snort  2.9.17
About: Snort is a network intrusion prevention and detection system (IDS/IPS) combining the benefits of signature, protocol and anomaly-based inspection.

spp_sfportscan.c File Reference
#include <assert.h>
#include <sys/types.h>
#include <errno.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include "decode.h"
#include "encode.h"
#include "plugbase.h"
#include "generators.h"
#include "event_wrapper.h"
#include "util.h"
#include "ipobj.h"
#include "checksum.h"
#include "packet_time.h"
#include "snort.h"
#include "sfthreshold.h"
#include "sfsnprintfappend.h"
#include "sf_iph.h"
#include "session_api.h"
#include "sfdaq.h"
#include "portscan.h"
#include "profiler.h"
#include "reload.h"


Macros

#define DELIMITERS   " \t\n"
 
#define TOKEN_ARG_BEGIN   "{"
 
#define TOKEN_ARG_END   "}"
 
#define PROTO_BUFFER_SIZE   256
 
#define IPPROTO_PS   0xFF
 

Functions

static void PortscanResetFunction (int signal, void *foo)
 
static void PortscanResetStatsFunction (int signal, void *foo)
 
static void ParsePortscan (struct _SnortConfig *, PortscanConfig *, char *)
 
static void PortscanFreeConfigs (tSfPolicyUserContextId)
 
static void PortscanFreeConfig (PortscanConfig *)
 
static void PortscanOpenLogFile (struct _SnortConfig *, void *)
 
static int PortscanGetProtoBits (int)
 
static int PortscanPacketInit (void)
 
void PortscanCleanExitFunction (int signal, void *foo)
 
static int MakeProtoInfo (PS_PROTO *proto, u_char *buffer, u_int *total_size)
 
static int LogPortscanAlert (Packet *p, const char *msg, uint32_t event_id, uint32_t event_ref, uint32_t gen_id, uint32_t sig_id)
 
static int GeneratePSSnortEvent (Packet *p, uint32_t gen_id, uint32_t sig_id, uint32_t sig_rev, uint32_t class, uint32_t priority, const char *msg)
 
static int GenerateOpenPortEvent (Packet *p, uint32_t gen_id, uint32_t sig_id, uint32_t sig_rev, uint32_t class, uint32_t pri, uint32_t event_ref, struct timeval *event_time, const char *msg)
 
static int MakeOpenPortInfo (PS_PROTO *proto, u_char *buffer, u_int *total_size, void *user)
 
static int MakePortscanPkt (PS_PKT *ps_pkt, PS_PROTO *proto, int proto_type, void *user)
 
static int PortscanAlertTcp (Packet *p, PS_PROTO *proto, int proto_type)
 
static int PortscanAlertUdp (Packet *p, PS_PROTO *proto, int proto_type)
 
static int PortscanAlertIp (Packet *p, PS_PROTO *proto, int proto_type)
 
static int PortscanAlertIcmp (Packet *p, PS_PROTO *proto, int proto_type)
 
static int PortscanAlert (PS_PKT *ps_pkt, PS_PROTO *proto, int proto_type)
 
static void PortscanDetect (Packet *p, void *context)
 
static void FatalErrorNoOption (u_char *option)
 
static void FatalErrorNoEnd (char *option)
 
static void FatalErrorInvalidArg (char *option)
 
static void FatalErrorInvalidOption (char *option)
 
static void ParseProtos (int *protos, char **savptr)
 
static void ParseScanType (int *scan_types, char **savptr)
 
static void ParseSenseLevel (int *sense_level, char **savptr)
 
static void ParseIpList (IPSET **ip_list, char *option, char **savptr)
 
static void ParseMemcap (unsigned long *memcap, char **savptr)
 
static void PrintIPPortSet (IP_PORT *p)
 
static void PrintPortscanConf (int detect_scans, int detect_scan_type, int sense_level, IPSET *scanner, IPSET *scanned, IPSET *watch, unsigned long memcap, char *logpath, int disabled)
 
static void ParseLogFile (struct _SnortConfig *sc, PortscanConfig *config, char **savptr)
 
static void PortscanInit (struct _SnortConfig *sc, char *args)
 
void SetupSfPortscan (void)
 
static int PortscanFreeConfigPolicy (tSfPolicyUserContextId config, tSfPolicyId policyId, void *pData)
 

Variables

char * file_name
 
int file_line
 
tSfPolicyUserContextId portscan_config = 0
 
PortscanConfig * portscan_eval_config = 0
 
static Packet * g_tmp_pkt = 0
 
static FILE * g_logfile = 0
 

Macro Definition Documentation

◆ DELIMITERS

#define DELIMITERS   " \t\n"

File license header (Doxygen attached it to the first macro in the file; it applies to the whole of spp_sfportscan.c): Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved. Copyright (C) 2004-2013 Sourcefire, Inc.

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License Version 2 as published by the Free Software Foundation. You may not use, modify or distribute this program under any other version of the GNU General Public License.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.

Definition at line 84 of file spp_sfportscan.c.

◆ IPPROTO_PS

#define IPPROTO_PS   0xFF

Note: the description below was attached to this macro by Doxygen, but it documents PortscanPacketInit() (defined at line 135, immediately after this macro). IPPROTO_PS itself is the protocol value the preprocessor uses for its synthesized alert packet; 0xFF is the IANA "Reserved" protocol number, presumably chosen so the pseudo-packet cannot be confused with a real transport protocol (verify against MakePortscanPkt()).

PortscanPacketInit(): initialize the Packet structure buffer (g_tmp_pkt) so the preprocessor can generate its alert packets for portscan events. The various fields of the Packet structure are initialized and the hardware layer is set so that user interfaces can identify the packet easily.

Returns
int
Return values
!0 — initialization failed
0 — success

Definition at line 133 of file spp_sfportscan.c.

◆ PROTO_BUFFER_SIZE

#define PROTO_BUFFER_SIZE   256

Definition at line 88 of file spp_sfportscan.c.

◆ TOKEN_ARG_BEGIN

#define TOKEN_ARG_BEGIN   "{"

Definition at line 85 of file spp_sfportscan.c.

◆ TOKEN_ARG_END

#define TOKEN_ARG_END   "}"

Definition at line 86 of file spp_sfportscan.c.

Function Documentation

◆ FatalErrorInvalidArg()

static void FatalErrorInvalidArg ( char *  option)
static

Definition at line 881 of file spp_sfportscan.c.

References FatalError(), file_line, and file_name.

Referenced by ParseIpList(), ParseMemcap(), ParseProtos(), ParseScanType(), and ParseSenseLevel().

◆ FatalErrorInvalidOption()

static void FatalErrorInvalidOption ( char *  option)
static

Definition at line 887 of file spp_sfportscan.c.

References FatalError(), file_line, and file_name.

Referenced by ParsePortscan().

◆ FatalErrorNoEnd()

static void FatalErrorNoEnd ( char *  option)
static

Definition at line 875 of file spp_sfportscan.c.

References FatalError(), file_line, and file_name.

Referenced by ParseMemcap(), ParseProtos(), ParseScanType(), and ParseSenseLevel().

◆ FatalErrorNoOption()

static void FatalErrorNoOption ( u_char *  option)
static

Definition at line 869 of file spp_sfportscan.c.

References FatalError(), file_line, and file_name.

Referenced by ParsePortscan().

◆ GenerateOpenPortEvent()

static int GenerateOpenPortEvent ( Packet *  p,
uint32_t  gen_id,
uint32_t  sig_id,
uint32_t  sig_rev,
uint32_t  class,
uint32_t  pri,
uint32_t  event_ref,
struct timeval *  event_time,
const char *  msg 
)
static

Open port events have to be generated differently from the other portscan events because they are tagged to (cross-referenced with) the original portscan event through event_ref. Per the references below, the event is still passed through sfthreshold_test() before it is logged, so the configured event thresholding appears to apply to open-port events as well — confirm against the definition.

Returns
int
Return values
0 — success

Definition at line 327 of file spp_sfportscan.c.

References CallLogFuncs(), g_logfile, GET_DST_IP, GET_SRC_IP, LogPortscanAlert(), NULL, _Packet::pkth, SetEvent(), sfthreshold_reset(), and sfthreshold_test().

Referenced by PortscanAlert(), and PortscanAlertTcp().

◆ GeneratePSSnortEvent()

static int GeneratePSSnortEvent ( Packet *  p,
uint32_t  gen_id,
uint32_t  sig_id,
uint32_t  sig_rev,
uint32_t  class,
uint32_t  priority,
const char *  msg 
)
static

◆ LogPortscanAlert()

static int LogPortscanAlert ( Packet *  p,
const char *  msg,
uint32_t  event_id,
uint32_t  event_ref,
uint32_t  gen_id,
uint32_t  sig_id 
)
static

◆ MakeOpenPortInfo()

static int MakeOpenPortInfo ( PS_PROTO *  proto,
u_char *  buffer,
u_int *  total_size,
void *  user 
)
static

Write the open-port information into the alert payload for open port alerts. Per the references below, the payload appears to be built with bounded formatting (SnortSnprintf() / SnortStrnlen()) against PROTO_BUFFER_SIZE and _Packet::max_dsize, i.e. writes into g_tmp_pkt's data area are size-checked — verify against the definition before relying on it.

Returns
integer

Definition at line 389 of file spp_sfportscan.c.

References buffer, _Packet::dsize, g_tmp_pkt, _Packet::max_dsize, PROTO_BUFFER_SIZE, SnortSnprintf(), and SnortStrnlen().

Referenced by MakePortscanPkt().

◆ MakePortscanPkt()

◆ MakeProtoInfo()

static int MakeProtoInfo ( PS_PROTO *  proto,
u_char *  buffer,
u_int *  total_size 
)
static

This routine builds the portscan payload for the events. The listed info is:

  • priority count (number of error transmissions: RST / ICMP UNREACH)
  • connection count (number of protocol connections, e.g. SYN)
  • ip count (number of IPs that communicated with the host)
  • ip range (low to high range of IPs)
  • port count (number of port changes that occurred on the host)
  • port range (low to high range of ports connected to)
Returns
integer
Return values
-1 — buffer not large enough
0 — successful

Definition at line 182 of file spp_sfportscan.c.

References s_PS_PROTO::alerts, buffer, s_PS_PROTO::connection_count, _Packet::dsize, g_tmp_pkt, s_PS_PROTO::high_ip, s_PS_PROTO::high_p, inet_ntoa, s_PS_PROTO::low_ip, s_PS_PROTO::low_p, _Packet::max_dsize, s_PS_PROTO::priority_count, PROTO_BUFFER_SIZE, PS_ALERT_PORTSWEEP, PS_ALERT_PORTSWEEP_FILTERED, SnortSnprintf(), SnortSnprintfAppend(), SnortStrnlen(), s_PS_PROTO::u_ip_count, and s_PS_PROTO::u_port_count.

Referenced by MakePortscanPkt().

◆ ParseIpList()

static void ParseIpList ( IPSET **  ip_list,
char *  option,
char **  savptr 
)
static

◆ ParseLogFile()

static void ParseLogFile ( struct _SnortConfig *  sc,
PortscanConfig *  config,
char **  savptr 
)
static

◆ ParseMemcap()

static void ParseMemcap ( unsigned long *  memcap,
char **  savptr 
)
static

Definition at line 1019 of file spp_sfportscan.c.

References DELIMITERS, FatalErrorInvalidArg(), FatalErrorNoEnd(), NULL, strtok_r(), and TOKEN_ARG_END.

Referenced by ParsePortscan().

◆ ParsePortscan()

◆ ParseProtos()

static void ParseProtos ( int *  protos,
char **  savptr 
)
static

◆ ParseScanType()

static void ParseScanType ( int *  scan_types,
char **  savptr 
)
static

◆ ParseSenseLevel()

static void ParseSenseLevel ( int *  sense_level,
char **  savptr 
)
static

◆ PortscanAlert()

◆ PortscanAlertIcmp()

◆ PortscanAlertIp()

◆ PortscanAlertTcp()

◆ PortscanAlertUdp()

◆ PortscanCleanExitFunction()

void PortscanCleanExitFunction ( int  signal,
void *  foo 
)

Definition at line 141 of file spp_sfportscan.c.

References Encode_Delete(), g_tmp_pkt, NULL, portscan_config, PortscanFreeConfigs(), and ps_cleanup().

Referenced by PortscanInit().

◆ PortscanDetect()

◆ PortscanFreeConfig()

static void PortscanFreeConfig ( PortscanConfig *  config)
static

Definition at line 1467 of file spp_sfportscan.c.

References config, ipset_free(), and NULL.

Referenced by PortscanFreeConfigPolicy().

◆ PortscanFreeConfigPolicy()

static int PortscanFreeConfigPolicy ( tSfPolicyUserContextId  config,
tSfPolicyId  policyId,
void *  pData 
)
static

Definition at line 1449 of file spp_sfportscan.c.

References config, PortscanFreeConfig(), and sfPolicyUserDataClear().

Referenced by PortscanFreeConfigs().

◆ PortscanFreeConfigs()

static void PortscanFreeConfigs ( tSfPolicyUserContextId  config)
static

◆ PortscanGetProtoBits()

static int PortscanGetProtoBits ( int  detect_scans)
static

◆ PortscanInit()

◆ PortscanOpenLogFile()

static void PortscanOpenLogFile ( struct _SnortConfig *  sc,
void *  data 
)
static

◆ PortscanPacketInit()

static int PortscanPacketInit ( void  )
static

Definition at line 135 of file spp_sfportscan.c.

References Encode_New(), and g_tmp_pkt.

Referenced by PortscanInit().

◆ PortscanResetFunction()

static void PortscanResetFunction ( int  signal,
void *  foo 
)
static

Definition at line 153 of file spp_sfportscan.c.

References ps_reset().

Referenced by PortscanInit().

◆ PortscanResetStatsFunction()

static void PortscanResetStatsFunction ( int  signal,
void *  foo 
)
static

Definition at line 158 of file spp_sfportscan.c.

Referenced by PortscanInit().

◆ PrintIPPortSet()

◆ PrintPortscanConf()

static void PrintPortscanConf ( int  detect_scans,
int  detect_scan_type,
int  sense_level,
IPSET *  scanner,
IPSET *  scanned,
IPSET *  watch,
unsigned long  memcap,
char *  logpath,
int  disabled 
)
static

◆ SetupSfPortscan()

void SetupSfPortscan ( void  )

File license header (Doxygen attached it here; it applies to the whole of spp_sfportscan.c): Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved. Copyright (C) 2004-2013 Sourcefire, Inc.

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License Version 2 as published by the Free Software Foundation. You may not use, modify or distribute this program under any other version of the GNU General Public License.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.

Definition at line 1287 of file spp_sfportscan.c.

References PortscanInit(), and RegisterPreprocessor().

Referenced by RegisterPreprocessors().

Variable Documentation

◆ file_line

◆ file_name

◆ g_logfile

FILE* g_logfile = 0
static

◆ g_tmp_pkt

◆ portscan_config

◆ portscan_eval_config