ChipMaster
/
Poor-Mans-IDS
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
The Poor Man's (or Woman's) Intrusion Detection System
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
14 Commits
1 Branch
133 KiB
 
 
 
 
Tree: 9ca68a65f5
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '9ca68a65f5'
${ noResults }
Poor-Mans-IDS/data.cpp

281 lines
7.3 KiB
Raw Blame History 

  1. //////////////////////////////////////////////////////////////////////

  2. // IP traffic analyzer - data objects

  3. // Written by Jonathan A. Foster <ChipMaster@YeOlPiShack.net>

  4. // Started April 23rd, 2021

  5. // Copyright JF Possibilities, Inc. All rights reserved.

  6. //////////////////////////////////////////////////////////////////////

  7. #include <arpa/inet.h>

  8. #include <string.h>

  9. #include <stdlib.h>

  10. #include <stdexcept>

  11. #include <iostream>

  12. #include "data.h"

  13. 

  14. 

  15. 

  16. //////////////////////////////////////////////////////////////////////

  17. // Utils

  18. //////////////////////////////////////////////////////////////////////

  19. 

  20. std::string ipv6opt(const std::string &addr) {

  21.   in6_addr buf;

  22.   char s[256];

  23. 

  24.   if(inet_pton(AF_INET6, addr.c_str(), &buf)<1) throw

  25.     std::runtime_error("ipv6opt: inet_pton() says '"+addr+"' is not a valid IPv6 address");

  26.   if(!inet_ntop(AF_INET6, &buf, s, 255)) throw // should never happen

  27.     std::runtime_error("ipv6opt: inet_ntop() refused to convert the address back");

  28.   return std::string(s);

  29. }

  30. 

  31. 

  32. 

  33. int addr_wild_comp(const std::string &str1, const std::string &str2) {

  34.   int spre1=0, spre2=0;

  35. 

  36.   if(str1=="*" || str2=="*") return 0;

  37.   if(str1!="" && (str1.end()[-1]=='.' || str1.end()[-1]==':')) spre1=str1.size();

  38.   if(str2!="" && (str2.end()[-1]=='.' || str2.end()[-1]==':')) spre2=str2.size();

  39.   if(spre2>spre1) spre1=spre2;

  40.   if(spre1)          return strncmp(str1.c_str(), str2.c_str(), spre1);

  41.   else if(str1<str2) return -1;

  42.   else if(str1>str2) return  1;

  43.                      return  0;

  44. }

  45. 

  46. 

  47. 

  48. //////////////////////////////////////////////////////////////////////

  49. // Conn

  50. //////////////////////////////////////////////////////////////////////

  51. 

  52. void Conn::clear() {

  53.   us = them = name = protocol = "";

  54.   in=false;

  55.   us_port = them_port = 0;

  56. }

  57. 

  58. 

  59. 

  60. void Conn::compact() {

  61.   if(us.find(':')!=us.npos)   us=ipv6opt(us);

  62.   if(them.find(':')!=us.npos) them=ipv6opt(them);

  63. }

  64. 

  65. 

  66. 

  67. void Conn::swap() {

  68.   std::string s;

  69.   int x;

  70. 

  71.   s = us;

  72.   us = them;

  73.   them =s;

  74. 

  75.   x = us_port;

  76.   us_port = them_port;

  77.   them_port = x;

  78. 

  79.   in=!in;

  80. }

  81. 

  82. 

  83. 

  84. Conn &Conn::operator=(const Splits &sp) {

  85.   int x;

  86. 

  87.   clear();

  88.   for(x=0; x<sp.count; x++) {

  89.     if(!strncmp(sp.fields[x], "SRC=", 4)) {

  90.       us = sp.fields[x]+4;

  91.       continue;

  92.     }

  93.     if(!strncmp(sp.fields[x], "DST=", 4)) {

  94.       them = sp.fields[x]+4;

  95.       continue;

  96.     }

  97.     if(!strncmp(sp.fields[x], "SPT=", 4)) {

  98.       us_port = atoi(sp.fields[x]+4);

  99.       continue;

  100.     }

  101.     if(!strncmp(sp.fields[x], "DPT=", 4)) {

  102.       them_port = atoi(sp.fields[x]+4);

  103.       continue;

  104.     }

  105.     if(!strncmp(sp.fields[x], "TYPE=", 5) && protocol=="ICMP") {

  106.       us_port = them_port = atoi(sp.fields[x]+5);

  107.       continue;

  108.     }

  109.     if(!strncmp(sp.fields[x], "PROTO=", 6))

  110.       protocol = sp.fields[x]+6;

  111.   }

  112. }

  113. 

  114. 

  115. 

  116. // TODO: does < > have any actual meaning in this context?

  117. int Conn::cmp(const Conn &gtr) const {

  118.   int r;

  119. 

  120.   if(r = addr_wild_comp(us, gtr.us)) return r;

  121.   // TODO: auto-wildcard port based on in?

  122.   if(us_port && gtr.us_port) { // 0 = no comparison wildcard

  123.     if(us_port<gtr.us_port) return -1;

  124.     if(us_port>gtr.us_port) return  1;

  125.   }

  126.   if(r = addr_wild_comp(them, gtr.them)) return r;

  127.   if(them_port && gtr.them_port) { // 0 = no comparison wildcard

  128.     if(them_port<gtr.them_port) return -1;

  129.     if(them_port>gtr.them_port) return  1;

  130.   }

  131.   // TODO:  do we want to consider the name?

  132.   if(name!="*" && gtr.name!="*") {

  133.     if(name<gtr.name) return -1;

  134.     if(name>gtr.name) return  1;

  135.   }

  136.   if(protocol<gtr.protocol) return -1;

  137.   if(protocol>gtr.protocol) return  1;

  138.   if(in<gtr.in) return -1;

  139.   if(in>gtr.in) return  1;

  140.   return 0;

  141. }

  142. 

  143. 

  144. 

  145. std::ostream &operator<<(std::ostream &out, const Conn &c) {

  146.   out << c.us

  147.       << ( c.in ? " <- " : " -> " )

  148.       << c.them

  149.       << " " << c.protocol

  150.       << "[" << ( c.in ? c.us_port : c.them_port ) << "] "

  151.       << c.name;

  152.   return out;

  153. }

  154. 

  155. 

  156. 

  157. const Splits &operator>>(const Splits &tsv, Conn &conn) {

  158.   if(tsv.count<7) throw std::runtime_error("Conn=TSV: too few columns");

  159.   conn.clear();

  160.   conn.us        = tsv[0];

  161.   conn.us_port   = atoi(tsv.fields[1]);

  162.   conn.them      = tsv[2];

  163.   conn.them_port = atoi(tsv.fields[3]);

  164.   conn.name      = tsv[4];

  165.   conn.protocol  = tsv[5];

  166.   conn.in        = tsv[6]=="1";

  167.   return tsv;

  168. }

  169. 

  170. 

  171. 

  172. //////////////////////////////////////////////////////////////////////

  173. // ConnList

  174. //////////////////////////////////////////////////////////////////////

  175. 

  176. int ConnList::find(Conn &needle) {

  177.   int r;

  178. 

  179.   for(r=0; r<size(); r++) if((*this)[r]==needle) return r;

  180.   return -1;

  181. }

  182. 

  183. 

  184. 

  185. //////////////////////////////////////////////////////////////////////

  186. // LogAnalyzer

  187. //////////////////////////////////////////////////////////////////////

  188. 

  189. LogAnalyzer::LogAnalyzer():

  190.   us(0)

  191. { // I'd rather this initialization be static...

  192.   dns_ignore.push_back("v=spf1");

  193.   dns_ignore.push_back("https:");

  194.   dns_del.push_back("NODATA-");

  195.   dns_del.push_back("NXDOMAIN-");

  196. }

  197. 

  198. 

  199. 

  200. bool LogAnalyzer::line(const std::string &in) {

  201.   int ict=0;

  202.   NameVal::iterator nvp;

  203.   std::string name, address, s;

  204. 

  205.   /// setup ///

  206. 

  207.   if(!us)

  208.     throw std::runtime_error("LogAnalyzer::line: us list is not assigned");

  209.   ln=in;

  210. 

  211.   ///  DNS query result ///

  212. 

  213.   // TODO: need to get more specific on tying us + them + time to DNS

  214.   if(ln.count>8 && strncmp(ln.fields[4], "dnsmasq[", 8)==0) {

  215.     if(ln[5]=="reply" || ln[5]=="cached") {

  216.       name = ln[6];

  217.       address = ln[8];

  218. 

  219.       /* NOTE: CNAME resolution seems to follow this order in logs:

  220.            1. A result line (reply/cached) with an address of <CNAME>

  221.            2. One or more consecutive result lines for the canonical name

  222.          Looking over the logs it doesn't appear that dnsmasq will log

  223.          anything between the original and CNAME resolutions. The exception

  224.          is if a CNAME record is cached and it has to resolve what it

  225.          points to. In this case there would be a "cached" and then a

  226.          "forwarded" record eventually followed by "reply ... <CNAME>".

  227.          In that case we want to operate on the reply.

  228.       */

  229.       /* record we're handling a CNAME cycle */

  230.       if(address=="<CNAME>") {

  231.         alias = name;

  232.         cname = "";

  233.         return 0;

  234.       }

  235.       /* If in cname _mode_: */

  236.       if(alias!="") {

  237.         if(cname=="") {

  238.           cname = name; /* This is our target name */

  239.           name = alias; /* substitute the alias */

  240.         } else if(cname==name) {

  241.           name = alias; /* substitute the alias */

  242.         } else {

  243.           cname = "";   /* These are different records reset */

  244.           name = "";

  245.         }

  246.       }

  247. 

  248.       // Hmm... is this reply an address?

  249.       if(pre_match(dns_ignore, address)) return 0; // nope

  250.       if(pre_match(dns_del,    address)) return 0; // does not exist reply

  251.       if((nvp=rdns.find(address))!=rdns.end()) {

  252.         if(nvp->second==name) return 0;

  253.         //dlog("WARN: DNS address overlap "+address+": "+nvp->second+" : "+name);

  254.       }

  255.       rdns[address] = name;

  256.       //dlog("Added "+address+" = "+name);

  257.       return 0;

  258.     } else if(alias!="") {

  259.       alias = ""; /* we've fallen out of CNAME resolution. */

  260.       cname = "";

  261.     }

  262.   }

  263. 

  264.   /// process connections ///

  265. 

  266.   if((ln.count>5  // old Linux style

  267.   && ln[4]=="kernel:"

  268.   && ln[5]=="ACCEPT"

  269.   ) || (ln.count>6  // new Linux style

  270.   && ln[4]=="vmunix:"

  271.   && ln[6]=="ACCEPT")

  272.   ) {

  273.     conn = ln;

  274.     conn.compact();

  275.     if(!pre_match(*us, conn.us)) conn.swap();

  276.     if((nvp=rdns.find(conn.them))!=rdns.end()) conn.name = nvp->second;

  277.     return 1;

  278.   }

  279.   return 0;

  280. }