|
| 1 | +/** |
| 2 | + * \file ssadetector.hpp |
| 3 | + * \brief Plugin for parsing vpn_automaton traffic. |
| 4 | + * \author Jan Jirák [email protected] |
| 5 | + * \author Karel Hynek [email protected] |
| 6 | + * \date 2023 |
| 7 | + */ |
| 8 | +/* |
| 9 | + * Copyright (C) 2023 CESNET |
| 10 | + * |
| 11 | + * LICENSE TERMS |
| 12 | + * |
| 13 | + * Redistribution and use in source and binary forms, with or without |
| 14 | + * modification, are permitted provided that the following conditions |
| 15 | + * are met: |
| 16 | + * 1. Redistributions of source code must retain the above copyright |
| 17 | + * notice, this list of conditions and the following disclaimer. |
| 18 | + * 2. Redistributions in binary form must reproduce the above copyright |
| 19 | + * notice, this list of conditions and the following disclaimer in |
| 20 | + * the documentation and/or other materials provided with the |
| 21 | + * distribution. |
| 22 | + * 3. Neither the name of the Company nor the names of its contributors |
| 23 | + * may be used to endorse or promote products derived from this |
| 24 | + * software without specific prior written permission. |
| 25 | + * |
| 26 | + * ALTERNATIVELY, provided that this notice is retained in full, this |
| 27 | + * product may be distributed under the terms of the GNU General Public |
| 28 | + * License (GPL) version 2 or later, in which case the provisions |
| 29 | + * of the GPL apply INSTEAD OF those given above. |
| 30 | + * |
| 31 | + * This software is provided as is'', and any express or implied |
| 32 | + * warranties, including, but not limited to, the implied warranties of |
| 33 | + * merchantability and fitness for a particular purpose are disclaimed. |
| 34 | + * In no event shall the company or contributors be liable for any |
| 35 | + * direct, indirect, incidental, special, exemplary, or consequential |
| 36 | + * damages (including, but not limited to, procurement of substitute |
| 37 | + * goods or services; loss of use, data, or profits; or business |
| 38 | + * interruption) however caused and on any theory of liability, whether |
| 39 | + * in contract, strict liability, or tort (including negligence or |
| 40 | + * otherwise) arising in any way out of the use of this software, even |
| 41 | + * if advised of the possibility of such damage. |
| 42 | + * |
| 43 | + */ |
| 44 | + |
| 45 | +#ifndef IPXP_SSADETECTOR_HPP |
| 46 | +#define IPXP_SSADETECTOR_HPP |
| 47 | + |
| 48 | +#include <cstring> |
| 49 | + |
| 50 | +#ifdef WITH_NEMEA |
| 51 | + #include "fields.h" |
| 52 | +#endif |
| 53 | + |
| 54 | +#include <ipfixprobe/process.hpp> |
| 55 | +#include <ipfixprobe/flowifc.hpp> |
| 56 | +#include <ipfixprobe/packet.hpp> |
| 57 | +#include <ipfixprobe/ipfix-elements.hpp> |
| 58 | + |
| 59 | +namespace ipxp { |
| 60 | + |
| 61 | +#define SSADETECTOR_UNIREC_TEMPLATE "SSA_CONF_LEVEL" |
| 62 | + |
| 63 | +UR_FIELDS ( |
| 64 | + uint8 SSA_CONF_LEVEL |
| 65 | +) |
| 66 | + |
| 67 | +/** |
| 68 | + * \brief Flow record extension header for storing parsed SSADETECTOR data. |
| 69 | + */ |
| 70 | +struct RecordExtSSADetector : public RecordExt { |
| 71 | + static int REGISTERED_ID; |
| 72 | + |
| 73 | + uint8_t possible_vpn; |
| 74 | + |
| 75 | + RecordExtSSADetector() : RecordExt(REGISTERED_ID) |
| 76 | + { |
| 77 | + possible_vpn = 0; |
| 78 | + } |
| 79 | + |
| 80 | +#ifdef WITH_NEMEA |
| 81 | + virtual void fill_unirec(ur_template_t *tmplt, void *record) |
| 82 | + { |
| 83 | + ur_set(tmplt, record, F_SSA_CONF_LEVEL, possible_vpn); |
| 84 | + } |
| 85 | + |
| 86 | + const char *get_unirec_tmplt() const |
| 87 | + { |
| 88 | + return SSADETECTOR_UNIREC_TEMPLATE; |
| 89 | + } |
| 90 | +#endif |
| 91 | + |
| 92 | + virtual int fill_ipfix(uint8_t *buffer, int size) |
| 93 | + { |
| 94 | + if (size < 1) { |
| 95 | + return -1; |
| 96 | + } |
| 97 | + buffer[0] = (uint8_t) possible_vpn; |
| 98 | + return 1; |
| 99 | + } |
| 100 | + |
| 101 | + const char **get_ipfix_tmplt() const |
| 102 | + { |
| 103 | + static const char *ipfix_template[] = { |
| 104 | + IPFIX_SSADETECTOR_TEMPLATE(IPFIX_FIELD_NAMES) |
| 105 | + NULL |
| 106 | + }; |
| 107 | + return ipfix_template; |
| 108 | + } |
| 109 | +}; |
| 110 | + |
| 111 | +/** |
| 112 | + * \brief Process plugin for parsing SSADETECTOR packets. |
| 113 | + */ |
| 114 | +class SSADetectorPlugin : public ProcessPlugin |
| 115 | +{ |
| 116 | +public: |
| 117 | + SSADetectorPlugin(); |
| 118 | + ~SSADetectorPlugin(); |
| 119 | + void init(const char *params); |
| 120 | + void close(); |
| 121 | + OptionsParser *get_parser() const { |
| 122 | + return new OptionsParser("SSADetector", "Check traffic for SYN-SYNACK-ACK sequence to find possible network tunnels."); |
| 123 | + } |
| 124 | + std::string get_name() const { return "SSADetector"; } |
| 125 | + RecordExt *get_ext() const { return new RecordExtSSADetector(); } |
| 126 | + ProcessPlugin *copy(); |
| 127 | + |
| 128 | + int pre_create(Packet &pkt); |
| 129 | + int post_create(Flow &rec, const Packet &pkt); |
| 130 | + int pre_update(Flow &rec, Packet &pkt); |
| 131 | + int post_update(Flow &rec, const Packet &pkt); |
| 132 | + void pre_export(Flow &rec); |
| 133 | +}; |
| 134 | + |
| 135 | +} |
| 136 | +#endif /* IPXP_SSADETECTOR_HPP */ |
| 137 | + |
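Review bot: The documentation in this header does not say what the plugin actually records: the file `\brief` reads "parsing vpn_automaton traffic" although the file is ssadetector.hpp, the struct and class briefs are template text ("parsing SSADETECTOR data" / "parsing SSADETECTOR packets"), and `possible_vpn` — the only exported value, written to `SSA_CONF_LEVEL` in `fill_unirec` and to `buffer[0]` in `fill_ipfix` — carries no comment on its meaning or range. I would replace the file brief with the purpose already given to `OptionsParser` (`\brief Plugin detecting a SYN-SYNACK-ACK sequence inside a flow as a sign of a possible network tunnel.`) and annotate the field with `uint8_t possible_vpn; // confidence level that the flow carries a tunnelled TCP handshake, exported as SSA_CONF_LEVEL — TODO document the value range`. The `virtual` members of RecordExtSSADetector (`fill_unirec`, `fill_ipfix`, `get_unirec_tmplt`, `get_ipfix_tmplt`) and the ProcessPlugin hooks in SSADetectorPlugin are declared without `override`, so, assuming they are meant to match base-class declarations in process.hpp/flowifc.hpp, a later signature drift would silently introduce a new virtual instead of failing to compile; `int fill_ipfix(uint8_t *buffer, int size) override` and likewise for the others. The cast in `buffer[0] = (uint8_t) possible_vpn;` is redundant because the member is already `uint8_t`, and `NULL` in the `ipfix_template` terminator could be `nullptr` in line with the rest of the C++ code.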