def behavioral_detection(file=None, **kwargs):
"""
Gratuitous ARP detection function
Observes the behavior of the ARP traffic on the network, and flags packets contributing to an abnormal
ARP reply to ARP request ratio.
"""
capture = sniffer.get_capture(file, **kwargs)
was_detected = False
previous_arp_type = None
current_arp_type = None
concurrent_arp_reply_count = 0
request = '1'
reply = '2'
for packet in capture:
if 'arp' in packet:
current_arp_type = packet.arp.opcode
if current_arp_type == reply: # if current ARP message is a reply
if previous_arp_type == request: # if the previous ARP message was a request
# clear the previous message and move on
previous_arp_type = current_arp_type
concurrent_arp_reply_count = 0
else: # if the previous ARP was a reply
concurrent_arp_reply_count += 1
if concurrent_arp_reply_count > CONCURRENT_ARP_REPLY_THRESHOLD: # when the number of concurrent replies reaches Threshold
print("GRATUITOUS ARP DETECTED!!! FLAGGED PACKET:",
packet.number)
was_detected = True
else: # if current ARP message it is a request
previous_arp_type = request
return was_detected
def heuristic_detection(file=None, **kwargs):
"""
ARP Poisoning host discovery detection function
Observes ARP traffic, looking for an abnormal number of concurrent ARP requests.
Given a specific threshold defined as "CONCURRENT_ARP_REPLY_THRESHOLD", this function
counts the number concurrent ARP requests and compares it to the threshold. If the
count exceeds the threshold, each following ARP request from the sender is flagged
as an ARP Poisoning packet and a warning is issued and returned to the ids system.
"""
capture = sniffer.get_capture(file, **kwargs)
was_detected = False
host_in_question = ""
concurrent_arp_req_count = 0
arp_req_threshold = 30
request = '1'
reply = '2'
for packet in capture:
if 'arp' in packet: #if it is an ARP packet
if packet.arp.opcode == request: # if the arp packet is an arp request
if host_in_question == "":
host_in_question = packet.eth.src # set first MAC SRC address for ARP messages
elif host_in_question == packet.eth.src: # if the current mac equals the previous mac
concurrent_arp_req_count += 1
else:
host_in_question = packet.eth.src
concurrent_arp_req_count = 0
# if the number of concurrent arp_requests with the same src exceeds our threshold there's a problem
if concurrent_arp_req_count >= arp_req_threshold:
print("ARP POISONING DETECTED!!! FLAGGED PACKET:",
packet.number)
was_detected = True
return was_detected
def behavioral_detection(file=None, **kwargs):
"""
function to detect responders spoofing attacks
assumes that only one IP is acting as the domain controller and
assume as an admin you know the IP
"""
capture = sniffer.get_capture(file, **kwargs)
detected = False
for packet in capture:
# ensure packet is either an 'NBNS' or 'LLMNR'
# as responder attacks run through these protocols
try:
if ('nbns' in packet
or 'llmnr' in packet) and packet.ip.src != DOMAIN_IP:
print(
f'Responder ATTACK deteced in packet number: {packet.number}'
)
detected = True
except AttributeError:
# some LLMNR packets are transmitted via link layer and not the internet layer
# meaning they only have MAC addresses and not IP
pass
return detected
def signature_detection(file=None, **kwargs):
"""
ms17_010_psexec detection function
Uses the detection of monitoring if a packet
contains SMB files and is looking to access
the path to the ICP$ or ADMIN$ shares.
"""
capture = sniffer.get_capture(file, **kwargs)
for packet in capture:
if ('SMB' in packet):
smb = packet.smb
if ("path" in dir(smb)):
path = smb.path
if (("IPC$" in path) or ("ADMIN$" in path)):
print("MS_010_psexec detected in packet:" +
str(packet.number))
def xmas_signature_detection(file=None, **kwargs):
"""
xmas detection function
uses the signature of TCP Flag == 0x29
"""
capture = sniffer.get_capture(file, **kwargs)
detected = False
for packet in capture:
# ensure packet is TCP as xmas attacks run over TCP
if packet.transport_layer == 'TCP':
# ensure that the only flags set are the push, urgent, and final flags
# usually those flags should not be set, and if they are its probably
# an xmas attack
if int(packet.tcp.flags, 16) == 41: # '0x00000029'
print(f'XMAS ATTACK in packet number: {packet.number}')
detected = True
return detected
def dns_spoofing_detector(file=None, **kwargs):
"""
DNS spoofing detector function
Observes ongoing DNS traffic. Assuming the IDS user has provided the MAC address of the
legitimate gateway, this function observes the MAC address of the host actively
responding the DNS requests. If the MAC address of the active DNS responder does not
match the provided MAC address, an attacker is spoofing DNS.
"""
capture = sniffer.get_capture(file, **kwargs)
was_detected = False
packet_src = None
packet_dst = None
for packet in capture:
if 'DNS' in packet:
packet_src = packet.eth.src
packet_dst = packet.eth.dst
if packet_dst != NETWORK_GATEWAY_ADDRESS and packet_src != NETWORK_GATEWAY_ADDRESS:
print("DNS SPOOFING DETECTED!!! Packet Number:", packet.number)
print("src ip:", packet.ip.src, "src mac:", packet.eth.src)
print("dst ip:", packet.ip.dst, "dst mac:", packet.eth.dst)
was_detected = True
return was_detected
def syn_heuristic_detection(file=None, **kwargs):
"""
syn detection function
uses the heursitic of uniq ports > MAX_UNIQUE_PORTS and if
TCP flag == 0x2
"""
capture = sniffer.get_capture(file, **kwargs)
uniq_ip = collections.defaultdict(set)
detected = False
for packet in capture:
# ensure packet is using TCP as syn attacks run over TCP
if packet.transport_layer == 'TCP':
# ensure packet is only setting the SYN flag
if int(packet.tcp.flags, 16) == 2:
uniq_ip[packet.ip.addr].add(packet.tcp.dstport)
# if the number of unique dst ports are more than MAX_UNIQUE_PORTS flag it
if len(uniq_ip[packet.ip.addr]) > MAX_UNIQUE_PORTS:
print(f'SYN ATTACK in packet number: {packet.number}')
detected = True
return detected