Corsaro new_rsdos plugin implementation. More...

Macros
#define	CORSARO_DOS_MAGIC 0x45444F53
	The magic number for this plugin - "EDOS". More...

#define	PLUGIN_NAME "dos"
	The name of this plugin. More...

#define	PLUGIN_NAME_DEPRECATED "edgar_dos"
	The old name of this plugin. More...

#define	CORSARO_DOS_INTERVAL 300
	The interval that this plugin would like to dump at. More...

#define	CORSARO_DOS_VECTOR_TIMEOUT CORSARO_DOS_INTERVAL
	The length of time after which an inactive attack vector is expired. More...

#define	CORSARO_DOS_ATTACK_VECTOR_MIN_PACKETS 25
	The minimum number of packets before a vector can be an attack. More...

#define	CORSARO_DOS_ATTACK_VECTOR_MIN_DURATION 60
	The minimum number of seconds before a vector can be an attack. More...

#define	CORSARO_DOS_ATTACK_VECTOR_MIN_PPM 30
	The minimum packet rate before a vector can be an attack. More...

#define	CORSARO_DOS_ATTACK_VECTOR_BYTECNT (4+4+4+4+4+8+4+8+4+8+4+4+4+4+4)
	The length (in bytes) of an attack vector record. More...

#define	CORSARO_DOS_PPM_WINDOW_SIZE 60
	The length of the pps sliding window in seconds. More...

#define	CORSARO_DOS_PPM_WINDOW_PRECISION 10
	The amount to slide the window by in seconds. More...

#define	CORSARO_DOS_PPS_BUCKET_CNT
	The number of buckets. More...

#define	attack_vector_hash_equal(a, b)
	Compare two attack vectors for equality. More...

#define	STATE(corsaro) (CORSARO_PLUGIN_STATE(corsaro, dos,CORSARO_PLUGIN_ID_DOS))
	Extends the generic plugin state convenience macro in corsaro_plugin.h. More...

#define	STATE_IN(corsaro)
	Extends the generic plugin state convenience macro in corsaro_plugin.h. More...

#define	PLUGIN(corsaro) (CORSARO_PLUGIN_PLUGIN(corsaro, CORSARO_PLUGIN_ID_DOS))
	Extends the generic plugin plugin convenience macro in corsaro_plugin.h. More...

Typedefs
typedef struct ppm_window	ppm_window_t
	Initialize the hash types needed to hold maps in vectors. More...

typedef struct attack_vector	attack_vector_t
	A record for a potential attack vector. More...

Functions
static attack_vector_t *	attack_vector_init (corsaro_t *corsaro)
	Create an attack vector object. More...

static void	attack_vector_free (attack_vector_t *av)
	Free the memory allocated to an attack vector object. More...

static void	attack_vector_reset (attack_vector_t *av)
	Reset the per-interval counters in an attack vector. More...

static khint32_t	attack_vector_hash_func (attack_vector_t *av)
	Hash an attack vector. More...

	KHASH_INIT (av, attack_vector_t *, char, 0, attack_vector_hash_func, attack_vector_hash_equal)
	Initialize the hash functions and datatypes. More...

static int	attack_vector_is_expired (attack_vector_t *vector, uint32_t time)
	Check if a vector has had a packet added to it recently. More...

static void	attack_vector_update_ppm (ppm_window_t *ppm_window)
	Update the max ppm value given the current window values. More...

static void	attack_vector_update_ppm_window (attack_vector_t *vector, struct timeval tv)
	Update the packet rate window. More...

static int	attack_vector_is_attack (corsaro_t corsaro, attack_vector_t vector, uint32_t time)
	Determine whether a vector is indeed an attack vector. More...

static int	ascii_dump (corsaro_t corsaro, attack_vector_t vector)
	Dump the given vector to the plugin output file in ASCII. More...

static int	binary_dump (corsaro_t corsaro, attack_vector_t vector)
	Dump the given vector to the plugin output file in binary. More...

static int	read_header (corsaro_in_t corsaro, corsaro_in_record_type_t record_type, corsaro_in_record_t *record)
	Read a dos header. More...

static int	validate_attack_vector (corsaro_dos_attack_vector_in_t *av)
	Check an attack vector record is valid. More...

static int	read_attack_vector (corsaro_in_t corsaro, corsaro_in_record_type_t record_type, corsaro_in_record_t *record)
	Read an attack vector record. More...

static int	validate_global_header (corsaro_dos_global_header_t *g)
	Check that a global file header record is valid. More...

corsaro_plugin_t *	corsaro_dos_alloc (corsaro_t *corsaro)
	Implements the alloc function of the plugin API. More...

int	corsaro_dos_probe_filename (const char *fname)
	Implements the probe_filename function of the plugin API. More...

int	corsaro_dos_probe_magic (corsaro_in_t corsaro, corsaro_file_in_t file)
	Implements the probe_magic function of the plugin API. More...

int	corsaro_dos_init_output (corsaro_t *corsaro)
	Implements the init_output function of the plugin API. More...

int	corsaro_dos_init_input (corsaro_in_t *corsaro)
	Implements the init_input function of the plugin API. More...

int	corsaro_dos_close_input (corsaro_in_t *corsaro)
	Implements the close_input function of the plugin API. More...

int	corsaro_dos_close_output (corsaro_t *corsaro)
	Implements the close_output function of the plugin API. More...

off_t	corsaro_dos_read_record (struct corsaro_in corsaro, corsaro_in_record_type_t record_type, corsaro_in_record_t *record)
	Implements the read_record function of the plugin API. More...

off_t	corsaro_dos_read_global_data_record (struct corsaro_in corsaro, enum corsaro_in_record_type record_type, struct corsaro_in_record *record)
	Implements the read_global_data_record function of the plugin API. More...

int	corsaro_dos_start_interval (corsaro_t corsaro, corsaro_interval_t int_start)
	Implements the start_interval function of the plugin API. More...

int	corsaro_dos_end_interval (corsaro_t corsaro, corsaro_interval_t int_end)
	Implements the end_interval function of the plugin API. More...

int	corsaro_dos_process_packet (corsaro_t corsaro, corsaro_packet_t packet)
	Implements the process_packet function of the plugin API. More...

void	corsaro_dos_attack_vector_get_packet (corsaro_dos_attack_vector_in_t attack_vector, libtrace_packet_t packet)
	Extract the initial packet from an attack vector record. More...

off_t	corsaro_dos_global_header_fprint (corsaro_t corsaro, corsaro_file_t file, corsaro_dos_global_header_t *header)
	Print a global header record to stdout in ASCII format. More...

void	corsaro_dos_global_header_print (corsaro_dos_global_header_t *header)
	Print a global header record to a file in ASCII format. More...

off_t	corsaro_dos_attack_vector_fprint (corsaro_t corsaro, corsaro_file_t file, corsaro_dos_attack_vector_in_t *av)
	Print an attack vector record to stdout in ASCII format. More...

void	corsaro_dos_attack_vector_print (corsaro_dos_attack_vector_in_t *av)
	Print an attack vector record to a file in ASCII format. More...

off_t	corsaro_dos_header_fprint (corsaro_t corsaro, corsaro_file_t file, corsaro_dos_header_t *header)
	Print a header record to stdout in ASCII format. More...

void	corsaro_dos_header_print (corsaro_dos_header_t *header)
	Print a header record to a file in ASCII format. More...

off_t	corsaro_dos_record_fprint (corsaro_t corsaro, corsaro_file_t file, corsaro_in_record_type_t record_type, corsaro_in_record_t *record)
	Print any DoS record to stdout in ASCII format. More...

int	corsaro_dos_record_print (corsaro_in_record_type_t record_type, corsaro_in_record_t *record)
	Print any DoS record to a file in ASCII format. More...

Variables
static corsaro_plugin_t	corsaro_dos_plugin
	Common plugin information across all instances. More...

Detailed Description

Corsaro new_rsdos plugin implementation.

Author: Alistair King

Definition in file corsaro_dos.c.

Macro Definition Documentation

#define attack_vector_hash_equal	(	a,
		b
	)

Value:

(                               \
                                        (a)->target_ip == (b)->target_ip \
                                                                        )

Compare two attack vectors for equality.

Definition at line 278 of file corsaro_dos.c.

#define CORSARO_DOS_ATTACK_VECTOR_BYTECNT (4+4+4+4+4+8+4+8+4+8+4+4+4+4+4)

The length (in bytes) of an attack vector record.

Definition at line 109 of file corsaro_dos.c.

Referenced by binary_dump().

#define CORSARO_DOS_ATTACK_VECTOR_MIN_DURATION 60

The minimum number of seconds before a vector can be an attack.

Definition at line 103 of file corsaro_dos.c.

Referenced by attack_vector_is_attack().

#define CORSARO_DOS_ATTACK_VECTOR_MIN_PACKETS 25

The minimum number of packets before a vector can be an attack.

Definition at line 100 of file corsaro_dos.c.

Referenced by attack_vector_is_attack().

#define CORSARO_DOS_ATTACK_VECTOR_MIN_PPM 30

The minimum packet rate before a vector can be an attack.

Definition at line 106 of file corsaro_dos.c.

Referenced by attack_vector_is_attack().

#define CORSARO_DOS_INTERVAL 300

The interval that this plugin would like to dump at.

NOTE THIS WELL! There is a known issue with how this plugin computes which corsaro intervals to dump on. IF the corsaro interval is set to longer than the time in the trace, and this is longer than the dos interval, it WILL NOT dump anything

To fix this, we should implement some method for plugins to choose an interval which corsaro will call them on its closest interval.

Definition at line 94 of file corsaro_dos.c.

Referenced by corsaro_dos_end_interval().

#define CORSARO_DOS_MAGIC 0x45444F53

The magic number for this plugin - "EDOS".

Definition at line 61 of file corsaro_dos.c.

#define CORSARO_DOS_PPM_WINDOW_PRECISION 10

The amount to slide the window by in seconds.

Definition at line 115 of file corsaro_dos.c.

Referenced by attack_vector_update_ppm_window().

#define CORSARO_DOS_PPM_WINDOW_SIZE 60

The length of the pps sliding window in seconds.

Definition at line 112 of file corsaro_dos.c.

#define CORSARO_DOS_PPS_BUCKET_CNT

Value:

(CORSARO_DOS_PPM_WINDOW_SIZE/ \

CORSARO_DOS_PPM_WINDOW_PRECISION)

CORSARO_DOS_PPM_WINDOW_PRECISION

#define CORSARO_DOS_PPM_WINDOW_PRECISION

The amount to slide the window by in seconds.

Definition: corsaro_dos.c:115

CORSARO_DOS_PPM_WINDOW_SIZE

#define CORSARO_DOS_PPM_WINDOW_SIZE

The length of the pps sliding window in seconds.

Definition: corsaro_dos.c:112

The number of buckets.

Definition at line 118 of file corsaro_dos.c.

Referenced by attack_vector_update_ppm(), and attack_vector_update_ppm_window().

#define CORSARO_DOS_VECTOR_TIMEOUT CORSARO_DOS_INTERVAL

The length of time after which an inactive attack vector is expired.

Definition at line 97 of file corsaro_dos.c.

Referenced by attack_vector_is_expired().

#define PLUGIN ( corsaro ) (CORSARO_PLUGIN_PLUGIN(corsaro, CORSARO_PLUGIN_ID_DOS))

Extends the generic plugin plugin convenience macro in corsaro_plugin.h.

Definition at line 326 of file corsaro_dos.c.

Referenced by corsaro_dos_close_input(), corsaro_dos_close_output(), corsaro_dos_end_interval(), corsaro_dos_init_input(), corsaro_dos_init_output(), and corsaro_dos_start_interval().

#define PLUGIN_NAME "dos"

The name of this plugin.

Definition at line 64 of file corsaro_dos.c.

#define PLUGIN_NAME_DEPRECATED "edgar_dos"

The old name of this plugin.

Because the original files created with the dos plugin do not have a magic number, we rely on the filename check. This is pretty fragile, but it's all we have right now

Definition at line 72 of file corsaro_dos.c.

Referenced by corsaro_dos_probe_filename().

#define STATE ( corsaro ) (CORSARO_PLUGIN_STATE(corsaro, dos,CORSARO_PLUGIN_ID_DOS))

Extends the generic plugin state convenience macro in corsaro_plugin.h.

Definition at line 319 of file corsaro_dos.c.

Referenced by ascii_dump(), binary_dump(), corsaro_dos_close_output(), corsaro_dos_end_interval(), corsaro_dos_process_packet(), and corsaro_dos_start_interval().

#define STATE_IN ( corsaro )

Value:

(CORSARO_PLUGIN_STATE(corsaro, dos_in, \

CORSARO_PLUGIN_ID_DOS))

CORSARO_PLUGIN_STATE

#define CORSARO_PLUGIN_STATE(corsaro, type, id)

Convenience macro to cast the state pointer in the plugin.

Definition: corsaro_plugin.h:147

CORSARO_PLUGIN_ID_DOS

RS DoS plugin.

Definition: corsaro_plugin.h:195

corsaro

Corsaro output state.

Definition: corsaro_int.h:230

Extends the generic plugin state convenience macro in corsaro_plugin.h.

Definition at line 322 of file corsaro_dos.c.

Referenced by corsaro_dos_close_input(), corsaro_dos_read_record(), read_attack_vector(), and read_header().

Typedef Documentation

typedef struct attack_vector attack_vector_t

A record for a potential attack vector.

All values are in HOST byte order

typedef struct ppm_window ppm_window_t

Initialize the hash types needed to hold maps in vectors.

The convention is a 4 digit name, where the first two digits indicate the length of the key, and the last two indicate the length of the value e.g. 3264 means 32 bit integer keys with 64bit integer valuesState for the sliding packet rate algorithm

Function Documentation

static int ascii_dump	(	corsaro_t *	corsaro,
		attack_vector_t *	vector
	)

static

Dump the given vector to the plugin output file in ASCII.

Parameters

corsaro	The corsaro object associated with the vector
vector	The vector to dump

Returns: 0 if the vector is dumped successfully, -1 if an error occurs

Definition at line 525 of file corsaro_dos.c.

References corsaro_file_printf(), and STATE.

Referenced by corsaro_dos_end_interval().

static void attack_vector_free ( attack_vector_t * av )

static

Free the memory allocated to an attack vector object.

Parameters

av	The attack vector to be freed

Definition at line 234 of file corsaro_dos.c.

Referenced by corsaro_dos_close_output(), corsaro_dos_end_interval(), and corsaro_dos_process_packet().

static khint32_t attack_vector_hash_func ( attack_vector_t * av )

inlinestatic

Hash an attack vector.

Parameters

av	The attack vector to be hashed

Definition at line 286 of file corsaro_dos.c.

static attack_vector_t* attack_vector_init ( corsaro_t * corsaro )

static

Create an attack vector object.

Parameters

corsaro The corsaro object associated with the vector

Returns: an empty attack vector object

Definition at line 209 of file corsaro_dos.c.

References corsaro_log(), and malloc_zero().

Referenced by corsaro_dos_process_packet().

static int attack_vector_is_attack	(	corsaro_t *	corsaro,
		attack_vector_t *	vector,
		uint32_t	time
	)

static

Determine whether a vector is indeed an attack vector.

Parameters

corsaro	The corsaro object associated with the vector
vector	The vector to check
time	The current trace time

Returns: 1 if the vector is an attack, 0 if non-attack, -1 if an error occurs

Definition at line 482 of file corsaro_dos.c.

References attack_vector_update_ppm(), CORSARO_DOS_ATTACK_VECTOR_MIN_DURATION, CORSARO_DOS_ATTACK_VECTOR_MIN_PACKETS, CORSARO_DOS_ATTACK_VECTOR_MIN_PPM, corsaro_log(), and timeval_subtract().

Referenced by corsaro_dos_end_interval().

static int attack_vector_is_expired	(	attack_vector_t *	vector,
		uint32_t	time
	)

static

Check if a vector has had a packet added to it recently.

Parameters

vector	The attack vector to check
time	The current trace time

Definition at line 334 of file corsaro_dos.c.

References CORSARO_DOS_VECTOR_TIMEOUT.

Referenced by corsaro_dos_end_interval(), and corsaro_dos_process_packet().

static void attack_vector_reset ( attack_vector_t * av )

static

Reset the per-interval counters in an attack vector.

Parameters

av	The attack vector to be reset

Definition at line 268 of file corsaro_dos.c.

Referenced by corsaro_dos_end_interval().

static void attack_vector_update_ppm ( ppm_window_t * ppm_window )

static

Update the max ppm value given the current window values.

Parameters

ppm_window The packet rate window to update

Definition at line 347 of file corsaro_dos.c.

References CORSARO_DOS_PPS_BUCKET_CNT.

Referenced by attack_vector_is_attack(), and attack_vector_update_ppm_window().

static void attack_vector_update_ppm_window	(	attack_vector_t *	vector,
		struct timeval	tv
	)

static

Update the packet rate window.

Parameters

vector	The attack vector to update
tv	The time the packet arrived at

PPS Sliding Window

In order to properly handle short-duration spikes in the PPS rate, we use a sliding window for each attack vector.

When a vector is first created, the initial packet time is used as the start of the window. Thereafter, packets added to the vector are used to update a sliding window of values.

Updating the window: When a packet is received, it is first checked to determine whether the window must be moved. It will be moved if this packet arrived more than PPM_WINDOW_SIZE seconds after the ppm_window.window_size value. If this is the case, the current bucket pointer is moved on onePPS_BUCKET_CNT this now has it pointing at the old start of the window, this value is then zeroed and ppm_window.window_start is incremented by PPM_WINDOW_PRECISION. This move is repeated until the new value falls into the bucket pointed to by the current_bucket pointer I.e. Its time, x, satisfies (window_start+(PPM_WINDOW_PRECISION * (PPS_BUCKET_CNT-1))) <= x < (window_start+(PPM_WINDOW_PRECISION * PPS_BUCKET_CNT)) The value of buckets[current_bucket] is then incremented by one

Computing the PPS rate: The maximum PPS rate for an attack vector is the maximum PPS rate across all of the windows observed. As such, every time the window is moved, we update the max_ppm value by summing the value in each bucket

For example: window_start: 1320969600 max_ppm: 56 current_bucket: 5 bucket | value 0 | 12 1 | 2 2 | 3 3 | 6 4 | 8 5 | 1

the current bucket of 5 covers times from (1320969600+(10*(6-1))) up to, but not including (1320969600+(10*6)) or, 1320969650 <= x < 1320969660

we receive a packet at 1320969665 which is 65 seconds after 1320969600 this means we will need to move the window, we first compute the ppm for the window that just ended by summing all buckets (12+2+3+6+8+1) is 32, not higher than the max so nothing is done we then advance the window by setting the current bucket to (5+1)%6, or, 0 and then setting the value in this bucket to 0. Because this example had the next packet arrive in the very next window, the window only needs to be advanced once, if it had been later, the window would have been advanced multiple times until the packet fell into the last window.

This implementation will work fairly efficiently if packets tend to arrive close together, if they are spaced by long amounts of time, it will be less efficient. We can help this by calculating how many times the window will need to be advanced and then zeroing the appropriate number of buckets before calculating the new ppm rate and updating the current window pointer. The formula for this calculation is delta: ((new_time) - (window_start+(PPM_WINDOW_SIZE))) buckets to zero: min(PPS_BUCKET_CNT, (delta/PPM_WINDOW_PRECISION)+1)) (assuming delta is > 0)

In our previous example, if the new packet had arrived at 1320969700, the delta would be (1320969700-(1320969600+60)) = 40 we would need to zero (min(6, (40/10)+1)) = 5 buckets

the truth is in the code, see attack_vector_update_ppm_window

Definition at line 440 of file corsaro_dos.c.

References attack_vector_update_ppm(), CORSARO_DOS_PPM_WINDOW_PRECISION, and CORSARO_DOS_PPS_BUCKET_CNT.

Referenced by corsaro_dos_process_packet().

static int binary_dump	(	corsaro_t *	corsaro,
		attack_vector_t *	vector
	)

static

Dump the given vector to the plugin output file in binary.

Parameters

corsaro	The corsaro object associated with the vector
vector	The vector to dump

Returns: 0 if the vector is dumped successfully, -1 if an error occurs

Definition at line 570 of file corsaro_dos.c.

References bytes_htonl(), bytes_htonll(), CORSARO_DOS_ATTACK_VECTOR_BYTECNT, corsaro_file_write(), corsaro_log(), and STATE.

Referenced by corsaro_dos_end_interval().

corsaro_plugin_t* corsaro_dos_alloc ( corsaro_t * corsaro )

Implements the alloc function of the plugin API.

Definition at line 800 of file corsaro_dos.c.

References corsaro_dos_plugin.

off_t corsaro_dos_attack_vector_fprint	(	corsaro_t *	corsaro,
		corsaro_file_t *	file,
		corsaro_dos_attack_vector_in_t *	av
	)

Print an attack vector record to stdout in ASCII format.

Write a dos attack vector to the given corsaro file in ascii.

Todo:: extend libpacketdump to allow to dump to a file

Definition at line 1449 of file corsaro_dos.c.

Referenced by corsaro_dos_record_fprint().

void corsaro_dos_attack_vector_get_packet	(	corsaro_dos_attack_vector_in_t *	attack_vector,
		libtrace_packet_t *	packet
	)

Extract the initial packet from an attack vector record.

Definition at line 1402 of file corsaro_dos.c.

References corsaro_dos_attack_vector_in::initial_packet, and corsaro_dos_attack_vector_in::initial_packet_len.

Referenced by corsaro_dos_attack_vector_print().

void corsaro_dos_attack_vector_print ( corsaro_dos_attack_vector_in_t * av )

Print an attack vector record to a file in ASCII format.

Write a dos attack vector to stdout in ascii format.

Definition at line 1495 of file corsaro_dos.c.

Referenced by corsaro_dos_record_print().

int corsaro_dos_close_input ( corsaro_in_t * corsaro )

Implements the close_input function of the plugin API.

Definition at line 898 of file corsaro_dos.c.

References corsaro_plugin_free_state(), PLUGIN, corsaro_in::plugin_manager, and STATE_IN.

Referenced by corsaro_dos_init_input().

int corsaro_dos_close_output ( corsaro_t * corsaro )

Implements the close_output function of the plugin API.

Definition at line 910 of file corsaro_dos.c.

References attack_vector_free(), corsaro_file_close(), corsaro_plugin_free_state(), PLUGIN, corsaro::plugin_manager, and STATE.

Referenced by corsaro_dos_init_output().

int corsaro_dos_end_interval	(	corsaro_t *	corsaro,
		corsaro_interval_t *	int_end
	)

Implements the end_interval function of the plugin API.

Definition at line 1037 of file corsaro_dos.c.

References ascii_dump(), attack_vector_free(), attack_vector_is_attack(), attack_vector_is_expired(), attack_vector_reset(), binary_dump(), bytes_htonl(), CORSARO_DOS_INTERVAL, corsaro_file_close(), CORSARO_FILE_MODE, CORSARO_FILE_MODE_ASCII, CORSARO_FILE_MODE_BINARY, corsaro_file_printf(), corsaro_file_write(), corsaro_io_write_interval_end(), corsaro_io_write_interval_start(), corsaro_io_write_plugin_end(), corsaro_io_write_plugin_start(), corsaro_is_rotate_interval(), corsaro_log(), corsaro::global_file, corsaro::interval_start, PLUGIN, STATE, and corsaro_interval::time.

off_t corsaro_dos_global_header_fprint	(	corsaro_t *	corsaro,
		corsaro_file_t *	file,
		corsaro_dos_global_header_t *	header
	)

Print a global header record to stdout in ASCII format.

Write a global dos header record to the given corsaro file in ascii.

Definition at line 1414 of file corsaro_dos.c.

References corsaro_dos_global_header::attack_vector_cnt, corsaro_file_printf(), corsaro_dos_global_header::mismatched_pkt_cnt, and corsaro_dos_global_header::non_attack_vector_cnt.

Referenced by corsaro_dos_record_fprint().

void corsaro_dos_global_header_print ( corsaro_dos_global_header_t * header )

Print a global header record to a file in ASCII format.

Write a global dos header record to stdout in ascii format.

Definition at line 1433 of file corsaro_dos.c.

References corsaro_dos_global_header::attack_vector_cnt, corsaro_dos_global_header::mismatched_pkt_cnt, and corsaro_dos_global_header::non_attack_vector_cnt.

Referenced by corsaro_dos_record_print().

off_t corsaro_dos_header_fprint	(	corsaro_t *	corsaro,
		corsaro_file_t *	file,
		corsaro_dos_header_t *	header
	)

Print a header record to stdout in ASCII format.

Write a dos header record to the given corsaro file in ascii.

Definition at line 1554 of file corsaro_dos.c.

References corsaro_dos_header::attack_vector_cnt, and corsaro_file_printf().

Referenced by corsaro_dos_record_fprint().

void corsaro_dos_header_print ( corsaro_dos_header_t * header )

Print a header record to a file in ASCII format.

Write a dos header record to stdout in ascii format.

Definition at line 1569 of file corsaro_dos.c.

References corsaro_dos_header::attack_vector_cnt.

Referenced by corsaro_dos_record_print().

int corsaro_dos_init_input ( corsaro_in_t * corsaro )

Implements the init_input function of the plugin API.

Definition at line 870 of file corsaro_dos.c.

References corsaro_dos_close_input(), CORSARO_IN_RECORD_TYPE_IO_INTERVAL_START, corsaro_log_in(), corsaro_plugin_register_state(), malloc_zero(), PLUGIN, and corsaro_in::plugin_manager.

int corsaro_dos_init_output ( corsaro_t * corsaro )

Implements the init_output function of the plugin API.

Definition at line 836 of file corsaro_dos.c.

References corsaro_dos_close_output(), corsaro_log(), corsaro_plugin_register_state(), malloc_zero(), PLUGIN, and corsaro::plugin_manager.

int corsaro_dos_probe_filename ( const char * fname )

Implements the probe_filename function of the plugin API.

Definition at line 806 of file corsaro_dos.c.

References corsaro_plugin_probe_filename(), and PLUGIN_NAME_DEPRECATED.

int corsaro_dos_probe_magic	(	corsaro_in_t *	corsaro,
		corsaro_file_in_t *	file
	)

Implements the probe_magic function of the plugin API.

Todo:: add a magic number and make it backwards compatible

Definition at line 827 of file corsaro_dos.c.

int corsaro_dos_process_packet	(	corsaro_t *	corsaro,
		corsaro_packet_t *	packet
	)

Implements the process_packet function of the plugin API.

< Source port

< Destination port

Definition at line 1212 of file corsaro_dos.c.

References attack_vector_free(), attack_vector_init(), attack_vector_is_expired(), attack_vector_update_ppm_window(), corsaro_log(), CORSARO_PACKET_STATE_FLAG_BACKSCATTER, corsaro_packet_state::flags, LT_PKT, corsaro_packet::state, and STATE.

off_t corsaro_dos_read_global_data_record	(	struct corsaro_in *	corsaro,
		enum corsaro_in_record_type *	record_type,
		struct corsaro_in_record *	record
	)

Implements the read_global_data_record function of the plugin API.

Definition at line 984 of file corsaro_dos.c.

References corsaro_in_record::buffer, CORSARO_IN_RECORD_TYPE_DOS_GLOBAL_HEADER, CORSARO_IN_RECORD_TYPE_NULL, corsaro_io_read_bytes(), corsaro_log_in(), and validate_global_header().

off_t corsaro_dos_read_record	(	struct corsaro_in *	corsaro,
		corsaro_in_record_type_t *	record_type,
		corsaro_in_record_t *	record
	)

Implements the read_record function of the plugin API.

Definition at line 934 of file corsaro_dos.c.

References CORSARO_IN_RECORD_TYPE_DOS_ATTACK_VECTOR, CORSARO_IN_RECORD_TYPE_DOS_HEADER, CORSARO_IN_RECORD_TYPE_IO_INTERVAL_END, CORSARO_IN_RECORD_TYPE_IO_INTERVAL_START, corsaro_io_read_interval_end(), corsaro_io_read_interval_start(), corsaro_log_in(), corsaro_in::file, read_attack_vector(), read_header(), and STATE_IN.

off_t corsaro_dos_record_fprint	(	corsaro_t *	corsaro,
		corsaro_file_t *	file,
		corsaro_in_record_type_t	record_type,
		corsaro_in_record_t *	record
	)

Print any DoS record to stdout in ASCII format.

Write a generic dos record to the given corsaro file in ascii.

Definition at line 1578 of file corsaro_dos.c.

References corsaro_in_record::buffer, corsaro_dos_attack_vector_fprint(), corsaro_dos_global_header_fprint(), corsaro_dos_header_fprint(), CORSARO_IN_RECORD_TYPE_DOS_ATTACK_VECTOR, CORSARO_IN_RECORD_TYPE_DOS_GLOBAL_HEADER, CORSARO_IN_RECORD_TYPE_DOS_HEADER, and corsaro_log().

Referenced by corsaro_io_write_record().

int corsaro_dos_record_print	(	corsaro_in_record_type_t	record_type,
		corsaro_in_record_t *	record
	)

Print any DoS record to a file in ASCII format.

Write a generic dos record to stdout in ascii format.

Definition at line 1611 of file corsaro_dos.c.

References corsaro_in_record::buffer, corsaro_dos_attack_vector_print(), corsaro_dos_global_header_print(), corsaro_dos_header_print(), CORSARO_IN_RECORD_TYPE_DOS_ATTACK_VECTOR, CORSARO_IN_RECORD_TYPE_DOS_GLOBAL_HEADER, CORSARO_IN_RECORD_TYPE_DOS_HEADER, and corsaro_log_file().

Referenced by corsaro_io_print_record().

int corsaro_dos_start_interval	(	corsaro_t *	corsaro,
		corsaro_interval_t *	int_start
	)

Implements the start_interval function of the plugin API.

Definition at line 1014 of file corsaro_dos.c.

References corsaro_io_prepare_file(), corsaro_log(), PLUGIN, STATE, and corsaro_interval::time.

KHASH_INIT	(	av	,
		attack_vector_t *	,
		char	,
		0	,
		attack_vector_hash_func	,
		attack_vector_hash_equal
	)

Initialize the hash functions and datatypes.

static int read_attack_vector	(	corsaro_in_t *	corsaro,
		corsaro_in_record_type_t *	record_type,
		corsaro_in_record_t *	record
	)

static

Read an attack vector record.

Definition at line 723 of file corsaro_dos.c.

References corsaro_in_record::buffer, CORSARO_IN_RECORD_TYPE_DOS_ATTACK_VECTOR, CORSARO_IN_RECORD_TYPE_IO_INTERVAL_END, CORSARO_IN_RECORD_TYPE_NULL, corsaro_io_read_bytes(), corsaro_io_read_bytes_offset(), corsaro_log_in(), corsaro_dos_attack_vector_in::initial_packet, corsaro_dos_attack_vector_in::initial_packet_len, STATE_IN, and validate_attack_vector().

Referenced by corsaro_dos_read_record().

static int read_header	(	corsaro_in_t *	corsaro,
		corsaro_in_record_type_t *	record_type,
		corsaro_in_record_t *	record
	)

static

Read a dos header.

Definition at line 659 of file corsaro_dos.c.

References corsaro_in_record::buffer, CORSARO_IN_RECORD_TYPE_DOS_ATTACK_VECTOR, CORSARO_IN_RECORD_TYPE_DOS_HEADER, CORSARO_IN_RECORD_TYPE_IO_INTERVAL_END, CORSARO_IN_RECORD_TYPE_NULL, corsaro_io_read_bytes(), corsaro_log_in(), and STATE_IN.

Referenced by corsaro_dos_read_record().

static int validate_attack_vector ( corsaro_dos_attack_vector_in_t * av )

static

Check an attack vector record is valid.

Definition at line 692 of file corsaro_dos.c.

Referenced by read_attack_vector().

static int validate_global_header ( corsaro_dos_global_header_t * g )

static

Check that a global file header record is valid.

Definition at line 788 of file corsaro_dos.c.

References corsaro_dos_global_header::attack_vector_cnt, corsaro_dos_global_header::mismatched_pkt_cnt, and corsaro_dos_global_header::non_attack_vector_cnt.

Referenced by corsaro_dos_read_global_data_record().

Variable Documentation

corsaro_plugin_t corsaro_dos_plugin

static

Initial value:

= {
  PLUGIN_NAME,                                 
  CORSARO_PLUGIN_ID_DOS,                         
  CORSARO_DOS_MAGIC,                                           
  CORSARO_PLUGIN_GENERATE_PTRS(corsaro_dos),  
  CORSARO_PLUGIN_GENERATE_TAIL,
}

Common plugin information across all instances.

Definition at line 75 of file corsaro_dos.c.

Referenced by corsaro_dos_alloc().

Macros

Typedefs

Functions

Variables

Detailed Description

Macro Definition Documentation

Typedef Documentation

Function Documentation

Variable Documentation