Intrusion detection tool Watcher

xiaoxiao2021-03-06  110

Intrusion detection tool Watcher

Create time: 2000-07-24

Article attribute: original

Article submission:

Quack (QUACK_AT_XFOCUS.ORG)

Intrusion detection tool Watcher

===================

By QUACK

Reference Watcher by Hyperion in Pharck

First, write in front

How do you know if the system is overlink? When you find more strange accounts or some Troy procedures in the system,

Everything is too late. Unless your machine is very powerful, your chance only exists when you are scanned in the machine,

The short period of time before the attack occurs. Of course, you can use programs similar to TCP Wrappers to ensure the system

Connection security, but it does not monitor Stealth Scan or DOS attack, you can also purchase commercial versions

Infading monitoring system - as long as you are not too expensive, in fact, the most cost-effective is to get similar free from the Internet

Software, install or transform it to accommodate your needs, Watcher is such a guy.

Second, the function

Watcher detects all the information packages, and will think that it is a malicious attack behavior record in syslog, current

Watcher can detect the following attack behavior:

- All TCP scans

- All UDP scans

- SYNFLOOD attack

TEARDROP attack

- LAND attack

- Smurf attack

- ping of death attack

All parameters and configuration are given in the command line, you can configure it only to monitor scan behavior or only

Attacking the DOS. Its monitoring behavior is this: If there is more than 7 ports in a short time to receive the packet

(Regardless of the type), then this event is recorded as a port scan. The principle of UDP scanning is also one

kind. When Watcher receives more than 8 SYN packages in the same port, there is no ACK or FIN bit, it will be determined that

SYNFLOOD Attack event. If the UDP's fragmentation package - IP package is 242, it thinks it is a TEARDROP attack.

Because the published attack code is used 242 ID number - this is insufficient; (. Large TCP on the same port)

SYN package, source address and target address, will be considered LAND attack, if there are more than 5 ICMP Echo Replies

The appearance in a short period of time (time can be customized), will be recorded as a smurf attack ...

Watcher has three monitoring modes, in the default mode, it only monitors the attack behavior of this host, the second

Mode can monitor all hosts in the Class C subnet, and the third mode can monitor all the mains that can receive the packet.

machine. When you put Watcher on the external host, monitoring the multi-host is particularly effective, when a host's log file is

When destroying, there is also a record on other hosts.

Since Watcher uses all the packets as "attack", then the analysis is made extremely rough,

May be missed, so the author has added some filtration skills in the code.

For example, some Web Server will have a beautiful GIF image or Flash and other things, and the client will often open it.

Multiple threads download it, then Watcher's rules will think this is a TCP Scan, so the author has to add it.

The rules that only over 40 TCP connections are recorded - these are customizable. It is not detailed, you can

See the code below.

Its output is very simple. It will record possible attack behavior every 10 seconds in syslog, and the source IP and the target IP or even relevant information will be recorded, if the number of port numbers, packages, etc. The IP of the attack behavior is

False, then it will record the MAC address - if the attack comes from the outside, the address will be the route you have received the package.

The address, if the attack comes from internal, oh, you can use your own way to "thanks" attackers;)

Third, program parameters

Watcher is used for Linux systems, usually you only need to run it in the back of the command line, its parameters are as follows:

USAGE: WATCHER [parameter]

-d Device Sets 'Device' to the current network card, the default is the first non-loopback interfab

-f flood setting After receiving how much incomplete connection, it is considered to be a FLOOD attack

-H Help information

-i ICMPLIMIT settings How much ICMP Echo replies is considered to be a smurf attack

-m Level can set monitoring machines, such as subnets for machines in subdomains, or all for all

-p portlimit how many ports received in Timeout's restrictions are a port scan

-r reporttype If the ReportType is set to DOS, then only the denial of the service attack will be recorded, if it is scan

If the scan behavior will be recorded, the default is recorded.

-t timeout records packets and prints potential attack behavior every time Timeout time

-w Webcount settings How much information we receive from 80 is only a port scan (CGI)

I hope this little thing will make your system slightly safe, but you have to warn you that system security is multi-facete, don't

Counting an app or something that can make you absolutely safe - if you don't believe, you have to reload the system sooner or later;)

---- [Code

< > EX / Watcher.c

/ ************************************************** *******************

Program: Watcher

A NetWork Level Monitoring Tool To Detect Incoming Packets Indicative of

Potential Attacks.

This Software Detects Low Level Packet Scanners and SEVERAL DOS ATTACks.

ITS Primary Use is to detect low level packet scans, Since these is usually

Done First To Identify Active Systems and Services To Mount Further Attacks.

The Package Assumes Every Incoming Packet Is Potentially Hostile. Some Checks

Are Done to Minimize False Positives, But On Occasion a Site May Be falsely

Identified as havning performed a packet scan or synflood attack. this usually

Occurs if A Large Number of Connections Are Done in a brief Time Right Before

The Reporting Timeout Period (I.E.When Browsing A WWW Site with Lots of Lots of A WIWW SITE

Little Gif's, Each Requiring a connection to download. You can Also Get False

Positives if you scan another site, since the targets responses will be viewed

As a potential scan of your system.

By Default, Alerts Are Printed to Syslog Every 10 Seconds.

*********************************************************** ******************** /

#include

#include

#include

#include

#include

#include

#include

#include

#include

#include

#include

#include

#include

#include

#include

#include

#include

#include

#include

#include

#include

#define pktlen 96 / * Should Be ENOUGH for What We want * /

#ifndef ip_mf

#define ip_mf 0x2000

#ENDIF

/ ***** Watch level limited ****** /

#define myselfonly 1

#define mysubnet 2

#define humanitarian 3

/ ***** Report Levels ****** /

#define reportall 1

#define reportdos 2

#define reportscan 3

Struct floodinfo {

U_SHORT SPORT;

Struct Floodinfo * Next;

}

Struct addrlist {

U_long saddr;

int CNT;

Int wwwcnt;

Struct AddRlist * Next;

}

Struct atk {

U_long saddr;

u_char eaddr [eth_alent];

Time_t atktime;

}

Struct pktin {

U_long saddr;

U_SHORT SPORT;

U_SHORT DPORT;

TIME_T TIMEIN

u_char eaddr [eth_alent];

Struct floodinfo * fi;

Struct pktin * next;

}

Struct scanfo {

U_long addr; struct atk teardrop;

Struct atk land;

Struct atk icmpfrag;

Struct pktin * tcpin;

Struct pktin * udpin;

Struct scanfo * next;

u_long ICMPCNT;

}

Struct scanfo * gsilist = null, * GSI;

u_long gmaddr;

Time_t gtimer = 10, gtimein

INT gportlimit = 7;

INT gsynflood = 8;

INT gwebcount = 40;

INT GICMPLIMIT = 5;

INT gwatchlevel = myselfonly;

INT greportlevel = reportall;

Char * gprogramname, * gDevice = "eth0";

/ ******** ip packet info ******** /

u_long gsaddr, gdaddr;

Int Giplen, Gisfrag, GID

/ ****** EXTERNALS ************* /

EXTERN INT errno;

EXTERN CHAR * OPTARG;

Extern Int Optind, Opterr;

Void do_tcp (), do_udp (), do_ICMP (), Print_INFO (), process_packet ();

Void Addtcp (), clear_pktin (), buildnet ();

Void doargs (), usage (), addfloodinfo (), RMFLODInfo ();

Struct scanfo * doicare (), * addtarget ();

Char * anetaddr (), * ether_ntoa ();

u_char * readDevice ();

Main (Argc, Argv)

Int argc;

Char * argv [];

{

INT pktlen = 0, i, netfd;

U_CHAR * PKT;

Char Hostname [32];

Struct hostent * hp;

Time_t t;

Doargs (Argc, Argv);

OpenLog ("Watcher", 0, Log_Daemon;

IF (getName (Hostname, Hostname) <0)

{

PERROR ("gethostname");

EXIT (-1);

}

IF ((HP = gethostByname) == null)

{

FPrintf (stderr, "cannot find ion address / n");

EXIT (-1);

}

Memcpy (CHAR *) & gmaddr, hp-> h_addr, hp-> h_length;

Buildnet ();

IF ((Netfd = INITDEVICE (O_RDWR, 0)) <0)

EXIT (-1);

/ * Now read packets forver and process them. * /

T = TIME ((TIME_T *) 0);

While (pkt = readDevice (netfd, & pktlen))

{

Process_packet (PKT, PKTLEN);

IF (Time_T *) 0) - T> gtimer)

{

/ * Times Up. Print What We Found and Clean Out Old Stuff. * / For (GSI = GSILIST, I = 0; GSI; GSI = GSI-> Next, i )

{

Clear_pktin (GSI);

Print_info ();

GSI-> ICMPCNT = 0;

}

T = TIME ((TIME_T *) 0);

}

}

}

/ ************************************************** ********************

Function: doargs

Purpose: Sets Values ​​from Environment OR Command Line Arguments.

*********************************************************** ******************* /

Void Doargs (Argc, Argv)

Int argc;

Char ** argv;

{

Char C;

Gprogramname = argv [0];

While ((C = Getopt (Argc, Argv, "D: F: Hi: M: P: R: T: w:"))! = EOF)

{

Switch (c)

{

Case 'd':

GDEVICE = OPTARG;

Break;

Case 'f':

Gsynflood = atoi (OPTARG);

Break;

Case 'h':

USAGE ();

exit (0);

Case 'I':

GICMPLIMIT = ATOI (OPTARG);

Break;

Case 'M':

IF (Strcmp (Optarg, "ALL") == 0)

GWatchLevel = Humanitarian;

ELSE IF (Strcmp (Optarg, "Subnet") == 0)

GWatchLevel = mysubnet;

Else

{

USAGE ();

EXIT (-1);

}

Break;

Case 'P':

Gportlimit = ATOI (OPTARG);

Break;

Case 'R':

IF (Strcmp (Optarg, "DOS") == 0)

Greportlevel = Reportdos;

ELSE IF (Strcmp (Optarg, "Scan") == 0)

GreportLevel = Reportscan;

Else

{

EXIT (-1);

}

Break;

Case 'T':

Gtimer = atoi (OPTARG);

Break;

Case 'W':

Gwebcount = atoi (OPTARG);

Break;

DEFAULT:

USAGE ();

EXIT (-1);

}

}

}

/ ************************************************** ********************

Function: usage

Purpose: Display The Usage of the Program

*********************************************************** ******************* /

Void usage ()

{

Printf ("USAGE:% s [options] / n", gprogramname); Printf ("-d device use 'device' as the network interface device / n");

Printf ("THE FIRST NON-loopback interface is the default / n");

Printf ("-f flood assume a synflood attck occurred if more Than / n");

Printf ("'Flood' Uncompleted Connections Are Received / N");

Printf ("-h a little help here / n");

Printf ("-i Icmplimit Assume We May Be Part of A Smurf Attack IF More / N");

Printf ("Than Icmplimit ICMP Echo Replies Are Seen / N");

Printf ("-M Level Monitor More Than Just Our Own Host./N");

Printf ("A level of 'subnet' Watches All Addresses IN OUR / N);

Printf ("Subnet and 'All' Watches All Addresses / N");

Printf ("-P PortLimit Logs a Portscan Alert if Packets Are Received FOR / N");

Printf ("More Tan Portlimit Ports in the Timeout Period./N");

Printf ("-r ReportType if ReportType IS DOS, ONLY DENIAL OF Service / N");

Printf ("Attacks Are Reported. if ReportType IS SCAN / N);

PRINTF ("" "" "

Printf ("Reported by Default./N");

Printf ("-t Timeout Count Packets and Print Potential Attacks Every / N");

Printf ("Timeout Seconds / N");

Printf ("-w Webcount Assume We are Being PortScanned if more Than / N);

Printf ("Webcount Packets Are Received from Port 80 / N");

}

/ ************************************************** ********************* FUNCTION: Buildnet

Purpose: setup for monitoring of our host or entire subnet.

*********************************************************** ******************* /

Void buildnet ()

{

U_long addr;

u_char * p;

INT I;

IF (gwatchlevel == myselfonly) / * Just Care About me * /

{

(void) ADDTARGET (GMADDR);

}

Else if (gwatchlevel == mysubnet) / * Friends and neighbors * /

{

Addr = HTONL (Gmaddr);

Addr = addr & 0xffffff00;

For (i = 0; i <256; i )

(void) Adtarget (NTOHL (AddR i));

}

}

/ ************************************************** ********************

Function: DOICARE

Purpose: See If We Monitor this Address

*********************************************************** ******************* /

Struct Scanfo * DoiiiCare (AddR)

U_long addr;

{

Struct scanfo * si;

INT I;

For (Si = Gsilist; Si; Si = Si-> Next)

{

IF (Si-> Addr == Addr)

Return (Si);

}

IF (gwatchlevel == humanitarian) / * Add a new address, we always cre * /

{

Si = addTarget (addr);

Return (Si);

}

Return (NULL);

}

/ ************************************************** ********************

Function: addtarget

Purpose: add a new ip address to the list of hosts to watch.

*********************************************************** ******************* /

Struct Scanfo * AddTarget (AddR)

U_long addr;

{

Struct scanfo * si;

IF ((Si = (Struct ScanInfo *) Malloc (Struct ScanInfo)) == NULL)

{

PERROR ("Malloc ScanInfo";

EXIT (-1);

}

MEMSET (Si, 0, SIZEOF (Struct ScanInfo);

Si-> addr = addr;

Si-> Next = GSILIST;

Gsilist = si;

Return (Si);

}

/ ************************************************** ******************** FUNCTION: Process_packet

Purpose: Process Raw Packet and Figure Out What We need to to with it.

Pulls The Packet Apart and Stores Key Data in Global Areas for Reference

By Other functions.

*********************************************************** ******************* /

Void Process_packet (PKT, PKTLEN)

U_CHAR * PKT;

Int pktlen;

{

Struct Ethhdr * EP;

Struct iphdr * ip;

Static struct align {struct iPhdr ip; char buf [pktlen];} a1;

U_SHORT OFF;

Gtimein = Time ((Time_t *) 0);

EP = (struct ethhhdr *) pkt;

IF (NTOHS (EP-> h_proto)! = Eth_P_IP)

Return;

PKT = SIZEOF (struct ethhdr);

Pktlen - = SIZEOF (Struct Ethhdr);

Memcpy (& A1, PKT, PKTLEN);

IP = & A1.IP;

GSADDR = IP-> Saddr;

GDADDR = IP-> DADDR;

IF ((GSI = DOICARE (GDADDR)) == NULL)

Return;

OFF = NTOHS (IP-> FRAG_OFF);

Gisfrag = (OFF & IP_MF); / * set if packet is fragmented * /

Giplen = NTOHS (IP-> TOT_LEN);

GID = NTOHS (IP-> ID);

PKT = (u_char *) IP (IP-> IHL << 2);

Giplen - = (IP-> IHL << 2);

Switch (ip-> protocol)

{

Case ipproto_tcp:

DO_TCP (EP, PKT);

Break;

Case ipproto_udp:

DO_UDP (EP, PKT);

Break;

Case ipproto_ICMP:

DO_ICMP (EP, PKT);

Break;

DEFAULT:

Break;

}

}

/ ************************************************** ********************

Function: do_tcp

Purpose: Process this TCP packet if it is important.

*********************************************************** ******************* /

Void DO_TCP (EP, PKT)

Struct Ethhdr * EP;

U_CHAR * PKT;

{

Struct TCPHDR * THDR;

U_SHORT SPORT, DPORT;

THDR = (struct tcphdr *) pkt;

IF (THDR-> TH_FLAGS & TH_RST) / * RST generates no response * / return; / * therefore can't be used to scan. * /

Sport = NTOHS (THDR-> TH_SPORT);

DPORT = NTOHS (THDR-> TH_DPORT);

IF (THDR-> TH_FLAGS & TH_SYN)

{

IF (gsaddr == gdaddr && sport == DPORT)

{

GSI-> land.atktime = gtimein;

GSI-> land.saddr = gsaddr;

Memcpy (gsi-> land.eaddr, ep-> h_source, eth_alent);

}

}

AddTCP (Sport, Dport, THDR-> TH_FLAGS, EP-> h_source);

}

/ ************************************************** ********************

Function: AddTCP

PURPOSE: Add this TCP Packet to Our List.

*********************************************************** ******************* /

Void AddTCP (Sport, Dport, Flags, EADDR)

U_SHORT SPORT;

U_SHORT DPORT;

U_CHAR FLAGS;

U_CHAR * EADDR;

{

Struct Pktin * Pi, * Last, * TPI;

/ * See if if this packet relates to other packets already received. * /

For (pi = gsi-> tcpin; pi; pi = pi-> Next)

{

IF (pi-> saddr == gsaddr && pi-> dport == dport)

{

IF (Flags == TH_SYN)

AddFloodInfo (PI, Sport);

ELSE IF ((Flags & TH_FIN) || (Flags & TH_Ack))

RMFLODINFO (PI, SPORT);

Return;

}

Last = Pi;

}

/ * Must Be new entry * /

IF ((tpi = (struct pktin *) malloc (Struct Pktin)) == NULL)

{

PERROR ("malloc");

EXIT (-1);

}

MEMSET (TPI, 0, SIZEOF (STRUCT PKTI));

Memcpy (TPI-> Eth_alen);

TPI-> Saddr = GsAddr;

TPI-> Sport = Sport;

TPI-> DPORT = DPORT;

TPI-> timein = GTIMEIN

IF (Flags == TH_SYN)

AddFloodInfo (TPI, Sport);

IF (gsi-> tcpin)

Last-> Next = TPI;

Else

GSI-> TCPIN = TPI;

}

/ ************************************************** ******************** Function: AddFloodInfo

Purpose: add floodinfo information

*********************************************************** ******************* /

Void AddfloodInfo (Pi, Sport)

Struct pktin * pi;

U_SHORT SPORT;

{

Struct floodinfo * fi;

Fi = (struct floodinfo *) Malloc (Struct FloodInfo);

IF (fi == null)

{

"Malloc of FloodInfo";

EXIT (-1);

}

MEMSET (Fi, 0, Sizeof (Struct FloodInfo);

Fi-> Sport = Sport;

FI-> Next = Pi-> Fi;

Pi-> Fi = Fi;

}

/ ************************************************** ********************

Function: RMFLOODInfo

Purpose: Removes FloodInfo Information

*********************************************************** ******************* /

Void RMFLODInfo (Pi, Sport)

Struct pktin * pi;

U_SHORT SPORT;

{

Struct Floodinfo * Fi, * prev = null;

For (fi = pi-> fi; fi; fi = FI-> next)

{

IF (Fi-> Sport == Sport)

Break;

prev = Fi;

}

IF (fi == null)

Return;

IF (prev == null) / * first element * /

Pi-> fi = FI-> next;

Else

Prev-> next = FI-> next;

Free (fi);

}

/ ************************************************** ********************

Function: Do_UDP

PURPOSE: Process this udp packet.

Currently Teardrop and All ITS DeriVitives Put 242 in The IP ID Field.

This Could obviously be change. The truly paranoid mightow to flag all

Fragmented udp packets. The Truly Adventurous Might Enhance To Code To

TRACK FRAGMENTS AND CHECK The for overlaping boundaries.

*********************************************************** ******************* /

Void Do_UDP (EP, PKT)

Struct Ethhdr * EP;

U_CHAR * PKT;

{

Struct udphdr * UHDR;

U_SHORT SPORT, DPORT;

UHDR = (struct udphdr *) pkt;

IF (GID == 242 && gisfrag) / * probable teardrop * /

{

GSI-> Teardrop.saddr = GsAddr;

Memcpy (GSI-> Teardrop.EADDR, EP-> h_source, eth_alent;

GSI-> Teardrop.atktime = gtimein;

}

Sport = NTOHS (UHDR-> SOURCE);

Dport = NTOHS (UHDR-> DEST);

AddUDP (Sport, Dport, EP-> h_source);

}

/ ************************************************** ********************

Function: Addudp

PURPOSE: Add this udp packet to our list.

*********************************************************** ******************* /

Void Add (Sport, Dport, EADDR)

U_SHORT SPORT;

U_SHORT DPORT;

U_CHAR * EADDR;

{

Struct Pktin * Pi, * Last, * TPI;

For (pi = gsi-> udpin; pi; pi = pi-> next)

{

IF (pi-> saddr == gsaddr && pi-> dport == dport)

{

PI-> timein = gtimein;

Return;

}

Last = Pi;

}

/ * Must Be new entry * /

IF ((tpi = (struct pktin *) malloc (Struct Pktin)) == NULL)

{

PERROR ("malloc");

EXIT (-1);

}

MEMSET (TPI, 0, SIZEOF (STRUCT PKTI));

Memcpy (TPI-> Eth_alen);

TPI-> Saddr = GsAddr;

TPI-> Sport = Sport;

TPI-> DPORT = DPORT;

TPI-> timein = GTIMEIN

IF (gsi-> udpin)

Last-> Next = TPI;

Else

GSI-> udpin = TPI;

}

/ ************************************************** ********************

Function: do_icmp

Purpose: Process An ICMP Packet.

We Assume The is no valid reason to receive a fragmented icmp packet.

*********************************************************** ******************* /

Void do_icmp (EP, PKT)

Struct Ethhdr * EP;

U_CHAR * PKT;

{

Struct ICMPHDR * ICMP;

ICMP = (struct icmphdr *) pkt;

IF (gisfrag) / * Probable ICMP Attack (i.e. ping of devath) * / {

GSI-> ICMPFRAG.SADDR = GsAddr;

Memcpy (GSI-> ICMPFRAG.EADDR, EP-> H_Source, Eth_ALEN);

GSI-> ICMPFRAG.ATKTIME = GTIMEIN;

}

IF (ICMP-> Type == ICMP_ECHOREPLY)

GSI-> ICMPCNT ;

Return;

}

/ ************************************************** ********************

Function: Clear_PKT

Purpose: Delete and Free Space for any Old Packets.

*********************************************************** ******************* /

Void Clear_pktin (Si)

Struct scanfo * si;

{

Struct pktin * pi;

Struct Floodinfo * Fi, * TFI;

TIME_T T, T2;

T = TIME ((TIME_T *) 0);

While (Si-> TCPIN)

{

T2 = T - Si-> TCPIN-> TimeIn

IF (t2> gtimer)

{

PI = Si-> TCPIN;

Fi = pi-> fi;

While (Fi)

{

TFI = Fi;

Fi = FI-> next;

Free (TFI);

}

Si-> tcpin = pi-> next;

Free (pi);

}

Else

Break;

}

While (Si-> udpin)

{

T2 = T - Si-> udpin-> timein;

IF (t2> gtimer)

{

PI = Si-> udpin;

Si-> udpin = pi-> next;

Free (pi);

}

Else

Break;

}

}

/ ************************************************** ********************

Function: Print_Info

Purpose: Print Out Any Alerts.

*********************************************************** ******************* /

Void Print_info ()

{

Struct pktin * pi;

Struct addrlist * tcplist = null, * udplist = null, * al;

Struct floodinfo * fi;

Char BUF [1024], * EADDR, ABUF [32];

INT I;

STRCPY (ABUF, AnetAddr (GSI-> AddR);

IF (Greportlevel == Reportall || GreportLevel == Reportdos)

{

IF (GSI-> Teardrop.atkTime)

{

EADDR = Ether_NTOA (GSI-> Teardrop.EADDR);

Sprintf (BUF, "Possible Teardrop Attack from% s (% s) against% s",

Anetaddr (GSI-> Teardrop), EADDR, ABUF; syslog (log_alert, buf);

MEMSET (& GSI-> Teardrop, 0, Sizeof (Struct Atk);

}

IF (gsi-> land.atktime)

{

EADDR = Ether_NTOA (GSI-> Land.EADDR);

Sprintf (BUF, "Possible Land Attack from (% s) against% s",

EADDR, ABUF);

Syslog (log_alert, buf);

MEMSET (& GSI-> LAND, 0, SIZEOF (Struct Atk);

}

IF (GSI-> ICMPFRAG.ATKTIME)

{

EADDR = Ether_NTOA (GSI-> ICMPFRAG.EADDR);

Sprintf (BUF, "ICMP Fragment Detected from% s (% s) against% s",

Anetdr (GSI-> ICMPFRAG), EADDR, ABUF;

Syslog (log_alert, buf);

MEMSET (& GSI-> ICMPFRAG, 0, SIZEOF (Struct Atk);

}

IF (GSI-> ICMPCNT> GICMPLIMIT)

{

Sprintf (BUF, "ICMP Echo Threshold Exceeded, Smurfs Up. I SAW% D Packets / N", GSI-> ICMPCNT);

Syslog (log_alert, buf);

GSI-> ICMPCNT = 0;

}

}

For (pi = gsi-> tcpin; pi; pi = pi-> Next)

{

i = 0;

For (fi = pi-> fi; fi; fi = FI-> next)

i ;

IF (Greportlevel == Reportall || GreportLevel == Reportdos)

{

IF (i> gsynflood)

{

EADDR = Ether_NTOA (PI-> EADDR);

Sprintf (BUF, "Possible Synflood from% s (% s), Against% s. I SAW% D Packets / N",

Anetdr (Pi-> Saddr), EADDR, ABUF, I);

Syslog (log_alert, buf);

}

}

For (al = tcplist; al; al = al-> next)

{

IF (pi-> saddr == al-> saddr)

{

Al-> CNT ;

IF (Pi-> Sport == 80)

Al-> wwwcnt ;

Break;

}

}

IF (al == null) / * new address * /

{

Al = (struct addrlist *) malloc (Struct Addrlist);

IF (al == NULL)

{

PERROR ("Malloc Address List";

EXIT (-1);

}

MEMSET (Al, 0, SIZEOF (STRUCT Addrlist);

Al-> Saddr = pi-> saddr;

Al-> CNT = 1; if (pi-> sport == 80)

Al-> wwwcnt = 1;

Al-> next = tcplist;

Tcplist = al;

}

}

IF (GreportLevel == ReportAll || GreportLevel == Reportscan)

{

For (al = tcplist; al; al = al-> next)

{

IF ((al-> cnt - al-> wwwcnt)> gportlimit || Al-> wwwcnt> gwebcount)

{

Sprintf (BUF, "Possible TCP port scan from% s (% d ports) against% s / n",

Anetdr (al-> saddr), al-> cnt, abuf);

Syslog (log_alert, buf);

}

}

For (pi = gsi-> udpin; pi; pi = pi-> next)

{

For (al = udplist; al; al = al-> Next)

{

IF (pi-> saddr == al-> saddr)

{

Al-> CNT ;

Break;

}

}

IF (al == null) / * new address * /

{

Al = (struct addrlist *) malloc (Struct Addrlist);

IF (al == NULL)

{

PERROR ("Malloc Address List";

EXIT (-1);

}

MEMSET (Al, 0, SIZEOF (STRUCT Addrlist);

Al-> Saddr = pi-> saddr;

Al-> CNT = 1;

Al-> next = udplist;

Udplist = al;

}

}

For (al = udplist; al; al = al-> Next)

{

IF (al-> cnt> gportlimit)

{

Sprintf (BUF, "Possible UDP Port Scan from% s (% D ports) against% s / n",

Anetdr (al-> saddr), al-> cnt, abuf);

Syslog (log_alert, buf);

}

}

}

While (TCPLIST)

{

Al = tcplist-> next;

Free (TCPLIST);

Tcplist = al;

}

While (udplist)

{

Al = udplist-> next;

Free (udplist);

Udplist = al;

}

}

/ ************************************************** **********************

Function: anetaddr

Description:

Another Version of the Intoa Function.

*********************************************************** ********************* /

Char * anetdr (addr)

U_long addr;

{

u_long naddr;

Static char buf [16];

U_CHAR B [4];

INT I;

NADDR = NTOHL (AddR);

For (i = 3; I> = 0; I -)

{

B [i] = (u_char) (NADDR & 0xFF);

NADDR >> = 8;

}

Sprintf (buf, "% d.% d.% d.% d", b [0], b [1], b [2], b [3]);

Return (BUF);

}

/ ************************************************** **********************

Function: InitDevice

Description: SET UP IT.

*********************************************************** *********************** /

InitDevice (fd_flags, dflags)

INT fd_flags;

u_long dflags;

{

Struct ifReq IFR;

INT FD, FLAGS = 0;

IF ((fd = socket (pf_inet, sock_packet, htons (0x0003))) <0)

{

"" canNot Open Device Socket ";

EXIT (-1);

}

/ * Get the existing interface flags * /

STRCPY (ifr.ifr_name, gdevice);

IF (IOCTL (FD, Siocgifflags, & IFR) <0)

{

"Cannot Get Interface Flags";

EXIT (-1);

}

IFR.IFR_FLAGS | = IFF_Promisc;

IF (IOCTL (FD, Siocsifflags, & IFR) <0)

{

PERROR ("Cannot Set Interface Flags);

EXIT (-1);

}

Return (FD);

}

/ ************************************************** **********************

Function: ReadDevice

Description: Read a packet from the device.

*********************************************************** *********************** /

u_char * readdevice (fd, pktlen)

Int fd;

INT * pktlen;

{

INT CC = 0, from_len, readmore = 1;

Struct sockaddr from;

Static u_char pktbuffer [pktlen];

U_CHAR * CP;

While (readmore)

{

From_len = sizeof (from);

IF ((cc = recvfrom (fd, pktbuffer, pktlen, 0, & from, & from_len) <0)

{

IF (Errno! = EWOULDBLOCK)

Return (NULL);

}

IF (strcmp (gdevice, from.sa_data) == 0)

Readmore = 0;

}

* pktlen = cc;

Return (pktbuffer);

}

/ ************************************************** *********************** FUNCTION: Ether_NTOA

Description:

TRANSLATES A MAC Address Into Ascii. This function emulates

The Ether_NTOA FUNCTION That Exists on sun and solris, but not on linux.

IT Could Probably (Almost Certainly) Be More Efficent, But It Will Do.

*********************************************************** ********************** /

Char * Ether_NTOA (EtherAddr)

U_CHAR ETHERADDR [Eth_alent];

{

INT I, J;

Static Char Eout [32];

Char TBUF [10];

For (i = 0, j = 0; i <5; i )

{

Eout [J ] = EtherAddr [I] >> 4;

Eout [J ] = EtherAddr [i] & 0xF;

Eout [J ] = ':';

}

Eout [J ] = EtherAddr [I] >> 4;

Eout [J ] = EtherAddr [i] & 0xF;

Eout [J ] = '/ 0';

For (i = 0; i <17; i )

{

IF (Eout [I] <10)

Eout [i] = 0x30;

ELSE IF (Eout [i] <16)

Eout [i] = 0x57;

}

Return (Eout);

}

/ * At least to join a header file of Linux / Sockios.h - in my linux box, I

It also changed Netinet / TCP.H, it would be willing to run ... :( ******************* /

转载请注明原文地址:https://www.9cbs.com/read-124656.html

New Post(0)