HLBR: routes/route_bns.c Source File

00001 /************************************************
00002 * This module handles BNS style honeypot routing
00003 * It's similar to macfilter
00004 ************************************************/
00005 #include "route_bns.h"
00006 #include <string.h>
00007 #include <stdio.h>
00008 #include <stdlib.h>
00009 #include "../packets/packet.h"
00010 #include "../engine/num_list.h"
00011 #include "../decoders/decode.h"
00012 #include "../decoders/decode_ethernet.h"
00013 #include "../decoders/decode_arp.h"
00014 #include "../decoders/decode_ip.h"
00015 #include "../decoders/decode_tcp.h"
00016 #include "../decoders/decode_udp.h"
00017 #include <netinet/in.h>
00018 #include <arpa/inet.h>
00019 #ifdef _SOLARIS_
00020 #include <strings.h>
00021 #endif
00022 
00023 #define BNS_PRODUCTION          1
00024 #define BNS_HONEY                       2
00025 #define BNS_INTERNET            3
00026 
00027 BNS_MAC BMAC[MAX_BNS];
00028 int             BNSNumMac;
00029 BNS_IP  BIP[MAX_BNS];
00030 int             BNSNumIP;
00031 
00032 int             InternetIF;
00033 int             ProductionIF;
00034 int             HoneyIF;
00035 
00036 int             EthernetDecoderID;
00037 int             ARPDecoderID;
00038 int             IPDecoderID;
00039 int             TCPDecoderID;
00040 int             UDPDecoderID;
00041 
00042 /*TODO: put these in a num list*/
00043 typedef struct bns_note{
00044         unsigned int    HIP;
00045         unsigned short  HPort;
00046         unsigned int    IIP;
00047         unsigned int    IPort;
00048         unsigned char   Proto;
00049 } BNSNote;
00050 
00051 #define BNS_MAX_NOTES   128
00052 
00053 BNSNote Notes[BNS_MAX_NOTES];
00054 int     ThisNote;
00055 
00056 //#define DEBUG
00057 
00058 extern GlobalVars       Globals;
00059 
00060 
00061 /**************************************
00062 * Windows boxes don't arp properly, so
00063 * we need to tickle them occasionally
00064 ***************************************/
00065 int SendARP(unsigned int IP, int Interface){
00066         int                     NewPacketSlot;
00067         EtherHdr*       Eth;
00068         ARPHdr*         Arp;
00069         ARPEtherIP*     ArpEth;
00070         PacketRec*      p;
00071         
00072 #ifdef DEBUGPATH
00073         printf("In SendARP\n");
00074 #endif
00075 
00076         NewPacketSlot=GetEmptyPacket();
00077         if (!NewPacketSlot==PACKET_NONE){
00078 #ifdef DEBUG
00079                 printf("Couldn't get a packet for the ARP request\n");
00080 #endif  
00081                 return FALSE;
00082         }
00083         
00084         p=&Globals.Packets[NewPacketSlot];
00085         p->RawPacket=p->TypicalPacket;
00086         
00087         Eth=(EtherHdr*)p->RawPacket;
00088         Eth->DstMac[0]=0xFF;
00089         Eth->DstMac[1]=0xFF;
00090         Eth->DstMac[2]=0xFF;
00091         Eth->DstMac[3]=0xFF;
00092         Eth->DstMac[4]=0xFF;
00093         Eth->DstMac[5]=0xFF;
00094         Eth->SrcMac[0]=0x00;
00095         Eth->SrcMac[1]=0x00;
00096         Eth->SrcMac[2]=0x00;
00097         Eth->SrcMac[3]=0x00;
00098         Eth->SrcMac[4]=0x00;
00099         Eth->SrcMac[5]=0x00;
00100         Eth->Type=htons(ETHERNET_TYPE_ARP);
00101         p->PacketLen+=sizeof(EtherHdr);
00102 
00103         Arp=(ARPHdr*)(p->RawPacket+sizeof(EtherHdr));
00104         Arp->HardwareType=htons(ARP_TYPE_ETHERNET);
00105         Arp->ProtocolType=htons(ARP_TYPE_IP);
00106         Arp->HardwareLen=6;
00107         Arp->ProtocolLen=4;
00108         Arp->Operation=htons(ARP_OP_REQUEST);
00109         p->PacketLen+=sizeof(ARPHdr);
00110         
00111         ArpEth=(ARPEtherIP*)(p->RawPacket+sizeof(EtherHdr)+sizeof(ARPHdr));
00112         ArpEth->SenderMac[0]=0x00;
00113         ArpEth->SenderMac[1]=0x00;
00114         ArpEth->SenderMac[2]=0x00;
00115         ArpEth->SenderMac[3]=0x00;
00116         ArpEth->SenderMac[4]=0x00;
00117         ArpEth->SenderMac[5]=0x00;
00118         ArpEth->SenderIP[0]=10;
00119         ArpEth->SenderIP[1]=10;
00120         ArpEth->SenderIP[2]=10;
00121         ArpEth->SenderIP[3]=10;
00122         ArpEth->TargetMac[0]=0x00;
00123         ArpEth->TargetMac[1]=0x00;
00124         ArpEth->TargetMac[2]=0x00;
00125         ArpEth->TargetMac[3]=0x00;
00126         ArpEth->TargetMac[4]=0x00;
00127         ArpEth->TargetMac[5]=0x00;
00128         ArpEth->TargetIP[0]=((char*)&IP)[0];
00129         ArpEth->TargetIP[1]=((char*)&IP)[1];
00130         ArpEth->TargetIP[2]=((char*)&IP)[2];
00131         ArpEth->TargetIP[3]=((char*)&IP)[3];
00132         p->PacketLen+=sizeof(ARPEtherIP);
00133 
00134         p->TargetInterface=Interface;
00135 
00136         WritePacket(NewPacketSlot);
00137 
00138         ReturnEmptyPacket(NewPacketSlot);
00139 
00140         return FALSE;
00141 }
00142 
00143 /***************************************
00144 * Return the BNS rec that has this Mac
00145 ***************************************/
00146 int FindMac(unsigned char Mac[6]){
00147         int i;
00148         
00149 #ifdef DEBUGPATH
00150         printf("In FindMac\n");
00151 #endif  
00152 
00153         for (i=0;i<BNSNumMac;i++){
00154                 if ( (BMAC[i].Mac[0]==Mac[0]) &&
00155              (BMAC[i].Mac[1]==Mac[1]) &&
00156              (BMAC[i].Mac[2]==Mac[2]) &&
00157              (BMAC[i].Mac[3]==Mac[3]) &&
00158              (BMAC[i].Mac[4]==Mac[4]) &&
00159              (BMAC[i].Mac[5]==Mac[5])
00160                 ) return i;
00161         }
00162 
00163         return -1;
00164 }
00165 
00166 /**************************************
00167 * Add the Mac to the list
00168 **************************************/
00169 int AddMac(unsigned char Mac[6], int Interface){
00170 
00171 #ifdef DEBUGPATH
00172         printf("In AddMac\n");
00173 #endif
00174 
00175         if (BNSNumMac==MAX_BNS){
00176 #ifdef DEBUG
00177                 printf("Out of slots to hold BNS Mac records\n");
00178 #endif  
00179                 return -1;
00180         }
00181 
00182         if ( (Mac[0]==0xFF) &&
00183                 (Mac[1]==0xFF) &&
00184                 (Mac[2]==0xFF) &&
00185                 (Mac[3]==0xFF) &&
00186                 (Mac[4]==0xFF) &&
00187                 (Mac[5]==0xFF)
00188         ){
00189 #ifdef DEBUG
00190                 printf("Ignoring Broadcast MAC\n");
00191 #endif  
00192         }
00193 
00194         bzero(&BMAC[BNSNumMac], sizeof(BNS_MAC));
00195         BMAC[BNSNumMac].Mac[0]=Mac[0];
00196         BMAC[BNSNumMac].Mac[1]=Mac[1];
00197         BMAC[BNSNumMac].Mac[2]=Mac[2];
00198         BMAC[BNSNumMac].Mac[3]=Mac[3];
00199         BMAC[BNSNumMac].Mac[4]=Mac[4];
00200         BMAC[BNSNumMac].Mac[5]=Mac[5];
00201         BMAC[BNSNumMac].Interface=Interface;
00202 
00203         BNSNumMac++;
00204         
00205         return BNSNumMac-1;
00206 }
00207 
00208 
00209 
00210 /***************************************
00211 * Return the BNS rec that has this IP
00212 ***************************************/
00213 int FindIP(unsigned int IP){
00214         int i;
00215         
00216 #ifdef DEBUGPATH
00217         printf("In FindIP\n");
00218 #endif  
00219 
00220         for (i=0;i<BNSNumIP;i++){
00221                 if (BIP[i].IP==IP) return i;
00222         }
00223 
00224         return -1;
00225 }
00226 
00227 /**************************************
00228 * Add the IP to the list
00229 **************************************/
00230 int UpdateIP(unsigned int IP, unsigned char Mac[6], int Interface){
00231         int     IPID;
00232         
00233 #ifdef DEBUGPATH
00234         printf("In AddIP\n");
00235 #endif
00236 
00237         IPID=FindIP(IP);
00238 
00239         if ((IPID==-1) && (BNSNumIP==MAX_BNS)){
00240 #ifdef DEBUG
00241                 printf("Out of slots to hold BNS IP records\n");
00242 #endif  
00243                 return -1;
00244         }
00245 
00246 #ifdef DEBUG
00247         if (Interface==BNS_HONEY)
00248                 printf("%s(%02X:%02X:%02X:%02X:%02X:%02X) is on Honey\n",
00249                         inet_ntoa(*(struct in_addr*)&IP),
00250                         Mac[0],Mac[1],Mac[2],Mac[3],Mac[4],Mac[5]
00251                 );
00252         else
00253                 printf("%s(%02X:%02X:%02X:%02X:%02X:%02X) is on Production\n",
00254                         inet_ntoa(*(struct in_addr*)&IP),
00255                         Mac[0],Mac[1],Mac[2],Mac[3],Mac[4],Mac[5]
00256                 );      
00257 #endif
00258         
00259         if (IPID==-1){ 
00260                 /*this one's new*/
00261                 IPID=BNSNumIP;
00262                 bzero(&BIP[IPID], sizeof(BNS_IP));
00263                 BIP[IPID].IP=IP;
00264                 BNSNumIP++;
00265                 BIP[IPID].HoneyMac[0]=0xFF;
00266                 BIP[IPID].HoneyMac[1]=0xFF;
00267                 BIP[IPID].HoneyMac[2]=0xFF;
00268                 BIP[IPID].HoneyMac[3]=0xFF;
00269                 BIP[IPID].HoneyMac[4]=0xFF;
00270                 BIP[IPID].HoneyMac[5]=0xFF;             
00271                 BIP[IPID].ProdMac[0]=0xFF;
00272                 BIP[IPID].ProdMac[1]=0xFF;
00273                 BIP[IPID].ProdMac[2]=0xFF;
00274                 BIP[IPID].ProdMac[3]=0xFF;
00275                 BIP[IPID].ProdMac[4]=0xFF;
00276                 BIP[IPID].ProdMac[5]=0xFF;
00277                 BIP[IPID].HasHoney=FALSE;
00278                 BIP[IPID].HasProd=FALSE;
00279         }
00280 
00281         switch (Interface){
00282         case BNS_HONEY:
00283                 BIP[IPID].HoneyMac[0]=Mac[0];
00284                 BIP[IPID].HoneyMac[1]=Mac[1];
00285                 BIP[IPID].HoneyMac[2]=Mac[2];
00286                 BIP[IPID].HoneyMac[3]=Mac[3];
00287                 BIP[IPID].HoneyMac[4]=Mac[4];
00288                 BIP[IPID].HoneyMac[5]=Mac[5];
00289                 BIP[IPID].HasHoney=TRUE;
00290                 break;
00291         case BNS_PRODUCTION:
00292                 BIP[IPID].ProdMac[0]=Mac[0];
00293                 BIP[IPID].ProdMac[1]=Mac[1];
00294                 BIP[IPID].ProdMac[2]=Mac[2];
00295                 BIP[IPID].ProdMac[3]=Mac[3];
00296                 BIP[IPID].ProdMac[4]=Mac[4];
00297                 BIP[IPID].ProdMac[5]=Mac[5];
00298                 BIP[IPID].HasProd=TRUE;
00299                 break;
00300         default:
00301                 return -1;
00302         }
00303                 
00304         return IPID;
00305 }
00306 
00307 /**************************************
00308 * If this is a normal IP packet...
00309 **************************************/
00310 int HandleIPPacket(int PacketSlot, IPData* IData){
00311         PacketRec*              p;
00312         int                             SrcSlot;
00313         int                             DstSlot;
00314         EthernetData*   EData;
00315         TCPData*                TData=NULL;
00316         UDPData*                UData=NULL;
00317         
00318         int                             i;
00319         int                             IPID;
00320         
00321 #ifdef DEBUGPATH
00322         printf("In HandleIPPacket\n");
00323 #endif
00324         p=&Globals.Packets[PacketSlot];
00325 
00326         /*pull out the ethernet header*/
00327         if (!GetDataByID(p->PacketSlot, EthernetDecoderID, (void**)&EData)){
00328 #ifdef DEBUG
00329                 printf("This is an Ethernet packet\n");
00330 #endif  
00331                 return ROUTE_RESULT_DROP;
00332         }
00333 
00334         /*pull out the tcp header if it exists*/
00335         GetDataByID(p->PacketSlot, TCPDecoderID, (void**)&TData);
00336 
00337         /*pull out the udp header if it exists*/
00338         GetDataByID(p->PacketSlot, UDPDecoderID, (void**)&UData);
00339 
00340 
00341         /*go find the src*/
00342         SrcSlot=FindMac(EData->Header->SrcMac);
00343         /*if not found, add it*/
00344         if (SrcSlot==-1){
00345 #ifdef DEBUG
00346                 printf("We've never seen src %s before\n",inet_ntoa(*(struct in_addr*)&IData->Header->saddr));
00347 #endif  
00348                 SrcSlot=AddMac(EData->Header->SrcMac, p->InterfaceNum);
00349         }
00350         
00351         /*go find the dst*/
00352         DstSlot=FindMac(EData->Header->DstMac);
00353         /*if not found, drop the packet*/
00354         if (DstSlot==-1){
00355 #ifdef DEBUG
00356                 printf("We don't know where to send %s\n",inet_ntoa(*(struct in_addr*)&IData->Header->daddr));
00357 #endif  
00358                 SendARP(IData->Header->daddr, ProductionIF);
00359                 SendARP(IData->Header->daddr, HoneyIF);
00360                 SendARP(IData->Header->daddr, InternetIF);
00361 
00362                 return ROUTE_RESULT_DROP;
00363         }
00364 
00365         /*we have a src and a dst*/
00366 #ifdef DEBUG
00367         printf("%s+%i->",inet_ntoa(*(struct in_addr*)&IData->Header->saddr), BMAC[SrcSlot].Interface);
00368         printf("%s+%i\n",inet_ntoa(*(struct in_addr*)&IData->Header->daddr), BMAC[DstSlot].Interface);
00369 #endif  
00370         
00371         /*check to see if the src and dst interface is the same*/
00372         if (BMAC[SrcSlot].Interface==BMAC[DstSlot].Interface){
00373 #ifdef DEBUG
00374                 printf("This is passing traffic, ignore\n");
00375 #endif  
00376                 return ROUTE_RESULT_DROP;
00377         }
00378 
00379         if (p->InterfaceNum==ProductionIF){
00380 #ifdef DEBUG
00381                 printf("From Production, send out Internet\n");
00382 #endif  
00383                 p->TargetInterface=InternetIF;
00384                 return ROUTE_RESULT_DONE;
00385         }else if (p->InterfaceNum==HoneyIF){
00386 #ifdef DEBUG
00387                 printf("From Honeypot, Note, Mangle, and send out Internet\n");
00388 #endif  
00389 
00390                 /*make note of the connection so we can route return packets*/
00391                 if (TData){
00392 #ifdef DEBUG            
00393                         printf("Making note of %s:%u\n",inet_ntoa(*(struct in_addr*)&IData->Header->saddr),ntohs(TData->Header->source));
00394 #endif                  
00395                         /*TODO: These will go in a NUM_List*/
00396                         /*This is very slow*/
00397                         Notes[ThisNote].HIP=IData->Header->saddr;
00398                         Notes[ThisNote].HPort=TData->Header->source;
00399                         Notes[ThisNote].IIP=IData->Header->daddr;
00400                         Notes[ThisNote].IPort=TData->Header->dest;
00401                         Notes[ThisNote].Proto=IData->Header->protocol;
00402                         ThisNote++;
00403                         if (ThisNote>=BNS_MAX_NOTES) ThisNote=0;                        
00404                 }else if (UData){
00405 #ifdef DEBUG            
00406                         printf("Making note of %s:%u\n",inet_ntoa(*(struct in_addr*)&IData->Header->saddr),ntohs(UData->Header->source));
00407 #endif          
00408                         /*TODO: These will go in a NUM_List*/                   
00409                         Notes[ThisNote].HIP=IData->Header->saddr;
00410                         Notes[ThisNote].HPort=UData->Header->source;
00411                         Notes[ThisNote].IIP=IData->Header->daddr;
00412                         Notes[ThisNote].IPort=UData->Header->dest;
00413                         Notes[ThisNote].Proto=IData->Header->protocol;
00414                         ThisNote++;
00415                         if (ThisNote>=BNS_MAX_NOTES) ThisNote=0;
00416                 }else{
00417 #ifdef DEBUG
00418                         printf("We can only keep state on TCP and UDP\n");
00419 #endif          
00420                 }
00421 
00422                 /*TODO: Look up the correct src mac*/
00423                 
00424                 p->TargetInterface=InternetIF;
00425                 return ROUTE_RESULT_DONE;
00426         }else if (p->InterfaceNum==InternetIF){
00427 #ifdef DEBUG
00428                 printf("From Internet.  Check the Notes.\n");
00429 #endif  
00430                 /*see if this ip is blacklisted*/
00431 #ifdef DEBUG            
00432                 printf("Checking to see if %s is blacklisted\n",inet_ntoa(*(struct in_addr*)&IData->Header->saddr));
00433 #endif          
00434                 if (IsInListTime(BNSRerouteList, ntohl(IData->Header->saddr),p->tv.tv_sec)){
00435 #ifdef DEBUG
00436                         printf("This IP is blacklisted. Routing to Honeypot\n");
00437 #endif          
00438                         /*mangle*/
00439                         IPID=FindIP(IData->Header->daddr);
00440                         if (IPID==-1){
00441 #ifdef DEBUG
00442                                 printf("1Couldn't find this IP\n");
00443 #endif                                  
00444                                 SendARP(IData->Header->daddr, HoneyIF);
00445 
00446                                 EData->Header->DstMac[0]=0xFF;
00447                                 EData->Header->DstMac[1]=0xFF;
00448                                 EData->Header->DstMac[2]=0xFF;
00449                                 EData->Header->DstMac[3]=0xFF;
00450                                 EData->Header->DstMac[4]=0xFF;
00451                                 EData->Header->DstMac[5]=0xFF;
00452                         }else{          
00453                                 if (!BIP[IPID].HasHoney){
00454 #ifdef DEBUG
00455                                         printf("IP found, no honey record\n");
00456 #endif                          
00457                                         SendARP(IData->Header->daddr, HoneyIF);
00458                                 }                                               
00459                                 EData->Header->DstMac[0]=BIP[IPID].HoneyMac[0];
00460                                 EData->Header->DstMac[1]=BIP[IPID].HoneyMac[1];
00461                                 EData->Header->DstMac[2]=BIP[IPID].HoneyMac[2];
00462                                 EData->Header->DstMac[3]=BIP[IPID].HoneyMac[3];
00463                                 EData->Header->DstMac[4]=BIP[IPID].HoneyMac[4];
00464                                 EData->Header->DstMac[5]=BIP[IPID].HoneyMac[5];
00465                         }
00466 
00467                         p->TargetInterface=HoneyIF;
00468                         return ROUTE_RESULT_DONE;
00469                 }
00470         
00471                 /*see if there is a note*/
00472                 if (TData){
00473                         for (i=0;i<BNS_MAX_NOTES;i++){
00474                                 if ( (Notes[i].HIP==IData->Header->daddr) &&
00475                                      (Notes[i].HPort==TData->Header->dest) &&
00476                                          (Notes[i].IIP==IData->Header->saddr) &&
00477                                      (Notes[i].IPort==TData->Header->source)
00478                                 ){
00479 #ifdef DEBUG
00480                                         printf("Found Note Sending out Honey\n");
00481 #endif                          
00482                                         /*mangle*/
00483                                         IPID=FindIP(IData->Header->daddr);
00484                                         if (IPID==-1){
00485 #ifdef DEBUG
00486                                                 printf("2Couldn't find this IP\n");
00487 #endif                                  
00488                                                 SendARP(IData->Header->daddr, HoneyIF);
00489                                                 
00490                                                 EData->Header->DstMac[0]=0xFF;
00491                                                 EData->Header->DstMac[1]=0xFF;
00492                                                 EData->Header->DstMac[2]=0xFF;
00493                                                 EData->Header->DstMac[3]=0xFF;
00494                                                 EData->Header->DstMac[4]=0xFF;
00495                                                 EData->Header->DstMac[5]=0xFF;
00496                                         }else{          
00497                                                 if (!BIP[IPID].HasHoney){
00498 #ifdef DEBUG
00499                                                         printf("2IP found, no honey record\n");
00500 #endif                          
00501                                                         SendARP(IData->Header->daddr, HoneyIF);
00502                                                 }
00503                                                 EData->Header->DstMac[0]=BIP[IPID].HoneyMac[0];
00504                                                 EData->Header->DstMac[1]=BIP[IPID].HoneyMac[1];
00505                                                 EData->Header->DstMac[2]=BIP[IPID].HoneyMac[2];
00506                                                 EData->Header->DstMac[3]=BIP[IPID].HoneyMac[3];
00507                                                 EData->Header->DstMac[4]=BIP[IPID].HoneyMac[4];
00508                                                 EData->Header->DstMac[5]=BIP[IPID].HoneyMac[5];
00509                                         }
00510 
00511                                         p->TargetInterface=HoneyIF;
00512                                         return ROUTE_RESULT_DONE;
00513                                 }
00514                         }               
00515                 }else if (UData){
00516                         for (i=0;i<BNS_MAX_NOTES;i++){
00517                                 if ( (Notes[i].HIP==IData->Header->daddr) &&
00518                                      (Notes[i].HPort==UData->Header->dest) &&
00519                                          (Notes[i].IIP==IData->Header->saddr) &&
00520                                      (Notes[i].IPort==UData->Header->source)
00521                                 ){
00522 #ifdef DEBUG
00523                                         printf("Found Note Sending out Honey\n");
00524 #endif                          
00525                                         /*mangle*/
00526                                         IPID=FindIP(IData->Header->daddr);
00527                                         if (IPID==-1){
00528 #ifdef DEBUG
00529                                                 printf("3Couldn't find this IP\n");
00530 #endif                                  
00531                                                 SendARP(IData->Header->daddr, HoneyIF);
00532 
00533                                                 EData->Header->DstMac[0]=0xFF;
00534                                                 EData->Header->DstMac[1]=0xFF;
00535                                                 EData->Header->DstMac[2]=0xFF;
00536                                                 EData->Header->DstMac[3]=0xFF;
00537                                                 EData->Header->DstMac[4]=0xFF;
00538                                                 EData->Header->DstMac[5]=0xFF;
00539                                         }else{          
00540                                                 if (!BIP[IPID].HasHoney){
00541 #ifdef DEBUG
00542                                                         printf("3IP found, no honey record\n");
00543 #endif                          
00544                                                         SendARP(IData->Header->daddr, HoneyIF);
00545                                                 }                                               
00546                                                 EData->Header->DstMac[0]=BIP[IPID].HoneyMac[0];
00547                                                 EData->Header->DstMac[1]=BIP[IPID].HoneyMac[1];
00548                                                 EData->Header->DstMac[2]=BIP[IPID].HoneyMac[2];
00549                                                 EData->Header->DstMac[3]=BIP[IPID].HoneyMac[3];
00550                                                 EData->Header->DstMac[4]=BIP[IPID].HoneyMac[4];
00551                                                 EData->Header->DstMac[5]=BIP[IPID].HoneyMac[5];
00552                                         }
00553                                         
00554                                         p->TargetInterface=HoneyIF;
00555                                         return ROUTE_RESULT_DONE;
00556                                 }
00557                         }                               
00558                 }
00559 
00560 #ifdef DEBUG
00561                 printf("Sending out Production\n");
00562 #endif
00563                 p->TargetInterface=ProductionIF;
00564                 return ROUTE_RESULT_DONE;
00565         }
00566         
00567         p->TargetInterface=BMAC[DstSlot].Interface;
00568 
00569         return ROUTE_RESULT_DONE;
00570 }
00571 
00572 /**************************************
00573 * If this is an ARP packet...
00574 **************************************/
00575 int HandleARPPacket(int PacketSlot, ARPData* AData){
00576         PacketRec*              p;
00577         EthernetData*   EData;
00578         int                             IPID;
00579         
00580 #ifdef DEBUGPATH
00581         printf("In HandleARPPacket\n");
00582 #endif
00583 
00584         p=&Globals.Packets[PacketSlot];
00585 
00586         /*pull out the ethernet header*/
00587         if (!GetDataByID(p->PacketSlot, EthernetDecoderID, (void**)&EData)){
00588 #ifdef DEBUG
00589                 printf("This is an Ethernet packet\n");
00590 #endif  
00591                 return ROUTE_RESULT_DROP;
00592         }
00593 
00594         /*check to see if this is a request or a reply*/
00595         if (ntohs(AData->Header->Operation)==ARP_OP_REQUEST){
00596         
00597 #ifdef DEBUG
00598                 printf("ARP Request from %s\n",inet_ntoa(*(struct in_addr*)AData->EthernetARPHeader->SenderIP));
00599 #endif  
00600 
00601                 if (FindMac(AData->EthernetARPHeader->SenderMac)==-1)
00602                         AddMac(AData->EthernetARPHeader->SenderMac,     p->InterfaceNum);
00603         
00604                 if (p->InterfaceNum==InternetIF){
00605 #ifdef DEBUG
00606                         printf("ARP Request from Internet.  Sending out Both\n");
00607 #endif  
00608                         EData->Header->DstMac[0]=0xFF;
00609                         EData->Header->DstMac[1]=0xFF;
00610                         EData->Header->DstMac[2]=0xFF;
00611                         EData->Header->DstMac[3]=0xFF;
00612                         EData->Header->DstMac[4]=0xFF;
00613                         EData->Header->DstMac[5]=0xFF;
00614 
00615                         p->TargetInterface=INTERFACE_BROADCAST;
00616                         return ROUTE_RESULT_DONE;
00617                 }else if (p->InterfaceNum==ProductionIF){
00618 #ifdef DEBUG
00619                         printf("ARP Request from Production.  Sending out Internet\n");
00620 #endif  
00621                         UpdateIP(*(int*)AData->EthernetARPHeader->SenderIP, 
00622                                  AData->EthernetARPHeader->SenderMac,
00623                                          BNS_PRODUCTION);
00624                         p->TargetInterface=InternetIF;
00625                         return ROUTE_RESULT_DONE;
00626                 }else if (p->InterfaceNum==HoneyIF){
00627 #ifdef DEBUG
00628                         printf("ARP Request from Honeypot.  Mangling and send out Internet.\n");
00629 #endif  
00630                         IPID=UpdateIP(*(int*)AData->EthernetARPHeader->SenderIP, 
00631                                  AData->EthernetARPHeader->SenderMac,
00632                                          BNS_HONEY);
00633                                          
00634                         /*find the mac address of the production box with the same IP*/
00635                         if (IPID==-1) return ROUTE_RESULT_DROP;
00636                         if ( (BIP[IPID].ProdMac[0]==0) &&
00637                              (BIP[IPID].ProdMac[1]==0) &&
00638                                  (BIP[IPID].ProdMac[2]==0) &&
00639                                  (BIP[IPID].ProdMac[3]==0) &&
00640                                  (BIP[IPID].ProdMac[4]==0) &&
00641                                  (BIP[IPID].ProdMac[5]==0)
00642                         ){
00643 #ifdef DEBUG
00644                                 printf("There is no production machine with this IP yet\n");
00645 #endif                  
00646                                 return ROUTE_RESULT_DROP;
00647                         }else{
00648                                 /*change the src mac in ethernet header*/
00649                                 EData->Header->SrcMac[0]=BIP[IPID].ProdMac[0];
00650                                 EData->Header->SrcMac[1]=BIP[IPID].ProdMac[1];
00651                                 EData->Header->SrcMac[2]=BIP[IPID].ProdMac[2];
00652                                 EData->Header->SrcMac[3]=BIP[IPID].ProdMac[3];
00653                                 EData->Header->SrcMac[4]=BIP[IPID].ProdMac[4];
00654                                 EData->Header->SrcMac[5]=BIP[IPID].ProdMac[5];
00655                                 
00656                                 /*chg the src mac in arp header*/
00657                                 AData->EthernetARPHeader->SenderMac[0]=BIP[IPID].ProdMac[0];
00658                                 AData->EthernetARPHeader->SenderMac[1]=BIP[IPID].ProdMac[1];
00659                                 AData->EthernetARPHeader->SenderMac[2]=BIP[IPID].ProdMac[2];
00660                                 AData->EthernetARPHeader->SenderMac[3]=BIP[IPID].ProdMac[3];
00661                                 AData->EthernetARPHeader->SenderMac[4]=BIP[IPID].ProdMac[4];
00662                                 AData->EthernetARPHeader->SenderMac[5]=BIP[IPID].ProdMac[5];
00663                                 
00664                                 
00665                                 /*send it out*/
00666                                 p->TargetInterface=InternetIF;
00667                                 
00668                                 return ROUTE_RESULT_DONE;
00669                         }
00670                                                                                         
00671                         return ROUTE_RESULT_DROP;                       
00672                 }
00673         }else if (ntohs(AData->Header->Operation)==ARP_OP_REPLY){
00674 
00675 #ifdef DEBUG
00676                 printf("ARP Reply from %s\n",inet_ntoa(*(struct in_addr*)AData->EthernetARPHeader->SenderIP));
00677 #endif  
00678 
00679                 if (FindMac(AData->EthernetARPHeader->SenderMac)==-1)
00680                         AddMac(AData->EthernetARPHeader->SenderMac,     p->InterfaceNum);
00681 
00682 
00683                 if (p->InterfaceNum==InternetIF){
00684 #ifdef DEBUG
00685                         printf("ARP Reply from Internet.  Sending out Both\n");
00686 #endif  
00687                         /*change the dest mac to the broadcast addr*/
00688                         /*so it'll be seen by both machines*/
00689                         EData->Header->DstMac[0]=0xFF;
00690                         EData->Header->DstMac[1]=0xFF;
00691                         EData->Header->DstMac[2]=0xFF;
00692                         EData->Header->DstMac[3]=0xFF;
00693                         EData->Header->DstMac[4]=0xFF;
00694                         EData->Header->DstMac[5]=0xFF;
00695                                                 
00696                         p->TargetInterface=INTERFACE_BROADCAST;
00697                         return ROUTE_RESULT_DONE;
00698                 }else if (p->InterfaceNum==ProductionIF){
00699 #ifdef DEBUG
00700                         printf("ARP Reply from Production.  Sending out Internet\n");
00701 #endif  
00702                         /*make note of this mac address*/
00703                         UpdateIP(*(unsigned int*)AData->EthernetARPHeader->SenderIP, 
00704                                 AData->EthernetARPHeader->SenderMac,
00705                                 BNS_PRODUCTION);
00706 
00707                         p->TargetInterface=InternetIF;
00708                         return ROUTE_RESULT_DONE;
00709                 }else if (p->InterfaceNum==HoneyIF){
00710 #ifdef DEBUG
00711                         printf("ARP Reply from Honeypot.  Dropping.\n");
00712 #endif  
00713                         /*make note of this mac address*/
00714                         UpdateIP(*(unsigned int*)AData->EthernetARPHeader->SenderIP, 
00715                                 AData->EthernetARPHeader->SenderMac,
00716                                 BNS_HONEY);
00717                         
00718                         return ROUTE_RESULT_DROP;                       
00719                 }
00720         }
00721 
00722         return ROUTE_RESULT_DROP;
00723 }
00724 
00725 /**************************************
00726 * Apply BNS Routing
00727 **************************************/
00728 int RouteBNS(int PacketSlot){
00729         PacketRec*              p;
00730         IPData*                 IData;
00731         ARPData*                AData;
00732 
00733 #ifdef DEBUGPATH
00734         printf("In RouteMacFilter\n");
00735 #endif
00736         
00737         p=&Globals.Packets[PacketSlot];
00738         
00739         if ( (p->InterfaceNum!=InternetIF) && 
00740              (p->InterfaceNum!=ProductionIF) &&
00741                  (p->InterfaceNum!=HoneyIF)
00742         ){
00743 #ifdef DEBUG
00744                 printf("We don't handle this interface\n");
00745 #endif  
00746                 return ROUTE_RESULT_CONTINUE;
00747         }
00748         
00749         if (GetDataByID(p->PacketSlot, IPDecoderID, (void**)&IData)){
00750 #ifdef DEBUG1
00751                 printf("This is an IP packet\n");
00752 #endif  
00753                 return HandleIPPacket(PacketSlot, IData);
00754         }else if (GetDataByID(p->PacketSlot, ARPDecoderID, (void**)&AData)){
00755 #ifdef DEBUG1
00756                 printf("This is an ARP packet\n");
00757 #endif  
00758                 return HandleARPPacket(PacketSlot, AData);
00759         }
00760 
00761         return ROUTE_RESULT_DROP;
00762 }
00763 
00764 /*********************************
00765 * Turn on BNS Routing
00766 **********************************/
00767 int RouteBNSAddNode(int RouteID, char* Args){
00768         char*   c1;
00769         char*   c2;
00770         
00771 #ifdef DEBUGPATH
00772         printf("In RouteBNSAddNode\n");
00773 #endif
00774 
00775 #ifdef DEBUG
00776         printf("AddNode was called with args %s\n", Args);
00777 #endif      
00778 
00779         if (!Args) return FALSE;
00780         
00781         /*pop off the first arg*/
00782         /*first arg is Internet Interface*/
00783         c1=Args;
00784         while ((*c1==' ') && (*c1!=0x00)) c1++;
00785         c2=strchr(Args, ',');
00786         if (!c2){
00787                 printf("Expected \",\"\n");
00788                 printf("Usage BNS(<InternetIF>, <ProductionIF>, <HoneyIF>, <BlackList>)\n");
00789                 return FALSE;
00790         }
00791         *c2=0x00;
00792         c2++;
00793 
00794         InternetIF=GetInterfaceByName(c1);
00795         
00796         if (InternetIF==INTERFACE_NONE){
00797                 printf("There is no interface %s\n",c1);
00798                 return FALSE;
00799         }
00800 
00801 #ifdef DEBUG
00802         printf("Internet Interface Set to %i(%s)\n",InternetIF, Globals.Interfaces[InternetIF].Name);
00803 #endif  
00804 
00805         /*pop off the second arg*/
00806         /*second arg is Production Interface*/
00807         c1=c2;
00808         while ((*c1==' ') && (*c1!=0x00)) c1++;
00809         c2=strchr(c1, ',');
00810         if (!c2){
00811                 printf("Expected \",\"\n");
00812                 printf("Usage BNS(<InternetIF>, <ProductionIF>, <HoneyIF>, <BlackList>)\n");
00813                 return FALSE;
00814         }
00815         *c2=0x00;
00816         c2++;
00817 
00818         ProductionIF=GetInterfaceByName(c1);
00819         
00820         if (ProductionIF==INTERFACE_NONE){
00821                 printf("There is no interface %s\n",c1);
00822                 return FALSE;
00823         }
00824 
00825 #ifdef DEBUG
00826         printf("Production Interface Set to %i(%s)\n",ProductionIF, Globals.Interfaces[ProductionIF].Name);
00827 #endif  
00828         
00829 
00830         /*pop off the third arg*/
00831         /*third arg is Honeypot Interface*/
00832         c1=c2;
00833         while ((*c1==' ') && (*c1!=0x00)) c1++;
00834         c2=strchr(c1, ',');
00835         if (!c2){
00836                 printf("Expected \",\"\n");
00837                 printf("Usage BNS(<InternetIF>, <ProductionIF>, <HoneyIF>, <BlackList>)\n");
00838                 return FALSE;
00839         }
00840 
00841         *c2=0x00;
00842         c2++;
00843         HoneyIF=GetInterfaceByName(c1);
00844         
00845         if (HoneyIF==INTERFACE_NONE){
00846                 printf("There is no interface %s\n",c1);
00847                 return FALSE;
00848         }
00849 
00850 #ifdef DEBUG
00851         printf("Honeypot Interface Set to %i(%s)\n",HoneyIF, Globals.Interfaces[HoneyIF].Name);
00852 #endif  
00853 
00854         /*pop off the fourth arg*/
00855         /*third arg is the blacklist*/
00856         c1=c2;
00857         while ((*c1==' ') && (*c1!=0x00)) c1++;
00858         
00859         if (!AddIPRanges(BNSRerouteList, c1)){
00860                 printf("Couldn't understand blacklist\n");
00861                 return FALSE;
00862         }
00863 
00864 #ifdef DEBUG
00865         printf("Added BlackList\n");
00866 #endif  
00867 
00868         
00869         return TRUE;
00870 }
00871 
00872 /*********************************
00873 * Set up everything to do bns routing
00874 **********************************/
00875 int InitRouteBNS(){
00876         int RouteID;
00877         
00878 #ifdef DEBUGPATH
00879         printf("In InitBNS\n");
00880 #endif  
00881 
00882         bzero(BIP, sizeof(BNS_IP) * MAX_BNS);
00883         BNSNumIP=0;
00884         bzero(BMAC, sizeof(BNS_MAC) * MAX_BNS);
00885         BNSNumMac=0;
00886         bzero(Notes, sizeof(BNSNote) * BNS_MAX_NOTES);
00887         ThisNote=0;
00888         
00889         if ( (RouteID=CreateRoute("BNS"))==ROUTE_NONE){
00890                 printf("Couldn't create route BNS\n");
00891                 return FALSE;
00892         }
00893         
00894         Globals.Routes[RouteID].RouteFunc=RouteBNS;
00895         Globals.Routes[RouteID].AddNode=RouteBNSAddNode;
00896         BNSRerouteList=InitNumList(LIST_TYPE_TIME);
00897                 
00898         if ( (EthernetDecoderID=GetDecoderByName("Ethernet"))==DECODER_NONE){
00899                 printf("Couldn't find the Ethernet Decoder\n");
00900                 return FALSE;
00901         }
00902 
00903         if ( (ARPDecoderID=GetDecoderByName("ARP"))==DECODER_NONE){
00904                 printf("Couldn't find the ARP Decoder\n");
00905                 return FALSE;
00906         }
00907 
00908         if ( (IPDecoderID=GetDecoderByName("IP"))==DECODER_NONE){
00909                 printf("Couldn't find the IP Decoder\n");
00910                 return FALSE;
00911         }
00912 
00913         if ( (TCPDecoderID=GetDecoderByName("TCP"))==DECODER_NONE){
00914                 printf("Couldn't find the TCP Decoder\n");
00915                 return FALSE;
00916         }
00917         
00918         if ( (UDPDecoderID=GetDecoderByName("UDP"))==DECODER_NONE){
00919                 printf("Couldn't find the UDP Decoder\n");
00920                 return FALSE;
00921         }
00922         
00923         return TRUE;
00924 }
00925 
00926