def analyse_mac(self, pkt):
macs = pkt.Ether.src
addrs = pkt.Ether.payload.src
macd = pkt.Ether.dst
addrd = pkt.Ether.payload.dst
bsrc = netutils.ip_is_reserved(addrs)
bdst = netutils.ip_is_reserved(addrd)
# if macs == 0 or macd == 0 or macs == 0xffffffffffff or macd == 0xffffffffffff:
# return
# if (addrs >> 24) == 255 or (addrd >> 24) == 255:
# return
if (not bsrc and not bdst) or addrs == addrd:
self.alert.add("outside %s [%s] to %s [%s]" % (pcap.ntoa(addrs), netutils.mac_to_string(macs), pcap.ntoa(addrd), netutils.mac_to_string(macd)))
else:
adds = self.add_mac(macs, addrs)
addd = self.add_mac(macd, addrd)
if not (adds and addd):
if not adds:
self.alert.add("on source %s [%s] (to %s [%s])" % (pcap.ntoa(addrs), netutils.mac_to_string(macs), pcap.ntoa(addrd), netutils.mac_to_string(self.lmac[addrd])))
else:
self.alert.add("on dest %s [%s] (from %s [%s])" % (pcap.ntoa(addrd), netutils.mac_to_string(macd), pcap.ntoa(addrs), netutils.mac_to_string(self.lmac[addrs])))
def flow_handler(self, flow):
protocol = flow.prot
if type(self.ignore_ipprotocol) is list and protocol in self.ignore_ipprotocol:
protocol = -1
try:
netdata.IPTYPE[protocol]
if protocol in self.lIPProtocol:
self.lIPProtocol[protocol] += flow.dPkts
else:
self.lIPProtocol[protocol] = flow.dPkts
self.lIPList.append(protocol)
except KeyError:
pass
if protocol == netdata.IPTYPE_TCP or protocol == netdata.IPTYPE_UDP:
src = netutils.ip_reverse(flow.srcaddr_raw)
dst = netutils.ip_reverse(flow.dstaddr_raw)
bsrc = netutils.ip_is_reserved(src)
bdst = netutils.ip_is_reserved(dst)
port = -1
if not bsrc:
port = flow.srcport
elif not bdst:
port = flow.dstport
# Remove local ports (cannot determine good port)
# else:
# try:
# netdata.PORTSLIST[flow.srcport]
# port = flow.srcport
# except KeyError:
# try:
# netdata.PORTSLIST[flow.dstport]
# port = flow.dstport
# except KeyError:
# pass
# List of IP protocols
if type(self.ignore_port) is list and port in self.ignore_port:
port = -1
if port > 0:
try:
netdata.PORTSLIST[port]
try:
self.lPortProtocol[port] += flow.dPkts
except KeyError:
self.lPortProtocol[port] = flow.dPkts
except KeyError:
pass
def flow_handler(self, flow):
protocol = flow.prot
if type(self.ignore_ipprotocol
) is list and protocol in self.ignore_ipprotocol:
protocol = -1
try:
netdata.IPTYPE[protocol]
if protocol in self.lIPProtocol:
self.lIPProtocol[protocol] += flow.dPkts
else:
self.lIPProtocol[protocol] = flow.dPkts
self.lIPList.append(protocol)
except KeyError:
pass
if protocol == netdata.IPTYPE_TCP or protocol == netdata.IPTYPE_UDP:
src = netutils.ip_reverse(flow.srcaddr_raw)
dst = netutils.ip_reverse(flow.dstaddr_raw)
bsrc = netutils.ip_is_reserved(src)
bdst = netutils.ip_is_reserved(dst)
port = -1
if not bsrc:
port = flow.srcport
elif not bdst:
port = flow.dstport
# Remove local ports (cannot determine good port)
# else:
# try:
# netdata.PORTSLIST[flow.srcport]
# port = flow.srcport
# except KeyError:
# try:
# netdata.PORTSLIST[flow.dstport]
# port = flow.dstport
# except KeyError:
# pass
# List of IP protocols
if type(self.ignore_port) is list and port in self.ignore_port:
port = -1
if port > 0:
try:
netdata.PORTSLIST[port]
try:
self.lPortProtocol[port] += flow.dPkts
except KeyError:
self.lPortProtocol[port] = flow.dPkts
except KeyError:
pass
def flow_handler(self, flow):
src = netutils.ip_reverse(flow.srcaddr_raw)
dst = netutils.ip_reverse(flow.dstaddr_raw)
bsrc = netutils.ip_is_reserved(src)
bdst = netutils.ip_is_reserved(dst)
if bsrc and bdst:
self.add_loccomm(src, dst, flow.dOctets)
elif not bsrc and bdst:
self.add_loccomm(-1, dst, flow.dOctets)
elif bsrc and not bdst:
self.add_loccomm(src, -1, flow.dOctets)
else:
print "This packet is stupid"
def pkt_handler(self, pkt):
if pkt.Ether.is_type(netdata.ETHERTYPE_IPv4):
pkt_ipv4 = pkt.Ether.payload
src = pkt_ipv4.src
dst = pkt_ipv4.dst
bsrc = netutils.ip_is_reserved(src)
bdst = netutils.ip_is_reserved(dst)
if bsrc and bdst:
self.data["net_load_loc"] += pkt.pktlen
elif not bsrc and bdst:
self.data["net_load_in"] += pkt.pktlen
elif bsrc and not bdst:
self.data["net_load_out"] += pkt.pktlen
pass
def pkt_handler(self, pkt):
if pkt.Ether.is_type(netdata.ETHERTYPE_IPv4):
pkt_ipv4 = pkt.Ether.payload
src = pkt_ipv4.src
dst = pkt_ipv4.dst
bsrc = netutils.ip_is_reserved(src)
bdst = netutils.ip_is_reserved(dst)
if bsrc and bdst:
self.add_loccomm(src, dst, pkt.pktlen)
elif not bsrc and bdst:
self.add_loccomm(-1, dst, pkt.pktlen)
elif bsrc and not bdst:
self.add_loccomm(src, -1, pkt.pktlen)
else:
print "This packet is stupid"
def add_ip_list_outside(self, src):
# use only src address to avoid broadcast address in dst
bsrc = netutils.ip_is_reserved(src)
if len(self.last_ip) <= MAX_IP_LIST_SEND and not bsrc:
self.last_ip.add(src)
def pkt_handler(self, pkt):
if pkt.Ether.is_type(netdata.ETHERTYPE_IPv4):
pkt_ipv4 = pkt.Ether.payload
src = pkt_ipv4.src
dst = pkt_ipv4.dst
bsrc = netutils.ip_is_reserved(src)
bdst = netutils.ip_is_reserved(dst)
if bsrc and bdst:
self.data["net_load_loc"] += pkt.pktlen
elif not bsrc and bdst:
self.data["net_load_in"] += pkt.pktlen
elif bsrc and not bdst:
self.data["net_load_out"] += pkt.pktlen
pass
def flow_handler(self, flow):
# print "FLOW HANDLER", flow.srcaddr
src = pcap.aton(flow.srcaddr)
dst = pcap.aton(flow.dstaddr)
bsrc = netutils.ip_is_reserved(src)
bdst = netutils.ip_is_reserved(dst)
db = flow.dOctets
if bsrc and bdst:
self.data["net_load_loc"] += db
elif not bsrc and bdst:
self.data["net_load_in"] += db
elif bsrc and not bdst:
self.data["net_load_out"] += db
else:
print "Raaa"
def flow_handler(self, flow):
# print "FLOW HANDLER", flow.srcaddr
src = pcap.aton(flow.srcaddr)
dst = pcap.aton(flow.dstaddr)
bsrc = netutils.ip_is_reserved(src)
bdst = netutils.ip_is_reserved(dst)
db = flow.dOctets
if bsrc and bdst:
self.data["net_load_loc"] += db
elif not bsrc and bdst:
self.data["net_load_in"] += db
elif bsrc and not bdst:
self.data["net_load_out"] += db
else:
print "Raaa"
def analyse_mac(self, pkt):
macs = pkt.Ether.src
addrs = pkt.Ether.payload.src
macd = pkt.Ether.dst
addrd = pkt.Ether.payload.dst
bsrc = netutils.ip_is_reserved(addrs)
bdst = netutils.ip_is_reserved(addrd)
# if macs == 0 or macd == 0 or macs == 0xffffffffffff or macd == 0xffffffffffff:
# return
# if (addrs >> 24) == 255 or (addrd >> 24) == 255:
# return
if (not bsrc and not bdst) or addrs == addrd:
self.alert.add("outside %s [%s] to %s [%s]" %
(pcap.ntoa(addrs), netutils.mac_to_string(macs),
pcap.ntoa(addrd), netutils.mac_to_string(macd)))
else:
adds = self.add_mac(macs, addrs)
addd = self.add_mac(macd, addrd)
if not (adds and addd):
if not adds:
self.alert.add(
"on source %s [%s] (to %s [%s])" %
(pcap.ntoa(addrs), netutils.mac_to_string(macs),
pcap.ntoa(addrd),
netutils.mac_to_string(self.lmac[addrd])))
else:
self.alert.add(
"on dest %s [%s] (from %s [%s])" %
(pcap.ntoa(addrd), netutils.mac_to_string(macd),
pcap.ntoa(addrs),
netutils.mac_to_string(self.lmac[addrs])))