ascii.c

Firestorm NIDS是一个性能非常高的网络入侵检测系统 (NIDS)。目前

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <ctype.h>
#include <time.h>

#include <firestorm.h>
#include <packet.h>
#include <strtouint.h>
#include <args.h>
#include <cleanup.h>
#include <alert.h>
#include <signature.h>
#include <decode.h>
#include <target.h>
#include <plugin.h>
#include <capture.h>

PLUGIN_STD_DEFS();

/* Imported functions */
proc_args_parse args_parse;

/* Private data structure */
struct ascii_priv {
	FILE *f;
	char *fn;
	int hex;
	unsigned int llen;
};

/* Arguments */
int cb_file(struct arg *, void *);
int cb_nohex(struct arg *, void *);
int cb_len(struct arg *, void *);
struct arg ascii_args[]={
	{"nohex", ARGTYPE_NOP, cb_nohex},
	{"file", ARGTYPE_STRING, cb_file},
	{"len", ARGTYPE_NOP, cb_len},
	{NULL, ARGTYPE_NOP, NULL},
};

/* The alert structures */
int ascii_a(struct generator *, struct packet *, struct alert*, void *);
int ascii_v(char *, void **);
void ascii_h(void *);
void ascii_c(void *);
struct target ascii_t[]={
	target_init("ascii", ascii_a, ascii_v, ascii_h, ascii_c),
	target_null()
};

/* Helper function to open a file */
int ascii_openfile(struct ascii_priv *p)
{
	int fd;

	if ( !p ) return 0;

	if ( !p->fn ) {
		p->f=stdout;
		return 1;
	}

	if ( (fd=open(p->fn, O_WRONLY|O_APPEND|O_CREAT, 00640))<0 ) {
		mesg(M_ERR,"ascii: %s: open(): %s", p->fn, get_err());
		return 0;
	}

	if ( (p->f=fdopen(fd, "a")) ) {
		return 1;
	}else{
		mesg(M_ERR,"ascii: %s: fdopen(): %s", p->fn, get_err());
		close(fd);
		return 0;
	}
}

/* Configuration callbacks */
int cb_file(struct arg *a, void *priv)
{
	struct ascii_priv *p=priv;
	
	if ( !p ) return 0;

	if ( p->fn ) {
		mesg(M_ERR,"ascii: Can't log to two files!");
		return 0;
	}

	if ( (p->fn=strdup(a->val.v_str))==NULL ) {
		mesg(M_ERR,"ascii: strdup: %s", get_err());
		return 0;
	}
	
	return 1;
}

int cb_nohex(struct arg *a, void *priv)
{
	struct ascii_priv *p=priv;
	
	if ( !p ) return 0;
	p->hex=0;
	return 1;
}

int cb_len(struct arg *a, void *priv)
{
	struct ascii_priv *p=priv;
	
	if ( !p ) return 0;
	return !strtouint(a->val.v_str, &p->llen);
}

void hex_dump(FILE *f, char *ptr, unsigned int len, unsigned int llen)
{
	unsigned int i, j;
	unsigned int line;
	unsigned char *tmp=(unsigned char *)ptr;

	for(j=0; j<len; ) {
		if ( j+llen > len ) {
			line=len-j;
		}else{
			line=llen;
		}

		fprintf(f, "%05X : ", j);

		for(i=0; i<llen; i++) {
			if ( i<line ) {
				if ( isprint(tmp[i]) ) {
					fprintf(f, "%c", tmp[i]);
				}else{
					fprintf(f, ".");
				}
			}else{
				fprintf(f, " ");
			}
		}
		
		for(i=0; i<line; i++) {
			fprintf(f, " %02X", tmp[i]);
		}

		j+=line;
		tmp+=line;
		fprintf(f, "\n");
	}
}

int ascii_a(struct generator *gen,
	struct packet *pkt,
	struct alert *a,
	void *priv)
{
	int i;
	static char ln[256];
	struct tm *rtime;
	struct ascii_priv *p=priv;

	if ( !pkt ) return 0;
	
	rtime=localtime(&pkt->time.tv_sec);
	strftime(ln, sizeof(ln)-1, "%Y-%m-%d %H:%M:%S", rtime);

	/* Basic alert information */
	fprintf(p->f, "   alert: %s.%.6lu sid=%u.%u prio=%u\n",
		ln, pkt->time.tv_usec,
		a->sid, a->rev, a->priority);

	fprintf(p->f, "    desc: [%s] %s\n",
		gen->name, a->alert);

	/* Capture level stuff */
	fprintf(p->f, " capture: %s[%s]: len=%u caplen=%u\n",
		pkt->capture->capdev->name,
		pkt->capture->args,
		pkt->len,
		pkt->caplen);
	
	/* Print all the layers */
	for(i=0; i<pkt->llen; i++) {
		if ( !pkt->layer[i].proto ) {
			fprintf(p->f, "    data: Application "
				"layer data (%u bytes)\n",
				pkt->end-pkt->layer[i].h.raw);
			continue;
		}

		if ( pkt->layer[i].proto->print ) {
			pkt->layer[i].proto->print(
				&pkt->layer[i], ln, sizeof(ln));
		}else{
			sprintf(ln, "(no information)");
		}
		fprintf(p->f, "%8s: %s\n",
			pkt->layer[i].proto->name,
			ln);
	}

	/* hex dump the mofo */
	if ( p->hex>0 ) {
		hex_dump(p->f, pkt->base, pkt->caplen, p->llen);
	}

	fprintf(p->f, "\n");
	fflush(p->f);
	return 1;
}

int ascii_v(char *args, void **ptr)
{
	struct ascii_priv *p=NULL;
	
	if ( !(p=calloc(1, sizeof(*p))) )
		return 0;

	/* Defaults */
	p->f=stdout;
	p->llen=16;
	p->hex=1;

	if ( args ) {
		switch ( args_parse(ascii_args, args, p) ) {
		case -1:
			mesg(M_ERR,"ascii: parse error: %s", args);
		case 0: /* fall through */
			free(p);
			p=NULL;
			return 0;
		default:
			break;
		}
	}

	if ( !ascii_openfile(p) ) {
		free(p);
		return 0;
	}

	*ptr=p;
	return 1;
}

void ascii_h(void *priv)
{
	struct ascii_priv *p=priv;
	
	if ( !p ) return;
	if ( p->f != stdout ) {
		fclose(p->f);
		ascii_openfile(p);
	}
}

void ascii_c(void *priv)
{
	struct ascii_priv *p=priv;
	
	if ( !p ) return;
	if ( p->f != stdout ) fclose(p->f);
	free(p);
}

int PLUGIN_TARGET (struct target_api *t)
{
	object_check(t);

	args_parse=t->args_parse;

	if ( !t->target_add(ascii_t) )
		return PLUGIN_ERR_FAIL;

	return PLUGIN_ERR_OK;
}
	
int PLUGIN_INIT (struct plugin_in *in, struct plugin_out *out)
{
	plugin_check(in, out);
	
	PLUGIN_ID("target.ascii", "Print a message to stdout");
	PLUGIN_VERSION(1,1);
	PLUGIN_AUTHOR("Gianni Tedesco", "gianni@scaramanga.co.uk");
	PLUGIN_LICENSE("GPL");
	
	return PLUGIN_ERR_OK;
}

int PLUGIN_UNLOAD (int code) {
	return PLUGIN_ERR_OK;
}