📄 snort.c
字号:
char *eq_n;
char *eq_p;
#ifdef DEBUG
printf("Parsing command line...\n");
#endif
/* generally speaking, Snort works best when it's in promiscuous mode */
pv.promisc_flag = 1;
/* loop through each command line var and process it */
while ((ch = getopt(argc, argv, "XOg:u:t:CqS:pNA:F:DM:br:xeh:l:dc:n:P:i:vV?aso6")) != -1)
{
#ifdef DEBUG
printf("Processing cmd line switch: %c\n", ch);
#endif
switch (ch)
{
case 'A': /* alert mode */
if (!strncasecmp(optarg,"none", 4))
{
pv.alert_mode = ALERT_NONE;
}
else if (!strncasecmp(optarg,"full", 4))
{
pv.alert_mode = ALERT_FULL;
}
else if (!strncasecmp(optarg,"fast", 4))
{
pv.alert_mode = ALERT_FAST;
}
else if (!strncasecmp(optarg,"unsock", 4))
{
pv.alert_mode = ALERT_UNSOCK;
}
else
{
FatalError("ERROR => Unknown command line alert option: %s\n", optarg);
}
pv.alert_cmd_override = 1;
break;
case 'C':
pv.char_data_flag = 1;
break;
case 'D': /* daemon mode */
#ifdef DEBUG
printf("Daemon mode flag set\n");
#endif
pv.daemon_flag = 1;
pv.quiet_flag = 1;
break;
case 'q': /* no stdout output mode */
pv.quiet_flag = 1;
break;
case 't':
if ((pv.chroot_dir = calloc(strlen(optarg)+1, 1)) == NULL)
{
FatalError("[!] ERROR: chroot directory variable calloc failed!\n");
}
bcopy(optarg,pv.chroot_dir,strlen(optarg));
#ifdef DEBUG
printf("chroot directory set to: %s\n", pv.chroot_dir);
#endif
break;
case 'u': /* setuid */
if((pv.user_name = calloc(strlen(optarg)+1, 1)) == NULL)
FatalError("[!] ERROR: UID variable calloc failed!\n");
bcopy(optarg,pv.user_name,strlen(optarg));
if((pv.userid = atoi(pv.user_name)) == 0)
{
pv.pw = getpwnam(pv.user_name);
if(pv.pw == NULL)
{
FatalError("[!] ERROR: User \"%s\" unknown\n",pv.user_name);
}
pv.userid = pv.pw->pw_uid;
}
else
{
pv.pw = getpwuid(pv.userid);
if(pv.pw == NULL)
{
FatalError("[!] ERROR: Can not obtain username"
" for uid: %lu\n", (u_long) pv.userid);
}
}
if(pv.group_name == NULL)
{
char name[STD_BUF];
bzero(name, STD_BUF);
sprintf(name,"%lu",(u_long)pv.pw->pw_gid);
if ((pv.group_name = calloc(strlen(name)+1, 1)) == NULL)
{
FatalError("[!] ERROR: Unable to calloc for pv.group_name\n");
}
pv.groupid = pv.pw->pw_gid;
}
#if DEBUG
printf("UserID: %lu GroupID: %lu\n", (unsigned long)pv.userid,
(unsigned long)pv.groupid);
#endif
break;
case 'g':
if (pv.group_name != NULL)
free(pv.group_name);
if ((pv.group_name = calloc(strlen(optarg)+1, 1)) == NULL)
FatalError("[!] ERROR: malloc for group name failed!\n");
bcopy(optarg,pv.group_name,strlen(optarg));
if ((pv.groupid = atoi(pv.group_name)) == 0) {
pv.gr = getgrnam(pv.group_name);
if (pv.gr == NULL)
FatalError("[!] ERROR: Group \"%s\" unknown\n",pv.group_name);
pv.groupid = pv.gr->gr_gid;
}
#if DEBUG
printf("GroupID: %lu\n",(unsigned long)pv.groupid);
#endif
break;
case 'N': /* no logging mode */
#ifdef DEBUG
printf("Logging deactivated\n");
#endif
pv.nolog_flag = 1;
pv.log_cmd_override = 1;
break;
case 'O': /* obfuscate the logged IP addresses for privacy */
pv.obfuscation_flag = 1;
break;
case 'l': /* use log dir <X> */
strncpy(pv.log_dir, optarg, STD_BUF-1);
#ifdef DEBUG
printf("Log directory = %s\n", pv.log_dir);
#endif
pv.log_flag = 1;
break;
case 'e': /* show second level header info */
#ifdef DEBUG
printf("Show 2nd level active\n");
#endif
pv.show2hdr_flag = 1;
break;
case 'b': /* log packets in binary format for post-processing */
#ifdef DEBUG
printf("Tcpdump logging mode active\n");
#endif
pv.logbin_flag = 1;
pv.log_cmd_override = 1;
break;
case 'F': /* read BPF filter in from a file */
#ifdef DEBUG
printf("Tcpdump logging mode active\n");
#endif
strncpy(bpf_file, optarg, STD_BUF - 1);
read_bpf = 1;
break;
case 'a': /* show ARP packets */
#ifdef DEBUG
printf("Show ARP active\n");
#endif
pv.showarp_flag = 1;
break;
case 'd': /* dump the application layer data */
pv.data_flag = 1;
#ifdef DEBUG
printf("Data Flag active\n");
#endif
break;
case 'v': /* be verbose */
pv.verbose_flag = 1;
#ifdef DEBUG
printf("Verbose Flag active\n");
#endif
break;
case 'n': /* grab x packets and exit */
pv.pkt_cnt = atoi(optarg);
#ifdef DEBUG
printf("Exiting after %d packets\n", pv.pkt_cnt);
#endif
break;
case 'c': /* use configuration file x ( which currently isn't used) */
strncpy(pv.config_file, optarg, STD_BUF - 1);
pv.use_rules = 1;
#ifdef DEBUG
printf("Config file = %s\n", pv.config_file);
#endif
break;
case 'i': /* listen on interface x */
pv.interface = (char *) malloc(strlen(optarg) + 1);
bzero((char *)pv.interface, strlen(optarg)+1);
strncpy(pv.interface, optarg, strlen(optarg));
#ifdef DEBUG
printf("Interface = %s\n", pv.interface);
#endif
break;
case 'o': /* change the rules processing order to passlist first */
pv.rules_order_flag = 1;
#ifdef DEBUG
printf("Rule application order changed to Pass->Alert->Log\n");
#endif
break;
case 'p': /* disable explicit promiscuous mode */
pv.promisc_flag = 0;
#ifdef DEBUG
printf("Promiscuous mode disabled!\n");
#endif
break;
case 'P': /* explicitly define snaplength of packets */
pv.pkt_snaplen = atoi(optarg);
#ifdef DEBUG
printf("Snaplength of Packets set to: %d\n", pv.pkt_snaplen);
#endif
break;
case 'r': /* read packets from a TCPdump file instead of the net */
strncpy(pv.readfile, optarg, STD_BUF - 1);
pv.readmode_flag = 1;
break;
case 's': /* log alerts to syslog */
pv.syslog_flag = 1;
#ifdef DEBUG
printf("Logging alerts to syslog\n");
#endif
pv.alert_cmd_override = 1;
break;
case '6': /* display IPv6 packets (decoder not implemented yet)*/
#ifdef DEBUG
printf("Show IPv6 active\n");
#endif
pv.showipv6_flag = 1;
break;
case 'x': /* display IPX packets (decoder not implemented yet)*/
#ifdef DEBUG
printf("Show IPX active\n");
#endif
pv.showipx_flag = 1;
break;
case 'X': /* display verbose packet bytecode dumps */
#ifdef DEBUG
printf("Verbose packet bytecode dumps enabled\n");
#endif
pv.verbose_bytedump_flag = 1;
break;
case 'M': /* SMB Message Option */
pv.smbmsg_flag = 1;
strncpy(pv.smbmsg_dir, optarg, STD_BUF-1);
pv.alert_cmd_override = 1;
break;
case '?': /* show help and exit */
DisplayBanner();
ShowUsage(progname);
exit(0);
case 'V': /* prog ver already gets printed out, so we just exit */
DisplayBanner();
exit(0);
case 'h': /* set home network to x, this will help determine what to
set logging diectories to */
GenHomenet(optarg);
break;
case 'S': /* set a rules file variable */
if ((eq_p = strchr(optarg, '=')) != NULL)
{
eq_n = (char *) malloc(eq_p - optarg + 1);
bzero(eq_n, eq_p - optarg + 1);
strncpy(eq_n, optarg, eq_p - optarg);
VarDefine(eq_n, eq_p + 1);
free(eq_n);
}
}
}
/* if we're reading in BPF filters from a file */
if (read_bpf)
{
/* suck 'em in */
pv.pcap_cmd = read_infile(bpf_file);
}
else
{
/* set the BPF rules string (thanks Mike!) */
pv.pcap_cmd = copy_argv(&argv[optind]);
}
#ifdef DEBUG
if (pv.pcap_cmd != NULL)
{
printf("pcap_cmd = %s\n", pv.pcap_cmd);
}
else
{
printf("pcap_cmd is NULL!\n");
}
#endif
return 0;
}
/****************************************************************************
*
* Function: GenHomenet(char *)
*
* Purpose: Translate the command line character string into its equivalent
* 32-bit network byte ordered value (with netmask)
*
* Arguments: netdata => The address/CIDR block
*
* Returns: void function
*
****************************************************************************/
void GenHomenet(char *netdata)
{
struct in_addr net; /* place to stick the local network data */
char **toks; /* dbl ptr to store mSplit return data in */
int num_toks; /* number of tokens mSplit returns */
int nmask; /* temporary netmask storage */
/* break out the CIDR notation from the IP address */
toks = mSplit(optarg,"/",2,&num_toks,0);
if (num_toks > 1)
{
/* convert the CIDR notation into a real live netmask */
nmask = atoi(toks[1]);
if ((nmask > 0) && (nmask < 33))
{
pv.netmask = netmasks[nmask];
}
else
{
FatalError("ERROR: Bad CIDR block [%s:%d], 1 to 32 please!\n",
toks[1],nmask);
}
}
else
{
FatalError("ERROR: No netmask specified for home network!\n");
}
/* since PC's store things the "wrong" way, shuffle the bytes into
the right order */
#ifndef WORDS_BIGENDIAN
pv.netmask = htonl(pv.netmask);
#endif
#ifdef DEBUG
printf("homenet netmask = %#8lX\n", pv.netmask);
#endif
/* convert the IP addr into its 32-bit value */
if ((net.s_addr = inet_addr(toks[0])) ==-1)
{
FatalError("ERROR: Homenet (%s) didn't x-late, WTF?\n",
toks[0]);
}
else
{
#ifdef DEBUG
struct in_addr sin;
printf("Net = %s (%X)\n", inet_ntoa(net), net.s_addr);
#endif
/* set the final homenet address up */
pv.homenet = ((u_long)net.s_addr & pv.netmask);
#ifdef DEBUG
sin.s_addr = pv.homenet;
printf("Homenet = %s (%X)\n", inet_ntoa(sin), sin.s_addr);
#endif
}
free(toks);
}
/****************************************************************************
*
* Function: SetPktProcessor()
*
* Purpose: Set which packet processing function we're going to use based on
* what type of datalink layer we're using
*
* Arguments: None.
*
* Returns: 0 => success
*
****************************************************************************/
int SetPktProcessor()
{
switch (datalink)
{
case DLT_EN10MB: /* Ethernet */
if (!pv.readmode_flag)
printf(" => Decoding Ethernet on interface %s\n", pv.interface);
else
printf("Entering readback mode....\n");
grinder = DecodeEthPkt;
break;
case 13:
case DLT_IEEE802: /* Token Ring */
if (!pv.readmode_flag)
printf(" => Decoding Token Ring on interface %s\n", pv.interface);
else
printf("Entering readback mode...\n");
grinder = DecodeTRPkt;
break;
case DLT_FDDI: /* FDDI */
if (!pv.readmode_flag)
{
printf(" => Decoding FDDI on interface %s\n", pv.interface);
}
else
{
printf("Entering readback mode...\n");
}
grinder = DecodeFDDIPkt;
break;
case DLT_SLIP: /* Serial Line Internet Protocol */
if (!pv.readmode_flag)
printf(" => Decoding Slip on interface %s\n", pv.interface);
else
printf("Entering readback mode....\n");
if (pv.show2hdr_flag == 1)
{
printf("Second layer header parsing for this datalink "
"isn't implemented yet\n");
pv.show2hdr_flag = 0;
}
grinder = DecodeSlipPkt;
break;
case DLT_PPP: /* point-to-point protocol */
if (!pv.readmode_flag)
printf(" => Decoding PPP on interface %s\n", pv.interface);
else
printf("Entering readback mode....\n");
if (pv.show2hdr_flag == 1)
{
/* do we need ppp header showup? it's only 4 bytes anyway ;-) */
printf("Second layer header parsing for this datalink "
"isn't implemented yet\n");
pv.show2hdr_flag = 0;
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -