#include "flowps.h"#include "scoreboard.h"#include "unique_tracker.h"#include "server_stats.h"#include "packet_time.h"#include "util_net.h"Go to the source code of this file.
Defines | |
| #define | TH_FIN 0x01 |
| #define | TH_SYN 0x02 |
| #define | TH_RST 0x04 |
| #define | TH_PUSH 0x08 |
| #define | TH_ACK 0x10 |
| #define | TH_URG 0x20 |
| #define | TH_RES2 0x40 |
| #define | TH_RES1 0x80 |
| #define | FLOWPS_NC 1000000 |
Functions | |
| int | flowps_mkthreshold (SCORE_THRESHOLD *thr, int fixed_size, u_int32_t fixed_limit, int sliding_size, u_int32_t sliding_limit, float window_scale) |
| int | flowps_mkconfig (PS_CONFIG *configp, int sb_memcap_talker, int sb_rows_talker, int sb_memcap_scanner, int sb_rows_scanner, int ut_memcap, int ut_rows, int server_memcap, int server_rows, int server_learning_time, int tcp_penalties, u_int32_t server_ignore_limit, u_int32_t server_scanner_limit, int base_score, int alert_once, FLOWPS_OUTPUT output_mode) |
| int | flowps_server_stats_enabled (PS_TRACKER *trackerp) |
| int | flowps_server_watch (PS_TRACKER *trackerp, u_int32_t address) |
| int | flowps_init (PS_TRACKER *trackerp, PS_CONFIG *configp) |
| int | flowps_destroy (PS_TRACKER *trackerp) |
| static INLINE void | flowps_reset_alert_flags (u_int32_t type, u_int32_t *alert_flags, u_int32_t *score) |
| int | flowps_score_entry (PS_TRACKER *pstp, SCORE_ENTRY *sep, int score, TRACKER_POSITION tr_pos, int alert_once, u_int32_t *alert_flags) |
| int | flowps_find_entry (PS_TRACKER *trackerp, u_int32_t *address, SCORE_ENTRY **sepp) |
| int | flowps_add_entry (PS_TRACKER *trackerp, TRACKER_POSITION position, u_int32_t *address, SCORE_ENTRY **sepp) |
| int | flowps_score_print (PS_SCORE *ps_score) |
| int | flowps_entry_print (SCORE_ENTRY *entry, u_int32_t *address) |
| void | flowps_stats (PS_TRACKER *pstp) |
| static INLINE void | flowps_tcp_penalty (u_int32_t flags, int base_score, int *score) |
| int | flowps_get_score (PS_TRACKER *pstp, FLOW *flowp, time_t cur, u_int32_t flags, int *score, TRACKER_POSITION *type) |
| int | flowps_fixed_winadj (PS_SCORE *pscp, time_t current_time, SCORE_THRESHOLD *threshold) |
| int | flowps_sliding_winadj (PS_SCORE *pscp, time_t current_time, SCORE_THRESHOLD *threshold) |
| int | flowps_set_last_address (SCORE_ENTRY *sep, FLOW *flowp, u_int8_t cflags) |
| int | flowps_enabled (void) |
| int | flowps_is_ignored_ipv4 (PS_TRACKER *pstp, u_int32_t *sip, u_int32_t *dip) |
Variables | |
| static int | s_debug = 0 |
| static int | s_enabled = 0 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||||||||||||||||
|
Register a new node in the portscan tracker. This does not enforce that a node can only be in one table at a time to avoid the 2 extra searching operations. All uses of this should be done after performing a find to make sure the trackers do not already exist.
Definition at line 426 of file flowps.c. References FLOW_SUCCESS, scoreboard_add(), _PS_TRACKER::table_active, _PS_TRACKER::table_scanner, and TRACKER_ACTIVE. Referenced by flowps_newflow_callback(). |
|
|
Definition at line 239 of file flowps.c. References FLOW_ENULL, FLOW_SUCCESS, scoreboard_destroy(), _PS_TRACKER::table_active, _PS_TRACKER::table_scanner, _PS_TRACKER::unique_tracker, and ut_destroy(). Referenced by FlowPSCleanExit(). |
|
|
see if flowps is turned on
Definition at line 871 of file flowps.c. References s_enabled. Referenced by flowps_newflow_callback(). |
|
||||||||||||
|
||||||||||||||||
|
find the trackers in the table Currently, it first looks it up in the active table and then the scanner table
Definition at line 382 of file flowps.c. References FLOW_ENULL, FLOW_NOTFOUND, scoreboard_find(), _PS_TRACKER::table_active, and _PS_TRACKER::table_scanner. Referenced by flowps_newflow_callback(). |
|
||||||||||||||||
|
Expire a fixed scale PS_SCORE
Definition at line 729 of file flowps.c. References _PS_SCORE::ends, _SCORE_THRESHOLD::fixed_size, FLOW_SUCCESS, _PS_SCORE::score, and _PS_SCORE::start. Referenced by flowps_newflow_callback(). |
|
||||||||||||||||||||||||||||
|
Get the score and the type of connection this is If the score is 0, this is an already existing connection and can be successfully ignored.
Definition at line 600 of file flowps.c. References _PS_CONFIG::base_score, _PS_TRACKER::config, FLOW_ENULL, flow_printf(), FLOW_SUCCESS, flowps_server_watch(), flowps_tcp_penalty(), _FLOW::key, packet_first_time(), _FLOWKEY::protocol, _FLOWKEY::resp_address, _FLOWKEY::resp_port, s_debug, _PS_CONFIG::server_ignore_limit, _PS_CONFIG::server_learning_time, _PS_CONFIG::server_scanner_limit, _PS_TRACKER::server_stats, server_stats_add_ipv4(), server_stats_hitcount_ipv4(), _PS_CONFIG::tcp_penalties, TRACKER_SCANNER, _PS_TRACKER::unique_tracker, ut_check(), and UT_OLD. Referenced by flowps_newflow_callback(). |
|
||||||||||||
|
initialize the Portscan Tracker. This takes several arguments, all, on the PS_CONFIG structure.
Definition at line 174 of file flowps.c. References _PS_TRACKER::config, FLOW_ENULL, FLOW_SUCCESS, flowps_server_stats_enabled(), memcpy, s_enabled, _PS_CONFIG::sb_memcap_scanner, _PS_CONFIG::sb_memcap_talker, _PS_CONFIG::sb_rows_scanner, _PS_CONFIG::sb_rows_talker, scoreboard_destroy(), scoreboard_init(), _PS_CONFIG::server_memcap, _PS_CONFIG::server_rows, _PS_TRACKER::server_stats, server_stats_init(), _PS_CONFIG::server_watchnet_ipv4, _PS_TRACKER::table_active, _PS_TRACKER::table_scanner, TRACKER_ACTIVE, TRACKER_SCANNER, _PS_TRACKER::unique_tracker, ut_destroy(), ut_init(), _PS_CONFIG::ut_memcap, and _PS_CONFIG::ut_rows. Referenced by FlowPSInit(). |
|
||||||||||||||||
|
Check to see if this IPv4 Address should be ignored by the portscan tracker. This checks both the src and dst lists.
Definition at line 889 of file flowps.c. References _PS_TRACKER::config, _PS_CONFIG::dst_ignore_ipv4, FLOW_DISABLED, FLOW_ENULL, FLOW_SUCCESS, ipset_contains(), IPV4_FAMILY, and _PS_CONFIG::src_ignore_ipv4. Referenced by flowps_newflow_callback(). |
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Initialize the configuration structure and set everything to 0
Definition at line 80 of file flowps.c. References _PS_CONFIG::alert_once, _PS_CONFIG::base_score, _PS_CONFIG::dumpall, FLOW_ENULL, FLOW_SUCCESS, memset, _PS_CONFIG::output_mode, _PS_CONFIG::sb_memcap_scanner, _PS_CONFIG::sb_memcap_talker, _PS_CONFIG::sb_memcap_total, _PS_CONFIG::sb_rows_scanner, _PS_CONFIG::sb_rows_talker, _PS_CONFIG::server_ignore_limit, _PS_CONFIG::server_learning_time, _PS_CONFIG::server_memcap, _PS_CONFIG::server_rows, _PS_CONFIG::server_scanner_limit, _PS_CONFIG::tcp_penalties, _PS_CONFIG::ut_memcap, and _PS_CONFIG::ut_rows. Referenced by FlowPSSetDefaults(). |
|
||||||||||||||||||||||||||||
|
Setup a SCORE_THRESHOLD object. This contains the limits and window sizes that will be used each time we evaluate a SCORE_ENTRY from one of the scoreboards.
Definition at line 50 of file flowps.c. References _SCORE_THRESHOLD::fixed, _SCORE_THRESHOLD::fixed_size, FLOW_ENULL, FLOW_SUCCESS, _SCORE_THRESHOLD::sliding, _SCORE_THRESHOLD::sliding_size, and _SCORE_THRESHOLD::window_scale. Referenced by FlowPSSetDefaults(). |
|
||||||||||||||||
|
Reset a single flag in the alert_flags entry if the score is 0
Definition at line 258 of file flowps.c. Referenced by flowps_score_entry(). |
|
||||||||||||||||||||||||||||
|
Evaluate the score on an entry, generating alerts if needed.
Definition at line 281 of file flowps.c. References ALERT_FIXED_SCANNER, ALERT_FIXED_TALKER, ALERT_SLIDING_SCANNER, ALERT_SLIDING_TALKER, _PS_TRACKER::config, _SCORE_THRESHOLD::fixed, _PS_SCORE_ENTRY::fixed_scanner, _PS_SCORE_ENTRY::fixed_talker, _PS_SCORE_ENTRY::flags, FLOW_ENULL, FLOW_SUCCESS, FLOWASSERT, flowps_reset_alert_flags(), _PS_CONFIG::limit_scanner, _PS_CONFIG::limit_talker, _PS_SCORE::score, _SCORE_THRESHOLD::sliding, _PS_SCORE_ENTRY::sliding_scanner, _PS_SCORE_ENTRY::sliding_talker, TRACKER_ACTIVE, and TRACKER_SCANNER. Referenced by flowps_newflow_callback(). |
|
|
Printout a score entry
Definition at line 458 of file flowps.c. References _PS_SCORE::ends, flow_printf(), FLOW_SUCCESS, _PS_SCORE::score, and _PS_SCORE::start. Referenced by flowps_entry_print(). |
|
|
Determine if the server stats feature is enabled
Definition at line 134 of file flowps.c. References _PS_TRACKER::config, FLOW_DISABLED, FLOW_SUCCESS, and _PS_CONFIG::server_watchnet_ipv4. Referenced by flowps_init(), and FlowPSOutputConfig(). |
|
||||||||||||
|
Determine if server stats is enabled for this particular IP address.
Definition at line 150 of file flowps.c. References _PS_TRACKER::config, FLOW_DISABLED, FLOW_SUCCESS, FLOWASSERT, NULL, _PS_TRACKER::server_stats, server_stats_contains(), and _PS_CONFIG::server_watchnet_ipv4. Referenced by flowps_get_score(). |
|
||||||||||||||||
|
Maintain the ring buffer of most recent connections
Definition at line 839 of file flowps.c. References _CONN_ENTRY::cflags, _PS_SCORE_ENTRY::connections_seen, FLOW_SUCCESS, FLOWPS_HOSTS_SIZE, _CONN_ENTRY::ip, _FLOW::key, _PS_SCORE_ENTRY::last_hosts, _PS_SCORE_ENTRY::last_idx, _CONN_ENTRY::port, _CONN_ENTRY::protocol, _FLOWKEY::protocol, _FLOWKEY::resp_address, and _FLOWKEY::resp_port. Referenced by flowps_newflow_callback(). |
|
||||||||||||||||
|
Expire a sliding scale PS_SCORE considerably more complicated than the fixed time window stuff. This really should be simplified.
Definition at line 756 of file flowps.c. References _PS_SCORE::ends, FLOW_SUCCESS, _PS_SCORE::score, _SCORE_THRESHOLD::sliding_size, _PS_SCORE::start, and _SCORE_THRESHOLD::window_scale. Referenced by flowps_newflow_callback(). |
|
|
Definition at line 531 of file flowps.c. References _PS_TRACKER::config, _PS_CONFIG::dumpall, flow_printf(), scoreboard_stats(), server_stats(), _PS_TRACKER::server_stats, _PS_TRACKER::table_active, _PS_TRACKER::table_scanner, _PS_TRACKER::unique_tracker, and ut_stats(). Referenced by FlowPSCleanExit(). |
|
||||||||||||||||
|
Assign TCP penalty points have an optional penalty for odd flags combinations on TCP -- this should probably promote people to the TRACKER_SCANNER table as well. Perhaps we should extend this to non-common ICMP errors as well. S,12 & SYN are the 1 ptrs. XMAS w/ ACK is a 5 ptr SF+ is a 3 ptr.
Definition at line 563 of file flowps.c. References TH_ACK, TH_FIN, TH_RES1, TH_RES2, and TH_SYN. Referenced by flowps_get_score(). |
|
|
|
|
|
Definition at line 33 of file flowps.c. Referenced by flowps_enabled(), flowps_init(), ParseThreshold2(), ProcessThresholdOptions(), sfthreshold_create(), sfthreshold_init(), and sfthreshold_test(). |
1.4.2