
急!linux系统下的基于特征串匹配攻击检测系统的问题

为什么运行了以后没反应就直接结束了啊?下面附代码

#include
#include
#include
#include
#include
#include
#include
#include

typedef struct Packetinfo{
/* One captured TCP segment as seen by matchpattern()/output_alert().
 * Filled in by pcap_callback(); packetcontent points into libpcap's
 * packet buffer (pkt_data), it is not a copy and is not owned here. */
u_char src_ip[4];      /* IPv4 source address, raw bytes in wire order */
u_char dest_ip[4];     /* IPv4 destination address, raw bytes in wire order */
char *packetcontent;   /* first byte of the TCP payload inside the capture buffer */
int contentlen;        /* number of payload bytes that matchpattern() may read from packetcontent */
}PACKETINFO;

typedef struct AttackPattern{
/* One signature loaded from the pattern file: each line is "<description>#<pattern>".
 * Nodes are malloc'ed by readpattern() and pushed at the head of the global list,
 * so the list is in reverse file order. readpattern() fills attackdes and
 * patterncontent with memcpy and does not write a terminating NUL into either
 * array — attackdes is nevertheless printed with %s by output_alert(). */
char attackdes[256];       /* text before the '#' on the pattern-file line */
char patterncontent[256];  /* bytes after the '#' (not NUL-terminated; use patternlen) */
int patternlen;            /* number of valid bytes in patterncontent */
struct AttackPattern *next;/* next pattern in the singly-linked list, NULL at the end */
}ATTACKPATTERN;

typedef struct{
/* Overlay for the IPv4 header; pcap_callback() casts pkt_data+14 to this type.
 * NOTE(review): bit-field placement and the order of nibbles within a byte are
 * ABI-dependent, so version/header_len and flags/fragment may not line up with
 * the wire layout on every compiler/architecture — confirm before relying on them.
 * NOTE(review): total_len, ident and checksum are multi-byte fields stored on the
 * wire in network (big-endian) order; nothing here converts them, so on a
 * little-endian host total_len reads byte-swapped. */
u_char version:4;          /* IP version nibble (ordering relative to header_len is ABI-dependent) */
u_char header_len:4;       /* header length in 32-bit words */
u_char tos:8;              /* type of service */
u_int16_t total_len:16;    /* total datagram length, wire byte order (unconverted) */
u_int16_t ident:16;        /* identification, wire byte order (unconverted) */
u_char flags:3;            /* fragmentation flags (placement ABI-dependent) */
u_int16_t fragment:13;     /* fragment offset (placement ABI-dependent) */
u_char ttl:8;              /* time to live */
u_char proto:8;            /* transport protocol number; 6 = TCP (compared in pcap_callback) */
u_int16_t checksum;        /* header checksum, wire byte order (unconverted) */
u_char sourceIP[4];        /* source address, raw bytes */
u_char destIP[4];          /* destination address, raw bytes */
}IPHEADER;

ATTACKPATTERN *pPatternHeader;   /* head of the pattern list built by readpattern(); NULL until then */
int minpattern_len;              /* length of the shortest loaded pattern; readpattern() seeds it with 1000 */

/* Forward declarations. Functions returning int use 0 for success and 1 for failure. */
int main(int argc,char *argv[]);
int parse_para(int argc,char *argv[],char *filename);                 /* copies argv[1] into filename (256 bytes) */
int readpattern(char *patternfile);                                   /* builds pPatternHeader / minpattern_len */
void pcap_callback(u_char *user,const struct pcap_pkthdr *header,const u_char *pkt_data); /* libpcap per-packet handler */
int matchpattern(ATTACKPATTERN *pOnepattern,PACKETINFO *pOnepacket);  /* 1 if the pattern occurs in the payload */
void output_alert(ATTACKPATTERN *pOnepattern,PACKETINFO *pOnepacket); /* prints one alert to stdout */

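int main(int argc,char *argv[]){
    /* Entry point: load the pattern file named on the command line, open the
     * first capture device libpcap reports, install an "ip and tcp" filter and
     * hand every captured frame to pcap_callback() until pcap_loop() returns.
     *
     * Returns 0 when the capture loop ends cleanly and 1 on any setup or capture
     * failure. Every failure path now reports its cause on stderr: the original
     * called exit(0) silently, which is exactly what "the program just ends with
     * no output" looks like — the usual culprits are pcap_lookupdev() or
     * pcap_open_live() failing for lack of capture privileges, or a pattern file
     * that yields no usable line. */
    char patternfile[256];               /* size is parse_para()'s contract */
    char errbuf[PCAP_ERRBUF_SIZE];
    bpf_u_int32 ipaddress = 0, ipmask = 0;
    struct bpf_program fcode;

    if (parse_para(argc, argv, patternfile)) {
        return 1;                         /* parse_para() already printed the usage line */
    }
    if (readpattern(patternfile)) {
        fprintf(stderr, "no usable pattern loaded from %s\n", patternfile);
        return 1;
    }

    errbuf[0] = '\0';
    char *device = pcap_lookupdev(errbuf);
    if (device == NULL) {
        /* typical cause: no capture privileges (root / CAP_NET_RAW) or no interface */
        fprintf(stderr, "pcap_lookupdev: %s\n", errbuf);
        return 1;
    }
    if (pcap_lookupnet(device, &ipaddress, &ipmask, errbuf) == -1) {
        fprintf(stderr, "pcap_lookupnet(%s): %s\n", device, errbuf);
        return 1;
    }

    /* snaplen 200: only the first 200 bytes of each frame reach the callback,
     * so a pattern that sits deeper in the payload can never match. */
    pcap_t *phandle = pcap_open_live(device, 200, 1, 500, errbuf);
    if (phandle == NULL) {
        fprintf(stderr, "pcap_open_live(%s): %s\n", device, errbuf);
        return 1;
    }
    /* pcap_callback() hard-codes a 14-byte Ethernet link header; refuse anything else. */
    if (pcap_datalink(phandle) != DLT_EN10MB) {
        fprintf(stderr, "%s: link type is not Ethernet, cannot parse frames\n", device);
        pcap_close(phandle);
        return 1;
    }
    if (pcap_compile(phandle, &fcode, "ip and tcp", 0, ipmask) == -1) {
        fprintf(stderr, "pcap_compile: %s\n", pcap_geterr(phandle));
        pcap_close(phandle);
        return 1;
    }
    int rc = pcap_setfilter(phandle, &fcode);
    pcap_freecode(&fcode);               /* the handle keeps its own copy of the filter program */
    if (rc == -1) {
        fprintf(stderr, "pcap_setfilter: %s\n", pcap_geterr(phandle));
        pcap_close(phandle);
        return 1;
    }

    printf("开始特征串攻击检测...\n");
    fflush(stdout);                      /* make the banner visible even when stdout is a pipe */
    rc = pcap_loop(phandle, -1, pcap_callback, NULL);
    if (rc == -1) {
        fprintf(stderr, "pcap_loop: %s\n", pcap_geterr(phandle));
    }
    pcap_close(phandle);
    return rc == -1 ? 1 : 0;
}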

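int parse_para(int argc,char *argv[],char *filename){
    /* Copy the pattern-file path given as the single command-line argument
     * into filename, which must provide room for FILENAME_CAP bytes (main
     * passes a char[256]). The result is always NUL-terminated.
     *
     * Returns 0 on success and 1 when the argument count is wrong or the path
     * does not fit; both cases print a diagnostic on stderr. A path that does
     * not fit is rejected rather than silently truncated, because a truncated
     * path would make readpattern() open the wrong file (or none). */
    enum { FILENAME_CAP = 256 };

    if (argc != 2) {
        fprintf(stderr, "Usage: %s patternfile\n", argc > 0 ? argv[0] : "program");
        return 1;
    }
    int n = snprintf(filename, FILENAME_CAP, "%s", argv[1]);
    if (n < 0 || n >= FILENAME_CAP) {
        fprintf(stderr, "pattern file name too long (max %d bytes)\n", FILENAME_CAP - 1);
        return 1;
    }
    return 0;
}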

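int readpattern(char *patternfile){
    /* Load attack signatures from patternfile into the global list
     * pPatternHeader and record the shortest pattern length in minpattern_len.
     *
     * Each line has the form "<description>#<pattern>". Lines without '#' or
     * with nothing after it are ignored (an empty pattern would match every
     * packet). The line terminator is stripped before the lengths are taken, so
     * a final line without '\n' is no longer shortened by one byte, and CRLF
     * files no longer get a stray '\r' in the pattern. Lines longer than 255
     * bytes are split by fgets() and the remainder is treated as its own line,
     * as before. New nodes are pushed at the head, so the list is in reverse
     * file order. Nodes are calloc'ed so attackdes and patterncontent are
     * NUL-terminated, which output_alert() relies on when printing attackdes
     * with %s.
     *
     * Returns 0 when at least one pattern was loaded, 1 otherwise; the file is
     * closed on every path (the original never closed it). */
    enum { LINE_CAP = 256 };

    FILE *file = fopen(patternfile, "r");
    if (file == NULL) {
        printf("Cann't open the pattern file!Please check it and try again!\n");
        return 1;
    }

    pPatternHeader = NULL;
    minpattern_len = 1000;

    char linebuffer[LINE_CAP];
    while (fgets(linebuffer, LINE_CAP, file) != NULL) {
        linebuffer[strcspn(linebuffer, "\r\n")] = '\0';

        char *sep = strchr(linebuffer, '#');
        if (sep == NULL) {
            continue;
        }
        size_t deslen = (size_t)(sep - linebuffer);
        size_t patlen = strlen(sep + 1);
        if (patlen == 0) {
            continue;
        }

        ATTACKPATTERN *node = calloc(1, sizeof *node);
        if (node == NULL) {
            printf("out of memory while reading the pattern file\n");
            fclose(file);
            return 1;
        }
        /* both lengths are < LINE_CAP, so they fit with a terminator; keep the
         * guard anyway so a future change to the array sizes cannot overflow */
        if (deslen >= sizeof node->attackdes || patlen >= sizeof node->patterncontent) {
            free(node);
            continue;
        }
        memcpy(node->attackdes, linebuffer, deslen);
        memcpy(node->patterncontent, sep + 1, patlen);
        node->patternlen = (int)patlen;

        /* the comparison on the page was lost to HTML escaping; this is the '<' it needs */
        if (node->patternlen < minpattern_len) {
            minpattern_len = node->patternlen;
        }

        node->next = pPatternHeader;
        pPatternHeader = node;
    }

    fclose(file);
    return pPatternHeader == NULL ? 1 : 0;
}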

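void pcap_callback(u_char *user,const struct pcap_pkthdr *header,const u_char *pkt_data){
    /* libpcap per-packet handler: locate the TCP payload of an Ethernet/IPv4/TCP
     * frame and run every loaded pattern over it, printing an alert per match.
     *
     * All offsets are derived from the packet itself (IPv4 IHL and TCP data
     * offset, so headers with options are handled) and every length is clamped
     * to header->caplen — the number of bytes actually present in pkt_data,
     * which is at most the snaplen passed to pcap_open_live(). The original
     * used total_len unconverted from network byte order and never bounded it
     * by caplen, so a single packet could send matchpattern() reading far past
     * the capture buffer. Header bytes are read directly instead of through the
     * IPHEADER bit-field overlay, whose layout is compiler-dependent.
     *
     * Assumes a 14-byte Ethernet link header; the link type of the device
     * chosen by pcap_lookupdev() is not checked here. user is unused. */
    enum { ETH_HDR_LEN = 14, IP_MIN_HDR_LEN = 20, TCP_MIN_HDR_LEN = 20, PROTO_TCP = 6 };
    (void)user;

    size_t caplen = header->caplen;
    if (caplen < ETH_HDR_LEN + IP_MIN_HDR_LEN) {
        return;
    }
    const u_char *ip = pkt_data + ETH_HDR_LEN;
    if ((ip[0] >> 4) != 4) {
        return;                                   /* not IPv4 */
    }
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;      /* header length in 32-bit words */
    if (ihl < IP_MIN_HDR_LEN || ip[9] != PROTO_TCP) {
        return;                                   /* the BPF filter says "tcp", but do not trust it */
    }
    size_t total_len = ((size_t)ip[2] << 8) | ip[3];   /* wire order is big-endian */
    if (total_len < ihl + TCP_MIN_HDR_LEN || caplen < ETH_HDR_LEN + ihl + TCP_MIN_HDR_LEN) {
        return;
    }
    const u_char *tcp = ip + ihl;
    size_t thl = (size_t)(tcp[12] >> 4) * 4;      /* TCP data offset, in 32-bit words */
    if (thl < TCP_MIN_HDR_LEN || total_len < ihl + thl) {
        return;
    }
    size_t hdrs = ETH_HDR_LEN + ihl + thl;
    if (caplen < hdrs) {
        return;
    }
    size_t payload = total_len - ihl - thl;
    size_t avail = caplen - hdrs;
    if (payload > avail) {
        payload = avail;                          /* truncated by snaplen: match what we have */
    }

    PACKETINFO onepacket;
    memset(&onepacket, 0, sizeof onepacket);
    onepacket.contentlen = (int)payload;          /* payload <= caplen, far below INT_MAX */
    /* the comparison on the page was lost to HTML escaping; this is the '<' it needs */
    if (onepacket.contentlen < minpattern_len) {
        return;
    }
    onepacket.packetcontent = (char *)(pkt_data + hdrs);   /* PACKETINFO holds a non-const pointer; never written */
    /* memcpy, not strncpy: an address octet of 0 is data, not a terminator
     * (strncpy turned 10.0.5.6 into 10.0.0.0) */
    memcpy(onepacket.src_ip, ip + 12, sizeof onepacket.src_ip);
    memcpy(onepacket.dest_ip, ip + 16, sizeof onepacket.dest_ip);

    for (ATTACKPATTERN *pat = pPatternHeader; pat != NULL; pat = pat->next) {
        if (matchpattern(pat, &onepacket)) {
            output_alert(pat, &onepacket);
        }
    }
}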

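int matchpattern(ATTACKPATTERN *pOnepattern,PACKETINFO *pOnepacket){
    /* Return 1 if the pattern's bytes occur anywhere in the packet payload,
     * 0 otherwise.
     *
     * Compares with memcmp rather than strncmp because the payload is binary:
     * a NUL byte inside it is ordinary data, not a terminator. A pattern with
     * no bytes (patternlen <= 0) never matches — with strncmp and n == 0 it
     * matched every packet, and a negative length made the loop run off the
     * buffer. Every read stays within
     * [packetcontent, packetcontent + contentlen). */
    int patlen = pOnepattern->patternlen;
    int contentlen = pOnepacket->contentlen;
    if (patlen <= 0 || contentlen < patlen) {
        return 0;
    }

    const char *pat = pOnepattern->patterncontent;
    const char *cur = pOnepacket->packetcontent;
    const char *last = cur + (contentlen - patlen);   /* last offset where a whole pattern fits */

    while (cur <= last) {
        /* jump to the next occurrence of the first pattern byte, then verify the rest */
        const char *cand = memchr(cur, pat[0], (size_t)(last - cur) + 1);
        if (cand == NULL) {
            return 0;
        }
        if (memcmp(cand, pat, (size_t)patlen) == 0) {
            return 1;
        }
        cur = cand + 1;
    }
    return 0;
}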

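void output_alert(ATTACKPATTERN *pOnepattern,PACKETINFO *pOnepacket){
    /* Print one alert for a matched pattern: the attack description, then the
     * source and destination IPv4 addresses in dotted form.
     *
     * attackdes is printed with a 255-byte precision bound so printf can never
     * read past the 256-byte array even when the node was filled without a
     * terminating NUL. A space separates the description from the address
     * pair, which previously ran together. stdout is flushed so alerts show up
     * promptly when output goes to a file or pipe. */
    const u_char *src = pOnepacket->src_ip;
    const u_char *dst = pOnepacket->dest_ip;

    printf("发现特征串攻击:\n攻击类型%.255s ", pOnepattern->attackdes);
    printf("%d.%d.%d.%d==>", src[0], src[1], src[2], src[3]);
    printf("%d.%d.%d.%d\n", dst[0], dst[1], dst[2], dst[3]);
    fflush(stdout);
}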



  • oyljerry 2015-05-04 08:57

    你主函数main中应该有一个loop循环

