
📄 listen.c

📁 又一个检测黑客远程禁止服务攻击主机的程序
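#include <stdio.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <time.h>
#include <sys/time.h>

/* Local defines */
#include "netconfig.h"
#include "functions.h"
#include <netinet/udp.h>
#include <netinet/tcp.h>

extern int FlgDebug;
extern int FlgExtraDebug;
extern u_short PcapOffset;
extern u_long TO;
extern struct icmp_item *ICMP_Recv;
extern struct udp_item *UDP_Recv;
extern struct tcp_item *TCP_Recv;

/* Smallest capture lengths (fixed IP header + protocol header) per protocol. */
u_short ICMPMIN = sizeof(struct icmp) + sizeof(struct ip);
u_short UDPMIN = sizeof(struct udphdr) + sizeof(struct ip);
u_short TCPMIN = sizeof(struct tcphdr) + sizeof(struct ip);

/* Bytes of an ICMP message that hold type, code, checksum, id and seq. */
enum { ICMP_FIXED_HDR = 8 };

/*
 * Bounded stand-in for strstr() on captured packet bytes.
 *
 * Packet payloads come off the wire and carry no NUL terminator, so an
 * unbounded strstr() can read past the end of the capture buffer.  The
 * search here never looks beyond `avail` bytes.  Like strstr(), it stops at
 * the first NUL byte inside the payload and treats an empty needle as a
 * match.
 *
 * Returns 1 when `needle` occurs in the payload, 0 otherwise.
 */
static int payload_has_string(const u_char *payload, size_t avail,
                              const char *needle)
{
	const u_char *nul;
	size_t nlen;
	size_t i;

	if (payload == NULL || needle == NULL)
		return 0;

	nul = memchr(payload, '\0', avail);
	if (nul != NULL)
		avail = (size_t)(nul - payload);

	nlen = strlen(needle);
	if (nlen == 0)
		return 1;
	if (nlen > avail)
		return 0;

	for (i = 0; i + nlen <= avail; i++) {
		if (memcmp(payload + i, needle, nlen) == 0)
			return 1;
	}
	return 0;
}

/*
 * Validate the IP header at `data` against the captured length.
 *
 * Returns the IP header length in bytes (ip_hl * 4), or 0 when the capture
 * is too short to hold the IP header plus `need` bytes of the next header,
 * or when ip_hl is smaller than the fixed 20-byte header.
 */
static size_t ip_header_len(const u_char *data, u_short len, size_t need)
{
	const struct ip *sip = (const struct ip *)data;
	size_t hl;

	if (len < sizeof(struct ip))
		return 0;
	hl = (size_t)sip->ip_hl << 2;
	if (hl < sizeof(struct ip) || hl + need > len)
		return 0;
	return hl;
}

/*
 * Capture loop: hands packets from `pd` to read_processor() one at a time
 * until this process has been re-parented to init (getppid() == 1).
 */
void dolisten(pcap_t *pd)
{
	struct timeval now;
	struct timeval start;

	if (FlgExtraDebug)
		printf("Starting listener. Data offset = %d\n", PcapOffset);

	gettimeofday(&start, NULL);
	now.tv_sec = start.tv_sec;
	now.tv_usec = start.tv_usec;

	while (getppid() != 1) {
		do {
			/*
			 * The user argument is unused by read_processor(); pass
			 * NULL rather than an uninitialised pointer.
			 */
			switch (pcap_dispatch(pd, 1, (pcap_handler)read_processor,
			                      NULL)) {
			case 0:	/* read nothing. decrement counter below */
				gettimeofday(&now, NULL);
				break;
			case -1:	/* Error */
				fprintf(stderr, "pcap_dispatch error: %s\n",
				        pcap_geterr(pd));
				gettimeofday(&now, NULL);
				break;
			default:	/* Read something. reset timer */
				/*
				 * NOTE(review): the original followed this break
				 * with two assignments copying start into now that
				 * could never execute.  They are dropped so that
				 * behaviour is unchanged; whether now should be
				 * reset here depends on TIMEVAL_SUBTRACT, which is
				 * defined outside this file - confirm.
				 */
				gettimeofday(&start, NULL);
				break;
			}
		} while (TIMEVAL_SUBTRACT(now, start) < (TO * 3000000));
	}
}

/*
 * pcap callback: strips the link-layer header and dispatches the packet to
 * the per-protocol signature check.
 *
 * disp  unused user pointer from pcap_dispatch()
 * h     capture header; h->caplen bounds how much of `data` is valid
 * data  captured frame, link-layer header first
 */
void read_processor(u_char *disp, struct pcap_pkthdr *h, u_char *data)
{
	struct ip *srcip;
	unsigned long avail;
	u_short len;

	(void)disp;

	/*
	 * Captured frames are untrusted: refuse anything too short to hold
	 * the link header plus a fixed IP header, so the subtraction below
	 * cannot wrap and ip_p is read from captured bytes only.
	 */
	if (h->caplen <= PcapOffset)
		return;
	avail = (unsigned long)h->caplen - PcapOffset;
	if (avail < sizeof(struct ip))
		return;
	/* The check_*() helpers take a u_short length; clamp, don't truncate. */
	if (avail > 0xffff)
		avail = 0xffff;
	len = (u_short)avail;

	data += PcapOffset;	/* Skip device header */
	srcip = (struct ip *)data;

	/*
	 * This tests pointer alignment (low two address bits), not IP
	 * fragmentation; the message text is kept as the original printed it.
	 */
	if ((long)srcip & 3) {
		printf("Fragmented packet encountered. I don't deal with these.\n");
		return;
	}

	switch (srcip->ip_p) {
	case IPPROTO_ICMP:
		check_icmp(data, len);
		break;
	case IPPROTO_UDP:
		check_udp(data, len);
		break;
	case IPPROTO_TCP:
		check_tcp(data, len);
		break;
	/*
	 * Not satisfactory but working to detect Stacheldraht V4 Agents
	 * (per CERTA)
	 */
	case IPPROTO_EGP:
		check_icmp(data, len);
		break;
	default:
		break;
	}
}

/*
 * Compare a captured TCP segment against every entry in TCP_Recv.
 *
 * One point each is scored for a matching source port, destination port and
 * payload string; an entry is reported when the score reaches its nmatch.
 *
 * data  start of the IP header
 * len   number of captured bytes available from `data`
 */
void check_tcp(u_char *data, u_short len)
{
	struct tcphdr *itcp;
	struct ip *sip;
	struct tcp_item *current;
	size_t iphl;
	size_t thl;
	size_t off;
	int status;

	/* Drop truncated segments instead of reading past the capture. */
	iphl = ip_header_len(data, len, sizeof(struct tcphdr));
	if (iphl == 0)
		return;

	sip = (struct ip *)data;
	itcp = (struct tcphdr *)(data + iphl);
	thl = (size_t)itcp->th_off << 2;
	off = iphl + thl;	/* payload offset from `data` */

	for (current = TCP_Recv; current; current = current->Next) {
		status = 0;
		if (ntohs(itcp->th_sport) == current->sport)
			status++;
		if (ntohs(itcp->th_dport) == current->dport)
			status++;
		/* Search the payload only if th_off is sane and data remains. */
		if (len > TCPMIN && current->string != NULL &&
		    thl >= sizeof(struct tcphdr) && off < len) {
			if (payload_has_string(data + off, (size_t)len - off,
			                       current->string))
				status++;
		}
		if (FlgExtraDebug)
			printf("%s TCP Status: %d\n", inet_ntoa(sip->ip_src), status);

		if (status >= current->nmatch) {
			printf("**** %s infected with %s\n", inet_ntoa(sip->ip_src),
			       current->name);
			fflush(NULL);
		}
	}
}

/*
 * Compare a captured UDP datagram against every entry in UDP_Recv.
 *
 * One point each is scored for a matching source port, destination port and
 * payload string; an entry is reported when the score reaches its nmatch.
 *
 * data  start of the IP header
 * len   number of captured bytes available from `data`
 */
void check_udp(u_char *data, u_short len)
{
	struct udphdr *iudp;
	struct ip *sip;
	struct udp_item *current;
	size_t iphl;
	size_t off;
	int status;

	/*
	 * Locate the UDP header via ip_hl, as check_tcp() does, so packets
	 * carrying IP options are not parsed at the wrong offset.
	 */
	iphl = ip_header_len(data, len, sizeof(struct udphdr));
	if (iphl == 0)
		return;

	sip = (struct ip *)data;
	iudp = (struct udphdr *)(data + iphl);
	off = iphl + sizeof(struct udphdr);	/* payload offset from `data` */

	for (current = UDP_Recv; current; current = current->Next) {
		status = 0;
		if (ntohs(iudp->uh_sport) == current->sport)
			status++;
		if (ntohs(iudp->uh_dport) == current->dport)
			status++;
		if (len > UDPMIN && current->string != NULL && off < len) {
			if (payload_has_string(data + off, (size_t)len - off,
			                       current->string))
				status++;
		}
		if (FlgExtraDebug)
			printf("%s UDP Status: %d\n", inet_ntoa(sip->ip_src), status);

		if (status >= current->nmatch) {
			printf("**** %s infected with %s\n", inet_ntoa(sip->ip_src),
			       current->name);
			fflush(NULL);
		}
	}
}

/*
 * Compare a captured ICMP message against every entry in ICMP_Recv.
 *
 * One point each is scored for a matching type, id, sequence number, code
 * and payload string; an entry is reported when the score reaches its
 * nmatch.  read_processor() also routes IPPROTO_EGP packets here.
 *
 * data  start of the IP header
 * len   number of captured bytes available from `data`
 */
void check_icmp(u_char *data, u_short len)
{
	struct icmp *icp;
	struct ip *sip;
	struct icmp_item *current;
	size_t iphl;
	size_t off;
	int status;		/* Status of check */

	/* type/code/id/seq live in the first ICMP_FIXED_HDR bytes. */
	iphl = ip_header_len(data, len, ICMP_FIXED_HDR);
	if (iphl == 0)
		return;

	sip = (struct ip *)data;
	icp = (struct icmp *)(data + iphl);
	/* The original searched from sizeof(struct icmp) past the header. */
	off = iphl + sizeof(struct icmp);

	for (current = ICMP_Recv; current; current = current->Next) {
		status = 0;
		if (icp->icmp_type == current->type)
			status++;
		if (ntohs(icp->icmp_id) == current->id)
			status++;
		if (ntohs(icp->icmp_seq) == current->seq)
			status++;
		if (icp->icmp_code == current->code)
			status++;
		if (len > ICMPMIN && current->string != NULL && off < len) {
			if (payload_has_string(data + off, (size_t)len - off,
			                       current->string))
				status++;
		}
		if (FlgExtraDebug)
			printf("%s ICMP status: %d\n", inet_ntoa(sip->ip_src), status);

		if (status >= current->nmatch) {
			printf("**** %s infected with %s\n", inet_ntoa(sip->ip_src),
			       current->name);
			fflush(NULL);
		}
	}
}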
