public List <ProbeEvent> Search(List <SniffedPacket> packets)
{
var allProbes = new List <ProbeEvent>();
//get a list of unique source IP's in the list of packets
//look at each session (comms between a src and dst)
var sessions = packets.GroupBy(x => x.sessionID);
//vertical probe - when a srcip scans many ports of a dst
foreach (var group in sessions)
{
//get the number of unique dst ports in this session
var uniquePorts = group.Select(x => x.application.tcp.DestinationPort).Distinct();
var numOfUniquePorts = uniquePorts.Count();
if (numOfUniquePorts > 6)
{
//possible vertical probe event
var vprobe = new ProbeEvent();
var sniffedPacketsJson = new List <SniffedPacketJSON>();
group.ToList().ForEach(delegate(SniffedPacket sp)
{
sniffedPacketsJson.Add(sp.ToJSON());
});
vprobe.Create(sniffedPacketsJson, "Vertical");
allProbes.Add(vprobe);
}
}
//horizontal probe - when a srcip has many dst's but a single port
var srcs = packets.GroupBy(x => x.transport.SourceAddress);
foreach (var srcgroup in srcs)
{
//get a unique list of all the ports this src has tried to reach
var uniquePorts = srcgroup.Select(x => x.application.tcp.DestinationPort).Distinct();
//loop throug each port and get the number of unique destination ip's
foreach (var port in uniquePorts)
{
var uniqueDstIPs = srcgroup.Select(x => x.transport.DestinationAddress).Distinct();
if (uniqueDstIPs.Count() > 5)
{
//possible horizontal probing event
//looking for open port on this unique port
//becuase there are more than 3 destinations bieng accessed by a signle source
//possible vertical probe event
var hprobe = new ProbeEvent();
var sniffedPacketsJson = new List <SniffedPacketJSON>();
srcgroup.ToList().ForEach(delegate(SniffedPacket sp)
{
sniffedPacketsJson.Add(sp.ToJSON());
});
hprobe.Create(sniffedPacketsJson, "Horizontal");
allProbes.Add(hprobe);
}
}
}
//strobe probes
//multiple ports multiple IPss
//we can scan for events that trigger multiple vetical and horizontal ports
//vertical probe - when a srcip scans many ports of a dst
foreach (var group in sessions)
{
//get the number of unique dst ports in this session
var uniquePorts = group.Select(x => x.application.tcp.DestinationPort).Distinct();
var uniqueDst = group.Select(x => x.transport.DestinationAddress).Distinct();
if (uniquePorts.Count() > 6 && uniqueDst.Count() > 5)
{
//possible vertical probe event
var sprobe = new ProbeEvent();
var sniffedPacketsJson = new List <SniffedPacketJSON>();
group.ToList().ForEach(delegate(SniffedPacket sp)
{
sniffedPacketsJson.Add(sp.ToJSON());
});
sprobe.Create(sniffedPacketsJson, "Strobe");
allProbes.Add(sprobe);
}
}
return(allProbes);
}
public void HandleEvent(ProbeEvent probeEvent)
{
if (_owner == null)
{
DebugLog.ToConsole($"Error - Trying to handle event on probe with no owner.", OWML.Common.MessageType.Error);
return;
}
switch (probeEvent)
{
case ProbeEvent.Launch:
_anchored = false;
gameObject.SetActive(true);
transform.position = _owner.ProbeLauncher.transform.position;
transform.rotation = _owner.ProbeLauncher.transform.rotation;
if (OnLaunchProbe == null)
{
DebugLog.ToConsole($"Warning - OnLaunchProbe is null!", OWML.Common.MessageType.Warning);
break;
}
OnLaunchProbe();
break;
case ProbeEvent.Anchor:
_anchored = true;
if (OnAnchorProbe == null)
{
DebugLog.ToConsole($"Warning - OnAnchorProbe is null!", OWML.Common.MessageType.Warning);
break;
}
OnAnchorProbe();
break;
case ProbeEvent.Unanchor:
_anchored = false;
OnUnanchorProbe();
break;
case ProbeEvent.Retrieve:
_anchored = false;
if (OnRetrieveProbe == null)
{
DebugLog.ToConsole($"Warning - OnRetrieveProbe is null!", OWML.Common.MessageType.Warning);
break;
}
OnRetrieveProbe();
break;
case ProbeEvent.Destroy:
_anchored = false;
Destroy(gameObject);
if (OnProbeDestroyed == null)
{
DebugLog.ToConsole($"Warning - OnProbeDestroyed is null!", OWML.Common.MessageType.Warning);
break;
}
OnProbeDestroyed();
break;
case ProbeEvent.Invalid:
default:
DebugLog.ToConsole($"Warning - Unknown/Invalid probe event.", OWML.Common.MessageType.Warning);
break;
}
}
