spoon.c

Firestorm NIDS是一个性能非常高的网络入侵检测系统 (NIDS)。目前

#include <stdlib.h>
#include <stdio.h>

#include <firestorm.h>
#include <packet.h>
#include <plugin.h>
#include <args.h>
#include <alert.h>
#include <signature.h>
#include <decode.h>
#include <preproc.h>

PLUGIN_STD_DEFS();

/* Training mode or not */
unsigned int training=0;

/* Structure on disk */
struct svr_dtuple {
	u_int32_t count;
	u_int32_t addr;
	u_int16_t port;
};

/* Structure in memory */
struct svr_tuple {
	struct svr_tuple *next;
	struct svr_dtuple t;
};

/* Allocator */
#define SPOON_ALLOC_CHUNK 8192
struct svr_tuple *alloc_block=NULL;
int alloc_next=SPOON_ALLOC_CHUNK;

/* Training hash table */
#define SHASH_SIZE 4096
struct svr_tuple *shash[SHASH_SIZE];

proc_preproc_activate preproc_activate;
proc_args_parse args_parse;

/* Learn about packets */
int spoon_training(struct packet *pkt, unsigned int l, void *priv)
{
	struct pkt_iphdr *iph=pkt->layer[l-1].h.ip;
	struct pkt_tcphdr *tcph;
	u_int32_t flags;
	u_int32_t addr;
	u_int16_t port;

	tcph=pkt->layer[l].h.tcp;
	flags=pkt->layer[l].flags;

	/* We want to get addresses/ports of all servers
	 * connected to during the training period */
	if ( flags & FLAG_TCP_TRACK ) {
		/* Only look at packets which signal the establishment
		 * of a successful connection. */
		struct tcp_session *s=pkt->layer[l].session;
		if ( !(flags&FLAG_TCP_CT_EST) )
			return PREPROC_OK;
		addr=s->s_addr;
		port=s->s_port;
	}else{
		/* Poor mans version, just check for tcp syn packets */
		if ( iph->protocol!=6 || (tcph->flags.flags&TCP_STD)!=TCP_SYN ) {
			return PREPROC_OK;
		}
		addr=iph->daddr;
		port=tcph->dport;
	}

	/* TODO: Add this tuple to the database */

	return PREPROC_OK;
}

void spoon_free(void *priv){return;};

int spoon_init(char *args)
{
	struct arg spoon_args[]={
		{"training", ARGTYPE_PBOOL, NULL, {vp_bool:&training}},
		{NULL, ARGTYPE_NOP, NULL}
	};

	if ( args ) {
		switch( args_parse(spoon_args, args, NULL) ) {
		case -1:
			mesg(M_ERR,"spoon: parse error: %s", args);
			/* fall through */
		case 0:
			return 0;
		default:
			break;
		}
	}

	if ( training ) {
		return preproc_activate("tcp", spoon_training, spoon_free, NULL);
	}else{
		mesg(M_ERR,"spoon: not finished yet...");
		return 0;
	}
}

int PLUGIN_PREPROC (struct preproc_api *p)
{
	object_check(p);

	preproc_activate=p->preproc_activate;
	args_parse=p->args_parse;

	if ( !p->preproc_add("spoon", spoon_init) )
		return PLUGIN_ERR_FAIL;

	return PLUGIN_ERR_OK;
}
int PLUGIN_INIT (struct plugin_in *in, struct plugin_out *out)
{
	plugin_check(in, out);

	/* Statistical Packet Orthodontist Oracle of Necromancy */
	PLUGIN_ID("preproc.spoon", "S.P.O.O.N. Anomaly Detection");
	PLUGIN_VERSION(0, 1);
	PLUGIN_AUTHOR("Gianni Tedesco", "gianni@scaramanga.co.uk");
	PLUGIN_LICENSE("GPL");

	return PLUGIN_ERR_OK;
}

int PLUGIN_UNLOAD (int code) {
	return PLUGIN_ERR_OK;
}