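def detect_os_scan(self, packet):
    """
    Detect possible OS fingerprinting scan.

    A TCP segment whose flag string contains both SYN and FIN is treated
    as a fingerprinting probe. For its source IP this method updates the
    eligibility trace, adds or removes an iptables DROP rule depending on
    that trace, records the destination port in ``self.os_scan`` and then
    asks ``self.calc_intrusion`` to evaluate the accumulated records.

    Args:
        packet (scapy_object): Packet to dissect and observe

    Raises:
        None

    Returns:
        None
    """
    # Function-scope import keeps the method self-contained; only the
    # standard library is needed to validate an IP literal.
    import ipaddress

    if packet is None:
        return

    if packet.haslayer(scapy.TCP):
        flag = str(packet[scapy.TCP].flags)
        # Scapy may render the two bits in either order.
        if "SF" in flag or "FS" in flag:
            packet_ip = None
            try:
                packet_ip = str(packet[scapy.IP].src)
            except Exception as e:
                # If IP layer is missing
                self.logger.log(
                    "Error occurred: " + str(e),
                    logtype="error"
                )
            if packet_ip:
                # Exponential moving average toward 1: each probe pushes the
                # trace up by _SEVERITY_FACTOR of the remaining distance.
                # NOTE(review): this indexes eligibility_trace directly, so an
                # unseen IP raises KeyError unless the mapping provides a
                # default (e.g. defaultdict) — confirm in __init__.
                self.eligibility_trace[packet_ip] = (
                    (1 - self._SEVERITY_FACTOR) * self.eligibility_trace[packet_ip]
                    + self._SEVERITY_FACTOR
                )
                # packet_ip is attacker-controlled and is interpolated into a
                # shell command string, so refuse anything that is not a
                # plain IP literal before it reaches iptables.
                try:
                    ipaddress.ip_address(packet_ip)
                    ip_is_valid = True
                except ValueError:
                    ip_is_valid = False
                    self.logger.log(
                        "Skipping iptables update for unparseable source address: "
                        + repr(packet_ip),
                        logtype="error"
                    )
                if ip_is_valid:
                    # NOTE(review): "-A" is issued on every matching packet, so
                    # duplicate DROP rules accumulate until "-D" removes them one
                    # at a time; also confirm the threshold orientation (block at
                    # or below, unblock above) is the intended one.
                    if self.eligibility_trace[packet_ip] <= self._ELIGIBILITY_THRESHOLD:
                        utils.excecute_command("iptables -A INPUT -s " + packet_ip + " -j DROP")
                    else:
                        utils.excecute_command("iptables -D INPUT -s " + packet_ip + " -j DROP")
                    utils.excecute_command("iptables-save")
                try:
                    # Check if the IP exists in the dict or not
                    record = self.os_scan[packet_ip]
                    count = record["count"]
                    new_port = int(packet[scapy.TCP].dport)
                    if new_port not in record["ports"]:
                        record["ports"].append(new_port)
                    record["count"] = count + 1
                except KeyError:
                    # Packet from a new IP address
                    self.os_scan[packet_ip] = {
                        "start_time": time.time(),
                        "count": 1,
                        "ports": [int(packet[scapy.TCP].dport)]
                    }
                except Exception as e:
                    self.logger.log(
                        "Error occurred: " + str(e),
                        logtype="error"
                    )

    # Check if there has been an intrusion attack
    self.calc_intrusion(scan_dict=self.os_scan,
                        msg="OS Fingerprinting Scan detected")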
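def detect_icmp(self, packet=None):
    """
    Detect possible ICMP scan.

    An ICMP echo request (type 8) sent to the Ethernet broadcast address
    is counted against its source IP. The eligibility trace for that IP is
    updated and an iptables DROP rule is added or removed depending on the
    trace; then every recorded IP is checked for a request rate above
    ``self._THRESHOLD`` and a warning is logged for each offender.

    Args:
        packet (scapy_object): Packet to dissect and observe

    Raises:
        None

    Returns:
        None
    """
    # Function-scope import keeps the method self-contained; only the
    # standard library is needed to validate an IP literal.
    import ipaddress

    if packet is None:
        return

    if packet.haslayer(scapy.ICMP) and packet.haslayer(scapy.Ether):
        dst = str(packet[scapy.Ether].dst)
        if dst == "ff:ff:ff:ff:ff:ff" and int(packet[scapy.ICMP].type) == 8:
            packet_ip = None
            try:
                packet_ip = str(packet[scapy.IP].src)
            except Exception as e:
                # If IP layer is missing
                self.logger.log(
                    "Error occurred: " + str(e),
                    logtype="error"
                )
            if packet_ip:
                # Exponential moving average toward 1: each probe pushes the
                # trace up by _SEVERITY_FACTOR of the remaining distance.
                # NOTE(review): this indexes eligibility_trace directly, so an
                # unseen IP raises KeyError unless the mapping provides a
                # default (e.g. defaultdict) — confirm in __init__.
                self.eligibility_trace[packet_ip] = (
                    (1 - self._SEVERITY_FACTOR) * self.eligibility_trace[packet_ip]
                    + self._SEVERITY_FACTOR
                )
                # packet_ip is attacker-controlled and is interpolated into a
                # shell command string, so refuse anything that is not a
                # plain IP literal before it reaches iptables.
                try:
                    ipaddress.ip_address(packet_ip)
                    ip_is_valid = True
                except ValueError:
                    ip_is_valid = False
                    self.logger.log(
                        "Skipping iptables update for unparseable source address: "
                        + repr(packet_ip),
                        logtype="error"
                    )
                if ip_is_valid:
                    # NOTE(review): "-A" is issued on every matching packet, so
                    # duplicate DROP rules accumulate until "-D" removes them one
                    # at a time; also confirm the threshold orientation (block at
                    # or below, unblock above) is the intended one.
                    if self.eligibility_trace[packet_ip] <= self._ELIGIBILITY_THRESHOLD:
                        utils.excecute_command("iptables -A INPUT -s " + packet_ip + " -j DROP")
                    else:
                        utils.excecute_command("iptables -D INPUT -s " + packet_ip + " -j DROP")
                    utils.excecute_command("iptables-save")
                try:
                    # Check if the IP exists in the dict or not.
                    # Bug fix: the original wrote "sellf.icmp_scan[...]", a
                    # NameError swallowed by the generic handler below, so the
                    # count never advanced for an IP already on record.
                    count = self.icmp_scan[packet_ip]["count"]
                    self.icmp_scan[packet_ip]["count"] = count + 1
                except KeyError:
                    # Packet from a new IP address
                    self.icmp_scan[packet_ip] = {
                        "start_time": time.time(),
                        "count": 1
                    }
                except Exception as e:
                    self.logger.log(
                        "Error occurred: " + str(e),
                        logtype="error"
                    )

    # Check if there has been an intrusion attack.
    # One timestamp for the whole pass so every IP is rated against the
    # same clock reading.
    current_time = time.time()
    for key, record in self.icmp_scan.items():
        delta_time = int(current_time - record["start_time"])
        count = int(record["count"])
        try:
            calc_threshold = int(count / delta_time)
        except ZeroDivisionError:
            # Less than a second since the first packet: use the raw count.
            calc_threshold = int(count)
        if calc_threshold > self._THRESHOLD:
            self.logger.log(
                "ICMP Scan detected from: " + str(key),
                logtype="warning"
            )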