#include <time.h>#include "flow.h"#include "unique_tracker.h"#include "ipobj.h"Go to the source code of this file.
Defines | |
| #define | SDESC_SIZE 256 |
| #define | ALERT_FIXED_TALKER 0x01 |
| #define | ALERT_SLIDING_TALKER 0x02 |
| #define | ALERT_FIXED_SCANNER 0x04 |
| #define | ALERT_SLIDING_SCANNER 0x08 |
| #define | FLOWPS_HOSTS_SIZE 5 |
Typedefs | |
| typedef _SERVER_STATS | SERVER_STATS |
| typedef _SCOREBOARD | SCOREBOARD |
| typedef _PS_SCORE | PS_SCORE |
| typedef _CONN_ENTRY | CONN_ENTRY |
| typedef _PS_SCORE_ENTRY | SCORE_ENTRY |
| typedef _SCORE_THRESHOLD | SCORE_THRESHOLD |
| typedef _PS_CONFIG | PS_CONFIG |
| typedef _PS_TRACKER | PS_TRACKER |
Enumerations | |
| enum | TRACKER_POSITION { TRACKER_ACTIVE = 1, TRACKER_SCANNER = 2 } |
| enum | FLOWPS_OUTPUT { PKTKLUDGE, VARIABLEMSG } |
Functions | |
| int | flowps_init (PS_TRACKER *trackerp, PS_CONFIG *configp) |
| int | flowps_destroy (PS_TRACKER *trackerp) |
| int | flowps_mkconfig (PS_CONFIG *configp, int sb_memcap_talker, int sb_rows_talker, int sb_memcap_scanner, int sb_rows_scanner, int ut_memcap, int ut_rows, int server_memcap, int server_rows, int server_learning_time, int tcp_penalties, u_int32_t server_ignore_limit, u_int32_t server_scanner_limit, int base_score, int alert_once, FLOWPS_OUTPUT output_mode) |
| int | flowps_mkthreshold (SCORE_THRESHOLD *thr, int fixed_size, u_int32_t fixed_limit, int sliding_size, u_int32_t sliding_limit, float window_scale) |
| int | flowps_is_ignored_ipv4 (PS_TRACKER *pstp, u_int32_t *sip, u_int32_t *dip) |
| int | flowps_add_entry (PS_TRACKER *trackerp, TRACKER_POSITION position, u_int32_t *address, SCORE_ENTRY **sepp) |
| int | flowps_find_entry (PS_TRACKER *trackerp, u_int32_t *address, SCORE_ENTRY **sepp) |
| int | flowps_score_entry (PS_TRACKER *pstp, SCORE_ENTRY *sep, int score, TRACKER_POSITION tr_pos, int alert_once, u_int32_t *alert_flags) |
| int | flowps_entry_print (SCORE_ENTRY *entry, u_int32_t *address) |
| int | flowps_get_score (PS_TRACKER *pstp, FLOW *flowp, time_t cur, u_int32_t flags, int *score, TRACKER_POSITION *type) |
| int | flowps_sliding_winadj (PS_SCORE *pscp, time_t current_time, SCORE_THRESHOLD *threshold) |
| int | flowps_fixed_winadj (PS_SCORE *pscp, time_t current_time, SCORE_THRESHOLD *threshold) |
| int | flowps_set_last_address (SCORE_ENTRY *sep, FLOW *flowp, u_int8_t cflags) |
| int | flowps_watch_servers (PS_TRACKER *trackerp) |
| int | flowps_enabled (void) |
| int | flowps_server_stats_enabled (PS_TRACKER *trackerp) |
| void | flowps_stats (PS_TRACKER *pstp) |
|
|
Definition at line 20 of file flowps.h. Referenced by flowps_entry_print(), flowps_generate_flow_event(), and flowps_score_entry(). |
|
|
Definition at line 18 of file flowps.h. Referenced by flowps_entry_print(), flowps_generate_flow_event(), and flowps_score_entry(). |
|
|
Definition at line 21 of file flowps.h. Referenced by flowps_entry_print(), flowps_generate_flow_event(), and flowps_score_entry(). |
|
|
Definition at line 19 of file flowps.h. Referenced by flowps_entry_print(), flowps_generate_flow_event(), and flowps_score_entry(). |
|
|
Definition at line 24 of file flowps.h. Referenced by flowps_entry_print(), flowps_set_last_address(), and score_entry_sprint(). |
|
|
size of the scoreboard description field Definition at line 16 of file flowps.h. Referenced by scoreboard_init(). |
|
|
|
|
|
Config structure to initialize the table |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
output mechanism for FLOWPS |
|
|
|
|
||||||||||||||||||||
|
Register a new node in the portscan tracker. This does not enforce that a node can only be in one table at a time to avoid the 2 extra searching operations. All uses of this should be done after performing a find to make sure the trackers do not already exist.
Definition at line 426 of file flowps.c. References FLOW_SUCCESS, scoreboard_add(), _PS_TRACKER::table_active, _PS_TRACKER::table_scanner, and TRACKER_ACTIVE. Referenced by flowps_newflow_callback(). |
|
|
Definition at line 239 of file flowps.c. References FLOW_ENULL, FLOW_SUCCESS, scoreboard_destroy(), _PS_TRACKER::table_active, _PS_TRACKER::table_scanner, _PS_TRACKER::unique_tracker, and ut_destroy(). Referenced by FlowPSCleanExit(). |
|
|
see if flowps is turned on
Definition at line 871 of file flowps.c. References s_enabled. Referenced by flowps_newflow_callback(). |
|
||||||||||||
|
||||||||||||||||
|
find the trackers in the table Currently, it first looks it up in the active table and then the scanner table
Definition at line 382 of file flowps.c. References FLOW_ENULL, FLOW_NOTFOUND, scoreboard_find(), _PS_TRACKER::table_active, and _PS_TRACKER::table_scanner. Referenced by flowps_newflow_callback(). |
|
||||||||||||||||
|
Expire a fixed scale PS_SCORE
Definition at line 729 of file flowps.c. References _PS_SCORE::ends, _SCORE_THRESHOLD::fixed_size, FLOW_SUCCESS, _PS_SCORE::score, and _PS_SCORE::start. Referenced by flowps_newflow_callback(). |
|
||||||||||||||||||||||||||||
|
Get the score and the type of connection this is If the score is 0, this is an already existing connection and can be successfully ignored.
Definition at line 600 of file flowps.c. References _PS_CONFIG::base_score, _PS_TRACKER::config, FLOW_ENULL, flow_printf(), FLOW_SUCCESS, flowps_server_watch(), flowps_tcp_penalty(), _FLOW::key, packet_first_time(), _FLOWKEY::protocol, _FLOWKEY::resp_address, _FLOWKEY::resp_port, s_debug, _PS_CONFIG::server_ignore_limit, _PS_CONFIG::server_learning_time, _PS_CONFIG::server_scanner_limit, _PS_TRACKER::server_stats, server_stats_add_ipv4(), server_stats_hitcount_ipv4(), _PS_CONFIG::tcp_penalties, TRACKER_SCANNER, _PS_TRACKER::unique_tracker, ut_check(), and UT_OLD. Referenced by flowps_newflow_callback(). |
|
||||||||||||
|
initialize the Portscan Tracker. This takes several arguments, all, on the PS_CONFIG structure.
Definition at line 174 of file flowps.c. References _PS_TRACKER::config, FLOW_ENULL, FLOW_SUCCESS, flowps_server_stats_enabled(), memcpy, s_enabled, _PS_CONFIG::sb_memcap_scanner, _PS_CONFIG::sb_memcap_talker, _PS_CONFIG::sb_rows_scanner, _PS_CONFIG::sb_rows_talker, scoreboard_destroy(), scoreboard_init(), _PS_CONFIG::server_memcap, _PS_CONFIG::server_rows, _PS_TRACKER::server_stats, server_stats_init(), _PS_CONFIG::server_watchnet_ipv4, _PS_TRACKER::table_active, _PS_TRACKER::table_scanner, TRACKER_ACTIVE, TRACKER_SCANNER, _PS_TRACKER::unique_tracker, ut_destroy(), ut_init(), _PS_CONFIG::ut_memcap, and _PS_CONFIG::ut_rows. Referenced by FlowPSInit(). |
|
||||||||||||||||
|
Check to see if this IPv4 Address should be ignored by the portscan tracker. This checks both the src and dst lists.
Definition at line 889 of file flowps.c. References _PS_TRACKER::config, _PS_CONFIG::dst_ignore_ipv4, FLOW_DISABLED, FLOW_ENULL, FLOW_SUCCESS, ipset_contains(), IPV4_FAMILY, and _PS_CONFIG::src_ignore_ipv4. Referenced by flowps_newflow_callback(). |
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Initialize the configuration structure and set everything to 0
Definition at line 80 of file flowps.c. References _PS_CONFIG::alert_once, _PS_CONFIG::base_score, _PS_CONFIG::dumpall, FLOW_ENULL, FLOW_SUCCESS, memset, _PS_CONFIG::output_mode, _PS_CONFIG::sb_memcap_scanner, _PS_CONFIG::sb_memcap_talker, _PS_CONFIG::sb_memcap_total, _PS_CONFIG::sb_rows_scanner, _PS_CONFIG::sb_rows_talker, _PS_CONFIG::server_ignore_limit, _PS_CONFIG::server_learning_time, _PS_CONFIG::server_memcap, _PS_CONFIG::server_rows, _PS_CONFIG::server_scanner_limit, _PS_CONFIG::tcp_penalties, _PS_CONFIG::ut_memcap, and _PS_CONFIG::ut_rows. Referenced by FlowPSSetDefaults(). |
|
||||||||||||||||||||||||||||
|
Setup a SCORE_THRESHOLD object. This contains the limits and window sizes that will be used each time we evaluate a SCORE_ENTRY from one of the scoreboards.
Definition at line 50 of file flowps.c. References _SCORE_THRESHOLD::fixed, _SCORE_THRESHOLD::fixed_size, FLOW_ENULL, FLOW_SUCCESS, _SCORE_THRESHOLD::sliding, _SCORE_THRESHOLD::sliding_size, and _SCORE_THRESHOLD::window_scale. Referenced by FlowPSSetDefaults(). |
|
||||||||||||||||||||||||||||
|
Evaluate the score on an entry, generating alerts if needed.
Definition at line 281 of file flowps.c. References ALERT_FIXED_SCANNER, ALERT_FIXED_TALKER, ALERT_SLIDING_SCANNER, ALERT_SLIDING_TALKER, _PS_TRACKER::config, _SCORE_THRESHOLD::fixed, _PS_SCORE_ENTRY::fixed_scanner, _PS_SCORE_ENTRY::fixed_talker, _PS_SCORE_ENTRY::flags, FLOW_ENULL, FLOW_SUCCESS, FLOWASSERT, flowps_reset_alert_flags(), _PS_CONFIG::limit_scanner, _PS_CONFIG::limit_talker, _PS_SCORE::score, _SCORE_THRESHOLD::sliding, _PS_SCORE_ENTRY::sliding_scanner, _PS_SCORE_ENTRY::sliding_talker, TRACKER_ACTIVE, and TRACKER_SCANNER. Referenced by flowps_newflow_callback(). |
|
|
Determine if the server stats feature is enabled
Definition at line 134 of file flowps.c. References _PS_TRACKER::config, FLOW_DISABLED, FLOW_SUCCESS, and _PS_CONFIG::server_watchnet_ipv4. Referenced by flowps_init(), and FlowPSOutputConfig(). |
|
||||||||||||||||
|
Maintain the ring buffer of most recent connections
Definition at line 839 of file flowps.c. References _CONN_ENTRY::cflags, _PS_SCORE_ENTRY::connections_seen, FLOW_SUCCESS, FLOWPS_HOSTS_SIZE, _CONN_ENTRY::ip, _FLOW::key, _PS_SCORE_ENTRY::last_hosts, _PS_SCORE_ENTRY::last_idx, _CONN_ENTRY::port, _FLOWKEY::protocol, _CONN_ENTRY::protocol, _FLOWKEY::resp_address, and _FLOWKEY::resp_port. Referenced by flowps_newflow_callback(). |
|
||||||||||||||||
|
Expire a sliding scale PS_SCORE considerably more complicated than the fixed time window stuff. This really should be simplified.
Definition at line 756 of file flowps.c. References _PS_SCORE::ends, FLOW_SUCCESS, _PS_SCORE::score, _SCORE_THRESHOLD::sliding_size, _PS_SCORE::start, and _SCORE_THRESHOLD::window_scale. Referenced by flowps_newflow_callback(). |
|
|
Definition at line 531 of file flowps.c. References _PS_TRACKER::config, _PS_CONFIG::dumpall, flow_printf(), scoreboard_stats(), _PS_TRACKER::server_stats, server_stats(), _PS_TRACKER::table_active, _PS_TRACKER::table_scanner, _PS_TRACKER::unique_tracker, and ut_stats(). Referenced by FlowPSCleanExit(). |
|
|
|
1.4.2