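/*
** Tail of ps_alert_many_to_one(): the function header, the NULL checks
** and the priority_count branch are above this excerpt.  The logic is
** left exactly as found; only the layout was restored.
*/
            }
        }

        if(scanned->connection_count >= conf->connection_count)
        {
            /* A connection_count threshold of 0 disables the filtered check. */
            if(conf->connection_count == 0)
                return 0;

            if(scanned->u_ip_count <= conf->u_ip_count &&
               scanned->u_port_count >= conf->u_port_count)
            {
                scanned->alerts = PS_ALERT_DISTRIBUTED_FILTERED;
                /*
                ** NOTE(review): the other *_FILTERED paths below return 1
                ** here.  The per-protocol callers discard the value, so the
                ** difference has no effect today — confirm before relying
                ** on the return code.
                */
                return 0;
            }
        }
    }

    return 0;
}

/*
** NAME
**   ps_alert_one_to_many::
*/
/**
**  Portsweep check on the scanning host: one source reaching many
**  hosts on few ports.  Sets PS_ALERT_PORTSWEEP when the priority_count
**  threshold of conf is met, or PS_ALERT_PORTSWEEP_FILTERED when only
**  the connection_count threshold is met.  A tracker that already
**  carries an alert is not re-evaluated.
**
**  @param scanner  proto tracker of the scanning host, may be NULL
**  @param scanned  unused; the scanned side plays no part in a sweep
**  @param conf     threshold table for the active sensitivity level
**
**  @return 1 if an alert was set on scanner, 0 otherwise,
**          -1 if conf is NULL
*/
static int ps_alert_one_to_many(PS_PROTO *scanner, PS_PROTO *scanned,
                                PS_ALERT_CONF *conf)
{
    if(!conf)
        return -1;

    (void)scanned;

    if(!scanner || scanner->alerts)
        return 0;

    if(scanner->priority_count >= conf->priority_count &&
       scanner->u_ip_count >= conf->u_ip_count &&
       scanner->u_port_count <= conf->u_port_count)
    {
        scanner->alerts = PS_ALERT_PORTSWEEP;
        return 1;
    }

    if(scanner->connection_count >= conf->connection_count)
    {
        /* A connection_count threshold of 0 disables the filtered check. */
        if(conf->connection_count == 0)
            return 0;

        if(scanner->u_ip_count >= conf->u_ip_count &&
           scanner->u_port_count <= conf->u_port_count)
        {
            scanner->alerts = PS_ALERT_PORTSWEEP_FILTERED;
            return 1;
        }
    }

    return 0;
}

/*
** NAME
**   ps_alert_run_detectors::
*/
/**
**  Shared body of the TCP, UDP and IP alert functions: runs each scan
**  detector enabled in g_ps_init.detect_scan_type, in the fixed order
**  portscan, decoy, sweep, distributed, and stops at the first one
**  that returns non-zero, so at most one detector sets an alert per
**  evaluation.
**
**  @param scanner           proto tracker of the scanning host, may be NULL
**  @param scanned           proto tracker of the scanned host, may be NULL
**  @param one_to_one        thresholds for the portscan detector
**  @param one_to_one_decoy  thresholds for the decoy portscan detector
**  @param one_to_many       thresholds for the portsweep detector
**  @param many_to_one       thresholds for the distributed portscan detector
**
**  @return always 0; the detector results only decide where the
**          chain stops
*/
static int ps_alert_run_detectors(PS_PROTO *scanner, PS_PROTO *scanned,
                                  PS_ALERT_CONF *one_to_one,
                                  PS_ALERT_CONF *one_to_one_decoy,
                                  PS_ALERT_CONF *one_to_many,
                                  PS_ALERT_CONF *many_to_one)
{
    if((g_ps_init.detect_scan_type & PS_TYPE_PORTSCAN) &&
       ps_alert_one_to_one(scanner, scanned, one_to_one))
    {
        return 0;
    }

    if((g_ps_init.detect_scan_type & PS_TYPE_DECOYSCAN) &&
       ps_alert_one_to_one_decoy(scanner, scanned, one_to_one_decoy))
    {
        return 0;
    }

    if((g_ps_init.detect_scan_type & PS_TYPE_PORTSWEEP) &&
       ps_alert_one_to_many(scanner, scanned, one_to_many))
    {
        return 0;
    }

    if((g_ps_init.detect_scan_type & PS_TYPE_DISTPORTSCAN) &&
       ps_alert_many_to_one(scanner, scanned, many_to_one))
    {
        return 0;
    }

    return 0;
}

/*
** NAME
**   ps_alert_tcp::
*/
/**
**  Selects the TCP threshold tables for the configured sensitivity
**  level and runs the scan detectors against them.
**
**  The table pointers used to be function-scope statics; every path
**  either assigns all four or returns, so nothing ever read a value
**  from a previous call and plain automatics are equivalent, without
**  leaving stale shared state behind.
**
**  @return -1 if g_ps_init.sense_level is not a known level (no
**          detection is run), 0 otherwise
*/
static int ps_alert_tcp(PS_PROTO *scanner, PS_PROTO *scanned)
{
    PS_ALERT_CONF *one_to_one;
    PS_ALERT_CONF *one_to_one_decoy;
    PS_ALERT_CONF *one_to_many;
    PS_ALERT_CONF *many_to_one;

    switch(g_ps_init.sense_level)
    {
        case PS_SENSE_HIGH:
            one_to_one       = &g_tcp_hi_ps;
            one_to_one_decoy = &g_tcp_hi_decoy_ps;
            one_to_many      = &g_tcp_hi_sweep;
            many_to_one      = &g_tcp_hi_dist_ps;
            break;

        case PS_SENSE_MEDIUM:
            one_to_one       = &g_tcp_med_ps;
            one_to_one_decoy = &g_tcp_med_decoy_ps;
            one_to_many      = &g_tcp_med_sweep;
            many_to_one      = &g_tcp_med_dist_ps;
            break;

        case PS_SENSE_LOW:
            one_to_one       = &g_tcp_low_ps;
            one_to_one_decoy = &g_tcp_low_decoy_ps;
            one_to_many      = &g_tcp_low_sweep;
            many_to_one      = &g_tcp_low_dist_ps;
            break;

        default:
            return -1;
    }

    return ps_alert_run_detectors(scanner, scanned, one_to_one,
                                  one_to_one_decoy, one_to_many, many_to_one);
}

/*
** NAME
**   ps_alert_ip::
*/
/**
**  Selects the IP-protocol threshold tables for the configured
**  sensitivity level and runs the scan detectors against them.
**
**  @return -1 if g_ps_init.sense_level is not a known level, 0 otherwise
*/
static int ps_alert_ip(PS_PROTO *scanner, PS_PROTO *scanned)
{
    PS_ALERT_CONF *one_to_one;
    PS_ALERT_CONF *one_to_one_decoy;
    PS_ALERT_CONF *one_to_many;
    PS_ALERT_CONF *many_to_one;

    switch(g_ps_init.sense_level)
    {
        case PS_SENSE_HIGH:
            one_to_one       = &g_ip_hi_ps;
            one_to_one_decoy = &g_ip_hi_decoy_ps;
            one_to_many      = &g_ip_hi_sweep;
            many_to_one      = &g_ip_hi_dist_ps;
            break;

        case PS_SENSE_MEDIUM:
            one_to_one       = &g_ip_med_ps;
            one_to_one_decoy = &g_ip_med_decoy_ps;
            one_to_many      = &g_ip_med_sweep;
            many_to_one      = &g_ip_med_dist_ps;
            break;

        case PS_SENSE_LOW:
            one_to_one       = &g_ip_low_ps;
            one_to_one_decoy = &g_ip_low_decoy_ps;
            one_to_many      = &g_ip_low_sweep;
            many_to_one      = &g_ip_low_dist_ps;
            break;

        default:
            return -1;
    }

    return ps_alert_run_detectors(scanner, scanned, one_to_one,
                                  one_to_one_decoy, one_to_many, many_to_one);
}

/*
** NAME
**   ps_alert_udp::
*/
/**
**  Selects the UDP threshold tables for the configured sensitivity
**  level and runs the scan detectors against them.
**
**  @return -1 if g_ps_init.sense_level is not a known level, 0 otherwise
*/
static int ps_alert_udp(PS_PROTO *scanner, PS_PROTO *scanned)
{
    PS_ALERT_CONF *one_to_one;
    PS_ALERT_CONF *one_to_one_decoy;
    PS_ALERT_CONF *one_to_many;
    PS_ALERT_CONF *many_to_one;

    switch(g_ps_init.sense_level)
    {
        case PS_SENSE_HIGH:
            one_to_one       = &g_udp_hi_ps;
            one_to_one_decoy = &g_udp_hi_decoy_ps;
            one_to_many      = &g_udp_hi_sweep;
            many_to_one      = &g_udp_hi_dist_ps;
            break;

        case PS_SENSE_MEDIUM:
            one_to_one       = &g_udp_med_ps;
            one_to_one_decoy = &g_udp_med_decoy_ps;
            one_to_many      = &g_udp_med_sweep;
            many_to_one      = &g_udp_med_dist_ps;
            break;

        case PS_SENSE_LOW:
            one_to_one       = &g_udp_low_ps;
            one_to_one_decoy = &g_udp_low_decoy_ps;
            one_to_many      = &g_udp_low_sweep;
            many_to_one      = &g_udp_low_dist_ps;
            break;

        default:
            return -1;
    }

    return ps_alert_run_detectors(scanner, scanned, one_to_one,
                                  one_to_one_decoy, one_to_many, many_to_one);
}

/*
** NAME
**   ps_alert_icmp::
*/
/**
**  ICMP only has a sweep table, so only the portsweep detector is run,
**  and only when PS_TYPE_PORTSWEEP is enabled.
**
**  @return -1 if g_ps_init.sense_level is not a known level, 0 otherwise
*/
static int ps_alert_icmp(PS_PROTO *scanner, PS_PROTO *scanned)
{
    PS_ALERT_CONF *one_to_many;

    switch(g_ps_init.sense_level)
    {
        case PS_SENSE_HIGH:
            one_to_many = &g_icmp_hi_sweep;
            break;

        case PS_SENSE_MEDIUM:
            one_to_many = &g_icmp_med_sweep;
            break;

        case PS_SENSE_LOW:
            one_to_many = &g_icmp_low_sweep;
            break;

        default:
            return -1;
    }

    if((g_ps_init.detect_scan_type & PS_TYPE_PORTSWEEP) &&
       ps_alert_one_to_many(scanner, scanned, one_to_many))
    {
        return 0;
    }

    return 0;
}

/*
** NAME
**   ps_tracker_alert::
*/
/**
**  This function evaluates the scanner and scanned trackers and, if
**  applicable, generates an alert or alerts for either of the trackers.
**
**  The following alerts can be generated:
**    - One to One Portscan
**    - One to One Decoy Portscan
**    - One to Many Portsweep
**    - Distributed Portscan (Many to One)
**    - Filtered Portscan
**
**  The per-protocol functions return -1 for an unknown sensitivity
**  level; that value is not propagated here (pre-existing behaviour),
**  so this function reports 0 whenever the protocol is recognised.
**
**  @param ps_pkt   packet descriptor; proto selects the detector and
**                  proto_idx the slot in each tracker's proto[] array
**  @param scanner  tracker of the scanning host, may be NULL
**  @param scanned  tracker of the scanned host, may be NULL
**
**  @return 0 on success, -1 if ps_pkt is NULL or its proto is unknown
*/
static int ps_tracker_alert(PS_PKT *ps_pkt, PS_TRACKER *scanner,
                            PS_TRACKER *scanned)
{
    PS_PROTO *scanner_proto;
    PS_PROTO *scanned_proto;

    if(!ps_pkt)
        return -1;

    /* Either tracker may be absent; the detectors test their arguments
    ** for NULL before use. */
    scanner_proto = scanner ? &scanner->proto[ps_pkt->proto_idx] : NULL;
    scanned_proto = scanned ? &scanned->proto[ps_pkt->proto_idx] : NULL;

    switch(ps_pkt->proto)
    {
        case PS_PROTO_TCP:
            ps_alert_tcp(scanner_proto, scanned_proto);
            break;

        case PS_PROTO_UDP:
            ps_alert_udp(scanner_proto, scanned_proto);
            break;

        case PS_PROTO_ICMP:
            ps_alert_icmp(scanner_proto, scanned_proto);
            break;

        case PS_PROTO_IP:
            ps_alert_ip(scanner_proto, scanned_proto);
            break;

        default:
            return -1;
    }

    return 0;
}

/*
** NAME
**   ps_detect::
*/
/**
**  The design of portscan is as follows:
**
**  - Filter Packet.  Is the packet part of the ignore or watch list?  Is
**    the packet part of an established TCP session (we ignore it)?
**
**  - Tracker Lookup.  We look up trackers for src and dst if either is in
**    the watch list, or not in the ignore list if there is no watch list.
**    If there is no tracker, we create a new one and keep track, both of
**    the scanned host and the scanning host.
**
**  - Tracker Update.  We update the tracker using the incoming packet.  If
**    the update causes a portscan alert, then we move into the log alert
**    phase.
**
**  - Tracker Evaluate.  Generate an alert from the updated tracker.  We
**    decide whether we are logging a portscan or sweep (based on the
**    scanning or scanned host, we decide which is more relevant).
**
**  @param ps_pkt  packet descriptor; ps_pkt->pkt must point at the
**                 decoded Packet.  On return, ps_pkt->scanner and
**                 ps_pkt->scanned hold the trackers of the last pass.
**
**  @return 1 if the packet was tracked and evaluated, 0 if it was
**          ignored or a lookup/update/alert step declined it,
**          -1 if ps_pkt or ps_pkt->pkt is NULL
*/
int ps_detect(PS_PKT *ps_pkt)
{
    PS_TRACKER *scanner = NULL;
    PS_TRACKER *scanned = NULL;
    int check_tcp_rst_other_dir = 1;
    Packet *p;

    if(!ps_pkt || !ps_pkt->pkt)
        return -1;

    if(ps_filter_ignore(ps_pkt))
        return 0;

    p = (Packet *)ps_pkt->pkt;

    do
    {
        if(ps_tracker_lookup(ps_pkt, &scanner, &scanned))
            return 0;

        if(ps_tracker_update(ps_pkt, scanner, scanned))
            return 0;

        if(ps_tracker_alert(ps_pkt, scanner, scanned))
            return 0;

        /*
        ** This addresses the case of no Stream5 session and a RST
        ** packet going back from the server: the packet is run through
        ** lookup/update/alert a second time with reverse_pkt set, and
        ** the loop ends once that second pass has happened.  Any other
        ** packet is evaluated exactly once.
        */
        if (p->tcph && (p->tcph->th_flags & TH_RST) && !p->ssnptr &&
            stream_api && (stream_api->version >= STREAM_API_VERSION5))
        {
            if (ps_pkt->reverse_pkt == 1)
            {
                check_tcp_rst_other_dir = 0;
            }
            else
            {
                ps_pkt->reverse_pkt = 1;
            }
        }
        else
        {
            check_tcp_rst_other_dir = 0;
        }
    } while (check_tcp_rst_other_dir);

    ps_pkt->scanner = scanner;
    ps_pkt->scanned = scanned;

    return 1;
}

/*
** NAME
**   ps_proto_print::
*/
/**
**  Debug dump of one PS_PROTO tracker to stdout.  Compiled out under
**  SUP_IP6 (IPv6 builds), where the address fields are not in_addr
**  sized.
**
**  @param proto  tracker to print; NULL is ignored
*/
static void ps_proto_print(PS_PROTO *proto)
{
#ifdef SUP_IP6
// XXX-IPv6 debugging
#else
    int iCtr;
    struct in_addr ip;

    if(!proto)
        return;

    printf("    priority count = %d\n", proto->priority_count);
    printf("    connection count = %d\n", proto->connection_count);
    printf("    unique IP count = %d\n", proto->u_ip_count);

    /* inet_ntoa() returns a static buffer, so each address gets its
    ** own printf() rather than sharing one format string. */
    ip.s_addr = proto->low_ip;
    printf("    IP range = %s:", inet_ntoa(ip));
    ip.s_addr = proto->high_ip;
    printf("%s\n", inet_ntoa(ip));

    printf("    unique port count = %d\n", proto->u_port_count);
    printf("    port range = %d:%d\n", proto->low_p, proto->high_p);

    printf("    open ports = ");
    for(iCtr = 0; iCtr < proto->open_ports_cnt; iCtr++)
    {
        printf("%d ", proto->open_ports[iCtr]);
    }
    printf("\n");

    printf("    alerts = %.2x\n", proto->alerts);

    ip.s_addr = proto->u_ips;
    printf("    Last IP: %s\n", inet_ntoa(ip));
    printf("    Last Port: %d\n", proto->u_ports);
    printf("    Time: %s\n", ctime(&proto->window));
#endif

    return;
}

/*
** NAME
**   ps_tracker_print::
*/
/**
**  Debug dump of a PS_TRACKER: prints each enabled protocol's PS_PROTO
**  in turn.  proto_index advances in the order TCP, UDP, IP, ICMP for
**  each protocol enabled in g_ps_init.detect_scans; presumably this
**  mirrors how the tracker's proto[] slots are assigned — confirm
**  against the tracker setup code if the order there changes.
**
**  @param ps_tracker  tracker to print; NULL is ignored
*/
void ps_tracker_print(PS_TRACKER *ps_tracker)
{
    int proto_index = 0;

    if(!ps_tracker)
        return;

    printf("  -- PS_TRACKER --\n");
    printf("  priority_node = %d\n", ps_tracker->priority_node);

    if(g_ps_init.detect_scans & PS_PROTO_TCP)
    {
        printf("  ** TCP **\n");
        ps_proto_print(&ps_tracker->proto[proto_index]);
        proto_index++;
    }

    if(g_ps_init.detect_scans & PS_PROTO_UDP)
    {
        printf("  ** UDP **\n");
        ps_proto_print(&ps_tracker->proto[proto_index]);
        proto_index++;
    }

    if(g_ps_init.detect_scans & PS_PROTO_IP)
    {
        printf("  ** IP **\n");
        ps_proto_print(&ps_tracker->proto[proto_index]);
        proto_index++;
    }

    if(g_ps_init.detect_scans & PS_PROTO_ICMP)
    {
        printf("  ** ICMP **\n");
        ps_proto_print(&ps_tracker->proto[proto_index]);
        proto_index++;
    }

    printf("  -- END --\n\n");

    return;
}

/*
** NAME
**   ps_get_protocols::
*/
/**
**  @return the bitmask of protocols portscan detection is enabled for
**          (g_ps_init.detect_scans).  Declared with (void): an empty
**          parameter list is an old-style declaration, not "no
**          arguments".
*/
int ps_get_protocols(void)
{
    return g_ps_init.detect_scans;
}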