*/ else if((p->packet_flags & PKT_FROM_SERVER) && !(p->packet_flags & PKT_STREAM_EST)) { if(scanned) { ps_update_open_ports(&scanned->proto[proto_idx], p->sp); } if(scanner) { if(scanner->proto[proto_idx].alerts == PS_ALERT_GENERATED) scanner->proto[proto_idx].alerts = PS_ALERT_OPEN_PORT; } } } /* ** Stream didn't create a session on the SYN packet, ** so check specifically for SYN here. */ else if (p->tcph && (p->tcph->th_flags == TH_SYN)) { /* No session established, packet only has SYN. SYN only ** packet always from client, so use dp. */ if(scanned) { ps_proto_update(&scanned->proto[proto_idx],1,0, GET_SRC_IP(p),p->dp, pkt_time); } if(scanner) { ps_proto_update(&scanner->proto[proto_idx],1,0, GET_DST_IP(p),p->dp, pkt_time); } } /* ** Stream didn't create a session on the SYN packet, ** so check specifically for SYN & ACK here. Clear based ** on the 'completion' of three-way handshake. */ else if(p->tcph && (p->tcph->th_flags == (TH_SYN|TH_ACK))) { if(scanned) { ps_proto_update(&scanned->proto[proto_idx],-1,0,CLEARED,0,0); } if(scanner) { ps_proto_update(&scanner->proto[proto_idx],-1,0,CLEARED,0,0); } } /* ** No session created, clear based on the RST on non ** established session. */ else if (p->tcph && (p->tcph->th_flags & TH_RST)) { if(scanned) { ps_proto_update(&scanned->proto[proto_idx],0,1,CLEARED,0,0); scanned->priority_node = 1; } if(scanner) { ps_proto_update(&scanner->proto[proto_idx],0,1,CLEARED,0,0); scanner->priority_node = 1; } } /* ** If we are an icmp unreachable, deal with it here. */ else if(p->icmph && p->orig_tcph) { if(scanned) { ps_proto_update(&scanned->proto[proto_idx],0,1,CLEARED,0,0); scanned->priority_node = 1; } if(scanner) { ps_proto_update(&scanner->proto[proto_idx],0,1,CLEARED,0,0); scanner->priority_node = 1; } } /* ** If we're none of the above, revert to flow to do some basic ** processing. This means that the TCP packet we got is not ** considered a valid initiator, so we didn't start a stream ** tracker. 
*/
    else if(flow)
    {
        /*
        ** Tail of ps_tracker_update_tcp (its head lies above this view):
        ** the TCP packet was not classified by stream, so the direction
        ** is taken from the flow tracker instead.
        */
        if(flow->stats.direction == FROM_INITIATOR)
        {
            /* A probe from the initiator: count it against the destination
            ** port and stamp it with the packet time. */
            if(scanned)
            {
                ps_proto_update(&scanned->proto[proto_idx],1,0,
                                 GET_SRC_IP(p),p->dp, pkt_time);
            }
            if(scanner)
            {
                ps_proto_update(&scanner->proto[proto_idx],1,0,
                                 GET_DST_IP(p),p->dp, pkt_time);
            }
        }
        else if(flow->stats.direction == FROM_RESPONDER &&
                (p->tcph->th_flags & TH_RST))
        {
            /*
            ** NOTE(review): p->tcph is dereferenced here without the
            ** "p->tcph &&" guard that the sibling branches above use.
            ** This is safe only if every packet reaching this branch
            ** carries a TCP header (the ICMP-with-embedded-TCP case is
            ** handled by the orig_tcph branch above, but an ICMP packet
            ** without orig_tcph would arrive here with p->tcph == NULL)
            ** -- confirm against ps_get_proto_index.
            **
            ** A RST from the responder is a negative answer (closed
            ** port): bump the priority count and flag the node.
            */
            if(scanned)
            {
                ps_proto_update(&scanned->proto[proto_idx],0,1,CLEARED,0,0);
                scanned->priority_node = 1;
            }
            if(scanner)
            {
                ps_proto_update(&scanner->proto[proto_idx],0,1,CLEARED,0,0);
                scanner->priority_node = 1;
            }
        }
    }

    return 0;
}

/*
** NAME
**   ps_tracker_update_ip::
*/
/*
**  Update the scanner/scanned trackers for a raw IP-protocol probe
**  (PS_PROTO_IP).  Either tracker pointer may be NULL, in which case
**  that side is simply skipped.
**
**  The ps_proto_update arguments are positional; from the call pattern
**  in this file they appear to be (proto, connection delta, priority
**  delta, ip, port, time) -- verify against its definition.
**
**  @param ps_pkt     wrapper holding the decoded Packet in ps_pkt->pkt
**  @param scanner    tracker for the probing host, or NULL
**  @param scanned    tracker for the probed host, or NULL
**  @param proto_idx  index into tracker->proto[] for this protocol
**  @return 0 on every path
*/
static int ps_tracker_update_ip(PS_PKT *ps_pkt, PS_TRACKER *scanner,
                                PS_TRACKER *scanned, int proto_idx)
{
    Packet *p;
    time_t  pkt_time;
    FLOW   *flow;
    ip_t    cleared;

    /* 'cleared' is initialised but never read below; the CLEARED macro
    ** is what the calls actually pass for "no address". */
    IP_CLEAR(cleared);

    p = (Packet *)ps_pkt->pkt;
    pkt_time = packet_timeofday();

    if(p->iph)
    {
        if(p->icmph)
        {
            /* Protocol-unreachable is the negative answer to an IP
            ** protocol probe: count it as a priority event. */
            if(p->icmph->type == ICMP_DEST_UNREACH &&
               p->icmph->code == ICMP_PROT_UNREACH)
            {
                if(scanned)
                {
                    ps_proto_update(&scanned->proto[proto_idx],0,1,CLEARED,0,0);
                    scanned->priority_node = 1;
                }
                if(scanner)
                {
                    ps_proto_update(&scanner->proto[proto_idx],0,1,CLEARED,0,0);
                    scanner->priority_node = 1;
                }
            }

            /* Any other ICMP type is ignored for IP-protocol scans. */
            return 0;
        }

        if(p->flow)
        {
            flow = (FLOW *)p->flow;

            if(flow->stats.direction == FROM_INITIATOR)
            {
                /* The "port" slot carries the IP protocol number here,
                ** so presumably distinct protocols are counted the way
                ** distinct ports are for TCP/UDP. */
                if(scanned)
                {
                    ps_proto_update(&scanned->proto[proto_idx],1,0,
                                     GET_SRC_IP(p),(u_short)p->iph->ip_proto,
                                     pkt_time);
                }
                if(scanner)
                {
                    ps_proto_update(&scanner->proto[proto_idx],1,0,
                                     GET_DST_IP(p),(u_short)p->iph->ip_proto,
                                     pkt_time);
                }
            }
            else if(flow->stats.direction == FROM_RESPONDER)
            {
                /* A reply from the responder: the probe was answered,
                ** so the connection delta is negative. */
                if(scanned)
                    ps_proto_update(&scanned->proto[proto_idx],-1,0,CLEARED,0,0);
                if(scanner)
                    ps_proto_update(&scanner->proto[proto_idx],-1,0,CLEARED,0,0);
            }
        }
    }

    return 0;
}

/*
** NAME
**   ps_tracker_update_udp::
*/
/*
**  Update the scanner/scanned trackers for a UDP probe (PS_PROTO_UDP).
**
**  Direction is taken from the stream API session when one is available
**  (stream_api version >= STREAM_API_VERSION5 and p->ssnptr set), and
**  from the flow tracker otherwise.  An ICMP port-unreachable counts as
**  a negative answer and raises the priority count.
**
**  @param ps_pkt     wrapper holding the decoded Packet in ps_pkt->pkt
**  @param scanner    tracker for the probing host, or NULL
**  @param scanned    tracker for the probed host, or NULL
**  @param proto_idx  index into tracker->proto[] for this protocol
**  @return 0 on every path
*/
static int ps_tracker_update_udp(PS_PKT *ps_pkt, PS_TRACKER *scanner,
                                 PS_TRACKER *scanned, int proto_idx)
{
    Packet *p;
    time_t  pkt_time;
    FLOW   *flow;
    ip_t    cleared;

    /* 'cleared' is initialised but never read below (see CLEARED). */
    IP_CLEAR(cleared);

    p = (Packet *)ps_pkt->pkt;
    pkt_time = packet_timeofday();

    if(p->icmph)
    {
        /* Port-unreachable = closed UDP port: priority event. */
        if(p->icmph->type == ICMP_DEST_UNREACH &&
           p->icmph->code == ICMP_PORT_UNREACH)
        {
            if(scanned)
            {
                ps_proto_update(&scanned->proto[proto_idx],0,1,CLEARED,0,0);
                scanned->priority_node = 1;
            }
            if(scanner)
            {
                ps_proto_update(&scanner->proto[proto_idx],0,1,CLEARED,0,0);
                scanner->priority_node = 1;
            }
        }
    }
    else if(p->udph)
    {
        if (stream_api && (stream_api->version >= STREAM_API_VERSION5) &&
            p->ssnptr)
        {
            /* Stream knows the session: let it tell us the direction. */
            u_int32_t direction = stream_api->get_packet_direction(p);

#ifdef SUP_IP6
            if (direction == PKT_FROM_CLIENT)
            {
                if(scanned)
                {
                    ps_proto_update(&scanned->proto[proto_idx],1,0,
                                     GET_SRC_IP(p),p->dp, pkt_time);
                }
                if(scanner)
                {
                    ps_proto_update(&scanner->proto[proto_idx],1,0,
                                     GET_DST_IP(p),p->dp, pkt_time);
                }
            }
            else if (direction == PKT_FROM_SERVER)
            {
                if(scanned)
                    ps_proto_update(&scanned->proto[proto_idx],-1,0,CLEARED,0,0);
                if(scanner)
                    ps_proto_update(&scanner->proto[proto_idx],-1,0,CLEARED,0,0);
            }
#else
            /* IPv4-only build: raw s_addr values are passed and a plain 0
            ** stands in for CLEARED.
            ** NOTE(review): p->iph is dereferenced here without a NULL
            ** check (ps_tracker_update_ip does check it); presumably a
            ** packet with a UDP header always has p->iph set -- confirm. */
            if (direction == PKT_FROM_CLIENT)
            {
                if(scanned)
                {
                    ps_proto_update(&scanned->proto[proto_idx],1,0,
                                     p->iph->ip_src.s_addr,p->dp, pkt_time);
                }
                if(scanner)
                {
                    ps_proto_update(&scanner->proto[proto_idx],1,0,
                                     p->iph->ip_dst.s_addr,p->dp, pkt_time);
                }
            }
            else if (direction == PKT_FROM_SERVER)
            {
                if(scanned)
                    ps_proto_update(&scanned->proto[proto_idx],-1,0,0,0,0);
                if(scanner)
                    ps_proto_update(&scanner->proto[proto_idx],-1,0,0,0,0);
            }
#endif
        }
        else if(p->flow)
        {
            /* No stream session: fall back to the flow tracker. */
            flow = (FLOW *)p->flow;

            if(flow->stats.direction == FROM_INITIATOR)
            {
                if(scanned)
                {
                    ps_proto_update(&scanned->proto[proto_idx],1,0,
                                     GET_SRC_IP(p),p->dp, pkt_time);
                }
                if(scanner)
                {
                    ps_proto_update(&scanner->proto[proto_idx],1,0,
                                     GET_DST_IP(p),p->dp, pkt_time);
                }
            }
            else if(flow->stats.direction == FROM_RESPONDER)
            {
                if(scanned)
                    ps_proto_update(&scanned->proto[proto_idx],-1,0,CLEARED,0,0);
                if(scanner)
                    ps_proto_update(&scanner->proto[proto_idx],-1,0,CLEARED,0,0);
            }
        }
    }

    return 0;
}

/*
** NAME
**   ps_tracker_update_icmp::
*/
/*
**  Update the scanner tracker for an ICMP sweep packet (PS_PROTO_ICMP).
**  Only the scanner side is updated here; the 'scanned' argument is
**  accepted for signature symmetry but never touched.
**
**  Echo, timestamp, address-mask and info requests count as probes
**  (with port 0); a destination-unreachable counts as a priority event.
**
**  @param ps_pkt     wrapper holding the decoded Packet in ps_pkt->pkt
**  @param scanner    tracker for the probing host, or NULL
**  @param scanned    unused
**  @param proto_idx  index into tracker->proto[] for this protocol
**  @return 0 on every path
*/
static int ps_tracker_update_icmp(PS_PKT *ps_pkt, PS_TRACKER *scanner,
                                  PS_TRACKER *scanned, int proto_idx)
{
    Packet *p;
    time_t  pkt_time;
    ip_t    cleared;

    /* 'cleared' is initialised but never read below (see CLEARED). */
    IP_CLEAR(cleared);

    p = (Packet *)ps_pkt->pkt;
    pkt_time = packet_timeofday();

    if(p->icmph)
    {
        switch(p->icmph->type)
        {
            case ICMP_ECHO:
            case ICMP_TIMESTAMP:
            case ICMP_ADDRESS:
            case ICMP_INFO_REQUEST:
                /* Request types: a sweep probe against GET_DST_IP(p). */
                if(scanner)
                {
                    ps_proto_update(&scanner->proto[proto_idx],1,0,
                                     GET_DST_IP(p), 0, pkt_time);
                }
                break;

            case ICMP_DEST_UNREACH:
                /* Negative answer: priority event on the scanner. */
                if(scanner)
                {
                    ps_proto_update(&scanner->proto[proto_idx],0,1,CLEARED,0,0);
                    scanner->priority_node = 1;
                }
                break;

            default:
                break;
        }
    }

    return 0;
}

/*
** NAME
**   ps_tracker_update::
*/
/*
**
**  At this point, we should only be looking at transport protocols
**  that we want to.  For instance, if we aren't doing UDP portscans
**  then we won't see UDP packets here because they were ignored.
**
**  This is where we evaluate the packet to add/subtract portscan
**  tracker values and prioritize a tracker.  We also update the
**  time windows.
**
**  Any tracker that already carries an alert has it collapsed to
**  PS_ALERT_GENERATED before the per-protocol update runs.  On success
**  ps_pkt->proto and ps_pkt->proto_idx are filled in for the caller;
**  on failure they are left untouched.
**
**  @param ps_pkt   wrapper holding the decoded Packet in ps_pkt->pkt
**  @param scanner  tracker for the probing host, or NULL
**  @param scanned  tracker for the probed host, or NULL
**  @return 0 on success, -1 if the protocol cannot be indexed, is not
**          one of TCP/UDP/ICMP/IP, or the per-protocol updater fails
*/
static int ps_tracker_update(PS_PKT *ps_pkt, PS_TRACKER *scanner,
                             PS_TRACKER *scanned)
{
    Packet *p;
    int     proto_idx;
    int     proto;

    p = (Packet *)ps_pkt->pkt;

    if(ps_get_proto_index(ps_pkt, &proto_idx, &proto))
        return -1;

    /* Reset an existing alert state so this packet is re-evaluated. */
    if(scanner && scanner->proto[proto_idx].alerts)
        scanner->proto[proto_idx].alerts = PS_ALERT_GENERATED;

    if(scanned && scanned->proto[proto_idx].alerts)
        scanned->proto[proto_idx].alerts = PS_ALERT_GENERATED;

    switch(proto)
    {
        case PS_PROTO_TCP:
            if(ps_tracker_update_tcp(ps_pkt, scanner, scanned, proto_idx))
                return -1;
            break;

        case PS_PROTO_UDP:
            if(ps_tracker_update_udp(ps_pkt, scanner, scanned, proto_idx))
                return -1;
            break;

        case PS_PROTO_ICMP:
            if(ps_tracker_update_icmp(ps_pkt, scanner, scanned, proto_idx))
                return -1;
            break;

        case PS_PROTO_IP:
            if(ps_tracker_update_ip(ps_pkt, scanner, scanned, proto_idx))
                return -1;
            break;

        default:
            return -1;
    }

    ps_pkt->proto     = proto;
    ps_pkt->proto_idx = proto_idx;

    return 0;
}

/*
** NAME
**   ps_alert_one_to_one::
*/
/*
**  Decide whether the scanned host's per-protocol stats describe a
**  one-to-one portscan (few source IPs, many ports) and, if so, set
**  scanned->alerts.  A tracker that already has an alert pending is
**  left alone.
**
**  Priority path: requires scanned->priority_count at or above the
**  configured threshold, fewer unique IPs than configured and at least
**  the configured number of unique ports.  If a scanner tracker exists
**  its own priority_count must also meet the threshold; with no scanner
**  tracker the decision is made on the scanned side alone.
**
**  Filtered path: requires scanned->connection_count at or above the
**  configured threshold with the same IP/port shape.  A configured
**  connection_count of 0 disables this path.
**
**  @param scanner  per-protocol stats of the probing host, or NULL
**  @param scanned  per-protocol stats of the probed host, or NULL
**  @param conf     thresholds for this sensitivity level
**  @return -1 if conf is NULL, 0 otherwise (alert is reported through
**          scanned->alerts, not the return value)
*/
static int ps_alert_one_to_one(PS_PROTO *scanner, PS_PROTO *scanned,
                               PS_ALERT_CONF *conf)
{
    if(!conf)
        return -1;

    /*
    ** Let's evaluate the scanned host.
    */
    if(scanned && !scanned->alerts)
    {
        if(scanned->priority_count >= conf->priority_count)
        {
            if(scanned->u_ip_count < conf->u_ip_count &&
               scanned->u_port_count >= conf->u_port_count)
            {
                if(scanner)
                {
                    if(scanner->priority_count >= conf->priority_count)
                    {
                        /*
                        ** Now let's check to make sure this is one
                        ** to one
                        */
                        scanned->alerts = PS_ALERT_ONE_TO_ONE;
                        return 0;
                    }
                }
                else
                {
                    /*
                    ** If there is no scanner, then we do the best we can.
                    */
                    scanned->alerts = PS_ALERT_ONE_TO_ONE;
                    return 0;
                }
            }
        }

        if(scanned->connection_count >= conf->connection_count)
        {
            /* A zero threshold means the filtered alert is disabled. */
            if(conf->connection_count == 0)
                return 0;

            if(scanned->u_ip_count < conf->u_ip_count &&
               scanned->u_port_count >= conf->u_port_count)
            {
                scanned->alerts = PS_ALERT_ONE_TO_ONE_FILTERED;
                return 0;
            }
        }
    }

    return 0;
}

/*
** NAME
**   ps_alert_one_to_one_decoy::
*/
/*
**  Decoy variant of the one-to-one check: same thresholds, but the
**  unique-IP count must be at or above the configured value (a decoy
**  scan spreads a single scan across several spoofed sources).  The
**  scanner argument is not consulted in this function.
**
**  @param scanner  unused here
**  @param scanned  per-protocol stats of the probed host, or NULL
**  @param conf     thresholds for this sensitivity level
**  @return -1 if conf is NULL, 0 otherwise (result in scanned->alerts)
*/
static int ps_alert_one_to_one_decoy(PS_PROTO *scanner, PS_PROTO *scanned,
                                     PS_ALERT_CONF *conf)
{
    if(!conf)
        return -1;

    if(scanned && !scanned->alerts)
    {
        if(scanned->priority_count >= conf->priority_count)
        {
            if(scanned->u_ip_count >= conf->u_ip_count &&
               scanned->u_port_count >= conf->u_port_count)
            {
                scanned->alerts = PS_ALERT_ONE_TO_ONE_DECOY;
                return 0;
            }
        }

        if(scanned->connection_count >= conf->connection_count)
        {
            /* A zero threshold means the filtered alert is disabled. */
            if(conf->connection_count == 0)
                return 0;

            if(scanned->u_ip_count >= conf->u_ip_count &&
               scanned->u_port_count >= conf->u_port_count)
            {
                scanned->alerts = PS_ALERT_ONE_TO_ONE_DECOY_FILTERED;
                return 0;
            }
        }
    }

    return 0;
}

/*
** NAME
**   ps_alert_many_to_one::
*/
/*
**  Distributed (many-to-one) check: the unique-IP count may be at most
**  the configured value here (note "<=" rather than "<").  The body of
**  this function continues beyond this view.
*/
static int ps_alert_many_to_one(PS_PROTO *scanner, PS_PROTO *scanned,
                                PS_ALERT_CONF *conf)
{
    if(!conf)
        return -1;

    if(scanned && !scanned->alerts)
    {
        if(scanned->priority_count >= conf->priority_count)
        {
            if(scanned->u_ip_count <= conf->u_ip_count &&
               scanned->u_port_count >= conf->u_port_count)
            {
                scanned->alerts = PS_ALERT_DISTRIBUTED;
                return 0;