資源簡介
在1998年,Martin Roesch用C語言開發(fā)了開放源代碼(Open Source)的入侵檢測系統(tǒng)Snort。直至今天,Snort已發(fā)展成為一個具有多平臺(Multi-Platform)、實時(Real-Time)流量分析、網(wǎng)絡(luò)IP數(shù)據(jù)包(Pocket)記錄等特性的強(qiáng)大的網(wǎng)絡(luò)入侵檢測/防御系統(tǒng)(Network Intrusion Detection/Prevention System),即NIDS/NIPS。Snort符合通用公共許可(GPL——GNU General Pubic License),在網(wǎng)上可以通過免費下載獲得Snort,并且只需要幾分鐘就可以安裝并開始使用。
代碼片段和文件信息
/*?$Id$?*/
/****************************************************************************
?*
?*?Copyright?(C)?2014-2020?Cisco?and/or?its?affiliates.?All?rights?reserved.
?*?Copyright?(C)?2005-2013?Sourcefire?Inc.
?*
?*?This?program?is?free?software;?you?can?redistribute?it?and/or?modify
?*?it?under?the?terms?of?the?GNU?General?Public?License?Version?2?as
?*?published?by?the?Free?Software?Foundation.??You?may?not?use?modify?or
?*?distribute?this?program?under?any?other?version?of?the?GNU?General
?*?Public?License.
?*
?*?This?program?is?distributed?in?the?hope?that?it?will?be?useful
?*?but?WITHOUT?ANY?WARRANTY;?without?even?the?implied?warranty?of
?*?MERCHANTABILITY?or?FITNESS?FOR?A?PARTICULAR?PURPOSE.??See?the
?*?GNU?General?Public?License?for?more?details.
?*
?*?You?should?have?received?a?copy?of?the?GNU?General?Public?License
?*?along?with?this?program;?if?not?write?to?the?Free?Software
?*?Foundation?Inc.?51?Franklin?Street?Fifth?Floor?Boston?MA??02110-1301?USA.
?*
?****************************************************************************/
//?@file????active.c
//?@author??Russ?Combs?
#ifdef?HAVE_CONFIG_H
#include?“config.h“
#endif
#ifdef?HAVE_DUMBNET_H
#include?
#else
#include?
#endif
#include?“active.h“
#include?“session_api.h“
#include?“stream_api.h“
#include?“snort.h“
#include?“preprocessors/spp_frag3.h“
#ifdef?ACTIVE_RESPONSE
#include?“encode.h“
#include?“sfdaq.h“
#endif
//?these?can‘t?be?pkt?flags?because?we?do?the?handling
//?of?these?flags?following?all?processing?and?the?drop
//?or?response?may?have?been?produced?by?a?pseudopacket.
tActiveDrop?active_drop_pkt?=?ACTIVE_ALLOW;
tActiveSsnDrop?active_drop_ssn?=?ACTIVE_SSN_ALLOW;
//?TBD?consider?performance?of?replacing?active_drop_pkt/ssn
//?with?a?active_verdict.??change?over?if?it?is?a?wash?or?better.
int?active_tunnel_bypass?=?0;
int?active_suspend?=?0;
#ifdef?ACTIVE_RESPONSE
int?active_have_rsp?=?0;
#define?MAX_ATTEMPTS?20
static?uint8_t?s_attempts?=?0;
static?int?s_enabled?=?0;
static?eth_t*?s_link?=?NULL;
static?ip_t*?s_ipnet?=?NULL;
static?void*?s_rejData?*s_rspData;
static?Active_ResponseFunc?s_rejFunc?=?NULL?s_rspFunc?=?NULL;
static?int?Active_Open(const?char*);
static?int?Active_Close(void);
static?int?Active_SendEth(const?DAQ_PktHdr_t*?int?const?uint8_t*?uint32_t);
static?int?Active_SendIp(const?DAQ_PktHdr_t*?int?const?uint8_t*?uint32_t);
typedef?int?(*send_t)?(
????const?DAQ_PktHdr_t*?h?int?rev?const?uint8_t*?buf?uint32_t?len);
static?send_t?s_send?=?DAQ_Inject;
static?uint64_t?s_injects?=?0;
static?inline?PROTO_ID?GetInnerProto?(const?Packet*?p)
{
????if?(?!p->next_layer?)?return?PROTO_MAX;
????return?(?p->layers[p->next_layer-1].proto?);
}
//--------------------------------------------------------------------
//?this?implementation?ensures?that?flexible?responses
//?take?precedence?over?active?responses.
int?Active_QueueReject?(void)
{
????if?(?Active_Suspended()?)
????????return?0;
????if?(?!s_ 評論
共有 條評論
川公網(wǎng)安備 51152502000135號