spp_anomsensor.c

该源码是用C语言编写的,实现网络入侵检测系统的功能

			printf("packet # %d has been added\n",tot_packets);
		}
		if ((tot_packets % checkpoint_freq) == 0) {
			if (strcmp(statefile,"0")) checkpoint(statefile);
		}

		if (need_anom) {
			last_anom_score= calc_anom(val);
			//printf("last_anom_score=%f\n",last_anom_score);
		}
	} else {
		pp_run_on_pkt++;
		if (skip_packet) return 1;
	}
	
	return 0;
}


double calc_anom(valtype val[]) {
	double prob;
	if (!parts) {
		features fl[]= {DIP,DPORT,SIP,SPORT};
		features vl[]= {val[DIP],val[DPORT],val[SIP],val[SPORT]};
		if (prob_mode == 0) {
			prob= prob_simple(DPORT,val[DPORT]) *  /* P(dport) */
				prob_cond2(SIP,val[SIP],DPORT,val[DPORT],SPORT,val[SPORT]) *  /* P(sip|dport,sport) */
				prob_cond1(SPORT,val[SPORT],DPORT,val[DPORT]) *  /* P(sport|dport) */
				prob_cond2(DIP,val[DIP],SPORT,val[SPORT],SIP,val[SIP]);  /* P(dip|sport,sip) */
			return -1*(log(prob)/LOG2);
		} else if (prob_mode == 1) {
			return -1.0*log((double)prob_Njoint(4,fl,vl)/LOG2);
		} else if (prob_mode == 2) {
			return -1.0*log((double)prob_Njoint(3,fl,vl)/LOG2);
		} else if (prob_mode == 3) {
			return -1.0*log((double)prob_2joint(DIP,val[DIP],DPORT,val[DPORT])/LOG2);
		} 
		return 9999999.0;
	} else return 999999.0;
}

void record_packet(Packet *p,valtype val[]) {
	char sip[16];
	char dip[16];
	recent_packets++;
	tot_packets++;
	val[SIP]= p->iph->ip_src.s_addr;
	val[DIP]= p->iph->ip_dst.s_addr;
	val[SPORT]= p->sp;
	val[DPORT]= p->dp;
	//val[TTL]= p->iph->ip_ttl;
	//val[WIN] = p->tcph->th_win;
	
	if (as_debug > 2) {
		strncpy(sip, inet_ntoa(p->iph->ip_src), 16);
		strncpy(dip, inet_ntoa(p->iph->ip_dst), 16);
		printf("adding %s, %s, %d, %d\n",sip,dip,val[SPORT],val[DPORT]);
	}
	if (parts) {
		if (part == 0) {
			/* full all at once */
			
			/* record needed conditional probabilities */
			increment_4joint_count(SIP,val[SIP],DIP,val[DIP],SPORT,val[SPORT],DPORT,val[DPORT],0);
			increment_4joint_count(DIP,val[DIP],SPORT,val[SPORT],DPORT,val[DPORT],SIP,val[SIP],0);
			increment_4joint_count(SIP,val[SIP],DIP,val[DIP],DPORT,val[DPORT],SPORT,val[SPORT],2);
			increment_4joint_count(SIP,val[SIP],SPORT,val[SPORT],DPORT,val[DPORT],DIP,val[DIP],1);
			
			/*increment_3joint_count(SIP,val[SIP],DIP,val[DIP],DPORT,val[DPORT],3);*/
			increment_3joint_count(SIP,val[SIP],DPORT,val[DPORT],DIP,val[DIP],1);
			increment_3joint_count(DIP,val[DIP],DPORT,val[DPORT],SIP,val[SIP],1);

			increment_3joint_count(SIP,val[SIP],SPORT,val[SPORT],DIP,val[DIP],2);
			/*increment_3joint_count(SIP,val[SIP],DIP,val[DIP],SPORT,val[SPORT],3);*/
			increment_3joint_count(DIP,val[DIP],SPORT,val[SPORT],SIP,val[SIP],2);

			/*increment_3joint_count(SIP,val[SIP],SPORT,val[SPORT],DPORT,val[DPORT],3);*/
			increment_3joint_count(SIP,val[SIP],DPORT,val[DPORT],SPORT,val[SPORT],2);
			increment_3joint_count(SPORT,val[SPORT],DPORT,val[DPORT],SIP,val[SIP],0);

			increment_2joint_count(DIP,val[DIP],SIP,val[SIP],1);
			increment_2joint_count(SPORT,val[SPORT],SIP,val[SIP],1);
			increment_2joint_count(DPORT,val[DPORT],SIP,val[SIP],0);
			/*increment_2joint_count(SIP,val[SIP],DIP,val[DIP],2);*/
			increment_2joint_count(SPORT,val[SPORT],DIP,val[DIP],1);
			increment_2joint_count(DPORT,val[DPORT],DIP,val[DIP],1);
			/*increment_2joint_count(SIP,val[SIP],SPORT,val[SPORT],2);*/
			/*increment_2joint_count(DIP,val[DIP],SPORT,val[SPORT],2);*/
			increment_2joint_count(DPORT,val[DPORT],SPORT,val[SPORT],1);
			/*increment_2joint_count(SIP,val[SIP],DPORT,val[DPORT],2);*/
			/*increment_2joint_count(DIP,val[DIP],DPORT,val[DPORT],2);*/
			/*increment_2joint_count(SPORT,val[SPORT],DPORT,val[DPORT],2);*/
		} else if (part == 1) {
			increment_4joint_count(SIP,val[SIP],DIP,val[DIP],SPORT,val[SPORT],DPORT,val[DPORT],0);
			increment_4joint_count(SIP,val[SIP],DIP,val[DIP],DPORT,val[DPORT],SPORT,val[SPORT],2);
		} else if (part == 2) {
			increment_4joint_count(SIP,val[SIP],SPORT,val[SPORT],DPORT,val[DPORT],DIP,val[DIP],0);
			increment_3joint_count(SIP,val[SIP],SPORT,val[SPORT],DIP,val[DIP],2);
		} else if (part == 3) {
			increment_3joint_count(SIP,val[SIP],DPORT,val[DPORT],DIP,val[DIP],0);
			increment_3joint_count(SIP,val[SIP],DPORT,val[DPORT],SPORT,val[SPORT],2);
		} else if (part == 4) {
			increment_2joint_count(DIP,val[DIP],SIP,val[SIP],0);
			increment_3joint_count(DIP,val[DIP],SPORT,val[SPORT],SIP,val[SIP],1);
			increment_4joint_count(DIP,val[DIP],SPORT,val[SPORT],DPORT,val[DPORT],SIP,val[SIP],2);
		} else if (part == 5) {
			increment_3joint_count(DIP,val[DIP],DPORT,val[DPORT],SIP,val[SIP],0);
			increment_3joint_count(DIP,val[DIP],DPORT,val[DPORT],SPORT,val[SPORT],2);
		} else if (part == 6) {
			increment_2joint_count(SPORT,val[SPORT],DIP,val[DIP],0);
		} else if (part == 7) {
			increment_3joint_count(SPORT,val[SPORT],DPORT,val[DPORT],SIP,val[SIP],0);
			increment_3joint_count(SPORT,val[SPORT],DPORT,val[DPORT],DIP,val[DIP],2);
		} else if (part == 8) {
			increment_3joint_count(DPORT,val[DPORT],SIP,val[SIP],DIP,val[DIP],0);
			increment_2joint_count(DPORT,val[DPORT],DIP,val[DIP],1);
			increment_2joint_count(DPORT,val[DPORT],SPORT,val[SPORT],1);
		} else if (part == 9) {
			increment_2joint_count(SIP,val[SIP],DIP,val[DIP],0);
			increment_2joint_count(SIP,val[SIP],SPORT,val[SPORT],1);
			increment_2joint_count(SIP,val[SIP],DPORT,val[DPORT],1);
			increment_2joint_count(DIP,val[DIP],SIP,val[SIP],0);
			increment_2joint_count(DIP,val[DIP],SPORT,val[SPORT],1);
			increment_2joint_count(DIP,val[DIP],DPORT,val[DPORT],1);
			increment_2joint_count(SPORT,val[SPORT],SIP,val[SIP],0);
			increment_2joint_count(SPORT,val[SPORT],DIP,val[DIP],1);
			increment_2joint_count(SPORT,val[SPORT],DPORT,val[DPORT],1);
			increment_2joint_count(DPORT,val[DPORT],SIP,val[SIP],0);
			increment_2joint_count(DPORT,val[DPORT],DIP,val[DIP],1);
			increment_2joint_count(DPORT,val[DPORT],SPORT,val[SPORT],1);
		} /*else if (part == 10) {
			increment_2joint_count(TTL,val[TTL],DIP,val[DIP],0);
			increment_2joint_count(TTL,val[TTL],SPORT,val[SPORT],1);
			increment_2joint_count(TTL,val[TTL],DPORT,val[DPORT],1);
			increment_2joint_count(TTL,val[TTL],SIP,val[SIP],1);
			increment_2joint_count(DIP,val[DIP],TTL,val[TTL],0);
			increment_2joint_count(SPORT,val[SPORT],TTL,val[TTL],0);
			increment_2joint_count(DPORT,val[DPORT],TTL,val[TTL],0);
			increment_2joint_count(SIP,val[SIP],TTL,val[TTL],0);
		} else if (part == 11) {
			increment_2joint_count(WIN,val[WIN],DIP,val[DIP],0);
			increment_2joint_count(WIN,val[WIN],SPORT,val[SPORT],1);
			increment_2joint_count(WIN,val[WIN],DPORT,val[DPORT],1);
			increment_2joint_count(WIN,val[WIN],SIP,val[SIP],1);
			increment_2joint_count(WIN,val[WIN],TTL,val[TTL],1);
			increment_2joint_count(DIP,val[DIP],WIN,val[WIN],0);
			increment_2joint_count(SPORT,val[SPORT],WIN,val[WIN],0);
			increment_2joint_count(DPORT,val[DPORT],WIN,val[WIN],0);
			increment_2joint_count(SIP,val[SIP],WIN,val[WIN],0);
			increment_2joint_count(TTL,val[TTL],WIN,val[WIN],0);
		}*/
	} else {
		if (prob_mode == 0) {
			increment_3joint_count(SPORT,val[SPORT],SIP,val[SIP],DIP,val[DIP],0);
			increment_3joint_count(DPORT,val[DPORT],SPORT,val[SPORT],SIP,val[SIP],0);
		} else if (prob_mode == 1) {
			increment_4joint_count(DIP,val[DIP],DPORT,val[DPORT],SIP,val[SIP],SPORT,val[SPORT],0);
		} else if (prob_mode == 2) {
			increment_3joint_count(DIP,val[DIP],DPORT,val[DPORT],SIP,val[SIP],0);
		} else if (prob_mode == 3) {
			increment_2joint_count(DIP,val[DIP],DPORT,val[DPORT],0);
		} 
	}
}


void set_new_threshold(double t) {
	char logMessage[85];
	
	report_anom_thres= t;
	sprintf(logMessage,"spp_anomsensor: Threshold adjusted to %.4f after %d alerts (of %d)",report_anom_thres,recent_alert_count,recent_packets);
	(*AlertFunc)(NULL, logMessage);
}

/**********************************************************
 * Called on signals
 *****************************************************/
void SpadeCatchSig(int signal,void *arg) {
	if (signal == SIGQUIT || signal == SIGHUP || signal == SIGUSR1) {
		CleanUpSpade(signal);
	}
}

void CleanUpSpade(int signal) 
{
	featcomb H;
    FILE *file;
    
    if (!tot_packets) return;
    
    if (strcmp(statefile,"0")) checkpoint(statefile);
    
    if (!strcmp(outfile,"-")) {
    	file= stdout;
    } else {
	    file = fopen(outfile, "w");
    	if(!file) FatalError("spp_anomsensor: unable to open %s",outfile);
    }

	fprintf(file,"%d packets recorded\n",tot_packets);
	if (alert_count > 0) fprintf(file,"%d packets reported as alerts\n",alert_count);
	
	if (tl_obs_size && top_anom_list_size > 1 && last_pkt_time-obs_start_time>0) {
		ll_double *n;
		double obs_hours= (last_pkt_time-obs_start_time)/3600.0;
		fprintf(file,"Threshold learning results: top %d anomaly scores over %.5f hours\n",top_anom_list_size-1,obs_hours);
		fprintf(file,"  Suggested threshold based on observation: %.6f\n",(top_anom_list->val+top_anom_list->next->val)/2);
		fprintf(file,"  Top scores: %.5f",top_anom_list->next->val);
		for (n=top_anom_list->next->next; n != NULL; n=n->next) {
			fprintf(file,",%.5f",n->val);
		}
		fprintf(file,"\n  First runner up is %.5f, so use threshold between %.5f and %.5f for %.3f packets/hr\n",top_anom_list->val,top_anom_list->val,top_anom_list->next->val,(top_anom_list_size/obs_hours));
	}

	if (print_entropy) {
		H= calc_all_entropies();
		write_all_entropies(file,H);
	}
	if (print_uncondprob) write_all_uncond_probs(file);
	if (print_condprob) write_all_cond_probs(file);
	
	if (file != stdout) {
		fclose(file);
	}
	
	if (survey_log != NULL) {
		fflush(survey_log);
	}
}


/* creation and recylcling routines for ll_double's */
ll_double *free_link_list=NULL;

ll_double *new_link(double val) {
	ll_double *link;
	if (free_link_list != NULL) {
		link= free_link_list;
		free_link_list= link->next;
	} else {
		link= (ll_double *)malloc(sizeof(ll_double));
	}
	link->val= val;
	link->next= NULL;
	return link;
}

void free_links(ll_double *start) {
	ll_double *end,*next;
	for (end= start, next=start->next; next != NULL; end=next,next=next->next);
	end->next= free_link_list;
	free_link_list= start;
}

/* creation and recylcling routines for dll_double's */
dll_double *free_dlink_list= NULL;

dll_double *new_dlink(double val) {
	dll_double *link;
	if (free_dlink_list != NULL) {
		link= free_dlink_list;
		free_dlink_list= link->next;
	} else {
		link= (dll_double *)malloc(sizeof(dll_double));
	}
	link->val= val;
	link->prev= NULL;
	link->next= NULL;
	return link;
}

void free_dlinks(dll_double *start) {
	dll_double *end;
	for (end= start; end->next != NULL; end=end->next);
	end->next= free_dlink_list;
	free_dlink_list= start;
}
/*********************************************************************
tree.c, distributed as part of Spade v092200.1
Author: James Hoagland, Silicon Defense (hoagland@SiliconDefense.com)
copyright (c) 2000 by Silicon Defense (http://www.silicondefense.com/)
Released under GNU General Public License, see the COPYING file included
with the distribution or http://www.silicondefense.com/spice/ for details.

tree.h contains all the routines to build and maintain the tree structure
that Spade uses to maintain its probability tables.  It also contains the
access functions.

Please send complaints, kudos, and especially improvements and bugfixes to
hoagland@SiliconDefense.com.  As described in GNU General Public License, no
warranty is expressed for this program.
*********************************************************************/

#include <limits.h>
#include <math.h>

#ifndef LOG2
/*#define LOG2 log(2);*/
#define LOG2 ((double)0.693147180559945)
#endif

void tree_init() {
	int i;
	for (i=0; i < NUM_FEATURES; i++) {
		T[i]= TNULL;
	}
}

#ifndef WIN32
inline int min(int a,int b) {
	return a < b ? a : b;
}

inline int max(int a,int b) {
	return a > b ? a : b;
}
#endif

void increment_simple_count(features type1,valtype val1) {
	if (T[type1] == TNULL) {
		T[type1]= new_treeinfo(type1);
	}
	incr_tree_value_count(T[type1],val1);
}

/* assumes type1 and type2 are in a consistant order */
void increment_2joint_count(features type1,valtype val1,features type2,valtype val2,int skip) {
	mindex leaf1,tree2;
	
	if (skip >= 1) {
		/* this should always find something and T[type1] should be non-NULL since has been marked before */
		leaf1= find_leaf(T[type1],val1);
	} else {
		if (T[type1] == TNULL) {
			T[type1]= new_treeinfo(type1);
		}
		leaf1= incr_tree_value_count(T[type1],val1);
	}
	tree2= get_nexttree_of_type(leaf1,type2);
	incr_tree_value_count(tree2,val2);
}

void increment_3joint_count(features type1,valtype val1,features type2,valtype val2,features type3,valtype val3,int skip) {
	mindex leaf1,leaf2,tree2,tree3;
	
	if (skip >= 1) {
		/* this should always find something and T[type1] should be non-NULL since has been marked before */
		leaf1= find_leaf(T[type1],val1);
	} else {
		if (T[type1] == TNULL) {
			T[type1]= new_treeinfo(type1);
		}
		leaf1= incr_tree_value_count(T[type1],val1);
	}
	tree2= get_nexttree_of_type(leaf1,type2);
	/* skip case: find_leaf should always find something since has been marked before */
	leaf2= skip >= 2 ? find_leaf(tree2,val2) : incr_tree_value_count(tree2,val2);
	tree3= get_nexttree_of_type(leaf2,type3);
	incr_tree_value_count(tree3,val3);
}

void increment_4joint_count(features type1,valtype val1,features type2,valtype val2,features type3,valtype val3,features type4,valtype val4,int skip) {
	mindex leaf1,leaf2,leaf3,tree2,tree3,tree4;
	
	if (skip >= 1) {
		/* this should always find something and T[type1] should be non-NULL since has been marked bef