---[[ libnids应用实例 ]]----------------------------------

1、nids_next()函数的应用

============================ cut here ============================

/*
This is an example of how one can use the nids_getfd() and nids_next() functions.
You can replace printall.c's function main with this file.
*/

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>

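/*
 * main - drive libnids from a select() loop instead of nids_run().
 *
 * nids_getfd() hands out the descriptor libnids reads packets from; once it
 * is readable, nids_next() processes exactly one packet.  Every second
 * without traffic a counter is printed to stderr.  Returns 0 when
 * nids_next() reports end of input, 1 when select() fails.
 */
int
main ()
{
   // here we can alter libnids params, for instance:
   // nids_params.n_hosts=256;
   int fd;
   int idle_ticks = 0;   /* formerly named `time`, which shadows time(3) */
   fd_set rset;
   struct timeval tv;

   if (!nids_init ())
     {
       fprintf (stderr, "%s\n", nids_errbuf);
       exit (1);
     }
   nids_register_tcp (tcp_callback);
   fd = nids_getfd ();
   for (;;)
     {
       int ready;

       /* select() may modify both the set and the timeout: rebuild them
          on every iteration. */
       tv.tv_sec = 1;
       tv.tv_usec = 0;
       FD_ZERO (&rset);
       FD_SET (fd, &rset);
       // add any other fd we need to take care of
       ready = select (fd + 1, &rset, 0, 0, &tv);
       if (ready < 0)
         {
           /* The original treated -1 like "ready" and called nids_next();
              retry on a signal, otherwise report and stop. */
           if (errno == EINTR)
             continue;
           perror ("select");
           return 1;
         }
       if (ready == 0)
         {
           /* timeout: nothing arrived within a second */
           fprintf (stderr, "%i ", idle_ticks++);
           continue;
         }
       if (FD_ISSET (fd, &rset))   // need to test it if there are other
         {                         // fd in rset
           if (!nids_next ())
             break;
         }
     }
   return 0;
}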

============================ cut here ============================

2、Simple sniffer

============================ cut here ============================

/*
    Copyright (c) 1999 Rafal Wojtczuk <nergal@avet.com.pl>. All rights reserved.
    See the file COPYING for license details.
*/

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <fcntl.h>
#include "nids.h"

#define LOG_MAX 100
#define SZLACZEK "\n--------------------------------------------------\n"

#define int_ntoa(x)      inet_ntoa(*((struct in_addr *)&x))

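/*
 * adres - format a connection as "src,sport,dst,dport : ".
 *
 * addr: the libnids 4-tuple of the stream.
 * Returns a pointer to a static buffer that is overwritten by the next
 * call (not reentrant, like the original).
 */
char *
adres (struct tuple4 addr)
{
   static char buf[256];
   struct in_addr src = { .s_addr = addr.saddr };
   struct in_addr dst = { .s_addr = addr.daddr };
   int n;

   /* inet_ntoa() returns a static buffer, so each conversion is consumed
      by its own bounded snprintf() before the next one is made. */
   n = snprintf (buf, sizeof buf, "%s,%i,", inet_ntoa (src), addr.source);
   if (n < 0 || (size_t) n >= sizeof buf)
     {
       buf[0] = '\0';   /* not reachable with a 256-byte buffer; stay terminated */
       return buf;
     }
   snprintf (buf + n, sizeof buf - (size_t) n, "%s,%i : ",
             inet_ntoa (dst), addr.dest);
   return buf;
}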

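int logfd;   /* descriptor of the log file, opened in main() */

/* Write all of buf[0..n) to fd, continuing after a short write.  Logging
   is best-effort: a failing write() abandons the rest of this piece. */
static void
write_all (int fd, const char *buf, size_t n)
{
   while (n > 0)
     {
       ssize_t w = write (fd, buf, n);
       if (w <= 0)
         return;
       buf += w;
       n -= (size_t) w;
     }
}

/*
 * do_log - append one record to logfd: the connection description, the
 * captured bytes, then the SZLACZEK separator.
 *
 * adres_txt: NUL-terminated connection description (see adres()).
 * data, ile: captured bytes and their count.  The original passed a
 *            negative count straight to write(); here it logs no data.
 */
void
do_log (const char *adres_txt, const char *data, int ile)
{
   write_all (logfd, adres_txt, strlen (adres_txt));
   if (ile > 0)
     write_all (logfd, data, (size_t) ile);
   write_all (logfd, SZLACZEK, strlen (SZLACZEK));
}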

/*
 * sniff_callback - libnids TCP callback that logs the first LOG_MAX bytes
 * the client sends on a few well-known plaintext services.
 *
 * a_tcp: the stream being reported on.
 * this_time_not_needed: per-listener data pointer, unused here.
 *
 * On establishment the server half is "collected" for ports 21, 23, 110,
 * 143 and 513.  While fewer than LOG_MAX bytes are buffered everything is
 * kept; once LOG_MAX are available they are logged and the stream is
 * dropped by undoing the collect.  A stream closing early is logged with
 * whatever was buffered.
 */
void
sniff_callback (struct tcp_stream *a_tcp, void **this_time_not_needed)
{
   struct half_stream *srv = &a_tcp->server;
   int pending;

   switch (a_tcp->nids_state)
     {
     case NIDS_JUST_EST:
       switch (a_tcp->addr.dest)
         {
         case 21:
         case 23:
         case 110:
         case 143:
         case 513:
           srv->collect++;
           break;
         default:
           break;
         }
       return;
     case NIDS_DATA:
       break;
     default:
       // seems the stream is closing, log as much as possible
       do_log (adres (a_tcp->addr), srv->data, srv->count - srv->offset);
       return;
     }

   pending = srv->count - srv->offset;
   if (pending < LOG_MAX)
     {
       // we haven't got enough data yet; keep all of it
       nids_discard (a_tcp, 0);
       return;
     }

   // enough data
   do_log (adres (a_tcp->addr), srv->data, LOG_MAX);

   // This callback is done with the stream: undo the collect we added on
   // establishment.  Other callbacks following a_tcp still receive data.
   srv->collect--;
}

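/*
 * main - open ./logfile (truncating any previous one, mode 0600), start
 * libnids and run sniff_callback on every TCP stream until nids_run()
 * returns.  Exits with status 1 if the log cannot be opened or libnids
 * fails to initialise.
 */
int
main ()
{
   logfd = open ("./logfile", O_WRONLY | O_CREAT | O_TRUNC, 0600);
   if (logfd < 0)
     {
       /* perror() appends ": <reason>" itself; the original's trailing
          colon produced "opening ./logfile:: ..." */
       perror ("opening ./logfile");
       exit (1);
     }
   if (!nids_init ())
     {
       fprintf (stderr, "%s\n", nids_errbuf);
       exit (1);
     }
   nids_register_tcp (sniff_callback);
   nids_run ();
   return 0;
}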

============================ cut here ============================

3、Wu-FTPd overflow attack detector

============================ cut here ============================

/*
Copyright (c) 1999 Rafal Wojtczuk <nergal@avet.com.pl>. All rights reserved.
See the file COPYING for license details.
*/

/*
This code attempts to detect attacks against imapd (AUTHENTICATE hole) and
wuftpd (creation of a deep directory). It is meant to illustrate the use of
libnids; in order to improve readability, some simplifications were made, which
enable an attacker to bypass this code (note that the routines below should be
improved, not libnids).
*/

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include "nids.h"

#define int_ntoa(x)      inet_ntoa(*((struct in_addr *)&x))

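/*
 * adres - format a connection as "src,sport,dst,dport".
 *
 * addr: the libnids 4-tuple of the stream.
 * Returns a pointer to a static buffer that is overwritten by the next
 * call (not reentrant, like the original).
 */
char *
adres (struct tuple4 addr)
{
   static char buf[256];
   struct in_addr src = { .s_addr = addr.saddr };
   struct in_addr dst = { .s_addr = addr.daddr };
   int n;

   /* inet_ntoa() returns a static buffer, so each conversion is consumed
      by its own bounded snprintf() before the next one is made. */
   n = snprintf (buf, sizeof buf, "%s,%i,", inet_ntoa (src), addr.source);
   if (n < 0 || (size_t) n >= sizeof buf)
     {
       buf[0] = '\0';   /* not reachable with a 256-byte buffer; stay terminated */
       return buf;
     }
   snprintf (buf + n, sizeof buf - (size_t) n, "%s,%i",
             inet_ntoa (dst), addr.dest);
   return buf;
}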

/*
If we find the pattern AUTHENTICATE {an_int} in the data stream sent to an imap
server, where an_int > 1024, it indicates a buffer overflow attempt. We kill the
connection.
*/

#define PATTERN "AUTHENTICATE {"
#define PATLEN strlen(PATTERN)
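/*
 * detect_imap - libnids TCP callback watching the client->server half of
 * IMAP (port 143) streams for "AUTHENTICATE {<n>}" with n > 1024.
 *
 * a_tcp: the stream being reported on.  Only NIDS_JUST_EST (to start
 *        collecting the server half) and NIDS_DATA are acted upon.
 *
 * Data handling: bytes that may still complete the pattern are retained via
 * nids_discard(); a match is logged through syslog and the connection is
 * killed with nids_killtcp().  The length literal is copied into numbuf, so
 * the copy is capped at sizeof numbuf - 1 bytes — the original copied
 * j - i - PATLEN bytes unchecked, which let a long argument overrun the
 * 30-byte stack buffer.
 */
void
detect_imap (struct tcp_stream *a_tcp)
{
   char numbuf[30];
   size_t i, j, datalen, numberlen;
   const size_t patlen = PATLEN;
   struct half_stream *hlf;
   long value;

   if (a_tcp->nids_state == NIDS_JUST_EST)
     {
       // only the server half of IMAP connections is of interest
       if (a_tcp->addr.dest == 143)
         a_tcp->server.collect++;
       return;
     }
   if (a_tcp->nids_state != NIDS_DATA)
     return;

   hlf = &a_tcp->server;
   if (hlf->count < hlf->offset)
     return;                          /* not expected; guards the size_t math */
   datalen = (size_t) (hlf->count - hlf->offset);
   if (datalen < patlen)
     {
       // we have too small amount of data to work on. Keep all data in buffer.
       nids_discard (a_tcp, 0);
       return;
     }

   // searching for the pattern
   for (i = 0; i + patlen <= datalen; i++)
     if (memcmp (PATTERN, hlf->data + i, patlen) == 0)
       break;
   if (i + patlen > datalen)
     {
       // not found: retain PATLEN bytes in buffer, the pattern may straddle
       nids_discard (a_tcp, (int) (datalen - patlen));
       return;
     }

   // searching for a closing '}'
   for (j = i + patlen; j < datalen; j++)
     if (hlf->data[j] == '}')
       break;
   if (j >= datalen)
     {
       /* No closing brace yet.  (The original tested j > datalen, which the
          loop above can never satisfy, so an unterminated argument was
          parsed and copied in full.)  Keep the pending command if its
          argument could still fit numbuf once completed; otherwise return
          and let libnids apply its default handling of the buffer. */
       if (datalen - (i + patlen) < sizeof numbuf - 1)
         nids_discard (a_tcp, (int) i);
       return;
     }

   numberlen = j - i - patlen;
   if (numberlen > sizeof numbuf - 1)
     numberlen = sizeof numbuf - 1;   /* bound the copy to the buffer */
   memcpy (numbuf, hlf->data + i + patlen, numberlen);   // numbuf contains
   numbuf[numberlen] = '\0';                             // AUTH argument

   /* strtol() reads the same leading-digit prefix atoi() did, but saturates
      at LONG_MAX instead of overflowing, so an absurdly long literal is
      still > 1024. */
   value = strtol (numbuf, NULL, 10);
   if (value > 1024)
     {
       // notify admin
       syslog (nids_params.syslog_level,
               "Imapd exploit attempt, connection %s\n", adres (a_tcp->addr));
       // kill the connection
       nids_killtcp (a_tcp);
     }
   nids_discard (a_tcp, (int) (datalen - patlen));
}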

// auxiliary structure, needed to keep current dir of ftpd daemon
// (one per monitored FTP connection: allocated in detect_ftpd on
// NIDS_JUST_EST, freed there on any non-DATA state, used by do_detect_ftp)
struct supp
{
   char *currdir;       // heap buffer holding the directory tracked from CWD commands
   int last_newline;    // absolute stream position (not buffer index) of the last
                        // '\n' that do_detect_ftp has already consumed
};

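/* Longest path add_to_path() will build; longer ones are reported as an
   overflow attempt by the caller.  Must stay below the 1024-byte buffer
   detect_ftpd allocates for currdir. */
enum { MAX_PATH_LEN = 768 };

/*
 * add_to_path - append one directory component to a path in place, taking
 * care of ".." and repeated '/'.
 *
 * path: NUL-terminated absolute path ("/" for the root), with room for at
 *       least MAX_PATH_LEN + 1 bytes.
 * elem: start of the component (not NUL-terminated); len: its length.
 *
 * ".." strips the last component ("/a/b" -> "/a", "/a" -> "/"; the original
 * left "/a" unchanged because it refused to write at path[0]).  Empty
 * components are ignored.  Returns 1 when the component, or the resulting
 * path, would exceed MAX_PATH_LEN characters, otherwise 0.
 */
int
add_to_path (char *path, const char *elem, int len)
{
   if (len > MAX_PATH_LEN)
     return 1;
   if (len <= 0)
     return 0;                       /* "//" or "cwd /": nothing to add */

   if (len == 2 && elem[0] == '.' && elem[1] == '.')
     {
       char *slash = strrchr (path, '/');
       if (slash == NULL)
         return 0;                   /* not absolute: nothing to strip */
       if (slash == path)
         path[1] = '\0';             /* last component is directly under "/" */
       else
         *slash = '\0';
       return 0;
     }

   size_t plen = strlen (path);
   if (plen + (size_t) len + 1 > MAX_PATH_LEN)
     return 1;
   /* do not produce "//" when appending to the root directory */
   if (!(plen == 1 && path[0] == '/'))
     path[plen++] = '/';
   memcpy (path + plen, elem, (size_t) len);
   path[plen + (size_t) len] = '\0';
   return 0;
}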

/*
 * do_detect_ftp - scan newly buffered client->server FTP data for CWD
 * commands and feed each path component to add_to_path(); when that
 * reports the path limit is exceeded, log via syslog and kill the stream.
 *
 * a_tcp:     the stream (NIDS_DATA state, checked by the caller).
 * param_ptr: per-connection state allocated by detect_ftpd.
 *
 * index, index2, path_index and pi2 are absolute stream positions;
 * "x - offset" converts one into an index into buf.  Only complete lines
 * (terminated by '\n') are examined; a trailing partial line is left in the
 * buffer for the next call through last_newline / nids_discard.
 * Note: the local `index` may shadow the legacy index(3) function.
 */
void
do_detect_ftp (struct tcp_stream *a_tcp, struct supp **param_ptr)
{
   struct supp *p = *param_ptr;
   int index = p->last_newline + 1;          // first byte not yet examined
   char *buf = a_tcp->server.data;
   int offset = a_tcp->server.offset;        // stream position of buf[0]
   int n_bytes = a_tcp->server.count - offset;
   int path_index, pi2, index2, remcaret;
   for (;;)
     {
       // find the end of the current line
       index2 = index;
       while (index2 - offset < n_bytes && buf[index2 - offset] != '\n')
         index2++;
       if (index2 - offset >= n_bytes)
         break;                               // incomplete line: wait for more
       // case-insensitive match; comparison stops at the '\n' at the latest
       if (!strncasecmp (buf + index - offset, "cwd ", 4))
         {
           path_index = index + 4;
           if (buf[path_index - offset] == '/')
             {
               // absolute argument: restart from the root
               strcpy (p->currdir, "/");
               path_index++;
             }
           for (;;)
             {
               // one component: up to the next '/' or the end of line
               pi2 = path_index;
               while (buf[pi2 - offset] != '\n' && buf[pi2 - offset] != '/')
                 pi2++;
                 // drop a trailing '\r' from the last component of a CRLF line
                 if (buf[pi2-offset]=='\n' && buf[pi2-offset-1]=='\r')
                 remcaret=1;
                 else remcaret=0;
               if (add_to_path (p->currdir, buf + path_index-offset, pi2 - path_index-remcaret))
                 {
                   // notify admin
                   syslog(nids_params.syslog_level,
                   "Ftpd exploit attempt, connection %s\n",adres(a_tcp->addr));
                   nids_killtcp (a_tcp);
                   // last_newline is not advanced and nothing is discarded here
                   return;
                 }
               if (buf[pi2 - offset] == '\n')
                 break;
               path_index = pi2 + 1;
             }
         }
       index = index2 + 1;                    // continue after the '\n'
     }
   // remember where to resume and drop everything already examined
   p->last_newline = index - 1;
   nids_discard (a_tcp, index - offset);
}

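/*
 * detect_ftpd - libnids TCP callback for the wu-ftpd deep-directory check.
 *
 * a_tcp: the stream being reported on.
 * param: per-listener data pointer; holds the struct supp for this
 *        connection between calls (NULL until allocated here).
 *
 * On NIDS_JUST_EST a struct supp is allocated for port-21 streams and the
 * server half is collected; on NIDS_DATA the work is done by
 * do_detect_ftp(); on any other state the per-connection state is freed.
 */
void
detect_ftpd (struct tcp_stream *a_tcp, struct supp **param)
{
   enum { CURRDIR_BUFSZ = 1024 };   /* room for MAX_PATH_LEN plus the NUL */

   if (a_tcp->nids_state == NIDS_JUST_EST)
     {
       if (a_tcp->addr.dest == 21)
         {
           struct supp *one_for_conn = malloc (sizeof *one_for_conn);
           if (one_for_conn == NULL)
             return;                /* out of memory: leave this stream unwatched */
           one_for_conn->currdir = malloc (CURRDIR_BUFSZ);
           if (one_for_conn->currdir == NULL)
             {
               free (one_for_conn);
               return;
             }
           strcpy (one_for_conn->currdir, "/");
           /* do_detect_ftp starts at last_newline + 1; the original value 0
              made it begin at stream position 1, skipping the first byte of
              the first command line. */
           one_for_conn->last_newline = -1;
           *param = one_for_conn;
           /* collect only once the state it needs exists */
           a_tcp->server.collect++;
         }
       return;
     }
   if (a_tcp->nids_state != NIDS_DATA)
     {
       /* Stream is closing, reset or timed out: release our state.  libnids
          appears to report these states to every registered callback, so
          *param can still be NULL for streams we never allocated for
          (non-FTP ports, failed malloc); the original dereferenced it. */
       if (*param != NULL)
         {
           free ((*param)->currdir);
           free (*param);
           *param = NULL;
         }
       return;
     }
   if (*param == NULL)
     return;                        /* no state: not a stream we collect */
   do_detect_ftp (a_tcp, param);
}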

/*
 * main - initialise libnids, register both detectors and hand control to
 * nids_run().  Exits with status 1 if libnids fails to initialise,
 * printing nids_errbuf to stderr.
 */
int
main ()
{
   int initialised = nids_init ();

   if (!initialised)
     {
       fprintf (stderr, "%s\n", nids_errbuf);
       exit (1);
     }

   /* each registered callback is invoked for every TCP stream */
   nids_register_tcp (detect_imap);
   nids_register_tcp (detect_ftpd);

   nids_run ();   /* presumably returns only when capture ends */
   return 0;
}
