connection error

This is a discussion on connection error within the C Programming forums, part of the General Programming Boards category; hello, Here i am collect tcp information and detect some kind of attack using this following program. By default information ...

  1. #1
    Registered User
    Join Date
    Jan 2008
    Posts
    20

    Post connection error

    hello,
    Here i am collect tcp information and detect some kind of attack using this following program. By default information will store syslog. What happened only getting this message

    6:48:45 nasim-desktop tcpguard: TCPguard
    16:48:45 nasim-desktop tcpguard: launched with pid 18261.


    Can any one go through my program and give me right feedback then i can gett the right result.
    This is my program.................

    Code:
     */
    /* #define NO_EUID_CHECK */
    	
    /* If you want TCPguard to announce all connection attemps... */
    #define TCPG_SYN
    
    /* Log QUESO probes. */
    #define TCPG_QUESO
    
    /* SYN flooding detection. */
    #define TCPG_SYNFLOOD
    
    /* WinNuke detection. */
    #define TCPG_OOB
    
    /* Log LAND attacks. */
    #define TCPG_LAND
    
    /* Log HPing probes and port 0 connection packets. */
    #define TCPG_HPING
    
    /* Shell daemon default port probe detection. */
    #define TCPG_PORTD
    
    /* Kill connections to TCP port TCPG_KILL. */
    //#define TCPG_KILL	110 
    
    /* DON'T CHANGE ANYTHING BELOW THIS LINE !!!!!!!!!!!!!! */
    /* DON'T CHANGE ANYTHING BELOW THIS LINE !!!!!!!!!!!!!! */
    /* DON'T CHANGE ANYTHING BELOW THIS LINE !!!!!!!!!!!!!! */
    
    /* Biggest list of includes you've ever seen, eh?! =;-) */
    //#include <libnet.h>
    #include <syslog.h>
    #include <unistd.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <netinet/ip.h>
    #include <netinet/in.h>
    #define __FAVOR_BSD
    #include <netinet/tcp.h>
    /* Why not make all variables global ?! */ 
    struct ippkt {
     struct iphdr ip;
     struct tcphdr tcp;
     char buffer[10000];
    } pkt;
    
    int s, lns;
    struct in_addr src_addr;
    u_char *buff;
    u_int sport, dport;
    
    void tcpg_syn();
    void tcpg_hping();
    void tcpg_synflood();
    void tcpg_portd();
    void tcpg_queso();
    void tcpg_land();
    void tcpg_oob();
    void tcpg_die();
    void tcpg_init();
    void tcpg_kill(u_short);
    
    /***************************************************************************/
    int main(int argc, char *argv[])
     {
     tcpg_init();
     
     if(fork()!=0)
     _exit(0);
     setsid();
    
     syslog(LOG_INFO, "TCPGUARD");
     syslog(LOG_INFO, "launched with pid %d.\n", getpid());
     
     while(1)
     {
      read(s, (struct ippkt *)&pkt,9999);
      src_addr.s_addr=0;
      src_addr.s_addr=pkt.ip.saddr;
     
    #ifdef TCPG_SYN 
      tcpg_syn();
    #endif
    #ifdef TCPG_HPING
      tcpg_hping();
    #endif
    #ifdef TCPG_QUESO
      tcpg_queso();
    #endif
    #ifdef TCPG_SYNFLOOD
      tcpg_synflood();
    #endif
    /*#ifdef TCPG_KILL
      tcpg_kill(TCPG_KILL);
    #endif*/
    #ifdef TCPG_LAND
      tcpg_land();
    #endif
    #ifdef TCPG_OOB
      tcpg_oob();
    #endif
    #ifdef TCPG_PORTD
      tcpg_portd();
    #endif
     }
    }
    /****************************************************************************/
    u_long prev_seq=0;
    
    void tcpg_die() 
    {
      syslog(LOG_INFO, "TCPguard has now found a horrid death.");
      _exit(0);
    } 
    
    void tcpg_init()
     {
     openlog("tcpguard", 0, LOG_DAEMON);
    
    #ifndef NO_EUID_CHECK
     if(geteuid()!=0) {
      syslog(LOG_INFO, "launched by normal user (uid %d).\n", geteuid());
      printf("This program uses raw sockets. On most systems, that requires root.\n");
      printf("If you know that your systems allows usage of raw sockets by normal\n");
      printf("users, re-compile the program with -DNO_EUID_CHECK.\n");
      _exit(1);
     }
    #endif
    
     if((s=socket(AF_INET, SOCK_RAW, IPPROTO_TCP))==-1)
     {
      perror("socket()");
      _exit(2);
     }
    }
    
    /* HPing detection. (also makes noise if it finds packets sent to port 0)
     */
    void tcpg_hping() 
    {
     if(pkt.tcp.th_dport==0)
     if(pkt.tcp.th_flags&TH_FIN)
     syslog(LOG_INFO, "WARNING: HPing packet detected from %s !", inet_ntoa(src_addr));
     else 
     syslog(LOG_INFO, "WARNING: Packet to TCP port 0 from %s !", inet_ntoa(src_addr));
    }
    
    /* OOB check... this usually means WinNuke...
     * There still are many kiddies out there who try to winnuke ppl...
     */
    void tcpg_oob() 
    {
     if(pkt.tcp.th_flags&TH_URG)
     syslog(LOG_INFO, "ATTACK: WinNuke attempt from %s !", inet_ntoa(src_addr));
    }
    
    /* A common shell daemon uses 31337 as the default TCP port...
     * Sscan tries to connect to this port...
     */
    void tcpg_portd() 
    {
     if(pkt.tcp.th_dport==htons(31337))
     syslog(LOG_INFO, "WARNING: Backdoor on 31337 probed from %s !", inet_ntoa(src_addr));
    }
    
    /* Queso sends all its packets with a constant window size ... */
    void tcpg_queso() 
    {
     if(pkt.tcp.th_win==htons(4660))
     syslog(LOG_INFO, "ATTACK: A packet probably sent by QUESO was received !");
    }
    
    /* A rather basic detector for a couple of TCP/IP-based attacks.
     * (especially SYN-flooding)
     */
    void tcpg_synflood()
     {
     if((pkt.tcp.th_flags&TH_SYN)&&(!(pkt.tcp.th_flags&TH_ACK))) 
     if(pkt.tcp.th_seq!=prev_seq) prev_seq=pkt.tcp.th_seq; 
     else
     {
      syslog(LOG_INFO, "ATTACK: YOU ARE BEING SYN-FLOODED !");
      syslog(LOG_INFO, "ATTACK: YOU ARE BEING SYN-FLOODED !!");
      syslog(LOG_INFO, "ATTACK: YOU ARE BEING SYN-FLOODED !!!");
      syslog(LOG_INFO, "TCPguard is dying...");
     }
    }
    
    void tcpg_syn()
     {
     if((pkt.tcp.th_flags&TH_SYN)&&(!(pkt.tcp.th_flags&TH_ACK)))
     syslog(LOG_INFO, "WARNING: TCP connection attempted from %s:%d to port %d.", inet_ntoa(src_addr), ntohs(pkt.tcp.th_sport), ntohs(pkt.tcp.th_dport));
    }
    
    /* Land attack check.
     */
    void tcpg_land()
     {
     if((pkt.ip.saddr==pkt.ip.daddr)&&(pkt.tcp.th_sport==pkt.tcp.th_dport))
     syslog(LOG_INFO, "ATTACK: LAND attack detected !!!");
    }

  2. #2
    Banned
    Join Date
    Nov 2007
    Posts
    678
    I can say, only one thing, explain a little more.
    May be then you get some quick replies.

Popular pages Recent additions subscribe to a feed

Similar Threads

  1. Another syntax error
    By caldeira in forum C Programming
    Replies: 31
    Last Post: 09-05-2008, 01:01 AM
  2. failure to import external C libraries in C++ project
    By nocturna_gr in forum C++ Programming
    Replies: 3
    Last Post: 12-02-2007, 02:49 PM
  3. Please Help - Problem with Compilers
    By toonlover in forum C++ Programming
    Replies: 5
    Last Post: 07-23-2005, 10:03 AM
  4. Learning OpenGL
    By HQSneaker in forum C++ Programming
    Replies: 7
    Last Post: 08-06-2004, 08:57 AM
  5. Couple C questions :)
    By Divx in forum C Programming
    Replies: 5
    Last Post: 01-28-2003, 12:10 AM

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21