---[[ libnids应用实例 ]]----------------------------------

1、nids_next()函数的应用

============================ cut here ============================

/*
This is an example how one can use nids_getfd() and nids_next() functions.
You can replace printall.c's function main with this file.
*/

#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>

int
main ()
{
   // here we can alter libnids params, for instance:
   // nids_params.n_hosts=256;
   int fd;
   int time = 0;
   fd_set rset;
   struct timeval tv;

if (!nids_init ())
   {
         fprintf(stderr,"%s\n",nids_errbuf);
         exit(1);
   }
   nids_register_tcp (tcp_callback);
   fd = nids_getfd ();
   for (;;)
     {
       tv.tv_sec = 1;
       tv.tv_usec = 0;
       FD_ZERO (&rset);
       FD_SET (fd, &rset);
       // add any other fd we need to take care of
       if (select (fd + 1, &rset, 0, 0, &tv))
         {
                 if (FD_ISSET(fd,&rset)   // need to test it if there are other
                                         // fd in rset
                         if (!nids_next ()) break;
         }
       else
         fprintf (stderr, "%i ", time++);
     }
   return 0;
}

============================ cut here ============================

2、Simple sniffer

============================ cut here ============================

/*
    Copyright (c) 1999 Rafal Wojtczuk <nergal@avet.com.pl>. All rights reserved.
    See the file COPYING for license details.
*/

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <fcntl.h>
#include "nids.h"

#define LOG_MAX 100
#define SZLACZEK "\n--------------------------------------------------\n"

#define int_ntoa(x)      inet_ntoa(*((struct in_addr *)&x))

char *
adres (struct tuple4 addr)
{
   static char buf[256];
   strcpy (buf, int_ntoa (addr.saddr));
   sprintf (buf + strlen (buf), ",%i,", addr.source);
   strcat (buf, int_ntoa (addr.daddr));
   sprintf (buf + strlen (buf), ",%i : ", addr.dest);
   return buf;
}

int logfd;
void
do_log (char *adres_txt, char *data, int ile)
{
   write (logfd, adres_txt, strlen (adres_txt));
   write (logfd, data, ile);
   write (logfd, SZLACZEK, strlen (SZLACZEK));
}

void
sniff_callback (struct tcp_stream *a_tcp, void **this_time_not_needed)
{
   int dest;
   if (a_tcp->nids_state == NIDS_JUST_EST)
     {
       dest = a_tcp->addr.dest;
       if (dest == 21 || dest == 23 || dest == 110 || dest == 143 || dest == 513)
         a_tcp->server.collect++;
       return;
     }
   if (a_tcp->nids_state != NIDS_DATA)
     {
       // seems the stream is closing, log as much as possible
       do_log (adres (a_tcp->addr), a_tcp->server.data,
               a_tcp->server.count - a_tcp->server.offset);
       return;
     }
   if (a_tcp->server.count - a_tcp->server.offset < LOG_MAX)
     {
       // we haven't got enough data yet; keep all of it
       nids_discard (a_tcp, 0);
       return;
     }
    
   // enough data  
   do_log (adres (a_tcp->addr), a_tcp->server.data, LOG_MAX);

// Now procedure sniff_callback doesn't want to see this stream anymore.
   // So, we decrease all the "collect" fields we have previously increased.
   // If there were other callbacks following a_tcp stream, they would still
   // receive data
   a_tcp->server.collect--;
}

int
main ()
{
   logfd = open ("./logfile", O_WRONLY | O_CREAT | O_TRUNC, 0600);
   if (logfd < 0)
     {
       perror ("opening ./logfile:");
       exit (1);
     }
   if (!nids_init ())
     {
       fprintf (stderr, "%s\n", nids_errbuf);
       exit (1);
     }
   nids_register_tcp (sniff_callback);
   nids_run ();
   return 0;
}

============================ cut here ============================

3、Wu-FTPd overflow attack detector

============================ cut here ============================

/*
Copyright (c) 1999 Rafal Wojtczuk <nergal@avet.com.pl>. All rights reserved.
See the file COPYING for license details.
*/

/*
This code attempts to detect attack against imapd (AUTHENTICATE hole) and
wuftpd (creation of deep directory). This code is to ilustrate use of libnids;
in order to improve readability, some simplifications were made, which enables
an attacker to bypass this code (note, the below routines should be improved,
not libnids)
*/

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include "nids.h"

#define int_ntoa(x)      inet_ntoa(*((struct in_addr *)&x))

char *
adres (struct tuple4 addr)
{
   static char buf[256];
   strcpy (buf, int_ntoa (addr.saddr));
   sprintf (buf + strlen (buf), ",%i,", addr.source);
   strcat (buf, int_ntoa (addr.daddr));
   sprintf (buf + strlen (buf), ",%i", addr.dest);
   return buf;
}

/*
if we find a pattern AUTHENTICATE {an_int} in data stream sent to an imap
server, where an_int >1024, it means an buffer overflow attempt. We kill the
connection.
*/

#define PATTERN "AUTHENTICATE {"
#define PATLEN strlen(PATTERN)
void
detect_imap (struct tcp_stream *a_tcp)
{
   char numbuf[30];
   int i, j, datalen, numberlen;
   struct half_stream *hlf;
   if (a_tcp->nids_state == NIDS_JUST_EST)
     {
       if (a_tcp->addr.dest == 143)
         {
           a_tcp->server.collect++;
           return;
         }
       else
         return;
     }
   if (a_tcp->nids_state != NIDS_DATA)
     return;
   hlf = &a_tcp->server;
   datalen = hlf->count - hlf->offset;
   if (datalen < PATLEN)
     {
       // we have too small amount of data to work on. Keep all data in buffer.
       nids_discard (a_tcp, 0);
       return;
     }
   for (i = 0; i <= datalen - PATLEN; i++)
     if (!memcmp (PATTERN, hlf->data + i, PATLEN)) //searching for a pattern
       break;
   if (i > datalen - PATLEN)
     {
       // retain PATLEN bytes in buffer
       nids_discard (a_tcp, datalen - PATLEN);
       return;
     }
   for (j = i + PATLEN; j < datalen; j++) // searching for a closing '}'
     if (*(hlf->data + j) == '}')
       break;
   if (j > datalen)
     {
       if (datalen > 20)
         {
           //number too long, perhaps we should log it, too
         }
       return;
     }
   numberlen = j - i - PATLEN;
   memcpy (numbuf, hlf->data + i + PATLEN, numberlen); //numbuf contains
                                                       // AUTH argument
   numbuf[numberlen] = 0;
   if (atoi (numbuf) > 1024)
     {
       // notify admin
       syslog(nids_params.syslog_level,
       "Imapd exploit attempt, connection %s\n",adres(a_tcp->addr));
       // kill the connection
       nids_killtcp (a_tcp);
     }
   nids_discard (a_tcp, datalen - PATLEN);
   return;
}

// auxiliary structure, needed to keep current dir of ftpd daemon
struct supp
{
   char *currdir;
   int last_newline;
};

// the below function adds "elem" string to "path" string, taking care of
// ".." and multiple '/'. If the resulting path is longer than 768,
// return value is 1, otherwise 0
int
add_to_path (char *path, char *elem, int len)
{
int plen;
char * ptr;
   if (len > 768)
     return 1;
   if (len == 2 && elem[0] == '.' && elem[1] == '.')
     {
       ptr = rindex (path, '/');
       if (ptr != path)
         *ptr = 0;
     }
   else if (len > 0)
     {
       plen = strlen (path);
       if (plen + len + 1 > 768)
         return 1;
         if (plen==1)
         {
         strncpy(path+1,elem,len);
         path[1+len]=0;
         }
         else
         {
       path[plen] = '/';
       strncpy (path + plen + 1, elem, len);
       path[plen + 1 + len] = 0;
         }
     }
return 0;
}

void
do_detect_ftp (struct tcp_stream *a_tcp, struct supp **param_ptr)
{
   struct supp *p = *param_ptr;
   int index = p->last_newline + 1;
   char *buf = a_tcp->server.data;
   int offset = a_tcp->server.offset;
   int n_bytes = a_tcp->server.count - offset;
   int path_index, pi2, index2, remcaret;
   for (;;)
     {
       index2 = index;
       while (index2 - offset < n_bytes && buf[index2 - offset] != '\n')
         index2++;
       if (index2 - offset >= n_bytes)
         break;
       if (!strncasecmp (buf + index - offset, "cwd ", 4))
         {
           path_index = index + 4;
           if (buf[path_index - offset] == '/')
             {
               strcpy (p->currdir, "/");
               path_index++;
             }
           for (;;)
             {
               pi2 = path_index;
               while (buf[pi2 - offset] != '\n' && buf[pi2 - offset] != '/')
                 pi2++;
                 if (buf[pi2-offset]=='\n' && buf[pi2-offset-1]=='\r')
                 remcaret=1;
                 else remcaret=0;
               if (add_to_path (p->currdir, buf + path_index-offset, pi2 - path_index-remcaret))
                 {
                   // notify admin
                   syslog(nids_params.syslog_level,
                   "Ftpd exploit attempt, connection %s\n",adres(a_tcp->addr));
                   nids_killtcp (a_tcp);
                   return;
                 }
               if (buf[pi2 - offset] == '\n')
                 break;
               path_index = pi2 + 1;
             }
         }
       index = index2 + 1;
     }
   p->last_newline = index - 1;
   nids_discard (a_tcp, index - offset);
}

void
detect_ftpd (struct tcp_stream *a_tcp, struct supp **param)
{
   if (a_tcp->nids_state == NIDS_JUST_EST)
     {
       if (a_tcp->addr.dest == 21)
         {
           struct supp *one_for_conn;
           a_tcp->server.collect++;
           one_for_conn = (struct supp *) malloc (sizeof (struct supp));
           one_for_conn->currdir = malloc (1024);
           strcpy (one_for_conn->currdir, "/");
           one_for_conn->last_newline = 0;
           *param=one_for_conn;
         }
       return;
     }
   if (a_tcp->nids_state != NIDS_DATA)
     {
       free ((*param)->currdir);
       free (*param);
       return;
     }
   do_detect_ftp (a_tcp, param);
}

int
main ()
{
   if (!nids_init ())
   {
         fprintf(stderr,"%s\n",nids_errbuf);
         exit(1);
   }
   nids_register_tcp (detect_imap);
   nids_register_tcp (detect_ftpd);
   nids_run ();
   return 0;
}

libnids使用举例的更多相关文章

  1. Ajax 概念 分析 举例

    Ajax是结合了访问数据库,数据访问,Jquery 可以做页面局部刷新或者说是页面不刷新,我可以让页面不刷新,仅仅是数据的刷新,没有频繁的刷页面,是现在比较常用的一种方式做页面那么它是怎么实现页面无刷 ...

  2. ValueInjecter----最好用的OOM(以微信消息转对象举例)

    使用数据实体的好处我这里就不多说了,但大家享受这些好处的时候,难免也对那些琐碎的赋值代码感到厌烦,基于此,我认为掌握一个oom的使用,还是很有必要的. 这种类型的工具有很多,比如automapper, ...

  3. Oracle简单常用的数据泵导出导入(expdp/impdp)命令举例(上)

    <Oracle简单常用的数据泵导出导入(expdp/impdp)命令举例(上)> <Oracle简单常用的数据泵导出导入(expdp/impdp)命令举例(下)> 目的:指导项 ...

  4. Oracle简单常用的数据泵导出导入(expdp/impdp)命令举例(下)

    <Oracle简单常用的数据泵导出导入(expdp/impdp)命令举例(上)> <Oracle简单常用的数据泵导出导入(expdp/impdp)命令举例(下)> 目的:指导项 ...

  5. shell-script的简单举例

    #!/bin/bash #defind the path PATH=/usr/local export PATH read -p "please input your first name: ...

  6. 各大浏览器内核特性及对应的Browserhacks举例

    1.浏览器内核指的是什么? 简化的浏览器=用户界面+渲染引擎+js解析引擎+数据存储+网络部件 而通常所说的浏览器内核指的是页面渲染引擎(rendering engine). 2.渲染引擎 The r ...

  7. js调用php和php调用js的方法举例

    js调用php和php调用js的方法举例1 JS方式调用PHP文件并取得php中的值 举一个简单的例子来说明: 如在页面a.html中用下面这句调用: <script type="te ...

  8. c++局部变量经典举例

    局部变量: 在函数内部声明的变量为局部变量,局部变量的意思即该变量只存活在该函数中,假如该函数调用结束,那么该变量的寿命也结束了. 举例: #include<iostream> using ...

  9. HTTPS Web配置举例

    http://www.h3c.com.cn/Products___Technology/Technology/Security_Encrypt/Other_technology/Representat ...

随机推荐

  1. Python之路,入门学习(一)

    一.变量\字符编码 声明变量 #_*_coding:utf-8_*_ name = "Alex Li" 上述代码声明了一个变量,变量名为: name,变量name的值为:" ...

  2. 【HDU 5382】 GCD?LCM! (数论、积性函数)

    GCD?LCM! Time Limit: 2000/1000 MS (Java/Others)    Memory Limit: 131072/131072 K (Java/Others)Total ...

  3. codeforces 596E Wilbur and Strings

    题意:一个矩阵上面有0~9的数字,可以从任意一个格子出发,每次根据格子上的数字会前进到另一个格子(或原地不动),现在给出q个数位串,问是否有走法可以取出这个串(走到格子上的时候可以不取). 思路:发现 ...

  4. HICON泄漏

    通常,我们使用的HICON对象只需用DestroyIcon后就不存在内存泄漏了,但是当我们使用GetIconInfo后会发现程序GDI资源存在泄漏,原因是GetIconInfo会产生2个HBITMAP ...

  5. Slickflow.NET 开源工作流引擎高级开发(二) -- 流程快速测试增值服务工具介绍

    前言:流程是由若干个任务节点组成,流转过程就是从一个节点转移到下一个节点,通常需要不断切换用户身份来完成流程的测试,这样使得测试效率比较低下,本文从实战出发,介绍常见的两种快速测试方法,用于提升流程测 ...

  6. ConcurrentHashMap内存溢出问题

    写在前面 上周,同事写了一段ConcurrentHashMap的测试代码,说往map里放了32个元素就内存溢出了,我大致看了一下他的代码及运行的jvm参数,觉得很奇怪,于是就自己捣鼓了一下.首先上一段 ...

  7. HDU 4771 Stealing Harry Potter's Precious (2013杭州赛区1002题,bfs,状态压缩)

    Stealing Harry Potter's Precious Time Limit: 2000/1000 MS (Java/Others)    Memory Limit: 32768/32768 ...

  8. 关于Reactor和Proactor的差别

    /*********************************************************************  * Author  : Samson  * Date   ...

  9. 网站前端优化技术 BigPipe分块处理技术

    前端优化已经到极致了么?业务还在为看到不停的而揪心么?还在为2秒率不达标苦恼么? 好吧我知道答案,大家一如既往的烦恼中... 那么接下来我们看看,facebook,淘宝,人人网,一淘都是怎么做前端优化 ...

  10. 在ASP.NET MVC中使用typeahead.js支持预先输入,即智能提示

    使用typeahead.js可以实现预先输入,即智能提示,本篇在ASP.NET MVC下实现.实现效果如下: 首先是有关城市的模型. public class City { public int Id ...