def test_has_scanning(self):
        """Rows with message ID 733101 must share one source and make has_scanning() true."""
        parsed = intrusion_detect.IdParse(self.syslog_file)

        # Restrict the parsed frame to the single message ID this check keys on.
        scan_rows = parsed.df.loc[parsed.df['ID'].eq(733101)]

        # Every matching row is expected to carry the same source address.
        single_source = scan_rows['Source'].eq('192.168.3.10').all()
        self.assertTrue(single_source)

        # With those rows present the detector must report scanning activity.
        self.assertTrue(parsed.has_scanning())
 def test_acl_drop_parse_log(self):
     """Rows with message ID 733100 must number 255, with 255 distinct values in every rate column."""
     parsed = intrusion_detect.IdParse(self.syslog_file)
     drop_rows = parsed.df.loc[parsed.df['ID'].eq(733100)]

     # The fixture is expected to contribute exactly 255 rows for this ID.
     self.assertEqual(255, len(drop_rows))

     # Each rate/count column must hold 255 distinct values (no two rows repeat a value).
     rate_columns = (
         'DropRate',
         'BurstRate',
         'MaxConfigRate1',
         'CurrentAverageRate',
         'MaxConfigRate2',
         'TotalCount',
     )
     for column in rate_columns:
         self.assertEqual(255, drop_rows[column].nunique())
    def test_denial_of_service_parse_log(self):
        """Rows with message ID 109017 must number 255 and all share one source address."""
        parsed = id_pkg.IdParse(self.syslog_file)

        # Only the rows carrying this message ID are inspected.
        dos_rows = parsed.df.loc[parsed.df['ID'].eq(109017)]

        # The fixture is expected to contribute exactly 255 rows for this ID.
        self.assertEqual(255, len(dos_rows))

        # All of those rows are expected to originate from the same address.
        same_source = dos_rows['Source'].eq('10.203.254.158').all()
        self.assertTrue(same_source)
    def test_ACLDrop_parse_log(self):
        """Rows with message ID 710003 must number 255 and all share one source address."""
        parsed = intrusion_detect.IdParse(self.syslog_file)

        # Only the rows carrying this message ID are inspected.
        drop_rows = parsed.df.loc[parsed.df['ID'].eq(710003)]

        # The fixture is expected to contribute exactly 255 rows for this ID.
        self.assertEqual(255, len(drop_rows))

        # All of those rows are expected to originate from the same address.
        same_source = drop_rows['Source'].eq('10.1.1.1').all()
        self.assertTrue(same_source)
    def test_firewall_parse_log(self):
        """Rows with message ID 713162 must number 255, share one session and have 255 distinct identifiers."""
        parsed = intrusion_detect.IdParse(self.syslog_file)

        fw_rows = parsed.df.loc[parsed.df['ID'].eq(713162)]

        # The fixture is expected to contribute exactly 255 rows for this ID.
        self.assertEqual(255, len(fw_rows))

        # Every row is expected to belong to the same session.
        same_session = fw_rows['Session'].eq('db248b6cbdc547bbc6c6fdfb6916eeb').all()
        self.assertTrue(same_session)

        # The identifier column must not repeat a value across the 255 rows.
        self.assertEqual(255, fw_rows['Identifier'].nunique())
    def test_scanning_threat_parse_log(self):
        """Rows with message ID 733101 must number 255 and have strictly positive rate/count columns."""
        parsed = intrusion_detect.IdParse(self.syslog_file)

        # Only the rows carrying this message ID are inspected.
        threat_rows = parsed.df.loc[parsed.df['ID'].eq(733101)]

        # The fixture is expected to contribute exactly 255 rows for this ID.
        self.assertEqual(255, len(threat_rows))

        # None of the parsed rate or count fields may be zero or negative.
        positive_columns = (
            'Burst_Rate',
            'Max Configured Rate 1',
            'Average Rate',
            'Max Configured Rate 2',
            'Total Count',
        )
        for column in positive_columns:
            self.assertTrue(threat_rows[column].gt(0).all())
    def test_icmp_command_parse_log(self):
        """Rows with message ID 313008 must number 255, have 255 distinct sources and one interface."""
        parsed = intrusion_detect.IdParse(self.syslog_file)

        # Only the rows carrying this message ID are inspected.
        icmp_rows = parsed.df.loc[parsed.df['ID'].eq(313008)]

        # The fixture is expected to contribute exactly 255 rows for this ID.
        self.assertEqual(255, len(icmp_rows))

        # Every row is expected to come from a different source address.
        self.assertEqual(255, icmp_rows['Source'].nunique())

        # All rows are expected to name the same interface.
        same_interface = icmp_rows['Interface'].eq('TestInterface').all()
        self.assertTrue(same_interface)
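    def test_denied_icmp_parse_log(self):
        """Rows with message ID 313004 must number 255, with 255 distinct sources and destinations and 40 ICMP types.

        The uniqueness checks use assertEqual: ``assertTrue(255, x)`` treats ``x``
        as the failure message and the literal 255 as the condition, so it could
        never fail and the counts were not actually being verified.
        """
        id_syslog = id_pkg.IdParse(self.syslog_file)

        # get dataframe logs with this ID
        dataframe = id_syslog.df[id_syslog.df['ID'] == 313004]

        # should have 255 entries
        self.assertEqual(255, len(dataframe))

        # should have 255 unique source addresses
        self.assertEqual(255, dataframe['Source'].nunique())

        # should have 255 unique destination addresses
        self.assertEqual(255, dataframe['Destination'].nunique())

        # should have 40 different icmp types
        self.assertEqual(40, dataframe['ICMPType'].nunique())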
def pandas_demo():
    """Shows how to use some pandas features needed to implement sprint 4"""
    # Reference: https://pandas.pydata.org/docs/user_guide/index.html

    # os.path.join picks the separator for the current platform, so the
    # same relative path works on Windows ("\") and on Linux/macOS ("/").
    log_file = os.path.join('id_pkg', 'data', 'intrusion_logs.txt')

    # Parse the log the same way the sprint 3 code did.
    parsed_log = intrusion_detect.IdParse(log_file)

    # Report only when the parser flagged spoofing in this log.
    if parsed_log.has_ip_spoofing():
        print('Spoofing attacks are present')
    def test_interface_parse_log(self):
        """Rows with message ID 106001 must expose source/port, destination/port fields as expected."""
        parsed = intrusion_detect.IdParse(self.syslog_file)

        # Sample of the line shape being parsed:
        # %ASA-2-106001: Inbound TCP connection denied from 10.132.0.147/2257 to 172.16.10.10/80 flags SYN  on interface inside
        denied_rows = parsed.df.loc[parsed.df['ID'].eq(106001)]

        # The fixture is expected to contribute exactly 255 rows for this ID.
        self.assertEqual(255, len(denied_rows))

        # Source address and source port are expected to be constant across all rows.
        # Ports are compared as strings, which is how the parser stores them.
        self.assertTrue(denied_rows['Source'].eq('10.132.0.147').all())
        self.assertTrue(denied_rows['SourcePort'].eq('2257').all())

        # Destination address varies per row while the destination port is constant.
        self.assertEqual(255, denied_rows['Destination'].nunique())
        self.assertTrue(denied_rows['DestinationPort'].eq('80').all())
 def test_has_interface(self):
     """has_interface() must be true for the generated test file."""
     parsed = intrusion_detect.IdParse(self.syslog_file)
     # The fixture is built to contain interface events, so the detector must flag them.
     self.assertTrue(parsed.has_interface(), 'expected interface events in test fixture')
    def test_has_firewall(self):
        """has_firewall() must be true for the generated test file."""
        parsed = intrusion_detect.IdParse(self.syslog_file)
        self.assertTrue(parsed.has_firewall(), 'expected firewall events in test fixture')
 def test_has_icmp_command(self):
     """has_icmp() must be true for the generated test file."""
     parsed = intrusion_detect.IdParse(self.syslog_file)
     self.assertTrue(parsed.has_icmp(), 'expected ICMP events in test fixture')
 def test_has_dos_attack(self):
     """has_dos_attack() must be true for the generated test file."""
     parsed = id_pkg.IdParse(self.syslog_file)
     self.assertTrue(parsed.has_dos_attack(), 'expected DoS events in test fixture')
 def test_has_scanning_threat(self):
     """has_scanning_threat() must be true for the generated test file."""
     parsed = intrusion_detect.IdParse(self.syslog_file)
     self.assertTrue(parsed.has_scanning_threat(), 'expected scanning-threat events in test fixture')
 def test_has_denied_icmp(self):
     """has_denied_icmp() must be true for the generated test file."""
     parsed = id_pkg.IdParse(self.syslog_file)
     # The fixture is built to contain denied ICMP, so the detector must flag it.
     self.assertTrue(parsed.has_denied_icmp(), 'expected denied-ICMP events in test fixture')