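/// <summary>
/// Scans a capture for three port-scan patterns and returns one
/// <see cref="ProbeEvent"/> per match, tagged "Vertical", "Horizontal" or "Strobe".
/// </summary>
/// <param name="packets">Captured packets to analyse. Must not be null.</param>
/// <returns>
/// Every probe event found, in the order vertical, horizontal, strobe.
/// Empty when nothing crosses a threshold.
/// </returns>
/// <remarks>
/// Counts are taken over the whole <paramref name="packets"/> list; no time window
/// is applied here, so the caller decides how much traffic one call covers.
/// A single scan can be reported under more than one label.
/// </remarks>
public List<ProbeEvent> Search(List<SniffedPacket> packets)
{
    // Thresholds are strict ("more than"), matching the original comparisons.
    const int portThreshold = 6; // distinct destination ports
    const int hostThreshold = 5; // distinct destination addresses

    var allProbes = new List<ProbeEvent>();

    // Group once and materialise: the vertical and strobe passes both walk the sessions.
    // NOTE(review): every packet is read through application.tcp; presumably non-TCP
    // packets are filtered out before this call - confirm, otherwise this may throw.
    var sessions = packets.GroupBy(x => x.sessionID).ToList();

    // Vertical probe: one session touching many destination ports.
    foreach (var session in sessions)
    {
        var portCount = session.Select(x => x.application.tcp.DestinationPort).Distinct().Count();
        if (portCount > portThreshold)
        {
            var vprobe = new ProbeEvent();
            vprobe.Create(ToJsonList(session), "Vertical");
            allProbes.Add(vprobe);
        }
    }

    // Horizontal probe: one source reaching many destinations on a single port.
    foreach (var srcGroup in packets.GroupBy(x => x.transport.SourceAddress))
    {
        // Count destinations per port. The previous version counted every destination
        // of the source inside the per-port loop, so each port produced the same count
        // and a busy source raised one identical event per port it had touched.
        foreach (var portGroup in srcGroup.GroupBy(x => x.application.tcp.DestinationPort))
        {
            var hostCount = portGroup.Select(x => x.transport.DestinationAddress).Distinct().Count();
            if (hostCount > hostThreshold)
            {
                // The evidence attached to the event is limited to the packets sent to this port.
                var hprobe = new ProbeEvent();
                hprobe.Create(ToJsonList(portGroup), "Horizontal");
                allProbes.Add(hprobe);
            }
        }
    }

    // Strobe probe: many ports across many destinations.
    // NOTE(review): this pass groups by sessionID. If a session is a single
    // source/destination pair, the destination count is always 1 and this branch
    // cannot fire; grouping by source address may be what was intended - confirm.
    foreach (var session in sessions)
    {
        var portCount = session.Select(x => x.application.tcp.DestinationPort).Distinct().Count();
        var hostCount = session.Select(x => x.transport.DestinationAddress).Distinct().Count();
        if (portCount > portThreshold && hostCount > hostThreshold)
        {
            var sprobe = new ProbeEvent();
            sprobe.Create(ToJsonList(session), "Strobe");
            allProbes.Add(sprobe);
        }
    }

    return allProbes;
}

// Converts the packets backing a detection into their JSON form for ProbeEvent.Create.
private static List<SniffedPacketJSON> ToJsonList(IEnumerable<SniffedPacket> source)
{
    var converted = new List<SniffedPacketJSON>();
    foreach (var packet in source)
    {
        converted.Add(packet.ToJSON());
    }

    return converted;
}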
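/// <summary>
/// Applies a probe event to this object: updates the anchored flag, adjusts the
/// game object where needed, and raises the matching callback.
/// </summary>
/// <param name="probeEvent">The event to apply.</param>
/// <remarks>
/// Logs an error and does nothing when the probe has no owner. A callback with no
/// subscribers is reported as a warning instead of being invoked.
/// </remarks>
public void HandleEvent(ProbeEvent probeEvent)
{
    if (_owner == null)
    {
        DebugLog.ToConsole($"Error - Trying to handle event on probe with no owner.", OWML.Common.MessageType.Error);
        return;
    }

    switch (probeEvent)
    {
        case ProbeEvent.Launch:
            _anchored = false;
            gameObject.SetActive(true);

            // Place the probe at the owner's launcher.
            transform.position = _owner.ProbeLauncher.transform.position;
            transform.rotation = _owner.ProbeLauncher.transform.rotation;

            if (OnLaunchProbe == null)
            {
                DebugLog.ToConsole($"Warning - OnLaunchProbe is null!", OWML.Common.MessageType.Warning);
                break;
            }

            OnLaunchProbe();
            break;

        case ProbeEvent.Anchor:
            _anchored = true;

            if (OnAnchorProbe == null)
            {
                DebugLog.ToConsole($"Warning - OnAnchorProbe is null!", OWML.Common.MessageType.Warning);
                break;
            }

            OnAnchorProbe();
            break;

        case ProbeEvent.Unanchor:
            _anchored = false;

            // Guarded like the other cases: invoking a callback with no
            // subscribers would throw a NullReferenceException.
            if (OnUnanchorProbe == null)
            {
                DebugLog.ToConsole($"Warning - OnUnanchorProbe is null!", OWML.Common.MessageType.Warning);
                break;
            }

            OnUnanchorProbe();
            break;

        case ProbeEvent.Retrieve:
            _anchored = false;

            if (OnRetrieveProbe == null)
            {
                DebugLog.ToConsole($"Warning - OnRetrieveProbe is null!", OWML.Common.MessageType.Warning);
                break;
            }

            OnRetrieveProbe();
            break;

        case ProbeEvent.Destroy:
            _anchored = false;
            Destroy(gameObject);

            if (OnProbeDestroyed == null)
            {
                DebugLog.ToConsole($"Warning - OnProbeDestroyed is null!", OWML.Common.MessageType.Warning);
                break;
            }

            OnProbeDestroyed();
            break;

        case ProbeEvent.Invalid:
        default:
            DebugLog.ToConsole($"Warning - Unknown/Invalid probe event.", OWML.Common.MessageType.Warning);
            break;
    }
}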