From: Ashutosh Gupta (ashugup3) Date: Fri, 10 Jan 2025 08:27:57 +0000 (+0000) Subject: Pull request #4553: shadowtraffic_aggregator: Implemented header definitions X-Git-Tag: 3.6.2.0~12 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fef91833f0f0b9a5ff16728b720644239538ffc9;p=thirdparty%2Fsnort3.git Pull request #4553: shadowtraffic_aggregator: Implemented header definitions Merge in SNORT/snort3 from ~ASHUGUP3/snort3:shadow_traffic_master to master Squashed commit of the following: commit e0a2ec29595b80164609c63f313e46bbff819ae5 Author: ashutosh Date: Wed Dec 18 14:14:04 2024 +0530 shadowtraffic_aggregator: Implemented header defintions
---
diff --git a/src/pub_sub/CMakeLists.txt b/src/pub_sub/CMakeLists.txt
index 29710692b..9664c5c3f 100644
--- a/src/pub_sub/CMakeLists.txt
+++ b/src/pub_sub/CMakeLists.txt
@@ -25,6 +25,7 @@ set (PUB_SUB_INCLUDES
 rna_events.h
 sip_events.h
 stream_event_ids.h
+ shadowtraffic_aggregator.h
 smb_events.h
 ssh_events.h
 ssl_events.h
diff --git a/src/pub_sub/shadowtraffic_aggregator.h b/src/pub_sub/shadowtraffic_aggregator.h
new file mode 100644
index 000000000..730be81d0
--- /dev/null
+++ b/src/pub_sub/shadowtraffic_aggregator.h
@@ -0,0 +1,70 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2019-2024 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+// shadowtraffic_aggregator.h author Ashutosh Gupta
+
+#ifndef SHADOWTRAFFIC_AGGREGATOR_H
+#define SHADOWTRAFFIC_AGGREGATOR_H
+
+#include "framework/data_bus.h"
+
+// Shadow traffic types are defined as bitmaps as a single flow can qualify for multiple shadow traffic types.
+
+#define ShadowTraffic_Type_Encrypted_DNS 0x00000001
+#define ShadowTraffic_Type_ECH 0x00000002
+#define ShadowTraffic_Type_Evasive_VPN 0x00000004
+#define ShadowTraffic_Type_Multihop_Proxy 0x00000008
+#define ShadowTraffic_Type_Domain_Fronting 0x00000010
+#define ShadowTraffic_Type_Domain_Faking 0x00000020
+
+namespace snort
+{
+
+struct ShadowTrafficEventIds
+{
+ enum : unsigned
+ {
+ SHADOWTRAFFIC_FLOW_DETECTED,
+ num_ids
+ };
+
+ static const snort::PubKey shadowtraffic_pub_key;
+};
+
+const snort::PubKey shadowtraffic_pub_key { "shadowtraffic", ShadowTrafficEventIds::num_ids };
+
+class SO_PUBLIC ShadowTrafficEvent : public snort::DataEvent {
+ public:
+ ShadowTrafficEvent( const uint32_t shadowtraffic_type, const std::string& server_name,
+ const std::string& process_name, const std::string& application_name) :
+ shadowtraffictype(shadowtraffic_type), server_name(server_name),
+ process_name(process_name), application_name(application_name) {}
+
+ uint32_t get_shadowtraffic_type() { return shadowtraffictype; }
+ std::string& get_server_name () { return server_name; }
+ std::string& get_process_name () { return process_name; }
+ std::string& get_application_name () { return application_name; }
+
+ private:
+ uint32_t shadowtraffictype;
+ std::string server_name;
+ std::string process_name;
+ std::string application_name;
+};
+
+}
+#endif // SHADOWTRAFFIC_AGGREGATOR_H
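Review bot: `ShadowTrafficEventIds` declares `static const snort::PubKey shadowtraffic_pub_key;` but nothing in the hunk defines it; the namespace-scope `const snort::PubKey shadowtraffic_pub_key { "shadowtraffic", ShadowTrafficEventIds::num_ids };` that follows is a separate internal-linkage object, not the static member, so any ODR-use of `ShadowTrafficEventIds::shadowtraffic_pub_key` would fail to link. The sibling event-id headers listed in the CMake hunk appear to rely on the namespace-scope constant alone, so the static member declaration can simply be dropped (or, if the member is what consumers are meant to use, define it as `const snort::PubKey ShadowTrafficEventIds::shadowtraffic_pub_key { "shadowtraffic", num_ids };` and remove the namespace-scope copy). Separately, `get_shadowtraffic_type()` and the three `std::string&` getters are non-const and hand out mutable references to the event's fields, so one subscriber can rewrite the server, process or application name that later subscribers of the same publish observe; making each getter `const` and returning `const std::string&`, e.g. `const std::string& get_server_name() const { return server_name; }`, keeps the event read-only to consumers. The header also uses `std::string` and `uint32_t` without including `<string>` and `<cstdint>`, relying on `framework/data_bus.h` to provide them transitively.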