參考
Snort源碼分析報告(持續更新)
《Snort 入侵檢測系統源碼分析–獨孤九賤》
雜
在成功寫出一個HelloWorld預處理器之後就可以考慮怎麼去實現想要的功能了
snort:預處理器開發HelloWorld
這部分內容需要對源碼有一定了解,所以建議結合一些源碼分析的相關書籍來看。
另外,看源碼的話我是在 CLion 上看的,這種工作還是有個好用的 IDE 比較方便。
重要的數據結構 _Packet
位置
src/decode.h 1687到1856行
源碼如下,註釋都蠻清楚的:
/*
 * Per-packet decode state passed to preprocessors and detection (Snort 2.x,
 * src/decode.h). Most members are pointers to headers of a single captured
 * packet plus the lengths/flags the decoder derived from them; the
 * "nothing after this point is zeroed" marker below separates the part that
 * is cleared per packet from the part that is not.
 */
typedef struct _Packet
{
// packet header as captured (via libpcap / DAQ)
const DAQ_PktHdr_t *pkth;
// pointer to the captured raw packet
const uint8_t *pkt; // raw packet data
//vvv------------------------------------------------
// TODO convenience stuff to be refactored for layers
//^^^------------------------------------------------
//vvv-----------------------------
EtherARP *ah;
const EtherHdr *eh; /* standard TCP/IP/Ethernet/ARP headers */
const VlanTagHdr *vh;
EthLlc *ehllc;
EthLlcOther *ehllcother;
const PPPoEHdr *pppoeh; /* Encapsulated PPP of Ether header */
const GREHdr *greh;
uint32_t *mpls;
const CiscoMetaHdr *cmdh; /* Cisco Metadata Header */
const IPHdr *iph, *orig_iph;/* and orig. headers for ICMP_*_UNREACH family */
const IPHdr *inner_iph; /* if IP-in-IP, this will be the inner IP header */
const IPHdr *outer_iph; /* if IP-in-IP, this will be the outer IP header */
const TCPHdr *tcph, *orig_tcph;
const UDPHdr *udph, *orig_udph;
const UDPHdr *inner_udph; /* if Teredo + UDP, this will be the inner UDP header */
const UDPHdr *outer_udph; /* if Teredo + UDP, this will be the outer UDP header */
const ICMPHdr *icmph, *orig_icmph;
const uint8_t *data; /* packet payload pointer; dsize below gives its length */
const uint8_t *ip_data; /* IP payload pointer; ip_dsize below gives its length */
const uint8_t *outer_ip_data; /* Outer IP payload pointer; outer_ip_dsize below gives its length */
//^^^-----------------------------
void *ssnptr; /* for tcp session tracking info... */
void *fragtracker; /* for ip fragmentation tracking info... */
//vvv-----------------------------
IP4Hdr *ip4h, *orig_ip4h;
IP6Hdr *ip6h, *orig_ip6h;
ICMP6Hdr *icmp6h, *orig_icmp6h;
IPH_API* iph_api;
IPH_API* orig_iph_api;
IPH_API* outer_iph_api;
IPH_API* outer_orig_iph_api;
int family;
int orig_family;
int outer_family;
//^^^-----------------------------
PreprocEnableMask preprocessor_bits; /* flags for preprocessors to check */
uint64_t packet_flags; /* special flags for the packet */
uint32_t xtradata_mask;
uint16_t proto_bits;
//vvv-----------------------------
uint16_t dsize; /* packet payload size; NOTE(review): reads through data should be bounded by this value */
uint16_t ip_dsize; /* IP payload size */
uint16_t alt_dsize; /* the dsize of a packet before munging (used for log)*/
uint16_t actual_ip_len; /* for logging truncated pkts (usually by small snaplen)*/
uint16_t outer_ip_dsize; /* Outer IP payload size */
//^^^-----------------------------
uint16_t frag_offset; /* fragment offset number */
uint16_t ip_frag_len;
uint16_t ip_options_len;
uint16_t tcp_options_len;
//vvv-----------------------------
uint16_t sp; /* source port (TCP/UDP) */
uint16_t dp; /* dest port (TCP/UDP) */
uint16_t orig_sp; /* source port (TCP/UDP) of original datagram */
uint16_t orig_dp; /* dest port (TCP/UDP) of original datagram */
//^^^-----------------------------
// and so on ...
int16_t application_protocol_ordinal;
uint8_t frag_flag; /* flag to indicate a fragmented packet */
uint8_t mf; /* more fragments flag */
uint8_t df; /* don't fragment flag */
uint8_t rf; /* IP reserved bit */
uint8_t ip_option_count; /* number of options in this packet (valid entries in ip_options[] below) */
uint8_t tcp_option_count; /* number of valid entries in tcp_options[] below */
uint8_t ip6_extension_count;
uint8_t ip6_frag_index;
uint8_t error_flags; /* flags indicate checksum errors, bad TTLs, etc. */
uint8_t encapsulated;
uint8_t GTPencapsulated;
uint8_t next_layer; /* index into layers for next encap */
#ifndef NO_NON_ETHER_DECODER
const Fddi_hdr *fddihdr; /* FDDI support headers */
Fddi_llc_saps *fddisaps;
Fddi_llc_sna *fddisna;
Fddi_llc_iparp *fddiiparp;
Fddi_llc_other *fddiother;
const Trh_hdr *trh; /* Token Ring support headers */
Trh_llc *trhllc;
Trh_mr *trhmr;
Pflog1Hdr *pf1h; /* OpenBSD pflog interface header - version 1 */
Pflog2Hdr *pf2h; /* OpenBSD pflog interface header - version 2 */
Pflog3Hdr *pf3h; /* OpenBSD pflog interface header - version 3 */
Pflog4Hdr *pf4h; /* OpenBSD pflog interface header - version 4 */
#ifdef DLT_LINUX_SLL
const SLLHdr *sllh; /* Linux cooked sockets header */
#endif
#ifdef DLT_IEEE802_11
const WifiHdr *wifih; /* wireless LAN header */
#endif
const EtherEapol *eplh; /* 802.1x EAPOL header */
const EAPHdr *eaph;
const uint8_t *eaptype;
EapolKey *eapolk;
#endif
// nothing after this point is zeroed ...
// NOTE(review): the members below are not cleared per packet, so they may
// still hold values from an earlier packet. Consumers should rely on the
// counts/indices above (ip_option_count, tcp_option_count, ip6_extension_count,
// next_layer) to decide which entries are valid — confirm against the decoder.
Options ip_options[IP_OPTMAX]; /* ip options decode structure */
Options tcp_options[TCP_OPTLENMAX]; /* tcp options decode struct */
IP6Option *ip6_extensions; /* IPv6 Extension References */
CiscoMetaOpt *cmd_options; /* Cisco Metadata header options */
const uint8_t *ip_frag_start;
const uint8_t *ip_options_data;
const uint8_t *tcp_options_data;
const IP6RawHdr* raw_ip6h; // innermost raw ip6 header
Layer layers[LAYER_MAX]; /* decoded encapsulations; next_layer above indexes into this */
IPAddresses inner_ips, inner_orig_ips;
IP4Hdr inner_ip4h, inner_orig_ip4h;
IP6Hdr inner_ip6h, inner_orig_ip6h;
IPAddresses outer_ips, outer_orig_ips;
IP4Hdr outer_ip4h, outer_orig_ip4h;
IP6Hdr outer_ip6h, outer_orig_ip6h;
MplsHdr mplsHdr;
H2Hdr *h2Hdr;
PseudoPacketType pseudo_type; // valid only when PKT_PSEUDO is set
uint16_t max_dsize;
/**policyId provided in configuration file. Used for correlating configuration
* with event output
*/
uint16_t configPolicyId;
uint32_t iplist_id;
unsigned char iprep_layer;
uint8_t ps_proto; // Used for portscan and unified2 logging
uint8_t ips_os_selected;
void *cur_pp;
// Expected session created due to this packet.
struct _ExpectNode* expectedSession;
} Packet;
_Packet 的成員共有三種:
- 指向原始數據包信息的指針:pkth 和 pkt
- 當前數據包經過不同協議解析後得到的信息,如 sp 表示 TCP/UDP 的源端口。這一類成員最多,需要對各類協議有一定了解 - ?新版本好像不太一樣了。留坑