SaraBeatriz před 6 roky
rodič
revize
723db0c5a5

+ 7
- 0
Programas/Fedora/Plots/plot_hash.html Zobrazit soubor

@@ -0,0 +1,7 @@
1
+import plotly
2
+import plotly.graph_objs as go
3
+
4
+plotly.offline.plot({
5
+    "data": [go.Scatter(x=[1, 2, 3, 4], y=[4, 3, 2, 1])],
6
+    "layout": go.Layout(title="hello world")
7
+}, auto_open=True)

+ 1
- 1
Programas/Fedora/Three_Hash/bruteforce_sip-dip_threehash.py Zobrazit soubor

@@ -49,5 +49,5 @@ for sips in flowHash: #se itera por todos los dip y sus counters o puertos
49 49
 
50 50
 for dips, dports in otherHash.items():
51 51
     counter +=1 #para contar los elementos del hash
52
-
52
+return otherHash
53 53
 print counter

+ 38
- 0
Programas/Fedora/Three_Hash/erase.py Zobrazit soubor

@@ -0,0 +1,38 @@
1
+import json
2
+
3
+PATH = '../../netflows.txt'
4
+
5
+myFile = open(PATH, 'r')
6
+ip = myFile.read()
7
+print type(ip)
8
+flow = json.loads(ip)
9
+dportHash = {}
10
+otherHash = {}
11
+for i in flow["flows"]:
12
+    sip = i['sip']
13
+    dip = i['dip']
14
+    dport = i['dport']
15
+    if sip in dportHash:
16
+        if dip in dportHash[sip]:
17
+            if dport in dportHash[sip][dip]:
18
+                dportHash[sip][dip][dport] += 1
19
+            else:
20
+                dportHash[sip][dip][dport] = 1
21
+        else:
22
+            dportHash[sip][dip] = {dport : 1}
23
+    else:
24
+        dportHash[sip] = { dip: {dport: 1} }
25
+print dportHash
26
+
27
+
28
+for sips in dportHash: #se itera por todos los dip y sus counters o puertos
29
+    for dips, dports in dportHash[sips].items():
30
+        print sips, dips, dports
31
+        print len(dports)
32
+        if sips in otherHash:
33
+            otherHash[sips][dips] = dports
34
+            print "OtherHash", otherHash
35
+        else:
36
+            hash = {dips: dports}
37
+            print hash
38
+            otherHash[sips] = {dips: dports}

+ 31
- 0
Programas/Fedora/Three_Hash/erase2.py Zobrazit soubor

@@ -0,0 +1,31 @@
1
+import json
2
+
3
+PATH = '../../netflows.txt'
4
+myFile = open(PATH, 'r')
5
+ip = myFile.read()
6
+flow = json.loads(ip)
7
+dportHash = {}
8
+otherHash = {}
9
+for i in flow["flows"]:
10
+    sip = i['sip']
11
+    dip = i['dip']
12
+    dport = i['dport']
13
+    if sip in dportHash:
14
+        if dip in dportHash[sip]:
15
+            dportHash[sip][dip].append(dport)
16
+        else:
17
+            dportHash[sip][dip] = [dport]
18
+    else:
19
+        dportHash[sip] = { dip: [dport] }
20
+
21
+print dportHash
22
+
23
+for sips in dportHash: #se itera por todos los dip y sus counters o puertos
24
+    for dips, dports in dportHash[sips].items():
25
+        print sips, dips, dports
26
+        print len(dports)
27
+        if sips in otherHash:
28
+            otherHash[sips][dips] = dports
29
+            print "OtherHash", otherHash[sips][dips]
30
+        else:
31
+            otherHash[sips] = {dips: dports}

+ 1
- 0
Programas/Fedora/Three_Hash/flow.txt
Diff nebyl zobrazen, protože je příliš veliký
Zobrazit soubor


+ 21
- 0
Programas/Fedora/Three_Hash/unite.py Zobrazit soubor

@@ -0,0 +1,21 @@
1
+import random
2
+false = 0
3
+hash = {"sips": {'192.168.231.3': [21, 0], '136.145.178.65': [8171, 0], '136.145.178.44': [4087, 0], '136.145.178.60': [10424, 0], '136.145.178.57': [17319, 0], '136.145.178.58': [14799, 0], '136.145.231.38': [53482, 0], '136.145.231.11': [2705, 0], '136.145.231.10': [39608, 0], '136.145.231.15': [104993, 0], '136.145.178.78': [752, 0], '136.145.231.31': [1199, 0], '136.145.231.19': [2094, 0], '136.145.231.32': [6142, 0], '136.145.231.34': [8992, 0], '136.145.231.37': [1330, 0], '136.145.178.70': [549, 0], '136.145.178.55': [6002, 0], '10.255.87.39': [1, 0], '136.145.178.247': [593, 0], '136.145.231.71': [2602, 0], '136.145.231.70': [3569, 0], '136.145.231.73': [2018, 0], '136.145.231.72': [11622, 0], '172.17.0.2': [5, 0], '10.255.86.22': [1, 0], '136.145.178.249': [597, 0], '136.145.178.248': [602, 0], '136.145.231.52': [3697, 0], '136.145.178.90': [24543, 0], '136.145.178.93': [809, 0], '136.145.178.95': [1078, 0], '136.145.178.94': [2966, 0], '10.255.87.28': [1, 0], '136.145.178.99': [1920, 0], '10.255.87.27': [1, 0], '10.255.87.24': [1, 0], '10.255.87.22': [1, 0], '136.145.178.107': [11012, 0], '10.255.87.20': [1, 0], '136.145.178.105': [8970, 0], '136.145.178.245': [620, 0], '10.255.86.19': [1, 0], '136.145.178.47': [6620, 0], '10.255.86.15': [1, 0], '136.145.231.9': [11356, 0], '10.255.86.17': [1, 0], '136.145.178.62': [16838, 0], '169.254.254.254': [3, 0], '10.255.87.26': [1, 0], '136.145.178.251': [671, 0], '136.145.178.20': [541, 0], '136.145.178.79': [2226, 0], '136.145.178.51': [3970, 0], '136.145.231.20': [1992, 0], '0.0.0.0': [21, 0], '136.145.231.25': [2209, 0], '136.145.178.252': [606, 0], '136.145.178.253': [558, 0], '136.145.231.42': [4679, 0], '136.145.231.43': [11221, 0], '136.145.178.42': [3441, 0], '136.145.178.43': [8283, 0], '136.145.231.46': [1557, 0], '136.145.231.12': [83180, 0], '136.145.231.48': [36993, 0], '136.145.178.67': [28, 0], '10.255.87.23': [1, 0], '136.145.178.82': [22282, 0], '136.145.178.68': [356, 0], '10.255.87.38': [1, 0], '136.145.178.85': [24081, 0], '136.145.178.45': [12308, 0], '136.145.87.253': [5, 0], '136.145.178.88': [7457, 0], '10.255.87.21': [1, 0], '10.255.87.34': [1, 0]}}
4
+
5
+
6
+otherHash= {"nodes":[]}
7
+sourceHash= []
8
+counter = -1
9
+for i in hash:
10
+    for j in hash[i]:
11
+        counter+=1
12
+        hash_part = {"id":counter,"reflexive":"false","color":"#ba55d3","name":j,"index":counter,"weight":1,"x":random.randint(600, 900),"y":random.randint(300, 500),"px":random.randint(600, 900),"py":random.randint(300, 500)}
13
+        otherHash["nodes"].append(hash_part)
14
+        counter +=1
15
+        hash_part = {"id":counter,"reflexive":"false","color":"#ba55d3","name":str(hash[i][j]),"index":counter,"weight":1,"x":random.randint(600, 900),"y":random.randint(300, 500),"px":random.randint(600, 900),"py":random.randint(300, 500)}
16
+        print hash_part
17
+        otherHash["nodes"].append(hash_part)
18
+        source_part = {"source":counter-1,"target":counter,"left":"false","right":"true"}
19
+        sourceHash.append(source_part)
20
+otherHash["nodes"].append(sourceHash)
21
+print otherHash

+ 1
- 0
Programas/Fedora/bruteforce_sip-dip-ports.py Zobrazit soubor

@@ -46,5 +46,6 @@ for sips in flowHash: #se itera por todos los dip y sus counters o puertos
46 46
 
47 47
 for dips, dports in otherHash.items():
48 48
     counter +=1 #para contar los elementos del hash
49
+    
49 50
 
50 51
 print (counter)

+ 191
- 0
Programas/Fedora/cheo2.py Zobrazit soubor

@@ -0,0 +1,191 @@
1
+#Version 2 #Itera por sip /16 y cuenta numero de puertos por cada dip
2
+
3
+
4
+
5
+from silk import *
6
+
7
+startDate = "2018/08/10"
8
+endDate = "2018/08/15"
9
+
10
+#Para filtrar por puertos. Pero no queremos todavia
11
+
12
+#minPort = 20
13
+
14
+#maxPort = 5000
15
+
16
+def ipConversion(number, position):
17
+    mystr = '.'
18
+    ipadd = number.split(".") #Devuelve un arreglo
19
+    return mystr.join(ipadd[:position]) #devuelve los numeros en notacion string
20
+
21
+
22
+def FilterBySIP(flows, flowHash, num):
23
+
24
+    fc = 0
25
+    dportHash = {}
26
+
27
+    fdout = open("tmpfile%s" % num, "w")
28
+
29
+    for filename in flows:
30
+        for rec in silkfile_open(filename, READ):#reading the flow file
31
+		fc += 1
32
+        	if (':' in str(rec.sip)) or (num > global_num and ipConversion(str(rec.sip), num) not in flowHash): #Si en el paso anterior se vio que no
33
+             		continue
34
+        	dip = str(rec.dip)
35
+        	sip = str(rec.sip)
36
+      		dport= rec.dport
37
+		sport= rec.sport
38
+
39
+		Filter(fdout, ipConversion(sip, num+1), dip, sport, dport, dportHash)
40
+		fdout.write("%s:%s:%s:%s\n" % (sip, dip, sport, dport))
41
+
42
+    print fc
43
+    fdout.close()
44
+    return dportHash
45
+
46
+def FilterBySIPTMP(flowHash, num):
47
+
48
+    dportHash = {}
49
+
50
+    fdout = open("tmpfile%s" % num, "w")
51
+
52
+    with open("tmpfile%s" % (num - 1), "r") as f:
53
+    	for flow in f:
54
+		sip, dip, sport, dport = flow.split(":")
55
+		sport = int(sport)
56
+		dport = int(dport)
57
+
58
+		if ipConversion(sip, num) not in flowHash:
59
+			continue
60
+		Filter(fdout, ipConversion(sip, num+1), dip, sport, dport, dportHash)
61
+		fdout.write("%s:%s:%s:%s\n" % (sip, dip, sport, dport))
62
+    fdout.close()
63
+    return dportHash
64
+
65
+def Filter(fd, sip, dip, sport, dport, dportHash):
66
+
67
+	if dport > 1024 and (sport <= 1024 or (sport >= 8000 and sport < 9000)):
68
+		return
69
+	if sip in dportHash:
70
+#       	if dip in dportHash[sip]["dips"]:
71
+#        	        dportHash[sip]["dips"][dip] += 1
72
+#		else:
73
+#			dportHash[sip]["dips"][dip] = 1
74
+		if dport in dportHash[sip]["dports"]:
75
+               	        dportHash[sip]["dports"][dport] += 1
76
+			#return
77
+               	else:
78
+               		dportHash[sip]["dports"][dport] = 1
79
+     	else:
80
+		dportHash[sip] = {"dports": {}}
81
+		dportHash[sip]["dips"] = {}
82
+	#fd.write("%s:%s:%s:%s\n" % (sip, dip, sport, dport))
83
+
84
+def FilterBySIPFull(flowHash, num):
85
+
86
+    flow_Counter=0
87
+
88
+    dportHash = {}
89
+
90
+    for filename in FGlob(type="all", start_date=startDate, end_date=endDate, site_config_file="/etc/silk/conf-v9/silk.conf",  data_rootdir="/home/scratch/flow/rwflowpack/"):
91
+
92
+        for rec in silkfile_open(filename, READ):#reading the flow file
93
+                if (':' in str(rec.sip)) or (num > global_num and ipConversion(str(rec.sip), num) not in flowHash): #Si en el paso anterior se vio que no
94
+                        continue
95
+                dip = str(rec.dip)
96
+                sip = ipConversion(str(rec.sip), num+1)
97
+                dport= rec.dport
98
+                if sip in dportHash:
99
+                        if dip in dportHash[sip]:
100
+                                if dport in dportHash[sip][dip]:
101
+                                        dportHash[sip][dip][dport] += 1
102
+                                else:
103
+                                        dportHash[sip][dip][dport] = 1
104
+                        else:
105
+                                dportHash[sip][dip] = {dport : 1}
106
+                else:
107
+                        dportHash[sip] = { dip: {dport: 1} }
108
+
109
+    return dportHash
110
+
111
+def last_step(flowHash, num):
112
+    dportHash = {}
113
+    with open("tmpfile%s" % (num - 1), "r") as f:
114
+    	for flow in f:
115
+            sip, dip, sport, dport = flow.split(":")
116
+            sport = int(sport)
117
+            dport = int(dport)
118
+            if (':' in sip) or (num > global_num and sip not in flowHash):
119
+                continue
120
+            if sip in dportHash:
121
+                if dip in dportHash[sip]:
122
+                    if dport in dportHash[sip][dip]:
123
+                        dportHash[sip][dip][dport] += 1
124
+                    else:
125
+                        dportHash[sip][dip][dport] = 1
126
+                else:
127
+                        dportHash[sip][dip] = {dport : 1}
128
+            else:
129
+                dportHash[sip] = { dip: {dport: 1} }
130
+        return dportHash
131
+
132
+def filter_laststep(flowhash):
133
+    otherHash ={}
134
+    for sips in flowHash: #se itera por todos los dip y sus counters o puertos
135
+        for dips, dports in flowHash[sips].items():
136
+            if len(dports) >= 100: #si la cantidad de puertos es mayor o igual a 100, nos interesan
137
+                                    #y por lo tanto se guardan en un hash
138
+                if sips in otherHash:
139
+                    otherHash[sips][dips] = dports
140
+                else:
141
+                    otherHash[sips] = {dips: dports}
142
+    return otherHash
143
+
144
+global_num = 2
145
+myNum = global_num
146
+
147
+flows = FGlob(type="all", start_date=startDate, end_date=endDate, site_config_file="/etc/silk/conf-v9/silk.conf",  data_rootdir="/home/scratch/flow/rwflowpack/")
148
+
149
+otherHash = {}
150
+
151
+flowHash = FilterBySIP(flows, otherHash, myNum)
152
+
153
+print "Before thresh", len(flowHash)
154
+
155
+for sip in flowHash: #se itera por todos los dip y sus counters o puertos
156
+	if  len(flowHash[sip]["dports"]) >= 100:
157
+		otherHash[sip] = flowHash[sip]
158
+
159
+print "After thresh", len(otherHash)
160
+
161
+myNum += 1
162
+
163
+while myNum <3: #Se itera las cuatro veces de acuerdo con la notacion de ipv4
164
+
165
+    flowHash= FilterBySIPTMP(otherHash, myNum)
166
+
167
+    print "Before thresh", len(flowHash)
168
+    otherHash = {}
169
+    for sip in flowHash: #se itera por todos los dip y sus counters o puertos
170
+    	if  len(flowHash[sip]["dports"]) >= 100:
171
+    		otherHash[sip] = flowHash[sip]
172
+
173
+
174
+    print "After thresh", len(otherHash)
175
+    myNum += 1
176
+
177
+final_hash = last_step(otherHash, myNum)
178
+filtered_final_hash = filter_laststep(final_hash)
179
+
180
+fc = 0
181
+#print final_hash
182
+for sip in filtered_final_hash:
183
+    fc +=1
184
+    for dip in filtered_final_hash[sip]:
185
+
186
+        print sip, dip, filtered_final_hash[sip][dip]
187
+
188
+    #print (flowHash)
189
+print fc
190
+#for sip in otherHash:
191
+#	print sip, sorted(otherHash[sip]["dports"].keys())

+ 10
- 8
Programas/Fedora/fedora_code_trw.py Zobrazit soubor

@@ -6,20 +6,20 @@
6 6
 
7 7
 
8 8
 from silk import *
9
-startDate = "2009/04/20"
10
-endDate = "2009/04/22"
9
+startDate = "2018/08/14"
10
+endDate = "2018/08/15"
11 11
 p = 2
12 12
 
13 13
 def Analisis():
14 14
     counter = 0 # borrar luego
15 15
     sampleHash={} #hash para contener los dip con el numero de conecciones y failed coneccciones
16 16
     flow_counter = 0
17
-    for filename in FGlob(classname="all", type="all", start_date=startDate, end_date=endDate, site_config_file="/data/silk.conf", data_rootdir="/data"):
17
+    for filename in FGlob(classname="all", type="all", start_date=startDate, end_date=endDate, site_config_file="/etc/silk/conf-v9/silk.conf", data_rootdir="/home/scratch/flow/rwflowpack/"):
18 18
         for rec in silkfile_open(filename, READ):#reading the flow file
19 19
             flow_counter += 1
20 20
             if (':' in str(rec.sip)):
21 21
 				continue
22
-	    	else:
22
+	        else:
23 23
             	connection = [0] * 2 #Lista para contener los valores de conecciones failed y conecciones buenas
24 24
             	sip = str(rec.sip) #Devuelve el ip en notacion punto-decimal
25 25
             	flags = str(rec.tcpflags)
@@ -40,7 +40,7 @@ def Analisis():
40 40
 
41 41
 sip_connections_list = Analisis()
42 42
 #print sip_connections_list
43
-sipList = []
43
+sipList = {"sipList":[]}
44 44
 for sip in sip_connections_list:
45 45
           if (sip_connections_list[sip][1] != 0) and ((sip_connections_list[sip][0] / sip_connections_list[sip][1])  < 1) : #si la cantidad de succesful
46 46
                                 #b                #g                    #connections es mas que failed connections
@@ -51,9 +51,11 @@ for sip in sip_connections_list:
51 51
                       continue                          #se debe tener en cuenta que es suspicious pero no taaanto
52 52
           elif (sip_connections_list[sip][1] == 0 and sip_connections_list[sip][0] > 10): #el ratio de failed a succesful llega al threshold pautado
53 53
                             #scanner, oh oh
54
-                    sipList.append(sip)
54
+                    hash = {sip:sip_connections_list[sip]}
55
+                    sipList["sipList"].append(hash)
55 56
           else:
56 57
                             #scanner, oh oh
57
-                    sipList.append(sip)
58
+                    hash = {sip:sip_connections_list[sip]}
59
+                    sipList["sipList"].append(hash)
58 60
 
59
-#print len(sipList)
61
+print sipList

+ 0
- 217
Programas/Filtered_in_Files/bruteforce_filteredbyfiles.py Zobrazit soubor

@@ -1,217 +0,0 @@
1
-#Version 2 #Itera por sip /16 y cuenta numero de puertos por cada dip
2
-#hello
3
-
4
-
5
-from silk import *
6
-
7
-global_num = 2 #posicion del subnetwork. 1 implica A.x.x.x, 2 implica A.B.x.x, etc.
8
-
9
-#funcion que recibe un string del ip address y devuelve otro string hasta el subnetwork
10
-#que indica el numero de posicion
11
-def ipConversion(number, position):
12
-    mystr = '.'
13
-    ipadd = number.split(".")
14
-    return mystr.join(ipadd[:position])
15
-
16
-#Esta funcion recorre la lista de flows, las manda por la funcion de Filter para verificar
17
-#que sean puertos no comunes, luego guarda una lista de esos flows especificos en un file
18
-#y devuelve un hash de los flows filtrados.
19
-def FilterBySIP(flows, flowHash, num):
20
-
21
-    fc = 0
22
-    dportHash = {}
23
-
24
-    fdout = open("tmpfile%s" % num, "w")
25
-
26
-    for filename in flows:
27
-        for rec in silkfile_open(filename, READ):#reading the flow file
28
-		    fc += 1
29
-        	if (':' in str(rec.sip)) or (num > global_num and ipConversion(str(rec.sip), num) not in flowHash): #Si en el paso anterior se vio que no
30
-             		continue
31
-        	dip = str(rec.dip)
32
-        	sip = str(rec.sip)
33
-      		dport= rec.dport
34
-		    sport= rec.sport
35
-
36
-		Filter(fdout, ipConversion(sip, num+1), dip, sport, dport, dportHash)
37
-		fdout.write("%s:%s:%s:%s\n" % (sip, dip, sport, dport))
38
-
39
-    # print fc
40
-    fdout.close()
41
-    return dportHash
42
-
43
-#Esta funcion recorre la lista de flows guardados en el file creado en el step anterior,
44
-#verifica que esten en el hash creado en el step anterior, las manda por la funcion de Filter para verificar
45
-#que sean puertos no comunes, luego guarda una lista de esos flows especificos en un file
46
-#y devuelve un hash de los flows filtrados.
47
-def FilterBySIPTMP(flowHash, num):
48
-
49
-    dportHash = {}
50
-
51
-    fdout = open("tmpfile%s" % num, "w")
52
-
53
-    with open("tmpfile%s" % (num - 1), "r") as f:
54
-    	for flow in f:
55
-            sip, dip, sport, dport = flow.split(":")
56
-            #print ipConversion(sip, num)
57
-            sport = int(sport)
58
-            dport = int(dport)
59
-            if ipConversion(sip, num) not in flowHash:
60
-                continue
61
-            Filter(fdout, ipConversion(sip, num+1), dip, sport, dport, dportHash)
62
-            fdout.write("%s:%s:%s:%s\n" % (sip, dip, sport, dport))
63
-        fdout.close()
64
-    return dportHash
65
-
66
-#argumentos consisten del file con los flows, source y destination ip y puertos y
67
-#un hash vacio para guardar los source ips con la lista de puertos a donde se conecta
68
-#la funcion verifica que los puertos no sean puertos comunes, para asi agregar el flow al hash
69
-def Filter(fd, sip, dip, sport, dport, dportHash):
70
-
71
-	if dport > 1024 and (sport <= 1024 or (sport >= 8000 and sport < 9000)):
72
-		return
73
-	if sip in dportHash:
74
-#       	if dip in dportHash[sip]["dips"]:
75
-#        	        dportHash[sip]["dips"][dip] += 1
76
-#		else:
77
-#			dportHash[sip]["dips"][dip] = 1
78
-		if dport in dportHash[sip]["dports"]:
79
-               	        dportHash[sip]["dports"][dport] += 1
80
-			#return
81
-               	else:
82
-               		dportHash[sip]["dports"][dport] = 1
83
-     	else:
84
-		dportHash[sip] = {"dports": {}}
85
-		dportHash[sip]["dips"] = {}
86
-	#fd.write("%s:%s:%s:%s\n" % (sip, dip, sport, dport))
87
-
88
-def FilterBySIPFull(flowHash, num):
89
-    flow_Counter=0
90
-    dportHash = {}
91
-
92
-    for filename in FGlob(type="all", start_date=startDate, end_date=endDate, site_config_file="/etc/silk/conf-v9/silk.conf",  data_rootdir="/home/scratch/flow/rwflowpack/"):
93
-
94
-        for rec in silkfile_open(filename, READ):#reading the flow file
95
-                if (':' in str(rec.sip)) or (num > global_num and ipConversion(str(rec.sip), num) not in flowHash): #Si en el paso anterior se vio que no
96
-                        continue
97
-                dip = str(rec.dip)
98
-                sip = ipConversion(str(rec.sip), num+1)
99
-                dport= rec.dport
100
-                if sip in dportHash:
101
-                        if dip in dportHash[sip]:
102
-                                if dport in dportHash[sip][dip]:
103
-                                        dportHash[sip][dip][dport] += 1
104
-                                else:
105
-                                        dportHash[sip][dip][dport] = 1
106
-                        else:
107
-                                dportHash[sip][dip] = {dport : 1}
108
-                else:
109
-                        dportHash[sip] = { dip: {dport: 1} }
110
-
111
-    return dportHash
112
-
113
-#Hace lo mismo que la funcion FilterBySIPTMP, lo unico que esta vez no hace falta verificar los puertos
114
-#y ademas crea otro hash de los source ips con sus destination ips con sus puertos
115
-def last_step(flowHash, num):
116
-    dportHash = {}
117
-
118
-    with open("tmpfile%s" % (num), "r") as f:
119
-    	for flow in f:
120
-            sip, dip, sport, dport = flow.split(":")
121
-            sport = int(sport)
122
-            dport = int(dport)
123
-            if (':' in sip) or (num > global_num and sip not in flowHash):
124
-                print sip
125
-                print "Do we ever enter here?"
126
-                continue
127
-            if sip in dportHash:
128
-                if dip in dportHash[sip]:
129
-                    if dport in dportHash[sip][dip]:
130
-                        dportHash[sip][dip][dport] += 1
131
-                    else:
132
-                        dportHash[sip][dip][dport] = 1
133
-                else:
134
-                        dportHash[sip][dip] = {dport : 1}
135
-            else:
136
-                dportHash[sip] = { dip: {dport: 1} }
137
-        return dportHash
138
-
139
-#Funcion que verifica que el total de puertos por cada source ip con su destination ip
140
-#sea mayor que 100. Devuelve un hash con los flows filtrados.
141
-def filter_laststep(flowhash):
142
-    otherhash ={}
143
-
144
-    for sips in flowhash: #se itera por todos los dip y sus counters o puertos
145
-        for dips, dports in flowhash[sips].items():
146
-            #print "Filter", len(dports)
147
-            if len(dports) >= 100: #si la cantidad de puertos es mayor o igual a 100, nos interesan
148
-                                    #y por lo tanto se guardan en un hash
149
-                if sips in otherhash:
150
-                    otherhash[sips][dips] = dports
151
-                else:
152
-                    otherhash[sips] = {dips: dports}
153
-    return otherhash
154
-
155
-
156
-
157
-def main():
158
-#variable del intervalo de los flows a verificar
159
-    startDate = "2018/08/01"
160
-    endDate = "2018/08/31"
161
-
162
-    myNum = global_num #variable que dicta la posicion del subnetwork
163
-
164
-    #lista de flows total
165
-    flows = FGlob(type="all", start_date=startDate, end_date=endDate, site_config_file="/etc/silk/conf-v9/silk.conf",  data_rootdir="/home/scratch/flow/rwflowpack/")
166
-
167
-    otherHash = {}
168
-
169
-    flowHash = FilterBySIP(flows, otherHash, myNum) #hash de todos los sourceip en el subnetwork de posicion myNum con sus puertos
170
-
171
-    print "Before thresh 1", len(flowHash)
172
-
173
-    #Verifica source ips sospechosos por cantidad de puertos conectados
174
-    #devuelve hash con los source ips filtrados
175
-    for sip in flowHash:
176
-    	if  len(flowHash[sip]["dports"]) >= 100:
177
-    		otherHash[sip] = flowHash[sip]
178
-
179
-    print "After thresh 1", len(otherHash)
180
-
181
-
182
-    while myNum <3:
183
-
184
-        flowHash= FilterBySIPTMP(otherHash, myNum + 1)
185
-
186
-        #print "Before thresh 2", len(flowHash)
187
-        otherHash = {}
188
-        for sip in flowHash: #se itera por todos los dip y sus counters o puertos
189
-        	if  len(flowHash[sip]["dports"]) >= 100:
190
-        		otherHash[sip] = flowHash[sip]
191
-
192
-
193
-        #print "After thresh 2", len(otherHash)
194
-        myNum += 1
195
-
196
-    final_hash = last_step(otherHash, myNum)
197
-    #print final_hash
198
-    # for sips in final_hash: #se itera por todos los dip y sus counters o puertos
199
-    #     for dips, dports in final_hash[sips].items():
200
-    #         print "final", len(dports)"
201
-    filtered_final_hash = filter_laststep(final_hash)
202
-
203
-
204
-    fc = 0
205
-    fo=0
206
-    for sip in filtered_final_hash:
207
-        fc +=1
208
-        for dip in filtered_final_hash[sip]:
209
-            fo +=1
210
-            #print sip, dip, filtered_final_hash[sip][dip]
211
-        #print (flowHash)
212
-    print fc
213
-    print fo
214
-
215
-
216
-if __name__== "__main__":
217
-  main()

+ 0
- 62
Programas/Multiprocess/bruteforce_sip-dip_threehash.py Zobrazit soubor

@@ -1,62 +0,0 @@
1
-# Guarda lista de puertos de cada dip por cada sip
2
-
3
-from silk import *
4
-
5
-
6
-startDate = "2018/09/1"
7
-endDate = "2018/09/30"
8
-#Para filtrar por puertos. Pero no queremos todavia
9
-#minPort = 20
10
-#maxPort = 5000
11
-
12
-
13
-def verify_type():
14
-    x = 0
15
-    dportHash = {} #contains amount of dport per each sip
16
-    for filename in FGlob(classname="all", type="all", start_date=startDate, end_date=endDate, site_config_file="/etc/silk/conf-v9/silk.conf", data_rootdir="/home/scratch/flow/rwflowpack/"):
17
-        for rec in silkfile_open(filename, READ):#reading the flow file
18
-            sip = str(rec.sip)
19
-            dip = str(rec.dip)
20
-            dport = rec.dport
21
-            if (':' in sip): #Si en el paso anterior se vio que no
22
-                # print "heeloo", x
23
-                # x+=1
24
-                #                                             #tiene el length de puertos requerido, se ignora
25
-                continue
26
-            else:
27
-                if sip in dportHash:
28
-                    if dip in dportHash[sip]:
29
-                        if dport in dportHash[sip][dip]:
30
-                            dportHash[sip][dip][dport] += 1
31
-                        else:
32
-                            dportHash[sip][dip][dport] = 1
33
-                    else:
34
-                        dportHash[sip][dip] = {dport : 1}
35
-                else:
36
-                    dportHash[sip] = { dip: {dport: 1} }
37
-    return dportHash
38
-
39
-
40
-#MAIN
41
-otherHash = {}
42
-counter = 0
43
-files = FGlob(classname="all", type="all", start_date=startDate, end_date=endDate, site_config_file="/etc/silk/conf-v9/silk.conf", data_rootdir="/home/scratch/flow/rwflowpack/")
44
-files = [x for x in files]
45
-print "Flow", len(files)
46
-flowHash = verify_type()
47
-print "After flow", len(flowHash)
48
-for sips in flowHash: #se itera por todos los dip y sus counters o puertos
49
-    for dips, dports in flowHash[sips].items():
50
-        if len(dports) >= 100: #si la cantidad de puertos es mayor o igual a 100, nos interesan
51
-                                #y por lo tanto se guardan en un hash
52
-            print "DIP", dips, len(dports)
53
-            if sips in otherHash:
54
-                otherHash[sips][dips] = dports
55
-            else:
56
-                otherHash[sips] = {dips: dports}
57
-
58
-for dips, dports in otherHash.items():
59
-    counter +=1 #para contar los elementos del hash
60
-
61
-print counter
62
-#print otherHash

+ 0
- 98
Programas/Multiprocess/map_bruteforce_three.py Zobrazit soubor

@@ -1,98 +0,0 @@
1
-# Guarda lista de puertos de cada dip por cada sip
2
-#ftp remote edit
3
-from silk import *
4
-import multiprocessing as mp
5
-
6
-
7
-#Para filtrar por puertos. Pero no queremos todavia
8
-#minPort = 20
9
-#maxPort = 5000
10
-
11
-
12
-def verify_type(filename):
13
-
14
-    dportHash = {} #contains amount of dport per each sip
15
-    filename = [filename]
16
-    #print "stooy aqui"
17
-
18
-    for file in filename:
19
-
20
-        for rec in silkfile_open(file, READ):#reading the flow file
21
-            sip = str(rec.sip)
22
-            dip = str(rec.dip)
23
-            dport = rec.dport
24
-            if (':' in sip): #Si en el paso anterior se vio que n                                                    #tiene el length de puertos requerido, se ignora
25
-
26
-                # x+=1
27
-                continue
28
-            else:
29
-                if sip in dportHash:
30
-                    if dip in dportHash[sip]:
31
-                        if dport in dportHash[sip][dip]:
32
-                            dportHash[sip][dip][dport] += 1
33
-                        else:
34
-                            dportHash[sip][dip][dport] = 1
35
-                    else:
36
-                        dportHash[sip][dip] = {dport : 1}
37
-                else:
38
-                    dportHash[sip] = { dip: {dport: 1} }
39
-
40
-    return dportHash
41
-
42
-def join_hash(list):
43
-    complete_hash ={}
44
-    for i in list:
45
-        for sip, hash in i.items():
46
-            if sip in complete_hash:
47
-                #print "hello", sip
48
-                for dip, dports in i[sip].items():
49
-                    #print dip
50
-                    if dip in complete_hash[sip]:
51
-                        #print "wassup"
52
-                        for number, value in dports.items():
53
-                            if number in complete_hash[sip]:
54
-                                print "DPORTS", number
55
-                                complete_hash[sip][dip][number] += value
56
-                            else:
57
-                                complete_hash[sip][dip][number]= value
58
-                    else:
59
-                        complete_hash[sip][dip]= dports
60
-            else:
61
-                complete_hash[sip]= hash
62
-    return complete_hash
63
-
64
-
65
-def main():
66
-    startDate = "2018/09/1"
67
-    endDate = "2018/09/30"
68
-    otherHash = {}
69
-    counter = 0
70
-    process_num = 8
71
-    pool = mp.Pool(processes=process_num)
72
-    files = FGlob(classname="all", type="all", start_date=startDate, end_date=endDate, site_config_file="/etc/silk/conf-v9/silk.conf", data_rootdir="/home/scratch/flow/rwflowpack/")
73
-
74
-    files = [x for x in files]
75
-    print len(files)
76
-    fileHash = pool.map(verify_type, files) # FGlob(classname="all", type="all", start_date=startDate, end_date=endDate, site_config_file="/etc/silk/conf-v9/silk.conf", data_rootdir="/home/scratch/flow/rwflowpack/"))
77
-    flowHash = join_hash(fileHash)
78
-    print "FLOW", len(flowHash)
79
-    for sips in flowHash: #se itera por todos los dip y sus counters o puertos
80
-        #print sips
81
-        for dips, dports in flowHash[sips].items():
82
-            #print "Dip", dips, dports
83
-            if len(dports) >= 100: #si la cantidad de puertos es mayor o igual a 100, nos interesan
84
-                                #y por lo tanto se guardan en un hash
85
-                print "DIP", dips, len(dports)
86
-                if sips in otherHash:
87
-                    otherHash[sips][dips] = dports
88
-                else:
89
-                    otherHash[sips] = {dips: dports}
90
-
91
-    for dips, dports in otherHash.items():
92
-        counter +=1 #para contar los elementos del hash
93
-
94
-    print counter
95
-#print otherHash
96
-
97
-if __name__== "__main__":
98
-  main()

+ 0
- 61
Programas/Multiprocess/trw.py Zobrazit soubor

@@ -1,61 +0,0 @@
1
-##################################
2
-#   TRW sin reduccion           #
3
-#      Para Data Set de la Uni    #
4
-################################
5
-
6
-
7
-
8
-from silk import *
9
-startDate = "2018/08/14"
10
-endDate = "2018/08/15"
11
-p = 2
12
-
13
-def Analisis():
14
-    counter = 0 # borrar luego
15
-    sampleHash={} #hash para contener los dip con el numero de conecciones y failed coneccciones
16
-    flow_counter = 0
17
-    for filename in FGlob(classname="all", type="all", start_date=startDate, end_date=endDate, site_config_file="/etc/silk/conf-v9/silk.conf", data_rootdir="/home/scratch/flow/rwflowpack/"):
18
-        for rec in silkfile_open(filename, READ):#reading the flow file
19
-            flow_counter += 1
20
-            if (':' in str(rec.sip)):
21
-				continue
22
-	    else:
23
-            	connection = [0] * 2 #Lista para contener los valores de conecciones failed y conecciones buenas
24
-            	sip = str(rec.sip) #Devuelve el ip en notacion punto-decimal
25
-            	flags = str(rec.tcpflags)
26
-            #print sip, flags
27
-	    #counter +=1
28
-            	if 'A' in flags: ####arreglar
29
-                	connection[1]=1 #good conections
30
-                else:
31
-                	connection [0] =1 #failed conections
32
-            	if sip in sampleHash:
33
-	                sampleHash[sip][0]+= connection[0]
34
-	                sampleHash[sip][1]+= connection[1]
35
-            	else:
36
-                	sampleHash[sip] = [connection[0], connection[1]]
37
-	    #print sampleHash
38
-    #print flow_counter
39
-    return sampleHash
40
-
41
-sip_connections_list = Analisis()
42
-#print sip_connections_list
43
-sipList = {"sipList":[]}
44
-for sip in sip_connections_list:
45
-          if (sip_connections_list[sip][1] != 0) and ((sip_connections_list[sip][0] / sip_connections_list[sip][1])  < 1) : #si la cantidad de succesful
46
-                                #b                #g                    #connections es mas que failed connections
47
-                      #not scanner, ignore
48
-                      continue
49
-          elif (sip_connections_list[sip][1] != 0) and ((sip_connections_list[sip][0] / sip_connections_list[sip][1])  < p): #mas failed que succesful, pero no llega al threshold
50
-                      #not scanner, ignore
51
-                      continue                          #se debe tener en cuenta que es suspicious pero no taaanto
52
-          elif (sip_connections_list[sip][1] == 0 and sip_connections_list[sip][0] > 10): #el ratio de failed a succesful llega al threshold pautado
53
-                            #scanner, oh oh
54
-                    hash = {sip:sip_connections_list[sip]}
55
-                    sipList["sipList"].append(hash)
56
-          else:
57
-                            #scanner, oh oh
58
-                    hash = {sip:sip_connections_list[sip]}
59
-                    sipList["sipList"].append(hash)
60
-
61
-print sipList

+ 0
- 75
Programas/Reduction_Method/bruteforce_reduc_sip-dip_threehash.py Zobrazit soubor

@@ -1,75 +0,0 @@
1
-#Itera por sip /16 y cuenta numero de puertos por cada dip
2
-
3
-from silk import *
4
-
5
-
6
-startDate = "2018/06/01"
7
-endDate = "2018/06/30"
8
-#Para filtrar por puertos. Pero no queremos todavia
9
-#minPort = 20
10
-#maxPort = 5000
11
-
12
-
13
-def ipConversion(number, position):
14
-    mystr = ''
15
-    ipadd = number.split(".") #Devuelve un arreglo
16
-    for i in range(position+1):
17
-        if i ==position:
18
-            mystr = mystr + ipadd[i]
19
-        else:
20
-            mystr = mystr + ipadd[i] + '.'
21
-    return mystr #devuelve los numeros en notacion string
22
-
23
-
24
-
25
-def UltimoAnalisis(flowHash, num):
26
-    dportHash={}
27
-    flow_Counter=0
28
-    for filename in FGlob(classname="all", type="all", start_date=startDate, end_date=endDate, site_config_file="/etc/silk/conf-v9/silk.conf", data_rootdir="/home/scratch/flow/rwflowpack/"):
29
-        for rec in silkfile_open(filename, READ):#reading the flow file
30
-            if (':' in str(rec.sip)) or (num != 0 and ipConversion(str(rec.sip), num-1) not in flowHash): #Si en el paso anterior se vio que no
31
-                                                                         #tiene el length de puertos requerido, se ignora
32
-                continue
33
-            else: #agrega a un hash cada puerto con un counter de sus destination ips
34
-                dip = str(rec.dip)
35
-                sip = ipConversion(str(rec.sip), num)
36
-                dport= rec.dport
37
-                if sip in dportHash:
38
-                    if dip in dportHash[sip]:
39
-                        if dport in dportHash[sip][dip]:
40
-                            dportHash[sip][dip][dport] += 1
41
-                        else:
42
-                            dportHash[sip][dip][dport] = 1
43
-                    else:
44
-                        dportHash[sip][dip] = {dport : 1}
45
-                else:
46
-                    dportHash[sip] = { dip: {dport: 1} }
47
-
48
-    #print flow_Counter
49
-    return dportHash
50
-
51
-#main
52
-
53
-myNum = 0
54
-otherHash = {}
55
-while myNum <4: #Se itera las cuatro veces de acuerdo con la notacion de ipv4
56
-    flowHash= UltimoAnalisis(otherHash, myNum)
57
-    otherHash = {} #Se borra el hash para agregar elementos nuevos con la nueva etapa de la busqueda
58
-    for sips in flowHash: #se itera por todos los dip y sus counters o puertos
59
-        for dips, dports in flowHash[sips].items():
60
-            if len(dports) >= 100: #si la cantidad de puertos es mayor o igual a 100, nos interesan
61
-                                    #y por lo tanto se guardan en un hash
62
-                if sips in otherHash:
63
-                    otherHash[sips][dips] = dports
64
-                else:
65
-                    otherHash[sips] = {dips: dports}
66
-    myNum += 1
67
-
68
-    #print (flowHash)
69
-
70
-counter = 0
71
-
72
-for dips, dports in otherHash.items():
73
-    counter +=1 #para contar los elementos del hash
74
-
75
-print counter

+ 0
- 145
Programas/Reduction_Method/bruteforce_reduc_sip_threehash.py Zobrazit soubor

@@ -1,145 +0,0 @@
1
-#Itera por sip /16 y cuenta numero de puertos por cada dip
2
-
3
-
4
-
5
-from silk import *
6
-
7
-
8
-
9
-
10
-
11
-startDate = "2018/06/01"
12
-
13
-endDate = "2018/06/30"
14
-
15
-#Para filtrar por puertos. Pero no queremos todavia
16
-
17
-#minPort = 20
18
-
19
-#maxPort = 5000
20
-
21
-
22
-
23
-
24
-
25
-def ipConversion(number, position):
26
-
27
-    mystr = ''
28
-
29
-    ipadd = number.split(".") #Devuelve un arreglo
30
-
31
-    for i in range(position+1):
32
-
33
-        if i ==position:
34
-
35
-            mystr = mystr + ipadd[i]
36
-
37
-        else:
38
-
39
-            mystr = mystr + ipadd[i] + '.'
40
-
41
-    return mystr #devuelve los numeros en notacion string
42
-
43
-
44
-
45
-def UltimoAnalisis(flowHash, num):
46
-
47
-    dportHash={}
48
-
49
-    flow_Counter=0
50
-
51
-    for filename in FGlob(type="all", start_date=startDate, end_date=endDate, site_config_file="/etc/silk/conf-v9/silk.conf",  data_rootdir="/home/scratch/flow/rwflowpack/"):
52
-
53
-        for rec in silkfile_open(filename, READ):#reading the flow file
54
-
55
-            if (':' in str(rec.sip)) or (num != 0 and ipConversion(str(rec.sip), num-1) not in flowHash): #Si en el paso anterior se vio que no
56
-
57
-                                                                         #tiene el length de puertos requerido, se ignora
58
-
59
-                continue
60
-
61
-            else: #agrega a un hash cada puerto con un counter de sus destination ips
62
-
63
-                dip = str(rec.dip)
64
-
65
-                sip = ipConversion(str(rec.sip), num)
66
-
67
-                dport= rec.dport
68
-
69
-                if sip in dportHash:
70
-
71
-                    if dip in dportHash[sip]:
72
-
73
-                        if dport in dportHash[sip][dip]:
74
-
75
-                            dportHash[sip][dip][dport] += 1
76
-
77
-                        else:
78
-
79
-                            dportHash[sip][dip][dport] = 1
80
-
81
-                    else:
82
-
83
-                        dportHash[sip][dip] = {dport : 1}
84
-
85
-                else:
86
-
87
-                    dportHash[sip] = { dip: {dport: 1} }
88
-
89
-
90
-
91
-    #print flow_Counter
92
-
93
-    return dportHash
94
-
95
-
96
-
97
-#main
98
-
99
-
100
-
101
-myNum = 0
102
-
103
-otherHash = {}
104
-
105
-while myNum <4: #Se itera las cuatro veces de acuerdo con la notacion de ipv4
106
-
107
-    flowHash= UltimoAnalisis(otherHash, myNum)
108
-
109
-    otherHash = {} #Se borra el hash para agregar elementos nuevos con la nueva etapa de la busqueda
110
-
111
-    for sips in flowHash: #se itera por todos los dip y sus counters o puertos
112
-
113
-        for dips, dports in flowHash[sips].items():
114
-
115
-            if len(dports) >= 100: #si la cantidad de puertos es mayor o igual a 100, nos interesan
116
-
117
-                                    #y por lo tanto se guardan en un hash
118
-
119
-                if sips in otherHash:
120
-
121
-                    otherHash[sips][dips] = dports
122
-
123
-                else:
124
-
125
-                    otherHash[sips] = {dips: dports}
126
-
127
-    myNum += 1
128
-
129
-
130
-
131
-    #print (flowHash)
132
-
133
-
134
-
135
-counter = 0
136
-
137
-
138
-
139
-for dips, dports in otherHash.items():
140
-
141
-    counter +=1 #para contar los elementos del hash
142
-
143
-
144
-
145
-print counter

+ 0
- 74
Programas/Reduction_Method/bruteforce_reduc_threehash.py Zobrazit soubor

@@ -1,74 +0,0 @@
1
-#Itera a la vez el sip y el dip y guarda en un hash los puertos
2
-
3
-from silk import *
4
-
5
-
6
-startDate = "2018/08/14"
7
-endDate = "2018/08/15"
8
-#Para filtrar por puertos. Pero no queremos todavia
9
-#minPort = 20
10
-#maxPort = 5000
11
-
12
-
13
-def ipConversion(number, position):
14
-    mystr = ''
15
-    ipadd = number.split(".") #Devuelve un arreglo
16
-    for i in range(position+1):
17
-        if i ==position:
18
-            mystr = mystr + ipadd[i]
19
-        else:
20
-            mystr = mystr + ipadd[i] + '.'
21
-    return mystr #devuelve los numeros en notacion string
22
-
23
-
24
-def UltimoAnalisis(flowHash, num):
25
-    dportHash={}
26
-    flow_Counter=0
27
-    for filename in FGlob(classname="all", type="all", start_date=startDate, end_date=endDate, site_config_file="/etc/silk/conf-v9/silk.conf", data_rootdir="/home/scratch/flow/rwflowpack/"):
28
-        for rec in silkfile_open(filename, READ):#reading the flow file
29
-            if (':' in str(rec.sip)) or (num != 0 and ipConversion(str(rec.sip), num-1) not in flowHash): #Si en el paso anterior se vio que no
30
-                                                                         #tiene el length de puertos requerido, se ignora
31
-                continue
32
-            else: #agrega a un hash cada puerto con un counter de sus destination ips
33
-                dip = ipConversion(str(rec.dip), num)
34
-                sip = ipConversion(str(rec.sip), num)
35
-                dport= rec.dport
36
-                if sip in dportHash:
37
-                    if dip in dportHash[sip]:
38
-                        if dport in dportHash[sip][dip]:
39
-                            dportHash[sip][dip][dport] += 1
40
-                        else:
41
-                            dportHash[sip][dip][dport] = 1
42
-                    else:
43
-                        dportHash[sip][dip] = {dport : 1}
44
-                else:
45
-                    dportHash[sip] = { dip: {dport: 1} }
46
-
47
-    #print flow_Counter
48
-    return dportHash
49
-
50
-
51
-#main
52
-
53
-myNum = 0
54
-otherHash = {}
55
-while myNum <4: #Se itera las cuatro veces de acuerdo con la notacion de ipv4
56
-    flowHash= UltimoAnalisis(otherHash, myNum)
57
-    otherHash = {} #Se borra el hash para agregar elementos nuevos con la nueva etapa de la busqueda
58
-    for sips in flowHash: #se itera por todos los dip y sus counters o puertos
59
-        for dips, dports in flowHash[sips].items():
60
-            if len(dports) >= 100: #si la cantidad de puertos es mayor o igual a 100, nos interesan
61
-                                    #y por lo tanto se guardan en un hash
62
-                if sips in otherHash:
63
-                    otherHash[sips][dips] = dports
64
-                else:
65
-                    otherHash[sips] = {dips: dports}
66
-                print sips, len(dports)
67
-    myNum += 1
68
-
69
-
70
-counter = 0
71
-for dips, dports in otherHash.items():
72
-    counter +=1 #para contar los elementos del hash
73
-
74
-print counter

+ 73
- 73
Programas/bruteforce_reduc_threehash.py Zobrazit soubor

@@ -1,73 +1,73 @@
1
-#Itera a la vez el sip y el dip y guarda en un hash los puertos
2
-
3
-from silk import *
4
-
5
-
6
-startDate = "2009/04/20"
7
-endDate = "2009/04/22"
8
-#Para filtrar por puertos. Pero no queremos todavia
9
-#minPort = 20
10
-#maxPort = 5000
11
-
12
-
13
-def ipConversion(number, position):
14
-    mystr = ''
15
-    ipadd = number.split(".") #Devuelve un arreglo
16
-    for i in range(position+1):
17
-        if i ==position:
18
-            mystr = mystr + ipadd[i]
19
-        else:
20
-            mystr = mystr + ipadd[i] + '.'
21
-    return mystr #devuelve los numeros en notacion string
22
-
23
-
24
-def UltimoAnalisis(flowHash, num):
25
-    dportHash={}
26
-    flow_Counter=0
27
-    for filename in FGlob(classname="all", type="all", start_date=startDate, end_date=endDate, site_config_file="/data/silk.conf", data_rootdir="/data"):
28
-        for rec in silkfile_open(filename, READ):#reading the flow file
29
-            if (':' in str(rec.sip)) or (num != 0 and ipConversion(str(rec.sip), num-1) not in flowHash): #Si en el paso anterior se vio que no
30
-                                                                         #tiene el length de puertos requerido, se ignora
31
-                continue
32
-            else: #agrega a un hash cada puerto con un counter de sus destination ips
33
-                dip = ipConversion(str(rec.dip), num)
34
-                sip = ipConversion(str(rec.sip), num)
35
-                dport= rec.dport
36
-                if sip in dportHash:
37
-                    if dip in dportHash[sip]:
38
-                        if dport in dportHash[sip][dip]:
39
-                            dportHash[sip][dip][dport] += 1
40
-                        else:
41
-                            dportHash[sip][dip][dport] = 1
42
-                    else:
43
-                        dportHash[sip][dip] = {dport : 1}
44
-                else:
45
-                    dportHash[sip] = { dip: {dport: 1} }
46
-
47
-    #print flow_Counter
48
-    return dportHash
49
-
50
-
51
-#main
52
-
53
-myNum = 0
54
-otherHash = {}
55
-while myNum <4: #Se itera las cuatro veces de acuerdo con la notacion de ipv4
56
-    flowHash= UltimoAnalisis(otherHash, myNum)
57
-    otherHash = {} #Se borra el hash para agregar elementos nuevos con la nueva etapa de la busqueda
58
-    for sips in flowHash: #se itera por todos los dip y sus counters o puertos
59
-        for dips, dports in flowHash[sips].items():
60
-            if len(dports) >= 100: #si la cantidad de puertos es mayor o igual a 100, nos interesan
61
-                                    #y por lo tanto se guardan en un hash
62
-                if sips in otherHash:
63
-                    otherHash[sips][dips] = dports
64
-                else:
65
-                    otherHash[sips] = {dips: dports}
66
-    myNum += 1
67
-    print (otherHash)
68
-
69
-
70
-for dips, dports in otherHash.items():
71
-    counter +=1 #para contar los elementos del hash
72
-
73
-print (counter)
1
+#Itera a la vez el sip y el dip y guarda en un hash los puertos
2
+
3
+from silk import *
4
+
5
+
6
+startDate = "2009/04/20"
7
+endDate = "2009/04/22"
8
+#Para filtrar por puertos. Pero no queremos todavia
9
+#minPort = 20
10
+#maxPort = 5000
11
+
12
+
13
+def ipConversion(number, position):
14
+    mystr = ''
15
+    ipadd = number.split(".") #Devuelve un arreglo
16
+    for i in range(position+1):
17
+        if i ==position:
18
+            mystr = mystr + ipadd[i]
19
+        else:
20
+            mystr = mystr + ipadd[i] + '.'
21
+    return mystr #devuelve los numeros en notacion string
22
+
23
+
24
+def UltimoAnalisis(flowHash, num):
25
+    dportHash={}
26
+    flow_Counter=0
27
+    for filename in FGlob(classname="all", type="all", start_date=startDate, end_date=endDate, site_config_file="/data/silk.conf", data_rootdir="/data"):
28
+        for rec in silkfile_open(filename, READ):#reading the flow file
29
+            if (':' in str(rec.sip)) or (num != 0 and ipConversion(str(rec.sip), num-1) not in flowHash): #Si en el paso anterior se vio que no
30
+                                                                         #tiene el length de puertos requerido, se ignora
31
+                continue
32
+            else: #agrega a un hash cada puerto con un counter de sus destination ips
33
+                dip = ipConversion(str(rec.dip), num)
34
+                sip = ipConversion(str(rec.sip), num)
35
+                dport= rec.dport
36
+                if sip in dportHash:
37
+                    if dip in dportHash[sip]:
38
+                        if dport in dportHash[sip][dip]:
39
+                            dportHash[sip][dip][dport] += 1
40
+                        else:
41
+                            dportHash[sip][dip][dport] = 1
42
+                    else:
43
+                        dportHash[sip][dip] = {dport : 1}
44
+                else:
45
+                    dportHash[sip] = { dip: {dport: 1} }
46
+
47
+    #print flow_Counter
48
+    return dportHash
49
+
50
+
51
+#main
52
+
53
+myNum = 0
54
+otherHash = {}
55
+while myNum <4: #Se itera las cuatro veces de acuerdo con la notacion de ipv4
56
+    flowHash= UltimoAnalisis(otherHash, myNum)
57
+    otherHash = {} #Se borra el hash para agregar elementos nuevos con la nueva etapa de la busqueda
58
+    for sips in flowHash: #se itera por todos los dip y sus counters o puertos
59
+        for dips, dports in flowHash[sips].items():
60
+            if len(dports) >= 100: #si la cantidad de puertos es mayor o igual a 100, nos interesan
61
+                                    #y por lo tanto se guardan en un hash
62
+                if sips in otherHash:
63
+                    otherHash[sips][dips] = dports
64
+                else:
65
+                    otherHash[sips] = {dips: dports}
66
+    myNum += 1
67
+    print (otherHash)
68
+
69
+
70
+for dips, dports in otherHash.items():
71
+    counter +=1 #para contar los elementos del hash
72
+
73
+print (counter)

+ 14
- 15
Programas/erase.py Zobrazit soubor

@@ -1,19 +1,18 @@
1 1
 
2
-flowHash = {'hola':{'wassup':{'bleh':9000, 'hi':9000}}}
3
-sip = 'hola'
4
-dip = 'wassup'
5
-dport = 90
6
-otherHash = {}
7 2
 
8
-for sips in flowHash: #se itera por todos los dip y sus counters o puertos
9
-    for dips, dports in flowHash[sips].items():
10
-        if len(dports) >= 1: #si la cantidad de puertos es mayor o igual a 100, nos interesan
11
-                                #y por lo tanto se guardan en un hash
12
-            print len(dports)
13
-            if sips in otherHash:
14
-                otherHash[sips][dips] = dports
3
+hash = {"123": {"hola":{"wassup":9}}}
4
+sip = "123"
5
+dip = "hola"
6
+dport = "wassup"
15 7
 
16
-            else:
17
-                otherHash[sips] = {dips: dports}
8
+if not hash.get(sip):
9
+    hash[sip] = {dip :{ dport: 5}}
10
+if not hash.get(sip).get(dip):
11
+    hash[sip][dip] = {dport:1}
12
+    print "hola"
13
+if not hash.get(sip).get(dip).get(dport):
14
+    hash[sip][dip][dport] = 7
15
+else:
16
+    hash[sip][dip][dport] +=1
18 17
 
19
-print otherHash
18
+print hash