def test_insert_device_information(self):
DeviceInformation.insert_new_object(self.device_info)
result = self.db.session.query(DeviceInformation).filter(
DeviceInformation.mac_address == "00:00:00:00:00:00") \
.first()
self.assertEqual(self.device_info, result)
self.db.session.delete(result)
def packet_parse(packet: Packet):
"""
Runs privacy analysis rules and checks packet against IDS signatures
:param packet: packet to analyze
:return: nothing
"""
for rule in rules_packet_privacy:
try:
rule(packet)
except Exception as e:
run_config.log_event.info(
'Exception raised in a privacy rule check: ' + str(e))
# For each triggered signature generate an alert for the user
try:
triggered_rules = signature_detector.check_signatures(packet)
if len(triggered_rules) > 0:
for triggered_rule in triggered_rules:
is_dst = packet[
Ether].src in DeviceInformation.get_mac_addresses()
alert_object = Alert(packet, triggered_rule.msg, AlertType.IDS,
Severity.ALERT, is_dst)
alert_object.alert()
except Exception as e:
run_config.log_event.info('Exception raised in an IDS rule check: ' +
str(e))
# For each packet, pass through frequency detection engine
try:
anomaly_engine.check_signatures(packet)
except Exception as e:
run_config.log_event.info(
'Exception raised in an Anomaly Engine check: ' + str(e))
def __call__(self, packet: Packet):
"""
Function call to trigger the signature, alerts if matches and is over set limit
:param packet: Packet being analyzed
:return: None
"""
if self._layer in packet:
# Calculate the hour in which the packet was transmitted
hour = (packet.time % 86400) / 3600
# Adjust frequencies and limits based on time
self.adjust_frequencies(hour)
# If the frequency is above the adjusted average, create and Alert
if self._current_average + self._current_deviation * 2 < self._window_frequency and \
not self._alerted_for_window:
dst = False
if packet[
"Ethernet"].src not in DeviceInformation.get_mac_addresses(
):
dst = True
Alert(
packet,
"Traffic based anomaly detection shows above usual rates of {0} traffic. {1} packets"
" seen in last {2} seconds".format(self._layer,
self._window_frequency,
self._window_size),
AlertType.ANOMALY, Severity.WARN, dst).alert()
self._alerted_for_window = True
def _device_configuration(form_data: dict, ip_neighbors):
"""
Handler for device configuration form, inserts and removes devices the user would like monitored by the IDS
:param form_data: Form data submitted by the user from the webpage
:param ip_neighbors: List of neighboring devices displayed to the user
:return: nothing
"""
# insert unique devices into the database to be monitored by our IDS
mac_addresses = {key for key in form_data.keys()}
existing_devices = set(DeviceInformation.get_mac_addresses(g.db))
new_devices_macs = mac_addresses - existing_devices
new_devices = [
neigh for neigh in ip_neighbors if neigh.mac in new_devices_macs
]
for item in new_devices:
d = DeviceInformation(mac_address=item.mac,
name="",
ip_address=item.ip)
DeviceInformation.insert_new_object(d)
# remove devices that were unchecked
devices_to_delete = [
DeviceInformation.get_by_pk(DeviceInformation.mac_address, mac_address,
g.db)
for mac_address in existing_devices - mac_addresses
]
for device in devices_to_delete:
device.delete(False, g.db)
DeviceInformation.safe_commit(g.db)
def main():
"""
Main loop of the program, does the following
1. Runs system privacy checks
2. Runs scanning analysis of the IoT devices
3. Sniffs packets on "br-lan" and analyzes the packet against signatures and privacy rules
:return: nothing
"""
# 1) Perform a system configuration security check
try:
for rule in rules_system_privacy:
rule()
except Exception as e:
run_config.log_event.info(
f"Exception when running system privacy rule {e}")
# Wait until there are mac_addresses to sniff for, max count equates to the maximum time to wait between polls
max_count = 7 # 3 minutes
count = 0
while True:
n = (2**count) - 1
sleep(n)
if count != max_count:
count += 1
if DeviceInformation.get_mac_addresses():
break
# 2) Run a scanning analysis of the IoT devices
mac_addresses = DeviceInformation.get_mac_addresses()
ip_to_mac = _pair_ip_to_mac(mac_addresses)
try:
for rule in rules_scanning_privacy:
rule(ip_to_mac)
except Exception as e:
run_config.log_event.info(
f"Exception when running scanning privacy rule {e}")
# 3) Capture IoT packets only with crafted sniff and analyze the packet against signatures and privacy rules
print("Capturing IoT packets only")
sniff(iface=run_config.sniffing_interface,
lfilter=_sniff_filter,
prn=packet_parse,
count=num_packets,
store=0)
def settings():
"""
Serves the template for the ids configuration page
:return: Rendered jinja-2 template
"""
ip_neighbors = get_neighboring_devices()
if request.method == 'POST' and 'device-form' in request.form:
_device_configuration(request.form, ip_neighbors)
elif request.method == 'POST' and 'email-form' in request.form:
_email_configuration(request.form)
elif request.method == 'POST' and 'equations-form' in request.form:
_anomaly_configuration(request.form)
return render_template(
'config.html',
neighboring_devices=ip_neighbors,
existing_devices=DeviceInformation.get_mac_addresses(g.db))
def setUp(self) -> None:
self.db = db
self.db.create_session()
self.alert = Alerts(alert_type='IDS',
description='test',
severity=1,
mac_address='00:00:00:00:00',
payload='foobar')
self.anamoly_eq = AnomalyEquations(average_equation="test",
adjustment_equation="test")
self.email_info = EmailInformation(
recipient_addresses='[email protected], [email protected]',
sender_address='*****@*****.**',
sender_email_password='******',
smtp_server='smtp.test.com')
self.device_info = DeviceInformation(mac_address='00:00:00:00:00:00',
name='test',
ip_address='192.168.0.1')
def _sniff_filter(packet: Packet):
results = DeviceInformation.get_mac_addresses()
return packet.src in results or packet.dst in results