#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <arpa/inet.h>

#include <pcap.h>
// Number of slots in each DetectedHost's port_list/time_list arrays; it is
// also the upper bound that parse_detect_para applies to port_num.
#define MAXNUM_SCANNEDPORT 10
typedef struct detect_para{ // data structure holding the command-line parameters
int port_num; // number of packets captured within one period; pcap_callback alerts once a record's tracked-port count reaches this value
int period; // the configured period; compared against differences of time_t second values
}detect_para;
// IPv4 header layout that pcap_callback overlays on the captured bytes.
// Only proto, sourceIP and destIP are read in this file; header_len is never
// consulted, and the TCP header is located at a fixed offset instead.
// Nothing in this file converts the multi-byte fields from network byte order.
// NOTE(review): bit-field allocation order is implementation-defined, so
// whether version/header_len and flags/fragment line up with the wire bits
// their names suggest depends on the compiler and byte order. Confirm before
// relying on any of the bit-fields.
typedef struct { // IP header format
u_char version:4;
u_char header_len:4;
u_char tos:8;
u_int16_t total_len:16;
u_int16_t ident:16;
u_char flags:3;
u_int16_t fragment:13;
u_char ttl:8;
u_char proto:8; // compared against 6 in pcap_callback to select TCP
u_int16_t checksum;
u_char sourceIP[4];
u_char destIP[4];
}IPHEADER;
// TCP header layout that pcap_callback overlays on the captured bytes.
// Only syn, ack and dest_port are read in this file.
// NOTE(review): the flag bit-fields depend on the compiler's bit-field
// allocation order, which is implementation-defined. Confirm the layout on
// every target this is built for.
typedef struct { // TCP header format
u_int16_t source_port;
u_int16_t dest_port; // stored into port_list as-is, without byte-order conversion
u_int32_t seq;
u_int32_t ack_seq;
u_int16_t res1:4; // (no description in the original; presumably reserved bits)
u_int16_t doff:4; // data offset (header length), usually 5
u_int16_t fin:1; // 1 means close the connection
u_int16_t syn:1; // 1 means connection request
u_int16_t rst:1; // rst set to 1 means reset the connection
u_int16_t psh:1; // 1 means the receiver hands the data to the upper layer immediately
u_int16_t ack:1; // 1 when the acknowledgment number is valid
u_int16_t urg:1; // 1 means urgent data
u_int16_t res2:2; // (no description in the original; presumably reserved bits)
u_int16_t window; // window: tells the peer how much can be received
u_int16_t check; // checksum over the TCP data
u_int16_t urg_prt; // when urg=1, offset of the urgent data relative to the sequence number
}TCPHEADER;
// One tracked record in the singly linked list headed by pHostlistHeader.
// pcap_callback also allocates a temporary record per SYN packet, filling
// only slot 0 of port_list/time_list, and either links it in or frees it.
typedef struct DetectedHost
{
u_char src_ip[4]; // source address bytes copied from the IP header; printed by output_alert
u_char dest_ip[4]; // destination address bytes; the only field updatehostinfo matches on
u_short port_list[MAXNUM_SCANNEDPORT]; // destination ports seen; the value 0 marks an empty slot
time_t time_list[MAXNUM_SCANNEDPORT]; // seconds timestamp recorded for the port in the same slot
struct DetectedHost *next; // next record, or NULL at the end of the list
}DetectedHost;
DetectedHost* pHostlistHeader;// global: head of the linked list of IP addresses being tracked
detect_para para;// global para: holds the values of the command-line parameters
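/**
 * Fill *result from the command line.
 *
 * With no arguments both values default to 5. With exactly two arguments,
 * argv[1] is the port-count threshold (capped at MAXNUM_SCANNEDPORT) and
 * argv[2] is the detection period.
 *
 * Both arguments must be complete decimal integers of at least 1. The
 * original atoi() calls turned non-numeric text into 0 and let negative
 * values through; a threshold below 1 is met by every tracked record and a
 * negative period expires every slot, so such input is now rejected.
 *
 * @param argc   argument count as passed to main
 * @param argv   argument vector as passed to main
 * @param result destination for the parsed values; written only on success
 * @return 0 on success, 1 when the arguments cannot be used
 */
int parse_detect_para(int argc,char*argv[],detect_para *result)
{
    long parsed[2];
    int i;

    if (result == NULL)
        return 1;

    if (argc == 1) {
        result->port_num = 5;
        result->period = 5;
        return 0;
    }
    if (argc != 3)
        return 1; /* wrong number of arguments */

    for (i = 0; i < 2; i++) {
        const char *text = argv[i + 1];
        char *end = NULL;

        errno = 0;
        parsed[i] = strtol(text, &end, 10);
        /* Reject empty input, trailing junk and out-of-range numbers. */
        if (end == text || *end != '\0' || errno == ERANGE)
            return 1;
        if (parsed[i] < 1 || parsed[i] > INT_MAX)
            return 1;
    }

    /* The tracking arrays hold at most MAXNUM_SCANNEDPORT ports per record. */
    if (parsed[0] > MAXNUM_SCANNEDPORT)
        parsed[0] = MAXNUM_SCANNEDPORT;

    result->port_num = (int)parsed[0];
    result->period = (int)parsed[1];
    return 0;
}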
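/**
 * Push a record onto the front of the global tracking list.
 *
 * The record's next pointer is always overwritten, so the list stays
 * NULL-terminated even when the caller did not zero the record first. The
 * original left next untouched when the list was empty.
 *
 * @param phost record to link in; ownership passes to the list. NULL is ignored.
 */
void add_host(DetectedHost* phost){
    if (phost == NULL)
        return;

    /* Works for the empty list too: the head is NULL there. */
    phost->next = pHostlistHeader;
    pHostlistHeader = phost;
}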
/**
 * Print one alert line for a tracked record on stdout, in the form
 * "<prefix><src> ==> <dest>" with dotted-decimal addresses. The literal
 * prefix reads "scan attack detected:".
 *
 * The line carries no timestamp and no port list. The source shown is
 * whatever address is stored in the record.
 *
 * @param p record to report; must not be NULL
 */
void output_alert(DetectedHost *p)
{
    const u_char *src = p->src_ip;
    const u_char *dst = p->dest_ip;

    printf("发现扫描攻击:");
    printf("%d.%d.%d.%d ==> ", src[0], src[1], src[2], src[3]);
    printf("%d.%d.%d.%d\n", dst[0], dst[1], dst[2], dst[3]);
}
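/**
 * Age one tracked record against a newly seen SYN and, when the destination
 * address matches, fold the new port into it.
 *
 * Every slot whose timestamp is more than para.period seconds older than the
 * new packet is cleared. If the destinations match, the new port either
 * refreshes its existing slot or takes a free one, and *foundflag is set.
 *
 * Fixes relative to the original:
 *  - the destination comparison uses memcmp() instead of reading the
 *    u_char[4] arrays through int pointers (aliasing/alignment hazard);
 *  - a newly stored port is included in the returned count, so the threshold
 *    is reached on the packet that fills it, and a record that just received
 *    a port no longer reports 0 and gets dropped by the caller;
 *  - port value 0 is the empty-slot marker, so a packet whose port is 0 no
 *    longer "matches" every empty slot and inflates the count.
 *
 * NOTE(review): records are matched on dest_ip alone, so SYNs from different
 * sources to one destination accumulate in the same record and the alert
 * names the source stored when the record was created. Confirm this is the
 * intended detection model.
 *
 * @param orignalhostinfo record from the tracking list (modified in place)
 * @param newhostinfo     record describing the new packet; slot 0 is used
 * @param foundflag       set to 1 when the destinations match; may be NULL
 * @return number of occupied slots in orignalhostinfo after the update;
 *         0 when either record pointer is NULL
 */
int updatehostinfo(DetectedHost *orignalhostinfo,DetectedHost *newhostinfo, int *foundflag)
{
    int index;
    int found_index = -1;
    int empty_index = -1;
    int valid_num = 0;
    int same_dest;
    u_short new_port;
    time_t new_time;

    if (orignalhostinfo == NULL || newhostinfo == NULL)
        return 0;

    new_port = newhostinfo->port_list[0];
    new_time = newhostinfo->time_list[0];
    same_dest = memcmp(orignalhostinfo->dest_ip, newhostinfo->dest_ip,
                       sizeof orignalhostinfo->dest_ip) == 0;

    for (index = 0; index < MAXNUM_SCANNEDPORT; index++) {
        u_short *slot_port = &orignalhostinfo->port_list[index];

        /* A matching live slot is refreshed below rather than aged out. */
        if (same_dest && *slot_port != 0 && *slot_port == new_port) {
            found_index = index;
            valid_num++;
            continue;
        }

        /* Expire entries that fell out of the detection window. */
        if (new_time - orignalhostinfo->time_list[index] > para.period)
            *slot_port = 0;

        if (*slot_port == 0)
            empty_index = index;
        else
            valid_num++;
    }

    if (!same_dest)
        return valid_num;

    if (found_index >= 0) {
        orignalhostinfo->time_list[found_index] = new_time;
    } else if (empty_index >= 0 && new_port != 0) {
        orignalhostinfo->time_list[empty_index] = new_time;
        orignalhostinfo->port_list[empty_index] = new_port;
        valid_num++; /* the slot just filled is occupied too */
    }

    if (foundflag != NULL)
        *foundflag = 1;
    return valid_num;
}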
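/* delete_host() is defined after this function; declare it before first use. */
int delete_host(DetectedHost *phost);

/**
 * libpcap per-packet handler: track TCP connection requests (SYN set, ACK
 * clear) and raise an alert when a tracked record reaches para.port_num
 * distinct ports.
 *
 * Header fields are read by byte offset from the captured data instead of
 * through the IPHEADER/TCPHEADER overlays. This avoids misaligned accesses
 * and any dependence on bit-field layout.
 *
 * Fixes relative to the original:
 *  - lengths are checked against caplen (bytes actually captured) and cover
 *    the whole header being read; the original compared the on-wire len with
 *    14 and 34, so short or truncated frames were read past the buffer end;
 *  - the TCP header is located using the IP header-length field, so packets
 *    carrying IP options are parsed at the right offset;
 *  - non-first IP fragments, which carry no TCP header, are skipped;
 *  - addresses are copied with memcpy(); strncpy() stops at a zero octet, so
 *    an address such as 10.0.0.1 was stored as 10.0.0.0;
 *  - the allocation result is checked.
 *
 * NOTE(review): a 14-byte Ethernet header with no VLAN tag is assumed. The
 * link type is not verifiable from inside the callback, so the capture setup
 * must guarantee it.
 * NOTE(review): each SYN to a new destination allocates a record that lives
 * until its slots expire. Nothing here caps the list length.
 *
 * @param user     unused (the capture loop passes NULL)
 * @param header   libpcap packet metadata
 * @param pkt_data captured bytes, header->caplen of them
 */
void pcap_callback(u_char *user,const struct pcap_pkthdr *header,const u_char *pkt_data)
{
    enum {
        PKT_LINK_LEN       = 14,   /* Ethernet header */
        PKT_IP_MIN_LEN     = 20,   /* IPv4 header without options */
        PKT_IP_OFF_FRAG    = 6,    /* flags + fragment offset (2 bytes) */
        PKT_IP_OFF_PROTO   = 9,
        PKT_IP_OFF_SRC     = 12,
        PKT_IP_OFF_DST     = 16,
        PKT_IP_PROTO_TCP   = 6,
        PKT_TCP_MIN_LEN    = 20,   /* TCP header without options */
        PKT_TCP_OFF_DPORT  = 2,
        PKT_TCP_OFF_FLAGS  = 13,
        PKT_TCP_SYN        = 0x02,
        PKT_TCP_ACK        = 0x10
    };
    int existflag = 0;
    size_t captured;
    size_t ip_hdr_len;
    size_t tcp_offset;
    unsigned frag_offset;
    const u_char *ip_bytes;
    const u_char *tcp_bytes;
    struct timeval current_tv;
    time_t current_time;
    DetectedHost *phost;
    DetectedHost *p;

    (void)user;

    if (header == NULL || pkt_data == NULL)
        return;

    /* caplen, not len: only caplen bytes are present in pkt_data. */
    captured = header->caplen;
    if (captured < (size_t)PKT_LINK_LEN + PKT_IP_MIN_LEN)
        return;

    ip_bytes = pkt_data + PKT_LINK_LEN;
    if ((ip_bytes[0] >> 4) != 4)
        return;
    ip_hdr_len = (size_t)(ip_bytes[0] & 0x0f) * 4;
    if (ip_hdr_len < PKT_IP_MIN_LEN)
        return;
    if (ip_bytes[PKT_IP_OFF_PROTO] != PKT_IP_PROTO_TCP)
        return;

    /* Only the first fragment carries the TCP header. */
    frag_offset = ((unsigned)(ip_bytes[PKT_IP_OFF_FRAG] & 0x1f) << 8)
                  | ip_bytes[PKT_IP_OFF_FRAG + 1];
    if (frag_offset != 0)
        return;

    tcp_offset = PKT_LINK_LEN + ip_hdr_len;
    if (captured < tcp_offset + PKT_TCP_MIN_LEN)
        return;
    tcp_bytes = pkt_data + tcp_offset;

    /* Keep connection requests only: SYN set and ACK clear. */
    if ((tcp_bytes[PKT_TCP_OFF_FLAGS] & PKT_TCP_SYN) == 0 ||
        (tcp_bytes[PKT_TCP_OFF_FLAGS] & PKT_TCP_ACK) != 0)
        return;

    gettimeofday(&current_tv, NULL);
    current_time = current_tv.tv_sec;

    phost = calloc(1, sizeof *phost);
    if (phost == NULL)
        return; /* out of memory: this packet goes untracked */

    /* Addresses are raw bytes and may contain zero octets. */
    memcpy(phost->src_ip, ip_bytes + PKT_IP_OFF_SRC, sizeof phost->src_ip);
    memcpy(phost->dest_ip, ip_bytes + PKT_IP_OFF_DST, sizeof phost->dest_ip);
    /* The port keeps the byte order it has in the packet, as before. */
    memcpy(&phost->port_list[0], tcp_bytes + PKT_TCP_OFF_DPORT,
           sizeof phost->port_list[0]);
    phost->time_list[0] = current_time;

    p = pHostlistHeader;
    while (p != NULL) {
        int validnum_scanedport = updatehostinfo(p, phost, &existflag);
        DetectedHost *tmphost = NULL;

        if (validnum_scanedport == 0) {
            tmphost = p; /* nothing left in the window: drop the record */
        } else if (validnum_scanedport >= para.port_num) {
            tmphost = p; /* threshold reached: report, then drop */
            output_alert(p);
        }

        /* Advance before deleting so the freed node is never dereferenced. */
        p = p->next;
        if (tmphost != NULL)
            delete_host(tmphost);
    }

    if (existflag == 0)
        add_host(phost);
    else
        free(phost);
}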
/**
 * Unlink a record from the global tracking list and free it.
 *
 * @param phost record to remove; NULL is accepted
 * @return 1 when the record was found and freed, 0 when phost is NULL, the
 *         list is empty, or the record is not on the list
 */
int delete_host(DetectedHost *phost)
{
    DetectedHost **link;

    if (phost == NULL)
        return 0;

    /* Walk the links rather than the nodes so the head needs no special case. */
    for (link = &pHostlistHeader; *link != NULL; link = &(*link)->next) {
        if (*link != phost)
            continue;
        *link = phost->next;
        free(phost);
        return 1;
    }
    return 0;
}
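/**
 * Entry point: parse the threshold and period, open the default capture
 * device in promiscuous mode, install an "ip and tcp" filter and hand every
 * packet to pcap_callback until the capture loop ends.
 *
 * Fixes relative to the original:
 *  - every failure path reports what failed on stderr and exits with a
 *    failure status (the original exited silently with status 0);
 *  - the link type is checked, because pcap_callback assumes a 14-byte
 *    Ethernet header in front of the IP header;
 *  - the compiled filter and the capture handle are released.
 *
 * NOTE(review): pcap_lookupdev() is deprecated in newer libpcap releases in
 * favour of pcap_findalldevs(). It is kept here so device selection is
 * unchanged.
 */
int main(int argc,char *argv[])
{
    char *device;
    char errbuf[PCAP_ERRBUF_SIZE];
    pcap_t *phandle;
    bpf_u_int32 ipaddress, ipmask;
    struct bpf_program fcode;
    int loop_rc;

    pHostlistHeader = NULL;
    errbuf[0] = '\0';

    if (parse_detect_para(argc, argv, &para)) { /* parse the arguments */
        printf("Usage %s : the amount of scanned ports, detect_period\n",argv[0]);
        exit(EXIT_FAILURE);
    }

    /* Pick the default capture device. */
    device = pcap_lookupdev(errbuf);
    if (device == NULL) {
        fprintf(stderr, "pcap_lookupdev: %s\n", errbuf);
        exit(EXIT_FAILURE);
    }

    /* Network number and mask; the mask is passed to the filter compiler. */
    if (pcap_lookupnet(device, &ipaddress, &ipmask, errbuf) == -1) {
        fprintf(stderr, "pcap_lookupnet(%s): %s\n", device, errbuf);
        exit(EXIT_FAILURE);
    }

    /* 200-byte snapshot, promiscuous mode, 500 ms read timeout. */
    phandle = pcap_open_live(device, 200, 1, 500, errbuf);
    if (phandle == NULL) {
        fprintf(stderr, "pcap_open_live(%s): %s\n", device, errbuf);
        exit(EXIT_FAILURE);
    }

    /* The packet handler parses fixed Ethernet framing only. */
    if (pcap_datalink(phandle) != DLT_EN10MB) {
        fprintf(stderr, "%s: unsupported link type, Ethernet required\n", device);
        pcap_close(phandle);
        exit(EXIT_FAILURE);
    }

    /* Filter: capture IPv4 TCP packets only. */
    if (pcap_compile(phandle, &fcode, "ip and tcp", 0, ipmask) == -1) {
        fprintf(stderr, "pcap_compile: %s\n", pcap_geterr(phandle));
        pcap_close(phandle);
        exit(EXIT_FAILURE);
    }
    if (pcap_setfilter(phandle, &fcode) == -1) {
        fprintf(stderr, "pcap_setfilter: %s\n", pcap_geterr(phandle));
        pcap_freecode(&fcode);
        pcap_close(phandle);
        exit(EXIT_FAILURE);
    }
    pcap_freecode(&fcode); /* the installed filter no longer needs the program */

    printf("开始检测端口扫描.....\n"); /* announces that detection is starting */

    /* Runs until an error occurs or the loop is broken. */
    loop_rc = pcap_loop(phandle, -1, pcap_callback, NULL);
    if (loop_rc == -1)
        fprintf(stderr, "pcap_loop: %s\n", pcap_geterr(phandle));

    pcap_close(phandle);
    return loop_rc == -1 ? EXIT_FAILURE : EXIT_SUCCESS;
}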