else return 1;
}
else // state is NODE_STATE_SYN_RECEIVED
{
return 1;
}
}
/* Tree teardown callback: releases one node.
 * Assumes NodePtr is the address the node's block was allocated at; the
 * matching create path is outside this excerpt, so confirm it there. */
static void TChTreeNodeDataDeleteNode(ubi_btNodePtr NodePtr)
{
    void *block = NodePtr;
    free(block);
}
// файл tcp_syn_flood_prevention_stat.h
#ifndef _TCP_SYN_FLOOD_PREVENTION_STAT_H_
#define _TCP_SYN_FLOOD_PREVENTION_STAT_H_
//#include "config.h"
#include "decode.h"
#include "sp_tcp_syn_flood.h"
#include "ubi_SplayTree.h"
#define CHANGE_STAT_YES 1
#define CHANGE_STAT_NO 2
// Per-module state of the statistics-based SYN flood prevention.
// NOTE(review): the tag begins with '_' + uppercase, which the C standard
// reserves for the implementation; kept as is since callers use this name.
typedef struct _TcpSynFloodPreventionModule
{
    // the root of the statistics tree (a separately allocated ubi_btRoot,
    // created and released together with the module)
    ubi_btRootPtr rootStat;
    // total number of packets counted into the tree; only incremented when a
    // packet is processed with changeStat == CHANGE_STAT_YES
    long totalPacketsCount;
} TcpSynFloodPreventionModule;
// Creates and initializes the prevention module.
// Returns a heap-allocated TcpSynFloodPreventionModule (as void*) with an
// empty statistics tree. The caller owns it and releases it with
// TcpSynFloodPreventionStatDeinitModule.
void* TcpSynFloodPreventionStatCreateModule();
// Frees every tree node, the tree root and the module itself; the pointer
// must not be used afterwards.
void TcpSynFloodPreventionStatDeinitModule(TcpSynFloodPreventionModule* preventionModule);
// Classifies one packet by its (source IP, TTL) pair. When changeStat is
// CHANGE_STAT_YES the pair is first counted into the statistics. Returns
// PREVENTION_PACKET_IS_OK or PREVENTION_PACKET_IS_BAD (not defined in this
// header) depending on how the source's packet count compares with the
// per-source average.
int TcpSynFloodPreventionStatProcessPacket(TcpSynFloodPreventionModule* preventionModule, Packet* packet, int changeStat);
// Unified Tcp Syn Flood prevention interface
// The macros hide the concrete ("Stat") implementation behind a void* module
// handle so the calling rule code does not depend on this header's types.
#define TcpSynFloodPreventionProcessPacket( module, p, changeStat ) TcpSynFloodPreventionStatProcessPacket( (TcpSynFloodPreventionModule*) (module) ,(Packet*) (p), (int) (changeStat) )
#define TcpSynFloodPreventionCreateModule TcpSynFloodPreventionStatCreateModule
#define TcpSynFloodPreventionDeinitModule( module ) TcpSynFloodPreventionStatDeinitModule( (TcpSynFloodPreventionModule*) (module) )
#endif
// файл tcp_syn_flood_prevention_stat.c
#ifndef _TCP_SYN_FLOOD_PREVENTION_STAT_H_
#include "tcp_syn_flood_prevention_stat.h"
#endif
// One statistics entry: how many packets have been seen from a given
// (source IP, TTL) pair. Entries are stored in the module's splay tree.
typedef struct _TcpSynFloodPreventionStatTreeNodeData
{
    // the node in which data is stored
    // Must remain the FIRST member: the tree hands back a pointer to Node and
    // the compare/delete callbacks cast it directly to this struct.
    ubi_trNode Node;
    // Fields to identify from what client the packet has came
    u_int8_t ttl;
    struct in_addr ipSrc;
    // the number of packets with TTL=ttl and IPSrc=ipSrc that've been processed
    // (only counted when the packet was processed with CHANGE_STAT_YES)
    long counter;
} TcpSynFloodPreventionStatTreeNodeData;
/*** TcpSynFloodPreventionStatTreeNodeData manipulation functions ***/
static int TcpSynFloodPreventionStatTreeNodeDataCompareFunc(ubi_trItemPtr ItemPtr, ubi_trNodePtr NodePtr);
static void TcpSynFloodPreventionStatTreeNodeDataDeleteNode(ubi_btNodePtr NodePtr);
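/* Creates and initializes the prevention module.
 *
 * Returns a heap-allocated TcpSynFloodPreventionModule (as void*) whose
 * statistics tree is empty and whose packet total is zero. Ownership passes
 * to the caller; release with TcpSynFloodPreventionStatDeinitModule.
 *
 * SnortAlloc is the project's allocator; whether it can return NULL is not
 * visible here, so the result is used unchecked like elsewhere in this file. */
void* TcpSynFloodPreventionStatCreateModule(void)
{
    TcpSynFloodPreventionModule* newModule =
        (TcpSynFloodPreventionModule*) SnortAlloc(sizeof(TcpSynFloodPreventionModule));
    newModule->totalPacketsCount = 0l;
    /* (a stray, never-used SnortAlloc(10) used to leak 10 bytes per module here) */
    newModule->rootStat = (ubi_btRootPtr) SnortAlloc(sizeof(ubi_btRoot));
    ubi_trInitTree(newModule->rootStat,                                /* ptr to the tree head */
                   TcpSynFloodPreventionStatTreeNodeDataCompareFunc,  /* comparison function */
                   0);                                                /* allow neither OVERWRITE nor DUPLICATES */
    return newModule;
}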
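/* Releases everything TcpSynFloodPreventionStatCreateModule allocated: every
 * tree entry (through the delete callback), the tree root and the module.
 * preventionModule must not be used afterwards. A NULL module is a no-op
 * instead of a NULL dereference. */
void TcpSynFloodPreventionStatDeinitModule(TcpSynFloodPreventionModule* preventionModule)
{
    if (preventionModule == NULL)
        return;
    // kill tree: the callback frees each entry's whole data block
    ubi_trKillTree(preventionModule->rootStat, TcpSynFloodPreventionStatTreeNodeDataDeleteNode);
    free(preventionModule->rootStat);
    free(preventionModule);
}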
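/* Inserts a new statistics entry for the (source IP, TTL) pair held in *key
 * and returns it. The entry is allocated with SnortAlloc and owned by the
 * tree; it is released by the delete callback during ubi_trKillTree. */
static TcpSynFloodPreventionStatTreeNodeData*
TcpSynFloodPreventionStatAddSource(TcpSynFloodPreventionModule* module,
                                   const TcpSynFloodPreventionStatTreeNodeData* key)
{
    TcpSynFloodPreventionStatTreeNodeData* newNodeData =
        (TcpSynFloodPreventionStatTreeNodeData*) SnortAlloc(sizeof(TcpSynFloodPreventionStatTreeNodeData));
    newNodeData->ipSrc = key->ipSrc;
    newNodeData->ttl = key->ttl;
    /* explicit, so the count does not depend on the allocator zeroing memory */
    newNodeData->counter = 0;
    /* Node is the first member, so the tree's node pointer is also the address
     * of the whole entry; the compare and delete callbacks rely on that. */
    ubi_trInsert(module->rootStat, &newNodeData->Node, (ubi_trItemPtr) newNodeData, NULL);
    return newNodeData;
}

/* Average number of counted packets per known source, or 0 for an empty tree. */
static double TcpSynFloodPreventionStatAveragePerSource(const TcpSynFloodPreventionModule* module)
{
    double nodesCount = ubi_trCount(module->rootStat);
    return (nodesCount != 0) ? module->totalPacketsCount / nodesCount : 0;
}

/* Classifies one packet by its (source IP, TTL) pair, counting it into the
 * statistics first when changeStat is CHANGE_STAT_YES.
 *
 * module     - module created by TcpSynFloodPreventionStatCreateModule
 * packet     - decoded packet; only packet->iph (ip_src, ip_ttl) is read
 * changeStat - CHANGE_STAT_YES to count the packet, anything else to only
 *              classify it
 *
 * Returns PREVENTION_PACKET_IS_OK when the source's count is at or above the
 * per-source average, PREVENTION_PACKET_IS_BAD when it is below, or when the
 * source is unknown and the statistics were not updated. */
int TcpSynFloodPreventionStatProcessPacket(TcpSynFloodPreventionModule* module, Packet* packet, int changeStat)
{
    /* Without an IP header there is no (source, TTL) pair to look up; the
     * old code dereferenced packet->iph unconditionally.
     * NOTE(review): "not flagged" is returned because the classification
     * cannot be applied to such packets -- confirm with the calling rule. */
    if (module == NULL || packet == NULL || packet->iph == NULL)
        return PREVENTION_PACKET_IS_OK;

    /* Search key on the stack; a heap allocation per packet is unnecessary.
     * Only ipSrc and ttl are read by the compare callback. */
    TcpSynFloodPreventionStatTreeNodeData key = {0};
    key.ipSrc = packet->iph->ip_src;
    key.ttl = packet->iph->ip_ttl;
    TcpSynFloodPreventionStatTreeNodeData* currNodeData =
        (TcpSynFloodPreventionStatTreeNodeData*) ubi_trFind(module->rootStat, (ubi_trItemPtr) &key);

    // update statistics
    if (changeStat == CHANGE_STAT_YES)
    {
        if (currNodeData == NULL)
            currNodeData = TcpSynFloodPreventionStatAddSource(module, &key);
        module->totalPacketsCount++;
        currNodeData->counter++;
        /* counter is a long; %d here was a format/argument mismatch */
        printf("stats is updated %ld \n", currNodeData->counter);
    }

    // Make the decision if the packet is bad: an unseen source while not
    // updating statistics is treated as bad
    if (currNodeData == NULL)
        return PREVENTION_PACKET_IS_BAD;

    /* NOTE(review): the prints below run once per packet on stdout; fine for a
     * prototype, a debug-level log would be preferable in a sensor. */
    if (currNodeData->counter >= TcpSynFloodPreventionStatAveragePerSource(module))
    {
        printf("packet is OK\n");
        return PREVENTION_PACKET_IS_OK;
    }
    printf("packet is BAD\n");
    return PREVENTION_PACKET_IS_BAD;
}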
/* Ordering callback for the statistics tree.
 * Entries are ordered by source address first (s_addr compared as the raw
 * 32-bit value; any consistent total order is enough for the tree) and by
 * TTL second. ItemPtr is a search key, NodePtr the stored entry (whose Node
 * member is first, so the cast is valid).
 * Returns -1 if key < entry, 1 if key > entry, 0 if they are equal. */
static int TcpSynFloodPreventionStatTreeNodeDataCompareFunc(ubi_trItemPtr ItemPtr, ubi_trNodePtr NodePtr)
{
    const TcpSynFloodPreventionStatTreeNodeData *key =
        (const TcpSynFloodPreventionStatTreeNodeData *) ItemPtr;
    const TcpSynFloodPreventionStatTreeNodeData *entry =
        (const TcpSynFloodPreventionStatTreeNodeData *) NodePtr;

    if (key->ipSrc.s_addr != entry->ipSrc.s_addr)
        return (key->ipSrc.s_addr < entry->ipSrc.s_addr) ? -1 : 1;
    if (key->ttl != entry->ttl)
        return (key->ttl < entry->ttl) ? -1 : 1;
    return 0;
}
/* Tree teardown callback. Node is the first member of
 * TcpSynFloodPreventionStatTreeNodeData and entries are inserted via
 * &entry->Node, so NodePtr is the address of the whole allocated entry and
 * freeing it releases the entry. */
static void TcpSynFloodPreventionStatTreeNodeDataDeleteNode(ubi_btNodePtr NodePtr)
{
    void *entry = NodePtr;
    free(entry);
}
Приложение Б
Исходный код вспомогательной утилиты
Утилита предназначена для:
· извлечения из HTML-страницы списка пингуемых хостов;
· извлечения из логов пингования времени отклика;
· анализа распределения извлечённых значений времени отклика.
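namespace pings{
    /// <summary>
    /// Helper utility: extracts the hosts to ping from an HTML page and
    /// extracts round-trip times from ping logs. Output files are written to
    /// the current directory.
    /// </summary>
    class Class1{
        // Hostnames are written into a .cmd script, so only characters that cannot
        // introduce another command are accepted (letters, digits, '.', '-').
        static readonly Regex SafeHostPattern = new Regex(@"^[A-Za-z0-9.-]+$");

        /// <summary>
        /// Reads <paramref name="FileName"/> (an HTML page) and writes one
        /// "ping HOST" line per href into run_pings.cmd. Links containing
        /// "viacom.local" and values that are not a plain hostname are skipped.
        /// </summary>
        public static void ExtractUrls(string FileName){
            // using: both streams are closed even if reading or writing throws.
            using (StreamReader sr = new StreamReader(FileName))
            using (StreamWriter sw = new StreamWriter("run_pings.cmd")){
                string content = sr.ReadToEnd();
                // Non-greedy: the greedy form merged every href on a line into one match.
                string pattern = @"href=.*?""";
                MatchCollection matches = Regex.Matches(content, pattern);
                foreach(Match match in matches){
                    string val = match.Value;
                    if(val.IndexOf("viacom.local") > -1) continue;
                    string host = HostFromHref(val);
                    // Page content is untrusted and ends up on a command line:
                    // anything that is not a bare hostname is dropped, not written.
                    if(host.Length == 0 || !SafeHostPattern.IsMatch(host)) continue;
                    sw.WriteLine("ping " + host);
                }
            }
        }

        /// <summary>
        /// Strips "href=", quotes and an http/https scheme, then keeps the host
        /// part: everything before the first ':' or '/'.
        /// </summary>
        static string HostFromHref(string href){
            string val = href.Replace("href=", "").Replace(@"""", "");
            if(val.StartsWith("http://")) val = val.Substring("http://".Length);
            else if(val.StartsWith("https://")) val = val.Substring("https://".Length);
            int end = val.IndexOfAny(new char[] { ':', '/' });
            return end >= 0 ? val.Substring(0, end) : val;
        }

        /// <summary>
        /// Reads a ping log <paramref name="FileName"/> and writes the number
        /// from every "time=NNms" token on its own line to extracted_time.txt.
        /// </summary>
        public static void ExtractPingTime(string FileName){
            using (StreamReader sr = new StreamReader(FileName))
            using (StreamWriter sw = new StreamWriter("extracted_time.txt")){
                string line;
                while((line = sr.ReadLine()) != null){
                    if(line == string.Empty) continue;
                    foreach(string token in line.Split()){
                        if(token.IndexOf("time=") > -1){
                            sw.WriteLine(token.Replace("time=", "").Replace("ms", ""));
                        }
                    }
                }
            }
        }

        /// <summary>Prints the command-line syntax.</summary>
        public static void Usage(){
            Console.WriteLine("pings <option> <filename>");
            Console.WriteLine(" option={url, time}");
        }

        /// <summary>
        /// Entry point: "pings url FILE" or "pings time FILE". Any other
        /// argument count or option prints the usage.
        /// </summary>
        [STAThread]
        static void Main(string[] args){
            if(args.Length != 2){
                Usage();
                return;
            }
            switch(args[0]){
                case "url":
                    ExtractUrls(args[1]);
                    break;
                case "time":
                    ExtractPingTime(args[1]);
                    break;
                default:
                    // An unknown option used to be silently ignored.
                    Usage();
                    break;
            }
        }
    }
}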