alertFile.Flush();
alertFile.Close();
}
}
//int count=0;
return;
}
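// Scratch-buffer size strtohex() works with: it zero-fills 1000 bytes of its
// result buffer, so anything smaller would be overrun.
static const int PATTERN_BUF_SIZE = 1000;

// Test one content rule against the packet payload without modifying it.
//   rule       - the content rule (offset/depth/distance/nocase and the pattern text)
//   payload    - packet bytes; left untouched even for nocase rules
//   payloadLen - number of valid bytes in payload
//   pattern    - caller-owned scratch buffer of PATTERN_BUF_SIZE bytes
// Returns true when the rule's pattern occurs inside its search window.
static bool matchContent(const ContentRule & rule, char * payload, int payloadLen, char * pattern)
{
    const long offset   = rule.offset;
    const long depth    = rule.depth;
    const long distance = rule.distance;

    // Same rejection tests as before, plus negative values: the loader fills these
    // fields with atol(), so a bad rule file can hand us e.g. offset=-5, which
    // would otherwise move the search start in front of the buffer.
    if (offset < 0 || depth < 0 || distance < 0) return false;
    if (offset > payloadLen || depth > payloadLen || distance > payloadLen) return false;
    const long avail = payloadLen - distance;      // bytes the rule is allowed to inspect
    if (offset > avail) return false;

    // Convert the rule's "|xx xx|" or plain-text pattern into raw bytes. A
    // malformed pattern used to leave patternLen uninitialised; treat it as no match.
    int patternLen = 0;
    if (strtohex(rule.payload, pattern, &patternLen) == NULL) return false;

    // Search window: `depth` bytes when set and it fits inside avail, else all of avail.
    long window = (depth != 0 && depth <= avail) ? depth : avail;
    // The window starts at payload+offset, so it must not run past the buffer end
    // (the old code could read up to `offset` bytes beyond the payload here).
    if (window > payloadLen - offset) window = payloadLen - offset;

    char * haystack = payload + offset;
    char * lowered = NULL;
    if (rule.nocase)
    {
        // Fold case on a private copy of the window. The old code lowercased the
        // packet buffer in place, so every later case-sensitive rule (and every
        // later check of the same packet) saw altered bytes.
        memlowcase(pattern, patternLen);
        lowered = new char[window > 0 ? window : 1];
        memcpy(lowered, haystack, (size_t)window);
        memlowcase(lowered, (int)window);
        haystack = lowered;
    }

    const bool found = memmem(haystack, pattern, (unsigned int)window, (unsigned int)patternLen) != NULL;
    delete [] lowered;                             // delete[] on NULL is a no-op
    return found;
}

// Check every content rule of one signature against a packet payload.
//   content    - array of up to 100 content rules; the first entry with
//                flag==false ends the list
//   payload    - packet bytes (not modified)
//   payloadLen - number of valid bytes in payload
// Returns true only if every active content rule matches.
bool checkpayload(ContentRule * content, char * payload, int payloadLen)
{
    // One scratch buffer for all rules instead of one new[] per rule that was
    // then released with free(): new[] must be paired with delete[].
    char * pattern = new char[PATTERN_BUF_SIZE];
    bool allMatched = true;
    for (int i = 0; i < 100; i++)
    {
        if (!content[i].flag) break;               // end of the active content rules
        if (!matchContent(content[i], payload, payloadLen, pattern))
        {
            allMatched = false;
            break;
        }
    }
    delete [] pattern;
    return allMatched;
}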
// Find the first occurrence of the byte string dest[0..destLen) inside
// source[0..sourceLen). Embedded NUL bytes are compared like any other byte.
//   source, sourceLen - haystack and its length in bytes
//   dest, destLen     - needle and its length in bytes
// Returns a pointer to the match inside source, or NULL when there is none.
// An empty needle matches at source itself.
char * memmem(char * source, char * dest, unsigned int sourceLen, unsigned int destLen)
{
    if (sourceLen < destLen) return NULL;          // needle longer than haystack
    const unsigned int lastStart = sourceLen - destLen;
    for (unsigned int pos = 0; pos <= lastStart; pos++)
    {
        if (memcmp(source + pos, dest, destLen) == 0) return source + pos;
    }
    return NULL;
}
// Lower-case the ASCII letters 'A'..'Z' in the first len bytes of str, in place.
// Every other byte (digits, punctuation, bytes >= 0x80) is left untouched.
//   str - buffer to modify
//   len - number of bytes to process
// Returns str, or NULL when str is NULL or len <= 0 (nothing is modified then).
char * memlowcase(char * str, int len)
{
    if (str == NULL || len <= 0) return NULL;
    char * const end = str + len;
    for (char * p = str; p != end; ++p)
    {
        if (*p >= 'A' && *p <= 'Z') *p += 'a' - 'A';
    }
    return str;
}
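// Load the detection rules from "rule.xml" (in the working directory) into `rules`.
//   rules - caller-provided array; each <rule> element found fills the next slot
//           and is marked activity=true. Every slot is reset to -1/false defaults
//           before parsing, so omitted elements stay unset.
// NOTE(review): no capacity is passed for `rules`, so a rule.xml with more
// <rule> elements than the caller allocated would overflow the array -- confirm
// the caller's array size against the number of rules in the file.
void loadrule(rule * rules)
{
    CFile xmlFile;
    CString filePath;
    CString csText;
    filePath = "rule.xml";
    if (!xmlFile.Open(filePath, CFile::modeRead))
    {
        cout << "file open error;" << endl;
        return;
    }
    int fileLen = xmlFile.GetLength();
    unsigned char * pBuffer = new unsigned char[fileLen + 2];
    fileLen = xmlFile.Read(pBuffer, fileLen);      // read the whole file into memory
    xmlFile.Close();
    pBuffer[fileLen] = '\0';
    pBuffer[fileLen + 1] = '\0';                   // second NUL in case of 2-byte encoding
    if (pBuffer[0] == 0xff && pBuffer[1] == 0xfe)
    {
        // Byte order mark FF FE: assume wide-char content.
        // non _UNICODE builds should perform UCS-2 (wide char) to UTF-8 conversion here
        csText = (LPCWSTR)(&pBuffer[2]);
    }
    else
    {
        // _UNICODE builds should perform UTF-8 to UCS-2 (wide char) conversion here
        csText = (LPCSTR)pBuffer;
    }
    delete [] pBuffer;
    // If the string is far shorter than the file, the conversion stopped at an
    // embedded NUL: the file is probably binary rather than text.
    if (csText.GetLength() < fileLen / 2 - 20)
    {
        cout << "error converting file to string may contain binary data" << endl;
        return;
    }
    CMarkup xml;                                   // CMarkup drives the XML walk
    xml.SetDoc(csText);
    if (!(xml.IsWellFormed()))
    {
        cout << "rule.xml is not wellformed" << endl;
        return;
    }
    if (!(xml.FindElem("rules")))
    {
        cout << "rules element not found,maybe rules element are not wellformed" << endl;
        return;
    }
    xml.IntoElem();
    int count = 0;
    while (xml.FindElem("rule"))
    {
        // Reset the slot first: a <rule> may omit any element, and a rule that is
        // skipped below leaves its slot to be reused by the next one.
        rule & r = rules[count];
        r.proto = -1;
        r.sourceIP = -1;
        r.srcmask = -1;
        r.dstIP = -1;
        r.dstmask = -1;
        r.direction = false;
        r.sourcePort = -1;
        r.dstPort = -1;
        r.ttl = -1;
        r.tos = -1;
        r.identity = -1;
        r.dsize = -1;
        r.flags = -1;
        r.seq = -1;
        r.ack = -1;
        r.window = -1;
        r.activity = false;
        for (int i = 0; i < 100; i++)
        {
            r.content[i].offset = 0;
            r.content[i].depth = 0;
            r.content[i].distance = 0;
            r.content[i].nocase = false;
            r.content[i].flag = false;
        }
        xml.IntoElem();
        // <proto> is mandatory: a rule without a value is skipped entirely.
        CString proto;
        if (xml.FindElem("proto") == true) proto = xml.GetData();
        if (proto == "")
        {
            xml.OutOfElem();
            continue;
        }
        // IP protocol numbers: 6 = TCP, 17 = UDP, 1 = ICMP; 0 is used for plain "ip".
        if (proto == "tcp") r.proto = 6;
        if (proto == "udp") r.proto = 17;
        if (proto == "ip") r.proto = 0;
        if (proto == "icmp") r.proto = 1;
        // Address fields: "", "any" or an unparsable address become -1 (wildcard).
        if (xml.FindElem("srcip") == true)
        {
            CString srcip = xml.GetData();
            if (srcip == "" || srcip == "any") r.sourceIP = -1;
            else
            {
                unsigned long a = inet_addr(srcip.GetBuffer(srcip.GetLength()));
                if (a == INADDR_NONE) r.sourceIP = -1;
                else r.sourceIP = a;
            }
        }
        if (xml.FindElem("srcmask") == true)
        {
            CString srcmask = xml.GetData();
            if (srcmask == "") r.srcmask = -1;
            else
            {
                unsigned long a = inet_addr(srcmask.GetBuffer(srcmask.GetLength()));
                if (a == INADDR_NONE) r.srcmask = -1;
                else r.srcmask = a;
            }
        }
        if (xml.FindElem("dstip") == true)
        {
            CString dstip = xml.GetData();
            if (dstip == "" || dstip == "any") r.dstIP = -1;
            else
            {
                unsigned long a = inet_addr(dstip.GetBuffer(dstip.GetLength()));
                if (a == INADDR_NONE) r.dstIP = -1;
                else r.dstIP = a;
            }
        }
        if (xml.FindElem("dstmask") == true)
        {
            CString dstmask = xml.GetData();
            if (dstmask == "") r.dstmask = -1;
            else
            {
                unsigned long a = inet_addr(dstmask.GetBuffer(dstmask.GetLength()));
                if (a == INADDR_NONE) r.dstmask = -1;
                else r.dstmask = a;
            }
        }
        // Numeric fields: empty (or "any" for ports) stays -1, otherwise atoi/atol
        // (which silently yield 0 for non-numeric text).
        if (xml.FindElem("srcport") == true)
        {
            CString srcport = xml.GetData();
            if (srcport == "" || srcport == "any") r.sourcePort = -1;
            else r.sourcePort = atoi(srcport);
        }
        if (xml.FindElem("dstport") == true)
        {
            CString dstport = xml.GetData();
            if (dstport == "" || dstport == "any") r.dstPort = -1;
            else r.dstPort = atoi(dstport);
        }
        if (xml.FindElem("direction") == true)
        {
            CString direction = xml.GetData();
            if (direction == "" || direction == "single") r.direction = false;
            else if (direction == "double") r.direction = true;
        }
        if (xml.FindElem("ttl") == true)
        {
            CString ttl = xml.GetData();
            if (ttl == "") r.ttl = -1;
            else r.ttl = atoi(ttl);
        }
        if (xml.FindElem("tos") == true)
        {
            CString tos = xml.GetData();
            if (tos == "") r.tos = -1;
            else r.tos = atoi(tos);
        }
        if (xml.FindElem("identity") == true)
        {
            CString identity = xml.GetData();
            if (identity == "") r.identity = -1;
            else r.identity = atoi(identity);
        }
        if (xml.FindElem("dsize") == true)
        {
            CString dsize = xml.GetData();
            if (dsize == "") r.dsize = -1;
            else r.dsize = atoi(dsize);
        }
        if (xml.FindElem("flags") == true)
        {
            CString flags = xml.GetData();
            if (flags == "") r.flags = -1;
            else r.flags = atoi(flags);
        }
        if (xml.FindElem("seq") == true)
        {
            CString seq = xml.GetData();
            if (seq == "") r.seq = -1;
            else r.seq = atol(seq);
        }
        if (xml.FindElem("ack") == true)
        {
            CString ack = xml.GetData();
            if (ack == "") r.ack = -1;
            else r.ack = atol(ack);
        }
        if (xml.FindElem("window") == true)
        {
            CString window = xml.GetData();
            if (window == "") r.window = -1;
            else r.window = atol(window);
        }
        int count1 = 0;
        // r.content holds exactly 100 entries (see the reset loop above); any
        // further <content> elements are ignored instead of being written past
        // the end of the array as the old loop did.
        while (count1 < 100 && xml.FindElem("content") == true)
        {
            xml.IntoElem();
            CString payload;
            if (xml.FindElem("payload") == true) payload = xml.GetData();
            if (payload == "")
            {
                xml.OutOfElem();                   // no usable pattern: skip this <content>
                continue;
            }
            r.content[count1].payload = payload;
            r.content[count1].flag = true;
            // The option elements may appear in any order, so rewind before each lookup.
            xml.ResetMainPos();
            if (xml.FindElem("depth") == true)
            {
                CString depth = xml.GetData();
                if (depth != "") r.content[count1].depth = atol(depth);
                xml.ResetMainPos();
            }
            if (xml.FindElem("offset") == true)
            {
                CString offset = xml.GetData();
                if (offset != "") r.content[count1].offset = atol(offset);
                xml.ResetMainPos();
            }
            if (xml.FindElem("distance") == true)
            {
                CString distance = xml.GetData();
                if (distance != "") r.content[count1].distance = atol(distance);
                xml.ResetMainPos();
            }
            if (xml.FindElem("nocase") == true)
            {
                CString nocase = xml.GetData();
                if (nocase == "true") r.content[count1].nocase = true;
                xml.ResetMainPos();
            }
            count1++;
            xml.OutOfElem();
        }
        if (xml.FindElem("msg") == true)
        {
            CString msg = xml.GetData();
            r.msg = msg;
        }
        r.activity = true;
        count++;
        xml.OutOfElem();
    }
    cout << count << "rules loaded......" << endl;
}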
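// Turn a rule pattern into raw bytes.
//   str    - the pattern text. "|41 42 43|" (hex bytes between bars, separated
//            by spaces or bars) is decoded; anything else is used verbatim.
//   result - caller-owned output buffer of at least 1000 bytes (this function
//            zero-fills 1000 bytes of it in the hex case)
//   len    - receives the number of valid bytes in result; set to 0 on failure
// Returns result on success, NULL when the text does not fit in the buffer or a
// hex token is not a byte value (the old code accepted "zz" as 0x00 and leaked
// its scratch buffer on that path).
char * strtohex(CString str, char * result, int * len)
{
    const int n = str.GetLength();
    *len = 0;
    // The old strcpy had no bound; a pattern of 1000+ characters overran result.
    if (n >= 1000) return NULL;
    strcpy(result, str.GetBuffer(n));
    if (n < 3 || result[0] != '|' || result[n - 1] != '|')
    {
        *len = n;                                  // plain-text pattern: bytes as written
        return result;
    }
    // "|xx xx ...|" form: tokenize the part after the first bar.
    char * temp = new char[1000];
    strcpy(temp, result + 1);
    memset(result, 0, 1000);
    const char * seps = " |";
    int i = 0;
    for (char * p = strtok(temp, seps); p != NULL; p = strtok(NULL, seps))
    {
        char * end = NULL;
        const long hex = strtol(p, &end, 16);
        // Reject tokens that are not entirely hex or do not fit in one byte.
        if (end == p || *end != '\0' || hex > 255 || hex < 0)
        {
            delete [] temp;
            return NULL;
        }
        result[i++] = (char)hex;
    }
    delete [] temp;
    *len = i;
    return result;
}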
// Format a network-order IPv4 address as dotted-quad text, low byte first.
//   strip - caller-owned buffer; the longest result is "255.255.255.255",
//           so it needs at least 16 bytes (the size is not checked for the caller)
//   ip    - the address as stored by inet_addr()
// Returns strip.
char * ipconv(char * strip, unsigned int ip)
{
    const int b0 = (int)(ip & 0xFFu);
    const int b1 = (int)((ip >> 8) & 0xFFu);
    const int b2 = (int)((ip >> 16) & 0xFFu);
    const int b3 = (int)(ip >> 24);
    snprintf(strip, 16, "%d.%d.%d.%d", b0, b1, b2, b3);
    return strip;
}
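// Return the local host's IPv4 address in network byte order (inet_addr form).
// Every address returned for the host name is printed; the last one wins.
// Returns 0 when the host name cannot be read (note that 0 is also INADDR_ANY,
// so callers cannot tell this failure from a 0.0.0.0 address), or INADDR_NONE
// when no address was found.
unsigned long GetLocalIP()
{
    char szLocalIP[20] = {0};                      // "255.255.255.255" + NUL fits
    char szHostName[128 + 1] = "\0";
    if (gethostname(szHostName, 128) != 0)
    {
        cout << "error" << endl;
        return 0;
    }
    hostent * phe = gethostbyname(szHostName);
    // assumes every h_addr_list entry is a 4-byte IPv4 address (gethostbyname
    // returns AF_INET entries) -- confirm if this ever runs on a dual-stack host
    for (int i = 0; phe != NULL && phe->h_addr_list[i] != NULL; i++)
    {
        const UCHAR * addr = (const UCHAR *)phe->h_addr_list[i];
        sprintf(szLocalIP, "%d.%d.%d.%d",
                (UINT)addr[0], (UINT)addr[1], (UINT)addr[2], (UINT)addr[3]);
        // The old code passed szLocalIP as printf's format string; print it as data.
        printf("%s", szLocalIP);
    }
    return inet_addr(szLocalIP);
}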