月度归档:2015年01月

dns anti DDoS

iptables -A INPUT -p udp --dport 53 -m state --state NEW -m recent --set --name DNSQF --rsource
iptables -A INPUT -p udp --dport 53 -m state --state NEW -m recent --update --seconds 1 --hitcount 15 --name DNSQF --rsource -j DROP
iptables -A INPUT -p udp --dport 53 -m string --from 30 --to 50 --algo bm --hex-string '|01780a7869707a65727373636303636f6d00|' -j DROP -m comment --comment "DROP DNS Q ANY Name: x.xipzersscc.com"
iptables -A INPUT -p udp --dport 53 -m string --from 30 --to 60 --algo bm --hex-string '|057064646f7303636f6d00|' -j DROP -m comment --comment "DROP DNS Q pddos.com"
iptables -A INPUT -p udp --dport 53 -m string --from 30 --to 50 --algo bm --hex-string '|09686363666f72756d73026e6c0000ff|' -j DROP -m comment --comment "DROP DNS Q ANY hccforums.nl"
iptables -A INPUT -p udp --dport 53 -m string --from 30 --to 54 --algo bm --hex-string '|0973617665726f61647302727500|' -j DROP -m comment --comment "DROP DNS Q saveroads.ru"
iptables -A INPUT -p udp --dport 53 -m string --from 30 --to 54 --algo bm --hex-string '|0948697a62756c6c6168026d6500|' -j DROP -m comment --comment "DROP DNS Q Hizbullah.me"
iptables -A INPUT -p udp --dport 53 -m string --from 32 --to 44 --algo bm --hex-string '|076765726461723302727500|' -j DROP -m comment --comment "DROP DNS Q gerdar3.ru"
iptables -A INPUT -p udp --dport 53 -m string --from 32 --to 56 --algo bm --hex-string '|77777705677839313103636f6d00|' -j DROP -m comment --comment "DROP DNS Q www.gx911.com"
iptables -A INPUT -p udp --dport 53 -m string --from 32 --to 56 --algo bm --hex-string '|777777053939397170036e657400|' -j DROP -m comment --comment "DROP DNS Q www.999qp.net"
iptables -A INPUT -p udp --dport 53 -m string --from 32 --to 40 --algo bm --hex-string '|03646f6303676f7600|' -j DROP -m comment --comment "DROP DNS Q doc.gov"

去两个文件中相同的行

最近拿到这问题觉得非常简单

grep -wvf file1 file2

可后来发现两个文件都非常大的时候会出现内存用完的情况。正准备自己写程序来解决这问题时,突然发现万能的awk

awk '{print $0}' bailing.txt good.txt |sort |uniq -u >no_new_bailing.txt

修改banner-grab-tcp.c 使支持关键字,并保存到结果文件中

/*
 * Banner Grab Copyright 2013 Regents of the University of Michigan 
 * 
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 */

#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include "logger.h"

#include <event2/event.h>
#include <event2/buffer.h>
#include <event2/bufferevent.h>
#include <event2/bufferevent_ssl.h>

#include <getopt.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <ulimit.h>

#define MAX_BANNER_LEN 1024
#define BASE64_ALPHABET  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

struct config {
	uint16_t port;
	int connect_timeout;	// how long to wait for connecting (seconds)
	int read_timeout;		// how long to wait once connected for the banner (seconds)
	int current_running;
	int max_concurrent;
	struct event_base *base;
	struct bufferevent *stdin_bev;
	int stdin_closed;
	enum {FORMAT_HEX, FORMAT_BASE64, FORMAT_ASCII} format;
	char *send_str;
	long send_str_size;

	struct stats_st {
		int init_connected_hosts;	// Number of hosts we have even tried to connect to
		int connected_hosts;		// # hosts that picked up
		int conn_timed_out;			// # hosts that timed out during connection
		int read_timed_out;			// # hosts that connected, but sent no data (banner)
		int timed_out;				// # hosts that timed out at all (conn_timed_out+read_timed_out)?
		int completed_hosts;		// # hosts that presented a banner
	} stats;
	char *findstr;
};


struct state {
	struct config *conf;
	uint32_t ip;
	enum {CONNECTING, CONNECTED, RECEIVED} state;
};

void stdin_readcb(struct bufferevent *bev, void *arg);

void print_status(evutil_socket_t fd, short events, void *arg)
{
	struct event *ev;
	struct config *conf = arg;
	struct event_base *base = conf->base;
	struct timeval status_timeout = {1, 0};
	ev = evtimer_new(base, print_status, conf);
	evtimer_add(ev, &status_timeout);
	(void)fd; (void)events;

	//log_info("banner-grab-tcp", "(%d/%d in use) - Totals: %d inited, %d connected, %d conn timeout, %d read timeout %d completed", 
	//		conf->current_running, conf->max_concurrent, 
	//		conf->stats.init_connected_hosts,
	//		conf->stats.connected_hosts, conf->stats.conn_timed_out, 
	//		conf->stats.read_timed_out, conf->stats.completed_hosts);
}

void decrement_cur_running(struct state *st)
{	
	struct config *conf = st->conf;
	conf->current_running--;
	//log_debug("banner-grab-tcp", "done, down to %d",
	//		conf->current_running);
	if (evbuffer_get_length(bufferevent_get_input(conf->stdin_bev)) > 0) {
		stdin_readcb(conf->stdin_bev, conf);
	}
	free(st);

	if (conf->stdin_closed && conf->current_running == 0) {
		// Done
		log_info("banner-grab-tcp", "done");
		print_status(0, 0, conf);
		exit(0);
	}

}

void connect_cb(struct bufferevent *bev, short events, void *arg)
{
	struct state *st = arg;
	struct config *conf = st->conf;
	struct in_addr addr;
	addr.s_addr = st->ip;
	FILE *fpbailing;
	if (events & BEV_EVENT_CONNECTED) {
		struct timeval tv = {st->conf->read_timeout, 0};
		//log_debug("banner-grab-tcp", "%s connected", inet_ntoa(addr));
	
		// Send data
		if (conf->send_str) {
			struct evbuffer *evout = bufferevent_get_output(bev);
			// HACK!!! TODO: make some messy parser that replaces ${IP} with IP etc
			// and allow null characters
			evbuffer_add_printf(evout, conf->send_str,
					inet_ntoa(addr), inet_ntoa(addr), inet_ntoa(addr), inet_ntoa(addr));	
		}

		// Change from connect timeout to read timeout
		bufferevent_set_timeouts(bev, &tv, &tv);

		// Update state/stats
		st->state = CONNECTED;
		st->conf->stats.connected_hosts++;
	} else {
		if (st->state == CONNECTED) {
			// Print out that we just didn't receive data
			printf("%s X\n", inet_ntoa(addr));
			fflush(stdout);

			st->conf->stats.read_timed_out++;
		} else {
			st->conf->stats.conn_timed_out++;
		}
		fpbailing=fopen("bailing.txt","a+");
		fputs(strcat(inet_ntoa(addr),"\n"),fpbailing);
		fclose(fpbailing);
		//log_debug("banner-grab-tcp", "%s bailing..", inet_ntoa(addr));
		bufferevent_free(bev);
		st->conf->stats.timed_out++;
		decrement_cur_running(st);
	}
}

// Grab these bytes, and close the connection.
// Even if we don't need to read any bytes,
// we have to have this so that libevent thinks we have
// a read event, so that it can timeout TCP connects
// (as a read timeout)
void read_cb(struct bufferevent *bev, void *arg)
{
	struct evbuffer *in = bufferevent_get_input(bev);
	struct state *st = arg;
	size_t len = evbuffer_get_length(in);
	struct in_addr addr;
	addr.s_addr = st->ip;
	char *pfind ="php";
	FILE *fpgood;

	//log_debug("banner-grab-tcp", "read_cb for %s", inet_ntoa(addr));

	if (len > MAX_BANNER_LEN) {
		len = MAX_BANNER_LEN;
	}

	if (len > 0) {
		// Grab the banner	
		unsigned int i;
		unsigned char *buf = malloc(len+1);

		st->state = RECEIVED;

		if (!buf) {
			log_fatal("banner-grab-tcp", "cannot alloc %d byte buf", len+1);
			return;
		}
		evbuffer_remove(in, buf, len);
		
		//printf("%s ", inet_ntoa(addr));

		if (st->conf->format == FORMAT_ASCII) {
			// Ascii
			buf[len] = '\0';
			pfind=st->conf->findstr;
			if(strstr(buf,pfind)){
				printf("%s ", inet_ntoa(addr));
				printf("%s\n",buf);
		                fpgood=fopen("result.txt","a+");
       			        fputs(strcat(inet_ntoa(addr),"\n"),fpgood);
                		fclose(fpgood);
			}
			//printf("%s\n", buf);
		} else if (st->conf->format == FORMAT_HEX) {
			// Hex output
			for (i=0; i<len; i++) {
				printf("%02x", buf[i]);
			}
			printf("\n");
		} else if (st->conf->format == FORMAT_BASE64) {
			// Base64
			int i=0;
			char out[4] = {0,0,0,0};
			while (i < len) {
				uint32_t value = 0;
				value += (i < len) ? buf[i++] << 16 : 0; 	
				value += (i < len) ? buf[i++] <<  8 : 0;
				value += (i < len) ? buf[i++]       : 0;
				out[0] = BASE64_ALPHABET[(value >> 18) & 0x3F];
				out[1] = BASE64_ALPHABET[(value >> 12) & 0x3F];                                                                           
				out[2] = BASE64_ALPHABET[(value >>  6) & 0x3F];
				out[3] = BASE64_ALPHABET[(value      ) & 0x3F];
				if (i < len) {
					printf("%c%c%c%c", out[0], out[1], out[2], out[3]);
				}
			}
			if (len > 0) {
				switch (len % 3) {
				case 1:
					out[2] = '=';
				case 2:
					out[3] = '=';
				default:
					break;
				}
				printf("%c%c%c%c\n", out[0], out[1], out[2], out[3]);
			}
		}
		fflush(stdout);

		free(buf);
		st->conf->stats.completed_hosts++;
	}
	bufferevent_free(bev);
	decrement_cur_running(st);
}

void grab_banner(struct state *st)
{
	struct sockaddr_in addr;
	struct bufferevent *bev;
	struct timeval read_to = {st->conf->connect_timeout, 0};

	addr.sin_family = AF_INET;
	addr.sin_port = htons(st->conf->port);
	addr.sin_addr.s_addr = st->ip;
	//log_debug("banner-grab-tcp", "connect %s:%d", 
	//		  inet_ntoa(addr.sin_addr), st->conf->port);

	bev = bufferevent_socket_new(st->conf->base, -1, BEV_OPT_CLOSE_ON_FREE);

	bufferevent_set_timeouts(bev, &read_to, &read_to);

	bufferevent_setcb(bev, read_cb, NULL, connect_cb, st);
	bufferevent_enable(bev, EV_READ);

	st->state = CONNECTING;

	st->conf->stats.init_connected_hosts++;

	if (bufferevent_socket_connect(bev, 
		(struct sockaddr *)&addr, sizeof(addr)) < 0) {
		log_warn("banner-grab-tcp", "could not connect socket %d (%d open) %d %d", 
			bufferevent_getfd(bev), st->conf->current_running, errno, ENFILE);
		perror("connect");

		
		bufferevent_free(bev);
		decrement_cur_running(st);
		return;
	}
}

void stdin_eventcb(struct bufferevent *bev, short events, void *ptr) {
	struct config *conf = ptr;

	if (events & BEV_EVENT_EOF) {
		log_debug("banner-grab-tcp", 
				  "received EOF; quitting after buffer empties");
		conf->stdin_closed = 1; 
		if (conf->current_running == 0) {
			log_info("banner-grab-tcp", "done");
			print_status(0, 0, conf);
			exit(0);
		}
	} 
}

void stdin_readcb(struct bufferevent *bev, void *arg)
{
	struct evbuffer *in = bufferevent_get_input(bev);
	struct config *conf = arg;

	//log_debug("banner-grab-tcp", "stdin cb %d < %d ?", 
	//	conf->current_running, conf->max_concurrent);

	while (conf->current_running < conf->max_concurrent && 
		   evbuffer_get_length(in) > 0) {
		char *ip_str;
		size_t line_len;
		char *line = evbuffer_readln(in, &line_len, EVBUFFER_EOL_LF);
		struct state *st;
		if (!line)
			break;
		log_debug("banner-grab-tcp", "line: %s", line);

		ip_str = line;
		/*
		port_str = strstr(line, ":") + 1;
		if (!port_str)
			port_str = strstr(line, " ") + 1;
		if (!port_str)
			break;

		*(port_str-1) = '\0';
		port = atoi(port_str);
		*/
		//printf("scanning %s:%d\n", ip
		
		conf->current_running++;
		st = malloc(sizeof(*st));
		st->conf = conf;
		st->ip = inet_addr(ip_str);
		grab_banner(st);
	}
}

int main(int argc, char *argv[])
{
	struct event_base *base;
	struct event *status_timer;
	struct timeval status_timeout = {1, 0};
	int c;
	struct option long_options[] = {
		{"concurrent", required_argument, 0, 'c'},
		{"port", required_argument, 0, 'p'},
		{"conn-timeout", required_argument, 0, 't'},
		{"read-timeout", required_argument, 0, 'r'},
		{"verbosity", required_argument, 0, 'v'},
		{"format", no_argument, 0, 'f'},
		{"data", required_argument, 0, 'd'},
		{0, 0, 0, 0}, 
		{"key", required_argument, 0, 'k'} };

	struct config conf;
	int ret;
	FILE *fp;

	log_init(stderr, LOG_INFO, 0, "banner-grab");

	ret = ulimit(4, 1000000);	// Allow us to open 1 million fds (instead of 1024)
	if (ret < 0) {
		log_fatal("banner-grab-tcp", "cannot set ulimit");
		perror("ulimit");
		exit(1);
	}

	base = event_base_new();
	conf.base = base;

	// buffer stdin as an event
	conf.stdin_bev = bufferevent_socket_new(base, 0, BEV_OPT_DEFER_CALLBACKS);
	bufferevent_setcb(conf.stdin_bev, stdin_readcb, NULL, stdin_eventcb, &conf);
	bufferevent_enable(conf.stdin_bev, EV_READ);

	// Status timer
	status_timer = evtimer_new(base, print_status, &conf);
	evtimer_add(status_timer, &status_timeout);

	// Defaults
	conf.max_concurrent = 1;
	conf.current_running = 0;
	memset(&conf.stats, 0, sizeof(conf.stats));
	conf.connect_timeout = 4;
	conf.read_timeout = 4;
	conf.stdin_closed = 0;
	conf.format = FORMAT_BASE64;
	conf.send_str = NULL;

	// Parse command line args
	while (1) {
		int option_index = 0;
		c = getopt_long(argc, argv, "c:p:t:r:v:f:d:k:",
				long_options, &option_index);

		if (c < 0) {
			break;
		}

		switch (c) {
		case 'c':
			conf.max_concurrent = atoi(optarg);
			break;
		case 'p':
			conf.port = atoi(optarg);
			break;
		case 'k':
			conf.findstr=optarg;
			break;
		case 't':
			conf.connect_timeout = atoi(optarg);
			break;
		case 'r':
			conf.read_timeout = atoi(optarg);
			break;
		case 'v':
			if (atoi(optarg) >= 0 && atoi(optarg) <= 5) {
				log_init(stderr, atoi(optarg), 0, "banner-grab");
			}
			break;
		case 'f':
			if (strcmp(optarg, "hex") == 0) {
				conf.format = FORMAT_HEX;
			} else if (strcmp(optarg, "base64") == 0) {
				conf.format = FORMAT_BASE64;
			} else if (strcmp(optarg, "ascii") == 0) {
				conf.format = FORMAT_ASCII;
			} else {
				log_fatal("banner-grab-tcp", "Unknown format '%s'; use 'hex', 'base64', or 'ascii'",
						  optarg);
			}
			break;
		case 'd':
			fp = fopen(optarg, "r");
			if (!fp) {
				log_error("banner-grab-tcp", "Could not open send data file '%s':", optarg);
				perror("fopen");
				exit(-1);
			}
			fseek(fp, 0L, SEEK_END);
			conf.send_str_size = ftell(fp);
			fseek(fp, 0L, SEEK_SET);
			//assert(conf.send_str_size < 10000);	// jumbo frames?
			conf.send_str = malloc(conf.send_str_size+1);
			if (!conf.send_str) {
				log_fatal("banner-grab-tcp", "Could not malloc %d bytes", conf.send_str_size+1);
			}
			if (fread(conf.send_str, conf.send_str_size, 1, fp) != 1) {
				log_fatal("banner-grab-tcp", "Couldn't read from send data file '%s':", optarg);
			}
			conf.send_str[conf.send_str_size] = '\0';
			fclose(fp);	
			break;
		case '?':
			printf("Usage:\n");
			printf("\t%s [-c max_concurrency] [-t connect_timeout] [-r read_timeout] \n\t"
				   "[-v verbosity=0-5] [-d send_data_file] [-f ascii|hex|base64] -p port\n", argv[0]);
			exit(1);
		default:
			log_info("banner-grab-tcp", "hmmm..");
			break;
		}
	}
	
	log_info("banner-grab-tcp", "Using port %d with max_concurrency %d, %d s conn timeout, %d s read timeout",
			conf.port, conf.max_concurrent, conf.connect_timeout, conf.read_timeout);

	event_base_dispatch(base);

	return 0;
}

使用方法  加上-k “xxx” 就行了。 匹配的结果保存在result.txt文件中

解决编译zmap下的forge-socket时出现的对‘unlock_file’未定义的引用 错误

今天没事编译forge-socket时出现的对‘unlock_file’未定义的引用 错误 

cd zmap/examples/forge-socket
mkdir forge-socket-utl
cd forge-socket-utl
git clone https://github.com/ewust/forge_socket/
cd forge_socket
make
insmod forge_socket.ko
cp forge_socket.h ../../
cd ../../
make

这时出现了

root@xxx-All-Series:~/soft/zmap/zmap-master/examples/forge-socket# make
cc -I../../lib/ -I../../forge_socket -Wall -g -O2 -fstack-protector-all --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -fPIC forge-socket.o xalloc.o logger.o -o forge-socket -lpcap -levent -levent_extra -lm -Wl,-Bsymbolic-functions -Wl,-z,relro,-z,now
logger.o:在函数‘LogLogVA’中:
/home/xxx/soft/zmap/zmap-master/examples/forge-socket/../../lib/logger.c:99:对‘unlock_file’未定义的引用
/home/xxx/soft/zmap/zmap-master/examples/forge-socket/../../lib/logger.c:67:对‘lock_file’未定义的引用

初看下应该是make文件中少了一个包含文件 

查看Makefile文件 

CFLAGS+=-I../../lib/ -I../../forge_socket -Wall
LDFLAGS+=-lpcap -levent -levent_extra -lm
VPATH=../../lib/

# from dpkg-buildflags --get CFLAGS, but use stack-protector-all and fPIC
GCCHARDENING=-g -O2 -fstack-protector-all --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -fPIC
# from gpkg-buildflags --get LDFLAGS, + -z,now
LDHARDENING=-Wl,-Bsymbolic-functions -Wl,-z,relro,-z,now

CFLAGS+=$(GCCHARDENING)
LDFLAGS+=$(LDHARDENING)


all: forge-socket

forge-socket: forge-socket.o xalloc.o logger.o
	$(CC) $(CFLAGS) $^ -o $@ $(LDFLAGS)

clean:
	rm -f forge-socket *.o

然后grep “unlock_file” ./ -r   发现  unlock_file函数是在 lockfd.h 这个文件中声明的。   赶紧在Makefile中  

forge-socket: forge-socket.o xalloc.o logger.o

改为

forge-socket: forge-socket.o xalloc.o logger.o lockfd.o

然后 解决问题。

PFQ 网络监控框架

PFQ 是一个支持多语言的网络框架,主要用于 Linux 操作系统下进行高效的包捕获和传输,适用于多核处理器系统中的网络监控框架。

PFQ 专门为多核处理器而优化,包括对多个硬件队列的网络设备优化,支持任意网络设备驱动,并提供一个脚本用来加速和优化对设备数据的获取。

该框架可用来开发高性能的应用,使用 C、C++11 和 Haskell 。此外 PFQ 还包含一个纯函数语言 PFQ/lang 。

PFQ/lang 灵感来自于 Haskell 可以用来创建运行在内核空间中网络设备驱动之上的小应用程序,例如用来创建高效的桥接程序、端口镜像、简单防火墙和网络均衡器等等。

特性

  • 完全无锁和非堵塞架构

  • 预先分配 Socket 缓冲池

  • 兼容绝大多数网络设备驱动

  • Rx and Tx 10-Gbit line-rate (14,8Mpps), 基于 Intel ixgbe vanilla 驱动

  • 透明的支持核心线程,用于异步包交换

  • 通过 socket 组并发监控多线程应用

  • 通过随机化哈希和固定分类进行 Per-group 包管理

  • Per-group Berkeley 和 VLAN 过滤器.

  • 内核中用于包处理的函数化引擎: PFQ/lang v4.x.

  • 为 C、C++11-14 和 Haskell 语言提供用户空间库

  • PFQ/lang as eDLS for C++11-14 and Haskell language.

  • 加速的 pcap 库用于包捕获和传输

  • pfqd, 用来配置和并行化多实例传统应用的守护进程.

  • pfq-omatic, 用来动态加速 vanilla 驱动的脚本

  • I/O user<->kernel 共享内存 基于 HugePages


PFQ 的性能高度依赖于所运行的硬件环境。在至强处理器、Intel 82599 10G 控制器上,PFQ 每秒可处理约 1480 万的数据包(2 或者 3 核心线程),详细配置请看 Intel processors.

php日历

<?php
function list_days($year_start,$year_end){
    if($year_end<$year_start){
        return array();
    }
    $result=array();
    for($year=$year_start;$year<=$year_end;$year=$year+1){
        for($month=1;$month<=12;$month=$month+1){
            $day_nums=cal_days_in_month(CAL_GREGORIAN,$month,$year);
            for($day=1;$day<=$day_nums;$day=$day+1){
                $tmp=$year."-".$month."-".$day;
                $now=date("Y-m-d",time());
                $times=date("Y-m-d",strtotime($tmp));
                $result[]=$times;
                if($times==$now){
                    break 3;
                }
            }
        }
    }
    return $result;
}

function list_month($year_start,$year_end){
    if($year_end<$year_start){
        return array();
    }
    $result=array();
    for($year=$year_start;$year<=$year_end;$year=$year+1){
        for($month=1;$month<=12;$month=$month+1){
                $tmp=$year."-".$month;
                $now=date("Y-m",time());
                $times=date("Y-m",strtotime($tmp));
                $result[]=$times;
                if($times==$now){
                    break 2;
                }

        }
    }
    return $result;
}
$day_month=list_month(2013,2016);
$day_list=list_days(2013,2016);
var_dump($day_month);
?>