hi_si.h File Reference

This file contains structures and functions for the Session Inspection Module.

#include "hi_include.h"
#include "hi_ui_config.h"
#include "hi_client.h"
#include "hi_server.h"
#include "hi_ad.h"

Defines

#define HI_SI_NO_MODE   0
#define HI_SI_CLIENT_MODE   1
#define HI_SI_SERVER_MODE   2

Typedefs

typedef struct s_HI_SESSION HI_SESSION
typedef struct s_HI_SI_INPUT HI_SI_INPUT

Functions

int hi_si_session_inspection (HTTPINSPECT_GLOBAL_CONF *GlobalConf, HI_SESSION **Session, HI_SI_INPUT *SiInput, int *piInspectMode)


Detailed Description

This file contains structures and functions for the Session Inspection Module.

Author:
Daniel J. Roelker <droelker@sourcefire.com>

The Session Inspection Module has several data structures that are very important to the functionality of the module. The two major structures are the HI_SESSION and the HI_SI_INPUT.

NOTES:

Definition in file hi_si.h.


Define Documentation

#define HI_SI_CLIENT_MODE   1
 

Definition at line 31 of file hi_si.h.

Referenced by hi_mi_mode_inspection(), hi_normalization(), InitServerConf(), LogEvents(), SetSiInput(), and SnortHttpInspect().

#define HI_SI_NO_MODE   0
 

Definition at line 30 of file hi_si.h.

Referenced by hi_mi_mode_inspection(), InitServerConf(), and SetSiInput().

#define HI_SI_SERVER_MODE   2
 

Definition at line 32 of file hi_si.h.

Referenced by hi_mi_mode_inspection(), InitServerConf(), LogEvents(), SetSiInput(), and SnortHttpInspect().


Typedef Documentation

typedef struct s_HI_SESSION HI_SESSION
 

The HI_SESSION structure contains the complete HTTP session, both the client and the server constructs. It is the structure that is saved per session in the Stream Interface Module, and it is passed through the detection engine process (Normalization, Detection).

typedef struct s_HI_SI_INPUT HI_SI_INPUT
 

The HI_SI_INPUT structure holds the information that the Session Inspection Module needs to determine the type of inspection mode (client, server, neither) and to retrieve the appropriate server configuration.

The input is the source and destination IP addresses, and the source and destination ports (since this should always be a TCP packet).


Function Documentation

int hi_si_session_inspection (HTTPINSPECT_GLOBAL_CONF *GlobalConf,
    HI_SESSION **Session,
    HI_SI_INPUT *SiInput,
    int *piInspectMode)
 

The Session Inspection module selects the appropriate server configuration for the session, and the type of inspection to be performed (client or server).

When the Session Inspection module is in stateful mode, it checks whether an HI_SESSION pointer is already associated with the stream. If there is, it uses that session pointer; otherwise it calculates the server configuration using the HI_SI_INPUT and returns an HI_SESSION pointer. In stateful mode, this means that memory is allocated, but in stateless mode, the same session pointer is used for all packets to reduce the allocation overhead.

The inspection mode can be either client, server, or neither. In the case of neither, the packet is inspected for rogue HTTP servers and HTTP tunneling.

Parameters:
GlobalConf pointer to the global configuration
Session double pointer so the session can be set
SiInput session input pointer for data
piInspectMode pointer for setting inspection mode
Returns:
integer
Return values:
HI_SUCCESS function successful
HI_MEM_ALLOC_FAIL failure to allocate memory
HI_INVALID_ARG argument was invalid (NULL pointers, etc)

Definition at line 322 of file hi_si.c.

References HI_SUCCESS, HI_UI_CONFIG_STATEFUL, s_HTTPINSPECT_GLOBAL_CONF::inspection_type, StatefulSessionInspection(), and StatelessSessionInspection().

Referenced by SnortHttpInspect().
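
The stateful versus stateless session handling and the client/server/neither decision described above, as an added example that is not Snort's code. It is a simplified C model: every `ex_`/`EX_` name, the struct layouts, the return-code values, and the rule that a match on one configured HTTP port decides the mode are assumptions made for illustration.

```c
#include <stdlib.h>
#include <stdint.h>

/* Mode values as listed on this page. */
#define HI_SI_NO_MODE     0
#define HI_SI_CLIENT_MODE 1
#define HI_SI_SERVER_MODE 2

/* Hypothetical stand-ins; these are not Snort's definitions or values. */
enum { EX_SUCCESS = 0, EX_MEM_ALLOC_FAIL = -1, EX_INVALID_ARG = -2 };
typedef struct { uint32_t sip, dip; uint16_t sport, dport; } ex_si_input;
typedef struct { int mode; uint16_t server_port; } ex_session;
typedef struct { int stateful; uint16_t http_port; } ex_global_conf;

static ex_session ex_static_session; /* reused for every packet when stateless */

/* Assumed rule: the side whose port equals the configured port is the server. */
static int ex_pick_mode(const ex_global_conf *c, const ex_si_input *in)
{
    if (in->dport == c->http_port) return HI_SI_CLIENT_MODE; /* client -> server */
    if (in->sport == c->http_port) return HI_SI_SERVER_MODE; /* server -> client */
    return HI_SI_NO_MODE; /* neither: rogue-server / tunneling checks apply */
}

/* stream_slot models the per-stream pointer that a stream layer would keep. */
int ex_session_inspection(const ex_global_conf *conf, ex_session **stream_slot,
                          ex_session **session, const ex_si_input *in, int *mode)
{
    if (!conf || !session || !in || !mode || (conf->stateful && !stream_slot))
        return EX_INVALID_ARG;
    *mode = ex_pick_mode(conf, in);
    if (!conf->stateful) {               /* stateless: no allocation at all */
        ex_static_session.mode = *mode;
        ex_static_session.server_port = conf->http_port;
        *session = &ex_static_session;
        return EX_SUCCESS;
    }
    if (*stream_slot == NULL) {          /* stateful: first packet of the stream */
        *stream_slot = calloc(1, sizeof **stream_slot);
        if (*stream_slot == NULL) return EX_MEM_ALLOC_FAIL;
        (*stream_slot)->server_port = conf->http_port;
    }
    (*stream_slot)->mode = *mode;        /* later packets reuse the saved session */
    *session = *stream_slot;
    return EX_SUCCESS;
}
```

In the stateful path the caller owns the allocation stored in `stream_slot` and must free it when the stream ends; the stateless session is overwritten on every packet, so nothing in it can be relied on across packets.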


Generated on Sun May 14 14:51:24 2006 by  doxygen 1.4.2