From e483da10e1ecb53a9538aac47cce917098cdeced Mon Sep 17 00:00:00 2001
From: lanrenwo
Date: Thu, 29 Sep 2022 22:08:20 +0800
Subject: [PATCH 1/2] =?UTF-8?q?=E4=BB=85=E5=9C=A8PSH=20+=20ACK=E6=97=B6?=
 =?UTF-8?q?=E5=88=86=E6=9E=90=E5=9F=9F=E5=90=8D=E4=BF=A1=E6=81=AF?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 server/handler/payload_access_audit.go | 45 ++++++++++++++++++--------
 server/handler/payload_tcp_parser.go | 3 --
 2 files changed, 32 insertions(+), 16 deletions(-)
diff --git a/server/handler/payload_access_audit.go b/server/handler/payload_access_audit.go
index 59012ab..c9e7423 100644
--- a/server/handler/payload_access_audit.go
+++ b/server/handler/payload_access_audit.go
@@ -111,6 +111,7 @@ func logAudit(cSess *sessdata.ConnSession, pl *sessdata.Payload) {
 	binary.BigEndian.PutUint16(key[32:34], ipPort)
 	info := ""
+	nu := utils.NowSec().Unix()
 	if ipProto == waterutil.TCP {
 		plData := waterutil.IPv4Payload(pl.Data)
 		if len(plData) < 14 {
@@ -119,34 +120,52 @@ func logAudit(cSess *sessdata.ConnSession, pl *sessdata.Payload) {
 		flags := plData[13]
 		switch flags {
 		case flags & 0x20:
-			// base.Debug("URG "+info, "#", str)
+			// URG
+			return
+		case flags & 0x14:
+			// RST ACK
+			return
+		case flags & 0x12:
+			// SYN ACK
+			return
+		case flags & 0x11:
+			// Client FIN
 			return
 		case flags & 0x10:
-			// base.Debug("ACK ", ipSrc, "#", ipDst, "#", ipPort)
+			// ACK
 			return
 		case flags & 0x08:
-			// base.Debug("PSH "+info, "#", str)
+			// PSH
 			return
 		case flags & 0x04:
-			// base.Debug("RST "+info, "#", str)
+			// RST
 			return
 		case flags & 0x02:
-			// base.Debug("SYNC "+info, "#", str)
+			// SYN
 			return
 		case flags & 0x01:
-			// base.Debug("FIN "+info, "#", str)
+			// FIN
 			return
-		default:
+		case flags & 0x18:
+			// PSH ACK
 			accessProto, info = onTCP(plData)
+			if info != "" {
+				// 提前存储只含ip数据的key, 避免即记录域名又记录一笔IP数据的记录
+				ipKey := make([]byte, 51)
+				copy(ipKey, key)
+				ipS := utils.BytesToString(ipKey)
+				cSess.IpAuditMap.Set(ipS, nu)
+				// 存储含域名的key
+				key[34] = byte(accessProto)
+				md5Sum := md5.Sum([]byte(info))
+				copy(key[35:51], hex.EncodeToString(md5Sum[:]))
+			}
+		case flags & 0x19:
+			// URG
+			return
 		}
 	}
-	key[34] = byte(accessProto)
-	if info != "" {
-		md5Sum := md5.Sum([]byte(info))
-		copy(key[35:51], hex.EncodeToString(md5Sum[:]))
-	}
 	s := utils.BytesToString(key)
-	nu := utils.NowSec().Unix()
 	// 判断已经存在,并且没有过期
 	v, ok := cSess.IpAuditMap.Get(s)
diff --git a/server/handler/payload_tcp_parser.go b/server/handler/payload_tcp_parser.go
index a6f9a7f..bece94d 100644
--- a/server/handler/payload_tcp_parser.go
+++ b/server/handler/payload_tcp_parser.go
@@ -15,9 +15,6 @@ var tcpParsers = []func([]byte) (uint8, string){
 func onTCP(payload []byte) (uint8, string) {
 	size := len(payload)
-	if size < 13 {
-		return acc_proto_tcp, ""
-	}
 	ihl := (payload[12] & 0xf0) >> 2
 	if int(ihl) > size {
 		return acc_proto_tcp, ""
From edb2d2e19bc228249e78c52b89cdf97419a219aa Mon Sep 17 00:00:00 2001
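Review bot: The new `case flags & 0x18:` fires only when the flag byte is exactly 0x18, because `switch flags { case flags & mask: }` compares flags with its own masked value, so a PSH+ACK segment that also carries ECE, CWR or URG misses every case, skips onTCP and continues past the switch as a record without domain info; the same exact-match semantics apply to `case flags & 0x19`, whose `// URG` comment is wrong (0x19 is FIN+PSH+ACK, URG is 0x20). Testing the two bits of interest instead of enumerating exact values removes the whole case list and the need to add new combinations later. Separately, `key[34] = byte(accessProto)` now runs only inside `info != ""`, so UDP and domain-less TCP records leave byte 34 zero where the old code always wrote the protocol; if anything downstream decodes the protocol from the key, that is a behaviour change to confirm. logAudit starts before and ends after this hunk.
```go
		flags := plData[13]
		// Only segments carrying both PSH and ACK are parsed for a domain;
		// other bits (URG/ECE/CWR/FIN) are ignored rather than enumerated.
		if flags&0x18 != 0x18 {
			return
		}
		accessProto, info = onTCP(plData)
		if info != "" {
			// … unchanged: store the IP-only key, then build the domain key …
		}
```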
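Review bot: Dropping the `size < 13` guard makes onTCP index `payload[12]` unconditionally, so it is safe now only because logAudit checks `len(plData) < 14` before calling it; onTCP is package-visible and runs on what appears to be packet data from client sessions, so any second caller without that check would panic on a short segment. Keeping a cheap guard in the function, or at least a precondition comment such as `// onTCP requires len(payload) >= 14; logAudit enforces this before calling`, keeps the invariant where it is relied on. The surviving check `if int(ihl) > size` also accepts a data offset below the 20-byte TCP minimum, after which the parsers read header bytes as payload; `if int(ihl) < 20 || int(ihl) > size { return acc_proto_tcp, "" }` rejects both. onTCP's body continues past the end of this hunk.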
From: lanrenwo
Date: Fri, 30 Sep 2022 09:59:54 +0800
Subject: [PATCH 2/2] =?UTF-8?q?=E6=8E=92=E9=99=A4=E6=8B=A5=E5=A1=9E?=
 =?UTF-8?q?=E6=8E=A7=E5=88=B6=E7=9A=84IP=E5=8C=85:=20SYN-ECE-CWR?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 server/handler/payload_access_audit.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/server/handler/payload_access_audit.go b/server/handler/payload_access_audit.go
index c9e7423..df50c42 100644
--- a/server/handler/payload_access_audit.go
+++ b/server/handler/payload_access_audit.go
@@ -163,6 +163,9 @@ func logAudit(cSess *sessdata.ConnSession, pl *sessdata.Payload) {
 		case flags & 0x19:
 			// URG
 			return
+		case flags & 0xC2:
+			// SYN-ECE-CWR
+			return
 		}
 	}
 	s := utils.BytesToString(key)
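Review bot: `case flags & 0xC2:` matches only a segment whose flag byte is exactly 0xC2, since every case in this switch compares flags with its own masked value, so SYN+ECE+CWR is now dropped but SYN+ACK+ECE (0x52) or PSH+ACK+ECE (0x58) still miss every case and continue past the switch unreturned, like an ordinary record without domain info. The ECN bits are modifiers on the other flags rather than a distinct packet type, so clearing them once where the byte is read, `flags := plData[13] &^ 0xC0`, would cover every ECN-marked combination without adding another exact-value case. logAudit starts before and ends after this hunk.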