Oxbian/SIDPS
1
0
Fork 0
mirror of https://github.com/Oxbian/SIDPS.git synced 2025-07-06 20:05:42 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

feat: protection system for the idps

Browse Source
This commit is contained in:
Oxbian
2024-11-23 12:15:10 -05:00
parent 4b84c4ebb1
commit c4df869596
16 changed files with 259 additions and 145 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
idps/rules/TCP/DOS/syndos.py
View File

@ -2,7 +2,7 @@ from datetime import datetime
import time
def rule(packet, tcp_packets, db):
def rule(packet, objets):
"""
Règle SYN Dos:
Un SYN DOS va envoyer des requêtes TCP avec le flag SYN en très grand nombre afin de surcharger le serveur ou la cible avec des grosses quantités de données
@ -15,17 +15,19 @@ def rule(packet, tcp_packets, db):
return
# Initialisation des paramètres à partir de la configuration si nécessaire
if (rule.seuil == 0 and rule.time_window == 0):
rule.time_window = db.get_key("synsdos_time", 60)
rule.seuil = db.get_key("syndos_count", 100)
if (rule.seuil == 0 and rule.time_window == 0 and rule.ban_time == 0):
rule.time_window = objets["config"].get("synsdos_time", 60)
rule.seuil = objets["config"].get("syndos_count", 100)
rule.ban_time = objets["config"].get("syndos_bantime", 300)
# Comptage des paquets TCP correspondant aux motifs spécifiques
syndeny_count = tcp_packets.count_packet_of_type(["S", "RA"], rule.time_window, True)
synaccept_count = tcp_packets.count_packet_of_type(["S", "SA", "R"], rule.time_window, True)
syndeny_count = objets["tcp_packets"].count_packet_of_type(["S", "RA"], rule.time_window, True)
synaccept_count = objets["tcp_packets"].count_packet_of_type(["S", "SA", "R"], rule.time_window, True)
# Détection si le seuil est dépassé et que la charge utile des paquets est non nulle
if (syndeny_count + synaccept_count >= rule.seuil and len(packet['TCP'].payload) > 0):
db.send_alert(datetime.now(), 5, None, "Syn DOS", packet['IP'].src, packet['IP'].dst, proto="TCP", reason="Détection de nombreux patterns de Syn->SynACK->Reset et Syn->Reset ACK", act="Alerte")
objets["database"].send_alert(datetime.now(), 5, None, "Syn DOS", objets["pkt_origin"][0], objets["pkt_origin"][2], proto="TCP", reason="Détection de nombreux patterns de Syn->SynACK->Reset et Syn->Reset ACK", act="Alerte")
objets["iptables_manager"].add_rule("iptables -I FORWARD -s " + objets["pkt_origin"][0] + " -j DROP", rule.ban_time)
print("Alerte, seuil dépassé, risque de Syn DOS détecté.")
rule.cooldown = time.time()
@ -34,3 +36,4 @@ def rule(packet, tcp_packets, db):
rule.cooldown = 0
rule.time_window = 0
rule.seuil = 0
rule.ban_time = 0

17
idps/rules/TCP/DOS/synflood.py
View File

@ -2,7 +2,7 @@ from datetime import datetime
import time
def rule(packet, tcp_packets, db):
def rule(packet, objets):
"""
Règle SYN Flood:
Un SYN Flood va envoyer des requêtes TCP avec le flag SYN en très grand nombre afin de surcharger le serveur ou la cible
@ -15,17 +15,19 @@ def rule(packet, tcp_packets, db):
return
# Initialisation des paramètres à partir de la configuration si nécessaire
if (rule.seuil == 0 and rule.time_window == 0):
rule.time_window = db.get_key("synsflood_time", 60)
rule.seuil = db.get_key("synflood_count", 100)
if (rule.seuil == 0 and rule.time_window == 0 and rule.ban_time == 0):
rule.time_window = objets["config"].get("synsflood_time", 60)
rule.seuil = objets["config"].get("synflood_count", 100)
rule.ban_time = objets["config"].get("synflood_bantime", 300)
# Comptage des paquets TCP correspondant aux motifs spécifiques
syndeny_count = tcp_packets.count_packet_of_type(["S", "RA"], rule.time_window, True)
synaccept_count = tcp_packets.count_packet_of_type(["S", "SA", "R"], rule.time_window, True)
syndeny_count = objets["tcp_packets"].count_packet_of_type(["S", "RA"], rule.time_window, True)
synaccept_count = objets["tcp_packets"].count_packet_of_type(["S", "SA", "R"], rule.time_window, True)
# Détection si le seuil est dépassé
if (syndeny_count + synaccept_count >= rule.seuil):
db.send_alert(datetime.now(), 5, None, "Syn flood", packet['IP'].src, packet['IP'].dst, proto="TCP", reason="Détection de nombreux patterns de Syn->SynACK->Reset et Syn->Reset ACK", act="Alerte")
objets["database"].send_alert(datetime.now(), 5, None, "Syn flood", objets["pkt_origin"][0], objets["pkt_origin"][2], proto="TCP", reason="Détection de nombreux patterns de Syn->SynACK->Reset et Syn->Reset ACK", act="Alerte")
objets["iptables_manager"].add_rule("iptables -I FORWARD -s " + objets["pkt_origin"][0] + " -j DROP", rule.ban_time)
print("Alerte, seuil dépassé, risque de Syn Flood détecté.")
rule.cooldown = time.time()
@ -34,3 +36,4 @@ def rule(packet, tcp_packets, db):
rule.cooldown = 0
rule.time_window = 0
rule.seuil = 0
rule.ban_time = 0

20
idps/rules/TCP/DOS/tcpconnectflood.py
View File

@ -2,7 +2,7 @@ from datetime import datetime
import time
def rule(packet, tcp_packets, db):
def rule(packet, objets):
"""Règle TCPConnect Flood:
Un flood TCP connect va effectuer une connexion TCP en très grand nombre
Si le port est ouvert le serveur acceptera la connexion SYN -> SYN ACK -> ACK -> Reset ACK
@ -13,17 +13,19 @@ def rule(packet, tcp_packets, db):
return
# Vérification si nécessaire de récupérer les variables depuis la config
if (rule.seuil == 0 and rule.time_window == 0):
rule.time_window = db.get_key("tcpconnectflood_time", 60)
rule.seuil = db.get_key("tcpconnectflood_count", 100)
if (rule.seuil == 0 and rule.time_window == 0 and rule.ban_time == 0):
rule.time_window = objets["config"].get("tcpconnectflood_time", 60)
rule.seuil = objets["config"].get("tcpconnectflood_count", 100)
rule.ban_time = objets["config"].get("tcpconnectflood_bantime", 300)
# Comptage du nombre de scan tcp connect acceptés et refusés
tcpconnectdeny_count = tcp_packets.count_packet_of_type(["S", "RA"], rule.time_window, True)
tcpconnectaccept_count = tcp_packets.count_packet_of_type(["S", "SA", "A", "RA"], rule.time_window, True)
tcpconnectdeny_count = objets["tcp_packets"].count_packet_of_type(["S", "RA"], rule.time_window, True)
tcpconnectaccept_count = objets["tcp_packets"].count_packet_of_type(["S", "SA", "A", "RA"], rule.time_window, True)
if (tcpconnectaccept_count + tcpconnectdeny_count >= rule.seuil):
db.send_alert(datetime.now(), 5, None, "TCPConnect Flood", packet['IP'].src, packet['IP'].dst, proto="TCP", reason="Détection de nombreux patterns de Syn->SynACK->ACK->Reset ACK et Syn->Reset ACK", act="Alerte")
print(f"Alerte, seuils dépassés, risque de TCPconnect Flood")
objets["database"].send_alert(datetime.now(), 5, None, "TCPConnect Flood", objets["pkt_origin"][0], objets["pkt_origin"][2], proto="TCP", reason="Détection de nombreux patterns de Syn->SynACK->ACK->Reset ACK et Syn->Reset ACK", act="Alerte")
objets["iptables_manager"].add_rule("iptables -I FORWARD -s " + objets["pkt_origin"][0] + " -j DROP", rule.ban_time)
print("Alerte, seuils dépassés, risque de TCPconnect Flood")
rule.cooldown = time.time()
@ -31,4 +33,4 @@ def rule(packet, tcp_packets, db):
rule.cooldown = 0
rule.time_window = 0
rule.seuil = 0
rule.ban_time = 0

19
idps/rules/TCP/Scan/ackscan.py
View File

@ -2,7 +2,7 @@ from datetime import datetime
import time
def rule(packet, tcp_packets, db):
def rule(packet, objets):
"""Règle ACK Scan:
Un ACK Scan va envoyer des requêtes TCP avec le flag ACK
Si le firewall ne bloque pas, alors il répond avec le flag Reset
@ -12,17 +12,19 @@ def rule(packet, tcp_packets, db):
return
# Vérification si nécessaire de récupérer les variables depuis la config
if (rule.seuil == 0 and rule.time_window == 0):
rule.time_window = db.get_key("ackscan_time", 180)
rule.seuil = db.get_key("ackscan_count", 5)
if (rule.seuil == 0 and rule.time_window == 0 and rule.ban_time == 0):
rule.time_window = objets["config"].get("ackscan_time", 180)
rule.seuil = objets["config"].get("ackscan_count", 5)
rule.ban_time = objets["config"].get("ackscan_bantime", 300)
# Comptage nombre de scan ack acceptés et refusés
ackdeny_count = tcp_packets.count_packet_of_type(["A", "R"], rule.time_window, True)
ackaccept_count = tcp_packets.count_packet_of_type(["A"], rule.time_window, True)
ackdeny_count = objets["tcp_packets"].count_packet_of_type(["A", "R"], rule.time_window, True)
ackaccept_count = objets["tcp_packets"].count_packet_of_type(["A"], rule.time_window, True)
if (ackaccept_count + ackdeny_count >= rule.seuil):
db.send_alert(datetime.now(), 5, None, "ACK scan", packet['IP'].src, packet['IP'].dst, proto="TCP", reason="Détection de nombreux patterns de Ack->Reset et Ack pas de réponse", act="Alerte")
print(f"Alerte, seuil dépassés, risque d'Ack scan")
objets["database"].send_alert(datetime.now(), 5, None, "ACK scan", objets["pkt_origin"][0], objets["pkt_origin"][2], proto="TCP", reason="Détection de nombreux patterns de Ack->Reset et Ack pas de réponse", act="Alerte")
print("Alerte, seuil dépassés, risque d'Ack scan")
objets["iptables_manager"].add_rule("iptables -I FORWARD -s " + objets["pkt_origin"][0] + " -j DROP", rule.ban_time)
rule.cooldown = time.time()
@ -30,3 +32,4 @@ def rule(packet, tcp_packets, db):
rule.cooldown = 0
rule.time_window = 0
rule.seuil = 0
rule.ban_time = 0

20
idps/rules/TCP/Scan/finscan.py
View File

@ -2,27 +2,30 @@ from datetime import datetime
import time
def rule(packet, tcp_packets, db):
def rule(packet, objets):
"""Règle Fin Scan:
Un Fin Scan va envoyer des requêtes TCP avec le flag Fin
Si le port est ouvert alors le serveur répondra pas
Sinon le port est fermé et le serveur répondra: Reset ACK
"""
if (rule.cooldown + rule.time_window > time.time()):
return
# Vérification si nécessaire de récupérer les variables depuis la config
if (rule.seuil == 0 and rule.time_window == 0):
rule.time_window = db.get_key("finscan_time", 180)
rule.seuil = db.get_key("finscan_count", 5)
if (rule.seuil == 0 and rule.time_window == 0 and rule.ban_time == 0):
rule.time_window = objets["config"].get("finscan_time", 180)
rule.seuil = objets["config"].get("finscan_count", 5)
rule.ban_time = objets["config"].get("finscan_bantime", 300)
# Comptage du nombre de scan fin acceptés et refusés
findeny_count = tcp_packets.count_packet_of_type(["F", "RA"], rule.time_window, True)
finaccept_count = tcp_packets.count_packet_of_type(["F"], rule.time_window, True)
findeny_count = objets["tcp_packets"].count_packet_of_type(["F", "RA"], rule.time_window, True)
finaccept_count = objets["tcp_packets"].count_packet_of_type(["F"], rule.time_window, True)
if (findeny_count + finaccept_count >= rule.seuil):
db.send_alert(datetime.now(), 5, None, "Fin scan", packet['IP'].src, packet['IP'].dst, proto="TCP", reason="Détection de nombreux patterns de Fin->Reset Ack et Fin->rien", act="Alerte")
print(f"Alerte, seuil dépassés, risque de Fin Scan")
objets["database"].send_alert(datetime.now(), 5, None, "Fin scan", objets["pkt_origin"][0], objets["pkt_origin"][2], proto="TCP", reason="Détection de nombreux patterns de Fin->Reset Ack et Fin->rien", act="Alerte")
objets["iptables_manager"].add_rule("iptables -I FORWARD -s " + objets["pkt_origin"][0] + " -j DROP", rule.ban_time)
print("Alerte, seuil dépassés, risque de Fin Scan")
rule.cooldown = time.time()
@ -30,3 +33,4 @@ def rule(packet, tcp_packets, db):
rule.cooldown = 0
rule.time_window = 0
rule.seuil = 0
rule.ban_time = 0

21
idps/rules/TCP/Scan/nullscan.py
View File

@ -2,7 +2,7 @@ from datetime import datetime
import time
def rule(packet, tcp_packets, db):
def rule(packet, objets):
"""Règle Null Scan:
Un Null Scan va envoyer des requêtes TCP avec aucun flag d'actif
Si le port est ouvert alors le serveur ne répondra pas
@ -12,17 +12,19 @@ def rule(packet, tcp_packets, db):
return
# Vérification si nécessaire de récupérer les variables depuis la config
if (rule.seuil == 0 and rule.time_window == 0):
rule.time_window = db.get_key("nullscan_time", 180)
rule.seuil = db.get_key("nullscan_count", 5)
if (rule.seuil == 0 and rule.time_window == 0 and rule.ban_time == 0):
rule.time_window = objets["config"].get("nullscan_time", 180)
rule.seuil = objets["config"].get("nullscan_count", 5)
rule.ban_time = objets["config"].get("nullscan_bantime", 300)
# Comptage du nombre de scan null acceptés et refusés
nulldeny_count = tcp_packets.count_packet_of_type(["", "RA"], rule.time_window, True)
nullaccept_count = tcp_packets.count_packet_of_type([""], rule.time_window, True)
nulldeny_count = objets["tcp_packets"].count_packet_of_type(["", "RA"], rule.time_window, True)
nullaccept_count = objets["tcp_packets"].count_packet_of_type([""], rule.time_window, True)
if (nulldeny_count + nulldeny_count >= rule.seuil):
db.send_alert(datetime.now(), 5, None, "Null scan", packet['IP'].src, packet['IP'].dst, proto="TCP", reason="Détection de nombreux patterns de None->Reset Ack et None -> rien", act="Alerte")
print(f"Alerte, seuil dépassés, risque de Null Scan")
if (nullaccept_count + nulldeny_count >= rule.seuil):
objets["database"].send_alert(datetime.now(), 5, None, "Null scan", objets["pkt_origin"][0], objets["pkt_origin"][2], proto="TCP", reason="Détection de nombreux patterns de None->Reset Ack et None -> rien", act="Alerte")
objets["iptables_manager"].add_rule("iptables -I FORWARD -s " + objets["pkt_origin"][0] + " -j DROP", rule.ban_time)
print("Alerte, seuil dépassés, risque de Null Scan")
rule.cooldown = time.time()
@ -30,3 +32,4 @@ def rule(packet, tcp_packets, db):
rule.cooldown = 0
rule.time_window = 0
rule.seuil = 0
rule.ban_time = 0

19
idps/rules/TCP/Scan/synscan.py
View File

@ -2,7 +2,7 @@ from datetime import datetime
import time
def rule(packet, tcp_packets, db):
def rule(packet, objets):
"""Règle SYN Scan:
Un SYNScan va envoyer des requêtes TCP avec le flag SYN
Si le port est ouvert alors le serveur répondra: Syn ACK, puis le client Reset la connexion
@ -12,17 +12,19 @@ def rule(packet, tcp_packets, db):
return
# Vérification si nécessaire de récupérer les variables depuis la config
if (rule.seuil == 0 and rule.time_window == 0):
rule.time_window = db.get_key("synscan_time", 180)
rule.seuil = db.get_key("synscan_count", 5)
if (rule.seuil == 0 and rule.time_window == 0 and rule.ban_time == 0):
rule.time_window = objets["config"].get("synscan_time", 180)
rule.seuil = objets["config"].get("synscan_count", 5)
rule.ban_time = objets["config"].get("synscan_bantime", 300)
# Comptage du nombre de scan syn acceptés et refusés
syndeny_count = tcp_packets.count_packet_of_type(["S", "RA"], rule.time_window, True)
synaccept_count = tcp_packets.count_packet_of_type(["S", "SA", "R"], rule.time_window, True)
syndeny_count = objets["tcp_packets"].count_packet_of_type(["S", "RA"], rule.time_window, True)
synaccept_count = objets["tcp_packets"].count_packet_of_type(["S", "SA", "R"], rule.time_window, True)
if (synaccept_count + syndeny_count >= rule.seuil):
db.send_alert(datetime.now(), 5, None, "Syn scan", packet['IP'].src, packet['IP'].dst, proto="TCP", reason="Détection de nombreux patterns de Syn->SynACK->Reset et Syn->Reset ACK", act="Alerte")
print(f"Alerte, seuil dépassés, risque de SynScan")
objets["database"].send_alert(datetime.now(), 5, None, "Syn scan", objets["pkt_origin"][0], objets["pkt_origin"][2], proto="TCP", reason="Détection de nombreux patterns de Syn->SynACK->Reset et Syn->Reset ACK", act="Alerte")
objets["iptables_manager"].add_rule("/sbin/iptables -I FORWARD -s " + objets["pkt_origin"][0] + " -j DROP", rule.ban_time)
print("Alerte, seuil dépassés, risque de SynScan")
rule.cooldown = time.time()
@ -30,3 +32,4 @@ def rule(packet, tcp_packets, db):
rule.cooldown = 0
rule.time_window = 0
rule.seuil = 0
rule.ban_time = 0

19
idps/rules/TCP/Scan/tcpconnectscan.py
View File

@ -2,7 +2,7 @@ from datetime import datetime
import time
def rule(packet, tcp_packets, db):
def rule(packet, objets):
"""Règle TCPConnect Scan:
Un scan TCP connect va effectuer une connexion TCP en entier sur chaque port scanné.
Si le port est ouvert le serveur acceptera la connexion SYN -> SYN ACK -> ACK -> Reset ACK
@ -13,17 +13,19 @@ def rule(packet, tcp_packets, db):
return
# Vérification si nécessaire de récupérer les variables depuis la config
if (rule.seuil == 0 and rule.time_window == 0):
rule.time_window = db.get_key("tcpconnectscan_time", 180)
rule.seuil = db.get_key("tcpconnectscan_count", 5)
if (rule.seuil == 0 and rule.time_window == 0 and rule.ban_time == 0):
rule.time_window = objets["config"].get("tcpconnectscan_time", 180)
rule.seuil = objets["config"].get("tcpconnectscan_count", 5)
rule.ban_time = objets["config"].get("tcpconnectscan_bantime", 300)
# Comptage du nombre de scan tcp connect acceptés et refusés
tcpconnectdeny_count = tcp_packets.count_packet_of_type(["S", "RA"], rule.time_window, True)
tcpconnectaccept_count = tcp_packets.count_packet_of_type(["S", "SA", "A", "RA"], rule.time_window, True)
tcpconnectdeny_count = objets["tcp_packets"].count_packet_of_type(["S", "RA"], rule.time_window, True)
tcpconnectaccept_count = objets["tcp_packets"].count_packet_of_type(["S", "SA", "A", "RA"], rule.time_window, True)
if (tcpconnectaccept_count + tcpconnectdeny_count >= rule.seuil):
db.send_alert(datetime.now(), 5, None, "TCPConnect Scan", packet['IP'].src, packet['IP'].dst, proto="TCP", reason="Détection de nombreux patterns de Syn->SynACK->ACK->Reset ACK et Syn->Reset ACK", act="Alerte")
print(f"Alerte, seuils dépassés, risque de TCPConnectScan")
objets["database"].send_alert(datetime.now(), 5, None, "TCPConnect Scan", objets["pkt_origin"][0], objets["pkt_origin"][2], proto="TCP", reason="Détection de nombreux patterns de Syn->SynACK->ACK->Reset ACK et Syn->Reset ACK", act="Alerte")
objets["iptables_manager"].add_rule("iptables -I FORWARD -s " + objets["pkt_origin"][0] + " -j DROP", rule.ban_time)
print("Alerte, seuils dépassés, risque de TCPConnectScan")
rule.cooldown = time.time()
@ -31,3 +33,4 @@ def rule(packet, tcp_packets, db):
rule.cooldown = 0
rule.time_window = 0
rule.seuil = 0
rule.ban_time = 0

19
idps/rules/TCP/Scan/xmasscan.py
View File

@ -2,7 +2,7 @@ from datetime import datetime
import time
def rule(packet, tcp_packets, db):
def rule(packet, objets):
"""Règle XMAS Scan:
Un XMAS Scan va envoyer des requêtes TCP avec le flag Fin, Push, Urg
Si le port est ouvert alors le serveur répondra pas
@ -12,17 +12,19 @@ def rule(packet, tcp_packets, db):
return
# Vérification si nécessaire de récupérer les variables depuis la config
if (rule.seuil == 0 and rule.time_window == 0):
rule.time_window = db.get_key("xmasscan_time", 180)
rule.seuil = db.get_key("xmasscan_count", 5)
if (rule.seuil == 0 and rule.time_window == 0 and rule.ban_time == 0):
rule.time_window = objets["config"].get("xmasscan_time", 180)
rule.seuil = objets["config"].get("xmasscan_count", 5)
rule.ban_time = objets["config"].get("xmasscan_bantime", 300)
# Comptage du nombre de scan XMAS acceptés et refusés
xmasdeny_count = tcp_packets.count_packet_of_type(["FPU", "RA"], rule.time_window, True)
xmasaccept_count = tcp_packets.count_packet_of_type(["FPU"], rule.time_window, True)
xmasdeny_count = objets["tcp_packets"].count_packet_of_type(["FPU", "RA"], rule.time_window, True)
xmasaccept_count = objets["tcp_packets"].count_packet_of_type(["FPU"], rule.time_window, True)
if (xmasaccept_count + xmasdeny_count >= rule.seuil):
db.send_alert(datetime.now(), 5, None, "XMAS scan", packet['IP'].src, packet['IP'].dst, proto="TCP", reason="Détection de nombreux patterns de Fin Push Urg -> rien et Fin Push Urg->Reset ACK", act="Alerte")
print(f"Alerte, seuil dépassés, risque de XMAS Scan")
objets["database"].send_alert(datetime.now(), 5, None, "XMAS scan", objets["pkt_origin"][0], objets["pkt_origin"][2], proto="TCP", reason="Détection de nombreux patterns de Fin Push Urg -> rien et Fin Push Urg->Reset ACK", act="Alerte")
objets["iptables_manager"].add_rule("iptables -I FORWARD -s " + objets["pkt_origin"][0] + " -j DROP", rule.ban_time)
print("Alerte, seuil dépassés, risque de XMAS Scan")
rule.cooldown = time.time()
@ -30,3 +32,4 @@ def rule(packet, tcp_packets, db):
rule.cooldown = 0
rule.time_window = 0
rule.seuil = 0
rule.ban_time = 0