[src/netbsd-1-4]: src/dist/ipf/ipsd Pull up revision 1.1.1.1 (new) (requested...
details: https://anonhg.NetBSD.org/src/rev/538a0074f81c
branches: netbsd-1-4
changeset: 469935:538a0074f81c
user: he <he%NetBSD.org@localhost>
date: Mon Dec 20 21:01:48 1999 +0000
description:
Pull up revision 1.1.1.1 (new) (requested by darrenr):
Update IPF to version 3.3.5.
diffstat:
dist/ipf/ipsd/Makefile | 63 +++++++++
dist/ipf/ipsd/README | 32 ++++
dist/ipf/ipsd/ipsd.c | 301 ++++++++++++++++++++++++++++++++++++++++++++++
dist/ipf/ipsd/ipsd.h | 33 +++++
dist/ipf/ipsd/ipsdr.c | 319 +++++++++++++++++++++++++++++++++++++++++++++++++
dist/ipf/ipsd/linux.h | 19 ++
dist/ipf/ipsd/sbpf.c | 198 ++++++++++++++++++++++++++++++
dist/ipf/ipsd/sdlpi.c | 263 ++++++++++++++++++++++++++++++++++++++++
dist/ipf/ipsd/slinux.c | 123 ++++++++++++++++++
dist/ipf/ipsd/snit.c | 233 +++++++++++++++++++++++++++++++++++
10 files changed, 1584 insertions(+), 0 deletions(-)
diffs (truncated from 1624 to 300 lines):
diff -r 1f035780fb4c -r 538a0074f81c dist/ipf/ipsd/Makefile
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/dist/ipf/ipsd/Makefile Mon Dec 20 21:01:48 1999 +0000
@@ -0,0 +1,63 @@
+#
+# Copyright (C) 1993-1998 by Darren Reed.
+#
+# Redistribution and use in source and binary forms are permitted
+# provided that this notice is preserved and due credit is given
+# to the original author and the contributors.
+#
+OBJS=ipsd.o
+BINDEST=/usr/local/bin
+SBINDEST=/sbin
+MANDIR=/usr/share/man
+BPF=sbpf.o
+NIT=snit.o
+SUNOS4=
+BSD=
+LINUX=slinux.o
+SUNOS5=dlcommon.o sdlpi.o
+
+CC=gcc
+CFLAGS=-g -I.. -I../ipsend
+
+all:
+ @echo "Use one of these targets:"
+ @echo " sunos4-nit (standard SunOS 4.1.x)"
+ @echo " sunos4-bpf (SunOS4.1.x with BPF in the kernel)"
+ @echo " bsd-bpf (4.4BSD variant with BPF in the kernel)"
+ @echo " linux (Linux kernels)"
+ @echo " sunos5 (Solaris 2.x)"
+
+.c.o:
+ $(CC) $(CFLAGS) -c $< -o $@
+
+ipsdr: ipsdr.o
+ $(CC) ipsdr.o -o $@ $(LIBS)
+
+bpf sunos4-bpf :
+ make ipsd "OBJS=$(OBJS)" "UNIXOBJS=$(BPF) $(SUNOS4)" "CC=$(CC)" \
+ "CFLAGS=$(CFLAGS)"
+
+nit sunos4 sunos4-nit :
+ make ipsd "OBJS=$(OBJS)" "UNIXOBJS=$(NIT) $(SUNOS4)" "CC=$(CC)" \
+ "CFLAGS=$(CFLAGS)"
+
+sunos5 :
+ make ipsd "OBJS=$(OBJS)" "UNIXOBJS=$(SUNOS5)" "CC=$(CC)" \
+ CFLAGS="$(CFLAGS) -Dsolaris" "LIBS=-lsocket -lnsl"
+
+bsd-bpf :
+ make ipsd "OBJS=$(OBJS)" "UNIXOBJS=$(BPF) $(BSD)" "CC=$(CC)" \
+ "CFLAGS=$(CFLAGS)"
+
+linux :
+ make ipsd "OBJS=$(OBJS)" "UNIXOBJS=$(LINUX)" "CC=$(CC)" \
+ CFLAGS="$(CFLAGS) -I /usr/src/linux"
+
+ipsd: $(OBJS) $(UNIXOBJS)
+ $(CC) $(OBJS) $(UNIXOBJS) -o $@ $(LIBS)
+
+../ipft_sn.o ../ipft_pc.o:
+ (cd ..; make $(@:../%=%))
+
+clean:
+ rm -rf *.o core a.out ipsd ipsdr
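Review bot: The recursive invocations in the `bpf`, `nit`, `sunos5`, `bsd-bpf` and `linux` targets call `make` directly instead of `$(MAKE)`, so command-line options such as `-n`/`-k` and the jobserver are not propagated to the sub-make; `$(MAKE) ipsd "OBJS=$(OBJS)" "UNIXOBJS=$(BPF) $(SUNOS4)" "CC=$(CC)" \` is the conventional form for each of them. The `all` and `clean` targets are also not declared phony, so a stray file named `clean` in the directory would silently turn `make clean` into a no-op; adding `.PHONY: all clean` near the top of the file fixes that. It may also be worth a comment that `LIBS` is only ever set by the per-platform sub-make, since `ipsd` and `ipsdr` reference it without a default.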
diff -r 1f035780fb4c -r 538a0074f81c dist/ipf/ipsd/README
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/dist/ipf/ipsd/README Mon Dec 20 21:01:48 1999 +0000
@@ -0,0 +1,32 @@
+
+IP Scan Detetor.
+----------------
+
+This program is designed to be a passive listener for TCP packets sent to
+the host. It does not exercise the promiscous mode of interfaces. For
+routing Unix boxes (and firewalls which route/proxy) this is sufficient to
+detect all packets going to/through them.
+
+Upon compiling, a predefined set of "sensitive" ports are configured into
+the program. Any TCP packets which are seen sent to these ports are counted
+and the IP# of the sending host recorded, along with the time of the first
+packet to that port for that IP#.
+
+After a given number of "hits", it will write the current table of packets
+out to disk. This number defaults to 10,000.
+
+To analyze the information written to disk, a sample program called "ipsdr"
+is used (should but doesn't implement a tree algorithm for storing data)
+which reads all log files it recognises and totals up the number of ports
+each host hit. By default, all ports have the same weighting (1). Another
+group of passes is then made over this table using a netmask of 0xfffffffe,
+grouping all results which fall under the same resulting IP#. This netmask
+is then shrunk back to 0, with a output for each level given. This is aimed
+at detecting port scans done from different hosts on the same subnet (although
+I've not seen this done, if one was trying to do it obscurely...)
+
+Lastly, being passive means that no action is taken to stop port scans being
+done or discourage them.
+
+Darren
+darrenr%pobox.com@localhost
diff -r 1f035780fb4c -r 538a0074f81c dist/ipf/ipsd/ipsd.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/dist/ipf/ipsd/ipsd.c Mon Dec 20 21:01:48 1999 +0000
@@ -0,0 +1,301 @@
+/* $NetBSD: ipsd.c,v 1.1.1.1.2.2 1999/12/20 21:01:48 he Exp $ */
+
+/*
+ * (C)opyright 1995-1998 Darren Reed.
+ *
+ * Redistribution and use in source and binary forms are permitted
+ * provided that this notice is preserved and due credit is given
+ * to the original author and the contributors.
+ *
+ * The author of this software makes no garuntee about the
+ * performance of this package or its suitability to fulfill any purpose.
+ *
+ */
+#include <stdio.h>
+#include <fcntl.h>
+#include <signal.h>
+#include <stdlib.h>
+#include <netdb.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+#include <netinet/tcp.h>
+#include <netinet/udp.h>
+#include <netinet/ip_icmp.h>
+#ifndef linux
+#include <netinet/ip_var.h>
+#include <netinet/tcpip.h>
+#endif
+#include "ip_compat.h"
+#ifdef linux
+#include <linux/sockios.h>
+#include "tcpip.h"
+#endif
+#include "ipsd.h"
+
+#ifndef lint
+static const char sccsid[] = "@(#)ipsd.c 1.3 12/3/95 (C)1995 Darren Reed";
+static const char rcsid[] = "@(#)Id: ipsd.c,v 2.1 1999/08/04 17:30:56 darrenr Exp";
+#endif
+
+extern char *optarg;
+extern int optind;
+
+#ifdef linux
+char default_device[] = "eth0";
+#else
+# ifdef sun
+char default_device[] = "le0";
+# else
+# ifdef ultrix
+char default_device[] = "ln0";
+# else
+char default_device[] = "lan0";
+# endif
+# endif
+#endif
+
+#define NPORTS 21
+
+u_short defports[NPORTS] = {
+ 7, 9, 20, 21, 23, 25, 53, 69, 79, 111,
+ 123, 161, 162, 512, 513, 514, 515, 520, 540, 6000, 0
+ };
+
+ipsd_t *iphits[NPORTS];
+int writes = 0;
+
+
+int ipcmp(sh1, sh2)
+sdhit_t *sh1, *sh2;
+{
+ return sh1->sh_ip.s_addr - sh2->sh_ip.s_addr;
+}
+
+
+/*
+ * Check to see if we've already received a packet from this host for this
+ * port.
+ */
+int findhit(ihp, src, dport)
+ipsd_t *ihp;
+struct in_addr src;
+u_short dport;
+{
+ int i, j, k;
+ sdhit_t *sh;
+
+ sh = NULL;
+
+ if (ihp->sd_sz == 4) {
+ for (i = 0, sh = ihp->sd_hit; i < ihp->sd_cnt; i++, sh++)
+ if (src.s_addr == sh->sh_ip.s_addr)
+ return 1;
+ } else {
+ for (i = ihp->sd_cnt / 2, j = (i / 2) - 1; j >= 0; j--) {
+ k = ihp->sd_hit[i].sh_ip.s_addr - src.s_addr;
+ if (!k)
+ return 1;
+ else if (k < 0)
+ i -= j;
+ else
+ i += j;
+ }
+ }
+ return 0;
+}
+
+
+/*
+ * Search for port number amongst the sorted array of targets we're
+ * interested in.
+ */
+int detect(ip, tcp)
+ip_t *ip;
+tcphdr_t *tcp;
+{
+ ipsd_t *ihp;
+ sdhit_t *sh;
+ int i, j, k;
+
+ for (i = 10, j = 4; j >= 0; j--) {
+ k = tcp->th_dport - defports[i];
+ if (!k) {
+ ihp = iphits[i];
+ if (findhit(ihp, ip->ip_src, tcp->th_dport))
+ return 0;
+ sh = ihp->sd_hit + ihp->sd_cnt;
+ sh->sh_date = time(NULL);
+ sh->sh_ip.s_addr = ip->ip_src.s_addr;
+ if (++ihp->sd_cnt == ihp->sd_sz)
+ {
+ ihp->sd_sz += 8;
+ sh = realloc(sh, ihp->sd_sz * sizeof(*sh));
+ ihp->sd_hit = sh;
+ }
+ qsort(sh, ihp->sd_cnt, sizeof(*sh), ipcmp);
+ return 0;
+ }
+ if (k < 0)
+ i -= j;
+ else
+ i += j;
+ }
+ return -1;
+}
+
+
+/*
+ * Allocate initial storage for hosts
+ */
+setuphits()
+{
+ int i;
+
+ for (i = 0; i < NPORTS; i++) {
+ if (iphits[i]) {
+ if (iphits[i]->sd_hit)
+ free(iphits[i]->sd_hit);
+ free(iphits[i]);
+ }
+ iphits[i] = (ipsd_t *)malloc(sizeof(ipsd_t));
+ iphits[i]->sd_port = defports[i];
+ iphits[i]->sd_cnt = 0;
+ iphits[i]->sd_sz = 4;
+ iphits[i]->sd_hit = (sdhit_t *)malloc(sizeof(sdhit_t) * 4);
+ }
+}
+
+
+/*
+ * cleanup exits
+ */
+waiter()
+{
+ wait(0);
+}
+
+
+/*
+ * Write statistics out to a file
+ */
+writestats(nwrites)
+int nwrites;
+{
+ ipsd_t **ipsd, *ips;
+ char fname[32];
+ int i, fd;
+
+ (void) sprintf(fname, "/var/log/ipsd/ipsd-hits.%d", nwrites);