yafhooks.h File Reference
Processing hook interface for YAF. More...
#include <yaf/autoinc.h>#include <yaf/decode.h>#include <yaf/yafcore.h>#include <yaf/yaftab.h>Go to the source code of this file.
Data Structures | |
| struct | yfHookMetaData |
| Exported from the plugin to tell YAF about its export data & interface version. More... | |
Defines | |
| #define | YAF_HOOK_INTERFACE_VERSION 2 |
Functions | |
| gboolean | yfHookPacket (yfFlowKey_t *key, const uint8_t *pkt, size_t caplen, uint16_t iplen, yfTCPInfo_t *tcpinfo, yfL2Info_t *l2info) |
| Function called to do processing on each packet as it comes in. | |
| void | yfHookFlowPacket (yfFlow_t *flow, yfFlowVal_t *val, const uint8_t *pkt, size_t caplen, uint16_t iplen, yfTCPInfo_t *tcpinfo, yfL2Info_t *l2info) |
| Similar to yfHookPacket but also given yfFlowVal_t struct for processing per flow direction. | |
| void | yfHookValidateFlowTab (uint32_t max_payload, gboolean uniflow, gboolean silkmode, gboolean applabelmode, gboolean entropymode, gboolean fingerprintmode, gboolean fpExportMode, gboolean udp_max_payload, uint16_t udp_uniflow_port) |
| Validation function to make sure the plugin can and should operate based on the flowtable options. | |
| gboolean | yfHookFlowClose (yfFlow_t *flow) |
| Called upon flow close to do any necessary plugin processing upon flow close. | |
| void | yfHookFlowAlloc (yfFlow_t *flow) |
| Allow plugins to allocate flow state information for each flow captured by yaf. | |
| void | yfHookFlowFree (yfFlow_t *flow) |
| Frees all memory associated with the flow state in all of the attached plugins. | |
| fbInfoElement_t * | yfHookGetInfoModel (void) |
| returns the IPFIX info model aggregated for all plugins | |
| fbInfoElementSpec_t * | yfHookGetTemplate (void) |
| gets the IPFIX info model template for the export data from _all_ the plugins and turns it into a single template to return. | |
| gboolean | yfWriteFlowHook (void *rec, size_t rec_sz, yfFlow_t *flow, GError **err) |
| called by yfWriteFlow to add the data from all registered plugins to the outgoing IPFIX record | |
| gboolean | yfHookAddNewHook (const char *hookName, const char *hookOpts, GError **err) |
| yfHookAddNewHook | |
Detailed Description
Processing hook interface for YAF.
Not yet documented.
Function Documentation
| gboolean yfHookAddNewHook | ( | const char * | hookName, | |
| const char * | hookOpts, | |||
| GError ** | err | |||
| ) |
yfHookAddNewHook
adds another hook (plugin) into yaf
- Parameters:
-
hookName the file name of the plugin to load hookOpts a string of command line options for the plugin to process err the error value that gets set if this call didn't work
- Returns:
- TRUE if plugin loaded fine, other FALSE
| void yfHookFlowAlloc | ( | yfFlow_t * | flow | ) |
Allow plugins to allocate flow state information for each flow captured by yaf.
- Parameters:
-
flow the pointer to the flow context state structure, but more importantly contains the array of pointers (hfctx) which hold the plugin context state
| gboolean yfHookFlowClose | ( | yfFlow_t * | flow | ) |
Called upon flow close to do any necessary plugin processing upon flow close.
| void yfHookFlowFree | ( | yfFlow_t * | flow | ) |
Frees all memory associated with the flow state in all of the attached plugins.
- Parameters:
-
flow - a pointer to the flow context structure
| fbInfoElement_t* yfHookGetInfoModel | ( | void | ) |
returns the IPFIX info model aggregated for all plugins
- Returns:
- pointer to an arry of fbInfoElement_t that contains the sum of the IPFIX IE's from all active plugins
| fbInfoElementSpec_t* yfHookGetTemplate | ( | void | ) |
gets the IPFIX info model template for the export data from _all_ the plugins and turns it into a single template to return.
It caches the results so that future queries are a lot faster. It can validate the cached result if the numer of plugins registered changes.
- Parameters:
-
pointer to an array of fbInfoElementSpec_t structures that describes the info model template
| gboolean yfHookPacket | ( | yfFlowKey_t * | key, | |
| const uint8_t * | pkt, | |||
| size_t | caplen, | |||
| uint16_t | iplen, | |||
| yfTCPInfo_t * | tcpinfo, | |||
| yfL2Info_t * | l2info | |||
| ) |
Function called to do processing on each packet as it comes in.
| void yfHookValidateFlowTab | ( | uint32_t | max_payload, | |
| gboolean | uniflow, | |||
| gboolean | silkmode, | |||
| gboolean | applabelmode, | |||
| gboolean | entropymode, | |||
| gboolean | fingerprintmode, | |||
| gboolean | fpExportMode, | |||
| gboolean | udp_max_payload, | |||
| uint16_t | udp_uniflow_port | |||
| ) |
Validation function to make sure the plugin can and should operate based on the flowtable options.
- Parameters:
-
max payload value uniflow silkmode applabelmode p0f finger printing mode handshake header export mode udp max payload - concatenate udp payloads similar to TCP udp uniflow port - export all udp packets if have this src or dst port
| gboolean yfWriteFlowHook | ( | void * | rec, | |
| size_t | rec_sz, | |||
| yfFlow_t * | flow, | |||
| GError ** | err | |||
| ) |
called by yfWriteFlow to add the data from all registered plugins to the outgoing IPFIX record
- Parameters:
-
outgoing yfIpfixFlow_t record size of record pointer to the flow context structure Error