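/****************************************************************************
 *
 * Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
 * Copyright (C) 2004-2013 Sourcefire, Inc.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License Version 2 as
 * published by the Free Software Foundation.  You may not use, modify or
 * distribute this program under any other version of the GNU General
 * Public License.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 *
 ****************************************************************************/

/*
 * portscan.h -- public interface of the portscan detector: the parsed
 * configuration, the per-host tracker state, the packet wrapper handed
 * to ps_detect(), and the protocol / scan-type / sensitivity / alert
 * constants shared with the preprocessor glue.
 *
 * Only declarations live here; all behaviour is in portscan.c, which is
 * outside this header and is where the comments below marked
 * "confirm" should be verified.
 */

#ifndef __PORTSCAN_H__
#define __PORTSCAN_H__

#ifdef HAVE_CONFIG_H
#include "config.h"
#endif

#include <time.h>
#ifndef WIN32
#include <sys/time.h>
#endif /* !WIN32 */

#include "ipobj.h"       /* IPSET -- presumably declared here, confirm */

#include "ipv6_port.h"   /* sfaddr_t -- presumably declared here, confirm */
#include "sfPolicy.h"    /* tSfPolicyId; also expected to bring `bool` into scope for
                          * ps_reload_adjust() below -- this header does not include
                          * <stdbool.h> itself, confirm */

/*
 * File-scope forward declaration of the tag used by ps_init() and
 * ps_get_protocols().  Without it, a translation unit that includes this
 * header before the definition of struct _SnortConfig would give the tag
 * prototype scope in those two prototypes, and the later file-scope
 * definition would be an incompatible type.  Harmless when the struct is
 * already declared.
 */
struct _SnortConfig;

/* Capacity of PS_PROTO.open_ports; PS_PROTO.open_ports_cnt is bounded by it. */
#define PS_OPEN_PORTS 8

/*
 * Detector configuration.  The IPSET members are pointers to sets owned
 * elsewhere; this header does not say who allocates or frees them
 * (presumably the parser / ps_cleanup(); confirm in portscan.c).
 */
typedef struct _PortscanConfig
{
    int disabled;
    unsigned long memcap;          /* memory cap; same type as the memcap arguments of
                                    * ps_init(), ps_init_hash() and ps_reload_adjust() */
    int detect_scans;              /* PS_PROTO_* bit mask, presumably -- confirm */
    int detect_scan_type;          /* PS_TYPE_* bit mask, presumably -- confirm */
    int sense_level;               /* one of PS_SENSE_HIGH/MEDIUM/LOW, presumably -- confirm */
    int proto_cnt;
    int include_midstream;
    int print_tracker;
    char *logfile;
    IPSET *ignore_scanners;
    IPSET *ignore_scanned;
    IPSET *watch_ip;

} PortscanConfig;

/*
 * Per-protocol scan statistics kept for one tracked host.  The short
 * counters can wrap on a busy host; the detector, not this header,
 * decides how they are clamped.
 */
typedef struct s_PS_PROTO
{
    short connection_count;
    short priority_count;
    short u_ip_count;
    short u_port_count;

    unsigned short high_p;         /* port range seen, presumably -- confirm */
    unsigned short low_p;
    unsigned short u_ports;

    sfaddr_t high_ip;              /* address range seen, presumably -- confirm */
    sfaddr_t low_ip;
    sfaddr_t u_ips;

    unsigned short open_ports[PS_OPEN_PORTS];
    unsigned char open_ports_cnt;  /* number of valid entries in open_ports; a writer must
                                    * check it against PS_OPEN_PORTS before appending */

    struct timeval event_time;
    unsigned int event_ref;

    unsigned char alerts;          /* holds a PS_ALERT_* value; all of them, including
                                    * PS_ALERT_GENERATED (255), fit in an unsigned char */

    time_t window;

} PS_PROTO;

/* One tracked host (scanner or scanned side) with its protocol statistics. */
typedef struct s_PS_TRACKER
{
    int priority_node;
    int protocol;
    PS_PROTO proto;

} PS_TRACKER;

/*
 * Wrapper passed to ps_detect().  `pkt` is opaque here (presumably the
 * decoded Packet; confirm in portscan.c).  `scanner` / `scanned` are
 * filled in by the detector and may be NULL on return -- callers should
 * check before dereferencing.
 */
typedef struct s_PS_PKT
{
    void *pkt;
    int proto;                     /* PS_PROTO_* value for this packet, presumably -- confirm */
    int reverse_pkt;
    PS_TRACKER *scanner;
    PS_TRACKER *scanned;

} PS_PKT;

/* Protocol bit flags; PS_PROTO_ALL is the OR of the four concrete ones. */
#define PS_PROTO_NONE        0x00
#define PS_PROTO_TCP         0x01
#define PS_PROTO_UDP         0x02
#define PS_PROTO_ICMP        0x04
#define PS_PROTO_IP          0x08
#define PS_PROTO_ALL         0x0f

/* Deliberately outside the PS_PROTO_ALL mask (0x0f) so it can be OR'd in as a separate flag. */
#define PS_PROTO_OPEN_PORT   0x80

/* Scan-type bit flags; PS_TYPE_ALL is the OR of the four concrete ones. */
#define PS_TYPE_PORTSCAN     0x01
#define PS_TYPE_PORTSWEEP    0x02
#define PS_TYPE_DECOYSCAN    0x04
#define PS_TYPE_DISTPORTSCAN 0x08
#define PS_TYPE_ALL          0x0f

/* Sensitivity levels (not a bit mask: 1, 2, 3). */
#define PS_SENSE_HIGH        1
#define PS_SENSE_MEDIUM      2
#define PS_SENSE_LOW         3

/* Alert identifiers stored in PS_PROTO.alerts (not a bit mask). */
#define PS_ALERT_ONE_TO_ONE                1
#define PS_ALERT_ONE_TO_ONE_DECOY          2
#define PS_ALERT_PORTSWEEP                 3
#define PS_ALERT_DISTRIBUTED               4
#define PS_ALERT_ONE_TO_ONE_FILTERED       5
#define PS_ALERT_ONE_TO_ONE_DECOY_FILTERED 6
#define PS_ALERT_DISTRIBUTED_FILTERED      7
#define PS_ALERT_PORTSWEEP_FILTERED        8
#define PS_ALERT_OPEN_PORT                 9

/* Marker value distinct from every PS_ALERT_* identifier above. */
#define PS_ALERT_GENERATED                 255

/*
 * Initialise the detector for one policy.  The three int and three IPSET
 * arguments are unnamed here; by type and order they appear to mirror
 * PortscanConfig's detect_scans / detect_scan_type / sense_level and
 * ignore_scanners / ignore_scanned / watch_ip, with the final unsigned
 * long being the memcap -- confirm against the definition in portscan.c.
 * Return value: int; 0 presumably means success, confirm.
 */
int ps_init(struct _SnortConfig *, PortscanConfig *, int, int, int, IPSET *, IPSET *, IPSET *, unsigned long);
void ps_cleanup(void);
void ps_reset(void);

/* Run detection on one wrapped packet; returns int (meaning defined in portscan.c). */
int ps_detect(PS_PKT *p);
void ps_tracker_print(PS_TRACKER *tracker);

int ps_get_protocols(struct _SnortConfig *sc, tSfPolicyId policyId);
void ps_init_hash(unsigned long);
#ifdef SNORT_RELOAD
bool ps_reload_adjust(unsigned long memcap, unsigned max_work);
/* (void) rather than (): an empty parameter list is a non-prototype
 * declaration in C11 and does not check the call site's arguments. */
unsigned int ps_hash_overhead_bytes(void);
#endif

#endif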