コード例 #1
ファイル: dispatcher.go プロジェクト: lytics/wherefore
// setupNewConnection builds a connection for flow from the dispatcher's
// options, attaches and starts a packet logger when LogPackets is set, and
// stores the connection in the pool under the flow's connection hash.
//
// When observeConnectionCount is non-zero and equals the current number of
// connections, a value is sent on observeConnectionChan.
func (i *Dispatcher) setupNewConnection(flow *types.TcpIpFlow) ConnectionInterface {
	// The detection toggles (hijack, injection, coalesce injection) and the
	// attack logger are passed through unchanged from the dispatcher options,
	// so a connection only reports what the dispatcher was configured to detect.
	conn := i.connectionFactory.Build(ConnectionOptions{
		MaxBufferedPagesTotal:         i.options.BufferedTotal,
		MaxBufferedPagesPerConnection: i.options.BufferedPerConnection,
		MaxRingPackets:                i.options.MaxRingPackets,
		PageCache:                     i.pageCache,
		LogDir:                        i.options.LogDir,
		AttackLogger:                  i.options.Logger,
		LogPackets:                    i.options.LogPackets,
		DetectHijack:                  i.options.DetectHijack,
		DetectInjection:               i.options.DetectInjection,
		DetectCoalesceInjection:       i.options.DetectCoalesceInjection,
		Pool:                          &i.pool,
	})

	if i.options.LogPackets {
		// The logger is attached to the connection before it is started.
		pl := i.PacketLoggerFactory.Build(flow)
		conn.SetPacketLogger(pl)
		pl.Start()
	}

	// Any entry already stored under this hash is replaced.
	key := flow.ConnectionHash()
	i.pool[key] = conn

	// NOTE(review): this send blocks until a receiver is ready if the channel
	// is unbuffered; confirm that the observer is always draining it.
	if want := i.observeConnectionCount; want != 0 && want == len(i.connections()) {
		i.observeConnectionChan <- true
	}
	return conn
}
コード例 #2
ファイル: connection.go プロジェクト: lytics/wherefore
// detectInjection writes an attack report if the given packet indicates a TCP injection attack
// such as segment veto.
func (c *Connection) detectInjection(p *types.PacketManifest, flow *types.TcpIpFlow) {
	// The packet is checked against ServerStreamRing when its flow equals
	// clientFlow, and against ClientStreamRing otherwise.
	var ring *types.Ring
	if !flow.Equal(c.clientFlow) {
		ring = c.ClientStreamRing
	} else {
		ring = c.ServerStreamRing
	}

	event := injectionInStreamRing(p, flow, ring, "ordered injection", c.packetCount)
	if event == nil {
		// NOTE(review): a nil event is reported as a plain retransmission;
		// presumably injectionInStreamRing returns nil only when the
		// overlapping bytes match. Verify against its implementation.
		log.Print("not an attack attempt; a normal TCP retransmission.\n")
		return
	}

	// Record the event first, then mark the connection and note the packet
	// number in the process log.
	c.AttackLogger.Log(event)
	c.attackDetected = true
	log.Printf("packet # %d\n", c.packetCount)
}
コード例 #3
ファイル: connection.go プロジェクト: lytics/wherefore
// detectHijack checks for a duplicate SYN/ACK indicating a handshake hijack
// and submits a report if an attack was observed.
func (c *Connection) detectHijack(p *types.PacketManifest, flow *types.TcpIpFlow) {
	// Only packets on the server flow are examined.
	if !flow.Equal(c.serverFlow) {
		return
	}
	// Only a SYN/ACK is of interest here.
	if !(p.TCP.ACK && p.TCP.SYN) {
		return
	}
	// The acknowledgment number must match hijackNextAck exactly.
	if types.Sequence(p.TCP.Ack).Difference(c.hijackNextAck) != 0 {
		return
	}
	// Same sequence number as firstSynAckSeq: treated as a retransmission.
	// NOTE(review): presumably firstSynAckSeq is recorded from the first
	// SYN/ACK seen on this connection; confirm where it is set.
	if p.TCP.Seq == c.firstSynAckSeq {
		log.Print("SYN/ACK retransmission\n")
		return
	}

	// A matching Ack with a different Seq is reported as a handshake hijack.
	log.Print("handshake hijack detected\n")
	c.AttackLogger.Log(&types.Event{
		Time:        time.Now(),
		Type:        "handshake-hijack",
		PacketCount: c.packetCount,
		Flow:        flow,
		HijackSeq:   p.TCP.Seq,
		HijackAck:   p.TCP.Ack,
	})
	c.attackDetected = true
}