-rwxr-xr-xbin/http_jt_audit.sobin0 -> 38120 bytes
-rw-r--r--src/Makefile37
-rw-r--r--src/http_jt_audit.cpp505
-rw-r--r--src/http_jt_audit.h77
-rw-r--r--src/inc/DocumentAnalyze.h235
-rw-r--r--src/inc/dj_rule.h69
-rw-r--r--src/inc/qdjcq_magellan_id.h187
7 files changed, 1110 insertions, 0 deletions
diff --git a/bin/http_jt_audit.so b/bin/http_jt_audit.so
new file mode 100755
index 0000000..dea9972
--- /dev/null
+++ b/bin/http_jt_audit.so
Binary files differ
diff --git a/src/Makefile b/src/Makefile
new file mode 100644
index 0000000..2206209
--- /dev/null
+++ b/src/Makefile
@@ -0,0 +1,37 @@
+CC = g++
+CFLAGS = -Wall -g -fPIC
+INC = -I./inc/
+LIBS = -lMESA_handle_logger -lMESA_prof_load
+OBJS = http_jt_audit.o
+TARGET = http_jt_audit.so
+PAPP_PATH=/home/dj/sapp_run
+PLUGIN_PATH=./plug/business
+CONFLIST_NAME=conflist_business.inf
+PLUGIN_DIR_NAME=http_jt_audit
+PLUGIN_INF_NAME=http_jt_audit.inf
+
+TARGET_DIR=$(PAPP_PATH)/$(PLUGIN_PATH)/$(PLUGIN_DIR_NAME)/
+INSERT_FILE=$(PAPP_PATH)/$(PLUGIN_PATH)/$(CONFLIST_NAME)
+INSERT_CONTENT=$(PLUGIN_PATH)/$(PLUGIN_DIR_NAME)/$(PLUGIN_INF_NAME)
+
+
+.cpp.o:
+ $(CC) -c $(INC) $(CFLAGS) $<
+
+all: $(TARGET)
+
+
+$(TARGET): $(OBJS)
+ $(CC) -O2 -o $@ $^ $(LIBS) -shared -fPIC
+ cp $(TARGET) ../bin/
+
+install:
+ mkdir -p $(TARGET_DIR)
+ cp -r ../bin/jt_http_plug.so $(TARGET_DIR)
+ cp -r ../bin/jt_http_plug.inf $(TARGET_DIR)
+ @ret=`cat $(INSERT_FILE)|grep $(INSERT_CONTENT)|wc -l`;if [ $$ret -eq 0 ];then echo $(INSERT_CONTENT) >>$(INSERT_FILE);fi
+
+.PHONY:clean
+
+clean:
+ -rm -rf $(OBJS) $(TARGET)
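Review bot: The `install` target copies `../bin/jt_http_plug.so` and `../bin/jt_http_plug.inf`, but this Makefile builds `$(TARGET)` = `http_jt_audit.so` and registers `$(PLUGIN_INF_NAME)` = `http_jt_audit.inf`, so install either fails or deploys a stale artifact under the old name while the conflist points at a file that was never copied. Use the variables instead: `cp ../bin/$(TARGET) $(TARGET_DIR)` and `cp ../bin/$(PLUGIN_INF_NAME) $(TARGET_DIR)`. Separately, `-O2` appears only on the link line, so the object is compiled unoptimised. For a plugin that parses network traffic I would put the optimisation level in `CFLAGS` and add `-Wextra -fstack-protector-strong -D_FORTIFY_SOURCE=2` there.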
diff --git a/src/http_jt_audit.cpp b/src/http_jt_audit.cpp
new file mode 100644
index 0000000..e4680ba
--- /dev/null
+++ b/src/http_jt_audit.cpp
@@ -0,0 +1,505 @@
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <dlfcn.h>
+#include <arpa/inet.h>
+#include <time.h>
+
+#include <MESA/stream.h>
+#include <MESA/http.h>
+#include <MESA/MESA_handle_logger.h>
+#include <MESA/MESA_prof_load.h>
+#include <MESA/magellan_logger.h>
+
+#include "inc/qdjcq_magellan_id.h"
+#include "inc/dj_rule.h"
+#include "http_jt_audit.h"
+
+const char HTTP_JT_AUDIT_VERSION_20170721 = 0;
+
+g_jt_aduit_http_info_t g_jt_aduit_http_info;
+const char *g_conf_file_path = "./djconf/http_jt_audit.conf";
+const char *module_name = "JT_HTTP_PLUG";
+
+const char *register_table_name[REGISTER_TABLE_NUM] = {"URL_PZ"};
+unsigned short http_file_sequence = 0;
+
+#ifndef atomic_read
+#define atomic_read(x) __sync_add_and_fetch((x),0)
+#endif
+
+#ifndef atomic_add
+#define atomic_add(x,y) __sync_add_and_fetch((x),(y))
+#endif
+
+#ifndef atomic_set
+#define atomic_set(x,y) __sync_lock_test_and_set((x),y)
+#endif
+
+void free_project_req(int thread_seq, void *project_req)
+{
+ if(project_req != NULL)
+ {
+ dictator_free(thread_seq, project_req);
+ project_req = NULL;
+ }
+
+}
+
+void http_free_magellan_opt(magellan_opt_t *m_opt, int thread_seq)
+{
+ if(m_opt->opt_value != NULL)
+ {
+ dictator_free(thread_seq, (void *)m_opt->opt_value);
+ m_opt->opt_value = NULL;
+ }
+}
+
+void http_time_to_string(char *time_str, unsigned int time_str_len)
+{
+ time_t t;
+ time(&t);
+ dj_thread_safe_ctime(&t, time_str, time_str_len);
+}
+
+int http_get_magellan_opt(magellan_opt_t *m_opt, int count, char *buf, int buflen, int type, int thread_seq)
+{
+ if(buf == NULL || buflen == 0)
+ {
+ return 0;
+ }
+
+ if(count >= SEND_LOG_MAGELLAN_OPT_NUM)
+ return 0;
+
+ m_opt->opt_len= buflen;
+ m_opt->opt_type= type;
+ m_opt->opt_value= (char *)dictator_malloc(thread_seq, m_opt->opt_len);
+ memcpy((void *)m_opt->opt_value, (void *)buf, buflen);
+
+ return 1;
+}
+
+int get_tuple4_opt(magellan_opt_t **opt, struct streaminfo *a_tcp, int thread_seq)
+{
+ int ret = -1, index = 0;
+ char mac_str[32], ip_str[32];
+ void *out_value = NULL;
+ struct layer_addr_ipv4 *ipv4 = NULL;
+ struct layer_addr_mac *mac = NULL;
+
+ ret = get_rawpkt_opt_from_streaminfo(a_tcp, RAW_PKT_GET_DATA, out_value);
+ if(ret < 0)
+ {
+ MESA_handle_runtime_log(g_jt_aduit_http_info.runlog, RLOG_LV_FATAL, "GET_TUPLE$_OPT", "No support get MAC ...");
+ return -1;
+ }
+
+ mac = (struct layer_addr_mac *)out_value;
+ //½«¿É±ä¸ö²ÎÊý°´ÕÕformat¸ñʽ»¯³É×Ö·û´®
+ snprintf(mac_str, 32, "%02x-%02x-%02x-%02x-%02x-%02x", mac->dst_mac[0], mac->dst_mac[1],
+ mac->dst_mac[2], mac->dst_mac[3], mac->dst_mac[4], mac->dst_mac[5]);
+ index+=http_get_magellan_opt(opt[index],index,mac_str,strlen(mac_str), MAGELLAN_OPT_DMAC, thread_seq);
+
+ snprintf(mac_str, 32, "%02x-%02x-%02x-%02x-%02x-%02x", mac->src_mac[0], mac->src_mac[1],
+ mac->src_mac[2], mac->src_mac[3], mac->src_mac[4], mac->src_mac[5]);
+ index+=http_get_magellan_opt(opt[index],index,mac_str,strlen(mac_str), MAGELLAN_OPT_SMAC, thread_seq);
+
+ if(a_tcp->addr.addrtype == ADDR_TYPE_IPV4)
+ {
+ ipv4 = a_tcp->addr.ipv4;
+ inet_ntop(AF_INET, (const void *)&ipv4->daddr, ip_str, sizeof(ip_str));
+ index+=http_get_magellan_opt(opt[index],index, ip_str,strlen(ip_str), MAGELLAN_OPT_DIP, thread_seq);
+ index+=http_get_magellan_opt(opt[index],index, (char *)&ipv4->dest, sizeof(ipv4->dest), MAGELLAN_OPT_DPORT, thread_seq);
+ inet_ntop(AF_INET, (const void *)&ipv4->saddr, ip_str, sizeof(ip_str));
+ index+=http_get_magellan_opt(opt[index],index, ip_str,strlen(ip_str), MAGELLAN_OPT_SIP, thread_seq);
+ index+=http_get_magellan_opt(opt[index],index, (char *)&ipv4->source, sizeof(ipv4->source), MAGELLAN_OPT_SPORT, thread_seq);
+ }
+
+ return index;
+}
+
+int http_init_process_context(process_context_t **process_context, int thread_seq)
+{
+ process_context_t *context = (process_context_t *)dictator_malloc(thread_seq, sizeof(process_context_t));
+ memset(context, 0 , sizeof(process_context_t));
+
+ *process_context = context;
+
+ return 1;
+}
+
+void http_destroy_process_context(process_context_t *process_context, int thread_seq)
+{
+ int i = 0;
+
+ if(process_context->m_opt_index != 0)
+ {
+ for(i = 0; i < process_context->m_opt_index; i++)
+ {
+ http_free_magellan_opt(&(process_context->m_opt[i]), thread_seq);
+ }
+ }
+
+ dictator_free(thread_seq,process_context);
+ process_context = NULL;
+}
+
+ unsigned char JT_AUDIT_HTTP_PLUG_ENTRY(stSessionInfo* session_info, void **param, int thread_seq, struct streaminfo *a_tcp, void *a_packet)
+ {
+ int ret = PROT_STATE_GIVEME;
+ int found_pos = 0, file_seq = 0, i = 0;
+ time_t alarm_time;
+ char *method = NULL;
+ const char *transf_proto = "TCP";
+ const char *app_proto = "http";
+ scan_status_t scan_mid = NULL;
+ target_tag *tag = NULL;
+ struct Maat_rule_t scan_result[MAX_RESULT_NUM];
+ struct http_infor_t *http_info = (http_infor *)session_info->app_info;
+ process_context_t *context = (process_context_t *)*param;
+ char nothing[] = "NULL";
+ char *nothing_p = nothing;
+ char buffer_url[1024] = {0};
+ char domain[1024] = {0};
+ int opt_index = 0;
+
+ if(*param == NULL)
+ {
+ if((http_init_process_context(&context, thread_seq)) < 0)
+ {
+ MESA_handle_runtime_log(g_jt_aduit_http_info.runlog, RLOG_LV_FATAL, module_name, "<%s>%d: init_process_context failed ...", __FILE__, __LINE__);
+ return PROT_STATE_DROPME;
+ }
+ *param = context;
+ }
+
+ switch(session_info->prot_flag)
+ {
+ case HTTP_REQ_LINE:
+ method = (char *)http_get_method(http_info->method);
+ context->m_opt_index+=http_get_magellan_opt(&context->m_opt[context->m_opt_index],context->m_opt_index,
+ method, strlen(method), MAGELLAN_OPT_METHOD, thread_seq);
+ context->method_check = 1;
+ break;
+ case HTTP_RES_LINE:
+ context->m_opt_index+=http_get_magellan_opt(&context->m_opt[context->m_opt_index],context->m_opt_index,
+ (char *)&http_info->res_code, sizeof(http_info->res_code), MAGELLAN_OPT_RET_CODE, thread_seq);
+ context->res_code_check = 1;
+ break;
+ case HTTP_HOST:
+ if(session_info->buflen != 0)
+ context->domain_check = 1;
+ context->m_opt_index+=http_get_magellan_opt(&context->m_opt[context->m_opt_index],context->m_opt_index,
+ (char *)session_info->buf, session_info->buflen, MAGELLAN_OPT_DOMAIN, thread_seq);
+ break;
+ case HTTP_MESSAGE_URL:
+ if(session_info->buflen != 0)
+ context->url_check = 1;
+
+ context->m_opt_index+=http_get_magellan_opt(&context->m_opt[context->m_opt_index],context->m_opt_index,
+ (char *)session_info->buf, session_info->buflen, MAGELLAN_OPT_URL, thread_seq);
+
+ context->hit_config_num = Maat_full_scan_string(g_dj_feather,
+ g_jt_aduit_http_info.table_id[REGISTER_TABLE_URL_PZ],
+ CHARSET_NONE,
+ (const char *)session_info->buf,
+ session_info->buflen,
+ scan_result,
+ &found_pos,
+ MAX_RESULT_NUM,
+ &scan_mid,
+ thread_seq
+ );
+ Maat_clean_status(&scan_mid);
+ /*if(context->hit_config_num <= 0)
+ {
+ ret = PROT_STATE_DROPME;
+ //break;
+ }*/
+
+ tag = (target_tag *)dictator_malloc(thread_seq, sizeof(target_tag));
+ memset(tag, 0, sizeof(target_tag));
+
+ for(i = 0; i < context->hit_config_num; i++)
+ {
+ if((scan_result[i].action == 1))
+ {
+ if(context->do_blacklist == 0)
+ {
+ tag->risk = scan_result[i].do_log;
+ }
+ else
+ {
+ if(scan_result[i].do_log >= tag->risk)
+ {
+ tag->risk = scan_result[i].do_log;
+ }
+ }
+ tag->type = scan_result[i].service_id;
+ tag->rule_id = scan_result[i].config_id;
+ context->do_blacklist = scan_result[i].action;
+ }
+
+ }
+ //白名单逻辑,直接break并释放tag,退出
+ if(context->do_blacklist == 0 && context->hit_config_num > 0)
+ {
+ if(tag != NULL)
+ {
+ dictator_free(thread_seq,tag);
+ tag = NULL;
+ }
+ http_destroy_process_context(context, thread_seq);
+ *param = NULL;
+ ret = PROT_STATE_DROPME;
+ return ret;
+ }
+
+
+
+ if(context->do_blacklist > 0)
+ {
+ atomic_add(&http_file_sequence, 1);
+ file_seq = atomic_read(&http_file_sequence);
+ alarm_time = time(NULL);
+ snprintf(tag->id, sizeof(tag->id), "%u%lu%u", TABID_URL_LISTEN_ALARM, alarm_time, file_seq);
+
+ project_req_add_struct(a_tcp, g_jt_aduit_http_info.label_id, (void *)tag);
+ context->m_opt_index+=http_get_magellan_opt(&context->m_opt[context->m_opt_index],context->m_opt_index,
+ tag->id, strlen(tag->id), MAGELLAN_OPT_ID, thread_seq);
+ context->m_opt_index+=http_get_magellan_opt(&context->m_opt[context->m_opt_index],context->m_opt_index,
+ (char *)&tag->rule_id, sizeof(tag->rule_id), MAGELLAN_OPT_RULE_ID, thread_seq);
+ context->m_opt_index+=http_get_magellan_opt(&context->m_opt[context->m_opt_index],context->m_opt_index,
+ (char *)&tag->risk, sizeof(tag->risk), MAGELLAN_OPT_RISK, thread_seq);
+
+ context->m_opt_index+=http_get_magellan_opt(&context->m_opt[context->m_opt_index],context->m_opt_index,
+ (char *)&alarm_time, sizeof(alarm_time), MAGELLAN_OPT_CAP_TIME, thread_seq);
+ }
+ /*if(tag !=NULL)
+ {
+ dictator_free(thread_seq,tag);
+ tag = NULL;
+ }*/
+
+ break;
+ case HTTP_USER_AGENT:
+ context->m_opt_index+=http_get_magellan_opt(&context->m_opt[context->m_opt_index],context->m_opt_index,
+ (char *)session_info->buf, session_info->buflen, MAGELLAN_OPT_USER_AGENT, thread_seq);
+ context->user_agent_check = 1;
+ break;
+ case HTTP_COOKIE:
+ context->m_opt_index+=http_get_magellan_opt(&context->m_opt[context->m_opt_index],context->m_opt_index,
+ (char *)session_info->buf, session_info->buflen, MAGELLAN_OPT_COOKIE, thread_seq);
+ context->cookie_check = 1;
+ break;
+ case HTTP_SERVER:
+ context->m_opt_index+=http_get_magellan_opt(&context->m_opt[context->m_opt_index],context->m_opt_index,
+ //(char *)session_info->buf, strlen((char *)session_info->buf), MAGELLAN_OPT_SERVER, thread_seq);
+ (char *)session_info->buf, session_info->buflen, MAGELLAN_OPT_SERVER, thread_seq);
+ context->server_check = 1;
+ break;
+ case HTTP_REFERER:
+ context->m_opt_index+=http_get_magellan_opt(&context->m_opt[context->m_opt_index],context->m_opt_index,
+ (char *)session_info->buf, session_info->buflen, MAGELLAN_OPT_REFER, thread_seq);
+ context->refer_check = 1;
+ break;
+ default:
+ break;
+ }
+
+ if((session_info->session_state&SESSION_STATE_CLOSE) || (ret&PROT_STATE_DROPME))
+ {
+ if(context->hit_config_num > 0 && context->do_blacklist > 0)//ÃüÖÐÇÒÖ»ÒªÓкÚÃûµ¥£¬Éó¼ÆÕìÌý¶¼¼Ç¼
+ {
+ //domain
+
+ if(context->method_check==0)
+ context->m_opt_index+=http_get_magellan_opt(&context->m_opt[context->m_opt_index],context->m_opt_index,nothing_p, strlen(nothing_p), MAGELLAN_OPT_METHOD, thread_seq);
+
+ if(context->res_code_check==0)
+ context->m_opt_index+=http_get_magellan_opt(&context->m_opt[context->m_opt_index],context->m_opt_index,(char *)&context->res_code_check, sizeof(int), MAGELLAN_OPT_RET_CODE, thread_seq);
+
+ if(context->user_agent_check==0)
+ context->m_opt_index+=http_get_magellan_opt(&context->m_opt[context->m_opt_index],context->m_opt_index, nothing_p, strlen(nothing_p), MAGELLAN_OPT_USER_AGENT, thread_seq);
+
+ if(context->cookie_check==0)
+ context->m_opt_index+=http_get_magellan_opt(&context->m_opt[context->m_opt_index],context->m_opt_index, nothing_p, strlen(nothing_p), MAGELLAN_OPT_COOKIE, thread_seq);
+
+ if(context->server_check==0)
+ context->m_opt_index+=http_get_magellan_opt(&context->m_opt[context->m_opt_index],context->m_opt_index, nothing_p, strlen(nothing_p), MAGELLAN_OPT_SERVER, thread_seq);
+
+ if(context->refer_check==0)
+ context->m_opt_index+=http_get_magellan_opt(&context->m_opt[context->m_opt_index],context->m_opt_index, nothing_p, strlen(nothing_p), MAGELLAN_OPT_REFER, thread_seq);
+
+ if(context->domain_check == 0)
+ {
+ opt_index = context->m_opt_index;
+ for(i = 0; i < opt_index; i++)
+ {
+ if(context->m_opt[i].opt_type == MAGELLAN_OPT_URL)
+ {
+ int j = 0;
+ if(context->m_opt[i].opt_len > 1024)
+ {
+ memcpy(buffer_url,context->m_opt[i].opt_value,1024);
+ }
+ else
+ {
+ memcpy(buffer_url,context->m_opt[i].opt_value,context->m_opt[i].opt_len);
+ }
+ int len_url = strlen(buffer_url);
+ for(j = 0;j<len_url;j++)
+ {
+ if(buffer_url[j] - 0 == 47)
+ break;
+ domain[j] = buffer_url[j];
+ }
+ }
+ }
+ if(strlen(domain) == 0)
+ context->m_opt_index+=http_get_magellan_opt(&context->m_opt[context->m_opt_index],context->m_opt_index, nothing_p, strlen(nothing_p), MAGELLAN_OPT_DOMAIN, thread_seq);
+ else
+ context->m_opt_index+=http_get_magellan_opt(&context->m_opt[context->m_opt_index],context->m_opt_index,domain, strlen(domain), MAGELLAN_OPT_DOMAIN, thread_seq);
+
+ }
+
+ char cur_time_str[20] = {0};
+ http_time_to_string(cur_time_str, sizeof(cur_time_str));
+ context->m_opt_index+=http_get_magellan_opt(&context->m_opt[context->m_opt_index],context->m_opt_index,
+ cur_time_str,strlen(cur_time_str),MAGELLAN_OPT_TIME,thread_seq);
+ time_t captime = time(NULL);
+ context->m_opt_index+=http_get_magellan_opt(&context->m_opt[context->m_opt_index],context->m_opt_index,
+ (char *)&captime,sizeof(time_t),MAGELLAN_OPT_CAP_TIME,thread_seq);
+ dj_magellan_write_log(a_tcp, QDJCQ_MGLL_USERID, TABID_URL_LISTEN_ALARM, context->m_opt, context->m_opt_index, thread_seq);
+ context->m_opt_index+=http_get_magellan_opt(&context->m_opt[context->m_opt_index],context->m_opt_index,
+ (char *)transf_proto, strlen(transf_proto)+1, MAGELLAN_OPT_PROTOCOL, thread_seq);
+ context->m_opt_index+=http_get_magellan_opt(&context->m_opt[context->m_opt_index],context->m_opt_index,
+ (char *)app_proto, strlen(app_proto)+1, MAGELLAN_OPT_APP, thread_seq);
+ dj_magellan_write_log(a_tcp, QDJCQ_MGLL_USERID, TABID_WEB_AUDIT_LOG, context->m_opt, context->m_opt_index, thread_seq);
+
+ }
+ else if(context->hit_config_num > 0 && context->do_blacklist == 0)//Èç¹ûÈ«°×£¬NULL
+ {
+ MESA_handle_runtime_log(g_jt_aduit_http_info.runlog, RLOG_LV_FATAL, "http_jt_audit", "filter ...");
+ }
+ else//Èç¹ûûÓÐÃüÖУ¬Ö»Êä³öÉó¼ÆÈÕÖ¾
+ {
+ char cur_time_str[20] = {0};
+ http_time_to_string(cur_time_str, sizeof(cur_time_str));
+ context->m_opt_index+=http_get_magellan_opt(&context->m_opt[context->m_opt_index],context->m_opt_index,
+ cur_time_str,strlen(cur_time_str),MAGELLAN_OPT_TIME,thread_seq);
+
+ if(context->url_check == 0)
+ context->m_opt_index+=http_get_magellan_opt(&context->m_opt[context->m_opt_index],context->m_opt_index,nothing_p, strlen(nothing_p), MAGELLAN_OPT_URL, thread_seq);
+
+ if(context->method_check==0)
+ context->m_opt_index+=http_get_magellan_opt(&context->m_opt[context->m_opt_index],context->m_opt_index,nothing_p, strlen(nothing_p), MAGELLAN_OPT_METHOD, thread_seq);
+
+ if(context->res_code_check==0)
+ context->m_opt_index+=http_get_magellan_opt(&context->m_opt[context->m_opt_index],context->m_opt_index,(char *)&context->res_code_check, sizeof(int), MAGELLAN_OPT_RET_CODE, thread_seq);
+
+ if(context->user_agent_check==0)
+ context->m_opt_index+=http_get_magellan_opt(&context->m_opt[context->m_opt_index],context->m_opt_index,nothing_p, strlen(nothing_p), MAGELLAN_OPT_USER_AGENT, thread_seq);
+
+ if(context->cookie_check==0)
+ context->m_opt_index+=http_get_magellan_opt(&context->m_opt[context->m_opt_index],context->m_opt_index,nothing_p, strlen(nothing_p), MAGELLAN_OPT_COOKIE, thread_seq);
+
+ if(context->server_check==0)
+ context->m_opt_index+=http_get_magellan_opt(&context->m_opt[context->m_opt_index],context->m_opt_index,nothing_p, strlen(nothing_p), MAGELLAN_OPT_SERVER, thread_seq);
+
+ if(context->refer_check==0)
+ context->m_opt_index+=http_get_magellan_opt(&context->m_opt[context->m_opt_index],context->m_opt_index,nothing_p, strlen(nothing_p), MAGELLAN_OPT_REFER, thread_seq);
+
+ if(context->domain_check == 0)
+ {
+ opt_index = context->m_opt_index;
+ for(i = 0; i < opt_index; i++)
+ {
+ if(context->m_opt[i].opt_type == MAGELLAN_OPT_URL)
+ {
+ int j;
+ if(context->m_opt[i].opt_len > 1024)
+ {
+ memcpy(buffer_url,context->m_opt[i].opt_value,1024);
+ }
+ else
+ {
+ memcpy(buffer_url,context->m_opt[i].opt_value,context->m_opt[i].opt_len);
+ }
+ int len_url = strlen(buffer_url);
+ for(j = 0;j<len_url;j++)
+ {
+ if(buffer_url[j] - 0 == 47)
+ break;
+ domain[j] = buffer_url[j];
+ }
+ }
+ }
+ if(strlen(domain) == 0)
+ context->m_opt_index+=http_get_magellan_opt(&context->m_opt[context->m_opt_index],context->m_opt_index, nothing_p, strlen(nothing_p), MAGELLAN_OPT_DOMAIN, thread_seq);
+ else
+ context->m_opt_index+=http_get_magellan_opt(&context->m_opt[context->m_opt_index],context->m_opt_index,domain, strlen(domain), MAGELLAN_OPT_DOMAIN, thread_seq);
+
+ }
+
+ context->m_opt_index+=http_get_magellan_opt(&context->m_opt[context->m_opt_index],context->m_opt_index,
+ (char *)transf_proto, strlen(transf_proto)+1, MAGELLAN_OPT_PROTOCOL, thread_seq);
+ context->m_opt_index+=http_get_magellan_opt(&context->m_opt[context->m_opt_index],context->m_opt_index,
+ (char *)app_proto, strlen(app_proto)+1, MAGELLAN_OPT_APP, thread_seq);
+
+ if(g_jt_aduit_http_info.audit_level == 0)
+ dj_magellan_write_log(a_tcp, QDJCQ_MGLL_USERID, TABID_WEB_AUDIT_LOG, context->m_opt, context->m_opt_index, thread_seq);
+ }
+ http_destroy_process_context(context, thread_seq);
+ *param = NULL;
+ return PROT_STATE_DROPME;
+ }
+
+ return ret;
+ }
+
+
+
+
+int JT_AUDIT_HTTP_PLUG_INIT(void)
+{
+ int i = 0, ret = 0;
+
+ MESA_load_profile_int_def(g_conf_file_path, "Moudle", "AUDIT_LEVEL", &g_jt_aduit_http_info.audit_level, 0);
+ MESA_load_profile_int_def(g_conf_file_path, "Moudle", "LOG_LEVEL", &g_jt_aduit_http_info.log_level, 30);
+ MESA_load_profile_string_def(g_conf_file_path, "Moudle", "LOG_PATH", g_jt_aduit_http_info.runlog_path, MAX_FILEPATH_LEN,NULL);
+
+ g_jt_aduit_http_info.runlog = MESA_create_runtime_log_handle(g_jt_aduit_http_info.runlog_path, g_jt_aduit_http_info.log_level);
+ if(g_jt_aduit_http_info.runlog == NULL)
+ {
+ printf("MESA_create_handle failed ... \n\n");
+ return -1;
+ }
+
+ for(i = 0; i < REGISTER_TABLE_NUM; i++)
+ {
+ g_jt_aduit_http_info.table_id[i] = Maat_table_register(g_dj_feather, register_table_name[i]);
+
+ if(g_jt_aduit_http_info.table_id[i] < 0)
+ {
+ MESA_handle_runtime_log(g_jt_aduit_http_info.runlog, RLOG_LV_FATAL, "JT_AUDIT_HTTP_PLUG_INIT", "Register table id failed ...");
+ return -1;
+ }
+ }
+
+
+ g_jt_aduit_http_info.label_id = project_producer_register(IP_REQ_NAME, PROJECT_VAL_TYPE_STRUCT, free_project_req);
+ if(ret < 0)
+ {
+ MESA_handle_runtime_log(g_jt_aduit_http_info.runlog, RLOG_LV_FATAL, "JT_AUDIT_HTTP_PLUG_INIT", "Register stream label failed ...");
+ return -1;
+ }
+
+ return 0;
+}
+void JT_AUDIT_HTTP_PLUG_DESTROY(void)
+{
+
+}
+
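Review bot: In both copies of the `domain_check == 0` block in `JT_AUDIT_HTTP_PLUG_ENTRY`, a stored URL option of 1024 bytes or more fills `buffer_url[1024]` completely with no terminator. The following `strlen(buffer_url)` then reads past the array, and the `domain[j] = buffer_url[j]` loop can write past `domain[1024]` when no `/` turns up in time. The URL bytes come from `session_info->buf`, presumably traffic-derived, so this is a stack overflow driven by untrusted input. Clamp the copy to `sizeof(buffer_url) - 1`, terminate explicitly and bound the domain copy by the clamped length, as sketched below, ideally in one shared helper instead of two pasted blocks. Separately, `get_tuple4_opt` passes `out_value` by value while it is still NULL, so unless the callee takes a reference `mac` appears to be NULL when `mac->dst_mac` is read; `&out_value` looks intended.

```cpp
// … unchanged: loop over context->m_opt until opt_type == MAGELLAN_OPT_URL …
size_t url_len = (size_t)context->m_opt[i].opt_len;
if(url_len > sizeof(buffer_url) - 1)
    url_len = sizeof(buffer_url) - 1;          /* always leave room for the terminator */
memcpy(buffer_url, context->m_opt[i].opt_value, url_len);
buffer_url[url_len] = '\0';

/* The domain is everything before the first '/', bounded by what was copied. */
const char *slash = (const char *)memchr(buffer_url, '/', url_len);
size_t domain_len = (slash != NULL) ? (size_t)(slash - buffer_url) : url_len;
memcpy(domain, buffer_url, domain_len);
domain[domain_len] = '\0';
// … unchanged: emit MAGELLAN_OPT_DOMAIN from domain or the "NULL" placeholder …
```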
diff --git a/src/http_jt_audit.h b/src/http_jt_audit.h
new file mode 100644
index 0000000..716f863
--- /dev/null
+++ b/src/http_jt_audit.h
@@ -0,0 +1,77 @@
+#ifndef __JT_ADUIT_HTTP_PLUG_H__
+#define __JT_ADUIT_HTTP_PLUG_H__
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+
+#define REGISTER_TABLE_NUM 1
+#define REGISTER_TABLE_URL_PZ 0
+
+
+#define MAX_RESULT_NUM 16
+#define MAX_FILEPATH_LEN 128
+
+
+#define SEND_LOG_MAGELLAN_OPT_NUM 32
+
+#define IP_REQ_NAME "JT_IP_PKT"
+
+typedef struct target_tag_t
+{
+ int type; /*业务类型 */
+ int rule_id; /*规则ID */
+ short risk; /* 告警级别 */
+ char id[22]; /* 唯一日志ID */
+ void *dns_ip; /* 仅DNS使用 */
+}target_tag;
+
+typedef struct _opt_common
+{
+ int len;
+ char type;
+ char *value;
+}opt_common_t;
+
+typedef struct _process_context
+{
+ int do_blacklist;
+ int hit_config_num;
+ int m_opt_index;
+ int method_check;
+ int res_code_check;
+ int user_agent_check;
+ int cookie_check;
+ int server_check;
+ int refer_check;
+ int url_check;
+ int domain_check;
+ magellan_opt_t m_opt[SEND_LOG_MAGELLAN_OPT_NUM];
+}process_context_t;
+
+typedef struct _jt_aduit_http_info
+{
+ int label_id;
+ int log_level;
+ int audit_level;
+ int table_id[REGISTER_TABLE_NUM];
+ char absolute_path[MAX_FILEPATH_LEN];
+ char config_filepath[MAX_FILEPATH_LEN];
+ char runlog_path[MAX_FILEPATH_LEN];
+ void *runlog;
+}g_jt_aduit_http_info_t;
+
+
+unsigned char JT_AUDIT_HTTP_PLUG_ENTRY(stSessionInfo* session_info, void **param, int thread_seq, struct streaminfo *a_tcp, void *a_packet);
+int JT_AUDIT_HTTP_PLUG_INIT(void);
+void JT_AUDIT_HTTP_PLUG_DESTROY(void);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
+
+
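Review bot: This header is not self-contained: `process_context_t` embeds `magellan_opt_t m_opt[SEND_LOG_MAGELLAN_OPT_NUM]` and the `JT_AUDIT_HTTP_PLUG_ENTRY` prototype names `stSessionInfo` and `struct streaminfo`, yet nothing is included. It compiles only because http_jt_audit.cpp pulls in the MESA headers first. Including the headers that declare those types at the top of this file (presumably the `<MESA/...>` ones the .cpp already uses) removes the ordering dependency. The guard `__JT_ADUIT_HTTP_PLUG_H__` uses a reserved double-underscore identifier and misspells AUDIT; `JT_AUDIT_HTTP_PLUG_H` would be safer. It would also help to note beside `char id[22]` that the writer formats a table id, a timestamp and a sequence number into it with `snprintf`, so an over-long value is silently truncated.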
diff --git a/src/inc/DocumentAnalyze.h b/src/inc/DocumentAnalyze.h
new file mode 100644
index 0000000..8b39239
--- /dev/null
+++ b/src/inc/DocumentAnalyze.h
@@ -0,0 +1,235 @@
+/*
+ *
+ * Copyright (c) 2014
+ * String Algorithms Research Group
+ * Institute of Information Engineering, Chinese Academy of Sciences (IIE-CAS)
+ * National Engineering Laboratory for Information Security Technologies (NELIST)
+ * All rights reserved
+ *
+ * Written by: LIU YANBING ([email protected])
+ LU YUHAI ([email protected])
+
+ * Last modification: 2014-9-22
+ *
+ * This code is the exclusive and proprietary property of IIE-CAS and NELIST.
+ * Usage for direct or indirect commercial advantage is not allowed without
+ * written permission from the authors.
+ *
+ */
+
+#ifndef H_DOCUMENT_ANALYZE_H
+#define H_DOCUMENT_ANALYZE_H
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+#define DOC_PRO_OK 0
+#define DOC_PRO_ERR -1
+
+ /* ��ʽ�ĵ����Ͷ��� */
+ enum DocumentType
+ {
+ DOC_UNKNOWN_TYPE = 0, /* δ֪�ĵ����� */
+
+ DOC_TXT_TYPE, /* ���ı� */
+
+ /* Office 97-2003�ĵ����� */
+ DOC_DOC_TYPE, /* Word 97-2003 */
+ DOC_PPT_TYPE, /* Powerpoint 97-2003 */
+ DOC_XLS_TYPE, /* Excel 97-2003 */
+
+ /* Office 2007�ĵ����� */
+ DOC_DOCX_TYPE, /* Word 2007 */
+ DOC_PPTX_TYPE, /* Powerpoint 2007 */
+ DOC_XLSX_TYPE, /* Excel 2007 */
+
+ /* Open Office�ĵ����� */
+ DOC_ODT_TYPE, /* ODT��ʽ */
+ DOC_ODS_TYPE, /* ODS��ʽ */
+ DOC_ODP_TYPE, /* ODP��ʽ */
+
+ /* iWork�ĵ����� */
+ DOC_PAGES_TYPE, /* iWork Page */
+ DOC_KEY_TYPE, /* iWork Keynote */
+ DOC_NUMBERS_TYPE, /* iWork Numbers */
+
+ /* ���������ĵ����� */
+ DOC_PDF_TYPE, /* pdf��ʽ */
+ DOC_EML_TYPE, /* eml��ʽ */
+ DOC_HTML_TYPE, /* HTML��ʽ */
+ DOC_CHM_TYPE, /* chm��ʽ */
+ DOC_RTF_TYPE, /* rtf��ʽ */
+ DOC_MDB_TYPE, /* Microsoft Access���ݿ��ļ� */
+
+ /* ѹ���ļ���ʽ */
+ DOC_ZIP_TYPE, /* zip��ʽ */
+ DOC_RAR_TYPE, /* rar��ʽ */
+ DOC_GZIP_TYPE, /* gzip��ʽ */
+ DOC_BZIP_TYPE, /* bzip��ʽ */
+ DOC_7Z_TYPE, /* 7z��ʽ */
+ DOC_DEFLATE_TYPE, /* deflate��ʽ */
+
+ /* ͼ���ļ���ʽ */
+ DOC_BMP_TYPE, /* bmp��ʽ */
+ DOC_GIF_TYPE, /* gif��ʽ */
+ DOC_JPEG_TYPE, /* jpeg��ʽ */
+ DOC_RAW_TYPE, /* raw��ʽ */
+ DOC_EMF_TYPE, /* emf��ʽ */
+ DOC_WMF_TYPW, /* wmf��ʽ */
+ DOC_PNG_TYPE, /* png��ʽ */
+ DOC_PCT_TYPE, /* pct��ʽ */
+ DOC_PBM_TYPE, /* pbm��ʽ */
+ DOC_PPM_TYPE, /* ppm��ʽ */
+
+ /* ��Ƶ�ļ���ʽ */
+ DOC_MPEG4_TYPE, /* mpeg4��ʽ */
+ DOC_AV_TYPE, /* av��ʽ */
+ DOC_3GP_TYPE, /* 3gp��ʽ */
+ DOC_ASF_TYPE, /* asf��ʽ */
+ DOC_AVI_TYPE, /* avi��ʽ */
+ DOC_MKV_TYPE, /* mkv��ʽ */
+ DOC_MOV_TYPE, /* mov��ʽ */
+ DOC_MP4_TYPE, /* mp4��ʽ */
+ DOC_RMVB_TYPE, /* rmvb��ʽ */
+ DOC_RM_TYPE, /* rm��ʽ */
+ DOC_WMV_TYPE, /* wmv��ʽ */
+
+ /* ��Ƶ�ļ���ʽ */
+ DOC_MP3_TYPE, /* mp3��ʽ */
+ DOC_WAV_TYPE, /* wav��ʽ */
+ DOC_WMA_TYPE, /* wma��ʽ */
+ DOC_AAC_TYPE, /* aac��ʽ */
+ DOC_OGG_TYPE, /* ogg��ʽ */
+ DOC_APE_TYPE, /* ape��ʽ */
+ DOC_FLAC_TYPE, /* flac��ʽ */
+
+ /* ��ִ���ļ���ʽ */
+ DOC_PE_TYPE, /* Windows��ִ���ļ���ʽ��������exe��dll��vxd��sys��vdm�� */
+ DOC_ELF_TYPE, /* Linux��ִ���ļ���ʽ */
+ };
+
+ /* ����ı��ı������� */
+ enum CodeType
+ {
+ CODE_UNKNOWN_TYPE = 0, /* δ֪���� */
+ CODE_GBK_TYPE, /* GBK */
+ CODE_BIG5_TYPE, /* BIG5 */
+ CODE_UNICODE_TYPE, /* UNICODE */
+ CODE_UTF8_TYPE, /* UTF8 */
+ CODE_UTF7_TYPE, /* UTF7 */
+ };
+
+ /* zip��ѹ���ĵ���eml����Ҫʹ�õ������ĵ����� */
+ enum DocumentSubType
+ {
+ DOC_UNKNOW_SUBTYPE = 0, /* δ֪������ */
+ DOC_FILENAME_SUBTYPE, /* ���ĵ����ļ��� */
+ DOC_CONTENT_SUBTYPE, /* ���ĵ������� */
+ };
+
+ typedef struct _docanalyze_result_t
+ {
+ char * presult; /* ���ݵ����� */
+ int size; /* ���ݵij��� */
+ enum DocumentType doc_type; /* �˶������������ĵ����� */
+ enum DocumentSubType doc_sub_type; /* �˶��������������ĵ����� */
+ enum CodeType code_type; /* �˶����ݵĵ�ǰ�������� */
+ }docanalyze_result_t;
+
+ typedef struct _result_array_t
+ {
+ int result_num; /* ��������Ԫ�ظ��� */
+ docanalyze_result_t * result_buff; /* ������� */
+ }result_array_t;
+
+ typedef void * docanalyze_instance_t;
+ typedef void * docanalyze_streamparam_t;
+
+ /************************��ʽ�ĵ�������غ���*********************************/
+
+ /*
+ ���ܣ�
+ ��ʽ�ĵ�����ʶ�𣬸����ĵ�ͷ����Ϣʶ���ĵ������ͣ������ṩ��ͷ�����ݳ���hlen����64�ֽڡ�
+ ������
+ header : �ļ�ͷ��
+ hlen : �ļ�ͷ���ȣ�
+ ����ֵ��
+ ʶ������ĵ����ͣ��޷�ʶ�𷵻� DOC_UNKNOWN_TYPE��
+ */
+ enum DocumentType docanalyze_identify(const char * header, unsigned int hlen);
+
+ /*
+ ���ܣ�
+ ��ʽ�ĵ��������ij�ʼ�������ݴ��������ĵ����ʹ�����Ӧ���ĵ�������
+ �Լ���Ӧ�Ĺ������ݽṹ
+ ������
+ doc_type[in] ���ĵ����ͣ�
+ max_thread_num [in]: ɨ�����ɲ���ִ�е��߳�����
+ ����ֵ��
+ �ֵ�������ָ�룬��ʧ���򷵻� NULL��
+ */
+ docanalyze_instance_t docanalyze_initialize(unsigned int max_thread_num);
+
+ /*
+ ���ܣ�
+ �ͷ�ÿ���ĵ����͵ķ������Լ���Ӧ�Ĺ������ݽṹ
+ ������
+ instance[in]���ĵ����������
+ ����ֵ��
+ DOC_PRO_OK ��������
+ DOC_PRO_ERR ��ʧ�ܡ�
+ */
+ int docanalyze_destroy(docanalyze_instance_t instance);
+
+ /*
+ ���ܣ�
+ ����һ����ʽ�ֵ����������뱣����״̬�IJ�����
+ ������
+ instance [in]: �ĵ�������ָ�룻
+ thread_id [in]: ��ǰִ���ĵ��������߳�id�������ڷ�Χ[0, max_thread_num-1]֮�ڡ�
+ ����ֵ��
+ ���ر�����״̬�IJ���������ֵΪNULLʱ����ʾʧ�ܡ�
+ */
+ docanalyze_streamparam_t docanalyze_startstream(enum DocumentType doc_type, docanalyze_instance_t instance, unsigned int thread_id);
+
+ /*
+ ���ܣ�
+ ��ʽ�ĵ������ӿڣ�����һ�������ԭʼ�ĵ�����data����״̬��һЩ����м���������stream_param�У�
+ �����Ľ�������res�У��ռ��ɱ������ڲ�����,������������Ҫ����docanalyze_freeresult�ͷ�res���ڴ�ռ䡣
+ ������
+ stream_param [in] : ������״̬�IJ�����
+ data[in] �����������ĵ����ݣ�
+ dlen[in] �����ݳ��ȣ�
+ result_array[out] �������Ľ����
+ ����ֵ��
+ DOC_PRO_OK ������������
+ DOC_PRO_ERR ������ʧ�ܡ�
+ */
+ int docanalyze_parsestream(docanalyze_streamparam_t stream_param, const char * data, unsigned int dlen, result_array_t * result_array);
+
+ /*
+ ���ܣ�
+ �û�ʹ����Ϻ󣬵��ô˺����ͷŽ��result_array���ڴ�ռ�,���������Ҫ��docanalyze_parsestream�ɶ�ʹ��
+ ����ֵ��
+ DOC_PRO_OK ��������
+ DOC_PRO_ERR ��ʧ�ܡ�
+ */
+ int docanalyze_freeresult(result_array_t * result_array);
+
+ /*
+ ���ܣ�������ʽ�������ͷ���������
+ ������
+ stream_param [in]: ������ָ�롣
+ ����ֵ��
+ DOC_PRO_OK ��������
+ DOC_PRO_ERR ��ʧ�ܡ�
+ */
+ int docanalyze_endstream(docanalyze_streamparam_t stream_param);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /*end of defined H_DOCUMENT_ANALYZE_H*/ \ No newline at end of file
diff --git a/src/inc/dj_rule.h b/src/inc/dj_rule.h
new file mode 100644
index 0000000..f8dbe3d
--- /dev/null
+++ b/src/inc/dj_rule.h
@@ -0,0 +1,69 @@
+#ifndef _DJ_RULE_H_
+#define _DJ_RULE_H_
+
+#include <MESA/Maat_rule.h>
+#include <MESA/stream.h>
+#include <MESA/field_stat.h>
+#include <MESA/magellan_logger.h>
+//global maat scanner
+extern void* g_dj_feather;
+extern void* g_dj_stat_handle;
+
+//global doc analyse instance
+extern void* g_dj_doc_instance;
+
+
+/*cache and send*/
+typedef enum
+{
+ COMPLETE=0,
+ FRAG=1,
+ FRAG_END=2,
+}APPD_MSG_TYPE;
+
+typedef void* opt_unit_t;
+typedef void* dj_cache_t;
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+/*for 056jcq jt and audit*/
+int32_t dj_magellan_write_log (const struct streaminfo* a_tcp,const int user_id, const int table_id, magellan_opt_t* opt_array, int opt_num,int t_id);
+
+dj_cache_t create_dj_cache(const char* protocol, struct streaminfo* a_stream);
+void set_dj_cache_send(dj_cache_t handle);
+void destroy_dj_cache(dj_cache_t handle);
+/*
+*if set_dj_cache_send, callback add_dj_cache will send cache data, otherwise only cache not send
+*return -1: get mem_limit ; return 0: OK
+*opt will be free by add_dj_cache
+*/
+int add_dj_cache(dj_cache_t handle, APPD_MSG_TYPE status, opt_unit_t opt);
+
+/*
+*NULL value means nested option, otherwise is simple option
+*opt will be free by dj_cache, if not add_dj_cache, please do not create_opt_unit
+*/
+opt_unit_t create_opt_unit(const char* opt_name, const void* opt_value, int opt_len);
+void append_opt_nested_value(opt_unit_t ext_opt, opt_unit_t inner_opt);
+
+//return 1 if type match, otherwise return 0;
+int is_zip_type(int doctype);
+int is_scan_type(int doctype);
+
+/*
+ * dj_thread_safe_ctime: thread safe(no lock) time to string
+ * tp:current time
+ * buf: [out] to store the time string
+ * len:buffer length
+ */
+char *dj_thread_safe_ctime(const time_t *tp, char *buf, int len);
+#ifdef __cplusplus
+}
+#endif
+
+#endif
+
+
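Review bot: The declaration of `dj_magellan_write_log` says neither who owns `opt_array` after the call nor what the `int32_t` return value means, although the neighbouring `add_dj_cache` comment states explicitly that it frees its `opt`. The caller in http_jt_audit.cpp passes `context->m_opt`, ignores the return value, keeps appending to the same array and later frees every entry. If the callee took ownership, that would be a double free, and a failed write currently goes unnoticed. A contract comment such as `/* opt_array is borrowed, caller frees; returns <0 on failure */` (to be confirmed against the implementation) would settle it. The header also uses `int32_t` and `time_t` without including `<stdint.h>` and `<time.h>`, relying on the MESA headers to supply them.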
diff --git a/src/inc/qdjcq_magellan_id.h b/src/inc/qdjcq_magellan_id.h
new file mode 100644
index 0000000..419f88c
--- /dev/null
+++ b/src/inc/qdjcq_magellan_id.h
@@ -0,0 +1,187 @@
+#ifndef __QDJCQ_MAGELLAN_ID_H__
+#define __QDJCQ_MAGELLAN_ID_H__
+
+#define MAX_OPT_VALUE_LEN 10485760
+
+//ѡ��ID
+#define MAGELLAN_OPT_ID 1
+#define MAGELLAN_OPT_BUSINESS_DETECT_ID 2
+#define MAGELLAN_OPT_NAME 3
+#define MAGELLAN_OPT_STATUS 4
+#define MAGELLAN_OPT_SUBMODULE_NAME 5
+#define MAGELLAN_OPT_SUBMODULE_STATUS 6
+#define MAGELLAN_OPT_SUBMODULE_VERSION 7
+#define MAGELLAN_OPT_SUBMODULE_WARNING 8
+#define MAGELLAN_OPT_INSERT_TIME 9
+#define MAGELLAN_OPT_CAP_TIME 10
+#define MAGELLAN_OPT_FILENAME 11
+#define MAGELLAN_OPT_FILEPATH 12
+#define MAGELLAN_OPT_CHECKSUM 13
+#define MAGELLAN_OPT_FILESIZE 14
+#define MAGELLAN_OPT_FILETYPE 15
+#define MAGELLAN_OPT_PROTOCOL 16
+#define MAGELLAN_OPT_ACCOUNT 17
+#define MAGELLAN_OPT_DOMAIN 18
+#define MAGELLAN_OPT_SYSTEM_DETECT_ID 19
+#define MAGELLAN_OPT_PHYSICAL_ID 20
+#define MAGELLAN_OPT_CPU_USAGE 21
+#define MAGELLAN_OPT_RULE_ID 22
+#define MAGELLAN_OPT_NUM 23
+#define MAGELLAN_OPT_SIP 24
+#define MAGELLAN_OPT_SPORT 25
+#define MAGELLAN_OPT_SMAC 26
+#define MAGELLAN_OPT_DIP 27
+#define MAGELLAN_OPT_DPORT 28
+#define MAGELLAN_OPT_DMAC 29
+#define MAGELLAN_OPT_ALERT_TYPE 30
+#define MAGELLAN_OPT_ALERT_POLICY 31
+#define MAGELLAN_OPT_ALERT_DESC 32
+#define MAGELLAN_OPT_RISK 33
+#define MAGELLAN_OPT_ATTACK_TYPE 34
+#define MAGELLAN_OPT_APPLICATION 35
+#define MAGELLAN_OPT_OS 36
+#define MAGELLAN_OPT_IS_UPLOAD 37
+#define MAGELLAN_OPT_PWD 38
+#define MAGELLAN_OPT_TRANS_DIR 39
+#define MAGELLAN_OPT_PLUGIN_ID 40
+#define MAGELLAN_OPT_CPU_RANGE 41
+#define MAGELLAN_OPT_MEM_RANGE 42
+#define MAGELLAN_OPT_MEM_USAGE 43
+#define MAGELLAN_OPT_DISK_UASAGE 44
+#define MAGELLAN_OPT_APP 45
+#define MAGELLAN_OPT_TIME 46
+#define MAGELLAN_OPT_REQUEST 47
+#define MAGELLAN_OPT_RESPONSE 48
+#define MAGELLAN_OPT_UPTIME 49
+#define MAGELLAN_OPT_SOFT_VERSION 50
+#define MAGELLAN_OPT_MALWARE_TYPE 51
+#define MAGELLAN_OPT_MALWARE_NAME 52
+#define MAGELLAN_OPT_PROTO_INFO 53
+#define MAGELLAN_OPT_TROJAN_ID 54
+#define MAGELLAN_OPT_TROJAN_NAME 55
+#define MAGELLAN_OPT_TROJAN_TYPE 56
+#define MAGELLAN_OPT_DESC 57
+#define MAGELLAN_OPT_URL 58
+#define MAGELLAN_OPT_METHOD 59
+#define MAGELLAN_OPT_RET_CODE 60
+#define MAGELLAN_OPT_USER_AGENT 61
+#define MAGELLAN_OPT_COOKIE 62
+#define MAGELLAN_OPT_SERVER 63
+#define MAGELLAN_OPT_REFER 64
+#define MAGELLAN_OPT_MEM 65
+#define MAGELLAN_OPT_DISK 66
+#define MAGELLAN_OPT_FINGER 67
+#define MAGELLAN_OPT_COUNTRY 68
+#define MAGELLAN_OPT_ORGANIZE 69
+#define MAGELLAN_OPT_CNAME 70
+#define MAGELLAN_OPT_SNI 71
+#define MAGELLAN_OPT_UORGANIZE 72
+#define MAGELLAN_OPT_UCNAME 73
+#define MAGELLAN_OPT_DNS 74
+#define MAGELLAN_OPT_DOMAIN_IP 75
+#define MAGELLAN_OPT_EVENT_TYPE 76
+#define MAGELLAN_OPT_MSG 77
+#define MAGELLAN_OPT_IP 78
+#define MAGELLAN_OPT_USER 79
+#define MAGELLAN_OPT_PROGRAM 80
+#define MAGELLAN_OPT_OBJECT 81
+#define MAGELLAN_OPT_RESULT 82
+#define MAGELLAN_OPT_SM_INPATH 83
+#define MAGELLAN_OPT_SM_SUMMARY 84
+#define MAGELLAN_OPT_SM_DESC 85
+#define MAGELLAN_OPT_XM_DIR 86
+#define MAGELLAN_OPT_PROTOCOL_TYPE 87
+#define MAGELLAN_OPT_PROTOCOL_ID 88
+#define MAGELLAN_OPT_SENDER 89
+#define MAGELLAN_OPT_RECEIVER 90
+#define MAGELLAN_OPT_MSG_CONTENT 91
+#define MAGELLAN_OPT_TCP_FLAG 92
+#define MAGELLAN_OPT_IN_BYTES 93
+#define MAGELLAN_OPT_OUT_BYTES 94
+#define MAGELLAN_OPT_IN_PKTS 95
+#define MAGELLAN_OPT_OUT_PKTS 96
+#define MAGELLAN_OPT_START_TIME 97
+#define MAGELLAN_OPT_END_TIME 98
+#define MAGELLAN_OPT_INTERFACE_SEQ 99
+#define MAGELLAN_OPT_INTERFACE_FLAG 100
+#define MAGELLAN_OPT_INTERFACE_STAT 101
+#define MAGELLAN_OPT_INTERFACE_FLOW 102
+#define MAGELLAN_OPT_INTERFACE_ERROR 103
+#define MAGELLAN_OPT_INTERFACE_DROP 104
+#define MAGELLAN_OPT_DURATION_TIME 105
+#define MAGELLAN_OPT_CC 106
+#define MAGELLAN_OPT_BCC 107
+#define MAGELLAN_OPT_SUBJECT 108
+#define MAGELLAN_OPT_AUTHINFO 109
+#define MAGELLAN_OPT_ATTACHMENT 110
+#define MAGELLAN_OPT_MAIL_CONTENT 111
+#define MAGELLAN_OPT_ATTACHMENT_NAME 112
+#define MAGELLAN_OPT_PLUGIN_VERSION 113
+#define MAGELLAN_OPT_PLUGIN_POLICY_VERSION 114
+#define MAGELLAN_OPT_PLUG_ID 115
+
+//AUTHINFO����ʱ��ʹ��
+#define MAGELLAN_OPT_MAIL_FROM 116
+#define MAGELLAN_OPT_RCPT_TO 117
+#define MAGELLAN_OPT_EHLO 118
+
+
+//�ļ�/PCAPѡ��
+#define MAGELLAN_OPT_STREAM_START 200
+#define MAGELLAN_OPT_STREAM_CONT 201
+#define MAGELLAN_OPT_STREAM_END 202
+
+#define MAGELLAN_OPT_PCAP_START MAGELLAN_OPT_STREAM_START
+#define MAGELLAN_OPT_PCAP_CONT MAGELLAN_OPT_STREAM_CONT
+#define MAGELLAN_OPT_PCAP_END MAGELLAN_OPT_STREAM_END
+
+//��ID
+#define TABID_BUSINESS_MODULE_DETECT_INFO 1
+#define TABID_COMPRESS_ALARM_FILE 2
+#define TABID_KEYWORD_ALARM_FILE 3
+#define TABID_SM_NETDISK_ELEMENT 4
+#define TABID_SYSTEM_CPU_DETECT_INFO 5
+#define TABID_DOMAIN_LISTEN_FILE 9 //9
+#define TABID_ABNORMAL_ALARM 7
+#define TABID_IP_LISTEN_FILE 8
+#define TABID_ATTACK_ALARM 6
+#define TABID_URL_LISTEN_FILE 10 //10
+#define TABID_SM_FILETRANSFER_ELEMENT 38
+#define TABID_SYSTEM_PLUGIN_DETECT_INFO 12
+#define TABID_DNS_AUDIT_LOG 13
+#define TABID_MALWARE_ALARM_FILE 14
+#define TABID_BUSINESS_DETECT_INFO 15
+#define TABID_MALWARE_ALARM 16
+#define TABID_TROJAN_ALARM 17
+#define TABID_FILE_TRNS_AUDIT_LOG 18
+#define TABID_ATTACK_ALARM_FILE 19
+#define TABID_SM_HTTP_ELEMENT 20
+#define TABID_SENSITIVE_ALARM_FILE 21
+#define TABID_SYSTEM_DETECT_INFO 22
+#define TABID_SSL_AUDIT_LOG 23
+#define TABID_DOMAIN_LISTEN_ALARM 24
+#define TABID_ABNORMAL_FILE 25
+#define TABID_URL_LISTEN_ALARM 26
+#define TABID_BUSINESS_SUSPECTED_DETECT_INFO 27
+#define TABID_SYSTEM_AUDIT_LOG 28
+#define TABID_TROJAN_ALARM_FILE 29
+#define TABID_SM_CONTENT_ALARM 30
+#define TABID_SM_IM_ELEMENT 31
+#define TABID_PICTURE_ALARM_FILE 32
+#define TABID_NET_AUDIT 33
+#define TABID_BUSINESS_INTERFACE_DETECT_INFO 34
+#define TABID_SM_EMAIL_ELEMENT 35
+#define TABID_STYLE_ALARM_FILE 36
+#define TABID_MAIL_AUDIT_LOG 37
+#define TABID_ACCOUNT_LISTEN_FILE 11 //11
+#define TABID_WEB_AUDIT_LOG 39
+#define TABID_ENCRYPT_ALARM_FILE 40
+#define TABID_ACCOUNT_LISTEN_ALARM 41
+#define TABID_BUSINESS_PLUGIN_DETECT_INFO 42
+#define TABID_IP_LISTEN_ALARM 43
+#define TABID_PLUG_STATUS_INFO 44
+
+//�û�ID
+#define QDJCQ_MGLL_USERID 1
+
+#endif
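Review bot: `MAX_OPT_VALUE_LEN` at the top of this header is a bare `10485760` with no unit and no statement of who enforces it, while `create_opt_unit` in dj_rule.h takes a signed `int opt_len`; I would write it as `#define MAX_OPT_VALUE_LEN (10 * 1024 * 1024) /* max bytes in one option value */` and name in the comment the function that rejects longer or negative lengths. The section comments and the AUTHINFO comment are not valid UTF-8 here (they look like a legacy encoding), so they should be re-saved as UTF-8 or rewritten in English. `MAGELLAN_OPT_DISK_UASAGE` is misspelled, and `MAGELLAN_OPT_PLUGIN_ID` (40) versus `MAGELLAN_OPT_PLUG_ID` (115) are easy to confuse without a comment on each. Option ids such as `MAGELLAN_OPT_PWD`, `MAGELLAN_OPT_COOKIE` and `MAGELLAN_OPT_AUTHINFO` presumably carry credentials into the log records, so a comment on how those fields are protected or redacted downstream would help.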