1 //-------------------------------------------------------------------------- 2 // Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved. 3 // Copyright (C) 2004-2013 Sourcefire, Inc. 4 // 5 // This program is free software; you can redistribute it and/or modify it 6 // under the terms of the GNU General Public License Version 2 as published 7 // by the Free Software Foundation. You may not use, modify or distribute 8 // this program under any other version of the GNU General Public License. 9 // 10 // This program is distributed in the hope that it will be useful, but 11 // WITHOUT ANY WARRANTY; without even the implied warranty of 12 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 13 // General Public License for more details. 14 // 15 // You should have received a copy of the GNU General Public License along 16 // with this program; if not, write to the Free Software Foundation, Inc., 17 // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 
//--------------------------------------------------------------------------

#ifndef PS_DETECT_H
#define PS_DETECT_H

// Portscan detector: shared configuration, per-tracker state and the
// entry points whose definitions live in the matching .cc file, not here.

#include <sys/time.h>   // POSIX; time_t itself comes from <ctime> below

#include <ctime>

#include "sfip/sf_ip.h"
#include "ipobj.h"

namespace snort
{
struct Packet;
}

// Capacity of PS_PROTO::open_ports. Anything that appends to that array
// must check open_ports_cnt against this value first.
#define PS_OPEN_PORTS 8

// Protocol selectors. The four concrete protocols are independent bits and
// PS_PROTO_ALL is their OR, so several can be combined in one int.
#define PS_PROTO_NONE 0x00
#define PS_PROTO_TCP 0x01
#define PS_PROTO_UDP 0x02
#define PS_PROTO_ICMP 0x04
#define PS_PROTO_IP 0x08
#define PS_PROTO_ALL 0x0f

// Separate high bit; does not overlap any PS_PROTO_* protocol bit above.
#define PS_PROTO_OPEN_PORT 0x80

// Scan-type selectors, same bit-flag scheme (PS_TYPE_ALL is the OR of four).
#define PS_TYPE_PORTSCAN 0x01
#define PS_TYPE_PORTSWEEP 0x02
#define PS_TYPE_DECOYSCAN 0x04
#define PS_TYPE_DISTPORTSCAN 0x08
#define PS_TYPE_ALL 0x0f

// Sensitivity levels, ordered LOW < MEDIUM < HIGH.
#define PS_SENSE_HIGH 3
#define PS_SENSE_MEDIUM 2
#define PS_SENSE_LOW 1

// Alert identifiers 1..8. By name, each *_FILTERED id pairs with the
// unfiltered id of the same scan kind.
#define PS_ALERT_ONE_TO_ONE 1
#define PS_ALERT_ONE_TO_ONE_DECOY 2
#define PS_ALERT_PORTSWEEP 3
#define PS_ALERT_DISTRIBUTED 4
#define PS_ALERT_ONE_TO_ONE_FILTERED 5
#define PS_ALERT_ONE_TO_ONE_DECOY_FILTERED 6
#define PS_ALERT_DISTRIBUTED_FILTERED 7
#define PS_ALERT_PORTSWEEP_FILTERED 8

// Sentinel distinct from every PS_ALERT_* identifier above.
#define PS_ALERT_GENERATED 255

//-------------------------------------------------------------------------

// Threshold tuple for one (protocol, scan type) combination. The four
// fields carry the same names as the counters in PS_PROTO; presumably an
// alert fires when a tracker's counters reach these values -- confirm in
// the detector implementation.
struct PS_ALERT_CONF
{
    short connection_count;
    short priority_count;
    short u_ip_count;
    short u_port_count;
};

// Module-wide detector settings. A constructor and destructor are declared
// (defined elsewhere) but no copy or move operations are, so the implicitly
// generated copies would alias the three IPSET* members; treat instances as
// non-copyable unless the .cc shows otherwise.
struct PortscanConfig
{
    size_t memcap;   // memory budget; presumably what ps_init_hash/ps_prune_hash enforce -- confirm

    int detect_scans;       // presumably a PS_PROTO_* mask -- confirm
    int detect_scan_type;   // presumably a PS_TYPE_* mask -- confirm
    int proto_cnt;
    int include_midstream;
    int print_tracker;

    bool alert_all;
    bool logfile;

    // Per-protocol detection windows. Units are not stated in this header
    // (PS_PROTO::window is a time_t).
    unsigned tcp_window;
    unsigned udp_window;
    unsigned ip_window;
    unsigned icmp_window;

    // Raw pointers; ownership is not expressed by the type. The declared
    // destructor suggests this struct releases them -- confirm in the .cc.
    // By name: hosts excluded from, or restricted to, detection.
    IPSET* ignore_scanners;
    IPSET* ignore_scanned;
    IPSET* watch_ip;

    // Thresholds, one PS_ALERT_CONF per protocol and scan type.
    PS_ALERT_CONF tcp_ports;
    PS_ALERT_CONF tcp_decoy;
    PS_ALERT_CONF tcp_sweep;
    PS_ALERT_CONF tcp_dist;

    PS_ALERT_CONF udp_ports;
    PS_ALERT_CONF udp_decoy;
    PS_ALERT_CONF udp_sweep;
    PS_ALERT_CONF udp_dist;

    PS_ALERT_CONF ip_proto;
    PS_ALERT_CONF ip_decoy;
    PS_ALERT_CONF ip_sweep;
    PS_ALERT_CONF ip_dist;

    PS_ALERT_CONF icmp_sweep;

    PortscanConfig();
    ~PortscanConfig();
};

// Per-tracker counters for one protocol (see PS_TRACKER::protocol).
struct PS_PROTO
{
    // Counters with the same names as the PS_ALERT_CONF thresholds
    // (int here, short there).
    int connection_count;
    int priority_count;
    int u_ip_count;
    int u_port_count;

    // Highest/lowest port seen; u_ports is presumably the last unique port,
    // paired with u_port_count -- confirm.
    unsigned short high_p;
    unsigned short low_p;
    unsigned short u_ports;

    // Highest/lowest address seen; u_ips is presumably the last unique
    // address, paired with u_ip_count -- confirm.
    snort::SfIp high_ip;
    snort::SfIp low_ip;
    snort::SfIp u_ips;

    // Fixed-capacity list of open ports: only the first open_ports_cnt
    // entries are meaningful, and open_ports_cnt must never exceed
    // PS_OPEN_PORTS (no bounds are enforced by the type itself).
    unsigned short open_ports[PS_OPEN_PORTS];
    unsigned char open_ports_cnt;

    unsigned char alerts;   // alert bookkeeping for this tracker; encoding defined in the .cc

    time_t window;          // presumably the boundary of the current window -- confirm
};

// Tracker node: protocol selector plus its counters.
struct PS_TRACKER
{
    int priority_node;
    int protocol;   // presumably a PS_PROTO_* value -- confirm
    PS_PROTO proto;
};

// Per-packet work item handed to ps_detect(). No destructor is declared, so
// none of the pointers are owned here. The single-argument constructor is
// not explicit, so a snort::Packet* converts to PS_PKT implicitly.
struct PS_PKT
{
    snort::Packet* pkt;      // packet under inspection

    PS_TRACKER* scanner;     // tracker for the source side, by name -- confirm
    PS_TRACKER* scanned;     // tracker for the destination side, by name -- confirm

    int proto;               // presumably the PS_PROTO_* of this packet -- confirm
    int reverse_pkt;         // by name, non-zero when the flow direction is reversed -- confirm

    PS_PKT(snort::Packet*);  // defined in the .cc
};

// Tracker-table lifecycle; all definitions are in the .cc.
void ps_cleanup();
void ps_reset();

unsigned ps_node_size();              // size of one tracker node, presumably for memcap accounting -- confirm
bool ps_init_hash(unsigned long);     // returns false on failure; argument is presumably the memcap -- confirm
bool ps_prune_hash(unsigned);         // returns false when nothing could be pruned (presumably) -- confirm
int ps_detect(PS_PKT*);               // run detection on one packet; return-value meaning is defined in the .cc

#endif