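/*
 * Configurable compile-time parameters for scanlogd.
 *
 * Everything here is fixed at build time; there is no run-time
 * configuration file.  Most settings trade detection sensitivity against
 * false positives, or bound how much state and log output a remote party
 * can make the daemon produce.  Review the LOG_* and LIST/HASH limits
 * together: both are resource caps that an attacker can deliberately hit.
 *
 * The include guard deliberately avoids a leading underscore followed by
 * an uppercase letter, since such identifiers are reserved for the
 * implementation (C99 7.1.3).
 */

#ifndef SCANLOGD_PARAMS_H
#define SCANLOGD_PARAMS_H

#include <time.h>
#include <syslog.h>

/*
 * An unprivileged dummy user to run as.  scanlogd parses packets it
 * receives from the network, so it drops privileges to this user to limit
 * the damage if that parsing is ever exploited.  The user and its UID must
 * not be used for any other purpose (that is, don't use "nobody" here): a
 * UID shared with other services would let a compromised scanlogd
 * interfere with them (signals, ptrace, files they own), and vice versa.
 * You can #undef this to let scanlogd run as root, but I recommend against
 * doing so.
 */
#define SCANLOGD_USER			"scanlogd"

/*
 * An empty directory to chroot to.  The directory and its parent
 * directories must not be writable by anyone but root: a chroot that the
 * unprivileged user can write into is far easier to escape from or abuse
 * (planting files, creating hard links, filling the filesystem).  Keep it
 * empty so a compromised process has nothing to read or execute either.
 */
#define SCANLOGD_CHROOT			"/var/run/scanlogd"

/*
 * Device to monitor, if you're using libnids or libpcap directly. #undef
 * this either if you're using the raw socket interface on Linux instead,
 * or if you'd like to let libpcap autodetect this for you.
 *
 * Recent versions of libpcap support magic device name "any" and recent
 * libnids supports magic device name "all".
 */
#undef SCANLOGD_DEVICE

/*
 * Whether we want scanlogd to set the device into promiscuous mode, for
 * use with libpcap.  Enabling this makes scanlogd see (and report on)
 * traffic addressed to other hosts on the segment, not just this one, so
 * only turn it on if that is what you want logged.
 */
#define SCANLOGD_PROMISC		0

/*
 * The libpcap filter expression to use when scanlogd is built with libnids
 * or direct libpcap support.  The intent is to reduce CPU load by hopefully
 * filtering out most of the uninteresting packets at the kernel level if
 * supported by libpcap on a given platform; where the kernel cannot apply
 * it, libpcap filters in user space and the CPU saving is lost.
 *
 * tcp[13] is the TCP flags byte (FIN 0x01, SYN 0x02, RST 0x04, PSH 0x08,
 * ACK 0x10, URG 0x20).  Dropping packets whose flags are exactly ACK
 * (0x10) or PSH|ACK (0x18) discards the bulk of established-session
 * traffic while keeping SYN, SYN|ACK, FIN, RST and the odd flag
 * combinations that stealth scans use.  ip[6:2] & 0x3fff is the IPv4
 * "more fragments" bit plus the 13-bit fragment offset; letting every
 * fragment through ensures fragmented probes are not silently discarded
 * before the daemon sees them.  Note the fragment clause is IPv4-only.
 *
 * This filter is a performance aid, not a security boundary; scanlogd.c
 * presumably makes the final per-packet decision itself (not visible here).
 */
#define SCANLOGD_PCAP_FILTER \
	"tcp and " \
	"((tcp[13] != 0x10 and tcp[13] != 0x18) or ip[6:2] & 0x3fff != 0)"

/*
 * High port numbers have a lower weight to reduce the frequency of false
 * positives, such as from passive mode FTP transfers.  Each distinct port
 * seen from a source contributes one of these weights towards
 * SCAN_WEIGHT_THRESHOLD, so privileged ports are "worth" three high ones.
 */
#define PORT_WEIGHT_PRIV		3
#define PORT_WEIGHT_HIGH		1

/*
 * Port scan detection thresholds: at least COUNT ports need to be scanned
 * from the same source, with no longer than DELAY ticks between ports.
 *
 * With the weights above, SCAN_WEIGHT_THRESHOLD (21) is reached by 7
 * privileged ports, 21 high ports, or any mix in between.  Raising it
 * reduces false positives; lowering it catches slower or smaller scans.
 *
 * SCAN_DELAY_THRESHOLD is three seconds expressed in clock ticks.  CLK_TCK
 * is obsolescent and not defined by modern POSIX (nor under strict ANSI
 * modes); it must expand to the same tick rate as the clock the daemon
 * compares against, i.e. sysconf(_SC_CLK_TCK) for times() -- TODO confirm
 * against scanlogd.c on the target platform.  A scanner that spaces probes
 * more than DELAY apart evades detection by design.
 */
#define SCAN_MIN_COUNT			7
#define SCAN_MAX_COUNT			(SCAN_MIN_COUNT * PORT_WEIGHT_PRIV)
#define SCAN_WEIGHT_THRESHOLD		SCAN_MAX_COUNT
#define SCAN_DELAY_THRESHOLD		(CLK_TCK * 3)

/*
 * Log flood detection thresholds: temporarily stop logging if more than
 * COUNT port scans are detected with no longer than DELAY between them.
 *
 * This protects syslog and the disk from being flooded, but it is also a
 * blind spot: a burst of more than COUNT scans (e.g. from spoofed sources)
 * presumably suppresses reporting of whatever follows inside the DELAY
 * window.  Treat a "flood" message as an event worth investigating rather
 * than as noise.  DELAY is in the same clock ticks as SCAN_DELAY_THRESHOLD.
 */
#define LOG_COUNT_THRESHOLD		5
#define LOG_DELAY_THRESHOLD		(CLK_TCK * 20)

/*
 * Log line length limit, such as to fit into one SMS message. #undef this
 * for no limit.  160 is the SMS payload; 40 is left for the syslog prefix.
 * Anything beyond the limit (typically the tail of the port list) is lost
 * from the log, so check that the truncated form still carries the source
 * address if downstream tooling parses these lines.
 */
#define LOG_MAX_LENGTH			(160 - 40)

/*
 * You might want to adjust these for using your tiny append-only log file.
 * LOG_ALERT is used so the messages are routed like other high-severity
 * events; an attacker who can tamper with local syslog can also tamper
 * with these, so forwarding to a remote or append-only destination is
 * what makes the record trustworthy.
 */
#define SYSLOG_IDENT			"scanlogd"
#define SYSLOG_FACILITY			LOG_DAEMON
#define SYSLOG_LEVEL			LOG_ALERT

/*
 * Keep track of up to LIST_SIZE source addresses, using a hash table of
 * HASH_SIZE entries for faster lookups, but limiting hash collisions to
 * HASH_MAX source addresses per the same hash value.
 *
 * These are hard caps on memory and on per-lookup work, which is what
 * keeps a flood of spoofed sources from exhausting the daemon.  The flip
 * side is that only 256 sources are remembered at once, so a scanner that
 * interleaves its probes with traffic from many other addresses may have
 * its state evicted before the threshold is reached -- the exact eviction
 * policy lives in scanlogd.c and is not visible here.
 */
#define LIST_SIZE			0x100
#define HASH_LOG			9
#define HASH_SIZE			(1 << HASH_LOG)
#define HASH_MAX			0x10

#endif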