arp.c

Firestorm NIDS是一个性能非常高的网络入侵检测系统 (NIDS)。目前

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <netinet/in.h>

#include <firestorm.h>
#include <args.h>
#include <packet.h>
#include <plugin.h>
#include <alert.h>
#include <signature.h>
#include <decode.h>
#include <preproc.h>

PLUGIN_STD_DEFS();
proc_dispatch dispatch;

void arp_decode(struct packet *);
int arp_print(struct layer *l, char *buf, int buflen);
void rarp_decode(struct packet *);

struct proto rarp_p=init_proto("rarp", rarp_decode, NULL);
struct proto_req rarp_r[]={
	proto_request("ethernet", __constant_htons(0x0835)),
	proto_request("sll", __constant_htons(0x0835)),
	proto_request("linux", __constant_htons(0x0835)),
	null_request()
};

struct proto arp_p=init_proto("arp", arp_decode, arp_print);
struct proto_req arp_r[]={
	/* IP ARP */
	proto_request("ethernet", __constant_htons(0x0806)),
	proto_request("sll", __constant_htons(0x0806)),
	proto_request("linux", __constant_htons(0x0806)),

	/* AppleTalk ARP */
	proto_request("ethernet", __constant_htons(0x80f3)),
	proto_request("sll", __constant_htons(0x80f3)),
	proto_request("linux", __constant_htons(0x80f3)),

	null_request()
};

char *opnames[]={NULL,
	"Hardware request","Hardware reply",
	"Protocol request","Protocol reply",
	NULL, NULL, NULL,
	"Peer request","Peer reply"
};

void arp_decode(struct packet *p)
{
	struct layer *l=&p->layer[p->llen];

	if ( l->h.raw+sizeof(struct pkt_arphdr) > p->end ) {
		return;
	}

	p->llen++;
	dispatch(p);
}

int arp_print(struct layer *l, char *buf, int buflen)
{
	u_int16_t op=ntohs(l->h.arp->op);

	if ( op < (sizeof(opnames)/sizeof(*opnames)) && opnames[op] ) {
		return snprintf(buf, buflen, opnames[op]); /* not user input */
	}else{
		return snprintf(buf, buflen,
			"Unknown opcode (0x%.4x)", op);
	}
}

void rarp_decode(struct packet *p)
{
	struct layer *l=&p->layer[p->llen];

	if ( l->h.raw+sizeof(struct pkt_arphdr) > p->end ) {
		return;
	}

	p->llen++;
	dispatch(p);
}

int PLUGIN_DECODE (struct decode_api *d)
{
	int ok=0;

	object_check(d);

	dispatch=d->dispatch;

	ok+=d->decode_add(&arp_p, arp_r);
	ok+=d->decode_add(&rarp_p, rarp_r);

	return (ok) ? PLUGIN_ERR_OK : PLUGIN_ERR_FAIL;
}

int PLUGIN_INIT (struct plugin_in *in, struct plugin_out *out)
{
	plugin_check(in, out);

	PLUGIN_ID("decode.arp", "ARP/RARP");
	PLUGIN_VERSION(2, 0);
	PLUGIN_AUTHOR("Gianni Tedesco", "gianni@scaramanga.co.uk");
	PLUGIN_LICENSE("GPL");

	return PLUGIN_ERR_OK;
}

int PLUGIN_UNLOAD (int code) {
	return PLUGIN_ERR_OK;
}