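//--------------------------------------------------------------------------
// Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
//
// This program is free software; you can redistribute it and/or modify it
// under the terms of the GNU General Public License Version 2 as published
// by the Free Software Foundation.  You may not use, modify or distribute
// this program under any other version of the GNU General Public License.
//
// This program is distributed in the hope that it will be useful, but
// WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
// General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
//--------------------------------------------------------------------------

// arp_module.h author Russ Combs <rucombs@cisco.com>

#ifndef ARP_SPOOF_MODULE_H
#define ARP_SPOOF_MODULE_H

// Declares the configuration module of the arp_spoof inspector: the rule
// identifiers it can raise, the configuration it builds, and the
// snort::Module subclass that exposes both to the framework.

// Included directly because this header names uint8_t/uint32_t and
// std::vector itself; it no longer depends on framework/module.h pulling
// them in transitively.
#include <cstdint>
#include <vector>

#include "framework/module.h"

// NOTE(review): MOD_NAME and MOD_HELP are generic macro names defined in a
// header; any translation unit that includes this file alongside another
// header defining the same names will see a redefinition. Keep this header
// private to the arp_spoof sources.
#define MOD_NAME "arp_spoof"
#define MOD_HELP "detect ARP attacks and anomalies"

// Generator id under which every arp_spoof event is reported.
#define GID_ARP_SPOOF 112

// Rule ids (SIDs) within GID_ARP_SPOOF. Going by their names:
//   1 - an ARP request that was sent unicast
//   2 - Ethernet frame and ARP payload disagree on the source address
//   3 - Ethernet frame and ARP payload disagree on the destination address
//   4 - an ARP message that would overwrite a configured IP/MAC binding
// The exact trigger conditions live in the inspector, not in this header.
#define ARPSPOOF_UNICAST_ARP_REQUEST              1
#define ARPSPOOF_ETHERFRAME_ARP_MISMATCH_SRC      2
#define ARPSPOOF_ETHERFRAME_ARP_MISMATCH_DST      3
#define ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK       4

// Per-thread counters and profiling data; defined in another translation unit.
extern THREAD_LOCAL SimpleStats asstats;
extern THREAD_LOCAL snort::ProfileStats arpPerfStats;

// One IPv4-address-to-MAC binding.
struct IPMacEntry
{
    // NOTE(review): the byte order of ipv4_addr is not fixed by this header;
    // confirm it against the code that fills and compares the field.
    uint32_t ipv4_addr;
    uint8_t mac_addr[6];
};

typedef std::vector<IPMacEntry> IPMacEntryList;

// Configuration handed to the arp_spoof inspector.
struct ArpSpoofConfig
{
    // Defaults to off so the flag has a defined value even if it is read
    // before the module assigns it; reading an uninitialized bool is
    // undefined behavior and would make the overwrite check unpredictable.
    bool check_overwrite = false;

    // Presumably the trusted bindings the overwrite check compares against;
    // with an empty list there is nothing to compare - confirm in the
    // inspector.
    IPMacEntryList ipmel;
};

// Framework-facing module for arp_spoof: receives configuration through the
// snort::Module callbacks and reports its pegs, rules, gid and profile data.
class ArpSpoofModule : public snort::Module
{
public:
    ArpSpoofModule();
    ~ArpSpoofModule() override;

    // Configuration callbacks overridden from snort::Module; their
    // definitions are not part of this header.
    bool set(const char*, snort::Value&, snort::SnortConfig*) override;
    bool begin(const char*, int, snort::SnortConfig*) override;
    bool end(const char*, int, snort::SnortConfig*) override;

    // Returns the module's ArpSpoofConfig pointer.
    // NOTE(review): `config` is a raw pointer, so who deletes it (this
    // module or the caller of get_config) is decided in the .cc file;
    // confirm there is exactly one owner.
    ArpSpoofConfig* get_config();

    const PegInfo* get_pegs() const override;
    PegCount* get_counts() const override;

    // All events from this module use the arp_spoof generator id.
    unsigned get_gid() const override
    { return GID_ARP_SPOOF; }

    const snort::RuleMap* get_rules() const override;
    snort::ProfileStats* get_profile() const override;

    Usage get_usage() const override
    { return INSPECT; }

private:
    ArpSpoofConfig* config;

    // Presumably a scratch entry filled while one hosts item is parsed
    // before it is appended to ArpSpoofConfig::ipmel - confirm in the .cc.
    IPMacEntry host;
};

#endif
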