match_udp.c

Firestorm NIDS是一个性能非常高的网络入侵检测系统 (NIDS)。目前

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <netinet/in.h>

#include <firestorm.h>
#include <packet.h>
#include <alert.h>
#include <signature.h>
#include <matcher.h>
#include <plugin.h>

PLUGIN_STD_DEFS();

proc_template template_shortrange;

int udp_src_match(struct packet *pkt, void *priv, unsigned int l, int n)
{
	struct shortrange *p=(struct shortrange *)priv;
	u_int16_t port=ntohs(pkt->layer[l+1].h.udp->sport);
	return n^(port>=p->min && port<=p->max);
}

int udp_dst_match(struct packet *pkt, void *priv, unsigned int l, int n)
{
	struct shortrange *p=(struct shortrange *)priv;
	u_int16_t port=ntohs(pkt->layer[l+1].h.udp->dport);
	return n^(port>=p->min && port<=p->max);
}

proc_match_match udp_port_validate(proc_match_match fn, char *args, void **priv, struct criteria *m)
{
	if ( !args ) return NULL;
	if ( !template_shortrange(args, priv) ) return NULL;
	return fn;
}

proc_match_match udp_src_validate(char *args, void **priv,
	struct criteria *m, u_int32_t *c)
{
	return udp_port_validate(udp_src_match, args, priv, m);
}

proc_match_match udp_dst_validate(char *args, void **priv,
	struct criteria *m, u_int32_t *c)
{
	return udp_port_validate(udp_dst_match, args, priv, m);
}

struct matcher udp_matchers[]={
	matcher_init("udp_sport", 12, udp_src_validate, MCMP_SR, MATCHER_FREE),
	matcher_init("udp_dport", 13, udp_dst_validate, MCMP_SR, MATCHER_FREE),
	matcher_null()
};

int PLUGIN_MATCHER (struct matcher_api *m)
{
	object_check(m);

	template_shortrange=m->template_shortrange;

	if ( !m->matcher_add(udp_matchers) )
		return PLUGIN_ERR_FAIL;

	return PLUGIN_ERR_OK;
}

int PLUGIN_INIT (struct plugin_in *in, struct plugin_out *out)
{
	plugin_check(in, out);

	PLUGIN_ID("match.udp", "UDP matching routines");
	PLUGIN_VERSION(2, 0);
	PLUGIN_AUTHOR("Gianni Tedesco", "gianni@scaramanga.co.uk");
	PLUGIN_LICENSE("GPL");

	return PLUGIN_ERR_OK;
}

int PLUGIN_UNLOAD (int code) {
	return PLUGIN_ERR_OK;
}