HoneyBadger: github.com/david415/HoneyBadger Index | Files | Directories

package HoneyBadger

import "github.com/david415/HoneyBadger"

Index

Package Files

connection.go dispatcher.go ordered_coalesce.go retrospective.go sniffer.go supervisor.go

Constants

const (
    // Stop looking for handshake hijack after several
    // packets have traversed the connection after entering
    // into TCP_DATA_TRANSFER state
    FIRST_FEW_PACKETS = 12

    // TCP states
    TCP_UNKNOWN                = 0
    TCP_CONNECTION_REQUEST     = 1
    TCP_CONNECTION_ESTABLISHED = 2
    TCP_DATA_TRANSFER          = 3
    TCP_CONNECTION_CLOSING     = 4
    TCP_INVALID                = 5
    TCP_CLOSED                 = 6

    // initiating TCP closing finite state machine
    TCP_FIN_WAIT1 = 0
    TCP_FIN_WAIT2 = 1
    TCP_TIME_WAIT = 2
    TCP_CLOSING   = 3

    // initiated TCP closing finite state machine
    TCP_CLOSE_WAIT = 0
    TCP_LAST_ACK   = 1
)

func NewSniffer Uses

func NewSniffer(options *types.SnifferDriverOptions, dispatcher PacketDispatcher) types.PacketSource

NewSniffer creates a new Sniffer struct

type Connection Uses

type Connection struct {
    ConnectionOptions

    ClientStreamRing *types.Ring
    ServerStreamRing *types.Ring
    ClientCoalesce   *OrderedCoalesce
    ServerCoalesce   *OrderedCoalesce
    PacketLogger     types.PacketLogger
    // contains filtered or unexported fields
}

Connection is used to track client and server flows for a given TCP connection. We implement a basic TCP finite state machine and track state in order to detect hanshake hijack and other TCP attacks such as segment veto and sloppy injection.

func (*Connection) Close Uses

func (c *Connection) Close()

Close can be used by the the connection or the dispatcher to close the connection

func (*Connection) GetClientFlow Uses

func (c *Connection) GetClientFlow() *types.TcpIpFlow

func (*Connection) GetLastSeen Uses

func (c *Connection) GetLastSeen() time.Time

GetLastSeen returns the lastSeen timestamp after grabbing the lock

func (*Connection) ReceivePacket Uses

func (c *Connection) ReceivePacket(p *types.PacketManifest)

ReceivePacket implements a TCP finite state machine which is loosely based off of the simplified FSM in this paper: http://ants.iis.sinica.edu.tw/3bkmj9ltewxtsrrvnoknfdxrm3zfwrr/17/p520460.pdf The goal is to detect all manner of content injection.

func (*Connection) SetPacketLogger Uses

func (c *Connection) SetPacketLogger(logger types.PacketLogger)

type ConnectionFactory Uses

type ConnectionFactory interface {
    Build(ConnectionOptions) ConnectionInterface
}

type ConnectionInterface Uses

type ConnectionInterface interface {
    Close()
    GetClientFlow() *types.TcpIpFlow
    SetPacketLogger(types.PacketLogger)
    GetLastSeen() time.Time
    ReceivePacket(*types.PacketManifest)
}

type ConnectionOptions Uses

type ConnectionOptions struct {
    MaxBufferedPagesTotal         int
    MaxBufferedPagesPerConnection int
    MaxRingPackets                int
    PageCache                     *pageCache
    LogDir                        string
    LogPackets                    bool
    AttackLogger                  types.Logger
    DetectHijack                  bool
    DetectInjection               bool
    DetectCoalesceInjection       bool
}

type DefaultConnFactory Uses

type DefaultConnFactory struct {
}

func (*DefaultConnFactory) Build Uses

func (f *DefaultConnFactory) Build(options ConnectionOptions) ConnectionInterface

type Dispatcher Uses

type Dispatcher struct {
    PacketLoggerFactory types.PacketLoggerFactory
    // contains filtered or unexported fields
}

Inquisitor sets up the connection pool and is an abstraction layer for dealing with incoming packets weather they be from a pcap file or directly off the wire.

func NewDispatcher Uses

func NewDispatcher(options DispatcherOptions, connectionFactory ConnectionFactory, packetLoggerFactory types.PacketLoggerFactory) *Dispatcher

NewInquisitor creates a new Inquisitor struct

func (*Dispatcher) CloseAllConnections Uses

func (i *Dispatcher) CloseAllConnections() int

CloseAllConnections closes all connections in the pool.

func (*Dispatcher) CloseOlderThan Uses

func (i *Dispatcher) CloseOlderThan(t time.Time) int

CloseOlderThan takes a Time argument and closes all the connections that have not received packet since that specified time

func (*Dispatcher) Connections Uses

func (i *Dispatcher) Connections() []ConnectionInterface

connectionsLocked returns a slice of Connection pointers.

func (*Dispatcher) GetObservedConnectionsChan Uses

func (i *Dispatcher) GetObservedConnectionsChan(count int) chan bool

func (*Dispatcher) ReceivePacket Uses

func (i *Dispatcher) ReceivePacket(p *types.PacketManifest)

func (*Dispatcher) Start Uses

func (i *Dispatcher) Start()

Start... starts the TCP attack inquisition!

func (*Dispatcher) Stop Uses

func (i *Dispatcher) Stop()

Stop... stops the TCP attack inquisition!

type DispatcherOptions Uses

type DispatcherOptions struct {
    BufferedPerConnection    int
    BufferedTotal            int
    LogDir                   string
    LogPackets               bool
    MaxPcapLogRotations      int
    MaxPcapLogSize           int
    TcpIdleTimeout           time.Duration
    MaxRingPackets           int
    Logger                   types.Logger
    DetectHijack             bool
    DetectInjection          bool
    DetectCoalesceInjection  bool
    MaxConcurrentConnections int
}

InquisitorOptions are user set parameters for specifying the details of how to proceed with honey_bager's TCP connection monitoring. More parameters should soon be added here!

type OrderedCoalesce Uses

type OrderedCoalesce struct {
    // MaxBufferedPagesTotal is an upper limit on the total number of pages to
    // buffer while waiting for out-of-order packets.  Once this limit is
    // reached, the assembler will degrade to flushing every connection it
    // gets a packet for.  If <= 0, this is ignored.
    MaxBufferedPagesTotal int
    // MaxBufferedPagesPerConnection is an upper limit on the number of pages
    // buffered for a single flow.  Should this limit be reached for a
    // particular flow, the smallest sequence number will be flushed, along
    // with any contiguous data.  If <= 0, this is ignored.
    MaxBufferedPagesPerFlow int

    Flow       *types.TcpIpFlow
    StreamRing *types.Ring

    PageCache *pageCache

    DetectCoalesceInjection bool
    // contains filtered or unexported fields
}

func NewOrderedCoalesce Uses

func NewOrderedCoalesce(logger types.Logger, flow *types.TcpIpFlow, pageCache *pageCache, streamRing *types.Ring, maxBufferedPagesTotal, maxBufferedPagesPerFlow int, DetectCoalesceInjection bool, attackDetected *bool) *OrderedCoalesce

func (*OrderedCoalesce) Close Uses

func (o *OrderedCoalesce) Close()

Close returns all used pages to the page cache

type PacketDispatcher Uses

type PacketDispatcher interface {
    ReceivePacket(*types.PacketManifest)
    GetObservedConnectionsChan(int) chan bool
    Connections() []ConnectionInterface
    Stop()
}

type Sniffer Uses

type Sniffer struct {
    // contains filtered or unexported fields
}

Sniffer sets up the connection pool and is an abstraction layer for dealing with incoming packets weather they be from a pcap file or directly off the wire.

func (*Sniffer) Close Uses

func (i *Sniffer) Close()

func (*Sniffer) GetStartedChan Uses

func (i *Sniffer) GetStartedChan() chan bool

func (*Sniffer) SetSupervisor Uses

func (i *Sniffer) SetSupervisor(supervisor types.Supervisor)

func (*Sniffer) Start Uses

func (i *Sniffer) Start()

Start... starts the TCP attack inquisition!

func (*Sniffer) Stop Uses

func (i *Sniffer) Stop()

type Supervisor Uses

type Supervisor struct {
    // contains filtered or unexported fields
}

func NewSupervisor Uses

func NewSupervisor(options SupervisorOptions) *Supervisor

func (Supervisor) GetDispatcher Uses

func (b Supervisor) GetDispatcher() PacketDispatcher

func (Supervisor) GetSniffer Uses

func (b Supervisor) GetSniffer() types.PacketSource

func (Supervisor) Run Uses

func (b Supervisor) Run()

func (Supervisor) Stopped Uses

func (b Supervisor) Stopped()

type SupervisorOptions Uses

type SupervisorOptions struct {
    SnifferDriverOptions *types.SnifferDriverOptions
    DispatcherOptions    DispatcherOptions
    SnifferFactory       func(*types.SnifferDriverOptions, PacketDispatcher) types.PacketSource
    ConnectionFactory    ConnectionFactory
    PacketLoggerFactory  types.PacketLoggerFactory
}

type TimedRawPacket Uses

type TimedRawPacket struct {
    Timestamp time.Time
    RawPacket []byte
}

Directories

PathSynopsis
attack
blocksmodified to use our Sequence type instead of int64 Package blocks contains logic to detect overlap between segments of a contiguous data stream.
drivers
logging
typesHoneybadger types package

Package HoneyBadger imports 14 packages (graph). Updated 2016-09-08. Refresh now. Tools for package owners.