File: params.h

/*
 * Configurable compile-time parameters for scanlogd.
 *
 * Every knob here is a preprocessor macro, so changing any of them means
 * rebuilding scanlogd; nothing in this header is read at run time.
 */

/*
 * NOTE(review): identifiers that begin with an underscore followed by an
 * uppercase letter are reserved for the implementation (C11 7.1.3). A
 * guard such as SCANLOGD_PARAMS_H would avoid any clash with libc.
 */
#ifndef _SCANLOGD_PARAMS_H
#define _SCANLOGD_PARAMS_H

#include <time.h>	/* CLK_TCK, used by the *_DELAY_THRESHOLD macros */
#include <syslog.h>	/* LOG_DAEMON / LOG_ALERT, used by the SYSLOG_* macros */

/*
 * An unprivileged dummy user to run as. The user and its UID must not be
 * used for any other purpose (that is, don't use "nobody" here). You can
 * #undef this to let scanlogd run as root, but I recommend against doing
 * so.
 *
 * Presumably the daemon switches to this account after acquiring its
 * capture socket (verify in the .c file); a dedicated UID means that a
 * compromise of scanlogd grants access to nothing owned by another
 * service, which is exactly what sharing "nobody" would undo.
 */
#define SCANLOGD_USER			"scanlogd"

/*
 * Device to monitor, if you're using libnids or libpcap directly. #undef
 * this either if you're using the raw socket interface on Linux instead,
 * or if you'd like to let libpcap autodetect this for you.
 */
#undef SCANLOGD_DEVICE

/*
 * Whether we want scanlogd to set the device into promiscuous mode, for
 * use with libpcap. 0 keeps the interface in its normal mode; only
 * packets addressed to this host are then seen.
 */
#define SCANLOGD_PROMISC		0

/*
 * High port numbers have a lower weight to reduce the frequency of false
 * positives, such as from passive mode FTP transfers.
 *
 * These weights are also what SCAN_MAX_COUNT below is derived from, so
 * changing PORT_WEIGHT_PRIV changes the scan threshold as well.
 */
#define PORT_WEIGHT_PRIV		3
#define PORT_WEIGHT_HIGH		1

/*
 * Port scan detection thresholds: at least COUNT ports need to be scanned
 * from the same source, with no longer than DELAY ticks between ports.
 *
 * With the defaults, SCAN_WEIGHT_THRESHOLD is 7 * 3 = 21 weight units,
 * i.e. 7 privileged ports, 21 high ports, or any mix adding up to 21.
 *
 * NOTE(review): CLK_TCK (clock ticks per second) is obsolescent in POSIX
 * and modern libcs may only expose it under legacy feature macros;
 * sysconf(_SC_CLK_TCK) is the portable replacement. Whether the value is
 * in ticks matches how the .c file timestamps packets -- confirm there.
 */
#define SCAN_MIN_COUNT			7
#define SCAN_MAX_COUNT			(SCAN_MIN_COUNT * PORT_WEIGHT_PRIV)
#define SCAN_WEIGHT_THRESHOLD		SCAN_MAX_COUNT
#define SCAN_DELAY_THRESHOLD		(CLK_TCK * 3)

/*
 * Log flood detection thresholds: temporarily stop logging if more than
 * COUNT port scans are detected with no longer than DELAY between them.
 *
 * This is what keeps a noisy scanner from filling syslog; the flip side,
 * as stated above, is that scans detected while logging is paused are
 * not recorded at all. Tune with that trade-off in mind.
 */
#define LOG_COUNT_THRESHOLD		5
#define LOG_DELAY_THRESHOLD		(CLK_TCK * 20)

/*
 * Log line length limit, such as to fit into one SMS message. #undef this
 * for no limit.
 *
 * 160 is the SMS payload size; the 40 is headroom, presumably for the
 * syslog prefix (timestamp, host, ident). Which detail gets cut when a
 * line exceeds this is decided by the formatting code in the .c file.
 */
#define LOG_MAX_LENGTH			(160 - 40)

/*
 * You might want to adjust these for using your tiny append-only log file.
 * Ident, facility and priority handed to syslog(3).
 */
#define SYSLOG_IDENT			"scanlogd"
#define SYSLOG_FACILITY			LOG_DAEMON
#define SYSLOG_LEVEL			LOG_ALERT

/*
 * librlog ident, don't ask me what this is for now. ;-)
 * Only defined when building with USE_RLOG; reuses the syslog ident.
 */
#ifdef USE_RLOG
#define RLOG_ID				SYSLOG_IDENT
#endif

/*
 * Keep track of up to LIST_SIZE source addresses, using a hash table of
 * HASH_SIZE entries for faster lookups, but limiting hash collisions to
 * HASH_MAX source addresses per the same hash value.
 *
 * Defaults: 256 tracked sources, 512 hash buckets, at most 16 sources
 * per bucket. Source addresses are chosen by the remote side, so the
 * fixed LIST_SIZE and the HASH_MAX cap are what keep memory use and
 * per-lookup cost bounded no matter how many distinct sources appear;
 * what happens when the list is full (which entry is evicted) lives in
 * the .c file -- verify there before tuning these.
 */
#define LIST_SIZE			0x100
#define HASH_LOG			9
#define HASH_SIZE			(1 << HASH_LOG)
#define HASH_MAX			0x10

#endif