break;
case '0':
*flags = TZERO;
break;
default:
printf("parse_rules: [line %d]: Illegal tcpflags char \"%c\", ignoring\n", line, *arg);
goto ignore;
break;
}
arg++;
}
if(*flags == 0)
{
printf("parse_rules: [line %d]: No tcp flags provided, ignoring\n",line);
goto ignore;
}
r->optionlist[i] = (char *)flags;
break;
case CONTENT:
/* First skip past all the spaces */
while(isspace(*arg))
{
arg++;
}
/* First char must be the open quote */
if(*arg != '\"')
{
printf("parse_rules: [line %d]: Missing open quote on content string, ignoring\n",line);
goto ignore;
}
if((r->optionlist[i] = malloc(sizeof(struct content))) == NULL)
{
printf("parse_rules: [line %d]: malloc failed..\n",line);
}
/* If our content string is bigger than 1500 bytes, we have a problem */
if((temp = malloc(1500)) == NULL)
{
printf("parse_rules: [line %d]: malloc failed..\n",line);
return(1);
}
temp2 = temp;
/* Make a nice blank space to work with */
memset(temp,0,1500);
/* Kill leading spaces */
while(isspace(*arg))
{
arg++;
}
/* Trim opening quote */
if (*arg == '\"')
{
arg++;
}
else
{
printf("parse_rules: [line %d]: Missing open quote on content string, ignoring\n",line);
goto ignore;
}
/* Loop till we reach the close quote */
while(*arg != '\"')
{
if(*arg == '\0')
{
printf("parse_rules: [line %d]: Missing close quote on content string, ignoring\n",line);
goto ignore;
}
if(*arg == '|')
{
arg++;
while(*arg != '|')
{
while(isspace(*arg))
{
arg++;
}
if((*arg >= 'A' && *arg <= 'F') || (*arg >= 'a' && *arg <= 'f') || (*arg >= '0' && *arg <= '9'))
{
/* Calculate the value of this hex char */
if((*arg >= 'A' && *arg <= 'F') || (*arg >= 'a' && *arg <= 'f'))
{
hex1 = tolower(*arg);
hex2 = ((hex1 - 'a') + 10) * 16;
}
else
{
hex2 = (*arg - '0') * 16;
}
arg++;
if(!((*arg >= 'A' && *arg <= 'F') || (*arg >= 'a' && *arg <= 'f') || (*arg >= '0' && *arg <= '9')))
{
/* Dont allow those stupid odd sized hex chars - ambiguity in network byte ordering marty */
if((isspace(*arg))||(*arg == '|'))
{
printf("parse_rules: [line %d]: Hex char too short in content string, ignoring\n",line);
}
else
{
printf("parse_rules: [line %d]: Invalid char \"%c\" found in hex component of content string, ignoring\n",line,*temp);
}
free(temp2);
goto ignore;
}
if((*arg >= 'A' && *arg <= 'F') || (*arg >= 'a' && *arg <= 'f'))
{
hex1 = tolower(*arg);
hex2 = hex2 + ((hex1 - 'a') + 10);
}
else
{
hex2 = hex2 + (*arg - '0');
}
*temp = hex2;
arg++;
temp++;
if((temp - temp2) == 1500)
{
printf("parse_rules: [line %d]: Content string too large.. ignoring\n",line);
free(temp2);
goto ignore;
}
}
else
{
printf("parse_rules: [line %d]: Invalid char \"%c\" found in hex component of content string, ignoring\n",line,*temp);
free(temp2);
goto ignore;
}
}
}
else
{
*temp = *arg;
/* Its just a normal char so it goes straight into the buffer */
temp++;
}
if((temp - temp2) == 1500)
{
printf("parse_rules: [line %d]: Content string too large.. ignoring\n",line);
goto ignore;
}
arg++;
}
if ((((struct content *)r->optionlist[i])->pcont = malloc(temp-temp2)) == NULL)
{
printf("parse_rules: [line %d]: Couldn't malloc..\n",line);
return(1);
}
memcpy(((struct content *)r->optionlist[i])->pcont,temp2,temp-temp2);
((struct content *)r->optionlist[i])->size = (temp - temp2);
free(temp2);
break;
case CONTENT_LIST:
case RPC:
case REFERENCE:
break;
default:
printf("parse_rules: [line %d]: !! Cant get here.. parse_rules.c\n");
return(1);
}
}
}
// end of matching each option_text[] with each olcur->option_string
if (found == 0)
{
printf("parse_rules: [line %d]: Unknown Option \"%s\", ignoring option\n", line, token);
}
}
// end of one olcur->option_string, olcur should point to next option_list node
else
{
printf("parse_rules: [line %d]: Illegal Option String, ignoring\n",line);
goto ignore;
}
oltemp = olcur->next;
free(olcur->option_string);
free(olcur);
olcur = oltemp;
}
}
// end of parsing rule string followed '('
#ifdef DEBUG
print_rule(r);
#endif
/* Post rule process size sanity checks */
pmin = 0;
pmax = (1500-(LIBNET_PACKET));
if (r->optionlist[OFFSET] != NULL)
{
offset = *(r->optionlist[OFFSET]);
}
else
{
offset = 0;
}
if (r->optionlist[DEPTH] != NULL)
{
depth = *(r->optionlist[DEPTH]);
}
else
{
depth = 0;
}
if (r->optionlist[CONTENT] != NULL)
{
contsize = ((struct content *)r->optionlist[CONTENT])->size;
}
else
{
contsize = 0;
}
if ((r->optionlist[DSIZE]) != NULL)
{
if(((struct dsize *)r->optionlist[DSIZE])->gtlt == DSIZEGT)
{
pmin = ((struct dsize *)r->optionlist[DSIZE])->size;
}
else if(((struct dsize *)r->optionlist[DSIZE])->gtlt == DSIZELT)
{
pmax = ((struct dsize *)r->optionlist[DSIZE])->size;
}
else
{
pmin = pmax = ((struct dsize *)r->optionlist[DSIZE])->size;
}
}
if (depth > pmax)
{
printf("parse_rules: [line %d]: depth is greater than the dsize, ignoring\n",line);
goto ignore;
}
if (offset > pmax)
{
printf("parse_rules: [line %d]: offset is greater than the dsize, ignoring\n",line);
goto ignore;
}
if (pmax < (offset + depth))
{
printf("parse_rules: [line %d]: conflict between offset, depth and dsize, ignoring\n",line);
goto ignore;
}
if (pmax < (offset + contsize))
{
printf("parse_rules: [line %d]: conflict between offset, content size and dsize, ignoring\n",line);
goto ignore;
}
/* Put the rule at the head of the linked list */
r->next = rulehead;
rulehead = r;
/* Successfully parsed! */
total_rules++;
ignore:
;
}
// end of parsing a "alert " or "log" rule
}
// end of parsing a none "var" rule
else
{
printf("parse_rules: [line %d]: \"%s\" token not handled, ignoring..\n",line);
}
free(optstring);
}
free(ruletemp);
}
}
else
{
perror("fopen");
return(1);
}
return(0);
}
/* end parse_rules */
/*
* print_var: print out a variable
*
* Input:
*
* var: the variable entry (struct var_list) to print
*
*/
void print_var(struct var_list *var)
{
    /* Separator line that frames every variable dump */
    static const char frame[] = "==================";

    puts(frame);
    printf("Var Name : %s\n", var->varname);
    printf("Var Value : %s\n", var->value);
    puts(frame);
}
/* end print_var */
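/*
 * print_addr_list: print one side (source or dest) of a rule's address list
 *
 * Input:
 *
 * side: "Source" or "Dest", spliced into the output labels
 * addrlist: head of the address chain
 * count: number of entries the rule says the chain holds
 *
 * The walk stops at the end of the chain even if count is larger, so a
 * count/chain mismatch cannot dereference a NULL node.
 */
static void print_addr_list(const char *side, struct addr_list *addrlist, int count)
{
    struct in_addr ina;

    while (count > 0 && addrlist != NULL)
    {
        count--;
        ina.s_addr = addrlist->addr;
        printf("Rule %s Addr: ", side);
        if (addrlist->addrnot)
        {
            printf("NOT ");
        }
        /* inet_ntoa() hands back a static buffer, so it is called once per printf */
        printf("%s\n", inet_ntoa(ina));
        ina.s_addr = addrlist->addrmask;
        printf("Rule %s Mask: %s\n", side, inet_ntoa(ina));
        addrlist = addrlist->next;
    }
}

/*
 * print_port: print one port specification of a rule
 *
 * Input:
 *
 * label: the full line label, e.g. "Rule Source Port: "
 * port: the port number, or ANY
 * negated: non-zero when the port match is negated
 */
static void print_port(const char *label, int port, int negated)
{
    printf("%s", label);
    if (negated)
    {
        printf("NOT ");
    }
    if (port == ANY)
    {
        printf("ANY\n");
    }
    else
    {
        printf("%d\n", port);
    }
}

/*
 * print_rule: print out a stored rule
 *
 * Input:
 *
 * rulepnt: a rule structure
 *
 * Debug dump of a rule after parse_rules has filled it in. The CONTENT
 * option is read through struct content (pcont + size), which is the shape
 * parse_rules stores there; the earlier byte-walk with a length prefix
 * dumped the struct itself rather than the pattern bytes.
 */
void print_rule(struct rule *rulepnt)
{
    int i, j;
    int tcpflags, fragbits;
    const struct dsize *dsz;
    const struct content *cont;
    const unsigned char *bytes;

    printf("==================\n");
    printf("Rule Protocol : ");
    if (rulepnt->proto == TCP)
    {
        printf("TCP\n");
    }
    else if (rulepnt->proto == UDP)
    {
        printf("UDP\n");
    }
    else if (rulepnt->proto == ICMP)
    {
        printf("ICMP\n");
    }
    else
    {
        /* Terminate the line even for a protocol we have no name for */
        printf("UNKNOWN\n");
    }

    print_addr_list("Source", rulepnt->srcaddr, rulepnt->srcnum);
    print_port("Rule Source Port: ", rulepnt->srcport, rulepnt->srcportnot);
    print_addr_list("Dest", rulepnt->destaddr, rulepnt->destnum);
    print_port("Rule Dest Port : ", rulepnt->destport, rulepnt->destportnot);

    printf("Rule Bidir : ");
    printf("%s\n", rulepnt->bidirectional == TRUE ? "TRUE" : "FALSE");

    for (i = 0; i != OPTION_MAX; i++)
    {
        if (rulepnt->optionlist[i] == NULL)
        {
            continue;
        }
        switch (i)
        {
        case IPOPTS:
            for (j = 0; j != IPOPTS_MAX; j++)
            {
                if (rulepnt->optionlist[i][j] != FALSE)
                {
                    printf("IP Option: %s\n", ipopts_text[j]);
                }
            }
            break;
        case DSIZE:
            dsz = (const struct dsize *)rulepnt->optionlist[i];
            printf("Dsize: ");
            /* Same constants parse_rules tests, instead of bare 1 and 2 */
            if (dsz->gtlt == DSIZELT)
            {
                printf("<");
            }
            else if (dsz->gtlt == DSIZEGT)
            {
                printf(">");
            }
            printf("%d\n", dsz->size);
            break;
        case FLAGS:
            /* NOTE(review): only the first byte of the stored flag value is
             * read here; confirm that matches the width parse_rules stores */
            tcpflags = (int)*(rulepnt->optionlist[i]);
            printf("TCP Flags: ");
            if (tcpflags & TZERO)
            {
                printf("0");
            }
            else
            {
                if (tcpflags & TFIN) printf("F");
                if (tcpflags & TSYN) printf("S");
                if (tcpflags & TRST) printf("R");
                if (tcpflags & TPSH) printf("P");
                if (tcpflags & TACK) printf("A");
                if (tcpflags & TURG) printf("U");
                if (tcpflags & TRES2) printf("2");
                if (tcpflags & TRES1) printf("1");
                if (tcpflags & TPLUS) printf("+");
                if (tcpflags & TSTAR) printf("*");
                if (tcpflags & TMINUS) printf("-");
            }
            printf("\n");
            break;
        case FRAGBITS:
            fragbits = *(rulepnt->optionlist[i]);
            printf("Frag Bits: ");
            if (fragbits & FRAGR) printf("R");
            if (fragbits & FRAGD) printf("D");
            if (fragbits & FRAGM) printf("M");
            if (fragbits & FRAGPLUS) printf("+");
            if (fragbits & FRAGSTAR) printf("*");
            if (fragbits & FRAGMINUS) printf("-");
            printf("\n");
            break;
        case NOCASE:
            printf("Nocase - not implemented\n");
            break;
        case MSG:
            printf("Message : %s\n", rulepnt->optionlist[i]);
            break;
        case RPC:
            printf("RPC - not implemented\n");
            break;
        case ID:
        case SEQ:
        case ACK:
        case ITYPE:
        case ICODE:
        case TTL:
        case TOS:
            /* unsigned char options; not printed by this dump */
            break;
        case ICMP_ID:
        case ICMP_SEQ:
            /* NOTE(review): single-byte read; values above 127 print negative
             * if char is signed — confirm against parse_rules' storage */
            printf("ICMP %s: %d\n", option_text[i], *(rulepnt->optionlist[i]));
            break;
        case DEPTH:
            printf("Depth: %d\n", *(rulepnt->optionlist[i]));
            break;
        case OFFSET:
            printf("Offset %d\n", *(rulepnt->optionlist[i]));
            break;
        case CONTENT:
            cont = (const struct content *)rulepnt->optionlist[i];
            bytes = (const unsigned char *)cont->pcont;
            printf("Content String: ");
            if (bytes != NULL)
            {
                /* unsigned char keeps bytes >= 0x80 from printing sign-extended */
                for (j = 0; j < cont->size; j++)
                {
                    printf("%02x ", bytes[j]);
                }
            }
            printf("\n");
            break;
        default:
            printf("option %s, arg %s\n", option_text[i], rulepnt->optionlist[i]);
            break;
        }
    }
    printf("==================\n\n");
}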
/* end print_rule */