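//--------------------------------------------------------------------------
// Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
//
// This program is free software; you can redistribute it and/or modify it
// under the terms of the GNU General Public License Version 2 as published
// by the Free Software Foundation. You may not use, modify or distribute
// this program under any other version of the GNU General Public License.
//
// This program is distributed in the hope that it will be useful, but
// WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
// General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------

// ps_module.h author Russ Combs <rucombs@cisco.com>

// Module (configuration + rule/peg metadata) for the port_scan inspector.
// The event ids, their rule messages, the reload-time memcap tuner and the
// PortScanModule class itself are declared here; the parsing logic and the
// RuleMap/PegInfo tables live out of line.

#ifndef PS_MODULE_H
#define PS_MODULE_H

#include "framework/module.h"
#include "main/snort_config.h"
#include "ps_detect.h"
#include "ps_pegs.h"

#define PS_NAME "port_scan"
#define PS_HELP "detect various ip, icmp, tcp, and udp port or protocol scans"

//-------------------------------------------------------------------------
// gid - sids
//-------------------------------------------------------------------------
// All port_scan events are raised under generator id 122; the sids below
// distinguish the scan type.  TCP, IP and UDP each get the same eight
// variants in the same order (scan, decoy, sweep, distributed, then the
// "filtered" form of each); ICMP only has the two sweep variants.
// Each sid must stay paired with the matching *_STR message in the
// "rule msgs" section below (presumably via the RuleMap returned by
// PortScanModule::get_rules()) -- add or renumber both halves together.

#define GID_PORT_SCAN 122

#define PSNG_TCP_PORTSCAN 1
#define PSNG_TCP_DECOY_PORTSCAN 2
#define PSNG_TCP_PORTSWEEP 3
#define PSNG_TCP_DISTRIBUTED_PORTSCAN 4
#define PSNG_TCP_FILTERED_PORTSCAN 5
#define PSNG_TCP_FILTERED_DECOY_PORTSCAN 6
#define PSNG_TCP_PORTSWEEP_FILTERED 7
#define PSNG_TCP_FILTERED_DISTRIBUTED_PORTSCAN 8

#define PSNG_IP_PORTSCAN 9
#define PSNG_IP_DECOY_PORTSCAN 10
#define PSNG_IP_PORTSWEEP 11
#define PSNG_IP_DISTRIBUTED_PORTSCAN 12
#define PSNG_IP_FILTERED_PORTSCAN 13
#define PSNG_IP_FILTERED_DECOY_PORTSCAN 14
#define PSNG_IP_PORTSWEEP_FILTERED 15
#define PSNG_IP_FILTERED_DISTRIBUTED_PORTSCAN 16

#define PSNG_UDP_PORTSCAN 17
#define PSNG_UDP_DECOY_PORTSCAN 18
#define PSNG_UDP_PORTSWEEP 19
#define PSNG_UDP_DISTRIBUTED_PORTSCAN 20
#define PSNG_UDP_FILTERED_PORTSCAN 21
#define PSNG_UDP_FILTERED_DECOY_PORTSCAN 22
#define PSNG_UDP_PORTSWEEP_FILTERED 23
#define PSNG_UDP_FILTERED_DISTRIBUTED_PORTSCAN 24

#define PSNG_ICMP_PORTSWEEP 25
#define PSNG_ICMP_PORTSWEEP_FILTERED 26

#define PSNG_OPEN_PORT 27

//-------------------------------------------------------------------------
// rule msgs
//-------------------------------------------------------------------------
// Human-readable message for each sid above.  Note the last two TCP/IP/UDP
// entries are listed in the opposite order from their sids
// (FILTERED_DISTRIBUTED before PORTSWEEP_FILTERED); match on the name,
// not the position, when cross-checking.

#define PSNG_TCP_PORTSCAN_STR \
    "TCP portscan"
#define PSNG_TCP_DECOY_PORTSCAN_STR \
    "TCP decoy portscan"
#define PSNG_TCP_PORTSWEEP_STR \
    "TCP portsweep"
#define PSNG_TCP_DISTRIBUTED_PORTSCAN_STR \
    "TCP distributed portscan"
#define PSNG_TCP_FILTERED_PORTSCAN_STR \
    "TCP filtered portscan"
#define PSNG_TCP_FILTERED_DECOY_PORTSCAN_STR \
    "TCP filtered decoy portscan"
#define PSNG_TCP_FILTERED_DISTRIBUTED_PORTSCAN_STR \
    "TCP filtered distributed portscan"
#define PSNG_TCP_PORTSWEEP_FILTERED_STR \
    "TCP filtered portsweep"

#define PSNG_IP_PORTSCAN_STR \
    "IP protocol scan"
#define PSNG_IP_DECOY_PORTSCAN_STR \
    "IP decoy protocol scan"
#define PSNG_IP_PORTSWEEP_STR \
    "IP protocol sweep"
#define PSNG_IP_DISTRIBUTED_PORTSCAN_STR \
    "IP distributed protocol scan"
#define PSNG_IP_FILTERED_PORTSCAN_STR \
    "IP filtered protocol scan"
#define PSNG_IP_FILTERED_DECOY_PORTSCAN_STR \
    "IP filtered decoy protocol scan"
#define PSNG_IP_FILTERED_DISTRIBUTED_PORTSCAN_STR \
    "IP filtered distributed protocol scan"
#define PSNG_IP_PORTSWEEP_FILTERED_STR \
    "IP filtered protocol sweep"

#define PSNG_UDP_PORTSCAN_STR \
    "UDP portscan"
#define PSNG_UDP_DECOY_PORTSCAN_STR \
    "UDP decoy portscan"
#define PSNG_UDP_PORTSWEEP_STR \
    "UDP portsweep"
#define PSNG_UDP_DISTRIBUTED_PORTSCAN_STR \
    "UDP distributed portscan"
#define PSNG_UDP_FILTERED_PORTSCAN_STR \
    "UDP filtered portscan"
#define PSNG_UDP_FILTERED_DECOY_PORTSCAN_STR \
    "UDP filtered decoy portscan"
#define PSNG_UDP_FILTERED_DISTRIBUTED_PORTSCAN_STR \
    "UDP filtered distributed portscan"
#define PSNG_UDP_PORTSWEEP_FILTERED_STR \
    "UDP filtered portsweep"

#define PSNG_ICMP_PORTSWEEP_STR \
    "ICMP sweep"
#define PSNG_ICMP_PORTSWEEP_FILTERED_STR \
    "ICMP filtered sweep"

#define PSNG_OPEN_PORT_STR \
    "open port"

//-------------------------------------------------------------------------
// Reload resource tuning
//-------------------------------------------------------------------------

// Applies a new port_scan memcap after a configuration reload.  The reload
// framework drives this object: tinit() re-initializes the per-thread
// tracker hash with the new cap, then the tune_*() hooks are called to
// prune the hash down toward that cap a bounded amount of work per call
// (the bool result is presumably the framework's "done" signal -- see
// snort::ReloadResourceTuner).
//
// NOTE(review): tracker state is created from observed traffic, so the
// memcap handed to ps_init_hash() is what bounds this module's memory
// during a high-volume scan; confirm in ps_detect.h that ps_prune_hash()
// evicts old trackers rather than refusing new ones.
class PortScanReloadTuner : public snort::ReloadResourceTuner
{
public:
    // memcap: new memory cap for the tracker hash, forwarded unchanged
    // to ps_init_hash().
    explicit PortScanReloadTuner(size_t memcap) : memcap(memcap) { }
    ~PortScanReloadTuner() override = default;

    // Per-thread (re)initialization of the tracker hash under the new cap.
    bool tinit() override
    { return ps_init_hash(memcap); }

    // Prune while the thread is idle.  max_work_idle is not declared in
    // this header -- presumably a work budget supplied by the base class.
    bool tune_idle_context() override
    { return ps_prune_hash(max_work_idle); }

    // Prune between packets with the max_work budget (likewise from the
    // base class), so pruning cost per packet stays bounded.
    bool tune_packet_context() override
    { return ps_prune_hash(max_work); }

private:
    size_t memcap;
};

//-------------------------------------------------------------------------

// Per-thread peg counters and profiling stats for the port_scan inspector.
extern THREAD_LOCAL PsPegStats spstats;
extern THREAD_LOCAL snort::ProfileStats psPerfStats;

struct PortscanConfig;

// Configuration module for port_scan: handles the set/begin/end callbacks
// for the "port_scan" table, hands the resulting PortscanConfig to the
// inspector via get_data(), and exposes pegs, profile stats and the
// gid:sid -> message rule map to the framework.
class PortScanModule : public snort::Module
{
public:
    PortScanModule();
    ~PortScanModule() override;

    // snort::Module configuration callbacks (defined out of line).
    bool set(const char*, snort::Value&, snort::SnortConfig*) override;
    bool begin(const char*, int, snort::SnortConfig*) override;
    bool end(const char*, int, snort::SnortConfig*) override;

    const PegInfo* get_pegs() const override;
    PegCount* get_counts() const override;
    snort::ProfileStats* get_profile() const override;
    const snort::RuleMap* get_rules() const override;

    // All events from this module are gid 122.
    unsigned get_gid() const override
    { return GID_PORT_SCAN; }

    // Returns the parsed configuration; whether ownership transfers to the
    // caller is decided by the out-of-line definition -- check before
    // storing the pointer.
    PortscanConfig* get_data();

    // FIXIT-M this should eventually be CONTEXT.
    // Set to GLOBAL so this isn't selected away when inspection policy switches
    Usage get_usage() const override
    { return GLOBAL; }

private:
    // Maps a fully qualified option name (fqn) to the PS_ALERT_CONF it
    // configures; presumably used by set() to dispatch per-protocol tables.
    PS_ALERT_CONF* get_alert_conf(const char* fqn);

    // Config being built between begin() and end().  Default to null so a
    // module that never parsed a table cannot hand out an indeterminate
    // pointer from get_data() or free one in the destructor.
    PortscanConfig* config = nullptr;
};

#endif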