
📄 icmp.c

📁 Firestorm NIDS是一个性能非常高的网络入侵检测系统 (NIDS)。目前
💻 C
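#include "tcpip.h"
#include <errno.h>

/* Generator */
struct generator icmp_gen=init_generator("sig.icmp", NULL);

/* Protocol descriptor wiring the four ICMP callbacks defined in this file */
struct proto icmp_p=init_proto2("icmp", icmp_decode, icmp_dprint,
				icmp_match, icmp_commit);

/* Parent-protocol requests.
 * NOTE(review): presumably asks the "ip" layer to hand over protocol
 * number 1 (ICMP) -- confirm against proto_request() in tcpip.h.
 */
struct proto_req icmp_r[]={
	proto_request("ip", 1),
	null_request()
};

/* Write a short textual summary of an ICMP layer ("type=N code=N").
 *
 * l:      layer whose h.icmp points at the ICMP header
 * buf:    destination buffer
 * buflen: size of buf in bytes
 *
 * Returns whatever snprintf() returns, i.e. the length the text would
 * have had without truncation. That value can be >= buflen, so callers
 * must clamp it before using it as an offset into buf.
 */
int icmp_dprint(struct layer *l, char *buf, int buflen)
{
	return snprintf(buf, buflen,
		"type=%u code=%u",
		l->h.icmp->type,
		l->h.icmp->code);
}

/* Decode the ICMP header at the current layer of packet p.
 *
 * The start of the ICMP payload is recorded as the raw pointer of the
 * next layer. For ICMP error messages the payload is decoded as an
 * embedded IPv4 packet; for everything else the payload layer is marked
 * as having no protocol and the packet is dispatched.
 *
 * All pointers and lengths here derive from data taken off the wire,
 * so every index and pointer is checked before it is used.
 */
void icmp_decode(struct packet *p)
{
	int my_layer=p->llen;
	struct layer *l=&p->layer[my_layer];
	struct pkt_icmphdr *icmph=l->h.icmp;

	/* Only touch the next layer slot if it exists. The original code
	 * stored into p->layer[p->llen+1] before comparing against
	 * PKT_LAYERS, which writes one element past the array when the
	 * packet is already at its deepest layer.
	 * NOTE(review): assumes p->layer[] has PKT_LAYERS entries --
	 * confirm against the struct packet definition.
	 */
	if ( my_layer+1 < PKT_LAYERS ) {
		p->layer[my_layer+1].h.raw=
			l->h.raw+sizeof(struct pkt_icmphdr);
	}

	/* Truncated ICMP header: nothing more to decode */
	if ( l->h.raw+sizeof(struct pkt_icmphdr) > p->end ) {
		return;
	}

	p->llen++;
	if ( p->llen >= PKT_LAYERS ) return;

	/* ICMP error codes contain chunks of
	 * the IP packet that caused the error
	 */
	if ( icmph->type==ICMP_DEST_UNREACH ||
	     icmph->type==ICMP_SOURCE_QUENCH ||
	     icmph->type==ICMP_TIME_EXCEEDED ||
	     icmph->type==ICMP_PARAMETERPROB) {
		p->layer[p->llen].flags=0;
		p->layer[p->llen].session=NULL;
		p->layer[p->llen].proto=&ipv4_p;

		/* The quoted datagram is sender-controlled and normally
		 * truncated; the IPv4 decoder has to bound its own reads
		 * by p->end (not visible from this file).
		 */
		ipv4_p.decode(p);

		if ( tcp_stateful ) icmperr_process(p, my_layer);
		return;
	}

	/* Remaining bytes after the header become an untyped layer */
	if ( p->layer[p->llen].h.raw<p->end )
		p->layer[p->llen++].proto=NULL;

	dispatch(p);
}

/* ===================================================
 * PACKET MATCHING STUFF BEYOND THIS POINT
 * ===================================================
 */

/* Root of the ICMP signature tree; icmp_commit() adds to it */
struct sig_node icmp_root;

/* Run the ICMP signature tree against packet p and raise an alert if
 * detection left one in cur_alert.
 *
 * l is decremented before being handed to detect().
 * NOTE(review): l is unsigned, so l==0 wraps to UINT_MAX -- confirm
 * that callers never pass 0.
 */
void icmp_match(struct packet *p, unsigned int l)
{
	l--;

	detect_set(&cur_alert, &alert_depth);
	detect(icmp_root.child, p, l);

	if ( cur_alert ) alert(&icmp_gen, p, cur_alert);
}

/* Compile rule r into an array of signature nodes and add it to the
 * ICMP signature tree.
 *
 * Each criterion is mapped to a matcher name ("src"/"dst" become
 * "ip_src"/"ip_dst"; the port keywords are reinterpreted as ICMP
 * type/code with a warning), looked up with matcher_find() and
 * validated by the matcher.
 *
 * Returns the result of detect_add_sig() on success, 0 on any failure
 * (no criteria, allocation failure, unknown matcher, failed validation,
 * or a criteria list longer than r->num_criteria).
 */
int icmp_commit(struct rule *r)
{
	struct criteria *c;
	struct sig_node *x;
	struct matcher *m;
	struct alert *a;
	unsigned int i;

	/* Can't handle this case */
	if ( r->num_criteria==0 ) return 0;

	if ( !(x=calloc(r->num_criteria, sizeof(*x))) ) return 0;

	/* Copy the alert data */
	if ( !(a=calloc(1, sizeof(*a))) ) {
		free(x);
		return 0;
	}
	memcpy(a, &r->alert, sizeof(*a));

	/* Build an array of all the nodes we want to add */
	for(c=r->criteria,i=0; c; c=c->next,i++) {
		char *key;

		/* x[] holds exactly num_criteria nodes; refuse a list
		 * that is longer than its advertised count rather than
		 * writing past the allocation.
		 */
		if ( i >= r->num_criteria ) {
			mesg(M_ERR,"icmp_commit: more criteria than expected");
			goto err;
		}

		if ( !strcmp(c->crit, "src") ) {
			key="ip_src";
		}else if ( !strcmp(c->crit, "dst") ) {
			key="ip_dst";
		}else if ( !strcmp(c->crit, "sport") ) {
			mesg(M_WARN,"icmp_commit: ICMP src port?");
			key="itype";
		}else if ( !strcmp(c->crit, "dport") ) {
			mesg(M_WARN,"icmp_commit: ICMP dst port?");
			key="icode";
		}else key=c->crit;

		if ( !(m=matcher_find(key)) ) {
			mesg(M_ERR,"icmp_commit: cannot find '%s' matcher", key);
			goto err;
		}

		x[i].match=m;
		x[i].n=c->negate;
		x[i].cost=m->cost;

		if ( !(x[i].m=m->validate(c->args,
			&x[i].p, c->modifier, &x[i].cost)) ) {
			mesg(M_ERR,"icmp: %s failed", m->name);
			goto err;
		}
	}

	return detect_add_sig(x, r->num_criteria, &icmp_root, a);

err:
	/* Release the i nodes completed so far, plus the alert copy,
	 * which the original error paths leaked.
	 */
	detect_free_sig(x, i);
	free(a);
	return 0;
}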
