Update block scan

pom.xml

@@ -7,11 +7,23 @@
     <groupId>com.tvhoang</groupId>
     <artifactId>SIEM-Neptune</artifactId>
     <version>1.0-SNAPSHOT</version>
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <configuration>
+                    <source>13</source>
+                    <target>13</target>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
 
     <properties>
-        <java.version>11</java.version>
-        <maven.compiler.source>11</maven.compiler.source>
-        <maven.compiler.target>11</maven.compiler.target>
+        <java.version>15</java.version>
+        <maven.compiler.source>15</maven.compiler.source>
+        <maven.compiler.target>15</maven.compiler.target>
     </properties>
 
     <dependencies>

src/main/java/CEP/PortScanDetector/BlockPortScan.java

@@ -0,0 +1,27 @@
+package CEP.PortScanDetector;
+
+import Utilities.*;
+import com.espertech.esper.compiler.client.*;
+import com.espertech.esper.runtime.client.*;
+import org.pcap4j.packet.namednumber.*;
+
+import java.io.*;
+import java.net.*;
+
+public class BlockPortScan {
+    public BlockPortScan(int alertPeriod, int interval) throws EPCompileException, EPDeployException, IOException, EPCompileException, EPDeployException {
+
+        new EPAdapter().execute("add-horizontal-port-scan", "insert into BlockPortScanAlert\n" +
+                "select hostPort from HorizontalPortScanAlert#expr(oldest_timestamp > newest_timestamp - 1000)");
+
+        new EPAdapter().execute("add-vertical-port-scan", "insert into BlockPortScanAlert\n" +
+                "select hostAddr from VerticalPortScanAlert#expr(oldest_timestamp > newest_timestamp - 1000)");
+
+        new EPAdapter().execute("alert-block-port-scan", "select * from BlockPortScanAlert#time( " + alertPeriod + " seconds)#expr(oldest_timestamp > newest_timestamp - 1000)\n" +
+                "where exists(select * from HorizontalPortScanAlert)\n" +
+                "and exists(select * from VerticalPortScanAlert)\n"
+                ).addListener((newData, __, ___, ____) -> System.out.println("Alert a block scan:"
+                        + " is happened!"));
+//        new EPAdapter().execute("alert-block-port-scan", "on BlockPortScanAlert delete from BlockPortScanAlert\n");
+    }
+}

src/main/java/CEP/PortScanDetector/BlockPortScanAlert.java

@@ -0,0 +1,32 @@
+package CEP.PortScanDetector;
+
+import org.pcap4j.packet.namednumber.*;
+
+import java.net.*;
+
+public class BlockPortScanAlert {
+    InetAddress hostAddr;
+    Port hostPort;
+    Long timestamp;
+
+    public BlockPortScanAlert(InetAddress hostAddr) {
+        this.hostAddr = hostAddr;
+    }
+
+    public BlockPortScanAlert(Port hostPort) {
+        this.hostPort = hostPort;
+    }
+
+    public BlockPortScanAlert(Long timestamp) {
+        this.timestamp = timestamp;
+    }
+
+    public InetAddress getHostAddr() {
+        return hostAddr;
+    }
+    public Port getHostPort() {
+        return hostPort;
+    }
+    public Long getTimestamp() { return timestamp; }
+
+}

src/main/java/CEP/WebserverMonitor/Monitor.java

@@ -10,7 +10,7 @@
 import java.util.ArrayList;
 
 public class Monitor {
-    private static String fileErrorlog = "/var/log/apache2/error.log";    
+    private static String fileErrorlog = "/var/log/apache2/error.log";
     private static String fileAccesslog = "/var/log/apache2/access.log";
     private static ArrayList<String> allLines = new ArrayList<String>();
     private static int currentLine = 0;
@@ -27,6 +27,7 @@ public static void main (String [] args) throws Exception {
 //        new NeptuneErrorLogCEP(10,3);
         new VerticalPortScan(20, 100);
         new HorizontalPortScan(60, 2, 10); // set to 2 to test, use 5 or more in production
+        new BlockPortScan(20,10);
 
         PcapNetworkInterface device = getNetworkDevice();
         System.out.println(device.getName() + "(" + device.getDescription() + ")");
@@ -46,36 +47,32 @@ public static void main (String [] args) throws Exception {
         }
 
         // Tell the handle to loop using the listener we created
-        try {
-            handle.loop(maxPackets, (PacketListener) packet -> {
-                try {
-                    IpV4Packet ipV4Packet = packet.get(IpV4Packet.class);
-                    TcpPacket tcpPacket = ipV4Packet.get(TcpPacket.class);
-                    int port = tcpPacket.getHeader().getSrcPort().valueAsInt();
-                    TCPPacket evt = new TCPPacket(
-                            ipV4Packet.getHeader(),
-                            tcpPacket.getHeader()
-                    );
-                    if (port != 443 && port != 80 && port != 62078) {
-                        sendEvent(evt, TCPPacket.class.getSimpleName());
-                    }
-                } catch (Exception ignored) {
-
+        handle.loop(maxPackets, (PacketListener) packet -> {
+
+            try {
+                IpV4Packet ipV4Packet = packet.get(IpV4Packet.class);
+                TcpPacket tcpPacket = ipV4Packet.get(TcpPacket.class);
+                int port = tcpPacket.getHeader().getSrcPort().valueAsInt();
+                TCPPacket evt = new TCPPacket(
+                        ipV4Packet.getHeader(),
+                        tcpPacket.getHeader()
+                );
+                if (port != 443 && port != 80 && port != 62078) {
+                    sendEvent(evt, TCPPacket.class.getSimpleName());
                 }
+            } catch (Exception ignored) {
 
-                ApacheAccessLogEvent aal = null;
-                try {
-                    aal = ApacheAccessLogEvent.nextEvent();
-                } catch (IOException e) {
-                    e.printStackTrace();
-                }
-                if (aal != null) sendEvent(aal, "AAL_Event");
+            }
 
-            });
+            ApacheAccessLogEvent aal = null;
+            try {
+                aal = ApacheAccessLogEvent.nextEvent();
+            } catch (IOException e) {
+                e.printStackTrace();
+            }
+            if (aal != null) sendEvent(aal, "AAL_Event");
 
-        } catch (InterruptedException e) {
-            e.printStackTrace();
-        }
+        });
 
         // Cleanup when complete
         handle.close();

src/main/java/Utilities/EPAdapter.java

@@ -21,6 +21,8 @@ public static void setup() {
         configuration.getCommon().addEventType("TCPPacket", TCPPacket.class);
         configuration.getCommon().addEventType("VerticalPortScanAlert",VerticalPortScanAlert.class);
         configuration.getCommon().addEventType("HorizontalPortScanAlert",HorizontalPortScanAlert.class);
+        configuration.getCommon().addEventType("BlockPortScanAlert",BlockPortScanAlert.class);
+
         configuration.getRuntime().getLogging().setEnableExecutionDebug(false);
         configuration.getRuntime().getLogging().setEnableTimerDebug(false);
         runtime = EPRuntimeProvider.getDefaultRuntime(configuration);