portscan.c File Reference

#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include "portscan.h"
#include "decode.h"
#include "packet_time.h"
#include "sfxhash.h"
#include "ipobj.h"
#include "flow.h"

Go to the source code of this file.

Typedefs
typedef s_PS_INIT	PS_INIT
typedef s_PS_HASH_KEY	PS_HASH_KEY
typedef s_PS_ALERT_CONF	PS_ALERT_CONF
Functions
static int	ps_tracker_free (void *key, void *data)
int	ps_init (int detect_scans, int detect_scan_type, int sense_level, IPSET *scanner, IPSET *scanned, IPSET *watch, int memcap)
static int	ps_ignore_ip (unsigned long scanner, unsigned long scanned)
static int	ps_filter_ignore (PS_PKT *ps_pkt)
static int	ps_tracker_init (PS_TRACKER *tracker)
static int	ps_tracker_get (PS_TRACKER **ht, PS_HASH_KEY *key)
static int	ps_tracker_lookup (PS_PKT *ps_pkt, PS_TRACKER **scanner, PS_TRACKER **scanned)
static int	ps_get_proto_index (PS_PKT *ps_pkt, int *proto_index, int *proto)
static int	ps_proto_update_window (PS_PROTO *proto, time_t pkt_time)
static int	ps_proto_update (PS_PROTO *proto, int ps_cnt, int pri_cnt, u_long ip, u_short port, time_t pkt_time)
static int	ps_update_open_ports (PS_PROTO *proto, unsigned short port)
static int	ps_tracker_update_tcp (PS_PKT *ps_pkt, PS_TRACKER *scanner, PS_TRACKER *scanned, int proto_idx)
static int	ps_tracker_update_ip (PS_PKT *ps_pkt, PS_TRACKER *scanner, PS_TRACKER *scanned, int proto_idx)
static int	ps_tracker_update_udp (PS_PKT *ps_pkt, PS_TRACKER *scanner, PS_TRACKER *scanned, int proto_idx)
static int	ps_tracker_update_icmp (PS_PKT *ps_pkt, PS_TRACKER *scanner, PS_TRACKER *scanned, int proto_idx)
static int	ps_tracker_update (PS_PKT *ps_pkt, PS_TRACKER *scanner, PS_TRACKER *scanned)
static int	ps_alert_one_to_one (PS_PROTO *scanner, PS_PROTO *scanned, PS_ALERT_CONF *conf)
static int	ps_alert_one_to_one_decoy (PS_PROTO *scanner, PS_PROTO *scanned, PS_ALERT_CONF *conf)
static int	ps_alert_many_to_one (PS_PROTO *scanner, PS_PROTO *scanned, PS_ALERT_CONF *conf)
static int	ps_alert_one_to_many (PS_PROTO *scanner, PS_PROTO *scanned, PS_ALERT_CONF *conf)
static int	ps_alert_tcp (PS_PROTO *scanner, PS_PROTO *scanned)
static int	ps_alert_ip (PS_PROTO *scanner, PS_PROTO *scanned)
static int	ps_alert_udp (PS_PROTO *scanner, PS_PROTO *scanned)
static int	ps_alert_icmp (PS_PROTO *scanner, PS_PROTO *scanned)
static int	ps_tracker_alert (PS_PKT *ps_pkt, PS_TRACKER *scanner, PS_TRACKER *scanned)
int	ps_detect (PS_PKT *p)
static void	ps_proto_print (PS_PROTO *proto)
void	ps_tracker_print (PS_TRACKER *ps_tracker)
Variables
static int	g_ps_tracker_size
static PS_INIT	g_ps_init
static SFXHASH *	g_hash
int	g_include_midstream
static PS_ALERT_CONF	g_tcp_low_ps = {0,5,25,5}
static PS_ALERT_CONF	g_tcp_low_decoy_ps = {0,15,50,30}
static PS_ALERT_CONF	g_tcp_low_sweep = {0,5,5,15}
static PS_ALERT_CONF	g_tcp_low_dist_ps = {0,15,50,15}
static PS_ALERT_CONF	g_tcp_med_ps = {200,10,60,15}
static PS_ALERT_CONF	g_tcp_med_decoy_ps = {200,30,120,60}
static PS_ALERT_CONF	g_tcp_med_sweep = {30,7,7,10}
static PS_ALERT_CONF	g_tcp_med_dist_ps = {200,30,120,30}
static PS_ALERT_CONF	g_tcp_hi_ps = {200,5,100,10}
static PS_ALERT_CONF	g_tcp_hi_decoy_ps = {200,7,200,60}
static PS_ALERT_CONF	g_tcp_hi_sweep = {30,3,3,10}
static PS_ALERT_CONF	g_tcp_hi_dist_ps = {200,5,200,10}
static PS_ALERT_CONF	g_udp_low_ps = {0,5,25,5}
static PS_ALERT_CONF	g_udp_low_decoy_ps = {0,15,50,30}
static PS_ALERT_CONF	g_udp_low_sweep = {0,5,5,15}
static PS_ALERT_CONF	g_udp_low_dist_ps = {0,15,50,15}
static PS_ALERT_CONF	g_udp_med_ps = {200,10,60,15}
static PS_ALERT_CONF	g_udp_med_decoy_ps = {200,30,120,60}
static PS_ALERT_CONF	g_udp_med_sweep = {30,5,5,20}
static PS_ALERT_CONF	g_udp_med_dist_ps = {200,30,120,30}
static PS_ALERT_CONF	g_udp_hi_ps = {200,3,100,10}
static PS_ALERT_CONF	g_udp_hi_decoy_ps = {200,7,200,60}
static PS_ALERT_CONF	g_udp_hi_sweep = {30,3,3,10}
static PS_ALERT_CONF	g_udp_hi_dist_ps = {200,3,200,10}
static PS_ALERT_CONF	g_ip_low_ps = {0,10,10,50}
static PS_ALERT_CONF	g_ip_low_decoy_ps = {0,40,50,25}
static PS_ALERT_CONF	g_ip_low_sweep = {0,10,10,10}
static PS_ALERT_CONF	g_ip_low_dist_ps = {0,15,25,50}
static PS_ALERT_CONF	g_ip_med_ps = {200,10,10,50}
static PS_ALERT_CONF	g_ip_med_decoy_ps = {200,40,50,25}
static PS_ALERT_CONF	g_ip_med_sweep = {30,10,10,10}
static PS_ALERT_CONF	g_ip_med_dist_ps = {200,15,25,50}
static PS_ALERT_CONF	g_ip_hi_ps = {200,3,3,10}
static PS_ALERT_CONF	g_ip_hi_decoy_ps = {200,7,15,5}
static PS_ALERT_CONF	g_ip_hi_sweep = {30,3,3,7}
static PS_ALERT_CONF	g_ip_hi_dist_ps = {200,3,11,10}
static PS_ALERT_CONF	g_icmp_low_sweep = {0,5,5,5}
static PS_ALERT_CONF	g_icmp_med_sweep = {20,5,5,5}
static PS_ALERT_CONF	g_icmp_hi_sweep = {10,3,3,5}

---

Typedef Documentation

typedef struct s_PS_ALERT_CONF PS_ALERT_CONF

typedef struct s_PS_HASH_KEY PS_HASH_KEY

typedef struct s_PS_INIT PS_INIT

---

Function Documentation

static int ps_alert_icmp (  PS_PROTO *  scanner, PS_PROTO *  scanned )  [static]

Definition at line 1606 of file portscan.c. References s_PS_INIT::detect_scan_type, ps_alert_one_to_many(), PS_SENSE_HIGH, PS_SENSE_LOW, PS_SENSE_MEDIUM, PS_TYPE_PORTSWEEP, and s_PS_INIT::sense_level. Referenced by ps_tracker_alert().

static int ps_alert_ip (  PS_PROTO *  scanner, PS_PROTO *  scanned )  [static]

Definition at line 1464 of file portscan.c. References s_PS_INIT::detect_scan_type, ps_alert_many_to_one(), ps_alert_one_to_many(), ps_alert_one_to_one(), ps_alert_one_to_one_decoy(), PS_SENSE_HIGH, PS_SENSE_LOW, PS_SENSE_MEDIUM, PS_TYPE_DECOYSCAN, PS_TYPE_DISTPORTSCAN, PS_TYPE_PORTSCAN, PS_TYPE_PORTSWEEP, and s_PS_INIT::sense_level. Referenced by ps_tracker_alert().

static int ps_alert_many_to_one (  PS_PROTO *  scanner, PS_PROTO *  scanned, PS_ALERT_CONF *  conf )  [static]

Definition at line 1325 of file portscan.c. References s_PS_PROTO::alerts, s_PS_ALERT_CONF::connection_count, s_PS_PROTO::connection_count, s_PS_ALERT_CONF::priority_count, s_PS_PROTO::priority_count, PS_ALERT_DISTRIBUTED, PS_ALERT_DISTRIBUTED_FILTERED, s_PS_ALERT_CONF::u_ip_count, s_PS_PROTO::u_ip_count, s_PS_ALERT_CONF::u_port_count, and s_PS_PROTO::u_port_count. Referenced by ps_alert_ip(), ps_alert_tcp(), and ps_alert_udp().

static int ps_alert_one_to_many (  PS_PROTO *  scanner, PS_PROTO *  scanned, PS_ALERT_CONF *  conf )  [static]

Definition at line 1359 of file portscan.c. References s_PS_PROTO::alerts, s_PS_ALERT_CONF::connection_count, s_PS_PROTO::connection_count, s_PS_ALERT_CONF::priority_count, s_PS_PROTO::priority_count, PS_ALERT_PORTSWEEP, PS_ALERT_PORTSWEEP_FILTERED, s_PS_ALERT_CONF::u_ip_count, s_PS_PROTO::u_ip_count, s_PS_ALERT_CONF::u_port_count, and s_PS_PROTO::u_port_count. Referenced by ps_alert_icmp(), ps_alert_ip(), ps_alert_tcp(), and ps_alert_udp().

static int ps_alert_one_to_one (  PS_PROTO *  scanner, PS_PROTO *  scanned, PS_ALERT_CONF *  conf )  [static]

Definition at line 1235 of file portscan.c. References s_PS_PROTO::alerts, s_PS_ALERT_CONF::connection_count, s_PS_PROTO::connection_count, s_PS_ALERT_CONF::priority_count, s_PS_PROTO::priority_count, PS_ALERT_ONE_TO_ONE, PS_ALERT_ONE_TO_ONE_FILTERED, s_PS_ALERT_CONF::u_ip_count, s_PS_PROTO::u_ip_count, s_PS_ALERT_CONF::u_port_count, and s_PS_PROTO::u_port_count. Referenced by ps_alert_ip(), ps_alert_tcp(), and ps_alert_udp().

static int ps_alert_one_to_one_decoy (  PS_PROTO *  scanner, PS_PROTO *  scanned, PS_ALERT_CONF *  conf )  [static]

Definition at line 1291 of file portscan.c. References s_PS_PROTO::alerts, s_PS_ALERT_CONF::connection_count, s_PS_PROTO::connection_count, s_PS_ALERT_CONF::priority_count, s_PS_PROTO::priority_count, PS_ALERT_ONE_TO_ONE_DECOY, PS_ALERT_ONE_TO_ONE_DECOY_FILTERED, s_PS_ALERT_CONF::u_ip_count, s_PS_PROTO::u_ip_count, s_PS_ALERT_CONF::u_port_count, and s_PS_PROTO::u_port_count. Referenced by ps_alert_ip(), ps_alert_tcp(), and ps_alert_udp().

static int ps_alert_tcp (  PS_PROTO *  scanner, PS_PROTO *  scanned )  [static]

Definition at line 1393 of file portscan.c. References s_PS_INIT::detect_scan_type, ps_alert_many_to_one(), ps_alert_one_to_many(), ps_alert_one_to_one(), ps_alert_one_to_one_decoy(), PS_SENSE_HIGH, PS_SENSE_LOW, PS_SENSE_MEDIUM, PS_TYPE_DECOYSCAN, PS_TYPE_DISTPORTSCAN, PS_TYPE_PORTSCAN, PS_TYPE_PORTSWEEP, and s_PS_INIT::sense_level. Referenced by ps_tracker_alert().

static int ps_alert_udp (  PS_PROTO *  scanner, PS_PROTO *  scanned )  [static]

Definition at line 1535 of file portscan.c. References s_PS_INIT::detect_scan_type, ps_alert_many_to_one(), ps_alert_one_to_many(), ps_alert_one_to_one(), ps_alert_one_to_one_decoy(), PS_SENSE_HIGH, PS_SENSE_LOW, PS_SENSE_MEDIUM, PS_TYPE_DECOYSCAN, PS_TYPE_DISTPORTSCAN, PS_TYPE_PORTSCAN, PS_TYPE_PORTSWEEP, and s_PS_INIT::sense_level. Referenced by ps_tracker_alert().

int ps_detect (  PS_PKT *  p  )

The design of portscan is as follows: Filter Packet. Is the packet part of the ignore or watch list? Is the packet part of an established TCP session (we ignore it)? Tracker Lookup. We lookup trackers for src and dst if either is in the watch list, or not in the ignore list if there is no watch list. If there is not tracker, we create a new one and keep track, both of the scanned host and the scanning host. Tracker Update. We update the tracker using the incoming packet. If the update causes a portscan alert, then we move into the log alert phase. Tracker Evaluate. Generate an alert from the updated tracker. We decide whether we are logging a portscan or sweep (based on the scanning or scanned host, we decide which is more relevant). Definition at line 1722 of file portscan.c. References NULL, s_PS_PKT::pkt, ps_filter_ignore(), ps_tracker_alert(), ps_tracker_lookup(), ps_tracker_update(), s_PS_PKT::scanned, and s_PS_PKT::scanner. Referenced by PortscanDetect().

static int ps_filter_ignore (  PS_PKT *  ps_pkt  )  [static]

Check the incoming packet to decide whether portscan detection cares about this packet. We try to ignore as many packets as possible. Definition at line 324 of file portscan.c. References s_PS_INIT::detect_scans, _FLOWSTATS::direction, _Packet::flow, flow, FROM_RESPONDER, ICMP_DEST_UNREACH, _Packet::icmph, _IPHdr::ip_dst, _IPHdr::ip_src, _Packet::iph, ipset_contains(), IPV4_FAMILY, _Packet::packet_flags, s_PS_PKT::pkt, PKT_FROM_SERVER, PKT_STREAM_EST, PKT_STREAM_TWH, ps_ignore_ip(), PS_PROTO_ICMP, PS_PROTO_IP, PS_PROTO_TCP, PS_PROTO_UDP, s_PS_PKT::reverse_pkt, _FLOW::stats, _Packet::tcph, _TCPHdr::th_flags, TH_RST, _ICMPHdr::type, _Packet::udph, and s_PS_INIT::watch_ip. Referenced by ps_detect().

static int ps_get_proto_index (  PS_PKT *  ps_pkt, int *  proto_index, int *  proto )  [static]

This logic finds the index to the proto array based on the portscan configuration. We need special logic because the index of the protocol changes based on the configuration. Definition at line 552 of file portscan.c. References _ICMPHdr::code, s_PS_INIT::detect_scans, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, ICMP_PROT_UNREACH, _Packet::icmph, _Packet::iph, _Packet::orig_tcph, _Packet::orig_udph, s_PS_PKT::pkt, PS_PROTO_ICMP, PS_PROTO_IP, PS_PROTO_TCP, PS_PROTO_UDP, _Packet::tcph, _ICMPHdr::type, and _Packet::udph. Referenced by ps_tracker_update().

static int ps_ignore_ip (  unsigned long  scanner, unsigned long  scanned )  [static]

Check scanner and scanned ips to see if we can filter them out. Definition at line 299 of file portscan.c. References s_PS_INIT::ignore_scanned, s_PS_INIT::ignore_scanners, ipset_contains(), and IPV4_FAMILY. Referenced by ps_filter_ignore().

int ps_init (  int  detect_scans, int  detect_scan_type, int  sense_level, IPSET *  scanner, IPSET *  scanned, IPSET *  watch, int  memcap )

Definition at line 244 of file portscan.c. References s_PS_INIT::detect_scan_type, s_PS_INIT::detect_scans, g_ps_tracker_size, s_PS_INIT::ignore_scanned, s_PS_INIT::ignore_scanners, NULL, PS_PROTO_ICMP, PS_PROTO_IP, PS_PROTO_TCP, PS_PROTO_UDP, ps_tracker_free(), PS_TYPE_ALL, s_PS_INIT::sense_level, sfxhash_new(), and s_PS_INIT::watch_ip. Referenced by PortscanInit().

static void ps_proto_print (  PS_PROTO *  proto  )  [static]

Definition at line 1753 of file portscan.c. References s_PS_PROTO::alerts, s_PS_PROTO::connection_count, s_PS_PROTO::high_ip, s_PS_PROTO::high_p, s_PS_PROTO::low_ip, s_PS_PROTO::low_p, s_PS_PROTO::open_ports, s_PS_PROTO::open_ports_cnt, s_PS_PROTO::priority_count, s_PS_PROTO::u_ip_count, s_PS_PROTO::u_ips, s_PS_PROTO::u_port_count, s_PS_PROTO::u_ports, and s_PS_PROTO::window. Referenced by ps_tracker_print().

static int ps_proto_update (  PS_PROTO *  proto, int  ps_cnt, int  pri_cnt, u_long  ip, u_short  port, time_t  pkt_time )  [static]

This function updates the PS_PROTO structure. Parameters: PS_PROTO  pointer to structure to update int  number to increment portscan counter u_long  IP address of other host u_short  port/ip_proto to track time_t  time the packet was received. update windows. Definition at line 704 of file portscan.c. References s_PS_PROTO::connection_count, s_PS_PROTO::high_ip, s_PS_PROTO::high_p, s_PS_PROTO::low_ip, s_PS_PROTO::low_p, s_PS_PROTO::priority_count, ps_proto_update_window(), s_PS_PROTO::u_ip_count, s_PS_PROTO::u_ips, s_PS_PROTO::u_port_count, and s_PS_PROTO::u_ports. Referenced by ps_tracker_update_icmp(), ps_tracker_update_ip(), ps_tracker_update_tcp(), and ps_tracker_update_udp().

static int ps_proto_update_window (  PS_PROTO *  proto, time_t  pkt_time )  [static]

Update the proto time windows based on the portscan sensitivity level. Definition at line 652 of file portscan.c. References memset, PS_SENSE_HIGH, PS_SENSE_LOW, PS_SENSE_MEDIUM, s_PS_INIT::sense_level, and s_PS_PROTO::window. Referenced by ps_proto_update().

static int ps_tracker_alert (  PS_PKT *  ps_pkt, PS_TRACKER *  scanner, PS_TRACKER *  scanned )  [static]

This function evaluates the scanner and scanned trackers and if applicable, generate an alert or alerts for either of the trackers. The following alerts can be generated: One to One Portscan One to One Decoy Portscan One to Many Portsweep Distributed Portscan (Many to One) Filtered Portscan? Definition at line 1661 of file portscan.c. References NULL, s_PS_PKT::proto, s_PS_PKT::proto_idx, ps_alert_icmp(), ps_alert_ip(), ps_alert_tcp(), ps_alert_udp(), PS_PROTO_ICMP, PS_PROTO_IP, PS_PROTO_TCP, and PS_PROTO_UDP. Referenced by ps_detect().

static int ps_tracker_free (  void *  key, void *  data )  [static]

This function is passed into the hash algorithm, so that we only reuse nodes that aren't priority nodes. We have to make sure that we only track so many priority nodes, otherwise we could have all priority nodes and not be able to allocate more. Definition at line 205 of file portscan.c. References packet_timeofday(), and s_PS_INIT::proto_cnt. Referenced by ps_init().

static int ps_tracker_get (  PS_TRACKER **  ht, PS_HASH_KEY *  key )  [static]

Get a tracker node by either finding one or starting a new one. We may return NULL, in which case we wait till the next packet. Definition at line 464 of file portscan.c. References NULL, ps_tracker_init(), sfxhash_add(), sfxhash_find(), sfxhash_mru(), and SFXHASH_OK. Referenced by ps_tracker_lookup().

static int ps_tracker_init (  PS_TRACKER *  tracker  )  [static]

Right now all we do is memset, but just in case we want to do more initialization has been extracted. Definition at line 449 of file portscan.c. References g_ps_tracker_size, and memset. Referenced by ps_tracker_get().

static int ps_tracker_lookup (  PS_PKT *  ps_pkt, PS_TRACKER **  scanner, PS_TRACKER **  scanned )  [static]

Definition at line 489 of file portscan.c. References s_PS_INIT::detect_scan_type, _IPHdr::ip_dst, _IPHdr::ip_src, _Packet::iph, s_PS_PKT::pkt, ps_tracker_get(), PS_TYPE_DECOYSCAN, PS_TYPE_DISTPORTSCAN, PS_TYPE_PORTSCAN, PS_TYPE_PORTSWEEP, s_PS_PKT::reverse_pkt, s_PS_HASH_KEY::scanned, and s_PS_HASH_KEY::scanner. Referenced by ps_detect().

void ps_tracker_print (  PS_TRACKER *  ps_tracker  )

Definition at line 1792 of file portscan.c. References s_PS_INIT::detect_scans, PS_PROTO_ICMP, PS_PROTO_IP, ps_proto_print(), PS_PROTO_TCP, and PS_PROTO_UDP.

static int ps_tracker_update (  PS_PKT *  ps_pkt, PS_TRACKER *  scanner, PS_TRACKER *  scanned )  [static]

At this point, we should only be looking at tranport protocols that we want to. For instance, if we aren't doing UDP portscans then we won't see UDP packets here because they were ignored. This is where we evaluate the packet to add/subtract portscan tracker values and prioritize a tracker. We also update the time windows. Definition at line 1182 of file portscan.c. References s_PS_PKT::pkt, s_PS_PKT::proto, s_PS_PKT::proto_idx, PS_ALERT_GENERATED, ps_get_proto_index(), PS_PROTO_ICMP, PS_PROTO_IP, PS_PROTO_TCP, PS_PROTO_UDP, ps_tracker_update_icmp(), ps_tracker_update_ip(), ps_tracker_update_tcp(), and ps_tracker_update_udp(). Referenced by ps_detect().

static int ps_tracker_update_icmp (  PS_PKT *  ps_pkt, PS_TRACKER *  scanner, PS_TRACKER *  scanned, int  proto_idx )  [static]

Definition at line 1125 of file portscan.c. References ICMP_ADDRESS, ICMP_DEST_UNREACH, ICMP_ECHO, ICMP_INFO_REQUEST, ICMP_TIMESTAMP, _Packet::icmph, _IPHdr::ip_dst, _Packet::iph, packet_timeofday(), s_PS_PKT::pkt, ps_proto_update(), and _ICMPHdr::type. Referenced by ps_tracker_update().

static int ps_tracker_update_ip (  PS_PKT *  ps_pkt, PS_TRACKER *  scanner, PS_TRACKER *  scanned, int  proto_idx )  [static]

Definition at line 1000 of file portscan.c. References _ICMPHdr::code, _FLOWSTATS::direction, _Packet::flow, flow, FROM_INITIATOR, FROM_RESPONDER, ICMP_DEST_UNREACH, ICMP_PROT_UNREACH, _Packet::icmph, _IPHdr::ip_dst, _IPHdr::ip_proto, _IPHdr::ip_src, _Packet::iph, packet_timeofday(), s_PS_PKT::pkt, ps_proto_update(), _FLOW::stats, and _ICMPHdr::type. Referenced by ps_tracker_update().

static int ps_tracker_update_tcp (  PS_PKT *  ps_pkt, PS_TRACKER *  scanner, PS_TRACKER *  scanned, int  proto_idx )  [static]

Determine how to update the portscan counter depending on the type of TCP packet we have. We are concerned with three types of TCP packets: initiating TCP packets (we don't care about flags) TCP 3-way handshake packets (we decrement the counter) TCP reset packets on unestablished streams. Definition at line 846 of file portscan.c. References _FLOWSTATS::direction, _Packet::dp, _Packet::flow, flow, FROM_INITIATOR, FROM_RESPONDER, g_include_midstream, _Packet::icmph, _IPHdr::ip_dst, _IPHdr::ip_src, _Packet::iph, _Packet::orig_tcph, _Packet::packet_flags, packet_timeofday(), s_PS_PKT::pkt, PKT_FROM_SERVER, PKT_STREAM_EST, PKT_STREAM_TWH, PS_ALERT_GENERATED, PS_ALERT_OPEN_PORT, ps_proto_update(), ps_update_open_ports(), _Session::session_flags, _Packet::sp, SSNFLAG_MIDSTREAM, SSNFLAG_SEEN_CLIENT, SSNFLAG_SEEN_SERVER, _Packet::ssnptr, _FLOW::stats, _Packet::tcph, _TCPHdr::th_flags, and TH_RST. Referenced by ps_tracker_update().

static int ps_tracker_update_udp (  PS_PKT *  ps_pkt, PS_TRACKER *  scanner, PS_TRACKER *  scanned, int  proto_idx )  [static]

Definition at line 1064 of file portscan.c. References _ICMPHdr::code, _FLOWSTATS::direction, _Packet::dp, _Packet::flow, flow, FROM_INITIATOR, FROM_RESPONDER, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, _Packet::icmph, _IPHdr::ip_dst, _IPHdr::ip_src, _Packet::iph, packet_timeofday(), s_PS_PKT::pkt, ps_proto_update(), _FLOW::stats, _ICMPHdr::type, and _Packet::udph. Referenced by ps_tracker_update().

static int ps_update_open_ports (  PS_PROTO *  proto, unsigned short  port )  [static]

Definition at line 808 of file portscan.c. References s_PS_PROTO::alerts, s_PS_PROTO::open_ports, s_PS_PROTO::open_ports_cnt, PS_ALERT_GENERATED, PS_ALERT_OPEN_PORT, and PS_OPEN_PORTS. Referenced by ps_tracker_update_tcp().

---

Variable Documentation

SFXHASH* g_hash [static]

Definition at line 125 of file portscan.c.

PS_ALERT_CONF g_icmp_hi_sweep = {10,3,3,5} [static]

Definition at line 193 of file portscan.c.

PS_ALERT_CONF g_icmp_low_sweep = {0,5,5,5} [static]

Definition at line 191 of file portscan.c.

PS_ALERT_CONF g_icmp_med_sweep = {20,5,5,5} [static]

Definition at line 192 of file portscan.c.

int g_include_midstream

Definition at line 65 of file spp_sfportscan.c. Referenced by PortscanInit(), and ps_tracker_update_tcp().

PS_ALERT_CONF g_ip_hi_decoy_ps = {200,7,15,5} [static]

Definition at line 184 of file portscan.c.

PS_ALERT_CONF g_ip_hi_dist_ps = {200,3,11,10} [static]

Definition at line 186 of file portscan.c.

PS_ALERT_CONF g_ip_hi_ps = {200,3,3,10} [static]

Definition at line 183 of file portscan.c.

PS_ALERT_CONF g_ip_hi_sweep = {30,3,3,7} [static]

Definition at line 185 of file portscan.c.

PS_ALERT_CONF g_ip_low_decoy_ps = {0,40,50,25} [static]

Definition at line 174 of file portscan.c.

PS_ALERT_CONF g_ip_low_dist_ps = {0,15,25,50} [static]

Definition at line 176 of file portscan.c.

PS_ALERT_CONF g_ip_low_ps = {0,10,10,50} [static]

Definition at line 173 of file portscan.c.

PS_ALERT_CONF g_ip_low_sweep = {0,10,10,10} [static]

Definition at line 175 of file portscan.c.

PS_ALERT_CONF g_ip_med_decoy_ps = {200,40,50,25} [static]

Definition at line 179 of file portscan.c.

PS_ALERT_CONF g_ip_med_dist_ps = {200,15,25,50} [static]

Definition at line 181 of file portscan.c.

PS_ALERT_CONF g_ip_med_ps = {200,10,10,50} [static]

Definition at line 178 of file portscan.c.

PS_ALERT_CONF g_ip_med_sweep = {30,10,10,10} [static]

Definition at line 180 of file portscan.c.

PS_INIT g_ps_init [static]

Definition at line 124 of file portscan.c.

int g_ps_tracker_size [static]

Definition at line 123 of file portscan.c. Referenced by ps_init(), and ps_tracker_init().

PS_ALERT_CONF g_tcp_hi_decoy_ps = {200,7,200,60} [static]

Definition at line 148 of file portscan.c.

PS_ALERT_CONF g_tcp_hi_dist_ps = {200,5,200,10} [static]

Definition at line 150 of file portscan.c.

PS_ALERT_CONF g_tcp_hi_ps = {200,5,100,10} [static]

Definition at line 147 of file portscan.c.

PS_ALERT_CONF g_tcp_hi_sweep = {30,3,3,10} [static]

Definition at line 149 of file portscan.c.

PS_ALERT_CONF g_tcp_low_decoy_ps = {0,15,50,30} [static]

Definition at line 138 of file portscan.c.

PS_ALERT_CONF g_tcp_low_dist_ps = {0,15,50,15} [static]

Definition at line 140 of file portscan.c.

PS_ALERT_CONF g_tcp_low_ps = {0,5,25,5} [static]

Definition at line 137 of file portscan.c.

PS_ALERT_CONF g_tcp_low_sweep = {0,5,5,15} [static]

Definition at line 139 of file portscan.c.

PS_ALERT_CONF g_tcp_med_decoy_ps = {200,30,120,60} [static]

Definition at line 143 of file portscan.c.

PS_ALERT_CONF g_tcp_med_dist_ps = {200,30,120,30} [static]

Definition at line 145 of file portscan.c.

PS_ALERT_CONF g_tcp_med_ps = {200,10,60,15} [static]

Definition at line 142 of file portscan.c.

PS_ALERT_CONF g_tcp_med_sweep = {30,7,7,10} [static]

Definition at line 144 of file portscan.c.

PS_ALERT_CONF g_udp_hi_decoy_ps = {200,7,200,60} [static]

Definition at line 166 of file portscan.c.

PS_ALERT_CONF g_udp_hi_dist_ps = {200,3,200,10} [static]

Definition at line 168 of file portscan.c.

PS_ALERT_CONF g_udp_hi_ps = {200,3,100,10} [static]

Definition at line 165 of file portscan.c.

PS_ALERT_CONF g_udp_hi_sweep = {30,3,3,10} [static]

Definition at line 167 of file portscan.c.

PS_ALERT_CONF g_udp_low_decoy_ps = {0,15,50,30} [static]

Definition at line 156 of file portscan.c.

PS_ALERT_CONF g_udp_low_dist_ps = {0,15,50,15} [static]

Definition at line 158 of file portscan.c.

PS_ALERT_CONF g_udp_low_ps = {0,5,25,5} [static]

Definition at line 155 of file portscan.c.

PS_ALERT_CONF g_udp_low_sweep = {0,5,5,15} [static]

Definition at line 157 of file portscan.c.

PS_ALERT_CONF g_udp_med_decoy_ps = {200,30,120,60} [static]

Definition at line 161 of file portscan.c.

PS_ALERT_CONF g_udp_med_dist_ps = {200,30,120,30} [static]

Definition at line 163 of file portscan.c.

PS_ALERT_CONF g_udp_med_ps = {200,10,60,15} [static]

Definition at line 160 of file portscan.c.

PS_ALERT_CONF g_udp_med_sweep = {30,5,5,20} [static]

Definition at line 162 of file portscan.c.

---