ChipMaster
/
Poor-Mans-IDS


			
							//////////////////////////////////////////////////////////////////////
// IP traffic analyzer - data objects
// Written by Jonathan A. Foster <ChipMaster@YeOlPiShack.net>
// Started April 23rd, 2021
// Copyright JF Possibilities, Inc. All rights reserved.
//////////////////////////////////////////////////////////////////////
#include <string.h>
#include <stdlib.h>
#include <stdexcept>
#include "data.h"


//////////////////////////////////////////////////////////////////////
// Conn
//////////////////////////////////////////////////////////////////////

void Conn::clear() {
  us = them = name = protocol = "";
  in=false;
  us_port = them_port = 0;
}


void Conn::swap() {
  std::string s;
  int x;

  s = us;
  us = them;
  them =s;

  x = us_port;
  us_port = them_port;
  them_port = x;

  in=!in;
}


Conn &Conn::operator=(const Splits &sp) {
  int x;

  clear();
  for(x=0; x<sp.count; x++) {
    if(!strncmp(sp.fields[x], "SRC=", 4)) {
      us = sp.fields[x]+4;
      continue;
    }
    if(!strncmp(sp.fields[x], "DST=", 4)) {
      them = sp.fields[x]+4;
      continue;
    }
    if(!strncmp(sp.fields[x], "SPT=", 4)) {
      us_port = atoi(sp.fields[x]+4);
      continue;
    }
    if(!strncmp(sp.fields[x], "DPT=", 4)) {
      them_port = atoi(sp.fields[x]+4);
      continue;
    }
    if(!strncmp(sp.fields[x], "TYPE=", 5) && protocol=="ICMP") {
      us_port = them_port = atoi(sp.fields[x]+5);
      continue;
    }
    if(!strncmp(sp.fields[x], "PROTO=", 6))
      protocol = sp.fields[x]+6;
  }
}


// TODO: does < > have any actual meaning in this context?
int Conn::cmp(const Conn &gtr) const {
  if(us!="*" && gtr.us!="*") {
    if(us<gtr.us) return -1;
    if(us>gtr.us) return  1;
  }
  // TODO: auto-wildcard port based on in?
  if(us_port && gtr.us_port) { // 0 = no comparison wildcard
    if(us_port<gtr.us_port) return -1;
    if(us_port>gtr.us_port) return  1;
  }
  if(them!="*" && gtr.them!="*") {
    if(them<gtr.them) return -1;
    if(them>gtr.them) return  1;
  }
  if(them_port && gtr.them_port) { // 0 = no comparison wildcard
    if(them_port<gtr.them_port) return -1;
    if(them_port>gtr.them_port) return  1;
  }
  // TODO:  do we want to consider the name?
  if(name!="*" && gtr.name!="*") {
    if(name<gtr.name) return -1;
    if(name>gtr.name) return  1;
  }
  if(protocol<gtr.protocol) return -1;
  if(protocol>gtr.protocol) return  1;
  if(in<gtr.in) return -1;
  if(in>gtr.in) return  1;
  return 0;
}


std::ostream &operator<<(std::ostream &out, const Conn &c) {
  out << c.us
      << ( c.in ? " <- " : " -> " )
      << c.them
      << " " << c.protocol
      << "[" << ( c.in ? c.us_port : c.them_port ) << "] "
      << c.name;
  return out;
}


const Splits &operator>>(const Splits &tsv, Conn &conn) {
  if(tsv.count<7) throw std::runtime_error("Conn=TSV: too few columns");
  conn.clear();
  conn.us        = tsv[0];
  conn.us_port   = atoi(tsv.fields[1]);
  conn.them      = tsv[2];
  conn.them_port = atoi(tsv.fields[3]);
  conn.name      = tsv[4];
  conn.protocol  = tsv[5];
  conn.in        = tsv[6]=="1";
  return tsv;
}


//////////////////////////////////////////////////////////////////////
// ConnList
//////////////////////////////////////////////////////////////////////

int ConnList::find(Conn &needle) {
  int r;

  for(r=0; r<size(); r++) if((*this)[r]==needle) return r;
  return -1;
}