def test_insert_device_information(self): DeviceInformation.insert_new_object(self.device_info) result = self.db.session.query(DeviceInformation).filter( DeviceInformation.mac_address == "00:00:00:00:00:00") \ .first() self.assertEqual(self.device_info, result) self.db.session.delete(result)
def packet_parse(packet: Packet): """ Runs privacy analysis rules and checks packet against IDS signatures :param packet: packet to analyze :return: nothing """ for rule in rules_packet_privacy: try: rule(packet) except Exception as e: run_config.log_event.info( 'Exception raised in a privacy rule check: ' + str(e)) # For each triggered signature generate an alert for the user try: triggered_rules = signature_detector.check_signatures(packet) if len(triggered_rules) > 0: for triggered_rule in triggered_rules: is_dst = packet[ Ether].src in DeviceInformation.get_mac_addresses() alert_object = Alert(packet, triggered_rule.msg, AlertType.IDS, Severity.ALERT, is_dst) alert_object.alert() except Exception as e: run_config.log_event.info('Exception raised in an IDS rule check: ' + str(e)) # For each packet, pass through frequency detection engine try: anomaly_engine.check_signatures(packet) except Exception as e: run_config.log_event.info( 'Exception raised in an Anomaly Engine check: ' + str(e))
def __call__(self, packet: Packet): """ Function call to trigger the signature, alerts if matches and is over set limit :param packet: Packet being analyzed :return: None """ if self._layer in packet: # Calculate the hour in which the packet was transmitted hour = (packet.time % 86400) / 3600 # Adjust frequencies and limits based on time self.adjust_frequencies(hour) # If the frequency is above the adjusted average, create and Alert if self._current_average + self._current_deviation * 2 < self._window_frequency and \ not self._alerted_for_window: dst = False if packet[ "Ethernet"].src not in DeviceInformation.get_mac_addresses( ): dst = True Alert( packet, "Traffic based anomaly detection shows above usual rates of {0} traffic. {1} packets" " seen in last {2} seconds".format(self._layer, self._window_frequency, self._window_size), AlertType.ANOMALY, Severity.WARN, dst).alert() self._alerted_for_window = True
def _device_configuration(form_data: dict, ip_neighbors): """ Handler for device configuration form, inserts and removes devices the user would like monitored by the IDS :param form_data: Form data submitted by the user from the webpage :param ip_neighbors: List of neighboring devices displayed to the user :return: nothing """ # insert unique devices into the database to be monitored by our IDS mac_addresses = {key for key in form_data.keys()} existing_devices = set(DeviceInformation.get_mac_addresses(g.db)) new_devices_macs = mac_addresses - existing_devices new_devices = [ neigh for neigh in ip_neighbors if neigh.mac in new_devices_macs ] for item in new_devices: d = DeviceInformation(mac_address=item.mac, name="", ip_address=item.ip) DeviceInformation.insert_new_object(d) # remove devices that were unchecked devices_to_delete = [ DeviceInformation.get_by_pk(DeviceInformation.mac_address, mac_address, g.db) for mac_address in existing_devices - mac_addresses ] for device in devices_to_delete: device.delete(False, g.db) DeviceInformation.safe_commit(g.db)
def main(): """ Main loop of the program, does the following 1. Runs system privacy checks 2. Runs scanning analysis of the IoT devices 3. Sniffs packets on "br-lan" and analyzes the packet against signatures and privacy rules :return: nothing """ # 1) Perform a system configuration security check try: for rule in rules_system_privacy: rule() except Exception as e: run_config.log_event.info( f"Exception when running system privacy rule {e}") # Wait until there are mac_addresses to sniff for, max count equates to the maximum time to wait between polls max_count = 7 # 3 minutes count = 0 while True: n = (2**count) - 1 sleep(n) if count != max_count: count += 1 if DeviceInformation.get_mac_addresses(): break # 2) Run a scanning analysis of the IoT devices mac_addresses = DeviceInformation.get_mac_addresses() ip_to_mac = _pair_ip_to_mac(mac_addresses) try: for rule in rules_scanning_privacy: rule(ip_to_mac) except Exception as e: run_config.log_event.info( f"Exception when running scanning privacy rule {e}") # 3) Capture IoT packets only with crafted sniff and analyze the packet against signatures and privacy rules print("Capturing IoT packets only") sniff(iface=run_config.sniffing_interface, lfilter=_sniff_filter, prn=packet_parse, count=num_packets, store=0)
def settings(): """ Serves the template for the ids configuration page :return: Rendered jinja-2 template """ ip_neighbors = get_neighboring_devices() if request.method == 'POST' and 'device-form' in request.form: _device_configuration(request.form, ip_neighbors) elif request.method == 'POST' and 'email-form' in request.form: _email_configuration(request.form) elif request.method == 'POST' and 'equations-form' in request.form: _anomaly_configuration(request.form) return render_template( 'config.html', neighboring_devices=ip_neighbors, existing_devices=DeviceInformation.get_mac_addresses(g.db))
def setUp(self) -> None: self.db = db self.db.create_session() self.alert = Alerts(alert_type='IDS', description='test', severity=1, mac_address='00:00:00:00:00', payload='foobar') self.anamoly_eq = AnomalyEquations(average_equation="test", adjustment_equation="test") self.email_info = EmailInformation( recipient_addresses='[email protected], [email protected]', sender_address='*****@*****.**', sender_email_password='******', smtp_server='smtp.test.com') self.device_info = DeviceInformation(mac_address='00:00:00:00:00:00', name='test', ip_address='192.168.0.1')
def _sniff_filter(packet: Packet): results = DeviceInformation.get_mac_addresses() return packet.src in results or packet.dst in results