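//find.c
#include "find.h"

/*
 * find.c -- packet decoding for the ANNIDS neural-network intrusion detector.
 *
 * GetEthernet() is the libpcap capture callback.  It walks the Ethernet,
 * IP/ARP and transport headers of a captured frame, encodes selected header
 * bytes as a bit vector in the global pp[] (see GetBit) and hands that vector
 * to ArtStudy() (training) or ArtDetect() (detection).  PrintIntru() appends a
 * human-readable record of the current packet to <intru_file>/intru.txt.
 *
 * All packet state (eh, iph, arph, tcph, udph, icmph, igmph, pp, pnp, s_time,
 * ...) lives in globals declared in find.h, so PrintIntru() is only meaningful
 * right after GetEthernet() has parsed a frame.
 */

/* Entries of pp[] cleared for every packet (the original used the literal
 * 230).  pp[] is declared in find.h -- TODO confirm it has at least this
 * many entries; the IP+TCP path writes 224 bits, the ARP path 104. */
enum { ANNIDS_PP_BITS = 230 };

/* Smallest legal IPv4 header: ip_hl counts 32-bit words, minimum 5 (20 bytes). */
enum { ANNIDS_IP_MIN_HL = 5, ANNIDS_IP_MIN_HDR_LEN = ANNIDS_IP_MIN_HL * 4 };

/*
 * Bytes of transport header that GetEthernet() encodes and PrintIntru()
 * prints for the given IP protocol number, or 0 for protocols the detector
 * does not decode.  The full struct size is required (not just the bytes
 * GetBit reads) because PrintIntru(0) later dereferences fields up to the
 * end of the header (e.g. tcph->th_urp).
 */
static size_t TransportHdrLen(unsigned proto)
{
    switch (proto) {
    case IPPROTO_TCP:
        return sizeof(struct tcphdr);
    case IPPROTO_UDP:
        return sizeof(struct udphdr);
    case IPPROTO_ICMP:
        return sizeof(struct icmphdr);
    case IPPROTO_IGMP:
        return sizeof(struct igmp);
    default:
        return 0;
    }
}

/*
 * Log a malformed packet with the given PrintIntru() reason code, unless the
 * detector is in training mode (study_detect), where malformed frames are
 * silently dropped so they do not pollute the training set.
 */
static void ReportBad(int reason)
{
    if (study_detect) {
        return;
    }
    PrintIntru(reason);
}

#ifdef DEBUG3
/* Debug aid: print the first S1 entries of pp[] in rows of 32 bits. */
static void DumpBits(void)
{
    for (int i = 0; i < S1; i++) {
        printf("%d", pp[i]);
        if ((i + 1) % 32 == 0) {
            printf("\n");
        }
    }
    printf("\n");
}
#endif

/*
 * libpcap capture callback: decode one Ethernet frame and run its feature
 * bits through the trainer (study_detect set) or the detector.
 *
 * @param user   pcap user argument; unused.
 * @param pkthdr capture header; caplen (bytes actually captured) bounds every
 *               read below, ts supplies the timestamp for the log.
 * @param pkt    captured bytes, at least pkthdr->caplen of them.
 *
 * Every header field is read only after checking that caplen covers it, so a
 * truncated or crafted frame cannot make the decoder read past the capture
 * buffer.  Such frames are reported through PrintIntru() with reason codes
 * 2-5 (see the table above PrintIntru) when not in training mode.
 */
void GetEthernet(char *user, struct pcap_pkthdr *pkthdr, u_char *pkt)
{
    size_t avail;       /* bytes captured after the Ethernet header */
    size_t ip_hdr_len;  /* IPv4 header length in bytes (ip_hl * 4) */
    size_t l4_need;     /* transport header bytes that will be read */
    int neural_yn = 0;  /* non-zero when ArtDetect() flags the vector */

    (void)user;

    s_time = ctime((const time_t *)&pkthdr->ts.tv_sec);

    /* The SIGINT handler raised ctrl_c: stop the capture loop and bail out.
     * over_for tells the caller which loop to leave -- presumably 3 for the
     * training loop and 1 for the detection loop; verify against main(). */
    if (ctrl_c) {
        over_for = (study_detect == 1) ? 3 : 1;
        pcap_close(hand);
#ifdef DEBUG3
        printf("now is getethernet ctrl_c is true!\n");
#endif
        return;
    }

    /* Fresh bit vector for this packet. */
    pnp = 0;
    memset(pp, 0, ANNIDS_PP_BITS * sizeof pp[0]);

    eth_index = pkt;

    /* The whole Ethernet header must be captured before any field of it is
     * read (ether_type sits at offset 12, past a short capture). */
    if (pkthdr->caplen < ETHER_HEADER_LEN) {
        ReportBad(2);
        return;
    }
    eh = (struct ether_header *)eth_index;
    eth_type = ntohs(eh->ether_type); /* ether_type is in network byte order */
    avail = pkthdr->caplen - ETHER_HEADER_LEN;
    ia_index = eth_index + ETHER_HEADER_LEN;

#ifdef DEBUG
    printf("no   caplen:%u===\n", (unsigned)pkthdr->caplen);
#endif

    switch (eth_type) {
    case ETHERTYPE_IP:
        /* ip_hl can only be trusted once the fixed 20-byte header is there,
         * and it must itself describe at least 20 bytes. */
        if (avail < ANNIDS_IP_MIN_HDR_LEN) {
            ReportBad(3);
            return;
        }
        iph = (struct ip *)ia_index;
        ip_hdr_len = (size_t)iph->ip_hl * 4; /* ip_hl counts 32-bit words */
        if (ip_hdr_len < ANNIDS_IP_MIN_HDR_LEN || avail < ip_hdr_len) {
            ReportBad(3);
            return;
        }
#ifdef DEBUG
        printf("ia_index first is %p\n", (void *)ia_index);
        printf("first ia_index is %d\n", *ia_index);
#endif
        /* Feature bytes: the fixed part of the IPv4 header. */
        GetBit(ia_index, ANNIDS_IP_MIN_HDR_LEN);
        break;

    case ETHERTYPE_ARP:
    case ETHERTYPE_REVARP:
        if (avail < sizeof(struct ether_arp)) {
            ReportBad(4);
            return;
        }
        arph = (struct ether_arp *)ia_index;
        /* Feature bytes at offsets 0-4, 11-14 and 21-24 of the ARP packet.
         * NOTE(review): the original comments called these "ea_hdr",
         * "arp_spa" and "arp_tpa", which does not match the 8-byte ea_hdr /
         * 6-byte hardware-address layout of struct ether_arp; the offsets
         * are kept unchanged because the trained network depends on them. */
        GetBit(ia_index, 5);
        ia_index = ia_index + 5 + 6;
        GetBit(ia_index, 4);
        ia_index = ia_index + 4 + 6;
        GetBit(ia_index, 4);

        if (study_detect) {
#ifdef DEBUG3
            printf("goto artstudy()arp!\n");
            DumpBits();
#endif
            ArtStudy(pp);
            return;
        }
        neural_yn = ArtDetect(pp);
        if (neural_yn) {
            PrintIntru(1);
        }
#ifdef DEBUG
        printf("printintru 1\n");
#endif
        return;

    default:
        ReportBad(5);
        return;
    }

    /* Only the IPv4 path reaches this point: locate the transport header and
     * make sure the bytes we are about to read (here and in PrintIntru) were
     * actually captured. */
    tuii_index = ia_index + ip_hdr_len;
    l4_need = TransportHdrLen(iph->ip_p);
    if (l4_need == 0) {
#ifdef DEBUG3
        printf("no ip type!\n");
#endif
        return; /* unsupported protocol: neither encoded nor logged (as before) */
    }
    if (avail - ip_hdr_len < l4_need) {
        ReportBad(3); /* truncated transport header: closest existing reason code */
        return;
    }
#ifdef DEBUG
    printf("tuii_index first is %p\n", (void *)tuii_index);
    printf("ip_p:%d\n", iph->ip_p);
#endif

    switch (iph->ip_p) {
    case IPPROTO_TCP:
        tcph = (struct tcphdr *)tuii_index;
        GetBit(tuii_index, 4);           /* source and destination ports */
        tuii_index = tuii_index + 4 + 8; /* skip sequence and acknowledgement numbers */
        GetBit(tuii_index, 4);           /* data offset, flags, window size */
        break;
    case IPPROTO_UDP:
        udph = (struct udphdr *)tuii_index;
        GetBit(tuii_index, 8);
        break;
    case IPPROTO_ICMP:
        icmph = (struct icmphdr *)tuii_index;
        GetBit(tuii_index, 8);
        break;
    case IPPROTO_IGMP:
        igmph = (struct igmp *)tuii_index;
        GetBit(tuii_index, 8);
        break;
    default:
        return; /* unreachable: TransportHdrLen() already rejected it */
    }

    if (study_detect) {
#ifdef DEBUG3
        printf("goto artstudy()ip!\n");
        DumpBits();
#endif
        ArtStudy(pp);
        return;
    }
    neural_yn = ArtDetect(pp);
    if (neural_yn) {
        PrintIntru(0);
    }
#ifdef DEBUG
    printf("printintru 0\n");
#endif
}

/*
 * Capture callback for link types without an Ethernet header (presumably raw
 * IP; verify against the pcap_datalink() dispatch in the caller).  Not
 * implemented: the frame is ignored.
 */
void GetRawIP(char *user, struct pcap_pkthdr *pkthdr, u_char *pkt)
{
    (void)user;
    (void)pkthdr;
    (void)pkt;
}

/*
 * Open <intru_file>/intru.txt for appending into the global f_intru, creating
 * the directory on first use.  Exits the process if the log cannot be opened,
 * as the original code did.
 */
static void OpenIntruLog(void)
{
    /* NOTE(review): p_intru and intru_file are declared in find.h; this
     * assumes p_intru can hold intru_file plus "/intru.txt" -- confirm. */
    strcpy(p_intru, intru_file);
    strcat(p_intru, "/intru.txt");

    f_intru = fopen(p_intru, "a+");
    if (f_intru != NULL) {
        return;
    }

    /* Most likely the directory does not exist yet: create it and retry.  An
     * already-existing directory is not a failure (the original exited). */
    if (mkdir(intru_file, S_IRWXU) < 0 && errno != EEXIST) {
        printf("mkdir %s failed:%s!\n", intru_file, strerror(errno));
        exit(1);
    }
    f_intru = fopen(p_intru, "a+");
    if (f_intru == NULL) {
        printf("open file intru.txt to write failed:%s!\n", strerror(errno));
        exit(1);
    }
}

/* Write the "[Ethernet]: src -> dst" line for the current frame (global eh). */
static void LogEtherAddrs(void)
{
    fprintf(f_intru, "[Ethernet]:%X:%X:%X:%X:%X:%X -> %X:%X:%X:%X:%X:%X \n",
            eh->ether_shost[0], eh->ether_shost[1], eh->ether_shost[2],
            eh->ether_shost[3], eh->ether_shost[4], eh->ether_shost[5],
            eh->ether_dhost[0], eh->ether_dhost[1], eh->ether_dhost[2],
            eh->ether_dhost[3], eh->ether_dhost[4], eh->ether_dhost[5]);
}

/*
 * Human-readable name of an ICMP message.  Returns a string literal; unknown
 * types and codes yield "UNKNOWN" (the original printed an uninitialised
 * buffer for those).
 */
static const char *IcmpTypeStr(unsigned type, unsigned code)
{
    switch (type) {
    case ICMP_ECHOREPLY:
        return "ECHO REPLY";
    case ICMP_DEST_UNREACH:
        switch (code) {
        case ICMP_NET_UNREACH:
            return "UNREACHABLE:NET UNREACHABLE";
        case ICMP_HOST_UNREACH:
            return "UNREACHABLE:HOST UNREACHABLE";
        case ICMP_PROT_UNREACH:
            return "UNREACHABLE:PROTOCOL UNREACHABLE";
        case ICMP_PORT_UNREACH:
            return "UNREACHABLE:PORT UNREACHABLE";
        case ICMP_FRAG_NEEDED:
            return "UNREACHABLE:FRAGMENTATION NEEDED";
        case ICMP_SR_FAILED:
            return "UNREACHABLE:SOURCE ROUTE FAILED";
        case ICMP_NET_UNKNOWN:
            return "UNREACHABLE:NETWORK UNKNOWN";
        case ICMP_HOST_UNKNOWN:
            return "UNREACHABLE:HOST UNKNOWN";
        case ICMP_HOST_ISOLATED:
            return "UNREACHABLE:HOST ISOLATED";
        case ICMP_NET_ANO:
            return "UNREACHABLE:NET ANO";
        case ICMP_HOST_ANO:
            return "UNREACHABLE:HOST ANO";
        case ICMP_NET_UNR_TOS:
            return "UNREACHABLE:NET UNR TOS";
        case ICMP_HOST_UNR_TOS:
            return "UNREACHABLE:HOST UNR TOS";
        case ICMP_PKT_FILTERED:
            return "UNREACHABLE:PACKET FILTERED";
        case ICMP_PREC_VIOLATION:
            return "UNREACHABLE:PRECEDENCE VIOLATION";
        case ICMP_PREC_CUTOFF:
            return "UNREACHABLE:PRECEDENCE CUTOFF";
        default:
            return "UNREACHABLE:UNKNOWN CODE";
        }
    case ICMP_SOURCE_QUENCH:
        return "SOURCE QUENCH";
    case ICMP_REDIRECT:
        return "REDIRECT";
    case ICMP_ECHO:
        return "ECHO";
    case ICMP_TIME_EXCEEDED:
        return "TTL EXCEEDED";
    case ICMP_PARAMETERPROB:
        return "PARAMETER PROBLEM";
    case ICMP_TIMESTAMP:
        return "TIMESTAMP";
    case ICMP_TIMESTAMPREPLY:
        return "TIMESTAMP REPLY";
    case ICMP_INFO_REQUEST:
        return "INFO REQUEST";
    case ICMP_INFO_REPLY:
        return "INFO REPLY";
    case ICMP_ADDRESS:
        return "ADDRESS";
    case ICMP_ADDRESSREPLY:
        return "ADDRESS REPLY";
    default:
        return "UNKNOWN";
    }
}

/* Human-readable name of an ARP/RARP opcode (host byte order). */
static const char *ArpOpStr(unsigned op)
{
    switch (op) {
    case ARPOP_REQUEST:
        return "ARP request";
    case ARPOP_REPLY:
        return "ARP reply";
    case ARPOP_RREQUEST:
        return "RARP request";
    case ARPOP_RREPLY:
        return "RARP reply";
    case ARPOP_InREQUEST:
        return "InARP request";
    case ARPOP_InREPLY:
        return "InARP reply";
    case ARPOP_NAK:
        return "(ATM)ARP NAK";
    default:
        return "unknown";
    }
}

/* TCP flag bits and the exact tokens the log has always used for them. */
static const struct {
    unsigned char bit;
    const char *name;
} tcp_flag_names[] = {
    { TH_SYN, "TH_SYN," },
    { TH_FIN, "TH_FIN," },
    { TH_RST, "TH_RST," },
    { TH_PUSH, "TH_PUSH," },
    { TH_ACK, "TH_ACK," },
    { TH_URG, "TH_URG " },
};

/* Write the IP and transport-layer lines for the current IPv4 packet. */
static void LogIpPacket(void)
{
    unsigned off = ntohs(iph->ip_off);
    char src[INET_ADDRSTRLEN];
    const char *frag;

    /* NOTE(review): kept from the original -- a packet with neither RF nor
     * DF set is reported as "MF" even when MF is clear; change the format
     * together with whatever parses intru.txt if that matters. */
    if (off & IP_RF) {
        frag = "RF";
    } else if (off & IP_DF) {
        frag = "DF";
    } else {
        frag = "MF";
    }

    LogEtherAddrs();

    /* inet_ntoa() returns one static buffer, so two calls in the same
     * argument list would print the same address twice: copy the first. */
    snprintf(src, sizeof src, "%s", inet_ntoa(iph->ip_src));
    fprintf(f_intru, "[IP]:%s -> %s \n", src, inet_ntoa(iph->ip_dst));
    /* ip_len / ip_id are on the wire in network byte order. */
    fprintf(f_intru,
            "     Version:%d,IHL:%d,Type of service:%d,Total length:%d,Identification:%d,Fragment:%s \n",
            iph->ip_v, iph->ip_hl, iph->ip_tos, ntohs(iph->ip_len), ntohs(iph->ip_id), frag);

    switch (iph->ip_p) {
    case IPPROTO_TCP:
        fprintf(f_intru, "     [TCP]:%d -> %d\n", ntohs(tcph->th_sport), ntohs(tcph->th_dport));
        fprintf(f_intru, "           SEQ:%u,ACK:%u,WIN:%u,SUM:%u,URP:%u,Flags:",
                (unsigned)ntohl(tcph->th_seq), (unsigned)ntohl(tcph->th_ack),
                (unsigned)ntohs(tcph->th_win), (unsigned)ntohs(tcph->th_sum),
                (unsigned)ntohs(tcph->th_urp));
        for (size_t k = 0; k < sizeof tcp_flag_names / sizeof tcp_flag_names[0]; k++) {
            if (tcph->th_flags & tcp_flag_names[k].bit) {
                fprintf(f_intru, "%s", tcp_flag_names[k].name);
            }
        }
        fprintf(f_intru, "\n");
        break;
    case IPPROTO_UDP:
        fprintf(f_intru, "     [UDP]:%d -> %d\n", ntohs(udph->uh_sport), ntohs(udph->uh_dport));
        fprintf(f_intru, "           Length:%d,SUM:%d \n", ntohs(udph->uh_ulen), ntohs(udph->uh_sum));
        break;
    case IPPROTO_ICMP:
        fprintf(f_intru, "     [ICMP]:Type:%s \n", IcmpTypeStr(icmph->type, icmph->code));
        break;
    case IPPROTO_IGMP:
        fprintf(f_intru, "     [IGMP]:Type:0x%X,Group:%s\n", igmph->igmp_type, inet_ntoa(igmph->igmp_group));
        break;
    default:
        break;
    }
#ifdef DEBUG
    /* Kept from the original; pinfo and i are not declared in this file --
     * presumably globals from find.h. */
    printf("%X:%X:%X:%X:%X:%X->\n", pinfo.eth_shost[0], pinfo.eth_shost[1], pinfo.eth_shost[2], pinfo.eth_shost[3], pinfo.eth_shost[4], pinfo.eth_shost[5]);
    printf("%X:%X:%X:%X:%X:%X\n", pinfo.eth_dhost[0], pinfo.eth_dhost[1], pinfo.eth_dhost[2], pinfo.eth_dhost[3], pinfo.eth_dhost[4], pinfo.eth_dhost[5]);
    printf("%s->\n", inet_ntoa(pinfo.iph_src));
    printf("%s\n", inet_ntoa(pinfo.iph_dst));
    for (i = 96; i < 160; i++) {
        printf("%d", pp[i]);
        if ((i + 1) % 8 == 0) {
            printf("\n");
        }
    }
#endif
}

/* Write the ARP/RARP lines for the current ARP packet (global arph). */
static void LogArpPacket(void)
{
    const char *arp_str = ArpOpStr(ntohs(arph->ea_hdr.ar_op));

    fprintf(f_intru, "[ARP,RARP]:%X:%X:%X:%X:%X:%X -> %X:%X:%X:%X:%X:%X \n",
            arph->arp_sha[0], arph->arp_sha[1], arph->arp_sha[2],
            arph->arp_sha[3], arph->arp_sha[4], arph->arp_sha[5],
            arph->arp_tha[0], arph->arp_tha[1], arph->arp_tha[2],
            arph->arp_tha[3], arph->arp_tha[4], arph->arp_tha[5]);
    fprintf(f_intru, "           %d.%d.%d.%d -> %d.%d.%d.%d \n",
            arph->arp_spa[0], arph->arp_spa[1], arph->arp_spa[2], arph->arp_spa[3],
            arph->arp_tpa[0], arph->arp_tpa[1], arph->arp_tpa[2], arph->arp_tpa[3]);
    fprintf(f_intru, "           Type:%s\n", arp_str);
#ifdef DEBUG
    /* Kept from the original; pinfo and i are not declared in this file --
     * presumably globals from find.h. */
    printf("%X:%X:%X:%X:%X:%X->\n", pinfo.eth_shost[0], pinfo.eth_shost[1], pinfo.eth_shost[2], pinfo.eth_shost[3], pinfo.eth_shost[4], pinfo.eth_shost[5]);
    printf("%X:%X:%X:%X:%X:%X\n", pinfo.eth_dhost[0], pinfo.eth_dhost[1], pinfo.eth_dhost[2], pinfo.eth_dhost[3], pinfo.eth_dhost[4], pinfo.eth_dhost[5]);
    for (i = 0; i < 96; i++) {
        if ((i + 1) % 8 == 0) {
            printf("\n");
        }
        printf("%d", pp[i]);
    }
#endif
}

/*
 * Append a record for the current packet to <intru_file>/intru.txt.
 *
 * @param x reason code:
 *   0  ArtDetect() flagged an IP packet       (Ethernet + IP + transport dump)
 *   1  ArtDetect() flagged an ARP/RARP packet (Ethernet + ARP dump)
 *   2  Ethernet header truncated
 *   3  IP header bad or truncated (also used for a truncated transport header)
 *   4  ARP header truncated
 *   5  unknown Ethernet type
 *
 * Reads the globals filled in by GetEthernet() (eh, iph, tcph, ..., s_time)
 * and only reads header bytes GetEthernet() already bounds-checked.  Exits the
 * process if the log file cannot be opened.
 */
void PrintIntru(int x)
{
    OpenIntruLog();

    fprintf(f_intru, "\n------------------------------------------------ANNIDS------------------------------------------\n");
    /* s_time comes from ctime() and already ends in '\n'. */
    fprintf(f_intru, "\n                                         %s\n", s_time);

    switch (x) {
    case 0:
        LogIpPacket();
        break;
    case 1:
        LogArpPacket();
        break;
    case 2:
        fprintf(f_intru, "Bad packet from ethernet\n");
        break;
    case 3:
        fprintf(f_intru, "Bad packet from ip\n");
        LogEtherAddrs();
        break;
    case 4:
        fprintf(f_intru, "Bad packet from arp\n");
        LogEtherAddrs();
        break;
    case 5:
        fprintf(f_intru, "Unknowm ether type!\n");
        LogEtherAddrs();
        break;
    default:
        fprintf(f_intru, "Unknown reason code %d\n", x);
        break;
    }
#ifdef DEBUG
    printf("printintru %d\n", x);
#endif

    fclose(f_intru);
    f_intru = NULL;
}

/*
 * Append the bits of p_len bytes starting at p_index to the global bit
 * vector pp[], most significant bit of each byte first, advancing the global
 * write position pnp.
 *
 * @param p_index first byte to encode; the caller guarantees p_len readable bytes.
 * @param p_len   number of bytes to encode.
 *
 * No bounds check is possible on pp[] here because its size is declared in
 * find.h; GetEthernet() keeps the per-packet total below ANNIDS_PP_BITS.
 */
void GetBit(u_char *p_index, int p_len)
{
    for (int i = 0; i < p_len; i++) {
        u_char byte = p_index[i];
        for (int bit = 7; bit >= 0; bit--) {
            pp[pnp++] = (byte >> bit) & 1;
        }
    }
}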
