prelude.c

来自「Firestorm NIDS是一个性能非常高的网络入侵检测系统 (NIDS)。目」· C语言 代码 · 共 226 行

#include <stdio.h>
#include <string.h>
#include <stdarg.h>
#include <time.h>
#include <inttypes.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/utsname.h>
#include <netinet/in.h>

#include <firestorm.h>
#include <packet.h>
#include <signature.h>
#include <cleanup.h>
#include <capture.h>
#include <decode.h>
#include <alert.h>
#include <target.h>
#include <plugin.h>
#include <config.h>

#include <libprelude/list.h>
#include <libprelude/prelude-log.h>
#include <libprelude/plugin-common.h>
#include <libprelude/prelude-io.h>
#include <libprelude/prelude-message.h>
#include <libprelude/idmef-message-id.h>
#include <libprelude/prelude-message-id.h>
#include <libprelude/idmef-tree.h>
#include <libprelude/idmef-tree-func.h>
#include <libprelude/prelude-message-buffered.h>
#include <libprelude/prelude-client.h>
#include <libprelude/idmef-msg-send.h>
#include <libprelude/prelude-getopt.h>
#include <libprelude/sensor.h>
#include <libprelude/prelude-list.h>
#include <libprelude/prelude-async.h>

PLUGIN_STD_DEFS();

typedef enum {
        p_null,
	p_raw,
        p_ether,
        p_ip,
        p_ipopts,
        p_ipencap,
        p_ipicmp,
        p_arp,
        p_rarp,
        p_udp,
        p_tcp,
        p_tcpopts,
        p_icmp,
        p_igmp,
        p_data,
        p_all,
        p_external,
        p_end
} proto_enum_t;

static idmef_analyzer_t analyzer;

prelude_msgbuf_t *m=NULL;
int pinit=0;

int prelude_a(struct generator *, struct packet *, struct alert*, void *);
void prelude_h(void *ptr){return;};
int prelude_v(char *, void **);
void prelude_c(void *);

struct target prelude_t[]={
	target_init("prelude", prelude_a, prelude_v, prelude_c, prelude_h),
	target_null()
};

static void send_additional_data(prelude_msgbuf_t *msgbuf,
	idmef_additional_data_type_t type,
	const char *meaning,
	size_t mlen, 
	const char *data,
	size_t dlen) 
{        
        type = htonl(type);
        
        prelude_msgbuf_set(msgbuf, MSG_ADDITIONALDATA_TAG, 0, NULL);
        prelude_msgbuf_set(msgbuf, MSG_ADDITIONALDATA_TYPE, sizeof(type), &type);
        prelude_msgbuf_set(msgbuf, MSG_ADDITIONALDATA_MEANING, mlen, meaning);
        prelude_msgbuf_set(msgbuf, MSG_ADDITIONALDATA_DATA, dlen, data);
        prelude_msgbuf_set(msgbuf, MSG_END_OF_TAG, 0, NULL);
}

int prelude_a(struct generator *gen,
	struct packet *pkt,
	struct alert *a,
	void *priv)
{
#if 0
	uint8_t tag;
	int i;
#endif
	struct list_head head;
	idmef_classification_t cls;
	const char meaning[] = "Attack description";
        const char pname[] = "Detection Plugin Name",
                pauthor[] = "Detection Plugin Author",
                pcontact[] = "Detection Plugin Contact",
                pdesc[] = "Detection Plugin Description";

	if ( !pkt ) return 0;

	prelude_msgbuf_set_header(m, PRELUDE_MSG_IDMEF,
		PRELUDE_MSG_PRIORITY_MID);

#if 0
	tag=MSG_FORMAT_PRELUDE_NIDS;
	prelude_msgbuf_set(m, MSG_OWN_FORMAT, sizeof(uint8_t), &tag);
	prelude_msgbuf_set(m, 4, 0, NULL);

	/* Loop through layers here */
	for(i=0; i<pkt->llen; i++) {
		if ( pkt->layer[i].proto==NULL ) {
			prelude_msgbuf_set(m, p_end, 0, NULL);
		}else{
		}
	}
	
	prelude_msgbuf_set(m, MSG_END_OF_TAG, 0, NULL);
#endif

	prelude_msgbuf_set(m, MSG_ALERT_TAG, 0, NULL);
	idmef_send_analyzer(m, &analyzer);
	idmef_send_create_time(m, (idmef_time_t *)&pkt->time);
	idmef_send_detect_time(m, (idmef_time_t *)&pkt->time);
	send_additional_data(m, string, pname, sizeof(pname),
		gen->name, strlen(gen->name)+1);
	send_additional_data(m, string, pauthor, sizeof(pauthor),
		gen->name, strlen(gen->name)+1);
	send_additional_data(m, string, pcontact, sizeof(pcontact),
		gen->name, strlen(gen->name)+1);
	send_additional_data(m, string, pdesc, sizeof(pdesc),
		gen->name, strlen(gen->name)+1);
	send_additional_data(m, string, meaning, sizeof(meaning),
		a->alert, strlen(a->alert)+1);

	INIT_LIST_HEAD(&head);
	idmef_send_additional_data_list(m, &head);

	memset(&cls, 0, sizeof(cls));
	cls.name.string=a->alert;
	cls.name.len=strlen(a->alert)+1;
	idmef_send_classification(m, &cls);

	prelude_msgbuf_set(m, MSG_END_OF_TAG, 0, NULL);
	prelude_msgbuf_mark_end(m);	

	return 1;
}

int prelude_v(char *args, void **ptr)
{
	char *argv[]={"firestorm", NULL};
	int ret;

	if ( pinit ) return 1;

	/* Initialise as prelude sensor */
	ret=prelude_sensor_init("firestorm-nids",NULL,1,argv);
	if ( ret==prelude_option_error || ret==prelude_option_end ) {
		return 0;
	}

	/* Use asynchronous messaging */
	if ( prelude_async_init()<0 ) return 0;
	if ( !(m=prelude_msgbuf_new(1)) ) return 0;

	/* Setup analyzer structure */
	prelude_analyzer_fill_infos(&analyzer);
	idmef_string_set_constant(&analyzer.version,
		VERSION);
	idmef_string_set_constant(&analyzer.manufacturer,
		"www.scaramanga.co.uk");
	idmef_string_set_constant(&analyzer.model,
		"Firestorm NIDS");
	idmef_string_set_constant(&analyzer.class,
		"Network Intrusion Detection System");
	
	/* Dont initialise twice */
	pinit=1;

	return 1;
}

void prelude_c(void *priv)
{
	/* Nothing to cleanup */
}

int PLUGIN_TARGET (struct target_api *t)
{
	object_check(t);

	args_parse=t->args_parse;

	if ( !t->target_add(prelude_t) )
		return PLUGIN_ERR_FAIL;

	return PLUGIN_ERR_OK;
}
	
int PLUGIN_INIT (struct plugin_in *in, struct plugin_out *out)
{
	plugin_check(in, out);

	PLUGIN_ID("target.prelude", "Alert to prelude-manager");
	PLUGIN_VERSION(0,1);
	PLUGIN_AUTHOR("Gianni Tedesco", "gianni@scaramanga.co.uk");
	PLUGIN_LICENSE("GPL");

	return PLUGIN_ERR_OK;
}

int PLUGIN_UNLOAD (int code) {
	return PLUGIN_ERR_OK;
}