Merge local and dev trees

2015-03-15 21:00:01 +03:00 · 2015-03-15 21:00:01 +03:00 · 649cb3297b
commit 649cb3297b
parent 0d7493dfad 42c7e49043
17 changed files with 70 additions and 46 deletions
--- a/3
+++ b/3
@ -1,3 +0,0 @@
-12 march 2014
- Add vlan untagging
- Add PF_RING support
--- a/README.md
+++ b/README.md
@ -10,10 +10,10 @@ What can we do? We can detect hosts in our own network with a large amount of pa

 Why did we write this? Because we can't find any software for solving this problem in the open source world! 

- [Install manual for any Linux](INSTALL.md)
- [Install manual for FreeBSD](FreeBSD_INSTALL.md)
- [Install manual for Mac OS X](MAC_OS_INSTALL.md)
- [Install manual for Slackware](SLACKWARE_INSTALL.md)
+- [Install manual for any Linux](docs/INSTALL.md)
+- [Install manual for FreeBSD](docs/FreeBSD_INSTALL.md)
+- [Install manual for Mac OS X](docs/MAC_OS_INSTALL.md)
+- [Install manual for Slackware](docs/SLACKWARE_INSTALL.md)

 [![Build Status](https://travis-ci.org/FastVPSEestiOu/fastnetmon.svg?branch=master)](https://travis-ci.org/FastVPSEestiOu/fastnetmon) [![Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/FastVPSEestiOu/fastnetmon?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)

--- a/THANKS.md
+++ b/THANKS.md
@ -7,3 +7,4 @@ Thanks file! For all peoples which helped this project :)
 - Martin Stoyanov for guides for Slackware
 - Andreas Begemann for debugging issue https://github.com/FastVPSEestiOu/fastnetmon/issues/90
 - t0ly for VM's with FreebSD 9, 10, 11
+- Cojacfar / https://github.com/Cojacfar help with documentation transaltion! 
--- a/docs/BUILDING_FREEBSD_KERNEL_FOR_NETMAP.md
+++ b/docs/BUILDING_FREEBSD_KERNEL_FOR_NETMAP.md
--- a/docs/FINE_TUNING.md
+++ b/docs/FINE_TUNING.md
--- a/docs/FreeBSD_INSTALL.md
+++ b/docs/FreeBSD_INSTALL.md
--- a/docs/INSTALL.md
+++ b/docs/INSTALL.md
@ -3,7 +3,7 @@ For Debian 6, 7 and CentOS 6 and 7 you should use the automatic installer:
 wget https://raw.githubusercontent.com/FastVPSEestiOu/fastnetmon/master/fastnetmon_install.pl
 perl fastnetmon_install.pl
 ```
-If you want to use netmap module, please install it: [netmap install](docs/NETMAP_INSTALL.md) 
+If you want to use netmap module, please install it: [netmap install](NETMAP_INSTALL.md) 

 It's REQUIRED to add all of your networks in CIDR notation (11.22.33.0/24) to the file /etc/networks_list in the form of one prefix per line. If you are running this software on an OpenVZ node, you may not need to specify networks explicitly, as we can read them from /proc/vz/veip.

--- a/docs/MAC_OS_INSTALL.md
+++ b/docs/MAC_OS_INSTALL.md
--- a/docs/MANUAL_INSTALL.md
+++ b/docs/MANUAL_INSTALL.md
--- a/docs/NETFLOW_DISADVANTAGES.md
+++ b/docs/NETFLOW_DISADVANTAGES.md
--- a/docs/SLACKWARE_INSTALL.md
+++ b/docs/SLACKWARE_INSTALL.md
--- a/docs/reset_redis_stats
+++ b/docs/reset_redis_stats
--- a/fastnetmon.cpp
+++ b/fastnetmon.cpp
@ -360,6 +360,7 @@ bool process_outgoing_traffic = true;
 void block_all_traffic_with_82599_hardware_filtering(std::string client_ip_as_string);
 #endif

+bool we_should_ban_this_ip(map_element* current_average_speed_element);
 std::string get_net_address_from_network_as_string(std::string network_cidr_format);
 unsigned int get_max_used_protocol(uint64_t tcp, uint64_t udp, uint64_t icmp);
 std::string get_printable_protocol_name(unsigned int protocol);
@ -384,7 +385,7 @@ std::string convert_timeval_to_date(struct timeval tv);
 void free_up_all_resources();
 unsigned int get_cidr_mask_from_network_as_string(std::string network_cidr_format);
 std::string print_ddos_attack_details();
-void execute_ip_ban(uint32_t client_ip, map_element new_speed_element, uint64_t in_pps, uint64_t out_pps, uint64_t in_bps, uint64_t out_bps, uint64_t in_flows, uint64_t out_flows, std::string flow_attack_details);
+void execute_ip_ban(uint32_t client_ip, map_element new_speed_element, map_element current_speed_element, std::string flow_attack_details);
 direction get_packet_direction(uint32_t src_ip, uint32_t dst_ip, unsigned long& subnet);
 void recalculate_speed();
 std::string print_channel_speed(std::string traffic_type, direction packet_direction);
@ -1545,36 +1546,9 @@ void recalculate_speed() {
            current_average_speed_element->in_flows = uint64_t(new_speed_element.in_flows + exp_value *
                ((double)current_average_speed_element->in_flows -  (double)new_speed_element.in_flows));

-            uint64_t in_pps_average  = current_average_speed_element->in_packets;
-            uint64_t out_pps_average = current_average_speed_element->out_packets;
-
-            uint64_t in_bps_average  = current_average_speed_element->in_bytes;
-            uint64_t out_bps_average = current_average_speed_element->out_bytes; 
-
-            uint64_t in_flows_average  = current_average_speed_element->in_flows;
-            uint64_t out_flows_average = current_average_speed_element->out_flows;
-
            /* Moving average recalculation end */

-            // we detect overspeed by packets
-            bool attack_detected_by_pps = false;
-            bool attack_detected_by_bandwidth = false;
-            bool attack_detected_by_flow = false;
-
-            if (enable_ban_for_pps && (in_pps_average > ban_threshold_pps or out_pps_average > ban_threshold_pps)) {
-                attack_detected_by_pps = true;
-            }
-
-            // we detect overspeed by bandwidth
-            if (enable_ban_for_bandwidth && (convert_speed_to_mbps(in_bps_average) > ban_threshold_mbps or convert_speed_to_mbps(out_bps_average) > ban_threshold_mbps)) {
-                attack_detected_by_bandwidth = true;
-            }
-
-            if (enable_ban_for_flows_per_second && (in_flows_average > ban_threshold_flows or out_flows_average > ban_threshold_flows)) {
-                attack_detected_by_flow = true; 
-            } 
-
-            if (attack_detected_by_pps or attack_detected_by_bandwidth or attack_detected_by_flow) {
+            if (we_should_ban_this_ip(current_average_speed_element)) {
                std::string flow_attack_details = "";
                
                if (enable_conection_tracking) {
@ -1582,7 +1556,7 @@ void recalculate_speed() {
                }
        
                // TODO: we should pass type of ddos ban source (pps, flowd, bandwidth)!
-                execute_ip_ban(client_ip, new_speed_element, in_pps_average, out_pps_average, in_bps_average, out_bps_average, in_flows_average, out_flows_average, flow_attack_details);
+                execute_ip_ban(client_ip, new_speed_element, *current_average_speed_element, flow_attack_details);
            }
    
            speed_counters_mutex.lock();
@ -2010,10 +1984,17 @@ unsigned int get_max_used_protocol(uint64_t tcp, uint64_t udp, uint64_t icmp) {
    return 0;
 }

-void execute_ip_ban(uint32_t client_ip, map_element speed_element, uint64_t in_pps, uint64_t out_pps, uint64_t in_bps, uint64_t out_bps, uint64_t in_flows, uint64_t out_flows, std::string flow_attack_details) {
+void execute_ip_ban(uint32_t client_ip, map_element speed_element, map_element average_speed_element, std::string flow_attack_details) {
    struct attack_details current_attack;
    uint64_t pps = 0;

+    uint64_t in_pps = average_speed_element.in_packets; 
+    uint64_t out_pps = average_speed_element.out_packets;
+    uint64_t in_bps = average_speed_element.in_bytes;
+    uint64_t out_bps = average_speed_element.out_bytes;
+    uint64_t in_flows = average_speed_element.in_flows;
+    uint64_t out_flows = average_speed_element.out_flows;
+
    direction data_direction;

    if (!we_do_real_ban) {
@ -2736,4 +2717,33 @@ void print_attack_details_to_file(std::string details, std::string client_ip_as_
    }    
 }

+// Return true when we should ban this IP
+bool we_should_ban_this_ip(map_element* average_speed_element) {
+    uint64_t in_pps_average  = average_speed_element->in_packets;
+    uint64_t out_pps_average = average_speed_element->out_packets;

+    uint64_t in_bps_average  = average_speed_element->in_bytes;
+    uint64_t out_bps_average = average_speed_element->out_bytes; 
+
+    uint64_t in_flows_average  = average_speed_element->in_flows;
+    uint64_t out_flows_average = average_speed_element->out_flows;
+
+    // we detect overspeed by packets
+    bool attack_detected_by_pps = false;
+    bool attack_detected_by_bandwidth = false;
+    bool attack_detected_by_flow = false;
+    if (enable_ban_for_pps && (in_pps_average > ban_threshold_pps or out_pps_average > ban_threshold_pps)) {
+        attack_detected_by_pps = true;
+    }    
+
+    // we detect overspeed by bandwidth
+    if (enable_ban_for_bandwidth && (convert_speed_to_mbps(in_bps_average) > ban_threshold_mbps or convert_speed_to_mbps(out_bps_average) > ban_threshold_mbps)) {
+        attack_detected_by_bandwidth = true;
+    }
+
+    if (enable_ban_for_flows_per_second && (in_flows_average > ban_threshold_flows or out_flows_average > ban_threshold_flows)) {
+        attack_detected_by_flow = true;
+    }
+
+    return attack_detected_by_pps or attack_detected_by_bandwidth or attack_detected_by_flow;
+}
--- a/netmap_plugin/netmap_collector.cpp
+++ b/netmap_plugin/netmap_collector.cpp
@ -8,6 +8,8 @@
 #include "log4cpp/PatternLayout.hh"
 #include "log4cpp/Priority.hh"

+#include <boost/algorithm/string.hpp>
+
 // For support uint32_t, uint16_t
 #include <sys/types.h>

@ -48,8 +50,6 @@ extern uint64_t total_unparsed_packets;
 // Global configuration map 
 extern std::map<std::string, std::string> configuration_map;

-std::string interface_for_listening = "";
-
 // This variable name should be uniq for every plugin!
 process_packet_pointer netmap_process_func_ptr = NULL;

@ -114,7 +114,7 @@ void consume_pkt(u_char* buffer, int len) {
    }
 }

-void receiver(void) {
+void receiver(std::string interface_for_listening) {
    struct  nm_desc *netmap_descriptor;

    u_int num_cpus = sysconf( _SC_NPROCESSORS_ONLN );
@ -238,12 +238,28 @@ void start_netmap_collection(process_packet_pointer func_ptr) {
    logger<< log4cpp::Priority::INFO<<"Netmap plugin started";
    netmap_process_func_ptr = func_ptr;

+    std::string interfaces_list = "";
+
    if (configuration_map.count("interfaces") != 0) {
-        interface_for_listening = configuration_map[ "interfaces" ];
+        interfaces_list = configuration_map[ "interfaces" ];
    }

-    logger<< log4cpp::Priority::INFO<<"netmap will sniff interface: "<<interface_for_listening;
+    std::vector<std::string> interfaces_for_listen; 
+    boost::split( interfaces_for_listen, interfaces_list, boost::is_any_of(","), boost::token_compress_on );

-    boost::thread netmap_plugin_main_thread(receiver);
-    netmap_plugin_main_thread.join();
+    logger<< log4cpp::Priority::INFO<<"netmap will listen on "<<interfaces_for_listen.size()<<" interfaces";
+
+    boost::thread* netmap_main_threads[ interfaces_for_listen.size() ];
+
+    unsigned int threads_index = 0;
+
+    for (std::vector<std::string>::iterator interface = interfaces_for_listen.begin();
+        interface != interfaces_for_listen.end(); ++interface) {
+        logger<< log4cpp::Priority::INFO<<"netmap will sniff interface: "<<*interface;
+        netmap_main_threads[ threads_index++ ] = new boost::thread(receiver, *interface);
+    }
+
+    for (int thread_id = 0; thread_id < interfaces_for_listen.size(); thread_id++) {
+        netmap_main_threads[thread_id]->join();
+    }
 }
--- a/syn_umbrella/build_syn_umbrella.sh
+++ b/syn_umbrella/build_syn_umbrella.sh
--- a/syn_umbrella/syn_umbrella.cpp
+++ b/syn_umbrella/syn_umbrella.cpp
--- a/tests/pfring_parser_zc_issue.c
+++ b/tests/pfring_parser_zc_issue.c