snort main framework


snort主要框架

edit by luo 2012

SnortMain函数是Snort的主框架函数,它按固定顺序依次调用其余的初始化、参数解析和运行函数。阅读时不必深究这些被调用函数的内部实现,只需了解各自的作用,便可大致掌握Snort的整体工作方式。

Snort基本工作原理:

(1) 嗅探网络中的数据包

(2) 解码(拆解)数据包

(3) 调用检测引擎,将数据包与规则进行匹配

(4) 输出报警或日志信息

1. int SnortMain(int argc, char *argv[]) 2. { 3. 4. 5.

6. /* Make this prog behave nicely when signals come along. 7. * Windows doesn't like all of these signals, and will 8. * set errno for some. Ignore/reset this error so it 9. * doesn't interfere with later checks of errno value. 10. */

11. //对于各种信号的处理

12. signal(SIGTERM, SigTermHandler); if(errno!=0) errno=0; 13. signal(SIGINT, SigIntHandler); if(errno!=0) errno=0; 14. signal(SIGQUIT, SigQuitHandler); if(errno!=0) errno=0; 15. signal(SIGHUP, SigHupHandler); if(errno!=0) errno=0; 16. signal(SIGUSR1, SigUsrHandler); if(errno!=0) errno=0; 17.

18. signal(SIGNAL_SNORT_ROTATE_STATS, SigUsrHandler);

19. if(errno!=0) errno=0; 20. 21. /*

22. * set a global ptr to the program name so other functions can tell what

23. * the program name is 24. */

25. //设置两个全局指针,用于重启Snort 26. progname = argv[0]; 27. progargs = argv; 28.

29. #ifdef WIN32

30. if (!init_winsock())//初始化socket

31. FatalError(\); 32. #endif 33.

34. memset(&pv, 0, sizeof(PV));//清空pv 35. 36. /*

37. * setup some lookup data structs 38. */

39. InitNetmasks();//初始化一个数组,使包含A-D类所有划分的子网 40. InitProtoNames();//初始化协议名,协议号对应协议名 41. 42. /*

43. ** This intializes the detection engine for later configuration 44. */

45. /* TODO: only do this when we know we are going into IDS mode */ 46. //初始化检测引擎,包括模式匹配算法 47. fpInitDetectionEngine(); 48.

49. /* initialize the packet counter to loop forever */ 50. pv.pkt_cnt = -1;//抓包的个数,-1代表用循环 51.

52. /* set the alert filename to NULL */ 53. pv.alert_filename = NULL;//报警文件名 54.

55. /* set the default alert mode */

56. pv.alert_mode = ALERT_FULL;//默认报警模式 57.

58. /* set the default assurance mode (used with stream 4) */ 59. pv.assurance_mode = ASSURE_ALL; 60.

61. pv.use_utc = 0;//是否使用世界时间 62.

63. pv.log_mode = 0;//记录模式 64. 65. /*

66. * provide (limited) status messages by default 67. */

68. pv.quiet_flag = 0;//非安静模式

69. /* initialize \ 70. pv.rotate_perf_file = 0; 71.

72. InitDecoderFlags();//设置默认解码器报警 73.

74. /* turn on checksum verification by default */ 75. //默认和校验

76. pv.checksums_mode = DO_IP_CHECKSUMS | DO_TCP_CHECKSUMS | 77. DO_UDP_CHECKSUMS | DO_ICMP_CHECKSUMS; 78.

79. /* Default event log ID of instance 0 on CPU 0 */ 80. //事件日志id

81. pv.event_log_id = 0x0000; 82.

83. /* Default limit on tagged packets */ 84. pv.tagged_packet_limit = 256; 85.

86. pv.default_rule_state = RULE_STATE_ENABLED; 87.

88. #if defined(WIN32) && defined(ENABLE_WIN32_SERVICE) 89. /* initialize flags which control the Win32 service */ 90. //windows下作为守护进程的相关设置 91. pv.terminate_service_flag = 0; 92. pv.pause_service_flag = 0;

93. #endif /* WIN32 && ENABLE_WIN32_SERVICE */ 94.

95. #ifdef DYNAMIC_PLUGIN

96. /* Initialize storage space for preprocessor defined rule options */ 97. PreprocessorRuleOptionsInit();//以后详细讲解 98. #endif

99. //IPV6相关设置

100. /* Initialize max frag hash for the BSD IPv6 fragmentation exploit */ 101. pv.ipv6_max_frag_sessions = 10000; 102. /* This is the default timeout on BSD */ 103. pv.ipv6_frag_timeout = 60; 104.

105. /* chew up the command line */ 106. ParseCmdLine(argc, argv);//分析命令 107.

108. /* If we are running non-root, install a dummy handler instead. */ 109. if (userid != 0)

110. signal(SIGHUP, SigCantHupHandler); 111.

112. /* determine what run mode we are going to be in */