123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217 |
- #Version 2 #Itera por sip /16 y cuenta numero de puertos por cada dip
- #hello
-
-
- from silk import *
-
- global_num = 2 #posicion del subnetwork. 1 implica A.x.x.x, 2 implica A.B.x.x, etc.
-
- #funcion que recibe un string del ip address y devuelve otro string hasta el subnetwork
- #que indica el numero de posicion
- def ipConversion(number, position):
- mystr = '.'
- ipadd = number.split(".")
- return mystr.join(ipadd[:position])
-
- #Esta funcion recorre la lista de flows, las manda por la funcion de Filter para verificar
- #que sean puertos no comunes, luego guarda una lista de esos flows especificos en un file
- #y devuelve un hash de los flows filtrados.
- def FilterBySIP(flows, flowHash, num):
-
- fc = 0
- dportHash = {}
-
- fdout = open("tmpfile%s" % num, "w")
-
- for filename in flows:
- for rec in silkfile_open(filename, READ):#reading the flow file
- fc += 1
- if (':' in str(rec.sip)) or (num > global_num and ipConversion(str(rec.sip), num) not in flowHash): #Si en el paso anterior se vio que no
- continue
- dip = str(rec.dip)
- sip = str(rec.sip)
- dport= rec.dport
- sport= rec.sport
-
- Filter(fdout, ipConversion(sip, num+1), dip, sport, dport, dportHash)
- fdout.write("%s:%s:%s:%s\n" % (sip, dip, sport, dport))
-
- # print fc
- fdout.close()
- return dportHash
-
- #Esta funcion recorre la lista de flows guardados en el file creado en el step anterior,
- #verifica que esten en el hash creado en el step anterior, las manda por la funcion de Filter para verificar
- #que sean puertos no comunes, luego guarda una lista de esos flows especificos en un file
- #y devuelve un hash de los flows filtrados.
- def FilterBySIPTMP(flowHash, num):
-
- dportHash = {}
-
- fdout = open("tmpfile%s" % num, "w")
-
- with open("tmpfile%s" % (num - 1), "r") as f:
- for flow in f:
- sip, dip, sport, dport = flow.split(":")
- #print ipConversion(sip, num)
- sport = int(sport)
- dport = int(dport)
- if ipConversion(sip, num) not in flowHash:
- continue
- Filter(fdout, ipConversion(sip, num+1), dip, sport, dport, dportHash)
- fdout.write("%s:%s:%s:%s\n" % (sip, dip, sport, dport))
- fdout.close()
- return dportHash
-
- #argumentos consisten del file con los flows, source y destination ip y puertos y
- #un hash vacio para guardar los source ips con la lista de puertos a donde se conecta
- #la funcion verifica que los puertos no sean puertos comunes, para asi agregar el flow al hash
- def Filter(fd, sip, dip, sport, dport, dportHash):
-
- if dport > 1024 and (sport <= 1024 or (sport >= 8000 and sport < 9000)):
- return
- if sip in dportHash:
- # if dip in dportHash[sip]["dips"]:
- # dportHash[sip]["dips"][dip] += 1
- # else:
- # dportHash[sip]["dips"][dip] = 1
- if dport in dportHash[sip]["dports"]:
- dportHash[sip]["dports"][dport] += 1
- #return
- else:
- dportHash[sip]["dports"][dport] = 1
- else:
- dportHash[sip] = {"dports": {}}
- dportHash[sip]["dips"] = {}
- #fd.write("%s:%s:%s:%s\n" % (sip, dip, sport, dport))
-
- def FilterBySIPFull(flowHash, num):
- flow_Counter=0
- dportHash = {}
-
- for filename in FGlob(type="all", start_date=startDate, end_date=endDate, site_config_file="/etc/silk/conf-v9/silk.conf", data_rootdir="/home/scratch/flow/rwflowpack/"):
-
- for rec in silkfile_open(filename, READ):#reading the flow file
- if (':' in str(rec.sip)) or (num > global_num and ipConversion(str(rec.sip), num) not in flowHash): #Si en el paso anterior se vio que no
- continue
- dip = str(rec.dip)
- sip = ipConversion(str(rec.sip), num+1)
- dport= rec.dport
- if sip in dportHash:
- if dip in dportHash[sip]:
- if dport in dportHash[sip][dip]:
- dportHash[sip][dip][dport] += 1
- else:
- dportHash[sip][dip][dport] = 1
- else:
- dportHash[sip][dip] = {dport : 1}
- else:
- dportHash[sip] = { dip: {dport: 1} }
-
- return dportHash
-
- #Hace lo mismo que la funcion FilterBySIPTMP, lo unico que esta vez no hace falta verificar los puertos
- #y ademas crea otro hash de los source ips con sus destination ips con sus puertos
- def last_step(flowHash, num):
- dportHash = {}
-
- with open("tmpfile%s" % (num), "r") as f:
- for flow in f:
- sip, dip, sport, dport = flow.split(":")
- sport = int(sport)
- dport = int(dport)
- if (':' in sip) or (num > global_num and sip not in flowHash):
- print sip
- print "Do we ever enter here?"
- continue
- if sip in dportHash:
- if dip in dportHash[sip]:
- if dport in dportHash[sip][dip]:
- dportHash[sip][dip][dport] += 1
- else:
- dportHash[sip][dip][dport] = 1
- else:
- dportHash[sip][dip] = {dport : 1}
- else:
- dportHash[sip] = { dip: {dport: 1} }
- return dportHash
-
- #Funcion que verifica que el total de puertos por cada source ip con su destination ip
- #sea mayor que 100. Devuelve un hash con los flows filtrados.
- def filter_laststep(flowhash):
- otherhash ={}
-
- for sips in flowhash: #se itera por todos los dip y sus counters o puertos
- for dips, dports in flowhash[sips].items():
- #print "Filter", len(dports)
- if len(dports) >= 100: #si la cantidad de puertos es mayor o igual a 100, nos interesan
- #y por lo tanto se guardan en un hash
- if sips in otherhash:
- otherhash[sips][dips] = dports
- else:
- otherhash[sips] = {dips: dports}
- return otherhash
-
-
-
- def main():
- #variable del intervalo de los flows a verificar
- startDate = "2018/08/01"
- endDate = "2018/08/31"
-
- myNum = global_num #variable que dicta la posicion del subnetwork
-
- #lista de flows total
- flows = FGlob(type="all", start_date=startDate, end_date=endDate, site_config_file="/etc/silk/conf-v9/silk.conf", data_rootdir="/home/scratch/flow/rwflowpack/")
-
- otherHash = {}
-
- flowHash = FilterBySIP(flows, otherHash, myNum) #hash de todos los sourceip en el subnetwork de posicion myNum con sus puertos
-
- print "Before thresh 1", len(flowHash)
-
- #Verifica source ips sospechosos por cantidad de puertos conectados
- #devuelve hash con los source ips filtrados
- for sip in flowHash:
- if len(flowHash[sip]["dports"]) >= 100:
- otherHash[sip] = flowHash[sip]
-
- print "After thresh 1", len(otherHash)
-
-
- while myNum <3:
-
- flowHash= FilterBySIPTMP(otherHash, myNum + 1)
-
- #print "Before thresh 2", len(flowHash)
- otherHash = {}
- for sip in flowHash: #se itera por todos los dip y sus counters o puertos
- if len(flowHash[sip]["dports"]) >= 100:
- otherHash[sip] = flowHash[sip]
-
-
- #print "After thresh 2", len(otherHash)
- myNum += 1
-
- final_hash = last_step(otherHash, myNum)
- #print final_hash
- # for sips in final_hash: #se itera por todos los dip y sus counters o puertos
- # for dips, dports in final_hash[sips].items():
- # print "final", len(dports)"
- filtered_final_hash = filter_laststep(final_hash)
-
-
- fc = 0
- fo=0
- for sip in filtered_final_hash:
- fc +=1
- for dip in filtered_final_hash[sip]:
- fo +=1
- #print sip, dip, filtered_final_hash[sip][dip]
- #print (flowHash)
- print fc
- print fo
-
-
- if __name__== "__main__":
- main()