📄 spp_portscan2.c

📁 Linux snort-2.4.4源代码
    return idx;
}   /* tail of a function whose head is on the previous page */

/*******************************************************************/
/* parses the IP's in the ignore hosts list                        */
/*******************************************************************/
/*
 * Parse one portscan2-ignorehosts entry into `host`.
 *
 * Accepted forms (as implemented below): an optional leading '!' (sets
 * EXCEPT_SRC_IP), then either a "$VAR" reference resolved through VarGet()
 * or a literal; the literal is either "[a,b,c]" (a comma list, at most 128
 * entries via mSplit) or a single address; an optional "@ports" suffix is
 * handed to ParsePort() to fill host->hsp / host->lsp.
 *
 * On a NULL or unresolvable argument an ErrorMessage() is emitted and the
 * entry is skipped; an '@' inside the brackets is a FatalError().
 *
 * NOTE(review): the parser writes '\x0' into the string it was given. When
 * the entry is a "$VAR", that string is whatever VarGet() returned — if that
 * is a pointer into the variable table rather than a copy, the variable is
 * truncated in place for every later user. Confirm VarGet()'s ownership.
 */
void ScanParseIp(char *addr, HostNode *host)
{
    char **toks;
    int num_toks;
    int i, not_flag;
    IpAddrSet *tmp_addr;
    char *enbracket, *ports;
    char *tmp;

    if(addr == NULL)
    {
        /* "igoring" is the original message text; left as-is on purpose */
        ErrorMessage("ERROR %s(%d) => Undefine address in "
                     "portscan-ignorehosts directive, igoring.\n", file_name,
                     file_line);
        return;
    }
    if(*addr == '!')
    {
        /* leading '!' inverts the match: flag it and skip the character */
        host->flags |= EXCEPT_SRC_IP;
        addr++;
    }

    if(*addr == '$')
    {
        /* "$NAME" — look the variable up; unknown names skip the entry */
        if((tmp = VarGet(addr + 1)) == NULL)
        {
            ErrorMessage("ERROR %s (%d) => Undefined variable \"%s\", "
                         "ignoring\n", file_name, file_line, addr);
            return;
        }
    }
    else
    {
        tmp = addr;
    }

    /* last '@' (if any) separates the address part from the port spec */
    ports = strrchr(tmp, (int)'@');
    if (*tmp == '[')
    {
        enbracket = strrchr(tmp, (int)']');
        if (enbracket) *enbracket = '\x0'; /* null out the en-bracket */
        /* an '@' before the closing ']' means the port spec is inside the
         * list, which this syntax does not allow */
        if (ports && enbracket && (ports < enbracket))
        {
            /* NOTE(review): the two adjacent literals concatenate without a
             * space, so the message reads "...syntax error inportscan2-...";
             * cosmetic, and left unchanged here */
            FatalError("[!] ERROR %s(%d) => syntax error in"
                       "portscan2-ignorehosts \"%s\"\n",
                       file_name, file_line, tmp);
        }
        /* NOTE(review): with '[' but no ']' nothing is terminated, so a
         * trailing "@ports" would be fed to ParseIP() as part of the last
         * token — presumably rejected there; confirm. */
        toks = mSplit(tmp+1, ",", 128, &num_toks, 0);
        for(i = 0; i < num_toks; i++)
        {
            /* one IpAddrSet node per comma-separated entry */
            tmp_addr = IgnoreAllocAddrNode(host);
            ParseIP(toks[i], tmp_addr);
        }
        mSplitFree(&toks, num_toks);
    }
    else
    {
        if (ports) *ports = '\x0'; /* null out the at */
        tmp_addr = IgnoreAllocAddrNode(host);
        ParseIP(tmp, tmp_addr);
    }
    if (ports)
    {
        ports++;
        /* a non-zero return from ParsePort() is treated as "any port";
         * not_flag is assumed to be set by ParsePort() on every path */
        if (ParsePort(ports, &(host->hsp), &(host->lsp), "ip", &not_flag))
            host->flags |= ANY_SRC_PORT;
        if (not_flag)
            host->flags |= EXCEPT_SRC_PORT;
    } else {
        /* no "@ports" suffix: the entry matches regardless of port */
        host->flags |= ANY_SRC_PORT;
    }
}

/*************************************************************/
/* Called at runtime to establish the list of source ports   */
/* which are ignored by the portscan detector                */
/*************************************************************/
/* Thin wrapper: fills the file-scope ignorePortFrom / num_ports_from pair. */
void InitIgnoreFrom(u_char *args)
{
    InitIgnorePorts(args, &ignorePortFrom, &num_ports_from);
}

/*************************************************************/
/* Called at runtime to establish the list of destination    */
/* ports which are ignored by the portscan detector          */
/*************************************************************/
/* Thin wrapper: fills the file-scope ignorePortTo / num_ports_to pair. */
void InitIgnoreTo(u_char *args)
{
    InitIgnorePorts(args, &ignorePortTo, &num_ports_to);
}

/*************************************************************/
/* Called at runtime to establish the lists of ports which   */
/* are ignored by the portscan detector                      */
/*************************************************************/
/*
 * Split the space-separated `list` (at most MAX_PORTS tokens, '\\' is the
 * mSplit escape character) and store each parsed port in a heap array.
 *
 * *ports receives the array (grown in MEM_CHUNK steps via calloc/memcpy/free;
 * a failed calloc is a FatalError) and *num its length. Both are reset to
 * NULL / 0 first, so a NULL `list` leaves the caller with an empty list after
 * an ErrorMessage(). The array is owned by the caller's pointer and is never
 * freed here.
 */
void InitIgnorePorts(u_char *list, u_int32_t **ports, int *num)
{
    int new_ports, max_ports;
    u_int32_t *pool;
    char **toks;
    int num_toks;
    *ports = NULL;
    *num = 0;
    max_ports = 0;
    if(list == NULL)
    {
        ErrorMessage(MODNAME ": ERROR: %s(%d)=> No arguments to "
                     "portscan2-ignoreports, ignoring.\n",
                     file_name, file_line);
        return;
    }

    toks = mSplit(list, " ", MAX_PORTS, &num_toks, '\\');
    /* *num doubles as the loop index so it ends equal to the stored count */
    for(;*num < num_toks; (*num)++)
    {
        if(*num >= max_ports)
        {
            /* grow by one chunk: allocate, copy the old entries, release old */
            new_ports = max_ports + MEM_CHUNK;
            if((pool = (u_int32_t *) calloc(new_ports, sizeof(u_int32_t))) == NULL)
            {
                FatalError("[!] ERROR: Unable to allocate space for "
                           "portscan2-ignoreports");
            }
            if (*ports != NULL)
            {
                memcpy(pool, *ports, max_ports * sizeof(u_int32_t));
                free(*ports);
            }
            max_ports = new_ports;
            *ports = pool;
        }
        (*ports)[*num] = ScanParsePort(toks[*num]);
#ifdef DEBUG
        printf(MODNAME ": InitIgnorePorts(): Added port %u\n",
               (unsigned) (*ports)[*num]);
#endif  /* DEBUG */
    }
    mSplitFree(&toks, num_toks);
#ifdef DEBUG
    printf(MODNAME ": InitIgnorePorts(): %d port(s) added\n", *num);
#endif  /* DEBUG */
}

/*******************************************************************/
/* parses the ports in the ignore ports list                       */
/*******************************************************************/
/*
 * Convert one ignore-port token (literal or "$VAR") to a number.
 *
 * Every error path is a FatalError(): NULL token, unknown variable, or a
 * token whose first character is not a digit. The return is the atol() of
 * the token cast to u_int32_t.
 *
 * NOTE(review): only the first character is validated. atol() silently stops
 * at the first non-digit and performs no range check, so "80abc" yields 80
 * and "70000" is stored as-is; since the values are later compared against
 * 16-bit packet ports, an out-of-range entry can never match and is
 * silently inert. A strtoul() with an upper bound of 65535 would surface
 * such misconfigurations at load time.
 */
u_int32_t ScanParsePort(char *port)
{
    char *tmp;

    if(port == NULL)
    {
        FatalError("ERROR %s(%d) => Undefined ports in "
                   "portscan2-ignoreports directive\n",
                   file_name, file_line);
    }
    if(*port == '$')
    {
        if((tmp = VarGet(port + 1)) == NULL)
        {
            FatalError("ERROR %s (%d) => Undefined variable \"%s\"\n",
                       file_name, file_line, port);
        }
    }
    else
    {
        tmp = port;
    }
    /* isdigit() is only defined for unsigned char / EOF values; a negative
     * plain char here would be undefined behaviour (cast via unsigned char) */
    if(!isdigit((int)tmp[0]))
    {
        FatalError("ERROR %s(%d) => Bad port list to "
                   "portscan2-ignoreports\n", file_name, file_line);
    }
    return((u_int32_t)atol(tmp));
}

/************************************************************/
/* checks to see if a packet is coming from an ignored host */
/************************************************************/
/*
 * Return 1 if `p` must be skipped by the portscan detector, 0 otherwise.
 *
 * Checks are applied in order and the first hit wins: source port against
 * ignorePortFrom, destination port against ignorePortTo, then the source
 * address/port against each HostNode in ignoreList via CheckAddrPort().
 *
 * Because a port match short-circuits before any address is examined, every
 * packet carrying a listed port is exempt from detection no matter where it
 * comes from. Operators should keep these port lists as short as possible.
 *
 * DEBUG builds format addresses into 16-byte buffers with strncpy; the
 * buffers are memset first, so the 14/15 length caps leave them terminated.
 */
int IsIgnored(Packet *p)
{
#ifdef DEBUG
    char sourceIP[16], ruleIP[16], ruleNetMask[16];
#endif
    HostNode *currentHost = ignoreList;
    int i;
    /* 1. source-port allow list */
    for(i = 0; i < num_ports_from; i++)
    {
        if (p->sp == ignorePortFrom[i])
        {
#ifdef DEBUG
            memset(sourceIP, '\0', 16);
            strncpy(sourceIP, inet_ntoa(p->iph->ip_src), 15);
            printf(MODNAME ": IsIgnored(): Source port %u from %s found!\n",
                   (unsigned) p->sp, sourceIP);
#endif  /* DEBUG */
            return(1);
        }
    }
    /* 2. destination-port allow list */
    for(i = 0; i < num_ports_to; i++)
    {
        if (p->dp == ignorePortTo[i])
        {
#ifdef DEBUG
            memset(sourceIP, '\0', 16);
            strncpy(sourceIP, inet_ntoa(p->iph->ip_src), 15);
            printf(MODNAME ": IsIgnored(): Destination port %u "
                   "from %s found!\n",
                   (unsigned) p->dp, sourceIP);
#endif  /* DEBUG */
            return(1);
        }
    }
    /* 3. ignored hosts, matched on the packet's source side (CHECK_SRC) */
    while(currentHost)
    {
        /*
         * Return 1 if the source addr is in the serverlist, 0 if nothing is
         * found.
         */
        if(CheckAddrPort(currentHost->address, currentHost->hsp,
                         currentHost->lsp, p, currentHost->flags, CHECK_SRC))
        {
#ifdef DEBUG
            memset(sourceIP, '\0', 16);
            memset(ruleIP, '\0', 16);
            memset(ruleNetMask, '\0', 16);
            strncpy(sourceIP, inet_ntoa(p->iph->ip_src), 15);
            strncpy(ruleIP, inet_ntoa(*(struct in_addr*)
                                      &(currentHost->address->ip_addr)), 14);
            strncpy(ruleNetMask,
                    inet_ntoa(*(struct in_addr *)
                              &(currentHost->address->netmask)), 15);
            printf(MODNAME ": IsIgnored(): Server %s found in %s/%s!\n",
                   sourceIP, ruleIP, ruleNetMask);
#endif  /* DEBUG */
            return(1);
        }
        currentHost = currentHost->nextNode;
    }
    return(0);
}

/********************************************************/
/* takes a target node and zeros out it's port list     */
/********************************************************/
/*
 * Clear the 65536-bit port bitmap (65536/8 = 8192 bytes) of `target`.
 * Assumes target->plist holds at least 8192 entries — the declaration is
 * not visible here; confirm against the ScanTarget definition.
 */
INLINE void InitPortlist(ScanTarget *target)
{
    int i;
    for(i=0; i<65536/8; i++)
    {
        target->plist[i] = 0;
    }
}

/***************************************************/
/* Add a port # to the port array for the target.  */
/* This is called whenever a portscanner touches   */
/* a new port on a target.                         */
/***************************************************/
/*
 * Mark port `offset` as seen on `target` and bump the per-target and
 * per-scanner port counters; when the scanner's count crosses
 * ps2data.portThreshold the first time, log and alert (SLog + SAlert) and
 * latch portsExceeded; afterwards only SLog.
 *
 * The bit is set and the counters incremented unconditionally, so a port
 * already marked would be counted again — the caller is expected to have
 * checked portIsSet() first (the banner above says "a new port"). `offset`
 * is a u_int16_t, so the byte index stays within 0..8191.
 */
INLINE void AddTargetPort(ScanTarget *target, u_int16_t offset, Packet *p)
{
    /* target->plist is an array of char being treated as */
    /* a bitfield. There 65535 bits in the char array.    */
    /* Through a little voodoo we can set any particular  */
    /* bit in that field to 1, indicating the port has    */
    /* been hit. offset is the port # we wish to update   */
    target->plist[(offset/8)] |= 1<<(offset%8); /*  voodoo */
    /* increment the appropriate counters */
    target->port_count++;
    target->parent->port_count++;
    if(target->parent->port_count > ps2data.portThreshold)
    {
        if(target->parent->portsExceeded == FALSE) /* new ps, alert! */
        {
            /* first crossing: one alert, then only logging from here on */
            SLog(p, 0, target->parent);
            SAlert(p, 0, target->parent);
            target->parent->portsExceeded = TRUE;
            /* dumpPacketStats(target->parent); */
        }
        else /*  old portscan, log the packet */
        {
            SLog(p, 0, target->parent);
        }
    }
}

/*********************************/
/* check to see if a port is set */
/*********************************/
/*
 * Non-zero if bit `offset` of the bitmap `portlist` is set (same layout as
 * AddTargetPort writes). `offset` is an unchecked int: a negative value or
 * one above 65535 indexes outside the bitmap, so callers must pass a valid
 * port number.
 */
INLINE int portIsSet(char *portlist, int offset)
{
    /* see comment in AddTargetPort regarding this */
    return portlist[(offset/8)] & (1<<(offset%8));
}

/**************************************************/
/* Add a target to a portscanners target tree.    */
/* Called whenever a new target is touched by     */
/* a portscanner                                  */
/**************************************************/
/*
 * Allocate a ScanTarget for p's destination address under scanner `ps`,
 * insert it into the scanner's target tree, record the packet's destination
 * port on it, and raise the "targets exceeded" alert when
 * ps->target_count passes ps2data.tgtThreshold (alert once, then log only).
 *
 * When the target pool is exhausted, PrunePortscanners() is run (a second,
 * forced pass with 5 if the first frees nothing) before one retry; if the
 * retry also fails the packet is silently dropped from tracking.
 *
 * NOTE(review): port_count is set to 1 and then AddTargetPort() increments
 * it again, so a fresh target ends at 2 after its first port — whether that
 * is intended is not visible here. Only tv_sec of the timestamps is
 * initialised; tv_usec is left as the pool returned it. If ubi_sptInsert()
 * fails the function still proceeds with a node that is not in the tree.
 * The "Pruned got %d nodes" debug message has a %d but no argument.
 */
void AddTarget(Portscanner *ps, Packet *p)
{
    struct in_addr tmp;
    ScanTarget *target = NULL;
    MemBucket *mb = NULL;
    int pruned;
    /* grab a node from the target pool */
    mb = mempool_alloc(&ps2data.TargetPool);
    if(mb == NULL)
    {
        DEBUG_WRAP(DebugMessage(DEBUG_PORTSCAN2, "Outta Target Nodes :(\n"););
        /*
         * force prune of the Portscanners ( those should have some
         * targets associated with them to free up )
         */
        pruned = PrunePortscanners(p->pkth->ts.tv_sec, 0, ps);
        if(pruned <= 0)
        {
            DEBUG_WRAP(DebugMessage(DEBUG_PORTSCAN2,
                                    "Pruned got %d nodes --- forcing\n"););
            pruned = PrunePortscanners(p->pkth->ts.tv_sec, 5, ps);
        }
        /* single retry after pruning */
        mb = mempool_alloc(&ps2data.TargetPool);
    }
    if(mb == NULL)
    {
        DEBUG_WRAP(DebugMessage(DEBUG_PORTSCAN2,
                                "[*] Outta Target Nodes -- stage2 returning\n"););
        return;
    }
    target = (ScanTarget *) mb->data;
    target->bucket = mb;
    /* target is guaranteed to be set at this point */
    /* fill in the target struct */
    target->target_ip = (u_int32_t)p->iph->ip_dst.s_addr;
    target->port_count = 1;
    target->initial_time.tv_sec = p->pkth->ts.tv_sec;
    target->last_time.tv_sec = p->pkth->ts.tv_sec;
    target->parent = ps;
    InitPortlist(target);  /*  zeros out the node's port list */
    /* insert the new target node into the tree */
    if(ubi_sptInsert(ps->targetRootPtr, (ubi_btNodePtr)target,
                     (ubi_btNodePtr)target, NULL) == ubi_trFALSE)
    {
        DEBUG_WRAP(DebugMessage(DEBUG_PORTSCAN2,
                                "Insert into Targets failed\n"););
    }
    /* update the target count */
    target->parent->target_count++;
    /* update the targets port list */
    AddTargetPort(target, p->dp, p);
    /* check thresholds to see if this qualifies as a port scan */
    if(ps->target_count > ps2data.tgtThreshold)
    {
        if(ps->targetsExceeded == FALSE) /*  if FALSE, then new portscan */
        {
            tmp.s_addr = ps->scanner_ip;
            DEBUG_WRAP(DebugMessage(DEBUG_PORTSCAN2,
                                    "Portscanner %s # targets exceeded\n",
                                    inet_ntoa(tmp)););
            SLog(p, 0, ps); /*  log the packet */
            SAlert(p, 0, ps); /*  generate an alert */
            ps->targetsExceeded = TRUE; /*  we have now alerted */
            /* dumpPacketStats(ps); */
        }
        else /* alert has already been generated so log the packet */
        {
            SLog(p, 0, ps);
        }
    }
}

/*****************************************************************/
/* Adds a new portscanner to the portscan tree, builds a target  */
/* tree for this portscanner.                                    */
/*****************************************************************/
void AddPortScanner(Packet *p)
{
    Portscanner *ps = NULL;
    MemBucket *mb = NULL;
    /* borrow a portscanner node from the portscanner node pool */
    mb = mempool_alloc(&ps2data.ScannerPool);
    if(mb == NULL)
    {
        DEBUG_WRAP(DebugMessage(DEBUG_PORTSCAN2, "out of Scanner Nodes\n"););
        /* TBD -- free up one */
        return;
    }
    ps = (Portscanner *) mb->data;
    ps->bucket = mb;
    /* fill in the portscanner struct */
    ps->scanner_ip = (u_int32_t)p->iph->ip_src.s_addr;
    ps->last_time.tv_sec = p->pkth->ts.tv_sec;
    ps->initial_time.tv_sec = p->pkth->ts.tv_sec;
    ps->port_count = 0; /* Add target increments this */
    ps->target_count = 0; /* Add target increments this */
    ps->targetRootPtr = &ps->targetRoot;
    ps->portsExceeded = FALSE;
    ps->targetsExceeded = FALSE;
    DEBUG_WRAP(DebugMessage(DEBUG_PORTSCAN2,
                            "Assigning a scanner ip of %s\n",
                            inet_ntoa(p->iph->ip_src)););
    /* create a new target tree for this portscanner */
    if(ubi_trInitTree(ps->targetRootPtr, targetCompareFunc,
                      0) == ubi_trFALSE)
    {
        printf("init tree failed!\n");
    }
    /* Add the target to the target tree */
    AddTarget(ps, p);
    /* get the stats for the initiating packet */
    /* addPacketStats(ps, p);
       Need to figure out what I should do with this right here
    */
    /* add this scanner to the portscan tree */
    /* TBD -- error check */
    if(ubi_sptInsert(ps2data.ScannersPtr,
                     (ubi_btNodePtr)ps,
                     (ubi_btNodePtr)ps, NULL) == ubi_trFALSE)
