match_std.c

Firestorm NIDS是一个性能非常高的网络入侵检测系统 (NIDS)。目前

/*
 * This file is part of firestorm NIDS
 * Copyright (c) 2002 Gianni Tedesco
 */

#include <stdlib.h>
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <netinet/in.h>

#include <firestorm.h>
#include <packet.h>
#include <alert.h>
#include <signature.h>
#include <matcher.h>
#include <plugin.h>

PLUGIN_STD_DEFS();

#define DSM_EQ	0
#define DSM_LT	1
#define DSM_GT	2

struct ds_priv {
	size_t dsize;
};

int ds_compare(void *p1, void *p2)
{
	struct ds_priv *d1=(struct ds_priv *)p1;
	struct ds_priv *d2=(struct ds_priv *)p2;

	if ( d1->dsize==d2->dsize ) return 0;
	return 1;
}

/* dsize matcher: match packet payload size */
int ds_match_eq(struct packet *p, void *priv, unsigned int l, int n)
{
	struct ds_priv *dsp=priv;
	size_t dsize;
	l+=2;
	if ( l>=p->llen ) return n^0;
	dsize=p->end - p->layer[l].h.raw;
	return n ^ (dsize==dsp->dsize);
}

int ds_match_gt(struct packet *p, void *priv, unsigned int l, int n)
{
	struct ds_priv *dsp=priv;
	size_t dsize;
	l+=2;
	if ( l>=p->llen ) return n^0;
	dsize=p->end - p->layer[l].h.raw;
	return n ^ (dsize>dsp->dsize);
}

int ds_match_lt(struct packet *p, void *priv, unsigned int l, int n)
{
	struct ds_priv *dsp=priv;
	size_t dsize;
	l+=2;
	if ( l>=p->llen ) return n^0;
	dsize=p->end - p->layer[l].h.raw;
	return n ^ (dsize<dsp->dsize);
}

proc_match_match ds_validate(char *args, void **priv,
	struct criteria *m, u_int32_t *c)
{
	struct ds_priv *dsp;
	proc_match_match ret=ds_match_eq;
	unsigned int num;
	char *val;

	if ( !args ) return NULL;
	
	for(val=args; *val; val++) {
		if ( *val>='0' && *val<='9' ) {
			break;	
		}
		if ( *val=='<' ) {
			ret=ds_match_lt;
		}else if ( *val=='>' ){
			ret=ds_match_gt;
		}
	}

	if ( strtouint(val, &num) ) return NULL;

	if ( !(dsp=malloc(sizeof(*dsp))) )
		return NULL;

	dsp->dsize=num;
	*priv=dsp;

	return ret;
}

struct matcher std_matchers[]={
	matcher_init("dsize", 100, ds_validate, ds_compare, MATCHER_FREE),
	matcher_null()
};

int PLUGIN_MATCHER (struct matcher_api *m)
{
	object_check(m);

	if ( !m->matcher_add(std_matchers) )
		return PLUGIN_ERR_FAIL;

	return PLUGIN_ERR_OK;
}

int PLUGIN_INIT (struct plugin_in *in, struct plugin_out *out)
{
	plugin_check(in, out);
	
	PLUGIN_ID("match.std", "Generic matching routines");
	PLUGIN_VERSION(2, 0);
	PLUGIN_AUTHOR("Gianni Tedesco", "gianni@scaramanga.co.uk");
	PLUGIN_LICENSE("GPL");

	return PLUGIN_ERR_OK;
}

int PLUGIN_UNLOAD (int code) {
	return PLUGIN_ERR_OK;
}