1 /* Copyright (C) 2000-2016 Boris Wesslowski */
2 /* $Id: main.h 742 2016-02-19 14:57:49Z bw $ */
3 
/* Include guard.  NOTE(review): identifiers beginning with an underscore and
   an uppercase letter are reserved for the implementation (C11 7.1.3); a
   guard such as FWLOGWATCH_MAIN_H would avoid any possible clash. */
#ifndef _MAIN_H
#define _MAIN_H

/* Package identity: name, version string and copyright holder as reported
   by the program. */
#define PACKAGE "fwlogwatch"
#define VERSION "1.5 2016-02-19"
#define COPYRIGHT "Boris Wesslowski"
10 
11 /* Paths */
12 
/* Installation prefixes.  Each #ifndef only supplies a default: defining the
   macro before this header is included (typically from the build) overrides
   it.  INSTALL_DIR and CONF_DIR are pasted into the script and rc-file paths
   further down, LOCALE_DIR into LOCALEDIR. */
#ifndef INSTALL_DIR
#define INSTALL_DIR "/usr/local"
#endif
#ifndef CONF_DIR
#define CONF_DIR "/etc"
#endif
#ifndef LOCALE_DIR
#define LOCALE_DIR "/usr"
#endif
22 
23 /* i18n */
24 
/* Message translation: _(s) expands to gettext(s) when built with gettext
   support and to the plain string otherwise, so user-visible literals can
   be wrapped unconditionally.  LOCALEDIR only exists in the gettext build. */
#ifdef HAVE_GETTEXT
#include <libintl.h>
#define _(String) gettext(String)
#define LOCALEDIR LOCALE_DIR "/share/locale"
#else
#define _(String) String
#endif
32 
33 /* Data sizes */
34 
/* Sizes (in bytes, including the terminating NUL) of the fixed-size char
   arrays used in the structures below.  The *_S variants are the same
   numbers as string literals; they look intended for pasting into
   scanf()-style width specifiers at compile time -- confirm against the
   callers.
   NOTE(review): HOSTLEN_M1_S is HOSTLEN-1, which is the right width for a
   HOSTLEN-byte buffer (a %Ns conversion stores N characters plus the NUL),
   whereas BUFSIZE_S, SHOSTLEN_S and SHORTLEN_S equal the full buffer size.
   Any width built from those three must target a buffer one byte larger
   than the corresponding *LEN, so verify each use in the parsers. */
#define BUFSIZE 1024
#define BUFSIZE_S "1024"
#define FILESIZE 256		/* file names and paths */
#define TIMESIZE 64		/* formatted time strings */
#define HOSTLEN 256		/* host name buffers */
#define HOSTLEN_M1_S "255"
#define SHOSTLEN 32		/* short host name (log_line.hostname, options.hostname) */
#define SHOSTLEN_S "32"
#define IPLEN 16		/* "255.255.255.255" + NUL */
#define IP6LEN 40		/* 39-char hex IPv6 form + NUL.  NOTE(review): the
				   IPv4-mapped text form needs up to 45 chars, and
				   options.ntop below is sized INET6_ADDRSTRLEN (46);
				   check that copies into the IP6LEN-sized
				   options.listenif/listento are bounded. */
#define EMAILSIZE 80		/* options.sender/recipient/cc */
#define COLORSIZE 8		/* "#RRGGBB" + NUL */
#define MAXSORTSIZE 24		/* options.sort_order */
#define USERSIZE 16		/* options.run_as and options.user */
#define PASSWORDSIZE 76		/* options.password; presumably a crypt(3) hash
				   string, cf. DEFAULT_PASSWORD -- confirm */
#define WHOISCMDLEN 64
#define WHOISDESCLEN 64
#define WHOISROUTELEN 20
#define TITLESIZE 64		/* options.title */
#define CSSSIZE 64		/* options.stylesheet */

/* Length of the chain/branch/interface name fields.  Building with
   SHORT_NAMES selects the compact variant; the *_S string form must be
   kept in sync with SHORTLEN in both branches. */
#ifndef SHORT_NAMES
#define SHORTLEN 128
#define SHORTLEN_S "128"
#else
#define SHORTLEN 10
#define SHORTLEN_S "10"
#endif
63 
64 /* Files */
65 
/* Default input log (the syslog messages file, whose location differs on
   Solaris) and the configuration file, rooted at CONF_DIR. */
#ifndef SOLARIS
#define INFILE "/var/log/messages"
#else
#define INFILE "/var/adm/messages"
#endif
#define RCFILE CONF_DIR "/fwlogwatch.config"
72 
73 /* Includes */
74 
75 #ifdef HAVE_ZLIB
76 #include <zlib.h>
77 #endif
78 
79 #ifdef HAVE_GEOIP
80 #include <GeoIP.h>
81 #endif
82 
/* Whether a file being opened is required to exist.  Names only; the
   consumers live in the .c files. */
enum {
  MAY_NOT_EXIST,
  MUST_EXIST
};

/* Plain 0/1 boolean values, used for the unsigned char switches in
   struct options. */
enum {
  NO,
  YES
};

/* Treatment of a '#' in the input -- inferred from the names, confirm in
   the reader: either ignored or taken as the end of the input. */
enum {
  HASH_IGNORE,
  HASH_ENDS_INPUT
};

/* Modes */

/* The three program operating modes; presumably stored in options.mode. */
enum {
  LOG_SUMMARY,
  REALTIME_RESPONSE,
  SHOW_LOG_TIMES
};
105 
106 /* Parser */
107 
/* Log format parsers.  Powers of two, so presumably OR-ed into the
   unsigned int options.parser as a selection mask.  Note the gap: 32 is
   not assigned between PARSER_CISCO_PIX and PARSER_SNORT. */
#define PARSER_IPCHAINS 1
#define PARSER_NETFILTER 2
#define PARSER_CISCO_IOS 4
#define PARSER_IPFILTER 8
#define PARSER_CISCO_PIX 16
#define PARSER_SNORT 64
#define PARSER_NETSCREEN 128
#define PARSER_LANCOM 256
#define PARSER_IPFW 512

/* Result of parsing one input line. */
enum {
  PARSE_OK,
  PARSE_ERROR,
  PARSE_NO_HIT,
  PARSE_WRONG_FORMAT,
  PARSE_TOO_OLD,
  PARSE_EXCLUDED
};

/* Result of converting an address string. */
enum {
  IN_ADDR_OK,
  IN_ADDR_ERROR
};

/* The two rc-file kinds; they correspond to options.rcfile and
   options.rcfile_dns. */
enum {
  RCFILE_CF,
  RCFILE_DNS
};
136 
137 /* TCP flags */
138 
/* TCP flag bits.  Six bits, so they fit the unsigned char `flags` member of
   struct log_line / struct conn_data (presumably where they are stored). */
#define TCP_SYN 1
#define TCP_ACK 2
#define TCP_FIN 4
#define TCP_RST 8
#define TCP_PSH 16
#define TCP_URG 32
145 
146 /* ipchains support */
147 
/* ipchains parser: bit flags, presumably recording which parts of a line
   have been recognised -- confirm in the parser. */
#define IPCHAINS_DATE 1
#define IPCHAINS_DATA 2
#define IPCHAINS_IPS 4
151 
152 /* netfilter support */
153 
/* netfilter parser: bit flags, one per log field, presumably recording
   which fields of a line have been recognised -- confirm in the parser. */
#define NF_DATE 1
#define NF_IN 2
#define NF_SRC 4
#define NF_DST 8
#define NF_PROTO 16
#define NF_SPT 32
#define NF_DPT 64
#define NF_TYPE 128
#define NF_CODE 256

/* netfilter parser states / sub-formats (prefix and kernel-time variants,
   IPv4 and IPv6 addresses). */
enum {
  NF_OPT_NOPREFIX,
  NF_OPT_PREFIX,
  NF_OPT_PREFIX_KTIME,
  NF_OPT_SRC,
  NF_OPT_DST,
  NF_OPT_SRC6,
  NF_OPT_DST6
};
173 
174 /* cisco ios support */
175 
/* Cisco IOS parser: bit flags for the recognised fields (same scheme as the
   other parsers). */
#define CISCO_IOS_DATE 1
#define CISCO_IOS_SRC 2
#define CISCO_IOS_DST 4
#define CISCO_IOS_PROTO 8
#define CISCO_IOS_COUNT 16

/* Cisco IOS parser states. */
enum {
  CI_OPT_NONE,
  CI_OPT_HOST,
  CI_OPT_MSEC,
  CI_OPT_PORT,
  CI_OPT_MISSING,
  CI_OPT_TYPE
};
190 
191 /* cisco pix support */
192 
/* Cisco PIX parser: bit flags for the recognised fields; CISCO_PIX_NO_HIT
   marks a line that matched the format but carries no hit. */
#define CISCO_PIX_DATE 1
#define CISCO_PIX_SRC 2
#define CISCO_PIX_DST 4
#define CISCO_PIX_NO_HIT 8

/* Cisco PIX parser states, one per protocol / message variant
   (the _S/_N/_2 suffixes distinguish message sub-formats). */
enum {
  CP_OPT_NONE,
  CP_OPT_HOST,
  CP_OPT_TCP,
  CP_OPT_TCP_S,
  CP_OPT_TCP_S2,
  CP_OPT_TCP_N,
  CP_OPT_TCP_N2,
  CP_OPT_UDP,
  CP_OPT_UDP_S,
  CP_OPT_UDP_S2,
  CP_OPT_UDP_N,
  CP_OPT_UDP_N2,
  CP_OPT_UDP_NOPORT,
  CP_OPT_ICMP,
  CP_OPT_ICMP_S,
  CP_OPT_ICMP_S2,
  CP_OPT_ICMP_N2,
  CP_OPT_DST,
  CP_OPT_DST_S,
  CP_OPT_DST_S2,
  CP_OPT_DST_N,
  CP_OPT_DST_N2,
  CP_OPT_DST_I
};
223 
224 /* ipfilter support */
225 
/* ipfilter parser: bit flags for the recognised fields. */
#define IPF_DATE 1
#define IPF_DATA 2
#define IPF_PROTO 4
#define IPF_SRC_IP 8
#define IPF_DST_IP 16
#define IPF_SRC_PORT 32
#define IPF_DST_PORT 64
#define IPF_NO_HIT 128

/* ipfilter parser states.  Unlike the other parsers these are bit values
   rather than an enum, starting at 1 -- whether they are ever combined is
   not visible here. */
#define IPF_OPT_NONE 1
#define IPF_OPT_COUNT 2
#define IPF_OPT_SRC 4
#define IPF_OPT_DST 8
#define IPF_OPT_RES 16
#define IPF_OPT_PORT 32
#define IPF_OPT_RPORT 64
242 
243 /* ipfw support */
244 
/* ipfw parser: bit flags for the recognised fields. */
#define IPFW_DATE 1
#define IPFW_CHAIN 2
#define IPFW_BRANCH 4
#define IPFW_PROTO 8
#define IPFW_IPS 16
#define IPFW_PORTS 32
#define IPFW_IF 64

/* ipfw parser states. */
enum {
  IPFW_OPT_NONE,
  IPFW_OPT_ICMP,
  IPFW_OPT_PORTS
};
258 
259 /* snort support */
260 
/* snort parser: bit flags for the recognised fields. */
#define SNORT_DATE 1
#define SNORT_CHAIN 2
#define SNORT_BRANCH 4
#define SNORT_PROTO 8
#define SNORT_SRC 16
#define SNORT_DST 32
#define SNORT_NO_HIT 64

/* snort parser states (bit values, like the ipfilter ones). */
#define SNORT_OPT_SRC 1
#define SNORT_OPT_DST 2
#define SNORT_OPT_PORT 4
272 
273 /* netscreen support */
274 
/* NetScreen parser: bit flags for the recognised fields. */
#define NS_DATE 1
#define NS_SRC 2
#define NS_DST 4
#define NS_SPORT 8
#define NS_DPORT 16
#define NS_BN 32
#define NS_PROTO 64
#define NS_NO_HIT 128

/* NetScreen parser states. */
enum {
  NETSCREEN_OPT_SRC,
  NETSCREEN_OPT_DST
};
288 
289 /* Sorting */
290 
/* Sort keys for the summary output; presumably selected by
   options.sortfield and the letters in options.sort_order. */
enum {
  SORT_COUNT,
  SORT_START_TIME,
  SORT_END_TIME,
  SORT_DELTA_TIME,
  SORT_CHAINLABEL,
  SORT_PROTOCOL,
  SORT_DATALEN,
  SORT_SOURCEHOST,
  SORT_SOURCEPORT,
  SORT_DESTHOST,
  SORT_DESTPORT
};

/* Sort direction (options.sortmode, presumably). */
enum {
  ORDER_ASCENDING,
  ORDER_DESCENDING
};
309 
310 /* WHOIS lookup */
311 
/* Routing registry whois server and the standard whois TCP port (43). */
#define RADB "whois.radb.net"
#define WHOIS 43
314 
315 /* HTML output */
316 
/* Default HTML colours; each must fit a COLORSIZE (8-byte) buffer. */
#define TEXTCOLOR "black"
#define BGCOLOR "white"
#define ROWCOLOR1 "#EEEEEE"
#define ROWCOLOR2 "#DDDDDD"
321 
322 /* Log summary mode */
323 
/* Summary mode defaults: report title (translatable), default sort order
   string, and the sendmail binary used to deliver the report. */
#define SUMMARY_TITLE _("fwlogwatch summary")
#define SORTORDER "cd"
#define P_SENDMAIL "/usr/sbin/sendmail"
327 
328 /* Realtime response mode */
329 
#define ALERT 5			/* default alert threshold; presumably the initial
				   options.threshold -- confirm */
#define FORGET 86400		/* one day in seconds; presumably how long entries
				   are remembered -- confirm */
/* External notification / response scripts, rooted at INSTALL_DIR.
   NOTE(review): the program runs these paths (how is not visible here), so
   the files and INSTALL_DIR "/sbin" should be writable only by the account
   that administers fwlogwatch. */
#define FWLW_NOTIFY INSTALL_DIR "/sbin/fwlw_notify"
#define FWLW_RESPOND INSTALL_DIR "/sbin/fwlw_respond"
#define STATUS_TITLE _("fwlogwatch status")
/* Status web interface defaults.  Bound to the IPv6 loopback address, so
   only local clients can reach it unless the configured listenif changes. */
#define LISTENIF "::1"
#define LISTENPORT 888
/* Compiled-in default credentials for the status interface.  The password
   appears to be a traditional DES crypt(3) hash (hence the 8-character
   limit noted below), and both values are public in this header -- the
   original comment even records the plaintext -- so a deployment must set
   its own user and password in the configuration file rather than rely on
   this default; the exact config keys are defined in the .c sources. */
#define DEFAULT_USER "admin"
#define DEFAULT_PASSWORD "2fi4nEVVz0IXo"	/* fwlogwat[ch]
						   DES only supports 8 characters */

/* Realtime actions; powers of two, so presumably OR-able. */
#define OPT_LOG 1
#define OPT_NOTIFY 2
#define OPT_RESPOND 4

/* Action selectors for the external scripts (distinct values, not bits)
   -- inferred from the names. */
#define EX_NOTIFY 1
#define EX_RESPOND_ADD 2
#define EX_RESPOND_REMOVE 3

/* Two variants of a response removal; the abbreviations are not explained
   in this header. */
#define RESP_REMOVE_OPC 1
#define RESP_REMOVE_OHS 2
351 
352 /* GeoIP */
353 
/* Default GeoIP database locations (only used in the HAVE_GEOIP build, see
   options.geoip_db_v4 / geoip_db_v6). */
#define GEOIP_DB_V4 "/var/lib/GeoIP/GeoIP.dat"
#define GEOIP_DB_V6 "/var/lib/GeoIP/GeoIPv6.dat"
356 
357 
/* Start/stop selector -- inferred from the names, consumers are in the .c
   files. */
enum {
  FW_START,
  FW_STOP
};

/* Output / sorting states.  Six values in one enum; which of them are
   compared against each other is not visible here. */
enum {
  NO_NET_OPTS_PC,
  NET_OPTS_PC,
  NO_SORTING,
  SORTING,
  SORT_PC,
  SORT_HS
};

/* Status interface state (presumably options.status): off, running, or a
   file-descriptor error. */
enum {
  STATUS_OFF,
  STATUS_OK,
  FD_ERROR
};

/* Whether a (HTTP) header line is complete or continues -- inferred. */
enum {
  HEADER_COMPLETE,
  HEADER_CONTINUES
};
382 
383 /* Data structures */
384 
/* System headers needed by the structures below (time_t, struct in6_addr,
   INET6_ADDRSTRLEN).  _KERNEL_STRUCTURES is defined only around these two
   includes and undefined again afterwards; it looks like a platform (BSD)
   switch -- it is a reserved-namespace identifier, so treat it as
   belonging to the system headers.  __FreeBSD_version comes from
   <sys/param.h> on FreeBSD; elsewhere it is undefined, evaluates to 0 in
   the #if, and <stdbool.h> is simply not pulled in here. */
#include <time.h>
#define _KERNEL_STRUCTURES
#include <sys/param.h>
#if __FreeBSD_version > 1400038
#include <stdbool.h>
#endif
#include <netinet/in.h>
#undef _KERNEL_STRUCTURES
393 
/* One parsed log entry.  All strings are fixed-size arrays, so a log_line
   owns its data and can be copied by value. */
struct log_line {
  time_t time;			/* timestamp of the entry */
  char hostname[SHOSTLEN];	/* logging host */
  char chainlabel[SHORTLEN];
  char branchname[SHORTLEN];
  char interface[SHORTLEN];
  int protocol;
  unsigned long int datalen;
  struct in6_addr shost;	/* source address (IPv4 presumably mapped into in6_addr -- confirm) */
  int sport;
  struct in6_addr dhost;	/* destination address */
  int dport;
  unsigned char flags;		/* presumably TCP_* bits */
  int count;			/* repeat count of the entry */
};
409 
/* Aggregated connection record (singly linked list via `next`).  Same
   fields as struct log_line, but the string members are pointers; who
   allocates and frees them is not visible in this header. */
struct conn_data {
  int count;			/* number of merged entries */
  time_t start_time;		/* first and last time seen */
  time_t end_time;
  char *hostname;
  char *chainlabel;
  char *branchname;
  char *interface;
  int protocol;
  unsigned long int datalen;
  struct in6_addr shost;
  int sport;
  struct in6_addr dhost;
  int dport;
  unsigned char flags;		/* presumably TCP_* bits */
  int id;			/* presumably assigned from options.global_id -- confirm */
  struct conn_data *next;
};
428 
/* Singly linked list of input file names (string ownership not visible
   here). */
struct input_file {
  char *name;
  struct input_file *next;
};
433 
/* Address -> fully qualified host name cache entry, singly linked. */
struct dns_cache {
  struct in6_addr ip;
  char *fqdn;
  struct dns_cache *next;
};
439 
/* Cached whois answer (route, AS number and their descriptions), singly
   linked.  String ownership not visible here. */
struct whois_entry {
  char *ip_route;
  int as_number;
  char *ip_descr;
  char *as_descr;
  struct whois_entry *next;
};
447 
/* Host / flow already seen (realtime mode presumably), singly linked.  The
   netmask pairs with shost to describe a source network rather than a
   single address. */
struct known_hosts {
  time_t time;
  int count;
  struct in6_addr shost;
  struct in6_addr netmask;
  struct in6_addr dhost;
  int protocol;
  int sport;
  int dport;
  int id;
  struct known_hosts *next;
};
460 
/* One include/exclude rule for the parser, singly linked.  `mode` is a
   combination of the PARSER_MODE_* bits below; depending on the bits either
   host/netmask, the numeric value, or the string value is meaningful. */
struct parser_options {
  unsigned char mode;		/* PARSER_MODE_* bits (6 bits, fits unsigned char) */
  struct in6_addr host;
  struct in6_addr netmask;
  unsigned long int value;
  char *svalue;
  struct parser_options *next;
};

/* parser_options.mode bits.  PARSER_MODE_NOT inverts the match; the others
   select what the rule compares against. */
#define PARSER_MODE_DEFAULT 0
#define PARSER_MODE_NOT 1
#define PARSER_MODE_HOST 2
#define PARSER_MODE_PORT 4
#define PARSER_MODE_SRC 8
#define PARSER_MODE_CHAIN 16
#define PARSER_MODE_BRANCH 32

/* Outcome of matching a line against the parser_options rules: no rule
   matched, an exclude rule matched, an include rule matched. */
enum {
  P_MATCH_NONE,
  P_MATCH_EXC,
  P_MATCH_INC
};
483 
/* Runtime configuration and global state, filled from the command line and
   the rc file (the parsing lives in the .c files).  The unsigned char
   members are mostly NO/YES switches or small enum values.
   NOTE: the FILE member needs <stdio.h>, which this header does not include
   itself -- the including source file must provide it before main.h. */
struct options {
  unsigned char mode;		/* LOG_SUMMARY / REALTIME_RESPONSE / SHOW_LOG_TIMES -- presumably */
  FILE *inputfd;		/* current input stream */
#ifdef HAVE_ZLIB
  gzFile gzinputfd;		/* same, for compressed input */
#endif
  unsigned char std_in;		/* reading from standard input -- inferred from the name */

  /* Lookups and configuration files. */
  unsigned char verbose;
  unsigned char resolve;
  unsigned char sresolve;
  unsigned char whois_lookup;
  int whois_sock;		/* socket for the RADB whois connection -- presumably */
  int filecount;
  char rcfile[FILESIZE];	/* RCFILE_CF */
  char rcfile_dns[FILESIZE];	/* RCFILE_DNS */

  /* Parser state. */
  struct log_line *line;	/* the entry currently being parsed */
  char format_sel[SHORTLEN];
  unsigned int format;
  unsigned int parser;		/* PARSER_* mask -- presumably */
  unsigned char repeated;
  int orig_count;

  /* Which fields take part in aggregation / output. */
  unsigned char src_ip;
  unsigned char dst_ip;
  unsigned char proto;
  unsigned char src_port;
  unsigned char dst_port;
  unsigned char opts;

  unsigned char datalen;
  unsigned char stimes;
  unsigned char etimes;
  unsigned char duration;

  /* Sorting. */
  char sort_order[MAXSORTSIZE];	/* default SORTORDER */
  unsigned char sortfield;	/* SORT_* -- presumably */
  unsigned char sortmode;	/* ORDER_* -- presumably */

  /* Output selection. */
  unsigned char html;
  unsigned char use_out;
  char outputfile[FILESIZE];

  /* HTML appearance; colours default to TEXTCOLOR/BGCOLOR/ROWCOLOR*. */
  char title[TITLESIZE];
  char stylesheet[CSSSIZE];
  char textcol[COLORSIZE];
  char bgcol[COLORSIZE];
  char rowcol1[COLORSIZE];
  char rowcol2[COLORSIZE];

  /* Optional filters on logging host, chain, branch and interface: the
     unsigned char enables the filter, the array holds the value. */
  unsigned char loghost;
  char hostname[SHOSTLEN];

  unsigned char chains;
  char chainlabel[SHORTLEN];

  unsigned char branches;
  char branchname[SHORTLEN];

  unsigned char ifs;
  char interface[SHORTLEN];

  /* Time window. */
  time_t now;
  int recent;

  /* Summary-mode limits and mail addressing. */
  int threshold;
  int least;
  int max;
  char sender[EMAILSIZE];
  char recipient[EMAILSIZE];
  char cc[EMAILSIZE];

  /* Realtime response mode. */
  unsigned char response;	/* OPT_* bits -- presumably */
  unsigned char ipchains_check;
  char pidfile[FILESIZE];
  char notify_script[FILESIZE];	/* default FWLW_NOTIFY */
  char respond_script[FILESIZE];	/* default FWLW_RESPOND */
  char run_as[USERSIZE];	/* name suggests the account to switch to -- confirm */
  unsigned char status;		/* STATUS_OFF / STATUS_OK / FD_ERROR -- presumably */
  unsigned char stateful_start;
  int sock;			/* listening socket of the status interface -- presumably */
  char listenif[IP6LEN];	/* default LISTENIF; see the IP6LEN note above */
  char listento[IP6LEN];
  int listenport;		/* default LISTENPORT */
  char user[USERSIZE];		/* status interface credentials; defaults DEFAULT_USER / DEFAULT_PASSWORD */
  char password[PASSWORDSIZE];
  int refresh;
  unsigned char webpage;
  int global_id;

  char ntop[INET6_ADDRSTRLEN];	/* scratch buffer for address-to-text conversion -- presumably */

#ifdef HAVE_GEOIP
  unsigned char geoip;
  GeoIP *geoip_v4;
  GeoIP *geoip_v6;
  char geoip_db_v4[FILESIZE];	/* default GEOIP_DB_V4 */
  char geoip_db_v6[FILESIZE];	/* default GEOIP_DB_V6 */
#endif
};
585 
586 #endif
587