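}

/*
 * Parse the body of a "scan_type { ... }" option.
 *
 * Continues the strtok() stream that PortscanInit() started and OR-s each
 * recognised type into *scan_types until the closing TOKEN_ARG_END token.
 * "all" replaces the accumulated mask with PS_TYPE_ALL.  An unknown token or
 * a missing closing token is reported through the Fatal* helpers.
 */
static void ParseScanType(int *scan_types)
{
    char *pcTok;

    if (!scan_types)
        return;

    *scan_types = 0;

    for (pcTok = strtok(NULL, DELIMITERS); pcTok; pcTok = strtok(NULL, DELIMITERS))
    {
        if (!strcasecmp(pcTok, "portscan"))
            *scan_types |= PS_TYPE_PORTSCAN;
        else if (!strcasecmp(pcTok, "portsweep"))
            *scan_types |= PS_TYPE_PORTSWEEP;
        else if (!strcasecmp(pcTok, "decoy_portscan"))
            *scan_types |= PS_TYPE_DECOYSCAN;
        else if (!strcasecmp(pcTok, "distributed_portscan"))
            *scan_types |= PS_TYPE_DISTPORTSCAN;
        else if (!strcasecmp(pcTok, "all"))
            *scan_types = PS_TYPE_ALL;   /* "all" overrides, it does not OR */
        else if (!strcasecmp(pcTok, TOKEN_ARG_END))
            return;
        else
            FatalErrorInvalidArg("scan_type");
    }

    /* The loop only exits when the token stream ran dry, i.e. no closing brace. */
    FatalErrorNoEnd("scan_type");
}

/*
 * Parse the body of a "sense_level { ... }" option.
 *
 * The last of "low", "medium" or "high" seen before TOKEN_ARG_END wins.
 * The end token is compared case-insensitively like every other token in
 * this parser (it previously used strcmp(); the token has no letters, so
 * the observable behaviour is unchanged).
 */
static void ParseSenseLevel(int *sense_level)
{
    char *pcTok;

    if (!sense_level)
        return;

    *sense_level = 0;

    for (pcTok = strtok(NULL, DELIMITERS); pcTok; pcTok = strtok(NULL, DELIMITERS))
    {
        if (!strcasecmp(pcTok, "low"))
            *sense_level = PS_SENSE_LOW;
        else if (!strcasecmp(pcTok, "medium"))
            *sense_level = PS_SENSE_MEDIUM;
        else if (!strcasecmp(pcTok, "high"))
            *sense_level = PS_SENSE_HIGH;
        else if (!strcasecmp(pcTok, TOKEN_ARG_END))
            return;
        else
            FatalErrorInvalidArg("sense_level");
    }

    FatalErrorNoEnd("sense_level");
}

/*
 * Parse an ip-list option body (ignore_scanners, ignore_scanned, watch_ip).
 *
 * Everything up to the closing TOKEN_ARG_END is handed to ip4_setparse() as
 * one expression.  On success *ip_list owns a freshly allocated IPSET;
 * `option` is only used to name the option in error messages.
 */
static void ParseIpList(IPSET **ip_list, char *option)
{
    char *pcTok;

    if (!ip_list)
        return;

    /* Note the delimiter here is the end token itself, not DELIMITERS. */
    pcTok = strtok(NULL, TOKEN_ARG_END);
    if (!pcTok)
        FatalErrorInvalidArg(option);

    *ip_list = ipset_new(IPV4_FAMILY);
    if (!*ip_list)
        FatalError("Failed to initialize ip_list in portscan preprocessor.\n");

    if (ip4_setparse(*ip_list, pcTok))
        FatalError("%s(%d) => Invalid ip_list to '%s' option.\n",
                   file_name, file_line, option);
}

/*
 * Parse a "memcap { <bytes> }" option body into *memcap.
 *
 * The value must be a positive decimal integer that fits in an int, with no
 * trailing characters.  strtol() is used rather than atoi(): atoi() returns
 * 0 for garbage (which was then rejected only because 0 <= 0) but silently
 * accepts trailing junk such as "1024abc", and overflows are undefined.
 */
static void ParseMemcap(int *memcap)
{
    char *pcTok;
    char *end;
    long value;

    if (!memcap)
        return;

    *memcap = 0;

    pcTok = strtok(NULL, DELIMITERS);
    if (!pcTok)
        FatalErrorNoEnd("memcap");

    value = strtol(pcTok, &end, 10);
    /* Reject: no digits, trailing junk, non-positive, or out of int range
     * (strtol clamps to LONG_MAX on overflow, which the int round-trip catches). */
    if (end == pcTok || *end != '\0' || value <= 0 || value != (long)(int)value)
        FatalErrorInvalidArg("memcap");
    *memcap = (int)value;

    pcTok = strtok(NULL, DELIMITERS);
    if (!pcTok)
        FatalErrorNoEnd("memcap");
    if (strcmp(pcTok, TOKEN_ARG_END))
        FatalErrorInvalidArg("memcap");
}

/*
 * Log one CIDR block of an ip-list as " [!]ip / mask [: lo[-hi] ...]".
 *
 * Port ranges whose low port is 0 are treated as "any" and not printed.
 */
static void PrintCIDRBLOCK(CIDRBLOCK *p)
{
    char ip_str[80];
    char mask_str[80];
    PORTRANGE *pr;

    ip4_sprintx(ip_str, sizeof(ip_str), &p->ip);
    ip4_sprintx(mask_str, sizeof(mask_str), &p->mask);

    if (p->notflag)
        LogMessage(" !%s / %s", ip_str, mask_str);
    else
        LogMessage(" %s / %s", ip_str, mask_str);

    pr = (PORTRANGE *)sflist_first(&p->portset.port_list);

    /* Only open the port section if the first range is a real one. */
    if (pr && pr->port_lo != 0)
        LogMessage(" : ");

    for ( ; pr != NULL; pr = (PORTRANGE *)sflist_next(&p->portset.port_list))
    {
        if (pr->port_lo == 0)
            continue;

        LogMessage("%d", pr->port_lo);
        if (pr->port_hi != pr->port_lo)
            LogMessage("-%d", pr->port_hi);
        LogMessage(" ");
    }

    LogMessage("\n");
}

/*
 * Log a heading followed by every CIDR block of `set`; a NULL set prints
 * nothing at all (not even the heading).
 */
static void PrintIpSet(const char *heading, IPSET *set)
{
    CIDRBLOCK *p;

    if (!set)
        return;

    LogMessage("%s", heading);
    for (p = (CIDRBLOCK *)sflist_first(&set->cidr_list);
         p;
         p = (CIDRBLOCK *)sflist_next(&set->cidr_list))
    {
        PrintCIDRBLOCK(p);
    }
}

/*
 * Log the effective portscan configuration after parsing.
 *
 * detect_scans / detect_scan_type are bitmasks of PS_PROTO_* / PS_TYPE_*,
 * sense_level one of PS_SENSE_*, the three IPSET pointers may be NULL,
 * and memcap is the configured byte budget.
 */
static void PrintPortscanConf(int detect_scans, int detect_scan_type,
                              int sense_level, IPSET *scanner,
                              IPSET *scanned, IPSET *watch, int memcap)
{
    char buf[STD_BUF + 1];
    int proto_cnt = 0;

    LogMessage("Portscan Detection Config:\n");

    memset(buf, 0, STD_BUF + 1);
    SnortSnprintf(buf, STD_BUF + 1, " Detect Protocols: ");
    if (detect_scans & PS_PROTO_TCP)
    {
        sfsnprintfappend(buf, STD_BUF, "TCP ");
        proto_cnt++;
    }
    if (detect_scans & PS_PROTO_UDP)
    {
        sfsnprintfappend(buf, STD_BUF, "UDP ");
        proto_cnt++;
    }
    if (detect_scans & PS_PROTO_ICMP)
    {
        sfsnprintfappend(buf, STD_BUF, "ICMP ");
        proto_cnt++;
    }
    if (detect_scans & PS_PROTO_IP)
    {
        sfsnprintfappend(buf, STD_BUF, "IP");
        proto_cnt++;
    }
    LogMessage("%s\n", buf);

    memset(buf, 0, STD_BUF + 1);
    SnortSnprintf(buf, STD_BUF + 1, " Detect Scan Type: ");
    if (detect_scan_type & PS_TYPE_PORTSCAN)
        sfsnprintfappend(buf, STD_BUF, "portscan ");
    if (detect_scan_type & PS_TYPE_PORTSWEEP)
        sfsnprintfappend(buf, STD_BUF, "portsweep ");
    if (detect_scan_type & PS_TYPE_DECOYSCAN)
        sfsnprintfappend(buf, STD_BUF, "decoy_portscan ");
    if (detect_scan_type & PS_TYPE_DISTPORTSCAN)
        sfsnprintfappend(buf, STD_BUF, "distributed_portscan");
    LogMessage("%s\n", buf);

    memset(buf, 0, STD_BUF + 1);
    SnortSnprintf(buf, STD_BUF + 1, " Sensitivity Level: ");
    if (sense_level == PS_SENSE_HIGH)
        sfsnprintfappend(buf, STD_BUF, "High/Experimental");
    if (sense_level == PS_SENSE_MEDIUM)
        sfsnprintfappend(buf, STD_BUF, "Medium");
    if (sense_level == PS_SENSE_LOW)
        sfsnprintfappend(buf, STD_BUF, "Low");
    LogMessage("%s\n", buf);

    LogMessage(" Memcap (in bytes): %d\n", memcap);

    /* NOTE(review): the divisor is (sizeof(PS_PROTO) * proto_cnt) - 1 as
     * originally written -- the "- 1" is outside the product; it is kept
     * because ps_init()'s node accounting is not visible here.  The quotient
     * is size_t, so it is cast explicitly instead of being passed to %d. */
    LogMessage(" Number of Nodes: %d\n",
               (int)(memcap / (sizeof(PS_PROTO) * proto_cnt - 1)));

    if (g_logpath[0])
        LogMessage(" Logfile: %s\n", g_logpath);

    PrintIpSet(" Ignore Scanner IP List:\n", scanner);
    PrintIpSet(" Ignore Scanned IP List:\n", scanned);
    PrintIpSet(" Ignore Watch IP List:\n", watch);

    LogMessage("\n");
}

/*
 * Parse a "logfile { <path> }" option body and open the file for append.
 *
 * A path starting with '/' is used as given; anything else is placed under
 * pv.log_dir.  The resulting path is written (bounded) into `logfile` and the
 * opened stream stored in *flog.  Any failure is fatal.
 */
static void ParseLogFile(FILE **flog, u_char *logfile, int logfile_size)
{
    char *pcTok;

    pcTok = strtok(NULL, DELIMITERS);
    if (pcTok == NULL)
    {
        FatalError("%s(%d) => No ending brace to '%s' config option.\n",
                   file_name, file_line, "logfile");
    }

    if (pcTok[0] == '/')
        SnortSnprintf((char *)logfile, logfile_size, "%s", pcTok);
    else
        SnortSnprintf((char *)logfile, logfile_size, "%s/%s", pv.log_dir, pcTok);

    pcTok = strtok(NULL, DELIMITERS);
    if (pcTok == NULL)
    {
        FatalError("%s(%d) => No ending brace to '%s' config option.\n",
                   file_name, file_line, "logfile");
    }
    if (strcmp(pcTok, TOKEN_ARG_END) != 0)
    {
        FatalError("%s(%d) => Invalid argument to '%s' config option.\n",
                   file_name, file_line, "logfile");
    }

    *flog = fopen((const char *)logfile, "a+");
    if (*flog == NULL)
    {
        FatalError("%s(%d) => '%s' could not be opened.\n",
                   file_name, file_line, logfile);
    }
}

/*
 * Consume the TOKEN_ARG_BEGIN that must follow an option keyword in the
 * preprocessor argument string; fatal if it is missing or something else.
 */
static void ExpectArgBegin(const char *option)
{
    char *pcTok = strtok(NULL, DELIMITERS);

    if (!pcTok || strcmp(pcTok, TOKEN_ARG_BEGIN))
        FatalErrorNoOption((u_char *)option);
}

/*
 * Preprocessor entry point called with the "preprocessor sfportscan: ..."
 * argument string.  Parses every option, initialises the detection module
 * and registers the packet, clean-exit and restart callbacks.
 *
 * Defaults when an option is absent: TCP+UDP, all scan types, low
 * sensitivity, no ignore/watch lists, 1 MiB memcap, no logfile.
 */
static void PortscanInit(char *args)
{
    int sense_level = PS_SENSE_LOW;
    int protos = (PS_PROTO_TCP | PS_PROTO_UDP);
    int scan_types = PS_TYPE_ALL;
    int memcap = 1048576;
    IPSET *ignore_scanners = NULL;
    IPSET *ignore_scanned = NULL;
    IPSET *watch_ip = NULL;
    char *pcTok;
    int iRet;

    g_logpath[0] = 0x00;

    if (args)
    {
        /* strtok() state is shared with the Parse* helpers below: each one
         * continues consuming tokens from this same stream. */
        for (pcTok = strtok(args, DELIMITERS); pcTok; pcTok = strtok(NULL, DELIMITERS))
        {
            if (!strcasecmp(pcTok, "proto"))
            {
                ExpectArgBegin("proto");
                ParseProtos(&protos);
            }
            else if (!strcasecmp(pcTok, "scan_type"))
            {
                ExpectArgBegin("scan_type");
                ParseScanType(&scan_types);
            }
            else if (!strcasecmp(pcTok, "sense_level"))
            {
                ExpectArgBegin("sense_level");
                ParseSenseLevel(&sense_level);
            }
            else if (!strcasecmp(pcTok, "ignore_scanners"))
            {
                ExpectArgBegin("ignore_scanners");
                ParseIpList(&ignore_scanners, "ignore_scanners");
            }
            else if (!strcasecmp(pcTok, "ignore_scanned"))
            {
                ExpectArgBegin("ignore_scanned");
                ParseIpList(&ignore_scanned, "ignore_scanned");
            }
            else if (!strcasecmp(pcTok, "watch_ip"))
            {
                ExpectArgBegin("watch_ip");
                ParseIpList(&watch_ip, "watch_ip");
            }
            else if (!strcasecmp(pcTok, "print_tracker"))
            {
                g_print_tracker = 1;
            }
            else if (!strcasecmp(pcTok, "memcap"))
            {
                ExpectArgBegin("memcap");
                ParseMemcap(&memcap);
            }
            else if (!strcasecmp(pcTok, "logfile"))
            {
                ExpectArgBegin("logfile");
                ParseLogFile(&g_logfile, g_logpath, sizeof(g_logpath));
            }
            else if (!strcasecmp(pcTok, "include_midstream"))
            {
                /* Do not ignore packets in sessions picked up mid-stream. */
                g_include_midstream = 1;
            }
            else if (!strcasecmp(pcTok, "detect_ack_scans"))
            {
                /* ACK scan packets are only seen in sessions that have been
                 * flagged as picked up mid-stream, so this implies the
                 * include_midstream behaviour. */
                g_include_midstream = 1;
            }
            else
            {
                FatalErrorInvalidOption(pcTok);
            }
        }
    }

    iRet = ps_init(protos, scan_types, sense_level, ignore_scanners,
                   ignore_scanned, watch_ip, memcap);
    if (iRet)
    {
        if (iRet == -2)
        {
            FatalError("%s(%d) => 'memcap' limit not sufficient to run "
                       "sfportscan preprocessor. Please increase this "
                       "value or keep the default memory usage.\n",
                       file_name, file_line);
        }

        FatalError("Failed to initialize the sfportscan detection module. "
                   "Please check your configuration before submitting a "
                   "bug.\n");
    }

    AddFuncToPreprocList(PortscanDetect, PRIORITY_SCANNER, PP_SFPORTSCAN);
    AddFuncToPreprocCleanExitList(PortscanCleanExitFunction, NULL,
                                  PRIORITY_SCANNER, PP_SFPORTSCAN);
    AddFuncToPreprocRestartList(PortscanRestartFunction, NULL,
                                PRIORITY_SCANNER, PP_SFPORTSCAN);

    PrintPortscanConf(protos, scan_types, sense_level, ignore_scanners,
                      ignore_scanned, watch_ip, memcap);

    PortscanPacketInit();

#ifdef PERF_PROFILING
    RegisterPreprocessorProfile("sfportscan", &sfpsPerfStats, 0, &totalPerfStats);
#endif
}

/*
 * Register the sfportscan preprocessor keyword with the config parser so
 * that PortscanInit() is invoked when it appears in the rules file.
 */
void SetupPsng(void)
{
    RegisterPreprocessor("sfportscan", PortscanInit);
}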