{ DEBUG_WRAP(DebugMessage(DEBUG_PORTSCAN2, "Insert into Scanners failed\n");); }}
/* (the two lines above are the tail of a definition that begins before
 * this excerpt; they are left exactly as found) */

/*********************************************************************/
/* Callback function used by splay trees to sort portscanner nodes   */
/*                                                                   */
/* Orders the scanner tree by scanner_ip.  NodePtr is the tree node  */
/* being compared, ItemPtr the lookup key.  Returns 1 when the       */
/* node's address is numerically lower than the key, -1 when it is   */
/* higher and 0 on a match.                                          */
/*********************************************************************/
static int psCompareFunc(ubi_trItemPtr ItemPtr, ubi_trNodePtr NodePtr)
{
    Portscanner *A = (Portscanner *) NodePtr;
    Portscanner *B = (Portscanner *) ItemPtr;

#ifdef DEBUG
    #define IPLEN 256
    char sip[IPLEN];

    /* inet_ntoa() hands back a pointer to one static buffer, so the first
     * address is copied out before the second call overwrites it. */
    strncpy(sip, inet_ntoa(*(struct in_addr *) &A->scanner_ip), IPLEN);
    DebugMessage(DEBUG_PORTSCAN2,"psCompareFunc %s %s\n", sip, inet_ntoa(*(struct in_addr *) &B->scanner_ip));
    #undef IPLEN
#endif

    if(A->scanner_ip < B->scanner_ip)
    {
        return 1;
    }
    else if(A->scanner_ip > B->scanner_ip)
    {
        return -1;
    }

    return 0;
}

/*********************************************************************/
/* Callback function used by splay trees to sort target nodes        */
/*                                                                   */
/* Same contract as psCompareFunc, keyed on target_ip.  Presumably   */
/* installed on each Portscanner's targetRootPtr; that initialisation */
/* is outside this excerpt.                                          */
/*********************************************************************/
static int targetCompareFunc(ubi_trItemPtr ItemPtr, ubi_trNodePtr NodePtr)
{
    ScanTarget *A;
    ScanTarget *B;

    A = (ScanTarget *) NodePtr;
    B = (ScanTarget *) ItemPtr;

    if(A->target_ip < B->target_ip)
        return 1;
    else if(B->target_ip < A->target_ip)
        return -1;

    return 0;
}

/*
 * Generates a snort alert when a portscan is detected
 *
 * p         - the packet that pushed the scanner over a threshold
 * scan_type - NOTE(review): unused; the event is raised with the
 *             SCAN_TYPE constant instead of this argument
 * ps        - the scanner being reported; its event_id is overwritten
 *             with the id assigned by SetEvent()
 *
 * The alert text is built with snprintf() bounded to the size of
 * outstring, so a long prefix or large counters are truncated rather
 * than overflowing the stack buffer.
 */
void SAlert(Packet *p, int scan_type, Portscanner *ps)
{
    Event event;
    char outstring[255];

    snprintf(outstring, 255, SCAN2_PREFIX_STR "%s: %d targets %d ports in %d seconds",
             inet_ntoa(*((struct in_addr *) &ps->scanner_ip)),
             ps->target_count, ps->port_count,
             (int) (p->pkth->ts.tv_sec - ps->initial_time.tv_sec));

    DEBUG_WRAP(DebugMessage(DEBUG_PORTSCAN2, "%s\n", outstring););

    SetEvent(&event, GENERATOR_SPP_SCAN2, SCAN_TYPE, 1, 0, 0, 0);
    CallAlertFuncs(p, outstring, NULL, &event);

    ps->event_id = event.event_id;
}

/*******************************************************************/
/* Called for each packet of a portscan.  Logs interesting packet  */
/* data to a text file                                             */
/*                                                                 */
/* Writes one line per packet to ps2data.logfile, choosing the     */
/* format by transport (TCP, UDP, ICMP); packets with none of the  */
/* three headers are silently not logged.  scan_type is unused.    */
/*                                                                 */
/* NOTE(review): ps2data.logfile is used without a NULL check; if  */
/* opening the log file (done outside this excerpt) failed, these  */
/* fprintf() calls dereference NULL.                               */
/*******************************************************************/
void SLog(Packet *p, int scan_type, Portscanner *ps)
{
    char src[STD_BUF];
    char dst[STD_BUF];
    char timestamp[TIMEBUF_SIZE];
    /* NOTE(review): assumes CreateTCPFlagString() writes at most 8
     * characters plus the terminator -- confirm against its definition. */
    char flagString[9];

    /* 16 bytes is enough for a dotted quad plus NUL; the copies are
     * needed because inet_ntoa() reuses one static buffer. */
    strlcpy(src, inet_ntoa(p->iph->ip_src), 16);
    strlcpy(dst, inet_ntoa(p->iph->ip_dst), 16);
    ts_print((struct timeval *) &p->pkth->ts, timestamp);

    if(p->tcph)
    {
        CreateTCPFlagString(p, flagString);
        fprintf(ps2data.logfile,"%s TCP src: %s dst: %s sport: %u dport: %u "
                "tgts: %u ports: %u flags: %s event_id: %u\n",
                timestamp, src, dst, p->sp, p->dp, ps->target_count,
                ps->port_count, flagString, ps->event_id);
    }
    else if(p->udph)
    {
        fprintf(ps2data.logfile, "%s UDP src: %s dst: %s sport: %u dport: %u "
                "tgts: %u ports: %u event_id: %u\n",
                timestamp, src, dst, p->sp, p->dp, ps->target_count,
                ps->port_count, ps->event_id);
    }
    else if(p->icmph)
    {
        fprintf(ps2data.logfile, "%s ICMP src: %s dst: %s type: %u code: %u "
                "tgts: %u event_id: %u\n",
                timestamp, src, dst, p->icmph->type, p->icmph->code,
                ps->target_count, ps->event_id);
    }

    /* flush per packet so the log is usable while snort is running */
    fflush(ps2data.logfile);
}

/*********************************************************************/
/* This is the main dude. Called by spp_conversation each time a new */
/* session is established.                                           */
/*                                                                   */
/* Per new session: drop packets matching the ignore lists, then     */
/* either register a new scanner (AddPortScanner) or, for a known    */
/* scanner, record the target/port and prune that scanner's target   */
/* tree once ps2data.timeout seconds have passed since its           */
/* initial_time.  Independently, the whole scanner tree is pruned    */
/* once ps2data.timeout seconds have passed since prune_time.        */
/*********************************************************************/
void psWatch(Packet *p)
{
    Portscanner tmp;
    Portscanner *returned;
    ScanTarget tgt;
    ScanTarget *rtgt;

#ifdef DEBUG
    #define IPLEN 256
    char sip[IPLEN];

    strncpy(sip, inet_ntoa(p->iph->ip_src), IPLEN);
    /* NOTE(review): this format string has five conversions but only four
     * arguments (the "%p" has none), and the source address is paired with
     * p->dp while the destination is paired with p->sp.  Debug builds only,
     * but the missing argument is undefined behaviour. */
    DebugMessage(DEBUG_PORTSCAN2,"In PsWatch... %s:%d->%s:%d state: %p\n", sip, p->dp, inet_ntoa(p->iph->ip_dst), p->sp);
    #undef IPLEN
#endif

    /* check to see if this guy is on the ignored list, if so bail */
    if(IsIgnored(p))
    {
        DEBUG_WRAP(DebugMessage(DEBUG_PORTSCAN2,"Matched ignore list.\n"););
        return;
    }

    /* search for this portscanner in the portscan tree */
    tmp.scanner_ip = (u_int32_t)p->iph->ip_src.s_addr;

    DEBUG_WRAP(DebugMessage(DEBUG_PORTSCAN2,"scanner_ip to lookfor: %s\n", inet_ntoa(p->iph->ip_src)););

    returned = (Portscanner *) ubi_sptFind(ps2data.ScannersPtr, (ubi_btItemPtr)&tmp);

    if(returned == NULL) /* we have a new potential scanner */
    {
        /* (the trailing "returned" argument has no matching conversion) */
        DEBUG_WRAP(DebugMessage(DEBUG_PORTSCAN2, "Portscanner not found. Allocating\n", returned););
        AddPortScanner(p);
    }
    /* session already logged, get out */
    else
    {
        DEBUG_WRAP(DebugMessage(DEBUG_PORTSCAN2, "Found portscanner: %p, returned->scanner_ip: %s\n",
                                returned, inet_ntoa(*(struct in_addr *) &returned->scanner_ip)););

        /* Portscanner found, new session, update target/port */
        returned->last_time.tv_sec = p->pkth->ts.tv_sec;

        tgt.target_ip = (u_int32_t)p->iph->ip_dst.s_addr;

        /* check to see if target has been hit before */
        rtgt = (ScanTarget *) ubi_sptFind((ubi_trRootPtr)returned->targetRootPtr, (ubi_btItemPtr)&tgt);

        if(rtgt == NULL) /* no such target in target tree, add him */
        {
            /* AddTarget calls AddTargetPort, so no need to call here */
            AddTarget(returned, p);

            /* if((returned->targetsExceeded == FALSE) && */
            /* (returned->portsExceeded == FALSE)) */
            /* { */
            /* addPacketStats(returned, p); */
            /* } */
        }
        else /* target found in target tree */
        {
            /* hasn't hit this port before */
            if(!portIsSet(rtgt->plist, p->dp))
            {
                /* update the port list for the target */
                AddTargetPort(rtgt, p->dp, p);

                /* if ((returned->targetsExceeded == FALSE) && */
                /* (returned->portsExceeded == FALSE)) */
                /* { */
                /* addPacketStats(returned, p); */
                /* } */
            }

            /* the per-scanner window is measured from initial_time, which is
             * reset here after each prune */
            if(p->pkth->ts.tv_sec >= (returned->initial_time.tv_sec + ps2data.timeout))
            {
                DEBUG_WRAP(DebugMessage(DEBUG_PORTSCAN2, "Pruning out targets %p due to timeout\n", returned););

                /* Prune out old sessions... we work on a sliding window ya know */
                PruneTargets(returned, p->pkth->ts.tv_sec, 0);
                returned->initial_time.tv_sec = p->pkth->ts.tv_sec;
            }
        }
    }

    /* global scanner-tree prune, at most once per ps2data.timeout seconds */
    if(p->pkth->ts.tv_sec >= (ps2data.prune_time.tv_sec + ps2data.timeout))
    {
        DEBUG_WRAP(DebugMessage(DEBUG_PORTSCAN2, "Pruning out scanners due to timeout\n"););

        /* Cull any expired sessions out */
        PrunePortscanners(p->pkth->ts.tv_sec, 0, NULL);
        ps2data.prune_time.tv_sec = p->pkth->ts.tv_sec;
    }

    DEBUG_WRAP(DebugMessage(DEBUG_PORTSCAN2, "leaving pswatch: Scanner count: %u\n", ubi_trCount(ps2data.ScannersPtr)););
}

/*
 * Registers the portscan2 configuration keywords with the preprocessor
 * framework.  Scan2Init handles "portscan2"; the three ignore keywords
 * are handled by functions defined outside this excerpt.
 */
void SetupScan2(void)
{
    RegisterPreprocessor("portscan2", Scan2Init);
    RegisterPreprocessor("portscan2-ignorehosts", InitIgnoreHosts);
    RegisterPreprocessor("portscan2-ignoreports-from", InitIgnoreFrom);
    RegisterPreprocessor("portscan2-ignoreports-to", InitIgnoreTo);
}

/****************************************************/
/* Called at runtime to set everything up           */
/*                                                  */
/* args - the raw "preprocessor portscan2:" line,   */
/*        handed to ParseScanmungeArgs().           */
/*                                                  */
/* Requires spp_conversation to be initialised      */
/* first (fatal otherwise).  Zeroes ps2data, builds */
/* the scanner tree and the two node pools sized    */
/* from the parsed scanner_count / target_count.    */
/****************************************************/
void Scan2Init(u_char *args)
{
    struct timeval tv;
    struct timezone tz;

    LogMessage("WARNING: the portscan2 preprocessor will be deprecated in "
               "the next release of snort. Please switch to using SFPortscan.\n");

    memset(&ps2data, 0, sizeof(Portscan2Data));

    if(conv_data.isInitialized != 1)
    {
        FatalError("Please activate spp_conversation before"
                   " trying to activate spp_portscan2\n");
    }

    LogMessage ("Portscan2 config:\n");

    ParseScanmungeArgs(args);

    /* NOTE(review): tv/tz are filled here but never read in this function */
    gettimeofday(&tv, &tz);

    ps2data.ScannersPtr = &ps2data.Scanners;

    /* set up the portscanner tree */
    ubi_trInitTree(ps2data.ScannersPtr, psCompareFunc, 0);

    /* set up the node pools */
    if(mempool_init(&ps2data.ScannerPool, ps2data.scanner_count, sizeof(Portscanner)))
    {
        FatalError("ERROR: Can't initialize mempool for Scanners\n");
    }

    if(mempool_init(&ps2data.TargetPool , ps2data.target_count, sizeof(ScanTarget)))
    {
        FatalError("ERROR: Can't initialize mempool for Targets\n");
    }

    ps2data.isInitialized = 1;
    conv_data.watch_scans = 1;
}

/*
 * Returns a ScanTarget's storage to the target pool.  Does NOT unlink
 * it from its tree -- callers must ubi_sptRemove() it first.
 */
static void DeleteTarget(ScanTarget *target)
{
    mempool_free(&ps2data.TargetPool,target->bucket);
}

/*
 * Frees a Portscanner: destroys its target tree (each target returned
 * to the pool via DeleteTarget), unlinks the scanner from the scanner
 * tree, then returns its storage to the scanner pool.  The node is
 * removed from the tree before it is freed, so no dangling link is left.
 *
 * NOTE(review): oldps is assigned and never read.  The DEBUG lines print
 * tv_sec (a time_t) with "%u", which is a format mismatch on platforms
 * where time_t is wider than unsigned int.
 */
static void DeletePortscanner(Portscanner *ps)
{
    Portscanner *oldps;

    /* need to do a walk and delete all the targets */
    DEBUG_WRAP(DebugMessage(DEBUG_PORTSCAN2, "Deleteing portscanner %p\n", ps);
               DebugMessage(DEBUG_PORTSCAN2, "ps->scanner_ip: %X\n", ps->scanner_ip);
               DebugMessage(DEBUG_PORTSCAN2, "ps->initial_time: %u\n", ps->initial_time.tv_sec);
               DebugMessage(DEBUG_PORTSCAN2, "ps->last_time: %u\n", ps->last_time.tv_sec);
               DebugMessage(DEBUG_PORTSCAN2, "ps->targetRootPtr: %p\n", ps->targetRootPtr); );

    (void)ubi_trKillTree(ps->targetRootPtr, DeleteTarget);

    oldps = (Portscanner *) ubi_sptRemove(ps2data.ScannersPtr, (ubi_btNodePtr) ps);

    mempool_free(&ps2data.ScannerPool,ps->bucket);
}

/* look familiar! I thought it did.  hate redebugging this junk */
/*
 * Prunes targets from one scanner's target tree.
 *
 * p      - the scanner whose target tree is walked
 * now    - current packet time (seconds)
 * tokill - 0: time-based walk over the whole tree, returns the number
 *          of targets removed; >0: remove up to tokill leaf nodes
 *          (never the last one) and return 0.
 *
 * In the time-based walk p->port_count and p->target_count are kept in
 * step with each removal.
 *
 * NOTE(review): the walk removes targets for which
 * last_time + timeout > now, i.e. those still INSIDE the timeout window,
 * and keeps the ones past it.  That reads inverted relative to the
 * "pruning stale target" message -- confirm the intended semantics with
 * the callers (psWatch passes tokill == 0).
 *
 * NOTE(review): the tokill > 0 branch calls DeleteTarget() on a node it
 * has not ubi_sptRemove()d, so the tree keeps a link to freed memory,
 * and p->port_count is not adjusted for it.  It also passes the tree's
 * root pointer cast to a node pointer to ubi_btLeafNode(); compare the
 * "->root" form used in PrunePortscanners.
 */
static int PruneTargets(Portscanner *p, u_int32_t now, int tokill)
{
    ScanTarget *idx;
    u_int32_t pruned = 0;

    if(ubi_trCount(p->targetRootPtr) == 0)
    {
        return 0;
    }

    /* Number of things that need to be deleted */
    if(tokill == 0)
    {
        idx = (ScanTarget *) ubi_btFirst((ubi_btNodePtr)p->targetRootPtr);

        if(idx == NULL)
        {
            return 0;
        }

        do
        {
            if((idx->last_time.tv_sec + ps2data.timeout) > now)
            {
                ScanTarget *savidx = idx;

                if(ubi_trCount(p->targetRootPtr) > 1)
                {
                    /* advance before unlinking so the iterator stays valid */
                    idx = (ScanTarget *) ubi_btNext((ubi_btNodePtr)idx);

                    DEBUG_WRAP(DebugMessage(DEBUG_CONVERSATION, "pruning stale target\n"););

                    p->port_count -= savidx->port_count;
                    p->target_count--;

                    savidx = (ScanTarget *)ubi_sptRemove(p->targetRootPtr, (ubi_btNodePtr) savidx);
                    DeleteTarget(savidx);
                    pruned++;
                }
                else
                {
                    /* last node in the tree: remove it and stop */
                    p->port_count -= savidx->port_count;
                    p->target_count--;

                    savidx = (ScanTarget *)ubi_sptRemove(p->targetRootPtr, (ubi_btNodePtr) savidx);
                    DeleteTarget(savidx);
                    pruned++;

                    return pruned;
                }
            }
            else
            {
                if(idx != NULL && ubi_trCount(p->targetRootPtr))
                {
                    idx = (ScanTarget *) ubi_btNext((ubi_btNodePtr)idx);
                }
                else
                {
                    return pruned;
                }
            }
        } while(idx != NULL);

        return pruned;
    }
    else
    {
        while(tokill-- && ubi_trCount(p->targetRootPtr) > 1)
        {
            idx = (ScanTarget *) ubi_btLeafNode((ubi_btNodePtr)p->targetRootPtr);
            p->target_count--;
            DeleteTarget(idx);
        }

        return 0;
    }

    return 0;
}

/*
 * Prunes scanners from the global scanner tree.
 *
 * now    - current packet time (seconds)
 * tokill - 0: time-based walk, returns the number removed;
 *          >0: remove up to tokill leaf nodes (never the last one),
 *          returns 0.
 * saveme - scanner to skip during the walk (may be NULL)
 *
 * Does nothing when the tree holds one scanner or fewer.  Removal goes
 * through DeletePortscanner(), which unlinks the node itself.
 *
 * NOTE(review): same condition as PruneTargets -- scanners with
 * last_time + timeout > now (still inside the window) are the ones
 * removed.  Confirm this is intended.
 */
static int PrunePortscanners(u_int32_t now, int tokill, Portscanner *saveme)
{
    Portscanner *idx;
    u_int32_t pruned = 0;

    DEBUG_WRAP(DebugMessage(DEBUG_CONVERSATION, "Pruneport scanners called now: "
                            " %u tokill: %d: saveme: %p, count: %u\n",
                            now, tokill, saveme, ubi_trCount(ps2data.ScannersPtr)););

    if(ubi_trCount(ps2data.ScannersPtr) <= 1)
    {
        DEBUG_WRAP(DebugMessage(DEBUG_CONVERSATION, "1 or less to prune. returning\n"););
        return 0;
    }

    /* Number of things that need to be deleted */
    if(tokill == 0)
    {
        idx = (Portscanner *) ubi_btFirst((ubi_btNodePtr)ps2data.ScannersPtr->root);

        if(idx == NULL)
        {
            return 0;
        }

        do
        {
            /* "continue" here jumps to the while() test below */
            if(idx == saveme)
            {
                idx = (Portscanner *) ubi_btNext((ubi_btNodePtr)idx);
                continue;
            }

            if((idx->last_time.tv_sec+ps2data.timeout) > now)
            {
                Portscanner *savidx = idx;

                if(ubi_trCount(ps2data.ScannersPtr) > 1)
                {
                    /* advance before the node is unlinked and freed */
                    idx = (Portscanner *) ubi_btNext((ubi_btNodePtr)idx);

                    DEBUG_WRAP(DebugMessage(DEBUG_CONVERSATION, "pruning stale portscanner\n"););

                    DeletePortscanner(savidx);
                    pruned++;
                }
                else
                {
                    DeletePortscanner(savidx);
                    pruned++;

                    return pruned;
                }
            }
            else
            {
                if(idx != NULL && ubi_trCount(ps2data.ScannersPtr))
                {
                    idx = (Portscanner *) ubi_btNext((ubi_btNodePtr)idx);
                }
                else
                {
                    return pruned;
                }
            }
        } while(idx != NULL);

        return pruned;
    }
    else
    {
        while(tokill-- && ubi_trCount(ps2data.ScannersPtr) > 1)
        {
            idx = (Portscanner *) ubi_btLeafNode((ubi_btNodePtr)ps2data.ScannersPtr);
            DeletePortscanner(idx);
        }

        return 0;
    }

    return 0;
}