From da62135f4bd64342e46d88626a726fcd6a184b91 Mon Sep 17 00:00:00 2001
From: Pavel Odintsov <pavel.odintsov@gmail.com>
Date: Fri, 13 Mar 2015 18:25:13 +0300
Subject: [PATCH] Move logic for checking if we should ban IP or not to
 separate function

---
 fastnetmon.cpp | 55 +++++++++++++++++++++++++++++++-------------------
 1 file changed, 34 insertions(+), 21 deletions(-)

diff --git a/fastnetmon.cpp b/fastnetmon.cpp
index 899335b71..935948356 100644
--- a/fastnetmon.cpp
+++ b/fastnetmon.cpp
@@ -360,6 +360,7 @@ bool process_outgoing_traffic = true;
 void block_all_traffic_with_82599_hardware_filtering(std::string client_ip_as_string);
 #endif
 
+bool we_should_ban_this_ip(map_element* current_average_speed_element);
 std::string get_net_address_from_network_as_string(std::string network_cidr_format);
 unsigned int get_max_used_protocol(uint64_t tcp, uint64_t udp, uint64_t icmp);
 std::string get_printable_protocol_name(unsigned int protocol);
@@ -1546,6 +1547,9 @@ void recalculate_speed() {
             current_average_speed_element->in_flows = uint64_t(new_speed_element.in_flows + exp_value *
                 ((double)current_average_speed_element->in_flows -  (double)new_speed_element.in_flows));
 
+            /* Moving average recalculation end */
+
+            // TODO: remove this useless variables!
             uint64_t in_pps_average  = current_average_speed_element->in_packets;
             uint64_t out_pps_average = current_average_speed_element->out_packets;
 
@@ -1555,27 +1559,7 @@ void recalculate_speed() {
             uint64_t in_flows_average  = current_average_speed_element->in_flows;
             uint64_t out_flows_average = current_average_speed_element->out_flows;
 
-            /* Moving average recalculation end */
-
-            // we detect overspeed by packets
-            bool attack_detected_by_pps = false;
-            bool attack_detected_by_bandwidth = false;
-            bool attack_detected_by_flow = false;
-
-            if (enable_ban_for_pps && (in_pps_average > ban_threshold_pps or out_pps_average > ban_threshold_pps)) {
-                attack_detected_by_pps = true;
-            }
-
-            // we detect overspeed by bandwidth
-            if (enable_ban_for_bandwidth && (convert_speed_to_mbps(in_bps_average) > ban_threshold_mbps or convert_speed_to_mbps(out_bps_average) > ban_threshold_mbps)) {
-                attack_detected_by_bandwidth = true;
-            }
-
-            if (enable_ban_for_flows_per_second && (in_flows_average > ban_threshold_flows or out_flows_average > ban_threshold_flows)) {
-                attack_detected_by_flow = true; 
-            } 
-
-            if (attack_detected_by_pps or attack_detected_by_bandwidth or attack_detected_by_flow) {
+            if (we_should_ban_this_ip(current_average_speed_element)) {
                 std::string flow_attack_details = "";
                 
                 if (enable_conection_tracking) {
@@ -2738,4 +2722,33 @@ void print_attack_details_to_file(std::string details, std::string client_ip_as_
     }    
 }
 
+// Return true when we should ban this IP
+bool we_should_ban_this_ip(map_element* current_average_speed_element) {
+    uint64_t in_pps_average  = current_average_speed_element->in_packets;
+    uint64_t out_pps_average = current_average_speed_element->out_packets;
+
+    uint64_t in_bps_average  = current_average_speed_element->in_bytes;
+    uint64_t out_bps_average = current_average_speed_element->out_bytes; 
+
+    uint64_t in_flows_average  = current_average_speed_element->in_flows;
+    uint64_t out_flows_average = current_average_speed_element->out_flows;
+
+    // we detect overspeed by packets
+    bool attack_detected_by_pps = false;
+    bool attack_detected_by_bandwidth = false;
+    bool attack_detected_by_flow = false;
+    if (enable_ban_for_pps && (in_pps_average > ban_threshold_pps or out_pps_average > ban_threshold_pps)) {
+        attack_detected_by_pps = true;
+    }    
+
+    // we detect overspeed by bandwidth
+    if (enable_ban_for_bandwidth && (convert_speed_to_mbps(in_bps_average) > ban_threshold_mbps or convert_speed_to_mbps(out_bps_average) > ban_threshold_mbps)) {
+        attack_detected_by_bandwidth = true;
+    }
 
+    if (enable_ban_for_flows_per_second && (in_flows_average > ban_threshold_flows or out_flows_average > ban_threshold_flows)) {
+        attack_detected_by_flow = true;
+    }
+
+    return attack_detected_by_pps or attack_detected_by_bandwidth or attack_detected_by_flow;
+}