def only_possible_number(grid, i, j, m, n):
"""
Loops through all squares and checks to see if only 1 number is allowed
"""
must = []
only_possible_number_placed = False
for x in range(1, 10):
if grid[i][j] == 0:
allowed = check_rules(grid, x, i, j, m, n)
if allowed == 1:
must.append([x, [i, j]])
if (len(must) == 1):
row = must[0][1][0]
col = must[0][1][1]
grid[row][col] = must[0][0]
print("{} placed in position {}, {}".format(must[0][0], row, col))
only_possible_number_placed = True
return grid, only_possible_number_placed
def check_files(template, incoming_files):
results = {}
for pattern, filename in template.known_files.items():
regex = re.compile(pattern)
matched = filter(regex.search, incoming_files)
if not matched:
print("No files matched with the regex %s." % pattern)
continue
with xr.open_dataset(filename) as known_dataset:
for f in matched:
with xr.open_dataset(f) as spooky_dataset:
rules = apply_rules(template.rules, known_dataset,
spooky_dataset)
results[f] = ([str(check_rules(rules))] + rules)
return results
def only_possible_squares(x, grid):
"""
Picks a box, loops through all squares looking to see if a number has to go in that square
Picks next box, repeats
"""
only_possible_squares_placed = False
for col_def in [(0, 1, 2), (3, 4, 5), (6, 7, 8)]:
for row_def in [(0, 1, 2), (3, 4, 5), (6, 7, 8)]:
poss_posn = 0
for i in col_def:
for j in row_def:
if (grid[i][j] == 0):
m, n = box_finder(i, j)
allowed = check_rules(grid, x, i, j, m, n)
if allowed == 1:
poss_posn += 1
row = i
col = j
if poss_posn == 1:
grid[row][col] = x
print("{} placed in position {}, {}".format(x, row, col))
only_possible_squares_placed = True
return grid, only_possible_squares_placed
def http_start():
_thread.start_new_thread(getPacketDetails,())
GETS=[]
#print("AM AJUNS AICI")
configDetails = readConfig()
ip=get_ip_address(configDetails['interface'])
#ip='kali'
start_http=1
signatures=read_file('signatures')
URLS=[]
URL=''
Cookie=''
GET=[]
db=MySQLdb.connect(host="localhost",user="******",passwd="FlagFlag123.",db="licenta" )
cursor = db.cursor()
last_res=''
global continutPachetAPI
global continutHexAPI
global destinationAPI
global sourceAPI
global cookieAPI
global agentAPI
while(start_http!=0):
#print ("------------------DADADADADADADA")
added=0
added_GET=0
cmd="sudo tcpdump -i "+configDetails['interface']+" -xxv -A -s 0 'tcp dst port http and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' -c 1 2>/dev/null"
print ("HTTP REQUEST SENT")
agent_found = 0
cookie_found = 0
host_found = 0
get_found = 0
founda = 0
cmdout = subprocess.check_output(cmd, shell=True).decode('utf-8')
if "192.168.1.5" not in cmdout:
HOST, continutHexAPI = rules.check_rules('HTTP',cmdout)
sourceAPI = HOST
if check_whitelist(HOST,"./modules/Filters/whitelist_sources.txt") == 0:
result=cmdout.split("\n\t\n\t")[0].split('\n')
continutPachetAPI = cmdout.split("\n\t\n\t")[0]
for i in range(len(result)):
result[i]=result[i].split(': ')
if 'Agent' in result[i][0]:
agentAPI=result[i][1]
if agent_found == 0:
if check_whitelist_user_agent(result[i][1]) == 0:
agent_found = 1
cursor.execute("INSERT INTO alerte (Type,Message,Risk,Source,Destination,Payload,Timestamp) VALUES('HTTP', 'User-Agent!','MEDIUM','"+HOST+"','-','"+result[i][1]+"','"+str(datetime.now())+"')")
#cursor.execute("INSERT INTO alerte (Type,Message,Risk,Source,Destination,Payload,Timestamp) VALUES('HTTP', 'User-Agent!','MEDIUM'"+HOST+"','-','"+"CIOCI"+"','"+str(datetime.now())+"')")
db.commit()
if cookie_found == 0:
if 'Cookie' in result[i][0]:
Cookie=result[i][1]
cookieAPI = Cookie
cookie_found = 1
if host_found == 0:
if 'Host' in result[i][0]:
host_found = 1
URL=result[i][1]
destinationAPI = URL
if get_found == 0:
if 'GET' in result[i][0]:
GET=result[i][0]
try:
GET=GET.split('?')[1].split(' ')[0].split('&')
for i in range(len(GET)):
GET[i]=GET[i].split("=")
get_found = 1
except:
GET=GET.split(' ')
path=[]
path2=[]
for counter in range(len(GET)):
if "HTTP" in GET[counter]:
path.append(GET[counter-1])
path2.append(GET[counter])
if "GET" in str(path):
GET=path2
get_found = 1
else:
GET=path
get_found = 1
stop=0
banana=0
try:
for i in range(len(GETS)):
try:
if GETS[i] == GET[0][1:]:
stop = 1
except:
banana = 0
except:
banana = 1
pass
if banana == 0:
try:
GETS.append(GET[0][1:])
except:
pass
auxiliar_URL=URL.split('.')
new_URL=[]
for i in range(len(auxiliar_URL)-1):
if auxiliar_URL[i]!='www':
new_URL.append(auxiliar_URL[i])
x=check_whitelist('.'.join(new_URL),"./modules/Filters/whitelist.txt")
if x == 0:
ok_http = 0
if URL != '':
try:
if len(GET[0][1:]) > 0:
try:
if verify_encoding(GET[0][1:]) <= 10:
if stop == 0:
if ok_http == 0:
ok_http = 1
print ("ALERT HTTP! UNKNOWN BASE FOUND!!! --> "+ str(GET[0][1:]))
#cursor.execute("INSERT INTO http (ID_event,Name,Alert_Type,Domain,Payload) VALUES('2', 'HTTP', 'UNKNOWN BASE FOUND!!!','"+URL+"','"+GET[0][1:]+"' )")
cursor.execute("INSERT INTO alerte (Type,Message,Risk,Source,Destination,Payload,Timestamp) VALUES('HTTP', 'UNKNOWN BASE FOUND!','MEDIUM','"+HOST+"','"+URL+"','"+GET[0][1:]+"','"+str(datetime.now())+"')")
db.commit()
#print ("AM AJUNS AICI!!!")
except:
pass
except:
print ("UITE AICI E O EROARE SI NU STIU DE CE",str(GET))
pass
if len(URLS) == 0:
x=WEB()
try:
x.add(URL,Cookie,GET,str(int(time.time())))
except:
x.add(URL,Cookie,[],str(int(time.time())))
for count2 in range(len(signatures)):
try:
if founda==0:
if long_to_bytes(signatures[count2]) == base64.b64decode(GET[0]):
if stop == 0:
#print ("ALERT! GET FILE SIGNATURE FOUND AS BASE64! :"+GET[0])
#cursor.execute("INSERT INTO http (ID_event,Name,Alert_Type,Domain,Payload) VALUES('2', 'HTTP', 'GET FILE SIGNATURE FOUND AS BASE64!','"+URL+"','"+GET[0]+"' )")
cursor.execute("INSERT INTO alerte (Type,Message,Risk,Source,Destination,Payload,Timestamp) VALUES('HTTP', 'GET FILE SIGNATURE FOUND AS BASE64!','HIGH','"+HOST+"','"+URL+"','"+GET[0]+"','"+str(datetime.now())+"')")
db.commit()
founda=1
except:
pass
try:
if founda==0:
if signatures[count2] in GET[0]:
if stop == 0:
#print ("ALERT! GET FILE SIGNATURE FOUND AS HEX! :"+GET[0])
#cursor.execute("INSERT INTO http (ID_event,Name,Alert_Type,Domain,Payload) VALUES('2', 'HTTP', 'GET FILE SIGNATURE FOUND AS HEX!','"+URL+"','"+GET[0]+"' )")
cursor.execute("INSERT INTO alerte (Type,Message,Risk,Source,Destination,Payload,Timestamp) VALUES('HTTP', 'GET FILE SIGNATURE FOUND AS HEX!','HIGH','"+HOST+"','"+URL+"','"+GET[0]+"','"+str(datetime.now())+"')")
db.commit()
founda=1
except:
pass
URLS.append(x)
else:
ok=0
for i in range(len(URLS)):
if URL==URLS[i].URL:
for ii in range(len(URLS[i].GET)):
ok3=0
if URLS[i].GET[ii] == GET:
ok3=1
if ok3== 0:
URLS[i].GET.append(GET)
URLS[i].GET_time.append(str(int(time.time())))
for count in range(len(GET)):
if len(GET[count])>15:
if stop == 0:
#print ("ALERT! GET LEN: "+GET[count])
#cursor.execute("INSERT INTO http (ID_event,Name,Alert_Type,Domain,Payload) VALUES('2', 'HTTP', 'GET LENGTH!','"+URL+"','"+GET[count]+"' )")
cursor.execute("INSERT INTO alerte (Type,Message,Risk,Source,Destination,Payload,Timestamp) VALUES('HTTP', 'GET LENGTH > 15','MEDIUM','"+HOST+"','"+URL+"','"+GET[count]+"','"+str(datetime.now())+"')")
db.commit()
break
for count2 in range(len(signatures)):
try:
if founda==0:
if long_to_bytes(signatures[count2] == base64.b64decode(GET[count])):
if stop == 0:
#print ("ALERT! GET FILE SIGNATURE FOUND AS BASE64! :"+GET[count])
#cursor.execute("INSERT INTO http (ID_event,Name,Alert_Type,Domain,Payload) VALUES('2', 'HTTP', 'GET FILE SIGNATURE FOUND AS BASE64!','"+URL+"','"+GET[count]+"' )")
cursor.execute("INSERT INTO alerte (Type,Message,Risk,Source,Destination,Payload,Timestamp) VALUES('HTTP', 'GET FILE SIGNATURE FOUND AS BASE64!','HIGH','"+HOST+"','"+URL+"','"+GET[count]+"','"+str(datetime.now())+"')")
db.commit()
founda=1
except:
pass
if founda==0:
if signatures[count2] == GET[count]:
if stop == 0:
#print ("ALERT! GET FILE SIGNATURE FOUND AS HEX! :"+GET[count])
#cursor.execute("INSERT INTO http (ID_event,Name,Alert_Type,Domain,Payload) VALUES('2', 'HTTP', 'GET FILE SIGNATURE FOUND AS HEX!','"+URL+"','"+GET[count]+"' )")
cursor.execute("INSERT INTO alerte (Type,Message,Risk,Source,Destination,Payload,Timestamp) VALUES('HTTP', 'GET FILE SIGNATURE FOUND AS HEX!','HIGH','"+HOST+"','"+URL+"','"+GET[count]+"','"+str(datetime.now())+"')")
db.commit()
founda=1
#print ("AM AJUNS LA COOKIES")
#print (URLS[i].adds)
for ii in range(len(URLS[i].Cookies)):
ok2=0
if URLS[i].Cookies[ii] == Cookie:
ok2=1
if ok2 == 0:
URLS[i].Cookies.append(Cookie)
URLS[i].adds+=1
if URLS[i].adds>2:
#print ("ALERT! MULTIPLE COOKIES SENT TO "+ URLS[i].URL)
#cursor.execute("INSERT INTO http (ID_event,Name,Alert_Type,Domain,Payload) VALUES('2', 'HTTP', 'MULTIPLE COOKIES SENT','"+URL+"','"+URLS[i].URL+"' )")
cursor.execute("INSERT INTO alerte (Type,Message,Risk,Source,Destination,Payload,Timestamp) VALUES('HTTP', 'MULTIPLE COOKIES SENT','HIGH','"+HOST+"','"+URLS[i].URL+"','"+Cookie+"','"+str(datetime.now())+"')")
db.commit()
print ("COOKIE COMMITED")
ok=1
if ok==0:
x=WEB()
try:
x.add(URL,Cookie,GET,str(int(time.time())))
except:
x.add(URL,Cookie,[],str(int(time.time())))
URLS.append(x)
for i in range(len(URLS)):
pass
def test_all_rights_without_set_card_strictly_false():
user = User(all_rights_without_set_card)
assert check_rules(rules_array, user, strictly=False) == True
def test_all_rights_strictly_false():
user = User(all_rights)
assert check_rules(rules_array, user, strictly=False) == True
def test_root_rights_only_strictly_false():
user = User(root_rights_only)
assert check_rules(rules_array, user, strictly=False) == True
def test_root_rights_only():
user = User(root_rights_only)
assert check_rules(rules_array, user) == False
def test_all_rights():
user = User(all_rights)
assert check_rules(rules_array, user) == True
def test_one_not_valid_rights():
user = User(one_not_valid_rights)
assert check_rules(rules_array, user) == False
def dns_start():
_thread.start_new_thread(getPacketDetails, ())
dns_time = []
times = []
SUBD = []
puncte = 0
db = MySQLdb.connect(host="localhost",
user="******",
passwd="FlagFlag123.",
db="licenta")
cursor = db.cursor()
configDetails = readConfig()
ip = get_ip_address(configDetails['interface'])
tld = read_file('TLD')
signatures = read_file('signatures')
database = []
global start_dns
start_dns = 1
global continutPachetAPI
global continutHexAPI
global destinationAPI
global sourceAPI
global subdomainAPI
while (start_dns != 0):
#try:
#cmd="-xxv -i "+configDetails['interface']+" -c1 -l -v -n -t port 53 2>/dev/null"
ok_txt = 0
puncte = 0
#result = subprocess.check_output(cmd, shell=True).decode('utf-8')
result = []
nr_magic = 0
last = 'a'
last_last = ''
last_ML = 'a'
last_last_ML = ''
p = subprocess.Popen(
('sudo', 'tcpdump', '-l', '-xxv', 'port 53', '-n', '-v', '-t'),
stdout=subprocess.PIPE,
stderr=subprocess.DEVNULL)
for row in iter(p.stdout.readline, b''):
if len(result) > 0:
if row.strip().decode()[0] == 'I' and row.strip().decode(
)[1] == 'P':
result = '\n'.join(result)
for_check = result
print("AICI E FORCHECK", for_check)
HOST, continutHexAPI = rules.check_rules('DNS', for_check)
continutPachetAPI = result.split('\n\t')[0]
if check_whitelist(
HOST,
"./modules/Filters/whitelist_sources.txt") == 0:
sourceAPI = HOST
result = result.split('\n\t')[0].replace('\t', '')
#try:
result = result.split('\n')
flag = result[0].split('[')[1].split(']')[0]
for i in range(len(result)):
res = result[i].split(' ')
for j in range(len(res)):
if res[j].replace('?', '') == 'TXT':
ok_txt = 1
if res[j].count('.') > 2:
url = res[j].split('.')
if res[j].count('.') == 2:
puncte = 1
#print ("FLAG:",flag)
passed = 0
if flag == 'none':
try:
for i in range(len(result)):
scan_url = result[i].replace('\t',
'').split(' ')
for j in range(len(scan_url) - 1):
if scan_url[j] == '>':
url = scan_url[j + 1]
payload = result[1].split('?')[1].split(' ')[1]
if 'addr' not in payload:
if len(url[len(url) - 2]) > 0:
if payload.count('.') < 2:
if len(payload) > 0:
raspuns_ML = predict.check_model_3(
payload)
if (raspuns_ML == 1):
print(
"SUBDOMENIU OK",
payload)
else:
print(
"SUBDOMENIU MALITIOS",
payload)
if payload != last_ML:
cursor.execute(
"INSERT INTO alerte (Type,Message,Risk,Source,Destination,Payload,Timestamp) VALUES('Machine Learning', 'DNS - DIG EXFILTRATION','HIGH','"
+ HOST + "','" +
url[:-4] + "','" +
payload + "','" +
str(datetime.now())
+ "')")
db.commit()
last_last_ML = last_ML
last_ML = payload
subdomainAPI = payload
cursor.execute(
"INSERT INTO alerte (Type,Message,Risk,Source,Destination,Payload,Timestamp) VALUES('DNS', 'DIG EXFILTRATION','HIGH','"
+ HOST + "','" + url[:-4] +
"','" + payload + "','" +
str(datetime.now()) + "')")
db.commit()
passed = 1
else:
url = payload.split('.')
except:
pass
try:
url.remove("www")
except:
pass
if passed == 0:
nope = 0
if puncte == 0:
if len(url) > 4:
nope = 1
else:
nope = 1
for i in range(len(url)):
if url[i] == None:
del url[i]
bd = url
destinationAPI = '.'.join(url)
exfil_check = 0
exfil_check = check_TLD_exfil(bd, tld, HOST)
if exfil_check == 0:
domain = []
for i in range(len(tld)):
tld[i] = tld[i].lower()
for i in range(len(url)):
for j in range(len(tld)):
try:
if url[i] == tld[j]:
domain.append(url[i])
del url[i]
if url[i] == "www":
del url[i]
del bd[i]
except:
pass
if ok_txt == 1:
cursor.execute(
"INSERT INTO alerte (Type,Message,Risk,Source,Destination,Payload,Timestamp) VALUES('DNS', 'TXT RECORDS','MEDIUM','"
+ HOST + "','" + bd[len(bd) - 2] +
"','-','" + str(datetime.now()) + "')")
db.commit()
if nope == 0:
z = DNS_time(bd[len(bd) - 2], HOST)
dns_ok = 0
if len(dns_time) > 0:
for k in range(len(dns_time)):
if dns_time[k].domain == bd[len(bd)
- 2]:
dns_ok = 1
dns_time[k].add()
if dns_ok == 0:
dns_time.append(z)
else:
dns_time.append(z)
var = check_whitelist(
bd[len(bd) - 2],
"./modules/Filters/whitelist.txt")
DNS_domain = "http://" + bd[
len(bd) - 2] + "." + '.'.join(domain)
cursor3 = db.cursor()
cursor3.execute("SELECT * FROM domains")
data3 = (cursor3.fetchall())
DNS_ok = 0
for i in data3:
if i[1] == DNS_domain:
DNS_ok = 1
break
if DNS_ok == 0:
sql = "INSERT INTO domains (Domains) VALUES('" + DNS_domain + "')"
cursor.execute(sql)
db.commit()
print("AICI E DNSOK", DNS_ok)
if var == 0:
if DNS_ok == 0:
#try:
vt = search_url("http://" +
bd[len(bd) - 2] +
"." +
'.'.join(domain))
for i in vt:
cursor.execute(
"INSERT INTO alerte (Type,Message,Risk,Source,Destination,Payload,Timestamp) VALUES('VirusTotal', '"
+ i[0] + "','HIGH','" +
HOST + "','" +
bd[len(bd) - 2] + "." +
'.'.join(domain) + "','" +
i[2] + "','" +
str(datetime.now()) + "')")
db.commit()
#except:
#print ("PASS BOSS")
#pass
stop = 0
for i in range(len(SUBD)):
if SUBD[i] == bd[0]:
stop = 1
if stop == 0:
SUBD.append(bd[0])
ok = 0
if len(bd) > 2:
for i in range(len(database)):
if (database[i].check(
bd[len(bd) -
2]) == 1):
for j in range(
len(bd) - 2):
subdomainAPI = bd[
j]
if len(bd[j]) > 0:
raspuns_ML = predict.check_model_3(
bd[j])
if (raspuns_ML
== 1):
print(
"SUBDOMENIU OK",
bd[j])
else:
if bd[j] != last_ML:
print(
"SUBDOMENIU MALITIOS",
bd[j]
)
cursor.execute(
"INSERT INTO alerte (Type,Message,Risk,Source,Destination,Payload,Timestamp) VALUES('Machine Learning', 'DNS EXFILTRATION','UNKNOWN','"
+
HOST
+
"','"
+
bd[len(
bd
) -
2]
+
"','"
+
bd[j]
+
"','"
+
str(
datetime
.
now(
)
) +
"')"
)
db.commit(
)
last_last_ML = last_ML
last_ML = bd[
j]
if len(str(bd[j])
) > 10:
#cursor.execute("INSERT INTO dns (ID_event,Name,Alert_Type,Domain,Subdomain) VALUES('1', 'DNS', 'DNS EXFILTRATION LENGTH','"+bd[len(bd)-2]+"','"+bd[j]+"' )")
if bd[j] != last:
cursor.execute(
"INSERT INTO alerte (Type,Message,Risk,Source,Destination,Payload,Timestamp) VALUES('DNS', 'DNS EXFILTRATION LENGTH','HIGH','"
+
HOST +
"','" +
bd[len(
bd)
-
2] +
"','" +
bd[j] +
"','" +
str(datetime
.
now(
))
+ "')")
db.commit()
print(
"ALERT! DNS EXFILTRATION LEN - "
+ str(
len(
str(bd[
j]
)
))
+ " " +
bd[j])
last_last = last
last = bd[
j]
if check_chars(
bd[j]
) == 1:
print(
"ALERT! DNS EXFILTRATION NONASCII CHARS - "
+ bd[j])
#cursor.execute("INSERT INTO dns (ID_event,Name,Alert_Type,Domain,Subdomain) VALUES('1', 'DNS', 'DNS EXFILTRATION NONASCII CHARS','"+bd[len(bd)-2]+"','"+bd[j]+"' )")
if bd[j] != last:
cursor.execute(
"INSERT INTO alerte (Type,Message,Risk,Source,Destination,Payload,Timestamp) VALUES('DNS', 'DNS EXFILTRATION NONASCII CHARS','HIGH','"
+
HOST +
"','" +
bd[len(
bd)
-
2] +
"','" +
bd[j] +
"','" +
str(datetime
.
now(
))
+ "')")
db.commit()
last_last = last
last = bd[
j]
#print verify_encoding(bd[j])
if verify_encoding(
bd[j]
) <= 10:
print(
"ALERT! UNKNOWN BASE FOUND!!! --> "
+ bd[j])
#cursor.execute("INSERT INTO dns (ID_event,Name,Alert_Type,Domain,Subdomain) VALUES('1', 'DNS', 'UNKNOWN BASE FOUND','"+bd[len(bd)-2]+"','"+bd[j]+"' )")
if bd[j] != last:
cursor.execute(
"INSERT INTO alerte (Type,Message,Risk,Source,Destination,Payload,Timestamp) VALUES('DNS', 'UNKNOWN BASE FOUND','HIGH','"
+
HOST +
"','" +
bd[len(
bd)
-
2] +
"','" +
bd[j] +
"','" +
str(datetime
.
now(
))
+ "')")
db.commit()
last_last = last
last = bd[
j]
kappa.add(
bd[j],
int(time.time(
)))
ok = 1
if ok == 0:
#print ("Domain added! "+ bd[len(bd)-2])
kappa = DNS(bd[len(bd) -
2])
for j in range(
len(bd) - 2):
subdomainAPI = bd[j]
kappa.add(
bd[j],
int(time.time()))
if len(bd[j]) > 0:
raspuns_ML = predict.check_model_3(
bd[j])
if (raspuns_ML == 1
):
print(
"SUBDOMENIU OK",
bd[j])
else:
print(
"SUBDOMENIU MALITIOS",
bd[j])
if bd[j] != last_ML:
cursor.execute(
"INSERT INTO alerte (Type,Message,Risk,Source,Destination,Payload,Timestamp) VALUES('Machine Learning', 'DNS EXFILTRATION','UNKNOWN','"
+
HOST +
"','" +
bd[len(
bd)
-
2] +
"','" +
bd[j] +
"','" +
str(datetime
.
now(
))
+ "')")
db.commit()
last_last_ML = last_ML
last_ML = bd[
j]
if len(str(
bd[j])) > 10:
print(
"ALERT! DNS EXFILTRATION LEN - "
+ str(
len(
str(bd[
j])
)))
if bd[j] != last:
cursor.execute(
"INSERT INTO alerte (Type,Message,Risk,Source,Destination,Payload,Timestamp) VALUES('DNS', 'DNS EXFILTRATION LENGTH','HIGH','"
+ HOST +
"','" +
bd[len(bd)
- 2] +
"','" +
bd[j] +
"','" +
str(datetime
.now())
+ "')")
#cursor.execute("INSERT INTO dns (ID_event,Name,Alert_Type,Domain,Subdomain) VALUES('1', 'DNS', 'DNS EXFILTRATION LENGTH','"+bd[len(bd)-2]+"','"+bd[j]+"' )")
db.commit()
last_last = last
last = bd[j]
if check_chars(
bd[j]) == 1:
print(
"ALERT! DNS EXFILTRATION NONASCII CHARS"
+ bd[j])
#cursor.execute("INSERT INTO dns (ID_event,Name,Alert_Type,Domain,Subdomain) VALUES('1', 'DNS', 'DNS EXFILTRATION NONASCII CHARS','"+bd[len(bd)-2]+"','"+bd[j]+"' )")
if bd[j] != last:
cursor.execute(
"INSERT INTO alerte (Type,Message,Risk,Source,Destination,Payload,Timestamp) VALUES('DNS', 'DNS EXFILTRATION NONASCII CHARS','HIGH','"
+ HOST +
"','" +
bd[len(bd)
- 2] +
"','" +
bd[j] +
"','" +
str(datetime
.now())
+ "')")
db.commit()
last_last = last
last = bd[j]
print(
"AICI E ENCODING-ul:",
verify_encoding(
bd[j]))
if verify_encoding(
bd[j]) <= 10:
print(
"ALERT! UNKNOWN BASE FOUND!!! --> "
+ bd[j])
#cursor.execute("INSERT INTO dns (ID_event,Name,Alert_Type,Domain,Subdomain) VALUES('1', 'DNS', 'UNKNOWN BASE FOUND','"+bd[len(bd)-2]+"','"+bd[j]+"' )")
if bd[j] != last:
cursor.execute(
"INSERT INTO alerte (Type,Message,Risk,Source,Destination,Payload,Timestamp) VALUES('DNS', 'UNKNOWN BASE FOUND','HIGH','"
+ HOST +
"','" +
bd[len(bd)
- 2] +
"','" +
bd[j] +
"','" +
str(datetime
.now())
+ "')")
db.commit()
last_last = last
last = bd[j]
database.append(kappa)
ok_signature = 0
print("AICI E OK_SIGNATURE:",
ok_signature)
for i in range(len(database)):
if ok_signature == 0:
#print (database[i].d,database[i].sd)
for j in range(
len(database[i].sd)
):
try:
for k in signatures:
if ok_signature == 0:
if k in database[
i].sd[
j]:
if ok_signature == 0:
print(
"ALERT! DNS EXFILTRATION - "
+
str(
k
)
)
if bd[j] != last:
cursor.execute(
"INSERT INTO alerte (Type,Message,Risk,Source,Destination,Payload,Timestamp) VALUES('DNS', 'SIGNATURE FOUND','HIGH','"
+
HOST
+
"','"
+
bd[len(
bd
) -
2]
+
"','"
+
bd[j]
+
"','"
+
str(
datetime
.
now(
)
)
+
"')"
)
db.commit(
)
db.close(
)
last_last = last
last = bd[
j]
ok_signature = 1
except:
pass
else:
match = re.findall(
r'((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)',
'.'.join(url)) #match url
if len(match) == 0:
if (check_whitelist(
bd[len(bd) - 2],
"./modules/Filters/whitelist.txt"
) == 0):
raspuns_ML = predict.check_model_3(
'.'.join(url[:-2]))
if len('.'.join(url[:-2])) > 0:
if (raspuns_ML == 1):
print(
"SUBDOMENIU OK",
'.'.join(url[:-2]))
else:
print(
"SUBDOMENIU MALITIOS",
'.'.join(url[:-2]))
if '.'.join(url[:-2]
) != last_ML:
cursor.execute(
"INSERT INTO alerte (Type,Message,Risk,Source,Destination,Payload,Timestamp) VALUES('Machine Learning', 'DNS EXFILTRATION','UNKNOWN','"
+ HOST + "','" +
''.join(bd[len(bd)
- 2]) +
"','" + '.'.join(
url[:-2]) +
"','" +
str(datetime.now())
+ "')")
db.commit()
last_last_ML = last_ML
last_ML = '.'.join(
url[:-2])
ok_signature = 1
z = DNS_time(bd[len(bd) - 2], HOST)
dns_ok = 0
if len(dns_time) > 0:
for k in range(len(dns_time)):
if dns_time[
k].domain == bd[
len(bd) - 2]:
dns_ok = 1
dns_time[k].add()
if dns_ok == 0:
dns_time.append(z)
else:
dns_time.append(z)
for i in range(len(url)):
tld_ver = 0
if url[i] not in tld:
subdomainAPI = ''.join(
bd[len(bd) - 2])
if verify_encoding(
url[i]) != None:
if verify_encoding(
url[i]) <= 10:
if url[i] != last:
cursor.execute(
"INSERT INTO alerte (Type,Message,Risk,Source,Destination,Payload,Timestamp) VALUES('DNS', 'UNKNOWN BASE FOUND','HIGH','"
+ HOST +
"','" +
''.join(bd[
len(bd)
- 2]) +
"','" +
url[i] +
"','" +
str(datetime
.now())
+ "')")
db.commit()
last_last = last
last = url[i]
ok_signature = 1
result = []
nr_magic = 0
if nr_magic > 2:
nr_magic += 1
result.append('\t' + row.strip().decode())
else:
nr_magic += 1
result.append(' ' + row.strip().decode())
else:
result.append(row.strip().decode())