<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>CTerm非常精华下载</title>
</head>
<body bgcolor="#FFFFFF">
<table border="0" width="100%" cellspacing="0" cellpadding="0" height="577">
<tr><td width="32%" rowspan="3" height="123"><img src="DDl_back.jpg" width="300" height="129" alt="DDl_back.jpg"></td><td width="30%" background="DDl_back2.jpg" height="35"><p align="center"><a href="http://apue.dhs.org"><font face="黑体"><big><big>apue</big></big></font></a></td></tr>
<tr>
<td width="68%" background="DDl_back2.jpg" height="44"><big><big><font face="黑体"><p align="center"> ● UNIX网络编程 (BM: clown) </font></big></big></td></tr>
<tr>
<td width="68%" height="44" bgcolor="#000000"><font face="黑体"><big><big><p align="center"></big></big><a href="http://cterm.163.net"><img src="banner.gif" width="400" height="60" alt="banner.gif"border="0"></a></font></td>
</tr>
<tr><td width="100%" colspan="2" height="100" align="center" valign="top"><br><p align="center">[<a href="index.htm">回到开始</a>][<a href="517.htm">上一层</a>][<a href="552.htm">下一篇</a>]
<hr><p align="left"><small>:回复:网络安全工具开发函数库介绍之三——libnids(续) <br>
---------------------------------------------------------------------------- <br>
---- <br>
: backend 于 00-7-17 14:50:32 加贴在 绿盟科技论坛(bbs.nsfocus.com)--UNIX系统安 <br>
:全: <br>
:绿色兵团版权所有。未经允许,不得转载! <br>
:---[[ libnids应用实例 ]]---------------------------------- <br>
______________ <br>
:1、nids_next()函数的应用 <br>
============================ cut here ============================ <br>
/* <br>
This is an example how one can use nids_getfd() and nids_next() functions. <br>
You can replace printall.c's function main with this file. <br>
*/ <br>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/select.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>
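int
main ()
{
  /* Drive libnids from a select() loop instead of nids_run(): the capture
   * descriptor from nids_getfd() is polled with a one-second timeout so
   * other descriptors can be serviced in the same loop, and nids_next()
   * processes one packet per readiness.  Needs nids.h, tcp_callback and
   * nids_errbuf from printall.c (this file only replaces its main()).
   * Returns 0 when nids_next() reports nothing more to read, 1 if
   * select() fails for a reason other than an interrupting signal, and
   * exits with status 1 when nids_init() fails.
   * Fixes relative to the listing: the duplicate "int fd;" declaration
   * and the unbalanced FD_ISSET parenthesis, and a failing select()
   * (which returns -1, truthy for the original test) no longer spins. */
  // here we can alter libnids params, for instance:
  // nids_params.n_hosts=256;
  int fd;
  int idle_ticks = 0;          /* printed once per select() timeout */
  fd_set rset;
  struct timeval tv;

  if (!nids_init ())
    {
      fprintf (stderr, "%s\n", nids_errbuf);
      exit (1);
    }
  nids_register_tcp (tcp_callback);
  fd = nids_getfd ();
  for (;;)
    {
      /* select() may modify tv and rset, so both are rebuilt every round. */
      tv.tv_sec = 1;
      tv.tv_usec = 0;
      FD_ZERO (&rset);
      FD_SET (fd, &rset);
      // add any other fd we need to take care of
      int ready = select (fd + 1, &rset, 0, 0, &tv);
      if (ready < 0)
        {
          /* A signal is not fatal; any other error would otherwise
           * keep failing on every iteration. */
          if (errno == EINTR)
            continue;
          perror ("select");
          return 1;
        }
      if (ready == 0)
        {
          fprintf (stderr, "%i ", idle_ticks++);
          continue;
        }
      // need to test it if there are other fd in rset
      if (FD_ISSET (fd, &rset))
        if (!nids_next ())
          break;
    }
  return 0;
}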
============================ cut here ============================ <br>
:2、Simple sniffer <br>
============================ cut here ============================ <br>
/* <br>
Copyright (c) 1999 Rafal Wojtczuk <nergal@avet.com.pl>. All rights reserved. <br>
See the file COPYING for license details. <br>
*/ <br>
#include <sys/types.h> <br>
#include <sys/socket.h> <br>
#include <netinet/in.h> <br>
#include <netinet/in_systm.h> <br>
#include <arpa/inet.h> <br>
#include <stdio.h> <br>
#include <fcntl.h> <br>
#include "nids.h" <br>
#define LOG_MAX 100 <br>
#define SZLACZEK "\n--------------------------------------------------\n" <br>
#define int_ntoa(x) inet_ntoa(*((struct in_addr *)&x)) <br>
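char *
adres (struct tuple4 addr)
{
  /* Format addr as "SRC,SPORT,DST,DPORT : " for log records.
   * Returns a pointer to static storage: it is overwritten by the next
   * call (and shared by every stream), so consume it before calling
   * adres() again and never free() it.  inet_ntoa() also returns a static
   * buffer, which is why each half is formatted before the next conversion.
   * Both writes are bounded by sizeof buf; with valid dotted quads and
   * 16-bit ports the original strcpy/strcat chain could not overflow 256
   * bytes either, but the bound makes that independent of the inputs. */
  static char buf[256];
  int n;

  n = snprintf (buf, sizeof buf, "%s,%i,", int_ntoa (addr.saddr), addr.source);
  if (n < 0)
    {
      buf[0] = 0;
      return buf;
    }
  if ((size_t) n >= sizeof buf)
    return buf;           /* truncated but NUL-terminated */
  snprintf (buf + n, sizeof buf - (size_t) n, "%s,%i : ",
            int_ntoa (addr.daddr), addr.dest);
  return buf;
}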
int logfd;   /* ./logfile, opened O_WRONLY|O_CREAT|O_TRUNC mode 0600 by main(); written only by do_log() */
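/* Write all of len bytes at p to fd, retrying on short writes.
 * Returns 0 on success, -1 when write() fails. */
static int
write_full (int fd, const void *p, size_t len)
{
  const char *s = p;
  while (len > 0)
    {
      ssize_t w = write (fd, s, len);
      if (w < 0)
        return -1;
      s += w;
      len -= (size_t) w;
    }
  return 0;
}

void
do_log (char *adres_txt, char *data, int ile)
{
  /* Append one record to logfd: the connection string from adres(), then
   * `ile` raw bytes of captured data, then the SZLACZEK separator line.
   * The payload is written verbatim -- it is network data chosen by the
   * peer, so whatever later reads ./logfile must treat it as untrusted
   * (terminal escape sequences included).  ile <= 0 writes no payload.
   * Unlike the original, short writes are completed and a failed write()
   * is reported on stderr instead of being silently ignored.
   * Note: this listing uses strlen() and write() without including
   * <string.h> and <unistd.h>; those headers are needed to build it.
   * The stray "}" that followed the original function has been dropped. */
  if (write_full (logfd, adres_txt, strlen (adres_txt)) < 0
      || (ile > 0 && write_full (logfd, data, (size_t) ile) < 0)
      || write_full (logfd, SZLACZEK, strlen (SZLACZEK)) < 0)
    perror ("writing ./logfile");
}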
void
sniff_callback (struct tcp_stream *a_tcp, void **this_time_not_needed)
{
  /* libnids TCP callback.  When a connection is established to one of the
   * ports below, ask libnids to collect the client->server data.  Once at
   * least LOG_MAX bytes are buffered, log the first LOG_MAX of them and
   * stop collecting.  Any other state change (the stream is closing) logs
   * whatever is still buffered.  this_time_not_needed is libnids'
   * per-stream private-data slot; this callback does not use it. */
  int buffered;

  (void) this_time_not_needed;

  switch (a_tcp->nids_state)
    {
    case NIDS_JUST_EST:
      /* well-known ports: ftp, telnet, pop3, imap, login */
      switch (a_tcp->addr.dest)
        {
        case 21:
        case 23:
        case 110:
        case 143:
        case 513:
          a_tcp->server.collect++;
          break;
        default:
          break;
        }
      return;
    case NIDS_DATA:
      break;
    default:
      // seems the stream is closing, log as much as possible
      do_log (adres (a_tcp->addr), a_tcp->server.data,
              a_tcp->server.count - a_tcp->server.offset);
      return;
    }

  buffered = a_tcp->server.count - a_tcp->server.offset;
  if (buffered < LOG_MAX)
    {
      // we haven't got enough data yet; keep all of it
      nids_discard (a_tcp, 0);
      return;
    }
  // enough data
  do_log (adres (a_tcp->addr), a_tcp->server.data, LOG_MAX);
  // Now procedure sniff_callback doesn't want to see this stream anymore.
  // So, we decrease all the "collect" fields we have previously increased.
  // If there were other callbacks following a_tcp stream, they would still
  // receive data
  a_tcp->server.collect--;
}
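int
main ()
{
  /* Open the capture log, initialise libnids, register sniff_callback and
   * hand control to nids_run(), which is not expected to return.
   * The log is created with mode 0600 and truncated, so the captured
   * client->server data (the opening bytes of login-protocol sessions)
   * is readable only by the owner.
   * Exits with status 1 if the log cannot be opened or nids_init() fails.
   * The stray "{" inside the nids_init() failure branch of the listing
   * has been removed. */
  logfd = open ("./logfile", O_WRONLY | O_CREAT | O_TRUNC, 0600);
  if (logfd < 0)
    {
      perror ("opening ./logfile:");
      exit (1);
    }
  if (!nids_init ())
    {
      fprintf (stderr, "%s\n", nids_errbuf);
      exit (1);
    }
  nids_register_tcp (sniff_callback);
  nids_run ();
  return 0;
}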
============================ cut here ============================ <br>
:3、Wu-FTPd overflow attack detector <br>
============================ cut here ============================ <br>
/* <br>
Copyright (c) 1999 Rafal Wojtczuk <nergal@avet.com.pl>. All rights reserved. <br>
<br>
See the file COPYING for license details. <br>
*/ <br>
/* <br>
This code attempts to detect attacks against imapd (AUTHENTICATE hole) and <br>
wuftpd (creation of deep directory). This code is to illustrate use of libnids; <br>
in order to improve readability, some simplifications were made, which enable <br>
an attacker to bypass this code (note, the below routines should be improved, <br>
not libnids) <br>
*/ <br>
#include <sys/types.h> <br>
#include <sys/socket.h> <br>
#include <netinet/in.h> <br>
#include <netinet/in_systm.h> <br>
#include <arpa/inet.h> <br>
#include <stdio.h> <br>
#include <stdlib.h> <br>
#include <string.h> <br>
#include <syslog.h> <br>
#include "nids.h" <br>
#define int_ntoa(x) inet_ntoa(*((struct in_addr *)&x)) <br>
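char *
adres (struct tuple4 addr)
{
  /* Format addr as "SRC,SPORT,DST,DPORT" for the syslog messages.
   * Returns a pointer to static storage: it is overwritten by the next
   * call (and shared by every stream), so consume it before calling
   * adres() again and never free() it.  inet_ntoa() also returns a static
   * buffer, which is why each half is formatted before the next conversion.
   * Both writes are bounded by sizeof buf; with valid dotted quads and
   * 16-bit ports the original strcpy/strcat chain could not overflow 256
   * bytes either, but the bound makes that independent of the inputs. */
  static char buf[256];
  int n;

  n = snprintf (buf, sizeof buf, "%s,%i,", int_ntoa (addr.saddr), addr.source);
  if (n < 0)
    {
      buf[0] = 0;
      return buf;
    }
  if ((size_t) n >= sizeof buf)
    return buf;           /* truncated but NUL-terminated */
  snprintf (buf + n, sizeof buf - (size_t) n, "%s,%i",
            int_ntoa (addr.daddr), addr.dest);
  return buf;
}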
/* <br>
if we find a pattern AUTHENTICATE {an_int} in data stream sent to an imap <br>
server, where an_int > 1024, it means a buffer overflow attempt. We kill the <br>
connection. <br>
*/ <br>
#define PATTERN "AUTHENTICATE {" <br>
#define PATLEN strlen(PATTERN) <br>
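/* Parse the decimal literal size found between "AUTHENTICATE {" and '}'
 * the way atoi() reads it (optional leading blanks and sign, stop at the
 * first non-digit) without copying it anywhere.  s is not NUL-terminated;
 * exactly len bytes may be read.  Once the value is known to exceed 1024
 * the scan stops and 1025 is returned (0 for a negative number), so the
 * caller only needs the comparison and arbitrarily long digit strings
 * cost no extra memory and cannot overflow an int. */
static int
parse_literal_size (const char *s, int len)
{
  int k = 0, value = 0, negative = 0;

  while (k < len && (s[k] == ' ' || s[k] == '\t' || s[k] == '\n'
                     || s[k] == '\r' || s[k] == '\f' || s[k] == '\v'))
    k++;
  if (k < len && (s[k] == '+' || s[k] == '-'))
    negative = (s[k++] == '-');
  for (; k < len && s[k] >= '0' && s[k] <= '9'; k++)
    {
      value = value * 10 + (s[k] - '0');
      if (value > 1024)
        return negative ? 0 : 1025;
    }
  return negative ? -value : value;
}

void
detect_imap (struct tcp_stream *a_tcp)
{
  /* libnids TCP callback.  Collects client->server data of connections to
   * port 143 and scans it for "AUTHENTICATE {<n>}"; an <n> greater than
   * 1024 is reported via syslog and the connection is killed.
   *
   * The literal size is now parsed in place.  The original copied it with
   * memcpy() into a 30-byte stack array using a length taken from the
   * stream, and its "no closing brace" test (j > datalen) could never be
   * true because the search loop stops at j == datalen -- so an overlong
   * argument overflowed the detector's own stack.  That test is now
   * j >= datalen and no fixed buffer is involved.
   * Leading PATLEN-1 bytes are kept in the buffer between calls so a
   * pattern split across two segments is still found. */
  int i, j, datalen;
  const int patlen = (int) PATLEN;
  struct half_stream *hlf;

  if (a_tcp->nids_state == NIDS_JUST_EST)
    {
      if (a_tcp->addr.dest == 143)
        a_tcp->server.collect++;
      return;
    }
  if (a_tcp->nids_state != NIDS_DATA)
    return;
  hlf = &a_tcp->server;
  datalen = hlf->count - hlf->offset;
  if (datalen < patlen)
    {
      // we have too small amount of data to work on. Keep all data in buffer.
      nids_discard (a_tcp, 0);
      return;
    }
  for (i = 0; i <= datalen - patlen; i++)
    if (!memcmp (PATTERN, hlf->data + i, patlen)) //searching for a pattern
      break;
  if (i > datalen - patlen)
    {
      // retain PATLEN bytes in buffer
      nids_discard (a_tcp, datalen - patlen);
      return;
    }
  for (j = i + patlen; j < datalen; j++) // searching for a closing '}'
    if (hlf->data[j] == '}')
      break;
  if (j >= datalen)
    {
      /* No closing brace in the buffered data yet.  As in the original,
       * nothing is discarded explicitly here, so what libnids keeps for
       * the next call is its default behaviour (not visible in this file).
       * A long unterminated argument (datalen > 20) would itself be worth
       * logging, as the original comment noted. */
      return;
    }
  if (parse_literal_size (hlf->data + i + patlen, j - (i + patlen)) > 1024)
    {
      // notify admin
      syslog (nids_params.syslog_level,
              "Imapd exploit attempt, connection %s\n", adres (a_tcp->addr));
      // kill the connection
      nids_killtcp (a_tcp);
    }
  nids_discard (a_tcp, datalen - patlen);
}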
// auxiliary structure, needed to keep current dir of ftpd daemon
// (one per tracked port-21 stream, allocated/freed by detect_ftpd)
struct supp
{
  char *currdir;      // malloc'd path buffer (1024 bytes) the session is believed to be in; starts as "/"
  int last_newline;   // absolute stream offset of the last '\n' already parsed by do_detect_ftp()
};
// the below function adds "elem" string to "path" string, taking care of <br>
// ".." and multiple '/'. If the resulting path is longer than 768, <br>
// return value is 1, otherwise 0 <br>
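int
add_to_path (char *path, char *elem, int len)
{
  /* Append one path component to path, resolving ".." and ignoring the empty
   * components produced by "//" or a trailing '/'.
   * path: NUL-terminated path in the caller's buffer (detect_ftpd allocates
   *       1024 bytes for it) that starts with '/'.
   * elem: the component, NOT NUL-terminated; exactly len bytes are read.
   * len:  component length; len <= 0 is a no-op.
   * Returns 1 when the component itself or the resulting path would exceed
   * 768 bytes (the caller reports this as a deep-directory attack), else 0.
   * Fixes relative to the listing: the duplicated "return 1;" that made the
   * whole body unreachable and the stray closing brace are gone; ".." on a
   * single-component path now yields "/" (the original skipped the
   * truncation when the only '/' was the leading one, so "/usr" followed by
   * ".." stayed "/usr" and the tracked depth drifted upwards); and a path
   * without any '/' is left untouched instead of dereferencing NULL. */
  const int limit = 768;
  size_t plen;

  if (len > limit)
    return 1;
  if (len == 2 && elem[0] == '.' && elem[1] == '.')
    {
      char *slash = strrchr (path, '/');
      if (slash == NULL)
        return 0;             /* no directory separator: nothing to strip */
      if (slash == path)
        path[1] = 0;          /* "/x" -> "/" */
      else
        *slash = 0;           /* "/a/b" -> "/a" */
      return 0;
    }
  if (len <= 0)
    return 0;
  plen = strlen (path);
  if (plen + (size_t) len + 1 > (size_t) limit)
    return 1;
  /* Add a separator unless the path already ends in one (the root "/"). */
  if (plen == 0 || path[plen - 1] != '/')
    path[plen++] = '/';
  memcpy (path + plen, elem, (size_t) len);
  path[plen + (size_t) len] = 0;
  return 0;
}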
void
do_detect_ftp (struct tcp_stream *a_tcp, struct supp **param_ptr)
{
  /* Scan the buffered client->server FTP commands of a_tcp for "cwd " lines
   * (case-insensitive) and replay each path onto (*param_ptr)->currdir with
   * add_to_path(), one '/'-separated component at a time.  Only complete
   * lines (terminated by '\n') are parsed; a partial trailing line stays in
   * the buffer for the next call.  index/index2/path_index/pi2 are absolute
   * stream offsets; buf[x - offset] maps them into the current data window.
   * When add_to_path() reports an over-long path the event is sent to syslog
   * and the function returns early, without updating last_newline or calling
   * nids_discard(); what libnids then keeps of the buffer is its default
   * behaviour, not visible here.  The original comment notes the connection
   * could be killed at that point. */
  struct supp *p = *param_ptr;
  int index = p->last_newline + 1;        // first byte not yet parsed (absolute offset)
  char *buf = a_tcp->server.data;
  int offset = a_tcp->server.offset;      // absolute offset of buf[0]
  int n_bytes = a_tcp->server.count - offset;
  int path_index, pi2, index2, remcaret;
  for (;;)
    {
      // locate the '\n' ending the line that starts at index; stop if the line is incomplete
      index2 = index;
      while (index2 - offset < n_bytes && buf[index2 - offset] != '\n')
        index2++;
      if (index2 - offset >= n_bytes)
        break;
      if (!strncasecmp (buf + index - offset, "cwd ", 4))
        {
          path_index = index + 4;
          if (buf[path_index - offset] == '/')
            {
              // absolute path: restart from the root
              strcpy (p->currdir, "/");
              path_index++;
            }
          for (;;)
            {
              // one component: up to the next '/' or the end of the line
              // (the loop is bounded by the '\n' found at index2)
              pi2 = path_index;
              while (buf[pi2 - offset] != '\n' && buf[pi2 - offset] != '/')
                pi2++;
              // strip the '\r' of a CRLF line ending from the last component
              if (buf[pi2-offset]=='\n' && buf[pi2-offset-1]=='\r')
                remcaret=1;
              else remcaret=0;
              if (add_to_path (p->currdir, buf + path_index-offset, pi2 - path_index-remcaret))
                {
                  // notify admin
                  syslog(nids_params.syslog_level,
                         "Ftpd exploit attempt, connection %s\n",adres(a_tcp->addr));
                  // Kill this connection here if necessary.
                  return;
                }
              if (buf[pi2 - offset] == '\n')
                break;
              path_index = pi2 + 1;
            }
        }
      index = index2 + 1;
    }
  p->last_newline = index - 1;            // the '\n' of the last fully parsed line
  nids_discard (a_tcp, index - offset);   // drop everything already parsed
}
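void
detect_ftpd (struct tcp_stream *a_tcp, struct supp **param)
{
  /* libnids TCP callback for FTP control connections (destination port 21).
   * param is libnids' per-stream private-data slot, assumed to start out
   * NULL: on NIDS_JUST_EST a struct supp is allocated into it for port-21
   * streams, on NIDS_DATA the buffered commands go to do_detect_ftp(), and
   * on any other state (the stream is closing) the allocation is released.
   * Fixes relative to the listing: allocation failures no longer lead to
   * a NULL dereference (the stream is simply not tracked); the close path
   * frees only what was allocated and clears the slot, so a state change
   * for a stream this callback never tracked is harmless; and last_newline
   * starts at -1 so do_detect_ftp()'s first scan begins at stream byte 0
   * (it reads from last_newline + 1) instead of skipping the first byte. */
  if (a_tcp->nids_state == NIDS_JUST_EST)
    {
      if (a_tcp->addr.dest == 21)
        {
          struct supp *one_for_conn = malloc (sizeof *one_for_conn);
          if (one_for_conn == NULL)
            return;           /* cannot track this stream; leave collect alone */
          one_for_conn->currdir = malloc (1024);
          if (one_for_conn->currdir == NULL)
            {
              free (one_for_conn);
              return;
            }
          strcpy (one_for_conn->currdir, "/");
          one_for_conn->last_newline = -1;
          a_tcp->server.collect++;
          *param = one_for_conn;
        }
      return;
    }
  if (a_tcp->nids_state != NIDS_DATA)
    {
      if (*param != NULL)
        {
          free ((*param)->currdir);
          free (*param);
          *param = NULL;
        }
      return;
    }
  if (*param != NULL)
    do_detect_ftp (a_tcp, param);
}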
int
main ()
{
  /* Initialise libnids, register both detectors on the TCP callback list
   * and hand control to nids_run().  Exits with status 1, printing
   * nids_errbuf, when nids_init() fails. */
  if (nids_init () == 0)
    {
      fprintf (stderr, "%s\n", nids_errbuf);
      exit (1);
    }
  nids_register_tcp (detect_imap);
  nids_register_tcp (detect_ftpd);
  nids_run ();
  return 0;
}
============================ cut here ============================ <br>
<<< 待续 >>> <br>
绿色兵团版权所有。未经允许,不得转载! <br>
=== 说难不难,说易不易。=== <br>
</small><hr>
<p align="center">[<a href="index.htm">回到开始</a>][<a href="517.htm">上一层</a>][<a href="552.htm">下一篇</a>]
<p align="center"><a href="http://cterm.163.net">欢迎访问Cterm主页</a></p>
</table>
</body>
</html>