Plugin development - Logged events processing
The Logged Events plugin API relies on the pluginAPI.h file which is common to all plugin types. The following 8 functions can be used in a logged events plugin, the first four being mandatory.
(Please contact us to get a logged events plugin VC++ 6.0 sample project.)
- PiInit - PlugIn initialisation
- PiUninit - PlugIn uninitialisation
- PiConfigure - PlugIn configuration through any plugin specific functions.
- PiInfo - PlugIn information to provide to Look 'n' Stop.
- PiLogDisplayEntryPF - Display a Packet Filtering entry from the Log page
- PiHandleAlertPF - Handle a new Packet Filtering event.
- PiLogDisplayEntryAF - Display an Application Filtering entry from the Log page
- PiHandleAlertAF - Handle an Application Filtering event.
AF: Application Filtering
PF: Packet Filtering (i.e. Internet Filtering)
- PiInit - PlugIn initialisation
The plugin initialisation function is used by the plugin to transmit various data to Look 'n' Stop: the plugin name (ShortName), the plugin type (type), an array (of size *nb_values) of integer values (tab_values) and an array (of size *nb_values_str) of strings (tab_values_str).
All these plugin data will be stored by Look 'n' Stop in the registry.
The PiInit function can also be used to allocate some memory for the plugin.
Here is an example of PiInit function.
#include <string.h>      // strcpy
#include "pluginAPI.h"   // plugin API header common to all plugin types

#define PLUGIN_TYPE TYPE_PLUGIN_RULE
#define NB_VALUES 5
#define NB_VALUES_STR 2

// Storage handed to Look 'n' Stop through PiInit; it must outlive the call.
int tab_val[NB_VALUES];
char ValStr1[16];
char ValStr2[16];
char *tab_val_str[NB_VALUES_STR] = { ValStr1, ValStr2 };
char *pShortName = "My Plugin";

extern "C" __declspec( dllexport) int PiInit(
    char **ShortName,
    int *type,
    int *nb_values,
    int **tab_values,
    int *nb_values_str,
    char ***tab_values_str)
{
    unsigned int i;
    AFX_MANAGE_STATE(AfxGetStaticModuleState());
    *ShortName = pShortName;
    *type = PLUGIN_TYPE;
    *nb_values = NB_VALUES;
    *tab_values = tab_val;
    *nb_values_str = NB_VALUES_STR;
    *tab_values_str = tab_val_str;
    // Each literal is 10 characters plus the terminator, within the 16-byte buffers.
    strcpy(ValStr1, "Test1Test1");
    strcpy(ValStr2, "Test2Test2");
    for (i = 0; i < NB_VALUES; i++)
    {
        tab_val[i] = i*10;
    }
    return 1;
}
- PiUninit - PlugIn uninitialisation
The PiUninit function is called by Look 'n' Stop when the user closes Look 'n' Stop.
It can be used to deallocate memory previously allocated in PiInit.
- PiConfigure - PlugIn configuration through any plugin specific functions.
The PiConfigure function is called by Look 'n' Stop when the user clicks on the
Options > Advanced Options > Plugin > Configure button after having selected the plugin to configure in the plugin list.
The PiConfigure function is usually used to open a configuration window from which the end user will configure various options in the plugin.
Here is an example of simple PiConfigure function.
extern "C" __declspec( dllexport) int PiConfigure(unsigned int Info)
{
    AFX_MANAGE_STATE(AfxGetStaticModuleState());
    CConfigure config;
    return config.DoModal();
}
- PiInfo - PlugIn information to provide to Look 'n' Stop.
When the user selects a plugin from the Options > Advanced Options > Plugin window, Look 'n' Stop displays information about the plugin in the right part of the window. This information is provided by the plugin through the PiInfo function.
Here is an example of simple PiInfo function.
char *pShortName = "My Rule Editor";
char *pDescription = "Customized rules.";
char *pVersion = "1.01";
char *pAuthor = "Your name";
char *pEmail = "[email protected]";

extern "C" __declspec( dllexport) int PiInfo(
    char **ShortName,
    char **Description,
    char **Version,
    char **Author,
    char **Email,
    int *Type)
{
    AFX_MANAGE_STATE(AfxGetStaticModuleState());
    *ShortName = pShortName;
    *Description = pDescription;
    *Version = pVersion;
    *Author = pAuthor;
    *Email = pEmail;
    *Type = TYPE_PLUGIN_RULE;
    return 1;
}
- PiLogDisplayEntryPF - Display a packet filtering entry from the Log page
///////////////////////////////////////////////////////
// This function is called by Look 'n' Stop when
// the user chooses to see a log entry with the plugin,
// the log entry is a packet filter alert
///////////////////////////////////////////////////////
extern "C" __declspec( dllexport) int PiLogDisplayEntryPF(
    unsigned long Type,
    unsigned long Action,
    char *RuleName,
    unsigned int Direction,
    unsigned char *Packet,
    unsigned int PacketSize)
{
    ...
}
Type
Type of Packet Filtering alert. Authorized values:
#define PF_TYPE_STANDARD 0x0100
Packet filtered when an Internet Filtering rule applies
#define PF_TYPE_TCP_SPI 0x0101
Packet filtered because of TCP Stateful Packet Inspection
#define PF_TYPE_SPARE_UNUSED 0x0102
Unused value
#define PF_TYPE_PROTOCOL 0x0103
Packet filtered because the protocol used is not allowed
Action
Indicates whether the filtered packet was blocked or allowed. Authorized values:
#define ACTION_BLOCK 0
Packet or application was blocked
#define ACTION_ALLOW 1
Packet or application was allowed
RuleName
Pointer to the rule name that filtered the packet.
Direction
Indicates the direction of the filtered packet. Authorized values:
#define DIRECTION_UL 1
Outbound/Uplink
#define DIRECTION_DL 2
Inbound/Downlink
Packet
Pointer to the packet content, starting from the MAC address.
PacketSize
Size of the packet (number of bytes)
- PiHandleAlertPF - Real-time handling of a new Packet Filtering event.
////////////////////////////////////////////////////
// This function is called by Look 'n' Stop
// every time an alert is being added to the log.
// The alert is a packet filter one. Parameters are
// the same as the PiLogDisplayEntryPF function
////////////////////////////////////////////////////
extern "C" __declspec( dllexport) int PiHandleAlertPF(
    unsigned long Type,
    unsigned long Action,
    char *RuleName,
    unsigned int Direction,
    unsigned char *Packet,
    unsigned int PacketSize)
{
    ...
}
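Packet carries bytes taken from the network, so a handler should check every offset against PacketSize before reading it. The following is an added example, not code from Look 'n' Stop or its sample project: lns_format_pf_alert is a hypothetical helper, the frame is assumed to be Ethernet II carrying IPv4, and sample_frame is constructed test data.

```c
#include <stdio.h>
#include <string.h>
/* Values copied from the parameter tables on this page. */
#define ACTION_BLOCK 0
#define DIRECTION_UL 1
#define DIRECTION_DL 2

/* Constructed sample frame: 192.0.2.10:49152 -> 198.51.100.7:445; unlisted bytes are zero. */
static const unsigned char sample_frame[54] = {
    0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x02, 0x08,0x00,   /* MACs, EtherType 0x0800 */
    0x45,0,0,0x28, 0,0,0x40,0, 0x40,0x06,0,0,           /* IPv4: IHL 5, protocol 6 */
    192,0,2,10, 198,51,100,7, 0xC0,0x00, 0x01,0xBD };   /* addresses, TCP ports */

/* Hypothetical helper (not part of pluginAPI.h): write a one-line summary of a
   logged frame into out. Returns 1 if an IPv4 header was decoded, else 0. */
int lns_format_pf_alert(unsigned long Action, const char *RuleName,
                        unsigned int Direction, const unsigned char *Packet,
                        unsigned int PacketSize, char *out, size_t outlen)
{
    const char *act = (Action == ACTION_BLOCK) ? "BLOCK" : "ALLOW";
    const char *dir = (Direction == DIRECTION_UL) ? "out" : "in";
    const unsigned char *ip, *l4;
    unsigned int ihl, sport = 0, dport = 0;
    if (RuleName == NULL) RuleName = "";
    /* Need a 14-byte Ethernet header, EtherType 0x0800 and a 20-byte minimum IPv4 header. */
    if (Packet == NULL || PacketSize < 34 || Packet[12] != 0x08 || Packet[13] != 0x00) {
        snprintf(out, outlen, "%s %s rule=\"%.64s\" (no IPv4 header, %u bytes)",
                 act, dir, RuleName, PacketSize);
        return 0;
    }
    ip = Packet + 14;
    ihl = (ip[0] & 0x0Fu) * 4u;          /* header length claimed by the packet itself */
    if ((ip[0] >> 4) != 4 || ihl < 20 || 14 + ihl > PacketSize) {
        snprintf(out, outlen, "%s %s rule=\"%.64s\" (bad IPv4 header)", act, dir, RuleName);
        return 0;
    }
    /* TCP (6) and UDP (17) start with the two ports; read them only at fragment
       offset 0 and only if all 4 bytes lie inside the buffer. */
    if ((ip[9] == 6 || ip[9] == 17) && (ip[6] & 0x1F) == 0 && ip[7] == 0 &&
        14 + ihl + 4 <= PacketSize) {
        l4 = ip + ihl;
        sport = (l4[0] << 8) | l4[1];
        dport = (l4[2] << 8) | l4[3];
    }
    snprintf(out, outlen, "%s %s rule=\"%.64s\" proto=%d %d.%d.%d.%d:%u -> %d.%d.%d.%d:%u",
             act, dir, RuleName, ip[9], ip[12], ip[13], ip[14], ip[15], sport,
             ip[16], ip[17], ip[18], ip[19], dport);
    return 1;
}
```

Inside PiHandleAlertPF the callback's own arguments would be passed straight through. VC++ 6.0 has no snprintf; its _snprintf does not terminate the buffer on truncation, so terminate it explicitly there.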
- PiLogDisplayEntryAF - Display an Application Filtering entry from the Log page
///////////////////////////////////////////////////////////
// This function is called by Look 'n' Stop when the user
// chooses to see a log entry with the plugin, the log
// entry is an application filtering alert
///////////////////////////////////////////////////////////
extern "C" __declspec( dllexport) int PiLogDisplayEntryAF(
    unsigned long Type,
    unsigned long Action,
    char *ApplicationPathName,
    char *AdditionalInfo)
{
    ...
}
Type
Type of Application Filtering event. Authorized values:
#define AF_TYPE_STANDARD 0
An application connects to the Internet
AdditionalInfo is not used.
#define AF_TYPE_LAUNCH 16
An application started another one that connects.
AdditionalInfo = PathName of the application Starter.
#define AF_TYPE_DLL 32
An application connects to the Internet through a DLL.
AdditionalInfo = PathName of the DLL.
#define AF_TYPE_IPPORT 128
An application has been blocked because of a blocked port or IP address.
AdditionalInfo = Port & IP the application tried to use
Action
Indicates whether the Application Filtering event was blocked or allowed.
Authorized values:
#define ACTION_BLOCK 0
Packet or application was blocked
#define ACTION_ALLOW 1
Packet or application was allowed
ApplicationPathName
Pathname of the application
AdditionalInfo
Additional string that depends on the Application Filtering alert type.
- PiHandleAlertAF - Real-time handling of a new Application Filtering event.
///////////////////////////////////////////////////////////
// This function is called by Look 'n' Stop every time an
// Application Filtering alert is being added
// to the Log. The parameters are the same as the
// PiLogDisplayEntryAF function
///////////////////////////////////////////////////////////
extern "C" __declspec( dllexport) int PiHandleAlertAF(
    unsigned long Type,
    unsigned long Action,
    char *ApplicationPathName,
    char *AdditionalInfo)
{
    ...
}