Olá, eu achei num site um arquivo com o nome de synsniff.pl
Não consegui identificar qual linguagem é...
Estou desconfiada de que seja perl ou pascal devido à extensão e à data do arquivo :S
Se alguém souber qual linguagem é, eu agradeço
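use Socket;    # AF_INET() for get_host_name(); the Perl-4 era sys/socket.ph is rarely generated on modern systems

# modify these for your particular network
my @exclude_ports = (80, 113);    # www, ident
my $net = "134.114.84";           # ignore SYNs from this subnet, but
                                  # watch SYNs to this subnet
# number of repeated connects from a host during a timestamp period (1 second)
# to be considered a portscan/port flood
my $srcmax = 3;
my $dstmax = 3;

# build the tcpdump command as an argument list; the list-form open() below
# starts tcpdump without a shell, so nothing here is ever parsed as shell
# syntax (tcpdump joins its trailing arguments into one filter expression)
# NOTE(review): udp[13] is payload, not a flags byte (the UDP header is 8
# bytes); kept from the original filter -- confirm it is intended
my @filter = ('tcp[13] & 2 != 0', 'or', 'udp[13] & 2 != 0',
              'and', 'src', 'net', 'not', $net);
push @filter, 'and', 'not', 'port', $_ for @exclude_ports;
my @tcpdump_cmd = ('tcpdump', '-n', '-q', '-l', @filter);

# autoflush STDOUT: log lines must appear as they happen (no &flush helper is
# defined anywhere in this file, so the old call would die at run time)
$| = 1;

my $stamp = timestamp();
print "$stamp -- monitoring network $net\n";
print "$stamp -- ignoring ports [@exclude_ports]\n";
print "$stamp -- [@tcpdump_cmd]\n";
print "$stamp -- logging started\n";

open(my $dump_fh, '-|', @tcpdump_cmd)
    or die "couldn't launch tcpdump: $!\n";

my ($srchits, $dsthits) = (0, 0);                    # consecutive hits from / to the same host
my ($osrcname, $odstname, $otime) = ('', '', '');    # previous line's src, dst and timestamp
LINE: while (my $line = <$dump_fh>) {
    my $now = timestamp();

    # extract the endpoints from a tcpdump line such as
    #   12:00:00.000000 10.0.0.1.1234 > 10.0.0.2.80: S ...
    # anchoring on "src.port > dst.port:" also copes with newer tcpdump output,
    # which prints an extra "IP" token before the source address
    my ($srcip, $srcport, $dstip, $dstport, $type) = $line =~
        m{ (\d+\.\d+\.\d+\.\d+)\.(\d+) \s+ > \s+ (\d+\.\d+\.\d+\.\d+)\.(\d+): \s* (\S*) }x;
    next LINE unless defined $dstport;    # not a packet line (e.g. a tcpdump banner)

    # - only watch packets whose destination is our own net -- useful if we're
    #   on a gateway net (the tcpdump filter above only constrains the source)
    # - ignore broadcast / network addresses (dst ip .x.255 or .x.0)
    my $dst_last_octet = (split /\./, $dstip)[3];
    next LINE unless index($dstip, "$net.") == 0;
    next LINE if $dst_last_octet eq '255' || $dst_last_octet eq '0';

    # resolve only what will be logged; each lookup may cost a DNS round trip
    my $srcname = get_host_name($srcip);
    my $dstname = get_host_name($dstip);

    $srchits++ if $srcname eq $osrcname;
    $dsthits++ if $dstname eq $odstname;
    if ($now ne $otime) {    # new timestamp period: counters start over
        $srchits = 0;
        $dsthits = 0;
    }
    my $flags = '';
    if ($srchits >= $srcmax) {
        $flags   = '[PORTSCAN]';
        $srchits = 0;
    }
    if ($dsthits >= $dstmax) {
        $flags   = '[PORTSCAN]';
        $dsthits = 0;
    }
    print "$now $type $srcname:$srcport -> $dstname:$dstport $flags\n";

    ($osrcname, $odstname, $otime) = ($srcname, $dstname, $now);
}
close $dump_fh or warn "tcpdump exited with status $?\n";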
# simple routine to pad numbers w/ zeros
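# Left-pad $what with zeros to at least $width characters.
#   pad($what, $width) -> string
# $what is returned unchanged when it is already $width characters or longer.
# Uses only lexicals (the old version leaked its temporaries as package globals).
sub pad {
    my ($what, $width) = @_;
    $what  = '' unless defined $what;
    $width = 0  unless defined $width;
    # 'x' with a non-positive count yields '', so over-long input passes through
    return ('0' x ($width - length $what)) . $what;
}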
#
# this code snagged from satan-1.0 (zen & wzv)
#
# Look up the FQDN for a host name or address, with caching.
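# get_host_name($host) -> lower-cased FQDN, the original address when a
# reverse lookup fails, or "" when a forward lookup of a name fails.
# Results are cached in the package global %host_name_cache, keyed by the
# *input* string (the old code keyed the cache by the resolved name, so a
# dotted-quad input never hit the cache and every packet cost a DNS lookup).
sub get_host_name {
    my ($host) = @_;
    my $orig = $host;

    # do cache lookup first
    return $host_name_cache{$orig} if exists $host_name_cache{$orig};

    my @ip;
    if ($host =~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
        # host is an ip address: reverse (PTR) lookup
        @ip = split /\./, $host;
        ($host) = gethostbyaddr(pack('C4', @ip), AF_INET());
    }
    else {
        # host is a name: forward lookup; the trailing elements are packed addresses
        my ($aliases, $type, $len);
        ($host, $aliases, $type, $len, @ip) = gethostbyname($host);
    }

    # a failed lookup leaves $host undef/empty: fall back to what we were given
    $host = $orig unless defined $host && $host ne '';

    my $result = '';
    if ($host && @ip) {
        $result = lc $host;
        # a DNS answer is controlled by whoever runs that zone and is printed
        # straight into the log; keep it to hostname characters so a crafted
        # record cannot inject newlines or fake "[PORTSCAN]" markers
        $result =~ s/[^a-z0-9._\-]/?/g;
    }
    return $host_name_cache{$orig} = $result;
}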
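# timestamp() -> current local time as "MM/DD HH:MM:SS".
# The string is also stored in the package global $mytime, which the main
# loop reads directly, so that side effect is kept on purpose.
sub timestamp {
    my ($sec, $min, $hour, $mday, $mon) = localtime(time);
    # localtime() months are 0-based; the log should read 01..12
    $mytime = sprintf('%02d/%02d %02d:%02d:%02d',
                      $mon + 1, $mday, $hour, $min, $sec);
    return $mytime;
}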