Modified tagging code to make it more streamlined

STEELISI · Jul 5, 2022 · 01ed76e · 01ed76e
1 parent 71d6d3b
commit 01ed76e
Show file tree

Hide file tree

Showing 4 changed files with 127 additions and 133 deletions.
diff --git a/B_Root_Anomalies/stats.cc b/B_Root_Anomalies/stats.cc
@@ -129,9 +129,10 @@ void packetHandler(u_char *userData, const struct pcap_pkthdr* pkthdr, const u_c
 	tcpHeader = (struct tcphdr*)(packet + sizeof(struct ether_header) + size_ip);
 	int size_tcp = tcpHeader->th_off*4;
 	size_payload = ip_len - (size_ip + size_tcp);
+	//cout<<"Payload "<<size_payload<<endl;
 	sport = ntohs(tcpHeader->source);
 	dport = ntohs(tcpHeader->dest);
-	if (size_payload > 0)
+	if (size_payload > 8) // size of DNS header
 	  {	    
 	    payload = (u_char*)(packet + sizeof(struct ether_header) + size_ip + size_tcp);
 	    opcode = payload[2]>>4;
@@ -146,7 +147,7 @@ void packetHandler(u_char *userData, const struct pcap_pkthdr* pkthdr, const u_c
 	sport = ntohs(udpHeader->source);
 	dport = ntohs(udpHeader->dest);
 	size_payload = ip_len - (size_ip + size_udp);
-	if (size_payload > 0)
+	if (size_payload > 8) // size of DNS header
 	  {
 	    payload = (u_char*)(packet + sizeof(struct ether_header) + size_ip + size_udp);
 	    opcode = payload[2]>>4;
@@ -158,11 +159,11 @@ void packetHandler(u_char *userData, const struct pcap_pkthdr* pkthdr, const u_c
 
     //std::cout<<std::fixed<<ts<<" proto "<<proto<<" caplen "<<caplen<<" plen "<<plen<<" payload size "<<size_payload<<" opcode "<<opcode<<" payload ";
 
-    if (size_payload > 0 && opcode == 0)
+    if (size_payload > 8 && opcode == 0)
       {
 	//for (int i=0; i<size_payload; i++)
 	//{
-	//  std::cout<<(int)payload[i]<<" ";
+	// std::cout<<(int)payload[i]<<" ";
 	//}
 	//std::cout<<std::endl;
 	for (int i=12; i<size_payload; i++)

diff --git a/B_Root_Anomalies/tag.cc b/B_Root_Anomalies/tag.cc
@@ -3,23 +3,28 @@
 #include<sys/time.h>
 #include<vector>
 #include<deque>
+#include<map>
 #include<algorithm>
 
 #include "utils.h"
 
 bool first = true;
 bool attacksources = false;
+bool atlist = false;
+int PERIOD = 60;
 long int starttime = 0;
 long int endtime = 0;
-long int lasttime = 0;
+double lasttime = 0;
 
 string readfolder = "";
 string infile = "";
 string atfile = "";
 string extension = "";
 
 set<string> queries;
-set<string> attackers;
+
+int attackers[(int)pow(2,27)];
+
 long int total = 0;
 long int afiltered = 0, apassed = 0;
 long int gfiltered = 0, gpassed = 0;
@@ -28,9 +33,10 @@ long int passed = 0;
 // We store delimiters in this array
 int* delimiters;
 
-
 void loadattackers(string infile)
 {
+  memset(attackers, 0, pow(2,24)*8);
+  int i = 0;
   ifstream in(infile, std::ofstream::in);
   while (in.good())
     {
@@ -39,52 +45,71 @@ void loadattackers(string infile)
       in>>ip;
       if (!in.good())
 	break;
-      attackers.insert(ip);
-      //cout<<"Inserted attacker "<<ip<<endl;
+      unsigned int ipi=todec(ip);
+      attackers[int(ipi/32)] = attackers[int(ipi/32)] | (1 >> (ipi % 32));
+      i++;
+      if (i % 100000 == 0)
+	cout<<"Inserted attacker "<<ip<<endl;
     }
   in.close();
 }
 
-
-
-
-int process(char* buffer, double &outtime, int& outlen, int& outttl)
+string process(char* buffer, double &outtime, int& outlen, int& outttl, std::ofstream& output)
 {
   string ip = "";
 
-  bool isquery;
+  int isquery;
   char queryname[MAXLEN];
   char recordID[MAXLEN];
 
   bool toprocess = shouldprocess2(buffer, outtime, outlen, delimiters,
 				  ip, starttime, endtime, isquery, queryname, outttl);
 
+
   strcpy(recordID, buffer);
   if (!toprocess)
+    return "";
+
+  bool isattack = false;
+  if((!isquery || outlen > 256) && queries.size() == 0)
+    isattack = true;
+  //cout<<"For "<<buffer<<" is query "<<isquery<<" queries size "<<queries.size()<<endl;
+  if (isquery == 2 && queries.size() == 0)
+    isattack = true;
+  for (auto qit = queries.begin(); qit != queries.end(); qit++)
+    if (strstr(queryname, qit->c_str()) != 0)
+      {
+	isattack = true;
+      }
+
+  if (attacksources && isattack && !atlist)
     {
-      return 1;
+      unsigned int ipi=todec(ip);
+      attackers[int(ipi/32)] = attackers[int(ipi/32)] | (1 >> (ipi % 32));
     }
-
-    bool isattack = false;
-    if(!isquery || outlen > 256)
-      isattack = true;
-    if (isquery == 2 && queries.size() == 0)
-      isattack = true;
-    for (auto qit = queries.begin(); qit != queries.end(); qit++)
-      if (strstr(queryname, qit->c_str()) != 0)
+  if (attacksources && !isattack)
+    {      
+      unsigned int ipi=todec(ip);
+      int cur = attackers[int(ipi/32)] & (1 >> (ipi % 32));
+      if (cur > 0)
 	{
-	  isattack = true;	  
+	  isattack = true;
 	}
-    if (attackers.find(ip) != attackers.end() && attacksources)
-      {
-	isattack = true;
-      }
-    cout<<recordID<<" ";
-    if (isattack)
-      cout<<"A\n";
-    else
-      cout<<"B\n";
-    return 0;
+    }
+  // Periodic reset
+  if ((outtime > lasttime + PERIOD) && !atlist && attacksources)
+    {
+      memset(attackers, 0, pow(2,24)*8);
+      lasttime = outtime;
+    }
+  char outs[MAXLEN];
+
+  if (isattack)
+    sprintf(outs, "%s A\n", recordID);
+  else
+    sprintf(outs, "%s B\n", recordID);
+
+  return outs;
 }
 
 
@@ -140,6 +165,7 @@ int main(int argc, char** argv)
 	  queries.insert(optarg);
 	  break;
 	case 'a':
+	  atlist = true;
 	  atfile = optarg;
 	  break;
 	case 's':
@@ -160,11 +186,10 @@ int main(int argc, char** argv)
       cout<<"You must specify a directory with pcap.xz files\n";
       exit(0);
     }
-  // Assume the attack has started and this is why we're being invoked
-  // If we are testing it helps to use a file with attackers
-  if (atfile != "")
-    loadattackers(atfile);
 
+  if (atlist)
+    loadattackers(atfile);
+
   //Use for pcap
   loadfiles(readfolder.c_str(), process, extension, starttime, endtime);
 }