Esempio n. 1
        /// <summary>
        /// Flags sender/target hardware-address pairs that exchanged a burst of ARP packets.
        /// </summary>
        /// <param name='packets'>
        /// The collection of packets to scan.
        /// </param>
        /// <returns>
        /// One "ARP Spoof" result for every sender/target pair with at least 20 ARP packets
        /// time-stamped inside the last 90 seconds; an empty list when no pair qualifies.
        /// </returns>
        public override IEnumerable <ScannerResult> Scan(IDataPacketCollection packets)
        {
            // NOTE(review): this is a pure volume heuristic. Only the protocol and the two
            // hardware addresses are examined; the ARP operation and the announced IP-to-MAC
            // binding are not, so a busy legitimate host can trip it and a sender that stays
            // under the threshold is never reported. Treat a hit as a lead to triage.
            var findings = new List <ScannerResult>();

            // Start of the 90-second window, measured from the local wall clock.
            // NOTE(review): assumes packet timestamps are local time as well - confirm.
            var windowStart = DateTime.Now.AddSeconds(-90);

            // Index every ARP packet by the hardware address that sent it.
            var arpBySender = packets.Items
                              .Where(p => p.Protocol == NetworkProtocol.arp)
                              .ToLookup(p => p.HardwareAddressSource);

            foreach (string senderMac in arpBySender.Select(g => g.Key))
            {
                // Split this sender's traffic by the hardware address it was aimed at.
                var byTarget = arpBySender[senderMac].ToLookup(p => p.HardwareAddressTarget);

                foreach (var targetMac in byTarget.Select(g => g.Key))
                {
                    var conversation = byTarget[targetMac];

                    // Too few packets inside the window: nothing to report for this pair.
                    if (conversation.Count(p => p.Timestamp >= windowStart) < 20)
                    {
                        continue;
                    }

                    // The attached evidence is the whole conversation, including packets
                    // older than the window; only the threshold test is time-bounded.
                    var sample = conversation.First();

                    findings.Add(new ScannerResult(sample.HardwareAddressSource,
                                                   sample.HardwareAddressTarget,
                                                   "ARP Spoof",
                                                   this,
                                                   conversation));
                }
            }

            return findings;
        }
Esempio n. 2
        /// <summary>
        /// Placeholder scanner for UDP traffic sent from port 53.
        /// </summary>
        /// <param name='packets'>
        /// The collection of packets to scan.
        /// </param>
        /// <returns>
        /// Always an empty list: the per-sender loop has no body, so nothing is ever reported.
        /// </returns>
        public override System.Collections.Generic.IEnumerable <ScannerResult> Scan(IDataPacketCollection packets)
        {
            // Findings would be collected here; nothing below adds to it yet.
            var findings = new List <ScannerResult>();

            // Start of the 90-second window, measured from the local wall clock.
            // NOTE(review): assumes packet timestamps are local time as well - confirm.
            var windowStart = DateTime.Now.AddSeconds(-90);

            // Recent UDP packets whose SOURCE port is 53, indexed by sending hardware address.
            // Filtering on the source port selects traffic coming from a DNS server port
            // (responses), not the queries sent to it.
            var dnsBySender = packets.Items
                              .Where(p => p.Protocol == NetworkProtocol.udp
                                          && p.PortSource == 53
                                          && p.Timestamp >= windowStart)
                              .ToLookup(p => p.HardwareAddressSource);

            foreach (var senderMac in dnsBySender.Select(g => g.Key))
            {
                // TODO: no detection logic is implemented for the grouped packets.
            }

            return findings;
        }
Esempio n. 3
        /// <summary>
        /// Flags source/destination IP pairs whose recent TCP traffic touches a long run of destination ports.
        /// </summary>
        /// <param name='packets'>
        /// The collection of packets to scan.
        /// </param>
        /// <returns>
        /// One "Port Scan" result per source/destination IP pair for which LIS, applied to the
        /// sorted destination ports seen in the last 90 seconds, exceeds 30; otherwise an empty list.
        /// </returns>
        public override IEnumerable <ScannerResult> Scan(IDataPacketCollection packets)
        {
            // NOTE(review): only destination ports are examined; TCP flags and connection
            // state are not, so ordinary traffic spread over many ports can also reach the threshold.
            var findings = new List <ScannerResult>();

            // Start of the 90-second window, measured from the local wall clock.
            // NOTE(review): assumes packet timestamps are local time as well - confirm.
            var windowStart = DateTime.Now.AddSeconds(-90);

            // Recent TCP packets, indexed by the IP address that sent them.
            var tcpBySource = packets.Items
                              .Where(p => p.Protocol == NetworkProtocol.tcp
                                          && p.Timestamp >= windowStart)
                              .ToLookup(p => p.IpAddressSource);

            foreach (var sourceIp in tcpBySource.Select(g => g.Key))
            {
                // Split this source's traffic by the IP address it was sent to.
                var byDestination = tcpBySource[sourceIp].ToLookup(p => p.IpAddressDestination);

                foreach (var destinationIp in byDestination.Select(g => g.Key))
                {
                    // Deferred query: the sort is re-run each time 'ordered' is enumerated.
                    var ordered = byDestination[destinationIp].OrderBy(p => p.PortDestination);

                    // LIS is defined elsewhere in the class; presumably the length of the
                    // longest increasing run of port numbers - verify against its definition.
                    var longestRun = LIS(ordered.Select(p => p.PortDestination).ToArray());

                    if (longestRun > 30)
                    {
                        // Packets were grouped by IP, but the result is labelled with the
                        // hardware addresses of the packet with the lowest destination port.
                        var sample = ordered.First();

                        findings.Add(new ScannerResult(sample.HardwareAddressSource,
                                                       sample.HardwareAddressTarget,
                                                       "Port Scan",
                                                       this,
                                                       ordered));
                    }
                }
            }

            return findings;
        }
Esempio n. 4
 /// <summary>
 /// Scans the specified packets for patterns.
 /// </summary>
 /// <param name='packets'>
 /// The collection of packets to scan.
 /// </param>
 /// <returns>
 /// The results produced by the scan, one <see cref="ScannerResult"/> per reported pattern.
 /// </returns>
 public abstract IEnumerable <ScannerResult> Scan(IDataPacketCollection packets);