def process_UDP_packets(self):
self.fork_database()
while True:
try:
packet = NSD_Packets_Queue.get_UDP_packet()
Source_IP = socket.inet_ntoa(packet[26:30])
Dest_IP = socket.inet_ntoa(packet[30:34])
Source_Port = int.from_bytes(packet[34:36], byteorder='big')
Dest_Port = int.from_bytes(packet[36:38], byteorder='big')
Length = int.from_bytes(packet[38:40], byteorder='big')
Checksum = int.from_bytes(packet[40:42], byteorder='big')
UDP_type = int.from_bytes(packet[42:43], byteorder='big')
Data = packet[42:]
Traffic_CC = self.pcap_type
self.DB.insert_UDP_packet([
Source_IP, Dest_IP, Source_Port, Dest_Port, Length,
Checksum, UDP_type, Data, Traffic_CC
])
NSD_Monitor_Data.increment_total_database_UDP()
except KeyboardInterrupt:
if self.log_level >= vrb.INFO:
self.logger.info('Closing UDP process..')
return
def process_ICMP_packets(self):
self.fork_database()
while True:
try:
packet = NSD_Packets_Queue.get_UDP_packet()
Source_IP = socket.inet_ntoa(packet[26:30])
Dest_IP = socket.inet_ntoa(packet[30:34])
Type = int.from_bytes(packet[34:35], byteorder='big')
Code = int.from_bytes(packet[35:36], byteorder='big')
Checksum = int.from_bytes(packet[36:38], byteorder='big')
Header = int.from_bytes(packet[38:42], byteorder='big')
Payload = int.from_bytes(packet[42:50], byteorder='big')
Traffic_CC = self.pcap_type
self.DB.insert_ICMP_packet([
Source_IP, Dest_IP, Type, Code, Checksum, Header, Payload,
Traffic_CC
])
NSD_Monitor_Data.increment_total_database_ICMP()
except KeyboardInterrupt:
if self.log_level >= vrb.INFO:
self.logger.info('Closing ICMP process..')
return
def process_TCP_packets(self):
self.fork_database()
while True:
try:
packet = NSD_Packets_Queue.get_TCP_packet()
Source_IP = socket.inet_ntoa(packet[26:30])
Dest_IP = socket.inet_ntoa(packet[30:34])
Source_Port = int.from_bytes(packet[34:36], byteorder='big')
Dest_Port = int.from_bytes(packet[36:38], byteorder='big')
Sequence_Number = int.from_bytes(packet[38:42],
byteorder='big')
ACK_Number = int.from_bytes(packet[42:46], byteorder='big')
Flags = int.from_bytes(packet[46:48], byteorder='big')
Window = int.from_bytes(packet[48:50], byteorder='big')
Checksum = int.from_bytes(packet[50:52], byteorder='big')
Urgent_Pointer = int.from_bytes(packet[52:54], byteorder='big')
Data = packet[54:]
Traffic_CC = self.pcap_type
self.DB.insert_TCP_packet([
Source_IP, Dest_IP, Source_Port, Dest_Port,
Sequence_Number, ACK_Number, Flags, Window, Checksum,
Urgent_Pointer, Data, Traffic_CC
])
NSD_Monitor_Data.increment_total_database_TCP()
except KeyboardInterrupt:
if self.log_level >= vrb.INFO:
self.logger.info('Closing TCP process..')
return
def RTP_get_training_datasets(self):
dataset_CC = []
dataset_NCC = []
counter_flows = 0
still_flows = True
flows = self.get_flows('RTP')
while still_flows:
flow = next(flows)
counter_flows += 1
pkts = self.DB.get_RTP_traffic_by_id(flow[0])
if self.log_level >= vrb.INFO_ML:
self.logger.info('Get Training Dataset: {} -> {}'.format(
flow[0], int(flow[2])))
if int(flow[2]) == 1:
dataset_CC.extend(self.get_counter_PDU(pkts))
else:
dataset_NCC.extend(self.get_counter_PDU(pkts))
if self.log_level >= vrb.DEBUG:
self.logger.debug('counter {} | flows {}'.format(
counter_flows, NSD_Monitor_Data.get_total_flows_RTP()))
if counter_flows == NSD_Monitor_Data.get_total_flows_RTP():
still_flows = False
total_len = min(len(dataset_NCC), len(dataset_CC))
return dataset_NCC[:total_len], dataset_CC[:total_len]
def evaluate(self, pcap):
sum_prediction = 0
self.fork_database()
while True:
if self.log_level >= vrb.INFO:
self.logger.info('Evaluate: getting data set...')
flow_info = NSD_Packets_Queue.get_RTP_PDU_Groups()
self.logger.info('Evaluate: predicting for id \'{}\'..'.format(
flow_info[0]))
for feat in flow_info[1]:
sum_prediction += int(
self.CLF.predict(np.array(feat).reshape(1, -1)))
flow_status = NSD_Monitor_Data.get_status_flow_RTP(flow_info[0])
if sum_prediction == 0 and self.log_level == vrb.DEBUG:
if flow_status[0] == vrb.FLOW_FINISHED:
self.logger.info(
'NSD_Flow \'{}\' does not seem to have a network covert channel!'
.format(flow_info[0]))
NSD_Monitor_Data.update_status_flow_RTP(
flow_info[0], [
flow_status[0], vrb.FLOW_ML_FINISHED,
vrb.FLOW_ML_NEGATIVE
])
else:
self.logger.info(
'NSD_Flow \'{}\' does not seem to have a network covert channel... by now'
.format(flow_info[0]))
else:
IP = self.DB.get_RTP_identification_by_id(flow_info[0])
self.logger.critical(
'NETWORK COVERT CHANNEL! With {} MCC metric, Source IP {} and Destination IP {}, RTP'
.format(self.MCC, IP[0], IP[1]))
NSD_Monitor_Data.update_status_flow_RTP(
flow_info[0], [
flow_status[0], vrb.FLOW_ML_FINISHED,
vrb.FLOW_ML_POSITIVE
])
sum_prediction = 0
if pcap:
if self.log_level >= vrb.INFO_ML:
self.logger.info('Dropping temporal database..')
self.DB.drop_database()
self.SQ.put('KILL')
def get_flows(self, prot):
flows_returned = []
while True:
for flow in getattr(NSD_Monitor_Data(), 'get_flows_' + prot)():
if flow not in flows_returned:
flows_returned.append(flow)
yield flow
def process_pcapfile(self):
self.logger.info('Getting packets from file...')
for ts, pkt in self.file:
prot = int.from_bytes(pkt[23:24], byteorder='big')
if prot == 6:
NSD_Packets_Queue.insert_TCP_packet(pkt)
NSD_Monitor_Data.increment_total_received_TCP()
elif prot == 17:
NSD_Packets_Queue.insert_UDP_packet(pkt)
NSD_Monitor_Data.increment_total_received_UDP()
elif prot == 2:
NSD_Packets_Queue.insert_ICMP_packet(pkt)
NSD_Monitor_Data.increment_total_received_ICMP()
else:
NSD_Monitor_Data.increment_total_received_ERROR()
self.logger.info('All packets readed!')
self.SQ.put('PCAP_FINISHED')
if not self.set_analyze:
self.SQ.put('KILL')
def receiver(self):
self.logger.info('Ready to receive packets!')
while True:
try:
packet = self.sock.recv(65565)
prot = int.from_bytes(packet[23:24], byteorder='big')
if prot == 6:
NSD_Packets_Queue.insert_TCP_packet(packet)
NSD_Monitor_Data.increment_total_received_TCP()
elif prot == 17:
NSD_Packets_Queue.insert_UDP_packet(packet)
NSD_Monitor_Data.increment_total_received_UDP()
elif prot == 2:
NSD_Packets_Queue.insert_ICMP_packet(packet)
NSD_Monitor_Data.increment_total_received_ICMP()
else:
NSD_Monitor_Data.increment_total_received_ERROR()
except KeyboardInterrupt:
if self.log_level >= vrb.INFO:
self.logger.info('Closing sockets...')
return
def get_flow_UDP(self, tagged):
self.fork_database()
if self.log_level >= vrb.INFO:
self.logger.debug('get_flow_UDP: get packets from database..')
flows = self.get_flows('UDP', tagged)
while True:
flow = next(flows)
# flow_id will be the objectID assigned by the database of the first packet inserted
# The database will ensure it's the only one
flow_id = str(flow[0]['_id'])
# Update the status dict
if NSD_Monitor_Data.get_status_flow_UDP(flow_id) is None:
flow_status = int(flow[0]['cc'])
NSD_Monitor_Data.update_status_flow_UDP(flow_id, flow_status)
# Update counters
NSD_Monitor_Data.update_counter_flow_UDP(flow_id, len(flow))
NSD_Monitor_Data.update_counter_flows_UDP()
def control_RTP_flows(self):
self.fork_database()
if self.log_level >= vrb.INFO:
self.logger.debug('control_RTP_flows: starting..')
flows = self.get_flows('RTP', tagged)
while True:
flow = next(flows)
flow_id = str(flow[0]['_id'])
if self.log_level >= vrb.DEBUG:
self.logger.debug(
'NSD_Flow: RTP: flow id {}, category {}'.format(
flow_id, flow[0]['cc']))
flow_status = NSD_Monitor_Data.get_status_flow_RTP(flow_id)
if flow_status[0] == FLOW_FINISHED and status[
1] == FLOW_ML_FINISHED:
if self.log_level >= vrb.INFO:
self.logger.debug(
'NSD_Flow: control RTP: flow id {} to be deleted'.
format(flow_id))
def get_flow_RTP(self, tagged):
self.fork_database()
if self.log_level >= vrb.INFO:
self.logger.debug('get_flow_RTP: get packets from database..')
flows = self.get_flows('RTP', tagged)
while True:
flow = next(flows)
# flow_id will be the objectID assigned by the database of the first packet inserted
# The database will ensure it's the only one
flow_id = str(flow[0]['_id'])
rt_counter = len(flow)
if self.log_level >= vrb.DEBUG:
self.logger.debug(
'NSD_Flow: get RTP: flow id {}, category {}'.format(
flow_id, flow[0]['cc']))
# Update the status dict
flow_status = NSD_Monitor_Data.get_status_flow_RTP(flow_id)
if flow_status is None:
#flow_status = int(flow[0]['cc'])
NSD_Monitor_Data.update_status_flow_RTP(
flow_id, [
vrb.FLOW_UPDATING, vrb.FLOW_ML_NOT_STARTED,
vrb.FLOW_ML_SUSPECT
])
else:
if flow_status[0] == vrb.FLOW_FINISHED and flow_status[
1] == vrb.FLOW_ML_FINISHED:
NSD_Monitor_Data.delete_flow_RTP(flow_id)
elif flow_status[0] == vrb.FLOW_UPDATING:
if rt_counter == NSD_Monitor_Data.get_counter_flow_RTP(
flow_id):
NSD_Monitor_Data.update_status_flow_RTP(
flow_id, [
vrb.FLOW_FINISHED, flow_status[1],
flow_status[2]
])
else:
# Update counters
NSD_Monitor_Data.update_counter_flow_RTP(
flow_id, rt_counter)
NSD_Monitor_Data.update_counter_flows_RTP()