Intrusion Detection Systems
Appendix
Code listing
// Idsdetect.cpp : Defines the entry point for the console application.
// Program to detect network intrusions by
// analysing an Ethereal packet capture
#include "stdafx.h"
#include "stdio.h"
#include "conio.h"
#include "string.h"
// Declares malloc()/free()/exit() used by push()/pop() and EXIT_SUCCESS/EXIT_FAILURE
// used by main(); the listing's final #include had lost its header name.
#include <stdlib.h>
/* Structure for holding one record of Ethereal packet data; the Ethereal export is doctored for spaces and formatting before it is read */
struct ethrec
{
// Local process port field (e.g. "80"); up to 5 characters plus the NUL.
// Every field below is filled by strcpy() in push() from the t_* temporaries
// in main(), so the sizes here must stay in step with those buffers.
char plport[6];
// Source address field exactly as printed in the capture; up to 17 characters
char srcip[18];
// Destination address field; besides dotted quads this can hold a MAC string
// such as "ff:ff:..." — broadcast() tests its first three characters for that
char destip[18];
// Protocol name used for the packet ("TCP", "ICMP", "SNMP", ...)
char proto[5];
// Local port used
char dport[8];
// Packet length in bytes, kept as text (e.g. "62")
char pktlen[4];
// Packet details field with the spaces doctored out (e.g. "[SYN]Seq=0Ack=0")
char detail[325];
// Next record down the stack; NULL at the bottom
struct ethrec *next;
} ;
// Counters accumulated by the detectors and printed in the final report
int r_count;   // records popped from the stack
int s_count;   // address violations (address_violation)
int pv_count;  // port violations (port_violation)
int ss_count;  // SubSeven signature matches (subseven)
int cr_count;  // Code Red signature matches (codered)
int br_count;  // broadcast destinations (broadcast)
int sy_count;  // SYN flood signature matches (synflood)
int bcr_count; // blind connection reset attempts (blindreset)
int pr_count;  // Protos SNMP matches (protos)
// ---- Address rules used by address_violation() ----
// Unspecified destination, compared as a whole string
const char badip[18] = "0.0.0.0";
// Limited-broadcast destination, compared as a whole string
const char badip2[18] = "255.255.255.255";
// The next four are matched only on their first three characters, so they
// are coarser than their names suggest: "192" covers every 192.x.x.x, not
// only the private 192.168/16, and "172" every 172.x.x.x, not only 172.16/12.
// Private class C (192.168/16 intended)
const char badip3[]= "192";
// Reserved private class B (172.16/12 intended)
const char badip4[]= "172";
// Reserved class A (10/8)
const char badip5[]= "10.";
// Loopback (127/8)
const char badip6[]= "127";
// ---- Port rule used by port_violation() ----
// Port 0 is never a legitimate local port
const char badprt[]="0";
// ---- Broadcast rule used by broadcast() ----
// Five groups rather than a full six-group MAC; only the leading "ff:" is
// compared, and the compare is case-sensitive
const char badbcast[]="ff:ff:ff:ff:ff";
// ---- SubSeven signature: TCP to port 1243 ----
const char ssvproto[]="TCP";
const char ssvport[]="1243";
const char ssvinfo[]="trojan_trojan-active-subseven";
// ---- Code Red signature: TCP, local port 80, 62-byte packet ----
const char crproto[]="TCP";
const char crplport[]="80";
const char crinfo[]="trojan_trojan-active-codered";
const char crpktlen[]="62";
// ---- SYN flood: detail text with the spaces doctored out ----
const char syncombo[]="[SYN]Seq=0Ack=0";
// ---- Blind connection reset: ICMP "destination unreachable" ----
const char blindproto[]="ICMP";
const char blind[]="Destinationunreachable";
// ---- Protos SNMP: SNMP on port 161 or 162 ----
const char ps_prot[]="SNMP";
const char ps_port[]="161";
const char ps_port2[]="162";
// Convenience name for a pointer to one stack record
typedef struct ethrec *LINK;
// Top of the record stack; NULL while empty. push() prepends here and pop()
// removes from here, so records come back out in reverse input order (LIFO).
LINK listhead = NULL;
/* Forward declarations.
   push() stacks one record and pop() takes the top record through every
   detector below, echoes it and frees it. Each detector increments its own
   global counter when the packet matches its rule. */
void push(char *plport, char *srcip, char *destip, char *proto, char *dport, char *pktlen, char *detail);
void pop();
void address_violation(char *srcip, char *destip);
void port_violation(char *plport);
void subseven(char *proto, char *dport);
void codered(char *proto, char *plport, char *pktlen);
void broadcast(char *destip);
void synflood(char *detail);
void blindreset(char *proto, char *detail);
void protos(char *proto, char *plport);
// main function and main while loop
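// Program entry point: read the doctored Ethereal export ("ethoutput.txt"),
// stack every record with push(), then pop() each one through the detectors
// and write the summary both to stdout and to "report.txt".
// Returns EXIT_SUCCESS, or EXIT_FAILURE when a file cannot be opened or the
// report cannot be written completely.
int main(void)
{
    // Temporaries filled by sscanf() and copied into the list by push();
    // their sizes mirror the struct ethrec fields
    char t_plport[6];
    char t_srcip[18];
    char t_destip[18];
    char t_proto[5];
    char t_dport[8];
    char t_pktlen[4];
    char t_detail[325];
    // One input line; the widest possible record is well under this
    char line[512];
    unsigned long lineno = 0;
    int status = EXIT_SUCCESS;

    // Zero the counters
    r_count = 0;
    s_count = 0;
    pv_count = 0;
    ss_count = 0;
    cr_count = 0;
    br_count = 0;
    sy_count = 0;
    bcr_count = 0;
    pr_count = 0;

    // Open the input capture and the report file. Neither handle was checked
    // before, so a missing input file was handed to fscanf() as NULL.
    FILE *eth1 = fopen("ethoutput.txt", "rb");
    if (eth1 == NULL) {
        perror("ethoutput.txt");
        return EXIT_FAILURE;
    }
    FILE *rep = fopen("report.txt", "w");
    if (rep == NULL) {
        perror("report.txt");
        fclose(eth1);
        return EXIT_FAILURE;
    }

    // Read one record per line. Every %s carries a width one less than its
    // buffer, so an over-long field in the capture is truncated instead of
    // overflowing the stack buffers the way an unbounded %s would. A line that
    // does not yield all seven fields is reported and skipped rather than
    // pushed half-filled, and the loop ends on the first failed read instead
    // of on feof(), which only turns true after a read has already failed.
    // NOTE(review): this assumes the export holds one record per line, as the
    // original "scan in lines of input" comments suggest — confirm against the input.
    while (fgets(line, sizeof line, eth1) != NULL) {
        lineno++;
        // Discard the rest of an over-long line so it is not read as a second record
        if (strchr(line, '\n') == NULL) {
            int ch;
            while ((ch = getc(eth1)) != EOF && ch != '\n') {
            }
        }
        if (sscanf(line, "%5s%17s%17s%4s%7s%3s%324s",
                   t_plport, t_srcip, t_destip, t_proto, t_dport, t_pktlen, t_detail) != 7) {
            fprintf(stderr, "skipping malformed record on line %lu\n", lineno);
            continue;
        }
        // Push the input into the stack
        push(t_plport, t_srcip, t_destip, t_proto, t_dport, t_pktlen, t_detail);
    }
    // Input fully consumed: close it exactly once (it used to be closed on every pop)
    fclose(eth1);

    // Drain the stack (LIFO): pop() runs the detectors on one record, echoes it and frees it
    while (listhead != NULL) {
        pop();
    }

    // Reporting number of address violations
    fprintf(rep, " These potential anomolies were detected on your network\n");
    printf("\n These potential anomolies were detected on your network\n");
    printf("\n Number of address violations detected :%d \n", s_count);
    fprintf(rep, "\n Number of address violations detected :%d \n", s_count);
    printf(" Number of port violations :%d \n", pv_count);
    fprintf(rep, " Number of port violations :%d \n", pv_count);
    printf(" %s : Detected : %d times\n", ssvinfo, ss_count);
    fprintf(rep, " %s : Detected : %d times\n", ssvinfo, ss_count);
    printf(" %s : Detected : %d times\n", crinfo, cr_count);
    fprintf(rep, " %s : Detected : %d times\n", crinfo, cr_count);
    printf(" Broadcast packets detected : %d times\n", br_count);
    fprintf(rep, " Broadcast packets detected : %d times\n", br_count);
    printf(" Syn flood packets detected : %d times\n", sy_count);
    fprintf(rep, " Syn flood packets detected : %d times\n", sy_count);
    printf(" Attempt to blind reset connections : %d times\n", bcr_count);
    fprintf(rep, " Attempt to blind reset connections : %d times\n", bcr_count);
    printf(" Protos SNMP attack detected : %d times\n", pr_count);
    fprintf(rep, " Protos SNMP attack detected : %d times\n", pr_count);
    //----- End reporting ------------
    // fclose() flushes the report; a failure here means the file on disk is incomplete
    if (fclose(rep) != 0) {
        perror("report.txt");
        status = EXIT_FAILURE;
    }
    return status;
}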
// function to push onto stack
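// Push one record onto the stack. The seven parameters are the record fields
// in input order; each is copied with a bound of its destination size, so a
// caller passing an over-long string gets a truncated field instead of a heap
// overflow (the original used unbounded strcpy()). The new record becomes
// listhead. Exits the process with status 1 when malloc() fails.
void push(char *n_plport,char *n_srcip,char *n_destip,char *n_proto,char *n_dport,char *n_pktlen,char *n_detail)//
{
    LINK rec = malloc(sizeof *rec);
    if (rec == NULL) {
        // Standard error
        fputs("no memory available\n", stderr);
        exit(1);
    }
    // Copy data into struct (stack); snprintf always NUL-terminates
    snprintf(rec->plport, sizeof rec->plport, "%s", n_plport);
    snprintf(rec->srcip, sizeof rec->srcip, "%s", n_srcip);
    snprintf(rec->destip, sizeof rec->destip, "%s", n_destip);
    snprintf(rec->proto, sizeof rec->proto, "%s", n_proto);
    snprintf(rec->dport, sizeof rec->dport, "%s", n_dport);
    snprintf(rec->pktlen, sizeof rec->pktlen, "%s", n_pktlen);
    snprintf(rec->detail, sizeof rec->detail, "%s", n_detail);
    // Link in front of the current top
    rec->next = listhead;
    listhead = rec;
}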
// Function to remove lines in the stack
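// Pop the record on top of the stack: run every detector on it, echo it to
// stdout and free it. Does nothing when the stack is empty, so callers need
// not test listhead first (the original dereferenced NULL in that case).
// Increments r_count once per record actually popped.
void pop()
{
    LINK top = listhead;
    if (top == NULL) {
        return;
    }
    // Add to record counter and print the record number
    r_count++;
    printf("record :%d ", r_count);
    // Check for Violations
    address_violation(top->srcip, top->destip);
    port_violation(top->plport);
    subseven(top->proto, top->dport);
    codered(top->proto, top->plport, top->pktlen);
    broadcast(top->destip);
    synflood(top->detail);
    blindreset(top->proto, top->detail);
    protos(top->proto, top->plport);
    // Standard File echo
    printf("%s %s %s %s %s %s %s \n", top->plport, top->srcip, top->destip, top->proto, top->dport, top->pktlen, top->detail);
    // Unlink before freeing so listhead never points at freed memory
    listhead = top->next;
    free(top);
}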
// Function to check for IP address violations
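// Parse a dotted-quad IPv4 string into its four octets. Returns 1 when the
// whole string is exactly four decimal octets in 0..255, else 0 — so a MAC
// string or host name in the address field is simply not range-checked.
static int parse_ipv4(const char *s, unsigned o[4])
{
    char trail;
    if (sscanf(s, "%u.%u.%u.%u%c", &o[0], &o[1], &o[2], &o[3], &trail) != 4) {
        return 0;
    }
    return o[0] <= 255 && o[1] <= 255 && o[2] <= 255 && o[3] <= 255;
}

// Count address anomalies for one packet into s_count: source equal to
// destination, destination 0.0.0.0 or 255.255.255.255 (badip/badip2), and a
// destination inside loopback 127/8 or the private blocks 10/8, 172.16/12
// and 192.168/16. The original matched "192" and "172" as three-character
// prefixes, which flagged every 192.x.x.x and 172.x.x.x — including public
// addresses — contrary to the intent stated next to badip3/badip4; the
// private ranges are now checked on parsed octets. Each condition still
// increments separately, so one packet can add more than one to s_count.
void address_violation(char *sp_srcip, char *sp_destip)
{
    unsigned o[4];
    if (strcmp(sp_srcip, sp_destip) == 0) {
        s_count++;
    }
    if (strcmp(sp_destip, badip) == 0) {
        s_count++;
    }
    if (strcmp(sp_destip, badip2) == 0) {
        s_count++;
    }
    if (parse_ipv4(sp_destip, o)) {
        if (o[0] == 10) {
            s_count++;
        }
        if (o[0] == 127) {
            s_count++;
        }
        if (o[0] == 172 && o[1] >= 16 && o[1] <= 31) {
            s_count++;
        }
        if (o[0] == 192 && o[1] == 168) {
            s_count++;
        }
    }
}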
// Function to count port number violations
// Count a packet whose local port field equals badprt ("0") into pv_count.
// The compare is an exact string match, so "00" or " 0" would not count.
void port_violation(char *pv_plport)
{
    int is_bad_port = strcmp(badprt, pv_plport) == 0;
    if (is_bad_port) {
        pv_count++;
    }
}
//Function to look for subseven
// Count a packet matching the SubSeven rule — protocol ssvproto and local
// port ssvport — into ss_count. Both fields must match exactly.
void subseven(char *ss_proto, char *ss_dport)
{
    if (strcmp(ss_proto, ssvproto) != 0) {
        return;
    }
    if (strcmp(ss_dport, ssvport) != 0) {
        return;
    }
    ss_count++;
}
// Function to look for codered
// Count a packet matching the Code Red rule — protocol crproto, local
// process port crplport and packet length crpktlen — into cr_count.
// All three fields are compared as exact strings.
void codered(char *cr_proto, char *cr_plport, char *cr_pktlen)
{
    int proto_match = strcmp(cr_proto, crproto) == 0;
    int port_match = strcmp(cr_plport, crplport) == 0;
    int len_match = strcmp(cr_pktlen, crpktlen) == 0;
    if (proto_match && port_match && len_match) {
        cr_count++;
    }
}
//Function to identify broadcast
// Count a packet whose destination field starts with the first three
// characters of badbcast ("ff:") into br_count. Only that prefix is compared,
// case-sensitively, so an upper-case "FF:" would not count.
void broadcast(char *br_ipdest)
{
    if (strncmp(br_ipdest, badbcast, 3) == 0) {
        br_count++;
    }
}
// Function to identify synflood packets
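// Count a packet whose detail text contains the doctored SYN signature
// syncombo ("[SYN]Seq=0Ack=0") into sy_count. The original tested
// strstr() == 0, which is true when the signature is ABSENT, so it counted
// every non-SYN packet and never a SYN; the sense is corrected here.
// One match is a single SYN shown with Seq=0 Ack=0, not a flood by itself;
// the report's total is what indicates volume.
void synflood(char *sy_detail)
{
    if (strstr(sy_detail, syncombo) != NULL) {
        sy_count++;
    }
}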
// Function to look for blind connection reset attempts
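// Count an ICMP packet (protocol blindproto) whose detail text contains the
// doctored "Destinationunreachable" marker (blind) into bcr_count. The
// original tested strstr() == 0, which is true when the marker is ABSENT, so
// it counted every ICMP packet that was NOT a destination-unreachable; the
// sense is corrected here. The cheap protocol compare runs first.
void blindreset(char *bcr_proto, char *bcr_detail)
{
    if (strcmp(bcr_proto, blindproto) != 0) {
        return;
    }
    if (strstr(bcr_detail, blind) != NULL) {
        bcr_count++;
    }
}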
// Function to find the protos SNMP hack
// Count an SNMP packet (protocol ps_prot) on local port ps_port ("161") or
// ps_port2 ("162") into pr_count. A port can only equal one of the two, so
// the single combined test increments at most once per packet, exactly as
// the two separate tests did.
void protos(char *pr_prot, char *pr_port)
{
    if (strcmp(pr_prot, ps_prot) != 0) {
        return;
    }
    if (strcmp(pr_port, ps_port) == 0 || strcmp(pr_port, ps_port2) == 0) {
        pr_count++;
    }
}