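# Version 2
# Narrows source addresses one octet at a time (the first pass keys on the
# first three octets, the last on full /32 addresses) and, for the sources
# that keep touching many distinct destination ports, reports the per
# destination port counts.  In effect a simple vertical port-scan detector
# over SiLK flow data.
#
# The original file had every function on one physical line; it is
# re-indented here.  Behavioural changes are called out in the docstrings
# (Filter, filter_laststep and the main loop bound).
import os

# Only the three PySiLK names this script uses (the original star-imported
# the whole module, which hid where READ / FGlob / silkfile_open come from).
from silk import FGlob, READ, silkfile_open

startDate = "2018/08/10"
endDate = "2018/08/15"

# Port-range filter; not used yet.
# minPort = 20
# maxPort = 5000

# Octets fixed when the first pass runs.  With 2, the first pass buckets
# sources by their first 3 octets and each later pass adds one more octet.
global_num = 2

# An IPv4 address has four octets; the last narrowing pass keys on all of
# them, so the main loop stops there.
LAST_PASS = 4

# A source (or, in the final report, a source/destination pair) has to touch
# at least this many distinct destination ports to be kept.
PORT_THRESHOLD = 100

# Directory of the intermediate "tmpfile<N>" files.  NOTE(review): the names
# are predictable and the default is the working directory; on a shared
# scratch host run from a private directory (or point this at one created
# with tempfile.mkdtemp) so another local user cannot pre-create or symlink
# the files before the script writes them.
TMP_DIR = "."

SILK_SITE_CONF = "/etc/silk/conf-v9/silk.conf"
SILK_DATA_ROOT = "/home/scratch/flow/rwflowpack/"


def _tmp_path(num):
    """Return the path of the intermediate file written by pass *num*."""
    return os.path.join(TMP_DIR, "tmpfile%s" % num)


def _flow_files():
    """Return the SiLK files of every type for the configured date range."""
    return FGlob(type="all", start_date=startDate, end_date=endDate,
                 site_config_file=SILK_SITE_CONF, data_rootdir=SILK_DATA_ROOT)


def ipConversion(number, position):
    """Return the first *position* dot-separated octets of *number*.

    ``ipConversion("10.1.2.3", 2) == "10.1"``.  With ``position >= 4`` the
    whole address comes back; an IPv6 literal has no dots, so for
    ``position >= 1`` it is returned unchanged -- which is why the callers
    skip addresses containing ':' before relying on this prefix.
    """
    return ".".join(number.split(".")[:position])


def _skip_source(sip, flowHash, num):
    """True when source *sip* (a string) must be ignored in pass *num*.

    IPv6 sources are always skipped (the prefix logic is octet based).
    From the second pass on (num > global_num) a source is only kept if its
    *num*-octet prefix survived the previous pass, i.e. is a key of
    *flowHash*.
    """
    if ':' in sip:
        return True
    return num > global_num and ipConversion(sip, num) not in flowHash


def _parse_flow_line(line):
    """Parse one "sip:dip:sport:dport" line written by an earlier pass.

    Returns ``(sip, dip, sport, dport)`` with both ports as ints.  Raises
    ValueError on a malformed line (wrong field count or non-numeric port),
    exactly as the original tuple unpacking did.
    """
    sip, dip, sport, dport = line.split(":")
    return sip, dip, int(sport), int(dport)


def Filter(fd, sip, dip, sport, dport, dportHash):
    """Account one flow in *dportHash* under the (prefix of the) source *sip*.

    ``dportHash[sip]`` is ``{"dports": {dport: count}, "dips": {}}``; the
    "dips" sub-dict is created for compatibility but never filled (per
    destination accounting happens in last_step instead).

    Flows whose destination port is unprivileged (> 1024) while the source
    port is privileged (<= 1024) or in 8000-8999 are dropped -- presumably
    the server-to-client halves of sessions rather than probes.
    TODO(review): confirm this heuristic matches the site's traffic.

    Fix: the original created the entry for a new *sip* without counting the
    flow's dport, silently losing one port per source; it is counted now.

    *fd* and *dip* are accepted only to keep the call signature; unused.
    """
    if dport > 1024 and (sport <= 1024 or 8000 <= sport < 9000):
        return
    ports = dportHash.setdefault(sip, {"dports": {}, "dips": {}})["dports"]
    ports[dport] = ports.get(dport, 0) + 1


def FilterBySIP(flows, flowHash, num):
    """First pass: read SiLK files, count dports per (num+1)-octet source prefix.

    Every accepted IPv4 flow is also written to tmpfile<num> as
    "sip:dip:sport:dport" so that later passes can re-read it without
    touching the SiLK repository again.

    Parameters:
        flows    -- iterable of SiLK file names (e.g. from FGlob).
        flowHash -- prefixes kept by the previous pass; only consulted when
                    num > global_num.
        num      -- number of octets fixed by the previous pass.

    Returns the per-prefix dict built by Filter and prints the number of
    records read.  The output file is closed even if reading fails.
    """
    fc = 0
    dportHash = {}
    with open(_tmp_path(num), "w") as fdout:
        for filename in flows:
            for rec in silkfile_open(filename, READ):
                fc += 1
                sip = str(rec.sip)
                if _skip_source(sip, flowHash, num):
                    continue
                dip = str(rec.dip)
                sport = rec.sport
                dport = rec.dport
                Filter(fdout, ipConversion(sip, num + 1), dip, sport, dport,
                       dportHash)
                fdout.write("%s:%s:%s:%s\n" % (sip, dip, sport, dport))
    print(fc)
    return dportHash


def FilterBySIPTMP(flowHash, num):
    """Intermediate pass: narrow tmpfile<num-1> by one more source octet.

    Keeps the flows whose *num*-octet source prefix is a key of *flowHash*,
    counts their dports per (num+1)-octet prefix and rewrites the survivors
    to tmpfile<num>.  Returns the per-prefix dict built by Filter.
    """
    dportHash = {}
    with open(_tmp_path(num), "w") as fdout:
        with open(_tmp_path(num - 1), "r") as f:
            for line in f:
                sip, dip, sport, dport = _parse_flow_line(line)
                if ipConversion(sip, num) not in flowHash:
                    continue
                Filter(fdout, ipConversion(sip, num + 1), dip, sport, dport,
                       dportHash)
                fdout.write("%s:%s:%s:%s\n" % (sip, dip, sport, dport))
    return dportHash


def _count(dportHash, sip, dip, dport):
    """Increment ``dportHash[sip][dip][dport]``, creating the levels as needed."""
    ports = dportHash.setdefault(sip, {}).setdefault(dip, {})
    ports[dport] = ports.get(dport, 0) + 1


def FilterBySIPFull(flowHash, num):
    """Single-pass variant: per (num+1)-octet source prefix, per dip, count dports.

    Reads the SiLK repository directly instead of a tmpfile and applies no
    server-reply heuristic.  Not used by the main section; kept for parity
    with the previous version.  Returns ``{prefix: {dip: {dport: count}}}``.
    """
    dportHash = {}
    for filename in _flow_files():
        for rec in silkfile_open(filename, READ):
            sip = str(rec.sip)
            if _skip_source(sip, flowHash, num):
                continue
            _count(dportHash, ipConversion(sip, num + 1), str(rec.dip),
                   rec.dport)
    return dportHash


def last_step(flowHash, num):
    """Final pass: per (sip, dip) count of each dport, read from tmpfile<num-1>.

    By this point the keys of *flowHash* are full addresses, so a source is
    kept when num > global_num only if its full address is listed.  IPv6
    sources are skipped.  Returns ``{sip: {dip: {dport: count}}}``.
    """
    dportHash = {}
    with open(_tmp_path(num - 1), "r") as f:
        for line in f:
            sip, dip, sport, dport = _parse_flow_line(line)
            if (':' in sip) or (num > global_num and sip not in flowHash):
                continue
            _count(dportHash, sip, dip, dport)
    return dportHash


def filter_laststep(flowhash):
    """Keep the (sip, dip) pairs of *flowhash* with >= PORT_THRESHOLD dports.

    Fix: the original iterated the module-level ``flowHash`` instead of its
    ``flowhash`` parameter, so the argument was ignored and the first pass'
    "dports"/"dips" bookkeeping keys leaked into the final report.

    Returns ``{sip: {dip: {dport: count}}}`` restricted to the pairs that
    reach the threshold; sources with no such pair are dropped.
    """
    otherHash = {}
    for sip, dips in flowhash.items():
        kept = dict((dip, dports) for dip, dports in dips.items()
                    if len(dports) >= PORT_THRESHOLD)
        if kept:
            otherHash[sip] = kept
    return otherHash


def _keep_scanners(flowHash):
    """Return the entries of a Filter dict with >= PORT_THRESHOLD distinct dports."""
    return dict((sip, entry) for sip, entry in flowHash.items()
                if len(entry["dports"]) >= PORT_THRESHOLD)


if __name__ == "__main__":
    myNum = global_num
    flows = _flow_files()
    otherHash = {}
    flowHash = FilterBySIP(flows, otherHash, myNum)
    print("Before thresh %d" % len(flowHash))
    otherHash = _keep_scanners(flowHash)
    print("After thresh %d" % len(otherHash))
    myNum += 1
    # Narrow one octet per pass until sources are full /32 addresses.
    # Fix: the previous version stopped at "myNum < 3", so this loop never
    # ran and last_step then compared full addresses against the 3-octet
    # keys of the first pass -- nothing could ever be reported.
    while myNum < LAST_PASS:
        flowHash = FilterBySIPTMP(otherHash, myNum)
        print("Before thresh %d" % len(flowHash))
        otherHash = _keep_scanners(flowHash)
        print("After thresh %d" % len(otherHash))
        myNum += 1
    final_hash = last_step(otherHash, myNum)
    filtered_final_hash = filter_laststep(final_hash)
    fc = 0
    for sip in filtered_final_hash:
        fc += 1
        for dip in filtered_final_hash[sip]:
            print("%s %s %s" % (sip, dip, filtered_final_hash[sip][dip]))
    print(fc)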