LIBNIDS(3) | Library Functions Manual | LIBNIDS(3) |
NAME¶
libnids - network intrusion detection system E-box librarySYNOPSIS¶
#include <nids.h> extern struct nids_prm nids_params; extern char nids_errbuf[]; int nids_init(void); void nids_register_ip_frag(void (*ip_frag_func)(struct ip *pkt, int len)); void nids_unregister_ip_frag(void (*ip_frag_func)(struct ip *pkt, int len)); void nids_register_ip(void (*ip_func)(struct ip *pkt, int len)); void nids_unregister_ip(void (*ip_func)(struct ip *pkt, int len)); void nids_register_udp(void (*udp_func)(struct tuple4 *addr, u_char *data, int len, struct ip *pkt)); void nids_unregister_udp(void (*udp_func)(struct tuple4 *addr, u_char *data, int len, struct ip *pkt)); void nids_register_tcp(void (*tcp_func)(struct tcp_stream *ts, void **param)); void nids_unregister_tcp(void (*tcp_func)(struct tcp_stream *ts, void **param)); void nids_killtcp(struct tcp_stream *ts); void nids_discard(struct tcp_stream *ts, int numbytes); void nids_run(void); int nids_dispatch(int cnt); int nids_next(void); int nids_getfd(void); void nids_register_chksum_ctl(struct nids_chksum_ctl *, int); void nids_pcap_handler(u_char *par, struct pcap_pkthdr *hdr, u_char *data); struct tcp_stream * nids_find_tcp_stream(struct tuple4 *addr);
DESCRIPTION¶
libnids provides the functionality of a network intrusion detection system (NIDS) E-box component. It currently performs:1. IP defragmentation 2. TCP stream reassembly 3. TCP port scan detectionlibnids performs TCP/IP reassembly in exactly the same way as Linux 2.0.36 kernels, and correctly handles all of the attacks implemented in fragrouter(8) (plus many other attacks as well).
ROUTINES¶
nids_init() initializes the application for sniffing, based on the values set in the global variable nids_params, declared as follows:struct nids_prm { int n_tcp_streams; int n_hosts; char *device; char *filename; int sk_buff_size; int dev_addon; void (*syslog)(int type, int err, struct ip *iph, void *data); int syslog_level; int scan_num_hosts; int scan_num_ports; int scan_delay; void (*no_mem)(void); int (*ip_filter)(struct ip *iph); char *pcap_filter; int promisc; int one_loop_less; int pcap_timeout; int multiproc; int queue_limit; int tcp_workarounds; pcap_t *pcap_desc; } nids_params;The members of this structure are:
- n_tcp_streams
- Size of the hash table used for storing TCP connection information ( a maximum of 3/4 * n_tcp_streams TCP connections will be followed simultaneously). Default value: 1024
- n_hosts
- Size of the hash table used for storing IP defragmentation information. Default value: 256
- filename
- It this variable is set, libnids will call pcap_open_offline with this variable as the argument (instead of pcap_open_live()). Default value: NULL
- device
- Interface to monitor. Default value: NULL (in which case an appropriate device is determined automatically). If this variable is assigned value all, libnids will attempt to capture packets on all interfaces (which works on Linux only)
- sk_buff_size
- Size of struct sk_buff (used for queuing packets), which should be set to match the value on the hosts being monitored. Default value: 168
- dev_addon
- Number of bytes in struct sk_buff reserved for link-layer information. Default value: -1 (in which case an appropriate offset if determined automatically based on link-layer type)
- syslog
- Syslog callback function, used to report unusual conditions, such as port scan attempts, invalid TCP header flags, etc. Default value: nids_syslog (which logs messages via syslog(3) without regard for message rate per second or free disk space)
- syslog_level
- Log level used by nids_syslog for reporting events via syslog(3). Default value: LOG_ALERT
- scan_num_hosts
- Size of hash table used for storing portscan information (the maximum number portscans that will be detected simultaneously). If set to 0, portscan detection will be disabled. Default value: 256
- scan_num_ports
- Minimum number of ports that must be scanned from the same source host before it is identifed as a portscan. Default value: 10
- scan_delay
- Maximum delay (in milliseconds) between connections to different ports for them to be identified as part of a portscan. Default value: 3000
- no_mem
- Out-of-memory callback function, used to terminate the calling process gracefully.
- ip_filter
- IP filtering callback function, used to selectively discard IP packets, inspected after reassembly. If the function returns a non-zero value, the packet is processed; otherwise, it is discarded. Default value: nids_ip_filter (which always returns 1)
- pcap_filter
- pcap(3) filter string applied to the link-layer (raw, unassembled) packets. Note: filters like ``tcp dst port 23'' will NOT correctly handle appropriately fragmented traffic, e.g. 8-byte IP fragments; one should add "or (ip[6:2] & 0x1fff != 0)" at the end of the filter to process reassembled packets. Default value: NULL
- promisc
- If non-zero, libnids will set the interface(s) it listens on to promiscuous mode. Default value: 1
- one_loop_less
- Disabled by default; see comments in API.html file
- pcap_timeout
- Sets the pcap read timeout, which may or may not be supported by your platform. Default value: 1024.
- multiproc
- If nonzero, creates a separate thread for packets processing. See API.html. Default value: 0.
- queue_limit
- If multiproc is nonzero, this is the maximum number of packets queued in the thread which reads packets from libpcap. Default value: 20000
- tcp_workarounds
- Enables extra checks for faulty implementations of TCP such as the ones which allow connections to be closed despite the fact that there should be retransmissions for lost packets first (as stated by RFC 793, section 3.5). If non-zero, libnids will set the NIDS_TIMED_OUT state for savagely closed connections. Default value: 0
- pcap_desc
- It this variable is set, libnids will call neither pcap_open_live nor pcap_open_offline, but will use a pre-opened PCAP descriptor; use this with nids_pcap_handler() in order to interactively feed packets to libnids. Default value: NULL
struct tcp_stream { struct tuple4 { u_short source; u_short dest; u_int saddr; u_int daddr; } addr; char nids_state; struct half_stream { char state; char collect; char collect_urg; char *data; u_char urgdata; int count; int offset; int count_new; char count_new_urg; ... } client; struct half_stream server; ... void *user; };The members of the tuple4 structure identify a unique TCP connection:
- source, dest
- Client and server port numbers
- saddr, daddr
- Client and server IP addresses
- state
- Socket state (e.g. TCP_ESTABLISHED).
- collect
- A boolean which specifies whether to collect data for this half of the connection in the data buffer.
- collect_urg
- A boolean which specifies whether to collect urgent data pointed to by the TCP urgent pointer for this half of the connection in the urgdata buffer.
- data
- Buffer for normal data.
- urgdata
- One-byte buffer for urgent data.
- count
- The number of bytes appended to data since the creation of the connection.
- offset
- The current offset from the first byte stored in the data buffer, identifying the start of newly received data.
- count_new
- The number of bytes appended to data since the last invocation of the TCP callback function (if 0, no new data arrived).
- count_new_urg
- The number of bytes appended to urgdata since the last invocation of the TCP callback function (if 0, no new urgent data arrived).
- NIDS_JUST_EST
- Connection just established. Connection parameters in the addr structure are available for inspection. If the connection is interesting, the TCP callback function may specify which data it wishes to receive in the future by setting non-zero values for the collect or collect_urg variables in the appropriate client or server half_stream structure members.
- NIDS_DATA
- New data has arrived on a connection. The half_stream structures contain buffers of data.
- NIDS_CLOSE, NIDS_RESET, NIDS_TIMED_OUT
- Connection has closed. The TCP callback function should free any resources it may have allocated for this connection.
struct nids_chksum_ctl { u_int netaddr; u_int mask; u_int action; /* private members */ };Internal checksumming functions will first check elements of this array one by one, and if the source ip SRCIP of the current packet satisfies condition
(SRCIP&chksum_ctl_array[i].mask)==chksum_ctl_array[i].netaddr