├── Licesin ├── BlackSword ├── script │ ├── rule.txt.lex │ ├── rule.txt │ └── lex.py ├── analysis │ ├── ip.c │ ├── func.c │ ├── http.c │ ├── tcp.c │ ├── derule.c │ ├── pdata.c │ ├── sysconfig.c │ ├── icmp.c │ └── udp.c ├── include │ ├── ip.h │ ├── http.h │ ├── pdata.h │ ├── derule.h │ ├── output.h │ ├── reasoning.h │ ├── sysconfig.h │ ├── bspcap.h │ ├── eth.h │ ├── type.h │ ├── platform.h │ ├── udp.h │ ├── analysis.h │ ├── icmp.h │ ├── tcp.h │ ├── abuse.h │ └── func.h ├── config │ ├── bs.conf │ ├── bs.conf.bak │ └── bs.kl ├── abuse │ ├── abuse_http.c │ ├── abuse_icmp.c │ ├── abuse_tcp.c │ ├── abuse_udp.c │ └── abuse.c ├── pcap │ ├── .bspcap.h.swp │ ├── test.c │ ├── ntest.c │ └── bspcap.c ├── rule │ ├── test.bsr │ └── test.bsr.bak ├── main │ └── main.c └── makefile ├── .gitignore └── README.md /Licesin: -------------------------------------------------------------------------------- 1 | this ia a test 2 | -------------------------------------------------------------------------------- /BlackSword/script/rule.txt.lex: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .o 2 | .out 3 | tags 4 | -------------------------------------------------------------------------------- /BlackSword/analysis/ip.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yixuanzi/blocksword/HEAD/BlackSword/analysis/ip.c -------------------------------------------------------------------------------- /BlackSword/include/ip.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yixuanzi/blocksword/HEAD/BlackSword/include/ip.h -------------------------------------------------------------------------------- /BlackSword/analysis/func.c: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/yixuanzi/blocksword/HEAD/BlackSword/analysis/func.c -------------------------------------------------------------------------------- /BlackSword/analysis/http.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yixuanzi/blocksword/HEAD/BlackSword/analysis/http.c -------------------------------------------------------------------------------- /BlackSword/analysis/tcp.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yixuanzi/blocksword/HEAD/BlackSword/analysis/tcp.c -------------------------------------------------------------------------------- /BlackSword/config/bs.conf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yixuanzi/blocksword/HEAD/BlackSword/config/bs.conf -------------------------------------------------------------------------------- /BlackSword/include/http.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yixuanzi/blocksword/HEAD/BlackSword/include/http.h -------------------------------------------------------------------------------- /BlackSword/include/pdata.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yixuanzi/blocksword/HEAD/BlackSword/include/pdata.h -------------------------------------------------------------------------------- /BlackSword/script/rule.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yixuanzi/blocksword/HEAD/BlackSword/script/rule.txt -------------------------------------------------------------------------------- /BlackSword/abuse/abuse_http.c: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/yixuanzi/blocksword/HEAD/BlackSword/abuse/abuse_http.c -------------------------------------------------------------------------------- /BlackSword/analysis/derule.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yixuanzi/blocksword/HEAD/BlackSword/analysis/derule.c -------------------------------------------------------------------------------- /BlackSword/analysis/pdata.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yixuanzi/blocksword/HEAD/BlackSword/analysis/pdata.c -------------------------------------------------------------------------------- /BlackSword/config/bs.conf.bak: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yixuanzi/blocksword/HEAD/BlackSword/config/bs.conf.bak -------------------------------------------------------------------------------- /BlackSword/include/derule.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yixuanzi/blocksword/HEAD/BlackSword/include/derule.h -------------------------------------------------------------------------------- /BlackSword/include/output.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yixuanzi/blocksword/HEAD/BlackSword/include/output.h -------------------------------------------------------------------------------- /BlackSword/pcap/.bspcap.h.swp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yixuanzi/blocksword/HEAD/BlackSword/pcap/.bspcap.h.swp -------------------------------------------------------------------------------- /BlackSword/rule/test.bsr: 
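-------------------------------------------------------------------------------- 1 | BSRule http any any -> any any time_test 1 {httpurl("/bstest");log("this is a test")} -------------------------------------------------------------------------------- /BlackSword/analysis/sysconfig.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yixuanzi/blocksword/HEAD/BlackSword/analysis/sysconfig.c -------------------------------------------------------------------------------- /BlackSword/include/reasoning.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yixuanzi/blocksword/HEAD/BlackSword/include/reasoning.h -------------------------------------------------------------------------------- /BlackSword/include/sysconfig.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yixuanzi/blocksword/HEAD/BlackSword/include/sysconfig.h -------------------------------------------------------------------------------- /BlackSword/rule/test.bsr.bak: -------------------------------------------------------------------------------- 1 | BSRule http any any -> any any time_test 1 {httpurl("/bstest");log("this is a test");} -------------------------------------------------------------------------------- /BlackSword/include/bspcap.h: --------------------------------------------------------------------------------
#ifndef bspcap_h
#define bspcap_h
/* Per-packet bookkeeping handed from the capture loop (packet_handler in
 * pcap/bspcap.c) to the analysers via start_packet(). */
struct info{
    int lenght;          /* number of captured bytes for this packet (pcap caplen) */
    /* Human-readable timestamp line written by packet_handler() with the
     * format "%H:%M:%S,%.6d len:%d\n".  That is 8 + 1 + 6 + 5 + 5 + 1 = 26
     * characters plus the terminating NUL when len has five digits, so the
     * previous 24-byte field was overrun by sprintf() on large frames.
     * 64 bytes leaves headroom; the writer should still use snprintf(). */
    char time[64];
};
int run();
#endif
-------------------------------------------------------------------------------- /BlackSword/abuse/abuse_icmp.c: --------------------------------------------------------------------------------
/* abuse.h declares abuse_icmp() with three parameters (packet, capture info,
 * iport).  The definition must use the same parameter list: defining it with
 * one parameter while callers compile against the prototype is undefined
 * behaviour.  Including abuse.h (which pulls in icmp.h, sysconfig.h and
 * derule.h) lets the compiler check that the two agree. */
#include "abuse.h"

/* ICMP abuse check.  Placeholder: no detection is implemented yet, so it
 * always returns 0 ("nothing found"); the parameters are currently unused. */
int abuse_icmp(struct icmpp *icmp,struct info *cinfo,struct iport *port){
    return 0;
}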
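-------------------------------------------------------------------------------- /BlackSword/abuse/abuse_tcp.c: --------------------------------------------------------------------------------
/* abuse.h declares abuse_tcp(struct tcpp *, struct info *, struct iport *).
 * The definition here used to take only the packet pointer; a definition
 * whose parameter list differs from the prototype callers see is undefined
 * behaviour, so include the header (which also pulls in tcp.h, sysconfig.h
 * and derule.h) and match it exactly. */
#include "abuse.h"

/* TCP abuse check.  Placeholder: no detection implemented yet, always
 * returns 0 ("nothing found"); the parameters are currently unused. */
int abuse_tcp(struct tcpp *tcp,struct info *cinfo,struct iport *port){
    return 0;
}
-------------------------------------------------------------------------------- /BlackSword/abuse/abuse_udp.c: --------------------------------------------------------------------------------
/* Same rule as abuse_tcp.c: the definition must match the prototype in
 * abuse.h.  (The old file also included tcp.h instead of udp.h; abuse.h
 * includes both.) */
#include "abuse.h"

/* UDP abuse check.  Placeholder: always returns 0; parameters unused. */
int abuse_udp(struct udpp *udp,struct info *cinfo,struct iport *port){
    return 0;
}
-------------------------------------------------------------------------------- /BlackSword/include/eth.h: --------------------------------------------------------------------------------
#ifndef eth_h
#define eth_h
#include "sysconfig.h"
/* Ethernet header in wire order: destination address (bytes 0-5), source
 * address (6-11), EtherType (12-13, network byte order).  The previous
 * declaration listed smac before dmac; any code that overlays a captured
 * frame with this struct (the ip/icmp/udp helpers in analysis/ use that
 * pattern) would then have read the two addresses swapped. */
struct eth{
    uchar dmac[6];
    uchar smac[6];
    ushort protocol;
};
#endif
-------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # NIDS With C 2 | ## author:yixuanzi 3 | ## date:2013-04-01 4 | ## version:v1.0.0 5 | ## email:yeying0311@126.com 6 | -------- 7 | >一个用C语言编写的NIDS,实现了检测引擎和规则描述语言,研究实验类项目 8 | 9 | -------------------------------------------------------------------------------- /BlackSword/include/type.h: -------------------------------------------------------------------------------- 1 | #ifndef TYPE 2 | #define TYPE 3 | #define uchar unsigned char 4 | #define ushort unsigned short 5 | #define ulong unsigned long 6 | #define uint unsigned int 7 | #endif 8 | -------------------------------------------------------------------------------- /BlackSword/include/platform.h: -------------------------------------------------------------------------------- 1 | #ifndef platform_h 2 | #define platform_h 3 | #ifdef WIN32 4 | #include 5 | 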
#pragma comment(lib, "Ws2_32.lib") 6 | #else 7 | #include 8 | #include 9 | #include 10 | #endif 11 | #endif 12 | -------------------------------------------------------------------------------- /BlackSword/analysis/icmp.c: -------------------------------------------------------------------------------- 1 | #include "icmp.h" 2 | #include "sysconfig.h" 3 | #include "ip.h" 4 | #include "platform.h" 5 | struct icmpp* icmp_getstruct(struct ipp *ip){ 6 | struct icmpp *icmp=(void*)0; 7 | int l=ip_gethlenght(ip); 8 | icmp=(struct icmpp *)((uchar*)ip+l); 9 | return icmp; 10 | } 11 | -------------------------------------------------------------------------------- /BlackSword/main/main.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include "sysconfig.h" 3 | #include "derule.h" 4 | #include "bspcap.h" 5 | 6 | int main(int argc,char *argv[]){ 7 | int status=0; 8 | char *syspath="F:\\Paper\\BlockSword\\config\\bs.conf"; 9 | status=sysconfig(syspath); 10 | status=createrulelink(); 11 | run(); 12 | } 13 | -------------------------------------------------------------------------------- /BlackSword/include/udp.h: -------------------------------------------------------------------------------- 1 | #ifndef udp_h 2 | #define udp_h 3 | #include "sysconfig.h" 4 | #include "ip.h" 5 | struct udpp{ 6 | ushort sport; 7 | ushort dport; 8 | ushort lenght; 9 | ushort chucksum; 10 | }; 11 | int udp_checusum(struct udpp*); 12 | unsigned char* udp_getdata(struct udpp*); 13 | struct udpp* udp_getstruct(struct ipp *); 14 | #endif 15 | -------------------------------------------------------------------------------- /BlackSword/include/analysis.h: -------------------------------------------------------------------------------- 1 | #ifndef __ANALYSIS__ 2 | #define __ANALYSIS__ 3 | #include 4 | #include "type.h" 5 | void displayMac(uchar *mac); 6 | void displayIP(uchar *ip); 7 | void udpanalysis(uchar *packet); 8 | void tcpanalysis(uchar *packet); 9 
| void ipanalysis(uchar *packet); 10 | void arpanalysis(uchar *packet); 11 | void analysis(struct pcap_pkthdr *pkthdr,const uchar *packet); 12 | #endif 13 | -------------------------------------------------------------------------------- /BlackSword/analysis/udp.c: -------------------------------------------------------------------------------- 1 | #include "udp.h" 2 | #include "sysconfig.h" 3 | #include "ip.h" 4 | #include "platform.h" 5 | uchar *udp_getdata(struct udpp *udp){ 6 | uchar *p=(uchar *)udp; 7 | return p+sizeof(struct udpp); 8 | } 9 | struct udpp* udp_getstruct(struct ipp *ip){ 10 | struct udpp *udp=(void*)0; 11 | int l=ip_gethlenght(ip); 12 | udp=(struct tcpp *)((uchar*)ip+l); 13 | udp->sport=ntohs(udp->sport); 14 | udp->dport=ntohs(udp->dport); 15 | return udp; 16 | } 17 | -------------------------------------------------------------------------------- /BlackSword/include/icmp.h: -------------------------------------------------------------------------------- 1 | #ifndef icmp_h 2 | #define icmp_h 3 | #include "sysconfig.h" 4 | #include "ip.h" 5 | struct icmpp{ 6 | uchar type; 7 | uchar code; 8 | ushort checksum; 9 | union{ 10 | struct{ 11 | ushort id; 12 | ushort seq; 13 | }echo; /* echo datagram */ 14 | uint gateway; /* gateway address */ 15 | struct{ 16 | ushort __unused; 17 | ushort mtu; 18 | }frag; /* path mtu discovery */ 19 | }un; 20 | }; 21 | 22 | struct icmpp *icmp_getstruct(struct ipp*); 23 | #endif 24 | -------------------------------------------------------------------------------- /BlackSword/include/tcp.h: -------------------------------------------------------------------------------- 1 | #ifndef tcp_h 2 | #define tcp_h 3 | #include "sysconfig.h" 4 | struct tcpp{ 5 | ushort sport; 6 | ushort dport; 7 | uint seq; 8 | uint ack; 9 | struct dss{ 10 | ushort offset:4; 11 | ushort retain:6; 12 | ushort urg:1; 13 | ushort ack:1; 14 | ushort psh:1; 15 | ushort rst:1; 16 | ushort syn:1; 17 | ushort fin:1; 18 | }ds; 19 | ushort window; 20 | 
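ushort checksum; 21 | ushort urgp; 22 | }; 23 | int tcp_checusum(struct tcpp*); 24 | uchar* tcp_getdata(struct tcpp*); 25 | int tcp_ishttp(uchar *); 26 | #endif -------------------------------------------------------------------------------- /BlackSword/pcap/test.c: --------------------------------------------------------------------------------
#include <pcap.h>
#include <stdio.h>

/* Smoke test for the capture setup: open the default interface, read one
 * packet, close.  Returns 0 on success and -1 on any pcap error. */
int main()
{
    pcap_t* pd;
    char ebuf[PCAP_ERRBUF_SIZE], *dev;
    const u_char* pkt;
    struct pcap_pkthdr ph;

    /* pcap_lookupdev() is deprecated in current libpcap; it is kept here
     * because this is a one-shot test and bspcap.c does the full
     * pcap_findalldevs() enumeration. */
    dev = pcap_lookupdev(ebuf);
    if (!dev) {
        fprintf(stderr, "%s\n", ebuf);
        return -1;
    }

    printf("get net device -> %s\n", dev);

    /* Non-promiscuous, no read timeout: only traffic for this host is seen. */
    pd = pcap_open_live(dev, 65535, 0, 0, ebuf);
    if (!pd) {
        fprintf(stderr, "%s\n", ebuf);
        return -1;
    }

    /* pcap_next() returns NULL on timeout, error or end of capture; the old
     * code announced a packet unconditionally. */
    pkt = pcap_next(pd, &ph);
    if (pkt)
        printf("A packet is captured.\n");
    else
        fprintf(stderr, "no packet captured: %s\n", pcap_geterr(pd));

    pcap_close(pd);

    return 0;
}
-------------------------------------------------------------------------------- /BlackSword/config/bs.kl: -------------------------------------------------------------------------------- 1 | #risk 1 2 3 4 2 | id:1; condition:maxargs_g(30);result:abnormal; probability:30; risk:1 3 | id:2; condition:lenhost_g(30);result:abnormal; probability:80; risk:2 4 | id:3; condition:httpurl('////'); result:abnormal; probability:90; risk:3 5 | id:4; condition:httpurl('../|\..'); result:abnormal; probability:50; risk:3 6 | id:5; condition:args('http|https'); result:remote file; probability:70; risk:4 7 | id:6; condition:args('%7c|%26'); result:command exec; probability:80; risk:4 8 | id:7; condition:args('script'); result:XSS; probability:80; risk:3 9 | id:8; condition:args('select|update'); result:sql inject; probability:20; risk:4 10 | id:9; condition:httprepeat(10); result:abnormal; probability:30; risk:3 11 | 12 | 13 | id:; condition:$1,$3;result:sql inject; probability:50; risk:alert 14 | 15 | 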
-------------------------------------------------------------------------------- /BlackSword/makefile: -------------------------------------------------------------------------------- 1 | CC=gcc 2 | LD=ld 3 | 4 | bs:abuse.o abuse_http.o abuse_icmp.o abuse_tcp.o abuse_udp.o derule.o func.o http.o icmp.o ip.o pdata.o sysconfig.o tcp.o udp.o main.o bspcap.o 5 | $(LD) -o $@ $^ -lpcap 6 | 7 | abuse.o:abuse/abuse.c 8 | $(CC) -c -I include $^ -o $@ 9 | abuse_http.o:abuse/abuse_http.c 10 | $(CC) -c -I include $^ -o $@ 11 | abuse_icmp.o:abuse/abuse_icmp.c 12 | $(CC) -c -I include $^ -o $@ 13 | abuse_tcp.o:abuse/abuse_tcp.c 14 | $(CC) -c -I include $^ -o $@ 15 | abuse_udp.o:abuse/abuse_udp.c 16 | $(CC) -c -I include $^ -o $@ 17 | derule.o:analysis/derule.c 18 | $(CC) -c -I include $^ -o $@ 19 | func.o:analysis/func.c 20 | $(CC) -c -I include $^ -o $@ 21 | http.o:analysis/http.c 22 | $(CC) -c -I include $^ -o $@ 23 | icmp.o:analysis/icmp.c 24 | $(CC) -c -I include $^ -o $@ 25 | ip.o:analysis/ip.c 26 | $(CC) -c -I include $^ -o $@ 27 | pdata.o:analysis/pdata.c 28 | $(CC) -c -I include $^ -o $@ 29 | sysconfig.o:analysis/sysconfig.c 30 | $(CC) -c -I include $^ -o $@ 31 | tcp.o:analysis/tcp.c 32 | $(CC) -c -I include $^ -o $@ 33 | udp.o:analysis/udp.c 34 | $(CC) -c -I include $^ -o $@ 35 | main.o:main/main.c 36 | $(CC) -c -I include $^ -o $@ 37 | bspcap.o:pcap/bspcap.c 38 | $(CC) -c -I include $^ -o $@ 39 | 40 | 41 | clean: 42 | rm *.o 43 | -------------------------------------------------------------------------------- /BlackSword/include/abuse.h: -------------------------------------------------------------------------------- 1 | #ifndef abuse_h 2 | #define abuse_h 3 | #include "tcp.h" 4 | #include "sysconfig.h" 5 | #include "icmp.h" 6 | #include "udp.h" 7 | #include "http.h" 8 | #include "derule.h" 9 | #include 10 | #include "bspcap.h" 11 | int abuse_tcp(struct tcpp *,struct info *,struct iport *); 12 | int abuse_http_request(struct http_request *,struct info *,struct iport 
*); 13 | int abuse_http_response(struct http_response *,struct info *,struct iport *); 14 | int abuse_udp(struct udpp *,struct info *,struct iport *); 15 | int abuse_icmp(struct icmpp *,struct info *,struct iport *); 16 | 17 | int getfuncid(char *); 18 | int callfunc(struct rule *,struct function *,void *,int); 19 | int getvarvalue_i(struct rule *r,struct variable_func *var); 20 | char *getvarvalue_s(struct rule *r,struct variable_func *var); 21 | 22 | int _addself(struct rule *,struct variable_func *); 23 | int _delself(struct rule *,struct variable_func *); 24 | int _greater(struct rule *,struct variable_func *); 25 | int _less(struct rule *,struct variable_func *); 26 | int _equal(struct rule *,struct variable_func *); 27 | int _unequal(struct rule *,struct variable_func *); 28 | 29 | int _log(struct rule *,struct variable_func *); 30 | int _alert(struct rule *,struct variable_func *); 31 | int _go(struct rule *,struct variable_func *); 32 | int _icmpinfo(struct rule *,struct variable_func *); 33 | int _icmpdata(struct rule *,struct variable_func *); 34 | int _tcpinfo(struct rule *,struct variable_func *); 35 | int _tcpdata(struct rule *,struct variable_func *); 36 | int _udpinfo(struct rule *,struct variable_func *); 37 | int _udpdata(struct rule *,struct variable_func *); 38 | int _httpinfo(struct rule *,struct variable_func *); 39 | int _httpurl(struct rule *,struct variable_func *); 40 | int _httpargs(struct rule *,struct variable_func *); 41 | int _httpgargs(struct rule *,struct variable_func *); 42 | int _httppargs(struct rule *,struct variable_func *); 43 | int _httpcookie(struct rule *,struct variable_func *); 44 | int _httpagent(struct rule *,struct variable_func *); 45 | int _httpserver(struct rule *,struct variable_func *); 46 | int _httphead(struct rule *,struct variable_func *); 47 | #endif 48 | -------------------------------------------------------------------------------- /BlackSword/include/func.h: 
-------------------------------------------------------------------------------- 1 | #ifndef func_h 2 | #define func_h 3 | #include "derule.h" 4 | 5 | #define FUNC_LOG 11 6 | #define FUNC_ALERT 12 7 | #define FUNC_GO 13 8 | #define FUNC_ICMPINFO 14 9 | #define FUNC_ICMPDATA 15 10 | #define FUNC_TCPINFO 16 11 | #define FUNC_TCPDATA 17 12 | #define FUNC_UDPINFO 18 13 | #define FUNC_UDPDATA 19 14 | #define FUNC_HTTPINFO 20 15 | #define FUNC_HTTPURL 21 16 | #define FUNC_HTTPARGS 22 17 | #define FUNC_HTTPGARGS 23 18 | #define FUNC_HTTPPARGS 24 19 | #define FUNC_HTTPCOOKIE 25 20 | #define FUNC_HTTPAGENT 26 21 | #define FUNC_HTTPSERVER 27 22 | #define FUNC_HTTPHEAD 28 23 | 24 | #define ICMP_TEYP 101 25 | #define ICMP_CODE 102 26 | #define ICMP_LDATA 103 27 | 28 | #define TCP_SIP 111 29 | #define TCP_SPORT 112 30 | #define TCP_DIP 113 31 | #define TCP_DPORT 114 32 | #define TCP_FLAG 115 33 | 34 | #define UDP_SIP 121 35 | #define UDP_SPORT 122 36 | #define UDP_DIP 123 37 | #define UDP_DPORT 124 38 | 39 | #define HTTP_STATUS 131 40 | #define HTTP_DESC 132 41 | #define HTTP_LURL 133 42 | #define HTTP_LHOST 134 43 | 44 | int set_addself(struct rule *,struct function *,char *); 45 | int set_delself(struct rule *,struct function *,char *); 46 | int set_greater(struct rule *,struct function *,char *,char *); 47 | int set_less(struct rule *,struct function *,char *,char *); 48 | int set_equal(struct rule *,struct function *,char *,char *); 49 | int set_unequal(struct rule *,struct function *,char *,char *); 50 | int set_function(struct rule *,struct function *,char *); 51 | int set_log(struct rule *,struct function *,char *); 52 | int set_alert(struct rule *,struct function *,char *); 53 | int set_go(struct rule *,struct function *,char *); 54 | int set_icmpinfo(struct rule *,struct function *,char *,char *); 55 | int set_icmpdata(struct rule *,struct function *,char *); 56 | int set_tcpinfo(struct rule *,struct function *,char *,char *); 57 | int set_tcpdata(struct rule *,struct 
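function *,char *); 58 | int set_udpinfo(struct rule *,struct function *,char *,char *); 59 | int set_udpdata(struct rule *,struct function *,char *); 60 | int set_httpinfo(struct rule *,struct function *,char *,char *); 61 | int set_httpurl(struct rule *,struct function *,char *); 62 | int set_httpargs(struct rule *,struct function *,char *,char *); 63 | int set_httpgargs(struct rule *,struct function *,char *,char *); 64 | int set_httppargs(struct rule *,struct function *,char *,char *); 65 | int set_httpcookie(struct rule *,struct function *,char *); 66 | int set_httpagent(struct rule *,struct function *,char *); 67 | int set_httpserver(struct rule *,struct function *,char *); 68 | int set_httphead(struct rule *,struct function *,char *); 69 | 70 | int getfuncid(char *); 71 | int getvarid(char *,struct rule*,int); 72 | int getvarid_r(char *,struct rule *,int); 73 | int getvarid_f(char *); 74 | char *blank(char *); 75 | char * isstring(char *); 76 | #endif -------------------------------------------------------------------------------- /BlackSword/abuse/abuse.c: -------------------------------------------------------------------------------- 1 | #include "abuse.h" 2 | #include 3 | #include 4 | #include 5 | #include "func.h" 6 | struct http_request *chr=NULL; //1 7 | struct http_response *chp=NULL;//2 8 | struct tcpp *ctcp=NULL;//3 9 | struct udpp *cudp=NULL;//4 10 | struct icmpp *cicmp=NULL;//5
/* Integer value of a rule operand.  id==0 means the operand carries an
 * immediate value; otherwise id indexes the rule's variable table r->vb.
 * NOTE(review): id comes from the parsed rule and is not range-checked
 * against the size of r->vb here — confirm the rule loader rejects
 * out-of-range ids. */
int getvarvalue_i(struct rule *r,struct variable_func *var){
    int id=var->id;
    if(id)
        return r->vb[id].value.var;
    return var->value.var;
}
/* String value of a rule operand; same immediate-vs-variable rule as above. */
char *getvarvalue_s(struct rule *r,struct variable_func *var){
    int id=var->id;
    if(id)
        return r->vb[id].value.str;
    return var->value.str;
}
/* Dispatch one rule action (f->fid) to its implementation.  Returns the
 * value of the last action executed, 0 if none ran.  dp and type are
 * accepted for the callers but not used yet.
 * NOTE(review): fid never changes inside the loop, so the selected action
 * runs up to ten times per call (e.g. _addself increments ten times);
 * presumably a list of functions was meant to be walked here — confirm. */
int callfunc(struct rule *r,struct function *f,void *dp,int type){
    int i=0;
    int fid=f->fid;
    int rc=0;
    for(i=0;i<10;i++){
        if(!fid)
            break;
        switch (fid)
        {
        case 1:
            rc=_addself(r,f->pt);
            break;
        case 2:
            rc=_delself(r,f->pt);
            break;
        case 3:
            rc=_greater(r,f->pt);
            break;
        case 4:
            rc=_less(r,f->pt);
            break;
        case 5:
            rc=_equal(r,f->pt);
            break;
        case 6:
            rc=_unequal(r,f->pt);
            break;
        case FUNC_LOG:
            rc=_log(r,f->pt);
            /* This break was missing, so every log() action fell through and
             * also raised an alert(); log and alert are distinct rule actions. */
            break;
        case FUNC_ALERT:
            rc=_alert(r,f->pt);
            break;
        default:
            /* Unknown action id: nothing to run. */
            break;
        }
    }
    return rc;
}
59 | 60 | int _addself(struct rule *r,struct variable_func *var){ 61 | int id=var->id; 62 | if(id){ 63 | r->vb[id].value.var++; 64 | return 1; 65 | } 66 | return -1; 67 | } 68 | int _delself(struct rule *r,struct variable_func *var){ 69 | int id=var->id; 70 | if(id){ 71 | r->vb[id].value.var--; 72 | return 1; 73 | } 74 | return -1; 75 | } 76 | 77 | int _greater(struct rule *r,struct variable_func *var){ 78 | int v1=getvarvalue_i(r,var); 79 | int v2=getvarvalue_i(r,(struct variable_func *)(var+1)); 80 | if(v1>v2) 81 | return 1; 82 | return 0; 83 | } 84 | int _less(struct rule *r,struct variable_func *var){ 85 | int v1=getvarvalue_i(r,var); 86 | int v2=getvarvalue_i(r,(struct variable_func *)(var+1)); 87 | if(v1 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include "nids.h" 9 | 10 | #define int_ntoa(x) inet_ntoa(*((struct in_addr *)&x)) 11 | 12 | // struct tuple4 contains addresses and port numbers of the TCP connections 13 | // the following auxiliary function produces a string looking like 14 | // 10.0.0.1,1024,10.0.0.2,23 15 | char * 16 | adres (struct tuple4 addr) 17 | { 18 | static char buf[256]; 19 | strcpy (buf, int_ntoa (addr.saddr)); 20 | sprintf (buf + strlen (buf), ",%i,", addr.source); 21 | strcat (buf, int_ntoa (addr.daddr)); 22 | sprintf (buf + strlen (buf), ",%i", addr.dest); 23 | return buf; 24 | } 25 | 26 | void 27 | tcp_callback (struct tcp_stream *a_tcp, void ** this_time_not_needed) 28 | { 29 | char buf[1024]; 30 | strcpy (buf, adres (a_tcp->addr)); // we put conn params into buf 31 | if (a_tcp->nids_state == NIDS_JUST_EST) 32 | { 33 | // connection described 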
by a_tcp is established 34 | // here we decide, if we wish to follow this stream 35 | // sample condition: if (a_tcp->addr.dest!=23) return; 36 | // in this simple app we follow each stream, so.. 37 | a_tcp->client.collect++; // we want data received by a client 38 | a_tcp->server.collect++; // and by a server, too 39 | a_tcp->server.collect_urg++; // we want urgent data received by a 40 | // server 41 | #ifdef WE_WANT_URGENT_DATA_RECEIVED_BY_A_CLIENT 42 | a_tcp->client.collect_urg++; // if we don't increase this value, 43 | // we won't be notified of urgent data 44 | // arrival 45 | #endif 46 | fprintf (stderr, "%s established\n", buf); 47 | return; 48 | } 49 | if (a_tcp->nids_state == NIDS_CLOSE) 50 | { 51 | // connection has been closed normally 52 | fprintf (stderr, "%s closing\n", buf); 53 | return; 54 | } 55 | if (a_tcp->nids_state == NIDS_RESET) 56 | { 57 | // connection has been closed by RST 58 | fprintf (stderr, "%s reset\n", buf); 59 | return; 60 | } 61 | 62 | if (a_tcp->nids_state == NIDS_DATA) 63 | { 64 | // new data has arrived; gotta determine in what direction 65 | // and if it's urgent or not 66 | 67 | struct half_stream *hlf; 68 | 69 | if (a_tcp->server.count_new_urg) 70 | { 71 | // new byte of urgent data has arrived 72 | strcat(buf,"(urgent->)"); 73 | buf[strlen(buf)+1]=0; 74 | buf[strlen(buf)]=a_tcp->server.urgdata; 75 | write(1,buf,strlen(buf)); 76 | return; 77 | } 78 | // We don't have to check if urgent data to client has arrived, 79 | // because we haven't increased a_tcp->client.collect_urg variable. 80 | // So, we have some normal data to take care of. 
81 | if (a_tcp->client.count_new) 82 | { 83 | // new data for the client 84 | hlf = &a_tcp->client; // from now on, we will deal with hlf var, 85 | // which will point to client side of conn 86 | strcat (buf, "(<-)"); // symbolic direction of data 87 | } 88 | else 89 | { 90 | hlf = &a_tcp->server; // analogical 91 | strcat (buf, "(->)"); 92 | } 93 | fprintf(stderr,"%s",buf); // we print the connection parameters 94 | // (saddr, daddr, sport, dport) accompanied 95 | // by data flow direction (-> or <-) 96 | 97 | write(2,hlf->data,hlf->count_new); // we print the newly arrived data 98 | 99 | } 100 | return ; 101 | } 102 | 103 | int 104 | main () 105 | { 106 | // here we can alter libnids params, for instance: 107 | // nids_params.n_hosts=256; 108 | if (!nids_init ()) 109 | { 110 | fprintf(stderr,"%s\n",nids_errbuf); 111 | exit(1); 112 | } 113 | nids_register_tcp (tcp_callback); 114 | nids_run (); 115 | return 0; 116 | } 117 | 118 | -------------------------------------------------------------------------------- /BlackSword/pcap/bspcap.c: -------------------------------------------------------------------------------- 1 | #ifdef _MSC_VER 2 | /* 3 | * we do not want the warnings about the old deprecated and unsecure CRT functions 4 | * since these examples can be compiled under *nix as well 5 | */ 6 | #define _CRT_SECURE_NO_WARNINGS 7 | #endif 8 | #include "pdata.h" 9 | #include "pcap.h" 10 | #include 11 | #include "bspcap.h" 12 | 13 | u_char data[1600]={0}; 14 | /* prototype of the packet handler */ 15 | void packet_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data); 16 | void getcurrent(){ 17 | time_t rawtime; 18 | struct tm * timeinfo; 19 | time ( &rawtime ); 20 | timeinfo = localtime ( &rawtime ); 21 | printf ( "\007The current date/time is: %s", asctime (timeinfo) ); 22 | } 23 | int run() 24 | { 25 | pcap_if_t *alldevs; 26 | pcap_if_t *d; 27 | int inum; 28 | int i=0; 29 | pcap_t *adhandle; 30 | struct bpf_program filter; 31 | char 
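errbuf[PCAP_ERRBUF_SIZE];

    /* Retrieve the device list */
    if(pcap_findalldevs(&alldevs, errbuf) == -1)
    {
        fprintf(stderr,"Error in pcap_findalldevs: %s\n", errbuf);
        exit(1);
    }

    /* Print the list */
    for(d=alldevs; d; d=d->next)
    {
        printf("%d. %s", ++i, d->name);
        if (d->description)
            printf(" (%s)\n", d->description);
        else
            printf(" (No description available)\n");
    }

    if(i==0)
    {
        printf("\nNo interfaces found! Make sure WinPcap is installed.\n");
        return -1;
    }

    printf("Enter the interface number (1-%d):",i);
    /* scanf() leaves inum untouched on a non-numeric answer, and inum is
     * never initialised, so the range test below used to read an
     * indeterminate value.  Treat anything that is not an integer as
     * out of range. */
    if(scanf("%d", &inum) != 1)
        inum = 0;

    if(inum < 1 || inum > i)
    {
        printf("\nInterface number out of range.\n");
        /* Free the device list */
        pcap_freealldevs(alldevs);
        return -1;
    }

    /* Jump to the selected adapter */
    for(d=alldevs, i=0; i< inum-1 ;d=d->next, i++);

    /* Open the device */
    /* Open the adapter */
    if ((adhandle= pcap_open_live(d->name, // name of the device
                                  65536,   // portion of the packet to capture.
                                           // 65536 grants that the whole packet will be captured on all the MACs.
                                  1,       // promiscuous mode (nonzero means promiscuous)
                                  1000,    // read timeout
                                  errbuf   // error buffer
                                  )) == NULL)
    {
        /* Report what libpcap said instead of guessing at "not supported". */
        fprintf(stderr,"\nUnable to open the adapter %s: %s\n", d->name, errbuf);
        /* Free the device list */
        pcap_freealldevs(alldevs);
        return -1;
    }

    /* description may be NULL (the listing above already handles that);
     * printf("%s", NULL) is undefined, so fall back to the name. */
    printf("\nlistening on %s...\n", d->description ? d->description : d->name);

    /* At this point, we don't need any more the device list.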
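Free it */
    pcap_freealldevs(alldevs);
    //filter
    /* Only ICMP, TCP and UDP reach the analysers.  Both calls report failure
     * with -1 (bad expression, unsupported link type); the previous code
     * ignored the return values and would then capture unfiltered traffic. */
    if(pcap_compile(adhandle,&filter,"icmp||tcp||udp",1,0) == -1)
    {
        fprintf(stderr,"pcap_compile failed: %s\n", pcap_geterr(adhandle));
        pcap_close(adhandle);
        return -1;
    }
    if(pcap_setfilter(adhandle,&filter) == -1)
    {
        fprintf(stderr,"pcap_setfilter failed: %s\n", pcap_geterr(adhandle));
        pcap_freecode(&filter);
        pcap_close(adhandle);
        return -1;
    }
    /* The handle keeps its own copy of the BPF program; release ours. */
    pcap_freecode(&filter);

    /* start the capture */
    pcap_loop(adhandle, -1, packet_handler, NULL);
    pcap_close(adhandle);
    return 0;
}
/* Debug helper that walks the captured bytes of one packet; its loop body is
 * missing from this listing. */
void debug_printf_data(struct info *cinfo,u_char *data){
    int lenght=cinfo->lenght;
    int i=0;
    for(i=0;icaplen);
    /* NOTE(review): the capture is opened with a 65536-byte snaplen (see
     * run()) but the file-scope `data` buffer at the top of this file holds
     * 1600 bytes.  The analysers receive `data` together with cinfo.lenght
     * via start_packet(), so never report more than the buffer size; the copy
     * into `data` (in the part of this function not visible here) must be
     * bounded the same way — confirm. */
    cinfo.lenght = header->caplen > sizeof(data) ? (int)sizeof(data) : (int)header->caplen;
    //debug_printf_data(&cinfo,data);
    //* convert the timestamp to readable format
    local_tv_sec = header->ts.tv_sec;
    ltime=localtime(&local_tv_sec);
    strftime( timestr, sizeof timestr, "%H:%M:%S", ltime);
    /* "HH:MM:SS,uuuuuu len:NNNNN\n" is 26 characters plus NUL, which overran
     * the 24-byte cinfo.time when written with sprintf(); bound the write to
     * the field.  tv_usec is a long on the usual platforms, hence the cast. */
    snprintf(cinfo.time, sizeof cinfo.time, "%s,%.6ld len:%d\n", timestr, (long)header->ts.tv_usec, header->len);
    //printf("%s,%.6d len:%d\n", timestr, header->ts.tv_usec, header->len);
    start_packet(&cinfo,data);
}
-------------------------------------------------------------------------------- /BlackSword/script/lex.py: -------------------------------------------------------------------------------- 1 | import re 2 | text='jiangxi' 3 | ''' 4 | regexes=[re.compile(p) 5 | for p in ['\(','\)','\++','\--','>','<','==','!=','=',':',#opertion char 6 | '@[a-zA-Z\.]+',#protocol variable 7 | '#[a-zA-Z\.]+',#protocol variable 8 | '\$\w+',#rule variable 9 | '".*"', #string 10 | 'normal','triggle','type','ip','arp','icmp','tcp','if','protocol','continuation','yes','no',#keyword 11 | '[A-Za-z]\w*', #ID str 12 | '[0-9]+',#int 13 | ] 14 | ] 15 | for regex in regexes: 16 | for match in regex.finditer(text): 17 | if match: 18 | s=match.start() 19 | e=match.end() 20 | print (text[s:e]) 21 | text=text[:s]+'\x00'*(e-s)+text[e:] 22 | print (text) 23 | ''' 24 | #sort for result 25 | def sort(result): 26 | l=len(result) 27 | if l<1: 28 | return 29 | for i in range(1,l,1): 30 | for j in range(1,l-i+1,1): 31 | if result[j-1][0]>result[j][0]: 32 | result[j-1],result[j]=result[j],result[j-1] 33 | 34 | 35 | def 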
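lex(path):
    """Tokenize every line of *path* and write one token list per line to
    ``path + ".lex"``.

    Each output line is the ``repr`` of the list returned by ``lex_line``
    (the same ``print(..., file=...)`` output as before).  If either file
    cannot be opened the failure is reported on stdout and nothing is
    written.  Only OSError is caught now (the old bare ``except`` also
    swallowed KeyboardInterrupt), and the input file is closed on every
    path, including the case where the output file cannot be created.
    """
    try:
        src = open(path)
    except OSError:
        print ("open file failed")
        return
    with src:
        try:
            out = open(path + ".lex", "w")
        except OSError:
            print ("create lex file failed")
            return
        with out:
            for line in src:
                print (lex_line(line), file=out)


def _scan(text, regex, tag, result):
    """Run one tokenizer pass.

    Appends ``(start, tag, lexeme)`` to *result* for every match of *regex*
    in *text* and returns *text* with each matched span replaced by NUL
    characters, so that later passes cannot match inside it.  Matching is
    done against the text as it was on entry; the blanking only affects the
    returned copy.
    """
    for match in regex.finditer(text):
        s, e = match.start(), match.end()
        result.append((s, tag, text[s:e]))
        text = text[:s] + '\x00' * (e - s) + text[e:]
    return text


def lex_line(text):
    """Split one rule line into ``(position, kind, lexeme)`` tuples, sorted
    by position.

    Passes run in priority order and each blanks out what it consumed:

      str  quoted string literals -- first, so operators or keywords inside
           a string are not split out of it (they used to be)
      oc   operator characters
      pv   protocol variables (@name / #name)
      rv   rule variables ($name)
      kw   keywords, then fc built-in function names (whole words only)
      id   remaining identifiers
      int  integers

    The ``regexes_*`` objects are module globals created in the ``__main__``
    block.  Previously the ``id`` pass ran before ``kw``/``fc`` and consumed
    every keyword and function name, so those two kinds were never produced.
    """
    result = []
    text = _scan(text, regexes_str, 'str', result)
    for regex in regexes_oc:
        text = _scan(text, regex, 'oc', result)
    text = _scan(text, regexes_pv, 'pv', result)
    text = _scan(text, regexes_rv, 'rv', result)
    for regex in regexes_kw:
        text = _scan(text, regex, 'kw', result)
    for regex in regexes_fc:
        text = _scan(text, regex, 'fc', result)
    text = _scan(text, regexes_id, 'id', result)
    _scan(text, regexes_int, 'int', result)
    sort(result)
    return result


if __name__ == '__main__':
    # Operator characters.  Note that '\++' is "one or more '+'" and so also
    # matches a single '+'; '\--' matches exactly '--'.
    regexes_oc = [re.compile(p)
                  for p in [r'\(', r'\)', r'\++', r'\--', '>', '<', '==', '!=', '=', ':']]
    regexes_pv = re.compile(r'[@#][a-zA-Z\.]+')   # protocol variable
    regexes_rv = re.compile(r'\$\w+')             # rule variable
    # Non-greedy so that two literals on one line give two tokens instead of
    # one token spanning both.
    regexes_str = re.compile(r'".*?"')            # string
    # Whole-word matches only: without the boundaries 'ip' would be cut out
    # of an identifier such as 'ipaddr'.
    regexes_kw = [re.compile(r'\b' + p + r'\b')
                  for p in ['normal', 'triggle', 'type', 'ip', 'arp', 'icmp', 'tcp',
                            'if', 'protocol', 'continuation', 'yes', 'no']]  # keyword
    regexes_fc = [re.compile(r'\b' + p + r'\b')
                  for p in ['find', 'alert', 'log', 'pass', 'chunk']]  # built-in functions
    regexes_id = re.compile(r'[a-zA-Z]\w*')       # id string
    regexes_int = re.compile('[0-9]+')

    lex('rule.txt')
--------------------------------------------------------------------------------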