match_tcp_flags.c

Firestorm NIDS是一个性能非常高的网络入侵检测系统 (NIDS)。目前

#include "match_tcp.h"

/* TODO: Different functions for each mode */

#define MODE_NORMAL	0
#define MODE_ALL	1
#define MODE_NOT	2
#define MODE_ANY	3

struct tcp_flags{
	u_int8_t	flags;
	u_int8_t	mode;
};


int flags_compare(void *p1, void *p2)
{
	struct tcp_flags *f1=(struct tcp_flags *)p1;
	struct tcp_flags *f2=(struct tcp_flags *)p2;

	if ( f1->flags==f2->flags && f1->mode==f2->mode ) return 0;
	return 1;
}

int flags_match(struct packet *p, void *priv, unsigned int l, int n)
{
	struct tcp_flags *x=priv;
	u_int8_t flags=p->layer[++l].h.tcp->flags.flags;

	if ( x->mode==MODE_NORMAL) return n ^ (flags==x->flags);
	if ( x->mode==MODE_ANY) return n ^ ((flags & x->flags) != 0);
	if ( x->mode==MODE_ALL) return n ^ ((flags & x->flags) == x->flags);
	if ( x->mode==MODE_NOT) return n ^ ((flags & x->flags) == 0);
	
	mesg(M_WARN,"match_tcp: Wrong TCP mode. Should never happen!");
	return 0;
}

proc_match_match flags_validate(char *args, void **priv,
	struct criteria *m, u_int32_t *c)
{
	struct tcp_flags *p;
	char *tmp;

	if ( !args )
		return NULL;
	
	if ( !(p=calloc(1, sizeof(*p))) ) return NULL;

	*priv=p;
	
	for(tmp=args; *tmp; tmp++) {
		switch(*tmp) {
		case 'f':
		case 'F':
			p->flags |=  TCP_FIN;
			break;
		case 's':
		case 'S':
			p->flags |= TCP_SYN;
			break;
		case 'r':
		case 'R':
			p->flags |= TCP_RST;
			break;
		case 'p':
		case 'P':
			p->flags |= TCP_PSH;
			break;
		case 'a':
		case 'A':
			p->flags |= TCP_ACK;
			break;
		case 'u':
		case 'U':
			p->flags |= TCP_URG;
			break;
		case 'E':
		case 'e':
		case '2':
			p->flags |= TCP_ECE;
			break;
		case 'C':
		case 'c':
		case '1':
			p->flags |= TCP_CWR;
			break;
		case '0':
			p->flags = 0;
			break;
		case '!':
			p->mode = MODE_NOT;
			break;
		case '*':
			p->mode = MODE_ANY;
			break;

		case '+':
			p->mode = MODE_ALL;
			break;
		case ' ':
		case '\t':
		case ',':
			break;
		default:
			free(p);
			return NULL;
		}
	}
	
	return flags_match;
}