Irongeek

Simple Coffee House IDS, needs a name

51 posts in this topic

I'm pretty sure the "invalid" error was in my old version as well. Yeah, my parse code needs some work. :) Right now I'm working on getting the GUI more responsive, which I think I can do with timerdiff.

Edited by Irongeek

Ok, here is version 0.04t

The t is for timer, it now goes through the cycle of checking ARP, FW and SecLog every 3 sec.

I also fixed the "invalid" problem, I think. Let me know, and I'll post it to the main page soon.

decaffeinatid0.04t.zip


The results aren't displayed/recorded quite instantaneously but they are within a few seconds which should be well within acceptable ranges for this application at this point in development.

I don't see the arp-errors returning on my end though, so I'd say this release is good to go online - as it is *much* more responsive.

I'll add the default systray click event action (View Logs) tomorrow if you don't get to it before I do; we can really start hacking away at the todo list now that it seems like the speed issue is somewhat taken care of.

At least with so few processes being monitored.. were we to add 'nbtstat -c', 'ipconfig /all', 'ipconfig /displaydns' and 'route print' it might slow down a bit, especially if we throw in the hosts and lmhosts file monitoring, which I'm thinking we could.. as well as windows proxy settings.

Edited by jabzor

Damn, you plan to add a lot of functions. :) I'm glad you rewrote some of my code to make it easier to maintain/follow.


Ver 0.05 has been posted.

> Ver 0.05 has been posted.

Was waiting for you to post that so I could edit it and post my 0.05a.

Added the default left-click action (if you double-click on the icon, it opens the log-file (and moved this in to a new function, with an ifexists pre-check)), as well as changed the menu side-text background and the ini icon.

post-3438-1214195483.png

decaffeinatid0.05a.zip

Edited by jabzor

Thanks. I'll roll this in the next time I put a version up.


Posted. Thanks Jabzor.


Everything is nice....

Please add a help file, so that novices can know things :)

The help file may contain:

1. What's the ARP cache and all?

2. Description of important events with proper explanation

3. Things in the INI file.. (even though some fields are obvious :) )

For example, a description of

"ignorenetworksrc": what values can be assigned and what their behaviour is...

Good work!!!! I really like it. Irongeek rocks!


I discovered a bug or something.. I am using Windows Vista... After an hour of runtime or something, I cannot right- or left-click the icon in the tray..

I don't know whether it's a fault in Vista or in decaffeinatid0.05a...??

> I discovered a bug or something.. I am using Windows Vista... After an hour of runtime or something, I cannot right- or left-click the icon in the tray..
>
> I don't know whether it's a fault in Vista or in decaffeinatid0.05a...??

A little of both. :) Can you attach your log file?

Thanks

> I discovered a bug or something.. I am using Windows Vista... After an hour of runtime or something, I cannot right- or left-click the icon in the tray..
>
> I don't know whether it's a fault in Vista or in decaffeinatid0.05a...??

I don't know about Irongeek, but I have done zero testing of DecaffeinatID in Vista.

I have, though, left 0.05a running all night with all the options enabled and it worked fine this morning, so it might be Vista??

I have a 0.06a I am working on. Fixed a few other minor bugs (like setting a trayicon in script form) and increased the speed a bit by removing some redundant calls.

Adding a Gateway monitor and a Route monitor but things are getting tricky so that is going to take some time.


Attached 0.06a

Change Log:

- NEW: some 'TODO' comments in the code (issues that need to be addressed)

- NEW: added a msgbox if no gateways are found for the arp-function.. might want to give the option to 'never show this again' if users are running without gateways? - should never come up though as it is written

- STYLE: setup concatenation (replaced all lines like "$output = $output & $line" with $output &= $line)

- STYLE: setup incrementors (replaced all lines like "$j = $j + 1" with $j += 1)

- STYLE: made all non-global variables local to their function / loop / etc, double-check for me to make sure they are all working.. this should be the future standard

- STYLE: removed some redundant lines, increased speed etc (ex Global $NewARPArray = $OldARPArray)

- FIX: gateway info is now reloaded every time arp-watch is loaded in case the gateways are changed (got rid of Global $IP_Gateway_List entirely, called directly now)

- FIX: non-default systray icon when running as a script (added a conditional to check if compiled or scripting) (I broke it back in 0.03, working now though)

May need to be further code-tested so run some tests before implementing any changes in to newer builds. We need beta-testers and a set of test functions to perform. :unsure:

----

There could be one issue that I can think of, SAGA, and I've addressed it with the TODO comments in the code, though not fixed it here in 0.06a:

Currently, if you have a menu option set to disabled when decaf loads, it will start a timer for the function but never reset it.

I don't know what happens if the timer overflows, or if it can. This might be what you are having trouble with.

We need to add prechecks: all code is run once on startup regardless of the ini, and a timer is started; this shouldn't happen if the ini isn't set to load that feature when the program is loaded.

We also need to set the menu processing code to start or stop the timer for the specific function.

----

Default-gateway and route monitoring hopefully in next version, still too beta to include - but it does process ospf/igrp/static/network-mgmt (automatically created by the adapter), etc and all the metrics therein.

Monitoring for DNS Poisoning and changes to the dns server entry will also eventually see the light of day.

decaffeinatid0.06a.zip

Edited by jabzor

Thanks Jabzor. I'll roll this in the next time I post to the page.


I figured it out (guess)...

I cannot right-click or left-click on the tray icon after locking the Vista machine and unlocking it!!!

Do you want me to send the idslog file?

I have attached it!!!

idslog.txt


Weird, but it may be something that will have to be fixed in AutoIt or the UDF. Jabzor, what do you think?

> Weird, but it may be something that will have to be fixed in AutoIt or the UDF. Jabzor, what do you think?

Installing Vista-lite in a VM; going to see if I can reproduce the issue and if I can figure out what is causing it.


I posted your changes Jabzor. Ver 0.07.


Cool tool guys! I've been looking for something like this for a while. I'll be sending you guys some of my changes when I've got them totally completed. Thanks,

Int3grate


SAGA, found some definite issues with Decaff and Vista, but I cannot get your problem to repeat on any of my tests.

I'll work on fixing the issues I have found as I pin them down though.


Still working on fixing the bugs and adding the monitor gateway feature when I find time, but while you wait:

Vista.. so very ugly.

post-3438-1215361701_thumb.png

Oh, for fun and in Perl (of course), my IPv4 ARP parser. Eventually we'll have to use IP Helper DLL calls (like GetIpNetTable), but in the meantime:

#!/usr/bin/perl -w
use strict;

# Capture the output once. Matching with /g directly against `arp -a` in the
# while condition hands the regex a fresh string every pass, so the match
# position is lost and the first interface is printed forever.
my $arp = `arp -a`;

# One match per "Interface: <ip> --- <id>" block; any word is accepted before
# the colon so localized Windows builds parse too. $3 is the mapping lines up
# to the next blank line (or end of output).
while ($arp =~ m/^\w+ *?: ([\d.]{7,15}).+?(\w+) *?\n.+?\n(.+?)(?:\n{2}|\Z)/smg){
    my ($int_ip, $int_id, $int_maps) = ($1, $2, $3);
    print "\nInterface: $int_ip --- $int_id\n";
    print " Internet Address\tPhysical Address Type\n";
    # Each mapping line: IP, dashed MAC (17 chars), type (dynamic/static).
    while ($int_maps =~ m/^.+?([\d.]{7,15}).+?([0-9a-f-]{17}).+?(\w+)/mg){
        my ($map_ip, $map_mac, $map_type) = ($1, $2, $3);
        # Short IPs get an extra tab so the columns line up.
        print " $map_ip", 14 < length $map_ip ? "\t" : "\t\t", "$map_mac $map_type\n";
    }
}

Edit: added multi-lingual support to the arp-parser.pl above.

I wonder, is there a WMI interface to the ARP cache? There has to be.

We could likely also add ipv6 NDP support along side ARP. ;)

Edited by jabzor
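As an added example (not code from this thread or from DecaffeinatID), here is the same `arp -a` parsing idea in Python, carried one step further into the check the thread's arp-watch performs: parse two snapshots and flag any IP whose MAC changed, optionally only for the gateway addresses. The sample output is constructed.

```python
import re

# Constructed sample of Windows `arp -a` output (not captured from a real host).
# In the second snapshot the gateway's MAC changes, which is the event an
# ARP-cache watcher wants to alert on.
SNAPSHOT_BEFORE = """
Interface: 192.168.1.5 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          00-aa-bb-cc-dd-ee     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace("00-11-22-33-44-55", "00-de-ad-be-ef-01")

# Like the Perl parser above, accept any word before the colon so localized
# Windows builds parse the same way.
INTERFACE_RE = re.compile(r"^\w+\s*:\s*([\d.]{7,15}).*?(0x[0-9a-f]+)", re.I)
ENTRY_RE = re.compile(r"^\s*([\d.]{7,15})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I)


def parse_arp(output):
    """Return {interface_ip: {ip: (mac, type)}} from `arp -a` text."""
    tables, current = {}, None
    for line in output.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            tables[current] = {}
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            ip, mac, typ = m.groups()
            tables[current][ip] = (mac.lower(), typ.lower())
    return tables


def arp_changes(before, after, watch=None):
    """List (iface, ip, old_mac, new_mac) for every IP whose MAC differs
    between two parsed snapshots. `watch` limits the check to given IPs
    (e.g. the default gateways); None checks every entry."""
    alerts = []
    for iface, entries in after.items():
        old_entries = before.get(iface, {})
        for ip, (new_mac, _) in entries.items():
            if watch is not None and ip not in watch:
                continue
            old = old_entries.get(ip)
            if old is not None and old[0] != new_mac:
                alerts.append((iface, ip, old[0], new_mac))
    return alerts
```

Running `arp_changes(parse_arp(SNAPSHOT_BEFORE), parse_arp(SNAPSHOT_AFTER), watch={"192.168.1.1"})` reports the gateway MAC change; a real watcher would poll on the same 3-second timer the tool uses and log each alert.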

Hi Irongeek,

An easy way to get the avi file always displayed in DecaffeinatID's About box is...

Modify the following line to:

Local $aboutimage = @TempDir & "\delogo.avi" ; TODO: figure out how to include in exe so there are no external files (only works if \art\delogo.ani is present in exe folder)

Add the following line before the 'GUICtrlCreateAvi($aboutimage...' line:

FileInstall("art\delogo.avi", @TempDir & "\delogo.avi", 1)

Compile it and that's it!

D. Gravel


Awesome, thanks.

> Hi Irongeek,
>
> An easy way to get the avi file always displayed in DecaffeinatID's About box is...
>
> Modify the following line to:
>
> Local $aboutimage = @TempDir & "\delogo.avi" ; TODO: figure out how to include in exe so there are no external files (only works if \art\delogo.ani is present in exe folder)
>
> Add the following line before the 'GUICtrlCreateAvi($aboutimage...' line:
>
> FileInstall("art\delogo.avi", @TempDir & "\delogo.avi", 1)
>
> Compile it and that's it!
>
> D. Gravel

> SAGA, found some definite issues with Decaff and Vista, but I cannot get your problem to repeat on any of my tests.
>
> I'll work on fixing the issues I have found as I pin them down though.

Any update on the 'Vista issues'? As a Win 7 user I'm curious, because there are issues running DecaffeinatID 0.09 under Win7.

Most noticeably, although the UI continues to respond, the program is no longer notifying of alerts and the program's CPU use is very high.
