def _ddos_inspect(self, packet):
ddos = self.ddos_tracker[packet.protocol]
with ddos.lock:
if not self._ddos_detected(ddos.tracker, packet): return
if (self._IPS.ids_mode):
Log.log(packet, IPS.LOGGED, engine=IPS.DDOS)
elif (self._IPS.ddos_prevention):
IPTableManager.proxy_add_rule(packet.conn.tracked_ip,
table='mangle',
chain='IPS')
Log.log(packet, IPS.FILTERED, engine=IPS.DDOS)
def _portscan_inspect(self, IPS_IDS, packet):
pscan = self.pscan_tracker[packet.protocol]
with pscan.lock:
initial_block, active_scanner, pre_detection_logging = self._portscan_detect(
pscan.tracker, packet)
if (not active_scanner):
Log.debug(
f'PROXY ACCEPT | {packet.src_ip}:{packet.src_port} > {packet.dst_ip}:{packet.dst_port}.'
)
IPS_IDS.forward_packet(packet.nfqueue)
return
if (IPS_IDS.ids_mode):
IPS_IDS.forward_packet(packet.nfqueue)
block_status = IPS.LOGGED
elif (IPS_IDS.portscan_prevention):
packet.nfqueue.drop()
# if rejection is enabled on top of prevention port uncreachable packets will be sent back to the scanner.
if (IPS_IDS.portscan_reject):
self._portscan_reject(pre_detection_logging, packet,
initial_block)
# if initial block is not set then the current host has already been effectively blocked and does not need
# to do anything beyond this point.
if (not initial_block): return
block_status = self._get_block_status(pre_detection_logging,
packet.protocol)
Log.debug(
f'PROXY INITIAL SCANNER | {block_status.name} | {packet.src_ip}:{packet.src_port} > {packet.dst_ip}:{packet.dst_port}.'
)
# NOTE: i think this is stupid. this would effectivly block all portscan logging while passive blocking is
# active, right???? if that is the case, we need to figure out a different way to deal with this. i think this
# was to ensure ddos wasnt logged as portscan first, but this doesnt soudn liek a good way to do this anymore.
if (not IPS_IDS.fw_rules):
scan_info = IPS_SCAN_RESULTS(initial_block, active_scanner,
block_status)
Log.log(packet, scan_info, engine=IPS.PORTSCAN)
else: # NOTE: for testing purposes only
Log.debug(
'ACTIVE DDOS WHEN ATTEMPTING TO LOG PORTSCAN, LOG HAULTED.')
def _portscan_inspect(self, packet):
# TODO: optimize _IPS reference please! :)
pscan = self.pscan_tracker[packet.protocol]
with pscan.lock:
initial_block, active_scanner, pre_detection_logging = self._portscan_detect(
pscan.tracker, packet)
if (not active_scanner):
Log.debug(
f'PROXY ACCEPT | {packet.src_ip}:{packet.src_port} > {packet.dst_ip}:{packet.dst_port}.'
)
self._IPS.forward_packet(packet.nfqueue)
return
if (self._IPS.ids_mode):
self._IPS.forward_packet(packet.nfqueue)
block_status = IPS.LOGGED
elif (self._IPS.portscan_prevention):
packet.nfqueue.drop()
# if rejection is enabled on top of prevention port uncreachable packets will be sent back to the scanner.
if (self._IPS.portscan_reject):
self._portscan_reject(pre_detection_logging, packet,
initial_block)
# if initial block is not set then the current host has already been effectively blocked and does not need
# to do anything beyond this point.
if (not initial_block): return
block_status = self._get_block_status(pre_detection_logging,
packet.protocol)
Log.debug(
f'PROXY INITIAL SCANNER | {block_status.name} | {packet.src_ip}:{packet.src_port} > {packet.dst_ip}:{packet.dst_port}.'
)
if (not self._IPS.fw_rules):
scan_info = IPS_SCAN_RESULTS(initial_block, active_scanner,
block_status)
Log.log(packet, scan_info, engine=IPS.PORTSCAN)
else: # NOTE: for testing purposes only
Log.debug(
'ACTIVE DDOS WHEN ATTEMPTING TO LOG PORTSCAN, LOG HAULTED.')
def _ddos_inspect(self):
ddos = self.ddos_tracker.get(self._packet.protocol)
with ddos['lock']:
if not self._ddos_detected(ddos['tracker']): return
# this is to supress log entries for ddos hosts that are being detected by the engine, but not blocked
# this behavior would only happen in informational logging mode without block enabled.
if self._recently_detected(self._packet.conn.tracked_ip): return
if (self._IPS.ddos_prevention):
IPTableManager.proxy_add_rule(self._packet.conn.tracked_ip,
table='mangle',
chain='IPS')
# TODO: add entry for ids mode
Log.log(self._packet, engine=IPS.DDOS)
def _portscan_inspect(self):
pscan = self.pscan_tracker.get(self._packet.protocol)
with pscan['lock']:
initial_block, active_scanner, pre_detection_logging = self._portscan_detect(
pscan['tracker'])
if (not active_scanner):
Log.informational(
f'PROXY ACCEPT | {self._packet.src_ip}:{self._packet.src_port} > {self._packet.dst_ip}:{self._packet.dst_port}.'
)
self._IPS.forward_packet(self._packet.nfqueue)
return
if (self._IPS.portscan_prevention):
if (self._IPS.ids_mode):
self._IPS.forward_packet(self._packet.nfqueue)
block_status = IPS.LOGGED
else:
self._packet.nfqueue.drop()
if (self._IPS.portscan_reject):
self._portscan_reject(pre_detection_logging)
if (pre_detection_logging):
block_status = self._get_block_status(pre_detection_logging)
Log.informational(
f'PROXY ACTIVE SCANNER DROP {self._packet.src_ip}:{self._packet.src_port} > {self._packet.dst_ip}:{self._packet.dst_port}.'
)
if (not self.active_ddos):
scan_info = IPS_SCAN_RESULTS(initial_block, active_scanner,
block_status)
Log.log(self._packet, scan_info, engine=IPS.PORTSCAN)
else: # NOTE: for testing purposes only
Log.informational(
'ACTIVE DDOS WHEN ATTEMPTING TO LOG PORTSCAN, LOG HAULTED.'
)