STAT Core API Documentation 1.2
This is the documentation for the STAT Core C API. It is mainly intended for developers involved in extending the STAT Core by writing extension, provider, and response modules.
Those hacking on the Core itself or writing applications using the STAT Core as an IDS engine may also find these documents useful. If, however, you are looking for administration or theoretical documentation regarding STAT and available STAT-based sensors, you would probably be better served by perusing the STAT Framework Reference Manual available at the STAT homepage.
Modules, as explained in the STAT Framework Reference Manual, are the primary means by which the STAT Core is extended to produce a useful sensor. There are four types of modules which the Core knows about:
- extensions
- providers
- scenarios
- responses
By implementing new modules and reusing existing modules, one can easily create a powerful, custom IDS with the STAT Framework. Scenarios, however, are typically not written to interface with the STAT Core by hand; rather, they are modeled using the STATL attack language and compiled with the STATL compiler included with the STAT Core. Thus, while the scenario plugin C interface is documented in this reference, its direct use is deprecated.
If any of this is unclear, the reader is encouraged to review the aforementioned reference manual, which includes a detailed theoretical treatment of the necessary concepts.
The following sections detail how to implement new modules that can be loaded by the STAT Core.
Extensions are modules which implement domain-dependent types, events, and predicates which can be manipulated by scenarios in order to model attacks in a certain domain.
Detailed information on writing a new language extension is located in the extension module.
Providers are modules which parse an event source, e.g. network packets or a system event log, encapsulate the raw events as STAT events of a type defined in a language extension, and hand them to the Core for use by attack scenarios.
Detailed information on writing a new event provider is located in the provider module.
Scenarios are modules which model an attack as a series of states and transitions. The Core maintains lists of scenarios subscribing to certain types of events; when an event provider provides an event that a scenario subscribes to, that event is made available to that scenario by the Core.
For more information on writing scenarios, please refer to the STAT Framework Reference Manual.
Responses are modules which can perform an action when a certain state in a scenario is reached. Response modules are most often used to perform logging of attacks, but are not limited to this function. For example, a response module could be used to insert rules into a firewall to block a SYN flood detected by a scenario.
Detailed information on writing a new response module is located in the response module.
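The four module roles above fit together as a pipeline: a provider turns raw input into events of a type an extension defines, the Core hands each event to the scenarios subscribed to that event type, a scenario advances its state machine, and on reaching a final state it fires a response. The C program below is an added illustration of that flow; it is not STAT Core code and does not use the STAT C API. Every type and function name in it (stat_event, provider_parse_line, syn_flood_handle, response_block, run_sample) is hypothetical, and the log format and log lines are constructed. It models the SYN flood case from the response paragraph: three SYNs from one source to port 80 drive the scenario to its alert state, which invokes a response that records the source to block.

```c
/* Added example, not STAT Core code: a miniature extension / provider / scenario /
 * response pipeline in the shape this page describes. All names are hypothetical. */
#include <stdio.h>
#include <string.h>

/* Extension: a domain-dependent event type plus a predicate over it. */
enum event_kind { EV_TCP_SYN = 1, EV_OTHER = 2 };
struct stat_event { enum event_kind kind; char src[16]; char dst[16]; unsigned dport; };

static int pred_syn_to_port(const struct stat_event *e, unsigned port) {
    return e->kind == EV_TCP_SYN && e->dport == port;
}
/* Response: the action fired when a scenario reaches its final state. */
typedef void (*response_fn)(const char *src, unsigned count, void *ctx);

/* Scenario: a SYN flood modelled as states and transitions. */
enum syn_state { S_INIT, S_COUNTING, S_ALERTED };
struct syn_flood_scenario {
    enum syn_state state;
    char src[16];                 /* source tracked while in S_COUNTING */
    unsigned count, threshold, watched_port;
    response_fn respond;
    void *ctx;
};
/* The Core consults this to learn which event kinds the scenario subscribes to. */
static int syn_flood_subscribes(enum event_kind k) { return k == EV_TCP_SYN; }

/* Transition function: one event in, at most one state change out. */
static void syn_flood_handle(struct syn_flood_scenario *s, const struct stat_event *e) {
    if (!pred_syn_to_port(e, s->watched_port)) return;
    switch (s->state) {
    case S_INIT:
        snprintf(s->src, sizeof s->src, "%s", e->src);
        s->count = 1; s->state = S_COUNTING;
        break;
    case S_COUNTING:
        /* A STATL scenario would fork one instance per source; this toy follows the first. */
        if (strcmp(s->src, e->src) != 0) return;
        if (++s->count >= s->threshold) {
            s->state = S_ALERTED;
            s->respond(s->src, s->count, s->ctx);
        }
        break;
    case S_ALERTED:
        break;                    /* final state: further SYNs are ignored */
    }
}

/* Provider: parse one raw log line in the constructed format
 * "<ts> <proto> <src> <dst> <dport> <flags>" into a STAT event; 0 = malformed. */
static int provider_parse_line(const char *line, struct stat_event *out) {
    char proto[8], flags[8];
    if (sscanf(line, "%*s %7s %15s %15s %u %7s",
               proto, out->src, out->dst, &out->dport, flags) != 5)
        return 0;
    out->kind = (strcmp(proto, "tcp") == 0 && strcmp(flags, "S") == 0) ? EV_TCP_SYN : EV_OTHER;
    return 1;
}

/* Core glue: feed a constructed sample log through provider, dispatch, scenario and
 * response, and report what happened. */
struct run_result { unsigned parsed, dispatched, alerts, syns_at_alert; char blocked[16]; };

static void response_block(const char *src, unsigned count, void *ctx) {
    struct run_result *r = ctx;   /* a real response would insert a firewall rule here */
    r->alerts++;
    r->syns_at_alert = count;
    snprintf(r->blocked, sizeof r->blocked, "%s", src);
}

struct run_result run_sample(void) {
    static const char *log[] = {  /* constructed sample input */
        "1 tcp 10.0.0.5 192.0.2.10 80 S",
        "2 udp 10.0.0.9 192.0.2.10 53 -",
        "3 tcp 10.0.0.5 192.0.2.10 80 S",
        "4 tcp 10.0.0.5 192.0.2.10 80 S",
        "5 tcp 10.0.0.6 192.0.2.10 80 S",
    };
    struct run_result r = { 0, 0, 0, 0, "" };
    struct syn_flood_scenario sc = { S_INIT, "", 0, 3, 80, response_block, &r };
    for (size_t i = 0; i < sizeof log / sizeof log[0]; i++) {
        struct stat_event e;
        if (!provider_parse_line(log[i], &e)) continue;
        r.parsed++;
        if (syn_flood_subscribes(e.kind)) {   /* the Core's dispatch step */
            r.dispatched++;
            syn_flood_handle(&sc, &e);
        }
    }
    return r;
}

int main(void) {
    struct run_result r = run_sample();
    printf("parsed=%u dispatched=%u alerts=%u blocked=%s after %u SYNs\n",
           r.parsed, r.dispatched, r.alerts, r.blocked, r.syns_at_alert);
    return 0;
}
```

Compile with a C99 compiler and run: five events are parsed, four are dispatched (the UDP line is never delivered because the scenario does not subscribe to that event kind), one alert fires after the third SYN, and 10.0.0.5 is the source handed to the response. The one-source simplification in S_COUNTING is a shortcut of this example; a hand-written or STATL-generated scenario would need per-source instances to track concurrent floods independently.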
Generated on Mon Jan 24 19:14:49 2005 for STAT Core by Doxygen 1.3.9.1