#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <arpa/inet.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#include "nids.h"
#include <string>
#include <queue>
#include <map>
#include "../common/packet_dump.h"
#include "../common/packet_functions.h"
#include "../common/packet_types.h"
#include "../common/PyRep.h"
#include "../common/EVEUnmarshal.h"
#include "../common/PyPacket.h"
#include "../common/PyVisitor.h"
#include "../common/logsys.h"
#include "../common/StreamPacketizer.h"
#include "../common/CachedObjectMgr.h"
#include "../common/PyXMLGenerator.h"
#include "../common/PyDumpVisitor.h"
#include "../common/PyLookupDump.h"
#include "EVECollectDisp.h"
#include "../packets/General.h"

Include dependency graph for EVEnids.cpp:

Macros
#define	int_ntoa(x) inet_ntoa(((struct in_addr )&x))

Functions
char *	adres (struct tuple4 addr)

void	ProcessCallRequest (PyPacket *packet)

void	tcp_callback (struct tcp_stream a_tcp, void *this_time_not_needed)

int	EVE_NIDS_main (EVECollectDispatcher disp, int argc, char argv[])

Variables
static EVECollectDispatcher *	CollectDispatcher = NULL

StreamPacketizer	clientPacketizer

StreamPacketizer	serverPacketizer

Macro Definition Documentation

#define int_ntoa ( x ) inet_ntoa(*((struct in_addr *)&x))

Definition at line 61 of file EVEnids.cpp.

Referenced by adres().

Function Documentation

char* adres ( struct tuple4 addr )

Definition at line 67 of file EVEnids.cpp.

References int_ntoa, and sprintf().

Referenced by tcp_callback().

 {
   static char buf[256];
   strcpy (buf, int_ntoa (addr.saddr));
   sprintf (buf + strlen (buf), ",%i,", addr.source);
   strcat (buf, int_ntoa (addr.daddr));
   sprintf (buf + strlen (buf), ",%i", addr.dest);
   return buf;
 }

Here is the call graph for this function:

Here is the caller graph for this function:

int EVE_NIDS_main	(	EVECollectDispatcher *	disp,
		int	argc,
		char *	argv[]
	)

Definition at line 196 of file EVEnids.cpp.

References strdup, and tcp_callback().

Referenced by main().

                                                                       {
     if(disp == NULL) {
         fprintf(stderr,"NULL dispatcher provided to NIDS, not running\n",nids_errbuf);
         return(1);
     }
     CollectDispatcher = disp;
 
     // here we can alter libnids params, for instance:
     // nids_params.n_hosts=256;
     if(argc == 2)
         nids_params.filename = strdup(argv[1]);
     if(argc == 3)    //hack
         nids_params.device = strdup(argv[2]);
     if (!nids_init ()) {
         fprintf(stderr,"%s\n",nids_errbuf);
         return(1);
     }
 
     nids_register_tcp ((void *) tcp_callback);
     printf("Starting NIDS loop...\n");
     nids_run ();
     return(0);
 }

Here is the call graph for this function:

Here is the caller graph for this function:

void ProcessCallRequest ( PyPacket * packet )

Definition at line 77 of file EVEnids.cpp.

                                           {
 
 }

void tcp_callback	(	struct tcp_stream *	a_tcp,
		void **	this_time_not_needed
	)

Definition at line 88 of file EVEnids.cpp.

References _hex, _log, adres(), clientPacketizer, PyPacket::Decode(), EVEPacketDispatcher::DispatchPacket(), PyPacket::Dump(), is_log_enabled, EVECollectDispatcher::lookResolver, PyPacket::payload, StreamPacketizer::PopPacket(), serverPacketizer, PyRep::visit(), and PyTuple::visit().

Referenced by EVE_NIDS_main().

                                                                            {
     char buf[1024];
     strcpy (buf, adres (a_tcp->addr)); // we put conn params into buf
 
     if (a_tcp->nids_state == NIDS_JUST_EST) {
 
         //see if this is a stream we care about...
         if(a_tcp->addr.source != 26000 && a_tcp->addr.dest != 26000 &&
            a_tcp->addr.source != 26001 && a_tcp->addr.dest != 26001)
             return;
 
         a_tcp->client.collect++; // we want data received by a client
         a_tcp->server.collect++; // and by a server, too
         _log(COLLECT__TCP, "%s established", buf);
         return;
     }
     if (a_tcp->nids_state == NIDS_CLOSE) {
         // connection has been closed normally
         _log(COLLECT__TCP, "%s closing", buf);
         return;
     }
     if (a_tcp->nids_state == NIDS_RESET) {
         // connection has been closed by RST
         _log(COLLECT__TCP, "%s reset", buf);
         return;
     }
 
     if (a_tcp->nids_state == NIDS_DATA) {
         // new data has arrived; gotta determine in what direction
         // and if it's urgent or not
 
         struct half_stream *hlf;
         StreamPacketizer *sp;
 
         if (a_tcp->client.count_new) {
             // new data for client
             hlf = &a_tcp->client; // from now on, we will deal with hlf var,
             // which will point to client side of conn
             sp = &clientPacketizer;
             strcat (buf, "(<-)"); // symbolic direction of data
         } else {
             sp = &serverPacketizer;
             hlf = &a_tcp->server; // analogical
             strcat (buf, "(->)");
         }
 
         _log(COLLECT__TCP, "Data %s (len %d)", buf, hlf->count_new); // we print the connection parameters
                                   // (saddr, daddr, sport, dport) accompanied
                                   // by data flow direction (-> or <-)
 
         sp->InputBytes((const byte *) hlf->data, hlf->count_new);
 
         StreamPacketizer::Packet *p;
         while((p = sp->PopPacket()) != NULL) {
             //const PacketHeader *head = (const PacketHeader *) p->data;
 
             uint32 body_len = p->length;
             const byte *body = p->data;
 
             _log(COLLECT__RAW_HEX, "Raw Hex Dump of len %d:", body_len);
             _hex(COLLECT__RAW_HEX, body, body_len);
 
             PyRep *rep = InflateAndUnmarshal(body, body_len);
             if(rep == NULL) {
                 printf("Failed to inflate or unmarshal!");
                 delete p;
                 continue;
             }
 
             if(is_log_enabled(COLLECT__PYREP_DUMP)) {
                 //decode substreams to facilitate dumping better:
                 SubStreamDecoder v;
                 rep->visit(&v);
                 //TODO: make dump use logsys.
                 _log(COLLECT__PYREP_DUMP, "Unmarshaled PyRep:");
                 PyLookupDump dumper(&CollectDispatcher->lookResolver, COLLECT__PYREP_DUMP);
                 rep->visit(&dumper);
             }
 
             PyPacket *packet = new PyPacket;
             if(!packet->Decode(rep)) {
                 _log(COLLECT__ERROR, "Failed to decode packet rep");
             } else {
                 if(is_log_enabled(COLLECT__PACKET_DUMP)) {
                     //decode substreams to facilitate dumping better:
                     SubStreamDecoder v;
                     packet->payload->visit(&v);
 
                     //TODO: make dump use logsys.
                     _log(COLLECT__PACKET_DUMP, "Decoded message:");
                     PyLookupDump dumper(&CollectDispatcher->lookResolver, COLLECT__PACKET_DUMP);
                     packet->Dump(COLLECT__PACKET_DUMP, &dumper);
 
 
                     printf("\n\n");
                 }
                 fflush(stdout);
 
                 CollectDispatcher->DispatchPacket(&packet);
             }
             delete packet;
 
             delete p;
         } //end "while pop packet"
     }
     return ;
 }

Here is the call graph for this function:

Here is the caller graph for this function:

Variable Documentation

StreamPacketizer clientPacketizer

Definition at line 86 of file EVEnids.cpp.

Referenced by tcp_callback().

EVECollectDispatcher* CollectDispatcher = NULL

static

Definition at line 82 of file EVEnids.cpp.

StreamPacketizer serverPacketizer

Definition at line 87 of file EVEnids.cpp.

Referenced by tcp_callback().

Macros

Functions

Variables

Macro Definition Documentation

Function Documentation

Variable Documentation