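/*
 * This file is part of Firestorm NIDS
 * Copyright (c) 2002 Gianni Tedesco
 * This program is released under the terms of the GNU GPL version 2
 *
 * firecat: converts a firestorm extended alert log (elog) into another
 * format.  Each alert read from the input is handed to a user-selected
 * output ("target") plugin.  Plugins are shared objects loaded from
 * PLUGIN_DIR and from any directory given with -p, so those directories
 * must be trusted: code placed there runs with this process's privileges.
 */
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>	/* strcmp() in plugin_callback() */
#include <unistd.h>
#include <getopt.h>
#include <fcntl.h>
#include <netinet/in.h>

#include <firestorm.h>
#include <packet.h>
#include <cleanup.h>
#include <loader.h>
#include <alert.h>
#include <args.h>
#include <target.h>
#include <signature.h>
#include <decode.h>
#include <matcher.h>
#include <detect.h>
#include <capture.h>
#include <elog.h>
#include <elog_read.h>
#include <target.h>
#include <detect.h>

/* Selected output plugin and the private state it returned from validate() */
struct target *t = NULL;
void *t_priv = NULL;
/* Name of the input currently being processed (for messages) and argv[0] */
char *fn = NULL;
char *cmd = NULL;

void mesg(unsigned char code, char *fmt, ...);

/*
 * Stubs handed to plugins for firestorm services that firecat does not
 * provide.  Signature/detection plugins expect these names to exist; here
 * they simply succeed, return nothing, or hand back an empty result.
 */
int return_one(void)
{
	return 1;
}

void return_void(void)
{
	return;
}

void *return_null(void)
{
	return NULL;
}

/* Alert serial numbers are not tracked by firecat: always 0 */
void serial_number(serial_t *s)
{
	*s = 0;
}

/* No detection engine is running: report no alert and an index of 0 */
void detect_set(struct alert **a, unsigned int *i)
{
	*a = NULL;
	*i = 0;
}

/*
 * Symbol table served to plugins through plugin_callback().  Function
 * pointers are stored as void * because that is what the loader's
 * callback interface returns (non-portable in strict C, but the same
 * convention dlsym() relies on).
 */
struct {
	const char *name;
	void *data;
} exports[] = {
	/* Generic */
	{"mesg",		mesg},
	{"args.parse",		args_parse},
	{"serial_number",	serial_number},

	/* Object lookup */
	{"decode.subproto",	decode_subproto},
	{"decode.proto",	decode_proto},
	{"matcher.find",	return_null},

	/* Needed for signature engines */
	{"alert",		return_void},
	{"generator.add",	return_one},
	{"detect.add_sig",	return_one},
	{"detect.free_sig",	return_void},
	{"detect.set",		detect_set},
	{"detect",		return_void},

	{NULL, NULL}
};

/*
 * Message sink used by firecat itself and exported to plugins.
 * Messages whose code is above M_WARN are dropped, so only warnings,
 * errors and critical messages are printed.  Output goes to stderr
 * because the selected output plugin may be writing to stdout.
 * A trailing newline is appended here, so callers must not add one.
 * fmt is passed straight to vfprintf(): it must be a literal format,
 * never data read from the input file or from a plugin.
 */
void mesg(unsigned char code, char *fmt, ...)
{
	va_list va;

	if (code > M_WARN)
		return;

	va_start(va, fmt);
	fprintf(stderr, "%s: ", cmd);
	vfprintf(stderr, fmt, va);
	fputc('\n', stderr);
	va_end(va);
}

/* elog reader callback: forward one logged alert to the output plugin */
int firecat_dispatch(struct elog_pkt *p)
{
	return elog_pkt_alert(p, t->target, t_priv);
}

/*
 * Process one elog stream open on fd.  Errors creating the reader are
 * reported and the file is skipped; a failed run terminates the program
 * through cleanup().  The descriptor is owned by the caller.
 */
void do_file(int fd)
{
	void *ep;

	if (!(ep = elog_new(fd))) {
		mesg(M_ERR, "%s: elog_new(): %s", fn, get_err());
		return;
	}

	elog_set_alert_fn(ep, firecat_dispatch);

	if (elog_run(ep) <= 0) {
		elog_free(ep);
		cleanup(EXIT_ERR, NULL);
		/* cleanup() is expected to exit; never reach the second free */
		return;
	}

	elog_free(ep);
}

/*
 * Loader callback: resolve a name requested by a plugin against the
 * exports[] table.  Returns the table entry, or NULL (after a diagnostic
 * on stderr) for a name firecat does not provide.
 */
void *plugin_callback(const char *item)
{
	u_int32_t i;

	for (i = 0; exports[i].name; i++) {
		if (strcmp(exports[i].name, item) == 0)
			return exports[i].data;
	}

	fprintf(stderr, "resource: request for unknown object: '%s'\n", item);
	return NULL;
}

/* Long options; -i is accepted by getopt but has no handler */
struct option opts[] = {
	{"plugin-dir",	1, 0, 'p'},
	{"in",		1, 0, 'i'},
	{"format",	1, 0, 'f'},
	{"options",	1, 0, 'o'},
	{"help",	0, 0, 'h'},
	{NULL,		0, 0, 0}
};

extern struct target *targets;

/*
 * Print usage, the plugin directories and the currently loaded output
 * formats to stderr, then exit through cleanup() with ecode.
 * target_load() must have run for the format list to be populated.
 */
void usage(int ecode)
{
	struct target *tgt;

	fprintf(stderr, "Usage: %s -f format [-o \"options\"] [FILE]...\n", cmd);
	fprintf(stderr, "Converts the contents of a firestorm extended alert log (elog)\n");
	fprintf(stderr, "in to some other format.\n");
	fprintf(stderr, "\n");
	fprintf(stderr, "    --format, -f      Choose an output format\n");
	fprintf(stderr, "    --options, -o     Plugin specific option string\n");
	fprintf(stderr, "    --plugin-dir, -p  Load extra plugins from this directory\n");
	fprintf(stderr, "    --help, -h        This message\n\n");
	fprintf(stderr, "Loading plugins from: %s\n", PLUGIN_DIR "/protocols");
	fprintf(stderr, "Loading plugins from: %s\n\n", PLUGIN_DIR "/output");
	fprintf(stderr, "Available output formats:\n");

	for (tgt = targets; tgt; tgt = tgt->next)
		fprintf(stderr, "    %s\n", tgt->name);

	cleanup(ecode, NULL);
}

/*
 * Entry point.  Loads the protocol and output plugins, parses the command
 * line, selects and validates the output plugin, then converts each FILE
 * argument in turn (or stdin when none is given).  All fatal paths go
 * through cleanup(); the explicit returns after it only guard against a
 * cleanup() that comes back, so nothing below runs with a NULL plugin.
 */
int main(int argc, char **argv)
{
	int c, opti;
	char *oformat = NULL;
	char *p_options = NULL;

	/* Initialise what we need to */
	cmd = argv[0];
	loader_init(plugin_callback);

	/* Initialise subsystems */
	decode_init();
#if 1
	loader_load_dir(PLUGIN_DIR "/protocols");
	loader_load_dir(PLUGIN_DIR "/output");
#else
	loader_load_dir("./decode_plugins/.libs");
	loader_load_dir("./target_plugins/.libs");
#endif

	/* Do command line args */
	while ((c = getopt_long(argc, argv, "p:i:f:o:h?", opts, &opti)) != -1) {
		switch (c) {
		case 'p':
			/* Arbitrary code from a user-named directory: -p must
			 * only ever point at a directory the user controls */
			loader_load_dir(optarg);
			break;
		case 'f':
			if (oformat)
				usage(EXIT_ERR);
			oformat = optarg;
			break;
		case 'o':
			if (p_options)
				usage(EXIT_ERR);
			p_options = optarg;
			break;
		case 'h':
		case '?':
			/* Load targets first so usage() can list the formats */
			decode_load();
			target_load();
			usage(EXIT_OK);
			break;
		default:
			usage(EXIT_ERR);
		}
	}

	decode_load();
	target_load();

	if (!oformat) {
		mesg(M_ERR, "No output format specified");
		cleanup(EXIT_ERR, NULL);
		return 1;
	}

	/* Get the right output plugin */
	if (!(t = target_find(oformat))) {
		mesg(M_ERR, "%s: Cannot find specified output format", oformat);
		cleanup(EXIT_ERR, NULL);
		return 1;
	}

	/* Initialise it with user specified arguments */
	if (!t->validate(p_options, &t_priv)) {
		mesg(M_ERR, "%s: Invalid options for output plugin", oformat);
		cleanup(EXIT_ERR, NULL);
		return 1;
	}

	/* Process the input file(s) */
	if (optind < argc) {
		int i;

		for (i = optind; i < argc; i++) {
			int fd;

			fn = argv[i];
			if ((fd = open(argv[i], O_RDONLY)) < 0) {
				mesg(M_ERR, "%s: open(): %s", argv[i], get_err());
				cleanup(EXIT_ERR, NULL);
				return 1;
			}
			do_file(fd);
			close(fd);
		}
	} else {
		/* Read from stdin */
		fn = "stdin";
		do_file(0);
	}

	cleanup(EXIT_OK, NULL);
	return 0;
}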
