/// <summary> /// Generate and display the report for the given ip object /// </summary> /// <param name="obj"></param> public void GenerateReport(IPObj obj) { // set the title for the form this.Text = "Report for " + obj.Address.ToString(); // set the fields this.addressField.Text = obj.Address.ToString(); this.accessField.Text = obj.last_access.ToString(); this.averageField.Text = obj.getAverage().ToString(); this.portsField.Text = obj.getTouchedPorts().Count.ToString(); this.portBox.MultiColumn = true; // sort ports List <int> ports = obj.getTouchedPorts(); ports.Sort(); foreach (int p in ports) { portBox.Items.Add(p); } // disable icon this.ShowIcon = false; this.Show(); }
/// <summary> /// This is my janitor tick. If an object hasn't been accessed in 30 seconds, it wipes /// all of its ports. If it hasn't been accessed in a minute, it's removed. /// </summary> /// <param name="sender"></param> /// <param name="e"></param> private void timer_Tick(object sender, EventArgs e) { List <IPAddress> list = new List <IPAddress>(ip_table.Keys); foreach (IPAddress ip in list) { IPObj tmp = (IPObj)ip_table[ip]; if ((DateTime.Now - tmp.last_access).TotalSeconds > 30 && (DateTime.Now - tmp.last_access).TotalSeconds < 60) { tmp.Touched_Ports = new List <int>(); } else if ((DateTime.Now - tmp.last_access).TotalSeconds >= 60) { ip_table.Remove(ip); } } }
/// <summary> /// This is my janitor tick. If an object hasn't been accessed in 30 seconds, it wipes /// all of its ports. If it hasn't been accessed in a minute, it's removed. /// </summary> /// <param name="sender"></param> /// <param name="e"></param> private void timer_Tick(object sender, EventArgs e) { List <IPAddr> list = new List <IPAddr>(ip_table.Keys); foreach (IPAddr ip in list) { IPObj tmp = (IPObj)ip_table[ip]; if (!tmp.Reported) { if ((DateTime.Now.Ticks - tmp.last_access) > (30 * 10000000) && (DateTime.Now.Ticks - tmp.last_access) < (60 * 10000000)) { tmp.Touched_Ports = new SerializableList <int>(); } else if ((DateTime.Now.Ticks - tmp.last_access) >= (60 * 10000000)) { ip_table.Remove(ip); } } } }
/// <summary> /// Generate and display the report for the given ip object /// </summary> /// <param name="obj"></param> public void GenerateReport(IPObj obj) { // set the title for the form this.Text = "Report for " + obj.Address.ToString(); // set the fields this.addressField.Text = obj.Address.ToString(); this.accessField.Text = obj.last_access.ToString(); this.averageField.Text = obj.getAverage().ToString(); this.portsField.Text = obj.getTouchedPorts().Count.ToString(); this.portBox.MultiColumn = true; // sort ports List<int> ports = obj.getTouchedPorts(); ports.Sort(); foreach (int p in ports) { portBox.Items.Add(p); } // disable icon this.ShowIcon = false; this.Show(); }
public override PacketMainReturn interiorMain(ref Packet in_packet) { PacketMainReturn pmr; float av = 0; if (in_packet.ContainsLayer(Protocol.TCP)) { // if we're in cloaked mode, respond with the SYN ACK // More information about this in the GUI code and help string if (data.cloaked_mode && ((TCPPacket)in_packet).SYN) { TCPPacket from = (TCPPacket)in_packet; EthPacket eth = new EthPacket(60); eth.FromMac = adapter.InterfaceInformation.GetPhysicalAddress().GetAddressBytes(); eth.ToMac = from.FromMac; eth.Proto = new byte[2] { 0x08, 0x00 }; IPPacket ip = new IPPacket(eth); ip.DestIP = from.SourceIP; ip.SourceIP = from.DestIP; ip.NextProtocol = 0x06; ip.TotalLength = 40; ip.HeaderChecksum = ip.GenerateIPChecksum; TCPPacket tcp = new TCPPacket(ip); tcp.SourcePort = from.DestPort; tcp.DestPort = from.SourcePort; tcp.SequenceNumber = (uint)new Random().Next(); tcp.AckNumber = 0; tcp.WindowSize = 8192; tcp.SYN = true; tcp.ACK = true; tcp.Checksum = tcp.GenerateChecksum; tcp.Outbound = true; adapter.SendPacket(tcp); } try { TCPPacket packet = (TCPPacket)in_packet; // if the IP is in the blockcache, then return if (data.BlockCache.ContainsKey(packet.SourceIP)) { pmr = new PacketMainReturn(this); pmr.returnType = PacketMainReturnType.Drop; return(pmr); } // checking for TTL allows us to rule out the local network // Don't check for TCP flags because we can make an educated guess that if 100+ of our ports are // fingered with a short window, we're being scanned. this will detect syn, ack, null, xmas, etc. scans. if ((!packet.Outbound) && (packet.TTL < 250)) { IPObj tmp; if (ip_table.ContainsKey(packet.SourceIP)) { tmp = (IPObj)ip_table[packet.SourceIP]; } else { tmp = new IPObj(packet.SourceIP); } // add the port to the ipobj, set the access time, and update the table tmp.addPort(packet.DestPort); tmp.time(packet.PacketTime); ip_table[packet.SourceIP] = tmp; av = tmp.getAverage(); // if they've touched more than 100 ports in less than 30 seconds and the average // packet time was less than 2s, something's wrong if (tmp.getTouchedPorts().Count >= 100 && (!tmp.Reported) && tmp.getAverage() < 2000) { pmr = new PacketMainReturn(this); pmr.returnType = PacketMainReturnType.Log | PacketMainReturnType.Allow; pmr.logMessage = string.Format("{0} touched {1} ports with an average of {2}\n", packet.SourceIP, tmp.getTouchedPorts().Count, tmp.getAverage()); // set the reported status of the IP address ip_table[packet.SourceIP].Reported = true; // add the address to the potential list of IPs and to the local SESSION-BASED list if (!data.blockImmediately) { potentials.Add(packet.SourceIP, ip_table[packet.SourceIP]); detect.addPotential(packet.SourceIP); } // else we want to block it immediately else { data.BlockCache.Add(packet.SourceIP, ip_table[packet.SourceIP]); } return(pmr); } } } catch (Exception e) { pmr = new PacketMainReturn(this); pmr.returnType = PacketMainReturnType.Log; pmr.logMessage = String.Format("{0}\n{1}\n", e.Message, e.StackTrace); return(pmr); } } // This will detect UDP knockers. typically UDP scans are slower, but are combined with SYN scans // (-sSU in nmap) so we'll be sure to check for these guys too. else if (in_packet.ContainsLayer(Protocol.UDP)) { try { UDPPacket packet = (UDPPacket)in_packet; // if the source addr is in the block cache, return if (data.BlockCache.ContainsKey(packet.SourceIP)) { pmr = new PacketMainReturn(this); pmr.returnType = PacketMainReturnType.Drop; return(pmr); } if ((!packet.Outbound) && (packet.TTL < 250) && (!packet.isDNS())) { IPObj tmp; if (ip_table.ContainsKey(packet.SourceIP)) { tmp = (IPObj)ip_table[packet.SourceIP]; } else { tmp = new IPObj(packet.SourceIP); } tmp.addPort(packet.DestPort); tmp.time(packet.PacketTime); ip_table[packet.SourceIP] = tmp; av = tmp.getAverage(); if ((tmp.getTouchedPorts().Count >= 100) && (!tmp.Reported) && (tmp.getAverage() < 2000)) { pmr = new PacketMainReturn(this); pmr.returnType = PacketMainReturnType.Log | PacketMainReturnType.Allow; pmr.logMessage = string.Format("{0} touched {1} ports with an average of {2}\n", packet.SourceIP, tmp.getTouchedPorts().Count, tmp.getAverage()); ip_table[packet.SourceIP].Reported = true; if (!data.blockImmediately) { potentials.Add(packet.SourceIP, ip_table[packet.SourceIP]); detect.addPotential(packet.SourceIP); } else { data.BlockCache.Add(packet.SourceIP, ip_table[packet.SourceIP]); } return(pmr); } } } catch (Exception e) { pmr = new PacketMainReturn(this); pmr.returnType = PacketMainReturnType.Log; pmr.logMessage = String.Format("{0}\n{1}\n", e.Message, e.StackTrace); return(pmr); } } return(null); }
public override PacketMainReturn interiorMain(ref Packet in_packet) { PacketMainReturn pmr; float av = 0; if (in_packet.ContainsLayer(Protocol.TCP)) { // if we're in cloaked mode, respond with the SYN ACK // More information about this in the GUI code and help string if (data.cloaked_mode && ((TCPPacket)in_packet).SYN) { TCPPacket from = (TCPPacket)in_packet; EthPacket eth = new EthPacket(60); eth.FromMac = adapter.InterfaceInformation.GetPhysicalAddress().GetAddressBytes(); eth.ToMac = from.FromMac; eth.Proto = new byte[2] { 0x08, 0x00 }; IPPacket ip = new IPPacket(eth); ip.DestIP = from.SourceIP; ip.SourceIP = from.DestIP; ip.NextProtocol = 0x06; ip.TotalLength = 40; ip.HeaderChecksum = ip.GenerateIPChecksum; TCPPacket tcp = new TCPPacket(ip); tcp.SourcePort = from.DestPort; tcp.DestPort = from.SourcePort; tcp.SequenceNumber = (uint)new Random().Next(); tcp.AckNumber = 0; tcp.WindowSize = 8192; tcp.SYN = true; tcp.ACK = true; tcp.Checksum = tcp.GenerateChecksum; tcp.Outbound = true; adapter.SendPacket(tcp); } try { TCPPacket packet = (TCPPacket)in_packet; // if the IP is in the blockcache, then return if (data.BlockCache.ContainsKey(packet.SourceIP)) { pmr = new PacketMainReturn(this); pmr.returnType = PacketMainReturnType.Drop; return pmr; } // checking for TTL allows us to rule out the local network // Don't check for TCP flags because we can make an educated guess that if 100+ of our ports are // fingered with a short window, we're being scanned. this will detect syn, ack, null, xmas, etc. scans. if ((!packet.Outbound) && (packet.TTL < 250)) { IPObj tmp; if (ip_table.ContainsKey(packet.SourceIP)) tmp = (IPObj)ip_table[packet.SourceIP]; else tmp = new IPObj(packet.SourceIP); // add the port to the ipobj, set the access time, and update the table tmp.addPort(packet.DestPort); tmp.time(packet.PacketTime); ip_table[packet.SourceIP] = tmp; av = tmp.getAverage(); // if they've touched more than 100 ports in less than 30 seconds and the average // packet time was less than 2s, something's wrong if (tmp.getTouchedPorts().Count >= 100 && (!tmp.Reported) && tmp.getAverage() < 2000 ) { pmr = new PacketMainReturn(this); pmr.returnType = PacketMainReturnType.Log | PacketMainReturnType.Allow; pmr.logMessage = string.Format("{0} touched {1} ports with an average of {2}\n", packet.SourceIP, tmp.getTouchedPorts().Count, tmp.getAverage()); // set the reported status of the IP address ip_table[packet.SourceIP].Reported = true; // add the address to the potential list of IPs and to the local SESSION-BASED list if (!data.blockImmediately) { potentials.Add(packet.SourceIP, ip_table[packet.SourceIP]); detect.addPotential(packet.SourceIP); } // else we want to block it immediately else data.BlockCache.Add(packet.SourceIP, ip_table[packet.SourceIP]); return pmr; } } } catch (Exception e) { pmr = new PacketMainReturn(this); pmr.returnType = PacketMainReturnType.Log; pmr.logMessage = String.Format("{0}\n{1}\n", e.Message, e.StackTrace); return pmr; } } // This will detect UDP knockers. typically UDP scans are slower, but are combined with SYN scans // (-sSU in nmap) so we'll be sure to check for these guys too. else if (in_packet.ContainsLayer(Protocol.UDP)) { try { UDPPacket packet = (UDPPacket)in_packet; // if the source addr is in the block cache, return if (data.BlockCache.ContainsKey(packet.SourceIP)) { pmr = new PacketMainReturn(this); pmr.returnType = PacketMainReturnType.Drop; return pmr; } if ((!packet.Outbound) && (packet.TTL < 250) && (!packet.isDNS())) { IPObj tmp; if (ip_table.ContainsKey(packet.SourceIP)) tmp = (IPObj)ip_table[packet.SourceIP]; else tmp = new IPObj(packet.SourceIP); tmp.addPort(packet.DestPort); tmp.time(packet.PacketTime); ip_table[packet.SourceIP] = tmp; av = tmp.getAverage(); if ((tmp.getTouchedPorts().Count >= 100) && (!tmp.Reported) && (tmp.getAverage() < 2000)) { pmr = new PacketMainReturn(this); pmr.returnType = PacketMainReturnType.Log | PacketMainReturnType.Allow; pmr.logMessage = string.Format("{0} touched {1} ports with an average of {2}\n", packet.SourceIP, tmp.getTouchedPorts().Count, tmp.getAverage()); ip_table[packet.SourceIP].Reported = true; if (!data.blockImmediately) { potentials.Add(packet.SourceIP, ip_table[packet.SourceIP]); detect.addPotential(packet.SourceIP); } else data.BlockCache.Add(packet.SourceIP, ip_table[packet.SourceIP]); return pmr; } } } catch (Exception e) { pmr = new PacketMainReturn(this); pmr.returnType = PacketMainReturnType.Log; pmr.logMessage = String.Format("{0}\n{1}\n", e.Message, e.StackTrace); return pmr; } } return null; }