elog_pkt.c

Firestorm NIDS是一个性能非常高的网络入侵检测系统 (NIDS)。目前

/*
* This file is part of Firestorm NIDS
* Copyright (c) 2002 Gianni Tedesco
* This program is released under the terms of the GNU GPL version 2
*
* This is for converting elog files in to firestorm packet structures,
* just as if they were generated from within firestorm itself.
*/
#include <stdlib.h>
#include <netinet/in.h>

#include <firestorm.h>
#include <args.h>
#include <packet.h>
#include <alert.h>
#include <signature.h>
#include <decode.h>
#include <capture.h>
#include <target.h>

#include <elog.h>
#include <elog_read.h>

struct capdev null_capdev={.name="elog_read"};
struct capture null_cap={
	.capdev=&null_capdev,
	.state=CAP_STATE_CAPTURE,
	.args="elog",
};

/* Free up any session data */
void elog_free_sessions(struct packet *pkt)
{
	int i;
	struct layer *l;
	for(i=0; i<pkt->llen; i++) {
		l=&pkt->layer[i];
		if ( l->session && l->proto && l->proto->free ) {
			l->proto->free(l->session);
		}
	}
}

/* Parse alert decode data */
int elog_decode(struct packet *pkt, char *buf, int buflen)
{
	struct elog_dhdr *d;
	char *end=buf+buflen;
	struct proto *p;

	while(buf+sizeof(*d)<=end) {
		char *pnam, *pser, *dend;

		d=(struct elog_dhdr *)buf;

		/* Check the validity */
		if ( (d->tot_len<<2)<sizeof(*d) )
			return 0;
		if ( (d->tot_len<<2)<(d->name_len<<2)+sizeof(*d) )
			return 0;
		if ( buf+(d->tot_len<<2) > end )
			return 0;

		/* Work out where stuff is */
		pnam=(buf+sizeof(*d));
		pser=pnam+(d->name_len<<2);
		dend=buf+(d->tot_len<<2);

		if ( d->name_len==0 ) {
			p=NULL;
		}else{
			p=decode_proto(pnam);
		}

		pkt->layer[pkt->llen].h.raw=
			pkt->base+ntohs(d->pkt_ofs);
		pkt->layer[pkt->llen].proto=p;
		pkt->layer[pkt->llen].flags=ntohl(d->flags);

		if ( p && p->deserialize && dend>pser ) {
			pkt->layer[pkt->llen].session=p->deserialize(
				pkt, pkt->llen, pser, dend-pser);
		}else{
			pkt->layer[pkt->llen].session=NULL;
		}

		if ( pkt->llen++ >= PKT_LAYERS )
			return 1;

		buf+=d->tot_len<<2;
	}
	return 1;
}

/* Handler for alert records */
int elog_pkt_alert(struct elog_pkt *p, proc_target fn, void *priv)
{
	struct generator gen;
	struct packet pkt;
	struct alert a;
	int ret;

	/* Fill in generator and alert structures */
	gen.next=NULL;
	gen.name=p->generator;
	a.alert=p->alert;
	a.sid=ntohl(p->hdr->sid);
	a.rev=ntohl(p->hdr->rev);
	a.priority=p->hdr->h.prio;

	/* Fill in packet structure */
	pkt.serial=0;
	pkt.len=ntohl(p->hdr->pkt_len);
	pkt.caplen=ntohl(p->hdr->pkt_caplen);
	pkt.llen=0;
	pkt.base=p->data;
	pkt.end=p->data+pkt.caplen;
	pkt.time.tv_sec=ntohl(p->hdr->h.ts.tv_sec);
	pkt.time.tv_usec=ntohl(p->hdr->h.ts.tv_usec);
	pkt.capture=&null_cap;
	pkt.flags=ntohl(p->hdr->pflags);

	/* Fill in decode data */
	if ( !elog_decode(&pkt, p->decode_buf,
		ntohs(p->hdr->decode_len)<<2) ) {
		return 0;
	}

	/* Call the output plugin */
	ret=fn(&gen, &pkt, &a, priv);

	/* Free up session data */
	elog_free_sessions(&pkt);

	return ret;
}