#ifndef __KERNEL__
#define __KERNEL__
#endif
#ifndef MODULE
#define MODULE
#endif
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/types.h>
#include <linux/netdevice.h>
#include <linux/skbuff.h>
#include <linux/netfilter_ipv4.h>
#include <linux/inet.h>
#include <linux/in.h>
#include <linux/ip.h>
#include <linux/netlink.h>
#include <linux/spinlock.h>
#include <asm/semaphore.h>
#include <net/sock.h>
#include <linux/config.h>
#include <linux/udp.h>
#define ALERT(fmt,args...) printk("nsfocus: " fmt, ##args)
/* Messages are printed to the console (there will be many of them) and logged to /var/log/message. */
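/* Destination port whose URG-flagged segments the WinNuke check looks for (NetBIOS session). */
enum { NETBIOS_SSN_PORT = 139 };

/*
 * Raise an ALERT for each TCP flag pattern this IDS recognises
 * (land, WinNuke, Queso, SYN/FIN, NULL, full Xmas and FPU scans).
 *
 * tcph must point at a complete struct tcphdr inside the packet;
 * sip/dip are the network-order IPv4 addresses, used only for logging.
 */
static void tcp_flag_alerts(const struct tcphdr *tcph, __u32 sip, __u32 dip)
{
	/* SYN with identical source/destination endpoint: land attack signature. */
	if (tcph->syn && tcph->source == tcph->dest && sip == dip) {
		ALERT("maybe land attack\n");
	}
	if (ntohs(tcph->dest) == NETBIOS_SSN_PORT && tcph->urg) {
		ALERT("maybe winnuke a from %d.%d.%d.%d to %d.%d.%d.%d\n", NIPQUAD(sip), NIPQUAD(dip));
	}
	/* ECE+CWR together was the Queso fingerprint probe; ECN-capable stacks may also set both on a SYN. */
	if (tcph->ece && tcph->cwr) {
		ALERT("queso from %d.%d.%d.%d to %d.%d.%d.%d\n", NIPQUAD(sip), NIPQUAD(dip));
	}
	if (tcph->fin && tcph->syn && !tcph->rst && !tcph->psh && !tcph->ack && !tcph->urg) {
		ALERT("SF_scan from %d.%d.%d.%d to %d.%d.%d.%d\n", NIPQUAD(sip), NIPQUAD(dip));
	}
	if (!tcph->fin && !tcph->syn && !tcph->rst && !tcph->psh && !tcph->ack && !tcph->urg) {
		ALERT("NULL_scan from %d.%d.%d.%d to %d.%d.%d.%d\n", NIPQUAD(sip), NIPQUAD(dip));
	}
	if (tcph->fin && tcph->syn && tcph->rst && tcph->psh && tcph->ack && tcph->urg) {
		ALERT("FULL_Xmas_scan from %d.%d.%d.%d to %d.%d.%d.%d\n", NIPQUAD(sip), NIPQUAD(dip));
	}
	if (tcph->fin && !tcph->syn && !tcph->rst && tcph->psh && !tcph->ack && tcph->urg) {
		ALERT("XMAS_Scan(FPU)from %d.%d.%d.%d to %d.%d.%d.%d\n", NIPQUAD(sip), NIPQUAD(dip));
	}
}

/*
 * Netfilter PRE_ROUTING hook: inspect every incoming IPv4 packet and log
 * suspicious ones. Always returns NF_ACCEPT — this is an IDS, not a
 * filter; return NF_DROP instead if a packet should be discarded.
 *
 * hooknum/in/out/okfn are required by the nf_hookfn signature and unused.
 * The IP header (checksum, ihl >= 5) has been validated by the IP input
 * path before this hook runs; the transport header has not, so its length
 * is checked against skb->len before it is dereferenced.
 */
static unsigned int sample(unsigned int hooknum, struct sk_buff **skb,
			   const struct net_device *in,
			   const struct net_device *out,
			   int (*okfn)(struct sk_buff *))
{
	struct iphdr *iph = (*skb)->nh.iph;
	__u32 sip = iph->saddr;
	__u32 dip = iph->daddr;
	unsigned int hdrlen = iph->ihl * 4;
	/* First byte after the IP header (and any options). */
	unsigned char *transport = (unsigned char *)iph + hdrlen;

	/* ihl != 5 means IP options are present (ihl < 5 is rejected before the hook). */
	if (iph->ihl != 5) {
		ALERT("IP packet with options from %d.%d.%d.%d to %d.%d.%d.%d\n", NIPQUAD(sip), NIPQUAD(dip));
	}

	switch (iph->protocol) {
	case IPPROTO_TCP:
		/* Do not read a TCP header the packet does not actually carry. */
		if ((*skb)->len < hdrlen + sizeof(struct tcphdr)) {
			ALERT("truncated TCP header from %d.%d.%d.%d to %d.%d.%d.%d\n", NIPQUAD(sip), NIPQUAD(dip));
			break;
		}
		/* Per-packet trace is rate limited so a flood cannot stall the console. */
		if (net_ratelimit()) {
			printk("IP packet from %d.%d.%d.%d to %d.%d.%d.%d\n", NIPQUAD(sip), NIPQUAD(dip));
		}
		tcp_flag_alerts((const struct tcphdr *)transport, sip, dip);
		break;
	case IPPROTO_UDP:
		if ((*skb)->len < hdrlen + sizeof(struct udphdr)) {
			ALERT("truncated UDP header from %d.%d.%d.%d to %d.%d.%d.%d\n", NIPQUAD(sip), NIPQUAD(dip));
			break;
		}
		if (net_ratelimit()) {
			printk("IP packet from %d.%d.%d.%d to %d.%d.%d.%d\n", NIPQUAD(sip), NIPQUAD(dip));
		}
		/* UDP payload inspection would go here; the header is at (struct udphdr *)transport. */
		break;
	case IPPROTO_ICMP:
		/* ICMP inspection would go here. */
		break;
	case IPPROTO_IGMP:
		ALERT("igmp packet from %d.%d.%d.%d to %d.%d.%d.%d\n", NIPQUAD(sip), NIPQUAD(dip));
		break;
	default:
		ALERT("unknown protocol%d packet from %d.%d.%d.%d to %d.%d.%d.%d\n", iph->protocol, NIPQUAD(sip), NIPQUAD(dip));
		break;
	}

	return NF_ACCEPT;
}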
/*
 * Hook registration record: run sample() on IPv4 packets at PRE_ROUTING,
 * just ahead of the filter priority so it sees packets before iptables does.
 * .list is filled in by nf_register_hook(); it starts out empty.
 */
static struct nf_hook_ops imp2_ops = {
	.hook     = sample,
	.pf       = PF_INET,
	.hooknum  = NF_IP_PRE_ROUTING,
	.priority = NF_IP_PRI_FILTER - 1,
	.list     = { .next = NULL, .prev = NULL },
};
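/*
 * Module entry point: register the PRE_ROUTING hook.
 * Returns the nf_register_hook() result; a failure is also logged so a
 * silently missing IDS hook shows up in the kernel log, not only in insmod.
 */
static int __init init(void)
{
	int rc = nf_register_hook(&imp2_ops);

	if (rc) {
		ALERT("nf_register_hook failed (%d)\n", rc);
	}
	return rc;
}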
/* Module exit point: detach the PRE_ROUTING hook registered by init(). */
static void __exit fini(void)
{
	struct nf_hook_ops *ops = &imp2_ops;

	nf_unregister_hook(ops);
}
/* Bind init()/fini() to module load and unload. */
module_init(init);
module_exit(fini);
/* NOTE(review): no MODULE_LICENSE() is declared here; kernels that check it will treat the module as proprietary — confirm whether that is intended. */
#define __KERNEL__
#endif
#ifndef MODULE
#define MODULE
#endif
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/types.h>
#include <linux/netdevice.h>
#include <linux/skbuff.h>
#include <linux/netfilter_ipv4.h>
#include <linux/inet.h>
#include <linux/in.h>
#include <linux/ip.h>
#include <linux/netlink.h>
#include <linux/spinlock.h>
#include <asm/semaphore.h>
#include <net/sock.h>
#include <linux/config.h>
#include <linux/udp.h>
#define ALERT(fmt,args...) printk("nsfocus: " fmt, ##args)
/* Messages are printed to the console (there will be many of them) and logged to /var/log/message. */
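/* Destination port whose URG-flagged segments the WinNuke check looks for (NetBIOS session). */
enum { NETBIOS_SSN_PORT = 139 };

/*
 * Raise an ALERT for each TCP flag pattern this IDS recognises
 * (land, WinNuke, Queso, SYN/FIN, NULL, full Xmas and FPU scans).
 *
 * tcph must point at a complete struct tcphdr inside the packet;
 * sip/dip are the network-order IPv4 addresses, used only for logging.
 */
static void tcp_flag_alerts(const struct tcphdr *tcph, __u32 sip, __u32 dip)
{
	/* SYN with identical source/destination endpoint: land attack signature. */
	if (tcph->syn && tcph->source == tcph->dest && sip == dip) {
		ALERT("maybe land attack\n");
	}
	if (ntohs(tcph->dest) == NETBIOS_SSN_PORT && tcph->urg) {
		ALERT("maybe winnuke a from %d.%d.%d.%d to %d.%d.%d.%d\n", NIPQUAD(sip), NIPQUAD(dip));
	}
	/* ECE+CWR together was the Queso fingerprint probe; ECN-capable stacks may also set both on a SYN. */
	if (tcph->ece && tcph->cwr) {
		ALERT("queso from %d.%d.%d.%d to %d.%d.%d.%d\n", NIPQUAD(sip), NIPQUAD(dip));
	}
	if (tcph->fin && tcph->syn && !tcph->rst && !tcph->psh && !tcph->ack && !tcph->urg) {
		ALERT("SF_scan from %d.%d.%d.%d to %d.%d.%d.%d\n", NIPQUAD(sip), NIPQUAD(dip));
	}
	if (!tcph->fin && !tcph->syn && !tcph->rst && !tcph->psh && !tcph->ack && !tcph->urg) {
		ALERT("NULL_scan from %d.%d.%d.%d to %d.%d.%d.%d\n", NIPQUAD(sip), NIPQUAD(dip));
	}
	if (tcph->fin && tcph->syn && tcph->rst && tcph->psh && tcph->ack && tcph->urg) {
		ALERT("FULL_Xmas_scan from %d.%d.%d.%d to %d.%d.%d.%d\n", NIPQUAD(sip), NIPQUAD(dip));
	}
	if (tcph->fin && !tcph->syn && !tcph->rst && tcph->psh && !tcph->ack && tcph->urg) {
		ALERT("XMAS_Scan(FPU)from %d.%d.%d.%d to %d.%d.%d.%d\n", NIPQUAD(sip), NIPQUAD(dip));
	}
}

/*
 * Netfilter PRE_ROUTING hook: inspect every incoming IPv4 packet and log
 * suspicious ones. Always returns NF_ACCEPT — this is an IDS, not a
 * filter; return NF_DROP instead if a packet should be discarded.
 *
 * hooknum/in/out/okfn are required by the nf_hookfn signature and unused.
 * The IP header (checksum, ihl >= 5) has been validated by the IP input
 * path before this hook runs; the transport header has not, so its length
 * is checked against skb->len before it is dereferenced.
 */
static unsigned int sample(unsigned int hooknum, struct sk_buff **skb,
			   const struct net_device *in,
			   const struct net_device *out,
			   int (*okfn)(struct sk_buff *))
{
	struct iphdr *iph = (*skb)->nh.iph;
	__u32 sip = iph->saddr;
	__u32 dip = iph->daddr;
	unsigned int hdrlen = iph->ihl * 4;
	/* First byte after the IP header (and any options). */
	unsigned char *transport = (unsigned char *)iph + hdrlen;

	/* ihl != 5 means IP options are present (ihl < 5 is rejected before the hook). */
	if (iph->ihl != 5) {
		ALERT("IP packet with options from %d.%d.%d.%d to %d.%d.%d.%d\n", NIPQUAD(sip), NIPQUAD(dip));
	}

	switch (iph->protocol) {
	case IPPROTO_TCP:
		/* Do not read a TCP header the packet does not actually carry. */
		if ((*skb)->len < hdrlen + sizeof(struct tcphdr)) {
			ALERT("truncated TCP header from %d.%d.%d.%d to %d.%d.%d.%d\n", NIPQUAD(sip), NIPQUAD(dip));
			break;
		}
		/* Per-packet trace is rate limited so a flood cannot stall the console. */
		if (net_ratelimit()) {
			printk("IP packet from %d.%d.%d.%d to %d.%d.%d.%d\n", NIPQUAD(sip), NIPQUAD(dip));
		}
		tcp_flag_alerts((const struct tcphdr *)transport, sip, dip);
		break;
	case IPPROTO_UDP:
		if ((*skb)->len < hdrlen + sizeof(struct udphdr)) {
			ALERT("truncated UDP header from %d.%d.%d.%d to %d.%d.%d.%d\n", NIPQUAD(sip), NIPQUAD(dip));
			break;
		}
		if (net_ratelimit()) {
			printk("IP packet from %d.%d.%d.%d to %d.%d.%d.%d\n", NIPQUAD(sip), NIPQUAD(dip));
		}
		/* UDP payload inspection would go here; the header is at (struct udphdr *)transport. */
		break;
	case IPPROTO_ICMP:
		/* ICMP inspection would go here. */
		break;
	case IPPROTO_IGMP:
		ALERT("igmp packet from %d.%d.%d.%d to %d.%d.%d.%d\n", NIPQUAD(sip), NIPQUAD(dip));
		break;
	default:
		ALERT("unknown protocol%d packet from %d.%d.%d.%d to %d.%d.%d.%d\n", iph->protocol, NIPQUAD(sip), NIPQUAD(dip));
		break;
	}

	return NF_ACCEPT;
}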
/*
 * Hook registration record: run sample() on IPv4 packets at PRE_ROUTING,
 * just ahead of the filter priority so it sees packets before iptables does.
 * .list is filled in by nf_register_hook(); it starts out empty.
 */
static struct nf_hook_ops imp2_ops = {
	.hook     = sample,
	.pf       = PF_INET,
	.hooknum  = NF_IP_PRE_ROUTING,
	.priority = NF_IP_PRI_FILTER - 1,
	.list     = { .next = NULL, .prev = NULL },
};
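/*
 * Module entry point: register the PRE_ROUTING hook.
 * Returns the nf_register_hook() result; a failure is also logged so a
 * silently missing IDS hook shows up in the kernel log, not only in insmod.
 */
static int __init init(void)
{
	int rc = nf_register_hook(&imp2_ops);

	if (rc) {
		ALERT("nf_register_hook failed (%d)\n", rc);
	}
	return rc;
}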
/* Module exit point: detach the PRE_ROUTING hook registered by init(). */
static void __exit fini(void)
{
	struct nf_hook_ops *ops = &imp2_ops;

	nf_unregister_hook(ops);
}
/* Bind init()/fini() to module load and unload. */
module_init(init);
module_exit(fini);
/* NOTE(review): no MODULE_LICENSE() is declared here; kernels that check it will treat the module as proprietary — confirm whether that is intended. */