public override PacketMainReturn interiorMain(ref Packet in_packet)
{
lock (padlock)
{
PacketStatus status = PacketStatus.UNDETERMINED;
foreach (MacRule r in rules)
{
status = r.GetStatus(in_packet);
if (status == PacketStatus.BLOCKED)
{
PacketMainReturn pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Drop;
if (r.GetLogMessage() != null)
{
pmr.returnType |= PacketMainReturnType.Log;
pmr.logMessage = r.GetLogMessage();
}
if (r.notify)
{
pmr.returnType |= PacketMainReturnType.Popup;
}
return pmr;
}
else if (status == PacketStatus.ALLOWED)
{
return null;
}
}
}
return null;
}
public LogEvent(PacketMainReturn pmr)
{
Module = pmr.Module;
Message = pmr.logMessage;
time = DateTime.Now;
PMR = pmr;
}
public LogEvent(PacketMainReturn pmr)
{
Module = pmr.Module;
Message = pmr.logMessage;
time = DateTime.Now;
PMR = pmr;
}
public override PacketMainReturn interiorMain(ref Packet in_packet)
{
lock (padlock)
{
PacketStatus status = PacketStatus.UNDETERMINED;
foreach (MacRule r in rules)
{
status = r.GetStatus(in_packet);
if (status == PacketStatus.BLOCKED)
{
PacketMainReturn pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Drop;
if (r.GetLogMessage() != null)
{
pmr.returnType |= PacketMainReturnType.Log;
pmr.logMessage = r.GetLogMessage();
}
if (r.notify)
{
pmr.returnType |= PacketMainReturnType.Popup;
}
return(pmr);
}
else if (status == PacketStatus.ALLOWED)
{
return(null);
}
}
}
return(null);
}
// main routine
public override PacketMainReturn interiorMain(ref Packet in_packet)
{
// if the packet is ICMPv4
if (in_packet.GetHighestLayer() == Protocol.ICMP)
{
ICMPPacket packet = (ICMPPacket)in_packet;
// check if the packet is allowed and deny all is false
if (isAllowed(packet.Type.ToString(), packet.Code.ToString(), 4) &&
!data.DenyIPv4)
{
return(null);
}
// else, log and drop it
else
{
PacketMainReturn pmr;
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Drop;
if (data.Log)
{
pmr.returnType |= PacketMainReturnType.Log;
pmr.logMessage = "ICMP from " + packet.SourceIP.ToString() + " for " +
packet.DestIP.ToString() + " was dropped.";
}
return(pmr);
}
}
// if the packet is ICMPv6
if (in_packet.GetHighestLayer() == Protocol.ICMPv6)
{
ICMPv6Packet packet = (ICMPv6Packet)in_packet;
if ((isAllowed(packet.Type.ToString(), packet.Code.ToString(), 6) &&
!data.DenyIPv6) && isDeniedNDP(packet))
{
return(null);
}
else
{
PacketMainReturn pmr;
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Drop;
if (data.Log)
{
pmr.returnType |= PacketMainReturnType.Log;
pmr.logMessage = "ICMPv6 from " + packet.SourceIP.ToString() + " for " +
packet.DestIP.ToString() + " was dropped.";
}
return(pmr);
}
}
return(null);
}
// main routine
public override PacketMainReturn interiorMain(ref Packet in_packet)
{
// if the packet is ICMPv4
if (in_packet.GetHighestLayer() == Protocol.ICMP)
{
ICMPPacket packet = (ICMPPacket)in_packet;
// check if the packet is allowed and deny all is false
if (isAllowed(packet.Type.ToString(), packet.Code.ToString(), 4) &&
!data.DenyIPv4)
{
return null;
}
// else, log and drop it
else
{
PacketMainReturn pmr;
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Drop;
if (data.Log)
{
pmr.returnType |= PacketMainReturnType.Log;
pmr.logMessage = "ICMP from " + packet.SourceIP.ToString() + " for " +
packet.DestIP.ToString() + " was dropped.";
}
return pmr;
}
}
// if the packet is ICMPv6
if (in_packet.GetHighestLayer() == Protocol.ICMPv6)
{
ICMPv6Packet packet = (ICMPv6Packet)in_packet;
if ((isAllowed(packet.Type.ToString(), packet.Code.ToString(), 6) &&
!data.DenyIPv6) && isDeniedNDP(packet))
{
return null;
}
else
{
PacketMainReturn pmr;
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Drop;
if (data.Log)
{
pmr.returnType |= PacketMainReturnType.Log;
pmr.logMessage = "ICMPv6 from " + packet.SourceIP.ToString() + " for " +
packet.DestIP.ToString() + " was dropped.";
}
return pmr;
}
}
return null;
}
public override PacketMainReturn interiorMain(ref Packet in_packet)
{
if (!in_packet.Outbound && in_packet.ContainsLayer(Protocol.TCP))
{
TCPPacket tcp = (TCPPacket)in_packet;
if (IPAddress.Parse("192.168.1.4").Equals(tcp.SourceIP))
{
if (tcp.SYN && tcp.ACK)
{
PacketMainReturn pmr = new PacketMainReturn("PortScanner")
{
logMessage = "Port " + tcp.SourcePort.ToString() + " is open on " + tcp.SourceIP.ToString(), returnType = PacketMainReturnType.Drop | PacketMainReturnType.Log
};
return(pmr);
}
}
}
return(null);
}
public override PacketMainReturn interiorMain(ref Packet in_packet)
{
if (in_packet.GetHighestLayer() == Protocol.ARP)
{
ARPPacket arpp = (ARPPacket)in_packet;
if (arpp.isRequest && arpp.Outbound)
{
int ip = arpp.ATargetIP.GetHashCode();
if (!requestedIPs.Contains(ip))
{
requestedIPs.Add(ip);
}
}
else if (!arpp.Outbound)
{
int ip = arpp.ASenderIP.GetHashCode();
if (!arpp.isRequest)
{
if (requestedIPs.Contains(ip))
{
lock (padlock)
{
if (data.arpCache.ContainsKey(arpp.ASenderIP))
{
if (!Compare(data.arpCache[arpp.ASenderIP], arpp.ASenderMac))
{
PacketMainReturn pmr = new PacketMainReturn(this);
if (data.RectifyAttacks)
{
pmr.returnType = PacketMainReturnType.Edited;
}
else
{
pmr.returnType = PacketMainReturnType.Drop;
}
if (data.LogAttacks)
{
pmr.returnType |= PacketMainReturnType.Log | PacketMainReturnType.Popup;
}
switch (LanguageConfig.GetCurrentLanguage())
{
case LanguageConfig.Language.NONE:
case LanguageConfig.Language.ENGLISH:
pmr.logMessage = "ARP Response from " + new PhysicalAddress(arpp.ASenderMac).ToString() + " for " + arpp.ASenderIP.ToString() + " does not match the ARP cache.";
break;
case LanguageConfig.Language.CHINESE:
pmr.logMessage = new PhysicalAddress(arpp.ASenderMac).ToString() + "为" + arpp.ASenderIP.ToString() + "的ARP响应不匹配的ARP缓存。";
break;
case LanguageConfig.Language.GERMAN:
pmr.logMessage = "ARP Response von " + new PhysicalAddress(arpp.ASenderMac).ToString() + " für " + arpp.ASenderIP.ToString() + " nicht mit dem ARP-Cache.";
break;
case LanguageConfig.Language.RUSSIAN:
pmr.logMessage = "ARP-ответ от " + new PhysicalAddress(arpp.ASenderMac).ToString() + " для " + arpp.ASenderIP.ToString() + " не соответствует кэш ARP.";
break;
case LanguageConfig.Language.SPANISH:
pmr.logMessage = "Respuesta de ARP de " + new PhysicalAddress(arpp.ASenderMac).ToString() + " para " + arpp.ASenderIP.ToString() + " no coincide con la caché ARP.";
break;
case LanguageConfig.Language.PORTUGUESE:
pmr.logMessage = "Resposta da ARP " + new PhysicalAddress(arpp.ASenderMac).ToString() + " para " + arpp.ASenderIP.ToString() + " não coincide com o cache ARP.";
break;
}
if (data.RectifyAttacks)
{
arpp.ATargetIP = arpp.ASenderIP;
arpp.ATargetMac = data.arpCache[arpp.ATargetIP];
arpp.ASenderMac = adapter.InterfaceInformation.GetPhysicalAddress().GetAddressBytes();
arpp.FromMac = arpp.ASenderMac;
arpp.ToMac = arpp.ATargetMac;
foreach (UnicastIPAddressInformation ipv4 in adapter.InterfaceInformation.GetIPProperties().UnicastAddresses)
{
if (ipv4.Address.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork)
{
arpp.ASenderIP = ipv4.Address;
break;
}
}
arpp.Outbound = true;
in_packet = arpp;
}
return(pmr);
}
else
{
requestedIPs.Remove(ip);
}
}
else
{
data.arpCache[arpp.ASenderIP] = arpp.ASenderMac;
if (UpdatedArpCache != null)
{
UpdatedArpCache();
}
requestedIPs.Remove(ip);
}
}
}
else
{
lock (padlock)
{
if (data.arpCache.ContainsKey(arpp.ASenderIP))
{
if (!Compare(data.arpCache[arpp.ASenderIP], arpp.ASenderMac))
{
PacketMainReturn pmra = new PacketMainReturn(this);
if (data.RectifyAttacks)
{
pmra.returnType = PacketMainReturnType.Edited;
}
else
{
pmra.returnType = PacketMainReturnType.Drop | PacketMainReturnType.Popup;
}
switch (LanguageConfig.GetCurrentLanguage())
{
case LanguageConfig.Language.NONE:
case LanguageConfig.Language.ENGLISH:
pmra.logMessage = "ARP Response from " + new PhysicalAddress(arpp.ASenderMac).ToString() + " for " + arpp.ASenderIP.ToString() + " does not match the ARP cache.";
break;
case LanguageConfig.Language.CHINESE:
pmra.logMessage = new PhysicalAddress(arpp.ASenderMac).ToString() + "为" + arpp.ASenderIP.ToString() + "的ARP响应不匹配的ARP缓存。";
break;
case LanguageConfig.Language.GERMAN:
pmra.logMessage = "ARP Response von " + new PhysicalAddress(arpp.ASenderMac).ToString() + " für " + arpp.ASenderIP.ToString() + " nicht mit dem ARP-Cache.";
break;
case LanguageConfig.Language.RUSSIAN:
pmra.logMessage = "ARP-ответ от " + new PhysicalAddress(arpp.ASenderMac).ToString() + " для " + arpp.ASenderIP.ToString() + " не соответствует кэш ARP.";
break;
case LanguageConfig.Language.SPANISH:
pmra.logMessage = "Respuesta de ARP de " + new PhysicalAddress(arpp.ASenderMac).ToString() + " para " + arpp.ASenderIP.ToString() + " no coincide con la caché ARP.";
break;
case LanguageConfig.Language.PORTUGUESE:
pmra.logMessage = "Resposta da ARP " + new PhysicalAddress(arpp.ASenderMac).ToString() + " para " + arpp.ASenderIP.ToString() + " não coincide com o cache ARP.";
break;
}
if (data.RectifyAttacks)
{
arpp.ATargetIP = arpp.ASenderIP;
arpp.ATargetMac = data.arpCache[arpp.ATargetIP];
arpp.ASenderMac = adapter.InterfaceInformation.GetPhysicalAddress().GetAddressBytes();
arpp.FromMac = arpp.ASenderMac;
arpp.ToMac = arpp.ATargetMac;
foreach (UnicastIPAddressInformation ipv4 in adapter.InterfaceInformation.GetIPProperties().UnicastAddresses)
{
if (ipv4.Address.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork)
{
arpp.ASenderIP = ipv4.Address;
break;
}
}
arpp.Outbound = true;
in_packet = arpp;
}
return(pmra);
}
}
}
PacketMainReturn pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Drop;
if (data.LogUnsolic)
{
pmr.returnType |= PacketMainReturnType.Log;
}
switch (LanguageConfig.GetCurrentLanguage())
{
case LanguageConfig.Language.NONE:
case LanguageConfig.Language.ENGLISH:
pmr.logMessage = "Unsolicited ARP Response from " + new PhysicalAddress(arpp.ASenderMac).ToString() + " for " + arpp.ASenderIP.ToString();
break;
case LanguageConfig.Language.CHINESE:
pmr.logMessage = "未经请求的ARP应答为" + arpp.ASenderIP.ToString() + "从" + new PhysicalAddress(arpp.ASenderMac).ToString();
break;
case LanguageConfig.Language.GERMAN:
pmr.logMessage = "Initiativbewerbung ARP Response von " + new PhysicalAddress(arpp.ASenderMac).ToString() + " für " + arpp.ASenderIP.ToString();
break;
case LanguageConfig.Language.RUSSIAN:
pmr.logMessage = "Незапрошенные ответ ARP от " + new PhysicalAddress(arpp.ASenderMac).ToString() + " для " + arpp.ASenderIP.ToString();
break;
case LanguageConfig.Language.SPANISH:
pmr.logMessage = "Respuesta ARP no solicitados de " + new PhysicalAddress(arpp.ASenderMac).ToString() + " para " + arpp.ASenderIP.ToString();
break;
case LanguageConfig.Language.PORTUGUESE:
pmr.logMessage = "Resposta ARP não solicitadas a partir de " + new PhysicalAddress(arpp.ASenderMac).ToString() + " para " + arpp.ASenderIP.ToString();
break;
}
return(pmr);
}
}
else
{
lock (padlock)
{
if (data.arpCache.ContainsKey(arpp.ASenderIP))
{
if (!Compare(data.arpCache[arpp.ASenderIP], arpp.ASenderMac))
{
PacketMainReturn pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Drop;
if (data.LogAttacks)
{
pmr.returnType |= PacketMainReturnType.Log | PacketMainReturnType.Popup;
}
switch (LanguageConfig.GetCurrentLanguage())
{
case LanguageConfig.Language.NONE:
case LanguageConfig.Language.ENGLISH:
pmr.logMessage = "ARP Response from " + new PhysicalAddress(arpp.ASenderMac).ToString() + " for " + arpp.ASenderIP.ToString() + " does not match the ARP cache.";
break;
case LanguageConfig.Language.CHINESE:
pmr.logMessage = new PhysicalAddress(arpp.ASenderMac).ToString() + "为" + arpp.ASenderIP.ToString() + "的ARP响应不匹配的ARP缓存。";
break;
case LanguageConfig.Language.GERMAN:
pmr.logMessage = "ARP Response von " + new PhysicalAddress(arpp.ASenderMac).ToString() + " für " + arpp.ASenderIP.ToString() + " nicht mit dem ARP-Cache.";
break;
case LanguageConfig.Language.RUSSIAN:
pmr.logMessage = "ARP-ответ от " + new PhysicalAddress(arpp.ASenderMac).ToString() + " для " + arpp.ASenderIP.ToString() + " не соответствует кэш ARP.";
break;
case LanguageConfig.Language.SPANISH:
pmr.logMessage = "Respuesta de ARP de " + new PhysicalAddress(arpp.ASenderMac).ToString() + " para " + arpp.ASenderIP.ToString() + " no coincide con la caché ARP.";
break;
case LanguageConfig.Language.PORTUGUESE:
pmr.logMessage = "Resposta da ARP " + new PhysicalAddress(arpp.ASenderMac).ToString() + " para " + arpp.ASenderIP.ToString() + " não coincide com o cache ARP.";
break;
}
return(pmr);
}
}
}
}
return(null);
}
return(null);
}
return(null);
}
public void Push(PacketMainReturn pmr)
{
logQueue.Enqueue(new LogEvent(pmr));
}
public override PacketMainReturn interiorMain(ref Packet in_packet)
{
PacketMainReturn pmr;
float av = 0;
if (in_packet.ContainsLayer(Protocol.TCP))
{
// if we're in cloaked mode, respond with the SYN ACK
// More information about this in the GUI code and help string
if (data.cloaked_mode && ((TCPPacket)in_packet).SYN)
{
TCPPacket from = (TCPPacket)in_packet;
EthPacket eth = new EthPacket(60);
eth.FromMac = adapter.InterfaceInformation.GetPhysicalAddress().GetAddressBytes();
eth.ToMac = from.FromMac;
eth.Proto = new byte[2] { 0x08, 0x00 };
IPPacket ip = new IPPacket(eth);
ip.DestIP = from.SourceIP;
ip.SourceIP = from.DestIP;
ip.NextProtocol = 0x06;
ip.TotalLength = 40;
ip.HeaderChecksum = ip.GenerateIPChecksum;
TCPPacket tcp = new TCPPacket(ip);
tcp.SourcePort = from.DestPort;
tcp.DestPort = from.SourcePort;
tcp.SequenceNumber = (uint)new Random().Next();
tcp.AckNumber = 0;
tcp.WindowSize = 8192;
tcp.SYN = true;
tcp.ACK = true;
tcp.Checksum = tcp.GenerateChecksum;
tcp.Outbound = true;
adapter.SendPacket(tcp);
}
try
{
TCPPacket packet = (TCPPacket)in_packet;
// if the IP is in the blockcache, then return
if (data.BlockCache.ContainsKey(packet.SourceIP))
{
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Drop;
return pmr;
}
// checking for TTL allows us to rule out the local network
// Don't check for TCP flags because we can make an educated guess that if 100+ of our ports are
// fingered with a short window, we're being scanned. this will detect syn, ack, null, xmas, etc. scans.
if ((!packet.Outbound) && (packet.TTL < 250))
{
IPObj tmp;
if (ip_table.ContainsKey(packet.SourceIP))
tmp = (IPObj)ip_table[packet.SourceIP];
else
tmp = new IPObj(packet.SourceIP);
// add the port to the ipobj, set the access time, and update the table
tmp.addPort(packet.DestPort);
tmp.time(packet.PacketTime);
ip_table[packet.SourceIP] = tmp;
av = tmp.getAverage();
// if they've touched more than 100 ports in less than 30 seconds and the average
// packet time was less than 2s, something's wrong
if (tmp.getTouchedPorts().Count >= 100 && (!tmp.Reported) &&
tmp.getAverage() < 2000 )
{
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Log | PacketMainReturnType.Allow;
pmr.logMessage = string.Format("{0} touched {1} ports with an average of {2}\n", packet.SourceIP,
tmp.getTouchedPorts().Count, tmp.getAverage());
// set the reported status of the IP address
ip_table[packet.SourceIP].Reported = true;
// add the address to the potential list of IPs and to the local SESSION-BASED list
if (!data.blockImmediately)
{
potentials.Add(packet.SourceIP, ip_table[packet.SourceIP]);
detect.addPotential(packet.SourceIP);
}
// else we want to block it immediately
else
data.BlockCache.Add(packet.SourceIP, ip_table[packet.SourceIP]);
return pmr;
}
}
}
catch (Exception e)
{
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Log;
pmr.logMessage = String.Format("{0}\n{1}\n", e.Message, e.StackTrace);
return pmr;
}
}
// This will detect UDP knockers. typically UDP scans are slower, but are combined with SYN scans
// (-sSU in nmap) so we'll be sure to check for these guys too.
else if (in_packet.ContainsLayer(Protocol.UDP))
{
try
{
UDPPacket packet = (UDPPacket)in_packet;
// if the source addr is in the block cache, return
if (data.BlockCache.ContainsKey(packet.SourceIP))
{
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Drop;
return pmr;
}
if ((!packet.Outbound) && (packet.TTL < 250) &&
(!packet.isDNS()))
{
IPObj tmp;
if (ip_table.ContainsKey(packet.SourceIP))
tmp = (IPObj)ip_table[packet.SourceIP];
else
tmp = new IPObj(packet.SourceIP);
tmp.addPort(packet.DestPort);
tmp.time(packet.PacketTime);
ip_table[packet.SourceIP] = tmp;
av = tmp.getAverage();
if ((tmp.getTouchedPorts().Count >= 100) && (!tmp.Reported) &&
(tmp.getAverage() < 2000))
{
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Log | PacketMainReturnType.Allow;
pmr.logMessage = string.Format("{0} touched {1} ports with an average of {2}\n", packet.SourceIP,
tmp.getTouchedPorts().Count, tmp.getAverage());
ip_table[packet.SourceIP].Reported = true;
if (!data.blockImmediately)
{
potentials.Add(packet.SourceIP, ip_table[packet.SourceIP]);
detect.addPotential(packet.SourceIP);
}
else
data.BlockCache.Add(packet.SourceIP, ip_table[packet.SourceIP]);
return pmr;
}
}
}
catch (Exception e)
{
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Log;
pmr.logMessage = String.Format("{0}\n{1}\n", e.Message, e.StackTrace);
return pmr;
}
}
return null;
}
/// <summary>
/// chuck out bad packets
/// </summary>
/// <param name="in_packet"></param>
/// <returns></returns>
public override PacketMainReturn interiorMain(ref Packet in_packet)
{
try
{
PacketMainReturn pmr;
if (in_packet.ContainsLayer(Protocol.TCP))
{
// cast the packet and check for SYN/outbound
TCPPacket packet = (TCPPacket)in_packet;
if (packet.SYN && packet.Outbound)
{
// check if it's blocked
for (int i = 0; i < block_ranges.Count; ++i)
{
// if its heading towards a blacklisted IP
if (block_ranges[i].IsInRange(packet.DestIP))
{
pmr = new PacketMainReturn("IPGuard");
// check if we should log it
if (this.data.logBlocked)
{
pmr.returnType = PacketMainReturnType.Drop | PacketMainReturnType.Log;
pmr.logMessage = "IPGuard has blocked outgoing packets to " + packet.DestIP;
}
else
{
pmr.returnType = PacketMainReturnType.Drop;
}
return(pmr);
}
}
}
// check if they want to block incoming packets from these addresses
// as well.
if (this.data.blockIncoming && !(packet.Outbound))
{
for (int i = 0; i < block_ranges.Count; ++i)
{
if (block_ranges[i].IsInRange(packet.SourceIP))
{
pmr = new PacketMainReturn("IPGuard");
// check if we should log it
if (this.data.logBlocked)
{
pmr.returnType = PacketMainReturnType.Drop | PacketMainReturnType.Log;
pmr.logMessage = "IPGuard has blocked incoming packets from " + packet.SourceIP;
}
else
{
pmr.returnType = PacketMainReturnType.Drop;
}
return(pmr);
}
}
}
}
}
catch (Exception e)
{
System.Diagnostics.Debug.WriteLine("error processing pmr: " + e.Message);
System.Diagnostics.Debug.WriteLine(e.StackTrace);
}
return(null);
}
public void Push(PacketMainReturn pmr)
{
logQueue.Enqueue(new LogEvent(pmr));
}
// main routine
public override PacketMainReturn interiorMain(ref Packet in_packet)
{
PacketMainReturn pmr;
// check it the packet is, or contains, IP
if (in_packet.ContainsLayer(Protocol.IP))
{
// create a temp IPPacket obj and
// check the IP address
IPPacket temp = (IPPacket)in_packet;
if (!(isIPAllowed(temp.SourceIP)))
{
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Drop;
return pmr;
}
}
// simple sanity check to dump the ipcache if it gets too large.
// this does not effect the blockcache of banned IPs
if ((ipcache.Count) > 200)
ipcache.Clear();
// TCP incoming packets
if (in_packet.GetHighestLayer() == Protocol.TCP)
{
TCPPacket packet = ((TCPPacket)in_packet);
packet.PacketTime = DateTime.UtcNow;
// if it's inbound and the SYN flag is set
if (!packet.Outbound && packet.SYN && !packet.ACK)
{
// first packet init
if (TCPprevious_packet == null)
TCPprevious_packet = packet;
// if the IP hasn't been logged yet
if (!(ipcache.ContainsKey(packet.SourceIP)))
ipcache.Add(packet.SourceIP, 1);
// if the ipcache contains the ip
else if (ipcache.ContainsKey(packet.SourceIP))
{
// increment the packet count if they're coming in fast
if ((packet.PacketTime - TCPprevious_packet.PacketTime).TotalMilliseconds <= data.dos_threshold)
ipcache[packet.SourceIP] = (ipcache[packet.SourceIP]) + 1;
else ipcache[packet.SourceIP] = 1;
// check if this packet = previous, if the packet count is > 50,
// and if the time between sent packets is less than the threshhold
if (packet.SourceIP.Equals(TCPprevious_packet.SourceIP) &&
((ipcache[packet.SourceIP]) > 50) &&
(packet.PacketTime - TCPprevious_packet.PacketTime).TotalMilliseconds <= data.dos_threshold)
{
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Drop | PacketMainReturnType.Log | PacketMainReturnType.Popup;
pmr.logMessage = "DoS attempt detected from IP " + packet.SourceIP + " (likely spoofed). "
+ " Packets from this IP will be dropped. You can unblock this IP from the module interface.";
data.BlockCache.Add(new BlockedIP(packet.SourceIP, DateTime.UtcNow, "DoS Attempt"));
return pmr;
}
}
TCPprevious_packet = packet;
}
}
// fraggle attack mitigation
if (in_packet.GetHighestLayer() == Protocol.UDP)
{
UDPPacket packet = ((UDPPacket)in_packet);
packet.PacketTime = DateTime.UtcNow;
// if it's inbound
if (!(packet.Outbound))
{
// add IP to cache or increment packet count
if (!(ipcache.ContainsKey(packet.SourceIP)))
ipcache.Add(packet.SourceIP, 1);
else
ipcache[packet.SourceIP] = (ipcache[packet.SourceIP]) + 1;
// if the packet header is empty, headed towards port (7,13,19,17), and count > 50,
// then it's probably a fraggle attack
if (packet.isEmpty() && packet.DestPort.Equals(7) || packet.DestPort.Equals(13) ||
packet.DestPort.Equals(19) || packet.DestPort.Equals(17) &&
(ipcache[packet.SourceIP]) > 50)
{
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Drop | PacketMainReturnType.Log | PacketMainReturnType.Popup;
pmr.logMessage = "Potential fraggle attack from " + packet.SourceIP + " (likely spoofed). "
+ " Packets from this IP will be dropped. You can unblock this IP from the module interface.";
data.BlockCache.Add(new BlockedIP(packet.SourceIP, DateTime.UtcNow, "Fraggle Attempt"));
return pmr;
}
}
}
// smurf attack mitigation
if (in_packet.GetHighestLayer() == Protocol.ICMP)
{
ICMPPacket packet = ((ICMPPacket)in_packet);
packet.PacketTime = DateTime.UtcNow;
if (!(packet.Outbound))
{
// init the previous packet
if (ICMPprevious_packet == null)
ICMPprevious_packet = packet;
// add IP to cache or increment packet count
if (!(ipcache.ContainsKey(packet.SourceIP)))
ipcache.Add(packet.SourceIP, 1);
// if the packet is >= threshold after the previous and it's the same packet, clear up the cache
else if ((packet.PacketTime.Millisecond - ICMPprevious_packet.PacketTime.Millisecond) >= data.dos_threshold &&
packet.Equals(ICMPprevious_packet))
ipcache[packet.SourceIP] = 1;
// if the packet is coming in quickly, add it to the packet count
else if ((packet.PacketTime.Millisecond - ICMPprevious_packet.PacketTime.Millisecond) <= data.dos_threshold)
ipcache[packet.SourceIP] = (ipcache[packet.SourceIP]) + 1;
// if the packet is an echo reply and the IP source
// is the same as localhost and the time between packets is <= threshhold and
// there are over 50 accumulated packets, it's probably a smurf attack
if (packet.Type.ToString().Equals("0") &&
packet.Code.ToString().Equals("0") &&
packet.SourceIP.Equals(getLocalIP()) &&
(packet.PacketTime.Millisecond - ICMPprevious_packet.PacketTime.Millisecond) <= data.dos_threshold &&
ipcache[packet.SourceIP] > 50)
{
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Drop | PacketMainReturnType.Log | PacketMainReturnType.Popup;
pmr.logMessage = "Potential Smurf attack from " + packet.SourceIP + " (likely spoofed). "
+ " Packets from this IP will be dropped. You can unblock this IP from the module interface.";
data.BlockCache.Add(new BlockedIP(packet.SourceIP, DateTime.UtcNow, "Smurf Attempt"));
return pmr;
}
ICMPprevious_packet = packet;
}
}
return null;
}
public override PacketMainReturn interiorMain(ref Packet in_packet)
{
// let the packet through
PacketMainReturn pmr = new PacketMainReturn(MODULE_NAME);
pmr.returnType = PacketMainReturnType.Allow;
try
{
// get a usable form of the packet
Protocol highestLayer = in_packet.GetHighestLayer();
string type = "";
bool outbound = false;
uint length = 0;
string ip = "";
switch (highestLayer)
{
case Protocol.TCP:
TCPPacket tcpPacket = (TCPPacket)in_packet;
type = TCP;
outbound = tcpPacket.Outbound;
length = tcpPacket.Length();
ip = outbound ? tcpPacket.DestIP.ToString() : tcpPacket.SourceIP.ToString();
break;
case Protocol.UDP:
UDPPacket udpPacket = (UDPPacket)in_packet;
type = UDP;
length = udpPacket.Length();
ip = outbound ? udpPacket.DestIP.ToString() : udpPacket.SourceIP.ToString();
break;
case Protocol.ARP:
ARPPacket arpPacket = (ARPPacket)in_packet;
type = ARP;
outbound = arpPacket.Outbound;
length = arpPacket.Length();
ip = outbound ? arpPacket.ATargetIP.ToString() : arpPacket.ASenderIP.ToString();
break;
case Protocol.DHCP:
// no packet structure for this type
break;
case Protocol.DNS:
DNSPacket dnsPacket = (DNSPacket)in_packet;
type = DNS;
outbound = dnsPacket.Outbound;
length = dnsPacket.Length();
ip = outbound ? dnsPacket.DestIP.ToString() : dnsPacket.SourceIP.ToString();
break;
case Protocol.EEth:
EETHPacket eethPacket = (EETHPacket)in_packet;
type = EETH;
outbound = eethPacket.Outbound;
length = eethPacket.Length();
ip = NO_IP;
break;
case Protocol.Ethernet:
EthPacket ethPacket = (EthPacket)in_packet;
type = ETHERNET;
outbound = ethPacket.Outbound;
length = ethPacket.Length();
ip = NO_IP;
break;
case Protocol.ICMP:
ICMPPacket icmpPacket = (ICMPPacket)in_packet;
type = ICMP;
outbound = icmpPacket.Outbound;
length = icmpPacket.Length();
ip = ip = outbound ? icmpPacket.DestIP.ToString() : icmpPacket.SourceIP.ToString();
break;
case Protocol.ICMPv6:
ICMPv6Packet icmpv6Packet = (ICMPv6Packet)in_packet;
type = ICMPV6;
outbound = icmpv6Packet.Outbound;
length = icmpv6Packet.Length();
ip = outbound ? icmpv6Packet.DestIP.ToString() : icmpv6Packet.SourceIP.ToString();
break;
case Protocol.IP:
IPPacket ipPacket = (IPPacket)in_packet;
type = IP;
outbound = ipPacket.Outbound;
length = ipPacket.Length();
ip = outbound ? ipPacket.DestIP.ToString() : ipPacket.SourceIP.ToString();
break;
case Protocol.SNMP:
// no packet structure available for this type
break;
default:
break;
}
if (type != "")
{
bufferStatement("insert into connection_log values (" + (outbound ? DIRECTION_OUTBOUND : DIRECTION_INBOUND) + "," +
DateTime.Now.Ticks + ",'" + ip + "'," + length + ",'" + type + "')"); // using Length here...
// should TotalLength be used instead?
}
}
catch (Exception e)
{
PassThru.LogCenter.Instance.Push(MODULE_NAME, e.Message);
}
return pmr;
}
unsafe void ProcessLoop()
{
// Allocate and initialize packet structures
ETH_REQUEST Request = new ETH_REQUEST();
INTERMEDIATE_BUFFER PacketBuffer = new INTERMEDIATE_BUFFER();
IntPtr PacketBufferIntPtr = Marshal.AllocHGlobal(Marshal.SizeOf(PacketBuffer));
try
{
win32api.ZeroMemory(PacketBufferIntPtr, Marshal.SizeOf(PacketBuffer));
Request.hAdapterHandle = adapterHandle;
Request.EthPacket.Buffer = PacketBufferIntPtr;
modules = new ModuleList(this);
modules.LoadExternalModules();
modules.UpdateModuleOrder();
string folder = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData);
folder = folder + System.IO.Path.DirectorySeparatorChar + "firebwall";
if (!System.IO.Directory.Exists(folder))
{
System.IO.Directory.CreateDirectory(folder);
}
folder = folder + System.IO.Path.DirectorySeparatorChar + "pcapLogs";
if (!System.IO.Directory.Exists(folder))
{
System.IO.Directory.CreateDirectory(folder);
}
string f = folder + System.IO.Path.DirectorySeparatorChar + "blocked-" + this.InterfaceInformation.Name + "-" + PcapCreator.Instance.GetNewDate() + ".pcap";
pcaplog = new PcapFileWriter(f);
INTERMEDIATE_BUFFER *PacketPointer;
while (true)
{
hEvent.WaitOne();
while (Ndisapi.ReadPacket(hNdisapi, ref Request))
{
PacketPointer = (INTERMEDIATE_BUFFER *)PacketBufferIntPtr;
//PacketBuffer = (INTERMEDIATE_BUFFER)Marshal.PtrToStructure(PacketBufferIntPtr, typeof(INTERMEDIATE_BUFFER));
Packet pkt = new EthPacket(PacketPointer).MakeNextLayerPacket();
if (pkt.Outbound)
{
OutBandwidth.AddBits(pkt.Length());
}
else
{
InBandwidth.AddBits(pkt.Length());
}
bool drop = false;
bool edit = false;
if (enabled)
{
for (int x = 0; x < modules.Count; x++)
{
FirewallModule fm = modules.GetModule(x);
PacketMainReturn pmr = fm.PacketMain(ref pkt);
if (pmr == null)
{
continue;
}
if ((pmr.returnType & PacketMainReturnType.Log) == PacketMainReturnType.Log && pmr.logMessage != null)
{
LogCenter.Instance.Push(pmr);
}
if ((pmr.returnType & PacketMainReturnType.Drop) == PacketMainReturnType.Drop)
{
drop = true;
break;
}
if ((pmr.returnType & PacketMainReturnType.Edited) == PacketMainReturnType.Edited)
{
edit = true;
}
}
}
if (!drop)
{
if (pkt.Outbound)
{
Ndisapi.SendPacketToAdapter(hNdisapi, ref Request);
}
else
{
Ndisapi.SendPacketToMstcp(hNdisapi, ref Request);
}
}
else
{
pcaplog.AddPacket(pkt.Data(), (int)pkt.Length());
}
}
//OM NOM NOM PASTA!
while (processQueue.Count != 0)
{
Packet pkt = processQueue.Dequeue().MakeNextLayerPacket();
if (pkt.Outbound)
{
OutBandwidth.AddBits(pkt.Length());
}
else
{
InBandwidth.AddBits(pkt.Length());
}
bool drop = false;
bool edit = false;
if (enabled)
{
for (int x = 0; x < modules.Count; x++)
{
FirewallModule fm = modules.GetModule(x);
PacketMainReturn pmr = fm.PacketMain(ref pkt);
if (pmr == null)
{
continue;
}
if ((pmr.returnType & PacketMainReturnType.Log) == PacketMainReturnType.Log && pmr.logMessage != null)
{
LogCenter.Instance.Push(pmr.Module, pmr.logMessage);
}
if ((pmr.returnType & PacketMainReturnType.Drop) == PacketMainReturnType.Drop)
{
drop = true;
break;
}
if ((pmr.returnType & PacketMainReturnType.Edited) == PacketMainReturnType.Edited)
{
edit = true;
}
}
}
if (!drop)
{
if (pkt.Outbound)
{
Ndisapi.SendPacketToAdapter(hNdisapi, ref Request);
}
else
{
Ndisapi.SendPacketToMstcp(hNdisapi, ref Request);
}
}
else
{
pcaplog.AddPacket(pkt.Data(), (int)pkt.Length());
}
}
hEvent.Reset();
}
}
catch (Exception tae)
{
Marshal.FreeHGlobal(PacketBufferIntPtr);
}
}
/// <summary>
/// chuck out bad packets
/// </summary>
/// <param name="in_packet"></param>
/// <returns></returns>
public override PacketMainReturn interiorMain(ref Packet in_packet)
{
try
{
PacketMainReturn pmr;
if (in_packet.ContainsLayer(Protocol.TCP))
{
// cast the packet and check for SYN/outbound
TCPPacket packet = (TCPPacket)in_packet;
if (packet.SYN && packet.Outbound)
{
// check if it's blocked
for (int i = 0; i < block_ranges.Count; ++i)
{
// if its heading towards a blacklisted IP
if (block_ranges[i].IsInRange(packet.DestIP))
{
pmr = new PacketMainReturn("IPGuard");
// check if we should log it
if (this.data.logBlocked)
{
pmr.returnType = PacketMainReturnType.Drop | PacketMainReturnType.Log;
pmr.logMessage = "IPGuard has blocked outgoing packets to " + packet.DestIP;
}
else
pmr.returnType = PacketMainReturnType.Drop;
return pmr;
}
}
}
// check if they want to block incoming packets from these addresses
// as well.
if (this.data.blockIncoming && !(packet.Outbound))
{
for (int i = 0; i < block_ranges.Count; ++i)
{
if (block_ranges[i].IsInRange(packet.SourceIP))
{
pmr = new PacketMainReturn("IPGuard");
// check if we should log it
if (this.data.logBlocked)
{
pmr.returnType = PacketMainReturnType.Drop | PacketMainReturnType.Log;
pmr.logMessage = "IPGuard has blocked incoming packets from " + packet.SourceIP;
}
else
pmr.returnType = PacketMainReturnType.Drop;
return pmr;
}
}
}
}
}
catch (Exception e)
{
System.Diagnostics.Debug.WriteLine("error processing pmr: " + e.Message );
System.Diagnostics.Debug.WriteLine(e.StackTrace);
}
return null;
}
public override PacketMainReturn interiorMain(ref Packet in_packet)
{
if (in_packet.GetHighestLayer() == Protocol.ARP)
{
ARPPacket arpp = (ARPPacket)in_packet;
if (arpp.isRequest && arpp.Outbound)
{
int ip = arpp.ATargetIP.GetHashCode();
if (!requestedIPs.Contains(ip))
requestedIPs.Add(ip);
}
else if (!arpp.Outbound)
{
int ip = arpp.ASenderIP.GetHashCode();
if (!arpp.isRequest)
{
if (requestedIPs.Contains(ip))
{
lock (padlock)
{
if (data.arpCache.ContainsKey(arpp.ASenderIP))
{
if (!Compare(data.arpCache[arpp.ASenderIP], arpp.ASenderMac))
{
PacketMainReturn pmr = new PacketMainReturn(this);
if (data.RectifyAttacks)
pmr.returnType = PacketMainReturnType.Edited;
else
pmr.returnType = PacketMainReturnType.Drop;
if (data.LogAttacks)
pmr.returnType |= PacketMainReturnType.Log | PacketMainReturnType.Popup;
switch (LanguageConfig.GetCurrentLanguage())
{
case LanguageConfig.Language.NONE:
case LanguageConfig.Language.ENGLISH:
pmr.logMessage = "ARP Response from " + new PhysicalAddress(arpp.ASenderMac).ToString() + " for " + arpp.ASenderIP.ToString() + " does not match the ARP cache.";
break;
case LanguageConfig.Language.CHINESE:
pmr.logMessage = new PhysicalAddress(arpp.ASenderMac).ToString() + "为" + arpp.ASenderIP.ToString() + "的ARP响应不匹配的ARP缓存。";
break;
case LanguageConfig.Language.GERMAN:
pmr.logMessage = "ARP Response von " + new PhysicalAddress(arpp.ASenderMac).ToString() + " für " + arpp.ASenderIP.ToString() + " nicht mit dem ARP-Cache.";
break;
case LanguageConfig.Language.RUSSIAN:
pmr.logMessage = "ARP-ответ от " + new PhysicalAddress(arpp.ASenderMac).ToString() + " для " + arpp.ASenderIP.ToString() + " не соответствует кэш ARP.";
break;
case LanguageConfig.Language.SPANISH:
pmr.logMessage = "Respuesta de ARP de " + new PhysicalAddress(arpp.ASenderMac).ToString() + " para " + arpp.ASenderIP.ToString() + " no coincide con la caché ARP.";
break;
case LanguageConfig.Language.PORTUGUESE:
pmr.logMessage = "Resposta da ARP " + new PhysicalAddress(arpp.ASenderMac).ToString() + " para " + arpp.ASenderIP.ToString() + " não coincide com o cache ARP.";
break;
}
if (data.RectifyAttacks)
{
arpp.ATargetIP = arpp.ASenderIP;
arpp.ATargetMac = data.arpCache[arpp.ATargetIP];
arpp.ASenderMac = adapter.InterfaceInformation.GetPhysicalAddress().GetAddressBytes();
arpp.FromMac = arpp.ASenderMac;
arpp.ToMac = arpp.ATargetMac;
foreach (UnicastIPAddressInformation ipv4 in adapter.InterfaceInformation.GetIPProperties().UnicastAddresses)
{
if (ipv4.Address.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork)
{
arpp.ASenderIP = ipv4.Address;
break;
}
}
arpp.Outbound = true;
in_packet = arpp;
}
return pmr;
}
else
{
requestedIPs.Remove(ip);
}
}
else
{
data.arpCache[arpp.ASenderIP] = arpp.ASenderMac;
if (UpdatedArpCache != null)
UpdatedArpCache();
requestedIPs.Remove(ip);
}
}
}
else
{
lock (padlock)
{
if (data.arpCache.ContainsKey(arpp.ASenderIP))
{
if (!Compare(data.arpCache[arpp.ASenderIP], arpp.ASenderMac))
{
PacketMainReturn pmra = new PacketMainReturn(this);
if (data.RectifyAttacks)
pmra.returnType = PacketMainReturnType.Edited;
else
pmra.returnType = PacketMainReturnType.Drop | PacketMainReturnType.Popup;
switch (LanguageConfig.GetCurrentLanguage())
{
case LanguageConfig.Language.NONE:
case LanguageConfig.Language.ENGLISH:
pmra.logMessage = "ARP Response from " + new PhysicalAddress(arpp.ASenderMac).ToString() + " for " + arpp.ASenderIP.ToString() + " does not match the ARP cache.";
break;
case LanguageConfig.Language.CHINESE:
pmra.logMessage = new PhysicalAddress(arpp.ASenderMac).ToString() + "为" + arpp.ASenderIP.ToString() + "的ARP响应不匹配的ARP缓存。";
break;
case LanguageConfig.Language.GERMAN:
pmra.logMessage = "ARP Response von " + new PhysicalAddress(arpp.ASenderMac).ToString() + " für " + arpp.ASenderIP.ToString() + " nicht mit dem ARP-Cache.";
break;
case LanguageConfig.Language.RUSSIAN:
pmra.logMessage = "ARP-ответ от " + new PhysicalAddress(arpp.ASenderMac).ToString() + " для " + arpp.ASenderIP.ToString() + " не соответствует кэш ARP.";
break;
case LanguageConfig.Language.SPANISH:
pmra.logMessage = "Respuesta de ARP de " + new PhysicalAddress(arpp.ASenderMac).ToString() + " para " + arpp.ASenderIP.ToString() + " no coincide con la caché ARP.";
break;
case LanguageConfig.Language.PORTUGUESE:
pmra.logMessage = "Resposta da ARP " + new PhysicalAddress(arpp.ASenderMac).ToString() + " para " + arpp.ASenderIP.ToString() + " não coincide com o cache ARP.";
break;
}
if (data.RectifyAttacks)
{
arpp.ATargetIP = arpp.ASenderIP;
arpp.ATargetMac = data.arpCache[arpp.ATargetIP];
arpp.ASenderMac = adapter.InterfaceInformation.GetPhysicalAddress().GetAddressBytes();
arpp.FromMac = arpp.ASenderMac;
arpp.ToMac = arpp.ATargetMac;
foreach (UnicastIPAddressInformation ipv4 in adapter.InterfaceInformation.GetIPProperties().UnicastAddresses)
{
if (ipv4.Address.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork)
{
arpp.ASenderIP = ipv4.Address;
break;
}
}
arpp.Outbound = true;
in_packet = arpp;
}
return pmra;
}
}
}
PacketMainReturn pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Drop;
if (data.LogUnsolic)
pmr.returnType |= PacketMainReturnType.Log;
switch (LanguageConfig.GetCurrentLanguage())
{
case LanguageConfig.Language.NONE:
case LanguageConfig.Language.ENGLISH:
pmr.logMessage = "Unsolicited ARP Response from " + new PhysicalAddress(arpp.ASenderMac).ToString() + " for " + arpp.ASenderIP.ToString();
break;
case LanguageConfig.Language.CHINESE:
pmr.logMessage = "未经请求的ARP应答为" + arpp.ASenderIP.ToString() + "从" + new PhysicalAddress(arpp.ASenderMac).ToString();
break;
case LanguageConfig.Language.GERMAN:
pmr.logMessage = "Initiativbewerbung ARP Response von " + new PhysicalAddress(arpp.ASenderMac).ToString() + " für " + arpp.ASenderIP.ToString();
break;
case LanguageConfig.Language.RUSSIAN:
pmr.logMessage = "Незапрошенные ответ ARP от " + new PhysicalAddress(arpp.ASenderMac).ToString() + " для " + arpp.ASenderIP.ToString();
break;
case LanguageConfig.Language.SPANISH:
pmr.logMessage = "Respuesta ARP no solicitados de " + new PhysicalAddress(arpp.ASenderMac).ToString() + " para " + arpp.ASenderIP.ToString();
break;
case LanguageConfig.Language.PORTUGUESE:
pmr.logMessage = "Resposta ARP não solicitadas a partir de " + new PhysicalAddress(arpp.ASenderMac).ToString() + " para " + arpp.ASenderIP.ToString();
break;
}
return pmr;
}
}
else
{
lock (padlock)
{
if (data.arpCache.ContainsKey(arpp.ASenderIP))
{
if (!Compare(data.arpCache[arpp.ASenderIP], arpp.ASenderMac))
{
PacketMainReturn pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Drop;
if (data.LogAttacks)
pmr.returnType |= PacketMainReturnType.Log | PacketMainReturnType.Popup;
switch (LanguageConfig.GetCurrentLanguage())
{
case LanguageConfig.Language.NONE:
case LanguageConfig.Language.ENGLISH:
pmr.logMessage = "ARP Response from " + new PhysicalAddress(arpp.ASenderMac).ToString() + " for " + arpp.ASenderIP.ToString() + " does not match the ARP cache.";
break;
case LanguageConfig.Language.CHINESE:
pmr.logMessage = new PhysicalAddress(arpp.ASenderMac).ToString() + "为" + arpp.ASenderIP.ToString() + "的ARP响应不匹配的ARP缓存。";
break;
case LanguageConfig.Language.GERMAN:
pmr.logMessage = "ARP Response von " + new PhysicalAddress(arpp.ASenderMac).ToString() + " für " + arpp.ASenderIP.ToString() + " nicht mit dem ARP-Cache.";
break;
case LanguageConfig.Language.RUSSIAN:
pmr.logMessage = "ARP-ответ от " + new PhysicalAddress(arpp.ASenderMac).ToString() + " для " + arpp.ASenderIP.ToString() + " не соответствует кэш ARP.";
break;
case LanguageConfig.Language.SPANISH:
pmr.logMessage = "Respuesta de ARP de " + new PhysicalAddress(arpp.ASenderMac).ToString() + " para " + arpp.ASenderIP.ToString() + " no coincide con la caché ARP.";
break;
case LanguageConfig.Language.PORTUGUESE:
pmr.logMessage = "Resposta da ARP " + new PhysicalAddress(arpp.ASenderMac).ToString() + " para " + arpp.ASenderIP.ToString() + " não coincide com o cache ARP.";
break;
}
return pmr;
}
}
}
}
return null;
}
return null;
}
return null;
}
// main routine
public override PacketMainReturn interiorMain(ref Packet in_packet)
{
PacketMainReturn pmr;
// check it the packet is, or contains, IP
if (in_packet.ContainsLayer(Protocol.IP))
{
// create a temp IPPacket obj and
// check the IP address
IPPacket temp = (IPPacket)in_packet;
if (!(isIPAllowed(temp.SourceIP)))
{
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Drop;
return(pmr);
}
}
// simple sanity check to dump the ipcache if it gets too large.
// this does not effect the blockcache of banned IPs
if ((ipcache.Count) > 200)
{
ipcache.Clear();
}
// TCP incoming packets
if (in_packet.GetHighestLayer() == Protocol.TCP)
{
TCPPacket packet = ((TCPPacket)in_packet);
packet.PacketTime = DateTime.UtcNow;
// if it's inbound and the SYN flag is set
if (!packet.Outbound && packet.SYN && !packet.ACK)
{
// first packet init
if (TCPprevious_packet == null)
{
TCPprevious_packet = packet;
}
// if the IP hasn't been logged yet
if (!(ipcache.ContainsKey(packet.SourceIP)))
{
ipcache.Add(packet.SourceIP, 1);
}
// if the ipcache contains the ip
else if (ipcache.ContainsKey(packet.SourceIP))
{
// increment the packet count if they're coming in fast
if ((packet.PacketTime - TCPprevious_packet.PacketTime).TotalMilliseconds <= data.dos_threshold)
{
ipcache[packet.SourceIP] = (ipcache[packet.SourceIP]) + 1;
}
else
{
ipcache[packet.SourceIP] = 1;
}
// check if this packet = previous, if the packet count is > 50,
// and if the time between sent packets is less than the threshhold
if (packet.SourceIP.Equals(TCPprevious_packet.SourceIP) &&
((ipcache[packet.SourceIP]) > 50) &&
(packet.PacketTime - TCPprevious_packet.PacketTime).TotalMilliseconds <= data.dos_threshold)
{
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Drop | PacketMainReturnType.Log | PacketMainReturnType.Popup;
pmr.logMessage = "DoS attempt detected from IP " + packet.SourceIP + " (likely spoofed). "
+ " Packets from this IP will be dropped. You can unblock this IP from the module interface.";
data.BlockCache.Add(new BlockedIP(packet.SourceIP, DateTime.UtcNow, "DoS Attempt"));
return(pmr);
}
}
TCPprevious_packet = packet;
}
}
// fraggle attack mitigation
if (in_packet.GetHighestLayer() == Protocol.UDP)
{
UDPPacket packet = ((UDPPacket)in_packet);
packet.PacketTime = DateTime.UtcNow;
// if it's inbound
if (!(packet.Outbound))
{
// add IP to cache or increment packet count
if (!(ipcache.ContainsKey(packet.SourceIP)))
{
ipcache.Add(packet.SourceIP, 1);
}
else
{
ipcache[packet.SourceIP] = (ipcache[packet.SourceIP]) + 1;
}
// if the packet header is empty, headed towards port (7,13,19,17), and count > 50,
// then it's probably a fraggle attack
if (packet.isEmpty() && packet.DestPort.Equals(7) || packet.DestPort.Equals(13) ||
packet.DestPort.Equals(19) || packet.DestPort.Equals(17) &&
(ipcache[packet.SourceIP]) > 50)
{
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Drop | PacketMainReturnType.Log | PacketMainReturnType.Popup;
pmr.logMessage = "Potential fraggle attack from " + packet.SourceIP + " (likely spoofed). "
+ " Packets from this IP will be dropped. You can unblock this IP from the module interface.";
data.BlockCache.Add(new BlockedIP(packet.SourceIP, DateTime.UtcNow, "Fraggle Attempt"));
return(pmr);
}
}
}
// smurf attack mitigation
if (in_packet.GetHighestLayer() == Protocol.ICMP)
{
ICMPPacket packet = ((ICMPPacket)in_packet);
packet.PacketTime = DateTime.UtcNow;
if (!(packet.Outbound))
{
// init the previous packet
if (ICMPprevious_packet == null)
{
ICMPprevious_packet = packet;
}
// add IP to cache or increment packet count
if (!(ipcache.ContainsKey(packet.SourceIP)))
{
ipcache.Add(packet.SourceIP, 1);
}
// if the packet is >= threshold after the previous and it's the same packet, clear up the cache
else if ((packet.PacketTime.Millisecond - ICMPprevious_packet.PacketTime.Millisecond) >= data.dos_threshold &&
packet.Equals(ICMPprevious_packet))
{
ipcache[packet.SourceIP] = 1;
}
// if the packet is coming in quickly, add it to the packet count
else if ((packet.PacketTime.Millisecond - ICMPprevious_packet.PacketTime.Millisecond) <= data.dos_threshold)
{
ipcache[packet.SourceIP] = (ipcache[packet.SourceIP]) + 1;
}
// if the packet is an echo reply and the IP source
// is the same as localhost and the time between packets is <= threshhold and
// there are over 50 accumulated packets, it's probably a smurf attack
if (packet.Type.ToString().Equals("0") &&
packet.Code.ToString().Equals("0") &&
packet.SourceIP.Equals(getLocalIP()) &&
(packet.PacketTime.Millisecond - ICMPprevious_packet.PacketTime.Millisecond) <= data.dos_threshold &&
ipcache[packet.SourceIP] > 50)
{
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Drop | PacketMainReturnType.Log | PacketMainReturnType.Popup;
pmr.logMessage = "Potential Smurf attack from " + packet.SourceIP + " (likely spoofed). "
+ " Packets from this IP will be dropped. You can unblock this IP from the module interface.";
data.BlockCache.Add(new BlockedIP(packet.SourceIP, DateTime.UtcNow, "Smurf Attempt"));
return(pmr);
}
ICMPprevious_packet = packet;
}
}
return(null);
}
/// <summary>
/// handle incoming packets
/// </summary>
/// <param name="in_packet"></param>
/// <returns></returns>
public override PacketMainReturn handlePacket(Packet in_packet)
{
PacketMainReturn pmr;
if (isPoisoning)
{
if (in_packet.ContainsLayer(Protocol.Ethernet) && !(in_packet.Outbound))
{
EthPacket packet = (EthPacket)in_packet;
if (in_packet.ContainsLayer(Protocol.IP))
{
IPPacket ip = (IPPacket)in_packet;
if (ip.DestIP.Equals(GetLocalIP()))
{
return(null);
}
}
// check if the packet is from our USER; if it is, rewrite the destination MAC to the
// router MAC address
if (new PhysicalAddress(packet.FromMac).ToString().Equals(from_mac.ToString()))
{
packet.ToMac = to_mac.GetAddressBytes();
packet.FromMac = local_mac.GetAddressBytes();
packet.Outbound = true;
// send the packet and drop the pmr so the packet isn't processed any further
adapter.SendPacket(packet);
pmr = new PacketMainReturn("PoisonIvy");
pmr.returnType = PacketMainReturnType.Drop;
return(pmr);
}
// check for the TO MAC address; if it's from our gateway, then it needs to be forwarded
// to our poisoned user
if (new PhysicalAddress(packet.FromMac).ToString().Equals(to_mac.ToString()))
{
// swap out the MAC and forward it
packet.ToMac = from_mac.GetAddressBytes();
packet.FromMac = local_mac.GetAddressBytes();
packet.Outbound = true;
// send the packet and drop the pmr so the packet isn't processed any further
adapter.SendPacket(packet);
pmr = new PacketMainReturn("PoisonIvy");
pmr.returnType = PacketMainReturnType.Drop;
return(pmr);
}
}
// repoison if we catch the FROM or TO address making ARP requests to the opposite party
if (in_packet.ContainsLayer(Protocol.ARP) && !(in_packet.Outbound))
{
ARPPacket request = (ARPPacket)in_packet;
// if it's from our FROM ip
if (request.ASenderIP.Equals(from))
{
// if they're requesting the TO ip address, respond. This is a race condition!
if (request.ATargetIP.Equals(to))
{
System.Diagnostics.Debug.WriteLine("repoisoning USER ip " + request.ASenderIP.ToString());
for (int i = 0; i < 10; ++i)
{
adapter.SendPacket(generateARP(to, request.ASenderIP,
local_mac,
new PhysicalAddress(request.ASenderMac)));
System.Threading.Thread.Sleep(500);
}
}
}
// if it's from our TO ip
if (request.ASenderIP.Equals(to))
{
if (request.ATargetIP.Equals(from))
{
System.Diagnostics.Debug.WriteLine("repoisoning GATEWAY ip " + request.ASenderIP.ToString());
for (int i = 0; i < 10; ++i)
{
adapter.SendPacket(generateARP(from, to, local_mac,
to_mac));
System.Threading.Thread.Sleep(500);
}
}
}
}
}
/// if we're waiting for a packet to come through with the FROM address IP, check if this packet is it, and if it is,
/// grab the MAC and save it
if (isWaitingFROM)
{
if (in_packet.ContainsLayer(Protocol.IP) && !(in_packet.Outbound))
{
IPPacket packet = (IPPacket)in_packet;
if (packet.SourceIP.Equals(from))
{
from_mac = new PhysicalAddress(packet.FromMac);
System.Diagnostics.Debug.WriteLine("Caught FROM MAC at: " + from_mac.ToString());
isWaitingFROM = false;
}
}
}
// likewise above with TO address
if (isWaitingTO)
{
if (in_packet.ContainsLayer(Protocol.IP) && !(in_packet.Outbound))
{
IPPacket packet = (IPPacket)in_packet;
if (packet.SourceIP.Equals(to))
{
to_mac = new PhysicalAddress(packet.FromMac);
System.Diagnostics.Debug.WriteLine("Caught TO MAC at: " + to_mac.ToString());
isWaitingTO = false;
}
}
}
return(null);
}
public override PacketMainReturn interiorMain(ref Packet in_packet)
{
PacketMainReturn pmr;
float av = 0;
if (in_packet.ContainsLayer(Protocol.TCP))
{
// if we're in cloaked mode, respond with the SYN ACK
// More information about this in the GUI code and help string
if (data.cloaked_mode && ((TCPPacket)in_packet).SYN)
{
TCPPacket from = (TCPPacket)in_packet;
EthPacket eth = new EthPacket(60);
eth.FromMac = adapter.InterfaceInformation.GetPhysicalAddress().GetAddressBytes();
eth.ToMac = from.FromMac;
eth.Proto = new byte[2] {
0x08, 0x00
};
IPPacket ip = new IPPacket(eth);
ip.DestIP = from.SourceIP;
ip.SourceIP = from.DestIP;
ip.NextProtocol = 0x06;
ip.TotalLength = 40;
ip.HeaderChecksum = ip.GenerateIPChecksum;
TCPPacket tcp = new TCPPacket(ip);
tcp.SourcePort = from.DestPort;
tcp.DestPort = from.SourcePort;
tcp.SequenceNumber = (uint)new Random().Next();
tcp.AckNumber = 0;
tcp.WindowSize = 8192;
tcp.SYN = true;
tcp.ACK = true;
tcp.Checksum = tcp.GenerateChecksum;
tcp.Outbound = true;
adapter.SendPacket(tcp);
}
try
{
TCPPacket packet = (TCPPacket)in_packet;
// if the IP is in the blockcache, then return
if (data.BlockCache.ContainsKey(packet.SourceIP))
{
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Drop;
return(pmr);
}
// checking for TTL allows us to rule out the local network
// Don't check for TCP flags because we can make an educated guess that if 100+ of our ports are
// fingered with a short window, we're being scanned. this will detect syn, ack, null, xmas, etc. scans.
if ((!packet.Outbound) && (packet.TTL < 250))
{
IPObj tmp;
if (ip_table.ContainsKey(packet.SourceIP))
{
tmp = (IPObj)ip_table[packet.SourceIP];
}
else
{
tmp = new IPObj(packet.SourceIP);
}
// add the port to the ipobj, set the access time, and update the table
tmp.addPort(packet.DestPort);
tmp.time(packet.PacketTime);
ip_table[packet.SourceIP] = tmp;
av = tmp.getAverage();
// if they've touched more than 100 ports in less than 30 seconds and the average
// packet time was less than 2s, something's wrong
if (tmp.getTouchedPorts().Count >= 100 && (!tmp.Reported) &&
tmp.getAverage() < 2000)
{
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Log | PacketMainReturnType.Allow;
pmr.logMessage = string.Format("{0} touched {1} ports with an average of {2}\n", packet.SourceIP,
tmp.getTouchedPorts().Count, tmp.getAverage());
// set the reported status of the IP address
ip_table[packet.SourceIP].Reported = true;
// add the address to the potential list of IPs and to the local SESSION-BASED list
if (!data.blockImmediately)
{
potentials.Add(packet.SourceIP, ip_table[packet.SourceIP]);
detect.addPotential(packet.SourceIP);
}
// else we want to block it immediately
else
{
data.BlockCache.Add(packet.SourceIP, ip_table[packet.SourceIP]);
}
return(pmr);
}
}
}
catch (Exception e)
{
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Log;
pmr.logMessage = String.Format("{0}\n{1}\n", e.Message, e.StackTrace);
return(pmr);
}
}
// This will detect UDP knockers. typically UDP scans are slower, but are combined with SYN scans
// (-sSU in nmap) so we'll be sure to check for these guys too.
else if (in_packet.ContainsLayer(Protocol.UDP))
{
try
{
UDPPacket packet = (UDPPacket)in_packet;
// if the source addr is in the block cache, return
if (data.BlockCache.ContainsKey(packet.SourceIP))
{
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Drop;
return(pmr);
}
if ((!packet.Outbound) && (packet.TTL < 250) &&
(!packet.isDNS()))
{
IPObj tmp;
if (ip_table.ContainsKey(packet.SourceIP))
{
tmp = (IPObj)ip_table[packet.SourceIP];
}
else
{
tmp = new IPObj(packet.SourceIP);
}
tmp.addPort(packet.DestPort);
tmp.time(packet.PacketTime);
ip_table[packet.SourceIP] = tmp;
av = tmp.getAverage();
if ((tmp.getTouchedPorts().Count >= 100) && (!tmp.Reported) &&
(tmp.getAverage() < 2000))
{
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Log | PacketMainReturnType.Allow;
pmr.logMessage = string.Format("{0} touched {1} ports with an average of {2}\n", packet.SourceIP,
tmp.getTouchedPorts().Count, tmp.getAverage());
ip_table[packet.SourceIP].Reported = true;
if (!data.blockImmediately)
{
potentials.Add(packet.SourceIP, ip_table[packet.SourceIP]);
detect.addPotential(packet.SourceIP);
}
else
{
data.BlockCache.Add(packet.SourceIP, ip_table[packet.SourceIP]);
}
return(pmr);
}
}
}
catch (Exception e)
{
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Log;
pmr.logMessage = String.Format("{0}\n{1}\n", e.Message, e.StackTrace);
return(pmr);
}
}
return(null);
}