Libnids is a professional programming interface for network intrusion detection and development. It uses libpcap, so it has the ability to capture data packets. At the same time, libnids provides the function of reorganizing TCP Data Streams. Therefore, libnids can be used to analyze various TCP-based protocols. libnids also provides the function of reorganizing IP segments, as well as port scan detection and abnormal packet detection. Libnids Data Structure I. Basic Constants 1. Alarm Type
Enum
{
Nids_warn_ip = 1, // ip packet exception
Nids_warn_tcp, // TCP packet exception
Nids_warn_udp, // UDP packet exception
Nids_warn_scan // indicates a scan attack has occurred.
}
Enum
{
Nids_warn_undefined = 0, // indicates undefined
Nids_warn_ip_oversized. // indicates that the IP data packet is too long.
Nids_warn_ip_invlist, // indicates that the shard queue is invalid.
Nids_warn_ip_overlap, // indicates overlap
Nids_warn_ip_hdr, // indicates that the IP address header is invalid and the IP data packet is abnormal.
Nids_warn_ip_srr, // indicates the Source Route IP packet
Nids_warn_tcp_toomuch, // indicates that the number of TCP data is too large, because the maximum number of TCP packets captured at the same time in libnids is 3/4 in length in the hash table of the TCP connection parameter.
Nids_warn_tcp_hdr, // indicates that the TCP header is invalid and the TCP packet is abnormal.
Nids_warn_tcp_bigaqueue, // indicates that too much queue data is received by TCP
Nids_warn_tcp_badflags // indicates the error mark.
}
2. libnids status When reorganizing TCP data streams, the TCP connection status must be taken into account. In libnids, six libnids statuses are defined to facilitate development (the logical status of the connection is described) # Define nids_just_est 1 // indicates that a TCP connection is established. # Define nids_data 2 // indicates the status of the received data # Define nids_close 3 // indicates that the TCP connection is closed normally. # Define nids_reset 4 // indicates that the TCP connection is reset and closed. # Define nids_timed_out 5 // indicates that the TCP connection is closed due to timeout. # Define nids_exiting 6 // indicates that libnids is exiting There are 11 real TCP connection statuses Enum {
Tcp_established = 1, // indicates the establish status. The TCP connection is established and data transmission starts.
Tcp_syn_sent, // indicates the syn_sent status, active open
Tcp_syn_recv, // indicates the syn_recv status and receives SYN
Tcp_fin_wait1, // indicates the fin_wait_1 status
Tcp_fin_wait2, // indicates the fin_wait2 status
Tcp_time_wait // indicates the time_wait status
Tcp_close, // indicates the closed status
Tcp_close_wait, // indicates the close_wait status
Tcp_last_ack, // indicates the last_ack status
Tcp_listen, // indicates the listen status
Tcp_closing // indicates the closing status
} 3. checksum. constants related to this are defined as follows: # Define nids_do_chksum 0 // indicates that libnids needs to calculate the checksum. # Define nids_dont_chksum 1 // indicates that libnids does not need to calculate the checksum. II. Data Structure 1. tuple4: This data structure is the most basic data structure in libnids. Struct tuple4 {
U_short source; // Source Port
U_short DEST; // target port
U_int saddr; // source IP address
U_int daddr; // destination IP address
}; // Describes an address and port pair, which indicates the sender's IP address and port, and the receiver's IP address and port. 2. half_stream: This data structure is used to describe all information of a client in a TCP connection. It can be a client or a server. Struct half_stream {
Char state; // indicates the socket status, that is, the TCP connection status.
Char collect; // indicates whether to store data to data. If it is greater than 0, it is stored; otherwise, it is ignored.
Char collect_urg; // whether to store emergency data to urgdata. If it is greater than 0, it is stored; otherwise, it is ignored.
Char * data; // stores normally received data
Int offset; // the offset of the first byte of data stored in Data
Int count; // The number of bytes of data that has been stored in data since the TCP connection.
Int count_new; // indicates how much new data is stored in the data.
Int bufsize ;//
Int rmem_alloc;
Int urg_count;
U_int acked;
U_int seq;
U_int ack_seq;
U_int first_data_seg;
U_char urgdata; // used to store emergency data
U_char count_new_urg; // indicates whether new emergency data has arrived.
U_char urg_seen;
U_int urg_ptr;
U_short window;
U_char ts_on;
U_int curr_ts;
Struct skbuff * List;
Struct skbuff * listtail;
} 3. tcp_stream: Describes all information about a TCP connection. Struct tcp_stream {
Struct tuple4 ADDR; // a member of The tuple4 type. It indicates four important information of a TCP connection.
Char nids_state; // indicates the logical connection status.
Struct lurker_node * listeners;
Struct half_stream client;
Struct half_stream server;
Struct tcp_stream * next_node;
Struct tcp_stream * prev_node;
Int hash_index;
Struct tcp_stream * next_time;
Struct tcp_stream * prev_time;
Int read;
Struct tcp_stream * next_free;
}; // Describes the complete information of a TCP connection. 4. nids_prm: Describes some global parameter information of libnids. Struct nids_prm {
Int n_tcp_streams; // indicates the size of the Hasse table, which is used to store the tcp_stream data structure,
Int n_hosts; // the size of the Hasse table that stores IP Fragment information.
Char * device;
Char * filename; // used to store network data capture files. If a file is set, set the member device to null. The default value is null.
Int sk_buff_size; // indicates the size of the data structure sk_buff. The data structure sk_buff is an important data structure in the Linux kernel and is used for packet queue operations.
Int dev_addon; // indicates the number of bytes used for information on network interfaces in the data structure sk_buff. If it is-1 (default), libnids will be modified based on different network interfaces.
Void (* syslog) (); // function pointer. The default value is the nids_syslog () function. You can detect intrusion attacks in Syslog, such as network scan attacks.
Function Definition type: nids_syslog (INT type, int errnum, struct ip_header * IPH, void * Data)
Int syslog_level; // indicates the log level. The default value is log_alert.
Int scan_num_hosts; // the size of the Hasse table storing port scan information
Int scan_delay; // indicates the interval between two port scans during scan detection.
Int scan_num_ports; // number of TCP ports that must be scanned at the same source address
Void (* no_mem) (char *); // called when libnids memory overflow occurs
INT (* ip_filter) (); // function pointer. This function can be used to analyze IP data packets. When an IP data packet arrives, this function is called. the default value is nids_ip_filter. The function is defined as follows:
Static int nids_ip_filter (struct IP * X, int Len)
Char * pcap_filter; // indicates the filter rule.
Int promisc; // indicates the NIC mode. If the value is not 0, the NIC mode is mixed. Otherwise, the NIC mode is non-mixed. The default value is 1.
Int one_loop_less; // the time when the data is returned. The default value is 1024.
Int pcap_timeout;
}; In libnids, a global variable nids_params is defined using the nids_prm data structure. Its definition and initial value are as follows: Struct nids_prm nids_params = {
1040, // n_tcp_streams
256, // n_hosts
Null, // Device
Null, // filename
168, // sk_buff_size
-1, // dev_addon
Nids_syslog, // syslog ()
Log_alert, // syslog_level
256, // scan_num_hosts
3000, // scan_delay
10, // scan_num_prots
Nids_no_mem, // no_mem ()
Nids_ip_filter, // ip_filter
Null, // pcap_filter
1, // promisc
0, // one_loop_less
1024 // pcap_timeout
} When developing a program using libnids, You can first modify the value of the nids_params global variable so that the entire libnids is valid. 5. nids_chksum_ctl: Describes the calculation checksum. Struct nids_chksum_ctl {
U_int netaddr;
U_int mask;
U_int action; // indicates the action. If it is nids_do_chksum, the checksum is calculated. If it is nids_dont_chksum, the checksum is not calculated.
U_int reserved;
} Iii. libnids Functions 1. Basic functions
(1) int nids_init (void); // initialize libnids
(2) void nids_run (void); // run libnids to enter the cyclic packet capture status.
(3) int nids_getfd (void); // obtain the file description number.
(4) int nids_dispatch (int cnt) // The function is to call the capture data packet function pcap_dispatch () in Libpcap ().
(5) int nids_next (void) // call the packet capture function pcap_next () in libpcap ()
(6) void nids_register_chksum_ctl (struct nids_chksum_ctl * PTR, int nr) // determines whether to calculate the checksum. It is determined based on the action in the data structure nids_chksum_ctl.
2. IP fragmentation Function
(1) void nids_register_ip_frag (void (*) // This function registers a callback function that can detect all IP data packets, including IP fragmentation.
Eg: nids_register_ip_frag (ip_frag_function );
In this way, a callback function ip_frag_function is defined as follows:
Void ip_frag_function (struct IP * a_packet, int Len)
(2) void nids_register_ip (void (*) // This function defines a callback function, which can accept normal IP packets. For example:
Nids_register_ip (ip_function );
The callback function is defined as follows:
Void ip_function (struct IP * a_packet)
3. TCP Data Stream reorganization function
(1) void nids_register_tcp (void (*))
The callback function registers a callback function for a TCP connection. The callback function type is defined as follows:
Void tcp_callback (struct tcp_stream * NS, void ** PARAM );
The NS parameter indicates all information of a TCP connection. Its type is tcp_stream data structure. The param parameter indicates the connection parameter information to be passed and can point to the private data of a TCP connection.
(2) void nids_killtcp (struct tcp_stream * a_tcp) // This function is used to terminate a TCP connection.
(3) void nids_discard (struct tcp_stream * a_tcp, int num) // discard num bytes of TCP data for storing more data
4. UDP registration function
(1) void nids_register_udp (void (*));
This function registers a callback function that analyzes the UDP protocol. The type of the callback function is defined as follows:
Void udp_callback (struct tuple4 * ADDR, char * Buf, int Len, struct IP * iph );
The ADDR parameter indicates the port information, the Buf parameter indicates the UDP protocol load data content, and the Len parameter indicates the UDP load data length. The IPH parameter indicates an IP packet, including the IP header, UDP header and UDP load content
Development Process Using libnids Use the nids_init () function for initialization. Then register the corresponding callback function. Different callback functions implement different functions Finally, the function nids_run () is used to capture data packets cyclically. |