/******************* 程序源代码 ************/
;说明:程序的源码在windows server 2003 EE中使用LCC编译器编译通过,
; 因为我使用的是ANSI-C,一般无需过多修改就可在TC2下编译通过。
; 唯一要注意的就是程序的printf()函数中的中文要改为英文,否则
; 可能会出现乱码、错误。
■■■■■■■ 以下代码存为logAnalyser.c ■■■■■■■■■
/******************************************
logAnalyser.c
Author: Neil.Ton (mail:neilton1987@gmail.com)
Function: Analyse the log written by the
Microsoft Internet Connection Firewall
Version: 1.0
Time Format: Local
I've tested LogAnalyser.exe on
Microsoft(R) Windows(R) XP Professional
Microsoft(R) Windows(R) Server 2003 SE
Microsoft(R) Windows(R) Server 2003 EE
I think it will also work well on
Microsoft(R) Windows(R) XP Home
This program will create an analysis.html
in the current directory after the analysis.
WISH YOU LIKE IT & ENJOY IT!
THANK YOU FOR USING THIS PROGRAM!
*******************************************/
#include <stdio.h>
#include <stdlib.h>
#include <conio.h>
#include <string.h>
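#define P 65535 /* capacity of wrongline[] and of each per-host sport/dport/size table */

/*
 * Capacities of the per-record text fields.  Each one leaves room for the
 * NUL terminator after the longest value the firewall log puts in that
 * column.  The original sizes (date[10], time[8], action[12], srcip[15],
 * tcpflags[5], icmptype[2], ...) were exactly the width of the widest
 * value, so a maximal field such as a 10-character date, a 15-character
 * dotted-quad address, "OPEN-INBOUND", or the "blank" placeholder the
 * parser strcpy()s into tcpflags wrote its terminator one byte past the
 * array into the neighbouring global.  Any other translation unit that
 * declares these arrays with `extern char x[N]` must use the same N.
 */
enum {
    LOG_DATE_LEN     = 16, /* e.g. "2004-05-10" */
    LOG_TIME_LEN     = 16, /* e.g. "12:34:56" */
    LOG_ACTION_LEN   = 24, /* "OPEN-INBOUND", "INFO-EVENTS-LOST" */
    LOG_PROTOCOL_LEN = 8,  /* "TCP", "UDP", "ICMP", "ARP" */
    LOG_IP_LEN       = 16, /* "255.255.255.255" (IPv4 dotted quad) */
    LOG_FLAG_LEN     = 16, /* tcpflags/tcpsyn/tcpack/tcpwin, or "blank" */
    LOG_SMALL_LEN    = 8   /* icmptype/icmpcode/info: "-" or a small number */
};

/* Fields of the record currently being parsed (filled by main(), read by addip()). */
char date[LOG_DATE_LEN], time[LOG_TIME_LEN]; /* `time` shadows time() should <time.h> ever be included */
char action[LOG_ACTION_LEN], protocol[LOG_PROTOCOL_LEN];
char srcip[LOG_IP_LEN], dstip[LOG_IP_LEN];
unsigned int srcport, dstport, size;
char tcpflags[LOG_FLAG_LEN], tcpsyn[LOG_FLAG_LEN];
char tcpack[LOG_FLAG_LEN], tcpwin[LOG_FLAG_LEN];
char icmptype[LOG_SMALL_LEN], icmpcode[LOG_SMALL_LEN], info[LOG_SMALL_LEN];

/*##########################################
##
## Values read from the configuration file (by readcfg(), defined elsewhere)
##
###########################################*/
char filepath[256];        /* path of the firewall log to parse */
char localip[LOG_IP_LEN];  /* this machine's address; was [15], one byte short of "255.255.255.255" + NUL */
char portsfile[256], trojansfile[256], resfile[256], outfile[256]; /* auxiliary paths; not used in this file */
int ukrecord = 0;          /* count of unrecognised records == fill level of wrongline[]; must stay <= P */
int linenum = 0;           /* index of the current record (1-based, data records only) */
int wrongline[P] = {0};    /* record numbers of the unrecognised records */

/* Per-host record: one node per remote IP address seen in the log. */
typedef struct ip {
    char ipadd[LOG_IP_LEN];      /* remote host's IPv4 address; was [15], no room for the terminator */
    char action[LOG_ACTION_LEN]; /* action of the record stored in this node */
    /* Ports and packet sizes, one slot per record, P slots each -- about
       768 KiB per node (3 * P * sizeof(unsigned int)).  The slot count is
       relied on by addip() in another file, so it is left unchanged here. */
    unsigned int sport[P], dport[P], size[P];
    /* init: srcip -> dstip; pass: dstip -> srcip; drop: blocked by the
       firewall (per the original comment); open: not described. */
    unsigned int init, pass, drop, open;
    unsigned int tcp, udp, icmp, arp, unknow; /* per-protocol counters */
    double s;          /* original comment only says "S,......."; meaning not recorded -- maintained elsewhere */
    int sp, dp, sz;    /* original comment: "USE FOR PROTS" -- presumably fill indices of sport/dport/size, confirm in addip() */
    struct ip *next;   /* next host in the singly linked list rooted at `head` */
} IP, *PIP;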
/* Root of the singly linked list of per-host records.  main() resets it to
   NULL before parsing, calls addip() once per record, and passes it to
   outhtml() at the end -- so addip() presumably links new nodes here. */
PIP head;
/* Spare list cursor; not referenced anywhere in this translation unit. */
PIP ptr;

/*-------------------------------------
 Declarations of helper functions that
 are defined in other translation units
---------------------------------------*/
/* Record the current global field values (date, action, srcip, ...) in the list. */
void addip(void);
/* Dump the list starting at `head` (only reachable from the commented-out menu). */
void print(PIP head);
/************************************************
*
* the int main(int argc,char *argv[]) Function.
*
*************************************************/
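/* Token separators recognised inside a log line (NUL included so the
   scanning loops below stop at end of string). */
static int log_is_sep(int c)
{
    return c == ' ' || c == '\t' || c == '\n' || c == '\r' || c == '\0';
}

/*
 * Bounded string copy: stores at most cap-1 bytes of src into dst and
 * always NUL-terminates (cap must be >= 1).  Replaces strcpy() so that a
 * placeholder such as "blank" is truncated rather than overrunning a
 * destination array that is too small to hold it.
 */
static void log_set_field(char *dst, size_t cap, const char *src)
{
    size_t n = 0;
    while (src[n] != '\0' && n + 1 < cap) {
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
}

/*
 * Extract the next whitespace-delimited token from *cursor into dst
 * (at most cap-1 bytes, always NUL-terminated; an over-long token is
 * truncated, never overflowed) and advance *cursor past it.
 * Returns 1 when a token was read, 0 at end of line (dst is then "").
 */
static int log_next_field(const char **cursor, char *dst, size_t cap)
{
    const char *s = *cursor;
    size_t n = 0;

    while (*s == ' ' || *s == '\t')
        s++;
    if (log_is_sep((unsigned char)*s)) { /* only the line end is left */
        dst[0] = '\0';
        *cursor = s;
        return 0;
    }
    while (!log_is_sep((unsigned char)*s)) {
        if (n + 1 < cap)
            dst[n++] = *s;
        s++;
    }
    dst[n] = '\0';
    *cursor = s;
    return 1;
}

/*
 * Parse the next token as an unsigned decimal number.  *out is set to 0
 * and 0 is returned when the token is missing, negative, non-numeric
 * (e.g. the "-" placeholder) or does not fit an unsigned int, so a bad
 * column no longer leaves the previous record's value behind and no longer
 * stops the line from being consumed (both happened with fscanf("%u")).
 */
static int log_next_unsigned(const char **cursor, unsigned int *out)
{
    char tok[32];
    char *end;
    unsigned long v;

    *out = 0;
    if (!log_next_field(cursor, tok, sizeof tok) || tok[0] == '-')
        return 0;
    v = strtoul(tok, &end, 10);
    if (end == tok || *end != '\0' || (unsigned long)(unsigned int)v != v)
        return 0;
    *out = (unsigned int)v;
    return 1;
}

/* Consume the remainder of the current line; used when a line did not fit
   the read buffer, so its tail is not mistaken for the next record. */
static void log_discard_line(FILE *f)
{
    int c;
    while ((c = fgetc(f)) != EOF && c != '\n')
        ;
}

/************************************************
 *
 * Entry point.
 *
 * readcfg() (another translation unit) fills the global configuration
 * variables, in particular `filepath`.  The log named there is read one
 * line at a time; each record is split into the global field variables
 * and, for OPEN / OPEN-INBOUND / DROP records, handed to addip().  Records
 * with any other action only advance `linenum`, and those that are not
 * CLOSE are additionally remembered in wrongline[] / ukrecord.  Finally
 * outhtml() renders the list rooted at `head`.
 *
 * Returns 0 on success, 1 when the log cannot be opened (the original
 * printed the message and then went on to fseek() the NULL FILE*).
 *
 * Compared with the original fscanf() loop: every text field is copied
 * with a bound derived from sizeof of its destination (the field arrays
 * must therefore be sized with room for the terminator, or values are
 * truncated), every numeric field defaults to 0, a record whose protocol
 * is not recognised is still consumed as a whole line, the wrongline[]
 * store is bounded, and parsing stops at EOF instead of re-processing the
 * last record once more through feof().
 *
 *************************************************/
int main(int argc, char *argv[])
{
    extern void outhtml(PIP);
    extern void readcfg(void);
    FILE *log;
    char line[1024];
    const size_t wrongline_cap = sizeof wrongline / sizeof wrongline[0];
    long unrecorded = 0;   /* unrecognised records that no longer fit wrongline[] */

    (void)argc;
    (void)argv;

    readcfg();

    log = fopen(filepath, "rt");
    if (log == NULL) {
        printf("\n无法打开日志文件。请阅读配置说明进行配置.\n");
        return 1;
    }

    head = NULL;
    /* Fixed command string, no user input; cosmetic, but it does spawn a shell. */
    system("cls");
    printf("\n \n 程序正在解析日志文件%s\n \n \n 如果文件较大将要等待较长时间。", filepath);
    printf("\n \n \n 关闭浏览器后,本窗口自动关闭。");

    while (fgets(line, sizeof line, log) != NULL) {
        const char *cur = line;

        /* Over-long line: drop its tail so it cannot masquerade as a record. */
        if (strchr(line, '\n') == NULL)
            log_discard_line(log);

        /* Header lines ("#Version: ...", "#Fields: ...") carry no record.
           The original skipped them with a fixed fseek(log, 214, 0), which
           only works for one exact header length. */
        if (line[0] == '#')
            continue;

        /* Columns: date time action protocol src-ip dst-ip ... */
        if (!log_next_field(&cur, date, sizeof date))
            continue;   /* blank line */
        log_next_field(&cur, time, sizeof time);
        log_next_field(&cur, action, sizeof action);
        log_next_field(&cur, protocol, sizeof protocol);
        log_next_field(&cur, srcip, sizeof srcip);
        log_next_field(&cur, dstip, sizeof dstip);

        /* Defaults every branch starts from; a branch overrides only the
           columns it actually reads. */
        srcport = dstport = size = 0;
        log_set_field(tcpflags, sizeof tcpflags, "blank");

        if (strcmp(action, "OPEN") == 0 || strcmp(action, "OPEN-INBOUND") == 0) {
            /* Only TCP opens carry a usable port pair; the rest of the
               line is ignored for every protocol. */
            if (strcmp(protocol, "TCP") == 0) {
                log_next_unsigned(&cur, &srcport);
                log_next_unsigned(&cur, &dstport);
            }
            linenum++;
        } else if (strcmp(action, "DROP") == 0) {
            if (strcmp(protocol, "TCP") == 0) {
                log_next_unsigned(&cur, &srcport);
                log_next_unsigned(&cur, &dstport);
                log_next_unsigned(&cur, &size);
                log_next_field(&cur, tcpflags, sizeof tcpflags);
                log_next_field(&cur, tcpsyn, sizeof tcpsyn);
                log_next_field(&cur, tcpack, sizeof tcpack);
                log_next_field(&cur, tcpwin, sizeof tcpwin);
                log_next_field(&cur, icmptype, sizeof icmptype);
                log_next_field(&cur, icmpcode, sizeof icmpcode);
                log_next_field(&cur, info, sizeof info);
            } else if (strcmp(protocol, "UDP") == 0) {
                log_next_unsigned(&cur, &srcport);
                log_next_unsigned(&cur, &dstport);
                log_next_unsigned(&cur, &size);
            }
            linenum++;
        } else {
            /* CLOSE, INFO-EVENTS-LOST, ...: counted, not handed to addip(). */
            linenum++;
            if (strcmp(action, "CLOSE") != 0) {
                /* Was unbounded: the original wrote wrongline[ukrecord-1]
                   for every such record and ran past the array after P. */
                if ((size_t)ukrecord < wrongline_cap)
                    wrongline[ukrecord++] = linenum;
                else
                    unrecorded++;
            }
            continue;
        }

        addip();
    }

    if (unrecorded > 0)
        printf("\n Warning: %ld unrecognised records could not be recorded (wrongline[] holds %lu).",
               unrecorded, (unsigned long)wrongline_cap);

    /* NOTE(review): outhtml() is defined elsewhere.  The fields it writes
       into analysis.html come straight from the log file, so it should
       HTML-escape them -- not verifiable from this file. */
    outhtml(head);
    fclose(log);
    return 0;
}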