From a011f87f21fc25df3b85b7bfefcbc98176a6059f Mon Sep 17 00:00:00 2001
From: liuyang
Date: Mon, 17 Dec 2018 14:48:08 +0800
Subject: [PATCH] =?UTF-8?q?1=E3=80=81kni.conf=E5=A2=9E=E5=8A=A0[send=5Flog?=
 =?UTF-8?q?];2=E3=80=81log=5Fdebug=E6=94=AF=E6=8C=81TCP/UDP=E5=8D=8F?=
 =?UTF-8?q?=E8=AE=AE=EF=BC=9B3=E3=80=81IPV4/V6=5Fentry=E4=B8=ADaddr=5Ftype?=
 =?UTF-8?q?=E6=9B=B4=E6=AD=A3=EF=BC=9B4=E3=80=81redirect=E6=97=A5=E5=BF=97?=
 =?UTF-8?q?=E6=9B=B4=E6=96=B0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 bin/kniconf/kni.conf | 6 +++++
 bin/kniconf/maat_test.json.dnat | 48 +++++++++++++++++++++++++++++++++
 bin/kniconf/maat_test.json.snat | 48 +++++++++++++++++++++++++++++++++
 kni_comm.c | 27 ++++++++++++++-----
 kni_entry.c | 4 +--
 kni_redirect.c | 4 +--
 6 files changed, 127 insertions(+), 10 deletions(-)
 create mode 100644 bin/kniconf/maat_test.json.dnat
 create mode 100644 bin/kniconf/maat_test.json.snat
diff --git a/bin/kniconf/kni.conf b/bin/kniconf/kni.conf
index 3a4a75a..9a2103e 100644
--- a/bin/kniconf/kni.conf
+++ b/bin/kniconf/kni.conf
@@ -53,6 +53,12 @@ table_info_path=./kniconf/maat_table_info.conf
 full_cfg_dir=/home/mesasoft/tango_rules/full/index
 inc_cfg_dir=/home/mesasoft/tango_rules/inc/index
+[send_log]
+send_log_switch=0
+NIC_NAME=eth0
+ENTRANCE_ID=0
+KAFKA_BROKERLIST=192.168.10.73:9092
+
 [Module]
diff --git a/bin/kniconf/maat_test.json.dnat b/bin/kniconf/maat_test.json.dnat
new file mode 100644
index 0000000..a95531b
--- /dev/null
+++ b/bin/kniconf/maat_test.json.dnat
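Review bot: The new `[send_log]` keys `NIC_NAME`, `ENTRANCE_ID` and `KAFKA_BROKERLIST` are uppercase while every other key visible in this file is lowercase (`send_log_switch`, `full_cfg_dir`, `inc_cfg_dir`), and none of the four is described. A comment above the section stating what each key controls and what `send_log_switch=1` turns on would help whoever deploys this. `KAFKA_BROKERLIST=192.168.10.73:9092` looks like a deployment-specific address; if so it is better carried in a local override than as the committed default.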
@@ -0,0 +1,48 @@
+{
+ "compile_table": "PXY_INTERCEPT_COMPILE",
+ "group_table": "PXY_INTERCEPT_GROUP",
+ "rules": [
+ {
+ "compile_id": 1,
+ "service": 1,
+ "action":48,
+ "do_blacklist": 1,
+ "do_log": 1,
+ "effective_rage": 0,
+ "user_region": "spoofing_ip_pool=10;nat_type=dnat;",
+ "is_valid": "yes",
+ "groups": [
+ {
+ "group_name": "Untitled",
+ "regions": [
+ {
+ "table_name": "PXY_INTERCEPT_IP",
+ "table_type": "ip",
+ "table_content": {
+ "addr_type": "ipv4",
+ "src_ip": "192.168.11.80",
+ "mask_src_ip": "255.255.255.255",
+ "src_port": "0",
+ "mask_src_port": "65535",
+ "dst_ip": "61.135.169.125",
+ "mask_dst_ip": "255.255.255.255",
+ "dst_port": "0",
+ "mask_dst_port": "65535",
+ "protocol": 0,
+ "direction": "double"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "plugin_table": [
+ {
+ "table_name": "PXY_OBJ_SPOOFING_IP_POOL",
+ "table_content": [
+ "1\t4\t0\t123.57.35.217\t0\t0\t\t0\t0\t1\t123\t10\t{}\t20181217-0:22"
+ ]
+ }
+ ]
+ }
diff --git a/bin/kniconf/maat_test.json.snat b/bin/kniconf/maat_test.json.snat
new file mode 100644
index 0000000..e144d6a
--- /dev/null
+++ b/bin/kniconf/maat_test.json.snat
@@ -0,0 +1,48 @@
+{
+ "compile_table": "PXY_INTERCEPT_COMPILE",
+ "group_table": "PXY_INTERCEPT_GROUP",
+ "rules": [
+ {
+ "compile_id": 1,
+ "service": 1,
+ "action":48,
+ "do_blacklist": 1,
+ "do_log": 1,
+ "effective_rage": 0,
+ "user_region": "spoofing_ip_pool=10;nat_type=snat;",
+ "is_valid": "yes",
+ "groups": [
+ {
+ "group_name": "Untitled",
+ "regions": [
+ {
+ "table_name": "PXY_INTERCEPT_IP",
+ "table_type": "ip",
+ "table_content": {
+ "addr_type": "ipv4",
+ "src_ip": "192.168.11.80",
+ "mask_src_ip": "255.255.255.255",
+ "src_port": "0",
+ "mask_src_port": "65535",
+ "dst_ip": "0.0.0.0",
+ "mask_dst_ip": "255.255.255.255",
+ "dst_port": "0",
+ "mask_dst_port": "65535",
+ "protocol": 0,
+ "direction": "double"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "plugin_table": [
+ {
+ "table_name": "PXY_OBJ_SPOOFING_IP_POOL",
+ "table_content": [
+ "1\t4\t0\t192.168.11.127\t0\t0\t\t0\t0\t1\t123\t10\t{}\t20181217-0:22"
+ ]
+ }
+ ]
+ }
diff --git a/kni_comm.c b/kni_comm.c
index f871027..62882b2 100644
--- a/kni_comm.c
+++ b/kni_comm.c
@@ -126,10 +126,11 @@ int kni_log_debug(int level,char* module,const void* a_packet,const char* format
 char saddr_str[INET6_ADDRSTRLEN ]={0};
 char daddr_str[INET6_ADDRSTRLEN ]={0};
+ int protocol=0;
 struct ip* ipv4_hdr = (struct ip*)a_packet;
 struct kni_ipv6_hdr* ipv6_hdr = (struct kni_ipv6_hdr*)a_packet;
- struct tcphdr* tcphdr = NULL;
- struct udphdr* udphdr = NULL;
+ struct kni_tcp_hdr* tcphdr=NULL;
+ struct kni_udp_hdr* udphdr=NULL;
 char buf[4096] = {0};
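Review bot: The two new transport-header pointers are declared non-const although `a_packet` arrives as `const void*` and the function only reads through them; `const struct kni_tcp_hdr *tcphdr = NULL;` and `const struct kni_udp_hdr *udphdr = NULL;` would keep the qualifier the caller gave instead of dropping it at the cast sites in the later hunks. `protocol` ends up holding an 8-bit IP protocol / next-header value, so a short comment on its declaration, `/* IP protocol number of a_packet; stays 0 until the header is parsed */`, would explain why it starts at 0 and why the port extraction below is skipped for unknown values. kni_log_debug begins before this hunk and continues past it.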
@@ -143,11 +144,14 @@ int kni_log_debug(int level,char* module,const void* a_packet,const char* format
 if(ipv4_hdr->ip_v==4)
 {
- tcphdr=(struct tcphdr*)((char*)ipv4_hdr+4*(ipv4_hdr->ip_hl));
+ tcphdr=(struct kni_tcp_hdr*)((char*)ipv4_hdr+4*(ipv4_hdr->ip_hl));
+ udphdr=(struct kni_udp_hdr*)((char*)ipv4_hdr+4*(ipv4_hdr->ip_hl));
 inet_ntop(AF_INET, (void *)&((ipv4_hdr->ip_src).s_addr), saddr_str, INET_ADDRSTRLEN);
 inet_ntop(AF_INET, (void *)&((ipv4_hdr->ip_dst).s_addr), daddr_str, INET_ADDRSTRLEN);
+ protocol = ipv4_hdr->ip_p;
+
 }
 else if((ipv6_hdr->ip6_flags[0] & 0xF0) == 0x60)
 {
@@ -156,15 +160,26 @@ int kni_log_debug(int level,char* module,const void* a_packet,const char* format
 return -1;
 }
- tcphdr =(struct tcphdr*)( (unsigned char*)ipv6_hdr + sizeof(struct kni_ipv6_hdr));
+ tcphdr =(struct kni_tcp_hdr*)( (unsigned char*)ipv6_hdr + sizeof(struct kni_ipv6_hdr));
+ udphdr =(struct kni_udp_hdr*)( (unsigned char*)ipv6_hdr + sizeof(struct kni_ipv6_hdr));
 inet_ntop(AF_INET6, (void *)&(ipv6_hdr->ip6_src), saddr_str, INET6_ADDRSTRLEN);
 inet_ntop(AF_INET6, (void *)&(ipv6_hdr->ip6_dst), daddr_str, INET6_ADDRSTRLEN);
+
+ protocol= ipv6_hdr->ip6_nex_hdr;
 }
- sport=ntohs(tcphdr->source);
- dport=ntohs(tcphdr->dest);
+ if(protocol == PROTO_TYPE_TCP)
+ {
+ sport=ntohs(tcphdr->th_sport);
+ dport=ntohs(tcphdr->th_dport);
+ }
+ else if(protocol == PROTO_TYPE_UDP)
+ {
+ sport=ntohs(udphdr->uh_sport);
+ dport=ntohs(udphdr->uh_dport);
+ }
 MESA_handle_runtime_log(g_kni_comminfo.logger,level,module,"addr:%s,%d,%s,%d %s",saddr_str,sport,daddr_str,dport,buf);
diff --git a/kni_entry.c b/kni_entry.c
index 6f934ba..b5b75a8 100644
--- a/kni_entry.c
+++ b/kni_entry.c
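Review bot: The IPv4 branch derives `tcphdr` and `udphdr` from `4*(ipv4_hdr->ip_hl)` without validating `ip_hl`, so a header-length field below 5 places the transport header inside the IP header itself, and because kni_log_debug receives no packet length it cannot confirm that a full transport header is present in the buffer at all. The IPv6 branch in the next hunk does bail out with `return -1;` on some condition; the IPv4 branch could mirror that with `if(ipv4_hdr->ip_hl < 5) return -1;` ahead of the pointer arithmetic, and the function's header comment should state that the caller guarantees the buffer holds the complete L3 and L4 headers. The two new lines compute the same offset twice; computing it once into a local pointer and casting from there would remove the duplication.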
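Review bot: When `protocol` is neither TCP nor UDP (ICMP, or an IPv6 packet whose first next-header is an extension header) nothing in this hunk assigns `sport`/`dport`, so the log line prints whatever they held before; if their declaration outside the hunk does not initialise them, those are indeterminate values. An `else { sport = 0; dport = 0; }` after the UDP branch, or explicit initialisation at the declaration, makes the output deterministic. `ip6_nex_hdr` is only the first next-header value and the extension chain is not walked, so a comment such as `/* extension headers are not walked; ports are not extracted for such packets */` would stop readers from reading a logged 0 as a real port. This also relies on `PROTO_TYPE_TCP`/`PROTO_TYPE_UDP` matching the IANA numbers carried in `ip_p`/`ip6_nex_hdr`, which I cannot confirm from this hunk.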
@@ -1113,7 +1113,7 @@ extern "C" char kni_ipv4_entry(const struct streaminfo *pstream,unsigned char ro
 ret = process_redirect_pending(pstream,&pmeinfo,thread_seq,ipv4_hdr,0,routedir);
 return ret;
 }
- else if(redirect_search_htable(pstream->addr.addrtype,&pmeinfo,thread_seq,ipv4_hdr,0) == 1)
+ else if(redirect_search_htable(ADDR_TYPE_IPV4,&pmeinfo,thread_seq,ipv4_hdr,0) == 1)
 {
 ret = process_redirect_data(pstream,&pmeinfo,thread_seq,ipv4_hdr,0,routedir);
 return ret;
@@ -1169,7 +1169,7 @@ extern "C" char kni_ipv6_entry(const struct streaminfo *pstream,unsigned char ro
 ret = process_redirect_pending(pstream,&pmeinfo,thread_seq,ipv6_hdr,0,routedir);
 return ret;
 }
- else if(redirect_search_htable(pstream->addr.addrtype,&pmeinfo,thread_seq,ipv6_hdr,0) == 1)
+ else if(redirect_search_htable(ADDR_TYPE_IPV6,&pmeinfo,thread_seq,ipv6_hdr,0) == 1)
 {
 ret = process_redirect_data(pstream,&pmeinfo,thread_seq,ipv6_hdr,0,routedir);
 return ret;
diff --git a/kni_redirect.c b/kni_redirect.c
index fb89262..e87be10 100644
--- a/kni_redirect.c
+++ b/kni_redirect.c
@@ -105,7 +105,7 @@ int redirect_search_htable(unsigned char addr_type,struct kni_pme_info* pmeinfo,
 {
 pmeinfo->action=KNI_ACTION_REDIRECT;
- kni_log_debug(RLOG_LV_DEBUG,(char*)"redirect",a_packet,"redirect_search_htable()");
+ kni_log_debug(RLOG_LV_DEBUG,(char*)"redirect_search_htable",a_packet,"search htable_data succ!");
 kni_filestate2_set(thread_seq,FS_REDIRECT_REPLY,0,1);
 }
@@ -528,7 +528,7 @@ int redirect_sendlog(const struct streaminfo* pstream,struct kni_pme_info* pmein
 kni_send_log(&log_msg,(char*)"redirect",content);
- kni_log_debug(RLOG_LV_DEBUG,(char*)"redirect",a_packet,"process_redirect_pending(),%s",content);
+ kni_log_debug(RLOG_LV_DEBUG,(char*)"redirect_pending",a_packet,"content:%s",content);
 kni_filestate2_set(thread_seq,FS_REDIRECT,0,1);
 return 0;
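Review bot: Replacing `pstream->addr.addrtype` with `ADDR_TYPE_IPV4` here (and with `ADDR_TYPE_IPV6` in the kni_ipv6_entry hunk) leaves no record of why the stream's own address type was the wrong key for the lookup; a one-line comment above the call, along the lines of `/* key the redirect table by the parsed header version, not pstream->addr.addrtype */` with the actual reason filled in, would keep the next reader from reverting it. If the two values are expected to agree, a debug log when they differ would expose the underlying inconsistency rather than mask it. kni_ipv4_entry starts and ends outside this hunk.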
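Review bot: The module tag passed to `kni_log_debug` changes from `"redirect"` to `"redirect_search_htable"` here and to `"redirect_pending"` in the redirect_sendlog hunk, while the `kni_send_log` call on the line above that one still tags its record `"redirect"`; any log filter or parser keyed on the module string will now see the redirect path under three different names. If a finer-grained tag is the goal, keeping the module constant and moving the call site into the message preserves existing filtering, e.g. `kni_log_debug(RLOG_LV_DEBUG,(char*)"redirect",a_packet,"redirect_search_htable: search htable_data succ!");`. redirect_search_htable and redirect_sendlog both extend beyond their hunks.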