#include <sys/types.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include "generators.h"
#include "log.h"
#include "detect.h"
#include "decode.h"
#include "event.h"
#include "plugbase.h"
#include "parser.h"
#include "mstring.h"
#include "debug.h"
#include "util.h"
#include "event_queue.h"
Go to the source code of this file.
Defines | |
| #define | MODNAME "spp_arpspoof" |
| #define | WITHUNICAST "-unicast" |
Typedefs | |
| typedef _IPMacEntry | IPMacEntry |
| typedef _IPMacEntryListNode | IPMacEntryListNode |
| typedef _IPMacEntryList | IPMacEntryList |
Functions | |
| void | ARPspoofInit (u_char *args) |
| void | ARPspoofHostInit (u_char *args) |
| void | ParseARPspoofArgs (char *args) |
| void | ParseARPspoofHostArgs (char *args) |
| void | DetectARPattacks (Packet *p, void *context) |
| void | ARPspoofCleanExit (int signal, void *unused) |
| void | FreeIPMacEntryList (IPMacEntryList *ip_mac_entry_list) |
| int | AddIPMacEntryToList (IPMacEntryList *ip_mac_entry_list, IPMacEntry *ip_mac_entry) |
| IPMacEntry * | LookupIPMacEntryByIP (IPMacEntryList *ip_mac_entry_list, u_int32_t ipv4_addr) |
| void | SetupARPspoof (void) |
Variables | |
| int | check_unicast_arp |
| int | check_overwrite |
| u_int8_t | bcast [6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff} |
| static IPMacEntryList * | ipmel = NULL |
|
|
#define MODNAME "spp_arpspoof"
Definition at line 94 of file spp_arpspoof.c. Referenced by AddConnection(), AddDestination(), AddSource(), AlertIntermediateInfo(), ClearConnectionInfoFromSource(), CreateServerList(), ExpireConnections(), InitIgnoreHosts(), InitIgnorePorts(), IsIgnored(), IsServer(), NewConnection(), NewScan(), NewSource(), ParseARPspoofArgs(), ParsePortscanArgs(), ParseScanmungeArgs(), and PortscanPreprocFunction().
|
|
#define WITHUNICAST "-unicast"
Definition at line 95 of file spp_arpspoof.c. Referenced by ParseARPspoofArgs().
|
|
|
|
|
|
|
|
|
|
int AddIPMacEntryToList (IPMacEntryList *ip_mac_entry_list, IPMacEntry *ip_mac_entry)
Add an IP/MAC pair to the linked list.
Definition at line 419 of file spp_arpspoof.c. References _IPMacEntryList::head, _IPMacEntryListNode::ip_mac_entry, _IPMacEntryListNode::next, NULL, _IPMacEntryList::size, and _IPMacEntryList::tail. Referenced by ParseARPspoofHostArgs().
|
void ARPspoofCleanExit (int signal, void *unused)
Definition at line 523 of file spp_arpspoof.c. References check_overwrite, check_unicast_arp, FreeIPMacEntryList(), and NULL. Referenced by ARPspoofInit().
|
|
void ARPspoofHostInit (u_char *args)
Definition at line 208 of file spp_arpspoof.c. References check_overwrite, DEBUG_INIT, DEBUG_WRAP, NULL, ParseARPspoofHostArgs(), and SnortAlloc(). Referenced by SetupARPspoof().
|
|
void ARPspoofInit (u_char *args)
Definition at line 155 of file spp_arpspoof.c. References AddFuncToCleanExitList(), AddFuncToPreprocList(), AddFuncToRestartList(), ARPspoofCleanExit(), DEBUG_INIT, DEBUG_WRAP, DetectARPattacks(), NULL, and ParseARPspoofArgs(). Referenced by SetupARPspoof().
|
void DetectARPattacks (Packet *p, void *context)
Detect ARP anomalies and ARP cache overwrite attacks. The alert identifiers referenced below cover unicast ARP requests, Ethernet-frame/ARP source and destination address mismatches, and ARP cache overwrites.
Definition at line 302 of file spp_arpspoof.c. References _Packet::ah, _ARPHdr::ar_hrd, _ARPHdr::ar_op, _ARPHdr::ar_pro, _EtherARP::arp_sha, _EtherARP::arp_spa, _EtherARP::arp_tha, ARPOP_REPLY, ARPOP_REQUEST, ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK, ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK_STR, ARPSPOOF_ETHERFRAME_ARP_MISMATCH_DST, ARPSPOOF_ETHERFRAME_ARP_MISMATCH_DST_STR, ARPSPOOF_ETHERFRAME_ARP_MISMATCH_SRC, ARPSPOOF_ETHERFRAME_ARP_MISMATCH_SRC_STR, ARPSPOOF_UNICAST_ARP_REQUEST, ARPSPOOF_UNICAST_ARP_REQUEST_STR, bcast, check_overwrite, check_unicast_arp, DEBUG_PLUGIN, DEBUG_WRAP, _EtherARP::ea_hdr, _Packet::eh, _EtherHdr::ether_dst, _EtherHdr::ether_src, ETHERNET_TYPE_IP, GENERATOR_SPP_ARPSPOOF, LookupIPMacEntryByIP(), _IPMacEntry::mac_addr, memcmp(), NULL, PP_ARPSPOOF, _Packet::preprocessors, and SnortEventqAdd(). Referenced by ARPspoofInit().
|
|
void FreeIPMacEntryList (IPMacEntryList *ip_mac_entry_list)
Free the linked list of IP/MAC address pairs.
Definition at line 498 of file spp_arpspoof.c. References _IPMacEntryList::head, _IPMacEntryListNode::ip_mac_entry, _IPMacEntryListNode::next, NULL, and _IPMacEntryList::size. Referenced by ARPspoofCleanExit().
|
IPMacEntry * LookupIPMacEntryByIP (IPMacEntryList *ip_mac_entry_list, u_int32_t ipv4_addr)
Look up a linked-list entry by its IPv4 address.
Definition at line 455 of file spp_arpspoof.c. References DEBUG_PLUGIN, DEBUG_WRAP, _IPMacEntryListNode::ip_mac_entry, _IPMacEntry::ipv4_addr, _IPMacEntryListNode::next, and NULL. Referenced by DetectARPattacks().
|
|
void ParseARPspoofArgs (char *args)
Parse arguments passed to the arpspoof keyword.
Definition at line 181 of file spp_arpspoof.c. References check_unicast_arp, FatalError(), file_line, file_name, MODNAME, mSplit(), mSplitFree(), strncasecmp, and WITHUNICAST. Referenced by ARPspoofInit().
|
|
void ParseARPspoofHostArgs (char *args)
Parse arguments passed to the arpspoof_detect_host keyword.
Definition at line 233 of file spp_arpspoof.c. References AddIPMacEntryToList(), FatalError(), file_line, file_name, mSplit(), mSplitFree(), NULL, SnortAlloc(), and strtoul(). Referenced by ARPspoofHostInit().
|
|
void SetupARPspoof (void)
Definition at line 143 of file spp_arpspoof.c. References ARPspoofHostInit(), ARPspoofInit(), DEBUG_INIT, DEBUG_WRAP, and RegisterPreprocessor(). Referenced by InitPreprocessors().
|
|
u_int8_t bcast [6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff}
Definition at line 122 of file spp_arpspoof.c. Referenced by DetectARPattacks().
|
|
int check_overwrite
Definition at line 121 of file spp_arpspoof.c. Referenced by ARPspoofCleanExit(), ARPspoofHostInit(), and DetectARPattacks().
|
|
int check_unicast_arp
Definition at line 121 of file spp_arpspoof.c. Referenced by ARPspoofCleanExit(), DetectARPattacks(), and ParseARPspoofArgs().
|
|
static IPMacEntryList * ipmel = NULL
Definition at line 123 of file spp_arpspoof.c.