src/preprocessors/flow/portscan/flowps.h Source File

00001 #ifndef _FLOWPS_H
00002 #define _FLOWPS_H
00003 
00004 #ifdef HAVE_CONFIG_H
00005 #include "config.h"
00006 #endif
00007 
00008 #include <time.h>
00009 
00010 #include "flow.h"
00011 #include "unique_tracker.h"
00012 #include "ipobj.h"
00013 
00014 /* todo, move to scoreboard.h but I don't feel like fighting foward
00015  * declarations at the moment */
00016 #define SDESC_SIZE 256  /**< size of the scoreboard description field */
00017 
00018 #define ALERT_FIXED_TALKER    0x01
00019 #define ALERT_SLIDING_TALKER  0x02
00020 #define ALERT_FIXED_SCANNER   0x04
00021 #define ALERT_SLIDING_SCANNER 0x08
00022 
00023 /* hard coded "last node info" stuff */
00024 #define FLOWPS_HOSTS_SIZE 5
00025 
00026 
00027 typedef struct _SERVER_STATS
00028 {
00029     IPSET   *ipv4_watch; /* network help "learn" */
00030     SFXHASH *ipv4_table;
00031 } SERVER_STATS;
00032 
00033 typedef enum {
00034     TRACKER_ACTIVE=1,
00035     TRACKER_SCANNER=2
00036 } TRACKER_POSITION;
00037 
00038 typedef struct _SCOREBOARD
00039 {
00040     char description[SDESC_SIZE];
00041     TRACKER_POSITION kind;
00042     SFXHASH          *ipv4_table;
00043 } SCOREBOARD;
00044 
00045 
00046 
00047 typedef struct _PS_SCORE
00048 {
00049     u_int32_t score; 
00050     time_t   start;
00051     time_t   ends;
00052 } PS_SCORE;
00053 
00054 typedef struct _CONN_ENTRY
00055 {
00056     u_int32_t ip;
00057     u_int16_t port;
00058     u_int8_t  protocol;
00059     u_int8_t  cflags; /* usually the TCP header flags */
00060 } CONN_ENTRY;
00061 
00062 typedef struct _PS_SCORE_ENTRY
00063 {
00064     TRACKER_POSITION position; /**< which table am I stored in */
00065     time_t           event_sec;  /**< time of original event */
00066     u_int32_t         event_id;   /**< event id of original event */    
00067     u_int32_t         flags;
00068     u_int32_t         last_idx; /* ring idx */
00069     u_int32_t         connections_seen;
00070     CONN_ENTRY       last_hosts[FLOWPS_HOSTS_SIZE]; /* array of most recent connections */
00071     PS_SCORE         fixed_talker;
00072     PS_SCORE         fixed_scanner;
00073     PS_SCORE         sliding_talker;
00074     PS_SCORE         sliding_scanner;
00075 } SCORE_ENTRY;
00076 
00077 typedef struct _SCORE_THRESHOLD
00078 {
00079     int      fixed_size;  /* window sizes */
00080     int      sliding_size;
00081     u_int32_t sliding;     /* thresholds */
00082     u_int32_t fixed;
00083     float    window_scale; /* what to multipl"y the window size by each time */
00084 } SCORE_THRESHOLD;
00085 
00086 /** output mechanism for FLOWPS */
00087 typedef enum {
00088     PKTKLUDGE,   /**< pktkludge + event */
00089     VARIABLEMSG  /**< variable length event message */
00090 } FLOWPS_OUTPUT;
00091 
00092 /**
00093  * Config structure to initialize the table
00094  */
00095 typedef struct _PS_CONFIG
00096 {    
00097     int tcp_penalties; /* give odd flag combinations more credence */
00098     int sb_memcap_total;  /**< scoreboard-memcap */
00099     int sb_memcap_talker;
00100     int sb_memcap_scanner;
00101     int sb_rows_talker;         /**< active row count */
00102     int sb_rows_scanner;        /**< scanner rowcount */
00103 
00104     
00105     int ut_memcap;              /**< uniqueness tracker memcap */
00106     int ut_rows;                /**< uniqueness tracker row count */
00107 
00108     int server_memcap;          /**< server watcher memcap */
00109     int server_rows;            /**< server watcher node count */
00110     int server_learning_time;   /**< how long should we wait until we have
00111                                   "deduced" all the servers on the network */
00112     u_int32_t server_ignore_limit; /**< how many times a service must
00113                                      be hit before it's ignored */
00114     u_int32_t server_scanner_limit; /**< how many times a service must
00115                                     *   be hit before it's considered active traffic
00116                                     */
00117 
00118     int base_score;          /**< default score for a new connection */
00119     int alert_once;         /**< alert only once per node */
00120     int dumpall;            /**< make all the subhashtables
00121                                dump their contents on exit */
00122     IPSET *server_watchnet_ipv4;
00123     IPSET *src_ignore_ipv4;  /**< ignore these sips */
00124     IPSET *dst_ignore_ipv4;  /**< ignore these dips */
00125 
00126     FLOWPS_OUTPUT output_mode;
00127     SCORE_THRESHOLD  limit_talker;  
00128     SCORE_THRESHOLD  limit_scanner;
00129 } PS_CONFIG;
00130 
00131 typedef struct _PS_TRACKER
00132 {
00133     PS_CONFIG        config;         /* configuration options */
00134     SCOREBOARD       table_active;   /* active talkers */
00135     SCOREBOARD       table_scanner;  /* "policy violators" */
00136     UNIQUE_TRACKER   unique_tracker; /* table for determining "unique" connections */
00137     SERVER_STATS     server_stats;   /* table for allowing server learning */
00138 } PS_TRACKER;
00139 
00140 
00141 int flowps_init(PS_TRACKER *trackerp, PS_CONFIG *configp);
00142 int flowps_destroy(PS_TRACKER *trackerp);
00143 
00144 int flowps_mkconfig(PS_CONFIG *configp,
00145                     int sb_memcap_talker,
00146                     int sb_rows_talker,
00147                     int sb_memcap_scanner,
00148                     int sb_rows_scanner,
00149                     int ut_memcap,
00150                     int ut_rows,
00151                     int server_memcap,
00152                     int server_rows,
00153                     int server_learning_time,
00154                     int tcp_penalties,
00155                     u_int32_t server_ignore_limit,
00156                     u_int32_t server_scanner_limit,
00157                     int base_score,
00158                     int alert_once,
00159                     FLOWPS_OUTPUT output_mode);
00160 
00161 int flowps_mkthreshold(SCORE_THRESHOLD *thr,
00162                        int fixed_size, 
00163                        u_int32_t fixed_limit,
00164                        int sliding_size,
00165                        u_int32_t sliding_limit,
00166                        float window_scale);
00167 
00168 int flowps_is_ignored_ipv4(PS_TRACKER *pstp, u_int32_t *sip, u_int32_t *dip);
00169 
00170 int flowps_add_entry(PS_TRACKER *trackerp, TRACKER_POSITION position,
00171                       u_int32_t *address, SCORE_ENTRY **sepp);
00172 int flowps_find_entry(PS_TRACKER *trackerp, u_int32_t *address,
00173                       SCORE_ENTRY **sepp);
00174 int flowps_score_entry(PS_TRACKER *pstp, SCORE_ENTRY *sep, int score,
00175                        TRACKER_POSITION tr_pos, int alert_once,
00176                        u_int32_t *alert_flags);
00177 
00178 int flowps_entry_print(SCORE_ENTRY *entry, u_int32_t *address);     
00179 
00180 int flowps_get_score(PS_TRACKER *pstp, FLOW *flowp, time_t cur,
00181                      u_int32_t flags, int *score, TRACKER_POSITION *type);
00182 
00183 int flowps_sliding_winadj(PS_SCORE *pscp, time_t current_time,
00184                           SCORE_THRESHOLD *threshold);
00185 
00186 int flowps_fixed_winadj(PS_SCORE *pscp, time_t current_time,
00187                         SCORE_THRESHOLD *threshold);
00188 
00189 int flowps_set_last_address(SCORE_ENTRY *sep, FLOW *flowp, u_int8_t cflags);
00190 
00191 int flowps_watch_servers(PS_TRACKER *trackerp);
00192 
00193 int flowps_enabled(void);
00194 int flowps_server_stats_enabled(PS_TRACKER *trackerp);
00195 
00196 
00197 void flowps_stats(PS_TRACKER *pstp);
00198 #endif /* _FLOWPS_H */