src/sfutil/sfthd.h Source File

00001 /*!
00002     \file sfthd.h
00003 */
00004 #ifndef _SF_THRESHOLDING_
00005 #define _SF_THRESHOLDING_
00006 
00007 #include "sflsq.h"
00008 
00009 #include "sfghash.h"
00010 #include "sfxhash.h"
00011 /*!
00012     Max GEN_ID value - Set this to the Max Used by Snort, this is used for the
00013     dimensions of the gen_id lookup array.  
00014         
00015         Rows in each hash table, by gen_id.
00016 */
00017 #define THD_MAX_GENID     8129
00018 #define THD_GEN_ID_1_ROWS 4096
00019 #define THD_GEN_ID_ROWS   512
00020 
00021 #define THD_TOO_MANY_THDOBJ -15 
00022 
00023 /*!
00024    Type of Thresholding
00025 */
00026 enum 
00027 {
00028   THD_TYPE_LIMIT,
00029   THD_TYPE_THRESHOLD,
00030   THD_TYPE_BOTH,
00031   THD_TYPE_SUPPRESS,
00032 };
00033 
00034 /*
00035    Very high priority for suppression objects 
00036    users priorities are limited to this minus one  
00037 */
00038 #define THD_PRIORITY_SUPPRESS 1000000
00039 
00040 /*!
00041    Tracking by src, or by dst
00042 */
00043 enum
00044 {
00045   THD_TRK_SRC,
00046   THD_TRK_DST,
00047 };
00048 
00049 
00050 /*!
00051     THD_IP_NODE
00052 
00053     Dynamic hashed node data - added and deleted during runtime
00054     These are added during run-time, and recycled if we max out memory usage.
00055 */
00056 typedef struct {
00057  
00058  unsigned ip;
00059  unsigned count;
00060  time_t   tstart;
00061 
00062 }THD_IP_NODE;
00063 
00064 
00065 typedef struct {
00066  
00067  unsigned count;
00068  time_t   tstart;
00069 
00070 }THD_IP_GNODE;
00071 
00072 /*!
00073     THD_IP_NODE_KEY
00074 
00075     HASH Key to lookup and store Ip nodes
00076 */
00077 typedef struct{
00078 
00079   int      thd_id;
00080   unsigned ip;
00081 
00082 } THD_IP_NODE_KEY ;
00083 
00084 typedef struct{
00085 
00086   unsigned gen_id;
00087   unsigned sig_id;
00088   unsigned ip;
00089 
00090 } THD_IP_GNODE_KEY ;
00091 
00092 
00093 /*!
00094     THD_NODE
00095 
00096     A Thresholding Object
00097     These are created at program startup, and remain static. 
00098         The THD_IP_NODE elements are dynamic.
00099 */
00100 typedef struct {
00101  
00102  int      thd_id;  /* Id of this node */
00103 
00104  unsigned gen_id; /* Keep these around if needed */
00105  unsigned sig_id;
00106  int      tracking; /* by_src, by_dst */
00107  int      type;
00108  int      priority;
00109  unsigned count;
00110  unsigned seconds;
00111 
00112  unsigned ip_address;
00113  unsigned ip_mask;
00114 
00115  unsigned not_flag; /* 0=not netgated, 1=negated */
00116 
00117 }THD_NODE;
00118 
00119 
00120 /*!
00121     THD_ITEM
00122 
00123     The THD_ITEM acts as a container of gen_id+sig_id based threshold objects,
00124     this allows multiple threshold objects to be applied to a single 
00125     gen_id+sig_id pair. The sflist is created using the priority field, 
00126     so highest priority objects are first in the list. When processing the 
00127     highest priority object will trigger first.  
00128 
00129     These are static data elements, built at program startup.
00130 */
00131 typedef struct {
00132 
00133  unsigned   gen_id; /* just so we know what gen_id we are */
00134  unsigned   sig_id; 
00135  /*
00136    List of THD_NODE's - walk this list and hash the 'THD_NODE->sfthd_id + src_ip or dst_ip'
00137    to get the correct THD_IP_NODE.
00138  */
00139  SF_LIST  * sfthd_node_list;
00140  
00141 }THD_ITEM;
00142 
00143 
00144 /*
00145 *  Temporary structure usefule when parsing the Snort rules
00146 */
00147 typedef struct {
00148   unsigned gen_id;
00149   unsigned sig_id;
00150   int  type;
00151   int  tracking;
00152   int  priority;
00153   int  count;
00154   int  seconds;
00155   int  ip_address;
00156   int  ip_mask;
00157   unsigned not_flag;
00158 }THDX_STRUCT;
00159 
00160 
00161 /*!
00162     THD_STRUCT 
00163 
00164     The main thresholding data structure. 
00165 
00166     Local and global threshold thd_id's are all unqiue, so we use just one ip_nodes lookup table
00167  */
00168 typedef struct {
00169 
00170  SFGHASH  * sfthd_array [THD_MAX_GENID]; /* Local Hash of THD_ITEM nodes,  lookup by key=sig_id */
00171 
00172  THD_NODE * sfthd_garray[THD_MAX_GENID]; /* Global array of THD_NODE nodes,lookup by key=gen_id  */
00173 
00174  SFXHASH  * ip_nodes;  /* Global hash of active IP's key=THD_IP_NODE_KEY, data=THD_IP_NODE */
00175 
00176  int        count;
00177 
00178  SFXHASH  * ip_gnodes;  /* Global hash of active IP's key=THD_IP_GNODE_KEY, data=THD_IP_GNODE */
00179 
00180  SFXHASH  * supress;    /* Global hash of supressed nodes */
00181 
00182                                          
00183 }THD_STRUCT;
00184 
00185 
00186 /*
00187  * Prototypes 
00188  */
00189 THD_STRUCT * sfthd_new( unsigned nbytes );
00190 
00191 int sfthd_create_threshold( THD_STRUCT * thd,
00192                        unsigned     gen_id,
00193                        unsigned     sig_id,
00194                        int          tracking,
00195                        int          type,
00196                        int          priority,
00197                        int          count,
00198                        int          seconds,
00199                        unsigned     ip_address, 
00200                        unsigned     ip_mask, 
00201                        unsigned     not_flag ); 
00202 
00203 int sfthd_test_threshold( THD_STRUCT * thd,
00204                         unsigned     gen_id,  
00205                         unsigned     sig_id,
00206                         unsigned     sip,   
00207                         unsigned     dip,
00208                         long         curtime ) ;
00209 
00210 int sfthd_show_objects( THD_STRUCT * thd );
00211 
00212 #endif