nads-0.3-4mdv2010.0.i586.rpm

================================================================================
N.A.D.S : Normalized Attack Detection System
Copyright (c) 2003 ECSC Ltd.
Author: Gianni Tedesco <gianni@scaramanga.co.uk>
This is free software; released under the GNU GPL v2 (see: COPYING)
================================================================================

Code Overview:
 All functions are documented with comments at their definitions.

 The core of the code is libnads, and shared-library coding rules apply when
 working on it. The main points:

 ALL symbols should be static unless they are exported API. Calls to
 non-static functions, and accesses to non-static variables, go through the
 GOT/PLT and cost a relocation each. Functions inside the library should NOT
 call the exported API either: those calls also add relocations and defeat
 page sharing of the library.

 If one module in the library needs a symbol from another, declare it with
 __hidden. You must compile with GCC; with another compiler the library will
 break, because the hidden-visibility attribute will not be applied.

 All of the API is declared in nads.h, and it should stay that way: that is
 the only installed header.

 There is no requirement for the library to be thread safe, so it is not.

 The namespace is nads_, i.e. prefix all external API with nads_ for compiler
 symbols and NADS_ for preprocessor macros.


Error Handling Model:
 All external API functions must set nads_errcode before returning, no matter
 what happens: nads_errcode = 0 for OK, or a defined error code if an error
 occurs. Each type of error should have a NADS_ERR_XXX macro defined and a
 descriptive string set in nads.c::estr.

 All functions must return either NADS_OK or NADS_FAIL. The exception is
 anything that returns a pointer.
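 The following is an added example, not libnads source, showing one library
 module written to the coding rules and the error handling model above: a
 static table, a __hidden cross-module helper, and an exported nads_ function
 that returns NADS_OK/NADS_FAIL and sets nads_errcode on every path. Assumptions
 made for the example: __hidden expands to GCC's hidden-visibility attribute
 (the README only says it needs GCC), the values of NADS_OK/NADS_FAIL and the
 NADS_ERR_* codes are invented, and nads_copy_path() and nads_errstr() are
 illustrative functions, not entries in nads.h.

```c
/* Added example, not libnads code: one translation unit written to the coding
 * rules above.  Assumptions made for the example: __hidden expands to GCC's
 * hidden-visibility attribute (the README only says it needs GCC); the values
 * of NADS_OK/NADS_FAIL and the NADS_ERR_* codes are invented; nads_copy_path()
 * and nads_errstr() are illustrative, not functions from nads.h. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef __GNUC__
#define __hidden __attribute__((visibility("hidden")))
#else
#define __hidden   /* no hidden visibility: the symbol leaks out of the library */
#endif

#define NADS_OK   1
#define NADS_FAIL 0

/* One macro per error class; each indexes a string in estr[] below. */
#define NADS_ERR_NONE   0
#define NADS_ERR_NOMEM  1
#define NADS_ERR_BADARG 2
#define NADS_ERR_COUNT  3

/* Exported: every API call sets this before it returns. */
int nads_errcode;

/* Not exported and only used in this module, so it is static: references to
 * it resolve at link time with no GOT relocation. */
static const char *estr[NADS_ERR_COUNT] = {
	"Success",
	"Out of memory",
	"Bad argument",
};

/* Needed by other modules of the library but not part of the API: hidden,
 * not static, so other .c files can call it directly without a PLT entry. */
__hidden int nads_set_err(int code)
{
	nads_errcode = code;
	return code == NADS_ERR_NONE ? NADS_OK : NADS_FAIL;
}

/* Exported API: returns NADS_OK/NADS_FAIL and sets nads_errcode on every
 * path.  It calls the hidden helper, never another exported nads_ function. */
int nads_copy_path(char *dst, size_t dstlen, const char *src)
{
	size_t n;

	if (dst == NULL || src == NULL || dstlen == 0)
		return nads_set_err(NADS_ERR_BADARG);
	n = strlen(src);
	if (n >= dstlen)
		return nads_set_err(NADS_ERR_NOMEM);
	memcpy(dst, src, n + 1);
	return nads_set_err(NADS_ERR_NONE);
}

/* Pointer-returning API: exempt from the OK/FAIL rule, but it still leaves
 * nads_errcode in a defined state. */
const char *nads_errstr(void)
{
	if (nads_errcode < 0 || nads_errcode >= NADS_ERR_COUNT) {
		nads_errcode = NADS_ERR_BADARG;
		return "Unknown error";
	}
	return estr[nads_errcode];
}

int main(void)
{
	char buf[8];

	if (nads_copy_path(buf, sizeof(buf), "/index") == NADS_OK)
		printf("copied '%s': %s\n", buf, nads_errstr());
	if (nads_copy_path(buf, sizeof(buf), "/firestorm/index.html") == NADS_FAIL)
		printf("refused: %s\n", nads_errstr());
	return 0;
}
```

 Build it with -fPIC -shared and inspect the result with readelf -s or nm -D:
 nads_set_err should not appear in the dynamic symbol table, while nads_errcode,
 nads_copy_path and nads_errstr should.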


Module Overview:
 There are three modules in libnads:
 o nads.c
    core API utility functions (such as error-code handling)
 o normalize.c
    URL normalization routines; these should probably be split out
 o webservers.c
    takes care of emulation types and webserver mappings

 There are two applications, nads and testnads. testnads simply reads URLs and
 prints their normalized form. nads is the ACL helper for Squid.


Webserver Mapping Database:
 NADS supports different levels of normalization for different webservers.
 Currently there is support for "Apache" and "IIS", which broadly match the
 behaviour of those products.

 NADS can map an HTTP host/port pair to a given webserver emulation type. For
 example the site 'www.scaramanga.co.uk' on port 80 can be mapped to Apache,
 while 'www.microsoft.com' on port 8080 can be mapped to IIS. A default value
 can also be configured for sites that don't match.

 The mappings are stored in a hash table in webservers.c. Lookup time should
 scale very well, but if higher scalability is required the critical tweak is
 the IPHASH_SIZE macro: increase it for better performance. Powers of two
 should be OK, as the main hash is Fowler/Noll/Vo 1a with the port XORed in.

 The important thing to remember in configuration is that every name and IP
 a site can be reached by needs its own entry, e.g.:

 scaramanga.co.uk, www.scaramanga.co.uk, 212.69.230.191, etc.

 A request for an alias that is not in the table falls back to the default
 emulation type, and the client chooses which alias it asks for, so a missing
 entry means the site may be checked with the wrong (possibly looser) rules.
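 As an added example (not the code in webservers.c), here is a host/port
 mapping table in the shape described above: IPHASH_SIZE buckets, FNV-1a over
 the host name with the port XORed in, a mask instead of a modulo because the
 size is a power of two, and a configurable default for pairs that are not in
 the table. The struct layout, function names and the enumeration are
 assumptions made for the example, as is the case-insensitive host comparison,
 which the README does not mention.

```c
/* Added example, not webservers.c: a host:port -> emulation type map built
 * the way the README describes.  Struct, function names, the ws_type enum
 * and the case-insensitive comparison are assumptions for this example. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IPHASH_SIZE 1024          /* bucket count; keep it a power of two */

enum ws_type { WS_APACHE = 1, WS_IIS = 2 };

struct ws_entry {
	char *host;               /* name or IP literal, as the client sends it */
	uint16_t port;
	enum ws_type type;
	struct ws_entry *next;    /* bucket chain */
};

static struct ws_entry *iphash[IPHASH_SIZE];
static enum ws_type default_type = WS_APACHE;

/* 32-bit FNV-1a over the lower-cased host, then XOR the port in, so the same
 * name on ports 80 and 8080 hashes to different values. */
static uint32_t ws_hash(const char *host, uint16_t port)
{
	uint32_t h = 2166136261u;            /* FNV offset basis */

	for (; *host; host++) {
		h ^= (uint8_t)tolower((unsigned char)*host);
		h *= 16777619u;                  /* FNV prime */
	}
	return h ^ port;
}

/* With a power-of-two table a mask replaces the modulo. */
static unsigned ws_bucket(uint32_t h)
{
	return h & (IPHASH_SIZE - 1);
}

/* Host names are case-insensitive, so compare them that way. */
static int host_eq(const char *a, const char *b)
{
	for (; *a && *b; a++, b++)
		if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
			return 0;
	return *a == *b;
}

static struct ws_entry *ws_find(const char *host, uint16_t port)
{
	struct ws_entry *e = iphash[ws_bucket(ws_hash(host, port))];

	for (; e; e = e->next)
		if (e->port == port && host_eq(e->host, host))
			return e;
	return NULL;
}

/* Map host:port to an emulation type; re-adding an existing pair updates it.
 * Returns 1 on success, 0 on allocation failure. */
int ws_add(const char *host, uint16_t port, enum ws_type type)
{
	struct ws_entry *e = ws_find(host, port);
	unsigned b;

	if (e) {
		e->type = type;
		return 1;
	}
	if (!(e = malloc(sizeof(*e))))
		return 0;
	if (!(e->host = malloc(strlen(host) + 1))) {
		free(e);
		return 0;
	}
	strcpy(e->host, host);
	e->port = port;
	e->type = type;
	b = ws_bucket(ws_hash(host, port));
	e->next = iphash[b];
	iphash[b] = e;
	return 1;
}

void ws_set_default(enum ws_type type)
{
	default_type = type;
}

/* Unmatched pairs fall back to the default, which is why every alias (bare
 * name, www name, IP literal) has to be added explicitly. */
enum ws_type ws_lookup(const char *host, uint16_t port)
{
	struct ws_entry *e = ws_find(host, port);
	return e ? e->type : default_type;
}

int main(void)
{
	ws_add("www.scaramanga.co.uk", 80, WS_APACHE);
	ws_add("www.microsoft.com", 8080, WS_IIS);
	ws_set_default(WS_IIS);
	/* The IP literal was never added, so it is checked with the default rules. */
	printf("www.scaramanga.co.uk:80 -> %s\n212.69.230.191:80 -> %s\n",
	       ws_lookup("www.scaramanga.co.uk", 80) == WS_APACHE ? "Apache" : "IIS",
	       ws_lookup("212.69.230.191", 80) == WS_APACHE ? "Apache" : "IIS");
	return 0;
}
```

 The main() shows the configuration pitfall from the paragraph above: the name
 is mapped to Apache, but the same site reached by its IP literal gets the
 default, so both (and any other alias) need entries.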


Squid Integration:
 The ACL helper requires the following squid configuration.

 external_acl_type nads %PROTO %SRC %DST %PORT %METHOD %PATH /usr/bin/nads
 acl nads external nads
 http_access deny nads

 This means the helper reads one request per line on stdin, in the format
 given above. Because the ACL is used in an http_access deny rule, a reply of
 OK from the helper (ACL matched) denies the request and ERR allows it. An
 example input line:

  http 192.168.0.107 www.scaramanga.co.uk 80 GET /firestorm/index.html
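 Added example, not the nads helper's own source: parsing one request line in
 the six-field format produced by the external_acl_type line above, and
 choosing the reply (OK = matched = denied under that configuration). The
 struct, function names and buffer sizes are assumptions made here, and the
 ".." check is a constructed stand-in for the real normalize-and-inspect step,
 which the README does not describe in detail.

```c
/* Added example, not nads source: parse one external ACL request line of the
 * form "PROTO SRC DST PORT METHOD PATH" and answer OK or ERR.  The struct,
 * sizes and the path_has_dotdot() stand-in detector are assumptions. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NADS_FIELDLEN 64      /* proto, src, method */
#define NADS_HOSTLEN  256
#define NADS_PATHLEN  4096
#define NADS_LINELEN  (NADS_PATHLEN + 3 * NADS_FIELDLEN + NADS_HOSTLEN + 16)

struct nads_req {
	char proto[NADS_FIELDLEN];     /* %PROTO  */
	char src[NADS_FIELDLEN];       /* %SRC    */
	char dst[NADS_HOSTLEN];        /* %DST    */
	unsigned port;                 /* %PORT   */
	char method[NADS_FIELDLEN];    /* %METHOD */
	char path[NADS_PATHLEN];       /* %PATH   */
};

/* Copy one token into a fixed buffer; reject empty or oversized tokens. */
static int take_field(char *dst, size_t len, const char *tok)
{
	size_t n = strlen(tok);

	if (n == 0 || n >= len)
		return 0;
	memcpy(dst, tok, n + 1);
	return 1;
}

/* Parse one helper request line (modified in place).  Returns 1 only for
 * exactly six whitespace-separated fields with a port in 1..65535. */
int nads_parse_request(char *line, struct nads_req *req)
{
	char *f[6], *end;
	unsigned long port;
	int i;

	line[strcspn(line, "\r\n")] = '\0';
	for (i = 0; i < 6; i++)
		if (!(f[i] = strtok(i ? NULL : line, " \t")))
			return 0;              /* fewer than six fields */
	if (strtok(NULL, " \t"))
		return 0;                  /* more than six fields */

	errno = 0;
	port = strtoul(f[3], &end, 10);
	if (errno || *end || port == 0 || port > 65535)
		return 0;

	memset(req, 0, sizeof(*req));
	req->port = (unsigned)port;
	return take_field(req->proto, sizeof(req->proto), f[0])
	    && take_field(req->src, sizeof(req->src), f[1])
	    && take_field(req->dst, sizeof(req->dst), f[2])
	    && take_field(req->method, sizeof(req->method), f[4])
	    && take_field(req->path, sizeof(req->path), f[5]);
}

/* Constructed stand-in for the detector: flags a ".." in the path.  The real
 * nads normalizes the path for the mapped webserver type before inspecting it. */
static int path_has_dotdot(const struct nads_req *req)
{
	return strstr(req->path, "..") != NULL;
}

/* Squid's external ACL protocol: "OK" means the ACL matched.  Under the
 * 'http_access deny nads' rule above, OK therefore denies the request and
 * ERR lets it through.  A line we cannot parse is answered OK so that
 * malformed input fails closed (this example's choice, not a Squid rule). */
const char *nads_reply(const char *line_in, int (*is_attack)(const struct nads_req *))
{
	char line[NADS_LINELEN];
	struct nads_req req;
	size_t n = strlen(line_in);

	if (n >= sizeof(line))
		return "OK";
	memcpy(line, line_in, n + 1);
	if (!nads_parse_request(line, &req))
		return "OK";
	return is_attack(&req) ? "OK" : "ERR";
}

int main(void)
{
	char line[NADS_LINELEN];

	/* One reply per request line; flush, or Squid waits on a buffered pipe. */
	while (fgets(line, sizeof(line), stdin)) {
		puts(nads_reply(line, path_has_dotdot));
		fflush(stdout);
	}
	return 0;
}
```

 The fail-closed choice matters with a deny rule: if the helper answered ERR on
 a line it could not parse, an attacker who could get an oddly formed request
 past Squid's own parsing would bypass the check.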