Пример #1
0
        // main routine
        public override PacketMainReturnType interiorMain(ref Packet in_packet)
        {
            LogEvent le;

            // if the packet is ICMPv4
            if (in_packet.GetHighestLayer() == Protocol.ICMP)
            {
                ICMPPacket packet = (ICMPPacket)in_packet;
                // check if the packet is allowed and deny all is false
                if (isAllowed(packet.Type.ToString(), packet.Code.ToString(), 4) &&
                    !data.DenyIPv4)
                {
                    return PacketMainReturnType.Allow;
                }
                // else, log and drop it
                else
                {
                    PacketMainReturnType pmr = PacketMainReturnType.Drop;
                    if (data.Log)
                    {
                        pmr |= PacketMainReturnType.Log;
                        le = new LogEvent(String.Format(multistring.GetString("ICMPv4 was dropped"), packet.SourceIP.ToString(), packet.DestIP.ToString()), this);
                        le.PMR = PacketMainReturnType.Log | PacketMainReturnType.Drop;
                        LogCenter.Instance.LogEvent(le);
                    }
                    return pmr;
                }
            }

            // if the packet is ICMPv6
            if (in_packet.GetHighestLayer() == Protocol.ICMPv6)
            {
                ICMPv6Packet packet = (ICMPv6Packet)in_packet;
                if ((isAllowed(packet.Type.ToString(), packet.Code.ToString(), 6) &&
                    !data.DenyIPv6) && isDeniedNDP(packet))
                {
                    return PacketMainReturnType.Allow;
                }
                else
                {
                    PacketMainReturnType pmr = PacketMainReturnType.Drop;
                    if (data.Log)
                    {
                        pmr |= PacketMainReturnType.Log;
                        le = new LogEvent(String.Format(multistring.GetString("ICMPv6 was dropped"), packet.SourceIP.ToString(), packet.DestIP.ToString()), this);
                        le.PMR = PacketMainReturnType.Log | PacketMainReturnType.Drop;
                    }
                    return pmr;
                }
            }
            return PacketMainReturnType.Allow;
        }
Пример #2
0
 public void AddLogEvent(LogEvent le)
 {
     if (listBox1.InvokeRequired)
     {
         ALE ale = new ALE(AddLogEvent);
         listBox1.Invoke(ale, le);
     }
     else
     {
         listBox1.Items.Insert(0, le);
         while (listBox1.Items.Count > 5)
         {
             listBox1.Items.RemoveAt(5);
         }
         hideTime = DateTime.Now.AddSeconds(10);
         ShowMe();
     }
 }
Пример #3
0
 /*
  * Object handles logging of a log event to the window
  * @param le is the log event object to be logged
  */
 public void AddLogEvent(LogEvent le)
 {
     // if the log event is sent from a thread other than the UI thread, invoke it
     if (listBox1.InvokeRequired)
     {
         LogCenter.NewLogEvent d = new LogCenter.NewLogEvent(AddLogEvent);
         listBox1.Invoke(d, new object[] { le });
     }
     // else log the message
     else
     {
         LogEvent e = (LogEvent)le;
         listBox1.Items.Insert(0, e.ToString());
         while (listBox1.Items.Count > 1000)
         {
             listBox1.Items.RemoveAt(1000);
         }
     }
 }
Пример #4
0
 public override PacketMainReturnType interiorMain(ref Packet in_packet)
 {
     lock (padlock)
     {
         PacketStatus status = PacketStatus.UNDETERMINED;
         foreach (Rule r in rules)
         {
             status = r.GetStatus(in_packet);
             if (status == PacketStatus.BLOCKED)
             {
                 PacketMainReturnType pmr;
                 pmr = PacketMainReturnType.Drop | PacketMainReturnType.LogPacket;                        
                 if (r.GetLogMessage() != null)
                 {
                     LogEvent le = new LogEvent(r.GetLogMessage(), this);
                     le.PMR = PacketMainReturnType.Log;    
                     if (r.Notify())
                     {
                         le.PMR |= PacketMainReturnType.Popup;
                     }
                     LogCenter.Instance.LogEvent(le);
                 }                        
                 return pmr;
             }
             else if (status == PacketStatus.ALLOWED)
             {
                 return 0;
             }
         }
     }
     return 0;
 }
Пример #5
0
        public override PacketMainReturnType interiorMain(ref Packet in_packet)
        {
            PacketMainReturnType pmr;
            LogEvent le;
            float av = 0;

            if (in_packet.ContainsLayer(Protocol.TCP))
            {
                // if we're in cloaked mode, respond with the SYN ACK
                // More information about this in the GUI code and help string
                if (data.cloaked_mode && ((TCPPacket)in_packet).SYN && !((TCPPacket)in_packet).ACK)
                {
                    TCPPacket from = (TCPPacket)in_packet;

                    EthPacket eth = new EthPacket(60);
                    eth.FromMac = Adapter.GetAdapterInformation().InterfaceInformation.GetPhysicalAddress().GetAddressBytes();
                    eth.ToMac = from.FromMac;
                    eth.Proto = new byte[2] { 0x08, 0x00 };

                    IPPacket ip = new IPPacket(eth);
                    ip.DestIP = from.SourceIP;
                    ip.SourceIP = from.DestIP;
                    ip.NextProtocol = 0x06;
                    ip.TotalLength = 40;
                    ip.HeaderChecksum = ip.GenerateIPChecksum;

                    TCPPacket tcp = new TCPPacket(ip);
                    tcp.SourcePort = from.DestPort;
                    tcp.DestPort = from.SourcePort;
                    tcp.SequenceNumber = (uint)new Random().Next();
                    tcp.AckNumber = 0;
                    tcp.WindowSize = 8192;
                    tcp.SYN = true;
                    tcp.ACK = true;
                    tcp.Checksum = tcp.GenerateChecksum;
                    tcp.Outbound = true;
                    Adapter.SendPacket(tcp);
                }

                try
                {
                    TCPPacket packet = (TCPPacket)in_packet;

                    // if the IP is in the blockcache, then return 
                    if (data.BlockCache == null)
                        data.BlockCache = new SerializableDictionary<IPAddr, IPObj>();
                    IPAddr source = packet.SourceIP;
                    if (data.BlockCache.ContainsKey(source))
                    {
                        pmr = PacketMainReturnType.Drop;
                        return pmr;
                    }

                    // checking for TTL allows us to rule out the local network
                    // Don't check for TCP flags because we can make an educated guess that if 100+ of our ports are 
                    // fingered with a short window, we're being scanned. this will detect syn, ack, null, xmas, etc. scans.
                    if ((!packet.Outbound) && (packet.TTL < 250) && packet.SYN && !packet.ACK)
                    {
                        IPObj tmp;
                        if (ip_table == null) ip_table = new Dictionary<IPAddr, IPObj>();
                        if (ip_table.ContainsKey(source))
                            tmp = (IPObj)ip_table[source];
                        else
                            tmp = new IPObj(source);

                        // add the port to the ipobj, set the access time, and update the table
                        tmp.addPort(packet.DestPort);
                        //tmp.time(packet.PacketTime);
                        ip_table[source] = tmp;
                        av = tmp.getAverage();

                        // if they've touched more than 100 ports in less than 30 seconds and the average
                        // packet time was less than 2s, something's wrong
                        if (tmp.getTouchedPorts().Count >= 100 && (!tmp.Reported) &&
                             tmp.getAverage() < 2000 )
                        {
                            pmr = PacketMainReturnType.Log | PacketMainReturnType.Allow;
                            le = new LogEvent(String.Format(multistring.GetString("Touched Ports"),
                                                source.ToString(), tmp.getTouchedPorts().Count, tmp.getAverage()), this);
                            LogCenter.Instance.LogEvent(le);

                            // set the reported status of the IP address
                            ip_table[source].Reported = true;

                            // add the address to the potential list of IPs and to the local SESSION-BASED list
                            if (!data.blockImmediately)
                            {
                                potentials.Add(source, ip_table[source]);
                                detect.addPotential(source);
                            }
                            // else we want to block it immediately
                            else
                                data.BlockCache.Add(source, ip_table[source]);
                            
                            return pmr;
                        }
                    }
                }
                catch (Exception e)
                {
                    LogCenter.Instance.LogException(e);
                    return PacketMainReturnType.Allow;
                }
            }
            // This will detect UDP knockers.  typically UDP scans are slower, but are combined with SYN scans
            // (-sSU in nmap) so we'll be sure to check for these guys too.
            else if (in_packet.ContainsLayer(Protocol.UDP))
            {
                try
                {
                    UDPPacket packet = (UDPPacket)in_packet;
                    IPAddr source = packet.SourceIP;
                    // if the source addr is in the block cache, return 
                    if (data.BlockCache.ContainsKey(source))
                    {
                        return PacketMainReturnType.Drop;
                    }

                    if ((!packet.Outbound) && (packet.TTL < 250) && 
                        (!packet.isDNS()))
                    {
                        IPObj tmp;
                        if (ip_table.ContainsKey(source))
                            tmp = (IPObj)ip_table[source];
                        else
                            tmp = new IPObj(source);

                        tmp.addPort(packet.DestPort);
                        //tmp.time(packet.PacketTime);
                        ip_table[source] = tmp;
                        av = tmp.getAverage();

                        if ((tmp.getTouchedPorts().Count >= 100) && (!tmp.Reported) &&
                                (tmp.getAverage() < 2000))
                        {
                            pmr = PacketMainReturnType.Log | PacketMainReturnType.Allow;
                            le = new LogEvent(String.Format(multistring.GetString("Touched Ports"),
                                        source.ToString(), tmp.getTouchedPorts().Count, tmp.getAverage()), this);
                            LogCenter.Instance.LogEvent(le);

                            ip_table[source].Reported = true;

                            if (!data.blockImmediately)
                            {
                                potentials.Add(source, ip_table[source]);
                                detect.addPotential(source);
                            }
                            else
                                data.BlockCache.Add(source, ip_table[source]);
                            return pmr;
                        }
                    }
                }
                catch (Exception e)
                {
                    LogCenter.Instance.LogException(e);
                    return PacketMainReturnType.Allow;
                }
            }
            return PacketMainReturnType.Allow;
        }   
Пример #6
0
 /// <summary>
 /// Adds a line to the display queue
 /// </summary>
 /// <param name="line"></param>
 public void AddLine(LogEvent line)
 {
     // only display if checked AND the return type is to notify
     if (GeneralConfiguration.Instance.ShowPopups && line.Module.GetUserInterface() != null && ((line.PMR & fireBwall.Modules.PacketMainReturnType.Popup) == fireBwall.Modules.PacketMainReturnType.Popup))
     {
         //popup.AddLogEvent(line);
     }
 }
Пример #7
0
        // main routine
        public override PacketMainReturnType interiorMain(ref Packet in_packet)
        {
            PacketMainReturnType pmr;
            LogEvent le;

            // check it the packet is, or contains, IP
            if (in_packet.ContainsLayer(Protocol.IP))
            {
                // create a temp IPPacket obj and
                // check the IP address
                IPPacket temp = (IPPacket)in_packet;
                if (!isIPAllowed(temp.SourceIP))
                {
                    pmr = PacketMainReturnType.Drop;
                    return pmr;
                }
            }

            // simple sanity check to dump the ipcache if it gets too large.
            // this does not effect the blockcache of banned IPs
            if ((ipcache.Count) > 500)
                ipcache.Clear();

            // TCP incoming packets
            if (in_packet.GetHighestLayer() == Protocol.TCP)
            {
                TCPPacket packet = ((TCPPacket)in_packet);
                packet.PacketTime = DateTime.UtcNow;

                // if it's inbound and the SYN flag is set
                if (!packet.Outbound && packet.SYN && !packet.ACK)
                {
                    // first packet init
                    if (TCPprevious_packet == null)
                        TCPprevious_packet = packet;

                    // if the IP hasn't been logged yet 
                    if (!(ipcache.ContainsKey(packet.SourceIP)))
                        ipcache.Add(packet.SourceIP, 1);
                    // if the ipcache contains the ip
                    else if (ipcache.ContainsKey(packet.SourceIP))
                    {
                        // increment the packet count if they're coming in fast
                        if ((packet.PacketTime - TCPprevious_packet.PacketTime).TotalMilliseconds <= data.dos_threshold)
                            ipcache[packet.SourceIP] = (ipcache[packet.SourceIP]) + 1;
                        else ipcache[packet.SourceIP] = 1;

                        // check if this packet = previous, if the packet count is > 50, 
                        // and if the time between sent packets is less than the threshhold
                        if (packet.SourceIP.Equals(TCPprevious_packet.SourceIP) &&
                            ((ipcache[packet.SourceIP]) > 50) &&
                            (packet.PacketTime - TCPprevious_packet.PacketTime).TotalMilliseconds <= data.dos_threshold)
                        {
                            pmr = PacketMainReturnType.Drop | PacketMainReturnType.Log | PacketMainReturnType.Popup;
                            le = new LogEvent(String.Format(multistring.GetString("DoS Log"), packet.SourceIP.ToString()), this);
                            le.PMR = PacketMainReturnType.Drop | PacketMainReturnType.Log | PacketMainReturnType.Popup;
                            LogCenter.Instance.LogEvent(le);
                            data.BlockCache.Add(packet.SourceIP, new BlockedIP(packet.SourceIP, DateTime.UtcNow, "DoS Attempt"));
                            return pmr;
                        }
                    }
                    TCPprevious_packet = packet;
                }
            }

            // fraggle attack mitigation
            if (in_packet.GetHighestLayer() == Protocol.UDP)
            {
                UDPPacket packet = ((UDPPacket)in_packet);
                packet.PacketTime = DateTime.UtcNow;

                // if it's inbound
                if (!(packet.Outbound))
                {
                    // add IP to cache or increment packet count
                    if (!(ipcache.ContainsKey(packet.SourceIP)))
                        ipcache.Add(packet.SourceIP, 1);
                    else
                        ipcache[packet.SourceIP] = (ipcache[packet.SourceIP]) + 1;

                    // if the packet header is empty, headed towards port (7,13,19,17), and count > 50,
                    // then it's probably a fraggle attack
                    if (packet.isEmpty() && packet.DestPort.Equals(7) || packet.DestPort.Equals(13) ||
                         packet.DestPort.Equals(19) || packet.DestPort.Equals(17) &&
                         (ipcache[packet.SourceIP]) > 50)
                    {
                        pmr = PacketMainReturnType.Drop | PacketMainReturnType.Log | PacketMainReturnType.Popup;
                        le = new LogEvent(String.Format(multistring.GetString("Fraggle Log"), packet.SourceIP.ToString()), this);
                        le.PMR = PacketMainReturnType.Drop | PacketMainReturnType.Log | PacketMainReturnType.Popup;
                        LogCenter.Instance.LogEvent(le);
                        data.BlockCache.Add(packet.SourceIP, new BlockedIP(packet.SourceIP, DateTime.UtcNow, "Fraggle Attempt"));
                        return pmr;
                    }
                }
            }

            // smurf attack mitigation
            if (in_packet.GetHighestLayer() == Protocol.ICMP)
            {
                ICMPPacket packet = ((ICMPPacket)in_packet);
                packet.PacketTime = DateTime.UtcNow;

                if (!(packet.Outbound))
                {
                    // init the previous packet
                    if (ICMPprevious_packet == null)
                        ICMPprevious_packet = packet;

                    // add IP to cache or increment packet count
                    if (!(ipcache.ContainsKey(packet.SourceIP)))
                        ipcache.Add(packet.SourceIP, 1);
                    // if the packet is >= threshold after the previous and it's the same packet, clear up the cache
                    else if ((packet.PacketTime.Millisecond - ICMPprevious_packet.PacketTime.Millisecond) >= data.dos_threshold &&
                                packet.Equals(ICMPprevious_packet))
                        ipcache[packet.SourceIP] = 1;
                    // if the packet is coming in quickly, add it to the packet count
                    else if ((packet.PacketTime.Millisecond - ICMPprevious_packet.PacketTime.Millisecond) <= data.dos_threshold)
                        ipcache[packet.SourceIP] = (ipcache[packet.SourceIP]) + 1;

                    // if the packet is an echo reply and the IP source
                    // is the same as localhost and the time between packets is <= threshhold and
                    // there are over 50 accumulated packets, it's probably a smurf attack
                    if (packet.Type.ToString().Equals("0") &&
                         packet.Code.ToString().Equals("0") &&
                         isLocalIP(packet.SourceIP) &&
                         (packet.PacketTime.Millisecond - ICMPprevious_packet.PacketTime.Millisecond) <= data.dos_threshold &&
                         ipcache[packet.SourceIP] > 50)
                    {
                        pmr = PacketMainReturnType.Drop | PacketMainReturnType.Log | PacketMainReturnType.Popup;
                        le = new LogEvent(String.Format(multistring.GetString("Smurf Log"), packet.SourceIP.ToString()), this);
                        le.PMR = PacketMainReturnType.Drop | PacketMainReturnType.Log | PacketMainReturnType.Popup;
                        LogCenter.Instance.LogEvent(le);
                        data.BlockCache.Add(packet.SourceIP, new BlockedIP(packet.SourceIP, DateTime.UtcNow, "Smurf Attempt"));
                        return pmr;
                    }
                    ICMPprevious_packet = packet;
                }
            }

            return PacketMainReturnType.Allow;
        }
Пример #8
0
 public void LogEvent(LogEvent e)
 {
     EventQueue.Enqueue(e);
 }
Пример #9
0
        /*
        * pushes log events to the event log file
        * Log\Event_<date>.log
        * 
        * These logs are purged by the cleanLogs() method.
        */
        private void WriteLogFile(LogEvent le)
        {
            string currentdate = DateTime.Now.ToString("MM-dd-yyyy");
            string folder = ConfigurationManagement.Instance.ConfigurationPath;
            folder = folder + Path.DirectorySeparatorChar + "Log";
            if (!Directory.Exists(folder))
                Directory.CreateDirectory(folder);
            string filepath = folder;
            string filename = Path.DirectorySeparatorChar + "Event_" + currentdate + ".log";

            FileStream stream;
            // if the log event is not null
            if (le != null)
            {
                // if the file exists, open in append and write to it
                if (File.Exists(filepath + filename))
                    stream = new FileStream(filepath + filename, FileMode.Append, FileAccess.Write, FileShare.ReadWrite);
                else
                    stream = new FileStream(filepath + filename, FileMode.CreateNew, FileAccess.Write, FileShare.ReadWrite);

                StreamWriter m_streamWriter = new StreamWriter(stream);
                m_streamWriter.WriteLine(le.time.ToString() + " " + le.Module + ": " + le.Message + "\r");
                m_streamWriter.Close();
                stream.Close();
            }
        }
Пример #10
0
 public void LogEvent(LogEvent e)
 {
     EventQueue.Enqueue(e);
 }
Пример #11
0
 public override PacketMainReturnType interiorMain(ref Packet in_packet)
 {
     LogEvent le;
     lock (padlock)
     {
         PacketStatus status = PacketStatus.UNDETERMINED;
         foreach (MacRule r in rules)
         {
             status = r.GetStatus(in_packet);
             if (status == PacketStatus.BLOCKED)
             {
                 PacketMainReturnType pmr = PacketMainReturnType.Drop;
                 if (r.GetLogMessage() != null)
                 {
                     pmr |= PacketMainReturnType.Log;
                     le = new LogEvent(String.Format(r.GetLogMessage()), this);
                     LogCenter.Instance.LogEvent(le);
                 }
                 if (r.notify)
                 {
                     pmr |= PacketMainReturnType.Popup;
                 }
                 return pmr;
             }
             else if (status == PacketStatus.ALLOWED)
             {
                 return PacketMainReturnType.Allow;
             }
         }
     }
     return PacketMainReturnType.Allow;
 }
Пример #12
0
 public override PacketMainReturnType interiorMain(ref Packet in_packet)
 {
     if (in_packet.GetHighestLayer() == Protocol.ARP)
     {
         ARPPacket arpp = (ARPPacket)in_packet;
         if (arpp.isRequest && arpp.Outbound)
         {
             IPAddr ip = new IPAddr(arpp.ATargetIP.GetAddressBytes());
             if (!requestedIPs.Contains(ip))
                 requestedIPs.Add(ip);
         }
         else if (!arpp.Outbound)
         {
             IPAddr ip = new IPAddr(arpp.ASenderIP.GetAddressBytes());
             if (!arpp.isRequest)
             {
                 if (requestedIPs.Contains(ip))
                 {
                     lock (padlock)
                     {
                         if (data.arpCache.ContainsKey(new IPAddr(arpp.ASenderIP.GetAddressBytes())))
                         {
                             if (!Utility.ByteArrayEq(data.arpCache[new IPAddr(arpp.ASenderIP.GetAddressBytes())].AddressBytes, arpp.ASenderMac))
                             {
                                 PacketMainReturnType pmr = 0;
                                 if (data.RectifyAttacks)
                                     pmr = PacketMainReturnType.Edited;
                                 else
                                     pmr = PacketMainReturnType.Drop;
                                 if (data.LogAttacks)
                                 {
                                     LogEvent le = new LogEvent(String.Format(multistring.GetString("Response does not equal cache"), new PhysicalAddress(arpp.ASenderMac).ToString(), arpp.ASenderIP.ToString()), this);
                                     le.PMR = PacketMainReturnType.Log | PacketMainReturnType.Popup;
                                     LogCenter.Instance.LogEvent(le);
                                 }
                                 if (data.RectifyAttacks)
                                 {
                                     arpp.ATargetIP = arpp.ASenderIP;
                                     arpp.ATargetMac = data.arpCache[new IPAddr(arpp.ATargetIP.GetAddressBytes())].AddressBytes;
                                     arpp.ASenderMac = this.Adapter.GetAdapterInformation().InterfaceInformation.GetPhysicalAddress().GetAddressBytes();
                                     arpp.FromMac = arpp.ASenderMac;
                                     arpp.ToMac = arpp.ATargetMac;
                                     arpp.ASenderIP = Adapter.GetAdapterInformation().IPv4;
                                     arpp.Outbound = true;
                                     in_packet = arpp;
                                 }
                                 return pmr;
                             }
                             else
                             {
                                 requestedIPs.Remove(ip);
                             }
                         }
                         else
                         {
                             data.arpCache[new IPAddr(arpp.ASenderIP.GetAddressBytes())] = new MACAddr(arpp.ASenderMac);
                             if (UpdatedArpCache != null)
                                 UpdatedArpCache();
                             requestedIPs.Remove(ip);
                         }
                     }
                 }
                 else
                 {
                     lock (padlock)
                     {
                         if (data.arpCache.ContainsKey(new IPAddr(arpp.ASenderIP.GetAddressBytes())))
                         {
                             if (!Utility.ByteArrayEq(data.arpCache[new IPAddr(arpp.ASenderIP.GetAddressBytes())].AddressBytes, arpp.ASenderMac))
                             {
                                 PacketMainReturnType pmra = 0;
                                 if (data.RectifyAttacks)
                                     pmra = PacketMainReturnType.Edited;
                                 else
                                     pmra = PacketMainReturnType.Drop;
                                 if (data.LogAttacks)
                                 {
                                     LogEvent le = new LogEvent(String.Format(multistring.GetString("Response does not equal cache"), new PhysicalAddress(arpp.ASenderMac).ToString(), arpp.ASenderIP.ToString()), this);
                                     le.PMR = PacketMainReturnType.Log | PacketMainReturnType.Popup;
                                     LogCenter.Instance.LogEvent(le);
                                 }
                                 if (data.RectifyAttacks)
                                 {
                                     arpp.ATargetIP = arpp.ASenderIP;
                                     arpp.ATargetMac = data.arpCache[new IPAddr(arpp.ATargetIP.GetAddressBytes())].AddressBytes;
                                     arpp.ASenderMac = this.Adapter.GetAdapterInformation().InterfaceInformation.GetPhysicalAddress().GetAddressBytes();
                                     arpp.FromMac = arpp.ASenderMac;
                                     arpp.ToMac = arpp.ATargetMac;
                                     arpp.ASenderIP = Adapter.GetAdapterInformation().IPv4;
                                     arpp.Outbound = true;
                                     in_packet = arpp;
                                 }
                                 return pmra;
                             }
                         }
                     }
                     PacketMainReturnType pmr = 0;
                     pmr = PacketMainReturnType.Drop;
                     if (data.LogUnsolic)
                     {
                         LogEvent le2 = new LogEvent(String.Format(multistring.GetString("Unsolicited"), new PhysicalAddress(arpp.ASenderMac).ToString(), arpp.ASenderIP.ToString()), this);
                         le2.PMR = PacketMainReturnType.Log;
                     }
                     return pmr;
                 }
             }
             else
             {
                 lock (padlock)
                 {
                     if (data.arpCache.ContainsKey(new IPAddr(arpp.ASenderIP.GetAddressBytes())))
                     {
                         if (!Utility.ByteArrayEq(data.arpCache[new IPAddr(arpp.ASenderIP.GetAddressBytes())].AddressBytes, arpp.ASenderMac))
                         {
                             PacketMainReturnType pmr = PacketMainReturnType.Drop;
                             if (data.LogAttacks)
                             {
                                 LogEvent le = new LogEvent(String.Format(multistring.GetString("Response does not equal cache"), new PhysicalAddress(arpp.ASenderMac).ToString(), arpp.ASenderIP.ToString()), this);
                                 le.PMR = PacketMainReturnType.Log | PacketMainReturnType.Popup;
                                 LogCenter.Instance.LogEvent(le);
                             }
                             return pmr;
                         }
                     }
                 }
             }
             return 0;
         }
         return 0;
     }
     return 0;
 }