int main(int argc, char **argv) { char *buffer; char *string = STRING_TO_SEARCH; int length = strlen(string); __u32 *skip_table; __u32 *shift_table; if((sock = socket(PF_PACKET,SOCK_RAW,htons(ETH_P_ALL))) < 0) { perror("socket"); exit(1); } atexit(terminate); skip_table = make_skip(string,length); shift_table = make_shift(string,length); printf("Search string = %s\n",string); init(); signal(SIGINT,handler); #ifdef SLEEP signal(SIGALRM,handler); alarm(SLEEP_TIME); #endif buffer = alloca(rbuf_size); while(1) { int n; if((n = recvfrom(sock,buffer,rbuf_size,MSG_TRUNC,NULL,NULL)) < 0) { perror("recvfrom"); exit(1); } if(search_substring(buffer,n,string,length,skip_table,shift_table)) { counter++; } } return 0; }
static int strsearch_init(mapidflib_function_instance_t *instance, MAPI_UNUSED int fd) //Initializes the function { char *str, *strbak; int off, dpth; unsigned char *tmpstr, *tstrbak; unsigned char *ret; // holds the final parsed string int len=0; // length of the final parsed string unsigned short pattern_ctr = 0; char hexpair[3]; mapiFunctArg* fargs; struct mapid_strsearch_pattern *pattern = NULL; struct mapid_strsearch_pattern *lastptrn, *tmpptrn = NULL; fargs=instance->args; str = getargstr(&fargs); off = getargint(&fargs); dpth = getargint(&fargs); /* parse pattern * * Non printable characters or general binary content can be specified by * using pipes enclosing the binary data which are represented in hex * values for each byte. For example, 'abcd' is the same as '|61 62 63 * 64|' or 'ab|63 64|' or '|61|b|6364|. If the pipe character needs to be * searched, it should be preceeded by a '\'. */ strbak = str; // backup pointer tstrbak = tmpstr = (unsigned char *)malloc(strlen(str)*sizeof(char)); ret=tmpstr; hexpair[2]='\0'; while(*str!='\0') { // Two pipes "||" separates two match strings. // A||B will match both a packet with either A or B in it. if (*str == '|' && *(str+1) == '|') // Should be safe since last char will be '\0' { if (!isEscaped(str)) { len=tmpstr-ret; if (len <= 0) { // Empty OR node, skip str += 2; continue; } if((dpth > 0) && (dpth < len)) { DEBUG_CMD(Debug_Message("The depth (%d) is less than the size of the pattern (%d)", dpth, len)); return MDLIB_STRSEARCH_DEPTH_LESS_THAN_PTRN_ERR; } tmpptrn = malloc(sizeof(struct mapid_strsearch_pattern)); tmpptrn->str = (unsigned char *)malloc(len * sizeof(char)); tmpptrn->slen = len; tmpptrn->offset = off; tmpptrn->depth = dpth; memcpy(tmpptrn->str, ret, len); //compute Boyer-Moore's shift and skip tables tmpptrn->shift = make_shift((char *)ret, len); tmpptrn->skip = make_skip((char *)ret, len); tmpptrn->next = NULL; if (pattern == NULL) { pattern = tmpptrn; lastptrn = tmpptrn; } else { lastptrn->next = tmpptrn; lastptrn = tmpptrn; } tmpptrn = NULL; ret = tmpstr; pattern_ctr++; } else { *tmpstr=*str; tmpstr++; } str++; } // '|' means that hex mode begins unless it is escaped \| // every hex number consists of two characters ,e.g A is written as 0A else if(*str=='|') { if(!isEscaped(str)) { int hexcount=0; str++; //parse until closing '|' while(*str!='|') { if(*str=='\0') { return MDLIB_STRSEARCH_UNTERMINATED_PIPE_ERR; } // |AC DE| => ignore white spaces between hex numbers if(*str==' ') { str++; continue; } //convert hex to character hexpair[hexcount++]=*str; if(hexcount==2) { hexcount=0; sscanf(hexpair,"%x",(int *)tmpstr); tmpstr++; } str++; } } else { *tmpstr=*str; tmpstr++; } } // special case for escape character '\\' else if(*str=='\\') { if(isEscaped(str)) { *tmpstr=*str; tmpstr++; } } else { *tmpstr=*str; tmpstr++; } str++; } len=tmpstr-ret; /* end of pattern parsing */ /* Arne: Will fix it later funct = fhlp_get_first(); while (funct) { if(strcmp(funct->name,"STR_SEARCH")==0) if(funct->internal_data) if(memcmp(((struct mapid_strsearch *)funct->internal_data)->str, ret, ((struct mapid_strsearch *)funct->internal_data)->slen) == 0) if(((struct mapid_strsearch *)funct->internal_data)->offset == off && ((struct mapid_strsearch *)funct->internal_data)->depth == dpth){ instance->internal_data = funct->internal_data; printf("added optimised string search: %s offset: %d depth: %d\n",strbak, off, dpth); return 0; } funct = funct->next; } */ if((dpth > 0) && (dpth < len)) { DEBUG_CMD(Debug_Message("The depth (%d) is less than the size of the pattern (%d)", dpth, len)); return MDLIB_STRSEARCH_DEPTH_LESS_THAN_PTRN_ERR; } if (len > 0) { tmpptrn = malloc(sizeof(struct mapid_strsearch_pattern)); tmpptrn->str = (unsigned char *)malloc(len * sizeof(char)); tmpptrn->slen = len; tmpptrn->offset = off; tmpptrn->depth = dpth; memcpy(tmpptrn->str, ret, len); //compute Boyer-Moore's shift and skip tables tmpptrn->shift = make_shift((char *)ret, len); tmpptrn->skip = make_skip((char *)ret, len); tmpptrn->next = NULL; if (pattern == NULL) pattern = tmpptrn; else lastptrn->next = tmpptrn; pattern_ctr++; } if (pattern == NULL) { // Invalid search term return MDLIB_STRSEARCH_NOT_A_VALID_SEARCH_STRING; } instance->internal_data = malloc(sizeof(struct mapid_strsearch)); /* ((struct mapid_strsearch *)instance->internal_data)->str = (unsigned char *)malloc(len * sizeof(char)); ((struct mapid_strsearch *)instance->internal_data)->slen = len; ((struct mapid_strsearch *)instance->internal_data)->offset = off; ((struct mapid_strsearch *)instance->internal_data)->depth = dpth; memcpy(((struct mapid_strsearch *)instance->internal_data)->str, ret, len); //compute Boyer-Moore's shift and skip tables ((struct mapid_strsearch *)instance->internal_data)->shift = make_shift((char *)ret, len); ((struct mapid_strsearch *)instance->internal_data)->skip = make_skip((char *)ret, len); */ ((struct mapid_strsearch *)instance->internal_data)->pattern = pattern; ((struct mapid_strsearch *)instance->internal_data)->num_patterns = pattern_ctr; ((struct mapid_strsearch *)instance->internal_data)->currentIteration = 0; DEBUG_CMD(Debug_Message("added string search: %s offset: %d depth: %d nodes: %u", strbak, off, dpth, pattern_ctr)); free(tstrbak); return 0; }