[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Savannah-register-public] [task #3771] Submission of Big Bear Honeypot
|
From: |
Johann Cornet |
|
Subject: |
[Savannah-register-public] [task #3771] Submission of Big Bear Honeypot |
|
Date: |
Tue, 22 Feb 2005 02:25:46 +0000 |
|
User-agent: |
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20050105 Debian/1.7.5-1 |
URL:
<http://savannah.gnu.org/task/?func=detailitem&item_id=3771>
Summary: Submission of Big Bear Honeypot
Project: Savannah Administration
Submitted by: cast
Submitted on: Tue 02/22/05 at 02:25
Should Start On:
Should be Finished on:
Category: Project Approval
Priority: 5 - Normal
Status: None
Privacy: Public
Percent Complete: 0%
Assigned to: None
Open/Closed: Open
Effort: 0.00
_______________________________________________________
Details:
Site Admin. Approval/Edition URL:
<https://savannah.gnu.org/admin/groupedit.php?group_id=7349>
###### ORIGINAL SUBMISSION DETAILS ######
System Group Name:
-----------------
bigbear
Full Name:
----------
Big Bear Honeypot
Type:
-----
non-GNU
License:
--------
GNU General Public License V2 or later
Other License:
--------------
Description:
------------
The project, is an Honeypot system, including a sniffer an Intrusion
Detection System (IDS) and a php frontend.This project is the main subject of
my final year study of B.Sc computer system security at swansea institute of
high education, (sihe.ac.uk), but as i want to find a job in this domain , i
will clearly continue to works on the project after my graduation.
The main objectives of this one, are to improve my knowledge in C
programation about Linux networks and gain knowledge about computer threats
based on networks use.
So the programation start at a really basic level and do not use a lot of
external program (libpcap (under GPL) for the moment)
Others characteristics of the projects are a description in details of the
source code, testing of the Honeypots, explanation of the technologies chosen
for the project, comparison of the Honeypot with other Honeypot, management of
a team (if possible), management of feedback. As i am supposed to write a a
huge report on this one for my graduation i will include it in the projects
(as related works and documentation of the projects)
The aim of Honeypots can be defined by : Learning the tools, tactics, and
motives involved in computer and network attacks, and share the lessons
learned. for more information on honeypot i advise you to have a look on
www.honeypots.com and www.honeynet.org
For the moment a simple TCP-IP sniffer improved as an IDS is done, but
unfortunately it is not avaible on the web.
below the code source (sorry for the barbarian way to present the source
code, if you want me to send a copy via e mail just contact me)
do not care about headers structure they are just here to avoid
incompatibility
//////////////
//Listen computer interface with the help of libpcap
#include <stdio.h>
#include <stdlib.h>
#include <pcap.h>
#include <errno.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/types.h>
typedef unsigned int u_int32;
/*
struct in_addr {
u_long s_addr;
};
*/
//***********************************Ethernet header
structure*********************************
struct ether_header {
u_char ether_dhost[6]; //destination host (adresse de destination)
u_char ether_shost[6]; //source host (adresse source)
u_short ether_type; //type de trame
};
//**********************************IP header structure
***************************************
#define ETHERTYPE_IP 0x0800
struct ip_header {
#if BYTE_ORDER == LITTLE_ENDIAN // l'ordre des bits dépendant des systèmes
u_char ip_hl:4; // header length (taille)
u_char ip_v:4; // version
#endif
#if BYTE_ORDER == BIG_ENDIAN
u_char ip_v:4; // version 4 4
u_char ip_hl:4; // header length 4 8 start
at the 61th bit
?
#endif
u_char ip_tos; // Type de service 8 16
short ip_len; // taille totale 16 32
u_short ip_id; // identification 15? 47
short ip_off; // champ de décalage du fragment 3
50
#define IP_DF 0x4000 // drapeau de non fragmentation 13
63
#define IP_MF 0x2000 // drapeau de fragmentation
#define IP_OFFMASK 0x1fff // masque pour la fragmentation
u_char ip_ttl; // time to live 8 71
u_char ip_p; // protocole 8 79
u_short ip_sum; // somme de controle 16 95 141 en
realitee
struct in_addr ip_src; // adresse source 32 start
at the 144th bit
struct in_addr ip_dest; // adresse destination 32
};
//************************************** TCP header
****************************************
typedef u_int32_t tcp_seq; //declaration of tcp_seq
struct tcp_header {
u_short th_sport; /* source port */
u_short th_dport; /* destination port */
tcp_seq th_seq; /* sequence number */
tcp_seq th_ack; /* acknowledgement number */
#if BYTE_ORDER == LITTLE_ENDIAN
u_int th_x2:4, /* (unused) */
th_off:4; /* data offset */
#endif
#if BYTE_ORDER == BIG_ENDIAN
u_int th_off:4, /* data offset */
th_x2:4; /* (unused) */
#endif
u_char th_flags;
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_PUSH 0x08
#define TH_ACK 0x10
#define TH_URG 0x20
#define TH_ECE 0x40
#define TH_CWR 0x80
#define TH_FLAGS (TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG|TH_ECE|TH_CWR)
u_short th_win; /* window */
u_short th_sum; /* checksum */
u_short th_urp; /* urgent pointer */
};
//******************************Network device variable
declaration****************************
char *dev;
char *net;
char *mask;
char *buffer; //pointer to the buffer countaining the ip adress in the packet
?
struct ip *paquetip; //pointer to the IP packet
struct sniff_tcp *paquettcp;
struct in_addr addr;
bpf_u_int32 maski; /* netmask */
bpf_u_int32 neti; /* IP */
//****************************Pcap varaiables
declaration************************************
char errbuf[PCAP_ERRBUF_SIZE]; /* Error string */
int packetsize; //size of the packet captured
int timer; //timer to capture the packet
int ret; //return code value (error or not)
int display_flag;
pcap_t *handle; //handle session
int datalink; //data from the physical layer
int offset;
struct pcap_pkthdr header; //structure defining the header from
pcap
u_char *packet; // the packet
int counter;
int i;
int port[18] =
{9,13,21,22,25,37,80,111,113,139,445,538,869,893,1313,3306,10000,32768};
int p;
int packetcounter;
//**********************************Function to read and print data inside
the ethernet headers*************
void print_ether_header(struct ether_header *paquet)
{
printf ( "\n\n---------------Packet intercepted , bytes %d\n" , header.len);
printf ("\n\n:::::::::::::::::::::Ethernet
HEADER:::::::::::::::::\n");
printf("%d",sizeof (struct ether_header));
printf ("\n-----MAC DESTINATION ADRESS: ");
for (i=0 ; i <6 ; i++)
{
printf("%.2x ",paquet->ether_shost[i]); //print the
value contain in the
ether_shost (source host), two by two
// packet ++;
}
printf ("\n-----MAC SOURCE ADRESS : ");
for (i=0 ; i <6 ; i++) //same with destination host
{
printf("%.2x ",paquet->ether_dhost[i]);
}
printf ("\nType of packet : ");
printf("%.4x ",ntohs(paquet->ether_type)); //this is the
last information
in the Ethernet layer
//packet ++;
}
//***************************************function to read data into the IP
headers***********
void print_ip_header(struct ip_header *paquetip)
{
//IP header in case of 0800 (display as 0008 because it
is not display as
hexa as it should be)
//IP packet start here (RFC 894)
//source adress start after bit 96 (RFC 791) it
is 2*12 hexa value
2(12*byte) = 2(12*4) = 48 bit
printf ("\n\n:::::::::::::::::::::IP
HEADER:::::::::::::::::\n"); printf("%d", sizeof(struct ip_header));
printf ("\n ::::::::from the structure::::::::: : ");
printf ("\n IP IHL------->");
printf("%d",paquetip->ip_hl);
printf ("\n IP Version--->"); //4bit
printf("%d",paquetip->ip_v);
printf ("\n Protocol----->"); //4bit
printf("%.4x",paquetip->ip_p);
printf ("\n IP Length----->"); //4bit
printf("%d",paquetip->ip_len);
printf ("\n\n IP source adress----->"); //32 bit
printf(inet_ntoa (paquetip->ip_src));
printf ("\n IP destination adress----->");
printf(inet_ntoa(paquetip->ip_dest));
printf ("\n\n");
}
//***************************Print TCP headers info*************
//void print_ether_header(struct ether_header *paquet)
void print_tcp_header(struct tcp_header *paquettcp)
{
//printf ( "\n\n---------------Packet intercepted , bytes %d\n" ,
header.len);
printf ("::::::::::::::::::::TCP HEADER:::::::::::::::::\n");
printf("%d ",sizeof (struct tcp_header));
printf ("\n-----TCP source port: \n");
printf("%d",htons(paquettcp->th_sport)); //print the
value contain in the
ether_shost (source host), two by two
//packet ++;
//printf("%.4x ",paquettcp->th_sport);
printf ("\n-----TCP destination port: \n");
printf("%d",htons(paquettcp->th_dport)); //print the
value contain in the
ether_shost (source host), two by two
//packet ++; ip_src.s_addr
printf ("\n\n");
}
int sort_by_prot(struct ether_header *paquet)
{
if (ntohs (paquet->ether_type) == ETHERTYPE_IP)
{
display_flag = 1;
}
return (display_flag);
}
int sort_by_ip(struct ip_header *paquetip)
{
if (strcmp (inet_ntoa(paquetip->ip_src), "192.168.1.1") == 0)
{
display_flag = 0 ;
}
if (strcmp (inet_ntoa(paquetip->ip_dest), "192.168.1.1") == 0)
{
display_flag = 0 ;
}
return (display_flag);
}
int sort_by_port(struct tcp_header *paquettcp)
{
display_flag = 0 ; //reinitialize the flag
for (p=0;p<17;p++)
{
if (htons(paquettcp->th_dport) == port[p])
{
display_flag = 1 ;
}
//printf("%d",port[p]);
}
return (display_flag);
}
//**********************************Main of the prog=NIC
initialization**********************************
int main(int argc ,char *argv[]) //argc = nb of arguments argv = dev
{
//interface to listen
if (argc < 2 )
{
printf ("Please insert the name of the interface use to listen (eth0)");
}
// find propertie of the interface
dev = argv[1];
ret = pcap_lookupnet (dev , &neti , &maski , errbuf);
if (ret == -1)
{
printf ("%s\n", errbuf);
exit(-1);
}
//display the adresse
addr.s_addr = neti; //convert from computer name to human
net = inet_ntoa(addr);
//display error
if (net == NULL)
{
perror ("inet_ntoa");
exit(-1);
}
printf("NET: %s\n",net);
//display the mask
addr.s_addr = maski; //convert from computer name to human
mask = inet_ntoa(addr);
//display error
if (net == NULL)
{
perror ("inet_ntoa");
exit(1);
}
printf("MASK: %s\n",mask);
printf("Sniffing in progress \n");
if (!(handle = pcap_open_live (dev , BUFSIZ , 0 , 1000 , errbuf))) //read
on
dev , bufsiz value , no promiscuous , error string
{
perror("can t open device\n");
exit(1);
}
datalink = pcap_datalink (handle); //the datalink (physical layer type) of
the handling packet
//###################################################READING THE
PACKET##################################
int size_ethernet = sizeof(struct ether_header);
int size_ip = sizeof(struct ip_header);
//grap 10 packets (one by one)
counter = 0;
while (counter!=100000)
{
counter++;
//printf (" ca marche jusque la");
if ((packet = (u_char *) pcap_next (handle , &header)) != NULL )
//if a
packet exist
{
paquetip=(struct ip_header*)(packet + size_ethernet);
//declaration of the
ip packet (ip layer)
paquettcp=(struct tcp_header*)(packet + size_ip +
size_ethernet);
display_flag = 0 ; //initialize the flag
sort_by_prot((struct ether_header*)packet);
if (display_flag == 1)
{
sort_by_port((struct tcp_header*)paquettcp); //selection
packet to display
due to port
}
if (display_flag == 1)
{
sort_by_ip((struct ip_header*)paquetip); //selection
packet to display due
to port
}
/*if (display_flag != 1)
{
printf("non non non\n");
}
else
{
sort_by_ip((struct ip_header*)paquetip);
if (display_flag != 1)
{
printf("j ai dit non \n");
}
else
{
sort_by_port((struct tcp_header*)paquettcp);
//selection packet to
display due to port
if (display_flag != 1)
{
printf("relou \n");
}
}
}
*/
if (display_flag == 1)
{
print_ether_header((struct ether_header*)packet); //call the
function and
formate the packet with the ether_header structure (packet = rawpacket
paquet=formated packet)
print_ip_header((struct ip_header*)paquetip); //call the
function and
formate the packet with the ether_header structure (packet = rawpacket
paquet=formated packet)
//tcp = (struct sniff_tcp*)(packet + size_ethernet + size_ip);
print_tcp_header((struct tcp_header*)paquettcp);
}
else
{
//printf("********************DROPPED**********************\n");
packetcounter++;
}
}
}
printf ("\n Number of packets Ignored : ");
printf ("%d",packetcounter);
printf ("\n");
return 0;
}
////////////////////////
Other Software Required:
------------------------
#include <stdio.h>
#include <stdlib.h>
#include <pcap.h>
#include <errno.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/types.h>
program used , libpcap
i will certainly use also mysql and php
Other Comments:
---------------
Sorry about my english, i am french (but it is not my fault !! (This is a
bad french joke...)) but as a student in uk i will do use english language as
main language for the project
#########################################
_______________________________________________________
This item URL is:
<http://savannah.gnu.org/task/?func=detailitem&item_id=3771>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
- [Savannah-register-public] [task #3771] Submission of Big Bear Honeypot,
Johann Cornet <=