过滤的一个例子

/* Make this translation unit build as kernel-side, loadable-module code even
 * when the compiler command line does not define these itself (2.4-era
 * Makefiles frequently left that to the source file). */
#if !defined(__KERNEL__)
#define __KERNEL__
#endif

#if !defined(MODULE)
#define MODULE
#endif

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/types.h>
#include <linux/netdevice.h>
#include <linux/skbuff.h>
#include <linux/netfilter_ipv4.h>
#include <linux/inet.h>
#include <linux/in.h>
#include <linux/ip.h>
#include <linux/netlink.h>
#include <linux/spinlock.h>
#include <asm/semaphore.h>
#include <net/sock.h>
#include <linux/config.h>
#include <linux/udp.h>
/*
 * ALERT() - printk() wrapper that prefixes every IDS message with "nsfocus: "
 * so the module's output can be picked out of the console stream and the
 * syslog file klogd writes to (e.g. /var/log/messages).  No KERN_* level is
 * supplied, so the kernel's default console level applies.  Arguments are
 * exactly as for printk(); the ##__VA_ARGS__ form (a GCC extension, like the
 * args... form) drops the trailing comma when only a format string is given.
 */
#define ALERT(fmt, ...) printk("nsfocus: " fmt, ##__VA_ARGS__)

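/*
 * sample - netfilter PRE_ROUTING hook that inspects each incoming IPv4 packet
 * and logs a handful of well-known malformed-packet and port-scan signatures.
 *
 * This is a passive IDS hook: every path returns NF_ACCEPT, so it only reports
 * and never blocks (return NF_DROP instead where a verdict should be enforced).
 * When PRE_ROUTING runs, ip_rcv() has already validated the IP header (length,
 * version, checksum) and, per the original author's note, fragments have been
 * reassembled when connection tracking is loaded, so iph itself is safe to
 * read.  The transport header is NOT guaranteed to be present in the linear
 * area, so each TCP/UDP branch checks that it fits before dereferencing it.
 *
 * @hooknum: hook point this callback was registered on (unused)
 * @skb:     pointer to the skb pointer (2.4-era hook signature)
 * @in:      ingress device (unused)
 * @out:     egress device, not known yet at PRE_ROUTING (unused)
 * @okfn:    continuation the core calls on NF_ACCEPT (unused)
 *
 * Return: NF_ACCEPT, unconditionally.
 */
static unsigned int sample(unsigned int hooknum, struct sk_buff **skb,
			   const struct net_device *in,
			   const struct net_device *out,
			   int (*okfn)(struct sk_buff *))
{
	struct iphdr *iph = (*skb)->nh.iph;
	/* Addresses stay in network byte order: NIPQUAD() prints the bytes in
	 * place and the equality tests below are byte-order independent. */
	__u32 sip = iph->saddr;
	__u32 dip = iph->daddr;
	/* ihl counts 32-bit words; hdr_len is the transport header's byte offset. */
	unsigned int hdr_len = iph->ihl * 4;
	/* Bytes readable through the linear data pointer; paged data is not. */
	unsigned int linear_len = skb_headlen(*skb);

	if (iph->ihl != 5) {
		/* ip_rcv() already dropped ihl < 5, so this means IP options
		 * are present; worth a note, not a reason to stop parsing. */
		ALERT("IP packet with options from %d.%d.%d.%d to %d.%d.%d.%d\n",
		      NIPQUAD(sip), NIPQUAD(dip));
	}

	switch (iph->protocol) {
	case IPPROTO_TCP: {
		struct tcphdr *tcph;
		__u16 sport, dport;

		/* A packet whose linear area ends before the fixed TCP header
		 * must not be parsed: the flag reads below would run past the
		 * end of the buffer. */
		if (linear_len < hdr_len + sizeof(struct tcphdr)) {
			ALERT("truncated TCP header from %d.%d.%d.%d to %d.%d.%d.%d\n",
			      NIPQUAD(sip), NIPQUAD(dip));
			break;
		}
		tcph = (struct tcphdr *)((unsigned char *)iph + hdr_len);
		sport = tcph->source;
		dport = tcph->dest;

		/* Per-packet logging is itself a log-flooding vector, so it is
		 * rate limited; the ALERT()s below fire only on suspect packets. */
		if (net_ratelimit()) {
			printk("IP packet from %d.%d.%d.%d to %d.%d.%d.%d\n",
			       NIPQUAD(sip), NIPQUAD(dip));
		}

		/* LAND: SYN whose source address/port equal its destination. */
		if (tcph->syn && sport == dport && sip == dip) {
			ALERT("maybe land attack\n");
		}
		/* WinNuke: urgent (out-of-band) data aimed at NetBIOS port 139. */
		if (ntohs(tcph->dest) == 139 && tcph->urg) {
			ALERT("maybe winnuke a from %d.%d.%d.%d to %d.%d.%d.%d\n",
			      NIPQUAD(sip), NIPQUAD(dip));
		}
		/* queso-style fingerprinting probe: both ECN bits set. */
		if (tcph->ece && tcph->cwr) {
			ALERT("queso from %d.%d.%d.%d to %d.%d.%d.%d\n",
			      NIPQUAD(sip), NIPQUAD(dip));
		}
		/* SYN+FIN and nothing else: an illegal combination. */
		if (tcph->fin && tcph->syn && !tcph->rst && !tcph->psh &&
		    !tcph->ack && !tcph->urg) {
			ALERT("SF_scan from %d.%d.%d.%d to %d.%d.%d.%d\n",
			      NIPQUAD(sip), NIPQUAD(dip));
		}
		/* NULL scan: none of the six flags set. */
		if (!tcph->fin && !tcph->syn && !tcph->rst && !tcph->psh &&
		    !tcph->ack && !tcph->urg) {
			ALERT("NULL_scan from %d.%d.%d.%d to %d.%d.%d.%d\n",
			      NIPQUAD(sip), NIPQUAD(dip));
		}
		/* Full Xmas: all six flags set. */
		if (tcph->fin && tcph->syn && tcph->rst && tcph->psh &&
		    tcph->ack && tcph->urg) {
			ALERT("FULL_Xmas_scan from %d.%d.%d.%d to %d.%d.%d.%d\n",
			      NIPQUAD(sip), NIPQUAD(dip));
		}
		/* Classic Xmas: FIN+PSH+URG only. */
		if (tcph->fin && !tcph->syn && !tcph->rst && tcph->psh &&
		    !tcph->ack && tcph->urg) {
			ALERT("XMAS_Scan(FPU)from %d.%d.%d.%d to %d.%d.%d.%d\n",
			      NIPQUAD(sip), NIPQUAD(dip));
		}
		break;
	}
	case IPPROTO_UDP:
		/* Same bounds rule as TCP before anything past the IP header
		 * is read; a later UDP parser should start after this check. */
		if (linear_len < hdr_len + sizeof(struct udphdr)) {
			ALERT("truncated UDP header from %d.%d.%d.%d to %d.%d.%d.%d\n",
			      NIPQUAD(sip), NIPQUAD(dip));
			break;
		}
		if (net_ratelimit()) {
			printk("IP packet from %d.%d.%d.%d to %d.%d.%d.%d\n",
			       NIPQUAD(sip), NIPQUAD(dip));
		}
		/* UDP inspection would go here. */
		break;
	case IPPROTO_ICMP:
		/* ICMP inspection would go here. */
		break;
	case IPPROTO_IGMP:
		ALERT("igmp packet from %d.%d.%d.%d to %d.%d.%d.%d\n",
		      NIPQUAD(sip), NIPQUAD(dip));
		/* IGMP inspection would go here. */
		break;
	default:
		ALERT("unknown protocol%d packet from %d.%d.%d.%d to %d.%d.%d.%d\n",
		      iph->protocol, NIPQUAD(sip), NIPQUAD(dip));
		break;
	}

	/* IDS only: every packet is passed on.  Return NF_DROP here instead
	 * if this skb should be discarded. */
	return NF_ACCEPT;
}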


/*
 * Registration record for sample().  It is attached at NF_IP_PRE_ROUTING, so
 * every inbound IPv4 packet is seen before any routing decision; the priority
 * NF_IP_PRI_FILTER - 1 places it just ahead of the filter priority slot
 * (lower values run earlier).  Fields not listed, including the list head,
 * are zero-initialised by the designated initializer.
 */
static struct nf_hook_ops imp2_ops = {
	.hook     = sample,
	.pf       = PF_INET,
	.hooknum  = NF_IP_PRE_ROUTING,
	.priority = NF_IP_PRI_FILTER - 1,
};

/*
 * Module entry point: installs the PRE_ROUTING hook described by imp2_ops.
 * The result of nf_register_hook() is handed back to the module loader, so
 * a failed registration makes the load itself fail.
 */
static int __init init(void)
{
	int rc;

	rc = nf_register_hook(&imp2_ops);
	return rc;
}

/*
 * Module exit point: detaches imp2_ops so no further packets reach sample()
 * once the module's code is unloaded.
 */
static void __exit fini(void)
{
	nf_unregister_hook(&imp2_ops);
}

module_init(init);
module_exit(fini);
