Thread: connection error



    hello,
    Here I am collecting TCP information and detecting some kinds of attacks using the following program. By default the information is stored in syslog. What happens is that I only get this message:

    6:48:45 nasim-desktop tcpguard: TCPguard
    16:48:45 nasim-desktop tcpguard: launched with pid 18261.


    Can anyone go through my program and give me the right feedback, so that I can get the right result?
    This is my program:

    Code:
     */
    /* #define NO_EUID_CHECK */
    	
    /* If you want TCPguard to announce all connection attempts... */
    #define TCPG_SYN
    
    /* Log QUESO probes. */
    #define TCPG_QUESO
    
    /* SYN flooding detection. */
    #define TCPG_SYNFLOOD
    
    /* WinNuke detection. */
    #define TCPG_OOB
    
    /* Log LAND attacks. */
    #define TCPG_LAND
    
    /* Log HPing probes and port 0 connection packets. */
    #define TCPG_HPING
    
    /* Shell daemon default port probe detection. */
    #define TCPG_PORTD
    
    /* Kill connections to TCP port TCPG_KILL. */
    //#define TCPG_KILL	110 
    
    /* DON'T CHANGE ANYTHING BELOW THIS LINE !!!!!!!!!!!!!! */
    /* DON'T CHANGE ANYTHING BELOW THIS LINE !!!!!!!!!!!!!! */
    /* DON'T CHANGE ANYTHING BELOW THIS LINE !!!!!!!!!!!!!! */
    
    /* Biggest list of includes you've ever seen, eh?! =;-) */
    //#include <libnet.h>
    #include <errno.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <syslog.h>
    #include <unistd.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <arpa/inet.h>
    #include <netinet/in.h>
    #include <netinet/ip.h>
    #define __FAVOR_BSD
    #include <netinet/tcp.h>
    /* Why not make all variables global ?! */ 
    /* One raw datagram as delivered by the IPPROTO_TCP raw socket: IP header,
     * then TCP header, then whatever follows.  The `tcp` member only lines up
     * with the on-wire TCP header when the IP header is exactly 20 bytes
     * (no IP options); any code that copies raw datagrams into this struct
     * has to account for ip.ihl, otherwise every th_* field below is read
     * from the wrong offset. */
    struct ippkt {
     struct iphdr ip;
     struct tcphdr tcp;
     char buffer[10000];        /* room for options/payload beyond the two headers */
    } pkt;

    int s, lns;                 /* s: raw socket opened by tcpg_init(); lns: not referenced in this listing */
    struct in_addr src_addr;    /* source address of the datagram currently in pkt (set in main) */
    u_char *buff;               /* not referenced in this listing */
    u_int sport, dport;         /* not referenced in this listing */

    /* Per-packet checks.  Each one inspects the global pkt/src_addr and reports
     * via syslog; none of them take arguments (old-style empty parameter lists).
     * tcpg_kill is declared here but never defined in this listing. */
    void tcpg_syn();
    void tcpg_hping();
    void tcpg_synflood();
    void tcpg_portd();
    void tcpg_queso();
    void tcpg_land();
    void tcpg_oob();
    void tcpg_die();
    void tcpg_init();
    void tcpg_kill(u_short);
    
    /***************************************************************************/
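    /* Entry point: initialise, daemonise, then read raw TCP datagrams into the
     * global pkt forever and run every compiled-in check on each one.
     * Never returns normally; the process ends only via _exit() in the helpers
     * or tcpg_die() on an unrecoverable read error.
     *
     * Fixes relative to the original loop: the return value of read() is now
     * checked (an error used to leave stale data in pkt and run the checks on
     * it), the datagram must hold both headers, and IP options are handled by
     * moving the real TCP header into pkt.tcp, since struct ippkt assumes a
     * 20-byte IP header. */
    int main(int argc, char *argv[])
     {
     (void)argc;
     (void)argv;

     tcpg_init();

     /* Detach from the controlling terminal: parent exits, child becomes
      * session leader.  A failed fork() is reported instead of being treated
      * as "I am the child" (fork() returns -1, which is != 0). */
     pid_t child=fork();
     if(child==-1)
     {
      perror("fork()");
      _exit(3);
     }
     if(child!=0)
     _exit(0);
     setsid();

     syslog(LOG_INFO, "TCPGUARD");
     syslog(LOG_INFO, "launched with pid %d.\n", (int)getpid());

     while(1)
     {
      /* One read() yields one datagram, IP header included.  Use the real
       * buffer size instead of the magic 9999. */
      ssize_t n=read(s, &pkt, sizeof pkt);
      if(n==-1)
      {
       if(errno==EINTR)
       continue;                       /* interrupted by a signal: just retry */
       syslog(LOG_INFO, "read() failed: %s", strerror(errno));
       tcpg_die();                     /* does not return */
      }

      /* Need at least the minimal IP header to trust ip.ihl at all. */
      if((size_t)n<sizeof pkt.ip)
      continue;

      /* Where the TCP header really starts: ihl is in 32-bit words. */
      size_t iphl=(size_t)pkt.ip.ihl*4;
      if(iphl<sizeof pkt.ip || (size_t)n<iphl+sizeof pkt.tcp)
      continue;                        /* malformed or truncated: skip it */

      /* struct ippkt places tcp right after a 20-byte IP header.  When the
       * datagram carries IP options, slide the TCP header (and everything
       * after it) down so pkt.tcp holds the real header.  Regions overlap,
       * hence memmove.  n-iphl <= sizeof pkt - 24, so it fits. */
      if(iphl>sizeof pkt.ip)
      memmove(&pkt.tcp, (unsigned char *)&pkt+iphl, (size_t)n-iphl);

      src_addr.s_addr=pkt.ip.saddr;

    #ifdef TCPG_SYN 
      tcpg_syn();
    #endif
    #ifdef TCPG_HPING
      tcpg_hping();
    #endif
    #ifdef TCPG_QUESO
      tcpg_queso();
    #endif
    #ifdef TCPG_SYNFLOOD
      tcpg_synflood();
    #endif
    /*#ifdef TCPG_KILL
      tcpg_kill(TCPG_KILL);
    #endif*/
    #ifdef TCPG_LAND
      tcpg_land();
    #endif
    #ifdef TCPG_OOB
      tcpg_oob();
    #endif
    #ifdef TCPG_PORTD
      tcpg_portd();
    #endif
     }
    }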
    /****************************************************************************/
    u_long prev_seq=0;
    
    /* Log a last message and terminate the process with status 0.
     * Does not return. */
    void tcpg_die() 
    {
      static const char *const farewell="TCPguard has now found a horrid death.";
      syslog(LOG_INFO, "%s", farewell);
      _exit(0);
    } 
    
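    /* Open the syslog connection and the raw IPPROTO_TCP socket, storing the
     * descriptor in the global s.  Unless compiled with -DNO_EUID_CHECK the
     * process must run with effective uid 0; otherwise it explains why and
     * exits.  Exit statuses: 1 = not root, 2 = socket() failed.
     *
     * Fix: the euid was logged with %d although uid_t is an unsigned type on
     * common libcs; it is now cast and printed with %lu so the format matches
     * the argument. */
    void tcpg_init()
     {
     openlog("tcpguard", 0, LOG_DAEMON);

    #ifndef NO_EUID_CHECK
     if(geteuid()!=0) {
      syslog(LOG_INFO, "launched by normal user (uid %lu).\n", (unsigned long)geteuid());
      printf("This program uses raw sockets. On most systems, that requires root.\n");
      printf("If you know that your systems allows usage of raw sockets by normal\n");
      printf("users, re-compile the program with -DNO_EUID_CHECK.\n");
      _exit(1);
     }
    #endif

     /* Raw socket that main() read()s whole datagrams from.  This runs before
      * the daemon forks, so stderr is still attached and perror() is visible. */
     if((s=socket(AF_INET, SOCK_RAW, IPPROTO_TCP))==-1)
     {
      perror("socket()");
      _exit(2);
     }
    }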
    
    /* HPing detection.  Only packets whose destination port is 0 are of
     * interest: with FIN set they are reported as an HPing probe, otherwise
     * simply as traffic to port 0.  Reads the globals pkt and src_addr. */
    void tcpg_hping() 
    {
     if(pkt.tcp.th_dport!=0)
     return;

     if(pkt.tcp.th_flags&TH_FIN)
     {
      syslog(LOG_INFO, "WARNING: HPing packet detected from %s !", inet_ntoa(src_addr));
     }
     else
     {
      syslog(LOG_INFO, "WARNING: Packet to TCP port 0 from %s !", inet_ntoa(src_addr));
     }
    }
    
    /* Out-of-band (URG) check.  Any segment with the URG flag set is reported
     * as a WinNuke attempt; there is no port or payload check beyond the flag.
     * Reads the globals pkt and src_addr. */
    void tcpg_oob() 
    {
     int urgent=(pkt.tcp.th_flags&TH_URG)!=0;
     if(!urgent)
     return;
     syslog(LOG_INFO, "ATTACK: WinNuke attempt from %s !", inet_ntoa(src_addr));
    }
    
    /* Report any segment addressed to TCP port 31337, the default port of a
     * well-known shell backdoor that scanners such as sscan probe for.
     * Reads the globals pkt and src_addr. */
    void tcpg_portd() 
    {
     const unsigned short backdoor_port=htons(31337);
     if(pkt.tcp.th_dport!=backdoor_port)
     return;
     syslog(LOG_INFO, "WARNING: Backdoor on 31337 probed from %s !", inet_ntoa(src_addr));
    }
    
    /* Queso fingerprint: its probes use a constant window size of 4660, so a
     * segment with that window is reported.  The source address is not logged
     * by this check.  Reads the global pkt. */
    void tcpg_queso() 
    {
     const unsigned short queso_window=htons(4660);
     if(pkt.tcp.th_win!=queso_window)
     return;
     syslog(LOG_INFO, "ATTACK: A packet probably sent by QUESO was received !");
    }
    
    /* Very basic SYN-flood heuristic.  Only bare SYNs (SYN set, ACK clear) are
     * considered; a bare SYN whose sequence number equals that of the previous
     * bare SYN is reported as a flood, otherwise the sequence number is stored
     * in the global prev_seq.  Note that a legitimately retransmitted SYN may
     * carry the same sequence number and would also trigger this.  Despite the
     * final log line nothing here terminates the daemon: tcpg_die() is not
     * called and the function simply returns. */
    void tcpg_synflood()
     {
     unsigned char flags=pkt.tcp.th_flags;
     if(!(flags&TH_SYN) || (flags&TH_ACK))
     return;                                   /* not a bare SYN */

     if(pkt.tcp.th_seq==prev_seq)
     {
      syslog(LOG_INFO, "ATTACK: YOU ARE BEING SYN-FLOODED !");
      syslog(LOG_INFO, "ATTACK: YOU ARE BEING SYN-FLOODED !!");
      syslog(LOG_INFO, "ATTACK: YOU ARE BEING SYN-FLOODED !!!");
      syslog(LOG_INFO, "TCPguard is dying...");
     }
     else
     {
      prev_seq=pkt.tcp.th_seq;
     }
    }
    
    /* Announce every connection attempt: a segment with SYN set and ACK clear
     * is logged with its source address, source port and destination port
     * (ports converted to host order for display).  Reads pkt and src_addr. */
    void tcpg_syn()
     {
     unsigned char flags=pkt.tcp.th_flags;
     int bare_syn=(flags&TH_SYN) && !(flags&TH_ACK);
     if(!bare_syn)
     return;
     syslog(LOG_INFO, "WARNING: TCP connection attempted from %s:%d to port %d.", inet_ntoa(src_addr), ntohs(pkt.tcp.th_sport), ntohs(pkt.tcp.th_dport));
    }
    
    /* LAND attack check: a segment whose source and destination IP addresses
     * are equal and whose source and destination ports are equal is reported.
     * The source address is not included in the log line.  Reads the global pkt. */
    void tcpg_land()
     {
     int same_address=(pkt.ip.saddr==pkt.ip.daddr);
     int same_port=(pkt.tcp.th_sport==pkt.tcp.th_dport);
     if(same_address && same_port)
     {
      syslog(LOG_INFO, "ATTACK: LAND attack detected !!!");
     }
    }

    I can say only one thing: explain a little more.
    Maybe then you will get some quick replies.
