
📄 tcpbroadcast.java

📁 基于人工免疫原理的入侵检测系统框架
💻 JAVA
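/*=================
 * Copyright (C) 2001  Hajime Inoue
 *
 * Lisys is a program that monitors TCP SYN packets to detect network
 * traffic anomalies.
 *
 * Licensed under the GNU General Public License (GPL), version 2 or
 * higher.  Please see the COPYING and PATENT files included with the
 * Lisys distribution, which can be found at:
 *
 *   http://www.cs.unm.edu/~judd/lisys/
 *
 * Also, the current text of the GPL can be found at:
 *
 *   http://www.gnu.org/copyleft/gpl.html
 *
 * Note that Lisys has NO WARRANTY!
 *=================*/
package edu.unm.cs.lisys.detection.broadcast;

import edu.unm.cs.lisys.debug.*;
import edu.unm.cs.lisys.net.*;

import java.util.*;
import java.io.*;
import java.net.*;

/*==========
 * TCPBroadcast.java
 *   Broadcasts SYN packet info to nodes listed in detection.nodes.
 *   It will send after it receives maxbips packets and at least 3000
 *   ms have elapsed since the last send.
 *
 * Usage:
 *   Pipe output of tcpdump to TCPBroadcast
 *   Use the following tcpdump flags: -nl -p -tt
 * Suggested tcpdump filter rules:
 *   (tcp[13] & 2 != 0) and not (src port 80) and not (dst port 80)
 *   and not ((src net 64.106.21) and (src port 9090)) and not
 *   ((dst net 64.106.21) and (dst port 9090))
 *
 *   One TCPBroadcast should be run on each machine in the network.
 *
 * Review notes (operational / security):
 *   - Records are written to the detection nodes over a plain
 *     java.net.Socket; this class adds no encryption and no sender
 *     authentication. What the receiving node verifies is not visible
 *     in this file, so treat the detection port as reachable only
 *     from trusted sensors (firewalling / segmentation) until that is
 *     confirmed.
 *   - Every line read from stdin is appended to the tcpdump log and
 *     forwarded verbatim; the only filter is the address comparison in
 *     isValidPacket. Line length is not bounded.
 *   - The properties file is merged into the JVM system properties, so
 *     it must be writable only by the operator of this sensor.
 *   - The whole pipeline is single-threaded: while a broadcast is in
 *     progress no input is read from the tcpdump pipe.
 *
 * Here are the people who have worked on this code in the order they
 * have worked on it:
 *   @author Hajime Inoue <hinoue@cs.unm.edu>
 *   @author Dennis Chao <dlchao@cs.unm.edu>
 *   @author Justin Balthrop <judd@cs.unm.edu>
 *==========*/
public class TCPBroadcast
{
    private PrintWriter tcpout;    // tcpdump log file (null if it could not be opened)
    private Properties properties;

    private static final String detectionNodesKey = "detection.nodes";
    private static final String tcpdumpLogFileKey = "tcpdump.log.file";
    private static final String maxClientsKey = "clients.max";
    private static final String clientSleepDurationKey = "clients.sleep.duration";

    // Minimum time between two broadcasts, in milliseconds.
    private static final long minBroadcastIntervalMs = 3000;

    private String localIP;       // ip address of this machine
    private String localIPMask;   // first part of the machine's ip address
    private int maxbips = 40;     // broadcast if list has more than this many bips

    // Only used to jitter send timing, never for anything secret, so
    // java.util.Random is sufficient here.
    Random r = new Random();

    /**
     * Entry point.
     *
     * @param args args[0] is the path of the properties file
     */
    public static void main(String[] args)
    {
        // Fail with a usage line instead of an ArrayIndexOutOfBoundsException.
        if (args.length < 1) {
            System.err.println("Usage: java edu.unm.cs.lisys.detection.broadcast.TCPBroadcast <properties-file>");
            System.exit(1);
        }
        TCPBroadcast broadcast = new TCPBroadcast(args[0]);
        broadcast.run();
    }

    /**
     * Loads the configuration, determines the local address, prints the
     * broadcast list and opens the tcpdump log file in append mode.
     *
     * @param propertiesFilename path of the properties file; the process
     *        exits if it cannot be loaded (see readProperties)
     */
    public TCPBroadcast(String propertiesFilename)
    {
        this.properties = readProperties(propertiesFilename);
        String tcpdumpFilename = properties.getProperty(tcpdumpLogFileKey);

        try {
            // Operators should check the address printed below: isValidPacket
            // compares every packet against it, so if getLocalHost() resolves
            // to a loopback or otherwise unexpected address, every packet is
            // rejected and nothing is ever broadcast.
            localIP = InetAddress.getLocalHost().getHostAddress();
            localIPMask = localIP.substring(0, localIP.lastIndexOf('.'));
            Vector v = getDetectionNodeList();
            System.out.println("IP address: " + localIP);
            System.out.println("local IP mask: " + localIPMask);
            System.out.print("Broadcast list: ");
            for (Enumeration e = v.elements(); e.hasMoreElements(); ) {
                System.out.print(((NodeAddress)e.nextElement()).getHost() + " ");
            }
            System.out.println();
            System.out.flush();
        }
        catch (Exception e) {
            Debug.exception(this, e);
        }

        // A missing property used to surface as an uncaught
        // NullPointerException from FileOutputStream; report it instead.
        if (tcpdumpFilename == null) {
            Debug.standard(this.toString() + ": property " + tcpdumpLogFileKey
                           + " is not set; packets will not be logged locally.");
        } else {
            try {
                tcpout = new PrintWriter(new FileOutputStream(tcpdumpFilename, true));
            }
            catch (IOException ioe) {
                Debug.exception(this, ioe);
            }
        }
    }

    /**
     * Reads one line from standard input, one byte at a time.
     *
     * @return the line without its terminating '\n'
     * @throws IOException on a read error; an EOFException (a subclass of
     *         IOException) when the input ends. Bytes read before the end
     *         of input without a terminating '\n' are discarded.
     */
    public String readLine() throws IOException
    {
        // StringBuffer instead of repeated String concatenation, which is
        // quadratic in the line length. The line length is not bounded.
        StringBuffer line = new StringBuffer();
        int c;
        while ((c = System.in.read()) != '\n' && c != -1) {
            line.append((char)c);
        }
        if (c == -1) {  // throw exception on EOF
            // EOFException lets run() tell "input finished" apart from
            // other I/O errors; callers catching IOException still work.
            throw new EOFException("End of file");
        }
        return line.toString();
    }

    /**
     * Strips the trailing ".port" component from a tcpdump endpoint token.
     *
     * @return the part before the last '.', or null if there is no '.'
     */
    private static String stripPort(String endpoint)
    {
        int lastDot = endpoint.lastIndexOf(".");
        return (lastDot < 0) ? null : endpoint.substring(0, lastDot);
    }

    /**
     * Returns true if the tcpdump line contains the address of this
     * machine as a source or destination. This is to compensate for
     * promiscuous cards or stray packets.
     *
     * The line is expected to look like "timestamp source > dest ..."
     * with the port appended to each address after a '.'. Lines that do
     * not have that shape are reported on stderr and rejected rather than
     * raising an exception for every malformed record.
     */
    private boolean isValidPacket(String s)
    {
        StringTokenizer st = new StringTokenizer(s, " ");
        if (st.countTokens() < 4) {
            System.err.println("Malformed tcpdump line: " + s);
            return false;
        }

        st.nextToken();                               // get rid of timestamp
        String source = stripPort(st.nextToken());
        st.nextToken();                               // get rid of ">"
        String dest = stripPort(st.nextToken());

        if (source == null || dest == null) {
            System.err.println("Malformed tcpdump line: " + s);
            return false;
        }

        if (source.equals(localIP) || dest.equals(localIP)) {
            return true;
        } else {
            System.err.println("Packet not for this machine: " + s);
            return false;
        }
    }

    /**
     * Main loop: reads tcpdump lines from stdin, logs the accepted ones
     * and broadcasts them in batches. Returns when standard input ends.
     */
    public void run()
    {
        Vector pending = new Vector();

        Date d = new Date();
        Debug.standard("Started TCPBroadcast on " + d.toString());

        long time = 0;
        while (true) {
            try {
                String s = readLine();
                if (s != null && isValidPacket(s)) {
                    // The log may be unavailable (see constructor); keep
                    // feeding the detection nodes instead of failing on
                    // every packet.
                    if (tcpout != null) {
                        tcpout.println(s);
                        tcpout.flush();
                    }
                    pending.addElement(s);

                    long now = System.currentTimeMillis();
                    // Strictly more than maxbips packets AND more than the
                    // minimum interval since the previous send.
                    if (pending.size() > maxbips && (now - time) > minBroadcastIntervalMs) {
                        System.out.println("Sending " +  pending.size() + " packets!");
                        broadcast(pending);
                        pending.removeAllElements();
                        time = now;
                    }
                }
            }
            catch (EOFException eof) {
                // Without this the loop would spin forever once tcpdump
                // exits, logging an exception on every iteration.
                Debug.standard(this.toString() + ": end of input, stopping.");
                return;
            }
            catch (Exception e) {
                Debug.exception(this, e);
            }
        }
    }

    /**
     * Sends the batch to every configured detection node, one after the
     * other. A failure on one node does not stop the remaining sends.
     */
    private void broadcast(Vector tcpData)
    {
        Vector v = getDetectionNodeList();
        System.out.println("BROADCAST BEGINS");
        for (Enumeration e = v.elements(); e.hasMoreElements(); ) {
            try {
                sendTo((NodeAddress)e.nextElement(), localIPMask, tcpData);
            }
            catch (Exception ex) {
                Debug.exception(this, ex);
            }
        }
        Debug.standard("BROADCAST ENDS");
    }

    /**
     * Parses the detection.nodes property, a comma-separated list of
     * host:port entries, into a Vector of NodeAddress.
     *
     * @return the configured nodes; empty if the property is not set
     * @throws NoSuchElementException if an entry has no ":port" part
     * @throws NumberFormatException if a port is not an integer
     */
    private Vector getDetectionNodeList()
    {
        Vector vec = new Vector();
        String list = properties.getProperty(detectionNodesKey);
        if (list == null) {
            // Say what is wrong instead of failing with a bare
            // NullPointerException inside StringTokenizer.
            Debug.standard(this.toString() + ": property " + detectionNodesKey
                           + " is not set; nothing will be broadcast.");
            return vec;
        }

        StringTokenizer st = new StringTokenizer(list, ",");
        while (st.hasMoreTokens()) {
            String item = st.nextToken().trim();
            StringTokenizer st2 = new StringTokenizer(item, ":");

            // strip out the host and port -- separated by ":"
            String host = st2.nextToken();
            int port = Integer.parseInt(st2.nextToken());
            NodeAddress na = new NodeAddress(host, port);
            vec.addElement(na);
        }

        return vec;
    }

    /**
     * Sends one batch to one detection node. The wire format is the line
     * "BROADCAST", the number of records, one line per record prefixed
     * with localIPMask, then two empty lines.
     *
     * All failures are logged and swallowed, as before; DataSendException
     * stays in the signature for compatibility but is not thrown here.
     *
     * NOTE(review): the data goes out unencrypted and this side presents
     * no credential. new Socket(host, port) also has no connect timeout,
     * so an unresponsive node can stall the read loop for as long as the
     * platform's TCP connect takes to give up.
     */
    private void sendTo(NodeAddress na, String localIPMask, Vector tcpData)
        throws DataSendException
    {
        Socket s = null;
        try {
            // Random delay of up to 3 s before connecting. The previous
            // "(int)r.nextDouble()*3000" cast the double to 0 before
            // multiplying, so the delay was always zero.
            Thread.sleep(r.nextInt(3000));

            s = new Socket(na.getHost(), na.getPort());
            s.setSoTimeout(500);
            PrintWriter outsock = new PrintWriter(s.getOutputStream());
            outsock.println("BROADCAST");
            outsock.flush();
            outsock.println(tcpData.size());
            outsock.flush();
            for (Enumeration e = tcpData.elements(); e.hasMoreElements(); ) {
                String data = (String)e.nextElement();
                String bip = localIPMask + " " + data;
                outsock.println(bip);
            }
            outsock.println();
            outsock.println();
            outsock.flush();

            // PrintWriter never throws on write errors; without this check
            // a batch lost to a broken connection would go unnoticed.
            if (outsock.checkError()) {
                Debug.standard(this.toString() + ": write to " + na.getHost() + " failed.");
            }

            // Hold the connection for 1-2 s before closing (same cast
            // fix as above; it used to be exactly 1000 ms).
            Thread.sleep(1000 + r.nextInt(1000));
        }
        catch (InterruptedException ie) {
            // Preserve the interrupt for whoever is managing this thread.
            Thread.currentThread().interrupt();
            Debug.exception(this, ie);
        }
        catch (Exception e) {
            Debug.exception(this, e);
        }
        finally {
            // Close on every path; previously an exception after connect
            // leaked the socket.
            if (s != null) {
                try {
                    s.close();
                }
                catch (IOException ignored) {
                    // nothing useful can be done if close fails
                }
            }
        }
    }

    /**
     * Loads the properties file on top of the current system properties
     * and installs the result as the JVM system properties. Logs and
     * exits the process with status 1 if the file cannot be loaded.
     *
     * Because the result replaces the system properties, anyone able to
     * edit this file can set arbitrary JVM properties for this process;
     * keep the file writable by the sensor's operator only.
     */
    private Properties readProperties(String filename)
    {
        Properties props = new Properties(System.getProperties());
        InputStream in = null;
        try {
            in = new BufferedInputStream(new FileInputStream(filename));
            props.load(in);
            System.setProperties(props);
        }
        catch (Exception e) {
            Debug.exception(this, e);
            Debug.standard(this.toString() + ": failed to load properties list.");
            Debug.standard(this.toString() + ": shutting down.");
            System.exit(1);
        }
        finally {
            // The stream was previously never closed.
            if (in != null) {
                try {
                    in.close();
                }
                catch (IOException ignored) {
                    // properties are already loaded; a failed close is harmless
                }
            }
        }
        return props;
    }
}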
