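##########################################################
# NS or PS Verifier
# Reads the SiLK flow records for a date range, counts flow
# records per source IP -> destination IP, and depending on the
# ratio of flows to distinct destinations classifies each
# source IP as a port scanner (ps) or a network scanner (ns).
#########################################################
from silk import FGlob, silkfile_open, READ

startDate = "2009/04/20"
endDate = "2009/04/22"
minPort = 20    # dports in 1..minPort-1 are skipped
maxPort = 5000  # dports above this are skipped
psRatio = 5     # flows-per-destination ratio at or above which a sip is a port scanner
verifyHash = {}


def verify_type():
    """Count flow records per source IP and destination IP.

    Walks every flow file returned by FGlob for the configured repository
    between ``startDate`` and ``endDate`` and, for each record whose
    destination port survives the ``minPort``/``maxPort`` filter,
    increments a counter for the (sip, dip) pair.

    Returns:
        dict mapping ``str(sip)`` -> {``str(dip)``: number of flow records}.
        Despite the historical name ``dportHash`` this counts flow
        records per destination IP, not distinct destination ports.
    """
    dportHash = {}
    for filename in FGlob(classname="all", type="all",
                          start_date=startDate, end_date=endDate,
                          site_config_file="/data/silk.conf",
                          data_rootdir="/data"):
        # Read each flow file record by record.
        for rec in silkfile_open(filename, READ):
            dport = rec.dport
            # Keep only destination ports in the interesting range.
            # NOTE(review): dport 0 is not rejected by this condition (the
            # original filter is kept as-is) — confirm whether that is
            # intended, e.g. for records whose dport field carries ICMP type/code.
            if (1 <= dport < minPort) or dport > maxPort:
                continue
            sip = str(rec.sip)
            dip = str(rec.dip)
            # Per-sip dictionary of destination IP -> flow record count.
            perDip = dportHash.setdefault(sip, {})
            perDip[dip] = perDip.get(dip, 0) + 1
    return dportHash


total_dports = 0
total_dips = 0
sipList = ' '  # this list comes from the trw code (not used here)
verifyHash = verify_type()
psList = []  # source IPs classified as port scanners
nsList = []  # source IPs classified as network scanners
for sip in verifyHash:
    # Per-sip totals: the flow count must be recomputed for every source IP;
    # previously it accumulated across sips, so earlier sips' flows inflated
    # the ratio of every later one.
    total_dports = sum(verifyHash[sip].values())
    total_dips = len(verifyHash[sip])
    # Many flows concentrated on few destinations -> port scanner;
    # otherwise (ratio below psRatio) -> network scanner.
    # NOTE(review): the original comment described the port-scan threshold
    # as 100:1, but the code has always compared against 5 — confirm the
    # intended value.
    if total_dports / total_dips >= psRatio:
        psList.append(sip)
    else:
        nsList.append(sip)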