📄 psa-chapter10.txt
# case #1 & #2 from above: is this either exact or substring match?
return if (index($_,$dn) > -1);
# check case #3 from above, i.e. is the stored domain data
# a substring of the domain name we are checking?
if (index($dn,$_) > -1){
$_ = $dn; # swap current & stored values
return;
}
}
# otherwise, this is a new domain, add it to the list
push @{$userinfo{$user}}, $dn;
}
# Report every user whose list of distinct login domains is longer than the
# threshold, one domain per line, in sorted order.
# NOTE(review): $#array is the last index (element count minus one), so a user
# is listed only once they have more than $maxdomains + 1 stored domains.
# Confirm whether $maxdomains is meant as a count or as a last index.
foreach my $user (sort keys %userinfo) {
    my @domains = @{ $userinfo{$user} };
    next unless $#domains > $maxdomains;
    print "\n\n$user has logged in from:\n", join("\n", sort @domains);
}
print "\n";
-------
#*
#* query the number of interfaces on a particular device using SNMP
#*
use Net::SNMP;
# requires a host name and a community string as its arguments
#
# NOTE(review): the community string arrives on the command line, so it can be
# seen in the process list and shell history, and community-based SNMP sends
# it unencrypted on the wire. Use a read-only community limited by ACL on the
# device, or SNMPv3 where the device supports it.

# iso.org.dod.internet.mgmt.mib-2.interfaces.ifNumber.0
my $ifnumber_oid = "1.3.6.1.2.1.2.1.0";

my ($session, $error) = Net::SNMP->session(
    Hostname  => $ARGV[0],
    Community => $ARGV[1],
);
die "session error: $error" unless $session;

# a single GET for the scalar; undef signals a failed request
my $result = $session->get_request($ifnumber_oid);
if (!defined $result) {
    die "request error: " . $session->error;
}
$session->close;

# the response is a hash reference keyed by the OID that was requested
print "Number of interfaces: ", $result->{$ifnumber_oid}, "\n";
-------
#*
#* print out the ARP table of a device using SNMP
#*
use SNMP;
# requires a host name and a community string as its arguments
#
# NOTE(review): the community string is read from the command line (visible in
# the process list) and community-based SNMP carries it unencrypted; prefer a
# read-only, ACL-restricted community or SNMPv3 where available.
my $session = SNMP::Session->new(
    DestHost       => $ARGV[0],
    Community      => $ARGV[1],
    UseSprintValue => 1,
);
die "session creation error: $SNMP::Session::ErrorStr"
    unless defined $session;

# varbind list naming the two columns requested together by each getnext
my $vars = SNMP::VarList->new(
    ['ipNetToMediaNetAddress'],
    ['ipNetToMediaPhysAddress'],
);

# first row; a failure here is fatal
my ($ip, $mac) = $session->getnext($vars);
die $session->{ErrorStr} if $session->{ErrorStr};

# keep going until an error occurs or getnext returns a variable whose tag is
# no longer the first requested column
until ($session->{ErrorStr}
       or $vars->[0]->tag ne "ipNetToMediaNetAddress") {
    print "$ip -> $mac\n";
    ($ip, $mac) = $session->getnext($vars);
}
-------
#*
#* show the port to ethernet address mapping on a Cisco Catalyst 5x00 switch
#*
use SNMP;
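# These are the extra MIB module files we need, found in the same
# directory as this script.
# NOTE(review): the names are relative, so they are presumably resolved
# against the current working directory -- run the script from the directory
# that holds the MIB files you trust.
$ENV{'MIBFILES'} =
    "CISCO-SMI.my:FDDI-SMT73-MIB.my:CISCO-STACK-MIB.my:BRIDGE-MIB.my";

# NOTE(review): the community string comes from the command line and, with
# community string indexing below, is sent as "community@vlan" in every
# request; community-based SNMP does not encrypt it. Use a read-only,
# ACL-restricted community.

# Connect and get the list of VLANs on this switch
my $session = SNMP::Session->new(
    DestHost  => $ARGV[0],
    Community => $ARGV[1],
);
die "session creation error: $SNMP::Session::ErrorStr"
    unless defined $session;

# enterprises.cisco.workgroup.ciscoStackMIB.vlanGrp.vlanTable.vlanEntry
# in CISCO-STACK-MIB
my $vars = SNMP::VarList->new(['vlanIndex']);
my @vlans;
my $vlan_index = $session->getnext($vars);
die $session->{ErrorStr} if $session->{ErrorStr};

while (!$session->{ErrorStr} and $vars->[0]->tag eq "vlanIndex") {
    # VLANS 1000 and over are not "real" ON A CISCO CATALYST 5XXX
    # (this limit is likely to be different on different switches)
    push @vlans, $vlan_index if $vlan_index < 1000;
    $vlan_index = $session->getnext($vars);
}

# undef is a unary operator: "undef $a, $b" clears only $a, so each
# variable is released with its own statement
undef $session;
undef $vars;

# for each VLAN, query for the bridge port, the interface number
# associated with that port, and then the interface name for that
# port number
foreach my $vlan (@vlans) {
    # lookup caches, declared inside the loop so that they really are
    # emptied for every VLAN
    my (%ifnum, %portname);

    # note our use of "community string indexing" as part
    # of the session setup
    my $session = SNMP::Session->new(
        DestHost       => $ARGV[0],
        Community      => $ARGV[1] . "@" . $vlan,
        UseSprintValue => 1,
    );
    die "session creation error: $SNMP::Session::ErrorStr"
        unless defined $session;

    # from transparent forwarding port table at
    # dot1dBridge.dot1dTp.dot1dTpFdbTable.dot1dTpFdbEntry
    # in RFC1493 BRIDGE-MIB
    my $vars = SNMP::VarList->new(['dot1dTpFdbAddress'], ['dot1dTpFdbPort']);
    my ($macaddr, $portnum) = $session->getnext($vars);
    die $session->{ErrorStr} if $session->{ErrorStr};

    while (!$session->{ErrorStr}
           and $vars->[0]->tag eq "dot1dTpFdbAddress") {

        # dot1dBridge.dot1dBase.dot1dBasePortTable.dot1dBasePortEntry
        # in RFC1493 BRIDGE-MIB
        $ifnum{$portnum} = $session->get("dot1dBasePortIfIndex.$portnum")
            unless exists $ifnum{$portnum};
        my $ifnum = $ifnum{$portnum};

        # from ifMIB.ifMIBObjects.ifXTable.ifXEntry in RFC1573 IF-MIB
        $portname{$ifnum} = $session->get("ifName.$ifnum")
            unless exists $portname{$ifnum};
        my $portname = $portname{$ifnum};

        print "$macaddr on VLAN $vlan at $portname\n";
        ($macaddr, $portnum) = $session->getnext($vars);
    }
}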
-------
#*
#* using external program to watch for SYN packets and ping back
#*
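my $clogex   = "/usr/local/bin/clog";        # location/switches for clog
my $fpingex  = "/usr/local/bin/fping -r1";   # location/switches for fping
my $localnet = "192.168.1";                  # local network prefix

# Both commands are run as argument lists, so no shell ever parses text that
# came off the network.
my @clog_cmd  = split ' ', $clogex;
my @fping_cmd = split ' ', $fpingex;

# Compare against the prefix with a trailing dot: a plain /^$localnet/ treats
# the dots as wildcards and also matches 192.168.10.x, 192.168.100.x, ...
(my $local_prefix = $localnet) =~ s/\.?\z/./;

# hosts already pinged during this run
# NOTE(review): source addresses of SYN packets can be forged, so this cache
# gains one entry per distinct address seen, and the ping traffic can be
# pointed at hosts that never contacted us. Consider rate limiting.
my %cache;

open(my $clog, '-|', @clog_cmd) or die "Unable to run clog:$!\n";
while (my $line = <$clog>) {
    chomp $line;

    # clog prints one connection per line, fields separated by '|'
    my ($date, $orighost, $origport, $desthost, $destport) =
        split /\|/, $line;
    next unless defined $orighost and length $orighost;

    next if index($orighost, $local_prefix) == 0;   # one of ours
    next if exists $cache{$orighost};               # already handled
    $cache{$orighost} = 1;

    # The host field is external data: accept only address/host-name
    # characters, and never a leading '-' that fping would read as an option.
    next unless $orighost =~ /\A[A-Za-z0-9][A-Za-z0-9.:_-]*\z/;

    if (open(my $fping, '-|', @fping_cmd, $orighost)) {
        print while <$fping>;
        close $fping;    # a non-zero fping exit status is not an error here
    }
    else {
        warn "Unable to run fping:$!\n";
    }
}
close $clog;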
-------
#*
#* network sniffing using Net::Pcap (prints the packet length of all SYNs)
#*
use Net::Pcap;
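# NOTE(review): opening a live capture normally needs root or an equivalent
# capture privilege; run this with the least privilege that still works.
my ($err, $netnum, $netmask, $compprog);

# find the sniffable network device
my $dev = Net::Pcap::lookupdev(\$err);
die "can't find suitable device: $err\n" unless $dev;

# figure out the network number and mask of that device
# (as with the other Net::Pcap calls below, a true return means failure)
die "can't figure out net info for dev:$err\n"
    if Net::Pcap::lookupnet($dev, \$netnum, \$netmask, \$err);

# open that interface for live capture:
# snapshot length 100 bytes, promiscuous mode on, 1000 ms read timeout
my $descript = Net::Pcap::open_live($dev, 100, 1, 1000, \$err);
die "can't obtain pcap descriptor:$err\n" unless $descript;

# byte 13 of the TCP header holds the flags; a value of exactly 2 means
# SYN is the only flag set
my $prog = "tcp[13] = 2";

# compile and set our "filter program"
die "unable to compile $prog\n"
    if Net::Pcap::compile($descript, \$compprog, $prog, 0, $netmask);
die "unable to set filter\n"
    if Net::Pcap::setfilter($descript, $compprog);

# a count of -1 keeps capturing until an error occurs
die "Unable to perform capture:" . Net::Pcap::geterr($descript) . "\n"
    if Net::Pcap::loop($descript, -1, \&printpacketlength, '');

die "Unable to close device nicely\n"
    if Net::Pcap::close($descript);

# Capture callback: print the length of one matching packet.
# Arguments are the user data given to loop(), the packet header hash and the
# captured bytes. The header's "len" field is the packet's real length;
# length($pkt) would never exceed the 100-byte snapshot length set above.
sub printpacketlength {
    my ($user_data, $hdr, $pkt) = @_;
    print $hdr->{len}, "\n";
}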
-------
#*
#* network sniff for SYN packets and ping back (all in Perl)
#*
use Net::PcapUtils;
use NetPacket::Ethernet;
use NetPacket::IP;
use Net::Ping;
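# local network
my $localnet = "192.168.1";

# filter string that looks for SYN-only packets not originating from
# local network
my $prog = "tcp[13] = 2 and src net not $localnet";

$| = 1;    # unbuffer STDIO

# construct the ping object we'll use later
# NOTE(review): ICMP pings and live capture both normally need root or an
# equivalent privilege.
my $p = Net::Ping->new("icmp");

# source addresses that have already been pinged during this run
my %cache;

# and away we go
# The earlier version asked Net::Pcap::geterr() about a descriptor this script
# never creates; report what open_live itself returns instead.
# NOTE(review): Net::PcapUtils is understood to return an error string on
# failure -- confirm against the installed version.
my $capture_err =
    Net::PcapUtils::open_live(\&grab_ip_and_ping, FILTER => $prog);
die "Unable to perform capture:$capture_err\n" if $capture_err;

# find the source IP address of a packet, and ping it (once per run)
#
# NOTE(review): the source address of a SYN can be forged, so the ping can be
# pointed at a host that never contacted us, and %cache gains one entry per
# distinct address for the life of the process. Consider rate limiting and a
# bounded cache before leaving this running on an exposed interface.
sub grab_ip_and_ping {
    my ($arg, $hdr, $pkt) = @_;

    # get the source IP address
    my $src_ip =
        NetPacket::IP->decode(NetPacket::Ethernet::strip($pkt))->{src_ip};

    return if $cache{$src_ip}++;    # already pinged this one

    print "$src_ip is ",
        ($p->ping($src_ip) ? "alive" : "unreachable"), "\n";
}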
-------
#*
#* Cracklib.xs for Cracklib module
#*
# XSUB glue for cracklib: declares a Perl-callable FascistCheck(pw, dictpath)
# whose body calls the C function of the same name and hands back its result.
# The example scripts on this page call it as Cracklib::FascistCheck.
#
# Both parameters are declared char *, so they reach the library as C strings.
# NOTE(review): presumably a password with an embedded NUL byte is checked
# only up to that byte -- confirm against the typemap in use.
# NOTE(review): presumably a NULL result (password accepted) reaches Perl as
# undef, which is what the example scripts test with "defined $result".
PROTOTYPES: ENABLE
char *
FascistCheck(pw,dictpath)
char *pw
char *dictpath
CODE:
# the cast matches the char * return type declared above
RETVAL = (char *)FascistCheck(pw,dictpath);
OUTPUT:
RETVAL
-------
#*
#* change to Makefile.PL for Cracklib module
#*
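'LIBS'     => [''],   # e.g., '-lm'
# The library file at this fixed path is linked into the extension, so it
# should be the cracklib build you intend to trust. The entry needs its
# trailing comma: without it the next key is a syntax error.
'MYEXTLIB' => '/usr/local/lib/libcrack$(LIB_EXT)',   # location of cracklib
'DEFINE'   => '',     # e.g., '-DHAVE_SOMETHING'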
-------
#*
#* example code for using Cracklib
#*
use Cracklib;
use Term::ReadKey; # for reading of password
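# NOTE(review): the test program on this page uses /usr/local/etc/pw_dict;
# make sure both point at the dictionary that is actually installed.
my $dictpath = "/usr/local/etc/cracklib/pw_dict";

print "Please enter a password: ";

# Echo is switched off while the password is typed; restore the terminal on
# every way out, including an interrupt, so the user's tty is not left
# without echo.
local $SIG{INT} = sub { ReadMode(0); print "\n"; exit 1 };
ReadMode(2);                          # turn off echo
my $pw = eval { ReadLine(0) };        # read password
ReadMode(0);                          # return tty to prev state
print "\n";

# ReadLine gives undef at end of input; do not hand that to the checker
die "No password was read.\n" unless defined $pw;
chomp $pw;

# FascistCheck returns a reason string for a rejected password and
# undef for an accepted one
my $result = Cracklib::FascistCheck($pw, $dictpath);
if (defined $result) {
    print "That is not a valid password because $result.\n";
}
else {
    print "That password is peachy, thanks!\n";
}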
-------
#*
#* test program for Cracklib module
#*
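# location of our cracklib dictionary files
# NOTE(review): the example program on this page uses
# /usr/local/etc/cracklib/pw_dict; confirm which path is installed.
my $dictpath = "/usr/local/etc/pw_dict";

# test strings and their known cracklib responses
# (an empty string means the password is expected to be accepted)
my %test = (
    "happy"        => "it is too short",
    "a"            => "it's WAY too short",
    "asdfasdf"     => "it does not contain enough DIFFERENT characters",
    "minicomputer" => "it is based on a dictionary word",
    "1ftm2tgr3fts" => "",
);

# Cycle through all of the keys in our mapping, checking to see if
# cracklib returns the expected response. If it does, print "ok",
# otherwise print "not ok".
#
# The keys are sorted so that a given test number always refers to the same
# password; plain "keys" order changes from run to run.
# NOTE(review): numbering starts at 2, presumably because test 1 is printed
# earlier in the test file -- confirm.
my $testnum = 2;
foreach my $pw (sort keys %test) {
    my ($result) = Cracklib::FascistCheck($pw, $dictpath);
    my $expected = $test{$pw};

    # undef from cracklib means "accepted" and pairs with the empty string
    my $passed = defined $result ? $result eq $expected
                                 : $expected eq "";

    print(($passed ? "ok " : "not ok "), $testnum++, "\n");

    # a '#' line says which case failed without disturbing the ok/not ok lines
    print "# '$pw': expected '$expected', got '",
        (defined $result ? $result : "undef"), "'\n"
        unless $passed;
}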