
portscan.h File Reference

#include <time.h>
#include <sys/time.h>
#include "ipobj.h"


Defines

#define INLINE   inline
#define PS_OPEN_PORTS   8
#define PS_PROTO_TCP   0x01
#define PS_PROTO_UDP   0x02
#define PS_PROTO_ICMP   0x04
#define PS_PROTO_IP   0x08
#define PS_PROTO_ALL   0x0f
#define PS_PROTO_OPEN_PORT   0x80
#define PS_TYPE_PORTSCAN   0x01
#define PS_TYPE_PORTSWEEP   0x02
#define PS_TYPE_DECOYSCAN   0x04
#define PS_TYPE_DISTPORTSCAN   0x08
#define PS_TYPE_ALL   0x0f
#define PS_SENSE_HIGH   1
#define PS_SENSE_MEDIUM   2
#define PS_SENSE_LOW   3
#define PS_ALERT_ONE_TO_ONE   1
#define PS_ALERT_ONE_TO_ONE_DECOY   2
#define PS_ALERT_PORTSWEEP   3
#define PS_ALERT_DISTRIBUTED   4
#define PS_ALERT_ONE_TO_ONE_FILTERED   5
#define PS_ALERT_ONE_TO_ONE_DECOY_FILTERED   6
#define PS_ALERT_DISTRIBUTED_FILTERED   7
#define PS_ALERT_PORTSWEEP_FILTERED   8
#define PS_ALERT_OPEN_PORT   9
#define PS_ALERT_GENERATED   255

Typedefs

typedef struct s_PS_PROTO PS_PROTO
typedef struct s_PS_TRACKER PS_TRACKER
typedef struct s_PS_PKT PS_PKT

Functions

int ps_init (int detect_scans, int detect_scan_type, int sense_level, IPSET *ignore_scanners, IPSET *ignore_scanned, IPSET *watch_ip, int memcap)
int ps_detect (PS_PKT *p)
void ps_tracker_print (PS_TRACKER *tracker)


Define Documentation

#define INLINE   inline
 

Definition at line 17 of file portscan.h.

#define PS_ALERT_DISTRIBUTED   4
 

Definition at line 95 of file portscan.h.

Referenced by PortscanAlertIp(), PortscanAlertTcp(), PortscanAlertUdp(), and ps_alert_many_to_one().

#define PS_ALERT_DISTRIBUTED_FILTERED   7
 

Definition at line 98 of file portscan.h.

Referenced by PortscanAlertIp(), PortscanAlertTcp(), PortscanAlertUdp(), and ps_alert_many_to_one().

#define PS_ALERT_GENERATED   255
 

Definition at line 102 of file portscan.h.

Referenced by PortscanDetect(), ps_tracker_update(), ps_tracker_update_tcp(), and ps_update_open_ports().

#define PS_ALERT_ONE_TO_ONE   1
 

Definition at line 92 of file portscan.h.

Referenced by PortscanAlertIp(), PortscanAlertTcp(), PortscanAlertUdp(), and ps_alert_one_to_one().

#define PS_ALERT_ONE_TO_ONE_DECOY   2
 

Definition at line 93 of file portscan.h.

Referenced by PortscanAlertIp(), PortscanAlertTcp(), PortscanAlertUdp(), and ps_alert_one_to_one_decoy().

#define PS_ALERT_ONE_TO_ONE_DECOY_FILTERED   6
 

Definition at line 97 of file portscan.h.

Referenced by PortscanAlertIp(), PortscanAlertTcp(), PortscanAlertUdp(), and ps_alert_one_to_one_decoy().

#define PS_ALERT_ONE_TO_ONE_FILTERED   5
 

Definition at line 96 of file portscan.h.

Referenced by PortscanAlertIp(), PortscanAlertTcp(), PortscanAlertUdp(), and ps_alert_one_to_one().

#define PS_ALERT_OPEN_PORT   9
 

Definition at line 100 of file portscan.h.

Referenced by PortscanAlert(), ps_tracker_update_tcp(), and ps_update_open_ports().

#define PS_ALERT_PORTSWEEP   3
 

Definition at line 94 of file portscan.h.

Referenced by MakeProtoInfo(), PortscanAlertIcmp(), PortscanAlertIp(), PortscanAlertTcp(), PortscanAlertUdp(), and ps_alert_one_to_many().

#define PS_ALERT_PORTSWEEP_FILTERED   8
 

Definition at line 99 of file portscan.h.

Referenced by MakeProtoInfo(), PortscanAlertIcmp(), PortscanAlertIp(), PortscanAlertTcp(), PortscanAlertUdp(), and ps_alert_one_to_many().

#define PS_OPEN_PORTS   8
 

Definition at line 25 of file portscan.h.

Referenced by ps_update_open_ports().

#define PS_PROTO_ALL   0x0f
 

Definition at line 78 of file portscan.h.

Referenced by ParseProtos().

#define PS_PROTO_ICMP   0x04
 

Definition at line 76 of file portscan.h.

Referenced by MakePortscanPkt(), ParseProtos(), PortscanAlert(), PrintPortscanConf(), ps_filter_ignore(), ps_get_proto_index(), ps_init(), ps_tracker_alert(), ps_tracker_print(), and ps_tracker_update().

#define PS_PROTO_IP   0x08
 

Definition at line 77 of file portscan.h.

Referenced by MakePortscanPkt(), ParseProtos(), PortscanAlert(), PrintPortscanConf(), ps_filter_ignore(), ps_get_proto_index(), ps_init(), ps_tracker_alert(), ps_tracker_print(), and ps_tracker_update().

#define PS_PROTO_OPEN_PORT   0x80
 

Definition at line 80 of file portscan.h.

Referenced by MakePortscanPkt(), PortscanAlert(), and PortscanAlertTcp().

#define PS_PROTO_TCP   0x01
 

Definition at line 74 of file portscan.h.

Referenced by MakePortscanPkt(), ParseProtos(), PortscanAlert(), PortscanInit(), PrintPortscanConf(), ps_filter_ignore(), ps_get_proto_index(), ps_init(), ps_tracker_alert(), ps_tracker_print(), and ps_tracker_update().

#define PS_PROTO_UDP   0x02
 

Definition at line 75 of file portscan.h.

Referenced by MakePortscanPkt(), ParseProtos(), PortscanAlert(), PortscanInit(), PrintPortscanConf(), ps_filter_ignore(), ps_get_proto_index(), ps_init(), ps_tracker_alert(), ps_tracker_print(), and ps_tracker_update().

#define PS_SENSE_HIGH   1
 

Definition at line 88 of file portscan.h.

Referenced by ParseSenseLevel(), PrintPortscanConf(), ps_alert_icmp(), ps_alert_ip(), ps_alert_tcp(), ps_alert_udp(), and ps_proto_update_window().

#define PS_SENSE_LOW   3
 

Definition at line 90 of file portscan.h.

Referenced by ParseSenseLevel(), PortscanInit(), PrintPortscanConf(), ps_alert_icmp(), ps_alert_ip(), ps_alert_tcp(), ps_alert_udp(), and ps_proto_update_window().

#define PS_SENSE_MEDIUM   2
 

Definition at line 89 of file portscan.h.

Referenced by ParseSenseLevel(), PrintPortscanConf(), ps_alert_icmp(), ps_alert_ip(), ps_alert_tcp(), ps_alert_udp(), and ps_proto_update_window().

#define PS_TYPE_ALL   0x0f
 

Definition at line 86 of file portscan.h.

Referenced by ParseScanType(), PortscanInit(), and ps_init().

#define PS_TYPE_DECOYSCAN   0x04
 

Definition at line 84 of file portscan.h.

Referenced by ParseScanType(), PrintPortscanConf(), ps_alert_ip(), ps_alert_tcp(), ps_alert_udp(), and ps_tracker_lookup().

#define PS_TYPE_DISTPORTSCAN   0x08
 

Definition at line 85 of file portscan.h.

Referenced by ParseScanType(), PrintPortscanConf(), ps_alert_ip(), ps_alert_tcp(), ps_alert_udp(), and ps_tracker_lookup().

#define PS_TYPE_PORTSCAN   0x01
 

Definition at line 82 of file portscan.h.

Referenced by ParseScanType(), PrintPortscanConf(), ps_alert_ip(), ps_alert_tcp(), ps_alert_udp(), and ps_tracker_lookup().

#define PS_TYPE_PORTSWEEP   0x02
 

Definition at line 83 of file portscan.h.

Referenced by ParseScanType(), PrintPortscanConf(), ps_alert_icmp(), ps_alert_ip(), ps_alert_tcp(), ps_alert_udp(), and ps_tracker_lookup().


Typedef Documentation

typedef struct s_PS_PKT PS_PKT
 

typedef struct s_PS_PROTO PS_PROTO
 

typedef struct s_PS_TRACKER PS_TRACKER
 


Function Documentation

int ps_detect (PS_PKT *p)
 

The design of portscan is as follows:

  • Filter Packet. Is the packet on the ignore list or the watch list? Is the packet part of an established TCP session (if so, we ignore it)?

  • Tracker Lookup. We look up trackers for src and dst if either is in the watch list, or, when there is no watch list, if either is not in the ignore list. If there is no tracker, we create a new one and keep track of both the scanned host and the scanning host.

  • Tracker Update. We update the tracker using the incoming packet. If the update causes a portscan alert, then we move into the log alert phase.

  • Tracker Evaluate. Generate an alert from the updated tracker. We decide whether we are logging a portscan or a sweep (based on whether the scanning host or the scanned host is the more relevant one).

Definition at line 1722 of file portscan.c.

References NULL, s_PS_PKT::pkt, ps_filter_ignore(), ps_tracker_alert(), ps_tracker_lookup(), ps_tracker_update(), s_PS_PKT::scanned, and s_PS_PKT::scanner.

Referenced by PortscanDetect().

int ps_init (int detect_scans,
             int detect_scan_type,
             int sense_level,
             IPSET *ignore_scanners,
             IPSET *ignore_scanned,
             IPSET *watch_ip,
             int memcap)
 

Definition at line 244 of file portscan.c.

References s_PS_INIT::detect_scan_type, s_PS_INIT::detect_scans, g_ps_tracker_size, s_PS_INIT::ignore_scanned, s_PS_INIT::ignore_scanners, NULL, PS_PROTO_ICMP, PS_PROTO_IP, PS_PROTO_TCP, PS_PROTO_UDP, ps_tracker_free(), PS_TYPE_ALL, s_PS_INIT::sense_level, sfxhash_new(), and s_PS_INIT::watch_ip.

Referenced by PortscanInit().

void ps_tracker_print (PS_TRACKER *tracker)
 

Definition at line 1792 of file portscan.c.

References s_PS_INIT::detect_scans, PS_PROTO_ICMP, PS_PROTO_IP, ps_proto_print(), PS_PROTO_TCP, and PS_PROTO_UDP.

