flowps_snort.c File Reference

interface between snort & portscan More...

#include "debug.h"
#include "plugbase.h"
#include "parser.h"
#include "snort.h"
#include "scoreboard.h"
#include "server_stats.h"
#include "spp_flow.h"
#include "flowps.h"
#include "flowps_snort.h"
#include "packet_time.h"
#include "event_wrapper.h"
#include "generators.h"
#include "common_defs.h"
#include "util_str.h"
#include "util_net.h"
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdlib.h>
#include <ctype.h>

Go to the source code of this file.

Defines
#define	PSDEFAULT_SB_ROWS_ACTIVE   1000000
#define	PSDEFAULT_SB_MEMCAP_ACTIVE   (ONE_MBYTE * 24)
#define	PSDEFAULT_SB_ROWS_SCANNER   (PSDEFAULT_SB_ROWS_ACTIVE/4)
#define	PSDEFAULT_SB_MEMCAP_SCANNER   (PSDEFAULT_SB_MEMCAP_ACTIVE/4)
#define	PSDEFAULT_UT_ROWS   1000000
#define	PSDEFAULT_UT_MEMCAP   (ONE_MBYTE * 24)
#define	PSDEFAULT_SERVER_ROWS   (1 << 16)
#define	PSDEFAULT_SERVER_MEMCAP   (ONE_MBYTE * 2)
#define	PSDEFAULT_SERVER_LEARNING_TIME   (ONE_HOUR * 8)
#define	PSDEFAULT_SERVER_IGNORE_LIMIT   500
#define	PSDEFAULT_SERVER_SCANNER_LIMIT   500
#define	PSDEFAULT_BASE_SCORE   1
#define	PSDEFAULT_ALERT_ONCE   1
#define	PSDEFAULT_OUTPUT_MODE   VARIABLEMSG
#define	PSDEFAULT_TCP_PENALTIES   1
#define	PSTALKER_FIXED_SIZE   30
#define	PSTALKER_SLIDING_SIZE   30
#define	PSTALKER_SLIDING_SCORE   30
#define	PSTALKER_FIXED_SCORE   15
#define	PSTALKER_WINDOW_SCALE   (0.5)
#define	PSSCANNER_FIXED_SIZE   15
#define	PSSCANNER_SLIDING_SIZE   20
#define	PSSCANNER_SLIDING_SCORE   40
#define	PSSCANNER_FIXED_SCORE   15
#define	PSSCANNER_WINDOW_SCALE   (0.5)
#define	FLOWPSMAXPKTSIZE   (IP_MAXPACKET - (IP_HEADER_LEN + ETHERNET_HEADER_LEN))
Functions
void	FlowPSRestart (int signal, void *data)
void	FlowPSCleanExit (int signal, void *data)
static void	FlowPSInit (u_char *args)
static void	FlowPSParseArgs (PS_CONFIG *config, char *args)
static int	flowps_generate_flow_event (SCORE_ENTRY *sep, FLOWPACKET *p, u_int32_t *address, FLOWPS_OUTPUT output_type, time_t cur)
static int	flowps_init_pkt (void)
static Packet *	flowps_mkpacket (SCORE_ENTRY *sep, FLOWPACKET *orig_packet, u_int32_t *address, time_t cur)
void	FlowPSSetDefaults (PS_CONFIG *config)
void	SetupFlowPS (void)
static void	FlowPSOutputConfig (PS_TRACKER *trackerp)
static void	FlowPSParseOption (PS_CONFIG *config, char *fname, int lineno, char *key, char *value)
int	flowps_newflow_callback (FLOW_POSITION position, FLOW *flowp, int direction, time_t cur, FLOWPACKET *p)
static int	score_entry_sprint (unsigned char *buf, int buflen, SCORE_ENTRY *sep, u_int32_t *address)
Variables
static PS_TRACKER	s_tracker
static int	s_debug = 0
static Packet *	s_pkt = NULL

---

Detailed Description

interface between snort & portscan

Author:

Chris Green <cmg@sourcefire.com>

Date:

Fri Jun 6 14:49:30 2003

Implements the basic functionality required for snort+flow to interact with a portscan procesor that accepts flow events from the flow preprocessor.

Definition in file flowps_snort.c.

---

Define Documentation

#define FLOWPSMAXPKTSIZE   (IP_MAXPACKET - (IP_HEADER_LEN + ETHERNET_HEADER_LEN))

Definition at line 74 of file flowps_snort.c. Referenced by flowps_mkpacket().

#define PSDEFAULT_ALERT_ONCE   1

Definition at line 54 of file flowps_snort.c. Referenced by FlowPSSetDefaults().

#define PSDEFAULT_BASE_SCORE   1

Definition at line 53 of file flowps_snort.c. Referenced by FlowPSSetDefaults().

#define PSDEFAULT_OUTPUT_MODE   VARIABLEMSG

Definition at line 55 of file flowps_snort.c. Referenced by FlowPSSetDefaults().

#define PSDEFAULT_SB_MEMCAP_ACTIVE   (ONE_MBYTE * 24)

Definition at line 43 of file flowps_snort.c. Referenced by FlowPSSetDefaults().

#define PSDEFAULT_SB_MEMCAP_SCANNER   (PSDEFAULT_SB_MEMCAP_ACTIVE/4)

Definition at line 45 of file flowps_snort.c. Referenced by FlowPSSetDefaults().

#define PSDEFAULT_SB_ROWS_ACTIVE   1000000

Definition at line 42 of file flowps_snort.c. Referenced by FlowPSSetDefaults().

#define PSDEFAULT_SB_ROWS_SCANNER   (PSDEFAULT_SB_ROWS_ACTIVE/4)

Definition at line 44 of file flowps_snort.c. Referenced by FlowPSSetDefaults().

#define PSDEFAULT_SERVER_IGNORE_LIMIT   500

Definition at line 51 of file flowps_snort.c. Referenced by FlowPSSetDefaults().

#define PSDEFAULT_SERVER_LEARNING_TIME   (ONE_HOUR * 8)

Definition at line 50 of file flowps_snort.c. Referenced by FlowPSSetDefaults().

#define PSDEFAULT_SERVER_MEMCAP   (ONE_MBYTE * 2)

Definition at line 49 of file flowps_snort.c. Referenced by FlowPSSetDefaults().

#define PSDEFAULT_SERVER_ROWS   (1 << 16)

Definition at line 48 of file flowps_snort.c. Referenced by FlowPSSetDefaults().

#define PSDEFAULT_SERVER_SCANNER_LIMIT   500

Definition at line 52 of file flowps_snort.c. Referenced by FlowPSSetDefaults().

#define PSDEFAULT_TCP_PENALTIES   1

enable TCP penalities by default Definition at line 59 of file flowps_snort.c. Referenced by FlowPSSetDefaults().

#define PSDEFAULT_UT_MEMCAP   (ONE_MBYTE * 24)

Definition at line 47 of file flowps_snort.c. Referenced by FlowPSSetDefaults().

#define PSDEFAULT_UT_ROWS   1000000

Definition at line 46 of file flowps_snort.c. Referenced by FlowPSSetDefaults().

#define PSSCANNER_FIXED_SCORE   15

pt tally Definition at line 71 of file flowps_snort.c. Referenced by FlowPSSetDefaults().

#define PSSCANNER_FIXED_SIZE   15

Definition at line 68 of file flowps_snort.c. Referenced by FlowPSSetDefaults().

#define PSSCANNER_SLIDING_SCORE   40

pt tally Definition at line 70 of file flowps_snort.c. Referenced by FlowPSSetDefaults().

#define PSSCANNER_SLIDING_SIZE   20

window frame Definition at line 69 of file flowps_snort.c. Referenced by FlowPSSetDefaults().

#define PSSCANNER_WINDOW_SCALE   (0.5)

multiplier for wsize Definition at line 72 of file flowps_snort.c. Referenced by FlowPSSetDefaults().

#define PSTALKER_FIXED_SCORE   15

pt tally Definition at line 65 of file flowps_snort.c. Referenced by FlowPSSetDefaults().

#define PSTALKER_FIXED_SIZE   30

Definition at line 62 of file flowps_snort.c. Referenced by FlowPSSetDefaults().

#define PSTALKER_SLIDING_SCORE   30

pt tally Definition at line 64 of file flowps_snort.c. Referenced by FlowPSSetDefaults().

#define PSTALKER_SLIDING_SIZE   30

window frame Definition at line 63 of file flowps_snort.c. Referenced by FlowPSSetDefaults().

#define PSTALKER_WINDOW_SCALE   (0.5)

multiplier for wsize Definition at line 66 of file flowps_snort.c. Referenced by FlowPSSetDefaults().

---

Function Documentation

static int flowps_generate_flow_event (  SCORE_ENTRY *  sep, FLOWPACKET *  p, u_int32_t *  address, FLOWPS_OUTPUT  output_type, time_t  cur )  [static]

Definition at line 805 of file flowps_snort.c. References ALERT_FIXED_SCANNER, ALERT_FIXED_TALKER, ALERT_SLIDING_SCANNER, ALERT_SLIDING_TALKER, _PS_SCORE_ENTRY::event_id, event_id, _PS_SCORE_ENTRY::event_sec, _PS_SCORE_ENTRY::fixed_scanner, _PS_SCORE_ENTRY::fixed_talker, _PS_SCORE_ENTRY::flags, FLOW_EINVALID, FLOW_SCANNER_FIXED_ALERT, FLOW_SCANNER_SLIDING_ALERT, FLOW_SUCCESS, FLOW_TALKER_FIXED_ALERT, FLOW_TALKER_SLIDING_ALERT, flowps_mkpacket(), GenerateSnortEvent(), GENERATOR_FLOW_PORTSCAN, NULL, packet_timeofday(), PKTKLUDGE, _PS_SCORE::score, _PS_SCORE_ENTRY::sliding_scanner, _PS_SCORE_ENTRY::sliding_talker, snprintf, and VARIABLEMSG. Referenced by flowps_newflow_callback().

static int flowps_init_pkt (  void   )  [static]

Initialize the static packet used for the portscan flow plugin. This allocates 2 bytes over what it needs to so that the IP header will be 32bit aligned. Returns: FLOW_SUCCESS on sucess Definition at line 1041 of file flowps_snort.c. References _Packet::data, _Packet::eh, _EtherHdr::ether_dst, _EtherHdr::ether_src, _EtherHdr::ether_type, ETHERNET_HEADER_LEN, flow_fatalerror(), FLOW_SUCCESS, _IPHdr::ip_len, IP_MAXPACKET, _IPHdr::ip_proto, _IPHdr::ip_tos, _IPHdr::ip_ttl, _Packet::iph, memcpy, NULL, _Packet::pkt, _Packet::pkth, SET_IP_HLEN, and SET_IP_VER. Referenced by FlowPSInit().

static Packet * flowps_mkpacket (  SCORE_ENTRY *  sep, FLOWPACKET *  orig_packet, u_int32_t *  address, time_t  cur )  [static]

Make a packet with the flowps data in it. This is used to generate a fake IP datagram to carry portscan data from snort so that it can be processed by custom utilities. SRC + DST mac addresses = "MACDAD" sip+dip == attacker ip proto 255 ttl = 0 chksum = 0 Parameters: sep  score entry to generate a packet from address  ptr to the address of the attacker Returns: a pointer to a fully formed packet on success Definition at line 988 of file flowps_snort.c. References pcap_pkthdr::caplen, _Packet::data, _Packet::dsize, ETHERNET_HEADER_LEN, FLOWPSMAXPKTSIZE, GetIPv4DstIp(), _IPHdr::ip_dst, IP_HEADER_LEN, _IPHdr::ip_len, _IPHdr::ip_src, _Packet::iph, pcap_pkthdr::len, memcpy, NULL, _Packet::pkth, score_entry_sprint(), and pcap_pkthdr::ts. Referenced by flowps_generate_flow_event().

int flowps_newflow_callback (  FLOW_POSITION  position, FLOW *  flowp, int  direction, time_t  cur, FLOWPACKET *  p )

The callback for the flow-portscan module This function's purpose is to do about the same thing as a traditional snort preprocessor. The only difference is that this occurs only on a specific FLOW position. This individual callback position is only valid in the "NEW" flow position. The operations are pretty much the same as laid out by Chris Green, Marc Norton, Dan Roelker Basic code flow: 1) Get the score and flag type 2) return if the score is 0 3) Get the score entry node 4) Perform time window maintence includes flushing the "scan data" out of the subsys 5) Process the score data 6) Generate alerts if necessary Parameters: position  where in the flow module this is being called from flow  the flow that the stats are kept for direction  the direction of the flow cur  the current time p  the current packet (may be NULL) Returns: TBD Definition at line 605 of file flowps_snort.c. References _PS_CONFIG::alert_once, _PS_TRACKER::config, _Packet::dp, _PS_SCORE_ENTRY::fixed_scanner, _PS_SCORE_ENTRY::fixed_talker, _PS_SCORE_ENTRY::flags, FLOW_NEW, FLOW_NOTFOUND, flow_printf(), FLOW_SUCCESS, flowkey_print(), flowps_add_entry(), flowps_enabled(), flowps_entry_print(), flowps_find_entry(), flowps_fixed_winadj(), flowps_generate_flow_event(), flowps_get_score(), flowps_is_ignored_ipv4(), flowps_score_entry(), flowps_set_last_address(), flowps_sliding_winadj(), GetTcpFlags(), inet_ntoax(), _FLOWKEY::init_address, _IPHdr::ip_dst, _IPHdr::ip_src, _Packet::iph, IsTcpPacket(), _FLOW::key, _PS_CONFIG::limit_scanner, _PS_CONFIG::limit_talker, mktcpflag_str(), NULL, _PS_CONFIG::output_mode, _PS_SCORE_ENTRY::position, _FLOWKEY::resp_address, s_debug, scoreboard_move(), _PS_SCORE_ENTRY::sliding_scanner, _PS_SCORE_ENTRY::sliding_talker, _Packet::sp, _PS_TRACKER::table_active, _PS_TRACKER::table_scanner, TRACKER_ACTIVE, and TRACKER_SCANNER. Referenced by flow_callbacks().

void FlowPSCleanExit (  int  signal, void *  data )

Definition at line 558 of file flowps_snort.c. References flowps_destroy(), flowps_stats(), NULL, pv, and _progvars::quiet_flag. Referenced by FlowPSInit().

static void FlowPSInit (  u_char *  args  )  [static]

Initialize the configuration of the flow preprocessor Parameters: args  command line arguments from snort.conf Definition at line 222 of file flowps_snort.c. References AddFuncToCleanExitList(), AddFuncToRestartList(), file_line, file_name, flow_fatalerror(), FLOW_SUCCESS, flowps_init(), flowps_init_pkt(), FlowPSCleanExit(), FlowPSOutputConfig(), FlowPSParseArgs(), FlowPSRestart(), FlowPSSetDefaults(), NULL, _PS_CONFIG::sb_memcap_total, and SppFlowIsRunning(). Referenced by SetupFlowPS().

static void FlowPSOutputConfig (  PS_TRACKER *  trackerp  )  [static]

Display what the underlying tidbits think the config is Parameters: trackerp  grab the configuration info from the portscan tracker Definition at line 135 of file flowps_snort.c. References _PS_CONFIG::base_score, calc_percent(), _PS_TRACKER::config, _SCORE_THRESHOLD::fixed, _SCORE_THRESHOLD::fixed_size, flow_printf(), FLOW_SUCCESS, flowps_server_stats_enabled(), _PS_CONFIG::limit_scanner, _PS_CONFIG::limit_talker, _PS_CONFIG::output_mode, pv, _progvars::quiet_flag, scoreboard_memcap(), scoreboard_overhead_bytes(), scoreboard_row_count(), _PS_CONFIG::server_ignore_limit, _PS_CONFIG::server_learning_time, _PS_CONFIG::server_scanner_limit, _PS_TRACKER::server_stats, server_stats_memcap(), server_stats_overhead_bytes(), server_stats_row_count(), _SCORE_THRESHOLD::sliding, _SCORE_THRESHOLD::sliding_size, _PS_TRACKER::table_active, _PS_TRACKER::table_scanner, _PS_CONFIG::tcp_penalties, _PS_TRACKER::unique_tracker, ut_memcap(), ut_overhead_bytes(), ut_row_count(), VARIABLEMSG, and _SCORE_THRESHOLD::window_scale. Referenced by FlowPSInit().

static void FlowPSParseArgs (  PS_CONFIG *  config, char *  args )  [static]

Parse out the snort.conf line output type - (variable alert string, custom file, pktkludge) watch-net - optional ignore-net - optional Parameters: config  config to set args  string to parse Definition at line 490 of file flowps_snort.c. References file_line, file_name, flow_fatalerror(), FlowPSParseOption(), NULL, _PS_CONFIG::server_ignore_limit, _PS_CONFIG::server_scanner_limit, and _PS_CONFIG::server_watchnet_ipv4. Referenced by FlowPSInit().

static void FlowPSParseOption (  PS_CONFIG *  config, char *  fname, int  lineno, char *  key, char *  value )  [static]

Definition at line 270 of file flowps_snort.c. References _PS_CONFIG::alert_once, _PS_CONFIG::base_score, _PS_CONFIG::dst_ignore_ipv4, _PS_CONFIG::dumpall, file_line, file_name, _SCORE_THRESHOLD::fixed, _SCORE_THRESHOLD::fixed_size, flow_fatalerror(), flow_printf(), ip4_setparse(), ipset_new(), IPV4_FAMILY, _PS_CONFIG::limit_scanner, _PS_CONFIG::limit_talker, NULL, _PS_CONFIG::output_mode, PKTKLUDGE, s_debug, _PS_CONFIG::sb_memcap_scanner, _PS_CONFIG::sb_memcap_talker, _PS_CONFIG::sb_rows_scanner, _PS_CONFIG::sb_rows_talker, _PS_CONFIG::server_ignore_limit, _PS_CONFIG::server_learning_time, _PS_CONFIG::server_memcap, _PS_CONFIG::server_rows, _PS_CONFIG::server_scanner_limit, _PS_CONFIG::server_watchnet_ipv4, _SCORE_THRESHOLD::sliding, _SCORE_THRESHOLD::sliding_size, _PS_CONFIG::src_ignore_ipv4, strcasecmp, _PS_CONFIG::tcp_penalties, toggle_option(), _PS_CONFIG::ut_memcap, _PS_CONFIG::ut_rows, VARIABLEMSG, and _SCORE_THRESHOLD::window_scale. Referenced by FlowPSParseArgs().

void FlowPSRestart (  int  signal, void *  data )

Definition at line 553 of file flowps_snort.c. Referenced by FlowPSInit().

void FlowPSSetDefaults (  PS_CONFIG *  config  )

Definition at line 90 of file flowps_snort.c. References flowps_mkconfig(), flowps_mkthreshold(), _PS_CONFIG::limit_scanner, _PS_CONFIG::limit_talker, PSDEFAULT_ALERT_ONCE, PSDEFAULT_BASE_SCORE, PSDEFAULT_OUTPUT_MODE, PSDEFAULT_SB_MEMCAP_ACTIVE, PSDEFAULT_SB_MEMCAP_SCANNER, PSDEFAULT_SB_ROWS_ACTIVE, PSDEFAULT_SB_ROWS_SCANNER, PSDEFAULT_SERVER_IGNORE_LIMIT, PSDEFAULT_SERVER_LEARNING_TIME, PSDEFAULT_SERVER_MEMCAP, PSDEFAULT_SERVER_ROWS, PSDEFAULT_SERVER_SCANNER_LIMIT, PSDEFAULT_TCP_PENALTIES, PSDEFAULT_UT_MEMCAP, PSDEFAULT_UT_ROWS, PSSCANNER_FIXED_SCORE, PSSCANNER_FIXED_SIZE, PSSCANNER_SLIDING_SCORE, PSSCANNER_SLIDING_SIZE, PSSCANNER_WINDOW_SCALE, PSTALKER_FIXED_SCORE, PSTALKER_FIXED_SIZE, PSTALKER_SLIDING_SCORE, PSTALKER_SLIDING_SIZE, and PSTALKER_WINDOW_SCALE. Referenced by FlowPSInit().

static int score_entry_sprint (  unsigned char *  buf, int  buflen, SCORE_ENTRY *  sep, u_int32_t *  address )  [static]

Print the score entry to a buffer snprintf doesn't protect us any since we are calculating so much but it does make me be explicit on how much data I am putting in. Parameters: buf  buf to print into buflen  size of buffer sep  score entry to print address  address of attacker Returns: 0 on sucess Definition at line 891 of file flowps_snort.c. References _CONN_ENTRY::cflags, _PS_SCORE_ENTRY::connections_seen, _PS_SCORE::ends, _PS_SCORE_ENTRY::event_id, _PS_SCORE_ENTRY::event_sec, _PS_SCORE_ENTRY::fixed_scanner, _PS_SCORE_ENTRY::fixed_talker, _PS_SCORE_ENTRY::flags, FLOWPS_HOSTS_SIZE, _CONN_ENTRY::ip, _PS_SCORE_ENTRY::last_hosts, _CONN_ENTRY::port, _CONN_ENTRY::protocol, _PS_SCORE::score, _PS_SCORE_ENTRY::sliding_scanner, _PS_SCORE_ENTRY::sliding_talker, snprintf, and _PS_SCORE::start. Referenced by flowps_mkpacket().

void SetupFlowPS (  void   )

Definition at line 125 of file flowps_snort.c. References FlowPSInit(), and RegisterPreprocessor(). Referenced by SetupFlow().

---

Variable Documentation

int s_debug = 0 [static]

Definition at line 77 of file flowps_snort.c.

Packet* s_pkt = NULL [static]

Definition at line 78 of file flowps_snort.c.

PS_TRACKER s_tracker [static]

Definition at line 76 of file flowps_snort.c.

---