// main routine
public override PacketMainReturnType interiorMain(ref Packet in_packet)
{
LogEvent le;
// if the packet is ICMPv4
if (in_packet.GetHighestLayer() == Protocol.ICMP)
{
ICMPPacket packet = (ICMPPacket)in_packet;
// check if the packet is allowed and deny all is false
if (isAllowed(packet.Type.ToString(), packet.Code.ToString(), 4) &&
!data.DenyIPv4)
{
return PacketMainReturnType.Allow;
}
// else, log and drop it
else
{
PacketMainReturnType pmr = PacketMainReturnType.Drop;
if (data.Log)
{
pmr |= PacketMainReturnType.Log;
le = new LogEvent(String.Format(multistring.GetString("ICMPv4 was dropped"), packet.SourceIP.ToString(), packet.DestIP.ToString()), this);
le.PMR = PacketMainReturnType.Log | PacketMainReturnType.Drop;
LogCenter.Instance.LogEvent(le);
}
return pmr;
}
}
// if the packet is ICMPv6
if (in_packet.GetHighestLayer() == Protocol.ICMPv6)
{
ICMPv6Packet packet = (ICMPv6Packet)in_packet;
if ((isAllowed(packet.Type.ToString(), packet.Code.ToString(), 6) &&
!data.DenyIPv6) && isDeniedNDP(packet))
{
return PacketMainReturnType.Allow;
}
else
{
PacketMainReturnType pmr = PacketMainReturnType.Drop;
if (data.Log)
{
pmr |= PacketMainReturnType.Log;
le = new LogEvent(String.Format(multistring.GetString("ICMPv6 was dropped"), packet.SourceIP.ToString(), packet.DestIP.ToString()), this);
le.PMR = PacketMainReturnType.Log | PacketMainReturnType.Drop;
}
return pmr;
}
}
return PacketMainReturnType.Allow;
}
public void AddLogEvent(LogEvent le)
{
if (listBox1.InvokeRequired)
{
ALE ale = new ALE(AddLogEvent);
listBox1.Invoke(ale, le);
}
else
{
listBox1.Items.Insert(0, le);
while (listBox1.Items.Count > 5)
{
listBox1.Items.RemoveAt(5);
}
hideTime = DateTime.Now.AddSeconds(10);
ShowMe();
}
}
/*
* Object handles logging of a log event to the window
* @param le is the log event object to be logged
*/
public void AddLogEvent(LogEvent le)
{
// if the log event is sent from a thread other than the UI thread, invoke it
if (listBox1.InvokeRequired)
{
LogCenter.NewLogEvent d = new LogCenter.NewLogEvent(AddLogEvent);
listBox1.Invoke(d, new object[] { le });
}
// else log the message
else
{
LogEvent e = (LogEvent)le;
listBox1.Items.Insert(0, e.ToString());
while (listBox1.Items.Count > 1000)
{
listBox1.Items.RemoveAt(1000);
}
}
}
public override PacketMainReturnType interiorMain(ref Packet in_packet)
{
lock (padlock)
{
PacketStatus status = PacketStatus.UNDETERMINED;
foreach (Rule r in rules)
{
status = r.GetStatus(in_packet);
if (status == PacketStatus.BLOCKED)
{
PacketMainReturnType pmr;
pmr = PacketMainReturnType.Drop | PacketMainReturnType.LogPacket;
if (r.GetLogMessage() != null)
{
LogEvent le = new LogEvent(r.GetLogMessage(), this);
le.PMR = PacketMainReturnType.Log;
if (r.Notify())
{
le.PMR |= PacketMainReturnType.Popup;
}
LogCenter.Instance.LogEvent(le);
}
return pmr;
}
else if (status == PacketStatus.ALLOWED)
{
return 0;
}
}
}
return 0;
}
public override PacketMainReturnType interiorMain(ref Packet in_packet)
{
PacketMainReturnType pmr;
LogEvent le;
float av = 0;
if (in_packet.ContainsLayer(Protocol.TCP))
{
// if we're in cloaked mode, respond with the SYN ACK
// More information about this in the GUI code and help string
if (data.cloaked_mode && ((TCPPacket)in_packet).SYN && !((TCPPacket)in_packet).ACK)
{
TCPPacket from = (TCPPacket)in_packet;
EthPacket eth = new EthPacket(60);
eth.FromMac = Adapter.GetAdapterInformation().InterfaceInformation.GetPhysicalAddress().GetAddressBytes();
eth.ToMac = from.FromMac;
eth.Proto = new byte[2] { 0x08, 0x00 };
IPPacket ip = new IPPacket(eth);
ip.DestIP = from.SourceIP;
ip.SourceIP = from.DestIP;
ip.NextProtocol = 0x06;
ip.TotalLength = 40;
ip.HeaderChecksum = ip.GenerateIPChecksum;
TCPPacket tcp = new TCPPacket(ip);
tcp.SourcePort = from.DestPort;
tcp.DestPort = from.SourcePort;
tcp.SequenceNumber = (uint)new Random().Next();
tcp.AckNumber = 0;
tcp.WindowSize = 8192;
tcp.SYN = true;
tcp.ACK = true;
tcp.Checksum = tcp.GenerateChecksum;
tcp.Outbound = true;
Adapter.SendPacket(tcp);
}
try
{
TCPPacket packet = (TCPPacket)in_packet;
// if the IP is in the blockcache, then return
if (data.BlockCache == null)
data.BlockCache = new SerializableDictionary<IPAddr, IPObj>();
IPAddr source = packet.SourceIP;
if (data.BlockCache.ContainsKey(source))
{
pmr = PacketMainReturnType.Drop;
return pmr;
}
// checking for TTL allows us to rule out the local network
// Don't check for TCP flags because we can make an educated guess that if 100+ of our ports are
// fingered with a short window, we're being scanned. this will detect syn, ack, null, xmas, etc. scans.
if ((!packet.Outbound) && (packet.TTL < 250) && packet.SYN && !packet.ACK)
{
IPObj tmp;
if (ip_table == null) ip_table = new Dictionary<IPAddr, IPObj>();
if (ip_table.ContainsKey(source))
tmp = (IPObj)ip_table[source];
else
tmp = new IPObj(source);
// add the port to the ipobj, set the access time, and update the table
tmp.addPort(packet.DestPort);
//tmp.time(packet.PacketTime);
ip_table[source] = tmp;
av = tmp.getAverage();
// if they've touched more than 100 ports in less than 30 seconds and the average
// packet time was less than 2s, something's wrong
if (tmp.getTouchedPorts().Count >= 100 && (!tmp.Reported) &&
tmp.getAverage() < 2000 )
{
pmr = PacketMainReturnType.Log | PacketMainReturnType.Allow;
le = new LogEvent(String.Format(multistring.GetString("Touched Ports"),
source.ToString(), tmp.getTouchedPorts().Count, tmp.getAverage()), this);
LogCenter.Instance.LogEvent(le);
// set the reported status of the IP address
ip_table[source].Reported = true;
// add the address to the potential list of IPs and to the local SESSION-BASED list
if (!data.blockImmediately)
{
potentials.Add(source, ip_table[source]);
detect.addPotential(source);
}
// else we want to block it immediately
else
data.BlockCache.Add(source, ip_table[source]);
return pmr;
}
}
}
catch (Exception e)
{
LogCenter.Instance.LogException(e);
return PacketMainReturnType.Allow;
}
}
// This will detect UDP knockers. typically UDP scans are slower, but are combined with SYN scans
// (-sSU in nmap) so we'll be sure to check for these guys too.
else if (in_packet.ContainsLayer(Protocol.UDP))
{
try
{
UDPPacket packet = (UDPPacket)in_packet;
IPAddr source = packet.SourceIP;
// if the source addr is in the block cache, return
if (data.BlockCache.ContainsKey(source))
{
return PacketMainReturnType.Drop;
}
if ((!packet.Outbound) && (packet.TTL < 250) &&
(!packet.isDNS()))
{
IPObj tmp;
if (ip_table.ContainsKey(source))
tmp = (IPObj)ip_table[source];
else
tmp = new IPObj(source);
tmp.addPort(packet.DestPort);
//tmp.time(packet.PacketTime);
ip_table[source] = tmp;
av = tmp.getAverage();
if ((tmp.getTouchedPorts().Count >= 100) && (!tmp.Reported) &&
(tmp.getAverage() < 2000))
{
pmr = PacketMainReturnType.Log | PacketMainReturnType.Allow;
le = new LogEvent(String.Format(multistring.GetString("Touched Ports"),
source.ToString(), tmp.getTouchedPorts().Count, tmp.getAverage()), this);
LogCenter.Instance.LogEvent(le);
ip_table[source].Reported = true;
if (!data.blockImmediately)
{
potentials.Add(source, ip_table[source]);
detect.addPotential(source);
}
else
data.BlockCache.Add(source, ip_table[source]);
return pmr;
}
}
}
catch (Exception e)
{
LogCenter.Instance.LogException(e);
return PacketMainReturnType.Allow;
}
}
return PacketMainReturnType.Allow;
}
/// <summary>
/// Adds a line to the display queue
/// </summary>
/// <param name="line"></param>
public void AddLine(LogEvent line)
{
// only display if checked AND the return type is to notify
if (GeneralConfiguration.Instance.ShowPopups && line.Module.GetUserInterface() != null && ((line.PMR & fireBwall.Modules.PacketMainReturnType.Popup) == fireBwall.Modules.PacketMainReturnType.Popup))
{
//popup.AddLogEvent(line);
}
}
// main routine
public override PacketMainReturnType interiorMain(ref Packet in_packet)
{
PacketMainReturnType pmr;
LogEvent le;
// check it the packet is, or contains, IP
if (in_packet.ContainsLayer(Protocol.IP))
{
// create a temp IPPacket obj and
// check the IP address
IPPacket temp = (IPPacket)in_packet;
if (!isIPAllowed(temp.SourceIP))
{
pmr = PacketMainReturnType.Drop;
return pmr;
}
}
// simple sanity check to dump the ipcache if it gets too large.
// this does not effect the blockcache of banned IPs
if ((ipcache.Count) > 500)
ipcache.Clear();
// TCP incoming packets
if (in_packet.GetHighestLayer() == Protocol.TCP)
{
TCPPacket packet = ((TCPPacket)in_packet);
packet.PacketTime = DateTime.UtcNow;
// if it's inbound and the SYN flag is set
if (!packet.Outbound && packet.SYN && !packet.ACK)
{
// first packet init
if (TCPprevious_packet == null)
TCPprevious_packet = packet;
// if the IP hasn't been logged yet
if (!(ipcache.ContainsKey(packet.SourceIP)))
ipcache.Add(packet.SourceIP, 1);
// if the ipcache contains the ip
else if (ipcache.ContainsKey(packet.SourceIP))
{
// increment the packet count if they're coming in fast
if ((packet.PacketTime - TCPprevious_packet.PacketTime).TotalMilliseconds <= data.dos_threshold)
ipcache[packet.SourceIP] = (ipcache[packet.SourceIP]) + 1;
else ipcache[packet.SourceIP] = 1;
// check if this packet = previous, if the packet count is > 50,
// and if the time between sent packets is less than the threshhold
if (packet.SourceIP.Equals(TCPprevious_packet.SourceIP) &&
((ipcache[packet.SourceIP]) > 50) &&
(packet.PacketTime - TCPprevious_packet.PacketTime).TotalMilliseconds <= data.dos_threshold)
{
pmr = PacketMainReturnType.Drop | PacketMainReturnType.Log | PacketMainReturnType.Popup;
le = new LogEvent(String.Format(multistring.GetString("DoS Log"), packet.SourceIP.ToString()), this);
le.PMR = PacketMainReturnType.Drop | PacketMainReturnType.Log | PacketMainReturnType.Popup;
LogCenter.Instance.LogEvent(le);
data.BlockCache.Add(packet.SourceIP, new BlockedIP(packet.SourceIP, DateTime.UtcNow, "DoS Attempt"));
return pmr;
}
}
TCPprevious_packet = packet;
}
}
// fraggle attack mitigation
if (in_packet.GetHighestLayer() == Protocol.UDP)
{
UDPPacket packet = ((UDPPacket)in_packet);
packet.PacketTime = DateTime.UtcNow;
// if it's inbound
if (!(packet.Outbound))
{
// add IP to cache or increment packet count
if (!(ipcache.ContainsKey(packet.SourceIP)))
ipcache.Add(packet.SourceIP, 1);
else
ipcache[packet.SourceIP] = (ipcache[packet.SourceIP]) + 1;
// if the packet header is empty, headed towards port (7,13,19,17), and count > 50,
// then it's probably a fraggle attack
if (packet.isEmpty() && packet.DestPort.Equals(7) || packet.DestPort.Equals(13) ||
packet.DestPort.Equals(19) || packet.DestPort.Equals(17) &&
(ipcache[packet.SourceIP]) > 50)
{
pmr = PacketMainReturnType.Drop | PacketMainReturnType.Log | PacketMainReturnType.Popup;
le = new LogEvent(String.Format(multistring.GetString("Fraggle Log"), packet.SourceIP.ToString()), this);
le.PMR = PacketMainReturnType.Drop | PacketMainReturnType.Log | PacketMainReturnType.Popup;
LogCenter.Instance.LogEvent(le);
data.BlockCache.Add(packet.SourceIP, new BlockedIP(packet.SourceIP, DateTime.UtcNow, "Fraggle Attempt"));
return pmr;
}
}
}
// smurf attack mitigation
if (in_packet.GetHighestLayer() == Protocol.ICMP)
{
ICMPPacket packet = ((ICMPPacket)in_packet);
packet.PacketTime = DateTime.UtcNow;
if (!(packet.Outbound))
{
// init the previous packet
if (ICMPprevious_packet == null)
ICMPprevious_packet = packet;
// add IP to cache or increment packet count
if (!(ipcache.ContainsKey(packet.SourceIP)))
ipcache.Add(packet.SourceIP, 1);
// if the packet is >= threshold after the previous and it's the same packet, clear up the cache
else if ((packet.PacketTime.Millisecond - ICMPprevious_packet.PacketTime.Millisecond) >= data.dos_threshold &&
packet.Equals(ICMPprevious_packet))
ipcache[packet.SourceIP] = 1;
// if the packet is coming in quickly, add it to the packet count
else if ((packet.PacketTime.Millisecond - ICMPprevious_packet.PacketTime.Millisecond) <= data.dos_threshold)
ipcache[packet.SourceIP] = (ipcache[packet.SourceIP]) + 1;
// if the packet is an echo reply and the IP source
// is the same as localhost and the time between packets is <= threshhold and
// there are over 50 accumulated packets, it's probably a smurf attack
if (packet.Type.ToString().Equals("0") &&
packet.Code.ToString().Equals("0") &&
isLocalIP(packet.SourceIP) &&
(packet.PacketTime.Millisecond - ICMPprevious_packet.PacketTime.Millisecond) <= data.dos_threshold &&
ipcache[packet.SourceIP] > 50)
{
pmr = PacketMainReturnType.Drop | PacketMainReturnType.Log | PacketMainReturnType.Popup;
le = new LogEvent(String.Format(multistring.GetString("Smurf Log"), packet.SourceIP.ToString()), this);
le.PMR = PacketMainReturnType.Drop | PacketMainReturnType.Log | PacketMainReturnType.Popup;
LogCenter.Instance.LogEvent(le);
data.BlockCache.Add(packet.SourceIP, new BlockedIP(packet.SourceIP, DateTime.UtcNow, "Smurf Attempt"));
return pmr;
}
ICMPprevious_packet = packet;
}
}
return PacketMainReturnType.Allow;
}
public void LogEvent(LogEvent e)
{
EventQueue.Enqueue(e);
}
/*
* pushes log events to the event log file
* Log\Event_<date>.log
*
* These logs are purged by the cleanLogs() method.
*/
private void WriteLogFile(LogEvent le)
{
string currentdate = DateTime.Now.ToString("MM-dd-yyyy");
string folder = ConfigurationManagement.Instance.ConfigurationPath;
folder = folder + Path.DirectorySeparatorChar + "Log";
if (!Directory.Exists(folder))
Directory.CreateDirectory(folder);
string filepath = folder;
string filename = Path.DirectorySeparatorChar + "Event_" + currentdate + ".log";
FileStream stream;
// if the log event is not null
if (le != null)
{
// if the file exists, open in append and write to it
if (File.Exists(filepath + filename))
stream = new FileStream(filepath + filename, FileMode.Append, FileAccess.Write, FileShare.ReadWrite);
else
stream = new FileStream(filepath + filename, FileMode.CreateNew, FileAccess.Write, FileShare.ReadWrite);
StreamWriter m_streamWriter = new StreamWriter(stream);
m_streamWriter.WriteLine(le.time.ToString() + " " + le.Module + ": " + le.Message + "\r");
m_streamWriter.Close();
stream.Close();
}
}
public void LogEvent(LogEvent e)
{
EventQueue.Enqueue(e);
}
public override PacketMainReturnType interiorMain(ref Packet in_packet)
{
LogEvent le;
lock (padlock)
{
PacketStatus status = PacketStatus.UNDETERMINED;
foreach (MacRule r in rules)
{
status = r.GetStatus(in_packet);
if (status == PacketStatus.BLOCKED)
{
PacketMainReturnType pmr = PacketMainReturnType.Drop;
if (r.GetLogMessage() != null)
{
pmr |= PacketMainReturnType.Log;
le = new LogEvent(String.Format(r.GetLogMessage()), this);
LogCenter.Instance.LogEvent(le);
}
if (r.notify)
{
pmr |= PacketMainReturnType.Popup;
}
return pmr;
}
else if (status == PacketStatus.ALLOWED)
{
return PacketMainReturnType.Allow;
}
}
}
return PacketMainReturnType.Allow;
}
public override PacketMainReturnType interiorMain(ref Packet in_packet)
{
if (in_packet.GetHighestLayer() == Protocol.ARP)
{
ARPPacket arpp = (ARPPacket)in_packet;
if (arpp.isRequest && arpp.Outbound)
{
IPAddr ip = new IPAddr(arpp.ATargetIP.GetAddressBytes());
if (!requestedIPs.Contains(ip))
requestedIPs.Add(ip);
}
else if (!arpp.Outbound)
{
IPAddr ip = new IPAddr(arpp.ASenderIP.GetAddressBytes());
if (!arpp.isRequest)
{
if (requestedIPs.Contains(ip))
{
lock (padlock)
{
if (data.arpCache.ContainsKey(new IPAddr(arpp.ASenderIP.GetAddressBytes())))
{
if (!Utility.ByteArrayEq(data.arpCache[new IPAddr(arpp.ASenderIP.GetAddressBytes())].AddressBytes, arpp.ASenderMac))
{
PacketMainReturnType pmr = 0;
if (data.RectifyAttacks)
pmr = PacketMainReturnType.Edited;
else
pmr = PacketMainReturnType.Drop;
if (data.LogAttacks)
{
LogEvent le = new LogEvent(String.Format(multistring.GetString("Response does not equal cache"), new PhysicalAddress(arpp.ASenderMac).ToString(), arpp.ASenderIP.ToString()), this);
le.PMR = PacketMainReturnType.Log | PacketMainReturnType.Popup;
LogCenter.Instance.LogEvent(le);
}
if (data.RectifyAttacks)
{
arpp.ATargetIP = arpp.ASenderIP;
arpp.ATargetMac = data.arpCache[new IPAddr(arpp.ATargetIP.GetAddressBytes())].AddressBytes;
arpp.ASenderMac = this.Adapter.GetAdapterInformation().InterfaceInformation.GetPhysicalAddress().GetAddressBytes();
arpp.FromMac = arpp.ASenderMac;
arpp.ToMac = arpp.ATargetMac;
arpp.ASenderIP = Adapter.GetAdapterInformation().IPv4;
arpp.Outbound = true;
in_packet = arpp;
}
return pmr;
}
else
{
requestedIPs.Remove(ip);
}
}
else
{
data.arpCache[new IPAddr(arpp.ASenderIP.GetAddressBytes())] = new MACAddr(arpp.ASenderMac);
if (UpdatedArpCache != null)
UpdatedArpCache();
requestedIPs.Remove(ip);
}
}
}
else
{
lock (padlock)
{
if (data.arpCache.ContainsKey(new IPAddr(arpp.ASenderIP.GetAddressBytes())))
{
if (!Utility.ByteArrayEq(data.arpCache[new IPAddr(arpp.ASenderIP.GetAddressBytes())].AddressBytes, arpp.ASenderMac))
{
PacketMainReturnType pmra = 0;
if (data.RectifyAttacks)
pmra = PacketMainReturnType.Edited;
else
pmra = PacketMainReturnType.Drop;
if (data.LogAttacks)
{
LogEvent le = new LogEvent(String.Format(multistring.GetString("Response does not equal cache"), new PhysicalAddress(arpp.ASenderMac).ToString(), arpp.ASenderIP.ToString()), this);
le.PMR = PacketMainReturnType.Log | PacketMainReturnType.Popup;
LogCenter.Instance.LogEvent(le);
}
if (data.RectifyAttacks)
{
arpp.ATargetIP = arpp.ASenderIP;
arpp.ATargetMac = data.arpCache[new IPAddr(arpp.ATargetIP.GetAddressBytes())].AddressBytes;
arpp.ASenderMac = this.Adapter.GetAdapterInformation().InterfaceInformation.GetPhysicalAddress().GetAddressBytes();
arpp.FromMac = arpp.ASenderMac;
arpp.ToMac = arpp.ATargetMac;
arpp.ASenderIP = Adapter.GetAdapterInformation().IPv4;
arpp.Outbound = true;
in_packet = arpp;
}
return pmra;
}
}
}
PacketMainReturnType pmr = 0;
pmr = PacketMainReturnType.Drop;
if (data.LogUnsolic)
{
LogEvent le2 = new LogEvent(String.Format(multistring.GetString("Unsolicited"), new PhysicalAddress(arpp.ASenderMac).ToString(), arpp.ASenderIP.ToString()), this);
le2.PMR = PacketMainReturnType.Log;
}
return pmr;
}
}
else
{
lock (padlock)
{
if (data.arpCache.ContainsKey(new IPAddr(arpp.ASenderIP.GetAddressBytes())))
{
if (!Utility.ByteArrayEq(data.arpCache[new IPAddr(arpp.ASenderIP.GetAddressBytes())].AddressBytes, arpp.ASenderMac))
{
PacketMainReturnType pmr = PacketMainReturnType.Drop;
if (data.LogAttacks)
{
LogEvent le = new LogEvent(String.Format(multistring.GetString("Response does not equal cache"), new PhysicalAddress(arpp.ASenderMac).ToString(), arpp.ASenderIP.ToString()), this);
le.PMR = PacketMainReturnType.Log | PacketMainReturnType.Popup;
LogCenter.Instance.LogEvent(le);
}
return pmr;
}
}
}
}
return 0;
}
return 0;
}
return 0;
}
