def __init__(self, debug=False, interface=None):
"""
Initialize R2LEngine.
Args:
interface (str): Name of interface on which to monitor
debug (bool): Log on terminal or not
Raises:
None
Returns:
None
"""
# Create objects of all the imported class
self.arp_spoof = ARPCache(debug=debug)
self.cam_attack = CAM(debug=debug)
self.dhcp = DHCP(debug=debug)
self.ping_of_death = PingOfDeath(debug=debug)
self.land_attack = LandAttack(debug=debug)
self.ddos = DDoS(debug=debug)
self.syn_flood = SynFlood(debug=debug)
self.dns_amp = DNS_Amplification(debug=debug)
self.bgp_abuse = BGP_Abuse(debug=debug)
# Wireless
self.deauth = Deauth(debug=debug)
self.fake_access = FakeAccessPoint(debug=debug)
self.hidden_node = HiddenNode(debug=debug)
self.ssid_spoof = SSIDSpoof(debug=debug, interface=interface)
class R2LEngine(object):
"""R2LEngine class."""
def __init__(self, debug=False, interface=None):
"""
Initialize R2LEngine.
Args:
interface (str): Name of interface on which to monitor
debug (bool): Log on terminal or not
Raises:
None
Returns:
None
"""
# Create objects of all the imported class
self.arp_spoof = ARPCache(debug=debug)
self.cam_attack = CAM(debug=debug)
self.dhcp = DHCP(debug=debug)
self.ping_of_death = PingOfDeath(debug=debug)
self.land_attack = LandAttack(debug=debug)
self.ddos = DDoS(debug=debug)
self.syn_flood = SynFlood(debug=debug)
# Wireless
self.deauth = Deauth(debug=debug)
self.fake_access = FakeAccessPoint(debug=debug)
self.hidden_node = HiddenNode(debug=debug)
self.ssid_spoof = SSIDSpoof(debug=debug, interface=interface)
def run(self, pkt):
"""
Pass the packet through all the
filter rules.
Args:
pkt (scapy_object): Packet to dissect and observe
Raises:
None
Returns:
None
"""
# Pass the packets
self.arp_spoof.proces_packet(pkt)
self.cam_attack.detect_cam(pkt)
self.dhcp.detect_dhcp(pkt)
self.land_attack.detect_land_attack(pkt)
self.ping_of_death.detect(pkt)
self.ddos.classify_ddos(pkt)
self.syn_flood.detect_syn_flood(pkt)
# Wireless
self.deauth.detect_deauth(pkt)
self.fake_access.detect_fake_ap(pkt)
self.hidden_node.detect_hidden_node(pkt)
self.ssid_spoof.start_process()
def setUp(self):
"""
Setup class for SynFlood.
"""
# Packet with SYN flag
self.pkt1 = scapy.IP(src="192.168.0.1") \
/ scapy.TCP(flags="S")
# Packet with ACK flag (handshake completed)
self.pkt2 = scapy.IP(src="192.168.0.1") \
/ scapy.TCP(flags="A")
# Create SynFlood object
self.syn_flood = SynFlood()
class TestSynFlood(unittest.TestCase):
"""
Test class for SecureTea IDS SYN Flood Attack Detection.
"""
def setUp(self):
"""
Setup class for SynFlood.
"""
# Packet with SYN flag
self.pkt1 = scapy.IP(src="192.168.0.1") \
/ scapy.TCP(flags="S")
# Packet with ACK flag (handshake completed)
self.pkt2 = scapy.IP(src="192.168.0.1") \
/ scapy.TCP(flags="A")
# Create SynFlood object
self.syn_flood = SynFlood()
@patch("securetea.lib.ids.r2l_rules.syn_flood.time.time")
def test_detect_syn_flood(self, mock_time):
"""
Test detect_syn_flood.
"""
mock_time.return_value = 10
# Pass SYN packet, it should be added to dict
self.syn_flood.detect_syn_flood(self.pkt1)
self.assertTrue(self.syn_flood.syn_dict.get("192.168.0.1"))
temp_dict = {"start_time": 10, "count": 1}
self.assertEqual(self.syn_flood.syn_dict["192.168.0.1"], temp_dict)
# Pass ACK packet, IP entry should be removed now
# as handshake is completed, hence not suspicious
self.syn_flood.detect_syn_flood(self.pkt2)
self.assertFalse(self.syn_flood.syn_dict.get("192.168.0.1"))
@patch("securetea.lib.ids.r2l_rules.syn_flood.time.time")
@patch.object(SecureTeaLogger, 'log')
def test_calc_intrusion(self, mock_log, mock_time):
"""
Test calc_intrusion.
"""
mock_time.return_value = 11
# Replicate a non attack SYN packet flow
for _ in range(10):
self.syn_flood.syn_dict[str(scapy.RandIP())] = {
"start_time": 10,
"count": 1
}
self.syn_flood.calc_intrusion()
self.assertFalse(mock_log.called)
# Replicate a SYN Flood attack
for _ in range(2000):
self.syn_flood.syn_dict[str(scapy.RandIP())] = {
"start_time": 10,
"count": 1
}
self.syn_flood.calc_intrusion()
mock_log.assert_called_with("Possible SYN flood attack detected.",
logtype="warning")