	RuleKey *lastkey, *newkey;	char *x, *y, *z;	char sid[] = "sid";	char rev[] = "rev";	lastkey = raw->keys;	if(tmp && *tmp)	{		if(isspace(*tmp) || *tmp == ';' || *tmp == '(')			*tmp++ = NULL;		trim(&tmp);		raw->keystr = calloc(1,strlen(tmp)+1);		strcpy(raw->keystr, tmp);	}	else		errormsg("Keywords not found, assuming none... weird!\n");//keywords	while(tmp && *tmp)	{		x = strquotchr(tmp,';');		splitstr(&tmp, &x);		if(tmp && !*tmp)			errormsg("Empty keyword before \';\', ignoring.\n");		else		{			if(lastkey)				while(newkey = lastkey->next)					lastkey = newkey;			newkey = calloc(sizeof(RuleKey),1);			if(lastkey)				lastkey->next = newkey;			else			{				raw->keys = newkey;				lastkey = newkey;			}			newkey->next = NULL;			newkey->keystr = calloc(1,strlen(tmp)+1);			strcpy(newkey->keystr, tmp);//parameters			if(y = strquotchr(tmp,':'))			{				splitstr(&tmp, &y);				if(tmp && !*tmp)					errormsg("Empty keyword before \':\'. \n");				else				{					newkey->key = calloc(1,strlen(tmp)+1);					strcpy(newkey->key, tmp);				}// parameter lists				if(y && !*y)				{					strcat(errorstr,"Empty parameter after \':\'.\n");				}				else				{					while(y && *y)					{						RuleParm *lastparm, *newparm;						z = strquotchr(y, ',');						splitstr(&y, &z);						if(y && !*y)							errormsg("Empty parameter before \',\'.\n");						else						{							lastparm = newkey->parms;							if(lastparm)								while(newparm = lastparm->next)									lastparm = newparm;							newparm = calloc(sizeof(struct strlist),1);							if(lastparm)								lastparm->next = newparm;							else							{								newkey->parms = newparm;								lastparm = newparm;							}							newparm->next = NULL;							newparm->str = calloc(1,strlen(y)+1);							bcopy(y, newparm->str, strlen(y));						}						if(z && !*z)							errormsg("Empty parameter after \',\'.\n");						y = z;					}				}			}			else			{				newkey->key = calloc(1,strlen(tmp)+1);				strcpy(newkey->key, tmp);			}			if(newkey && newkey->key && 
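strncmp(newkey->key,sid,3) == 0)
			{
				if(newkey->parms && newkey->parms->str)
					sscanf(newkey->parms->str,"%d",&(raw->sid));
				else
					errormsg("No parameter for sid keyword!\n");
			}
			if(newkey && newkey->key && strncmp(newkey->key,rev,3) == 0)
			{
				if(newkey->parms && newkey->parms->str)
					sscanf(newkey->parms->str,"%d",&(raw->rev));
				else
					errormsg("No parameter for rev keyword!\n");
			}
		}
		tmp = x;
	}
}

/*
 * Strip trailing whitespace from s in place.  s must not be NULL.
 * Safe on an empty string: the open-coded `s[strlen(s)-1]` loops this
 * replaces indexed one byte before the buffer when s was "".
 */
static void parserule_rstrip(char *s)
{
	size_t n = strlen(s);
	while(n > 0 && isspace((unsigned char)s[n-1]))
		s[--n] = '\0';
}

/*
 * Parse one rule line (raw->rulestr, multi-line rules already glued) into raw.
 *
 * The text is copied into the non-local `rulecopy` pointer (its local
 * declaration is commented out below) and carved up in place: '#' comment,
 * the "( ... )" keyword list (handed to parsekey), the direction operator,
 * then rule type, protocol, source address/port and destination address/port.
 * Malformed input is mostly "salvaged" with a guess that is reported through
 * errormsg() instead of being rejected.
 *
 * Returns  1 on success, or for a comment-only line;
 *          0 for a preprocessor statement, or when errorstr is non-empty
 *            after parsing;
 *         -2 when no rule text could be found (or the copy could not be
 *            allocated).
 *
 * NOTE(review): `rulecopy` is allocated on every call and the pointer itself
 * is advanced while parsing, so the buffer is never freed.  parseaddr()/
 * parseport() may keep pointers into it (not visible here), so it cannot
 * simply be freed at the end — verify before adding a free().  The calloc()
 * calls for raw->comment/type/proto/daddrstr are still unchecked.
 */
int parserule(Rule *raw)
{
// assumes multi-line rules have been glued
// char *rulecopy;
char *tmp, *dest, *x, *y;
char preproc[] = "preprocessor";
	if(!raw->rulestr || !*(raw->rulestr))
		return -2;
	rulecopy = calloc(1,strlen(raw->rulestr)+1);
	if(!rulecopy)
		return -2;	// out of memory: nothing to parse into
	strcpy(rulecopy, raw->rulestr);
// comment: everything from the first '#' on.
// NOTE(review): this is a plain strchr(), so a '#' inside a quoted keyword
// argument (e.g. content:"#!") is taken as the comment start and the rest of
// the rule is silently dropped -- the rule stored here can differ from the one
// Snort itself would load.
	if((tmp = strchr(rulecopy, '#')))
	{
		splitstr(&rulecopy,&tmp);
		if(tmp && *tmp )
		{
			raw->comment = calloc(1,strlen(tmp)+1);
			bcopy(tmp,raw->comment, strlen(tmp));
		}
		if(!*rulecopy)
			return 1;	// comment-only line
	}
	else
		raw->comment = NULL;
	if(strncasecmp(rulecopy,preproc,sizeof(preproc)-1) == 0)
	{
		errormsg("Preprocessor Statement.\n");
		return 0;
	}
// keywords: from the first '(' up to the LAST ')' on the line
	if((tmp = strchr(rulecopy, '(')))
	{
		while(isspace((unsigned char)*tmp))
			tmp++;
		parserule_rstrip(tmp);
		for(y = tmp; (x = strchr(y+1,')')); y = x)
			;
		splitstr(&tmp,&y);
		if(y && *y)
			errormsg("Junk after keyword end \')\' ignored.\n");
		parsekey(raw,tmp);
	}
	else //try to salvage: no '(' -- take the word holding the first ';' as the start of the keywords
	{
		if(!raw->comment)
			errormsg("Beginning of keywords not found, trying to salvage....\n");
		if((tmp = strchr(rulecopy,';')))
		{
			// back up to the preceding whitespace, never before the buffer start
			while(tmp > rulecopy && !isspace((unsigned char)*tmp))
				tmp--;
			splitstr(&rulecopy, &tmp);
			parserule_rstrip(tmp);
			// drop a trailing ')' if there is one.  This used to be an
			// assignment (`= ')'`), which unconditionally chopped the last
			// character whatever it was.
			if(*tmp && tmp[strlen(tmp)-1] == ')')
				tmp[strlen(tmp)-1] = '\0';
			parserule_rstrip(tmp);
			parsekey(raw,tmp);
		}
		else
			if(!raw->comment)
				errormsg("Keywords not found, assuming none... strange rule there!\n");
	}
//direction: the first '<', '-' or '>' anywhere in the remaining header text
	if(!rulecopy || !*rulecopy)
	{
		if(!raw->comment)
			errormsg("Ok... I give up... where is the rule in all this?\n");
		return -2;
	}
	dest = NULL;
	if(strchr(rulecopy,'<'))
	{
		tmp = strchr(rulecopy,'<');
		for(x = tmp; x > rulecopy && isspace((unsigned char)x[-1]); x--)
			x[-1] = '\0';	// eat spaces before direction (bounded by the buffer start)
		tmp++;
		if(*tmp == '-')
		{
			tmp++;
			raw->dir = DIRREV;
		}
		else if(*tmp == '>')
		{
			tmp++;
			raw->dir = DIRBOTH;
		}
		else
		{
			errormsg("Only \'<\' for rule direction found assuming \'<-\'.\n");
			tmp--;
			raw->dir = DIRREV;
		}
		if(*tmp)
			*tmp++ = '\0';	// terminate the source half; never step past the end of the buffer
		dest = tmp;
	}
	else if(strchr(rulecopy,'-'))
	{
		tmp = strchr(rulecopy,'-');
		for(x = tmp; x > rulecopy && isspace((unsigned char)x[-1]); x--)
			x[-1] = '\0';	// eat spaces before direction (bounded by the buffer start)
		*tmp++ = '\0';	// kill the '-'
		// Only consume the next byte when it really is the '>'.  Previously it
		// was zeroed unconditionally, eating the first character of the
		// destination field (or stepping past the terminator on a trailing '-').
		if(*tmp == '>')
			*tmp++ = '\0';
		else
			errormsg("Only \'-\' for rule direction found assuming \'->\'.\n");
		raw->dir = DIRFORW;
		dest = tmp;
	}
	else if(strchr(rulecopy,'>'))
	{
		tmp = strchr(rulecopy,'>');
		for(x = tmp; x > rulecopy && isspace((unsigned char)x[-1]); x--)
			x[-1] = '\0';	// eat spaces before direction (bounded by the buffer start)
		*tmp++ = '\0';
		errormsg("Only \'>\' for rule direction found assuming \'->\'.\n");
		raw->dir = DIRFORW;
		dest = tmp;
	}
	else
	{
		errormsg("No rule direction found. Assuming ->...\n");
		raw->dir = DIRFORW;
	}
	if(tmp && *tmp)
	{
		while(isspace((unsigned char)*tmp))
			tmp++;
		parserule_rstrip(tmp);
	}
	if(rulecopy && *rulecopy)
	{
		while(isspace((unsigned char)*rulecopy))
			rulecopy++;
		parserule_rstrip(rulecopy);
	}
	else
	{
		errormsg("Ok... I give up... where is the rule?\n");
		return -2;
	}
//type: first word of the header, looked up in the `types` splay tree
	if((tmp = strpbrk(rulecopy, " \t")))
	{
		trim(&rulecopy);
		x = strpbrk(rulecopy, "!./$:");
		if(x && x < tmp)	// an address/port character before the first space: the type is missing
		{
			char alert[] = "alert";
			errormsg("Hmmm... missing fields trying to salvage, using type = \"alert\"\n");
			raw->type = calloc(1,strlen(alert)+1);
			bcopy(alert, raw->type, strlen(alert));
		}
		else
		{
			splitstr(&rulecopy, &tmp);
			if(!rulecopy || !*rulecopy)
			{
				errormsg("Missing fields before source port.\n");
				return -2;
			}
			types = splay(rulecopy,types,strcmp);
			if(types && strcmp(types->key,rulecopy) != 0)
			{
			char alert[] = "alert";
				errormsg("Messed up rule type, using type = \"alert\"\n");
				// NOTE(review): hands whatever raw->type held before parsing
				// (presumably NULL) to raw->proto -- looks like a leftover, confirm.
				raw->proto = raw->type;
				raw->type = calloc(1,strlen(alert)+1);
				bcopy(alert, raw->type, strlen(alert));
				if(isproto(rulecopy))
				{
					errormsg("Looks like the ruletype was missing because a protocol was found, compensating.\n");
					// Walk back over the '\0' bytes splitstr() left between the
					// protocol word and the rest and turn them into spaces again,
					// so the proto scan below sees the word.  Bounded by the
					// buffer start.
					// NOTE(review): whether this actually re-joins the two parts
					// depends on how many bytes splitstr() zeroed; with a single
					// '\0' the second loop writes nothing -- verify.
					while(tmp > rulecopy && *(--tmp))
						;
					while(tmp > rulecopy && !*(--tmp))
						*tmp = ' ';
				}
				else
					rulecopy = tmp;
			}
			else
			{
				raw->type = calloc(1,strlen(rulecopy)+1);
				bcopy(rulecopy, raw->type, strlen(rulecopy));
				rulecopy = tmp;
			}
		}
	}
	else
	{
		errormsg("Ok... I really don't think this is a much of a rule, I give up.\n");
		return -2;
	}
// proto
	if((tmp = strpbrk(rulecopy, " \t")))
	{
	char tcp[] = "tcp";
		x = strpbrk(rulecopy, "!./$:");
		if(x && x < tmp)	// address/port character first: the protocol is missing
		{
			errormsg("Uh... missing fields trying to salvage, using proto = \"tcp\"\n");
			raw->proto = calloc(1,strlen(tcp)+1);
			strcpy(raw->proto, tcp);
		}
		else
		{
			splitstr(&rulecopy, &tmp);
			if(!rulecopy || !*rulecopy)
			{
				errormsg("Missing fields before source port.\n");
				return -2;
			}
			if(!isproto(rulecopy))
			{
				// the unrecognised word stays in rulecopy and is read as the
				// source address below -- presumably intended salvage
				errormsg("Protocol field trashed, assumming \"tcp\".\n");
				raw->proto = calloc(1,strlen(tcp)+1);
				strcpy(raw->proto, tcp);
			}
			else
			{
				raw->proto = calloc(1,strlen(rulecopy)+1);
				strcpy(raw->proto, rulecopy);
				rulecopy = tmp;
			}
		}
	}
// source address and port
	if((tmp = strpbrk(rulecopy, " \t")))
	{
		parserule_rstrip(tmp);
		if(!dest)
			dest = strpbrk(tmp+1," \t");
		else
			while(strpbrk(tmp+1, " \t"))
				tmp = strpbrk(tmp+1, " \t");   // find last space in field if luser put spaces in IP addr
		splitstr(&rulecopy,&tmp);
	}
	parseport(raw, tmp, &(raw->sport));	// tmp is NULL here when no port field was found
	if(rulecopy)
	{
		// NOTE(review): this stores the SOURCE address text in raw->daddrstr,
		// which the destination block below overwrites (leaking this
		// allocation) whenever dest is set -- looks like it was meant for a
		// source-side field; confirm against the Rule struct.
		raw->daddrstr = calloc(1,strlen(rulecopy)+1);
		strcpy(raw->daddrstr,rulecopy);
	}
	parseaddr(raw, rulecopy, &(raw->saddr));
// on to destination address and port fields
	if(!dest && tmp)
		dest = strpbrk(tmp," \t");
	// x must not carry a stale pointer from the type/proto scans above into
	// parseport() when the destination field has no port; NULL mirrors what
	// the source side passes in that case (parseport is assumed to accept it,
	// as it already receives NULL above).
	x = NULL;
	if(dest && (x = strpbrk(dest, " \t")))
	{
		parserule_rstrip(x);
		while(strpbrk(x+1, " \t"))
			x = strpbrk(x+1, " \t");   // find last space in field if luser put spaces in IP addr
		splitstr(&dest,&x);
	}
	parseport(raw, x, &(raw->dport));
	if(dest)
	{
		raw->daddrstr = calloc(1,strlen(dest)+1);
		strcpy(raw->daddrstr,dest);
	}
	parseaddr(raw, dest, &(raw->daddr));
//done: anything accumulated in errorstr turns success into 0
	if(strlen(errorstr) > 0)
		return 0;
	return 1;
}

/*
 * Write the direction operator for `dir` to f: DIRFORW "->", DIRREV "<-",
 * DIRBOTH "<>".  Any other value prints nothing.
 */
void fprintdir(FILE *f, int dir)
{
	switch(dir)
	{
	case DIRFORW:
			fprintf(f,"->");
			break;
	case DIRREV:
			fprintf(f,"<-");
			break;
	case DIRBOTH:
			fprintf(f,"<>");
			break;
	}
}

/*
 * Print a RuleIP list to f in rule syntax: "Any", or an optional "!"
 * followed by "$varname" for a variable entry or the dotted address with
 * an optional "/cidr"; further list entries are comma-separated.
 * A NULL list prints nothing.
 */
void fprintip(FILE *f, RuleIP *ip)
{
	if(!ip)
		return;
	if(ip->any)
		fprintf(f,"Any");
	else
	{
		if(ip->not)
			fprintf(f,"!");
		if(ip->var)
		{
			if(ip->varname)
				fprintf(f,"$%s",ip->varname);
		}
		else
		{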
fprintf(f,"%d.%d.%d.%d",ip->byte[0], ip->byte[1], ip->byte[2], ip->byte[3]);
			if(ip->cidr)
				fprintf(f,"/%d",ip->cidr);
		}
	}
	// NOTE(review): entries after the first are printed without the `any`
	// check applied to the head of the list above -- confirm that is intended.
	while(ip->next)
	{
		ip = ip->next;
		fprintf(f,",");
		if(ip->not)
		{
			fprintf(f,"!");
		}
		if(ip->var)
		{
			if(ip->varname)
				fprintf(f,"$%s",ip->varname);
		}
		else
		{
			fprintf(f,"%d.%d.%d.%d",ip->byte[0], ip->byte[1], ip->byte[2], ip->byte[3]);
			if(ip->cidr)
				fprintf(f,"/%d",ip->cidr);
		}
	}
}

/*
 * Print one RulePort to f in rule syntax.
 *
 * Output is "Any" for a wildcard port; otherwise an optional "!" followed by
 * "$varname" for a variable port (nothing after the "!" if varname is NULL),
 * "min:max" for a range, or just "min".  A NULL port prints nothing.
 */
void fprintport(FILE *f, RulePort *port)
{
	if(!port)
		return;
	if(port->any)
	{
		fputs("Any", f);
		return;
	}
	if(port->not)
		fputc('!', f);
	if(port->var)
	{
		if(port->varname)
			fprintf(f, "$%s", port->varname);
		return;
	}
	// a range is only printed when max is set and differs from min
	if(port->max && port->max != port->min)
		fprintf(f, "%d:%d", port->min, port->max);
	else
		fprintf(f, "%d", port->min);
}

/*
 * Print one RuleKey (keyword plus its parameter list) to f.
 * NOTE(review): the guard tests key->keystr but prints key->key, which
 * parsekey() leaves NULL for an empty keyword before ':' -- confirm.
 */
void fprintkey(FILE *f, RuleKey *key)
{
	if(!key)
		return;
	if(key->keystr)
		fprintf(f,"%s",key->key);
	if(key->parms)
	{
