CSLab
/
scan_detector
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Source Code for network and port scanner, TRW algorithm, and reduction method implementations.
6 Commits
1 Branch
Tree: 255dd1a187
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '255dd1a187'
${ noResults }
scan_detector/Programas/Fedora/fedora_code_scanner.py

fedora_code_scanner.py 2.2KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758 
  1. ##########################################################

  2. 

  3. #  NS or PS Verifier

  4. 

  5. # Receives a List of Source IP Addresses, and depending on the

  6. 

  7. #  ratio of dips and dports, classifies the ip address as ps or ns

  8. 

  9. #########################################################

  10. 

  11. 

  12. 

  13. from silk import *

  14. 

  15. 

  16. startDate = "2009/04/20"

  17. endDate = "2009/04/22"

  18. minPort = 20

  19. maxPort = 5000

  20. verifyHash = {}

  21. 

  22. def verify_type():

  23.     dportHash = {} #contains amount of dport per each sip

  24.     for filename in FGlob(classname="all", type="all", start_date=startDate, end_date=endDate, site_config_file="/data/silk.conf", data_rootdir="/data"):

  25.         for rec in silkfile_open(filename, READ):#reading the flow file

  26.             sip = str(rec.sip)

  27.             dip = str(rec.dip)

  28.             if (rec.dport >= 1 and rec.dport < minPort) or rec.dport > maxPort: #verifica que sean puertos validos (creo que se dice asi)

  29.                     continue

  30.             else: #agrega a un hash cada puerto con un counter de sus destination ips

  31.                   if sip in dportHash:

  32.                       if dip in dportHash[sip]:

  33.                           dportHash[sip][dip] += 1

  34.                       else:

  35.                           dportHash[sip][dip] = 1

  36.                   else:

  37.                       dportHash[sip] = { dip: 1 }

  38.     return dportHash

  39. total_dports = 0

  40. total_dips = 0

  41. sipList = ' ' #esta lista viene de los codigos de trw

  42. verifyHash = verify_type()

  43. psList = [] #list of ip adresses of port scanners

  44. nsList = [] #list of ip adresses of network scanners

  45. for sip in verifyHash: #itera por cada ip address y sus puertos

  46.     for i in verifyHash[sip]:

  47.         total_dports = total_dports + verifyHash[sip][i]

  48.     total_dips = len(verifyHash[sip])

  49.     #check if it is network scan or port scan

  50.     #casoA        mas dports que dips por mucho. Que el ratio sea 100:1 o mas

  51.     if total_dports / total_dips >= 5:

  52.             #print ("something suspicious...")

  53.         #print "This IP Adress %s is a Port Scanner "

  54.         psList.append(sip)

  55.     #caso B mas dports que dips pero que el ratio sea 5:1 o menos

  56.     elif total_dports / total_dips <= 5:

  57.         #print "This IP Adress %s is a Network Scanner "

  58.         nsList.append(sip)