Merge branch 'PortScan' into main

SIEM-Neptune.iml

@@ -32,5 +32,9 @@
     <orderEntry type="library" name="Maven: org.codehaus.janino:janino:3.1.2" level="project" />
     <orderEntry type="library" name="Maven: org.slf4j:slf4j-simple:1.7.30" level="project" />
     <orderEntry type="library" name="Maven: org.codehaus.janino:commons-compiler:3.1.2" level="project" />
+    <orderEntry type="library" name="Maven: de.siegmar:fastcsv:1.0.3" level="project" />
+    <orderEntry type="library" name="Maven: org.pcap4j:pcap4j-core:1.8.2" level="project" />
+    <orderEntry type="library" name="Maven: net.java.dev.jna:jna:5.3.1" level="project" />
+    <orderEntry type="library" name="Maven: org.pcap4j:pcap4j-packetfactory-static:1.8.2" level="project" />
   </component>
 </module>

pom.xml

@@ -76,7 +76,16 @@
             <artifactId>fastcsv</artifactId>
             <version>1.0.3</version>
         </dependency>
-
+        <dependency>
+            <groupId>org.pcap4j</groupId>
+            <artifactId>pcap4j-core</artifactId>
+            <version>1.8.2</version>
+        </dependency>
+        <dependency>
+            <groupId>org.pcap4j</groupId>
+            <artifactId>pcap4j-packetfactory-static</artifactId>
+            <version>1.8.2</version>
+        </dependency>
 
     </dependencies>
 

src/main/java/CEP/PortScanDetector/BlockPortScanCEP.java

@@ -0,0 +1,27 @@
+package CEP.PortScanDetector;
+
+import Utilities.*;
+import com.espertech.esper.compiler.client.*;
+import com.espertech.esper.runtime.client.*;
+import org.pcap4j.packet.namednumber.*;
+
+import java.io.*;
+import java.net.*;
+
+public class BlockPortScanCEP {
+    public BlockPortScanCEP(int alertPeriod, int interval) throws EPCompileException, EPDeployException, IOException, EPCompileException, EPDeployException {
+
+        new EPAdapter().execute("add-horizontal-port-scan", "insert into BlockPortScanAlert\n" +
+                "select hostPort from HorizontalPortScanAlert#expr(oldest_timestamp > newest_timestamp - 1000)");
+
+        new EPAdapter().execute("add-vertical-port-scan", "insert into BlockPortScanAlert\n" +
+                "select hostAddr from VerticalPortScanAlert#expr(oldest_timestamp > newest_timestamp - 1000)");
+
+        new EPAdapter().execute("alert-block-port-scan", "select * from BlockPortScanAlert#time( " + alertPeriod + " seconds)#expr(oldest_timestamp > newest_timestamp - 1000)\n" +
+                "where exists(select * from HorizontalPortScanAlert)\n" +
+                "and exists(select * from VerticalPortScanAlert)\n"
+                ).addListener((newData, __, ___, ____) -> System.out.println("Alert a block scan:"
+                        + " is happened!"));
+//        new EPAdapter().execute("alert-block-port-scan", "on BlockPortScanAlert delete from BlockPortScanAlert\n");
+    }
+}

src/main/java/CEP/PortScanDetector/BlockPortScanEvent.java

@@ -0,0 +1,32 @@
+package CEP.PortScanDetector;
+
+import org.pcap4j.packet.namednumber.*;
+
+import java.net.*;
+
+public class BlockPortScanEvent {
+    InetAddress hostAddr;
+    Port hostPort;
+    Long timestamp;
+
+    public BlockPortScanEvent(InetAddress hostAddr) {
+        this.hostAddr = hostAddr;
+    }
+
+    public BlockPortScanEvent(Port hostPort) {
+        this.hostPort = hostPort;
+    }
+
+    public BlockPortScanEvent(Long timestamp) {
+        this.timestamp = timestamp;
+    }
+
+    public InetAddress getHostAddr() {
+        return hostAddr;
+    }
+    public Port getHostPort() {
+        return hostPort;
+    }
+    public Long getTimestamp() { return timestamp; }
+
+}

src/main/java/CEP/PortScanDetector/Detector.java

@@ -0,0 +1,76 @@
+package CEP.PortScanDetector;
+
+import CEP.PortScanDetector.*;
+import Utilities.EPAdapter;
+import org.pcap4j.core.*;
+import org.pcap4j.packet.*;
+import org.pcap4j.util.*;
+
+import java.io.IOException;
+
+public class Detector {
+    private static final int snapshotLength = 65536; // in bytes
+    private static final int readTimeout = 100; // in milliseconds
+    private static final int maxPackets = -1;
+    private static final String filter = "tcp";
+
+    public static void main (String [] args) throws Exception {
+        System.out.println("Please wait while I'm configuring the Port Scan... ");
+        new VerticalPortScanCEP(20, 100);
+        new HorizontalPortScanCEP(60, 2, 10); // set to 2 to test, use 5 or more in production
+        new BlockPortScanCEP(20,10);
+
+        PcapNetworkInterface device = getNetworkDevice();
+        System.out.println(device.getName() + "(" + device.getDescription() + ")");
+        System.out.println("You chose: " + device);
+
+        // New code below here
+        if (device == null) {
+            System.out.println("No device chosen.");
+            System.exit(1);
+        }
+
+        final PcapHandle handle = device.openLive(snapshotLength, PcapNetworkInterface.PromiscuousMode.PROMISCUOUS, readTimeout);
+
+        // Set a filter to only listen for tcp packets on port 80 (HTTP)
+        if (filter.length() != 0) {
+            handle.setFilter(filter, BpfProgram.BpfCompileMode.OPTIMIZE);
+        }
+
+        // Tell the handle to loop using the listener we created
+        handle.loop(maxPackets, (PacketListener) packet -> {
+
+            try {
+                IpV4Packet ipV4Packet = packet.get(IpV4Packet.class);
+                TcpPacket tcpPacket = ipV4Packet.get(TcpPacket.class);
+                int port = tcpPacket.getHeader().getSrcPort().valueAsInt();
+                TCPPacket evt = new TCPPacket(
+                        ipV4Packet.getHeader(),
+                        tcpPacket.getHeader()
+                );
+                if (port != 443 && port != 80 && port != 62078 && port != 22) {
+                    sendEvent(evt, TCPPacket.class.getSimpleName());
+                }
+            } catch (Exception ignored) {
+
+            }
+        });
+        // Cleanup when complete
+        handle.close();
+    }
+
+    static <EventType> void sendEvent(EventType event, String eventType) {
+        EPAdapter.runtime.getEventService().sendEventBean(event, eventType);
+    }
+
+    static PcapNetworkInterface getNetworkDevice() {
+        PcapNetworkInterface device = null;
+        try {
+            device = new NifSelector().selectNetworkInterface();
+        } catch (IOException e) {
+            e.printStackTrace();
+        }
+        return device;
+    }
+
+}

src/main/java/CEP/PortScanDetector/HorizontalPortScanCEP.java

@@ -0,0 +1,27 @@
+package CEP.PortScanDetector;
+
+import Utilities.*;
+import com.espertech.esper.compiler.client.*;
+import com.espertech.esper.runtime.client.*;
+import org.pcap4j.packet.namednumber.*;
+
+import java.io.*;
+
+public class HorizontalPortScanCEP {
+    public HorizontalPortScanCEP(int alertPeriod, int consecutiveFailed, int interval) throws EPCompileException, EPDeployException, IOException, EPCompileException, EPDeployException {
+
+        new EPAdapter().execute("get-horizontal-port-scan", "insert into HorizontalPortScanAlert\n" +
+                "select tcpHeader.srcPort\n" +
+                "from TCPPacket#time(" + alertPeriod + " seconds)#expr(oldest_timestamp > newest_timestamp - 10000)\n" +
+                "group by tcpHeader.srcPort\n" +
+                "having count(distinct ipHeader.dstAddr) >= " + consecutiveFailed +
+                "output first every " + interval + " seconds" );
+
+        new EPAdapter().execute("alert-horizontal-port-scan", "select * from HorizontalPortScanAlert")
+                .addListener((newData, __, ___, ____) -> {
+                    Port hostAddr = (Port) newData[0].get("hostPort");
+                    System.out.println("Alert a horizontal scan: Port " + hostAddr.valueAsInt()
+                            + " is under attack!");
+                });
+    }
+}

src/main/java/CEP/PortScanDetector/HorizontalPortScanEvent.java

@@ -0,0 +1,15 @@
+package CEP.PortScanDetector;
+
+import org.pcap4j.packet.namednumber.*;
+
+public class HorizontalPortScanEvent {
+    Port hostPort;
+
+    public HorizontalPortScanEvent(Port hostPort) {
+        this.hostPort = hostPort;
+    }
+
+    public Port getHostPort() {
+        return hostPort;
+    }
+}

src/main/java/CEP/PortScanDetector/TCPPacket.java

@@ -0,0 +1,21 @@
+package CEP.PortScanDetector;
+
+import org.pcap4j.packet.*;
+
+public class TCPPacket {
+    private TcpPacket.TcpHeader tcpHeader;
+    private IpPacket.IpHeader ipHeader;
+
+    public TCPPacket(IpPacket.IpHeader ipHeader, TcpPacket.TcpHeader tcpHeader) {
+        this.ipHeader = ipHeader;
+        this.tcpHeader = tcpHeader;
+    }
+
+    public IpPacket.IpHeader getIpHeader() {
+        return ipHeader;
+    }
+
+    public TcpPacket.TcpHeader getTcpHeader() {
+        return tcpHeader;
+    }
+}

src/main/java/CEP/PortScanDetector/VerticalPortScanCEP.java

@@ -0,0 +1,27 @@
+package CEP.PortScanDetector;
+
+
+import Utilities.*;
+import com.espertech.esper.compiler.client.*;
+import com.espertech.esper.runtime.client.*;
+
+import java.io.*;
+import java.net.*;
+
+public class VerticalPortScanCEP {
+    public VerticalPortScanCEP(int alertPeriod, int consecutiveFailed) throws EPCompileException, EPDeployException, IOException, EPCompileException, EPDeployException {
+
+        new EPAdapter().execute("get-vertical-port-scan", "insert into VerticalPortScanAlert\n" +
+                "select ipHeader.dstAddr\n" +
+                "from TCPPacket#time_batch(" + alertPeriod + " seconds)#expr(oldest_timestamp > newest_timestamp - 10000)\n" +
+                "group by ipHeader.dstAddr\n" +
+                "having count(distinct tcpHeader.dstPort) > " + consecutiveFailed + "");
+
+        new EPAdapter().execute("alert-vertical-port-scan", "select * from VerticalPortScanAlert")
+                .addListener((newData, __, ___, ____) -> {
+                    InetAddress hostAddr = (InetAddress) newData[0].get("hostAddr");
+                    System.out.println("Alert a vertical scan: IP " + hostAddr.getHostAddress()
+                        + " is under attack!");
+        });
+    }
+}

src/main/java/CEP/PortScanDetector/VerticalPortScanEvent.java

@@ -0,0 +1,15 @@
+package CEP.PortScanDetector;
+
+import java.net.*;
+
+public class VerticalPortScanEvent {
+    InetAddress hostAddr;
+
+    public VerticalPortScanEvent(InetAddress hostAddr) {
+        this.hostAddr = hostAddr;
+    }
+
+    public InetAddress getHostAddr() {
+        return hostAddr;
+    }
+}

src/main/java/CEP/WebserverMonitor/ApacheAccessLogEvent.java

@@ -100,7 +100,7 @@ public static ApacheAccessLogEvent nextEvent() throws IOException {
             try {
                 event = new ApacheAccessLogEvent(line);
             } catch (Exception ignored) {
-            
+
             }
             if (now < lastTimestamp) queue.add(event);
         }
@@ -167,4 +167,4 @@ public String getTimeFormatted() {
     public void setTimeFormatted(String timeFormatted) {
         this.timeFormatted = timeFormatted;
     }
-}
+}

src/main/java/Utilities/EPAdapter.java

@@ -1,5 +1,6 @@
 package Utilities;
 
+import CEP.PortScanDetector.*;
 import CEP.WebserverMonitor.*;
 import com.espertech.esper.common.client.EPCompiled;
 import com.espertech.esper.common.client.configuration.Configuration;
@@ -19,6 +20,13 @@ public static void setup() {
         configuration.getCommon().addEventType("NEL_"+ FailedRegisterDuplicateEvent.class.getSimpleName(), FailedRegisterDuplicateEvent.class.getName());
         configuration.getCommon().addEventType("NEL_"+ SuccessChangePasswordEvent.class.getSimpleName(), SuccessChangePasswordEvent.class.getName());
         configuration.getCommon().addEventType("AAL_Event", ApacheAccessLogEvent.class);
+        configuration.getCommon().addEventType("TCPPacket", TCPPacket.class);
+        configuration.getCommon().addEventType("VerticalPortScanAlert", VerticalPortScanEvent.class);
+        configuration.getCommon().addEventType("HorizontalPortScanAlert", HorizontalPortScanEvent.class);
+        configuration.getCommon().addEventType("BlockPortScanAlert", BlockPortScanEvent.class);
+
+        configuration.getRuntime().getLogging().setEnableExecutionDebug(false);
+        configuration.getRuntime().getLogging().setEnableTimerDebug(false);
         runtime = EPRuntimeProvider.getDefaultRuntime(configuration);
         arguments = new CompilerArguments(configuration);
         arguments.getPath().add(runtime.getRuntimePath());