flowps_fixed_winadj(¤t_entry->fixed_scanner, cur, &pstp->config.limit_scanner); /* maintain the list of recent connections */ flowps_set_last_address(current_entry, flowp, cflags); /* windows adjusted, lets get us some alerts */ if(s_debug > 5 && score > 1) { flow_printf("XXXX **** got a big old score(%d) because of [%s] -> %s\n", score, mktcpflag_str(cflags), inet_ntoa(*(struct in_addr *) (&flowp->key.resp_address))); flowps_entry_print(current_entry, address); flow_printf("\nXXXX ****\n"); } if(flowps_score_entry(pstp, current_entry, score, tr_pos, pstp->config.alert_once, &alert_flags) != FLOW_SUCCESS) {#ifndef WIN32 flow_printf("bad return for finding the entry %s\n", __func__);#else flow_printf("bad return for finding the entry %s(%d)\n", __FILE__, __LINE__);#endif return 0; } /* If someone generates an event * * */ if(current_entry->position == TRACKER_ACTIVE && tr_pos == TRACKER_SCANNER) { //flow_printf("moving this one! (cur %d) -> (new %d) %s\n", //current_entry->position, tr_pos, inet_ntoa(*(struct in_addr *) address)); /* move address TO scanner FROM active */ ret = scoreboard_move(&pstp->table_scanner, &pstp->table_active, address); if(ret != FLOW_SUCCESS) { flow_printf("Unable to move %s\n",inet_ntoa(*(struct in_addr *) address)); return -1; } else { /* @todo - move this into the scoreboard mv call */ current_entry->position = TRACKER_SCANNER; } } if(s_debug > 5) { if(tr_pos == TRACKER_SCANNER) { flow_printf("Found a tracker scanner!\n"); flowps_entry_print(current_entry, address); } } if(s_debug > 10) { flowps_entry_print(current_entry, address); } if(alert_flags) { /* ** We OR the alert_flags here because we only want to add ** new alerts and reset alerts that might not be set in ** alert_flags. This is for the case of alert_once being ** set. 
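*/
        current_entry->flags |= alert_flags;

        /* push things through the output system */
        flowps_generate_flow_event(current_entry, p, address,
                                   pstp->config.output_mode, cur);
    }

    return 0;
}

/**
 * Raise a portscan event for a score entry that has tripped an alert.
 *
 * The sid is chosen from the ALERT_* bits in sep->flags (fixed scanner,
 * sliding scanner, sliding talker, fixed talker, in that order of
 * preference).  In PKTKLUDGE mode the event is logged against a
 * synthetic packet built by flowps_mkpacket(); in VARIABLEMSG mode, and
 * when the synthetic packet cannot be built, it is logged against the
 * packet that triggered the alert.  Any other output mode logs nothing.
 *
 * @param sep         score entry that tripped the alert
 * @param orig_packet packet that triggered the alert
 * @param address     attacker address (network byte order)
 * @param output_type FLOWPS_OUTPUT mode from the plugin config
 * @param cur         current time, stamped onto the synthetic packet
 *
 * @return FLOW_SUCCESS, or FLOW_EINVALID when no ALERT_* bit is set
 */
static int flowps_generate_flow_event(SCORE_ENTRY *sep, FLOWPACKET *orig_packet,
                                      u_int32_t *address, FLOWPS_OUTPUT output_type,
                                      time_t cur)
{
    Packet *p = orig_packet;
    char buf[1024 + 1];
    u_int32_t event_id;
    u_int32_t event_type; /* the sid for the gid */

    /* Assign an event type to the display */
    if(sep->flags & ALERT_FIXED_SCANNER)
    {
        event_type = FLOW_SCANNER_FIXED_ALERT;
    }
    else if(sep->flags & ALERT_SLIDING_SCANNER)
    {
        event_type = FLOW_SCANNER_SLIDING_ALERT;
    }
    else if(sep->flags & ALERT_SLIDING_TALKER)
    {
        event_type = FLOW_TALKER_SLIDING_ALERT;
    }
    else if(sep->flags & ALERT_FIXED_TALKER)
    {
        event_type = FLOW_TALKER_FIXED_ALERT;
    }
    else
    {
        return FLOW_EINVALID;
    }

    switch(output_type)
    {
    case PKTKLUDGE:
        /* log a packet to the output system */
        p = flowps_mkpacket(sep, orig_packet, address, cur);
        if(p == NULL)
        {
            /* flowps_mkpacket() returns NULL when the score entry could
             * not be formatted into the packet; rather than hand a NULL
             * packet to the output system, fall back to the packet that
             * triggered the alert so the event is not lost. */
            p = orig_packet;
        }
        /* fallthrough */
    case VARIABLEMSG:
        /* snprintf() always NUL-terminates for a non-zero size */
        snprintf(buf, sizeof buf,
                 "Portscan detected from %s Talker(fixed: %u sliding: %u) Scanner(fixed: %u sliding: %u)",
                 inet_ntoa(*(struct in_addr *) address),
                 sep->fixed_talker.score,
                 sep->sliding_talker.score,
                 sep->fixed_scanner.score,
                 sep->sliding_scanner.score);

        event_id = GenerateSnortEvent(p,
                                      GENERATOR_FLOW_PORTSCAN,
                                      event_type,
                                      1, /* revision */
                                      1, /* classification */
                                      2, /* medium priority */
                                      buf);

        /*
         * If this is the first time we have called an alert on this
         * function, save it off so we have an event reference.
         *
         * DEPRECATED:
         * The event_id was to tag additional events to a previous
         * one, but that logic was ifdef'ed out, so we'll keep it
         * around anyway.
         */
        sep->event_id = event_id;

        /*
         * this is the last tv_sec from the packet
         */
        sep->event_sec = packet_timeofday();
        break;

    default:
        /* unknown output mode: nothing is emitted */
        break;
    }

    return FLOW_SUCCESS;
}

/**
 * Print the score entry to a buffer
 *
 * snprintf doesn't protect us any since we are calculating so much
 * but it does make me be explicit on how much data I am putting in.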
*
 * @param buf buf to print into
 * @param buflen size of buffer
 * @param sep score entry to print
 * @param address address of attacker
 *
 * @return number of bytes written (excluding the terminator) on success,
 *         -1 on bad arguments, snprintf failure, or when the buffer
 *         would be filled completely
 */
static int score_entry_sprint(unsigned char *buf, int buflen, SCORE_ENTRY *sep, u_int32_t *address)
{
    int used = 0;        /* bytes written so far */
    int left = buflen;   /* bytes still available, including the terminator */
    int n;
    u_int32_t idx;

    if(!buf || buflen <= 0 || !sep || !address)
    {
        return -1;
    }

    /* header block describing the tracked host */
    n = snprintf((char *)buf + used, left,
                 "Address: %s\n"
                 "AT_SCORE: %u\n"
                 "ST_SCORE: %u\n"
                 "AS_SCORE: %u\n"
                 "SS_SCORE: %u\n"
                 "Total Connections: %u\n"
                 "ScanFlags: 0x%x\n"
                 "AT_STARTEND: %u %u\n"
                 "ST_STARTEND: %u %u\n"
                 "AS_STARTEND: %u %u\n"
                 "SS_STARTEND: %u %u\n"
                 "REF_SEC: %u\n"
                 "REF_EVENT: %u\n",
                 inet_ntoa(*(struct in_addr *)address),
                 sep->fixed_talker.score,
                 sep->sliding_talker.score,
                 sep->fixed_scanner.score,
                 sep->sliding_scanner.score,
                 sep->connections_seen,
                 sep->flags,
                 (unsigned) sep->fixed_talker.start,
                 (unsigned) sep->fixed_talker.ends,
                 (unsigned) sep->sliding_talker.start,
                 (unsigned) sep->sliding_talker.ends,
                 (unsigned) sep->fixed_scanner.start,
                 (unsigned) sep->fixed_scanner.ends,
                 (unsigned) sep->sliding_scanner.start,
                 (unsigned) sep->sliding_scanner.ends,
                 (unsigned) sep->event_sec,
                 sep->event_id);

    if(n <= 0)
    {
        return -1;
    }

    used += n;
    left -= n;

    /* snprintf reports the length it wanted, so left <= 0 means truncation */
    if(left <= 0)
    {
        return -1;
    }

    /* one line per recorded connection, bounded by the history size */
    for(idx = 0; idx < sep->connections_seen && idx < FLOWPS_HOSTS_SIZE; idx++)
    {
        CONN_ENTRY *conn = &sep->last_hosts[idx];

        n = snprintf((char *)buf + used, left,
                     "ConnInfo: (%d:%s:%d Flags: %x)\n",
                     conn->protocol,
                     inet_ntoa(*(struct in_addr*) &conn->ip),
                     conn->port,
                     conn->cflags);

        if(n <= 0)
        {
            return -1;
        }

        used += n;
        left -= n;

        if(left <= 0)
        {
            return -1;
        }
    }

    /* successful exit! */
    return used;
}

/**
 * Make a packet with the flowps data in it.
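*
 * This is used to generate a fake IP datagram to carry portscan data
 * from snort so that it can be processed by custom utilities.
 *
 * SRC + DST mac addresses = "MACDAD"
 * sip == attacker, dip == destination of the triggering packet
 * ip proto 255
 * ttl = 0
 * chksum = 0
 *
 * The packet is the single static one set up by flowps_init_pkt(), so
 * the returned pointer is only valid until the next call.
 *
 * @param sep score entry to generate a packet from
 * @param orig_packet packet that triggered the alert; supplies the dst ip
 * @param address ptr to the address of the attacker
 * @param cur time to stamp into the pcap header
 *
 * @return a pointer to a fully formed packet on success, NULL when the
 *         score entry does not fit or the IP length would overflow
 */
static Packet *flowps_mkpacket(SCORE_ENTRY *sep, FLOWPACKET *orig_packet, u_int32_t *address, time_t cur)
{
    Packet *p = s_pkt;
    struct pcap_pkthdr *pkth;
    int len;
    u_int32_t dst_ip;
    unsigned short plen;

    pkth = (struct pcap_pkthdr *)p->pkth;
    pkth->ts.tv_sec = cur;

    dst_ip = GetIPv4DstIp(orig_packet);

    memcpy(&((IPHdr *)p->iph)->ip_src.s_addr, address, 4);
    memcpy(&((IPHdr *)p->iph)->ip_dst.s_addr, &dst_ip, 4);

    len = score_entry_sprint((unsigned char *)p->data, FLOWPSMAXPKTSIZE, sep, address);

    if(len <= 0)
    {
        /* score_entry_sprint() fails (-1) when it would fill the buffer,
         * so a positive len is always < FLOWPSMAXPKTSIZE and the
         * terminator written below stays inside p->data. */
        return NULL;
    }

    ((u_int8_t *)p->data)[len] = '\0';

    /* The payload plus the IP header must fit the 16-bit ip_len field.
     * Check on the int length before narrowing: the former
     * `(plen + IP_HEADER_LEN) < plen` test was evaluated in int after
     * promotion and could never fire. */
    if((unsigned long)len > 0xFFFFUL - IP_HEADER_LEN)
    {
        /* wrap around */
        return NULL;
    }

    /* explicitly cast it down */
    plen = (unsigned short)len;

    p->dsize = plen;

    plen += IP_HEADER_LEN;

    ((IPHdr *)p->iph)->ip_len = htons(plen);

    pkth->caplen = ETHERNET_HEADER_LEN + plen;
    pkth->len = ETHERNET_HEADER_LEN + plen;

    return p;
}

/**
 * Initialize the static packet used for the portscan flow plugin.
 *
 * This allocates 2 bytes over what it needs to so that the IP header
 * will be 32bit aligned.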
*
 * The buffer holds a pcap header, 2 bytes of alignment padding, an
 * Ethernet header and room for a maximum-size IP datagram.  The
 * Ethernet and IP headers are filled with fixed marker values; the IP
 * length and addresses are patched in later by flowps_mkpacket().
 *
 * NOTE(review): the SnortAlloc() results are not NULL-checked here; this
 * relies on SnortAlloc() not returning on failure -- confirm.
 *
 * @return FLOW_SUCCESS on success
 */
static int flowps_init_pkt(void)
{
    const char *mac_tag = "MACDADDY";   /* first 6 bytes become src + dst mac */
    const size_t align_pad = 2;         /* shifts the IP header onto a 32-bit boundary */
    Packet *pkt;
    u_int8_t *raw;
    EtherHdr *ethhdr;
    IPHdr *iphdr;

    pkt = (Packet *)SnortAlloc(sizeof(Packet));

    raw = (u_int8_t *)SnortAlloc(sizeof(struct pcap_pkthdr)
                                 + ETHERNET_HEADER_LEN
                                 + align_pad
                                 + IP_MAXPACKET);

    /* lay the fixed-offset pointers over the padded buffer */
    pkt->pkth = (struct pcap_pkthdr *)(raw + align_pad);
    pkt->pkt  = ((u_int8_t *)pkt->pkth) + sizeof(struct pcap_pkthdr);
    pkt->eh   = (EtherHdr *)((u_int8_t *)pkt->pkt);
    pkt->iph  = (IPHdr *)((u_int8_t *)pkt->eh + ETHERNET_HEADER_LEN);
    pkt->data = ((u_int8_t *)pkt->iph) + sizeof(IPHdr);

    /* pkt->data is now pkt + IP_MAXPACKET - (IP_HEADER_LEN + ETHERNET_HEADER_LEN);
     * this is MAXFLOWPSPKTSIZE */

    ethhdr = (EtherHdr *)pkt->eh;
    ethhdr->ether_type = htons(0x0800);
    memcpy(ethhdr->ether_dst, mac_tag, 6);
    memcpy(ethhdr->ether_src, mac_tag, 6);

    iphdr = (IPHdr *)pkt->iph;
    SET_IP_VER(iphdr, 0x4);
    SET_IP_HLEN(iphdr, 0x5);
    iphdr->ip_proto = 0xFF;  /* set a reserved protocol */
    iphdr->ip_ttl   = 0x00;  /* set a TTL we'd never see */
    iphdr->ip_len   = 0x5;
    iphdr->ip_tos   = 0x10;

    /* save off s_pkt for flowps_mkpkt */
    s_pkt = pkt;

    return FLOW_SUCCESS;
}