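def check_ping_of_death(self, pkt, attack_type, size_threshold=64):
    """Report an oversized ICMP packet addressed to this host.

    Args:
        pkt: pyshark-style packet; layers are tested with ``'ip' in pkt``
            and fields read as ``pkt.ip.dst``, ``pkt.length`` etc.
        attack_type: key handed to ``process_pkt_counter`` for the
            per-attack-type counters kept on ``self``.
        size_threshold: frame length (``pkt.length``, bytes) above which the
            packet is reported. Defaults to 64, the value that used to be
            hard-coded here.

    Returns:
        None. A hit updates the counter, writes a log entry and stores a
        row through ``insert_packet_info``.
    """
    addressed_here = ('ip' in pkt and pkt.ip.dst == self.get_ip()) or \
                     ('ipv6' in pkt and pkt.ipv6.dst == self.get_ipv6())
    if not addressed_here:
        return
    # The rule is about ICMP echo traffic; without this guard any frame
    # larger than the threshold (a TCP segment carrying data, for instance)
    # was reported as a ping of death.
    if 'icmp' not in pkt and 'icmpv6' not in pkt:
        return
    if int(pkt.length) <= size_threshold:
        return
    self.process_pkt_counter(pkt, attack_type)
    self.logger.info("----------------------------------------------------------------------------------")
    self.logger.critical("BAD TRAFFIC : POTENTIAL ICMP PING OF DEATH ATTACK")
    self.print_logger(pkt)
    # Address columns fall back to 0 when neither IP layer is present,
    # matching the layout the other check_* methods write.
    src_addr = str(pkt.ip.src) if 'ip' in pkt else str(pkt.ipv6.src) if 'ipv6' in pkt else 0
    dst_addr = str(pkt.ip.dst) if 'ip' in pkt else str(pkt.ipv6.dst) if 'ipv6' in pkt else 0
    insert_packet_info((
        int(pkt.frame_info.number),
        str(pkt.frame_info.time),
        src_addr,
        0,
        dst_addr,
        0,
        int(pkt.length),
        "BAD TRAFFIC : POTENTIAL ICMP PING OF DEATH ATTACK",
    ))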
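def check_http_payload_injection(self, pkt, attack_type, target_ip="10.0.0.227"):
    """Report an HTTP request whose full URI contains one of ``self.xss_check``.

    Args:
        pkt: pyshark-style packet.
        attack_type: key handed to ``process_pkt_counter``.
        target_ip: IPv4 destination the rule applies to. Defaults to the
            address that was previously hard-coded here; the sibling
            check_* methods compare against ``self.get_ip()`` instead, so
            callers wanting the same behaviour pass that explicitly.

    Returns:
        None. A hit updates the counter once, writes a log entry and stores
        a row through ``insert_packet_info``.
    """
    # Only IPv4 traffic to the monitored address is inspected, and only when
    # an HTTP layer was dissected: non-HTTP packets used to raise
    # AttributeError on ``pkt.http``.
    if 'ip' not in pkt or pkt.ip.dst != target_ip or 'http' not in pkt:
        return
    # Responses carry no request URI; skip them instead of raising.
    request_uri = getattr(pkt.http, 'request_full_uri', None)
    if request_uri is None:
        return
    # Plain substring match, no URL-decoding or case folding is applied
    # before comparison.
    uri = str(request_uri)
    if not any(pattern in uri for pattern in self.xss_check):
        return
    # One packet is counted and logged once, regardless of how many
    # patterns it happens to contain (the loop used to fire per pattern).
    self.process_pkt_counter(pkt, attack_type)
    self.logger.info(
        "--------------------------------------------------------------------------------------------------------------------"
    )
    self.logger.warning("BAD PACKET : HTTP PAYLOAD INJECTION")
    self.print_logger(pkt)
    src_addr = str(pkt.ip.src) if 'ip' in pkt else str(pkt.ipv6.src) if 'ipv6' in pkt else 0
    dst_addr = str(pkt.ip.dst) if 'ip' in pkt else str(pkt.ipv6.dst) if 'ipv6' in pkt else 0
    insert_packet_info((
        int(pkt.frame_info.number),
        str(pkt.frame_info.time),
        src_addr,
        0,
        dst_addr,
        0,
        int(pkt.length),
        "BAD PACKET : HTTP PAYLOAD INJECTION",
    ))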
def check_icmp_flood(self, pkt, attack_type):
    """Count packets to this host per time slot and report a slot over ``self.threshold``.

    Args:
        pkt: pyshark-style packet.
        attack_type: key into ``pkt_time_slot_dict``, ``first_pkt_time_dict``
            and ``pkt_counter_dict`` on ``self``, also handed to
            ``process_pkt_counter``.

    Returns:
        None. Side effects are the counter update done by
        ``process_pkt_counter``, a possible reset of the previous slot's
        counter, and on a hit a log entry plus an ``insert_packet_info`` row.
    """
    # Resolved before the destination test, as the original did.
    counter_key = self.get_pkt_counter_key(attack_type)
    addressed_here = ('ip' in pkt and pkt.ip.dst == self.get_ip()) or \
                     ('ipv6' in pkt and pkt.ipv6.dst == self.get_ipv6())
    if not addressed_here:
        return

    def slot_index():
        # Slot offset relative to the first packet seen for this attack type;
        # presumably ``process_pkt_counter`` advances pkt_time_slot_dict.
        return self.pkt_time_slot_dict[attack_type][1] - self.first_pkt_time_dict[attack_type]

    previous_slot = slot_index()
    self.process_pkt_counter(pkt, attack_type)
    active_slot = slot_index()
    counters = self.pkt_counter_dict[attack_type]
    # On a slot change, a previous slot that stayed within the threshold is
    # zeroed; one that exceeded it is left as is.
    slot_changed = previous_slot != active_slot
    if slot_changed and counters[previous_slot][counter_key] <= self.threshold:
        counters[previous_slot][counter_key] = 0
    if counters[active_slot][counter_key] <= self.threshold:
        return
    self.logger.info(
        "--------------------------------------------------------------------------------------------------------------------")
    self.logger.critical("BAD TRAFFIC : POTENTIAL ICMP FLOODING ATTACK")
    self.print_logger(pkt)
    src_addr = str(pkt.ip.src) if 'ip' in pkt else str(pkt.ipv6.src) if 'ipv6' in pkt else 0
    dst_addr = str(pkt.ip.dst) if 'ip' in pkt else str(pkt.ipv6.dst) if 'ipv6' in pkt else 0
    insert_packet_info((
        int(pkt.frame_info.number),
        str(pkt.frame_info.time),
        src_addr,
        0,
        dst_addr,
        0,
        int(pkt.length),
        "BAD TRAFFIC : POTENTIAL ICMP FLOODING ATTACK",
    ))
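def check_syn_flood(self, pkt, attack_type, threshold=0):
    """Count inbound initial SYNs per time slot and report a slot over ``threshold``.

    Args:
        pkt: pyshark-style packet.
        attack_type: key into ``pkt_time_slot_dict``, ``first_pkt_time_dict``
            and ``pkt_counter_dict`` on ``self``, also handed to
            ``process_pkt_counter``.
        threshold: per-slot SYN count above which the slot is reported.
            Defaults to 0 (the value that used to be hard-coded), i.e. a
            single initial SYN in a slot is reported; ``check_icmp_flood``
            uses ``self.threshold`` for the same role.

    Returns:
        None. Side effects are the counter update done by
        ``process_pkt_counter``, a possible reset of the previous slot's
        counter, and on a hit a log entry plus an ``insert_packet_info`` row.
    """
    # Resolved before the destination test, as the original did.
    pkt_counter_key = self.get_pkt_counter_key(attack_type)
    # Non-TCP packets have no ``tcp`` layer; reading ``pkt.tcp`` used to
    # raise AttributeError for them.
    if 'tcp' not in pkt:
        return
    addressed_here = ('ip' in pkt and pkt.ip.dst == self.get_ip()) or \
                     ('ipv6' in pkt and pkt.ipv6.dst == self.get_ipv6())
    if not addressed_here:
        return
    # seq '0' with SYN set: the first segment of a stream. NOTE(review):
    # this presumably relies on the dissector's relative sequence numbers;
    # confirm the capture settings.
    if not (pkt.tcp.seq == '0' and pkt.tcp.flags_syn == '1'):
        return
    prev_time_slot = self.pkt_time_slot_dict[attack_type][1] - self.first_pkt_time_dict[attack_type]
    self.process_pkt_counter(pkt, attack_type)
    current_slot = self.pkt_time_slot_dict[attack_type][1] - self.first_pkt_time_dict[attack_type]
    counters = self.pkt_counter_dict[attack_type]
    # On a slot change, a previous slot that stayed within the threshold is
    # zeroed; one that exceeded it is left as is.
    if prev_time_slot != current_slot and counters[prev_time_slot][pkt_counter_key] <= threshold:
        counters[prev_time_slot][pkt_counter_key] = 0
    if counters[current_slot][pkt_counter_key] <= threshold:
        return
    self.logger.info("--------------------------------------------------------------------------------------------------------------------")
    self.logger.critical("BAD TRAFFIC : POTENTIAL SYN FLOODING ATTACK")
    self.print_logger(pkt)
    self.logger.debug("Source Port : %s", pkt.tcp.srcport)
    self.logger.debug("Destination Port : %s", pkt.tcp.dstport)
    src_addr = str(pkt.ip.src) if 'ip' in pkt else str(pkt.ipv6.src) if 'ipv6' in pkt else 0
    dst_addr = str(pkt.ip.dst) if 'ip' in pkt else str(pkt.ipv6.dst) if 'ipv6' in pkt else 0
    insert_packet_info((
        int(pkt.frame_info.number),
        str(pkt.frame_info.time),
        src_addr,
        int(pkt.tcp.srcport),
        dst_addr,
        int(pkt.tcp.dstport),
        int(pkt.length),
        "BAD TRAFFIC : POTENTIAL SYN FLOODING ATTACK",
    ))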
tcp_stream.add(key) for pkt in cap: if "tcp" in pkt and pkt.tcp.stream in tcp_stream: if len(tcp_stream) > 2: logger.info( "------------------------------------------------------------------------------------------------------------------------------------------------" ) logger.critical("BAD TRAFFIC : POTENTIAL SYN SCAN ATTACK") print_logger(pkt) logger.debug("Source Port : %s", pkt.tcp.srcport) logger.debug("Destination Port : %s", pkt.tcp.dstport) insert_packet_info( (int(pkt.frame_info.number), str(pkt.frame_info.time), str(pkt.ip.src) if 'ip' in pkt else str(pkt.ipv6.src) if 'ipv6' in pkt else 0, int(pkt.tcp.srcport), str(pkt.ip.dst) if 'ip' in pkt else str(pkt.ipv6.dst) if 'ipv6' in pkt else 0, int(pkt.tcp.dstport), int(pkt.length), "BAD TRAFFIC : POTENTIAL SYN SCAN ATTACK")) start_timestamp = 0.0 for pkt in cap: if "tcp" in pkt and pkt.tcp.stream in tcp_stream: start_timestamp = float(pkt.frame_info.time_epoch) break end_timestamp = start_timestamp + 1 relative_timestamp = 0.0 firstPkt_timestamp = start_timestamp incoming_traffic_plot = []