Compare commits

...

5 Commits
v0.2 ... master

Author SHA1 Message Date
Gerard Wagener 16d5435b99 chg: [pibs-isn] apply isn matching rule on all packets 2020-02-19 17:20:45 +01:00
Gerard Wagener acce48baee chg: [pibs] bypass flag for the synseen logic 2020-02-19 17:18:35 +01:00
Gerard Wagener 38036c3f47 chg: [pibs] added option to bypass synseen logic 2020-02-19 17:18:06 +01:00
Gerard Wagener 347d6e4d71 chg: [pibs-isn] updated Makefile 2020-02-19 17:16:04 +01:00
Gerard Wagener cb4ca4a778 add: [pibs-isn] identify packets that have destination ip set to tcp sequence number 2020-02-19 16:44:48 +01:00
4 changed files with 113 additions and 28 deletions

View File

@ -1,4 +1,4 @@
all: pibs pibs-stat pibs-BGP-Ranking all: pibs pibs-stat pibs-BGP-Ranking pibs-isn
pibs-stat: pibs-stat.o libpibs.o memutils.o synseen.o pibs-stat: pibs-stat.o libpibs.o memutils.o synseen.o
gcc -Wall -o pibs-stat pibs-stat.o libpibs.o memutils.o synseen.o -lwiretap `pkg-config --libs glib-2.0` -lpcap -lhiredis -ggdb gcc -Wall -o pibs-stat pibs-stat.o libpibs.o memutils.o synseen.o -lwiretap `pkg-config --libs glib-2.0` -lpcap -lhiredis -ggdb
@ -7,6 +7,12 @@ pibs-stat: pibs-stat.o libpibs.o memutils.o synseen.o
pibs-stat.o: pibs-stat.c pibs-stat.o: pibs-stat.c
gcc -D HASHDEBUG=0 -Wall -c pibs-stat.c `pkg-config --cflags glib-2.0` -I /usr/include/wireshark/wiretap -I /usr/include/wireshark/wsutil -I /usr/include/wireshark `pkg-config --libs glib-2.0` -I /usr/local/include/hiredis -ggdb gcc -D HASHDEBUG=0 -Wall -c pibs-stat.c `pkg-config --cflags glib-2.0` -I /usr/include/wireshark/wiretap -I /usr/include/wireshark/wsutil -I /usr/include/wireshark `pkg-config --libs glib-2.0` -I /usr/local/include/hiredis -ggdb
pibs-isn: pibs-isn.o libpibs.o memutils.o synseen.o
gcc -Wall -o pibs-isn pibs-isn.o libpibs.o memutils.o synseen.o -lwiretap `pkg-config --libs glib-2.0` -lpcap -lhiredis -ggdb
pibs-stat.o: pibs-isn.c
gcc -D HASHDEBUG=0 -Wall -c pibs-isn.c `pkg-config --cflags glib-2.0` -I /usr/include/wireshark/wiretap -I /usr/include/wireshark/wsutil -I /usr/include/wireshark `pkg-config --libs glib-2.0` -I /usr/local/include/hiredis -ggdb
pibs-BGP-Ranking: pibs pibs-BGP-Ranking.o libpibs.o memutils.o synseen.o pibs-BGP-Ranking: pibs pibs-BGP-Ranking.o libpibs.o memutils.o synseen.o
gcc -Wall -o pibs-BGP-Ranking pibs-BGP-Ranking.o libpibs.o memutils.o synseen.o -lwiretap `pkg-config --libs glib-2.0` -lpcap -lhiredis -ggdb gcc -Wall -o pibs-BGP-Ranking pibs-BGP-Ranking.o libpibs.o memutils.o synseen.o -lwiretap `pkg-config --libs glib-2.0` -lpcap -lhiredis -ggdb

76
bin/pibs-isn.c Normal file
View File

@ -0,0 +1,76 @@
/*
* pibs - Create lists of isn having the same value than ip address
*
* Copyright (C) 2020 Gerard Wagener
* Copyright (C) 2020 CIRCL Computer Incident Response Center Luxembourg
* (SMILE gie).
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include <stdio.h>
#define __USE_XOPEN
#include <time.h>
#include "pibs.h"
void usage(void)
{
printf("Create lists of targets under SYN floods for BGP Ranking\n");
printf("\n");
printf("OPTIONS\n");
printf(" -h Shows this screen\n");
printf(" -r inputfile\n");
printf(" Read pcap file from inputfile\n");
printf("\n");
printf("DIRECTORY STRUCTURE\n");
printf("<directory>/port/year/month/year-month-day.txt\n");
}
void process(pibs_t* pibs, wtap *wth, uint8_t* eth,
struct ip* ipv4, struct tcphdr* tcp)
{
if (ipv4->ip_dst.s_addr == tcp->seq) {
printf("%x\n",ntohl(tcp->seq));
}
}
int main(int argc, char* argv[])
{
pibs_t* pibs;
int opt;
pibs = init();
while ((opt = getopt(argc, argv, "hr:d:")) != -1) {
printf("%d\n", opt);
switch (opt) {
case 'h':
usage();
break;
case 'r':
strncpy(pibs->filename, optarg, FILENAME_MAX);
pibs->filename[FILENAME_MAX-1] = '\0';
break;
}
}
//Bypass synseen logic to get all TCP packets
pibs->bypass = 1;
//Set call back function
pibs->synseen_callback = &process;
if (pibs->filename[0]) {
process_file(pibs);
}
return EXIT_SUCCESS;
}

View File

@ -112,6 +112,7 @@ typedef struct pibs_s {
pcap_t* outcap; pcap_t* outcap;
uint32_t redisdb; uint32_t redisdb;
void* synseen_callback; void* synseen_callback;
int bypass;
} pibs_t; } pibs_t;
int load_shmid_file(pibs_t* pibs); int load_shmid_file(pibs_t* pibs);

View File

@ -145,35 +145,37 @@ void synseen_process_frame(pibs_t *pibs, wtap *wth, uint8_t* eth,
uint32_t ip; uint32_t ip;
struct pcap_pkthdr pchdr; struct pcap_pkthdr pchdr;
memcpy(&ip, &ipv4->ip_src, 4); memcpy(&ip, &ipv4->ip_src, 4);
// Record only source ips where syn flag is set if (!pibs->bypass) {
// TODO check other connection establishment alternatives // Record only source ips where syn flag is set
if (tcp->th_flags == 2 ){ // TODO check other connection establishment alternatives
insert_ip(pibs, ip, wth->rec.ts.secs); if (tcp->th_flags == 2 ){
return; insert_ip(pibs, ip, wth->rec.ts.secs);
} return;
}
lastseen = get_last_timestamp(pibs, ip); lastseen = get_last_timestamp(pibs, ip);
if (lastseen > 0){ if (lastseen > 0){
HDBG("IP %x %s was already seen before at %ld. Time difference %ld.\n" HDBG("IP %x %s was already seen before at %ld. Time difference %ld.\n"
, ip, inet_ntoa(ipv4->ip_src), lastseen, wth->rec.ts.secs-lastseen); , ip, inet_ntoa(ipv4->ip_src), lastseen, wth->rec.ts.secs-lastseen);
return; return;
} }
// TODO keep these IPs in a hashtable and rank them // TODO keep these IPs in a hashtable and rank them
if (pibs->show_backscatter) { if (pibs->show_backscatter) {
printf("%ld,%s,%d,%d\n", printf("%ld,%s,%d,%d\n",
wth->rec.ts.secs, inet_ntoa(ipv4->ip_src), tcp->th_flags, wth->rec.ts.secs, inet_ntoa(ipv4->ip_src), tcp->th_flags,
ntohs(tcp->th_sport)); ntohs(tcp->th_sport));
} }
//TODO relative time //TODO relative time
//Purge old ips? //Purge old ips?
if (pibs->should_writepcap) { if (pibs->should_writepcap) {
pchdr.ts.tv_sec = wth->rec.ts.secs; pchdr.ts.tv_sec = wth->rec.ts.secs;
//TODO other part of the timestamp //TODO other part of the timestamp
pchdr.ts.tv_usec = wth->rec.ts.nsecs / 1000; pchdr.ts.tv_usec = wth->rec.ts.nsecs / 1000;
pchdr.caplen = wth->rec.rec_header.packet_header.caplen; pchdr.caplen = wth->rec.rec_header.packet_header.caplen;
pchdr.len = wth->rec.rec_header.packet_header.len; pchdr.len = wth->rec.rec_header.packet_header.len;
pcap_dump((u_char*)pibs->dumper, &pchdr, eth); pcap_dump((u_char*)pibs->dumper, &pchdr, eth);
}
} }
if (pibs->synseen_callback) { if (pibs->synseen_callback) {
synseen_callback = pibs->synseen_callback; synseen_callback = pibs->synseen_callback;