/*
 * Configurable compile-time parameters for scanlogd.
 *
 * Everything in this file is a build-time knob (plain #defines); changing a
 * value means rebuilding scanlogd. The security-relevant settings are the
 * privilege-separation ones (SCANLOGD_USER, SCANLOGD_CHROOT) and the
 * detection thresholds, which trade false positives against evasion by
 * slow or low-volume scanners.
 */
/*
 * NOTE(review): identifiers that begin with an underscore followed by an
 * uppercase letter are reserved for the implementation (C11 7.1.3), so this
 * include guard technically lives in the reserved namespace. The conforming
 * spelling would be SCANLOGD_PARAMS_H; it is left unchanged here so nothing
 * that may test for the existing name breaks.
 */
#ifndef _SCANLOGD_PARAMS_H
#define _SCANLOGD_PARAMS_H
/*
 * <syslog.h> provides LOG_DAEMON and LOG_ALERT used by the SYSLOG_* macros
 * below. Nothing in this header itself needs <time.h>; presumably it is
 * included for the users of the *_DELAY_THRESHOLD values -- TODO confirm.
 */
#include <time.h>
#include <syslog.h>
/*
 * An unprivileged dummy user to run as. The user and its UID must not be
 * used for any other purpose (that is, don't use "nobody" here). You can
 * #undef this to let scanlogd run as root, but this is not recommended.
 *
 * Rationale: scanlogd processes packets sent by arbitrary remote hosts, so
 * it should hold no privilege it does not need. A dedicated UID means a
 * compromise of scanlogd cannot be used to interfere with (or be interfered
 * with by) other processes sharing a catch-all account such as "nobody".
 * The account must exist at run time; how scanlogd behaves when the lookup
 * fails is decided in the daemon code, not here.
 */
#define SCANLOGD_USER "scanlogd"
/*
 * An empty root-owned directory to chroot to. THE DIRECTORY AND ITS PARENT
 * DIRECTORIES MUST NOT BE WRITABLE BY ANYONE BUT ROOT.
 *
 * A chroot directory that the jailed (or any unprivileged) user can write
 * to defeats the purpose: creating files or hard links inside the jail is
 * the classic way to escape it or to confuse privileged programs that later
 * look inside. Keep the directory empty, as required above, and make sure
 * it exists before scanlogd starts -- nothing here creates it.
 */
#define SCANLOGD_CHROOT "/var/empty"
/*
 * Device to monitor, if you're using libnids or libpcap directly. #undef
 * this either if you're using the raw socket interface on Linux instead,
 * or if you'd like to let libpcap autodetect this for you.
 *
 * Recent versions of libpcap support magic device name "any" and recent
 * libnids supports magic device name "all".
 *
 * Leaving this #undef'd hands the choice to libpcap, which typically picks
 * the first non-loopback interface it finds; on multi-homed hosts that may
 * not be the interface exposed to the untrusted network, so set it
 * explicitly (or use "any"/"all") in such deployments. Note that libpcap
 * reportedly does not honour promiscuous mode on the "any" pseudo-device.
 */
#undef SCANLOGD_DEVICE
/*
 * Whether we want scanlogd to set the device into promiscuous mode, for
 * use with libpcap.
 *
 * 0 (the default) captures only what the NIC delivers anyway (unicast to
 * this host, broadcast and multicast), which is all a host-based port scan
 * detector needs. Set it to 1 only if scanlogd is meant to watch for scans
 * of *other* hosts on the same segment (e.g. behind a span/mirror port);
 * this increases packet volume and CPU load and leaves the interface in a
 * promiscuous state that is visible to the OS and to local monitoring.
 */
#define SCANLOGD_PROMISC 0
/*
 * The libpcap filter expression to use when scanlogd is built with libnids
 * or direct libpcap support. The intent is to reduce CPU load by hopefully
 * filtering out most of the uninteresting packets at the kernel level if
 * supported by libpcap on a given platform.
 *
 * Reading the expression: tcp[13] is the TCP flags byte, so the first
 * clause drops segments whose flags are exactly ACK (0x10) or PSH|ACK
 * (0x18) -- the bulk of established-connection traffic -- and keeps every
 * other combination (SYN, SYN|ACK, FIN, RST, NULL, "Xmas", ...) a scanner
 * might send. ip[6:2] & 0x3fff is the IP "more fragments" bit plus the
 * fragment offset, so the second clause lets all fragments through
 * regardless of flags: non-first fragments carry no TCP header, and a
 * scanner may fragment probes precisely to dodge flag-based filters.
 *
 * Consequence worth knowing: in a libnids/libpcap build, unfragmented
 * probes consisting only of ACK or PSH|ACK segments (e.g. an "ACK scan")
 * never reach scanlogd and therefore cannot be detected. This is a CPU
 * optimization, not a security boundary; whether it runs in the kernel or
 * in libpcap's user-space fallback depends on the platform.
 */
#define SCANLOGD_PCAP_FILTER \
"tcp and " \
"((tcp[13] != 0x10 and tcp[13] != 0x18) or ip[6:2] & 0x3fff != 0)"
/*
 * High port numbers have a lower weight to reduce the frequency of false
 * positives, such as from passive mode FTP transfers.
 *
 * Presumably each probed port adds its weight to a per-source score that is
 * compared against SCAN_WEIGHT_THRESHOLD below (see the daemon code), with
 * "PRIV" meaning the privileged range (< 1024) -- TODO confirm there. With
 * these defaults a privileged port counts three times as much as a high
 * port. Lowering PORT_WEIGHT_HIGH towards 0 makes scans confined to high
 * ports invisible; raising it increases false positives from passive FTP
 * and similar legitimate high-port traffic.
 */
#define PORT_WEIGHT_PRIV 3
#define PORT_WEIGHT_HIGH 1
/*
 * Port scan detection thresholds: at least COUNT ports need to be scanned
 * from the same source, with no longer than DELAY seconds between ports.
 *
 * SCAN_MAX_COUNT and SCAN_WEIGHT_THRESHOLD are derived from SCAN_MIN_COUNT:
 * with the default weights, seven privileged ports (7 * 3 = 21) reach the
 * weight threshold, whereas 21 high ports are needed for the same score.
 * Change SCAN_MIN_COUNT rather than the derived values. Tuning guidance:
 * lower values catch more but raise the false-positive rate; higher values
 * and, above all, a short SCAN_DELAY_THRESHOLD are what a patient scanner
 * exploits -- a source that spaces its probes more than 3 seconds apart
 * (as the slow timing templates of common scanners do) is not detected
 * under these defaults.
 */
#define SCAN_MIN_COUNT 7
#define SCAN_MAX_COUNT (SCAN_MIN_COUNT * PORT_WEIGHT_PRIV)
#define SCAN_WEIGHT_THRESHOLD SCAN_MAX_COUNT
#define SCAN_DELAY_THRESHOLD 3
/*
 * Log flood detection thresholds: temporarily stop logging if more than
 * COUNT port scans are detected with no longer than DELAY seconds between
 * them.
 *
 * This protects syslog (and anything that pages on LOG_ALERT) from being
 * flooded by a noisy scanner. The flip side is that it is itself a
 * suppression vector: a source that triggers more than LOG_COUNT_THRESHOLD
 * detections within LOG_DELAY_THRESHOLD seconds -- or several spoofed
 * sources doing so together -- silences further reports for a while, so a
 * genuine scan inside that window may go unlogged. The exact recovery
 * behaviour is in the daemon code; do not treat a burst of detections
 * followed by silence as "the scan stopped".
 */
#define LOG_COUNT_THRESHOLD 5
#define LOG_DELAY_THRESHOLD 20
/*
 * Log line length limit, such as to fit into one SMS message. #undef this
 * for no limit.
 *
 * 160 is the single-SMS character budget; the 40 subtracted is presumably
 * headroom for what syslog prepends (timestamp, host, ident). Lines over
 * the limit are presumably truncated, so with a low limit the tail of a
 * long port list is lost from the record; raise or #undef this where log
 * completeness matters more than pager-friendliness.
 */
#define LOG_MAX_LENGTH (160 - 40)
/*
 * You might want to adjust these for using your tiny append-only log file.
 *
 * IDENT is the tag on each message, FACILITY selects the syslog stream and
 * LEVEL its priority. LOG_ALERT is a high priority, which keeps these
 * messages from drowning in routine daemon output and makes it easy for
 * the syslog configuration to route them to a separate append-only or
 * remote destination that a local intruder cannot quietly edit.
 */
#define SYSLOG_IDENT "scanlogd"
#define SYSLOG_FACILITY LOG_DAEMON
#define SYSLOG_LEVEL LOG_ALERT
/*
 * Keep track of up to LIST_SIZE source addresses, using a hash table of
 * HASH_SIZE entries for faster lookups, but limiting hash collisions to
 * HASH_MAX source addresses per the same hash value.
 *
 * Defaults: 256 tracked sources, 512 buckets, at most 16 entries per
 * bucket. HASH_SIZE is derived from HASH_LOG (a power of two), so change
 * HASH_LOG, not HASH_SIZE. These bounds cap memory and per-packet work at
 * compile time; the corollary is that tracking state is finite, and a
 * flood of packets from many (possibly spoofed) source addresses can push
 * a real scanner out of the table before it reaches the threshold. Which
 * entry gets replaced is decided in the daemon code -- TODO confirm there
 * before relying on the defaults in a hostile environment.
 */
#define LIST_SIZE 0x100
#define HASH_LOG 9
#define HASH_SIZE (1 << HASH_LOG)
#define HASH_MAX 0x10
#endif /* _SCANLOGD_PARAMS_H */