match_ip_frag.c

Firestorm NIDS是一个性能非常高的网络入侵检测系统 (NIDS)。目前

#include "match_ip.h"

#define FBM_NORMAL	0
#define FBM_ALL		1
#define FBM_ANY		2
#define FBM_NOT		3

struct fragbits_priv {
	u_int8_t	mode;
	u_int16_t	fragbits;
};

/* Mask off the bits we need in the frag_off field */
u_int16_t fbmask=__constant_htons(~IP_OFFMASK);

/* id - Match the fragment ID */
int id_match(struct packet *p, void *priv, unsigned int l, int n)
{
	struct pkt_iphdr *iph=p->layer[l].h.ip;
	struct shortrange *sr=priv;
	unsigned short id=ntohs(iph->id);

	return n ^ (id>=sr->min && id<=sr->max);
}

proc_match_match id_validate(char *args, void **priv,
	struct criteria *m, u_int32_t *c)
{
	if ( !args )
		return NULL;

	if ( template_shortrange(args, priv) )
		return id_match;
	else
		return NULL;
}

/* fragoffset - Match the fragmentation offset */
int fo_match(struct packet *p, void *priv, unsigned int l, int n)
{
	struct pkt_iphdr *iph=p->layer[l].h.ip;
	struct shortrange *sr=priv;
	unsigned short fo=ntohs(iph->frag_off);

	fo&=IP_OFFMASK;
	fo<<=3;

	return n ^ (fo>=sr->min && fo<=sr->max);
}

proc_match_match fo_validate(char *args, void **priv,
	struct criteria *m, u_int32_t *c)
{
	if ( !args )
		return NULL;

	if ( template_shortrange(args, priv) )
		return fo_match;
	else
		return NULL;
}

/* fragbits - Match the fragmentation flag bits (in frag_off) */
int fb_compare(void *p1, void *p2)
{
	struct fragbits_priv *a1=(struct fragbits_priv *)p1;
	struct fragbits_priv *a2=(struct fragbits_priv *)p2;

	if ( a1->fragbits==a2->fragbits && a1->mode==a2->mode ) return 0;
	return 1;
}

int fb_match(struct packet *p, void *priv, unsigned int l, int n)
{
	struct fragbits_priv *x=priv;
	u_int16_t ipfb=p->layer[l].h.ip->frag_off&fbmask;

	switch ( x->mode ) {
		case FBM_NORMAL:
			return n ^ (ipfb == x->fragbits);
		case FBM_NOT:
			return n ^ ((ipfb & x->fragbits)==0);
		case FBM_ALL:
			return n ^ ((ipfb & x->fragbits) == x->fragbits);
		case FBM_ANY:
			return n ^ ((ipfb & x->fragbits)!=0);
		default:
			return 0;
	}
}

proc_match_match fb_validate(char *args, void **priv,
	struct criteria *m, u_int32_t *c)
{
	struct fragbits_priv *fb;
	char *tmp;

	if ( !(fb=calloc(1, sizeof(*fb))) ) {
		return NULL;
	}

	for(tmp=args; *tmp; tmp++) {
		switch(*tmp) {
			case 'd':
			case 'D':
				fb->fragbits |= IP_DF;
				break;
			case 'm':
			case 'M':
				fb->fragbits |= IP_MF;
				break;
			case 'r':
			case 'R':
			case 'c':
			case 'C':
				fb->fragbits |= IP_CE;
				break;
			case '!':
				fb->mode=FBM_NOT;
				break;
			case '+':
				fb->mode=FBM_ANY;
				break;
			case '*':
				fb->mode=FBM_ALL;
				break;
			case ' ':
			case '\t':
			case ',':
				break;
			default:
				free(fb);
				return 0;
		}
	}

	fb->fragbits=htons(fb->fragbits);
	*priv=(void *)fb;
	return fb_match;
}