Compare commits
5 Commits
Author | SHA1 | Date |
---|---|---|
Gerard Wagener | 16d5435b99 | |
Gerard Wagener | acce48baee | |
Gerard Wagener | 38036c3f47 | |
Gerard Wagener | 347d6e4d71 | |
Gerard Wagener | cb4ca4a778 |
|
@ -1,4 +1,4 @@
|
||||||
all: pibs pibs-stat pibs-BGP-Ranking
|
all: pibs pibs-stat pibs-BGP-Ranking pibs-isn
|
||||||
|
|
||||||
pibs-stat: pibs-stat.o libpibs.o memutils.o synseen.o
|
pibs-stat: pibs-stat.o libpibs.o memutils.o synseen.o
|
||||||
gcc -Wall -o pibs-stat pibs-stat.o libpibs.o memutils.o synseen.o -lwiretap `pkg-config --libs glib-2.0` -lpcap -lhiredis -ggdb
|
gcc -Wall -o pibs-stat pibs-stat.o libpibs.o memutils.o synseen.o -lwiretap `pkg-config --libs glib-2.0` -lpcap -lhiredis -ggdb
|
||||||
|
@ -7,6 +7,12 @@ pibs-stat: pibs-stat.o libpibs.o memutils.o synseen.o
|
||||||
pibs-stat.o: pibs-stat.c
|
pibs-stat.o: pibs-stat.c
|
||||||
gcc -D HASHDEBUG=0 -Wall -c pibs-stat.c `pkg-config --cflags glib-2.0` -I /usr/include/wireshark/wiretap -I /usr/include/wireshark/wsutil -I /usr/include/wireshark `pkg-config --libs glib-2.0` -I /usr/local/include/hiredis -ggdb
|
gcc -D HASHDEBUG=0 -Wall -c pibs-stat.c `pkg-config --cflags glib-2.0` -I /usr/include/wireshark/wiretap -I /usr/include/wireshark/wsutil -I /usr/include/wireshark `pkg-config --libs glib-2.0` -I /usr/local/include/hiredis -ggdb
|
||||||
|
|
||||||
|
pibs-isn: pibs-isn.o libpibs.o memutils.o synseen.o
|
||||||
|
gcc -Wall -o pibs-isn pibs-isn.o libpibs.o memutils.o synseen.o -lwiretap `pkg-config --libs glib-2.0` -lpcap -lhiredis -ggdb
|
||||||
|
|
||||||
|
pibs-stat.o: pibs-isn.c
|
||||||
|
gcc -D HASHDEBUG=0 -Wall -c pibs-isn.c `pkg-config --cflags glib-2.0` -I /usr/include/wireshark/wiretap -I /usr/include/wireshark/wsutil -I /usr/include/wireshark `pkg-config --libs glib-2.0` -I /usr/local/include/hiredis -ggdb
|
||||||
|
|
||||||
pibs-BGP-Ranking: pibs pibs-BGP-Ranking.o libpibs.o memutils.o synseen.o
|
pibs-BGP-Ranking: pibs pibs-BGP-Ranking.o libpibs.o memutils.o synseen.o
|
||||||
gcc -Wall -o pibs-BGP-Ranking pibs-BGP-Ranking.o libpibs.o memutils.o synseen.o -lwiretap `pkg-config --libs glib-2.0` -lpcap -lhiredis -ggdb
|
gcc -Wall -o pibs-BGP-Ranking pibs-BGP-Ranking.o libpibs.o memutils.o synseen.o -lwiretap `pkg-config --libs glib-2.0` -lpcap -lhiredis -ggdb
|
||||||
|
|
||||||
|
|
|
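Review bot: The new object rule `pibs-stat.o: pibs-isn.c` reuses the `pibs-stat.o` target name, so the Makefile now has two recipes for `pibs-stat.o` and none for `pibs-isn.o`. GNU make will warn and keep the later recipe, which compiles pibs-isn.c, so `pibs-stat.o` is no longer built from pibs-stat.c. `pibs-isn.o` then falls back to the implicit rule, without the glib, wireshark and hiredis include flags. The target should read `pibs-isn.o: pibs-isn.c`. Separately, the `-c` line carries `pkg-config --libs glib-2.0` although nothing is linked at that step; this is copied from the existing pibs-stat.o rule.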
@ -0,0 +1,76 @@
|
||||||
|
/*
|
||||||
|
* pibs - Create lists of isn having the same value than ip address
|
||||||
|
*
|
||||||
|
* Copyright (C) 2020 Gerard Wagener
|
||||||
|
* Copyright (C) 2020 CIRCL Computer Incident Response Center Luxembourg
|
||||||
|
* (SMILE gie).
|
||||||
|
*
|
||||||
|
* This program is free software: you can redistribute it and/or modify
|
||||||
|
* it under the terms of the GNU Affero General Public License as published by
|
||||||
|
* the Free Software Foundation, either version 3 of the License, or
|
||||||
|
* (at your option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
* GNU Affero General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU Affero General Public License
|
||||||
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*/
|
||||||
|
#include <stdio.h>
|
||||||
|
#define __USE_XOPEN
|
||||||
|
#include <time.h>
|
||||||
|
#include "pibs.h"
|
||||||
|
|
||||||
|
void usage(void)
|
||||||
|
{
|
||||||
|
printf("Create lists of targets under SYN floods for BGP Ranking\n");
|
||||||
|
printf("\n");
|
||||||
|
printf("OPTIONS\n");
|
||||||
|
printf(" -h Shows this screen\n");
|
||||||
|
printf(" -r inputfile\n");
|
||||||
|
printf(" Read pcap file from inputfile\n");
|
||||||
|
printf("\n");
|
||||||
|
printf("DIRECTORY STRUCTURE\n");
|
||||||
|
printf("<directory>/port/year/month/year-month-day.txt\n");
|
||||||
|
}
|
||||||
|
|
||||||
|
void process(pibs_t* pibs, wtap *wth, uint8_t* eth,
|
||||||
|
struct ip* ipv4, struct tcphdr* tcp)
|
||||||
|
{
|
||||||
|
if (ipv4->ip_dst.s_addr == tcp->seq) {
|
||||||
|
printf("%x\n",ntohl(tcp->seq));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
int main(int argc, char* argv[])
|
||||||
|
{
|
||||||
|
pibs_t* pibs;
|
||||||
|
int opt;
|
||||||
|
pibs = init();
|
||||||
|
|
||||||
|
while ((opt = getopt(argc, argv, "hr:d:")) != -1) {
|
||||||
|
printf("%d\n", opt);
|
||||||
|
switch (opt) {
|
||||||
|
case 'h':
|
||||||
|
usage();
|
||||||
|
break;
|
||||||
|
case 'r':
|
||||||
|
strncpy(pibs->filename, optarg, FILENAME_MAX);
|
||||||
|
pibs->filename[FILENAME_MAX-1] = '\0';
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
//Bypass synseen logic to get all TCP packets
|
||||||
|
pibs->bypass = 1;
|
||||||
|
//Set call back function
|
||||||
|
pibs->synseen_callback = &process;
|
||||||
|
|
||||||
|
if (pibs->filename[0]) {
|
||||||
|
process_file(pibs);
|
||||||
|
}
|
||||||
|
|
||||||
|
return EXIT_SUCCESS;
|
||||||
|
}
|
|
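Review bot: `printf("%d\n", opt);` inside the getopt loop in main() writes each option code to stdout, the same stream process() uses for the matched sequence numbers, so any consumer of the output gets stray decimal lines mixed into the hex list; drop the line or send it to stderr. The option string `"hr:d:"` accepts `-d` but the switch has no case for it and no `default`, and `-h` prints usage without exiting. The result of `init()` is dereferenced unchecked; if it can fail, `if (pibs == NULL) return EXIT_FAILURE;` before the loop would cover that. The usage() text and its DIRECTORY STRUCTURE line still describe the BGP Ranking tool rather than the ISN comparison named in the file header. Because bypass hands every TCP frame to process(), the comparison also runs on non-SYN segments whose sequence number is not an ISN; if only ISNs are meant, `if ((tcp->th_flags & TH_SYN) && ipv4->ip_dst.s_addr == tcp->seq)` would restrict it.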
@ -112,6 +112,7 @@ typedef struct pibs_s {
|
||||||
pcap_t* outcap;
|
pcap_t* outcap;
|
||||||
uint32_t redisdb;
|
uint32_t redisdb;
|
||||||
void* synseen_callback;
|
void* synseen_callback;
|
||||||
|
int bypass;
|
||||||
} pibs_t;
|
} pibs_t;
|
||||||
|
|
||||||
int load_shmid_file(pibs_t* pibs);
|
int load_shmid_file(pibs_t* pibs);
|
||||||
|
|
|
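Review bot: The new `int bypass;` member has no comment, and its meaning can only be recovered by reading synseen_process_frame. I would add one on the field, for example `int bypass; /* non-zero: skip SYN tracking and backscatter handling, pass every TCP frame to synseen_callback */`. The struct definition starts outside this hunk, so whether the neighbouring members are documented cannot be seen from here.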
@ -145,35 +145,37 @@ void synseen_process_frame(pibs_t *pibs, wtap *wth, uint8_t* eth,
|
||||||
uint32_t ip;
|
uint32_t ip;
|
||||||
struct pcap_pkthdr pchdr;
|
struct pcap_pkthdr pchdr;
|
||||||
memcpy(&ip, &ipv4->ip_src, 4);
|
memcpy(&ip, &ipv4->ip_src, 4);
|
||||||
// Record only source ips where syn flag is set
|
if (!pibs->bypass) {
|
||||||
// TODO check other connection establishment alternatives
|
// Record only source ips where syn flag is set
|
||||||
if (tcp->th_flags == 2 ){
|
// TODO check other connection establishment alternatives
|
||||||
insert_ip(pibs, ip, wth->rec.ts.secs);
|
if (tcp->th_flags == 2 ){
|
||||||
return;
|
insert_ip(pibs, ip, wth->rec.ts.secs);
|
||||||
}
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
lastseen = get_last_timestamp(pibs, ip);
|
lastseen = get_last_timestamp(pibs, ip);
|
||||||
|
|
||||||
if (lastseen > 0){
|
if (lastseen > 0){
|
||||||
HDBG("IP %x %s was already seen before at %ld. Time difference %ld.\n"
|
HDBG("IP %x %s was already seen before at %ld. Time difference %ld.\n"
|
||||||
, ip, inet_ntoa(ipv4->ip_src), lastseen, wth->rec.ts.secs-lastseen);
|
, ip, inet_ntoa(ipv4->ip_src), lastseen, wth->rec.ts.secs-lastseen);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
// TODO keep these IPs in a hashtable and rank them
|
// TODO keep these IPs in a hashtable and rank them
|
||||||
if (pibs->show_backscatter) {
|
if (pibs->show_backscatter) {
|
||||||
printf("%ld,%s,%d,%d\n",
|
printf("%ld,%s,%d,%d\n",
|
||||||
wth->rec.ts.secs, inet_ntoa(ipv4->ip_src), tcp->th_flags,
|
wth->rec.ts.secs, inet_ntoa(ipv4->ip_src), tcp->th_flags,
|
||||||
ntohs(tcp->th_sport));
|
ntohs(tcp->th_sport));
|
||||||
}
|
}
|
||||||
//TODO relative time
|
//TODO relative time
|
||||||
//Purge old ips?
|
//Purge old ips?
|
||||||
if (pibs->should_writepcap) {
|
if (pibs->should_writepcap) {
|
||||||
pchdr.ts.tv_sec = wth->rec.ts.secs;
|
pchdr.ts.tv_sec = wth->rec.ts.secs;
|
||||||
//TODO other part of the timestamp
|
//TODO other part of the timestamp
|
||||||
pchdr.ts.tv_usec = wth->rec.ts.nsecs / 1000;
|
pchdr.ts.tv_usec = wth->rec.ts.nsecs / 1000;
|
||||||
pchdr.caplen = wth->rec.rec_header.packet_header.caplen;
|
pchdr.caplen = wth->rec.rec_header.packet_header.caplen;
|
||||||
pchdr.len = wth->rec.rec_header.packet_header.len;
|
pchdr.len = wth->rec.rec_header.packet_header.len;
|
||||||
pcap_dump((u_char*)pibs->dumper, &pchdr, eth);
|
pcap_dump((u_char*)pibs->dumper, &pchdr, eth);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
if (pibs->synseen_callback) {
|
if (pibs->synseen_callback) {
|
||||||
synseen_callback = pibs->synseen_callback;
|
synseen_callback = pibs->synseen_callback;
|
||||||
|
|
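Review bot: The `if (!pibs->bypass) {` block closes only after the `should_writepcap` branch, so with bypass set the `show_backscatter` print and the `pcap_dump` call are skipped along with the SYN filter. A caller that sets bypass together with those options gets no output and no warning. If that is intended, say so above the block, e.g. `/* bypass: no SYN tracking, no backscatter print, no pcap write; frame goes straight to the callback */`. Also note that without bypass a SYN frame returns before the callback, so the callback sees a different set of frames in each mode. synseen_process_frame starts before and continues after this hunk.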