② The server responds with its own SYN segment, which carries the server's initial sequence number (segment 2). At the same time it sets the acknowledgement number to the client's ISN plus 1, thereby acknowledging the client's SYN. A SYN consumes one sequence number.
③ The client must set its acknowledgement number to the server's ISN plus 1 to acknowledge the server's SYN (segment 3).
These three segments complete the establishment of the connection; the procedure is called the three-way handshake. Because the ISNs are chosen by each end and the handshake only completes when the correct ISN + 1 comes back, an attacker who cannot see the server's SYN must guess its ISN to spoof a connection.
(2) Termination of a TCP connection
① The TCP client sends a FIN, which closes the flow of data from the client to the server (segment 4).
② When the server receives this FIN it returns an ACK whose acknowledgement number is the received sequence number plus 1 (segment 5). Like a SYN, a FIN consumes one sequence number.
③ The server closes its own direction of the connection by sending a FIN to the client (segment 6).
④ The client returns an acknowledgement, setting the acknowledgement number to the received sequence number plus 1 (segment 7).
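The seven segments above as a passive connection tracker (the kind of bookkeeping a Libnids-style analyzer does per connection). This is an added example, not code from the original text or from Libnids; the ISNs 1000 and 5000 are constructed, and the single combined state machine is a simplification of the per-endpoint TCP states. It checks that every ACK acknowledges exactly what the peer has sent, that SYN and FIN each consume one sequence number, and that a handshake acknowledging a guessed server ISN is rejected.

```python
"""Added example (not from the original text): minimal tracker for the
three-way handshake and the four-segment close.  ISNs are constructed;
the combined state names are a simplification."""

from dataclasses import dataclass

SYN, ACK, FIN = 0x02, 0x10, 0x01


@dataclass
class Segment:
    src: str             # "client" or "server"
    flags: int
    seq: int
    ack: int = 0
    payload_len: int = 0


class TCPTracker:
    """Follows one connection as a passive observer."""

    def __init__(self):
        self.state = "CLOSED"
        # next sequence number each side is expected to use; None until its ISN is seen
        self.next_seq = {"client": None, "server": None}

    def feed(self, seg: Segment) -> str:
        peer = "server" if seg.src == "client" else "client"

        # An ACK must acknowledge exactly what the peer has sent so far:
        # ISN + 1 after its SYN, +1 more after its FIN, plus any payload bytes.
        if seg.flags & ACK:
            expected = self.next_seq[peer]
            if expected is None or seg.ack != expected:
                raise ValueError(f"{seg.src}: ack {seg.ack} != expected {expected}")

        # The first segment from a side fixes its ISN; later ones must be in order.
        if self.next_seq[seg.src] is None:
            self.next_seq[seg.src] = seg.seq
        elif seg.seq != self.next_seq[seg.src]:
            raise ValueError(f"{seg.src}: seq {seg.seq} out of order")

        # SYN and FIN each occupy one sequence number, exactly like a data byte.
        consumed = seg.payload_len
        consumed += 1 if seg.flags & SYN else 0
        consumed += 1 if seg.flags & FIN else 0
        self.next_seq[seg.src] += consumed

        self.state = self._transition(seg)
        return self.state

    def _transition(self, seg: Segment) -> str:
        table = {
            ("CLOSED",       "client", SYN):       "SYN_SENT",      # segment 1
            ("SYN_SENT",     "server", SYN | ACK): "SYN_RECEIVED",  # segment 2
            ("SYN_RECEIVED", "client", ACK):       "ESTABLISHED",   # segment 3
            ("ESTABLISHED",  "client", FIN | ACK): "FIN_WAIT_1",    # segment 4
            ("FIN_WAIT_1",   "server", ACK):       "FIN_WAIT_2",    # segment 5
            ("FIN_WAIT_2",   "server", FIN | ACK): "LAST_ACK",      # segment 6
            ("LAST_ACK",     "client", ACK):       "CLOSED",        # segment 7
        }
        key = (self.state, seg.src, seg.flags & (SYN | ACK | FIN))
        if key not in table:
            raise ValueError(f"unexpected segment {seg} in state {self.state}")
        return table[key]


def trace_connection(client_isn=1000, server_isn=5000):
    """Replay segments 1-7 and return the list of states entered."""
    c, s = client_isn, server_isn
    segments = [
        Segment("client", SYN,       c),               # 1: client SYN, ISN = c
        Segment("server", SYN | ACK, s,     c + 1),    # 2: server SYN, acks c + 1
        Segment("client", ACK,       c + 1, s + 1),    # 3: client acks s + 1
        Segment("client", FIN | ACK, c + 1, s + 1),    # 4: client FIN
        Segment("server", ACK,       s + 1, c + 2),    # 5: FIN took a number: ack c + 2
        Segment("server", FIN | ACK, s + 1, c + 2),    # 6: server FIN
        Segment("client", ACK,       c + 2, s + 2),    # 7: client acks s + 2
    ]
    tracker = TCPTracker()
    return [tracker.feed(seg) for seg in segments]


def blind_spoof_rejected(client_isn=1000, server_isn=5000, guessed_isn=4242):
    """Segment 3 acknowledging a guessed (wrong) server ISN is rejected,
    which is why a blind spoofer must predict the server's ISN."""
    tracker = TCPTracker()
    tracker.feed(Segment("client", SYN, client_isn))
    tracker.feed(Segment("server", SYN | ACK, server_isn, client_isn + 1))
    try:
        tracker.feed(Segment("client", ACK, client_isn + 1, guessed_isn + 1))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(trace_connection())
```

The tracker deliberately raises on any out-of-order or mis-acknowledged segment; a real stream reassembler would instead queue out-of-order data and apply the same ISN + 1 checks when deciding whether a segment belongs to the connection at all.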
The entry function for analyzing the TCP connection process is show_tcp_connecting(); its call graph is shown in Figure 3-9.
Figure 3-9 Function call relationships in the TCP connection analysis
Because most application-layer protocols run over TCP, the implementation above can be used to analyze their connection process. Here we use FTP to analyze a real TCP connection. The test environment is an FTP server running on the host with IP address 210.43.106.28 and an FTP session run from another machine with IP address 210.43.106.116; the intrusion detection system observes the FTP connection process, as shown in Figure 3-10.
A brief analysis of the result follows. The first line reports that the two machines have established a TCP connection; the connection between the two IP addresses is bidirectional. Control information is then exchanged between the FTP server 210.43.106.28 and the client 210.43.106.116. Once the connection is established the server asks for a user name (we used the anonymous account) and then for a password. The password typed at the console is not echoed, but FTP sends it over the control connection in cleartext, so the TCP connection analysis in this system recovers the user's password directly from the stream. It is displayed as follows:
210.43.106.116:34536 -> 210.43.106.28:21 PASS 12345
Figure 3-10 Analysis of the FTP connection process
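How that PASS line can be produced from the reassembled client-to-server half of the FTP control connection. This is an added example, not the page's own code: the addresses are the ones used above, the command bytes are constructed, and the chunk boundaries are chosen so that one command straddles two deliveries, which is what a stream reassembler such as Libnids routinely hands to its callback.

```python
"""Added example (not from the original text): extract USER/PASS from the
client->server FTP control stream, delivered in arbitrary chunks.
Sample bytes and chunk boundaries are constructed."""

import re


class FtpCredentialSniffer:
    """Feed it client->server data as it arrives; returns one report line
    per USER/PASS command, in the same format as the tool output above."""

    def __init__(self, src, dst):
        self.src = src          # (ip, port) of the FTP client
        self.dst = dst          # (ip, port) of the FTP server
        self.pending = b""      # bytes of a command line not yet terminated
        self.reports = []

    def feed(self, chunk: bytes):
        data = self.pending + chunk
        # RFC 959 terminates commands with CRLF; tolerate a bare LF from sloppy clients.
        # The final piece is the (possibly empty) unfinished line, kept for the next call.
        *lines, self.pending = re.split(rb"\r?\n", data)
        new = []
        for line in lines:
            verb, _, arg = line.partition(b" ")
            verb = verb.strip().upper()          # FTP verbs are case-insensitive
            if verb in (b"USER", b"PASS"):
                new.append("%s:%d -> %s:%d %s %s" % (
                    self.src[0], self.src[1], self.dst[0], self.dst[1],
                    verb.decode("ascii"), arg.decode("ascii", "replace")))
        self.reports.extend(new)
        return new


def demo_session():
    """Replay a constructed anonymous login; 'PASS 12345' arrives split in two."""
    sniffer = FtpCredentialSniffer(("210.43.106.116", 34536), ("210.43.106.28", 21))
    chunks = [b"USER anonymous\r\nPA", b"SS 12345\r\nSYST\r\nPWD\r\n"]
    for chunk in chunks:
        sniffer.feed(chunk)
    return sniffer.reports


if __name__ == "__main__":
    for line in demo_session():
        print(line)
```

Keeping the unterminated tail in `pending` is the part worth copying: a sniffer that parses each chunk on its own silently misses any credential that happens to be split across two segments, and an attacker testing an IDS will split exactly there. The broader lesson of the section stands regardless of the parser: anything FTP sends on port 21 is readable by whoever sees the packets, which is the case for FTPS or SFTP.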
3.3.4 Analyzing the HTTP protocol
HTTP (Hyper Text Transfer Protocol) is the set of rules for transferring files (text, graphics, sound, images and so on) over the WWW. Within the TCP/IP protocol family, HTTP is an application-layer protocol. It uses a request/response model and is message based: HTTP is used whenever a client sends a request to a server or a server returns a response message to a client. Figure 3-11 shows a typical exchange between an HTTP client and server.
Figure 3-11 HTTP client and server structure
The HTTP message format is shown in Figure 3-12.
Figure 3-12 HTTP message format
As the figure shows, HTTP messages are either request messages from client to server or response messages from server to client. Both kinds of message consist of a start line, one or more header fields, an empty line that marks the end of the header fields, and an optional message body. HTTP header fields fall into four groups: general headers, request headers, response headers and entity headers. Each header field consists of a field name, a colon (:) and a field value. Field names are case-insensitive, any amount of whitespace may surround the field value, and a header field may be extended over several lines, each continuation line beginning with at least one space or tab. RFC 7230 has since deprecated this line folding (obs-fold) and requires a server to reject it or replace it with a single space; an analyzer must therefore unfold exactly as the server it protects does, because a parser that disagrees with the server about where a field ends can be evaded.
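A parser for the message format just described: start line, header fields with case-insensitive names and trimmed values, continuation lines, the terminating empty line, and the body. This is an added example, not the tool's own HTTP analysis code; the sample request is constructed, and the rejection of whitespace between a field name and its colon follows RFC 7230 section 3.2.4.

```python
"""Added example (not from the original text): parse an HTTP/1.x message
into start line, header fields and body.  The sample request is constructed."""


def parse_http_message(raw: bytes) -> dict:
    # The empty line (CRLF CRLF) separates the header block from the body.
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block is not terminated by an empty line")
    lines = head.split(b"\r\n")
    start_line = lines[0].decode("iso-8859-1")

    # Unfold: a line beginning with SP or HTAB continues the previous field value.
    fields = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            if not fields:
                raise ValueError("continuation line before the first header field")
            fields[-1] += b" " + line.strip()
        else:
            fields.append(line)

    headers = []
    for field in fields:
        name, colon, value = field.partition(b":")
        # RFC 7230 3.2.4: whitespace between the field name and the colon must be
        # rejected; front ends and back ends that disagree here get smuggled past.
        if not colon or not name or name != name.strip():
            raise ValueError("malformed header field: %r" % field)
        headers.append((name.decode("iso-8859-1").lower(),      # names are case-insensitive
                        value.strip().decode("iso-8859-1")))    # surrounding whitespace ignored

    # When Content-Length is present it bounds the body; anything after it is the next message.
    length = get_header(headers, "content-length")
    if length is not None:
        if not length.isdigit():
            raise ValueError("bad Content-Length: %r" % length)
        body = body[:int(length)]
    return {"start_line": start_line, "headers": headers, "body": body}


def get_header(headers, name):
    """Case-insensitive lookup of the first value for a header name."""
    name = name.lower()
    for field_name, value in headers:
        if field_name == name:
            return value
    return None


def is_malformed(raw: bytes) -> bool:
    """True if the parser rejects the message."""
    try:
        parse_http_message(raw)
    except ValueError:
        return True
    return False


# Constructed request: odd spacing around one value, and one folded header field.
SAMPLE_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: 210.43.106.28\r\n"
    b"user-agent:   Mozilla/5.0  \r\n"
    b"X-Note: first part\r\n"
    b"\t second part\r\n"
    b"Content-Length: 13\r\n"
    b"\r\n"
    b"user=a&pass=b"
)

if __name__ == "__main__":
    print(parse_http_message(SAMPLE_REQUEST))
```

Headers are kept as an ordered list of pairs rather than a dictionary on purpose: duplicate fields (two Content-Length values, for instance) are exactly the cases an analyzer needs to see and flag, and a dictionary would silently keep only one of them.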
Figure 3-13 shows the running interface of the HTTP protocol analysis.
Figure 3-13 Analyzing the HTTP protocol

3.3.5 Detecting scanning behaviour
To detect network intrusions, rules can be used to describe intrusive behaviour. Using Libnids I wrote a detection function for scanning behaviour. Libnids performs the port-scan detection itself and reports each detected scanner through the syslog callback with type NIDS_WARN_SCAN, passing the scanner's host record in the data argument. The function that handles scan detection is implemented as follows:
static void
my_nids_syslog (int type, int errnum, struct ip_header *iph, void *data)
{
    static int scan_number = 0;
    char saddr[20], daddr[20];
    char buf[1024];
    struct host *this_host;
    unsigned char flagsand = 255, flagsor = 0;
    int i;
    char content[1024];

    if (detect_scanning_yesno == 0)      /* is scan detection switched on? */
        return;

    switch (type)
    {
    case NIDS_WARN_SCAN:
        scan_number++;
        this_host = (struct host *) data;  /* scanner record filled in by libnids */
        sprintf (buf, "Scan from:\n");
        /* if built against libnids' own scan.h, addr is a u_int and must be
           wrapped in a struct in_addr before it is passed to inet_ntoa() */
        sprintf (buf + strlen (buf), "%s\n", inet_ntoa (this_host->addr));
        printf ("%s\n", buf);
        gdk_threads_enter ();              /* GTK is not thread-safe: take the GDK lock */
        insert_text_to_text4 (buf);        /* append the report to the GUI text view */
        gdk_threads_leave ();