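//find.c
#include "find.h"

/*
 * Byte counts that GetBit() is asked to read from each header.  Judging by
 * the call sites below, GetBit(p, n) consumes n bytes starting at p and does
 * not advance p (the ARP branch advances ia_index by hand), so every read
 * must be covered by pkthdr->caplen -- the number of bytes libpcap actually
 * copied -- and never by a length field taken from the packet itself.
 */
enum {
    MIN_IP_HDR_LEN  = 20,   /* fixed IPv4 header; also what GetBit() reads from it */
    TCP_FEATURE_LEN = 16,   /* ports (4) + skipped seq/ack (8) + offset/flags/window (4) */
    L4_FEATURE_LEN  = 8     /* bytes read from a UDP, ICMP or IGMP header */
};

/*
 * Number of transport-header bytes the feature extraction below needs for
 * IP protocol `proto`, or 0 when the protocol is not handled.
 */
static unsigned int l4_feature_len(int proto)
{
    switch (proto) {
    case IPPROTO_TCP:
        return TCP_FEATURE_LEN;
    case IPPROTO_UDP:
    case IPPROTO_ICMP:
    case IPPROTO_IGMP:
        return L4_FEATURE_LEN;
    default:
        return 0;
    }
}

/*
 * Hand the feature vector pp[] to the ART network.
 *
 * In study mode (study_detect != 0) the vector is only learned.  In detect
 * mode it is classified and, when the network flags it, an intrusion record
 * of type intru_code is written through PrintIntru().
 *
 * @param intru_code  PrintIntru() code to report (0 = IP packet, 1 = ARP packet).
 * @param layer       Layer name, used only in DEBUG3 output.
 */
static void feed_neural(int intru_code, const char *layer)
{
    (void)layer;
    if (study_detect) {
#ifdef DEBUG3
        int i;
        printf("goto artstudy()%s!\n", layer);
        for (i = 0; i < S1; i++) {
            printf("%d", pp[i]);
            if ((i + 1) % 32 == 0) {
                printf("\n");
            }
        }
        printf("\n");
#endif
        ArtStudy(pp);
        return;
    }
    if (ArtDetect(pp)) {
        PrintIntru(intru_code);
    }
#ifdef DEBUG
    printf("printintru %d\n", intru_code);
#endif
}

/*
 * pcap callback: build the per-packet feature vector pp[] from the Ethernet,
 * IP/ARP and transport headers and feed it to the ART network.
 *
 * Every byte read from pkt is first checked against pkthdr->caplen.  Header
 * length fields carried in the packet (ip_hl) are untrusted input and are
 * validated against caplen before they are used as offsets.  A truncated or
 * malformed header is reported through PrintIntru() in detect mode and
 * silently dropped in study mode; eth_type is only assigned once the full
 * Ethernet header is known to be present.
 *
 * @param user    libpcap user argument (unused).
 * @param pkthdr  capture header; caplen bounds every read from pkt.
 * @param pkt     captured frame, starting at the Ethernet header.
 */
void GetEthernet(char *user, struct pcap_pkthdr *pkthdr, u_char *pkt)
{
    int i;
    unsigned int ip_hlen;    /* IP header length in bytes, from ip_hl */
    unsigned int l4_avail;   /* captured bytes remaining after the IP header */
    unsigned int l4_need;    /* transport bytes the extraction will read */

    (void)user;
    s_time = ctime((const time_t *)&pkthdr->ts.tv_sec);

    if (ctrl_c) {
        over_for = (study_detect == 1) ? 3 : 1;
        pcap_close(hand);
#ifdef DEBUG3
        printf("now is getethernet ctrl_c is true!\n");
#endif
        return;
    }

    /* Reset the feature vector for this packet.
     * NOTE(review): 230 is the vector length assumed here; confirm it against
     * the declaration of pp in find.h. */
    pnp = 0;
    for (i = 0; i < 230; i++) {
        pp[i] = 0;
    }

    eth_index = pkt;
    eh = (struct ether_header *)eth_index;
#ifdef DEBUG
    printf("no caplen:%u===\n", pkthdr->caplen);
#endif
    /* The Ethernet header must be fully captured before any field is read. */
    if (pkthdr->caplen < ETHER_HEADER_LEN) {
        if (study_detect) {
            return;
        }
        PrintIntru(2);
        return;
    }
    eth_type = ntohs(eh->ether_type);   /* ether_type is in network byte order */

    switch (eth_type) {
    case ETHERTYPE_IP:
        ia_index = eth_index + ETHER_HEADER_LEN;
        iph = (struct ip *)ia_index;
        /* The fixed 20-byte header must be present before ip_hl is read. */
        if (pkthdr->caplen - ETHER_HEADER_LEN < MIN_IP_HDR_LEN) {
            if (study_detect) {
                return;
            }
            PrintIntru(3);
            return;
        }
        ip_hlen = iph->ip_hl * 4u;   /* ip_hl counts 32-bit words */
        /* ip_hl below 5 is malformed; above the capture it would make the
         * transport offset point past the captured bytes. */
        if (ip_hlen < MIN_IP_HDR_LEN ||
            pkthdr->caplen - ETHER_HEADER_LEN < ip_hlen) {
            if (study_detect) {
                return;
            }
            PrintIntru(3);
            return;
        }
#ifdef DEBUG
        printf("ia_index first is %p\n", (void *)ia_index);
        printf("first ia_index is %d\n", *ia_index);
#endif
        GetBit(ia_index, MIN_IP_HDR_LEN);
#ifdef DEBUG
        printf("ia_index now is %p\n", (void *)ia_index);
#endif
        break;

    case ETHERTYPE_ARP:
    case ETHERTYPE_REVARP:
        ia_index = eth_index + ETHER_HEADER_LEN;
        arph = (struct ether_arp *)ia_index;
        if (pkthdr->caplen - ETHER_HEADER_LEN < sizeof(struct ether_arp)) {
            if (study_detect) {
                return;
            }
            PrintIntru(4);
            return;
        }
        /* Offsets 0-4: the first 5 bytes of the 8-byte ea_hdr. */
        GetBit(ia_index, 5);
        /* NOTE(review): offset 11 lies inside arp_sha (bytes 8-13) rather
         * than at arp_spa (bytes 14-17) as the original comment claimed; the
         * offsets are kept as they are because the trained network depends
         * on exactly these bytes.  All reads stay inside the 28-byte struct. */
        ia_index = ia_index + 5 + 6;
        GetBit(ia_index, 4);
        ia_index = ia_index + 4 + 6;    /* offset 21: tail of arp_tha, first byte of arp_tpa */
        GetBit(ia_index, 4);
        feed_neural(1, "arp");
        return;

    default:
        if (study_detect) {
            return;
        }
        PrintIntru(5);
        return;
    }

    /* Only IP reaches this point; ip_hlen was validated above, so the
     * subtraction cannot wrap. */
    tuii_index = ia_index + ip_hlen;
    l4_avail = pkthdr->caplen - ETHER_HEADER_LEN - ip_hlen;
#ifdef DEBUG
    printf("tuii_index first is %p\n", (void *)tuii_index);
    printf("ip_p start\n");
    printf("ip_p:%d\n", iph->ip_p);
#endif
    l4_need = l4_feature_len(iph->ip_p);
    if (l4_need == 0) {
#ifdef DEBUG3
        printf("no ip type!\n");
#endif
        return;
    }
    /* A transport header shorter than the capture is treated like a bad IP
     * datagram (code 3): the original code read past caplen here. */
    if (l4_avail < l4_need) {
        if (study_detect) {
            return;
        }
        PrintIntru(3);
        return;
    }

    switch (iph->ip_p) {
    case IPPROTO_TCP:
        tcph = (struct tcphdr *)tuii_index;
        GetBit(tuii_index, 4);              /* source and destination ports */
#ifdef DEBUG
        printf("tuii_index tcp_1 is %p\n", (void *)tuii_index);
#endif
        tuii_index = tuii_index + 4 + 8;    /* skip sequence and acknowledgement numbers */
#ifdef DEBUG
        printf("tuii_index+4+8 is %p\n", (void *)tuii_index);
#endif
        GetBit(tuii_index, 4);              /* data offset, flags, window size */
        break;
    case IPPROTO_UDP:
        udph = (struct udphdr *)tuii_index;
#ifdef DEBUG
        printf("tuii_index udp_1 is %p\n", (void *)tuii_index);
#endif
        GetBit(tuii_index, L4_FEATURE_LEN);
        break;
    case IPPROTO_ICMP:
        icmph = (struct icmphdr *)tuii_index;
#ifdef DEBUG
        printf("tuii_index icmp_1 is %p\n", (void *)tuii_index);
#endif
        GetBit(tuii_index, L4_FEATURE_LEN);
        break;
    case IPPROTO_IGMP:
        igmph = (struct igmp *)tuii_index;
#ifdef DEBUG
        printf("tuii_index igmp_1 is %p\n", (void *)tuii_index);
#endif
        GetBit(tuii_index, L4_FEATURE_LEN);
        break;
    default:
        /* unreachable: l4_feature_len() already rejected unknown protocols */
        return;
    }

#ifdef DEBUG
    printf("before printintru 0\n");
#endif
    feed_neural(0, "ip");
}

/*
 * pcap callback that ignores every packet.  Empty placeholder; from the name
 * it is presumably meant for raw-IP captures, but nothing is implemented.
 */
void GetRawIP(char *user, struct pcap_pkthdr *pkthdr, u_char *pkt)
{
    (void)user;
    (void)pkthdr;
    (void)pkt;
}

/*
 * PrintIntru(int x): append an intrusion record to intru.txt.
 * Codes as used by GetEthernet() above:
 *   x == 0  the ART network flagged an IP packet
 *   x == 1  the ART network flagged an ARP packet
 *   x == 2  Ethernet header truncated
 *   x == 3  IP header truncated or malformed
 *   x == 4  ARP header truncated
 *   x == 5  unsupported Ethernet type
 . . . . 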
.*****************************/void PrintIntru(int x){ int iph_rf,iph_mf,iph_df; char rdmf[3]; char icmpt[50]; char arp_str[20]; strcpy(p_intru,intru_file); strcat(p_intru,"/intru.txt"); if((f_intru=fopen(p_intru,"a+"))==NULL) { if(mkdir(intru_file,S_IRWXU)<0) { printf("mkdir %s failed:%s!\n",intru_file,strerror(errno)); exit(1); } if((f_intru=fopen(p_intru,"a+"))==NULL) { printf("open file intru.txt to write failed:%s!\n",strerror(errno)); exit(1); } } fprintf(f_intru,"\n-------------------------------ANNIDS-------------------------------\n%s\n",s_time); switch(x) { case 0: /* //part of ether memcpy(pinfo.eth_dhost,eh->ether_dhost,6); memcpy(pinfo.eth_shost,eh->ether_shost,6); pinfo.eth_type=ntohs(eh->ether_type); //part of ip pinfo.iph_hl=ntohl(iph->ip_hl); pinfo.iph_v=ntohl(iph->ip_v); pinfo.iph_ttl=ntohs(iph->ip_ttl); pinfo.iph_len=ntohs(iph->ip_len); pinfo.iph_tos=ntohs(iph->ip_tos); pinfo.iph_id=ntohs(iph->ip_id); pinfo.iph_off=ntohs(iph->ip_off); pinfo.iph_sum=ntohs(iph->ip_sum); pinfo.iph_rf=(pinfo.iph_off & 0x8000) >> 15; pinfo.iph_df=(pinfo.iph_off & 0x4000) >> 14; pinfo.iph_mf=(pinfo.iph_off & 0x2000) >> 13; pinfo.iph_src=iph->ip_src; pinfo.iph_dst=iph->ip_dst; */ iph_rf=(ntohs(iph->ip_off) & 0x8000) >>15; iph_df=(ntohs(iph->ip_off) & 0x4000) >>14; iph_mf=(ntohs(iph->ip_off) & 0x2000) >>13; if(iph_rf) { strcpy(rdmf,"RF"); } else { if(iph_df) { strcpy(rdmf,"DF");