sap.c

Firestorm NIDS是一个性能非常高的网络入侵检测系统 (NIDS)。目前

#include <stdlib.h>
#include <firestorm.h>
#include <args.h>
#include <packet.h>
#include <plugin.h>
#include <alert.h>
#include <signature.h>
#include <decode.h>
#include <preproc.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

PLUGIN_STD_DEFS();
proc_dispatch dispatch;

/* SAP: Novell's Service Advertising Protocol */
int sap_print(struct layer *l, char *buf, int buflen);
void sap_decode(struct packet *p);
struct proto sap_p=init_proto("sap", sap_decode, sap_print);
struct proto_req sap_r[]={
        proto_request("ipx", __constant_htons(0x0452)),
	null_request()
};

int sap_print(struct layer *l, char *buf, int buflen)
{
	char *type="Unknown";
	char sname[49];

	switch (htons(l->h.sap->op)) {
		case 1:
		case 2:
			type="General service";
			break;
		case 3:
		case 4:
			type="Nearest service";
			break;
	};
	if (htons(l->h.sap->op)%2==0) {
		strncpy(sname,l->h.sap->server_name,49);
		sname[48]=0;
		return snprintf(buf,buflen,"%s reponse server=%s",type,sname);
	} else {
		return snprintf(buf,buflen,"%s query",type);
	}
}

void sap_decode(struct packet *p)
{
	struct layer *l=&p->layer[p->llen];

	if ( l->h.raw+sizeof(struct pkt_sap) > p->end ) {
		return;
	}

	p->llen++;
	dispatch(p);
}

int PLUGIN_DECODE (struct decode_api *d)
{
	int ok=0;

	object_check(d);

	dispatch=d->dispatch;

	ok+=d->decode_add(&sap_p, sap_r);

	return (ok) ? PLUGIN_ERR_OK : PLUGIN_ERR_FAIL;
}

int PLUGIN_INIT (struct plugin_in *in, struct plugin_out *out)
{
	plugin_check(in, out);

	PLUGIN_ID("decode.sap", "Service Advertising Protocol");
	PLUGIN_VERSION(0, 2);
	PLUGIN_AUTHOR("John Leach", "john@ecsc.co.uk");
	PLUGIN_LICENSE("GPL");

	return PLUGIN_ERR_OK;
}

int PLUGIN_UNLOAD (int code) {
	return PLUGIN_ERR_OK;
}