diff against snapshot 08/04/04 * replace is_etherbcast and pkttypeflag macros with inline functions * check malloc return codes * added a missing DONE entry from 0.5 :) * priority-ordered the TODO list John. -- GPG: B89C D450 5B2C 74D8 58FB A360 9B06 B5C2 26F0 3047 WEB: http://www.johnleach.co.uk
--- firestorm-snapshot/preproc_plugins/macwatch.c 2004-03-27 00:52:02.000000000 +0000
+++ firestorm-devel/preproc_plugins/macwatch.c 2004-04-10 18:37:27.337524088 +0100
@@ -1,25 +1,24 @@
 /*
  * macwatch - Firestorm arp-shannanigans detector
- * Copyright (c) 2003 John Leach <john@xxxxxxxxxxxxxxx>
+ * Copyright (c) 2003-2004 John Leach <john@xxxxxxxxxxxxxxx>
  * Released under the terms of the GNU GPL v2
  * $Id: macwatch.c 391 2004-03-27 00:52:02Z scara $
- *
+ *
  * TODO:
+ * o consider order of alerts (only one alert per packet is allowed)
  * o DoS protection (hi/lo memory watermarks with LFU lists) (should we actually remove older entries?)
- * o ARP sweep detection?
  * o Saving of tuple database in between restarts
- * o RARP and other arp type support?
+ * o ARP sweep detection?
+ * o MAC flooding detection
+ * o duplicate detection alert expiry time
  * o Alert on replies with no requests
+ * o handle requests from 0.0.0.0 (dhcp/bootp (RFC 1541) suggests verifying lease using arp request FROM 0.0.0.0)?
  * o IP handler
- * o Other protocols? Netbios names?
  * o Router tracker, track MAC addresses of non local IP traffic?
+ * o alert on incorrect address lengths
+ * o Other protocols? Netbios names?
  * o Only one entry per protocol address?
  * o Keep track of requests+replies. Ensure from different stations. Alert on unsolicited
- * o MAC flooding detection
- * o ignore requests from 0.0.0.0 (dhcp/bootp (RFC 1541) suggests verifying lease using arp request FROM 0.0.0.0)?
- * o duplicate detection alert expiry time
- * o alert on incorrect address lengths
- * o consider order of alerts (only one alert per packet is allowed)
  *
  * DONE:
  * o Better IP hash
@@ -33,6 +32,9 @@ * o Gratuitous arp detection (sender/target protocol addresses match) * o Unicast request detection (toggleable to disable as routers often use this as cache verification) * o Code tidy up + * o Toggleable new address reporting + * o Replace is_etherbcast and pkttypeflag macros with inline functions + * o check malloc return codes */ #include <firestorm.h> @@ -49,9 +50,9 @@ #include <preproc.h> /* Configuration */ -static unsigned int check_gratuitous = 0; -static unsigned int check_unirequest = 0; -static unsigned int alertnew = 0; +static unsigned int check_gratuitous; +static unsigned int check_unirequest; +static unsigned int alertnew; static struct arg args[] = { {"check_gratuitous", ARGTYPE_PBOOL, NULL, {vp_bool:&check_gratuitous}}, @@ -60,6 +61,9 @@ {NULL, ARGTYPE_NOP, NULL} }; +/* Stats */ +static unsigned int newaddrs, duplicates; + /* Protocol and hardware address sizes */ #define MAX_PLN 16 /* to accommodate up to ipv6 (128bit) */ #define MAX_HLN 6 @@ -81,14 +85,22 @@ #define MW_ADDR_HASH_SIZE 256 #define MW_ADDR_HASH_MASK (MW_ADDR_HASH_SIZE-1) -/* Check that specified flag is set and assured */ -#define pkttypeflag(a,b) ( (a & (b|FP_PKTTYPE)) == (b|FP_PKTTYPE) ) -/* Check if address is ethernet broadcast (6x0xff) */ -#define is_etherbcast(a) (memcmp(a, etherbcast, sizeof(etherbcast))==0) - static struct arpaddr *addrhash[MW_ADDR_HASH_SIZE]; static proc_decode ethdecode; +/* Check that specified flag is set and assured */ +static inline int pkttypeflag(u_int32_t flags, u_int32_t flag) +{ + return ( ( flags & ( flag | FP_PKTTYPE ) ) == ( flag | FP_PKTTYPE ) ); +} + +/* Check if address is ethernet broadcast (6 X 0xff) */ +static inline int is_etherbcast(u_int8_t *addr) +{ + return ( addr && memcmp( addr, etherbcast, sizeof( etherbcast ) ) == 0 ); +} + + /* Alert stuff */ static struct tokenbucket mw_tb; static struct generator mw_gen = init_generator("macwatch", &mw_tb); 
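Review bot: The new `is_etherbcast` compares a fixed `sizeof(etherbcast)` bytes of `addr` but takes no length, so a caller handing it a hardware address shorter than that would read past it; the TODO in this same file still lists "alert on incorrect address lengths", and `etherbcast` is defined outside the hunk, so whether `sizeof` yields the 6-byte array rather than a pointer cannot be confirmed here. The NULL guard is a good addition, but the parameter should be `const` since `memcmp` never writes through it: `static inline int is_etherbcast(const u_int8_t *addr)`. If the call sites (not in this hunk) have the ARP `hln` available, a length-aware form `static inline int is_etherbcast(const u_int8_t *addr, size_t hln)` returning `hln == sizeof(etherbcast) && addr && memcmp(addr, etherbcast, sizeof(etherbcast)) == 0` closes the over-read at the source.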
@@ -181,6 +193,10 @@ /* Reached end of linked list, create new entry */ mwn = malloc(sizeof(struct arpaddr)); + if (!mwn) { + mesg(M_ERR,"macwatch: malloc(): %s", sys_err()); + return; + } memcpy(&mwn->haddr, ha, hln); memcpy(&mwn->paddr, pa, pln); mwn->hln = hln; @@ -191,10 +207,13 @@ addrhash[hashval] = mwn; /* Alert accordingly */ - if (tuple_count) + if (tuple_count) { alert_tag(pkt, &alert_dupha); - else if (alertnew) - alert_tag(pkt, &alert_newpa); + duplicates++; + } else { + if (alertnew) alert_tag(pkt, &alert_newpa); + newaddrs++; + } } /* Pre-process arp packets */ @@ -289,7 +308,8 @@ static void macwatch_free(void *priv) { - int i, hashes = 0, ips = 0; + int i; + unsigned int ips=0, hashes=0; struct arpaddr *mw, *mwp; for (i = 0; i < MW_ADDR_HASH_SIZE; i++) @@ -302,6 +322,9 @@ free(mwp); } } + mesg(M_INFO, "macwatch: %i new addresses, %i duplicates", newaddrs, duplicates); + mesg(M_INFO, "macwatch: %i address in %i hashes", ips, hashes); + return; }; @@ -334,5 +357,5 @@ .author_name = "John Leach", .author_email = "john@xxxxxxxxxxxxxxx", .ver_major = 0, - .ver_minor = 5, + .ver_minor = 6, };
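Review bot: The new allocation-failure check is immediately followed by `memcpy(&mwn->haddr, ha, hln)` and `memcpy(&mwn->paddr, pa, pln)`, which copy lengths taken from the ARP packet into what the `MAX_HLN`/`MAX_PLN` defines suggest are fixed 6- and 16-byte fields, with no bound visible in the hunk; the enclosing function starts outside it, so a check may already exist, but the header's TODO still lists "alert on incorrect address lengths". If no such check exists, reject before allocating: `if (hln > MAX_HLN || pln > MAX_PLN) return;`. Switching to `mwn = calloc(1, sizeof *mwn);` would additionally keep the unused tail of `haddr`/`paddr` from being uninitialized heap, which matters if any later comparison reads the whole field rather than `hln`/`pln` bytes.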
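Review bot: The added `if (alertnew) alert_tag(pkt, &alert_newpa);` puts the body on the condition line, unlike the other conditionals in this hunk, which brace or break onto a new line; write it as `if (alertnew)` followed by `alert_tag(pkt, &alert_newpa);` on its own line (or braced) so the `newaddrs++` that follows cannot later be mis-read as part of the conditional. The `duplicates`/`newaddrs` counters are plain `unsigned int` and will wrap silently on a long-running sensor, which is acceptable for an unload-time summary but deserves a note such as `/* informational only; wraps at 2^32 */` next to their declaration.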
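Review bot: Both new `mesg(M_INFO, ...)` calls print `unsigned int` values (`newaddrs`, `duplicates`, and `ips`/`hashes`, which the preceding hunk changes to `unsigned int`) with `%i`, a signed conversion; assuming `mesg` is printf-like, use `%u` for all four, and the second message should read `"macwatch: %u addresses in %u hashes"`. The `return;` added at the end of a `void` function is redundant and can be dropped. `macwatch_free` begins outside this hunk.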