Ejemplo n.º 1
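def domainCheck(ip, direction, domain):
    """Update the per-IP DNS anomaly counters for one observed domain name.

    Args:
        ip: key under which AddElement() accumulates the counters.
        direction: 'request' or 'response'; any other value adds no
            direction counter.
        domain: the name as seen on the wire. It is untrusted input and is
            only measured and split here, never interpreted.

    Returns:
        None. Everything is recorded through AddLengthDistribution() and
        AddElement(); the three limits are read from confloader on every call.
    """
    # domain length distribution
    AddLengthDistribution(len(domain))

    # domain max length
    if len(domain) > int(confloader.getParameters('DomainMaxLength')):
        AddElement(ip, 'above_max_domain_length_times')

    # domain lable nums ('' splits to [''], so an empty name counts as one label)
    lables = domain.split('.')
    if len(lables) > int(confloader.getParameters('LableMaxNum')):
        AddElement(ip, 'above_max_lable_num_times')

    # domain lable limit. The original loop hit an unconditional 'break' after
    # the first iteration, so only the leftmost label was ever measured; every
    # label is checked now, and the domain is counted at most once.
    # NOTE(review): this limit uses '>=' while the two above use '>' - confirm
    # which is intended.
    lable_max_limit = int(confloader.getParameters('LableMaxLimit'))
    if any(len(lable) >= lable_max_limit for lable in lables):
        AddElement(ip, 'above_max_lable_limit_times')

    # has upper (true whenever lower-casing changes the name)
    if domain.lower() != domain:
        AddElement(ip, 'has_upper_character_times')

    # add direction
    if direction == 'request':
        AddElement(ip, 'request_times')
    elif direction == 'response':
        AddElement(ip, 'response_times')

    return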
Ejemplo n.º 2
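def DnsLog():
    """Append one comma-separated row per tracked IP in DnsMap to the DNS log.

    Reads LOG_PATH and LOG_DNS_NAME from confloader. The header row is written
    only the first time, tracked by the module-level ExcelTitle flag, which
    holds the strings 'false' / 'true'. Returns None.
    """
    global DnsMap
    global ExcelTitle

    LOG_PATH = confloader.getParameters('LOG_PATH')
    LOG_DNS_NAME = confloader.getParameters('LOG_DNS_NAME')

    # One column order shared by the header and every data row, so the two
    # cannot drift apart.
    columns = (
        'request_times',
        'response_times',
        'above_max_domain_length_times',
        'above_max_lable_num_times',
        'above_max_lable_limit_times',
        'has_upper_character_times',
        'response_txt_times',
    )

    # 'with' closes the file even if a write fails; append ('a'), never truncate.
    with open(LOG_PATH + '/' + LOG_DNS_NAME, 'a') as f:
        if ExcelTitle == 'false':
            f.write('ip, ' + ', '.join(columns) + '\n')
            ExcelTitle = 'true'

        for key, value in DnsMap.items():
            # key is written verbatim; assumes it holds no ',' or newline
            # (it is used as an IP address elsewhere in this file) - confirm.
            row = ', '.join(str(value[column]) for column in columns)
            f.write(key + ', ' + row + '\n')
    return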
Ejemplo n.º 3
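def executeSql(sql, params=None):
    """Run one SQL statement against the configured MySQL database.

    Connection settings (My_SQL_IP, My_SQL_USERNAME, My_SQL_PASSWORD,
    My_SQL_DB_NAME, My_SQL_DB_PORT) are read from confloader on every call.

    Args:
        sql: the statement to execute. Put values in ``params`` instead of
            formatting them into ``sql``: anything concatenated into the
            statement text is executed as SQL.
        params: optional sequence or mapping of bind values, passed to
            cursor.execute() so the driver quotes them. Defaults to None,
            which keeps the original single-argument behaviour.

    Returns:
        The result of cursor.fetchall(), or None if connecting or executing
        raised (the exception is printed, not re-raised - existing behaviour).
    """
    # load conf info
    My_SQL_IP = confloader.getParameters('My_SQL_IP')
    My_SQL_USERNAME = confloader.getParameters('My_SQL_USERNAME')
    My_SQL_PASSWORD = confloader.getParameters('My_SQL_PASSWORD')
    My_SQL_DB_NAME = confloader.getParameters('My_SQL_DB_NAME')
    My_SQL_DB_PORT = confloader.getParameters('My_SQL_DB_PORT')

    conn = None
    cur = None
    try:
        conn = MySQLdb.connect(host=My_SQL_IP,
                               user=My_SQL_USERNAME,
                               passwd=My_SQL_PASSWORD,
                               db=My_SQL_DB_NAME,
                               port=int(My_SQL_DB_PORT))
        cur = conn.cursor()

        # params=None means the driver runs the text unchanged, exactly as the
        # original cur.execute(sql) did.
        cur.execute(sql, params)
        return cur.fetchall()
    except Exception as e:
        # Same two lines the original printed, written so they also run on
        # Python 3.
        print('%s %s' % (Exception, e))
        print('sqldb.py exception')
    finally:
        # Close in reverse order; the original leaked both the cursor and the
        # connection whenever execute() or fetchall() raised.
        if cur is not None:
            cur.close()
        if conn is not None:
            conn.close()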
Ejemplo n.º 4
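def SnmpStore():
    """Append the SnmpLogMap counters ('sip->dip' key, count) to the SNMP log.

    A header line is written on every call, as in the original. Reads
    LOG_PATH and LOG_SNMP_STORE_NAME from confloader. Returns None.
    """
    global SnmpLogMap

    LOG_PATH = confloader.getParameters('LOG_PATH')
    LOG_SNMP_STORE_NAME = confloader.getParameters('LOG_SNMP_STORE_NAME')

    # Build the whole block first, then write it in one call.
    lines = ['sip->dip, times\n']
    lines.extend(key + ',' + str(value) + '\n'
                 for key, value in SnmpLogMap.items())

    # 'with' closes the file even if the write fails; append ('a'), never truncate.
    with open(LOG_PATH + '/' + LOG_SNMP_STORE_NAME, 'a') as f:
        f.write(''.join(lines))
    return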
Ejemplo n.º 5
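def Icmp_Compare_Log_Store():
    """Append every (key, value) pair in Global_Icmp_Result to the ICMP compare log.

    Each pair becomes one line '<key>  :  <value>'. Reads LOG_PATH and
    LOG_ICMP_COMPARE_LOG_STORE_NAME from confloader; note that IcmpCompareStore()
    in this file appends to the same configured file. Returns None.
    """
    global Global_Icmp_Result

    # load conf info
    LOG_PATH = confloader.getParameters('LOG_PATH')
    LOG_ICMP_COMPARE_LOG_STORE_NAME = confloader.getParameters(
        'LOG_ICMP_COMPARE_LOG_STORE_NAME')

    # use 'a' not 'w'; 'with' closes the file even if a write fails
    with open(LOG_PATH + '/' + LOG_ICMP_COMPARE_LOG_STORE_NAME, 'a') as f:
        for key, value in Global_Icmp_Result.items():
            f.write(key + '  :  ' + str(value) + '\n')
    return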
Ejemplo n.º 6
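def IcmpCompareStore():
    """Append every (key, value) pair in IcmpCompareMap to the ICMP compare log.

    Each pair becomes one line '<key>  :  <value>'. Reads LOG_PATH and
    LOG_ICMP_COMPARE_LOG_STORE_NAME from confloader; Icmp_Compare_Log_Store()
    in this file appends to the same configured file. Returns None.
    """
    global IcmpCompareMap

    LOG_PATH = confloader.getParameters('LOG_PATH')
    LOG_ICMP_COMPARE_LOG_STORE_NAME = confloader.getParameters(
        'LOG_ICMP_COMPARE_LOG_STORE_NAME')

    # use 'a' not 'w'; 'with' closes the file even if a write fails
    with open(LOG_PATH + '/' + LOG_ICMP_COMPARE_LOG_STORE_NAME, 'a') as f:
        for key, value in IcmpCompareMap.items():
            f.write(key + '  :  ' + str(value) + '\n')
    return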
Ejemplo n.º 7
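def checkBlackIP():
    """Look up every collected IP in ALL_IP against the blacklist and log the result.

    Reads LOG_PATH and LOG_FOR_BLACK_IP_NAME from confloader and appends
    whatever sqldb.checkBlack() returns. Its return type is not visible here;
    assumed to be text that f.write() accepts - confirm in sqldb.py.
    Returns None.
    """
    global ALL_IP

    # load conf info
    LOG_PATH = confloader.getParameters('LOG_PATH')
    LOG_FOR_BLACK_IP_NAME = confloader.getParameters('LOG_FOR_BLACK_IP_NAME')

    # add test ip
    # NOTE(review): this hard-coded address is inserted into the live set on
    # every call, so it reaches the lookup and the log as if it had been seen
    # in traffic. It looks like a leftover test fixture - remove it or move it
    # to the configuration.
    ALL_IP.add('52.200.243.123')
    result = sqldb.checkBlack(ALL_IP)

    # use 'a' not 'w'; 'with' closes the file even if the write fails
    with open(LOG_PATH + '/' + LOG_FOR_BLACK_IP_NAME, 'a') as f:
        f.write(result)
    return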
Ejemplo n.º 8
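def PortProtoStore():
    """Append the PortProtoDict counters to the port/protocol log.

    Each entry becomes one line '<key>, <value>'. The header is written only
    once, tracked by the module-level titleHasWrite flag, which holds the
    strings 'false' / 'true'. Reads LOG_PATH and LOG_PROT_PROTOCOL_NAME from
    confloader. Returns None.
    """
    global PortProtoDict
    global titleHasWrite

    LOG_PATH = confloader.getParameters('LOG_PATH')
    LOG_PROT_PROTOCOL_NAME = confloader.getParameters('LOG_PROT_PROTOCOL_NAME')

    # use 'a' not 'w'; 'with' closes the file even if a write fails
    with open(LOG_PATH + '/' + LOG_PROT_PROTOCOL_NAME, 'a') as f:
        if titleHasWrite == 'false':
            f.write('ip and abnormal proto, times\n')
            titleHasWrite = 'true'

        for key, value in PortProtoDict.items():
            f.write(key + ', ' + str(value) + '\n')
    return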
Ejemplo n.º 9
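def Dispatcher(source):
    """Route the current packet to the analyser for its protocol.

    The protocol is decided purely from the layer names DataBean reports
    ('layers' and 'highest_layer', upper-cased). DNS and HTTP analysis can
    each be switched off in the configuration (DnsCheck / HttpCheck != 'yes');
    a packet whose check is off falls through to the later branches and ends
    up in UnknownProtoAnalyser unless it also carries SNMP. The original body
    mixed tabs and spaces in the branch bodies, which Python 3 rejects.

    Args:
        source: opaque packet source forwarded to the DNS and HTTP analysers;
            the SNMP and unknown-protocol analysers take no argument.

    Returns:
        None.
    """
    layers = DataBean.getItem('layers').upper()
    highest_layer = DataBean.getItem('highest_layer').upper()

    # Just confirm by protocol name
    if 'DNS' == highest_layer and confloader.getParameters('DnsCheck').lower() == 'yes':
        DnsAnalyser.Analysis(source)
    elif 'HTTP' in layers and confloader.getParameters('HttpCheck').lower() == 'yes':
        # 1. eth:ip:http:media
        # 2. https: left as an open question ('???') in the original
        HttpAnalyser.Analysis(source)
    elif 'SNMP' in layers:
        SnmpAnalyser.Analysis()
    else:
        UnknownProtoAnalyser.Analysis()
    return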
Ejemplo n.º 10
def domainCheck(key, domain):
    """Record per-key DNS name anomalies for one domain.

    Feeds the name length into addLengthDistribution() and bumps, through
    addElement(key, ...), 'domain_times' when the name is longer than
    Domain_Max_Length, 'lable_num_times' when it has more dot-separated
    labels than Lable_Max_Num, and 'upper_times' whenever lower-casing
    changes the name. Both limits are read from confloader on every call.
    Returns None.
    """
    name_length = len(domain)
    addLengthDistribution(name_length)

    # domain length check
    max_length = int(confloader.getParameters('Domain_Max_Length'))
    too_long = name_length > max_length
    if too_long:
        addElement(key, 'domain_times')

    # domain lables
    max_labels = int(confloader.getParameters('Lable_Max_Num'))
    label_count = len(domain.split('.'))
    if label_count > max_labels:
        addElement(key, 'lable_num_times')

    # upper
    has_upper = domain != domain.lower()
    if has_upper:
        addElement(key, 'upper_times')
    return
Ejemplo n.º 11
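def LengthDistributionLog():
    """Append the domain-length histogram held in LengthDistribution to its log.

    Each bucket is written as '<range>, <count>' on its own line. Reads
    LOG_PATH and LOG_DNS_LENGTH_DISTRIBUTION_NAME from confloader.
    Returns None.
    """
    global LengthDistribution

    # Labels and keys are the original ones.
    # NOTE(review): the last label reads '(60_..)' but directly follows
    # '(40_50]', so either a (50_60] bucket is missing or the label should be
    # '(50_..)'; check against the code that fills LengthDistribution.
    buckets = (
        ('(0_10]', 'block_10'),
        ('(10_20]', 'block_20'),
        ('(20_30]', 'block_30'),
        ('(30_40]', 'block_40'),
        ('(40_50]', 'block_50'),
        ('(60_..)', 'block_60'),
    )
    tmp = ''.join(label + ', ' + str(LengthDistribution[field]) + '\n'
                  for label, field in buckets)

    LOG_PATH = confloader.getParameters('LOG_PATH')
    LOG_DNS_LENGTH_DISTRIBUTION_NAME = confloader.getParameters(
        'LOG_DNS_LENGTH_DISTRIBUTION_NAME')

    # use 'a' not 'w'; 'with' closes the file even if the write fails
    with open(LOG_PATH + '/' + LOG_DNS_LENGTH_DISTRIBUTION_NAME, 'a') as f:
        f.write(tmp)
    return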
Ejemplo n.º 12
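def Icmp_Class_Log_Store():
    """Append the ICMP payload classes held in Icmp_Map to their log file.

    Each line is '<hex key>,<decoded payload>,<count>'. The key is hex-decoded
    with binascii.a2b_hex; when decoding fails the middle column reads
    'cant decode'. Reads LOG_PATH and LOG_ICMP_CLASS_LOG_STORE_NAME from
    confloader. Returns None.
    """
    global Icmp_Map

    # load conf info
    LOG_PATH = confloader.getParameters('LOG_PATH')
    LOG_ICMP_CLASS_LOG_STORE_NAME = confloader.getParameters(
        'LOG_ICMP_CLASS_LOG_STORE_NAME')

    # use 'a'  not 'w'; 'with' closes the file even if a write fails
    with open(LOG_PATH + '/' + LOG_ICMP_CLASS_LOG_STORE_NAME, 'a') as f:
        for key, value in Icmp_Map.items():
            try:
                string = binascii.a2b_hex(key.strip())
                # Only ',' is replaced, to keep the columns intact. The decoded
                # bytes come from captured traffic, so any other control byte
                # or newline in them reaches the log as-is. NOTE(review): on
                # Python 3 a2b_hex returns bytes and this str replace raises,
                # so every line would read 'cant decode'; the file is Python 2.
                string = string.strip().replace(',', '_')  # for excel format
            except Exception:
                # Was a bare 'except:'; narrowed so KeyboardInterrupt and
                # SystemExit are no longer turned into a log line.
                string = 'cant decode'
            # Written on both paths, like the original 'finally' block.
            f.write(key + ',' + string + ',' + str(value) + '\n')
    return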
Ejemplo n.º 13
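def dns_Log():
    """Append one comma-separated row per key in Global_DNS_MAP to the DNS log,
    then empty the map.

    No header row is written. Reads LOG_PATH and LOG_DNS_NAME from confloader.
    Global_DNS_MAP is cleared only after the file has been written and closed,
    so a failed write leaves the counters in place. Returns None.
    """
    global Global_DNS_MAP

    # load conf info
    LOG_PATH = confloader.getParameters('LOG_PATH')
    LOG_DNS_NAME = confloader.getParameters('LOG_DNS_NAME')

    # Column order of every row.
    columns = (
        'domain_times',
        'lable_num_times',
        'upper_times',
        'domain_equals',
        'dns_resp_len_times',
        'author_times',
        'addition_times',
    )

    # use 'a' not 'w'; 'with' closes the file even if a write fails
    with open(LOG_PATH + '/' + LOG_DNS_NAME, 'a') as f:
        for key, value in Global_DNS_MAP.items():
            # key is written verbatim; assumes it holds no ',' or newline - confirm.
            row = ', '.join(str(value[column]) for column in columns)
            f.write(key + ", " + row + '\n')

    # delete all itmes
    Global_DNS_MAP.clear()
    return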