CSLab
/
scan_detector
Sledovat 1
Oblíbit 0
Rozštěpit 0
Zdrojový kód Úkoly 0 Požadavky na natažení 0 Vydání 0 Wiki Activity
Source Code for network and port scanner, TRW algorithm, and reduction method implementations.
5 Revize
1 Větev
Strom: 28c244f064
scan_detector/Programas/Fedora/fedora_code_trw.py

fedora_code_trw.py 2.6KB
Historie Surový

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859 
  1. ##################################

  2. #   TRW sin reduccion           #

  3. #      Para Silk's Data Set     #

  4. ################################

  5. 

  6. 

  7. 

  8. from silk import *

  9. startDate = "2009/04/20"

  10. endDate = "2009/04/22"

  11. p = 2

  12. 

  13. def Analisis():

  14.     counter = 0 # borrar luego

  15.     sampleHash={} #hash para contener los dip con el numero de conecciones y failed coneccciones

  16.     flow_counter = 0

  17.     for filename in FGlob(classname="all", type="all", start_date=startDate, end_date=endDate, site_config_file="/data/silk.conf", data_rootdir="/data"):

  18.         for rec in silkfile_open(filename, READ):#reading the flow file

  19.             flow_counter += 1

  20.             if (':' in str(rec.sip)):

  21. 				continue

  22. 	    	else:

  23.             	connection = [0] * 2 #Lista para contener los valores de conecciones failed y conecciones buenas

  24.             	sip = str(rec.sip) #Devuelve el ip en notacion punto-decimal

  25.             	flags = str(rec.tcpflags)

  26.             #print sip, flags

  27. 	    #counter +=1

  28.             	if 'A' in flags: ####arreglar

  29.                 	connection[1]=1 #good conections

  30.                 else:

  31.                 	connection [0] =1 #failed conections

  32.             	if sip in sampleHash:

  33. 	                sampleHash[sip][0]+= connection[0]

  34. 	                sampleHash[sip][1]+= connection[1]

  35.             	else:

  36.                 	sampleHash[sip] = [connection[0], connection[1]]

  37. 	    #print sampleHash

  38.     #print flow_counter

  39.     return sampleHash

  40. 

  41. sip_connections_list = Analisis()

  42. #print sip_connections_list

  43. sipList = []

  44. for sip in sip_connections_list:

  45.           if (sip_connections_list[sip][1] != 0) and ((sip_connections_list[sip][0] / sip_connections_list[sip][1])  < 1) : #si la cantidad de succesful

  46.                                 #b                #g                    #connections es mas que failed connections

  47.                       #not scanner, ignore

  48.                       continue

  49.           elif (sip_connections_list[sip][1] != 0) and ((sip_connections_list[sip][0] / sip_connections_list[sip][1])  < p): #mas failed que succesful, pero no llega al threshold

  50.                       #not scanner, ignore

  51.                       continue                          #se debe tener en cuenta que es suspicious pero no taaanto

  52.           elif (sip_connections_list[sip][1] == 0 and sip_connections_list[sip][0] > 10): #el ratio de failed a succesful llega al threshold pautado

  53.                             #scanner, oh oh

  54.                     sipList.append(sip)

  55.           else:

  56.                             #scanner, oh oh

  57.                     sipList.append(sip)

  58. 

  59. #print len(sipList)