if(pv.log_flag)
{
LogArpPkt(&p);
}
}
}
/* check or log the packet as necessary */
if(!pv.use_rules)
{
if(pv.log_flag)
{
if(pv.logbin_flag)
{
LogBin(&p, NULL, NULL);
}
else
{
if(p.iph != NULL)
LogPkt(&p, NULL, NULL);
if(p.ah != NULL)
{
if(!pv.nolog_flag)
{
OpenLogFile(ARP, &p);
PrintArpHeader(log_ptr, &p);
fclose(log_ptr);
}
}
}
}
}
else
{
Preprocess(&p);
}
ClearDumpBuf();
#ifdef USE_PTHREADS
pthread_mutex_unlock(&pt_lock);
#endif
}
/*
* Function: ShowUsage(char *)
*
* Purpose: Display the program options and exit
*
* Arguments: progname => name of the program (argv[0])
*
* Returns: 0 => success
*/
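int ShowUsage(char *progname)
{
    /* argv[0] is not NULL for a normally started process, but a NULL here
     * would be undefined behaviour in the "%s" below, so fall back to the
     * program's own name instead of crashing inside the usage text. */
    const char *name = (progname != NULL) ? progname : "snort";

    fprintf(stderr, "USAGE: %s [-options] <filter options>\n", name);
    fputs("Options:\n", stderr);

    /* The -A text is one literal assembled from adjacent string pieces;
     * only the last piece differs between the WIN32 and POSIX builds. */
    fputs(" -A Set alert mode: fast, full, or none "
          " (alert file alerts only)"
#ifdef WIN32
          "\n \"unsock\" enables UNIX socket logging (experimental). *\n",
#else
          "\n \"unsock\" enables UNIX socket logging (experimental).\n",
#endif
          stderr);
    fputs(" -a Display ARP packets\n", stderr);
    fputs(" -b Log packets in tcpdump format (much faster!)\n", stderr);
    fputs(" -c <rules> Use Rules File <rules>\n", stderr);
    fputs(" -C Print out payloads with character data only (no hex)\n", stderr);
    fputs(" -d Dump the Application Layer\n", stderr);
    fputs(" -D Run Snort in background (daemon) mode\n", stderr);
    fputs(" -e Display the second layer header info\n", stderr);
#ifdef WIN32
    fputs(" -E Log alert messages to NT Eventlog.\n", stderr);
#endif
    fputs(" -F <bpf> Read BPF filters from file <bpf>\n", stderr);
#ifdef WIN32
    fputs(" -g <gname> Run snort gid as `gname' user or uid after initialization *\n", stderr);
#else
    fputs(" -g <gname> Run snort gid as <gname> group (or gid) after initialization\n", stderr);
#endif
    fputs(" -h <hn> Home network = <hn>\n", stderr);
    fputs(" -i <if> Listen on interface <if>\n", stderr);
    fputs(" -I Add Interface name to alert output\n", stderr);
    fputs(" -l <ld> Log to directory <ld>\n", stderr);
#ifdef ENABLE_SMB_ALERTS
    fputs(" -M <wrkst> Sends SMB message to workstations in file <wrkst>\n", stderr);
    fputs(" (Requires smbclient to be in PATH)\n", stderr);
#endif
    fputs(" -n <cnt> Exit after receiving <cnt> packets\n", stderr);
    fputs(" -N Turn off logging (alerts still work)\n", stderr);
    fputs(" -o Change the rule testing order to Pass|Alert|Log\n", stderr);
    fputs(" -O Obfuscate the logged IP addresses\n", stderr);
    fputs(" -p Disable promiscuous mode sniffing\n", stderr);
    /* SNAPLEN is the compile-time default; -P overrides it per run. */
    fprintf(stderr, " -P <snap> set explicit snaplen of packet (default: %d)\n",
            SNAPLEN);
    fputs(" -q Quiet. Don't show banner and status report\n", stderr);
    fputs(" -r <tf> Read and process tcpdump file <tf>\n", stderr);
#ifdef WIN32
    /* Terminated with a newline so the -S entry does not run onto the same
     * line (the WIN32 variant previously lacked it). */
    fputs(" -s <server:port> Log alert messages to syslog server (default port: 514)\n", stderr);
#else
    fputs(" -s Log alert messages to syslog\n", stderr);
#endif
    fputs(" -S <n=v> Set rules file variable n equal to value v\n", stderr);
    fputs(" -t <dir> Chroots process to <dir> after initialization\n", stderr);
    fputs(" -u <uname> Run snort uid as <uname> user (or uid) after initialization\n", stderr);
    fputs(" -U Use UTC for timestamps\n", stderr);
    fputs(" -v Be verbose\n", stderr);
#ifdef WIN32
    fputs(" -W Lists available interfaces.\n", stderr);
#endif
    fputs(" -V Show version number\n", stderr);
    fputs(" -X Dump the raw packet data starting at the link layer\n", stderr);
    /* -6 (IPv6) and -x (IPX) are accepted by getopt but deliberately left
     * out of the usage text. */
    fputs(" -? Show this information\n", stderr);
    fputs("<Filter Options> are standard BPF options, as seen in TCPDump\n", stderr);
#ifdef WIN32
    /* Newline-terminated so the footer does not leave the cursor mid-line. */
    fputs("\n* denotes an option that is NOT SUPPORTED in this WIN32 port of snort.\n", stderr);
#endif

    /* Returns 0; this function does not itself exit the process. */
    return 0;
}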
/*
* Function: ParseCmdLine(int, char *)
*
* Purpose: Parse command line args
*
* Arguments: argc => count of arguments passed to the routine
* argv => 2-D character array, contains list of command line args
*
* Returns: 0 => success, 1 => exit on error
*/
/* getopt(3) state consulted by ParseCmdLine below; POSIX <unistd.h> also
 * declares these, the explicit externs restate them here. */
extern char *optarg; /* for getopt: argument of the option just parsed */
extern int optind; /* for getopt: index of the next argv[] element to examine */
int ParseCmdLine(int argc, char *argv[])
{
int ch; /* storage var for getopt info */
int read_bpf = 0;
char bpf_file[STD_BUF];
char *eq_n;
char *eq_p;
char errorbuf[PCAP_ERRBUF_SIZE];
#ifdef WIN32
char *devicet;
int adaplen;
char **toks;
int num_toks;
#endif
#ifdef DEBUG
printf("Parsing command line...\n");
#endif
/* generally speaking, Snort works best when it's in promiscuous mode */
pv.promisc_flag = 1;
/* just to be sane.. */
username = NULL;
groupname = NULL;
chrootdir = NULL;
/* loop through each command line var and process it */
while((ch = getopt(argc, argv,
#ifdef WIN32
"XL:IOCWqS:pNA:F:DM:br:xeh:l:dc:n:P:i:vV?aEo6u:g:s:t:U")) != -1)
#else
"XL:IOCqS:pNA:F:DM:br:xeh:l:dc:n:P:i:vV?aso6u:g:t:U")) != -1)
#endif
{
#ifdef DEBUG
printf("Processing cmd line switch: %c\n", ch);
#endif
switch(ch)
{
case 'a': /* show ARP packets */
#ifdef DEBUG
printf("Show ARP active\n");
#endif
pv.showarp_flag = 1;
break;
case 'A': /* alert mode */
if(!strncasecmp(optarg, "none", 4))
{
pv.alert_mode = ALERT_NONE;
}
else if(!strncasecmp(optarg, "full", 4))
{
pv.alert_mode = ALERT_FULL;
}
else if(!strncasecmp(optarg, "fast", 4))
{
pv.alert_mode = ALERT_FAST;
}
else if(!strncasecmp(optarg, "unsock", 4))
{
pv.alert_mode = ALERT_UNSOCK;
}
else
{
FatalError("ERROR => Unknown command line alert option: %s\n", optarg);
}
pv.alert_cmd_override = 1;
break;
case 'b': /* log packets in binary format for
* post-processing */
#ifdef DEBUG
printf("Tcpdump logging mode active\n");
#endif
pv.logbin_flag = 1;
pv.log_cmd_override = 1;
break;
case 'c': /* use configuration file x */
strncpy(pv.config_file, optarg, STD_BUF - 1);
pv.use_rules = 1;
#ifdef DEBUG
printf("Config file = %s\n", pv.config_file);
#endif
break;
case 'C': /* dump the application layer as text only */
pv.char_data_flag = 1;
break;
case 'd': /* dump the application layer data */
pv.data_flag = 1;
#ifdef DEBUG
printf("Data Flag active\n");
#endif
break;
case 'D': /* daemon mode */
#ifdef DEBUG
printf("Daemon mode flag set\n");
#endif
pv.daemon_flag = 1;
pv.quiet_flag = 1;
break;
case 'e': /* show second level header info */
#ifdef DEBUG
printf("Show 2nd level active\n");
#endif
pv.show2hdr_flag = 1;
break;
#ifdef WIN32
case 'E': /* log alerts to Event Log */
pv.syslog_flag = 1;
pv.syslog_remote_flag = 0;
#ifdef DEBUG
printf("Logging alerts to Event Log\n");
#endif
pv.alert_cmd_override = 1;
#endif
break;
case 'F': /* read BPF filter in from a file */
#ifdef DEBUG
printf("Tcpdump logging mode active\n");
#endif
strncpy(bpf_file, optarg, STD_BUF - 1);
read_bpf = 1;
break;
#ifndef WIN32
case 'g': /* setgid handler */
#ifdef WIN32
FatalError("[!] ERROR: Setting the group id is not supported in the WIN32 port of snort!\n");
#endif
if(groupname != NULL)
free(groupname);
if((groupname = calloc(strlen(optarg) + 1, 1)) == NULL)
FatalPrintError("malloc");
bcopy(optarg, groupname, strlen(optarg));
if((groupid = atoi(groupname)) == 0)
{
gr = getgrnam(groupname);
if(gr == NULL)
FatalError("Group \"%s\" unknown\n", groupname);
groupid = gr->gr_gid;
}
break;
#endif
case 'h': /* set home network to x, this will help
* determine what to set logging diectories
* to */
GenHomenet(optarg);
break;
#ifdef WIN32
case 'i':
devicet=NULL;
if(((adaplen = atoi(optarg)) > 0)){
if ((devicet = pcap_lookupdev(errorbuf)) == NULL){
perror(errorbuf);
exit(-1);
}
if ((pv.interface = GetAdapterFromList(devicet, adaplen)) == NULL){
printf("Invalid interface '%d'.", atoi(optarg));
exit(-1);
}
#ifdef DEBUG
printf("Interface = %s\n", print_interface(pv.interface));
#endif
break;
}
else {
printf("Invalid interface '%d'.", atoi(optarg));
exit(-1);
}
#else
case 'i': /* without PTHREADS we support only single
* listen on interface x interface */
#ifndef USE_PTHREADS
if(ifr_count)
{
ErrorMessage(
"\nMultiple interfaces are not supported. %s is used\n"
#ifdef WIN32
,print_interface(pv.interfaces[0]));
#else
,pv.interfaces[0]);
#endif
break;
}
#endif
if(ifr_count == MAX_INTERFACES)
{
ErrorMessage(
"\nMaximum number of interfaces (%i) exceeded."
"Please recompile to extend it (oops)\n",
MAX_INTERFACES);
break;
}
pv.interfaces[ifr_count] = (char *) malloc(strlen(optarg) + 1);
bzero((char *) pv.interfaces[ifr_count], strlen(optarg) + 1);
strncpy(pv.interfaces[ifr_count], optarg, strlen(optarg)+1);
ifr_count++;
#ifdef DEBUG
printf("Interface = %s\n", pv.interfaces[ifr_count - 1]);
#endif
break;
#endif
case 'I': /* add interface name to alert string */
pv.alert_interface_flag = 1;
break;
case 'l': /* use log dir <X> */
strncpy(pv.log_dir, optarg, STD_BUF - 1);
#ifdef DEBUG
printf("Log directory = %s\n", pv.log_dir);
#endif
pv.log_flag = 1;
break;
case 'L': /* set BinLogFile name */
/* implies tcpdump format logging */
if (strlen(optarg) < 256)
{
pv.binLogFile = strdup(optarg);
pv.logbin_flag = 1;
pv.log_cmd_override = 1;
}
else
{
FatalError("ERROR =>ParseCmdLine, log file: %s, > than 256 characters\n",
optarg);
}
break;
case 'M': /* SMB Message Option */
pv.smbmsg_flag = 1;
strncpy(pv.smbmsg_dir, optarg, STD_BUF - 1);
pv.alert_cmd_override = 1;
break;
case 'n': /* grab x packets and exit */
pv.pkt_cnt = atoi(optarg);
#ifdef DEBUG
printf("Exiting after %d packets\n", pv.pkt_cnt);
#endif
break;
case 'N': /* no logging mode */
#ifdef DEBUG
printf("Logging deactivated\n");
#endif
pv.nolog_flag = 1;
pv.log_cmd_override = 1;
break;
case 'o': /* change the rules processing order to
* passlist first */
pv.rules_order_flag = 1;
#ifdef DEBUG
printf("Rule application order changed to Pass->Alert->Log\n");
#endif
break;
case 'O': /* obfuscate the logged IP addresses for
* privacy */
pv.obfuscation_flag = 1;
break;
case 'p': /* disable explicit promiscuous mode */
pv.promisc_flag = 0;
#ifdef DEBUG
printf("Promiscuous mode disabled!\n");
#endif
break;
case 'P': /* explicitly define snaplength of packets */
pv.pkt_snaplen = atoi(optarg);
#ifdef DEBUG
printf("Snaplength of Packets set to: %d\n", pv.pkt_snaplen);
#endif
break;
case 'q': /* no stdout output mode */
pv.quiet_flag = 1;
break;
case 'r': /* read packets from a TCPdump file instead
* of the net */
strncpy(pv.readfile, optarg, STD_BUF - 1);