================================================================================
N.A.D.S : Normalized Attack Detection System
Copyright (c) 2003 ECSC Ltd.
Author: Gianni Tedesco <gianni@scaramanga.co.uk>
This is free software; released under the GNU GPL v2 (see: COPYING)
================================================================================

Code Overview:

All functions are documented with comments by their definitions. The core of
the code is libnads; library coding rules should be applied when working on
the library. I shall go over the main points below:

  o ALL symbols should be static if they are not exported API, because calls
    to non-static functions and variables cause GOT relocations.

  o Functions in the library should NOT call exported APIs. That also causes
    relocations and makes the library un-sharable. If one module in the
    library needs to use a symbol from another, you must declare it with
    __hidden. You must compile with GCC, otherwise the library will b0rk
    (hidden won't work).

  o All API is declared in nads.h and it should stay this way. That is the
    only installed header.

  o There is no requirement for the library to be thread safe, so it is not.

  o The namespace is nads_, ie: prefix all external API with nads_ for
    compiler symbols and NADS_ for preprocessor macros.

Error Handling Model:

All external API functions must set nads_errcode before returning, no matter
what happens: set nads_errcode=0 for OK, or set it to a defined error code if
an error happens. Each type of error should have a NADS_ERR_XXX macro defined
and a descriptive string set in nads.c::estr.

All functions must return either NADS_OK or NADS_FAIL, the exception being
anything that returns a pointer.
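The following is an added example illustrating the coding rules and the error-handling model above; it is not code from libnads. The functions nads_parse_port(), hidden_check_port() and nads_strerror(), the two error codes and the estr[] strings are all hypothetical, and the __hidden definition assumes GCC's visibility attribute as the README requires.

```c
/* Added example illustrating the libnads coding rules and error-handling
 * model described above. Not libnads code: nads_parse_port(),
 * hidden_check_port(), nads_strerror(), the error codes and the estr[]
 * strings are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NADS_OK   0
#define NADS_FAIL 1

/* One NADS_ERR_XXX macro per error type; each has a string in estr[]. */
#define NADS_ERR_NONE   0
#define NADS_ERR_BADARG 1
#define NADS_ERR_RANGE  2

/* GCC visibility attribute: callable across library modules without a
 * GOT relocation, but not exported from the shared object. */
#ifndef __hidden
#define __hidden __attribute__((visibility("hidden")))
#endif

/* Exported data symbol: the nads_ prefix marks it as API. */
int nads_errcode = NADS_ERR_NONE;

/* Internal table, so static (mirrors what nads.c::estr is for). */
static const char *estr[] = {
	"Success",
	"Bad argument",
	"Port out of range",
};

/* Internal helper shared between modules: __hidden, never nads_-prefixed. */
__hidden int hidden_check_port(long port)
{
	return (port >= 1 && port <= 65535) ? NADS_OK : NADS_FAIL;
}

/* External API: every return path sets nads_errcode and returns
 * NADS_OK or NADS_FAIL. It calls the hidden helper, not an exported API. */
int nads_parse_port(const char *s, unsigned short *out)
{
	char *end;
	long v;

	if (s == NULL || out == NULL || *s == '\0') {
		nads_errcode = NADS_ERR_BADARG;
		return NADS_FAIL;
	}
	errno = 0;
	v = strtol(s, &end, 10);
	if (errno != 0 || *end != '\0') {
		nads_errcode = NADS_ERR_BADARG;
		return NADS_FAIL;
	}
	if (hidden_check_port(v) != NADS_OK) {
		nads_errcode = NADS_ERR_RANGE;
		return NADS_FAIL;
	}
	*out = (unsigned short)v;
	nads_errcode = NADS_ERR_NONE;
	return NADS_OK;
}

/* Pointer-returning API: the one exception to the NADS_OK/NADS_FAIL rule. */
const char *nads_strerror(int code)
{
	if (code < 0 || (size_t)code >= sizeof(estr) / sizeof(estr[0]))
		return "Unknown error";
	return estr[code];
}

int main(void)
{
	unsigned short port;
	const char *inputs[] = { "80", "8080", "99999", "8x", "" };
	size_t i;

	for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
		if (nads_parse_port(inputs[i], &port) == NADS_OK)
			printf("%-6s -> port %u\n", inputs[i], port);
		else
			printf("%-6s -> error %d (%s)\n", inputs[i],
			       nads_errcode, nads_strerror(nads_errcode));
	}
	return 0;
}
```

The point to notice is that nads_errcode is written on every path, including the success path, so a caller can always read it after the call; and that the internal check is reached through a hidden symbol rather than through the exported nads_ API.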
Module Overview:

There are three modules in libnads:

  o nads.c       contains core API utility functions (such as error code
                 handling stuff)
  o normalize.c  normalization routines, probably should be split out
  o webservers.c takes care of emulation types, and webserver mappings

There are two applications, nads and testnads. Testnads simply takes in URLs
and spits out normalized URLs. Nads is the ACL helper for squid.

Webserver Mapping Database:

NADS supports different levels of normalization for different webservers;
currently there is support for "Apache" and "IIS", which broadly match those
products. NADS can map an HTTP host/port pair to a given webserver emulation
type. For example the site 'www.scaramanga.co.uk' on port 80 can be mapped to
Apache, while 'www.microsoft.com' on port 8080 can be mapped to IIS. A default
value can also be configured for sites that don't match.

The mappings are stored in a hash table in webservers.c. Time complexity
should scale very well, but if higher scalability is required the critical
tweak is the IPHASH_SIZE macro: increase the size for better performance.
Powers of two should be OK, as the main hash is Fowler/Noll/Vo 1a with the
port XORed in.

The important thing to remember in configuration is that IPs and all name
variations need to be added, eg: scaramanga.co.uk, www.scaramanga.co.uk,
212.69.230.191, etc. A host/port pair that has not been added falls back to
the default emulation type.

Squid Integration:

The ACL helper requires the following squid configuration:

  external_acl_type nads %PROTO %SRC %DST %PORT %METHOD %PATH /usr/bin/nads
  acl nads external nads
  http_access deny nads

That means that it takes input on stdin in the format given, ie:

  http 192.168.0.107 www.scaramanga.co.uk 80 GET /firestorm/index.html
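As an added example of the webserver mapping database described above (not the webservers.c code), here is a host/port to emulation-type table built the way the README says: 32-bit FNV-1a over the hostname, the port XORed in, and a power-of-two table indexed by masking with IPHASH_SIZE-1. IPHASH_SIZE is the README's macro name; the enum, struct and functions (ws_add, ws_lookup, ws_set_default) are hypothetical.

```c
/* Added example, not the webservers.c code: host/port -> emulation type,
 * hashed with FNV-1a over the hostname and the port XORed in, in a
 * power-of-two table masked by IPHASH_SIZE-1. IPHASH_SIZE is the README's
 * macro; the other names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IPHASH_SIZE 256      /* power of two, so hash & (IPHASH_SIZE-1) works */
#define WS_HOST_MAX 256

enum nads_emul { NADS_EMUL_APACHE = 1, NADS_EMUL_IIS = 2 };

struct ws_entry {
	char host[WS_HOST_MAX];
	uint16_t port;
	enum nads_emul type;
	struct ws_entry *next;   /* chaining for bucket collisions */
};

static struct ws_entry *ws_tab[IPHASH_SIZE];
static enum nads_emul ws_default = NADS_EMUL_APACHE;

/* FNV-1a (offset basis 2166136261, prime 16777619) over the hostname,
 * then XOR the port in and mask down to a bucket index. */
static uint32_t ws_hash(const char *host, uint16_t port)
{
	uint32_t h = 2166136261u;
	for (; *host != '\0'; host++) {
		h ^= (uint8_t)*host;
		h *= 16777619u;
	}
	return (h ^ port) & (IPHASH_SIZE - 1);
}

static void ws_set_default(enum nads_emul type)
{
	ws_default = type;
}

/* Add a mapping; returns 0 on success, -1 on overlong host or OOM.
 * Every spelling of a site (bare name, www., literal IP) must be added
 * separately: nothing here infers one from another. */
static int ws_add(const char *host, uint16_t port, enum nads_emul type)
{
	struct ws_entry *e;
	uint32_t idx;

	if (strlen(host) >= WS_HOST_MAX)
		return -1;
	e = calloc(1, sizeof(*e));
	if (e == NULL)
		return -1;
	strcpy(e->host, host);   /* length checked above */
	e->port = port;
	e->type = type;
	idx = ws_hash(host, port);
	e->next = ws_tab[idx];
	ws_tab[idx] = e;
	return 0;
}

/* Look up a host/port pair; unknown pairs get the configured default. */
static enum nads_emul ws_lookup(const char *host, uint16_t port)
{
	struct ws_entry *e;
	for (e = ws_tab[ws_hash(host, port)]; e != NULL; e = e->next) {
		if (e->port == port && strcmp(e->host, host) == 0)
			return e->type;
	}
	return ws_default;
}

int main(void)
{
	ws_set_default(NADS_EMUL_IIS);
	ws_add("www.scaramanga.co.uk", 80, NADS_EMUL_APACHE);
	ws_add("scaramanga.co.uk", 80, NADS_EMUL_APACHE);
	ws_add("212.69.230.191", 80, NADS_EMUL_APACHE);
	ws_add("www.microsoft.com", 8080, NADS_EMUL_IIS);

	printf("www.scaramanga.co.uk:80   -> %d\n", ws_lookup("www.scaramanga.co.uk", 80));
	printf("www.scaramanga.co.uk:8080 -> %d (not configured: default)\n",
	       ws_lookup("www.scaramanga.co.uk", 8080));
	printf("www.microsoft.com:8080    -> %d\n", ws_lookup("www.microsoft.com", 8080));
	return 0;
}
```

Because the port is folded into the hash and compared on lookup, the same name on a different port is a different key and gets the default; that, and the fact that name variants are never inferred, is why the README insists that every spelling and IP of a site be added explicitly.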
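The helper loop below is an added example, not the nads helper's own code: it reads and validates the six-field line that squid writes to the helper's stdin under the external_acl_type configuration above. The struct and function names are hypothetical; NADS_OK/NADS_FAIL follow the README's return convention. Squid's external ACL protocol expects one reply line per request, "OK" for a match or "ERR" for no match, and the decision to answer "OK" (which the "http_access deny nads" rule turns into a deny) for a line that cannot be parsed is this example's own fail-closed choice. The real normalize-and-inspect verdict is libnads' job and is not reproduced here.

```c
/* Added example, not the nads helper's own code: parse and validate the
 * "%PROTO %SRC %DST %PORT %METHOD %PATH" line squid feeds the helper.
 * Names are hypothetical; NADS_OK/NADS_FAIL follow the README's convention. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NADS_OK   0
#define NADS_FAIL 1

struct acl_req {
	char proto[16];          /* %PROTO  e.g. http */
	char src[64];            /* %SRC    client address */
	char dst[256];           /* %DST    requested host */
	unsigned short port;     /* %PORT */
	char method[16];         /* %METHOD */
	char path[2048];         /* %PATH */
};

/* Copy the next space-delimited field from *p into dst, failing on an
 * empty or overlong field so a malformed line is never half-parsed. */
static int next_field(const char **p, char *dst, size_t sz)
{
	const char *s = *p;
	size_t n;

	while (*s == ' ')
		s++;
	n = strcspn(s, " \r\n");
	if (n == 0 || n >= sz)
		return NADS_FAIL;
	memcpy(dst, s, n);
	dst[n] = '\0';
	*p = s + n;
	return NADS_OK;
}

/* Parse one helper input line: exactly six fields, port in 1..65535. */
static int nads_parse_request(const char *line, struct acl_req *r)
{
	const char *p = line;
	char portbuf[8];
	char *end;
	long port;

	if (next_field(&p, r->proto, sizeof(r->proto)) != NADS_OK ||
	    next_field(&p, r->src, sizeof(r->src)) != NADS_OK ||
	    next_field(&p, r->dst, sizeof(r->dst)) != NADS_OK ||
	    next_field(&p, portbuf, sizeof(portbuf)) != NADS_OK ||
	    next_field(&p, r->method, sizeof(r->method)) != NADS_OK ||
	    next_field(&p, r->path, sizeof(r->path)) != NADS_OK)
		return NADS_FAIL;

	/* Nothing but whitespace may follow the sixth field. */
	if (p[strspn(p, " \r\n")] != '\0')
		return NADS_FAIL;

	port = strtol(portbuf, &end, 10);
	if (end == portbuf || *end != '\0' || port < 1 || port > 65535)
		return NADS_FAIL;
	r->port = (unsigned short)port;
	return NADS_OK;
}

/* Helper main loop: one reply line per input line on stdout ("OK" = ACL
 * matched, "ERR" = no match in squid's protocol); diagnostics go to stderr
 * so they never corrupt the protocol channel. Unparseable or overlong
 * input is answered OK, i.e. denied under "http_access deny nads". */
int main(void)
{
	char line[4096];
	struct acl_req r;

	while (fgets(line, sizeof(line), stdin) != NULL) {
		if (strchr(line, '\n') == NULL && !feof(stdin)) {
			int c;   /* overlong line: drain it, treat as malformed */
			while ((c = getchar()) != EOF && c != '\n')
				;
			puts("OK");
		} else if (nads_parse_request(line, &r) != NADS_OK) {
			puts("OK");
		} else {
			fprintf(stderr, "%s %s -> %s:%u %s\n", r.method, r.src,
			        r.dst, (unsigned)r.port, r.path);
			puts("ERR");   /* verdict placeholder: libnads decides here */
		}
		fflush(stdout);
	}
	return 0;
}
```

Feed it the README's sample line on stdin to see the fields split out on stderr; the fflush after every reply matters because squid waits for each answer and a block-buffered stdout would stall the proxy.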