用PERL实现一个简单的NIDS

2008-05-19 03:00:21 编辑來源:互联网 国际版 评论
 
 
  suizheduiwangluoanquanxuqiudeshenrukaifajiyuwangluoderuqinjiancejishuyijingchengweiyigechongyaoqieyouyisideyanjiufangxiangxiangxuexiNIDSjishuchulequduyixiexianchengdeziliaoheyixiekaiyuanxitongdeyuanmazuihaodebanfamoguoyuzijiquxieyigeNIDSchengxuzhiyounayangcainengzhenzhengtihuidaoyixieNIDSdeshixianxuqiuheshejimiaochu

  benzhishangshuoNIDSzhishiyizhongwangluoliuliangdefenxigongjutongguoduiwangluoliuliangdefenxishibiechuyixieyizhihuoweizhidegongjixingweiyigezuijiandandeNIDSwanchengdezhuyaogongzuoyejiushizhuabao-xieyijiema-pipeizhongsuozhouzhiPERLshijiqiqiangdadejiaobenyuyanyouqishitadezifuchuanchulinenglikeyifang便biandishixianduiyuwangluoliuliangzhongeyitezhengjinxingpipeidangranPERLbijingzhishijiaobenyuyantadezhixingxiaolvbuyuanxuyongyuzhenzhengdaliuliangshengchanxinghuanjingdanPERLdejiandanyixuejiqiangdagongnengduiyushixianyigejiandandeNIDSdadaoxuexidemudewuyishifeichanghaodexiamianwojieshaoyigeyongPERLshixiandejiandanNIDSkuangjiawomenjiangzaiLinuxxiashixiantazaiqitacaozuoxitongshangleisi

  PERLdeyigeqiangdatexingjiuzaiyutahailiangdeCPANmokuaikuhenduonixiangshixiandegongnengdoukeyizhaodaoxianchengdemokuainisuoyaozuodezhishianzhuangshangnaxiemokuaijikeguanyuPERLdemokuaijimianxiangduixiangtexingdeguanlihe使shiyongzaizhejiubujieshaoleqingshenkanxiangguanziliaobiruO'REILLYchubandegaojiPerlbianchengzaiyongPERLbianxiewangluoliuliangfenxijiaobenzhiqianxuyaoanzhuangyixiedicengdezhuabaojijibendeshujubaojiemamokuaibaokuoruxiazhexie

  http://www.tcpdump.org/release/libpcap-0.8.1.tar.gz

  dicengjibendezhuabaoku

  http://www.cpan.org/authors/id/T/TI/TIMPOTTER/Net-Pcap-0.04.tar.gz

  libpcapdePERLjiekou

  http://www.cpan.org/authors/id/T/TI/TIMPOTTER/Net-PcapUtils-0.01.tar.gz

  Net-PcapmokuaidewrapperbaozhuangNet-Pcapdehanshukeyigengfang便biandizaiPERLlitiaoyongzhuabao

  http://www.cpan.org/authors/id/T/TI/TIMPOTTER/NetPacket-0.03.tar.gz

  yongyujibendeIP/TCP/UDPdengbaojiemademokuaibochugezhongxieyitouchouqugegeziduan

  xiamiandedaimayanshileyigedaiyoujibenSMBheFTPxieyijiemamokuaidezuijiandanNIDSkuangjiacichengxushixianzuijiandandeNIDSgongnengmianxiangdanbaobuguanxinbaodezhuangtaibujubeigaojideshangyeNIDSchanpinzhuruliuchongzubaozhuangtaijiyingyongcengxieyidegenzongdenggongnengweiletigaojiancedezhunquexingyuSnortzhijiepipeishujuqubutongdeshizhegejiaobenshixianlelianggeyingyongcengxieyiSMBFTPdejiandanjiemajiemawanquanshimianxiangNIDSdexuyaodaimayemeiyoujingguozaixideceshikenengcunzaiwentiyoushenmejianyikelianxiwo

  perl-ids.pl

  shixianzhuabaojijiancefenxidezhuchengxu

  ------------------------------ 8< ----------------------------------------

  #!/usr/bin/perl

  #

  # Comments/suggestions to stardust at xfocus dot org

  #

  #

  # $Id: perl-ids.pl,v 1.16 2004/03/04 21:51:12 stardust Exp $

  #

  # Load all required modules

  use Net::PcapUtils;

  use NetPacket::Ethernet qw(:strip);

  use NetPacket::TCP;

  use NetPacket::IP qw(:protos);

  use NetPacket::SMB;

  use NetPacket::FTP;

  # Define the log file names

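  # Log file locations. They stay package globals because SniffLoop and
  # CleanUp refer to them by name; `our` only makes the declaration
  # explicit (the script does not run under `use strict`).
  our $workingdir = "./";
  our $attacklog  = "attack.log";
  our $monitorlog = "monitor.log";

  # Detach into the background; daemon() never returns.
  daemon();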

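  # Fork and run the sniffer in the child; the parent exits at once.
  # The parent exits with status 1 (kept from the original script so
  # existing wrappers see the same code); the child exits 0 if SniffLoop
  # ever returns. fork() returns undef on failure, which the original
  # treated the same as "I am the child" and then sniffed in the parent;
  # a failed fork is now fatal instead.
  sub daemon {
      my $pid = fork;
      die "fork failed: $!" unless defined $pid;
      if ($pid == 0) {
          # Child: capture packets until a signal handler calls exit.
          SniffLoop();
          exit 0;
      }
      # Parent.
      exit 1;
  }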

  # Packet capture loop

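  # Capture loop: enter the working directory, open the log files, install
  # the signal handlers and hand control to Net::PcapUtils::loop(), which
  # calls sniffit() for every captured packet. Runs in the forked child and
  # only returns if loop() does.
  # Optional argument: capture device name (defaults to 'eth0' as before).
  # Dies if the working directory cannot be entered or a log cannot be opened
  # (the original ignored both failures and logged into the void).
  sub SniffLoop {
      my ($device) = @_;
      $device = 'eth0' unless defined $device;

      chdir $workingdir or die "chdir $workingdir: $!";

      # Three-argument open with an explicit mode; bareword handles are kept
      # because LogAlert, LogMonitor and CleanUp refer to them by name.
      # NOTE(review): the open mode was lost in this copy of the script;
      # append ('>>') is assumed for a log file - confirm against the original.
      open(ATTACKLOG,  '>>', $attacklog)  or die "open $attacklog: $!";
      open(MONITORLOG, '>>', $monitorlog) or die "open $monitorlog: $!";

      # Unbuffered output on both logs and STDOUT so alerts land immediately.
      # STDOUT is the last one selected, so it stays the default handle.
      for my $fh (\*ATTACKLOG, \*MONITORLOG, \*STDOUT) {
          select($fh);
          $| = 1;
      }

      # The process lives in the background; these handlers close the logs
      # before exiting.
      $SIG{INT}  = \&HandleINT;
      $SIG{TERM} = \&HandleTERM;

      Net::PcapUtils::loop(
          \&sniffit,
          SNAPLEN => 1800,
          Promisc => 1,
          FILTER  => 'tcp or udp',
          DEV     => $device,
      );
      return;
  }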

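  # Per-packet callback for Net::PcapUtils::loop().
  # Args: $args (user data, unused), $header (pcap header, unused),
  # $packet (raw Ethernet frame). Strips the Ethernet header, decodes IP and
  # TCP, and dispatches on the destination port: 139/445 go to
  # SmbClientCheck, 21 to FtpClientCheck. UDP is matched by the capture
  # filter but not inspected. Returns nothing.
  # Decoded packets are lexicals now; the original kept $ip/$tcp as globals.
  sub sniffit {
      my ($args, $header, $packet) = @_;

      my $ip = NetPacket::IP->decode(eth_strip($packet));

      # Only TCP has checks; everything else is dropped here.
      return unless $ip->{proto} == IP_PROTO_TCP;

      my $tcp  = NetPacket::TCP->decode($ip->{data});
      my $port = $tcp->{dest_port};

      if ($port == 139 || $port == 445) {
          # Traffic towards an SMB server port: run the SMB client checks.
          SmbClientCheck($ip->{src_ip}, $tcp->{src_port},
                         $ip->{dest_ip}, $port, $tcp->{data});
      }
      elsif ($port == 21) {
          # Traffic towards an FTP control port: run the FTP client checks.
          FtpClientCheck($ip->{src_ip}, $tcp->{src_port},
                         $ip->{dest_ip}, $port, $tcp->{data});
      }
      return;
  }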

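  # SMB client-side check.
  # Args: source ip/port, destination ip/port and the TCP payload.
  # Decodes the payload with NetPacket::SMB and, for a Session Setup AndX
  # (command 0x73) with the Extended Security Negotiation flag set, looks in
  # the security blob for the byte pattern the original signature used for
  # the ASN.1 decoding heap-corruption bug (BID 9633/9635, CAN-2003-0818,
  # NSFOCUS 6000). A match is passed to LogAlert. As the author notes, this
  # is a byte-pattern check rather than a structural ASN.1 parse, so it can
  # miss variants (false negatives).
  sub SmbClientCheck {
      my ($src_ip, $src_port, $dest_ip, $dst_port, $data) = @_;

      my $smb = NetPacket::SMB->decode($data);
      return unless $smb->{valid};

      # Session Setup AndX only.
      return unless $smb->{cmd} == 0x73;

      # Extended Security Negotiation set: the packet carries a security blob.
      return unless $smb->{flags2} & F2_EXTSECURINEG;

      return unless $smb->{bytecount} > 0;

      # SPNEGO OID (1.3.6.1.5.5.2) followed, somewhere later, by one of the
      # two byte sequences the signature looks for. The original put those
      # two sequences inside [...], which is a character class matching any
      # single one of the listed bytes, so the rule fired on almost every
      # blob; (?:...|...) is the intended alternation. /s lets .* cross 0x0a
      # bytes, which binary blobs contain freely.
      my $sig = qr/\x06\x06\x2b\x06\x01\x05\x05\x02.*(?:\xa1\x05\x23\x03\x03\x01\x07|\x84\xff\xff\xff)/s;

      if ($smb->{bytes} =~ $sig) {
          LogAlert($src_ip, $src_port, $dest_ip, $dst_port,
                   "ASN.1 malform encode attack!");
      }
      return;
  }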

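  # FTP client-side check.
  # Args: source ip/port, destination ip/port and the TCP payload.
  # Decodes the payload with NetPacket::FTP, which exposes cmdcount and the
  # fields cmd1/para1 .. cmdN/paraN, and for every MDTM command tests the
  # argument for the shape the original signature uses for the Serv-U
  # < 5.0.0.4 MDTM overflow (BID 9751, NSFOCUS 6078): a 14-digit timestamp,
  # a sign, an over-long timezone token, whitespace, then a filename.
  # A match is passed to LogAlert. The decoded packet is a lexical now.
  sub FtpClientCheck {
      my ($src_ip, $src_port, $dest_ip, $dst_port, $data) = @_;

      my $ftp = NetPacket::FTP->decode($data);
      return unless $ftp->{valid};

      # The original class was [+|-], which also matches a literal '|'.
      my $sig = qr/\d{14}[+-]\S{5,}\s+\S+/;

      for my $i (1 .. $ftp->{cmdcount}) {
          my $cmd  = $ftp->{"cmd$i"};
          my $para = $ftp->{"para$i"};
          next unless defined $cmd && defined $para;
          next unless uc($cmd) eq "MDTM";
          if ($para =~ $sig) {
              LogAlert($src_ip, $src_port, $dest_ip, $dst_port,
                       "Serv-U < v5.0.0.4 MDTM command long timezone string overflow attack!");
          }
      }
      return;
  }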

  # Record an attack alert

  # Write one alert line to ATTACKLOG and echo it to the selected output
  # handle (STDOUT once SniffLoop has run).
  # Args: source ip/port, destination ip/port, message text.
  # Line format: "<localtime>\t<src>:<sport> - <dst>:<dport>\t<message>\n".
  # ATTACKLOG is opened by SniffLoop; writing before that only warns.
  sub LogAlert {
      my ($src_ip, $src_port, $dest_ip, $dst_port, $message) = @_;
      my $stamp = scalar localtime;
      my $line  = sprintf("%s\t%s:%s - %s:%s\t%s\n",
                          $stamp, $src_ip, $src_port, $dest_ip, $dst_port, $message);
      print ATTACKLOG $line;
      print $line;
  }

  # Record monitoring information

  # Write one monitoring line to MONITORLOG and echo it to the selected
  # output handle (STDOUT once SniffLoop has run).
  # Args: source ip/port, destination ip/port, message text.
  # Line format: "<localtime>\t<src>:<sport> - <dst>:<dport>\t<message>\n".
  # MONITORLOG is opened by SniffLoop; writing before that only warns.
  sub LogMonitor {
      my ($src_ip, $src_port, $dest_ip, $dst_port, $message) = @_;
      my $stamp = scalar localtime;
      my $line  = sprintf("%s\t%s:%s - %s:%s\t%s\n",
                          $stamp, $src_ip, $src_port, $dest_ip, $dst_port, $message);
      print MONITORLOG $line;
      print $line;
  }

  # INT signal handler

  # SIGINT handler: close the log files, then exit with status 0.
  sub HandleINT {
      CleanUp();
      exit 0;
  }

  # TERM signal handler

  # SIGTERM handler: close the log files, then exit with status 0.
  sub HandleTERM {
      CleanUp();
      exit 0;
  }

  # Cleanup: mainly closing the file handles

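  # Close both log handles opened by SniffLoop. A failed close is reported
  # with warn rather than die, because this runs from the signal handlers
  # on the way out; the original ignored the result entirely, so a buffered
  # write error at close time was never surfaced.
  # Returns true only if both handles closed cleanly.
  sub CleanUp {
      my $ok = 1;
      close(ATTACKLOG)  or do { warn "close ATTACKLOG: $!";  $ok = 0 };
      close(MONITORLOG) or do { warn "close MONITORLOG: $!"; $ok = 0 };
      return $ok;
  }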

  ------------------------------ 8< ----------------------------------------

  FTP.pm

  FTPxieyijiemamokuaichouqushujubaolideFTPminglingjixiangyingdeshenshuciwenjianxuyaokaobeidaoNetPacketxiliemokuaisuozaidemulutongchangshizai/usr/lib/perl5/site_perl/5.x.x/NetPacket/

  ------------------------------ 8< ----------------------------------------

  #

  # NetPacket::FTP - Decode FTP packets

  #

  # Comments/suggestions to stardust at xfocus dot org

  #

  #

  # $Id: FTP.pm,v 1.16 2004/03/03 l1:16:20 stardust Exp $

  #原文
 
 
  随着对网络安全需求的深入开发,基于网络的入侵检测技术已经成为一个重要且有意思的研究方向。想学习NIDS技术除了去读一些现成的资料和一些开源系统的源码,最好的办法莫过于自己去写一个NIDS程序,只有那样才能真正体会到一些NIDS的实现需求和设计妙处。   本质上说NIDS只是一种网络流量的分析工具,通过对网络流量的分析识别出一些已知或未知的攻击行为,一个最简单的NIDS完成的主要工作也就是抓包-协议解码-匹配,众所周知PERL是极其强大的脚本语言,尤其是它的字符串处理能力可以方便地实现对于网络流量中恶意特征进行匹配。当然PERL毕竟只是脚本语言,它的执行效率不允许用于真正大流量生产性环境,但PERL的简单易学及强大功能对于实现一个简单的NIDS达到学习的目的无疑是非常好的,下面我介绍一个用PERL实现的简单NIDS框架,我们将在Linux下实现它,在其他操作系统上类似。   PERL的一个强大特性就在于它海量的CPAN模块库,很多你想实现的功能都可以找到现成的模块,你所要做的只是安装上那些模块即可,关于PERL的模块及面向对象特性的管理和使用在这就不介绍了,请参看相关资料,比如O'REILLY出版的《高级Perl编程》。在用PERL编写网络流量分析脚本之前,需要安装一些底层的抓包及基本的数据包解码模块,包括如下这些:   http://www.tcpdump.org/release/libpcap-0.8.1.tar.gz   底层基本的抓包库。   http://www.cpan.org/authors/id/T/TI/TIMPOTTER/Net-Pcap-0.04.tar.gz   libpcap的PERL接口。   http://www.cpan.org/authors/id/T/TI/TIMPOTTER/Net-PcapUtils-0.01.tar.gz   Net-Pcap模块的wrapper,包装Net-Pcap的函数,可以更方便地在PERL里调用抓包。   http://www.cpan.org/authors/id/T/TI/TIMPOTTER/NetPacket-0.03.tar.gz   用于基本的IP/TCP/UDP等包解码的模块,剥除各种协议头,抽取各个字段。   下面的代码演示了一个带有基本SMB和FTP协议解码模块的最简单NIDS框架,此程序实现最简单的NIDS功能,面向单包,不关心包的状态,不具备高级的商业NIDS产品诸如流重组,包状态及应用层协议的跟踪等功能。为了提高检测的准确性,与Snort直接匹配数据区不同的是,这个脚本实现了两个应用层协议:SMB、FTP的简单解码,解码完全是面向NIDS的需要,代码也没有经过仔细的测试可能存在问题,有什么建议可联系我。   perl-ids.pl   实现抓包及检测分析的主程序。   ------------------------------ 8< ----------------------------------------   #!/usr/bin/perl   #   # Comments/suggestions to stardust at xfocus dot org   #   #   # $Id: perl-ids.pl,v 1.16 2004/03/04 21:51:12 stardust Exp $   #   # 引用所有相关的模块   use Net::PcapUtils;   use NetPacket::Ethernet qw(:strip);   use NetPacket::TCP;   use NetPacket::IP qw(:protos);   use NetPacket::SMB;   use NetPacket::FTP;   # 定义日志文件名   $workingdir = "./";   $attacklog = "attack.log";   $monitorlog = "monitor.log";   # 以后台进程方式运行   daemon ();   sub daemon {   unless (fork) {   SniffLoop ();   exit 0;   }   exit 1;   }   # 抓包循环   sub SniffLoop {   # 进入工作目录   chdir ("$workingdir");   # 打开日志文件   open (ATTACKLOG," $attacklog");   open (MONITORLOG," $monitorlog");   # 设置文件读写为非缓冲模式   select(ATTACKLOG); $|++; 
select(MONITORLOG); $|++; select(STDOUT); $|++;   # 设置信号处理函数,因为程序运行于后台,退出时需要利用信号处理函数做些清理工作   $SIG{"INT"} = 'HandleINT';   $SIG{"TERM"} = 'HandleTERM';   # 进入抓包回调函数   Net::PcapUtils::loop(\&sniffit, SNAPLEN = 1800, Promisc = 1, FILTER = 'tcp or udp', DEV = 'eth0');   }   sub sniffit {   my ($args,$header,$packet) = @_;   # 解码IP包   $ip = NetPacket::IP-decode(eth_strip($packet));   # TCP协议   if ($ip-{proto} == IP_PROTO_TCP) {   # 解码TCP包   $tcp = NetPacket::TCP-decode($ip-{data});   # 检查来自SMB客户端的包   if (($tcp-{dest_port} == 139) || ($tcp-{dest_port} == 445)) {   # 如果目的端口是139或445,认为是SMB协议包,做相应的检查   SmbClientCheck ($ip-{src_ip},$tcp-{src_port},$ip-{dest_ip},$tcp-{dest_port},$tcp-{data});   } elsif ($tcp-{dest_port} == 21) {   # 如果目的端口是21,认为是FTP协议,做相应的检查   FtpClientCheck ($ip-{src_ip},$tcp-{src_port},$ip-{dest_ip},$tcp-{dest_port},$tcp-{data});   } else {}   # UDP协议   } elsif ($ip-{proto} == IP_PROTO_UDP) {   } else {}   }   sub SmbClientCheck {   my ($src_ip,$src_port,$dest_ip,$dst_port,$data) = @_;   # 调用SMB解码模块解码   $smb = NetPacket::SMB-decode($data);   # 如果解码成功   if ($smb-{valid}) {   # 示例检测新近公布eeye的那个ASN.1解码错误导致的堆破坏漏洞   # BID:9633,9635 CVEID:CAN-2003-0818 NSFOCUSID:6000   # 如果SMB命令是Session Setup AndX   if ($smb-{cmd} == 0x73) {   # 如果设置了Extended Security Negotiation位,表示有包里有Security Blob   if ($smb-{flags2} & F2_EXTSECURINEG) {   # 用正则表达式匹配通常会在攻击包里出现的OID及引发错误的畸形数据串   # 由于不是从原理上检测加之ASN.1编码的灵活性,这样的检测会导致漏报   if (($smb-{bytecount} 0) && ($smb-{bytes} =~ m/\x06\x06\x2b\x06\x01\x05\x05\x02.*[\xa1\x05\x23\x03\x03\x01\x07|\x84\xff\xff\xff]/)) {   # 记入日志文件   LogAlert ($src_ip,$src_port,$dest_ip,$dst_port,"ASN.1 malform encode attack!");   }   }   }   }   }   sub FtpClientCheck {   my ($src_ip,$src_port,$dest_ip,$dst_port,$data) = @_;   # 调用FTP解码模块解码   $ftp = NetPacket::FTP-decode($data);   # 如果解码成功   if ($ftp-{valid}) {   # 示例检测新近公布的Serv-U < 5.0.0.4版FTP服务器MDTM命令溢出攻击   # BID:9751 NSFOCUSID:6078   # 遍历从数据包里解码出来的FTP命令及其参数   for (my $i = 1;$i <= $ftp-{cmdcount};$i++) {   my $cmd = 
"cmd"."$i";   my $para = "para"."$i";   # 如果FTP命令是MDTM   if (uc($ftp-{$cmd}) eq "MDTM") {   # 用正则表达式匹配引发溢出的参数串,这里体现了正则   # 表达式的强大,用此匹配可以从原理上检测到畸形参数串   if ($ftp-{$para} =~ m/\d{14}[+|-]\S{5,}\s+\S{1,}/) {   LogAlert ($src_ip,$src_port,$dest_ip,$dst_port,"Serv-U < v5.0.0.4 MDTM command long timezone string overflow attack!");   }   }   }   }   }   # 记录攻击告警   sub LogAlert {   my ($src_ip,$src_port,$dest_ip,$dst_port,$message) = @_;   my $nowtime = localtime;   printf ATTACKLOG ("%s\t%s:%s - %s:%s\t%s\n",$nowtime,$src_ip,$src_port,$dest_ip,$dst_port,$message);   printf ("%s\t%s:%s - %s:%s\t%s\n",$nowtime,$src_ip,$src_port,$dest_ip,$dst_port,$message);   }   # 记录监控信息   sub LogMonitor {   my ($src_ip,$src_port,$dest_ip,$dst_port,$message) = @_;   my $nowtime = localtime;   printf MONITORLOG ("%s\t%s:%s - %s:%s\t%s\n",$nowtime,$src_ip,$src_port,$dest_ip,$dst_port,$message);   printf ("%s\t%s:%s - %s:%s\t%s\n",$nowtime,$src_ip,$src_port,$dest_ip,$dst_port,$message);   }   # INT信号处理例程   sub HandleINT {   CleanUp ();   exit (0);   }   # TERM信号处理例程   sub HandleTERM {   CleanUp ();   exit (0);   }   # 清理,主要工作是关闭文件句柄   sub CleanUp {   close (ATTACKLOG); close (MONITORLOG);   }   ------------------------------ 8< ----------------------------------------   FTP.pm   FTP协议解码模块,抽取数据包里的FTP命令及相应的参数,此文件需要拷贝到NetPacket系列模块所在的目录,通常是在/usr/lib/perl5/site_perl/5.x.x/NetPacket/   ------------------------------ 8< ----------------------------------------   #   # NetPacket::FTP - Decode FTP packets   #   # Comments/suggestions to stardust at xfocus dot org   #   #   # $Id: FTP.pm,v 1.16 2004/03/03 l1:16:20 stardust Exp $   #