axa 1.2.1
Farsight Security Advanced Exchange Access (AXA)
axa_rad_mod
Contains the RAD data types and function declarations for a RAD module.
Before including this file, #define RAD_MOD_PREFIX xxx, where "xxx" is the name of the module, to declare axa_rad_##prefix##_open(), axa_rad_##prefix##_whit(), and axa_rad_##prefix##_close().
A RAD module expects the RAD daemon to enable SRA channels and start SRA watches based on a list of axa_rad_parm_t parameters that the module has computed from an optional list of watches and channels as well as optional strings from the users file and the RAD client. The RAD daemon delivers AXA messages containing NMSG or SIE messages and dark channel packets matching those watches to the RAD module. The module tells the RAD daemon to send copies of the AXA messages that the module considers anomalous to the RAD client.
Data Structures
  struct axa_rad_p_t
    A RAD parameter specifying an SRA channel to enable or a watch to start, in the form of an AXA message header and body.
  struct axa_rad_parm
    A member of a linked list of RAD module parameters.
Macros
  #define AXA_RAD_CPARMS_ALLOWED "+"
    This string, when among the parameters for a RAD module in the users file, allows the RAD client to specify parameters for the module when the client sends its AXA_P_OP_ANOM message.
  #define RAD_PREFIX "axa_rad_"
    The names of the three functions exported by a RAD module start with this prefix.
Typedefs
  typedef struct axa_rad_parm axa_rad_parm_t
    AXA RAD parameter.
  typedef bool (axa_rad_open_t)(void **ctxt, char **errmsg, const axa_rad_parm_t **out_parms, const axa_rad_parm_t *in_parms, const char *uparms, const char *cparms)
    Open a RAD module.
  typedef int (axa_rad_whit_t)(void *ctxt, char **errmsg, const axa_p_whit_t *whit, size_t whit_len, const nmsg_message_t msg, const struct nmsg_ipdg *dgp)
    RAD module watch hit.
  typedef void (axa_rad_close_t)(void *ctxt)
    RAD module close.
#define AXA_RAD_CPARMS_ALLOWED "+"
This string, when among the parameters for a RAD module in the users file, allows the RAD client to specify parameters for the module when the client sends its AXA_P_OP_ANOM message.

#define RAD_PREFIX "axa_rad_"
The names of the three functions exported by a RAD module start with this prefix.

typedef struct axa_rad_parm axa_rad_parm_t
AXA RAD parameter.

typedef bool (axa_rad_open_t)(void **ctxt, char **errmsg, const axa_rad_parm_t **out_parms, const axa_rad_parm_t *in_parms, const char *uparms, const char *cparms)
Open a RAD module.
All of these functions can be called concurrently by two or more RAD server threads and so must protect their data. A module's close() function will be called by the RAD daemon if its open() function returns a non-null ctxt, even if the open() function fails.
Parameters
  [out] ctxt       a non-null context for this instance of the module that must be freed by the module in its close() function.
  [out] errmsg     NULL on success; on failure, an error message that must be freed by the caller.
  [in]  out_parms  a list of 0 or more axa_rad_parm_t parameters consisting of AXA channel and watch enable commands, usually generated by the module from in_parms, uparms, and cparms. It is usually a dynamically allocated list owned by the module and freed by the module's close() function.
  [in]  in_parms   a linked list of axa_rad_parm_t parameters consisting of the AXA watches specified by the RAD client with AXA messages before the AXA_P_OP_ANOM message. These watches are given to all anomaly modules with the same tag.
  [in]  uparms     an ASCII string of parameters from the users file; invalid after the open function returns.
  [in]  cparms     an ASCII string of parameters from the RAD client; invalid after the open function returns.
Return values
  true   success
  false  failure
typedef int (axa_rad_whit_t)(void *ctxt, char **errmsg, const axa_p_whit_t *whit, size_t whit_len, const nmsg_message_t msg, const struct nmsg_ipdg *dgp)
RAD module watch hit.
Say whether to forward an AXA watch "hit" to the RAD client.
Parameters
  [in] ctxt      context for this instance of the module
  [in] errmsg    NULL except after an error return, when it contains a string explaining the error that must be freed by the caller.
  [in] whit      watch "hit" containing an SIE NMSG message or dark channel packet that matched one of the watches specified by the module when it was opened.
  [in] whit_len  the length of whit
  [in] msg       NMSG message from whit, decoded by axa_whit2nmsg() if whit->hdr.type == AXA_P_WHIT_NMSG
  [in] dgp       IP packet from whit, decoded by nmsg_ipdg_parse_pcap_raw()
Return values
  -1  error, with text in errmsg
   0  no, do not forward whit to the RAD client
   1  yes, forward whit to the RAD client
typedef void (axa_rad_close_t)(void *ctxt)
RAD module close.
The module should free its context, ctxt, and any other resources, including the list of axa_rad_parm_t parameters given by the module to the RAD daemon via the out_parms parameter of its open() function.
Parameters
  [in] ctxt  context for this instance of the module
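A small but complete module written against the open()/whit()/close() contract described above, as an added example that is not part of AXA or of this page. It assumes minimal stand-in definitions for axa_p_whit_t, axa_rad_parm_t and the two NMSG parameters so that it compiles without the real headers; the module name "demo", the cmd field, and its "more than two NMSG hits is anomalous" rule are invented for illustration.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
/* Stand-ins (assumption) for the AXA types, so this compiles without axa/axa_rad_mod.h or nmsg */
typedef struct { struct { unsigned type; } hdr; } axa_p_whit_t;
typedef struct axa_rad_parm { struct axa_rad_parm *fwd; char *cmd; } axa_rad_parm_t;
#define AXA_P_WHIT_NMSG 1
#define AXA_RAD_CPARMS_ALLOWED "+"
typedef struct { pthread_mutex_t lock; axa_rad_parm_t *parms; unsigned long hits; } ctxt_t;
static char *dupstr(const char *s) { size_t n = strlen(s) + 1; char *d = malloc(n); return d ? memcpy(d, s, n) : NULL; }
/* open(): ctxt is non-null even on failure, so the daemon will still call close() to free it */
bool axa_rad_demo_open(void **ctxt, char **errmsg, const axa_rad_parm_t **out_parms,
                       const axa_rad_parm_t *in_parms, const char *uparms, const char *cparms)
{
    ctxt_t *c = calloc(1, sizeof(*c));
    *ctxt = c; *errmsg = NULL; *out_parms = NULL;
    if (c == NULL) { *errmsg = dupstr("out of memory"); return false; }
    pthread_mutex_init(&c->lock, NULL);
    /* parameters from the RAD client are honoured only if the users file contains "+" */
    if (cparms != NULL && cparms[0] != '\0' &&
        (uparms == NULL || strstr(uparms, AXA_RAD_CPARMS_ALLOWED) == NULL)) {
        *errmsg = dupstr("client parameters not allowed by the users file");
        return false;
    }
    /* copy the client's watches into a module-owned list: out_parms must live until close() */
    for (; in_parms != NULL; in_parms = in_parms->fwd) {
        axa_rad_parm_t *p = malloc(sizeof(*p));
        p->cmd = dupstr(in_parms->cmd); p->fwd = c->parms; c->parms = p;
    }
    *out_parms = c->parms;
    return true;
}

/* whit(): -1 error with errmsg set, 0 drop, 1 forward; runs concurrently on daemon threads */
int axa_rad_demo_whit(void *ctxt, char **errmsg, const axa_p_whit_t *whit, size_t whit_len,
                      const void *msg, const void *dgp)   /* nmsg types stubbed as void* */
{
    ctxt_t *c = ctxt; (void)msg; (void)dgp;
    if (whit_len < sizeof(*whit)) { *errmsg = dupstr("truncated watch hit"); return -1; }
    pthread_mutex_lock(&c->lock); unsigned long n = ++c->hits; pthread_mutex_unlock(&c->lock);
    return (whit->hdr.type == AXA_P_WHIT_NMSG && n > 2) ? 1 : 0;   /* toy rule: >2 NMSG hits is anomalous */
}
/* close(): free ctxt and the out_parms list that open() handed to the daemon */
void axa_rad_demo_close(void *ctxt)
{
    ctxt_t *c = ctxt; if (c == NULL) return;
    while (c->parms != NULL) { axa_rad_parm_t *p = c->parms; c->parms = p->fwd; free(p->cmd); free(p); }
    pthread_mutex_destroy(&c->lock); free(c);
}
```

Note that the failed-open path still returns a non-null ctxt, so close() is written to accept a partially initialised context, which is exactly what the daemon's "close after failed open" behaviour requires.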