update dataExfiltration

c'est pas encore ça mais il y a de l'idée
This commit is contained in:
SofianeElNaggar
2024-11-20 19:41:46 -05:00
parent 6efbe6e2e4
commit 17a6e3def2
3 changed files with 11 additions and 9 deletions


@ -91,10 +91,10 @@ def packet_callback(packet, rules_functions, tcp_packets, db):
@param db: Objet database pour envoyer des alertes à la BDD @param db: Objet database pour envoyer des alertes à la BDD
""" """
#print(packet) ##print(packet)
if IP in packet and TCP in packet: if IP in packet and TCP in packet:
tcp_packets.add_packet(packet[IP].src, packet[TCP].sport, packet[IP].dst, packet[TCP].dport, packet[TCP].flags, time.time()) tcp_packets.add_packet(packet[IP].src, packet[TCP].sport, packet[IP].dst, packet[TCP].dport, packet[TCP].flags, time.time())
print(tcp_packets[packet[IP].src]) #print(tcp_packets[packet[IP].src])
check_frame_w_rules(packet, rules_functions['TCP'], tcp_packets, db) check_frame_w_rules(packet, rules_functions['TCP'], tcp_packets, db)
tcp_packets.clean_old_packets() tcp_packets.clean_old_packets()
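Review bot: Commenting out the debug prints leaves dead code in packet_callback here and in the five TCP methods of the third file, where each `#print(f"i: {i}, ... \n{self.packets}")` line would have dumped the whole connection table on every matched packet. Rather than keeping them as `#print(...)`, delete them or route them through a module logger, e.g. `logger.debug("src=%s", packet[IP].src)`, so per-packet diagnostics can be switched on without editing the sensor and stay off in production. A bounded DEBUG-level message also avoids the self-inflicted load that a full `self.packets` dump per packet would cause on a busy capture interface. packet_callback's body starts before this hunk.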


@ -23,6 +23,8 @@ def rule(packet, _, db):
data_transfer[src_ip]["current"] += payload_size data_transfer[src_ip]["current"] += payload_size
data_transfer[src_ip]["daily"] += payload_size data_transfer[src_ip]["daily"] += payload_size
print(data_transfer[src_ip]["current"])
# Exfiltration de données instantané # Exfiltration de données instantané
if data_transfer[src_ip]["current"] > rule.seuil_session: if data_transfer[src_ip]["current"] > rule.seuil_session:
db.send_alert( db.send_alert(
@ -32,7 +34,7 @@ def rule(packet, _, db):
"Exfiltration de données détectée (instantané)", "Exfiltration de données détectée (instantané)",
src_ip, src_ip,
dst_ip, dst_ip,
"TCP", proto = "TCP",
reason="Exfiltration de données détectée (instantané)", reason="Exfiltration de données détectée (instantané)",
act="Alerte" act="Alerte"
) )
@ -48,7 +50,7 @@ def rule(packet, _, db):
"Exfiltration de données détectée (journalière)", "Exfiltration de données détectée (journalière)",
src_ip, src_ip,
dst_ip, dst_ip,
"TCP", proto = "TCP",
reason="Exfiltration de données détectée (journalière)", reason="Exfiltration de données détectée (journalière)",
act="Alerte" act="Alerte"
) )
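Review bot: The added `print(data_transfer[src_ip]["current"])` in the first hunk runs for every packet that reaches this rule and writes the running byte counter to stdout unconditionally, which on a busy interface is a steady stream of output from the sensor itself; it should go, or become `logger.debug("current=%s", data_transfer[src_ip]["current"])` behind a logger. The move from a positional `"TCP"` to the keyword `proto = "TCP"` in the two send_alert calls should be written `proto="TCP"` per PEP 8; whether `proto` is the actual parameter name of db.send_alert cannot be checked from this hunk. rule's body starts before the first hunk and continues between the hunks.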


@ -34,7 +34,7 @@ class TCP:
i, ip = self.find_packet_to_replace(ip_src, port_src, ip_dst, port_dst, "S") i, ip = self.find_packet_to_replace(ip_src, port_src, ip_dst, port_dst, "S")
if i is not None: if i is not None:
print(f"i: {i}, {ip_src}:{port_src}->{ip_dst}:{port_dst}, paquets: \n{self.packets}") #print(f"i: {i}, {ip_src}:{port_src}->{ip_dst}:{port_dst}, paquets: \n{self.packets}")
self.packets[ip][i][3].append("SA") self.packets[ip][i][3].append("SA")
self.packets[ip][i][4] = timestamp self.packets[ip][i][4] = timestamp
return return
@ -48,7 +48,7 @@ class TCP:
i, ip = self.find_packet_to_replace(ip_src, port_src, ip_dst, port_dst, "R") i, ip = self.find_packet_to_replace(ip_src, port_src, ip_dst, port_dst, "R")
if i is not None: if i is not None:
print(f"i: {i}, {ip_src}:{port_src}->{ip_dst}:{port_dst}, paquets: \n{self.packets}") #print(f"i: {i}, {ip_src}:{port_src}->{ip_dst}:{port_dst}, paquets: \n{self.packets}")
self.packets[ip][i][3].append("A") self.packets[ip][i][3].append("A")
self.packets[ip][i][4] = timestamp self.packets[ip][i][4] = timestamp
return return
@ -63,7 +63,7 @@ class TCP:
i, ip = self.find_packet_to_replace(ip_src, port_src, ip_dst, port_dst, "S") i, ip = self.find_packet_to_replace(ip_src, port_src, ip_dst, port_dst, "S")
if i is not None: if i is not None:
print(f"i: {i}, {ip_src}:{port_src}->{ip_dst}:{port_dst}, paquets: \n{self.packets}") #print(f"i: {i}, {ip_src}:{port_src}->{ip_dst}:{port_dst}, paquets: \n{self.packets}")
self.packets[ip][i][3].append("RA") self.packets[ip][i][3].append("RA")
self.packets[ip][i][4] = timestamp self.packets[ip][i][4] = timestamp
return return
@ -78,7 +78,7 @@ class TCP:
i, ip = self.find_packet_to_replace(ip_src, port_src, ip_dst, port_dst, "S") i, ip = self.find_packet_to_replace(ip_src, port_src, ip_dst, port_dst, "S")
if i is not None: if i is not None:
print(f"i: {i}, {ip_src}:{port_src}->{ip_dst}:{port_dst}, paquets: \n{self.packets}") #print(f"i: {i}, {ip_src}:{port_src}->{ip_dst}:{port_dst}, paquets: \n{self.packets}")
self.packets[ip][i][3].append("R") self.packets[ip][i][3].append("R")
self.packets[ip][i][4] = timestamp self.packets[ip][i][4] = timestamp
return return
@ -90,7 +90,7 @@ class TCP:
i, ip = self.find_packet_to_replace(ip_src, port_src, ip_dst, port_dst, "A") i, ip = self.find_packet_to_replace(ip_src, port_src, ip_dst, port_dst, "A")
if i is not None: if i is not None:
print(f"i: {i}, {ip_src}:{port_src}->{ip_dst}:{port_dst}, paquets: \n{self.packets}") #print(f"i: {i}, {ip_src}:{port_src}->{ip_dst}:{port_dst}, paquets: \n{self.packets}")
self.packets[ip][i][3].append("F") self.packets[ip][i][3].append("F")
self.packets[ip][i][4] = timestamp self.packets[ip][i][4] = timestamp
return return