This page is written from the high-level view by system users to the low-level API needed by developers of the NEMEA Modules/Detectors and by developers of the libraries contained in the NEMEA Framework
Usage by User
A default path of the installed modules is in
Users can read documentation of the modules in
Each module has
-h parameters to print the module’s help. The header of the help
shows number of communication interfaces (IFC). All IFCs are configured at the startup
of a module using
-i parameter with an argument.
-i parameter is also described in the module’s help in a separate section:
-h 1 or
It is also described at TRAP IFCSPEC page.
Example of help header of a module
$ /usr/bin/nemea/vportscan_detector -h TRAP module, libtrap version: 0.11.2 =========================================== Name: vportscan_detector Inputs: 1 Outputs: 1 Description: Vportscan detector is a simple, threshold-based detector for vertical scans detection. The detection algorithm uses information from basic flow records (source and destination IP addresses and ports, protocol, #packets, #bytes). ...
This output says that
vportscan_detector has 1 input IFC and 1 output IFC.
Example of a command to start the module
/usr/bin/nemea/vportscan_detector -i u:flow_data_source,u:vportscan_out
This command starts
vportscan_detector. The input IFC is set to
u type (UNIX socket)
flow_data_source is and identifier of the IFC.
Comma is a separater of IFCs, so that the second IFC is also of
u type and the identifier
Note: any input IFC can be connected to one output IFC, this can be done by specifying the same IFC type and identifier.
Note2: See TRAP IFCSPEC for more detailed information about IFC configuration and types.
Usage by Programmer
This section covers documentation of the NEMEA Framework, which is the main part of the NEMEA System shared within all NEMEA Modules and Detectors. It consists of (GitHub links):
- libtrap: https://github.com/CESNET/Nemea-Framework/tree/master/libtrap
- UniRec: https://github.com/CESNET/Nemea-Framework/tree/master/unirec
- nemea-common: https://github.com/CESNET/Nemea-Framework/tree/master/common
- pytrap: https://github.com/CESNET/Nemea-Framework/tree/master/pytrap
- pycommon: https://github.com/CESNET/Nemea-Framework/tree/master/pycommon
These components are described in the following subsections.
libtrap is a library (shared object) written in C.
The aim of
libtrap is to provide implementation of various types of communication interfaces (IFC)
that can be used by modules to send or receive data messages.
A developer may choose a number of output and input IFCs.
Configuration of IFCs is given by a user (not by a developer) when a module is being started. From the developer’đ point of view, it does not matter what type of IFC is used or what parameters are used.
A developer of a module must take care of initialization and finalization of the libtrap context,
however, it can be copied from an existing examples.
Basically, there are two main functions of libtrap that are used by repeatedly used by a developer:
trap_send() to send a message via an output IFC and
trap_recv() to receive a message via an input
UniRec is a definition of binary data representation (format) and an implementation
of functions to work with it.
To understand UniRec, we have to split two terms:
A template is a definition of fields that are present in every message.
A field is defined by name and type.
There is a list of currently used UniRec fields: unirec_fields.md. Developers can easily define any field.
|UniRec Field Type||CPP Constant||C Type||Size in Bytes|
|string||UR_TYPE_STRING||char||-1 (variable size)|
|bytes||UR_TYPE_BYTES||char||-1 (variable size)|
nemea-common is a collection of various functions and data structures
that are generally useful in modules. There are e.g. prefix tree, B+ tree,
hashing functions, hash table, …
pytrap is a native module for Python 2 and 3 that wraps API of
It allows writing new NEMEA modules in the Python language.
Examples can be found at https://github.com/CESNET/Nemea-Framework/tree/master/examples/python
The main part of
pycommon is a python module
report2idea for reporting
alerts generated by NEMEA detectors.
There is currently no development documentation for this module.
For user documentation of the configuration of reporter modules see Reporting Modules and Alert Filtering.