Snort 主要框架（SnortMain 函数流程分析）
edit by luo 2012
SnortMain 函数是 Snort 的主要框架函数，在这个框架中依次调用其他函数完成信号处理注册、全局状态初始化、命令行解析等工作。这里不必深究那些函数内部是如何实现的，只要知道它们各自的作用就可以了，这样可以使我们大致了解 Snort 的工作方式。
Snort 基本工作原理：
(1) 嗅探（捕获）网络中的数据包
(2) 解码/拆解数据包
(3) 调用检测引擎，进行数据包与规则的匹配
(4) 输出报警或日志信息
1. int SnortMain(int argc, char *argv[]) 2. { 3. 4. 5.
6. /* Make this prog behave nicely when signals come along. 7. * Windows doesn't like all of these signals, and will 8. * set errno for some. Ignore/reset this error so it 9. * doesn't interfere with later checks of errno value. 10. */
11. //对于各种信号的处理
12. signal(SIGTERM, SigTermHandler); if(errno!=0) errno=0; 13. signal(SIGINT, SigIntHandler); if(errno!=0) errno=0; 14. signal(SIGQUIT, SigQuitHandler); if(errno!=0) errno=0; 15. signal(SIGHUP, SigHupHandler); if(errno!=0) errno=0; 16. signal(SIGUSR1, SigUsrHandler); if(errno!=0) errno=0; 17.
18. signal(SIGNAL_SNORT_ROTATE_STATS, SigUsrHandler);
19. if(errno!=0) errno=0; 20. 21. /*
22. * set a global ptr to the program name so other functions can tell what
23. * the program name is 24. */
25. //设置两个全局指针,用于重启Snort 26. progname = argv[0]; 27. progargs = argv; 28.
29. #ifdef WIN32
30. if (!init_winsock())//初始化socket
31. FatalError(\); 32. #endif 33.
34. memset(&pv, 0, sizeof(PV));//清空pv 35. 36. /*
37. * setup some lookup data structs 38. */
39. InitNetmasks();//初始化一个数组,使包含A-D类所有划分的子网 40. InitProtoNames();//初始化协议名,协议号对应协议名 41. 42. /*
43. ** This intializes the detection engine for later configuration 44. */
45. /* TODO: only do this when we know we are going into IDS mode */ 46. //初始化检测引擎,包括模式匹配算法 47. fpInitDetectionEngine(); 48.
49. /* initialize the packet counter to loop forever */ 50. pv.pkt_cnt = -1;//抓包的个数,-1代表用循环 51.
52. /* set the alert filename to NULL */ 53. pv.alert_filename = NULL;//报警文件名 54.
55. /* set the default alert mode */
56. pv.alert_mode = ALERT_FULL;//默认报警模式 57.
58. /* set the default assurance mode (used with stream 4) */ 59. pv.assurance_mode = ASSURE_ALL; 60.
61. pv.use_utc = 0;//是否使用世界时间 62.
63. pv.log_mode = 0;//记录模式 64. 65. /*
66. * provide (limited) status messages by default 67. */
68. pv.quiet_flag = 0;//非安静模式
69. /* initialize \ 70. pv.rotate_perf_file = 0; 71.
72. InitDecoderFlags();//设置默认解码器报警 73.
74. /* turn on checksum verification by default */ 75. //默认和校验
76. pv.checksums_mode = DO_IP_CHECKSUMS | DO_TCP_CHECKSUMS | 77. DO_UDP_CHECKSUMS | DO_ICMP_CHECKSUMS; 78.
79. /* Default event log ID of instance 0 on CPU 0 */ 80. //事件日志id
81. pv.event_log_id = 0x0000; 82.
83. /* Default limit on tagged packets */ 84. pv.tagged_packet_limit = 256; 85.
86. pv.default_rule_state = RULE_STATE_ENABLED; 87.
88. #if defined(WIN32) && defined(ENABLE_WIN32_SERVICE) 89. /* initialize flags which control the Win32 service */ 90. //windows下作为守护进程的相关设置 91. pv.terminate_service_flag = 0; 92. pv.pause_service_flag = 0;
93. #endif /* WIN32 && ENABLE_WIN32_SERVICE */ 94.
95. #ifdef DYNAMIC_PLUGIN
96. /* Initialize storage space for preprocessor defined rule options */ 97. PreprocessorRuleOptionsInit();//以后详细讲解 98. #endif
99. //IPV6相关设置
100. /* Initialize max frag hash for the BSD IPv6 fragmentation exploit */ 101. pv.ipv6_max_frag_sessions = 10000; 102. /* This is the default timeout on BSD */ 103. pv.ipv6_frag_timeout = 60; 104.
105. /* chew up the command line */ 106. ParseCmdLine(argc, argv);//分析命令 107.
108. /* If we are running non-root, install a dummy handler instead. */ 109. if (userid != 0)
110. signal(SIGHUP, SigCantHupHandler); 111.
112. /* determine what run mode we are going to be in */