- from silk import *
-
# Current reduction step: zero-based index of the last source-address octet
# kept as the key (0 = first octet only). The main loop runs while it is < 4.
myNum = 0
# Prefixes that survived the previous step; empty before the first pass.
sipList = []
# Not read anywhere at module level: AnalisisReduciendo builds its own
# local sip_hash and returns it.
sip_hash = {}
# Date window handed to FGlob as start_date / end_date.
startDate = "2009/04/20"
endDate = "2009/04/22"
# Failed/successful ratio threshold: a source whose ratio stays below p
# (and that has at least one successful connection) is not flagged.
p = 2
- ##################################
-
- # TRW con reduccion #
-
- # Para Silk's Data Set #
-
- #################################
-
-
def ipConversion(number, position):
    """Return the first ``position + 1`` octets of *number* as a dotted string.

    ``number`` is a dotted-decimal address such as ``"10.1.2.3"``; with
    ``position == 1`` the result is ``"10.1"``. A negative ``position``
    yields ``''``. A ``position`` past the last octet raises IndexError,
    exactly as indexing the split list does.
    """
    octets = number.split(".")
    # Joining with '.' reproduces the original "octet, then a dot except
    # after the last selected octet" accumulation.
    return '.'.join(octets[i] for i in range(position + 1))
-
-
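def AnalisisReduciendo(sipList, num):
    """Count failed and successful flows per source-address prefix.

    One TRW reduction step over the SiLK data set: every flow record in
    the files FGlob returns for ``startDate``..``endDate`` is read, and for
    each IPv4 source address the first ``num + 1`` octets (see
    ``ipConversion``) form the key. A flow whose TCP flags contain ``A``
    counts as a successful connection, anything else as a failed one.

    Args:
        sipList: prefixes (``num`` octets long) that survived the previous
            step; when ``num != 0`` a record whose shorter prefix is not in
            this list is skipped. Ignored when ``num == 0``.
        num: zero-based index of the last octet to keep in the key.

    Returns:
        dict mapping prefix -> ``[failed, successful]`` counts.
    """
    # Membership is tested once per flow record; a set makes that O(1)
    # instead of rescanning the list for every record.
    allowed = set(sipList)
    sip_hash = {}
    for filename in FGlob(classname="all", type="all", start_date=startDate, end_date=endDate, site_config_file="/data/silk.conf", data_rootdir="/data"):
        for rec in silkfile_open(filename, READ):
            sip_str = str(rec.sip)
            # Addresses containing ':' (IPv6 text form) are not handled.
            if ':' in sip_str:
                continue
            # The shorter prefix was ruled out in the previous step: skip.
            if num != 0 and ipConversion(sip_str, num - 1) not in allowed:
                continue
            sip = ipConversion(sip_str, num)
            # Any flow carrying the ACK flag, whatever else is set, is taken
            # as a completed connection; all others count as failed attempts.
            if 'A' in str(rec.tcpflags):
                failed, good = 0, 1
            else:
                failed, good = 1, 0
            counts = sip_hash.setdefault(sip, [0, 0])
            counts[0] += failed
            counts[1] += good
    return sip_hash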
-
-
# Main loop: up to four reduction passes, widening the source-address key by
# one octet each time (myNum = 0 .. 3) and keeping only the prefixes that
# still look like scanners for the next pass.
while myNum < 4:
    sip_connections_list = AnalisisReduciendo(sipList, myNum)
    sipList = []
    for sip in sip_connections_list:
        failed, good = sip_connections_list[sip]
        # A source with at least one successful connection is ignored while
        # its failed/successful ratio stays below 1 or below the threshold p
        # (the two original skip branches, merged). Every other source --
        # including any with zero successful connections -- is kept.
        # NOTE(review): the original also tested `good == 0 and failed > 10`
        # before flagging, but its else branch flagged the remaining cases
        # too, so that `> 10` threshold never changes the outcome.
        if good != 0:
            ratio = failed / good
            if ratio < 1 or ratio < p:
                continue
        sipList.append(sip)
    myNum += 1