pv.readmode_flag = 1;
break;
case 's': /* log alerts to syslog */
pv.syslog_flag = 1;
#ifdef DEBUG
printf("Logging alerts to syslog\n");
#endif
pv.alert_cmd_override = 1;
#ifdef WIN32
pv.syslog_remote_flag = 1;
toks = mSplit(optarg, ":", 2, &num_toks, 0);
strncpy(pv.syslog_server, toks[0], STD_BUF-1);
pv.syslog_server_port = (num_toks == 1) ? 514 : atoi(toks[1]);
#ifdef DEBUG
printf("Logging alerts to syslog server %s on port %d\n", pv.syslog_server, pv.syslog_server_port);
#endif
#endif
break;
case 'S': /* set a rules file variable */
if((eq_p = strchr(optarg, '=')) != NULL)
{
struct VarEntry *p;
eq_n = (char *) malloc(eq_p - optarg + 1);
bzero(eq_n, eq_p - optarg + 1);
strncpy(eq_n, optarg, eq_p - optarg);
p = VarDefine(eq_n, eq_p + 1);
p->flags |= VAR_STATIC;
free(eq_n);
}
break;
case 't':
#ifdef WIN32
FatalError("[!] ERROR: Setting the chroot directory is not supported in the WIN32 port of snort!\n");
#endif
if((chrootdir = calloc(strlen(optarg) + 2, 1)) == NULL)
FatalPrintError("malloc");
/* make sure '/' is appended */
sprintf(chrootdir, "%s/", optarg);
break;
#ifndef WIN32
case 'u':
#ifdef WIN32
FatalError("[!] ERROR: Setting the user id is not supported in the WIN32 port of snort!\n");
#endif
if((username = calloc(strlen(optarg) + 1, 1)) == NULL)
FatalPrintError("malloc");
bcopy(optarg, username, strlen(optarg));
if((userid = atoi(username)) == 0)
{
pw = getpwnam(username);
if(pw == NULL)
FatalError("User \"%s\" unknown\n", username);
userid = pw->pw_uid;
}
else
{
pw = getpwuid(userid);
if(pw == NULL)
FatalError(
"Can not obtain username for uid: %lu\n",
(u_long) userid);
}
if(groupname == NULL)
{
char name[256];
snprintf(name, 255, "%lu", (u_long) pw->pw_gid);
if((groupname = calloc(strlen(name) + 1, 1)) == NULL)
{
FatalPrintError("malloc");
}
groupid = pw->pw_gid;
}
#if DEBUG
printf("UserID: %lu GroupID: %lu\n",
(unsigned long) userid, (unsigned long) groupid);
#endif
break;
#endif
case 'U': /* use UTC */
pv.use_utc = 1;
break;
#ifdef WIN32
case 'W':
if ((pv.interface = pcap_lookupdev(errorbuf)) == NULL)
perror(errorbuf);
DisplayBanner();
PrintDeviceList(pv.interface);
exit(0);
break;
#endif
case 'v': /* be verbose */
pv.verbose_flag = 1;
#ifdef DEBUG
printf("Verbose Flag active\n");
#endif
break;
case 'V': /* prog ver already gets printed out, so we
* just exit */
DisplayBanner();
exit(0);
case 'x': /* display IPX packets (decoder not
* implemented yet) */
#ifdef DEBUG
printf("Show IPX active\n");
#endif
pv.showipx_flag = 1;
break;
case 'X': /* display verbose packet bytecode dumps */
#ifdef DEBUG
printf("Verbose packet bytecode dumps enabled\n");
#endif
pv.verbose_bytedump_flag = 1;
break;
case '?': /* show help and exit */
DisplayBanner();
ShowUsage(progname);
exit(0);
case '6': /* display IPv6 packets (decoder not
* implemented yet) */
#ifdef DEBUG
printf("Show IPv6 active\n");
#endif
pv.showipv6_flag = 1;
break;
}
}
/* if we're reading in BPF filters from a file */
if(read_bpf)
{
/* suck 'em in */
pv.pcap_cmd = read_infile(bpf_file);
}
else
{
/* set the BPF rules string (thanks Mike!) */
pv.pcap_cmd = copy_argv(&argv[optind]);
}
if(pv.interfaces[0] == NULL)
{
pv.interfaces[0] = pcap_lookupdev(errorbuf);
if(pv.interfaces[0] == NULL)
FatalError( "Failed to lookup for interface: %s."
" Please specify one with -i switch\n", errorbuf);
}
#ifdef DEBUG
if(pv.pcap_cmd != NULL)
{
printf("pcap_cmd = %s\n", pv.pcap_cmd);
}
else
{
printf("pcap_cmd is NULL!\n");
}
#endif
return 0;
}
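/*
 * Function: GenHomenet(char *)
 *
 * Purpose: Translate the command line character string into its equivalent
 *          32-bit network byte ordered value (with netmask).  On success
 *          pv.netmask and pv.homenet are filled in; every parse failure is
 *          fatal (FatalError does not return).
 *
 * Arguments: netdata => The address/CIDR block, e.g. "192.168.1.0/24"
 *
 * Returns: void function
 */
void GenHomenet(char *netdata)
{
    struct in_addr net;     /* place to stick the local network data */
    char **toks;            /* dbl ptr to store mSplit return data in */
    int num_toks;           /* number of tokens mSplit returns */
    int nmask;              /* temporary netmask storage */
    long cidr;              /* prefix length as parsed, before range check */
    char *endp;             /* first character strtol() did not consume */
    int i;

    if(netdata == NULL)
    {
        FatalError("ERROR: No home network specified!\n");
    }

    /* break out the CIDR notation from the IP address.
     * Fix: the original tokenised getopt's global optarg instead of the
     * netdata argument, so the function was only correct when called
     * straight out of option parsing with optarg still pointing at -h's
     * value; parse the argument we were actually given. */
    toks = mSplit(netdata, "/", 2, &num_toks, 0);

    if(num_toks > 1)
    {
        /* convert the CIDR notation into a real live netmask.  strtol()
         * with an end-pointer check replaces atoi(), which silently
         * accepted trailing garbage such as "24abc" or "2 4". */
        cidr = strtol(toks[1], &endp, 10);

        if(endp == toks[1] || *endp != '\0' || cidr < 1 || cidr > 32)
        {
            FatalError("ERROR: Bad CIDR block [%s:%ld], 1 to 32 please!\n",
                       toks[1], cidr);
        }

        nmask = (int) cidr;
        pv.netmask = netmasks[nmask];
    }
    else
    {
        FatalError("ERROR: No netmask specified for home network!\n");
    }

    /* netmasks[] is host order; everything downstream compares against
     * addresses taken straight off the wire, so flip it once here */
    pv.netmask = htonl(pv.netmask);

#ifdef DEBUG
    printf("homenet netmask = %#8lX\n", (unsigned long) pv.netmask);
#endif

    /* convert the IP addr into its 32-bit value.  inet_addr() signals
     * failure with INADDR_NONE, which is also the encoding of
     * 255.255.255.255 -- that address cannot be used as a home net here */
    if((net.s_addr = inet_addr(toks[0])) == INADDR_NONE)
    {
        FatalError("ERROR: Homenet (%s) didn't x-late, WTF?\n",
                   toks[0]);
    }
    else
    {
#ifdef DEBUG
        struct in_addr sin;

        printf("Net = %s (%X)\n", inet_ntoa(net), (unsigned) net.s_addr);
#endif

        /* set the final homenet address up: mask off host bits so a
         * host address like 10.1.2.3/8 still yields the 10.0.0.0 net */
        pv.homenet = ((u_long) net.s_addr & pv.netmask);

#ifdef DEBUG
        sin.s_addr = pv.homenet;
        printf("Homenet = %s (%X)\n", inet_ntoa(sin), (unsigned) sin.s_addr);
#endif
    }

    /* release the token strings; NOTE(review): the token array itself is
     * not freed here, which is harmless for a once-per-run call but worth
     * confirming against mSplit()'s allocation contract */
    for(i = 0; i < num_toks; i++)
    {
        free(toks[i]);
    }
}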
/*
 * Function: SetPktProcessors()
 *
 * Purpose: Install a packet-decoding routine for every configured
 *          interface by running SetPktProcessor() over each index in
 *          0..ifr_count-1.
 *
 * Arguments: none (reads the file-scope ifr_count)
 *
 * Returns: void function
 */
void SetPktProcessors()
{
    int ifnum = 0;

    while(ifnum < ifr_count)
    {
        SetPktProcessor(ifnum);
        ifnum++;
    }
}
/*
* Function: SetPktProcessor()
*
* Purpose: Set which packet processing function we're going to use based on
* what type of datalink layer we're using
*
* Arguments: int num => number of interface
*
* Returns: 0 => success
*/
int SetPktProcessor(int num)
{
switch(datalinks[num])
{
case DLT_EN10MB: /* Ethernet */
if(!pv.readmode_flag)
{
if(!pv.quiet_flag)
printf("Decoding Ethernet on interface %s\n",
#ifdef WIN32
print_interface(pv.interfaces[num]));
#else
pv.interfaces[num]);
#endif
}
grinders[num] = DecodeEthPkt;
break;
case 13:
case DLT_IEEE802: /* Token Ring */
if(!pv.readmode_flag)
{
if(!pv.quiet_flag)
printf("Decoding Token Ring on interface %s\n",
#ifdef WIN32
print_interface(pv.interfaces[num]));
#else
pv.interfaces[num]);
#endif
}
grinders[num] = DecodeTRPkt;
break;
case DLT_FDDI: /* FDDI */
if(!pv.readmode_flag)
{
if(!pv.quiet_flag)
#ifdef WIN32
printf("Decoding FDDI on interface %s\n", print_interface(pv.interfaces[num]));
#else
printf("Decoding FDDI on interface %s\n", pv.interfaces[num]);
#endif
}
grinders[num] = DecodeFDDIPkt;
break;
case DLT_SLIP: /* Serial Line Internet Protocol */
if(!pv.readmode_flag)
{
if(!pv.quiet_flag)
printf("Decoding Slip on interface %s\n",
#ifdef WIN32
print_interface(pv.interfaces[num]));
#else
pv.interfaces[num]);
#endif
}
if(pv.show2hdr_flag == 1)
{
printf("Second layer header parsing for this datalink "
"isn't implemented yet\n");
pv.show2hdr_flag = 0;
}
grinders[num] = DecodeSlipPkt;
break;
case DLT_PPP: /* point-to-point protocol */
if(!pv.readmode_flag)
{
if(!pv.quiet_flag)
printf("Decoding PPP on interface %s\n",
#ifdef WIN32
print_interface(pv.interfaces[num]));
#else
pv.interfaces[num]);
#endif
}
if(pv.show2hdr_flag == 1)
{
/* do we need ppp header showup? it's only 4 bytes anyway ;-) */
printf("Second layer header parsing for this datalink "
"isn't implemented yet\n");
pv.show2hdr_flag = 0;
}
grinders[num] = DecodePppPkt;
break;
#ifdef DLT_LOOP
case DLT_LOOP:
#endif
#ifdef DLT_LINUX_SLL
case DLT_LINUX_SLL:
#endif
case DLT_NULL: /* loopback and stuff.. you wouldn't perform
* intrusion detection on it, but it's ok for
* testing. */
if(!pv.readmode_flag)
{
if(!pv.quiet_flag)
{
#ifdef WIN32
printf("Decoding LoopBack on interface %s\n", print_interface(pv.interfaces[num]));
#else
printf("Decoding LoopBack on interface %s\n", pv.interfaces[num]);
#endif
}
}
if(pv.show2hdr_flag == 1)
{
printf("Data link layer header parsing for this network type "
"isn't implemented yet\n");
pv.show2hdr_flag = 0;
}
grinders[num] = DecodeNullPkt;
break;
#ifdef DLT_RAW /* Not supported in some arch or older pcap
* versions */
case DLT_RAW:
if(!pv.readmode_flag)
{
if(!pv.quiet_flag)
printf("Decoding raw data on interface %s\n",
#ifdef WIN32
print_interface(pv.interfaces[num]));
#else
pv.interfaces[num]);
#endif
}
if(pv.show2hdr_flag == 1)
{
printf("There's no second layer header available for this datalink\n");
pv.show2hdr_flag = 0;
}
grinders[num] = DecodeRawPkt;
break;
#endif
/*
* you need the I4L modified version of libpcap to get this stuff
* working
*/
#ifdef DLT_I4L_RAWIP
case DLT_I4L_RAWIP:
if (! pv.readmode_flag && !pv.quiet_flag)
#ifdef WIN32