3.5. Alert

Security alerts.

Defines

ALERT(name, nsrc, ntgt)

Utility macro to create a new alert.

Parameters
  • name -

    Name of the variable that will be created.

  • nsrc -

    Number of sources.

  • ntgt -

    Number of targets.

ENDALERT

Finish the alert creation.

ALERT_NODE(alert, name, index, type, ...)

Create an alert node.

Parameters
  • alert -

    Alert name.

  • name -

    Member to fill: sources or targets.

  • index -

    Index of the node.

  • type -

    Type of node (see alert_node_type).

  • ... -

    List of strings.

ALERT_REF(alert, count, ...)

Add alert references.

Parameters
  • alert -

    Alert name.

  • count -

    Number of references.

  • ... -

    List of alert ids.

ALERT_METHOD_REF(alert, ...)

Add method references.

Parameters
  • alert -

    Alert name.

  • ... -

    List of strings.

Enums

alert_level enum

Alert level.

Values:

  • HAKA_ALERT_LEVEL_NONE -

    Unset value.

  • HAKA_ALERT_LOW -

    Low level.

  • HAKA_ALERT_MEDIUM -

    Medium level.

  • HAKA_ALERT_HIGH -

    High level.

  • HAKA_ALERT_NUMERIC -

    Numeric level stored in the alert structure.

  • HAKA_ALERT_LEVEL_LAST -

    Last alert level.

alert_completion enum

Alert completion.

Values:

  • HAKA_ALERT_COMPLETION_NONE -

    Unset value.

  • HAKA_ALERT_FAILED -

    The attack failed.

  • HAKA_ALERT_SUCCESSFUL -

    The attack was successful.

  • HAKA_ALERT_COMPLETION_LAST -

    Last alert completion value.

alert_node_type enum

Alert node type.

Values:

  • HAKA_ALERT_NODE_ADDRESS -

    Address node.

  • HAKA_ALERT_NODE_SERVICE -

    Service node.

  • HAKA_ALERT_NODE_LAST -

    Last alert node type.

Functions

uint64 alert(const struct alert * alert)

Raise a new alert.

Return
The alert unique id.

bool alert_update(uint64 id, const struct alert * alert)

Update an existing alert.

const char * alert_level_to_str(alert_level level)

Convert alert level to human readable string.

const char * alert_completion_to_str(alert_completion completion)

Convert alert completion to human readable string.

const char * alert_node_to_str(alert_node_type type)

Convert alert node to human readable string.

const char * alert_tostring(uint64 id, const struct time * time, const struct alert * alert, const char * header, const char * indent, bool color)

Convert an alert to a string.

void enable_stdout_alert(bool enable)

Enable display of alerts on stdout.

bool add_alerter(struct alerter * alerter)

Add an alert listener.

bool remove_alerter(struct alerter * alerter)

Remove an alert listener.

void remove_all_alerter()

Remove all alert listeners.

class alert_node

Alert node.

Public Members

alert_node_type type

Alert node type.

char ** list

NULL terminated array of strings.

class alert

Alert.

Public Members

struct time start_time

Alert start time.

struct time end_time

Alert end time.

char * description

Alert description.

alert_level severity

Alert severity (HAKA_ALERT_NUMERIC is not a valid value here).

alert_level confidence

Alert confidence.

double confidence_num

Alert confidence numeric value if confidence == HAKA_ALERT_NUMERIC.

alert_completion completion

Alert completion.

char * method_description

Alert method description.

char ** method_ref

Alert method references (NULL terminated array).

struct alert_node ** sources

Alert sources (NULL terminated array of nodes).

struct alert_node ** targets

Alert targets (NULL terminated array of nodes).

size_t alert_ref_count

Reference count.

uint64 * alert_ref

Array of references.

class alerter

Alert listener object.

Public Members

struct list list

void (* destroy)(struct alerter *state)

bool (* alert)(struct alerter *state, uint64 id, const struct time *time, const struct alert *alert)

bool (* update)(struct alerter *state, uint64 id, const struct time *time, const struct alert *alert)

Private Members

bool mark_for_remove

3.5.1. Example

/* Create the alert variable invalid_packet with room for one source and
   one target; description is a plain char * (see the alert structure above). */
ALERT(invalid_packet, 1, 1)
    description: "invalid tcp packet, size is too small",
    severity: HAKA_ALERT_LOW,
ENDALERT

/* Fill source 0 and target 0 with address nodes. */
ALERT_NODE(invalid_packet, sources, 0, HAKA_ALERT_NODE_ADDRESS, "127.0.0.1");
ALERT_NODE(invalid_packet, targets, 0, HAKA_ALERT_NODE_ADDRESS, "127.0.0.1");

/* alert() takes a pointer to the alert and returns its unique id. */
alert(&invalid_packet);
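The macros above and the alerter listener contract are only described, not shown, on this page. As an added example (not Haka's own code, and not a substitute for the Haka headers), the following stand-alone C program reconstructs the enums and structures from this reference, checks an alert against the invariants the reference states (severity must not be HAKA_ALERT_NUMERIC, node arrays are NULL terminated, alert_ref must be present when alert_ref_count is non-zero), and delivers it to a listener written against the alerter callback contract. `struct time`, `alert_validate()`, `demo_raise_alert()`, `counting_alerter` and the sample values are assumptions of this example; they model what ALERT/ALERT_NODE, alert() and add_alerter() do without reproducing their internals.

```c
/* Added example, not Haka's own code: a self-contained model of the alert
 * structures and listener contract in this reference. Enums and structs are
 * reconstructed from the text above so this builds without the Haka headers;
 * 'struct time' and demo_raise_alert() are simplified stand-ins for Haka's
 * time type and for alert() delivering to a registered alerter. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
typedef uint64_t uint64;
struct time { long secs, nsecs; };            /* stand-in for Haka's struct time */
typedef enum { HAKA_ALERT_LEVEL_NONE, HAKA_ALERT_LOW, HAKA_ALERT_MEDIUM, HAKA_ALERT_HIGH,
               HAKA_ALERT_NUMERIC, HAKA_ALERT_LEVEL_LAST } alert_level;
typedef enum { HAKA_ALERT_COMPLETION_NONE, HAKA_ALERT_FAILED, HAKA_ALERT_SUCCESSFUL,
               HAKA_ALERT_COMPLETION_LAST } alert_completion;
typedef enum { HAKA_ALERT_NODE_ADDRESS, HAKA_ALERT_NODE_SERVICE, HAKA_ALERT_NODE_LAST } alert_node_type;

struct alert_node { alert_node_type type; char **list; };   /* list is NULL terminated */
struct alert {
    struct time start_time, end_time;
    char *description, *method_description;
    alert_level severity, confidence;         /* severity must not be HAKA_ALERT_NUMERIC */
    double confidence_num;                    /* used only if confidence == HAKA_ALERT_NUMERIC */
    alert_completion completion;
    char **method_ref;                        /* NULL terminated */
    struct alert_node **sources, **targets;   /* NULL terminated arrays of nodes */
    size_t alert_ref_count;
    uint64 *alert_ref;
};

struct alerter {                              /* listener contract; 'state' is the listener itself */
    void (*destroy)(struct alerter *state);
    bool (*alert)(struct alerter *state, uint64 id, const struct time *time, const struct alert *alert);
    bool (*update)(struct alerter *state, uint64 id, const struct time *time, const struct alert *alert);
    bool mark_for_remove;
};

static bool node_list_ok(struct alert_node **nodes)
{
    for (; nodes && *nodes; nodes++)          /* a NULL array pointer counts as empty */
        if ((*nodes)->type >= HAKA_ALERT_NODE_LAST || !(*nodes)->list) return false;
    return true;
}

/* Check the invariants the reference states before an alert is raised. */
bool alert_validate(const struct alert *a)
{
    if (!a || !a->description) return false;
    if (a->severity == HAKA_ALERT_NUMERIC || a->severity >= HAKA_ALERT_LEVEL_LAST) return false;
    if (a->confidence >= HAKA_ALERT_LEVEL_LAST || a->completion >= HAKA_ALERT_COMPLETION_LAST) return false;
    if (a->alert_ref_count > 0 && !a->alert_ref) return false;
    return node_list_ok(a->sources) && node_list_ok(a->targets);
}

/* Tallies alerts per severity; 'base' is first so 'state' casts back to the wrapper. */
struct counting_alerter { struct alerter base; unsigned counts[HAKA_ALERT_LEVEL_LAST]; };

static bool counting_on_alert(struct alerter *state, uint64 id, const struct time *t, const struct alert *a)
{
    (void)id; (void)t;
    ((struct counting_alerter *)state)->counts[a->severity]++;
    return true;
}
static void counting_destroy(struct alerter *state) { (void)state; }

void counting_alerter_init(struct counting_alerter *c)
{
    memset(c, 0, sizeof *c);
    c->base.destroy = counting_destroy;
    c->base.alert = c->base.update = counting_on_alert;   /* updates are tallied the same way */
}

/* Stand-in for alert() with one registered alerter: validate, assign an id,
 * deliver. Returns the new id, or 0 when the alert fails validation. */
uint64 demo_raise_alert(struct alerter *listener, const struct alert *a)
{
    static uint64 next_id = 1;
    struct time now = { 0, 0 };               /* constructed timestamp */
    if (!alert_validate(a)) return 0;
    if (listener && !listener->mark_for_remove) listener->alert(listener, next_id, &now, a);
    return next_id++;
}

/* Rebuilds the reference example by hand (the fields ALERT/ALERT_NODE fill in), raises
 * it, then a copy with the forbidden HAKA_ALERT_NUMERIC severity; returns alerts delivered (1). */
unsigned demo_run(void)
{
    struct counting_alerter counter;
    char *loopback[] = { "127.0.0.1", NULL };                       /* constructed */
    struct alert_node src = { HAKA_ALERT_NODE_ADDRESS, loopback };
    struct alert_node *sources[] = { &src, NULL }, *targets[] = { &src, NULL };
    struct alert invalid_packet = { .description = "invalid tcp packet, size is too small",
                                    .severity = HAKA_ALERT_LOW, .sources = sources, .targets = targets };
    counting_alerter_init(&counter);
    demo_raise_alert(&counter.base, &invalid_packet);
    invalid_packet.severity = HAKA_ALERT_NUMERIC;             /* forbidden: rejected */
    demo_raise_alert(&counter.base, &invalid_packet);
    return counter.counts[HAKA_ALERT_LOW] + counter.counts[HAKA_ALERT_NUMERIC];
}
```

In a real Haka module the struct is filled by ALERT/ALERT_NODE and handed to alert(), and a listener is registered with add_alerter(); the point of the model is the validation step, which enforces the rules this reference states but the structure itself cannot, so a malformed alert is rejected before any listener sees it.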