├── NEWS ├── makedocs ├── .gitmodules ├── thirdparty └── libsmee-2.2.2.tar.gz ├── docs ├── doxygen │ └── static │ │ ├── images │ │ ├── arch_diagram.png │ │ └── arch_diagram_xsmall.png │ │ ├── tutorials-ft.md │ │ ├── tutorials-tool.md │ │ ├── tutorials.md │ │ ├── footer_caida.html │ │ ├── footer.html │ │ ├── zchangelog.md │ │ ├── corsaro.bib │ │ ├── corsaro.md │ │ ├── aaaquickstart.md │ │ ├── header_caida.html │ │ ├── agoals.md │ │ └── fileformats.md └── Makefile.am ├── AUTHORS ├── generate_log.sh ├── tools ├── cors-ft-timeseries.pl ├── Makefile.am ├── cors-splitascii.pl ├── cors2ascii.c └── cors-trace2tuple.c ├── libcorsaro ├── plugins │ ├── corsaro_pcap.h │ ├── corsaro_smee.h │ ├── corsaro_tagstats.h │ ├── corsaro_filterbpf.h │ ├── corsaro_anon.h │ ├── corsaro_filtergeo.h │ ├── corsaro_filterpfx.h │ ├── libanon │ │ ├── Makefile.am │ │ ├── panon.h │ │ ├── corsaro_libanon.h │ │ ├── corsaro_libanon.c │ │ ├── rijndael.h │ │ └── panon.c │ ├── corsaro_ipmeta.h │ ├── Makefile.am │ ├── corsaro_dos.h │ ├── corsaro_pcap.c │ ├── corsaro_anon.c │ └── corsaro_tagstats.c ├── Makefile.am ├── corsaro_log.h ├── corsaro_log.c ├── corsaro_tag.c ├── corsaro_file.h └── corsaro_tag.h ├── .gitignore ├── ChangeLog ├── Makefile.am ├── m4 ├── ax_lib_socket_nsl.m4 └── ed_with_plugin.m4 ├── publish_docs.pl ├── README ├── libtrace-3.0.13-wandio_export.patch ├── README.md └── configure.ac /NEWS: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /makedocs: -------------------------------------------------------------------------------- 1 | cd docs; make clean; make; cd .. 2 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "common"] 2 | path = common 3 | url = git://github.com/alistairking/cc-common.git 4 | -------------------------------------------------------------------------------- /thirdparty/libsmee-2.2.2.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CAIDA/corsaro/HEAD/thirdparty/libsmee-2.2.2.tar.gz -------------------------------------------------------------------------------- /docs/doxygen/static/images/arch_diagram.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CAIDA/corsaro/HEAD/docs/doxygen/static/images/arch_diagram.png -------------------------------------------------------------------------------- /docs/doxygen/static/tutorials-ft.md: -------------------------------------------------------------------------------- 1 | Working with FlowTuple Data {#tutorials_ft} 2 | =========================== 3 | 4 | _Coming Soon!_ 5 | -------------------------------------------------------------------------------- /docs/doxygen/static/images/arch_diagram_xsmall.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CAIDA/corsaro/HEAD/docs/doxygen/static/images/arch_diagram_xsmall.png -------------------------------------------------------------------------------- /AUTHORS: -------------------------------------------------------------------------------- 1 | Alistair King initial versions of all files except 2 | functions noted in utils.c, utils.h, 3 | and corsaro_log.c 4 | -------------------------------------------------------------------------------- /docs/doxygen/static/tutorials-tool.md: -------------------------------------------------------------------------------- 1 | Using libcorsaro for Trace Analysis {#tutorials_tool} 2 | =================================== 3 | 4 | _Coming Soon!_ 5 | -------------------------------------------------------------------------------- /generate_log.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | #git --no-pager log --format="%ai %aN %n%n%x09* %s%d%n" > ChangeLog; 4 | 5 | cp docs/doxygen/static/zchangelog.md ChangeLog 6 | -------------------------------------------------------------------------------- /docs/doxygen/static/tutorials.md: -------------------------------------------------------------------------------- 1 | Tutorials {#tutorials} 2 | ========= 3 | 4 | The following are a collection of tutorials which step through common tasks when 5 | using and/or extending Corsaro. 6 | 7 | -# \subpage tutorials_plugin 8 | - Creating and implementing a new trace analysis plugin 9 | -# \subpage tutorials_ft 10 | - Performing analysis using \ref plugins_ft data 11 | -# \subpage tutorials_tool 12 | - Integrating Corsaro into an existing trace analysis tool 13 | -------------------------------------------------------------------------------- /tools/cors-ft-timeseries.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env perl 2 | 3 | use strict; 4 | 5 | my $sum; 6 | my $time; 7 | while(<>) 8 | { 9 | if(/CORSARO_INTERVAL_START/../CORSARO_INTERVAL_END/) 10 | { 11 | if(/CORSARO_INTERVAL_START\s+(\d+)\s+(\d+)/) 12 | { 13 | $time = $2; 14 | $sum = 0; 15 | } 16 | elsif(/CORSARO_INTERVAL_END/) 17 | { 18 | print "$time,$sum\n"; 19 | } 20 | else 21 | { 22 | my ($tuple, $val) = split(/,/); 23 | $sum+=$val; 24 | } 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /docs/doxygen/static/footer_caida.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 12 | 13 | 14 | 15 | -------------------------------------------------------------------------------- /docs/doxygen/static/footer.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 9 | 10 | 11 |
12 | Copyright © 2012 The Regents of the University of California. 13 |
14 | 15 | 16 | 17 | -------------------------------------------------------------------------------- /libcorsaro/plugins/corsaro_pcap.h: -------------------------------------------------------------------------------- 1 | /* 2 | * corsaro 3 | * 4 | * Alistair King, CAIDA, UC San Diego 5 | * corsaro-info@caida.org 6 | * 7 | * Copyright (C) 2012 The Regents of the University of California. 8 | * 9 | * This file is part of corsaro. 10 | * 11 | * corsaro is free software: you can redistribute it and/or modify 12 | * it under the terms of the GNU General Public License as published by 13 | * the Free Software Foundation, either version 3 of the License, or 14 | * (at your option) any later version. 15 | * 16 | * corsaro is distributed in the hope that it will be useful, 17 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 18 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 19 | * GNU General Public License for more details. 20 | * 21 | * You should have received a copy of the GNU General Public License 22 | * along with corsaro. If not, see . 23 | * 24 | */ 25 | 26 | 27 | #ifndef __CORSARO_PCAP_H 28 | #define __CORSARO_PCAP_H 29 | 30 | #include "corsaro_plugin.h" 31 | 32 | CORSARO_PLUGIN_GENERATE_PROTOS(corsaro_pcap) 33 | 34 | #endif /* __CORSARO_PCAP_H */ 35 | -------------------------------------------------------------------------------- /libcorsaro/plugins/corsaro_smee.h: -------------------------------------------------------------------------------- 1 | /* 2 | * corsaro 3 | * 4 | * Alistair King, CAIDA, UC San Diego 5 | * corsaro-info@caida.org 6 | * 7 | * Copyright (C) 2012 The Regents of the University of California. 8 | * 9 | * This file is part of corsaro. 10 | * 11 | * corsaro is free software: you can redistribute it and/or modify 12 | * it under the terms of the GNU General Public License as published by 13 | * the Free Software Foundation, either version 3 of the License, or 14 | * (at your option) any later version. 15 | * 16 | * corsaro is distributed in the hope that it will be useful, 17 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 18 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 19 | * GNU General Public License for more details. 20 | * 21 | * You should have received a copy of the GNU General Public License 22 | * along with corsaro. If not, see . 23 | * 24 | */ 25 | 26 | 27 | #ifndef __CORSARO_SMEE_H 28 | #define __CORSARO_SMEE_H 29 | 30 | #include "corsaro_plugin.h" 31 | 32 | CORSARO_PLUGIN_GENERATE_PROTOS(corsaro_smee) 33 | 34 | #endif /* __CORSARO_SMEE_H */ 35 | -------------------------------------------------------------------------------- /libcorsaro/plugins/corsaro_tagstats.h: -------------------------------------------------------------------------------- 1 | /* 2 | * corsaro 3 | * 4 | * Alistair King, CAIDA, UC San Diego 5 | * corsaro-info@caida.org 6 | * 7 | * Copyright (C) 2012 The Regents of the University of California. 8 | * 9 | * This file is part of corsaro. 10 | * 11 | * corsaro is free software: you can redistribute it and/or modify 12 | * it under the terms of the GNU General Public License as published by 13 | * the Free Software Foundation, either version 3 of the License, or 14 | * (at your option) any later version. 15 | * 16 | * corsaro is distributed in the hope that it will be useful, 17 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 18 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 19 | * GNU General Public License for more details. 20 | * 21 | * You should have received a copy of the GNU General Public License 22 | * along with corsaro. If not, see . 23 | * 24 | */ 25 | 26 | 27 | #ifndef __CORSARO_TAGSTATS_H 28 | #define __CORSARO_TAGSTATS_H 29 | 30 | #include "corsaro_plugin.h" 31 | 32 | CORSARO_PLUGIN_GENERATE_PROTOS(corsaro_tagstats) 33 | 34 | #endif /* __CORSARO_TAGSTATS_H */ 35 | -------------------------------------------------------------------------------- /libcorsaro/plugins/corsaro_filterbpf.h: -------------------------------------------------------------------------------- 1 | /* 2 | * corsaro 3 | * 4 | * Alistair King, CAIDA, UC San Diego 5 | * corsaro-info@caida.org 6 | * 7 | * Copyright (C) 2012 The Regents of the University of California. 8 | * 9 | * This file is part of corsaro. 10 | * 11 | * corsaro is free software: you can redistribute it and/or modify 12 | * it under the terms of the GNU General Public License as published by 13 | * the Free Software Foundation, either version 3 of the License, or 14 | * (at your option) any later version. 15 | * 16 | * corsaro is distributed in the hope that it will be useful, 17 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 18 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 19 | * GNU General Public License for more details. 20 | * 21 | * You should have received a copy of the GNU General Public License 22 | * along with corsaro. If not, see . 23 | * 24 | */ 25 | 26 | 27 | #ifndef __CORSARO_FILTERBPF_H 28 | #define __CORSARO_FILTERBPF_H 29 | 30 | #include "corsaro_plugin.h" 31 | 32 | CORSARO_PLUGIN_GENERATE_PROTOS(corsaro_filterbpf) 33 | 34 | #endif /* __CORSARO_FILTERBPF_H */ 35 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # temp files 2 | *~ 3 | *.#* 4 | .DS_Store 5 | 6 | # Compiled Object files 7 | *.slo 8 | *.lo 9 | *.o 10 | 11 | # Compiled Dynamic libraries 12 | *.so 13 | 14 | # Compiled Static libraries 15 | *.lai 16 | *.la 17 | *.a 18 | 19 | # helpful to me only? 20 | TAGS 21 | #makedocs 22 | #publish_docs.sh 23 | 24 | # Compiled programs 25 | corsaro 26 | cors2ascii 27 | cors-ft-aggregate 28 | cors-ft-reports 29 | cors-trace2tuple 30 | corsaro-*.tar.gz 31 | 32 | # doxygen files 33 | docs/doxygen/caida-html 34 | docs/doxygen/html 35 | docs/doxygen/latex 36 | docs/doxygen/man 37 | docs/corsaro.caida.doxygen 38 | docs/corsaro.doxygen 39 | 40 | # Autotools files 41 | # http://www.gnu.org/software/automake 42 | 43 | Makefile.in 44 | Makefile 45 | 46 | # http://www.gnu.org/software/autoconf 47 | 48 | /autom4te.cache 49 | /aclocal.m4 50 | /compile 51 | /configure 52 | /depcomp 53 | /install-sh 54 | /missing 55 | .deps/ 56 | /config.h 57 | config.status 58 | config.h.in 59 | config.log 60 | configure.scan 61 | stamp-h1 62 | .libs/ 63 | autoscan.log 64 | config.guess 65 | config.sub 66 | libtool 67 | ltmain.sh 68 | m4/libtool.m4 69 | m4/ltoptions.m4 70 | m4/ltsugar.m4 71 | m4/ltversion.m4 72 | m4/lt~obsolete.m4 73 | -------------------------------------------------------------------------------- /libcorsaro/plugins/corsaro_anon.h: -------------------------------------------------------------------------------- 1 | /* 2 | * corsaro 3 | * 4 | * Alistair King, CAIDA, UC San Diego 5 | * corsaro-info@caida.org 6 | * 7 | * Copyright (C) 2012 The Regents of the University of California. 8 | * 9 | * This file is part of corsaro. 10 | * 11 | * corsaro is free software: you can redistribute it and/or modify 12 | * it under the terms of the GNU General Public License as published by 13 | * the Free Software Foundation, either version 3 of the License, or 14 | * (at your option) any later version. 15 | * 16 | * corsaro is distributed in the hope that it will be useful, 17 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 18 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 19 | * GNU General Public License for more details. 20 | * 21 | * You should have received a copy of the GNU General Public License 22 | * along with corsaro. If not, see . 23 | * 24 | */ 25 | 26 | 27 | #ifndef __CORSARO_ANON_H 28 | #define __CORSARO_ANON_H 29 | 30 | #include "corsaro_plugin.h" 31 | 32 | CORSARO_PLUGIN_GENERATE_PROTOS(corsaro_anon) 33 | 34 | #ifdef WITH_PLUGIN_SIXT 35 | CORSARO_PLUGIN_GENERATE_FT_PROTO(corsaro_anon) 36 | #endif 37 | 38 | #endif /* __CORSARO_ANON_H */ 39 | -------------------------------------------------------------------------------- /ChangeLog: -------------------------------------------------------------------------------- 1 | Change Log{#changelog} 2 | ========== 3 | 4 | See the [Corsaro](http://www.caida.org/tools/measurement/corsaro/) website for 5 | download information. 6 | 7 | Corsaro 2.0.0 8 | ============= 9 | - Released 2013-11-21 10 | - All users should upgrade to this release. Contact corsaro-info@caida.org for 11 | help upgrading. 12 | 13 | Major Features 14 | -------------- 15 | - Adds several plugins 16 | - Smee 17 | - CryptoPAn Anonymization 18 | - Prefix-to-AS 19 | - Geolocation 20 | - Geographic Filter 21 | - Prefix Filter 22 | - Adds geolocation framework 23 | - Adds full realtime support (including output rotation) 24 | 25 | Corsaro 1.0.2 26 | ============= 27 | - Released 2013-02-20 28 | 29 | Bug Fixes 30 | --------- 31 | - Fix issue which prevented corsaro from detecting libwandio in libtrace 32 | versions >= 3.0.15 33 | 34 | Corsaro 1.0.1 35 | ============= 36 | - Released 2012-10-22 37 | 38 | Bug Fixes 39 | --------- 40 | - Fix bug introduced in pre-release version which prevented DoS plugin from 41 | writing data for the final interval to be processed. 42 | - Removed extraneous argument to dump_hash function in cors-ft-aggregate. 43 | 44 | Corsaro 1.0.0 45 | ============= 46 | - Released 2012-10-01 47 | - Initial public release 48 | -------------------------------------------------------------------------------- /libcorsaro/plugins/corsaro_filtergeo.h: -------------------------------------------------------------------------------- 1 | /* 2 | * corsaro 3 | * 4 | * Alistair King, CAIDA, UC San Diego 5 | * corsaro-info@caida.org 6 | * 7 | * Copyright (C) 2012 The Regents of the University of California. 8 | * 9 | * This file is part of corsaro. 10 | * 11 | * corsaro is free software: you can redistribute it and/or modify 12 | * it under the terms of the GNU General Public License as published by 13 | * the Free Software Foundation, either version 3 of the License, or 14 | * (at your option) any later version. 15 | * 16 | * corsaro is distributed in the hope that it will be useful, 17 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 18 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 19 | * GNU General Public License for more details. 20 | * 21 | * You should have received a copy of the GNU General Public License 22 | * along with corsaro. If not, see . 23 | * 24 | */ 25 | 26 | 27 | #ifndef __CORSARO_FILTERGEO_H 28 | #define __CORSARO_FILTERGEO_H 29 | 30 | #include "corsaro_plugin.h" 31 | 32 | CORSARO_PLUGIN_GENERATE_PROTOS(corsaro_filtergeo) 33 | 34 | #ifdef WITH_PLUGIN_SIXT 35 | CORSARO_PLUGIN_GENERATE_FT_PROTO(corsaro_filtergeo) 36 | #endif 37 | 38 | #endif /* __CORSARO_FILTERGEO_H */ 39 | -------------------------------------------------------------------------------- /libcorsaro/plugins/corsaro_filterpfx.h: -------------------------------------------------------------------------------- 1 | /* 2 | * corsaro 3 | * 4 | * Alistair King, CAIDA, UC San Diego 5 | * corsaro-info@caida.org 6 | * 7 | * Copyright (C) 2012 The Regents of the University of California. 8 | * 9 | * This file is part of corsaro. 10 | * 11 | * corsaro is free software: you can redistribute it and/or modify 12 | * it under the terms of the GNU General Public License as published by 13 | * the Free Software Foundation, either version 3 of the License, or 14 | * (at your option) any later version. 15 | * 16 | * corsaro is distributed in the hope that it will be useful, 17 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 18 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 19 | * GNU General Public License for more details. 20 | * 21 | * You should have received a copy of the GNU General Public License 22 | * along with corsaro. If not, see . 23 | * 24 | */ 25 | 26 | 27 | #ifndef __CORSARO_FILTERPFX_H 28 | #define __CORSARO_FILTERPFX_H 29 | 30 | #include "corsaro_plugin.h" 31 | 32 | CORSARO_PLUGIN_GENERATE_PROTOS(corsaro_filterpfx) 33 | 34 | #ifdef WITH_PLUGIN_SIXT 35 | CORSARO_PLUGIN_GENERATE_FT_PROTO(corsaro_filterpfx) 36 | #endif 37 | 38 | #endif /* __CORSARO_FILTERPFX_H */ 39 | -------------------------------------------------------------------------------- /docs/doxygen/static/zchangelog.md: -------------------------------------------------------------------------------- 1 | Change Log{#changelog} 2 | ========== 3 | 4 | See the [Corsaro](http://www.caida.org/tools/measurement/corsaro/) website for 5 | download information. 6 | 7 | Corsaro 2.0.0 8 | ============= 9 | - Released 2013-11-21 10 | - All users should upgrade to this release. Contact corsaro-info@caida.org for 11 | help upgrading. 12 | 13 | Major Features 14 | -------------- 15 | - Adds several plugins 16 | - Smee 17 | - CryptoPAn Anonymization 18 | - Prefix-to-AS 19 | - Geolocation 20 | - Geographic Filter 21 | - Prefix Filter 22 | - Adds geolocation framework 23 | - Adds full realtime support (including output rotation) 24 | 25 | Corsaro 1.0.2 26 | ============= 27 | - Released 2013-02-20 28 | 29 | Bug Fixes 30 | --------- 31 | - Fix issue which prevented corsaro from detecting libwandio in libtrace 32 | versions >= 3.0.15 33 | 34 | Corsaro 1.0.1 35 | ============= 36 | - Released 2012-10-22 37 | 38 | Bug Fixes 39 | --------- 40 | - Fix bug introduced in pre-release version which prevented DoS plugin from 41 | writing data for the final interval to be processed. 42 | - Removed extraneous argument to dump_hash function in cors-ft-aggregate. 43 | 44 | Corsaro 1.0.0 45 | ============= 46 | - Released 2012-10-01 47 | - Initial public release 48 | -------------------------------------------------------------------------------- /Makefile.am: -------------------------------------------------------------------------------- 1 | # 2 | # corsaro 3 | # 4 | # Alistair King, CAIDA, UC San Diego 5 | # corsaro-info@caida.org 6 | # 7 | # Copyright (C) 2012 The Regents of the University of California. 8 | # 9 | # This file is part of corsaro. 10 | # 11 | # corsaro is free software: you can redistribute it and/or modify 12 | # it under the terms of the GNU General Public License as published by 13 | # the Free Software Foundation, either version 3 of the License, or 14 | # (at your option) any later version. 15 | # 16 | # corsaro is distributed in the hope that it will be useful, 17 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 18 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 19 | # GNU General Public License for more details. 20 | # 21 | # You should have received a copy of the GNU General Public License 22 | # along with corsaro. If not, see . 23 | # 24 | 25 | SUBDIRS = common docs libcorsaro tools 26 | AM_CPPFLAGS = -I$(top_srcdir) -I$(top_srcdir)/libcorsaro -I$(top_srcdir)/common \ 27 | -I$(top_srcdir)/libcorsaro/plugins 28 | 29 | bin_PROGRAMS = corsaro 30 | 31 | # main corsaro program 32 | corsaro_SOURCES = \ 33 | corsaro_main.c 34 | 35 | corsaro_LDADD = -lcorsaro 36 | 37 | corsaro_LDFLAGS = -L$(top_builddir)/libcorsaro 38 | 39 | EXTRA_DIST = libtrace-3.0.13-wandio_export.patch thirdparty/libsmee-2.2.2.tar.gz 40 | 41 | ACLOCAL_AMFLAGS = -I m4 42 | 43 | CLEANFILES = *~ 44 | -------------------------------------------------------------------------------- /libcorsaro/plugins/libanon/Makefile.am: -------------------------------------------------------------------------------- 1 | # 2 | # corsaro 3 | # 4 | # Alistair King, CAIDA, UC San Diego 5 | # corsaro-info@caida.org 6 | # 7 | # Copyright (C) 2012 The Regents of the University of California. 8 | # 9 | # This file is part of corsaro. 10 | # 11 | # corsaro is free software: you can redistribute it and/or modify 12 | # it under the terms of the GNU General Public License as published by 13 | # the Free Software Foundation, either version 3 of the License, or 14 | # (at your option) any later version. 15 | # 16 | # corsaro is distributed in the hope that it will be useful, 17 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 18 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 19 | # GNU General Public License for more details. 20 | # 21 | # You should have received a copy of the GNU General Public License 22 | # along with corsaro. If not, see . 23 | # 24 | # This file is a modified version of the 'Makefile.am' file included with 25 | # the 'traceanon' tool in libtrace 26 | # (http://research.wand.net.nz/software/libtrace.php) 27 | 28 | AM_CPPFLAGS = 29 | 30 | noinst_LTLIBRARIES = libanon.la 31 | 32 | libanon_la_SOURCES = corsaro_libanon.h corsaro_libanon.c \ 33 | rijndael.h rijndael.c panon.h panon.c 34 | 35 | # rijndael.c does lots of nasty casting that is going to be a nightmare to fix 36 | # and debug - I'm going to disable this warning in the interim, as it's really 37 | # messy and hopefully isn't actually an issue. 38 | libanon_la_CFLAGS = -fno-strict-aliasing $(AM_CFLAGS) 39 | -------------------------------------------------------------------------------- /m4/ax_lib_socket_nsl.m4: -------------------------------------------------------------------------------- 1 | # =========================================================================== 2 | # http://www.gnu.org/software/autoconf-archive/ax_lib_socket_nsl.html 3 | # =========================================================================== 4 | # 5 | # SYNOPSIS 6 | # 7 | # AX_LIB_SOCKET_NSL 8 | # 9 | # DESCRIPTION 10 | # 11 | # This macro figures out what libraries are required on this platform to 12 | # link sockets programs. 13 | # 14 | # The common cases are not to need any extra libraries, or to need 15 | # -lsocket and -lnsl. We need to avoid linking with libnsl unless we need 16 | # it, though, since on some OSes where it isn't necessary it will totally 17 | # break networking. Unisys also includes gethostbyname() in libsocket but 18 | # needs libnsl for socket(). 19 | # 20 | # LICENSE 21 | # 22 | # Copyright (c) 2008 Russ Allbery 23 | # Copyright (c) 2008 Stepan Kasal 24 | # Copyright (c) 2008 Warren Young 25 | # 26 | # Copying and distribution of this file, with or without modification, are 27 | # permitted in any medium without royalty provided the copyright notice 28 | # and this notice are preserved. This file is offered as-is, without any 29 | # warranty. 30 | 31 | #serial 6 32 | 33 | AU_ALIAS([LIB_SOCKET_NSL], [AX_LIB_SOCKET_NSL]) 34 | AC_DEFUN([AX_LIB_SOCKET_NSL], 35 | [ 36 | AC_SEARCH_LIBS([gethostbyname], [nsl]) 37 | AC_SEARCH_LIBS([socket], [socket], [], [ 38 | AC_CHECK_LIB([socket], [socket], [LIBS="-lsocket -lnsl $LIBS"], 39 | [], [-lnsl])]) 40 | ]) 41 | 42 | -------------------------------------------------------------------------------- /libcorsaro/plugins/libanon/panon.h: -------------------------------------------------------------------------------- 1 | /* 2 | * corsaro 3 | * 4 | * Alistair King, CAIDA, UC San Diego 5 | * corsaro-info@caida.org 6 | * 7 | * Copyright (C) 2012 The Regents of the University of California. 8 | * 9 | * This file is part of corsaro. 10 | * 11 | * corsaro is free software: you can redistribute it and/or modify 12 | * it under the terms of the GNU General Public License as published by 13 | * the Free Software Foundation, either version 3 of the License, or 14 | * (at your option) any later version. 15 | * 16 | * corsaro is distributed in the hope that it will be useful, 17 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 18 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 19 | * GNU General Public License for more details. 20 | * 21 | * You should have received a copy of the GNU General Public License 22 | * along with corsaro. If not, see . 23 | * 24 | * This file is a modified version of the 'panon.h' file included with 25 | * libtrace (http://research.wand.net.nz/software/libtrace.php) 26 | * 27 | */ 28 | 29 | #ifndef _PANON_H_ 30 | #define _PANON_H_ 31 | 32 | /* $Id: panon.h 1448 2009-10-15 05:25:10Z perry $ */ 33 | 34 | #include "rijndael.h" 35 | #include 36 | 37 | uint32_t anonymize( const uint32_t orig_addr ); 38 | uint32_t pp_anonymize( const uint32_t orig_addr ); 39 | uint32_t cpp_anonymize( const uint32_t orig_addr ); 40 | void panon_init_decrypt(const uint8_t * key); 41 | void panon_init(const char * key); 42 | void panon_init_cache(void); 43 | 44 | #endif 45 | -------------------------------------------------------------------------------- /docs/doxygen/static/corsaro.bib: -------------------------------------------------------------------------------- 1 | @article{ccr-alcock-2012, 2 | author = {Alcock, Shane and Lorier, Perry and Nelson, Richard}, 3 | title = {Libtrace: a packet capture and analysis library}, 4 | journal = {SIGCOMM Comput. Commun. Rev.}, 5 | issue_date = {April 2012}, 6 | volume = {42}, 7 | number = {2}, 8 | issn = {0146-4833}, 9 | pages = {42--48}, 10 | numpages = {7}, 11 | url = {http://doi.acm.org/10.1145/2185376.2185382}, 12 | doi = {10.1145/2185376.2185382}, 13 | acmid = {2185382}, 14 | publisher = {ACM}, 15 | address = {New York, NY, USA}, 16 | keywords = {packet capture, protocol decoding, trace analysis}, 17 | } 18 | 19 | @ARTICLE{ton-moore-2006, 20 | Author = {Moore, D. and Shannon, C. and Brown, D. and Voelker, G. and Savage, S.}, 21 | Title = {{Inferring Internet Denial-of-Service Activity}}, 22 | Journal = {ACM Transactions on Computer Systems}, 23 | Volume = {24}, 24 | Number = {2}, 25 | Pages = {115-139}, 26 | Month = {May}, 27 | Year = {2006}, 28 | Keywords = {security network telescope} 29 | } 30 | 31 | @INPROCEEDINGS{pam-brownlee-2012, 32 | Author = {Brownlee, N.}, 33 | Title = {{One-way Traffic Monitoring with iatmon}}, 34 | BookTitle = {Passive and Active Network Measurement Workshop (PAM)}, 35 | Publisher = {PAM 2012}, 36 | Address = {Vienna, Austria}, 37 | Institution = {Cooperative Association for Internet Data Analysis (CAIDA)}, 38 | Month = {Mar}, 39 | Year = {2012}, 40 | Keywords = {measurement methodology routing software/tools} 41 | } 42 | -------------------------------------------------------------------------------- /libcorsaro/plugins/corsaro_ipmeta.h: -------------------------------------------------------------------------------- 1 | /* 2 | * corsaro 3 | * 4 | * Alistair King, CAIDA, UC San Diego 5 | * corsaro-info@caida.org 6 | * 7 | * Copyright (C) 2012 The Regents of the University of California. 8 | * 9 | * This file is part of corsaro. 10 | * 11 | * corsaro is free software: you can redistribute it and/or modify 12 | * it under the terms of the GNU General Public License as published by 13 | * the Free Software Foundation, either version 3 of the License, or 14 | * (at your option) any later version. 15 | * 16 | * corsaro is distributed in the hope that it will be useful, 17 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 18 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 19 | * GNU General Public License for more details. 20 | * 21 | * You should have received a copy of the GNU General Public License 22 | * along with corsaro. If not, see . 23 | * 24 | */ 25 | 26 | 27 | #ifndef __CORSARO_IPMETA_H 28 | #define __CORSARO_IPMETA_H 29 | 30 | #include 31 | 32 | #include "corsaro_plugin.h" 33 | 34 | CORSARO_PLUGIN_GENERATE_PROTOS(corsaro_ipmeta) 35 | 36 | #ifdef WITH_PLUGIN_SIXT 37 | CORSARO_PLUGIN_GENERATE_FT_PROTO(corsaro_ipmeta) 38 | #endif 39 | 40 | ipmeta_record_t *corsaro_ipmeta_get_record(struct corsaro_packet_state *pkt_state, 41 | ipmeta_provider_id_t provider_id); 42 | 43 | ipmeta_record_t *corsaro_ipmeta_get_default_record( 44 | struct corsaro_packet_state *pkt_state); 45 | 46 | ipmeta_provider_t *corsaro_ipmeta_get_provider(corsaro_t *corsaro, 47 | ipmeta_provider_id_t provider_id); 48 | 49 | #endif /* __CORSARO_IPMETA_H */ 50 | -------------------------------------------------------------------------------- /libcorsaro/Makefile.am: -------------------------------------------------------------------------------- 1 | # 2 | # corsaro 3 | # 4 | # Alistair King, CAIDA, UC San Diego 5 | # corsaro-info@caida.org 6 | # 7 | # Copyright (C) 2012 The Regents of the University of California. 8 | # 9 | # This file is part of corsaro. 10 | # 11 | # corsaro is free software: you can redistribute it and/or modify 12 | # it under the terms of the GNU General Public License as published by 13 | # the Free Software Foundation, either version 3 of the License, or 14 | # (at your option) any later version. 15 | # 16 | # corsaro is distributed in the hope that it will be useful, 17 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 18 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 19 | # GNU General Public License for more details. 20 | # 21 | # You should have received a copy of the GNU General Public License 22 | # along with corsaro. If not, see . 23 | # 24 | 25 | SUBDIRS = plugins 26 | AM_CPPFLAGS = -I$(top_srcdir) -I$(top_srcdir)/common \ 27 | -I$(top_srcdir)/common/libpatricia \ 28 | -I$(top_srcdir)/libcorsaro/plugins 29 | 30 | lib_LTLIBRARIES = libcorsaro.la 31 | 32 | include_HEADERS = corsaro.h corsaro_log.h corsaro_io.h 33 | 34 | libcorsaro_la_SOURCES = \ 35 | corsaro.c \ 36 | corsaro.h \ 37 | corsaro_file.c \ 38 | corsaro_file.h \ 39 | corsaro_int.h \ 40 | corsaro_io.c \ 41 | corsaro_io.h \ 42 | corsaro_log.c \ 43 | corsaro_log.h \ 44 | corsaro_plugin.c \ 45 | corsaro_plugin.h \ 46 | corsaro_tag.c \ 47 | corsaro_tag.h 48 | 49 | libcorsaro_la_LIBADD = $(top_builddir)/common/libcccommon.la \ 50 | $(top_builddir)/libcorsaro/plugins/libcorsaroplugins.la 51 | 52 | libcorsaro_la_LDFLAGS = -version-info @CORSARO_MAJOR_VERSION@:@CORSARO_MINOR_VERSION@:@CORSARO_MID_VERSION@ 53 | 54 | ACLOCAL_AMFLAGS = -I m4 55 | 56 | CLEANFILES = *~ 57 | -------------------------------------------------------------------------------- /tools/Makefile.am: -------------------------------------------------------------------------------- 1 | # 2 | # corsaro 3 | # 4 | # Alistair King, CAIDA, UC San Diego 5 | # corsaro-info@caida.org 6 | # 7 | # Copyright (C) 2012 The Regents of the University of California. 8 | # 9 | # This file is part of corsaro. 10 | # 11 | # corsaro is free software: you can redistribute it and/or modify 12 | # it under the terms of the GNU General Public License as published by 13 | # the Free Software Foundation, either version 3 of the License, or 14 | # (at your option) any later version. 15 | # 16 | # corsaro is distributed in the hope that it will be useful, 17 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 18 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 19 | # GNU General Public License for more details. 20 | # 21 | # You should have received a copy of the GNU General Public License 22 | # along with corsaro. If not, see . 23 | # 24 | 25 | AM_CPPFLAGS = -I$(top_srcdir) -I$(top_srcdir)/common -I$(top_srcdir)/libcorsaro \ 26 | -I$(top_srcdir)/libcorsaro/plugins 27 | 28 | dist_bin_SCRIPTS = \ 29 | cors-splitascii.pl \ 30 | cors-ft-timeseries.pl 31 | 32 | bin_PROGRAMS = cors-trace2tuple cors2ascii 33 | 34 | # corsaro2ascii program 35 | cors2ascii_SOURCES = \ 36 | cors2ascii.c 37 | cors2ascii_LDADD = -lcorsaro 38 | cors2ascii_LDFLAGS = -L$(top_builddir)/libcorsaro 39 | 40 | # not really a part of corsaro, but lets call corsaro the caida telescope 41 | # toolset :) 42 | cors_trace2tuple_SOURCES = \ 43 | cors-trace2tuple.c 44 | cors_trace2tuple_LDADD = -ltrace 45 | 46 | if WITH_PLUGIN_SIXT 47 | bin_PROGRAMS += cors-ft-aggregate 48 | cors_ft_aggregate_SOURCES = \ 49 | cors-ft-aggregate.c 50 | cors_ft_aggregate_LDADD = -lcorsaro 51 | cors_ft_aggregate_LDFLAGS = -L$(top_builddir)/libcorsaro 52 | endif 53 | 54 | ACLOCAL_AMFLAGS = -I m4 55 | 56 | CLEANFILES = *~ 57 | -------------------------------------------------------------------------------- /tools/cors-splitascii.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env perl 2 | # 3 | # corsaro 4 | # 5 | # Alistair King, CAIDA, UC San Diego 6 | # corsaro-info@caida.org 7 | # 8 | # Copyright (C) 2012 The Regents of the University of California. 9 | # 10 | # This file is part of corsaro. 11 | # 12 | # corsaro is free software: you can redistribute it and/or modify 13 | # it under the terms of the GNU General Public License as published by 14 | # the Free Software Foundation, either version 3 of the License, or 15 | # (at your option) any later version. 16 | # 17 | # corsaro is distributed in the hope that it will be useful, 18 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 19 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 20 | # GNU General Public License for more details. 21 | # 22 | # You should have received a copy of the GNU General Public License 23 | # along with corsaro. If not, see . 24 | # 25 | 26 | use strict; 27 | 28 | if(@ARGV < 1 || @ARGV > 2) 29 | { 30 | print STDERR "usage: $0 output_pattern [input_file]\n"; 31 | print STDERR "\twhere output_pattern must include %INTERVAL% to be replaced with\n"; 32 | print STDERR "\tthe interval timestamp\n"; 33 | exit -1; 34 | } 35 | 36 | my $output = $ARGV[0]; 37 | my $infile = $ARGV[1] ? $ARGV[1] : "-"; 38 | 39 | unless($output =~ /%INTERVAL%/) 40 | { 41 | print STDERR "output pattern MUST contain %INTERVAL%\n"; 42 | exit -1; 43 | } 44 | 45 | open(INFILE, $infile) or die "could not open $infile"; 46 | 47 | my $outfile; 48 | 49 | while() 50 | { 51 | if(/CORSARO_INTERVAL_START/../CORSARO_INTERVAL_END/) 52 | { 53 | if(/CORSARO_INTERVAL_START\s+\d+\s+(\d+)/) 54 | { 55 | #switch to a new output file 56 | my $time = $1; 57 | close $outfile if $outfile; 58 | my $this_file = $output; 59 | $this_file =~ s/%INTERVAL%/$time/; 60 | open($outfile, "> $this_file") or die 61 | "could not open interval file $this_file\n"; 62 | } 63 | print $outfile $_; 64 | } 65 | } 66 | -------------------------------------------------------------------------------- /m4/ed_with_plugin.m4: -------------------------------------------------------------------------------- 1 | # SYNOPSIS 2 | # 3 | # ED_WITH_PLUGIN 4 | # 5 | # DESCRIPTION 6 | # 7 | # This macro 8 | # 9 | # LICENSE 10 | # 11 | # corsaro 12 | # 13 | # Alistair King, CAIDA, UC San Diego 14 | # corsaro-info@caida.org 15 | # 16 | # Copyright (C) 2012 The Regents of the University of California. 17 | # 18 | # This file is part of corsaro. 19 | # 20 | # corsaro is free software: you can redistribute it and/or modify 21 | # it under the terms of the GNU General Public License as published by 22 | # the Free Software Foundation, either version 3 of the License, or 23 | # (at your option) any later version. 24 | # 25 | # corsaro is distributed in the hope that it will be useful, 26 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 27 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 28 | # GNU General Public License for more details. 29 | # 30 | # You should have received a copy of the GNU General Public License 31 | # along with corsaro. If not, see . 32 | # 33 | # ED_WITH_PLUGIN([plugin_name], [short_name], [CAPS_name], [enabled_by_default]) 34 | # 35 | AC_DEFUN([ED_WITH_PLUGIN], 36 | [ 37 | AC_MSG_CHECKING([whether to build with $2 plugin]) 38 | 39 | if test "x$4" == xyes; then 40 | AC_ARG_WITH([$2], 41 | [AS_HELP_STRING([--without-$2], 42 | [build without the $2 plugin])], 43 | [with_plugin_$2=$with_$2], 44 | [with_plugin_$2=yes]) 45 | else 46 | AC_ARG_WITH([$2], 47 | [AS_HELP_STRING([--with-$2], 48 | [build with the $2 plugin])], 49 | [with_plugin_$2=$with_$2], 50 | [with_plugin_$2=no]) 51 | fi 52 | 53 | WITH_PLUGIN_$3= 54 | AS_IF([test "x$with_plugin_$2" != xno], 55 | [ 56 | AC_DEFINE([WITH_PLUGIN_$3],[1],[Building with $2]) 57 | ED_PLUGIN_INIT_ALL_ENABLED="${ED_PLUGIN_INIT_ALL_ENABLED}PLUGIN_INIT_ADD($1);" 58 | ]) 59 | AC_MSG_RESULT([$with_plugin_$2]) 60 | 61 | AM_CONDITIONAL([WITH_PLUGIN_$3], [test "x$with_plugin_$2" != xno]) 62 | ]) 63 | -------------------------------------------------------------------------------- /docs/Makefile.am: -------------------------------------------------------------------------------- 1 | DOXYGEN_CONF = corsaro.doxygen 2 | DOXYGEN_CAIDA_CONF = corsaro.caida.doxygen 3 | DOXYGEN_FOLDERS = doxygen/html doxygen/man doxygen/latex 4 | DOXYGEN_CAIDA_FOLDERS = doxygen/caida-html 5 | DOXYGEN_BIB_FILES = doxygen/bib*.aux doxygen/citelist.doc* 6 | 7 | EXTRA_DIST = doxygen/static 8 | 9 | if HAS_DOXYGEN 10 | EXTRA_DIST += $(DOXYGEN_FOLDERS) 11 | corsaro_doxygen=yes 12 | endif 13 | 14 | doxygen/caida-html: doxy-caida 15 | 16 | doxygen/html: doxy 17 | 18 | doxygen/latex: doxy 19 | 20 | doxygen/man: doxy 21 | 22 | documentation: latex 23 | 24 | latex: *.tex 25 | latex2html -dir html -split 0 *.tex 26 | 27 | all: doxy 28 | 29 | distclean: doxyclean 30 | rm -rf $(DOXYGEN_CONF) 31 | 32 | clean: doxyclean 33 | 34 | doxy: 35 | @for folder in $(DOXYGEN_FOLDERS) ; do \ 36 | if test -d $$folder ; then \ 37 | break ; \ 38 | else \ 39 | if test x"$(corsaro_doxygen)" = xyes ; then \ 40 | if test -f $(DOXYGEN_CONF) ; then \ 41 | CORSARO_VERSION=@CORSARO_MAJOR_VERSION@.@CORSARO_MID_VERSION@.@CORSARO_MINOR_VERSION@ doxygen $(DOXYGEN_CONF) ; \ 42 | else \ 43 | echo "Sorry, doxygen conf file $(DOXYGEN_CONF) does not exist" ; \ 44 | fi ; \ 45 | else \ 46 | echo "Sorry, you do not have doxygen in your PATH." ; \ 47 | fi ; \ 48 | fi \ 49 | done 50 | 51 | doxy-caida: 52 | @for folder in $(DOXYGEN_CAIDA_FOLDERS) ; do \ 53 | if test -d $$folder ; then \ 54 | break ; \ 55 | else \ 56 | if test x"$(corsaro_doxygen)" = xyes ; then \ 57 | if test -f $(DOXYGEN_CAIDA_CONF) ; then \ 58 | CORSARO_VERSION=@CORSARO_MAJOR_VERSION@.@CORSARO_MID_VERSION@.@CORSARO_MINOR_VERSION@ doxygen $(DOXYGEN_CAIDA_CONF) ; \ 59 | else \ 60 | echo "Sorry, doxygen conf file $(DOXYGEN_CAIDA_CONF) does not exist" ; \ 61 | fi ; \ 62 | else \ 63 | echo "Sorry, you do not have doxygen in your PATH." ; \ 64 | fi ; \ 65 | fi \ 66 | done 67 | 68 | doxyclean: 69 | rm -rf $(DOXYGEN_FOLDERS) $(DOXYGEN_CAIDA_FOLDERS) $(DOXYGEN_BIB_FILES) 70 | # @for folder in $(DOXYGEN_FOLDERS) ; do \ 71 | # if test -d $$folder ; then \ 72 | # rm -rf $$folder ; \ 73 | # fi \ 74 | # done 75 | -------------------------------------------------------------------------------- /libcorsaro/plugins/libanon/corsaro_libanon.h: -------------------------------------------------------------------------------- 1 | /* 2 | * corsaro 3 | * 4 | * Alistair King, CAIDA, UC San Diego 5 | * corsaro-info@caida.org 6 | * 7 | * Copyright (C) 2012 The Regents of the University of California. 8 | * 9 | * This file is part of corsaro. 10 | * 11 | * corsaro is free software: you can redistribute it and/or modify 12 | * it under the terms of the GNU General Public License as published by 13 | * the Free Software Foundation, either version 3 of the License, or 14 | * (at your option) any later version. 15 | * 16 | * corsaro is distributed in the hope that it will be useful, 17 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 18 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 19 | * GNU General Public License for more details. 20 | * 21 | * You should have received a copy of the GNU General Public License 22 | * along with corsaro. If not, see . 23 | * 24 | * This file is a modified version of the 'ipanon.h' file included with 25 | * libtrace (http://research.wand.net.nz/software/libtrace.php) 26 | * 27 | */ 28 | 29 | #ifndef __CORSARO_LIBANON_H 30 | #define __CORSARO_LIBANON_H 31 | 32 | #include 33 | 34 | /** The encryption algorithm used */ 35 | typedef enum corsaro_anon_enc_type { 36 | CORSARO_ANON_ENC_NONE, /**< No encryption */ 37 | CORSARO_ANON_ENC_PREFIX_SUBSTITUTION, /**< Substitute a prefix */ 38 | CORSARO_ANON_ENC_CRYPTOPAN /**< Prefix preserving encryption */ 39 | } corsaro_anon_enc_type_t; 40 | 41 | /** Initialize the anonymization module 42 | * 43 | * @param type The encryption type to use 44 | * @param key The encryption key to use 45 | * @return 0 if the plugin was successfully enabled, -1 otherwise 46 | */ 47 | void corsaro_anon_init(corsaro_anon_enc_type_t type, char *key); 48 | 49 | /** Anonymize an IP address 50 | * 51 | * @param orig_addr The IP address to anonymize 52 | * @return the anonymized IP address 53 | */ 54 | uint32_t corsaro_anon_ip(uint32_t orig_addr); 55 | 56 | /** Anonymize the source/destination addresses in an IP header 57 | * 58 | * @param ip A pointer to the IP header 59 | * @param enc_source Should the source address be anonymized 60 | * @param enc_dest Should the destination address be anonymized 61 | * 62 | * This function will attempt to anonymize addresses in returned ICMP packets 63 | * also. It will also update the checksums. 64 | */ 65 | void corsaro_anon_ip_header(struct libtrace_ip *ip, 66 | int enc_source, 67 | int enc_dest); 68 | 69 | #endif /* __CORSARO_LIBANON_H */ 70 | -------------------------------------------------------------------------------- /libcorsaro/plugins/Makefile.am: -------------------------------------------------------------------------------- 1 | # 2 | # corsaro 3 | # 4 | # Alistair King, CAIDA, UC San Diego 5 | # corsaro-info@caida.org 6 | # 7 | # Copyright (C) 2012 The Regents of the University of California. 8 | # 9 | # This file is part of corsaro. 10 | # 11 | # corsaro is free software: you can redistribute it and/or modify 12 | # it under the terms of the GNU General Public License as published by 13 | # the Free Software Foundation, either version 3 of the License, or 14 | # (at your option) any later version. 15 | # 16 | # corsaro is distributed in the hope that it will be useful, 17 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 18 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 19 | # GNU General Public License for more details. 20 | # 21 | # You should have received a copy of the GNU General Public License 22 | # along with corsaro. If not, see . 23 | # 24 | 25 | SUBDIRS = 26 | 27 | AM_CPPFLAGS = -I$(top_srcdir) -I$(top_srcdir)/common \ 28 | -I$(top_srcdir)/common/libpatricia \ 29 | -I$(top_srcdir)/common/libcsv \ 30 | -I$(top_srcdir)/libcorsaro 31 | 32 | noinst_LTLIBRARIES = libcorsaroplugins.la 33 | 34 | include_HEADERS = 35 | PLUGIN_SRC= 36 | PLUGIN_LIBS= 37 | 38 | if WITH_PLUGIN_PCAP 39 | PLUGIN_SRC+=corsaro_pcap.c corsaro_pcap.h 40 | endif 41 | if WITH_PLUGIN_SIXT 42 | PLUGIN_SRC+=corsaro_flowtuple.c corsaro_flowtuple.h 43 | include_HEADERS+=corsaro_flowtuple.h 44 | endif 45 | if WITH_PLUGIN_DOS 46 | PLUGIN_SRC+=corsaro_dos.c corsaro_dos.h 47 | include_HEADERS+=corsaro_dos.h 48 | endif 49 | if WITH_PLUGIN_SMEE 50 | PLUGIN_SRC+=corsaro_smee.c corsaro_smee.h 51 | endif 52 | if WITH_PLUGIN_ANON 53 | SUBDIRS += libanon 54 | PLUGIN_LIBS += $(top_builddir)/libcorsaro/plugins/libanon/libanon.la 55 | AM_CPPFLAGS += -I$(top_srcdir)/libcorsaro/plugins/libanon 56 | PLUGIN_SRC+=corsaro_anon.c corsaro_anon.h 57 | endif 58 | if WITH_PLUGIN_IPMETA 59 | PLUGIN_SRC+=corsaro_ipmeta.c corsaro_ipmeta.h 60 | endif 61 | if WITH_PLUGIN_FILTERGEO 62 | PLUGIN_SRC+=corsaro_filtergeo.c corsaro_filtergeo.h 63 | endif 64 | if WITH_PLUGIN_FILTERPFX 65 | PLUGIN_SRC+=corsaro_filterpfx.c corsaro_filterpfx.h 66 | endif 67 | if WITH_PLUGIN_FILTERBPF 68 | PLUGIN_SRC+=corsaro_filterbpf.c corsaro_filterbpf.h 69 | endif 70 | if WITH_PLUGIN_TAGSTATS 71 | PLUGIN_SRC+=corsaro_tagstats.c corsaro_tagstats.h 72 | endif 73 | 74 | ################################################################################ 75 | # Add new plugins below here using: 76 | # (ordering is not important) 77 | # 78 | # if WITH_PLUGIN_ 79 | # PLUGIN_SRC += .c .h 80 | # endif 81 | # 82 | ################################################################################ 83 | 84 | libcorsaroplugins_la_SOURCES = \ 85 | $(PLUGIN_SRC) 86 | 87 | libcorsaroplugins_la_LIBADD = \ 88 | $(PLUGIN_LIBS) 89 | 90 | ACLOCAL_AMFLAGS = -I m4 91 | 92 | CLEANFILES = *~ 93 | -------------------------------------------------------------------------------- /publish_docs.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env perl 2 | # 3 | # corsaro 4 | # 5 | # Alistair King, CAIDA, UC San Diego 6 | # corsaro-info@caida.org 7 | # 8 | # Copyright (C) 2012 The Regents of the University of California. 9 | # 10 | # This file is part of corsaro. 11 | # 12 | # corsaro is free software: you can redistribute it and/or modify 13 | # it under the terms of the GNU General Public License as published by 14 | # the Free Software Foundation, either version 3 of the License, or 15 | # (at your option) any later version. 16 | # 17 | # corsaro is distributed in the hope that it will be useful, 18 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 19 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 20 | # GNU General Public License for more details. 21 | # 22 | # You should have received a copy of the GNU General Public License 23 | # along with corsaro. If not, see . 24 | # 25 | 26 | use strict; 27 | 28 | unless (@ARGV == 1 || @ARGV == 2) 29 | { 30 | print STDERR "usage: $0 [caida|test|dist] [ssh location]\n"; 31 | exit -1; 32 | } 33 | 34 | my $type = $ARGV[0]; 35 | my $location = $ARGV[1]; 36 | 37 | my $caida_host = "cider.caida.org"; 38 | my $caida_dir = "/home/alistair/private_html/corsaro"; 39 | 40 | print STDERR "ensuring docs are built...\n"; 41 | my $target; 42 | if($type =~ /caida/ || $type =~ /test/) 43 | { 44 | $target = "doxy-caida"; 45 | } 46 | 47 | my $make_docs = "cd docs; make clean; make $target; cd .."; 48 | print STDERR "$make_docs\n"; 49 | `$make_docs`; 50 | 51 | print STDERR "publishing docs...\n"; 52 | my $src_dir = "docs/doxygen/html/"; 53 | my $dst_dir; 54 | 55 | if($type =~ /caida/ || $type =~ /test/) 56 | { 57 | $dst_dir = "$caida_host:$caida_dir/"; 58 | $src_dir = "docs/doxygen/caida-html/"; 59 | } 60 | else 61 | { 62 | unless($location) 63 | { 64 | print STDERR "a location must be specified when using " 65 | ."the 'test' and 'dist' types\n"; 66 | exit -1; 67 | } 68 | $dst_dir = $ARGV[1]; 69 | } 70 | 71 | my $rsync = "rsync -av $src_dir $dst_dir"; 72 | print STDERR "$rsync\n"; 73 | open(RSYNC, "$rsync |") or die "$! ($rsync)\n"; 74 | 75 | my @files; 76 | 77 | while() 78 | { 79 | chomp; 80 | next if(/building file list/); 81 | next if(/^\.\/$/); 82 | next if(/^\s*$/); 83 | next if(/sent \d+ bytes/); 84 | next if(/total size is/); 85 | push @files, "$caida_dir/$_"; 86 | } 87 | 88 | #foreach my $file (@files) 89 | #{ 90 | # print "$caida_dir/$file\n"; 91 | # `ssh $caida_host wcs add "$caida_dir/$file"`; 92 | #} 93 | 94 | if($type =~ /caida/) 95 | { 96 | local $" = " "; 97 | 98 | my $add_files = "ssh $caida_host wcs add @files"; 99 | #print "$add_files\n"; 100 | `$add_files`; 101 | 102 | `ssh $caida_host wcs pub "$caida_dir"`; 103 | } 104 | -------------------------------------------------------------------------------- /README: -------------------------------------------------------------------------------- 1 | Corsaro 2 | ======= 3 | 4 | Corsaro is a software suite for performing large-scale analysis of trace 5 | data. It was specifically designed to be used with passive traces captured by 6 | darknets, but the overall structure is generic enough to be used with any type 7 | of passive trace data. 8 | 9 | Because of the scale of passive trace data, Corsaro has been designed from the 10 | ground up to be fast and efficient, both in terms of run-time and output data 11 | size. For more details about the design goals of Corsaro, see the goals section 12 | of the manual. 13 | 14 | Corsaro allows high-speed analysis of trace data on a per-packet basis and 15 | provides a mechanism for aggregating results based on customizable time 16 | intervals. Trace data is read using the 17 | http://research.wand.net.nz/software/libtrace.php trace processing library, and 18 | a high-level IO abstraction layer allows results to be transparently written to 19 | compressed files, using threaded IO. The actual trace analysis logic is clearly 20 | separated into a set of plugins, several of which are shipped with Corsaro. For 21 | more information about how the pieces of Corsaro fit together, see the 22 | Architecture section of the manual. 23 | 24 | In addition to the Core Plugins which are shipped with Corsaro, the plugin 25 | framework makes the creation of new plugins as simple as possible. The low 26 | overhead involved in creating a new plugin, coupled with the efficiency and 27 | reliability of Corsaro means that it can be used both to perform ad-hoc 28 | exploratory investigations as well as in a production context to carry out 29 | large-scale near-realtime analysis. To learn how to create a plugin, or perform 30 | analysis on existing Corsaro results, see the Tutorials section. 31 | 32 | Corsaro can be used both as a library and as a stand-alone application for 33 | processing any format of trace data that libtrace supports. The Corsaro 34 | distribution also includes several other supporting tools for basic analysis of 35 | Corsaro output data. For information on using the Corsaro application and the 36 | other tools included, see the Tools section. 37 | 38 | Download 39 | ======== 40 | 41 | The latest version of Corsaro is 2.0.0 42 | http://www.caida.org/tools/measurement/corsaro/downloads/corsaro-2.0.0.tar.gz 43 | and was released on November 21 2013. 44 | 45 | We also maintain a detailed Changelog at 46 | http://www.caida.org/tools/measurement/corsaro/docs/changelog.html 47 | 48 | Dependencies {#dependencies} 49 | ============ 50 | 51 | Corsaro is written in C and should compile with any ANSI compliant C Compiler 52 | which supports the C99 standard. Please email corsaro-info@caida.org with any 53 | issues. 54 | 55 | Corsaro requires [libtrace](http://research.wand.net.nz/software/libtrace.php) 56 | version 3.0.14 or higher. (3.0.8 or higher can be used if the libwandio patch 57 | included in the corsaro distribution is applied). 58 | 59 | Usage {#usage} 60 | ===== 61 | 62 | Corsaro has many different usage scenarios which are outlined in this manual, 63 | but if you are looking to just run the analysis engine with the bundled plugins, 64 | see the Corsaro section of the Tools page of the manual 65 | (http://www.caida.org/tools/measurement/corsaro/docs/tools.html#tool_corsaro). 66 | 67 | 68 | Documentation {#docs} 69 | ============= 70 | 71 | The online Corsaro Documentation 72 | (http://www.caida.org/tools/measurement/corsaro/docs/) is the best source of 73 | information about using Corsaro. It contains full API documentation, usage 74 | instructions for the Corsaro tools. It also has tutorials about writing Corsaro 75 | plugins and using the libcorsaro library to perform analysis on 76 | Corsaro-generated data. 77 | -------------------------------------------------------------------------------- /tools/cors2ascii.c: -------------------------------------------------------------------------------- 1 | /* 2 | * corsaro 3 | * 4 | * Alistair King, CAIDA, UC San Diego 5 | * corsaro-info@caida.org 6 | * 7 | * Copyright (C) 2012 The Regents of the University of California. 8 | * 9 | * This file is part of corsaro. 10 | * 11 | * corsaro is free software: you can redistribute it and/or modify 12 | * it under the terms of the GNU General Public License as published by 13 | * the Free Software Foundation, either version 3 of the License, or 14 | * (at your option) any later version. 15 | * 16 | * corsaro is distributed in the hope that it will be useful, 17 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 18 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 19 | * GNU General Public License for more details. 20 | * 21 | * You should have received a copy of the GNU General Public License 22 | * along with corsaro. If not, see . 23 | * 24 | */ 25 | 26 | #include "config.h" 27 | 28 | #include 29 | #include 30 | #include 31 | #include 32 | 33 | #include "libtrace.h" 34 | 35 | #include "corsaro.h" 36 | #include "corsaro_log.h" 37 | #include "corsaro_io.h" 38 | 39 | /** @file 40 | * 41 | * @brief Code which uses libcorsaro to convert an corsaro output file to ascii 42 | * 43 | * @author Alistair King 44 | * 45 | */ 46 | 47 | /** The corsaro_in object for reading the input file */ 48 | static corsaro_in_t *corsaro = NULL; 49 | 50 | /** The record object to read into */ 51 | static corsaro_in_record_t *record = NULL; 52 | 53 | /** Cleanup and free state */ 54 | static void clean() 55 | { 56 | if(record != NULL) 57 | { 58 | corsaro_in_free_record(record); 59 | record = NULL; 60 | } 61 | 62 | if(corsaro != NULL) 63 | { 64 | corsaro_finalize_input(corsaro); 65 | corsaro = NULL; 66 | } 67 | } 68 | 69 | /** Initialize a corsaro_in object for the given file name */ 70 | static int init_corsaro(char *corsarouri) 71 | { 72 | /* get an corsaro_in object */ 73 | if((corsaro = corsaro_alloc_input(corsarouri)) == NULL) 74 | { 75 | fprintf(stderr, "could not alloc corsaro_in\n"); 76 | clean(); 77 | return -1; 78 | } 79 | 80 | /* get a record */ 81 | if ((record = corsaro_in_alloc_record(corsaro)) == NULL) { 82 | fprintf(stderr, "could not alloc record\n"); 83 | clean(); 84 | return -1; 85 | } 86 | 87 | /* start corsaro */ 88 | if(corsaro_start_input(corsaro) != 0) 89 | { 90 | fprintf(stderr, "could not start corsaro\n"); 91 | clean(); 92 | return -1; 93 | } 94 | 95 | return 0; 96 | } 97 | 98 | /** Print usage information to stderr */ 99 | static void usage(const char *name) 100 | { 101 | fprintf(stderr, 102 | "usage: %s input_file\n", name); 103 | } 104 | 105 | /** Entry point for the cors2ascii tool */ 106 | int main(int argc, char *argv[]) 107 | { 108 | char *file = NULL; 109 | 110 | corsaro_in_record_type_t type = CORSARO_IN_RECORD_TYPE_NULL; 111 | off_t len = 0; 112 | 113 | if(argc != 2) 114 | { 115 | usage(argv[0]); 116 | exit(-1); 117 | } 118 | 119 | /* argv[1] is the corsaro file */ 120 | file = argv[1]; 121 | 122 | /* this must be done before corsaro_init_output */ 123 | if(init_corsaro(file) != 0) 124 | { 125 | fprintf(stderr, "failed to init corsaro\n"); 126 | clean(); 127 | return -1; 128 | } 129 | 130 | while ((len = corsaro_in_read_record(corsaro, &type, record)) > 0) { 131 | if(type == CORSARO_IN_RECORD_TYPE_NULL) 132 | { 133 | clean(); 134 | return -1; 135 | } 136 | 137 | corsaro_io_print_record(corsaro->plugin_manager, type, record); 138 | 139 | /* reset the type to NULL to indicate we don't care */ 140 | type = CORSARO_IN_RECORD_TYPE_NULL; 141 | } 142 | 143 | if(len < 0) 144 | { 145 | fprintf(stderr, "corsaro_in_read_record failed to read record\n"); 146 | clean(); 147 | return -1; 148 | } 149 | 150 | clean(); 151 | return 0; 152 | } 153 | -------------------------------------------------------------------------------- /docs/doxygen/static/corsaro.md: -------------------------------------------------------------------------------- 1 | Overview {#index} 2 | ======== 3 | 4 | @note Both Corsaro and this documentation are still under active development and 5 | features will likely change between versions. 6 | @note Please contact corsaro-info@caida.org with any questions and/or suggestions. 7 | 8 | Introduction {#intro} 9 | ============ 10 | 11 | Corsaro is a software suite for performing large-scale analysis of trace 12 | data. It was specifically designed to be used with passive traces captured by 13 | darknets, but the overall structure is generic enough to be used with any type 14 | of passive trace data. 15 | 16 | Because of the scale of passive trace data, Corsaro has been designed from the 17 | ground up to be fast and efficient, both in terms of run-time and output data 18 | size. For more details about the design goals of Corsaro, see the 19 | \ref goals "Goals" section. 20 | 21 | Corsaro allows high-speed analysis of trace data on a per-packet basis and 22 | provides a mechanism for aggregating results based on customizable time 23 | intervals. Trace data is read using the 24 | [libtrace](http://research.wand.net.nz/software/libtrace.php) trace processing 25 | library, and a high-level IO abstraction layer allows results to be 26 | transparently written to compressed files, using threaded IO. The actual trace 27 | analysis logic is clearly separated into a set of plugins, several of which are 28 | shipped with Corsaro. For more information about how the pieces of Corsaro fit 29 | together, see the \ref arch "Architecture" section. 30 | 31 | In addition to the \ref plugins "Core Plugins" which are shipped with Corsaro, 32 | the plugin framework makes the creation of new plugins as simple as 33 | possible. The low overhead involved in creating a new plugin, coupled with the 34 | efficiency and reliability of Corsaro means that it can be used both to perform 35 | ad-hoc exploratory investigations as well as in a production context to carry 36 | out large-scale near-realtime analysis. To learn how to create a plugin, or 37 | perform analysis on existing Corsaro results, see the \ref tutorials "Tutorials" 38 | section. 39 | 40 | Corsaro can be used both as a library and as a stand-alone application for 41 | processing any format of trace data that \a libtrace supports. The Corsaro 42 | distribution also includes several other supporting tools for basic analysis of 43 | Corsaro output data. For information on using the Corsaro application and the 44 | other tools included, see the \ref tools "Tools" section. 45 | 46 | Download {#download} 47 | ======== 48 | 49 | The latest version of Corsaro is 50 | [$(CORSARO_VERSION)](http://www.caida.org/tools/measurement/corsaro/downloads/corsaro-2.0.0.tar.gz), 51 | released on June 11 2014. 52 | 53 | We also maintain a detailed \ref changelog. 54 | 55 | Quick Start {#qstart} 56 | =========== 57 | 58 | If you want to just dive right in and get started using Corsaro, take a look at 59 | the \ref quickstart "Quick Start" guide. 60 | 61 | Dependencies {#dependencies} 62 | ============ 63 | 64 | Corsaro is written in C and should compile with any ANSI compliant C Compiler 65 | which supports the C99 standard. Please email corsaro-info@caida.org with any 66 | issues. 67 | 68 | Corsaro requires [libtrace](http://research.wand.net.nz/software/libtrace.php) 69 | version 3.0.14 or higher. (3.0.8 or higher can be used if the libwandio patch 70 | included in the corsaro distribution is applied). 71 | 72 | Usage {#usage} 73 | ===== 74 | 75 | Corsaro has many different usage scenarios which are outlined in this manual, 76 | but if you are looking to just run the analysis engine with the bundled plugins, 77 | see the \ref tool_corsaro "Corsaro" section of the \ref tools "Tools" page. 78 | 79 | 80 | Documentation {#docs} 81 | ============= 82 | 83 | The online 84 | [Corsaro Documentation](http://www.caida.org/tools/measurement/corsaro/docs/) is 85 | the best source of information about using Corsaro. It contains full API 86 | documentation, usage instructions for the Corsaro tools. It also has tutorials 87 | about writing Corsaro plugins and using the libcorsaro library to perform 88 | analysis on Corsaro-generated data. 89 | -------------------------------------------------------------------------------- /libtrace-3.0.13-wandio_export.patch: -------------------------------------------------------------------------------- 1 | --- libtrace-3.0.13/lib/wandio.h 2011-09-15 15:14:11.000000000 -0700 2 | +++ libtrace-3.0.13.wandio_export/lib/wandio.h 2012-03-04 11:00:33.000000000 -0800 3 | @@ -49,6 +49,20 @@ 4 | * @version $Id: wandio.h 1727 2011-09-15 22:14:11Z salcock $ 5 | */ 6 | 7 | +/* Alistair added these to allow wandio functions to be exported */ 8 | +#if __GNUC__ >= 4 9 | +#ifdef LT_BUILDING_DLL 10 | +#define DLLEXPORT __attribute__ ((visibility("default"))) 11 | +#define DLLLOCAL __attribute__ ((visibility("hidden"))) 12 | +#else 13 | +#define DLLEXPORT 14 | +#define DLLLOCAL 15 | +#endif 16 | +#else 17 | +#define DLLEXPORT 18 | +#define DLLLOCAL 19 | +#endif 20 | + 21 | typedef struct io_t io_t; /**< Opaque IO handle structure for reading */ 22 | typedef struct iow_t iow_t; /**< Opaque IO handle structure for writing */ 23 | 24 | @@ -208,14 +222,14 @@ iow_t *stdio_wopen(const char *filename, 25 | * given file (if any), provided that libtrace was built with the appropriate 26 | * libraries. 27 | */ 28 | -io_t *wandio_create(const char *filename); 29 | +DLLEXPORT io_t *wandio_create(const char *filename); 30 | 31 | /** Returns the current offset of the read pointer for a libtrace IO reader. 32 | * 33 | * @param io The IO reader to get the read offset for 34 | * @return The offset of the read pointer, or -1 if an error occurs 35 | */ 36 | -off_t wandio_tell(io_t *io); 37 | +DLLEXPORT off_t wandio_tell(io_t *io); 38 | 39 | /** Changes the read pointer offset to the specified value for a libtrace IO 40 | * reader. 41 | @@ -229,7 +243,7 @@ off_t wandio_tell(io_t *io); 42 | * The arguments for this function are the same as those for lseek(2). See the 43 | * lseek(2) manpage for more details. 44 | */ 45 | -off_t wandio_seek(io_t *io, off_t offset, int whence); 46 | +DLLEXPORT off_t wandio_seek(io_t *io, off_t offset, int whence); 47 | 48 | /** Reads from a libtrace IO reader into the provided buffer. 49 | * 50 | @@ -238,7 +252,7 @@ off_t wandio_seek(io_t *io, off_t offset 51 | * @param len The size of the buffer 52 | * @return The amount of bytes read, 0 if EOF is reached, -1 if an error occurs 53 | */ 54 | -off_t wandio_read(io_t *io, void *buffer, off_t len); 55 | +DLLEXPORT off_t wandio_read(io_t *io, void *buffer, off_t len); 56 | 57 | /** Reads from a libtrace IO reader into the provided buffer, but does not 58 | * update the read pointer. 59 | @@ -248,14 +262,14 @@ off_t wandio_read(io_t *io, void *buffer 60 | * @param len The size of the buffer 61 | * @return The amount of bytes read, 0 if EOF is reached, -1 if an error occurs 62 | */ 63 | -off_t wandio_peek(io_t *io, void *buffer, off_t len); 64 | +DLLEXPORT off_t wandio_peek(io_t *io, void *buffer, off_t len); 65 | 66 | /** Destroys a libtrace IO reader, closing the file and freeing the reader 67 | * structure. 68 | * 69 | * @param io The IO reader to destroy 70 | */ 71 | -void wandio_destroy(io_t *io); 72 | +DLLEXPORT void wandio_destroy(io_t *io); 73 | 74 | /** Creates a new libtrace IO writer and opens the provided file for writing. 75 | * 76 | @@ -266,7 +280,7 @@ void wandio_destroy(io_t *io); 77 | * O_CREATE 78 | * @return A pointer to the new libtrace IO writer, or NULL if an error occurs 79 | */ 80 | -iow_t *wandio_wcreate(const char *filename, int compression_type, int compression_level, int flags); 81 | +DLLEXPORT iow_t *wandio_wcreate(const char *filename, int compression_type, int compression_level, int flags); 82 | 83 | /** Writes the contents of a buffer using a libtrace IO writer. 84 | * 85 | @@ -275,14 +289,14 @@ iow_t *wandio_wcreate(const char *filena 86 | * @param len The amount of writable data in the buffer 87 | * @return The amount of data written, or -1 if an error occurs 88 | */ 89 | -off_t wandio_wwrite(iow_t *iow, const void *buffer, off_t len); 90 | +DLLEXPORT off_t wandio_wwrite(iow_t *iow, const void *buffer, off_t len); 91 | 92 | /** Destroys a libtrace IO writer, closing the file and freeing the writer 93 | * structure. 94 | * 95 | * @param iow The IO writer to destroy 96 | */ 97 | -void wandio_wdestroy(iow_t *iow); 98 | +DLLEXPORT void wandio_wdestroy(iow_t *iow); 99 | 100 | /** @} */ 101 | 102 | -------------------------------------------------------------------------------- /docs/doxygen/static/aaaquickstart.md: -------------------------------------------------------------------------------- 1 | Quick Start {#quickstart} 2 | ============ 3 | 4 | [TOC] 5 | 6 | If you want to just dive right in and run corsaro on an interface or existing 7 | pcap files, this is the place to start. 8 | 9 | Getting Corsaro {#quick_get} 10 | =============== 11 | 12 | The latest version of Corsaro is 13 | [$(CORSARO_VERSION)](http://www.caida.org/corsaro/downloads/corsaro-2.0.0.tar.gz). 14 | 15 | You will also need to have 16 | [libtrace](http://research.wand.net.nz/software/libtrace.php) installed before 17 | building Corsaro (see below for instructions). 18 | 19 | Installation {#quick_inst} 20 | ============ 21 | 22 | The following commands will build and install both libtrace and Corsaro into a 23 | custom directory, assuming that the user **does not** have root privileges. 24 | 25 | In these examples, we will install everything into `$HOME/corsaro`, meaning that 26 | all Corsaro and libtrace tools will be installed to `$HOME/corsaro/bin`. 27 | 28 | ### libtrace ### 29 | 30 | ~~~ 31 | tar zxf libtrace-X.X.X.tar.bz2 32 | cd libtrace-X.X.X 33 | ./configure --prefix=$HOME/corsaro 34 | make 35 | make install 36 | ~~~ 37 | 38 | ### Corsaro ### 39 | 40 | ~~~ 41 | tar zxf corsaro-2.0.0.tar.gz 42 | cd corsaro-2.0.0 43 | ./configure CPPFLAGS="-I$HOME/corsaro/include" LDFLAGS="-L$HOME/corsaro/lib" 44 | make 45 | make install 46 | ~~~ 47 | 48 | This will build Corsaro with the \ref plugins_ft plugin only. 49 | 50 | For a more detailed description of the configuration options (and to enable more 51 | plugins), see the \ref installation section. If you require the \ref 52 | plugins_smee plugin, you will need to install the included _libsmee_ 53 | library. See the \ref plugins_smee page for more information. 54 | 55 | Running Corsaro {#quick_run} 56 | =============== 57 | 58 | To run the \ref tool_corsaro tool on an existing pcap file to generate \ref 59 | plugins_ft output data, use the following command: 60 | 61 | ~~~ 62 | corsaro -o /path/to/output/file.%P.cors.gz /path/to/pcap/file.pcap.gz 63 | ~~~ 64 | 65 | Replace `/path/to/output/file` with an actual path to the desired output 66 | directory. 67 | Note that the `%%P` is required and will be replaced with a string representing 68 | each component that generates an output file (e.g. `log`, `flowtuple`, etc). 69 | 70 | Replace `/path/to/pcap/file` with an actual path to a pcap (or any format 71 | supported by _libtrace_) file. 72 | 73 | By default Corsaro will write output data in a compact binary 74 | format where possible. The \ref tool_cors2ascii tool can be used to convert the 75 | binary output files to a human-readable ASCII format. 76 | 77 | Running this command will process the given trace file and create four output 78 | files, using the output file template given. Each file will have the `%%P` 79 | replaced with the name of the component that created it. 80 | That is, `global`, `log`, and `flowtuple`. 81 | 82 | Corsaro also supports processing packets directly from a live interface. To use 83 | this functionality, replace the pcap file path with: 84 | 85 | ~~~ 86 | pcapint: 87 | ~~~ 88 | 89 | The \ref tool_corsaro section of this manual contains a more detailed 90 | description of the Corsaro command-line tool. 91 | 92 | Viewing the Output {#quick_view} 93 | ================== 94 | 95 | Once Corsaro has processed the trace file, the resulting data can then be viewed 96 | using the included \ref tool_cors2ascii tool. Note, the log file is always 97 | written in uncompressed ASCII format, so can be directly viewed using `less` 98 | etc. 99 | 100 | To view the \ref plugins_ft output, use the following command: 101 | 102 | ~~~ 103 | cors2ascii /path/to/output/file.flowtuple.cors.gz | less 104 | ~~~ 105 | 106 | This will convert the binary data to a (somewhat) readable ASCII representation. 107 | 108 | See the \ref tool_cors2ascii section for a more detailed description of the 109 | tool, and the \ref formats page for a description of the ASCII output. 110 | 111 | Further Reading {#quick_further} 112 | =============== 113 | 114 | This guide provides a very brief description of using Corsaro to analyze trace 115 | data, which should enable you to get started using it quickly. 116 | 117 | For more information, take a look through the rest of this manual, starting with 118 | the \ref installation section for practical help getting started, or the \ref 119 | arch section for a description of how the system is designed, and how to extend 120 | it. 121 | 122 | -------------------------------------------------------------------------------- /libcorsaro/corsaro_log.h: -------------------------------------------------------------------------------- 1 | /* 2 | * corsaro 3 | * 4 | * Alistair King, CAIDA, UC San Diego 5 | * corsaro-info@caida.org 6 | * 7 | * Copyright (C) 2012 The Regents of the University of California. 8 | * 9 | * This file is part of corsaro. 10 | * 11 | * corsaro is free software: you can redistribute it and/or modify 12 | * it under the terms of the GNU General Public License as published by 13 | * the Free Software Foundation, either version 3 of the License, or 14 | * (at your option) any later version. 15 | * 16 | * corsaro is distributed in the hope that it will be useful, 17 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 18 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 19 | * GNU General Public License for more details. 20 | * 21 | * You should have received a copy of the GNU General Public License 22 | * along with corsaro. If not, see . 23 | * 24 | */ 25 | 26 | #ifndef __CORSARO_LOG_H 27 | #define __CORSARO_LOG_H 28 | 29 | #include 30 | 31 | #include "corsaro_int.h" 32 | #include "corsaro_file.h" 33 | 34 | /** @file 35 | * 36 | * @brief Header file dealing with the corsaro logging sub-system 37 | * 38 | * @author Alistair King 39 | * 40 | */ 41 | 42 | /** Write a formatted string to the logfile associated with an corsaro object 43 | * 44 | * @param func The name of the calling function (__func__) 45 | * @param corsaro The corsaro output object to log for 46 | * @param format The printf style formatting string 47 | * @param args Variable list of arguments to the format string 48 | * 49 | * This function takes the same style of arguments that printf(3) does. 50 | */ 51 | void corsaro_log_va(const char *func, corsaro_t *corsaro, 52 | const char *format, va_list args); 53 | 54 | /** Write a formatted string to the logfile associated with an corsaro object 55 | * 56 | * @param func The name of the calling function (__func__) 57 | * @param corsaro The corsaro output object to log for 58 | * @param format The printf style formatting string 59 | * @param ... Variable list of arguments to the format string 60 | * 61 | * This function takes the same style of arguments that printf(3) does. 62 | */ 63 | void corsaro_log(const char *func, corsaro_t *corsaro, const char *format, ...); 64 | 65 | /** Write a formatted string to the logfile associated with an corsaro input object 66 | * 67 | * @param func The name of the calling function (__func__) 68 | * @param corsaro The corsaro input object to log for 69 | * @param format The printf style formatting string 70 | * @param ... Variable list of arguments to the format string 71 | * 72 | * This function takes the same style of arguments that printf(3) does. 73 | */ 74 | void corsaro_log_in(const char *func, corsaro_in_t *corsaro, const char *format, ...); 75 | 76 | /** Write a formatted string to a generic log file 77 | * 78 | * @param func The name of the calling function (__func__) 79 | * @param logfile The file to log to (STDERR if NULL is passed) 80 | * @param format The printf style formatting string 81 | * @param ... Variable list of arguments to the format string 82 | * 83 | * This function takes the same style of arguments that printf(3) does. 84 | */ 85 | void corsaro_log_file(const char *func, corsaro_file_t *logfile, 86 | const char *format, ...); 87 | 88 | /** Initialize the logging sub-system for an corsaro output object 89 | * 90 | * @param corsaro The corsaro object to associate the logger with 91 | * @return 0 if successful, -1 if an error occurs 92 | */ 93 | int corsaro_log_init(corsaro_t *corsaro); 94 | 95 | /** Initialize the logging sub-system for an corsaro input object 96 | * 97 | * @param corsaro The corsaro object to associate the logger with 98 | * @return 0 if successful, -1 if an error occurs 99 | */ 100 | int corsaro_log_in_init(corsaro_in_t *corsaro); 101 | 102 | /** Close the log file for an corsaro output object 103 | * 104 | * @param corsaro The corsaro output object to close logging for 105 | */ 106 | void corsaro_log_close(corsaro_t *corsaro); 107 | 108 | /** Close the log file for an corsaro input object 109 | * 110 | * @param corsaro The corsaro output object to close logging for 111 | */ 112 | void corsaro_log_in_close(corsaro_in_t *corsaro); 113 | 114 | #endif /* __CORSARO_LOG_H */ 115 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # READ THIS! 2 | This repository has been deprecated and made read-only. Ongoing Corsaro development is happening at the [CAIDA/corsaro3](https://github.com/CAIDA/corsaro3) repository. 3 | 4 | Existing users should upgrade to Corsaro3. For help with this, please contact corsaro-info@caida.org. There will no longer be any updates to this code, and support will be limited to assisting users process/convert existing Corsaro V2 data. 5 | 6 | Contact corsaro-info@caida.org with any questions. 7 | 8 | Introduction 9 | ============ 10 | 11 | Corsaro is a software suite for performing large-scale analysis of trace 12 | data. It was specifically designed to be used with passive traces captured by 13 | darknets, but the overall structure is generic enough to be used with any type 14 | of passive trace data. 15 | 16 | Because of the scale of passive trace data, Corsaro has been designed from the 17 | ground up to be fast and efficient, both in terms of run-time and output data 18 | size. For more details about the design goals of Corsaro, see the 19 | [Goals](http://www.caida.org/tools/measurement/corsaro/docs/goals.html) section. 20 | 21 | Corsaro allows high-speed analysis of trace data on a per-packet basis and 22 | provides a mechanism for aggregating results based on customizable time 23 | intervals. Trace data is read using the 24 | [libtrace](http://research.wand.net.nz/software/libtrace.php) trace processing 25 | library, and a high-level IO abstraction layer allows results to be 26 | transparently written to compressed files, using threaded IO. The actual trace 27 | analysis logic is clearly separated into a set of plugins, several of which are 28 | shipped with Corsaro. For more information about how the pieces of Corsaro fit 29 | together, see the [Architecture](http://www.caida.org/tools/measurement/corsaro/docs/arch.html) section. 30 | 31 | In addition to the [Core Plugins](http://www.caida.org/tools/measurement/corsaro/docs/plugins.html) which are shipped with Corsaro, 32 | the plugin framework makes the creation of new plugins as simple as 33 | possible. The low overhead involved in creating a new plugin, coupled with the 34 | efficiency and reliability of Corsaro means that it can be used both to perform 35 | ad-hoc exploratory investigations as well as in a production context to carry 36 | out large-scale near-realtime analysis. To learn how to create a plugin, or 37 | perform analysis on existing Corsaro results, see the [Tutorials](http://www.caida.org/tools/measurement/corsaro/docs/tutorials.html) 38 | section. 39 | 40 | Corsaro can be used both as a library and as a stand-alone application for 41 | processing any format of trace data that _libtrace_ supports. The Corsaro 42 | distribution also includes several other supporting tools for basic analysis of 43 | Corsaro output data. For information on using the Corsaro application and the 44 | other tools included, see the [Tools](http://www.caida.org/tools/measurement/corsaro/docs/tools.html) section. 45 | 46 | Download 47 | ======== 48 | 49 | The latest version of Corsaro is 50 | [2.0.0](http://www.caida.org/tools/measurement/corsaro/downloads/corsaro-2.0.0.tar.gz), 51 | released on November 21 2013. 52 | 53 | We also maintain a detailed [Change Log](http://www.caida.org/tools/measurement/corsaro/docs/changelog.html). 54 | 55 | Quick Start 56 | =========== 57 | 58 | If you want to just dive right in and get started using Corsaro, take a look at 59 | the [Quick Start](http://www.caida.org/tools/measurement/corsaro/docs/quickstart.html) guide. 60 | 61 | Dependencies 62 | ============ 63 | 64 | Corsaro is written in C and should compile with any ANSI compliant C Compiler 65 | which supports the C99 standard. Please email corsaro-info@caida.org with any 66 | issues. 67 | 68 | Corsaro requires [libtrace](http://research.wand.net.nz/software/libtrace.php) 69 | version 3.0.14 or higher. (3.0.8 or higher can be used if the libwandio patch 70 | included in the corsaro distribution is applied). 71 | 72 | Usage 73 | ===== 74 | 75 | Corsaro has many different usage scenarios which are outlined in this manual, 76 | but if you are looking to just run the analysis engine with the bundled plugins, 77 | see the [Corsaro](http://www.caida.org/tools/measurement/corsaro/docs/tools.html#tool_corsaro) section of the [Tools](http://www.caida.org/tools/measurement/corsaro/docs/tools.html) page. 78 | 79 | 80 | Documentation 81 | ============= 82 | 83 | The online 84 | [Corsaro Documentation](http://www.caida.org/tools/measurement/corsaro/docs/) is 85 | the best source of information about using Corsaro. It contains full API 86 | documentation, usage instructions for the Corsaro tools. It also has tutorials 87 | about writing Corsaro plugins and using the libcorsaro library to perform 88 | analysis on Corsaro-generated data. 89 | -------------------------------------------------------------------------------- /docs/doxygen/static/header_caida.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | $projectname: $title 7 | $title 8 | 9 | 10 | 11 | $treeview 12 | $search 13 | $mathjax 14 | 15 | 16 | 17 | 18 | 19 | 24 | 25 | 27 | 28 | 29 | 30 |
31 | 32 |
33 | Skip to Content 34 |
35 |
36 | [CAIDA - Center for Applied Internet Data Analysis logo]
37 | 40 |
41 |
The Center for Applied Internet Data Analysis
42 |
43 |
44 | 52 | 53 | 61 |
62 | 63 |
64 |
65 |
66 | 92 |
93 |
94 | 96 |
97 |
98 |
99 | 100 | 101 | -------------------------------------------------------------------------------- /libcorsaro/corsaro_log.c: -------------------------------------------------------------------------------- 1 | /* 2 | * corsaro 3 | * 4 | * Alistair King, CAIDA, UC San Diego 5 | * corsaro-info@caida.org 6 | * 7 | * corsaro_log and timestamp_str functions adapted from scamper: 8 | * http://www.wand.net.nz/scamper 9 | * 10 | * Copyright (C) 2012 The Regents of the University of California. 11 | * 12 | * This file is part of corsaro. 13 | * 14 | * corsaro is free software: you can redistribute it and/or modify 15 | * it under the terms of the GNU General Public License as published by 16 | * the Free Software Foundation, either version 3 of the License, or 17 | * (at your option) any later version. 18 | * 19 | * corsaro is distributed in the hope that it will be useful, 20 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 21 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 22 | * GNU General Public License for more details. 23 | * 24 | * You should have received a copy of the GNU General Public License 25 | * along with corsaro. If not, see . 26 | * 27 | */ 28 | 29 | #include "config.h" 30 | #include "corsaro_int.h" 31 | 32 | #include 33 | #include 34 | #include 35 | #include 36 | #include 37 | #include 38 | 39 | #ifdef HAVE_SYS_TIME_H 40 | #include 41 | #endif 42 | #ifdef HAVE_TIME_H 43 | #include 44 | #endif 45 | 46 | #include "corsaro_file.h" 47 | #include "corsaro_io.h" 48 | #include "utils.h" 49 | 50 | #include "corsaro_log.h" 51 | 52 | static char *timestamp_str(char *buf, const size_t len) 53 | { 54 | struct timeval tv; 55 | struct tm *tm; 56 | int ms; 57 | time_t t; 58 | 59 | buf[0] = '\0'; 60 | gettimeofday_wrap(&tv); 61 | t = tv.tv_sec; 62 | if((tm = localtime(&t)) == NULL) return buf; 63 | 64 | ms = tv.tv_usec / 1000; 65 | snprintf(buf, len, "[%02d:%02d:%02d:%03d] ", 66 | tm->tm_hour, tm->tm_min, tm->tm_sec, ms); 67 | 68 | return buf; 69 | } 70 | 71 | void generic_log(const char *func, corsaro_file_t *logfile, const char *format, 72 | va_list ap) 73 | { 74 | char message[512]; 75 | char ts[16]; 76 | char fs[64]; 77 | 78 | assert(format != NULL); 79 | 80 | vsnprintf(message, sizeof(message), format, ap); 81 | 82 | timestamp_str(ts, sizeof(ts)); 83 | 84 | if(func != NULL) snprintf(fs, sizeof(fs), "%s: ", func); 85 | else fs[0] = '\0'; 86 | 87 | if(logfile == NULL) 88 | { 89 | fprintf(stderr, "%s%s%s\n", ts, fs, message); 90 | fflush(stderr); 91 | } 92 | else 93 | { 94 | /* we're special. we know that corsaro_file_printf can do without corsaro */ 95 | corsaro_file_printf(NULL, logfile, "%s%s%s\n", ts, fs, message); 96 | corsaro_file_flush(NULL, logfile); 97 | 98 | #ifdef DEBUG 99 | /* we've been asked to dump debugging information */ 100 | fprintf(stderr, "%s%s%s\n", ts, fs, message); 101 | fflush(stderr); 102 | #endif 103 | } 104 | } 105 | 106 | void corsaro_log_va(const char *func, corsaro_t *corsaro, 107 | const char *format, va_list args) 108 | { 109 | corsaro_file_t *lf = (corsaro == NULL) ? NULL : corsaro->logfile; 110 | generic_log(func, lf, format, args); 111 | } 112 | 113 | void corsaro_log(const char *func, corsaro_t *corsaro, const char *format, ...) 114 | { 115 | va_list ap; 116 | va_start(ap, format); 117 | corsaro_log_va(func, corsaro, format, ap); 118 | va_end(ap); 119 | } 120 | 121 | void corsaro_log_in(const char *func, corsaro_in_t *corsaro, 122 | const char *format, ...) 123 | { 124 | #ifdef DEBUG 125 | va_list ap; 126 | va_start(ap, format); 127 | generic_log(func, NULL, format, ap); 128 | va_end(ap); 129 | #endif 130 | } 131 | 132 | void corsaro_log_file(const char *func, corsaro_file_t *logfile, 133 | const char *format, ...) 134 | { 135 | va_list ap; 136 | va_start(ap, format); 137 | generic_log(func, logfile, format, ap); 138 | va_end(ap); 139 | } 140 | 141 | int corsaro_log_init(corsaro_t *corsaro) 142 | { 143 | if((corsaro->logfile = corsaro_io_prepare_file_full(corsaro, 144 | CORSARO_IO_LOG_NAME, 145 | &corsaro->interval_start, 146 | CORSARO_FILE_MODE_ASCII, 147 | CORSARO_FILE_COMPRESS_NONE, 148 | 0, O_CREAT)) == NULL) 149 | { 150 | fprintf(stderr, "could not open log for writing\n"); 151 | return -1; 152 | } 153 | return 0; 154 | } 155 | 156 | int corsaro_log_in_init(corsaro_in_t *corsaro) 157 | { 158 | /* nothing to do, corsaro_log_in only logs to stderr, and iff --enable-debug 159 | is passed to configure */ 160 | return 0; 161 | } 162 | 163 | void corsaro_log_close(corsaro_t *corsaro) 164 | { 165 | if(corsaro->logfile != NULL) 166 | { 167 | corsaro_file_close(NULL, corsaro->logfile); 168 | corsaro->logfile = NULL; 169 | } 170 | } 171 | 172 | void corsaro_log_in_close(corsaro_in_t *corsaro) 173 | { 174 | /* nothing to be done */ 175 | } 176 | 177 | 178 | -------------------------------------------------------------------------------- /libcorsaro/plugins/libanon/corsaro_libanon.c: -------------------------------------------------------------------------------- 1 | /* 2 | * corsaro 3 | * 4 | * Alistair King, CAIDA, UC San Diego 5 | * corsaro-info@caida.org 6 | * 7 | * Copyright (C) 2012 The Regents of the University of California. 8 | * 9 | * This file is part of corsaro. 10 | * 11 | * corsaro is free software: you can redistribute it and/or modify 12 | * it under the terms of the GNU General Public License as published by 13 | * the Free Software Foundation, either version 3 of the License, or 14 | * (at your option) any later version. 15 | * 16 | * corsaro is distributed in the hope that it will be useful, 17 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 18 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 19 | * GNU General Public License for more details. 20 | * 21 | * You should have received a copy of the GNU General Public License 22 | * along with corsaro. If not, see . 23 | * 24 | * This file is a modified version of the 'ipanon.c' file included with 25 | * libtrace (http://research.wand.net.nz/software/libtrace.php) 26 | * 27 | */ 28 | 29 | #include "config.h" 30 | 31 | #include 32 | #include 33 | #include 34 | #include 35 | 36 | #include 37 | 38 | #include "corsaro_libanon.h" 39 | #include "panon.h" 40 | 41 | #ifndef HAVE_STRLCPY 42 | #if !HAVE_DECL_STRLCPY 43 | static size_t strlcpy(char *dest, const char *src, size_t size) 44 | { 45 | size_t ret; 46 | for(ret=0;src[ret] && ret=0 && bits<=32); 79 | netmask = masks[bits]; 80 | } 81 | 82 | static uint32_t prefix_substitute(uint32_t ip) 83 | { 84 | return (prefix & netmask) | (ip & ~netmask); 85 | } 86 | 87 | /* Incrementally update a checksum */ 88 | static void update_in_cksum(uint16_t *csum, uint16_t old, uint16_t new) 89 | { 90 | uint32_t sum = (~htons(*csum) & 0xFFFF) 91 | + (~htons(old) & 0xFFFF) 92 | + htons(new); 93 | sum = (sum & 0xFFFF) + (sum >> 16); 94 | *csum = htons(~(sum + (sum >> 16))); 95 | } 96 | 97 | static void update_in_cksum32(uint16_t *csum, uint32_t old, uint32_t new) 98 | { 99 | update_in_cksum(csum,(uint16_t)(old>>16),(uint16_t)(new>>16)); 100 | update_in_cksum(csum,(uint16_t)(old&0xFFFF),(uint16_t)(new&0xFFFF)); 101 | } 102 | 103 | void corsaro_anon_init(corsaro_anon_enc_type_t type, char *key) 104 | { 105 | char cryptopan_key[32]; 106 | memset(cryptopan_key,0,sizeof(cryptopan_key)); 107 | enc_type = type; 108 | switch (enc_type) { 109 | case CORSARO_ANON_ENC_NONE: 110 | break; 111 | case CORSARO_ANON_ENC_PREFIX_SUBSTITUTION: 112 | init_prefix(key); 113 | break; 114 | case CORSARO_ANON_ENC_CRYPTOPAN: 115 | strlcpy(cryptopan_key,key,sizeof(cryptopan_key)); 116 | panon_init(cryptopan_key); 117 | break; 118 | default: 119 | /* unknown encryption type */ 120 | assert(0 && "Unknown encryption type"); 121 | } 122 | } 123 | 124 | uint32_t corsaro_anon_ip(uint32_t orig_addr) 125 | { 126 | switch (enc_type) { 127 | case CORSARO_ANON_ENC_NONE: 128 | return orig_addr; 129 | case CORSARO_ANON_ENC_PREFIX_SUBSTITUTION: 130 | return prefix_substitute(orig_addr); 131 | case CORSARO_ANON_ENC_CRYPTOPAN: 132 | return cpp_anonymize(orig_addr); 133 | default: 134 | /* unknown encryption type */ 135 | assert(0 && "Unknown encryption type"); 136 | return -1; 137 | } 138 | } 139 | 140 | /* Ok this is remarkably complicated 141 | * 142 | * We want to change one, or the other IP address, while preserving 143 | * the checksum. TCP and UDP both include the faux header in their 144 | * checksum calculations, so you have to update them too. ICMP is 145 | * even worse -- it can include the original IP packet that caused the 146 | * error! So anonymise that too, but remember that it's travelling in 147 | * the opposite direction so we need to encrypt the destination and 148 | * source instead of the source and destination! 149 | */ 150 | void corsaro_anon_ip_header(struct libtrace_ip *ip, 151 | int enc_source, 152 | int enc_dest) 153 | { 154 | struct libtrace_tcp *tcp; 155 | struct libtrace_udp *udp; 156 | struct libtrace_icmp *icmp; 157 | 158 | tcp=trace_get_tcp_from_ip(ip,NULL); 159 | udp=trace_get_udp_from_ip(ip,NULL); 160 | icmp=trace_get_icmp_from_ip(ip,NULL); 161 | 162 | if (enc_source) { 163 | uint32_t old_ip=ip->ip_src.s_addr; 164 | uint32_t new_ip=htonl(corsaro_anon_ip( 165 | htonl(ip->ip_src.s_addr) 166 | )); 167 | update_in_cksum32(&ip->ip_sum,old_ip,new_ip); 168 | if (tcp) update_in_cksum32(&tcp->check,old_ip,new_ip); 169 | if (udp) update_in_cksum32(&udp->check,old_ip,new_ip); 170 | ip->ip_src.s_addr = new_ip; 171 | } 172 | 173 | if (enc_dest) { 174 | uint32_t old_ip=ip->ip_dst.s_addr; 175 | uint32_t new_ip=htonl(corsaro_anon_ip( 176 | htonl(ip->ip_dst.s_addr) 177 | )); 178 | update_in_cksum32(&ip->ip_sum,old_ip,new_ip); 179 | if (tcp) update_in_cksum32(&tcp->check,old_ip,new_ip); 180 | if (udp) update_in_cksum32(&udp->check,old_ip,new_ip); 181 | ip->ip_dst.s_addr = new_ip; 182 | } 183 | 184 | if (icmp) { 185 | /* These are error codes that return the IP packet 186 | * internally 187 | */ 188 | if (icmp->type == 3 189 | || icmp->type == 5 190 | || icmp->type == 11) { 191 | corsaro_anon_ip_header((struct libtrace_ip*)icmp+ 192 | sizeof(struct libtrace_icmp), 193 | enc_dest, 194 | enc_source); 195 | } 196 | } 197 | } 198 | -------------------------------------------------------------------------------- /libcorsaro/plugins/libanon/rijndael.h: -------------------------------------------------------------------------------- 1 | #ifndef _RIJNDAEL_H_ 2 | #define _RIJNDAEL_H_ 3 | 4 | /* $Id: rijndael.h 1342 2008-04-02 03:39:06Z spa1 $ 5 | // 6 | // File : rijndael.h 7 | // Creation date : Sun Nov 5 2000 03:21:05 CEST 8 | // Author : Szymon Stefanek (stefanek@tin.it) 9 | // 10 | // Another implementation of the Rijndael cipher. 11 | // This is intended to be an easily usable library file. 12 | // This code is public domain. 13 | // Based on the Vincent Rijmen and K.U.Leuven implementation 2.4. 14 | */ 15 | 16 | /* 17 | // Original Copyright notice: 18 | // 19 | // rijndael-alg-fst.c v2.4 April '2000 20 | // rijndael-alg-fst.h 21 | // rijndael-api-fst.c 22 | // rijndael-api-fst.h 23 | // 24 | // Optimised ANSI C code 25 | // 26 | // authors: v1.0: Antoon Bosselaers 27 | // v2.0: Vincent Rijmen, K.U.Leuven 28 | // v2.3: Paulo Barreto 29 | // v2.4: Vincent Rijmen, K.U.Leuven 30 | // 31 | // This code is placed in the public domain. 32 | */ 33 | 34 | /* 35 | // This implementation works on 128 , 192 , 256 bit keys 36 | // and on 128 bit blocks 37 | */ 38 | 39 | /* 40 | // Example of usage: 41 | // 42 | // // Input data 43 | // unsigned char key[32]; // The key 44 | // initializeYour256BitKey(); // Obviously initialized with sth 45 | // const unsigned char * plainText = getYourPlainText(); // Your plain text 46 | // int plainTextLen = strlen(plainText); // Plain text length 47 | // 48 | // // Encrypting 49 | // Rijndael rin; 50 | // unsigned char output[plainTextLen + 16]; 51 | // 52 | // rin.init(Rijndael::CBC,Rijndael::Encrypt,key,Rijndael::Key32Bytes); 53 | // // It is a good idea to check the error code 54 | // int len = rin.padEncrypt(plainText,len,output); 55 | // if(len >= 0)useYourEncryptedText(); 56 | // else encryptError(len); 57 | // 58 | // // Decrypting: we can reuse the same object 59 | // unsigned char output2[len]; 60 | // rin.init(Rijndael::CBC,Rijndael::Decrypt,key,Rijndael::Key32Bytes)); 61 | // len = rin.padDecrypt(output,len,output2); 62 | // if(len >= 0)useYourDecryptedText(); 63 | // else decryptError(len); 64 | */ 65 | 66 | #include 67 | 68 | #define _MAX_KEY_COLUMNS (256/32) 69 | #define _MAX_ROUNDS 14 70 | #define MAX_IV_SIZE 16 71 | 72 | #if 0 /** ak - UGH! */ 73 | /* We assume that unsigned int is 32 bits long.... */ 74 | typedef unsigned char UINT8; 75 | typedef unsigned int UINT32; 76 | typedef unsigned short UINT16; 77 | #endif 78 | 79 | #define UINT8 uint8_t 80 | #define UINT16 uint16_t 81 | #define UINT32 uint32_t 82 | 83 | /* Error codes */ 84 | #define RIJNDAEL_SUCCESS 0 85 | #define RIJNDAEL_UNSUPPORTED_MODE -1 86 | #define RIJNDAEL_UNSUPPORTED_DIRECTION -2 87 | #define RIJNDAEL_UNSUPPORTED_KEY_LENGTH -3 88 | #define RIJNDAEL_BAD_KEY -4 89 | #define RIJNDAEL_NOT_INITIALIZED -5 90 | #define RIJNDAEL_BAD_DIRECTION -6 91 | #define RIJNDAEL_CORRUPTED_DATA -7 92 | 93 | /*class Rijndael 94 | //{ 95 | //public: 96 | */ 97 | 98 | typedef enum Direction_e { Encrypt , Decrypt } Direction; 99 | typedef enum Mode_e { ECB , CBC , CFB1 } Mode; 100 | typedef enum KeyLength_e { Key16Bytes , Key24Bytes , Key32Bytes } KeyLength; 101 | typedef enum State_e { Valid , Invalid } State; 102 | 103 | #if 0 104 | typedef enum Mode_e Mode; 105 | typedef enum Direction_e Direction; 106 | typedef enum KeyLength_e KeyLength; 107 | typedef enum State_e State; 108 | #endif 109 | /* 110 | // Creates a Rijndael cipher object 111 | // You have to call init() before you can encrypt or decrypt stuff 112 | // 113 | // Rijndael(); 114 | // ~Rijndael(); 115 | //protected: 116 | // // Internal stuff 117 | 118 | //public: 119 | ////////////////////////////////////////////////////////////////////////////////////////// 120 | // API 121 | ////////////////////////////////////////////////////////////////////////////////////////// 122 | 123 | // init(): Initializes the crypt session 124 | // Returns RIJNDAEL_SUCCESS or an error code 125 | // mode : Rijndael::ECB, Rijndael::CBC or Rijndael::CFB1 126 | // You have to use the same mode for encrypting and decrypting 127 | // dir : Rijndael::Encrypt or Rijndael::Decrypt 128 | // A cipher instance works only in one direction 129 | // (Well , it could be easily modified to work in both 130 | // directions with a single init() call, but it looks 131 | // useless to me...anyway , it is a matter of generating 132 | // two expanded keys) 133 | // key : array of unsigned octets , it can be 16 , 24 or 32 bytes long 134 | // this CAN be binary data (it is not expected to be null terminated) 135 | // keyLen : Rijndael::Key16Bytes , Rijndael::Key24Bytes or Rijndael::Key32Bytes 136 | // initVector: initialization vector, you will usually use 0 here 137 | */ 138 | int rijndael_init(Mode mode, Direction dir, const UINT8 *key, KeyLength keyLen, UINT8 * initVector); 139 | 140 | /* 141 | // Encrypts the input array (can be binary data) 142 | // The input array length must be a multiple of 16 bytes, the remaining part 143 | // is DISCARDED. 144 | // so it actually encrypts inputLen / 128 blocks of input and puts it in outBuffer 145 | // Input len is in BITS! 146 | // outBuffer must be at least inputLen / 8 bytes long. 147 | // Returns the encrypted buffer length in BITS or an error code < 0 in case of error 148 | */ 149 | int blockEncrypt(const UINT8 *input, int inputLen, UINT8 *outBuffer); 150 | 151 | /* 152 | // Encrypts the input array (can be binary data) 153 | // The input array can be any length , it is automatically padded on a 16 byte boundary. 154 | // Input len is in BYTES! 155 | // outBuffer must be at least (inputLen + 16) bytes long 156 | // Returns the encrypted buffer length in BYTES or an error code < 0 in case of error 157 | */ 158 | int padEncrypt(const UINT8 *input, int inputOctets, UINT8 *outBuffer); 159 | 160 | /* 161 | // Decrypts the input vector 162 | // Input len is in BITS! 163 | // outBuffer must be at least inputLen / 8 bytes long 164 | // Returns the decrypted buffer length in BITS and an error code < 0 in case of error 165 | */ 166 | int blockDecrypt(const UINT8 *input, int inputLen, UINT8 *outBuffer); 167 | 168 | /* 169 | // Decrypts the input vector 170 | // Input len is in BYTES! 171 | // outBuffer must be at least inputLen bytes long 172 | // Returns the decrypted buffer length in BYTES and an error code < 0 in case of error 173 | */ 174 | int padDecrypt(const UINT8 *input, int inputOctets, UINT8 *outBuffer); 175 | /*protected:*/ 176 | /* 177 | void keySched(UINT8 key[_MAX_KEY_COLUMNS][4]); 178 | void keyEncToDec(); 179 | void r_encrypt(const UINT8 a[16], UINT8 b[16]); 180 | void r_decrypt(const UINT8 a[16], UINT8 b[16]); 181 | */ 182 | /*};*/ 183 | 184 | #endif /* _RIJNDAEL_H_ */ 185 | -------------------------------------------------------------------------------- /tools/cors-trace2tuple.c: -------------------------------------------------------------------------------- 1 | /* 2 | * corsaro 3 | * 4 | * Alistair King, CAIDA, UC San Diego 5 | * corsaro-info@caida.org 6 | * 7 | * Copyright (C) 2012 The Regents of the University of California. 8 | * 9 | * This file is part of corsaro. 10 | * 11 | * Code in this file is adapted from tracestats.c from libtrace: 12 | * tracestats.c 1730 2011-09-20 02:23:33Z salcock 13 | * 14 | * corsaro is free software: you can redistribute it and/or modify 15 | * it under the terms of the GNU General Public License as published by 16 | * the Free Software Foundation, either version 3 of the License, or 17 | * (at your option) any later version. 18 | * 19 | * corsaro is distributed in the hope that it will be useful, 20 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 21 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 22 | * GNU General Public License for more details. 23 | * 24 | * You should have received a copy of the GNU General Public License 25 | * along with corsaro. If not, see . 26 | * 27 | */ 28 | 29 | /* 30 | * This program takes a series of traces and bpf filters and dumps a record 31 | * for each packet which is perhaps a cross between the coral t2 format and 32 | * the default tcpdump ascii output. 33 | * That is, it dumps: 34 | * 35 | * 36 | * The original tracestats output has been retained, but diverted to stderr 37 | * so at the end of dumping each packet, stats about the file are dumped 38 | * to stderr. 39 | */ 40 | 41 | #include 42 | #include 43 | #include 44 | #include 45 | #include 46 | #include 47 | #include 48 | 49 | #include 50 | #include 51 | #include 52 | #include 53 | #include 54 | #include 55 | #include 56 | #include 57 | #include 58 | #include 59 | 60 | #include "libtrace.h" 61 | 62 | struct libtrace_t *trace; 63 | 64 | static volatile int done=0; 65 | 66 | static void cleanup_signal(int signal) 67 | { 68 | (void)signal; 69 | done=1; 70 | trace_interrupt(); 71 | } 72 | 73 | struct filter_t { 74 | char *expr; 75 | struct libtrace_filter_t *filter; 76 | uint64_t count; 77 | uint64_t bytes; 78 | } *filters = NULL; 79 | int filter_count=0; 80 | uint64_t totcount; 81 | uint64_t totbytes; 82 | 83 | /* Process a trace, counting packets that match filter(s) */ 84 | static void run_trace(char *uri) 85 | { 86 | struct libtrace_packet_t *packet = trace_create_packet(); 87 | int i; 88 | uint64_t count = 0; 89 | uint64_t bytes = 0; 90 | uint64_t packets; 91 | 92 | fprintf(stderr,"%s:\n",uri); 93 | 94 | trace = trace_create(uri); 95 | 96 | if (trace_is_err(trace)) { 97 | trace_perror(trace,"Failed to create trace"); 98 | return; 99 | } 100 | 101 | if (trace_start(trace)==-1) { 102 | trace_perror(trace,"Failed to start trace"); 103 | return; 104 | } 105 | 106 | 107 | for (;;) { 108 | int psize; 109 | int wlen; 110 | int match = 0; 111 | if ((psize = trace_read_packet(trace, packet)) <1) { 112 | break; 113 | } 114 | 115 | if (done) 116 | break; 117 | wlen = trace_get_wire_length(packet); 118 | 119 | for(i=0;i 0) { 123 | ++filters[i].count; 124 | filters[i].bytes+=wlen; 125 | match = 1; 126 | } 127 | if (trace_is_err(trace)) { 128 | trace_perror(trace, "trace_apply_filter"); 129 | fprintf(stderr, "Removing filter from filterlist\n"); 130 | filters[i].filter = NULL; 131 | } 132 | } 133 | 134 | if(match == 1 || filter_count == 0) 135 | { 136 | libtrace_ip_t *ip_hdr = trace_get_ip(packet); 137 | if(ip_hdr != NULL) 138 | { 139 | char src_ip[INET_ADDRSTRLEN]; 140 | char dst_ip[INET_ADDRSTRLEN]; 141 | 142 | inet_ntop(AF_INET, &ip_hdr->ip_src, &src_ip[0], INET_ADDRSTRLEN); 143 | inet_ntop(AF_INET, &ip_hdr->ip_dst, &dst_ip[0], INET_ADDRSTRLEN); 144 | 145 | printf("%f\t%s\t%s\t%"PRIu16"\t%"PRIu16"\t" 146 | "%"PRIu8"\t%"PRIu16"\t%"PRIu16"\n", 147 | trace_get_seconds(packet), src_ip, dst_ip, 148 | trace_get_source_port(packet), 149 | trace_get_destination_port(packet), 150 | ip_hdr->ip_p, 151 | ntohs(ip_hdr->ip_id), 152 | ntohs(ip_hdr->ip_len) 153 | ); 154 | } 155 | } 156 | 157 | ++count; 158 | bytes+=wlen; 159 | } 160 | 161 | fprintf(stderr, "%-30s\t%12s\t%12s\t%7s\n","filter","count","bytes","%"); 162 | for(i=0;i argc - 1) 240 | { 241 | usage(argv[0]); 242 | exit(-1); 243 | } 244 | 245 | sigact.sa_handler = cleanup_signal; 246 | sigemptyset(&sigact.sa_mask); 247 | sigact.sa_flags = SA_RESTART; 248 | 249 | sigaction(SIGINT, &sigact, NULL); 250 | sigaction(SIGTERM, &sigact, NULL); 251 | 252 | for(i=optind;i` would be replaced with a trace uri string in the actual 44 | output 45 | - Bit lengths for binary fields are given using array notation 46 | - e.g. `` indicates an 8 bit value describing the major 47 | version number. 48 | 49 | Global Output File {#formats_global} 50 | ================== 51 | 52 | The Corsaro global output file follows the following structure: 53 | 54 | ASCII 55 | ----- 56 | 57 | ~~~ 58 | # CORSARO_VERSION 59 | # CORSARO_INITTIME 60 | # CORSARO_INTERVAL 61 | # CORSARO_TRACEURI **optional** 62 | # CORSARO_PLUGIN 63 | # CORSARO_PLUGIN 64 | ... 65 | # CORSARO_INTERVAL_START 66 | # CORSARO_PLUGIN_DATA_START 67 | 68 | # CORSARO_PLUGIN_DATA_END 69 | # CORSARO_PLUGIN_DATA_START 70 | 71 | # CORSARO_PLUGIN_DATA_END 72 | ... 73 | # CORSARO_INTERVAL_END 74 | ... 75 | # CORSARO_PACKETCNT 76 | # CORSARO_FIRSTPKT 77 | # CORSARO_LASTPKT 78 | # CORSARO_FINALTIME 79 | # CORSARO_RUNTIME 80 | ~~~ 81 | 82 | Binary 83 | ------ 84 | 85 | ### Header Format ### 86 | ~~~ 87 | 88 | 89 | 90 | 91 | 92 | 93 | ~~~ 94 | 95 | ### Interval Format ### 96 | 97 | \verbatim 98 | | 99 | | 100 | | | 101 | | | -- plugin data (variable length) 102 | | | 103 | | -- repeats, one per plugin listed in header 104 | | 105 | | 106 | -- repeats, one per interval in trace 107 | \endverbatim 108 | 109 | ### Trailer Format ### 110 | ~~~ 111 | 112 | 113 | 114 | 115 | 116 | 117 | EOF 118 | ~~~ 119 | 120 | Magic Numbers: 121 | Field | ASCII | Hex 122 | ------|-------|----- 123 | Magic Number | `EDGR` | `0x45444752` 124 | Header Magic | `HEAD` | `0x48454148` 125 | Interval Magic | `INTR` | `0x494E5452` 126 | Data Magic | `DATA` | `0x44415441` 127 | Trailer Magic | `FOOT` | `0x464F4F54` 128 | 129 | The plugin list in the Binary output format is an array of `uint16_t` numbers 130 | which correspond to the plugin IDs given by the \ref corsaro_plugin_id enum. 131 | 132 | Note, the pluin ids 0x4544, 0x4845 and 0x464F are reserved for corsaro use 133 | 134 | FlowTuple {#formats_ft} 135 | ========= 136 | 137 | Global Output 138 | ------------- 139 | 140 | ### ASCII ### 141 | NONE 142 | 143 | ### Binary ### 144 | NONE 145 | 146 | Plugin Output 147 | ------------- 148 | ### ASCII ### 149 | Note, all values are in decimal except the ip addresses, and the TCP flags. 150 | IP addresses are given in dotted decimal, and TCP flags are in hex. 151 | ~~~ 152 | START 153 | ||||| \ 154 | ||, 155 | END 156 | ~~~ 157 | 158 | ### Binary ### 159 | ~~~ 160 | 161 | \ 162 | \ 163 | # 160 bit record length 164 | 165 | ~~~ 166 | 167 | Two bit lengths are given for the `dst_ip` field. If Corsaro is built using the 168 | `--with-slash-eight=X` option only the three least significant bytes (24 bits) 169 | of destination IP addresses are serialized (the assumption being that the most 170 | significant byte can easily be re-created upon deserialization). The 32 bit 171 | length is for the normal behavior where all 4 bytes of the address is stored. 172 | 173 | Magic Number is `SIXT` (`0x53495854`) when using /8 optimaizations, `SIXU` 174 | (`0x53495855`) without. 175 | 176 | For a list of class IDs, see \ref corsaro_flowtuple_class_type. 177 | 178 | RS DoS {#formats_dos} 179 | ====== 180 | 181 | Global Output 182 | ------------- 183 | 184 | ### ASCII ### 185 | ~~~ 186 | mismatch: 187 | attack_vectors: 188 | non-attack_vectors: 189 | ~~~ 190 | ### Binary ### 191 | ~~~ 192 | 193 | ~~~ 194 | 195 | Plugin Output 196 | ------------- 197 | 198 | ### ASCII ### 199 | Note, all values are in decimal form except the target IP address, which is 200 | given in dotted decimal format. 201 | ~~~ 202 | 203 | ,<#attacker_ips>,<#interval_attacker_ips><#attacker_ports>, 204 | <#target_ports>,,, 205 | ,,, 206 | ., 207 | . 208 | START PACKET 209 | 210 | END PACKET 211 | ~~~ 212 | 213 | If Corsaro is built with a version of _libtrace_ that does not include 214 | _libpacketdump_ then the initial packet will not be output when using the \ref 215 | tool_cors2ascii tool. 216 | 217 | ### Binary ### 218 | ~~~ 219 | 220 | <#attacker_ips[32]><#interval_attacker_ips[32]> 221 | <#attacker_ports[32]><#target_ports[32]> 222 | 223 | 224 | 225 | 226 | 227 | 228 | ~~~ 229 | 230 | There is a known bug in the binary output of the RS DoS plugin which causes it 231 | not to write a magic number to the output file. This has the unfortunate effect 232 | of requiring RS DoS files to be correctly named so that plugin detection does 233 | not need to inspect the file contents as described in the \ref arch_corsaro_in 234 | section. 235 | -------------------------------------------------------------------------------- /libcorsaro/plugins/corsaro_dos.h: -------------------------------------------------------------------------------- 1 | /* 2 | * corsaro 3 | * 4 | * Alistair King, CAIDA, UC San Diego 5 | * corsaro-info@caida.org 6 | * 7 | * Copyright (C) 2012 The Regents of the University of California. 8 | * 9 | * This file is part of corsaro. 10 | * 11 | * corsaro is free software: you can redistribute it and/or modify 12 | * it under the terms of the GNU General Public License as published by 13 | * the Free Software Foundation, either version 3 of the License, or 14 | * (at your option) any later version. 15 | * 16 | * corsaro is distributed in the hope that it will be useful, 17 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 18 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 19 | * GNU General Public License for more details. 20 | * 21 | * You should have received a copy of the GNU General Public License 22 | * along with corsaro. If not, see . 23 | * 24 | */ 25 | 26 | #ifndef __CORSARO_DOS_H 27 | #define __CORSARO_DOS_H 28 | 29 | #include "corsaro_plugin.h" 30 | 31 | CORSARO_PLUGIN_GENERATE_PROTOS(corsaro_dos) 32 | 33 | /** 34 | * @name DoS Structures 35 | * 36 | * These data structures are used when reading DoS files. 37 | */ 38 | 39 | /** Structure to hold the dos record in the global output file 40 | * 41 | * All values are in HOST byte order 42 | */ 43 | typedef struct corsaro_dos_global_header 44 | { 45 | /** The number of packets which had mismatched IP addresses in the header 46 | * 47 | * This is specific to ICMP packets which have a quoted source IP address 48 | * which does not match the destination address. 49 | */ 50 | uint32_t mismatched_pkt_cnt; 51 | 52 | /** The number of attack vectors in this interval */ 53 | uint32_t attack_vector_cnt; 54 | 55 | /** The number of potential attack vectors which were not classified as being 56 | * part of an attack 57 | */ 58 | uint32_t non_attack_vector_cnt; 59 | } PACKED corsaro_dos_global_header_t; 60 | 61 | /** Structure to hold the dos header details for an interval 62 | * 63 | * All values are in HOST byte order 64 | */ 65 | typedef struct corsaro_dos_header 66 | { 67 | /** The number of attack vectors in this interval */ 68 | uint32_t attack_vector_cnt; 69 | } PACKED corsaro_dos_header_t; 70 | 71 | /** Structure to hold a dos attack vector 72 | * 73 | * This structure is only used when READING the dos record from a file 74 | * The output vector structure (internal to the plugin) contains much 75 | * more state 76 | * 77 | * All values are in HOST byte order. 78 | */ 79 | typedef struct corsaro_dos_attack_vector_in 80 | { 81 | /** The IP address of the alleged target of the attack */ 82 | uint32_t target_ip; 83 | 84 | /** Number of IP addresses the alleged attack has originated from */ 85 | uint32_t attacker_ip_cnt; 86 | 87 | /** Number of IP addresses the alleged attack has originated from in the 88 | current interval */ 89 | uint32_t interval_attacker_ip_cnt; 90 | 91 | /** Number of ports that alleged attack packets have originated from */ 92 | uint32_t attack_port_cnt; 93 | 94 | /** Number of ports that alleged attack packets were directed to */ 95 | uint32_t target_port_cnt; 96 | 97 | /** The number of packets that comprise this vector */ 98 | uint64_t packet_cnt; 99 | 100 | /** The number of packets added to this vector in the current interval */ 101 | uint32_t interval_packet_cnt; 102 | 103 | /** The number of bytes that comprise this vector */ 104 | uint64_t byte_cnt; 105 | 106 | /** The number of bytes added to this vector in the current interval */ 107 | uint32_t interval_byte_cnt; 108 | 109 | /** The maximum packet rate observed thus far */ 110 | uint64_t max_ppm; 111 | 112 | /** The time of the initial packet (seconds) */ 113 | uint32_t start_time_sec; 114 | 115 | /** The time of the initial packet (usec) */ 116 | uint32_t start_time_usec; 117 | 118 | /** The time of the last packet (seconds) */ 119 | uint32_t latest_time_sec; 120 | 121 | /** The time of the last packet (usec) */ 122 | uint32_t latest_time_usec; 123 | 124 | /** The length of the initial packet (bytes) */ 125 | uint32_t initial_packet_len; 126 | 127 | /** A copy of the packet that caused the vector to be created 128 | * 129 | * Can be reconstituted into a libtrace packet buffer using 130 | * corsaro_dos_attack_vector_get_packet 131 | * 132 | * We don't store an actual libtrace packet in here because the 133 | * libtrace_packet_t structure is very inefficient (64k per packet). 134 | */ 135 | uint8_t *initial_packet; 136 | } PACKED corsaro_dos_attack_vector_in_t; 137 | 138 | /** @} */ 139 | 140 | /** 141 | * @name DoS Convenience Functions 142 | * 143 | * These functions can be used to do some higher-level manipulation with 144 | * dos records that have been read from a file. They are 'class' 145 | * functions that can be used without needing an instance of the actual 146 | * plugin. Note that writing to a file always requires an corsaro output 147 | * object however. 148 | */ 149 | 150 | void corsaro_dos_attack_vector_get_packet( 151 | corsaro_dos_attack_vector_in_t *attack_vector, 152 | libtrace_packet_t *packet); 153 | 154 | /** Write a global dos header record to the given corsaro file in ascii 155 | * 156 | * @param corsaro The corsaro object associated with the file 157 | * @param file The corsaro file to write to 158 | * @param header The global header record to write out 159 | * @return the number of bytes written, -1 if an error occurs 160 | */ 161 | off_t corsaro_dos_global_header_fprint(corsaro_t *corsaro, 162 | corsaro_file_t *file, 163 | corsaro_dos_global_header_t *header); 164 | 165 | /** Write a global dos header record to stdout in ascii format 166 | * 167 | * @param header The global header record to write out 168 | */ 169 | void corsaro_dos_global_header_print(corsaro_dos_global_header_t *header); 170 | 171 | /** Write a dos attack vector to the given corsaro file in ascii 172 | * 173 | * @param corsaro The corsaro object associated with the file 174 | * @param file The corsaro file to write to 175 | * @param av The attack vector to write out 176 | * @return the number of bytes written, -1 if an error occurs 177 | */ 178 | off_t corsaro_dos_attack_vector_fprint(corsaro_t *corsaro, 179 | corsaro_file_t *file, 180 | corsaro_dos_attack_vector_in_t *av); 181 | 182 | /** Write a dos attack vector to stdout in ascii format 183 | * 184 | * @param av The attack vector to write out 185 | */ 186 | void corsaro_dos_attack_vector_print(corsaro_dos_attack_vector_in_t *av); 187 | 188 | /** Write a dos header record to the given corsaro file in ascii 189 | * 190 | * @param corsaro The corsaro object associated with the file 191 | * @param file The corsaro file to write to 192 | * @param header The header record to write out 193 | * @return the number of bytes written, -1 if an error occurs 194 | */ 195 | off_t corsaro_dos_header_fprint(corsaro_t *corsaro, 196 | corsaro_file_t *file, 197 | corsaro_dos_header_t *header); 198 | 199 | /** Write a dos header record to stdout in ascii format 200 | * 201 | * @param header The header record to write out 202 | */ 203 | void corsaro_dos_header_print(corsaro_dos_header_t *header); 204 | 205 | /** Write a generic dos record to the given corsaro file in 206 | * ascii 207 | * 208 | * @param corsaro The corsaro object associated with the file 209 | * @param file The corsaro file to write to 210 | * @param record_type The type of the record 211 | * @param record The record to write out 212 | * @return the number of bytes written, -1 if an error occurs 213 | */ 214 | off_t corsaro_dos_record_fprint(corsaro_t *corsaro, 215 | corsaro_file_t *file, 216 | corsaro_in_record_type_t record_type, 217 | corsaro_in_record_t *record); 218 | 219 | /** Write a generic dos record to stdout in ascii format 220 | * 221 | * @param record_type The type of the record 222 | * @param record The record to write out 223 | * @return 0 if successful, -1 if an error occurs 224 | */ 225 | int corsaro_dos_record_print(corsaro_in_record_type_t record_type, 226 | corsaro_in_record_t *record); 227 | 228 | /** @} */ 229 | 230 | #endif /* __CORSARO_DOS_H */ 231 | -------------------------------------------------------------------------------- /libcorsaro/plugins/corsaro_pcap.c: -------------------------------------------------------------------------------- 1 | /* 2 | * corsaro 3 | * 4 | * Alistair King, CAIDA, UC San Diego 5 | * corsaro-info@caida.org 6 | * 7 | * Copyright (C) 2012 The Regents of the University of California. 8 | * 9 | * This file is part of corsaro. 10 | * 11 | * corsaro is free software: you can redistribute it and/or modify 12 | * it under the terms of the GNU General Public License as published by 13 | * the Free Software Foundation, either version 3 of the License, or 14 | * (at your option) any later version. 15 | * 16 | * corsaro is distributed in the hope that it will be useful, 17 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 18 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 19 | * GNU General Public License for more details. 20 | * 21 | * You should have received a copy of the GNU General Public License 22 | * along with corsaro. If not, see . 23 | * 24 | */ 25 | 26 | #include "config.h" 27 | #include "corsaro_int.h" 28 | 29 | #include 30 | #include 31 | #include 32 | #include 33 | #include 34 | 35 | #include "libtrace.h" 36 | 37 | #include "utils.h" 38 | 39 | #include "corsaro_io.h" 40 | #include "corsaro_file.h" 41 | #include "corsaro_log.h" 42 | #include "corsaro_plugin.h" 43 | 44 | #include "corsaro_pcap.h" 45 | 46 | /** @file 47 | * 48 | * @brief Corsaro raw pcap pass-through plugin 49 | * 50 | * @author Alistair King 51 | * 52 | */ 53 | 54 | /** The magic number for this plugin - "PCAP" */ 55 | #define CORSARO_PCAP_MAGIC 0x50434150 56 | 57 | /** The name of this plugin */ 58 | #define PLUGIN_NAME "pcap" 59 | 60 | /** The number of output file pointers to support non-blocking close at the end 61 | of an interval. If the wandio buffers are large enough that it takes more 62 | than 1 interval to drain the buffers, consider increasing this number */ 63 | #define OUTFILE_POINTERS 2 64 | 65 | /** Common plugin information across all instances */ 66 | static corsaro_plugin_t corsaro_pcap_plugin = { 67 | PLUGIN_NAME, /* name */ 68 | CORSARO_PLUGIN_ID_PCAP, /* id */ 69 | CORSARO_PCAP_MAGIC, /* magic */ 70 | CORSARO_PLUGIN_GENERATE_PTRS(corsaro_pcap), /* func ptrs */ 71 | CORSARO_PLUGIN_GENERATE_TAIL, 72 | }; 73 | 74 | /** Holds the state for an instance of this plugin */ 75 | struct corsaro_pcap_state_t { 76 | /** The outfile for the plugin */ 77 | corsaro_file_t *outfile; 78 | /** A set of pointers to outfiles to support non-blocking close */ 79 | corsaro_file_t *outfile_p[OUTFILE_POINTERS]; 80 | /** The current outfile */ 81 | int outfile_n; 82 | }; 83 | 84 | /** Extends the generic plugin state convenience macro in corsaro_plugin.h */ 85 | #define STATE(corsaro) \ 86 | (CORSARO_PLUGIN_STATE(corsaro, pcap, CORSARO_PLUGIN_ID_PCAP)) 87 | /** Extends the generic plugin plugin convenience macro in corsaro_plugin.h */ 88 | #define PLUGIN(corsaro) \ 89 | (CORSARO_PLUGIN_PLUGIN(corsaro, CORSARO_PLUGIN_ID_PCAP)) 90 | 91 | /* == PUBLIC PLUGIN FUNCS BELOW HERE == */ 92 | 93 | /** Implements the alloc function of the plugin API */ 94 | corsaro_plugin_t *corsaro_pcap_alloc(corsaro_t *corsaro) 95 | { 96 | return &corsaro_pcap_plugin; 97 | } 98 | 99 | /** Implements the probe_filename function of the plugin API */ 100 | int corsaro_pcap_probe_filename(const char *fname) 101 | { 102 | /* cannot read raw pcap files using corsaro_in */ 103 | return 0; 104 | } 105 | 106 | /** Implements the probe_magic function of the plugin API */ 107 | int corsaro_pcap_probe_magic(corsaro_in_t *corsaro, corsaro_file_in_t *file) 108 | { 109 | /* cannot read raw pcap files using corsaro_in */ 110 | return 0; 111 | } 112 | 113 | /** Implements the init_output function of the plugin API */ 114 | int corsaro_pcap_init_output(corsaro_t *corsaro) 115 | { 116 | struct corsaro_pcap_state_t *state; 117 | corsaro_plugin_t *plugin = PLUGIN(corsaro); 118 | assert(plugin != NULL); 119 | 120 | if((state = malloc_zero(sizeof(struct corsaro_pcap_state_t))) == NULL) 121 | { 122 | corsaro_log(__func__, corsaro, 123 | "could not malloc corsaro_pcap_state_t"); 124 | goto err; 125 | } 126 | corsaro_plugin_register_state(corsaro->plugin_manager, plugin, state); 127 | 128 | /* defer opening the output file until we start the first interval */ 129 | 130 | return 0; 131 | 132 | err: 133 | corsaro_pcap_close_output(corsaro); 134 | return -1; 135 | } 136 | 137 | /** Implements the init_output function of the plugin API */ 138 | int corsaro_pcap_init_input(corsaro_in_t *corsaro) 139 | { 140 | return -1; 141 | } 142 | 143 | /** Implements the close_input function of the plugin API */ 144 | int corsaro_pcap_close_input(corsaro_in_t *corsaro) 145 | { 146 | return -1; 147 | } 148 | 149 | /** Implements the close_output function of the plugin API */ 150 | int corsaro_pcap_close_output(corsaro_t *corsaro) 151 | { 152 | int i; 153 | struct corsaro_pcap_state_t *state = STATE(corsaro); 154 | 155 | if(state != NULL) 156 | { 157 | /* close all the outfile pointers */ 158 | for(i = 0; i < OUTFILE_POINTERS; i++) 159 | { 160 | if(state->outfile_p[i] != NULL) 161 | { 162 | corsaro_file_close(corsaro, state->outfile_p[i]); 163 | state->outfile_p[i] = NULL; 164 | } 165 | } 166 | state->outfile = NULL; 167 | 168 | corsaro_plugin_free_state(corsaro->plugin_manager, PLUGIN(corsaro)); 169 | } 170 | 171 | return 0; 172 | } 173 | 174 | /** Implements the read_record function of the plugin API */ 175 | off_t corsaro_pcap_read_record(struct corsaro_in *corsaro, 176 | corsaro_in_record_type_t *record_type, 177 | corsaro_in_record_t *record) 178 | { 179 | /* This plugin can't read it's data back. just use libtrace */ 180 | corsaro_log_in(__func__, corsaro, "pcap files are simply trace files." 181 | " use libtrace instead of corsaro"); 182 | return -1; 183 | } 184 | 185 | /** Implements the read_global_data_record function of the plugin API */ 186 | off_t corsaro_pcap_read_global_data_record(struct corsaro_in *corsaro, 187 | enum corsaro_in_record_type *record_type, 188 | struct corsaro_in_record *record) 189 | { 190 | /* we write nothing to the global file. someone messed up */ 191 | return -1; 192 | } 193 | 194 | /** Implements the start_interval function of the plugin API */ 195 | int corsaro_pcap_start_interval(corsaro_t *corsaro, corsaro_interval_t *int_start) 196 | { 197 | if(STATE(corsaro)->outfile == NULL) 198 | { 199 | /* open the output file */ 200 | if(( 201 | STATE(corsaro)->outfile_p[STATE(corsaro)->outfile_n] = 202 | corsaro_io_prepare_file_full(corsaro, 203 | PLUGIN(corsaro)->name, 204 | int_start, 205 | CORSARO_FILE_MODE_TRACE, 206 | corsaro->compress, 207 | corsaro->compress_level, 208 | 0)) == NULL) 209 | { 210 | corsaro_log(__func__, corsaro, "could not open %s output file", 211 | PLUGIN(corsaro)->name); 212 | return -1; 213 | } 214 | STATE(corsaro)->outfile = STATE(corsaro)-> 215 | outfile_p[STATE(corsaro)->outfile_n]; 216 | } 217 | return 0; 218 | } 219 | 220 | /** Implements the end_interval function of the plugin API */ 221 | int corsaro_pcap_end_interval(corsaro_t *corsaro, corsaro_interval_t *int_end) 222 | { 223 | struct corsaro_pcap_state_t *state = STATE(corsaro); 224 | 225 | /* if we are rotating, now is when we should do it */ 226 | if(corsaro_is_rotate_interval(corsaro)) 227 | { 228 | /* leave the current file to finish draining buffers */ 229 | assert(state->outfile != NULL); 230 | 231 | /* move on to the next output pointer */ 232 | state->outfile_n = (state->outfile_n+1) % 233 | OUTFILE_POINTERS; 234 | 235 | if(state->outfile_p[state->outfile_n] != NULL) 236 | { 237 | /* we're gonna have to wait for this to close */ 238 | corsaro_file_close(corsaro, 239 | state->outfile_p[state->outfile_n]); 240 | state->outfile_p[state->outfile_n] = NULL; 241 | } 242 | 243 | state->outfile = NULL; 244 | } 245 | return 0; 246 | } 247 | 248 | /** Implements the process_packet function of the plugin API */ 249 | int corsaro_pcap_process_packet(corsaro_t *corsaro, 250 | corsaro_packet_t *packet) 251 | { 252 | if(corsaro_file_write_packet(corsaro, STATE(corsaro)->outfile, 253 | LT_PKT(packet)) <= 0) 254 | { 255 | corsaro_log(__func__, corsaro, "could not write packet"); 256 | return -1; 257 | } 258 | return 0; 259 | } 260 | 261 | 262 | 263 | -------------------------------------------------------------------------------- /libcorsaro/plugins/libanon/panon.c: -------------------------------------------------------------------------------- 1 | /* 2 | * corsaro 3 | * 4 | * Alistair King, CAIDA, UC San Diego 5 | * corsaro-info@caida.org 6 | * 7 | * Copyright (C) 2012 The Regents of the University of California. 8 | * 9 | * This file is part of corsaro. 10 | * 11 | * corsaro is free software: you can redistribute it and/or modify 12 | * it under the terms of the GNU General Public License as published by 13 | * the Free Software Foundation, either version 3 of the License, or 14 | * (at your option) any later version. 15 | * 16 | * corsaro is distributed in the hope that it will be useful, 17 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 18 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 19 | * GNU General Public License for more details. 20 | * 21 | * You should have received a copy of the GNU General Public License 22 | * along with corsaro. If not, see . 23 | * 24 | * This file is a modified version of the 'panon.c' file included with 25 | * libtrace (http://research.wand.net.nz/software/libtrace.php) 26 | * 27 | */ 28 | 29 | // $Id: panon.c 1744 2012-01-10 01:15:58Z salcock $ 30 | 31 | #include 32 | #include 33 | #include 34 | #include 35 | #include "panon.h" 36 | 37 | static uint8_t m_key[16]; 38 | static uint8_t m_pad[16]; 39 | 40 | #define CACHEBITS 20 41 | #define CACHESIZE (1 << CACHEBITS) 42 | 43 | //static uint32_t enc_cache[CACHESIZE]; 44 | 45 | static uint32_t *enc_cache = 0; 46 | static uint32_t fullcache[2][2]; 47 | 48 | /** 49 | @todo remove the static variables, and free malloc'd memory 50 | */ 51 | void panon_init_cache(void) { 52 | if (enc_cache == 0) { 53 | enc_cache = (uint32_t *)malloc(CACHESIZE * sizeof(uint32_t)); 54 | } 55 | memset(enc_cache,0,(CACHESIZE * sizeof(uint32_t))); 56 | fullcache[0][0] = 0; 57 | fullcache[0][1] = 0; 58 | fullcache[1][0] = 0; 59 | fullcache[1][1] = 0; 60 | } 61 | 62 | static void cache_update(uint32_t scan) { 63 | uint8_t rin_output[16]; 64 | uint8_t rin_input[16]; 65 | uint32_t orig_addr = 0; 66 | uint32_t result = 0; 67 | uint32_t first4bytes_pad, first4bytes_input; 68 | int pos; 69 | 70 | memcpy(rin_input, m_pad, 16); 71 | first4bytes_pad = (((uint32_t) m_pad[0]) << 24) + 72 | (((uint32_t) m_pad[1]) << 16 ) + 73 | (((uint32_t) m_pad[2]) << 8) + 74 | (uint32_t) m_pad[3]; 75 | 76 | 77 | memcpy(rin_input, m_pad, 16); 78 | orig_addr = (scan << (32 - CACHEBITS)); 79 | result = 0; 80 | for (pos = 0; pos < CACHEBITS; pos++) { 81 | 82 | if (pos == 0) { 83 | first4bytes_input = first4bytes_pad; 84 | } else { 85 | first4bytes_input = 86 | ((orig_addr >> (32 - pos)) << (32 - pos)) | 87 | ((first4bytes_pad << pos) >> pos); 88 | } 89 | rin_input[0] = (uint8_t) (first4bytes_input >> 24); 90 | rin_input[1] = (uint8_t) ((first4bytes_input << 8) >> 24); 91 | rin_input[2] = (uint8_t) ((first4bytes_input << 16) >> 24); 92 | rin_input[3] = (uint8_t) ((first4bytes_input << 24) >> 24); 93 | 94 | blockEncrypt(rin_input, 128, rin_output); 95 | 96 | result |= (rin_output[0] >> 7) << (31 - pos); 97 | } 98 | enc_cache[scan] = (result >> (32 - CACHEBITS)); 99 | 100 | } 101 | 102 | static uint32_t lookup_cache(uint32_t orig_addr) { 103 | uint32_t lookup_addr = (orig_addr >> (32 - CACHEBITS)); 104 | if (enc_cache[lookup_addr] == 0) { 105 | cache_update(lookup_addr); 106 | } 107 | return enc_cache[lookup_addr]; 108 | } 109 | 110 | void panon_init(const char * key) { 111 | // initialise the 128-bit secret key 112 | memcpy(m_key, key, 16); 113 | // initialise the Rijndael cipher 114 | rijndael_init(ECB, Encrypt, (const UINT8*)key, Key16Bytes,0); 115 | blockEncrypt((const UINT8*)key + 16, 128, m_pad); 116 | panon_init_cache(); 117 | } 118 | void panon_init_decrypt(const uint8_t * key) { 119 | memcpy(m_key, key, 16); 120 | rijndael_init(ECB, Decrypt, key, Key16Bytes,0); 121 | blockEncrypt(key + 16, 128, m_pad); 122 | } 123 | 124 | uint32_t pp_anonymize(const uint32_t orig_addr) { 125 | uint8_t rin_output[16]; 126 | uint8_t rin_input[16]; 127 | 128 | uint32_t result = 0; 129 | uint32_t first4bytes_pad, first4bytes_input; 130 | int pos; 131 | 132 | memcpy(rin_input, m_pad, 16); 133 | first4bytes_pad = (((uint32_t) m_pad[0]) << 24) + 134 | (((uint32_t) m_pad[1]) << 16 ) + 135 | (((uint32_t) m_pad[2]) << 8) + 136 | (uint32_t) m_pad[3]; 137 | 138 | // For each prefix with length 0 to 31, generate a bit using the 139 | // rijndael cipher, which is used as a pseudorandom function here. 140 | // The bits generated in every round are combined into a pseudorandom 141 | // one-time-pad. 142 | 143 | for (pos = 0; pos <= 31; pos++) { 144 | // Padding: The most significant pos bits are taken from orig_addr. 145 | // The other 128-pos bits are taken from m_pad. The variables 146 | // first4bytes_pad and first4bytes_input are used to handle the annoying 147 | // byte order problem 148 | 149 | if (pos == 0) { 150 | first4bytes_input = first4bytes_pad; 151 | } else { 152 | first4bytes_input = ((orig_addr >> (32 - pos)) << (32 - pos)) | 153 | ((first4bytes_pad << pos) >> pos); 154 | } 155 | rin_input[0] = (uint8_t) (first4bytes_input >> 24); 156 | rin_input[1] = (uint8_t) ((first4bytes_input << 8) >> 24); 157 | rin_input[2] = (uint8_t) ((first4bytes_input << 16) >> 24); 158 | rin_input[3] = (uint8_t) ((first4bytes_input << 24) >> 24); 159 | 160 | // Encryption: The rijndael cipher is used as a pseudorandom function. 161 | // During each round, only the first bit of rin_output is used. 162 | blockEncrypt(rin_input, 128, rin_output); 163 | 164 | // Combination: the bits are combined into a pseudorandom one-time-pad. 165 | result |= (rin_output[0] >> 7) << (31 - pos); 166 | } 167 | 168 | return result ^ orig_addr; 169 | } 170 | 171 | 172 | uint32_t cpp_anonymize(const uint32_t orig_addr) { 173 | uint8_t rin_output[16]; 174 | uint8_t rin_input[16]; 175 | 176 | //uint32_t firstnbits; 177 | 178 | uint32_t result = 0; 179 | uint32_t first4bytes_pad, first4bytes_input; 180 | int pos; 181 | 182 | 183 | if (fullcache[0][0] == orig_addr) { 184 | return fullcache[0][1]; 185 | } else if (fullcache[1][0] == orig_addr) { 186 | uint32_t tmp = fullcache[1][1]; 187 | // move to "top" of "cache" 188 | fullcache[1][0] = fullcache[0][0]; 189 | fullcache[1][1] = fullcache[0][1]; 190 | fullcache[0][0] = orig_addr; 191 | fullcache[0][1] = tmp; 192 | return tmp; 193 | } 194 | 195 | memcpy(rin_input, m_pad, 16); 196 | first4bytes_pad = (((uint32_t) m_pad[0]) << 24) + 197 | (((uint32_t) m_pad[1]) << 16 ) + 198 | (((uint32_t) m_pad[2]) << 8) + 199 | (uint32_t) m_pad[3]; 200 | 201 | // Look up the first CACHESIZE bits from enc_cache and start the 202 | // result with this, then proceed 203 | 204 | //firstnbits = (uint32_t) orig_addr >> (32 - CACHEBITS); 205 | //result = (enc_cache[firstnbits] << (32 - CACHEBITS)); 206 | 207 | 208 | result = (lookup_cache(orig_addr) << (32 - CACHEBITS)); 209 | // For each prefix with length CACHEBITS to 31, generate a bit using the 210 | // rijndael cipher, which is used as a pseudorandom function here. 211 | // The bits generated in every round are combined into a pseudorandom 212 | // one-time-pad. 213 | 214 | for (pos = CACHEBITS ; pos <= 31; pos++) { 215 | // Padding: The most significant pos bits are taken from orig_addr. 216 | // The other 128-pos bits are taken from m_pad. The variables 217 | // first4bytes_pad and first4bytes_input are used to handle the annoying 218 | // byte order problem 219 | 220 | if (pos == 0) { 221 | first4bytes_input = first4bytes_pad; 222 | } else { 223 | first4bytes_input = ((orig_addr >> (32 - pos)) << (32 - pos)) | 224 | ((first4bytes_pad << pos) >> pos); 225 | } 226 | rin_input[0] = (uint8_t) (first4bytes_input >> 24); 227 | rin_input[1] = (uint8_t) ((first4bytes_input << 8) >> 24); 228 | rin_input[2] = (uint8_t) ((first4bytes_input << 16) >> 24); 229 | rin_input[3] = (uint8_t) ((first4bytes_input << 24) >> 24); 230 | 231 | // Encryption: The rijndael cipher is used as a pseudorandom function. 232 | // During each round, only the first bit of rin_output is used. 233 | blockEncrypt(rin_input, 128, rin_output); 234 | 235 | // Combination: the bits are combined into a pseudorandom one-time-pad. 236 | result |= (rin_output[0] >> 7) << (31 - pos); 237 | } 238 | 239 | fullcache[1][0] = fullcache[0][0]; 240 | fullcache[1][1] = fullcache[0][1]; 241 | fullcache[0][0] = orig_addr; 242 | fullcache[0][1] = result ^ orig_addr; 243 | 244 | return result ^ orig_addr; 245 | } 246 | 247 | uint32_t anonymize(const uint32_t orig_addr) { 248 | uint8_t rin_output[16]; 249 | uint8_t rin_input[16]; 250 | 251 | uint32_t result = 0; 252 | 253 | memcpy(rin_input, m_pad, 16); 254 | 255 | rin_input[0] = (uint8_t) (orig_addr >> 24); 256 | rin_input[1] = (uint8_t) ((orig_addr << 8) >> 24); 257 | rin_input[2] = (uint8_t) ((orig_addr << 16) >> 24); 258 | rin_input[3] = (uint8_t) ((orig_addr << 24) >> 24); 259 | 260 | blockEncrypt(rin_input, 128, rin_output); 261 | 262 | result = 0; 263 | result += (rin_output[0] <<24); 264 | result += (rin_output[1] <<16); 265 | result += (rin_output[2] <<8); 266 | result += (rin_output[3]); 267 | return result; 268 | } 269 | 270 | -------------------------------------------------------------------------------- /libcorsaro/plugins/corsaro_anon.c: -------------------------------------------------------------------------------- 1 | /* 2 | * corsaro 3 | * 4 | * Alistair King, CAIDA, UC San Diego 5 | * corsaro-info@caida.org 6 | * 7 | * Copyright (C) 2012 The Regents of the University of California. 8 | * 9 | * This file is part of corsaro. 10 | * 11 | * corsaro is free software: you can redistribute it and/or modify 12 | * it under the terms of the GNU General Public License as published by 13 | * the Free Software Foundation, either version 3 of the License, or 14 | * (at your option) any later version. 15 | * 16 | * corsaro is distributed in the hope that it will be useful, 17 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 18 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 19 | * GNU General Public License for more details. 20 | * 21 | * You should have received a copy of the GNU General Public License 22 | * along with corsaro. If not, see . 23 | * 24 | */ 25 | 26 | #include "config.h" 27 | #include "corsaro_int.h" 28 | 29 | #include 30 | #include 31 | #include 32 | #include 33 | #include 34 | #include 35 | 36 | #include "libtrace.h" 37 | 38 | #include "utils.h" 39 | 40 | #include "corsaro_libanon.h" 41 | #include "corsaro_log.h" 42 | #include "corsaro_plugin.h" 43 | 44 | #ifdef WITH_PLUGIN_SIXT 45 | #include "corsaro_flowtuple.h" 46 | #endif 47 | 48 | #include "corsaro_anon.h" 49 | 50 | /** @file 51 | * 52 | * @brief Corsaro IP anonymization plugin 53 | * 54 | * @author Alistair King 55 | * 56 | */ 57 | 58 | /** The magic number for this plugin - "ANON" */ 59 | #define CORSARO_ANON_MAGIC 0x414E4F4E 60 | 61 | /** The name of this plugin */ 62 | #define PLUGIN_NAME "anon" 63 | 64 | /** The default anonymization type */ 65 | #define ANON_ENC_TYPE CORSARO_ANON_ENC_CRYPTOPAN 66 | 67 | /** The configuration string for the CORSARO_ANON_ENC_CRYPTOPAN type */ 68 | #define ENC_TYPE_CRYPTOPAN "cryptopan" 69 | 70 | /** The configuration string for the CORSARO_ANON_ENC_PREFIX type */ 71 | #define ENC_TYPE_PREFIX "prefix" 72 | 73 | /** Anonymize the Source IP by default? */ 74 | #define ANON_SOURCE 0 75 | 76 | /** Anonymize the Destination IP by default? */ 77 | #define ANON_DEST 0 78 | 79 | /** Common plugin information across all instances */ 80 | static corsaro_plugin_t corsaro_anon_plugin = { 81 | PLUGIN_NAME, /* name */ 82 | CORSARO_PLUGIN_ID_ANON, /* id */ 83 | CORSARO_ANON_MAGIC, /* magic */ 84 | #ifdef WITH_PLUGIN_SIXT 85 | CORSARO_PLUGIN_GENERATE_PTRS_FT(corsaro_anon), /* func ptrs */ 86 | #else 87 | CORSARO_PLUGIN_GENERATE_PTRS(corsaro_anon), 88 | #endif 89 | CORSARO_PLUGIN_GENERATE_TAIL, 90 | }; 91 | 92 | /** Holds the state for an instance of this plugin */ 93 | struct corsaro_anon_state_t { 94 | /** The encryption type to use */ 95 | corsaro_anon_enc_type_t encryption_type; 96 | /** The CryptoPAn encryption key or prefix to use */ 97 | char *encryption_key; 98 | /** Should source addresses be encrypted? */ 99 | int encrypt_source; 100 | /** Should destination addresses be encrypted? */ 101 | int encrypt_destination; 102 | }; 103 | 104 | /** Extends the generic plugin state convenience macro in corsaro_plugin.h */ 105 | #define STATE(corsaro) \ 106 | (CORSARO_PLUGIN_STATE(corsaro, anon, CORSARO_PLUGIN_ID_ANON)) 107 | 108 | /** Extends the generic plugin plugin convenience macro in corsaro_plugin.h */ 109 | #define PLUGIN(corsaro) \ 110 | (CORSARO_PLUGIN_PLUGIN(corsaro, CORSARO_PLUGIN_ID_ANON)) 111 | 112 | /** Print usage information to stderr */ 113 | static void usage(corsaro_plugin_t *plugin) 114 | { 115 | fprintf(stderr, 116 | "plugin usage: %s [-sd] [-t encryption_type] encryption_key[prefix]\n" 117 | " -d enable destination address encryption\n" 118 | " -s enable source address encryption\n" 119 | " -t encryption type (default: %s)\n" 120 | " must be either '%s', or '%s'\n", 121 | plugin->argv[0], 122 | ENC_TYPE_CRYPTOPAN, 123 | ENC_TYPE_CRYPTOPAN, 124 | ENC_TYPE_PREFIX); 125 | } 126 | 127 | /** Parse the arguments given to the plugin */ 128 | static int parse_args(corsaro_t *corsaro) 129 | { 130 | corsaro_plugin_t *plugin = PLUGIN(corsaro); 131 | struct corsaro_anon_state_t *state = STATE(corsaro); 132 | int opt; 133 | 134 | /* NB: remember to reset optind to 1 before using getopt! */ 135 | optind = 1; 136 | 137 | while((opt = getopt(plugin->argc, plugin->argv, ":dst:?")) >= 0) 138 | { 139 | switch(opt) 140 | { 141 | case 'd': 142 | state->encrypt_destination = 1; 143 | break; 144 | 145 | case 's': 146 | state->encrypt_source = 1; 147 | break; 148 | 149 | case 't': 150 | if(strcasecmp(optarg, ENC_TYPE_CRYPTOPAN) == 0) 151 | { 152 | state->encryption_type = CORSARO_ANON_ENC_CRYPTOPAN; 153 | } 154 | else if(strcasecmp(optarg, ENC_TYPE_PREFIX) == 0) 155 | { 156 | state->encryption_type = CORSARO_ANON_ENC_PREFIX_SUBSTITUTION; 157 | } 158 | else 159 | { 160 | fprintf(stderr, "ERROR: invalid encryption type (%s)\n", 161 | optarg); 162 | usage(plugin); 163 | return -1; 164 | } 165 | break; 166 | 167 | case '?': 168 | case ':': 169 | default: 170 | usage(plugin); 171 | return -1; 172 | } 173 | } 174 | 175 | /* the last (and only required argument) must be the key */ 176 | if(optind != (plugin->argc - 1)) 177 | { 178 | fprintf(stderr, "ERROR: missing encryption key\n"); 179 | usage(plugin); 180 | return -1; 181 | } 182 | 183 | state->encryption_key = plugin->argv[optind]; 184 | 185 | if(state->encrypt_source == 0 && state->encrypt_destination == 0) 186 | { 187 | fprintf(stderr, 188 | "WARNING: anon plugin is encrypting nothing\n"); 189 | } 190 | 191 | return 0; 192 | } 193 | 194 | /* == PUBLIC PLUGIN FUNCS BELOW HERE == */ 195 | 196 | /** Implements the alloc function of the plugin API */ 197 | corsaro_plugin_t *corsaro_anon_alloc(corsaro_t *corsaro) 198 | { 199 | return &corsaro_anon_plugin; 200 | } 201 | 202 | /** Implements the probe_filename function of the plugin API */ 203 | int corsaro_anon_probe_filename(const char *fname) 204 | { 205 | /* this writes no files! */ 206 | return 0; 207 | } 208 | 209 | /** Implements the probe_magic function of the plugin API */ 210 | int corsaro_anon_probe_magic(corsaro_in_t *corsaro, corsaro_file_in_t *file) 211 | { 212 | /* this writes no files! */ 213 | return 0; 214 | } 215 | 216 | /** Implements the init_output function of the plugin API */ 217 | int corsaro_anon_init_output(corsaro_t *corsaro) 218 | { 219 | struct corsaro_anon_state_t *state; 220 | corsaro_plugin_t *plugin = PLUGIN(corsaro); 221 | 222 | assert(plugin != NULL); 223 | 224 | if((state = malloc_zero(sizeof(struct corsaro_anon_state_t))) == NULL) 225 | { 226 | corsaro_log(__func__, corsaro, 227 | "could not malloc corsaro_anon_state_t"); 228 | goto err; 229 | } 230 | corsaro_plugin_register_state(corsaro->plugin_manager, plugin, state); 231 | 232 | /* set the defaults */ 233 | state->encryption_type = CORSARO_ANON_ENC_CRYPTOPAN; 234 | state->encrypt_source = ANON_SOURCE; 235 | state->encrypt_destination = ANON_DEST; 236 | 237 | /* parse the arguments */ 238 | if(parse_args(corsaro) != 0) 239 | { 240 | return -1; 241 | } 242 | 243 | assert(state->encryption_key != NULL); 244 | 245 | corsaro_anon_init(state->encryption_type, state->encryption_key); 246 | return 0; 247 | 248 | err: 249 | corsaro_anon_close_output(corsaro); 250 | return -1; 251 | } 252 | 253 | /** Implements the init_input function of the plugin API */ 254 | int corsaro_anon_init_input(corsaro_in_t *corsaro) 255 | { 256 | assert(0); 257 | return -1; 258 | } 259 | 260 | /** Implements the close_input function of the plugin API */ 261 | int corsaro_anon_close_input(corsaro_in_t *corsaro) 262 | { 263 | assert(0); 264 | return -1; 265 | } 266 | 267 | /** Implements the close_output function of the plugin API */ 268 | int corsaro_anon_close_output(corsaro_t *corsaro) 269 | { 270 | return 0; 271 | } 272 | 273 | /** Implements the read_record function of the plugin API */ 274 | off_t corsaro_anon_read_record(struct corsaro_in *corsaro, 275 | corsaro_in_record_type_t *record_type, 276 | corsaro_in_record_t *record) 277 | { 278 | assert(0); 279 | return -1; 280 | } 281 | 282 | /** Implements the read_global_data_record function of the plugin API */ 283 | off_t corsaro_anon_read_global_data_record(struct corsaro_in *corsaro, 284 | enum corsaro_in_record_type *record_type, 285 | struct corsaro_in_record *record) 286 | { 287 | /* we write nothing to the global file. someone messed up */ 288 | return -1; 289 | } 290 | 291 | /** Implements the start_interval function of the plugin API */ 292 | int corsaro_anon_start_interval(corsaro_t *corsaro, 293 | corsaro_interval_t *int_start) 294 | { 295 | /* we don't care */ 296 | return 0; 297 | } 298 | 299 | /** Implements the end_interval function of the plugin API */ 300 | int corsaro_anon_end_interval(corsaro_t *corsaro, 301 | corsaro_interval_t *int_end) 302 | { 303 | /* we don't care */ 304 | return 0; 305 | } 306 | 307 | /** Implements the process_packet function of the plugin API */ 308 | int corsaro_anon_process_packet(corsaro_t *corsaro, 309 | corsaro_packet_t *packet) 310 | { 311 | struct corsaro_anon_state_t *state = STATE(corsaro); 312 | libtrace_ip_t *iphdr = trace_get_ip(LT_PKT(packet)); 313 | 314 | if(iphdr != NULL && (state->encrypt_source || state->encrypt_destination)) 315 | { 316 | corsaro_anon_ip_header(iphdr, state->encrypt_source, 317 | state->encrypt_destination); 318 | } 319 | 320 | return 0; 321 | } 322 | 323 | #ifdef WITH_PLUGIN_SIXT 324 | /** Implements the process_flowtuple function of the plugin API */ 325 | int corsaro_anon_process_flowtuple(corsaro_t *corsaro, 326 | corsaro_flowtuple_t *flowtuple, 327 | corsaro_packet_state_t *state) 328 | { 329 | uint32_t src_ip = corsaro_flowtuple_get_source_ip(flowtuple); 330 | uint32_t dst_ip = corsaro_flowtuple_get_destination_ip(flowtuple); 331 | 332 | uint32_t src_ip_anon = corsaro_anon_ip(ntohl(src_ip)); 333 | uint32_t dst_ip_anon = corsaro_anon_ip(ntohl(dst_ip)); 334 | 335 | flowtuple->src_ip = htonl(src_ip_anon); 336 | CORSARO_FLOWTUPLE_IP_TO_SIXT(htonl(dst_ip_anon), flowtuple); 337 | 338 | return 0; 339 | } 340 | 341 | /** Implements the process_flowtuple_class_start function of the plugin API */ 342 | int corsaro_anon_process_flowtuple_class_start(corsaro_t *corsaro, 343 | corsaro_flowtuple_class_start_t *class) 344 | { 345 | /* we dont care about these */ 346 | return 0; 347 | } 348 | 349 | /** Implements the process_flowtuple_class_end function of the plugin API */ 350 | int corsaro_anon_process_flowtuple_class_end(corsaro_t *corsaro, 351 | corsaro_flowtuple_class_end_t *class) 352 | { 353 | /* dont care */ 354 | return 0; 355 | } 356 | #endif 357 | -------------------------------------------------------------------------------- /configure.ac: -------------------------------------------------------------------------------- 1 | # 2 | # corsaro 3 | # 4 | # Alistair King, CAIDA, UC San Diego 5 | # corsaro-info@caida.org 6 | # 7 | # Copyright (C) 2012 The Regents of the University of California. 8 | # 9 | # This file is part of corsaro. 10 | # 11 | # corsaro is free software: you can redistribute it and/or modify 12 | # it under the terms of the GNU General Public License as published by 13 | # the Free Software Foundation, either version 3 of the License, or 14 | # (at your option) any later version. 15 | # 16 | # corsaro is distributed in the hope that it will be useful, 17 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 18 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 19 | # GNU General Public License for more details. 20 | # 21 | # You should have received a copy of the GNU General Public License 22 | # along with corsaro. If not, see . 23 | # 24 | 25 | AC_INIT([corsaro], [2.0.0], [corsaro-info@caida.org]) 26 | 27 | # Corsaro versions... 28 | # this may need some re-thinking 29 | # currently increment: 30 | # MAJOR: if the interfaces have been added, removed or changed 31 | # MID: if source code has been changed 32 | # MINOR: if interfaces have been added 33 | # 34 | # there will need to be some thought put into the binary file versioning 35 | # if the format changes 36 | # perhaps use the major version to indicate changes in file format 37 | 38 | CORSARO_MAJOR_VERSION=2 39 | CORSARO_MID_VERSION=0 40 | CORSARO_MINOR_VERSION=0 41 | 42 | AC_DEFINE_UNQUOTED([CORSARO_MAJOR_VERSION],$CORSARO_MAJOR_VERSION, 43 | [corsaro major version]) 44 | AC_DEFINE_UNQUOTED([CORSARO_MID_VERSION],$CORSARO_MID_VERSION, 45 | [corsaro mid version]) 46 | AC_DEFINE_UNQUOTED([CORSARO_MINOR_VERSION],$CORSARO_MINOR_VERSION, 47 | [corsaro minor version]) 48 | 49 | LT_INIT 50 | 51 | AM_INIT_AUTOMAKE 52 | 53 | AC_CONFIG_MACRO_DIR([m4]) 54 | 55 | AC_CONFIG_SRCDIR([libcorsaro/corsaro.c]) 56 | AC_CONFIG_HEADERS([config.h]) 57 | 58 | # Checks for programs. 59 | AC_PROG_LIBTOOL 60 | AC_PROG_CC_C99 61 | 62 | AC_SYS_LARGEFILE 63 | 64 | AH_VERBATIM([_GNU_SOURCE], 65 | [/* Enable GNU extensions on systems that have them. */ 66 | #ifndef _GNU_SOURCE 67 | #define _GNU_SOURCE 68 | #endif]) 69 | 70 | AC_CHECK_PROG([corsaro_doxygen_avail], [doxygen], [yes], [no]) 71 | 72 | AC_MSG_CHECKING([whether to compile the docs]) 73 | AC_ARG_WITH([doxygen], 74 | [AS_HELP_STRING([--without-doxygen], 75 | [do not compile the doxygen generated docs])], 76 | [corsaro_doxygen=no], 77 | [if test "x$corsaro_doxygen_avail" == xyes; then 78 | corsaro_doxygen=yes 79 | else 80 | corsaro_doxygen=no 81 | fi 82 | ]) 83 | AC_MSG_RESULT([$corsaro_doxygen]) 84 | 85 | AM_CONDITIONAL(HAS_DOXYGEN, [test x"$corsaro_doxygen" = xyes]) 86 | 87 | AC_CHECK_FUNCS([gettimeofday memset strdup strstr strsep strlcpy vasprintf]) 88 | 89 | # OSX Mavericks has replaced strlcpy with a macro that is not found by 90 | # AC_CHECK_FUNCS 91 | AC_CHECK_DECLS([strlcpy]) 92 | 93 | # should we dump debug output to stderr and not optmize the build? 94 | 95 | AC_MSG_CHECKING([whether to build with debug information]) 96 | AC_ARG_ENABLE([debug], 97 | [AS_HELP_STRING([--enable-debug], 98 | [enable debug data generation (def=no)])], 99 | [debugit="$enableval"], 100 | [debugit=no]) 101 | AC_MSG_RESULT([$debugit]) 102 | 103 | if test x"$debugit" = x"yes"; then 104 | AC_DEFINE([DEBUG],[],[Debug Mode]) 105 | else 106 | AC_DEFINE([NDEBUG],[],[No-debug Mode]) 107 | fi 108 | 109 | # Configure options for man pages 110 | AC_ARG_WITH(man, 111 | AS_HELP_STRING(--with-man,install man pages by default),[ 112 | if test "$withval" = yes 113 | then 114 | MANPAGES="docs/man/man3/[a-zA-Z]*.3" 115 | else 116 | MANPAGES="" 117 | fi 118 | ]) 119 | 120 | # Checks for typedefs, structures, and compiler characteristics. 121 | #AC_C_INLINE # 2014-04-14 AK removes because it causes problems with clang3.4 122 | AC_TYPE_SIZE_T 123 | AC_TYPE_UINT16_T 124 | AC_TYPE_UINT32_T 125 | AC_TYPE_UINT64_T 126 | AC_TYPE_UINT8_T 127 | 128 | # Checks for library functions. 129 | AC_FUNC_MALLOC 130 | AC_FUNC_REALLOC 131 | 132 | 133 | AX_LIB_SOCKET_NSL 134 | 135 | 136 | # Checks for libraries. 137 | AC_CHECK_LIB([packetdump], [trace_dump_packet], ,[AC_MSG_WARN( 138 | [libpacketdump missing. ascii packet dumps not available])]) 139 | AC_CHECK_LIB([trace], [trace_get_payload_length], ,[AC_MSG_ERROR( 140 | [libtrace >= 3.0.8 required])]) 141 | AC_SEARCH_LIBS([wandio_create], [wandio trace], ,[AC_MSG_ERROR( 142 | [libwandio required (included with libtrace since 3.0.15)] 143 | )]) 144 | 145 | # Checks for header files. 146 | AC_CHECK_HEADERS([arpa/inet.h inttypes.h limits.h math.h stdlib.h string.h \ 147 | time.h sys/time.h]) 148 | 149 | # configure options for this monitor 150 | 151 | # monitor name 152 | AC_MSG_CHECKING([for the monitor name to use]) 153 | AC_ARG_WITH([monitorname], 154 | [AS_HELP_STRING([--with-monitorname=NAME], 155 | [explicitly define the monitor name (defaults to system hostname)])], 156 | [if test "x$withval" == xyes || test "x$withval" == ""; then 157 | with_monitorname=`hostname` 158 | else 159 | with_monitorname=$withval 160 | fi], 161 | [with_monitorname=`hostname`]) 162 | AC_MSG_RESULT([$with_monitorname]) 163 | 164 | AC_DEFINE_UNQUOTED([CORSARO_MONITOR_NAME],[$with_monitorname],[Monitor Name]) 165 | 166 | # are we dealing with a slash eight? 167 | AC_MSG_CHECKING([whether to use /8 optimizations]) 168 | AC_ARG_WITH([slash-eight], 169 | [AS_HELP_STRING([--with-slash-eight=FIRST_OCTET], 170 | [make use of optimizations for a /8 darknet (defaults to no)])], 171 | [if test "x$withval" == xyes || test "x$withval" == ""; then 172 | AC_MSG_ERROR([--with-slash-eight requires an octet value]) 173 | else 174 | with_slash_eight=$withval 175 | fi], 176 | [with_slash_eight=no]) 177 | 178 | AS_IF([test "x$with_slash_eight" != xno], 179 | [ 180 | AC_DEFINE_UNQUOTED([CORSARO_SLASH_EIGHT],[$with_slash_eight], 181 | [Slash Eight Octet]) 182 | ]) 183 | 184 | AC_MSG_RESULT([$with_slash_eight]) 185 | 186 | # are we going to dump some plugin timing information? (useful for debugging 187 | # where corsaro spends its time given a complicated plugin chain) 188 | AC_MSG_CHECKING([whether to monitor plugin runtimes]) 189 | AC_ARG_WITH([plugin-timing], 190 | [AS_HELP_STRING([--with-plugin-timing], 191 | [time how long each plugin takes to process packets (defaults to no)])], 192 | [], 193 | [with_plugin_timing=no]) 194 | 195 | AS_IF([test "x$with_plugin_timing" != xno], 196 | [ 197 | AC_DEFINE_UNQUOTED([WITH_PLUGIN_TIMING],[1], 198 | [Monitor plugin timing]) 199 | ]) 200 | 201 | AC_MSG_RESULT([$with_plugin_timing]) 202 | 203 | # configure options to disable plugins 204 | #AC_DEFINE([ED_PLUGIN_INIT_ALL_ENABLED],[],[Plugin init functions]) 205 | 206 | ################################################################################ 207 | # Plugin Configuration Macros # 208 | # --------------------------- # 209 | # # 210 | # Each ED_WITH_PLUGIN macro defines a plugin which can be compiled into # 211 | # Corsaro. # 212 | # # 213 | # The order in which these plugins are listed is the _default_ order in which # 214 | # they will be run. # 215 | ################################################################################ 216 | 217 | ## meta plugins. these do not write output, they add metadata to the packet 218 | ## seems that the most common use-case will be to run them first 219 | ED_WITH_PLUGIN([corsaro_anon],[anon],[ANON],[no]) 220 | ED_WITH_PLUGIN([corsaro_ipmeta],[ipmeta],[IPMETA],[no]) 221 | 222 | # filter plugins. these do not write output, they indicate which packets 223 | # should [not] be written out 224 | ED_WITH_PLUGIN([corsaro_filtergeo],[filtergeo],[FILTERGEO],[no]) 225 | ED_WITH_PLUGIN([corsaro_filterpfx],[filterpfx],[FILTERPFX],[no]) 226 | ED_WITH_PLUGIN([corsaro_filterbpf],[filterbpf],[FILTERBPF],[no]) 227 | 228 | #pass-through pcap plugin 229 | # the pcap plugin only makes sense in live mode, so disable it by default 230 | ED_WITH_PLUGIN([corsaro_pcap],[pcap],[PCAP],[no]) 231 | 232 | # default plugins 233 | ED_WITH_PLUGIN([corsaro_flowtuple],[flowtuple],[SIXT],[yes]) 234 | 235 | # optional plugins 236 | ED_WITH_PLUGIN([corsaro_dos],[dos],[DOS],[no]) 237 | ED_WITH_PLUGIN([corsaro_smee],[smee],[SMEE],[no]) 238 | ED_WITH_PLUGIN([corsaro_tagstats],[tagstats],[TAGSTATS],[no]) 239 | 240 | # this MUST go after all the ED_WITH_PLUGIN macro calls 241 | AC_DEFINE_UNQUOTED([ED_PLUGIN_INIT_ALL_ENABLED], $ED_PLUGIN_INIT_ALL_ENABLED, 242 | [plugins to call the init macro for in corsaro_plugin.c]) 243 | 244 | #------------------------------------------------------------------------------# 245 | # Extra tests or config needed for plugins should go below here # 246 | #------------------------------------------------------------------------------# 247 | 248 | # the ipmeta plugin requires libipmeta 249 | if test "x$with_plugin_ipmeta" == xyes; then 250 | AC_CHECK_LIB([ipmeta], [ipmeta_init], ,[ 251 | AC_MSG_ERROR([libipmeta is required by the corsaro_ipmeta plugin]) 252 | ]) 253 | fi 254 | 255 | # the filtergeo plugin requires the ipmeta plugin 256 | if test "x$with_plugin_filtergeo" == xyes && 257 | test "x$with_plugin_ipmeta" != xyes; then 258 | AC_MSG_ERROR([corsaro_filtergeo plugin requires corsaro_ipmeta plugin]) 259 | fi 260 | 261 | # the dos plugin needs flowtuple also 262 | if test "x$with_plugin_dos" == xyes && 263 | test "x$with_plugin_flowtuple" != xyes; then 264 | AC_MSG_ERROR([corsaro_dos plugin requires corsaro_flowtuple plugin]) 265 | fi 266 | 267 | # these are only used by libsmee 268 | if test "x$with_plugin_smee" == xyes; then 269 | AC_CHECK_LIB([smee], [iat_init], ,[ 270 | AC_MSG_ERROR([libsmee >= 2.2.2 is required (see http://www.caida.org/tools/measurement/corsaro/docs/plugins.html@%:@plugins_smee)]) 271 | ]) 272 | fi 273 | 274 | # unfortunately we have to generate all of these Makefiles because of make dist 275 | # they will not however be compiled into the binary unless they are used 276 | 277 | ################################################################################ 278 | # END PLUGIN CONFIGURATION # 279 | ################################################################################ 280 | 281 | AC_HEADER_ASSERT 282 | 283 | AC_SUBST([CORSARO_MAJOR_VERSION]) 284 | AC_SUBST([CORSARO_MID_VERSION]) 285 | AC_SUBST([CORSARO_MINOR_VERSION]) 286 | 287 | AC_HEADER_ASSERT 288 | 289 | AC_CONFIG_FILES([Makefile libcorsaro/Makefile libcorsaro/plugins/Makefile 290 | libcorsaro/plugins/libanon/Makefile 291 | tools/Makefile common/Makefile 292 | common/libpatricia/Makefile 293 | common/libcsv/Makefile 294 | docs/Makefile 295 | docs/corsaro.doxygen 296 | docs/corsaro.caida.doxygen]) 297 | AC_OUTPUT 298 | -------------------------------------------------------------------------------- /libcorsaro/corsaro_tag.c: -------------------------------------------------------------------------------- 1 | /* 2 | * corsaro 3 | * 4 | * Alistair King, CAIDA, UC San Diego 5 | * corsaro-info@caida.org 6 | * 7 | * Copyright (C) 2012 The Regents of the University of California. 8 | * 9 | * This file is part of corsaro. 10 | * 11 | * corsaro is free software: you can redistribute it and/or modify 12 | * it under the terms of the GNU General Public License as published by 13 | * the Free Software Foundation, either version 3 of the License, or 14 | * (at your option) any later version. 15 | * 16 | * corsaro is distributed in the hope that it will be useful, 17 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 18 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 19 | * GNU General Public License for more details. 20 | * 21 | * You should have received a copy of the GNU General Public License 22 | * along with corsaro. If not, see . 23 | * 24 | */ 25 | 26 | #include "config.h" 27 | #include "corsaro_int.h" 28 | 29 | #include 30 | #include 31 | #include 32 | 33 | #include "utils.h" 34 | 35 | #include "corsaro_log.h" 36 | 37 | #include "corsaro_tag.h" 38 | 39 | /** ==== PUBLIC API FUNCTIONS BELOW HERE ==== */ 40 | 41 | /* ========== TAG MANAGER ========== */ 42 | 43 | corsaro_tag_manager_t *corsaro_tag_manager_init(corsaro_t *corsaro) 44 | { 45 | corsaro_tag_manager_t *manager; 46 | 47 | if((manager = malloc_zero(sizeof(corsaro_tag_manager_t))) == NULL) 48 | { 49 | corsaro_log(__func__, corsaro, "failed to malloc tag manager"); 50 | return NULL; 51 | } 52 | 53 | /* annnnd, we're done */ 54 | return manager; 55 | } 56 | 57 | void corsaro_tag_manager_free(corsaro_tag_manager_t *manager) 58 | { 59 | int i; 60 | 61 | assert(manager != NULL); 62 | 63 | /* free all the groups that we have allocated */ 64 | if(manager->groups != NULL) 65 | { 66 | for(i=0; igroups_cnt; i++) 67 | { 68 | corsaro_tag_group_free(manager->groups[i]); 69 | manager->groups[i] = NULL; 70 | } 71 | free(manager->groups); 72 | manager->groups = NULL; 73 | manager->groups_cnt = 0; 74 | } 75 | 76 | /* free all the tags that we have allocated */ 77 | if(manager->tags != NULL) 78 | { 79 | for(i=0; itags_cnt; i++) 80 | { 81 | corsaro_tag_free(manager->tags[i]); 82 | manager->tags[i] = NULL; 83 | } 84 | free(manager->tags); 85 | manager->tags = NULL; 86 | manager->tags_cnt = 0; 87 | } 88 | 89 | free(manager); 90 | 91 | return; 92 | } 93 | 94 | 95 | /* ========== TAG STATE ========== */ 96 | 97 | void corsaro_tag_state_reset(corsaro_packet_state_t *state) 98 | { 99 | int i; 100 | /* reset each matched tag */ 101 | for(i=0; itags.tag_matches_cnt; i++) 102 | { 103 | state->tags.tag_matches[i] = 0; 104 | } 105 | /* reset the number of matched tag */ 106 | state->tags.tag_matches_set_cnt = 0; 107 | } 108 | 109 | void corsaro_tag_state_free(corsaro_packet_state_t *state) 110 | { 111 | if(state->tags.tag_matches != NULL) 112 | { 113 | free(state->tags.tag_matches); 114 | state->tags.tag_matches = NULL; 115 | state->tags.tag_matches_cnt = 0; 116 | } 117 | } 118 | 119 | /* ========== TAGS ========== */ 120 | 121 | corsaro_tag_t *corsaro_tag_init(corsaro_t *corsaro, const char *name, 122 | void *user) 123 | { 124 | assert(corsaro != NULL); 125 | 126 | corsaro_tag_t *tag; 127 | corsaro_tag_manager_t *manager = corsaro->tag_manager; 128 | 129 | assert(manager != NULL); 130 | 131 | /* now check that a tag with this name does not already exist */ 132 | if((tag = corsaro_tag_get(corsaro, name)) != NULL) 133 | { 134 | return tag; 135 | } 136 | 137 | if((tag = malloc_zero(sizeof(corsaro_tag_t))) == NULL) 138 | { 139 | corsaro_log(__func__, corsaro, "failed to malloc tag"); 140 | return NULL; 141 | } 142 | 143 | /* get the next available tag id (starting from 0)*/ 144 | tag->id = manager->tags_cnt++; 145 | 146 | /* save the name */ 147 | tag->name = strdup(name); 148 | 149 | /* save us */ 150 | tag->manager = manager; 151 | 152 | /* save them */ 153 | tag->user = user; 154 | 155 | /* resize the array of tags to hold this one */ 156 | if((manager->tags = realloc(manager->tags, sizeof(corsaro_tag_t*) * 157 | manager->tags_cnt)) == NULL) 158 | { 159 | corsaro_log(__func__, corsaro, "failed to malloc tag array"); 160 | corsaro_tag_free(tag); 161 | return NULL; 162 | } 163 | 164 | manager->tags[tag->id] = tag; 165 | 166 | /* resize the array of matched tags to hold this one */ 167 | if((corsaro->packet->state.tags.tag_matches = 168 | realloc(corsaro->packet->state.tags.tag_matches, 169 | sizeof(uint8_t) * manager->tags_cnt)) == NULL) 170 | { 171 | corsaro_log(__func__, corsaro, "failed to malloc tag result array"); 172 | return NULL; 173 | } 174 | corsaro->packet->state.tags.tag_matches[tag->id] = 0; 175 | corsaro->packet->state.tags.tag_matches_cnt = manager->tags_cnt; 176 | 177 | return tag; 178 | } 179 | 180 | corsaro_tag_t *corsaro_tag_get(corsaro_t *corsaro, const char *name) 181 | { 182 | assert(corsaro != NULL); 183 | assert(corsaro->tag_manager != NULL); 184 | corsaro_tag_manager_t *manager = corsaro->tag_manager; 185 | 186 | int i; 187 | 188 | for(i=0; itags_cnt; i++) 189 | { 190 | if(manager->tags[i] != NULL && 191 | manager->tags[i]->name != NULL && 192 | (strcmp(manager->tags[i]->name, name) == 0)) 193 | { 194 | return manager->tags[i]; 195 | } 196 | } 197 | 198 | return NULL; 199 | } 200 | 201 | int corsaro_tag_get_all(corsaro_t *corsaro, corsaro_tag_t ***tags) 202 | { 203 | assert(corsaro != NULL); 204 | assert(corsaro->tag_manager != NULL); 205 | *tags = corsaro->tag_manager->tags; 206 | return corsaro->tag_manager->tags_cnt; 207 | } 208 | 209 | void corsaro_tag_free(corsaro_tag_t *tag) 210 | { 211 | /* we will be nice and let people free tags that they created */ 212 | if(tag == NULL) 213 | { 214 | return; 215 | } 216 | 217 | assert(tag->manager != NULL); 218 | 219 | tag->manager->tags[tag->id] = NULL; 220 | 221 | if(tag->name != NULL) 222 | { 223 | free(tag->name); 224 | tag->name = NULL; 225 | } 226 | 227 | /* we do not own 'manager' */ 228 | 229 | /* we do not own 'user' */ 230 | 231 | free(tag); 232 | } 233 | 234 | int corsaro_tag_is_match(corsaro_packet_state_t *state, 235 | corsaro_tag_t *tag) 236 | { 237 | assert(state != NULL); 238 | assert(tag != NULL); 239 | assert(tag->id <= tag->manager->tags_cnt); 240 | 241 | return state->tags.tag_matches[tag->id]; 242 | } 243 | 244 | int corsaro_tag_is_match_any(corsaro_packet_state_t *state) 245 | { 246 | return state->tags.tag_matches_set_cnt; 247 | } 248 | 249 | void corsaro_tag_set_match(corsaro_packet_state_t *state, 250 | corsaro_tag_t *tag, 251 | int match) 252 | { 253 | assert(state != NULL); 254 | assert(tag != NULL); 255 | assert(tag->id < tag->manager->tags_cnt); 256 | 257 | #if 0 258 | fprintf(stderr, "setting match for %s:%d to %d (used to be %d)\n", 259 | tag->name, tag->id, match, state->tag_matches[tag->id]); 260 | #endif 261 | 262 | if(match != 0) 263 | { 264 | state->tags.tag_matches_set_cnt++; 265 | } 266 | 267 | state->tags.tag_matches[tag->id] = match; 268 | return; 269 | } 270 | 271 | /* ========== TAG GROUPS ========== */ 272 | 273 | corsaro_tag_group_t *corsaro_tag_group_init(corsaro_t *corsaro, 274 | const char *name, 275 | corsaro_tag_group_match_mode_t mode, 276 | void *user) 277 | { 278 | assert(corsaro != NULL); 279 | 280 | corsaro_tag_group_t *group; 281 | corsaro_tag_manager_t *manager = corsaro->tag_manager; 282 | 283 | assert(manager != NULL); 284 | 285 | /* now check that a group with this name does not already exist */ 286 | if((group = corsaro_tag_group_get(corsaro, name)) != NULL) 287 | { 288 | return group; 289 | } 290 | 291 | if((group = malloc_zero(sizeof(corsaro_tag_group_t))) == NULL) 292 | { 293 | corsaro_log(__func__, corsaro, "failed to malloc group"); 294 | return NULL; 295 | } 296 | 297 | /* get the next available group id (starting from 0)*/ 298 | group->id = manager->groups_cnt++; 299 | 300 | /* save the name */ 301 | group->name = strdup(name); 302 | 303 | /* the match mode */ 304 | group->mode = mode; 305 | 306 | /* save us */ 307 | group->manager = manager; 308 | 309 | /* save them */ 310 | group->user = user; 311 | 312 | /* resize the array of tags to hold this one */ 313 | if((manager->groups = realloc(manager->groups, sizeof(corsaro_tag_group_t*) * 314 | manager->groups_cnt)) == NULL) 315 | { 316 | corsaro_log(__func__, corsaro, "failed to malloc group array"); 317 | corsaro_tag_group_free(group); 318 | return NULL; 319 | } 320 | 321 | manager->groups[group->id] = group; 322 | 323 | return group; 324 | } 325 | 326 | void corsaro_tag_group_free(corsaro_tag_group_t *group) 327 | { 328 | int i; 329 | 330 | /* we will be nice and let people free groups that they created */ 331 | if(group == NULL) 332 | { 333 | return; 334 | } 335 | 336 | assert(group->manager != NULL); 337 | 338 | group->manager->groups[group->id] = NULL; 339 | 340 | if(group->name != NULL) 341 | { 342 | free(group->name); 343 | group->name = NULL; 344 | } 345 | 346 | /* we don't free the tags, but remove the ref cnt */ 347 | for(i=0; itags_cnt; i++) 348 | { 349 | if(group->tags[i] != NULL) 350 | { 351 | assert(group->tags[i]->groups_cnt >= 1); 352 | group->tags[i]->groups_cnt--; 353 | } 354 | group->tags[i] = NULL; 355 | } 356 | 357 | /* we do not own 'manager' */ 358 | 359 | /* we do not own 'user' */ 360 | 361 | free(group); 362 | } 363 | 364 | corsaro_tag_group_t *corsaro_tag_group_get(corsaro_t *corsaro, const char *name) 365 | { 366 | assert(corsaro != NULL); 367 | assert(corsaro->tag_manager != NULL); 368 | corsaro_tag_manager_t *manager = corsaro->tag_manager; 369 | 370 | int i; 371 | 372 | for(i=0; igroups_cnt; i++) 373 | { 374 | if(manager->groups[i] != NULL && 375 | manager->groups[i]->name != NULL && 376 | (strcmp(manager->groups[i]->name, name) == 0)) 377 | { 378 | return manager->groups[i]; 379 | } 380 | } 381 | 382 | return NULL; 383 | } 384 | 385 | int corsaro_tag_group_get_all(corsaro_t *corsaro, corsaro_tag_group_t ***groups) 386 | { 387 | assert(corsaro != NULL); 388 | assert(corsaro->tag_manager != NULL); 389 | *groups = corsaro->tag_manager->groups; 390 | return corsaro->tag_manager->groups_cnt; 391 | } 392 | 393 | int corsaro_tag_group_add_tag(corsaro_tag_group_t *group, 394 | corsaro_tag_t *tag) 395 | { 396 | assert(group != NULL); 397 | assert(tag != NULL); 398 | 399 | if((group->tags = realloc(group->tags, sizeof(corsaro_tag_t*) * 400 | (group->tags_cnt+1))) == NULL) 401 | { 402 | return -1; 403 | } 404 | 405 | group->tags[group->tags_cnt++] = tag; 406 | 407 | tag->groups_cnt++; 408 | return 0; 409 | } 410 | 411 | int corsaro_tag_group_get_tags(corsaro_tag_group_t *group, 412 | corsaro_tag_t ***tags) 413 | { 414 | assert(group != NULL); 415 | *tags = group->tags; 416 | return group->tags_cnt; 417 | } 418 | 419 | int corsaro_tag_group_is_match(corsaro_packet_state_t *state, 420 | corsaro_tag_group_t *group) 421 | { 422 | int i; 423 | int matches = 0; 424 | assert(state != NULL); 425 | assert(group != NULL); 426 | assert(group->id <= group->manager->groups_cnt); 427 | 428 | for(i=0; itags_cnt; i++) 429 | { 430 | if(corsaro_tag_is_match(state, group->tags[i]) > 0) 431 | { 432 | matches++; 433 | } 434 | } 435 | 436 | switch(group->mode) 437 | { 438 | case CORSARO_TAG_GROUP_MATCH_MODE_ANY: 439 | return matches; 440 | break; 441 | 442 | case CORSARO_TAG_GROUP_MATCH_MODE_ALL: 443 | return matches == group->tags_cnt; 444 | break; 445 | 446 | default: 447 | return -1; 448 | break; 449 | } 450 | 451 | return -1; 452 | } 453 | -------------------------------------------------------------------------------- /libcorsaro/corsaro_file.h: -------------------------------------------------------------------------------- 1 | /* 2 | * corsaro 3 | * 4 | * Alistair King, CAIDA, UC San Diego 5 | * corsaro-info@caida.org 6 | * 7 | * Copyright (C) 2012 The Regents of the University of California. 8 | * 9 | * This file is part of corsaro. 10 | * 11 | * corsaro is free software: you can redistribute it and/or modify 12 | * it under the terms of the GNU General Public License as published by 13 | * the Free Software Foundation, either version 3 of the License, or 14 | * (at your option) any later version. 15 | * 16 | * corsaro is distributed in the hope that it will be useful, 17 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 18 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 19 | * GNU General Public License for more details. 20 | * 21 | * You should have received a copy of the GNU General Public License 22 | * along with corsaro. If not, see . 23 | * 24 | */ 25 | 26 | #ifndef __CORSARO_FILE_H 27 | #define __CORSARO_FILE_H 28 | 29 | #include "config.h" 30 | #include "corsaro_int.h" 31 | 32 | #include 33 | #include 34 | 35 | #include "libtrace.h" 36 | #include "wandio.h" 37 | 38 | /** @file 39 | * 40 | * @brief Header file dealing with the low-level file IO 41 | * 42 | * @author Alistair King 43 | * 44 | */ 45 | 46 | /** The default compression level 47 | * 48 | * @todo make this an option to corsaro_main.c and \link corsaro_alloc_output 49 | * \endlink 50 | */ 51 | #define CORSARO_FILE_COMPRESS_LEVEL_DEFAULT 6 52 | 53 | /** The suffix used to detect gzip output is desired */ 54 | #define CORSARO_FILE_ZLIB_SUFFIX ".gz" 55 | 56 | /** The suffix used to detect bzip output is desired */ 57 | #define CORSARO_FILE_BZ2_SUFFIX ".bz2" 58 | 59 | /** An opaque structure defining an corsaro output file */ 60 | typedef struct corsaro_file 61 | { 62 | /** The requested output format for the file */ 63 | corsaro_file_mode_t mode; 64 | 65 | /** Per-framework state for the file */ 66 | union 67 | { 68 | /** ASCII & Binary mode state */ 69 | struct 70 | { 71 | /** The wandio output file handle */ 72 | iow_t *io; 73 | } ms_wandio; 74 | 75 | /** Trace mode state */ 76 | struct 77 | { 78 | /** The libtrace object used to create the trace */ 79 | libtrace_out_t *trace; 80 | } ms_trace; 81 | } mode_state; 82 | 83 | } corsaro_file_t; 84 | 85 | /** An opaque structure defining an corsaro input file */ 86 | typedef struct corsaro_file_in 87 | { 88 | /** The requested/detected input format for the file */ 89 | corsaro_file_mode_t mode; 90 | 91 | /** Per-framework state for the file */ 92 | union 93 | { 94 | /** ASCII & Binary mode state */ 95 | struct 96 | { 97 | /** The wandio input file handle */ 98 | io_t *io; 99 | } ms_wandio; 100 | 101 | /** Trace mode state */ 102 | struct 103 | { 104 | /** The libtrace object used to create the trace */ 105 | libtrace_t *trace; 106 | } ms_trace; 107 | } mode_state; 108 | 109 | } corsaro_file_in_t; 110 | 111 | /** Accessor macro for getting the mode of a file */ 112 | /* this is what the 'public' should use to retrieve the mode */ 113 | #define CORSARO_FILE_MODE(file) (file->mode) 114 | 115 | /** Shortcut to the non-trace (wandio) state structure */ 116 | #define state_wandio mode_state.ms_wandio 117 | /** Shortcut to a non-trace io object */ 118 | #define wand_io mode_state.ms_wandio.io 119 | 120 | /** Shortcut to the trace state structure */ 121 | #define state_trace mode_state.ms_trace 122 | /** Shortcut to the libtrace object */ 123 | #define trace_io mode_state.ms_trace.trace 124 | 125 | /** 126 | * @name Corsaro file output API functions 127 | * 128 | * These are the functions that should be called by the plugins to open 129 | * and write to files with the corsaro IO sub-system. 130 | * 131 | * @{ */ 132 | 133 | /** Attempts to detect the type of compression for a file based on the suffix 134 | * 135 | * @param filename The name of the file to check 136 | * @return the compression type to use, -1 if an error occurs 137 | */ 138 | corsaro_file_compress_t corsaro_file_detect_compression(char *filename); 139 | 140 | /** Creates a new corsaro file write and opens the provided file for writing. 141 | * 142 | * @param corsaro The corsaro object the file is associated with 143 | * @param filename The name of the file to open 144 | * @param mode The corsaro output mode to use when writing 145 | * @param compress_type Compression type 146 | * @param compress_level The compression level to use when writing 147 | * @param flags Flags to apply when opening the file, e.g. O_CREATE 148 | * @return A pointer to a new corsaro output file, or NULL if an error occurs 149 | */ 150 | corsaro_file_t *corsaro_file_open(struct corsaro *corsaro, 151 | const char *filename, 152 | corsaro_file_mode_t mode, 153 | corsaro_file_compress_t compress_type, 154 | int compress_level, 155 | int flags); 156 | 157 | /** Writes the contents of a buffer using an corsaro output file 158 | * 159 | * @param corsaro The corsaro object the file is associated with 160 | * @param file The file to write the data to 161 | * @param buffer The buffer to write out 162 | * @param len The amount of writable data in the buffer 163 | * @return The amount of data written, or -1 if an error occurs 164 | */ 165 | off_t corsaro_file_write(struct corsaro *corsaro, 166 | corsaro_file_t *file, const void *buffer, off_t len); 167 | 168 | 169 | /** Write a libtrace packet to an corsaro output file 170 | * 171 | * @param corsaro The corsaro object the file is associated with 172 | * @param file The file to write the packet to 173 | * @param packet The packet to written 174 | * @return The amount of bytes written, 0 if EOF is reached, -1 if an error occurs 175 | * 176 | * This can be used on Corsaro Binary and Libtrace mode file to write a single 177 | * packet. 178 | */ 179 | off_t corsaro_file_write_packet(struct corsaro *corsaro, 180 | corsaro_file_t *file, libtrace_packet_t *packet); 181 | 182 | /** Print a string to an corsaro file 183 | * 184 | * @param corsaro The corsaro object the file is associated with 185 | * @param file The file to write to 186 | * @param format The format string to write 187 | * @param args The arguments to the format string 188 | * @return The amount of data written, or -1 if an error occurs 189 | * 190 | * The arguments for this function are the same as those for vprintf(3). See the 191 | * vprintf(3) manpage for more details. 192 | */ 193 | off_t corsaro_file_vprintf(struct corsaro *corsaro, corsaro_file_t *file, 194 | const char *format, va_list args); 195 | 196 | /** Print a string to an corsaro file 197 | * 198 | * @param corsaro The corsaro object the file is associated with 199 | * @param file The file to write to 200 | * @param format The format string to write 201 | * @param ... The arguments to the format string 202 | * @return The amount of data written, or -1 if an error occurs 203 | * 204 | * The arguments for this function are the same as those for printf(3). See the 205 | * printf(3) manpage for more details. 206 | */ 207 | off_t corsaro_file_printf(struct corsaro *corsaro, corsaro_file_t *file, 208 | const char *format, ...); 209 | 210 | /** Force all buffered data for the file to be written out 211 | * 212 | * @param corsaro The corsaro object the file is associated with 213 | * @param file The file to flush 214 | */ 215 | void corsaro_file_flush(struct corsaro *corsaro, corsaro_file_t *file); 216 | 217 | /** Closes an corsaro output file and frees the writer structure. 218 | * 219 | * @param corsaro The corsaro object the file is associated with 220 | * @param file The file to close 221 | */ 222 | void corsaro_file_close(struct corsaro *corsaro, corsaro_file_t *file); 223 | 224 | /** @} */ 225 | 226 | /** 227 | * @name Corsaro file input API functions 228 | * 229 | * These are the functions that should be called by the plugins to open 230 | * and read from files with the corsaro IO sub-system. 231 | * 232 | * @todo create a corsaro_file_rreadline function? 233 | * @{ */ 234 | 235 | /** Creates a new corsaro file reader and opens the provided file for reading. 236 | * 237 | * @param filename The name of the file to open 238 | * @return A pointer to a new corsaro input file, or NULL if an error occurs 239 | * 240 | * This function will use wandio/libtrace to attempt to detect the compression 241 | * format used for given file (if any), provided that libtrace was built with 242 | * the appropriate libraries. It will also attempt to detect the mode that was 243 | * used to write the file. 244 | */ 245 | corsaro_file_in_t *corsaro_file_ropen(const char *filename); 246 | 247 | /** Reads from an corsaro input file into the provided buffer. 248 | * 249 | * @param file The file to read from 250 | * @param buffer The buffer to read into 251 | * @param len The size of the buffer 252 | * @return The amount of bytes read, 0 if EOF is reached, -1 if an error occurs 253 | */ 254 | off_t corsaro_file_rread(corsaro_file_in_t *file, void *buffer, off_t len); 255 | 256 | /** Reads a string from an corsaro input file into the provided buffer. 257 | * 258 | * @param file The file to read from 259 | * @param buffer The buffer to read into 260 | * @param len The size of the buffer 261 | * @return The amount of bytes read, 0 if EOF is reached, -1 if an error occurs 262 | * 263 | * This function is almost identical to fgets(3), it will read at most one less 264 | * than len bytes from the file and store them in buffer. Reading stops after an 265 | * EOF or a newline. If a newline is read, it is stored in the buffer. A null 266 | * byte will also be stored after the last character in the buffer. 267 | */ 268 | off_t corsaro_file_rgets(corsaro_file_in_t *file, void *buffer, off_t len); 269 | 270 | /** Read a libtrace packet from an corsaro input file 271 | * 272 | * @param file The file to read from 273 | * @param packet The packet to read into 274 | * @param len The size of the packet to be read 275 | * @return The amount of bytes read, 0 if EOF is reached, -1 if an error occurs 276 | * 277 | * This can be used on Corsaro Binary and Libtrace mode file to retrieve a single 278 | * packet. If the file is in trace mode, the len parameter is ignored. 279 | */ 280 | off_t corsaro_file_rread_packet(corsaro_file_in_t *file, 281 | libtrace_packet_t *packet, 282 | uint16_t len); 283 | 284 | /** Reads from an corsaro input file into the provided buffer, but does not 285 | * update the read pointer. 286 | * 287 | * @param file The file to read from 288 | * @param buffer The buffer to read into 289 | * @param len The size of the buffer 290 | * @return The amount of bytes read, 0 if EOF is reached, -1 if an error occurs 291 | */ 292 | off_t corsaro_file_rpeek(corsaro_file_in_t *file, void *buffer, off_t len); 293 | 294 | /** Changes the read pointer offset to the specified value for an corsaro input 295 | * file. 296 | * 297 | * @param file The file to adjust the read pointer for 298 | * @param offset The new offset for the read pointer 299 | * @param whence Indicates where to set the read pointer from. Can be 300 | * one of SEEK_SET, SEEK_CUR or SEEK_END. 301 | * @return The new value for the read pointer, or -1 if an error occurs 302 | * 303 | * The arguments for this function are the same as those for lseek(2). See the 304 | * lseek(2) manpage for more details. 305 | */ 306 | off_t corsaro_file_rseek(corsaro_file_in_t *file, off_t offset, int whence); 307 | 308 | /** Returns the current offset of the read pointer for an corsaro input file. 309 | * 310 | * @param file The file to get the read offset for 311 | * @return The offset of the read pointer, or -1 if an error occurs 312 | */ 313 | off_t corsaro_file_rtell(corsaro_file_in_t *file); 314 | 315 | /** Closes an corsaro input file and frees the reader structure. 316 | * 317 | * @param file The file to close 318 | */ 319 | void corsaro_file_rclose(corsaro_file_in_t *file); 320 | 321 | /** @} */ 322 | 323 | #endif /* __CORSARO_FILE_H */ 324 | -------------------------------------------------------------------------------- /libcorsaro/corsaro_tag.h: -------------------------------------------------------------------------------- 1 | /* 2 | * corsaro 3 | * 4 | * Alistair King, CAIDA, UC San Diego 5 | * corsaro-info@caida.org 6 | * 7 | * Copyright (C) 2012 The Regents of the University of California. 8 | * 9 | * This file is part of corsaro. 10 | * 11 | * corsaro is free software: you can redistribute it and/or modify 12 | * it under the terms of the GNU General Public License as published by 13 | * the Free Software Foundation, either version 3 of the License, or 14 | * (at your option) any later version. 15 | * 16 | * corsaro is distributed in the hope that it will be useful, 17 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 18 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 19 | * GNU General Public License for more details. 20 | * 21 | * You should have received a copy of the GNU General Public License 22 | * along with corsaro. If not, see . 23 | * 24 | */ 25 | 26 | #ifndef __CORSARO_TAG_H 27 | #define __CORSARO_TAG_H 28 | 29 | #include "corsaro_int.h" 30 | 31 | /** @file 32 | * 33 | * @brief Header file dealing with the corsaro tag manager 34 | * 35 | * A plugin can ask to register a new tag (most likely one of the filter* 36 | * plugins, but really any plugin could do this), and then when it checks a 37 | * packet against this tag, it asks the tag manager to mark the packet as 38 | * matched. Other plugins can then look this tag up by name (and thenceforth 39 | * check if a packet matches using this manager), or perhaps even get a list of 40 | * all tags and dynamically do something with each tag). 41 | * 42 | * @author Alistair King 43 | * 44 | */ 45 | 46 | /** Modes for determining if a packet matches a group of tags */ 47 | typedef enum corsaro_tag_group_match_mode 48 | { 49 | /** A packet matches this group if ANY of the tags match */ 50 | CORSARO_TAG_GROUP_MATCH_MODE_ANY = 0, 51 | 52 | /** A packet matches this group if ALL of the tags match */ 53 | CORSARO_TAG_GROUP_MATCH_MODE_ALL = 1, 54 | 55 | /** Default matching mode for a group (ANY tag matches) */ 56 | CORSARO_TAG_GROUP_MATCH_MODE_DEFAULT = CORSARO_TAG_GROUP_MATCH_MODE_ANY, 57 | } corsaro_tag_group_match_mode_t; 58 | 59 | /** Instance of a single tag */ 60 | typedef struct corsaro_tag 61 | { 62 | /** Name of the tag */ 63 | char *name; 64 | 65 | /** ID of the tag */ 66 | uint8_t id; 67 | 68 | /** Pointer to the tag manager that owns this tag */ 69 | struct corsaro_tag_manager *manager; 70 | 71 | /** Number of groups that this tag belongs to */ 72 | int groups_cnt; 73 | 74 | /** User-provided void pointer */ 75 | void *user; 76 | 77 | } corsaro_tag_t; 78 | 79 | /** Instance of a tag group */ 80 | typedef struct corsaro_tag_group 81 | { 82 | /** Name of the group */ 83 | char *name; 84 | 85 | /** ID of the group */ 86 | uint8_t id; 87 | 88 | /** Array of tags in this group */ 89 | corsaro_tag_t **tags; 90 | 91 | /** Number of tags in this group */ 92 | int tags_cnt; 93 | 94 | /** Mode for determining if a packet matches this group */ 95 | corsaro_tag_group_match_mode_t mode; 96 | 97 | /** Pointer to the tag manager that owns this group */ 98 | struct corsaro_tag_manager *manager; 99 | 100 | /** User provided pointer */ 101 | void *user; 102 | 103 | } corsaro_tag_group_t; 104 | 105 | /** State for the tag manager */ 106 | typedef struct corsaro_tag_manager 107 | { 108 | /** Array of currently allocated tags */ 109 | corsaro_tag_t **tags; 110 | 111 | /** Number of allocated tags */ 112 | int tags_cnt; 113 | 114 | /** Array of currently allocated tag groups */ 115 | corsaro_tag_group_t **groups; 116 | 117 | /** Number of allocated groups */ 118 | int groups_cnt; 119 | 120 | } corsaro_tag_manager_t; 121 | 122 | /** State information for a specific packet */ 123 | typedef struct corsaro_tag_state 124 | { 125 | /** Array of boolean values indicating which tags have been matched by this 126 | packet. corsaro_tag is responsible for dynamically allocating tag IDs 127 | based on requests by plugins */ 128 | uint8_t *tag_matches; 129 | 130 | /** Total number of tags in the tag_matches array (this is always the same as 131 | the total number of tags allocated) */ 132 | int tag_matches_cnt; 133 | 134 | /** Number of tags that are set to matching for the current packet. 135 | Provides an efficient way to check if *any* tag matches the current 136 | packet */ 137 | int tag_matches_set_cnt; 138 | } corsaro_tag_state_t; 139 | 140 | /** Create a tag manager instance and associate it with the given corsaro instance 141 | * 142 | * @param corsaro corsaro instance to associate the tag manager with 143 | * @return pointer to the tag manager created, NULL if an error occurred. 144 | */ 145 | corsaro_tag_manager_t *corsaro_tag_manager_init(corsaro_t *corsaro); 146 | 147 | /** Free the tag manager associated with a corsaro instance 148 | * 149 | * @param corsaro corsaro instance to free the tag manager for 150 | */ 151 | void corsaro_tag_manager_free(corsaro_tag_manager_t *manager); 152 | 153 | /** Reset the tag state in the given packet state 154 | * 155 | * @param state pointer to a packet state instance to reset 156 | */ 157 | void corsaro_tag_state_reset(corsaro_packet_state_t *state); 158 | 159 | /** Free the tag state in the given packet state 160 | * 161 | * @param state pointer to the packet state instance to free 162 | */ 163 | void corsaro_tag_state_free(corsaro_packet_state_t *state); 164 | 165 | /** Create a new tag with the given name 166 | * 167 | * @param corsaro corsaro instance to create a new tag for 168 | * @param name name of the tag to create 169 | * @param user void pointer for use by the tag owner 170 | * 171 | * @return a corsaro tag instance if the tag was allocated successfully, 172 | * NULL otherwise 173 | * 174 | * @note the name parameter must be unique within an instance of corsaro. If 175 | * the name is not unique, the pre-existing tag with the same name will be 176 | * returned (and the user pointer will **not** be updated). 177 | */ 178 | corsaro_tag_t *corsaro_tag_init(corsaro_t *corsaro, const char *name, 179 | void *user); 180 | 181 | /** Free the given tag 182 | * 183 | * @param corsaro pointer to the corsaro instance that the tag is 184 | * associated with 185 | * @param tag pointer to the tag to free 186 | */ 187 | void corsaro_tag_free(corsaro_tag_t *tag); 188 | 189 | /** Get the tag that matches the given name 190 | * 191 | * @param corsaro pointer to the corsaro instance to get the tag from 192 | * @param name name of the tag to retrieve 193 | * @return the tag that matches the name given, NULL if there were no matches 194 | * 195 | * @note this function searches a list of tags, so it should not be run on a 196 | * per-packet basis. i.e. keep a pointer to the tag that you are interested 197 | * in. 198 | */ 199 | corsaro_tag_t *corsaro_tag_get(corsaro_t *corsaro, const char *name); 200 | 201 | /** Get the tag that matches the given name 202 | * 203 | * @param corsaro pointer to the corsaro instance to get the tag from 204 | * @param[out] tags filled with a pointer to an array of tags 205 | * @return the number of tags in the returned array 206 | */ 207 | int corsaro_tag_get_all(corsaro_t *corsaro, corsaro_tag_t ***tags); 208 | 209 | /** Check if a packet matches the given tag 210 | * 211 | * @param packet pointer to a corsaro packet to check the tag against 212 | * @param tag pointer to a tag to check against the given packet 213 | * @return > 0 if the packet matches, 0 if not 214 | * 215 | * @note this function **does not** actually apply the tag, it simply checks 216 | * the result of a previous call to corsaro_tag_set_match. 217 | */ 218 | int corsaro_tag_is_match(corsaro_packet_state_t *state, 219 | corsaro_tag_t *tag); 220 | 221 | /** Check if a packet matches any current tag 222 | * 223 | * @param packet pointer to a corsaro packet to check the tag against 224 | * @return > 0 if the packet matches any tag, 0 if not 225 | * 226 | * @note this function **does not** actually apply the tag, it simply checks 227 | * the results previous calls to corsaro_tag_set_match. 228 | */ 229 | int corsaro_tag_is_match_any(corsaro_packet_state_t *state); 230 | 231 | /** Set whether a packet matches the given tag 232 | * 233 | * @param packet pointer to a corsaro packet 234 | * @param tag tag to update the match value for 235 | * @param match 0 indicates no match, any other value indicates a match 236 | * 237 | * @return 0 if the packet was successfully updated, -1 otherwise 238 | */ 239 | void corsaro_tag_set_match(corsaro_packet_state_t *state, 240 | corsaro_tag_t *tag, 241 | int match); 242 | 243 | /** Create a new tag group with the given name 244 | * 245 | * @param corsaro corsaro instance to create a new tag for 246 | * @param name name of the tag to create 247 | * @param user void pointer for use by the tag owner 248 | * 249 | * @return a corsaro tag group instance if the group was allocated successfully, 250 | * NULL otherwise 251 | * 252 | * @note the name parameter must be unique within an instance of corsaro. If the 253 | * name is not unique, the pre-existing group with the same name will be 254 | * returned (and the user pointer will **not** be updated). 255 | */ 256 | corsaro_tag_group_t *corsaro_tag_group_init(corsaro_t *corsaro, 257 | const char *name, 258 | corsaro_tag_group_match_mode_t mode, 259 | void *user); 260 | 261 | /** Free the given tag group 262 | * 263 | * @param corsaro pointer to the corsaro instance that the group is 264 | * to be associated with 265 | * @param group pointer to the group to free 266 | */ 267 | void corsaro_tag_group_free(corsaro_tag_group_t *group); 268 | 269 | /** Get the tag group that matches the given name 270 | * 271 | * @param corsaro pointer to the corsaro instance to get the group from 272 | * @param name name of the group to retrieve 273 | * @return the group that matches the name given, NULL if there were no matches 274 | * 275 | * @note this function searches a list of groups, so it should not be run on a 276 | * per-packet basis. i.e. keep a pointer to the group that you are interested in. 277 | */ 278 | corsaro_tag_group_t *corsaro_tag_group_get(corsaro_t *corsaro, const char *name); 279 | 280 | /** Get the tag that matches the given name 281 | * 282 | * @param corsaro pointer to the corsaro instance to get the group from 283 | * @param[out] groups filled with a pointer to an array of tag groups 284 | * @return the number of groups in the returned array 285 | */ 286 | int corsaro_tag_group_get_all(corsaro_t *corsaro, corsaro_tag_group_t ***groups); 287 | 288 | /** Add a tag to a group 289 | * 290 | * @param group pointer to the group to add the tag to 291 | * @param tag pointer to the tag to add 292 | * @return 0 if the tag was added successfully, -1 otherwise 293 | */ 294 | int corsaro_tag_group_add_tag(corsaro_tag_group_t *group, 295 | corsaro_tag_t *tag); 296 | 297 | /** Get the tags that are part of the given group 298 | * 299 | * @param group pointer to the group to retrieve the tags from 300 | * @param[out] tags filled with a pointer to an array of tags 301 | * @return the number of tags in the returned array 302 | */ 303 | int corsaro_tag_group_get_tags(corsaro_tag_group_t *group, 304 | corsaro_tag_t ***tags); 305 | 306 | /** Check if a packet matches the given tag group 307 | * 308 | * @param packet pointer to a corsaro packet to check the group against 309 | * @param group pointer to a tag group to check against the given packet 310 | * @return > 0 if the packet matches, 0 if not 311 | * 312 | * @note this function **does not** actually apply the tags, it simply checks 313 | * the result of previous calls to corsaro_tag_set_match for tags within the 314 | * group. The result is dependent on the match mode of the group. 315 | */ 316 | int corsaro_tag_group_is_match(corsaro_packet_state_t *state, 317 | corsaro_tag_group_t *group); 318 | 319 | 320 | #endif /* __CORSARO_TAG_H */ 321 | -------------------------------------------------------------------------------- /libcorsaro/plugins/corsaro_tagstats.c: -------------------------------------------------------------------------------- 1 | /* 2 | * corsaro 3 | * 4 | * Alistair King, CAIDA, UC San Diego 5 | * corsaro-info@caida.org 6 | * 7 | * Copyright (C) 2012 The Regents of the University of California. 8 | * 9 | * This file is part of corsaro. 10 | * 11 | * corsaro is free software: you can redistribute it and/or modify 12 | * it under the terms of the GNU General Public License as published by 13 | * the Free Software Foundation, either version 3 of the License, or 14 | * (at your option) any later version. 15 | * 16 | * corsaro is distributed in the hope that it will be useful, 17 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 18 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 19 | * GNU General Public License for more details. 20 | * 21 | * You should have received a copy of the GNU General Public License 22 | * along with corsaro. If not, see . 23 | * 24 | */ 25 | 26 | #include "config.h" 27 | #include "corsaro_int.h" 28 | 29 | #include 30 | #include 31 | #include 32 | #include 33 | #include 34 | 35 | #include "libtrace.h" 36 | 37 | #include "utils.h" 38 | 39 | #include "corsaro_io.h" 40 | #include "corsaro_file.h" 41 | #include "corsaro_log.h" 42 | #include "corsaro_plugin.h" 43 | 44 | #include "corsaro_tagstats.h" 45 | 46 | /** @file 47 | * 48 | * @brief Corsaro tag statistics plugin 49 | * 50 | * @author Alistair King 51 | * 52 | */ 53 | 54 | /** The magic number for this plugin - "TAGS" */ 55 | #define CORSARO_TAGSTATS_MAGIC 0x54414753 56 | 57 | /** The name of this plugin */ 58 | #define PLUGIN_NAME "tagstats" 59 | 60 | /** Common plugin information across all instances */ 61 | static corsaro_plugin_t corsaro_tagstats_plugin = { 62 | PLUGIN_NAME, /* name */ 63 | CORSARO_PLUGIN_ID_TAGSTATS, /* id */ 64 | CORSARO_TAGSTATS_MAGIC, /* magic */ 65 | CORSARO_PLUGIN_GENERATE_PTRS(corsaro_tagstats), /* func ptrs */ 66 | CORSARO_PLUGIN_GENERATE_TAIL, 67 | }; 68 | 69 | /* DELETE ME 70 | #pkts-matched #pkts-unmatched 71 | group-name 72 | tag-name 73 | tag-name 74 | tag-name 75 | 76 | ... 77 | 78 | un-grouped 79 | tag-name 80 | tag-name 81 | tag-name 82 | TOTAL 83 | 84 | overall 85 | */ 86 | 87 | typedef struct groupstat 88 | { 89 | /* group corresponding to the stats */ 90 | corsaro_tag_group_t *group; 91 | 92 | /* number of packets matched by this group for the current interval */ 93 | uint64_t pkts_matched; 94 | 95 | /* number of packets matched by this group over all time */ 96 | uint64_t pkts_matched_total; 97 | 98 | /* number of packets not matched by this group for the current interval */ 99 | uint64_t pkts_unmatched; 100 | 101 | /* number of packets not matched by this group over all time */ 102 | uint64_t pkts_unmatched_total; 103 | 104 | } groupstat_t; 105 | 106 | typedef struct tagstat 107 | { 108 | /* tag corresponding to the stats */ 109 | corsaro_tag_t *tag; 110 | 111 | /* number of packets matched by this tag for the current interval */ 112 | uint64_t pkts_matched; 113 | 114 | /* number of packets matched by this tag over all time */ 115 | uint64_t pkts_matched_total; 116 | 117 | /* number of packets not matched by this tag for the current interval */ 118 | uint64_t pkts_unmatched; 119 | 120 | /* number of packets not matched by this tag over all time */ 121 | uint64_t pkts_unmatched_total; 122 | 123 | } tagstat_t; 124 | 125 | /** Holds the state for an instance of this plugin */ 126 | struct corsaro_tagstats_state_t { 127 | /** Array of per-group packet counts */ 128 | groupstat_t *groups; 129 | 130 | /** Number of groups that we are tracking pkt cnts for */ 131 | int groups_cnt; 132 | 133 | /** Array of per-group packet counts */ 134 | tagstat_t *tags; 135 | 136 | /** Number of tags that we are tracking pkt cnts for */ 137 | int tags_cnt; 138 | 139 | /** Overall count of packets that we processed this interval */ 140 | uint64_t pkt_cnt; 141 | 142 | /** Overall count of packets that we processed over all time */ 143 | uint64_t pkt_cnt_total; 144 | 145 | }; 146 | 147 | /** Extends the generic plugin state convenience macro in corsaro_plugin.h */ 148 | #define STATE(corsaro) \ 149 | (CORSARO_PLUGIN_STATE(corsaro, tagstats, CORSARO_PLUGIN_ID_TAGSTATS)) 150 | /** Extends the generic plugin plugin convenience macro in corsaro_plugin.h */ 151 | #define PLUGIN(corsaro) \ 152 | (CORSARO_PLUGIN_PLUGIN(corsaro, CORSARO_PLUGIN_ID_TAGSTATS)) 153 | 154 | /* == PUBLIC PLUGIN FUNCS BELOW HERE == */ 155 | 156 | /** Implements the alloc function of the plugin API */ 157 | corsaro_plugin_t *corsaro_tagstats_alloc(corsaro_t *corsaro) 158 | { 159 | return &corsaro_tagstats_plugin; 160 | } 161 | 162 | /** Implements the probe_filename function of the plugin API */ 163 | int corsaro_tagstats_probe_filename(const char *fname) 164 | { 165 | /* cannot read raw tagstats files using corsaro_in */ 166 | return 0; 167 | } 168 | 169 | /** Implements the probe_magic function of the plugin API */ 170 | int corsaro_tagstats_probe_magic(corsaro_in_t *corsaro, corsaro_file_in_t *file) 171 | { 172 | /* cannot read raw tagstats files using corsaro_in */ 173 | return 0; 174 | } 175 | 176 | /** Implements the init_output function of the plugin API */ 177 | int corsaro_tagstats_init_output(corsaro_t *corsaro) 178 | { 179 | int i; 180 | struct corsaro_tagstats_state_t *state; 181 | corsaro_plugin_t *plugin = PLUGIN(corsaro); 182 | 183 | corsaro_tag_group_t **groups; 184 | corsaro_tag_t **tags; 185 | 186 | assert(plugin != NULL); 187 | 188 | if((state = malloc_zero(sizeof(struct corsaro_tagstats_state_t))) == NULL) 189 | { 190 | corsaro_log(__func__, corsaro, 191 | "could not malloc corsaro_tagstats_state_t"); 192 | goto err; 193 | } 194 | corsaro_plugin_register_state(corsaro->plugin_manager, plugin, state); 195 | 196 | /* get all the groups that are registered */ 197 | if((state->groups_cnt = corsaro_tag_group_get_all(corsaro, &groups)) < 0) 198 | { 199 | fprintf(stderr, "ERROR: Could not retrieve tag groups\n"); 200 | goto err; 201 | } 202 | if((state->groups = malloc_zero(sizeof(groupstat_t)*state->groups_cnt)) == NULL) 203 | { 204 | corsaro_log(__func__, corsaro, "could not malloc group stats"); 205 | goto err; 206 | } 207 | for(i=0; igroups_cnt; i++) 208 | { 209 | state->groups[i].group = groups[i]; 210 | } 211 | 212 | /* get all the tags that are registered */ 213 | if((state->tags_cnt = corsaro_tag_get_all(corsaro, &tags)) <= 0) 214 | { 215 | fprintf(stderr, "ERROR: Could not retrieve tags\n"); 216 | goto err; 217 | } 218 | if((state->tags = malloc_zero(sizeof(tagstat_t)*state->tags_cnt)) == NULL) 219 | { 220 | corsaro_log(__func__, corsaro, "could not malloc tag stats"); 221 | goto err; 222 | } 223 | for(i=0; itags_cnt; i++) 224 | { 225 | state->tags[i].tag = tags[i]; 226 | } 227 | 228 | return 0; 229 | 230 | err: 231 | corsaro_tagstats_close_output(corsaro); 232 | return -1; 233 | } 234 | 235 | /** Implements the init_output function of the plugin API */ 236 | int corsaro_tagstats_init_input(corsaro_in_t *corsaro) 237 | { 238 | return -1; 239 | } 240 | 241 | /** Implements the close_input function of the plugin API */ 242 | int corsaro_tagstats_close_input(corsaro_in_t *corsaro) 243 | { 244 | return -1; 245 | } 246 | 247 | /** Implements the close_output function of the plugin API */ 248 | int corsaro_tagstats_close_output(corsaro_t *corsaro) 249 | { 250 | int i, j; 251 | struct corsaro_tagstats_state_t *state = STATE(corsaro); 252 | groupstat_t *gs; 253 | tagstat_t *ts; 254 | 255 | if(state == NULL) 256 | { 257 | return 0; 258 | } 259 | 260 | fprintf(stdout, "OVERALL STATS\n"); 261 | fprintf(stdout, "\t\t#matched\t#un-matched\n"); 262 | /* write out the group stats */ 263 | for(i=0; igroups_cnt; i++) 264 | { 265 | gs = &state->groups[i]; 266 | fprintf(stdout, "%s\t\t%"PRIu64"\t%"PRIu64"\n", 267 | gs->group->name, gs->pkts_matched_total, gs->pkts_unmatched_total); 268 | /** now print all the tags in this group */ 269 | for(j=0; jgroup->tags_cnt; j++) 270 | { 271 | ts = &state->tags[gs->group->tags[j]->id]; 272 | assert(ts != NULL); 273 | fprintf(stdout, "\t%s\t%"PRIu64"\t%"PRIu64"\n", 274 | ts->tag->name, ts->pkts_matched_total, ts->pkts_unmatched_total); 275 | } 276 | fprintf(stdout, "\n"); 277 | } 278 | 279 | fprintf(stdout, "un-grouped\n"); 280 | for(i=0; itags_cnt; i++) 281 | { 282 | ts = &state->tags[i]; 283 | assert(ts != NULL); 284 | if(ts->tag->groups_cnt == 0) 285 | { 286 | fprintf(stdout, "\t%s\t%"PRIu64"\t%"PRIu64"\n", 287 | ts->tag->name, ts->pkts_matched_total, ts->pkts_unmatched_total); 288 | } 289 | } 290 | fprintf(stdout, "\n"); 291 | 292 | /* now, clean up */ 293 | if(state->groups != NULL) 294 | { 295 | free(state->groups); 296 | state->groups = NULL; 297 | } 298 | state->groups_cnt = 0; 299 | 300 | if(state->tags != NULL) 301 | { 302 | free(state->tags); 303 | state->tags = NULL; 304 | } 305 | state->tags_cnt = 0; 306 | 307 | corsaro_plugin_free_state(corsaro->plugin_manager, PLUGIN(corsaro)); 308 | 309 | return 0; 310 | } 311 | 312 | /** Implements the read_record function of the plugin API */ 313 | off_t corsaro_tagstats_read_record(struct corsaro_in *corsaro, 314 | corsaro_in_record_type_t *record_type, 315 | corsaro_in_record_t *record) 316 | { 317 | return -1; 318 | } 319 | 320 | /** Implements the read_global_data_record function of the plugin API */ 321 | off_t corsaro_tagstats_read_global_data_record(struct corsaro_in *corsaro, 322 | enum corsaro_in_record_type *record_type, 323 | struct corsaro_in_record *record) 324 | { 325 | /* we write nothing to the global file. someone messed up */ 326 | return -1; 327 | } 328 | 329 | /** Implements the start_interval function of the plugin API */ 330 | int corsaro_tagstats_start_interval(corsaro_t *corsaro, corsaro_interval_t *int_start) 331 | { 332 | int i; 333 | struct corsaro_tagstats_state_t *state = STATE(corsaro); 334 | 335 | /* zero out the stats */ 336 | for(i=0; igroups_cnt; i++) 337 | { 338 | state->groups[i].pkts_matched = 0; 339 | state->groups[i].pkts_unmatched = 0; 340 | } 341 | 342 | for(i=0; itags_cnt; i++) 343 | { 344 | state->tags[i].pkts_matched = 0; 345 | state->tags[i].pkts_unmatched = 0; 346 | } 347 | 348 | state->pkt_cnt = 0; 349 | return 0; 350 | } 351 | 352 | /** Implements the end_interval function of the plugin API */ 353 | int corsaro_tagstats_end_interval(corsaro_t *corsaro, corsaro_interval_t *int_end) 354 | { 355 | int i, j; 356 | struct corsaro_tagstats_state_t *state = STATE(corsaro); 357 | groupstat_t *gs; 358 | tagstat_t *ts; 359 | 360 | fprintf(stdout, "\t\t#matched\t#un-matched\n"); 361 | /* write out the group stats */ 362 | for(i=0; igroups_cnt; i++) 363 | { 364 | gs = &state->groups[i]; 365 | fprintf(stdout, "%s\t\t%"PRIu64"\t%"PRIu64"\n", 366 | gs->group->name, gs->pkts_matched, gs->pkts_unmatched); 367 | /** now print all the tags in this group */ 368 | for(j=0; jgroup->tags_cnt; j++) 369 | { 370 | ts = &state->tags[gs->group->tags[j]->id]; 371 | assert(ts != NULL); 372 | fprintf(stdout, "\t%s\t%"PRIu64"\t%"PRIu64"\n", 373 | ts->tag->name, ts->pkts_matched, ts->pkts_unmatched); 374 | } 375 | fprintf(stdout, "\n"); 376 | } 377 | 378 | fprintf(stdout, "un-grouped\n"); 379 | for(i=0; itags_cnt; i++) 380 | { 381 | ts = &state->tags[i]; 382 | assert(ts != NULL); 383 | if(ts->tag->groups_cnt == 0) 384 | { 385 | fprintf(stdout, "\t%s\t%"PRIu64"\t%"PRIu64"\n", 386 | ts->tag->name, ts->pkts_matched, ts->pkts_unmatched); 387 | } 388 | } 389 | fprintf(stdout, "\n\n"); 390 | 391 | return 0; 392 | } 393 | 394 | /** Implements the process_packet function of the plugin API */ 395 | int corsaro_tagstats_process_packet(corsaro_t *corsaro, 396 | corsaro_packet_t *packet) 397 | { 398 | int i; 399 | struct corsaro_tagstats_state_t *state = STATE(corsaro); 400 | groupstat_t *gs; 401 | tagstat_t *ts; 402 | 403 | /* look at each group */ 404 | for(i=0; igroups_cnt; i++) 405 | { 406 | gs = &state->groups[i]; 407 | if(corsaro_tag_group_is_match(&packet->state, gs->group) > 0) 408 | { 409 | gs->pkts_matched++; 410 | gs->pkts_matched_total++; 411 | } 412 | else 413 | { 414 | gs->pkts_unmatched++; 415 | gs->pkts_unmatched_total++; 416 | } 417 | } 418 | 419 | /* look at each tag */ 420 | for(i=0; itags_cnt; i++) 421 | { 422 | ts = &state->tags[i]; 423 | if(corsaro_tag_is_match(&packet->state, ts->tag) > 0) 424 | { 425 | ts->pkts_matched++; 426 | ts->pkts_matched_total++; 427 | } 428 | else 429 | { 430 | ts->pkts_unmatched++; 431 | ts->pkts_unmatched_total++; 432 | } 433 | } 434 | return 0; 435 | } 436 | 437 | 438 | 439 | --------------------------------------------------------------------------------