flowps_snort.c


     *
     *
     */
    /*
     * NOTE(review): the function containing the statements below starts
     * before this page; only its tail is visible here.  From what is
     * visible: it promotes a tracked address from the "active" table to
     * the "scanner" table, and if alert_flags is set it records the new
     * flags on the entry and hands it to the output system.
     */
    if(current_entry->position == TRACKER_ACTIVE && tr_pos == TRACKER_SCANNER)
    {
        int ret;

        //flow_printf("moving this one! (cur %d) -> (new %d) %s\n",
        //current_entry->position, tr_pos, inet_ntoa(*(struct in_addr *) address));

        /* move address TO scanner FROM active */
        ret = scoreboard_move(&pstp->table_scanner, &pstp->table_active, address);

        if(ret != FLOW_SUCCESS)
        {
            /* inet_ntoa() writes into a static buffer; it is the only
             * inet_ntoa() argument in this call, so no clobbering here. */
            flow_printf("Unable to move %s\n",inet_ntoa(*(struct in_addr *) address));
            return -1;
        }
        else
        {
            /* @todo - move this into the scoreboard mv call */
            /* The entry's cached position is updated separately from the
             * table move above; the two must stay in sync. */
            current_entry->position = TRACKER_SCANNER;
        }
    }

    if(s_debug > 5)
    {
        if(tr_pos == TRACKER_SCANNER)
        {
            flow_printf("Found a tracker scanner!\n");
            flowps_entry_print(current_entry, address);
        }
    }

    if(s_debug > 10)
    {
        flowps_entry_print(current_entry, address);
    }

    if(alert_flags)
    {
        /* Only rewrite the stored flags when they actually changed. */
        if(alert_flags != current_entry->flags)
        {
            current_entry->flags = alert_flags;

            if(s_debug > 4)
            {
                flowps_entry_print(current_entry, address);
            }
        }

        /* push things through the output system */
        /* The return value of flowps_generate_flow_event() is not checked
         * here; a FLOW_EINVALID (no alert bit set in the entry's flags) is
         * silently dropped. */
        flowps_generate_flow_event(current_entry, p, address,
                                   pstp->config.output_mode,
                                   cur);
    }

    return 0;
}

/**
 * Emit a Snort event for a score entry that has crossed an alert threshold.
 *
 * The event type (the sid under GENERATOR_FLOW_PORTSCAN) is chosen from the
 * alert bits in sep->flags, in the fixed-scanner, sliding-scanner,
 * sliding-talker, fixed-talker order below; the first bit set wins.  The
 * event is generated only the first time for a given entry
 * (sep->event_id == 0); afterwards the event id and time are cached on the
 * entry.  The LogTagData() follow-up for later hits is compiled out
 * (#if XXX).
 *
 * @param sep          score entry that triggered the alert
 * @param orig_packet  packet that caused the score update (used only for
 *                     the PKTKLUDGE output mode, to pick a destination IP)
 * @param address      ptr to the attacker's IPv4 address (network order)
 * @param output_type  PKTKLUDGE (synthesised packet + message) or
 *                     VARIABLEMSG (message only, NULL packet)
 * @param cur          current time, stamped into the synthesised packet
 *
 * @return FLOW_SUCCESS, or FLOW_EINVALID if no alert bit is set in
 *         sep->flags.  Any other output_type value produces no event and
 *         still returns FLOW_SUCCESS (the switch has no default case).
 */
static int flowps_generate_flow_event(SCORE_ENTRY *sep, FLOWPACKET *orig_packet,
                                      uint32_t *address,
                                      FLOWPS_OUTPUT output_type,
                                      time_t cur)
{
    Packet *p = NULL;
    char buf[1024 + 1];
    uint32_t event_id;
    uint32_t event_type; /* the sid for the gid */

    /*  Assign an event type to the display */
    if(sep->flags & ALERT_FIXED_SCANNER)
    {
        event_type = FLOW_SCANNER_FIXED_ALERT;
    }
    else if(sep->flags & ALERT_SLIDING_SCANNER)
    {
        event_type = FLOW_SCANNER_SLIDING_ALERT;
    }
    else if(sep->flags & ALERT_SLIDING_TALKER)
    {
        event_type = FLOW_TALKER_SLIDING_ALERT;
    }
    else if(sep->flags & ALERT_FIXED_TALKER)
    {
        event_type = FLOW_TALKER_FIXED_ALERT;
    }
    else
    {
        return FLOW_EINVALID;
    }

    switch(output_type)
    {
    case PKTKLUDGE:
        /* log a packet to the output system */
        /* flowps_mkpacket() returns NULL if the score text does not fit;
         * in that case the event below is still generated, just with a
         * NULL packet, exactly like the VARIABLEMSG path. */
        p = flowps_mkpacket(sep, orig_packet, address, cur);
        /* fallthrough -- PKTKLUDGE also wants the message built below */
    case VARIABLEMSG:
        /* 1024 leaves buf[1024] untouched; it is NUL-terminated explicitly
         * below as belt-and-braces (snprintf already terminates). */
        snprintf(buf, 1024,
                 "Portscan detected from %s Talker(fixed: %u sliding: %u) Scanner(fixed: %u sliding: %u)",
                 inet_ntoa(*(struct in_addr *) address),
                 sep->fixed_talker.score, sep->sliding_talker.score,
                 sep->fixed_scanner.score, sep->sliding_scanner.score);
        buf[1024] = '\0';

        if(sep->event_id == 0)
        {
            /* p is NULL w/ the VARIABLEMSG fmt */
            event_id = GenerateSnortEvent(p,
                                          GENERATOR_FLOW_PORTSCAN,
                                          event_type,
                                          1, /* revision */
                                          1, /* classification */
                                          2, /* medium priority */
                                          buf);
            /*
             *  If this is the first time we have called an alert on this
             *  function, save it off so we have an event reference.
             */
            sep->event_id = event_id;

            /*
             * this is the last tv_sec from the packet
             */
            sep->event_sec = packet_timeofday();
        }
#if XXX
        else
        {
            LogTagData(p,
                       GENERATOR_FLOW_PORTSCAN,
                       FLOW_PORTSCAN_ALERT,
                       1,               /* revision */
                       1,               /* classification */
                       2,               /* medium priority */
                       sep->event_id,   /* ref event */
                       sep->event_sec,  /* reference sec */
                       buf);
        }
#endif /* XXX */
    }

    return FLOW_SUCCESS;
}

/**
 * Print the score entry to a buffer
 *
 * snprintf doesn't protect us any since we are calculating so much
 * but it does make me be explicit on how much data I am putting in.
 *
 * Every snprintf() result is checked: a truncated write returns a value
 * >= remaining, which drives remaining to <= 0 and makes the function
 * fail rather than report a partial string.  Consequently a successful
 * return value is always strictly less than buflen, so the caller can
 * safely write a terminator at buf[result].
 *
 * NOTE(review): buf is declared unsigned char * but snprintf() takes
 * char *; compilers warn about the incompatible pointer type.  Left as is.
 *
 * @param buf buf to print into
 * @param buflen size of buffer
 * @param sep score entry to print
 * @param address address of attacker
 *
 * @return number of bytes written (excluding the NUL) on success,
 *         -1 on bad arguments or if the text does not fit in buflen
 */
static int score_entry_sprint(unsigned char *buf, int buflen, SCORE_ENTRY *sep, uint32_t *address)
{
    int printed = 0; /* tmp */
    int total_printed = 0;
    int remaining = buflen;
    int i;

    if(buf && buflen > 0 && sep && address)
    {
        /* One inet_ntoa() call per snprintf(), so its static buffer is
         * not overwritten mid-format. */
        printed = snprintf(buf + total_printed,
                           remaining,
                           "Address: %s\n"
                           "AT_SCORE: %u\n"
                           "ST_SCORE: %u\n"
                           "AS_SCORE: %u\n"
                           "SS_SCORE: %u\n"
                           "Total Connections: %u\n"
                           "ScanFlags: 0x%x\n"
                           "AT_STARTEND: %u %u\n"
                           "ST_STARTEND: %u %u\n"
                           "AS_STARTEND: %u %u\n"
                           "SS_STARTEND: %u %u\n"
                           "REF_SEC:   %u\n"
                           "REF_EVENT: %u\n",
                           inet_ntoa(*(struct in_addr *)address),
                           sep->fixed_talker.score,
                           sep->sliding_talker.score,
                           sep->fixed_scanner.score,
                           sep->sliding_scanner.score,
                           sep->connections_seen,
                           sep->flags,
                           (unsigned) sep->fixed_talker.start,
                           (unsigned) sep->fixed_talker.ends,
                           (unsigned) sep->sliding_talker.start,
                           (unsigned) sep->sliding_talker.ends,
                           (unsigned) sep->fixed_scanner.start,
                           (unsigned) sep->fixed_scanner.ends,
                           (unsigned) sep->sliding_scanner.start,
                           (unsigned) sep->sliding_scanner.ends,
                           (unsigned) sep->event_sec,
                           sep->event_id);
        if(printed <= 0)
            return -1;

        remaining     -= printed;
        total_printed += printed;

        /* <= 0 here means the header was truncated (printed >= remaining). */
        if(remaining <= 0)
            return -1;

        /* as long as we have a positive # of connections, pump out the info */
        /* Bounded by FLOWPS_HOSTS_SIZE as well as connections_seen, so the
         * last_hosts index cannot run past the array (assuming last_hosts
         * holds FLOWPS_HOSTS_SIZE entries -- TODO confirm in the header).
         * NOTE(review): i is int while connections_seen is printed with %u
         * above, so this is a signed/unsigned comparison. */
        for(i=0; i < sep->connections_seen && i < FLOWPS_HOSTS_SIZE; i++)
        {
            CONN_ENTRY *cp = &sep->last_hosts[i];

            printed = snprintf(buf + total_printed,
                               remaining,
                               "ConnInfo: (%d:%s:%d Flags: %x)\n",
                               cp->protocol,
                               inet_ntoa(*(struct in_addr*) &cp->ip),
                               cp->port,
                               cp->cflags);
            if(printed <= 0)
                return -1;

            remaining     -= printed;
            total_printed += printed;

            if(remaining <= 0)
                return -1;
        }

        /* successful exit! */
        return total_printed;
    }

    return -1;
}

/**
 * Make a packet with the flowps data in it.
 *
 * This is used to generate a fake IP datagram to carry portscan data
 * from snort so that it can be processed by custom utilities.
 *
 * SRC + DST mac addresses = "MACDAD"
 * sip+dip == attacker
 * ip proto 255
 * ttl = 0
 * chksum = 0
 *
 * The packet is the single static one set up by flowps_init_pkt() (s_pkt);
 * every call overwrites it, so the returned pointer is only valid until
 * the next call.  Observed from the code: the IP source is the attacker
 * address and the IP destination is taken from orig_packet.
 *
 * @param sep score entry to generate a packet from
 * @param orig_packet packet whose IPv4 destination becomes the fake dst
 * @param address ptr to the address of the attacker
 * @param cur timestamp written into the pcap header
 *
 * @return a pointer to a fully formed packet on success, NULL if the score
 *         text does not fit in FLOWPSMAXPKTSIZE
 */
static Packet *flowps_mkpacket(SCORE_ENTRY *sep, FLOWPACKET *orig_packet, uint32_t *address, time_t cur)
{
    Packet *p = s_pkt;
    int len;
    uint32_t dst_ip;
    unsigned short plen;

    p->pkth->ts.tv_sec = cur;

    dst_ip = GetIPv4DstIp(orig_packet);

    memcpy(&p->iph->ip_src.s_addr, address, 4);
    memcpy(&p->iph->ip_dst.s_addr, &dst_ip, 4);

    len = score_entry_sprint(p->data, FLOWPSMAXPKTSIZE, sep, address);

    if(len <= 0)
    {
        /* this can never return more than FLOWPSMAXPKTSIZE */
        return NULL;
    }

    /* score_entry_sprint() only succeeds with len < FLOWPSMAXPKTSIZE, so
     * this terminator stays inside the data area. */
    p->data[len] = '\0';

    /* explicitly cast it down */
    plen = (len & 0xFFFF);

    /* NOTE(review): plen is unsigned short, so plen + IP_HEADER_LEN is
     * evaluated as int after promotion and this comparison can never be
     * true; the guard is effectively dead.  The real bound is that len is
     * below FLOWPSMAXPKTSIZE (value not visible here -- TODO confirm it
     * keeps plen + IP_HEADER_LEN within 16 bits). */
    if((plen + IP_HEADER_LEN) < plen)
    {
        /* wrap around */
        return NULL;
    }

    p->dsize = plen;

    plen += IP_HEADER_LEN;

    p->iph->ip_len = htons(plen);

    p->pkth->caplen = ETHERNET_HEADER_LEN + plen;
    p->pkth->len    = ETHERNET_HEADER_LEN + plen;

    return p;
}

/**
 * Initialize the static packet used for the portscan flow plugin.
 *
 * This allocates 2 bytes over what it needs to so that the IP header
 * will be 32bit aligned.
 *
 * The pcap header pointer stored in p->pkth is the calloc() result
 * advanced by twiddlebytes, so it must not be passed back to free()
 * directly.  Fields that flowps_mkpacket() later rewrites (ip_len, the
 * addresses, the pcap lengths) are only given placeholder values here.
 *
 * NOTE(review): the buffer is sized with sizeof(struct pcap_pkthdr) but
 * p->pkt is placed at sizeof(SnortPktHeader) past p->pkth; these are
 * presumably the same size -- confirm against the headers.
 * NOTE(review): the code continues after flow_fatalerror() on allocation
 * failure, so it relies on that function not returning.
 *
 * @return FLOW_SUCCESS on success
 */
static int flowps_init_pkt(void)
{
    Packet *p = NULL;
    const char *flow_portscan_mac_addr = "MACDADDY";
    const char twiddlebytes = 2;

    p = calloc(1,sizeof(Packet));

    if(!p)
    {
        flow_fatalerror("Unable to alloc memory for the flow-portscan packet!\n");
    }

    p->pkth = calloc(1,
                     sizeof(struct pcap_pkthdr) + ETHERNET_HEADER_LEN
                     + twiddlebytes + IP_MAXPACKET);

    if(!p->pkth)
    {
        flow_fatalerror("Unable to alloc memory for the flow-portscan packet!\n");
    }
    else
    {
        /* skip the 2 padding bytes so the IP header that follows the
         * 14-byte Ethernet header lands on a 4-byte boundary */
        p->pkth = (struct pcap_pkthdr *) (((uint8_t *) p->pkth) + twiddlebytes);
    }

    /* lay the Ethernet / IP / data views over the single buffer */
    p->pkt  =  ((uint8_t *)p->pkth) + sizeof(SnortPktHeader);
    p->eh   =   (EtherHdr *)((uint8_t *)p->pkt);
    p->iph  =  (IPHdr *)((uint8_t *)p->eh + ETHERNET_HEADER_LEN);
    p->data =  ((uint8_t *)p->iph) + sizeof(IPHdr);

    /* p->data is now pkt +
     *  IPMAX_PACKET - (IP_HEADER_LEN + ETHERNET_HEADER_LEN)
     *
     * This is MAXFLOWPSPKTSIZE
     *
     */

    /* 0x0800 = IPv4; only the first 6 bytes of "MACDADDY" are used */
    p->eh->ether_type = htons(0x0800);
    memcpy(p->eh->ether_dst, flow_portscan_mac_addr, 6);
    memcpy(p->eh->ether_src, flow_portscan_mac_addr, 6);

    SET_IP_VER(p->iph,  0x4);
    SET_IP_HLEN(p->iph, 0x5);

    p->iph->ip_proto = 0xFF;  /* set a reserved protocol */
    p->iph->ip_ttl   = 0x00;  /* set a TTL we'd never see */

    /* placeholder; overwritten per packet by flowps_mkpacket() */
    p->iph->ip_len = 0x5;
    p->iph->ip_tos = 0x10;

    /* save off s_pkt for flowps_mkpkt */
    s_pkt = p;

    return FLOW_SUCCESS;
}
