
spp_portscan.c File Reference

#include <sys/types.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include "rules.h"
#include "log.h"
#include "util.h"
#include "debug.h"
#include "generators.h"
#include "detect.h"
#include "plugbase.h"
#include "parser.h"
#include "mstring.h"
#include "snort.h"

Go to the source code of this file.

Defines

#define MODNAME   "spp_portscan"

Typedefs

typedef enum _scanType ScanType
typedef enum _logLevel LogLevel
typedef struct _connectionInfo ConnectionInfo
typedef struct _destinationInfo DestinationInfo
typedef struct _sourceInfo SourceInfo
typedef struct _scanList ScanList
typedef struct _serverNode ServerNode
typedef struct _CPConfig CPConfig

Enumerations

enum  _scanType {
  sNONE = 0, sUDP = 1, sSYN = 2, sSYNFIN = 4,
  sFIN = 8, sNULL = 16, sXMAS = 32, sFULLXMAS = 64,
  sRESERVEDBITS = 128, sVECNA = 256, sNOACK = 512, sNMAPID = 1024,
  sSPAU = 2048, sINVALIDACK = 4096
}
enum  _logLevel { lNONE = 0, lFILE = 1, lEXTENDED = 2, lPACKET = 4 }
enum  _timeFormat { tLOCAL, tGMT }

Functions

void PortscanInit (u_char *)
void ParsePortscanArgs (u_char *)
void PortscanPreprocFunction (Packet *, void *)
void ExtractHeaderInfo (Packet *, struct in_addr *, struct in_addr *, u_short *, u_short *)
void PortscanIgnoreHostsInit (u_char *)
int NewScan (ScanList *, Packet *, ScanType)
ConnectionInfo * NewConnection (Packet *, ScanType)
ConnectionInfo * AddConnection (ConnectionInfo *, Packet *, ScanType)
DestinationInfo * NewDestination (Packet *, ScanType)
DestinationInfo * AddDestination (DestinationInfo *, Packet *, ScanType)
SourceInfo * NewSource (Packet *, ScanType)
SourceInfo * AddSource (SourceInfo *, Packet *, ScanType)
void ExpireConnections (ScanList *, struct spp_timeval, struct spp_timeval)
void RemoveConnection (ConnectionInfo *)
void RemoveDestination (DestinationInfo *)
void RemoveSource (SourceInfo *)
void ClearConnectionInfoFromSource (SourceInfo *)
void LogScanInfoToSeparateFile (SourceInfo *)
void AlertIntermediateInfo (SourceInfo *)
ScanList * CreateScanList (void)
ScanType CheckTCPFlags (u_char)
int IsServer (Packet *)
IpAddrSet * PortscanAllocAddrNode ()
void PortscanParseIP (char *)
void CreateServerList (u_char *)
IpAddrSet * PortscanIgnoreAllocAddrNode (ServerNode *)
void PortscanIgnoreParseIP (char *, ServerNode *)
void SetupPortscan (void)
void SetupPortscanIgnoreHosts (void)

Variables

ScanList * scanList
ServerNode * serverList
ScanType scansToWatch
CPConfig configdata
IpAddrSet * homeAddr
char homeFlags
spp_timeval maxTime
long maxPorts
LogLevel logLevel
enum _timeFormat timeFormat
FILE * logFile
int packetLogSize
u_int32_t event_id (defined in detect.c, not in this file)


Define Documentation

#define MODNAME   "spp_portscan"
 

Definition at line 59 of file spp_portscan.c.


Typedef Documentation

typedef struct _connectionInfo ConnectionInfo
 

typedef struct _CPConfig CPConfig
 

typedef struct _destinationInfo DestinationInfo
 

typedef enum _logLevel LogLevel
 

typedef struct _scanList ScanList
 

typedef enum _scanType ScanType
 

typedef struct _serverNode ServerNode
 

typedef struct _sourceInfo SourceInfo
 


Enumeration Type Documentation

enum _logLevel
 

Enumeration values:
lNONE 
lFILE 
lEXTENDED 
lPACKET 

Definition at line 95 of file spp_portscan.c.

enum _scanType
 

Enumeration values:
sNONE 
sUDP 
sSYN 
sSYNFIN 
sFIN 
sNULL 
sXMAS 
sFULLXMAS 
sRESERVEDBITS 
sVECNA 
sNOACK 
sNMAPID 
sSPAU 
sINVALIDACK 

Definition at line 87 of file spp_portscan.c.

enum _timeFormat
 

Enumeration values:
tLOCAL 
tGMT 

Definition at line 233 of file spp_portscan.c.


Function Documentation

ConnectionInfo * AddConnection (ConnectionInfo *, Packet *, ScanType)
 

Definition at line 305 of file spp_portscan.c.

References FatalError(), MODNAME, NewConnection(), _connectionInfo::nextNode, and _connectionInfo::prevNode.

Referenced by NewScan().

DestinationInfo * AddDestination (DestinationInfo *, Packet *, ScanType)
 

Definition at line 331 of file spp_portscan.c.

References FatalError(), MODNAME, NewDestination(), _destinationInfo::nextNode, and _destinationInfo::prevNode.

Referenced by NewScan().

SourceInfo * AddSource (SourceInfo *, Packet *, ScanType)
 

Definition at line 389 of file spp_portscan.c.

References FatalError(), MODNAME, NewSource(), _sourceInfo::nextNode, and _sourceInfo::prevNode.

Referenced by NewScan().

void AlertIntermediateInfo (SourceInfo *)
 

Definition at line 1530 of file spp_portscan.c.

References CallAlertFuncs(), _sourceInfo::event_id, GENERATOR_SPP_PORTSCAN, MODNAME, NULL, _sourceInfo::numberOfConnections, _sourceInfo::numberOfDestinations, _sourceInfo::numberOfTCPConnections, _sourceInfo::numberOfUDPConnections, PORTSCAN_INTER_INFO, _sourceInfo::saddr, SetEvent(), and _sourceInfo::stealthScanUsed.

Referenced by PortscanPreprocFunction().

ScanType CheckTCPFlags (u_char)
 

Definition at line 1107 of file spp_portscan.c.

References DEBUG_PLUGIN, DEBUG_WRAP, R_ACK, R_FIN, R_PSH, R_RES1, R_RES2, R_RST, R_SYN, R_URG, sFIN, sFULLXMAS, sINVALIDACK, sNMAPID, sNOACK, sNONE, sNULL, sSPAU, sSYN, sSYNFIN, sVECNA, and sXMAS.

Referenced by PortscanPreprocFunction().

void ClearConnectionInfoFromSource (SourceInfo *)
 

Definition at line 1041 of file spp_portscan.c.

References _destinationInfo::connectionsList, DEBUG_PLUGIN, DEBUG_WRAP, _sourceInfo::destinationsList, MODNAME, _destinationInfo::nextNode, _connectionInfo::nextNode, NULL, _sourceInfo::numberOfConnections, _destinationInfo::numberOfConnections, _sourceInfo::numberOfDestinations, _sourceInfo::numberOfTCPConnections, _sourceInfo::numberOfUDPConnections, RemoveConnection(), RemoveDestination(), _sourceInfo::saddr, _connectionInfo::scanType, and sUDP.

Referenced by PortscanPreprocFunction().

ScanList * CreateScanList (void)
 

Definition at line 797 of file spp_portscan.c.

References _scanList::lastSource, _scanList::listHead, NULL, and _scanList::numberOfSources.

Referenced by PortscanInit().

void CreateServerList (u_char *)
 

Definition at line 1630 of file spp_portscan.c.

References _serverNode::address, DEBUG_PLUGIN, DEBUG_WRAP, FatalError(), file_line, file_name, _IpAddrSet::ip_addr, memset, MODNAME, mSplit(), mSplitFree(), _IpAddrSet::netmask, _serverNode::nextNode, NULL, and PortscanIgnoreParseIP().

Referenced by PortscanIgnoreHostsInit().

void ExpireConnections (ScanList *, struct spp_timeval, struct spp_timeval)
 

Definition at line 492 of file spp_portscan.c.

References _destinationInfo::connectionsList, DEBUG_PLUGIN, DEBUG_WRAP, _sourceInfo::destinationsList, _scanList::listHead, MODNAME, _destinationInfo::nextNode, _connectionInfo::nextNode, _sourceInfo::nextNode, NULL, _destinationInfo::numberOfConnections, _sourceInfo::numberOfConnections, _sourceInfo::numberOfDestinations, _scanList::numberOfSources, _sourceInfo::numberOfTCPConnections, _sourceInfo::numberOfUDPConnections, _destinationInfo::prevNode, _connectionInfo::prevNode, RemoveConnection(), RemoveDestination(), RemoveSource(), _sourceInfo::saddr, _sourceInfo::scanDetected, _connectionInfo::scanType, sUDP, _connectionInfo::timestamp, and spp_timeval::tv_sec.

Referenced by PortscanPreprocFunction().

void ExtractHeaderInfo (Packet *, struct in_addr *, struct in_addr *, u_short *, u_short *)
 

Definition at line 1553 of file spp_portscan.c.

References _Packet::dp, _IPHdr::ip_dst, _IPHdr::ip_src, _Packet::iph, and _Packet::sp.

Referenced by NewScan().

int IsServer (Packet *)
 

Definition at line 1574 of file spp_portscan.c.

References _serverNode::address, ANY_SRC_PORT, CHECK_SRC, CheckAddrPort(), _serverNode::ignoreFlags, _IpAddrSet::ip_addr, _IPHdr::ip_src, _Packet::iph, memset, MODNAME, _IpAddrSet::netmask, and _serverNode::nextNode.

Referenced by PortscanPreprocFunction().

NOTE(review): the ignore-host match keys on the packet's source address only (ip_src via CheckAddrPort() with CHECK_SRC and ANY_SRC_PORT); a source-address-only exemption is presumably satisfiable by a forged source address, so ignore-list entries should be kept to a minimum — confirm against the function body at line 1574.

void LogScanInfoToSeparateFile (SourceInfo *)
 

Definition at line 1381 of file spp_portscan.c.

References _destinationInfo::connectionsList, _destinationInfo::daddr, DEBUG_PLUGIN, DEBUG_WRAP, _sourceInfo::destinationsList, _connectionInfo::dport, logFile, memset, _connectionInfo::nextNode, _destinationInfo::nextNode, _sourceInfo::saddr, _connectionInfo::scanType, sFIN, sFULLXMAS, sINVALIDACK, sNMAPID, sNOACK, sNULL, _connectionInfo::sport, sRESERVEDBITS, sSPAU, sSYN, sSYNFIN, sUDP, sVECNA, sXMAS, _connectionInfo::tcpFlags, timeFormat, _connectionInfo::timestamp, tLOCAL, and spp_timeval::tv_sec.

Referenced by PortscanPreprocFunction().

ConnectionInfo * NewConnection (Packet *, ScanType)
 

Definition at line 245 of file spp_portscan.c.

References CreateTCPFlagString(), _Packet::dp, _connectionInfo::dport, FatalError(), _IPHdr::ip_proto, _Packet::iph, logLevel, lPACKET, MODNAME, _connectionInfo::nextNode, NULL, _Packet::pkth, _connectionInfo::prevNode, _connectionInfo::scanType, _Packet::sp, _connectionInfo::sport, _connectionInfo::tcpFlags, _connectionInfo::timestamp, pcap_pkthdr::ts, spp_timeval::tv_sec, and spp_timeval::tv_usec.

Referenced by AddConnection(), and NewDestination().

DestinationInfo * NewDestination (Packet *, ScanType)
 

Definition at line 317 of file spp_portscan.c.

References _destinationInfo::connectionsList, _destinationInfo::daddr, _IPHdr::ip_dst, _Packet::iph, NewConnection(), _destinationInfo::nextNode, NULL, _destinationInfo::numberOfConnections, and _destinationInfo::prevNode.

Referenced by AddDestination(), NewScan(), and NewSource().

int NewScan (ScanList *, Packet *, ScanType)
 

(The brief description "FUNCTION PROTOTYPES" is a section-header comment from the source that doxygen attached to this function; it does not describe NewScan itself.)

Definition at line 608 of file spp_portscan.c.

References AddConnection(), AddDestination(), AddSource(), _destinationInfo::connectionsList, _destinationInfo::daddr, DEBUG_PLUGIN, DEBUG_WRAP, _sourceInfo::destinationsList, _connectionInfo::dport, ExtractHeaderInfo(), FatalError(), _scanList::lastSource, _scanList::listHead, MODNAME, NewDestination(), NewSource(), _sourceInfo::nextNode, _destinationInfo::nextNode, _connectionInfo::nextNode, NULL, _destinationInfo::numberOfConnections, _sourceInfo::numberOfConnections, _sourceInfo::numberOfDestinations, _scanList::numberOfSources, _sourceInfo::numberOfTCPConnections, _sourceInfo::numberOfUDPConnections, _Packet::pkth, _sourceInfo::saddr, _connectionInfo::scanType, _connectionInfo::sport, sUDP, _connectionInfo::timestamp, _sourceInfo::totalNumberOfDestinations, pcap_pkthdr::ts, spp_timeval::tv_sec, and spp_timeval::tv_usec.

Referenced by PortscanPreprocFunction().

SourceInfo * NewSource (Packet *, ScanType)
 

Definition at line 343 of file spp_portscan.c.

References DEBUG_PLUGIN, DEBUG_WRAP, _sourceInfo::destinationsList, _sourceInfo::firstPacketTime, _IPHdr::ip_src, _Packet::iph, _sourceInfo::lastPacketTime, MODNAME, NewDestination(), _sourceInfo::nextNode, NULL, _sourceInfo::numberOfConnections, _sourceInfo::numberOfDestinations, _sourceInfo::numberOfTCPConnections, _sourceInfo::numberOfUDPConnections, _Packet::pkth, _sourceInfo::prevNode, _sourceInfo::reportStealth, _sourceInfo::saddr, _sourceInfo::scanDetected, _sourceInfo::stealthScanUsed, sUDP, _sourceInfo::totalNumberOfDestinations, _sourceInfo::totalNumberOfTCPConnections, _sourceInfo::totalNumberOfUDPConnections, pcap_pkthdr::ts, spp_timeval::tv_sec, and spp_timeval::tv_usec.

Referenced by AddSource(), and NewScan().

void ParsePortscanArgs (u_char *)
 

Definition at line 1233 of file spp_portscan.c.

References DEBUG_PLUGIN, DEBUG_WRAP, FatalError(), file_line, file_name, lEXTENDED, lFILE, lNONE, _progvars::log_dir, logFile, logLevel, maxPorts, MODNAME, mSplit(), mSplitFree(), packetLogSize, PortscanParseIP(), pv, _progvars::quiet_flag, scansToWatch, sRESERVEDBITS, sUDP, tGMT, timeFormat, tLOCAL, spp_timeval::tv_sec, spp_timeval::tv_usec, and _progvars::use_utc.

Referenced by PortscanInit().

IpAddrSet * PortscanAllocAddrNode ()
 

Definition at line 1794 of file spp_portscan.c.

References FatalError(), _IpAddrSet::next, and NULL.

Referenced by PortscanParseIP().

IpAddrSet * PortscanIgnoreAllocAddrNode (ServerNode *)
 

Definition at line 1831 of file spp_portscan.c.

References _serverNode::address, FatalError(), _IpAddrSet::next, and NULL.

Referenced by PortscanIgnoreParseIP().

void PortscanIgnoreHostsInit (u_char *)
 

Definition at line 1619 of file spp_portscan.c.

References CreateServerList().

Referenced by SetupPortscanIgnoreHosts().

void PortscanIgnoreParseIP (char *, ServerNode *)
 

Definition at line 1737 of file spp_portscan.c.

References FatalError(), file_line, file_name, mSplit(), mSplitFree(), NULL, ParseIP(), PortscanIgnoreAllocAddrNode(), and VarGet().

Referenced by CreateServerList().

void PortscanInit (u_char *)
 

Definition at line 1090 of file spp_portscan.c.

References AddFuncToPreprocList(), CreateScanList(), LogMessage(), NULL, ParsePortscanArgs(), and PortscanPreprocFunction().

Referenced by SetupPortscan(), and SetupPsng().

void PortscanParseIP (char *)
 

Definition at line 1687 of file spp_portscan.c.

References EXCEPT_DST_IP, FatalError(), file_line, file_name, homeFlags, mSplit(), mSplitFree(), NULL, ParseIP(), PortscanAllocAddrNode(), and VarGet().

Referenced by ParsePortscanArgs().

void PortscanPreprocFunction (Packet *, void *)
 

Definition at line 810 of file spp_portscan.c.

References _progvars::alert_interface_flag, AlertIntermediateInfo(), ANY_DST_PORT, CallAlertFuncs(), CHECK_DST, CheckAddrPort(), CheckTCPFlags(), ClearConnectionInfoFromSource(), DEBUG_PLUGIN, DEBUG_WRAP, _Packet::dp, event_id, _sourceInfo::event_id, ExpireConnections(), _sourceInfo::firstPacketTime, GENERATOR_SPP_PORTSCAN, homeFlags, _progvars::interface, _IPHdr::ip_proto, _Packet::iph, IsServer(), _sourceInfo::lastPacketTime, _scanList::lastSource, lEXTENDED, lFILE, _scanList::listHead, logLevel, LogScanInfoToSeparateFile(), maxPorts, MODNAME, NewScan(), _sourceInfo::nextNode, NULL, _sourceInfo::numberOfConnections, _sourceInfo::numberOfTCPConnections, _sourceInfo::numberOfUDPConnections, _Packet::packet_flags, PKT_REBUILT_STREAM, _Packet::pkth, PORTSCAN_SCAN_DETECT, PORTSCAN_SCAN_END, PP_PORTSCAN, _Packet::preprocessors, PRINT_INTERFACE, pv, _sourceInfo::reportStealth, _sourceInfo::reportTime, _sourceInfo::saddr, _sourceInfo::scanDetected, scansToWatch, SetEvent(), sRESERVEDBITS, sSYN, _sourceInfo::stealthScanUsed, sUDP, _Packet::tcph, _TCPHdr::th_flags, _sourceInfo::totalNumberOfDestinations, _sourceInfo::totalNumberOfTCPConnections, _sourceInfo::totalNumberOfUDPConnections, pcap_pkthdr::ts, spp_timeval::tv_sec, and spp_timeval::tv_usec.

Referenced by PortscanInit().

void RemoveConnection (ConnectionInfo *)
 

Definition at line 401 of file spp_portscan.c.

References _connectionInfo::nextNode, NULL, and _connectionInfo::prevNode.

Referenced by ClearConnectionInfoFromSource(), and ExpireConnections().

void RemoveDestination (DestinationInfo *)
 

Definition at line 430 of file spp_portscan.c.

References _destinationInfo::nextNode, NULL, and _destinationInfo::prevNode.

Referenced by ClearConnectionInfoFromSource(), and ExpireConnections().

void RemoveSource (SourceInfo *)
 

Definition at line 459 of file spp_portscan.c.

References _sourceInfo::nextNode, NULL, and _sourceInfo::prevNode.

Referenced by ExpireConnections().

void SetupPortscan (void)
 

Definition at line 1084 of file spp_portscan.c.

References PortscanInit(), and RegisterPreprocessor().

Referenced by InitPreprocessors().

void SetupPortscanIgnoreHosts (void)
 

Definition at line 1613 of file spp_portscan.c.

References PortscanIgnoreHostsInit(), and RegisterPreprocessor().

Referenced by InitPreprocessors().


Variable Documentation

CPConfig configdata
 

Definition at line 225 of file spp_portscan.c.

u_int32_t event_id
 

Definition at line 99 of file detect.c (an external global, not owned by this preprocessor).

Referenced by PortscanPreprocFunction().

IpAddrSet* homeAddr
 

Definition at line 228 of file spp_portscan.c.

char homeFlags
 

Definition at line 229 of file spp_portscan.c.

Referenced by PortscanParseIP(), and PortscanPreprocFunction().

FILE* logFile
 

Definition at line 237 of file spp_portscan.c.

Referenced by LogScanInfoToSeparateFile(), and ParsePortscanArgs().

LogLevel logLevel
 

Definition at line 232 of file spp_portscan.c.

Referenced by NewConnection(), ParsePortscanArgs(), and PortscanPreprocFunction().

long maxPorts
 

Definition at line 231 of file spp_portscan.c.

Referenced by ParsePortscanArgs(), and PortscanPreprocFunction().

struct spp_timeval maxTime
 

Definition at line 230 of file spp_portscan.c.

int packetLogSize
 

Definition at line 238 of file spp_portscan.c.

Referenced by ParsePortscanArgs().

ScanList* scanList
 

Definition at line 222 of file spp_portscan.c.

ScanType scansToWatch
 

Definition at line 224 of file spp_portscan.c.

Referenced by ParsePortscanArgs(), and PortscanPreprocFunction().

ServerNode* serverList
 

Definition at line 223 of file spp_portscan.c.

enum _timeFormat timeFormat
 

Referenced by LogScanInfoToSeparateFile(), and ParsePortscanArgs().

