flowps_snort.c

入侵检测SNORT.最近更新的基于网络检测的IDS.希望能给大家带来方便.

/****************************************************************************
 *
 * Copyright (C) 2003-2008 Sourcefire, Inc.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License Version 2 as
 * published by the Free Software Foundation.  You may not use, modify or
 * distribute this program under any other version of the GNU General
 * Public License.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 *
 ****************************************************************************/
 
/**
 * @file   flowps_snort.c
 * @author Chris Green <cmg@sourcefire.com>
 * @date   Fri Jun  6 14:49:30 2003
 * 
 * @brief  interface between snort & portscan
 * 
 * Implements the basic functionality required for snort+flow to
 * interact with a portscan procesor that accepts flow events from the
 * flow preprocessor.
 */


#include "debug.h"    /* DEBUG_WRAP */
#include "plugbase.h" /* RegisterPreprocesor */
#include "parser.h"   /* file_name, file_line */
#include "snort.h"
#include "util.h"

#include "scoreboard.h"
#include "server_stats.h"

#include "spp_flow.h" /* make sure that spp_flow is enabled */
#include "flowps.h"
#include "flowps_snort.h"

#include "packet_time.h"
#include "event_wrapper.h"
#include "generators.h"
#include "common_defs.h"
#include "util_str.h"
#include "util_net.h"
#include "util.h"

#ifndef WIN32
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#endif /* WIN32 */

#include <stdlib.h>
#include <ctype.h>

#define PSDEFAULT_SB_ROWS_ACTIVE        1000000
#define PSDEFAULT_SB_MEMCAP_ACTIVE      (ONE_MBYTE * 24)
#define PSDEFAULT_SB_ROWS_SCANNER       (PSDEFAULT_SB_ROWS_ACTIVE/4)
#define PSDEFAULT_SB_MEMCAP_SCANNER     (PSDEFAULT_SB_MEMCAP_ACTIVE/4)
#define PSDEFAULT_UT_ROWS               1000000
#define PSDEFAULT_UT_MEMCAP             (ONE_MBYTE * 24)
#define PSDEFAULT_SERVER_ROWS           (1 << 16) /* 65536 */
#define PSDEFAULT_SERVER_MEMCAP         (ONE_MBYTE * 2)
#define PSDEFAULT_SERVER_LEARNING_TIME  (ONE_HOUR * 8)
#define PSDEFAULT_SERVER_IGNORE_LIMIT   500
#define PSDEFAULT_SERVER_SCANNER_LIMIT  500
#define PSDEFAULT_BASE_SCORE            1
#define PSDEFAULT_ALERT_ONCE            1
#define PSDEFAULT_OUTPUT_MODE           VARIABLEMSG

/** 25% of the memory will be the scanner table */

#define PSDEFAULT_TCP_PENALTIES  1     /**< enable TCP penalities by default */

/* default limits for thresholds */
#define PSTALKER_FIXED_SIZE     30
#define PSTALKER_SLIDING_SIZE   30    /**< window frame */
#define PSTALKER_SLIDING_SCORE  30    /**< pt tally */
#define PSTALKER_FIXED_SCORE    15    /**< pt tally */
#define PSTALKER_WINDOW_SCALE   (0.5) /**< multiplier for wsize*/

#define PSSCANNER_FIXED_SIZE     15
#define PSSCANNER_SLIDING_SIZE   20    /**< window frame */
#define PSSCANNER_SLIDING_SCORE  40    /**< pt tally */
#define PSSCANNER_FIXED_SCORE    15    /**< pt tally */
#define PSSCANNER_WINDOW_SCALE   (0.5) /**< multiplier for wsize*/

#define FLOWPSMAXPKTSIZE        (IP_MAXPACKET - (IP_HEADER_LEN + ETHERNET_HEADER_LEN))

static PS_TRACKER s_tracker; /* snort's portscan stracker */
static int s_debug = 0;
static Packet *s_pkt = NULL;  /* pktkludge output mechanism */
     
void FlowPSRestart(int signal, void *data);
void FlowPSCleanExit(int signal, void *data);
static void FlowPSInit(char *args);
static void FlowPSParseArgs(PS_CONFIG *config , char *args);
static int flowps_generate_flow_event(SCORE_ENTRY *sep, FLOWPACKET *p, u_int32_t *address, FLOWPS_OUTPUT output_type, time_t cur);
static int flowps_init_pkt(void);
 /* pktkludge output system! */
static Packet *flowps_mkpacket(SCORE_ENTRY *sep, FLOWPACKET *orig_packet, u_int32_t *address, time_t cur);


void FlowPSSetDefaults(PS_CONFIG *config)
{
    flowps_mkconfig(config,
                    PSDEFAULT_SB_MEMCAP_ACTIVE,
                    PSDEFAULT_SB_ROWS_ACTIVE,
                    PSDEFAULT_SB_MEMCAP_SCANNER,
                    PSDEFAULT_SB_ROWS_SCANNER,
                    PSDEFAULT_UT_MEMCAP,
                    PSDEFAULT_UT_ROWS,
                    PSDEFAULT_SERVER_MEMCAP,
                    PSDEFAULT_SERVER_ROWS,
                    PSDEFAULT_SERVER_LEARNING_TIME,
                    PSDEFAULT_TCP_PENALTIES,
                    PSDEFAULT_SERVER_IGNORE_LIMIT,
                    PSDEFAULT_SERVER_SCANNER_LIMIT,
                    PSDEFAULT_BASE_SCORE,
                    PSDEFAULT_ALERT_ONCE,
                    PSDEFAULT_OUTPUT_MODE);

    
    flowps_mkthreshold(&config->limit_talker, /* threshold obj */
                       PSTALKER_FIXED_SIZE,  /* default fixed window */
                       PSTALKER_FIXED_SCORE, /* default fixed limit */
                       PSTALKER_SLIDING_SIZE, /* default sliding size */
                       PSTALKER_SLIDING_SCORE,
                       PSTALKER_WINDOW_SCALE); 

    flowps_mkthreshold(&config->limit_scanner, /* threshold obj */
                       PSSCANNER_FIXED_SIZE,  /* default fixed window */
                       PSSCANNER_FIXED_SCORE, /* default fixed limit */
                       PSSCANNER_SLIDING_SIZE, /* default sliding size */
                       PSSCANNER_SLIDING_SCORE,
                       PSSCANNER_WINDOW_SCALE);
}

void SetupFlowPS(void)
{
    RegisterPreprocessor("flow-portscan", FlowPSInit);
}

/** 
 * Display what the underlying tidbits think the config is
 * 
 * @param trackerp grab the configuration info from the portscan tracker
 */
static void FlowPSOutputConfig(PS_TRACKER *trackerp)
{
    if(pv.quiet_flag)
        return;

    flow_printf(",-----------[flow-portscan config]-------------\n");
    flow_printf("| TCP Penalties:  %s\n", trackerp->config.tcp_penalties ? "On": "Off");
    flow_printf("|    Ouput Mode:  %s\n",
                (trackerp->config.output_mode == VARIABLEMSG) ? "msg" : "pktkludge");
    flow_printf("|    Base Score:  %d\n", trackerp->config.base_score);
    
    flow_printf("+----------------------------------------------\n");
    flow_printf("| Scoreboard:  ACTIVE         PORTSCANNER\n");
    flow_printf("|     memcap:  %-8d         %-8d\n",
                scoreboard_memcap(&trackerp->table_active),
                scoreboard_memcap(&trackerp->table_scanner));
    flow_printf("|       rows:  %-8d         %-8d\n",
                scoreboard_row_count(&trackerp->table_active),
                scoreboard_row_count(&trackerp->table_scanner));
    flow_printf("|   overhead:  %-8d(%%%.02f) %-8d(%%%.02f)\n",
                scoreboard_overhead_bytes(&trackerp->table_active),
                calc_percent(scoreboard_overhead_bytes(&trackerp->table_active),
                             scoreboard_memcap(&trackerp->table_active)),
                scoreboard_overhead_bytes(&trackerp->table_scanner),
                calc_percent(scoreboard_overhead_bytes(&trackerp->table_scanner),
                             scoreboard_memcap(&trackerp->table_scanner)));

    flow_printf("|      fixed-size:    %-4ds        %-4ds\n",
                trackerp->config.limit_talker.fixed_size,
                trackerp->config.limit_scanner.fixed_size);
    flow_printf("|    sliding-size:    %-4ds        %-4ds\n",
                trackerp->config.limit_talker.sliding_size,
                trackerp->config.limit_scanner.sliding_size);
    flow_printf("| threshold-fixed:    %-4u         %-4u\n",
                trackerp->config.limit_talker.fixed,
                trackerp->config.limit_scanner.fixed);
    flow_printf("| threshold-sliding:  %-4u         %-4u\n",
                trackerp->config.limit_talker.sliding,
                trackerp->config.limit_scanner.sliding);
    flow_printf("|      window scale:  %-.2lf         %-.2lf\n",
                trackerp->config.limit_talker.window_scale,
                trackerp->config.limit_scanner.window_scale);
    
    
    flow_printf("+----------------------------------------------\n");
    flow_printf("|   Uniqueness:  memcap: %8d rows: %8d\n",
               ut_memcap(&trackerp->unique_tracker),
               ut_row_count(&trackerp->unique_tracker));
    flow_printf("|      overhead: %d (%%%.02f)\n",               
                ut_overhead_bytes(&trackerp->unique_tracker),
                calc_percent(ut_overhead_bytes(&trackerp->unique_tracker),
                             ut_memcap(&trackerp->unique_tracker)));
    
    if(flowps_server_stats_enabled(trackerp) == FLOW_SUCCESS)
    {
        flow_printf("+----------------------------------------------\n");        
        flow_printf("| Server Stats:  memcap: %8d rows: %8d\n",
                    server_stats_memcap(&trackerp->server_stats),
                    server_stats_row_count(&trackerp->server_stats));
        flow_printf("|      overhead: %d (%%%.02f)\n",               
                    server_stats_overhead_bytes(&trackerp->server_stats),
                    calc_percent(server_stats_overhead_bytes(&trackerp->server_stats),
                                 server_stats_memcap(&trackerp->server_stats)));
        flow_printf("|   learning time: %d\n",
                    trackerp->config.server_learning_time);
        flow_printf("|    ignore limit: %u\n",
                    trackerp->config.server_ignore_limit);
        flow_printf("|   scanner limit: %u\n",
                    trackerp->config.server_scanner_limit);
        
        
    }
    else
    {
        flow_printf("| Server Stats: Disabled\n");
    }

    flow_printf("`----------------------------------------------\n");
}
     


/** 
 * Initialize the configuration of the flow preprocessor
 * 
 * @param args command line arguments from snort.conf
 */
static void FlowPSInit(char *args)
{
    static int init_once = 0;    
    int ret;

    PS_TRACKER *pstp = &s_tracker;
    PS_CONFIG  tconfig;

    if(flowps_init_pkt())
    {
        FatalError("Error initializing flowps packet!\n");
    }
    
    if(!SppFlowIsRunning())
    {
        FatalError("%s(%d) flow-portscan requires spp_flow to be enabled!\n",
                        file_name, file_line);
    }
    
    if(init_once)
    {
        FatalError("%s(%d) Unable to reinitialize flow-portscan!\n",
                        file_name, file_line);
    }
    else
    {
        init_once = 1;
    }

    FlowPSSetDefaults(&tconfig);

    FlowPSParseArgs(&tconfig, args);

    
    if((ret = flowps_init(pstp, &tconfig)) != FLOW_SUCCESS)
    {
        FatalError("Unable to initialize the flow cache!"
                        "-- try more memory (current memcap is %d)\n",
                        tconfig.sb_memcap_total);
    }

    FlowPSOutputConfig(pstp);
    
    AddFuncToPreprocCleanExitList(FlowPSCleanExit, NULL, PRIORITY_LAST, PP_FLOW);
    AddFuncToPreprocRestartList(FlowPSRestart, NULL, PRIORITY_LAST, PP_FLOW);
}


static void FlowPSParseOption(PS_CONFIG *config,
                              char *fname, int lineno,
                              char *key, char *value)
{
    int ivalue;

    if(!key || !value)
    {
        FatalError("%s:(%d) Invalid command line arguments!\n");
    }

    if(s_debug > 1)
        flow_printf("key: %s value: %s\n", key, value);
    
    if(!strcasecmp(key, "scoreboard-memcap-talker"))
    {
        ivalue = atoi(value);
        config->sb_memcap_talker = ivalue;
    }
    else if(!strcasecmp(key, "scoreboard-memcap-scanner"))
    {
        ivalue = atoi(value);
        config->sb_memcap_scanner = ivalue;
    }
    else if(!strcasecmp(key,"unique-memcap"))
    {
        ivalue = atoi(value);
        config->ut_memcap = ivalue;
    }
    else if(!strcasecmp(key,"server-memcap"))
    {
        ivalue = atoi(value);
        config->server_memcap = ivalue;
    }
    else if(!strcasecmp(key, "scoreboard-rows-talker"))
    {
        ivalue = atoi(value);
        config->sb_rows_talker = ivalue;
    }
    else if(!strcasecmp(key, "scoreboard-rows-scanner"))
    {
        ivalue = atoi(value);
        config->sb_rows_scanner = ivalue;
    }
    else if(!strcasecmp(key,"unique-rows"))
    {
        ivalue = atoi(value);
        config->ut_rows = ivalue;
    }
    else if(!strcasecmp(key,"server-rows"))
    {
        ivalue = atoi(value);
        config->server_rows = ivalue;
    }
    else if(!strcasecmp(key, "server-watchnet"))
    {
        IPSET *ipset = ipset_new(IPV4_FAMILY);

        if(!ipset || ip4_setparse(ipset, value) !=0)
        {
            FatalError("%s(%d) Unable to create an IPSet from %s\n",
                            file_name,file_line,value);
        }

        config->server_watchnet_ipv4 = ipset;        
    }
    else if(!strcasecmp(key, "src-ignore-net"))
    {
        IPSET *ipset = ipset_new(IPV4_FAMILY);

        if(!ipset || ip4_setparse(ipset, value) !=0)
        {
            FatalError("%s(%d) Unable to create an IPSet from %s\n",
                            file_name,file_line,value);
        }

        config->src_ignore_ipv4 = ipset;        
    }
    else if(!strcasecmp(key, "dst-ignore-net"))