scan_detector/Programas/Last_work/Filtered_in_Files/bruteforce_filteredbyfiles.py

#Version 2 #Itera por sip /16 y cuenta numero de puertos por cada dip
#hello


from silk import *

global_num = 2 #posicion del subnetwork. 1 implica A.x.x.x, 2 implica A.B.x.x, etc.

#funcion que recibe un string del ip address y devuelve otro string hasta el subnetwork
#que indica el numero de posicion
def ipConversion(number, position):
    mystr = '.'
    ipadd = number.split(".")
    return mystr.join(ipadd[:position])

#Esta funcion recorre la lista de flows, las manda por la funcion de Filter para verificar
#que sean puertos no comunes, luego guarda una lista de esos flows especificos en un file
#y devuelve un hash de los flows filtrados.
def FilterBySIP(flows, flowHash, num):

    fc = 0
    dportHash = {}

    fdout = open("tmpfile%s" % num, "w")

    for filename in flows:
        for rec in silkfile_open(filename, READ):#reading the flow file
		    fc += 1
        	if (':' in str(rec.sip)) or (num > global_num and ipConversion(str(rec.sip), num) not in flowHash): #Si en el paso anterior se vio que no
             		continue
        	dip = str(rec.dip)
        	sip = str(rec.sip)
      		dport= rec.dport
		    sport= rec.sport

		Filter(fdout, ipConversion(sip, num+1), dip, sport, dport, dportHash)
		fdout.write("%s:%s:%s:%s\n" % (sip, dip, sport, dport))

    # print fc
    fdout.close()
    return dportHash

#Esta funcion recorre la lista de flows guardados en el file creado en el step anterior,
#verifica que esten en el hash creado en el step anterior, las manda por la funcion de Filter para verificar
#que sean puertos no comunes, luego guarda una lista de esos flows especificos en un file
#y devuelve un hash de los flows filtrados.
def FilterBySIPTMP(flowHash, num):

    dportHash = {}

    fdout = open("tmpfile%s" % num, "w")

    with open("tmpfile%s" % (num - 1), "r") as f:
    	for flow in f:
            sip, dip, sport, dport = flow.split(":")
            #print ipConversion(sip, num)
            sport = int(sport)
            dport = int(dport)
            if ipConversion(sip, num) not in flowHash:
                continue
            Filter(fdout, ipConversion(sip, num+1), dip, sport, dport, dportHash)
            fdout.write("%s:%s:%s:%s\n" % (sip, dip, sport, dport))
        fdout.close()
    return dportHash

#argumentos consisten del file con los flows, source y destination ip y puertos y
#un hash vacio para guardar los source ips con la lista de puertos a donde se conecta
#la funcion verifica que los puertos no sean puertos comunes, para asi agregar el flow al hash
def Filter(fd, sip, dip, sport, dport, dportHash):

	if dport > 1024 and (sport <= 1024 or (sport >= 8000 and sport < 9000)):
		return
	if sip in dportHash:
#       	if dip in dportHash[sip]["dips"]:
#        	        dportHash[sip]["dips"][dip] += 1
#		else:
#			dportHash[sip]["dips"][dip] = 1
		if dport in dportHash[sip]["dports"]:
               	        dportHash[sip]["dports"][dport] += 1
			#return
               	else:
               		dportHash[sip]["dports"][dport] = 1
     	else:
		dportHash[sip] = {"dports": {}}
		dportHash[sip]["dips"] = {}
	#fd.write("%s:%s:%s:%s\n" % (sip, dip, sport, dport))

def FilterBySIPFull(flowHash, num):
    flow_Counter=0
    dportHash = {}

    for filename in FGlob(type="all", start_date=startDate, end_date=endDate, site_config_file="/etc/silk/conf-v9/silk.conf",  data_rootdir="/home/scratch/flow/rwflowpack/"):

        for rec in silkfile_open(filename, READ):#reading the flow file
                if (':' in str(rec.sip)) or (num > global_num and ipConversion(str(rec.sip), num) not in flowHash): #Si en el paso anterior se vio que no
                        continue
                dip = str(rec.dip)
                sip = ipConversion(str(rec.sip), num+1)
                dport= rec.dport
                if sip in dportHash:
                        if dip in dportHash[sip]:
                                if dport in dportHash[sip][dip]:
                                        dportHash[sip][dip][dport] += 1
                                else:
                                        dportHash[sip][dip][dport] = 1
                        else:
                                dportHash[sip][dip] = {dport : 1}
                else:
                        dportHash[sip] = { dip: {dport: 1} }

    return dportHash

#Hace lo mismo que la funcion FilterBySIPTMP, lo unico que esta vez no hace falta verificar los puertos
#y ademas crea otro hash de los source ips con sus destination ips con sus puertos
def last_step(flowHash, num):
    dportHash = {}

    with open("tmpfile%s" % (num), "r") as f:
    	for flow in f:
            sip, dip, sport, dport = flow.split(":")
            sport = int(sport)
            dport = int(dport)
            if (':' in sip) or (num > global_num and sip not in flowHash):
                print sip
                print "Do we ever enter here?"
                continue
            if sip in dportHash:
                if dip in dportHash[sip]:
                    if dport in dportHash[sip][dip]:
                        dportHash[sip][dip][dport] += 1
                    else:
                        dportHash[sip][dip][dport] = 1
                else:
                        dportHash[sip][dip] = {dport : 1}
            else:
                dportHash[sip] = { dip: {dport: 1} }
        return dportHash

#Funcion que verifica que el total de puertos por cada source ip con su destination ip
#sea mayor que 100. Devuelve un hash con los flows filtrados.
def filter_laststep(flowhash):
    otherhash ={}

    for sips in flowhash: #se itera por todos los dip y sus counters o puertos
        for dips, dports in flowhash[sips].items():
            #print "Filter", len(dports)
            if len(dports) >= 100: #si la cantidad de puertos es mayor o igual a 100, nos interesan
                                    #y por lo tanto se guardan en un hash
                if sips in otherhash:
                    otherhash[sips][dips] = dports
                else:
                    otherhash[sips] = {dips: dports}
    return otherhash



def main():
#variable del intervalo de los flows a verificar
    startDate = "2018/08/01"
    endDate = "2018/08/31"

    myNum = global_num #variable que dicta la posicion del subnetwork

    #lista de flows total
    flows = FGlob(type="all", start_date=startDate, end_date=endDate, site_config_file="/etc/silk/conf-v9/silk.conf",  data_rootdir="/home/scratch/flow/rwflowpack/")

    otherHash = {}

    flowHash = FilterBySIP(flows, otherHash, myNum) #hash de todos los sourceip en el subnetwork de posicion myNum con sus puertos

    print "Before thresh 1", len(flowHash)

    #Verifica source ips sospechosos por cantidad de puertos conectados
    #devuelve hash con los source ips filtrados
    for sip in flowHash:
    	if  len(flowHash[sip]["dports"]) >= 100:
    		otherHash[sip] = flowHash[sip]

    print "After thresh 1", len(otherHash)


    while myNum <3:

        flowHash= FilterBySIPTMP(otherHash, myNum + 1)

        #print "Before thresh 2", len(flowHash)
        otherHash = {}
        for sip in flowHash: #se itera por todos los dip y sus counters o puertos
        	if  len(flowHash[sip]["dports"]) >= 100:
        		otherHash[sip] = flowHash[sip]


        #print "After thresh 2", len(otherHash)
        myNum += 1

    final_hash = last_step(otherHash, myNum)
    #print final_hash
    # for sips in final_hash: #se itera por todos los dip y sus counters o puertos
    #     for dips, dports in final_hash[sips].items():
    #         print "final", len(dports)"
    filtered_final_hash = filter_laststep(final_hash)


    fc = 0
    fo=0
    for sip in filtered_final_hash:
        fc +=1
        for dip in filtered_final_hash[sip]:
            fo +=1
            #print sip, dip, filtered_final_hash[sip][dip]
        #print (flowHash)
    print fc
    print fo


if __name__== "__main__":
  main()