1 #ifndef FASTNETMON_TYPES_H
2 #define FASTNETMON_TYPES_H
3 
4 #include <utility> // std::pair
5 #include <stdint.h> // uint32_t
6 #include <sys/time.h> // struct timeval
7 #include <netinet/in.h> // struct in6_addr
8 
9 #include <string>
10 #include <map>
11 #include <vector>
12 
13 #include "packet_storage.h"
14 
// Traffic direction stored on a packet (simple_packet::packet_direction) and on an attack
// (attack_details::attack_direction). The names suggest a classification relative to the
// monitored networks, with OTHER as the default/unclassified value — confirm against the
// code that assigns it.
enum direction { INCOMING = 0, OUTGOING, INTERNAL, OTHER };
16 
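// Simplified packet struct for a lightweight copy of a packet in memory.
//
// The default constructor gives every member a definite value: counters and addresses are zero,
// sample_ratio and number_of_packets are 1, ip_protocol_version is 4, the direction is OTHER.
// The IPv6 addresses and the timestamp are value-initialized as well, so a packet that is only
// partially filled in by a parser (e.g. an IPv4 packet that never touches the IPv6 fields) does
// not carry indeterminate bytes into storage, comparisons or logs.
class simple_packet {
    public:
    simple_packet()
    // Initializers are listed in declaration order, which is the order the compiler runs them in.
    : sample_ratio(1), src_ip(0), dst_ip(0), src_ipv6(), dst_ipv6(), ip_protocol_version(4), ttl(0),
      source_port(0), destination_port(0), protocol(0), length(0), number_of_packets(1), flags(0),
      ip_fragmented(false), ts(), packet_payload_pointer(NULL), packet_payload_length(0),
      packet_direction(OTHER) {
    }
    // Sampling ratio of the capture source; 1 means no sampling
    uint32_t sample_ratio;
    /* IPv4 */
    uint32_t src_ip;
    uint32_t dst_ip;
    /* IPv6 */
    struct in6_addr src_ipv6;
    struct in6_addr dst_ipv6;
    uint8_t ip_protocol_version; /* IPv4 or IPv6 (4 or 6) */
    uint8_t ttl;
    uint16_t source_port;
    uint16_t destination_port;
    unsigned int protocol;
    uint64_t length;
    uint64_t number_of_packets; /* for netflow: one record may stand for several packets */
    uint8_t flags; /* tcp flags */
    bool ip_fragmented; /* If IP packet fragmented */
    struct timeval ts;
    // Raw payload, if the capture source provides one. This class does not own or free the memory;
    // NOTE(review): the lifetime of the pointee is decided by the producer — confirm before storing a packet.
    void* packet_payload_pointer;
    int packet_payload_length;
    // We store packet direction here because direction calculation is very difficult task for cpu
    direction packet_direction;
};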
50 
// Logging sinks and where they write to. Defaults: log to the filesystem only, with an empty
// path, no local syslog, no remote syslog (empty server, port 0).
class logging_configuration_t {
    public:
        logging_configuration_t()
        : filesystem_logging(true),
          local_syslog_logging(false),
          remote_syslog_logging(false),
          remote_syslog_port(0) {
        }

        // File sink
        bool filesystem_logging;
        std::string filesystem_logging_path;

        // Local syslog sink
        bool local_syslog_logging;

        // Remote syslog sink
        bool remote_syslog_logging;
        std::string remote_syslog_server;
        unsigned int remote_syslog_port;
};
64 
// A subnet as two 32-bit values; presumably (network address, prefix length or mask) —
// confirm against the code that builds and compares them.
typedef std::pair<uint32_t, uint32_t> subnet_t;
typedef std::vector<subnet_t> subnet_vector_t;

// subnet -> host group name, and host group name -> the subnets it contains
typedef std::map<subnet_t, std::string> subnet_to_host_group_map_t;
typedef std::map<std::string, subnet_vector_t> host_group_map_t;

// Signature of a per-packet handler: receives the parsed packet by non-const reference
typedef void (*process_packet_pointer)(simple_packet&);
72 
// Field by which traffic tables can be sorted (packets, bytes or flows)
enum sort_type { PACKETS, BYTES, FLOWS };
75 
// Attack types. Values start at 1 on purpose, so a zero-initialized field never aliases a real type.
enum attack_type_t {
    ATTACK_UNKNOWN = 1,
    ATTACK_SYN_FLOOD = 2,
    ATTACK_ICMP_FLOOD = 3,
    ATTACK_UDP_FLOOD = 4,
    ATTACK_IP_FRAGMENTATION_FLOOD = 5,
};
84 
// Amplification attack types (by the reflected protocol). As with attack_type_t, values start at 1
// so zero is never a valid member.
enum amplification_attack_type_t {
    AMPLIFICATION_ATTACK_UNKNOWN = 1,
    AMPLIFICATION_ATTACK_DNS     = 2,
    AMPLIFICATION_ATTACK_NTP     = 3,
    AMPLIFICATION_ATTACK_SSDP    = 4,
    AMPLIFICATION_ATTACK_SNMP    = 5,
    AMPLIFICATION_ATTACK_CHARGEN = 6,
};
94 
// Aggregate byte/packet/flow totals. Plain POD with no constructor: a default-constructed
// instance is NOT zeroed, so callers must initialize it themselves (e.g. with memset or {}).
typedef struct {
    uint64_t bytes;
    uint64_t packets;
    uint64_t flows;
} total_counter_element;
100 
101 
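// Main data structure for storing traffic and speed counters for all our IPs.
//
// Every counter starts at zero. Besides the plain in/out totals, traffic is broken down by
// protocol class (TCP, TCP SYN, UDP, ICMP, fragmented) because attack-type detection relies on
// those breakdowns.
class map_element {
    public:
    map_element()
    // Initializers are listed in declaration order: that is the order the compiler executes them in,
    // so a reader can see at a glance that no member is skipped (and -Wreorder stays quiet).
    : in_bytes(0), out_bytes(0), in_packets(0), out_packets(0),
      fragmented_in_packets(0), fragmented_out_packets(0), fragmented_in_bytes(0), fragmented_out_bytes(0),
      tcp_in_packets(0), tcp_out_packets(0), tcp_in_bytes(0), tcp_out_bytes(0),
      tcp_syn_in_packets(0), tcp_syn_out_packets(0), tcp_syn_in_bytes(0), tcp_syn_out_bytes(0),
      udp_in_packets(0), udp_out_packets(0), udp_in_bytes(0), udp_out_bytes(0),
      icmp_in_packets(0), icmp_out_packets(0), icmp_in_bytes(0), icmp_out_bytes(0),
      in_flows(0), out_flows(0) {
    }
    uint64_t in_bytes;
    uint64_t out_bytes;
    uint64_t in_packets;
    uint64_t out_packets;

    // Fragmented traffic is frequently used in attacks, so it is counted separately
    uint64_t fragmented_in_packets;
    uint64_t fragmented_out_packets;
    uint64_t fragmented_in_bytes;
    uint64_t fragmented_out_bytes;

    // Additional data for correct attack protocol detection
    uint64_t tcp_in_packets;
    uint64_t tcp_out_packets;
    uint64_t tcp_in_bytes;
    uint64_t tcp_out_bytes;

    // Additional details about one of the most popular attack types (SYN flood)
    uint64_t tcp_syn_in_packets;
    uint64_t tcp_syn_out_packets;
    uint64_t tcp_syn_in_bytes;
    uint64_t tcp_syn_out_bytes;

    uint64_t udp_in_packets;
    uint64_t udp_out_packets;
    uint64_t udp_in_bytes;
    uint64_t udp_out_bytes;

    uint64_t icmp_in_packets;
    uint64_t icmp_out_packets;
    uint64_t icmp_in_bytes;
    uint64_t icmp_out_bytes;

    uint64_t in_flows;
    uint64_t out_flows;
};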
149 
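// Structure with attack details: the traffic counters of the attacked host (inherited from
// map_element) plus what was detected about the attack and how its ban is handled.
//
// Every scalar member is given a definite value by the constructor, including ban_timestamp,
// so a record that reaches the banlist never carries an indeterminate ban time.
class attack_details : public map_element {
    public:
    attack_details()
    // Initializers are listed in declaration order (the order the compiler executes them in).
    : attack_direction(OTHER), attack_power(0), max_attack_power(0), attack_protocol(0),
      average_in_bytes(0), average_out_bytes(0), average_in_packets(0), average_out_packets(0),
      average_in_flows(0), average_out_flows(0), ban_timestamp(0), unban_enabled(true), ban_time(0),
      customer_network(0, 0) {
    }
    direction attack_direction;
    // first attack power detected
    uint64_t attack_power;
    // max attack power
    uint64_t max_attack_power;
    unsigned int attack_protocol;

    // Average counters
    uint64_t average_in_bytes;
    uint64_t average_out_bytes;
    uint64_t average_in_packets;
    uint64_t average_out_packets;
    uint64_t average_in_flows;
    uint64_t average_out_flows;

    // time when we banned this host
    time_t ban_timestamp;
    bool unban_enabled;
    int ban_time; // seconds of the ban

    // subnet the attacked host belongs to; (0, 0) until set
    subnet_t customer_network;

    // default-constructed packet dump for the attack (see packet_storage.h)
    packet_storage_t pcap_attack_dump;
};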
185 
186 
// A banlist entry is the full attack record
typedef attack_details banlist_item;

// struct for saving per direction and per protocol details for a flow.
// Plain POD with no constructor: callers must zero it before use.
typedef struct {
    uint64_t bytes;
    uint64_t packets;
    // will be used for Garbage Collection
    time_t last_update_time;
} conntrack_key_struct;

// Flow key packed into 64 bits (the layout is decided by the code that packs it, not here)
typedef uint64_t packed_session;
// Main mega structure for storing conntracks
// We should use class instead struct for correct std::map allocation
typedef std::map<packed_session, conntrack_key_struct> contrack_map_type;
201 
// Per-host flow tables: one conntrack map per direction and per protocol class.
// Member order is part of the type's layout and is kept as-is.
class conntrack_main_struct {
    public:
    // Incoming flows
    contrack_map_type in_tcp;
    contrack_map_type in_udp;
    contrack_map_type in_icmp;
    contrack_map_type in_other;

    // Outgoing flows
    contrack_map_type out_tcp;
    contrack_map_type out_udp;
    contrack_map_type out_icmp;
    contrack_map_type out_other;
};
214 
// IPv4 address -> traffic counters, and a flat vector of counters (presumably indexed by host
// offset inside a subnet — confirm against the code that fills it)
typedef std::map<uint32_t, map_element> map_for_counters;
typedef std::vector<map_element> vector_of_counters;

// subnet -> per-host counters of that subnet
typedef std::map<subnet_t, vector_of_counters> map_of_vector_counters;

// Flow tracking structures: same shape as above, but holding conntrack tables instead of counters
typedef std::vector<conntrack_main_struct> vector_of_flow_counters;
typedef std::map<subnet_t, vector_of_flow_counters> map_of_vector_counters_for_flow;

// Per-subnet aggregate counters reuse the per-host counter type
typedef map_element subnet_counter_t;
typedef std::pair<subnet_t, subnet_counter_t> pair_of_map_for_subnet_counters_elements_t;
typedef std::map<subnet_t, subnet_counter_t> map_for_subnet_counters;
227 
// Compact description of one side of a tracked connection: the opposite IP and both ports.
// Everything is zero after default construction.
class packed_conntrack_hash {
    public:
    packed_conntrack_hash()
    : opposite_ip(0),
      src_port(0),
      dst_port(0) {
    }

    // src or dst IP, whichever is the other end of the connection
    uint32_t opposite_ip;
    uint16_t src_port;
    uint16_t dst_port;
};
237 
// All configuration of global or per-subnet ban thresholds.
//
// Defaults are "nothing enabled, every threshold zero": enable_ban is the master switch, the
// enable_ban_for_* flags select which metric triggers a ban, and the ban_threshold_* values are
// the limits (mbps, pps, flows) those checks compare against.
class ban_settings_t {
    public:
        ban_settings_t()
        // master switch
        : enable_ban(false),
          // generic triggers
          enable_ban_for_pps(false),
          enable_ban_for_bandwidth(false),
          enable_ban_for_flows_per_second(false),
          // per-protocol triggers
          enable_ban_for_tcp_pps(false),
          enable_ban_for_tcp_bandwidth(false),
          enable_ban_for_udp_pps(false),
          enable_ban_for_udp_bandwidth(false),
          enable_ban_for_icmp_pps(false),
          enable_ban_for_icmp_bandwidth(false),
          // per-protocol limits
          ban_threshold_tcp_mbps(0),
          ban_threshold_tcp_pps(0),
          ban_threshold_udp_mbps(0),
          ban_threshold_udp_pps(0),
          ban_threshold_icmp_mbps(0),
          ban_threshold_icmp_pps(0),
          // generic limits
          ban_threshold_mbps(0),
          ban_threshold_flows(0),
          ban_threshold_pps(0) {
        }

        bool enable_ban;

        bool enable_ban_for_pps;
        bool enable_ban_for_bandwidth;
        bool enable_ban_for_flows_per_second;

        bool enable_ban_for_tcp_pps;
        bool enable_ban_for_tcp_bandwidth;

        bool enable_ban_for_udp_pps;
        bool enable_ban_for_udp_bandwidth;

        bool enable_ban_for_icmp_pps;
        bool enable_ban_for_icmp_bandwidth;

        unsigned int ban_threshold_tcp_mbps;
        unsigned int ban_threshold_tcp_pps;

        unsigned int ban_threshold_udp_mbps;
        unsigned int ban_threshold_udp_pps;

        unsigned int ban_threshold_icmp_mbps;
        unsigned int ban_threshold_icmp_pps;

        unsigned int ban_threshold_mbps;
        unsigned int ban_threshold_flows;
        unsigned int ban_threshold_pps;
};
280 
281 
// host group name -> the ban thresholds that apply to that group
typedef std::map<std::string, ban_settings_t> host_group_ban_settings_map_t;

// data structure for storing (IPv4 address, counters) pairs in a vector
typedef std::pair<uint32_t, map_element> pair_of_map_elements;
286 
287 #endif
288