예제 #1
 * Function: ftp_bounce_lookup_add(BOUNCE_LOOKUP *BounceLookup,
 *                                 char *ip, int len,
 *                                 FTP_BOUNCE_TO *BounceTo)
 * Purpose: Add a bounce configuration to the list.  IP is stored
 *          in dot notation order.  When the lookup happens, we
 *          compare up to len bytes of the address.
 * Arguments: BounceLookup => a pointer to the lookup structure
 *            IP           => the ftp bounce address
 *            BounceTo     => a pointer to the bounce configuration structure
 * Returns: int => return code indicating error or success
int ftp_bounce_lookup_add(BOUNCE_LOOKUP *BounceLookup,
		snort_ip_p Ip, FTP_BOUNCE_TO *BounceTo)
    int iRet;

    if(!BounceLookup || !BounceTo)
        return FTPP_INVALID_ARG;

    iRet = KMapAdd(BounceLookup, (void*)IP_PTR(Ip), IP_SIZE(Ip), (void*)BounceTo);

    if (iRet)
         * This means the key has already been added.
        if(iRet == 1)
            return FTPP_NONFATAL_ERR;
            return FTPP_MEM_ALLOC_FAIL;

    return FTPP_SUCCESS;
예제 #2
 * Function: ftp_bounce_lookup_find(BOUNCE_LOOKUP *BounceLookup,
 *                                  snort_ip_p ip, int *iError)
 * Purpose: Find a bounce configuration given a IP.
 *          We look up a bounce configuration given an IP and
 *          return a pointer to that bounce configuration if found.
 * Arguments: BounceLookup => a pointer to the lookup structure
 *            IP           => the ftp bounce address
 *            iError       => a pointer to an error code
 * Returns: int => return code indicating error or success
 * Returns: FTP_BOUNCE_TO* => Pointer to bounce configuration structure
 *                            matching IP if found, NULL otherwise.
FTP_BOUNCE_TO  *ftp_bounce_lookup_find(
        BOUNCE_LOOKUP *BounceLookup, snort_ip_p Ip, int *iError )
    FTP_BOUNCE_TO *BounceTo = NULL;

        return NULL;

        *iError = FTPP_INVALID_ARG;
        return NULL;

    *iError = FTPP_SUCCESS;

    BounceTo = (FTP_BOUNCE_TO *)KMapFind(BounceLookup, (void*)IP_PTR(Ip), IP_SIZE(Ip));
    if (!BounceTo)
        *iError = FTPP_NOT_FOUND;

    return BounceTo;
예제 #3
void ICMPSniffer::run()
    char dev[DEV_MAX] ;			/* set device name */
    char errbuf[PCAP_ERRBUF_SIZE];		/* error buffer */
    /* find a capture device if not specified by dev */
    //dev = pcap_lookupdev(errbuf);
    if (dev == NULL)

    /* get network number and mask associated with capture device */
    bpf_u_int32 mask;			/* subnet mask */
    bpf_u_int32 net;			/* ip */
    if (pcap_lookupnet(dev, &net, &mask, errbuf) == -1)

    /* open capture device */
    pcap_t *handle;				/* packet capture handle */
    handle = pcap_open_live(dev, SNAP_LEN, 0, 1000, errbuf); // needn't to be promiscuous
    if (handle == NULL)

    /* make sure we're capturing on an Ethernet device [2] */
    if (pcap_datalink(handle) != DLT_EN10MB)

    /* compile the filter expression */
    struct bpf_program fp;			/* compiled filter program (expression) */
    char filter_exp[] = "icmp";
    if (pcap_compile(handle, &fp, filter_exp, 0, net) == -1)

    /* apply the compiled filter */
    if (pcap_setfilter(handle, &fp) == -1)

    /* now we can start capturing packets */
    struct pcap_pkthdr header;	/* The header that pcap gives us */
    //const struct libnet_ethernet_hdr *ethernet; /* The ethernet header */
    const struct libnet_ipv4_hdr *ip; /* The IP header */
    const struct libnet_icmpv4_hdr *icmp; /* The ICMP header */
    const u_char *packet;   // the actual packet we picked
    u_int size_ip;
        packet = pcap_next(handle,&header);
        if( NULL==packet )
        //ethernet = (struct libnet_ethernet_hdr*)(packet);
        ip = (struct libnet_ipv4_hdr*)(packet + LIBNET_ETH_H);
        size_ip = IP_SIZE(ip);
        icmp = (struct libnet_icmpv4_hdr*)(packet + LIBNET_ETH_H + size_ip);
        unsigned int ipSource = ip->ip_src.s_addr;
        //unsigned short ipID = ntohs(ip->ip_id);
        unsigned short icmpID = ntohs(icmp->hun.echo.id);
        // check whether the packet is corresponding to our sender
        QList<IPID_Info>::iterator start=m_info.begin(), last=m_info.end();
            // check if the response is corresponding to my ping
            if((*start).ip==ipSource && //(*start).IPid==ipID && //!!!!!!!!!!!!! sina don't reply the same!
                emit pingFounded(ipSource,0,PROTOCOL_ICMP);
                m_info.erase(start);    // to avoid the duplicate table row same icmp response

    /* cleanup */
