The libunified2 from wtfbbqhax

libunified2's People

Stargazers

Watchers

libunified2's Issues

Unified2ExtraData support

Library does have support for the Unified2ExtraData data type(s) records which can exist.

For list of useful things you'll only ever see if using Unified2- See the ExtraInfoEnum below.

This is a blocking feature for the next u2json.

typedef struct _Unified2ExtraDataHdr{
    uint32_t event_type;
    uint32_t event_length;
}Unified2ExtraDataHdr;

//UNIFIED2_EXTRA_DATA - type 110
typedef struct _SerialUnified2ExtraData{
    uint32_t sensor_id;
    uint32_t event_id;
    uint32_t event_second;
    uint32_t type;              /* EventInfo */
    uint32_t data_type;         /*EventDataType */
    uint32_t blob_length;       /* Length of the data + sizeof(blob_length) + sizeof(data_type)*/
} SerialUnified2ExtraData;

typedef struct _Data_Blob
{
    uint32_t length;
    const uint8_t *data;
} Data_Blob;

//UNIFIED2_EXTRA_DATA - type 110
typedef struct _Serial_Unified2ExtraData{
    uint32_t sensor_id;
    uint32_t event_id;
    uint32_t event_second;
    uint32_t type;
    Data_Blob data;
} Unified2ExtraData;

typedef enum _EventInfoEnum
{
    EVENT_INFO_XFF_IPV4 = 1,
    EVENT_INFO_XFF_IPV6,
    EVENT_INFO_REVIEWED_BY,
    EVENT_INFO_GZIP_DATA,
    EVENT_INFO_SMTP_FILENAME,
    EVENT_INFO_SMTP_MAILFROM,
    EVENT_INFO_SMTP_RCPTTO,
    EVENT_INFO_SMTP_EMAIL_HDRS,
    EVENT_INFO_HTTP_URI,
    EVENT_INFO_HTTP_HOSTNAME,
    EVENT_INFO_IPV6_SRC,
    EVENT_INFO_IPV6_DST,
    EVENT_INFO_JSNORM_DATA
}EventInfoEnum;

typedef enum _EventDataType
{
    EVENT_DATA_TYPE_BLOB = 1,
    EVENT_DATA_TYPE_MAX
}EventDataType;