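/**************************************************************************
**SA Network Connection Profiler [sancp] - A TCP/IP statistical/collection tool
* ************************************************************************
* * Copyright (C) 2003 John Curry <john.curry@metre.net>
* *
* * This program is distributed under the terms of version 1.0 of the
* * Q Public License. See LICENSE.QPL for further details.
* *
* * This program is distributed in the hope that it will be useful,
* * but WITHOUT ANY WARRANTY; without even the implied warranty of
* * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* *
* ***********************************************************************/

/*
 * sancp.h - shared constants, the packet/connection/rule structures and the
 * prototypes of the functions implemented across the sancp sources.
 *
 * This header is written for a C++ translation unit: createFileName() and
 * createPcapFileName() are overloaded, one prototype takes a bool, and the
 * libpcap glue is declared with extern "C" linkage.
 *
 * The project guards headers at the include site (see the GVARS_H test
 * below); the include guard added here is compatible with that and makes a
 * second inclusion harmless instead of a redefinition error.
 */
#ifndef SANCP_H
#define SANCP_H

//#define DEBUG 1

#include <signal.h>     // set_signals(), SIGHUP, signal, SIGUSR1, SIGUSR2, SIGTERM, SIGINT, SIGKILL, SIGQUIT
#include <arpa/inet.h>  // inet_aton(), inet_ntoa()
#include <errno.h>      // errno, EINTR, EAGAIN, EIO, EISDIR, EBADF, EINVAL, EFAULT
#include <syslog.h>     // LOG_ERR, LOG_CONS, LOG_INFO, LOG_CRIT
                        // LOG_LOCAL1, LOG_LOCAL2, LOG_LOCAL3, LOG_LOCAL4, LOG_LOCAL5, LOG_LOCAL6, LOG_LOCAL7

#include <ctype.h>
#include <time.h>       // time_t in struct cnx
#include <sys/types.h>  // u_char, u_short, u_int8_t, u_int16_t, u_int32_t, u_int64_t used below
#include <stdio.h>      // FILE in fgetcline()
//#include <net/ethernet.h>

//#include <unistd.h>
//#include <sys/socket.h>

// Required for BSD
#include <netinet/in.h>

//#include <net/if.h>
//#include <fcntl.h>
//#include <stdlib.h>
//#include <sys/ioctl.h>
//#include <sys/time.h>
//#include <string.h>

#ifndef GVARS_H
#include "gvars.h"
#endif

// Kept for compatibility with include-site guards elsewhere; nothing in this
// header tests NCP_H itself.
#define NCP_H

// Single-character flag values used by the config parser.  Note that Y and N
// are single-letter macro names and will replace any identifier Y or N in a
// file that includes this header.
#define Y 'Y'
#define N 'N'
#define MIN_WAIT_TIME 4 // We will wait at least this many seconds before expiring a closed connection

// Include our own version of ether_addr since linux/solaris
// differ from bsd systems on definition of struct ether_addr

#ifndef ETHER_ADDR_LEN
#define ETHER_ADDR_LEN 6 /* length of an Ethernet address */
#endif

struct myether_addr {
    u_char octet[ETHER_ADDR_LEN];
};

/*
 * Structure of a 10Mb/s Ethernet header.
 * Layout matches the wire format: 6-byte destination, 6-byte source, 2-byte
 * type.  ether_type is stored as the raw network-order bytes; see the
 * ETHPROTO_* constants for how it is compared.
 * This definition would clash with the system one if <net/ethernet.h> were
 * ever included in the same translation unit, which is presumably why that
 * include is commented out above.
 */
struct ether_header { // we pulled this from net/ethernet.h
    u_char ether_dhost[ETHER_ADDR_LEN];
    u_char ether_shost[ETHER_ADDR_LEN];
    u_short ether_type;
};

/*
 * Configuration variable: a key/value pair tagged with the variable class it
 * belongs to (one of the VCLASS_* values below), kept in a singly-linked list.
 */
struct vars {
    char *key;
    char *value;
    int vclass; // variable class
    struct vars *next;
};

int main(int argc, char *argv[]);
/* Packet pipeline entry: 'len' is the captured length of 'pkt'.  Bounds
 * checking of 'len' against the header sizes has to happen in the
 * implementation; it is not enforced by this interface. */
struct cnx *process(struct cnx*, int len, u_char * pkt);
/* Filename builders; the returned buffer's ownership (who frees it) is
 * defined by the implementation, not visible here. */
char * createPcapFileName();
char * createFileName(const char* filename);
char * createFileName(const char* filename, bool);
char * createPcapFileName(const struct acl* tacl);
char * createPcapFileName(const struct cnx* tcnx);
/* libpcap glue implemented in a C translation unit. */
extern "C" pcap_t * open_pcap_live(char *,char *);
extern "C" pcap_t * open_pcap_file(char *,char *);
extern "C" void close_pcap_file(pcap_t *);
extern "C" void start_pcap_loop(pcap_t *);
extern "C" void print_linktype(pcap_t *);
/* The (int a) functions below share the signal-handler signature and are
 * presumably installed by set_signals(); the argument is the signal number. */
void erase_idle(int a);
void reopen_files(int a);
void expire_connections();
struct cnx *update_state_node(struct cnx *);
void build_config(int a);
void parse_args(int arg, char* argv[]);
void parse_format(const char *,const char *);
void print_acl(int a);
void print_stats(int a);
void print_output_schema(outputFileHandle *fH, char *fmtcols, int fmtlen);
void write_schema(char *name, char *fmt, int fmtlen);
void print_schemas();
/* Reads one line from 'fp' into *buf, at most 'size' bytes. */
int fgetcline(char **buf, int size, FILE *fp);
int promisc_mode(char *, int);
void close_files(int a);
void open_files();
void reload_config(int a);
void record_all(int a);
void free_all(int a);
void exit_all(int a);
void manage_cid(int a);

void record(struct cnx *, outputFileHandle *fH);
void set_signals();
/* 'len' is the captured length of 'pkt' (see process()). */
void decode(struct cnx*, int len, const u_char * pkt);
void decode_pcap(struct cnx*,struct pcap_pkthdr * pkthdr, u_char * pkt);
int CheckPort(u_int8_t proto,u_int16_t port);
/* Drops privileges to the configured user/group (see DEFAULT_RID/DEFAULT_RGID). */
void SChangeUserGroup();
void apply_rule(struct cnx*);
void parse_var(char *,char *);
void parse_known_ports(char *, struct vars*, char *);
void parse_connection_rule(char *, struct vars*, char *);
void open_pcap_output();

/* Defaults and tunables */
#define DEFAULT_FLUSH_INTERVAL 1800
#define DEFAULT_EXPIRE_INTERVAL 10
/* VERSION and NAME are common autoconf/config.h macro names; including both
 * that file and this header in one translation unit would redefine them. */
#define VERSION "1.6.1-stable"
#define NAME "sancp"
#define LOG_DIR "./" /* default relative to current working directory */
#define CONFIG_DIR "/etc/sancp/"
#define CONFIG_FILE "sancp.conf"
#define PCAP_RAW_FNAME "debug_pcap_raw"
#define PCAP_FNAME "pcap"
#define STATS_FNAME "stats"
#define REALTIME_FNAME "realtime"
/* true/false are keywords in C++ and must not be redefined as macros there
 * (the header includes standard headers, so doing so is ill-formed); only
 * provide them for a C compiler. */
#ifndef __cplusplus
#define true 1
#define false 0
#endif
#define PROMISC 1
#define MAX_VAR 256
#define MAXFLDS 85 // define number of elements in fmtnames[]
#define MAXFLDSIZE 19 // define largest element in fmtnames[MAXFLDS][MAXFLDLEN]
#define MAXENTRYLEN 256
#define DELIMITER '|'  // same value as DEFAULT_DELIMITER below
#define READ_TIMEOUT 500
/*
 * Ethernet type values as they appear when ether_header.ether_type is read
 * raw (network byte order) on a little-endian host:
 *   0x0800 (IP)    -> 0x0008
 *   0x0806 (ARP)   -> 0x0608
 *   0x8035 (RARP)  -> 0x3580
 *   0x8100 (802.1Q)-> 0x0081
 * NOTE(review): this bakes in a little-endian host assumption; on a
 * big-endian host the raw field equals the nominal value and these
 * comparisons would not match.
 */
#define ETHPROTO_IP 0x0008
// network order bytes 0x0806
#define ETHPROTO_ARP 0x0608
// network order bytes 0x8035
#define ETHPROTO_RARP 0x3580
// network order bytes 0x8100
#define ETHPROTO_8021Q 0x0081
#define DEFAULT_DEVICE "any"
#define DEFAULT_NODE 0
#define DEFAULT_LIMIT 0
/* Default uid/gid used when dropping privileges: 0 means stay root. */
#define DEFAULT_RID 0
#define DEFAULT_RGID 0
#define DEFAULT_ZONE 0
//#define TCP_TIMEOUT 120
//#define UDP_TIMEOUT 300
//#define ICMP_TIMEOUT 120
#define DEFAULT_TIMEOUT 300
#define DEFAULT_STATUS 0
#define DEFAULT_LAG 0
#define DEFAULT_DELIMITER '|'
#define DEFAULT_EOR '\n'
#define MAX_PORTS 65536
/* Packet direction relative to the connection (cnx.direction). */
#define FROM_INITIATOR 0
#define FROM_TARGET 1
/* Rule actions. */
#define ACTION_PASS 0
#define ACTION_LOG 1
#define ACTION_DEFAULT 2
/* Collection modes (acl.cmode / cnx.cmode). */
#define CMODE_NONE 0
#define CMODE_BOTH 1
#define CMODE_SRC 2
#define CMODE_DST 3
/* Output modes. */
#define OMODE_PASS 0
#define OMODE_LOG 1
#define OMODE_DEFAULT 2
#define OMODE_FILENAME 3
#define OMODE_TSFILENAME 4
#define OMODE_RULE 5
#define OMODE_UNIQ 6

// Need to distinguish between classes of variables (struct vars.vclass)
#define VCLASS_0 1 // eth_proto class vars
#define VCLASS_1 2 // ip_addr class vars
#define VCLASS_2 3 // ip_proto class vars
#define VCLASS_3 4 // port class vars
#define VCLASS_4 5 // rid class vars
#define VCLASS_5 6 // rgid class vars
#define VCLASS_6 7 // zone class vars
#define VCLASS_7 8 // node class vars
#define VCLASS_8 9 // status class vars

#define DISABLED 0
#define ENABLED 1
/* Values of cnx.reversed: whether the connection's endpoints were swapped. */
#define CNX_REVERSED 1
#define CNX_BOTH_PORTS_KNOWN 2
#define CNX_BOTH_PORTS_UNKNOWN 3
#define CNX_REREVERSED 4
#define MAX_PACK_LEN 20000 /* Sufficient for ethernet packets. */
#define ETHER_SIZE 14      /* sizeof(struct ether_header) */
#ifdef EXPERIMENTAL_TCPOPTIONS
#define TCPOPT_EOL 0
#define TCPOPT_NOP 1
#define TCPOPT_MAXSEG 2
#define TCPOPT_SACKOK 4 /* Experimental */
#define TCPOPT_WSCALE 3
#define TCPOPTIONS_MAX 8 /* Maximum number of tcpoptions to parse */
#endif

/* TCP flag bits, matching the layout of the TCP header flags byte. */
#define R_FIN 0x01
#define R_SYN 0x02
#define R_RST 0x04
#define R_PSH 0x08
#define R_ACK 0x10
#define R_URG 0x20
#define R_RES2 0x40
#define R_RES1 0x80
/* Evaluates both arguments twice: never pass expressions with side effects.
 * Being a lowercase function-like macro it also shadows std::max and
 * numeric_limits<>::max() in any C++ file that includes this header. */
#define max(i,j) (((i)>(j)) ? (i) : (j))
#define SIZE_OF_CLASS_C 11

/* A port range [l_port, h_port] in a singly-linked list. */
struct t_ports {
    u_int16_t l_port;
    u_int16_t h_port;
    struct t_ports *next;
};

/*
 * Per-endpoint packet characteristics (ttl, IP length, window size, DF bit
 * and, when built with EXPERIMENTAL_TCPOPTIONS, mss/wscale/sack/nop);
 * presumably used for passive OS fingerprinting - confirm against record().
 */
struct os_info {
    u_int8_t ttl;
    u_int16_t len;
    u_int16_t wss;
#ifdef EXPERIMENTAL_TCPOPTIONS
    u_int8_t df:1, nop:1, sack_ok:1;
    u_int16_t mss;
    short wscale;
#else
    u_int8_t df:1;
#endif

};

/*
 * One access-control / collection rule.  Matching fields come as ranges
 * (*_l .. *_h) or as address+mask pairs; the remaining fields carry what to
 * do with a matching connection (collection/output modes, timeout, limits,
 * identifiers copied into struct cnx).  Rules form a singly-linked list.
 */
struct acl {
    struct ether_header eth_hdr;
    u_int16_t h_proto_h;            // ethernet type range
    u_int16_t h_proto_l;
    u_int32_t s_ip;                 // source address/mask
    u_int32_t s_mask;
    u_int16_t s_port_l;             // source port range
    u_int16_t s_port_h;
    u_int32_t d_ip;                 // destination address/mask
    u_int32_t d_mask;
    u_int16_t d_port_l;             // destination port range
    u_int16_t d_port_h;
    u_int8_t proto_l;               // IP protocol range
    u_int8_t proto_h;
    u_int32_t offset;               // offset/mask/value match; what they are
    u_int32_t mask;                 // applied to is defined in apply_rule()
    u_int32_t value;
    pcapFileHandle * fH;
    u_int8_t stats:1, realtime:1, pcap:1, retro:1, smode:2, rmode:2;
    u_int8_t cmode:2, pmode:4;
    u_int16_t tcplag;
    u_int16_t timeout;
    u_int64_t limit;
    u_int16_t status;
    u_int32_t ctr;                  // match counter - presumably, see print_acl()
    u_int32_t rid;
    u_int16_t rgid;
    u_int16_t node;
    u_int16_t zone;
    CBuffer *CBufferPtr;
    struct acl *next;
};

void retroactive(struct acl*);

/*
 * One tracked connection.  s_* is the initiator side and d_* the target side
 * (see FROM_INITIATOR/FROM_TARGET and 'reversed'); per-direction packet and
 * byte counters, timestamps, TCP flag summaries, the rule-derived settings
 * and the two os_info samples live here.  Records are kept in a
 * doubly-linked list (next/prev); 'hash' is presumably the bucket index.
 */
struct cnx {
    struct ether_header eth_hdr;
    u_int16_t h_proto;
    u_int8_t proto;
    u_int32_t s_ip;
    u_int32_t d_ip;
    u_int16_t s_port;
    u_int16_t d_port;
    u_int64_t s_total_pkts;
    u_int64_t s_total_bytes;
    u_int64_t d_total_pkts;
    u_int64_t d_total_bytes;
    u_int64_t total_bytes;
    time_t start_time;
    time_t last_pkt;
    u_int8_t free:1,direction:1;
    pcapFileHandle *fH;
    u_int8_t cmode:4, pcap:1, realtime:1, stats:1, retro:1;
    u_int8_t tcpFlags[2];           // flags seen per direction
    u_int8_t tcpCFlags;
    u_int8_t reversed;              // one of the CNX_* values
    u_int16_t tcplag;
    u_int64_t limit;
    u_int16_t status;
    u_int64_t collected;
    u_int64_t cid;                  // connection id, see manage_cid()
    u_int16_t timeout;
    u_int16_t hash;
    u_int32_t rid;
    u_int16_t rgid;
    u_int16_t node;
    u_int16_t zone;
    CBuffer *CBufferPtr;
    struct os_info os_info;
    struct os_info os_info2;
    struct cnx *next;
    struct cnx *prev;
};

void usage();
void outputfields();
void rule_syntax();

#endif /* SANCP_H */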