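/// <summary>
/// Scans the ARP traffic in <paramref name="packets"/> for sender/target hardware address
/// pairs that exchanged an unusually high number of ARP packets within the lookback window.
/// </summary>
/// <param name="packets">The collection of packets to scan.</param>
/// <returns>
/// One <see cref="ScannerResult"/> per sender/target pair whose ARP packet count inside the
/// lookback window reached the threshold; empty when nothing was flagged.
/// </returns>
public override IEnumerable<ScannerResult> Scan(IDataPacketCollection packets)
{
    // Detection tuning: a sender/target pair is flagged once at least this many ARP
    // packets were observed between them inside the lookback window.
    const int ArpPacketThreshold = 20;
    TimeSpan lookbackWindow = TimeSpan.FromSeconds(90);

    var results = new List<ScannerResult>();

    // Earliest timestamp still treated as "recent". It is compared against packet.Timestamp,
    // so both must come from the same clock (local time here) — verify against the capture source.
    var lookback = DateTime.Now - lookbackWindow;

    // All ARP packets, keyed by sender hardware address.
    var arpBySource = packets.Items
        .Where(x => x.Protocol == NetworkProtocol.arp)
        .ToLookup(x => x.HardwareAddressSource);

    foreach (var senderPackets in arpBySource)
    {
        // Within one sender, key by the target hardware address.
        var arpByTarget = senderPackets.ToLookup(x => x.HardwareAddressTarget);

        foreach (var pairPackets in arpByTarget)
        {
            // Only packets inside the lookback window count towards the threshold; the full
            // packet history for the pair is still reported in the result, as before.
            int recentCount = pairPackets.Count(x => x.Timestamp >= lookback);
            if (recentCount < ArpPacketThreshold)
            {
                continue;
            }

            var packet = pairPackets.First();
            results.Add(new ScannerResult(
                packet.HardwareAddressSource,
                packet.HardwareAddressTarget,
                "ARP Spoof",
                this,
                pairPackets));
        }
    }

    return results;
}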
/// <summary>
/// Scans <paramref name="packets"/> for DNS-related patterns.
/// NOTE(review): detection is not implemented yet — the per-sender loop has no body, so this
/// override always returns an empty sequence.
/// </summary>
/// <param name="packets">The collection of packets to scan.</param>
/// <returns>Always empty in the current implementation.</returns>
public override System.Collections.Generic.IEnumerable<ScannerResult> Scan(IDataPacketCollection packets)
{
    var findings = new List<ScannerResult>();

    // Only packets newer than this are grouped: a 90-second lookback from the local clock.
    // Compared against packet.Timestamp, so both must use the same clock — verify against the capture source.
    DateTime earliest = DateTime.Now.AddSeconds(-90);

    // UDP packets with source port 53 (presumably DNS responses) inside the window,
    // keyed by sender hardware address.
    var dnsBySender = packets.Items
        .Where(x => x.Protocol == NetworkProtocol.udp && x.PortSource == 53 && x.Timestamp >= earliest)
        .ToLookup(x => x.HardwareAddressSource);

    foreach (var senderPackets in dnsBySender)
    {
        // TODO: no DNS detection logic exists yet; nothing is ever added to findings.
    }

    return findings;
}
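/// <summary>
/// Scans the recent TCP traffic in <paramref name="packets"/> for source/destination IP pairs
/// whose destination ports form a long increasing sequence, which is reported as a port scan.
/// </summary>
/// <param name="packets">The collection of packets to scan.</param>
/// <returns>
/// One <see cref="ScannerResult"/> per source/destination pair that exceeded the port
/// sequence threshold; empty when nothing was flagged.
/// </returns>
public override IEnumerable<ScannerResult> Scan(IDataPacketCollection packets)
{
    // Detection tuning: a pair is flagged when the longest increasing run of destination
    // ports (as computed by LIS) is longer than this.
    const int PortSequenceThreshold = 30;
    TimeSpan lookbackWindow = TimeSpan.FromSeconds(90);

    var results = new List<ScannerResult>();

    // Earliest timestamp still treated as "recent". It is compared against packet.Timestamp,
    // so both must come from the same clock (local time here) — verify against the capture source.
    var lookback = DateTime.Now - lookbackWindow;

    // Recent TCP packets, keyed by source IP address.
    var tcpBySource = packets.Items
        .Where(x => x.Protocol == NetworkProtocol.tcp && x.Timestamp >= lookback)
        .ToLookup(x => x.IpAddressSource);

    foreach (var sourcePackets in tcpBySource)
    {
        // Within one source, key by destination IP address.
        var tcpByDestination = sourcePackets.ToLookup(x => x.IpAddressDestination);

        foreach (var pairPackets in tcpByDestination)
        {
            // Materialised once: the deferred OrderBy query was previously re-run for the
            // port array, for First() and again whenever the ScannerResult payload was read.
            var matches = pairPackets.OrderBy(x => x.PortDestination).ToList();
            var ports = matches.Select(x => x.PortDestination).ToArray();

            // NOTE(review): ports are already sorted ascending here, so the LIS result is
            // roughly the distinct port count if LIS is strict, or the packet count if not;
            // confirm against LIS before tuning the threshold.
            var longestSequence = LIS(ports);
            if (longestSequence <= PortSequenceThreshold)
            {
                continue;
            }

            // Groups are never empty, so the first sorted packet always exists.
            var offendingPacket = matches[0];
            results.Add(new ScannerResult(
                offendingPacket.HardwareAddressSource,
                offendingPacket.HardwareAddressTarget,
                "Port Scan",
                this,
                matches));
        }
    }

    return results;
}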
/// <summary>
/// Scans the specified packets for patterns.
/// </summary>
/// <param name='packets'>
/// The collection of packets to scan.
/// </param>
/// <returns>
/// One <see cref="ScannerResult"/> per pattern found in the packets; an empty sequence when nothing matched.
/// </returns>
public abstract IEnumerable <ScannerResult> Scan(IDataPacketCollection packets);