libnids安装和用例

原始的libnids是基于libpcap和libnet的,因此在安装的时候,必须要安装这两个模块才行,当然假如你是基于libnids来开发,不需要libnet,可以看下文档写的,disabled掉libnet,或者直接将libnids里的需要的源文件拔出来,供自己用

下面是原始官方的版本,libnids-1.24,libnet-1.19,libpcap-1.3.0,安装顺序和过程如下

依赖的版本有glib,gthread等,具体可以查看configure文件

cd libpcap-1.3.0
./configure && make
make install

cd libnet-1.19
./configure && make
make install

cd libnids-1.24
./configure && make
make install

在这个过程中,可能会出现的问题有:

1:刚在VMware Player里安装的CentOS7.0,安装版本是development版本+gnome桌面,在此过程中gthread的模块貌似缺少了,但是glib的确是安装了,具体如何解决未知

2:在另一个CentOS6.4上,安装没啥问题,但是通过载入libnids库文件之后,执行自己的可执行程序,会报错关于libnet的库出现问题,所以在安装libnet过程中时间比较长,一定要观察每个警告

最终在另一台CentOS6.4上安装无误,在libnids-1.24的文件夹中,带了几个例子,可以用来尝试下

[root@localhost ~]# cd libnids-1.24/samples/
[root@localhost samples]# make
gcc -c -g -O2 -D_BSD_SOURCE -I. -I../src -I/usr/local/include -I/usr/local/include -D_BSD_SOURCE -D__BSD_SOURCE -D__FAVOR_BSD -DHAVE_NET_ETHERNET_H overflows.c
gcc -o overflows overflows.o  -L../src -lnids -L/usr/local/lib -lpcap -lnet -lgthread-2.0 -lnsl 
gcc -c -g -O2 -D_BSD_SOURCE -I. -I../src -I/usr/local/include -I/usr/local/include -D_BSD_SOURCE -D__BSD_SOURCE -D__FAVOR_BSD -DHAVE_NET_ETHERNET_H printall.c
printall.c: In function ?.ain?.
printall.c:117: warning: incompatible implicit declaration of built-in function ?.xit?
gcc -o printall printall.o  -L../src -lnids -L/usr/local/lib -lpcap -lnet -lgthread-2.0 -lnsl 
gcc -c -g -O2 -D_BSD_SOURCE -I. -I../src -I/usr/local/include -I/usr/local/include -D_BSD_SOURCE -D__BSD_SOURCE -D__FAVOR_BSD -DHAVE_NET_ETHERNET_H sniff.c
sniff.c: In function ?.dres?.
sniff.c:24: warning: incompatible implicit declaration of built-in function ?.trcpy?
sniff.c:25: warning: incompatible implicit declaration of built-in function ?.trlen?
sniff.c:26: warning: incompatible implicit declaration of built-in function ?.trcat?
sniff.c: In function ?.o_log?.
sniff.c:35: warning: incompatible implicit declaration of built-in function ?.trlen?
sniff.c: In function ?.ain?.
sniff.c:83: warning: incompatible implicit declaration of built-in function ?.xit?
sniff.c:88: warning: incompatible implicit declaration of built-in function ?.xit?
gcc -o sniff sniff.o  -L../src -lnids -L/usr/local/lib -lpcap -lnet -lgthread-2.0 -lnsl 

这里由于字体安装有问题,有很多字母变成了问号,但是答题意思基本能看懂,基本都是字符串操作以及exit没有包含应有的头文件,如此以其中一个为例,比如sniff.c,添加两个头文件,编译

#include <stdlib.h>
#include <string.h>

然后再make,顺便看下所有依赖的库文件

[root@localhost samples]# make clean
rm -f *.o *~ overflows printall sniff
[root@localhost samples]# make
gcc -c -g -O2 -D_BSD_SOURCE -I. -I../src -I/usr/local/include -I/usr/local/include -D_BSD_SOURCE -D__BSD_SOURCE -D__FAVOR_BSD -DHAVE_NET_ETHERNET_H overflows.c
gcc -o overflows overflows.o  -L../src -lnids -L/usr/local/lib -lpcap -lnet -lgthread-2.0 -lnsl 
gcc -c -g -O2 -D_BSD_SOURCE -I. -I../src -I/usr/local/include -I/usr/local/include -D_BSD_SOURCE -D__BSD_SOURCE -D__FAVOR_BSD -DHAVE_NET_ETHERNET_H printall.c
gcc -o printall printall.o  -L../src -lnids -L/usr/local/lib -lpcap -lnet -lgthread-2.0 -lnsl 
gcc -c -g -O2 -D_BSD_SOURCE -I. -I../src -I/usr/local/include -I/usr/local/include -D_BSD_SOURCE -D__BSD_SOURCE -D__FAVOR_BSD -DHAVE_NET_ETHERNET_H sniff.c
gcc -o sniff sniff.o  -L../src -lnids -L/usr/local/lib -lpcap -lnet -lgthread-2.0 -lnsl

下面是个自带的小例子,添加两行头文件之后

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <arpa/inet.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "nids.h"

#define int_ntoa(x)	inet_ntoa(*((struct in_addr *)&x))

// struct tuple4 contains addresses and port numbers of the TCP connections
// the following auxiliary function produces a string looking like
// 10.0.0.1,1024,10.0.0.2,23
char *
adres (struct tuple4 addr)
{
  static char buf[256];
  strcpy (buf, int_ntoa (addr.saddr));
  sprintf (buf + strlen (buf), ",%i,", addr.source);
  strcat (buf, int_ntoa (addr.daddr));
  sprintf (buf + strlen (buf), ",%i", addr.dest);
  return buf;
}

void
tcp_callback (struct tcp_stream *a_tcp, void ** this_time_not_needed)
{
  char buf[1024];
  strcpy (buf, adres (a_tcp->addr)); // we put conn params into buf
  if (a_tcp->nids_state == NIDS_JUST_EST)
    {
    // connection described by a_tcp is established
    // here we decide, if we wish to follow this stream
    // sample condition: if (a_tcp->addr.dest!=23) return;
    // in this simple app we follow each stream, so..
      a_tcp->client.collect++; // we want data received by a client
      a_tcp->server.collect++; // and by a server, too
      a_tcp->server.collect_urg++; // we want urgent data received by a
                                   // server
#ifdef WE_WANT_URGENT_DATA_RECEIVED_BY_A_CLIENT
      a_tcp->client.collect_urg++; // if we don't increase this value,
                                   // we won't be notified of urgent data
                                   // arrival
#endif
      fprintf (stderr, "%s established\n", buf);
      return;
    }
  if (a_tcp->nids_state == NIDS_CLOSE)
    {
      // connection has been closed normally
      fprintf (stderr, "%s closing\n", buf);
      return;
    }
  if (a_tcp->nids_state == NIDS_RESET)
    {
      // connection has been closed by RST
      fprintf (stderr, "%s reset\n", buf);
      return;
    }

  if (a_tcp->nids_state == NIDS_DATA)
    {
      // new data has arrived; gotta determine in what direction
      // and if it's urgent or not

      struct half_stream *hlf;

      if (a_tcp->server.count_new_urg)
      {
        // new byte of urgent data has arrived 
        strcat(buf,"(urgent->)");
        buf[strlen(buf)+1]=0;
        buf[strlen(buf)]=a_tcp->server.urgdata;
        write(1,buf,strlen(buf));
        return;
      }
      // We don't have to check if urgent data to client has arrived,
      // because we haven't increased a_tcp->client.collect_urg variable.
      // So, we have some normal data to take care of.
      if (a_tcp->client.count_new)
	{
          // new data for client
	  hlf = &a_tcp->client; // from now on, we will deal with hlf var,
                                // which will point to client side of conn
	  strcat (buf, "(<-)"); // symbolic direction of data
	}
      else
	{
	  hlf = &a_tcp->server; // analogical
	  strcat (buf, "(->)");
	}
    fprintf(stderr,"%s",buf); // we print the connection parameters
                              // (saddr, daddr, sport, dport) accompanied
                              // by data flow direction (-> or <-)

   write(2,hlf->data,hlf->count_new); // we print the newly arrived data
      
    }
  return ;
}

int 
main ()
{
  // here we can alter libnids params, for instance:
  // nids_params.n_hosts=256;
  if (!nids_init ())
  {
  	fprintf(stderr,"%s\n",nids_errbuf);
  	exit(1);
  }
  nids_register_tcp (tcp_callback);
  nids_run ();
  return 0;
}

可以看到注册函数里的回调函数tcp_callback,在tcp的各种状态nids_stat不同的情况下,进行不同的统计,比如在建立TCP连接时

  strcpy (buf, adres (a_tcp->addr)); // we put conn params into buf
  if (a_tcp->nids_state == NIDS_JUST_EST)
    {
..................省略...................
      fprintf (stderr, "%s established\n", buf);

会打印出buf里TCP的一些信息,当然TCP的其它状态的时候,肯定也一样会打印相关信息,下面就是执行结果

13.20.51.8,36145,21.45.4.7,22 established
13.20.51.8,36145,21.45.4.7,22(->)SSH-2.0-libssh-0.1
13.20.51.8,36145,21.45.4.7,22(->)./>?@n?S?9?diffie-hellman-group1-sha1ssh-rsa
aes128-cbc
aes128-cbc	hmac-sha1	hmac-sha1nonenone13.20.51.8,36145,21.45.4.7,22(->)..^"@.-GはI.?>.??漭8..?"僵'战DZ??.
       H`.?p.??喷?.v?/P甥?x.敫.傈?B.c-s?_>A?.?9	O??河13.20.51.8,36145,21.45.4.7,22(->)

乱码部分就无视吧,操作系统安装的时候字体不全导致

发表回复