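#ifndef FASTNETMON_TYPES_H
#define FASTNETMON_TYPES_H

#include <utility> // std::pair
#include <stdint.h> // uint32_t
#include <sys/time.h> // struct timeval
#include <netinet/in.h> // struct in6_addr

#include <string>
#include <map>
#include <vector>

#include "packet_storage.h"

// Traffic direction of a packet or an attack relative to the monitored networks.
enum direction { INCOMING = 0, OUTGOING, INTERNAL, OTHER };

// Simplified packet struct for lightweight save into memory.
class simple_packet {
public:
    // Every member gets a defined value here, including the IPv6 addresses
    // and the timestamp. A parser that fills only the IPv4 (or only the
    // IPv6) fields must not leave the other family's address holding
    // whatever was on the stack: those bytes can end up in counters, logs
    // or pcap dumps. Initializers are listed in declaration order.
    simple_packet()
    : sample_ratio(1), src_ip(0), dst_ip(0), src_ipv6(), dst_ipv6(), ip_protocol_version(4), ttl(0),
      source_port(0), destination_port(0), protocol(0), length(0), number_of_packets(1), flags(0),
      ip_fragmented(false), ts(), packet_payload_pointer(NULL), packet_payload_length(0),
      packet_direction(OTHER) {
    }

    // Sampling ratio of the capture source; 1 means every packet was seen.
    uint32_t sample_ratio;
    /* IPv4 */
    uint32_t src_ip;
    uint32_t dst_ip;
    /* IPv6 */
    struct in6_addr src_ipv6;
    struct in6_addr dst_ipv6;
    uint8_t ip_protocol_version; /* IPv4 or IPv6 */
    uint8_t ttl;
    uint16_t source_port;
    uint16_t destination_port;
    unsigned int protocol;
    uint64_t length;
    uint64_t number_of_packets; /* for netflow */
    uint8_t flags; /* tcp flags */
    bool ip_fragmented; /* If IP packet fragmented */
    struct timeval ts;
    // Non-owning pointer into the capture buffer; nothing in this header
    // manages its lifetime, so it is only valid while the source buffer is.
    void* packet_payload_pointer;
    // Length of the bytes behind packet_payload_pointer. It is a signed int,
    // so consumers that copy or parse the payload should reject negative
    // values and bound their reads by it, never by the wire length above.
    int packet_payload_length;
    // We store packet direction here because direction calculation is very difficult task for cpu
    direction packet_direction;
};

// Where log output goes: local files, the local syslog daemon and/or a remote syslog server.
class logging_configuration_t {
public:
    // Defaults: file logging on, both syslog sinks off, no remote port.
    logging_configuration_t()
    : filesystem_logging(true), local_syslog_logging(false), remote_syslog_logging(false),
      remote_syslog_port(0) {
    }

    bool filesystem_logging;
    std::string filesystem_logging_path;

    bool local_syslog_logging;

    bool remote_syslog_logging;
    std::string remote_syslog_server;
    // Wider than a TCP/UDP port; the code that reads the config should check
    // it fits in 16 bits before use.
    unsigned int remote_syslog_port;
};

// A subnet as two 32-bit values. NOTE(review): presumably (network address,
// prefix length or mask) -- confirm against the code that builds them.
typedef std::pair<uint32_t, uint32_t> subnet_t;
typedef std::vector<subnet_t> subnet_vector_t;

typedef std::map<subnet_t, std::string> subnet_to_host_group_map_t;
typedef std::map<std::string, subnet_vector_t> host_group_map_t;

// Callback invoked for each parsed packet.
typedef void (*process_packet_pointer)(simple_packet&);

// Enum with available sort by field
enum sort_type { PACKETS, BYTES, FLOWS };

// Attack types
enum attack_type_t {
    ATTACK_UNKNOWN = 1,
    ATTACK_SYN_FLOOD = 2,
    ATTACK_ICMP_FLOOD = 3,
    ATTACK_UDP_FLOOD = 4,
    ATTACK_IP_FRAGMENTATION_FLOOD = 5,
};

// Amplification types
enum amplification_attack_type_t {
    AMPLIFICATION_ATTACK_UNKNOWN = 1,
    AMPLIFICATION_ATTACK_DNS = 2,
    AMPLIFICATION_ATTACK_NTP = 3,
    AMPLIFICATION_ATTACK_SSDP = 4,
    AMPLIFICATION_ATTACK_SNMP = 5,
    AMPLIFICATION_ATTACK_CHARGEN = 6,
};

// Aggregate totals; plain aggregate, so callers must zero it themselves.
typedef struct {
    uint64_t bytes;
    uint64_t packets;
    uint64_t flows;
} total_counter_element;


// Main data structure for storing traffic and speed data for all our IPs.
// All counters start at zero; initializers follow declaration order.
class map_element {
public:
    map_element()
    : in_bytes(0), out_bytes(0), in_packets(0), out_packets(0),
      fragmented_in_packets(0), fragmented_out_packets(0), fragmented_in_bytes(0), fragmented_out_bytes(0),
      tcp_in_packets(0), tcp_out_packets(0), tcp_in_bytes(0), tcp_out_bytes(0),
      tcp_syn_in_packets(0), tcp_syn_out_packets(0), tcp_syn_in_bytes(0), tcp_syn_out_bytes(0),
      udp_in_packets(0), udp_out_packets(0), udp_in_bytes(0), udp_out_bytes(0),
      icmp_in_packets(0), icmp_out_packets(0), icmp_in_bytes(0), icmp_out_bytes(0),
      in_flows(0), out_flows(0) {
    }

    uint64_t in_bytes;
    uint64_t out_bytes;
    uint64_t in_packets;
    uint64_t out_packets;

    // Fragmented traffic is tracked separately because it is commonly used in attacks
    uint64_t fragmented_in_packets;
    uint64_t fragmented_out_packets;
    uint64_t fragmented_in_bytes;
    uint64_t fragmented_out_bytes;

    // Additional data for correct attack protocol detection
    uint64_t tcp_in_packets;
    uint64_t tcp_out_packets;
    uint64_t tcp_in_bytes;
    uint64_t tcp_out_bytes;

    // Additional details about one of the most popular attack types (SYN flood)
    uint64_t tcp_syn_in_packets;
    uint64_t tcp_syn_out_packets;
    uint64_t tcp_syn_in_bytes;
    uint64_t tcp_syn_out_bytes;

    uint64_t udp_in_packets;
    uint64_t udp_out_packets;
    uint64_t udp_in_bytes;
    uint64_t udp_out_bytes;

    uint64_t icmp_in_packets;
    uint64_t icmp_out_packets;
    uint64_t icmp_in_bytes;
    uint64_t icmp_out_bytes;

    uint64_t in_flows;
    uint64_t out_flows;
};

// Structure with attack details. Extends the per-host counters with the
// data needed to describe, ban and later unban the attacked host.
class attack_details : public map_element {
public:
    // ban_timestamp was previously left uninitialized; any unban logic that
    // compares "now - ban_timestamp" against ban_time would then read stack
    // garbage and could either release a ban immediately or never release it.
    // It now starts at 0 like every other field. Initializers follow
    // declaration order.
    attack_details()
    : attack_direction(OTHER), attack_power(0), max_attack_power(0), attack_protocol(0),
      average_in_bytes(0), average_out_bytes(0), average_in_packets(0), average_out_packets(0),
      average_in_flows(0), average_out_flows(0), ban_timestamp(0), unban_enabled(true), ban_time(0),
      customer_network(0, 0) {
    }

    direction attack_direction;
    // first attack power detected
    uint64_t attack_power;
    // max attack power
    uint64_t max_attack_power;
    unsigned int attack_protocol;

    // Average counters
    uint64_t average_in_bytes;
    uint64_t average_out_bytes;
    uint64_t average_in_packets;
    uint64_t average_out_packets;
    uint64_t average_in_flows;
    uint64_t average_out_flows;

    // time when we banned this host (0 until a ban is recorded)
    time_t ban_timestamp;
    bool unban_enabled;
    int ban_time; // seconds of the ban

    subnet_t customer_network;

    packet_storage_t pcap_attack_dump;
};


typedef attack_details banlist_item;

// Struct for saving per-direction and per-protocol details for a flow.
// Plain aggregate: std::map value-initializes it to zero on insertion,
// callers constructing one by hand must zero it themselves.
typedef struct {
    uint64_t bytes;
    uint64_t packets;
    // will be used for Garbage Collection
    time_t last_update_time;
} conntrack_key_struct;

// NOTE(review): presumably the bit-packed form of packed_conntrack_hash
// (32-bit IP + two 16-bit ports = 64 bits) -- confirm against the packing code.
typedef uint64_t packed_session;
// Main mega structure for storing conntracks
// We should use class instead struct for correct std::map allocation
typedef std::map<packed_session, conntrack_key_struct> contrack_map_type;

// Per-direction, per-protocol flow tables for one host.
class conntrack_main_struct {
public:
    contrack_map_type in_tcp;
    contrack_map_type in_udp;
    contrack_map_type in_icmp;
    contrack_map_type in_other;

    contrack_map_type out_tcp;
    contrack_map_type out_udp;
    contrack_map_type out_icmp;
    contrack_map_type out_other;
};

typedef std::map<uint32_t, map_element> map_for_counters;
typedef std::vector<map_element> vector_of_counters;

typedef std::map<subnet_t, vector_of_counters> map_of_vector_counters;

// Flow tracking structures
typedef std::vector<conntrack_main_struct> vector_of_flow_counters;
typedef std::map<subnet_t, vector_of_flow_counters> map_of_vector_counters_for_flow;

typedef map_element subnet_counter_t;
typedef std::pair<subnet_t, subnet_counter_t> pair_of_map_for_subnet_counters_elements_t;
typedef std::map<subnet_t, subnet_counter_t> map_for_subnet_counters;

// Unpacked flow key: the peer IP plus both ports.
class packed_conntrack_hash {
public:
    packed_conntrack_hash() : opposite_ip(0), src_port(0), dst_port(0) {
    }

    // src or dst IP
    uint32_t opposite_ip;
    uint16_t src_port;
    uint16_t dst_port;
};

// This class consists of all configuration of global or per subnet ban thresholds.
// Everything is off and every threshold is 0 until the config loader sets it,
// so a missing config section cannot silently enable banning.
class ban_settings_t {
public:
    ban_settings_t()
    : enable_ban(false),
      enable_ban_for_pps(false), enable_ban_for_bandwidth(false), enable_ban_for_flows_per_second(false),
      enable_ban_for_tcp_pps(false), enable_ban_for_tcp_bandwidth(false),
      enable_ban_for_udp_pps(false), enable_ban_for_udp_bandwidth(false),
      enable_ban_for_icmp_pps(false), enable_ban_for_icmp_bandwidth(false),
      ban_threshold_tcp_mbps(0), ban_threshold_tcp_pps(0),
      ban_threshold_udp_mbps(0), ban_threshold_udp_pps(0),
      ban_threshold_icmp_mbps(0), ban_threshold_icmp_pps(0),
      ban_threshold_mbps(0), ban_threshold_flows(0), ban_threshold_pps(0) {
    }

    bool enable_ban;

    bool enable_ban_for_pps;
    bool enable_ban_for_bandwidth;
    bool enable_ban_for_flows_per_second;

    bool enable_ban_for_tcp_pps;
    bool enable_ban_for_tcp_bandwidth;

    bool enable_ban_for_udp_pps;
    bool enable_ban_for_udp_bandwidth;

    bool enable_ban_for_icmp_pps;
    bool enable_ban_for_icmp_bandwidth;

    unsigned int ban_threshold_tcp_mbps;
    unsigned int ban_threshold_tcp_pps;

    unsigned int ban_threshold_udp_mbps;
    unsigned int ban_threshold_udp_pps;

    unsigned int ban_threshold_icmp_mbps;
    unsigned int ban_threshold_icmp_pps;

    unsigned int ban_threshold_mbps;
    unsigned int ban_threshold_flows;
    unsigned int ban_threshold_pps;
};


typedef std::map<std::string, ban_settings_t> host_group_ban_settings_map_t;

// data structure for storing data in Vector
typedef std::pair<uint32_t, map_element> pair_of_map_elements;

#endif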