Pull request #4553: shadowtraffic_aggregator: Implemented header definitions
authorAshutosh Gupta (ashugup3) <ashugup3@cisco.com>
Fri, 10 Jan 2025 08:27:57 +0000 (08:27 +0000)
committerLokesh Bevinamarad (lbevinam) <lbevinam@cisco.com>
Fri, 10 Jan 2025 08:27:57 +0000 (08:27 +0000)
Merge in SNORT/snort3 from ~ASHUGUP3/snort3:shadow_traffic_master to master

Squashed commit of the following:

commit e0a2ec29595b80164609c63f313e46bbff819ae5
Author: ashutosh <ashugup3@cisco.com>
Date:   Wed Dec 18 14:14:04 2024 +0530

    shadowtraffic_aggregator: Implemented header definitions

src/pub_sub/CMakeLists.txt
src/pub_sub/shadowtraffic_aggregator.h [new file with mode: 0644]

index 29710692b080ab5284fda840b4ae789ee092780e..9664c5c3fedc8106d6548b0634e25417c7345cdc 100644 (file)
@@ -25,6 +25,7 @@ set (PUB_SUB_INCLUDES
     rna_events.h
     sip_events.h
     stream_event_ids.h
+    shadowtraffic_aggregator.h
     smb_events.h
     ssh_events.h
     ssl_events.h
diff --git a/src/pub_sub/shadowtraffic_aggregator.h b/src/pub_sub/shadowtraffic_aggregator.h
new file mode 100644 (file)
index 0000000..730be81
--- /dev/null
@@ -0,0 +1,70 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2019-2024 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation.  You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+//--------------------------------------------------------------------------
+// shadowtraffic_aggregator.h author Ashutosh Gupta <ashugup3@cisco.com>
+
+#ifndef SHADOWTRAFFIC_AGGREGATOR_H
+#define SHADOWTRAFFIC_AGGREGATOR_H
+
+#include "framework/data_bus.h"
+
+// Shadow traffic types are defined as bitmaps as a single flow can qualify for multiple shadow traffic types.
+
+#define ShadowTraffic_Type_Encrypted_DNS      0x00000001
+#define ShadowTraffic_Type_ECH                0x00000002
+#define ShadowTraffic_Type_Evasive_VPN        0x00000004
+#define ShadowTraffic_Type_Multihop_Proxy     0x00000008
+#define ShadowTraffic_Type_Domain_Fronting    0x00000010
+#define ShadowTraffic_Type_Domain_Faking      0x00000020
+
+namespace snort
+{
+
+struct ShadowTrafficEventIds
+{
+    enum : unsigned
+    {
+        SHADOWTRAFFIC_FLOW_DETECTED,
+        num_ids
+    };
+
+    static const snort::PubKey shadowtraffic_pub_key;
+};
+
+const snort::PubKey shadowtraffic_pub_key { "shadowtraffic", ShadowTrafficEventIds::num_ids };
+
+class SO_PUBLIC ShadowTrafficEvent : public snort::DataEvent {
+    public:
+        ShadowTrafficEvent( const uint32_t shadowtraffic_type, const std::string& server_name, 
+            const std::string& process_name, const std::string& application_name) : 
+                shadowtraffictype(shadowtraffic_type), server_name(server_name), 
+                    process_name(process_name), application_name(application_name) {}
+
+        uint32_t get_shadowtraffic_type() { return shadowtraffictype; }
+        std::string& get_server_name () { return server_name; }
+        std::string& get_process_name () { return process_name; } 
+        std::string& get_application_name () { return application_name; }
+        
+    private:
+        uint32_t      shadowtraffictype;
+        std::string   server_name;
+        std::string   process_name;
+        std::string   application_name; 
+};
+
+}
+#endif // SHADOWTRAFFIC_AGGREGATOR_H
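Review bot: The static member `static const snort::PubKey shadowtraffic_pub_key;` declared inside `ShadowTrafficEventIds` is never defined — the definition that follows it is a separate namespace-scope constant, not `ShadowTrafficEventIds::shadowtraffic_pub_key` — so any reference through the struct would fail at link time; since the namespace-scope constant is the form the other pub_sub headers use, the member declaration should be dropped. The accessors on `ShadowTrafficEvent` return non-const `std::string&` from non-const member functions, so any subscriber that receives the event can rewrite the server, process and application names that later subscribers (and any logging) will observe; prefer `const std::string& get_server_name() const { return server_name; }` and the same for the other two, plus `uint32_t get_shadowtraffic_type() const`. The header uses `uint32_t` and `std::string` but includes only `framework/data_bus.h`; unless that header is known to pull them in transitively, add `#include <cstdint>` and `#include <string>`. The bitmap values are C macros in a C++ header; an `enum ShadowTrafficType : uint32_t` or `constexpr uint32_t` constants would give them a type and keep them out of the global macro namespace. The constructor lines, `get_process_name`, and the `application_name` member carry trailing whitespace, and the class's same-line opening brace and indented `public:` differ from the struct defined just above it.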