spp_sfportscan.c File Reference

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include "decode.h"
#include "plugbase.h"
#include "generators.h"
#include "event_wrapper.h"
#include "util.h"
#include "ipobj.h"
#include "checksum.h"
#include "packet_time.h"
#include "snort.h"
#include "sfthreshold.h"
#include "portscan.h"

Go to the source code of this file.

Defines
#define	DELIMITERS   " \t\n"
#define	TOKEN_ARG_BEGIN   "{"
#define	TOKEN_ARG_END   "}"
#define	PROTO_BUFFER_SIZE   256
Functions
static int	PortscanPacketInit (void)
static int	MakeProtoInfo (PS_PROTO *proto, u_char *buffer, u_int *total_size)
static int	LogPortscanAlert (Packet *p, char *msg, u_int32_t event_id, u_int32_t event_ref, u_int32_t gen_id, u_int32_t sig_id)
static int	GeneratePSSnortEvent (Packet *p, u_int32_t gen_id, u_int32_t sig_id, u_int32_t sig_rev, u_int32_t class, u_int32_t priority, char *msg)
static int	GenerateOpenPortEvent (Packet *p, u_int32_t gen_id, u_int32_t sig_id, u_int32_t sig_rev, u_int32_t class, u_int32_t pri, u_int32_t event_ref, struct timeval *event_time, char *msg)
static int	MakeOpenPortInfo (PS_PROTO *proto, u_char *buffer, u_int *total_size, void *user)
static int	MakePortscanPkt (PS_PKT *ps_pkt, PS_PROTO *proto, int proto_type, void *user)
static int	PortscanAlertTcp (Packet *p, PS_PROTO *proto, int proto_type)
static int	PortscanAlertUdp (Packet *p, PS_PROTO *proto, int proto_type)
static int	PortscanAlertIp (Packet *p, PS_PROTO *proto, int proto_type)
static int	PortscanAlertIcmp (Packet *p, PS_PROTO *proto, int proto_type)
static int	PortscanAlert (PS_PKT *ps_pkt, PS_PROTO *proto, int proto_type)
static void	PortscanDetect (Packet *p, void *context)
static void	FatalErrorNoOption (u_char *option)
static void	FatalErrorNoEnd (char *option)
static void	FatalErrorInvalidArg (char *option)
static void	FatalErrorInvalidOption (char *option)
static void	ParseProtos (int *protos)
static void	ParseScanType (int *scan_types)
static void	ParseSenseLevel (int *sense_level)
static void	ParseIpList (IPSET **ip_list, char *option)
static void	ParseMemcap (int *memcap)
static void	PrintPortscanConf (int detect_scans, int detect_scan_type, int sense_level, IPSET *scanner, IPSET *scanned, IPSET *watch, int memcap)
static void	ParseLogFile (FILE **flog, u_char *logfile, int logfile_size)
static void	PortscanInit (u_char *args)
void	SetupPsng (void)
Variables
PV	pv
char *	file_name
int	file_line
static int	g_print_tracker = 0
static u_char	g_logpath [256]
static FILE *	g_logfile = NULL
static Packet *	g_tmp_pkt
int	g_include_midstream = 0

---

Define Documentation

#define DELIMITERS   " \t\n"

Definition at line 45 of file spp_sfportscan.c.

#define PROTO_BUFFER_SIZE   256

Definition at line 49 of file spp_sfportscan.c. Referenced by MakeOpenPortInfo(), and MakeProtoInfo().

#define TOKEN_ARG_BEGIN   "{"

Definition at line 46 of file spp_sfportscan.c. Referenced by PortscanInit().

#define TOKEN_ARG_END   "}"

Definition at line 47 of file spp_sfportscan.c. Referenced by ParseIpList(), ParseLogFile(), ParseMemcap(), ParseProtos(), ParseScanType(), and ParseSenseLevel().

---

Function Documentation

static void FatalErrorInvalidArg (  char *  option  )  [static]

Definition at line 799 of file spp_sfportscan.c. References FatalError(), file_line, and file_name. Referenced by ParseIpList(), ParseLogFile(), ParseMemcap(), ParseProtos(), ParseScanType(), and ParseSenseLevel().

static void FatalErrorInvalidOption (  char *  option  )  [static]

Definition at line 805 of file spp_sfportscan.c. References FatalError(), file_line, and file_name. Referenced by PortscanInit().

static void FatalErrorNoEnd (  char *  option  )  [static]

Definition at line 793 of file spp_sfportscan.c. References FatalError(), file_line, and file_name. Referenced by ParseLogFile(), ParseMemcap(), ParseProtos(), ParseScanType(), and ParseSenseLevel().

static void FatalErrorNoOption (  u_char *  option  )  [static]

Definition at line 785 of file spp_sfportscan.c. References FatalError(), file_line, and file_name. Referenced by PortscanInit().

static int GenerateOpenPortEvent (  Packet *  p, u_int32_t  gen_id, u_int32_t  sig_id, u_int32_t  sig_rev, u_int32_t  class, u_int32_t  pri, u_int32_t  event_ref, struct timeval *  event_time, char *  msg )  [static]

We have to generate open port events differently because we tag these to the original portscan event. Returns: int Return values: 0  success Definition at line 267 of file spp_sfportscan.c. References CallLogFuncs(), _Event::event_id, g_logfile, _IPHdr::ip_dst, _IPHdr::ip_src, _Packet::iph, LogPortscanAlert(), NULL, _Packet::pkth, _Event::ref_time, SetEvent(), sfthreshold_reset(), sfthreshold_test(), and pcap_pkthdr::ts. Referenced by PortscanAlert(), and PortscanAlertTcp().

static int GeneratePSSnortEvent (  Packet *  p, u_int32_t  gen_id, u_int32_t  sig_id, u_int32_t  sig_rev, u_int32_t  class, u_int32_t  priority, char *  msg )  [static]

Definition at line 242 of file spp_sfportscan.c. References event_id, g_logfile, GenerateSnortEvent(), and LogPortscanAlert(). Referenced by PortscanAlertIcmp(), PortscanAlertIp(), PortscanAlertTcp(), and PortscanAlertUdp().

static int LogPortscanAlert (  Packet *  p, char *  msg, u_int32_t  event_id, u_int32_t  event_ref, u_int32_t  gen_id, u_int32_t  sig_id )  [static]

Definition at line 202 of file spp_sfportscan.c. References _Packet::data, _Packet::dsize, g_logfile, _IPHdr::ip_dst, _IPHdr::ip_src, _Packet::iph, _Packet::pkth, sfthreshold_test(), TIMEBUF_SIZE, pcap_pkthdr::ts, and ts_print(). Referenced by GenerateOpenPortEvent(), and GeneratePSSnortEvent().

static int MakeOpenPortInfo (  PS_PROTO *  proto, u_char *  buffer, u_int *  total_size, void *  user )  [static]

Write out the open ports info for open port alerts. Returns: integer Definition at line 321 of file spp_sfportscan.c. References _Packet::dsize, IP_MAXPACKET, PROTO_BUFFER_SIZE, and snprintf. Referenced by MakePortscanPkt().

static int MakePortscanPkt (  PS_PKT *  ps_pkt, PS_PROTO *  proto, int  proto_type, void *  user )  [static]

Definition at line 359 of file spp_sfportscan.c. References pcap_pkthdr::caplen, _Packet::data, ETHERNET_HEADER_LEN, in_chksum_ip(), _IPHdr::ip_csum, _IPHdr::ip_dst, IP_HLEN, _IPHdr::ip_len, _IPHdr::ip_proto, ip_size(), _IPHdr::ip_src, _IPHdr::ip_ttl, _Packet::iph, pcap_pkthdr::len, MakeOpenPortInfo(), MakeProtoInfo(), memcpy, s_PS_PKT::pkt, _Packet::pkth, PS_PROTO_ICMP, PS_PROTO_IP, PS_PROTO_OPEN_PORT, PS_PROTO_TCP, PS_PROTO_UDP, s_PS_PKT::reverse_pkt, and pcap_pkthdr::ts. Referenced by PortscanAlert(), and PortscanAlertTcp().

static int MakeProtoInfo (  PS_PROTO *  proto, u_char *  buffer, u_int *  total_size )  [static]

This routine makes the portscan payload for the events. The listed info is: priority count (number of error transmissions RST/ICMP UNREACH) connection count (number of protocol connections SYN) ip count (number of IPs that communicated with host) ip range (low to high range of IPs) port count (number of port changes that occurred on host) port range (low to high range of ports connected too) Returns: integer Return values: -1  buffer not large enough 0  successful Definition at line 137 of file spp_sfportscan.c. References s_PS_PROTO::alerts, s_PS_PROTO::connection_count, _Packet::dsize, s_PS_PROTO::high_ip, s_PS_PROTO::high_p, IP_MAXPACKET, s_PS_PROTO::low_ip, s_PS_PROTO::low_p, s_PS_PROTO::priority_count, PROTO_BUFFER_SIZE, PS_ALERT_PORTSWEEP, PS_ALERT_PORTSWEEP_FILTERED, snprintf, s_PS_PROTO::u_ip_count, and s_PS_PROTO::u_port_count. Referenced by MakePortscanPkt().

static void ParseIpList (  IPSET **  ip_list, char *  option )  [static]

Definition at line 915 of file spp_sfportscan.c. References FatalError(), FatalErrorInvalidArg(), file_line, file_name, ip4_setparse(), ipset_new(), IPV4_FAMILY, NULL, and TOKEN_ARG_END. Referenced by PortscanInit().

static void ParseLogFile (  FILE **  flog, u_char *  logfile, int  logfile_size )  [static]

Definition at line 1069 of file spp_sfportscan.c. References DELIMITERS, FatalError(), FatalErrorInvalidArg(), FatalErrorNoEnd(), file_line, file_name, _progvars::log_dir, NULL, snprintf, and TOKEN_ARG_END. Referenced by PortscanInit().

static void ParseMemcap (  int *  memcap  )  [static]

Definition at line 937 of file spp_sfportscan.c. References DELIMITERS, FatalErrorInvalidArg(), FatalErrorNoEnd(), NULL, and TOKEN_ARG_END. Referenced by PortscanInit().

static void ParseProtos (  int *  protos  )  [static]

Definition at line 811 of file spp_sfportscan.c. References DELIMITERS, FatalErrorInvalidArg(), FatalErrorNoEnd(), NULL, PS_PROTO_ALL, PS_PROTO_ICMP, PS_PROTO_IP, PS_PROTO_TCP, PS_PROTO_UDP, strcasecmp, and TOKEN_ARG_END. Referenced by PortscanInit().

static void ParseScanType (  int *  scan_types  )  [static]

Definition at line 847 of file spp_sfportscan.c. References DELIMITERS, FatalErrorInvalidArg(), FatalErrorNoEnd(), NULL, PS_TYPE_ALL, PS_TYPE_DECOYSCAN, PS_TYPE_DISTPORTSCAN, PS_TYPE_PORTSCAN, PS_TYPE_PORTSWEEP, strcasecmp, and TOKEN_ARG_END. Referenced by PortscanInit().

static void ParseSenseLevel (  int *  sense_level  )  [static]

Definition at line 883 of file spp_sfportscan.c. References DELIMITERS, FatalErrorInvalidArg(), FatalErrorNoEnd(), NULL, PS_SENSE_HIGH, PS_SENSE_LOW, PS_SENSE_MEDIUM, strcasecmp, and TOKEN_ARG_END. Referenced by PortscanInit().

static int PortscanAlert (  PS_PKT *  ps_pkt, PS_PROTO *  proto, int  proto_type )  [static]

Definition at line 674 of file spp_sfportscan.c. References s_PS_PROTO::alerts, s_PS_PROTO::event_ref, s_PS_PROTO::event_time, GenerateOpenPortEvent(), GENERATOR_PSNG, MakePortscanPkt(), NULL, s_PS_PKT::pkt, PortscanAlertIcmp(), PortscanAlertIp(), PortscanAlertTcp(), PortscanAlertUdp(), PS_ALERT_OPEN_PORT, PS_PROTO_ICMP, PS_PROTO_IP, PS_PROTO_OPEN_PORT, PS_PROTO_TCP, PS_PROTO_UDP, PSNG_OPEN_PORT, PSNG_OPEN_PORT_STR, and _Packet::sp. Referenced by PortscanDetect().

static int PortscanAlertIcmp (  Packet *  p, PS_PROTO *  proto, int  proto_type )  [static]

Definition at line 650 of file spp_sfportscan.c. References s_PS_PROTO::alerts, GeneratePSSnortEvent(), GENERATOR_PSNG, PS_ALERT_PORTSWEEP, PS_ALERT_PORTSWEEP_FILTERED, PSNG_ICMP_PORTSWEEP, PSNG_ICMP_PORTSWEEP_FILTERED, PSNG_ICMP_PORTSWEEP_FILTERED_STR, and PSNG_ICMP_PORTSWEEP_STR. Referenced by PortscanAlert().

static int PortscanAlertIp (  Packet *  p, PS_PROTO *  proto, int  proto_type )  [static]

Definition at line 595 of file spp_sfportscan.c. References s_PS_PROTO::alerts, GeneratePSSnortEvent(), GENERATOR_PSNG, PS_ALERT_DISTRIBUTED, PS_ALERT_DISTRIBUTED_FILTERED, PS_ALERT_ONE_TO_ONE, PS_ALERT_ONE_TO_ONE_DECOY, PS_ALERT_ONE_TO_ONE_DECOY_FILTERED, PS_ALERT_ONE_TO_ONE_FILTERED, PS_ALERT_PORTSWEEP, PS_ALERT_PORTSWEEP_FILTERED, PSNG_IP_DECOY_PORTSCAN, PSNG_IP_DECOY_PORTSCAN_STR, PSNG_IP_DISTRIBUTED_PORTSCAN, PSNG_IP_DISTRIBUTED_PORTSCAN_STR, PSNG_IP_FILTERED_DECOY_PORTSCAN, PSNG_IP_FILTERED_DECOY_PORTSCAN_STR, PSNG_IP_FILTERED_DISTRIBUTED_PORTSCAN, PSNG_IP_FILTERED_DISTRIBUTED_PORTSCAN_STR, PSNG_IP_FILTERED_PORTSCAN, PSNG_IP_FILTERED_PORTSCAN_STR, PSNG_IP_PORTSCAN, PSNG_IP_PORTSCAN_STR, PSNG_IP_PORTSWEEP, PSNG_IP_PORTSWEEP_FILTERED, PSNG_IP_PORTSWEEP_FILTERED_STR, and PSNG_IP_PORTSWEEP_STR. Referenced by PortscanAlert().

static int PortscanAlertTcp (  Packet *  p, PS_PROTO *  proto, int  proto_type )  [static]

Definition at line 442 of file spp_sfportscan.c. References s_PS_PROTO::alerts, s_PS_PROTO::event_ref, s_PS_PROTO::event_time, GenerateOpenPortEvent(), GeneratePSSnortEvent(), GENERATOR_PSNG, MakePortscanPkt(), memset, s_PS_PROTO::open_ports, s_PS_PROTO::open_ports_cnt, s_PS_PKT::pkt, _Packet::pkth, PS_ALERT_DISTRIBUTED, PS_ALERT_DISTRIBUTED_FILTERED, PS_ALERT_ONE_TO_ONE, PS_ALERT_ONE_TO_ONE_DECOY, PS_ALERT_ONE_TO_ONE_DECOY_FILTERED, PS_ALERT_ONE_TO_ONE_FILTERED, PS_ALERT_PORTSWEEP, PS_ALERT_PORTSWEEP_FILTERED, PS_PROTO_OPEN_PORT, PSNG_OPEN_PORT, PSNG_OPEN_PORT_STR, PSNG_TCP_DECOY_PORTSCAN, PSNG_TCP_DECOY_PORTSCAN_STR, PSNG_TCP_DISTRIBUTED_PORTSCAN, PSNG_TCP_DISTRIBUTED_PORTSCAN_STR, PSNG_TCP_FILTERED_DECOY_PORTSCAN, PSNG_TCP_FILTERED_DECOY_PORTSCAN_STR, PSNG_TCP_FILTERED_DISTRIBUTED_PORTSCAN, PSNG_TCP_FILTERED_DISTRIBUTED_PORTSCAN_STR, PSNG_TCP_FILTERED_PORTSCAN, PSNG_TCP_FILTERED_PORTSCAN_STR, PSNG_TCP_PORTSCAN, PSNG_TCP_PORTSCAN_STR, PSNG_TCP_PORTSWEEP, PSNG_TCP_PORTSWEEP_FILTERED, PSNG_TCP_PORTSWEEP_FILTERED_STR, PSNG_TCP_PORTSWEEP_STR, and pcap_pkthdr::ts. Referenced by PortscanAlert().

static int PortscanAlertUdp (  Packet *  p, PS_PROTO *  proto, int  proto_type )  [static]

Definition at line 540 of file spp_sfportscan.c. References s_PS_PROTO::alerts, GeneratePSSnortEvent(), GENERATOR_PSNG, PS_ALERT_DISTRIBUTED, PS_ALERT_DISTRIBUTED_FILTERED, PS_ALERT_ONE_TO_ONE, PS_ALERT_ONE_TO_ONE_DECOY, PS_ALERT_ONE_TO_ONE_DECOY_FILTERED, PS_ALERT_ONE_TO_ONE_FILTERED, PS_ALERT_PORTSWEEP, PS_ALERT_PORTSWEEP_FILTERED, PSNG_UDP_DECOY_PORTSCAN, PSNG_UDP_DECOY_PORTSCAN_STR, PSNG_UDP_DISTRIBUTED_PORTSCAN, PSNG_UDP_DISTRIBUTED_PORTSCAN_STR, PSNG_UDP_FILTERED_DECOY_PORTSCAN, PSNG_UDP_FILTERED_DECOY_PORTSCAN_STR, PSNG_UDP_FILTERED_DISTRIBUTED_PORTSCAN, PSNG_UDP_FILTERED_DISTRIBUTED_PORTSCAN_STR, PSNG_UDP_FILTERED_PORTSCAN, PSNG_UDP_FILTERED_PORTSCAN_STR, PSNG_UDP_PORTSCAN, PSNG_UDP_PORTSCAN_STR, PSNG_UDP_PORTSWEEP, PSNG_UDP_PORTSWEEP_FILTERED, PSNG_UDP_PORTSWEEP_FILTERED_STR, and PSNG_UDP_PORTSWEEP_STR. Referenced by PortscanAlert().

static void PortscanDetect (  Packet *  p, void *  context )  [static]

Definition at line 751 of file spp_sfportscan.c. References _Packet::iph, memset, _Packet::packet_flags, s_PS_PKT::pkt, PKT_REBUILT_STREAM, PortscanAlert(), PP_SFPORTSCAN, _Packet::preprocessors, s_PS_PKT::proto, s_PS_PKT::proto_idx, PS_ALERT_GENERATED, ps_detect(), s_PS_PKT::scanned, and s_PS_PKT::scanner. Referenced by PortscanInit().

static void PortscanInit (  u_char *  args  )  [static]

Definition at line 1097 of file spp_sfportscan.c. References AddFuncToPreprocList(), DELIMITERS, FatalError(), FatalErrorInvalidOption(), FatalErrorNoOption(), file_line, file_name, g_include_midstream, g_logfile, g_logpath, g_print_tracker, NULL, ParseIpList(), ParseLogFile(), ParseMemcap(), ParseProtos(), ParseScanType(), ParseSenseLevel(), PortscanDetect(), PortscanPacketInit(), PrintPortscanConf(), ps_init(), PS_PROTO_TCP, PS_PROTO_UDP, PS_SENSE_LOW, PS_TYPE_ALL, strcasecmp, and TOKEN_ARG_BEGIN.

static int PortscanPacketInit (  void   )  [static]

Initialize the Packet structure buffer so we can generate our alert packets for portscan. We initialize the various fields in the Packet structure and set the hardware layer for easy identification by user interfaces. Returns: int Return values: !0  initialization failed 0  success Definition at line 83 of file spp_sfportscan.c. References _Packet::data, _Packet::eh, _EtherHdr::ether_dst, _EtherHdr::ether_src, _EtherHdr::ether_type, ETHERNET_HEADER_LEN, IP_MAXPACKET, _Packet::iph, memcpy, _Packet::pkt, and _Packet::pkth. Referenced by PortscanInit().

static void PrintPortscanConf (  int  detect_scans, int  detect_scan_type, int  sense_level, IPSET *  scanner, IPSET *  scanned, IPSET *  watch, int  memcap )  [static]

Definition at line 965 of file spp_sfportscan.c. References IPSET::cidr_list, g_logpath, CIDRBLOCK::ip, ip4_sprintx(), LogMessage(), CIDRBLOCK::mask, memset, CIDRBLOCK::notflag, PS_PROTO_ICMP, PS_PROTO_IP, PS_PROTO_TCP, PS_PROTO_UDP, PS_SENSE_HIGH, PS_SENSE_LOW, PS_SENSE_MEDIUM, PS_TYPE_DECOYSCAN, PS_TYPE_DISTPORTSCAN, PS_TYPE_PORTSCAN, PS_TYPE_PORTSWEEP, sflist_first(), sflist_next(), sfsnprintfappend(), snprintf, and STD_BUF. Referenced by PortscanInit().

void SetupPsng (  void   )

Definition at line 1223 of file spp_sfportscan.c. References PortscanInit(), and RegisterPreprocessor(). Referenced by InitPreprocessors().

---

Variable Documentation

int file_line

Definition at line 88 of file parser.c.

char* file_name

external globals from rules.c Definition at line 87 of file parser.c.

int g_include_midstream = 0

Definition at line 65 of file spp_sfportscan.c. Referenced by PortscanInit(), and ps_tracker_update_tcp().

FILE* g_logfile = NULL [static]

Definition at line 62 of file spp_sfportscan.c. Referenced by GenerateOpenPortEvent(), GeneratePSSnortEvent(), LogPortscanAlert(), and PortscanInit().

u_char g_logpath[256] [static]

Definition at line 61 of file spp_sfportscan.c. Referenced by PortscanInit(), and PrintPortscanConf().

int g_print_tracker = 0 [static]

Definition at line 60 of file spp_sfportscan.c. Referenced by PortscanInit().

Packet* g_tmp_pkt [static]

Definition at line 63 of file spp_sfportscan.c.

PV pv

Definition at line 129 of file snort.c.

---