axa  1.2.1
Farsight Security Advanced Exchange Access (AXA)
axa_rad_mod

Detailed Description

axa_rad_mod contains the RAD data types and function declarations for a RAD module.

Before including this file, #define RAD_MOD_PREFIX xxx, where "xxx" is the name of the module; the header then declares the module's three entry points, axa_rad_##prefix##_open(), axa_rad_##prefix##_whit(), and axa_rad_##prefix##_close() (that is, axa_rad_xxx_open() and so on).

A RAD module expects the RAD daemon to enable SRA channels and start SRA watches based on a list of axa_rad_parm_t parameters that the module has computed from an optional list of watches and channels as well as optional strings from the users file and the RAD client. The RAD daemon delivers AXA messages containing NMSG or SIE messages and dark channel packets matching those watches to the RAD module. The module tells the RAD daemon to send copies of the AXA messages that the module considers anomalous to the RAD client.

Data Structures

struct  axa_rad_p_t
 A RAD parameter specifying an SRA channel to enable or a watch to start, in the form of an AXA message header and body.
 
struct  axa_rad_parm
 A member of a linked list of RAD module parameters.
 

Macros

#define AXA_RAD_CPARMS_ALLOWED   "+"
 This string, when it appears among the parameters for a RAD module in the users file, allows the RAD client to specify parameters for the module when the client sends its AXA_P_OP_ANOM message.
 
#define RAD_PREFIX   "axa_rad_"
 The names of the three functions exported by a RAD module start with this string/prefix.
 

Typedefs

typedef struct axa_rad_parm axa_rad_parm_t
 AXA RAD parameter.
 
typedef bool( axa_rad_open_t) (void **ctxt, char **errmsg, const axa_rad_parm_t **out_parms, const axa_rad_parm_t *in_parms, const char *uparms, const char *cparms)
 Open a RAD module.
 
typedef int( axa_rad_whit_t) (void *ctxt, char **errmsg, const axa_p_whit_t *whit, size_t whit_len, const nmsg_message_t msg, const struct nmsg_ipdg *dgp)
 RAD module watch hit.
 
typedef void( axa_rad_close_t) (void *ctxt)
 RAD module close.
 

Macro Definition Documentation

#define AXA_RAD_CPARMS_ALLOWED   "+"

This string, when it appears among the parameters for a RAD module in the users file, allows the RAD client to specify parameters for the module when the client sends its AXA_P_OP_ANOM message.

#define RAD_PREFIX   "axa_rad_"

The names of the three functions exported by a RAD module start with this string/prefix.

Typedef Documentation

typedef struct axa_rad_parm axa_rad_parm_t

AXA RAD parameter.

typedef bool( axa_rad_open_t) (void **ctxt, char **errmsg, const axa_rad_parm_t **out_parms, const axa_rad_parm_t *in_parms, const char *uparms, const char *cparms)

Open a RAD module.

All of these functions can be called concurrently by two or more RAD server threads and so must protect their data. A module's close() function will be called by the RAD daemon whenever its open() function returns a non-null ctxt, even if open() fails; a module that fails after allocating a context can therefore hand it back in ctxt and rely on close() to free it.

Parameters
[out] ctxt  a non-null context for this instance of the module that must be freed by the module in its close() function.
[out] errmsg  NULL on success; on failure, an error message that must be freed by the caller.
[out] out_parms  a list of 0 or more axa_rad_parm_t parameters consisting of AXA channel and watch enable commands, usually generated by the module from in_parms, uparms, and cparms. It is usually a dynamically allocated list owned by the module and freed by the module's close() function.
[in] in_parms  a linked list of axa_rad_parm_t parameters consisting of the AXA watches specified by the RAD client with AXA messages before the AXA_P_OP_ANOM message. These watches are given to all anomaly modules with the same tag.
[in] uparms  an ASCII string of parameters from the users file; invalid after the open function returns.
[in] cparms  an ASCII string of parameters from the RAD client; invalid after the open function returns.
Return values
true  success
false  failure
typedef int( axa_rad_whit_t) (void *ctxt, char **errmsg, const axa_p_whit_t *whit, size_t whit_len, const nmsg_message_t msg, const struct nmsg_ipdg *dgp)

RAD module watch hit.

Say whether to forward an AXA watch "hit" to the RAD client.

Parameters
[in] ctxt  context for this instance of the module
[out] errmsg  NULL except after an error return, when it contains a string explaining the error that must be freed by the caller.
[in] whit  watch "hit" containing an SIE NMSG message or dark channel packet that matched one of the watches specified by the module when it was opened.
[in] whit_len  the length of whit
[in] msg  NMSG message from whit decoded by axa_whit2nmsg() if whit->hdr.type == AXA_P_WHIT_NMSG
[in] dgp  IP packet from whit decoded by nmsg_ipdg_parse_pcap_raw()
Return values
-1  error with text in errmsg
0  no, do not forward whit to the RAD client
1  yes, forward whit to the RAD client
typedef void( axa_rad_close_t) (void *ctxt)

RAD module close.

The module should free its context, ctxt, and any other resources including the list of axa_rad_parm_t parameters given by the module to the RAD daemon via the out_parms parameter of its open() function.

Parameters
[in] ctxt  context for this instance of the module