7x31
/
anylink
mirror of https://github.com/bjdgyc/anylink.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #146 from lanrenwo/log_audit 

仅在PSH + ACK时分析域名信息
This commit is contained in:
bjdgyc 2022-09-30 10:47:15 +08:00 committed by GitHub
parent 4c37ee5550 edb2d2e19b
commit 290f78d7f3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 35 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
server/handler/payload_access_audit.go
View File

@ -111,6 +111,7 @@ func logAudit(cSess *sessdata.ConnSession, pl *sessdata.Payload) {
binary.BigEndian.PutUint16(key[32:34], ipPort) binary.BigEndian.PutUint16(key[32:34], ipPort)
info := "" info := ""
nu := utils.NowSec().Unix()
if ipProto == waterutil.TCP { if ipProto == waterutil.TCP {
plData := waterutil.IPv4Payload(pl.Data) plData := waterutil.IPv4Payload(pl.Data)
if len(plData) < 14 { if len(plData) < 14 {
@ -119,34 +120,55 @@ func logAudit(cSess *sessdata.ConnSession, pl *sessdata.Payload) {
flags := plData[13] flags := plData[13]
switch flags { switch flags {
case flags & 0x20: case flags & 0x20:
// base.Debug("URG "+info, "#", str) // URG
return
case flags & 0x14:
// RST ACK
return
case flags & 0x12:
// SYN ACK
return
case flags & 0x11:
// Client FIN
return return
case flags & 0x10: case flags & 0x10:
// base.Debug("ACK ", ipSrc, "#", ipDst, "#", ipPort) // ACK
return return
case flags & 0x08: case flags & 0x08:
// base.Debug("PSH "+info, "#", str) // PSH
return return
case flags & 0x04: case flags & 0x04:
// base.Debug("RST "+info, "#", str) // RST
return return
case flags & 0x02: case flags & 0x02:
// base.Debug("SYNC "+info, "#", str) // SYN
return return
case flags & 0x01: case flags & 0x01:
// base.Debug("FIN "+info, "#", str) // FIN
return return
default: case flags & 0x18:
// PSH ACK
accessProto, info = onTCP(plData) accessProto, info = onTCP(plData)
if info != "" {
// 提前存储只含ip数据的key, 避免即记录域名又记录一笔IP数据的记录
ipKey := make([]byte, 51)
copy(ipKey, key)
ipS := utils.BytesToString(ipKey)
cSess.IpAuditMap.Set(ipS, nu)
// 存储含域名的key
key[34] = byte(accessProto)
md5Sum := md5.Sum([]byte(info))
copy(key[35:51], hex.EncodeToString(md5Sum[:]))
}
case flags & 0x19:
// URG
return
case flags & 0xC2:
// SYN-ECE-CWR
return
} }
} }
key[34] = byte(accessProto)
if info != "" {
md5Sum := md5.Sum([]byte(info))
copy(key[35:51], hex.EncodeToString(md5Sum[:]))
}
s := utils.BytesToString(key) s := utils.BytesToString(key)
nu := utils.NowSec().Unix()
// 判断已经存在,并且没有过期 // 判断已经存在,并且没有过期
v, ok := cSess.IpAuditMap.Get(s) v, ok := cSess.IpAuditMap.Get(s)

3
server/handler/payload_tcp_parser.go
View File

@ -15,9 +15,6 @@ var tcpParsers = []func([]byte) (uint8, string){
func onTCP(payload []byte) (uint8, string) { func onTCP(payload []byte) (uint8, string) {
size := len(payload) size := len(payload)
if size < 13 {
return acc_proto_tcp, ""
}
ihl := (payload[12] & 0xf0) >> 2 ihl := (payload[12] & 0xf0) >> 2
if int(ihl) > size { if int(ihl) > size {
return acc_proto_tcp, "" return acc_proto_tcp, ""