stellar-stellar/decoders/session_flags/session_flags_internal.h

#pragma once
#include <stdint.h>
#include "onlinemean.h"

#include "stellar/session.h"
#include "stellar/session_flags.h"
#include "toml/toml.h"

#define SESSION_FLAGS_LOG_MODULE "SESSION_FLAGS"

enum random_looking_flags
{
	session_flags_frequency_mask = 0,
	session_flags_block_frequency_mask,
	session_flags_cumulative_sums_mask,
	session_flags_runs_mask,
	session_flags_longest_run_mask,
	session_flags_rank_mask,
	session_flags_non_overlapping_template_matching_mask,
	session_flags_overlapping_template_matching_mask,
	session_flags_universal_mask,
	session_flags_random_excursions_mask,
	session_flags_random_excursions_variant_mask,
	session_flags_poker_detect_mask,
	session_flags_runs_distribution_mask,
	session_flags_self_correlation_mask,
	session_flags_binary_derivative_mask,
};
#define SESSION_FLAGS_FREQUENCY 		(0x0000000000000001)
#define SESSION_FLAGS_BLOCK_FREQUENCY 		(SESSION_FLAGS_FREQUENCY << session_flags_block_frequency_mask)
#define SESSION_FLAGS_CUMULATIVE_SUMS 		(SESSION_FLAGS_FREQUENCY << session_flags_cumulative_sums_mask)
#define SESSION_FLAGS_RUNS 			(SESSION_FLAGS_FREQUENCY << session_flags_runs_mask)
#define SESSION_FLAGS_LONGEST_RUN 		(SESSION_FLAGS_FREQUENCY << session_flags_longest_run_mask)
#define SESSION_FLAGS_RANK 			(SESSION_FLAGS_FREQUENCY << session_flags_rank_mask)
#define SESSION_FLAGS_NON_OVERLAPPING_TEMPLATE_MATCHING 	(SESSION_FLAGS_FREQUENCY << session_flags_non_overlapping_template_matching_mask)
#define SESSION_FLAGS_OVERLAPPING_TEMPLATE_MATCHING 	(SESSION_FLAGS_FREQUENCY << session_flags_overlapping_template_matching_mask)
#define SESSION_FLAGS_UNIVERSAL 		(SESSION_FLAGS_FREQUENCY << session_flags_universal_mask)
#define SESSION_FLAGS_RANDOM_EXCURSIONS 	(SESSION_FLAGS_FREQUENCY << session_flags_random_excursions_mask)
#define SESSION_FLAGS_RANDOM_EXCURSIONS_VARIANT 	(SESSION_FLAGS_FREQUENCY << session_flags_random_excursions_variant_mask)
#define SESSION_FLAGS_POKER_DETECT 		(SESSION_FLAGS_FREQUENCY << session_flags_poker_detect_mask)
#define SESSION_FLAGS_RUNS_DISTRIBUTION 	(SESSION_FLAGS_FREQUENCY << session_flags_runs_distribution_mask)
#define SESSION_FLAGS_SELF_CORRELATION 	(SESSION_FLAGS_FREQUENCY << session_flags_self_correlation_mask)
#define SESSION_FLAGS_BINARY_DERIVATIVE 	(SESSION_FLAGS_FREQUENCY << session_flags_binary_derivative_mask)

#define MAIN_DIR_UNKONWN -1

#define START_JUDGE_TIME_MS 5000

struct session_flags_result {
	uint64_t flags;
	uint64_t random_looking_flags;
	uint32_t identify[session_flags_all_mask];
	bool is_tls;
};

struct session_flags_init_conf{
	uint32_t interactive_starttime_ms;
	uint32_t interactive_pulse_num;
	uint32_t main_dir_front_n_pkts;
	uint64_t interactive_latency_ms;
	uint32_t large_ptks_init_size;
	uint32_t random_judge_flags_cnt;
	uint32_t session_max_process_time_ms;
	uint32_t fet_enabled;
	uint32_t tunneling_enabled;
	int32_t random_looking_udp_ignore_pkts;
	uint32_t tunneling_tls_ignore_pkts;
	uint32_t tunneling_max_scan_pkts;
	char tunneling_pcre_list[2048];
	char random_looking_judge_list[2048];
};

struct session_flags_plugin_info{
	int plugin_id;
    int sess_ctx_exdata_idx;
	struct stellar *st;
	struct logger *log_handle;
	int session_flags_topic_id;
	int tcp_topic_id;
	int udp_topic_id;
};

struct session_flags_iter_values
{
	float bulky;
	float CBR;
	float download;
	float interactive;
	float pseudo_unidirectional;
	float streaming;
	OnlineMean_t omean;
};

struct session_flags_iter
{
	uint32_t iter_cnt;
	float bidirectional;
	struct session_flags_iter_values c2s;
	struct session_flags_iter_values s2c;
};

struct flow_stat
{
	uint64_t bytes;
	uint64_t pkts;
	uint64_t payload_pkts;
	uint64_t large_pkts;

	uint32_t delta_pkts;
	uint32_t delta_large_pkts;
	uint32_t delta_payload_pkts;
	uint32_t delta_bytes;

	float rate;
};

struct random_looking_stat_info
{
	uint8_t has_judged_sts;
	uint8_t has_judged_fet;
	uint8_t payload_pkt_num;
};

struct session_flags_stat
{
	struct flow_stat c2s, s2c;
	uint64_t last_pkt_ts_ms;
	uint64_t interactive_pulse_num;
	uint64_t session_start_time_ms;
	uint64_t stream_live_time_ms;
	uint64_t last_iter_ts_ms;
	int main_dir; 
	struct random_looking_stat_info random_looking_stat;
	struct session_flags_iter iter;
	struct session_flags_result result;
};

struct session_flags_ctx
{
	struct session_flags_stat stat;
	uint64_t history_flags;
};

void session_flags_stat_init(struct session_flags_stat *stat, enum session_direction session_dir);
struct session_flags_result *session_flags(struct session_flags_plugin_info *sf_plugin_info, struct session_flags_ctx *ctx, struct session *session, int etopic_id, uint32_t bytes, enum flow_type flow_type, uint64_t ms);
struct session_flags_result *session_flags_get_flags(struct session_flags_stat *session_flags);
struct session_flags_message *session_flags_generate_firewall_message(uint64_t flags, const uint32_t identify[session_flags_all_mask]);
float session_flags_calculate_CV(OnlineMean_t * omean);
add socks_decoder, stratum_decoder and session_flags 2024-09-03 07:01:58 +00:00			`#pragma once`
			`#include <stdint.h>`
			`#include "onlinemean.h"`

			`#include "stellar/session.h"`
			`#include "stellar/session_flags.h"`
			`#include "toml/toml.h"`

			`#define SESSION_FLAGS_LOG_MODULE "SESSION_FLAGS"`

			`enum random_looking_flags`
			`{`
			`session_flags_frequency_mask = 0,`
			`session_flags_block_frequency_mask,`
			`session_flags_cumulative_sums_mask,`
			`session_flags_runs_mask,`
			`session_flags_longest_run_mask,`
			`session_flags_rank_mask,`
			`session_flags_non_overlapping_template_matching_mask,`
			`session_flags_overlapping_template_matching_mask,`
			`session_flags_universal_mask,`
			`session_flags_random_excursions_mask,`
			`session_flags_random_excursions_variant_mask,`
			`session_flags_poker_detect_mask,`
			`session_flags_runs_distribution_mask,`
			`session_flags_self_correlation_mask,`
			`session_flags_binary_derivative_mask,`
			`};`
			`#define SESSION_FLAGS_FREQUENCY (0x0000000000000001)`
			`#define SESSION_FLAGS_BLOCK_FREQUENCY (SESSION_FLAGS_FREQUENCY << session_flags_block_frequency_mask)`
			`#define SESSION_FLAGS_CUMULATIVE_SUMS (SESSION_FLAGS_FREQUENCY << session_flags_cumulative_sums_mask)`
			`#define SESSION_FLAGS_RUNS (SESSION_FLAGS_FREQUENCY << session_flags_runs_mask)`
			`#define SESSION_FLAGS_LONGEST_RUN (SESSION_FLAGS_FREQUENCY << session_flags_longest_run_mask)`
			`#define SESSION_FLAGS_RANK (SESSION_FLAGS_FREQUENCY << session_flags_rank_mask)`
			`#define SESSION_FLAGS_NON_OVERLAPPING_TEMPLATE_MATCHING (SESSION_FLAGS_FREQUENCY << session_flags_non_overlapping_template_matching_mask)`
			`#define SESSION_FLAGS_OVERLAPPING_TEMPLATE_MATCHING (SESSION_FLAGS_FREQUENCY << session_flags_overlapping_template_matching_mask)`
			`#define SESSION_FLAGS_UNIVERSAL (SESSION_FLAGS_FREQUENCY << session_flags_universal_mask)`
			`#define SESSION_FLAGS_RANDOM_EXCURSIONS (SESSION_FLAGS_FREQUENCY << session_flags_random_excursions_mask)`
			`#define SESSION_FLAGS_RANDOM_EXCURSIONS_VARIANT (SESSION_FLAGS_FREQUENCY << session_flags_random_excursions_variant_mask)`
			`#define SESSION_FLAGS_POKER_DETECT (SESSION_FLAGS_FREQUENCY << session_flags_poker_detect_mask)`
			`#define SESSION_FLAGS_RUNS_DISTRIBUTION (SESSION_FLAGS_FREQUENCY << session_flags_runs_distribution_mask)`
			`#define SESSION_FLAGS_SELF_CORRELATION (SESSION_FLAGS_FREQUENCY << session_flags_self_correlation_mask)`
			`#define SESSION_FLAGS_BINARY_DERIVATIVE (SESSION_FLAGS_FREQUENCY << session_flags_binary_derivative_mask)`

			`#define MAIN_DIR_UNKONWN -1`

			`#define START_JUDGE_TIME_MS 5000`

			`struct session_flags_result {`
			`uint64_t flags;`
			`uint64_t random_looking_flags;`
			`uint32_t identify[session_flags_all_mask];`
			`bool is_tls;`
			`};`

			`struct session_flags_init_conf{`
			`uint32_t interactive_starttime_ms;`
			`uint32_t interactive_pulse_num;`
			`uint32_t main_dir_front_n_pkts;`
			`uint64_t interactive_latency_ms;`
			`uint32_t large_ptks_init_size;`
			`uint32_t random_judge_flags_cnt;`
			`uint32_t session_max_process_time_ms;`
			`uint32_t fet_enabled;`
			`uint32_t tunneling_enabled;`
			`int32_t random_looking_udp_ignore_pkts;`
			`uint32_t tunneling_tls_ignore_pkts;`
			`uint32_t tunneling_max_scan_pkts;`
			`char tunneling_pcre_list[2048];`
			`char random_looking_judge_list[2048];`
			`};`

			`struct session_flags_plugin_info{`
			`int plugin_id;`
			`int sess_ctx_exdata_idx;`
			`struct stellar *st;`
			`struct logger *log_handle;`
			`int session_flags_topic_id;`
			`int tcp_topic_id;`
			`int udp_topic_id;`
			`};`

			`struct session_flags_iter_values`
			`{`
			`float bulky;`
			`float CBR;`
			`float download;`
			`float interactive;`
			`float pseudo_unidirectional;`
			`float streaming;`
			`OnlineMean_t omean;`
			`};`

			`struct session_flags_iter`
			`{`
			`uint32_t iter_cnt;`
			`float bidirectional;`
			`struct session_flags_iter_values c2s;`
			`struct session_flags_iter_values s2c;`
			`};`

			`struct flow_stat`
			`{`
			`uint64_t bytes;`
			`uint64_t pkts;`
			`uint64_t payload_pkts;`
			`uint64_t large_pkts;`

			`uint32_t delta_pkts;`
			`uint32_t delta_large_pkts;`
			`uint32_t delta_payload_pkts;`
			`uint32_t delta_bytes;`

			`float rate;`
			`};`

			`struct random_looking_stat_info`
			`{`
			`uint8_t has_judged_sts;`
			`uint8_t has_judged_fet;`
			`uint8_t payload_pkt_num;`
			`};`

			`struct session_flags_stat`
			`{`
			`struct flow_stat c2s, s2c;`
			`uint64_t last_pkt_ts_ms;`
			`uint64_t interactive_pulse_num;`
			`uint64_t session_start_time_ms;`
			`uint64_t stream_live_time_ms;`
			`uint64_t last_iter_ts_ms;`
			`int main_dir;`
			`struct random_looking_stat_info random_looking_stat;`
			`struct session_flags_iter iter;`
			`struct session_flags_result result;`
			`};`

			`struct session_flags_ctx`
			`{`
			`struct session_flags_stat stat;`
			`uint64_t history_flags;`
			`};`

			`void session_flags_stat_init(struct session_flags_stat *stat, enum session_direction session_dir);`
			`struct session_flags_result session_flags(struct session_flags_plugin_info sf_plugin_info, struct session_flags_ctx ctx, struct session session, int etopic_id, uint32_t bytes, enum flow_type flow_type, uint64_t ms);`
			`struct session_flags_result session_flags_get_flags(struct session_flags_stat session_flags);`
			`struct session_flags_message *session_flags_generate_firewall_message(uint64_t flags, const uint32_t identify[session_flags_all_mask]);`
			`float session_flags_calculate_CV(OnlineMean_t * omean);`