suricata
reputation.h File Reference
#include "host.h"

Data Structures

struct  SRepCIDRTree_
 
struct  SReputation_
 
struct  IPReputationCtx_
 

Macros

#define SREP_MAX_CATS   60
 
#define REPUTATION_SPAM   0
 
#define REPUTATION_CNC   1
 
#define REPUTATION_SCAN   2
 
#define REPUTATION_HOSTILE   3
 
#define REPUTATION_DYNAMIC   4
 
#define REPUTATION_PUBLICACCESS   5
 
#define REPUTATION_PROXY   6
 
#define REPUTATION_P2P   7
 
#define REPUTATION_UTILITY   8
 
#define REPUTATION_DDOS   9
 
#define REPUTATION_PHISH   10
 
#define REPUTATION_MALWARE   11
 
#define REPUTATION_ZOMBIE   12
 
#define REPUTATION_NUMBER   13
 
#define REPUTATION_FLAG_NEEDSYNC   0x01
 

Typedefs

typedef struct SRepCIDRTree_ SRepCIDRTree
 
typedef struct SReputation_ SReputation
 
typedef struct IPReputationCtx_ IPReputationCtx
 

Functions

uint8_t SRepCatGetByShortname (char *shortname)
 
int SRepInit (struct DetectEngineCtx_ *de_ctx)
 init reputation
 
void SRepDestroy (struct DetectEngineCtx_ *de_ctx)
 
void SRepReloadComplete (void)
 Increment effective reputation version after a rule/reputation reload is complete.
 
int SRepHostTimedOut (Host *)
 Check if a Host is timed out wrt ip rep, meaning a new version is in place.
 
uint8_t SRepCIDRGetIPRepSrc (SRepCIDRTree *cidr_ctx, Packet *p, uint8_t cat, uint32_t version)
 
uint8_t SRepCIDRGetIPRepDst (SRepCIDRTree *cidr_ctx, Packet *p, uint8_t cat, uint32_t version)
 
void SRepResetVersion (void)
 
int SRepLoadCatFileFromFD (FILE *fp)
 
int SRepLoadFileFromFD (SRepCIDRTree *cidr_ctx, FILE *fp)
 
void SCReputationRegisterTests (void)
 

Detailed Description

Macro Definition Documentation

#define REPUTATION_CNC   1

CnC server

Definition at line 53 of file reputation.h.

#define REPUTATION_DDOS   9

Known ddos participant

Definition at line 61 of file reputation.h.

Referenced by SRepDestroy().

#define REPUTATION_DYNAMIC   4

Known dial up, residential, user networks

Definition at line 56 of file reputation.h.

#define REPUTATION_FLAG_NEEDSYNC   0x01

rep was changed by engine, needs sync with external hub

Definition at line 75 of file reputation.h.

Referenced by SRepDestroy().

#define REPUTATION_HOSTILE   3

hijacked nets, RBN nets, etc

Definition at line 55 of file reputation.h.

#define REPUTATION_MALWARE   11

Known Malware distribution site. Hacked web server, etc

Definition at line 63 of file reputation.h.

Referenced by SRepDestroy().

#define REPUTATION_NUMBER   13

number of rep types we have for data structure size (be careful with this)

Definition at line 71 of file reputation.h.

Referenced by SRepDestroy().

#define REPUTATION_P2P   7

Heavy p2p node, torrent server, other sharing services

Definition at line 59 of file reputation.h.

#define REPUTATION_PHISH   10

Known Phishing site

Definition at line 62 of file reputation.h.

Referenced by SRepDestroy().

#define REPUTATION_PROXY   6

known tor out nodes, proxy servers, etc

Definition at line 58 of file reputation.h.

#define REPUTATION_PUBLICACCESS   5

known internet cafes, open access points

Definition at line 57 of file reputation.h.

#define REPUTATION_SCAN   2

scanner

Definition at line 54 of file reputation.h.

#define REPUTATION_SPAM   0

Reputation numbers (types) that we can use to lookup/update, etc. Please don't convert this to an enum, since we want the same reputation codes always.

spammer

Definition at line 52 of file reputation.h.

#define REPUTATION_UTILITY   8

known good places like google, yahoo, msn.com, etc

Definition at line 60 of file reputation.h.

#define REPUTATION_ZOMBIE   12

Known Zombie (botnet member). They are typically Scanner or Hostile, but if collaboration with botnet snooping (like we did back in 2005 or so) can proactively identify online zombies that joined a botnet, you may want to break those out separately.

Definition at line 64 of file reputation.h.

#define SREP_MAX_CATS   60

Typedef Documentation

Reputation Context for IPV4 IPV6

typedef struct SRepCIDRTree_ SRepCIDRTree
typedef struct SReputation_ SReputation

Function Documentation

void SCReputationRegisterTests(void)

Register the following unittests for the Reputation module

Definition at line 2313 of file reputation.c.

References UtRegisterTest().


uint8_t SRepCatGetByShortname(char *shortname)

Definition at line 340 of file reputation.c.

References SC_ERR_OPENING_RULE_FILE, SCLogError, SREP_MAX_CATS, and SRepLoadCatFileFromFD().

Referenced by DetectIPRepRegister().


uint8_t SRepCIDRGetIPRepDst(SRepCIDRTree *cidr_ctx, Packet *p, uint8_t cat, uint32_t version)

Definition at line 158 of file reputation.c.

References GET_IPV4_DST_ADDR_PTR, GET_IPV6_DST_ADDR, PKT_IS_IPV4, and PKT_IS_IPV6.

Referenced by DetectIPRepRegister().


uint8_t SRepCIDRGetIPRepSrc(SRepCIDRTree *cidr_ctx, Packet *p, uint8_t cat, uint32_t version)

Definition at line 146 of file reputation.c.

References GET_IPV4_SRC_ADDR_PTR, GET_IPV6_SRC_ADDR, PKT_IS_IPV4, and PKT_IS_IPV6.

Referenced by DetectIPRepRegister(), and SRepDestroy().


int SRepHostTimedOut(Host *h)

Check if a Host is timed out wrt ip rep, meaning a new version is in place.

We clean up the old version here.

Parameters
  h: host
Return values
  0: not timed out
  1: timed out

Definition at line 196 of file reputation.c.

References Address_::address, BUG_ON, Address_::family, HostDecrUsecnt, Host_::iprep, SCFree, SCLogDebug, SREP_MAX_CATS, strlcpy(), and SReputation_::version.

Referenced by HostGetActiveCount().


int SRepInit(DetectEngineCtx *de_ctx)

init reputation

Parameters
  de_ctx: detection engine ctx for tracking iprep version
Return values
  0: ok
  -1: error

If this function is called more than once, the category file is not reloaded.

Definition at line 579 of file reputation.c.

References ConfGet(), ConfGetNode(), DetectEngineCtx_::failure_fatal, HostPrintStats(), next, SC_ATOMIC_INIT, SC_ERR_NO_REPUTATION, SCFree, SCLogDebug, SCLogError, SCLogInfo, SCMalloc, SREP_MAX_CATS, DetectEngineCtx_::srep_version, DetectEngineCtx_::srepCIDR_ctx, SRepCIDRTree_::srepIPV4_tree, SRepCIDRTree_::srepIPV6_tree, TAILQ_FOREACH, and ConfNode_::val.

Referenced by DetectEngineInspectBufferGeneric(), DetectIPRepFree(), and SRepDestroy().


int SRepLoadCatFileFromFD(FILE *fp)

Definition at line 368 of file reputation.c.

References BUG_ON, Address_::family, len, SC_ERR_NO_REPUTATION, SC_ERR_OPENING_RULE_FILE, SCLogDebug, SCLogError, SREP_MAX_CATS, SREP_SHORTNAME_LEN, SRepLoadFileFromFD(), and strlcpy().

Referenced by DetectIPRepFree(), and SRepCatGetByShortname().


int SRepLoadFileFromFD(SRepCIDRTree *cidr_ctx, FILE *fp)

void SRepReloadComplete(void)

Increment effective reputation version after a rule/reputation reload is complete.

Definition at line 172 of file reputation.c.

References SC_ATOMIC_ADD, SC_ATOMIC_SET, and SCLogDebug.

Referenced by DetectEngineInspectBufferGeneric().

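A small model of the version gating that SRepReloadComplete and SRepHostTimedOut describe above (a completed reload publishes a new version, hosts still carrying the old version are treated as timed out and cleaned up, and lookups are gated on the version), added here as an example. It is not Suricata's code; REP_CATS, HostRep, HostEntry, g_rep_version and the host_rep_* functions are assumed stand-ins for the real structures.

```c
#include <stdint.h>
#include <stdlib.h>

#define REP_CATS 13            /* REPUTATION_NUMBER on this page */
#define REP_FLAG_NEEDSYNC 0x01 /* REPUTATION_FLAG_NEEDSYNC on this page */

/* Engine-wide effective reputation version; a completed reload bumps it. */
static uint32_t g_rep_version = 1;

/* Per-host reputation, stamped with the version it was written under. */
typedef struct {
    uint32_t version;
    uint8_t  flags;
    uint8_t  rep[REP_CATS];
} HostRep;

/* Stand-in for the host table entry; iprep is NULL when nothing is attached. */
typedef struct { HostRep *iprep; } HostEntry;

uint32_t rep_current_version(void) { return g_rep_version; }
/* Like SRepReloadComplete: publish the new version so stale reps become detectable. */
void rep_reload_complete(void) { g_rep_version++; }

/* Like SRepHostTimedOut: returns 1 and frees the old rep when stale, else 0. */
int host_rep_timed_out(HostEntry *h) {
    if (h->iprep == NULL || h->iprep->version == g_rep_version) return 0;
    free(h->iprep);
    h->iprep = NULL;
    return 1;
}

/* Record a score for one category under the current version. */
HostRep *host_rep_set(HostEntry *h, uint8_t cat, uint8_t value) {
    if (cat >= REP_CATS) return NULL;
    if (h->iprep == NULL || h->iprep->version != g_rep_version) {
        free(h->iprep);                    /* drop a stale rep, if any */
        h->iprep = calloc(1, sizeof(HostRep));
        if (h->iprep == NULL) return NULL;
        h->iprep->version = g_rep_version;
    }
    h->iprep->rep[cat] = value;
    h->iprep->flags |= REP_FLAG_NEEDSYNC;  /* changed by engine: needs sync */
    return h->iprep;
}

/* Version-gated lookup: 0 when absent, category out of range, or an old version. */
uint8_t host_rep_get(const HostEntry *h, uint8_t cat, uint32_t version) {
    if (cat >= REP_CATS || h->iprep == NULL || h->iprep->version != version) return 0;
    return h->iprep->rep[cat];
}
```

After rep_reload_complete() a lookup with the new version returns 0 for the host until its stale entry is cleaned up by host_rep_timed_out() and rewritten.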