/// <summary>
/// constructor
/// </summary>
/// <param name="deviceToCaptureInfo"></param>
/// <param name="filter"></param>
/// <param name="deviceMode"></param>
/// <param name="reportMethods"></param>
/// <param name="heartBeatDelay"></param>
public BaseSensor(CaptureDeviceDescription deviceToCaptureInfo, string filter, DeviceMode deviceMode, List <ISensorReport> reportMethods, int heartBeatDelay, Enumerations.SensorMode sensorMode)
{
_sensorId = Guid.NewGuid();
_lastTimeval = new PosixTimeval(0, 0);
_reportMethods = reportMethods;
_currentCaptureDevice = GetDeviceToCapture(deviceToCaptureInfo);
_currentCaptureDevice.Open(deviceMode);
if (!string.IsNullOrEmpty(filter))
{
_currentCaptureDevice.Filter = filter;
}
//attach listeners
switch (sensorMode)
{
case Enumerations.SensorMode.PacketCapture:
//_currentCaptureDevice.OnPacketArrival += new PacketArrivalEventHandler(_currentCaptureDevice_OnPacketArrival);
_currentCaptureDevice.OnPacketArrival += new PacketArrivalEventHandler(device_OnPacketArrival);
break;
case Enumerations.SensorMode.Statistics:
var device = _currentCaptureDevice as WinPcapDevice;
device.Mode = CaptureMode.Statistics;
device.OnPcapStatistics += device_OnPcapStatistics;
break;
}
//start heartbeat timer
StartHeartbeat(heartBeatDelay, reportMethods);
}
static void Main(string[] args)
{
List <Ids.Common.Interfaces.ISensorReport> reporters = new List <Ids.Common.Interfaces.ISensorReport>();
reporters.Add(new Ids.Common.Reporters.SimpleReportAgent());
string connectionString = @"Data Source=(localdb)\MSSQLLocalDB;Initial Catalog=IDSDB;Persist Security Info=True;User ID=cyberproduct;Password=x2000; Connect Timeout=600;Max Pool Size = 200;Pooling = True";
AzureSqlDbReportAgent cloudDbReportAgent = new AzureSqlDbReportAgent(connectionString, String.Empty);
reporters.Add(cloudDbReportAgent);
CaptureDeviceDescription cdd = new CaptureDeviceDescription()
{
DeviceNumber = 0,
TextInDeviceName = "whatever"
};
//www.google.com = 216.58.209.100
//const string googleIpAddress = "216.58.209.100";
//WebServerDosSensor wds = WebServerDosSensor.FactoryMethod(cdd, googleIpAddress, 443, false, reporters, 5000);
//cloudDbReportAgent.UpdateSensorId(wds.GetSensorId());
//wds.StartCapturing();
//Console.ReadLine();
//wds.StopCapturing();
const string ftpIpAddress = "192.168.1.74";
FtpServerDosSensor fds = FtpServerDosSensor.FactoryMethod(cdd, ftpIpAddress, 443, false, reporters, 5000);
cloudDbReportAgent.UpdateSensorId(fds.GetSensorId());
fds.StartCapturing();
Console.ReadLine();
fds.StopCapturing();
}
static void Main(string[] args)
{
List <Ids.Common.Interfaces.ISensorReport> reporters = new List <Ids.Common.Interfaces.ISensorReport>();
reporters.Add(new Ids.Common.Reporters.SimpleReportAgent());
CaptureDeviceDescription cdd = new CaptureDeviceDescription()
{
DeviceNumber = 0,
TextInDeviceName = "whatever"
};
string enteredChar = "X";
while (enteredChar != "s" && enteredChar != "p")
{
Console.WriteLine("enter type Statistics Capture (s) or Packet Capture (p):");
enteredChar = Console.ReadLine();
}
BaseSensor baseSensor = null;
if (enteredChar == "p")
{
//baseSensor = new BaseSensor(cdd, "tcp and ip and dst port 80", SharpPcap.DeviceMode.Normal,reporters, 1000, Enumerations.SensorMode.PacketCapture);
baseSensor = new BaseSensor(cdd, "dst 192.168.0.103", SharpPcap.DeviceMode.Normal, reporters, 10000, Enumerations.SensorMode.PacketCapture);
}
else
{
baseSensor = new BaseSensor(cdd, "tcp", SharpPcap.DeviceMode.Normal, reporters, 1000, Enumerations.SensorMode.Statistics);
}
baseSensor.StartCapturing();
Console.ReadLine();
baseSensor.StopCapturing();
}
private ICaptureDevice GetDeviceToCapture(CaptureDeviceDescription deviceToCaptureInfo)
{
ICaptureDevice foundDevice = null;
if ((string.IsNullOrEmpty(deviceToCaptureInfo.TextInDeviceName) && (!deviceToCaptureInfo.DeviceNumber.HasValue)))
{
Console.WriteLine("Device description missing valid information");
//throw new MissingFieldException("Device " + deviceToCaptureInfo.DeviceNumber + " was notfound on this machine");
return(foundDevice);
}
// Retrieve the device list
CaptureDeviceList devices = CaptureDeviceList.Instance;
// if we have no device do nothing
if (devices.Count < 1)
{
//possibly want to log an error here
Console.WriteLine("No devices were found on this machine");
//throw new IndexOutOfRangeException("No devices were found on this machine");
}
else if (devices.Count == 1)
{
foundDevice = devices[0];
}
else
{
if (deviceToCaptureInfo.DeviceNumber.HasValue)
{
if (devices.Count < deviceToCaptureInfo.DeviceNumber)
{
Console.WriteLine("Device " + deviceToCaptureInfo.DeviceNumber + " was notfound on this machine");
//throw new IndexOutOfRangeException("Device " + deviceToCaptureInfo.DeviceNumber + " was notfound on this machine");
}
else
{
foundDevice = devices[(int)deviceToCaptureInfo.DeviceNumber];
}
}
else if (!string.IsNullOrEmpty(deviceToCaptureInfo.TextInDeviceName))
{
foreach (var device in devices)
{
if (device.Name.Contains(deviceToCaptureInfo.TextInDeviceName))
{
foundDevice = device;
break;
}
}
}
}
return(foundDevice);
}
public static FtpServerDosSensor FactoryMethod(CaptureDeviceDescription deviceToCaptureInfo, string webServerAdress, int port, bool sensorDeployedOnWebServer, List<ISensorReport> reportMethods, int heartBeatDelay)
{
//string webFilter = string.Format("((dst net {0}) and (dst port {1}))", webServerAdress, port);
//string webFilter = string.Format("dst net {0}", webServerAdress);
DeviceMode sensorListeningMode = DeviceMode.Promiscuous;
string webFilter = "dst net 192.168.1.74";
if (sensorDeployedOnWebServer) sensorListeningMode = DeviceMode.Promiscuous;
return new FtpServerDosSensor(deviceToCaptureInfo, webFilter, sensorListeningMode, reportMethods, heartBeatDelay);
}
public static WebServerDosSensor FactoryMethod(CaptureDeviceDescription deviceToCaptureInfo, string webServerAdress, int port, bool sensorDeployedOnWebServer, List <ISensorReport> reportMethods, int heartBeatDelay)
{
//string webFilter = string.Format("((dst net {0}) and (dst port {1}))", webServerAdress, port);
//string webFilter = string.Format("dst net {0}", webServerAdress);
DeviceMode sensorListeningMode = DeviceMode.Promiscuous;
string webFilter = "port 80";
if (sensorDeployedOnWebServer)
{
sensorListeningMode = DeviceMode.Normal;
}
return(new WebServerDosSensor(deviceToCaptureInfo, webFilter, sensorListeningMode, reportMethods, heartBeatDelay));
}
public void CreateBaseSensor_ReturnsSuccess()
{
//arrange
CaptureDeviceDescription cdd = new CaptureDeviceDescription()
{
DeviceNumber = 0,
TextInDeviceName = "whatever"
};
List <Ids.Common.Interfaces.ISensorReport> reporters = new List <Ids.Common.Interfaces.ISensorReport>();
reporters.Add(new Ids.Common.Reporters.SimpleReportAgent());
const string googleIpAddress = "216.58.209.100";
//act
WebServerDosSensor wds = WebServerDosSensor.FactoryMethod(cdd, googleIpAddress, 443, false, reporters, 1000);
//assert
Assert.IsNotNull(wds);
}
public void CreateWebServerDosSensor_ReturnsSuccess()
{
//arrange
CaptureDeviceDescription cdd = new CaptureDeviceDescription()
{
DeviceNumber = 0,
TextInDeviceName = "whatever"
};
List <Ids.Common.Interfaces.ISensorReport> reporters = new List <Ids.Common.Interfaces.ISensorReport>();
reporters.Add(new Ids.Common.Reporters.SimpleReportAgent());
//act
BaseSensor baseSensor = new BaseSensor(cdd, "tcp and ip and dst port 80", SharpPcap.DeviceMode.Normal, reporters, 1000, Enumerations.SensorMode.PacketCapture);
baseSensor.StartCapturing();
baseSensor.StopCapturing();
//assert
Assert.IsNotNull(baseSensor);
}
public static WebClientSensor FactoryMethod(CaptureDeviceDescription deviceToCaptureInfo, string[] webServers, int port, bool sensorDeployedOnWebServer, List <ISensorReport> reportMethods, int heartBeatDelay)
{
List <string> webFilter = new List <string>();//string.Format("((dst net {0}) and (dst port {1}))", webServerAdress, port);
//string webFilter = string.Format("dst net {0}", webServerAdress);
// for each webserver need the ipaddress
foreach (string ad in webServers)
{
webFilter.Add(string.Format("host {0}", ad.ToString()));
}
DeviceMode sensorListeningMode = DeviceMode.Promiscuous;
//string webFilter = "port 80";
if (sensorDeployedOnWebServer)
{
sensorListeningMode = DeviceMode.Normal;
}
return(new WebClientSensor(deviceToCaptureInfo, String.Join(" and ", webFilter.ToArray()), sensorListeningMode, reportMethods, heartBeatDelay));
}
static void Main(string[] args)
{
List <Ids.Common.Interfaces.ISensorReport> reporters = new List <Ids.Common.Interfaces.ISensorReport>();
string connectionString = @"Data Source=UB1NB092\SQL2012;Initial Catalog=AzureIdsDb;Persist Security Info=True;User ID=cyberproduct;Password=x2000; Connect Timeout=600;Max Pool Size = 200;Pooling = True";
AzureSqlDbReportAgent cloudDbReportAgent = new AzureSqlDbReportAgent(connectionString,
"7C8FA0D3-1F00-42F1-B849-184348D834F6");
reporters.Add(cloudDbReportAgent);
reporters.Add(new SimpleReportAgent());
CaptureDeviceDescription cdd = new CaptureDeviceDescription()
{
DeviceNumber = 0,
TextInDeviceName = "whatever"
};
string enteredChar = "X";
while (enteredChar != "s" && enteredChar != "p")
{
Console.WriteLine("enter type Statistics Capture (s) or Packet Capture (p):");
enteredChar = Console.ReadLine();
}
BaseSensor baseSensor = null;
if (enteredChar == "p")
{
baseSensor = new BaseSensor(cdd, "port 21", SharpPcap.DeviceMode.Normal, reporters, 20000, Enumerations.SensorMode.PacketCapture);
}
else
{
baseSensor = new BaseSensor(cdd, "tcp", SharpPcap.DeviceMode.Normal, reporters, 1000, Enumerations.SensorMode.Statistics);
}
baseSensor.StartCapturing();
Console.ReadLine();
baseSensor.StopCapturing();
}
/// <summary>
///
/// </summary>
/// <param name="deviceToCaptureInfo"></param>
/// <param name="filter"></param>
/// <param name="deviceMode"></param>
/// <param name="reportMethods"></param>
/// <param name="heartBeatDelay"></param>
/// <param name="timeWindow">How big is the window we measure for a DoS attack</param>
///
///
private WebServerDosSensor(CaptureDeviceDescription deviceToCaptureInfo, string filter, DeviceMode deviceMode, List <ISensorReport> reportMethods, int heartBeatDelay)
: base(deviceToCaptureInfo, filter, deviceMode, reportMethods, heartBeatDelay, Enumerations.SensorMode.PacketCapture)
{
}
/// <summary>
///
/// </summary>
/// <param name="deviceToCaptureInfo"></param>
/// <param name="filter"></param>
/// <param name="deviceMode"></param>
/// <param name="reportMethods"></param>
/// <param name="heartBeatDelay"></param>
/// <param name="timeWindow">How big is the window we measure for a DoS attack</param>
///
///
private FtpServerDosSensor(CaptureDeviceDescription deviceToCaptureInfo, string filter, DeviceMode deviceMode, List<ISensorReport> reportMethods, int heartBeatDelay)
: base(deviceToCaptureInfo, filter, deviceMode, reportMethods, heartBeatDelay, Enumerations.SensorMode.PacketCapture)
{
}
