Oxbian/SIDPS
1
0
Fork 0
mirror of https://github.com/Oxbian/SIDPS.git synced 2025-07-07 12:24:38 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

Update dataExfiltration.py

Browse Source
This commit is contained in:
SofianeElNaggar
2024-11-20 19:02:42 -05:00
parent e19b197acc
commit 6efbe6e2e4
1 changed files with 28 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
idps/rules/TCP/Scan/dataExfiltration.py
View File

@ -1,6 +1,7 @@
from collections import defaultdict from collections import defaultdict
from scapy.all import IP from scapy.all import IP
import time import time
from datetime import datetime
data_transfer = defaultdict(lambda: {"current": 0, "daily": 0, "last_reset": time.time()}) data_transfer = defaultdict(lambda: {"current": 0, "daily": 0, "last_reset": time.time()})
@ -22,28 +23,37 @@ def rule(packet, _, db):
data_transfer[src_ip]["current"] += payload_size data_transfer[src_ip]["current"] += payload_size
data_transfer[src_ip]["daily"] += payload_size data_transfer[src_ip]["daily"] += payload_size
# Déclencher une alerte si un seuil est atteint # Exfiltration de données instantané
if data_transfer[src_ip]["current"] > rule.seuil_session: if data_transfer[src_ip]["current"] > rule.seuil_session:
alert = { db.send_alert(
"type": "Exfiltration de données détectée (instantané)", datetime.now(),
"source_ip": src_ip, 5,
"destination_ip": dst_ip, None,
"volume": data_transfer[src_ip]["current"] / (1024 ** 3), "Exfiltration de données détectée (instantané)",
"threshold": rule.seuil_session / (1024 ** 3), src_ip,
"time": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime()), dst_ip,
} "TCP",
db.save_alert(alert) reason="Exfiltration de données détectée (instantané)",
act="Alerte"
)
data_transfer[src_ip]["current"] = 0 # Réinitialiser pour les prochaines sessions data_transfer[src_ip]["current"] = 0 # Réinitialiser pour les prochaines sessions
print(f"Alerte, data transfer, transfert instantané important")
# Exfiltration de données journalière
if data_transfer[src_ip]["daily"] > rule.seuil_journalier: if data_transfer[src_ip]["daily"] > rule.seuil_journalier:
alert = { db.send_alert(
"type": "Exfiltration de données détectée (journalière)", datetime.now(),
"source_ip": src_ip, 5,
"volume": data_transfer[src_ip]["daily"] / (1024 ** 3), None,
"threshold": rule.seuil_journalier / (1024 ** 3), "Exfiltration de données détectée (journalière)",
"time": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime()), src_ip,
} dst_ip,
db.save_alert(alert) "TCP",
reason="Exfiltration de données détectée (journalière)",
act="Alerte"
)
print(f"Alerte, data transfer, transfert journalier important")
rule.reset_time = 24 * 3600 # 24 heures en secondes rule.reset_time = 24 * 3600 # 24 heures en secondes
rule.seuil_session = 5 * 1024 * 1024 * 1024 # 5 Go en octets rule.seuil_session = 5 * 1024 * 1024 * 1024 # 5 Go en octets