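def test_has_scanning(self):
    """has_scanning() must be True when the fixture holds ID 733101 records.

    Fix: the original only checked ``(... == addr).all()``, which is
    vacuously True on an empty subset, so a parser that dropped every
    733101 record would still pass the source-address check. The subset
    is now asserted non-empty first.
    """
    id_syslog = intrusion_detect.IdParse(self.syslog_file)
    # Subset of the parsed dataframe holding only the scanning-threat
    # records (ID 733101 is the ID test_scanning_threat_parse_log uses);
    # the earlier "ip spoofing" wording was a copy/paste leftover.
    scan_df = id_syslog.df[id_syslog.df['ID'] == 733101]
    # Guard against a vacuous .all() on an empty selection.
    self.assertFalse(scan_df.empty)
    # Every record in the fixture is expected to come from one source host.
    self.assertTrue((scan_df['Source'] == '192.168.3.10').all())
    self.assertTrue(id_syslog.has_scanning())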
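def test_acl_drop_parse_log(self):
    """Rate/count fields of ID 733100 records must be parsed per record.

    Fix: the comment claimed "255 unique destination addresses" but the
    assertions check the numeric rate/count columns; the comments now say
    what is actually verified, and the six identical checks run as
    subTests so one broken column does not hide the others.
    """
    id_syslog = intrusion_detect.IdParse(self.syslog_file)
    # NOTE(review): test_ACLDrop_parse_log filters ID 710003 while this
    # "acl_drop" test filters 733100 -- confirm against the fixture
    # generator which message ID each test is meant to cover.
    subset = id_syslog.df[id_syslog.df['ID'] == 733100]
    self.assertEqual(255, len(subset))
    # The fixture gives every record a distinct value in each of these
    # numeric fields, so 255 unique values per column shows each field was
    # read from its own record rather than carried over from a neighbour.
    rate_columns = ('DropRate', 'BurstRate', 'MaxConfigRate1',
                    'CurrentAverageRate', 'MaxConfigRate2', 'TotalCount')
    for column in rate_columns:
        with self.subTest(column=column):
            self.assertEqual(255, subset[column].nunique())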
def test_denial_of_service_parse_log(self):
    """ID 109017 records: 255 rows, every one from the same source address."""
    # NOTE(review): this test uses id_pkg.IdParse while most siblings use
    # intrusion_detect.IdParse; both names must resolve to the same parser
    # class or part of the suite exercises a different implementation.
    id_syslog = id_pkg.IdParse(self.syslog_file)
    dos_df = id_syslog.df[id_syslog.df['ID'] == 109017]
    self.assertEqual(255, len(dos_df))
    # A single attacker address is repeated across the whole burst.
    single_source = dos_df['Source'] == '10.203.254.158'
    self.assertTrue(single_source.all())
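def test_ACLDrop_parse_log(self):
    """ID 710003 records: 255 rows, all with the same source address.

    Fix: comments described "ip spoofing" information although the filter
    selects ID 710003, the ID this ACL-drop test is named for.
    """
    id_syslog = intrusion_detect.IdParse(self.syslog_file)
    # NOTE(review): test_acl_drop_parse_log filters ID 733100 -- confirm
    # which message ID the fixture labels as the ACL drop.
    drop_df = id_syslog.df[id_syslog.df['ID'] == 710003]
    self.assertEqual(255, len(drop_df))
    # One source address across every dropped record.
    self.assertTrue((drop_df['Source'] == '10.1.1.1').all())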
def test_firewall_parse_log(self):
    """ID 713162 records: 255 rows, one shared Session, 255 distinct Identifiers."""
    parsed = intrusion_detect.IdParse(self.syslog_file)
    fw_df = parsed.df[parsed.df['ID'] == 713162]
    self.assertEqual(255, len(fw_df))
    # Every record belongs to the same session ...
    same_session = fw_df['Session'] == 'db248b6cbdc547bbc6c6fdfb6916eeb'
    self.assertTrue(same_session.all())
    # ... but each carries its own identifier.
    self.assertEqual(255, fw_df['Identifier'].nunique())
def test_scanning_threat_parse_log(self):
    """ID 733101 records: 255 rows with strictly positive rate/count fields."""
    parsed = intrusion_detect.IdParse(self.syslog_file)
    threat_df = parsed.df[parsed.df['ID'] == 733101]
    self.assertEqual(255, len(threat_df))
    # NOTE(review): these column names ('Burst_Rate', 'Max Configured Rate 1',
    # ...) differ from the ones test_acl_drop_parse_log reads ('BurstRate',
    # 'MaxConfigRate1', ...); confirm the parser really emits both spellings.
    positive_columns = ('Burst_Rate', 'Max Configured Rate 1', 'Average Rate',
                        'Max Configured Rate 2', 'Total Count')
    for column in positive_columns:
        self.assertTrue((threat_df[column] > 0).all())
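def test_icmp_command_parse_log(self):
    """ID 313008 records: 255 rows, 255 distinct sources, one interface.

    Fix: the comments said "spoof" and "Expecting 1 source address" above
    an Interface check; they now describe the assertions that follow.
    """
    id_syslog = intrusion_detect.IdParse(self.syslog_file)
    icmp_df = id_syslog.df[id_syslog.df['ID'] == 313008]
    self.assertEqual(255, len(icmp_df))
    # Each record originates from a different host ...
    self.assertEqual(255, icmp_df['Source'].nunique())
    # ... and all of them were seen on the same interface.
    self.assertTrue((icmp_df['Interface'] == 'TestInterface').all())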
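def test_denied_icmp_parse_log(self):
    """ID 313004 records: 255 rows, 255 sources, 255 destinations, 40 ICMP types.

    Fix: the three uniqueness checks were written as
    ``self.assertTrue(255, ...)``, which treats 255 as the truthy value
    under test and the nunique() result as the failure *message* -- they
    could never fail, so a parser that collapsed every source, destination
    or ICMP type into one value still passed. They are now assertEqual.
    """
    # NOTE(review): uses id_pkg.IdParse while most siblings use
    # intrusion_detect.IdParse; both must refer to the same parser class.
    id_syslog = id_pkg.IdParse(self.syslog_file)
    denied_df = id_syslog.df[id_syslog.df['ID'] == 313004]
    self.assertEqual(255, len(denied_df))
    self.assertEqual(255, denied_df['Source'].nunique())
    self.assertEqual(255, denied_df['Destination'].nunique())
    # 40 distinct ICMP type values are expected from the fixture generator.
    self.assertEqual(40, denied_df['ICMPType'].nunique())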
def pandas_demo():
    """Shows how to use some pandas features needed to implement sprint 4.

    Loads the bundled intrusion log through IdParse and reports whether
    any IP-spoofing records were found. Pandas user guide:
    https://pandas.pydata.org/docs/user_guide/index.html
    """
    # os.path.join picks the separator for the host OS, so the same
    # relative path works on Windows ("c:\\dir\\file") and POSIX ("/dir/file").
    log_file = os.path.join('id_pkg', 'data', 'intrusion_logs.txt')
    # Same parser object the sprint 3 tests build.
    log = intrusion_detect.IdParse(log_file)
    if log.has_ip_spoofing():
        print('Spoofing attacks are present')
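def test_interface_parse_log(self):
    """ID 106001 (inbound TCP denied): fixed source/ports, 255 destinations.

    Fix: comments referred to "ip spoofing" for a 106001 connection-denied
    record; they now describe the fields the assertions actually check.
    Sample record the fixture is built from:
    %ASA-2-106001: Inbound TCP connection denied from 10.132.0.147/2257
    to 172.16.10.10/80 flags SYN on interface inside
    """
    id_syslog = intrusion_detect.IdParse(self.syslog_file)
    denied_df = id_syslog.df[id_syslog.df['ID'] == 106001]
    self.assertEqual(255, len(denied_df))
    # One source host and source port across every record.
    self.assertTrue((denied_df['Source'] == '10.132.0.147').all())
    # NOTE(review): ports are compared as strings, so the parser must keep
    # them as text; an int-typed column would make these checks fail.
    self.assertTrue((denied_df['SourcePort'] == '2257').all())
    # Each record targets a different destination host on the same port.
    self.assertEqual(255, denied_df['Destination'].nunique())
    self.assertTrue((denied_df['DestinationPort'] == '80').all())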
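def test_has_interface(self):
    """has_interface() must be True for the generated fixture.

    Fix: the comment justified the expectation with "ip spoofing present",
    which is unrelated to has_interface(); it now states the real reason.
    """
    id_syslog = intrusion_detect.IdParse(self.syslog_file)
    # The fixture contains interface (ID 106001) records, see
    # test_interface_parse_log, so the detector must report them.
    self.assertTrue(id_syslog.has_interface())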
def test_has_firewall(self):
    """has_firewall() must be True for the generated fixture."""
    parsed = intrusion_detect.IdParse(self.syslog_file)
    self.assertTrue(parsed.has_firewall())
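def test_has_icmp_command(self):
    """has_icmp() must be True for the generated fixture.

    Fix: dropped a commented-out duplicate of the assertion.
    """
    id_syslog = intrusion_detect.IdParse(self.syslog_file)
    self.assertTrue(id_syslog.has_icmp())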
def test_has_dos_attack(self):
    """has_dos_attack() must be True for the generated fixture."""
    # NOTE(review): uses id_pkg.IdParse; other tests use
    # intrusion_detect.IdParse -- both should name the same class.
    parsed = id_pkg.IdParse(self.syslog_file)
    self.assertTrue(parsed.has_dos_attack())
def test_has_scanning_threat(self):
    """has_scanning_threat() must be True for the generated fixture."""
    parsed = intrusion_detect.IdParse(self.syslog_file)
    self.assertTrue(parsed.has_scanning_threat())
def test_has_denied_icmp(self):
    """has_denied_icmp() must be True: the fixture holds denied-ICMP records."""
    # NOTE(review): uses id_pkg.IdParse; other tests use
    # intrusion_detect.IdParse -- both should name the same class.
    parsed = id_pkg.IdParse(self.syslog_file)
    self.assertTrue(parsed.has_denied_icmp())