def test_acl(): from modules.arp.arp_module import ACL acl = ACL({ '00:11:22:aa:bb:cd': '10.10.10.2', '11:de:fa:ce:d0:11': ['10.10.10.3', '10.10.10.4'], }) assert acl.mac_ip_is_in_acl('00:11:22:aa:bb:cd', '10.10.10.2') assert not acl.mac_ip_is_in_acl('00:11:22:aa:bb:cd', '10.10.10.3') assert not acl.mac_ip_is_in_acl('00:11:22:aa:bb:ca', '10.10.10.2') assert acl.mac_ip_is_in_acl('11:de:fa:ce:d0:11', '10.10.10.3') assert acl.mac_ip_is_in_acl('11:de:fa:ce:d0:11', '10.10.10.4')
def test_permitted_when_ip_in_acl(): from modules.arp.arp_module import ARPModule arp = ARPModule(ACL({'00:11:22:aa:bb:cc': '10.10.10.2'})) e = Ether(src='00:11:22:aa:bb:cc', dst='00:11:22:aa:bb:cd') a = ARP(hwsrc='00:11:22:aa:bb:cc', hwdst='00:11:22:aa:bb:cd', psrc='10.10.10.2', op='is-at') response = arp.receive_packet(e / a) assert type(response) == PermittedResponse
def ether_loop(sniffer): if args.arp_config: arp_module = ARPModule(ACL.from_file(Path(args.arp_config))) else: arp_module = ARPModule() for ts, pkt in sniffer: e = Ether(pkt) try: if e.type == ETHER_TYPE_ARP: log().info('Received ARP packet') arp_module.receive_packet(e, ts) else: log().info('Received packet not supported by IPS') except AttributeError: log().info('Received packet does not have a type') continue
def ether_loop(sniffer): if args.arp_config: arp_module = ARPModule(ACL.from_file(Path(args.arp_config))) else: arp_module = ARPModule() if not args.pred_ssl_out: pred_ssl_out = dir_path / 'out_pred_ssl' else: pred_ssl_out = Path(args.pred_ssl_out) ssl_module = PredictSSLModule(pred_ssl_out) if not args.pred_pop_out: pred_pop_out = dir_path / 'out_pred_pop.txt' else: pred_pop_out = Path(args.pred_pop_out) pop_module = PredictPopModule(pred_pop_out) count = 0 for ts, pkt in sniffer: count += 1 e = Ether(pkt) try: if e.type == ETHER_TYPE_ARP: log.info('Received ARP packet') arp_module.receive_packet(e, ts) if e.type == ETHER_TYPE_IPV4: if e.haslayer(TCP): if (e[TCP].sport == SSL_PORT) or (e[TCP].dport == SSL_PORT): ssl_module.receive_packet(str(e), ts) if (e[TCP].sport == POP_PORT) or (e[TCP].dport == POP_PORT): pop_module.receive_packet(str(e), ts) else: log.info('Received packet not supported by IPS') except AttributeError as e: log.info('Received packet does not have a type {}'.format(e)) continue
def test_acl_from_file(): from modules.arp.arp_module import ACL p = Path('temp_test_acl_from_file.txt') with p.open(mode='w') as f: f.writelines([ '10.0.0.1 11:ba:da:a5:55:11\n', '10.0.0.2 11:ba:da:a5:55:11\n', '192.168.178.5 11:8b:ad:f0:0d:11\n', '12.12.12.12 11:de:fa:ce:d0:11\n', '12.12.12.12 11:de:fa:ce:d0:13\n' ]) acl = ACL.from_file(p) assert dict(acl.acl) == { '10.0.0.1': ['11:ba:da:a5:55:11'], '10.0.0.2': ['11:ba:da:a5:55:11'], '192.168.178.5': ['11:8b:ad:f0:0d:11'], '12.12.12.12': ['11:de:fa:ce:d0:11', '11:de:fa:ce:d0:13'] } p.unlink()
type=str, help='pcap file input or name of suitable network device') parser.add_argument('log_out', type=str, help='output file for a json log') parser.add_argument('--arp-acl-config', dest='arp_config', type=str, help='configuration file with IP to MAC bindings') args = parser.parse_args() if args.pcap_in and args.log_out: init_logger(args.log_out) log().info('IPS STARTED') if args.arp_config: arp_module = ARPModule(ACL.from_file(Path(args.arp_config))) else: arp_module = ARPModule() sniffer = pcap.pcap(name=args.pcap_in, promisc=True, immediate=True, timeout_ms=50) for ts, pkt in sniffer: e = Ether(pkt) try: if e.type == ETHER_TYPE_ARP: log().info('Received ARP packet') arp_module.receive_packet(e) else: log().info('Received packet not supported by IPS')