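def domainCheck(ip, direction, domain):
    """Run the per-name sanity checks for one DNS message and count the hits.

    The name's length is always folded into the global length distribution.
    Each check that fires bumps a named counter for ``ip`` via AddElement.

    Args:
        ip: key under which the counters are accumulated.
        direction: 'request' or 'response'; any other value is simply not
            counted (it is not rejected).
        domain: the queried/answered name in dotted form.
    """
    AddLengthDistribution(len(domain))

    # The thresholds do not change during the call; read each one once
    # instead of once per label as the original loop did.
    max_domain_length = int(confloader.getParameters('DomainMaxLength'))
    max_label_count = int(confloader.getParameters('LableMaxNum'))
    max_label_length = int(confloader.getParameters('LableMaxLimit'))

    if len(domain) > max_domain_length:
        AddElement(ip, 'above_max_domain_length_times')

    labels = domain.split('.')
    if len(labels) > max_label_count:
        AddElement(ip, 'above_max_lable_num_times')

    # NOTE(review): this comparison is '>=' while the two above are '>';
    # kept as written -- confirm whether a label of exactly LableMaxLimit
    # characters is meant to count. Counted at most once per name.
    if any(len(label) >= max_label_length for label in labels):
        AddElement(ip, 'above_max_lable_limit_times')

    if domain.lower() != domain:
        AddElement(ip, 'has_upper_character_times')

    if direction == 'request':
        AddElement(ip, 'request_times')
    elif direction == 'response':
        AddElement(ip, 'response_times')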
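def DnsLog():
    """Append the per-IP DNS counters in DnsMap to the DNS log as CSV rows.

    The header row is written only once per process, tracked by the module
    global ExcelTitle ('false' until the header has gone out). The file is
    opened in append mode so earlier runs are preserved.
    """
    global DnsMap
    global ExcelTitle
    # One column list drives both the header and every data row, so the two
    # cannot drift apart.
    columns = [
        'request_times',
        'response_times',
        'above_max_domain_length_times',
        'above_max_lable_num_times',
        'above_max_lable_limit_times',
        'has_upper_character_times',
        'response_txt_times',
    ]
    log_path = confloader.getParameters('LOG_PATH')
    log_dns_name = confloader.getParameters('LOG_DNS_NAME')
    # 'with' closes the handle even when a write raises; the original
    # only closed it on the success path.
    with open(log_path + '/' + log_dns_name, 'a') as f:  # use 'a' not 'w'
        if ExcelTitle == 'false':
            f.write('ip, ' + ', '.join(columns) + '\n')
            ExcelTitle = 'true'
        for ip, counters in DnsMap.items():
            row = ', '.join(str(counters[c]) for c in columns)
            f.write(ip + ', ' + row + '\n')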
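def executeSql(sql, params=None):
    """Run one statement against the configured MySQL database and fetch all rows.

    Connection settings come from confloader. The cursor and connection are
    always closed, including when connecting or executing fails (the original
    leaked both on any exception raised before the explicit close calls).

    Args:
        sql: the statement to execute. Do not build it by concatenating
            untrusted values (IPs, domain names, payload text) into the
            string; put them in ``params`` so the driver quotes them.
        params: optional bind values handed to ``cursor.execute`` unchanged.
            When None the statement is executed exactly as before.

    Returns:
        The fetched rows, or None when the query failed. The failure is
        printed rather than raised, matching the original best-effort contract.
    """
    my_sql_ip = confloader.getParameters('My_SQL_IP')
    my_sql_username = confloader.getParameters('My_SQL_USERNAME')
    my_sql_password = confloader.getParameters('My_SQL_PASSWORD')
    my_sql_db_name = confloader.getParameters('My_SQL_DB_NAME')
    my_sql_db_port = confloader.getParameters('My_SQL_DB_PORT')
    conn = None
    cur = None
    try:
        conn = MySQLdb.connect(host=my_sql_ip, user=my_sql_username,
                               passwd=my_sql_password, db=my_sql_db_name,
                               port=int(my_sql_db_port))
        cur = conn.cursor()
        if params is None:
            cur.execute(sql)
        else:
            cur.execute(sql, params)
        return cur.fetchall()
    except Exception as e:
        # Same best-effort behaviour as before; written so it runs on
        # both Python 2 and 3.
        print('sqldb.py exception: %s' % e)
        return None
    finally:
        if cur is not None:
            cur.close()
        if conn is not None:
            conn.close()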
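def SnmpStore():
    """Append the SNMP flow counters in SnmpLogMap to the SNMP log as CSV.

    Every call writes a fresh 'sip->dip, times' header followed by one
    'key,value' row per entry; the file is opened in append mode.
    """
    global SnmpLogMap
    log_path = confloader.getParameters('LOG_PATH')
    log_snmp_store_name = confloader.getParameters('LOG_SNMP_STORE_NAME')
    lines = ['sip->dip, times\n']
    lines.extend(key + ',' + str(value) + '\n' for key, value in SnmpLogMap.items())
    # 'with' guarantees the handle is closed even if the write fails.
    with open(log_path + '/' + log_snmp_store_name, 'a') as f:  # use 'a' not 'w'
        f.write(''.join(lines))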
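def Icmp_Compare_Log_Store():
    """Append every 'key : value' pair of Global_Icmp_Result to the ICMP compare log."""
    global Global_Icmp_Result
    log_path = confloader.getParameters('LOG_PATH')
    log_name = confloader.getParameters('LOG_ICMP_COMPARE_LOG_STORE_NAME')
    # Append mode keeps previous runs; 'with' closes the handle on error too.
    with open(log_path + '/' + log_name, 'a') as f:
        for key, value in Global_Icmp_Result.items():
            f.write(key + ' : ' + str(value) + '\n')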
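def IcmpCompareStore():
    """Append every 'key : value' pair of IcmpCompareMap to the ICMP compare log."""
    global IcmpCompareMap
    log_path = confloader.getParameters('LOG_PATH')
    log_name = confloader.getParameters('LOG_ICMP_COMPARE_LOG_STORE_NAME')
    # Append mode keeps previous runs; 'with' closes the handle on error too.
    with open(log_path + '/' + log_name, 'a') as f:
        for key, value in IcmpCompareMap.items():
            f.write(key + ' : ' + str(value) + '\n')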
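def checkBlackIP():
    """Check every collected IP against the blacklist and append the result.

    ALL_IP is the module-level set of addresses seen so far. The whole set is
    handed to sqldb.checkBlack and its return value is written verbatim to the
    black-IP log (append mode).
    """
    global ALL_IP
    log_path = confloader.getParameters('LOG_PATH')
    log_name = confloader.getParameters('LOG_FOR_BLACK_IP_NAME')
    # NOTE(review): a fixed sample address is injected into the live set on
    # every call ("add test ip" in the original), so it is reported next to
    # genuine traffic. Kept for fidelity; it should be dropped or gated by a
    # config flag before this runs on real captures.
    ALL_IP.add('52.200.243.123')
    result = sqldb.checkBlack(ALL_IP)
    # 'with' closes the handle even if the write fails.
    with open(log_path + '/' + log_name, 'a') as f:  # use 'a' not 'w'
        f.write(result)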
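def PortProtoStore():
    """Append the port/protocol anomaly counters in PortProtoDict to their log.

    The header row is written once per process, tracked by the module global
    titleHasWrite ('false' until written). Rows are 'key, value'.
    """
    global PortProtoDict
    global titleHasWrite
    log_path = confloader.getParameters('LOG_PATH')
    log_name = confloader.getParameters('LOG_PROT_PROTOCOL_NAME')
    # 'with' closes the handle even when a write raises.
    with open(log_path + '/' + log_name, 'a') as f:  # use 'a' not 'w'
        if titleHasWrite == 'false':
            f.write('ip and abnormal proto, times\n')
            titleHasWrite = 'true'
        for key, value in PortProtoDict.items():
            f.write(key + ', ' + str(value) + '\n')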
def Dispatcher(source):
    """Hand the current packet to the analyser that matches its protocol layers.

    Identification is by protocol name only: DNS when it is the highest layer
    and DnsCheck is 'yes', HTTP when it appears anywhere in the layer chain and
    HttpCheck is 'yes', SNMP when present, otherwise the unknown-protocol
    analyser. A config flag is only read once its layer has matched.
    """
    layers = DataBean.getItem('layers').upper()
    highest_layer = DataBean.getItem('highest_layer').upper()

    def enabled(flag_name):
        # Looked up lazily so the config read happens only for a matching layer.
        return confloader.getParameters(flag_name).lower() == 'yes'

    if highest_layer == 'DNS' and enabled('DnsCheck'):
        DnsAnalyser.Analysis(source)
        return
    if 'HTTP' in layers and enabled('HttpCheck'):
        # Layer chain looks like eth:ip:http:media here; HTTPS is not handled
        # separately -- the original left that as an open question.
        HttpAnalyser.Analysis(source)
        return
    if 'SNMP' in layers:
        SnmpAnalyser.Analysis()
        return
    UnknownProtoAnalyser.Analysis()
def domainCheck(key, domain):
    """Count the shape anomalies of one DNS name under ``key``.

    The name's length is always recorded in the length distribution. A counter
    is then bumped for each of: length above Domain_Max_Length, more dotted
    labels than Lable_Max_Num, and any upper-case character in the name.
    """
    length = len(domain)
    addLengthDistribution(length)

    if length > int(confloader.getParameters('Domain_Max_Length')):
        addElement(key, 'domain_times')

    # Number of dot-separated labels, same as len(domain.split('.')).
    label_count = domain.count('.') + 1
    if label_count > int(confloader.getParameters('Lable_Max_Num')):
        addElement(key, 'lable_num_times')

    if domain != domain.lower():
        addElement(key, 'upper_times')
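def LengthDistributionLog():
    """Append the DNS name-length histogram in LengthDistribution to its log.

    One 'bucket-label, count' row per bucket, in ascending length order.
    """
    global LengthDistribution
    # Labels are reproduced exactly as the log consumer expects them.
    # NOTE(review): there is no (50_60] row and the last bucket is labelled
    # (60_..); confirm against the code that fills 'block_60'.
    buckets = [
        ('(0_10]', 'block_10'),
        ('(10_20]', 'block_20'),
        ('(20_30]', 'block_30'),
        ('(30_40]', 'block_40'),
        ('(40_50]', 'block_50'),
        ('(60_..)', 'block_60'),
    ]
    body = ''.join(label + ', ' + str(LengthDistribution[k]) + '\n'
                   for label, k in buckets)
    log_path = confloader.getParameters('LOG_PATH')
    log_name = confloader.getParameters('LOG_DNS_LENGTH_DISTRIBUTION_NAME')
    # 'with' closes the handle even if the write fails.
    with open(log_path + '/' + log_name, 'a') as f:  # use 'a' not 'w'
        f.write(body)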
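def Icmp_Class_Log_Store():
    """Append each Icmp_Map entry as 'hexkey,decoded,count' to the ICMP class log.

    Keys are hex strings (they are fed to binascii.a2b_hex); what the decoded
    bytes represent is not visible here. Commas in the decoded text are
    replaced so they cannot split the CSV columns; entries that do not decode
    are written with the literal marker 'cant decode'.
    """
    global Icmp_Map
    log_path = confloader.getParameters('LOG_PATH')
    log_name = confloader.getParameters('LOG_ICMP_CLASS_LOG_STORE_NAME')
    # 'with' closes the handle even when a write raises.
    with open(log_path + '/' + log_name, 'a') as f:
        for key, value in Icmp_Map.items():
            try:
                decoded = binascii.a2b_hex(key.strip())
                decoded = decoded.strip().replace(',', '_')  # for excel format
            except (TypeError, ValueError):
                # Bad hex raises TypeError on Python 2 and binascii.Error
                # (a ValueError) on Python 3. The original bare 'except'
                # also hid unrelated errors; those now propagate.
                decoded = 'cant decode'
            # NOTE(review): only ',' is neutralised. Newlines or other control
            # bytes in the decoded payload are written verbatim and would
            # break the row layout for anything parsing this file.
            f.write(key + ',' + decoded + ',' + str(value) + '\n')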
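def dns_Log():
    """Append the per-key DNS counters in Global_DNS_MAP to the DNS log, then reset it.

    One CSV row per key in a fixed column order. The map is cleared only after
    the rows have been written and the file closed, so a failed write does not
    lose the counters.
    """
    global Global_DNS_MAP
    columns = [
        'domain_times',
        'lable_num_times',
        'upper_times',
        'domain_equals',
        'dns_resp_len_times',
        'author_times',
        'addition_times',
    ]
    log_path = confloader.getParameters('LOG_PATH')
    log_dns_name = confloader.getParameters('LOG_DNS_NAME')
    # 'with' closes the handle even when a write raises.
    with open(log_path + '/' + log_dns_name, 'a') as f:  # use 'a' not 'w'
        for key, value in Global_DNS_MAP.items():
            row = ', '.join(str(value[c]) for c in columns)
            f.write(key + ", " + row + '\n')
    # delete all items
    Global_DNS_MAP.clear()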