/* DO NOT EDIT THIS FILE. EDIT THE ORIGINAL SOURCE FILES INSTEAD AND RUN make */
#ifndef _SPP_ANOMSENSOR_H
#define _SPP_ANOMSENSOR_H
/*********************************************************************
anomsensor.h, distributed as part of Spade v092200.1
Author: James Hoagland, Silicon Defense (hoagland@SiliconDefense.com)
copyright (c) 2000,2001 by Silicon Defense (http://www.silicondefense.com/)
Released under GNU General Public License, see the COPYING file included
with the distribution or http://www.silicondefense.com/spice/ for details.
anomsensor.h contains the types and some macro function declarations that
are used in the tree in Spade
Please send complaints, kudos, and especially improvements and bugfixes to
hoagland@SiliconDefense.com. As described in GNU General Public License, no
warranty is expressed for this program.
*********************************************************************/
#ifndef ANOMSENSOR_H
#define ANOMSENSOR_H
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
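/* Fixed-width unsigned types used by the tree code. The original text
 * assumed that `unsigned int` and `unsigned short` are exactly 32 and 16
 * bits wide (its own comments say so); the C99 <stdint.h> types state that
 * requirement explicitly instead of relying on the platform. This file
 * already depends on C99 (`//` comments below). */
typedef uint32_t u32;
#define MAX_U32 UINT32_MAX
typedef uint16_t u16;
#define MAX_U16 UINT16_MAX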
/* the packet features a tree can be keyed on: source IP, destination IP,
 * source port, destination port (presumably the features enum is used as
 * the index into the NUM_FEATURES-sized arrays below — confirm in the .c) */
typedef enum _features { SIP, DIP, SPORT, DPORT } features;
/* must equal the number of enumerators in features; kept in sync by hand */
#define NUM_FEATURES 4
/*typedef enum _features { SIP, DIP, SPORT, DPORT, TTL, WIN } features;
#define NUM_FEATURES 6*/
/* printable name for each feature, defined in one of the .c files */
extern const char *featurename[NUM_FEATURES];
/* node of a feature-combination structure: one link and one double value per
 * feature. How next[]/val[] are indexed and who allocates/frees these nodes
 * is established in the .c code, not here.
 * NOTE(review): featcomb is a typedef of a *pointer* to the struct, so a
 * variable of type featcomb is a pointer although its name does not say so. */
typedef struct _featcomb {
struct _featcomb *next[NUM_FEATURES];
double val[NUM_FEATURES];
} *featcomb;
/* index type into memory block data structures (the two-level ROOT_M / INT_M /
 * LEAF_M tables addressed by the tree(), intnode() and leafnode() macros) */
typedef u32 mindex;
/* mindex used with top bit indicating if one of two datatypes is present
 * (intnode vs. leafnode); presumably DMINDEXMASK selects/clears that bit —
 * confirm in the .c code */
typedef u32 dmindex;
/* the type of the values of the features */
typedef u32 valtype;
/* root record of one tree: its node and the feature it is keyed on */
typedef struct _treeroot {
mindex next; /* link to another treeroot; also reused as the free-list
link by rfreenext() when the record is unused */
dmindex root; /* root node, if top bit is 1, it is a leafnode */
features type; /* the feature this tree is keyed on */
} treeroot;
/* interior node of a tree; children are dmindex values, so each may be either
 * another intnode or a leafnode depending on its top bit */
typedef struct _intnode {
double sum; /* presumably the aggregate count below this node — confirm */
valtype sortpt; /* presumably the split value; NOT_A_SORTPT is the reserved
"no sortpt" value */
dmindex left; /* left and right node, if top bit is 1,
it is a leafnode; left is also reused as the free-list link by ifreenext() */
dmindex right;
u16 wait; /* the number of additions to the subtree to wait
till checking for rebalancing */
} intnode;
/* leaf of a tree: one observed feature value and its (fractional, since it
 * is a double) count */
typedef struct _leafnode {
double count;
valtype value;
mindex nexttree; /* index of a treeroot associated with this leaf;
also reused as the free-list link by lfreenext() */
} leafnode;
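/* Node storage is a two-level table: the low *_BLOCK_BITS bits of an index
 * select the slot within a block and the remaining high bits select the
 * block. The *_BLOCK_BITS constants are defined outside this header.
 * Every macro argument is parenthesized so that a compound argument such as
 * tree(base+off) or root_index(p+1,0) is treated as one operand instead of
 * being split apart by operator precedence at the expansion site. */
/* number of entries in a block addressed by b bits (b must be < 31) */
#define bits2blocksize(b) (1 << (b))
/* treeroot blocks (ROOT_M) */
#define ROOT_BLOCK_SIZE bits2blocksize(ROOT_BLOCK_BITS)
#define ROOT_BLOCK_MASK ((1 << ROOT_BLOCK_BITS) -1)
/* the treeroot stored at index i */
#define tree(i) ROOT_M[(i)>>ROOT_BLOCK_BITS][(i)&ROOT_BLOCK_MASK]
/* the index of slot i within block p */
#define root_index(p,i) (((p)<<ROOT_BLOCK_BITS)+(i))
/* intnode blocks (INT_M) */
#define INT_BLOCK_SIZE bits2blocksize(INT_BLOCK_BITS)
#define INT_BLOCK_MASK ((1 << INT_BLOCK_BITS) -1)
#define intnode(i) INT_M[(i)>>INT_BLOCK_BITS][(i)&INT_BLOCK_MASK]
#define intnode_index(p,i) (((p)<<INT_BLOCK_BITS)+(i))
/* leafnode blocks (LEAF_M) */
#define LEAF_BLOCK_SIZE bits2blocksize(LEAF_BLOCK_BITS)
#define LEAF_BLOCK_MASK ((1 << LEAF_BLOCK_BITS) -1)
#define leafnode(i) LEAF_M[(i)>>LEAF_BLOCK_BITS][(i)&LEAF_BLOCK_MASK]
#define leafnode_index(p,i) (((p)<<LEAF_BLOCK_BITS)+(i))
/* free-list links: an unused node of each kind reuses one of its own fields
 * to hold the index of the next free node of the same kind */
#define rfreenext(n) (n).next
#define ifreenext(n) (n).left
#define lfreenext(n) (n).nexttree
/* something of valtype that cannot be a sortpt */
#define NOT_A_SORTPT MAX_U32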
/* globals defined in the tree implementation (.c); declared here so the
 * macros above can reference them */
extern mindex TNULL; /* presumably the "no node" index value — confirm */
extern dmindex DMINDEXMASK; /* presumably the mask for the leaf/intnode
top bit of a dmindex — confirm */
/* the two-level node tables indexed by tree(), intnode() and leafnode() */
extern treeroot **ROOT_M;
extern intnode **INT_M;
extern leafnode **LEAF_M;
/* heads of the free lists threaded through rfreenext/ifreenext/lfreenext */
extern mindex root_freelist;
extern mindex int_freelist;
extern mindex leaf_freelist;
#endif
/*********************************************************************
anomsensor_plug.h, distributed as part of Spade v092200.1
Author: James Hoagland, Silicon Defense (hoagland@SiliconDefense.com)
copyright (c) 2000 by Silicon Defense (http://www.silicondefense.com/)
Released under GNU General Public License, see the COPYING file included
with the distribution or http://www.silicondefense.com/spice/ for details.
anomsensor_plug.h is the header file for anomsensor_plug.c.
Please send complaints, kudos, and especially improvements and bugfixes to
hoagland@SiliconDefense.com. As described in GNU General Public License, no
warranty is expressed for this program.
*********************************************************************/
#ifndef __SPP_ANOMSENSOR_H__
#define __SPP_ANOMSENSOR_H__
#include "snort.h"
#ifndef WIN32
#include <netinet/in.h>
#endif
#include <signal.h>
#include <math.h>
#define SPP_ANOMSENSOR_ENABLED 1
/* a size_t interval so large that it is effectively "never"; offered as an
 * alternative SCALE_FREQ (see the commented-out line below) */
#define ALMOST_NEVER ((size_t)3999999999)
/* at what size to discard any value in the tree; each observed instance
adds one but it is multiplied by SCALE_FACTOR every SCALE_FREQ seconds */
/* these values are coordinated to have a half life of 3 days and to have a
single instance discarded after a little over a week */
#define MIN_NODE_SIZE 0.18
/* the frequency of scaling, in seconds (14400 s = 4 hours) */
#define SCALE_FREQ ((size_t)14400)
//#define SCALE_FREQ ALMOST_NEVER
/* the amount by which to scale */
#define SCALE_FACTOR 0.96409
/* singly linked list node holding one double; built by new_link() and
 * released by free_links() */
typedef struct _ll_double {
double val;
struct _ll_double *next;
} ll_double;
/* doubly linked list node holding one double; built by new_dlink() and
 * released by free_dlinks() */
typedef struct _dll_double {
double val;
struct _dll_double *prev;
struct _dll_double *next;
} dll_double;
/* singly linked list of networks (address plus mask), produced by
 * create_netlist(). NOTE(review): u_long is a BSD/sys/types.h type rather
 * than standard C; its width varies by platform, so whether it always holds
 * an IPv4 address in the expected byte order must be checked in the .c */
typedef struct _ll_net {
u_long netaddr;
u_long netmask;
struct _ll_net *next;
} ll_net;
/* list of function prototypes for this preprocessor */
/* Snort preprocessor entry points. Going by the names, each Spade variant
 * (Stat, Threshlearn, Adapt, Adapt2, Adapt3, Survey) has an *Init function
 * receiving the raw argument string, a Parse*Args function that parses it
 * and a Preproc* function invoked per Packet; what each actually does is
 * defined in anomsensor_plug.c, not here.
 * NOTE(review): declarations with empty parentheses (e.g. SetupSpade()) are
 * old-style non-prototype declarations, so the compiler cannot check the
 * arguments at call sites; `(void)` would turn them into real prototypes. */
void SetupSpade();
void SpadeInit(u_char *);
void ParseSpadeArgs(char *);
void PreprocSpade(Packet *);
void SpadeHomenetInit(u_char *args);
void SpadeStatInit(u_char *args);
void ParseSpadeStatArgs(char *args);
void SpadeThreshlearnInit(u_char *args);
void ParseSpadeThreshlearnArgs(char *args);
void PreprocSpadeThreshlearn(Packet *p);
void SpadeAdaptInit(u_char *args);
void ParseSpadeAdaptArgs(char *args);
void PreprocSpadeAdapt(Packet *p);
void SpadeAdapt2Init(u_char *args);
void ParseSpadeAdapt2Args(char *args);
void PreprocSpadeAdapt2(Packet *p);
void SpadeAdapt3Init(u_char *args);
void ParseSpadeAdapt3Args(char *args);
void PreprocSpadeAdapt3(Packet *p);
void SpadeSurveyInit(u_char *args);
void ParseSpadeSurveyArgs(char *args);
void PreprocSpadeSurvey(Packet *p);
/* signal handler and shutdown hook */
void SpadeCatchSig(int signal,void *arg);
void CleanUpSpade(int);
/* include other functions from anomsensor_plug.c */
/* builds an ll_net list from count network strings; presumably the caller
 * owns the returned list — confirm in anomsensor_plug.c */
ll_net *create_netlist(char *nets[],int count);
/* threshold adaptation steps (non-prototype declarations, see above) */
void do_adapt();
void do_adapt3();
double calc_new_thresh();
double thresh_from_obslists();
/* mean of the first size entries of a[] */
double anom_ave(double a[],int size);
void reset_obslist(int slot);
/* list-node allocation and release; free_* walk the list from start */
dll_double *new_dlink(double val);
void free_dlinks(dll_double *start);
ll_double * new_link(double val);
void free_links(ll_double *start);
double survey_ostat(double loc);
/* per-packet work: the int result of record_maybe_skip and the exact
 * meaning of val[] (presumably NUM_FEATURES entries) are defined in the .c */
int record_maybe_skip(Packet *p);
double calc_anom(valtype val[]);
void record_packet(Packet *p,valtype val[]);
void set_new_threshold(double t);
#endif /* ! __SPP_ANOMSENSOR_H__ */