find.c~

一个入侵检测小程序,用C编写,linux环境

	    }
	  else
	    {
	      strcpy(rdmf,"MF");
	    }
	}


      fprintf(f_intru,"[Ethernet]:%X:%X:%X:%X:%X:%X -> %X:%X:%X:%X:%X:%X \n",eh->ether_shost[0],eh->ether_shost[1],eh->ether_shost[2],eh->ether_shost[3],eh->ether_shost[4],eh->ether_shost[5],eh->ether_dhost[0],eh->ether_dhost[1],eh->ether_dhost[2],eh->ether_dhost[3],eh->ether_dhost[4],eh->ether_dhost[5]);

      fprintf(f_intru,"[IP]:%s -> %s \n",inet_ntoa(iph->ip_src),inet_ntoa(iph->ip_dst));
      fprintf(f_intru,"     Version:%d,IHL:%d,Type of service:%c,Total length:%d,Identification:%d,Fragment:%s \n",iph->ip_v,iph->ip_hl,iph->ip_tos,iph->ip_len,iph->ip_id,rdmf); 
      switch(iph->ip_p)
	{
	case IPPROTO_TCP:
	  /*
	  pinfo.tcph_sport=ntohs(tcph->th_sport);
	  pinfo.tcph_dport=ntohs(tcph->th_dport);
	  pinfo.tcph_seq=ntohl(tcph->th_seq);
	  pinfo.tcph_ack=ntohl(tcph->th_ack);
          pinfo.tcph_off=tcph->th_off*4;//how many bytes are contained in the TCP header 
	  pinfo.tcph_flags=tcph->th_flags;
	  pinfo.tcph_win=ntohs(tcph->th_win);
	  pinfo.tcph_sum=ntohs(tcph->th_sum);
	  pinfo.tcph_urp=ntohs(tcph->th_urp);
	  */

	  fprintf(f_intru,"     [TCP]:%d -> %d\n",ntohs(tcph->th_sport),ntohs(tcph->th_dport));
	  fprintf(f_intru,"           SEQ:%d,ACK:%d,WIN:%d,SUM:%d,URP:%d,Flags:",tcph->th_seq,tcph->th_ack,tcph->th_win,tcph->th_sum,tcph->th_urp);
	  if(tcph->th_flags & TH_SYN) 
		fprintf(f_intru,"TH_SYN,");
	  if(tcph->th_flags & TH_FIN) 
		fprintf(f_intru,"TH_FIN,");
	  if(tcph->th_flags & TH_RST)
		fprintf(f_intru,"TH_RST,");
	  if(tcph->th_flags & TH_PUSH) 
		fprintf(f_intru,"TH_PUSH,");
	  if(tcph->th_flags & TH_ACK) 
		fprintf(f_intru,"TH_ACK,");
	  if(tcph->th_flags & TH_URG) 
		fprintf(f_intru,"TH_URG ");

	  fprintf(f_intru,"\n");

	  break;
	case IPPROTO_UDP:

	  /*
	  pinfo.udph_sport=ntohs(udph->uh_sport);
	  pinfo.udph_dport=ntohs(udph->uh_dport);
	  pinfo.udph_ulen=ntohs(udph->uh_ulen);
	  pinfo.udph_sum=ntohs(udph->uh_sum);
	  */
	  fprintf(f_intru,"     [UDP]:%d -> %d\n",ntohs(udph->uh_sport),ntohs(udph->uh_dport));
	  fprintf(f_intru,"           Length:%d,SUM:%d \n",udph->uh_ulen,udph->uh_sum);
	  break;
	case IPPROTO_ICMP:
	  /*
	  pinfo.icmph_type=ntohs(icmph->type);
	  pinfo.icmph_code=ntohs(icmph->code);
	  pinfo.icmph_checksum=ntohs(icmph->checksum);
	  */
	  switch(icmph->type)
	    {
	    case ICMP_ECHOREPLY:
	      sprintf(icmpt,"ECHO REPLY");
	      // pinfo.icmpid = icmph->un.echo.id;
	      // pinfo.icmpseq =icmph->un.echo.sequence;
     
	      break;

	    case ICMP_DEST_UNREACH:
	      switch(icmph->code)
		{
		case ICMP_NET_UNREACH:
		  sprintf(icmpt,"UNREACHABLE:NET UNREACHABLE");
	  	 
		  break;

		case ICMP_HOST_UNREACH:
		  sprintf(icmpt,"UNREACHABLE:HOST UNREACHABLE");
	  
	  	  break;

		case ICMP_PROT_UNREACH:
		  sprintf(icmpt,"UNREACHABLE:PROTOCOL UNREACHABLE");
	  
	  	  break;

		case ICMP_PORT_UNREACH:
		  sprintf(icmpt,"UNREACHABLE:PORT UNREACHABLE");
	  	  break;

		case ICMP_FRAG_NEEDED:
		  sprintf(icmpt,"UNREACHABLE:FRAGMENTATION NEEDED");
		  break;

		case ICMP_SR_FAILED:
		  sprintf(icmpt,"UNREACHABLE:SOURCE ROUTE FAILED");
	  	  break;

		case ICMP_NET_UNKNOWN:
		  sprintf(icmpt,"UNREACHABLE:NETWORK UNKNOWN");
	  	  break;

		case ICMP_HOST_UNKNOWN:
		  sprintf(icmpt,"UNREACHABLE:HOST UNKNOWN");
	  	  break;

		case ICMP_HOST_ISOLATED:
		  sprintf(icmpt,"UNREACHABLE:HOST ISOLATED");
	  	  break;

		case ICMP_NET_ANO:
		  sprintf(icmpt,"UNREACHABLE:NET ANO");
	  	  break;

		case ICMP_HOST_ANO:
		  sprintf(icmpt,"UNREACHABLE:HOST ANO");
	  	  break;

		case ICMP_NET_UNR_TOS:
		  sprintf(icmpt,"UNREACHABLE:NET UNR TOS");
	 
		  break;

		case ICMP_HOST_UNR_TOS:
		  sprintf(icmpt,"UNREACHABLE:HOST UNR TOS");
	  	  break;

		case ICMP_PKT_FILTERED:
		  sprintf(icmpt,"UNREACHABLE:PACKET FILTERED");
	  	  break;

		case ICMP_PREC_VIOLATION:
		  sprintf(icmpt,"UNREACHABLE:PRECEDENCE VIOLATION");
	  	  break;

		case ICMP_PREC_CUTOFF:
		  sprintf(icmpt,"UNREACHABLE:PRECEDENCE CUTOFF");
	  	  break;
		}
	      break;

	    case ICMP_SOURCE_QUENCH:
	      sprintf(icmpt, "SOURCE QUENCH");
	      break;

	    case ICMP_REDIRECT:
	      sprintf(icmpt, "REDIRECT");
	      break;

	    case ICMP_ECHO:
	      sprintf(icmpt,"ECHO");
	      // pinfo.icmpid = icmph->un.echo.id;
	      // pinfo.icmpseq =icmph->un.echo.sequence;
	      break;

	    case ICMP_TIME_EXCEEDED:
	      sprintf(icmpt,"TTL EXCEEDED");
	      break;

	    case ICMP_PARAMETERPROB:
	      sprintf(icmpt,"PARAMETER PROBLEM");
	      break;

	    case ICMP_TIMESTAMP:
	      sprintf(icmpt,"TIMESTAMP");
	      break;

	    case ICMP_TIMESTAMPREPLY:
	      sprintf(icmpt,"TIMESTAMP REPLY");
	      break;

	    case ICMP_INFO_REQUEST:
	      sprintf(icmpt,"INFO REQUEST");
	      break;

	    case ICMP_INFO_REPLY:
	      sprintf(icmpt,"INFO REPLY");
    
	      break;

	    case ICMP_ADDRESS:
	      sprintf(icmpt,"ADDRESS");
	      break;

	    case ICMP_ADDRESSREPLY:
	      sprintf(icmpt,"ADDRESS REPLY");
	      break;
	    }


	  fprintf(f_intru,"     [ICMP]:Type:%s \n",icmpt);

	  break;
	case IPPROTO_IGMP:
	  /*
	  pinfo.igmph_type=ntohs(igmph->igmp_type);
	  pinfo.igmph_code=ntohs(igmph->igmp_code);
	  pinfo.igmph_cksum=ntohs(igmph->igmp_cksum);
	  pinfo.igmph_group=igmph->igmp_group;
	  */
	  fprintf(f_intru,"     [IGMP]:Type:0x%X,Group:%s\n",igmph->igmp_type,inet_ntoa(igmph->igmp_group));
	  break;
	}
#ifdef DEBUG
      printf("%X:%X:%X:%X:%X:%X->\n",pinfo.eth_shost[0],pinfo.eth_shost[1],pinfo.eth_shost[2],pinfo.eth_shost[3],pinfo.eth_shost[4],pinfo.eth_shost[5]);
      printf("%X:%X:%X:%X:%X:%X\n",pinfo.eth_dhost[0],pinfo.eth_dhost[1],pinfo.eth_dhost[2],pinfo.eth_dhost[3],pinfo.eth_dhost[4],pinfo.eth_dhost[5]);
      printf("%s->\n",inet_ntoa(pinfo.iph_src));
      printf("%s\n",inet_ntoa(pinfo.iph_dst));
      for(i=96;i<160;i++)
	{
	  printf("%d",pp[i]);
	  if((i+1)%8==0)
	    printf("\n");
	}
#endif

      

      break;

    case 1:
    
      /*
      //part of ether
      memcpy(pinfo.eth_dhost,eh->ether_dhost,6);
      memcpy(pinfo.eth_shost,eh->ether_shost,6);
      pinfo.eth_type=ntohs(eh->ether_type);
      //part of arp
      memcpy(pinfo.arph_sha,arph->arp_sha,ETH_ALEN);
      memcpy(pinfo.arph_spa,arph->arp_spa,4);
      memcpy(pinfo.arph_tha,arph->arp_tha,ETH_ALEN);
      memcpy(pinfo.arph_tpa,arph->arp_tpa,4);
      pinfo.arph_ar_hrd=ntohs(arph->ea_hdr.ar_hrd);
      pinfo.arph_ar_pro=ntohs(arph->ea_hdr.ar_pro);
      pinfo.arph_ar_hln=ntohs(arph->ea_hdr.ar_hln);
      pinfo.arph_ar_pln=ntohs(arph->ea_hdr.ar_pln);
      pinfo.arph_ar_op=ntohs(arph->ea_hdr.ar_op);
      */
      switch(ntohs(arph->ea_hdr.ar_op))
	{
	case ARPOP_REQUEST:
	  sprintf(arp_str,"ARP request");
	  break;
	case ARPOP_REPLY:
	  sprintf(arp_str,"ARP reply");
	  break;
	case ARPOP_RREQUEST:
	  sprintf(arp_str,"RARP request");
	  break;
	case ARPOP_RREPLY:
	  sprintf(arp_str,"RARP reply");
	  break;
	case ARPOP_InREQUEST:
	  sprintf(arp_str,"InARP request");
	  break;
	case ARPOP_InREPLY:
	  sprintf(arp_str,"InARP reply");
	  break;
	case ARPOP_NAK:
	  sprintf(arp_str,"(ATM)ARP NAK");
	  break;
	default:
	  sprintf(arp_str,"unknown");
	}

      fprintf(f_intru,"[ARP,RARP]:%X:%X:%X:%X:%X:%X -> %X:%X:%X:%X:%X:%X \n",arph->arp_sha[0],arph->arp_sha[1],arph->arp_sha[2],arph->arp_sha[3],arph->arp_sha[4],arph->arp_sha[5],arph->arp_tha[0],arph->arp_tha[1],arph->arp_tha[2],arph->arp_tha[3],arph->arp_tha[4],arph->arp_tha[5]);
      fprintf(f_intru,"           %d.%d.%d.%d -> %d.%d.%d.%d \n",arph->arp_spa[0],arph->arp_spa[1],arph->arp_spa[2],arph->arp_spa[3],arph->arp_tpa[0],arph->arp_tpa[1],arph->arp_tpa[2],arph->arp_tpa[3]);
      fprintf(f_intru,"           Type:%s\n",arp_str);

#ifdef DEBUG
      printf("%X:%X:%X:%X:%X:%X->\n",pinfo.eth_shost[0],pinfo.eth_shost[1],pinfo.eth_shost[2],pinfo.eth_shost[3],pinfo.eth_shost[4],pinfo.eth_shost[5]);
      printf("%X:%X:%X:%X:%X:%X\n",pinfo.eth_dhost[0],pinfo.eth_dhost[1],pinfo.eth_dhost[2],pinfo.eth_dhost[3],pinfo.eth_dhost[4],pinfo.eth_dhost[5]);
      for(i=0;i<96;i++)
	{
	  if((i+1)%8==0)
	    printf("\n");
	  printf("%d",pp[i]);
	}
#endif
      
      break;
    case 2:
      fprintf(f_intru,"Bad packet from ethernet\n");
      break;

    case 3:
      fprintf(f_intru,"Bad packet from ip\n");
      fprintf(f_intru,"[Ethernet]:%X:%X:%X:%X:%X:%X -> %X:%X:%X:%X:%X:%X \n",eh->ether_shost[0],eh->ether_shost[1],eh->ether_shost[2],eh->ether_shost[3],eh->ether_shost[4],eh->ether_shost[5],eh->ether_dhost[0],eh->ether_dhost[1],eh->ether_dhost[2],eh->ether_dhost[3],eh->ether_dhost[4],eh->ether_dhost[5]);
      break;

    case 4:
      fprintf(f_intru,"Bad packet from arp\n");
      fprintf(f_intru,"[Ethernet]:%X:%X:%X:%X:%X:%X -> %X:%X:%X:%X:%X:%X \n",eh->ether_shost[0],eh->ether_shost[1],eh->ether_shost[2],eh->ether_shost[3],eh->ether_shost[4],eh->ether_shost[5],eh->ether_dhost[0],eh->ether_dhost[1],eh->ether_dhost[2],eh->ether_dhost[3],eh->ether_dhost[4],eh->ether_dhost[5]);
      break;

    case 5:
      fprintf(f_intru,"Unknowm ether type!\n");
      fprintf(f_intru,"[Ethernet]:%X:%X:%X:%X:%X:%X -> %X:%X:%X:%X:%X:%X \n",eh->ether_shost[0],eh->ether_shost[1],eh->ether_shost[2],eh->ether_shost[3],eh->ether_shost[4],eh->ether_shost[5],eh->ether_dhost[0],eh->ether_dhost[1],eh->ether_dhost[2],eh->ether_dhost[3],eh->ether_dhost[4],eh->ether_dhost[5]);
      break;
#ifdef DEBUG
      printf("printintru 2~5\n");
#endif
    }


  fclose(f_intru);
  return;

}



/*function GetBit */
void GetBit(u_char *p_index,int p_len)
{
  int i,j;
  int x[8];
  u_char y;
  for(i=0;i<8;i++)
    x[i]=0;
  for(i=0;i<p_len;i++)
    {
      y=*p_index;
      for(j=0;j<8;j++)
	{
	  x[j]=y & 1;
	  y>>=1;
	}
      for(j=7;j>=0;j--)
	{
	  pp[pnp]=x[j];
	  pnp++;
	}
      p_index++;
    }
}