libnids study

This article describes the working principle and core components of a network intrusion detection system (NIDS) built on libnids. It walks through the flow of the main() function, covering initialization, registration of callback functions and the run loop, and then explains each parameter of the nids_params structure and what it controls.


First comes the main() function, whose shape is:

#include <stdio.h>
#include <stdlib.h>
#include <nids.h>

/* The application's TCP stream handler; defined by the application and not shown on this page. */
void tcp_callback (struct tcp_stream *a_tcp, void **this_time_not_needed);

int main ()
{
    /* adjust nids_params here, before nids_init(), if the defaults are not wanted */
    if (!nids_init ())
    {
        fprintf(stderr,"%s\n",nids_errbuf);   /* nids_errbuf holds the reason nids_init() failed */
        exit(1);
    }
    nids_register_tcp (tcp_callback);   /* registration of callback functions */
    nids_run ();                        /* capture loop; normally does not return */
    /* not reached in normal situation */
    return 0;
}

nids_init() initializes the packet-capture application based on the global variable nids_params, whose layout is as follows:

struct nids_prm {
    int    n_tcp_streams;   /* Size of the hash table used for storing TCP connection information. Default value: 1024 */
    int    n_hosts;         /* Size of the hash table used for storing IP defragmentation information. Default value: 256 */
    char   *device;         /* Interface to monitor. Default value: NULL (in which case an appropriate device is
                               determined automatically). If this variable is assigned the value "all", libnids will
                               attempt to capture packets on all interfaces (which works on Linux only) */
    char   *filename;       /* If set, pcap_open_offline() is called with this variable as the argument instead of
                               capturing live */
    int    sk_buff_size;
    int    dev_addon;
    void   (*syslog)(int type, int err, struct ip *iph, void *data);
    int    syslog_level;
    int    scan_num_hosts;
    int    scan_num_ports;
    int    scan_delay;
    void   (*no_mem)(void);
    int    (*ip_filter)(struct ip *iph);
    char   *pcap_filter;
    int    promisc;
    int    one_loop_less;
    int    pcap_timeout;
    int    multiproc;
    int    queue_limit;
    int    tcp_workarounds;
    pcap_t *pcap_desc;
} nids_params;

sk_buff_size
Size of struct sk_buff (used for queuing packets), which should be set to match the value on the hosts being monitored. Default value: 168
dev_addon
Number of bytes in struct sk_buff reserved for link-layer information. Default value: -1 (in which case an appropriate offset is determined automatically based on the link-layer type)
syslog
Syslog callback function, used to report unusual conditions, such as port scan attempts, invalid TCP header flags, etc. Default value: nids_syslog (which logs messages via syslog (3) without regard for message rate per second or free disk space)
syslog_level
Log level used by nids_syslog for reporting events via syslog (3) . Default value: LOG_ALERT
scan_num_hosts
Size of the hash table used for storing portscan information (the maximum number of portscans that will be detected simultaneously). If set to 0, portscan detection is disabled. Default value: 256
scan_num_ports
Minimum number of ports that must be scanned from the same source host before it is identified as a portscan. Default value: 10
scan_delay
Maximum delay (in milliseconds) between connections to different ports for them to be identified as part of a portscan. Default value: 3000
no_mem
Out-of-memory callback function, used to terminate the calling process gracefully.
ip_filter
IP filtering callback function, used to selectively discard IP packets, inspected after reassembly. If the function returns a non-zero value, the packet is processed; otherwise, it is discarded. Default value: nids_ip_filter (which always returns 1)
pcap_filter
pcap (3) filter string applied to the link-layer (raw, unassembled) packets. Note: a filter such as "tcp dst port 23" will NOT correctly handle fragmented traffic (e.g. 8-byte IP fragments), because only the first fragment carries the TCP header the filter matches on; every later fragment is dropped by the filter before libnids can reassemble the datagram. Append "or (ip[6:2] & 0x1fff != 0)" to the filter so that non-first fragments (nonzero fragment offset) are passed through for reassembly. Default value: NULL
promisc
If non-zero, libnids will set the interface (s) it listens on to promiscuous mode. Default value: 1
one_loop_less
Disabled by default; see comments in API.html file
pcap_timeout
Sets the pcap read timeout, which may or may not be supported by your platform. Default value: 1024.
multiproc
If nonzero, creates a separate thread for packets processing. See API.html. Default value: 0.
queue_limit
If multiproc is nonzero, this is the maximum number of packets queued in the thread which reads packets from libpcap. Default value: 20000
tcp_workarounds
Enables extra checks for faulty implementations of TCP such as the ones which allow connections to be closed despite the fact that there should be retransmissions for lost packets first (as stated by RFC 793, section 3.5). If non-zero, libnids will set the NIDS_TIMED_OUT state for savagely closed connections. Default value: 0
pcap_desc
If this variable is set, libnids will call neither pcap_open_live nor pcap_open_offline, but will use a pre-opened PCAP descriptor; use this with nids_pcap_handler() in order to interactively feed packets to libnids. Default value: NULL
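The three scan_* parameters above are easier to reason about with a small model of the rule they describe. The following is an added example, not libnids' own scan.c and not code from this page: a source is reported once it has probed scan_num_ports distinct ports with no gap longer than scan_delay milliseconds between consecutive attempts, and at most scan_num_hosts sources are tracked. The SCAN_* constants mirror the documented defaults, the per-host port cap is an assumption of this model, and the connection attempts it replays are constructed rather than captured.

```c
/* Added example, not libnids' own scan.c: a model of the documented
 * semantics of scan_num_hosts, scan_num_ports and scan_delay. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCAN_NUM_HOSTS 256   /* nids_params.scan_num_hosts default: table size */
#define SCAN_NUM_PORTS 10    /* nids_params.scan_num_ports default */
#define SCAN_DELAY_MS  3000  /* nids_params.scan_delay default */
#define PORTS_PER_HOST 64    /* cap for this model only (assumption) */

struct scan_host {
    uint32_t src;                 /* source IPv4 address, host byte order */
    uint64_t last_ms;             /* time of the previous attempt */
    int      nports;              /* distinct ports seen in the current burst */
    uint16_t ports[PORTS_PER_HOST];
};

struct scan_table {
    struct scan_host hosts[SCAN_NUM_HOSTS];
    int used;
};

/* Find or create the record for src; NULL when the table is full. */
static struct scan_host *scan_lookup(struct scan_table *t, uint32_t src)
{
    for (int i = 0; i < t->used; i++)
        if (t->hosts[i].src == src) return &t->hosts[i];
    if (t->used == SCAN_NUM_HOSTS) return NULL;
    struct scan_host *h = &t->hosts[t->used++];
    memset(h, 0, sizeof *h);
    h->src = src;
    return h;
}

/* Feed one SYN. Returns 1 exactly when this attempt reaches the threshold. */
static int scan_observe(struct scan_table *t, uint32_t src, uint16_t dport, uint64_t now_ms)
{
    struct scan_host *h = scan_lookup(t, src);
    if (!h) return 0;                              /* untracked: table exhausted */
    if (h->nports > 0 && now_ms - h->last_ms > SCAN_DELAY_MS)
        h->nports = 0;                             /* gap too long: burst starts over */
    h->last_ms = now_ms;
    for (int i = 0; i < h->nports; i++)
        if (h->ports[i] == dport) return 0;        /* retry of a known port: not a new probe */
    if (h->nports < PORTS_PER_HOST) h->ports[h->nports++] = dport;
    return h->nports == SCAN_NUM_PORTS;
}

/* Replay n SYNs from one source, spacing_ms apart, to ports 1..n (distinct != 0)
 * or all to port 80 (distinct == 0). Returns the 1-based attempt that raised the
 * alert, or 0 if none did. */
static int simulate(int n, uint64_t spacing_ms, int distinct)
{
    static struct scan_table t;   /* sizeable; keep it off the stack */
    memset(&t, 0, sizeof t);
    uint32_t src = 0x0a000001;    /* 10.0.0.1, constructed */
    for (int i = 0; i < n; i++) {
        uint16_t dport = distinct ? (uint16_t)(i + 1) : 80;
        if (scan_observe(&t, src, dport, (uint64_t)i * spacing_ms))
            return i + 1;
    }
    return 0;
}

int main(void)
{
    printf("fast sweep, 100 ms apart:  alert at attempt %d\n", simulate(12, 100, 1));
    printf("slow sweep, 3500 ms apart: alert at attempt %d\n", simulate(12, 3500, 1));
    printf("20 retries of one port:    alert at attempt %d\n", simulate(20, 100, 0));
    return 0;
}
```

The second run is the point to notice: a sweep paced just slower than scan_delay never trips the detector, because every gap resets the burst. Raising scan_delay catches slower sweeps at the cost of holding state longer per source, and a full table (scan_num_hosts) means attempts from additional sources are not tracked at all.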
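The pcap_filter caveat above is worth seeing on the wire. The following is an added example, not code from this page or from libnids: two IPv4 fragments of one TCP segment to port 23 are constructed inline (addresses, ports and payload are made up), and the two filter functions mirror the byte tests BPF compiles for "tcp dst port 23" and for the same expression with "or (ip[6:2] & 0x1fff != 0)" appended.

```c
/* Added example, not from the page or libnids: why "tcp dst port 23" drops
 * the fragments that libnids' defragmenter needs, and what the extra clause
 * admits. Packets are constructed; no capture is involved. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PROTO_TCP 6

/* Build a 20-byte IPv4 header. frag_field is the raw flags+offset word:
 * 0x2000 = MF set, offset 0; 0x0001 = offset 1 (8 bytes into the datagram). */
static size_t put_ipv4(uint8_t *buf, uint16_t total_len, uint16_t frag_field, uint8_t proto)
{
    memset(buf, 0, 20);
    buf[0] = 0x45;                                 /* version 4, IHL 5 */
    buf[2] = total_len >> 8; buf[3] = total_len & 0xff;
    buf[4] = 0x12; buf[5] = 0x34;                  /* same ID for both fragments */
    buf[6] = frag_field >> 8; buf[7] = frag_field & 0xff;
    buf[8] = 64; buf[9] = proto;                   /* TTL, protocol; checksum left 0 */
    buf[12] = 10; buf[15] = 1;                     /* src 10.0.0.1 (constructed) */
    buf[16] = 10; buf[19] = 2;                     /* dst 10.0.0.2 (constructed) */
    return 20;
}

/* Fragment 1: IP header + first 8 bytes of the TCP header (sport, dport, seq). */
static size_t build_first_fragment(uint8_t *buf)
{
    size_t n = put_ipv4(buf, 28, 0x2000, PROTO_TCP);
    uint8_t tcp8[8] = { 0x9c, 0x40, 0x00, 0x17, 0, 0, 0, 1 }; /* 40000 -> 23, seq 1 */
    memcpy(buf + n, tcp8, sizeof tcp8);
    return n + sizeof tcp8;
}

/* Fragment 2: IP header + the rest of the TCP header and 4 payload bytes.
 * No port number appears anywhere in this packet. */
static size_t build_second_fragment(uint8_t *buf)
{
    size_t n = put_ipv4(buf, 36, 0x0001, PROTO_TCP);
    uint8_t rest[16] = { 0,0,0,0, 0x50,0x18, 0xff,0xff, 0,0, 0,0, 'r','o','o','t' };
    memcpy(buf + n, rest, sizeof rest);
    return n + sizeof rest;
}

/* ip[6:2] & 0x1fff: the 13-bit fragment offset. */
static int frag_offset(const uint8_t *pkt, size_t len)
{
    if (len < 20) return -1;
    return ((pkt[6] << 8) | pkt[7]) & 0x1fff;
}

/* "tcp dst port N": BPF reads the TCP port only from IPv4 packets with protocol 6
 * AND fragment offset 0, because a later fragment has no TCP header to read. */
static int match_tcp_dst_port(const uint8_t *pkt, size_t len, uint16_t port)
{
    if (len < 20 || (pkt[0] >> 4) != 4 || pkt[9] != PROTO_TCP) return 0;
    if (frag_offset(pkt, len) != 0) return 0;
    size_t ihl = (pkt[0] & 0x0f) * 4;
    if (len < ihl + 4) return 0;
    return ((pkt[ihl + 2] << 8) | pkt[ihl + 3]) == port;
}

/* "tcp dst port N or (ip[6:2] & 0x1fff != 0)": also admit every non-first fragment,
 * so the IP defragmenter receives the pieces it needs to rebuild the segment. */
static int match_tcp_dst_port_or_frag(const uint8_t *pkt, size_t len, uint16_t port)
{
    return match_tcp_dst_port(pkt, len, port) || frag_offset(pkt, len) > 0;
}

/* Run filter variant (0 = plain, 1 = with fragment clause) over fragment 1 or 2. */
static int filter_passes(int augmented, int which)
{
    uint8_t pkt[64];
    size_t n = (which == 1) ? build_first_fragment(pkt) : build_second_fragment(pkt);
    return augmented ? match_tcp_dst_port_or_frag(pkt, n, 23)
                     : match_tcp_dst_port(pkt, n, 23);
}

int main(void)
{
    printf("plain filter:     frag1=%d frag2=%d\n", filter_passes(0, 1), filter_passes(0, 2));
    printf("with frag clause: frag1=%d frag2=%d\n", filter_passes(1, 1), filter_passes(1, 2));
    return 0;
}
```

With the plain filter the second fragment, which carries the actual payload, never reaches libnids, so a sender that fragments its traffic evades any TCP-level inspection in the callbacks. The augmented filter passes all non-first fragments regardless of protocol or port, which is the price of letting the defragmenter see complete datagrams; the ip_filter callback can then discard reassembled packets that turn out to be uninteresting.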
