sfthd.c File Reference

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include "sflsq.h"
#include "sfghash.h"
#include "sfxhash.h"
#include "sfthd.h"

Go to the source code of this file.

Functions
THD_STRUCT *	sfthd_new (unsigned nbytes)
static int	sfthd_create_threshold_local (THD_STRUCT *thd, unsigned gen_id, unsigned sig_id, int tracking, int type, int priority, int count, int seconds, unsigned ip_address, unsigned ip_mask, unsigned not_flag)
static int	sfthd_create_threshold_global (THD_STRUCT *thd, unsigned gen_id, unsigned sig_id, int tracking, int type, int priority, int count, int seconds, unsigned ip_address, unsigned ip_mask)
int	sfthd_create_threshold (THD_STRUCT *thd, unsigned gen_id, unsigned sig_id, int tracking, int type, int priority, int count, int seconds, unsigned ip_address, unsigned ip_mask, unsigned not_flag)
static int	sfthd_test_object (THD_STRUCT *thd, THD_NODE *sfthd_node, unsigned sip, unsigned dip, time_t curtime)
static int	sfthd_test_gobject (THD_STRUCT *thd, THD_NODE *sfthd_node, unsigned gen_id, unsigned sig_id, unsigned sip, unsigned dip, time_t curtime)
int	sfthd_test_threshold (THD_STRUCT *thd, unsigned gen_id, unsigned sig_id, unsigned sip, unsigned dip, long curtime)
int	sfthd_show_objects (THD_STRUCT *thd)
Variables
static int	s_id = 1

---

Detailed Description

An Abstracted Event Thresholding System

Copyright (C) 2003 Sourcefire,Inc. Marc Norton

Definition in file sfthd.c.

---

Function Documentation

int sfthd_create_threshold (  THD_STRUCT *  thd, unsigned  gen_id, unsigned  sig_id, int  tracking, int  type, int  priority, int  count, int  seconds, unsigned  ip_address, unsigned  ip_mask, unsigned  not_flag )

Add a permanent threshold object to the threshold table. Multiple objects may be defined for each gen_id and sig_id pair. Internally a unique threshold id is generated for each pair. Threshold objects track the number of events seen during the time interval specified by seconds. Depending on the type of threshold object and the count value, the thresholding object determines if the current event should be logged or dropped. Parameters: thd  Threshold object from sfthd_new() gen_id  Generator id sig_id  Signauture id tracking  Selects tracking by src ip or by dst ip type  Thresholding type: Limit, Threshold, or Limt+Threshold, Suppress priority  Assigns a relative priority to this object, higher numbers imply higher priority count  Number of events seconds  Time duration over which this threshold object acts. ip  IP address, for supression ip-mask  IP mask, applied with ip_mask, for supression Returns: integer Return values: 0  successfully added the thresholding object !0  failed --- Local and Global Thresholding is setup here --- Definition at line 443 of file sfthd.c. References sfthd_create_threshold_global(), and sfthd_create_threshold_local(). Referenced by sfthreshold_create().

static int sfthd_create_threshold_global (  THD_STRUCT *  thd, unsigned  gen_id, unsigned  sig_id, int  tracking, int  type, int  priority, int  count, int  seconds, unsigned  ip_address, unsigned  ip_mask )  [static]

Definition at line 356 of file sfthd.c. References THD_NODE::count, THD_NODE::gen_id, THD_NODE::ip_address, THD_NODE::ip_mask, THD_NODE::priority, s_id, THD_NODE::seconds, THD_STRUCT::sfthd_garray, THD_NODE::sig_id, THD_NODE::thd_id, THD_MAX_GENID, THD_NODE::tracking, and THD_NODE::type. Referenced by sfthd_create_threshold().

static int sfthd_create_threshold_local (  THD_STRUCT *  thd, unsigned  gen_id, unsigned  sig_id, int  tracking, int  type, int  priority, int  count, int  seconds, unsigned  ip_address, unsigned  ip_mask, unsigned  not_flag )  [static]

Add a permanent threshold object to the threshold table. Multiple objects may be defined for each gen_id and sig_id pair. Internally a unique threshold id is generated for each pair. Threshold objects track the number of events seen during the time interval specified by seconds. Depending on the type of threshold object and the count value, the thresholding object determines if the current event should be logged or dropped. Parameters: thd  Threshold object from sfthd_new() gen_id  Generator id sig_id  Signauture id tracking  Selects tracking by src ip or by dst ip type  Thresholding type: Limit, Threshold, or Limt+Threshold, Suppress priority  Assigns a relative priority to this object, higher numbers imply higher priority count  Number of events seconds  Time duration over which this threshold object acts. ip  IP address, for supression ip-mask  IP mask, applied with ip_mask, for supression Returns: integer Return values: 0  successfully added the thresholding object !0  failed Definition at line 140 of file sfthd.c. References THD_STRUCT::count, THD_NODE::count, sf_list::count, THD_NODE::gen_id, THD_ITEM::gen_id, THD_NODE::ip_address, THD_NODE::ip_mask, sf_lnode::ndata, sf_lnode::next, THD_NODE::not_flag, THD_NODE::priority, s_id, THD_NODE::seconds, sfghash_add(), sfghash_find(), sfghash_new(), sflist_add_before(), sflist_add_head(), sflist_add_tail(), sflist_first_node(), sflist_new(), sflist_next_node(), THD_STRUCT::sfthd_array, THD_ITEM::sfthd_node_list, THD_NODE::sig_id, THD_ITEM::sig_id, sf_list::tail, THD_GEN_ID_1_ROWS, THD_GEN_ID_ROWS, THD_NODE::thd_id, THD_MAX_GENID, THD_PRIORITY_SUPPRESS, THD_TOO_MANY_THDOBJ, THD_TYPE_SUPPRESS, THD_NODE::tracking, and THD_NODE::type. Referenced by sfthd_create_threshold().

THD_STRUCT* sfthd_new (  unsigned  nbytes  )

Create a threshold table, initialize the threshold system, and optionally limit it's memory usage. Parameters: nbytes  maximum memory to use for thresholding objects, in bytes. Returns: THD_STRUCT* Return values: 0  error !0  valid THD_STRUCT Definition at line 48 of file sfthd.c. References THD_STRUCT::ip_gnodes, THD_STRUCT::ip_nodes, and sfxhash_new(). Referenced by sfthreshold_init().

int sfthd_show_objects (  THD_STRUCT *  thd  )

A function to print the thresholding objects to stdout. Definition at line 1081 of file sfthd.c. References THD_NODE::count, _sfghash_node::data, THD_NODE::ip_address, THD_NODE::ip_mask, THD_NODE::priority, THD_NODE::seconds, sfghash_findfirst(), sfghash_findnext(), sflist_first(), sflist_next(), THD_STRUCT::sfthd_array, THD_ITEM::sfthd_node_list, THD_ITEM::sig_id, THD_NODE::thd_id, THD_MAX_GENID, THD_TYPE_BOTH, THD_TYPE_LIMIT, THD_TYPE_SUPPRESS, THD_TYPE_THRESHOLD, THD_NODE::tracking, and THD_NODE::type.

static int sfthd_test_gobject (  THD_STRUCT *  thd, THD_NODE *  sfthd_node, unsigned  gen_id, unsigned  sig_id, unsigned  sip, unsigned  dip, time_t  curtime )  [static]

Definition at line 714 of file sfthd.c. References _sfxhash::cnode, THD_NODE::count, THD_IP_GNODE::count, _sfxhash_node::data, THD_NODE::gen_id, THD_IP_GNODE_KEY::gen_id, THD_IP_GNODE_KEY::ip, THD_NODE::ip_address, THD_STRUCT::ip_gnodes, THD_NODE::ip_mask, THD_NODE::seconds, sfxhash_add(), SFXHASH_INTABLE, THD_IP_GNODE_KEY::sig_id, THD_TRK_SRC, THD_TYPE_BOTH, THD_TYPE_LIMIT, THD_TYPE_SUPPRESS, THD_TYPE_THRESHOLD, THD_NODE::tracking, THD_IP_GNODE::tstart, and THD_NODE::type. Referenced by sfthd_test_threshold().

static int sfthd_test_object (  THD_STRUCT *  thd, THD_NODE *  sfthd_node, unsigned  sip, unsigned  dip, time_t  curtime )  [static]

Find/Test/Add an event against a single threshold object. Events without thresholding objects are automatically loggable. Parameters: thd  Threshold table pointer sfthd_node  Permanent Thresholding Object sip  Event/Packet Src IP address- should be host ordered for comparison dip  Event/Packet Dst IP address curtime  Current Event/Packet time in seconds Returns: integer Return values: 0  : Event is loggable >0  : Event should not be logged, try next thd object <0  : Event should never be logged to this user! Suppressed Event+IP Definition at line 517 of file sfthd.c. References _sfxhash::cnode, THD_NODE::count, THD_IP_NODE::count, _sfxhash_node::data, THD_IP_NODE::ip, THD_IP_NODE_KEY::ip, THD_NODE::ip_address, THD_NODE::ip_mask, THD_STRUCT::ip_nodes, THD_NODE::not_flag, THD_NODE::seconds, sfxhash_add(), SFXHASH_INTABLE, THD_NODE::thd_id, THD_IP_NODE_KEY::thd_id, THD_TRK_SRC, THD_TYPE_BOTH, THD_TYPE_LIMIT, THD_TYPE_SUPPRESS, THD_TYPE_THRESHOLD, THD_NODE::tracking, THD_IP_NODE::tstart, and THD_NODE::type. Referenced by sfthd_test_threshold().

int sfthd_test_threshold (  THD_STRUCT *  thd, unsigned  gen_id, unsigned  sig_id, unsigned  sip, unsigned  dip, long  curtime )

Test a an event against the threshold database. Events without thresholding objects are automatically loggable. Parameters: thd  Threshold table pointer gen_id  Generator Id from the event sig_id  Signature Id from the event sip  Event/Packet Src IP address dip  Event/Packet Dst IP address curtime  Current Event/Packet time Returns: integer Return values: 0  : Event is loggable !0  : Event should not be logged Definition at line 923 of file sfthd.c. References THD_ITEM::gen_id, sfghash_find(), sflist_first(), sflist_next(), THD_STRUCT::sfthd_array, THD_STRUCT::sfthd_garray, THD_ITEM::sfthd_node_list, sfthd_test_gobject(), sfthd_test_object(), THD_ITEM::sig_id, THD_NODE::thd_id, THD_MAX_GENID, and THD_NODE::type. Referenced by sfthreshold_test().

---

Variable Documentation

int s_id = 1 [static]

Definition at line 22 of file sfthd.c. Referenced by sfthd_create_threshold_global(), and sfthd_create_threshold_local().

---