1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Pablo Rincon Crespo <pablo.rincon.crespo@gmail.com>
22  * \author Victor Julien <victor@inliniac.net>
23  * Original Idea by Matt Jonkman
24  */
25 
26 #ifndef __REPUTATION_H__
27 #define __REPUTATION_H__
28 
29 #include "host.h"
30 
/** Number of reputation categories the engine can track. Every per-category
 *  array in this header (SReputation::rep and the SRepCIDRTree members) is
 *  sized by this value, so a category id — a uint8_t, which can reach 255 —
 *  must be checked to be < SREP_MAX_CATS before it is used as an index. */
#define SREP_MAX_CATS 60

/** Per-category CIDR reputation trees, one tree per category and address
 *  family.
 *
 *  NOTE(review): this rendering of the header dropped the two members
 *  declared at reputation.h lines 34-35,
 *  `SCRadixTree *srepIPV4_tree[SREP_MAX_CATS]` and
 *  `SCRadixTree *srepIPV6_tree[SREP_MAX_CATS]`; the empty body below is an
 *  artefact of the listing, not of the source file. */
typedef struct SRepCIDRTree_ {
} SRepCIDRTree;
37 
/** Reputation record attached to a host.
 *
 *  rep[] holds one 8-bit score per category, indexed by category id; the
 *  index must be < SREP_MAX_CATS (a uint8_t id is not bounded by the type).
 *  version records the reputation version the entry was written under and is
 *  compared against the engine-wide version that SRepReloadComplete()
 *  increments (see SRepHostTimedOut) — presumably so entries written before
 *  a reload are treated as stale; confirm in reputation.c. */
typedef struct SReputation_ {
    uint32_t version;
    uint8_t rep[SREP_MAX_CATS];
} SReputation;
42 
/** Look up a category id by its short name.
 *  \param shortname NUL-terminated name (not modified; the parameter could be
 *         `const char *` but the definition in reputation.c would have to
 *         change with it).
 *  \return the category id as a uint8_t. What is returned for an unknown name
 *          is not visible here — do not use the result as an array index
 *          without checking it against SREP_MAX_CATS. */
uint8_t SRepCatGetByShortname(char *shortname);
/** Initialise the reputation subsystem for a detect engine.
 *  \return int status; the success/failure convention is defined in
 *          reputation.c (0 on success is usual in this codebase — verify). */
int SRepInit(struct DetectEngineCtx_ *de_ctx);
/** Counterpart of SRepInit: tear down the reputation state held by de_ctx. */
void SRepDestroy(struct DetectEngineCtx_ *de_ctx);
/** Increment the effective reputation version once a rule/reputation reload
 *  has completed. Host entries carrying an older SReputation::version then
 *  count as timed out (see SRepHostTimedOut). */
void SRepReloadComplete(void);
/** Check whether a Host's reputation is timed out with respect to the current
 *  reputation version, i.e. a newer reputation set is in place.
 *  \return non-zero when timed out — confirm exact contract in reputation.c. */
int SRepHostTimedOut(Host *);
48 
/** Reputation numbers (types) used to look up / update reputation.
 *
 *  Deliberately plain #defines rather than an enum: the original authors
 *  require these numeric codes to stay identical across versions (they are
 *  presumably persisted or exchanged with other tools), so never renumber or
 *  reorder them — append new codes at the end only.
 *
 *  NOTE(review): the live engine sizes its per-category arrays by
 *  SREP_MAX_CATS (60), not by REPUTATION_NUMBER; REPUTATION_NUMBER is only
 *  referenced inside the `#if 0` legacy block further down. */
#define REPUTATION_SPAM 0 /**< spammer */
#define REPUTATION_CNC 1 /**< CnC server */
#define REPUTATION_SCAN 2 /**< scanner */
#define REPUTATION_HOSTILE 3 /**< hijacked nets, RBN nets, etc. */
#define REPUTATION_DYNAMIC 4 /**< known dial-up, residential, user networks */
#define REPUTATION_PUBLICACCESS 5 /**< known internet cafés / open access points */
#define REPUTATION_PROXY 6 /**< known Tor exit nodes, proxy servers, etc. */
#define REPUTATION_P2P 7 /**< heavy p2p node, torrent server, other sharing services */
#define REPUTATION_UTILITY 8 /**< known good places like google, yahoo, msn.com, etc. */
#define REPUTATION_DDOS 9 /**< known DDoS participant */
#define REPUTATION_PHISH 10 /**< known phishing site */
#define REPUTATION_MALWARE 11 /**< known malware distribution site: hacked web server, etc. */
#define REPUTATION_ZOMBIE 12 /**< known zombie (botnet member). These are typically also
                                  Scanner or Hostile, but where botnet snooping can
                                  proactively identify hosts that joined a botnet (as was
                                  done around 2005) it is useful to track them separately. */
#define REPUTATION_NUMBER 13 /**< number of rep types above; sizes the legacy data
                                  structures only (keep it equal to the highest code + 1) */


/* Flags for reputation */
#define REPUTATION_FLAG_NEEDSYNC 0x01 /**< rep was changed by the engine and needs a sync with the external hub */
73 
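/** Reputation context for IPv4 / IPv6 (legacy).
 *
 *  NOTE(review): the listing this was taken from had dropped the closing
 *  `} IPReputationCtx;` of this typedef (original line 83); it is restored
 *  here. Within this header the type is only named by the
 *  SCReputationInitCtx / SCReputationFreeCtx prototypes inside the `#if 0`
 *  block below, so it appears to belong to the compiled-out legacy API; the
 *  live per-category lookups take an SRepCIDRTree instead. */
typedef struct IPReputationCtx_ {
    /** Radix trees holding the host reputation information, one per
     *  address family. */
    SCRadixTree *reputationIPV4_tree;
    SCRadixTree *reputationIPV6_tree;

    /** Mutexes guarding concurrent access, one per tree: take the lock that
     *  matches the tree being read or modified. */
    SCMutex reputationIPV4_lock;
    SCMutex reputationIPV6_lock;
} IPReputationCtx;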
/** Look up the reputation of packet p's source address in category cat.
 *  \param cidr_ctx per-category CIDR trees to search
 *  \param p        packet whose source address is looked up
 *  \param cat      category id; it indexes arrays of SREP_MAX_CATS entries, so
 *                  it must be < SREP_MAX_CATS — a uint8_t can hold up to 255,
 *                  bound it before calling
 *  \param version  caller's view of the reputation version (see
 *                  SRepReloadComplete)
 *  \return the 8-bit reputation value for that category */
uint8_t SRepCIDRGetIPRepSrc(SRepCIDRTree *cidr_ctx, Packet *p, uint8_t cat, uint32_t version);
/** Same as SRepCIDRGetIPRepSrc, but for packet p's destination address. */
uint8_t SRepCIDRGetIPRepDst(SRepCIDRTree *cidr_ctx, Packet *p, uint8_t cat, uint32_t version);
/** Reset the engine-wide reputation version counter that
 *  SRepReloadComplete() increments — presumably used at (re)initialisation;
 *  confirm in reputation.c. */
void SRepResetVersion(void);
/** Parse the categories file from an already-open stream.
 *  \param fp open FILE; ownership stays with the caller (not closed here —
 *            verify against reputation.c)
 *  \return int status as defined in reputation.c
 *  NOTE(review): category ids read from the file end up as array indices;
 *  the loader must reject anything >= SREP_MAX_CATS — confirm the check. */
int SRepLoadCatFileFromFD(FILE *fp);
/** Parse a reputation file from an already-open stream into cidr_ctx.
 *  \param cidr_ctx trees to populate
 *  \param fp       open FILE; ownership stays with the caller (verify)
 *  \return int status as defined in reputation.c
 *  NOTE(review): the file is operator-supplied but commonly fetched from an
 *  external feed, so treat its contents as untrusted: category ids, CIDR
 *  strings and score values all need range/format checks in the loader. */
int SRepLoadFileFromFD(SRepCIDRTree *cidr_ctx, FILE *fp);
90 
#if 0
/* ---- Legacy reputation API, compiled out ---------------------------------
 * Nothing between this #if 0 and its matching #endif reaches the compiler;
 * it is retained for reference only. REPUTATION_NUMBER and the
 * TRANSACTION_FLAG_* values are used nowhere else in this header.
 * NOTE(review): if reputation.c no longer defines these functions, the whole
 * block is better deleted than kept as disabled code. */

/** Reputation Data (legacy) */
//TODO: Add a timestamp here to know the last update of this reputation.
//      (mtime below already records the last modification — this TODO looks
//      stale; confirm.)
typedef struct Reputation_ {
    uint8_t reps[REPUTATION_NUMBER]; /**< one 8-bit reputation per REPUTATION_* code */
    uint8_t flags; /**< reputation flags (REPUTATION_FLAG_*) */
    time_t ctime; /**< creation time (epoch) */
    time_t mtime; /**< modification time (epoch) */
} Reputation;

/* flags for transactions */
#define TRANSACTION_FLAG_NEEDSYNC 0x01 /**< apply the transaction only if necessary */
#define TRANSACTION_FLAG_INCS 0x02 /**< increment only if necessary */
#define TRANSACTION_FLAG_DECS 0x04 /**< decrement only if necessary */

/* transaction for feedback: per-code increments/decrements to apply to a
 * Reputation */
typedef struct ReputationTransaction_ {
    uint16_t inc[REPUTATION_NUMBER]; /**< increment per REPUTATION_* code */
    uint16_t dec[REPUTATION_NUMBER]; /**< decrement per REPUTATION_* code */
    uint8_t flags; /**< TRANSACTION_FLAG_* */
} ReputationTransaction;

/* API */
/** Allocate a Reputation; presumably released with SCReputationFreeData.
 *  (Style: an empty parameter list in a C prototype means "unspecified
 *  arguments" — should be `(void)`.) */
Reputation *SCReputationAllocData();
/** Return a newly allocated copy of the given Reputation (caller frees). */
Reputation *SCReputationClone(Reputation *);
/** Free a Reputation allocated by the functions above; takes void * so it
 *  can be used as a generic destructor callback. */
void SCReputationFreeData(void *);

/** Allocate and initialise an IPReputationCtx. */
IPReputationCtx *SCReputationInitCtx(void);
/** Release an IPReputationCtx and everything it owns. */
void SCReputationFreeCtx(IPReputationCtx *);

/** Dump a Reputation for debugging. */
void SCReputationPrint(Reputation *);
#endif
/** Register this module's unit tests with the test runner (see reputation.c). */
void SCReputationRegisterTests(void);
124 
125 #endif /* __REPUTATION_H__ */