Site News

Science

A survey shows that less than 40% of the British public feel they are well informed about science.

New Articles - Earth's Carbon Cycle Ultra Sonic Frogs Environmental Niche & Dinosaurs Seismic Waves Global Warming Life Support Systems Introduction to the Big Bang The Problem of Acid Rain

Our science section is in production with a proposed 1 Mar 07 "Grand launch" date.

Technology

The Linux Convert site explains how, even today, building your own linux box can be cheaper than getting an off the shelf Windows PC. There is a new article on why you should use linux there now.

New articles: Firewall Bypass Attack Snort For Newbies Malware and Intrusions Intrusion Detection Systems Malware, Trojans and Virus infections and Infection Removal

If you have any comments or suggestions for topics we should cover under the technology banner then please stop by the discussion board and let us know.

Intrusion Detection Systems

Appendix

Code listing

// Idsdetect.cpp : Defines the entry point for the console application.
// Program to detect network intrusions by
// analysing an Ethereal packet capture

#include "stdafx.h"
#include "stdio.h"
#include "conio.h"
#include "string.h"
#include <stdlib.h>   /* malloc/free/exit; the listing's final "#include" line was cut off at this point */

/* Structure for holding Ethereal packet data; the capture text has been doctored for spaces and formatting */

struct ethrec
{
// Local process port field as text, e.g. "80"; compared against crplport and
// the SNMP ports in codered()/protos(). Every array below is field length + 1
// for the NUL; push() fills them with strcpy(), so callers must not pass longer
// strings than the field holds.
char plport[6];
// Source IP of the packet as dotted-quad text (15 chars + NUL fits in 18)
char srcip[18];
// Destination IP of the packet; broadcast() also tests this field for an "ff:" prefix
char destip[18];
// Protocol name as text, e.g. "TCP", "ICMP", "SNMP" (4 chars + NUL)
char proto[5];
// Port field compared against ssvport ("1243") in subseven()
char dport[8];
// Packet length in bytes as text (up to 3 digits + NUL)
char pktlen[4];
// Packet details field: the space-stripped Ethereal info column, searched as a
// substring by synflood() and blindreset()
char detail[325];
// Next record down the stack; NULL at the bottom
struct ethrec *next;
} ;

// Counters for use with the output statistics
// Detection counters, printed by main() at the end of the run.
// File-scope ints start at zero and main() zeroes them again explicitly.
int r_count;   // records popped (pop())
int s_count;   // address violations (address_violation())
int pv_count;  // port violations (port_violation())
int ss_count;  // SubSeven matches (subseven())
int cr_count;  // Code Red matches (codered())
int br_count;  // broadcast destinations (broadcast())
int sy_count;  // SYN-flood matches (synflood())
int bcr_count; // blind connection reset attempts (blindreset())
int pr_count;  // PROTOS SNMP matches (protos())

// Illegal IP range
// Destination exactly equal to the unspecified address (address_violation())
const char badip[18] = "0.0.0.0";
// Destination exactly equal to the limited-broadcast address (address_violation())
const char badip2[18] = "255.255.255.255";
// The four prefixes below are matched on the first three characters of the
// destination only, so they are coarser than the ranges named here.
// "192" matches every 192.x.x.x address, not only the 192.168/16 Class C private block
const char badip3[]= "192";
// "172" matches every 172.x.x.x address, not only the 172.16/12 reserved class B private block
const char badip4[]= "172";
// "10." matches the 10/8 reserved class A private block
const char badip5[]= "10.";
// "127" matches the loopback block (local host)
const char badip6[]= "127";
// Port string flagged by port_violation()
const char badprt[]="0";
//---------broadcast-----
// Only the first three characters ("ff:") are compared by broadcast()
const char badbcast[]="ff:ff:ff:ff:ff";
// --------end ----
//------ subseven-----
// Protocol and dport that subseven() treats as SubSeven traffic
const char ssvproto[]="TCP";
const char ssvport[]="1243";
// Label printed in the final report for the SubSeven count
const char ssvinfo[]="trojan_trojan-active-subseven";
//------ end -----
//------ codred -------
// Protocol, local port and packet length that codered() treats as Code Red
const char crproto[]="TCP";
const char crplport[]="80";
// Label printed in the final report for the Code Red count
const char crinfo[]="trojan_trojan-active-codered";
const char crpktlen[]="62";
//------ end ----------
// ---- Syn flood ----
// Substring of the space-stripped detail field that synflood() searches for
const char syncombo[]="[SYN]Seq=0Ack=0";
//---- end-----
//-----blindconreset----
// Protocol and detail substring that blindreset() searches for
const char blindproto[]="ICMP";
const char blind[]="Destinationunreachable";
//-----end--------
//----- ProtosSNMP----
// Protocol and the two local ports that protos() counts
const char ps_prot[]="SNMP";
const char ps_port[]="161";
const char ps_port2[]="162";

//-------end ---------

// Pointer-to-struct type for stack links
typedef struct ethrec *LINK;
// Top of the record stack; NULL means the stack is empty. push() and pop()
// are the only functions that change it.
LINK listhead = NULL;

/* Declare functions for various purposes,
such as pushing variable data into the structure,
popping the data out for output (for verbose purposes),
and looking for IP source address violations
*/
// Stack maintenance: push() copies one record onto the listhead stack;
// pop() analyses, echoes and frees the top record.
void push(char *plport, char *srcip, char *destip, char *proto, char *dport, char *pktlen, char *detail);
void pop(void);
// Detectors: each reads the fields it is given and increments its own counter.
void address_violation(char *srcip, char *destip);
void port_violation(char *plport);
void subseven(char *proto, char *dport);
void codered(char *proto, char *plport, char *pktlen);
void broadcast(char *destip);
void synflood(char *detail);
void blindreset(char *proto, char *detail);
void protos(char *proto, char *port);
// main function and main while loop
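// Zero every detection counter before a run (they are file-scope ints).
static void reset_counters(void)
{
    r_count = s_count = pv_count = ss_count = cr_count = 0;
    br_count = sy_count = bcr_count = pr_count = 0;
}

// One record per fscanf() call. Each width is one less than the matching
// struct ethrec field, so the scratch buffers below cannot be overrun by a
// long token (the original "%s" conversions had no bound). A token longer
// than its width is split and shifts the remaining fields of that record.
#define ETHREC_SCANF_FMT "%5s%17s%17s%4s%7s%3s%324s"

// Read whitespace-separated records from eth1 and push() each complete one.
// Returns the number of records pushed.
static int read_records(FILE *eth1)
{
    // Scratch fields sized exactly like struct ethrec so push() can copy them.
    char t_plport[6];
    char t_srcip[18];
    char t_destip[18];
    char t_proto[5];
    char t_dport[8];
    char t_pktlen[4];
    char t_detail[325];
    int pushed = 0;

    // fscanf() returns the number of fields converted; anything other than 7
    // is end of input or a malformed trailing record, which is dropped rather
    // than pushed half-filled as the old feof() loop did.
    while (fscanf(eth1, ETHREC_SCANF_FMT, t_plport, t_srcip, t_destip,
                  t_proto, t_dport, t_pktlen, t_detail) == 7) {
        push(t_plport, t_srcip, t_destip, t_proto, t_dport, t_pktlen, t_detail);
        pushed++;
    }
    return pushed;
}

// Write the summary of all counters to stdout and to the report file.
static void write_report(FILE *rep)
{
    // The header lines differ between the two streams (the screen copy has a
    // leading newline); both are kept byte-identical to the original output.
    fprintf(rep, " These potential anomolies were detected on your network\n");
    printf("\n These potential anomolies were detected on your network\n");
    // Every remaining line goes to both streams in the same order.
    FILE *outs[] = { stdout, rep };
    for (size_t i = 0; i < sizeof outs / sizeof outs[0]; i++) {
        FILE *o = outs[i];
        fprintf(o, "\n Number of address violations detected :%d \n", s_count);
        fprintf(o, " Number of port violations :%d \n", pv_count);
        fprintf(o, " %s : Detected : %d times\n", ssvinfo, ss_count);
        fprintf(o, " %s : Detected : %d times\n", crinfo, cr_count);
        fprintf(o, " Broadcast packets detected : %d times\n", br_count);
        fprintf(o, " Syn flood packets detected : %d times\n", sy_count);
        fprintf(o, " Attempt to blind reset connections : %d times\n", bcr_count);
        fprintf(o, " Protos SNMP attack detected : %d times\n", pr_count);
    }
}

// Entry point: reads packet records from ethoutput.txt, stacks them with
// push(), runs every detector over each record via pop() (LIFO, so records
// are reported in reverse file order) and writes the totals to stdout and
// report.txt. Returns 0 on success, EXIT_FAILURE if a file cannot be opened
// or the report cannot be flushed.
int main(void)
{
    reset_counters();

    // Both fopen() results are checked; the original dereferenced them unchecked.
    FILE *eth1 = fopen("ethoutput.txt", "rb");
    if (eth1 == NULL) {
        perror("ethoutput.txt");
        return EXIT_FAILURE;
    }
    FILE *rep = fopen("report.txt", "w");
    if (rep == NULL) {
        perror("report.txt");
        fclose(eth1);
        return EXIT_FAILURE;
    }

    read_records(eth1);
    // Closed exactly once, here; the original called fclose() on every pass of
    // the pop loop, which is undefined behaviour from the second record on.
    fclose(eth1);

    while (listhead != NULL) {
        pop();
    }

    write_report(rep);
    // fclose() flushes the report; a failure here means the file is incomplete.
    if (fclose(rep) != 0) {
        perror("report.txt");
        return EXIT_FAILURE;
    }
    return 0;
}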

// function to push onto stack
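// Allocate a new ethrec, copy the seven fields into it and make it the new
// top of the listhead stack. Each copy is bounded by the destination field's
// size, so an over-long input token is truncated and NUL-terminated instead
// of overrunning the record (the original used unbounded strcpy()).
// Exits the process if malloc() fails, as the original did.
void push(char *n_plport, char *n_srcip, char *n_destip, char *n_proto, char *n_dport, char *n_pktlen, char *n_detail)
{
    // The cast is kept so the listing also builds as C++ (Idsdetect.cpp).
    LINK rec = (LINK)malloc(sizeof *rec);
    if (rec == NULL) {
        // Standard error
        printf("no memory available\n");
        exit(1);
    }
    // sizeof on the array members yields the true field size including the NUL.
    snprintf(rec->plport, sizeof rec->plport, "%s", n_plport);
    snprintf(rec->srcip, sizeof rec->srcip, "%s", n_srcip);
    snprintf(rec->destip, sizeof rec->destip, "%s", n_destip);
    snprintf(rec->proto, sizeof rec->proto, "%s", n_proto);
    snprintf(rec->dport, sizeof rec->dport, "%s", n_dport);
    snprintf(rec->pktlen, sizeof rec->pktlen, "%s", n_pktlen);
    snprintf(rec->detail, sizeof rec->detail, "%s", n_detail);
    // Link on top of the existing stack.
    rec->next = listhead;
    listhead = rec;
}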
// Function to remove lines in the stack
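// Pop the top record: count it, run every detector over it, echo it to stdout
// and free it. Does nothing when the stack is empty; main() already checks,
// but dereferencing a NULL listhead would be undefined behaviour.
void pop()
{
    LINK rec = listhead;
    if (rec == NULL) {
        return;
    }
    // Add to record counter and print the record number
    r_count++;
    printf("record :%d ", r_count);
    // Check for violations; each detector only reads the fields it is given
    // and increments its own counter.
    address_violation(rec->srcip, rec->destip);
    port_violation(rec->plport);
    subseven(rec->proto, rec->dport);
    codered(rec->proto, rec->plport, rec->pktlen);
    broadcast(rec->destip);
    synflood(rec->detail);
    blindreset(rec->proto, rec->detail);
    protos(rec->proto, rec->plport);
    // Standard file echo of the raw record
    printf("%s %s %s %s %s %s %s \n", rec->plport, rec->srcip, rec->destip, rec->proto, rec->dport, rec->pktlen, rec->detail);
    // Unlink before freeing so listhead never points at freed memory.
    listhead = rec->next;
    free(rec);
}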
// Function to check for IP address violations

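// True when s begins with the NUL-terminated string prefix.
static int has_prefix(const char *s, const char *prefix)
{
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

// Count destination-address anomalies for one record into s_count. A single
// record can add several counts: source equal to destination, destination
// equal to badip or badip2, and destination starting with any of the
// badip3..badip6 prefixes. The prefix tests compare the whole prefix string,
// which for the current three-character constants is exactly what the
// original character-by-character checks did; note "192" and "172" also match
// public 192.x and 172.x addresses. Only sp_destip is tested against the bad
// address list; sp_srcip takes part in the equality check alone.
void address_violation(char *sp_srcip, char *sp_destip)
{
    if (strcmp(sp_srcip, sp_destip) == 0) {
        s_count++;
    }
    if (strcmp(sp_destip, badip) == 0) {
        s_count++;
    }
    if (strcmp(sp_destip, badip2) == 0) {
        s_count++;
    }
    // Each prefix the destination matches counts once, as before.
    const char *prefixes[] = { badip3, badip4, badip5, badip6 };
    for (size_t i = 0; i < sizeof prefixes / sizeof prefixes[0]; i++) {
        if (has_prefix(sp_destip, prefixes[i])) {
            s_count++;
        }
    }
}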
// Function to detect port number violations
// Bump pv_count when the local port field equals badprt ("0").
void port_violation(char *pv_plport)
{
    int is_bad_port = strcmp(pv_plport, badprt) == 0;
    if (is_bad_port) {
        pv_count++;
    }
}

//Function to look for subseven
// Bump ss_count when the protocol is ssvproto and the dport is ssvport.
void subseven(char *ss_proto, char *ss_dport)
{
    if (strcmp(ss_proto, ssvproto) != 0) {
        return;
    }
    if (strcmp(ss_dport, ssvport) == 0) {
        ss_count++;
    }
}
// Function to look for codered
// Bump cr_count when protocol, local port and packet length all match the
// crproto/crplport/crpktlen signature.
void codered(char *cr_proto, char *cr_plport, char *cr_pktlen)
{
    int proto_ok = strcmp(cr_proto, crproto) == 0;
    int port_ok = strcmp(cr_plport, crplport) == 0;
    int len_ok = strcmp(cr_pktlen, crpktlen) == 0;
    if (proto_ok && port_ok && len_ok) {
        cr_count++;
    }
}
//Function to identify broadcast
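// Number of leading characters of badbcast that are compared ("ff:").
enum { BCAST_PREFIX_LEN = 3 };

// Bump br_count when the destination field starts with the first three
// characters of badbcast. Only that prefix is tested, so any destination
// beginning "ff:" counts; the rest of badbcast is never compared.
void broadcast(char *br_ipdest)
{
    if (strncmp(br_ipdest, badbcast, BCAST_PREFIX_LEN) == 0) {
        br_count++;
    }
}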
// Function to identify synflood packets
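// Bump sy_count when the detail field contains the syncombo marker
// ("[SYN]Seq=0Ack=0"). The original tested strstr() == 0, i.e. "not found",
// so it counted every record that did NOT carry the SYN marker; the test is
// now for a non-NULL match.
void synflood(char *sy_detail)
{
    if (strstr(sy_detail, syncombo) != NULL) {
        sy_count++;
    }
}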
// Function to look for blind connection reset attempts
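// Bump bcr_count when the protocol is blindproto ("ICMP") and the detail field
// contains the blind marker ("Destinationunreachable"). The original tested
// strstr() == 0, which is "not found", so it counted ICMP records that lacked
// the marker; the test is now for a non-NULL match.
void blindreset(char *bcr_proto, char *bcr_detail)
{
    if (strcmp(bcr_proto, blindproto) != 0) {
        return;
    }
    if (strstr(bcr_detail, blind) != NULL) {
        bcr_count++;
    }
}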
// Function to find the protos SNMP hack
// Bump pr_count once when the protocol is ps_prot ("SNMP") and the local port
// is either ps_port ("161") or ps_port2 ("162"). A port string can equal only
// one of the two, so a single increment matches the two separate tests it replaces.
void protos(char *pr_prot, char *pr_port)
{
    if (strcmp(pr_prot, ps_prot) != 0) {
        return;
    }
    int on_snmp_port = strcmp(pr_port, ps_port) == 0 || strcmp(pr_port, ps_port2) == 0;
    if (on_snmp_port) {
        pr_count++;
    }
}
