def __init__(self, verbose, debug, whois):
self.addresses = {}
self.active_addresses = set()
self.verbose = verbose
self.debug = debug
self.whois = whois
self.whois_handler = WhoisHandler("WhoisData.txt")
self.prior_probabilities = {}
self.default_prior = 0.0001
#read prior probabilities
filename = "priors.txt"
try:
with open(filename) as f:
for line in f:
s = re.split("\t", line.strip())
if len(s) > 1:
self.prior_probabilities[s[0]] = s[1]
print "{} with prior {}".format(s[0], s[1])
print "Prior probabilities file '{}' loaded successfully".format(
filename)
except IOError:
print "Prior propabilities file:'{}' doesn't exist!".format(
filename)
pass
def __init__(self, verbose, debug, whois):
self.addresses = {}
self.active_addresses = set()
self.verbose = verbose
self.debug = debug
self.whois = whois
self.whois_handler = WhoisHandler("WhoisData.txt")
class IpHandler(object):
"""Class which handles all IP actions for slips. Stores every IP object in the session, provides summary, statistics etc."""
def __init__(self, verbose, debug, whois):
self.addresses = {}
self.verbose = verbose
self.debug = debug
self.whois = whois
self.whois_handler = WhoisHandler("WhoisData.txt")
# Using this decorator we can measure the time of a function
# @timing
def print_addresses(self, start_time, end_time, tw_index, threshold,
sdw_width, print_all):
""" Print information about all the IP addresses in the time window specified in the parameters."""
if self.debug:
print "\tTimewindow index:{}, threshold:{},SDW width: {}".format(
tw_index, threshold, sdw_width)
# If we should print all the addresses, because we finish processing.
if print_all:
print "\nFinal summary using the complete capture as a unique Time Window (Threshold = %f):" % (
threshold)
# For all the addresses stored in total
for address in self.addresses.values():
# print "********BEGINNIG {} *******".format(address.address)
# Process this IP for the time window specified. So we can compute the detection value.
address.process_timewindow(start_time, end_time, tw_index,
sdw_width, threshold)
# Get a printable version of this IP's data
#string = address.print_last_result(self.verbose, start_time, end_time, threshold,self.whois, print_all, True)
address.print_last_result(self.verbose, start_time, end_time,
threshold, self.whois,
self.whois_handler)
#print "***********************"
# If we should NOT print all the addresses, because we are inside a time window
if not print_all:
# We should not process all the ips here...
for address in self.addresses.values():
# print "********BEGINNIG {} *******".format(address.address)
# Process this IP for the time window specified. So we can compute the detection value.
address.process_timewindow(start_time, end_time, tw_index,
sdw_width, threshold)
# Get a printable version of this IP's data
#string = address.print_last_result(self.verbose, start_time, end_time, threshold,self.whois, print_all, True)
address.print_last_result(self.verbose, start_time, end_time,
threshold, self.whois,
self.whois_handler)
#print "***********************"
def get_ip(self, ip_string):
""" TODO put description here"""
#Have I seen this IP before?
try:
ip = self.addresses[ip_string]
# No, create it
except KeyError:
ip = IpAddress(ip_string, self.verbose, self.debug)
self.addresses[ip_string] = ip
return ip
def print_alerts(self):
""" TODO put description here"""
detected_counter = 0
self.whois_handler.store_whois_data_in_file()
print '\nFinal Alerts generated:'
f = open(filename, "w")
f.write("DATE:\t{}\nSummary of adresses in this capture:\n\n".format(
datetime.now().strftime('%Y/%m/%d %H:%M:%S')))
f.write('Alerts:\n')
for ip in self.addresses.values():
if len(ip.alerts) > 0:
detected_counter += 1
print "\t - " + ip.address
f.write('\t - ' + ip.address + '\n')
for alert in ip.get_alerts():
print "\t\t" + str(alert)
f.write('\t\t' + str(alert) + '\n')
s = "{} IP(s) out of {} detected as malicious.".format(
detected_counter, len(self.addresses.keys()))
f.write(s)
print s
f.close()
class IpHandler(object):
"""Class which handles all IP actions for slips. Stores every IP object in the session, provides summary, statistics etc."""
def __init__(self, verbose, debug, whois):
self.addresses = {}
self.active_addresses = set()
self.verbose = verbose
self.debug = debug
self.whois = whois
self.whois_handler = WhoisHandler("WhoisData.txt")
self.prior_probabilities = {}
self.default_prior = 0.0001
#read prior probabilities
filename = "priors.txt"
try:
with open(filename) as f:
for line in f:
s = re.split("\t", line.strip())
if len(s) > 1:
self.prior_probabilities[s[0]] = s[1]
print "{} with prior {}".format(s[0], s[1])
print "Prior probabilities file '{}' loaded successfully".format(
filename)
except IOError:
print "Prior propabilities file:'{}' doesn't exist!".format(
filename)
pass
# Using this decorator we can measure the time of a function
# @timing
def print_addresses(self, start_time, end_time, tw_index, threshold,
sdw_width, print_all):
""" Print information about all the IP addresses in the time window specified in the parameters."""
if self.debug:
print "\tTimewindow index:{}, threshold:{},SDW width: {}".format(
tw_index, threshold, sdw_width)
# If we should print all the addresses, because we finish processing.
if print_all:
print "\nFinal summary using the complete capture as a unique Time Window (Threshold = %f):" % (
threshold)
# For all the addresses stored in total
for ip in self.active_addresses:
#Get the IpAddress object
address = self.addresses[ip]
# Process this IP for the time window specified. So we can compute the detection value.
address.process_timewindow(start_time, end_time, tw_index, 10,
threshold)
# Get a printable version of this IP's data
address.print_last_result(self.verbose, start_time, end_time,
threshold, self.whois,
self.whois_handler)
# If we should NOT print all the addresses, because we are inside a time window
if not print_all:
# We should not process all the ips here...
for ip in self.active_addresses:
#Get the IpAddress object
address = self.addresses[ip]
# Process this IP for the time window specified. So we can compute the detection value.
address.process_timewindow(start_time, end_time, tw_index,
sdw_width, threshold)
# Get a printable version of this IP's data
address.print_last_result(self.verbose, start_time, end_time,
threshold, self.whois,
self.whois_handler)
#print "***********************"
def get_ip(self, ip_string):
"""Get the IpAddress object with id 'ip_string'. If it doesn't exists, create it"""
#Have I seen this IP before?
try:
ip = self.addresses[ip_string]
# No, create it
except KeyError:
if self.prior_probabilities.has_key(ip_string):
ip = IpAddress(ip_string, self.prior_probabilities[ip_string],
self.debug)
else:
ip = IpAddress(ip_string, self.default_prior, self.debug)
self.addresses[ip_string] = ip
#register ip as active in this TW
self.active_addresses.add(ip_string)
return ip
def print_alerts(self):
""" Gater all the alerts in the handler and print them"""
detected_counter = 0
self.whois_handler.store_whois_data_in_file()
print '\nFinal Alerts generated:'
f = open(filename, "w")
f.write("DATE:\t{}\nSummary of adresses in this capture:\n\n".format(
datetime.now().strftime('%Y/%m/%d %H:%M:%S')))
f.write('Alerts:\n')
for ip in self.addresses.values():
if len(ip.alerts) > 0:
detected_counter += 1
print "\t - " + ip.address
f.write('\t - ' + ip.address + '\n')
for alert in ip.get_alerts():
print "\t\t" + str(alert)
f.write('\t\t' + str(alert) + '\n')
s = "{} IP(s) out of {} detected as malicious.".format(
detected_counter, len(self.addresses.keys()))
f.write(s)
print s
f.close()
def close_time_window(self):
"""Clears all the active objects in the timewindow. Should be called at the end of every TW"""
#close tw in all active IpAddress objects
for ip in self.active_addresses:
self.addresses[ip].close_time_window()
#clear the active_addresses set
if self.debug:
print "# active IPs: {}".format(len(self.active_addresses))
self.active_addresses.clear()
class IpHandler(object):
"""Class which handles all IP actions for slips. Stores every IP object in the session, provides summary, statistics etc."""
def __init__(self, verbose, debug, whois):
self.addresses = {}
self.active_addresses = set()
self.verbose = verbose
self.debug = debug
self.whois = whois
self.whois_handler = WhoisHandler("WhoisData.txt")
def unblock(self, ip, unblocking_at_start=False):
""" Unblock this ip """
print cyan('\t\tAt {}, your IP address {} is not blocked'.format(
datetime.now(), ip))
file = open('block.log', 'a')
if unblocking_at_start:
file.write(
'Real time {}.The IP address {} UNBLOCKED when SLIPS started\n'
.format(datetime.now(), ip))
else:
file.write(
'Real time {}. The IP address {} was UNblocked because it was blocked in the last TW\n'
.format(datetime.now(), ip))
file.flush()
file.close()
ip_blocker.remove_reject_rule(ip)
# Using this decorator we can measure the time of a function
# @timing
def print_addresses(self, start_time, end_time, tw_index, threshold,
sdw_width, print_all):
""" Print information about all the IP addresses in the time window specified in the parameters."""
if self.debug:
print "\tTimewindow index:{}, threshold:{},SDW width: {}".format(
tw_index, threshold, sdw_width)
# If we should print all the addresses, because we finish processing.
if print_all:
print "\nFinal summary using the complete capture as a unique Time Window (Threshold = %f):" % (
threshold)
# For all the addresses stored in total
for ip in self.active_addresses:
#Get the IpAddress object
address = self.addresses[ip]
# Process this IP for the time window specified. So we can compute the detection value.
address.process_timewindow(start_time, end_time, tw_index, 10,
threshold)
# Get a printable version of this IP's data
address.print_last_result(self.verbose, start_time, end_time,
threshold, self.whois,
self.whois_handler)
# If we should NOT print all the addresses, because we are inside a time window
if not print_all:
# We should not process all the ips here...
for ip in self.active_addresses:
#Get the IpAddress object
address = self.addresses[ip]
# Process this IP for the time window specified. So we can compute the detection value.
address.process_timewindow(start_time, end_time, tw_index,
sdw_width, threshold)
# Get a printable version of this IP's data
address.print_last_result(self.verbose, start_time, end_time,
threshold, self.whois,
self.whois_handler)
def get_ip(self, ip_string):
"""Get the IpAddress object with id 'ip_string'. If it doesn't exists, create it"""
#Have I seen this IP before?
ip = None
if ip_string not in self.addresses.keys():
ip = IpAddress(ip_string, self.debug)
self.addresses[ip_string] = ip
ip = self.addresses[ip_string]
self.active_addresses.add(ip_string)
return ip
def print_alerts(self):
""" Gater all the alerts in the handler and print them"""
detected_counter = 0
self.whois_handler.store_whois_data_in_file()
print '\nFinal Alerts generated:'
f = open(filename, "w")
f.write("DATE:\t{}\nSummary of addresses in this capture:\n\n".format(
datetime.now().strftime('%Y/%m/%d %H:%M:%S')))
f.write('Alerts:\n')
for ip in self.addresses.values():
if len(ip.alerts) > 0:
detected_counter += 1
print "\t - " + ip.address
f.write('\t - ' + ip.address + '\n')
for alert in ip.get_alerts():
print "\t\t" + str(alert)
f.write('\t\t' + str(alert) + '\n')
s = "{} IP(s) out of {} detected as malicious.".format(
detected_counter, len(self.addresses.keys()))
f.write(s)
print s
f.close()
def close_time_window(self):
"""Clears all the active objects in the timewindow. Should be called at the end of every TW"""
#close tw in all active IpAddress objects
for ip in self.active_addresses:
self.addresses[ip].close_time_window()
#clear the active_addresses set
if self.debug:
print "# active IPs: {}".format(len(self.active_addresses))
self.active_addresses.clear()