📄 agent.c
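#include "head.h"

int packetfd;                   /* packet socket the capture loop reads from */
struct trafflog log;            /* traffic counters updated by the capture loop */
struct attack_stats attack;     /* zeroed at start-up; not otherwise touched in this file */
int SNIFFER_MODE = 0;           /* set to 1 by "-d": print every packet */
char old_log_buff[MAXBUFFSIZE]; /* not used in this file */
int old_log_buff_count = 0;     /* not used in this file */

/*
 * Capture agent entry point.
 *
 * Opens a PF_PACKET/SOCK_DGRAM socket for IPv4, puts eth0 into promiscuous
 * mode, loads the configuration, installs the SIGINT/SIGALRM handlers, opens
 * ./logfile for appending and then loops forever: receive one packet, update
 * the counters in `log`, and hand the packet to the per-protocol handler.
 *
 * argv[1] is mandatory; "-d" enables sniffer mode (per-packet printing), any
 * other value runs without it.
 *
 * Everything read from the socket is untrusted. Header lengths claimed by a
 * packet are checked against the number of bytes recv() actually returned
 * before any header field beyond them is dereferenced.
 *
 * err_quit() is assumed not to return -- TODO confirm in head.h.
 * NOTE(review): the process needs privileges for the packet socket and then
 * appends to "./logfile" relative to the current directory; confirm the agent
 * is only started from a directory that other users cannot write to.
 */
int main(int argc, char *argv[])
{
    int n = 0, loop = 0;
    char buff[MAXBUFFSIZE];
    struct iphdr *iph;
    struct ifreq ifr;
    struct sbuff *sbuffptr;
    size_t avail;    /* bytes returned by recv() for the current packet */
    size_t ip_hlen;  /* IP header length in bytes (ihl * 4) */
    size_t tcp_hlen; /* TCP header length in bytes (doff * 4) */

    if (argc != 2)
        err_quit("Usage: please choose -d or not\n");
    if (!strcmp(argv[1], "-d")) {
        SNIFFER_MODE = 1;
        printf("Enter sniffer mode...\n");
    }

    packetfd = socket(PF_PACKET, SOCK_DGRAM, htons(ETH_P_IP));
    if (packetfd < 0)
        err_quit("packet socket wrong--are you root?\n");

    /* Clear the request first so the ioctl never sees stack garbage. */
    bzero(&ifr, sizeof(ifr));
    strcpy(ifr.ifr_name, "eth0");
    if (ioctl(packetfd, SIOCGIFFLAGS, &ifr) < 0)
        err_quit("ioctl can not get flags\n");
    ifr.ifr_flags |= IFF_PROMISC;
    if (ioctl(packetfd, SIOCSIFFLAGS, &ifr) < 0)
        err_quit("can not set PROMISC mode\n");

    process_cfg(); /* Define what port to open */
    signal(SIGINT, final_quit);
    signal(SIGALRM, stats);
    bzero(&log, sizeof(log));
    bzero(&attack, sizeof(attack));
    alarm(1);

    /* fopen() reports failure with NULL, not with a negative value. */
    logfd = fopen("./logfile", "a");
    if (logfd == NULL)
        err_quit("logerro");

    printf("Begain to loop\n");
    for (;;) {
        if (SNIFFER_MODE) {
            loop++;
            printf("\nPacket NO.%d------------------------------\n", loop);
        }

        n = recv(packetfd, buff, sizeof(buff), 0);
        if (n < 0)
            err_quit("read wrong\n");
        log.totalbytes += n;
        avail = (size_t)n;

        /* A packet shorter than a minimal IP header cannot be parsed. */
        if (avail < sizeof(struct iphdr)) {
            log.bad_ippacket++;
            continue;
        }
        iph = (struct iphdr *)buff;
        if (SNIFFER_MODE)
            print_iph(iph);

        if (iph->ihl < 5 || iph->version != 4) {
            log.bad_ippacket++;
            continue;
        }
        /* The claimed header length must fit inside what was received. */
        ip_hlen = (size_t)iph->ihl << 2;
        if (ip_hlen > avail) {
            log.bad_ippacket++;
            continue;
        }
        log.ippacket++;

        /*
         * Allocate only after the packet passed validation, so rejected
         * packets do not leak a descriptor. On allocation failure the packet
         * is dropped; it has already been consumed from the socket.
         */
        sbuffptr = calloc(1, sizeof(*sbuffptr));
        if (!sbuffptr)
            continue;
        sbuffptr->nh.iph = iph;
        sbuffptr->data = buff;

        if (iph->frag_off & htons(IP_MF | IP_OFFSET)) {
            log.fragment++;
            check_dos_pingofdeath(sbuffptr);
        }

        /*
         * The header pointer is re-read from the descriptor as in the
         * original code; if the helper replaced it, the length has to be
         * validated again -- presumably it does not, confirm in the helper.
         */
        iph = sbuffptr->nh.iph;
        ip_hlen = (size_t)iph->ihl << 2;
        if (ip_hlen < sizeof(struct iphdr) || ip_hlen > avail) {
            log.bad_ippacket++;
            free(sbuffptr);
            continue;
        }

        /*
         * Protocol counters are kept as before. A packet whose transport
         * header does not fit in the received bytes is additionally counted
         * in bad_ippacket and is not passed to its handler.
         * NOTE(review): non-first fragments carry no transport header, yet
         * they are parsed here as if they did; the descriptor also carries no
         * length as far as this file shows, so the handlers must bound their
         * own reads -- confirm.
         */
        switch (iph->protocol) {
        case 6: /* TCP */
            log.tcppacket++;
            if (avail - ip_hlen < sizeof(struct tcphdr)) {
                log.bad_ippacket++;
                break;
            }
            sbuffptr->h.tcph = (struct tcphdr *)&buff[ip_hlen];
            tcp_hlen = (size_t)sbuffptr->h.tcph->doff << 2;
            if (tcp_hlen < sizeof(struct tcphdr) || tcp_hlen > avail - ip_hlen) {
                log.bad_ippacket++;
                break;
            }
            sbuffptr->data = buff + ip_hlen + tcp_hlen;
            process_tcp(sbuffptr);
            break;
        case 17: /* UDP */
            log.udppacket++;
            if (avail - ip_hlen < sizeof(struct udphdr)) {
                log.bad_ippacket++;
                break;
            }
            sbuffptr->h.udph = (struct udphdr *)&buff[ip_hlen];
            sbuffptr->data = buff + ip_hlen + 8;
            process_udp(sbuffptr);
            break;
        case 1: /* ICMP */
            log.icmppacket++;
            if (avail - ip_hlen < sizeof(struct icmphdr)) {
                log.bad_ippacket++;
                break;
            }
            sbuffptr->h.icmph = (struct icmphdr *)&buff[ip_hlen];
            sbuffptr->data = buff + ip_hlen + 8;
            /* NOTE(review): looks like a leftover debug log entry -- confirm. */
            do_log("asdfasfderqtwe", sbuffptr);
            process_icmp(sbuffptr);
            break;
        case 2: /* IGMP */
            log.igmppacket++;
            if (avail - ip_hlen < sizeof(struct igmphdr)) {
                log.bad_ippacket++;
                break;
            }
            sbuffptr->h.igmph = (struct igmphdr *)&buff[ip_hlen];
            process_igmp(sbuffptr);
            break;
        default:
            log.unknownpacket++;
            printf("Unkown Protocol:%d\n", iph->protocol);
            break;
        }
        free(sbuffptr);
    }
}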