def get_RTP_features(self, features, T, S):
counter_flows = 0
self.fork_database()
flows = self.get_flows('RTP')
while True:
flow = next(flows)
self.logger.info('Getting features for flow \'{}\'..'.format(
flow[0]))
counter_flows += 1
pkts = self.DB.get_RTP_traffic_by_id(flow[0])
groups_PDU = self.get_counter_PDU(pkts)
if len(groups_PDU) < (features + T):
groups_PDU.clear()
self.logger.error(
'NSD_Flow \'{}\' does not have enough traffic.'.format(
flow[0]))
if not self.daemon:
self.SQ.put('KILL')
else:
feat = self.get_features(groups_PDU, T, S, features)
NSD_Packets_Queue.insert_RTP_Group_Features([flow[0], feat])
self.logger.info('Got features for flow \'{}\''.format(
flow[0]))
def process_UDP_packets(self):
self.fork_database()
while True:
try:
packet = NSD_Packets_Queue.get_UDP_packet()
Source_IP = socket.inet_ntoa(packet[26:30])
Dest_IP = socket.inet_ntoa(packet[30:34])
Source_Port = int.from_bytes(packet[34:36], byteorder='big')
Dest_Port = int.from_bytes(packet[36:38], byteorder='big')
Length = int.from_bytes(packet[38:40], byteorder='big')
Checksum = int.from_bytes(packet[40:42], byteorder='big')
UDP_type = int.from_bytes(packet[42:43], byteorder='big')
Data = packet[42:]
Traffic_CC = self.pcap_type
self.DB.insert_UDP_packet([
Source_IP, Dest_IP, Source_Port, Dest_Port, Length,
Checksum, UDP_type, Data, Traffic_CC
])
NSD_Monitor_Data.increment_total_database_UDP()
except KeyboardInterrupt:
if self.log_level >= vrb.INFO:
self.logger.info('Closing UDP process..')
return
def process_TCP_packets(self):
self.fork_database()
while True:
try:
packet = NSD_Packets_Queue.get_TCP_packet()
Source_IP = socket.inet_ntoa(packet[26:30])
Dest_IP = socket.inet_ntoa(packet[30:34])
Source_Port = int.from_bytes(packet[34:36], byteorder='big')
Dest_Port = int.from_bytes(packet[36:38], byteorder='big')
Sequence_Number = int.from_bytes(packet[38:42],
byteorder='big')
ACK_Number = int.from_bytes(packet[42:46], byteorder='big')
Flags = int.from_bytes(packet[46:48], byteorder='big')
Window = int.from_bytes(packet[48:50], byteorder='big')
Checksum = int.from_bytes(packet[50:52], byteorder='big')
Urgent_Pointer = int.from_bytes(packet[52:54], byteorder='big')
Data = packet[54:]
Traffic_CC = self.pcap_type
self.DB.insert_TCP_packet([
Source_IP, Dest_IP, Source_Port, Dest_Port,
Sequence_Number, ACK_Number, Flags, Window, Checksum,
Urgent_Pointer, Data, Traffic_CC
])
NSD_Monitor_Data.increment_total_database_TCP()
except KeyboardInterrupt:
if self.log_level >= vrb.INFO:
self.logger.info('Closing TCP process..')
return
def process_ICMP_packets(self):
self.fork_database()
while True:
try:
packet = NSD_Packets_Queue.get_UDP_packet()
Source_IP = socket.inet_ntoa(packet[26:30])
Dest_IP = socket.inet_ntoa(packet[30:34])
Type = int.from_bytes(packet[34:35], byteorder='big')
Code = int.from_bytes(packet[35:36], byteorder='big')
Checksum = int.from_bytes(packet[36:38], byteorder='big')
Header = int.from_bytes(packet[38:42], byteorder='big')
Payload = int.from_bytes(packet[42:50], byteorder='big')
Traffic_CC = self.pcap_type
self.DB.insert_ICMP_packet([
Source_IP, Dest_IP, Type, Code, Checksum, Header, Payload,
Traffic_CC
])
NSD_Monitor_Data.increment_total_database_ICMP()
except KeyboardInterrupt:
if self.log_level >= vrb.INFO:
self.logger.info('Closing ICMP process..')
return
def evaluate(self, pcap):
sum_prediction = 0
self.fork_database()
while True:
if self.log_level >= vrb.INFO:
self.logger.info('Evaluate: getting data set...')
flow_info = NSD_Packets_Queue.get_RTP_PDU_Groups()
self.logger.info('Evaluate: predicting for id \'{}\'..'.format(
flow_info[0]))
for feat in flow_info[1]:
sum_prediction += int(
self.CLF.predict(np.array(feat).reshape(1, -1)))
flow_status = NSD_Monitor_Data.get_status_flow_RTP(flow_info[0])
if sum_prediction == 0 and self.log_level == vrb.DEBUG:
if flow_status[0] == vrb.FLOW_FINISHED:
self.logger.info(
'NSD_Flow \'{}\' does not seem to have a network covert channel!'
.format(flow_info[0]))
NSD_Monitor_Data.update_status_flow_RTP(
flow_info[0], [
flow_status[0], vrb.FLOW_ML_FINISHED,
vrb.FLOW_ML_NEGATIVE
])
else:
self.logger.info(
'NSD_Flow \'{}\' does not seem to have a network covert channel... by now'
.format(flow_info[0]))
else:
IP = self.DB.get_RTP_identification_by_id(flow_info[0])
self.logger.critical(
'NETWORK COVERT CHANNEL! With {} MCC metric, Source IP {} and Destination IP {}, RTP'
.format(self.MCC, IP[0], IP[1]))
NSD_Monitor_Data.update_status_flow_RTP(
flow_info[0], [
flow_status[0], vrb.FLOW_ML_FINISHED,
vrb.FLOW_ML_POSITIVE
])
sum_prediction = 0
if pcap:
if self.log_level >= vrb.INFO_ML:
self.logger.info('Dropping temporal database..')
self.DB.drop_database()
self.SQ.put('KILL')
def process_pcapfile(self):
self.logger.info('Getting packets from file...')
for ts, pkt in self.file:
prot = int.from_bytes(pkt[23:24], byteorder='big')
if prot == 6:
NSD_Packets_Queue.insert_TCP_packet(pkt)
NSD_Monitor_Data.increment_total_received_TCP()
elif prot == 17:
NSD_Packets_Queue.insert_UDP_packet(pkt)
NSD_Monitor_Data.increment_total_received_UDP()
elif prot == 2:
NSD_Packets_Queue.insert_ICMP_packet(pkt)
NSD_Monitor_Data.increment_total_received_ICMP()
else:
NSD_Monitor_Data.increment_total_received_ERROR()
self.logger.info('All packets readed!')
self.SQ.put('PCAP_FINISHED')
if not self.set_analyze:
self.SQ.put('KILL')
def receiver(self):
self.logger.info('Ready to receive packets!')
while True:
try:
packet = self.sock.recv(65565)
prot = int.from_bytes(packet[23:24], byteorder='big')
if prot == 6:
NSD_Packets_Queue.insert_TCP_packet(packet)
NSD_Monitor_Data.increment_total_received_TCP()
elif prot == 17:
NSD_Packets_Queue.insert_UDP_packet(packet)
NSD_Monitor_Data.increment_total_received_UDP()
elif prot == 2:
NSD_Packets_Queue.insert_ICMP_packet(packet)
NSD_Monitor_Data.increment_total_received_ICMP()
else:
NSD_Monitor_Data.increment_total_received_ERROR()
except KeyboardInterrupt:
if self.log_level >= vrb.INFO:
self.logger.info('Closing sockets...')
return