def _inspect_open_ports(self, ip, mac, results, port_type, ports_allow,
ports_severe_alert):
"""
This method inspects the open ports for the given port_type and Alerts if any suspicious open ports are found.
A severe Alert is generated if any ports in ports_info_severe_alert are found.
:param ip: The IP being scanned
:param mac: The MAC corresponding to the IP
:param results: The ports nmap scan results
:param port_type: The port type to inspect, either "tcp" or "udp"
:param ports_allow: The list of allowed ports for this port type
:param ports_severe_alert: Generates a severe Alert if any of these ports are found open
:return: Whether the packet came from a spoofed MAC Address
"""
if port_type in results[ip]:
for port in results[ip][port_type]:
if port not in ports_allow:
alert_obj = Alert(
None,
f'Suspicious open {port_type.upper()} port found: {str(port)}. '
f'Further investigation recommended.',
AlertType.PRIVACY, Severity.INFO)
alert_obj.device_mac = mac
alert_obj.device_ip = ip
alert_obj.alert()
if port in ports_severe_alert:
alert_obj = Alert(
None,
f'Very suspicious open {port_type.upper()} port found: {str(port)}. '
f'Further investigation required.', AlertType.PRIVACY,
Severity.ALERT)
alert_obj.device_mac = mac
alert_obj.device_ip = ip
alert_obj.alert()
def __regex_alert(self, regex_string, alert_string, vuln_target):
"""
Scan the payload with the given regex string and alert if necessary
:param regex_string: The regex string to scan the paylaod with
:param alert_string: The string to pass into the Alert object as the description for the event
:param vuln_target: Either "src" or "dst", depending on where the plaintext vulnerability originiated from
"""
if re.search(regex_string, self.payload):
alert_regex = Alert(None, alert_string, AlertType.PRIVACY,
Severity.ALERT)
alert_regex.device_mac = self.packet[Ether][vuln_target]
alert_regex.device_ip = self.packet[IP][vuln_target]
alert_regex.alert()
def __call__(self, packet_input: Packet):
"""
Handles the privacy detection process and alerting
:param packet_input: The current packet to analyze
"""
self.packet = packet_input
is_TCP = self.packet.haslayer(TCP)
is_UDP = self.packet.haslayer(UDP)
# Perform TCP and UDP checks
if is_TCP or is_UDP:
proto_type = TCP if is_TCP else UDP
# Scan for using port 80 and the plaintext for privacy leaks
if (self.packet[proto_type].dport
== 80) or (self.packet[proto_type].sport == 80):
alert_port_80 = Alert(None,
"Sending data over unencrypted port.",
AlertType.PRIVACY, Severity.ALERT)
if self.packet[proto_type].dport == 80:
vuln_target = "dst"
else:
vuln_target = "src"
alert_port_80.device_mac = self.packet[Ether][vuln_target]
alert_port_80.device_ip = self.packet[IP][vuln_target]
alert_port_80.alert()
self.__scan_plaintext(proto_type, vuln_target)
# Monitor suspicious ports
if self.packet[proto_type].dport in suspicious_ports:
alert_suspicious_ports = Alert(
None, "Suspicious destination port used: " +
str(self.packet[proto_type].dport), AlertType.PRIVACY,
Severity.WARN)
alert_suspicious_ports.device_mac = self.packet[Ether].dst
alert_suspicious_ports.device_ip = self.packet[IP].dst
alert_suspicious_ports.alert()
def __scan_plaintext(self, proto_type, vuln_target):
"""
Scan plaintext for privacy leaks and alert on findings: credit cards, social security numbers, emails,
and suspicious keywords. Note that there is a chance for false positives with credit cards and SSNs,
because they're just numbers
:param proto_type: Either TCP or UDP
:param vuln_target: Either "src" or "dst", depending on where the plaintext vulnerability originiated from
"""
# Try to get the payload
try:
self.payload = str(self.packet[proto_type].payload)
except Exception as e:
run_config.log_event.info('Exception raised: ' + str(e))
return
# Use a regex to look for credit cards, needs a non-number before and after the numbers
self.__regex_alert(
"[\D](?:[0-9]{4}-){3}[0-9]{4}[\D]|[\D][0-9]{16}[\D]",
"Credit card information found in a "
"plaintext packet.", vuln_target)
# Use a regex to look for SSNs, needs a non-number before and after the numbers
self.__regex_alert(
"[\D][0-9]{9}[\D]|[\D][0-9]{3}-[0-9]{2}-[0-9]{4}[\D]",
"SSN information found in a "
"plaintext packet.", vuln_target)
# Use a regex to look for emails - this is not a huge privacy leak, but still mentionable
# The email will not be included in the alert for privacy reasons
self.__regex_alert("[^@]+@[^@]+\.[^@]+",
"Email information found in a plaintext packet.",
vuln_target)
# Search for specific words to alert on
for keyword in suspicious_strings:
if keyword in self.payload:
alert_keyword = Alert(
None,
f'Suspicious keyword found in a plaintext packet: {keyword}',
AlertType.PRIVACY, Severity.ALERT)
alert_keyword.device_mac = self.packet[Ether][vuln_target]
alert_keyword.device_ip = self.packet[IP][vuln_target]
alert_keyword.alert()