ipx.c

Firestorm NIDS是一个性能非常高的网络入侵检测系统 (NIDS)。目前

#include <stdlib.h>

#include <firestorm.h>
#include <args.h>
#include <packet.h>
#include <plugin.h>
#include <alert.h>
#include <signature.h>
#include <decode.h>
#include <preproc.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

PLUGIN_STD_DEFS();
proc_dispatch dispatch;

/* IPX: Internetwork Packet eXchange */
int ipx_print(struct layer *l, char *buf, int buflen);
void ipx_decode(struct packet *);
struct proto ipx_p=init_proto("ipx", ipx_decode, ipx_print);
struct proto_req ipx_r[]={
        proto_request("ethernet", __constant_htons(0x8137)),
        proto_request("sll", __constant_htons(0x8137)),
        proto_request("linux", __constant_htons(0x8137)),
        proto_request("802.3-novell", 0),
        proto_request("llc", 0xe0),
	proto_request("__pcap_dlt", 12), /* DLT_RAW */
	null_request()
};

char *pnames[]={
	"SAP/NSP/Hello", "RIP", "Echo", "Error",
	"PEP", "SPX",
};
int ipx_print(struct layer *l, char *buf, int buflen)
{
	char *ptype="Unknown";

	switch (l->h.ipx->type) {
		case 0 ... 5:
			ptype=pnames[l->h.ipx->type];
			break;
		case 17:
			ptype="NCP";
			break;
		case 20:
			ptype="NetBIOS";
			break;
		case 104:
			ptype="NDS NCP";
			break;
	};

	return snprintf(buf,buflen,"len=%u type=0x%.2x(%s) net=0x%.8x:0x%.8x "
		"skt=0x%.4x:0x%.4x",
		ntohs(l->h.ipx->pktsize),
		l->h.ipx->type,
		ptype,
		ntohl(l->h.ipx->src.net),
		ntohl(l->h.ipx->dst.net),
		ntohs(l->h.ipx->src.sock),
		ntohs(l->h.ipx->dst.sock));
}

void ipx_decode(struct packet *p)
{
	struct proto_child *pc;
	struct layer *l=&p->layer[p->llen];

	if ( (p->layer[p->llen+1].h.raw=
		l->h.raw+sizeof(struct pkt_ipxhdr))
		> p->end ) return;

	p->llen++;

	if ( p->llen >= PKT_LAYERS ) return;

	for(pc=l->proto->children; pc; pc=pc->next)
	{
		if ( l->h.ipx->dst.sock == pc->id ) {
			p->layer[p->llen].flags=0;
			p->layer[p->llen].session=NULL;
			p->layer[p->llen].proto=pc->proto;
			pc->proto->decode(p);
			return;
		}
	}

	if ( p->layer[p->llen].h.raw<p->end )
		p->layer[p->llen++].proto=NULL;
	dispatch(p);
}

int PLUGIN_DECODE (struct decode_api *d)
{
	int ok=0;

	object_check(d);

	dispatch=d->dispatch;

	ok+=d->decode_add(&ipx_p, ipx_r);

	return (ok) ? PLUGIN_ERR_OK : PLUGIN_ERR_FAIL;
}

int PLUGIN_INIT (struct plugin_in *in, struct plugin_out *out)
{
	plugin_check(in, out);

	PLUGIN_ID("decode.ipx", "Internetwork Packet eXchange");
	PLUGIN_VERSION(1, 1);
	PLUGIN_AUTHOR("John Leach", "john@ecsc.co.uk");
	PLUGIN_LICENSE("GPL");

	return PLUGIN_ERR_OK;
}

int PLUGIN_UNLOAD (int code) {
	return PLUGIN_ERR_OK;
}