def analyse_mac(self, pkt): macs = pkt.Ether.src addrs = pkt.Ether.payload.src macd = pkt.Ether.dst addrd = pkt.Ether.payload.dst bsrc = netutils.ip_is_reserved(addrs) bdst = netutils.ip_is_reserved(addrd) # if macs == 0 or macd == 0 or macs == 0xffffffffffff or macd == 0xffffffffffff: # return # if (addrs >> 24) == 255 or (addrd >> 24) == 255: # return if (not bsrc and not bdst) or addrs == addrd: self.alert.add("outside %s [%s] to %s [%s]" % (pcap.ntoa(addrs), netutils.mac_to_string(macs), pcap.ntoa(addrd), netutils.mac_to_string(macd))) else: adds = self.add_mac(macs, addrs) addd = self.add_mac(macd, addrd) if not (adds and addd): if not adds: self.alert.add("on source %s [%s] (to %s [%s])" % (pcap.ntoa(addrs), netutils.mac_to_string(macs), pcap.ntoa(addrd), netutils.mac_to_string(self.lmac[addrd]))) else: self.alert.add("on dest %s [%s] (from %s [%s])" % (pcap.ntoa(addrd), netutils.mac_to_string(macd), pcap.ntoa(addrs), netutils.mac_to_string(self.lmac[addrs])))
def flow_handler(self, flow): protocol = flow.prot if type(self.ignore_ipprotocol) is list and protocol in self.ignore_ipprotocol: protocol = -1 try: netdata.IPTYPE[protocol] if protocol in self.lIPProtocol: self.lIPProtocol[protocol] += flow.dPkts else: self.lIPProtocol[protocol] = flow.dPkts self.lIPList.append(protocol) except KeyError: pass if protocol == netdata.IPTYPE_TCP or protocol == netdata.IPTYPE_UDP: src = netutils.ip_reverse(flow.srcaddr_raw) dst = netutils.ip_reverse(flow.dstaddr_raw) bsrc = netutils.ip_is_reserved(src) bdst = netutils.ip_is_reserved(dst) port = -1 if not bsrc: port = flow.srcport elif not bdst: port = flow.dstport # Remove local ports (cannot determine good port) # else: # try: # netdata.PORTSLIST[flow.srcport] # port = flow.srcport # except KeyError: # try: # netdata.PORTSLIST[flow.dstport] # port = flow.dstport # except KeyError: # pass # List of IP protocols if type(self.ignore_port) is list and port in self.ignore_port: port = -1 if port > 0: try: netdata.PORTSLIST[port] try: self.lPortProtocol[port] += flow.dPkts except KeyError: self.lPortProtocol[port] = flow.dPkts except KeyError: pass
def flow_handler(self, flow): protocol = flow.prot if type(self.ignore_ipprotocol ) is list and protocol in self.ignore_ipprotocol: protocol = -1 try: netdata.IPTYPE[protocol] if protocol in self.lIPProtocol: self.lIPProtocol[protocol] += flow.dPkts else: self.lIPProtocol[protocol] = flow.dPkts self.lIPList.append(protocol) except KeyError: pass if protocol == netdata.IPTYPE_TCP or protocol == netdata.IPTYPE_UDP: src = netutils.ip_reverse(flow.srcaddr_raw) dst = netutils.ip_reverse(flow.dstaddr_raw) bsrc = netutils.ip_is_reserved(src) bdst = netutils.ip_is_reserved(dst) port = -1 if not bsrc: port = flow.srcport elif not bdst: port = flow.dstport # Remove local ports (cannot determine good port) # else: # try: # netdata.PORTSLIST[flow.srcport] # port = flow.srcport # except KeyError: # try: # netdata.PORTSLIST[flow.dstport] # port = flow.dstport # except KeyError: # pass # List of IP protocols if type(self.ignore_port) is list and port in self.ignore_port: port = -1 if port > 0: try: netdata.PORTSLIST[port] try: self.lPortProtocol[port] += flow.dPkts except KeyError: self.lPortProtocol[port] = flow.dPkts except KeyError: pass
def flow_handler(self, flow): src = netutils.ip_reverse(flow.srcaddr_raw) dst = netutils.ip_reverse(flow.dstaddr_raw) bsrc = netutils.ip_is_reserved(src) bdst = netutils.ip_is_reserved(dst) if bsrc and bdst: self.add_loccomm(src, dst, flow.dOctets) elif not bsrc and bdst: self.add_loccomm(-1, dst, flow.dOctets) elif bsrc and not bdst: self.add_loccomm(src, -1, flow.dOctets) else: print "This packet is stupid"
def pkt_handler(self, pkt): if pkt.Ether.is_type(netdata.ETHERTYPE_IPv4): pkt_ipv4 = pkt.Ether.payload src = pkt_ipv4.src dst = pkt_ipv4.dst bsrc = netutils.ip_is_reserved(src) bdst = netutils.ip_is_reserved(dst) if bsrc and bdst: self.data["net_load_loc"] += pkt.pktlen elif not bsrc and bdst: self.data["net_load_in"] += pkt.pktlen elif bsrc and not bdst: self.data["net_load_out"] += pkt.pktlen pass
def pkt_handler(self, pkt): if pkt.Ether.is_type(netdata.ETHERTYPE_IPv4): pkt_ipv4 = pkt.Ether.payload src = pkt_ipv4.src dst = pkt_ipv4.dst bsrc = netutils.ip_is_reserved(src) bdst = netutils.ip_is_reserved(dst) if bsrc and bdst: self.add_loccomm(src, dst, pkt.pktlen) elif not bsrc and bdst: self.add_loccomm(-1, dst, pkt.pktlen) elif bsrc and not bdst: self.add_loccomm(src, -1, pkt.pktlen) else: print "This packet is stupid"
def add_ip_list_outside(self, src): # use only src address to avoid broadcast address in dst bsrc = netutils.ip_is_reserved(src) if len(self.last_ip) <= MAX_IP_LIST_SEND and not bsrc: self.last_ip.add(src)
def flow_handler(self, flow): # print "FLOW HANDLER", flow.srcaddr src = pcap.aton(flow.srcaddr) dst = pcap.aton(flow.dstaddr) bsrc = netutils.ip_is_reserved(src) bdst = netutils.ip_is_reserved(dst) db = flow.dOctets if bsrc and bdst: self.data["net_load_loc"] += db elif not bsrc and bdst: self.data["net_load_in"] += db elif bsrc and not bdst: self.data["net_load_out"] += db else: print "Raaa"
def analyse_mac(self, pkt): macs = pkt.Ether.src addrs = pkt.Ether.payload.src macd = pkt.Ether.dst addrd = pkt.Ether.payload.dst bsrc = netutils.ip_is_reserved(addrs) bdst = netutils.ip_is_reserved(addrd) # if macs == 0 or macd == 0 or macs == 0xffffffffffff or macd == 0xffffffffffff: # return # if (addrs >> 24) == 255 or (addrd >> 24) == 255: # return if (not bsrc and not bdst) or addrs == addrd: self.alert.add("outside %s [%s] to %s [%s]" % (pcap.ntoa(addrs), netutils.mac_to_string(macs), pcap.ntoa(addrd), netutils.mac_to_string(macd))) else: adds = self.add_mac(macs, addrs) addd = self.add_mac(macd, addrd) if not (adds and addd): if not adds: self.alert.add( "on source %s [%s] (to %s [%s])" % (pcap.ntoa(addrs), netutils.mac_to_string(macs), pcap.ntoa(addrd), netutils.mac_to_string(self.lmac[addrd]))) else: self.alert.add( "on dest %s [%s] (from %s [%s])" % (pcap.ntoa(addrd), netutils.mac_to_string(macd), pcap.ntoa(addrs), netutils.mac_to_string(self.lmac[addrs])))