Beispiel #1
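def snort_flow_alert():
    """Build flow alerts from the Snort alert database against the stored baseline.

    Opens a connection via ``dboperate.snortdb_connect()``, loads every row of
    ``IDS_flow_baseline``, fetches the distinct alert links with
    ``query_alert`` and hands both to ``generate_flowalert``; each entry it
    yields becomes an ordered record with keys ip1, ip2, proto, msg, count,
    the addresses rendered as dotted-quad strings.

    Returns:
        list of collections.OrderedDict, one per flow alert, in the order
        ``generate_flowalert`` produced them.

    NOTE(review): ``current_flow`` is handed to ``generate_flowalert`` but
    nothing is ever added to it in this listing, and the per-link
    ``count``/``proto`` values are computed and dropped; the lines that
    filled it were evidently lost, so that part is left as found.
    """
    conn_db = dboperate.snortdb_connect()
    cur_db = conn_db.cursor()
    try:
        iplinks = query_alert(cur_db)
        cur_db.execute("select * from IDS_flow_baseline")
        flow_baseline = cur_db.fetchall()

        current_flow = []
        for link in iplinks:
            ip1 = link['ip_src']
            ip2 = link['ip_dst']
            sig_name = link['sig_name']
            proto = sig_name.split()[0]  # first word of the rule message names the protocol
            # values are bound as query parameters, never formatted into the SQL text
            values = (ip1, ip2, sig_name)
            cur_db.execute(
                "select count(cid) from acid_event where ip_src=%s and ip_dst=%s and sig_name = %s",
                values)
            count = cur_db.fetchall()[0]['count(cid)']
            # NOTE(review): `proto` and `count` are not used below -- see docstring

        alertflow_list = generate_flowalert(flow_baseline, current_flow)
    finally:
        # fix: neither the cursor nor the connection was released before
        cur_db.close()
        conn_db.close()

    IDS_snort_flow = []
    for alert in alertflow_list:
        # OrderedDict keeps the key order stable so serialised output is reproducible
        record = collections.OrderedDict()
        # addresses are stored as 32-bit integers; htonl + native pack('I')
        # gives network-order bytes for inet_ntoa on either host endianness
        record['ip1'] = socket.inet_ntoa(struct.pack('I', socket.htonl(alert['ip1'])))
        record['ip2'] = socket.inet_ntoa(struct.pack('I', socket.htonl(alert['ip2'])))
        record['proto'] = alert['proto']
        record['msg'] = alert['msg']
        record['count'] = alert['count']
        IDS_snort_flow.append(record)  # fix: the record was built but never collected
    return IDS_snort_flow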
Beispiel #2
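def query_vul_iplinks():
    """Fetch the distinct "...packets" alert links for every IP protocol.

    Runs four queries against the Snort event/iphdr/signature tables, one per
    protocol family, and concatenates the results:
      * TCP  (iphdr.ip_proto = 6)  with the distinct source/destination ports
        from tcphdr aggregated as ip_sport / ip_dport,
      * UDP  (ip_proto = 17) with the same port columns taken from udphdr,
      * ICMP (ip_proto = 1)  without port columns,
      * everything else (ip_proto NOT IN (1, 6, 17)) without port columns.
    Only signatures whose name ends in "packets" are considered and each
    query is grouped by ip_src.  The queries are static text (no caller
    input is interpolated).

    NOTE(review): selecting non-aggregated columns while grouping by ip_src
    relies on MySQL's permissive GROUP BY; a server running with
    ONLY_FULL_GROUP_BY rejects these statements.

    Returns:
        The concatenated rows as returned by ``fetchall()`` (dict rows keyed
        by column name); TCP and UDP rows carry ip_sport/ip_dport, the
        ICMP and "other" rows do not.
    """
    conn_db = dboperate.snortdb_connect()
    cur_db = conn_db.cursor()
    try:
        cur_db.execute("""SELECT DISTINCT ip_src, ip_dst, sig_name,GROUP_CONCAT(DISTINCT tcp_sport) as ip_sport,GROUP_CONCAT(DISTINCT tcp_dport) as ip_dport FROM event INNER JOIN iphdr ON (event.sid=iphdr.sid AND event.cid=iphdr.cid) LEFT JOIN signature on(event.signature=signature.sig_id) LEFT JOIN tcphdr on(event.cid = tcphdr.cid) where iphdr.ip_proto = "6" and sig_name like "%packets" group by ip_src;""")
        tcplinks = cur_db.fetchall()

        cur_db.execute("""SELECT DISTINCT ip_src, ip_dst, sig_name,GROUP_CONCAT(DISTINCT udp_sport) as ip_sport,GROUP_CONCAT(DISTINCT udp_dport) as ip_dport FROM event INNER JOIN iphdr ON (event.sid=iphdr.sid AND event.cid=iphdr.cid) LEFT JOIN signature on(event.signature=signature.sig_id) LEFT JOIN udphdr on(event.cid = udphdr.cid) where iphdr.ip_proto = "17" and sig_name like "%packets" group by ip_src;""")
        udplinks = cur_db.fetchall()

        cur_db.execute("""SELECT DISTINCT ip_src, ip_dst, sig_name FROM event INNER JOIN iphdr ON (event.sid=iphdr.sid AND event.cid=iphdr.cid) LEFT JOIN signature on(event.signature=signature.sig_id)  where iphdr.ip_proto = "1" and sig_name like "%packets" group by ip_src;""")
        icmplinks = cur_db.fetchall()

        cur_db.execute("""SELECT DISTINCT ip_src, ip_dst, sig_name FROM event INNER JOIN iphdr ON (event.sid=iphdr.sid AND event.cid=iphdr.cid) LEFT JOIN signature on(event.signature=signature.sig_id) where ip_proto NOT IN (1,6,17) and sig_name like "%packets" group by ip_src;""")
        other_links = cur_db.fetchall()
    finally:
        # fix: the cursor and connection were never released
        cur_db.close()
        conn_db.close()

    # the all protocol iplinks
    # fix: the original built this value but never returned it (callers
    # assign the result of query_vul_iplinks())
    return tcplinks + udplinks + icmplinks + other_links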
Beispiel #3
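def main():
    """Poll the Snort alert database and print vulnerability alerts as JSON.

    Usage: ``python <script> <interval_seconds>``.  Each cycle clears the
    alert tables, sleeps for the interval so that only fresh events
    accumulate, reads the distinct "...packets" links with
    ``query_vul_iplinks`` and prints the list built by
    ``generate_vul_alert`` as one JSON document.  Runs until interrupted.

    Raises:
        SystemExit: when the interval argument is missing or not an integer.
    """
    if len(sys.argv) < 2:
        sys.exit("usage: %s <interval_seconds>" % sys.argv[0])
    try:
        internal_time = int(sys.argv[1])  # seconds to wait between polls
    except ValueError:
        sys.exit("interval must be an integer number of seconds")

    while True:
        conn_db = dboperate.snortdb_connect()  # connect to the database
        try:
            # Wipes the alert tables at the start of every interval, so only
            # events raised during the sleep below are reported; anything that
            # needs to retain earlier alerts has to consume them before this.
            dboperate.cleartables(conn_db)
        finally:
            # fix: a fresh connection was opened on every cycle and never closed
            conn_db.close()
        time.sleep(internal_time)
        iplinks = query_vul_iplinks()  # get the vul alert information
        # The switch-IP filter (Filter_ip) is disabled in this listing, so the
        # unfiltered links go straight to the generator.  The original passed
        # the name of the filtered list, which was never bound (NameError).
        IDS_snort_vul = generate_vul_alert(iplinks)  # generate the output list
        print(json.dumps(IDS_snort_vul))
        sys.stdout.write("the program of ending time is:")
        print("\n" * 2)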
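def main(argv):
    """Poll the alert database and classify alerts by protocol, forever.

    Args:
        argv: the polling interval in seconds (string or int); stored in the
            module global ``internal_time``.

    Module globals set here for the other functions of the script:
        cur_db: cursor on the Snort database.
        internal_time: polling interval in seconds.
        url_tag: header-style tags ("HOST:", "URI:", ...) -- how they are
            applied is outside this listing.
        gotten_host_url: one accumulator dict per tag.
        exist_protocol: protocol names the classifier recognises.

    NOTE(review): the loop body as listed only computes
    ``flow_alert_output``; the commented-out ``open(...)`` line suggests it
    was written to a file, and no sleep on ``internal_time`` appears, so
    the loop as written re-queries without pausing.  Those lines were not
    recovered and are not reconstructed here.
    """
    conn_db = dboperate.snortdb_connect()
    global cur_db, internal_time, url_tag, gotten_host_url, exist_protocol
    cur_db = conn_db.cursor()
    internal_time = int(argv)
    url_tag = ["HOST:", "URI:", "Allow-Origin:", "Location:"]
    # fix: this list literal was left unclosed in the original (SyntaxError)
    gotten_host_url = [
        {"host_addr": []},
        {"host_uri": []},
        {"Allow-Origin": []},
        {"Location": []},
    ]
    exist_protocol = [u'HTTP', u'DNS', u'SSH', u'TELNET', u'FTP', u'ICMP']
    while True:
        iplinks = query_alert(cur_db)
        flow_alert_output = proto_classify(iplinks)
        #f = open("/home/john/myrules/scripts/alert_output.json",'w')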
Beispiel #5
def main():
    """Entry point: keep turning Snort alerts into two-way flow alerts and print them.

    Reads the polling interval from ``sys.argv[1]`` into the module global
    ``internal_time`` and publishes the database cursor as the global
    ``cur_db`` for the helper functions.  Then loops forever: fetch the
    distinct alerts, build one-way links, merge them into two-way links and
    print the resulting alert dicts as one JSON document.
    """
    global cur_db, internal_time
    connection = dboperate.snortdb_connect()
    cur_db = connection.cursor()
    internal_time = int(sys.argv[1])
    # NOTE(review): internal_time is set but not read by the loop as listed;
    # presumably the pause between polls was dropped from this excerpt.
    while True:
        one_way = generate_singal_link(query_alert(cur_db))
        two_way = flow_one2double_way(one_way)
        print(json.dumps(generate_alertdict(two_way)))
Beispiel #6
def main():
    """Entry point: compare live Snort alerts against the stored flow baseline.

    Loads the ``IDS_flow_baseline`` table once, then loops forever: reads the
    newest event id (``max(cid)`` of ``acid_event``), passes it together with
    the cursor to ``query_alert``, derives flow alerts with
    ``snort_flow_alert`` and prints them.  The cursor is published as the
    module global ``cur_db``.
    """
    global cur_db
    connection = dboperate.snortdb_connect()
    cur_db = connection.cursor()
    cur_db.execute("select * from IDS_flow_baseline")
    flow_baseline = cur_db.fetchall()
    internal_time = int(sys.argv[1])  # NOTE(review): not read by the loop as listed
    while True:
        cur_db.execute("select max(cid) from acid_event;")
        newest_row = cur_db.fetchall()[0]
        # the row is a one-column dict; take its only value
        init_cid = list(newest_row.values())[0]
        print(snort_flow_alert(query_alert(cur_db, init_cid), flow_baseline))
def main():
    """Entry point stub: open the Snort DB connection and set the polling interval.

    Stores ``sys.argv[1]`` (seconds) in the module global ``internal_time``;
    the cursor / max(cid) bookkeeping is left commented out in this listing,
    so the only visible work is the connection and the trailing status line.
    """
    #global conn_db
    conn_db = dboperate.snortdb_connect()  # opened here; nothing in this listing closes it
    #cur_db = conn_db.cursor()
    #result = cur_db.execute("select max(cid) from acid_event;")
    #current_cid = cur_db.fetchall()
    #init_cid = current_cid[0].values()[0]
    #print type(init_cid),init_cid
    global internal_time
    internal_time = int(sys.argv[1])  # polling interval in seconds; raises if missing or non-numeric
    #internal_time = 120
    # trailing comma: no newline, so a timestamp could follow on the same line (not in this listing)
    print "the program of ending time is:",
Beispiel #8
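def snort_vul_alert():
    """Collect the distinct Snort alerts as attacker/victim records.

    Opens the Snort database, fetches the distinct (ip_src, ip_dst, sig_name)
    rows via ``query_alert`` and converts each into an ordered dict with keys
    attacker, victim, proto, msg: the protocol is the first word of the
    signature name and msg its second word.

    Returns:
        list of collections.OrderedDict, one per alert row, in query order.
    """
    conn_db = dboperate.snortdb_connect()
    cur_db = conn_db.cursor()
    try:
        iplinks = query_alert(cur_db)
        IDS_snort_vul = []
        for link in iplinks:
            # addresses are stored as 32-bit integers; htonl + native pack('I')
            # yields network-order bytes for inet_ntoa on either host endianness
            attacker = socket.inet_ntoa(struct.pack('I', socket.htonl(link['ip_src'])))
            victim = socket.inet_ntoa(struct.pack('I', socket.htonl(link['ip_dst'])))
            tokens = link['sig_name'].split()
            # A signature name with fewer than two words used to raise
            # IndexError and abort the whole report; emit an empty field instead.
            proto = tokens[0] if tokens else ''
            msg = tokens[1] if len(tokens) > 1 else ''
            # NOTE(review): as in the original only the second word is kept as
            # the message, so a multi-word message is truncated here.
            record = collections.OrderedDict()  # stable key order for serialised output
            record['attacker'] = attacker
            record['victim'] = victim
            record['proto'] = str(proto)
            record['msg'] = str(msg)
            IDS_snort_vul.append(record)  # fix: the record was built but never collected
    finally:
        # fix: neither the cursor nor the connection was released before
        cur_db.close()
        conn_db.close()
    return IDS_snort_vul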
Beispiel #9
#select count(cid) from acid_event where ip_src='1920103026' and ip_dst='168430600' and sig_name = 'DNS packets';
#select DISTINCT ip_src,ip_dst, sig_name from acid_event;

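class snort_vulalert:
    """Minimal container for a list of alert items built from positional arguments.

    ``self.v`` holds the items in insertion order.
    """
    def __init__(self, *argv):
        self.v = list(argv)

    def __str__(self):
        # fix: the original printed the list and returned None, so str(obj)
        # raised TypeError; __str__ has to return the text.
        return str(self.v)

    def Additems(self, item):
        """Append *item* to the held list.

        NOTE(review): the body of this method was missing from the listing;
        appending is the reading of its name and signature, not recovered code.
        """
        self.v.append(item)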
conn_db = dboperate.snortdb_connect()  # module-level connection opened at import time; nothing in this listing closes it

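def query_alert(conn_db):
    """Return the distinct (ip_src, ip_dst, sig_name) rows of ``acid_event``.

    Args:
        conn_db: an open DB-API connection to the Snort/ACID database; a
            cursor is taken from it and closed again before returning.
            NOTE(review): other listings on this page call
            ``query_alert(cur_db)`` with a cursor -- this variant expects
            the connection.

    Returns:
        The rows exactly as ``cursor.fetchall()`` produced them (dict rows
        keyed by column name in the rest of this code).
    """
    cur_db = conn_db.cursor()
    try:
        cur_db.execute("select DISTINCT ip_src,ip_dst,sig_name from acid_event;")
        iplinks = cur_db.fetchall()
    finally:
        cur_db.close()
    return iplinks  # fix: the original computed the rows but returned None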
IDS_snort_vul = []
# Script-level pass over the alert rows.  `iplinks` has to be bound before
# this point; the query_alert variant above does not return it in this
# listing, and the loop body below ends before the record is finished.
for link in iplinks:
    # integer address -> dotted quad (htonl + native pack gives network order)
    attacker = socket.inet_ntoa(struct.pack('I', socket.htonl(link['ip_src'])))
    victim = socket.inet_ntoa(struct.pack('I', socket.htonl(link['ip_dst'])))
    sig_words = link['sig_name'].split()
    proto = sig_words[0]  # the first word of sig_name names the protocol
    msg = sig_words[1]    # the second word is the alert message
    tempdict = {}
def flow_count():
    conn_db = dboperate.snortdb_connect()
    cur_db = conn_db.cursor()
    #result = cur_db.execute("select count(cid) from event;")
    #current_cid = cur_db.fetchall()
    #print current_cid[0].values()[0]
    #result = cur_db.execute("""select DISTINCT ip_src,ip_dst,sig_name from acid_event where sig_name like %s and cid > %s;""",("%packets",init_cid))
    result = cur_db.execute(
        """SELECT DISTINCT ip_src, ip_dst, sig_name FROM event INNER JOIN iphdr ON (event.sid=iphdr.sid AND event.cid=iphdr.cid) LEFT JOIN signature on(event.signature=signature.sig_id) where sig_name like "%packets";"""

    iplinks = cur_db.fetchall()

    print len(iplinks)
    print iplinks
    print "\n" * 2
    flow_oneway_values = []
    begin_time =
    print "the time of query database is: ", begin_time
    for i in range(len(iplinks)):
        ip1 = iplinks[i]['ip_src']
        ip_src = socket.inet_ntoa(struct.pack('I', socket.htonl(ip1)))
        ip2 = iplinks[i]['ip_dst']
        ip_dst = socket.inet_ntoa(struct.pack(
            'I', socket.htonl(ip2)))  #将十进制转换成ip地址字符串。
        proto = iplinks[i]['sig_name'].split()[0]
        values = (ip1, ip2, iplinks[i]['sig_name'])
        result = cur_db.execute(
            """select count(iphdr.cid) from iphdr LEFT JOIN event on(iphdr.cid = event.cid) LEFT JOIN signature on(event.signature = signature.sig_id) where ip_src=%s and ip_dst=%s and sig_name = %s""",
            values)  #查询包的个数
        count = cur_db.fetchall()[0].values()[0]
        result = cur_db.execute(
            """select sum(iphdr.ip_len) from iphdr LEFT JOIN event on(iphdr.cid = event.cid) LEFT JOIN signature on(event.signature = signature.sig_id) where ip_src=%s and ip_dst=%s and sig_name = %s""",
            values)  #查询流量大小(不算以太网的14个字节)
        ip_packet_len = cur_db.fetchall()
        packet_len = int(
            ip_packet_len[0].values()[0]) + count * 14  #加上以太网的14字节
        packets_persec = round(float(count) / internal_time,
                               3)  #保留3位小数有效位round()
        flow_persec = round(float(packet_len) / internal_time, 3)
        flow_persec = flowunit_convert(flow_persec)
            (ip_src, ip_dst, proto, packets_persec, flow_persec))

    flow_insert_values = flow_one2double_way(flow_oneway_values)
    end_time =
    print "the time of query over is: ", end_time
    print end_time - begin_time

    result = cur_db.execute("select * from IDS_flow_baseline")
    if result != 0:
        dboperate.clearflowtables(conn_db, 'IDS_flow_baseline')

    flow_insert_values_tuple = tuple(flow_insert_values)
    print len(flow_insert_values_tuple)
    print flow_insert_values_tuple
    print "\n" * 2
    result = cur_db.executemany(
        "insert into IDS_flow_baseline(ip_src,ip_dst,proto,packets_persec,flow_persec) values(%s,%s,%s,%s,%s)",