} return(1);}###sub find_top{ my $suspectdb = shift; my $tops = shift; $suspectdb->climb( sub { my $node = $_[0]; my $top_flows = 0; my $top_pkts = 0; my $top_bytes = 0; my $ip = inet_ntoa(pack("N", $node->{addr})); print("Checking: $ip\n") if ($opt_x); # # Gather the stats # my $count = $node->{remote}->climb(sub { $top_flows += $_[0]->{flows}; $top_pkts += $_[0]->{pkts}; $top_bytes += $_[0]->{bytes}; return(1); }); # # Save the host's info # push(@$tops, [$ip, $count, $top_flows, $top_pkts, $top_bytes]); # # Done # return(1); } );}###sub print_top{ my $suspectdb = shift; my $ip_sort_sub = shift; my $port_sort_sub = shift; my $ntop = shift; my $tops = shift; my $all_top_flows = 0; my $all_top_pkts = 0; my $all_top_bytes = 0; my $top; print("print_top()\n") if ($opt_x); # # # foreach $top (sort($ip_sort_sub @$tops)) { my ($ip, $count, $top_flows, $top_pkts, $top_bytes) = @{$top}; my $node = $suspectdb->match_exact_string($ip); my $all_flows_ratio; my $all_pkts_ratio; my $all_bytes_ratio; # # sanity check # die("$ip was not found in the suspectdb!") if (!defined($node)); # # Header information # print("Scanner: $ip"); if (!$opt_n) { my $hostname = gethostbyaddr(pack("N", $node->{addr}), AF_INET); if (defined($hostname)) { print(" ($hostname)"); } else { print(" ($ip)"); } } print("\t$count hosts touched\n"); # # Times # my ($sec, $min, $hour, $mday, $mon, $year, $wday, $yday, $isdst); ($sec, $min, $hour, $mday, $mon, $year, $wday, $yday, $isdst) = localtime($node->{startime}); $year += 1900; $mon++; printf("\t%04d/%02d/%02d %02d:%02d:%02d ->", $year, $mon, $mday, $hour, $min, $sec); ($sec, $min, $hour, $mday, $mon, $year, $wday, $yday, $isdst) = localtime($node->{endtime}); $year += 1900; $mon++; printf("%04d/%02d/%02d %02d:%02d:%02d\n", $year, $mon, $mday, $hour, $min, $sec); # # Flow counts # $all_flows_ratio = ($top_flows / $all_flows) * 100.0; printf("\tFLOWS: %21d (%6.2f%%)\n", $top_flows, $all_flows_ratio); # # Packet counts # $all_pkts_ratio = ($top_pkts / 
$all_pkts) * 100.0; printf("\tPKTS: %21d (%6.2f%%)\n", $top_pkts, $all_pkts_ratio); # # Byte counts # $all_bytes_ratio = ($top_bytes / $all_bytes) * 100.0; printf("\tBYTES: %21d (%6.2f%%)\n", $top_bytes, $all_bytes_ratio); # # sort and show all protocol/port pairs # my @pps; my $pp; my $nports; # # # if ($opt_d > 0) { @pps = (); foreach $pp (keys(%{$node->{dstprotocolport}})) { my ($protocol, $port) = split(/-/, $pp); push(@pps, { flows => $node->{dstprotocolport}->{$pp}->{flows}, pkts => $node->{dstprotocolport}->{$pp}->{pkts}, bytes => $node->{dstprotocolport}->{$pp}->{bytes}, protocol => $protocol, port => $port }); } print("\n\tAll Destination Ports:\n"); print(" PROTO/PORT\t FLOWS\t PKTS\t BYTES\n"); $nports = $opt_d; foreach $pp (sort($port_sort_sub @pps)) { # fill the protocol cache my $protocol = $protocol_cache{$pp->{protocol}}; if (! defined($protocol)) { $protocol = getprotobynumber($pp->{protocol}); $protocol = $pp->{protocol} if (! defined($protocol)); $protocol_cache{$pp->{protocol}} = $protocol; } # fill the service cache if ($pp->{protocol} == 1) { my $ICMPType = ($pp->{port} >> 8) & 0xff; my $ICMPCode = $pp->{port} & 0xff; printf("%14s%7s/%-6s\t%10d\t%10d\t%10d\n", $ICMPType, $ICMPCode, $protocol, $pp->{flows}, $pp->{pkts}, $pp->{bytes}); } else { my $service = $service_cache{$pp->{port}."/".$pp->{protocol}}; if (! defined($service)) { $service = getservbyport($pp->{port}, $protocol); $service = "" if (! 
defined($service)); $service_cache{$pp->{port}."/".$pp->{protocol}} = $service; } printf("%14s%7s/%-6s\t%10d\t%10d\t%10d\n", $service, "(".$pp->{port}.")", $protocol, $pp->{flows}, $pp->{pkts}, $pp->{bytes}); } last if (--$nports == 0); } } # # # if ($opt_s > 0) { @pps = (); foreach $pp (keys(%{$node->{srcprotocolport}})) { my ($protocol, $port) = split(/-/, $pp); push(@pps, { flows => $node->{srcprotocolport}->{$pp}->{flows}, pkts => $node->{srcprotocolport}->{$pp}->{pkts}, bytes => $node->{srcprotocolport}->{$pp}->{bytes}, protocol => $protocol, port => $port }); } print("\n\tAll Source Ports:\n"); print(" PROTO/PORT\t FLOWS\t PKTS\t BYTES\n"); $nports = $opt_s; foreach $pp (sort($port_sort_sub @pps)) { # fill the protocol cache my $protocol = $protocol_cache{$pp->{protocol}}; if (! defined($protocol)) { $protocol = getprotobynumber($pp->{protocol}); $protocol = $pp->{protocol} if (! defined($protocol)); $protocol_cache{$pp->{protocol}} = $protocol; } # fill the service cache if ($pp->{protocol} == 1) { my $ICMPType = ($pp->{port} >> 8) & 0xff; my $ICMPCode = $pp->{port} & 0xff; printf("%14s%7s/%-6s\t%10d\t%10d\t%10d\n", $ICMPType, $ICMPCode, $protocol, $pp->{flows}, $pp->{pkts}, $pp->{bytes}); } else { my $service = $service_cache{$pp->{port}."/".$pp->{protocol}}; if (! defined($service)) { $service = getservbyport($pp->{port}, $protocol); $service = "" if (! 
defined($service)); $service_cache{$pp->{port}."/".$pp->{protocol}} = $service; } printf("%14s%7s/%-6s\t%10d\t%10d\t%10d\n", $service, "(".$pp->{port}.")", $protocol, $pp->{flows}, $pp->{pkts}, $pp->{bytes}); } last if (--$nports == 0); } } # # Save top counts # $all_top_flows += $top_flows; $all_top_pkts += $top_pkts; $all_top_bytes += $top_bytes; print("\n"); # # # $ntop--; last if ($ntop == 0); } # # # if ($all_top_flows > 0) { my $all_flows_ratio = ($all_top_flows / $all_flows) * 100.0; my $all_pkts_ratio = ($all_top_pkts / $all_pkts) * 100.0; my $all_bytes_ratio = ($all_top_bytes / $all_bytes) * 100.0; $all_top_bytes /= 1024 * 1024; my $tmp = $all_bytes / (1024 * 1024); print("Top: $all_top_flows flows\t$all_top_pkts pkts\t$all_top_bytes MB\n"); print("All: $all_flows flows\t$all_pkts pkts\t$tmp MB\n\n"); printf("Top FLOWS: %15d (%6.2f%%)\n", $all_top_flows, $all_flows_ratio); printf("Top PKTS: %15d (%6.2f%%)\n", $all_top_pkts, $all_pkts_ratio); printf("Top BYTES: %12.2f MB (%6.2f%%)\n\n", $all_top_bytes, $all_bytes_ratio); }}## ip_by_count#sub ip_by_count{ my ($aip, $acount, $atop_flows, $atop_pkts, $atop_bytes) = @{$a}; my ($bip, $bcount, $btop_flows, $btop_pkts, $btop_bytes) = @{$b}; print("$aip, $acount <=> $bip, $bcount\n") if ($opt_x); return($bcount <=> $acount);}## ip_by_flows#sub ip_by_flows{ my ($aip, $acount, $atop_flows, $atop_pkts, $atop_bytes) = @{$a}; my ($bip, $bcount, $btop_flows, $btop_pkts, $btop_bytes) = @{$b}; print("$aip, $atop_flows <=> $bip, $btop_flows\n") if ($opt_x); return($btop_flows <=> $atop_flows);}## ip_by_pkts#sub ip_by_pkts{ my ($aip, $acount, $atop_flows, $atop_pkts, $atop_bytes) = @{$a}; my ($bip, $bcount, $btop_flows, $btop_pkts, $btop_bytes) = @{$b}; print("$aip, $atop_pkts <=> $bip, $atop_pkts\n") if ($opt_x); return($btop_pkts <=> $atop_pkts);}## ip_by_bytes#sub ip_by_bytes{ my ($aip, $acount, $atop_flows, $atop_pkts, $atop_bytes) = @{$a}; my ($bip, $bcount, $btop_flows, $btop_pkts, $btop_bytes) = @{$b}; print("$aip, 
$atop_bytes <=> $bip, $atop_bytes\n") if ($opt_x); return($btop_bytes <=> $atop_bytes);}## port_by_flows#sub port_by_flows{ return($b->{flows} <=> $a->{flows});}## port_by_pkts#sub port_by_pkts{ return($b->{pkts} <=> $a->{pkts});}## port_by_bytes#sub port_by_bytes{ return($b->{bytes} <=> $a->{bytes});}###sub TCP{ return(1) if ($protocol == 6); return(0);}###sub UDP{ return(1) if ($protocol == 17); return(0);}###sub ICMP{ return(1) if ($protocol == 1); return(0);}###sub kazaa{ return(0) if ($protocol != 6); return(1) if (($srcport == 1214) || ($dstport == 1214)); return(0);}###sub gnutella{ return(0) if ($protocol != 6); return(1) if (($srcport == 6346) || ($dstport == 6346)); return(1) if (($srcport == 6347) && ($dstport == 6347)); return(0);}###sub hotline{ return(0) if ($protocol != 6); return(1) if (($dstport == 5501) || ($dstport == 5502)); return(0);}###sub ntp{ return(1) if (($protocol == 6) && ($dstport == 123)); return(1) if (($protocol == 17) && ($dstport == 123)); return(0);}###sub ftp{ return(1) if (($protocol == 6) && ($dstport == 21)); return(1) if (($protocol == 6) && ($srcport == 20)); return(0);}###sub http{ return(1) if (($protocol == 6) && ($dstport == 80)); return(0);}###sub irc{ return(0) if ($protocol != 6); return(1) if (($srcport == 6666) || ($dstport == 6666)); return(1) if (($srcport == 6667) || ($dstport == 6667)); return(0);}###sub dns{ return(1) if (($protocol == 6) && ($dstport == 53)); return(1) if (($protocol == 17) && ($dstport == 53)); return(0);}###sub usage{ my $progname = shift; print(STDERR "usage: $progname [-h] [-x] [-n] [-S]|[-D] [-c]|[-f]|[-p]|[-b] [-i] [-o] [-s N] [-d N] [flow_file [...]]\n"); print(STDERR "\n"); print(STDERR " -h\thelp\n"); print(STDERR " -x\tdebug\n"); print(STDERR "\n"); print(STDERR " -n\tno name lookups\n"); print(STDERR "\n"); print(STDERR " -S\tanalyze source machines\n"); print(STDERR " -D\tanalyze destination machines\n"); print(STDERR "\n"); print(STDERR " -c N\tsort by number of hosts contacted 
(default)\n"); print(STDERR " -f N\tsort by number of flows\n"); print(STDERR " -p N\tsort by number of packets\n"); print(STDERR " -b N\tsort by number of bytes\n"); print(STDERR "\n"); print(STDERR " N is the number of hosts to show (default is 10)\n"); print(STDERR "\n"); print(STDERR " -i\tanalyze inbound traffic (default)\n"); print(STDERR " -o\tanalyze outbound traffic\n"); print(STDERR "\n"); print(STDERR " -s N\tshow top N source ports\n"); print(STDERR " -d N\tshow top N destination ports (default with N = 10)\n"); print(STDERR "\n"); print(STDERR " -F 'filter'\tonly analyze the flows for which filter returns true\n"); exit($opt_h ? 0 : 2);}