29 #include <arpa/inet.h>
37 #ifdef HAVE_LIBPACKETDUMP
38 #include "libpacketdump.h"
50 #include "corsaro_dos.h"
61 #define CORSARO_DOS_MAGIC 0x45444F53
64 #define PLUGIN_NAME "dos"
72 #define PLUGIN_NAME_DEPRECATED "edgar_dos"
94 #define CORSARO_DOS_INTERVAL 300
97 #define CORSARO_DOS_VECTOR_TIMEOUT CORSARO_DOS_INTERVAL
100 #define CORSARO_DOS_ATTACK_VECTOR_MIN_PACKETS 25
103 #define CORSARO_DOS_ATTACK_VECTOR_MIN_DURATION 60
106 #define CORSARO_DOS_ATTACK_VECTOR_MIN_PPM 30
109 #define CORSARO_DOS_ATTACK_VECTOR_BYTECNT (4+4+4+4+4+8+4+8+4+8+4+4+4+4+4)
112 #define CORSARO_DOS_PPM_WINDOW_SIZE 60
115 #define CORSARO_DOS_PPM_WINDOW_PRECISION 10
118 #define CORSARO_DOS_PPS_BUCKET_CNT (CORSARO_DOS_PPM_WINDOW_SIZE/ \
119 CORSARO_DOS_PPM_WINDOW_PRECISION)
127 KHASH_SET_INIT_INT(32xx)
130 typedef struct ppm_window
133 uint32_t window_start;
137 uint8_t current_bucket;
146 typedef struct attack_vector
152 uint8_t *initial_packet;
155 uint32_t initial_packet_len;
158 uint32_t attacker_ip;
161 uint32_t responder_ip;
170 uint32_t interval_packet_cnt;
176 uint32_t interval_byte_cnt;
182 struct timeval start_time;
185 struct timeval latest_time;
188 kh_32xx_t *attack_ip_hash;
191 kh_32xx_t *attack_port_hash;
194 kh_32xx_t *target_port_hash;
197 uint32_t attack_ip_cnt;
214 corsaro_log(__func__, corsaro,
"could not malloc memory for attack vector");
218 av->attack_ip_hash = kh_init(32xx);
219 assert(av->attack_ip_hash != NULL);
221 av->attack_port_hash = kh_init(32xx);
222 assert(av->attack_port_hash != NULL);
224 av->target_port_hash = kh_init(32xx);
225 assert(av->target_port_hash != NULL);
241 if(av->initial_packet != NULL)
244 free(av->initial_packet);
247 if(av->attack_ip_hash != NULL)
249 kh_destroy(32xx, av->attack_ip_hash);
251 if(av->attack_port_hash != NULL)
253 kh_destroy(32xx, av->attack_port_hash);
255 if(av->target_port_hash != NULL)
257 kh_destroy(32xx, av->target_port_hash);
272 av->interval_packet_cnt = 0;
273 av->interval_byte_cnt = 0;
274 av->attack_ip_cnt = kh_size(av->attack_ip_hash);
278 #define attack_vector_hash_equal(a, b) ( \
279 (a)->target_ip == (b)->target_ip \
288 return (khint32_t)av->target_ip*59;
296 struct corsaro_dos_state_t {
298 uint32_t first_interval;
301 uint16_t number_mismatched_packets;
303 khash_t(av) *attack_hash;
309 struct corsaro_dos_in_state_t {
319 #define STATE(corsaro) \
320 (CORSARO_PLUGIN_STATE(corsaro, dos,CORSARO_PLUGIN_ID_DOS))
322 #define STATE_IN(corsaro) \
323 (CORSARO_PLUGIN_STATE(corsaro, dos_in, \
324 CORSARO_PLUGIN_ID_DOS))
326 #define PLUGIN(corsaro) \
327 (CORSARO_PLUGIN_PLUGIN(corsaro, CORSARO_PLUGIN_ID_DOS))
356 this_ppm += ppm_window->buckets[i];
358 if(this_ppm > ppm_window->max_ppm)
360 ppm_window->max_ppm = this_ppm;
448 bucket_offset = (tv.tv_sec-ppm_window->window_start)/
452 if(bucket_offset > 0)
457 for(i = 0; i < bucket_offset && i < 6; i++)
459 ppm_window->current_bucket =
461 ppm_window->buckets[ppm_window->current_bucket] = 0;
464 ppm_window->window_start += bucket_offset*
470 ppm_window->buckets[ppm_window->current_bucket]++;
486 struct timeval duration;
496 &vector->start_time) == 1)
498 corsaro_log(__func__, corsaro,
"last packet seen before first packet!");
508 ppm = vector->ppm_window.max_ppm;
530 tmp = htonl(vector->target_ip);
531 inet_ntop(AF_INET,&tmp, &t_ip[0], 16);
544 ",%"PRIu32
".%06"PRIu32
545 ",%"PRIu32
".%06"PRIu32
548 kh_size(vector->attack_ip_hash),
549 kh_size(vector->attack_ip_hash)-vector->attack_ip_cnt,
550 kh_size(vector->attack_port_hash),
551 kh_size(vector->target_port_hash),
553 vector->interval_packet_cnt,
555 vector->interval_byte_cnt,
556 vector->ppm_window.max_ppm,
557 (uint32_t)vector->start_time.tv_sec,
558 (uint32_t)vector->start_time.tv_usec,
559 (uint32_t)vector->latest_time.tv_sec,
560 (uint32_t)vector->latest_time.tv_usec);
573 uint8_t *ptr = &av_bytes[0];
589 bytes_htonl(ptr, kh_size(vector->attack_ip_hash)-vector->attack_ip_cnt);
592 bytes_htonl(ptr, kh_size(vector->attack_port_hash));
595 bytes_htonl(ptr, kh_size(vector->target_port_hash));
643 corsaro_log(__func__, corsaro,
"could not dump vector byte array to file");
648 vector->initial_packet_len) !=
649 vector->initial_packet_len)
651 corsaro_log(__func__, corsaro,
"could not dump packet to file");
670 corsaro_log_in(__func__, corsaro,
"failed to read dos header from file");
682 record->
buffer)->attack_vector_cnt;
742 "failed to read dos attack vector from file");
751 corsaro_log_in(__func__, corsaro,
"could not validate attack vector");
764 "failed to read initial packet from file");
777 STATE_IN(corsaro)->vector_total = 0;
838 struct corsaro_dos_state_t *state;
841 assert(plugin != NULL);
847 if((state =
malloc_zero(
sizeof(
struct corsaro_dos_state_t))) == NULL)
850 "could not malloc corsaro_dos_state_t");
860 state->attack_hash = kh_init(av);
872 struct corsaro_dos_in_state_t *state;
874 assert(plugin != NULL);
876 if((state =
malloc_zero(
sizeof(
struct corsaro_dos_in_state_t)))
880 "could not malloc corsaro_dos_state_t");
900 struct corsaro_dos_in_state_t *state =
STATE_IN(corsaro);
912 struct corsaro_dos_state_t *state =
STATE(corsaro);
916 if(state->attack_hash != NULL)
919 kh_destroy(av, state->attack_hash);
920 state->attack_hash = NULL;
923 if(state->outfile != NULL)
926 state->outfile = NULL;
938 struct corsaro_dos_in_state_t *state =
STATE_IN(corsaro);
940 off_t bytes_read = -1;
944 switch(state->expected_type)
949 record_type, record);
958 bytes_read =
read_header(corsaro, record_type, record);
969 record_type, record);
977 corsaro_log_in(__func__, corsaro,
"invalid expected record type");
1001 corsaro_log_in(__func__, corsaro,
"could not validate global header");
1017 if(
STATE(corsaro)->outfile == NULL &&
1018 (
STATE(corsaro)->outfile =
1020 int_start)) == NULL)
1022 corsaro_log(__func__, corsaro,
"could not open %s output file",
1027 if(
STATE(corsaro)->first_interval == 0)
1030 STATE(corsaro)->first_interval = int_start->
time-1;
1039 int this_interval = int_end->
time-
STATE(corsaro)->first_interval;
1044 int attack_arr_cnt = 0;
1058 STATE(corsaro)->first_interval = int_end->
time;
1068 kh_size(
STATE(corsaro)->attack_hash))) == NULL)
1071 "could not malloc array for attack vectors");
1077 for(i = kh_begin(
STATE(corsaro)->attack_hash);
1078 i != kh_end(
STATE(corsaro)->attack_hash); ++i)
1080 if(kh_exist(
STATE(corsaro)->attack_hash, i))
1082 vector = kh_key(
STATE(corsaro)->attack_hash, i);
1086 kh_del(av,
STATE(corsaro)->attack_hash, i);
1095 attack_arr[attack_arr_cnt] = vector;
1119 "mismatch: %"PRIu32
"\n"
1120 "attack_vectors: %"PRIu32
"\n"
1121 "non-attack_vectors: %"PRIu32
"\n",
1122 STATE(corsaro)->number_mismatched_packets,
1124 kh_size(
STATE(corsaro)->attack_hash)
1132 for(i = 0; i < attack_arr_cnt; i++)
1136 corsaro_log(__func__, corsaro,
"could not dump hash");
1151 kh_size(
STATE(corsaro)->attack_hash)-attack_arr_cnt);
1153 &gbuf[0], 12) != 12)
1156 "could not dump global stats to file");
1164 &cntbuf[0], 4) != 4)
1167 "could not dump vector count to file");
1171 for(i = 0; i < attack_arr_cnt; i++)
1175 corsaro_log(__func__, corsaro,
"could not dump hash");
1193 STATE(corsaro)->number_mismatched_packets = 0;
1201 if(
STATE(corsaro)->outfile != NULL)
1204 STATE(corsaro)->outfile = NULL;
1215 libtrace_packet_t *ltpacket =
LT_PKT(packet);
1220 libtrace_ip_t *ip_hdr = NULL;
1221 libtrace_icmp_t *icmp_hdr = NULL;
1222 libtrace_ip_t *inner_ip_hdr = NULL;
1230 uint16_t attacker_port = 0;
1231 uint16_t target_port = 0;
1238 uint8_t *pkt_buf = NULL;
1239 libtrace_linktype_t linktype;
1252 if((ip_hdr = trace_get_ip(ltpacket)) == NULL)
1259 if((temp = trace_get_transport(ltpacket, &proto, &remaining)) == NULL)
1265 findme.target_ip = 0;
1267 if(ip_hdr->ip_p == TRACE_IPPROTO_ICMP && remaining >= 2)
1269 icmp_hdr = (libtrace_icmp_t *)temp;
1271 if((icmp_hdr->type == 3 ||
1272 icmp_hdr->type == 4 ||
1273 icmp_hdr->type == 5 ||
1274 icmp_hdr->type == 11 ||
1275 icmp_hdr->type == 12) &&
1276 ((temp = trace_get_payload_from_icmp(icmp_hdr, &remaining)) != NULL
1277 && remaining >= 20 && (inner_ip_hdr = (libtrace_ip_t *)temp) &&
1278 inner_ip_hdr->ip_v == 4))
1281 if(inner_ip_hdr->ip_src.s_addr != ip_hdr->ip_dst.s_addr)
1283 STATE(corsaro)->number_mismatched_packets++;
1286 findme.target_ip = ntohl(inner_ip_hdr->ip_dst.s_addr);
1289 if((temp = trace_get_payload_from_ip(inner_ip_hdr, NULL,
1290 &remaining)) != NULL
1293 attacker_port = ntohs(((
struct ports_t *)temp)->src);
1294 target_port = ntohs(((
struct ports_t *)temp)->dst);
1299 findme.target_ip = ntohl(ip_hdr->ip_src.s_addr);
1300 attacker_port = ntohs(icmp_hdr->code);
1301 target_port = ntohs(icmp_hdr->type);
1304 else if((ip_hdr->ip_p == TRACE_IPPROTO_TCP ||
1305 ip_hdr->ip_p == TRACE_IPPROTO_UDP) &&
1308 findme.target_ip = ntohl(ip_hdr->ip_src.s_addr);
1309 attacker_port = trace_get_destination_port(ltpacket);
1310 target_port = trace_get_source_port(ltpacket);
1313 if(findme.target_ip == 0)
1319 tv = trace_get_timeval(ltpacket);
1322 assert(
STATE(corsaro)->attack_hash != NULL);
1323 if((khiter = kh_get(av,
STATE(corsaro)->attack_hash, &findme))
1324 != kh_end(
STATE(corsaro)->attack_hash))
1327 vector = kh_key(
STATE(corsaro)->attack_hash, khiter);
1331 kh_del(av,
STATE(corsaro)->attack_hash, khiter);
1342 corsaro_log(__func__, corsaro,
"failed to create new attack vector");
1349 vector->initial_packet_len = trace_get_capture_length(ltpacket);
1351 if((vector->initial_packet = malloc(vector->initial_packet_len)) == NULL)
1353 corsaro_log(__func__, corsaro,
"could not malloc initial packet");
1357 if((pkt_buf = trace_get_packet_buffer(ltpacket,
1358 &linktype, NULL)) == NULL)
1360 corsaro_log(__func__, corsaro,
"could not get packet buffer");
1364 memcpy(vector->initial_packet, pkt_buf, vector->initial_packet_len);
1366 vector->attacker_ip = ntohl(ip_hdr->ip_dst.s_addr);
1367 vector->responder_ip = ntohl(ip_hdr->ip_src.s_addr);
1368 vector->target_ip = findme.target_ip;
1370 vector->start_time = tv;
1372 vector->ppm_window.window_start = tv.tv_sec;
1375 khiter = kh_put(av,
STATE(corsaro)->attack_hash, vector, &khret);
1378 assert(vector != NULL);
1380 vector->packet_cnt++;
1381 vector->interval_packet_cnt++;
1382 vector->byte_cnt += ntohs(ip_hdr->ip_len);
1383 vector->interval_byte_cnt += ntohs(ip_hdr->ip_len);
1385 vector->latest_time = tv;
1390 kh_put(32xx, vector->attack_ip_hash, ntohl(ip_hdr->ip_dst.s_addr), &khret);
1393 kh_put(32xx, vector->attack_port_hash, attacker_port, &khret);
1394 kh_put(32xx, vector->target_port_hash, target_port, &khret);
1404 libtrace_packet_t *
packet)
1406 assert(packet != NULL);
1408 trace_construct_packet(packet, TRACE_TYPE_ETH,
1418 assert(corsaro != NULL);
1419 assert(file != NULL);
1420 assert(header != NULL);
1423 "mismatch: %"PRIu32
"\n"
1424 "attack_vectors: %"PRIu32
"\n"
1425 "non-attack_vectors: %"PRIu32
"\n",
1435 assert(header != NULL);
1437 fprintf(stdout,
"mismatch: %"PRIu32
"\n"
1438 "attack_vectors: %"PRIu32
"\n"
1439 "non-attack_vectors: %"PRIu32
"\n",
1456 assert(corsaro != NULL);
1457 assert(file != NULL);
1461 inet_ntop(AF_INET,&tmp, &t_ip[0], 16);
1474 ",%"PRIu32
".%06"PRIu32
1475 ",%"PRIu32
".%06"PRIu32
1499 libtrace_packet_t *
packet;
1504 inet_ntop(AF_INET,&tmp, &t_ip[0], 16);
1517 ",%"PRIu32
".%06"PRIu32
1518 ",%"PRIu32
".%06"PRIu32
1536 if ((packet = trace_create_packet()) == NULL) {
1543 #if HAVE_LIBPACKETDUMP
1544 fprintf(stdout,
"START PACKET\n");
1545 trace_dump_packet(packet);
1546 fprintf(stdout,
"\nEND PACKET\n");
1548 fprintf(stdout,
"corsaro not built with libpacketdump support\n"
1549 "not dumping initial packet\n");
1558 assert(corsaro != NULL);
1559 assert(file != NULL);
1560 assert(header != NULL);
1571 assert(header != NULL);
1601 corsaro_log(__func__, corsaro,
"record_type %d not a dos record",
1633 "record_type %d not a dos record",
Structure representing the start or end of an interval.
uint32_t start_time_usec
The time of the initial packet (usec)
An opaque structure defining an corsaro input file.
int corsaro_dos_probe_filename(const char *fname)
Implements the probe_filename function of the plugin API.
Header file dealing with the corsaro plugin manager.
void bytes_htonl(uint8_t *bytes, uint32_t u32)
Convert a host ordered long to a network ordered byte array.
static int read_attack_vector(corsaro_in_t *corsaro, corsaro_in_record_type_t *record_type, corsaro_in_record_t *record)
Read an attack vector record.
int corsaro_dos_close_output(corsaro_t *corsaro)
Implements the close_output function of the plugin API.
Header file dealing with the corsaro logging sub-system.
off_t corsaro_dos_header_fprint(corsaro_t *corsaro, corsaro_file_t *file, corsaro_dos_header_t *header)
Print a header record to stdout in ASCII format.
An opaque structure defining an corsaro output file.
int corsaro_dos_close_input(corsaro_in_t *corsaro)
Implements the close_input function of the plugin API.
static attack_vector_t * attack_vector_init(corsaro_t *corsaro)
Create an attack vector object.
off_t corsaro_file_printf(struct corsaro *corsaro, corsaro_file_t *file, const char *format,...)
Print a string to an corsaro file.
static corsaro_plugin_t corsaro_dos_plugin
Common plugin information across all instances.
uint64_t packet_cnt
The number of packets that comprise this vector.
A reusable opaque structure for corsaro to read an input record into.
#define CORSARO_DOS_INTERVAL
The interval that this plugin would like to dump at.
#define CORSARO_DOS_ATTACK_VECTOR_MIN_DURATION
The minimum number of seconds before a vector can be an attack.
corsaro_plugin_manager_t * plugin_manager
A pointer to the corsaro plugin manager state.
int corsaro_dos_end_interval(corsaro_t *corsaro, corsaro_interval_t *int_end)
Implements the end_interval function of the plugin API.
off_t corsaro_dos_read_record(struct corsaro_in *corsaro, corsaro_in_record_type_t *record_type, corsaro_in_record_t *record)
Implements the read_record function of the plugin API.
#define LT_PKT(corsaro_packet)
Convenience macro to get to the libtrace packet inside an corsaro packet.
void corsaro_dos_attack_vector_get_packet(corsaro_dos_attack_vector_in_t *attack_vector, libtrace_packet_t *packet)
Extract the initial packet from an attack vector record.
#define CORSARO_FILE_MODE(file)
Accessor macro for getting the mode of a file.
int corsaro_dos_probe_magic(corsaro_in_t *corsaro, corsaro_file_in_t *file)
Implements the probe_magic function of the plugin API.
int corsaro_dos_record_print(corsaro_in_record_type_t record_type, corsaro_in_record_t *record)
Print any DoS record to a file in ASCII format.
void corsaro_file_close(struct corsaro *corsaro, corsaro_file_t *file)
Closes an corsaro output file and frees the writer structure.
#define CORSARO_DOS_MAGIC
The magic number for this plugin - "EDOS".
static libtrace_packet_t * packet
A pointer to a libtrace packet.
void corsaro_plugin_free_state(corsaro_plugin_manager_t *manager, corsaro_plugin_t *plugin)
Free the state for a plugin.
off_t corsaro_io_read_bytes_offset(corsaro_in_t *corsaro, corsaro_in_record_t *record, off_t offset, off_t len)
Read the given number of bytes into the record buffer at the given offset.
#define CORSARO_DOS_PPM_WINDOW_PRECISION
The amount to slide the window by in seconds.
off_t corsaro_dos_read_global_data_record(struct corsaro_in *corsaro, enum corsaro_in_record_type *record_type, struct corsaro_in_record *record)
Implements the read_global_data_record function of the plugin API.
Header file for common utility functions.
A lightweight wrapper around a libtrace packet.
corsaro_plugin_manager_t * plugin_manager
A pointer to the corsaro plugin manager state.
static void attack_vector_update_ppm(ppm_window_t *ppm_window)
Update the max ppm value given the current window values.
#define CORSARO_PLUGIN_GENERATE_PTRS(plugin)
Convenience macro that defines all the function pointers for the corsaro plugin API.
corsaro_in_record_type
Corsaro input record types.
corsaro_file_t * corsaro_io_prepare_file(corsaro_t *corsaro, const char *plugin_name, corsaro_interval_t *interval)
Uses the current settings to open an corsaro file for the given plugin.
off_t corsaro_io_read_interval_end(corsaro_in_t *corsaro, corsaro_file_in_t *file, corsaro_in_record_type_t *record_type, corsaro_in_record_t *record)
Read the appropriate interval trailers from the file.
void corsaro_plugin_register_state(corsaro_plugin_manager_t *manager, corsaro_plugin_t *plugin, void *state)
Register the state for a plugin.
int corsaro_dos_init_output(corsaro_t *corsaro)
Implements the init_output function of the plugin API.
int corsaro_plugin_probe_filename(const char *fname, corsaro_plugin_t *plugin)
Check a filename to see if it contains a plugin's name.
off_t corsaro_io_write_interval_end(corsaro_t *corsaro, corsaro_file_t *file, corsaro_interval_t *int_end)
Write the appropriate interval trailers to the file.
struct ppm_window ppm_window_t
Initialize the hash types needed to hold maps in vectors.
uint32_t initial_packet_len
The length of the initial packet (bytes)
static void attack_vector_free(attack_vector_t *av)
Free the memory allocated to an attack vector object.
#define CORSARO_PLUGIN_GENERATE_TAIL
Convenience macro that defines all the 'remaining' blank fields in a corsaro plugin object...
void * malloc_zero(const size_t size)
Allocate memory and set it to zero.
Header file dealing with the low-level file IO.
static corsaro_in_record_t * record
A pointer to a corsaro record.
void corsaro_log_in(const char *func, corsaro_in_t *corsaro, const char *format,...)
Write a formatted string to the logfile associated with an corsaro input object.
static void attack_vector_update_ppm_window(attack_vector_t *vector, struct timeval tv)
Update the packet rate window.
off_t corsaro_dos_attack_vector_fprint(corsaro_t *corsaro, corsaro_file_t *file, corsaro_dos_attack_vector_in_t *av)
Print an attack vector record to stdout in ASCII format.
KHASH_INIT(av, attack_vector_t *, char, 0, attack_vector_hash_func, attack_vector_hash_equal)
Initialize the hash functions and datatypes.
off_t corsaro_io_read_interval_start(corsaro_in_t *corsaro, corsaro_file_in_t *file, corsaro_in_record_type_t *record_type, corsaro_in_record_t *record)
Read the appropriate interval headers from the file.
uint32_t latest_time_sec
The time of the last packet (seconds)
#define PLUGIN_NAME
The name of this plugin.
int corsaro_is_rotate_interval(corsaro_t *corsaro)
Convenience function to determine if the output files should be rotated.
off_t corsaro_io_read_bytes(corsaro_in_t *corsaro, corsaro_in_record_t *record, off_t len)
Read the given number of bytes into the record.
struct attack_vector attack_vector_t
A record for a potential attack vector.
uint32_t interval_attacker_ip_cnt
Number of IP addresses the alleged attack has originated from in the current interval.
off_t corsaro_dos_record_fprint(corsaro_t *corsaro, corsaro_file_t *file, corsaro_in_record_type_t record_type, corsaro_in_record_t *record)
Print any DoS record to stdout in ASCII format.
corsaro_packet_state_t state
The corsaro state associated with this packet.
#define CORSARO_DOS_ATTACK_VECTOR_MIN_PACKETS
The minimum number of packets before a vector can be an attack.
uint8_t flags
Features of the packet that have been identified by earlier plugins.
#define CORSARO_DOS_ATTACK_VECTOR_BYTECNT
The length (in bytes) of an attack vector record.
uint8_t * buffer
The buffer to read the record into.
corsaro_interval_t interval_start
State for the current interval.
off_t corsaro_io_write_plugin_end(corsaro_t *corsaro, corsaro_file_t *file, corsaro_plugin_t *plugin)
Write the appropriate plugin trailer to the file.
Structure to hold a dos attack vector.
The packet is classified as backscatter.
void corsaro_log_file(const char *func, corsaro_file_t *logfile, const char *format,...)
Write a formatted string to a generic log file.
uint32_t time
The time this interval started/ended.
off_t corsaro_file_write(struct corsaro *corsaro, corsaro_file_t *file, const void *buffer, off_t len)
Writes the contents of a buffer using an corsaro output file.
#define CORSARO_DOS_PPS_BUCKET_CNT
The number of buckets.
#define STATE(corsaro)
Extends the generic plugin state convenience macro in corsaro_plugin.h.
off_t corsaro_dos_global_header_fprint(corsaro_t *corsaro, corsaro_file_t *file, corsaro_dos_global_header_t *header)
Print a global header record to stdout in ASCII format.
void corsaro_dos_global_header_print(corsaro_dos_global_header_t *header)
Print a global header record to a file in ASCII format.
The start of an interval.
int corsaro_dos_start_interval(corsaro_t *corsaro, corsaro_interval_t *int_start)
Implements the start_interval function of the plugin API.
static int validate_attack_vector(corsaro_dos_attack_vector_in_t *av)
Check an attack vector record is valid.
#define CORSARO_DOS_VECTOR_TIMEOUT
The length of time after which an inactive attack vector is expired.
#define CORSARO_DOS_ATTACK_VECTOR_MIN_PPM
The minimum packet rate before a vector can be an attack.
The corsaro_dos attack vector record.
The corsaro_dos global header record.
static int attack_vector_is_attack(corsaro_t *corsaro, attack_vector_t *vector, uint32_t time)
Determine whether a vector is indeed an attack vector.
The corsaro_dos header record.
static int binary_dump(corsaro_t *corsaro, attack_vector_t *vector)
Dump the given vector to the plugin output file in binary.
uint32_t interval_packet_cnt
The number of packets added to this vector in the current interval.
uint8_t * initial_packet
A copy of the packet that caused the vector to be created.
static int attack_vector_is_expired(attack_vector_t *vector, uint32_t time)
Check if a vector has had a packet added to it recently.
void corsaro_dos_header_print(corsaro_dos_header_t *header)
Print a header record to a file in ASCII format.
static int read_header(corsaro_in_t *corsaro, corsaro_in_record_type_t *record_type, corsaro_in_record_t *record)
Read a dos header.
Header file dealing with the corsaro file IO.
The null type used for wildcard matching.
#define attack_vector_hash_equal(a, b)
Compare two attack vectors for equality.
uint32_t latest_time_usec
The time of the last packet (usec)
uint64_t byte_cnt
The number of bytes that comprise this vector.
void bytes_htonll(uint8_t *bytes, uint64_t u64)
Convert a host ordered long-long (64 bit) to a network ordered byte array.
uint32_t attacker_ip_cnt
Number of IP addresses the alleged attack has originated from.
uint32_t attack_port_cnt
Number of ports that alleged attack packets have originated from.
uint32_t target_port_cnt
Number of ports that alleged attack packets were directed to.
corsaro_file_t * global_file
The corsaro output file to write global output to.
int timeval_subtract(struct timeval *result, const struct timeval *x, const struct timeval *y)
Find the delta between two timevals.
static int ascii_dump(corsaro_t *corsaro, attack_vector_t *vector)
Dump the given vector to the plugin output file in ASCII.
void corsaro_dos_attack_vector_print(corsaro_dos_attack_vector_in_t *av)
Print an attack vector record to a file in ASCII format.
int corsaro_dos_process_packet(corsaro_t *corsaro, corsaro_packet_t *packet)
Implements the process_packet function of the plugin API.
static void attack_vector_reset(attack_vector_t *av)
Reset the per-interval counters in an attack vector.
static khint32_t attack_vector_hash_func(attack_vector_t *av)
Hash an attack vector.
uint32_t start_time_sec
The time of the initial packet (seconds)
off_t corsaro_io_write_interval_start(corsaro_t *corsaro, corsaro_file_t *file, corsaro_interval_t *int_start)
Write the appropriate interval headers to the file.
void corsaro_log(const char *func, corsaro_t *corsaro, const char *format,...)
Write a formatted string to the logfile associated with an corsaro object.
uint32_t target_ip
The IP address of the alleged target of the attack.
#define PLUGIN(corsaro)
Extends the generic plugin plugin convenience macro in corsaro_plugin.h.
off_t corsaro_io_write_plugin_start(corsaro_t *corsaro, corsaro_file_t *file, corsaro_plugin_t *plugin)
Write the appropriate plugin header to the file.
corsaro_plugin_t * corsaro_dos_alloc(corsaro_t *corsaro)
Implements the alloc function of the plugin API.
uint64_t max_ppm
The maximum packet rate observed thus far.
static int validate_global_header(corsaro_dos_global_header_t *g)
Check that a global file header record is valid.
enum corsaro_in_record_type corsaro_in_record_type_t
Corsaro input record types.
#define STATE_IN(corsaro)
Extends the generic plugin state convenience macro in corsaro_plugin.h.
An corsaro packet processing plugin.
uint32_t interval_byte_cnt
The number of bytes added to this vector in the current interval.
int corsaro_dos_init_input(corsaro_in_t *corsaro)
Implements the init_input function of the plugin API.
#define ntohll(x)
Byte-swap a 64-bit integer.
#define PLUGIN_NAME_DEPRECATED
The old name of this plugin.
corsaro_file_in_t * file
The corsaro input file to read data from.
Header file dealing with the internal corsaro functions.
![[CAIDA - Center for Applied Internet Data Analysis logo]](https://www.caida.org/images/caida_globe_faded.png)
![[CAIDA]](https://www.caida.org/images/caida_whitewords.png "Go to CAIDA home page"){kind=small}