2022-11-17 05:05:35 +08:00
/*
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* Maat : Deep Packet Inspection Policy Framework
2022-10-27 17:58:52 +08:00
2022-11-17 05:05:35 +08:00
* Maat is the Goddess of truth and justice in ancient Egyptian concept .
* Her feather was the measure that determined whether the souls ( considered
* to reside in the heart ) of the departed would reach the paradise of afterlife
* successfully .
* Authors : Liu WenTan < liuwentan @ geedgenetworks . com >
* Date : 2022 - 10 - 31
2023-03-23 19:16:23 +08:00
* Copyright : ( c ) 2018 - 2023 Geedge Networks , Inc . All rights reserved .
2022-11-17 05:05:35 +08:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
*/
# ifndef _MAAT_H_
# define _MAAT_H_
2022-10-27 17:58:52 +08:00
2023-02-15 11:53:46 +08:00
# ifdef __cplusplus
2022-11-25 16:32:29 +08:00
extern " C "
{
# endif
2022-10-27 17:58:52 +08:00
# include <stdint.h>
# include <netinet/in.h>
2024-09-20 11:20:21 +00:00
# include <uuid/uuid.h>
2022-10-27 17:58:52 +08:00
2024-10-08 11:10:03 +00:00
# define MAX_ATTR_NAME_LEN 128
2022-11-17 05:05:35 +08:00
/* maat instance handle */
struct maat ;
2022-10-27 17:58:52 +08:00
2023-01-06 18:54:59 +08:00
struct maat_hit_path {
int Nth_scan ;
2024-10-08 11:10:03 +00:00
char attribute_name [ MAX_ATTR_NAME_LEN ] ; // 0 is not a attribute.
2024-08-22 08:28:33 +00:00
int negate_option ; // 1 means negate condition(condition)
2024-08-22 07:35:53 +00:00
int condition_index ; // 0 ~ 7
2024-09-20 11:20:21 +00:00
uuid_t item_uuid ;
uuid_t sub_object_uuid ;
uuid_t top_object_uuid ;
uuid_t rule_uuid ;
2023-01-06 18:54:59 +08:00
} ;
2024-08-22 10:26:59 +00:00
struct maat_hit_object {
2024-09-20 11:20:21 +00:00
uuid_t item_uuid ;
uuid_t object_uuid ;
2024-10-08 11:10:03 +00:00
char attribute_name [ MAX_ATTR_NAME_LEN ] ;
2023-01-06 18:54:59 +08:00
} ;
2023-02-03 17:28:14 +08:00
enum maat_scan_status {
MAAT_SCAN_ERR = - 1 , //scan error
2024-08-22 10:26:59 +00:00
MAAT_SCAN_OK , //scan but not hit(object or rule)
MAAT_SCAN_HALF_HIT , //half hit: hit object, not hit rule
2024-08-22 03:11:15 +00:00
MAAT_SCAN_HIT //scan hit rule
2022-12-09 17:12:18 +08:00
} ;
2023-03-15 11:36:54 +08:00
enum maat_update_type {
MAAT_UPDATE_TYPE_INVALID = 0 ,
MAAT_UPDATE_TYPE_FULL ,
MAAT_UPDATE_TYPE_INC
} ;
2023-11-24 15:36:27 +08:00
/**
* @ brief auto means select engine automatically
* regex rules always use hyperscan
* literal rules : rule_num < = 50 k , use hyperscan
* rule_num > 50 k , use rulescan
*/
2023-08-10 16:10:50 +08:00
enum maat_expr_engine {
2023-11-24 15:36:27 +08:00
MAAT_EXPR_ENGINE_HS = 0 , //hyperscan
MAAT_EXPR_ENGINE_RS , //rulescan
MAAT_EXPR_ENGINE_AUTO //default
2023-08-10 16:10:50 +08:00
} ;
2023-02-20 10:57:40 +08:00
struct ip_addr {
2023-10-10 11:23:44 +00:00
int ip_type ; //4:IPV4, 6:IPV6
2023-02-20 10:57:40 +08:00
union {
unsigned int ipv4 ; //network order
2023-10-10 11:23:44 +00:00
unsigned int ipv6 [ 4 ] ; //network order
2023-02-20 10:57:40 +08:00
} ;
} ;
2024-09-12 09:31:27 +00:00
enum maat_operation {
MAAT_OP_DEL = 0 ,
MAAT_OP_ADD
} ;
2023-03-28 15:41:24 +08:00
enum log_level {
LOG_LEVEL_TRACE ,
LOG_LEVEL_DEBUG ,
LOG_LEVEL_INFO ,
LOG_LEVEL_WARN ,
LOG_LEVEL_ERROR ,
LOG_LEVEL_FATAL
} ;
2023-06-16 15:59:30 +08:00
2023-03-15 11:36:54 +08:00
/* update_type: MAAT_UPDATE_TYPE_FULL or MAAT_UPDATE_TYPE_INC */
2022-11-25 16:32:29 +08:00
typedef void maat_start_callback_t ( int update_type , void * u_param ) ;
2023-06-16 15:59:30 +08:00
2024-09-23 08:52:47 +00:00
typedef void maat_update_callback_t ( const char * table_name , const char * table_line , enum maat_operation op , void * u_para ) ;
2023-06-16 15:59:30 +08:00
2022-11-25 16:32:29 +08:00
typedef void maat_finish_callback_t ( void * u_para ) ;
2024-09-23 08:52:47 +00:00
typedef void maat_ex_new_func_t ( const char * table_name , const char * key ,
2023-03-29 22:25:14 +08:00
const char * table_line , void * * ad , long argl , void * argp ) ;
2023-06-16 15:59:30 +08:00
2024-09-23 08:52:47 +00:00
typedef void maat_ex_free_func_t ( const char * table_name , void * * ad , long argl , void * argp ) ;
2023-06-16 15:59:30 +08:00
2024-09-23 08:52:47 +00:00
typedef void maat_ex_dup_func_t ( const char * table_name , void * * to , void * * from , long argl , void * argp ) ;
2022-12-14 15:28:21 +08:00
2022-11-25 16:32:29 +08:00
/* maat_instance options API */
2022-11-17 05:05:35 +08:00
struct maat_options ;
2023-06-16 15:59:30 +08:00
2023-01-30 21:59:35 +08:00
struct maat_options * maat_options_new ( void ) ;
2023-06-16 15:59:30 +08:00
2023-01-30 21:59:35 +08:00
void maat_options_free ( struct maat_options * opts ) ;
2023-06-16 15:59:30 +08:00
/**
* @ brief set maat instance name
*
* @ note The maximum length of instance_name is 15 bytes
*/
int maat_options_set_instance_name ( struct maat_options * opts , const char * instance_name ) ;
2023-01-06 18:54:59 +08:00
int maat_options_set_caller_thread_number ( struct maat_options * opts , size_t n_thread ) ;
2023-06-16 15:59:30 +08:00
2023-01-30 21:59:35 +08:00
int maat_options_set_accept_tags ( struct maat_options * opts , const char * accept_tags ) ;
2023-06-16 15:59:30 +08:00
2022-11-25 16:32:29 +08:00
int maat_options_set_rule_update_checking_interval_ms ( struct maat_options * opts , int interval_ms ) ;
2023-06-16 15:59:30 +08:00
2022-11-25 16:32:29 +08:00
int maat_options_set_gc_timeout_ms ( struct maat_options * opts , int interval_ms ) ;
2023-06-16 15:59:30 +08:00
2022-11-25 16:32:29 +08:00
int maat_options_set_deferred_load_on ( struct maat_options * opts ) ;
2023-06-16 15:59:30 +08:00
2023-03-30 10:00:38 +08:00
int maat_options_set_stat_on ( struct maat_options * opts ) ;
2023-06-16 15:59:30 +08:00
2023-03-30 10:00:38 +08:00
int maat_options_set_perf_on ( struct maat_options * opts ) ;
2023-06-16 15:59:30 +08:00
2023-03-16 11:59:46 +08:00
int maat_options_set_foreign_cont_dir ( struct maat_options * opts , const char * dir ) ;
2023-06-16 15:59:30 +08:00
int maat_options_set_logger ( struct maat_options * opts , const char * log_path ,
enum log_level level ) ;
2023-03-02 10:18:20 +08:00
2024-08-07 08:47:15 +00:00
int maat_options_set_log_file_max_size ( struct maat_options * opts , size_t max_size_mb ) ; //default is 500MB, 0 for unlimited
2022-12-03 22:23:41 +08:00
int maat_options_set_json_file ( struct maat_options * opts , const char * json_filename ) ;
2023-05-04 17:10:19 +08:00
2023-05-04 17:10:19 +08:00
/**
* Indicate whether the JSON file is compressed by gzip
* flag : 1 ( compressed ) 0 ( uncompressed )
* */
int maat_options_set_json_file_gzip_flag ( struct maat_options * opts , int flag ) ;
2023-05-04 17:10:19 +08:00
/* Specify the decryption key for the JSON file to be decrypted */
int maat_options_set_json_file_decrypt_key ( struct maat_options * opts , const char * decrypt_key ) ;
2023-03-02 10:18:20 +08:00
int maat_options_set_redis ( struct maat_options * opts , const char * redis_ip ,
uint16_t redis_port , int redis_db ) ;
2023-04-20 15:34:56 +08:00
int maat_options_set_stat_file ( struct maat_options * opts , const char * stat_filename ) ;
2023-08-10 16:10:50 +08:00
int maat_options_set_expr_engine ( struct maat_options * opts , enum maat_expr_engine engine ) ;
2023-09-22 14:59:44 +08:00
int maat_options_set_hit_path_enabled ( struct maat_options * opts ) ;
2024-08-22 10:26:59 +00:00
int maat_options_set_hit_object_enabled ( struct maat_options * opts ) ;
2023-09-22 14:59:44 +08:00
2022-11-25 16:32:29 +08:00
/* maat_instance API */
struct maat * maat_new ( struct maat_options * opts , const char * table_info_path ) ;
2022-11-17 05:05:35 +08:00
void maat_free ( struct maat * instance ) ;
2023-12-05 16:31:18 +08:00
void maat_reload_log_level ( struct maat * instance , enum log_level level ) ;
2023-10-13 17:55:51 +08:00
/**
2024-03-29 08:37:40 +00:00
* For xx_plugin table , each thread can call this function initially , maat will maintain the
* thread_id internally and the number of times the xx_plugin_table_get_ex_data interface
* is called by different threads is counted .
2023-12-05 16:31:18 +08:00
*/
2023-10-13 17:55:51 +08:00
void maat_register_thread ( struct maat * instance ) ;
2023-05-09 17:45:43 +08:00
/**
* verify if regex expression is legal
*
* @ param The NULL - terminated expression to parse .
2023-05-11 11:21:46 +08:00
* @ retval 1 ( legal ) 0 ( illegal )
2023-05-09 17:45:43 +08:00
* */
int maat_helper_verify_regex_expression ( const char * expression ) ;
2023-03-02 10:18:20 +08:00
2024-09-23 08:52:47 +00:00
const char * maat_get_table_schema_tag ( struct maat * instance , const char * table_name ) ;
2023-12-18 08:43:54 +00:00
2023-01-30 21:59:35 +08:00
/* return 0 if success, otherwise return -1 */
2024-09-23 08:52:47 +00:00
int maat_table_callback_register ( struct maat * instance , const char * table_name ,
2022-11-25 16:32:29 +08:00
maat_start_callback_t * start ,
maat_update_callback_t * update ,
maat_finish_callback_t * finish ,
void * u_para ) ;
2023-02-09 22:13:15 +08:00
2022-11-25 16:32:29 +08:00
/* maat plugin table API */
2023-03-29 22:25:14 +08:00
int maat_plugin_table_ex_schema_register ( struct maat * instance , const char * table_name ,
2023-02-23 11:37:02 +08:00
maat_ex_new_func_t * new_func ,
maat_ex_free_func_t * free_func ,
maat_ex_dup_func_t * dup_func ,
2023-01-06 18:54:59 +08:00
long argl , void * argp ) ;
2023-05-30 16:16:18 +08:00
/**
2023-06-19 09:44:25 +00:00
* xx_plugin_table_get_ex_data
* returned data is duplicated by dup_func of maat_plugin_table_ex_schema_register ,
* caller is responsible to free the data .
*
* free_func support gargbage collection ( gc ) , gc timeout ( default 0 ) can be configured
* in table_info which means maat will not call free_func until the timeout expires
*/
/**
* NOTE : only plugin table support three key type ( integer , pointer , ip_addr )
2024-08-30 08:28:58 +00:00
* specified in table_info . json . If use ip_addr key type , then key should be
2023-06-19 09:44:25 +00:00
* ip address in network order .
2023-05-30 16:16:18 +08:00
*/
2024-09-23 08:52:47 +00:00
void * maat_plugin_table_get_ex_data ( struct maat * instance , const char * table_name ,
2023-06-08 07:32:41 +00:00
const char * key , size_t key_len ) ;
2023-02-22 15:08:52 +08:00
2024-09-23 08:52:47 +00:00
int maat_ip_plugin_table_get_ex_data ( struct maat * instance , const char * table_name ,
2023-09-27 07:15:29 +00:00
const struct ip_addr * ip_addr ,
void * * ex_data_array , size_t array_size ) ;
2023-10-10 11:23:44 +00:00
/**
* NOTE : @ retval - 1 ( ERROR ) 0 ( no ex_data ) 1 ( only one ex_data )
* this function return only one ex_data if matched
*/
2024-09-23 08:52:47 +00:00
int maat_ipport_plugin_table_get_ex_data ( struct maat * instance , const char * table_name ,
2023-09-27 07:15:29 +00:00
const struct ip_addr * ip_addr , uint16_t port ,
void * * ex_data_array , size_t array_size ) ;
2023-02-20 11:43:43 +08:00
2024-09-23 08:52:47 +00:00
int maat_fqdn_plugin_table_get_ex_data ( struct maat * instance , const char * table_name ,
2023-02-21 11:27:18 +08:00
const char * fqdn , void * * ex_data_array ,
2023-09-27 07:15:29 +00:00
size_t array_size ) ;
2023-02-20 11:43:43 +08:00
2024-09-23 08:52:47 +00:00
int maat_bool_plugin_table_get_ex_data ( struct maat * instance , const char * table_name ,
2023-02-20 11:43:43 +08:00
unsigned long long * item_ids , size_t n_item ,
2023-09-27 07:15:29 +00:00
void * * ex_data_array , size_t array_size ) ;
2022-11-25 16:32:29 +08:00
/* maat scan API */
2022-11-17 05:05:35 +08:00
struct maat_state ;
2023-01-30 21:59:35 +08:00
/**
* @ param instance : maat instance created by maat_new ( )
2024-09-23 09:24:21 +00:00
* @ param table_name : the name of table which to be scanned
2023-01-30 21:59:35 +08:00
* @ param thread_id : thread index
2024-08-22 03:11:15 +00:00
* @ param results : array to store hit rule id
2023-01-30 21:59:35 +08:00
* @ param n_result : the array size
2024-08-22 03:11:15 +00:00
* @ param n_hit_result : the number of hit rule id
2023-01-30 21:59:35 +08:00
* @ param state : scan mid status
*
2023-02-03 17:28:14 +08:00
* @ retval MAAT_SCAN_ERR
* MAAT_SCAN_OK
* MAAT_SCAN_HALF_HIT
* MAAT_SCAN_HIT
2023-01-30 21:59:35 +08:00
*/
2024-09-23 08:52:47 +00:00
int maat_scan_flag ( struct maat * instance , const char * table_name , const char * attribute_name ,
long long flag , uuid_t * results , size_t n_result , size_t * n_hit_result ,
2024-01-05 17:24:06 +08:00
struct maat_state * state ) ;
2024-09-23 08:52:47 +00:00
int maat_scan_integer ( struct maat * instance , const char * table_name , const char * attribute_name ,
long long integer , uuid_t * results , size_t n_result , size_t * n_hit_result ,
2024-01-05 17:24:06 +08:00
struct maat_state * state ) ;
2023-01-30 21:59:35 +08:00
2023-03-27 15:52:47 +08:00
/**
2024-03-27 11:19:39 +00:00
* @ param ip_addr : ipv4 address in network order
* @ param port : port in host order . If the port is not specified , use - 1. Note that 0 is a valid port .
2023-03-27 15:52:47 +08:00
*/
2024-09-23 08:52:47 +00:00
int maat_scan_ipv4_port ( struct maat * instance , const char * table_name , const char * attribute_name ,
uint32_t ip_addr , int port , uuid_t * results , size_t n_result , size_t * n_hit_result ,
struct maat_state * state ) ;
int maat_scan_ipv6_port ( struct maat * instance , const char * table_name , const char * attribute_name ,
uint8_t * ip_addr , int port , uuid_t * results , size_t n_result , size_t * n_hit_result ,
struct maat_state * state ) ;
int maat_scan_ipv4 ( struct maat * instance , const char * table_name , const char * attribute_name ,
uint32_t ip_addr , uuid_t * results , size_t n_result , size_t * n_hit_result ,
struct maat_state * state ) ;
int maat_scan_ipv6 ( struct maat * instance , const char * table_name , const char * attribute_name ,
uint8_t * ip_addr , uuid_t * results , size_t n_result , size_t * n_hit_result ,
struct maat_state * state ) ;
int maat_scan_string ( struct maat * instance , const char * table_name , const char * attribute_name ,
const char * data , size_t data_len , uuid_t * results , size_t n_result ,
2023-11-10 08:26:48 +00:00
size_t * n_hit_result , struct maat_state * state ) ;
2024-09-23 08:52:47 +00:00
int maat_scan_object ( struct maat * instance , const char * table_name , const char * attribute_name ,
struct maat_hit_object * objects , size_t n_object , uuid_t * results , size_t n_result ,
2023-11-10 08:26:48 +00:00
size_t * n_hit_result , struct maat_state * state ) ;
2024-09-23 08:52:47 +00:00
int maat_scan_not_logic ( struct maat * instance , const char * table_name , const char * attribute_name ,
uuid_t * results , size_t n_result , size_t * n_hit_result , struct maat_state * state ) ;
2022-11-17 05:05:35 +08:00
struct maat_stream ;
2024-09-23 08:52:47 +00:00
struct maat_stream * maat_stream_new ( struct maat * instance , const char * table_name , const char * attribute_name , struct maat_state * state ) ;
2022-11-17 05:05:35 +08:00
2023-03-28 14:07:44 +08:00
int maat_stream_scan ( struct maat_stream * stream , const char * data , int data_len ,
2024-09-20 11:20:21 +00:00
uuid_t * results , size_t n_result , size_t * n_hit_result ,
2023-03-23 11:57:17 +08:00
struct maat_state * state ) ;
2022-11-17 05:05:35 +08:00
2023-03-28 14:07:44 +08:00
void maat_stream_free ( struct maat_stream * stream ) ;
2022-11-17 05:05:35 +08:00
2023-01-06 18:54:59 +08:00
/* maat state API */
2023-03-15 11:36:54 +08:00
struct maat_state * maat_state_new ( struct maat * instance , int thread_id ) ;
2024-11-13 09:34:57 +00:00
/*
security rule 1 src_ip & src_port
security rule 2 src_ip & fqdn
statistics rule 3 src_ip & src_port
statistics rule 4 src_ip & fqdn
scan ( src_ip ) ;
scan ( src_port ) ;
maat_state_compile ( " security " , rule_array [ ] ) ;
scan ( src_ip ) ;
scan ( src_port ) ;
scan ( fqdn ) ;
maat_state_compile ( " security " , rule_array [ ] ) ;
maat_state_compile ( " statistics " , rule_array [ ] ) ;
*/
size_t maat_state_compile ( struct maat_state * state , const char * table_name , uuid_t rule_array [ ] , void * ex_data_array [ ] , size_t n_result ) ; //TODO: new API, return all rules every time, without removing duplicate rules
2023-03-15 11:36:54 +08:00
void maat_state_reset ( struct maat_state * state ) ;
2023-03-23 11:57:17 +08:00
void maat_state_free ( struct maat_state * state ) ;
2023-03-15 11:36:54 +08:00
2024-11-13 09:34:57 +00:00
int maat_state_set_scan_rule_table ( struct maat_state * state , const char * rule_table_name ) ; //TODO: delete
2023-01-30 21:59:35 +08:00
2023-09-11 12:00:33 +08:00
int maat_state_get_hit_paths ( struct maat_state * state , struct maat_hit_path * path_array ,
size_t array_size ) ;
2023-10-30 08:00:49 +00:00
2024-09-23 09:24:21 +00:00
int maat_state_get_rule_table_names ( struct maat_state * state , uuid_t * rule_ids ,
2024-11-13 09:34:57 +00:00
size_t n_rule_ids , char * rule_table_names [ ] ) ; //TODO: delete
2023-06-28 11:12:25 +08:00
2023-07-11 11:30:57 +08:00
/**
* @ brief get the total number of scans after maat_state_new
*/
2023-06-28 11:12:25 +08:00
size_t maat_state_get_scan_count ( struct maat_state * state ) ;
2022-12-14 15:28:21 +08:00
2023-07-11 11:30:57 +08:00
/**
2024-08-22 10:26:59 +00:00
* @ brief direct object means object corresponding to item
2023-07-11 11:30:57 +08:00
*
2024-08-22 10:26:59 +00:00
* NOTE : hit objects may be duplicated
2023-12-07 08:08:25 +00:00
*
2023-07-11 11:30:57 +08:00
*/
2024-08-22 10:26:59 +00:00
int maat_state_get_direct_hit_objects ( struct maat_state * state ,
struct maat_hit_object * object_array ,
2024-11-13 09:34:57 +00:00
size_t array_size ) ; //TODO:delete
2024-08-22 10:26:59 +00:00
size_t maat_state_get_direct_hit_object_cnt ( struct maat_state * state ) ;
2023-09-11 12:00:33 +08:00
/**
2024-08-22 10:26:59 +00:00
* @ brief indirect object means superior object
2023-09-11 12:00:33 +08:00
*
2024-08-22 10:26:59 +00:00
* NOTE : hit objects may be duplicated
2023-09-11 12:00:33 +08:00
*/
2024-11-13 09:34:57 +00:00
2022-10-27 17:58:52 +08:00
2023-12-07 08:08:25 +00:00
/**
2024-08-22 10:26:59 +00:00
* @ brief get last scan hit objects ( including direct / indirect )
2023-12-07 08:08:25 +00:00
*/
2024-08-22 10:26:59 +00:00
int maat_state_get_last_hit_objects ( struct maat_state * state ,
struct maat_hit_object * object_array ,
2024-11-13 09:34:57 +00:00
size_t array_size ) ; //TODO:delete
size_t maat_state_get_last_hit_object_cnt ( struct maat_state * state ) ; //TODO:delete
size_t maat_state_get_hit_objects ( struct maat_state * state ,
const char * attribute_name ,
uuid_t object_array [ ] ,
size_t array_size ) ; //TODO: new API, return all hit objects
2024-11-15 08:37:00 +00:00
size_t maat_state_get_attribute_cnt ( struct maat_state * state ) ; //TODO: new API
size_t maat_state_get_attribute_names ( struct maat_state * state , const char * attribute_names [ ] , size_t array_size ) ; //TODO: new API
2024-11-13 09:34:57 +00:00
size_t maat_state_get_hit_object_cnt ( struct maat_state * state ,
const char * attribute_name ) ; //TODO: new API
size_t maat_state_get_hit_items ( struct maat_state * state ,
const char * attribute_name ,
uuid_t item_array [ ] ,
uuid_t direct_object_array [ ] ,
size_t array_size ) ; //TODO: new API, return direct hit items and direct hit objects
size_t maat_state_get_hit_item_cnt ( struct maat_state * state ,
const char * attribute_name ) ; //TODO: new API
size_t maat_state_get_indirect_hit_objects ( struct maat_state * state ,
const char * attribute_name ,
uuid_t object_array [ ] ,
size_t array_size ) ; //TODO: new API
2023-12-13 18:15:28 +08:00
2024-11-13 09:34:57 +00:00
size_t maat_state_get_indirect_hit_object_cnt ( struct maat_state * state , const char * attribute_name ) ; //TODO: add "const" prefix
2023-12-13 18:15:28 +08:00
2023-02-15 11:53:46 +08:00
# ifdef __cplusplus
2022-11-25 16:32:29 +08:00
}
# endif
2022-10-26 14:41:22 +08:00
2023-08-21 17:31:56 +08:00
# endif
