diff against snapshot 08/04/04 * replace is_etherbcast and pkttypeflag macros with inline functions * check malloc return codes * added a missing done from 0.5 :) * priority ordered the todo list John. -- GPG: B89C D450 5B2C 74D8 58FB A360 9B06 B5C2 26F0 3047 WEB: http://www.johnleach.co.uk
--- firestorm-snapshot/preproc_plugins/macwatch.c 2004-03-27 00:52:02.000000000 +0000
+++ firestorm-devel/preproc_plugins/macwatch.c 2004-04-10 18:37:27.337524088 +0100
@@ -1,25 +1,24 @@
/*
* macwatch - Firestorm arp-shannanigans detector
- * Copyright (c) 2003 John Leach <john@xxxxxxxxxxxxxxx>
+ * Copyright (c) 2003-2004 John Leach <john@xxxxxxxxxxxxxxx>
* Released under the terms of the GNU GPL v2
* $Id: macwatch.c 391 2004-03-27 00:52:02Z scara $
- *
+ *
* TODO:
+ * o consider order of alerts (only one alert per packet is allowed)
* o DoS protection (hi/lo memory watermarks with LFU lists) (should we actually remove older entries?)
- * o ARP sweep detection?
* o Saving of tuple database in between restarts
- * o RARP and other arp type support?
+ * o ARP sweep detection?
+ * o MAC flooding detection
+ * o duplicate detection alert expiry time
* o Alert on replies with no requests
+ * o handle requests from 0.0.0.0 (dhcp/bootp (RFC 1541) suggests verifying lease using arp request FROM 0.0.0.0)?
* o IP handler
- * o Other protocols? Netbios names?
* o Router tracker, track MAC addresses of non local IP traffic?
+ * o alert on incorrect address lengths
+ * o Other protocols? Netbios names?
* o Only one entry per protocol address?
* o Keep track of requests+replies. Ensure from different stations. Alert on unsolicited
- * o MAC flooding detection
- * o ignore requests from 0.0.0.0 (dhcp/bootp (RFC 1541) suggests verifying lease using arp request FROM 0.0.0.0)?
- * o duplicate detection alert expiry time
- * o alert on incorrect address lengths
- * o consider order of alerts (only one alert per packet is allowed)
*
* DONE:
* o Better IP hash
@@ -33,6 +32,9 @@
* o Gratuitous arp detection (sender/target protocol addresses match)
* o Unicast request detection (toggleable to disable as routers often use this as cache verification)
* o Code tidy up
+ * o Toggleable new address reporting
+ * o Replace is_etherbcast and pkttypeflag macros with inline functions
+ * o check malloc return codes
*/
#include <firestorm.h>
@@ -49,9 +50,9 @@
#include <preproc.h>
/* Configuration */
-static unsigned int check_gratuitous = 0;
-static unsigned int check_unirequest = 0;
-static unsigned int alertnew = 0;
+static unsigned int check_gratuitous;
+static unsigned int check_unirequest;
+static unsigned int alertnew;
static struct arg args[] = {
{"check_gratuitous", ARGTYPE_PBOOL, NULL, {vp_bool:&check_gratuitous}},
@@ -60,6 +61,9 @@
{NULL, ARGTYPE_NOP, NULL}
};
+/* Stats */
+static unsigned int newaddrs, duplicates;
+
/* Protocol and hardware address sizes */
#define MAX_PLN 16 /* to accommodate up to ipv6 (128bit) */
#define MAX_HLN 6
@@ -81,14 +85,22 @@
#define MW_ADDR_HASH_SIZE 256
#define MW_ADDR_HASH_MASK (MW_ADDR_HASH_SIZE-1)
-/* Check that specified flag is set and assured */
-#define pkttypeflag(a,b) ( (a & (b|FP_PKTTYPE)) == (b|FP_PKTTYPE) )
-/* Check if address is ethernet broadcast (6x0xff) */
-#define is_etherbcast(a) (memcmp(a, etherbcast, sizeof(etherbcast))==0)
-
static struct arpaddr *addrhash[MW_ADDR_HASH_SIZE];
static proc_decode ethdecode;
+/* Check that specified flag is set and assured */
+static inline int pkttypeflag(u_int32_t flags, u_int32_t flag)
+{
+ return ( ( flags & ( flag | FP_PKTTYPE ) ) == ( flag | FP_PKTTYPE ) );
+}
+
+/* Check if address is ethernet broadcast (6 X 0xff) */
+static inline int is_etherbcast(u_int8_t *addr)
+{
+ return ( addr && memcmp( addr, etherbcast, sizeof( etherbcast ) ) == 0 );
+}
+
+
/* Alert stuff */
static struct tokenbucket mw_tb;
static struct generator mw_gen = init_generator("macwatch", &mw_tb);
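Review bot: `is_etherbcast` never writes through its argument, so the parameter should be `const u_int8_t *addr` (`static inline int is_etherbcast(const u_int8_t *addr)`) so callers holding packet data as const need no cast; `etherbcast` itself should be a `static const` table if it is not already, though its definition is outside this hunk. Converting the macro to a function also moves the point where `etherbcast` must be visible: the macro only needed it at each expansion site, whereas the inline function needs its declaration before this line, so confirm the table is declared earlier in the file. The added `addr &&` guard is a behaviour change from the macro, which would have dereferenced NULL; if no caller can pass NULL it is harmless, but if one can, silently reporting "not broadcast" may hide the upstream bug rather than surface it.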
@@ -181,6 +193,10 @@
/* Reached end of linked list, create new entry */
mwn = malloc(sizeof(struct arpaddr));
+ if (!mwn) {
+ mesg(M_ERR,"macwatch: malloc(): %s", sys_err());
+ return;
+ }
memcpy(&mwn->haddr, ha, hln);
memcpy(&mwn->paddr, pa, pln);
mwn->hln = hln;
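Review bot: The new NULL check guards the allocation, but the two `memcpy` calls that follow still copy caller-supplied `hln` and `pln` bytes into the fixed-size `haddr`/`paddr` members of the freshly allocated `struct arpaddr`; unless those lengths are clamped earlier in this function (its start is outside the hunk), an oversized hardware or protocol address length could write past the allocation. Given the file's own open TODO "alert on incorrect address lengths", a bound check belongs before the allocation, e.g. `if (hln > MAX_HLN || pln > MAX_PLN) return;` (assuming `haddr`/`paddr` are sized by `MAX_HLN`/`MAX_PLN`, which the hunk does not show). On the error path the function returns before `addrhash` is touched, so no partial state is left; `sizeof(struct arpaddr)` could be written `sizeof *mwn` to tie the size to the pointer's type.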
@@ -191,10 +207,13 @@
addrhash[hashval] = mwn;
/* Alert accordingly */
- if (tuple_count)
+ if (tuple_count) {
alert_tag(pkt, &alert_dupha);
- else if (alertnew)
- alert_tag(pkt, &alert_newpa);
+ duplicates++;
+ } else {
+ if (alertnew) alert_tag(pkt, &alert_newpa);
+ newaddrs++;
+ }
}
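Review bot: The `else` branch mixes a braced block with an unbraced one-line `if (alertnew) alert_tag(pkt, &alert_newpa);`, while the `if (tuple_count)` arm just above puts its body on its own lines inside braces; for consistency, and so a later added line cannot fall outside the condition, write it as `if (alertnew) {` / `alert_tag(pkt, &alert_newpa);` / `}`. The counters `duplicates` and `newaddrs` are plain `unsigned int` and wrap silently on a long-running sensor, which is acceptable for informational statistics but deserves a remark at their declaration, e.g. `/* Stats: informational only, wrap on overflow */`. The enclosing function starts outside this hunk.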
/* Pre-process arp packets */
@@ -289,7 +308,8 @@
static void macwatch_free(void *priv)
{
- int i, hashes = 0, ips = 0;
+ int i;
+ unsigned int ips=0, hashes=0;
struct arpaddr *mw, *mwp;
for (i = 0; i < MW_ADDR_HASH_SIZE; i++)
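Review bot: `unsigned int ips=0, hashes=0;` drops the spaces around `=` that the replaced declaration and the `for` header below it use; `unsigned int ips = 0, hashes = 0;` keeps the file's spacing. The switch to unsigned for the two counters is fine on its own, but it only pays off if the format specifiers that print them match (see the `mesg` calls added later in this function, which continues past the hunk).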
@@ -302,6 +322,9 @@
free(mwp);
}
}
+ mesg(M_INFO, "macwatch: %i new addresses, %i duplicates", newaddrs, duplicates);
+ mesg(M_INFO, "macwatch: %i address in %i hashes", ips, hashes);
+
return;
};
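Review bot: Both new `mesg` calls print `unsigned int` values (`newaddrs`, `duplicates`, `ips`, `hashes`) with `%i`, the signed conversion; unless `mesg` has non-printf semantics, the specifier should match the type, and the second message should be plural: `mesg(M_INFO, "macwatch: %u new addresses, %u duplicates", newaddrs, duplicates);` / `mesg(M_INFO, "macwatch: %u addresses in %u hashes", ips, hashes);`. Whether `mesg` carries a printf format attribute is not visible here; if it does, `-Wformat` would already flag the mismatch. The loop that computes `ips` and `hashes` begins outside this hunk.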
@@ -334,5 +357,5 @@
.author_name = "John Leach",
.author_email = "john@xxxxxxxxxxxxxxx",
.ver_major = 0,
- .ver_minor = 5,
+ .ver_minor = 6,
};