1 /* 2 * Copyright (c) 2001 Mark Fullmer and The Ohio State University 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 * SUCH DAMAGE. 
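 *
 * $Id: flow-dscan.h,v 1.9 2003/04/02 18:03:01 maf Exp $
 */

/*
 * flow-dscan.h -- tuning knobs, state and record layouts for the flow-dscan
 * host/port scan detector.
 *
 * dscan_state holds three hash tables.  hash_scan is keyed on the source IP
 * (dscan_rec.ip_src); each dscan_rec carries a list of dscan_dst entries, one
 * per destination IP seen from that source, each with a bitmap of the
 * destination ports hit.  hash_sup_src / hash_sup_dst hold dscan_sup
 * suppress entries (read from the suppress file named by supfile).
 */

#ifndef FLOW_DSCAN_H
#define FLOW_DSCAN_H

#include <sys/types.h>
#include <stdint.h>        /* uint8_t / uint16_t / uint32_t used below */

/* dscan_rec.flags bits */
#define DSCAN_FLAGS_HOSTSCAN  1          /* source flagged as a host scan */
#define DSCAN_FLAGS_PORTSCAN  2          /* source flagged as a port scan */

/* defaults for the dscan_state tunables */
#define DSCAN_IP_DEPTH        200        /* destination IPs stored per source; host scan trigger */
#define DSCAN_PORT_TRIGGER    64         /* distinct destination ports hit before a port scan triggers */

/*
 * Buckets per hash table.  DSCAN_HASHFUNC folds a 32-bit key into 16 bits,
 * so this must stay 65536 (2^16) for the index to be in range.  Three tables
 * of this size live inside dscan_state (presumably one pointer per list
 * head, i.e. ~1.5 MB on 64-bit), so allocate dscan_state on the heap, never
 * on the stack.
 */
#define DSCAN_HASHSIZE        65536

/*
 * Default state file.  NOTE(review): /var/tmp is world-writable, so a fixed,
 * predictable name there is exposed to symlink / pre-creation attacks by any
 * local user.  The code that loads and saves this file should not trust the
 * path blindly (open with O_NOFOLLOW / check ownership and mode), or callers
 * should point dscan_state.statefile at a file in a protected directory.
 */
#define DSCAN_STATEFILE       "/var/tmp/dscan.state"

/*
 * Default for dscan_state.ager_timeout.  NOTE(review): the field it seeds is
 * documented as "how long to keep flows around", while the original comment
 * here read "max active flows before aging" -- confirm the unit (seconds vs.
 * flow count) against flow-dscan.c before tuning.
 */
#define DSCAN_AGER_TIMEOUT    90000U
#define DSCAN_AGER_WORK       500        /* amount of work the ager does in one run */

/*
 * Fold a 32-bit key (e.g. an IPv4 address) into a table index in
 * [0, DSCAN_HASHSIZE).  The argument is cast to uint32_t before shifting so a
 * negative signed or wider-than-32-bit argument can never produce an
 * out-of-range index, and it is parenthesised so compound expressions hash
 * correctly.  The argument is evaluated twice: do not pass expressions with
 * side effects.
 */
#define DSCAN_HASHFUNC(a) \
  ((((uint32_t)(a)) >> 16) ^ (((uint32_t)(a)) & 0xFFFFU))

/*
 * Suppress list.  NOTE(review): the default file name is relative to the
 * current working directory, so the directory flow-dscan is started from
 * decides which suppress list (if any) is honoured; a writable cwd lets a
 * local user silence detections.  Deployments should set
 * dscan_state.supfile to an absolute path in a protected directory.
 */
#define DSCAN_SUP_FILE        "./dscan.suppress"

/* dscan_sup.flags bits: which fields must match for a flow to be suppressed */
#define DSCAN_SUP_SRCIP       1          /* match source IP */
#define DSCAN_SUP_DSTIP       2          /* match destination IP */
#define DSCAN_SUP_SRCPORT     4          /* match source port */
#define DSCAN_SUP_DSTPORT     8          /* match destination port */
#define DSCAN_SUP_PROTOCOL    16         /* match protocol */


/*
 * Detector state: hash tables, allocator/ager statistics and run-time
 * tunables.  Field order and types are kept as-is; do not reorder, the
 * state file may depend on the layout (unverified from this header).
 */
struct dscan_state {
  /* scan records keyed on dscan_rec.ip_src (bucketed, presumably, with DSCAN_HASHFUNC) */
  FT_SLIST_HEAD(shead, dscan_rec) hash_scan[DSCAN_HASHSIZE];
  /* suppress entries keyed on source and on destination IP respectively */
  FT_SLIST_HEAD(sup_src_head, dscan_sup) hash_sup_src[DSCAN_HASHSIZE];
  FT_SLIST_HEAD(sup_dst_head, dscan_sup) hash_sup_dst[DSCAN_HASHSIZE];
  /* allocator and ager statistics (diagnostics only) */
  unsigned int stat_malloc;       /* # of times malloc() called */
  unsigned int stat_free;         /* # of times free() called */
  unsigned int stat_malloc_dst;   /* # of dscan_dst structs allocated */
  unsigned int stat_malloc_rec;   /* # of dscan_rec structs allocated */
  unsigned int stat_free_dst;     /* # of dscan_dst structs freed */
  unsigned int stat_free_rec;     /* # of dscan_rec structs freed */
  unsigned int stat_aged_ip;      /* # of destination IPs removed from lists by the ager */
  unsigned int stat_aged_dsr;     /* # of dscan records removed by the ager */
  /* run-time tunables, defaults above */
  uint32_t ager_timeout;          /* how long to keep flows around (DSCAN_AGER_TIMEOUT) */
  uint32_t dscan_ip_depth;        /* length of destination list (DSCAN_IP_DEPTH); see dscan_rec.depth */
  uint32_t dscan_port_trigger;    /* # of ports hit before a port scan triggers (DSCAN_PORT_TRIGGER) */
  char *statefile;                /* where to store/load state (DSCAN_STATEFILE) */
  char *supfile;                  /* suppress list file (DSCAN_SUP_FILE) */
};

/* one destination IP seen from a given source, plus the ports hit on it */
struct dscan_dst {
  uint32_t ip_dst;                /* destination IP */
  uint32_t ip_time;               /* last time this destination was seen */
  /*
   * Active destination ports.  NOTE(review): a 1024-bit map can only cover
   * 1024 ports, which suggests only ports below 1024 are tracked -- confirm
   * in flow-dscan.c; scans of higher ports would then go unnoticed.
   */
  struct bit1024 portmap;
  FT_STAILQ_ENTRY (dscan_dst) chain;  /* next destination in the source's list */
};

/* per-source scan record: the destination list and its scan flags */
struct dscan_rec {
  /*
   * Current length of dlhead, 0..255.  NOTE(review): dscan_state.dscan_ip_depth
   * is a uint32_t, so a configured depth above 255 cannot be represented here
   * and would wrap; the code growing the list must clamp the limit to 255.
   */
  uint8_t depth;
  uint8_t flags;                  /* DSCAN_FLAGS_* */
  uint32_t ip_src;                /* source IP address (hash key) */
  FT_STAILQ_HEAD(dhead, dscan_dst) dlhead;  /* head of the destination list */
  FT_SLIST_ENTRY (dscan_rec) chain;         /* next record in the hash bucket */
};

/* suppress entry: fields compared as selected by flags (DSCAN_SUP_*) */
struct dscan_sup {
  uint32_t ip;                    /* source or destination IP, per flags */
  uint16_t srcport;               /* source port */
  uint16_t dstport;               /* destination port */
  uint8_t flags;                  /* DSCAN_SUP_* match selector */
  uint8_t protocol;               /* IP protocol */
  FT_SLIST_ENTRY (dscan_sup) chain;  /* next entry in the hash bucket */
};

#endif /* FLOW_DSCAN_H */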