/******************* 程序源代碼 ************/
;說(shuō)明:程序的源碼在windows server 2003 EE中使用LCC編譯器編譯通過(guò),
; 因?yàn)槲沂褂玫氖茿NSI-C,一般無(wú)序過(guò)多修改就可在TC2下編譯通過(guò)。
; 唯一要注意的就是程序的的printf()函數(shù)中的中文要改為英文,否則
; 可能會(huì)出現(xiàn)亂碼,錯(cuò)誤。
■■■■■■■ 以下代碼存為logAnalyser.c ■■■■■■■■■
/******************************************
logAnalyser.c
Author:Neil.Ton (mail:neilton1987@gmail.com)
Fuction:Analyse the
Microsoft Internet Connection Firewall
Verson: 1.0
Time Format: Local
I've tested LogAnalyser.exe at
Microsoft(R) Windows(R) XP Professional
Microsoft(R) Windows(R) Server 2003 SE
Microsoft(R) Windows(R) Server 2003 EE
I'm think it will also work well at
Microsoft(R) Windows(R) XP Home
This program will create a analysis.html
at the current directory after analyse.
WISH YOU LIKE IT & ENJOY IT!
THANK YOU FOR USE THIS PROGRAM!
*******************************************/
#include <stdio.h>
#include <stdlib.h>
#include <conio.h>
#include <string.h>
#define P 65535
char date[10],time[8];
char action[12],protocol[5];
char srcip[15],dstip[15];
unsigned int srcport,dstport,size;
char tcpflags[5],tcpsyn[10];
char tcpack[10],tcpwin[10];
char icmptype[2],icmpcode[2],info[2];
/*##########################################
##
## 配置文件讀取的數(shù)據(jù)變量
##
###########################################*/
char filepath[256],localip[15],portsfile[256],trojansfile[256],resfile[256],outfile[256];
int ukrecord=0; /* 定義日志中的不明記錄 */
int linenum=0,wrongline[P]={0}; /* 日志行號(hào) */
/* 目的個(gè)體數(shù)據(jù)結(jié)構(gòu)定義 */
typedef struct ip{
char ipadd[15]; /*IP address of not local machine*/
char action[12]; /*action*/
unsigned int sport[P],dport[P],size[P]; /*Commuications ports*/
unsigned int init,pass,drop,open; /*Srcip -> dstip then init++
dstip -> srcip then pass++
if Firewalls bllock pack then drop++ */
unsigned int tcp,udp,icmp,arp,unknow; /*TCP,UDP,ICMP.....*/
double s; /*S,.......*/
/* USE FOR PROTS*/
int sp,dp,sz;
struct ip *next;
}IP,*PIP;
PIP head,ptr;
/*-------------------------------------
Deception subFunctions Fields
---------------------------------------*/
void addip(void);
void print(PIP head);
/************************************************
*
* the int main(int argc,char *argv[]) Function.
*
*************************************************/
int main(int argc,char *argv[])
{
/*聲明外部函數(shù)*/
extern void outhtml(PIP);
extern void readcfg();
readcfg();
/*****************
*
* FILE SYSTEM
*
******************/
FILE *log;
/*日志文件路徑*/
if((log=fopen(filepath,"rt"))==NULL){
printf("\n無(wú)法打開(kāi)日志文件。請(qǐng)閱讀配置說(shuō)明進(jìn)行配置.\n");
}
fseek(log,214,0);
head=NULL;
char ch;
/*char op;*/
system("cls");
printf("\n \n 程序正在解析日志文件%s\n \n \n 如果文件較大將要等待較長(zhǎng)時(shí)間。",filepath);
printf("\n \n \n 關(guān)閉瀏覽器后,本窗口自動(dòng)關(guān)閉。");
/*while(1){
system("cls");
printf("\n \n 1 --- 添加紀(jì)錄\n 2 --- 顯示記錄\n 3 --- 退出\n 4 --- 生成HTML文件\n");
printf("\n \n選擇操作(0 --- 3):");
op=getch();
if(op=='3')
break;
switch(op){
case '1':*/
while(!feof(log)){
fscanf(log,"%s %s %s %s %s %s ",date,time,action,protocol,srcip,dstip);
/*******************************************
*
* 對(duì)微軟防火墻日志進(jìn)行篩選
*
*******************************************/
if(strcmp(action,"OPEN")==0 || /* IF ACTION IS OPEN*/
strcmp(action,"OPEN-INBOUND")==0){
if(strcmp(protocol,"TCP")==0){
ch='p';
fscanf(log,"%u %u",&srcport,&dstport);
while(ch!='\n' && !feof(log))ch=fgetc(log);
strcpy(tcpflags,"blank");
size=0;
}
if(strcmp(protocol,"UDP")==0){
ch='p';
while(ch!='\n' && !feof(log))ch=fgetc(log);
srcport=dstport=size=0;
strcpy(tcpflags,"blank");
}
if(strcmp(protocol,"ARP")==0){
ch='p';
while(ch!='\n' && !feof(log))ch=fgetc(log);
srcport=dstport=size=0;
strcpy(tcpflags,"blank");
}
if(strcmp(protocol,"ICMP")==0){
ch='p';
while(ch!='\n' && !feof(log))ch=fgetc(log);
srcport=dstport=size=0;
strcpy(tcpflags,"blank");
}
linenum++;
}
else if(strcmp(action,"DROP")==0){ /* IF ACTION IS DROP */
if(strcmp(protocol,"TCP")==0){
fscanf(log,"%u %u %u %s %s %s %s %s %s %s",&srcport,&dstport,
&size,tcpflags,tcpsyn,tcpack,tcpwin,icmptype,icmpcode,info);
}
if(strcmp(protocol,"UDP")==0){
ch='p';
fscanf(log,"%u %u",&srcport,&dstport);
fscanf(log,"%u",&size);
while(ch!='\n' && !feof(log))ch=fgetc(log);
strcpy(tcpflags,"blank");
}
if(strcmp(protocol,"ARP")==0){
ch='p';
while(ch!='\n' && !feof(log))ch=fgetc(log);
srcport=dstport=size=0;
strcpy(tcpflags,"blank");
}
if(strcmp(protocol,"ICMP")==0){
ch='p';
while(ch!='\n' && !feof(log))ch=fgetc(log);
srcport=dstport=size=0;
strcpy(tcpflags,"blank");
}
linenum++;
}
else { /* LIKE 'INFO-EVENTS-LOST' */
ch='p';
while(ch!='\n' && !feof(log))ch=fgetc(log);
srcport=dstport=size=0;
linenum++;
if(strcmp(action,"CLOSE")!=0){
ukrecord++;
wrongline[ukrecord-1]=linenum;
}
continue;
}
/* **********************END *************************/
/*else if(strcmp(action,"OPEN")==0 ||
strcmp(protocol,"UDP")==0 ||
strcmp(action,"OPEN-INBOUND")==0 ||
(strcmp(action,"DROP")==0 && strcmp(protocol,"UDP")==0)
){
ch='p';
fscanf(log,"%u %u",&srcport,&dstport);
if(strcmp(protocol,"UDP")==0) fscanf(log,"%u",&size);
while(ch!='\n' && !feof(log))ch=fgetc(log);
strcpy(tcpflags,"blank");
}*/
/*else if(strcmp(action,"DROP")==0 &&
strcmp(protocol,"TCP")==0
){
fscanf(log,"%u %u %u %s %s %s %s %s %s %s",&srcport,&dstport,
&size,tcpflags,tcpsyn,tcpack,tcpwin,icmptype,icmpcode,info);
}*/
/*else if(strcmp(action,"DROP")==0 &&
strcmp(protocol,"UDP")==0
){
ch='p';
fscanf(log,"%u %u %u",&srcport,&dstport,&size);
while(ch!='\n' && !feof(log))ch=fgetc(log);
strcpy(tcpflags,"blank");
}*/
/*NOT USEfscanf(log,"%s %s %s %s %s %s %u %u %u %s %s %s %s %s %s %s",
date,time,action,protocol,srcip,dstip,&srcport,&dstport,
&size,tcpflags,tcpsyn,tcpack,tcpwin,icmptype,icmpcode,info);*/
/*printf("\n%s %s %s %s %s %s %u %u %u %s %s %s %s %s %s %s",
date,time,action,protocol,srcip,dstip,srcport,dstport,size,
tcpflags,tcpsyn,tcpack,tcpwin,icmptype,icmpcode,info);*/
addip();
}
/*printf("\n日志文件結(jié)束");
getch();break;
case '2':print(head);getch();break;
case '4':system("Analysis.html");break;
}
system("cls");
}*/
outhtml(head);
fclose(log);
return 0;
}