/******************* 程序源代碼 ************/
;說明:程序的源碼在windows server 2003 EE中使用LCC編譯器編譯通過,
; 因為我使用的是ANSI-C,一般無須過多修改就可在TC2下編譯通過。
; 唯一要注意的就是程序的printf()函數中的中文要改為英文,否則
; 可能會出現亂碼,錯誤。
■■■■■■■ 以下代碼存為logAnalyser.c ■■■■■■■■■
/******************************************
logAnalyser.c
Author:Neil.Ton (mail:neilton1987@gmail.com)
Function: Analyse the
Microsoft Internet Connection Firewall log
Version: 1.0
Time Format: Local
I've tested LogAnalyser.exe at
Microsoft(R) Windows(R) XP Professional
Microsoft(R) Windows(R) Server 2003 SE
Microsoft(R) Windows(R) Server 2003 EE
I think it will also work well on
Microsoft(R) Windows(R) XP Home
This program creates an analysis.html
in the current directory after the analysis.
WISH YOU LIKE IT & ENJOY IT!
THANK YOU FOR USING THIS PROGRAM!
*******************************************/
#include <stdio.h>
#include <stdlib.h>
#include <conio.h>
#include <string.h>
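#define P 65535 /* capacity of the per-IP histories in struct ip and of wrongline[] */

/* The log record currently being parsed: main() fills these from one log
 * line, addip() reads them.  Sizes include the terminating NUL.  The
 * original sizes were one byte short for several fields (date[10],
 * time[8], action[12] for "OPEN-INBOUND", srcip/dstip[15] for a full
 * dotted quad, tcpflags[5] for "blank"), so an unbounded read spilled into
 * the neighbouring global. */
char date[16];              /* date token; a yyyy-mm-dd value is 10 chars (format presumed from the log) */
char time[16];              /* time token; hh:mm:ss is 8 chars ("Time Format: Local", see header) */
char action[16];            /* "OPEN", "OPEN-INBOUND" (12 chars), "DROP", "CLOSE", ... */
char protocol[8];           /* "TCP", "UDP", "ICMP", "ARP", ... */
char srcip[16], dstip[16];  /* dotted-quad addresses: at most 15 chars */
unsigned int srcport, dstport, size;
char tcpflags[8];           /* TCP flag letters, or the literal "blank" when the record has none */
char tcpsyn[16], tcpack[16], tcpwin[16]; /* seq/ack/window as text; a 32-bit value needs up to 10 digits */
char icmptype[4], icmpcode[4], info[4];  /* the original allowed one character each (presumably "-" placeholders) */

/*##########################################
##
## Values read from the configuration file (by readcfg(), defined elsewhere)
##
###########################################*/
char filepath[256];         /* path of the firewall log to analyse */
char localip[16];           /* address of the local machine; 15 chars + NUL (was [15]) */
char portsfile[256], trojansfile[256], resfile[256], outfile[256]; /* further config paths; not referenced in this file */
int ukrecord = 0;           /* number of unrecognised log records, i.e. entries used in wrongline[] */
int linenum = 0;            /* number of the log line currently being parsed */
int wrongline[P] = {0};     /* line numbers of the unrecognised records */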
/* 目的個體數據結構定義 */
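/* One list node per remote address seen in the log.  The list starts at
 * the global `head`, is linked through `next`, and is built by addip()
 * and rendered by outhtml()/print(), none of which is defined in this
 * file.  Each node embeds three arrays of P entries, so a node is roughly
 * 3 * P * sizeof(unsigned int) bytes. */
typedef struct ip{
    char ipadd[16];            /* IP address of the non-local machine; a dotted quad is up to 15 chars + NUL (was [15]) */
    char action[16];           /* action, e.g. "OPEN-INBOUND" (12 chars + NUL; was [12], too small for it) */
    unsigned int sport[P],dport[P],size[P]; /* communication ports and sizes, one slot per record */
    unsigned int init,pass,drop,open; /* author's notes: srcip -> dstip then init++;
                                         dstip -> srcip then pass++;
                                         blocked by the firewall then drop++ (`open` undocumented) */
    unsigned int tcp,udp,icmp,arp,unknow; /* "TCP,UDP,ICMP....." -- presumably per-protocol counts */
    double s;                  /* author's note reads only "S,......." -- meaning not established here */
    int sp,dp,sz;              /* "USE FOR PORTS": presumably fill levels of sport[]/dport[]/size[] -- verify in addip() */
    struct ip *next;           /* next node of the list */
}IP,*PIP;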
PIP head;  /* first node of the per-IP list built by addip(); main() resets it to NULL before parsing */
PIP ptr;   /* list cursor; not referenced in this file (presumably used by addip()/print()) */
/*-------------------------------------
Deception subFunctions Fields
---------------------------------------*/
void addip(void);     /* adds the record held in the globals to the list at head; defined elsewhere */
void print(PIP head); /* prints the list starting at head; defined elsewhere, only referenced from commented-out code here */
/************************************************
*
* the int main(int argc,char *argv[]) Function.
*
*************************************************/
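/* Discard the remainder of the current line, up to and including the
 * newline; stops at EOF (the EOF indicator stays set for the caller). */
static void skip_line(FILE *f)
{
    int c;
    do {
        c = fgetc(f);
    } while (c != '\n' && c != EOF);
}

/* Bounded copy of a parsed token into one of the fixed-size global record
 * fields.  Always NUL-terminates; a token longer than the field is
 * truncated rather than overrunning into the neighbouring global (the
 * original read straight into the globals with unbounded "%s"). */
static void set_field(char *dst, size_t cap, const char *src)
{
    snprintf(dst, cap, "%s", src);
}

/* For record shapes that carry no port/size detail: zero those fields and
 * mark the flags "blank" so addip() never sees values left over from the
 * previous record. */
static void clear_detail_fields(void)
{
    srcport = dstport = size = 0;
    set_field(tcpflags, sizeof tcpflags, "blank");
}

/* Remember the line number of a record the parser does not understand.
 * wrongline[] has a fixed number of slots; once it is full, further lines
 * are no longer counted, so ukrecord always stays a valid bound for
 * whoever walks wrongline[0 .. ukrecord-1] (the original indexed past the
 * end of the array). */
static void note_unknown_line(void)
{
    if ((size_t)ukrecord < sizeof wrongline / sizeof wrongline[0]) {
        wrongline[ukrecord] = linenum;
        ukrecord++;
    }
}

/*
 * Entry point.  readcfg() (another translation unit) fills filepath; the
 * log is then read record by record into the global record fields and
 * each usable record is handed to addip(); outhtml() finally renders the
 * per-IP list.  Returns 0 on success, 1 when the log cannot be opened.
 *
 * Every token is first read into a generously sized local buffer with an
 * explicit width and only then copied (bounded) into its global field, so
 * a log line of any length cannot overrun memory.  The values in the log
 * (addresses, ports, flags) are shaped by remote peers, so the file is
 * treated as untrusted input.  A global field smaller than the longest
 * token it receives is truncated in the report rather than overrun.
 */
int main(int argc, char *argv[])
{
    extern void outhtml(PIP);   /* defined elsewhere: writes the HTML report */
    extern void readcfg();      /* defined elsewhere: reads the configuration */

    /* Raw tokens of one record.  The widths in the fscanf formats below
     * are one less than these sizes. */
    char f_date[32], f_time[32], f_action[32], f_proto[16];
    char f_src[64], f_dst[64];
    char f_flags[16], f_syn[32], f_ack[32], f_win[32];
    char f_itype[16], f_icode[16], f_info[16];

    (void)argc;
    (void)argv;

    readcfg();

    FILE *logfile = fopen(filepath, "rt");
    if (logfile == NULL) {
        printf("\n無法打開日志文件。請閱讀配置說明進行配置.\n");
        return 1;   /* the original carried on and used the NULL stream */
    }
    /* Skip the fixed-size prologue before the first record (214 bytes in
     * the original; presumably the log's header lines -- TODO confirm). */
    fseek(logfile, 214, SEEK_SET);

    head = NULL;
    system("cls");
    printf("\n \n 程序正在解析日志文件%s\n \n \n 如果文件較大將要等待較長時間。", filepath);
    printf("\n \n \n 關閉瀏覽器后,本窗口自動關閉。");

    /* One record per iteration.  Stopping when the six leading fields
     * cannot all be read covers EOF as well as a truncated last line (the
     * original looped on feof() and ignored fscanf's result). */
    while (fscanf(logfile, "%31s %31s %31s %15s %63s %63s ",
                  f_date, f_time, f_action, f_proto, f_src, f_dst) == 6) {
        int malformed = 0;

        linenum++;
        set_field(date, sizeof date, f_date);
        set_field(time, sizeof time, f_time);
        set_field(action, sizeof action, f_action);
        set_field(protocol, sizeof protocol, f_proto);
        set_field(srcip, sizeof srcip, f_src);
        set_field(dstip, sizeof dstip, f_dst);

        /* Classify on the untruncated local tokens, not on the globals. */
        if (strcmp(f_action, "OPEN") == 0 || strcmp(f_action, "OPEN-INBOUND") == 0) {
            if (strcmp(f_proto, "TCP") == 0) {
                /* OPEN TCP: only the two ports are used; no size, no flags */
                malformed = fscanf(logfile, "%u %u", &srcport, &dstport) != 2;
                skip_line(logfile);
                size = 0;
                set_field(tcpflags, sizeof tcpflags, "blank");
            } else {
                /* UDP / ARP / ICMP (and any other protocol): nothing further
                 * on the line is used.  The original left an unlisted
                 * protocol's line unconsumed and fell out of step. */
                skip_line(logfile);
                clear_detail_fields();
            }
        } else if (strcmp(f_action, "DROP") == 0) {
            if (strcmp(f_proto, "TCP") == 0) {
                /* DROP TCP is the only shape whose TCP details are kept */
                malformed = fscanf(logfile, "%u %u %u %15s %31s %31s %31s %15s %15s %15s",
                                   &srcport, &dstport, &size, f_flags, f_syn, f_ack,
                                   f_win, f_itype, f_icode, f_info) != 10;
                skip_line(logfile);
                if (!malformed) {
                    set_field(tcpflags, sizeof tcpflags, f_flags);
                    set_field(tcpsyn, sizeof tcpsyn, f_syn);
                    set_field(tcpack, sizeof tcpack, f_ack);
                    set_field(tcpwin, sizeof tcpwin, f_win);
                    set_field(icmptype, sizeof icmptype, f_itype);
                    set_field(icmpcode, sizeof icmpcode, f_icode);
                    set_field(info, sizeof info, f_info);
                }
            } else if (strcmp(f_proto, "UDP") == 0) {
                /* DROP UDP: ports and size, no flags */
                malformed = fscanf(logfile, "%u %u %u", &srcport, &dstport, &size) != 3;
                skip_line(logfile);
                set_field(tcpflags, sizeof tcpflags, "blank");
            } else {
                /* DROP ARP / ICMP / other: no detail is used */
                skip_line(logfile);
                clear_detail_fields();
            }
        } else {
            /* CLOSE, INFO-EVENTS-LOST, ...: never added to the list; only
             * the non-CLOSE ones are reported as unknown records. */
            skip_line(logfile);
            clear_detail_fields();
            if (strcmp(f_action, "CLOSE") != 0) {
                note_unknown_line();
            }
            continue;
        }

        if (malformed) {
            /* Numeric detail did not parse.  The line has already been
             * consumed above, so the parser stays in sync; count the record
             * as unknown and do not add it (the original ignored fscanf's
             * result and carried on with half-read fields). */
            clear_detail_fields();
            note_unknown_line();
            continue;
        }

        addip();
    }

    outhtml(head);
    fclose(logfile);
    return 0;
}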