CSLab
/
scan_detector


			
							12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182
							from silk import *

myNum = 0
sipList=[]
sip_hash = {}
startDate = "2009/04/20"
endDate = "2009/04/22"
p = 2
##################################

#   TRW con reduccion           #

#      Para Silk's Data Set     #

#################################


def ipConversion(number, position):
    mystr = ''
    ipadd = number.split(".") #Devuelve un arreglo
    #print ipadd
    for i in range(position+1):
        if i == position:
            #print ipadd[i]
            mystr = mystr + ipadd[i]
        else:
           # print ipadd[i]
            mystr = mystr + ipadd[i] + '.'
    return mystr #devuelve los numeros en notacion string


def AnalisisReduciendo(sipList, num):
    sip_hash = {}
    #print sipList
    flow_counter = 0
    for filename in FGlob(classname="all", type="all", start_date=startDate, end_date=endDate, site_config_file="/data/silk.conf", data_rootdir="/data"):
        for rec in silkfile_open(filename, READ):#reading the flow file
            flow_counter += 1
            if (':' in str(rec.sip)) or (num != 0 and ipConversion(str(rec.sip), num-1) not in sipList):#Si en el paso anterior se vio que no
                                                               #tiene el length de puertos requerido, se ignora
		       continue
            else:
                connection = [0] * 2 #Lista para contener los valores de conecciones fallidas y conecciones buenas
                sip = ipConversion(str(rec.sip), num) #Devuelve el ip en notacion punto-decimal
                flags = str(rec.tcpflags)  #array of all tcp flags that are set
                if 'A' in flags: #if the acknowledge flag is set
                    connection[1]=1 #good conections
                else:
                    connection [0] =1 #failed conections
                if sip in sip_hash: #si sip esta en ratioHash => que posA esta en sampleHash
                                            #por lo tanto ya se puede sumar las conecciones al ratio del dip
                    sip_hash[sip][0]+=connection[0]
                    sip_hash[sip][1] += connection[1]
                else: #si sip no esta en ratioHash tampoco
                    sip_hash[sip] = [connection[0], connection[1]]
                #print sip_hash
    #print flow_counter
    return sip_hash


while myNum <4:
      sip_connections_list = AnalisisReduciendo(sipList, myNum)
      sipList = []
      for sip in sip_connections_list:
          if (sip_connections_list[sip][1] != 0) and ((sip_connections_list[sip][0] / sip_connections_list[sip][1])  < 1) : #si la cantidad de succesful
                                #b                #g                    #connections es mas que failed connections
                      #not scanner, ignore
                      continue
          elif (sip_connections_list[sip][1] != 0) and ((sip_connections_list[sip][0] / sip_connections_list[sip][1])  < p): #mas failed que succesful, pero no llega al threshold
                      #not scanner, ignore
                      continue                          #se debe tener en cuenta que es suspicious pero no taaanto
          elif (sip_connections_list[sip][1] == 0 and sip_connections_list[sip][0] > 10): #el ratio de failed a succesful llega al threshold pautado
                            #scanner, oh oh
                    sipList.append(sip)
          else:
                            #scanner, oh oh
                    sipList.append(sip)
      #print sipList

      #print myNum
      myNum += 1
#print len(sipList)