ChipMaster
/
Poor-Mans-IDS
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
The Poor Man's (or Woman's) Intrusion Detection System
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
133 KiB
 
 
 
 
Tree: e63d932ab8
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'e63d932ab8'
${ noResults }
Poor-Mans-IDS/iptraffic.cpp

400 lines
11 KiB
Raw Blame History 

  1. //////////////////////////////////////////////////////////////////////

  2. // IP traffic analyzer

  3. // Written by Jonathan A. Foster <ChipMaster@YeOlPiShack.net>

  4. // Started April 23rd, 2021

  5. //

  6. // The idea is to analyze iptables LOG entries in combination with

  7. // DNSmasq's query log entries and combine them to list the hosts

  8. // that were accessed. The main reasons for not just inspecting HTTP

  9. // packets through a netfilter socket is due to HTTPS hiding the

  10. // "host" field. So I'm deducing based on DNS query timing.

  11. //

  12. // NOTE: its assumed that the log being processed is in chronological

  13. // order. This is the usual way things get logged. ;-)

  14. //

  15. // 2021-05-14 <ChipMaster@YeOlPiShack.net>

  16. //   Dumbed down for C++ < 11.

  17. //////////////////////////////////////////////////////////////////////

  18. 

  19. //////////////////////////////////////////////////////////////////////

  20. // Additional Router setup:

  21. //

  22. // ipset -N evilhosts iphash

  23. // ipset -N evilnets nethash

  24. //////////////////////////////////////////////////////////////////////

  25. 

  26. //////////////////////////////////////////////////////////////////////

  27. // Obvious ignores:

  28. //

  29. // 10.10.10.1 -> 134.215.160.1 ICMP[8]

  30. //

  31. //////////////////////////////////////////////////////////////////////

  32. // TODO: map names according to time and host. time is probably automatic

  33. 

  34. #include <string.h>

  35. #include <stdlib.h>

  36. #include <string>

  37. #include <iostream>

  38. #include <fstream>

  39. #include <stdexcept>

  40. #include <vector>

  41. #include <map>

  42. using namespace std;

  43. 

  44. 

  45. 

  46. //////////////////////////////////////////////////////////////////////

  47. // Splits: a util class to devide a line into space sep pieces

  48. //////////////////////////////////////////////////////////////////////

  49. // TODO: implement begin() + end() to make "for( : )" work

  50. // TODO: implement field enclosing & escaping chars

  51. 

  52. struct Splits {

  53. 

  54.   /// CONFIG ///

  55. 

  56.   enum  { FieldMax=256, LineMax=1024 };

  57. 

  58.   /// properties ///

  59. 

  60.   char  line[LineMax];    // Line buffer

  61.   int   len;              // Length of line (after split())

  62.   char  sep;              // Separator character.

  63.   bool  combine;          // Treat multiple consecutive seps as one (combine)

  64.   char *fields[FieldMax]; // pointers to fields in line

  65.   int   count;            // How many fields there were

  66. 

  67.   // construct

  68.   Splits(): count(0), len(0), sep(' '), combine(true) { line[LineMax-1] = 0; }

  69. 

  70.   // Convert field[] to string

  71.   inline string operator[](int i) const { string s(fields[i]); return s; }

  72. 

  73.   // split line. Returns count.

  74.   int split() {

  75.     len = count = 0;

  76.     if(!*line) return count;

  77.     fields[0] = line;

  78.     while(len<LineMax && line[len]) {

  79.       if(line[len]==sep) {

  80.         line[len++]=0;

  81.         if(combine) while(len<LineMax && line[len]==sep) len++;

  82.         if(++count<FieldMax) {

  83.           // this shouldn't happen

  84.           if(len>=LineMax) throw

  85.             runtime_error("Splits::split: end of buffer null missing!");

  86.           fields[count] = line+len;

  87.         } else

  88.           throw runtime_error("Splits::split: Too many fields in the line");

  89.       } else

  90.         len++;

  91.     }

  92.     return count++;

  93.   }

  94. };

  95. 

  96. // istream >> operator: getline() + .split()

  97. istream &operator>>(istream &in, Splits &sp) {

  98.   if(in.getline(sp.line, sp.LineMax-1)) sp.split();

  99.   return in;

  100. }

  101. 

  102. 

  103. 

  104. //////////////////////////////////////////////////////////////////////

  105. // TSV version of Splits

  106. //////////////////////////////////////////////////////////////////////

  107. 

  108. struct TSV: public Splits {

  109.   TSV() { sep='\t'; combine=false; }

  110. };

  111. 

  112. 

  113. 

  114. 

  115. //////////////////////////////////////////////////////////////////////

  116. // Function to match a list of prefixes against a string

  117. //

  118. // Since C++ < 11 doesn't support constant vector initialization we'll

  119. // do this the old fashioned way with a null terminated char*[].

  120. //////////////////////////////////////////////////////////////////////

  121. 

  122. bool pre_match(char **list, const string &s) {

  123.   const char *p = s.c_str();

  124.   for(; *list; list++)

  125.     if(!strncmp(*list, p, strlen(*list))) return true;

  126.   return false;

  127. }

  128. /* And because I think this may be useful in the future I'll hang on to it.

  129. bool pre_match(const vector<string> &list, const string &s) {

  130.   for(

  131.     vector<string>::const_iterator p=list.begin();

  132.     p!=list.end();

  133.     p++

  134.   )

  135.     if(s.substr(0, p->size())==*p) return true;

  136.   return false;

  137. }*/

  138. 

  139. 

  140. //////////////////////////////////////////////////////////////////////

  141. // Connection between "us" and "them"

  142. //////////////////////////////////////////////////////////////////////

  143. typedef unsigned short word;

  144. struct Conn {

  145.   string us;        // address on our side

  146.   word   us_port;   // the port on our side

  147.   string them;      // address on their side

  148.   word   them_port; // the port on their side

  149.   string name;      // name of the address

  150.   string protocol;  // protocol used to communicate

  151.   bool   in;        // whether this was an inward bound connection.

  152. 

  153.   Conn(): in(false) {}

  154.   Conn &clear() { us = them = name = protocol = ""; in=false; us_port = them_port = 0;  }

  155. 

  156.   // swap polarity of record

  157.   Conn &swap() {

  158.     string s;

  159.     int x;

  160.     s = us;

  161.     us = them;

  162.     them =s;

  163.     x = us_port;

  164.     us_port = them_port;

  165.     them_port = x;

  166.     in=!in;

  167.     return *this;

  168.   }

  169. 

  170.   // scan & copy data from log record in

  171.   Conn &operator=(const Splits &sp) {

  172.     int x;

  173.     clear();

  174.     for(x=0; x<sp.count; x++) {

  175.       if(!strncmp(sp.fields[x], "SRC=", 4)) {

  176.         us = sp.fields[x]+4;

  177.         continue;

  178.       }

  179.       if(!strncmp(sp.fields[x], "DST=", 4)) {

  180.         them = sp.fields[x]+4;

  181.         continue;

  182.       }

  183.       if(!strncmp(sp.fields[x], "SPT=", 4)) {

  184.         us_port = atoi(sp.fields[x]+4);

  185.         continue;

  186.       }

  187.       if(!strncmp(sp.fields[x], "DPT=", 4)) {

  188.         them_port = atoi(sp.fields[x]+4);

  189.         continue;

  190.       }

  191.       if(!strncmp(sp.fields[x], "TYPE=", 5) && protocol=="ICMP") {

  192.         us_port = them_port = atoi(sp.fields[x]+5);

  193.         continue;

  194.       }

  195.       if(!strncmp(sp.fields[x], "PROTO=", 6))

  196.         protocol = sp.fields[x]+6;

  197.     }

  198.   }

  199. 

  200.   // TODO: does < > have any actual meaning in this context?

  201.   int cmp(const Conn &gtr) const {

  202.     if(us!="*" && gtr.us!="*") {

  203.       if(us<gtr.us) return -1;

  204.       if(us>gtr.us) return  1;

  205.     }

  206.     // TODO: auto-wildcard port based on in?

  207.     if(us_port && gtr.us_port) { // 0 = no comparison wildcard

  208.       if(us_port<gtr.us_port) return -1;

  209.       if(us_port>gtr.us_port) return  1;

  210.     }

  211.     if(them!="*" && gtr.them!="*") {

  212.       if(them<gtr.them) return -1;

  213.       if(them>gtr.them) return  1;

  214.     }

  215.     if(them_port && gtr.them_port) { // 0 = no comparison wildcard

  216.       if(them_port<gtr.them_port) return -1;

  217.       if(them_port>gtr.them_port) return  1;

  218.     }

  219.     // TODO:  do we want to consider the name?

  220.     if(name!="*" && gtr.name!="*") {

  221.       if(name<gtr.name) return -1;

  222.       if(name>gtr.name) return  1;

  223.     }

  224.     if(protocol<gtr.protocol) return -1;

  225.     if(protocol>gtr.protocol) return  1;

  226.     if(in<gtr.in) return -1;

  227.     if(in>gtr.in) return  1;

  228.     return 0;

  229.   }

  230. 

  231.   inline bool  operator<(const Conn &gtr) const { return cmp(gtr) <0; }

  232.   inline bool operator<=(const Conn &gtr) const { return cmp(gtr)<=0; }

  233.   inline bool  operator>(const Conn &gtr) const { return cmp(gtr) >0; }

  234.   inline bool operator>=(const Conn &gtr) const { return cmp(gtr)>=0; }

  235.   inline bool operator==(const Conn &gtr) const { return cmp(gtr)==0; }

  236.   inline bool operator!=(const Conn &gtr) const { return cmp(gtr)!=0; }

  237. 

  238. };

  239. 

  240. // A text output of this record

  241. ostream &operator<<(ostream &out, const Conn &c) {

  242.   out << c.us

  243.       << ( c.in ? " <- " : " -> " )

  244.       << c.them

  245.       << " " << c.protocol

  246.       << "[" << ( c.in ? c.us_port : c.them_port ) << "] "

  247.       << c.name;

  248.   return out;

  249. }

  250. 

  251. // Copy data from TSV in

  252. const TSV &operator>>(const TSV &tsv, Conn &conn) {

  253.   if(tsv.count<7) throw runtime_error("Conn=TSV: too few columns");

  254.   conn.clear();

  255.   conn.us        = tsv[0];

  256.   conn.us_port   = atoi(tsv.fields[1]);

  257.   conn.them      = tsv[2];

  258.   conn.them_port = atoi(tsv.fields[3]);

  259.   conn.name      = tsv[4];

  260.   conn.protocol  = tsv[5];

  261.   conn.in        = tsv[6]=="1";

  262.   return tsv;

  263. }

  264. 

  265. 

  266. 

  267. //////////////////////////////////////////////////////////////////////

  268. // List of connections

  269. //////////////////////////////////////////////////////////////////////

  270. 

  271. struct ConnList: public vector<Conn> {

  272.   int find(Conn &needle) {

  273.     int r;

  274.     for(r=0; r<size(); r++) if((*this)[r]==needle) return r;

  275.     return -1;

  276.   }

  277. };

  278. 

  279. 

  280. 

  281. //////////////////////////////////////////////////////////////////////

  282. // Busy indicator aka. "Live Bug"

  283. //////////////////////////////////////////////////////////////////////

  284. 

  285. struct LiveBug {

  286.   string seq;

  287.   char   pre;

  288.   int    p;

  289.   LiveBug(): seq("-\\|/"), pre('\r'), p(0) {}

  290.   inline char next() { if(p>=seq.size()) p=0; return seq[p++]; }

  291. };

  292. ostream &operator<<(ostream &o, LiveBug &bug) {

  293.   return o << bug.pre << bug.next();

  294. }

  295. 

  296. 

  297. 

  298. //////////////////////////////////////////////////////////////////////

  299. // Roll through file

  300. //////////////////////////////////////////////////////////////////////

  301. //#define DEBUG

  302. 

  303. typedef map<string,string> NameVal;

  304. 

  305. // TODO: define us[] in conf file

  306. char *us[]         = { (char *)"10.10.10.", (char *)"192.168.255.", (char *)"2001:470:a:169:", 0 };

  307. char *dns_ignore[] = { (char *)"v=spf1", (char *)"https:", 0 };

  308. char *dns_del[]    = { (char *)"NODATA-", (char *)"NXDOMAIN-", 0 };

  309. #define PATH "/srv/backups/iptraffic"

  310. ifstream log(PATH "/test.log");

  311. ofstream out(PATH "/processed.log");

  312. Splits ln;

  313. int lnno = 0, ict = 0;

  314. LiveBug bug;

  315. NameVal rdns;

  316. NameVal::iterator nvp;

  317. string name, address, s;

  318. Conn conn;

  319. bool match;

  320. ConnList ignores;

  321. 

  322. 

  323. 

  324. void dlog(const string msg) {

  325. #ifdef DEBUG

  326.   cerr << "\r" << lnno << ": " << msg << endl;

  327. #endif

  328. }

  329. 

  330. 

  331. 

  332. int main(int argc, char **argv) {

  333. 

  334.   /// Load lists ///

  335. 

  336. 

  337. 

  338.   /// Read in ignore list ///

  339. 

  340.   {

  341.     TSV tsv;

  342.     ifstream in(PATH "/ignores.lst");

  343.     while(in >> tsv) {

  344.       if(tsv.count>6) {

  345.         tsv >> conn;

  346.         ignores.push_back(conn);

  347.       }

  348.     }

  349.   }

  350. 

  351.   /// parse log file ///

  352. 

  353.   while((log >> ln)) {

  354.     lnno++;

  355.     cout << bug << " " << lnno << flush;

  356. 

  357.     ///  DNS query result ///

  358. 

  359.     // TODO: need to get more specific on tying us + them + time to DNS

  360.     if(ln.count>8 && strncmp(ln.fields[4], "dnsmasq[", 8)==0) {

  361.       if(ln[5]=="reply") {

  362.         name = ln[6];

  363.         address = ln[8];

  364.         // Hmm... is this reply an address?

  365.         if(pre_match(dns_ignore, address)) continue; // nope

  366.         if(pre_match(dns_del,    address)) continue; // does not exist reply

  367.         if((nvp=rdns.find(address))!=rdns.end()) {

  368.           if(nvp->second==name) continue;

  369.           dlog("WARN: DNS address overlap "+address+": "+nvp->second+" : "+name);

  370.         }

  371.         rdns[address] = name;

  372.         dlog("Added "+address+" = "+name);

  373. #ifdef DEBUG

  374.         cout << '\r' << lnno << ": " << name << endl;

  375. #endif

  376.         continue;

  377.       }

  378.     }

  379. 

  380.     /// process connections ///

  381. 

  382.     if(ln.count>5

  383.     && ln[4]=="kernel:"

  384.     && ln[5]=="ACCEPT"

  385.     ) {

  386.       conn = ln;

  387.       if(!pre_match(us, conn.us)) conn.swap();

  388.       if((nvp=rdns.find(conn.them))!=rdns.end())

  389.         conn.name = nvp->second;

  390.       if(ignores.find(conn)<0)

  391.         out << ln[0] << " " << ln[1] << " " << ln[2] << " " << conn << "\n";

  392.       else

  393.         ict++;

  394.     }

  395.   }

  396.   cout << "\nIgnored: " << ict << endl;

  397.   cout << "Total rDNS: " << rdns.size() << "\n";

  398.   return 0;

  399. }