ChipMaster
/
Poor-Mans-IDS
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
The Poor Man's (or Woman's) Intrusion Detection System
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9 Commits
1 Branch
133 KiB
Tree: 8a33f5fdd8
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '8a33f5fdd8'
${ noResults }
Poor-Mans-IDS/iptraffic.cpp

iptraffic.cpp 4.4 KiB
Raw Normal View History

Initial import This is the first attempt to track who's making DNS queries.
2 years ago
Wildcard ignore match & C++ < 11
2 years ago
Initial import This is the first attempt to track who's making DNS queries.
2 years ago
Wildcard ignore match & C++ < 11
2 years ago
Proper CLI interface for iptraffic * Wrapped in application object * Getting config file name from CLI args * Getting input and output filenams from CLI args * Reading and writing from STDIN & STDOUT * Send all non-data output to stderr
2 years ago
Prepare for first PUSH to the 'Shack * Add README.md * Reorder Makefile * Remove remarks that don't have any baring outside of here. * Add INI based conig file for defining local networks and ignores. * Break out data classes into their own module (needed for config). * Break out string utilities into their own module. * Remove "us" & "ignore" definitions from source.
2 years ago
Proper CLI interface for iptraffic * Wrapped in application object * Getting config file name from CLI args * Getting input and output filenams from CLI args * Reading and writing from STDIN & STDOUT * Send all non-data output to stderr
2 years ago
Break analyzer out of iptraffic & tests Added tests for testing address wild card matching and a test jig to put tests in. I moved the core of the log analyzer out of iptraffic and into data.o for use in multiple tools.
2 years ago
Initial import This is the first attempt to track who's making DNS queries.
2 years ago
Proper CLI interface for iptraffic * Wrapped in application object * Getting config file name from CLI args * Getting input and output filenams from CLI args * Reading and writing from STDIN & STDOUT * Send all non-data output to stderr
2 years ago
Prepare for first PUSH to the 'Shack * Add README.md * Reorder Makefile * Remove remarks that don't have any baring outside of here. * Add INI based conig file for defining local networks and ignores. * Break out data classes into their own module (needed for config). * Break out string utilities into their own module. * Remove "us" & "ignore" definitions from source.
2 years ago
Initial import This is the first attempt to track who's making DNS queries.
2 years ago
Proper CLI interface for iptraffic * Wrapped in application object * Getting config file name from CLI args * Getting input and output filenams from CLI args * Reading and writing from STDIN & STDOUT * Send all non-data output to stderr
2 years ago
Initial import This is the first attempt to track who's making DNS queries.
2 years ago
Proper CLI interface for iptraffic * Wrapped in application object * Getting config file name from CLI args * Getting input and output filenams from CLI args * Reading and writing from STDIN & STDOUT * Send all non-data output to stderr
2 years ago
Initial import This is the first attempt to track who's making DNS queries.
2 years ago
Proper CLI interface for iptraffic * Wrapped in application object * Getting config file name from CLI args * Getting input and output filenams from CLI args * Reading and writing from STDIN & STDOUT * Send all non-data output to stderr
2 years ago
Break analyzer out of iptraffic & tests Added tests for testing address wild card matching and a test jig to put tests in. I moved the core of the log analyzer out of iptraffic and into data.o for use in multiple tools.
2 years ago
Proper CLI interface for iptraffic * Wrapped in application object * Getting config file name from CLI args * Getting input and output filenams from CLI args * Reading and writing from STDIN & STDOUT * Send all non-data output to stderr
2 years ago
Initial import This is the first attempt to track who's making DNS queries.
2 years ago
Proper CLI interface for iptraffic * Wrapped in application object * Getting config file name from CLI args * Getting input and output filenams from CLI args * Reading and writing from STDIN & STDOUT * Send all non-data output to stderr
2 years ago
Break analyzer out of iptraffic & tests Added tests for testing address wild card matching and a test jig to put tests in. I moved the core of the log analyzer out of iptraffic and into data.o for use in multiple tools.
2 years ago
Proper CLI interface for iptraffic * Wrapped in application object * Getting config file name from CLI args * Getting input and output filenams from CLI args * Reading and writing from STDIN & STDOUT * Send all non-data output to stderr
2 years ago
whitespace removal
2 years ago
Proper CLI interface for iptraffic * Wrapped in application object * Getting config file name from CLI args * Getting input and output filenams from CLI args * Reading and writing from STDIN & STDOUT * Send all non-data output to stderr
2 years ago
Initial import This is the first attempt to track who's making DNS queries.
2 years ago
Proper CLI interface for iptraffic * Wrapped in application object * Getting config file name from CLI args * Getting input and output filenams from CLI args * Reading and writing from STDIN & STDOUT * Send all non-data output to stderr
2 years ago
Wildcard ignore match & C++ < 11
2 years ago
Proper CLI interface for iptraffic * Wrapped in application object * Getting config file name from CLI args * Getting input and output filenams from CLI args * Reading and writing from STDIN & STDOUT * Send all non-data output to stderr
2 years ago
Wildcard ignore match & C++ < 11
2 years ago
Proper CLI interface for iptraffic * Wrapped in application object * Getting config file name from CLI args * Getting input and output filenams from CLI args * Reading and writing from STDIN & STDOUT * Send all non-data output to stderr
2 years ago
Initial import This is the first attempt to track who's making DNS queries.
2 years ago
Proper CLI interface for iptraffic * Wrapped in application object * Getting config file name from CLI args * Getting input and output filenams from CLI args * Reading and writing from STDIN & STDOUT * Send all non-data output to stderr
2 years ago
whitespace removal
2 years ago
Proper CLI interface for iptraffic * Wrapped in application object * Getting config file name from CLI args * Getting input and output filenams from CLI args * Reading and writing from STDIN & STDOUT * Send all non-data output to stderr
2 years ago
whitespace removal
2 years ago
Proper CLI interface for iptraffic * Wrapped in application object * Getting config file name from CLI args * Getting input and output filenams from CLI args * Reading and writing from STDIN & STDOUT * Send all non-data output to stderr
2 years ago
whitespace removal
2 years ago
Proper CLI interface for iptraffic * Wrapped in application object * Getting config file name from CLI args * Getting input and output filenams from CLI args * Reading and writing from STDIN & STDOUT * Send all non-data output to stderr
2 years ago
whitespace removal
2 years ago
Proper CLI interface for iptraffic * Wrapped in application object * Getting config file name from CLI args * Getting input and output filenams from CLI args * Reading and writing from STDIN & STDOUT * Send all non-data output to stderr
2 years ago
whitespace removal
2 years ago
Proper CLI interface for iptraffic * Wrapped in application object * Getting config file name from CLI args * Getting input and output filenams from CLI args * Reading and writing from STDIN & STDOUT * Send all non-data output to stderr
2 years ago
whitespace removal
2 years ago
Proper CLI interface for iptraffic * Wrapped in application object * Getting config file name from CLI args * Getting input and output filenams from CLI args * Reading and writing from STDIN & STDOUT * Send all non-data output to stderr
2 years ago
Break analyzer out of iptraffic & tests Added tests for testing address wild card matching and a test jig to put tests in. I moved the core of the log analyzer out of iptraffic and into data.o for use in multiple tools.
2 years ago
Proper CLI interface for iptraffic * Wrapped in application object * Getting config file name from CLI args * Getting input and output filenams from CLI args * Reading and writing from STDIN & STDOUT * Send all non-data output to stderr
2 years ago
Break analyzer out of iptraffic & tests Added tests for testing address wild card matching and a test jig to put tests in. I moved the core of the log analyzer out of iptraffic and into data.o for use in multiple tools.
2 years ago
Proper CLI interface for iptraffic * Wrapped in application object * Getting config file name from CLI args * Getting input and output filenams from CLI args * Reading and writing from STDIN & STDOUT * Send all non-data output to stderr
2 years ago
Break analyzer out of iptraffic & tests Added tests for testing address wild card matching and a test jig to put tests in. I moved the core of the log analyzer out of iptraffic and into data.o for use in multiple tools.
2 years ago
Proper CLI interface for iptraffic * Wrapped in application object * Getting config file name from CLI args * Getting input and output filenams from CLI args * Reading and writing from STDIN & STDOUT * Send all non-data output to stderr
2 years ago
Break analyzer out of iptraffic & tests Added tests for testing address wild card matching and a test jig to put tests in. I moved the core of the log analyzer out of iptraffic and into data.o for use in multiple tools.
2 years ago
Proper CLI interface for iptraffic * Wrapped in application object * Getting config file name from CLI args * Getting input and output filenams from CLI args * Reading and writing from STDIN & STDOUT * Send all non-data output to stderr
2 years ago
Break analyzer out of iptraffic & tests Added tests for testing address wild card matching and a test jig to put tests in. I moved the core of the log analyzer out of iptraffic and into data.o for use in multiple tools.
2 years ago
Proper CLI interface for iptraffic * Wrapped in application object * Getting config file name from CLI args * Getting input and output filenams from CLI args * Reading and writing from STDIN & STDOUT * Send all non-data output to stderr
2 years ago
Initial import This is the first attempt to track who's making DNS queries.
2 years ago
Wildcard ignore match & C++ < 11
2 years ago
Initial import This is the first attempt to track who's making DNS queries.
2 years ago
whitespace removal
2 years ago
Proper CLI interface for iptraffic * Wrapped in application object * Getting config file name from CLI args * Getting input and output filenams from CLI args * Reading and writing from STDIN & STDOUT * Send all non-data output to stderr
2 years ago
whitespace removal
2 years ago
Proper CLI interface for iptraffic * Wrapped in application object * Getting config file name from CLI args * Getting input and output filenams from CLI args * Reading and writing from STDIN & STDOUT * Send all non-data output to stderr
2 years ago
Initial import This is the first attempt to track who's making DNS queries.
2 years ago
Proper CLI interface for iptraffic * Wrapped in application object * Getting config file name from CLI args * Getting input and output filenams from CLI args * Reading and writing from STDIN & STDOUT * Send all non-data output to stderr
2 years ago
Initial import This is the first attempt to track who's making DNS queries.
2 years ago
Proper CLI interface for iptraffic * Wrapped in application object * Getting config file name from CLI args * Getting input and output filenams from CLI args * Reading and writing from STDIN & STDOUT * Send all non-data output to stderr
2 years ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185 
  1. //////////////////////////////////////////////////////////////////////

  2. // IP traffic analyzer

  3. // Written by Jonathan A. Foster <ChipMaster@YeOlPiShack.net>

  4. // Started April 23rd, 2021

  5. //

  6. // The idea is to analyze iptables LOG entries in combination with

  7. // DNSmasq's query log entries and combine them to list the hosts

  8. // that were accessed. The main reasons for not just inspecting HTTP

  9. // packets through a netfilter socket is due to HTTPS hiding the

  10. // "host" field. So I'm deducing based on DNS query timing.

  11. //

  12. // NOTE: its assumed that the log being processed is in chronological

  13. // order. This is the usual way things get logged. ;-)

  14. //

  15. // 2021-05-14 <ChipMaster@YeOlPiShack.net>

  16. //   Dumbed down for < C++11.

  17. //   Split into modules

  18. //

  19. // 2021-06-18 <ChipMaster@YeOlPiShack.net>

  20. //   Wrapped in application object and added command line handling.

  21. //   This includes:

  22. //     - Getting config file name from CLI args

  23. //     - Getting input and output filenams from CLI args

  24. //     - Reading and writing from STDIN & STDOUT

  25. //     - Send all non-data output to stderr

  26. //

  27. // 2021-08-11 <ChipMaster@YeOlPiShack.net>

  28. //   Move main data colation routine into its own class to be shared

  29. //   with multiple tools.

  30. //////////////////////////////////////////////////////////////////////

  31. 

  32. #include <string.h>

  33. #include <string>

  34. #include <iostream>

  35. #include <fstream>

  36. #include <stdexcept>

  37. #include <vector>

  38. #include <map>

  39. #include "cli.h"

  40. #include "strutil.h"

  41. #include "data.h"

  42. #include "config.h"

  43. using namespace std;

  44. 

  45. 

  46. 

  47. //////////////////////////////////////////////////////////////////////

  48. // Application class to process files.

  49. //////////////////////////////////////////////////////////////////////

  50. //#define DEBUG

  51. 

  52. struct IPtraffic: public cBaseApp {

  53.   Config      config;

  54.   LogAnalyzer analyze;

  55.   istream    *log;

  56.   ostream    *out;

  57.   LiveBug     bug;

  58.   int         line_no;

  59. 

  60. 

  61. 

  62.   IPtraffic(): out(&cout), log(0)

  63.   { // I'd rather this initialization be static...

  64.     analyze.us = &(config.us);

  65.   }

  66. 

  67. 

  68. 

  69.   ~IPtraffic() {  if(log && log!=&cin) delete(log); }

  70. 

  71. 

  72. 

  73.   void dlog(const string msg) {

  74. #ifdef DEBUG

  75.     cerr << line_no << ": " << msg << endl;

  76. #endif

  77.   }

  78. 

  79. 

  80.   // TODO: elaborate

  81.   void help() {

  82.     cerr <<

  83.       "\n"

  84.       "iptraffic -c {config file} [-o {output file}] [{input file} [...]]\n";

  85.     ExitCode = 1;

  86.   }

  87. 

  88. 

  89. 

  90.   unsigned do_switch(const char *sw) {

  91.     if((sw[0]=='c' || sw[0]=='o') && sw[1]==0) return 1;

  92.     throw CLIerror("Unrecognized Switch");

  93.   }

  94. 

  95. 

  96. 

  97.   void do_switch_arg(const char *sw, const std::string &val) {

  98.     switch(*sw) {

  99.     case 'c':

  100.       config.load(val);

  101.       if(!config.us.size()) throw CLIerror(

  102.         "The configuration files MUST contain an [us] section with "

  103.         "appropriate values"

  104.       );

  105.       break;

  106. 

  107.     case 'o':

  108.       if(out!=&cout)

  109.         throw CLIerror("Output file has already been specified");

  110.       out = new ofstream(val.c_str()); // c_str(), really?!?!

  111.     }

  112.   }

  113. 

  114. 

  115. 

  116.   void do_arg(const char *fname) {

  117.     if(log && log!=&cin) delete(log);

  118.     log = 0;

  119.     log = new ifstream(fname);

  120.     ExitCode = do_log();

  121.   }

  122. 

  123. 

  124. 

  125.   // NOTE: the return values isn't really used yet but the channel is here if

  126.   // it can be of use.

  127.   int do_log() {

  128.     int ict=0; // ignored netfilter lines

  129.     std::string l;

  130. 

  131.     /// parse log file ///

  132. 

  133.     if(!config.us.size()) throw CLIerror(

  134.       "A configuration file must be specified before input files."

  135.     );

  136.     line_no=0;

  137.     while(std::getline(*log, l)) {

  138.       line_no++;

  139.       cerr << bug << ' ' << line_no << '\r' << flush;

  140. 

  141.       /// process connections ///

  142. 

  143.       if(analyze.line(l)) {

  144.         if(config.ignores.find(analyze.conn)<0)

  145.           *out << analyze.ln[0] << " " << analyze.ln[1] << " " << analyze.ln[2]

  146.                << " " << analyze.conn << "\n";

  147.         else

  148.           ict++;

  149.       }

  150.     }

  151.     *out << flush; // make sure all data gets written.

  152.     cerr << "\nLines:      " << line_no

  153.          << "\nIgnored:    " << ict

  154.          << "\nTotal rDNS: " << analyze.rdns.size() << endl;

  155.     return 0;

  156.   }

  157. 

  158. 

  159. 

  160.   int main() {

  161.     try {

  162.       cBaseApp::main();

  163.       if(!log) {

  164.         // no inputs were specified run stdin.

  165.         log = &cin;

  166.         ExitCode = do_log();

  167.       }

  168.     } catch(const CLIerror &e) {

  169.       cerr << "ERROR: " << e.what() << "\n";

  170.       help();

  171.     }

  172.     return ExitCode;

  173.   }

  174. 

  175. 

  176. 

  177. };

  178. 

  179. 

  180. 

  181. //////////////////////////////////////////////////////////////////////

  182. // Run it

  183. //////////////////////////////////////////////////////////////////////

  184. 

  185. MAIN(IPtraffic)