elog.c

Firestorm NIDS是一个性能非常高的网络入侵检测系统 (NIDS)。目前

/*
* This file is part of Firestorm NIDS
* Copyright (c) 2002 Gianni Tedesco
* This program is released under the terms of the GNU GPL version 2
*
* This file provides a simple API for reading elog files. It only
* works for files <2GB right now and isn't very secure. Don't read
* untrusted data files just yet.
*
* TODO:
*  o Sliding mmap() to support large files
*/
#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <unistd.h>
#include <netinet/in.h>

#include <elog.h>
#include <elog_read.h>

/* Create a new elog parsing structure */
struct elog *elog_new(int fd)
{
	struct efile_hdr *fh;
	struct elog *e;
	struct stat st;
	char *map;

	if ( fd<0 )
		return NULL;

	/* Find length of the file */
	if ( fstat(fd, &st) )
		return NULL;

	/* Make sure file is big enough for header */
	if ( st.st_size < sizeof(*fh) )
		return 0;

	/* Map it all in */
	if ( (map=mmap(NULL, st.st_size, PROT_READ,
		MAP_SHARED, fd, 0))==MAP_FAILED ) {
		return NULL;
	}

	/* Allocate a new structure */
	if ( !(e=calloc(1,sizeof(struct elog))) ) {
		munmap(map, st.st_size);
		return NULL;
	}

	/* Check the header magic and versions */
	fh=(struct efile_hdr *)map;
	if ( ntohl(fh->magic)!=EF_MAGIC ||
		fh->vers_major != EF_VERS_MAJ ||
		fh->vers_minor != EF_VERS_MIN ) {
		munmap(map, st.st_size);
		free(e);
		return NULL;
	}

	/* Fill it in */
	e->fd=fd;
	e->map=map;
	e->end=map+st.st_size;
	e->maplen=st.st_size;

	return e;
}

/* Free the created structure */
void elog_free(struct elog *e)
{
	if ( e->map )
		munmap(e->map, e->maplen);

	if ( e->fd>=0 )
		close(e->fd);

	free(e);
}

/* Set the dispatch function */
proc_elogfn elog_set_alert_fn(struct elog *e, proc_elogfn d)
{
	proc_elogfn old=d;
	e->dispatch=d;
	return old;
}

/* Run a single packet at a given offset */
size_t elog_pkt(struct elog *e, size_t ofs)
{
	struct elog_pkthdr *ph;
	struct elog_pkt pkt;
	char *decode_buf;
	char *pkt_data;
	char *str_g;
	char *str_a;
	char *cur=e->map+ofs;

	if ( cur+sizeof(*ph) > e->end )
		return 0;

	/* We are guaranteed the header */
	ph=(struct elog_pkthdr *)cur;
	decode_buf=cur+sizeof(*ph);
	pkt_data=decode_buf+(ntohs(ph->decode_len)<<2);
	str_g=pkt_data+(ntohl(ph->pkt_caplen));
	str_a=str_g+ph->gen_len;

	if ( ntohs(ph->h.type) != ELOG_ALERT )
		goto skip;

	/* Quick integrity check */
	if ( ntohl(ph->h.reclen) < sizeof(*ph) ) return 0;
	if ( cur+ntohl(ph->h.reclen) > e->end ) return 0;
	if ( str_a+ph->alert_len > e->end ) return 0;

	/* Check null termination of strings */
	if ( str_g[ph->gen_len-1]!=0 ) goto skip;
	if ( str_a[ph->alert_len-1]!=0 ) goto skip;

	/* Dispatch this record to
	 * the appropriate handler */
	pkt.file=e;
	pkt.hdr=ph;
	pkt.decode_buf=decode_buf;
	pkt.data=pkt_data;
	pkt.generator=str_g;
	pkt.alert=str_a;
	if ( e->dispatch && !e->dispatch(&pkt) )
		return 0;

skip:
	return ntohl(ph->h.reclen);
}

/* Run through the packet */
int elog_run(struct elog *e)
{
	size_t ofs=sizeof(struct efile_hdr);
	size_t ret;

	/* Loop through each packet */
	for(; ofs < e->maplen; ofs+=ret) {
		if ( !(ret=elog_pkt(e, ofs)) )
			return 0;
	}

	return 1;
}