spp_flow.c File Reference

flow integration with snort More...

#include <time.h>
#include "snort.h"
#include "decode.h"
#include "debug.h"
#include "plugbase.h"
#include "util.h"
#include "parser.h"
#include "spp_flow.h"
#include "flow/flow.h"
#include "flow/flow_cache.h"
#include "flow/flow_callback.h"
#include "flow/flow_class.h"
#include "flow/flow_print.h"
#include "flow/portscan/flowps_snort.h"

Go to the source code of this file.

Defines

#define DEFAULT_MEMCAP   (1024 * 1024 * 10)

#define DEFAULT_ROWS   (1024 * 4)

#define DEFAULT_STAT_INTERVAL   0

Typedefs

typedef _SPPFLOW_CONFIG SPPFLOW_CONFIG

Functions

static int FlowParseArgs (SPPFLOW_CONFIG *config, char *args)

static INLINE int FlowPacket (Packet *p)

static void FlowPreprocessor (Packet *p, void *)

static void FlowInit (u_char *args)

static void FlowCleanExit (int signal, void *data)

static void FlowRestart (int signal, void *data)

static void FlowParseOption (SPPFLOW_CONFIG *config, char *fname, int lineno, char *key, char *value)

static void DisplayFlowConfig (void)

void SetupFlow (void)

int CheckFlowShutdown (Packet *p)

int SppFlowIsRunning (void)

Variables

static int s_flow_running = 0

static FLOWCACHE s_fcache

static SPPFLOW_CONFIG s_config

static int s_debug = 0

unsigned int giFlowbitSize = 64

Detailed Description

flow integration with snort

Author:: Chris Green <cmg@sourcefire.com>

Date:: Thu May 29 11:27:17 2003

The purpose of this module is to have an abstract way of detecting significant events to various modules so that everything higher layers see as a session can be tracked in a single spot.

This module completely replaces spp_conversation.

Definition in file spp_flow.c.

Define Documentation

#define DEFAULT_MEMCAP (1024 * 1024 * 10)

Definition at line 50 of file spp_flow.c.
Referenced by FlowInit().

#define DEFAULT_ROWS (1024 * 4)

Definition at line 51 of file spp_flow.c.
Referenced by FlowInit().

#define DEFAULT_STAT_INTERVAL 0

Definition at line 52 of file spp_flow.c.
Referenced by FlowInit().

Typedef Documentation

typedef struct _SPPFLOW_CONFIG SPPFLOW_CONFIG

Function Documentation

int CheckFlowShutdown ( Packet * p )

See if the flow needs to be shutdown and remove it from the cache. This function should be placed AFTER all detection type components.

Parameters:

p packet

Returns:
0 on sucess

Definition at line 290 of file spp_flow.c.
References _Packet::flow, FLOW_BADJUJU, flow_callbacks(), flow_checkflag(), FLOW_CLOSEME, flow_printf(), FLOW_SHUTDOWN, FLOW_SUCCESS, flowcache_releaseflow(), FROM_INITIATOR, and NULL.
Referenced by Preprocess().

static void DisplayFlowConfig ( void ) [static]

Print out some of the common information about the Flow Processor configuration
Definition at line 407 of file spp_flow.c.
References calc_percent(), flowcache_overhead_bytes(), flowcache_row_count(), _SPPFLOW_CONFIG::hashid, LogMessage(), _SPPFLOW_CONFIG::memcap, and _SPPFLOW_CONFIG::stats_interval.
Referenced by FlowInit().

static void FlowCleanExit ( int signal,

void * data

) [static]

Definition at line 166 of file spp_flow.c.
References flowcache_destroy(), flowcache_stats(), LogMessage(), pv, and _progvars::quiet_flag.
Referenced by FlowInit().

static void FlowInit ( u_char * args ) [static]

Initialize the configuration of the flow preprocessor

Parameters:

args command line arguments from snort.conf

Definition at line 127 of file spp_flow.c.
References AddFuncToCleanExitList(), AddFuncToPreprocList(), AddFuncToRestartList(), DEFAULT_MEMCAP, DEFAULT_ROWS, DEFAULT_STAT_INTERVAL, DisplayFlowConfig(), FatalError(), file_line, file_name, FLOW_SUCCESS, flowcache_init(), FlowCleanExit(), FlowParseArgs(), FlowPreprocessor(), FlowRestart(), giFlowbitSize, HASH2, _SPPFLOW_CONFIG::hashid, _SPPFLOW_CONFIG::memcap, NULL, _SPPFLOW_CONFIG::rows, s_flow_running, and _SPPFLOW_CONFIG::stats_interval.

static INLINE int FlowPacket ( Packet * p ) [static]

Condense all the checks into one places
Must be IP Must not be a fragment Must not be a rebuild stream

Parameters:

p packet to inspect

Returns:
1 if this packet is for flow module, 0 otherwise

Definition at line 106 of file spp_flow.c.
References _Packet::frag_flag, and _Packet::iph.
Referenced by FlowPreprocessor().

static int FlowParseArgs ( SPPFLOW_CONFIG * config,

char * args

) [static]

Definition at line 317 of file spp_flow.c.
References FatalError(), file_line, file_name, flow_printf(), FlowParseOption(), NULL, and s_debug.
Referenced by FlowInit().

static void FlowParseOption ( SPPFLOW_CONFIG * config,

char * fname,

int lineno,

char * key,

char * value

) [static]

Definition at line 362 of file spp_flow.c.
References FatalError(), HASH1, HASH2, _SPPFLOW_CONFIG::hashid, _SPPFLOW_CONFIG::memcap, _SPPFLOW_CONFIG::rows, _SPPFLOW_CONFIG::stats_interval, and strcasecmp.
Referenced by FlowParseArgs().

static void FlowPreprocessor ( Packet * p,

void * context

) [static]

The runtime entry point for the flow module from snort
1) Assign each packet a flow 2) Perform various callbacks based on the parameters for the flow

Parameters:

p packet to process

< addressing scheme to use
< which way does the flow go
this should return a direction too for the key
Definition at line 185 of file spp_flow.c.
References _FLOWSTATS::direction, ErrorMessage(), _Packet::flow, FLOW_ADDITIONAL, flow_callbacks(), flow_classifier(), FLOW_FIRST_BIDIRECTIONAL, FLOW_IPV4, FLOW_NEW, flow_printf(), FLOW_SUCCESS, flowcache_find(), flowcache_newflow(), flowcache_stats(), flowkey_make(), flowkey_print(), FlowPacket(), FROM_INITIATOR, FROM_RESPONDER, _Packet::packet_flags, _FLOWSTATS::packets_recv, PKT_REBUILT_STREAM, _Packet::pkth, pv, _progvars::quiet_flag, _FLOW::stats, _SPPFLOW_CONFIG::stats_interval, and pcap_pkthdr::ts.
Referenced by FlowInit().

static void FlowRestart ( int signal,

void * data

) [static]

Definition at line 161 of file spp_flow.c.
Referenced by FlowInit().

void SetupFlow ( void )

Add the Flow Preprocessor to the list of things that snort can configure.
Definition at line 85 of file spp_flow.c.
References FlowInit(), RegisterPreprocessor(), and SetupFlowPS().
Referenced by InitPreprocessors().

int SppFlowIsRunning ( void )

Return 1 if spp_flow has been configured

Returns:
1 if spp_flow is enabled

Definition at line 430 of file spp_flow.c.
References s_flow_running.
Referenced by FlowBitsInit(), and FlowPSInit().

Variable Documentation

unsigned int giFlowbitSize = 64

Definition at line 78 of file spp_flow.c.

SPPFLOW_CONFIG s_config [static]

Definition at line 64 of file spp_flow.c.

int s_debug = 0 [static]

Definition at line 77 of file spp_flow.c.

FLOWCACHE s_fcache [static]

Definition at line 63 of file spp_flow.c.

int s_flow_running = 0 [static]

is flow turned on?
Definition at line 62 of file spp_flow.c.
Referenced by FlowInit(), and SppFlowIsRunning().

Generated on Sun May 14 14:51:25 2006 by

1.4.2


Defines
#define	DEFAULT_MEMCAP (1024 * 1024 * 10)
#define	DEFAULT_ROWS (1024 * 4)
#define	DEFAULT_STAT_INTERVAL 0
Typedefs
typedef _SPPFLOW_CONFIG	SPPFLOW_CONFIG
Functions
static int	FlowParseArgs (SPPFLOW_CONFIG config, char args)
static INLINE int	FlowPacket (Packet *p)
static void	FlowPreprocessor (Packet p, void )
static void	FlowInit (u_char *args)
static void	FlowCleanExit (int signal, void *data)
static void	FlowRestart (int signal, void *data)
static void	FlowParseOption (SPPFLOW_CONFIG config, char fname, int lineno, char key, char value)
static void	DisplayFlowConfig (void)
void	SetupFlow (void)
int	CheckFlowShutdown (Packet *p)
int	SppFlowIsRunning (void)
Variables
static int	s_flow_running = 0
static FLOWCACHE	s_fcache
static SPPFLOW_CONFIG	s_config
static int	s_debug = 0
unsigned int	giFlowbitSize = 64