flow_cache.c

入侵检测SNORT.最近更新的基于网络检测的IDS.希望能给大家带来方便.

    
    return FLOW_SUCCESS;
}

/** 
 * Get the least recently used flow from the cache
 * 
 * @param flowcachep flow cache to operate on
 * @param flowp where to put the flow
 * 
 * @return FLOW_SUCCESS on success
 */
static INLINE int flowcache_lru(FLOWCACHE *flowcachep, FLOW **flowpp)
{
    if(!flowcachep  || !flowpp)
        return FLOW_EINVALID;

    *flowpp = sfxhash_lru(flowcachep->ipv4_table);

    if(*flowpp == NULL)
        return FLOW_NOTFOUND;
    
    return FLOW_SUCCESS;
}

/** 
 * Look for the data in the flow tables.
 * 
 * @param flowcachep cache to look in
 * @param keyp pointer to searching key data
 * @param flowpp pointer to set with this module
 * @param direction pass back argument (FROM_INITIATOR or FROM_RESPONDER)
 * 
 * @return FLOW_SUCCESS on success, FLOW_NOTFOUND when not found, else usage error
 */
int flowcache_find(FLOWCACHE *flowcachep, FLOWKEY *keyp, FLOW **flowpp, int *direction)
{
    FLOWKEY search_key;
    FLOW *fp;

    int way;
    
    if(!flowcachep || !keyp || !flowpp || !direction)
    {
        return FLOW_ENULL;
    }
    
    FCS_find(flowcachep, keyp);

    /* give us a single search key that we can hash on */
    flowkey_normalize(&search_key, keyp);

    fp = sfxhash_find(flowcachep->ipv4_table, &search_key);
    
    if(fp == NULL)
    {
        /* we have failed. Nothing else to do here */
        *flowpp = NULL;

        FCS_find_fail(flowcachep, keyp);
        
        return FLOW_NOTFOUND;
    }
    else 
    {
        /* now, lets see which way this flow was stored.  Note, this
           has nothing to do with the search key as that is only good
           for searching */

        if(fp->key.init_address == keyp->init_address &&
           fp->key.init_port == keyp->init_port)
        {
            way = FROM_INITIATOR;
        }
        else
        {
            way = FROM_RESPONDER;
            FCS_revfind(flowcachep, &search_key);
        }
    }

    *direction = way;

    *flowpp = fp;

    FCS_find_success(flowcachep, keyp);
    return FLOW_SUCCESS;
}

/** 
 * map a position to a name
 * 
 * @param position where to return the name of
 * 
 * @return string reprenting position name
 */
const char *flowcache_pname(FLOW_POSITION position)
{
    static const char *position_names[] = {"FLOW_NEW",
                                           "FLOW_FIRST_BIDIRECTIONAL",
                                           "FLOW_ADDITIONAL",
                                           "FLOW_SHUTDOWN",
                                           "FLOW_INVALID" };

    if(position < FLOW_NEW || position >= FLOW_MAX)
    {
        return position_names[4];
    }

    return position_names[position];
}


/** 
 * Automatically recover nodes and make sure that all the other
 * references are taken care of.
 * 
 * @param key hash key
 * @param data ptr to FLOW data
 * 
 * @return 0 if this node can be removed
 */
static int flowcache_anrfree(void *key, void *data)
{
    FLOW *fp;

    if(data)
    {
        fp = (FLOW *) data;
        flow_callbacks(FLOW_SHUTDOWN, fp, 0, NULL);
    }
    
    return 0;
}


/** 
 * Automatically recover nodes and make sure that all the other
 * references are taken care of.
 * 
 * @param key hash key
 * @param data ptr to FLOW data
 * p
 * @return 0 if this node can be removed
 */
static int flowcache_usrfree(void *key, void *data)
{
#ifndef WIN32
    // printf("DEBUG: called %s\n", __func__);
#else
    // printf("DEBUG: called file %s line %d\n", __FILE__, __LINE__);
#endif

    return 0;
}


/* these are just helpers for the flowcache problems */


static INLINE int FCS_find(FLOWCACHE *flowcachecp, FLOWKEY *keyp)
{
    
    flowcachecp->total.find_ops++;
    flowcachecp->per_proto[keyp->protocol].find_ops++;
        
    return 0;
}

static INLINE int FCS_revfind(FLOWCACHE *flowcachecp, FLOWKEY *keyp)
{
    flowcachecp->total.reversed_ops++;
    flowcachecp->per_proto[keyp->protocol].reversed_ops++;
    return 0;
}

static INLINE int FCS_new(FLOWCACHE *flowcachecp, FLOWKEY *keyp)
{
    flowcachecp->total.new_flows++;
    flowcachecp->per_proto[keyp->protocol].new_flows++;
    return 0;
}

static INLINE int FCS_find_success(FLOWCACHE *flowcachecp, FLOWKEY *keyp)
{
    flowcachecp->total.find_success++;
    flowcachecp->per_proto[keyp->protocol].find_success++;
    return 0;
}

static INLINE int FCS_find_fail(FLOWCACHE *flowcachecp, FLOWKEY *keyp)
{
    flowcachecp->total.find_fail++;
    flowcachecp->per_proto[keyp->protocol].find_fail++;
    return 0;
}

void flowcache_stats(FILE *stream, FLOWCACHE *flowcachep)
{
    int could_hold;
    int i;
    time_t low_time = 0, high_time = 0, diff_time = 0;    
    int diff_hours = 0, diff_min = 0, diff_sec = 0;
    int diff_blocks = 0;
    FLOW *flow_mrup, *flow_lrup;

#ifdef INDEPTH_DEBUG
    printf("table max depth: %u\n",
           sfxhash_maxdepth(flowcachep->ipv4_table));
#endif /* INDEPTH_DEBUG */
        
    if((flowcache_mru(flowcachep, &flow_mrup) == FLOW_SUCCESS) &&
       (flowcache_lru(flowcachep, &flow_lrup) == FLOW_SUCCESS))
    {
        low_time = flow_lrup->stats.last_packet;
        high_time = flow_mrup->stats.last_packet;

        diff_time = high_time - low_time;

        diff_hours = diff_time / 3600;
        diff_min = (diff_time - (3600 * diff_hours)) / 60;
        diff_sec = diff_time % 60;
    }

    diff_blocks = flowcachep->ipv4_table->mc.nblocks -
        flowcache_overhead_blocks(flowcachep);


    //could_hold = flowcachep->ipv4_table->mc.memcap /
    //    (sizeof(FLOW) + sizeof(FLOWKEY) + sizeof(SFXHASH_NODE));

    /* this is a bad calculation -- should clean this up */
    if(diff_blocks > 0)
    {
        could_hold = (flowcachep->ipv4_table->mc.memused - flowcache_overhead_bytes(flowcachep)) / diff_blocks;
        could_hold = flowcachep->ipv4_table->mc.memcap / could_hold;
    }
    else
    {
        could_hold = diff_blocks;
    }

    flow_printf(",----[ FLOWCACHE STATS ]----------\n");
    flow_printf("Memcap: %u Overhead Bytes %u used(%%%f)/blocks (%u/%u)\nOverhead blocks: %u Could Hold: (%u)\n",
                flowcachep->ipv4_table->mc.memcap,
                flowcache_overhead_bytes(flowcachep),
                calc_percent(flowcachep->ipv4_table->mc.memused,
                             flowcachep->ipv4_table->mc.memcap),
                flowcachep->ipv4_table->mc.memused,
                flowcachep->ipv4_table->mc.nblocks,
                flowcache_overhead_blocks(flowcachep),
                could_hold);
    
    flow_printf("IPV4 count: %u frees: %u\nlow_time: %u, high_time: %u,"
                " diff: %dh:%02d:%02ds\n",
                sfxhash_count(flowcachep->ipv4_table),
                sfxhash_anr_count(flowcachep->ipv4_table),
                (unsigned) low_time,
                (unsigned) high_time,
                diff_hours,diff_min,diff_sec);
    

    flow_printf("    finds: " STDu64 " reversed: " STDu64 "(%%%f) \n    find_success: " STDu64 " "
                "find_fail: " STDu64 "\npercent_success: (%%%f) new_flows: " STDu64 "\n",
                flowcachep->total.find_ops,
                flowcachep->total.reversed_ops,
                calc_percent64(flowcachep->total.reversed_ops,
                             flowcachep->total.find_ops),
                flowcachep->total.find_success,
                flowcachep->total.find_fail,
                calc_percent64(flowcachep->total.find_success,
                             flowcachep->total.find_ops),
                flowcachep->total.new_flows);
    
    for(i=0;i<256;i++)
    {
        if(flowcachep->per_proto[i].find_ops > 0)
        {
            flow_printf(" Protocol: %d (%%%f)\n"
                        "   finds: " STDu64 "\n"
                        "   reversed: " STDu64 "(%%%f)\n"
                        "   find_success: " STDu64 "\n"
                        "   find_fail: " STDu64 "\n"
                        "   percent_success: (%%%f)\n"
                        "   new_flows: " STDu64 "\n",
                        i,
                        calc_percent64(flowcachep->per_proto[i].find_ops,
                                     flowcachep->total.find_ops),
                        flowcachep->per_proto[i].find_ops,
                        flowcachep->per_proto[i].reversed_ops,
                        calc_percent64(flowcachep->per_proto[i].reversed_ops,
                                     flowcachep->per_proto[i].find_ops),
                        flowcachep->per_proto[i].find_success,
                        flowcachep->per_proto[i].find_fail,
                        calc_percent64(flowcachep->per_proto[i].find_success,
                                     flowcachep->per_proto[i].find_ops),
                        flowcachep->per_proto[i].new_flows);
        }
    }
}

/** 
 * get the row count
 * 
 * @param sbp flowcache ptr to return the memcap of
 * 
 * @return nrows or -1
 */
int flowcache_row_count(FLOWCACHE *sbp)
{
    if(sbp != NULL && sbp->ipv4_table != NULL)        
        return sbp->ipv4_table->nrows;

    return -1;            
}

/** 
 * get the overhead # of bytes
 * 
 * @param sbp flowcache ptr to return the memcap of
 * 
 * @return nrows or -1
 */

int flowcache_overhead_bytes(FLOWCACHE *sbp)
{
    if(sbp != NULL && sbp->ipv4_table != NULL)
        return sfxhash_overhead_bytes(sbp->ipv4_table);

    return -1;            

}