📄 spp_sfportscan.c

📁 Linux snort-2.4.4源代码
💻 C
📖 第 1 页 / 共 3 页
字号:
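        else
            FatalErrorInvalidArg("proto");

        pcTok = strtok(NULL, DELIMITERS);
    }

    if(!pcTok)
        FatalErrorNoEnd("proto");

    return;
}

/*
 * ParseScanType
 *
 * Consumes the tokens of a "scan_type { ... }" option from the strtok()
 * session that PortscanInit() started and ORs the matching PS_TYPE_*
 * flags into *scan_types.  "all" replaces whatever was accumulated with
 * PS_TYPE_ALL.  The option ends at TOKEN_ARG_END; an unknown keyword, or
 * running out of tokens before the closing delimiter, is fatal.
 *
 * @param scan_types  receives the flag set (NULL is silently ignored)
 */
static void ParseScanType(int *scan_types)
{
    char *pcTok;

    if(!scan_types)
        return;

    *scan_types = 0;

    for(pcTok = strtok(NULL, DELIMITERS); pcTok; pcTok = strtok(NULL, DELIMITERS))
    {
        if(!strcasecmp(pcTok, "portscan"))
            *scan_types |= PS_TYPE_PORTSCAN;
        else if(!strcasecmp(pcTok, "portsweep"))
            *scan_types |= PS_TYPE_PORTSWEEP;
        else if(!strcasecmp(pcTok, "decoy_portscan"))
            *scan_types |= PS_TYPE_DECOYSCAN;
        else if(!strcasecmp(pcTok, "distributed_portscan"))
            *scan_types |= PS_TYPE_DISTPORTSCAN;
        else if(!strcasecmp(pcTok, "all"))
            *scan_types = PS_TYPE_ALL;
        else if(!strcasecmp(pcTok, TOKEN_ARG_END))
            return;
        else
            FatalErrorInvalidArg("scan_type");
    }

    /* Only reached when the token stream ran dry before TOKEN_ARG_END. */
    FatalErrorNoEnd("scan_type");
}

/*
 * ParseSenseLevel
 *
 * Consumes the tokens of a "sense_level { ... }" option and stores the
 * matching PS_SENSE_* value in *sense_level.  When several levels are
 * listed the last one wins.  Unknown keywords and a missing closing
 * delimiter are fatal.
 *
 * @param sense_level  receives the level (NULL is silently ignored)
 */
static void ParseSenseLevel(int *sense_level)
{
    char *pcTok;

    if(!sense_level)
        return;

    *sense_level = 0;

    for(pcTok = strtok(NULL, DELIMITERS); pcTok; pcTok = strtok(NULL, DELIMITERS))
    {
        if(!strcasecmp(pcTok, "low"))
            *sense_level = PS_SENSE_LOW;
        else if(!strcasecmp(pcTok, "medium"))
            *sense_level = PS_SENSE_MEDIUM;
        else if(!strcasecmp(pcTok, "high"))
            *sense_level = PS_SENSE_HIGH;
        else if(!strcmp(pcTok, TOKEN_ARG_END))
            return;
        else
            FatalErrorInvalidArg("sense_level");
    }

    FatalErrorNoEnd("sense_level");
}

/*
 * ParseIpList
 *
 * Reads everything up to the closing delimiter as one IP list and parses
 * it into a freshly allocated IPv4 IPSET.  Allocation failure and a list
 * that ip4_setparse() rejects are fatal.
 *
 * @param ip_list  receives the new set; the caller owns it
 * @param option   option name used in the error messages
 */
static void ParseIpList(IPSET **ip_list, char *option)
{
    char *pcTok;

    if(!ip_list)
        return;

    /* The whole list is taken as one token: split on TOKEN_ARG_END only. */
    pcTok = strtok(NULL, TOKEN_ARG_END);
    if(!pcTok)
        FatalErrorInvalidArg(option);

    *ip_list = ipset_new(IPV4_FAMILY);
    if(!*ip_list)
        FatalError("Failed to initialize ip_list in portscan preprocessor.\n");

    if(ip4_setparse(*ip_list, pcTok))
        FatalError("%s(%d) => Invalid ip_list to '%s' option.\n",
                file_name, file_line, option);
}

/*
 * ParseMemcap
 *
 * Consumes a "memcap { <bytes> }" option.  The value must be a positive
 * decimal integer that fits an int; it is validated with strtol() so that
 * trailing garbage ("1024x") or an out-of-range value is rejected rather
 * than silently truncated, which is what atoi() would do.
 *
 * @param memcap  receives the limit in bytes (NULL is silently ignored)
 */
static void ParseMemcap(int *memcap)
{
    char *pcTok;
    char *end;
    long  val;

    if(!memcap)
        return;

    *memcap = 0;

    pcTok = strtok(NULL, DELIMITERS);
    if(!pcTok)
        FatalErrorNoEnd("memcap");

    val = strtol(pcTok, &end, 10);

    /* end == pcTok: no digits at all; *end: trailing junk;
     * (long)(int)val != val: does not survive the narrowing to int. */
    if(end == pcTok || *end != '\0' || val <= 0 || (long)(int)val != val)
        FatalErrorInvalidArg("memcap");

    *memcap = (int)val;

    pcTok = strtok(NULL, DELIMITERS);
    if(!pcTok)
        FatalErrorNoEnd("memcap");

    if(strcmp(pcTok, TOKEN_ARG_END))
        FatalErrorInvalidArg("memcap");
}

/*
 * PrintIpList
 *
 * Logs every CIDR block of an IP set under the given heading, one
 * "ip / mask" line per block, prefixed with '!' for negated entries.
 * A NULL set prints nothing at all (not even the heading).
 *
 * @param heading  complete heading line, newline included
 * @param set      set to dump, may be NULL
 */
static void PrintIpList(const char *heading, IPSET *set)
{
    char ip_str[80], mask_str[80];
    CIDRBLOCK *p;

    if(!set)
        return;

    LogMessage("%s", heading);

    for(p = (CIDRBLOCK*)sflist_first(&set->cidr_list);
        p;
        p = (CIDRBLOCK*)sflist_next(&set->cidr_list))
    {
        ip4_sprintx(ip_str, sizeof(ip_str), &p->ip);
        ip4_sprintx(mask_str, sizeof(mask_str), &p->mask);

        LogMessage("        %s%s / %s\n",
                p->notflag ? "!" : "", ip_str, mask_str);
    }
}

/*
 * PrintPortscanConf
 *
 * Logs the effective preprocessor configuration: protocols, scan types,
 * sensitivity, memcap, the derived tracker node count, the log file when
 * one is configured, and the three ignore/watch IP lists.
 *
 * @param detect_scans      PS_PROTO_* bit set
 * @param detect_scan_type  PS_TYPE_* bit set
 * @param sense_level       one of PS_SENSE_LOW/MEDIUM/HIGH
 * @param scanner           ignore_scanners set, may be NULL
 * @param scanned           ignore_scanned set, may be NULL
 * @param watch             watch_ip set, may be NULL
 * @param memcap            memory limit in bytes
 */
static void PrintPortscanConf(int detect_scans, int detect_scan_type,
        int sense_level, IPSET *scanner, IPSET *scanned, IPSET *watch,
        int memcap)
{
    char   buf[STD_BUF+1];
    int    proto_cnt = 0;
    size_t node_bytes;

    LogMessage("Portscan Detection Config:\n");

    memset(buf, 0, STD_BUF+1);
    snprintf(buf, STD_BUF, "    Detect Protocols:  ");
    if(detect_scans & PS_PROTO_TCP)  { sfsnprintfappend(buf, STD_BUF, "TCP ");  proto_cnt++; }
    if(detect_scans & PS_PROTO_UDP)  { sfsnprintfappend(buf, STD_BUF, "UDP ");  proto_cnt++; }
    if(detect_scans & PS_PROTO_ICMP) { sfsnprintfappend(buf, STD_BUF, "ICMP "); proto_cnt++; }
    if(detect_scans & PS_PROTO_IP)   { sfsnprintfappend(buf, STD_BUF, "IP");    proto_cnt++; }
    LogMessage("%s\n", buf);

    memset(buf, 0, STD_BUF+1);
    snprintf(buf, STD_BUF, "    Detect Scan Type:  ");
    if(detect_scan_type & PS_TYPE_PORTSCAN)
        sfsnprintfappend(buf, STD_BUF, "portscan ");
    if(detect_scan_type & PS_TYPE_PORTSWEEP)
        sfsnprintfappend(buf, STD_BUF, "portsweep ");
    if(detect_scan_type & PS_TYPE_DECOYSCAN)
        sfsnprintfappend(buf, STD_BUF, "decoy_portscan ");
    if(detect_scan_type & PS_TYPE_DISTPORTSCAN)
        sfsnprintfappend(buf, STD_BUF, "distributed_portscan");
    LogMessage("%s\n", buf);

    memset(buf, 0, STD_BUF+1);
    snprintf(buf, STD_BUF, "    Sensitivity Level: ");
    if(sense_level == PS_SENSE_HIGH)
        sfsnprintfappend(buf, STD_BUF, "High/Experimental");
    if(sense_level == PS_SENSE_MEDIUM)
        sfsnprintfappend(buf, STD_BUF, "Medium");
    if(sense_level == PS_SENSE_LOW)
        sfsnprintfappend(buf, STD_BUF, "Low");
    LogMessage("%s\n", buf);

    LogMessage("    Memcap (in bytes): %d\n", memcap);

    /* The quotient is a size_t, so it is printed through an unsigned long
     * with a matching specifier instead of "%d".  The divisor is guarded so
     * a degenerate value can never divide by zero.
     * NOTE(review): "sizeof(PS_PROTO)*proto_cnt-1" is kept exactly as
     * found; whether "(proto_cnt-1)" was intended cannot be told from here. */
    node_bytes = sizeof(PS_PROTO)*proto_cnt-1;
    LogMessage("    Number of Nodes:   %lu\n",
            node_bytes ? (unsigned long)(memcap / node_bytes) : 0UL);

    if(g_logpath[0])
        LogMessage("    Logfile:           %s\n", g_logpath);

    PrintIpList("    Ignore Scanner IP List:\n", scanner);
    PrintIpList("    Ignore Scanned IP List:\n", scanned);
    PrintIpList("    Ignore Watch IP List:\n", watch);

    LogMessage("\n");
}

/*
 * ParseLogFile
 *
 * Consumes a "logfile { <path> }" option, builds the final path into
 * logfile and opens it for appending.  An absolute path is used as given;
 * a relative one is placed under pv.log_dir.  A path that does not fit the
 * buffer is fatal rather than silently truncated, because a truncated path
 * would open a different file than the one configured.
 *
 * @param flog          receives the opened stream; the caller owns it
 * @param logfile       buffer that receives the path
 * @param logfile_size  size of that buffer in bytes
 */
static void ParseLogFile(FILE **flog, u_char *logfile, int logfile_size)
{
    char *pcTok;
    int   len;

    pcTok = strtok(NULL, DELIMITERS);
    if(!pcTok)
        FatalErrorNoEnd("logfile");

    if(pcTok[0] == '/')
        len = snprintf((char *)logfile, (size_t)logfile_size, "%s", pcTok);
    else
        len = snprintf((char *)logfile, (size_t)logfile_size, "%s/%s",
                pv.log_dir, pcTok);

    if(len < 0 || len >= logfile_size)
        FatalError("%s(%d) => 'logfile' path is too long.\n",
                file_name, file_line);

    pcTok = strtok(NULL, DELIMITERS);
    if(!pcTok)
        FatalErrorNoEnd("logfile");

    if(strcmp(pcTok, TOKEN_ARG_END))
        FatalErrorInvalidArg("logfile");

    *flog = fopen((char *)logfile, "a+");
    if(!(*flog))
        FatalError("%s(%d) => '%s' could not be opened.\n",
                 file_name, file_line, (char *)logfile);
}

/*
 * ExpectArgBegin
 *
 * Consumes the token following an option keyword and requires it to be
 * TOKEN_ARG_BEGIN; anything else (including end of input) is fatal.
 *
 * @param option  option name used in the error message
 */
static void ExpectArgBegin(char *option)
{
    char *pcTok = strtok(NULL, DELIMITERS);

    if(!pcTok || strcmp(pcTok, TOKEN_ARG_BEGIN))
        FatalErrorNoOption(option);
}

/*
 * PortscanInit
 *
 * Preprocessor "sfportscan" configuration entry point.  Tokenises the
 * option string with strtok() (the Parse* helpers continue the same
 * session, so nothing else may call strtok() in between), applies the
 * options over the built-in defaults, initialises the detection module
 * and registers PortscanDetect() with the preprocessor list.  Every
 * configuration error is fatal.
 *
 * @param args  raw option string from the config line, may be NULL
 */
static void PortscanInit(u_char *args)
{
    int    sense_level = PS_SENSE_LOW;
    int    protos      = (PS_PROTO_TCP | PS_PROTO_UDP);
    int    scan_types  = PS_TYPE_ALL;
    int    memcap      = 1048576;
    IPSET *ignore_scanners = NULL;
    IPSET *ignore_scanned = NULL;
    IPSET *watch_ip = NULL;
    char  *pcTok;
    int    iRet;

    g_logpath[0] = 0x00;

    if(args)
    {
        for(pcTok = strtok((char *)args, DELIMITERS);
            pcTok;
            pcTok = strtok(NULL, DELIMITERS))
        {
            if(!strcasecmp(pcTok, "proto"))
            {
                ExpectArgBegin("proto");
                ParseProtos(&protos);
            }
            else if(!strcasecmp(pcTok, "scan_type"))
            {
                ExpectArgBegin("scan_type");
                ParseScanType(&scan_types);
            }
            else if(!strcasecmp(pcTok, "sense_level"))
            {
                ExpectArgBegin("sense_level");
                ParseSenseLevel(&sense_level);
            }
            else if(!strcasecmp(pcTok, "ignore_scanners"))
            {
                ExpectArgBegin("ignore_scanners");
                ParseIpList(&ignore_scanners, "ignore_scanners");
            }
            else if(!strcasecmp(pcTok, "ignore_scanned"))
            {
                ExpectArgBegin("ignore_scanned");
                ParseIpList(&ignore_scanned, "ignore_scanned");
            }
            else if(!strcasecmp(pcTok, "watch_ip"))
            {
                ExpectArgBegin("watch_ip");
                ParseIpList(&watch_ip, "watch_ip");
            }
            else if(!strcasecmp(pcTok, "print_tracker"))
            {
                g_print_tracker = 1;
            }
            else if(!strcasecmp(pcTok, "memcap"))
            {
                ExpectArgBegin("memcap");
                ParseMemcap(&memcap);
            }
            else if(!strcasecmp(pcTok, "logfile"))
            {
                ExpectArgBegin("logfile");
                ParseLogFile(&g_logfile, g_logpath, sizeof(g_logpath));
            }
            else if(!strcasecmp(pcTok, "include_midstream"))
            {
                g_include_midstream = 1;
            }
            else
            {
                FatalErrorInvalidOption(pcTok);
            }
        }
    }

    iRet = ps_init(protos, scan_types, sense_level, ignore_scanners,
                ignore_scanned, watch_ip, memcap);
    if(iRet)
    {
        /* -2 is the only return ps_init() distinguishes for us here. */
        if(iRet == -2)
        {
            FatalError("%s(%d) => 'memcap' limit not sufficient to run "
                       "sfportscan preprocessor.  Please increase this "
                       "value or keep the default memory usage.\n",
                        file_name, file_line);
        }

        FatalError("Failed to initialize the sfportscan detection module.  "
                   "Please check your configuration before submitting a "
                   "bug.\n");
    }

    AddFuncToPreprocList(PortscanDetect);

    PrintPortscanConf(protos, scan_types, sense_level, ignore_scanners,
            ignore_scanned, watch_ip, memcap);

    PortscanPacketInit();
}

/*
 * SetupPsng
 *
 * Registers the "sfportscan" preprocessor keyword so that PortscanInit()
 * is invoked when the configuration names it.
 */
void SetupPsng(void)
{
    RegisterPreprocessor("sfportscan", PortscanInit);
}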
