/**
**  @file       hi_si.h
**
**  @author     Daniel J. Roelker <droelker@sourcefire.com>
**
**  @brief      This file contains structures and functions for the
**              Session Inspection Module.
**
**  The Session Inspection Module has several data structures that are
**  very important to the functionality of the module.  The two major
**  structures are the HI_SESSION and the HI_SI_INPUT.
**
**  NOTES:
**    - 2.25.03:  Initial Development.  DJR
*/
/*
**  NOTE(review): identifiers containing a double underscore are reserved
**  for the implementation in C.  The guard name is left as is because
**  other translation units may test it.
*/
#ifndef __HI_SI_H__
#define __HI_SI_H__

#include "hi_include.h"
#include "hi_ui_config.h"
#include "hi_client.h"
#include "hi_server.h"
#include "hi_ad.h"

/*
**  These are the defines for the different types of
**  inspection modes.  We have a server mode, client mode and a "no" mode which
**  looks for anomalous HTTP server detection and tunneling.
**
**  Presumably these are the values reported through the piInspectMode
**  argument of hi_si_session_inspection() -- confirm against the
**  implementation.
*/
#define HI_SI_NO_MODE     0
#define HI_SI_CLIENT_MODE 1
#define HI_SI_SERVER_MODE 2

/**
**  The HI_SESSION structure contains the complete HTTP session, both the
**  client and the server constructs.  This structure is the structure that
**  is saved per session in the Stream Interface Module.  This structure
**  gets sent through the detection engine process (Normalization,
**  Detection).
**
**  NOTE(review): the three configuration members are raw pointers.  This
**  header does not show who owns the pointed-to configuration or how long
**  it must outlive a saved session.  Confirm the lifetime rules before
**  keeping a HI_SESSION across a configuration reload.
*/
typedef struct s_HI_SESSION
{
    /*
    **  The client construct contains all the info associated with a
    **  client request.
    */
    HI_CLIENT client;

    /*
    **  The server construct contains all the info associated with a
    **  server response.
    */
    HI_SERVER server;

    /*
    **  The anomalous server construct that lets us do things when we've
    **  found undefined HTTP traffic.
    */
    HI_ANOM_SERVER anom_server;

    /*
    **  The server configuration for this session
    */
    HTTPINSPECT_CONF *server_conf;

    /*
    **  If this HTTP request came from a proxy, we
    **  have to see if it was configured.
    **
    **  NOTE(review): whether this may be NULL when no proxy is involved is
    **  not visible in this header -- check before dereferencing.
    */
    HTTPINSPECT_CONF *client_conf;

    /*
    **  The global configuration for this session
    */
    HTTPINSPECT_GLOBAL_CONF *global_conf;

} HI_SESSION;

/**
**  The HI_SI_INPUT structure holds the information that the Session
**  Inspection Module needs to determine the type of inspection mode
**  (client, server, neither) and to retrieve the appropriate server
**  configuration.
**
**  The input is the source and destination IP addresses, and the
**  source and destination ports (since this should always be a
**  TCP packet).
**
**  NOTE(review): the addresses are held in unsigned long, whose width is
**  platform-dependent (at least 32 bits, 64 bits on LP64 targets), so code
**  that hashes, compares or copies these members by size should not assume
**  exactly four bytes.  Byte order of the address and port members is not
**  stated in this header -- confirm against the code that fills them in.
*/
typedef struct s_HI_SI_INPUT
{
    unsigned long  sip;    /* source IP address */
    unsigned long  dip;    /* destination IP address */
    unsigned short sport;  /* source port */
    unsigned short dport;  /* destination port */
    unsigned char  pdir;   /* presumably the packet direction; valid values
                              are not defined in this header -- TODO confirm */

} HI_SI_INPUT;

/**
**  Entry point of the Session Inspection Module.
**
**  @param GlobalConf     pointer to the global HttpInspect configuration
**  @param Session        pointer to a HI_SESSION pointer; presumably set by
**                        this function to the session to inspect -- ownership
**                        of the pointed-to session is not visible here,
**                        confirm before freeing or caching it
**  @param SiInput        addresses, ports and direction for the packet
**  @param piInspectMode  presumably receives one of the HI_SI_*_MODE values
**                        -- confirm against the implementation
**
**  @return int; the meaning of the return value is not defined in this
**          header.  Callers should check it before using *Session or
**          *piInspectMode.
*/
int hi_si_session_inspection(HTTPINSPECT_GLOBAL_CONF *GlobalConf,
        HI_SESSION **Session, HI_SI_INPUT *SiInput, int *piInspectMode);

#endif
