for(currentDestination = currentSource->destinationsList; currentDestination; currentDestination = currentDestination->nextNode) { strncpy(destinationAddress, inet_ntoa(currentDestination->daddr), 15); for(currentConnection = currentDestination->connectionsList; currentConnection; currentConnection = currentConnection->nextNode) { /* * Apparently, through some stroke of genius and/or luck, * timeval.tv_sec can be used just like time_t. Sweet. And * stuff. */ time = (timeFormat == tLOCAL) ? localtime((time_t *) & currentConnection->timestamp.tv_sec) : gmtime(¤tConnection->timestamp.tv_sec); switch(time->tm_mon) { case 0: month = "Jan"; break; case 1: month = "Feb"; break; case 2: month = "Mar"; break; case 3: month = "Apr"; break; case 4: month = "May"; break; case 5: month = "Jun"; break; case 6: month = "Jul"; break; case 7: month = "Aug"; break; case 8: month = "Sep"; break; case 9: month = "Oct"; break; case 10: month = "Nov"; break; case 11: month = "Dec"; break; default: month = "MONTH IS INVALID!!"; break; } reservedBits = (currentConnection->scanType & sRESERVEDBITS) ? 
"RESERVEDBITS" : ""; DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"scanType = %x mask = %x result = (%x)\n", currentConnection->scanType, ~sRESERVEDBITS, currentConnection->scanType & ~sRESERVEDBITS);); switch(currentConnection->scanType & ~sRESERVEDBITS) { case sUDP: scanType = "UDP"; break; case sSYN: scanType = "SYN"; break; case sFIN: scanType = "FIN"; break; case sSYNFIN: scanType = "SYNFIN"; break; case sNULL: scanType = "NULL"; break; case sXMAS: scanType = "XMAS"; break; case sFULLXMAS: scanType = "FULLXMAS"; break; case sVECNA: scanType = "VECNA"; break; case sNOACK: scanType = "NOACK"; break; case sNMAPID: scanType = "NMAPID"; break; case sSPAU: scanType = "SPAU"; break; case sINVALIDACK: scanType = "INVALIDACK"; break; default: /* * This used to mean I screwed up, but now since any packet * that has reserved bits set is set as a scan it looks bad * if "ERROR" shows up when the packet really has something * bizarre like "2****P**". */ DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"UNKNOWN: scanType = %x (%x)\n", currentConnection->scanType, currentConnection->scanType & ~sRESERVEDBITS);); scanType = "UNKNOWN"; break; } /* I have control of all data here, so this should be safe */ fprintf(logFile, "%s %2d %.2d:%.2d:%.2d %s:%d -> %s:%d %s %s %s\n", month, time->tm_mday, time->tm_hour, time->tm_min, time->tm_sec, sourceAddress, currentConnection->sport, destinationAddress, currentConnection->dport, scanType, currentConnection->tcpFlags, reservedBits); } } /* Now that we're done, flush the buffer to disk. 
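*/
    fflush(logFile);
}

/*
 * AlertIntermediateInfo()
 *
 * Log the number of scan packets and types seen so far from one source
 * through the standard alert mechanism (CallAlertFuncs).
 *
 * currentSource: the per-source record being reported on; only read here.
 */
void AlertIntermediateInfo(SourceInfo * currentSource)
{
    char logMessage[160];
    Event event;

    /* The message is built only from counters and a dotted quad, but it
     * still goes into a fixed buffer: snprintf bounds the write, so an
     * unexpectedly long MODNAME or counter can at worst truncate, never
     * overrun the stack. */
    snprintf(logMessage, sizeof logMessage,
             MODNAME ": portscan status from %s: %d connections "
             "across %d hosts: TCP(%d), UDP(%d)%s",
             inet_ntoa(currentSource->saddr),
             currentSource->numberOfConnections,
             currentSource->numberOfDestinations,
             currentSource->numberOfTCPConnections,
             currentSource->numberOfUDPConnections,
             (currentSource->stealthScanUsed) ? " STEALTH" : "");

    SetEvent(&event, GENERATOR_SPP_PORTSCAN, PORTSCAN_INTER_INFO, 1, 0, 0,
             currentSource->event_id);
    CallAlertFuncs(NULL, logMessage, NULL, &event);
}

/*
 * ExtractHeaderInfo()
 *
 * Copy the source/destination address and port of a packet into the
 * caller-supplied out-parameters.
 *
 * This function seems kinda silly now that the ports no longer have to be
 * pulled out of the protocol-specific headers, but it keeps the callers
 * simple and isolates them from later changes to Packet.
 *
 * p:            packet to read; NOTE(review): p->iph is dereferenced without
 *               a check, so callers are assumed to have verified an IP
 *               header is present — confirm at the call sites.
 * saddr, daddr: receive p->iph->ip_src / ip_dst.
 * sport, dport: receive p->sp / p->dp.
 */
void ExtractHeaderInfo(Packet * p, struct in_addr * saddr, struct in_addr * daddr,
                       u_short * sport, u_short * dport)
{
    *sport = p->sp;
    *dport = p->dp;
    *saddr = p->iph->ip_src;
    *daddr = p->iph->ip_dst;
}

/*
 * IsServer()
 *
 * Check if packet originated from a machine we have been told to ignore SYN
 * and UDP "scans" from, presumably because it's a server.
 *
 * p: the packet under inspection (read only).
 *
 * Returns 1 if the source address matches an entry of serverList (the
 * entry's ignoreFlags are OR'd into the CheckAddrPort() flags), 0 otherwise.
 */
int IsServer(Packet * p)
{
    ServerNode *currentServer;
#ifdef DEBUG
    char sourceIP[16], ruleIP[16], ruleNetMask[16];
#endif

    for(currentServer = serverList; currentServer != NULL;
        currentServer = currentServer->nextNode)
    {
        if(CheckAddrPort(currentServer->address, 0, 0, p,
                         (ANY_SRC_PORT | currentServer->ignoreFlags), CHECK_SRC))
        {
#ifdef DEBUG
            /* inet_ntoa() returns a static buffer, so each result is copied
             * out before the next call. snprintf always NUL-terminates and
             * keeps the full 15-character dotted quad; the former strncpy
             * limit of 14 on ruleIP silently truncated addresses such as
             * 192.168.100.100 in this debug line. */
            snprintf(sourceIP, sizeof sourceIP, "%s", inet_ntoa(p->iph->ip_src));
            snprintf(ruleIP, sizeof ruleIP, "%s",
                     inet_ntoa(*(struct in_addr *) & (currentServer->address->ip_addr)));
            snprintf(ruleNetMask, sizeof ruleNetMask, "%s",
                     inet_ntoa(*(struct in_addr *) & (currentServer->address->netmask)));
            printf(MODNAME ": IsServer(): Server %s found in %s/%s!\n",
                   sourceIP, ruleIP, ruleNetMask);
#endif
            return 1;
        }
    }

    return 0;
}

/*
 * SetupPortscanIgnoreHosts()
 *
 * Register the "portscan-ignorehosts" preprocessor keyword so that
 * PortscanIgnoreHostsInit() runs when the directive is seen in the config.
 */
void SetupPortscanIgnoreHosts(void)
{
    RegisterPreprocessor("portscan-ignorehosts", PortscanIgnoreHostsInit);
}

/*
 * PortscanIgnoreHostsInit()
 *
 * Directive handler: builds the global ignore list from the directive's
 * argument string.
 *
 * args: raw argument text of the portscan-ignorehosts line.
 */
void PortscanIgnoreHostsInit(u_char * args)
{
    CreateServerList(args);
}

/*
 * Well, it seems we are ignoring more than just servers now. We're also
 * ignoring SYN and UDP scans from our own networks. I guess this is okay.
 * Most networks have a soft, chewy center, anyway. Besides, this makes the
 * coding easier!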
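 ;) */

/*
 * CreateServerList()
 *
 * Build the global serverList from the space-separated argument string of
 * the portscan-ignorehosts directive. Each token is parsed with
 * PortscanIgnoreParseIP() into a fresh ServerNode appended at the tail.
 *
 * servers: raw directive arguments; NULL is a fatal configuration error.
 *          NOTE(review): FatalError() is assumed not to return — confirm.
 */
void CreateServerList(u_char * servers)
{
    char **toks;
    int num_toks;
    int num_servers;
    ServerNode *currentServer = NULL;
    ServerNode *newServer;
#ifdef DEBUG
    char ruleIP[16], ruleNetMask[16];
#endif

    serverList = NULL;

    if(servers == NULL)
    {
        FatalError(MODNAME ": %s (%d)=> No arguments to portscan-ignorehosts preprocessor!\n",
                   file_name, file_line);
    }

    /* tokenize the argument list */
    toks = mSplit(servers, " ", 31, &num_toks, '\\');

    /* convert the tokens and place them into the server list */
    for(num_servers = 0; num_servers < num_toks; num_servers++)
    {
        /* calloc zero-fills, so nextNode/address/ignoreFlags start out NULL/0.
         * The result used to be dereferenced unchecked; fail loudly instead,
         * matching the IpAddrSet allocators below. */
        newServer = calloc(1, sizeof *newServer);
        if(newServer == NULL)
        {
            FatalError("Unable to allocate space for portscan ignore host\n");
        }

        if(currentServer != NULL)
        {
            currentServer->nextNode = newServer;
        }
        else
        {
            serverList = newServer;
        }
        currentServer = newServer;

        DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, MODNAME ": CreateServerList(): Adding server %s\n",
                                toks[num_servers]););

        PortscanIgnoreParseIP(toks[num_servers], currentServer);

#ifdef DEBUG
        /* inet_ntoa() reuses one static buffer; copy each result before the
         * next call. snprintf bounds the copy and NUL-terminates. */
        snprintf(ruleIP, sizeof ruleIP, "%s",
                 inet_ntoa(*(struct in_addr *) & currentServer->address->ip_addr));
        snprintf(ruleNetMask, sizeof ruleNetMask, "%s",
                 inet_ntoa(*(struct in_addr *) & currentServer->address->netmask));
        printf(MODNAME ": CreateServerList(): Added server %s/%s\n", ruleIP, ruleNetMask);
#endif
    }

    mSplitFree(&toks, num_toks);
}

/*
 * PortscanParseIP()
 *
 * Parse the home-net address specification of the portscan preprocessor
 * into the global homeAddr list. Accepts a leading '!' (records
 * EXCEPT_DST_IP in homeFlags), a '$variable' reference, and a bracketed,
 * comma-separated list "[a,b,c]".
 *
 * addr: the address spec; NULL is a fatal configuration error. It is
 *       modified in place when bracketed (the closing bracket is overwritten
 *       with NUL) — when addr is a '$variable' this modifies the string
 *       returned by VarGet().
 */
void PortscanParseIP(char *addr)
{
    char **toks;
    int num_toks;
    int i;
    IpAddrSet *tmp_addr;
    char *tmp;
    char *endBracket;

    if(addr == NULL)
    {
        FatalError("%s(%d) => Undefined address in portscan directive\n",
                   file_name, file_line);
    }

    if(*addr == '!')
    {
        homeFlags |= EXCEPT_DST_IP;
        addr++;
    }

    if(*addr == '$')
    {
        if((tmp = VarGet(addr + 1)) == NULL)
        {
            FatalError("%s(%d) => Undefined variable %s\n", file_name, file_line, addr);
        }
    }
    else
    {
        tmp = addr;
    }

    if(*tmp == '[')
    {
        /* strrchr() returns NULL for a list with no closing bracket; the
         * unchecked write through that pointer crashed on a typo in the
         * config. Report it as a config error like the other cases. */
        endBracket = strrchr(tmp, (int)']');
        if(endBracket == NULL)
        {
            FatalError("%s(%d) => Missing ']' in address list %s\n",
                       file_name, file_line, addr);
        }
        *endBracket = 0;    /* null out the en-bracket */

        toks = mSplit(tmp + 1, ",", 128, &num_toks, 0);
        for(i = 0; i < num_toks; i++)
        {
            tmp_addr = PortscanAllocAddrNode();
            ParseIP(toks[i], tmp_addr);
        }
        mSplitFree(&toks, num_toks);
    }
    else
    {
        tmp_addr = PortscanAllocAddrNode();
        ParseIP(tmp, tmp_addr);
    }
}

/*
 * PortscanIgnoreParseIP()
 *
 * Parse one portscan-ignorehosts entry into server->address. Accepts a
 * '$variable' reference and a bracketed, comma-separated list "[a,b,c]".
 *
 * A leading '!' is consumed but otherwise ignored (the original set a local
 * flag that nothing read): the entry is added to the ignore list exactly as
 * if it had not been negated, so the effective ignore list can be broader
 * than the configuration reads. Flagged rather than changed here because
 * honouring the negation also needs support on the matching side.
 *
 * addr:   the entry text; NULL is a fatal configuration error. Modified in
 *         place when bracketed (and so is a VarGet() result).
 * server: the node that receives the parsed addresses.
 */
void PortscanIgnoreParseIP(char *addr, ServerNode* server)
{
    char **toks;
    int num_toks;
    int i;
    IpAddrSet *tmp_addr;
    char *tmp;
    char *endBracket;

    if(addr == NULL)
    {
        FatalError("%s(%d) => Undefined address in portscan-ignorehosts directive\n",
                   file_name, file_line);
    }

    if(*addr == '!')
    {
        /* Negation is not implemented for ignore hosts; see header comment. */
        addr++;
    }

    if(*addr == '$')
    {
        if((tmp = VarGet(addr + 1)) == NULL)
        {
            FatalError("%s (%d) => Undefined variable %s\n", file_name, file_line, addr);
        }
    }
    else
    {
        tmp = addr;
    }

    if(*tmp == '[')
    {
        /* Guard the bracket search: strrchr() yields NULL when ']' is
         * missing and the original wrote through it. */
        endBracket = strrchr(tmp, (int)']');
        if(endBracket == NULL)
        {
            FatalError("%s(%d) => Missing ']' in address list %s\n",
                       file_name, file_line, addr);
        }
        *endBracket = 0;    /* null out the en-bracket */

        toks = mSplit(tmp + 1, ",", 128, &num_toks, 0);
        for(i = 0; i < num_toks; i++)
        {
            tmp_addr = PortscanIgnoreAllocAddrNode(server);
            ParseIP(toks[i], tmp_addr);
        }
        mSplitFree(&toks, num_toks);
    }
    else
    {
        tmp_addr = PortscanIgnoreAllocAddrNode(server);
        ParseIP(tmp, tmp_addr);
    }
}

/*
 * AppendAddrNode()
 *
 * Allocate a zeroed IpAddrSet and append it to the list rooted at *head
 * (setting *head when the list is empty). Shared by the two allocators
 * below so the home-net and ignore-host lists grow the same way.
 *
 * Returns the new node; allocation failure is fatal. The list is walked to
 * its tail on every call, which is fine for config-time sizes.
 */
static IpAddrSet *AppendAddrNode(IpAddrSet **head)
{
    IpAddrSet *node = calloc(1, sizeof *node);
    IpAddrSet *idx;

    if(node == NULL)
    {
        if(*head == NULL)
        {
            FatalError("Unable to allocate space for portscan IP addr\n");
        }
        else
        {
            FatalError("Unable to allocate space for portscan IP address\n");
        }
    }

    if(*head == NULL)
    {
        *head = node;
        return node;
    }

    for(idx = *head; idx->next != NULL; idx = idx->next)
    {
        /* walk to the tail */
    }
    idx->next = node;

    return node;
}

/*
 * PortscanAllocAddrNode()
 *
 * Append a new, zeroed IpAddrSet to the global homeAddr list and return it.
 * Allocation failure is fatal.
 */
IpAddrSet *PortscanAllocAddrNode(void)
{
    return AppendAddrNode(&homeAddr);
}

/*
 * PortscanIgnoreAllocAddrNode()
 *
 * Append a new, zeroed IpAddrSet to server->address and return it.
 * Allocation failure is fatal.
 *
 * server: the ignore-host node whose address list grows.
 */
IpAddrSet *PortscanIgnoreAllocAddrNode(ServerNode * server)
{
    return AppendAddrNode(&server->address);
}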