detect.c
#include "nids.h"
#include "string.h"

#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <unistd.h>
/*
下面是檢測掃描用的掃描信息數據結構
*/
/*
 * One recorded probe of a port scan: where it went and which TCP
 * flags it carried.  Member names and layout are kept exactly as
 * before, since libnids fills these records in.
 */
struct scan
{
    unsigned int addr;     /* target address, printed with inet_ntoa() */
    unsigned short port;   /* target port */
    unsigned char flags;   /* TCP flag byte of the probe */
};
/*
下面是檢測掃描時用到的掃描主機數據結構
*/
/*
 * A scanning host as tracked by the scan detector: a doubly linked
 * list node holding the scanner's address, a timestamp and the list
 * of probes seen from it.  Layout is unchanged from the original.
 */
struct host
{
    struct host *next;     /* next host record */
    struct host *prev;     /* previous host record */
    unsigned int addr;     /* address of the scanning host */
    int modtime;           /* timestamp of the last update */
    int n_packets;         /* number of valid entries in packets[] */
    struct scan *packets;  /* recorded probes, n_packets of them */
};
/*
下面是IP協議首部的數據結構
*/
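/*
 * IPv4 header as it appears on the wire (RFC 791, 20 bytes without
 * options).  The callback in this file overlays this struct on the
 * header libnids hands it and reads ip_src/ip_dst, so every field
 * must have its wire width: the previous definition used 32-bit
 * tos/ttl/protocol and 8-bit length/id/offset/checksum fields, which
 * pushed ip_src to offset 24 and made the callback print bytes from
 * beyond the IP header.  Multi-byte fields are in network byte order.
 */
struct ip_header
{
#if defined(WORDS_BIGENDIAN)
    unsigned int ip_v: 4, ip_hl: 4;  /* version, header length in 32-bit words */
#else
    unsigned int ip_hl: 4, ip_v: 4;  /* header length in 32-bit words, version */
#endif
    uint8_t ip_tos;          /* type of service */
    uint16_t ip_len;         /* total length */
    uint16_t ip_id;          /* identification */
    uint16_t ip_off;         /* flags and fragment offset */
    uint8_t ip_ttl;          /* time to live */
    uint8_t ip_p;            /* transport protocol */
    uint16_t ip_csum;        /* header checksum */
    struct in_addr ip_src;   /* source address */
    struct in_addr ip_dst;   /* destination address */
};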
/*
下面是TCP協議首部的數據結構
*/
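/*
 * TCP header as it appears on the wire (RFC 793, 20 bytes without
 * options).  The previous definition used 8-bit ports and 16-bit
 * sequence/acknowledgement numbers, so it could not be overlaid on a
 * real header; the widths below match the wire format, giving a
 * 20-byte struct with th_flags at offset 13.  Multi-byte fields are in
 * network byte order.
 */
struct tcp_header0
{
    uint16_t th_sport;       /* source port */
    uint16_t th_dport;       /* destination port */
    uint32_t th_seq;         /* sequence number */
    uint32_t th_ack;         /* acknowledgement number */
#ifdef WORDS_BIGENDIAN
    uint8_t th_off: 4,       /* data offset in 32-bit words */
            th_x2: 4;        /* reserved */
#else
    uint8_t th_x2: 4,        /* reserved */
            th_off: 4;       /* data offset in 32-bit words */
#endif
    uint8_t th_flags;        /* control bits: FIN, SYN, RST, PSH, ACK, URG ... */
    uint16_t th_win;         /* window size */
    uint16_t th_sum;         /* checksum */
    uint16_t th_urp;         /* urgent pointer */
};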
/*
下面是檢測掃描攻擊和異常數據包的函數
*/
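/*
 * Render a raw IPv4 address into buf.  inet_ntop() is used instead of
 * inet_ntoa() because inet_ntoa() returns a single static buffer, which
 * makes formatting two addresses for one output line error-prone.
 *
 * addr: address in the form stored in the IP header / scan records.
 * buf, len: destination and its size; "?" is written if conversion fails.
 */
static void format_ipv4(in_addr_t addr, char *buf, size_t len)
{
    struct in_addr in = { .s_addr = addr };
    if (inet_ntop(AF_INET, &in, buf, (socklen_t) len) == NULL && len > 0)
    {
        snprintf(buf, len, "?");
    }
}

/*
 * Warning callback registered as nids_params.syslog.
 *
 * type:   warning class (NIDS_WARN_IP, NIDS_WARN_TCP, NIDS_WARN_SCAN, ...).
 * errnum: warning number used to index nids_warnings[].
 * iph:    IP header of the offending packet (read only for the address
 *         fields).
 * data:   type-specific payload; for NIDS_WARN_SCAN it is the
 *         struct host describing the scanner.  For the other classes
 *         it is not decoded here.
 *
 * Everything is written to stdout; nothing is returned.
 */
static void my_nids_syslog(int type, int errnum, struct ip_header *iph, void *data)
{
    /* TCP flag bits the scan-type classification below is based on. */
    enum { FLAG_FIN = 0x01, FLAG_SYN = 0x02 };
    static int scan_number = 0;                 /* scans reported so far */
    char source_ip[INET_ADDRSTRLEN];
    char destination_ip[INET_ADDRSTRLEN];
    struct host *host_information;
    /* AND / OR of all probe flag bytes; equal only when every probe carried
     * the same flags, which is what the classification requires. */
    unsigned char flagsand = 0xff, flagsor = 0;
    int i;

    switch (type)
    {
    case NIDS_WARN_IP:
        /* iph is deliberately not dereferenced for a header error:
         * the header itself is what is suspect in that case. */
        if (errnum != NIDS_WARN_IP_HDR)
        {
            format_ipv4(iph->ip_src.s_addr, source_ip, sizeof source_ip);
            format_ipv4(iph->ip_dst.s_addr, destination_ip, sizeof destination_ip);
            printf("%s,packet(apparently from %s to %s\n", nids_warnings[errnum], source_ip, destination_ip);
        }
        else
        {
            printf("%s\n", nids_warnings[errnum]);
        }
        /* The break was missing: the non-header branch fell through into
         * the TCP case and re-read the addresses. */
        break;

    case NIDS_WARN_TCP:
        format_ipv4(iph->ip_src.s_addr, source_ip, sizeof source_ip);
        format_ipv4(iph->ip_dst.s_addr, destination_ip, sizeof destination_ip);
        /* Report every TCP warning; previously only NIDS_WARN_TCP_HDR was
         * printed and all other TCP warnings were silently dropped.
         * NOTE(review): for the non-header warnings data presumably points
         * at the TCP header, so the port pair could be added once a
         * wire-accurate TCP header struct is confirmed against libnids. */
        printf("%s,from %s to %s\n", nids_warnings[errnum], source_ip, destination_ip);
        break;

    case NIDS_WARN_SCAN:
        scan_number++;
        host_information = (struct host *) data;
        printf("------------- %d -------------\n", scan_number);
        printf("----- 發現掃描攻擊 -----\n");
        printf("掃描者的IP地址為:\n");
        format_ipv4(host_information->addr, source_ip, sizeof source_ip);
        printf("%s\n", source_ip);
        printf("被掃描者的IP地址和端口號為:\n");
        /* Each probe is printed directly.  The old code strcat()ed every
         * "addr:port" line into a fixed 1024-byte buffer, but n_packets is
         * set by libnids (presumably capped by nids_params.scan_num_ports,
         * not by anything in this file), so the buffer could overflow. */
        for (i = 0; i < host_information->n_packets; i++)
        {
            format_ipv4(host_information->packets[i].addr, destination_ip, sizeof destination_ip);
            /* %hu: the port is an unsigned short; %hi showed ports above
             * 32767 as negative numbers. */
            printf("%s:%hu\n", destination_ip, host_information->packets[i].port);
            flagsand &= host_information->packets[i].flags;
            flagsor |= host_information->packets[i].flags;
        }
        if (flagsand == flagsor)
        {
            switch (flagsand)
            {
            case FLAG_SYN:
                printf("掃描類型為: SYN\n");
                break;
            case 0:
                printf("掃描類型為: NULL\n");
                break;
            case FLAG_FIN:
                printf("掃描類型為: FIN\n");
                break;
            default:
                printf("標志=0x%x\n", (unsigned) flagsand);
                break;
            }
        }
        else
        {
            /* Mixed flag bytes across the probes (also hit when n_packets
             * is 0, since flagsand stays 0xff and flagsor 0). */
            printf("標志異常\n");
        }
        break;

    default:
        /* The old code formatted this message into one buffer and printed
         * a different, uninitialised one. */
        printf("%s\n", "未知");
        break;
    }
}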
/*
主函數
*/
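/*
 * Entry point: registers the warning callback, restricts capture to IP
 * packets and hands control to the libnids capture loop.
 *
 * Returns 1 when nids_init() fails (the libnids error text is written to
 * stderr); nids_run() is not expected to return, but 0 is returned if it
 * does.
 */
int main(void)
{
    /* NOTE(review): my_nids_syslog takes a struct ip_header *; confirm
     * that this matches the callback signature nids.h declares for
     * nids_params.syslog. */
    nids_params.syslog = my_nids_syslog;  /* callback for scans and malformed packets */
    nids_params.pcap_filter = "ip";       /* capture only IP packets */
    if (!nids_init())
    {
        /* Diagnostics go to stderr so they are not mixed into the report
         * written on stdout. */
        fprintf(stderr, "出現錯誤:%s\n", nids_errbuf);
        return 1;
    }
    nids_run();  /* capture loop; normally never returns */
    return 0;
}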