README
¶
=========== HoneyBadger =========== .. image:: http://honeybadger.readthedocs.org/en/latest/_images/honey_badger-white-sm-1.png | .. image:: https://drone.io/github.com/david415/HoneyBadger/status.png :target: https://drone.io/github.com/david415/HoneyBadger/latest .. image:: https://coveralls.io/repos/david415/HoneyBadger/badge.svg?branch=master :target: https://coveralls.io/r/david415/HoneyBadger?branch=master .. image:: https://api.flattr.com/button/flattr-badge-large.png :target: https://flattr.com/submit/auto?user_id=david415&url=https%3A%2F%2Fgithub.com%2Fdavid415%2FHoneyBadger project goals ------------- * HoneyBadger is primarily a comprehensive TCP stream analysis tool for detecting and recording TCP attacks. Perhaps it can assist in discovering 0-days and botnets. * HoneyBadger will include a variety of TCP stream injections attacks (it now includes 2) which prove that the TCP attack detection is reliable. details ------- * Read about HoneyBadger's design and implementation: https://honeybadger.readthedocs.org/ * Read the `manual integration procedure`_ - a reproduciable procedure which proves HoneyBadger's TCP injection attack detection is reliable; **in less than 2 minutes you can perform a test on your loopback interface... and test that HoneyBadger can detect injected data into a netcat client-server connection.** .. _manual integration procedure: https://honeybadger.readthedocs.org/en/latest/#manual-integration-test-with-netcat * Read the godoc `autogenerated API documentation`_ .. _autogenerated API documentation: https://godoc.org/github.com/david415/HoneyBadger usage note ---------- It is not a good idea to run network traffic analysis tools as root. In Linux you can run these tools as an unprivileged user after you run setcap as root like this:: # setcap cap_net_raw,cap_net_admin=eip honeyBadger ======= license ======= HoneyBadger is free software made available via the GPL3... except for small sections of code which are BSD licensed. ======= contact ======= * email dstainton415@gmail.com * gpg key ID 0x836501BE9F27A723 * gpg fingerprint F473 51BD 87AB 7FCF 6F88 80C9 8365 01BE 9F27 A723
Documentation
¶
Index ¶
- Constants
- type CloseRequest
- type ClosedList
- type Connection
- type ConnectionOptions
- type ConnectionPool
- func (c *ConnectionPool) CloseAllConnections() int
- func (c *ConnectionPool) CloseOlderThan(t time.Time) int
- func (c *ConnectionPool) Connections() []*Connection
- func (c *ConnectionPool) Delete(flow *types.TcpIpFlow)
- func (c *ConnectionPool) Get(flow *types.TcpIpFlow) (*Connection, error)
- func (c *ConnectionPool) Has(flow *types.TcpIpFlow) bool
- func (c *ConnectionPool) Put(flow *types.TcpIpFlow, conn *Connection)
- type OrderedCoalesce
- type PacketManifest
- type PageReplaceRequest
- type PageRequest
- type Pager
Constants ¶
const ( // Stop looking for handshake hijack after several // packets have traversed the connection after entering // into TCP_DATA_TRANSFER state FIRST_FEW_PACKETS = 12 // TCP states TCP_UNKNOWN = 0 TCP_CONNECTION_REQUEST = 1 TCP_CONNECTION_ESTABLISHED = 2 TCP_DATA_TRANSFER = 3 TCP_CONNECTION_CLOSING = 4 TCP_INVALID = 5 // initiating TCP closing finite state machine TCP_FIN_WAIT1 = 0 TCP_FIN_WAIT2 = 1 TCP_TIME_WAIT = 2 TCP_CLOSING = 3 // initiated TCP closing finite state machine TCP_CLOSE_WAIT = 0 TCP_LAST_ACK = 1 )
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type CloseRequest ¶
type ClosedList ¶
func NewClosedList ¶
func NewClosedList() *ClosedList
func (*ClosedList) Put ¶
func (c *ClosedList) Put(flow *types.TcpIpFlow)
type Connection ¶
type Connection struct {
ConnectionOptions
ClientStreamRing *ring.Ring
ServerStreamRing *ring.Ring
ClientCoalesce *OrderedCoalesce
ServerCoalesce *OrderedCoalesce
PacketLogger *logging.PcapLogger
// contains filtered or unexported fields
}
Connection is used to track client and server flows for a given TCP connection. We implement a basic TCP finite state machine and track state in order to detect hanshake hijack and other TCP attacks such as segment veto and sloppy injection.
func NewConnection ¶
func NewConnection(options *ConnectionOptions) *Connection
NewConnection returns a new Connection struct
func (*Connection) Close ¶
func (c *Connection) Close()
Close is used by the Connection to shutdown itself. Firstly it removes it's entry from the connection pool... if CloseRequestChanListening is set to true. After that Stop is called.
func (*Connection) ReceivePacket ¶
func (c *Connection) ReceivePacket(p *PacketManifest)
func (*Connection) Start ¶
func (c *Connection) Start(closeRequestChanListening bool)
Start is used to start the packet receiving goroutine for this connection... closeRequestChanListening shall be set to false for many of the TCP FSM unit tests.
func (*Connection) Stop ¶
func (c *Connection) Stop()
Stop frees up all resources used by the connection
type ConnectionOptions ¶
type ConnectionOptions struct {
MaxBufferedPagesTotal int
MaxBufferedPagesPerConnection int
MaxRingPackets int
CloseRequestChan chan CloseRequest
Pager *Pager
LogDir string
LogPackets bool
AttackLogger types.Logger
DetectHijack bool
DetectInjection bool
DetectCoalesceInjection bool
ClosedList *ClosedList
}
type ConnectionPool ¶
type ConnectionPool struct {
// contains filtered or unexported fields
}
ConnectionPool is used to track TCP connections. This is inspired by gopacket.tcpassembly's StreamPool.
func NewConnectionPool ¶
func NewConnectionPool() *ConnectionPool
NewConnectionPool returns a new ConnectionPool struct
func (*ConnectionPool) CloseAllConnections ¶
func (c *ConnectionPool) CloseAllConnections() int
CloseAllConnections closes all connections in the pool. Note that honey badger is a passive observer of network events... Closing a Connection means freeing up any resources that a honey badger's Connection struct was using; namely goroutines and memory.
func (*ConnectionPool) CloseOlderThan ¶
func (c *ConnectionPool) CloseOlderThan(t time.Time) int
CloseOlderThan takes a Time argument and closes all the connections that have not received packet since that specified time
func (*ConnectionPool) Connections ¶
func (c *ConnectionPool) Connections() []*Connection
connectionsLocked returns a slice of Connection pointers. connectionsLocked is meant to be used by some of the other ConnectionPool methods once they've acquired a lock.
func (*ConnectionPool) Delete ¶
func (c *ConnectionPool) Delete(flow *types.TcpIpFlow)
Delete removes a connection from the pool
func (*ConnectionPool) Get ¶
func (c *ConnectionPool) Get(flow *types.TcpIpFlow) (*Connection, error)
Get returns the Connection struct pointer corresponding to the given TcpIpFlow key in one of the flow maps flowAMap or flowBMap
func (*ConnectionPool) Has ¶
func (c *ConnectionPool) Has(flow *types.TcpIpFlow) bool
Has returns true if the given TcpIpFlow is a key in our either of flowAMap or flowBMap
func (*ConnectionPool) Put ¶
func (c *ConnectionPool) Put(flow *types.TcpIpFlow, conn *Connection)
Put sets the connectionMap's key/value.. where a given TcpBidirectionalFlow is the key and a Connection struct pointer is the value.
type OrderedCoalesce ¶
type OrderedCoalesce struct {
// MaxBufferedPagesTotal is an upper limit on the total number of pages to
// buffer while waiting for out-of-order packets. Once this limit is
// reached, the assembler will degrade to flushing every connection it
// gets a packet for. If <= 0, this is ignored.
MaxBufferedPagesTotal int
// MaxBufferedPagesPerConnection is an upper limit on the number of pages
// buffered for a single flow. Should this limit be reached for a
// particular flow, the smallest sequence number will be flushed, along
// with any contiguous data. If <= 0, this is ignored.
MaxBufferedPagesPerFlow int
ConnectionClose func()
Flow *types.TcpIpFlow
StreamRing *ring.Ring
DetectCoalesceInjection bool
// contains filtered or unexported fields
}
func NewOrderedCoalesce ¶
func (*OrderedCoalesce) Close ¶
func (o *OrderedCoalesce) Close()
Close returns all used pages to the page cache via the Pager
type PacketManifest ¶
type PacketManifest struct {
Timestamp time.Time
Flow *types.TcpIpFlow
RawPacket []byte
IP layers.IPv4
TCP layers.TCP
Payload gopacket.Payload
}
PacketManifest is used to send parsed packets via channels to other goroutines
type PageReplaceRequest ¶
type PageReplaceRequest struct {
Page *page
DoneChan chan bool
}
type PageRequest ¶
PageRequest is used to request a page from the Pager The new page will be sent on the ResponseChan and have it's timestamp set to Timestamp.
type Pager ¶
type Pager struct {
// contains filtered or unexported fields
}
Pager is used to synchronize access to our pagecache among many goroutines. No locks are used here. Instead, we use channels to send page points between goroutines.
func NewPager ¶
func NewPager() *Pager
NewPager creates a new Pager struct with an initialized pagecache and channels with which to access it.
func (*Pager) Next ¶
Next takes a timestamp argument and constructs a PageRequest, sends it to pager's requestPageChan, waits to receive a page pointer on the response channel and then returns it.
func (*Pager) Replace ¶
func (p *Pager) Replace(pagePtr *page)
Replace takes a page pointer argument and appends it to the pagecache's free list
func (*Pager) Start ¶
func (p *Pager) Start()
Start causes our Pager to start it's own goroutine to process pagecache requests over channels.
Source Files
Directories