
/*
 * Configurable compile-time parameters for scanlogd.
 *
 * Everything here is a preprocessor macro, and at least some of them
 * (SCANLOGD_DEVICE, LOG_MAX_LENGTH, SCANLOGD_USER) are meant to be tested
 * with #ifdef elsewhere, so they cannot simply be turned into enums.
 * Changing any value requires a rebuild.
 *
 * NOTE(review): the guard name starts with an underscore followed by an
 * uppercase letter, which C reserves for the implementation.  Harmless in
 * practice, but SCANLOGD_PARAMS_H would be the conforming spelling.
 */

#ifndef _SCANLOGD_PARAMS_H
#define _SCANLOGD_PARAMS_H

#include <time.h>     /* not used by this header itself; presumably kept for consumers of the *_THRESHOLD values — verify */
#include <syslog.h>   /* LOG_DAEMON, LOG_ALERT used below */

/*
 * An unprivileged dummy user to run as.  The user and its UID must not be
 * used for any other purpose (that is, don't use "nobody" here).  You can
 * #undef this to let scanlogd run as root, but this is not recommended.
 *
 * Why a dedicated UID: scanlogd parses packets from the network, so a bug
 * in that path should yield nothing more than a UID that owns no files and
 * no other processes.  Sharing the UID with another service would let a
 * compromised scanlogd signal or debug that service (and vice versa).
 */
#define SCANLOGD_USER           "scanlogd"

/*
 * An empty root-owned directory to chroot to.  THE DIRECTORY AND ITS PARENT
 * DIRECTORIES MUST NOT BE WRITABLE BY ANYONE BUT ROOT.
 *
 * Empty so there is nothing inside the jail to read or execute.  The
 * write-protection requirement covers the parents as well because a
 * writable directory anywhere on the path can be renamed or replaced,
 * changing what the jailed process actually sees.
 */
#define SCANLOGD_CHROOT         "/var/empty"

/*
 * Device to monitor, if you're using libnids or libpcap directly. #undef
 * this either if you're using the raw socket interface on Linux instead,
 * or if you'd like to let libpcap autodetect this for you.
 *
 * Recent versions of libpcap support magic device name "any" and recent
 * libnids supports magic device name "all".
 *
 * Autodetection picks whatever libpcap considers the first usable
 * interface; on multi-homed hosts name the interface explicitly so the
 * monitored side is the one you intend.
 */
#undef SCANLOGD_DEVICE

/*
 * Whether we want scanlogd to set the device into promiscuous mode, for
 * use with libpcap.
 *
 * 0 captures only traffic addressed to this host.  Set to 1 when the
 * interface is fed a mirror/span of other hosts' traffic; it costs more
 * packets for the filter below to discard.
 */
#define SCANLOGD_PROMISC        0

/*
 * The libpcap filter expression to use when scanlogd is built with libnids
 * or direct libpcap support.  The intent is to reduce CPU load by hopefully
 * filtering out most of the uninteresting packets at the kernel level if
 * supported by libpcap on a given platform.
 *
 * Reading the expression: tcp[13] is the TCP flags byte, so the first
 * clause drops pure ACK (0x10) and PSH+ACK (0x18) segments, i.e. the bulk
 * of an established connection's traffic, while keeping SYN, FIN, RST,
 * URG and flag-less probes.  ip[6:2] & 0x3fff covers the IPv4 MF bit and
 * fragment offset, so fragments are always passed through regardless of
 * flags — a fragment may not carry the TCP header at all, and
 * fragmentation is a classic way to hide a probe from flag-based filters.
 * Whatever this filter rejects, scanlogd never sees: loosening it is safe
 * (just slower), tightening it can hide scans.
 */
#define SCANLOGD_PCAP_FILTER \
    "tcp and " \
    "((tcp[13] != 0x10 and tcp[13] != 0x18) or ip[6:2] & 0x3fff != 0)"

/*
 * High port numbers have a lower weight to reduce the frequency of false
 * positives, such as from passive mode FTP transfers.
 *
 * From the SCAN_MAX_COUNT arithmetic below, weights are presumably summed
 * per source against SCAN_WEIGHT_THRESHOLD, so with the defaults a scan of
 * privileged ports trips the threshold three times sooner than a scan of
 * high ports only.
 */
#define PORT_WEIGHT_PRIV        3
#define PORT_WEIGHT_HIGH        1

/*
 * Port scan detection thresholds: at least COUNT ports need to be scanned
 * from the same source, with no longer than DELAY seconds between ports.
 *
 * SCAN_MAX_COUNT is SCAN_MIN_COUNT privileged ports' worth of weight
 * (7 * 3 = 21) and doubles as the weight threshold.  Raising COUNT reduces
 * false positives at the cost of missing small scans; DELAY bounds how
 * slowly a scan may proceed and still be correlated — probes spaced more
 * than SCAN_DELAY_THRESHOLD seconds apart are, by design, not chained
 * together, so a deliberately slow scan will not be reported here.
 */
#define SCAN_MIN_COUNT          7
#define SCAN_MAX_COUNT          (SCAN_MIN_COUNT * PORT_WEIGHT_PRIV)
#define SCAN_WEIGHT_THRESHOLD       SCAN_MAX_COUNT
#define SCAN_DELAY_THRESHOLD        3

/*
 * Log flood detection thresholds: temporarily stop logging if more than
 * COUNT port scans are detected with no longer than DELAY seconds between
 * them.
 *
 * This bounds how much syslog traffic a remote party can provoke (scans
 * from many spoofed sources, for instance).  The flip side: while
 * suppression is active, real scans go unlogged, so noise can mask a
 * quieter scan.  Size these to what your log pipeline can absorb rather
 * than leaving the defaults unexamined.
 */
#define LOG_COUNT_THRESHOLD     5
#define LOG_DELAY_THRESHOLD     20

/*
 * Log line length limit, such as to fit into one SMS message. #undef this
 * for no limit.
 *
 * 160 is the SMS payload size; the 40 bytes reserved are presumably for
 * the syslog prefix (timestamp, host, ident) — check against your
 * syslogd's actual format.  A line over the limit is presumably cut short,
 * so the logged port list may not name every port probed.
 */
#define LOG_MAX_LENGTH          (160 - 40)

/*
 * You might want to adjust these for using your tiny append-only log file.
 *
 * LOG_DAEMON and LOG_ALERT come from <syslog.h>.  Whatever facility and
 * level you choose, route the result somewhere append-only or off-host:
 * a detected scan is frequently the prelude to an attempt that, if
 * successful, would otherwise be able to edit local logs.
 */
#define SYSLOG_IDENT            "scanlogd"
#define SYSLOG_FACILITY         LOG_DAEMON
#define SYSLOG_LEVEL            LOG_ALERT

/*
 * Keep track of up to LIST_SIZE source addresses, using a hash table of
 * HASH_SIZE entries for faster lookups, but limiting hash collisions to
 * HASH_MAX source addresses per the same hash value.
 *
 * HASH_SIZE is derived from HASH_LOG (2^9 = 512 buckets, more than the
 * 256 list entries, so chains are normally short); keep HASH_LOG the knob
 * and leave HASH_SIZE a power of two in case the lookup code masks with
 * HASH_SIZE - 1 (not visible from this header).  Bounding both the list
 * and the per-bucket chain keeps memory fixed and lookups O(HASH_MAX) no
 * matter how many distinct (possibly spoofed) sources appear; the cost is
 * that state for older sources is presumably evicted under pressure, which
 * a scan spread across many decoy addresses could exploit to avoid being
 * correlated — another reason not to shrink these.
 */
#define LIST_SIZE           0x100
#define HASH_LOG            9
#define HASH_SIZE           (1 << HASH_LOG)
#define HASH_MAX            0x10

#endif