1 //--------------------------------------------------------------------------
2 // Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
3 //
4 // This program is free software; you can redistribute it and/or modify it
5 // under the terms of the GNU General Public License Version 2 as published
6 // by the Free Software Foundation.  You may not use, modify or distribute
7 // this program under any other version of the GNU General Public License.
8 //
9 // This program is distributed in the hope that it will be useful, but
10 // WITHOUT ANY WARRANTY; without even the implied warranty of
11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
12 // General Public License for more details.
13 //
14 // You should have received a copy of the GNU General Public License along
15 // with this program; if not, write to the Free Software Foundation, Inc.,
16 // 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
17 //--------------------------------------------------------------------------
18 
19 // ps_module.h author Russ Combs <rucombs@cisco.com>
20 
21 #ifndef PS_MODULE_H
22 #define PS_MODULE_H
23 
24 #include "framework/module.h"
25 #include "main/snort_config.h"
26 #include "ps_detect.h"
27 #include "ps_pegs.h"
28 
29 #define PS_NAME "port_scan"
30 #define PS_HELP "detect various ip, icmp, tcp, and udp port or protocol scans"
31 
32 //-------------------------------------------------------------------------
33 // gid - sids
34 //-------------------------------------------------------------------------
35 
36 #define GID_PORT_SCAN 122
37 
38 #define PSNG_TCP_PORTSCAN                      1
39 #define PSNG_TCP_DECOY_PORTSCAN                2
40 #define PSNG_TCP_PORTSWEEP                     3
41 #define PSNG_TCP_DISTRIBUTED_PORTSCAN          4
42 #define PSNG_TCP_FILTERED_PORTSCAN             5
43 #define PSNG_TCP_FILTERED_DECOY_PORTSCAN       6
44 #define PSNG_TCP_PORTSWEEP_FILTERED            7
45 #define PSNG_TCP_FILTERED_DISTRIBUTED_PORTSCAN 8
46 
47 #define PSNG_IP_PORTSCAN                       9
48 #define PSNG_IP_DECOY_PORTSCAN                 10
49 #define PSNG_IP_PORTSWEEP                      11
50 #define PSNG_IP_DISTRIBUTED_PORTSCAN           12
51 #define PSNG_IP_FILTERED_PORTSCAN              13
52 #define PSNG_IP_FILTERED_DECOY_PORTSCAN        14
53 #define PSNG_IP_PORTSWEEP_FILTERED             15
54 #define PSNG_IP_FILTERED_DISTRIBUTED_PORTSCAN  16
55 
56 #define PSNG_UDP_PORTSCAN                      17
57 #define PSNG_UDP_DECOY_PORTSCAN                18
58 #define PSNG_UDP_PORTSWEEP                     19
59 #define PSNG_UDP_DISTRIBUTED_PORTSCAN          20
60 #define PSNG_UDP_FILTERED_PORTSCAN             21
61 #define PSNG_UDP_FILTERED_DECOY_PORTSCAN       22
62 #define PSNG_UDP_PORTSWEEP_FILTERED            23
63 #define PSNG_UDP_FILTERED_DISTRIBUTED_PORTSCAN 24
64 
65 #define PSNG_ICMP_PORTSWEEP                    25
66 #define PSNG_ICMP_PORTSWEEP_FILTERED           26
67 
68 #define PSNG_OPEN_PORT                         27
69 
70 //-------------------------------------------------------------------------
71 // rule msgs
72 //-------------------------------------------------------------------------
73 
74 #define PSNG_TCP_PORTSCAN_STR \
75     "TCP portscan"
76 #define PSNG_TCP_DECOY_PORTSCAN_STR \
77     "TCP decoy portscan"
78 #define PSNG_TCP_PORTSWEEP_STR \
79     "TCP portsweep"
80 #define PSNG_TCP_DISTRIBUTED_PORTSCAN_STR \
81     "TCP distributed portscan"
82 #define PSNG_TCP_FILTERED_PORTSCAN_STR \
83     "TCP filtered portscan"
84 #define PSNG_TCP_FILTERED_DECOY_PORTSCAN_STR \
85     "TCP filtered decoy portscan"
86 #define PSNG_TCP_FILTERED_DISTRIBUTED_PORTSCAN_STR \
87     "TCP filtered distributed portscan"
88 #define PSNG_TCP_PORTSWEEP_FILTERED_STR \
89     "TCP filtered portsweep"
90 
91 #define PSNG_IP_PORTSCAN_STR \
92     "IP protocol scan"
93 #define PSNG_IP_DECOY_PORTSCAN_STR \
94     "IP decoy protocol scan"
95 #define PSNG_IP_PORTSWEEP_STR \
96     "IP protocol sweep"
97 #define PSNG_IP_DISTRIBUTED_PORTSCAN_STR \
98     "IP distributed protocol scan"
99 #define PSNG_IP_FILTERED_PORTSCAN_STR \
100     "IP filtered protocol scan"
101 #define PSNG_IP_FILTERED_DECOY_PORTSCAN_STR \
102     "IP filtered decoy protocol scan"
103 #define PSNG_IP_FILTERED_DISTRIBUTED_PORTSCAN_STR \
104     "IP filtered distributed protocol scan"
105 #define PSNG_IP_PORTSWEEP_FILTERED_STR \
106     "IP filtered protocol sweep"
107 
108 #define PSNG_UDP_PORTSCAN_STR \
109     "UDP portscan"
110 #define PSNG_UDP_DECOY_PORTSCAN_STR \
111     "UDP decoy portscan"
112 #define PSNG_UDP_PORTSWEEP_STR \
113     "UDP portsweep"
114 #define PSNG_UDP_DISTRIBUTED_PORTSCAN_STR \
115     "UDP distributed portscan"
116 #define PSNG_UDP_FILTERED_PORTSCAN_STR \
117     "UDP filtered portscan"
118 #define PSNG_UDP_FILTERED_DECOY_PORTSCAN_STR \
119     "UDP filtered decoy portscan"
120 #define PSNG_UDP_FILTERED_DISTRIBUTED_PORTSCAN_STR \
121     "UDP filtered distributed portscan"
122 #define PSNG_UDP_PORTSWEEP_FILTERED_STR \
123     "UDP filtered portsweep"
124 
125 #define PSNG_ICMP_PORTSWEEP_STR \
126     "ICMP sweep"
127 #define PSNG_ICMP_PORTSWEEP_FILTERED_STR \
128     "ICMP filtered sweep"
129 
130 #define PSNG_OPEN_PORT_STR \
131     "open port"
132 
133 //-------------------------------------------------------------------------
134 // Reload resource tuning
135 //-------------------------------------------------------------------------
136 
// Reload-time tuner for the port_scan tracking hash.  When the memcap changes
// on a config reload, the framework drives this object: tinit() rebuilds the
// hash with the new cap, then the tune_*_context() hooks prune it back under
// that cap in bounded work units (the max_work* budgets, presumably supplied
// by snort::ReloadResourceTuner -- confirm in framework/module.h).  Keeping
// the prune incremental is what lets a reload lower the cap without a single
// long stall; ps_init_hash / ps_prune_hash are presumably declared in
// ps_detect.h (included above).
class PortScanReloadTuner : public snort::ReloadResourceTuner
{
public:
    // memcap: byte cap to apply to the scan-tracking hash on this reload.
    explicit PortScanReloadTuner(size_t memcap) : hash_memcap(memcap) { }
    ~PortScanReloadTuner() override = default;

    // Per-thread init: (re)build the hash sized to hash_memcap.
    // Returns whatever ps_init_hash reports.
    bool tinit() override { return ps_init_hash(hash_memcap); }

    // Prune pass run in the idle context, using the max_work_idle budget.
    bool tune_idle_context() override { return ps_prune_hash(max_work_idle); }

    // Prune pass run in the packet context, using the max_work budget.
    bool tune_packet_context() override { return ps_prune_hash(max_work); }

private:
    size_t hash_memcap;  // cap handed to ps_init_hash by tinit()
};
155 
156 //-------------------------------------------------------------------------
157 
158 extern THREAD_LOCAL PsPegStats spstats;
159 extern THREAD_LOCAL snort::ProfileStats psPerfStats;
160 
161 struct PortscanConfig;
162 
// snort::Module for the "port_scan" configuration table (PS_NAME / PS_HELP
// above).  Everything except the two trivial getters is defined out of line
// (not in this header).
class PortScanModule : public snort::Module
{
public:
    PortScanModule();
    ~PortScanModule() override;

    // Config-table parsing hooks: begin()/end() bracket a (sub)table,
    // set() receives one parsed value.
    bool set(const char*, snort::Value&, snort::SnortConfig*) override;
    bool begin(const char*, int, snort::SnortConfig*) override;
    bool end(const char*, int, snort::SnortConfig*) override;

    // Peg counters, profiling stats and the builtin rule map
    // (the PSNG_* sid / _STR pairs above) exposed to the framework.
    const PegInfo* get_pegs() const override;
    PegCount* get_counts() const override;
    snort::ProfileStats* get_profile() const override;
    const snort::RuleMap* get_rules() const override;

    // Every port_scan alert is raised under generator id GID_PORT_SCAN (122);
    // the PSNG_* values above are the sids within that generator.
    unsigned get_gid() const override { return GID_PORT_SCAN; }

    // Returns the parsed PortscanConfig; who owns it afterwards is decided in
    // the out-of-line definition and is not visible here.
    PortscanConfig* get_data();

    // FIXIT-M this should eventually be CONTEXT.
    // Set to GLOBAL so this isn't selected away when inspection policy switches
    Usage get_usage() const override { return GLOBAL; }

private:
    // Selects the alert-config slot addressed by fqn (presumably the
    // fully-qualified table name passed to set()/begin()/end()).
    PS_ALERT_CONF* get_alert_conf(const char* fqn);
    PortscanConfig* config;
};
192 
193 #endif
194 
195