// Convert the RangeEvaluation into the configured Code | // Convert the RangeEvaluation into the configured Code | ||||
switch(I.R) { | switch(I.R) { | ||||
case Unknown: // Unknown - not defined. | |||||
case Normal: // Benefit of the doubt. | |||||
case New: { // It is new to us. | |||||
case snfIPRange::Unknown: // Unknown - not defined. | |||||
case snfIPRange::Normal: // Benefit of the doubt. | |||||
case snfIPRange::New: { // It is new to us. | |||||
I.Code = 0; // Zero is the default - no code. | I.Code = 0; // Zero is the default - no code. | ||||
break; | break; | ||||
} | } | ||||
case White: { // This is a good guy. | |||||
case snfIPRange::White: { // This is a good guy. | |||||
I.Code = MyCFGPacket.Config()->WhiteRangeHandler.Symbol; | I.Code = MyCFGPacket.Config()->WhiteRangeHandler.Symbol; | ||||
break; | break; | ||||
} | } | ||||
case Caution: { // This is suspicious. | |||||
case snfIPRange::Caution: { // This is suspicious. | |||||
I.Code = MyCFGPacket.Config()->CautionRangeHandler.Symbol; | I.Code = MyCFGPacket.Config()->CautionRangeHandler.Symbol; | ||||
break; | break; | ||||
} | } | ||||
case Black: { // This is bad. | |||||
case snfIPRange::Black: { // This is bad. | |||||
I.Code = MyCFGPacket.Config()->BlackRangeHandler.Symbol; | I.Code = MyCFGPacket.Config()->BlackRangeHandler.Symbol; | ||||
break; | break; | ||||
} | } | ||||
case Truncate: { // Don't even bother looking. | |||||
case snfIPRange::Truncate: { // Don't even bother looking. | |||||
I.Code = MyCFGPacket.Config() | I.Code = MyCFGPacket.Config() | ||||
->gbudb_regions_black_truncate_symbol; | ->gbudb_regions_black_truncate_symbol; | ||||
break; | break; | ||||
// We will also emit a range identifier for pattern matches that might use it. | // We will also emit a range identifier for pattern matches that might use it. | ||||
switch(IPR) { | switch(IPR) { | ||||
case Unknown: { S << " Unknown"; break; } // Unknown - not defined. | |||||
case White: { S << " White"; break; } // This is a good guy. | |||||
case Normal: { S << " Normal"; break; } // Benefit of the doubt. | |||||
case New: { S << " New"; break; } // It is new to us. | |||||
case Caution: { S << " Caution"; break; } // This is suspicious. | |||||
case Black: { S << " Black"; break; } // This is bad. | |||||
case Truncate: { S << " Truncate"; break; } // Don't even bother looking. | |||||
case snfIPRange::Unknown: { S << " Unknown"; break; } // Unknown - not defined. | |||||
case snfIPRange::White: { S << " White"; break; } // This is a good guy. | |||||
case snfIPRange::Normal: { S << " Normal"; break; } // Benefit of the doubt. | |||||
case snfIPRange::New: { S << " New"; break; } // It is new to us. | |||||
case snfIPRange::Caution: { S << " Caution"; break; } // This is suspicious. | |||||
case snfIPRange::Black: { S << " Black"; break; } // This is bad. | |||||
case snfIPRange::Truncate: { S << " Truncate"; break; } // Don't even bother looking. | |||||
} | } | ||||
ScanData->SourceIPEvaluation = S.str(); // Capture the source IP eval. | ScanData->SourceIPEvaluation = S.str(); // Capture the source IP eval. | ||||
// range. If the Good flag is set the function always returns White so | // range. If the Good flag is set the function always returns White so | ||||
// here we only have to check for the Truncate flag. | // here we only have to check for the Truncate flag. | ||||
if(Truncate == IPR) { // If all of the conditions are met | |||||
if(snfIPRange::Truncate == IPR) { // If all of the conditions are met | |||||
ScanData->GBUdbTruncateTriggered = true; // then Truncate has been triggered. | ScanData->GBUdbTruncateTriggered = true; // then Truncate has been triggered. | ||||
ScanData->GBUdbPeekTriggered = LOGmgr->OkToPeek( // Since truncate was triggered, see if | ScanData->GBUdbPeekTriggered = LOGmgr->OkToPeek( // Since truncate was triggered, see if | ||||
CFGData->gbudb_regions_black_truncate_peek_one_in); // we would also trigger a peek. | CFGData->gbudb_regions_black_truncate_peek_one_in); // we would also trigger a peek. | ||||
switch(MyScanData.SourceIPRange()) { | switch(MyScanData.SourceIPRange()) { | ||||
case White: { // If the IP was in the white zone | |||||
case snfIPRange::White: { // If the IP was in the white zone | |||||
MyScanData.GBUdbWhiteTriggered = true; // mark that down. | MyScanData.GBUdbWhiteTriggered = true; // mark that down. | ||||
if(MyCFGPacket.Config()->WhiteRangeHandler.On_Off) { // If we're also turned on then | if(MyCFGPacket.Config()->WhiteRangeHandler.On_Off) { // If we're also turned on then | ||||
if( // do we need to force the symbol? | if( // do we need to force the symbol? | ||||
break; | break; | ||||
} | } | ||||
case Normal: { // If the IP is normal... | |||||
case snfIPRange::Normal: { // If the IP is normal... | |||||
MyScanData.GBUdbNormalTriggered = true; // Count the event. | MyScanData.GBUdbNormalTriggered = true; // Count the event. | ||||
break; // That's all. | break; // That's all. | ||||
} | } | ||||
case New: { | |||||
case snfIPRange::New: { | |||||
break; | break; | ||||
} | } | ||||
case Caution: { // If the IP is in the caution range. | |||||
case snfIPRange::Caution: { // If the IP is in the caution range. | |||||
MyScanData.GBUdbCautionTriggered = true; // Track that this range fired. | MyScanData.GBUdbCautionTriggered = true; // Track that this range fired. | ||||
if( | if( | ||||
MyCFGPacket.Config()->CautionRangeHandler.On_Off && // If we're also turned on and there | MyCFGPacket.Config()->CautionRangeHandler.On_Off && // If we're also turned on and there | ||||
// peek cases or if Truncate is turned off then Truncate might not | // peek cases or if Truncate is turned off then Truncate might not | ||||
// execute-- when that happens we need to fall back to Black behavior. | // execute-- when that happens we need to fall back to Black behavior. | ||||
case Truncate: // If the IP was in the truncate range | |||||
case Black: { // and/or If the IP is in the black range | |||||
case snfIPRange::Truncate: // If the IP was in the truncate range | |||||
case snfIPRange::Black: { // and/or If the IP is in the black range | |||||
MyScanData.GBUdbBlackTriggered = true; // mark that down. | MyScanData.GBUdbBlackTriggered = true; // mark that down. | ||||
if(MyScanData.GBUdbTruncateExecuted) { // If the truncate action was executed | if(MyScanData.GBUdbTruncateExecuted) { // If the truncate action was executed | ||||
break; | break; | ||||
} | } | ||||
case Unknown: // Unknown - most likely we couldn't | |||||
case snfIPRange::Unknown: // Unknown - most likely we couldn't | |||||
default: { // find a usable source. | default: { // find a usable source. | ||||
break; // Do nothing. | break; // Do nothing. | ||||
} | } |
snfIPRange snfCFGData::RangeEvaluation(GBUdbRecord& R) { // Returns the range for a GBUdbRecord. | snfIPRange snfCFGData::RangeEvaluation(GBUdbRecord& R) { // Returns the range for a GBUdbRecord. | ||||
if(Good == R.Flag()) { // If the flag on the IP is Good | if(Good == R.Flag()) { // If the flag on the IP is Good | ||||
return White; // then this IP is automatically white. | |||||
return snfIPRange::White; // then this IP is automatically white. | |||||
} else | } else | ||||
if(Bad == R.Flag()) { // If the flag on this IP is Bad | if(Bad == R.Flag()) { // If the flag on this IP is Bad | ||||
if(true == gbudb_regions_black_truncate_on_off) { // and truncate is turned on then | if(true == gbudb_regions_black_truncate_on_off) { // and truncate is turned on then | ||||
return Truncate; // the IP is automatically in the | |||||
return snfIPRange::Truncate; // the IP is automatically in the | |||||
} else { // truncate range. If truncate is off | } else { // truncate range. If truncate is off | ||||
return Black; // then this IP is automatically black. | |||||
return snfIPRange::Black; // then this IP is automatically black. | |||||
} | } | ||||
} | } | ||||
// If it's not so simple then get a | // If it's not so simple then get a | ||||
0.0 == p.Confidence && // by a zero confidence and | 0.0 == p.Confidence && // by a zero confidence and | ||||
0.0 == p.Probability // a zero probability, then | 0.0 == p.Probability // a zero probability, then | ||||
) { // the range point cannot be "in" | ) { // the range point cannot be "in" | ||||
return New; // any range. | |||||
return snfIPRange::New; // any range. | |||||
} | } | ||||
if(WhiteRangeHandler.isInWhite(p)) { // If it's in the white range, | if(WhiteRangeHandler.isInWhite(p)) { // If it's in the white range, | ||||
return White; // return White. | |||||
return snfIPRange::White; // return White. | |||||
} else // White has priority over all others. | } else // White has priority over all others. | ||||
if(BlackRangeHandler.isInBlack(p)) { // If it's in the black range then | if(BlackRangeHandler.isInBlack(p)) { // If it's in the black range then | ||||
if(p.Probability >= gbudb_regions_black_truncate_probability) { // determine if it's also in the truncate | if(p.Probability >= gbudb_regions_black_truncate_probability) { // determine if it's also in the truncate | ||||
return Truncate; // range, and if so - send back Truncate. | |||||
return snfIPRange::Truncate; // range, and if so - send back Truncate. | |||||
} else { // If not then we can send back a | } else { // If not then we can send back a | ||||
return Black; // normal black result. | |||||
return snfIPRange::Black; // normal black result. | |||||
} | } | ||||
} else // Black takes precedence over caution. | } else // Black takes precedence over caution. | ||||
if(CautionRangeHandler.isInBlack(p)) { // If we're in the caution range | if(CautionRangeHandler.isInBlack(p)) { // If we're in the caution range | ||||
return Caution; // then return caution. | |||||
return snfIPRange::Caution; // then return caution. | |||||
} // If none of those ranges matched then | } // If none of those ranges matched then | ||||
return Normal; // the IP is in the normal range. | |||||
return snfIPRange::Normal; // the IP is in the normal range. | |||||
} | } | ||||
//// snfCFGmgr ///////////////////////////////////////////////////////////////// | //// snfCFGmgr ///////////////////////////////////////////////////////////////// |
} | } | ||||
}; | }; | ||||
enum snfIPRange { // IP action ranges | |||||
enum class snfIPRange { // IP action ranges | |||||
Unknown, // Unknown - not defined. | Unknown, // Unknown - not defined. | ||||
White, // This is a good guy. | White, // This is a good guy. | ||||
Normal, // Benefit of the doubt. | Normal, // Benefit of the doubt. |
SourceIPOrdinal = -1; // There is no source IP because it | SourceIPOrdinal = -1; // There is no source IP because it | ||||
SourceIPFoundFlag = false; // has not yet been found. | SourceIPFoundFlag = false; // has not yet been found. | ||||
SourceIPRangeFlag = Unknown; // Range flag is not yet known. | |||||
SourceIPRangeFlag = snfIPRange::Unknown; // Range flag is not yet known. | |||||
SourceIPEvaluation.clear(); // No eval yet. | SourceIPEvaluation.clear(); // No eval yet. | ||||
myHeaderDirectiveSourceIP = 0UL; // Header directive source is empty now. | myHeaderDirectiveSourceIP = 0UL; // Header directive source is empty now. | ||||
<< "c=\'" << ScanData.SourceIPRecord().GBUdbData.Confidence() << "\' " | << "c=\'" << ScanData.SourceIPRecord().GBUdbData.Confidence() << "\' " | ||||
<< "p=\'" << ScanData.SourceIPRecord().GBUdbData.Probability() << "\' " | << "p=\'" << ScanData.SourceIPRecord().GBUdbData.Probability() << "\' " | ||||
<< "r=\'" << | << "r=\'" << | ||||
((Unknown == ScanData.SourceIPRange())? "Unknown" : | |||||
((White == ScanData.SourceIPRange())? "White" : | |||||
((Normal == ScanData.SourceIPRange())? "Normal" : | |||||
((New == ScanData.SourceIPRange())? "New" : | |||||
((Caution == ScanData.SourceIPRange())? "Caution" : | |||||
((Black == ScanData.SourceIPRange())? "Black" : | |||||
((Truncate == ScanData.SourceIPRange())? "Truncate" : | |||||
((snfIPRange::Unknown == ScanData.SourceIPRange())? "Unknown" : | |||||
((snfIPRange::White == ScanData.SourceIPRange())? "White" : | |||||
((snfIPRange::Normal == ScanData.SourceIPRange())? "Normal" : | |||||
((snfIPRange::New == ScanData.SourceIPRange())? "New" : | |||||
((snfIPRange::Caution == ScanData.SourceIPRange())? "Caution" : | |||||
((snfIPRange::Black == ScanData.SourceIPRange())? "Black" : | |||||
((snfIPRange::Truncate == ScanData.SourceIPRange())? "Truncate" : | |||||
"Fault"))))))) | "Fault"))))))) | ||||
<< "\'/>" | << "\'/>" | ||||
<< std::endl; | << std::endl; | ||||
<< "c=\'" << I.G.Confidence() << "\' " | << "c=\'" << I.G.Confidence() << "\' " | ||||
<< "p=\'" << I.G.Probability() << "\' " | << "p=\'" << I.G.Probability() << "\' " | ||||
<< "r=\'" << | << "r=\'" << | ||||
((Unknown == I.R)? "Unknown" : | |||||
((White == I.R)? "White" : | |||||
((Normal == I.R)? "Normal" : | |||||
((New == I.R)? "New" : | |||||
((Caution == I.R)? "Caution" : | |||||
((Black == I.R)? "Black" : | |||||
((Truncate == I.R)? "Truncate" : | |||||
((snfIPRange::Unknown == I.R)? "Unknown" : | |||||
((snfIPRange::White == I.R)? "White" : | |||||
((snfIPRange::Normal == I.R)? "Normal" : | |||||
((snfIPRange::New == I.R)? "New" : | |||||
((snfIPRange::Caution == I.R)? "Caution" : | |||||
((snfIPRange::Black == I.R)? "Black" : | |||||
((snfIPRange::Truncate == I.R)? "Truncate" : | |||||
"Fault"))))))) | "Fault"))))))) | ||||
<< "\' " | << "\' " | ||||
<< "a=\'" << Action << "\'" | << "a=\'" << Action << "\'" |
XML << "<ip range=\'"; | XML << "<ip range=\'"; | ||||
std::string IPRange; | std::string IPRange; | ||||
switch(ScanData.SourceIPRange()) { | switch(ScanData.SourceIPRange()) { | ||||
case Unknown: { IPRange = "Unknown"; break; } // Unknown - not defined. | |||||
case White: { IPRange = "White"; break; } // This is a good guy. | |||||
case Normal: { IPRange = "Normal"; break; } // Benefit of the doubt. | |||||
case New: { IPRange = "New"; break; } // It is new to us. | |||||
case Caution: { IPRange = "Caution"; break; } // This is suspicious. | |||||
case Black: { IPRange = "Black"; break; } // This is bad. | |||||
case Truncate: { IPRange = "Truncate"; break; } // Don't even bother looking. | |||||
case snfIPRange::Unknown: { IPRange = "Unknown"; break; } // Unknown - not defined. | |||||
case snfIPRange::White: { IPRange = "White"; break; } // This is a good guy. | |||||
case snfIPRange::Normal: { IPRange = "Normal"; break; } // Benefit of the doubt. | |||||
case snfIPRange::New: { IPRange = "New"; break; } // It is new to us. | |||||
case snfIPRange::Caution: { IPRange = "Caution"; break; } // This is suspicious. | |||||
case snfIPRange::Black: { IPRange = "Black"; break; } // This is bad. | |||||
case snfIPRange::Truncate: { IPRange = "Truncate"; break; } // Don't even bother looking. | |||||
} | } | ||||
cd::SocketAddress IP; | cd::SocketAddress IP; |
<< "\' b=\'" << IPState.G.Bad() // Emit the bad count. | << "\' b=\'" << IPState.G.Bad() // Emit the bad count. | ||||
<< "\' g=\'" << IPState.G.Good() // Emit the good count. | << "\' g=\'" << IPState.G.Good() // Emit the good count. | ||||
<< "\' range=\'" | << "\' range=\'" | ||||
<< ((Unknown == IPState.R) ? "unknown" : | |||||
((White == IPState.R) ? "white" : | |||||
((Normal == IPState.R) ? "normal" : | |||||
((New == IPState.R) ? "new" : | |||||
((Caution == IPState.R) ? "caution" : | |||||
((Black == IPState.R) ? "black" : | |||||
((Truncate == IPState.R) ? "truncate" : "error"))))))) | |||||
<< ((snfIPRange::Unknown == IPState.R) ? "unknown" : | |||||
((snfIPRange::White == IPState.R) ? "white" : | |||||
((snfIPRange::Normal == IPState.R) ? "normal" : | |||||
((snfIPRange::New == IPState.R) ? "new" : | |||||
((snfIPRange::Caution == IPState.R) ? "caution" : | |||||
((snfIPRange::Black == IPState.R) ? "black" : | |||||
((snfIPRange::Truncate == IPState.R) ? "truncate" : "error"))))))) | |||||
<< "\' code=\'" << IPState.Code | << "\' code=\'" << IPState.Code | ||||
<< "\'" | << "\'" | ||||
<< "/></gbudb></xci></snf>" // Finish it up. | << "/></gbudb></xci></snf>" // Finish it up. |