// Ctor allows conversion from L4Packet to Connection.
public Connection(IPV4_PACKET pkt)
{
Type = new ConnectionType(pkt.protocol);
_state = new ConnectionState(TransmissionDirection.ONE_WAY);
SrcHost = new ConnectionAddress(pkt.source_address);
DstHost = new ConnectionAddress(pkt.destination_address);
SrcPort = pkt.source_port;
DstPort = pkt.destination_port;
DstGeo = new GeoData();
_packetCount = 1;
_dataSize = pkt.payload_size;
TimeStamp = DateTime.Now;
DstASN = null;
DstASNOrg = "--";
}
public override bool Equals(Object obj)
{
// Check for null and compare run-time types.
if (obj != null && obj is ConnectionAddress)
{
// Cast objest to usable current type.
ConnectionAddress addr = obj as ConnectionAddress;
if (Equals(this.Address, addr.Address))
{
return(true);
}
}
return(false);
}
// Used to ensure that a valid filter is constructed.
static public bool TryParse(Argument argument, Modifyer modifyer, string value, out Filter filter)
{
// Set default value of filter incase parsing fails.
filter = new Filter(Argument.NULL, Modifyer.NONE, string.Empty, string.Empty);
// Create empty potential secondaryValue (may be used by some arguments).
string secondaryValue = String.Empty;
// Don't allow modifyers on arguments that don't use them.
if (!(argument == Argument.HOST || argument == Argument.PORT) &&
modifyer != Modifyer.NONE)
{
return(false);
}
// Validate host argument.
if (argument == Argument.HOST)
{
// Check for an IP range.
if (value.Split('-').Length == 2)
{
// Split string based on '-' delimiter (represents a range).
secondaryValue = value.Split('-')[1];
value = value.Split('-')[0];
// Check IP against regex before TryParse.
if (Regex.Match(secondaryValue, Filter.nonNumericAndDotRegex).Length > 0)
{
return(false);
}
// Make sure secondary IP is valid.
if (!IPAddress.TryParse(secondaryValue, out IPAddress _))
{
return(false);
}
}
// Check IP against regex before TryParse.
if (Regex.Match(value, Filter.nonNumericAndDotRegex).Length > 0)
{
return(false);
}
// Make sure primary IP is valid.
if (!IPAddress.TryParse(value, out IPAddress _))
{
return(false);
}
// Make sure range is sane.
if (secondaryValue != string.Empty && ConnectionAddress.IPV4ToUint32(IPAddress.Parse(value))
>= ConnectionAddress.IPV4ToUint32(IPAddress.Parse(secondaryValue)))
{
return(false);
}
}
// Validate port argument.
else if (argument == Argument.PORT)
{
// Check for a port range.
if (value.Split('-').Length == 2)
{
// Split string based on '-' delimiter (represents a range).
secondaryValue = value.Split('-')[1];
value = value.Split('-')[0];
// Check Port against regex before TryParse.
if (Regex.Match(secondaryValue, Filter.nonNumericRegex).Length > 0)
{
return(false);
}
// Make sure we have a valid secondary port value.
if (!UInt16.TryParse(secondaryValue, out _))
{
return(false);
}
}
// Check Port against regex before TryParse.
if (Regex.Match(value, Filter.nonNumericRegex).Length > 0)
{
return(false);
}
// Make sure we have a valid primary port value.
if (!UInt16.TryParse(value, out _))
{
return(false);
}
// Make sure range is sane.
if (secondaryValue != string.Empty && UInt16.Parse(value) >= UInt16.Parse(secondaryValue))
{
return(false);
}
}
else if (argument == Argument.ISO)
{
// ISO code should have at 2 or 5 chars.
if (!(value.Length == 2 || value.Length == 5))
{
return(false);
}
// Check string against regex before.
if (Regex.Match(value, Filter.nonAlphaAndDashRegex).Length > 0)
{
return(false);
}
}
else if (argument == Argument.ASN)
{
// Check string against regex before.
if (Regex.Match(value, Filter.nonAlphaNumericAndSeparatorsRegex).Length > 0)
{
return(false);
}
}
// Create new filter on successful parse.
filter = new Filter(argument, modifyer, value, secondaryValue);
return(true);
}
// Checks if a connection matches the filter.
public bool IsMatch(Connection conn)
{
// If we have no filters, nothing can match.
if (!(Filters.Count > 0))
{
return(false);
}
// Check all active filters against the connection.
foreach (Filter filter in Filters)
{
// Drop through each possible filter type and run the matching argument test.
if (filter.Argument == Argument.TCP && conn.Type.Protocol != L4_PROTOCOL.TCP)
{
return(false);
}
else if (filter.Argument == Argument.UDP && conn.Type.Protocol != L4_PROTOCOL.UDP)
{
return(false);
}
else if (filter.Argument == Argument.HOST)
{
// Handle ANY matching host.
if (filter.Modifyer == Modifyer.NONE)
{
// Handle range based values.
if (filter.SecondaryValue != String.Empty)
{
UInt32 lowerRange = ConnectionAddress.IPV4ToUint32(IPAddress.Parse(filter.Value));
UInt32 upperRange = ConnectionAddress.IPV4ToUint32(IPAddress.Parse(filter.SecondaryValue));
if (!(conn.SrcHost.AddressValue() >= lowerRange && conn.SrcHost.AddressValue() <= upperRange) &&
!(conn.DstHost.AddressValue() >= lowerRange && conn.DstHost.AddressValue() <= upperRange))
{
return(false);
}
}
// Handle single value.
else if (!conn.SrcHost.Address.ToString().Equals(filter.Value) &&
!conn.DstHost.Address.ToString().Equals(filter.Value))
{
return(false);
}
}
// Handle SRC matching host.
else if (filter.Modifyer == Modifyer.SRC)
{
// Handle range based values.
if (filter.SecondaryValue != String.Empty)
{
UInt32 lowerRange = ConnectionAddress.IPV4ToUint32(IPAddress.Parse(filter.Value));
UInt32 upperRange = ConnectionAddress.IPV4ToUint32(IPAddress.Parse(filter.SecondaryValue));
if (!(conn.SrcHost.AddressValue() >= lowerRange && conn.SrcHost.AddressValue() <= upperRange))
{
return(false);
}
}
// Handle single value.
else if (!conn.SrcHost.Address.ToString().Equals(filter.Value))
{
return(false);
}
}
// Handle DST matching host.
else if (filter.Modifyer == Modifyer.DST)
{
// Handle range based values.
if (filter.SecondaryValue != String.Empty)
{
UInt32 lowerRange = ConnectionAddress.IPV4ToUint32(IPAddress.Parse(filter.Value));
UInt32 upperRange = ConnectionAddress.IPV4ToUint32(IPAddress.Parse(filter.SecondaryValue));
if (!(conn.DstHost.AddressValue() >= lowerRange && conn.DstHost.AddressValue() <= upperRange))
{
return(false);
}
}
// Handle single value.
else if (!conn.DstHost.Address.ToString().Equals(filter.Value))
{
return(false);
}
}
}
else if (filter.Argument == Argument.PORT)
{
// Handle ANY matching port.
if (filter.Modifyer == Modifyer.NONE)
{
// Handle range based values.
if (filter.SecondaryValue != String.Empty)
{
UInt16 lowerRange = UInt16.Parse(filter.Value);
UInt16 upperRange = UInt16.Parse(filter.SecondaryValue);
if (!(conn.SrcPort >= lowerRange && conn.SrcPort <= upperRange) &&
!(conn.DstPort >= lowerRange && conn.DstPort <= upperRange))
{
return(false);
}
}
// Handle single value.
else if (!conn.SrcPort.ToString().Equals(filter.Value) && !conn.DstPort.ToString().Equals(filter.Value))
{
return(false);
}
}
// Handle SRC matching port.
else if (filter.Modifyer == Modifyer.SRC)
{
// Handle range based values.
if (filter.SecondaryValue != String.Empty)
{
UInt16 lowerRange = UInt16.Parse(filter.Value);
UInt16 upperRange = UInt16.Parse(filter.SecondaryValue);
if (!(conn.SrcPort >= lowerRange && conn.SrcPort <= upperRange))
{
return(false);
}
}
// Handle single value.
else if (!conn.SrcPort.ToString().Equals(filter.Value))
{
return(false);
}
}
// Handle DST matching port.
else if (filter.Modifyer == Modifyer.DST)
{
// Handle range based values.
if (filter.SecondaryValue != String.Empty)
{
UInt16 lowerRange = UInt16.Parse(filter.Value);
UInt16 upperRange = UInt16.Parse(filter.SecondaryValue);
if (!(conn.DstPort >= lowerRange && conn.DstPort <= upperRange))
{
return(false);
}
}
// Handle single value.
else if (!conn.DstPort.ToString().Equals(filter.Value))
{
return(false);
}
}
}
else if (filter.Argument == Argument.ISO)
{
if (!(Regex.Match(conn.DstGeo.ToString().ToLower(), filter.Value).Length > 0))
{
return(false);
}
}
else if (filter.Argument == Argument.ASN)
{
if (!(Regex.Match(conn.DstASNOrg.ToLower(), filter.Value).Length > 0))
{
return(false);
}
}
}
// No non-matches were found with active filters, so we must have a match.
return(true);
}