📄 snortpp.c
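/* $Id: snortpp.c,v 1.1 2001/08/11 05:12:27 dragosr Exp $ */
/*
** Copyright (C) 2001 Dragos Ruiu <dr@kyx.net>
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License as published by
** the Free Software Foundation; either version 2 of the License, or
** (at your option) any later version.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

#include <stdio.h>
#include <string.h>
#include <strings.h>    /* strncasecmp() */
#include <stdlib.h>
#include <ctype.h>      /* isspace() */
#include <unistd.h>
#include "splay.c"

#ifndef NULL
#define NULL 0
#endif
#ifndef TRUE
#define TRUE 1
#endif
#ifndef FALSE
#define FALSE 0
#endif

/* Protocol keywords accepted by isproto(); the empty string ends the list. */
char *validproto[] = { "ip", "arp", "tcp", "udp", "icmp", "" };

/* One address term of a rule; terms of a comma list are chained via next. */
typedef struct ruleip RuleIP;
struct ruleip
{
    char *ipstr;            /* heap copy of the term text (or "Any") */
    char any;               /* TRUE when the term matches any address */
    char not;               /* TRUE when the term was prefixed with '!' */
    int byte[4];            /* dotted-quad octets as parsed by sscanf("%d") */
    int cidr;               /* value after '/', 0 when absent */
    char var;               /* TRUE when the term is a '$' variable */
    char *varname;          /* heap copy of the variable name */
    struct ruleip *next;
};

/* Port specification of a rule: "any", a single port, or a min:max range. */
struct ruleport
{
    char *portstr;          /* heap copy of the field text (or "any") */
    char any;
    char not;
    char var;
    char *varname;
    int min, max;
    struct ruleport *next;
};
typedef struct ruleport RulePort;

struct strlist
{
    char *str;
    struct strlist *next;
};
typedef struct strlist RuleParm;
typedef struct strlist StrList;

struct rulekey
{
    char *keystr;
    char *key;
    RuleParm *parms;
    struct rulekey *next;
};
typedef struct rulekey RuleKey;

/* Direction codes; presumably the values stored in Rule.dir -- confirm. */
#define DIRFORW 1
#define DIRREV 2
#define DIRBOTH 3

struct ruletext
{
    char *rulestr;
    char *type;
    char *proto;
    char *saddrstr;
    char *daddrstr;
    char *sportstr;
    char *dportstr;
    char *dirstr;
    char *keystr;
    RuleIP *saddr, *daddr;
    RulePort *sport, *dport;
    RuleKey *keys;
    int dir;
    char *comment;
    int sid, rev;
    struct ruletext *next;
};
typedef struct ruletext Rule;

/* Accumulated diagnostics; written only through errormsg(). */
char errorstr[32767];

struct varlist
{
    char *name;
    char *val;
    struct varlist *next;
};
typedef struct varlist SnortVar;

SnortVar *variables;
SplayTree *vars, *ruletree, *types;
FILE *outf;
int localsid;

/**********************
End of Global Declaration:
Start of Code
***********************/

/* Splay-tree comparison callback: orders two variables by name. */
int varcmp(SnortVar *x, SnortVar *y)
{
    return strcmp(x->name, y->name);
}

/*
 * Append a diagnostic to the global errorstr buffer.
 *
 * As before, nothing is appended once the buffer already holds 32700 or
 * more characters.  The append itself is now limited to the space left in
 * errorstr, so a long message is truncated instead of overrunning the
 * array, and a NULL message is ignored.
 *
 * NOTE(review): plain `inline` at file scope has different linkage under
 * gnu89 and C99 -- confirm the intended build mode.
 */
inline void errormsg(char *str)
{
    const size_t soft_limit = 32700;
    size_t used;

    if (!str)
        return;

    used = strlen(errorstr);
    if (used < soft_limit)
        strncat(errorstr, str, sizeof errorstr - used - 1);
}

/*
 * Locate character c in str, with special handling when a double quote
 * occurs before the first c.
 *
 * Returns a pointer into str, or NULL when str is NULL, c is not found,
 * or the string ends during the scan that follows a quote.
 *
 * Changes from the original:
 *  - A quote at the very start of str used to be tested with *(str-1),
 *    which reads one byte before the caller's string.  A quote at the
 *    start is now treated as not escaped.
 *  - The self-call after an escaped quote is now a loop, so stack depth no
 *    longer grows with the number of \" sequences in the input.
 *
 * NOTE(review): the scan after a quote stops at the first c, even when no
 * closing quote has been seen -- confirm that this is intended.
 */
inline char *strquotchr(char *str, char c)
{
    char *base = str;
    char *quote, *hit;

    if (!str)
        return NULL;

    for (;;)
    {
        quote = strchr(str, (int)'\"');
        hit = strchr(str, (int)c);

        /* No quote ahead of c (or no c at all): plain strchr() result. */
        if (!quote || !hit || quote >= hit)
            return hit;

        str = quote;

        /* Escaped quote: step over it and look again. */
        if (str > base && str[-1] == '\\')
        {
            str++;
            continue;
        }

        /* Advance until c or an escaped quote is reached. */
        while ((*str != '\"' || str == base || str[-1] != '\\') && *str != c)
        {
            str++;
            if (!*str)
                return NULL;
        }

        if (*str == c)
            return str;
        /* Stopped on an escaped quote: the next pass steps over it. */
    }
}

/*
 * Cut a string in two at *split.
 *
 * When *split is non-NULL the character it points at is overwritten with
 * NUL, and *split is advanced past it and past any following whitespace.
 * Trailing whitespace is then removed from *main.  The two arguments may
 * refer to the same pointer (parseaddr() calls it that way).
 *
 * Fix: an empty *main used to be indexed at strlen()-1, i.e. one byte
 * before the string, and that byte was overwritten when it happened to be
 * whitespace.  The length is now checked first.  Characters are cast to
 * unsigned char before isspace(), which is undefined for negative values.
 */
inline void splitstr(char *main[], char **split)
{
    if (*split)
    {
        *((*split)++) = '\0';
        while (isspace((unsigned char)**split))
            (*split)++;
    }

    if (*main)
    {
        size_t len = strlen(*main);

        while (len > 0 && isspace((unsigned char)(*main)[len - 1]))
            (*main)[--len] = '\0';
    }
}

/*
 * Strip leading and trailing whitespace from *str in place: the pointer
 * is advanced past leading blanks and trailing blanks are overwritten
 * with NUL.
 *
 * Fix: a string that is empty, or becomes empty after the leading blanks
 * are skipped, no longer causes an access one byte before the buffer.
 */
inline void trim(char *str[])
{
    size_t len;

    if (!*str)
        return;

    while (isspace((unsigned char)**str))
        (*str)++;

    len = strlen(*str);
    while (len > 0 && isspace((unsigned char)(*str)[len - 1]))
        (*str)[--len] = '\0';
}

/*
 * Return TRUE when test is exactly one of the validproto keywords
 * (case-sensitive), FALSE otherwise.  A NULL argument yields FALSE.
 */
int isproto(char *test)
{
    int i;

    if (!test)
        return FALSE;

    for (i = 0; *(validproto[i]); i++)
        if (strcmp(test, validproto[i]) == 0)
            return TRUE;

    return FALSE;
}

/*
 * Parse one port field into a freshly allocated RulePort stored in
 * *portptr.  tmp is modified in place.
 *
 * Accepted forms, as implemented below: "any" (prefix match, any case),
 * an optional '!' prefix, "$name" (looked up in the vars splay tree),
 * "min:max" with either side optional, or a single number.  Problems are
 * reported through errormsg() and the field falls back to "any".
 *
 * Fix: two branches replaced portstr without freeing the copy made at the
 * top of the function; they now free it first.
 *
 * NOTE(review): allocation results are not checked, so an out-of-memory
 * condition dereferences NULL.  The sscanf() results are not checked
 * either, and min/max are not limited to 0..65535; code that consumes
 * them has to validate the range.
 */
void parseport(Rule *raw, char *tmp, RulePort **portptr)
{
    char *x, *y;
    const char any[] = "any";

    x = tmp;
    *portptr = calloc(1, sizeof(RulePort) + 1);

    if (x && *x)
    {
        (*portptr)->portstr = calloc(1, strlen(x) + 1);
        strcpy((*portptr)->portstr, x);

        if (strncasecmp(x, any, 3) == 0)
            (*portptr)->any = TRUE;
        else
        {
            if (*x == '!')
            {
                (*portptr)->not = TRUE;
                splitstr(&tmp, &x);     /* drops the '!' and advances x */
            }
            if (*x == '$')
            {
                (*portptr)->var = TRUE;
                splitstr(&tmp, &x);     /* drops the '$' and advances x */
                if (!*x)
                {
                    errormsg("Empty port after \'$\' ignoring and using any.\n");
                    (*portptr)->any = TRUE;
                    free((*portptr)->portstr);
                    (*portptr)->portstr = calloc(4, 1);
                    strcpy((*portptr)->portstr, any);
                }
                else
                {
                    if (!vars)
                    {
                        errormsg("No variables defined, using port = \"any\".\n");
                        (*portptr)->any = TRUE;
                        free((*portptr)->portstr);
                        (*portptr)->portstr = calloc(4, 1);
                        strcpy((*portptr)->portstr, any);
                    }
                    else
                    {
                        SnortVar *n;

                        (*portptr)->var = TRUE;
                        (*portptr)->varname = calloc(1, strlen(x) + 1);
                        strcpy((*portptr)->varname, x);

                        /* Temporary lookup key; it borrows varname. */
                        n = calloc(sizeof(SnortVar), 1);
                        n->name = (*portptr)->varname;
                        vars = splay(n, vars, varcmp);
                        if (vars && varcmp(vars->key, n) != 0)
                        {
                            errormsg("Undefined variable, using port = \"any\".\n");
                            (*portptr)->any = TRUE;
                            free((*portptr)->portstr);
                            (*portptr)->portstr = calloc(4, 1);
                            strcpy((*portptr)->portstr, any);
                        }
                        free(n);
                    }
                }
            }
            else if ((y = strchr(x, ':')))
            {
                splitstr(&x, &y);
                if (!*x)
                {
                    errormsg("Empty destination port before \':\' assuming 1 minimum.\n");
                    (*portptr)->min = 1;
                }
                else
                    sscanf(x, "%d", &((*portptr)->min));

                if (!*y)
                {
                    errormsg("Empty destination port after \':\' assuming 65535 maximum.\n");
                    (*portptr)->max = 65535;
                }
                else
                    sscanf(y, "%d", &((*portptr)->max));
            }
            else
            {
                if (!*x)
                {
                    errormsg("Empty destination port, ignoring and using any.\n");
                    (*portptr)->any = TRUE;
                    free((*portptr)->portstr);
                    (*portptr)->portstr = calloc(4, 1);
                    strcpy((*portptr)->portstr, any);
                }
                else
                {
                    sscanf(x, "%d", &((*portptr)->min));
                    (*portptr)->max = (*portptr)->min;
                }
            }
        }
    }
    else if (!x || !*x)
    {
        errormsg("Missing destination field assuming port = any.\n");
        (*portptr)->any = TRUE;
        (*portptr)->portstr = calloc(4, 1);
        strcpy((*portptr)->portstr, any);
    }
}

/*
 * Unlink a rejected address node from the list before releasing it.
 * prev is the node that preceded it, or NULL when node is the list head.
 */
static void dropaddr(RuleIP **addrptr, RuleIP *prev, RuleIP *node)
{
    if (prev)
        prev->next = NULL;
    else
        *addrptr = NULL;

    free(node->ipstr);
    free(node);
}

/*
 * Parse a comma-separated address field and append one RuleIP per term to
 * the list at *addrptr.  tmp is modified in place.
 *
 * Each term may be "any" (prefix match, any case), carry a '!' prefix, be
 * a "$name" variable looked up in the vars splay tree, or be a dotted
 * quad with an optional "/cidr".  Problems are reported through
 * errormsg().  If the list is still empty at the end, a single "Any"
 * entry is created.
 *
 * Fixes:
 *  - A rejected term was freed while still linked into the list (as
 *    *addrptr or as the previous node's next), leaving a dangling pointer
 *    for the next term and for the caller.  It is now unlinked first.
 *  - The initial trailing-whitespace strip indexed strlen()-1 on an empty
 *    string; the length is now checked.
 *  - Two messages were appended with a bare strcat() on errorstr, one of
 *    them without any length check; both now go through errormsg().
 *  - The "missing dots" branch leaked the previous ipstr.
 *
 * NOTE(review): allocation and sscanf() results are not checked, and the
 * octets and CIDR value are stored without range validation; consumers
 * must not assume 0..255 and 0..32.
 */
void parseaddr(Rule *raw, char *tmp, RuleIP **addrptr)
{
    RuleIP *lastaddr, *newaddr, *prevaddr;
    char *x, *y;
    const char any[] = "Any";

    lastaddr = *addrptr;

    if (tmp)
    {
        size_t len = strlen(tmp);

        while (len > 0 && isspace((unsigned char)tmp[len - 1]))
            tmp[--len] = '\0';
    }

    if (!tmp || !*tmp)
    {
        errormsg("No address found, assuming any.\n");
        *addrptr = calloc(sizeof(RuleIP), 1);
        (*addrptr)->any = TRUE;
        (*addrptr)->ipstr = calloc(4, 1);
        strcpy((*addrptr)->ipstr, any);
    }
    else while (tmp && *tmp)
    {
        trim(&tmp);
        x = strchr(tmp, ',');
        splitstr(&tmp, &x);     /* x becomes the rest of the list, or NULL */

        if (tmp && !*tmp)
            errormsg("No address found before \',\', ignoring.\n");
        else
        {
            /* Walk to the current tail, then append a zeroed node. */
            if (lastaddr)
                while ((newaddr = lastaddr->next))
                    lastaddr = newaddr;
            prevaddr = lastaddr;    /* NULL when the list is empty */

            newaddr = calloc(sizeof(RuleIP), 1);
            if (lastaddr)
                lastaddr->next = newaddr;
            else
            {
                (*addrptr) = newaddr;
                lastaddr = newaddr;
            }
            newaddr->byte[0] = 0;
            newaddr->byte[1] = 0;
            newaddr->byte[2] = 0;
            newaddr->byte[3] = 0;
            newaddr->cidr = 0;
            newaddr->next = NULL;
            newaddr->ipstr = calloc(1, strlen(tmp) + 1);
            strcpy(newaddr->ipstr, tmp);

            if (strncasecmp(tmp, any, 3) == 0)
            {
                newaddr->any = TRUE;
            }
            else
            {
                if (*tmp == '!')
                {
                    newaddr->not = TRUE;
                    splitstr(&tmp, &tmp);   /* drops the '!' */
                }
                if (*tmp == '$')
                {
                    splitstr(&tmp, &tmp);   /* drops the '$' */
                    if (tmp && !*tmp)
                    {
                        errormsg("Empty variable name after \'$\' ignoring.");
                        dropaddr(addrptr, prevaddr, newaddr);
                        lastaddr = prevaddr;
                    }
                    else
                    {
                        if (!vars)
                        {
                            errormsg("No variables defined, assuming address = \"Any\".\n");
                            newaddr->any = TRUE;
                            free(newaddr->ipstr);
                            newaddr->ipstr = calloc(4, 1);
                            strcpy(newaddr->ipstr, any);
                        }
                        else
                        {
                            SnortVar *n;

                            newaddr->var = TRUE;
                            newaddr->varname = calloc(1, strlen(tmp) + 1);
                            strcpy(newaddr->varname, tmp);

                            /* Temporary lookup key; it borrows varname. */
                            n = calloc(sizeof(SnortVar), 1);
                            n->name = newaddr->varname;
                            vars = splay(n, vars, varcmp);
                            if (vars && varcmp(vars->key, n) != 0)
                            {
                                errormsg("No address found, assuming any.\n");
                                newaddr->any = TRUE;
                                free(newaddr->ipstr);
                                newaddr->ipstr = calloc(4, 1);
                                strcpy(newaddr->ipstr, any);
                            }
                            free(n);
                        }
                    }
                }
                else
                {
                    if ((y = strchr(tmp, '/')))
                    {
                        splitstr(&tmp, &y);
                        if (!y || !*y)
                            errormsg("Empty CIDR ignoring.\n");
                        else
                            sscanf(y, "%d", &(newaddr->cidr));
                    }

                    if (tmp && !*tmp)
                    {
                        errormsg("Empty address following \'!\', or before \'/\' ignoring.\n");
                        dropaddr(addrptr, prevaddr, newaddr);
                        lastaddr = prevaddr;
                    }
                    else if ((y = strchr(tmp, '.')))
                    {
                        splitstr(&tmp, &y);
                        if (!*tmp)
                            errormsg("Empty first address octet, using 0.\n");
                        else
                            sscanf(tmp, "%d", &(newaddr->byte[0]));
                        tmp = y;

                        if ((y = strchr(tmp, '.')))
                        {
                            splitstr(&tmp, &y);
                            if (!*tmp)
                                errormsg("Empty second address octet, using 0.\n");
                            else
                                sscanf(tmp, "%d", &(newaddr->byte[1]));
                            tmp = y;

                            if ((y = strchr(tmp, '.')))
                            {
                                splitstr(&tmp, &y);
                                if (!*tmp)
                                    errormsg("Empty third address octet, using 0.\n");
                                else
                                    sscanf(tmp, "%d", &(newaddr->byte[2]));
                                tmp = y;

                                if (!tmp || !*tmp)
                                    errormsg("Address missing last octet after \'.\', using 0.\n");
                                else
                                    sscanf(tmp, "%d", &(newaddr->byte[3]));
                            }
                            else
                                errormsg("Address missing missing two octets and \'.\' ignoring, using 0.\n");
                        }
                        else
                            errormsg("Address missing three octets following \'.\' ignoring, using 0.\n");
                    }
                    else
                    {
                        errormsg("Address missing dots... ignoring, using \'Any\'.\n");
                        newaddr->any = TRUE;
                        free(newaddr->ipstr);
                        newaddr->ipstr = calloc(4, 1);
                        strcpy(newaddr->ipstr, any);
                    }
                }
            }
        }

        if (x && !*x)
            errormsg("No address found after \',\', ignoring.\n");
        tmp = x;
    }

    if (!*addrptr)
    {
        errormsg("Empty address assuming \"Any\".\n");
        *addrptr = calloc(sizeof(RuleIP), 1);
        (*addrptr)->any = TRUE;
        (*addrptr)->ipstr = calloc(4, 1);
        strcpy((*addrptr)->ipstr, any);
    }
}

void parsekey(Rule *raw, char *tmp)
{
    RuleKey **tkey;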