1 //--------------------------------------------------------------------------
2 // Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
3 //
4 // This program is free software; you can redistribute it and/or modify it
5 // under the terms of the GNU General Public License Version 2 as published
6 // by the Free Software Foundation.  You may not use, modify or distribute
7 // this program under any other version of the GNU General Public License.
8 //
9 // This program is distributed in the hope that it will be useful, but
10 // WITHOUT ANY WARRANTY; without even the implied warranty of
11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
12 // General Public License for more details.
13 //
14 // You should have received a copy of the GNU General Public License along
15 // with this program; if not, write to the Free Software Foundation, Inc.,
16 // 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
17 //--------------------------------------------------------------------------
18 
19 // arp_module.h author Russ Combs <rucombs@cisco.com>
20 
21 #ifndef ARP_SPOOF_MODULE_H
22 #define ARP_SPOOF_MODULE_H
23 
24 #include "framework/module.h"
25 
// Name and one-line help text for this module.
#define MOD_NAME "arp_spoof"
#define MOD_HELP "detect ARP attacks and anomalies"

// Generator id reported by ArpSpoofModule::get_gid(). Together with one of
// the ARPSPOOF_* ids below it forms the gid:sid pair that identifies an event.
#define GID_ARP_SPOOF 112

// Per-condition ids 1..4. Going by the names these are: an ARP request sent
// to a unicast address, an Ethernet-header/ARP-payload address mismatch on
// the source side, the same mismatch on the destination side, and an
// attempted ARP cache overwrite.
// NOTE(review): the rule text lives behind get_rules() and is not visible in
// this header -- confirm the exact wording there.
#define ARPSPOOF_UNICAST_ARP_REQUEST          1
#define ARPSPOOF_ETHERFRAME_ARP_MISMATCH_SRC  2
#define ARPSPOOF_ETHERFRAME_ARP_MISMATCH_DST  3
#define ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK   4
35 
// Statistics objects declared here and defined elsewhere. Both carry the
// THREAD_LOCAL qualifier.
// NOTE(review): presumably arpPerfStats is what get_profile() returns and
// asstats backs get_counts() -- confirm in the implementation file.
extern THREAD_LOCAL snort::ProfileStats arpPerfStats;
extern THREAD_LOCAL SimpleStats asstats;
38 
// One IPv4-address-to-MAC binding; the element type of IPMacEntryList.
// Kept as a plain aggregate with no default member initializers, so the
// fields are indeterminate until the owner fills or zeroes them.
struct IPMacEntry {
    uint32_t ipv4_addr;   // IPv4 address (byte order is not stated in this header -- confirm)
    uint8_t mac_addr[6];  // 6-octet hardware address
};
44 
// List of configured IP/MAC bindings.
// NOTE(review): this header does not include <vector> or <cstdint> itself;
// it appears to rely on "framework/module.h" pulling them in -- confirm.
using IPMacEntryList = std::vector<IPMacEntry>;
46 
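// Configuration object exposed through ArpSpoofModule::get_config().
struct ArpSpoofConfig
{
    // Presumably gates the ARP cache overwrite check
    // (ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK) -- confirm where it is read.
    // Initialized in-class so a default-constructed config never carries an
    // indeterminate flag: for a detection switch, a garbage value would
    // silently enable or disable the check.
    bool check_overwrite = false;

    // Configured IP/MAC bindings; empty on construction.
    IPMacEntryList ipmel;
};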
53 
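// Module for the "arp_spoof" inspector (MOD_NAME, usage INSPECT). It
// overrides the snort::Module parameter hooks and exposes the resulting
// ArpSpoofConfig, the generator id, the rule map, and the peg/profile stats.
// Every member function except get_gid() and get_usage() is defined out of
// line.
class ArpSpoofModule : public snort::Module
{
public:
    ArpSpoofModule();
    ~ArpSpoofModule() override;

    // Parameter hooks overridden from snort::Module.
    bool set(const char*, snort::Value&, snort::SnortConfig*) override;
    bool begin(const char*, int, snort::SnortConfig*) override;
    bool end(const char*, int, snort::SnortConfig*) override;

    // Returns the module's ArpSpoofConfig pointer.
    // NOTE(review): whether ownership passes to the caller is not visible in
    // this header -- confirm against the definition before deleting or
    // caching the result.
    ArpSpoofConfig* get_config();

    const PegInfo* get_pegs() const override;
    PegCount* get_counts() const override;

    // Generator id for all events raised under this module.
    unsigned get_gid() const override
    { return GID_ARP_SPOOF; }

    const snort::RuleMap* get_rules() const override;
    snort::ProfileStats* get_profile() const override;

    Usage get_usage() const override
    { return INSPECT; }

private:
    // In-class initializers give both members a defined state no matter what
    // the out-of-line constructor does. A mem-initializer there still takes
    // precedence over these defaults.
    ArpSpoofConfig* config = nullptr;

    // NOTE(review): looks like scratch storage for the binding currently
    // being parsed -- confirm in set()/begin()/end().
    IPMacEntry host{};
};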
82 
83 #endif