public override PacketMainReturn interiorMain(ref Packet in_packet)
{
if (in_packet.Outbound && in_packet.ContainsLayer(Protocol.DNS))
{
DNSPacket dns = (DNSPacket)in_packet;
lock (cache)
{
DNSPacket.DNSAnswer[] answer;
if (dns.Queries.Length > 0 && cache.TryGetValue(dns.Queries[0].ToString(), out answer))
{
DNSPacket.DNSAnswer[] answers = answer;
dns.Answers = answers;
dns.DNSFlags = 0x8180;
dns.UDPLength = (ushort)(8 + dns.LayerLength());
dns.TotalLength = (ushort)(20 + dns.UDPLength);
dns.UDPChecksum = dns.GenerateUDPChecksum;
dns.Outbound = false;
IPAddress temp = dns.SourceIP;
dns.SourceIP = dns.DestIP;
dns.DestIP = temp;
ushort t = dns.SourcePort;
dns.SourcePort = dns.DestPort;
dns.DestPort = t;
dns.HeaderChecksum = dns.GenerateIPChecksum;
dns.UDPChecksum = dns.GenerateUDPChecksum;
return new PacketMainReturn("DNSCache") { returnType = PacketMainReturnType.Edited };
}
else
return null;
}
}
else if (!in_packet.Outbound && in_packet.ContainsLayer(Protocol.DNS))
{
lock (cache)
{
DNSPacket dns = (DNSPacket)in_packet;
cache[dns.Queries[0].ToString()] = dns.Answers;
}
if (CacheUpdate != null)
new System.Threading.Thread(CacheUpdate).Start();
return null;
}
return null;
}
/// <summary>
/// chuck out bad packets
/// </summary>
/// <param name="in_packet"></param>
/// <returns></returns>
public override PacketMainReturn interiorMain(ref Packet in_packet)
{
try
{
PacketMainReturn pmr;
if (in_packet.ContainsLayer(Protocol.TCP))
{
// cast the packet and check for SYN/outbound
TCPPacket packet = (TCPPacket)in_packet;
if (packet.SYN && packet.Outbound)
{
// check if it's blocked
for (int i = 0; i < block_ranges.Count; ++i)
{
// if its heading towards a blacklisted IP
if (block_ranges[i].IsInRange(packet.DestIP))
{
pmr = new PacketMainReturn("IPGuard");
// check if we should log it
if (this.data.logBlocked)
{
pmr.returnType = PacketMainReturnType.Drop | PacketMainReturnType.Log;
pmr.logMessage = "IPGuard has blocked outgoing packets to " + packet.DestIP;
}
else
pmr.returnType = PacketMainReturnType.Drop;
return pmr;
}
}
}
// check if they want to block incoming packets from these addresses
// as well.
if (this.data.blockIncoming && !(packet.Outbound))
{
for (int i = 0; i < block_ranges.Count; ++i)
{
if (block_ranges[i].IsInRange(packet.SourceIP))
{
pmr = new PacketMainReturn("IPGuard");
// check if we should log it
if (this.data.logBlocked)
{
pmr.returnType = PacketMainReturnType.Drop | PacketMainReturnType.Log;
pmr.logMessage = "IPGuard has blocked incoming packets from " + packet.SourceIP;
}
else
pmr.returnType = PacketMainReturnType.Drop;
return pmr;
}
}
}
}
}
catch (Exception e)
{
System.Diagnostics.Debug.WriteLine("error processing pmr: " + e.Message );
System.Diagnostics.Debug.WriteLine(e.StackTrace);
}
return null;
}
public PacketStatus GetStatus(Packet pkt)
{
if (pkt.ContainsLayer(Protocol.TCP))
{
TCPPacket tcppkt = (TCPPacket)pkt;
if (tcppkt.SYN && !(tcppkt.ACK))
{
if (pkt.Outbound && (direction & Direction.OUT) == Direction.OUT)
{
if (port.Contains(tcppkt.DestPort) ||
inPortRange(tcppkt.DestPort))
{
if (log)
message = " TCP packet from " + tcppkt.SourceIP.ToString() +
":" + tcppkt.SourcePort.ToString() + " to " +
tcppkt.DestIP.ToString() + ":" + tcppkt.DestPort.ToString();
return ps;
}
}
else if (!pkt.Outbound && (direction & Direction.IN) == Direction.IN)
{
if (port.Contains(tcppkt.DestPort) ||
inPortRange(tcppkt.DestPort))
{
if (log)
message = " TCP packet from " + tcppkt.SourceIP.ToString() +
":" + tcppkt.SourcePort.ToString() + " to " + tcppkt.DestIP.ToString() +
":" + tcppkt.DestPort.ToString();
return ps;
}
}
}
}
return PacketStatus.UNDETERMINED;
}
public PacketStatus GetStatus(Packet pkt)
{
if (pkt.ContainsLayer(Protocol.IP))
{
IPPacket tcppkt = (IPPacket)pkt;
if (pkt.Outbound && (direction & Direction.OUT) == Direction.OUT)
{
if ( ips.Contains(tcppkt.DestIP))
{
if (log)
message = " IP packet from " + tcppkt.SourceIP.ToString() + " to " + tcppkt.DestIP.ToString();
return ps;
}
}
else if (!pkt.Outbound && (direction & Direction.IN) == Direction.IN)
{
if ( ips.Contains(tcppkt.DestIP))
{
if (log)
message = " IP packet from " + tcppkt.SourceIP.ToString() + " to " + tcppkt.DestIP.ToString();
return ps;
}
}
}
return PacketStatus.UNDETERMINED;
}
Quad MakeQuad(Packet in_packet)
{
if (in_packet.ContainsLayer(Protocol.TCP))
{
TCPPacket tcp = (TCPPacket)in_packet;
Quad q = new Quad
{
dstIP = tcp.DestIP,
dstPort = tcp.DestPort,
srcPort = tcp.SourcePort,
srcIP = tcp.SourceIP
};
return q;
}
return null;
}
public PacketStatus GetStatus(Packet pkt)
{
if (pkt.ContainsLayer(Protocol.UDP))
{
UDPPacket udppkt = (UDPPacket)pkt;
if (pkt.Outbound && (direction & Direction.OUT) == Direction.OUT)
{
if (log)
message = " UDP packet from " + udppkt.SourceIP.ToString() + ":" +
udppkt.SourcePort.ToString() + " to " + udppkt.DestIP.ToString() +
":" + udppkt.DestPort.ToString();
return ps;
}
else if (!pkt.Outbound && (direction & Direction.IN) == Direction.IN)
{
if (log)
message = " UDP packet from " + udppkt.SourceIP.ToString() + ":" +
udppkt.SourcePort.ToString() + " to " + udppkt.DestIP.ToString() + ":" + udppkt.DestPort.ToString();
return ps;
}
}
return PacketStatus.UNDETERMINED;
}
public override PacketMainReturn interiorMain(ref Packet in_packet)
{
if (in_packet.ContainsLayer(Protocol.TCP) && !in_packet.Outbound)
{
TCPPacket tcp = (TCPPacket)in_packet;
Quad q = new Quad() { dstIP = tcp.DestIP, dstPort = tcp.DestPort, srcIP = tcp.SourceIP, srcPort = tcp.SourcePort };
VideoInformation vid;
if(videos.TryGetValue(q, out vid))
{
if (tcp.SourcePort == 80 && tcp.ACK)
{
if (tcp.FIN)
{
//finish the file
vid.Done();
lock (videos)
{
videos.Remove(q);
}
}
else
{
//continue writing then update the openFiles dictionary
byte[] data = tcp.GetApplicationLayer_safe();
if (data != null && data.Length != 0)
{
vid.AddData(data, tcp.SequenceNumber);
}
}
}
}
else if (tcp.SourcePort == 80 && tcp.ACK)
{
byte[] data = tcp.GetApplicationLayer_safe();
string str = ASCIIEncoding.ASCII.GetString(data);
if (!str.StartsWith("HTTP/1.1 200 OK"))
return null;
if (str.Contains("Content-Type: "))
{
string type = null;
string strLen = null;
if (!str.Contains("Content-Length: "))
{
strLen = "0";
}
string[] lines = str.Replace("\r","").Split("\n".ToCharArray());
foreach (string line in lines)
{
if (type == null && line.StartsWith("Content-Type: "))
{
type = line.Replace("Content-Type: ", "").Replace("\n", "");
}
else if (strLen == null && line.StartsWith("Content-Length: "))
{
strLen = line.Replace("Content-Length: ", "").Replace("\n", "");
}
if (type != null && strLen != null)
break;
}
if (type.StartsWith("video/") || type == "flv-application/octet-stream" || type.StartsWith("audio/"))
{
ulong length = ulong.Parse(strLen);
if (!videos.ContainsKey(q))
{
VideoInformation vi = new VideoInformation(q, length, tcp.GetNextSequenceNumber(), type);
if (str.Contains("\r\n\r\n"))
{
int dataStart = str.IndexOf("\r\n\r\n") + 4;
if (data.Length > dataStart)
{
byte[] first = new byte[data.Length - dataStart];
Buffer.BlockCopy(data, dataStart, first, 0, first.Length);
vi.AddData(first);
}
}
vi.SetSequence(tcp.GetNextSequenceNumber());
lock (videos)
{
videos[q] = vi;
}
}
}
}
}
}
return null;
}
// main routine
public override PacketMainReturn interiorMain(ref Packet in_packet)
{
PacketMainReturn pmr;
// check it the packet is, or contains, IP
if (in_packet.ContainsLayer(Protocol.IP))
{
// create a temp IPPacket obj and
// check the IP address
IPPacket temp = (IPPacket)in_packet;
if (!(isIPAllowed(temp.SourceIP)))
{
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Drop;
return pmr;
}
}
// simple sanity check to dump the ipcache if it gets too large.
// this does not effect the blockcache of banned IPs
if ((ipcache.Count) > 200)
ipcache.Clear();
// TCP incoming packets
if (in_packet.GetHighestLayer() == Protocol.TCP)
{
TCPPacket packet = ((TCPPacket)in_packet);
packet.PacketTime = DateTime.UtcNow;
// if it's inbound and the SYN flag is set
if (!packet.Outbound && packet.SYN && !packet.ACK)
{
// first packet init
if (TCPprevious_packet == null)
TCPprevious_packet = packet;
// if the IP hasn't been logged yet
if (!(ipcache.ContainsKey(packet.SourceIP)))
ipcache.Add(packet.SourceIP, 1);
// if the ipcache contains the ip
else if (ipcache.ContainsKey(packet.SourceIP))
{
// increment the packet count if they're coming in fast
if ((packet.PacketTime - TCPprevious_packet.PacketTime).TotalMilliseconds <= data.dos_threshold)
ipcache[packet.SourceIP] = (ipcache[packet.SourceIP]) + 1;
else ipcache[packet.SourceIP] = 1;
// check if this packet = previous, if the packet count is > 50,
// and if the time between sent packets is less than the threshhold
if (packet.SourceIP.Equals(TCPprevious_packet.SourceIP) &&
((ipcache[packet.SourceIP]) > 50) &&
(packet.PacketTime - TCPprevious_packet.PacketTime).TotalMilliseconds <= data.dos_threshold)
{
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Drop | PacketMainReturnType.Log | PacketMainReturnType.Popup;
pmr.logMessage = "DoS attempt detected from IP " + packet.SourceIP + " (likely spoofed). "
+ " Packets from this IP will be dropped. You can unblock this IP from the module interface.";
data.BlockCache.Add(new BlockedIP(packet.SourceIP, DateTime.UtcNow, "DoS Attempt"));
return pmr;
}
}
TCPprevious_packet = packet;
}
}
// fraggle attack mitigation
if (in_packet.GetHighestLayer() == Protocol.UDP)
{
UDPPacket packet = ((UDPPacket)in_packet);
packet.PacketTime = DateTime.UtcNow;
// if it's inbound
if (!(packet.Outbound))
{
// add IP to cache or increment packet count
if (!(ipcache.ContainsKey(packet.SourceIP)))
ipcache.Add(packet.SourceIP, 1);
else
ipcache[packet.SourceIP] = (ipcache[packet.SourceIP]) + 1;
// if the packet header is empty, headed towards port (7,13,19,17), and count > 50,
// then it's probably a fraggle attack
if (packet.isEmpty() && packet.DestPort.Equals(7) || packet.DestPort.Equals(13) ||
packet.DestPort.Equals(19) || packet.DestPort.Equals(17) &&
(ipcache[packet.SourceIP]) > 50)
{
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Drop | PacketMainReturnType.Log | PacketMainReturnType.Popup;
pmr.logMessage = "Potential fraggle attack from " + packet.SourceIP + " (likely spoofed). "
+ " Packets from this IP will be dropped. You can unblock this IP from the module interface.";
data.BlockCache.Add(new BlockedIP(packet.SourceIP, DateTime.UtcNow, "Fraggle Attempt"));
return pmr;
}
}
}
// smurf attack mitigation
if (in_packet.GetHighestLayer() == Protocol.ICMP)
{
ICMPPacket packet = ((ICMPPacket)in_packet);
packet.PacketTime = DateTime.UtcNow;
if (!(packet.Outbound))
{
// init the previous packet
if (ICMPprevious_packet == null)
ICMPprevious_packet = packet;
// add IP to cache or increment packet count
if (!(ipcache.ContainsKey(packet.SourceIP)))
ipcache.Add(packet.SourceIP, 1);
// if the packet is >= threshold after the previous and it's the same packet, clear up the cache
else if ((packet.PacketTime.Millisecond - ICMPprevious_packet.PacketTime.Millisecond) >= data.dos_threshold &&
packet.Equals(ICMPprevious_packet))
ipcache[packet.SourceIP] = 1;
// if the packet is coming in quickly, add it to the packet count
else if ((packet.PacketTime.Millisecond - ICMPprevious_packet.PacketTime.Millisecond) <= data.dos_threshold)
ipcache[packet.SourceIP] = (ipcache[packet.SourceIP]) + 1;
// if the packet is an echo reply and the IP source
// is the same as localhost and the time between packets is <= threshhold and
// there are over 50 accumulated packets, it's probably a smurf attack
if (packet.Type.ToString().Equals("0") &&
packet.Code.ToString().Equals("0") &&
packet.SourceIP.Equals(getLocalIP()) &&
(packet.PacketTime.Millisecond - ICMPprevious_packet.PacketTime.Millisecond) <= data.dos_threshold &&
ipcache[packet.SourceIP] > 50)
{
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Drop | PacketMainReturnType.Log | PacketMainReturnType.Popup;
pmr.logMessage = "Potential Smurf attack from " + packet.SourceIP + " (likely spoofed). "
+ " Packets from this IP will be dropped. You can unblock this IP from the module interface.";
data.BlockCache.Add(new BlockedIP(packet.SourceIP, DateTime.UtcNow, "Smurf Attempt"));
return pmr;
}
ICMPprevious_packet = packet;
}
}
return null;
}
public override PacketMainReturn interiorMain(ref Packet in_packet)
{
PacketMainReturn pmr;
float av = 0;
if (in_packet.ContainsLayer(Protocol.TCP))
{
// if we're in cloaked mode, respond with the SYN ACK
// More information about this in the GUI code and help string
if (data.cloaked_mode && ((TCPPacket)in_packet).SYN)
{
TCPPacket from = (TCPPacket)in_packet;
EthPacket eth = new EthPacket(60);
eth.FromMac = adapter.InterfaceInformation.GetPhysicalAddress().GetAddressBytes();
eth.ToMac = from.FromMac;
eth.Proto = new byte[2] { 0x08, 0x00 };
IPPacket ip = new IPPacket(eth);
ip.DestIP = from.SourceIP;
ip.SourceIP = from.DestIP;
ip.NextProtocol = 0x06;
ip.TotalLength = 40;
ip.HeaderChecksum = ip.GenerateIPChecksum;
TCPPacket tcp = new TCPPacket(ip);
tcp.SourcePort = from.DestPort;
tcp.DestPort = from.SourcePort;
tcp.SequenceNumber = (uint)new Random().Next();
tcp.AckNumber = 0;
tcp.WindowSize = 8192;
tcp.SYN = true;
tcp.ACK = true;
tcp.Checksum = tcp.GenerateChecksum;
tcp.Outbound = true;
adapter.SendPacket(tcp);
}
try
{
TCPPacket packet = (TCPPacket)in_packet;
// if the IP is in the blockcache, then return
if (data.BlockCache.ContainsKey(packet.SourceIP))
{
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Drop;
return pmr;
}
// checking for TTL allows us to rule out the local network
// Don't check for TCP flags because we can make an educated guess that if 100+ of our ports are
// fingered with a short window, we're being scanned. this will detect syn, ack, null, xmas, etc. scans.
if ((!packet.Outbound) && (packet.TTL < 250))
{
IPObj tmp;
if (ip_table.ContainsKey(packet.SourceIP))
tmp = (IPObj)ip_table[packet.SourceIP];
else
tmp = new IPObj(packet.SourceIP);
// add the port to the ipobj, set the access time, and update the table
tmp.addPort(packet.DestPort);
tmp.time(packet.PacketTime);
ip_table[packet.SourceIP] = tmp;
av = tmp.getAverage();
// if they've touched more than 100 ports in less than 30 seconds and the average
// packet time was less than 2s, something's wrong
if (tmp.getTouchedPorts().Count >= 100 && (!tmp.Reported) &&
tmp.getAverage() < 2000 )
{
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Log | PacketMainReturnType.Allow;
pmr.logMessage = string.Format("{0} touched {1} ports with an average of {2}\n", packet.SourceIP,
tmp.getTouchedPorts().Count, tmp.getAverage());
// set the reported status of the IP address
ip_table[packet.SourceIP].Reported = true;
// add the address to the potential list of IPs and to the local SESSION-BASED list
if (!data.blockImmediately)
{
potentials.Add(packet.SourceIP, ip_table[packet.SourceIP]);
detect.addPotential(packet.SourceIP);
}
// else we want to block it immediately
else
data.BlockCache.Add(packet.SourceIP, ip_table[packet.SourceIP]);
return pmr;
}
}
}
catch (Exception e)
{
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Log;
pmr.logMessage = String.Format("{0}\n{1}\n", e.Message, e.StackTrace);
return pmr;
}
}
// This will detect UDP knockers. typically UDP scans are slower, but are combined with SYN scans
// (-sSU in nmap) so we'll be sure to check for these guys too.
else if (in_packet.ContainsLayer(Protocol.UDP))
{
try
{
UDPPacket packet = (UDPPacket)in_packet;
// if the source addr is in the block cache, return
if (data.BlockCache.ContainsKey(packet.SourceIP))
{
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Drop;
return pmr;
}
if ((!packet.Outbound) && (packet.TTL < 250) &&
(!packet.isDNS()))
{
IPObj tmp;
if (ip_table.ContainsKey(packet.SourceIP))
tmp = (IPObj)ip_table[packet.SourceIP];
else
tmp = new IPObj(packet.SourceIP);
tmp.addPort(packet.DestPort);
tmp.time(packet.PacketTime);
ip_table[packet.SourceIP] = tmp;
av = tmp.getAverage();
if ((tmp.getTouchedPorts().Count >= 100) && (!tmp.Reported) &&
(tmp.getAverage() < 2000))
{
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Log | PacketMainReturnType.Allow;
pmr.logMessage = string.Format("{0} touched {1} ports with an average of {2}\n", packet.SourceIP,
tmp.getTouchedPorts().Count, tmp.getAverage());
ip_table[packet.SourceIP].Reported = true;
if (!data.blockImmediately)
{
potentials.Add(packet.SourceIP, ip_table[packet.SourceIP]);
detect.addPotential(packet.SourceIP);
}
else
data.BlockCache.Add(packet.SourceIP, ip_table[packet.SourceIP]);
return pmr;
}
}
}
catch (Exception e)
{
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Log;
pmr.logMessage = String.Format("{0}\n{1}\n", e.Message, e.StackTrace);
return pmr;
}
}
return null;
}