POP3（110端口）监控
#include "nids.h"
#include <cstdio>
#include <ctype.h>
#include <string.h>
#pragma comment(lib,"ws2_32")
#pragma comment(lib,"wpcap")
#pragma comment(lib,"libnids")
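/*
 * Scratch buffer shared by every call of char_to_ascii(); it is overwritten on
 * each call, so the returned pointer is only valid until the next call.  Only
 * two bytes are ever used; the size is kept for compatibility with the rest of
 * the file.
 */
char ascii_string[10000];

/*
 * Render one payload byte as a printable one-character string.
 *
 * Graphic characters and the line terminators '\n' and '\r' are passed through
 * unchanged; every other byte (NUL, other control characters and, in the
 * default "C" locale, bytes >= 0x80) is shown as '.'.  Used by the payload
 * dump so that raw protocol data cannot emit terminal control sequences.
 *
 * @param ch  the byte to render
 * @return    pointer to the static NUL-terminated string in ascii_string
 *            (not reentrant; consume it before calling again)
 */
char * char_to_ascii(char ch)
{
    /*
     * The <ctype.h> classifiers take an int that must be EOF or a value
     * representable as unsigned char.  A plain char holding a byte >= 0x80
     * (common in non-ASCII mail bodies) is negative on most platforms, so it
     * has to be widened through unsigned char first.
     */
    unsigned char byte = (unsigned char)ch;
    char shown = '.';

    if (isgraph(byte) || ch == '\n' || ch == '\r') {
        shown = ch;
    }

    ascii_string[0] = shown;
    ascii_string[1] = '\0';
    return ascii_string;
}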
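enum { POP3_PORT = 110 };       /* only streams with this destination port are collected */
enum { PAYLOAD_CAP = 65535 };   /* size of the on-stack copy of one data delivery */

/*
 * Write "SRC_IP: SRC_PORT<sep>DST_IP: DST_PORT\n" for the endpoints in t.
 *
 * Replaces the repeated strcpy/sprintf/strcat sequences with one bounded
 * helper.  inet_ntoa() returns a pointer to a single static buffer, so the two
 * addresses are converted in separate statements.  When cap is too small the
 * text is truncated, never written past dst.
 *
 * @param dst  destination buffer; NUL-terminated on return when cap > 0
 * @param cap  size of dst in bytes
 * @param t    addresses and ports of the stream (tuple4 from libnids)
 * @param sep  direction marker placed between the two endpoints
 */
static void format_endpoints(char *dst, size_t cap, const struct tuple4 *t,
                             const char *sep)
{
    struct in_addr src;
    struct in_addr dest;
    int n;

    /* copy instead of casting the integer address fields to struct in_addr */
    memcpy(&src, &t->saddr, sizeof src);
    memcpy(&dest, &t->daddr, sizeof dest);

    n = snprintf(dst, cap, "%s: %i%s", inet_ntoa(src), t->source, sep);
    if (n < 0) {
        dst[0] = '\0';
        return;
    }
    if ((size_t)n >= cap) {
        return;                 /* truncated; dst is already terminated */
    }
    snprintf(dst + n, cap - (size_t)n, "%s: %i\n", inet_ntoa(dest), t->dest);
}

/*
 * Copy the newly delivered bytes of hlf into content as a NUL-terminated
 * string and return how many were copied.
 *
 * count_new is set by the reassembler from data the remote peer sent, so it is
 * clamped to cap - 1: the unbounded memcpy it replaces could overflow the
 * stack buffer on a large segment.
 *
 * @param content  destination buffer
 * @param cap      size of content in bytes (must be > 0)
 * @param hlf      half stream whose new data is copied
 * @return         number of payload bytes stored in content
 */
static int copy_payload(char *content, size_t cap, const struct half_stream *hlf)
{
    int len = hlf->count_new;

    if (len < 0) {
        len = 0;
    }
    if ((size_t)len >= cap) {
        len = (int)(cap - 1);
    }
    memcpy(content, hlf->data, (size_t)len);
    content[len] = '\0';
    return len;
}

/*
 * Print len bytes of content, one at a time through char_to_ascii() so that
 * non-printable bytes appear as '.', followed by a newline.
 */
static void dump_printable(const char *content, int len)
{
    int i;

    for (i = 0; i < len; i++) {
        printf("%s", char_to_ascii(content[i]));
    }
    printf("\n");
}

/*
 * libnids TCP callback: report connection events and payload of POP3 sessions
 * on stdout.
 *
 * nids_run() invokes it for every TCP stream.  On NIDS_JUST_EST it requests
 * collection of both halves (normal and urgent data) only for streams whose
 * destination port is POP3_PORT; libnids is expected to drop streams for which
 * no collection was requested, so later states should only arrive for POP3
 * streams (confirm against the libnids version in use).  On NIDS_DATA the
 * `client` half is treated as server replies (+OK / -ERR are decoded) and the
 * `server` half as client commands (USER, PASS, ... are named); the payload is
 * then dumped with non-printable bytes shown as '.'.
 *
 * @param pop3_connection  stream the event refers to (owned by libnids)
 * @param arg              per-stream user data slot, unused here
 */
void pop3_protocol_callback(struct tcp_stream* pop3_connection, void **arg)
{
    char address_string[1024];
    char content[PAYLOAD_CAP];
    const struct tuple4 *ip_and_port = &pop3_connection->addr;

    (void)arg;

    switch (pop3_connection->nids_state) {
    case NIDS_JUST_EST:
        if (pop3_connection->addr.dest == POP3_PORT) {
            pop3_connection->client.collect++;
            pop3_connection->client.collect_urg++;
            pop3_connection->server.collect++;
            pop3_connection->server.collect_urg++;
            format_endpoints(address_string, sizeof address_string, ip_and_port, " <----> ");
            printf("%sPOP3客户端和服务端建立连接\n", address_string);
        }
        return;

    case NIDS_CLOSE:
        format_endpoints(address_string, sizeof address_string, ip_and_port, " <----> ");
        printf("---------------------------------------\n");
        printf("%sPOP3客户端和服务端正常关闭\n", address_string);
        return;

    case NIDS_RESET:
        format_endpoints(address_string, sizeof address_string, ip_and_port, " <----> ");
        printf("---------------------------------------\n");
        printf("%sPOP3客户端和服务端被RST关闭\n", address_string);
        return;

    case NIDS_DATA: {
        const struct half_stream *hlf;
        int len;

        /* Urgent data is a single byte per half; report it and stop. */
        if (pop3_connection->server.count_new_urg) {
            printf("----------------------------------------\n");
            format_endpoints(address_string, sizeof address_string, ip_and_port, " urgent----> ");
            printf("%s%s", address_string,
                   char_to_ascii(pop3_connection->server.urgdata));
            return;
        }
        if (pop3_connection->client.count_new_urg) {
            printf("----------------------------------------\n");
            format_endpoints(address_string, sizeof address_string, ip_and_port, " <------urgent");
            /* this half's own byte; the previous code printed server.urgdata here */
            printf("%s%s", address_string,
                   char_to_ascii(pop3_connection->client.urgdata));
            return;
        }

        if (pop3_connection->client.count_new) {
            /* Data towards the client: a POP3 reply. */
            hlf = &pop3_connection->client;
            printf("----------------------------------------\n");
            format_endpoints(address_string, sizeof address_string, ip_and_port, " <-----");
            printf("%s", address_string);
            len = copy_payload(content, sizeof content, hlf);

            /*
             * A reply starts with the status indicator.  Compare in place: the
             * previous strncpy into a 4-byte copy left it unterminated and
             * strstr then read past it.
             */
            if (strncmp(content, "+OK", 3) == 0) {
                printf("操作成功\n");
            }
            if (strncmp(content, "-ERR", 4) == 0) {
                printf("操作失败\n");
            }
            dump_printable(content, len);

            /* RFC 1939: a multi-line reply ends with CRLF "." CRLF */
            if (strstr(content, "\r\n.\r\n")) {
                printf("数据传输结束\n");
            }
        } else {
            /* Data towards the server: a client command. */
            hlf = &pop3_connection->server;
            printf("----------------------------------------\n");
            /* arrow points at the server, matching the " urgent----> " marker above */
            format_endpoints(address_string, sizeof address_string, ip_and_port, " ----->");
            printf("%s", address_string);
            len = copy_payload(content, sizeof content, hlf);

            if (strstr(content, "USER")) {
                printf("邮件用户名为\n");
            }
            if (strstr(content, "PASS")) {
                printf("用户密码为\n");
            }
            if (strstr(content, "STAT")) {
                printf("返回统计资料\n");
            }
            if (strstr(content, "LIST")) {
                printf("返回邮件数量和大小\n");
            }
            if (strstr(content, "RETR")) {
                printf("获取邮件\n");
            }
            if (strstr(content, "DELE")) {
                printf("删除邮件\n");
            }
            if (strstr(content, "QUIT")) {
                printf("退出连接\n");
            }
            dump_printable(content, len);
        }
        return;
    }

    default:
        return;
    }
}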
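/*
 * Entry point: initialise libnids with its defaults, register the POP3 stream
 * callback and hand control to the capture loop.
 *
 * Command-line arguments are not used; interface and filter are whatever
 * libnids picks by default.
 *
 * @return 1 if nids_init() fails (the libnids message in nids_errbuf is
 *         written to stderr), otherwise 0 once nids_run() returns
 */
int main(int argc, char **argv)
{
    (void)argc;
    (void)argv;

    if (!nids_init()) {
        /* diagnostics go to stderr so they do not mix with the capture log on stdout */
        fprintf(stderr, "出现错误: %s\n", nids_errbuf);
        return 1;
    }

    nids_register_tcp(pop3_protocol_callback);
    nids_run();   /* presumably blocks for the lifetime of the capture — confirm */
    return 0;
}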