Exemplo n.º 1
        // main routine
        /// <summary>
        /// ICMP filter entry point. For a packet whose highest layer is ICMP (v4) or
        /// ICMPv6, the type and code (stringified) are checked with <c>isAllowed</c>;
        /// an allowed packet returns Allow, anything else returns Drop, with Log added
        /// to the verdict and a LogEvent constructed only when <c>data.Log</c> is set.
        /// Packets of any other protocol are allowed without inspection.
        /// </summary>
        /// <param name="in_packet">Packet under inspection; it is only read here.</param>
        /// <returns>Allow, Drop, or Drop|Log.</returns>
        public override PacketMainReturnType interiorMain(ref Packet in_packet)
            LogEvent le;

            // if the packet is ICMPv4
            if (in_packet.GetHighestLayer() == Protocol.ICMP)
                ICMPPacket packet = (ICMPPacket)in_packet;
                // check if the packet is allowed and deny all is false
                // NOTE(review): the right-hand operand of this && is missing from this
                // listing; by the comment above and the ICMPv6 branch below it is
                // presumably a "!data.DenyIPv4"-style flag — confirm in the repository.
                if (isAllowed(packet.Type.ToString(), packet.Code.ToString(), 4) &&
                    return PacketMainReturnType.Allow;
                // else, log and drop it
                // (the else keyword/braces were lost by the listing; the lines below are the else branch)
                    PacketMainReturnType pmr = PacketMainReturnType.Drop;
                    // Log is added to the verdict, and the event created, only when logging is enabled.
                    if (data.Log)
                        pmr |= PacketMainReturnType.Log;
                        // 'le' is not read after construction; presumably the LogEvent
                        // registers itself through the 'this' argument — confirm.
                        le = new LogEvent(String.Format(multistring.GetString("ICMPv4 was dropped"), packet.SourceIP.ToString(), packet.DestIP.ToString()), this);
                        // The PMR stored on the event is fixed to Log|Drop, independent of 'pmr'.
                        le.PMR = PacketMainReturnType.Log | PacketMainReturnType.Drop;
                    return pmr;

            // if the packet is ICMPv6
            if (in_packet.GetHighestLayer() == Protocol.ICMPv6)
                ICMPv6Packet packet = (ICMPv6Packet)in_packet;
                // Allowed only if the type/code rule passes, IPv6 is not globally denied,
                // and isDeniedNDP returns true. NOTE(review): the helper's name reads
                // inverted relative to this use (true is required to Allow) — confirm its polarity.
                if ((isAllowed(packet.Type.ToString(), packet.Code.ToString(), 6) &&
                    !data.DenyIPv6) && isDeniedNDP(packet))
                    return PacketMainReturnType.Allow;
                    // else branch (keyword lost by the listing): drop, logging when enabled,
                    // mirroring the ICMPv4 path above.
                    PacketMainReturnType pmr = PacketMainReturnType.Drop;
                    if (data.Log)
                        pmr |= PacketMainReturnType.Log;
                        le = new LogEvent(String.Format(multistring.GetString("ICMPv6 was dropped"), packet.SourceIP.ToString(), packet.DestIP.ToString()), this);
                        le.PMR = PacketMainReturnType.Log | PacketMainReturnType.Drop;
                    return pmr;
            // Not ICMP at all: this module has no opinion and lets the packet through.
            return PacketMainReturnType.Allow;
Exemplo n.º 2
 /// <summary>
 /// Port-knock trigger. For every outbound TCP SYN (without ACK) whose destination
 /// IP and port match a configured <c>KnockRule</c>, a SYN is sent from the adapter
 /// to that rule's knock endpoint. The inspected packet itself is never modified.
 /// </summary>
 /// <param name="in_packet">Packet under inspection; passed by reference but only read.</param>
 /// <returns>Always 0 (no verdict flags); how the caller treats 0 is not visible here.</returns>
 public override PacketMainReturnType interiorMain(ref Packet in_packet)
 {
     // Only outbound TCP can carry a knock trigger; anything else passes straight through.
     if (!in_packet.Outbound || in_packet.GetHighestLayer() != Protocol.TCP)
     {
         return 0;
     }

     TCPPacket syn = (TCPPacket)in_packet;

     // A connection attempt is SYN without ACK (a SYN/ACK is the reply, not a trigger).
     if (syn.SYN && !syn.ACK)
     {
         foreach (KnockRule knock in rules)
         {
             // Port is compared first so the IP comparison is only evaluated on a port hit.
             if (syn.DestPort == knock.triggerPort && syn.DestIP.Equals(knock.triggerIP))
             {
                 // The knock reuses the original source port and next-hop MAC.
                 Adapter.SendPacket(PacketFactory.MakeSynPacket(Adapter, syn.ToMac, knock.knockIP.AddressBytes, syn.SourcePort, knock.knockPort));
             }
         }
     }

     return 0;
 }
Exemplo n.º 3
        // main routine
        /// <summary>
        /// Flood-mitigation entry point. First drops any IP packet whose source
        /// <c>isIPAllowed</c> rejects, then applies three per-source heuristics keyed
        /// on <c>ipcache</c> (source IP -> packet count): inbound TCP SYN bursts
        /// ("DoS"), inbound UDP to ports 7/13/19/17 ("Fraggle") and inbound ICMP echo
        /// replies from a local address ("Smurf"). A detection returns Drop|Log|Popup,
        /// constructs a LogEvent and adds the source to <c>data.BlockCache</c>.
        /// Everything else is allowed.
        /// </summary>
        /// <param name="in_packet">Packet under inspection; only its PacketTime is written (set to DateTime.UtcNow).</param>
        /// <returns>Allow, Drop (source not allowed) or Drop|Log|Popup (flood detected).</returns>
        public override PacketMainReturnType interiorMain(ref Packet in_packet)
            PacketMainReturnType pmr;
            LogEvent le;

            // check if the packet is, or contains, IP
            if (in_packet.ContainsLayer(Protocol.IP))
                // create a temp IPPacket obj and
                // check the IP address (block-list check; no logging on this path)
                IPPacket temp = (IPPacket)in_packet;
                if (!isIPAllowed(temp.SourceIP))
                    pmr = PacketMainReturnType.Drop;
                    return pmr;

            // simple sanity check to dump the ipcache if it gets too large.
            // this does not affect the blockcache of banned IPs
            // NOTE(review): the body of this if is missing from this listing
            // (presumably it clears ipcache) — confirm in the repository. 500 here and
            // the "> 50" limits below are hard-coded thresholds.
            if ((ipcache.Count) > 500)

            // TCP incoming packets
            if (in_packet.GetHighestLayer() == Protocol.TCP)
                TCPPacket packet = ((TCPPacket)in_packet);
                packet.PacketTime = DateTime.UtcNow;

                // if it's inbound and the SYN flag is set
                if (!packet.Outbound && packet.SYN && !packet.ACK)
                    // first packet init
                    if (TCPprevious_packet == null)
                        TCPprevious_packet = packet;

                    // if the IP hasn't been logged yet 
                    if (!(ipcache.ContainsKey(packet.SourceIP)))
                        ipcache.Add(packet.SourceIP, 1);
                    // if the ipcache contains the ip
                    // (the ContainsKey re-test is always true on this branch; a plain else is equivalent)
                    else if (ipcache.ContainsKey(packet.SourceIP))
                        // increment the packet count if they're coming in fast
                        // NOTE: TCPprevious_packet is a single field, so this is the gap since
                        // the last inbound SYN from *any* source, not from this source.
                        if ((packet.PacketTime - TCPprevious_packet.PacketTime).TotalMilliseconds <= data.dos_threshold)
                            ipcache[packet.SourceIP] = (ipcache[packet.SourceIP]) + 1;
                        else ipcache[packet.SourceIP] = 1;

                        // check if this packet = previous, if the packet count is > 50, 
                        // and if the time between sent packets is less than the threshhold
                        // (by indentation this sits inside the else-if, so it only runs for
                        // a source that was already in the cache)
                        if (packet.SourceIP.Equals(TCPprevious_packet.SourceIP) &&
                            ((ipcache[packet.SourceIP]) > 50) &&
                            (packet.PacketTime - TCPprevious_packet.PacketTime).TotalMilliseconds <= data.dos_threshold)
                            // Log|Popup are set unconditionally on a detection (no data.Log gate here).
                            pmr = PacketMainReturnType.Drop | PacketMainReturnType.Log | PacketMainReturnType.Popup;
                            le = new LogEvent(String.Format(multistring.GetString("DoS Log"), packet.SourceIP.ToString()), this);
                            le.PMR = PacketMainReturnType.Drop | PacketMainReturnType.Log | PacketMainReturnType.Popup;
                            // NOTE(review): if BlockCache is a Dictionary, Add throws ArgumentException when
                            // this source is already blocked; an indexer assignment would be safer — confirm the type.
                            data.BlockCache.Add(packet.SourceIP, new BlockedIP(packet.SourceIP, DateTime.UtcNow, "DoS Attempt"));
                            return pmr;
                    // Remember this SYN as the reference for the next inter-arrival check.
                    TCPprevious_packet = packet;

            // fraggle attack mitigation
            if (in_packet.GetHighestLayer() == Protocol.UDP)
                UDPPacket packet = ((UDPPacket)in_packet);
                packet.PacketTime = DateTime.UtcNow;

                // if it's inbound
                if (!(packet.Outbound))
                    // add IP to cache or increment packet count
                    // NOTE(review): the else between the Add and the increment appears to have
                    // been lost by the listing; read as if/else. Unlike the TCP branch, the UDP
                    // count is never reset by elapsed time, only by the cache dump above.
                    if (!(ipcache.ContainsKey(packet.SourceIP)))
                        ipcache.Add(packet.SourceIP, 1);
                        ipcache[packet.SourceIP] = (ipcache[packet.SourceIP]) + 1;

                    // if the packet header is empty, headed towards port (7,13,19,17), and count > 50,
                    // then it's probably a fraggle attack
                    // BUG: && binds tighter than ||, so as written this parses as
                    //   (isEmpty && port==7) || port==13 || port==19 || (port==17 && count>50)
                    // A single inbound datagram to port 13 or 19 is dropped and its source added
                    // to BlockCache, and the "> 50" gate applies only to port 17; a forged source
                    // address is therefore enough to get a third party blocked. The intended
                    // condition, per the comment above, is
                    //   packet.isEmpty() && (DestPort is 7, 13, 19 or 17) && ipcache[SourceIP] > 50
                    if (packet.isEmpty() && packet.DestPort.Equals(7) || packet.DestPort.Equals(13) ||
                         packet.DestPort.Equals(19) || packet.DestPort.Equals(17) &&
                         (ipcache[packet.SourceIP]) > 50)
                        pmr = PacketMainReturnType.Drop | PacketMainReturnType.Log | PacketMainReturnType.Popup;
                        le = new LogEvent(String.Format(multistring.GetString("Fraggle Log"), packet.SourceIP.ToString()), this);
                        le.PMR = PacketMainReturnType.Drop | PacketMainReturnType.Log | PacketMainReturnType.Popup;
                        // Same Dictionary.Add caveat as the DoS path above.
                        data.BlockCache.Add(packet.SourceIP, new BlockedIP(packet.SourceIP, DateTime.UtcNow, "Fraggle Attempt"));
                        return pmr;

            // smurf attack mitigation
            if (in_packet.GetHighestLayer() == Protocol.ICMP)
                ICMPPacket packet = ((ICMPPacket)in_packet);
                packet.PacketTime = DateTime.UtcNow;

                if (!(packet.Outbound))
                    // init the previous packet
                    if (ICMPprevious_packet == null)
                        ICMPprevious_packet = packet;

                    // add IP to cache or increment packet count
                    if (!(ipcache.ContainsKey(packet.SourceIP)))
                        ipcache.Add(packet.SourceIP, 1);
                    // if the packet is >= threshold after the previous and it's the same packet, clear up the cache
                    // NOTE(review): the right-hand operand of this && is missing from the listing.
                    // NOTE: .Millisecond is the 0-999 millisecond component of the timestamp, not an
                    // elapsed time; across a second boundary the difference is negative or wraps and
                    // these three comparisons misfire. The TCP branch's
                    // (a.PacketTime - b.PacketTime).TotalMilliseconds is the correct form.
                    else if ((packet.PacketTime.Millisecond - ICMPprevious_packet.PacketTime.Millisecond) >= data.dos_threshold &&
                        ipcache[packet.SourceIP] = 1;
                    // if the packet is coming in quickly, add it to the packet count
                    else if ((packet.PacketTime.Millisecond - ICMPprevious_packet.PacketTime.Millisecond) <= data.dos_threshold)
                        ipcache[packet.SourceIP] = (ipcache[packet.SourceIP]) + 1;

                    // if the packet is an echo reply and the IP source
                    // is the same as localhost and the time between packets is <= threshhold and
                    // there are over 50 accumulated packets, it's probably a smurf attack
                    // (type 0 / code 0 = Echo Reply; comparing the numeric values directly would
                    // avoid the ToString round-trip)
                    if (packet.Type.ToString().Equals("0") &&
                         packet.Code.ToString().Equals("0") &&
                         isLocalIP(packet.SourceIP) &&
                         (packet.PacketTime.Millisecond - ICMPprevious_packet.PacketTime.Millisecond) <= data.dos_threshold &&
                         ipcache[packet.SourceIP] > 50)
                        pmr = PacketMainReturnType.Drop | PacketMainReturnType.Log | PacketMainReturnType.Popup;
                        le = new LogEvent(String.Format(multistring.GetString("Smurf Log"), packet.SourceIP.ToString()), this);
                        le.PMR = PacketMainReturnType.Drop | PacketMainReturnType.Log | PacketMainReturnType.Popup;
                        // Same Dictionary.Add caveat as the DoS path above.
                        data.BlockCache.Add(packet.SourceIP, new BlockedIP(packet.SourceIP, DateTime.UtcNow, "Smurf Attempt"));
                        return pmr;
                    // Only reached when the packet was not dropped.
                    ICMPprevious_packet = packet;

            // Nothing matched: allow.
            return PacketMainReturnType.Allow;
Exemplo n.º 4
 /// <summary>
 /// ARP-spoof watch. Outbound ARP requests record the queried IP in
 /// <c>requestedIPs</c>. For inbound ARP, the sender's MAC is compared with the
 /// entry for the sender's IP in <c>data.arpCache</c>: a mismatch returns Drop,
 /// or Edited with the packet rewritten in place when <c>data.RectifyAttacks</c>
 /// is set; a reply for an IP never requested is dropped as unsolicited; a
 /// consistent reply refreshes the cache. All other paths return 0.
 /// </summary>
 /// <param name="in_packet">Packet under inspection; replaced with the rewritten ARP packet on the rectify path.</param>
 /// <returns>0 (no flags), Drop, or Edited; how the caller treats 0 is not visible here.</returns>
 public override PacketMainReturnType interiorMain(ref Packet in_packet)
     if (in_packet.GetHighestLayer() == Protocol.ARP)
         ARPPacket arpp = (ARPPacket)in_packet;
         // Outbound request: remember the IP we asked about so the reply can be recognised.
         // NOTE(review): the body of the Contains check is missing from this listing
         // (presumably requestedIPs.Add(ip)) — confirm in the repository.
         if (arpp.isRequest && arpp.Outbound)
             IPAddr ip = new IPAddr(arpp.ATargetIP.GetAddressBytes());
             if (!requestedIPs.Contains(ip))
         else if (!arpp.Outbound)
             // 'ip' is the sender's address; the repeated new IPAddr(arpp.ASenderIP...) below could reuse it.
             IPAddr ip = new IPAddr(arpp.ASenderIP.GetAddressBytes());
             if (!arpp.isRequest)
                 // Inbound reply to an IP we requested.
                 // NOTE(review): requestedIPs is read here and above without taking padlock — confirm
                 // whether it is shared across threads.
                 if (requestedIPs.Contains(ip))
                     // padlock guards data.arpCache.
                     lock (padlock)
                         if (data.arpCache.ContainsKey(new IPAddr(arpp.ASenderIP.GetAddressBytes())))
                             // Cached MAC for this IP differs from the MAC in the reply: treated as spoofing.
                             if (!Utility.ByteArrayEq(data.arpCache[new IPAddr(arpp.ASenderIP.GetAddressBytes())].AddressBytes, arpp.ASenderMac))
                                 PacketMainReturnType pmr = 0;
                                 // NOTE(review): the else before the Drop assignment was lost by the listing;
                                 // the verdict is Edited when rectifying, otherwise Drop.
                                 if (data.RectifyAttacks)
                                     pmr = PacketMainReturnType.Edited;
                                     pmr = PacketMainReturnType.Drop;
                                 // Event carries Log|Popup regardless of the verdict returned.
                                 if (data.LogAttacks)
                                     LogEvent le = new LogEvent(String.Format(multistring.GetString("Response does not equal cache"), new PhysicalAddress(arpp.ASenderMac).ToString(), arpp.ASenderIP.ToString()), this);
                                     le.PMR = PacketMainReturnType.Log | PacketMainReturnType.Popup;
                                 // Rectify: rewrite this packet into an outbound reply addressed to the cached
                                 // (trusted) MAC of the claimed IP, with this adapter's own MAC/IPv4 as sender.
                                 // The cache is deliberately not updated from the suspect reply.
                                 if (data.RectifyAttacks)
                                     arpp.ATargetIP = arpp.ASenderIP;
                                     arpp.ATargetMac = data.arpCache[new IPAddr(arpp.ATargetIP.GetAddressBytes())].AddressBytes;
                                     arpp.ASenderMac = this.Adapter.GetAdapterInformation().InterfaceInformation.GetPhysicalAddress().GetAddressBytes();
                                     arpp.FromMac = arpp.ASenderMac;
                                     arpp.ToMac = arpp.ATargetMac;
                                     arpp.ASenderIP = Adapter.GetAdapterInformation().IPv4;
                                     arpp.Outbound = true;
                                     in_packet = arpp;
                                 return pmr;
                             // Consistent (or first-seen) mapping: learn/refresh it.
                             // NOTE(review): the body of the UpdatedArpCache null check is missing from
                             // the listing (presumably it raises the event).
                             data.arpCache[new IPAddr(arpp.ASenderIP.GetAddressBytes())] = new MACAddr(arpp.ASenderMac);
                             if (UpdatedArpCache != null)
                     // NOTE(review): by indentation, and because 'pmra' avoids the 'pmr' declared in this
                     // scope further down, this is the else branch of the requestedIPs.Contains check:
                     // a reply for an IP we never asked about. The lock block repeats the one above
                     // verbatim — a private helper would remove the duplication.
                     lock (padlock)
                         if (data.arpCache.ContainsKey(new IPAddr(arpp.ASenderIP.GetAddressBytes())))
                             if (!Utility.ByteArrayEq(data.arpCache[new IPAddr(arpp.ASenderIP.GetAddressBytes())].AddressBytes, arpp.ASenderMac))
                                 PacketMainReturnType pmra = 0;
                                 // Same lost-else caveat as above: Edited when rectifying, otherwise Drop.
                                 if (data.RectifyAttacks)
                                     pmra = PacketMainReturnType.Edited;
                                     pmra = PacketMainReturnType.Drop;
                                 if (data.LogAttacks)
                                     LogEvent le = new LogEvent(String.Format(multistring.GetString("Response does not equal cache"), new PhysicalAddress(arpp.ASenderMac).ToString(), arpp.ASenderIP.ToString()), this);
                                     le.PMR = PacketMainReturnType.Log | PacketMainReturnType.Popup;
                                 if (data.RectifyAttacks)
                                     arpp.ATargetIP = arpp.ASenderIP;
                                     arpp.ATargetMac = data.arpCache[new IPAddr(arpp.ATargetIP.GetAddressBytes())].AddressBytes;
                                     arpp.ASenderMac = this.Adapter.GetAdapterInformation().InterfaceInformation.GetPhysicalAddress().GetAddressBytes();
                                     arpp.FromMac = arpp.ASenderMac;
                                     arpp.ToMac = arpp.ATargetMac;
                                     arpp.ASenderIP = Adapter.GetAdapterInformation().IPv4;
                                     arpp.Outbound = true;
                                     in_packet = arpp;
                                 return pmra;
                     // Unsolicited reply that did not contradict the cache: always dropped,
                     // logged (Log only, no Popup) when data.LogUnsolic is set. The cache is not updated.
                     PacketMainReturnType pmr = 0;
                     pmr = PacketMainReturnType.Drop;
                     if (data.LogUnsolic)
                         LogEvent le2 = new LogEvent(String.Format(multistring.GetString("Unsolicited"), new PhysicalAddress(arpp.ASenderMac).ToString(), arpp.ASenderIP.ToString()), this);
                         le2.PMR = PacketMainReturnType.Log;
                     return pmr;
                 // Presumably the else of the isRequest check (keyword lost by the listing): an inbound
                 // ARP request whose sender MAC contradicts the cache is dropped and logged. There is
                 // no rectify path here and the cache is never updated from requests.
                 lock (padlock)
                     if (data.arpCache.ContainsKey(new IPAddr(arpp.ASenderIP.GetAddressBytes())))
                         if (!Utility.ByteArrayEq(data.arpCache[new IPAddr(arpp.ASenderIP.GetAddressBytes())].AddressBytes, arpp.ASenderMac))
                             PacketMainReturnType pmr = PacketMainReturnType.Drop;
                             if (data.LogAttacks)
                                 LogEvent le = new LogEvent(String.Format(multistring.GetString("Response does not equal cache"), new PhysicalAddress(arpp.ASenderMac).ToString(), arpp.ASenderIP.ToString()), this);
                                 le.PMR = PacketMainReturnType.Log | PacketMainReturnType.Popup;
                             return pmr;
             // Zero = no verdict flags set for this packet.
             return 0;
         return 0;
     return 0;