authorliuxueli <[email protected]>2024-11-05 05:37:40 +0000
committerliuxueli <[email protected]>2024-11-27 06:36:56 +0000
commitb3ee13fad85492b30db3ea006efb60d6b1b5b2b0 (patch)
treeca0e1c20e5c70f21a056c8451ea290038d5b430f
parentd0193035811c8bc26bc28214edfc7bfaf839bab0 (diff)
Implement scanner_state.c/scanner_maat.c/attribute_schema.c
-rw-r--r--.gitlab-ci.yml3
-rw-r--r--CMakeLists.txt4
-rw-r--r--conf/stellar.toml61
-rw-r--r--deps/logger/log.c8
-rw-r--r--deps/yyjson/CMakeLists.txt4
-rw-r--r--enforcer/monitor/monitor.h1
-rw-r--r--enforcer/monitor/monitor_enforcer.c (renamed from enforcer/monitor/monitor.c)8
-rw-r--r--enforcer/monitor/monitor_enforcer.h55
-rw-r--r--enforcer/security/security.h1
-rw-r--r--enforcer/security/security_enforcer.c (renamed from enforcer/security/security.c)9
-rw-r--r--enforcer/security/security_enforcer.h (renamed from include/stellar/action_parameter.h)58
-rw-r--r--include/stellar/kv.h31
-rw-r--r--include/stellar/log.h6
-rw-r--r--include/stellar/scanner.h113
-rw-r--r--include/stellar/security.h40
-rw-r--r--infra/CMakeLists.txt2
-rw-r--r--scanner/CMakeLists.txt16
-rw-r--r--scanner/attribute_kv.c111
-rw-r--r--scanner/attribute_kv.h15
-rw-r--r--scanner/attribute_schema.c2957
-rw-r--r--scanner/attribute_schema.h521
-rw-r--r--scanner/packet_scanner.c270
-rw-r--r--scanner/packet_scanner.h8
-rw-r--r--scanner/recorder.c0
-rw-r--r--scanner/scanner.c1242
-rw-r--r--scanner/scanner_maat.c1037
-rw-r--r--scanner/scanner_maat.h122
-rw-r--r--scanner/scanner_shared.h69
-rw-r--r--scanner/scanner_state.c326
-rw-r--r--scanner/scanner_state.h24
-rw-r--r--scanner/scanner_toml.c121
-rw-r--r--scanner/scanner_toml.h9
-rw-r--r--scanner/session_scanner.c83
-rw-r--r--scanner/session_scanner.h8
-rw-r--r--scanner/test/CMakeLists.txt26
-rw-r--r--scanner/test/gtest_attribute_schema.cpp455
-rw-r--r--scanner/test/gtest_scanner_maat.cpp776
-rw-r--r--scanner/test/gtest_scanner_main.cpp23
-rw-r--r--scanner/test/gtest_scanner_state.cpp303
-rw-r--r--scanner/version.map21
40 files changed, 8683 insertions, 264 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 6cf2ad0..448ab87 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -55,7 +55,6 @@ stages:
--suppress=*:${CI_PROJECT_DIR}/infra/monitor/stellar-dump/*
--suppress=*:${CI_PROJECT_DIR}/deps/yyjson/*
--suppress=*:${CI_PROJECT_DIR}/deps/mpack/*
-
tags:
- share
@@ -179,4 +178,4 @@ rpm_upload_for_rockylinux:
dependencies:
- release_build_release_for_rockylinux
script:
- - python3 rpm_upload_tools.py $PULP3_REPO_NAME $PULP3_DIST_NAME *.rpm \ No newline at end of file
+ - python3 rpm_upload_tools.py $PULP3_REPO_NAME $PULP3_DIST_NAME *.rpm
diff --git a/CMakeLists.txt b/CMakeLists.txt
index b399cc5..e14c389 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -49,6 +49,7 @@ if (CMAKE_CXX_CPPCHECK)
"--suppress=integerOverflow"
"--suppress=*:${CMAKE_SOURCE_DIR}/infra/monitor/stellar-dump/*"
"--suppress=redundantInitialization"
+ "--suppress=*:${PROJECT_SOURCE_DIR}/deps/yyjson/*"
)
set(CMAKE_C_CPPCHECK ${CMAKE_CXX_CPPCHECK})
else()
@@ -86,6 +87,7 @@ add_subdirectory(vendors)
add_subdirectory(deps)
add_subdirectory(infra)
add_subdirectory(decoders)
+add_subdirectory(scanner)
add_subdirectory(scripts)
add_subdirectory(include)
add_subdirectory(tools)
@@ -93,4 +95,4 @@ add_subdirectory(test)
install(DIRECTORY DESTINATION log COMPONENT PROGRAM)
install(DIRECTORY DESTINATION metrics COMPONENT PROGRAM)
-install(DIRECTORY DESTINATION module COMPONENT PROGRAM) \ No newline at end of file
+install(DIRECTORY DESTINATION module COMPONENT PROGRAM)
diff --git a/conf/stellar.toml b/conf/stellar.toml
index 906503c..366ebcf 100644
--- a/conf/stellar.toml
+++ b/conf/stellar.toml
@@ -61,6 +61,67 @@
timeout_ms = 10000 # range: [1, 60000] (ms)
buffered_segments_max = 256 # range: [2, 4096] per flow
+[scanner]
+ traffic_vsystem_id=1
+ default_unknown_app_id=4
+ session_record_enabled=1
+ device_tag=""
+ device_group=""
+ data_center=""
+ override_sled_ip=""
+ nic_name="lo"
+ device_sn_filename="/opt/tsg/etc/device_sn.json"
+
+[cm_static_maat]
+ maat_mode="json"
+ stat_enabled=1
+ perf_enabled=1
+ hit_path_enabled=0
+ hit_object_enabled=1
+ maat_stat_enabled=1
+ deferred_load_enabled=0
+
+ effctive_interval_ms=1000
+ garbage_collect_ms=6000
+ rule_update_check_interval_ms=1000
+ redis_ip="127.0.0.1"
+ redis_port=7002
+ redis_index=1
+
+ log_level=0
+ log_path="log/scanner.cm.maat"
+
+ instance_name="cm_static_maat"
+ foreign_content_dir="cm_alerts_files"
+ stat_file="metrics/scanner_cm_maat_stat.json"
+ table_info="conf/scanner_cm_maat_tableinfo.json"
+ json_config_path="conf/scanner_cm_maat_rule.json"
+
+[sd_dynamic_maat]
+ maat_mode="json"
+ stat_enabled=1
+ perf_enabled=1
+ hit_path_enabled=0
+ hit_object_enabled=1
+ effctive_interval_ms=1000
+ garbage_collect_ms=6000
+ rule_update_check_interval_ms=1000
+ redis_ip="127.0.0.1"
+ redis_port=7002
+ redis_index=1
+
+ log_level=0
+ log_path="log/scanner.sd.maat"
+
+ instance_name="sd_dynamic_maat"
+ foreign_content_dir="sd_alerts_files"
+ stat_file="metrics/scanner_sd_maat_stat.json"
+ table_info="conf/scanner_sd_maat_tableinfo.json"
+ json_config_path="conf/scanner_sd_maat_rule.json"
+
+[monitor_enforcer]
+ default_vlan_id=2
+
[log]
output = "both" # stderr, file, both
file = "log/stellar.log"
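Review bot: The key `effctive_interval_ms` is misspelled in both `[cm_static_maat]` and `[sd_dynamic_maat]`, and a shipped configuration key is hard to rename later. The parser is not in this hunk, so whether it reads the same spelling cannot be confirmed from here; if it does, I would fix both sides now to `effective_interval_ms`. The new keys also lack the unit and range comments the neighbouring entries carry (`# range: [1, 60000] (ms)`). Adding them for the `*_ms` values and `redis_port`, plus a note that `nic_name="lo"` and `redis_ip="127.0.0.1"` are development defaults, would keep operators from deploying these values unchanged.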
diff --git a/deps/logger/log.c b/deps/logger/log.c
index aa5eba0..38f39f7 100644
--- a/deps/logger/log.c
+++ b/deps/logger/log.c
@@ -22,7 +22,7 @@ enum log_output
struct log_config
{
enum log_output output;
- enum log_level level;
+ int level;
char log_file[PATH_MAX];
};
@@ -161,7 +161,7 @@ static int config_parse(struct log_config *config, const char *config_file)
fprintf(stderr, "(logger) config file %s missing log.level\n", config_file);
goto error_out;
}
- config->level = (enum log_level)str_to_level(level);
+ config->level = str_to_level(level);
if ((int)config->level == -1)
{
fprintf(stderr, "config file %s invalid log.level\n", config_file);
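Review bot: With `level` now a plain `int`, the only validation visible in these hunks is the `-1` comparison after `str_to_level()`. The cast in `if ((int)config->level == -1)` is now redundant and can become `if (config->level == -1)`. The same type change is made to `log_check_level()` and `log_print()` in the later hunks of this file, so callers can pass any integer and the compiler no longer flags a wrong constant. Their bodies continue outside the hunks; if either uses `level` to index a table of level names, a guard such as `if (level < LOG_TRACE || level > <last level enumerator>) return;` at the top of both would keep an out-of-range value from reaching it.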
@@ -275,7 +275,7 @@ void log_free(struct logger *logger)
}
}
-int log_check_level(struct logger *logger, enum log_level level)
+int log_check_level(struct logger *logger, int level)
{
if (logger)
{
@@ -302,7 +302,7 @@ void log_reload_level(struct logger *logger)
}
}
-void log_print(struct logger *logger, enum log_level level, const char *module, const char *fmt, ...)
+void log_print(struct logger *logger, int level, const char *module, const char *fmt, ...)
{
int nwrite;
char buf[4096] = {0};
diff --git a/deps/yyjson/CMakeLists.txt b/deps/yyjson/CMakeLists.txt
index cd3b5d9..2b4d33e 100644
--- a/deps/yyjson/CMakeLists.txt
+++ b/deps/yyjson/CMakeLists.txt
@@ -5,4 +5,6 @@ if (CMAKE_CXX_CPPCHECK)
set(CMAKE_C_CPPCHECK ${CMAKE_CXX_CPPCHECK})
endif()
-add_library(yyjson yyjson.c) \ No newline at end of file
+add_library(yyjson yyjson.c)
+target_include_directories(yyjson PUBLIC ${CMAKE_CURRENT_LIST_DIR})
+target_link_libraries(yyjson)
diff --git a/enforcer/monitor/monitor.h b/enforcer/monitor/monitor.h
deleted file mode 100644
index 6f70f09..0000000
--- a/enforcer/monitor/monitor.h
+++ /dev/null
@@ -1 +0,0 @@
-#pragma once
diff --git a/enforcer/monitor/monitor.c b/enforcer/monitor/monitor_enforcer.c
index 8143b1e..26bf550 100644
--- a/enforcer/monitor/monitor.c
+++ b/enforcer/monitor/monitor_enforcer.c
@@ -25,4 +25,12 @@ struct monitor_mirror
struct monitor_exdata
{
struct monitor_mirror *mirror;
+};
+
+
+enum MONITOR_MAAT_PLUGIN
+{
+ MONITOR_MAAT_PLUGIN_MONITOR_RULE=0,
+ MONITOR_MAAT_PLUGIN_MIRRORING_PROFILE,
+ MONITOR_MAAT_PLUGIN_MAX
}; \ No newline at end of file
diff --git a/enforcer/monitor/monitor_enforcer.h b/enforcer/monitor/monitor_enforcer.h
new file mode 100644
index 0000000..47da1e3
--- /dev/null
+++ b/enforcer/monitor/monitor_enforcer.h
@@ -0,0 +1,55 @@
+#pragma once
+
+#include <stdint.h>
+#include <stddef.h>
+#include <stdbool.h>
+#include <uuid/uuid.h>
+
+#include "stellar/action_parameter.h"
+
+enum LOG_OPTION
+{
+ LOG_OPTION_NONE=0,
+ LOG_OPTION_ALL,
+ LOG_OPTION_METADATA,
+};
+
+// monitor
+#ifndef MAX_VLAN_ID_NUM
+#define MAX_VLAN_ID_NUM 64
+#endif
+struct mirroring_vlan
+{
+ size_t n_vlan_id;
+ uint32_t vlan_id[MAX_VLAN_ID_NUM];
+};
+
+// packet capture
+struct packet_capture
+{
+ bool enable;
+ size_t depth;
+};
+
+// mirror traffic
+struct traffic_mirroring
+{
+ bool enable;
+ uuid_t mirroring_profile;
+};
+
+struct monitor_action_parameter
+{
+ struct traffic_mirroring mirror;
+ struct packet_capture capture;
+};
+
+struct monitor_rule
+{
+ uuid_t rule_uuid;
+ enum LOG_OPTION log_option;
+ struct monitor_action_parameter *monitor;
+};
+
+struct monitor_rule *plugin_exdata_get0_monitor_rule(struct maat *cm_maat, uuid_t rule_uuid);
+struct mirroring_vlan *plugin_exdata_get0_traffic_mirroring_vlan(struct maat *cm_maat, uuid_t profile_uuid);
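Review bot: This new header includes `"stellar/action_parameter.h"`, but the same commit renames `include/stellar/action_parameter.h` to `enforcer/security/security_enforcer.h`. Unless another copy stays on the include path, the include will not resolve. The two prototypes at the end also use `struct maat` without a prior declaration, which in C gives it prototype scope only. Adding `struct maat;` above them (or including `maat.h`) fixes that. For `struct mirroring_vlan`, a comment on the field such as `/* number of valid entries in vlan_id[], never more than MAX_VLAN_ID_NUM */` would state the bound that every code path filling or walking the array has to enforce.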
diff --git a/enforcer/security/security.h b/enforcer/security/security.h
deleted file mode 100644
index 7b9637e..0000000
--- a/enforcer/security/security.h
+++ /dev/null
@@ -1 +0,0 @@
-#pragma once \ No newline at end of file
diff --git a/enforcer/security/security.c b/enforcer/security/security_enforcer.c
index 19513e9..8abdc3a 100644
--- a/enforcer/security/security.c
+++ b/enforcer/security/security_enforcer.c
@@ -21,4 +21,13 @@ struct security_exdata
drop after N packets
tamper packet
*/
+};
+
+
+enum SECURITY_MAAT_PLUGIN
+{
+ SECURITY_PLUGIN_SECURITY_RULE=0,
+ SECURITY_PLUGIN_HTTP_RESPONSE_PAGES,
+ SECURITY_PLUGIN_DNS_RESOURCE_RECORD,
+ SECURITY_PLUGIN_MAX
}; \ No newline at end of file
diff --git a/include/stellar/action_parameter.h b/enforcer/security/security_enforcer.h
index 750d4ef..ffefa29 100644
--- a/include/stellar/action_parameter.h
+++ b/enforcer/security/security_enforcer.h
@@ -5,12 +5,9 @@
#include <stdbool.h>
#include <uuid/uuid.h>
-enum LOG_OPTION
-{
- LOG_OPTION_NONE=0,
- LOG_OPTION_ALL,
- LOG_OPTION_METADATA,
-};
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <uthash/utarray.h>
enum response_type
{
@@ -160,13 +157,6 @@ enum action_parameter_origin
origin_override
};
-// packet capture
-struct packet_capture
-{
- bool enable;
- size_t depth;
-};
-
struct deny_action_parameter
{
enum action_parameter_origin origin;
@@ -178,32 +168,34 @@ struct deny_action_parameter
struct packet_capture capture;
};
-// mirror traffic
-struct traffic_mirroring
+enum SECURITY_RULE_ACTION
{
- bool enable;
- uuid_t mirroring_profile;
+ SECURITY_RULE_ACTION_NONE=0,
+ SECURITY_RULE_ACTION_DENY,
+ SECURITY_RULE_ACTION_ALLOW,
+ SECURITY_RULE_ACTION_SHUNT,
+ RULE_ACTION_MAX
};
-struct monitor_action_parameter
+struct security_rule
{
- struct traffic_mirroring mirror;
- struct packet_capture capture;
+ uuid_t rule_uuid;
+ enum SECURITY_RULE_ACTION action;
+ enum LOG_OPTION log_option;
+ char *action_str;
+ struct deny_action_parameter *deny;
};
-struct app_id_dict
+struct security_rule *plugin_exdata_get0_security_rule(struct maat *cm_maat, uuid_t rule_uuid);
+
+struct http_response_page *plugin_exdata_get0_http_response_page(struct maat *cm_maat, uuid_t profile_uuid);
+struct dns_resource_record *plugin_exdata_get0_dns_resource_record(struct maat *cm_maat, uuid_t profile_uuid);
+
+
+struct security_option_parameter
{
- int32_t app_id;
- int32_t tcp_timeout;
- int32_t udp_timeout;
- size_t app_name_sz;
- size_t category_sz;
- size_t content_sz;
- char *app_name;
- char *category;
- char *content;
- uuid_t object_uuid;
- struct override_sub_action sub_action;
+ // enum RULE_ACTION action;
+ struct override_sub_action *tcp;
+ struct override_sub_action *udp;
};
-struct app_id_dict *plugin_exdata_get0_app_id_dict(struct maat *cm_maat, int32_t appid); \ No newline at end of file
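Review bot: After this change the header still uses `struct packet_capture` (in `struct deny_action_parameter`) and `enum LOG_OPTION` (in the new `struct security_rule`), but both definitions are removed from it here and now live in `enforcer/monitor/monitor_enforcer.h`. None of the includes visible in these hunks pulls them in, so the header appears not to compile on its own. A member of an incomplete struct type is an error, not a warning. Either include the header that defines them or move the two shared types into a small common header that both enforcers include. The new prototypes also take `struct maat *` without a forward declaration, and the commented-out `// enum RULE_ACTION action;` member in `struct security_option_parameter` is better deleted than kept.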
diff --git a/include/stellar/kv.h b/include/stellar/kv.h
index c9c2c81..c950d0a 100644
--- a/include/stellar/kv.h
+++ b/include/stellar/kv.h
@@ -5,14 +5,15 @@
enum vtype
{
- FIELD_VALUE_INTEGER,
- FIELD_VALUE_DOUBLE,
- FIELD_VALUE_CSTRING,
+ VTYPE_INTEGER,
+ VTYPE_DOUBLE,
+ VTYPE_CSTRING,
+ VTYPE_UUID,
};
struct kv
{
- const char *key;
+ char *key;
size_t key_sz;
enum vtype type;
union
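Review bot: Dropping `const` from `key` here, and from `value_str.str` in the next hunk, changes who owns these pointers, but the header does not say so. In `scanner/attribute_kv.c` the strings are heap copies that `attribute_kv_free()` releases, so I would document it at the fields: `char *key; /* heap copy owned by this kv; released by its owner */`, and the same for `str`. It is also worth stating whether `key_sz` and `value_str.sz` count the terminating NUL, since consumers receive a `const struct kv *` and will size their reads from those fields.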
@@ -21,10 +22,10 @@ struct kv
double value_double;
struct
{
- const char *str;
+ char *str;
size_t sz;
}value_str;
- uuid_t uuid;
+ uuid_t value_uuid;
struct
{
struct kv **elements;
@@ -32,21 +33,3 @@ struct kv
}value_list;
};
};
-
-struct kv_table;
-
-struct kv_table *kv_table_new(size_t n_reserved);
-struct kv_table *kv_table_new_by_indexing(struct kv *kv);
-
-
-
-struct kv_table
-{
- struct kv *kv;
- UT_handle hh;
-};
-
-
-int kv_table_add(struct kv_table *table, struct kv *kv);
-
-const struct kv *kv_table_get(struct kv_table *table, const char *key, size_t key_sz); \ No newline at end of file
diff --git a/include/stellar/log.h b/include/stellar/log.h
index a075267..46750d2 100644
--- a/include/stellar/log.h
+++ b/include/stellar/log.h
@@ -5,7 +5,7 @@ extern "C"
{
#endif
-enum log_level
+enum
{
LOG_TRACE,
LOG_DEBUG,
@@ -52,8 +52,8 @@ enum log_level
}
struct logger;
-int log_check_level(struct logger *logger, enum log_level level);
-void log_print(struct logger *logger, enum log_level level, const char *module, const char *fmt, ...);
+int log_check_level(struct logger *logger, int level);
+void log_print(struct logger *logger, int level, const char *module, const char *fmt, ...);
#ifdef __cplusplus
}
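Review bot: The `log_print()` prototype takes a printf-style `fmt` but carries no format attribute, so `-Wformat` cannot check call sites for mismatched arguments or a non-literal format string. Since the declaration is being touched anyway, I would end it with `__attribute__((format(printf, 4, 5)));`. With the enum made anonymous in the first hunk and `level` turned into `int`, a one-line comment on both prototypes naming the accepted range (`LOG_TRACE` up to the last enumerator) would replace the documentation the type used to provide.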
diff --git a/include/stellar/scanner.h b/include/stellar/scanner.h
index 62a4eac..febe777 100644
--- a/include/stellar/scanner.h
+++ b/include/stellar/scanner.h
@@ -8,22 +8,13 @@ extern "C"
#include "maat.h"
#include <stddef.h>
-#include "stellar/kv.h"
-
-struct scanner;
-struct scanner *stellar_module_get_scanner(struct stellar_module_manager *mod_mgr);
-
-/*
- @ return cm maat instance
-*/
-struct maat *scanner_module_get_maat_instance(struct scanner *scanner);
-
-//const char *plugin_exdata_get0_object_table_name(struct maat *cm_maat, const char *attribute_name);
-
-/*
- @ exdata/message shares the memory of policy_exdata, so we need to free the memory of policy_exdata in exdata free callback
-*/
+#include <stellar/kv.h>
+#include <stellar/module.h>
+#include <stellar/session.h>
+#define SCANNER_MODULE_NAME "scanner_module"
+struct scanner;
+struct scanner *scanner_module_to_scanner(struct module *mod);
enum RULE_TYPE
{
@@ -33,80 +24,88 @@ enum RULE_TYPE
RULE_TYPE_DOS_PROTECTION,
RULE_TYPE_STATISTICS,
RULE_TYPE_SHAPING,
- RULE_TYPE_PROXY,
+ RULE_TYPE_PXY_INTERCEPT,
RULE_TYPE_SERVICE_CHAINING,
+ RULE_TYPE_APP_SIGNATURE,
+ RULE_TYPE_TUNNEL,
RULE_TYPE_MAX
};
-typedef void packet_match_callback(struct packet *pkt, uuid_t rule[], size_t n_rule, void *args);
-
+typedef void packet_match_callback(struct packet *pkt, uuid_t rule_uuid[], size_t n_rule_uuid, void *args);
int scanner_subscribe_packet_match(struct scanner * scanner, enum RULE_TYPE type, packet_match_callback *cb, void *args);
-typedef void session_match_callback(struct session *sess, struct packet *pkt, uuid_t rule[], size_t n_rule, void *args);
-
+typedef void session_match_callback(struct session *sess, struct packet *pkt, uuid_t rule_uuid[], size_t n_rule_uuid, void *args);
int scanner_subscribe_session_match(struct scanner * scanner, enum RULE_TYPE type, session_match_callback *cb, void *args);
struct scanner_state;
-int scanner_state_get_security_policy_matched_appid(struct scanner_state *state, uuid_t rule);
+/* return -1 if not found */
+int scanner_state_get_security_policy_matched_appid(struct scanner_state *state, uuid_t rule_uuid);
+/* return NULL if not found */
const struct scanner_state *scanner_get_state_on_session(struct scanner *scanner, struct session *sess);
const struct scanner_state *scanner_get_state_on_packet(struct scanner *scanner, struct packet *pkt);
size_t scanner_state_get_history_rule_count(struct scanner_state *exdata, enum RULE_TYPE rule_type);
-size_t scanner_state_get_history_rules(struct scanner_state *exdata, enum RULE_TYPE rule_type, uuid_t rule_uuids[], char *rule_action[], size_t n_rule_uuids);
+size_t scanner_state_get_history_rules(struct scanner_state *exdata, enum RULE_TYPE rule_type, uuid_t rule_uuids[], size_t n_rule_uuids);
size_t scanner_state_get_current_packet_rule_count(struct scanner_state *exdata, enum RULE_TYPE rule_type);
-size_t scanner_state_get_current_packet_rules(struct scanner_state *exdata, enum RULE_TYPE rule_type, uuid_t rule_uuids[], char *rule_action[], size_t n_rule_uuids);
+size_t scanner_state_get_current_packet_rules(struct scanner_state *exdata, enum RULE_TYPE rule_type, uuid_t rule_uuids[], size_t n_rule_uuids);
-enum ATTRIBUTE_TYPE
+struct maat *scanne_get_maat_instance(struct scanner *scanner);
+const char *scanner_get_application_sub_action(struct scanner *scanner, int32_t appid);
+const char *scanner_get_security_settings(struct scanner *scanner, int32_t t_vsys_id);
+
+enum HIT_OBJECT_ATTRIBUTE_TYPE
{
- ATTRIBUTE_TYPE_UNKNOWN=0,
- ATTRIBUTE_TYPE_CLIENT_IP,
- ATTRIBUTE_TYPE_SERVER_IP,
- ATTRIBUTE_TYPE_OTHERS,
- ATTRIBUTE_TYPE_MAX
+ HIT_OBJECT_ATTRIBUTE_TYPE_UNKNOWN=0,
+ HIT_OBJECT_ATTRIBUTE_TYPE_CLIENT_IP,
+ HIT_OBJECT_ATTRIBUTE_TYPE_SERVER_IP,
+ HIT_OBJECT_ATTRIBUTE_TYPE_OTHERS,
+ HIT_OBJECT_ATTRIBUTE_TYPE_MAX
};
const char *scanner_attribute_name_to_object_type(struct scanner *scanner, const char *attribute_name);
/* object option is brief or elaborate */
-size_t scanner_state_get_history_object_count(struct scanner_state *exdata, enum ATTRIBUTE_TYPE attr_type);
-size_t scanner_state_get_current_packet_hit_objects(struct scanner_state *exdata, enum ATTRIBUTE_TYPE attr_type, struct maat_hit_object hit_objects[], size_t n_hit_objects);
+size_t scanner_state_get_history_object_count(struct scanner_state *exdata, enum HIT_OBJECT_ATTRIBUTE_TYPE type);
+size_t scanner_state_get_history_hit_objects(struct scanner_state *exdata, enum HIT_OBJECT_ATTRIBUTE_TYPE attr_type, struct maat_hit_object hit_objects[], size_t n_hit_objects);
-size_t scanner_state_get_current_packet_hit_object_count(struct scanner_state *exdata, enum ATTRIBUTE_TYPE attr_type);
-size_t scanner_state_get_current_packet_hit_objects(struct scanner_state *exdata, enum ATTRIBUTE_TYPE attr_type, struct maat_hit_object hit_objects[], size_t n_hit_objects);
+size_t scanner_state_get_current_packet_hit_object_count(struct scanner_state *exdata, enum HIT_OBJECT_ATTRIBUTE_TYPE attr_type);
+size_t scanner_state_get_current_packet_hit_objects(struct scanner_state *exdata, enum HIT_OBJECT_ATTRIBUTE_TYPE attr_type, struct maat_hit_object hit_objects[], size_t n_hit_objects);
void scanner_session_record_enable_brief(struct scanner *scanner, struct session *session);
void scanner_session_record_enable_elaborate(struct scanner *scanner, struct session *session);
-enum attribute_index
+enum ATTRIBUTE_KV_INDEX
{
- ATTRIBUTE_APPLICATION=0,
- ATTRIBUTE_APPLICATION_CATEGORY,
- ATTRIBUTE_APPLICATION_TRANSITION,
- ATTRIBUTE_APPLICATION_CONTENT,
- ATTRIBUTE_SERVER_FQDN,
- ATTRIBUTE_SERVER_DOMAIN,
- ATTRIBUTE_IMEI,
- ATTRIBUTE_IMSI,
- ATTRIBUTE_PHONE_NUMBER,
- ATTRIBUTE_APN,
- ATTRIBUTE_CLIENT_SUBSCRIBER_ID,
- ATTRIBUTE_CLIENT_ASN,
- ATTRIBUTE_SERVER_ASN,
- ATTRIBUTE_CLIENT_COUNTRY_CODE,
- ATTRIBUTE_SERVER_COUNTRY_CODE,
- ATTRIBUTE_CLIENT_IP_TAG_UUIDS,
- ATTRIBUTE_SERVER_IP_TAG_UUIDS,
- ATTRIBUTE_SERVER_FQDN_TAG_UUIDS,
- ATTRIBUTE_DECODE_PATH,
- ATTRIBUTE_DECODE_AS,
- ATTRIBUTE_MAX
+ ATTRIBUTE_KV_UNKNOWN=0,
+ ATTRIBUTE_KV_APPLICATION,
+ ATTRIBUTE_KV_APPLICATION_CATEGORY,
+ ATTRIBUTE_KV_APPLICATION_TRANSITION,
+ ATTRIBUTE_KV_APPLICATION_CONTENT,
+ ATTRIBUTE_KV_SERVER_FQDN,
+ ATTRIBUTE_KV_SERVER_DOMAIN,
+ ATTRIBUTE_KV_IMEI,
+ ATTRIBUTE_KV_IMSI,
+ ATTRIBUTE_KV_PHONE_NUMBER,
+ ATTRIBUTE_KV_APN,
+ ATTRIBUTE_KV_CLIENT_SUBSCRIBER_ID,
+ ATTRIBUTE_KV_CLIENT_ASN,
+ ATTRIBUTE_KV_SERVER_ASN,
+ ATTRIBUTE_KV_CLIENT_COUNTRY_CODE,
+ ATTRIBUTE_KV_SERVER_COUNTRY_CODE,
+ ATTRIBUTE_KV_CLIENT_IP_TAG_UUIDS,
+ ATTRIBUTE_KV_SERVER_IP_TAG_UUIDS,
+ ATTRIBUTE_KV_SERVER_FQDN_TAG_UUIDS,
+ ATTRIBUTE_KV_DECODE_PATH,
+ ATTRIBUTE_KV_DECODE_AS,
+ ATTRIBUTE_KV_MAX
};
-const struct kv *scanner_get_attribute_on_session(struct scanner *scanner, struct session *sess, enum attribute_index index);
-const struct kv *scanner_get_attribute_on_packet(struct scanner *scanner, struct packet *pkt, enum attribute_index index);
+const struct kv *scanner_get_attribute_on_session(struct scanner *scanner, struct session *sess, enum ATTRIBUTE_KV_INDEX index);
+const struct kv *scanner_get_attribute_on_packet(struct scanner *scanner, struct packet *pkt, enum ATTRIBUTE_KV_INDEX index);
+
#ifdef __cplusplus
}
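Review bot: The new public accessor is declared as `scanne_get_maat_instance`, missing the `r`. Every other function in this header uses the `scanner_` prefix, and the name will be fixed in place once modules link against it and it is listed in the version script. I would rename it now: `struct maat *scanner_get_maat_instance(struct scanner *scanner);`. The `/* return NULL if not found */` comment sits above two getters, and the two new `const char *` getters (`scanner_get_application_sub_action`, `scanner_get_security_settings`) have no comment at all. Each should state its not-found result and who owns the returned string. The `*_get_history_rules` and `*_get_current_packet_rules` functions lost their `rule_action[]` output, so a note that the return value is the number of UUIDs written, capped at `n_rule_uuids`, would help callers size their arrays.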
diff --git a/include/stellar/security.h b/include/stellar/security.h
index 0378adc..4d20568 100644
--- a/include/stellar/security.h
+++ b/include/stellar/security.h
@@ -1,37 +1,15 @@
#pragma once
-#pragma once
-
-#include <stdint.h>
-#include <stddef.h>
-#include <stdbool.h>
#include <uuid/uuid.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <uthash/utarray.h>
-
-#include "stellar/action_parameter.h"
-
-enum SECURITY_RULE_ACTION
-{
- SECURITY_RULE_ACTION_NONE=0,
- //SECURITY_RULE_ACTION_MONITOR,
- SECURITY_RULE_ACTION_DENY,
- SECURITY_RULE_ACTION_ALLOW,
- SECURITY_RULE_ACTION_SHUNT,
- RULE_ACTION_MAX
-};
+#include <stellar/session.h>
-struct security_rule
-{
- uuid_t rule_uuid;
- enum SECURITY_RULE_ACTION action;
- enum LOG_OPTION log_option;
- char *action_str;
- struct deny_action_parameter *deny;
-};
+#define SECUIRTY_ENFORCER_MODULE_NAME "security_enforcer_module"
+struct security_enforcer;
+struct security_enforcer *security_enforcer_module_to_enforcer(struct module *mod);
-struct security_rule *plugin_exdata_get0_security_rule(struct maat *cm_maat, uuid_t rule_uuid);
+/* return NULL if not found */
+const char *security_enforcer_get_rule_action_on_packet(struct security_enforcer *enforcer, struct packet *pkt, uuid_t rule_uuid);
+const char *security_enforcer_get_rule_action_on_session(struct security_enforcer *enforcer, struct session *sess, uuid_t rule_uuid);
-struct http_response_page *plugin_exdata_get0_http_response_page(struct maat *cm_maat, uuid_t profile_uuid);
-struct dns_resource_record *plugin_exdata_get0_dns_resource_record(struct maat *cm_maat, uuid_t profile_uuid);
+/* return -1 if not found */
+long long security_enforcer_get_http_action_file_size(struct security_enforcer *enforcer, struct session *sess); \ No newline at end of file
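Review bot: The module-name macro is spelled `SECUIRTY_ENFORCER_MODULE_NAME`; it should be `SECURITY_ENFORCER_MODULE_NAME` before other modules start looking the enforcer up by it. The header also uses `struct module` and `struct packet` but includes only `<uuid/uuid.h>` and `<stellar/session.h>`. `include/stellar/scanner.h` in this same commit adds `<stellar/module.h>` explicitly, which suggests `session.h` does not provide it, so I would add `#include <stellar/module.h>` here too. Unlike `scanner.h` and `log.h`, this public header has no `extern "C"` guard, which matters if C++ modules are meant to include it.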
diff --git a/infra/CMakeLists.txt b/infra/CMakeLists.txt
index fe127c2..9eb989c 100644
--- a/infra/CMakeLists.txt
+++ b/infra/CMakeLists.txt
@@ -22,4 +22,4 @@ target_link_libraries(stellar PRIVATE pthread -Wl,--whole-archive ${WHOLE_ARCHIV
target_link_options(stellar PRIVATE -rdynamic)
install(TARGETS stellar_lib LIBRARY DESTINATION lib COMPONENT LIBRARIES)
-install(TARGETS stellar RUNTIME DESTINATION bin COMPONENT PROGRAM) \ No newline at end of file
+install(TARGETS stellar RUNTIME DESTINATION bin COMPONENT PROGRAM)
diff --git a/scanner/CMakeLists.txt b/scanner/CMakeLists.txt
new file mode 100644
index 0000000..45aa964
--- /dev/null
+++ b/scanner/CMakeLists.txt
@@ -0,0 +1,16 @@
+add_definitions(-fPIC)
+include_directories(${CMAKE_SOURCE_DIR}/deps)
+
+set(SCANNER_SRC ${DEPS_SRC} scanner_toml.c attribute_kv.c attribute_schema.c scanner_state.c scanner_maat.c)
+
+add_library(scanner-static STATIC ${SCANNER_SRC})
+target_link_libraries(scanner-static fieldstat4 yyjson toml uuid maatframe)
+set_target_properties(scanner-static PROPERTIES OUTPUT_NAME scanner PREFIX "")
+set_target_properties(scanner-static PROPERTIES LINK_FLAGS "-Wl,--version-script=${CMAKE_CURRENT_SOURCE_DIR}/version.map")
+
+# add_library(scanner-shared SHARED ${SCANNER_SRC})
+# set_target_properties(scanner-shared PROPERTIES OUTPUT_NAME scanner PREFIX "")
+# set_target_properties(scanner-shared PROPERTIES LINK_FLAGS "-Wl,--version-script=${CMAKE_CURRENT_SOURCE_DIR}/version.map")
+# target_link_libraries(scanner-shared fieldstat4 yyjson toml uuid maatframe)
+
+add_subdirectory(test) \ No newline at end of file
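Review bot: The `LINK_FLAGS "-Wl,--version-script=…/version.map"` property is set on `scanner-static`, a `STATIC` library, and CMake applies `LINK_FLAGS` only when linking shared libraries, modules and executables. The version script therefore has no effect, and every non-static symbol in the archive stays visible to whatever links it. If the intent is to limit the exported surface, the script has to be applied where the final shared object or executable is linked, or the commented-out shared target restored. `add_definitions(-fPIC)` also applies to everything below this directory, including the tests; `set_target_properties(scanner-static PROPERTIES POSITION_INDEPENDENT_CODE ON)` scopes it to the library.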
diff --git a/scanner/attribute_kv.c b/scanner/attribute_kv.c
new file mode 100644
index 0000000..749521f
--- /dev/null
+++ b/scanner/attribute_kv.c
@@ -0,0 +1,111 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <stellar/utils.h>
+#include "attribute_kv.h"
+
+struct attribute_kv
+{
+ int magic;
+ struct kv *attr_kv[ATTRIBUTE_KV_MAX];
+};
+
+struct attribute_kv *attribute_kv_new(void)
+{
+ return (struct attribute_kv *)CALLOC(struct attribute_kv, 1);
+}
+
+void attribute_kv_free(struct attribute_kv *attr)
+{
+ if(attr==NULL)
+ {
+ return;
+ }
+
+ for(int i=0; i<ATTRIBUTE_KV_MAX; i++)
+ {
+ if(attr->attr_kv[i]==NULL)
+ {
+ continue;
+ }
+
+ if(attr->attr_kv[i]->key!=NULL)
+ {
+ FREE(attr->attr_kv[i]->key);
+ }
+
+ switch(attr->attr_kv[i]->type)
+ {
+ case VTYPE_CSTRING:
+ if(attr->attr_kv[i]->value_str.str!=NULL)
+ {
+ FREE(attr->attr_kv[i]->value_str.str);
+ }
+ break;
+ default:
+ break;
+ }
+ }
+
+ FREE(attr);
+}
+
+void attribute_kv_set_uuid(struct attribute_kv *attr, enum ATTRIBUTE_KV_INDEX index, const char *key, size_t key_sz, uuid_t uuid)
+{
+ if(attr==NULL || index>=ATTRIBUTE_KV_MAX || index<=ATTRIBUTE_KV_UNKNOWN || key==NULL || key_sz==0)
+ {
+ return;
+ }
+
+ struct kv *kv=(struct kv *)CALLOC(struct kv, 1);
+ kv->key=strndup(key, key_sz);
+ kv->key_sz=key_sz;
+ kv->type=VTYPE_UUID;
+ memcpy(kv->value_uuid, uuid, sizeof(uuid_t));
+
+ attr->attr_kv[index]=kv;
+}
+
+void attribute_kv_set_integer(struct attribute_kv *attr, enum ATTRIBUTE_KV_INDEX index, const char *key, size_t key_sz, long long value)
+{
+ if(attr==NULL || index>=ATTRIBUTE_KV_MAX || index<=ATTRIBUTE_KV_UNKNOWN || key==NULL || key_sz==0)
+ {
+ return;
+ }
+
+ struct kv *kv=(struct kv *)CALLOC(struct kv, 1);
+ kv->key=strndup(key, key_sz);
+ kv->key_sz=key_sz;
+ kv->type=VTYPE_INTEGER;
+ kv->value_longlong=value;
+
+ attr->attr_kv[index]=kv;
+}
+
+void attribute_kv_set_string(struct attribute_kv *attr, enum ATTRIBUTE_KV_INDEX index, const char *key, size_t key_sz, const char *value, size_t value_sz)
+{
+ if(attr==NULL || index>=ATTRIBUTE_KV_MAX || index<=ATTRIBUTE_KV_UNKNOWN || key==NULL || key_sz==0 || value==NULL || value_sz==0)
+ {
+ return;
+ }
+
+ struct kv *kv=(struct kv *)CALLOC(struct kv, 1);
+ kv->key=strndup(key, key_sz);
+ kv->key_sz=key_sz;
+ kv->type=VTYPE_CSTRING;
+ kv->value_str.str=strndup(value, value_sz);
+ kv->value_str.sz=value_sz;
+
+ attr->attr_kv[index]=kv;
+}
+
+const struct kv *attribute_kv_get(struct attribute_kv *attr, enum ATTRIBUTE_KV_INDEX index)
+{
+ if(attr==NULL || index>=ATTRIBUTE_KV_MAX || index<=ATTRIBUTE_KV_UNKNOWN)
+ {
+ return NULL;
+ }
+
+ return (const struct kv *)(attr->attr_kv[index]);
+} \ No newline at end of file
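Review bot: `attribute_kv_free()` releases each entry's `key` and string value but never the `struct kv` itself, and the three setters overwrite `attr->attr_kv[index]` without releasing what was stored there, so every set leaks at least one allocation. The setters also dereference the `CALLOC` and `strndup()` results unchecked. `attribute_kv_set_string()` stores the caller's `value_sz` and `key_sz`, yet `strndup()` stops at the first NUL byte, so the recorded size can exceed the buffer and a reader that trusts `sz` would read past it. The fence shows a release helper and the string setter taking its sizes from the copies. The uuid and integer setters need the same allocation check and release-before-store, and the loop in `attribute_kv_free()` can call the helper for each slot.

```c
/* Release one entry, including the struct kv itself. */
static void attribute_kv_release(struct kv *kv)
{
    if(kv==NULL)
    {
        return;
    }

    if(kv->key!=NULL)
    {
        FREE(kv->key);
    }

    if(kv->type==VTYPE_CSTRING && kv->value_str.str!=NULL)
    {
        FREE(kv->value_str.str);
    }

    FREE(kv);
}

void attribute_kv_set_string(struct attribute_kv *attr, enum ATTRIBUTE_KV_INDEX index, const char *key, size_t key_sz, const char *value, size_t value_sz)
{
    // … unchanged: argument checks …

    struct kv *kv=(struct kv *)CALLOC(struct kv, 1);
    if(kv==NULL)
    {
        return;
    }

    kv->type=VTYPE_CSTRING;
    kv->key=strndup(key, key_sz);
    kv->value_str.str=strndup(value, value_sz);
    if(kv->key==NULL || kv->value_str.str==NULL)
    {
        attribute_kv_release(kv);
        return;
    }

    /* sizes describe the copies, so they can never exceed the allocations */
    kv->key_sz=strlen(kv->key);
    kv->value_str.sz=strlen(kv->value_str.str);

    /* drop any entry already stored at this index */
    attribute_kv_release(attr->attr_kv[index]);
    attr->attr_kv[index]=kv;
}
```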
diff --git a/scanner/attribute_kv.h b/scanner/attribute_kv.h
new file mode 100644
index 0000000..8afed18
--- /dev/null
+++ b/scanner/attribute_kv.h
@@ -0,0 +1,15 @@
+#pragma once
+
+#include <uuid/uuid.h>
+#include <stellar/scanner.h>
+
+struct attribute_kv;
+
+struct attribute_kv *attribute_kv_new(void);
+void attribute_kv_free(struct attribute_kv *attr);
+
+void attribute_kv_set_uuid(struct attribute_kv *attr, enum ATTRIBUTE_KV_INDEX index, const char *key, size_t key_sz, uuid_t uuid);
+void attribute_kv_set_integer(struct attribute_kv *attr, enum ATTRIBUTE_KV_INDEX index, const char *key, size_t key_sz, long long value);
+void attribute_kv_set_string(struct attribute_kv *attr, enum ATTRIBUTE_KV_INDEX index, const char *key, size_t key_sz, const char *value, size_t value_sz);
+
+const struct kv *attribute_kv_get(struct attribute_kv *attr, enum ATTRIBUTE_KV_INDEX index); \ No newline at end of file
diff --git a/scanner/attribute_schema.c b/scanner/attribute_schema.c
new file mode 100644
index 0000000..f063b4a
--- /dev/null
+++ b/scanner/attribute_schema.c
@@ -0,0 +1,2957 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+#include <stddef.h>
+#include <assert.h>
+
+#include <stellar/utils.h>
+
+#include "maat.h"
+#include "attribute_schema.h"
+
+void attribute_schema_free(struct attribute_schema *schema)
+{
+ if(schema==NULL)
+ {
+ return ;
+ }
+
+ if(schema->log_field_name!=NULL)
+ {
+ free(schema->log_field_name);
+ }
+
+ if(schema->scan_attribute_name!=NULL)
+ {
+ free(schema->scan_attribute_name);
+ }
+
+ free(schema);
+}
+
+void attribute_scratch_reset(struct attribute_scratch *attr, size_t n_attr)
+{
+ for(size_t i=0; i<n_attr; i++)
+ {
+ if(attr[i].is_free_schema==FREE_TRUE)
+ {
+ attribute_schema_free(attr[i].schema);
+ }
+ attr[i].schema=NULL;
+
+ switch(attr[i].value_type)
+ {
+ case ATTRIBUTE_VALUE_TYPE_STRING_ARRAY:
+ if(attr[i].is_free_value==FREE_TRUE && attr[i].string_array.value!=NULL)
+ {
+ for(size_t j=0; j<attr[i].string_array.n_value; j++)
+ {
+ FREE(attr[i].string_array.value[j]);
+ }
+ FREE(attr[i].string_array.value);
+ }
+ if(attr[i].is_free_value==FREE_TRUE && attr[i].string_array.value_sz!=NULL)
+ {
+ FREE(attr[i].string_array.value_sz);
+ }
+ attr[i].string_array.value=NULL;
+ attr[i].string_array.value_sz=NULL;
+ attr[i].string_array.n_value=0;
+ break;
+ case ATTRIBUTE_VALUE_TYPE_STRING:
+ case ATTRIBUTE_VALUE_TYPE_STREAM:
+ if(attr[i].is_free_value==FREE_TRUE && attr[i].chunk.value!=NULL)
+ {
+ FREE(attr[i].chunk.value);
+ }
+ attr[i].chunk.value=NULL;
+ attr[i].chunk.value_sz=0;
+ break;
+ case ATTRIBUTE_VALUE_TYPE_MAAT_OBJECT:
+ if(attr[i].is_free_value==FREE_TRUE && attr[i].maat_object.hit_objects!=NULL)
+ {
+ FREE(attr[i].maat_object.hit_objects);
+ }
+ attr[i].maat_object.hit_objects=NULL;
+ attr[i].maat_object.n_hit_objects=0;
+ break;
+ case ATTRIBUTE_VALUE_TYPE_NOT_LOGIC:
+ case ATTRIBUTE_VALUE_TYPE_INTEGER:
+ case ATTRIBUTE_VALUE_TYPE_FLAG:
+ attr[i].integer=0;
+ break;
+ case ATTRIBUTE_VALUE_TYPE_IPV4:
+ attr[i].ipv4_port.ipv4=0;
+ break;
+ case ATTRIBUTE_VALUE_TYPE_IPV6:
+ memset(attr[i].ipv6_port.ipv6, 0, sizeof(attr[i].ipv6_port.ipv6));
+ break;
+ default:
+ break;
+ }
+ }
+}
+
+void attribute_scratch_string_fill(struct attribute_scratch *attr, size_t attr_max, size_t *attr_offset, int is_free_schema, struct attribute_schema *schema, int is_free_value, char *value, size_t value_sz)
+{
+ if(value==NULL || value_sz==0 || (*attr_offset+1 > attr_max))
+ {
+ return ;
+ }
+
+ attr[*attr_offset].string.value=value;
+ attr[*attr_offset].string.value_sz=value_sz;
+ attr[*attr_offset].value_type=ATTRIBUTE_VALUE_TYPE_STRING;
+ attr[*attr_offset].schema=schema;
+ attr[*attr_offset].is_free_schema=is_free_schema;
+ attr[*attr_offset].is_free_value=is_free_value;
+ (*attr_offset)+=1;
+}
+
+void attribute_scratch_string_array_fill(struct attribute_scratch *attr, size_t attr_max, size_t *attr_offset, int is_free_schema, struct attribute_schema *schema, int is_free_value, char **value, size_t value_sz[], size_t n_value)
+{
+ if(value==NULL || n_value==0 || (*attr_offset+1 > attr_max))
+ {
+ return ;
+ }
+
+ attr[*attr_offset].string_array.value=value;
+ attr[*attr_offset].string_array.value_sz=value_sz;
+ attr[*attr_offset].string_array.n_value=n_value;
+ attr[*attr_offset].value_type=ATTRIBUTE_VALUE_TYPE_STRING_ARRAY;
+ attr[*attr_offset].schema=schema;
+ attr[*attr_offset].is_free_schema=is_free_schema;
+ attr[*attr_offset].is_free_value=is_free_value;
+ (*attr_offset)+=1;
+}
+
+
+void attribute_scratch_chunk_fill(struct attribute_scratch *attr, size_t attr_max, size_t *attr_offset, int is_free_schema, struct attribute_schema *schema, int is_free_value, char *value, size_t value_sz)
+{
+ if(value==NULL || value_sz==0 || (*attr_offset+1 > attr_max))
+ {
+ return ;
+ }
+
+ attr[*attr_offset].chunk.value=value;
+ attr[*attr_offset].chunk.value_sz=value_sz;
+ attr[*attr_offset].value_type=ATTRIBUTE_VALUE_TYPE_STREAM;
+ attr[*attr_offset].schema=schema;
+ attr[*attr_offset].is_free_schema=is_free_schema;
+ attr[*attr_offset].is_free_value=is_free_value;
+ (*attr_offset)+=1;
+}
+
+void attribute_scratch_integer_fill(struct attribute_scratch *attr, size_t attr_max, size_t *attr_offset, int is_free_schema, struct attribute_schema *schema, int is_free_value, long long value)
+{
+ if((*attr_offset+1 > attr_max))
+ {
+ return ;
+ }
+
+ attr[*attr_offset].integer=value;
+ attr[*attr_offset].value_type=ATTRIBUTE_VALUE_TYPE_INTEGER;
+ attr[*attr_offset].schema=schema;
+ attr[*attr_offset].is_free_schema=is_free_schema;
+ attr[*attr_offset].is_free_value=is_free_value;
+ (*attr_offset)+=1;
+}
+
+void attribute_scratch_flag_fill(struct attribute_scratch *attr, size_t attr_max, size_t *attr_offset, int is_free_schema, struct attribute_schema *schema, int is_free_value, uint64_t value)
+{
+ if((*attr_offset+1 > attr_max))
+ {
+ return ;
+ }
+
+ attr[*attr_offset].flag=value;
+ attr[*attr_offset].value_type=ATTRIBUTE_VALUE_TYPE_FLAG;
+ attr[*attr_offset].schema=schema;
+ attr[*attr_offset].is_free_schema=is_free_schema;
+ attr[*attr_offset].is_free_value=is_free_value;
+ (*attr_offset)+=1;
+}
+
+void attribute_scratch_ipv4_fill(struct attribute_scratch *attr, size_t attr_max, size_t *attr_offset, int is_free_schema, struct attribute_schema *schema, int is_free_value, uint32_t ipv4, int32_t port)
+{
+ if((*attr_offset+1 > attr_max))
+ {
+ return ;
+ }
+
+ attr[*attr_offset].ipv4_port.port=port;
+ attr[*attr_offset].ipv4_port.ipv4=ipv4;
+ attr[*attr_offset].value_type=ATTRIBUTE_VALUE_TYPE_IPV4;
+ attr[*attr_offset].schema=schema;
+ attr[*attr_offset].is_free_schema=is_free_schema;
+ attr[*attr_offset].is_free_value=is_free_value;
+ (*attr_offset)+=1;
+}
+
+void attribute_scratch_ipv6_fill(struct attribute_scratch *attr, size_t attr_max, size_t *attr_offset, int is_free_schema, struct attribute_schema *schema, int is_free_value, uint8_t ipv6[16], int32_t port)
+{
+ if((*attr_offset+1 > attr_max))
+ {
+ return ;
+ }
+
+ attr[*attr_offset].ipv6_port.port=port;
+ memcpy(attr[*attr_offset].ipv6_port.ipv6, ipv6, sizeof(attr[*attr_offset].ipv6_port.ipv6));
+ attr[*attr_offset].value_type=ATTRIBUTE_VALUE_TYPE_IPV6;
+ attr[*attr_offset].schema=schema;
+ attr[*attr_offset].is_free_schema=is_free_schema;
+ attr[*attr_offset].is_free_value=is_free_value;
+ (*attr_offset)+=1;
+}
+
+void attribute_scratch_maat_object_fill(struct attribute_scratch *attr, size_t attr_max, size_t *attr_offset, int is_free_schema, struct attribute_schema *schema, int is_free_value, struct maat_hit_object *hit_objects, size_t n_hit_objects)
+{
+ if((*attr_offset+1 > attr_max))
+ {
+ return ;
+ }
+
+ attr[*attr_offset].maat_object.hit_objects=(struct maat_hit_object *)malloc(sizeof(struct maat_hit_object)*n_hit_objects);
+ memcpy(attr[*attr_offset].maat_object.hit_objects, hit_objects, sizeof(struct maat_hit_object)*n_hit_objects);
+ attr[*attr_offset].maat_object.n_hit_objects=n_hit_objects;
+ attr[*attr_offset].value_type=ATTRIBUTE_VALUE_TYPE_MAAT_OBJECT;
+ attr[*attr_offset].schema=schema;
+ attr[*attr_offset].is_free_schema=is_free_schema;
+ attr[*attr_offset].is_free_value=1;
+ (*attr_offset)+=1;
+
+ if(is_free_value==FREE_TRUE)
+ {
+ free(hit_objects);
+ }
+}
+
+void attribute_scratch_not_logic_fill(struct attribute_scratch *attr, size_t attr_max, size_t *attr_offset, int is_free_schema, struct attribute_schema *schema, int is_free_value)
+{
+ if((*attr_offset+1 > attr_max))
+ {
+ return ;
+ }
+
+ attr[*attr_offset].value_type=ATTRIBUTE_VALUE_TYPE_NOT_LOGIC;
+ attr[*attr_offset].schema=schema;
+ attr[*attr_offset].is_free_schema=is_free_schema;
+ attr[*attr_offset].is_free_value=is_free_value;
+ attr[*attr_offset].null_ptr=NULL;
+ (*attr_offset)+=1;
+}
+
+void attribute_schema_init(struct attribute_schema *attr_schema, size_t attr_schema_sz)
+{
+ if(attr_schema==NULL || attr_schema_sz!=ATTRIBUTE_SCHEMA_MAX)
+ {
+ return ;
+ }
+
+ // tunnel
+ attr_schema[ATTRIBUTE_SCHEMA_TUNNEL_LEVEL]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TUNNEL_LEVEL,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_TUNNEL_LEVEL",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TUNNEL_GTP_ENDPOINT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TUNNEL_GTP_ENDPOINT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_TUNNEL_GTP_ENDPOINT",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TUNNEL_GRE_ENDPOINT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TUNNEL_GRE_ENDPOINT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_TUNNEL_GRE_ENDPOINT",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TUNNEL_IP_IN_IP_ENDPOINT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TUNNEL_IP_IN_IP_ENDPOINT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_TUNNEL_IP_IN_IP_ENDPOINT",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TUNNEL_UUID_LIST]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TUNNEL_UUID_LIST,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"tunnel_uuid_list"
+ };
+
+ attr_schema[ATTRIBUTE_SCHEMA_INTERNAL_IP_ADDR]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_INTERNAL_IP_ADDR,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_INTERNAL_IP",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_INTERNAL_IP_ADDR_COMMIT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_INTERNAL_IP_ADDR_COMMIT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_INTERNAL_IP",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_EXTERNAL_IP_ADDR]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_EXTERNAL_IP_ADDR,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_EXTERNAL_IP",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_EXTERNAL_IP_ADDR_COMMIT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_EXTERNAL_IP_ADDR_COMMIT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_EXTERNAL_IP",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+
+ attr_schema[ATTRIBUTE_SCHEMA_INTERNAL_PORT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_INTERNAL_PORT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_INTERNAL_PORT",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_EXTERNAL_PORT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_EXTERNAL_PORT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_EXTERNAL_PORT",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+
+ // tcp
+ attr_schema[ATTRIBUTE_SCHEMA_TCP_PAYLOAD]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TCP_PAYLOAD,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_TCP_PAYLOAD",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TCP_PAYLOAD_COMMIT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TCP_PAYLOAD_COMMIT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_TCP_PAYLOAD",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TCP_PAYLOAD_C2S_FIRST_DATA]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TCP_PAYLOAD_C2S_FIRST_DATA,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_TCP_PAYLOAD_C2S_FIRST_DATA",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TCP_PAYLOAD_S2C_FIRST_DATA]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TCP_PAYLOAD_S2C_FIRST_DATA,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_TCP_PAYLOAD_S2C_FIRST_DATA",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TCP_PAYLOAD_C2S_FIRST_DATA_LEN]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TCP_PAYLOAD_C2S_FIRST_DATA_LEN,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_TCP_PAYLOAD_C2S_FIRST_DATA_LEN",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TCP_PAYLOAD_S2C_FIRST_DATA_LEN]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TCP_PAYLOAD_S2C_FIRST_DATA_LEN,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_TCP_PAYLOAD_S2C_FIRST_DATA_LEN",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+
+ // udp
+ attr_schema[ATTRIBUTE_SCHEMA_UDP_PAYLOAD]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_UDP_PAYLOAD,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_UDP_PAYLOAD",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_UDP_PAYLOAD_COMMIT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_UDP_PAYLOAD_COMMIT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_UDP_PAYLOAD",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_UDP_PAYLOAD_C2S_FIRST_DATA]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_UDP_PAYLOAD_C2S_FIRST_DATA,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_UDP_PAYLOAD_C2S_FIRST_DATA",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_UDP_PAYLOAD_S2C_FIRST_DATA]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_UDP_PAYLOAD_S2C_FIRST_DATA,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_UDP_PAYLOAD_S2C_FIRST_DATA",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_UDP_PAYLOAD_C2S_FIRST_DATA_LEN]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_UDP_PAYLOAD_C2S_FIRST_DATA_LEN,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_UDP_PAYLOAD_C2S_FIRST_DATA_LEN",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_UDP_PAYLOAD_S2C_FIRST_DATA_LEN]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_UDP_PAYLOAD_S2C_FIRST_DATA_LEN,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_UDP_PAYLOAD_S2C_FIRST_DATA_LEN",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+
+ // session flags
+ attr_schema[ATTRIBUTE_SCHEMA_GENERAL_FLAGS]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_GENERAL_FLAGS,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_FLAG",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"flags"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_GENERAL_FLAGS_IDENTIFY_INFO]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_GENERAL_FLAGS_IDENTIFY_INFO,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"flags_identify_info"
+ };
+
+ // app id
+ attr_schema[ATTRIBUTE_SCHEMA_ANALYSIS_APPLICATION_ID]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_ANALYSIS_APPLICATION_ID,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_APP_ID",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_ANALYSIS_APPLICATION_ID_COMMIT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_ANALYSIS_APPLICATION_ID_COMMIT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_APP_ID",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_DECODED_PATH]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_DECODED_PATH,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"decoded_path"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TRANS_PROTOCOL]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TRANS_PROTOCOL,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"ip_protocol"
+ };
+
+ // http
+ attr_schema[ATTRIBUTE_SCHEMA_HTTP_VERSION]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_VERSION,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"http_version"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_HTTP_HOST]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_HOST,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"http_host"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_HTTP_URL]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_URL,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_HTTP_URL",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"http_url"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_HTTP_URL_DECODED]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_URL_DECODED,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_HTTP_URL",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+
+ // http request header
+ attr_schema[ATTRIBUTE_SCHEMA_HTTP_REQUEST_USER_AGENT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_REQUEST_USER_AGENT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"http_user_agent"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_HTTP_REQUEST_COOKIE]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_REQUEST_COOKIE,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"http_cookie"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_HTTP_REQUEST_CONTENT_TYPE]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_REQUEST_CONTENT_TYPE,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"http_request_content_type"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_HTTP_REQUEST_CONTENT_LENGTH]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_REQUEST_CONTENT_LENGTH,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"http_request_content_length"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_HTTP_REQUEST_HEADER]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_REQUEST_HEADER,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_HTTP_REQ_HDR",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_HTTP_REQUEST_HEADER_COMMIT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_REQUEST_HEADER_COMMIT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_HTTP_REQ_HDR",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_HTTP_REQUEST_REFERER]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_REQUEST_REFERER,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"http_referer"
+ };
+
+ // http request body
+ attr_schema[ATTRIBUTE_SCHEMA_HTTP_REQUEST_BODY]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_REQUEST_BODY,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_HTTP_REQ_BODY",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"http_request_body"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_HTTP_REQUEST_BODY_COMMIT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_REQUEST_BODY_COMMIT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_HTTP_REQ_BODY",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+
+ // http response header
+ attr_schema[ATTRIBUTE_SCHEMA_HTTP_RESPONSE_USER_AGENT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_RESPONSE_USER_AGENT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"http_user_agent"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_HTTP_RESPONSE_COOKIE]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_RESPONSE_COOKIE,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"http_cookie"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_HTTP_RESPONSE_CONTENT_TYPE]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_RESPONSE_CONTENT_TYPE,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"http_response_content_type"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_HTTP_RESPONSE_CONTENT_LENGTH]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_RESPONSE_CONTENT_LENGTH,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"http_response_content_length"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_HTTP_RESPONSE_HEADER]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_RESPONSE_HEADER,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_HTTP_RES_HDR",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_HTTP_RESPONSE_HEADER_COMMIT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_RESPONSE_HEADER_COMMIT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_HTTP_RES_HDR",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_HTTP_RESPONSE_REFERER]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_RESPONSE_REFERER,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"http_referer"
+ };
+
+ // http response body
+ attr_schema[ATTRIBUTE_SCHEMA_HTTP_RESPONSE_BODY]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_RESPONSE_BODY,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_HTTP_RES_BODY",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"http_response_body"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_HTTP_RESPONSE_BODY_COMMIT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_RESPONSE_BODY_COMMIT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_HTTP_RES_BODY",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+
+ // http
+ attr_schema[ATTRIBUTE_SCHEMA_HTTP_SEQUENCE]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_SEQUENCE,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"http_sequence"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_HTTP_SNAPSHOT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_SNAPSHOT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"http_snapshot"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_HTTP_REQUEST_LINE]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_REQUEST_LINE,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"http_request_line"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_HTTP_RESPONSE_LINE]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_RESPONSE_LINE,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"http_response_line"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_HTTP_RESPONSE_STATUS_CODE]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_RESPONSE_STATUS_CODE,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"http_status_code"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_HTTP_RESPONSE_SET_COOKIE]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_RESPONSE_SET_COOKIE,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"http_set_cookie"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_HTTP_RESPONSE_LATENCY_MS]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_RESPONSE_LATENCY_MS,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"http_response_latency_ms"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_HTTP_SESSION_DURATION_MS]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_SESSION_DURATION_MS,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"http_session_duration_ms"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_HTTP_ACTION_FILE_SIZE]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_ACTION_FILE_SIZE,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"http_action_file_size"
+ };
+
+ // mail
+ attr_schema[ATTRIBUTE_SCHEMA_MAIL_ACCOUNT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_MAIL_ACCOUNT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_MAIL_ACCOUNT",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"mail_account"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_MAIL_PASSWORD]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_MAIL_PASSWORD,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"mail_password"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_MAIL_FROM_CMD]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_MAIL_FROM_CMD,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_MAIL_FROM",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"mail_from_cmd"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_MAIL_TO_CMD]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_MAIL_TO_CMD,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_MAIL_TO",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_MAIL_TO_CMD_LOG]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_MAIL_TO_CMD_LOG,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"mail_to_cmd"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_MAIL_FROM]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_MAIL_FROM,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_MAIL_FROM",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"mail_from"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_MAIL_TO]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_MAIL_TO,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_MAIL_TO",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_MAIL_TO_LOG]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_MAIL_TO_LOG,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"mail_to"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_MAIL_CC]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_MAIL_CC,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_MAIL_TO",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_MAIL_CC_LOG]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_MAIL_CC_LOG,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"mail_cc"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_MAIL_BCC]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_MAIL_BCC,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_MAIL_TO",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_MAIL_BCC_LOG]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_MAIL_BCC_LOG,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"mail_bcc"
+ };
+
+ attr_schema[ATTRIBUTE_SCHEMA_MAIL_SUBJECT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_MAIL_SUBJECT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_MAIL_SUBJECT",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_MAIL_SUBJECT_LOG]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_MAIL_SUBJECT_LOG,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"mail_subject"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_MAIL_CONTENT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_MAIL_CONTENT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_MAIL_CONTENT",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"mail_content"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_MAIL_CONTENT_COMMIT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_MAIL_CONTENT_COMMIT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_MAIL_CONTENT",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_MAIL_ATTACHMENT_NAME]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_MAIL_ATTACHMENT_NAME,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_MAIL_ATT_NAME",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_MAIL_ATTACHMENT_NAME_LOG]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_MAIL_ATTACHMENT_NAME_LOG,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"mail_attachment_name"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_MAIL_ATTACHMENT_CONTENT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_MAIL_ATTACHMENT_CONTENT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_MAIL_ATT_CONTENT",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"mail_attachment_content"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_MAIL_ATTACHMENT_CONTENT_COMMIT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_MAIL_ATTACHMENT_CONTENT_COMMIT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_MAIL_ATT_CONTENT",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+
+ attr_schema[ATTRIBUTE_SCHEMA_MAIL_EML_FILE]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_MAIL_EML_FILE,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_MAIL_EML_FILE",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"mail_eml_file"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_MAIL_PROTOCOL_TYPE]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_MAIL_PROTOCOL_TYPE,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"mail_protocol_type"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_MAIL_SUBJECT_CHARSET]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_MAIL_SUBJECT_CHARSET,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"mail_subject_charset"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_MAIL_ATTACHMENT_NAME_CHARSET]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_MAIL_ATTACHMENT_NAME_CHARSET,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"mail_attachment_name_charset"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_MAIL_STARTTLS_CMD]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_MAIL_STARTTLS_CMD,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"mail_starttls_flag"
+ };
+
+ //dns
+ attr_schema[ATTRIBUTE_SCHEMA_DNS_QNAME]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_DNS_QNAME,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_DNS_QNAME",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"dns_qname"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_DNS_MESSAGE_ID]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_DNS_MESSAGE_ID,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_DNS_MESSAGE_ID",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"dns_message_id"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_DNS_QR]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_DNS_QR,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_DNS_QR",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"dns_qr"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_DNS_OPCODE]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_DNS_OPCODE,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_DNS_OPCODE",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"dns_opcode"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_DNS_AA]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_DNS_AA,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_DNS_AA",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"dns_aa"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_DNS_TC]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_DNS_TC,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_DNS_TC",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"dns_tc"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_DNS_RD]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_DNS_RD,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_DNS_RD",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"dns_rd"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_DNS_RA]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_DNS_RA,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_DNS_RA",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"dns_ra"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_DNS_RCODE]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_DNS_RCODE,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_DNS_RCODE",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"dns_rcode"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_DNS_QDCOUNT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_DNS_QDCOUNT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_DNS_QDCOUNT",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"dns_qdcount"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_DNS_ANCOUNT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_DNS_ANCOUNT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_DNS_ANCOUNT",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"dns_ancount"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_DNS_NSCOUNT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_DNS_NSCOUNT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_DNS_NSCOUNT",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"dns_nscount"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_DNS_ARCOUNT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_DNS_ARCOUNT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_DNS_ARCOUNT",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"dns_arcount"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_DNS_QTYPE]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_DNS_QTYPE,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_DNS_QTYPE",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"dns_qtype"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_DNS_QCLASS]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_DNS_QCLASS,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_DNS_QCLASS",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"dns_qclass"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_DNS_RR]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_DNS_RR,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_DNS_RR",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"dns_rr"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_DNS_CNAME]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_DNS_CNAME,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_DNS_CNAME",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"dns_cname"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_DNS_SUB]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_DNS_SUB,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_DNS_SUB",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"dns_sub"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_DNS_RESPONSE_LATENCY_MS]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_DNS_RESPONSE_LATENCY_MS,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"dns_response_latency_ms"
+ };
+
+ // ssl
+ attr_schema[ATTRIBUTE_SCHEMA_SSL_VERSION]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SSL_VERSION,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"ssl_version"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SSL_SNI]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SSL_SNI,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"ssl_sni"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SSL_CN]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SSL_CN,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_SSL_CN",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"ssl_cn"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SSL_SAN_LOG]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SSL_SAN_LOG,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"ssl_san"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SSL_SAN]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SSL_SAN,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_SSL_SAN",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SSL_SAN_COMMIT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SSL_SAN_COMMIT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_SSL_SAN",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SSL_JA3_HASH]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SSL_JA3_HASH,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_SSL_ANALYSIS_JA3",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"ssl_ja3_hash"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SSL_JA3S_HASH]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SSL_JA3S_HASH,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_SSL_ANALYSIS_JA3S",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"ssl_ja3s_hash"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SSL_JA4_HASH]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SSL_JA4_HASH,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_SSL_ANALYSIS_JA4",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"ssl_ja4_fingerprint"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SSL_JA4S_HASH]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SSL_JA4S_HASH,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_SSL_ANALYSIS_JA4S",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"ssl_ja4s_fingerprint"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SSL_ESNI]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SSL_ESNI,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_SSL_ESNI",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SSL_ESNI_FLAG]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SSL_ESNI_FLAG,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"ssl_esni_flag"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SSL_ECH]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SSL_ECH,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_SSL_ECH",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SSL_ECH_FLAG]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SSL_ECH_FLAG,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"ssl_ech_flag"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SSL_NO_SNI]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SSL_NO_SNI,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_SSL_NO_SNI",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+
+ attr_schema[ATTRIBUTE_SCHEMA_SSL_CERTIFICATE_ALGORITHM_IDENTIFIER]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SSL_CERTIFICATE_ALGORITHM_IDENTIFIER,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_SSL_HANDSHAKE_CERTIFICATE_ALGORITHM_IDENTIFIER",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SSL_CERTIFICATE_SERIAL_NUMBER]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SSL_CERTIFICATE_SERIAL_NUMBER,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_SSL_HANDSHAKE_CERTIFICATE_SERIAL_NUMBER",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SSL_CERTIFICATE_ISSUER_COMMON_NAME]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SSL_CERTIFICATE_ISSUER_COMMON_NAME,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_SSL_HANDSHAKE_CERTIFICATE_ISSUER_COMMON_NAME",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SSL_CERTIFICATE_ISSUER_ORGANIZATION_NAME]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SSL_CERTIFICATE_ISSUER_ORGANIZATION_NAME,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_SSL_HANDSHAKE_CERTIFICATE_ISSUER_ORGANIZATION_NAME",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SSL_CERTIFICATE_ISSUER_COUNTRY_NAME]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SSL_CERTIFICATE_ISSUER_COUNTRY_NAME,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_SSL_HANDSHAKE_CERTIFICATE_ISSUER_COUNTRY_NAME",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SSL_CERTIFICATE_SUBJECT_COUNTRY_NAME]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SSL_CERTIFICATE_SUBJECT_COUNTRY_NAME,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_SSL_HANDSHAKE_CERTIFICATE_SUBJECT_COUNTRY_NAME",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SSL_CERTIFICATE_SUBJECT_ORGANIZATION_NAME]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SSL_CERTIFICATE_SUBJECT_ORGANIZATION_NAME,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_SSL_HANDSHAKE_CERTIFICATE_SUBJECT_ORGANIZATION_NAME",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SSL_CERTIFICATE_NOT_VALID_BEFORE]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SSL_CERTIFICATE_NOT_VALID_BEFORE,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_SSL_HANDSHAKE_CERTIFICATE_NOT_VALID_BEFORE",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SSL_CERTIFICATE_NOT_VALID_AFTER]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SSL_CERTIFICATE_NOT_VALID_AFTER,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_SSL_HANDSHAKE_CERTIFICATE_NOT_VALID_AFTER",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SSL_CERTIFICATE_ALGORITHM_ID]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SSL_CERTIFICATE_ALGORITHM_ID,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_SSL_HANDSHAKE_CERTIFICATE_ALGORITHM_ID",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+
+ attr_schema[ATTRIBUTE_SCHEMA_SSL_HANDSHAKE_LATENCY_MS]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SSL_HANDSHAKE_LATENCY_MS,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"ssl_handshake_latency_ms"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SSL_CERTIFICATE_ISSUER]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SSL_CERTIFICATE_ISSUER,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"ssl_cert_issuer"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SSL_CERTIFICATE_SUBJECT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SSL_CERTIFICATE_SUBJECT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"ssl_cert_subject"
+ };
+
+ // dtls
+ attr_schema[ATTRIBUTE_SCHEMA_DTLS_SNI]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_DTLS_SNI,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"dtls_sni"
+ };
+
+ attr_schema[ATTRIBUTE_SCHEMA_DTLS_COOKIE]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_DTLS_COOKIE,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"dtls_cookie"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_DTLS_VERSION]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_DTLS_VERSION,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"dtls_version"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_DTLS_CN]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_DTLS_CN,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_DTLS_CN",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"dtls_cn"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_DTLS_SAN]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_DTLS_SAN,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"dtls_san"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_DTLS_HANDSHAKE_LATENCY_MS]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_DTLS_HANDSHAKE_LATENCY_MS,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"dtls_handshake_latency_ms"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_DTLS_JA3_HASH]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_DTLS_JA3_HASH,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_DTLS_ANALYSIS_JA3",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"dtls_ja3_hash"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_DTLS_JA3S_HASH]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_DTLS_JA3S_HASH,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_DTLS_ANALYSIS_JA3S",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"dtls_ja3s_hash"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_DTLS_CERTIFICATE_ISSUER]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_DTLS_CERTIFICATE_ISSUER,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"dtls_cert_issuer"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_DTLS_CERTIFICATE_SUBJECT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_DTLS_CERTIFICATE_SUBJECT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"dtls_cert_subject"
+ };
+
+ // quic
+ attr_schema[ATTRIBUTE_SCHEMA_QUIC_SNI]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_QUIC_SNI,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"quic_sni"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_QUIC_VERSION]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_QUIC_VERSION,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"quic_version"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_QUIC_USER_AGENT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_QUIC_USER_AGENT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"quic_user_agent"
+ };
+
+ // ftp
+ attr_schema[ATTRIBUTE_SCHEMA_FTP_ACCOUNT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_FTP_ACCOUNT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_FTP_ACCOUNT",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"ftp_account"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_FTP_PASSWORD]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_FTP_PASSWORD,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"ftp_password"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_FTP_URL]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_FTP_URL,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_FTP_URI",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"ftp_url"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_FTP_CONTENT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_FTP_CONTENT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_FTP_CONTENT",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_FTP_CONTENT_COMMIT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_FTP_CONTENT_COMMIT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_FTP_CONTENT",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_FTP_LINK_TYPE]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_FTP_LINK_TYPE,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"ftp_link_type"
+ };
+
+ // sip
+ attr_schema[ATTRIBUTE_SCHEMA_SIP_ORIGINATOR_DESCRIPTION]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SIP_ORIGINATOR_DESCRIPTION,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_SIP_ORIGINATOR_DESCRIPTION",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"sip_originator_description"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SIP_RESPONDER_DESCRIPTION]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SIP_RESPONDER_DESCRIPTION,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_SIP_RESPONDER_DESCRIPTION",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"sip_responder_description"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SIP_CALL_ID]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SIP_CALL_ID,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"sip_call_id"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SIP_USER_AGENT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SIP_USER_AGENT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"sip_user_agent"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SIP_SERVER]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SIP_SERVER,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"sip_server"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SIP_ORIGINATOR_SDP_CONNECT_IP]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SIP_ORIGINATOR_SDP_CONNECT_IP,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"sip_originator_sdp_connect_ip"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SIP_RESPONDER_SDP_CONNECT_IP]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SIP_RESPONDER_SDP_CONNECT_IP,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"sip_responder_sdp_connect_ip"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SIP_ORIGINATOR_SDP_MEDIA_PORT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SIP_ORIGINATOR_SDP_MEDIA_PORT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"sip_originator_sdp_media_port"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SIP_RESPONDER_SDP_MEDIA_PORT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SIP_RESPONDER_SDP_MEDIA_PORT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"sip_responder_sdp_media_port"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SIP_ORIGINATOR_SDP_MEDIA_TYPE]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SIP_ORIGINATOR_SDP_MEDIA_TYPE,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"sip_originator_sdp_media_type"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SIP_RESPONDER_SDP_MEDIA_TYPE]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SIP_RESPONDER_SDP_MEDIA_TYPE,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"sip_responder_sdp_media_type"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SIP_ORIGINATOR_SDP_CONTENT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SIP_ORIGINATOR_SDP_CONTENT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"sip_originator_sdp_content"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SIP_RESPONDER_SDP_CONTENT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SIP_RESPONDER_SDP_CONTENT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"sip_responder_sdp_content"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SIP_DURATION_S]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SIP_DURATION_S,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"sip_duration_s"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SIP_BYE]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SIP_BYE,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"sip_bye"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SIP_BYE_REASON]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SIP_BYE_REASON,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"sip_bye_reason"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SIP_VIA]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SIP_VIA,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"sip_via"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SIP_CSEQ]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SIP_CSEQ,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"sip_cseq"
+ };
+
+ // rtp
+ attr_schema[ATTRIBUTE_SCHEMA_RTP_PAYLOAD_TYPE_C2S]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_RTP_PAYLOAD_TYPE_C2S,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"rtp_payload_type_c2s"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_RTP_PAYLOAD_TYPE_S2C]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_RTP_PAYLOAD_TYPE_S2C,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"rtp_payload_type_s2c"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_RTP_PCAP_PATH]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_RTP_PCAP_PATH,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"rtp_pcap_path"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_RTP_ORIGINATOR_DIR]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_RTP_ORIGINATOR_DIR,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"rtp_originator_dir"
+ };
+
+ // ssh
+ attr_schema[ATTRIBUTE_SCHEMA_SSH_VERSION]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SSH_VERSION,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"ssh_version"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SSH_AUTH_SUCCESS]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SSH_AUTH_SUCCESS,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"ssh_auth_success"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SSH_CLIENT_VERSION]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SSH_CLIENT_VERSION,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"ssh_client_version"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SSH_SERVER_VERSION]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SSH_SERVER_VERSION,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"ssh_server_version"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SSH_CIPHER_ALG]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SSH_CIPHER_ALG,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"ssh_cipher_alg"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SSH_MAC_ALG]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SSH_MAC_ALG,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"ssh_mac_alg"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SSH_COMPRESSION_ALG]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SSH_COMPRESSION_ALG,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"ssh_compression_alg"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SSH_KEX_ALG]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SSH_KEX_ALG,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"ssh_kex_alg"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SSH_HOST_KEY_ALG]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SSH_HOST_KEY_ALG,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"ssh_host_key_alg"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SSH_HOST_KEY]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SSH_HOST_KEY,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"ssh_host_key"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SSH_HASSH]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SSH_HASSH,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"ssh_hassh"
+ };
+
+ // stratum
+ attr_schema[ATTRIBUTE_SCHEMA_STRATUM_CRYPTOCURRENCY]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_STRATUM_CRYPTOCURRENCY,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"stratum_cryptocurrency"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_STRATUM_MINING_POOLS]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_STRATUM_MINING_POOLS,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"stratum_mining_pools"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_STRATUM_MINING_PROGRAM]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_STRATUM_MINING_PROGRAM,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"stratum_mining_program"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_STRATUM_MINING_SUBSCRIBE]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_STRATUM_MINING_SUBSCRIBE,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"stratum_mining_subscribe"
+ };
+
+ // rdp
+ attr_schema[ATTRIBUTE_SCHEMA_RDP_COOKIE]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_RDP_COOKIE,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"rdp_cookie"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_RDP_SECURITY_PROTOCOL]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_RDP_SECURITY_PROTOCOL,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"rdp_security_protocol"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_RDP_CLIENT_CHANNELS]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_RDP_CLIENT_CHANNELS,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"rdp_client_channels"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_RDP_KEYBOARD_LAYOUT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_RDP_KEYBOARD_LAYOUT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"rdp_keyboard_layout"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_RDP_CLIENT_VERSION]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_RDP_CLIENT_VERSION,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"rdp_client_version"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_RDP_CLIENT_NAME]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_RDP_CLIENT_NAME,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"rdp_client_name"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_RDP_CLIENT_PRODUCT_ID]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_RDP_CLIENT_PRODUCT_ID,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"rdp_client_product_id"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_RDP_DESKTOP_WIDTH]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_RDP_DESKTOP_WIDTH,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"rdp_desktop_width"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_RDP_DESKTOP_HEIGHT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_RDP_DESKTOP_HEIGHT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"rdp_desktop_height"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_RDP_REQUESTED_COLOR_DEPTH]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_RDP_REQUESTED_COLOR_DEPTH,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"rdp_requested_color_depth"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_RDP_CERTIFICATE_TYPE]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_RDP_CERTIFICATE_TYPE,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"rdp_certificate_type"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_RDP_CERTIFICATE_COUNT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_RDP_CERTIFICATE_COUNT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"rdp_certificate_count"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_RDP_CERTIFICATE_PERMANENT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_RDP_CERTIFICATE_PERMANENT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"rdp_certificate_permanent"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_RDP_ENCRYPTION_LEVEL]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_RDP_ENCRYPTION_LEVEL,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"rdp_encryption_level"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_RDP_ENCRYPTION_METHOD]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_RDP_ENCRYPTION_METHOD,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"rdp_encryption_method"
+ };
+ // general
+ attr_schema[ATTRIBUTE_SCHEMA_GENERAL_SESSION_DIRECTION]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_GENERAL_SESSION_DIRECTION,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"direction"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_GENERAL_DECODED_AS]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_GENERAL_DECODED_AS,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"decoded_as"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_GENERAL_SESSION_ID]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_GENERAL_SESSION_ID,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"session_id"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_GENERAL_START_TIMESTAMP_MS]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_GENERAL_START_TIMESTAMP_MS,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"start_timestamp_ms"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_GENERAL_END_TIMESTAMP_MS]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_GENERAL_END_TIMESTAMP_MS,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"end_timestamp_ms"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_GENERAL_DURATION_MS]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_GENERAL_DURATION_MS,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"duration_ms"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_GENERAL_TCP_HANDSHAKE_LATENCY_MS]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_GENERAL_TCP_HANDSHAKE_LATENCY_MS,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"tcp_handshake_latency_ms"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_GENERAL_DEVICE_ID]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_GENERAL_DEVICE_ID,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"device_id"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_GENERAL_OUT_LINK_ID]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_GENERAL_OUT_LINK_ID,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"out_link_id"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_GENERAL_IN_LINK_ID]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_GENERAL_IN_LINK_ID,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"in_link_id"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_GENERAL_DEVICE_TAG]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_GENERAL_DEVICE_TAG,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"device_tag"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_GENERAL_DATA_CENTER]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_GENERAL_DATA_CENTER,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"data_center"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_GENERAL_DEVICE_GROUP]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_GENERAL_DEVICE_GROUP,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"device_group"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_GENERAL_SLED_IP]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_GENERAL_SLED_IP,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"sled_ip"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_GENERAL_ADDRESS_TYPE]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_GENERAL_ADDRESS_TYPE,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"address_type"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_IP_PROTOCOL]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_IP_PROTOCOL,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_IP_PROTOCOL",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_GENERAL_VSYS_ID]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_GENERAL_VSYS_ID,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"vsys_id"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_GENERAL_T_VSYS_ID]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_GENERAL_T_VSYS_ID,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"t_vsys_id"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TREATMENT_SECURITY_RULE_LIST]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TREATMENT_SECURITY_RULE_LIST,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"security_rule_uuid_list"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TREATMENT_SECURITY_ACTION]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TREATMENT_SECURITY_ACTION,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"security_action"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TREATMENT_MONITOR_RULE_LIST]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TREATMENT_MONITOR_RULE_LIST,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"monitor_rule_uuid_list"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TREATMENT_MONITOR_MIRRORED_BYTES]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TREATMENT_MONITOR_MIRRORED_BYTES,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"monitor_mirrored_bytes"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TREATMENT_MONITOR_MIRRORED_PKTS]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TREATMENT_MONITOR_MIRRORED_PKTS,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"monitor_mirrored_pkts"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TREATMENT_STATISTICS_RULE_LIST]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TREATMENT_STATISTICS_RULE_LIST,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"statistics_rule_uuid_list"
+ };
+
+ // client and server
+ attr_schema[ATTRIBUTE_SCHEMA_CLIENT_IP]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_CLIENT_IP,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"client_ip"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_CLIENT_IPV4]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_CLIENT_IPV4,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_CLIENT_IP_IDX,
+ .scan_attribute_name=(char *)"ATTR_SOURCE_IP",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_CLIENT_IPV4_TAGS]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_CLIENT_IPV4_TAGS,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_SOURCE_IP",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_CLIENT_IPV4_COMMIT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_CLIENT_IPV4_COMMIT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_CLIENT_IP_IDX,
+ .scan_attribute_name=(char *)"ATTR_SOURCE_IP",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_CLIENT_IPV6]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_CLIENT_IPV6,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_CLIENT_IP_IDX,
+ .scan_attribute_name=(char *)"ATTR_SOURCE_IP",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_CLIENT_IPV6_TAGS]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_CLIENT_IPV6_TAGS,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_SOURCE_IP",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_CLIENT_IPV6_COMMIT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_CLIENT_IPV6_COMMIT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_CLIENT_IP_IDX,
+ .scan_attribute_name=(char *)"ATTR_SOURCE_IP",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_CLIENT_IP_TAGS]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_CLIENT_IP_TAGS,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"client_ip_tags"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_CLIENT_PORT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_CLIENT_PORT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_SOURCE_PORT",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"client_port"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_CLIENT_PORT_COMMIT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_CLIENT_PORT_COMMIT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_SOURCE_PORT",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_CLIENT_OS_DESC]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_CLIENT_OS_DESC,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"client_os_desc"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_CLIENT_ASN_ID]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_CLIENT_ASN_ID,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"client_asn"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_CLIENT_ASN_ID_STR]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_CLIENT_ASN_ID_STR,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_CLIENT_SUBSCRIBER_ID]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_CLIENT_SUBSCRIBER_ID,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_SUBSCRIBER_ID",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"subscriber_id"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_CLIENT_COUNTRY_CODE]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_CLIENT_COUNTRY_CODE,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"client_country"
+ };
+
+ // imei, imsi, apn, phone number
+ attr_schema[ATTRIBUTE_SCHEMA_CLIENT_IMEI]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_CLIENT_IMEI,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_GTP_IMEI",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"imei"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_CLIENT_IMSI]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_CLIENT_IMSI,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_GTP_IMSI",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"imsi"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_CLIENT_APN]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_CLIENT_APN,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_GTP_APN",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"apn"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_CLIENT_MSISDN]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_CLIENT_MSISDN,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_GTP_PHONE_NUMBER",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"phone_number"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_CLIENT_FISRT_PKT_TTL]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_CLIENT_FISRT_PKT_TTL,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"c2s_ttl"
+ };
+
+ // server
+ attr_schema[ATTRIBUTE_SCHEMA_SERVER_IP]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SERVER_IP,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"server_ip"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SERVER_IPV4]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SERVER_IPV4,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_SERVER_IP_IDX,
+ .scan_attribute_name=(char *)"ATTR_DESTINATION_IP",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SERVER_IPV4_TAGS]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SERVER_IPV4_TAGS,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_DESTINATION_IP",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SERVER_IPV4_COMMIT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SERVER_IPV4_COMMIT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_SERVER_IP_IDX,
+ .scan_attribute_name=(char *)"ATTR_DESTINATION_IP",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SERVER_IPV6]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SERVER_IPV6,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_SERVER_IP_IDX,
+ .scan_attribute_name=(char *)"ATTR_DESTINATION_IP",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SERVER_IPV6_TAGS]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SERVER_IPV6_TAGS,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_DESTINATION_IP",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SERVER_IPV6_COMMIT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SERVER_IPV6_COMMIT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_SERVER_IP_IDX,
+ .scan_attribute_name=(char *)"ATTR_DESTINATION_IP",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SERVER_IP_TAGS]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SERVER_IP_TAGS,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"server_ip_tags"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SERVER_PORT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SERVER_PORT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_DESTINATION_PORT",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"server_port"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SERVER_PORT_COMMIT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SERVER_PORT_COMMIT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_DESTINATION_PORT",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SERVER_OS_DESC]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SERVER_OS_DESC,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"server_os_desc"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SERVER_ASN_ID]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SERVER_ASN_ID,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"server_asn"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SERVER_ASN_ID_STR]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SERVER_ASN_ID_STR,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SERVER_COUNTRY_CODE]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SERVER_COUNTRY_CODE,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"server_country"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SERVER_FQDN]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SERVER_FQDN,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_SERVER_FQDN",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SERVER_FQDN_COMMIT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SERVER_FQDN_COMMIT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX,
+ .scan_attribute_name=(char *)"ATTR_SERVER_FQDN",
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=NULL
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SERVER_FQDN_LOG]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SERVER_FQDN_LOG,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"server_fqdn"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SERVER_FQDN_TAGS]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SERVER_FQDN_TAGS,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"server_fqdn_tags"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SERVER_DOMAIN_LOG]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SERVER_DOMAIN_LOG,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"server_domain"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_SERVER_FISRT_PKT_TTL]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_SERVER_FISRT_PKT_TTL,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"s2c_ttl"
+ };
+
+ // application
+ attr_schema[ATTRIBUTE_SCHEMA_APPLICATION_TRANSITION]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_APPLICATION_TRANSITION,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"app_transition"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_APPLICATION]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_APPLICATION,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"app"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_APPLICATION_CATEGORY]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_APPLICATION_CATEGORY,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"app_category"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_APPLICATION_EXTRA_INFO]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_APPLICATION_EXTRA_INFO,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"app_extra_info"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_APPLICATION_DEBUG_INFO]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_APPLICATION_DEBUG_INFO,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"app_debug_info"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_APPLICATION_CONTENT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_APPLICATION_CONTENT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"app_content"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_APPLICATION_PROTOCOL_PATH]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_APPLICATION_PROTOCOL_PATH,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"protocol_path"
+ };
+
+ // transmission
+ attr_schema[ATTRIBUTE_SCHEMA_TRANSMISSION_SENT_PKTS]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TRANSMISSION_SENT_PKTS,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"sent_pkts"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TRANSMISSION_SENT_BYTES]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TRANSMISSION_SENT_BYTES,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"sent_bytes"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TRANSMISSION_RECEIVED_PKTS]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TRANSMISSION_RECEIVED_PKTS,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"received_pkts"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TRANSMISSION_RECEIVED_BYTES]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TRANSMISSION_RECEIVED_BYTES,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"received_bytes"
+ };
+
+ // transmission tcp
+ attr_schema[ATTRIBUTE_SCHEMA_TRANSMISSION_TCP_C2S_IP_FRAGMENTS]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TRANSMISSION_TCP_C2S_IP_FRAGMENTS,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"tcp_c2s_ip_fragments"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TRANSMISSION_TCP_S2C_IP_FRAGMENTS]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TRANSMISSION_TCP_S2C_IP_FRAGMENTS,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"tcp_s2c_ip_fragments"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TRANSMISSION_TCP_C2S_LOST_BYTES]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TRANSMISSION_TCP_C2S_LOST_BYTES,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"tcp_c2s_lost_bytes"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TRANSMISSION_TCP_S2C_LOST_BYTES]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TRANSMISSION_TCP_S2C_LOST_BYTES,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"tcp_s2c_lost_bytes"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TRANSMISSION_TCP_C2S_O3_PKTS]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TRANSMISSION_TCP_C2S_O3_PKTS,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"tcp_c2s_o3_pkts"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TRANSMISSION_TCP_S2C_O3_PKTS]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TRANSMISSION_TCP_S2C_O3_PKTS,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"tcp_s2c_o3_pkts"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TRANSMISSION_TCP_C2S_RTX_PKTS]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TRANSMISSION_TCP_C2S_RTX_PKTS,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"tcp_c2s_rtx_pkts"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TRANSMISSION_TCP_S2C_RTX_PKTS]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TRANSMISSION_TCP_S2C_RTX_PKTS,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"tcp_s2c_rtx_pkts"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TRANSMISSION_TCP_C2S_RTX_BYTES]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TRANSMISSION_TCP_C2S_RTX_BYTES,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"tcp_c2s_rtx_bytes"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TRANSMISSION_TCP_S2C_RTX_BYTES]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TRANSMISSION_TCP_S2C_RTX_BYTES,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"tcp_s2c_rtx_bytes"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TRANSMISSION_TCP_RTT_MS]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TRANSMISSION_TCP_RTT_MS,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"tcp_rtt_ms"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TRANSMISSION_TCP_CLEINT_ISN]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TRANSMISSION_TCP_CLEINT_ISN,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_CLIENT_IP_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"tcp_client_isn"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TRANSMISSION_TCP_SERVER_ISN]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TRANSMISSION_TCP_SERVER_ISN,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_SERVER_IP_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"tcp_server_isn"
+ };
+
+ // init other attribute schema
+ attr_schema[ATTRIBUTE_SCHEMA_OTHER_PACKET_CAPTURE_FILE]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_OTHER_PACKET_CAPTURE_FILE,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"packet_capture_file"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_OTHER_ENCAPSULATION_TYPE]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_OTHER_ENCAPSULATION_TYPE,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"encapsulation_type"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_OTHER_IN_SRC_MAC]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_OTHER_IN_SRC_MAC,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"in_src_mac"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_OTHER_OUT_SRC_MAC]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_OTHER_OUT_SRC_MAC,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"out_src_mac"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_OTHER_IN_DEST_MAC]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_OTHER_IN_DEST_MAC,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"in_dest_mac"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_OTHER_OUT_DEST_MAC]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_OTHER_OUT_DEST_MAC,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"out_dest_mac"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_OTHER_ENCAPSULATION]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_OTHER_ENCAPSULATION,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"encapsulation"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_OTHER_DUP_TRAFFIC_FLAG]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_OTHER_DUP_TRAFFIC_FLAG,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"dup_traffic_flag"
+ };
+
+ // encapsulation
+ attr_schema[ATTRIBUTE_SCHEMA_TUNNELS_SCHEMA_TYPE]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TUNNELS_SCHEMA_TYPE,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"tunnels_schema_type"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TUNNELS_GTP_ENDPOINT_A_IP]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TUNNELS_GTP_ENDPOINT_A_IP,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"gtp_endpoint_a_ip"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TUNNELS_GTP_ENDPOINT_B_IP]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TUNNELS_GTP_ENDPOINT_B_IP,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"gtp_endpoint_b_ip"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TUNNELS_GTP_ENDPOINT_A_PORT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TUNNELS_GTP_ENDPOINT_A_PORT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"gtp_endpoint_a_port"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TUNNELS_GTP_ENDPOINT_B_PORT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TUNNELS_GTP_ENDPOINT_B_PORT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"gtp_endpoint_b_port"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TUNNELS_GTP_A2B_TEID]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TUNNELS_GTP_A2B_TEID,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"gtp_endpoint_a2b_teid"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TUNNELS_GTP_B2A_TEID]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TUNNELS_GTP_B2A_TEID,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"gtp_endpoint_b2a_teid"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TUNNELS_MPLS_C2S_DIRECTION_LABEL]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TUNNELS_MPLS_C2S_DIRECTION_LABEL,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"mpls_c2s_direction_label"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TUNNELS_MPLS_S2C_DIRECTION_LABEL]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TUNNELS_MPLS_S2C_DIRECTION_LABEL,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"mpls_s2c_direction_label"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TUNNELS_VLAN_C2S_DIRECTION_ID]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TUNNELS_VLAN_C2S_DIRECTION_ID,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"vlan_c2s_direction_id"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TUNNELS_VLAN_S2C_DIRECTION_ID]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TUNNELS_VLAN_S2C_DIRECTION_ID,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"vlan_s2c_direction_id"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TUNNELS_SOURCE_MAC]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TUNNELS_SOURCE_MAC,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"source_mac"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TUNNELS_DESTINATION_MAC]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TUNNELS_DESTINATION_MAC,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"destination_mac"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TUNNELS_C2S_SOURCE_MAC]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TUNNELS_C2S_SOURCE_MAC,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"c2s_source_mac"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TUNNELS_C2S_DESTINATION_MAC]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TUNNELS_C2S_DESTINATION_MAC,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"c2s_destination_mac"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TUNNELS_S2C_SOURCE_MAC]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TUNNELS_S2C_SOURCE_MAC,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"s2c_source_mac"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TUNNELS_S2C_DESTINATION_MAC]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TUNNELS_S2C_DESTINATION_MAC,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"s2c_destination_mac"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TUNNELS_CLIENT_IP]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TUNNELS_CLIENT_IP,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_CLIENT_IP_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"client_ip"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TUNNELS_SERVER_IP]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TUNNELS_SERVER_IP,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_SERVER_IP_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"server_ip"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TUNNELS_PPTP_UPLINK_TUNNEL_ID]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TUNNELS_PPTP_UPLINK_TUNNEL_ID,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"pptp_uplink_tunnel_id"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TUNNELS_PPTP_DOWNLINK_TUNNEL_ID]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TUNNELS_PPTP_DOWNLINK_TUNNEL_ID,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"pptp_downlink_tunnel_id"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TUNNELS_L2TP_VERSION]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TUNNELS_L2TP_VERSION,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"l2tp_version"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TUNNELS_L2TP_LAC2LNS_TUNNEL_ID]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TUNNELS_L2TP_LAC2LNS_TUNNEL_ID,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"l2tp_lac2lns_tunnel_id"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TUNNELS_L2TP_LNS2LAC_TUNNEL_ID]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TUNNELS_L2TP_LNS2LAC_TUNNEL_ID,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"l2tp_lns2lac_tunnel_id"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TUNNELS_L2TP_LAC2LNS_SESSION_ID]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TUNNELS_L2TP_LAC2LNS_SESSION_ID,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"l2tp_lac2lns_session_id"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TUNNELS_L2TP_LNS2LAC_SESSION_ID]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TUNNELS_L2TP_LNS2LAC_SESSION_ID,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"l2tp_lns2lac_session_id"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TUNNELS_L2TP_ACCESS_CONCENTRATOR_IP]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TUNNELS_L2TP_ACCESS_CONCENTRATOR_IP,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"l2tp_access_concentrator_ip"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TUNNELS_L2TP_NETWORK_SERVER_IP]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TUNNELS_L2TP_NETWORK_SERVER_IP,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"l2tp_network_server_ip"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TUNNELS_L2TP_ACCESS_CONCENTRATOR_PORT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TUNNELS_L2TP_ACCESS_CONCENTRATOR_PORT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"l2tp_access_concentrator_port"
+ };
+ attr_schema[ATTRIBUTE_SCHEMA_TUNNELS_L2TP_NETWORK_SERVER_PORT]=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_TUNNELS_L2TP_NETWORK_SERVER_PORT,
+ .scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_FALSE,
+ .scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ,
+ .log_field_name=(char *)"l2tp_network_server_port"
+ };
+
+ for(int i=ATTRIBUTE_SCHEMA_UNKNOWN; i<ATTRIBUTE_SCHEMA_MAX; i++)
+ {
+ attr_schema[i].attr_idx=(enum ATTRIBUTE_SCHEMA)i;
+ attr_schema[i].log_field_name_sz=((attr_schema[i].log_field_name!=NULL) ? strlen(attr_schema[i].log_field_name) : 0);
+ }
+}
diff --git a/scanner/attribute_schema.h b/scanner/attribute_schema.h
new file mode 100644
index 0000000..a2d94cc
--- /dev/null
+++ b/scanner/attribute_schema.h
@@ -0,0 +1,521 @@
+#pragma once
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "maat.h"
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+enum ATTRIBUTE_SCHEMA
+{
+ ATTRIBUTE_SCHEMA_UNKNOWN=0,
+
+ // tunnel
+ ATTRIBUTE_SCHEMA_TUNNEL_LEVEL,
+ ATTRIBUTE_SCHEMA_TUNNEL_OBJECT,
+ ATTRIBUTE_SCHEMA_TUNNEL_GTP_ENDPOINT,
+ ATTRIBUTE_SCHEMA_TUNNEL_GRE_ENDPOINT,
+ ATTRIBUTE_SCHEMA_TUNNEL_IP_IN_IP_ENDPOINT,
+ ATTRIBUTE_SCHEMA_TUNNEL_UUID_LIST,
+ ATTRIBUTE_SCHEMA_INTERNAL_IP_ADDR,
+ ATTRIBUTE_SCHEMA_INTERNAL_IP_ADDR_COMMIT,
+ ATTRIBUTE_SCHEMA_EXTERNAL_IP_ADDR,
+ ATTRIBUTE_SCHEMA_EXTERNAL_IP_ADDR_COMMIT,
+
+ ATTRIBUTE_SCHEMA_INTERNAL_PORT,
+ ATTRIBUTE_SCHEMA_EXTERNAL_PORT,
+
+ ATTRIBUTE_SCHEMA_INTERNAL_ASN_ID,
+ ATTRIBUTE_SCHEMA_EXTERNAL_ASN_ID,
+
+ // tcp
+ ATTRIBUTE_SCHEMA_TCP_PAYLOAD,
+ ATTRIBUTE_SCHEMA_TCP_PAYLOAD_COMMIT,
+ ATTRIBUTE_SCHEMA_TCP_PAYLOAD_C2S_FIRST_DATA,
+ ATTRIBUTE_SCHEMA_TCP_PAYLOAD_C2S_FIRST_DATA_LEN,
+ ATTRIBUTE_SCHEMA_TCP_PAYLOAD_S2C_FIRST_DATA,
+ ATTRIBUTE_SCHEMA_TCP_PAYLOAD_S2C_FIRST_DATA_LEN,
+
+ // udp
+ ATTRIBUTE_SCHEMA_UDP_PAYLOAD,
+ ATTRIBUTE_SCHEMA_UDP_PAYLOAD_COMMIT,
+ ATTRIBUTE_SCHEMA_UDP_PAYLOAD_C2S_FIRST_DATA,
+ ATTRIBUTE_SCHEMA_UDP_PAYLOAD_C2S_FIRST_DATA_LEN,
+ ATTRIBUTE_SCHEMA_UDP_PAYLOAD_S2C_FIRST_DATA,
+ ATTRIBUTE_SCHEMA_UDP_PAYLOAD_S2C_FIRST_DATA_LEN,
+
+ // http
+ ATTRIBUTE_SCHEMA_HTTP_HOST,
+ ATTRIBUTE_SCHEMA_HTTP_URL,
+ ATTRIBUTE_SCHEMA_HTTP_URL_DECODED,
+
+ ATTRIBUTE_SCHEMA_HTTP_REQUEST_LINE,
+ ATTRIBUTE_SCHEMA_HTTP_REQUEST_USER_AGENT,
+ ATTRIBUTE_SCHEMA_HTTP_REQUEST_REFERER,
+ ATTRIBUTE_SCHEMA_HTTP_REQUEST_COOKIE,
+ ATTRIBUTE_SCHEMA_HTTP_REQUEST_CONTENT_TYPE,
+ ATTRIBUTE_SCHEMA_HTTP_REQUEST_CONTENT_LENGTH,
+ ATTRIBUTE_SCHEMA_HTTP_REQUEST_BODY,
+ ATTRIBUTE_SCHEMA_HTTP_REQUEST_BODY_COMMIT,
+ ATTRIBUTE_SCHEMA_HTTP_REQUEST_HEADER,
+ ATTRIBUTE_SCHEMA_HTTP_REQUEST_HEADER_COMMIT,
+
+ ATTRIBUTE_SCHEMA_HTTP_RESPONSE_LINE,
+ ATTRIBUTE_SCHEMA_HTTP_RESPONSE_STATUS_CODE,
+ ATTRIBUTE_SCHEMA_HTTP_RESPONSE_USER_AGENT,
+ ATTRIBUTE_SCHEMA_HTTP_RESPONSE_REFERER,
+ ATTRIBUTE_SCHEMA_HTTP_RESPONSE_COOKIE,
+ ATTRIBUTE_SCHEMA_HTTP_RESPONSE_CONTENT_TYPE,
+ ATTRIBUTE_SCHEMA_HTTP_RESPONSE_CONTENT_LENGTH,
+ ATTRIBUTE_SCHEMA_HTTP_RESPONSE_BODY,
+ ATTRIBUTE_SCHEMA_HTTP_RESPONSE_BODY_COMMIT,
+ ATTRIBUTE_SCHEMA_HTTP_RESPONSE_HEADER,
+ ATTRIBUTE_SCHEMA_HTTP_RESPONSE_HEADER_COMMIT,
+
+ ATTRIBUTE_SCHEMA_HTTP_VERSION,
+ ATTRIBUTE_SCHEMA_HTTP_SEQUENCE,
+ ATTRIBUTE_SCHEMA_HTTP_SNAPSHOT,
+ ATTRIBUTE_SCHEMA_HTTP_RESPONSE_SET_COOKIE,
+ ATTRIBUTE_SCHEMA_HTTP_RESPONSE_LATENCY_MS,
+ ATTRIBUTE_SCHEMA_HTTP_SESSION_DURATION_MS,
+ ATTRIBUTE_SCHEMA_HTTP_ACTION_FILE_SIZE,
+
+ // mail
+ ATTRIBUTE_SCHEMA_MAIL_PROTOCOL_TYPE,
+ ATTRIBUTE_SCHEMA_MAIL_ACCOUNT,
+ ATTRIBUTE_SCHEMA_MAIL_PASSWORD,
+ ATTRIBUTE_SCHEMA_MAIL_FROM_CMD,
+ ATTRIBUTE_SCHEMA_MAIL_TO_CMD,
+ ATTRIBUTE_SCHEMA_MAIL_TO_CMD_LOG,
+ ATTRIBUTE_SCHEMA_MAIL_FROM,
+ ATTRIBUTE_SCHEMA_MAIL_TO,
+ ATTRIBUTE_SCHEMA_MAIL_TO_LOG,
+ ATTRIBUTE_SCHEMA_MAIL_CC,
+ ATTRIBUTE_SCHEMA_MAIL_CC_LOG,
+ ATTRIBUTE_SCHEMA_MAIL_BCC,
+ ATTRIBUTE_SCHEMA_MAIL_BCC_LOG,
+ ATTRIBUTE_SCHEMA_MAIL_SUBJECT,
+ ATTRIBUTE_SCHEMA_MAIL_SUBJECT_LOG,
+ ATTRIBUTE_SCHEMA_MAIL_SUBJECT_CHARSET,
+ ATTRIBUTE_SCHEMA_MAIL_CONTENT,
+ ATTRIBUTE_SCHEMA_MAIL_CONTENT_COMMIT,
+ ATTRIBUTE_SCHEMA_MAIL_CONTENT_CHARSET,
+ ATTRIBUTE_SCHEMA_MAIL_ATTACHMENT_NAME,
+ ATTRIBUTE_SCHEMA_MAIL_ATTACHMENT_NAME_LOG,
+ ATTRIBUTE_SCHEMA_MAIL_ATTACHMENT_NAME_CHARSET,
+ ATTRIBUTE_SCHEMA_MAIL_ATTACHMENT_CONTENT,
+ ATTRIBUTE_SCHEMA_MAIL_ATTACHMENT_CONTENT_COMMIT,
+ ATTRIBUTE_SCHEMA_MAIL_EML_FILE,
+ ATTRIBUTE_SCHEMA_MAIL_STARTTLS_CMD,
+
+ // dns
+ ATTRIBUTE_SCHEMA_DNS_MESSAGE_ID,
+ ATTRIBUTE_SCHEMA_DNS_QR,
+ ATTRIBUTE_SCHEMA_DNS_OPCODE,
+ ATTRIBUTE_SCHEMA_DNS_AA,
+ ATTRIBUTE_SCHEMA_DNS_TC,
+ ATTRIBUTE_SCHEMA_DNS_RD,
+ ATTRIBUTE_SCHEMA_DNS_RA,
+ ATTRIBUTE_SCHEMA_DNS_RCODE,
+ ATTRIBUTE_SCHEMA_DNS_QDCOUNT,
+ ATTRIBUTE_SCHEMA_DNS_ANCOUNT,
+ ATTRIBUTE_SCHEMA_DNS_NSCOUNT,
+ ATTRIBUTE_SCHEMA_DNS_ARCOUNT,
+ ATTRIBUTE_SCHEMA_DNS_QNAME,
+ ATTRIBUTE_SCHEMA_DNS_QTYPE,
+ ATTRIBUTE_SCHEMA_DNS_QCLASS,
+ ATTRIBUTE_SCHEMA_DNS_RR,
+ ATTRIBUTE_SCHEMA_DNS_CNAME,
+ ATTRIBUTE_SCHEMA_DNS_SUB,
+ ATTRIBUTE_SCHEMA_DNS_RESPONSE_LATENCY_MS,
+
+ // ssl
+ ATTRIBUTE_SCHEMA_SSL_VERSION,
+ ATTRIBUTE_SCHEMA_SSL_SNI,
+ ATTRIBUTE_SCHEMA_SSL_SAN_LOG,
+ ATTRIBUTE_SCHEMA_SSL_SAN,
+ ATTRIBUTE_SCHEMA_SSL_SAN_COMMIT,
+ ATTRIBUTE_SCHEMA_SSL_CN,
+ ATTRIBUTE_SCHEMA_SSL_HANDSHAKE_LATENCY_MS,
+ ATTRIBUTE_SCHEMA_SSL_JA3_HASH,
+ ATTRIBUTE_SCHEMA_SSL_JA3S_HASH,
+ ATTRIBUTE_SCHEMA_SSL_JA4_HASH,
+ ATTRIBUTE_SCHEMA_SSL_JA4S_HASH,
+ ATTRIBUTE_SCHEMA_SSL_CERTIFICATE_ISSUER,
+ ATTRIBUTE_SCHEMA_SSL_CERTIFICATE_SUBJECT,
+ ATTRIBUTE_SCHEMA_SSL_ESNI,
+ ATTRIBUTE_SCHEMA_SSL_ESNI_FLAG,
+ ATTRIBUTE_SCHEMA_SSL_ECH,
+ ATTRIBUTE_SCHEMA_SSL_ECH_FLAG,
+ ATTRIBUTE_SCHEMA_SSL_NO_SNI,
+
+ ATTRIBUTE_SCHEMA_SSL_CERTIFICATE_ALGORITHM_IDENTIFIER,
+ ATTRIBUTE_SCHEMA_SSL_CERTIFICATE_SERIAL_NUMBER,
+ ATTRIBUTE_SCHEMA_SSL_CERTIFICATE_ISSUER_COMMON_NAME,
+ ATTRIBUTE_SCHEMA_SSL_CERTIFICATE_ISSUER_ORGANIZATION_NAME,
+ ATTRIBUTE_SCHEMA_SSL_CERTIFICATE_ISSUER_COUNTRY_NAME,
+ ATTRIBUTE_SCHEMA_SSL_CERTIFICATE_SUBJECT_COUNTRY_NAME,
+ ATTRIBUTE_SCHEMA_SSL_CERTIFICATE_SUBJECT_ORGANIZATION_NAME,
+ ATTRIBUTE_SCHEMA_SSL_CERTIFICATE_NOT_VALID_BEFORE,
+ ATTRIBUTE_SCHEMA_SSL_CERTIFICATE_NOT_VALID_AFTER,
+ ATTRIBUTE_SCHEMA_SSL_CERTIFICATE_ALGORITHM_ID,
+
+ // dtls
+ ATTRIBUTE_SCHEMA_DTLS_COOKIE,
+ ATTRIBUTE_SCHEMA_DTLS_VERSION,
+ ATTRIBUTE_SCHEMA_DTLS_SNI,
+ ATTRIBUTE_SCHEMA_DTLS_CN,
+ ATTRIBUTE_SCHEMA_DTLS_SAN,
+ ATTRIBUTE_SCHEMA_DTLS_HANDSHAKE_LATENCY_MS,
+ ATTRIBUTE_SCHEMA_DTLS_JA3_HASH,
+ ATTRIBUTE_SCHEMA_DTLS_JA3S_HASH,
+ ATTRIBUTE_SCHEMA_DTLS_CERTIFICATE_ISSUER,
+ ATTRIBUTE_SCHEMA_DTLS_CERTIFICATE_SUBJECT,
+
+ // quic
+ ATTRIBUTE_SCHEMA_QUIC_SNI,
+ ATTRIBUTE_SCHEMA_QUIC_VERSION,
+ ATTRIBUTE_SCHEMA_QUIC_USER_AGENT,
+
+ // ftp
+ ATTRIBUTE_SCHEMA_FTP_ACCOUNT,
+ ATTRIBUTE_SCHEMA_FTP_PASSWORD,
+ ATTRIBUTE_SCHEMA_FTP_URL,
+ ATTRIBUTE_SCHEMA_FTP_CONTENT,
+ ATTRIBUTE_SCHEMA_FTP_CONTENT_COMMIT,
+ ATTRIBUTE_SCHEMA_FTP_LINK_TYPE,
+
+ //sip
+ ATTRIBUTE_SCHEMA_SIP_CALL_ID,
+ ATTRIBUTE_SCHEMA_SIP_ORIGINATOR_DESCRIPTION,
+ ATTRIBUTE_SCHEMA_SIP_RESPONDER_DESCRIPTION,
+ ATTRIBUTE_SCHEMA_SIP_USER_AGENT,
+ ATTRIBUTE_SCHEMA_SIP_SERVER,
+ ATTRIBUTE_SCHEMA_SIP_ORIGINATOR_SDP_CONNECT_IP,
+ ATTRIBUTE_SCHEMA_SIP_RESPONDER_SDP_CONNECT_IP,
+ ATTRIBUTE_SCHEMA_SIP_ORIGINATOR_SDP_MEDIA_PORT,
+ ATTRIBUTE_SCHEMA_SIP_RESPONDER_SDP_MEDIA_PORT,
+ ATTRIBUTE_SCHEMA_SIP_ORIGINATOR_SDP_MEDIA_TYPE,
+ ATTRIBUTE_SCHEMA_SIP_RESPONDER_SDP_MEDIA_TYPE,
+ ATTRIBUTE_SCHEMA_SIP_ORIGINATOR_SDP_CONTENT,
+ ATTRIBUTE_SCHEMA_SIP_RESPONDER_SDP_CONTENT,
+ ATTRIBUTE_SCHEMA_SIP_DURATION_S,
+ ATTRIBUTE_SCHEMA_SIP_BYE,
+ ATTRIBUTE_SCHEMA_SIP_BYE_REASON,
+ ATTRIBUTE_SCHEMA_SIP_VIA,
+ ATTRIBUTE_SCHEMA_SIP_CSEQ,
+
+ // rtp
+ ATTRIBUTE_SCHEMA_RTP_PAYLOAD_TYPE_C2S,
+ ATTRIBUTE_SCHEMA_RTP_PAYLOAD_TYPE_S2C,
+ ATTRIBUTE_SCHEMA_RTP_PCAP_PATH,
+ ATTRIBUTE_SCHEMA_RTP_ORIGINATOR_DIR,
+
+ // ssh
+ ATTRIBUTE_SCHEMA_SSH_VERSION,
+ ATTRIBUTE_SCHEMA_SSH_AUTH_SUCCESS,
+ ATTRIBUTE_SCHEMA_SSH_CLIENT_VERSION,
+ ATTRIBUTE_SCHEMA_SSH_SERVER_VERSION,
+ ATTRIBUTE_SCHEMA_SSH_CIPHER_ALG,
+ ATTRIBUTE_SCHEMA_SSH_MAC_ALG,
+ ATTRIBUTE_SCHEMA_SSH_COMPRESSION_ALG,
+ ATTRIBUTE_SCHEMA_SSH_KEX_ALG,
+ ATTRIBUTE_SCHEMA_SSH_HOST_KEY_ALG,
+ ATTRIBUTE_SCHEMA_SSH_HOST_KEY,
+ ATTRIBUTE_SCHEMA_SSH_HASSH,
+
+ // stratum
+ ATTRIBUTE_SCHEMA_STRATUM_CRYPTOCURRENCY,
+ ATTRIBUTE_SCHEMA_STRATUM_MINING_POOLS,
+ ATTRIBUTE_SCHEMA_STRATUM_MINING_PROGRAM,
+ ATTRIBUTE_SCHEMA_STRATUM_MINING_SUBSCRIBE,
+
+ // rdp
+ ATTRIBUTE_SCHEMA_RDP_COOKIE,
+ ATTRIBUTE_SCHEMA_RDP_SECURITY_PROTOCOL,
+ ATTRIBUTE_SCHEMA_RDP_CLIENT_CHANNELS,
+ ATTRIBUTE_SCHEMA_RDP_KEYBOARD_LAYOUT,
+ ATTRIBUTE_SCHEMA_RDP_CLIENT_VERSION,
+ ATTRIBUTE_SCHEMA_RDP_CLIENT_NAME,
+ ATTRIBUTE_SCHEMA_RDP_CLIENT_PRODUCT_ID,
+ ATTRIBUTE_SCHEMA_RDP_DESKTOP_WIDTH,
+ ATTRIBUTE_SCHEMA_RDP_DESKTOP_HEIGHT,
+ ATTRIBUTE_SCHEMA_RDP_REQUESTED_COLOR_DEPTH,
+ ATTRIBUTE_SCHEMA_RDP_CERTIFICATE_TYPE,
+ ATTRIBUTE_SCHEMA_RDP_CERTIFICATE_COUNT,
+ ATTRIBUTE_SCHEMA_RDP_CERTIFICATE_PERMANENT,
+ ATTRIBUTE_SCHEMA_RDP_ENCRYPTION_LEVEL,
+ ATTRIBUTE_SCHEMA_RDP_ENCRYPTION_METHOD,
+
+ // general
+ ATTRIBUTE_SCHEMA_GENERAL_SESSION_DIRECTION,
+ ATTRIBUTE_SCHEMA_GENERAL_DECODED_AS,
+ ATTRIBUTE_SCHEMA_GENERAL_SESSION_ID,
+ ATTRIBUTE_SCHEMA_GENERAL_START_TIMESTAMP_MS,
+ ATTRIBUTE_SCHEMA_GENERAL_END_TIMESTAMP_MS,
+ ATTRIBUTE_SCHEMA_GENERAL_DURATION_MS,
+ ATTRIBUTE_SCHEMA_GENERAL_TCP_HANDSHAKE_LATENCY_MS,
+
+ ATTRIBUTE_SCHEMA_GENERAL_DEVICE_ID,
+ ATTRIBUTE_SCHEMA_GENERAL_OUT_LINK_ID,
+ ATTRIBUTE_SCHEMA_GENERAL_IN_LINK_ID,
+ ATTRIBUTE_SCHEMA_GENERAL_DEVICE_TAG,
+ ATTRIBUTE_SCHEMA_GENERAL_DATA_CENTER,
+ ATTRIBUTE_SCHEMA_GENERAL_DEVICE_GROUP,
+ ATTRIBUTE_SCHEMA_GENERAL_SLED_IP,
+
+ ATTRIBUTE_SCHEMA_GENERAL_VSYS_ID,
+ ATTRIBUTE_SCHEMA_GENERAL_T_VSYS_ID,
+
+ ATTRIBUTE_SCHEMA_GENERAL_FLAGS,
+ ATTRIBUTE_SCHEMA_GENERAL_FLAGS_IDENTIFY_INFO,
+
+ ATTRIBUTE_SCHEMA_TREATMENT_SECURITY_RULE_LIST,
+ ATTRIBUTE_SCHEMA_TREATMENT_SECURITY_ACTION,
+ ATTRIBUTE_SCHEMA_TREATMENT_MONITOR_RULE_LIST,
+ ATTRIBUTE_SCHEMA_TREATMENT_MONITOR_MIRRORED_PKTS,
+ ATTRIBUTE_SCHEMA_TREATMENT_MONITOR_MIRRORED_BYTES,
+ ATTRIBUTE_SCHEMA_TREATMENT_STATISTICS_RULE_LIST,
+
+ // client and server
+ ATTRIBUTE_SCHEMA_GENERAL_ADDRESS_TYPE,
+ ATTRIBUTE_SCHEMA_IP_PROTOCOL,
+
+ ATTRIBUTE_SCHEMA_CLIENT_IP,
+ ATTRIBUTE_SCHEMA_CLIENT_IP_TAGS,
+ ATTRIBUTE_SCHEMA_CLIENT_IPV4,
+ ATTRIBUTE_SCHEMA_CLIENT_IPV4_TAGS,
+ ATTRIBUTE_SCHEMA_CLIENT_IPV4_COMMIT,
+ ATTRIBUTE_SCHEMA_CLIENT_IPV6,
+ ATTRIBUTE_SCHEMA_CLIENT_IPV6_TAGS,
+ ATTRIBUTE_SCHEMA_CLIENT_IPV6_COMMIT,
+ ATTRIBUTE_SCHEMA_CLIENT_PORT,
+ ATTRIBUTE_SCHEMA_CLIENT_PORT_COMMIT,
+ ATTRIBUTE_SCHEMA_CLIENT_OS_DESC,
+ ATTRIBUTE_SCHEMA_CLIENT_COUNTRY_CODE,
+ ATTRIBUTE_SCHEMA_CLIENT_ASN_ID,
+ ATTRIBUTE_SCHEMA_CLIENT_ASN_ID_STR,
+ ATTRIBUTE_SCHEMA_CLIENT_SUBSCRIBER_ID,
+
+ // imsi, apn, phone number, imei
+ ATTRIBUTE_SCHEMA_CLIENT_IMEI,
+ ATTRIBUTE_SCHEMA_CLIENT_IMSI,
+ ATTRIBUTE_SCHEMA_CLIENT_MSISDN,
+ ATTRIBUTE_SCHEMA_CLIENT_APN,
+
+ ATTRIBUTE_SCHEMA_CLIENT_FISRT_PKT_TTL,
+
+ ATTRIBUTE_SCHEMA_SERVER_IP,
+ ATTRIBUTE_SCHEMA_SERVER_IP_TAGS,
+ ATTRIBUTE_SCHEMA_SERVER_IPV4,
+ ATTRIBUTE_SCHEMA_SERVER_IPV4_TAGS,
+ ATTRIBUTE_SCHEMA_SERVER_IPV4_COMMIT,
+ ATTRIBUTE_SCHEMA_SERVER_IPV6,
+ ATTRIBUTE_SCHEMA_SERVER_IPV6_TAGS,
+ ATTRIBUTE_SCHEMA_SERVER_IPV6_COMMIT,
+ ATTRIBUTE_SCHEMA_SERVER_PORT,
+ ATTRIBUTE_SCHEMA_SERVER_PORT_COMMIT,
+ ATTRIBUTE_SCHEMA_SERVER_OS_DESC,
+ ATTRIBUTE_SCHEMA_SERVER_COUNTRY_CODE,
+ ATTRIBUTE_SCHEMA_SERVER_ASN_ID,
+ ATTRIBUTE_SCHEMA_SERVER_ASN_ID_STR,
+ ATTRIBUTE_SCHEMA_SERVER_FQDN,
+ ATTRIBUTE_SCHEMA_SERVER_FQDN_COMMIT,
+ ATTRIBUTE_SCHEMA_SERVER_FQDN_LOG,
+ ATTRIBUTE_SCHEMA_SERVER_FQDN_TAGS,
+ ATTRIBUTE_SCHEMA_SERVER_DOMAIN_LOG,
+ ATTRIBUTE_SCHEMA_SERVER_FISRT_PKT_TTL,
+
+ // application
+ ATTRIBUTE_SCHEMA_APPLICATION_TRANSITION,
+ ATTRIBUTE_SCHEMA_APPLICATION,
+ ATTRIBUTE_SCHEMA_APPLICATION_CATEGORY,
+ ATTRIBUTE_SCHEMA_APPLICATION_EXTRA_INFO,
+ ATTRIBUTE_SCHEMA_APPLICATION_DEBUG_INFO,
+ ATTRIBUTE_SCHEMA_APPLICATION_CONTENT,
+ ATTRIBUTE_SCHEMA_APPLICATION_PROTOCOL_PATH,
+ ATTRIBUTE_SCHEMA_APPLICATION_FQDN_CATEGORY_LIST,
+
+ ATTRIBUTE_SCHEMA_ANALYSIS_APPLICATION_ID,
+ ATTRIBUTE_SCHEMA_ANALYSIS_APPLICATION_ID_COMMIT,
+ ATTRIBUTE_SCHEMA_DECODED_PATH,
+ ATTRIBUTE_SCHEMA_TRANS_PROTOCOL,
+
+ // transmission
+ ATTRIBUTE_SCHEMA_TRANSMISSION_SENT_PKTS,
+ ATTRIBUTE_SCHEMA_TRANSMISSION_SENT_BYTES,
+ ATTRIBUTE_SCHEMA_TRANSMISSION_RECEIVED_PKTS,
+ ATTRIBUTE_SCHEMA_TRANSMISSION_RECEIVED_BYTES,
+
+ // transmission tcp
+ ATTRIBUTE_SCHEMA_TRANSMISSION_TCP_C2S_IP_FRAGMENTS,
+ ATTRIBUTE_SCHEMA_TRANSMISSION_TCP_S2C_IP_FRAGMENTS,
+ ATTRIBUTE_SCHEMA_TRANSMISSION_TCP_C2S_LOST_BYTES,
+ ATTRIBUTE_SCHEMA_TRANSMISSION_TCP_S2C_LOST_BYTES,
+ ATTRIBUTE_SCHEMA_TRANSMISSION_TCP_C2S_O3_PKTS,
+ ATTRIBUTE_SCHEMA_TRANSMISSION_TCP_S2C_O3_PKTS,
+ ATTRIBUTE_SCHEMA_TRANSMISSION_TCP_C2S_RTX_PKTS,
+ ATTRIBUTE_SCHEMA_TRANSMISSION_TCP_S2C_RTX_PKTS,
+ ATTRIBUTE_SCHEMA_TRANSMISSION_TCP_C2S_RTX_BYTES,
+ ATTRIBUTE_SCHEMA_TRANSMISSION_TCP_S2C_RTX_BYTES,
+ ATTRIBUTE_SCHEMA_TRANSMISSION_TCP_RTT_MS,
+ ATTRIBUTE_SCHEMA_TRANSMISSION_TCP_CLEINT_ISN,
+ ATTRIBUTE_SCHEMA_TRANSMISSION_TCP_SERVER_ISN,
+
+ // other
+ ATTRIBUTE_SCHEMA_OTHER_PACKET_CAPTURE_FILE,
+ ATTRIBUTE_SCHEMA_OTHER_ENCAPSULATION_TYPE,
+ ATTRIBUTE_SCHEMA_OTHER_IN_SRC_MAC,
+ ATTRIBUTE_SCHEMA_OTHER_IN_DEST_MAC,
+ ATTRIBUTE_SCHEMA_OTHER_OUT_SRC_MAC,
+ ATTRIBUTE_SCHEMA_OTHER_OUT_DEST_MAC,
+ ATTRIBUTE_SCHEMA_OTHER_ENCAPSULATION,
+ ATTRIBUTE_SCHEMA_OTHER_DUP_TRAFFIC_FLAG,
+
+ // encapsulation
+ ATTRIBUTE_SCHEMA_TUNNELS_SCHEMA_TYPE,
+ ATTRIBUTE_SCHEMA_TUNNELS_GTP_ENDPOINT_A_IP,
+ ATTRIBUTE_SCHEMA_TUNNELS_GTP_ENDPOINT_B_IP,
+ ATTRIBUTE_SCHEMA_TUNNELS_GTP_ENDPOINT_A_PORT,
+ ATTRIBUTE_SCHEMA_TUNNELS_GTP_ENDPOINT_B_PORT,
+ ATTRIBUTE_SCHEMA_TUNNELS_GTP_A2B_TEID,
+ ATTRIBUTE_SCHEMA_TUNNELS_GTP_B2A_TEID,
+ ATTRIBUTE_SCHEMA_TUNNELS_MPLS_C2S_DIRECTION_LABEL,
+ ATTRIBUTE_SCHEMA_TUNNELS_MPLS_S2C_DIRECTION_LABEL,
+ ATTRIBUTE_SCHEMA_TUNNELS_VLAN_C2S_DIRECTION_ID,
+ ATTRIBUTE_SCHEMA_TUNNELS_VLAN_S2C_DIRECTION_ID,
+ ATTRIBUTE_SCHEMA_TUNNELS_SOURCE_MAC,
+ ATTRIBUTE_SCHEMA_TUNNELS_DESTINATION_MAC,
+ ATTRIBUTE_SCHEMA_TUNNELS_C2S_SOURCE_MAC,
+ ATTRIBUTE_SCHEMA_TUNNELS_C2S_DESTINATION_MAC,
+ ATTRIBUTE_SCHEMA_TUNNELS_S2C_SOURCE_MAC,
+ ATTRIBUTE_SCHEMA_TUNNELS_S2C_DESTINATION_MAC,
+ ATTRIBUTE_SCHEMA_TUNNELS_CLIENT_IP,
+ ATTRIBUTE_SCHEMA_TUNNELS_SERVER_IP,
+ ATTRIBUTE_SCHEMA_TUNNELS_PPTP_UPLINK_TUNNEL_ID,
+ ATTRIBUTE_SCHEMA_TUNNELS_PPTP_DOWNLINK_TUNNEL_ID,
+ ATTRIBUTE_SCHEMA_TUNNELS_L2TP_VERSION,
+ ATTRIBUTE_SCHEMA_TUNNELS_L2TP_LAC2LNS_TUNNEL_ID,
+ ATTRIBUTE_SCHEMA_TUNNELS_L2TP_LNS2LAC_TUNNEL_ID,
+ ATTRIBUTE_SCHEMA_TUNNELS_L2TP_LAC2LNS_SESSION_ID,
+ ATTRIBUTE_SCHEMA_TUNNELS_L2TP_LNS2LAC_SESSION_ID,
+ ATTRIBUTE_SCHEMA_TUNNELS_L2TP_ACCESS_CONCENTRATOR_IP,
+ ATTRIBUTE_SCHEMA_TUNNELS_L2TP_NETWORK_SERVER_IP,
+ ATTRIBUTE_SCHEMA_TUNNELS_L2TP_ACCESS_CONCENTRATOR_PORT,
+ ATTRIBUTE_SCHEMA_TUNNELS_L2TP_NETWORK_SERVER_PORT,
+
+ ATTRIBUTE_SCHEMA_MAX
+};
+
+enum ATTRIBUTE_VALUE_TYPE
+{
+ ATTRIBUTE_VALUE_TYPE_UNKNOWN = 0,
+ ATTRIBUTE_VALUE_TYPE_STRING,
+ ATTRIBUTE_VALUE_TYPE_INTEGER,
+ ATTRIBUTE_VALUE_TYPE_MAAT_OBJECT,
+ ATTRIBUTE_VALUE_TYPE_FLAG,
+ ATTRIBUTE_VALUE_TYPE_IPV4,
+ ATTRIBUTE_VALUE_TYPE_IPV6,
+ ATTRIBUTE_VALUE_TYPE_STREAM,
+ ATTRIBUTE_VALUE_TYPE_NOT_LOGIC,
+ ATTRIBUTE_VALUE_TYPE_STRING_ARRAY,
+ ATTRIBUTE_VALUE_TYPE_MAX
+};
+
+
+#define SCHEMA_DEFAULT_TABLE_ID -1
+#define SCHEMA_SCAN_NOT_LOGIC_TRUE 1
+#define SCHEMA_SCAN_NOT_LOGIC_FALSE 0
+
+#define SCHEMA_SCAN_HIT_OBJECT_DEFAULT_IDX -1
+#define SCHEMA_SCAN_HIT_OBJECT_CLIENT_IP_IDX 1
+#define SCHEMA_SCAN_HIT_OBJECT_SERVER_IP_IDX 2
+#define SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX 3
+
+#define SCHEMA_DEFAULT_LOG_FIELD_NAME_SZ 0
+
+struct attribute_schema
+{
+ enum ATTRIBUTE_SCHEMA attr_idx;
+ int scan_not_logic_flag;
+ int scan_hit_object_idx;
+ char *scan_attribute_name;
+ size_t log_field_name_sz;
+ char *log_field_name;
+};
+
+#define FREE_FALSE 0
+#define FREE_TRUE 1
+
+struct attribute_value_borrow_string
+{
+ size_t value_sz;
+ char *value;
+};
+
+struct attribute_value_string_array
+{
+ size_t n_value;
+ size_t *value_sz;
+ char **value;
+};
+
+struct attribute_value_ipv4_port
+{
+ int32_t port;
+ uint32_t ipv4;
+};
+
+struct attribute_value_ipv6_port
+{
+ int32_t port;
+ uint32_t ipv6[4];
+};
+
+#define MAX_MAAT_GROUP_ID 128
+struct attribute_value_maat_object
+{
+ size_t n_hit_objects;
+ struct maat_hit_object *hit_objects;
+};
+
+struct attribute_scratch
+{
+ struct attribute_schema *schema;
+ enum ATTRIBUTE_VALUE_TYPE value_type;
+ int is_free_schema;
+ int is_free_value;
+ union
+ {
+ uint64_t flag;
+ long long integer;
+ void *null_ptr; // ATTRIBUTE_VALUE_TYPE_NOT_LOGIC
+ struct attribute_value_borrow_string string; // ATTRIBUTE_VALUE_TYPE_STRING
+ struct attribute_value_borrow_string chunk; //ATTR_VALUE_TYPE_STREAM
+ struct attribute_value_maat_object maat_object;
+ struct attribute_value_ipv4_port ipv4_port;
+ struct attribute_value_ipv6_port ipv6_port;
+ struct attribute_value_string_array string_array;
+ };
+};
+
+void attribute_schema_init(struct attribute_schema *attr_schema, size_t attr_schema_sz);
+
+void attribute_scratch_reset(struct attribute_scratch *attr, size_t n_attr);
+void attribute_scratch_string_fill(struct attribute_scratch *attr, size_t attr_max, size_t *attr_offset, int is_free_schema, struct attribute_schema *schema, int is_free_value, char *value, size_t value_sz);
+void attribute_scratch_string_array_fill(struct attribute_scratch *attr, size_t attr_max, size_t *attr_offset, int is_free_schema, struct attribute_schema *schema, int is_free_value, char **value, size_t value_sz[], size_t n_value);
+void attribute_scratch_chunk_fill(struct attribute_scratch *attr, size_t attr_max, size_t *attr_offset, int is_free_schema, struct attribute_schema *schema, int is_free_value, char *value, size_t value_sz);
+void attribute_scratch_integer_fill(struct attribute_scratch *attr, size_t attr_max, size_t *attr_offset, int is_free_schema, struct attribute_schema *schema, int is_free_value, long long value);
+void attribute_scratch_flag_fill(struct attribute_scratch *attr, size_t attr_max, size_t *attr_offset, int is_free_schema, struct attribute_schema *schema, int is_free_value, uint64_t value);
+void attribute_scratch_ipv4_fill(struct attribute_scratch *attr, size_t attr_max, size_t *attr_offset, int is_free_schema, struct attribute_schema *schema, int is_free_value, uint32_t ipv4, int32_t port);
+void attribute_scratch_ipv6_fill(struct attribute_scratch *attr, size_t attr_max, size_t *attr_offset, int is_free_schema, struct attribute_schema *schema, int is_free_value, uint8_t ipv6[16], int32_t port);
+void attribute_scratch_maat_object_fill(struct attribute_scratch *attr, size_t attr_max, size_t *attr_offset, int is_free_schema, struct attribute_schema *schema, int is_free_value, struct maat_hit_object *hit_objects, size_t n_hit_objects);
+void attribute_scratch_not_logic_fill(struct attribute_scratch *attr, size_t attr_max, size_t *attr_offset, int is_free_schema, struct attribute_schema *schema, int is_free_value);
+
+#ifdef __cplusplus
+}
+#endif \ No newline at end of file
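Review bot: `struct attribute_schema` declares `scan_attribute_name` and `log_field_name` as `char *`, yet the table in attribute_schema.c fills `log_field_name` with string literals through a `(char *)` cast, so the type permits a write or a free through a pointer to read-only storage. `struct attribute_scratch` adds `is_free_schema` and `is_free_value` with `FREE_FALSE`/`FREE_TRUE`, but the header never says which function acts on them or what they release. If no caller stores heap-allocated names in a schema (not visible from this hunk), I would declare `const char *scan_attribute_name;` and `const char *log_field_name;`; either way the flags need a comment, for example `/* FREE_TRUE: the scratch entry owns the pointer and it is released on reset; entries of the static schema table must always be passed with FREE_FALSE */`, worded to match what `attribute_scratch_reset` really does. The fill prototypes would also benefit from one line saying that `attr_max` is the capacity of `attr` and what happens when `*attr_offset` reaches it. The enumerators `ATTRIBUTE_SCHEMA_CLIENT_FISRT_PKT_TTL`, `ATTRIBUTE_SCHEMA_SERVER_FISRT_PKT_TTL` and `ATTRIBUTE_SCHEMA_TRANSMISSION_TCP_CLEINT_ISN` are misspelled and are cheaper to rename before other modules depend on them.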
diff --git a/scanner/packet_scanner.c b/scanner/packet_scanner.c
new file mode 100644
index 0000000..d3cea2c
--- /dev/null
+++ b/scanner/packet_scanner.c
@@ -0,0 +1,270 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "stellar/utils.h"
+#include "stellar/packet.h"
+#include "stellar/packet_scanner.h"
+
+#include "attribute_schema.h"
+#include "attribute_exdata.h"
+
+struct packet_scanner
+{
+ int exdata_idx;
+ struct scannner *scanner;
+ struct logger *logger;
+};
+
+static void packet_scanner_exdata_free(int idx __unused, void *ex_ptr, void *arg __unused)
+{
+ if(ex_ptr==NULL)return;
+ FREE(ex_ptr);
+}
+
+const struct kv *packet_scanner_get_attribute(struct packet_scanner *pkt_scanner, struct packet *pkt, enum ATTRIBUTE_KV_INDEX index)
+{
+ if(pkt_scanner==NULL || pkt==NULL || index>=ATTRIBUTE_INDEX_MAX || index<=ATTRIBUTE_KV_UNKNOWN)
+ {
+ return NULL;
+ }
+
+ return attribute_kv_get((struct attribute_kv *)packet_get_exdata(pkt, pkt_scanner->exdata_idx), index);
+}
+
+void icmp_packet_attribute_fill()
+{
+
+}
+
+void packet_plugin_attribute_scan(const char *readable_addr, struct maat *cm_maat, struct maat_state *scan_state, struct scanner_state *policy_state, struct utable *utable, struct maat_stream **stream_handle, struct attribute_scratch *attribute, size_t n_attribute)
+{
+ if(attribute==NULL || n_attribute==0 || scan_state==NULL)
+ {
+ return ;
+ }
+
+ for(size_t i=0; i<n_attribute; i++)
+ {
+ switch(attribute[i].value_type)
+ {
+ case ATTRIBUTE_VALUE_TYPE_STRING:
+ scanner_scan_string_attribute(readable_addr, attribute[i].schema, cm_maat, scan_state, attribute[i].string.value, attribute[i].string.value_sz, policy_state);
+ break;
+ case ATTRIBUTE_VALUE_TYPE_INTEGER:
+ scanner_scan_integer_attribute(readable_addr, attribute[i].schema, cm_maat, scan_state, attribute[i].integer, policy_state);
+ break;
+ case ATTRIBUTE_VALUE_TYPE_FLAG:
+ scanner_scan_flag_attribute(readable_addr, attribute[i].schema, cm_maat, scan_state, attribute[i].flag, policy_state);
+ break;
+ case ATTRIBUTE_VALUE_TYPE_MAAT_OBJECT:
+ scanner_scan_object_attribute(readable_addr, attribute[i].schema, cm_maat, scan_state, attribute[i].maat_object.hit_objects, attribute[i].maat_object.n_hit_objects, policy_state);
+ break;
+ case ATTRIBUTE_VALUE_TYPE_IPV4:
+ scanner_scan_ipv4_attribute(readable_addr, attribute[i].schema, cm_maat, scan_state, attribute[i].ipv4_port.ipv4, attribute[i].ipv4_port.port, policy_state);
+ break;
+ case ATTRIBUTE_VALUE_TYPE_IPV6:
+ scanner_scan_ipv6_attribute(readable_addr, attribute[i].schema, cm_maat, scan_state, (uint8_t *)(attribute[i].ipv6_port.ipv6), attribute[i].ipv6_port.port, policy_state);
+ break;
+ case ATTRIBUTE_VALUE_TYPE_NOT_LOGIC:
+ scanner_scan_stream_attribute(readable_addr, attribute[i].schema, cm_maat, scan_state, policy_state);
+ break;
+ default:
+ break;
+ }
+
+ if(attribute[i].schema->scan_not_logic_flag==TRUE)
+ {
+ scanner_scan_not_logic_attribute(readable_addr, attribute[i].schema, cm_maat, scan_state, policy_state);
+ }
+
+ switch(attribute[i].schema->scan_hit_object_idx)
+ {
+ case SCHEMA_SCAN_HIT_OBJECT_CLIENT_IP_IDX:
+ break;
+ case SCHEMA_SCAN_HIT_OBJECT_SERVER_IP_IDX:
+ break;
+ case SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX:
+ break;
+ default:
+ break;
+ }
+ }
+}
+
+void packet_plugin_ipport_scan(struct scanner *scanner, struct packet *rawpkt, struct maat *cm_maat, struct maat_state *scan_state, struct scanner_state *policy_state,struct attribute_scratch *ipport_attr, size_t ipport_attr_num, enum TUNNEL_TYPE tunnel_type)
+{
+ if(rawpkt==NULL || scan_state==NULL || policy_state==NULL || ipport_attr==NULL || ipport_attr_num==0)
+ {
+ return ;
+ }
+
+ int is_client_internal=(packet_get_route_direction(rawpkt)==PACKET_DIRECTION_OUTGOING) ? TRUE : FALSE;
+ enum ATTRIBUTE_SCHEMA client_ip_idx=((is_client_internal==TRUE) ? ATTRIBUTE_SCHEMA_INTERNAL_IP_ADDR : ATTRIBUTE_SCHEMA_EXTERNAL_IP_ADDR);
+ enum ATTRIBUTE_SCHEMA server_ip_idx=((is_client_internal==TRUE) ? ATTRIBUTE_SCHEMA_EXTERNAL_IP_ADDR : ATTRIBUTE_SCHEMA_INTERNAL_IP_ADDR);
+ enum ATTRIBUTE_SCHEMA client_port_idx=((is_client_internal==TRUE) ? ATTRIBUTE_SCHEMA_INTERNAL_PORT : ATTRIBUTE_SCHEMA_EXTERNAL_PORT);
+ enum ATTRIBUTE_SCHEMA server_port_idx=((is_client_internal==TRUE) ? ATTRIBUTE_SCHEMA_EXTERNAL_PORT : ATTRIBUTE_SCHEMA_INTERNAL_PORT);
+
+ for(size_t i=0; i<ipport_attr_num; i++)
+ {
+ enum ATTRIBUTE_SCHEMA schema_attr_idx=ATTRIBUTE_SCHEMA_UNKNOWN;
+ enum ATTRIBUTE_SCHEMA schema_tunnel_idx=ATTRIBUTE_SCHEMA_UNKNOWN;
+
+ switch(ipport_attr[i].schema->attr_idx)
+ {
+ case ATTRIBUTE_SCHEMA_CLIENT_IPV6:
+ case ATTRIBUTE_SCHEMA_CLIENT_IPV4:
+ schema_attr_idx=client_ip_idx;
+ schema_tunnel_idx=plugin_shared_ipport_tunnel_schema_idx_get(tunnel_type);
+ break;
+ case ATTRIBUTE_SCHEMA_CLIENT_IPV4_TAGS:
+ case ATTRIBUTE_SCHEMA_CLIENT_IPV6_TAGS:
+ schema_attr_idx=client_ip_idx;
+ break;
+ case ATTRIBUTE_SCHEMA_CLIENT_IPV4_COMMIT:
+ case ATTRIBUTE_SCHEMA_CLIENT_IPV6_COMMIT:
+ break;
+ case ATTRIBUTE_SCHEMA_SERVER_IPV4:
+ case ATTRIBUTE_SCHEMA_SERVER_IPV6:
+ schema_attr_idx=server_ip_idx;
+ schema_tunnel_idx=plugin_shared_ipport_tunnel_schema_idx_get(tunnel_type);
+ break;
+ case ATTRIBUTE_SCHEMA_SERVER_IPV4_TAGS:
+ case ATTRIBUTE_SCHEMA_SERVER_IPV6_TAGS:
+ schema_attr_idx=server_ip_idx;
+ break;
+ case ATTRIBUTE_SCHEMA_SERVER_IPV4_COMMIT:
+ case ATTRIBUTE_SCHEMA_SERVER_IPV6_COMMIT:
+ break;
+ case ATTRIBUTE_SCHEMA_CLIENT_PORT:
+ schema_attr_idx=client_port_idx;
+ break;
+ case ATTRIBUTE_SCHEMA_CLIENT_PORT_COMMIT:
+ break;
+ case ATTRIBUTE_SCHEMA_SERVER_PORT:
+ schema_attr_idx=server_port_idx;
+ break;
+ case ATTRIBUTE_SCHEMA_SERVER_PORT_COMMIT:
+ break;
+ default:
+ break;
+ }
+
+ packet_plugin_attribute_scan(rawpkt, scan_state, policy_state, NULL, NULL, &(ipport_attr[i]), 1);
+ if(schema_attr_idx==ATTRIBUTE_SCHEMA_UNKNOWN && schema_tunnel_idx==ATTRIBUTE_SCHEMA_UNKNOWN)
+ {
+ continue;
+ }
+
+ size_t last_hit_object_size=maat_state_get_last_hit_object_cnt(scan_state);
+ if(last_hit_object_size==0)
+ {
+ continue;
+ }
+ struct maat_hit_object last_hit_object[last_hit_object_size];
+ int last_hit_object_cnt=maat_state_get_last_hit_objects(scan_state, last_hit_object, last_hit_object_size);
+
+ size_t maat_attr_offset=0;
+ size_t maat_object_size=2;
+ struct attribute_scratch maat_object_attr[maat_object_size];
+ attribute_scratch_maat_object_fill(maat_object_attr, maat_object_size, &maat_attr_offset, FREE_FALSE, &(attribute_scratch_schema[schema_tunnel_idx]), FREE_FALSE, last_hit_object, ((last_hit_object_cnt<0) ? 0 : last_hit_object_cnt));
+ attribute_scratch_maat_object_fill(maat_object_attr, maat_object_size, &maat_attr_offset, FREE_FALSE, &(attribute_scratch_schema[schema_tunnel_idx]), FREE_FALSE, last_hit_object, ((last_hit_object_cnt<0) ? 0 : last_hit_object_cnt));
+ packet_plugin_attribute_scan(rawpkt, scan_state, policy_state, NULL, NULL, maat_object_attr, maat_attr_offset);
+ attribute_scratch_reset(maat_object_attr, maat_attr_offset);
+ }
+
+ size_t negate_attr_offset=0;
+ size_t negate_object_size=2;
+ struct attribute_scratch negate_object_attr[negate_object_size];
+ attribute_scratch_not_logic_fill(negate_object_attr, negate_object_size, &negate_attr_offset, FREE_FALSE, &(attribute_scratch_schema[ATTRIBUTE_SCHEMA_INTERNAL_IP_ADDR_COMMIT]), FREE_FALSE);
+ attribute_scratch_not_logic_fill(negate_object_attr, negate_object_size, &negate_attr_offset, FREE_FALSE, &(attribute_scratch_schema[ATTRIBUTE_SCHEMA_EXTERNAL_IP_ADDR_COMMIT]), FREE_FALSE);
+ packet_plugin_attribute_scan(rawpkt, scan_state, policy_state, NULL, NULL, negate_object_attr, negate_attr_offset);
+ attribute_scratch_reset(negate_object_attr, negate_attr_offset);
+}
+
+static void packet_input_stage_callback(struct packet *rawpkt, enum packet_stage stage __attribute__((unused)), void *arg)
+{
+ struct packet_scanner *pkt_scanner=(struct packet_scanner *)arg;
+ if(pkt_scanner==NULL || rawpkt==NULL)
+ {
+ return ;
+ }
+
+ int pkt_layer_count=packet_get_layer_count(rawpkt);
+ const struct layer *innermost_layer=packet_get_layer_by_idx(rawpkt, pkt_layer_count-1);
+ if(innermost_layer==NULL)
+ {
+ return ;
+ }
+
+ struct attribute_kv *attr_kv=(struct attribute_kv *)CALLOC(struct attribute_kv, 1);
+ packet_set_exdata(rawpkt, pkt_scanner->exdata_idx, (void *)attr_kv);
+
+ switch(innermost_layer->proto)
+ {
+ case LAYER_PROTO_UDP:
+ break;
+ case LAYER_PROTO_TCP:
+ break;
+ case LAYER_PROTO_ICMP:
+ case LAYER_PROTO_ICMP6:
+ icmp_packet_xxx();
+ break;
+ default:
+ break;
+ }
+
+ return ;
+}
+
+struct packet_scanner *packet_scanner_new(struct module_manager *mod_mgr, struct scanner *scanner)
+{
+ if(mod_mgr==NULL || scanner==NULL)
+ {
+ return NULL;
+ }
+
+ struct packet_scanner *pkt_scanner=CALLOC(struct packet_scanner, 1);
+ pkt_scanner->scanner=scanner;
+ pkt_scanner->logger=module_manager_get_logger(mod_mgr);
+
+ struct module *pkt_mgr_mod=module_manager_get_module(mod_mgr, PACKET_MANAGER_MODULE_NAME);
+ struct packet_manager *pkt_mgr=module_to_packet_manager(pkt_mgr_mod);
+ struct mq_schema *mq_s=module_manager_get_mq_schema(mod_mgr);
+
+ if(pkt_mgr==NULL || mq_s==NULL)
+ {
+ STELLAR_LOG_FATAL(pkt_scanner->logger, SCANNER_MODULE_NAME, "packet_scanner_new failed to get packet manager or mq schema");
+ goto INIT_ERROR;
+ }
+
+ int ret=packet_manager_subscribe(pkt_mgr, PACKET_STAGE_INPUT, packet_input_stage_callback, (void *)packet_scanner);
+ if(ret<0)
+ {
+ STELLAR_LOG_FATAL(pkt_scanner->logger, SCANNER_MODULE_NAME, "packet_scanner_new failed to subscribe packet stage");
+ goto INIT_ERROR;
+ }
+
+ pkt_scanner->exdata_idx=packet_manager_new_packet_exdata_index(pkt_mgr, "SCANNER_EXDATA_SESSION", packet_scanner_exdata_free, (void *)packet_scanner);
+ if(pkt_scanner->exdata_idx<0)
+ {
+ STELLAR_LOG_FATAL(pkt_scanner->logger, SCANNER_MODULE_NAME, "packet_scanner_new failed to create exdata index");
+ goto INIT_ERROR;
+ }
+
+ return pkt_scanner;
+
+INIT_ERROR:
+ packet_scanner_free(pkt_scanner);
+ return NULL;
+}
+
+void packet_scanner_free(struct packet_scanner *pkt_scanner)
+{
+ if(pkt_scanner==NULL)
+ {
+ return ;
+ }
+
+ FREE(pkt_scanner);
+} \ No newline at end of file
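Review bot: In `packet_plugin_ipport_scan` the array `struct maat_hit_object last_hit_object[last_hit_object_size]` is a stack VLA whose length comes straight from `maat_state_get_last_hit_object_cnt(scan_state)`, so stack use on the per-packet path is bounded only by how many objects the scanned traffic happens to hit. I would give it a fixed capacity from a named constant (called `PACKET_SCANNER_MAX_HIT_OBJECTS` below, a name made up for this note; the author picks name and value) and clamp the count before the copy, assuming the third argument of `maat_state_get_last_hit_objects` is the destination capacity. Both `attribute_scratch_maat_object_fill` calls that follow index `attribute_scratch_schema[schema_tunnel_idx]`, which leaves `schema_attr_idx` computed but unused and selects entry `ATTRIBUTE_SCHEMA_UNKNOWN` for the TAGS and PORT cases; presumably the first call was meant to use `schema_attr_idx`. Separately, the calls to `packet_plugin_attribute_scan` in this function pass seven arguments starting with `rawpkt`, while the definition above takes eight starting with `const char *readable_addr`, and `packet_scanner_new` passes `(void *)packet_scanner` where the local variable is `pkt_scanner`, so the file is unlikely to build as committed.

```c
size_t last_hit_object_size=maat_state_get_last_hit_object_cnt(scan_state);
// … unchanged: continue when last_hit_object_size==0 …
if(last_hit_object_size>PACKET_SCANNER_MAX_HIT_OBJECTS)
{
    // Cap the copy so stack use does not follow the hit count.
    last_hit_object_size=PACKET_SCANNER_MAX_HIT_OBJECTS;
}
struct maat_hit_object last_hit_object[PACKET_SCANNER_MAX_HIT_OBJECTS];
int last_hit_object_cnt=maat_state_get_last_hit_objects(scan_state, last_hit_object, last_hit_object_size);
// … unchanged: maat_object_attr fill, scan and reset …
```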
diff --git a/scanner/packet_scanner.h b/scanner/packet_scanner.h
new file mode 100644
index 0000000..88b371b
--- /dev/null
+++ b/scanner/packet_scanner.h
@@ -0,0 +1,8 @@
+#pragma once
+
+#include "stellar/scanner.h"
+#include "stellar/module.h"
+
+const struct kv *packet_scanner_get_attribute(struct packet_scanner *pkt_scanner, struct packet *pkt, enum ATTRIBUTE_KV_INDEX index);
+struct packet_scanner *packet_scanner_new(struct module_manager *mod_mgr, struct scanner *scanner);
+void packet_scanner_free(struct packet_scanner *sess_scanner)
\ No newline at end of file
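Review bot: The final prototype in this new header, `packet_scanner_free`, is missing its terminating semicolon, so the declaration runs into whatever follows `#include "packet_scanner.h"` in each including file and the header cannot compile on its own. It should read `void packet_scanner_free(struct packet_scanner *pkt_scanner);`, which also brings the parameter name in line with the definition in packet_scanner.c (the header currently calls it `sess_scanner`). The first prototype uses `struct packet` and `enum ATTRIBUTE_KV_INDEX`; if neither included header declares them, the include that does should be added here, since an enum type cannot be forward-referenced in a parameter list, so this is worth confirming. A short comment on `packet_scanner_new` stating that it returns NULL on failure and that the caller releases the result with `packet_scanner_free` would document the ownership the implementation relies on.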
diff --git a/scanner/recorder.c b/scanner/recorder.c
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/scanner/recorder.c
diff --git a/scanner/scanner.c b/scanner/scanner.c
index 53f45e7..aa69573 100644
--- a/scanner/scanner.c
+++ b/scanner/scanner.c
@@ -1,148 +1,1180 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <unistd.h>
+#include <uuid/uuid.h>
#include "uthash/utarray.h"
+#include <yyjson/yyjson.h>
+
+#include "stellar/utils.h"
#include "stellar/scanner.h"
+#include "stellar/session.h"
+
+#include "scanner_toml.h"
+#include "scanner_shared.h"
+
-#define PLOLICY_MESSAGE_MAGIC 0x12121212
-enum SD_MAAT_PLUGIN
+#define MAX_HITS_RULES_NUM 128
+
+struct global_parameter
{
- SD_PLUGIN_GTP_IP2SIGNALING=0,
- SD_PLUGIN_DYNAMIC_IPPORT_MAPPING,
- SD_PLUGIN_MAX
-};
+ char sled_ip[NAME_MAX];
+ char device_id[NAME_MAX];
+ char device_sn[NAME_MAX];
+ char device_tag[NAME_MAX];
+ char data_center[NAME_MAX];
+ char device_group[NAME_MAX];
-enum CM_MAAT_PLUGIN
-{
- CM_PLUGIN_SECURITY_RULE=0,
- CM_PLUGIN_MONITOR_RULE,
- CM_PLUGIN_APP_ID_DICT,
- CM_PLUGIN_HTTP_RESPONSE_PAGES,
- CM_PLUGIN_DNS_RESOURCE_RECORD,
- CM_PLUGIN_MIRRORING_PROFILE,
- CM_PLUGIN_SESSION_OPTION, //T_VSYS_INFO,
- CM_PLUGIN_MONITOR_RULE,
- CM_PLUGIN_POLICY_OBJECT,
- CM_PLUGIN_LIBRARY_TAG,
- CM_PLUGIN_IP_ADDR_ENTRY,
- CM_PLUGIN_FQDN_ENTRY,
- CM_PLUGIN_ATTRIBUTE_DICT,
- CM_PLUGIN_MAX
+ int traffic_vsystem_id;
+ int default_unknown_app_id;
+ int session_record_enabled;
};
-struct policy_exdata
+struct default_parameter
{
- int magic;
- UT_array *rule_delta[RULE_TYPE_MAX];
- UT_array *rule_cumulative[RULE_TYPE_MAX];
- UT_array *object_delta[ATTRIBUTE_TYPE_MAX];
- UT_array *object_cumulative[ATTRIBUTE_TYPE_MAX];
+ int32_t tunnel_app_id[TUNNEL_TYPE_MAX];
+ uuid_t boolean_true_object_uuid;
+ uuid_t boolean_false_object_uuid;
+ uuid_t ip_protocol_object_uuid[IP_PROTOCOL_MAX];
+ uuid_t tunnel_level_object_uuid[TUNNEL_LEVEL_NUM];
};
-#define MAX_DATA_CENTER_LEN 128
-#define MAX_DEVICE_TAG 128
-struct maat_runtime_para
+struct scanner
{
- int session_record_switch;
- char device_tag[MAX_DEVICE_TAG];
- char data_center[MAX_DATA_CENTER_LEN];
- //struct mirror_vlan_id default_vlan;
+ struct logger *logger;
+ struct module_manager *mod_mgr;
+ struct default_parameter default_para;
+ struct global_parameter global_para;
- struct maat_plugin_table cm_plugin_table[CM_PLUGIN_MAX];
- struct maat_plugin_table sd_plugin_table[SD_PLUGIN_MAX];
+ struct scanner_maat *maat;
+ struct attribute_schema attr_schema[ATTRIBUTE_SCHEMA_MAX];
};
-struct user_equipment
+struct rule_table_string2type
{
- char *apn;
- char *imsi;
- char *imei;
- char *msisdn; //MSISDN: phone number
+ enum MAAT_RULE_TABLE type;
+ size_t string_sz;
+ char *string;
};
-struct subscriber_id
+int32_t is_dup_tag_uuid(uuid_t *tag_uuids, size_t tag_uuids_num, uuid_t tag_uuid)
{
- char *subscriber_id;
-};
+ if(tag_uuids==NULL || tag_uuids_num==0)
+ {
+ return FALSE;
+ }
-struct user_identification
+ for(size_t i=0; i<tag_uuids_num; i++)
+ {
+ if(uuid_compare(tag_uuids[i], tag_uuid)==0)
+ {
+ return TRUE;
+ }
+ }
+
+ return FALSE;
+}
+
+const char *scanner_get_device_id(struct scanner *scanner)
{
- struct user_equipment *ue;
- struct subscriber_id subscriber;
-};
+ return ((scanner->global_para.device_id[0]=='\0') ? NULL : scanner->device_id);
+}
+const char *scanner_get_device_group(struct scanner *scanner)
+{
+ return ((scanner->global_para.device_group[0]=='\0') ? NULL : scanner->device_group);
+}
-// plugin_fqdn_entry
-// plugin_ip_addr_entry
-struct plugin_entry
+const char *scanner_get_data_center(struct scanner *scanner)
{
- size_t n_tag_uuids;
- uuid_t *tag_uuids;
-};
+ return ((scanner->global_para.data_center[0]=='\0') ? NULL : scanner->data_center);
+}
-struct attribute_dict
+const char *scanner_get_device_tag(struct scanner *scanner)
{
- char *object_table_name;
- char *available_object_type;
-};
+ return ((scanner->global_para.device_tag[0]=='\0') ? NULL : scanner->device_tag);
+}
+const char *scanner_get_device_sn(struct scanner *scanner)
+{
+ return ((scanner->global_para.device_sn[0]=='\0') ? NULL : scanner->device_sn);
+}
-#define MAX_TABLENAME_LEN 128
+const char *scanner_get__sled_ip(struct scanner *scanner)
+{
+ return ((scanner->global_para.sled_ip[0]=='\0') ? NULL : scanner->sled_ip);
+}
-struct maat_plugin_table
+int scanner_get_traffic_vsystem_id(struct scanner *scanner)
{
- char name[MAX_TABLENAME_LEN];
- maat_ex_new_func_t *ex_new;
- maat_ex_free_func_t *ex_free;
- maat_ex_dup_func_t *ex_dup;
-};
+ return scanner->global_para.traffic_vsystem_id;
+}
-enum LIBRARY_TAG_CATEGORY
-{
- LIBRARY_TAG_CATEGORY_NONE=0x0,
- LIBRARY_TAG_CATEGORY_GEOIP_CITY,
- LIBRARY_TAG_CATEGORY_GEOIP_COUNTRY,
- LIBRARY_TAG_CATEGORY_GEOIP_ASN,
- LIBRARY_TAG_CATEGORY_WEBSITE_CLASSIFICATION,
- LIBRARY_TAG_CATEGORY_INTERNET_SERVICE,
- LIBRARY_TAG_CATEGORY_SECURITY_THREAT,
- LIBRARY_TAG_CATEGORY_COMPLIANCE_RISK,
- LIBRARY_TAG_CATEGORY_MAX
-};
+void device_sn_value_parser(char *filename, char *device_sn, size_t device_sn_sz)
+{
+ if(filename==NULL || device_sn==NULL || device_sn_sz==0)
+ {
+ return ;
+ }
+
+ // using yyjson_read_file yyjson parser device_sn
+ yyjson_doc *doc=yyjson_read_file(filename, 0, NULL, NULL);
+ if(doc==NULL)
+ {
+ return ;
+ }
-enum POLICY_OBJECT_OPTION
+ yyjson_val *root=yyjson_doc_get_root(doc);
+ if(root==NULL)
+ {
+ goto ERROR;
+ }
+
+ yyjson_val *sn=yyjson_obj_get(root, "sn");
+ if(sn==NULL)
+ {
+ goto ERROR;
+ }
+
+ size_t sn_sz=yyjson_get_len(sn);
+ memcmp(device_sn, yyjson_get_str(sn), MIN(sn_sz, device_sn_sz-1));
+
+ERROR:
+ yyjson_doc_free(doc);
+ doc=NULL;
+}
+
+int device_nic_name_to_ipv4(const char *nic_name, char *ipv4, size_t ipv4_sz, struct logger *logger)
{
- POLICY_OBJECT_OPTION_DISABLE=1,
- POLICY_OBJECT_OPTION_NONE,
- POLICY_OBJECT_OPTION_BRIEF,
- POLICY_OBJECT_OPTION_ELABORATE
-};
+ int fd=socket(AF_INET, SOCK_DGRAM, 0);
+ if(fd<0)
+ {
+ STELLAR_LOG_FATAL(logger, SCANNER_MODULE_NAME, "device_nic_name_to_ipv4(%s), socket: %s", device, strerror(errno));
+ return ;
+ }
+
+ struct ifreq ifr;
+ memset(ifr.ifr_ifrn.ifrn_name, 0, sizeof(ifr.ifr_ifrn.ifrn_name));
+ strncpy(ifr.ifr_ifrn.ifrn_name, nic_name, sizeof(ifr.ifr_ifrn.ifrn_name));
+ if(ioctl(fd, SIOCGIFADDR, &ifr)==-1)
+ {
+ STELLAR_LOG_FATAL(logger, SCANNER_MODULE_NAME, "device_nic_name_to_ipv4(%s), ioctl SIOCGIFADDR: %s", device, strerror(errno));
+ }
+ else
+ {
+ inet_ntop(AF_INET, &((ifr.ifr_ifru.ifru_addr)->sin_addr.s_addr), ipv4, ipv4_sz);
+ }
-struct plugin_library_tag
+ close(fd);
+}
+
+void global_parameter_get(struct logger *logger, const char *toml_path, const char *table_key, struct global_parameter *para)
{
- char *key;
- char *value;
- enum LIBRARY_TAG_CATEGORY category;
- enum POLICY_OBJECT_OPTION object_option;
-};
+ toml_int_get(logger, toml_path, table_key, "traffic_vsystem_id", &(para->traffic_vsystem_id));
+ toml_int_get(logger, toml_path, table_key, "default_unknown_app_id", &(para->default_unknown_app_id));
+ toml_int_get(logger, toml_path, table_key, "session_record_enabled", &(para->session_record_enabled));
+
+ toml_string_get(logger, toml_path, table_key, "device_tag", para->device_tag, sizeof(para->device_tag));
+ toml_string_get(logger, toml_path, table_key, "device_group", para->device_group, sizeof(para->device_group));
+ toml_string_get(logger, toml_path, table_key, "data_center", para->data_center, sizeof(para->data_center));
+
+ char override_sled_ip[NAME_MAX]={0};
+ toml_string_get(logger, toml_path, table_key, "override_sled_ip", override_sled_ip, sizeof(override_sled_ip));
+ char *sled_ip=getenv(override_sled_ip);
+ if(sled_ip==NULL)
+ {
+ char nic_name[32]={0};
+ toml_string_get(logger, toml_path, table_key, "nic_name", nic_name, sizeof(nic_name));
+ device_nic_name_to_ipv4(nic_name, para->sled_ip,sizeof(para->sled_ip), logger);
+ }
+ else
+ {
+ memcpy(para->sled_ip, sled_ip, MIN(sizeof(para->sled_ip)-1, strlen(sled_ip)));
+ }
-#define MAX_TAG_IDS_NUM 256
-struct plugin_library_tag *plugin_exdata_get0_library_tag(struct maat *cm_maat, uuid_t tag_uuid);
-int plugin_exdata_get0_fqdn_entry(struct maat *cm_maat, char *server_fqdn, struct plugin_fqdn_entry **exdata, size_t n_exdata);
-int plugin_exdata_get0_ip_addr_entry(struct maat *cm_maat, struct ip_addr *ip_addr, uint16_t port, struct plugin_ip_addr_entry **exdata, size_t n_exdata);
+ char device_sn_filename[NAME_MAX]={0};
+ toml_string_get(logger, toml_path, table_key, "device_sn_filename", device_sn_filename, sizeof(device_sn_filename));
+ device_sn_value_parser(device_sn_filename, para->device_sn, sizeof(para->device_sn));
+}
-struct security_option_parameter
+void scanner_print_debug_hit_rule(struct scanner *scanner, const char *readable_addr, const char *tablename, uuid_t *rule_uuid_list, size_t rule_uuid_num)
{
- enum RULE_ACTION action;
- struct override_sub_action *tcp;
- struct override_sub_action *udp;
-};
+ if((MESA_handle_runtime_log_level_enabled(firewall_runtimelog, RLOG_LV_INFO)==0) || rule_uuid_num==0)
+ {
+ return ;
+ }
+
+ yyjson_mut_doc *doc=yyjson_mut_doc_new(NULL);
+ yyjson_mut_val *root=yyjson_mut_obj(doc);
+ yyjson_mut_doc_set_root(doc, root);
+ yyjson_mut_obj_add_str(doc, root, "addr", ((readable_addr!=NULL) ? readable_addr : ""));
+ yyjson_mut_val *rule_array=yyjson_mut_arr(doc);
+ for(size_t i=0; i<rule_uuid_num; i++)
+ {
+ char rule_uuid_str[UUID_STR_LEN]={0};
+ uuid_unparse_lower(rule_uuid_list[i], rule_uuid_str);
+ yyjson_mut_arr_add_strcpy(doc, rule_array, rule_uuid_str);
+ }
+
+ yyjson_mut_obj_add_val(doc, root, tablename, rule_array);
+
+ char *json_str=yyjson_mut_write(doc, 0, NULL);
+ yyjson_mut_doc_free(doc);
+ STELLAR_LOG_INFO(scanner->logger, SCANNER_MODULE_NAME, "debug_hitted_rule_print: %s", json_str);
+ FREE(json_str);
+}
-struct session_option
+void scanner_print_debug_hit_object(struct scanner *scanner, const char *readable_addr, struct maat_hit_object *hit_object_list, size_t hit_object_num)
{
- int log_enabled;
- int limited_min_pkts;
- struct security_option_parameter security_parameter;
-};
-struct session_option *plugin_exdata_get0_session_option(struct maat *cm_maat, int32_t t_vsys_id);
\ No newline at end of file
+ if((MESA_handle_runtime_log_level_enabled(firewall_runtimelog, RLOG_LV_INFO)==0))
+ {
+ return ;
+ }
+
+ yyjson_mut_doc *doc=yyjson_mut_doc_new(NULL);
+ yyjson_mut_val *root=yyjson_mut_obj(doc);
+ yyjson_mut_doc_set_root(doc, root);
+ yyjson_mut_obj_add_str(doc, root, "addr", ((readable_addr!=NULL) ? readable_addr : ""));
+ yyjson_mut_val *hit_object_array=yyjson_mut_arr(doc);
+ for(size_t i=0; i<hit_object_num; i++)
+ {
+ yyjson_mut_val *hit_object_object=yyjson_mut_obj(doc);
+
+ if(uuid_is_null(hit_object_list[i].item_uuid)==0)
+ {
+ char item_uuid_str[UUID_STR_LEN]={0};
+ uuid_unparse_lower(hit_object_list[i].item_uuid, item_uuid_str);
+ yyjson_mut_obj_add_strcpy(doc, hit_object_object, "item_uuid", item_uuid_str);
+ }
+
+ char object_uuid_str[UUID_STR_LEN]={0};
+ uuid_unparse_lower(hit_object_list[i].object_uuid, object_uuid_str);
+ yyjson_mut_obj_add_strcpy(doc, hit_object_object, "object_uuid", object_uuid_str);
+
+ if(hit_object_list[i].attribute_name!=NULL)
+ {
+ yyjson_mut_obj_add_str(doc, hit_object_object, "attribute_name", hit_object_list[i].attribute_name);
+ }
+
+ yyjson_mut_arr_add_val(hit_object_array, hit_object_object);
+ }
+
+ yyjson_mut_obj_add_val(doc, root, "hits_object", hit_object_array);
+
+ char *json_str=yyjson_mut_write(doc, 0, NULL);
+ yyjson_mut_doc_free(doc);
+ STELLAR_LOG_INFO(scanner->logger, SCANNER_MODULE_NAME, "debug_hit_object_print: %s", json_str);
+ FREE(json_str);
+}
+
+size_t scanner_get_matched_rule_uuid(UT_array *hitted_rules, uint32_t n_pre_hitted_rule, enum RULE_TYPE type, uuid_t *rule_uuid_list, size_t rule_uuid_num)
+{
+ if(hitted_rules==NULL || rule_uuid_list==NULL || rule_uuid_num==0)
+ {
+ return 0;
+ }
+
+ size_t offset=0;
+ for(size_t i=0; i<utarray_len(hitted_rules); i++)
+ {
+ if(offset>=rule_uuid_num)
+ {
+ break;
+ }
+
+ struct matched_rule *p_hits=(struct matched_rule *)utarray_eltptr(hitted_rules, i);
+ if(p_hits->type!=type)
+ {
+ continue;
+ }
+
+ uuid_copy(rule_uuid_list[offset++], p_hits->rule.uuid);
+ }
+
+ return offset;
+}
+
+void ipaddr_convert_layer_to_maat_format(struct packet *rawpkt, struct ip_addr *c_net_addr, struct ip_addr *s_net_addr)
+{
+ // switch(ip_addr_type)
+ // {
+ // case IP_ADDRESS_IPV4:
+ // case IP_ADDRESS_IPV4_PORT:
+ // c_net_addr->ip_type=4;
+ // s_net_addr->ip_type=4;
+ // c_net_addr->ipv4=ss_addr->ipv4.saddr;
+ // s_net_addr->ipv4=ss_addr->ipv4.daddr;
+ // break;
+ // case IP_ADDRESS_IPV6:
+ // case IP_ADDRESS_IPV6_PORT:
+ // c_net_addr->ip_type=6;
+ // s_net_addr->ip_type=6;
+ // memcpy(c_net_addr->ipv6, ss_addr->ipv6.saddr, sizeof(c_net_addr->ipv6));
+ // memcpy(s_net_addr->ipv6, ss_addr->ipv6.daddr, sizeof(s_net_addr->ipv6));
+ // break;
+ // default:
+ // return ;
+ // }
+}
+
+void ipaddr_entry_tag_uuids_attribute_fill(struct attribute_scratch *attr, size_t attr_max, size_t *attr_offset, uuid_t tag_uuids[], size_t n_tag_uuids, enum ATTRIBUTE_SCHEMA schema_attr_idx)
+{
+ if(attr==NULL || (*attr_offset)>=attr_max || tag_uuids==NULL || n_tag_uuids==0)
+ {
+ return ;
+ }
+
+ struct maat_hit_object hit_objects[n_tag_uuids];
+ for(size_t i=0; i<n_tag_uuids; i++)
+ {
+ hit_objects[i].attribute_name[0]='\0';
+ uuid_clear(hit_objects[i].item_uuid);
+ uuid_copy(hit_objects[i].object_uuid, tag_uuids[i]);
+ }
+
+ attribute_scratch_maat_object_fill(attr, attr_max, attr_offset, FREE_FALSE, &(attribute_schema[schema_attr_idx]), FREE_FALSE, hit_objects, n_tag_uuids);
+}
+
+size_t ipaddr_entry_tag_uuids_get(struct maat *cm_maat, struct ip_addr *net_ipaddr, uint16_t net_port, uuid_t *tag_uuids, size_t n_tag_uuids)
+{
+ size_t n_ipaddr_exdata=n_tag_uuids;
+ struct plugin_ipaddr_entry *ipaddr_exdata[n_ipaddr_exdata];
+ int n_exdata=plugin_ex_data_ipaddr_entry_get(cm_maat, net_ipaddr, net_port, ipaddr_exdata, n_ipaddr_exdata);
+ if(n_exdata==0)
+ {
+ return 0;
+ }
+
+ size_t tag_uuids_offset=0;
+
+ for(int i=0; i<n_exdata; i++)
+ {
+ if(ipaddr_exdata[i]==NULL || ipaddr_exdata[i]->n_tag_uuids==0)
+ {
+ continue;
+ }
+
+ for(size_t j=0; j<ipaddr_exdata[i]->n_tag_uuids; j++)
+ {
+ if(is_dup_tag_uuid(tag_uuids, tag_uuids_offset, ipaddr_exdata[i]->tag_uuids[j])==TRUE)
+ {
+ continue;
+ }
+
+ if(tag_uuids_offset>=n_tag_uuids)
+ {
+ break;
+ }
+
+ uuid_copy(tag_uuids[tag_uuids_offset++], ipaddr_exdata[i]->tag_uuids[j]);
+ }
+ }
+
+ return tag_uuids_offset;
+}
+
+uuid_t *scanner_get_ip_protocol_object_uuid(struct scanner *scanner, enum IP_PROTOCOL ipproto)
+{
+ switch(ipproto)
+ {
+ case IP_PROTOCOL_TCP:
+ case IP_PROTOCOL_UDP:
+ case IP_PROTOCOL_ICMP:
+ return &(scanner->ip_protocol_object_uuid[ipproto]);
+ default:
+ break;
+ }
+
+ return NULL;
+}
+
+void ipport_attribute_fill(struct attribute_scratch *attr, size_t attr_max, size_t *attr_offset, struct session_addr *ss_addr, enum IP_ADDRESS ip_addr_type, enum IP_PROTOCOL ip_proto)
+{
+ if(attr==NULL || (*attr_offset)>=attr_max || ss_addr==NULL)
+ {
+ return ;
+ }
+
+ switch(ip_addr_type)
+ {
+ case IP_ADDRESS_IPV4:
+ case IP_ADDRESS_IPV4_PORT:
+ {
+ int32_t c_port=((ip_addr_type==IP_ADDRESS_IPV4_PORT) ? ntohs(ss_addr->ipv4.sport) : -1);
+ int32_t s_port=((ip_addr_type==IP_ADDRESS_IPV4_PORT) ? ntohs(ss_addr->ipv4.dport) : -1);
+
+ attribute_scratch_ipv4_fill(attr, attr_max, attr_offset, FREE_FALSE, &(attribute_schema[ATTRIBUTE_SCHEMA_CLIENT_IPV4]), FREE_FALSE, ss_addr->ipv4.saddr, c_port);
+ attribute_scratch_ipv4_fill(attr, attr_max, attr_offset, FREE_FALSE, &(attribute_schema[ATTRIBUTE_SCHEMA_SERVER_IPV4]), FREE_FALSE, ss_addr->ipv4.daddr, s_port);
+
+ struct ip_addr c_net_addr={0}, s_net_addr={0};
+ ipaddr_convert_layer_to_maat_format(ss_addr, ip_addr_type, &c_net_addr, &s_net_addr);
+
+ size_t max_tag_uuids=MAX_TAG_IDS_NUM;
+ uuid_t tag_uuids[max_tag_uuids];
+ size_t n_tag_uuids=ipaddr_entry_tag_uuids_get(&c_net_addr, c_port, tag_uuids, max_tag_uuids);
+ ipaddr_entry_tag_uuids_attribute_fill(attr, attr_max, attr_offset, tag_uuids, n_tag_uuids, ATTRIBUTE_SCHEMA_CLIENT_IPV4_TAGS);
+
+ n_tag_uuids=ipaddr_entry_tag_uuids_get(&s_net_addr, s_port, tag_uuids, max_tag_uuids);
+ ipaddr_entry_tag_uuids_attribute_fill(attr, attr_max, attr_offset, tag_uuids, n_tag_uuids, ATTRIBUTE_SCHEMA_SERVER_IPV4_TAGS);
+
+ attribute_scratch_not_logic_fill(attr, attr_max, attr_offset, FREE_FALSE, &(attribute_schema[ATTRIBUTE_SCHEMA_CLIENT_IPV4_COMMIT]), FREE_FALSE);
+ attribute_scratch_not_logic_fill(attr, attr_max, attr_offset, FREE_FALSE, &(attribute_schema[ATTRIBUTE_SCHEMA_SERVER_IPV4_COMMIT]), FREE_FALSE);
+
+ if(c_port!=-1 && s_port!=-1)
+ {
+ attribute_scratch_integer_fill(attr, attr_max, attr_offset, FREE_FALSE, &(attribute_schema[ATTRIBUTE_SCHEMA_CLIENT_PORT]), FREE_FALSE, (long long)c_port);
+ attribute_scratch_integer_fill(attr, attr_max, attr_offset, FREE_FALSE, &(attribute_schema[ATTRIBUTE_SCHEMA_SERVER_PORT]), FREE_FALSE, (long long)s_port);
+
+ attribute_scratch_not_logic_fill(attr, attr_max, attr_offset, FREE_FALSE, &(attribute_schema[ATTRIBUTE_SCHEMA_CLIENT_PORT_COMMIT]), FREE_FALSE);
+ attribute_scratch_not_logic_fill(attr, attr_max, attr_offset, FREE_FALSE, &(attribute_schema[ATTRIBUTE_SCHEMA_SERVER_PORT_COMMIT]), FREE_FALSE);
+ }
+ }
+ break;
+ case IP_ADDRESS_IPV6:
+ case IP_ADDRESS_IPV6_PORT:
+ {
+ int32_t c_port=((ip_addr_type==IP_ADDRESS_IPV6_PORT) ? ntohs(ss_addr->ipv6.sport) : -1);
+ int32_t s_port=((ip_addr_type==IP_ADDRESS_IPV6_PORT) ? ntohs(ss_addr->ipv6.dport) : -1);
+
+ attribute_scratch_ipv6_fill(attr, attr_max, attr_offset, FREE_FALSE, &(attribute_schema[ATTRIBUTE_SCHEMA_CLIENT_IPV6]), FREE_FALSE, ss_addr->ipv6.saddr, c_port);
+ attribute_scratch_ipv6_fill(attr, attr_max, attr_offset, FREE_FALSE, &(attribute_schema[ATTRIBUTE_SCHEMA_SERVER_IPV6]), FREE_FALSE, ss_addr->ipv6.daddr, s_port);
+
+ struct ip_addr c_net_addr, s_net_addr;
+ ipaddr_convert_layer_to_maat_format(ss_addr, ip_addr_type, &c_net_addr, &s_net_addr);
+
+ size_t max_tag_uuids=MAX_TAG_IDS_NUM;
+ uuid_t tag_uuids[max_tag_uuids];
+ size_t n_tag_uuids=ipaddr_entry_tag_uuids_get(&c_net_addr, c_port, tag_uuids, max_tag_uuids);
+ ipaddr_entry_tag_uuids_attribute_fill(attr, attr_max, attr_offset, tag_uuids, n_tag_uuids, ATTRIBUTE_SCHEMA_CLIENT_IPV6_TAGS);
+
+ n_tag_uuids=ipaddr_entry_tag_uuids_get(&s_net_addr, s_port, tag_uuids, max_tag_uuids);
+ ipaddr_entry_tag_uuids_attribute_fill(attr, attr_max, attr_offset, tag_uuids, n_tag_uuids, ATTRIBUTE_SCHEMA_SERVER_IPV6_TAGS);
+
+ attribute_scratch_not_logic_fill(attr, attr_max, attr_offset, FREE_FALSE, &(attribute_schema[ATTRIBUTE_SCHEMA_CLIENT_IPV6_COMMIT]), FREE_FALSE);
+ attribute_scratch_not_logic_fill(attr, attr_max, attr_offset, FREE_FALSE, &(attribute_schema[ATTRIBUTE_SCHEMA_SERVER_IPV6_COMMIT]), FREE_FALSE);
+
+ if(c_port!=-1 && s_port!=-1)
+ {
+ attribute_scratch_integer_fill(attr, attr_max, attr_offset, FREE_FALSE, &(attribute_schema[ATTRIBUTE_SCHEMA_CLIENT_PORT]), FREE_FALSE, (long long)c_port);
+ attribute_scratch_integer_fill(attr, attr_max, attr_offset, FREE_FALSE, &(attribute_schema[ATTRIBUTE_SCHEMA_SERVER_PORT]), FREE_FALSE, (long long)s_port);
+
+ attribute_scratch_not_logic_fill(attr, attr_max, attr_offset, FREE_FALSE, &(attribute_schema[ATTRIBUTE_SCHEMA_CLIENT_PORT_COMMIT]), FREE_FALSE);
+ attribute_scratch_not_logic_fill(attr, attr_max, attr_offset, FREE_FALSE, &(attribute_schema[ATTRIBUTE_SCHEMA_SERVER_PORT_COMMIT]), FREE_FALSE);
+ }
+ }
+ break;
+ default:
+ break;
+ }
+
+ uuid_t *ip_proto_object_uuid=scanner_get_ip_protocol_object_uuid(ip_proto);
+ if(ip_proto_object_uuid!=NULL)
+ {
+ struct maat_hit_object hit_objects;
+ hit_objects.attribute_name[0]='\0';;
+ uuid_clear(hit_objects.item_uuid);
+ uuid_copy(hit_objects.object_uuid, *ip_proto_object_uuid);
+ attribute_scratch_maat_object_fill(attr, attr_max, attr_offset, FREE_FALSE, &(attribute_schema[ATTRIBUTE_SCHEMA_IP_PROTOCOL]), FREE_FALSE, &hit_objects, 1);
+ }
+}
+
+enum ATTRIBUTE_SCHEMA scanner_ipport_tunnel_schema_idx_get(enum TUNNEL_TYPE tunnel_type)
+{
+ switch(tunnel_type)
+ {
+ case TUNNEL_TYPE_GRE:
+ return ATTRIBUTE_SCHEMA_TUNNEL_GRE_ENDPOINT;
+ case TUNNEL_TYPE_GTP:
+ case TUNNEL_TYPE_GTPV2:
+ return ATTRIBUTE_SCHEMA_TUNNEL_GTP_ENDPOINT;
+ case TUNNEL_TYPE_IP_IN_IP:
+ return ATTRIBUTE_SCHEMA_TUNNEL_IP_IN_IP_ENDPOINT;
+ default:
+ break;
+ }
+
+ return ATTRIBUTE_SCHEMA_UNKNOWN;
+}
+
+void scanner_get_application_userdefined_attribute(struct attribute_scratch *attr, size_t attr_max, size_t *attr_offset, struct userdefine_attribute *userdefined_attr, size_t n_userdefined_attr)
+{
+ if(attr==NULL || (*attr_offset)>=attr_max || userdefined_attr==NULL || n_userdefined_attr==0)
+ {
+ return ;
+ }
+
+ for(size_t i=0; i<n_userdefined_attr; i++)
+ {
+ struct userdefine_attribute *ud_attr=&(userdefined_attr[i]);
+ struct attribute_schema *schema=(struct attribute_schema *)calloc(1, sizeof(struct attribute_schema));
+ schema->attr_idx=ATTRIBUTE_SCHEMA_UNKNOWN;
+ schema->scan_not_logic_flag=SCHEMA_SCAN_NOT_LOGIC_TRUE;
+ schema->scan_hit_object_idx=SCHEMA_SCAN_HIT_OBJECT_OTHER_ATTR_IDX;
+ schema->log_field_name_sz=0;
+ schema->log_field_name=NULL;
+ schema->scan_attribute_name=strdup(ud_attr->attribute_name);
+
+ switch(ud_attr->type)
+ {
+ case USERDEFINE_ATTRIBUTE_TYPE_STRING:
+ attribute_scratch_string_fill(attr, attr_max, attr_offset, FREE_TRUE, schema, FREE_FALSE, ud_attr->string, ud_attr->value_sz);
+ break;
+ case USERDEFINE_ATTRIBUTE_TYPE_INTEGER:
+ attribute_scratch_integer_fill(attr, attr_max, attr_offset, FREE_TRUE, schema, FREE_FALSE, ud_attr->integer);
+ break;
+ case USERDEFINE_ATTRIBUTE_TYPE_BOOLEAN:
+ {
+ uuid_t *boolean_uuid=((ud_attr->boolean==1) ? scanner_get0_boolean_object_uuid(true) : scanner_get0_boolean_object_uuid(false));
+ struct maat_hit_object hit_object;
+ uuid_clear(hit_object.item_uuid);
+ hit_object.attribute_name[0]='\0';
+ uuid_copy(hit_object.object_uuid, *boolean_uuid);
+ attribute_scratch_maat_object_fill(attr, attr_max, attr_offset, FREE_TRUE, schema, FREE_FALSE, &hit_object, 1);
+ }
+ break;
+ default:
+ return ;
+ }
+ }
+}
+
+void scanner_tunnel_object_get(struct attribute_scratch *attr, size_t attr_max, size_t *attr_offset, UT_array *hitted_rules, uint32_t n_pre_hitted_rule)
+{
+ if(hitted_rules==NULL || utarray_len(hitted_rules)==0 || utarray_len(hitted_rules)<=n_pre_hitted_rule)
+ {
+ return ;
+ }
+
+ uint32_t n_hitted_rules=utarray_len(hitted_rules)-n_pre_hitted_rule;
+
+ uint32_t n_hit_objects=0;
+ struct maat_hit_object hit_objects[n_hitted_rules];
+
+ for(uint32_t i=0; i<n_hitted_rules; i++)
+ {
+ struct matched_rule *p_rule=(struct matched_rule *)utarray_eltptr(hitted_rules, n_pre_hitted_rule+i);
+ if(p_rule->rule_table_id!=RULE_TYPE_TUNNEL)
+ {
+ continue;
+ }
+
+ if(n_hit_objects<n_hitted_rules)
+ {
+ hit_objects[n_hit_objects].attribute_name[0]='\0';
+ uuid_clear(hit_objects[n_hit_objects].item_uuid);
+ uuid_copy(hit_objects[n_hit_objects++].object_uuid, p_rule->rule.uuid);
+ }
+ }
+
+ attribute_scratch_maat_object_fill(attr, attr_max, attr_offset, FREE_FALSE, &(attribute_schema[ATTRIBUTE_SCHEMA_TUNNEL_OBJECT]), FREE_FALSE, hit_objects, n_hit_objects);
+
+ firewall_local_file_counter_incby(LOCAL_STAT_COUNTER_HITS, TAG_KEY_TUNNEL_RULE, "Tunnel", n_hit_objects, stellar_get_current_thread_id(firewall_stellar_instance));
+}
+
+uuid_t *scanner_get0_tunnel_level_object_uuid(int32_t tunnel_level)
+{
+ if(tunnel_level<0 || tunnel_level>=TUNNEL_LEVEL_NUM)
+ {
+ return NULL;
+ }
+
+ return &(matcher->tunnel_level_object_uuid[tunnel_level]);
+}
+
+void scanner_tunnel_object_get(struct attribute_scratch *attr, size_t attr_max, size_t *attr_offset, enum TUNNEL_TYPE tunnel_type)
+{
+ if(attr==NULL || (*attr_offset)>=attr_max)
+ {
+ return ;
+ }
+
+ struct app_id_dict *app_dict=NULL;
+ struct maat_hit_object hit_objects;
+ hit_objects.attribute_name[0]='\0';
+ uuid_clear(hit_objects.item_uuid);
+
+ switch(tunnel_type)
+ {
+ case TUNNEL_TYPE_GRE:
+ app_dict=plugin_ex_data_app_id_dict_get(firewall_cm_maat, matcher->tunnel_app_id[TUNNEL_TYPE_GRE]); // GRE app id is 58
+ if(app_dict!=NULL)
+ {
+ uuid_copy(hit_objects.object_uuid, app_dict->object_uuid);
+ attribute_scratch_maat_object_fill(attr, attr_max, attr_offset, FREE_FALSE, &(attribute_schema[ATTRIBUTE_SCHEMA_ANALYSIS_APPLICATION_ID]), FREE_FALSE, &hit_objects, 1);
+ attribute_scratch_not_logic_fill(attr, attr_max, attr_offset, FREE_FALSE, &(attribute_schema[ATTRIBUTE_SCHEMA_ANALYSIS_APPLICATION_ID_COMMIT]), FREE_FALSE);
+ }
+ break;
+ case TUNNEL_TYPE_NONE:
+ case TUNNEL_TYPE_IP_IN_IP:
+ break;
+ case TUNNEL_TYPE_GTP:
+ case TUNNEL_TYPE_GTPV2:
+ {
+ app_dict=plugin_ex_data_app_id_dict_get(firewall_cm_maat, matcher->tunnel_app_id[TUNNEL_TYPE_GTP]); // GTP app id is 59
+ if(app_dict!=NULL)
+ {
+ uuid_copy(hit_objects.object_uuid, app_dict->object_uuid);
+ attribute_scratch_maat_object_fill(attr, attr_max, attr_offset, FREE_FALSE, &(attribute_schema[ATTRIBUTE_SCHEMA_ANALYSIS_APPLICATION_ID]), FREE_FALSE, &hit_objects, 1);
+ }
+
+ app_dict=plugin_ex_data_app_id_dict_get(firewall_cm_maat, matcher->tunnel_app_id[TUNNEL_TYPE_GTPV2]); // GTPv2 app id is 735
+ if(app_dict!=NULL)
+ {
+ uuid_copy(hit_objects.object_uuid, app_dict->object_uuid);
+ attribute_scratch_maat_object_fill(attr, attr_max, attr_offset, FREE_FALSE, &(attribute_schema[ATTRIBUTE_SCHEMA_ANALYSIS_APPLICATION_ID]), FREE_FALSE, &hit_objects, 1);
+ }
+
+ attribute_scratch_not_logic_fill(attr, attr_max, attr_offset, FREE_FALSE, &(attribute_schema[ATTRIBUTE_SCHEMA_ANALYSIS_APPLICATION_ID_COMMIT]), FREE_FALSE);
+ }
+ break;
+ default:
+ break;
+ }
+}
+
+void scanner_tunnel_gtp_attribute_get(struct attribute_scratch *attr, size_t attr_max, size_t *attr_offset, struct gtp_header *gtp_hdr)
+{
+ if(gtp_hdr==NULL)
+ {
+ return ;
+ }
+
+ struct user_identification *uid=NULL;
+ plugin_ex_data_user_identification_get_by_teid(firewall_sd_maat, gtp_hdr->c2s_teid, &uid);
+ if(uid==NULL)
+ {
+ return ;
+ }
+
+ size_t value_sz=((uid->subscriber.subscriber_id!=NULL) ? (strlen(uid->subscriber.subscriber_id)) : 0);
+ attribute_scratch_string_fill(attr, attr_max, attr_offset, FREE_FALSE, &(attribute_schema[ATTRIBUTE_SCHEMA_CLIENT_SUBSCRIBER_ID]), FREE_FALSE, uid->subscriber.subscriber_id, value_sz);
+
+ if(uid->ue==NULL)
+ {
+ return ;
+ }
+
+ value_sz=((uid->ue->imei!=NULL) ? (strlen(uid->ue->imei)) : 0);
+ attribute_scratch_string_fill(attr, attr_max, attr_offset, FREE_FALSE, &(attribute_schema[ATTRIBUTE_SCHEMA_CLIENT_IMEI]), FREE_FALSE, uid->ue->imei, value_sz);
+
+ value_sz=((uid->ue->imsi!=NULL) ? (strlen(uid->ue->imsi)) : 0);
+ attribute_scratch_string_fill(attr, attr_max, attr_offset, FREE_FALSE, &(attribute_schema[ATTRIBUTE_SCHEMA_CLIENT_IMSI]), FREE_FALSE, uid->ue->imei, value_sz);
+
+ value_sz=((uid->ue->apn!=NULL) ? (strlen(uid->ue->apn)) : 0);
+ attribute_scratch_string_fill(attr, attr_max, attr_offset, FREE_FALSE, &(attribute_schema[ATTRIBUTE_SCHEMA_CLIENT_APN]), FREE_FALSE, uid->ue->apn, value_sz);
+
+ value_sz=((uid->ue->msisdn!=NULL) ? (strlen(uid->ue->msisdn)) : 0);
+ attribute_scratch_string_fill(attr, attr_max, attr_offset, FREE_FALSE, &(attribute_schema[ATTRIBUTE_SCHEMA_CLIENT_MSISDN]), FREE_FALSE, uid->ue->msisdn, value_sz);
+}
+
+struct maat_compile *plugin_shareed_security_rule_priority_decide(uuid_t *rule_uuid_list, size_t n_rules)
+{
+ struct maat_compile *highest_priority_compile=NULL;
+ for(size_t i=0; i<n_rules; i++)
+ {
+ struct maat_compile *compile=plugin_ex_data_security_rule_get0(firewall_cm_maat, rule_uuid_list[i]);
+ if(compile==NULL)
+ {
+ continue;
+ }
+
+ if(highest_priority_compile==NULL)
+ {
+ highest_priority_compile=compile;
+ continue;
+ }
+
+ if(compile->rule.action > highest_priority_compile->rule.action)
+ {
+ highest_priority_compile=compile;
+ continue;
+ }
+
+ if(compile->rule.action < highest_priority_compile->rule.action)
+ {
+ continue;
+ }
+
+ if(compile->rule.uuid > highest_priority_compile->rule.uuid)
+ {
+ highest_priority_compile=compile;
+ continue;
+ }
+ }
+
+ return highest_priority_compile;
+}
+
+char *scanner_get1_ipaddr_entry_string(struct plugin_ipaddr_entry **ipaddr_exdata, size_t n_ipaddr_exdata, enum LIBRARY_TAG_CATEGORY category)
+{
+ for(size_t i=0; i<n_ipaddr_exdata; i++)
+ {
+ if(ipaddr_exdata[i]==NULL || ipaddr_exdata[i]->n_tag_uuids==0)
+ {
+ continue;
+ }
+
+ for(size_t j=0; j<ipaddr_exdata[i]->n_tag_uuids; j++)
+ {
+ struct plugin_library_tag *tag=plugin_ex_data_library_tag_get(firewall_cm_maat, ipaddr_exdata[i]->tag_uuids[j]);
+ if(tag!=NULL && tag->category==category)
+ {
+ return strdup(tag->value);
+ }
+ }
+ }
+
+ return NULL;
+}
+
+enum MAAT_RULE_TABLE maat_rule_table_string2type(char *rule_name, size_t rule_name_sz)
+{
+ if(rule_name==NULL || rule_name_sz==0)
+ {
+ return MAAT_RULE_TABLE_UNKNOWN;
+ }
+
+ struct rule_table_string2type rule_name_array[RULE_TYPE_MAX]={
+ {MAAT_RULE_TABLE_UNKNOWN, 0, NULL},
+ {RULE_TYPE_SECURITY, 13, (char *)"SECURITY_RULE"},
+ {RULE_TYPE_PXY_INTERCEPT, 18, (char *)"PXY_INTERCEPT_RULE"},
+ {RULE_TYPE_SERVICE_CHAINING, 21, (char *)"SERVICE_CHAINING_RULE"},
+ {RULE_TYPE_SHAPING, 20, (char *)"TRAFFIC_SHAPING_RULE"},
+ {RULE_TYPE_APP_SIGNATURE, 12, (char *)"APP_SIG_RULE"},
+ {RULE_TYPE_STATISTICS, 15, (char *)"STATISTICS_RULE"},
+ {RULE_TYPE_MONITOR, 12, (char *)"MONITOR_RULE"},
+ {RULE_TYPE_DOS_PROTECTION, 19, (char *)"DOS_PROTECTION_RULE"},
+ {RULE_TYPE_TUNNEL, 11, (char *)"TUNNEL_RULE"}
+ };
+
+ for(int i=0; i<RULE_TYPE_MAX; i++)
+ {
+ if(rule_name_array[i].string_sz==0)
+ {
+ continue;
+ }
+
+ if(rule_name_array[i].string_sz==rule_name_sz && (strncasecmp(rule_name_array[i].string, rule_name, rule_name_array[i].string_sz))==0
+ )
+ {
+ return rule_name_array[i].type;
+ }
+ }
+
+ return MAAT_RULE_TABLE_UNKNOWN;
+}
+
+void scanner_convert_rule(const char *readable_addr, struct maat_state *scan_state, struct scanner_state *policy_state, uuid_t *rule_uuids, size_t n_rule_uuids)
+{
+ if(scan_state==NULL || policy_state==NULL || rule_uuids==NULL || n_rule_uuids==0)
+ {
+ return ;
+ }
+
+ char *rule_table_names[MAX_HITS_RULES_NUM];
+ int n_rule_table_names=maat_state_get_rule_table_names(scan_state, rule_uuids, n_rule_uuids, rule_table_names);
+ if(n_rule_table_names<=0)
+ {
+ return ;
+ }
+
+ for(int i=0; i<n_rule_table_names; i++)
+ {
+ int dup_rule_uuid_flag=0;
+
+ for(uint32_t j=0; j<utarray_len(policy_state); j++)
+ {
+ struct matched_rule *p_rule=(struct matched_rule *)utarray_eltptr(policy_state, j);
+ if(uuid_compare(p_rule->rule.uuid, rule_uuids[i])==0)
+ {
+ dup_rule_uuid_flag=1;
+ break;
+ }
+ }
+
+ if(dup_rule_uuid_flag==1)
+ {
+ dup_rule_uuid_flag=0;
+ continue;
+ }
+
+ struct maat_compile *compile=NULL;
+ struct matched_rule add_one_rule;
+ add_one_rule.app_id=0;
+ uuid_copy(add_one_rule.rule.uuid, rule_uuids[i]);
+ size_t rule_table_name_sz=((rule_table_names[i]!=NULL) ? strlen(rule_table_names[i]) : 0);
+ add_one_rule.rule_table_id=maat_rule_table_string2type(rule_table_names[i], rule_table_name_sz);
+
+ utarray_push_back(policy_state, &add_one_rule);
+ }
+}
+
+void scanner_scan_not_logic_attribute(const char *readable_addr, struct attribute_schema *schema, struct maat *cm_maat, struct maat_state *scan_state, struct scanner_state *policy_state)
+{
+ if(scan_state==NULL || policy_state==NULL)
+ {
+ return ;
+ }
+
+ if(schema==NULL || schema->scan_attribute_name==NULL)
+ {
+ return ;
+ }
+
+ size_t n_rule_uuids=0;
+ uuid_t rule_uuids[MAX_HITS_RULES_NUM];
+ const char *table_name=firewall_attribuite_mapping_table_name_get0(cm_maat, schema->scan_attribute_name);
+ int hits_status=maat_scan_not_logic(cm_maat, table_name, schema->scan_attribute_name, rule_uuids, MAX_HITS_RULES_NUM, &n_rule_uuids, scan_state);
+ scanner_convert_rule(readable_addr, scan_state, policy_state, rule_uuids, n_rule_uuids);
+
+ FIREWALL_DEBUG_LOG("maat_scan_not_logic", "scan table: %s attribute: %s log_field_name: %s hits_status: %d n_hits: %d addr: %s",
+ table_name,
+ schema->scan_attribute_name,
+ (schema->log_field_name!=NULL) ? schema->log_field_name : "",
+ hits_status,
+ n_rule_uuids,
+ ((readable_addr!=NULL) ? readable_addr : "")
+ );
+}
+
+void scanner_scan_object_attribute(const char *readable_addr, struct attribute_schema *schema, struct maat *cm_maat, struct maat_state *scan_state, struct maat_hit_object *objects, size_t n_object, struct scanner_state *policy_state)
+{
+ if(scan_state==NULL || policy_state==NULL || objects==NULL || n_object==0)
+ {
+ return ;
+ }
+
+ if(schema==NULL || schema->scan_attribute_name==NULL)
+ {
+ return ;
+ }
+
+ size_t n_rule_uuids=0;
+ uuid_t rule_uuids[MAX_HITS_RULES_NUM];
+ const char *table_name=firewall_attribuite_mapping_table_name_get0(cm_maat, schema->scan_attribute_name);
+ int hits_status=maat_scan_object(cm_maat, table_name, schema->scan_attribute_name, objects, n_object, rule_uuids, MAX_HITS_RULES_NUM, &n_rule_uuids, scan_state);
+ scanner_convert_rule(readable_addr, scan_state, policy_state, rule_uuids, n_rule_uuids);
+
+ FIREWALL_DEBUG_LOG("maat_scan_object", "scan table: %s attribute: %s log_field_name: %s object_ids: %d hits_status: %d n_hits: %d addr: %s",
+ table_name,
+ schema->scan_attribute_name,
+ (schema->log_field_name!=NULL) ? schema->log_field_name : "",
+ n_object,
+ hits_status,
+ n_rule_uuids,
+ ((readable_addr!=NULL) ? readable_addr : "")
+ );
+}
+
+void scanner_scan_string_attribute(const char *readable_addr, struct attribute_schema *schema, struct maat *cm_maat, struct maat_state *scan_state, const char *scan_string, size_t scan_string_sz, struct scanner_state *policy_state)
+{
+ if(scan_state==NULL || scan_string==NULL || scan_string_sz==0 || policy_state==NULL)
+ {
+ return ;
+ }
+
+ if(schema==NULL || schema->scan_attribute_name==NULL)
+ {
+ return ;
+ }
+
+ size_t n_rule_uuids=0;
+ uuid_t rule_uuids[MAX_HITS_RULES_NUM];
+ const char *table_name=firewall_attribuite_mapping_table_name_get0(cm_maat, schema->scan_attribute_name);
+ int hits_status=maat_scan_string(cm_maat, table_name, schema->scan_attribute_name, scan_string, scan_string_sz, rule_uuids, MAX_HITS_RULES_NUM, &n_rule_uuids, scan_state);
+ scanner_convert_rule(readable_addr, scan_state, policy_state, rule_uuids, n_rule_uuids);
+
+ FIREWALL_DEBUG_LOG("maat_scan_string", "scan table: %s attribute: %s log_field_name: %s string: hits_status: %d n_hits: %d addr: %s",
+ table_name,
+ schema->scan_attribute_name,
+ (schema->log_field_name!=NULL) ? schema->log_field_name : "",
+ hits_status,
+ n_rule_uuids,
+ ((readable_addr!=NULL) ? readable_addr : "")
+ );
+}
+
+void scanner_scan_integer_attribute(const char *readable_addr, struct attribute_schema *schema, struct maat *cm_maat, struct maat_state *scan_state, uint64_t scan_integer, struct scanner_state *policy_state)
+{
+ if(scan_state==NULL || policy_state==NULL)
+ {
+ return ;
+ }
+
+ if(schema==NULL || schema->scan_attribute_name==NULL)
+ {
+ return ;
+ }
+
+ size_t n_rule_uuids=0;
+ uuid_t rule_uuids[MAX_HITS_RULES_NUM];
+ const char *table_name=firewall_attribuite_mapping_table_name_get0(cm_maat, schema->scan_attribute_name);
+ int hits_status=maat_scan_integer(cm_maat, table_name, schema->scan_attribute_name, scan_integer, rule_uuids, MAX_HITS_RULES_NUM, &n_rule_uuids, scan_state);
+ scanner_convert_rule(readable_addr, scan_state, policy_state, rule_uuids, n_rule_uuids);
+
+ FIREWALL_DEBUG_LOG("maat_scan_integer", "scan table: %s attribute: %s log_field_name: %s integer: %lu hits_status: %d n_hits: %d addr: %s",
+ table_name,
+ schema->scan_attribute_name,
+ (schema->log_field_name!=NULL) ? schema->log_field_name : "",
+ scan_integer,
+ hits_status,
+ n_rule_uuids,
+ ((readable_addr!=NULL) ? readable_addr : "")
+ );
+}
+
+void scanner_scan_flag_attribute(const char *readable_addr, struct attribute_schema *schema, struct maat *cm_maat, struct maat_state *scan_state, uint64_t scan_flag, struct scanner_state *policy_state)
+{
+ if(scan_state==NULL || policy_state==NULL)
+ {
+ return ;
+ }
+
+ if(schema==NULL || schema->scan_attribute_name==NULL)
+ {
+ return ;
+ }
+
+ size_t n_rule_uuids=0;
+ uuid_t rule_uuids[MAX_HITS_RULES_NUM];
+ const char *table_name=firewall_attribuite_mapping_table_name_get0(cm_maat, schema->scan_attribute_name);
+ int hits_status=maat_scan_flag(cm_maat, table_name, schema->scan_attribute_name, scan_flag, rule_uuids, MAX_HITS_RULES_NUM, &n_rule_uuids, scan_state);
+ scanner_convert_rule(readable_addr, scan_state, policy_state, rule_uuids, n_rule_uuids);
+
+ FIREWALL_DEBUG_LOG("maat_scan_flags", "scan table: %s attribute: %s log_field_name: %s flags: %lu hits_status: %d n_hits: %d addr: %s",
+ table_name,
+ schema->scan_attribute_name,
+ (schema->log_field_name!=NULL) ? schema->log_field_name : "",
+ scan_flag,
+ hits_status,
+ n_rule_uuids,
+ ((readable_addr!=NULL) ? readable_addr : "")
+ );
+}
+
+void scanner_scan_ipv4_attribute(const char *readable_addr, struct attribute_schema *schema, struct maat *cm_maat, struct maat_state *scan_state, uint32_t scan_ipv4, int32_t scan_port, struct scanner_state *policy_state)
+{
+ if(scan_state==NULL || policy_state==NULL)
+ {
+ return ;
+ }
+
+ if(schema==NULL || schema->scan_attribute_name==NULL)
+ {
+ return ;
+ }
+
+ size_t n_rule_uuids=0;
+ uuid_t rule_uuids[MAX_HITS_RULES_NUM];
+ const char *table_name=firewall_attribuite_mapping_table_name_get0(cm_maat, schema->scan_attribute_name);
+ int hits_status=maat_scan_ipv4_port(cm_maat, table_name, schema->scan_attribute_name, scan_ipv4, scan_port, rule_uuids, MAX_HITS_RULES_NUM, &n_rule_uuids, scan_state);
+ scanner_convert_rule(readable_addr, scan_state, policy_state, rule_uuids, n_rule_uuids);
+
+ FIREWALL_DEBUG_LOG("maat_scan_ipv4_port", "scan ipv4: %u port: %d table: %s attribute: %s hits_status: %d n_hits: %d addr: %s",
+ scan_ipv4,
+ scan_port,
+ table_name,
+ schema->scan_attribute_name,
+ hits_status,
+ n_rule_uuids,
+ ((readable_addr!=NULL) ? readable_addr : "")
+ );
+}
+
+void scanner_scan_ipv6_attribute(const char *readable_addr, struct attribute_schema *schema, struct maat *cm_maat, struct maat_state *scan_state, uint8_t *scan_ipv6, int32_t scan_port, struct scanner_state *policy_state)
+{
+ if(scan_state==NULL || policy_state==NULL)
+ {
+ return ;
+ }
+
+ if(schema==NULL || schema->scan_attribute_name==NULL)
+ {
+ return ;
+ }
+
+ size_t n_rule_uuids=0;
+ uuid_t rule_uuids[MAX_HITS_RULES_NUM];
+ const char *table_name=firewall_attribuite_mapping_table_name_get0(cm_maat, schema->scan_attribute_name);
+ int hits_status=maat_scan_ipv6_port(cm_maat, table_name, schema->scan_attribute_name, scan_ipv6, scan_port, rule_uuids, MAX_HITS_RULES_NUM, &n_rule_uuids, scan_state);
+ scanner_convert_rule(readable_addr, scan_state, policy_state, rule_uuids, n_rule_uuids);
+
+ FIREWALL_DEBUG_LOG("maat_scan_ipv6_port",
+ "scan ipv6: %.08x-%.08x-%.08x-%.08x port: %d table: %s attribute: %s hits_status: %d, n_hits: %d, addr: %s",
+ ((uint32_t *)scan_ipv6)[0],
+ ((uint32_t *)scan_ipv6)[1],
+ ((uint32_t *)scan_ipv6)[2],
+ ((uint32_t *)scan_ipv6)[3],
+ scan_port,
+ table_name,
+ schema->scan_attribute_name,
+ hits_status,
+ n_rule_uuids,
+ ((readable_addr!=NULL) ? readable_addr : "")
+ );
+}
+
+void scanner_scan_stream_attribute(const char *readable_addr, struct attribute_schema *schema, struct maat *cm_maat, struct maat_state *scan_state, struct maat_stream **stream_handle, const char *scan_string, size_t scan_string_sz, struct scanner_state *policy_state)
+{
+ if(scan_state==NULL || scan_string==NULL || scan_string_sz==0 || policy_state==NULL || stream_handle==NULL)
+ {
+ return ;
+ }
+
+ if(schema==NULL || schema->scan_attribute_name==NULL)
+ {
+ return ;
+ }
+
+ if(*stream_handle==NULL)
+ {
+ const char *table_name=firewall_attribuite_mapping_table_name_get0(cm_maat, schema->scan_attribute_name);
+ *stream_handle=maat_stream_new(cm_maat, table_name, schema->scan_attribute_name, scan_state);
+ FIREWALL_DEBUG_LOG("maat_stream_new", "new table: %s attribute: %s %s addr: %s",
+ table_name,
+ schema->scan_attribute_name,
+ (*stream_handle!=NULL) ? "success" : "failed",
+ ((readable_addr!=NULL) ? readable_addr : "")
+ );
+ }
+
+ size_t n_rule_uuids=0;
+ uuid_t rule_uuids[MAX_HITS_RULES_NUM];
+ int hits_status=maat_stream_scan(*stream_handle, scan_string, scan_string_sz, rule_uuids, MAX_HITS_RULES_NUM, &n_rule_uuids, scan_state);
+ scanner_convert_rule(readable_addr, scan_state, policy_state, rule_uuids, n_rule_uuids);
+
+ FIREWALL_DEBUG_LOG("maat_stream_scan", "scan table: %s attribute: %s hits_status: %d, n_hits: %d, addr: %s",
+ firewall_attribuite_mapping_table_name_get0(cm_maat, schema->scan_attribute_name),
+ schema->scan_attribute_name,
+ hits_status,
+ n_rule_uuids,
+ ((readable_addr!=NULL) ? readable_addr : "")
+ );
+}
+
+const char *scanner_get_rule_table_alias_name(struct scanner *scanner, enum RULE_TYPE type)
+{
+ switch(type)
+ {
+ case RULE_TYPE_SECURITY:
+ return "Security";
+ case RULE_TYPE_MONITOR:
+ return "Monitor";
+ case RULE_TYPE_PXY_INTERCEPT:
+ return "Intercept";
+ case RULE_TYPE_SERVICE_CHAINING:
+ return "Service_Chaining";
+ case RULE_TYPE_SHAPING:
+ return "Shaping";
+ case RULE_TYPE_APP_SIGNATURE:
+ return "Signature";
+ case RULE_TYPE_STATISTICS:
+ return "Statistics";
+ case RULE_TYPE_DOS_PROTECTION:
+ return "DoS_Protection";
+ case RULE_TYPE_TUNNEL:
+ return "Tunnel";
+ default:
+ break;
+ }
+
+ return NULL;
+}
+
+int32_t scanner_get_default_app_id(struct scanner *scanner)
+{
+ return matcher->default_unknown_app_id;
+}
+
+int32_t scanner_get_tunnel_app_id(struct scanner *scanner, enum TUNNEL_TYPE tunnel_type)
+{
+ if(tunnel_type<0 || tunnel_type>=TUNNEL_TYPE_MAX)
+ {
+ return 0;
+ }
+
+ return matcher->tunnel_app_id[tunnel_type];
+}
+
+uuid_t *scanner_get0_boolean_object_uuid(struct scanner *scanner, bool value)
+{
+ return ((value==true) ? &(matcher->boolean_true_object_uuid) : &(matcher->boolean_false_object_uuid));
+}
+
+void scanner_default_parameter_init(struct default_parameter *para)
+{
+ uuid_parse("00000000-0000-0000-0000-000000000002", para->boolean_true_object_uuid);
+ uuid_parse("00000000-0000-0000-0000-000000000003", para->boolean_false_object_uuid);
+
+ uuid_parse("00000000-0000-0000-0000-000000000005", para->ip_protocol_object_uuid[IP_PROTOCOL_ICMP]);
+ uuid_parse("00000000-0000-0000-0000-000000000006", para->ip_protocol_object_uuid[IP_PROTOCOL_TCP]);
+ uuid_parse("00000000-0000-0000-0000-000000000007", para->ip_protocol_object_uuid[IP_PROTOCOL_UDP]);
+
+ for(int i=0; i<TUNNEL_LEVEL_NUM; i++)
+ {
+ char uuid_str[UUID_STR_LEN];
+ snprintf(uuid_str, sizeof(uuid_str), "00000000-0000-0000-0000-0000000000%02d", 50+i);
+ uuid_parse(uuid_str, para->tunnel_level_object_uuid[i]);
+ }
+
+ para->tunnel_app_id[TUNNEL_TYPE_GRE]=58;
+ para->tunnel_app_id[TUNNEL_TYPE_GTP]=59;
+ para->tunnel_app_id[TUNNEL_TYPE_GTPV2]=735;
+ para->tunnel_app_id[TUNNEL_TYPE_IP_IN_IP]=0;
+ para->tunnel_app_id[TUNNEL_TYPE_NONE]=0;
+}
+
+struct scanner *scanner_module_to_scanner(struct module *mod)
+{
+ if(mod==NULL)return NULL;
+ if(strcmp(module_get_name(mod), SCANNER_MODULE_NAME)!=0)return NULL;
+ return (struct scanner *)module_get_ctx(mod);
+}
+
+struct module *scanner_module_init(struct module_manager *mod_mgr)
+{
+ if(mod_mgr==NULL)return NULL;
+
+ struct scanner *scanner=CALLOC(struct scanner, 1);
+ struct module *mod=module_new(SCANNER_MODULE_NAME, (void *)scanner);
+ if(mod==NULL)
+ {
+ goto INIT_ERROR;
+ }
+
+ scanner->mod_mgr=mod_mgr;
+ scanner->logger=module_manager_get_logger(mod_mgr);
+ scanner_default_parameter_init(&(scanner->default_para));
+ attribute_schema_init(scanner->attr_schema, ATTRIBUTE_SCHEMA_MAX);
+
+ int max_thread_num=module_manager_get_max_thread_num(mod_mgr);
+ const char *toml_path=module_manager_get_toml_path(mod_mgr);
+ global_parameter_get(scanner->logger, toml_path, "scanner", &(scanner->default_para));
+
+ scanner->maat=scanner_maat_new(scanner->logger, toml_path, max_thread_num);
+ if(scanner->maat==NULL)
+ {
+ goto INIT_ERROR;
+ }
+
+ session_scanner_new(mod_mgr, scanner)
+
+ return mod;
+
+INIT_ERROR:
+ scanner_module_exit(mod_mgr, mod);
+ exit(-1);
+ return NULL;
+}
+
+void scanner_module_exit(struct module_manager *mod_mgr, struct module *mod)
+{
+ if(mod_mgr==NULL)return;
+ if(mod)
+ {
+ struct scanner *scanner=(struct scanner *)module_get_ctx(mod);
+ FREE(scanner);
+ module_free(mod);
+ }
+}
diff --git a/scanner/scanner_maat.c b/scanner/scanner_maat.c
new file mode 100644
index 0000000..ed9a7f7
--- /dev/null
+++ b/scanner/scanner_maat.c
@@ -0,0 +1,1037 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <linux/limits.h>
+
+#include <yyjson/yyjson.h>
+#include <stellar/utils.h>
+
+#include "scanner_maat.h"
+#include "scanner_toml.h"
+
+struct maat_parameter
+{
+ bool stat_enabled;
+ bool perf_enabled;
+ bool hit_path_enabled;
+ bool hit_object_enabled;
+ bool maat_stat_enabled;
+ bool deferred_load_enabled;
+ int effctive_interval_ms;
+ int garbage_collect_ms;
+ int rule_update_check_interval_ms;
+ int redis_port;
+ int redis_index;
+ int log_level;
+ char log_path[PATH_MAX];
+ char redis_ip[NAME_MAX];
+ char maat_mode[NAME_MAX];
+ char device_tag[NAME_MAX];
+ char table_info[PATH_MAX];
+ char stat_file[PATH_MAX];
+ char instance_name[NAME_MAX];
+ char json_config_path[PATH_MAX];
+ char foreign_content_dir[PATH_MAX];
+};
+
+struct maat_plugin_table
+{
+ char name[NAME_MAX];
+ maat_ex_new_func_t *ex_new;
+ maat_ex_free_func_t *ex_free;
+ maat_ex_dup_func_t *ex_dup;
+};
+
+enum CM_MAAT_PLUGIN
+{
+ CM_MAAT_PLUGIN_APP_ID_DICT=0,
+ CM_MAAT_PLUGIN_SESSION_OPTION, //T_VSYS_INFO,
+ CM_MAAT_PLUGIN_POLICY_OBJECT,
+ CM_MAAT_PLUGIN_LIBRARY_TAG,
+ CM_MAAT_PLUGIN_IP_ADDR_ENTRY,
+ CM_MAAT_PLUGIN_FQDN_ENTRY,
+ CM_MAAT_PLUGIN_ATTRIBUTE_DICT,
+ CM_MAAT_PLUGIN_MAX
+};
+
+enum SD_MAAT_PLUGIN
+{
+ SD_MAAT_PLUGIN_GTP_IP2SIGNALING=0,
+ SD_MAAT_PLUGIN_DYNAMIC_IPPORT_MAPPING,
+ SD_MAAT_PLUGIN_MAX
+};
+
+struct scanner_maat
+{
+ struct logger *logger;
+ struct maat *feather;
+ struct maat_parameter parameter;
+ struct maat_plugin_table *plugin_table;
+};
+
+struct category_string2type
+{
+ enum LIBRARY_TAG_CATEGORY type;
+ size_t string_sz;
+ char *string;
+};
+
+static int yyjson_value_int32_get(yyjson_val *root, const char *key, int32_t *value)
+{
+ if(root==NULL || key==NULL)
+ {
+ *value=0;
+ return 0;
+ }
+
+ yyjson_val *val=yyjson_obj_get(root, key);
+ if(val==NULL)
+ {
+ *value=0;
+ return 0;
+ }
+
+ *value=yyjson_get_int(val);
+
+ return 1;
+}
+
+static int yyjson_value_string_get0(yyjson_val *root, const char *key, char **value, size_t *value_sz)
+{
+ if(root==NULL || key==NULL)
+ {
+ *value=NULL;
+ *value_sz=0;
+ return 0;
+ }
+
+ yyjson_val *val=yyjson_obj_get(root, key);
+ if(val==NULL || yyjson_get_str(val)==NULL)
+ {
+ *value=NULL;
+ *value_sz=0;
+ return 0;
+ }
+
+ *value=(char *)yyjson_get_str(val);
+ *value_sz=yyjson_get_len(val);
+
+ return 1;
+}
+
+static int yyjson_value_string_get1(yyjson_val *root, const char *key, char **value, size_t *value_sz)
+{
+ if(root==NULL || key==NULL)
+ {
+ *value=NULL;
+ *value_sz=0;
+ return 0;
+ }
+
+ yyjson_val *val=yyjson_obj_get(root, key);
+ if(val==NULL || yyjson_get_str(val)==NULL)
+ {
+ *value=NULL;
+ *value_sz=0;
+ return 0;
+ }
+
+ if(yyjson_get_len(val)==4 && memcmp(yyjson_get_str(val), "null", 4)==0)
+ {
+ *value=NULL;
+ *value_sz=0;
+ return 0;
+ }
+
+ *value=strdup(yyjson_get_str(val));
+ *value_sz=strlen(*value);
+
+ return 1;
+}
+
+void scanner_maat_exdata_app_id_dict_dup(const char *table_name __attribute__((unused)), void **to, void **from, long argl __attribute__((unused)), void *argp __attribute__((unused)))
+{
+ *to=*from;
+}
+
+void scanner_maat_exdata_app_id_dict_new(const char *table_name __attribute__((unused)), const char *key __attribute__((unused)), const char *table_line, void **ad, long argl __attribute__((unused)), void *argp __attribute__((unused)))
+{
+ yyjson_doc *doc=yyjson_read(table_line, strlen(table_line), 0);
+ if(doc==NULL)
+ {
+ return ;
+ }
+
+ yyjson_val *root=yyjson_doc_get_root(doc);
+ if(root==NULL)
+ {
+ goto ERROR;
+ }
+
+ struct app_id_dict *dict=(struct app_id_dict *)CALLOC(struct app_id_dict, 1);
+
+ yyjson_value_int32_get(root, "app_id", &(dict->app_id));
+ yyjson_value_string_get1(root, "app_name", &(dict->app_name), &(dict->app_name_sz));
+ yyjson_value_int32_get(root, "tcp_timeout", &(dict->tcp_timeout));
+ yyjson_value_int32_get(root, "udp_timeout", &(dict->udp_timeout));
+
+ char *object_uuid_str=NULL;
+ size_t object_uuid_str_sz=0;
+ yyjson_value_string_get0(root, "object_uuid", &object_uuid_str, &object_uuid_str_sz);
+ if(object_uuid_str!=NULL && object_uuid_str_sz>0)
+ {
+ uuid_parse(object_uuid_str, dict->object_uuid);
+ }
+
+ yyjson_value_string_get1(root, "category", &(dict->category), &(dict->category_sz));
+ yyjson_value_string_get1(root, "content", &(dict->content), &(dict->content_sz));
+
+ yyjson_val *action_parameter=yyjson_obj_get(root, "action_parameter");
+ if(action_parameter!=NULL)
+ {
+ dict->action_parameter=yyjson_val_write(action_parameter, 0, NULL);
+ }
+
+ *ad=(void *)dict;
+ERROR:
+ yyjson_doc_free(doc);
+}
+
+void scanner_maat_exdata_app_id_dict_free(const char *table_name __attribute__((unused)), void **ad, long argl __attribute__((unused)), void *argp __attribute__((unused)))
+{
+ if((*ad)==NULL)
+ {
+ return ;
+ }
+
+ struct app_id_dict *dict=(struct app_id_dict *)(*ad);
+ if(dict->app_name) { FREE(dict->app_name); }
+ if(dict->category) { FREE(dict->category); }
+ if(dict->content) { FREE(dict->content); }
+ if(dict->action_parameter) { FREE(dict->action_parameter); }
+
+ FREE((*ad));
+ *ad=NULL;
+}
+
+const struct app_id_dict *scanner_maat_get_app_id_dict(struct scanner_maat *cm_maat, int32_t appid)
+{
+ return (struct app_id_dict *)maat_plugin_table_get_ex_data(cm_maat->feather, cm_maat->plugin_table[CM_MAAT_PLUGIN_APP_ID_DICT].name, (const char *)&appid, sizeof(appid));
+}
+
+void scanner_maat_virtual_system_parameter_new(const char *table_name __attribute__((unused)), const char *key __attribute__((unused)), const char *table_line, void **ad, long argl __attribute__((unused)), void *argp __attribute__((unused)))
+{
+ yyjson_doc *doc=yyjson_read(table_line, strlen(table_line), 0);
+ if(doc==NULL)
+ {
+ return ;
+ }
+
+ yyjson_val *root=yyjson_doc_get_root(doc);
+ if(root==NULL)
+ {
+ goto ERROR;
+ }
+
+ struct virtual_system_parameter *vsys_para=(struct virtual_system_parameter *)CALLOC(struct virtual_system_parameter, 1);
+ yyjson_value_int32_get(root, "is_enable_session_record", &(vsys_para->record_enabled));
+ yyjson_value_int32_get(root, "min_packets", &(vsys_para->limited_min_pkts));
+
+ yyjson_val *security_option=yyjson_obj_get(root, "security_option");
+ if(security_option!=NULL)
+ {
+ vsys_para->security_settings=yyjson_val_write(security_option, 0, NULL);
+ }
+
+ *ad=(void *)vsys_para;
+
+ERROR:
+ yyjson_doc_free(doc);
+}
+
+void scanner_maat_virtual_system_parameter_dup(const char *table_name __attribute__((unused)), void **to, void **from, long argl __attribute__((unused)), void *argp __attribute__((unused)))
+{
+ (*to)=(*from);
+}
+
+void scanner_maat_virtual_system_parameter_free(const char *table_name __attribute__((unused)), void **ad, long argl __attribute__((unused)), void *argp __attribute__((unused)))
+{
+ if((*ad)==NULL)
+ {
+ return ;
+ }
+
+ struct virtual_system_parameter *vsys_para=(struct virtual_system_parameter *)(*ad);
+ if(vsys_para->security_settings)
+ {
+ FREE(vsys_para->security_settings);
+ }
+
+ FREE((*ad));
+ *ad=NULL;
+}
+
+const struct virtual_system_parameter *scanner_maat_get_virtual_system_parameter(struct scanner_maat *cm_maat, int32_t t_vsys_id)
+{
+ return (struct virtual_system_parameter *)maat_plugin_table_get_ex_data(cm_maat->feather, cm_maat->plugin_table[CM_MAAT_PLUGIN_SESSION_OPTION].name, (const char *)&t_vsys_id, sizeof(t_vsys_id));
+}
+
+enum POLICY_OBJECT_OPTION object_statistics_option_convert(char *option)
+{
+ if(option==NULL)
+ {
+ return POLICY_OBJECT_OPTION_NONE;
+ }
+
+ if((strcasecmp(option, "none"))==0)
+ {
+ return POLICY_OBJECT_OPTION_NONE;
+ }
+ else if((strcasecmp(option, "brief"))==0)
+ {
+ return POLICY_OBJECT_OPTION_BRIEF;
+ }
+ else if((strcasecmp(option, "elaborate"))==0)
+ {
+ return POLICY_OBJECT_OPTION_ELABORATE;
+ }
+
+ return POLICY_OBJECT_OPTION_NONE;
+}
+
+void scanner_maat_exdata_policy_object_new(const char *table_name __attribute__((unused)), const char *key __attribute__((unused)), const char *table_line, void **ad, long argl __attribute__((unused)), void *argp __attribute__((unused)))
+{
+ yyjson_doc *doc=yyjson_read(table_line, strlen(table_line), 0);
+ if(doc==NULL)
+ {
+ return ;
+ }
+
+ yyjson_val *root=yyjson_doc_get_root(doc);
+ if(root==NULL)
+ {
+ goto ERROR;
+ }
+
+ char *option=NULL;
+ size_t option_sz=0;
+ yyjson_value_string_get0(root, "statistics_option", &option, &option_sz);
+ if(option==NULL || option_sz==0)
+ {
+ goto ERROR;
+ }
+
+ *ad=(void *)(long)object_statistics_option_convert(option);
+
+ERROR:
+ yyjson_doc_free(doc);
+}
+
+void scanner_maat_exdata_policy_object_dup(const char *table_name __attribute__((unused)), void **to, void **from, long argl __attribute__((unused)), void *argp __attribute__((unused)))
+{
+ *to=*from;
+}
+
+void scanner_maat_exdata_policy_object_free(const char *table_name __attribute__((unused)), void **ad, long argl __attribute__((unused)), void *argp __attribute__((unused)))
+{
+ *ad=NULL;
+}
+
+enum POLICY_OBJECT_OPTION scanner_maat_get_policy_object_option(struct scanner_maat *cm_maat, uuid_t object_uuid)
+{
+ void *option=maat_plugin_table_get_ex_data(cm_maat->feather, cm_maat->plugin_table[CM_MAAT_PLUGIN_POLICY_OBJECT].name, (const char *)object_uuid, sizeof(uuid_t));
+ return ((option!=NULL) ? ((enum POLICY_OBJECT_OPTION)((long)option)) : POLICY_OBJECT_OPTION_DISABLE);
+}
+
+enum LIBRARY_TAG_CATEGORY library_tag_category_convert(char *category_str)
+{
+ if(category_str==NULL)
+ {
+ return LIBRARY_TAG_CATEGORY_NONE;
+ }
+
+ struct category_string2type category[LIBRARY_TAG_CATEGORY_MAX]={
+ {LIBRARY_TAG_CATEGORY_NONE, 0, NULL},
+ {LIBRARY_TAG_CATEGORY_GEOIP_CITY, 10, (char *)"geoip_city"},
+ {LIBRARY_TAG_CATEGORY_GEOIP_COUNTRY, 13, (char *)"geoip_country"},
+ {LIBRARY_TAG_CATEGORY_GEOIP_ASN, 9, (char *)"geoip_asn"},
+ {LIBRARY_TAG_CATEGORY_WEBSITE_CLASSIFICATION, 22, (char *)"website_classification"},
+ {LIBRARY_TAG_CATEGORY_INTERNET_SERVICE, 16, (char *)"internet_service"},
+ {LIBRARY_TAG_CATEGORY_SECURITY_THREAT, 15, (char *)"security_threat"},
+ {LIBRARY_TAG_CATEGORY_COMPLIANCE_RISK, 15, (char *)"compliance_risk"}
+ };
+
+ for(int i=0; i<LIBRARY_TAG_CATEGORY_MAX; i++)
+ {
+ if(category[i].string_sz==0 || strlen(category_str)!=category[i].string_sz)
+ {
+ continue;
+ }
+
+ if((strncasecmp(category_str, category[i].string, category[i].string_sz))==0)
+ {
+ return category[i].type;
+ }
+ }
+
+ return LIBRARY_TAG_CATEGORY_NONE;
+}
+
+void scanner_maat_exdata_library_tag_dup(const char *table_name __attribute__((unused)), void **to, void **from, long argl __attribute__((unused)), void *argp __attribute__((unused)))
+{
+ *to=*from;
+}
+
+void scanner_maat_exdata_library_tag_new(const char *table_name __attribute__((unused)), const char *key __attribute__((unused)), const char *table_line, void **ad, long argl __attribute__((unused)), void *argp __attribute__((unused)))
+{
+ yyjson_doc *doc=yyjson_read(table_line, strlen(table_line), 0);
+ if(doc==NULL)
+ {
+ return ;
+ }
+
+ yyjson_val *root=yyjson_doc_get_root(doc);
+ if(root==NULL)
+ {
+ goto ERROR;
+ }
+
+ struct plugin_library_tag *tag=(struct plugin_library_tag *)CALLOC(struct plugin_library_tag, 1);
+
+ char *option=NULL;
+ size_t option_sz=0;
+ yyjson_value_string_get0(root, "statistics_option", &option, &option_sz);
+ tag->object_option=object_statistics_option_convert(option);
+
+ char *category=NULL;
+ size_t category_sz=0;
+ yyjson_value_string_get0(root, "category", &category, &category_sz);
+ tag->category=library_tag_category_convert(category);
+
+ size_t key_sz=0;
+ yyjson_value_string_get1(root, "tag_key", &(tag->key), &key_sz);
+ size_t value_sz=0;
+ yyjson_value_string_get1(root, "tag_value", &(tag->value), &value_sz);
+
+ (*ad)=(void *)tag;
+
+ERROR:
+ yyjson_doc_free(doc);
+}
+
+void scanner_maat_exdata_library_tag_free(const char *table_name __attribute__((unused)), void **ad, long argl __attribute__((unused)), void *argp __attribute__((unused)))
+{
+ if((*ad)==NULL)
+ {
+ return ;
+ }
+
+ struct plugin_library_tag *tag=(struct plugin_library_tag *)(*ad);
+ if(tag->key!=NULL) { FREE(tag->key); }
+ if(tag->value!=NULL) { FREE(tag->value); }
+ FREE((*ad));
+ *ad=NULL;
+}
+
+const struct plugin_library_tag *scanner_maat_get_library_tag(struct scanner_maat *cm_maat, uuid_t tag_uuid)
+{
+ return (struct plugin_library_tag *)maat_plugin_table_get_ex_data(cm_maat->feather, cm_maat->plugin_table[CM_MAAT_PLUGIN_LIBRARY_TAG].name, (const char *)tag_uuid, sizeof(uuid_t));
+}
+
+void scanner_maat_exdata_ipaddr_entry_dup(const char *table_name __attribute__((unused)), void **to, void **from, long argl __attribute__((unused)), void *argp __attribute__((unused)))
+{
+ *to=*from;
+}
+
+void scanner_maat_exdata_ipaddr_entry_new(const char *table_name __attribute__((unused)), const char *key __attribute__((unused)), const char *table_line, void **ad, long argl __attribute__((unused)), void *argp __attribute__((unused)))
+{
+ yyjson_doc *doc=yyjson_read(table_line, strlen(table_line), 0);
+ if(doc==NULL)
+ {
+ return ;
+ }
+
+ yyjson_val *root=yyjson_doc_get_root(doc);
+ if(root==NULL)
+ {
+ goto ERROR;
+ }
+
+ yyjson_val *tag_uuids=yyjson_obj_get(root, "tag_uuids");
+ if(tag_uuids==NULL)
+ {
+ goto ERROR;
+ }
+
+ size_t n_tag_uuids=yyjson_arr_size(tag_uuids);
+ struct plugin_entry *ipaddr_entry=(struct plugin_entry *)CALLOC(struct plugin_entry, 1);
+ ipaddr_entry->n_tag_uuids=n_tag_uuids;
+ ipaddr_entry->tag_uuids=(uuid_t *)CALLOC(uuid_t, n_tag_uuids);
+
+ for(size_t i=0; i<n_tag_uuids; i++)
+ {
+ yyjson_val *one_tag=yyjson_arr_get(tag_uuids, i);
+ if(one_tag==NULL)
+ {
+ continue;
+ }
+
+ char *uuid_str=(char *)yyjson_get_str(one_tag);
+ uuid_parse(uuid_str, ipaddr_entry->tag_uuids[i]);
+ }
+
+ (*ad)=(void *)ipaddr_entry;
+
+ERROR:
+ yyjson_doc_free(doc);
+}
+
+void scanner_maat_exdata_ipaddr_entry_free(const char *table_name __attribute__((unused)), void **ad, long argl __attribute__((unused)), void *argp __attribute__((unused)))
+{
+ if((*ad)==NULL)
+ {
+ return ;
+ }
+
+ struct plugin_entry *ipaddr_entry=(struct plugin_entry *)(*ad);
+ if(ipaddr_entry->tag_uuids!=NULL) { FREE(ipaddr_entry->tag_uuids); }
+ FREE((*ad));
+ *ad=NULL;
+}
+
+int scanner_maat_get0_data_ipaddr_entry(struct scanner_maat *cm_maat, struct ip_addr *ip_addr, struct plugin_entry **exdata, size_t n_exdata)
+{
+ return maat_ip_plugin_table_get_ex_data(cm_maat->feather, cm_maat->plugin_table[CM_MAAT_PLUGIN_IP_ADDR_ENTRY].name, ip_addr, (void **)exdata, n_exdata);
+}
+
+void scanner_maat_exdata_fqdn_entry_dup(const char *table_name __attribute__((unused)), void **to, void **from, long argl __attribute__((unused)), void *argp __attribute__((unused)))
+{
+ *to=*from;
+}
+
+void scanner_maat_exdata_fqdn_entry_new(const char *table_name __attribute__((unused)), const char *key __attribute__((unused)), const char *table_line, void **ad, long argl __attribute__((unused)), void *argp __attribute__((unused)))
+{
+ yyjson_doc *doc=yyjson_read(table_line, strlen(table_line), 0);
+ if(doc==NULL)
+ {
+ return ;
+ }
+
+ yyjson_val *root=yyjson_doc_get_root(doc);
+ if(root==NULL)
+ {
+ goto ERROR;
+ }
+
+ yyjson_val *tag_uuids=yyjson_obj_get(root, "tag_uuids");
+ if(tag_uuids==NULL)
+ {
+ goto ERROR;
+ }
+
+ size_t n_tag_uuids=yyjson_arr_size(tag_uuids);
+ struct plugin_entry *fqdn_entry=(struct plugin_entry *)CALLOC(struct plugin_entry, 1);
+ fqdn_entry->n_tag_uuids=n_tag_uuids;
+ fqdn_entry->tag_uuids=(uuid_t *)CALLOC(uuid_t, n_tag_uuids);
+
+ for(size_t i=0; i<n_tag_uuids; i++)
+ {
+ yyjson_val *one_tag=yyjson_arr_get(tag_uuids, i);
+ if(one_tag==NULL)
+ {
+ continue;
+ }
+
+ char *uuid_str=(char *)yyjson_get_str(one_tag);
+ uuid_parse(uuid_str, fqdn_entry->tag_uuids[i]);
+ }
+
+ (*ad)=(void *)fqdn_entry;
+
+ERROR:
+ yyjson_doc_free(doc);
+}
+
+void scanner_maat_exdata_fqdn_entry_free(const char *table_name __attribute__((unused)), void **ad, long argl __attribute__((unused)), void *argp __attribute__((unused)))
+{
+ if((*ad)==NULL)
+ {
+ return ;
+ }
+
+ struct plugin_entry *fqdn_entry=(struct plugin_entry *)(*ad);
+ if(fqdn_entry->tag_uuids!=NULL) { FREE(fqdn_entry->tag_uuids); }
+ FREE((*ad));
+ *ad=NULL;
+}
+
+int scanner_maat_get0_fqdn_entry(struct scanner_maat *cm_maat, char *server_fqdn, struct plugin_entry **exdata, size_t n_exdata)
+{
+ return maat_fqdn_plugin_table_get_ex_data(cm_maat->feather, cm_maat->plugin_table[CM_MAAT_PLUGIN_FQDN_ENTRY].name, server_fqdn, (void **)exdata, n_exdata);
+}
+
+void mobile_identify_parse(yyjson_val *mobile_identify, struct user_identification *uid, const char *table_name __attribute__((unused)))
+{
+ if(uid==NULL || mobile_identify==NULL || yyjson_get_type(mobile_identify)!=YYJSON_TYPE_OBJ)
+ {
+ return ;
+ }
+
+ uid->ue=(struct user_equipment *)CALLOC(struct user_equipment, 1);
+ size_t imei_sz=0;
+ yyjson_value_string_get1(mobile_identify, "imei", &(uid->ue->imei), &imei_sz);
+ size_t imsi_sz=0;
+ yyjson_value_string_get1(mobile_identify, "imsi", &(uid->ue->imsi), &imsi_sz);
+ size_t msisdn_sz=0;
+ yyjson_value_string_get1(mobile_identify, "phone_number", &(uid->ue->msisdn), &msisdn_sz);
+ size_t apn_sz=0;
+ yyjson_value_string_get1(mobile_identify, "apn", &(uid->ue->apn), &apn_sz);
+
+ if(uid->ue->imei==NULL && uid->ue->imsi==NULL && uid->ue->msisdn==NULL && uid->ue->apn==NULL)
+ {
+ FREE(uid->ue);
+ uid->ue=NULL;
+ }
+}
+
+void user_identification_free(struct user_identification *uid, const char *table_name __attribute__((unused)))
+{
+ if(uid==NULL)
+ {
+ return ;
+ }
+
+ if(uid->subscriber.subscriber_id!=NULL)
+ {
+ FREE(uid->subscriber.subscriber_id);
+ }
+
+ if(uid->ue!=NULL)
+ {
+ if(uid->ue->imsi!=NULL) { FREE(uid->ue->imsi); }
+ if(uid->ue->msisdn!=NULL) { FREE(uid->ue->msisdn); }
+ if(uid->ue->apn!=NULL) { FREE(uid->ue->apn); }
+ if(uid->ue->imei!=NULL) { FREE(uid->ue->imei); }
+ FREE(uid->ue);
+ }
+
+ FREE(uid);
+}
+
+void scanner_maat_exdata_user_equipment_new(const char *table_name __attribute__((unused)), const char *key __attribute__((unused)), const char *table_line, void **ad, long argl __attribute__((unused)), void *argp __attribute__((unused)))
+{
+ yyjson_doc *doc=yyjson_read(table_line, strlen(table_line), 0);
+ if(doc==NULL)
+ {
+ return ;
+ }
+
+ yyjson_val *root=yyjson_doc_get_root(doc);
+ if(root==NULL)
+ {
+ goto ERROR;
+ }
+
+ yyjson_val *mobile_identify=yyjson_obj_get(root, "mobile_identify");
+ if(mobile_identify==NULL)
+ {
+ goto ERROR;
+ }
+
+ struct user_identification *uid=(struct user_identification *)CALLOC(struct user_identification, 1);
+ mobile_identify_parse(mobile_identify, uid, table_name);
+ if(uid->ue==NULL)
+ {
+ FREE(uid);
+ goto ERROR;
+ }
+
+ __sync_add_and_fetch(&uid->ref_cnt, 1);
+ *ad=(void *)uid;
+
+ERROR:
+ yyjson_doc_free(doc);
+}
+
+void scanner_maat_get_user_identification_by_teid(struct scanner_maat *sd_maat, uint32_t teid, struct user_identification **uid)
+{
+ (*uid)=(struct user_identification *)maat_plugin_table_get_ex_data(sd_maat->feather, sd_maat->plugin_table[SD_MAAT_PLUGIN_GTP_IP2SIGNALING].name, (const char *)&teid, sizeof(teid));
+}
+
+void scanner_maat_exdata_dynamic_ipport_mapping_new(const char *table_name __attribute__((unused)), const char *key __attribute__((unused)), const char *table_line, void **ad, long argl __attribute__((unused)), void *argp __attribute__((unused)))
+{
+ yyjson_doc *doc=yyjson_read(table_line, strlen(table_line), 0);
+ if(doc==NULL)
+ {
+ return ;
+ }
+
+ yyjson_val *root=yyjson_doc_get_root(doc);
+ if(root==NULL)
+ {
+ goto ERROR;
+ }
+
+ struct user_identification *uid=(struct user_identification *)CALLOC(struct user_identification, 1);
+ size_t subscriber_id_sz=0;
+ yyjson_value_string_get1(root, "subscriber_id", &(uid->subscriber.subscriber_id), &subscriber_id_sz);
+ yyjson_val *mobile_identify=yyjson_obj_get(root, "mobile_identify");
+ mobile_identify_parse(mobile_identify, uid, table_name);
+ if(uid->ue==NULL && uid->subscriber.subscriber_id==NULL)
+ {
+ FREE(uid);
+ goto ERROR;
+ }
+
+ __sync_add_and_fetch(&uid->ref_cnt, 1);
+ *ad=(void *)uid;
+
+ERROR:
+ yyjson_doc_free(doc);
+}
+
+void scanner_maat_get_user_identification_by_ipport(struct scanner_maat *sd_maat, struct ip_addr *net_addr, uint16_t net_port, struct user_identification **uid_array, size_t n_uid)
+{
+ maat_ipport_plugin_table_get_ex_data(sd_maat->feather, sd_maat->plugin_table[SD_MAAT_PLUGIN_DYNAMIC_IPPORT_MAPPING].name, net_addr, net_port, (void **)uid_array, n_uid);
+}
+
+void scanner_maat_exdata_user_identification_dup(const char *table_name __attribute__((unused)), void **to, void **from, long argl __attribute__((unused)), void *argp __attribute__((unused)))
+{
+ if((*from)!=NULL)
+ {
+ struct user_identification *uid=(struct user_identification *)(*from);
+ __sync_add_and_fetch(&uid->ref_cnt, 1);
+ *to=*from;
+ }
+}
+
+void scanner_maat_exdata_user_identification_free(const char *table_name __attribute__((unused)), void **ad, long argl __attribute__((unused)), void *argp __attribute__((unused)))
+{
+ if((*ad)==NULL)
+ {
+ return ;
+ }
+
+ struct user_identification *uid=(struct user_identification *)(*ad);
+ if((__sync_sub_and_fetch(&uid->ref_cnt, 1) == 0))
+ {
+ user_identification_free(uid, table_name);
+ (*ad)=NULL;
+ }
+}
+
+void plugin_ex_data_user_identification_free(struct scanner_maat *sd_maat, struct user_identification *uid)
+{
+ scanner_maat_exdata_user_identification_free(sd_maat->plugin_table[SD_MAAT_PLUGIN_DYNAMIC_IPPORT_MAPPING].name, (void **)&uid, 0, NULL);
+}
+
+void scanner_maat_exdata_attribute_dict_new(const char *table_name __attribute__((unused)), const char *key __attribute__((unused)), const char *table_line, void **ad, long argl __attribute__((unused)), void *argp __attribute__((unused)))
+{
+ yyjson_doc *doc=yyjson_read(table_line, strlen(table_line), 0);
+ if(doc==NULL)
+ {
+ return ;
+ }
+
+ yyjson_val *root=yyjson_doc_get_root(doc);
+ if(root==NULL)
+ {
+ goto ERROR;
+ }
+
+ struct attribute_dict *dict=(struct attribute_dict *)CALLOC(struct attribute_dict, 1);
+ size_t object_table_name_sz=0;
+ yyjson_value_string_get1(root, "object_table_name", &(dict->object_table_name), &object_table_name_sz);
+ size_t available_object_type_sz=0;
+ yyjson_value_string_get1(root, "available_object_type", &(dict->available_object_type), &available_object_type_sz);
+
+ *ad=(void *)dict;
+
+ERROR:
+ yyjson_doc_free(doc);
+}
+
+void scanner_maat_exdata_attribute_dict_dup(const char *table_name __attribute__((unused)), void **to, void **from, long argl __attribute__((unused)), void *argp __attribute__((unused)))
+{
+ *to=*from;
+}
+
+void scanner_maat_exdata_attribute_dict_free(const char *table_name __attribute__((unused)), void **ad, long argl __attribute__((unused)), void *argp __attribute__((unused)))
+{
+ if((*ad)==NULL)
+ {
+ return ;
+ }
+
+ struct attribute_dict *dict=(struct attribute_dict *)(*ad);
+ if(dict->object_table_name!=NULL) { FREE(dict->object_table_name); }
+ if(dict->available_object_type!=NULL) { FREE(dict->available_object_type); }
+ FREE((*ad));
+ *ad=NULL;
+}
+
+const char *scanner_maat_get_object_type(struct scanner_maat *cm_maat, const char *attribue_name)
+{
+ size_t attribute_name_sz=((attribue_name!=NULL) ? strlen(attribue_name) : 0);
+ struct attribute_dict *dict=(struct attribute_dict *)maat_plugin_table_get_ex_data(cm_maat->feather, cm_maat->plugin_table[CM_MAAT_PLUGIN_ATTRIBUTE_DICT].name, attribue_name, attribute_name_sz);
+ return ((dict!=NULL) ? dict->available_object_type : NULL);
+}
+
+const char *scanner_maat_get_object_table_name(struct scanner_maat *cm_maat, const char *attribue_name)
+{
+ size_t attribute_name_sz=((attribue_name!=NULL) ? strlen(attribue_name) : 0);
+ struct attribute_dict *dict=(struct attribute_dict *)maat_plugin_table_get_ex_data(cm_maat->feather, cm_maat->plugin_table[CM_MAAT_PLUGIN_ATTRIBUTE_DICT].name, attribue_name, attribute_name_sz);
+ return ((dict!=NULL) ? dict->object_table_name : NULL);
+}
+
+struct maat_plugin_table *scaner_maat_cm_plugin_new(struct scanner_maat *cm_maat)
+{
+ struct maat_plugin_table *plugin_table=(struct maat_plugin_table *)CALLOC(struct maat_plugin_table, CM_MAAT_PLUGIN_MAX);
+
+ plugin_table[CM_MAAT_PLUGIN_APP_ID_DICT]=(struct maat_plugin_table){
+ .name="APP_ID_DICT",
+ .ex_new=scanner_maat_exdata_app_id_dict_new,
+ .ex_free=scanner_maat_exdata_app_id_dict_free,
+ .ex_dup=scanner_maat_exdata_app_id_dict_dup
+ };
+ plugin_table[CM_MAAT_PLUGIN_SESSION_OPTION]=(struct maat_plugin_table){
+ .name="T_VSYS_INFO",
+ .ex_new=scanner_maat_virtual_system_parameter_new,
+ .ex_free=scanner_maat_virtual_system_parameter_free,
+ .ex_dup=scanner_maat_virtual_system_parameter_dup
+ };
+ plugin_table[CM_MAAT_PLUGIN_POLICY_OBJECT]=(struct maat_plugin_table){
+ .name="POLICY_OBJECT",
+ .ex_new=scanner_maat_exdata_policy_object_new,
+ .ex_free=scanner_maat_exdata_policy_object_free,
+ .ex_dup=scanner_maat_exdata_policy_object_dup
+ };
+ plugin_table[CM_MAAT_PLUGIN_LIBRARY_TAG]=(struct maat_plugin_table){
+ .name="LIBRARY_TAG",
+ .ex_new=scanner_maat_exdata_library_tag_new,
+ .ex_free=scanner_maat_exdata_library_tag_free,
+ .ex_dup=scanner_maat_exdata_library_tag_dup
+ };
+ plugin_table[CM_MAAT_PLUGIN_IP_ADDR_ENTRY]=(struct maat_plugin_table){
+ .name="IP_ADDR_ENTRY",
+ .ex_new=scanner_maat_exdata_ipaddr_entry_new,
+ .ex_free=scanner_maat_exdata_ipaddr_entry_free,
+ .ex_dup=scanner_maat_exdata_ipaddr_entry_dup
+ };
+ plugin_table[CM_MAAT_PLUGIN_FQDN_ENTRY]=(struct maat_plugin_table){
+ .name="FQDN_ENTRY",
+ .ex_new=scanner_maat_exdata_fqdn_entry_new,
+ .ex_free=scanner_maat_exdata_fqdn_entry_free,
+ .ex_dup=scanner_maat_exdata_fqdn_entry_dup
+ };
+ plugin_table[CM_MAAT_PLUGIN_ATTRIBUTE_DICT]=(struct maat_plugin_table){
+ .name="ATTRIBUTE_DICT",
+ .ex_new=scanner_maat_exdata_attribute_dict_new,
+ .ex_free=scanner_maat_exdata_attribute_dict_free,
+ .ex_dup=scanner_maat_exdata_attribute_dict_dup
+ };
+
+ for(int i=0; i<CM_MAAT_PLUGIN_MAX; i++)
+ {
+ int ret=maat_plugin_table_ex_schema_register(cm_maat->feather, plugin_table[i].name, plugin_table[i].ex_new, plugin_table[i].ex_free, plugin_table[i].ex_dup, 0, NULL);
+ if(ret<0)
+ {
+ STELLAR_LOG_FATAL(cm_maat->logger, SCANNER_MODULE_NAME, "maat_plugin_table_ex_schema_register failed, table_name: %s", plugin_table[i].name);
+ return NULL;
+ }
+ }
+
+ return plugin_table;
+}
+
+struct maat_plugin_table *scaner_maat_sd_plugin_new(struct scanner_maat *sd_maat)
+{
+ struct maat_plugin_table *plugin_table=(struct maat_plugin_table *)CALLOC(struct maat_plugin_table, SD_MAAT_PLUGIN_MAX);
+
+ plugin_table[SD_MAAT_PLUGIN_GTP_IP2SIGNALING]=(struct maat_plugin_table){
+ .name="GTP_IP2SIGNALING",
+ .ex_new=scanner_maat_exdata_user_equipment_new,
+ .ex_free=scanner_maat_exdata_user_identification_free,
+ .ex_dup=scanner_maat_exdata_user_identification_dup
+ };
+
+ plugin_table[SD_MAAT_PLUGIN_DYNAMIC_IPPORT_MAPPING]=(struct maat_plugin_table){
+ .name="DYNAMIC_IPPORT_MAPPING",
+ .ex_new=scanner_maat_exdata_dynamic_ipport_mapping_new,
+ .ex_free=scanner_maat_exdata_user_identification_free,
+ .ex_dup=scanner_maat_exdata_user_identification_dup
+ };
+
+ for(int i=0; i<SD_MAAT_PLUGIN_MAX; i++)
+ {
+ int ret=maat_plugin_table_ex_schema_register(sd_maat->feather, plugin_table[i].name, plugin_table[i].ex_new, plugin_table[i].ex_free, plugin_table[i].ex_dup, 0, NULL);
+ if(ret<0)
+ {
+ STELLAR_LOG_FATAL(sd_maat->logger, SCANNER_MODULE_NAME, "maat_plugin_table_ex_schema_register failed, table_name: %s", plugin_table[i].name);
+ return NULL;
+ }
+ }
+
+ return plugin_table;
+}
+
+struct maat *scaner_maat_feather_new(struct maat_parameter *para, int max_thread_num, struct logger *logger)
+{
+ struct maat_options *opts=maat_options_new();
+ maat_options_set_logger(opts, para->log_path, (enum log_level)para->log_level);
+ maat_options_set_caller_thread_number(opts, max_thread_num);
+ maat_options_set_accept_tags(opts, para->device_tag);
+ maat_options_set_instance_name(opts, para->instance_name);
+ maat_options_set_foreign_cont_dir(opts, para->foreign_content_dir);
+ maat_options_set_stat_file(opts, para->stat_file);
+ maat_options_set_rule_update_checking_interval_ms(opts, para->rule_update_check_interval_ms);
+ maat_options_set_gc_timeout_ms(opts, para->garbage_collect_ms);
+
+ if(para->hit_object_enabled==true)
+ {
+ maat_options_set_hit_object_enabled(opts);
+ }
+
+ if(para->hit_path_enabled==true)
+ {
+ maat_options_set_hit_path_enabled(opts);
+ }
+
+ if(para->maat_stat_enabled==true)
+ {
+ maat_options_set_stat_on(opts);
+ }
+ if(para->perf_enabled==true)
+ {
+ maat_options_set_perf_on(opts);
+ }
+
+ if(para->deferred_load_enabled==true)
+ {
+ maat_options_set_deferred_load_on(opts);
+ }
+
+ if(strcmp(para->maat_mode, "json")==0)
+ {
+ maat_options_set_json_file(opts, para->json_config_path);
+ }
+ else if(strcmp(para->maat_mode, "redis")==0)
+ {
+ maat_options_set_redis(opts, para->redis_ip, (unsigned short)para->redis_port, para->redis_index);
+ }
+ else
+ {
+ STELLAR_LOG_FATAL(logger, SCANNER_MODULE_NAME, "Unknown maat mode: %s, check maat_mode in [redis/json/local]", para->maat_mode);
+ }
+
+ struct maat *maat_handle=maat_new(opts, para->table_info);
+ maat_options_free(opts);
+
+ if(maat_handle==NULL)
+ {
+ STELLAR_LOG_FATAL(logger, SCANNER_MODULE_NAME, "maat_new failed, instance_name: %s, tableinfo: %s", para->instance_name, para->table_info);
+ }
+
+ return maat_handle;
+}
+
+void scanner_maat_parameter_get(struct logger *logger, const char *toml_path, const char *table_key, struct maat_parameter *para)
+{
+ // bool stat_enabled
+ toml_bool_get(logger, toml_path, table_key, "stat_enabled", &(para->stat_enabled));
+ toml_bool_get(logger, toml_path, table_key, "perf_enabled", &(para->perf_enabled));
+ toml_bool_get(logger, toml_path, table_key, "hit_path_enabled", &(para->hit_path_enabled));
+ toml_bool_get(logger, toml_path, table_key, "hit_object_enabled", &(para->hit_object_enabled));
+ toml_bool_get(logger, toml_path, table_key, "maat_stat_enabled", &(para->maat_stat_enabled));
+ toml_bool_get(logger, toml_path, table_key, "deferred_load_enabled", &(para->deferred_load_enabled));
+
+ // fill maat_parameter using maat_table
+ toml_int_get(logger, toml_path, table_key, "effctive_interval_ms", &(para->effctive_interval_ms));
+ toml_int_get(logger, toml_path, table_key, "garbage_collect_ms", &(para->garbage_collect_ms));
+ toml_int_get(logger, toml_path, table_key, "rule_update_check_interval_ms", &(para->rule_update_check_interval_ms));
+ toml_int_get(logger, toml_path, table_key, "redis_port", &(para->redis_port));
+ toml_int_get(logger, toml_path, table_key, "redis_index", &(para->redis_index));
+ toml_int_get(logger, toml_path, table_key, "log_level", &(para->log_level));
+
+ toml_string_get(logger, toml_path, table_key, "log_path", para->log_path, sizeof(para->log_path));
+ toml_string_get(logger, toml_path, table_key, "redis_ip", para->redis_ip, sizeof(para->redis_ip));
+ toml_string_get(logger, toml_path, table_key, "maat_mode", para->maat_mode, sizeof(para->maat_mode));
+ toml_string_get(logger, toml_path, table_key, "table_info", para->table_info, sizeof(para->table_info));
+ toml_string_get(logger, toml_path, table_key, "stat_file", para->stat_file, sizeof(para->stat_file));
+ toml_string_get(logger, toml_path, table_key, "instance_name", para->instance_name, sizeof(para->instance_name));
+ toml_string_get(logger, toml_path, table_key, "json_config_path", para->json_config_path, sizeof(para->json_config_path));
+ toml_string_get(logger, toml_path, table_key, "foreign_content_dir", para->foreign_content_dir, sizeof(para->foreign_content_dir));
+
+ toml_string_get(logger, toml_path, "scanner", "device_tag", para->device_tag, sizeof(para->device_tag));
+}
+
+void scanner_maat_free(struct scanner_maat *cm_maat)
+{
+ if(cm_maat==NULL)
+ {
+ return ;
+ }
+
+ if(cm_maat->feather!=NULL) { maat_free(cm_maat->feather); }
+ if(cm_maat->plugin_table!=NULL) { FREE(cm_maat->plugin_table); }
+
+ FREE(cm_maat);
+}
+
+void scanner_cm_maat_free(struct scanner_maat *cm_maat)
+{
+ scanner_maat_free(cm_maat);
+}
+
+void scanner_sd_maat_free(struct scanner_maat *sd_maat)
+{
+ scanner_maat_free(sd_maat);
+}
+
+struct scanner_maat *scanner_cm_maat_new(struct logger *logger, const char *toml_path, int max_thread_num)
+{
+ struct scanner_maat *cm_maat=(struct scanner_maat *)CALLOC(struct scanner_maat, 1);
+ if(cm_maat==NULL)
+ {
+ STELLAR_LOG_FATAL(logger, SCANNER_MODULE_NAME, "Failed to allocate memory for scanner_maat");
+ return NULL;
+ }
+
+ cm_maat->logger=logger;
+
+ scanner_maat_parameter_get(logger, toml_path, "cm_static_maat", &(cm_maat->parameter));
+ cm_maat->feather=scaner_maat_feather_new(&(cm_maat->parameter), max_thread_num, cm_maat->logger);
+ if(cm_maat->feather==NULL)
+ {
+ STELLAR_LOG_FATAL(cm_maat->logger, SCANNER_MODULE_NAME, "Failed to create cm maat instance");
+ return NULL;
+ }
+
+ cm_maat->plugin_table=scaner_maat_cm_plugin_new(cm_maat);
+
+ return cm_maat;
+}
+
+struct scanner_maat *scanner_sd_maat_new(struct logger *logger, const char *toml_path, int max_thread_num)
+{
+ struct scanner_maat *sd_maat=(struct scanner_maat *)CALLOC(struct scanner_maat, 1);
+ if(sd_maat==NULL)
+ {
+ STELLAR_LOG_FATAL(logger, SCANNER_MODULE_NAME, "Failed to allocate memory for scanner_maat");
+ return NULL;
+ }
+
+ sd_maat->logger=logger;
+
+ scanner_maat_parameter_get(logger, toml_path, "sd_dynamic_maat", &(sd_maat->parameter));
+ sd_maat->feather=scaner_maat_feather_new(&(sd_maat->parameter), max_thread_num, sd_maat->logger);
+ if(sd_maat->feather==NULL)
+ {
+ STELLAR_LOG_FATAL(sd_maat->logger, SCANNER_MODULE_NAME, "Failed to create sd maat instance");
+ return NULL;
+ }
+
+ sd_maat->plugin_table=scaner_maat_sd_plugin_new(sd_maat);
+
+ return sd_maat;
+}
\ No newline at end of file
diff --git a/scanner/scanner_maat.h b/scanner/scanner_maat.h
new file mode 100644
index 0000000..4bfc568
--- /dev/null
+++ b/scanner/scanner_maat.h
@@ -0,0 +1,122 @@
+#pragma once
+
+#include <uuid/uuid.h>
+#include <stellar/scanner.h>
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+struct scanner_maat;
+
+/* cm maat api */
+void scanner_cm_maat_free(struct scanner_maat *cm_maat);
+struct scanner_maat *scanner_cm_maat_new(struct logger *logger, const char *toml_path, int max_thread_num);
+
+enum POLICY_OBJECT_OPTION
+{
+ POLICY_OBJECT_OPTION_DISABLE=1,
+ POLICY_OBJECT_OPTION_NONE,
+ POLICY_OBJECT_OPTION_BRIEF,
+ POLICY_OBJECT_OPTION_ELABORATE
+};
+
+enum POLICY_OBJECT_OPTION scanner_maat_get_policy_object_option(struct scanner_maat *cm_maat, uuid_t object_uuid);
+
+enum LIBRARY_TAG_CATEGORY
+{
+ LIBRARY_TAG_CATEGORY_NONE=0,
+ LIBRARY_TAG_CATEGORY_GEOIP_CITY,
+ LIBRARY_TAG_CATEGORY_GEOIP_COUNTRY,
+ LIBRARY_TAG_CATEGORY_GEOIP_ASN,
+ LIBRARY_TAG_CATEGORY_WEBSITE_CLASSIFICATION,
+ LIBRARY_TAG_CATEGORY_INTERNET_SERVICE,
+ LIBRARY_TAG_CATEGORY_SECURITY_THREAT,
+ LIBRARY_TAG_CATEGORY_COMPLIANCE_RISK,
+ LIBRARY_TAG_CATEGORY_MAX
+};
+
+#define MAX_TAG_IDS_NUM 256
+struct plugin_library_tag
+{
+ char *key;
+ char *value;
+ enum LIBRARY_TAG_CATEGORY category;
+ enum POLICY_OBJECT_OPTION object_option;
+};
+const struct plugin_library_tag *scanner_maat_get_library_tag(struct scanner_maat *cm_maat, uuid_t tag_uuid);
+
+struct plugin_entry
+{
+ size_t n_tag_uuids;
+ uuid_t *tag_uuids;
+};
+
+int scanner_maat_get0_fqdn_entry(struct scanner_maat *cm_maat, char *server_fqdn, struct plugin_entry **exdata, size_t n_exdata);
+int scanner_maat_get0_data_ipaddr_entry(struct scanner_maat *cm_maat, struct ip_addr *ip_addr, struct plugin_entry **exdata, size_t n_exdata);
+
+struct virtual_system_parameter
+{
+ int record_enabled;
+ int limited_min_pkts;
+ char *security_settings;
+};
+
+const struct virtual_system_parameter *scanner_maat_get_virtual_system_parameter(struct scanner_maat *cm_maat, int32_t t_vsys_id);
+
+struct attribute_dict
+{
+ char *object_table_name;
+ char *available_object_type;
+};
+const char *scanner_maat_get_object_type(struct scanner_maat *cm_maat, const char *attribue_name);
+const char *scanner_maat_get_object_table_name(struct scanner_maat *cm_maat, const char *attribue_name);
+
+struct app_id_dict
+{
+ int32_t app_id;
+ int32_t tcp_timeout;
+ int32_t udp_timeout;
+ size_t app_name_sz;
+ size_t category_sz;
+ size_t content_sz;
+ char *app_name;
+ char *category;
+ char *content;
+ uuid_t object_uuid;
+ char *action_parameter;
+};
+
+const struct app_id_dict *scanner_maat_get_app_id_dict(struct scanner_maat *cm_maat, int32_t appid);
+
+/* sd maat api */
+void scanner_sd_maat_free(struct scanner_maat *cm_maat);
+struct scanner_maat *scanner_sd_maat_new(struct logger *logger, const char *toml_path, int max_thread_num);
+
+struct user_equipment
+{
+ char *apn;
+ char *imsi;
+ char *imei;
+ char *msisdn; //MSISDN: phone number
+};
+
+struct subscriber_id
+{
+ char *subscriber_id;
+};
+
+struct user_identification
+{
+ int ref_cnt;
+ struct user_equipment *ue;
+ struct subscriber_id subscriber;
+};
+
+void scanner_maat_get_user_identification_by_teid(struct scanner_maat *sd_maat, uint32_t teid, struct user_identification **uid);
+void scanner_maat_get_user_identification_by_ipport(struct scanner_maat *sd_maat, struct ip_addr *net_addr, uint16_t net_port, struct user_identification **uid_array, size_t n_uid);
+
+#ifdef __cplusplus
+}
+#endif
\ No newline at end of file
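Review bot: The two `scanner_maat_get_user_identification_by_*` getters at the end of this header return `struct user_identification` pointers that carry a `ref_cnt`, but the header declares nothing to release them. In scanner_maat.c the dup callback increments `ref_cnt` (presumably invoked by maat on lookup, which is not visible here) and `plugin_ex_data_user_identification_free()` performs the matching decrement. Unless that function is declared in another header, callers of this API cannot drop the reference and the entry is never freed. I would declare it here, `void plugin_ex_data_user_identification_free(struct scanner_maat *sd_maat, struct user_identification *uid);`, and add a comment above the getters along the lines of `/* returned entries hold a reference; release each one with plugin_ex_data_user_identification_free() */`.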
diff --git a/scanner/scanner_shared.h b/scanner/scanner_shared.h
new file mode 100644
index 0000000..30e5e6c
--- /dev/null
+++ b/scanner/scanner_shared.h
@@ -0,0 +1,69 @@
+#pragma once
+
+#include <stdint.h>
+#include <stddef.h>
+#include <stdbool.h>
+#include <uuid/uuid.h>
+
+#include <uthash/utarray.h>
+
+#include "attribute_schema.h"
+
+enum IP_PROTOCOL
+{
+ IP_PROTOCOL_UNKNOWN=0,
+ IP_PROTOCOL_ICMP=1,
+ IP_PROTOCOL_TCP,
+ IP_PROTOCOL_UDP,
+ IP_PROTOCOL_MAX
+};
+
+#define TUNNEL_LEVEL_NUM 8
+enum TUNNEL_TYPE
+{
+ TUNNEL_TYPE_GRE=1,
+ TUNNEL_TYPE_GTP,
+ TUNNEL_TYPE_GTPV2,
+ TUNNEL_TYPE_IP_IN_IP,
+ TUNNEL_TYPE_NONE,
+ TUNNEL_TYPE_MAX
+};
+
+int32_t scanner_get_default_app_id(struct scanner *scanner);
+uuid_t *scanner_get0_boolean_object_uuid(struct scanner *scanner, bool value);
+
+int32_t scanner_get_tunnel_app_id(struct scanner *scanner, enum TUNNEL_TYPE tunnel_type);
+uuid_t *scanner_get0_tunnel_level_object_uuid(struct scanner *scanner, int32_t tunnel_level);
+
+const char *scanner_get_rule_table_alias_name(struct scanner *scanner, enum RULE_TYPE type);
+
+void scanner_message_hit_rule_free(struct packet *rawpkt, void *msg, void *msg_free_arg);
+void scanner_message_hit_object_free(struct packet *rawpkt, void *msg, void *msg_free_arg);
+
+void scanner_print_debug_hit_object(struct scanner *scanner, const char *readable_addr, struct maat_hit_object *hit_object_list, size_t hit_object_num);
+void scanner_print_debug_hit_rule(struct scanner *scanner, const char *readable_addr, const char *tablename, uuid_t *rule_uuid_list, size_t rule_uuid_num);
+
+size_t scanner_get_matched_rule_uuid(UT_array *hitted_rules, uint32_t n_pre_hitted_rule, int32_t compile_table_id, uuid_t *rule_uuid_list, size_t rule_uuid_num);
+
+void ipaddr_convert_layer_to_maat_format(struct packet *rawpkt, struct ip_addr *c_net_addr, struct ip_addr *s_net_addr);
+
+enum ATTRIBUTE_SCHEMA scanner_ipport_tunnel_schema_idx_get(enum TUNNEL_TYPE tunnel_type);
+void ipport_attribute_fill(struct attribute_scratch *attr, size_t attr_max, size_t *attr_offset, struct session_addr *ss_addr, enum IP_ADDRESS ip_addr_type, enum IP_PROTOCOL ip_proto);
+
+void scanner_tunnel_object_get(struct attribute_scratch *attr, size_t attr_max, size_t *attr_offset, UT_array *hitted_rules, uint32_t n_pre_hitted_rule);
+void scanner_tunnel_gtp_attribute_get(struct attribute_scratch *attr, size_t attr_max, size_t *attr_offset, struct gtp_header *gtp_hdr);
+
+void scanner_get_application_userdefined_attribute(struct attribute_scratch *attr, size_t attr_max, size_t *attr_offset, struct userdefine_attribute *userdefined_attr, size_t n_userdefined_attr);
+
+size_t ipaddr_entry_tag_uuids_get( struct ip_addr *net_ipaddr, uint16_t net_port, uuid_t *tag_uuids, size_t n_tag_uuids);
+
+char *scanner_get1_ipaddr_entry_string(struct plugin_ipaddr_entry **ipaddr_exdata, size_t n_ipaddr_exdata, enum LIBRARY_TAG_CATEGORY category);
+
+void scanner_scan_not_logic_attribute(const char *readable_addr, struct attribute_schema *schema, struct maat *cm_maat, struct maat_state *scan_state, struct scanner_state *policy_state);
+void scanner_scan_object_attribute(const char *readable_addr, struct attribute_schema *schema, struct maat *cm_maat, struct maat_state *scan_state, struct maat_hit_object *objects, size_t n_object, struct scanner_state *policy_state);
+void scanner_scan_flag_attribute(const char *readable_addr, struct attribute_schema *schema, struct maat *cm_maat, struct maat_state *scan_state, uint64_t scan_flag, struct scanner_state *policy_state);
+void scanner_scan_integer_attribute(const char *readable_addr, struct attribute_schema *schema, struct maat *cm_maat, struct maat_state *scan_state, uint64_t scan_integer, struct scanner_state *policy_state);
+void scanner_scan_string_attribute(const char *readable_addr, struct attribute_schema *schema, struct maat *cm_maat, struct maat_state *scan_state, const char *scan_string, size_t scan_string_sz, struct scanner_state *policy_state);
+void scanner_scan_ipv4_attribute(const char *readable_addr, struct attribute_schema *schema, struct maat *cm_maat, struct maat_state *scan_state, uint32_t scan_ipv4, int32_t scan_port, struct scanner_state *policy_state);
+void scanner_scan_ipv6_attribute(const char *readable_addr, struct attribute_schema *schema, struct maat *cm_maat, struct maat_state *scan_state, uint8_t *scan_ipv6, int32_t scan_port, struct scanner_state *policy_state);
+void scanner_scan_stream_attribute(const char *readable_addr, struct attribute_schema *schema, struct maat *cm_maat, struct maat_state *scan_state, struct maat_stream **stream_handle, const char *scan_string, size_t scan_string_sz, struct scanner_state *policy_state);
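Review bot: Unlike scanner_maat.h and scanner_state.h in this commit, this header has no `extern "C"` guard, and it uses `enum LIBRARY_TAG_CATEGORY` (defined in scanner_maat.h) and `enum RULE_TYPE` while including only attribute_schema.h. If attribute_schema.h does not pull those definitions in, the prototypes depend on include order. A C++ translation unit that includes this header, such as the gtest files added alongside, would also see these functions with C++ linkage. I would add `#include "scanner_maat.h"` next to the existing project include and wrap the declarations in the same `#ifdef __cplusplus` / `extern "C" {` block the sibling headers use.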
diff --git a/scanner/scanner_state.c b/scanner/scanner_state.c
new file mode 100644
index 0000000..885fd0b
--- /dev/null
+++ b/scanner/scanner_state.c
@@ -0,0 +1,326 @@
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <uuid/uuid.h>
+
+#include "uthash/utarray.h"
+#include "stellar/utils.h"
+#include "scanner_state.h"
+
+#define SCANNER_STATE_MAGIC 0x12345678
+
+struct matched_rule
+{
+ uuid_t rule_uuid;
+ int matched_app_id;
+ enum RULE_TYPE type;
+};
+
+struct scanner_state
+{
+ int magic;
+ UT_array *curr_pkt_rule[RULE_TYPE_MAX];
+ UT_array *history_rule[RULE_TYPE_MAX];
+ UT_array *curr_pkt_object[HIT_OBJECT_ATTRIBUTE_TYPE_MAX];
+ UT_array *history_object[HIT_OBJECT_ATTRIBUTE_TYPE_MAX];
+};
+
+struct scanner_state *scanner_state_new(void)
+{
+ return ((struct scanner_state *)CALLOC(struct scanner_state, 1));
+}
+
+void scanner_state_free(struct scanner_state *state)
+{
+ if(state==NULL)
+ {
+ return;
+ }
+
+ for(unsigned i=0; i<RULE_TYPE_MAX; i++)
+ {
+ if(state->curr_pkt_rule[i]!=NULL)
+ {
+ utarray_free(state->curr_pkt_rule[i]);
+ }
+
+ if(state->history_rule[i]!=NULL)
+ {
+ utarray_free(state->history_rule[i]);
+ }
+ }
+
+ for(unsigned i=0; i<HIT_OBJECT_ATTRIBUTE_TYPE_MAX; i++)
+ {
+ if(state->curr_pkt_object[i]!=NULL)
+ {
+ utarray_free(state->curr_pkt_object[i]);
+ }
+
+ if(state->history_object[i]!=NULL)
+ {
+ utarray_free(state->history_object[i]);
+ }
+ }
+
+ FREE(state);
+}
+
+int scanner_state_get_security_policy_matched_appid(struct scanner_state *state, uuid_t rule_uuid)
+{
+ if(state==NULL || state->curr_pkt_rule[RULE_TYPE_SECURITY]==NULL || uuid_is_null(rule_uuid))
+ {
+ return -1;
+ }
+
+ for(unsigned i=0; i<utarray_len(state->curr_pkt_rule[RULE_TYPE_SECURITY]); i++)
+ {
+ struct matched_rule *p_rule=(struct matched_rule *)utarray_eltptr(state->curr_pkt_rule[RULE_TYPE_SECURITY], i);
+ if(p_rule==NULL)
+ {
+ continue;
+ }
+
+ if(uuid_compare(p_rule->rule_uuid, rule_uuid)==0)
+ {
+ return p_rule->matched_app_id;
+ }
+ }
+
+ return -1;
+}
+void scanner_state_set_current_rule_matched_appid(struct scanner_state *state, enum RULE_TYPE type, uuid_t rule_uuid, int appid)
+{
+ if(state==NULL || type>=RULE_TYPE_MAX || state->curr_pkt_rule[type]==NULL || uuid_is_null(rule_uuid))
+ {
+ return;
+ }
+
+ for(unsigned i=0; i<utarray_len(state->curr_pkt_rule[type]); i++)
+ {
+ struct matched_rule *p_rule=(struct matched_rule *)utarray_eltptr(state->curr_pkt_rule[type], i);
+ if(p_rule==NULL)
+ {
+ continue;
+ }
+
+ if(uuid_compare(p_rule->rule_uuid, rule_uuid)==0)
+ {
+ p_rule->matched_app_id=appid;
+ return;
+ }
+ }
+}
+
+static size_t rule_uuid_copy(UT_array *rule_array, uuid_t rule_uuids[], size_t n_rule_uuids)
+{
+ if(rule_array==NULL || n_rule_uuids==0)
+ {
+ return 0;
+ }
+
+ size_t n_rule=MIN(utarray_len(rule_array), n_rule_uuids);
+ for(unsigned i=0; i<n_rule; i++)
+ {
+ struct matched_rule *p_rule=(struct matched_rule *)utarray_eltptr(rule_array, i);
+ if(p_rule==NULL)
+ {
+ continue;
+ }
+
+ uuid_copy(rule_uuids[i], p_rule->rule_uuid);
+ }
+
+ return n_rule;
+}
+
+size_t scanner_state_get_history_rule_count(struct scanner_state *state, enum RULE_TYPE type)
+{
+ return ((state==NULL || state->history_rule[type]==NULL) ? 0 : utarray_len(state->history_rule[type]));
+}
+
+size_t scanner_state_get_history_rules(struct scanner_state *state, enum RULE_TYPE type, uuid_t rule_uuids[], size_t n_rule_uuids)
+{
+ return ((state==NULL) ? 0 : rule_uuid_copy(state->history_rule[type], rule_uuids, n_rule_uuids));
+}
+
+size_t scanner_state_get_current_packet_rule_count(struct scanner_state *state, enum RULE_TYPE type)
+{
+ return ((state==NULL || state->curr_pkt_rule[type]==NULL) ? 0 : utarray_len(state->curr_pkt_rule[type]));
+}
+
+size_t scanner_state_get_current_packet_rules(struct scanner_state *state, enum RULE_TYPE type, uuid_t rule_uuids[], size_t n_rule_uuids)
+{
+ return ((state==NULL) ? 0 : rule_uuid_copy(state->curr_pkt_rule[type], rule_uuids, n_rule_uuids));
+}
+
+static size_t hit_objects_copy(UT_array *object_array, struct maat_hit_object hit_objects[], size_t n_hit_objects)
+{
+ if(object_array==NULL || n_hit_objects==0)
+ {
+ return 0;
+ }
+
+ size_t n_hit_object=MIN(utarray_len(object_array), n_hit_objects);
+ for(unsigned i=0; i<n_hit_object; i++)
+ {
+ struct maat_hit_object *p_hit_object=(struct maat_hit_object *)utarray_eltptr(object_array, i);
+ if(p_hit_object==NULL)
+ {
+ continue;
+ }
+
+ memcpy(&hit_objects[i], p_hit_object, sizeof(struct maat_hit_object));
+ }
+
+ return n_hit_object;
+}
+
+/* object option is brief or elaborate */
+size_t scanner_state_get_history_object_count(struct scanner_state *state, enum HIT_OBJECT_ATTRIBUTE_TYPE type)
+{
+ return ((state==NULL || state->history_object[type]==NULL) ? 0 : utarray_len(state->history_object[type]));
+}
+
+size_t scanner_state_get_history_hit_objects(struct scanner_state *state, enum HIT_OBJECT_ATTRIBUTE_TYPE type, struct maat_hit_object hit_objects[], size_t n_hit_objects)
+{
+ return ((state==NULL || state->curr_pkt_object[type]==NULL) ? 0 : hit_objects_copy(state->curr_pkt_object[type], hit_objects, n_hit_objects));
+}
+
+size_t scanner_state_get_current_packet_hit_object_count(struct scanner_state *state, enum HIT_OBJECT_ATTRIBUTE_TYPE type)
+{
+ return ((state==NULL || state->curr_pkt_object[type]==NULL) ? 0 : utarray_len(state->curr_pkt_object[type]));
+}
+
+size_t scanner_state_get_current_packet_hit_objects(struct scanner_state *state, enum HIT_OBJECT_ATTRIBUTE_TYPE type, struct maat_hit_object hit_objects[], size_t n_hit_objects)
+{
+ return ((state==NULL) ? 0 : hit_objects_copy(state->curr_pkt_object[type], hit_objects, n_hit_objects));
+}
+
+int is_duplicate_rule_uuid(UT_array *rule_uuids, uuid_t rule_uuid)
+{
+ if(rule_uuids==NULL || uuid_is_null(rule_uuid))
+ {
+ return 0;
+ }
+
+ for(unsigned i=0; i<utarray_len(rule_uuids); i++)
+ {
+ struct matched_rule *p_rule=(struct matched_rule *)utarray_eltptr(rule_uuids, i);
+ if(p_rule==NULL)
+ {
+ continue;
+ }
+
+ if(uuid_compare(p_rule->rule_uuid, rule_uuid)==0)
+ {
+ return 1;
+ }
+ }
+
+ return 0;
+}
+
+void scanner_state_add_current_packet_rules(struct scanner_state *state, enum RULE_TYPE type, uuid_t rule_uuids[], size_t n_rule_uuids)
+{
+ if(state==NULL || type>=RULE_TYPE_MAX || n_rule_uuids==0)
+ {
+ return;
+ }
+
+ if(state->curr_pkt_rule[type]==NULL)
+ {
+ UT_icd UT_matched_rule_icd={sizeof(struct matched_rule), NULL, NULL, NULL};
+ utarray_new(state->curr_pkt_rule[type], &UT_matched_rule_icd);
+ }
+
+ for(unsigned i=0; i<n_rule_uuids; i++)
+ {
+ int duplicate_flag=is_duplicate_rule_uuid(state->curr_pkt_rule[type], rule_uuids[i]);
+ if(duplicate_flag==1)
+ {
+ continue;
+ }
+
+ duplicate_flag=is_duplicate_rule_uuid(state->history_rule[type], rule_uuids[i]);
+ if(duplicate_flag==1)
+ {
+ continue;
+ }
+
+ struct matched_rule p_rule;
+ p_rule.matched_app_id=0;
+ p_rule.type=type;
+ uuid_copy(p_rule.rule_uuid, rule_uuids[i]);
+ utarray_push_back(state->curr_pkt_rule[type], &p_rule);
+ }
+}
+
+void scanner_state_add_current_packet_hit_objects(struct scanner_state *state, enum HIT_OBJECT_ATTRIBUTE_TYPE type, struct maat_hit_object hit_objects[], size_t n_hit_objects)
+{
+ if(state==NULL || n_hit_objects==0)
+ {
+ return;
+ }
+
+ if(state->curr_pkt_object[type]==NULL)
+ {
+ UT_icd UT_maat_hit_object_icd={sizeof(struct maat_hit_object), NULL, NULL, NULL};
+ utarray_new(state->curr_pkt_object[type], &UT_maat_hit_object_icd);
+ }
+
+ for(unsigned i=0; i<n_hit_objects; i++)
+ {
+ utarray_push_back(state->curr_pkt_object[type], &hit_objects[i]);
+ }
+}
+
+void scanner_state_merge_packet_rules(struct scanner_state *state)
+{
+ if(state==NULL)
+ {
+ return;
+ }
+
+ for(unsigned i=0; i<RULE_TYPE_MAX; i++)
+ {
+ if(state->curr_pkt_rule[i]==NULL)
+ {
+ continue;
+ }
+
+ if(state->history_rule[i]==NULL)
+ {
+ UT_icd UT_matched_rule_icd={sizeof(struct matched_rule), NULL, NULL, NULL};
+ utarray_new(state->history_rule[i], &UT_matched_rule_icd);
+ }
+
+ utarray_concat(state->history_rule[i], state->curr_pkt_rule[i]);
+ utarray_clear(state->curr_pkt_rule[i]);
+ }
+}
+
+void scanner_state_merge_packet_hit_objects(struct scanner_state *state)
+{
+ if(state==NULL)
+ {
+ return;
+ }
+
+ for(unsigned i=0; i<HIT_OBJECT_ATTRIBUTE_TYPE_MAX; i++)
+ {
+ if(state->curr_pkt_object[i]==NULL)
+ {
+ continue;
+ }
+
+ if(state->history_object[i]==NULL)
+ {
+ UT_icd UT_maat_hit_object_icd={sizeof(struct maat_hit_object), NULL, NULL, NULL};
+ utarray_new(state->history_object[i], &UT_maat_hit_object_icd);
+ }
+
+ utarray_concat(state->history_object[i], state->curr_pkt_object[i]);
+ utarray_clear(state->curr_pkt_object[i]);
+ }
+}
\ No newline at end of file
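Review bot: `scanner_state_get_history_hit_objects()` reads `state->curr_pkt_object[type]` instead of `state->history_object[type]`, so it returns the current packet's hits, and returns nothing once `scanner_state_merge_packet_hit_objects()` has cleared that array. The return should be `((state==NULL || state->history_object[type]==NULL) ? 0 : hit_objects_copy(state->history_object[type], hit_objects, n_hit_objects))`. Separately, only `scanner_state_set_current_rule_matched_appid()` and `scanner_state_add_current_packet_rules()` reject `type>=RULE_TYPE_MAX`. The count/get accessors and `scanner_state_add_current_packet_hit_objects()` index the fixed-size `UT_array *` arrays with an unchecked `type`, which is an out-of-bounds read (or a write, in the add path) if a caller passes a bad value. Adding `type>=HIT_OBJECT_ATTRIBUTE_TYPE_MAX` or `type>=RULE_TYPE_MAX` to each existing NULL guard closes that.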
diff --git a/scanner/scanner_state.h b/scanner/scanner_state.h
new file mode 100644
index 0000000..bf88a95
--- /dev/null
+++ b/scanner/scanner_state.h
@@ -0,0 +1,24 @@
+#pragma once
+
+#include <uuid/uuid.h>
+#include <stellar/scanner.h>
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+struct scanner_state *scanner_state_new(void);
+void scanner_state_free(struct scanner_state *state);
+
+void scanner_state_merge_packet_rules(struct scanner_state *state);
+void scanner_state_merge_packet_hit_objects(struct scanner_state *state);
+
+void scanner_state_set_current_rule_matched_appid(struct scanner_state *state, enum RULE_TYPE rule_type, uuid_t rule_uuid, int appid);
+
+void scanner_state_add_current_packet_rules(struct scanner_state *state, enum RULE_TYPE rule_type, uuid_t rule_uuids[], size_t n_rule_uuids);
+void scanner_state_add_current_packet_hit_objects(struct scanner_state *state, enum HIT_OBJECT_ATTRIBUTE_TYPE type, struct maat_hit_object hit_objects[], size_t n_hit_objects);
+
+#ifdef __cplusplus
+}
+#endif
\ No newline at end of file
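Review bot: The add and merge prototypes here have behaviour a caller cannot read off the signatures, and the header carries no comments. In scanner_state.c, `scanner_state_add_current_packet_rules()` silently skips UUIDs already present in the current-packet or history array, while `scanner_state_add_current_packet_hit_objects()` appends without de-duplication. The two merge functions append the current-packet arrays to history and then empty them. I would add `/* appends current-packet entries to history, then empties the current-packet arrays */` above the merge prototypes and `/* rules already recorded for this packet or in history are skipped; hit objects are appended as-is */` above the add prototypes.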
diff --git a/scanner/scanner_toml.c b/scanner/scanner_toml.c
new file mode 100644
index 0000000..600bfa0
--- /dev/null
+++ b/scanner/scanner_toml.c
@@ -0,0 +1,121 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <linux/limits.h>
+
+#include <toml/toml.h>
+#include <yyjson/yyjson.h>
+
+#include <stellar/utils.h>
+#include <stellar/scanner.h>
+
+#include "scanner_toml.h"
+
+static toml_table_t *toml_open(struct logger *logger, const char *toml_path)
+{
+ FILE *fp=fopen(toml_path, "r");
+ if (NULL==fp)
+ {
+ STELLAR_LOG_FATAL(logger, SCANNER_MODULE_NAME, "toml_bool_get can't open config file: %s", toml_path);
+ return NULL;
+ }
+
+ char errbuf[256]={0};
+ toml_table_t *root=toml_parse_file(fp, errbuf, sizeof(errbuf));
+ fclose(fp);
+
+ return root;
+}
+
+static void toml_close(struct toml_table_t *root)
+{
+ toml_free(root);
+}
+
+void toml_bool_get(struct logger *logger, const char *toml_path, const char *table_key, const char *key, bool *value)
+{
+ toml_table_t *root=toml_open(logger, toml_path);
+ if(NULL==root)
+ {
+ return ;
+ }
+
+ toml_table_t *table=toml_table_in(root, table_key);
+ if(NULL==table)
+ {
+ STELLAR_LOG_FATAL(logger, SCANNER_MODULE_NAME, "toml_bool_get can't find key: [%s] in config file: %s", table_key, toml_path);
+ toml_close(root);
+ return ;
+ }
+
+ toml_datum_t val=toml_bool_in(table, key);
+ if(val.ok>0)
+ {
+ *value=val.u.b;
+ }
+ else
+ {
+ *value=false;
+ }
+
+ toml_close(root);
+}
+
+void toml_int_get(struct logger *logger, const char *toml_path, const char *table_key, const char *key, int *value)
+{
+ toml_table_t *root=toml_open(logger, toml_path);
+ if(NULL==root)
+ {
+ return ;
+ }
+
+ toml_table_t *table=toml_table_in(root, table_key);
+ if(NULL==table)
+ {
+ STELLAR_LOG_FATAL(logger, SCANNER_MODULE_NAME, "toml_int_get can't find key: [%s] in config file: %s", table_key, toml_path);
+ toml_close(root);
+ return ;
+ }
+
+ toml_datum_t val=toml_int_in(table, key);
+ if(val.ok>0)
+ {
+ *value=val.u.i;
+ }
+ else
+ {
+ *value=0;
+ }
+
+ toml_close(root);
+}
+
+void toml_string_get(struct logger *logger, const char *toml_path, const char *table_key, const char *key, char *value, size_t value_len)
+{
+ toml_table_t *root=toml_open(logger, toml_path);
+ if(NULL==root)
+ {
+ return ;
+ }
+
+ toml_table_t *table=toml_table_in(root, table_key);
+ if(NULL==table)
+ {
+ STELLAR_LOG_FATAL(logger, SCANNER_MODULE_NAME, "toml_string_get can't find key: [%s] in config file: %s", table_key, toml_path);
+ toml_close(root);
+ return ;
+ }
+
+ toml_datum_t val=toml_string_in(table, key);
+ if(val.ok>0)
+ {
+ strncpy(value, val.u.s, MIN(value_len-1, strlen(val.u.s)));
+ free(val.u.s);
+ }
+ else
+ {
+ strncpy(value, "", value_len);
+ }
+
+ toml_close(root);
+}
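Review bot: In toml_string_get the copy `strncpy(value, val.u.s, MIN(value_len-1, strlen(val.u.s)))` never writes a terminating NUL, so the result is a valid C string only if the caller zeroed the buffer beforehand, and with `value_len==0` the `value_len-1` wraps so the bound becomes `strlen(val.u.s)`. Since the string comes from a configuration file, I would bound and terminate it explicitly, e.g. `if(value_len>0) snprintf(value, value_len, "%s", val.u.s);`. All three getters also return without writing `*value` when the file cannot be opened or the table is missing, so a caller that did not pre-initialise the out-parameter reads indeterminate data, and toml_int_get narrows the 64-bit `val.u.i` to `int` without a range check. In toml_open the log message always names toml_bool_get whichever getter called it, and the `errbuf` filled by toml_parse_file is never logged, so a syntax error in the file is indistinguishable from a missing table.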
diff --git a/scanner/scanner_toml.h b/scanner/scanner_toml.h
new file mode 100644
index 0000000..fd4dabe
--- /dev/null
+++ b/scanner/scanner_toml.h
@@ -0,0 +1,9 @@
+#pragma once
+
+#include <stdbool.h>
+#include <linux/limits.h>
+#include <stellar/log.h>
+
+void toml_bool_get(struct logger *logger, const char *toml_path, const char *table_key, const char *key, bool *value);
+void toml_int_get(struct logger *logger, const char *toml_path, const char *table_key, const char *key, int *value);
+void toml_string_get(struct logger *logger, const char *toml_path, const char *table_key, const char *key, char *value, size_t value_len);
diff --git a/scanner/session_scanner.c b/scanner/session_scanner.c
new file mode 100644
index 0000000..dad6ea2
--- /dev/null
+++ b/scanner/session_scanner.c
@@ -0,0 +1,83 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "stellar/utils.h"
+#include "stellar/session.h"
+#include "stellar/session_scanner.h"
+
+struct session_scanner
+{
+ int exdata_idx;
+ struct scannner *scanner;
+ struct logger *logger;
+};
+
+static void session_scanner_exdata_free(int idx __unused, void *ex_ptr, void *arg __unused)
+{
+ if(ex_ptr==NULL)return;
+ FREE(ex_ptr);
+}
+
+const struct kv *session_scanner_get_attribute(struct session_scanner *sess_scanner, struct session *sess, enum ATTRIBUTE_KV_INDEX index)
+{
+ if(sess_scanner==NULL || sess==NULL || index>=ATTRIBUTE_INDEX_MAX || index<=ATTRIBUTE_KV_UNKNOWN)
+ {
+ return NULL;
+ }
+
+ return attribute_kv_get((struct attribute_kv *)session_get_exdata(sess, sess_scanner->exdata_idx), index);
+}
+
+static void session_scanner_on_session(struct session *sess, enum session_state state, struct packet *pkt, void *args)
+{
+
+}
+
+struct session_scanner *session_scanner_new(struct module_manager *mod_mgr, struct scanner *scanner)
+{
+ if(mod_mgr==NULL || scanner==NULL)
+ {
+ return NULL;
+ }
+
+ struct session_scanner *sess_scanner=CALLOC(struct session_scanner, 1);
+ sess_scanner->scanner=scanner;
+ sess_scanner->logger=module_manager_get_logger(mod_mgr);
+
+ struct module *sess_mgr_mod=module_manager_get_module(mod_mgr, SESSION_MANAGER_MODULE_NAME);
+ struct session_manager *sess_mgr=module_to_session_manager(sess_mgr_mod);
+ struct mq_schema *mq_s=module_manager_get_mq_schema(mod_mgr);
+
+ if(sess_mgr==NULL || mq_s==NULL)
+ {
+ STELLAR_LOG_FATAL(sess_scanner->logger, SCANNER_MODULE_NAME, "session_scanner_new failed to get session manager or mq schema");
+ goto INIT_ERROR;
+ }
+
+ session_manager_subscribe_tcp(sess_mgr, session_scanner_on_session, sess_scanner);
+ session_manager_subscribe_udp(sess_mgr, session_scanner_on_session, sess_scanner);
+
+ sess_scanner->exdata_idx=session_manager_new_session_exdata_index(sess_mgr, "SCANNER_EXDATA_SESSION", session_scanner_exdata_free, NULL);
+ if(sess_scanner->exdata_idx<0)
+ {
+ STELLAR_LOG_FATAL(sess_scanner->logger, SCANNER_MODULE_NAME, "session_scanner_new failed to create exdata index");
+ goto INIT_ERROR;
+ }
+
+ return sess_scanner;
+
+INIT_ERROR:
+ session_scanner_free(sess_scanner);
+ return NULL;
+}
+
+void session_scanner_free(struct session_scanner *sess_scanner)
+{
+ if(sess_scanner==NULL)
+ {
+ return ;
+ }
+
+ FREE(sess_scanner);
+}
\ No newline at end of file
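Review bot: session_scanner_new registers `session_scanner_on_session` with `sess_scanner` as its argument before the exdata index is created, and the INIT_ERROR path then frees that object with no unsubscribe visible in this hunk. The session manager may therefore keep a dangling pointer that becomes a use-after-free as soon as the callback starts reading `args`. Creating the exdata index first and calling session_manager_subscribe_tcp/udp only after it succeeds avoids this. The member `struct scannner *scanner;` (three n's) declares a different incomplete type from the `struct scanner *` parameter assigned to it and should read `struct scanner *scanner;`. The `CALLOC` result is dereferenced unchecked (fine only if the macro aborts on failure, which is not shown here), and session_scanner_free is called above its definition, so it relies on a prototype from a header outside this hunk.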
diff --git a/scanner/session_scanner.h b/scanner/session_scanner.h
new file mode 100644
index 0000000..3496d10
--- /dev/null
+++ b/scanner/session_scanner.h
@@ -0,0 +1,8 @@
+#pragma once
+
+#include "stellar/scanner.h"
+#include "stellar/module.h"
+
+const struct kv *session_scanner_get_attribute(struct session_scanner *sess_scanner, struct session *sess, enum ATTRIBUTE_KV_INDEX index);
+struct session_scanner *session_scanner_new(struct module_manager *mod_mgr, struct scanner *scanner);
+void session_scanner_free(struct session_scanner *sess_scanner)
\ No newline at end of file
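Review bot: The last declaration, `void session_scanner_free(struct session_scanner *sess_scanner)`, has no terminating semicolon, so any translation unit that includes this header fails to parse at whatever follows the include. It should read `void session_scanner_free(struct session_scanner *sess_scanner);`. The header also names `struct session` and `struct session_scanner` without a visible forward declaration (unless stellar/scanner.h provides them), and unlike scanner_state.h it has no `extern "C"` guard, which matters if the C++ gtest sources ever include it.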
diff --git a/scanner/test/CMakeLists.txt b/scanner/test/CMakeLists.txt
new file mode 100644
index 0000000..a5dc197
--- /dev/null
+++ b/scanner/test/CMakeLists.txt
@@ -0,0 +1,26 @@
+add_executable(gtest_scanner
+ gtest_scanner_main.cpp
+ ${CMAKE_SOURCE_DIR}/scanner/scanner_toml.c
+ ${CMAKE_SOURCE_DIR}/scanner/scanner_state.c
+ gtest_scanner_state.cpp
+ ${CMAKE_SOURCE_DIR}/scanner/scanner_maat.c
+ gtest_scanner_maat.cpp
+ ${CMAKE_SOURCE_DIR}/scanner/attribute_schema.c
+ gtest_attribute_schema.cpp
+)
+
+target_include_directories(gtest_scanner PRIVATE ${CMAKE_SOURCE_DIR}/scanner/)
+
+target_link_libraries(
+ gtest_scanner
+ "-rdynamic"
+ gtest
+ gmock
+ uuid
+ yyjson
+ logger
+ maatframe
+)
+
+include(GoogleTest)
+gtest_discover_tests(gtest_scanner)
\ No newline at end of file
diff --git a/scanner/test/gtest_attribute_schema.cpp b/scanner/test/gtest_attribute_schema.cpp
new file mode 100644
index 0000000..fdd5dd6
--- /dev/null
+++ b/scanner/test/gtest_attribute_schema.cpp
@@ -0,0 +1,455 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <uuid/uuid.h>
+
+#include <gtest/gtest.h>
+#include "attribute_schema.h"
+
+TEST(scanner_attribute_schema, demo)
+{
+ EXPECT_EQ(1, 1);
+}
+
+TEST(scanner_attribute_schema, attribute_string_not_free)
+{
+ struct attribute_schema attr_schema=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_HOST,
+ .scan_not_logic_flag=0,
+ .scan_hit_object_idx=0,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=0,
+ .log_field_name=NULL
+ };
+
+ size_t attr_offset=0;
+ size_t attr_max=1;
+ struct attribute_scratch attr[attr_max];
+ attribute_scratch_string_fill(attr, attr_max, &attr_offset, FREE_FALSE, &attr_schema, FREE_FALSE, (char *)"hello", 5);
+
+ EXPECT_EQ(attr_offset, 1);
+ EXPECT_EQ(attr[0].schema, &attr_schema);
+ EXPECT_EQ(attr[0].value_type, ATTRIBUTE_VALUE_TYPE_STRING);
+ EXPECT_EQ(attr[0].is_free_schema, FREE_FALSE);
+ EXPECT_EQ(attr[0].is_free_value, FREE_FALSE);
+ EXPECT_EQ(attr[0].string.value_sz, 5);
+ EXPECT_EQ(0, memcmp(attr[0].string.value, "hello", 5));
+
+ attribute_scratch_reset(attr, attr_offset);
+}
+
+TEST(scanner_attribute_schema, attribute_string_free)
+{
+ struct attribute_schema attr_schema={
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_HOST,
+ .scan_not_logic_flag=0,
+ .scan_hit_object_idx=0,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=0,
+ .log_field_name=NULL
+ };
+
+ size_t attr_offset=0;
+ size_t attr_max=1;
+ struct attribute_scratch attr[attr_max];
+ size_t value_sz=strlen("world");
+ char *value=(char *)malloc(5);
+ memcpy(value, "world", 5);
+ attribute_scratch_string_fill(attr, attr_max, &attr_offset, FREE_FALSE, &attr_schema, FREE_TRUE, value, value_sz);
+
+ EXPECT_EQ(attr_offset, 1);
+ EXPECT_EQ(attr[0].schema, &attr_schema);
+ EXPECT_EQ(attr[0].value_type, ATTRIBUTE_VALUE_TYPE_STRING);
+ EXPECT_EQ(attr[0].is_free_schema, FREE_FALSE);
+ EXPECT_EQ(attr[0].is_free_value, FREE_TRUE);
+ EXPECT_EQ(attr[0].string.value_sz, value_sz);
+ EXPECT_EQ(0, memcmp(attr[0].string.value, "world", 5));
+
+ attribute_scratch_reset(attr, attr_offset);
+}
+
+TEST(scanner_attribute_schema, attribute_string_array_not_free)
+{
+ struct attribute_schema attr_schema={
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_HOST,
+ .scan_not_logic_flag=0,
+ .scan_hit_object_idx=0,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=0,
+ .log_field_name=NULL
+ };
+
+ size_t attr_offset=0;
+ size_t attr_max=1;
+ struct attribute_scratch attr[attr_max];
+ size_t n_value=2;
+ size_t value_sz[2]={5, 5};
+ char *value[2]={(char *)"hello", (char *)"world"};
+ attribute_scratch_string_array_fill(attr, attr_max, &attr_offset, FREE_FALSE, &attr_schema, FREE_FALSE, value, value_sz, n_value);
+
+ EXPECT_EQ(attr_offset, 1);
+ EXPECT_EQ(attr[0].schema, &attr_schema);
+ EXPECT_EQ(attr[0].value_type, ATTRIBUTE_VALUE_TYPE_STRING_ARRAY);
+ EXPECT_EQ(attr[0].is_free_schema, FREE_FALSE);
+ EXPECT_EQ(attr[0].is_free_value, FREE_FALSE);
+ EXPECT_EQ(attr[0].string_array.n_value, 2);
+
+ EXPECT_EQ(attr[0].string_array.value_sz[0], 5);
+ EXPECT_EQ(0, memcmp(attr[0].string_array.value[0], "hello", 5));
+
+ EXPECT_EQ(attr[0].string_array.value_sz[1], 5);
+ EXPECT_EQ(0, memcmp(attr[0].string_array.value[1], "world", 5));
+
+ attribute_scratch_reset(attr, attr_offset);
+}
+
+TEST(scanner_attribute_schema, attribute_string_array_free)
+{
+ struct attribute_schema attr_schema={
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_HOST,
+ .scan_not_logic_flag=0,
+ .scan_hit_object_idx=0,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=0,
+ .log_field_name=NULL
+ };
+
+ size_t attr_offset=0;
+ size_t attr_max=1;
+ struct attribute_scratch attr[attr_max];
+ size_t n_value=2;
+ size_t *value_sz=(size_t *)malloc(2*sizeof(size_t));
+ value_sz[0]=5;
+ value_sz[1]=5;
+
+ char **value=(char **)malloc(2*sizeof(char *));
+ value[0]=(char *)malloc(5);
+ memcpy(value[0], "hello", 5);
+ value[1]=(char *)malloc(5);
+ memcpy(value[1], "world", 5);
+ attribute_scratch_string_array_fill(attr, attr_max, &attr_offset, FREE_FALSE, &attr_schema, FREE_TRUE, value, value_sz, n_value);
+
+ EXPECT_EQ(attr_offset, 1);
+ EXPECT_EQ(attr[0].schema, &attr_schema);
+ EXPECT_EQ(attr[0].value_type, ATTRIBUTE_VALUE_TYPE_STRING_ARRAY);
+ EXPECT_EQ(attr[0].is_free_schema, FREE_FALSE);
+ EXPECT_EQ(attr[0].is_free_value, FREE_TRUE);
+ EXPECT_EQ(attr[0].string_array.n_value, 2);
+
+ EXPECT_EQ(attr[0].string_array.value_sz[0], 5);
+ EXPECT_EQ(0, memcmp(attr[0].string_array.value[0], "hello", 5));
+
+ EXPECT_EQ(attr[0].string_array.value_sz[1], 5);
+ EXPECT_EQ(0, memcmp(attr[0].string_array.value[1], "world", 5));
+
+ attribute_scratch_reset(attr, attr_offset);
+}
+
+TEST(scanner_attribute_schema, attribute_chunk_not_free)
+{
+ struct attribute_schema attr_schema={
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_HOST,
+ .scan_not_logic_flag=0,
+ .scan_hit_object_idx=0,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=0,
+ .log_field_name=NULL
+ };
+
+ size_t attr_offset=0;
+ size_t attr_max=1;
+ struct attribute_scratch attr[attr_max];
+ attribute_scratch_chunk_fill(attr, attr_max, &attr_offset, FREE_FALSE, &attr_schema, FREE_FALSE, (char *)"hello", 5);
+
+ EXPECT_EQ(attr_offset, 1);
+ EXPECT_EQ(attr[0].schema, &attr_schema);
+ EXPECT_EQ(attr[0].value_type, ATTRIBUTE_VALUE_TYPE_STREAM);
+ EXPECT_EQ(attr[0].is_free_schema, FREE_FALSE);
+ EXPECT_EQ(attr[0].is_free_value, FREE_FALSE);
+ EXPECT_EQ(attr[0].chunk.value_sz, 5);
+ EXPECT_EQ(0, memcmp(attr[0].chunk.value, "hello", 5));
+
+ attribute_scratch_reset(attr, attr_offset);
+}
+
+TEST(scanner_attribute_schema, attribute_chunk_free)
+{
+ struct attribute_schema attr_schema={
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_HOST,
+ .scan_not_logic_flag=0,
+ .scan_hit_object_idx=0,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=0,
+ .log_field_name=NULL
+ };
+
+ size_t attr_offset=0;
+ size_t attr_max=1;
+ struct attribute_scratch attr[attr_max];
+ size_t value_sz=strlen("world");
+ char *value=(char *)malloc(5);
+ memcpy(value, "world", 5);
+ attribute_scratch_chunk_fill(attr, attr_max, &attr_offset, FREE_FALSE, &attr_schema, FREE_TRUE, value, value_sz);
+
+ EXPECT_EQ(attr_offset, 1);
+ EXPECT_EQ(attr[0].schema, &attr_schema);
+ EXPECT_EQ(attr[0].value_type, ATTRIBUTE_VALUE_TYPE_STREAM);
+ EXPECT_EQ(attr[0].is_free_schema, FREE_FALSE);
+ EXPECT_EQ(attr[0].is_free_value, FREE_TRUE);
+ EXPECT_EQ(attr[0].chunk.value_sz, value_sz);
+ EXPECT_EQ(0, memcmp(attr[0].chunk.value, "world", 5));
+
+ attribute_scratch_reset(attr, attr_offset);
+}
+
+TEST(scanner_attribute_schema, attribute_integer)
+{
+ struct attribute_schema attr_schema={
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_HOST,
+ .scan_not_logic_flag=0,
+ .scan_hit_object_idx=0,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=0,
+ .log_field_name=NULL
+ };
+
+ size_t attr_offset=0;
+ size_t attr_max=1;
+ struct attribute_scratch attr[attr_max];
+ attribute_scratch_integer_fill(attr, attr_max, &attr_offset, FREE_FALSE, &attr_schema, FREE_FALSE, 123);
+
+ EXPECT_EQ(attr_offset, 1);
+ EXPECT_EQ(attr[0].schema, &attr_schema);
+ EXPECT_EQ(attr[0].value_type, ATTRIBUTE_VALUE_TYPE_INTEGER);
+ EXPECT_EQ(attr[0].is_free_schema, FREE_FALSE);
+ EXPECT_EQ(attr[0].is_free_value, FREE_FALSE);
+ EXPECT_EQ(attr[0].integer, 123);
+
+ attribute_scratch_reset(attr, attr_offset);
+}
+
+TEST(scanner_attribute_schema, attribute_flag)
+{
+ struct attribute_schema attr_schema={
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_HOST,
+ .scan_not_logic_flag=0,
+ .scan_hit_object_idx=0,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=0,
+ .log_field_name=NULL
+ };
+
+ size_t attr_offset=0;
+ size_t attr_max=1;
+ struct attribute_scratch attr[attr_max];
+ attribute_scratch_flag_fill(attr, attr_max, &attr_offset, FREE_FALSE, &attr_schema, FREE_FALSE, 123);
+
+ EXPECT_EQ(attr_offset, 1);
+ EXPECT_EQ(attr[0].schema, &attr_schema);
+ EXPECT_EQ(attr[0].value_type, ATTRIBUTE_VALUE_TYPE_FLAG);
+ EXPECT_EQ(attr[0].is_free_schema, FREE_FALSE);
+ EXPECT_EQ(attr[0].is_free_value, FREE_FALSE);
+ EXPECT_EQ(attr[0].flag, 123);
+
+ attribute_scratch_reset(attr, attr_offset);
+}
+
+TEST(scanner_attribute_schema, attribute_ipv4)
+{
+ struct attribute_schema attr_schema={
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_HOST,
+ .scan_not_logic_flag=0,
+ .scan_hit_object_idx=0,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=0,
+ .log_field_name=NULL
+ };
+
+ size_t attr_offset=0;
+ size_t attr_max=1;
+ struct attribute_scratch attr[attr_max];
+ attribute_scratch_ipv4_fill(attr, attr_max, &attr_offset, FREE_FALSE, &attr_schema, FREE_FALSE, 0x01020304, 80);
+
+ EXPECT_EQ(attr_offset, 1);
+ EXPECT_EQ(attr[0].schema, &attr_schema);
+ EXPECT_EQ(attr[0].value_type, ATTRIBUTE_VALUE_TYPE_IPV4);
+ EXPECT_EQ(attr[0].is_free_schema, FREE_FALSE);
+ EXPECT_EQ(attr[0].is_free_value, FREE_FALSE);
+ EXPECT_EQ(attr[0].ipv4_port.port, 80);
+ EXPECT_EQ(attr[0].ipv4_port.ipv4, 0x01020304);
+
+ attribute_scratch_reset(attr, attr_offset);
+}
+
+TEST(scanner_attribute_schema, attribute_ipv6)
+{
+ struct attribute_schema attr_schema={
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_HOST,
+ .scan_not_logic_flag=0,
+ .scan_hit_object_idx=0,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=0,
+ .log_field_name=NULL
+ };
+
+ size_t attr_offset=0;
+ size_t attr_max=1;
+ struct attribute_scratch attr[attr_max];
+ uint8_t ipv6[16]={0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10};
+ attribute_scratch_ipv6_fill(attr, attr_max, &attr_offset, FREE_FALSE, &attr_schema, FREE_FALSE, ipv6, 80);
+
+ EXPECT_EQ(attr_offset, 1);
+ EXPECT_EQ(attr[0].schema, &attr_schema);
+ EXPECT_EQ(attr[0].value_type, ATTRIBUTE_VALUE_TYPE_IPV6);
+ EXPECT_EQ(attr[0].is_free_schema, FREE_FALSE);
+ EXPECT_EQ(attr[0].is_free_value, FREE_FALSE);
+ EXPECT_EQ(attr[0].ipv6_port.port, 80);
+ EXPECT_EQ(0, memcmp(attr[0].ipv6_port.ipv6, ipv6, 16));
+
+ attribute_scratch_reset(attr, attr_offset);
+}
+
+TEST(scanner_attribute_schema, attribute_maat_object_not_free)
+{
+ struct attribute_schema attr_schema={
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_HOST,
+ .scan_not_logic_flag=0,
+ .scan_hit_object_idx=0,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=0,
+ .log_field_name=NULL
+ };
+
+ size_t n_hit_objects=2;
+ struct maat_hit_object hit_objects[n_hit_objects];
+ uuid_parse("12345678-1234-5678-1234-567812345678", hit_objects[0].item_uuid);
+ uuid_parse("87654321-4321-8765-4321-876543218765", hit_objects[0].object_uuid);
+
+ uuid_parse("12345678-1234-5678-1234-567812345678", hit_objects[1].item_uuid);
+ uuid_parse("87654321-4321-8765-4321-876543218765", hit_objects[1].object_uuid);
+
+ size_t attr_offset=0;
+ size_t attr_max=1;
+ struct attribute_scratch attr[attr_max];
+ attribute_scratch_maat_object_fill(attr, attr_max, &attr_offset, FREE_FALSE, &attr_schema, FREE_FALSE, hit_objects, n_hit_objects);
+
+ EXPECT_EQ(attr_offset, 1);
+ EXPECT_EQ(attr[0].schema, &attr_schema);
+ EXPECT_EQ(attr[0].value_type, ATTRIBUTE_VALUE_TYPE_MAAT_OBJECT);
+ EXPECT_EQ(attr[0].is_free_schema, FREE_FALSE);
+ EXPECT_EQ(attr[0].is_free_value, FREE_TRUE); // notice here
+ EXPECT_EQ(attr[0].maat_object.n_hit_objects, 2);
+
+ char uuid_str[UUID_STR_LEN]={0};
+ uuid_unparse_lower(attr[0].maat_object.hit_objects[0].item_uuid, uuid_str);
+ EXPECT_STREQ(uuid_str, "12345678-1234-5678-1234-567812345678");
+
+ uuid_unparse_lower(attr[0].maat_object.hit_objects[0].object_uuid, uuid_str);
+ EXPECT_STREQ(uuid_str, "87654321-4321-8765-4321-876543218765");
+
+ uuid_unparse_lower(attr[0].maat_object.hit_objects[1].item_uuid, uuid_str);
+ EXPECT_STREQ(uuid_str, "12345678-1234-5678-1234-567812345678");
+
+ uuid_unparse_lower(attr[0].maat_object.hit_objects[1].object_uuid, uuid_str);
+ EXPECT_STREQ(uuid_str, "87654321-4321-8765-4321-876543218765");
+
+ attribute_scratch_reset(attr, attr_offset);
+}
+
+TEST(scanner_attribute_schema, attribute_maat_object_free)
+{
+ struct attribute_schema attr_schema={
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_HOST,
+ .scan_not_logic_flag=0,
+ .scan_hit_object_idx=0,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=0,
+ .log_field_name=NULL
+ };
+
+ size_t n_hit_objects=2;
+ struct maat_hit_object *hit_objects=(struct maat_hit_object *)malloc(n_hit_objects*sizeof(struct maat_hit_object));
+ uuid_parse("12345678-1234-5678-1234-567812345678", hit_objects[0].item_uuid);
+ uuid_parse("87654321-4321-8765-4321-876543218765", hit_objects[0].object_uuid);
+
+ uuid_parse("12345678-1234-5678-1234-567812345678", hit_objects[1].item_uuid);
+ uuid_parse("87654321-4321-8765-4321-876543218765", hit_objects[1].object_uuid);
+
+ size_t attr_offset=0;
+ size_t attr_max=1;
+ struct attribute_scratch attr[attr_max];
+ attribute_scratch_maat_object_fill(attr, attr_max, &attr_offset, FREE_FALSE, &attr_schema, FREE_TRUE, hit_objects, n_hit_objects);
+
+ EXPECT_EQ(attr_offset, 1);
+ EXPECT_EQ(attr[0].schema, &attr_schema);
+ EXPECT_EQ(attr[0].value_type, ATTRIBUTE_VALUE_TYPE_MAAT_OBJECT);
+ EXPECT_EQ(attr[0].is_free_schema, FREE_FALSE);
+ EXPECT_EQ(attr[0].is_free_value, FREE_TRUE);
+ EXPECT_EQ(attr[0].maat_object.n_hit_objects, 2);
+
+ char uuid_str[UUID_STR_LEN]={0};
+ uuid_unparse_lower(attr[0].maat_object.hit_objects[0].item_uuid, uuid_str);
+ EXPECT_STREQ(uuid_str, "12345678-1234-5678-1234-567812345678");
+ uuid_unparse_lower(attr[0].maat_object.hit_objects[0].object_uuid, uuid_str);
+ EXPECT_STREQ(uuid_str, "87654321-4321-8765-4321-876543218765");
+
+ uuid_unparse_lower(attr[0].maat_object.hit_objects[1].item_uuid, uuid_str);
+ EXPECT_STREQ(uuid_str, "12345678-1234-5678-1234-567812345678");
+ uuid_unparse_lower(attr[0].maat_object.hit_objects[1].object_uuid, uuid_str);
+ EXPECT_STREQ(uuid_str, "87654321-4321-8765-4321-876543218765");
+
+ attribute_scratch_reset(attr, attr_offset);
+}
+
+TEST(scanner_attribute_schema, attribute_not_logic)
+{
+ struct attribute_schema attr_schema={
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_HOST,
+ .scan_not_logic_flag=0,
+ .scan_hit_object_idx=0,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=0,
+ .log_field_name=NULL
+ };
+
+ size_t attr_offset=0;
+ size_t attr_max=1;
+ struct attribute_scratch attr[attr_max];
+ attribute_scratch_not_logic_fill(attr, attr_max, &attr_offset, FREE_FALSE, &attr_schema, FREE_FALSE);
+
+ EXPECT_EQ(attr_offset, 1);
+ EXPECT_EQ(attr[0].schema, &attr_schema);
+ EXPECT_EQ(attr[0].value_type, ATTRIBUTE_VALUE_TYPE_NOT_LOGIC);
+ EXPECT_EQ(attr[0].is_free_schema, FREE_FALSE);
+ EXPECT_EQ(attr[0].is_free_value, FREE_FALSE);
+ EXPECT_EQ(attr[0].null_ptr, nullptr);
+
+ attribute_scratch_reset(attr, attr_offset);
+}
+
+TEST(scanner_attribute_schema, attribute_not_logic_free_schema)
+{
+ struct attribute_schema *attr_schema=(struct attribute_schema *)malloc(sizeof(struct attribute_schema));
+ *attr_schema=(struct attribute_schema){
+ .attr_idx=ATTRIBUTE_SCHEMA_HTTP_HOST,
+ .scan_not_logic_flag=0,
+ .scan_hit_object_idx=0,
+ .scan_attribute_name=NULL,
+ .log_field_name_sz=0,
+ .log_field_name=NULL
+ };
+
+ size_t attr_offset=0;
+ size_t attr_max=1;
+ struct attribute_scratch attr[attr_max];
+ attribute_scratch_not_logic_fill(attr, attr_max, &attr_offset, FREE_TRUE, attr_schema, FREE_FALSE);
+
+ EXPECT_EQ(attr_offset, 1);
+ EXPECT_EQ(attr[0].schema, attr_schema);
+ EXPECT_EQ(attr[0].value_type, ATTRIBUTE_VALUE_TYPE_NOT_LOGIC);
+ EXPECT_EQ(attr[0].is_free_schema, FREE_TRUE);
+ EXPECT_EQ(attr[0].is_free_value, FREE_FALSE);
+ EXPECT_EQ(attr[0].null_ptr, nullptr);
+
+ attribute_scratch_reset(attr, attr_offset);
+}
\ No newline at end of file
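Review bot: Each test checks `EXPECT_EQ(attr_offset, 1);` and then goes on to read `attr[0]`, but `attr` is an uninitialised variable-length array. If a fill helper declines to write the slot, the later expectations (including the `memcmp` on `attr[0].string.value`) read indeterminate memory; `ASSERT_EQ(attr_offset, 1);` would stop the test at the first failure instead. None of the cases calls a fill helper with `attr_offset` already equal to `attr_max`, which is presumably the bound the `attr_max` parameter exists to enforce. A case that fills a one-element scratch twice would cover it, checking that the offset stays at 1 and, for FREE_TRUE values, that the rejected buffer is not leaked; the expected outcome needs confirming against attribute_schema.c, which is outside this hunk. The `demo` test asserts nothing about the code under test and can be dropped.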
diff --git a/scanner/test/gtest_scanner_maat.cpp b/scanner/test/gtest_scanner_maat.cpp
new file mode 100644
index 0000000..98afdc2
--- /dev/null
+++ b/scanner/test/gtest_scanner_maat.cpp
@@ -0,0 +1,776 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <gtest/gtest.h>
+#include "scanner_state.h"
+#include "scanner_maat.h"
+
+TEST(scanner_maat, demo)
+{
+ EXPECT_EQ(1, 1);
+}
+
+extern "C" void scanner_maat_exdata_app_id_dict_free(const char *table_name __attribute__((unused)), void **ad, long argl __attribute__((unused)), void *argp __attribute__((unused)));
+extern "C" void scanner_maat_exdata_app_id_dict_new(const char *table_name __attribute__((unused)), const char *key __attribute__((unused)), const char *table_line, void **ad, long argl __attribute__((unused)), void *argp __attribute__((unused)));
+
+TEST(scanner_maat, app_id_dict_is_correct)
+{
+ const char *table_line="{ \
+ \"app_id\": 4, \
+ \"app_name\": \"unknown\", \
+ \"category\": \"networking\", \
+ \"subcategory\": \"infrastructure\", \
+ \"content\": \"technology\", \
+ \"risk\": \"3\", \
+ \"characteristics\": \"used-by-malware,vulnerability,widely-used\", \
+ \"action_parameter\": { \
+ \"sub_action\": \"drop\", \
+ \"after_n_packets\": 0, \
+ \"send_icmp_unreachable\": 1, \
+ \"send_tcp_reset\": 1 \
+ }, \
+ \"continue_scanning\": 1, \
+ \"tcp_timeout\": 3600, \
+ \"udp_timeout\": 3600, \
+ \"tcp_half_close\": 1800, \
+ \"tcp_time_wait\": 1800, \
+ \"object_uuid\": \"00000000-0000-0000-0000-000000004000\", \
+ \"is_valid\": 1 \
+ }";
+
+ struct app_id_dict *dict=NULL;
+ scanner_maat_exdata_app_id_dict_new("app_id_dict", "4", table_line, (void **)(&dict), 0, NULL);
+ EXPECT_NE(dict, nullptr);
+
+ EXPECT_EQ(dict->app_id, 4);
+ EXPECT_EQ(dict->tcp_timeout, 3600);
+ EXPECT_EQ(dict->udp_timeout, 3600);
+
+ EXPECT_EQ(dict->app_name_sz, 7);
+ EXPECT_STREQ(dict->app_name, "unknown");
+
+ EXPECT_EQ(dict->category_sz, 10);
+ EXPECT_STREQ(dict->category, "networking");
+
+ EXPECT_EQ(dict->content_sz, 10);
+ EXPECT_STREQ(dict->content, "technology");
+
+ EXPECT_STREQ(dict->action_parameter, "{\"sub_action\":\"drop\",\"after_n_packets\":0,\"send_icmp_unreachable\":1,\"send_tcp_reset\":1}");
+
+ char uuid_str[UUID_STR_LEN]={0};
+ uuid_unparse(dict->object_uuid, uuid_str);
+ EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000004000");
+
+ scanner_maat_exdata_app_id_dict_free("app_id_dict", (void **)(&dict), 0, NULL);
+}
+
+extern "C" void scanner_maat_virtual_system_parameter_free(const char *table_name __attribute__((unused)), void **ad, long argl __attribute__((unused)), void *argp __attribute__((unused)));
+extern "C" void scanner_maat_virtual_system_parameter_new(const char *table_name __attribute__((unused)), const char *key __attribute__((unused)), const char *table_line, void **ad, long argl __attribute__((unused)), void *argp __attribute__((unused)));
+TEST(scanner_maat, virtual_system_parameter_is_correct_and_security_option_is_deny)
+{
+ const char *table_line="{ \
+ \"id\": 1, \
+ \"is_enable_session_record\": 1, \
+ \"min_packets\": 3, \
+ \"is_valid\": 1, \
+ \"security_option\": { \
+ \"action\": \"deny\", \
+ \"action_parameter\": { \
+ \"udp_session\": { \
+ \"after_n_packets\": 1, \
+ \"sub_action\": \"drop\", \
+ \"send_icmp_unreachable\": 1 \
+ }, \
+ \"tcp_session\": { \
+ \"after_n_packets\": 4, \
+ \"sub_action\": \"drop\", \
+ \"send_icmp_unreachable\": 1, \
+ \"send_tcp_reset\": 1 \
+ } \
+ } \
+ } \
+ }";
+
+ struct virtual_system_parameter *vsys_para=NULL;
+ scanner_maat_virtual_system_parameter_new("T_VSYS_INFO", "1", table_line, (void **)(&vsys_para), 0, NULL);
+ EXPECT_NE(vsys_para, nullptr);
+
+ EXPECT_EQ(vsys_para->record_enabled, 1);
+ EXPECT_EQ(vsys_para->limited_min_pkts, 3);
+ EXPECT_STREQ(vsys_para->security_settings, "{\"action\":\"deny\",\"action_parameter\":{\"udp_session\":{\"after_n_packets\":1,\"sub_action\":\"drop\",\"send_icmp_unreachable\":1},\"tcp_session\":{\"after_n_packets\":4,\"sub_action\":\"drop\",\"send_icmp_unreachable\":1,\"send_tcp_reset\":1}}}");
+
+ scanner_maat_virtual_system_parameter_free("T_VSYS_INFO", (void **)(&vsys_para), 0, NULL);
+}
+
+TEST(scanner_maat, virtual_system_parameter_is_correct_and_security_option_is_allow)
+{
+ const char *table_line="{ \
+ \"id\": 1, \
+ \"is_enable_session_record\": 0, \
+ \"min_packets\": 2, \
+ \"is_valid\": 1, \
+ \"security_option\": { \
+ \"action\": \"allow\" \
+ } \
+ }";
+
+ struct virtual_system_parameter *vsys_para=NULL;
+ scanner_maat_virtual_system_parameter_new("T_VSYS_INFO", "1", table_line, (void **)(&vsys_para), 0, NULL);
+ EXPECT_NE(vsys_para, nullptr);
+
+ EXPECT_EQ(vsys_para->record_enabled, 0);
+ EXPECT_EQ(vsys_para->limited_min_pkts, 2);
+ EXPECT_STREQ(vsys_para->security_settings, "{\"action\":\"allow\"}");
+
+ scanner_maat_virtual_system_parameter_free("T_VSYS_INFO", (void **)(&vsys_para), 0, NULL);
+}
+
+TEST(scanner_maat, virtual_system_parameter_is_correct_and_security_option_is_null)
+{
+ const char *table_line="{ \
+ \"id\": 1, \
+ \"is_enable_session_record\": 1, \
+ \"min_packets\": 5, \
+ \"is_valid\": 1 \
+ }";
+
+ struct virtual_system_parameter *vsys_para=NULL;
+ scanner_maat_virtual_system_parameter_new("T_VSYS_INFO", "1", table_line, (void **)(&vsys_para), 0, NULL);
+ EXPECT_NE(vsys_para, nullptr);
+
+ EXPECT_EQ(vsys_para->record_enabled, 1);
+ EXPECT_EQ(vsys_para->limited_min_pkts, 5);
+ EXPECT_EQ(vsys_para->security_settings, nullptr);
+
+ scanner_maat_virtual_system_parameter_free("T_VSYS_INFO", (void **)(&vsys_para), 0, NULL);
+}
+
+extern "C" void scanner_maat_exdata_policy_object_free(const char *table_name __attribute__((unused)), void **ad, long argl __attribute__((unused)), void *argp __attribute__((unused)));
+extern "C" void scanner_maat_exdata_policy_object_new(const char *table_name __attribute__((unused)), const char *key __attribute__((unused)), const char *table_line, void **ad, long argl __attribute__((unused)), void *argp __attribute__((unused)));
+TEST(scanner_maat, policy_object_is_none)
+{
+ const char *table_line="{ \
+ \"uuid\": \"00000000-0000-0000-0000-000000010000\", \
+ \"statistics_option\": \"none\", \
+ \"is_valid\": 1 \
+ }";
+
+ long policy_obj=0;
+ scanner_maat_exdata_policy_object_new("policy_object", "00000000-0000-0000-0000-000000010000", table_line, (void **)(&policy_obj), 0, NULL);
+
+ EXPECT_EQ(policy_obj, POLICY_OBJECT_OPTION_NONE);
+
+ scanner_maat_exdata_policy_object_free("policy_object", (void **)(&policy_obj), 0, NULL);
+}
+
+TEST(scanner_maat, policy_object_is_brief)
+{
+ const char *table_line="{ \
+ \"uuid\": \"00000000-0000-0000-0000-000000010001\", \
+ \"statistics_option\": \"brief\", \
+ \"is_valid\": 1 \
+ }";
+
+ long policy_obj=0;
+ scanner_maat_exdata_policy_object_new("policy_object", "00000000-0000-0000-0000-000000010001", table_line, (void **)(&policy_obj), 0, NULL);
+
+ EXPECT_EQ(policy_obj, POLICY_OBJECT_OPTION_BRIEF);
+
+ scanner_maat_exdata_policy_object_free("policy_object", (void **)(&policy_obj), 0, NULL);
+}
+
+TEST(scanner_maat, policy_object_is_elaborate)
+{
+ const char *table_line="{ \
+ \"uuid\": \"00000000-0000-0000-0000-000000010002\", \
+ \"statistics_option\": \"elaborate\", \
+ \"is_valid\": 1 \
+ }";
+
+ long policy_obj=0;
+ scanner_maat_exdata_policy_object_new("policy_object", "00000000-0000-0000-0000-000000010002", table_line, (void **)(&policy_obj), 0, NULL);
+
+ EXPECT_EQ(policy_obj, POLICY_OBJECT_OPTION_ELABORATE);
+
+ scanner_maat_exdata_policy_object_free("policy_object", (void **)(&policy_obj), 0, NULL);
+}
+
+extern "C" void scanner_maat_exdata_library_tag_free(const char *table_name __attribute__((unused)), void **ad, long argl __attribute__((unused)), void *argp __attribute__((unused)));
+extern "C" void scanner_maat_exdata_library_tag_new(const char *table_name __attribute__((unused)), const char *key __attribute__((unused)), const char *table_line, void **ad, long argl __attribute__((unused)), void *argp __attribute__((unused)));
+TEST(scanner_maat, library_tag_is_geoip_country)
+{
+ const char *table_line="{ \
+ \"uuid\": \"00000000-0000-0000-0000-000000103001\", \
+ \"statistics_option\": \"none\", \
+ \"category\": \"geoip_country\", \
+ \"tag_key\": \"geoip_country\", \
+ \"tag_value\": \"China\", \
+ \"is_valid\": 1 \
+ }";
+
+ struct plugin_library_tag *library_tag=NULL;
+ scanner_maat_exdata_library_tag_new("library_tag", "00000000-0000-0000-0000-000000103001", table_line, (void **)(&library_tag), 0, NULL);
+ EXPECT_NE(library_tag, nullptr);
+
+ EXPECT_EQ(library_tag->object_option, POLICY_OBJECT_OPTION_NONE);
+ EXPECT_EQ(library_tag->category, LIBRARY_TAG_CATEGORY_GEOIP_COUNTRY);
+
+ EXPECT_STREQ(library_tag->key, "geoip_country");
+ EXPECT_STREQ(library_tag->value, "China");
+
+ scanner_maat_exdata_library_tag_free("library_tag", (void **)(&library_tag), 0, NULL);
+}
+
+TEST(scanner_maat, library_tag_is_geoip_city)
+{
+ const char *table_line="{ \
+ \"uuid\": \"00000000-0000-0000-0000-000000103002\", \
+ \"statistics_option\": \"none\", \
+ \"category\": \"geoip_city\", \
+ \"tag_key\": \"super_administrative_area\", \
+ \"tag_value\": \"Hong Kong\", \
+ \"is_valid\": 1 \
+ }";
+
+ struct plugin_library_tag *library_tag=NULL;
+ scanner_maat_exdata_library_tag_new("library_tag", "00000000-0000-0000-0000-000000103002", table_line, (void **)(&library_tag), 0, NULL);
+ EXPECT_NE(library_tag, nullptr);
+
+ EXPECT_EQ(library_tag->object_option, POLICY_OBJECT_OPTION_NONE);
+ EXPECT_EQ(library_tag->category, LIBRARY_TAG_CATEGORY_GEOIP_CITY);
+
+ EXPECT_STREQ(library_tag->key, "super_administrative_area");
+ EXPECT_STREQ(library_tag->value, "Hong Kong");
+
+ scanner_maat_exdata_library_tag_free("library_tag", (void **)(&library_tag), 0, NULL);
+}
+
+TEST(scanner_maat, library_tag_is_geoip_asn)
+{
+ const char *table_line="{ \
+ \"uuid\": \"00000000-0000-0000-0000-000000030000\", \
+ \"statistics_option\": \"none\", \
+ \"category\": \"geoip_asn\", \
+ \"tag_key\": \"asn_number\", \
+ \"tag_value\": \"30000\", \
+ \"is_valid\": 1 \
+ }";
+
+ struct plugin_library_tag *library_tag=NULL;
+ scanner_maat_exdata_library_tag_new("library_tag", "00000000-0000-0000-0000-000000030000", table_line, (void **)(&library_tag), 0, NULL);
+ EXPECT_NE(library_tag, nullptr);
+
+ EXPECT_EQ(library_tag->object_option, POLICY_OBJECT_OPTION_NONE);
+ EXPECT_EQ(library_tag->category, LIBRARY_TAG_CATEGORY_GEOIP_ASN);
+
+ EXPECT_STREQ(library_tag->key, "asn_number");
+ EXPECT_STREQ(library_tag->value, "30000");
+
+ scanner_maat_exdata_library_tag_free("library_tag", (void **)(&library_tag), 0, NULL);
+}
+
+TEST(scanner_maat, library_tag_is_website_classification)
+{
+ const char *table_line="{ \
+ \"uuid\": \"00000000-0000-0000-0000-000000050001\", \
+ \"statistics_option\": \"none\", \
+ \"category\": \"website_classification\", \
+ \"tag_key\": \"Category Name\", \
+ \"tag_value\": \"Parked Domains\", \
+ \"is_valid\": 1 \
+ }";
+
+ struct plugin_library_tag *library_tag=NULL;
+ scanner_maat_exdata_library_tag_new("library_tag", "00000000-0000-0000-0000-000000050001", table_line, (void **)(&library_tag), 0, NULL);
+ EXPECT_NE(library_tag, nullptr);
+
+ EXPECT_EQ(library_tag->object_option, POLICY_OBJECT_OPTION_NONE);
+ EXPECT_EQ(library_tag->category, LIBRARY_TAG_CATEGORY_WEBSITE_CLASSIFICATION);
+
+ EXPECT_STREQ(library_tag->key, "Category Name");
+ EXPECT_STREQ(library_tag->value, "Parked Domains");
+
+ scanner_maat_exdata_library_tag_free("library_tag", (void **)(&library_tag), 0, NULL);
+}
+
+TEST(scanner_maat, library_tag_is_internet_service)
+{
+ const char *table_line="{ \
+ \"uuid\": \"00000000-0000-0000-0000-000000060001\", \
+ \"statistics_option\": \"none\", \
+ \"category\": \"internet_service\", \
+ \"tag_key\": \"Cloud Provider\", \
+ \"tag_value\": \"Amazon Web Services\", \
+ \"is_valid\": 1 \
+ }";
+
+ struct plugin_library_tag *library_tag=NULL;
+ scanner_maat_exdata_library_tag_new("library_tag", "00000000-0000-0000-0000-000000060001", table_line, (void **)(&library_tag), 0, NULL);
+ EXPECT_NE(library_tag, nullptr);
+
+ EXPECT_EQ(library_tag->object_option, POLICY_OBJECT_OPTION_NONE);
+ EXPECT_EQ(library_tag->category, LIBRARY_TAG_CATEGORY_INTERNET_SERVICE);
+
+ EXPECT_STREQ(library_tag->key, "Cloud Provider");
+ EXPECT_STREQ(library_tag->value, "Amazon Web Services");
+
+ scanner_maat_exdata_library_tag_free("library_tag", (void **)(&library_tag), 0, NULL);
+}
+
+TEST(scanner_maat, library_tag_is_security_threat)
+{
+ const char *table_line="{ \
+ \"uuid\": \"00000000-0000-0000-0000-000000070001\", \
+ \"statistics_option\": \"none\", \
+ \"category\": \"security_threat\", \
+ \"tag_key\": \"IoC\", \
+ \"tag_value\": \"Malware\", \
+ \"is_valid\": 1 \
+ }";
+
+ struct plugin_library_tag *library_tag=NULL;
+ scanner_maat_exdata_library_tag_new("library_tag", "00000000-0000-0000-0000-000000070001", table_line, (void **)(&library_tag), 0, NULL);
+ EXPECT_NE(library_tag, nullptr);
+
+ EXPECT_EQ(library_tag->object_option, POLICY_OBJECT_OPTION_NONE);
+ EXPECT_EQ(library_tag->category, LIBRARY_TAG_CATEGORY_SECURITY_THREAT);
+
+ EXPECT_STREQ(library_tag->key, "IoC");
+ EXPECT_STREQ(library_tag->value, "Malware");
+
+ scanner_maat_exdata_library_tag_free("library_tag", (void **)(&library_tag), 0, NULL);
+}
+
+TEST(scanner_maat, library_tag_is_compliance_risk)
+{
+ const char *table_line="{ \
+ \"uuid\": \"00000000-0000-0000-0000-000000080001\", \
+ \"statistics_option\": \"none\", \
+ \"category\": \"compliance_risk\", \
+ \"tag_key\": \"Anonymous\", \
+ \"tag_value\": \"VPN\", \
+ \"is_valid\": 1 \
+ }";
+
+ struct plugin_library_tag *library_tag=NULL;
+ scanner_maat_exdata_library_tag_new("library_tag", "00000000-0000-0000-0000-000000080001", table_line, (void **)(&library_tag), 0, NULL);
+ EXPECT_NE(library_tag, nullptr);
+
+ EXPECT_EQ(library_tag->object_option, POLICY_OBJECT_OPTION_NONE);
+ EXPECT_EQ(library_tag->category, LIBRARY_TAG_CATEGORY_COMPLIANCE_RISK);
+
+ EXPECT_STREQ(library_tag->key, "Anonymous");
+ EXPECT_STREQ(library_tag->value, "VPN");
+
+ scanner_maat_exdata_library_tag_free("library_tag", (void **)(&library_tag), 0, NULL);
+}
+
+extern "C" void scanner_maat_exdata_ipaddr_entry_free(const char *table_name __attribute__((unused)), void **ad, long argl __attribute__((unused)), void *argp __attribute__((unused)));
+extern "C" void scanner_maat_exdata_ipaddr_entry_new(const char *table_name __attribute__((unused)), const char *key __attribute__((unused)), const char *table_line, void **ad, long argl __attribute__((unused)), void *argp __attribute__((unused)));
+TEST(scanner_maat, ipaddr_entry_is_ipv4)
+{
+ const char *table_line="{ \
+ \"uuid\": \"00000000-0000-0000-0000-000003716523\", \
+ \"tag_uuids\": [ \
+ \"00000000-0000-0000-0000-001921685601\", \
+ \"00000000-0000-0000-0000-000019216856\", \
+ \"00000000-0000-0000-0000-000001685601\", \
+ \"00000000-0000-0000-0000-000001925601\" \
+ ], \
+ \"ip\": \"192.168.56.1-192.168.56.255\", \
+ \"is_valid\": 1 \
+ }";
+
+ struct plugin_entry *ipaddr_entry=NULL;
+ scanner_maat_exdata_ipaddr_entry_new("ipaddr_entry", "00000000-0000-0000-0000-000003716523", table_line, (void **)(&ipaddr_entry), 0, NULL);
+ EXPECT_NE(ipaddr_entry, nullptr);
+
+ EXPECT_EQ(ipaddr_entry->n_tag_uuids, 4);
+ char uuid_str[UUID_STR_LEN]={0};
+ uuid_unparse_lower(ipaddr_entry->tag_uuids[0], uuid_str);
+ EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-001921685601");
+
+ uuid_unparse_lower(ipaddr_entry->tag_uuids[1], uuid_str);
+ EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000019216856");
+
+ uuid_unparse_lower(ipaddr_entry->tag_uuids[2], uuid_str);
+ EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000001685601");
+
+ uuid_unparse_lower(ipaddr_entry->tag_uuids[3], uuid_str);
+ EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000001925601");
+
+ scanner_maat_exdata_ipaddr_entry_free("ipaddr_entry", (void **)(&ipaddr_entry), 0, NULL);
+}
+
+TEST(scanner_maat, ipaddr_entry_is_ipv6)
+{
+ const char *table_line="{ \
+ \"uuid\": \"00000000-0000-0000-0000-000006777622\", \
+ \"tag_uuids\": [ \
+ \"00000000-0000-0000-0000-000000103001\", \
+ \"00000000-0000-0000-0000-000000103002\", \
+ \"00000000-0000-0000-0000-000000103003\", \
+ \"00000000-0000-0000-0000-000000103004\" \
+ ], \
+ \"ip\": \"1030::c9b4:ff12:48aa:1a2b-1030::c9b4:ff12:48aa:1a2b\", \
+ \"is_valid\": 1 \
+ }";
+
+ struct plugin_entry *ipaddr_entry=NULL;
+ scanner_maat_exdata_ipaddr_entry_new("ipaddr_entry", "00000000-0000-0000-0000-000006777622", table_line, (void **)(&ipaddr_entry), 0, NULL);
+ EXPECT_NE(ipaddr_entry, nullptr);
+
+ EXPECT_EQ(ipaddr_entry->n_tag_uuids, 4);
+ char uuid_str[UUID_STR_LEN]={0};
+ uuid_unparse_lower(ipaddr_entry->tag_uuids[0], uuid_str);
+ EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000103001");
+
+ uuid_unparse_lower(ipaddr_entry->tag_uuids[1], uuid_str);
+ EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000103002");
+
+ uuid_unparse_lower(ipaddr_entry->tag_uuids[2], uuid_str);
+ EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000103003");
+
+ uuid_unparse_lower(ipaddr_entry->tag_uuids[3], uuid_str);
+ EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000000103004");
+
+ scanner_maat_exdata_ipaddr_entry_free("ipaddr_entry", (void **)(&ipaddr_entry), 0, NULL);
+}
+
+extern "C" void scanner_maat_exdata_fqdn_entry_free(const char *table_name __attribute__((unused)), void **ad, long argl __attribute__((unused)), void *argp __attribute__((unused)));
+extern "C" void scanner_maat_exdata_fqdn_entry_new(const char *table_name __attribute__((unused)), const char *key __attribute__((unused)), const char *table_line, void **ad, long argl __attribute__((unused)), void *argp __attribute__((unused)));
+TEST(scanner_maat, fqdn_entry_is_correct)
+{
+ const char *table_line="{ \
+ \"uuid\": \"00000000-0000-0000-0000-000106285692\", \
+ \"tag_uuids\": [ \
+ \"00000000-0000-0000-0000-000106285692\", \
+ \"00000000-0000-0000-0000-000106285693\" \
+ ], \
+ \"fqdn\": \"*gtest.ssl.chello.sni.rule203.com\", \
+ \"is_valid\": 1 \
+ }";
+
+ struct plugin_entry *fqdn_entry=NULL;
+ scanner_maat_exdata_fqdn_entry_new("fqdn_entry", "00000000-0000-0000-0000-000106285692", table_line, (void **)(&fqdn_entry), 0, NULL);
+ EXPECT_NE(fqdn_entry, nullptr);
+
+ EXPECT_EQ(fqdn_entry->n_tag_uuids, 2);
+ char uuid_str[UUID_STR_LEN]={0};
+ uuid_unparse_lower(fqdn_entry->tag_uuids[0], uuid_str);
+ EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000106285692");
+
+ uuid_unparse_lower(fqdn_entry->tag_uuids[1], uuid_str);
+ EXPECT_STREQ(uuid_str, "00000000-0000-0000-0000-000106285693");
+
+ scanner_maat_exdata_fqdn_entry_free("fqdn_entry", (void **)(&fqdn_entry), 0, NULL);
+}
+
+extern "C" void scanner_maat_exdata_attribute_dict_free(const char *table_name __attribute__((unused)), void **ad, long argl __attribute__((unused)), void *argp __attribute__((unused)));
+extern "C" void scanner_maat_exdata_attribute_dict_new(const char *table_name __attribute__((unused)), const char *key __attribute__((unused)), const char *table_line, void **ad, long argl __attribute__((unused)), void *argp __attribute__((unused)));
+TEST(scanner_maat, attribute_dict_is_correct)
+{
+ const char *table_line="{ \
+ \"uuid\": \"00000000-0000-0000-0000-000000001111\", \
+ \"attribute_name\": \"ATTR_SOURCE_IP\", \
+ \"attribute_value_type\": \"numeric\", \
+ \"object_table_name\": \"TSG_OBJ_IP_ADDR\", \
+ \"available_object_type\": \"ip\", \
+ \"is_valid\": 1 \
+ }";
+
+ struct attribute_dict *attr_dict=NULL;
+ scanner_maat_exdata_attribute_dict_new("attribute_dict", "00000000-0000-0000-0000-000000001111", table_line, (void **)(&attr_dict), 0, NULL);
+ EXPECT_NE(attr_dict, nullptr);
+
+ EXPECT_STREQ(attr_dict->object_table_name, "TSG_OBJ_IP_ADDR");
+ EXPECT_STREQ(attr_dict->available_object_type, "ip");
+
+ scanner_maat_exdata_attribute_dict_free("attribute_dict", (void **)(&attr_dict), 0, NULL);
+}
+
+extern "C" void scanner_maat_exdata_user_identification_free(const char *table_name __attribute__((unused)), void **ad, long argl __attribute__((unused)), void *argp __attribute__((unused)));
+extern "C" void scanner_maat_exdata_user_equipment_new(const char *table_name __attribute__((unused)), const char *key __attribute__((unused)), const char *table_line, void **ad, long argl __attribute__((unused)), void *argp __attribute__((unused)));
+TEST(scanner_maat, user_identification_is_correct_and_mobile_identify_full)
+{
+ const char *table_line="{ \
+ \"uuid\": \"00000000-0000-0000-0000-000000000001\", \
+ \"teid\": 111039813, \
+ \"mobile_identify\": { \
+ \"imei\": \"8626070583075127\", \
+ \"imsi\": \"460045157065560\", \
+ \"apn\": \"111039813.cmiott.gxqli.mcto60g.com\", \
+ \"phone_number\": \"861440152009856\" \
+ }, \
+ \"is_valid\": 1 \
+ }";
+
+ struct user_identification *uid=NULL;
+ scanner_maat_exdata_user_equipment_new("user_identification", "00000000-0000-0000-0000-000000000001", table_line, (void **)(&uid), 0, NULL);
+ EXPECT_NE(uid, nullptr);
+
+ EXPECT_NE(uid->ue, nullptr);
+ EXPECT_STREQ(uid->ue->imei, "8626070583075127");
+ EXPECT_STREQ(uid->ue->imsi, "460045157065560");
+ EXPECT_STREQ(uid->ue->apn, "111039813.cmiott.gxqli.mcto60g.com");
+ EXPECT_STREQ(uid->ue->msisdn, "861440152009856");
+
+ scanner_maat_exdata_user_identification_free("user_identification", (void **)(&uid), 0, NULL);
+}
+
+TEST(scanner_maat, user_identification_is_correct_and_imei_is_null)
+{
+ const char *table_line="{ \
+ \"uuid\": \"00000000-0000-0000-0000-000000000001\", \
+ \"teid\": 111039813, \
+ \"mobile_identify\": { \
+ \"imsi\": \"460045157065560\", \
+ \"apn\": \"111039813.cmiott.gxqli.mcto60g.com\", \
+ \"phone_number\": \"861440152009856\" \
+ }, \
+ \"is_valid\": 1 \
+ }";
+
+ struct user_identification *uid=NULL;
+ scanner_maat_exdata_user_equipment_new("user_identification", "00000000-0000-0000-0000-000000000001", table_line, (void **)(&uid), 0, NULL);
+ EXPECT_NE(uid, nullptr);
+
+ EXPECT_NE(uid->ue, nullptr);
+ EXPECT_EQ(uid->ue->imei, nullptr);
+ EXPECT_STREQ(uid->ue->imsi, "460045157065560");
+ EXPECT_STREQ(uid->ue->apn, "111039813.cmiott.gxqli.mcto60g.com");
+ EXPECT_STREQ(uid->ue->msisdn, "861440152009856");
+
+ scanner_maat_exdata_user_identification_free("user_identification", (void **)(&uid), 0, NULL);
+}
+
+TEST(scanner_maat, user_identification_is_correct_and_imsi_is_null)
+{
+ const char *table_line="{ \
+ \"uuid\": \"00000000-0000-0000-0000-000000000001\", \
+ \"teid\": 111039813, \
+ \"mobile_identify\": { \
+ \"imei\": \"8626070583075127\", \
+ \"apn\": \"111039813.cmiott.gxqli.mcto60g.com\", \
+ \"phone_number\": \"861440152009856\" \
+ }, \
+ \"is_valid\": 1 \
+ }";
+
+ struct user_identification *uid=NULL;
+ scanner_maat_exdata_user_equipment_new("user_identification", "00000000-0000-0000-0000-000000000001", table_line, (void **)(&uid), 0, NULL);
+ EXPECT_NE(uid, nullptr);
+
+ EXPECT_NE(uid->ue, nullptr);
+ EXPECT_STREQ(uid->ue->imei, "8626070583075127");
+ EXPECT_EQ(uid->ue->imsi, nullptr);
+ EXPECT_STREQ(uid->ue->apn, "111039813.cmiott.gxqli.mcto60g.com");
+ EXPECT_STREQ(uid->ue->msisdn, "861440152009856");
+
+ scanner_maat_exdata_user_identification_free("user_identification", (void **)(&uid), 0, NULL);
+}
+
+TEST(scanner_maat, user_identification_is_correct_and_apn_is_null)
+{
+ const char *table_line="{ \
+ \"uuid\": \"00000000-0000-0000-0000-000000000001\", \
+ \"teid\": 111039813, \
+ \"mobile_identify\": { \
+ \"imei\": \"8626070583075127\", \
+ \"imsi\": \"460045157065560\", \
+ \"phone_number\": \"861440152009856\" \
+ }, \
+ \"is_valid\": 1 \
+ }";
+
+ struct user_identification *uid=NULL;
+ scanner_maat_exdata_user_equipment_new("user_identification", "00000000-0000-0000-0000-000000000001", table_line, (void **)(&uid), 0, NULL);
+ EXPECT_NE(uid, nullptr);
+
+ EXPECT_NE(uid->ue, nullptr);
+ EXPECT_STREQ(uid->ue->imei, "8626070583075127");
+ EXPECT_STREQ(uid->ue->imsi, "460045157065560");
+ EXPECT_EQ(uid->ue->apn, nullptr);
+ EXPECT_STREQ(uid->ue->msisdn, "861440152009856");
+
+ scanner_maat_exdata_user_identification_free("user_identification", (void **)(&uid), 0, NULL);
+}
+
+TEST(scanner_maat, user_identification_is_correct_and_msisdn_is_null)
+{
+ const char *table_line="{ \
+ \"uuid\": \"00000000-0000-0000-0000-000000000001\", \
+ \"teid\": 111039813, \
+ \"mobile_identify\": { \
+ \"imei\": \"8626070583075127\", \
+ \"imsi\": \"460045157065560\", \
+ \"apn\": \"111039813.cmiott.gxqli.mcto60g.com\" \
+ }, \
+ \"is_valid\": 1 \
+ }";
+
+ struct user_identification *uid=NULL;
+ scanner_maat_exdata_user_equipment_new("user_identification", "00000000-0000-0000-0000-000000000001", table_line, (void **)(&uid), 0, NULL);
+ EXPECT_NE(uid, nullptr);
+
+ EXPECT_NE(uid->ue, nullptr);
+ EXPECT_STREQ(uid->ue->imei, "8626070583075127");
+ EXPECT_STREQ(uid->ue->imsi, "460045157065560");
+ EXPECT_STREQ(uid->ue->apn, "111039813.cmiott.gxqli.mcto60g.com");
+ EXPECT_EQ(uid->ue->msisdn, nullptr);
+
+ scanner_maat_exdata_user_identification_free("user_identification", (void **)(&uid), 0, NULL);
+}
+
+TEST(scanner_maat, user_identification_is_correct_and_mobile_identify_is_null_1)
+{
+ const char *table_line="{ \
+ \"uuid\": \"00000000-0000-0000-0000-000000000001\", \
+ \"teid\": 111039813, \
+ \"mobile_identify\": { \
+ }, \
+ \"is_valid\": 1 \
+ }";
+
+ struct user_identification *uid=NULL;
+ scanner_maat_exdata_user_equipment_new("user_identification", "00000000-0000-0000-0000-000000000001", table_line, (void **)(&uid), 0, NULL);
+ EXPECT_EQ(uid, nullptr);
+
+ scanner_maat_exdata_user_identification_free("user_identification", (void **)(&uid), 0, NULL);
+}
+
+TEST(scanner_maat, user_identification_is_correct_and_mobile_identify_is_null_2)
+{
+ const char *table_line="{ \
+ \"uuid\": \"00000000-0000-0000-0000-000000000001\", \
+ \"teid\": 111039813, \
+ \"is_valid\": 1 \
+ }";
+
+ struct user_identification *uid=NULL;
+ scanner_maat_exdata_user_equipment_new("user_identification", "00000000-0000-0000-0000-000000000001", table_line, (void **)(&uid), 0, NULL);
+ EXPECT_EQ(uid, nullptr);
+
+ scanner_maat_exdata_user_identification_free("user_identification", (void **)(&uid), 0, NULL);
+}
+
+extern "C" void scanner_maat_exdata_user_identification_free(const char *table_name __attribute__((unused)), void **ad, long argl __attribute__((unused)), void *argp __attribute__((unused)));
+extern "C" void scanner_maat_exdata_dynamic_ipport_mapping_new(const char *table_name __attribute__((unused)), const char *key __attribute__((unused)), const char *table_line, void **ad, long argl __attribute__((unused)), void *argp __attribute__((unused)));
+TEST(scanner_maat, user_identification_is_correct_and_ipport_mobile_identify_is_null_1)
+{
+ const char *table_line="{ \
+ \"uuid\": \"00000000-0000-0000-0000-000000001052\", \
+ \"ip\": \"192.168.50.52\", \
+ \"port\": \"0-255\", \
+ \"is_valid\": 1 \
+ }";
+
+ struct user_identification *uid=NULL;
+ scanner_maat_exdata_dynamic_ipport_mapping_new("user_identification", "00000000-0000-0000-0000-000000001052", table_line, (void **)(&uid), 0, NULL);
+ EXPECT_EQ(uid, nullptr);
+
+ scanner_maat_exdata_user_identification_free("user_identification", (void **)(&uid), 0, NULL);
+}
+
+TEST(scanner_maat, user_identification_is_correct_and_ipport_mobile_identify_is_null_2)
+{
+ const char *table_line="{ \
+ \"uuid\": \"00000000-0000-0000-0000-000000001052\", \
+ \"ip\": \"192.168.50.52\", \
+ \"port\": \"0-255\", \
+ \"subscriber_id\": \"test52\", \
+ \"mobile_identify\": null, \
+ \"is_valid\": 1 \
+ }";
+
+ struct user_identification *uid=NULL;
+ scanner_maat_exdata_dynamic_ipport_mapping_new("user_identification", "00000000-0000-0000-0000-000000001052", table_line, (void **)(&uid), 0, NULL);
+ EXPECT_NE(uid, nullptr);
+
+ EXPECT_EQ(uid->ue, nullptr);
+ EXPECT_STREQ(uid->subscriber.subscriber_id, "test52");
+
+ scanner_maat_exdata_user_identification_free("user_identification", (void **)(&uid), 0, NULL);
+}
+
+TEST(scanner_maat, user_identification_is_correct_and_ipport_mobile_identify_is_null_3)
+{
+ const char *table_line="{ \
+ \"uuid\": \"00000000-0000-0000-0000-000000001052\", \
+ \"ip\": \"192.168.50.52\", \
+ \"port\": \"0-255\", \
+ \"subscriber_id\": \"test52\", \
+ \"is_valid\": 1 \
+ }";
+
+ struct user_identification *uid=NULL;
+ scanner_maat_exdata_dynamic_ipport_mapping_new("user_identification", "00000000-0000-0000-0000-000000001052", table_line, (void **)(&uid), 0, NULL);
+ EXPECT_NE(uid, nullptr);
+
+ EXPECT_EQ(uid->ue, nullptr);
+ EXPECT_STREQ(uid->subscriber.subscriber_id, "test52");
+
+ scanner_maat_exdata_user_identification_free("user_identification", (void **)(&uid), 0, NULL);
+}
+
+TEST(scanner_maat, user_identification_is_correct_and_ipport_subscriber_id_is_null_3)
+{
+ const char *table_line="{ \
+ \"uuid\": \"00000000-0000-0000-0000-000000001037\", \
+ \"ip\": \"192.168.50.37\", \
+ \"port\": \"40001-40255\", \
+ \"subscriber_id\": null, \
+ \"mobile_identify\": { \
+ \"imei\": \"1298473129873912\", \
+ \"apn\": \"test.com\" \
+ }, \
+ \"is_valid\": 1 \
+ }";
+
+ struct user_identification *uid=NULL;
+ scanner_maat_exdata_dynamic_ipport_mapping_new("user_identification", "00000000-0000-0000-0000-000000001037", table_line, (void **)(&uid), 0, NULL);
+ EXPECT_NE(uid, nullptr);
+
+ EXPECT_NE(uid->ue, nullptr);
+ EXPECT_STREQ(uid->ue->imei, "1298473129873912");
+ EXPECT_EQ(uid->ue->imsi, nullptr);
+ EXPECT_STREQ(uid->ue->apn, "test.com");
+ EXPECT_EQ(uid->ue->msisdn, nullptr);
+
+ EXPECT_EQ(uid->subscriber.subscriber_id, nullptr);
+
+ scanner_maat_exdata_user_identification_free("user_identification", (void **)(&uid), 0, NULL);
+}
+
+TEST(scanner_maat, user_identification_is_correct_and_ipport_full)
+{
+ const char *table_line="{ \
+ \"uuid\": \"00000000-0000-0000-0000-000000001041\", \
+ \"ip\": \"196.189.54.123\", \
+ \"port\": \"2-65156\", \
+ \"subscriber_id\": \"test1041\", \
+ \"mobile_identify\": { \
+ \"imei\": \"3527916051651178\", \
+ \"imsi\": \"410033150502325\", \
+ \"apn\": \"ufone.pinternet\", \
+ \"phone_number\": \"923368865801\" \
+ }, \
+ \"is_valid\": 1 \
+ }";
+
+ struct user_identification *uid=NULL;
+ scanner_maat_exdata_dynamic_ipport_mapping_new("user_identification", "00000000-0000-0000-0000-000000001041", table_line, (void **)(&uid), 0, NULL);
+ EXPECT_NE(uid, nullptr);
+
+ EXPECT_NE(uid->ue, nullptr);
+ EXPECT_STREQ(uid->ue->imei, "3527916051651178");
+ EXPECT_STREQ(uid->ue->imsi, "410033150502325");
+ EXPECT_STREQ(uid->ue->apn, "ufone.pinternet");
+ EXPECT_STREQ(uid->ue->msisdn, "923368865801");
+
+ EXPECT_STREQ(uid->subscriber.subscriber_id, "test1041");
+
+ scanner_maat_exdata_user_identification_free("user_identification", (void **)(&uid), 0, NULL);
+}
+
diff --git a/scanner/test/gtest_scanner_main.cpp b/scanner/test/gtest_scanner_main.cpp
new file mode 100644
index 0000000..d6c1f4f
--- /dev/null
+++ b/scanner/test/gtest_scanner_main.cpp
@@ -0,0 +1,23 @@
+#pragma GCC diagnostic ignored "-Wunused-parameter"
+
+#include <gtest/gtest.h>
+
+/*******************************************
+ * TEST SCANNER *
+ *******************************************/
+
+TEST(scanner, demo) {
+
+}
+
+/**********************************************
+ * GTEST MAIN *
+ **********************************************/
+
+int main(int argc, char ** argv)
+{
+ int ret=0;
+ ::testing::InitGoogleTest(&argc, argv);
+ ret=RUN_ALL_TESTS();
+ return ret;
+}
\ No newline at end of file
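Review bot: The file-wide `#pragma GCC diagnostic ignored "-Wunused-parameter"` on the first line is not needed by anything in this file, since `main` uses both `argc` and `argv`, and it switches the warning off for the rest of the translation unit; I would drop it. `TEST(scanner, demo)` has an empty body and passes without checking anything, so either remove it or mark it with a comment such as `// placeholder: scanner module tests to be added`. The body of `main` can be reduced to `::testing::InitGoogleTest(&argc, argv);` followed by `return RUN_ALL_TESTS();`.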
diff --git a/scanner/test/gtest_scanner_state.cpp b/scanner/test/gtest_scanner_state.cpp
new file mode 100644
index 0000000..67444c2
--- /dev/null
+++ b/scanner/test/gtest_scanner_state.cpp
@@ -0,0 +1,303 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <gtest/gtest.h>
+#include "scanner_state.h"
+
+TEST(scanner_state, demo)
+{
+
+}
+
+TEST(scanner_state, state_is_null_when_get)
+{
+ struct scanner_state *state=NULL;
+ EXPECT_EQ(-1, scanner_state_get_security_policy_matched_appid(state, NULL));
+
+ for(int i=1; i<RULE_TYPE_MAX; i++)
+ {
+ uuid_t rule_uuids[10];
+
+ EXPECT_EQ(0, scanner_state_get_history_rule_count(state, (enum RULE_TYPE)i));
+ EXPECT_EQ(0, scanner_state_get_history_rules(state, (enum RULE_TYPE)i, rule_uuids, 10));
+
+ EXPECT_EQ(0, scanner_state_get_current_packet_rule_count(state, (enum RULE_TYPE)i));
+ EXPECT_EQ(0, scanner_state_get_current_packet_rules(state, (enum RULE_TYPE)i, rule_uuids, 10));
+ }
+
+
+
+ for(int i=1; i<HIT_OBJECT_ATTRIBUTE_TYPE_MAX; i++)
+ {
+ struct maat_hit_object hit_objects[10];
+
+ EXPECT_EQ(0, scanner_state_get_history_object_count(state, (enum HIT_OBJECT_ATTRIBUTE_TYPE)i));
+ EXPECT_EQ(0, scanner_state_get_history_hit_objects(state, (enum HIT_OBJECT_ATTRIBUTE_TYPE)i, hit_objects, 10));
+
+ EXPECT_EQ(0, scanner_state_get_current_packet_hit_object_count(state, (enum HIT_OBJECT_ATTRIBUTE_TYPE)i));
+ EXPECT_EQ(0, scanner_state_get_current_packet_hit_objects(state, (enum HIT_OBJECT_ATTRIBUTE_TYPE)i, hit_objects, 10));
+ }
+
+ scanner_state_merge_packet_rules(state);
+ scanner_state_merge_packet_hit_objects(state);
+}
+
+TEST(scanner_state, state_is_null_when_add)
+{
+ struct scanner_state *state=NULL;
+
+ int appid=4;
+ uuid_t rule_uuid;
+ for(int i=0; i<RULE_TYPE_MAX; i++)
+ {
+ scanner_state_set_current_rule_matched_appid(state, (enum RULE_TYPE)i, rule_uuid, appid);
+ }
+
+ uuid_t rule_uuids[10];
+ for(int i=0; i<RULE_TYPE_MAX; i++)
+ {
+ scanner_state_add_current_packet_rules(state, (enum RULE_TYPE)i, rule_uuids, 10);
+ }
+
+ struct maat_hit_object hit_objects[10];
+ for(int i=0; i<HIT_OBJECT_ATTRIBUTE_TYPE_MAX; i++)
+ {
+ scanner_state_add_current_packet_hit_objects(state, (enum HIT_OBJECT_ATTRIBUTE_TYPE)i, hit_objects, 10);
+ }
+}
+
+TEST(scanner_state, state_add_rule_uuid)
+{
+ struct scanner_state *state=scanner_state_new();
+ EXPECT_NE(state, nullptr);
+
+ /* add rule uuids */
+ size_t n_rule_uuid=10;
+ uuid_t rule_uuids[n_rule_uuid];
+ for(size_t i=1; i<RULE_TYPE_MAX; i++)
+ {
+ for(size_t j=0; j<n_rule_uuid; j++)
+ {
+ char uuid_str[UUID_STR_LEN]={0};
+ snprintf(uuid_str, UUID_STR_LEN, "%08x-0000-0000-0000-0000%08x", (int)i, (int)j);
+ uuid_parse(uuid_str, rule_uuids[j]);
+ }
+
+ scanner_state_add_current_packet_rules(state, (enum RULE_TYPE)i, rule_uuids, n_rule_uuid);
+ }
+
+ /* get rule uuids from current packet */
+
+ for(size_t i=1; i<RULE_TYPE_MAX; i++)
+ {
+ size_t n_curr_rule_uuid=scanner_state_get_current_packet_rule_count(state, (enum RULE_TYPE)i);
+ EXPECT_EQ(n_curr_rule_uuid, n_rule_uuid);
+
+ uuid_t gotten_curr_rule_uuids[n_curr_rule_uuid];
+ size_t n_gotten_curr_rule_uuid=scanner_state_get_current_packet_rules(state, (enum RULE_TYPE)i, gotten_curr_rule_uuids, n_curr_rule_uuid);
+ EXPECT_EQ(n_gotten_curr_rule_uuid, n_curr_rule_uuid);
+
+ for(size_t j=0; j<n_gotten_curr_rule_uuid; j++)
+ {
+ char uuid_str[UUID_STR_LEN]={0};
+ snprintf(uuid_str, UUID_STR_LEN, "%08x-0000-0000-0000-0000%08x", (int)i, (int)j);
+
+ char rule_uuid_str[UUID_STR_LEN]={0};
+ uuid_unparse_lower(gotten_curr_rule_uuids[j], rule_uuid_str);
+ EXPECT_STREQ(rule_uuid_str, uuid_str);
+ }
+ }
+
+ /* get rule uuids from history */
+
+ uuid_t gotten_history_rule_uuids[n_rule_uuid];
+ for(size_t i=1; i<RULE_TYPE_MAX; i++)
+ {
+ EXPECT_EQ(0, scanner_state_get_history_rule_count(state, (enum RULE_TYPE)i));
+ EXPECT_EQ(0, scanner_state_get_history_rules(state, (enum RULE_TYPE)i, gotten_history_rule_uuids, n_rule_uuid));
+ }
+
+ /* merge rule uuids */
+ scanner_state_merge_packet_rules(state);
+
+ /* get rule uuids from history */
+ for(size_t i=1; i<RULE_TYPE_MAX; i++)
+ {
+ size_t n_curr_rule_uuid=scanner_state_get_history_rule_count(state, (enum RULE_TYPE)i);
+ EXPECT_EQ(n_curr_rule_uuid, n_rule_uuid);
+
+ uuid_t gotten_curr_rule_uuids[n_curr_rule_uuid];
+ size_t n_gotten_curr_rule_uuid=scanner_state_get_history_rules(state, (enum RULE_TYPE)i, gotten_curr_rule_uuids, n_curr_rule_uuid);
+ EXPECT_EQ(n_gotten_curr_rule_uuid, n_curr_rule_uuid);
+
+ for(size_t j=0; j<n_gotten_curr_rule_uuid; j++)
+ {
+ char uuid_str[UUID_STR_LEN]={0};
+ snprintf(uuid_str, UUID_STR_LEN, "%08x-0000-0000-0000-0000%08x", (int)i, (int)j);
+
+ char rule_uuid_str[UUID_STR_LEN]={0};
+ uuid_unparse_lower(gotten_curr_rule_uuids[j], rule_uuid_str);
+ EXPECT_STREQ(rule_uuid_str, uuid_str);
+ }
+ }
+
+ scanner_state_free(state);
+}
+
+TEST(scanner_state, state_merge_duplicate_rule_uuid)
+{
+ struct scanner_state *state=scanner_state_new();
+ EXPECT_NE(state, nullptr);
+
+ /* add 1 rule uuids */
+ size_t n1_rule_uuid=10;
+ for(size_t i=1; i<RULE_TYPE_MAX; i++)
+ {
+ uuid_t rule_uuids[n1_rule_uuid];
+ for(size_t j=0; j<n1_rule_uuid; j++)
+ {
+ char uuid_str[UUID_STR_LEN]={0};
+ snprintf(uuid_str, UUID_STR_LEN, "%08x-0000-0000-0000-0000%08x", (int)i, (int)j);
+ uuid_parse(uuid_str, rule_uuids[j]);
+ }
+
+ scanner_state_add_current_packet_rules(state, (enum RULE_TYPE)i, rule_uuids, n1_rule_uuid);
+ }
+
+ /* add 2 rule uuids and different current packet rule uuids */
+ size_t n2_rule_uuid=10;
+ for(size_t i=1; i<RULE_TYPE_MAX; i++)
+ {
+ uuid_t rule_uuids[n2_rule_uuid];
+ for(size_t j=0; j<n2_rule_uuid; j++)
+ {
+ char uuid_str[UUID_STR_LEN]={0};
+ snprintf(uuid_str, UUID_STR_LEN, "%08x-0000-0000-0000-0000%08x", (int)i, (int)j);
+ uuid_parse(uuid_str, rule_uuids[j]);
+ }
+
+ scanner_state_add_current_packet_rules(state, (enum RULE_TYPE)i, rule_uuids, n2_rule_uuid);
+ }
+
+ /* merge rule uuids */
+ scanner_state_merge_packet_rules(state);
+
+ /* add 3 rule uuids and different current packet rule uuids */
+ size_t n3_rule_uuid=10;
+ for(size_t i=1; i<RULE_TYPE_MAX; i++)
+ {
+ uuid_t rule_uuids[n3_rule_uuid];
+ for(size_t j=0; j<n3_rule_uuid; j++)
+ {
+ char uuid_str[UUID_STR_LEN]={0};
+ snprintf(uuid_str, UUID_STR_LEN, "%08x-0000-0000-0000-0000%08x", (int)i, (int)j);
+ uuid_parse(uuid_str, rule_uuids[j]);
+ }
+
+ scanner_state_add_current_packet_rules(state, (enum RULE_TYPE)i, rule_uuids, n3_rule_uuid);
+ }
+
+ /* get rule uuids from curent pcaket */
+ for(size_t i=1; i<RULE_TYPE_MAX; i++)
+ {
+ EXPECT_EQ(0, scanner_state_get_current_packet_rule_count(state, (enum RULE_TYPE)i));
+ }
+
+ /* get rule uuids from history */
+ for(size_t i=1; i<RULE_TYPE_MAX; i++)
+ {
+ size_t n_curr_rule_uuid=scanner_state_get_history_rule_count(state, (enum RULE_TYPE)i);
+ EXPECT_EQ(n_curr_rule_uuid, n1_rule_uuid);
+ EXPECT_EQ(n_curr_rule_uuid, n2_rule_uuid);
+ EXPECT_EQ(n_curr_rule_uuid, n3_rule_uuid);
+
+ uuid_t gotten_curr_rule_uuids[n_curr_rule_uuid];
+ size_t n_gotten_curr_rule_uuid=scanner_state_get_history_rules(state, (enum RULE_TYPE)i, gotten_curr_rule_uuids, n_curr_rule_uuid);
+ EXPECT_EQ(n_gotten_curr_rule_uuid, n_curr_rule_uuid);
+
+ for(size_t j=0; j<n_gotten_curr_rule_uuid; j++)
+ {
+ char uuid_str[UUID_STR_LEN]={0};
+ snprintf(uuid_str, UUID_STR_LEN, "%08x-0000-0000-0000-0000%08x", (int)i, (int)j);
+
+ char rule_uuid_str[UUID_STR_LEN]={0};
+ uuid_unparse_lower(gotten_curr_rule_uuids[j], rule_uuid_str);
+ EXPECT_STREQ(rule_uuid_str, uuid_str);
+ }
+ }
+
+ scanner_state_free(state);
+}
+
+TEST(scanner_state, state_merge_different_rule_uuid)
+{
+ struct scanner_state *state=scanner_state_new();
+ EXPECT_NE(state, nullptr);
+
+ /* add rule uuids */
+ size_t n1_rule_uuid=10;
+ for(size_t i=1; i<RULE_TYPE_MAX; i++)
+ {
+ uuid_t rule_uuids[n1_rule_uuid];
+ for(size_t j=0; j<n1_rule_uuid; j++)
+ {
+ char uuid_str[UUID_STR_LEN]={0};
+ snprintf(uuid_str, UUID_STR_LEN, "%08x-0000-0000-0000-0000%08x", (int)i, (int)j);
+ uuid_parse(uuid_str, rule_uuids[j]);
+ }
+
+ scanner_state_add_current_packet_rules(state, (enum RULE_TYPE)i, rule_uuids, n1_rule_uuid);
+ }
+
+ /* merge rule uuids */
+ scanner_state_merge_packet_rules(state);
+
+ /* add rule uuids */
+ size_t n2_rule_uuid=10;
+ for(size_t i=1; i<RULE_TYPE_MAX; i++)
+ {
+ uuid_t rule_uuids[n2_rule_uuid];
+ for(size_t j=0; j<n2_rule_uuid; j++)
+ {
+ char uuid_str[UUID_STR_LEN]={0};
+ snprintf(uuid_str, UUID_STR_LEN, "%08x-0000-0000-0000-0000%08x", (int)i+1, (int)(j+10000));
+ uuid_parse(uuid_str, rule_uuids[j]);
+ }
+
+ scanner_state_add_current_packet_rules(state, (enum RULE_TYPE)i, rule_uuids, n2_rule_uuid);
+ }
+
+ /* merge rule uuids */
+ scanner_state_merge_packet_rules(state);
+
+ /* get rule uuids from history */
+ for(size_t i=1; i<RULE_TYPE_MAX; i++)
+ {
+ size_t n_curr_rule_uuid=scanner_state_get_history_rule_count(state, (enum RULE_TYPE)i);
+ EXPECT_EQ(n_curr_rule_uuid, n1_rule_uuid+n2_rule_uuid);
+
+ uuid_t gotten_curr_rule_uuids[n_curr_rule_uuid];
+ size_t n_gotten_curr_rule_uuid=scanner_state_get_history_rules(state, (enum RULE_TYPE)i, gotten_curr_rule_uuids, n_curr_rule_uuid);
+ EXPECT_EQ(n_gotten_curr_rule_uuid, n_curr_rule_uuid);
+
+ for(size_t j=0; j<n_gotten_curr_rule_uuid; j++)
+ {
+ char uuid_str[UUID_STR_LEN]={0};
+ if(j<n1_rule_uuid)
+ {
+ snprintf(uuid_str, UUID_STR_LEN, "%08x-0000-0000-0000-0000%08x", (int)i, (int)j);
+ }
+ else
+ {
+ snprintf(uuid_str, UUID_STR_LEN, "%08x-0000-0000-0000-0000%08x", (int)i+1, (int)(j-n1_rule_uuid+10000));
+ }
+
+ char rule_uuid_str[UUID_STR_LEN]={0};
+ uuid_unparse_lower(gotten_curr_rule_uuids[j], rule_uuid_str);
+ EXPECT_STREQ(rule_uuid_str, uuid_str);
+ }
+ }
+
+ scanner_state_free(state);
+}
\ No newline at end of file
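Review bot: In `state_add_rule_uuid` the array `uuid_t gotten_curr_rule_uuids[n_curr_rule_uuid];` is a variable-length array (a GNU extension in C++) sized by the value the function under test has just returned. The `EXPECT_EQ(n_curr_rule_uuid, n_rule_uuid);` before it is non-fatal, so a wrong count, zero or very large, still reaches the stack allocation and the following `scanner_state_get_current_packet_rules` call. Make the check fatal with `ASSERT_EQ(n_curr_rule_uuid, n_rule_uuid);`, or use a fixed-size buffer and pass its capacity; the same pattern recurs in the history loop of this test and in `state_merge_duplicate_rule_uuid` and `state_merge_different_rule_uuid`. For the same reason `EXPECT_NE(state, nullptr);` after `scanner_state_new()` is better written as `ASSERT_NE(state, nullptr);`. In `state_is_null_when_add`, `uuid_t rule_uuid;` is passed uninitialized; adding `uuid_clear(rule_uuid);` before the loop avoids an indeterminate read should the callee ever inspect it before checking `state`.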
diff --git a/scanner/version.map b/scanner/version.map
new file mode 100644
index 0000000..d09b6bd
--- /dev/null
+++ b/scanner/version.map
@@ -0,0 +1,21 @@
+VERS_2.4{
+global:
+ extern "C" {
+ *dns_decoder_load*;
+ *dns_decoder_unload*;
+ *dns_decoder_resource_record_json_exporter*;
+ *dns_decoder_resource_record_is_dnssec*;
+ *dns_decoder_resource_record_cname_json_exporter*;
+ *GIT*;
+ };
+ local: *;
+};
+VERS_2.4{
+global:
+ extern "C" {
+ *scanner_module_init*;
+ *scanner_module_exit*;
+ *GIT*;
+ };
+ local: *;
+};
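Review bot: The version node `VERS_2.4` is defined twice in this new file, and the first definition exports `dns_decoder_*` symbols that do not appear to belong to the scanner module, so it looks copied from another module's script. GNU ld reports a duplicate version tag for a repeated node, so I would expect the link to fail once this script is passed to the linker; how it is wired into the build is not visible in this hunk. I would delete the first node and keep only the scanner one. The remaining patterns are substring wildcards: `*scanner_module_init*` exports every symbol whose name contains that text, whereas exact entries `scanner_module_init;` and `scanner_module_exit;` keep the exported surface to the two entry points. It is also worth confirming that `*GIT*` is meant to match only the version-stamp symbol.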