| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191 |
- #Version 2 #Itera por sip /16 y cuenta numero de puertos por cada dip
-
-
-
- from silk import *
-
- startDate = "2018/08/10"
- endDate = "2018/08/15"
-
- #Para filtrar por puertos. Pero no queremos todavia
-
- #minPort = 20
-
- #maxPort = 5000
-
- def ipConversion(number, position):
- mystr = '.'
- ipadd = number.split(".") #Devuelve un arreglo
- return mystr.join(ipadd[:position]) #devuelve los numeros en notacion string
-
-
- def FilterBySIP(flows, flowHash, num):
-
- fc = 0
- dportHash = {}
-
- fdout = open("tmpfile%s" % num, "w")
-
- for filename in flows:
- for rec in silkfile_open(filename, READ):#reading the flow file
- fc += 1
- if (':' in str(rec.sip)) or (num > global_num and ipConversion(str(rec.sip), num) not in flowHash): #Si en el paso anterior se vio que no
- continue
- dip = str(rec.dip)
- sip = str(rec.sip)
- dport= rec.dport
- sport= rec.sport
-
- Filter(fdout, ipConversion(sip, num+1), dip, sport, dport, dportHash)
- fdout.write("%s:%s:%s:%s\n" % (sip, dip, sport, dport))
-
- print fc
- fdout.close()
- return dportHash
-
- def FilterBySIPTMP(flowHash, num):
-
- dportHash = {}
-
- fdout = open("tmpfile%s" % num, "w")
-
- with open("tmpfile%s" % (num - 1), "r") as f:
- for flow in f:
- sip, dip, sport, dport = flow.split(":")
- sport = int(sport)
- dport = int(dport)
-
- if ipConversion(sip, num) not in flowHash:
- continue
- Filter(fdout, ipConversion(sip, num+1), dip, sport, dport, dportHash)
- fdout.write("%s:%s:%s:%s\n" % (sip, dip, sport, dport))
- fdout.close()
- return dportHash
-
- def Filter(fd, sip, dip, sport, dport, dportHash):
-
- if dport > 1024 and (sport <= 1024 or (sport >= 8000 and sport < 9000)):
- return
- if sip in dportHash:
- # if dip in dportHash[sip]["dips"]:
- # dportHash[sip]["dips"][dip] += 1
- # else:
- # dportHash[sip]["dips"][dip] = 1
- if dport in dportHash[sip]["dports"]:
- dportHash[sip]["dports"][dport] += 1
- #return
- else:
- dportHash[sip]["dports"][dport] = 1
- else:
- dportHash[sip] = {"dports": {}}
- dportHash[sip]["dips"] = {}
- #fd.write("%s:%s:%s:%s\n" % (sip, dip, sport, dport))
-
- def FilterBySIPFull(flowHash, num):
-
- flow_Counter=0
-
- dportHash = {}
-
- for filename in FGlob(type="all", start_date=startDate, end_date=endDate, site_config_file="/etc/silk/conf-v9/silk.conf", data_rootdir="/home/scratch/flow/rwflowpack/"):
-
- for rec in silkfile_open(filename, READ):#reading the flow file
- if (':' in str(rec.sip)) or (num > global_num and ipConversion(str(rec.sip), num) not in flowHash): #Si en el paso anterior se vio que no
- continue
- dip = str(rec.dip)
- sip = ipConversion(str(rec.sip), num+1)
- dport= rec.dport
- if sip in dportHash:
- if dip in dportHash[sip]:
- if dport in dportHash[sip][dip]:
- dportHash[sip][dip][dport] += 1
- else:
- dportHash[sip][dip][dport] = 1
- else:
- dportHash[sip][dip] = {dport : 1}
- else:
- dportHash[sip] = { dip: {dport: 1} }
-
- return dportHash
-
- def last_step(flowHash, num):
- dportHash = {}
- with open("tmpfile%s" % (num - 1), "r") as f:
- for flow in f:
- sip, dip, sport, dport = flow.split(":")
- sport = int(sport)
- dport = int(dport)
- if (':' in sip) or (num > global_num and sip not in flowHash):
- continue
- if sip in dportHash:
- if dip in dportHash[sip]:
- if dport in dportHash[sip][dip]:
- dportHash[sip][dip][dport] += 1
- else:
- dportHash[sip][dip][dport] = 1
- else:
- dportHash[sip][dip] = {dport : 1}
- else:
- dportHash[sip] = { dip: {dport: 1} }
- return dportHash
-
- def filter_laststep(flowhash):
- otherHash ={}
- for sips in flowHash: #se itera por todos los dip y sus counters o puertos
- for dips, dports in flowHash[sips].items():
- if len(dports) >= 100: #si la cantidad de puertos es mayor o igual a 100, nos interesan
- #y por lo tanto se guardan en un hash
- if sips in otherHash:
- otherHash[sips][dips] = dports
- else:
- otherHash[sips] = {dips: dports}
- return otherHash
-
- global_num = 2
- myNum = global_num
-
- flows = FGlob(type="all", start_date=startDate, end_date=endDate, site_config_file="/etc/silk/conf-v9/silk.conf", data_rootdir="/home/scratch/flow/rwflowpack/")
-
- otherHash = {}
-
- flowHash = FilterBySIP(flows, otherHash, myNum)
-
- print "Before thresh", len(flowHash)
-
- for sip in flowHash: #se itera por todos los dip y sus counters o puertos
- if len(flowHash[sip]["dports"]) >= 100:
- otherHash[sip] = flowHash[sip]
-
- print "After thresh", len(otherHash)
-
- myNum += 1
-
- while myNum <3: #Se itera las cuatro veces de acuerdo con la notacion de ipv4
-
- flowHash= FilterBySIPTMP(otherHash, myNum)
-
- print "Before thresh", len(flowHash)
- otherHash = {}
- for sip in flowHash: #se itera por todos los dip y sus counters o puertos
- if len(flowHash[sip]["dports"]) >= 100:
- otherHash[sip] = flowHash[sip]
-
-
- print "After thresh", len(otherHash)
- myNum += 1
-
- final_hash = last_step(otherHash, myNum)
- filtered_final_hash = filter_laststep(final_hash)
-
- fc = 0
- #print final_hash
- for sip in filtered_final_hash:
- fc +=1
- for dip in filtered_final_hash[sip]:
-
- print sip, dip, filtered_final_hash[sip][dip]
-
- #print (flowHash)
- print fc
- #for sip in otherHash:
- # print sip, sorted(otherHash[sip]["dports"].keys())
|
