// main routine public override PacketMainReturnType interiorMain(ref Packet in_packet) { LogEvent le; // if the packet is ICMPv4 if (in_packet.GetHighestLayer() == Protocol.ICMP) { ICMPPacket packet = (ICMPPacket)in_packet; // check if the packet is allowed and deny all is false if (isAllowed(packet.Type.ToString(), packet.Code.ToString(), 4) && !data.DenyIPv4) { return PacketMainReturnType.Allow; } // else, log and drop it else { PacketMainReturnType pmr = PacketMainReturnType.Drop; if (data.Log) { pmr |= PacketMainReturnType.Log; le = new LogEvent(String.Format(multistring.GetString("ICMPv4 was dropped"), packet.SourceIP.ToString(), packet.DestIP.ToString()), this); le.PMR = PacketMainReturnType.Log | PacketMainReturnType.Drop; LogCenter.Instance.LogEvent(le); } return pmr; } } // if the packet is ICMPv6 if (in_packet.GetHighestLayer() == Protocol.ICMPv6) { ICMPv6Packet packet = (ICMPv6Packet)in_packet; if ((isAllowed(packet.Type.ToString(), packet.Code.ToString(), 6) && !data.DenyIPv6) && isDeniedNDP(packet)) { return PacketMainReturnType.Allow; } else { PacketMainReturnType pmr = PacketMainReturnType.Drop; if (data.Log) { pmr |= PacketMainReturnType.Log; le = new LogEvent(String.Format(multistring.GetString("ICMPv6 was dropped"), packet.SourceIP.ToString(), packet.DestIP.ToString()), this); le.PMR = PacketMainReturnType.Log | PacketMainReturnType.Drop; } return pmr; } } return PacketMainReturnType.Allow; }
public void AddLogEvent(LogEvent le) { if (listBox1.InvokeRequired) { ALE ale = new ALE(AddLogEvent); listBox1.Invoke(ale, le); } else { listBox1.Items.Insert(0, le); while (listBox1.Items.Count > 5) { listBox1.Items.RemoveAt(5); } hideTime = DateTime.Now.AddSeconds(10); ShowMe(); } }
/* * Object handles logging of a log event to the window * @param le is the log event object to be logged */ public void AddLogEvent(LogEvent le) { // if the log event is sent from a thread other than the UI thread, invoke it if (listBox1.InvokeRequired) { LogCenter.NewLogEvent d = new LogCenter.NewLogEvent(AddLogEvent); listBox1.Invoke(d, new object[] { le }); } // else log the message else { LogEvent e = (LogEvent)le; listBox1.Items.Insert(0, e.ToString()); while (listBox1.Items.Count > 1000) { listBox1.Items.RemoveAt(1000); } } }
public override PacketMainReturnType interiorMain(ref Packet in_packet) { lock (padlock) { PacketStatus status = PacketStatus.UNDETERMINED; foreach (Rule r in rules) { status = r.GetStatus(in_packet); if (status == PacketStatus.BLOCKED) { PacketMainReturnType pmr; pmr = PacketMainReturnType.Drop | PacketMainReturnType.LogPacket; if (r.GetLogMessage() != null) { LogEvent le = new LogEvent(r.GetLogMessage(), this); le.PMR = PacketMainReturnType.Log; if (r.Notify()) { le.PMR |= PacketMainReturnType.Popup; } LogCenter.Instance.LogEvent(le); } return pmr; } else if (status == PacketStatus.ALLOWED) { return 0; } } } return 0; }
public override PacketMainReturnType interiorMain(ref Packet in_packet) { PacketMainReturnType pmr; LogEvent le; float av = 0; if (in_packet.ContainsLayer(Protocol.TCP)) { // if we're in cloaked mode, respond with the SYN ACK // More information about this in the GUI code and help string if (data.cloaked_mode && ((TCPPacket)in_packet).SYN && !((TCPPacket)in_packet).ACK) { TCPPacket from = (TCPPacket)in_packet; EthPacket eth = new EthPacket(60); eth.FromMac = Adapter.GetAdapterInformation().InterfaceInformation.GetPhysicalAddress().GetAddressBytes(); eth.ToMac = from.FromMac; eth.Proto = new byte[2] { 0x08, 0x00 }; IPPacket ip = new IPPacket(eth); ip.DestIP = from.SourceIP; ip.SourceIP = from.DestIP; ip.NextProtocol = 0x06; ip.TotalLength = 40; ip.HeaderChecksum = ip.GenerateIPChecksum; TCPPacket tcp = new TCPPacket(ip); tcp.SourcePort = from.DestPort; tcp.DestPort = from.SourcePort; tcp.SequenceNumber = (uint)new Random().Next(); tcp.AckNumber = 0; tcp.WindowSize = 8192; tcp.SYN = true; tcp.ACK = true; tcp.Checksum = tcp.GenerateChecksum; tcp.Outbound = true; Adapter.SendPacket(tcp); } try { TCPPacket packet = (TCPPacket)in_packet; // if the IP is in the blockcache, then return if (data.BlockCache == null) data.BlockCache = new SerializableDictionary<IPAddr, IPObj>(); IPAddr source = packet.SourceIP; if (data.BlockCache.ContainsKey(source)) { pmr = PacketMainReturnType.Drop; return pmr; } // checking for TTL allows us to rule out the local network // Don't check for TCP flags because we can make an educated guess that if 100+ of our ports are // fingered with a short window, we're being scanned. this will detect syn, ack, null, xmas, etc. scans. if ((!packet.Outbound) && (packet.TTL < 250) && packet.SYN && !packet.ACK) { IPObj tmp; if (ip_table == null) ip_table = new Dictionary<IPAddr, IPObj>(); if (ip_table.ContainsKey(source)) tmp = (IPObj)ip_table[source]; else tmp = new IPObj(source); // add the port to the ipobj, set the access time, and update the table tmp.addPort(packet.DestPort); //tmp.time(packet.PacketTime); ip_table[source] = tmp; av = tmp.getAverage(); // if they've touched more than 100 ports in less than 30 seconds and the average // packet time was less than 2s, something's wrong if (tmp.getTouchedPorts().Count >= 100 && (!tmp.Reported) && tmp.getAverage() < 2000 ) { pmr = PacketMainReturnType.Log | PacketMainReturnType.Allow; le = new LogEvent(String.Format(multistring.GetString("Touched Ports"), source.ToString(), tmp.getTouchedPorts().Count, tmp.getAverage()), this); LogCenter.Instance.LogEvent(le); // set the reported status of the IP address ip_table[source].Reported = true; // add the address to the potential list of IPs and to the local SESSION-BASED list if (!data.blockImmediately) { potentials.Add(source, ip_table[source]); detect.addPotential(source); } // else we want to block it immediately else data.BlockCache.Add(source, ip_table[source]); return pmr; } } } catch (Exception e) { LogCenter.Instance.LogException(e); return PacketMainReturnType.Allow; } } // This will detect UDP knockers. typically UDP scans are slower, but are combined with SYN scans // (-sSU in nmap) so we'll be sure to check for these guys too. else if (in_packet.ContainsLayer(Protocol.UDP)) { try { UDPPacket packet = (UDPPacket)in_packet; IPAddr source = packet.SourceIP; // if the source addr is in the block cache, return if (data.BlockCache.ContainsKey(source)) { return PacketMainReturnType.Drop; } if ((!packet.Outbound) && (packet.TTL < 250) && (!packet.isDNS())) { IPObj tmp; if (ip_table.ContainsKey(source)) tmp = (IPObj)ip_table[source]; else tmp = new IPObj(source); tmp.addPort(packet.DestPort); //tmp.time(packet.PacketTime); ip_table[source] = tmp; av = tmp.getAverage(); if ((tmp.getTouchedPorts().Count >= 100) && (!tmp.Reported) && (tmp.getAverage() < 2000)) { pmr = PacketMainReturnType.Log | PacketMainReturnType.Allow; le = new LogEvent(String.Format(multistring.GetString("Touched Ports"), source.ToString(), tmp.getTouchedPorts().Count, tmp.getAverage()), this); LogCenter.Instance.LogEvent(le); ip_table[source].Reported = true; if (!data.blockImmediately) { potentials.Add(source, ip_table[source]); detect.addPotential(source); } else data.BlockCache.Add(source, ip_table[source]); return pmr; } } } catch (Exception e) { LogCenter.Instance.LogException(e); return PacketMainReturnType.Allow; } } return PacketMainReturnType.Allow; }
/// <summary> /// Adds a line to the display queue /// </summary> /// <param name="line"></param> public void AddLine(LogEvent line) { // only display if checked AND the return type is to notify if (GeneralConfiguration.Instance.ShowPopups && line.Module.GetUserInterface() != null && ((line.PMR & fireBwall.Modules.PacketMainReturnType.Popup) == fireBwall.Modules.PacketMainReturnType.Popup)) { //popup.AddLogEvent(line); } }
// main routine public override PacketMainReturnType interiorMain(ref Packet in_packet) { PacketMainReturnType pmr; LogEvent le; // check it the packet is, or contains, IP if (in_packet.ContainsLayer(Protocol.IP)) { // create a temp IPPacket obj and // check the IP address IPPacket temp = (IPPacket)in_packet; if (!isIPAllowed(temp.SourceIP)) { pmr = PacketMainReturnType.Drop; return pmr; } } // simple sanity check to dump the ipcache if it gets too large. // this does not effect the blockcache of banned IPs if ((ipcache.Count) > 500) ipcache.Clear(); // TCP incoming packets if (in_packet.GetHighestLayer() == Protocol.TCP) { TCPPacket packet = ((TCPPacket)in_packet); packet.PacketTime = DateTime.UtcNow; // if it's inbound and the SYN flag is set if (!packet.Outbound && packet.SYN && !packet.ACK) { // first packet init if (TCPprevious_packet == null) TCPprevious_packet = packet; // if the IP hasn't been logged yet if (!(ipcache.ContainsKey(packet.SourceIP))) ipcache.Add(packet.SourceIP, 1); // if the ipcache contains the ip else if (ipcache.ContainsKey(packet.SourceIP)) { // increment the packet count if they're coming in fast if ((packet.PacketTime - TCPprevious_packet.PacketTime).TotalMilliseconds <= data.dos_threshold) ipcache[packet.SourceIP] = (ipcache[packet.SourceIP]) + 1; else ipcache[packet.SourceIP] = 1; // check if this packet = previous, if the packet count is > 50, // and if the time between sent packets is less than the threshhold if (packet.SourceIP.Equals(TCPprevious_packet.SourceIP) && ((ipcache[packet.SourceIP]) > 50) && (packet.PacketTime - TCPprevious_packet.PacketTime).TotalMilliseconds <= data.dos_threshold) { pmr = PacketMainReturnType.Drop | PacketMainReturnType.Log | PacketMainReturnType.Popup; le = new LogEvent(String.Format(multistring.GetString("DoS Log"), packet.SourceIP.ToString()), this); le.PMR = PacketMainReturnType.Drop | PacketMainReturnType.Log | PacketMainReturnType.Popup; LogCenter.Instance.LogEvent(le); data.BlockCache.Add(packet.SourceIP, new BlockedIP(packet.SourceIP, DateTime.UtcNow, "DoS Attempt")); return pmr; } } TCPprevious_packet = packet; } } // fraggle attack mitigation if (in_packet.GetHighestLayer() == Protocol.UDP) { UDPPacket packet = ((UDPPacket)in_packet); packet.PacketTime = DateTime.UtcNow; // if it's inbound if (!(packet.Outbound)) { // add IP to cache or increment packet count if (!(ipcache.ContainsKey(packet.SourceIP))) ipcache.Add(packet.SourceIP, 1); else ipcache[packet.SourceIP] = (ipcache[packet.SourceIP]) + 1; // if the packet header is empty, headed towards port (7,13,19,17), and count > 50, // then it's probably a fraggle attack if (packet.isEmpty() && packet.DestPort.Equals(7) || packet.DestPort.Equals(13) || packet.DestPort.Equals(19) || packet.DestPort.Equals(17) && (ipcache[packet.SourceIP]) > 50) { pmr = PacketMainReturnType.Drop | PacketMainReturnType.Log | PacketMainReturnType.Popup; le = new LogEvent(String.Format(multistring.GetString("Fraggle Log"), packet.SourceIP.ToString()), this); le.PMR = PacketMainReturnType.Drop | PacketMainReturnType.Log | PacketMainReturnType.Popup; LogCenter.Instance.LogEvent(le); data.BlockCache.Add(packet.SourceIP, new BlockedIP(packet.SourceIP, DateTime.UtcNow, "Fraggle Attempt")); return pmr; } } } // smurf attack mitigation if (in_packet.GetHighestLayer() == Protocol.ICMP) { ICMPPacket packet = ((ICMPPacket)in_packet); packet.PacketTime = DateTime.UtcNow; if (!(packet.Outbound)) { // init the previous packet if (ICMPprevious_packet == null) ICMPprevious_packet = packet; // add IP to cache or increment packet count if (!(ipcache.ContainsKey(packet.SourceIP))) ipcache.Add(packet.SourceIP, 1); // if the packet is >= threshold after the previous and it's the same packet, clear up the cache else if ((packet.PacketTime.Millisecond - ICMPprevious_packet.PacketTime.Millisecond) >= data.dos_threshold && packet.Equals(ICMPprevious_packet)) ipcache[packet.SourceIP] = 1; // if the packet is coming in quickly, add it to the packet count else if ((packet.PacketTime.Millisecond - ICMPprevious_packet.PacketTime.Millisecond) <= data.dos_threshold) ipcache[packet.SourceIP] = (ipcache[packet.SourceIP]) + 1; // if the packet is an echo reply and the IP source // is the same as localhost and the time between packets is <= threshhold and // there are over 50 accumulated packets, it's probably a smurf attack if (packet.Type.ToString().Equals("0") && packet.Code.ToString().Equals("0") && isLocalIP(packet.SourceIP) && (packet.PacketTime.Millisecond - ICMPprevious_packet.PacketTime.Millisecond) <= data.dos_threshold && ipcache[packet.SourceIP] > 50) { pmr = PacketMainReturnType.Drop | PacketMainReturnType.Log | PacketMainReturnType.Popup; le = new LogEvent(String.Format(multistring.GetString("Smurf Log"), packet.SourceIP.ToString()), this); le.PMR = PacketMainReturnType.Drop | PacketMainReturnType.Log | PacketMainReturnType.Popup; LogCenter.Instance.LogEvent(le); data.BlockCache.Add(packet.SourceIP, new BlockedIP(packet.SourceIP, DateTime.UtcNow, "Smurf Attempt")); return pmr; } ICMPprevious_packet = packet; } } return PacketMainReturnType.Allow; }
public void LogEvent(LogEvent e) { EventQueue.Enqueue(e); }
/* * pushes log events to the event log file * Log\Event_<date>.log * * These logs are purged by the cleanLogs() method. */ private void WriteLogFile(LogEvent le) { string currentdate = DateTime.Now.ToString("MM-dd-yyyy"); string folder = ConfigurationManagement.Instance.ConfigurationPath; folder = folder + Path.DirectorySeparatorChar + "Log"; if (!Directory.Exists(folder)) Directory.CreateDirectory(folder); string filepath = folder; string filename = Path.DirectorySeparatorChar + "Event_" + currentdate + ".log"; FileStream stream; // if the log event is not null if (le != null) { // if the file exists, open in append and write to it if (File.Exists(filepath + filename)) stream = new FileStream(filepath + filename, FileMode.Append, FileAccess.Write, FileShare.ReadWrite); else stream = new FileStream(filepath + filename, FileMode.CreateNew, FileAccess.Write, FileShare.ReadWrite); StreamWriter m_streamWriter = new StreamWriter(stream); m_streamWriter.WriteLine(le.time.ToString() + " " + le.Module + ": " + le.Message + "\r"); m_streamWriter.Close(); stream.Close(); } }
public override PacketMainReturnType interiorMain(ref Packet in_packet) { LogEvent le; lock (padlock) { PacketStatus status = PacketStatus.UNDETERMINED; foreach (MacRule r in rules) { status = r.GetStatus(in_packet); if (status == PacketStatus.BLOCKED) { PacketMainReturnType pmr = PacketMainReturnType.Drop; if (r.GetLogMessage() != null) { pmr |= PacketMainReturnType.Log; le = new LogEvent(String.Format(r.GetLogMessage()), this); LogCenter.Instance.LogEvent(le); } if (r.notify) { pmr |= PacketMainReturnType.Popup; } return pmr; } else if (status == PacketStatus.ALLOWED) { return PacketMainReturnType.Allow; } } } return PacketMainReturnType.Allow; }
public override PacketMainReturnType interiorMain(ref Packet in_packet) { if (in_packet.GetHighestLayer() == Protocol.ARP) { ARPPacket arpp = (ARPPacket)in_packet; if (arpp.isRequest && arpp.Outbound) { IPAddr ip = new IPAddr(arpp.ATargetIP.GetAddressBytes()); if (!requestedIPs.Contains(ip)) requestedIPs.Add(ip); } else if (!arpp.Outbound) { IPAddr ip = new IPAddr(arpp.ASenderIP.GetAddressBytes()); if (!arpp.isRequest) { if (requestedIPs.Contains(ip)) { lock (padlock) { if (data.arpCache.ContainsKey(new IPAddr(arpp.ASenderIP.GetAddressBytes()))) { if (!Utility.ByteArrayEq(data.arpCache[new IPAddr(arpp.ASenderIP.GetAddressBytes())].AddressBytes, arpp.ASenderMac)) { PacketMainReturnType pmr = 0; if (data.RectifyAttacks) pmr = PacketMainReturnType.Edited; else pmr = PacketMainReturnType.Drop; if (data.LogAttacks) { LogEvent le = new LogEvent(String.Format(multistring.GetString("Response does not equal cache"), new PhysicalAddress(arpp.ASenderMac).ToString(), arpp.ASenderIP.ToString()), this); le.PMR = PacketMainReturnType.Log | PacketMainReturnType.Popup; LogCenter.Instance.LogEvent(le); } if (data.RectifyAttacks) { arpp.ATargetIP = arpp.ASenderIP; arpp.ATargetMac = data.arpCache[new IPAddr(arpp.ATargetIP.GetAddressBytes())].AddressBytes; arpp.ASenderMac = this.Adapter.GetAdapterInformation().InterfaceInformation.GetPhysicalAddress().GetAddressBytes(); arpp.FromMac = arpp.ASenderMac; arpp.ToMac = arpp.ATargetMac; arpp.ASenderIP = Adapter.GetAdapterInformation().IPv4; arpp.Outbound = true; in_packet = arpp; } return pmr; } else { requestedIPs.Remove(ip); } } else { data.arpCache[new IPAddr(arpp.ASenderIP.GetAddressBytes())] = new MACAddr(arpp.ASenderMac); if (UpdatedArpCache != null) UpdatedArpCache(); requestedIPs.Remove(ip); } } } else { lock (padlock) { if (data.arpCache.ContainsKey(new IPAddr(arpp.ASenderIP.GetAddressBytes()))) { if (!Utility.ByteArrayEq(data.arpCache[new IPAddr(arpp.ASenderIP.GetAddressBytes())].AddressBytes, arpp.ASenderMac)) { PacketMainReturnType pmra = 0; if (data.RectifyAttacks) pmra = PacketMainReturnType.Edited; else pmra = PacketMainReturnType.Drop; if (data.LogAttacks) { LogEvent le = new LogEvent(String.Format(multistring.GetString("Response does not equal cache"), new PhysicalAddress(arpp.ASenderMac).ToString(), arpp.ASenderIP.ToString()), this); le.PMR = PacketMainReturnType.Log | PacketMainReturnType.Popup; LogCenter.Instance.LogEvent(le); } if (data.RectifyAttacks) { arpp.ATargetIP = arpp.ASenderIP; arpp.ATargetMac = data.arpCache[new IPAddr(arpp.ATargetIP.GetAddressBytes())].AddressBytes; arpp.ASenderMac = this.Adapter.GetAdapterInformation().InterfaceInformation.GetPhysicalAddress().GetAddressBytes(); arpp.FromMac = arpp.ASenderMac; arpp.ToMac = arpp.ATargetMac; arpp.ASenderIP = Adapter.GetAdapterInformation().IPv4; arpp.Outbound = true; in_packet = arpp; } return pmra; } } } PacketMainReturnType pmr = 0; pmr = PacketMainReturnType.Drop; if (data.LogUnsolic) { LogEvent le2 = new LogEvent(String.Format(multistring.GetString("Unsolicited"), new PhysicalAddress(arpp.ASenderMac).ToString(), arpp.ASenderIP.ToString()), this); le2.PMR = PacketMainReturnType.Log; } return pmr; } } else { lock (padlock) { if (data.arpCache.ContainsKey(new IPAddr(arpp.ASenderIP.GetAddressBytes()))) { if (!Utility.ByteArrayEq(data.arpCache[new IPAddr(arpp.ASenderIP.GetAddressBytes())].AddressBytes, arpp.ASenderMac)) { PacketMainReturnType pmr = PacketMainReturnType.Drop; if (data.LogAttacks) { LogEvent le = new LogEvent(String.Format(multistring.GetString("Response does not equal cache"), new PhysicalAddress(arpp.ASenderMac).ToString(), arpp.ASenderIP.ToString()), this); le.PMR = PacketMainReturnType.Log | PacketMainReturnType.Popup; LogCenter.Instance.LogEvent(le); } return pmr; } } } } return 0; } return 0; } return 0; }