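		RuleParm *tmp;
		if(key->parms->str)
			fprintf(f,":%s",key->parms->str);
		tmp = key->parms->next;
		while(tmp)
		{
			if(tmp->str)
				fprintf(f,",%s",tmp->str);
			tmp = tmp->next;
		}
	}
}
/* (above: tail of a key-printing routine, presumably fprintkey(); its
 * start precedes this listing and is left untouched) */

/*
 * Reset every field of an existing Rule to NULL/0 without freeing anything.
 * Whoever owns the pointed-to strings and lists must release them first
 * (see freerule); this only forgets them.
 */
void clearrule(Rule *r)
{
	r->rulestr = NULL;
	r->type = NULL;
	r->proto = NULL;
	r->saddrstr = NULL;
	r->daddrstr = NULL;
	r->sportstr = NULL;
	r->dportstr = NULL;
	r->dirstr = NULL;
	r->keystr = NULL;
	r->saddr = NULL;
	r->daddr = NULL;
	r->sport = NULL;
	r->dport = NULL;
	r->keys = NULL;
	r->dir = NULL;
	r->comment = NULL;
	/* sid/rev are used as integers elsewhere (localsid++, "%d"), so a plain
	 * 0 rather than the pointer constant NULL the original assigned. */
	r->sid = 0;
	r->rev = 0;
	r->next = NULL;
}

/*
 * Allocate a zeroed Rule.  Returns NULL when calloc fails; callers must check.
 * NOTE(review): a non-static `inline` definition has C99/C11 inline semantics
 * (no external definition is emitted), so a build in that mode may fail to
 * link calls to it.  Left as written to keep its linkage unchanged.
 */
inline Rule *newrule()
{
	return calloc(1, sizeof(Rule));
}

/*
 * Release everything a Rule points to: its strings and the saddr/daddr,
 * sport/dport and keys lists (including each key's parms).
 * The Rule struct itself is NOT freed; the caller remains its owner.
 */
void freerule(Rule *rule)
{
	/* free(NULL) is a no-op, so the string fields need no guards. */
	free(rule->rulestr);
	free(rule->type);
	free(rule->proto);
	free(rule->daddrstr);
	free(rule->saddrstr);
	free(rule->sportstr);
	/* NOTE(review): dportstr was never freed; released here on the assumption
	 * that parserule() allocates it the same way as sportstr. */
	free(rule->dportstr);
	free(rule->dirstr);
	free(rule->keystr);
	free(rule->comment);

	while(rule->saddr)
	{
		RuleIP *ip = rule->saddr;
		free(ip->ipstr);
		free(ip->varname);
		rule->saddr = ip->next;
		free(ip);
	}
	while(rule->daddr)
	{
		RuleIP *ip = rule->daddr;
		free(ip->ipstr);
		free(ip->varname);
		rule->daddr = ip->next;
		free(ip);
	}
	while(rule->sport)
	{
		RulePort *port = rule->sport;
		free(port->portstr);
		/* Bug fix: the original freed rule->saddr->varname here, but the
		 * saddr list has already been consumed above (NULL dereference),
		 * and the port's own varname leaked. */
		free(port->varname);
		rule->sport = port->next;
		free(port);
	}
	while(rule->dport)
	{
		RulePort *port = rule->dport;
		free(port->portstr);
		/* Bug fix: same as sport — the original read rule->daddr->varname. */
		free(port->varname);
		rule->dport = port->next;
		free(port);
	}
	while(rule->keys)
	{
		RuleKey *key = rule->keys;
		free(key->keystr);
		free(key->key);
		while(key->parms)
		{
			RuleParm *parm = key->parms;
			free(parm->str);
			/* Bug fix: always advance.  The original only re-linked when
			 * parm->next was non-NULL, so the last parm was freed but stayed
			 * at the list head and the loop re-freed it forever. */
			key->parms = parm->next;
			free(parm);
		}
		rule->keys = key->next;
		free(key);
	}
}

/*
 * Splay-tree comparator ordering Rules by SID.
 * Returns 1 when x->sid < y->sid, 0 when equal, -1 otherwise.
 */
int rulecmp(Rule *x, Rule *y)
{
	if(x->sid < y->sid)
		return 1;
	if(x->sid == y->sid)
		return 0;
	return -1;
}

/*
 * Write one rule to f in snort syntax:
 *   "type proto saddr sport dir daddr dport ( key; key; )# comment\n"
 * A rule missing any mandatory part is reported on stderr and not written.
 * Always returns NULL: the `void *` return type is kept for compatibility
 * with existing declarations (the original had a bare `return;` here).
 */
void *fprintrule(FILE *f, Rule *raw)
{
	if(!raw->type || !raw->proto || !raw->saddr || !raw->sport ||
		!raw->dir || !raw->daddr || !raw->dport)
	{
		fprintf(stderr,"Not outputing incomplete rule SID:%d\n",raw->sid);
		return NULL;
	}
	/* type and proto are known non-NULL after the check above. */
	fprintf(f,"%s ",raw->type);
	fprintf(f,"%s ",raw->proto);
	fprintip(f,raw->saddr);
	fputs(" ",f);
	fprintport(f,raw->sport);
	fputs(" ",f);
	fprintdir(f,raw->dir);
	fputs(" ",f);
	fprintip(f,raw->daddr);
	fputs(" ",f);
	fprintport(f,raw->dport);
	if(raw->keys)
	{
		RuleKey *key;
		fputs(" ( ",f);
		fprintkey(f,raw->keys);
		for(key = raw->keys->next; key; key = key->next)
		{
			fputs("; ",f);
			fprintkey(f,key);
		}
		fputs("; )",f);
	}
	if(raw->comment)
		fprintf(f,"# %s",raw->comment);
	fputs("\n",f);
	return NULL;
}

/*
 * calloc() that terminates the program on allocation failure.  The tool
 * already exit(1)s on unrecoverable errors (see main), and every caller
 * dereferenced the result unchecked before.
 */
static void *alloc_zeroed(size_t count, size_t size)
{
	void *p = calloc(count, size);
	if(!p)
	{
		fputs("snortpp: out of memory\n",stderr);
		exit(1);
	}
	return p;
}

/* Heap copy of a NUL-terminated string (the calloc+bcopy idiom used below). */
static char *copy_string(const char *s)
{
	size_t len = strlen(s);
	char *copy = alloc_zeroed(1, len + 1);
	memcpy(copy, s, len);
	return copy;
}

enum {
	READ_CHUNK = 1024,		/* bytes requested per fgets() */
	CONTINUATION_LIMIT = 7168,	/* stop joining lines beyond this; rulebuf is 8192 */
	INCLUDE_DEPTH_MAX = 32		/* bound on nested `include` recursion */
};

/*
 * Read a snort rules file (or stdin for "-") and merge it into the global
 * state: `var` declarations go into `vars`, `ruletype` blocks are copied
 * straight to outf, `include` lines recurse, `preprocessor` lines are
 * dropped, and every other line is parsed as a rule into `ruletree`, where
 * the highest rev per SID wins.  Diagnostics go to stderr.
 * Returns 0 on completion, -1 if the file could not be opened or the
 * include nesting limit was hit.
 */
int parsefile(char *fname)
{
	static int depth = 0;
	FILE *fd;
	Rule *raw;
	char rulebuf[8192];
	char *rulecopy, *tmp, *x;
	char ruletype[] = "ruletype";
	char preprocessor[] = "preprocessor";
	char var[] = "var";
	char include[] = "include";
	char stin[] = "-";
	char type[] = "type";
	char output[] = "output";
	char start[] = "{";
	char stop[] = "}";

	fprintf(stderr,"Loading file: %s\n",fname);
	/* `include` recurses into this function; without a bound a file that
	 * includes itself recurses until the stack is exhausted. */
	if(depth >= INCLUDE_DEPTH_MAX)
	{
		fprintf(stderr,"Include nesting too deep, skipping: %s\n",fname);
		return -1;
	}
	if(strcmp(fname,stin) == 0)
	{
		fd = stdin;
		fputs("Reading from standard input...\n",stderr);
	}
	else if(!(fd = fopen(fname,"r")))
	{
		fprintf(stderr,"Rule file not found: %s\n",fname);
		return -1;
	}
	depth++;

	for(;;)
	{
		/* Bug fix: the original tested feof() after a successful fgets(),
		 * which silently dropped a final line lacking a trailing newline. */
		if(!fgets(rulebuf, READ_CHUNK, fd))
		{
			printf("\n");	/* kept from the original; note this goes to stdout */
			break;
		}
more:
		/* A trailing backslash asks for the next line to be appended. */
		while(rulebuf[0] && rulebuf[strlen(rulebuf)-1] == '\\')
		{
			/* Bug fix: an unchecked fgets() at EOF left the buffer unchanged
			 * and the original spun here forever. */
			if(!fgets(&rulebuf[strlen(rulebuf)-1], READ_CHUNK, fd))
				break;
			if(strlen(rulebuf) > CONTINUATION_LIMIT)
				break;
		}
		/* NOTE(review): fgets() keeps the '\n', so the test above only fires
		 * when the backslash is the very last byte of the file; ordinary
		 * "...\<newline>" lines are not joined.  Left unchanged because
		 * parserule()'s expectations about the trailing newline are not
		 * visible here. */

		// brand new fresh and clean blank error message
		*errorstr = '\0';
		tmp = rulebuf;
		trim(&tmp);
		if(strncmp(tmp,preprocessor,12) == 0)
			fputs("Preprocessor configuration declaration, stripping...\n",stderr);
		else if(strncasecmp(tmp, var, 3) == 0)
		{
			rulecopy = copy_string(tmp);
			if(!(tmp = strpbrk(rulecopy, " \t")))
			{
				errormsg("Bogus variable declaration, dude.\n");
			}
			else
			{
				splitstr(&rulecopy,&tmp);
				if(*tmp == '$')
				{
					errormsg("Extra \'$\' in var decraration stripped.\n");
					splitstr(&tmp,&tmp);
				}
				if(tmp && *tmp)
				{
					if(!(x = strpbrk(tmp, " \t")))
					{
						errormsg("Empty variable declaration value, ignoring.\n");
					}
					else
					{
						SnortVar *n;
						splitstr(&tmp,&x);
						n = alloc_zeroed(1, sizeof *n);
						n->name = copy_string(tmp);
						vars = splay(n,vars,varcmp);
						if(vars && varcmp(vars->key,n) == 0)
						{
							errormsg("Duplicate var declaration.\n");
							/* Bug fix: the original had already pushed n onto
							 * `variables` before freeing it, leaving a dangling
							 * list head; the name also leaked. */
							free(n->name);
							free(n);
						}
						else
						{
							size_t vlen;
							vars = splayinsert(n,vars,varcmp);
							n->next = variables;
							variables = n;
							if(*x == '\"' || *x == '\'')
							{
								x++;
								errormsg("Removing broken quotes around variable value.\n");
								/* Bug fix: the original wrote `=` for `==`, so it
								 * chopped the last two characters of every quoted
								 * value; the length guard keeps x[vlen-1] in
								 * bounds when the value was a lone quote. */
								vlen = strlen(x);
								if(vlen && x[vlen-1] == '\"')
									x[--vlen] = '\0';
								if(vlen && x[vlen-1] == '\'')
									x[--vlen] = '\0';
								trim(&x);
							}
							n->val = copy_string(x);
						}
					}
				}
				else
				{
					errormsg("Messed up variable declaration, no varname.\n");
				}
			}
			if(*errorstr)
				fprintf(stderr,"Declaration: %s\nErrors: %s\n--\n",rulebuf,errorstr);
			free(rulecopy);
		}
		else if(strncasecmp(tmp,ruletype,8) == 0)
		{
			char *name;
			x = strpbrk(tmp," \t");
			splitstr(&tmp,&x);
			if(x)
			{
				name = copy_string(x);
				/* Each fgets() below is checked; on EOF the buffer is made
				 * empty so the block-copy loop terminates instead of
				 * re-reading the stale buffer forever. */
				if(!fgets(rulebuf,READ_CHUNK,fd))
					rulebuf[0] = '\0';
				tmp = rulebuf;
				trim(&tmp);
				if(strcmp(tmp,start) == 0)
				{
					fprintf(outf,"ruletype %s\n",name);
					types = splayinsert(name,types,strcmp);
					fputs(tmp,outf);
					fputs("\n",outf);
					if(!fgets(rulebuf,READ_CHUNK,fd))
						rulebuf[0] = '\0';
					tmp = rulebuf;
					trim(&tmp);
					while(!strncmp(tmp,type,4) || !strncmp(tmp,output,6))
					{
						fputs(rulebuf,outf);
						fputs("\n",outf);
						if(!fgets(rulebuf,READ_CHUNK,fd))
							rulebuf[0] = '\0';
						tmp = rulebuf;
						trim(&tmp);
					}
					if(strncmp(tmp,stop,1))
					{
						fputs("Ruletype without closing \'}\', inserting.\n",stderr);
						fputs("}\n",outf);
						/* The line that ended the block is a new declaration. */
						if(rulebuf[0])
							goto more;
					}
					else
						fputs("}\n",outf);
				}
				else
				{
					free(name);	/* not handed to the types tree: release it */
					fputs("Ruletype without following declaration, ignoring.\n",stderr);
					if(rulebuf[0])
						goto more;
				}
			}
		}
		else if(strncmp(tmp,include,7) == 0)
		{
			x = strpbrk(tmp," \t");
			if(x)
			{
				splitstr(&tmp,&x);
				if(x)
					parsefile(x);
				else
					errormsg("Missing include filename after space...\n");
			}
			else
				errormsg("Missing include filename...\n");
		}
		else
		{
			Rule *existing;
			int discard = 0;
			raw = newrule();
			if(!raw)
			{
				fputs("snortpp: out of memory\n",stderr);
				exit(1);
			}
			raw->rulestr = copy_string(rulebuf);
			fflush(stdout);
			parserule(raw);
			if(!raw->sid)
			{
				raw->sid = localsid++;
				raw->rev = 1;
				errormsg("No SID, assigned temporary local SID.\n");
			}
			ruletree = splay(raw, ruletree, rulecmp);
			existing = ruletree ? (Rule *)(ruletree->key) : NULL;
			if(existing && rulecmp(raw, existing) == 0)
			{
				/* Bug fix: the original's dangling `else` bound to an inner
				 * `if(raw->sid)` (always true by now), so a higher rev could
				 * never replace the stored rule. */
				if(raw->rev <= existing->rev)
				{
					errormsg("Duplicate SID, ignoring equal or lower rev...\n");
					discard = 1;
				}
				else
				{
					freerule(existing);
					free(existing);	/* freerule() leaves the struct to its owner */
					ruletree->key = raw;
					errormsg("Replacing with higher revision level.\n");
				}
			}
			else
				ruletree = splayinsert(raw, ruletree, rulecmp);
			/* Bug fix: the original tested `*errormsg` — the errormsg()
			 * function designator, always true — so every rule was reported. */
			if(*errorstr)
			{
				if(raw->sid)
					fprintf(stderr,"SID:%d rev:%d\n",raw->sid, raw->rev);
				fprintf(stderr, "\nOriginal: %s\n",rulebuf);
				fprintf(stderr, "Modified: ");
				fprintrule(stderr, raw);
				fprintf(stderr,"\nErrors:\n%s",errorstr);
				fprintf(stderr,"\n--\n");
			}
			if(discard)
			{
				/* The stored rule wins; the original leaked the duplicate. */
				freerule(raw);
				free(raw);
			}
		}
	}
	/* The original never closed included files, leaking one descriptor per
	 * `include`. */
	if(fd != stdin)
		fclose(fd);
	depth--;
	return 0;
}

/* Print the help text to stderr and exit(1).  Never returns. */
void usage(void)
{
	fputs("This program reads in all the snort rules files on the command line\n",stderr);
	fputs("and merges their rules while cleaning the sysntax.\n",stderr);
	fputs("Default output is stdout unless -o <filename> is used.\n",stderr);
	fputs("The special filename \"-\" can be used for stdin.\n",stderr);
	fputs("Preprocessor configuration statements and duplicate SIDs are removed.\n",stderr);
	fputs("In the case of duplicates, the highest rev:number wins.\n",stderr);
	fputs("Please send bug reports to <dr@kyx.net>. --dr\n",stderr);
	fputs("\n",stderr);
	exit(1);
}

// test stub
/*
 * Entry point.  Options: -o <file> redirects output (default stdout),
 * -h (or anything else) prints usage.  Remaining arguments are rule files,
 * parsed in order; the merged variables and rules are then written out.
 * Returns 0 on success, 1 on a usage error or an output failure.
 */
int main(int argc, char *argv[])
{
	char pass[] = "pass";
	char log[] = "log";
	char alert[] = "alert";
	extern char *optarg;
	extern int optind;
	extern int errno;
	List *outlist;
	int ch;
	const char *outname = NULL;

	variables = NULL;
	vars = NULL;
	ruletree = NULL;
	types = NULL;
	localsid = 2000000;
	outf = stdout;
	/* The three built-in snort rule types are always known. */
	types = splayinsert(pass,types,strcmp);
	types = splayinsert(log,types,strcmp);
	types = splayinsert(alert,types,strcmp);
	fputs("snortpp: rules preprocessor - merger cleaner stripper and desert topping (by Dragos Ruiu <dr@kyx.net>)\n",stderr);
	if(argc < 2)
	{
		fprintf(stderr,"No arguments given. Blech!\nI suppose now you want some mamby-pamby usage diagnostic... use -h for help.\n");
		exit(1);
	}
	fprintf(stderr,"\n");
	fflush(stdout);
	fflush(stderr);
	while ((ch = getopt(argc, argv, "ho:")) != -1)
	{
		switch (ch)
		{
		case 'o':
			outname = optarg;
			if (!(outf = fopen(optarg, "w+")))
			{
				fprintf(stderr, "snortpp: %s: %s\n", optarg, strerror(errno));
				exit(1);
			}
			break;
		default:
			usage();
		}
	}
	fputs("# Rules File generated by snortpp <dr@kyx.net>\n",outf);
	/* ruletype blocks are emitted by parsefile() as they are encountered,
	 * so their section header goes out before parsing starts. */
	fputs("#\n# Rule Type Definitions\n#\n",outf);
	for(ch = optind; ch < argc; ch++)
	{
		parsefile(argv[ch]);
	}
	// ok lets print out this junk
	fputs("#\n# Variable Declarations\n#\n",outf);
	for(outlist = splaytolist(vars); outlist; outlist = outlist->next)
	{
		SnortVar *v = (SnortVar *)(outlist->key);
		fprintf(outf,"var %s %s\n", v->name, v->val);
	}
	fputs("#\n# Rule Definitions\n#\n",outf);
	for(outlist = splaytolist(ruletree); outlist; outlist = outlist->next)
	{
		fprintrule(outf,(Rule *)outlist->key);
	}
	fputs("#\n# end of file generated by snortpp\n#\n",outf);
	/* fclose()/fflush() perform the final write; checking them is the only
	 * way to notice a truncated output file (e.g. disk full). */
	if(outf != stdout)
	{
		if(fclose(outf) != 0)
		{
			fprintf(stderr, "snortpp: %s: %s\n", outname, strerror(errno));
			return 1;
		}
	}
	else if(fflush(stdout) != 0)
	{
		fprintf(stderr, "snortpp: stdout: %s\n", strerror(errno));
		return 1;
	}
	//phew... --dr
	return 0;
}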
