8ddae1aa96
This commit replaces calloc calls, which called calloc() as if it were malloc() by allocating a multiple of objects as a sizeof multiplied by the number of objects. The patch rectifies this by calling calloc() as it was meant to be called. This commit also replaces realloc() with reallocarray() in a similar fashion as above. Instead of calculating the memory to reallocated (changed) by multiplying sizeof by the number of objects, the sizeof and number are passed as separate arguments to reallocarray(), letting reallocarray() do the multiplication instead. Like the calloc() adjustment above, this is approach is cleaner and more elegant than than the previous code. This has been tested on my production firewall and a laptop (also running ipfilter). Submitted by: pfg MFC after: 6 weeks |
||
---|---|---|
.. | ||
Celler | ||
ipsd.c | ||
ipsd.h | ||
ipsdr.c | ||
linux.h | ||
Makefile | ||
README | ||
sbpf.c | ||
sdlpi.c | ||
slinux.c | ||
snit.c |
IP Scan Detetor. ---------------- This program is designed to be a passive listener for TCP packets sent to the host. It does not exercise the promiscous mode of interfaces. For routing Unix boxes (and firewalls which route/proxy) this is sufficient to detect all packets going to/through them. Upon compiling, a predefined set of "sensitive" ports are configured into the program. Any TCP packets which are seen sent to these ports are counted and the IP# of the sending host recorded, along with the time of the first packet to that port for that IP#. After a given number of "hits", it will write the current table of packets out to disk. This number defaults to 10,000. To analyze the information written to disk, a sample program called "ipsdr" is used (should but doesn't implement a tree algorithm for storing data) which reads all log files it recognises and totals up the number of ports each host hit. By default, all ports have the same weighting (1). Another group of passes is then made over this table using a netmask of 0xfffffffe, grouping all results which fall under the same resulting IP#. This netmask is then shrunk back to 0, with a output for each level given. This is aimed at detecting port scans done from different hosts on the same subnet (although I've not seen this done, if one was trying to do it obscurely...) Lastly, being passive means that no action is taken to stop port scans being done or discourage them. Darren darrenr@pobox.com