* Copyright (C) 2000-2001 Luca Deri <deri@ntop.org>
* Portions by Stefano Suin <stefano@ntop.org>
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
#define BROADCAST_ADDRESS 1
#define MULTICAST_ADDRESS 2
#define GATEWAY_ADDRESS 3
#define NOT_BROADCAST_ADDRESS 5
#define NOT_MULTICAST_ADDRESS 6
#define NOT_GATEWAY_ADDRESS 7
#define NOT_DNS_ADDRESS 8
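/* Port wildcards stored in the sport/dport rule fields. They are offsets from
   TOP_ASSIGNED_IP_PORTS (defined elsewhere; presumably above any real port
   number so the wildcards cannot collide with real ports -- verify there).
   Each arithmetic expansion is parenthesized so that using a wildcard inside
   a larger expression (e.g. "x * NOT_ANY_PORT" or a comparison) cannot
   reassociate the "+N" away from TOP_ASSIGNED_IP_PORTS. */
#define ANY_PORT      TOP_ASSIGNED_IP_PORTS
#define NOT_ANY_PORT  (TOP_ASSIGNED_IP_PORTS+1) /* Any port of the target host no matter whether the target port
                                                  matches the port of the previous packet (this value can be
                                                  specified only for the 'clear' action) */
#define USED_PORT     (TOP_ASSIGNED_IP_PORTS+2) /* Port on which we've seen traffic before */
#define NOT_USED_PORT (TOP_ASSIGNED_IP_PORTS+3) /* Port on which we've seen NO traffic before */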
#define DATA_PACKET 0 /* The rule applies to packets (default) */
#define DATA_FRAGMENT 1 /* The rule applies to packet fragments */
#define COMPARISON_NONE 0 /* no comparison */
#define COMPARISON_LESS_THAN 1 /* A < B */
#define COMPARISON_EQUAL_TO 2 /* A == B */
#define COMPARISON_MORE_THAN 3 /* A > B */
#define PACKET_FRAGMENT_SIZE 0 /* Compare the packet/fragment size */
#define PACKET_FRAGMENT_COUNT 1 /* Compare the packet/fragment number */
#define ACTION_ALARM 0
#define MAX_NUM_RULES 128
#define MAX_EVENT_MSG_SIZE 128
/* Don't scan for expired rules within... */
#define MIN_SCAN_TIMEOUT 10
typedef struct matchedRule {
time_t firstMatchTime, lastMatchTime;
typedef struct filterRule {
u_char revert; /* This rule will also match with shost/sport & dhost/dport swapped */
u_char dataType; /* Either packet (default) or fragment */
u_char shostType; /* Source type any/broadcast/... */
u_char dhostType; /* Destination type any/broadcast/... */
u_int sport; /* Source port */
u_int dport; /* Destination port */
u_int8_t flags; /* ACK,SYN,FIN... or ICMP code (for ICMP packets) */
struct re_pattern_buffer *pktContentPattern; /* e.g. "230 User root logged in." */
u_char pktComparisonType; /* # packets, packet size */
u_char pktComparisonOperator; /* none, <, >, == for the field below */
u_char pktComparisonValue;
u_short unitValue; /* Time interval within which the match shall occur, counted from the *first* match */
u_char actionType; /* Alarm, mark... */
u_short rearmTime; /* # seconds after which the rule is operational again */
u_short expireTime; /* # seconds after which the marked rule is fired if not cleared before */
u_short ruleIdCleared; /* rule that is cleared by this rule */
u_char clearAllRule; /* If specified this rule clears all the 'ruleCleared' specified */
u_short numMatchedRules; /* # rules in the array below */
time_t lastRuleCheck; /* last time the array below has been scanned */
MatchedRule *queuedPacketRules[MAX_NUM_RULES];
/* ******************** */
typedef struct filterRuleChain {
struct filterRuleChain *nextRule;
/* ******************** */
typedef struct eventMsg {
struct in_addr sourceHost;
struct in_addr destHost;
char message[MAX_EVENT_MSG_SIZE];
/* ******************** */