linux-nids.c

linux下的入侵检测的代码

{
printf("----------------------\n");
strcpy(address_string,inet_ntoa(*((struct in_addr *)&(ip_and_port.saddr))));
sprintf(address_string+strlen(address_string),":%i",ip_and_port.source);
strcat(address_string,"urgent--->");
strcat(address_string,inet_ntoa(*((struct in_addr *)&(ip_and_port.daddr))));
sprintf(address_string+strlen(address_string),":%i",ip_and_port.dest);
strcat(address_string,"\n");
address_string[strlen(address_string)+1]=0;
address_string[strlen(address_string)]=tcp_connection->server.urgdata;
printf("%s",address_string);
return;

}
if (tcp_connection->client.count_new_urg)//tcp�ͻ��˽��ܵ��µĽ�������
{
printf("----------------------\n");
strcat(address_string,inet_ntoa(*((struct in_addr *)&(ip_and_port.daddr))));
sprintf(address_string+strlen(address_string),":%i",ip_and_port.dest);
strcat(address_string,"<---urgent");
strcat(address_string,inet_ntoa(*((struct in_addr *)&(ip_and_port.daddr))));
sprintf(address_string+strlen(address_string),":%i",ip_and_port.dest);
strcat(address_string,"\n");
address_string[strlen(address_string)+1]=0;
address_string[strlen(address_string)]=tcp_connection->client.urgdata;
printf("%s",address_string);
return;

}
if (tcp_connection->client.count_new)
{
hlf=&tcp_connection->client;//hlf��ʾ���ǿͻ��˵�tcp�����Ϣ
strcat(address_string,inet_ntoa(*((struct in_addr *)&(ip_and_port.daddr))));
sprintf(address_string+strlen(address_string),":%i",ip_and_port.dest);
strcat(address_string,"<---");
strcat(address_string,inet_ntoa(*((struct in_addr *)&(ip_and_port.daddr))));
sprintf(address_string+strlen(address_string),":%i",ip_and_port.dest);
strcat(address_string,"\n");
printf("------------------------\n");
printf("%s",address_string);
memcpy(content,hlf->data,hlf->count_new);
content[hlf->count_new]='\0';
printf("client reseive data !\n");
for (i=0;i<hlf->count_new;i++)
{
printf("%s",char_to_ascii(content[i]));
//�����ͻ��˽��ܵ��µ����ݣ����Դ�ӡ�ַ�������ʾ

}
printf("\n");
}
else//�����˽��ܵ��µ�����
{
hlf=&tcp_connection->server;
strcat(address_string,inet_ntoa(*((struct in_addr *)&(ip_and_port.daddr))));
sprintf(address_string+strlen(address_string),":%i",ip_and_port.dest);
strcat(address_string,"--->");
strcat(address_string,inet_ntoa(*((struct in_addr *)&(ip_and_port.daddr))));
sprintf(address_string+strlen(address_string),":%i",ip_and_port.dest);
strcat(address_string,"\n");
printf("--------------------\n");
printf("%s",address_string);
memcpy(content,hlf->data,hlf->count_new);
content[hlf->count_new='\0'];
printf("server reseive data !");
for (i=0;i<hlf->count_new;i++)
{
printf("%s",char_to_ascii(content[i]));


}
printf("\n");

}
}
default:
break;

}
return;
}

char *nids_warningss[] = {"Murphy - you never should see this message !"};

/*�����Ǽ���ɨ�蹥�����쳣���ݰ��ĺ���*/
static void my_nids_syslog(int type, int errnum, struct ip_header *iph, void *data)
{
        static int scan_number = 0;
        char source_ip[20];
        char destination_ip[20];
        char string_content[1024];
        struct host* host_information;
        unsigned char flagsand = 255,flagsor = 0;
        int i;
        char content[1024];
        //printf("ff");
        switch (type)                                                /*��������*/
        {
        case NIDS_WARN_IP:
                if (errnum !=NIDS_WARN_IP_HDR)
                {
                        sound_alarm();
                        strcpy(source_ip, inet_ntoa(*((struct in_addr *) &(iph->ip_source_address.s_addr))));
                        strcpy(destination_ip, inet_ntoa(*((struct in_addr *) &(iph->ip_destination_address.s_addr))));
                        printf("%s,packet(apparently from %s to %s\n", nids_warnings[errnum],source_ip, destination_ip);
                }
                else
                {
                        printf("%s\n", nids_warnings[errnum]);
                        break;
                }
        case NIDS_WARN_TCP:
                strcpy(source_ip, inet_ntoa(*((struct in_addr *) &(iph->ip_source_address.s_addr))));
                strcpy(destination_ip, inet_ntoa(*((struct in_addr *) &(iph->ip_destination_address.s_addr))));
                if (errnum != NIDS_WARN_TCP_HDR)
                {

                        sound_alarm();
                        printf("%s,from %s:%hi to %s:%hi\n", nids_warnings[errnum], source_ip, ntohs(((struct tcp_header *) data)->th_sport), destination_ip, ntohs(((struct tcp_header *) data)->th_dport));
                }
                else
                {
                        printf("%s,from %s to %s\n", nids_warnings[errnum], source_ip, destination_ip);
                }
                break;
        case NIDS_WARN_SCAN:
                scan_number++;
                sound_alarm();
                FILE * file=fopen("log.txt","a+");

                //printf("%s", string_content);
                printf("----- DISCOVER PORT SCAN! -----\n\n");
                fputs("----- DISCOVER PORT SCAN! -----\n\n",file);
                printf("------------- %d -------------\n\n", scan_number);
                fputs(string_content,file);
                fputc('\n',file);

                host_information = (struct host *) data;
                sprintf(string_content, "SCANER IP:\n");
                printf("%s", string_content);
                fputs(string_content,file);
                fputc('\n',file);

                sprintf(string_content, "%s\n", inet_ntoa(*((struct in_addr *) &(host_information->addr))));
                printf("%s", string_content);
                fputs(string_content,file);
                fputc('\n',file);

                sprintf(string_content, "BEEN SCANED IP:\n");
                printf("%s", string_content);
                fputs(string_content,file);
                fputc('\n',file);

                sprintf(string_content, "");
                for(i = 0; i < host_information->n_packets; i++)
                {
                        strcat(string_content, inet_ntoa(*((struct in_addr *) &(host_information->packets[i].addr))));
                        sprintf(string_content + strlen(string_content), ":%hi\n", host_information->packets[i].port);
                        flagsand &= host_information->packets[i].flags;
                        flagsor |= host_information->packets[i].flags;
                }
                printf("%s", string_content);
                fputs(string_content,file);
                fputc('\n',file);
                sprintf(string_content, "");
                if (flagsand == flagsor)
                {
                        i = flagsand;
                        switch (flagsand)
                        {
                        case 2:
                                strcat(string_content, "SCAN TYPE: SYN\n");

                                break;
                        case 0:
                                strcat(string_content, "SCAN TYPE: NULL\n");
                                break;
                        case 1:
                                strcat(string_content, "SCAN TYPE: FIN\n");
                                break;
                        default:
                                sprintf(string_content + strlen(string_content), "ID=0x%x\n", i);
                        }
                }
                else
                {
                        strcat(string_content, "UNCOMMONT ID\n");
                }
                printf("%s", string_content);
                fputs(string_content,file);
                fputc('\n',file);
                break;
        default:
                sprintf(content, "UNKNOWN");
                printf("%s", string_content);
                fputs(string_content,file);
                fputc('\n',file);
                break;
        }
}

int  main()
{

printf("\n\n\n=+=+=+=+=+=+=+==+=++==++==+=++=+=+==++=+=+=+=+=+=+=+=welcome to the  SIMPLE LINUX NIDS SYSTEM!=+=+=+=+=+=+=+=+=+=+==+==+=+++==+=++=+=+=+=+=+=+=+=+=\n\n\n");

//struct nids_prm nids_params;

if (!nids_init())
        {
                printf("error : %s\n", nids_errbuf);
                exit(0);
        }

printf("=+=+=+=+=+=+=+==+=++==++==+=++=+=+==++=+=+=+=+=+=+=+=WHAT  WOULD  YOU  LIKE  TO  DO ?=+=+=+=+=+=+=+==+=++==++==+=++=+=+==++=+=+=+=+=+=+=+=\n");

printf("*                                                                                                               *\n");
printf("*");
printf("                                           1 :CAP UDP PACKETS !                                                *\n");

printf("*                                                                                                               *\n");
printf("*");
printf("                                           2 :CAP TCP PACKETS !                                                *\n");

printf("*                                                                                                               *\n");
printf("*");
printf("                                           3 :DETECK PORT SCAN !                                               *\n");

printf("*\n");
printf("*");
printf("YOU CHOCIES  :");
unsigned short choice;
scanf("%d",&choice);
printf("\n");
switch(choice)
{
case 1:
printf("*");
printf("you chosice is %d , CAP UDP packets!\n",choice);
nids_register_udp(udp_callback);
break;

case 2:
printf("*");
printf("you chosice is %d , CAP TCP packets\n!",choice);
nids_register_tcp(tcp_protocol_callback);
break;

case 3:
{
printf("*");
printf("you chosice is %d , PORT SCAN NIDS !\n\n",choice);

        nids_params.syslog = my_nids_syslog;
        nids_params.pcap_filter = "ip";
        printf("*\n");
printf("**\n");
printf("***\n");
}
break;

default :break;
}


nids_run();
return 0;
}