|
|
|
|
|
|
|
|
|
|
|
|
|
|
//// Version Info |
|
|
//// Version Info |
|
|
|
|
|
|
|
|
const char* SNF_ENGINE_VERSION = "SNFMulti Engine Version 3.1.5 Build: " __DATE__ " " __TIME__; |
|
|
|
|
|
|
|
|
const char* SNF_ENGINE_VERSION = "SNFMulti Engine Version 3.2.0 Build: " __DATE__ " " __TIME__; |
|
|
|
|
|
|
|
|
//// Script Caller Methods |
|
|
//// Script Caller Methods |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
}
|
|
|
}
|
|
|
|
|
|
|
|
|
static snf_SaccadesHandler SaccadeBrain;
|
|
|
static snf_SaccadesHandler SaccadeBrain;
|
|
|
|
|
|
static snf_IPStrangerList StrangersList;
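Review bot: `StrangersList` is introduced as a file-scope mutable static shared by every snf_EngineHandler in the process, but nothing at the declaration states who may touch it concurrently or how its size is bounded; the scanMessage hunk further down calls `StrangersList.addStranger(theSourceIP)` for every source IP whose first recorded result is white or black and never removes an entry, so a sender rotating through many addresses grows the list one entry per fresh IP unless snf_IPStrangerList itself caps or ages entries, which this diff does not show. If scanMessage is invoked from more than one thread (the SNFMulti name suggests so, but it is not visible here), `addStranger`/`isStranger` also need internal synchronization, since the callers take no lock. I would document the contract where it is declared: `// Process-wide set of first-seen source IPs, shared by all engine handlers: snf_IPStrangerList must be internally synchronized and must bound/expire its entries (no removal happens in this file).` and confirm both properties in the class. The exact boundaries of this hunk are not recoverable from the rendered page.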
|
|
|
|
|
|
|
|
|
int snf_EngineHandler::scanMessage( // Scan this message (in buffer). |
|
|
int snf_EngineHandler::scanMessage( // Scan this message (in buffer). |
|
|
const unsigned char* inputMessageBuffer, // -- this is the message buffer. |
|
|
const unsigned char* inputMessageBuffer, // -- this is the message buffer. |
|
|
|
|
|
|
|
|
) { |
|
|
) { |
|
|
|
|
|
|
|
|
// GBUdb training is enabled. |
|
|
// GBUdb training is enabled. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
bool discoveredNewIP = false;
|
|
|
|
|
|
IP4Address theSourceIP = MyScanData.SourceIPRecord().IP;
|
|
|
|
|
|
|
|
|
switch(ScanResultType) { // Evaluate the scan result. |
|
|
switch(ScanResultType) { // Evaluate the scan result. |
|
|
case NoPattern: // On no pattern (benefit of doubt) or |
|
|
case NoPattern: // On no pattern (benefit of doubt) or |
|
|
case WhitePattern: { // a white pattern:
|
|
|
case WhitePattern: { // a white pattern:
|
|
|
|
|
|
|
|
|
GBUdbRecord thisRecord = // Grab the GBUdb record for later |
|
|
GBUdbRecord thisRecord = // Grab the GBUdb record for later |
|
|
MyRulebase->MyGBUdb.addGood( // then add a good count to the |
|
|
MyRulebase->MyGBUdb.addGood( // then add a good count to the |
|
|
MyScanData.SourceIPRecord().IP); // source IP.
|
|
|
|
|
|
|
|
|
theSourceIP); // source IP.
|
|
|
|
|
|
|
|
|
const unsigned int WhiteGuardValue = 7;
|
|
|
|
|
|
bool triggeredWhiteGuard = (0 == thisRecord.Bad() && 1 == thisRecord.Good());
|
|
|
|
|
|
if(triggeredWhiteGuard) {
|
|
|
|
|
|
thisRecord.Good(WhiteGuardValue);
|
|
|
|
|
|
thisRecord.Bad(WhiteGuardValue);
|
|
|
|
|
|
MyRulebase->MyGBUdb.setRecord(
|
|
|
|
|
|
MyScanData.SourceIPRecord().IP,
|
|
|
|
|
|
thisRecord
|
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
discoveredNewIP = (0 == thisRecord.Bad() && 1 == thisRecord.Good());
|
|
|
|
|
|
|
|
|
|
|
|
if(discoveredNewIP) { // New IPs are strangers.
|
|
|
|
|
|
StrangersList.addStranger(theSourceIP); // Add them to the list
|
|
|
|
|
|
thisRecord.Bad(thisRecord.Good()); // and set their reputation
|
|
|
|
|
|
MyRulebase->MyGBUdb.setRecord(theSourceIP, thisRecord); // to 50/50 at best.
|
|
|
|
|
|
|
|
|
|
|
|
} else
|
|
|
|
|
|
if( // Known IPs that are getting
|
|
|
|
|
|
thisRecord.Good() > thisRecord.Bad() && // an advantage but are on the
|
|
|
|
|
|
StrangersList.isStranger(theSourceIP) // strangers list get put back
|
|
|
|
|
|
) { // to a 50/50 reputation.
|
|
|
|
|
|
unsigned int equalizationValue = thisRecord.Good();
|
|
|
|
|
|
if(1 < equalizationValue) equalizationValue = equalizationValue / 2;
|
|
|
|
|
|
thisRecord.Bad(equalizationValue);
|
|
|
|
|
|
thisRecord.Good(equalizationValue);
|
|
|
|
|
|
MyRulebase->MyGBUdb.setRecord(theSourceIP, thisRecord);
|
|
|
}
|
|
|
}
|
|
|
break; |
|
|
break; |
|
|
} |
|
|
|
|
|
case BlackPattern: { // On a black pattern: |
|
|
|
|
|
MyRulebase->MyGBUdb.addBad( // add a bad count to the source IP |
|
|
|
|
|
MyScanData.SourceIPRecord().IP); // in the GBUdb. |
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
case BlackPattern: { // On a black pattern:
|
|
|
|
|
|
|
|
|
|
|
|
GBUdbRecord thisRecord = // Grab the GBUdb record for later |
|
|
|
|
|
MyRulebase->MyGBUdb.addBad( // Add a bad count to the source IP |
|
|
|
|
|
MyScanData.SourceIPRecord().IP); // in the GBUdb.
|
|
|
|
|
|
|
|
|
|
|
|
discoveredNewIP = (1 == thisRecord.Bad() && 0 == thisRecord.Good());
|
|
|
|
|
|
if(discoveredNewIP) StrangersList.addStranger(theSourceIP);
|
|
|
|
|
|
|
|
|
break; |
|
|
break; |
|
|
} |
|
|
} |
|
|
default: break; // In all other cases, don't train. |
|
|
default: break; // In all other cases, don't train. |