-
Notifications
You must be signed in to change notification settings - Fork 1
/
config.h
271 lines (183 loc) · 6.54 KB
/
config.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
/*
p0f - vaguely configurable bits
-------------------------------
Copyright (C) 2012 by Michal Zalewski <[email protected]>
Distributed under the terms and conditions of GNU LGPL.
*/
#ifndef _HAVE_CONFIG_H
#define _HAVE_CONFIG_H
#include "types.h"
/********************************************
* Things you may reasonably want to change *
********************************************/
/* Default location of p0f.fp: */
#ifndef FP_FILE
# define FP_FILE "p0f.fp"
#endif /* !FP_FILE */
/* Initial permissions on log files: */
#ifndef LOG_MODE
# define LOG_MODE 0600
#endif /* !LOG_MODE */
/* Initial permissions on API sockets: */
#ifndef API_MODE
# define API_MODE 0666
#endif /* !API_MODE */
/* Default connection and host cache sizes (adjustable via -m): */
#ifndef MAX_HOSTS
# define MAX_CONN 1000
# define MAX_HOSTS 10000
#endif /* !MAX_HOSTS */
/* Default connection and host time limits (adjustable via -t): */
#ifndef HOST_IDLE_LIMIT
# define CONN_MAX_AGE 30 /* seconds */
# define HOST_IDLE_LIMIT 120 /* minutes */
#endif /* !HOST_IDLE_LIMIT */
/* Default number of API connections permitted (adjustable via -c): */
#ifndef API_MAX_CONN
# define API_MAX_CONN 20
#endif /* !API_MAX_CONN */
/* Maximum TTL distance for non-fuzzy signature matching: */
#ifndef MAX_DIST
# define MAX_DIST 35
#endif /* !MAX_DIST */
/* Detect use-after-free, at the expense of some performance cost: */
#define CHECK_UAF 1
/************************
* Really obscure stuff *
************************/
/* Maximum allocator request size (keep well under INT_MAX): */
#define MAX_ALLOC 0x40000000
/* Percentage of host entries / flows to prune when limits exceeded: */
#define KILL_PERCENT 10
/* PCAP snapshot length: */
#define SNAPLEN 65535
/* Maximum request, response size to keep per flow: */
#define MAX_FLOW_DATA 8192
/* Maximum number of TCP options we will process (< 256): */
#define MAX_TCP_OPT 24
/* Minimum and maximum frequency for timestamp clock (Hz). Note that RFC
1323 permits 1 - 1000 Hz . At 1000 Hz, the 32-bit counter overflows
after about 50 days. */
#define MIN_TSCALE 0.7
#define MAX_TSCALE 1500
/* Minimum and maximum interval (ms) for measuring timestamp progrssion. This
is used to make sure the timestamps are fresh enough to be of any value,
and that the measurement is not affected by network performance too
severely. */
#define MIN_TWAIT 25
#define MAX_TWAIT (1000 * 60 * 10)
/* Time window in which to tolerate timestamps going back slightly or
otherwise misbehaving during NAT checks (ms): */
#define TSTAMP_GRACE 100
/* Maximum interval between packets used for TS-based NAT checks (ms): */
#define MAX_NAT_TS (1000 * 60 * 60 * 24)
/* Minimum port drop to serve as a NAT detection signal: */
#define MIN_PORT_DROP 64
/* Threshold before letting NAT detection make a big deal out of TTL change
for remote hosts (this is to account for peering changes): */
#define SMALL_TTL_CHG 2
/* The distance up to which the system is considered to be local, and therefore
the SMALL_TTL_CHG threshold should not be taken account: */
#define LOCAL_TTL_LIMIT 5
/* The distance past which the system is considered to be really distant,
and therefore, changes within SMALL_TTL_CHG should be completely ignored: */
#define NEAR_TTL_LIMIT 9
/* Number of packet scores to keep for NAT detection (< 256): */
#define NAT_SCORES 32
/* Number of hash buckets for p0f.fp signatures: */
#define SIG_BUCKETS 64
/* Number of hash buckets for active connections: */
#define FLOW_BUCKETS 256
/* Number of hash buckets for host data: */
#define HOST_BUCKETS 1024
/* Cache expiration interval (every n packets received): */
#define EXPIRE_INTERVAL 50
/* Non-alphanumeric chars to permit in OS names. This is to allow 'sys' syntax
to be used unambiguously, yet allow some freedom: */
#define NAME_CHARS " ./-_!?()"
/* Special window size and MSS used by p0f-sendsyn, and detected by p0f: */
#define SPECIAL_MSS 1331
#define SPECIAL_WIN 1337
/* Maximum length of an HTTP URL line we're willing to entertain. The same
limit is also used for the first line of a response: */
#define HTTP_MAX_URL 1024
/* Maximum number of HTTP headers: */
#define HTTP_MAX_HDRS 32
/* Maximum length of a header name: */
#define HTTP_MAX_HDR_NAME 32
/* Maximum length of a header value: */
#define HTTP_MAX_HDR_VAL 1024
/* Maximum length of a header value for display purposes: */
#define HTTP_MAX_SHOW 200
/* Maximum HTTP 'Date' progression jitter to overlook (s): */
#define HTTP_MAX_DATE_DIFF 10
#ifdef _FROM_FP_HTTP
#include "fp_http.h"
/* Headers that should be tagged as optional by the HTTP fingerprinter in any
generated signatures: */
static struct http_id req_optional[] = {
{ "Cookie", 0 },
{ "Referer", 0 },
{ "Origin", 0 },
{ "Range", 0 },
{ "If-Modified-Since", 0 },
{ "If-None-Match", 0 },
{ "Via", 0 },
{ "X-Forwarded-For", 0 },
{ "Authorization", 0 },
{ "Proxy-Authorization", 0 },
{ "Cache-Control", 0 },
{ 0, 0 }
};
static struct http_id resp_optional[] = {
{ "Set-Cookie", 0 },
{ "Last-Modified", 0 },
{ "ETag", 0 },
{ "Content-Length", 0 },
{ "Content-Disposition", 0 },
{ "Cache-Control", 0 },
{ "Expires", 0 },
{ "Pragma", 0 },
{ "Location", 0 },
{ "Refresh", 0 },
{ "Content-Range", 0 },
{ "Vary", 0 },
{ 0, 0 }
};
/* Common headers that are expected to be present at all times, and deserve
a special mention if absent in a signature: */
static struct http_id req_common[] = {
{ "Host", 0 },
{ "User-Agent", 0 },
{ "Connection", 0 },
{ "Accept", 0 },
{ "Accept-Encoding", 0 },
{ "Accept-Language", 0 },
{ "Accept-Charset", 0 },
{ "Keep-Alive", 0 },
{ 0, 0 }
};
static struct http_id resp_common[] = {
{ "Content-Type", 0 },
{ "Connection", 0 },
{ "Keep-Alive", 0 },
{ "Accept-Ranges", 0 },
{ "Date", 0 },
{ 0, 0 }
};
/* Headers for which values change depending on the context, and therefore
should not be included in proposed signatures. This is on top of the
"optional" header lists, which already implies skipping the value. */
static struct http_id req_skipval[] = {
{ "Host", 0 },
{ "User-Agent", 0 },
{ 0, 0 }
};
static struct http_id resp_skipval[] = {
{ "Date", 0 },
{ "Content-Type", 0 },
{ "Server", 0 },
{ 0, 0 }
};
#endif /* _FROM_FP_HTTP */
#endif /* ! _HAVE_CONFIG_H */