def test_acl():
from modules.arp.arp_module import ACL
acl = ACL({
'00:11:22:aa:bb:cd': '10.10.10.2',
'11:de:fa:ce:d0:11': ['10.10.10.3', '10.10.10.4'],
})
assert acl.mac_ip_is_in_acl('00:11:22:aa:bb:cd', '10.10.10.2')
assert not acl.mac_ip_is_in_acl('00:11:22:aa:bb:cd', '10.10.10.3')
assert not acl.mac_ip_is_in_acl('00:11:22:aa:bb:ca', '10.10.10.2')
assert acl.mac_ip_is_in_acl('11:de:fa:ce:d0:11', '10.10.10.3')
assert acl.mac_ip_is_in_acl('11:de:fa:ce:d0:11', '10.10.10.4')
def test_permitted_when_ip_in_acl():
from modules.arp.arp_module import ARPModule
arp = ARPModule(ACL({'00:11:22:aa:bb:cc': '10.10.10.2'}))
e = Ether(src='00:11:22:aa:bb:cc', dst='00:11:22:aa:bb:cd')
a = ARP(hwsrc='00:11:22:aa:bb:cc',
hwdst='00:11:22:aa:bb:cd',
psrc='10.10.10.2',
op='is-at')
response = arp.receive_packet(e / a)
assert type(response) == PermittedResponse
def ether_loop(sniffer):
if args.arp_config:
arp_module = ARPModule(ACL.from_file(Path(args.arp_config)))
else:
arp_module = ARPModule()
for ts, pkt in sniffer:
e = Ether(pkt)
try:
if e.type == ETHER_TYPE_ARP:
log().info('Received ARP packet')
arp_module.receive_packet(e, ts)
else:
log().info('Received packet not supported by IPS')
except AttributeError:
log().info('Received packet does not have a type')
continue
def ether_loop(sniffer):
if args.arp_config:
arp_module = ARPModule(ACL.from_file(Path(args.arp_config)))
else:
arp_module = ARPModule()
if not args.pred_ssl_out:
pred_ssl_out = dir_path / 'out_pred_ssl'
else:
pred_ssl_out = Path(args.pred_ssl_out)
ssl_module = PredictSSLModule(pred_ssl_out)
if not args.pred_pop_out:
pred_pop_out = dir_path / 'out_pred_pop.txt'
else:
pred_pop_out = Path(args.pred_pop_out)
pop_module = PredictPopModule(pred_pop_out)
count = 0
for ts, pkt in sniffer:
count += 1
e = Ether(pkt)
try:
if e.type == ETHER_TYPE_ARP:
log.info('Received ARP packet')
arp_module.receive_packet(e, ts)
if e.type == ETHER_TYPE_IPV4:
if e.haslayer(TCP):
if (e[TCP].sport == SSL_PORT) or (e[TCP].dport
== SSL_PORT):
ssl_module.receive_packet(str(e), ts)
if (e[TCP].sport == POP_PORT) or (e[TCP].dport
== POP_PORT):
pop_module.receive_packet(str(e), ts)
else:
log.info('Received packet not supported by IPS')
except AttributeError as e:
log.info('Received packet does not have a type {}'.format(e))
continue
def test_acl_from_file():
from modules.arp.arp_module import ACL
p = Path('temp_test_acl_from_file.txt')
with p.open(mode='w') as f:
f.writelines([
'10.0.0.1 11:ba:da:a5:55:11\n', '10.0.0.2 11:ba:da:a5:55:11\n',
'192.168.178.5 11:8b:ad:f0:0d:11\n',
'12.12.12.12 11:de:fa:ce:d0:11\n',
'12.12.12.12 11:de:fa:ce:d0:13\n'
])
acl = ACL.from_file(p)
assert dict(acl.acl) == {
'10.0.0.1': ['11:ba:da:a5:55:11'],
'10.0.0.2': ['11:ba:da:a5:55:11'],
'192.168.178.5': ['11:8b:ad:f0:0d:11'],
'12.12.12.12': ['11:de:fa:ce:d0:11', '11:de:fa:ce:d0:13']
}
p.unlink()
type=str,
help='pcap file input or name of suitable network device')
parser.add_argument('log_out', type=str, help='output file for a json log')
parser.add_argument('--arp-acl-config',
dest='arp_config',
type=str,
help='configuration file with IP to MAC bindings')
args = parser.parse_args()
if args.pcap_in and args.log_out:
init_logger(args.log_out)
log().info('IPS STARTED')
if args.arp_config:
arp_module = ARPModule(ACL.from_file(Path(args.arp_config)))
else:
arp_module = ARPModule()
sniffer = pcap.pcap(name=args.pcap_in,
promisc=True,
immediate=True,
timeout_ms=50)
for ts, pkt in sniffer:
e = Ether(pkt)
try:
if e.type == ETHER_TYPE_ARP:
log().info('Received ARP packet')
arp_module.receive_packet(e)
else:
log().info('Received packet not supported by IPS')