mirror of
https://github.com/Oxbian/SIDPS.git
synced 2025-07-07 04:14:46 +02:00
feat: protection system for the idps
This commit is contained in:
@ -2,7 +2,7 @@ from datetime import datetime
|
||||
import time
|
||||
|
||||
|
||||
def rule(packet, tcp_packets, db):
|
||||
def rule(packet, objets):
|
||||
"""
|
||||
Règle SYN Dos:
|
||||
Un SYN DOS va envoyer des requêtes TCP avec le flag SYN en très grand nombre afin de surcharger le serveur ou la cible avec des grosses quantités de données
|
||||
@ -15,17 +15,19 @@ def rule(packet, tcp_packets, db):
|
||||
return
|
||||
|
||||
# Initialisation des paramètres à partir de la configuration si nécessaire
|
||||
if (rule.seuil == 0 and rule.time_window == 0):
|
||||
rule.time_window = db.get_key("synsdos_time", 60)
|
||||
rule.seuil = db.get_key("syndos_count", 100)
|
||||
if (rule.seuil == 0 and rule.time_window == 0 and rule.ban_time == 0):
|
||||
rule.time_window = objets["config"].get("synsdos_time", 60)
|
||||
rule.seuil = objets["config"].get("syndos_count", 100)
|
||||
rule.ban_time = objets["config"].get("syndos_bantime", 300)
|
||||
|
||||
# Comptage des paquets TCP correspondant aux motifs spécifiques
|
||||
syndeny_count = tcp_packets.count_packet_of_type(["S", "RA"], rule.time_window, True)
|
||||
synaccept_count = tcp_packets.count_packet_of_type(["S", "SA", "R"], rule.time_window, True)
|
||||
syndeny_count = objets["tcp_packets"].count_packet_of_type(["S", "RA"], rule.time_window, True)
|
||||
synaccept_count = objets["tcp_packets"].count_packet_of_type(["S", "SA", "R"], rule.time_window, True)
|
||||
|
||||
# Détection si le seuil est dépassé et que la charge utile des paquets est non nulle
|
||||
if (syndeny_count + synaccept_count >= rule.seuil and len(packet['TCP'].payload) > 0):
|
||||
db.send_alert(datetime.now(), 5, None, "Syn DOS", packet['IP'].src, packet['IP'].dst, proto="TCP", reason="Détection de nombreux patterns de Syn->SynACK->Reset et Syn->Reset ACK", act="Alerte")
|
||||
objets["database"].send_alert(datetime.now(), 5, None, "Syn DOS", objets["pkt_origin"][0], objets["pkt_origin"][2], proto="TCP", reason="Détection de nombreux patterns de Syn->SynACK->Reset et Syn->Reset ACK", act="Alerte")
|
||||
objets["iptables_manager"].add_rule("iptables -I FORWARD -s " + objets["pkt_origin"][0] + " -j DROP", rule.ban_time)
|
||||
print("Alerte, seuil dépassé, risque de Syn DOS détecté.")
|
||||
rule.cooldown = time.time()
|
||||
|
||||
@ -34,3 +36,4 @@ def rule(packet, tcp_packets, db):
|
||||
rule.cooldown = 0
|
||||
rule.time_window = 0
|
||||
rule.seuil = 0
|
||||
rule.ban_time = 0
|
||||
|
@ -2,7 +2,7 @@ from datetime import datetime
|
||||
import time
|
||||
|
||||
|
||||
def rule(packet, tcp_packets, db):
|
||||
def rule(packet, objets):
|
||||
"""
|
||||
Règle SYN Flood:
|
||||
Un SYN Flood va envoyer des requêtes TCP avec le flag SYN en très grand nombre afin de surcharger le serveur ou la cible
|
||||
@ -15,17 +15,19 @@ def rule(packet, tcp_packets, db):
|
||||
return
|
||||
|
||||
# Initialisation des paramètres à partir de la configuration si nécessaire
|
||||
if (rule.seuil == 0 and rule.time_window == 0):
|
||||
rule.time_window = db.get_key("synsflood_time", 60)
|
||||
rule.seuil = db.get_key("synflood_count", 100)
|
||||
if (rule.seuil == 0 and rule.time_window == 0 and rule.ban_time == 0):
|
||||
rule.time_window = objets["config"].get("synsflood_time", 60)
|
||||
rule.seuil = objets["config"].get("synflood_count", 100)
|
||||
rule.ban_time = objets["config"].get("synflood_bantime", 300)
|
||||
|
||||
# Comptage des paquets TCP correspondant aux motifs spécifiques
|
||||
syndeny_count = tcp_packets.count_packet_of_type(["S", "RA"], rule.time_window, True)
|
||||
synaccept_count = tcp_packets.count_packet_of_type(["S", "SA", "R"], rule.time_window, True)
|
||||
syndeny_count = objets["tcp_packets"].count_packet_of_type(["S", "RA"], rule.time_window, True)
|
||||
synaccept_count = objets["tcp_packets"].count_packet_of_type(["S", "SA", "R"], rule.time_window, True)
|
||||
|
||||
# Détection si le seuil est dépassé
|
||||
if (syndeny_count + synaccept_count >= rule.seuil):
|
||||
db.send_alert(datetime.now(), 5, None, "Syn flood", packet['IP'].src, packet['IP'].dst, proto="TCP", reason="Détection de nombreux patterns de Syn->SynACK->Reset et Syn->Reset ACK", act="Alerte")
|
||||
objets["database"].send_alert(datetime.now(), 5, None, "Syn flood", objets["pkt_origin"][0], objets["pkt_origin"][2], proto="TCP", reason="Détection de nombreux patterns de Syn->SynACK->Reset et Syn->Reset ACK", act="Alerte")
|
||||
objets["iptables_manager"].add_rule("iptables -I FORWARD -s " + objets["pkt_origin"][0] + " -j DROP", rule.ban_time)
|
||||
print("Alerte, seuil dépassé, risque de Syn Flood détecté.")
|
||||
rule.cooldown = time.time()
|
||||
|
||||
@ -34,3 +36,4 @@ def rule(packet, tcp_packets, db):
|
||||
rule.cooldown = 0
|
||||
rule.time_window = 0
|
||||
rule.seuil = 0
|
||||
rule.ban_time = 0
|
||||
|
@ -2,7 +2,7 @@ from datetime import datetime
|
||||
import time
|
||||
|
||||
|
||||
def rule(packet, tcp_packets, db):
|
||||
def rule(packet, objets):
|
||||
"""Règle TCPConnect Flood:
|
||||
Un flood TCP connect va effectuer une connexion TCP en très grand nombre
|
||||
Si le port est ouvert le serveur acceptera la connexion SYN -> SYN ACK -> ACK -> Reset ACK
|
||||
@ -13,17 +13,19 @@ def rule(packet, tcp_packets, db):
|
||||
return
|
||||
|
||||
# Vérification si nécessaire de récupérer les variables depuis la config
|
||||
if (rule.seuil == 0 and rule.time_window == 0):
|
||||
rule.time_window = db.get_key("tcpconnectflood_time", 60)
|
||||
rule.seuil = db.get_key("tcpconnectflood_count", 100)
|
||||
if (rule.seuil == 0 and rule.time_window == 0 and rule.ban_time == 0):
|
||||
rule.time_window = objets["config"].get("tcpconnectflood_time", 60)
|
||||
rule.seuil = objets["config"].get("tcpconnectflood_count", 100)
|
||||
rule.ban_time = objets["config"].get("tcpconnectflood_bantime", 300)
|
||||
|
||||
# Comptage du nombre de scan tcp connect acceptés et refusés
|
||||
tcpconnectdeny_count = tcp_packets.count_packet_of_type(["S", "RA"], rule.time_window, True)
|
||||
tcpconnectaccept_count = tcp_packets.count_packet_of_type(["S", "SA", "A", "RA"], rule.time_window, True)
|
||||
tcpconnectdeny_count = objets["tcp_packets"].count_packet_of_type(["S", "RA"], rule.time_window, True)
|
||||
tcpconnectaccept_count = objets["tcp_packets"].count_packet_of_type(["S", "SA", "A", "RA"], rule.time_window, True)
|
||||
|
||||
if (tcpconnectaccept_count + tcpconnectdeny_count >= rule.seuil):
|
||||
db.send_alert(datetime.now(), 5, None, "TCPConnect Flood", packet['IP'].src, packet['IP'].dst, proto="TCP", reason="Détection de nombreux patterns de Syn->SynACK->ACK->Reset ACK et Syn->Reset ACK", act="Alerte")
|
||||
print(f"Alerte, seuils dépassés, risque de TCPconnect Flood")
|
||||
objets["database"].send_alert(datetime.now(), 5, None, "TCPConnect Flood", objets["pkt_origin"][0], objets["pkt_origin"][2], proto="TCP", reason="Détection de nombreux patterns de Syn->SynACK->ACK->Reset ACK et Syn->Reset ACK", act="Alerte")
|
||||
objets["iptables_manager"].add_rule("iptables -I FORWARD -s " + objets["pkt_origin"][0] + " -j DROP", rule.ban_time)
|
||||
print("Alerte, seuils dépassés, risque de TCPconnect Flood")
|
||||
rule.cooldown = time.time()
|
||||
|
||||
|
||||
@ -31,4 +33,4 @@ def rule(packet, tcp_packets, db):
|
||||
rule.cooldown = 0
|
||||
rule.time_window = 0
|
||||
rule.seuil = 0
|
||||
|
||||
rule.ban_time = 0
|
||||
|
Reference in New Issue
Block a user