Adding Current Work files

Programas/Last_work/Multiprocess/bruteforce_sip-dip_threehash.py

@@ -0,0 +1,62 @@
+# Guarda lista de puertos de cada dip por cada sip
+
+from silk import *
+
+
+startDate = "2018/09/1"
+endDate = "2018/09/30"
+#Para filtrar por puertos. Pero no queremos todavia
+#minPort = 20
+#maxPort = 5000
+
+
+def verify_type():
+    x = 0
+    dportHash = {} #contains amount of dport per each sip
+    for filename in FGlob(classname="all", type="all", start_date=startDate, end_date=endDate, site_config_file="/etc/silk/conf-v9/silk.conf", data_rootdir="/home/scratch/flow/rwflowpack/"):
+        for rec in silkfile_open(filename, READ):#reading the flow file
+            sip = str(rec.sip)
+            dip = str(rec.dip)
+            dport = rec.dport
+            if (':' in sip): #Si en el paso anterior se vio que no
+                # print "heeloo", x
+                # x+=1
+                #                                             #tiene el length de puertos requerido, se ignora
+                continue
+            else:
+                if sip in dportHash:
+                    if dip in dportHash[sip]:
+                        if dport in dportHash[sip][dip]:
+                            dportHash[sip][dip][dport] += 1
+                        else:
+                            dportHash[sip][dip][dport] = 1
+                    else:
+                        dportHash[sip][dip] = {dport : 1}
+                else:
+                    dportHash[sip] = { dip: {dport: 1} }
+    return dportHash
+
+
+#MAIN
+otherHash = {}
+counter = 0
+files = FGlob(classname="all", type="all", start_date=startDate, end_date=endDate, site_config_file="/etc/silk/conf-v9/silk.conf", data_rootdir="/home/scratch/flow/rwflowpack/")
+files = [x for x in files]
+print "Flow", len(files)
+flowHash = verify_type()
+print "After flow", len(flowHash)
+for sips in flowHash: #se itera por todos los dip y sus counters o puertos
+    for dips, dports in flowHash[sips].items():
+        if len(dports) >= 100: #si la cantidad de puertos es mayor o igual a 100, nos interesan
+                                #y por lo tanto se guardan en un hash
+            print "DIP", dips, len(dports)
+            if sips in otherHash:
+                otherHash[sips][dips] = dports
+            else:
+                otherHash[sips] = {dips: dports}
+
+for dips, dports in otherHash.items():
+    counter +=1 #para contar los elementos del hash
+
+print counter
+#print otherHash

Programas/Last_work/Multiprocess/map_bruteforce_three.py

@@ -0,0 +1,98 @@
+# Guarda lista de puertos de cada dip por cada sip
+#ftp remote edit
+from silk import *
+import multiprocessing as mp
+
+
+#Para filtrar por puertos. Pero no queremos todavia
+#minPort = 20
+#maxPort = 5000
+
+
+def verify_type(filename):
+
+    dportHash = {} #contains amount of dport per each sip
+    filename = [filename]
+    #print "stooy aqui"
+
+    for file in filename:
+
+        for rec in silkfile_open(file, READ):#reading the flow file
+            sip = str(rec.sip)
+            dip = str(rec.dip)
+            dport = rec.dport
+            if (':' in sip): #Si en el paso anterior se vio que n                                                    #tiene el length de puertos requerido, se ignora
+
+                # x+=1
+                continue
+            else:
+                if sip in dportHash:
+                    if dip in dportHash[sip]:
+                        if dport in dportHash[sip][dip]:
+                            dportHash[sip][dip][dport] += 1
+                        else:
+                            dportHash[sip][dip][dport] = 1
+                    else:
+                        dportHash[sip][dip] = {dport : 1}
+                else:
+                    dportHash[sip] = { dip: {dport: 1} }
+
+    return dportHash
+
+def join_hash(list):
+    complete_hash ={}
+    for i in list:
+        for sip, hash in i.items():
+            if sip in complete_hash:
+                #print "hello", sip
+                for dip, dports in i[sip].items():
+                    #print dip
+                    if dip in complete_hash[sip]:
+                        #print "wassup"
+                        for number, value in dports.items():
+                            if number in complete_hash[sip]:
+                                print "DPORTS", number
+                                complete_hash[sip][dip][number] += value
+                            else:
+                                complete_hash[sip][dip][number]= value
+                    else:
+                        complete_hash[sip][dip]= dports
+            else:
+                complete_hash[sip]= hash
+    return complete_hash
+
+
+def main():
+    startDate = "2018/09/1"
+    endDate = "2018/09/30"
+    otherHash = {}
+    counter = 0
+    process_num = 8
+    pool = mp.Pool(processes=process_num)
+    files = FGlob(classname="all", type="all", start_date=startDate, end_date=endDate, site_config_file="/etc/silk/conf-v9/silk.conf", data_rootdir="/home/scratch/flow/rwflowpack/")
+
+    files = [x for x in files]
+    print len(files)
+    fileHash = pool.map(verify_type, files) # FGlob(classname="all", type="all", start_date=startDate, end_date=endDate, site_config_file="/etc/silk/conf-v9/silk.conf", data_rootdir="/home/scratch/flow/rwflowpack/"))
+    flowHash = join_hash(fileHash)
+    print "FLOW", len(flowHash)
+    for sips in flowHash: #se itera por todos los dip y sus counters o puertos
+        #print sips
+        for dips, dports in flowHash[sips].items():
+            #print "Dip", dips, dports
+            if len(dports) >= 100: #si la cantidad de puertos es mayor o igual a 100, nos interesan
+                                #y por lo tanto se guardan en un hash
+                print "DIP", dips, len(dports)
+                if sips in otherHash:
+                    otherHash[sips][dips] = dports
+                else:
+                    otherHash[sips] = {dips: dports}
+
+    for dips, dports in otherHash.items():
+        counter +=1 #para contar los elementos del hash
+
+    print counter
+#print otherHash
+
+if __name__== "__main__":
+  main()

Programas/Last_work/Multiprocess/trw.py

@@ -0,0 +1,61 @@
+##################################
+#   TRW sin reduccion           #
+#      Para Data Set de la Uni    #
+################################
+
+
+
+from silk import *
+startDate = "2018/08/14"
+endDate = "2018/08/15"
+p = 2
+
+def Analisis():
+    counter = 0 # borrar luego
+    sampleHash={} #hash para contener los dip con el numero de conecciones y failed coneccciones
+    flow_counter = 0
+    for filename in FGlob(classname="all", type="all", start_date=startDate, end_date=endDate, site_config_file="/etc/silk/conf-v9/silk.conf", data_rootdir="/home/scratch/flow/rwflowpack/"):
+        for rec in silkfile_open(filename, READ):#reading the flow file
+            flow_counter += 1
+            if (':' in str(rec.sip)):
+				continue
+	    else:
+            	connection = [0] * 2 #Lista para contener los valores de conecciones failed y conecciones buenas
+            	sip = str(rec.sip) #Devuelve el ip en notacion punto-decimal
+            	flags = str(rec.tcpflags)
+            #print sip, flags
+	    #counter +=1
+            	if 'A' in flags: ####arreglar
+                	connection[1]=1 #good conections
+                else:
+                	connection [0] =1 #failed conections
+            	if sip in sampleHash:
+	                sampleHash[sip][0]+= connection[0]
+	                sampleHash[sip][1]+= connection[1]
+            	else:
+                	sampleHash[sip] = [connection[0], connection[1]]
+	    #print sampleHash
+    #print flow_counter
+    return sampleHash
+
+sip_connections_list = Analisis()
+#print sip_connections_list
+sipList = {"sipList":[]}
+for sip in sip_connections_list:
+          if (sip_connections_list[sip][1] != 0) and ((sip_connections_list[sip][0] / sip_connections_list[sip][1])  < 1) : #si la cantidad de succesful
+                                #b                #g                    #connections es mas que failed connections
+                      #not scanner, ignore
+                      continue
+          elif (sip_connections_list[sip][1] != 0) and ((sip_connections_list[sip][0] / sip_connections_list[sip][1])  < p): #mas failed que succesful, pero no llega al threshold
+                      #not scanner, ignore
+                      continue                          #se debe tener en cuenta que es suspicious pero no taaanto
+          elif (sip_connections_list[sip][1] == 0 and sip_connections_list[sip][0] > 10): #el ratio de failed a succesful llega al threshold pautado
+                            #scanner, oh oh
+                    hash = {sip:sip_connections_list[sip]}
+                    sipList["sipList"].append(hash)
+          else:
+                            #scanner, oh oh
+                    hash = {sip:sip_connections_list[sip]}
+                    sipList["sipList"].append(hash)
+
+print sipList