| author | git commit -m first <[email protected]> | 2019-06-13 16:52:28 +0800 |
|---|---|---|
| committer | git commit -m first <[email protected]> | 2019-06-13 16:52:28 +0800 |
| commit | a229a3ec73dbd7678e2700eb18bc65632950614c (patch) | |
| tree | 40804646a85ada6a0afbdb82b77b12793302698d | |
| -rwxr-xr-x | bin/dns_jt_audit.so | bin | 0 -> 34032 bytes | |||
| -rw-r--r-- | src/Makefile | 22 | ||||
| -rw-r--r-- | src/dns_jt_audit.cpp | 472 | ||||
| -rw-r--r-- | src/dns_jt_audit.h | 105 | ||||
| -rw-r--r-- | src/inc/MESA_logger.h | 72 | ||||
| -rw-r--r-- | src/inc/dj_rule.h | 72 | ||||
| -rw-r--r-- | src/inc/dns_analyse.h | 242 | ||||
| -rw-r--r-- | src/inc/ip_control.h | 57 | ||||
| -rw-r--r-- | src/inc/ip_jt.h | 60 | ||||
| -rw-r--r-- | src/inc/magellan_logger.h | 88 | ||||
| -rw-r--r-- | src/inc/qdjcq_magellan_id.h | 187 |
11 files changed, 1377 insertions, 0 deletions
diff --git a/bin/dns_jt_audit.so b/bin/dns_jt_audit.so
Binary files differ
new file mode 100755
index 0000000..1d0e770
--- /dev/null
+++ b/bin/dns_jt_audit.so
diff --git a/src/Makefile b/src/Makefile
new file mode 100644
index 0000000..72b7b80
--- /dev/null
+++ b/src/Makefile
@@ -0,0 +1,22 @@
+CC = g++
+CFLAGS = -Wall -g -fPIC
+INC = -I./inc/ -I/opt/MESA/include
+LIBS = -L/opt/MESA/lib -lMESA_handle_logger -lMESA_prof_load
+OBJS = dns_jt_audit.o
+TARGET = dns_jt_audit.so
+
+.cpp.o:
+ $(CC) -c $(INC) $(CFLAGS) $<
+
+all: $(TARGET) CP
+
+$(TARGET): $(OBJS)
+ $(CC) -O2 -o $@ $^ $(LIBS) -shared -fPIC
+
+CP:
+ cp $(TARGET) ../bin/
+
+.PHONY:clean
+
+clean:
+ -rm -rf $(OBJS) $(TARGET)
diff --git a/src/dns_jt_audit.cpp b/src/dns_jt_audit.cpp
new file mode 100644
index 0000000..e2135c6
--- /dev/null
+++ b/src/dns_jt_audit.cpp
@@ -0,0 +1,472 @@
+/*
+ ============================================================================
+ Name : xxx.c
+ Author : [email protected]
+ Version : 2016-07-30 v0.01
+ Copyright : All right reserved by Institute of Engineer,Chinese Academic of Science 2014~2018
+ Description : ip_shift_dns_service in C++, Ansi-style
+ V0.0.2 2014-11-27
+ ============================================================================
+ */
+#include <time.h>
+//#include <MESA/magellan_logger.h>
+
+#include "dns_jt_audit.h"
+#include "inc/dns_analyse.h"
+
+int default_dbg_level = 1;
+#define DBG(level, msg...) do {\
+ if(default_dbg_level > level) \
+ printf(msg); \
+ }while(0)
+
+#define IP_REQ_NAME "JT_IP_PKT"
+
+int JT_DNS_PLUG_VERSION_20170724 = 0;
+char * dj_dns_service_conf_path = (char *)"./djconf/dns_jt_audit.conf";
+const char *dns_service_module_name = "DJ_DNS_SERVICE";
+
+//const char *register_gq_dns_table_name[REGISTER_TABLE_NUM] = {"DNS_DOMAIN_PZ", "IP_GEO_PZ"};
+const char *register_gq_dns_table_name[REGISTER_TABLE_NUM] = {"DNS_DOMAIN_PZ"};
+/*char *opt_log_name[11] = { \
+// (char *)"opt_sip", (char *)"opt_dip", (char *)"opt_sport", (char*)"opt_dport", (char*)"opt_smac", (char *)"opt_dmac", \
+// (char *)"opt_dns_domain",(char *)"opt_dns_responseip",(char *)"opt_alarm_id", (char *)"opt_alarm_risk", (char*)"opt_rule_id"};
+*/
+dns_service_conf g_dns_service;
+
+int dns_project_req_id = 0;
+
+#ifndef atomic_read
+#define atomic_read(x) __sync_add_and_fetch((x),0)
+#endif
+
+#ifndef atomic_add
+#define atomic_add(x,y) __sync_add_and_fetch((x),(y))
+#endif
+
+#ifndef atomic_set
+#define atomic_set(x,y) __sync_lock_test_and_set((x),y)
+#endif
+
+unsigned short dns_seq = 0;
+
+int dj_dns_service_add_cache(char* opt_name, const void* opt_value, int opt_len,dj_cache_t cache_handle,APPD_MSG_TYPE status)
+{
+ int ret = 0;
+ opt_unit_t dns_service_opt = create_opt_unit(opt_name,opt_value,opt_len);
+
+ ret = add_dj_cache(cache_handle,status,dns_service_opt);
+ if(ret == -1)
+ {
+ printf("error\n");
+ MESA_handle_runtime_log(g_dns_service.log_handle, RLOG_LV_FATAL,dns_service_module_name,"Add cache failed!");
+ return ret;
+ }
+ return 0;
+}
+
+#if 0
+unsigned long long get_uniq_id()
+{
+ static unsigned short sequence=0;
+ static time_t last_second=0;
+ time_t now;
+ time(&now);
+// time_t now=g_CurrentTime;
+ unsigned long long ADDR_OVER_ID=0;
+
+ short dns = 2;
+
+ if(last_second!=now)
+ {
+ last_second=now;
+ sequence=0;
+ }
+ //suppose maximum 65535 logs per second
+ assert(sequence<0xffff);
+ //16bit alarm type +32bit time + 16bit sequence
+ ADDR_OVER_ID=(dns&0x00000000000000FF)<<48|now<<32|sequence;
+ sequence++;
+ return ADDR_OVER_ID;
+
+}
+#endif
+void dns_time_to_string(char *time_str, unsigned int time_str_len)
+{
+ time_t t;
+ time(&t);
+ dj_thread_safe_ctime(&t, time_str, time_str_len);
+}
+
+int dns_set_magellan_opt(magellan_opt_t*m_opt,int opt_type,int opt_len,const void* opt_value)
+{
+ m_opt->opt_type=opt_type;
+ m_opt->opt_len=opt_len;
+ m_opt->opt_value=(void *)opt_value;
+ return 1;
+}
+
+
+int dj_dns_create_log(dns_response_t* dns_info,struct streaminfo *dns_stream, int thread_num, Maat_rule_t *presult,magellan_opt_t *m_opt,char un_id[])
+{
+ scan_status_t mid = NULL;
+ char resip[700];
+ int m_opt_cnt = 0;
+
+ if(presult->do_blacklist != DOMAIN_BLACK_CHAR )
+ return -1;
+
+ m_opt_cnt = 2;
+ m_opt[0].opt_type = MAGELLAN_OPT_DNS;
+ m_opt[1].opt_type = MAGELLAN_OPT_DOMAIN_IP;
+ memcpy(resip, m_opt[1].opt_value, m_opt[1].opt_len);
+ m_opt[1].opt_value = resip;
+
+ time_t captime = time(NULL);
+
+ //m_opt_cnt+=dns_set_magellan_opt(m_opt+2,MAGELLAN_OPT_CAP_TIME, sizeof(time_t),&captime);
+ m_opt_cnt+=dns_set_magellan_opt(m_opt+m_opt_cnt,MAGELLAN_OPT_CAP_TIME, sizeof(time_t),&captime);
+ m_opt_cnt+=dns_set_magellan_opt(m_opt+m_opt_cnt,MAGELLAN_OPT_ID,strlen(un_id),un_id);
+ m_opt_cnt+=dns_set_magellan_opt(m_opt+m_opt_cnt,MAGELLAN_OPT_RISK,sizeof(char),&(presult->do_log));
+ m_opt_cnt+=dns_set_magellan_opt(m_opt+m_opt_cnt,MAGELLAN_OPT_RULE_ID,sizeof(int),&(presult->config_id));
+
+ dj_magellan_write_log(dns_stream,QDJCQ_MGLL_USERID,TABID_DOMAIN_LISTEN_ALARM,m_opt,m_opt_cnt,thread_num);//TABID_DOMAIN_LISTEN_ALARM
+
+ Maat_clean_status(&mid);
+
+ return 0;
+}
+
+int dj_dns_scan_domain(dns_response_t* dns_info,struct streaminfo *dns_stream, void *a_packet,magellan_opt_t *m_opt,int thread_num)
+{
+ int ret = 0;
+ int domain_len = 0;
+ char *domain = NULL;
+// unsigned long long uniq_id;
+
+ time_t now;
+ short seq = 0;
+
+ int found_pos = 0;
+ Maat_rule_t domain_scan_result[MAX_SUPPORT_RULE_SIZE];
+ scan_status_t mid = NULL;
+ //char dot_domain[256];
+
+ memset(domain_scan_result,0,MAX_SUPPORT_RULE_SIZE*sizeof(Maat_rule_t));
+
+ domain = (char*)(dns_info->question.qname);
+ domain_len = strlen(domain);
+
+/* memset(dot_domain, 0, 256);
+ snprintf(dot_domain, domain_len+2, ".%s", domain);*/
+
+ ret = Maat_full_scan_string(g_dj_feather,g_dns_service.table_id[REGISTER_TABLE_DOMAIN],CHARSET_GBK,\
+ domain,domain_len,domain_scan_result,&found_pos,MAX_SUPPORT_RULE_SIZE,&mid,thread_num);
+ if(ret == -1)
+ {
+ if(g_dns_service.debug_info == DJ_DEBUG_ON)
+ DBG(0, "Maat scan domain failed!\n");
+ MESA_handle_runtime_log(g_dns_service.log_handle,RLOG_LV_FATAL,dns_service_module_name,(char *)"Maat scan domain failed!\n");
+ Maat_clean_status(&mid);
+ return ret;
+ }
+ else if(ret > 0)
+ {
+ int i, index=0, black_flag=0;
+ int risk = 0;
+
+ for(i=0; i<ret; i++)
+ {
+ if(domain_scan_result[i].action == DOMAIN_BLACK_CHAR)
+ {
+ if(domain_scan_result[i].do_log >= risk)
+ {
+ risk = domain_scan_result[i].do_log;
+ index = i;
+ }
+ black_flag = 1;
+ }
+ }
+
+ //add to dynamic black list
+ if(black_flag == 1)
+ {
+// make_ip_control_wblist(dns_stream, thread_num, domain_scan_result[index].config_id,risk,IPC_BLACK_IP_TYPE);
+
+ target_tag *dns_tag = (target_tag *)dictator_malloc(thread_num, sizeof(target_tag));
+ memset(dns_tag, 0, sizeof(target_tag));
+ dns_tag->type = domain_scan_result[index].service_id;
+ dns_tag->rule_id = domain_scan_result[index].config_id;
+ dns_tag->risk = risk;
+// uniq_id = get_uniq_id();
+// sprintf(dns_tag->id,"%lld",uniq_id);
+ atomic_add(&dns_seq,1);
+ seq = atomic_read(&dns_seq);
+ now = time(NULL);
+
+ sprintf(dns_tag->id,"%u%lu%u",DNS_BUSINESS,now,seq);
+ black_ip *dns_black_ip = NULL;
+ if(black_flag == 1) {
+ if (dns_info->ipv4_num > 0) {
+ dns_black_ip = (black_ip *) dictator_malloc(thread_num, sizeof(black_ip));
+ memset(dns_black_ip,0,sizeof(black_ip));
+ dns_black_ip->ip_num = dns_info->ipv4_num;
+ memcpy(dns_black_ip->ipv4, dns_info->ipv4, dns_info->ipv4_num * sizeof(unsigned int));
+ dns_black_ip->thread_num = thread_num;
+ dns_black_ip->ip_type = IPC_BLACK_IP_TYPE;
+
+ dns_tag->dns_ip = dns_black_ip;
+ }
+ }
+
+ int tag_ret = project_req_add_struct(dns_stream,dns_project_req_id,dns_tag);
+ if(tag_ret < 0)
+ {
+ if(g_dns_service.debug_info == DJ_DEBUG_ON)
+ DBG(0, "Add flow tag fail!\n");
+ MESA_handle_runtime_log(g_dns_service.log_handle,RLOG_LV_FATAL,dns_service_module_name,(char *)"Add flow tag fail!\n");
+ }
+
+ //if(black_flag == 1) {
+ dj_dns_create_log(dns_info,dns_stream, thread_num, &domain_scan_result[index],m_opt,dns_tag->id);
+ }
+
+// printf("\n\ndomain hitted---%d, ser_def=%s\n\n", domain_scan_result[index].do_blacklist, domain_scan_result[index].service_defined);
+ }
+
+ //dj_dns_create_log(dns_info,dns_stream, thread_num, &domain_scan_result[0]);
+ Maat_clean_status(&mid);
+ return ret;
+}
+
+void dns_free_magellan_opt(magellan_opt_t *m_opt, int thread_seq)
+{
+ if(m_opt->opt_value != NULL)
+ {
+ dictator_free(thread_seq, (void *)m_opt->opt_value);
+ m_opt->opt_value = NULL;
+ }
+}
+
+int dns_init_process_context(process_context_t **process_context, int thread_seq)
+{
+ process_context_t *context = (process_context_t *)dictator_malloc(thread_seq, sizeof(process_context_t));
+ memset(context, 0 , sizeof(process_context_t));
+
+ *process_context = context;
+
+ return 1;
+}
+
+void dns_destroy_process_context(process_context_t *process_context, int thread_seq)
+{
+ int i = 0;
+
+ if(process_context->m_opt_index != 0)
+ {
+ for(i = 0; i < process_context->m_opt_index; i++)
+ {
+ dns_free_magellan_opt(&(process_context->m_opt[i]), thread_seq);
+ }
+ }
+
+ dictator_free(thread_seq,process_context);
+ process_context = NULL;
+}
+
+char dj_dns_service_entry (stSessionInfo *session_info, void **pme, int thread_seq, struct streaminfo *dns_stream, void *a_packet)
+{
+ int i,len,ret = 0;
+ int domain_len = 0;
+ int m_opt_cnt = 0;
+ magellan_opt_t m_opt[MAX_MAGELLON_OPT_NUM];
+ char respip[700];
+ char ipaddr[60];
+ const char *module_name = "JT_DNS_PLUG";
+
+ process_context_t *context = (process_context_t *)*pme;
+ struct Maat_rule_t scan_result[MAX_RESULT_NUM];
+ int found_pos = 0;
+ scan_status_t scan_mid = NULL;
+
+
+ if(*pme == NULL)
+ {
+ if((dns_init_process_context(&context, thread_seq)) < 0)
+ {
+ MESA_handle_runtime_log(g_dns_service.log_handle, RLOG_LV_FATAL, module_name, "<%s>%d: init_process_context failed ...", __FILE__, __LINE__);
+ return PROT_STATE_DROPME;
+ }
+ *pme = context;
+ }
+
+
+ if(NULL == session_info)
+ {
+ dns_destroy_process_context(context,thread_seq);
+ return PROT_STATE_DROPME;
+ }
+
+ dns_response_t* dns_info = (dns_response_t *)session_info->app_info;
+ domain_len = strlen((char*)(dns_info->question.qname));
+ if(domain_len <= 0)
+ {
+ dns_destroy_process_context(context,thread_seq);
+ return PROT_STATE_DROPME;
+ }
+
+ context->hit_config_num = Maat_full_scan_string(g_dj_feather,
+ g_dns_service.table_id[REGISTER_TABLE_DOMAIN],
+ CHARSET_GBK,
+ (const char *)(dns_info->question.qname),
+ strlen((char*)(dns_info->question.qname)),
+ //sizeof(dns_info->question.qname),
+ scan_result,
+ &found_pos,
+ MAX_RESULT_NUM,
+ &scan_mid,
+ thread_seq
+ );
+ Maat_clean_status(&scan_mid);
+
+ //如果匹配错误
+ if(context->hit_config_num < 0)
+ {
+ MESA_handle_runtime_log(g_dns_service.log_handle,RLOG_LV_FATAL,dns_service_module_name,(char *)"Error in Maat_full_scan_string ");;
+ }
+ // 默认全是白名单
+ int flag_whitelist = 0;
+
+ for (i = 0; i < context->hit_config_num; i++)
+ {
+ //黑名单是优先
+ if(scan_result[i].action == 1)
+ {
+ flag_whitelist = 1;
+ }
+ }
+ //0是白名单,1是存在黑名单
+ //如果全是白名单,且有命中
+ if(flag_whitelist == 0 && context->hit_config_num > 0)
+ {
+ MESA_handle_runtime_log(g_dns_service.log_handle,RLOG_LV_FATAL,dns_service_module_name,"<%s> filter 。。。",(const char *)(dns_info->question.qname));
+ dns_destroy_process_context(context,thread_seq);
+ return PROT_STATE_DROPME;
+ }
+ else
+ //if(flag_whitelist == 1 || context->hit_config_num == 0)
+ //如果不是白名单
+ {
+ memset(respip, 0, 700);
+ len = 0;
+ for(i=0; i<dns_info->ipv4_num; i++)
+ {
+ context->respone_flag = 1;
+ memset(ipaddr,0,60);
+ inet_ntop(AF_INET, (const void *)(&(dns_info->ipv4[i])),ipaddr,60);
+ memcpy(respip + len, ipaddr, strlen(ipaddr));
+ len += strlen(ipaddr);
+ respip[len++] = ';';
+ }
+
+ char cur_time_str[20] = {0};
+ dns_time_to_string(cur_time_str, sizeof(cur_time_str));
+
+ m_opt_cnt+=dns_set_magellan_opt(m_opt+m_opt_cnt,MAGELLAN_OPT_REQUEST,domain_len,dns_info->question.qname);
+
+ if(context->respone_flag == 1)
+ {
+ m_opt_cnt+=dns_set_magellan_opt(m_opt+m_opt_cnt,MAGELLAN_OPT_RESPONSE,len,respip);
+ }
+ else
+ m_opt_cnt+=dns_set_magellan_opt(m_opt+m_opt_cnt,MAGELLAN_OPT_RESPONSE,4,"NULL");
+
+ m_opt_cnt+=dns_set_magellan_opt(m_opt+m_opt_cnt,MAGELLAN_OPT_TIME,sizeof(cur_time_str),cur_time_str);
+ if(dns_stream->type == STREAM_TYPE_TCP)
+ m_opt_cnt+=dns_set_magellan_opt(m_opt+m_opt_cnt,MAGELLAN_OPT_PROTOCOL,3,"TCP");
+ else
+ m_opt_cnt+=dns_set_magellan_opt(m_opt+m_opt_cnt,MAGELLAN_OPT_PROTOCOL,3,"UDP");
+ m_opt_cnt+=dns_set_magellan_opt(m_opt+m_opt_cnt,MAGELLAN_OPT_APP,3,"dns");
+
+ if(g_dns_service.audit_level == 0)
+ dj_magellan_write_log(dns_stream,QDJCQ_MGLL_USERID,TABID_DNS_AUDIT_LOG,m_opt,m_opt_cnt,thread_seq);
+
+ //scan domain
+ ret = dj_dns_scan_domain(dns_info,dns_stream, a_packet,m_opt,thread_seq);
+ }
+
+
+ if(ret <= 0)
+ {
+ dns_destroy_process_context(context,thread_seq);
+ return PROT_STATE_DROPME;
+ }
+
+ return PROT_STATE_GIVEME;
+}
+
+int register_table(void)
+{
+ int i = 0;
+
+ for(i = 0; i < REGISTER_TABLE_NUM; i++)
+ {
+ g_dns_service.table_id[i] = Maat_table_register(g_dj_feather, register_gq_dns_table_name[i]);
+ if(g_dns_service.table_id[i] == -1)
+ {
+ MESA_handle_runtime_log(g_dns_service.log_handle, RLOG_LV_FATAL, dns_service_module_name, "<%s>%d: Maat_table_register failed ...", __FILE__, __LINE__);
+ return -1;
+ }
+ }
+ return 0;
+}
+
+
+void free_project_req(int thread_seq, void *project_req_value)
+{
+ if(project_req_value != NULL) {
+ target_tag *tmp = (target_tag *) project_req_value;
+ if(tmp->dns_ip != NULL)
+ {
+ dictator_free(thread_seq,tmp->dns_ip);
+ tmp->dns_ip = NULL;
+ }
+
+ dictator_free(thread_seq,tmp);
+ tmp = NULL;
+ }
+}
+
+int dj_dns_service_init()
+{
+ MESA_load_profile_int_def(dj_dns_service_conf_path,(char *)"SYSTEM",(char *)"DEBUG_INFO",&g_dns_service.debug_info,0);
+ MESA_load_profile_int_def(dj_dns_service_conf_path,(char *)"SYSTEM",(char *)"LOG_LEVEL",&g_dns_service.log_level,0);
+ MESA_load_profile_int_def(dj_dns_service_conf_path,(char *)"SYSTEM",(char *)"AUDIT_LEVEL",&g_dns_service.audit_level,0);
+ MESA_load_profile_string_def(dj_dns_service_conf_path,(char *)"SYSTEM",(char *)"LOG_PATH",g_dns_service.log_path,MAX_LOG_FILE_PATH_LENGTH,NULL);
+ g_dns_service.log_handle = MESA_create_runtime_log_handle(g_dns_service.log_path,g_dns_service.log_level);
+ if(NULL == g_dns_service.log_handle)
+
+ {
+ DBG(0, "dj_dns_service_init---MESA_create_runtime_log_handle failed.\n");
+ }
+
+ if((register_table()) == -1)
+ return -1;
+ dns_project_req_id = project_producer_register(IP_REQ_NAME,PROJECT_VAL_TYPE_STRUCT,free_project_req);
+
+ if(g_dns_service.debug_info == DJ_DEBUG_ON)
+ {
+ DBG(0, "Hello! This is dj_dns_service.so\n");
+ }
+
+ return 0;
+}
+
+void dj_dns_service_destory()
+{
+ if(g_dns_service.debug_info == DJ_DEBUG_ON)
+ {
+ DBG(0, "Hello! This is dj_dns_service.so service_destory, but i am not complete!!!\n");
+ }
+ MESA_destroy_runtime_log_handle(g_dns_service.log_handle);
+}
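Review bot: `dj_dns_create_log` writes one element past the option array it receives: `dj_dns_service_entry` declares `magellan_opt_t m_opt[MAX_MAGELLON_OPT_NUM]` (5 in the dns_jt_audit.h hunk), fills all five slots, then hands the array to `dj_dns_scan_domain`, whose call into `dj_dns_create_log` resets `m_opt_cnt` to 2 and appends four options at indices 2–5, so the RULE_ID option is stored in `m_opt[5]` and `dj_magellan_write_log` then reads six entries from a five-element stack array. Guard the appends with `if (m_opt_cnt + 4 > MAX_MAGELLON_OPT_NUM) return -1;` at the top of `dj_dns_create_log` and raise `MAX_MAGELLON_OPT_NUM` to cover the six options actually emitted. The response-IP buffer has the same flaw: `respip[700]` in `dj_dns_service_entry` is filled by a loop over `dns_info->ipv4_num`, which dns_analyse.h allows to reach MAX_IP_NUM (128) addresses of up to 16 bytes each, so a reply carrying many A records overruns the stack buffer before `len` is handed to the logger and later to the 700-byte `resip` memcpy in `dj_dns_create_log`; bound the append with `if (len + strlen(ipaddr) + 1 >= sizeof respip) break;`. The tag ID built by `sprintf(dns_tag->id,"%u%lu%u",DNS_BUSINESS,now,seq)` fills a 22-byte field with up to 21 digits today, so it should be `snprintf(dns_tag->id, sizeof dns_tag->id, "%u%lu%u", DNS_BUSINESS, now, seq);` so that a wider `time_t` value or a negative `seq` (it is a `short` read from an `unsigned short`) cannot overrun it. Separately, `atomic_add(&dns_seq,1)` followed by `seq = atomic_read(&dns_seq)` lets two threads observe the same value, so the log ID is not unique under concurrency; use the increment's result, `seq = atomic_add(&dns_seq,1);`.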
diff --git a/src/dns_jt_audit.h b/src/dns_jt_audit.h
new file mode 100644
index 0000000..5a60eb7
--- /dev/null
+++ b/src/dns_jt_audit.h
@@ -0,0 +1,105 @@
+#ifndef DNS_SERVICE_H
+#define DNS_SERVICE_H
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+#include <assert.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <arpa/inet.h>
+#include <pthread.h>
+#include <netinet/ip6.h>
+#include <netinet/in.h>
+
+//#include <MESA_SDK.h>
+#include <MESA/stream.h>
+#include <MESA/field_stat.h>
+#include <MESA/MESA_handle_logger.h>
+#include <MESA/Maat_rule.h>
+#include <MESA/MESA_prof_load.h>
+
+#include "inc/dj_rule.h"
+#include "inc/dns_analyse.h"
+#include "inc/ip_jt.h"
+#include "inc/qdjcq_magellan_id.h"
+#include "MESA/magellan_logger.h"
+
+
+//#define DNS_SRV_FLAG 0x01
+//
+#define DNS_PLUGIN_ID 34
+//#define DNS_UDP_PROTOCOL 17
+
+#define MAX_MAGELLON_OPT_NUM 5
+
+#define MAX_RES_IP_BUF_LEN 512
+#define MAX_CNAME_INFO_BUF_LEN 1024
+#define MAX_KEY_LEN 512
+
+#define MAX_SUPPORT_RULE_SIZE 16
+#define MAX_LOG_FILE_PATH_LENGTH 80
+#define DJ_DEBUG_ON 1
+#define DNS_SERVICE_LOG_OPT_NUM 6
+
+#define REGISTER_TABLE_NUM 1
+#define REGISTER_TABLE_DOMAIN 0
+#define REGISTER_TABLE_IP_GEO 1
+
+#define DOMAIN_BLACK_CHAR 1
+#define DOMAIN_GRAY_CHAR 3
+#define DOMAIN_WHITE_CHAR 1
+
+#define SCC_CHAR_FOREIGN 0
+#define SCC_CHAR_DALU 1
+#define SCC_CHAR_TAIWAN 2
+#define SCC_CHAR_HONKON 3
+#define SCC_CHAR_MACOU 4
+#define SCC_CHAR_OTHER 5
+#define SCC_CHAR_LOCAL 6
+
+#define IPC_WHITE_IP_TYPE 1
+#define IPC_BLACK_IP_TYPE 2
+
+#define DNS_BUSINESS 2
+#define REGISTER_TABLE_URL_PZ 0
+
+#define MAX_RESULT_NUM 16
+
+#define SEND_LOG_MAGELLAN_OPT_NUM 32
+
+
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+typedef struct _process_context
+{
+ int do_blacklist;
+ int hit_config_num;
+ int m_opt_index;
+ int respone_flag;
+ magellan_opt_t m_opt[SEND_LOG_MAGELLAN_OPT_NUM];
+}process_context_t;
+
+
+typedef struct dns_service_config_t
+{
+ int debug_info;
+ int log_level;
+ int audit_level;
+ int table_id[REGISTER_TABLE_NUM];
+ void *log_handle;
+ char log_path[MAX_LOG_FILE_PATH_LENGTH];
+}dns_service_conf;
+
+int dj_dns_scan_domain(dns_response_t* dns_info,struct streaminfo *dns_stream, void *a_packet,magellan_opt_t *m_opt,int thread_num);
+char dj_dns_service_entry (stSessionInfo *session_info, void **pme, int thread_seq, struct streaminfo *a_udp, void *a_packet);
+int dj_dns_service_init();
+void dj_dns_service_destory();
+
+#ifdef __cplusplus
+}
+#endif
+#endif
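Review bot: `DOMAIN_BLACK_CHAR` and `DOMAIN_WHITE_CHAR` are both defined as 1, so no comparison against them can tell a white-list hit from a black-list hit; the .cpp in this commit only tests `DOMAIN_BLACK_CHAR`, but the white constant is a latent trap and should either get a distinct value or be removed. `REGISTER_TABLE_IP_GEO` is 1 while `REGISTER_TABLE_NUM` is also 1 and `table_id[REGISTER_TABLE_NUM]` in `dns_service_config_t` is sized by it, so using that index would read past the array; either drop the unused constant or grow `REGISTER_TABLE_NUM` together with `register_gq_dns_table_name` in the .cpp. The prototype of `dj_dns_service_entry` names its stream parameter `a_udp` while the definition names it `dns_stream`; align the names so the header documents the same contract as the code.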
diff --git a/src/inc/MESA_logger.h b/src/inc/MESA_logger.h
new file mode 100644
index 0000000..5f7e974
--- /dev/null
+++ b/src/inc/MESA_logger.h
@@ -0,0 +1,72 @@
+#ifndef H__LOGGER_H
+#define H__LOGGER_H
+
+/*
+ * does runtime logging.
+ * xiang hong
+ * 2002-07-29
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+//#include "thread_safe.h"
+
+#define RLOG_LV_DEBUG 10
+#define RLOG_LV_INFO 20
+#define RLOG_LV_FATAL 30
+
+#define LOGMSG_MAX_LEN 1024
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define RUNTIME_LOG(lv, mod, fmt, args...) \
+ MESA_runtime_log((lv), (mod), "file %s, line %d, " fmt, \
+ __FILE__, __LINE__, ##args)
+
+/*
+ * define your own version of RLOG.
+ */
+#define RLOGF(fmt, args...) RLOG(RLOG_LV_FATAL, fmt, ##args)
+#define RLOGI(fmt, args...) RLOG(RLOG_LV_INFO, fmt, ##args)
+#define RLOGD(fmt, args...) RLOG(RLOG_LV_DEBUG, fmt, ##args)
+
+/*
+ * returns:
+ * 0, if succeeded;
+ * -1, if file is not absolute path, or failed to create log file;
+ */
+int MESA_runtime_log_init(char * file, int level);
+int MESA_system_log_init(char * file, int level);
+
+/*
+ * name: runtime_log
+ * functionality: appends log message to runtime log file.
+ * params:
+ * level: log level, messages with level value smaller the global var
+ * "runtime_log_level" are ignored;
+ * module: name of loggin module;
+ * fmt: format string;
+ * returns:
+ * none;
+ */
+void MESA_runtime_log(int level, char * module, char * fmt, ...);
+
+/*
+ * fake function.
+ */
+void MESA_system_log(int level, char * module, char * fmt, ...);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
+
+
diff --git a/src/inc/dj_rule.h b/src/inc/dj_rule.h
new file mode 100644
index 0000000..a3b5577
--- /dev/null
+++ b/src/inc/dj_rule.h
@@ -0,0 +1,72 @@
+#ifndef _DJ_RULE_H_
+#define _DJ_RULE_H_
+
+#include <MESA/Maat_rule.h>
+#include <MESA/stream.h>
+#include <MESA/field_stat.h>
+//#include <MESA/stream.h>
+//#include <MESA/field_stat.h>
+//#include <MESA/Maat_rule.h>
+#include <MESA/magellan_logger.h>
+//global maat scanner
+extern void* g_dj_feather;
+extern void* g_dj_stat_handle;
+
+//global doc analyse instance
+extern void* g_dj_doc_instance;
+
+
+/*cache and send*/
+typedef enum
+{
+ COMPLETE=0,
+ FRAG=1,
+ FRAG_END=2,
+}APPD_MSG_TYPE;
+
+typedef void* opt_unit_t;
+typedef void* dj_cache_t;
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+/*for 056jcq jt and audit*/
+int32_t dj_magellan_write_log (const struct streaminfo* a_tcp,const int user_id, const int table_id, magellan_opt_t* opt_array, int opt_num,int t_id);
+
+dj_cache_t create_dj_cache(const char* protocol, struct streaminfo* a_stream);
+void set_dj_cache_send(dj_cache_t handle);
+void destroy_dj_cache(dj_cache_t handle);
+/*
+*if set_dj_cache_send, callback add_dj_cache will send cache data, otherwise only cache not send
+*return -1: get mem_limit ; return 0: OK
+*opt will be free by add_dj_cache
+*/
+int add_dj_cache(dj_cache_t handle, APPD_MSG_TYPE status, opt_unit_t opt);
+
+/*
+*NULL value means nested option, otherwise is simple option
+*opt will be free by dj_cache, if not add_dj_cache, please do not create_opt_unit
+*/
+opt_unit_t create_opt_unit(const char* opt_name, const void* opt_value, int opt_len);
+void append_opt_nested_value(opt_unit_t ext_opt, opt_unit_t inner_opt);
+
+//return 1 if type match, otherwise return 0;
+int is_zip_type(int doctype);
+int is_scan_type(int doctype);
+
+/*
+ * dj_thread_safe_ctime: thread safe(no lock) time to string
+ * tp:current time
+ * buf: [out] to store the time string
+ * len:buffer length
+ */
+char *dj_thread_safe_ctime(const time_t *tp, char *buf, int len);
+#ifdef __cplusplus
+}
+#endif
+
+#endif
+
+
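Review bot: `dj_thread_safe_ctime` is declared with a `len` parameter, but the comment above it says nothing about truncation or NUL-termination, and its caller in dns_jt_audit.cpp passes a 20-byte `cur_time_str`, which is shorter than the 26 bytes a ctime(3)-style string needs if that is the format it produces. Document the contract on the declaration, e.g. `* len: buffer length; output is truncated to len-1 chars and always NUL-terminated when len > 0` — or, if the implementation does not guarantee that, say so, so callers size their buffers accordingly. The `extern void*` globals `g_dj_feather`, `g_dj_stat_handle` and `g_dj_doc_instance` would also benefit from a one-line comment each stating who initializes them and when they may be read, since `dj_dns_scan_domain` passes `g_dj_feather` to `Maat_full_scan_string` without checking it.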
diff --git a/src/inc/dns_analyse.h b/src/inc/dns_analyse.h
new file mode 100644
index 0000000..9f6e639
--- /dev/null
+++ b/src/inc/dns_analyse.h
@@ -0,0 +1,242 @@
+#ifndef DNS_ANALYSE_H
+#define DNS_ANALYSE_H
+
+#ifndef u_char
+#define u_char unsigned char
+#endif
+#ifndef u_int16_t
+#define u_int16_t unsigned short
+#endif
+#ifndef u_int32_t
+#define u_int32_t unsigned int //adjust by lqy 20070521 long to int
+#endif
+
+#include <MESA/stream.h>
+
+#define RUNTIME_DNSMODULE "[DNS MODULE:]"
+
+#define DNS_PORT 53
+#define PROTID_DNS 6
+
+#define DNS_MAX_UDP_MESSAGE 512
+#define DNS_MAX_LABEL 63
+#define DNS_MAX_NAME 255
+#define MAX_IP_NUM 128
+#define MAX_CNAME_NUM 32
+#define MAX_NS_NUM 32
+#define MAX_MB_NUM 32
+#define MAX_MX_NUM 32
+#define MAX_SOA_NUM 32
+#define IPV6_LEN 16
+
+#define MAX_FLAG_LEN 30
+
+typedef struct{
+ u_char type; //0-query, 1-response
+ void *apme;
+} dns_info_t;
+
+typedef struct{
+ u_int16_t qtype;
+ u_int16_t qclass;
+ u_char qname[DNS_MAX_NAME + 1];
+} dns_question_t;
+
+typedef struct
+{
+ u_char type; //0-query, 1-response
+ dns_question_t question; //query structure
+ int ipv4_num; //number of ipv4s in response
+ int ipv6_num; //number of ipv6s in response
+ int cname_num; //number of cnames in response
+ int ns_num; //number of ns in response
+ int mb_num; //number of mbs in response
+ int mx_num; //number of mxs in response
+ int soa_num; //number of soa(start of authority) in response
+ unsigned int ipv4[MAX_IP_NUM]; //list of ips in response for ipv4 (network order)
+ unsigned char ipv6[MAX_IP_NUM][IPV6_LEN]; //list of ips in response for ipv6 (network order)
+ u_char cname[MAX_CNAME_NUM][DNS_MAX_NAME]; //list of cnames in response
+ u_char ns[MAX_NS_NUM][DNS_MAX_NAME]; //list of name server(ns)s in response
+ u_char mb[MAX_MB_NUM][DNS_MAX_NAME]; //list of mail box(nmb)s in response
+ u_char mx[MAX_MX_NUM][DNS_MAX_NAME]; //list of mail exchange(mx)s in response
+ u_char soa_manme[MAX_SOA_NUM][DNS_MAX_NAME]; //list of soa master name(mname)s in response
+ u_char soa_rname[MAX_SOA_NUM][DNS_MAX_NAME]; //list of soa responsible name(rname:ranme is a emalil addr)s in response
+} dns_response_t;
+
+typedef struct {
+ u_int16_t id;
+
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+ u_char rd:1;
+ u_char tc:1;
+ u_char aa:1;
+ u_char opcode:4;
+ u_char qr:1;
+ u_char rcode:4;
+ u_char z:3;
+ u_char ra:1;
+#elif __BYTE_ORDER == __BIG_ENDIAN
+ u_char qr:1;
+ u_char opcode:4;
+ u_char aa:1;
+ u_char tc:1;
+ u_char rd:1;
+ u_char ra:1;
+ u_char z:3;
+ u_char rcode:4;
+#endif
+
+ u_int16_t qdcount;
+ u_int16_t ancount;
+ u_int16_t nscount;
+ u_int16_t arcount;
+} dnshdr_t;
+
+#define DNSHDR_OPCODE_QUERY 0
+#define DNSHDR_OPCODE_IQUERY 1
+#define DNSHDR_OPCODE_STATUS 2
+
+#define DNSHDR_RCODE_NOERR 0
+#define DNSHDR_RCODE_FMTERR 1
+#define DNSHDR_RCODE_SRVFAIL 2
+#define DNSHDR_RCODE_NAMEERR 3
+#define DNSHDR_RCODE_NOTIMPL 4
+#define DNSHDR_RCODE_REFUSE 5
+
+#define DNS_HINFO_MAX_CPU 40
+#define DNS_HINFO_MAX_OS 40
+
+typedef struct {
+ u_char name[DNS_MAX_NAME + 1];
+ u_int16_t type;
+ u_int16_t rr_class;
+ u_int32_t ttl;
+ u_int16_t rdlength;
+ union {
+ u_char cname[DNS_MAX_NAME + 1];
+ struct {
+ u_char cpu[DNS_HINFO_MAX_CPU + 1];
+ u_char os[DNS_HINFO_MAX_OS + 1];
+ } hinfo;
+ u_char mb[DNS_MAX_NAME + 1];
+ u_char md[DNS_MAX_NAME + 1];
+ u_char mf[DNS_MAX_NAME + 1];
+ u_char mg[DNS_MAX_NAME + 1];
+ struct {
+ u_char rmailbx[DNS_MAX_NAME + 1];
+ u_char emailbx[DNS_MAX_NAME + 1];
+ } minfo;
+ u_char mr[DNS_MAX_NAME + 1];
+ struct {
+ u_int16_t preference;
+ u_char exchange[DNS_MAX_NAME + 1];
+ } mx;
+ u_char ns[DNS_MAX_NAME + 1];
+ u_char ptr[DNS_MAX_NAME + 1];
+ struct {
+ u_char mname[DNS_MAX_NAME + 1];
+ u_char rname[DNS_MAX_NAME + 1];
+ u_int32_t serial;
+ u_int32_t refresh;
+ u_int32_t retry;
+ u_int32_t expire;
+ u_int32_t minimum;
+ } soa;
+ u_int32_t a;
+ u_char aaaa[16];
+ struct {
+ u_char * txt;
+ u_int32_t size;
+ } txt;
+ struct {
+ u_char * null;
+ u_int32_t size;
+ } null;
+ struct {
+ u_int32_t addr;
+ u_char protocol;
+ u_char * bitmap;
+ u_int32_t size;
+ } wks;
+ } rdata;
+} dns_rr_t;
+
+#define DNS_TYPE_A 1
+#define DNS_TYPE_NS 2
+#define DNS_TYPE_MD 3
+#define DNS_TYPE_MF 4
+#define DNS_TYPE_CNAME 5
+#define DNS_TYPE_SOA 6
+#define DNS_TYPE_MB 7
+#define DNS_TYPE_MG 8
+#define DNS_TYPE_MR 9
+#define DNS_TYPE_NULL 10
+#define DNS_TYPE_WKS 11
+#define DNS_TYPE_PTR 12
+#define DNS_TYPE_HINFO 13
+#define DNS_TYPE_MINFO 14
+#define DNS_TYPE_MX 15
+#define DNS_TYPE_TXT 16
+#define DNS_TYPE_AAAA 28 //dns_ipv6
+
+#define DNS_QTYPE_AXFR 252
+#define DNS_QTYPE_MAILB 253
+#define DNS_QTYPE_MAILA 254
+#define DNS_QTYPE_ANY 255
+
+#define DNS_CLASS_IN 1
+#define DNS_CLASS_CS 2
+#define DNS_CLASS_CH 3
+#define DNS_CLASS_HS 4
+#define DNS_QCLASS_ANY 255
+
+#define NS_INT16SZ 2
+#define NS_INT32SZ 4
+
+#define NS_GET16(s, cp) do { \
+ register u_char *t_cp = (u_char *)(cp); \
+ (s) = ((u_int16_t)t_cp[0] << 8) \
+ | ((u_int16_t)t_cp[1]) \
+ ; \
+ (cp) += NS_INT16SZ; \
+} while (0)
+
+#define NS_GET32(l, cp) do { \
+ register u_char *t_cp = (u_char *)(cp); \
+ (l) = ((u_int32_t)t_cp[0] << 24) \
+ | ((u_int32_t)t_cp[1] << 16) \
+ | ((u_int32_t)t_cp[2] << 8) \
+ | ((u_int32_t)t_cp[3]) \
+ ; \
+ (cp) += NS_INT32SZ; \
+} while (0)
+
+#define NS_PUT16(s, cp) do { \
+ register u_int16_t t_s = (u_int16_t)(s); \
+ register u_char *t_cp = (u_char *)(cp); \
+ *t_cp++ = t_s >> 8; \
+ *t_cp = t_s; \
+ (cp) += NS_INT16SZ; \
+} while (0)
+
+#define NS_PUT32(l, cp) do { \
+ register u_int32_t t_l = (u_int32_t)(l); \
+ register u_char *t_cp = (u_char *)(cp); \
+ *t_cp++ = t_l >> 24; \
+ *t_cp++ = t_l >> 16; \
+ *t_cp++ = t_l >> 8; \
+ *t_cp = t_l; \
+ (cp) += NS_INT32SZ; \
+} while (0)
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+
+#ifdef __cplusplus
+}
+#endif
+#endif
+
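Review bot: the `dnshdr_t` bit-field layout is selected with `#if __BYTE_ORDER == __LITTLE_ENDIAN`, but this header includes only `<MESA/stream.h>`; unless that header pulls in `<endian.h>`, both macros are undefined, the comparison evaluates as `0 == 0`, and the little-endian layout is silently chosen on every target. Add `#include <endian.h>` before the `#if`, plus an `#else` branch with `#error "unknown byte order"` so an unrecognised platform fails to compile instead of miscompiling. The response arrays `cname`, `ns`, `mb`, `mx`, `soa_manme` and `soa_rname` in `dns_response_t` are `DNS_MAX_NAME` wide while `qname` and every name in `dns_rr_t` is `DNS_MAX_NAME + 1`, so a 255-character name cannot be stored there with its terminator and any `strlen` on those fields would run off the end; size them `DNS_MAX_NAME + 1` for consistency. The `#ifndef u_char` / `u_int16_t` / `u_int32_t` fallbacks define as macros names that `<sys/types.h>` provides as typedefs, which breaks compilation if a system header declaring them is included after this one; prefer `#include <sys/types.h>` and `<stdint.h>` over macro substitution.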
diff --git a/src/inc/ip_control.h b/src/inc/ip_control.h
new file mode 100644
index 0000000..c95f201
--- /dev/null
+++ b/src/inc/ip_control.h
@@ -0,0 +1,57 @@
+/*
+ * ip_control.h
+ *
+ * Created on: 2015年5月26日
+ * Author: byte
+ */
+
+#ifndef IP_CONTROL_H_
+#define IP_CONTROL_H_
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+#define IPC_WHITE_IP_TYPE 1
+#define IPC_BLACK_IP_TYPE 2
+
+typedef struct black_ip_t{
+ int thread_num;//线程号 仅DNS使用
+ int ip_type;//IP地址类型 IPC_WHITE_IP_TYPE/IPC_BLACK_IP_TYPE 仅DNS使用
+ int ip_num;//黑IP个数
+ unsigned int ipv4[MAX_IP_NUM];//解析出的IP地址 仅DNS使用
+}black_ip;
+
+typedef struct target_tag_t
+{
+ int type;//业务类型
+ int rule_id;//规则ID
+ short risk;//告警级别
+ char id[22];//唯一日志ID
+ black_ip *dns_ip;//仅DNS使用
+}target_tag;
+
+
+/*
+* name:make_ip_control_wblist
+* functionality:add white or black list
+* param:
+* [IN]:
+* stream:stream info
+* thread_num:the thread num
+* rule_id:Maat result config_id
+* risk:alarm risk
+* type:IPC_WHITE_IP_TYPE or IPC_BLACK_IP_TYPE
+* [OUT]: none
+* returns:
+* >0,success;
+* <=0, there is error
+* */
+//wblist:white black list
+int make_ip_control_wblist(struct streaminfo* stream,int thread_num,int rule_id,int risk,int type);
+
+#ifdef __cplusplus
+}
+#endif
+#endif /* IP_CONTROL_H_ */
diff --git a/src/inc/ip_jt.h b/src/inc/ip_jt.h
new file mode 100644
index 0000000..609efe0
--- /dev/null
+++ b/src/inc/ip_jt.h
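Review bot: ip_control.h and ip_jt.h (the next hunk) use the same include guard `IP_CONTROL_H_` and both define `black_ip` and `target_tag`, with `dns_ip` typed `black_ip *` here and `void *` in ip_jt.h; whichever header a translation unit includes first wins and the other is silently skipped, so the two struct layouts can diverge from file to file. Give ip_jt.h its own guard (`IP_JT_H_`) and keep a single definition of the shared structs in one header both include, or delete the copy this commit does not use (dns_jt_audit.h includes only ip_jt.h). Both headers also use `MAX_IP_NUM` without including dns_analyse.h, so they compile only when that header happens to precede them; add `#include "dns_analyse.h"` to each.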
@@ -0,0 +1,60 @@
+/*
+ * ip_control.h
+ *
+ * Created on: 2015年5月26日
+ * Author: byte
+ */
+
+#ifndef IP_CONTROL_H_
+#define IP_CONTROL_H_
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+#define IPC_WHITE_IP_TYPE 1
+#define IPC_BLACK_IP_TYPE 2
+
+typedef struct black_ip_t{
+ int thread_num;//线程号 仅DNS使用
+ int ip_type;//IP地址类型 IPC_WHITE_IP_TYPE/IPC_BLACK_IP_TYPE 仅DNS使用
+ int ip_num;//黑IP个数
+ unsigned int ipv4[MAX_IP_NUM];//解析出的IP地址 仅DNS使用
+}black_ip;
+
+typedef struct target_tag_t
+{
+ int type;//业务类型
+ int rule_id;//规则ID
+ short risk;//告警级别
+ char id[22];//唯一日志ID
+ void *dns_ip;//仅DNS使用
+}target_tag;
+
+
+/*
+* name:make_ip_control_wblist
+* functionality:add white or black list
+* param:
+* [IN]:
+* stream:stream info
+* thread_num:the thread num
+* rule_id:Maat result config_id
+* risk:alarm risk
+* type:IPC_WHITE_IP_TYPE or IPC_BLACK_IP_TYPE
+* [OUT]: none
+* returns:
+* >0,success;
+* <=0, there is error
+* */
+//wblist:white black list
+//int make_ip_control_wblist(struct streaminfo* stream,int thread_num,int rule_id,int risk,int type);
+int make_ip_control_wblist(black_ip* dns_black_ip,int rule_id,int risk);
+
+int ip_control_send_pkt(struct streaminfo *stream,target_tag *flow_tag,const void *raw_pkt,int thread_seq);
+
+#ifdef __cplusplus
+}
+#endif
+#endif /* IP_CONTROL_H_ */
diff --git a/src/inc/magellan_logger.h b/src/inc/magellan_logger.h
new file mode 100644
index 0000000..a73b836
--- /dev/null
+++ b/src/inc/magellan_logger.h
@@ -0,0 +1,88 @@
+/*
+*
+*interface:magellan's logger
+*the function of magellan_write_log is send the message which contains logrecord
+*
+*@xj
+*@2014-04-30
+*************************************************************************
+*@xj 2014-06-30
+*添加支持目的地址组和负载均衡功能
+*/
+
+#ifndef _SEND_LOG_H
+#define _SEND_LOG_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include <stdint.h>
+
+/*set type*/
+#define MAGELLAN_BALANCE_MAX_NUM (1) //类型int; ip负载均衡的日志条数,默认50万
+#define MAGELLAN_LOG_INTERVAL_TIME (2) //类型int; 内部统计信息输出的间隔时间,默认1分钟
+#define MAGELLAN_TCP_CONNECT_TIME_OUT (3) //类型int; tcp建立连接最大等待时间,默认5s
+#define MAGELLAN_KEEP_LIVE_CHECK_TIME (4) //类型int; 检测ip是否存在的时间,默认5分钟
+#define MAGELLAN_DEBUG_LOG_PATH (5) //类型char *; 打开保存发送成功的日志原始信息开关, 保存的路径
+#define MAGELLAN_THREAD_AMOUNT (6) //类型int; 支持多线程发送
+
+typedef struct _magellan_opt{
+ int opt_type;
+ int opt_len;
+ const void* opt_value;
+} magellan_opt_t;
+
+typedef struct _addr_list{
+ unsigned int ip_nr; //network
+ unsigned short port_nr; //network
+}addr_list_t ;
+
+typedef void * magellan_logger_t;
+
+/*
+* arguments:
+* arg1: MAGELLAN handle
+* arg2: set type (MAGELLAN_BALANCE_MAX_NUM ......)
+* arg3: set value
+* arg 4: value size
+* returns:
+* 成功时返回0, 失败时返回-1。
+*/
+int magellan_set (magellan_logger_t handle, int type, const char *value, int size);
+
+/*
+* arguments:
+* arg1:用户ID
+* arg2: 库表对应的ID
+* arg3:日志选项数组
+* arg 4: 选项的个数
+* arg 5:线程ID
+ * returns:
+ * 成功时返回发送长度,失败时返回小于0的值
+ * -1, 构造日志信息失败
+ * -2, 发送失败
+ * -3, 发送的长度和真实长度不相等
+ * -4,ip不存在或port未监听
+ * -5,线程ID超过最大值
+*/
+int32_t magellan_write_log(magellan_logger_t handle, const int user_id, const int table_id,magellan_opt_t* opt_array,int opt_num, int th_id);
+
+/*
+*
+* arguments:
+* arg1: 目的地址组, ip和port为网络字节序
+* arg2: 目的地址的个数
+* arg3: MESA_run_time_log 的句柄,为NULL时表示不写日志;5分钟统计一次
+* returns:
+* ,失败时返回NULL
+*/
+magellan_logger_t magellan_logger_init(addr_list_t *dst_addr, int dst_addr_num, void *run_time_log_handle);
+
+void magellan_logger_destroy (magellan_logger_t handle);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/src/inc/qdjcq_magellan_id.h b/src/inc/qdjcq_magellan_id.h
new file mode 100644
index 0000000..419f88c
--- /dev/null
+++ b/src/inc/qdjcq_magellan_id.h
@@ -0,0 +1,187 @@
+#ifndef __QDJCQ_MAGELLAN_ID_H__
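Review bot: The include guard `_SEND_LOG_H` is a reserved identifier (leading underscore followed by an uppercase letter) and does not match the file name; use `MAGELLAN_LOGGER_H`, and likewise drop the leading underscores from the struct tags `_magellan_opt` and `_addr_list`. The comments on `magellan_set`, `magellan_write_log` and `magellan_logger_init` are the only documentation of the public interface and mix Chinese and English; they should become English Doxygen blocks, in particular the return-code list of `magellan_write_log` (`-1` building the log record failed, `-2` send failed, `-3` bytes sent differ from record length, `-4` ip unreachable or port not listening, `-5` thread id above the maximum) and the note that `addr_list_t.ip_nr`/`port_nr` are in network byte order. `magellan_set` declares `value` as `const char *` although the option comments say types 1–4 and 6 carry an `int` and only `MAGELLAN_DEBUG_LOG_PATH` a path; `const void *value`, matching `magellan_opt_t.opt_value`, would state that honestly, and the comment should say what `size` must be for each option type.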
+#define __QDJCQ_MAGELLAN_ID_H__
+
+#define MAX_OPT_VALUE_LEN 10485760
+
+//ѡ��ID
+#define MAGELLAN_OPT_ID 1
+#define MAGELLAN_OPT_BUSINESS_DETECT_ID 2
+#define MAGELLAN_OPT_NAME 3
+#define MAGELLAN_OPT_STATUS 4
+#define MAGELLAN_OPT_SUBMODULE_NAME 5
+#define MAGELLAN_OPT_SUBMODULE_STATUS 6
+#define MAGELLAN_OPT_SUBMODULE_VERSION 7
+#define MAGELLAN_OPT_SUBMODULE_WARNING 8
+#define MAGELLAN_OPT_INSERT_TIME 9
+#define MAGELLAN_OPT_CAP_TIME 10
+#define MAGELLAN_OPT_FILENAME 11
+#define MAGELLAN_OPT_FILEPATH 12
+#define MAGELLAN_OPT_CHECKSUM 13
+#define MAGELLAN_OPT_FILESIZE 14
+#define MAGELLAN_OPT_FILETYPE 15
+#define MAGELLAN_OPT_PROTOCOL 16
+#define MAGELLAN_OPT_ACCOUNT 17
+#define MAGELLAN_OPT_DOMAIN 18
+#define MAGELLAN_OPT_SYSTEM_DETECT_ID 19
+#define MAGELLAN_OPT_PHYSICAL_ID 20
+#define MAGELLAN_OPT_CPU_USAGE 21
+#define MAGELLAN_OPT_RULE_ID 22
+#define MAGELLAN_OPT_NUM 23
+#define MAGELLAN_OPT_SIP 24
+#define MAGELLAN_OPT_SPORT 25
+#define MAGELLAN_OPT_SMAC 26
+#define MAGELLAN_OPT_DIP 27
+#define MAGELLAN_OPT_DPORT 28
+#define MAGELLAN_OPT_DMAC 29
+#define MAGELLAN_OPT_ALERT_TYPE 30
+#define MAGELLAN_OPT_ALERT_POLICY 31
+#define MAGELLAN_OPT_ALERT_DESC 32
+#define MAGELLAN_OPT_RISK 33
+#define MAGELLAN_OPT_ATTACK_TYPE 34
+#define MAGELLAN_OPT_APPLICATION 35
+#define MAGELLAN_OPT_OS 36
+#define MAGELLAN_OPT_IS_UPLOAD 37
+#define MAGELLAN_OPT_PWD 38
+#define MAGELLAN_OPT_TRANS_DIR 39
+#define MAGELLAN_OPT_PLUGIN_ID 40
+#define MAGELLAN_OPT_CPU_RANGE 41
+#define MAGELLAN_OPT_MEM_RANGE 42
+#define MAGELLAN_OPT_MEM_USAGE 43
+#define MAGELLAN_OPT_DISK_UASAGE 44
+#define MAGELLAN_OPT_APP 45
+#define MAGELLAN_OPT_TIME 46
+#define MAGELLAN_OPT_REQUEST 47
+#define MAGELLAN_OPT_RESPONSE 48
+#define MAGELLAN_OPT_UPTIME 49
+#define MAGELLAN_OPT_SOFT_VERSION 50
+#define MAGELLAN_OPT_MALWARE_TYPE 51
+#define MAGELLAN_OPT_MALWARE_NAME 52
+#define MAGELLAN_OPT_PROTO_INFO 53
+#define MAGELLAN_OPT_TROJAN_ID 54
+#define MAGELLAN_OPT_TROJAN_NAME 55
+#define MAGELLAN_OPT_TROJAN_TYPE 56
+#define MAGELLAN_OPT_DESC 57
+#define MAGELLAN_OPT_URL 58
+#define MAGELLAN_OPT_METHOD 59
+#define MAGELLAN_OPT_RET_CODE 60
+#define MAGELLAN_OPT_USER_AGENT 61
+#define MAGELLAN_OPT_COOKIE 62
+#define MAGELLAN_OPT_SERVER 63
+#define MAGELLAN_OPT_REFER 64
+#define MAGELLAN_OPT_MEM 65
+#define MAGELLAN_OPT_DISK 66
+#define MAGELLAN_OPT_FINGER 67
+#define MAGELLAN_OPT_COUNTRY 68
+#define MAGELLAN_OPT_ORGANIZE 69
+#define MAGELLAN_OPT_CNAME 70
+#define MAGELLAN_OPT_SNI 71
+#define MAGELLAN_OPT_UORGANIZE 72
+#define MAGELLAN_OPT_UCNAME 73
+#define MAGELLAN_OPT_DNS 74
+#define MAGELLAN_OPT_DOMAIN_IP 75
+#define MAGELLAN_OPT_EVENT_TYPE 76
+#define MAGELLAN_OPT_MSG 77
+#define MAGELLAN_OPT_IP 78
+#define MAGELLAN_OPT_USER 79
+#define MAGELLAN_OPT_PROGRAM 80
+#define MAGELLAN_OPT_OBJECT 81
+#define MAGELLAN_OPT_RESULT 82
+#define MAGELLAN_OPT_SM_INPATH 83
+#define MAGELLAN_OPT_SM_SUMMARY 84
+#define MAGELLAN_OPT_SM_DESC 85
+#define MAGELLAN_OPT_XM_DIR 86
+#define MAGELLAN_OPT_PROTOCOL_TYPE 87
+#define MAGELLAN_OPT_PROTOCOL_ID 88
+#define MAGELLAN_OPT_SENDER 89
+#define MAGELLAN_OPT_RECEIVER 90
+#define MAGELLAN_OPT_MSG_CONTENT 91
+#define MAGELLAN_OPT_TCP_FLAG 92
+#define MAGELLAN_OPT_IN_BYTES 93
+#define MAGELLAN_OPT_OUT_BYTES 94
+#define MAGELLAN_OPT_IN_PKTS 95
+#define MAGELLAN_OPT_OUT_PKTS 96
+#define MAGELLAN_OPT_START_TIME 97
+#define MAGELLAN_OPT_END_TIME 98
+#define MAGELLAN_OPT_INTERFACE_SEQ 99
+#define MAGELLAN_OPT_INTERFACE_FLAG 100
+#define MAGELLAN_OPT_INTERFACE_STAT 101
+#define MAGELLAN_OPT_INTERFACE_FLOW 102
+#define MAGELLAN_OPT_INTERFACE_ERROR 103
+#define MAGELLAN_OPT_INTERFACE_DROP 104
+#define MAGELLAN_OPT_DURATION_TIME 105
+#define MAGELLAN_OPT_CC 106
+#define MAGELLAN_OPT_BCC 107
+#define MAGELLAN_OPT_SUBJECT 108
+#define MAGELLAN_OPT_AUTHINFO 109
+#define MAGELLAN_OPT_ATTACHMENT 110
+#define MAGELLAN_OPT_MAIL_CONTENT 111
+#define MAGELLAN_OPT_ATTACHMENT_NAME 112
+#define MAGELLAN_OPT_PLUGIN_VERSION 113
+#define MAGELLAN_OPT_PLUGIN_POLICY_VERSION 114
+#define MAGELLAN_OPT_PLUG_ID 115
+
+//AUTHINFO����ʱ��ʹ��
+#define MAGELLAN_OPT_MAIL_FROM 116
+#define MAGELLAN_OPT_RCPT_TO 117
+#define MAGELLAN_OPT_EHLO 118
+
+
+//�ļ�/PCAPѡ��
+#define MAGELLAN_OPT_STREAM_START 200
+#define MAGELLAN_OPT_STREAM_CONT 201
+#define MAGELLAN_OPT_STREAM_END 202
+
+#define MAGELLAN_OPT_PCAP_START MAGELLAN_OPT_STREAM_START
+#define MAGELLAN_OPT_PCAP_CONT MAGELLAN_OPT_STREAM_CONT
+#define MAGELLAN_OPT_PCAP_END MAGELLAN_OPT_STREAM_END
+
+//��ID
+#define TABID_BUSINESS_MODULE_DETECT_INFO 1
+#define TABID_COMPRESS_ALARM_FILE 2
+#define TABID_KEYWORD_ALARM_FILE 3
+#define TABID_SM_NETDISK_ELEMENT 4
+#define TABID_SYSTEM_CPU_DETECT_INFO 5
+#define TABID_DOMAIN_LISTEN_FILE 9 //9
+#define TABID_ABNORMAL_ALARM 7
+#define TABID_IP_LISTEN_FILE 8
+#define TABID_ATTACK_ALARM 6
+#define TABID_URL_LISTEN_FILE 10 //10
+#define TABID_SM_FILETRANSFER_ELEMENT 38
+#define TABID_SYSTEM_PLUGIN_DETECT_INFO 12
+#define TABID_DNS_AUDIT_LOG 13
+#define TABID_MALWARE_ALARM_FILE 14
+#define TABID_BUSINESS_DETECT_INFO 15
+#define TABID_MALWARE_ALARM 16
+#define TABID_TROJAN_ALARM 17
+#define TABID_FILE_TRNS_AUDIT_LOG 18
+#define TABID_ATTACK_ALARM_FILE 19
+#define TABID_SM_HTTP_ELEMENT 20
+#define TABID_SENSITIVE_ALARM_FILE 21
+#define TABID_SYSTEM_DETECT_INFO 22
+#define TABID_SSL_AUDIT_LOG 23
+#define TABID_DOMAIN_LISTEN_ALARM 24
+#define TABID_ABNORMAL_FILE 25
+#define TABID_URL_LISTEN_ALARM 26
+#define TABID_BUSINESS_SUSPECTED_DETECT_INFO 27
+#define TABID_SYSTEM_AUDIT_LOG 28
+#define TABID_TROJAN_ALARM_FILE 29
+#define TABID_SM_CONTENT_ALARM 30
+#define TABID_SM_IM_ELEMENT 31
+#define TABID_PICTURE_ALARM_FILE 32
+#define TABID_NET_AUDIT 33
+#define TABID_BUSINESS_INTERFACE_DETECT_INFO 34
+#define TABID_SM_EMAIL_ELEMENT 35
+#define TABID_STYLE_ALARM_FILE 36
+#define TABID_MAIL_AUDIT_LOG 37
+#define TABID_ACCOUNT_LISTEN_FILE 11 //11
+#define TABID_WEB_AUDIT_LOG 39
+#define TABID_ENCRYPT_ALARM_FILE 40
+#define TABID_ACCOUNT_LISTEN_ALARM 41
+#define TABID_BUSINESS_PLUGIN_DETECT_INFO 42
+#define TABID_IP_LISTEN_ALARM 43
+#define TABID_PLUG_STATUS_INFO 44
+
+//�û�ID
+#define QDJCQ_MGLL_USERID 1
+
+#endif
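Review bot: The include guard `__QDJCQ_MAGELLAN_ID_H__` uses double underscores, which are reserved for the implementation in both C and C++; `QDJCQ_MAGELLAN_ID_H` is safe. The five comment lines starting with `//ѡ��ID` are mis-encoded — this header was apparently saved in a legacy code page while the other headers in the commit are UTF-8 — so they are unreadable as committed; re-save as UTF-8 or, better, replace them with English (`// option IDs`, `// table IDs`, `// user ID` is presumably what the surrounding defines mean). `MAGELLAN_OPT_DISK_UASAGE` is a typo in a public name; since renaming would break existing users, add `#define MAGELLAN_OPT_DISK_USAGE MAGELLAN_OPT_DISK_UASAGE` beside it and keep the old name. The `TABID_*` values are not in numeric order (9, 7, 8, 6, 10, 38, 12, …, with 11 at `TABID_ACCOUNT_LISTEN_FILE`), which hides accidental duplicates from a reader; sort them by value, and say in a comment what `MAX_OPT_VALUE_LEN 10485760` bounds (presumably the byte length of one option value).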
