├── .vs └── 入侵检测系统 │ └── v15 │ ├── Server │ └── sqlite3 │ │ ├── db.lock │ │ ├── storage.ide-shm │ │ ├── storage.ide-wal │ │ └── storage.ide │ └── .suo ├── obj └── x86 │ └── Debug │ ├── Catch.csproj.CopyComplete │ ├── 入侵检测系统.csproj.CopyComplete │ ├── Lan_Ids.csproj.FileListAbsolute.txt │ ├── 入侵检测系统.exe │ ├── 入侵检测系统.pdb │ ├── Catch.csproj.CoreCompileInputs.cache │ ├── 入侵检测系统.csproj.CoreCompileInputs.cache │ ├── ResolveAssemblyReference.cache │ ├── 入侵检测系统.csprojAssemblyReference.cache │ ├── Lan_Ids.csprojResolveAssemblyReference.cache │ ├── 入侵检测系统.csprojResolveAssemblyReference.cache │ ├── DesignTimeResolveAssemblyReferencesInput.cache │ ├── Catch.csproj.FileListAbsolute.txt │ └── 入侵检测系统.csproj.FileListAbsolute.txt ├── 71.png ├── 991.png ├── 入侵检测系统.suo ├── bin └── Debug │ ├── data.sqlite │ ├── 入侵检测系统.exe │ ├── 入侵检测系统.pdb │ ├── SharpPcap.dll │ ├── PacketDotNet.dll │ ├── 入侵检测系统.vshost.exe │ ├── System.Data.SQLite.dll │ ├── System.Data.SQLite.EF6.dll │ ├── System.Data.SQLite.Linq.dll │ ├── 入侵检测系统.vshost.exe.manifest │ ├── Lan_Ids.vshost.exe.manifest │ ├── Open_HIDS.vshost.exe.manifest │ ├── ports.port │ └── AttacksDB.txt ├── Model ├── Data.cs ├── Protect.cs ├── Unsecur.cs ├── MitmProtcols.cs ├── scan.cs └── ado.cs ├── 入侵检测系统.csproj.user ├── Properties └── AssemblyInfo.cs ├── data.txt ├── README.md ├── log.cs ├── 入侵检测系统.csproj └── Program.cs /.vs/入侵检测系统/v15/Server/sqlite3/db.lock: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /obj/x86/Debug/Catch.csproj.CopyComplete: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /obj/x86/Debug/入侵检测系统.csproj.CopyComplete: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- 
/obj/x86/Debug/Lan_Ids.csproj.FileListAbsolute.txt: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /71.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KaryKim/C/HEAD/71.png -------------------------------------------------------------------------------- /991.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KaryKim/C/HEAD/991.png -------------------------------------------------------------------------------- /入侵检测系统.suo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KaryKim/C/HEAD/入侵检测系统.suo -------------------------------------------------------------------------------- /.vs/入侵检测系统/v15/.suo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KaryKim/C/HEAD/.vs/入侵检测系统/v15/.suo -------------------------------------------------------------------------------- /bin/Debug/data.sqlite: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KaryKim/C/HEAD/bin/Debug/data.sqlite -------------------------------------------------------------------------------- /bin/Debug/入侵检测系统.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KaryKim/C/HEAD/bin/Debug/入侵检测系统.exe -------------------------------------------------------------------------------- /bin/Debug/入侵检测系统.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KaryKim/C/HEAD/bin/Debug/入侵检测系统.pdb -------------------------------------------------------------------------------- /bin/Debug/SharpPcap.dll: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/KaryKim/C/HEAD/bin/Debug/SharpPcap.dll -------------------------------------------------------------------------------- /obj/x86/Debug/入侵检测系统.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KaryKim/C/HEAD/obj/x86/Debug/入侵检测系统.exe -------------------------------------------------------------------------------- /obj/x86/Debug/入侵检测系统.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KaryKim/C/HEAD/obj/x86/Debug/入侵检测系统.pdb -------------------------------------------------------------------------------- /bin/Debug/PacketDotNet.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KaryKim/C/HEAD/bin/Debug/PacketDotNet.dll -------------------------------------------------------------------------------- /obj/x86/Debug/Catch.csproj.CoreCompileInputs.cache: -------------------------------------------------------------------------------- 1 | 0417115bddb77eb93b0eb7cc104a4373b29ca9ff 2 | -------------------------------------------------------------------------------- /obj/x86/Debug/入侵检测系统.csproj.CoreCompileInputs.cache: -------------------------------------------------------------------------------- 1 | 7059c0ba31a3c12bbb71f196e2bf28b30ffd4a42 2 | -------------------------------------------------------------------------------- /bin/Debug/入侵检测系统.vshost.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KaryKim/C/HEAD/bin/Debug/入侵检测系统.vshost.exe -------------------------------------------------------------------------------- /bin/Debug/System.Data.SQLite.dll: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/KaryKim/C/HEAD/bin/Debug/System.Data.SQLite.dll -------------------------------------------------------------------------------- /bin/Debug/System.Data.SQLite.EF6.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KaryKim/C/HEAD/bin/Debug/System.Data.SQLite.EF6.dll -------------------------------------------------------------------------------- /bin/Debug/System.Data.SQLite.Linq.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KaryKim/C/HEAD/bin/Debug/System.Data.SQLite.Linq.dll -------------------------------------------------------------------------------- /obj/x86/Debug/ResolveAssemblyReference.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KaryKim/C/HEAD/obj/x86/Debug/ResolveAssemblyReference.cache -------------------------------------------------------------------------------- /.vs/入侵检测系统/v15/Server/sqlite3/storage.ide-shm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KaryKim/C/HEAD/.vs/入侵检测系统/v15/Server/sqlite3/storage.ide-shm -------------------------------------------------------------------------------- /.vs/入侵检测系统/v15/Server/sqlite3/storage.ide-wal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KaryKim/C/HEAD/.vs/入侵检测系统/v15/Server/sqlite3/storage.ide-wal -------------------------------------------------------------------------------- /obj/x86/Debug/入侵检测系统.csprojAssemblyReference.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KaryKim/C/HEAD/obj/x86/Debug/入侵检测系统.csprojAssemblyReference.cache -------------------------------------------------------------------------------- 
/obj/x86/Debug/Lan_Ids.csprojResolveAssemblyReference.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KaryKim/C/HEAD/obj/x86/Debug/Lan_Ids.csprojResolveAssemblyReference.cache -------------------------------------------------------------------------------- /obj/x86/Debug/入侵检测系统.csprojResolveAssemblyReference.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KaryKim/C/HEAD/obj/x86/Debug/入侵检测系统.csprojResolveAssemblyReference.cache -------------------------------------------------------------------------------- /obj/x86/Debug/DesignTimeResolveAssemblyReferencesInput.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/KaryKim/C/HEAD/obj/x86/Debug/DesignTimeResolveAssemblyReferencesInput.cache -------------------------------------------------------------------------------- /Model/Data.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Text; 5 | 6 | namespace Ng_IDS.Model 7 | { 8 | class Data 9 | { 10 | public int ID { get; set; } 11 | public string name { get; set; } 12 | public string inter { get; set; } 13 | public string mac { get; set; } 14 | public string ip { get; set; } 15 | 16 | public string date { get; set; } 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /入侵检测系统.csproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | publish\ 5 | 6 | 7 | 8 | 9 | 10 | en-US 11 | false 12 | 13 | -------------------------------------------------------------------------------- /bin/Debug/入侵检测系统.vshost.exe.manifest: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 
11 | 12 | -------------------------------------------------------------------------------- /bin/Debug/Lan_Ids.vshost.exe.manifest: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | -------------------------------------------------------------------------------- /bin/Debug/Open_HIDS.vshost.exe.manifest: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | -------------------------------------------------------------------------------- /bin/Debug/ports.port: -------------------------------------------------------------------------------- 1 | 80 tcp 2 | #You Are using Clear Text Protocol http Pleas Use secure Protocol Https 3 | 21 tcp 4 | #You Are using Clear Text Protocol FTP Pleas Use secure Protocol like SFTP or FTPS 5 | 143 tcp 6 | #You Are using Clear Text Protocol IMAP Pleas Use secure Protocol IMAP with ssl 7 | 20 tcp 8 | #You Are using Clear Text Protocol FTP Pleas Use secure Protocol like SFTP or FTPS 9 | 110 tcp 10 | #You Are using Clear Text Protocol POP3 Pleas Use secure Protocol POP3 with ssl 11 | 23 tcp 12 | #You Are using Clear Text Protocol Telnet Pleas Use secure Protocol like SSH 13 | 25 tcp 14 | #You Are using Clear Text Protocol SMTP Pleas Use secure Protocol SMTP with ssl 15 | -------------------------------------------------------------------------------- /Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | [assembly: AssemblyTitle("Lan_Ids")] 5 | [assembly: AssemblyDescription("")] 6 | [assembly: AssemblyConfiguration("")] 7 | [assembly: AssemblyCompany("")] 8 | [assembly: AssemblyProduct("Lan_Ids")] 9 | [assembly: AssemblyCopyright("Copyright © 2017")] 10 | [assembly: AssemblyTrademark("")] 11 | [assembly: 
AssemblyCulture("")] 12 | 13 | 14 | [assembly: ComVisible(false)] 15 | 16 | [assembly: Guid("6695d590-2895-40bf-b5c9-104c926eab90")] 17 | 18 | 19 | [assembly: AssemblyVersion("1.0.0.0")] 20 | [assembly: AssemblyFileVersion("1.0.0.0")] 21 | -------------------------------------------------------------------------------- /data.txt: -------------------------------------------------------------------------------- 1 | try 2 | { 3 | SQLiteConnection.CreateFile("data.sqlite"); 4 | SQLiteConnection my; 5 | my = new SQLiteConnection("Data Source=data.sqlite;Version=3;"); 6 | my.Open(); 7 | string sql = "Create Table mac(id integer Primary key AUTOINCREMENT,name varchar(500),inter varchar(500),mac_ad varchar(500),ip varchar(500),date varchar(500))"; 8 | SQLiteCommand comm = new SQLiteCommand(sql, my); 9 | comm.ExecuteNonQuery(); 10 | } 11 | catch (Exception ex) 12 | { 13 | 14 | MessageBox.Show(ex.ToString()); 15 | } -------------------------------------------------------------------------------- /obj/x86/Debug/Catch.csproj.FileListAbsolute.txt: -------------------------------------------------------------------------------- 1 | H:\C#\new open\Network Analsist\IDS\open source\Host iPS - demo\Lan_Ids\bin\Debug\PacketDotNet.xml 2 | H:\C#\new open\Network Analsist\IDS\open source\Host iPS - demo\Lan_Ids\bin\Debug\SharpPcap.pdb 3 | H:\C#\new open\Network Analsist\IDS\open source\Host iPS - demo\Lan_Ids\bin\Debug\SharpPcap.xml 4 | H:\C#\new open\Network Analsist\IDS\open source\Host iPS - demo\Lan_Ids\bin\Debug\System.Data.SQLite.pdb 5 | 6 | C:\Users\yantao\Desktop\Catch-IDS-master\Lan_Ids\bin\Debug\入侵检测系统.exe 7 | C:\Users\yantao\Desktop\Catch-IDS-master\Lan_Ids\bin\Debug\入侵检测系统.pdb 8 | C:\Users\yantao\Desktop\Catch-IDS-master\Lan_Ids\obj\x86\Debug\入侵检测系统.exe 9 | C:\Users\yantao\Desktop\Catch-IDS-master\Lan_Ids\obj\x86\Debug\入侵检测系统.pdb 10 | -------------------------------------------------------------------------------- /Model/Protect.cs: 
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 | using PacketDotNet;
6 | using System.Net.NetworkInformation;
7 | using System.Net;
8 |
9 | namespace Ng_IDS.Model
10 | {
11 |     class Protect
12 |     {
              // Builds (does not send) an Ethernet frame carrying an ARP Response assembled
              // from the four caller-supplied strings.
              // NOTE(review): assuming PacketDotNet's constructor order is
              // EthernetPacket(source, destination, type) and
              // ARPPacket(operation, targetHw, targetIp, senderHw, senderIp), the frame reads
              // "Router_ip is at Router_mac", addressed to this PC - confirm against the
              // referenced PacketDotNet.dll before relying on the direction.
              // PhysicalAddress.Parse / IPAddress.Parse throw on malformed input; nothing
              // here catches that.
13 |         public static EthernetPacket Protect_Arp(string Router_mac,string My_pc_mac,string Router_ip,string My_pc_ip)
14 |         {
15 |             var eth = new EthernetPacket(PhysicalAddress.Parse(Router_mac),PhysicalAddress.Parse(My_pc_mac), EthernetPacketType.Arp);
16 |             var arp = new ARPPacket(ARPOperation.Response, PhysicalAddress.Parse(My_pc_mac), IPAddress.Parse(My_pc_ip), PhysicalAddress.Parse(Router_mac), IPAddress.Parse(Router_ip));
17 |             eth.PayloadPacket = arp;
18 |             return eth;
19 |         }
20 |     }
21 | }
22 |
--------------------------------------------------------------------------------
/Model/Unsecur.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 | using PacketDotNet;
6 |
7 | namespace Ng_IDS.Model
8 | {
9 |     class Unsecur
10 |     {
              // Maps a TCP destination port to the name of a clear-text protocol
              // (80 HTTP, 21 FTP, 143 IMAP, 25 SMTP, 110 POP3); any other port returns "".
              // Only the destination port is inspected, not the source port or the payload.
              // NOTE(review): bin/Debug/ports.port in this repository also lists 20 (FTP)
              // and 23 (Telnet); both return "" here - confirm whether the two lists are
              // meant to agree.
11 |         public String GetUNsecurTcp(TcpPacket tcp)
12 |         {
13 |             if (tcp.DestinationPort == 80)
14 |             {
15 |                 return "HTTP";
16 |             }
17 |             else if (tcp.DestinationPort == 21)
18 |             {
19 |                 return "FTP";
20 |             }
21 |             else if (tcp.DestinationPort == 143)
22 |             {
23 |                 return "IMAP";
24 |             }
25 |             else if (tcp.DestinationPort == 25)
26 |             {
27 |                 return "SMTP";
28 |             }
29 |             else if (tcp.DestinationPort == 110)
30 |             {
31 |                 return "POP3";
32 |             }
33 |             return "";
34 |         }
35 |     }
36 | }
37 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | 技术:wincap抓包+ARP+CHTP
2 |
3 | 功能:自动进行监测和分析。对侵犯检测方法进行分类,并对数据包进行协议分析
4 |
5 |
6 |
7 |
8 |
9 |
针对目前越来越多的互联网遭受黑客攻击的现象,单纯依靠防火墙、加密等技术已经难以保证网络的安全性,发展入侵检测技术显得尤其重要。 10 | 入侵检测技术是一种动态的安全技术,异常检测和误用检测是入侵检测系统设计的最主要的技术,基于这一理论,设计开发了基于winpcap的对于ARP、CHTP攻击方式的检测工具。 11 | 对入侵检测方法进行分类,并对数据包进行协议分析,通过该系统可以对付网络攻击,包括安全审计、监视、攻击识别和响应。 12 | 13 | 14 | 15 | 16 | 17 | 18 | 可以通過編程的方式構建ARP應答數據包,然後發送給欺騙者,用假的IP地址與MAC地址的映射來更新被欺騙者的ARP高速緩存,實現對被欺騙者的ARP欺騙 19 | 20 | 21 | 22 | ########## 23 | ##### 24 | 入侵:绕过系统安全机制的非授权行为。 25 | 26 | 入侵检测:是一种对计算机系统或者网络事件进行监测并分析这些入侵事件特征的过程。 27 | 28 | 入侵检测系统:自动进行这种监测和分析过程的软件或硬件产品。 29 | 30 | 误报:检测系统在检测时把系统的正常行为判为入侵行为的错误被称为误报。 31 | 32 | 漏报:检测系统在检测时把某些入侵行为判为正常行为的错误现象称为漏报。 33 | 34 | 检测原理:通过对计算机网络或者计算机系统中的若干关键点收集信息并对其进行分析,从中发现网络或者系统中是否有违反安全策略的行为和被攻击的迹象 35 | 36 | 技术要求:入侵检测系统需要更多的智能,它必须可以将得到的数据进行分析,并得出有用的结果。一个合格的入侵检测系统能大大地简化管理员的工作,保证网络的安全运行 37 | 38 | 系统部署:入侵检测系统是处于防火墙之后对网络活动的实时监控,不仅能检测来自外部的入侵行为,同时也监督内部用户的未授权活动 39 | ![photo](https://github.com/KaryKim/C/blob/master/71.png) 40 | ![photo](https://github.com/KaryKim/C/blob/master/991.png) 41 | -------------------------------------------------------------------------------- /obj/x86/Debug/入侵检测系统.csproj.FileListAbsolute.txt: -------------------------------------------------------------------------------- 1 | C:\Users\yantao\Desktop\Catch-IDS-master\Lan_Ids\obj\x86\Debug\入侵检测系统.exe 2 | C:\Users\yantao\Desktop\Catch-IDS-master\Lan_Ids\obj\x86\Debug\入侵检测系统.pdb 3 | C:\Users\yantao\Desktop\Catch-IDS-master\Lan_Ids\bin\Debug\入侵检测系统.exe 4 | C:\Users\yantao\Desktop\Catch-IDS-master\Lan_Ids\bin\Debug\入侵检测系统.pdb 5 | C:\Users\yantao\Desktop\Catch-IDS-master\Lan_Ids\obj\x86\Debug\入侵检测系统.csprojResolveAssemblyReference.cache 6 | C:\Users\Administrator\Desktop\14200135116闫涛信息安全期末大作业\源码\Lan_Ids\obj\x86\Debug\入侵检测系统.exe 7 | C:\Users\Administrator\Desktop\14200135116闫涛信息安全期末大作业\源码\Lan_Ids\obj\x86\Debug\入侵检测系统.pdb 8 | C:\Users\Administrator\Desktop\14200135116闫涛信息安全期末大作业\源码\Lan_Ids\bin\Debug\入侵检测系统.exe 9 | C:\Users\Administrator\Desktop\14200135116闫涛信息安全期末大作业\源码\Lan_Ids\bin\Debug\入侵检测系统.pdb 10 |
C:\Users\Administrator\Desktop\14200135116闫涛信息安全期末大作业\源码\Lan_Ids\obj\x86\Debug\ResolveAssemblyReference.cache 11 | E:\dasan\网络安全上机报告及大作业\系统代码\Lan_Ids\bin\Debug\入侵检测系统.exe 12 | E:\dasan\网络安全上机报告及大作业\系统代码\Lan_Ids\bin\Debug\入侵检测系统.pdb 13 | E:\dasan\网络安全上机报告及大作业\系统代码\Lan_Ids\obj\x86\Debug\入侵检测系统.csprojAssemblyReference.cache 14 | E:\dasan\网络安全上机报告及大作业\系统代码\Lan_Ids\obj\x86\Debug\入侵检测系统.csproj.CoreCompileInputs.cache 15 | E:\dasan\网络安全上机报告及大作业\系统代码\Lan_Ids\obj\x86\Debug\入侵检测系统.csproj.CopyComplete 16 | E:\dasan\网络安全上机报告及大作业\系统代码\Lan_Ids\obj\x86\Debug\入侵检测系统.exe 17 | E:\dasan\网络安全上机报告及大作业\系统代码\Lan_Ids\obj\x86\Debug\入侵检测系统.pdb 18 | -------------------------------------------------------------------------------- /log.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Text; 5 | using System.IO; 6 | using Ng_IDS.Model; 7 | 8 | namespace Open_HIDS 9 | { 10 | class log 11 | { 12 | public static void writeError(Exception ex) 13 | { 14 | StreamWriter wr = null; 15 | try 16 | { 17 | wr = new StreamWriter(AppDomain.CurrentDomain.BaseDirectory+"Log.txt",true); 18 | wr.WriteLine(DateTime.Now.ToString()+": "+ex.Source.ToString().Trim() +" ; "+ex.Message.ToString().Trim()); 19 | wr.Flush(); 20 | wr.Close(); 21 | } 22 | catch (Exception) 23 | { 24 | 25 | throw; 26 | } 27 | } 28 | 29 | public static void Evint(string action) 30 | { 31 | StreamWriter wr = null; 32 | try 33 | { 34 | wr = new StreamWriter(AppDomain.CurrentDomain.BaseDirectory + "Log.txt", true); 35 | wr.WriteLine(DateTime.Now.ToString() +": "+action); 36 | wr.Flush(); 37 | wr.Close(); 38 | } 39 | catch (Exception) 40 | { 41 | 42 | throw; 43 | } 44 | } 45 | 46 | public static void attackLog(scan s) 47 | { 48 | StreamWriter wr = null; 49 | try 50 | { 51 | wr = new StreamWriter(AppDomain.CurrentDomain.BaseDirectory + "AttacksDB.txt", true); 52 | wr.WriteLine(DateTime.Now.ToString() + ": " + "Attacke 
Name : {0} , Time : {1} , Attacker HardwareAddress : {2} , Attacker ip address : {3} ", s.Attack_data[0], s.Attack_data[3], s.Attack_data[2], s.Attack_data[1]);
53 |                 wr.Flush();
54 |                 wr.Close();
55 |             }
                  // NOTE(review): the catch only rethrows and there is no finally/using, so
                  // if WriteLine or Flush throws, wr.Close() above is skipped.
56 |             catch (Exception)
57 |             {
58 |
59 |                 throw;
60 |             }
61 |         }
62 |     }
63 | }
64 |
--------------------------------------------------------------------------------
/Model/MitmProtcols.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 | using PacketDotNet;
6 | using SharpPcap;
7 |
8 | namespace Ng_IDS.Model
9 | {
10 |     class MitmProtcols
11 |     {
12 |
              // Labels a captured frame: "ARP" when it carries an ARP packet, "DHCP" when
              // the UDP port test passes, otherwise "". ParsePacket/Extract are not wrapped
              // in try/catch here, so any exception they raise reaches the caller.
13 |         public static string GetMitmProtocol(CaptureEventArgs e)
14 |         {
15 |             var mypacket = Packet.ParsePacket(e.Packet.LinkLayerType, e.Packet.Data);
16 |             var arp = (ARPPacket)mypacket.Extract(typeof(ARPPacket));
17 |             var udp = (UdpPacket)mypacket.Extract(typeof(UdpPacket));
18 |             if (arp != null)
19 |             {
20 |                 return "ARP";
21 |             }
22 |             if (udp != null)
23 |             {
                      // NOTE(review): DestinationPort cannot equal 67 and 68 at the same
                      // time, so this branch is dead and "DHCP" is never returned. DHCP uses
                      // UDP 67 (server) and 68 (client); presumably `||` was intended -
                      // confirm, otherwise DHCP traffic is never labelled by this method.
24 |                 if (udp.DestinationPort == 67 && udp.DestinationPort == 68)
25 |                 {
26 |                     return "DHCP";
27 |                 }
28 |             }
29 |             return "";
30 |         }
31 |
              // Returns 1 when the frame carries an ARP packet, otherwise 0.
32 |         public static int GetArpTrafic(CaptureEventArgs e)
33 |         {
34 |             var mypacket = Packet.ParsePacket(e.Packet.LinkLayerType, e.Packet.Data);
35 |             var arp = (ARPPacket)mypacket.Extract(typeof(ARPPacket));
36 |             int num = 0;
37 |
38 |             if (arp != null)
39 |             {
40 |                 num++;
                      // Post-increment: the value returned is 1; the second increment is discarded.
41 |                 return num++;
42 |             }
43 |             return 0;
44 |         }
45 |
              // Intended to return 1 for a DHCP datagram, otherwise 0.
46 |         public static int GetDhcpTrafic(CaptureEventArgs e)
47 |         {
48 |             var mypacket = Packet.ParsePacket(e.Packet.LinkLayerType, e.Packet.Data);
49 |             var udp = (UdpPacket)mypacket.Extract(typeof(UdpPacket));
50 |             int num = 0;
51 |             if (udp != null)
52 |             {
                      // NOTE(review): same always-false test as in GetMitmProtocol
                      // (port == 67 && port == 68), so this method always returns 0 and any
                      // DHCP counter fed from it stays at zero. Presumably `||` - confirm.
53 |                 if (udp.DestinationPort == 67 && udp.DestinationPort == 68)
54 |                 {
55 |                     num++;
56 |                     return num;
57 |                 }
58 |             }
59 |             return 0;
60 |         }
61 |
              // Returns 1 when the frame carries a UDP packet, otherwise 0.
62 |         public static int GetUdpTrafic(CaptureEventArgs e)
63 |         {
64 |             var mypacket =
Packet.ParsePacket(e.Packet.LinkLayerType, e.Packet.Data); 65 | var udp = (UdpPacket)mypacket.Extract(typeof(UdpPacket)); 66 | int num = 0; 67 | if (udp != null) 68 | { 69 | num++; 70 | return num; 71 | 72 | } 73 | return 0; 74 | } 75 | 76 | public static int GetTCPTrafic(CaptureEventArgs e) 77 | { 78 | var mypacket = Packet.ParsePacket(e.Packet.LinkLayerType, e.Packet.Data); 79 | var tcp = (TcpPacket)mypacket.Extract(typeof(TcpPacket)); 80 | int num = 0; 81 | if (tcp != null) 82 | { 83 | num++; 84 | return num; 85 | 86 | } 87 | return 0; 88 | } 89 | 90 | public static int GetIcmpTrafic(CaptureEventArgs e) 91 | { 92 | var mypacket = Packet.ParsePacket(e.Packet.LinkLayerType, e.Packet.Data); 93 | var icmp = (ICMPv4Packet)mypacket.Extract(typeof(ICMPv4Packet)); 94 | int num = 0; 95 | if (icmp != null) 96 | { 97 | num++; 98 | return num++; 99 | 100 | } 101 | return 0; 102 | } 103 | } 104 | } 105 | -------------------------------------------------------------------------------- /.vs/入侵检测系统/v15/Server/sqlite3/storage.ide: -------------------------------------------------------------------------------- 1 | SQLite format 3@ .A  -------------------------------------------------------------------------------- /bin/Debug/AttacksDB.txt: -------------------------------------------------------------------------------- 1 | 12/6/2017 10:03:20 AM: Attacke Name : arp spofing , Time : 10:03 AM , Attacker HardwareAddress : D0011D440000 , Attacker ip address : 192.168.123.106 2 | 12/6/2017 10:06:25 AM: Attacke Name : arp spofing , Time : 10:06 AM , Attacker HardwareAddress : D00111400000 , Attacker ip address : 192.168.123.106 3 | 12/6/2017 10:06:25 AM: Attacke Name : arp spofing , Time : 10:06 AM , Attacker HardwareAddress : D00111400000 , Attacker ip address : 192.168.123.106 4 | 12/6/2017 10:07:27 AM: Attacke Name : arp spofing , Time : 10:07 AM , Attacker HardwareAddress : D00111400000 , Attacker ip address : 192.168.123.106 5 | 12/15/2017 3:02:35 AM: Attacke Name : arp spofing , 
Time : 3:02 AM , Attacker HardwareAddress : 000DB0049044 , Attacker ip address : 192.168.123.106 6 | 12/15/2017 3:03:20 AM: Attacke Name : arp spofing , Time : 3:03 AM , Attacker HardwareAddress : 000DB0049044 , Attacker ip address : 192.168.123.106 7 | 12/15/2017 3:04:04 AM: Attacke Name : arp spofing , Time : 3:04 AM , Attacker HardwareAddress : 000DB0049044 , Attacker ip address : 192.168.123.106 8 | 12/15/2017 3:05:01 AM: Attacke Name : arp spofing , Time : 3:05 AM , Attacker HardwareAddress : 000DB0049044 , Attacker ip address : 192.168.123.106 9 | 12/15/2017 3:07:13 AM: Attacke Name : arp spofing , Time : 3:07 AM , Attacker HardwareAddress : 000DB0049044 , Attacker ip address : 192.168.123.106 10 | 12/15/2017 3:07:59 AM: Attacke Name : arp spofing , Time : 3:07 AM , Attacker HardwareAddress : 000DB0049044 , Attacker ip address : 192.168.123.106 11 | 12/15/2017 3:08:00 AM: Attacke Name : arp spofing , Time : 3:08 AM , Attacker HardwareAddress : 000DB0049044 , Attacker ip address : 192.168.123.106 12 | 12/15/2017 3:34:38 AM: Attacke Name : arp spofing , Time : 3:34 AM , Attacker HardwareAddress : 000DB0049044 , Attacker ip address : 192.168.123.106 13 | 12/15/2017 3:35:23 AM: Attacke Name : arp spofing , Time : 3:35 AM , Attacker HardwareAddress : 000DB0049044 , Attacker ip address : 192.168.123.106 14 | 12/15/2017 3:52:27 AM: Attacke Name : arp spofing , Time : 3:52 AM , Attacker HardwareAddress : 000DB0049044 , Attacker ip address : 192.168.123.106 15 | 12/15/2017 3:52:29 AM: Attacke Name : arp spofing , Time : 3:52 AM , Attacker HardwareAddress : 000DB0049044 , Attacker ip address : 192.168.123.106 16 | 12/15/2017 3:52:35 AM: Attacke Name : arp spofing , Time : 3:52 AM , Attacker HardwareAddress : 000DB0049044 , Attacker ip address : 192.168.123.106 17 | 12/15/2017 3:53:00 AM: Attacke Name : arp spofing , Time : 3:53 AM , Attacker HardwareAddress : 000DB0049044 , Attacker ip address : 192.168.123.106 18 | 12/15/2017 3:53:24 AM: Attacke Name : arp spofing , 
Time : 3:53 AM , Attacker HardwareAddress : 000DB0049044 , Attacker ip address : 192.168.123.106 19 | 12/15/2017 3:53:49 AM: Attacke Name : arp spofing , Time : 3:53 AM , Attacker HardwareAddress : 000DB0049044 , Attacker ip address : 192.168.123.106 20 | 12/15/2017 3:54:16 AM: Attacke Name : arp spofing , Time : 3:54 AM , Attacker HardwareAddress : 000DB0049044 , Attacker ip address : 192.168.123.106 21 | 12/15/2017 3:54:41 AM: Attacke Name : arp spofing , Time : 3:54 AM , Attacker HardwareAddress : 000DB0049044 , Attacker ip address : 192.168.123.106 22 | 12/15/2017 3:57:44 PM: Attacke Name : DHCP spofing , Time : 3:57 PM , Attacker HardwareAddress : 000DB0049044 , Attacker ip address : 192.168.123.106 23 | 12/15/2017 3:58:41 PM: Attacke Name : DHCP spofing , Time : 3:58 PM , Attacker HardwareAddress : 000DB0049044 , Attacker ip address : 192.168.123.106 24 | 12/15/2017 3:59:21 PM: Attacke Name : DHCP spofing , Time : 3:59 PM , Attacker HardwareAddress : 000DB0049044 , Attacker ip address : 192.168.123.106 25 | 2017/12/23 23:31:14: Attacke Name : arp spofing , Time : 23:31 , Attacker HardwareAddress : C4365574F350 , Attacker ip address : 192.168.0.1 26 | 2017/12/23 23:31:53: Attacke Name : arp spofing , Time : 23:31 , Attacker HardwareAddress : C4365574F350 , Attacker ip address : 192.168.0.1 27 | 2017/12/23 23:49:40: Attacke Name : arp spofing , Time : 23:49 , Attacker HardwareAddress : C4365574F350 , Attacker ip address : 192.168.0.1 28 | 2017/12/23 23:53:11: Attacke Name : arp spofing , Time : 23:53 , Attacker HardwareAddress : C4365574F350 , Attacker ip address : 192.168.0.1 29 | 2017/12/23 23:54:00: Attacke Name : arp spofing , Time : 23:53 , Attacker HardwareAddress : C4365574F350 , Attacker ip address : 192.168.0.1 30 | -------------------------------------------------------------------------------- /入侵检测系统.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Debug 5 | x86 6 | 8.0.30703 7 | 2.0 8 | 
{27B95FA3-48F3-4035-BC88-82AD847FB8E5} 9 | Exe 10 | Properties 11 | catch 12 | 入侵检测系统 13 | v4.0 14 | Client 15 | 512 16 | publish\ 17 | true 18 | Disk 19 | false 20 | Foreground 21 | 7 22 | Days 23 | false 24 | false 25 | true 26 | 0 27 | 1.0.0.%2a 28 | false 29 | false 30 | true 31 | 32 | 33 | x86 34 | true 35 | full 36 | false 37 | bin\Debug\ 38 | DEBUG;TRACE 39 | prompt 40 | 4 41 | 42 | 43 | x86 44 | pdbonly 45 | true 46 | bin\Release\ 47 | TRACE 48 | prompt 49 | 4 50 | 51 | 52 | 53 | ..\..\Ng_IDS\Ng_IDS\bin\Debug\PacketDotNet.dll 54 | 55 | 56 | ..\..\Ng_IDS\Ng_IDS\bin\Debug\SharpPcap.dll 57 | 58 | 59 | 60 | 61 | ..\..\Ng_IDS\Ng_IDS\bin\Debug\System.Data.SQLite.dll 62 | 63 | 64 | ..\..\Ng_IDS\Ng_IDS\bin\Debug\System.Data.SQLite.EF6.dll 65 | 66 | 67 | ..\..\Ng_IDS\Ng_IDS\bin\Debug\System.Data.SQLite.Linq.dll 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | False 92 | Microsoft .NET Framework 4 Client Profile %28x86 and x64%29 93 | true 94 | 95 | 96 | False 97 | .NET Framework 3.5 SP1 98 | false 99 | 100 | 101 | False 102 | Windows Installer 4.5 103 | true 104 | 105 | 106 | 107 | 114 | -------------------------------------------------------------------------------- /Model/scan.cs: -------------------------------------------------------------------------------- 1 | using SharpPcap; 2 | using System; 3 | using System.Collections.Generic; 4 | using System.Linq; 5 | using System.Text; 6 | using System.Data; 7 | using PacketDotNet; 8 | 9 | namespace Ng_IDS.Model 10 | { 11 | class scan 12 | { 13 | public bool Attack { get; set; } 14 | public string Attacker_mac { get; set; } 15 | public string[] Attack_data = new string[10]; 16 | public void ScanAttack(CaptureEventArgs e,string Interface,string ip) 17 | { 18 | var mypacket = Packet.ParsePacket(e.Packet.LinkLayerType, e.Packet.Data); 19 | var arp = (ARPPacket)mypacket.Extract(typeof(ARPPacket)); 20 | if (arp !=null) 21 | { 22 | var Operation = 
arp.Operation.ToString();
23 |
                  // Only ARP packets whose sender IP equals `ip` (string comparison) are
                  // examined - presumably `ip` is the gateway address; confirm with the caller.
24 |                 if (arp.SenderProtocolAddress.ToString() == ip)
25 |                 {
                      // Requests are ignored; only ARP responses are checked.
26 |                     if (arp.Operation == ARPOperation.Response)
27 |                     {
28 |                         var dec = arp.SenderHardwareAddress.ToString();
29 |                         var decip = arp.SenderProtocolAddress.ToString();
                          // NOTE(review): a new ado (with its own SQLiteConnection field) is
                          // created for every matching packet, and selectname() in
                          // Model/ado.cs returns before its conn.Close(), so nothing on this
                          // path closes the connection.
30 |                         ado a = new ado();
                          // selectname() builds its SQL with string.Format; `Interface` is
                          // placed into the statement text unescaped.
31 |                         DataTable dt = a.selectname("Router", Interface);
32 |                         if (dt.Rows.Count > 0)
33 |                         {
34 |
                              // NOTE(review): there is no break, so every stored "Router" row
                              // overwrites Attack and the last row decides. With more than one
                              // row for the interface, a sender that matches an earlier row is
                              // still reported. dec is compared to mac_ad as an exact string,
                              // so stored values must use the same format as
                              // PhysicalAddress.ToString() (bin/Debug/AttacksDB.txt shows
                              // 12 hex digits without separators) - confirm how rows are written.
35 |                             foreach (DataRow item in dt.Rows)
36 |                             {
37 |                                 string mac = item["mac_ad"].ToString();
38 |                                 if (dec == mac)
39 |                                 {
40 |                                     Attack = false;
41 |                                 }
42 |                                 else
43 |                                 {
                                      // Attack_data layout written here: [0] attack name,
                                      // [1] sender IP, [2] sender MAC, [3] local short time,
                                      // [4]-[7] the stored row (mac, ip, date, name).
44 |                                     Attack = true;
45 |                                     Attack_data[0] = "arp spofing";
46 |                                     Attack_data[1] = decip.ToString();
47 |                                     Attack_data[2] = dec.ToString();
48 |                                     Attack_data[3] = DateTime.Now.ToShortTimeString();
49 |                                     Attacker_mac = dec;
50 |                                     // true data
51 |                                     Attack_data[4] = mac;
52 |                                     Attack_data[5] = item["ip"].ToString();
53 |                                     Attack_data[6] = item["date"].ToString();
54 |                                     Attack_data[7] = item["name"].ToString();
55 |                                 }
56 |                             }
57 |                         }
                          // NOTE(review): with no stored "Router" row for the interface,
                          // Attack is left unchanged - without a baseline nothing is flagged.
58 |                         else
59 |                         {
60 |
61 |                         }
62 |
63 |
64 |                     }
65 |                 }
66 |
67 |             }
68 |         }
69 |
              // Flags UDP traffic to port 68 whose Ethernet source MAC has no "Router" row
              // for this interface (lookup via ado.selectmac).
70 |         public void ScanDhcp(CaptureEventArgs e,string Interface)
71 |         {
72 |             var mypacket = Packet.ParsePacket(e.Packet.LinkLayerType, e.Packet.Data);
73 |             var udp = (UdpPacket)mypacket.Extract(typeof(UdpPacket));
74 |             if (udp != null)
75 |             {
                  // 68 is the DHCP client port. The payload is not parsed, so any UDP
                  // datagram sent to port 68 is treated as a DHCP reply.
76 |                 if (udp.DestinationPort == 68)
77 |                 {
                      // The GetEncapsulated results are dereferenced without a null check.
78 |                     var DestinationHwAddress = EthernetPacket.GetEncapsulated(mypacket).DestinationHwAddress;
79 |                     var SourceHwAddress = EthernetPacket.GetEncapsulated(mypacket).SourceHwAddress;
80 |                     var DestinationipAddress = IpPacket.GetEncapsulated(mypacket).DestinationAddress;
81 |                     var SourceipAddress = IpPacket.GetEncapsulated(mypacket).SourceAddress;
82 |                     ado a = new ado();
83 |                     DataTable dt = a.selectmac(SourceHwAddress.ToString(), Interface);
84 |
85 |                     if (dt.Rows.Count > 0)
86 |                     {
87 |                         Attack = false;
88 |                     }
89 |                     else
90 |                     {
91 |                         Attack = true;
92 |                         Attack_data[0] = "DHCP spofing";
93 |                         Attack_data[1] = SourceipAddress.ToString();
                          // NOTE(review): index 2 receives DestinationHwAddress, but the
                          // lookup above used SourceHwAddress and log.attackLog prints index 2
                          // as "Attacker HardwareAddress" - the logged MAC is the frame's
                          // destination, not its sender. Presumably SourceHwAddress was
                          // intended - confirm.
94 |                         Attack_data[2] =
DestinationHwAddress.ToString();
95 |                         Attack_data[3] = DateTime.Now.ToShortTimeString();
96 |                     }
97 |                 }
98 |             }
99 |         }
100 |
               // Stub: parses the frame and tests for UDP destination port 53, but the
               // matching branch is empty - no detection is performed and no state changes.
101 |         public void ScanDNS(CaptureEventArgs e)
102 |         {
103 |             var mypacket = Packet.ParsePacket(e.Packet.LinkLayerType, e.Packet.Data);
104 |             var udp = (UdpPacket)mypacket.Extract(typeof(UdpPacket));
105 |             if (udp !=null)
106 |             {
107 |                 if (udp.DestinationPort == (ushort)53)
108 |                 {
109 |
110 |                 }
111 |             }
112 |         }
113 |
               // Stub: tests for TCP destination port 80; the matching branch is empty.
114 |         public void ScanHTTP(CaptureEventArgs e)
115 |         {
116 |             var mypacket = Packet.ParsePacket(e.Packet.LinkLayerType, e.Packet.Data);
117 |             var tcp = (TcpPacket)mypacket.Extract(typeof(TcpPacket));
118 |             if (tcp != null)
119 |             {
120 |                 if (tcp.DestinationPort == 80)
121 |                 {
122 |
123 |                 }
124 |             }
125 |         }
126 |
               // Stub: tests the TCP destination port against `port`; the matching branch
               // is empty and `data` is never read.
127 |         public void CreatesignatureTCP(CaptureEventArgs e, int port, string data)
128 |         {
129 |             var mypacket = Packet.ParsePacket(e.Packet.LinkLayerType, e.Packet.Data);
130 |             var tcp = (TcpPacket)mypacket.Extract(typeof(TcpPacket));
131 |             if (tcp != null)
132 |             {
133 |                 if (tcp.DestinationPort == port)
134 |                 {
135 |
136 |                 }
137 |             }
138 |         }
139 |
140 |
               // Empty placeholder: no Fraggle detection is implemented.
141 |         public void FraggleAttack()
142 |         {
143 |
144 |         }
145 |
146 |
               // Empty placeholder: no SYN-flood detection is implemented.
147 |         public void SYN_flood_Attack()
148 |         {
149 |
150 |         }
151 |
152 |
153 |     }
154 | }
155 |
--------------------------------------------------------------------------------
/Model/ado.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 | using System.Data;
6 | using System.Data.SQLite;
7 | using System.IO;
8 |
9 | namespace Ng_IDS.Model
10 | {
11 |     class ado
12 |     {
              // Connection shared by the instance methods of this class. The data source is
              // the relative name "data.sqlite", whereas log.cs builds its file paths from
              // AppDomain.CurrentDomain.BaseDirectory.
              // NOTE(review): a relative name presumably resolves against the process
              // working directory - confirm, since this file holds the MAC baseline the
              // detections compare against.
13 |         public SQLiteConnection conn = new SQLiteConnection("Data Source=data.sqlite;Version=3;");
14 |
              // Creates data.sqlite and the `mac` table; failures are only written to the
              // console.
              // NOTE(review): SQLiteConnection.CreateFile is expected to create an empty
              // file, replacing an existing data.sqlite - confirm; if so, calling this again
              // discards the stored baseline. The local connection `my` is not closed in the
              // visible code.
15 |         public void creatDB()
16 |         {
17 |             try
18 |             {
19 |                 SQLiteConnection.CreateFile("data.sqlite");
20 |                 SQLiteConnection my;
21 |                 my = new SQLiteConnection("Data Source=data.sqlite;Version=3;");
22 |                 my.Open();
23 |
string sql = "Create Table mac(id integer Primary key AUTOINCREMENT,name varchar(500),inter varchar(500),mac_ad varchar(500),ip varchar(500),date varchar(500))"; 24 | SQLiteCommand comm = new SQLiteCommand(sql, my); 25 | comm.ExecuteNonQuery(); 26 | } 27 | catch (Exception ex) 28 | { 29 | Console.WriteLine(ex.ToString()); 30 | } 31 | 32 | } 33 | public void insert(Data dt) 34 | { 35 | if (conn.State == ConnectionState.Closed) 36 | { 37 | conn.Open(); 38 | } 39 | var sql = "Insert into mac(name,inter,mac_ad,ip,date) values (@name,@inter,@mac_ad,@ip,@date)"; 40 | SQLiteCommand cmd = new SQLiteCommand(sql, conn); 41 | 42 | cmd.Parameters.AddWithValue("@name", dt.name); 43 | cmd.Parameters.AddWithValue("@inter", dt.inter); 44 | cmd.Parameters.AddWithValue("@mac_ad", dt.mac); 45 | cmd.Parameters.AddWithValue("@ip", dt.ip); 46 | cmd.Parameters.AddWithValue("@date", dt.date); 47 | cmd.ExecuteNonQuery(); 48 | conn.Close(); 49 | } 50 | 51 | public DataTable selectname(string name,string Interface) 52 | { 53 | if (conn.State == ConnectionState.Closed) 54 | { 55 | conn.Open(); 56 | } 57 | 58 | var sql =string.Format("Select * from mac where name='{0}' and inter='{1}'", name, Interface); 59 | SQLiteCommand cmd = new SQLiteCommand(sql, conn); 60 | //cmd.ExecuteReader(); 61 | DataTable tp = new DataTable(); 62 | SQLiteDataAdapter adp = new SQLiteDataAdapter(cmd); 63 | adp.Fill(tp); 64 | return tp; 65 | conn.Close(); 66 | } 67 | 68 | public DataTable selectAll() 69 | { 70 | conn.Open(); 71 | var sql = "Select * from mac"; 72 | SQLiteCommand cmd = new SQLiteCommand(sql, conn); 73 | DataTable tp = new DataTable(); 74 | SQLiteDataAdapter adp = new SQLiteDataAdapter(cmd); 75 | adp.Fill(tp); 76 | return tp; 77 | conn.Close(); 78 | } 79 | 80 | public void Delete(int id) 81 | { 82 | using (SQLiteConnection con = new SQLiteConnection("Data Source=data.sqlite;Version=3;")) 83 | { 84 | con.Open(); 85 | var sql = "DELETE FROM mac where id=@id"; 86 | SQLiteCommand cmd = new 
SQLiteCommand(sql, con); 87 | cmd.Parameters.AddWithValue("@id", id); 88 | cmd.ExecuteNonQuery(); 89 | conn.Close(); 90 | } 91 | ; 92 | 93 | } 94 | 95 | public DataTable select(Data dt) 96 | { 97 | conn.Open(); 98 | var sql = string.Format("Select * from mac where inter='{0}'", dt.inter); 99 | SQLiteCommand cmd = new SQLiteCommand(sql, conn); 100 | //cmd.ExecuteReader(); 101 | DataTable tp = new DataTable(); 102 | SQLiteDataAdapter adp = new SQLiteDataAdapter(cmd); 103 | adp.Fill(tp); 104 | return tp; 105 | // conn.Close(); 106 | } 107 | 108 | public DataTable selectmac(string mac,string inter) 109 | { 110 | conn.Open(); 111 | var sql = string.Format("Select * from mac where mac_ad='{0}' and name ='Router' and inter='{1}'", mac,inter); 112 | SQLiteCommand cmd = new SQLiteCommand(sql, conn); 113 | //cmd.ExecuteReader(); 114 | DataTable tp = new DataTable(); 115 | SQLiteDataAdapter adp = new SQLiteDataAdapter(cmd); 116 | adp.Fill(tp); 117 | return tp; 118 | // conn.Close(); 119 | } 120 | 121 | public DataTable checkpc(string ip,string mac, string inter) 122 | { 123 | conn.Open(); 124 | var sql = string.Format("Select * from mac where mac_ad='{0}' and name ='PC' and inter='{1}' and ip ='{2}'", mac, inter,ip); 125 | SQLiteCommand cmd = new SQLiteCommand(sql, conn); 126 | //cmd.ExecuteReader(); 127 | DataTable tp = new DataTable(); 128 | SQLiteDataAdapter adp = new SQLiteDataAdapter(cmd); 129 | adp.Fill(tp); 130 | return tp; 131 | // conn.Close(); 132 | } 133 | public string selectmacstring(string inter) 134 | { 135 | conn.Open(); 136 | var sql = string.Format("Select * from mac where name='Router' and inter='{0}'", inter); 137 | SQLiteCommand cmd = new SQLiteCommand(sql, conn); 138 | //cmd.ExecuteReader(); 139 | DataTable tp = new DataTable(); 140 | SQLiteDataAdapter adp = new SQLiteDataAdapter(cmd); 141 | adp.Fill(tp); 142 | if (tp.Rows.Count > 0) 143 | { 144 | foreach (DataRow item in tp.Rows) 145 | { 146 | return item["mac_ad"].ToString(); 147 | } 148 | } 149 | 
return ""; 150 | 151 | // conn.Close(); 152 | } 153 | 154 | public int selectId(string inter) 155 | { 156 | conn.Open(); 157 | var sql = "Select * from mac where inter=@in and name='Router'"; 158 | SQLiteCommand cmd = new SQLiteCommand(sql, conn); 159 | cmd.Parameters.AddWithValue("@in", inter); 160 | //cmd.ExecuteReader(); 161 | DataTable tp = new DataTable(); 162 | SQLiteDataAdapter adp = new SQLiteDataAdapter(cmd); 163 | adp.Fill(tp); 164 | if (tp.Rows.Count > 0) 165 | { 166 | foreach (DataRow item in tp.Rows) 167 | { 168 | int f =Convert.ToInt16(item[0]); 169 | return f; 170 | } 171 | } 172 | return 0; 173 | //conn.Close(); 174 | // conn.Close(); 175 | } 176 | public void up(int id,string ip,string mac) 177 | { 178 | SQLiteConnection con = new SQLiteConnection("Data Source=data.sqlite;Version=3;"); 179 | con.Open(); 180 | string sql = string.Format("Update mac SET mac_ad=@mac and ip=@ip and date=@d where id=@id"); 181 | // SQLiteCommand cmd = new SQLiteCommand("Update tp Set name = @n Where id= '1'", conn); 182 | SQLiteCommand cmd = new SQLiteCommand(sql, con); 183 | cmd.Parameters.AddWithValue("@ip", "ffdfdf"); 184 | cmd.Parameters.AddWithValue("@mac", "Gdsdgzsdf"); 185 | cmd.Parameters.AddWithValue("@id", id); 186 | cmd.Parameters.AddWithValue("@d", DateTime.Now.ToString()); 187 | cmd.ExecuteNonQuery(); 188 | conn.Close(); 189 | } 190 | } 191 | 192 | // most id be unic 193 | // 194 | } 195 | -------------------------------------------------------------------------------- /Program.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Text; 5 | using SharpPcap.WinPcap; 6 | using SharpPcap; 7 | using System.Data; 8 | using PacketDotNet; 9 | using System.Net.NetworkInformation; 10 | using System.Net; 11 | using Ng_IDS.Model; 12 | using System.Threading; 13 | using System.Runtime.InteropServices; 14 | using System.Net.Sockets; 15 | using 
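System.IO;
using System.Collections;

namespace Open_HIDS
{
    /// <summary>
    /// Console front end: picks a capture device, records the gateway's MAC as the
    /// baseline, then runs the ARP / DHCP spoofing checks and the clear-text protocol
    /// notices on captured packets.
    /// </summary>
    class Program
    {

        static int devIndex;
        static public string gat { get; set; }
        static public string Hip { get; set; }
        static public string Hmac { get; set; }
        static public string Hinter { get; set; }
        static public string Hdefullt { get; set; }
        static public string Rip { get; set; }
        static public string Rmac { get; set; }
        static public bool RunArp { get; set; }
        static public bool RunDhcp { get; set; }
        static public bool RunAll { get; set; }
        static public bool scan { get; set; }

        static string commend;
        public static int num { get; set; }

        /// <summary>
        /// Entry point: prepares the database and port-rule file, lets the operator pick
        /// an adapter, resolves the gateway MAC, reconciles it with the stored baseline
        /// and hands over to the command prompt.
        /// </summary>
        static void Main(string[] args)
        {

            Console.WriteLine(Environment.NewLine);
            Console.Title = "入侵检测系统";
            Console.WriteLine(@"");
            Console.WriteLine(@"计算机1621 ");
            Console.WriteLine(@"1630107137 陈灿婷");
            Console.WriteLine(@"入侵检测系统的设计与实现");


            Console.WriteLine(Environment.NewLine);

            if (!File.Exists("data.sqlite"))
            {
                ado o = new ado();
                o.creatDB();

            }
            if (!File.Exists("ports.port"))
            {
                create_file();
            }

            WinPcapDeviceList devices;
            try
            {
                devices = WinPcapDeviceList.Instance;
            }
            catch (Exception)
            {

                Console.WriteLine("没有发现接口!确保在本地机器上正确安装libpcap /WinPcap.");
                Thread.Sleep(5000);
                return;
            }

            if (devices.Count < 1)
            {
                Console.WriteLine("在这台机器上没有发现任何设备,请确认你已经安装了winpcap");
                return;
            }

            Console.WriteLine("请选择一个选项*** :");
            Console.WriteLine("********************************");
            Console.WriteLine();

            int listed = 0;

            foreach (var dev in devices)
            {
                Console.WriteLine("{0}) {1}", listed, dev.Description);
                Console.WriteLine(Environment.NewLine);
                listed++;
            }

            Console.WriteLine();
            Console.Write("***请选择一个选项***: ");

            // The choice is validated before it is used as an index: non-numeric text,
            // negative numbers and an index equal to the device count are all rejected.
            // The operator gets one retry, as before.
            string choice = Console.ReadLine();
            int i;
            if (!TryParseDeviceIndex(choice, devices.Count, out i))
            {
                Console.WriteLine("***{0} 是不正确的*** : ", choice);
                Console.WriteLine("***请选择一个选项*** : ");
                choice = Console.ReadLine();
                if (!TryParseDeviceIndex(choice, devices.Count, out i))
                {
                    return;
                }
            }
            devIndex = i;


            var device = devices[i];


            device.Open(DeviceMode.Promiscuous, 1000);

            // Remember the position of the last IPv4 address on the adapter.
            num = 0;
            int position = 0;
            foreach (var item in device.Addresses)
            {
                if (item.Addr.ipAddress != null
                    && item.Addr.ipAddress.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork)
                {
                    num = position;
                }
                position++;
            }
            Console.WriteLine(Environment.NewLine);
            Console.WriteLine("界面 : {0}", device.Description);


            Hip = device.Addresses[num].Addr.ToString();
            Hmac = device.MacAddress.ToString();

            if (device.Interface.GatewayAddress == null)
            {

                Console.WriteLine("你没有GatewayAddress");
                Console.ReadKey();
                return;
            }
            gat = device.Interface.GatewayAddress.ToString();
            Hdefullt = device.Interface.GatewayAddress.ToString();
            // The description is the key stored in the mac table; quotes are stripped
            // before it is stored, so rows written by earlier runs keep matching.
            Hinter = device.Description.Replace("'", "");
            Console.WriteLine(Environment.NewLine);
            Console.WriteLine("IP Address : {0}",device.Addresses[num].Addr);
            Console.WriteLine(Environment.NewLine);
            Console.WriteLine("MAC Address : {0}",device.MacAddress.ToString());
            if (IPAddress.Parse(gat).AddressFamily == AddressFamily.InterNetworkV6)
            {
                Console.WriteLine("Catch不能找到你的网关地址,请输入你的网关地址 : ");
                var g = Console.ReadLine();


                gat = g;
            }


            Console.WriteLine(Environment.NewLine);
            Console.WriteLine("Defult Gatway : {0}",gat);
            Console.WriteLine(Environment.NewLine);
            Console.WriteLine("__________________________Router_______________________________");
            Console.WriteLine("Router IP Address : {0}", gat);



            string myip = device.Addresses[num].Addr.ToString();

            // The gateway may have been typed by the operator; reject anything that is
            // not a valid IP address before it is used to build packets.
            try
            {
                IPAddress address = IPAddress.Parse(gat);
            }
            catch (Exception ex)
            {

                Console.WriteLine(ex.Message + " " + gat);
                Thread.Sleep(3000);
                return;

            }
            if (!string.IsNullOrEmpty(gat))
            {
                EthernetPacket eth = Protect_Arp(device.MacAddress.ToString(), "FFFFFFFFFFFF", myip, gat);
                device.SendPacket(eth);
            }

            // Subscribe on this thread; the handler only runs once capture has started.
            device.OnPacketArrival += new PacketArrivalEventHandler(device_OnPacketArrival);

            Rmac = getGAtWatWayMac(device,gat);
            if (Rmac == "")
            {
                Console.WriteLine("您没有连接到路由器,重新尝试");

                Console.ReadKey();
                return;

            }

            Console.WriteLine("Router MAC Address : {0}", Rmac);

            Rip = gat;

            device.StartCapture();

            Console.WriteLine(Environment.NewLine);




            ado a = new ado();
            if (a.checkpc(Hip,Hmac,Hinter).Rows.Count == 0)
            {
                // checkpc looks the host up under the name 'PC', so the record is stored
                // under exactly that name; otherwise a new row is added on every start.
                Data d = new Data() { date = DateTime.Now.ToString(), inter = Hinter, name="PC", ip= Hip, mac=Hmac };
                a.insert(d);
            }

            DataTable routers = a.selectname("Router", Hinter);
            if (routers.Rows.Count > 0)
            {
                foreach (DataRow item in routers.Rows)
                {
                    string ip = item[4].ToString();
                    string mac = item[3].ToString();
                    string Time = item[5].ToString();
                    int id = Convert.ToInt32(item[0]);
                    if (mac != Rmac)
                    {
                        // The stored baseline differs from the MAC just observed: ask the
                        // operator instead of silently accepting the new address.
                        cheeck(new ado(),ip, mac, Time, id);
                    }
                }
            }
            else
            {
                Data d = new Data() { inter = Hinter, date= DateTime.Now.ToString(), ip = Rip, mac = Rmac, name = "Router"};
                a.insert(d);
            }

            Runcmd();


        }

        /// <summary>
        /// Accepts the text only when it is a whole number that indexes one of
        /// <paramref name="deviceCount"/> devices (0 to deviceCount - 1).
        /// </summary>
        static bool TryParseDeviceIndex(string text, int deviceCount, out int index)
        {
            return int.TryParse(text, out index) && index >= 0 && index < deviceCount;
        }

        /// <summary>Accepts the text only when it is a whole number in the 0-65535 port range.</summary>
        static bool TryParsePort(string text, out int port)
        {
            return int.TryParse(
                       text.Trim(),
                       System.Globalization.NumberStyles.Integer,
                       System.Globalization.CultureInfo.InvariantCulture,
                       out port)
                   && port >= 0 && port <= 65535;
        }

        /// <summary>
        /// Per-packet callback: runs the enabled spoofing checks, raises the alert and
        /// writes the attack log when one fires, then applies the rules in ports.port.
        /// </summary>
        static void device_OnPacketArrival(object sender, CaptureEventArgs e)
        {

            scan s = new scan();
            if (RunArp == true)
            {
                s.ScanAttack(e, Hinter,Rip);
            }
            if (RunDhcp == true)
            {
                s.ScanDhcp(e, Hinter);
            }
            if (s.Attack == true)
            {
                for (int i = 0; i < 3; i++)
                {
                    System.Media.SystemSounds.Hand.Play();
                    Console.WriteLine("********************* You Have Been Attacked **************************");
                    Console.WriteLine(Environment.NewLine);
                    Console.WriteLine("Attack Name : {0} , Time : {1} , Attacker HardwareAddress : {2} , Attacker ip address : {3} ", s.Attack_data[0], s.Attack_data[3], s.Attack_data[2], s.Attack_data[1]);
                    Console.WriteLine(Environment.NewLine);
                    Console.WriteLine("Old data {0} {1} {2} {3} ", s.Attack_data[4], s.Attack_data[5], s.Attack_data[6], s.Attack_data[7]);
                    System.Media.SystemSounds.Hand.Play();
                }

                log.attackLog(s);
            }

            if (scan != true)
            {
                // The rule file is only needed while the clear-text scan is enabled.
                return;
            }

            // NOTE(review): the file is still read for every packet while scanning;
            // caching the parsed rules would keep the callback from stalling capture.
            var txt = File.ReadAllLines("ports.port");
            for (int line = 0; line < txt.Length; line++)
            {
                string item = txt[line];
                if (item.StartsWith("#"))
                {
                    // Message lines are never rules, even if they mention tcp or udp.
                    continue;
                }

                bool isTcp = item.Contains("tcp");
                bool isUdp = item.Contains("udp");
                if (!isTcp && !isUdp)
                {
                    continue;
                }

                // The line after a rule carries its message when it starts with '#';
                // a rule on the last line, or one without a message, gets the default.
                string message = "您正在使用非加密的明文协议请求使用安全协议";
                if (line + 1 < txt.Length && txt[line + 1].StartsWith("#"))
                {
                    message = txt[line + 1];
                }

                // A malformed or out-of-range port is skipped rather than thrown from
                // the capture callback.
                int p;
                if (isTcp && TryParsePort(item.Replace("tcp", ""), out p))
                {
                    scanTCP(e, p, message);
                }
                if (isUdp && TryParsePort(item.Replace("udp", ""), out p))
                {
                    scanUDP(e, p, message);
                }
            }

        }

        /// <summary>
        /// Command prompt. Repeats until a start command is accepted (or input ends);
        /// commands are matched without regard to case, so the "--Start All" spelling
        /// shown in the help text works.
        /// </summary>
        public static void Runcmd()
        {
            while (true)
            {
                Cmd();
                Console.WriteLine("有关特定命令的更多信息,键入- help命令名");
                commend = Console.ReadLine();
                if (commend == null)
                {
                    // Standard input was closed; there is nothing more to read.
                    return;
                }

                string entered = commend.Trim();
                if (entered.Equals("--start arp", StringComparison.OrdinalIgnoreCase))
                {
                    Console.WriteLine(" 成功启动Arp欺骗检测工具 ");
                    RunArp = true;
                    return;
                }
                if (entered.Equals("--start dhcp", StringComparison.OrdinalIgnoreCase))
                {
                    Console.WriteLine(" 成功启动dhcp欺骗检测工具");
                    RunDhcp = true;
                    return;
                }
                if (entered.Equals("--start all", StringComparison.OrdinalIgnoreCase))
                {
                    Console.WriteLine(" 成功启动所有工具");
                    RunArp = true;
                    RunDhcp = true;
                    scan = true;
                    return;
                }
                if (entered.Equals("--start scan", StringComparison.OrdinalIgnoreCase))
                {
                    scan = true;
                    Console.WriteLine("Start Scan");
                    return;
                }
                if (entered.Equals("--attacks", StringComparison.OrdinalIgnoreCase))
                {
                    if (!File.Exists("AttacksDB.txt"))
                    {
                        Console.WriteLine("数据库中没有攻击");

                        Thread.Sleep(1000);
                        continue;
                    }

                    var txt = File.ReadAllLines("AttacksDB.txt");
                    foreach (var item in txt)
                    {
                        Console.WriteLine(item);
                    }
                    Console.WriteLine("按回车键返回 ");

                    if (Console.ReadKey().Key == ConsoleKey.Enter)
                    {
                        Thread.Sleep(500);
                        continue;
                    }
                    return;
                }
                if (entered.Equals("-help", StringComparison.OrdinalIgnoreCase))
                {
                    continue;
                }

                Console.WriteLine(commend + " 不是命令吗,");
                Thread.Sleep(1000);
            }
        }

        /// <summary>
        /// Reads packets until a read returns null and returns the sender hardware address
        /// of the first ARP reply whose sender IP equals the gateway address; returns an
        /// empty string if none is seen.
        /// </summary>
        /// <remarks>
        /// The returned value becomes the trusted baseline, and the first matching reply
        /// wins. If spoofed replies are already on the wire when the tool starts, the
        /// baseline can be wrong; compare it with the router's label or admin page.
        /// </remarks>
        public static string getGAtWatWayMac(WinPcapDevice dev,string GatewayAddress)
        {
            // Parsed once; IPAddress.Equals replaces the obsolete numeric Address property.
            IPAddress gateway = IPAddress.Parse(GatewayAddress);
            RawCapture packet;

            while ((packet = dev.GetNextPacket()) != null)
            {

                var mypacket = Packet.ParsePacket(packet.LinkLayerType, packet.Data);
                var arp = (ARPPacket)mypacket.Extract(typeof(ARPPacket));

                if (arp != null
                    && arp.Operation == ARPOperation.Response
                    && gateway.Equals(arp.SenderProtocolAddress))
                {
                    return arp.SenderHardwareAddress.ToString();
                }

            }
            return "";

        }

        /// <summary>
        /// Builds an Ethernet frame carrying an ARP request from the four addresses given.
        /// </summary>
        /// <remarks>
        /// The parameter names do not match how Main calls this method: it passes the local
        /// adapter's MAC as Router_mac, the broadcast MAC as My_pc_mac, the local IP as
        /// Router_ip and the gateway IP as My_pc_ip. NOTE(review): confirm the constructor
        /// argument order against the PacketDotNet version in use before renaming anything.
        /// </remarks>
        public static EthernetPacket Protect_Arp(string Router_mac, string My_pc_mac, string Router_ip, string My_pc_ip)
        {
            PhysicalAddress firstMac = PhysicalAddress.Parse(Router_mac);
            PhysicalAddress secondMac = PhysicalAddress.Parse(My_pc_mac);

            var eth = new EthernetPacket(firstMac, secondMac, EthernetPacketType.Arp);
            var arp = new ARPPacket(ARPOperation.Request, secondMac, IPAddress.Parse(My_pc_ip), firstMac, IPAddress.Parse(Router_ip));
            eth.PayloadPacket = arp;
            return eth;

        }

        /// <summary>
        /// Prints the rule's message with source and destination when the packet is TCP
        /// and addressed to <paramref name="port"/>.
        /// </summary>
        static void scanTCP(CaptureEventArgs e, int port, string cm)
        {
            var _packet = Packet.ParsePacket(e.Packet.LinkLayerType, e.Packet.Data);
            var tcp = (TcpPacket)_packet.Extract(typeof(TcpPacket));
            if (tcp == null || tcp.DestinationPort != port)
            {
                return;
            }

            var dst_ip = IpPacket.GetEncapsulated(_packet).DestinationAddress.ToString();
            var src_ip = IpPacket.GetEncapsulated(_packet).SourceAddress.ToString();
            Console.WriteLine("******************************************************************************");
            // cm comes from ports.port, so it is passed as an argument and never used as
            // the format string; a brace in the rule file can no longer throw here.
            Console.WriteLine("{0} {1}", cm, port.ToString());
            Console.WriteLine("Source: {0} " + "Destination: {1}",src_ip,dst_ip);
        }

        /// <summary>
        /// Prints the rule's message with source and destination when the packet is UDP
        /// and addressed to <paramref name="port"/>.
        /// </summary>
        static void scanUDP(CaptureEventArgs e, int port, string cm)
        {
            var _packet = Packet.ParsePacket(e.Packet.LinkLayerType, e.Packet.Data);
            var udp = (UdpPacket)_packet.Extract(typeof(UdpPacket));
            if (udp == null || udp.DestinationPort != port)
            {
                return;
            }

            var dst_ip = IpPacket.GetEncapsulated(_packet).DestinationAddress.ToString();
            var src_ip = IpPacket.GetEncapsulated(_packet).SourceAddress.ToString();
            Console.WriteLine("********************************************************************");
            // Same as scanTCP: the rule text is data, not a format string.
            Console.WriteLine("{0} {1}", cm, port.ToString());
            Console.WriteLine("Source: {0} " + "Destination: {1}", src_ip, dst_ip);
        }

        /// <summary>
        /// Writes the default clear-text protocol rules to ports.port: one "port tcp"
        /// line followed by its '#' message line per rule.
        /// </summary>
        static void create_file()
        {
            string[] defaults =
            {
                "80 tcp",
                "#You Are using Clear Text Protocol http Pleas Use secure Protocol Https",
                "21 tcp",
                "#You Are using Clear Text Protocol FTP Pleas Use secure Protocol like SFTP or FTPS",
                "143 tcp",
                "#You Are using Clear Text Protocol IMAP Pleas Use secure Protocol IMAP with ssl",
                "20 tcp",
                "#You Are using Clear Text Protocol FTP Pleas Use secure Protocol like SFTP or FTPS",
                "110 tcp",
                "#You Are using Clear Text Protocol POP3 Pleas Use secure Protocol POP3 with ssl",
                "23 tcp",
                "#You Are using Clear Text Protocol Telnet Pleas Use secure Protocol like SSH",
                "25 tcp",
                "#You Are using Clear Text Protocol SMTP Pleas Use secure Protocol SMTP with ssl"
            };

            using (StreamWriter write = new StreamWriter("ports.port", true))
            {
                foreach (string entry in defaults)
                {
                    write.WriteLine(entry);
                }
            }
        }

        /// <summary>Prints the command help.</summary>
        public static void Cmd()
        {

            Console.WriteLine(@"
Catch 规则

--start arp 用于检测Arp攻击检测 (Arp spoofing MITM)
--start dhcp 用于检测Dhcp攻击检测 (Dhcp spoofing MITM )
--start scan 这是在使用明文协议时通知您
Like (Http) or (Telent)

--Start All 这是开始所有的功能
--attacks 看到以前所有的攻击记录

");

        }

        /// <summary>
        /// Asks the operator whether a changed router MAC is legitimate. "Yas" replaces the
        /// stored baseline with the address just observed; "No" prints the attack banner.
        /// Any other answer leaves the stored baseline untouched.
        /// </summary>
        public static void cheeck(ado a, string ip, string mac, string Time, int id)
        {
            Console.WriteLine("你在处理路由器吗 {0}", Environment.MachineName);
            Console.WriteLine("The old Data IP address: {0}, Mac address {1}, Time : {2} , And Interface : {3} , and ID = {4}", ip, mac, Time, Hinter,id);

            Console.Write(Environment.NewLine);
            Console.WriteLine("Yas 如果你选择了Yas,Catch会考虑这是你的路由器");
            Console.WriteLine("No 如果你没有选择,Catch会认为这是攻击,所以请小心你选择的 ");
            string ch = Console.ReadLine();
            if (ch == null)
            {
                return;
            }

            // The prompt shows "No" with a capital letter, so answers are matched without
            // regard to case; an exact-case test would ignore the answer as displayed.
            string answer = ch.Trim();
            if (answer.Equals("Yas", StringComparison.OrdinalIgnoreCase))
            {

                a.Delete(id);
                Console.WriteLine("Delete Old Data {0}", id.ToString());

                Data d = new Data() { inter = Hinter, date = DateTime.Now.ToString(), ip = Rip, mac = Rmac, name = "Router" };
                a.insert(d);
            }
            else if (answer.Equals("no", StringComparison.OrdinalIgnoreCase))
            {
                Console.WriteLine("********************* You Have Been Attacked **************************");
            }
        }


    }
}
--------------------------------------------------------------------------------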