elog_write.h

Firestorm NIDS是一个性能非常高的网络入侵检测系统 (NIDS)。目前

#ifndef __ELOG_WRITE_HEADER_INCLUDED__
#define __ELOG_WRITE_HEADER_INCLUDED__

#include <sys/uio.h>

#define ALERT_FN "alert.elog"
#define ALERT_FNLEN 23

#define SPOOL_DEFAULT_MINS 60
#define SPOOL_DEFAULT_SIZE (512*1024)
#define SPOOL_DEFAULT_BUFFER (16*1024)

/* Stormwall mode */
#define STORMWALL_NONE 0 /* stormwall comms disabled */
#define STORMWALL_WAIT 1 /* wait for stormwall to come alive */
#define STORMWALL_FAIL 2 /* fail immidietly if stormwall is not ready */

/* Event structures */
struct event_alert {
	struct generator *gen;
	struct packet *pkt;
	struct alert *a;
};

/* Elog spooled output interface */
#define ALERT_VEC 6
struct elog_spool {
	/* Current packet data */
	struct iovec iov[ALERT_VEC];
	struct elog_pkthdr ph;
	size_t tot_len;
	int io_len;

	/* The files */
	int fd;
	char *alert_fn;
	char *rotate_fn;
	char *log_dir;

	/* Output buffer */
	char *buf; /* base of buffer */
	char *ptr; /* current pos in buffer */
	size_t buf_len; /* amount of buffer left */
	size_t buf_sz; /* total buffer size */

	/* state information */
	size_t size;
	struct timeval tv;

	/* rotation parameters */
	unsigned int max_bytes;
	unsigned int max_time;

	/* stormwall stuff */
	char *fifo_fn;
	int fifo_fd;
	int stormwall;
};

#ifndef __PLUGIN__
/* spool methods */
struct elog_spool *spool_new(void);
void spool_delete(struct elog_spool *);
int spool_open(struct elog_spool *);
void spool_close(struct elog_spool *);
void spool_rotate(struct elog_spool *, int);
int spool_check_old(struct elog_spool *);
void spool_fini(struct elog_spool *);
int spool_flush(struct elog_spool *);
int spool_packet(struct elog_spool *, struct event_alert *);

/* spool accessors */
int spool_set_buf(struct elog_spool *, size_t);

/* Stormwall API */
int stormwall_msg(struct elog_spool *s, int msg);
void stormwall_open(struct elog_spool *s);
void stormwall_close(struct elog_spool *s);

static inline int spool_isempty(struct elog_spool *s)
{
	return (s->tv.tv_sec==0) ? 1 : 0;
}
#endif

#endif /* __ELOG_WRITE_HEADER_INCLUDED__ */