def detect(self, pkt): """ Detect ping of death attack by calculating load threshold. Args: pkt (scapy_object): Packet to dissect and observe Raises: None Returns: None """ if (pkt.haslayer(scapy.IP) and pkt.haslayer(scapy.ICMP)): # If packet has load if pkt.haslayer(scapy.Raw): load_len = len(pkt[scapy.Raw].load) if (load_len >= self._THRESHOLD): source_ip = pkt[scapy.IP].src msg = "Possible ping of death attack detected " \ "from: {}".format(source_ip) self.logger.log(msg, logtype="warning") # Generate CSV report using OSINT tools self.osint_obj.perform_osint_scan(source_ip.strip(" ")) # Write malicious IP to file write_mal_ip(str(source_ip).strip(" "))
def detect_port_scan(self, data): """ Detect possible Port Scan recon attacks. Look for a possible port scan user agent payload in the user agent field. Args: data (dict): Parsed log file data Raises: None Returns: None """ for ip in data.keys(): user_agent = data[ip]["ua"] if (self.payload_match(user_agent)): if ip not in self.logged_IP: self.logged_IP.append(ip) last_time = data[ip]["ep_time"][0] msg = "Possible port scan detected from: " + str(ip) + \ " on: " + utils.epoch_to_date(last_time) self.logger.log(msg, logtype="warning") utils.write_ip(str(ip)) # Generate CSV report using OSINT tools self.osint_obj.perform_osint_scan(ip.strip(" ")) # Write malicious IP to file, to teach Firewall about the IP write_mal_ip(ip.strip(" "))
def detect_web_shell(self, data): """ Detect possible Web Shell attacks. Use string comparison to scan GET request with the list of possible web shell payloads. Args: data (dict): Parsed log file data Raises: None Returns: None """ for ip in data.keys(): get_req = data[ip]["get"] if (self.payload_match(get_req)): if ip not in self.logged_IP: # if not logged earlier self.logged_IP.append(ip) last_time = data[ip]["ep_time"][0] msg = "Possible web shell detected from: " + str(ip) + \ " on: " + str(utils.epoch_to_date(last_time)) self.logger.log(msg, logtype="warning") utils.write_ip(str(ip)) # Generate CSV report using OSINT tools self.osint_obj.perform_osint_scan(ip.strip(" ")) # Write malicious IP to file, to teach Firewall about the IP write_mal_ip(ip.strip(" "))
def detect_port_scan(self): """ Detect port scan by comparing the calculated ratio with the set threshold. Args: None Raises: None Returns: None """ for ip in self.ip_dict.keys(): count = self.ip_dict[ip]["count"] last_time = self.ip_dict[ip]["last_time"] current_time = time.time() try: delta_time = int(current_time - last_time) calc_threshold = count / delta_time except ZeroDivisionError: calc_threshold = int(count) if calc_threshold > self.THRESHOLD: msg = "Possible port scan detected from: " \ + ip.split(self.SALT)[0] + " on " \ + ip.split(self.SALT)[1] self.logger.log(msg, logtype="warning") # Generate CSV report using OSINT tools self.osint_obj.perform_osint_scan( ip.split(self.SALT)[0].strip(" ")) # Write malicious IP to file, to teach Firewall about the IP write_mal_ip(ip.split(self.SALT)[0].strip(" "))
def calc_intrusion(self, scan_dict, msg): """ Detect intrusion by comparing observed and expected threshold ratio. Args: scan_dict (dict): IP dictionary msg (str): Message to display when intrusion is detected Raises: None Returns: None """ for key in scan_dict.keys(): current_time = time.time() start_time = scan_dict[key]["start_time"] port_len = len(scan_dict[key]["ports"]) count = scan_dict[key]["count"] delta_time = int(current_time - start_time) try: calc_threshold = int(port_len / delta_time) except ZeroDivisionError: calc_threshold = int(port_len) if (calc_threshold >= self._THRESHOLD or count >= self._COUNT): # Intrusion detected new_msg = msg + " from IP: " + str(key) self.logger.log(new_msg, logtype="warning") # Generate CSV report using OSINT tools self.osint_obj.perform_osint_scan(str(key).strip(" ")) # Write malicious IP to file write_mal_ip(str(key).strip(" "))
def detect_sqli(self, data): """ Detect possible SQL Injection (sqli) attacks. Use regex rules and string matching to detect SQLi attacks. 4 Level rules: - Simple regex - Hex regex - Payload string matching - URI encoded string matching Args: data (dict): Parsed log file data Raises: None Returns: None """ for ip in data.keys(): get_req = data[ip]["get"] last_time = data[ip]["ep_time"][0] if (self.payload_match(get_req) or self.regex_check(get_req)): if ip not in self.logged_IP: # if not logged earlier self.logged_IP.append(ip) msg = "Possible SQL injection (sqli) detected from: " + str(ip) + \ " on: " + str(utils.epoch_to_date(last_time)) self.logger.log(msg, logtype="warning") utils.write_ip(str(ip)) # Generate CSV report using OSINT tools self.osint_obj.perform_osint_scan(ip.strip(" ")) # Write malicious IP to file, to teach Firewall about the IP write_mal_ip(ip.strip(" "))
def check_ssh_bruteforce(self): """ Check for SSH brute-force by comparing the calculated ratio with the set threshold. Args: None Raises: None Returns: None """ for user in self.username_dict.keys(): no_of_ip = len(self.username_dict[user]["ip"]) count = self.username_dict[user]["count"] last_time = self.username_dict[user]["last_time"] current_time = time.time() try: delta_time = int(current_time - last_time) calc_threshold_ip = no_of_ip / delta_time calc_threshold_count = count / delta_time except ZeroDivisionError: calc_threshold_ip = int(no_of_ip) calc_threshold_count = int(count) if (calc_threshold_ip > self.THRESHOLD or calc_threshold_count > self.THRESHOLD): if no_of_ip == 1: # if a single IP in user list msg = "Possible SSH brute force detected for the user: "******" from: " + \ self.username_dict[user]["ip"][0] + " on: " + \ user.split(self.SALT)[1] self.logger.log( msg, logtype="warning" ) # Generate CSV report using OSINT tools self.osint_obj.perform_osint_scan(self.username_dict[user]["ip"][0].strip(" ")) # Write malicious IP to file, to teach Firewall about the IP write_mal_ip(self.username_dict[user]["ip"][0].strip(" ")) else: for ip in self.username_dict[user]["ip"]: msg = "Possible SSH brute force detected for the user: "******" from: " + ip + " on: " + \ user.split(self.SALT)[1] self.logger.log( msg, logtype="warning" ) # Generate CSV report using OSINT tools self.osint_obj.perform_osint_scan(ip.strip(" ")) # Write malicious IP to file, to teach Firewall about the IP write_mal_ip(ip.strip(" "))
def detect_ddos(self, data): """ Detect DoS attack. Classify DoS attack into two categories: - Single IP Single Port DoS Attack - Single IP Multiple Port DoS Attack Look for IP addresses having high number of GET request and a small time difference to predict SISP DoS attack. High number of alarms triggered for SISP DoS attack indicates MISP DoS attack. Args: data (dict): Parsed log file data Raises: None Returns: None """ for ip in data.keys(): count = data[ip]["count"] last_time = data[ip]["ep_time"][0] initial_time = data[ip]["ep_time"][int( len(data[ip]["ep_time"]) - 1)] delta = abs(int(last_time - initial_time)) try: calc_count_thresh = int(count / delta) except ZeroDivisionError: calc_count_thresh = int(count) if calc_count_thresh > self._SISP_THRESHOLD: # if crosses threshold, trigger alarm msg = "Possible Single IP DoS Attack Detected from: " + \ str(ip) + " on: " + utils.epoch_to_date(last_time) self.logger.log(msg, logtype="warning") if ip not in self.SISP_LIST: self.SISP_LIST.append(ip) # Generate CSV report using OSINT tools self.osint_obj.perform_osint_scan(ip.strip(" ")) # Write malicious IP to file, to teach Firewall about the IP write_mal_ip(ip.strip(" ")) if len(self.SISP_LIST ) > self._SIMP_THRESHOLD: # if no. of SISP is huge for ip in self.SISP_LIST: self.logger.log( "Possible Multiple IP DoS Attack Detected from: " + str(ip), logtype="warning")
def detect_spider(self, data): """ Detect possible Web Crawler / Spider / Bad user agents. High amount of unique GET request from an IP within a small period of time are likely to indicate a web crawler / spider. Look for bad user agents payload to guess a bad user agent. Args: data (dict): Parsed log file data Raises: None Returns: None """ for ip in data.keys(): count = data[ip]["count"] last_time = data[ip]["ep_time"][0] initial_time = data[ip]["ep_time"][int( len(data[ip]["ep_time"]) - 1)] delta = abs(int(last_time - initial_time)) try: calc_count_thresh = count / delta calc_get_thresh = len(data[ip]["unique_get"]) / delta except ZeroDivisionError: calc_count_thresh = count calc_get_thresh = len(data[ip]["unique_get"]) if (calc_count_thresh > self._THRESHOLD or calc_get_thresh > self._THRESHOLD or self.payload_match(data[ip]["ua"])): if ip not in self.logged_IP: self.logged_IP.append(ip) self.logger.log( "Possible web crawler / spider / bad user agent detected from: " + str(ip), logtype="warning") utils.write_ip(str(ip)) # Generate CSV report using OSINT tools self.osint_obj.perform_osint_scan(ip.strip(" ")) # Write malicious IP to file, to teach Firewall about the IP write_mal_ip(ip.strip(" "))
def detect_ssrf(self , data): """ Detects SSRF Args: data (dict): Parsed Log File Raises: None Returns: None """ for ip in data.keys(): get_req = data[ip]["get"] last_time = data[ip]["ep_time"][0] # extracting all the urls in path urls=re.findall(r"https?://(?:[-\w.]|(?:%[\da-fA-F]{2}))+", get_req[0]) for url in urls: resolved_ip=utils.resolver(url) if resolved_ip: if (self.rmatch(resolved_ip)): if ip not in self.logged_IP: # if not logged earlier self.logged_IP.append(ip) msg = "Possible SSRF detected From: " + str(ip) + \ " on: " + str(utils.epoch_to_date(last_time)) self.logger.log( msg, logtype="warning" ) utils.write_ip(str(ip)) # Generate CSV report using OSINT tools self.osint_obj.perform_osint_scan(ip.strip(" ")) # Write malicious IP to file, to teach Firewall about the IP write_mal_ip(ip.strip(" ")) if(self.payload_match(url) or self.regex_match(get_req)): if ip not in self.logged_IP: self.logged_IP.append(ip) msg = "Possible SSRF detected From " + str(ip) + \ " on: " + str(utils.epoch_to_date(last_time)) self.logger.log(msg,logtype="warning") utils.write_ip(str(ip)) # Generate CSV report using OSINT tools self.osint_obj.perform_osint_scan(ip.strip(" ")) # Write malicious IP to file, to teach Firewall about the IP write_mal_ip(ip.strip(" "))
def detect_fuzzer(self, data): """ Detect possible URL fuzzing attacks. High number of failure codes (400-500) range from an IP within a small period of time indicates a possible fuzzing attack. Args: data (dict): Parsed log file data Raises: None Returns: None """ for ip in data.keys(): status_code = data[ip]["status_code"] # Count failure attempts for that IP failure_count = self.count_failure(status_code) last_time = data[ip]["ep_time"][0] initial_time = data[ip]["ep_time"][int( len(data[ip]["ep_time"]) - 1)] delta = abs(int(last_time - initial_time)) try: calc_count_thresh = failure_count / delta calc_get_thresh = len(data[ip]["get"]) / delta except ZeroDivisionError: calc_count_thresh = failure_count calc_get_thresh = len(data[ip]["get"]) if (calc_count_thresh > self._THRESHOLD or calc_get_thresh > self._THRESHOLD): if ip not in self.logged_IP: self.logged_IP.append(ip) msg = "Possible URL fuzzing detected from: " + str(ip) + \ " on: " + utils.epoch_to_date(data[ip]["ep_time"][0]) self.logger.log(msg, logtype="warning") utils.write_ip(str(ip)) # Generate CSV report using OSINT tools self.osint_obj.perform_osint_scan(ip.strip(" ")) # Write malicious IP to file, to teach Firewall about the IP write_mal_ip(ip.strip(" "))
def test_write_mal_ip(mck_open): """ Test write_mal_ip. """ common.write_mal_ip("10.0.0.0") mck_open.assert_called_with('/etc/securetea/mal_ip.txt', 'a')