/* * ModSecurity for Apache 2.x, http://www.modsecurity.org/ * Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License.  You may obtain a copy of the License at * *     http://www.apache.org/licenses/LICENSE-2.0 * * If any of the files related to licensing are missing or if you have any * other questions related to licensing please contact Trustwave Holdings, Inc. * directly using the email address security@modsecurity.org. */ #ifndef _ALP2_H_ #define _ALP2_H_ #include #include #include "alp2_pp.h" #include "pcre.h" /* -- Data structures -- */ typedef struct alp2_msg_t alp2_msg_t; struct alp2_msg_t { const char *engine_message; const char *target; const char *id; const char *rev; const char *msg; const char *data; const char *file; unsigned long file_line; size_t offset; int severity; int warning; apr_array_header_t *tags; }; typedef struct auditlog2_t auditlog2_t; struct auditlog2_t { apr_pool_t *mp; /* Transaction data */ const char *id; apr_time_t timestamp; unsigned int duration; const char *src_ip; unsigned int src_port; const char *dst_ip; unsigned int dst_port; /* Request */ unsigned int request_line_valid; const char *request_line; const char *request_method; const char *request_uri; apr_uri_t *parsed_uri; const char *request_protocol; apr_table_t *request_headers; /* Determine the hostname: The hostname from the URI is * used where present, otherwise the value of the Host * request header is used. * * If neither of these two is available we will use the * combination of the destination IP and port as hostname. * * The resulting hostname may have the port attached. */ const char *hostname; /* Response */ const char *response_protocol; unsigned int response_status; const char *response_message; apr_table_t *response_headers; const char *response_tfn; /* Other */ apr_table_t *trailer_headers; unsigned int was_intercepted; unsigned int intercept_phase; /* -1 if interception did not happen */ const char *producer; const char *server; const char *handler; const char *application_id; const char *session_id; const char *user_id; apr_array_header_t *messages; alp2_pp_entry_t *pp_entry; }; typedef struct alp2_t alp2_t; struct alp2_t { apr_pool_t *mp; void *user_data; int (*user_callback)(alp2_t *alp); alp2_pp_t *pp; unsigned int previous_part_id; unsigned int part_line_counter; unsigned int part_data_done; unsigned int seen_part_h; unsigned int done; unsigned int parse_error; apr_array_header_t *errors; /* Regular expression patterns. */ // TODO All these need reviewing pcre *part_a_pattern; pcre *request_line_pattern; pcre *header_pattern; pcre *response_line_pattern; pcre *trailer_action_pattern; pcre *trailer_stopwatch_pattern; pcre *trailer_webappinfo_pattern; auditlog2_t *auditlog; }; /* Higher-level (user) parser. */ /* NOTE Parser will create a subpool for its own use, but each * entry will be created in a separate subpool directly * under the main pool. This allows the created audit log * entries to survive the death of the parser. */ /* -- Functions -- */ int alp2_create(alp2_t **_alp, apr_pool_t *mp, void *user_data, int (*user_callback)(alp2_t *alp)); int alp2_process(alp2_t *alp, const char *data, size_t len); void alp2_destroy(alp2_t *alp); auditlog2_t *alp2_auditlog_create(apr_pool_t *mp); void alp2_auditlog_destroy(auditlog2_t *al); #endif