match_dns.c

Firestorm NIDS是一个性能非常高的网络入侵检测系统 (NIDS)。目前

/*
 * This file is part of firestorm NIDS
 * Copyright (c) 2002 Gianni Tedesco
 */

#include <stdlib.h>
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <netinet/in.h>

#include <firestorm.h>
#include <packet.h>
#include <alert.h>
#include <signature.h>
#include <matcher.h>
#include <plugin.h>

PLUGIN_STD_DEFS();

struct dns_hdr {
	u_int16_t	id;
	u_int16_t	flags;
	u_int16_t	questions;
	u_int16_t	answers;
	u_int16_t	auth;
	u_int16_t	additional;
};

u_int16_t dns_rflag=__constant_htons(1<<8);
u_int16_t dns_qflag=__constant_htons(1<<15);

int dns_compare(void *p1, void *p2)
{
	return 0;
}

int dnsr_match(struct packet *p, void *priv, unsigned int l, int n)
{
	struct dns_hdr *dnshdr;

	if ( l+2 >= p->llen ) return n^0;
	if ( p->layer[l+2].h.raw + sizeof(struct dns_hdr) >= p->end )
		return n^0;

	dnshdr=p->layer[l+2].h.raw;

	return n ^ ((dnshdr->flags&dns_rflag)==1) && ((dnshdr->flags&dns_qflag)==0);
}

int dnsi_match(struct packet *p, void *priv, unsigned int l, int n)
{
	struct dns_hdr *dnshdr;

	if ( l+2 >= p->llen ) return n^0;
	if ( p->layer[l+2].h.raw + sizeof(struct dns_hdr) >= p->end )
		return n^0;

	dnshdr=p->layer[l+2].h.raw;

	return n ^ ((dnshdr->flags&dns_rflag)==0) && ((dnshdr->flags&dns_qflag)==0);
}

proc_match_match dnsr_validate(char *args, void **priv,
	struct criteria *m, u_int32_t *c)
{
	if ( args ) return NULL;
	*priv=NULL;
	return dnsr_match;
}
proc_match_match dnsi_validate(char *args, void **priv,
	struct criteria *m, u_int32_t *c)
{
	if ( args ) return NULL;
	*priv=NULL;
	return dnsi_match;
}

struct matcher dns_matchers[]={
	matcher_init("dns_recursive", MCOST_APP+2, dnsr_validate, dns_compare, NULL),
	matcher_init("dns_iterative", MCOST_APP+2, dnsi_validate, dns_compare, NULL),
	matcher_null()
};

int PLUGIN_MATCHER (struct matcher_api *m)
{
	object_check(m);

	if ( !m->matcher_add(dns_matchers) )
		return PLUGIN_ERR_FAIL;

	return PLUGIN_ERR_OK;
}

int PLUGIN_INIT (struct plugin_in *in, struct plugin_out *out)
{
	plugin_check(in, out);

	PLUGIN_ID("match.dns", "DNS matching routines");
	PLUGIN_VERSION(0, 1);
	PLUGIN_AUTHOR("Gianni Tedesco", "gianni@scaramanga.co.uk");
	PLUGIN_LICENSE("GPL");

	return PLUGIN_ERR_OK;
}

int PLUGIN_UNLOAD (int code) {
	return PLUGIN_ERR_OK;
}