Oxbian/SIDPS
1
0
Fork 0
mirror of https://github.com/Oxbian/SIDPS.git synced 2025-07-08 12:53:47 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

feat: protection system for the idps

Browse Source
This commit is contained in:
Oxbian
2024-11-23 12:15:10 -05:00
parent 4b84c4ebb1
commit c4df869596
16 changed files with 259 additions and 145 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
idps/rules/TCP/Scan/nullscan.py
View File

@ -2,7 +2,7 @@ from datetime import datetime
import time
def rule(packet, tcp_packets, db):
def rule(packet, objets):
"""Règle Null Scan:
Un Null Scan va envoyer des requêtes TCP avec aucun flag d'actif
Si le port est ouvert alors le serveur ne répondra pas
@ -12,17 +12,19 @@ def rule(packet, tcp_packets, db):
return
# Vérification si nécessaire de récupérer les variables depuis la config
if (rule.seuil == 0 and rule.time_window == 0):
rule.time_window = db.get_key("nullscan_time", 180)
rule.seuil = db.get_key("nullscan_count", 5)
if (rule.seuil == 0 and rule.time_window == 0 and rule.ban_time == 0):
rule.time_window = objets["config"].get("nullscan_time", 180)
rule.seuil = objets["config"].get("nullscan_count", 5)
rule.ban_time = objets["config"].get("nullscan_bantime", 300)
# Comptage du nombre de scan null acceptés et refusés
nulldeny_count = tcp_packets.count_packet_of_type(["", "RA"], rule.time_window, True)
nullaccept_count = tcp_packets.count_packet_of_type([""], rule.time_window, True)
nulldeny_count = objets["tcp_packets"].count_packet_of_type(["", "RA"], rule.time_window, True)
nullaccept_count = objets["tcp_packets"].count_packet_of_type([""], rule.time_window, True)
if (nulldeny_count + nulldeny_count >= rule.seuil):
db.send_alert(datetime.now(), 5, None, "Null scan", packet['IP'].src, packet['IP'].dst, proto="TCP", reason="Détection de nombreux patterns de None->Reset Ack et None -> rien", act="Alerte")
print(f"Alerte, seuil dépassés, risque de Null Scan")
if (nullaccept_count + nulldeny_count >= rule.seuil):
objets["database"].send_alert(datetime.now(), 5, None, "Null scan", objets["pkt_origin"][0], objets["pkt_origin"][2], proto="TCP", reason="Détection de nombreux patterns de None->Reset Ack et None -> rien", act="Alerte")
objets["iptables_manager"].add_rule("iptables -I FORWARD -s " + objets["pkt_origin"][0] + " -j DROP", rule.ban_time)
print("Alerte, seuil dépassés, risque de Null Scan")
rule.cooldown = time.time()
@ -30,3 +32,4 @@ def rule(packet, tcp_packets, db):
rule.cooldown = 0
rule.time_window = 0
rule.seuil = 0
rule.ban_time = 0