feat: final working demo Dockerfiles

2024-11-21 11:49:21 -05:00
parent a1dcee53a1
commit dbad0e7b28
20 changed files with 232 additions and 40 deletions


@ -16,7 +16,11 @@ def rule(packet, tcp_packets, db):
rule.time_window = db.get_key("ackscan_time", 180)
rule.seuil = db.get_key("ackscan_count", 5)
if tcp_packets.count_packet_of_type(["A", "R"], rule.time_window, True) + tcp_packets.count_packet_of_type(["A"], rule.time_window, True) >= rule.seuil:
# Comptage nombre de scan ack acceptés et refusés
ackdeny_count = tcp_packets.count_packet_of_type(["A", "R"], rule.time_window, True)
ackaccept_count = tcp_packets.count_packet_of_type(["A"], rule.time_window, True)
if (ackaccept_count + ackdeny_count >= rule.seuil):
db.send_alert(datetime.now(), 5, None, "ACK scan", packet['IP'].src, packet['IP'].dst, proto="TCP", reason="Détection de nombreux patterns de Ack->Reset et Ack pas de réponse", act="Alerte")
print(f"Alerte, seuil dépassés, risque d'Ack scan")
rule.cooldown = time.time()
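Review bot: The `print(f"Alerte, seuil dépassés, risque d'Ack scan")` line is an f-string with no placeholders, which linters flag (ruff F541) and which reads as if something were interpolated; a plain string literal `print("Alerte, seuil dépassés, risque d'Ack scan")` says the same thing. The same pattern appears in the Fin, Null, Syn, TCPConnect and XMAS sections below. While here, the parentheses around the condition in `if (ackaccept_count + ackdeny_count >= rule.seuil):` are a C habit and can be dropped. The body of `rule` starts and continues outside this hunk, so I cannot see where `rule.cooldown` is checked against the alert time.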


@ -16,7 +16,11 @@ def rule(packet, tcp_packets, db):
rule.time_window = db.get_key("finscan_time", 180)
rule.seuil = db.get_key("finscan_count", 5)
if tcp_packets.count_packet_of_type(["F", "RA"], rule.time_window, True) + tcp_packets.count_packet_of_type(["F"], rule.time_window, True) >= rule.seuil:
# Comptage du nombre de scan fin acceptés et refusés
findeny_count = tcp_packets.count_packet_of_type(["F", "RA"], rule.time_window, True)
finaccept_count = tcp_packets.count_packet_of_type(["F"], rule.time_window, True)
if (findeny_count + finaccept_count >= rule.seuil):
db.send_alert(datetime.now(), 5, None, "Fin scan", packet['IP'].src, packet['IP'].dst, proto="TCP", reason="Détection de nombreux patterns de Fin->Reset Ack et Fin->rien", act="Alerte")
print(f"Alerte, seuil dépassés, risque de Fin Scan")
rule.cooldown = time.time()


@ -16,7 +16,11 @@ def rule(packet, tcp_packets, db):
rule.time_window = db.get_key("nullscan_time", 180)
rule.seuil = db.get_key("nullscan_count", 5)
if tcp_packets.count_packet_of_type([""], rule.time_window, True) + tcp_packets.count_packet_of_type(["", "RA"], rule.time_window, True) >= rule.seuil:
# Comptage du nombre de scan null acceptés et refusés
nulldeny_count = tcp_packets.count_packet_of_type(["", "RA"], rule.time_window, True)
nullaccept_count = tcp_packets.count_packet_of_type([""], rule.time_window, True)
if (nulldeny_count + nulldeny_count >= rule.seuil):
db.send_alert(datetime.now(), 5, None, "Null scan", packet['IP'].src, packet['IP'].dst, proto="TCP", reason="Détection de nombreux patterns de None->Reset Ack et None -> rien", act="Alerte")
print(f"Alerte, seuil dépassés, risque de Null Scan")
rule.cooldown = time.time()
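Review bot: The threshold test in the Null scan rule adds the same variable twice, `if (nulldeny_count + nulldeny_count >= rule.seuil):`, so `nullaccept_count` is computed and never used. As written the rule fires when the reset-answered count alone reaches half of `nullscan_count`, and unanswered null probes (the `[""]` pattern) never contribute, which both over-alerts on one pattern and misses the other. The other sections sum accept and deny counts, so this looks like a copy-paste slip; the fix is `if (nullaccept_count + nulldeny_count >= rule.seuil):`. The rest of `rule` is outside the hunk.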


@ -3,7 +3,7 @@ import time
def rule(packet, tcp_packets, db):
"""Règle SYNScan:
"""Règle SYN Scan:
Un SYNScan va envoyer des requêtes TCP avec le flag SYN
Si le port est ouvert alors le serveur répondra: Syn ACK, puis le client Reset la connexion
Sinon le port est fermé et le serveur répondra: Reset ACK
@ -16,7 +16,11 @@ def rule(packet, tcp_packets, db):
rule.time_window = db.get_key("synscan_time", 180)
rule.seuil = db.get_key("synscan_count", 5)
if tcp_packets.count_packet_of_type(["S", "RA"], rule.time_window, True) + tcp_packets.count_packet_of_type(["S", "SA", "R"], rule.time_window, True) >= rule.seuil:
# Comptage du nombre de scan syn acceptés et refusés
syndeny_count = tcp_packets.count_packet_of_type(["S", "RA"], rule.time_window, True)
synaccept_count = tcp_packets.count_packet_of_type(["S", "SA", "R"], rule.time_window, True)
if (synaccept_count + syndeny_count >= rule.seuil):
db.send_alert(datetime.now(), 5, None, "Syn scan", packet['IP'].src, packet['IP'].dst, proto="TCP", reason="Détection de nombreux patterns de Syn->SynACK->Reset et Syn->Reset ACK", act="Alerte")
print(f"Alerte, seuil dépassés, risque de SynScan")
rule.cooldown = time.time()


@ -17,7 +17,11 @@ def rule(packet, tcp_packets, db):
rule.time_window = db.get_key("tcpconnectscan_time", 180)
rule.seuil = db.get_key("tcpconnectscan_count", 5)
if tcp_packets.count_packet_of_type(["S", "SA", "A", "RA"], rule.time_window, True) + tcp_packets.count_packet_of_type(["S", "RA"], rule.time_window, True) >= rule.seuil:
# Comptage du nombre de scan tcp connect acceptés et refusés
tcpconnectdeny_count = tcp_packets.count_packet_of_type(["S", "RA"], rule.time_window, True)
tcpconnectaccept_count = tcp_packets.count_packet_of_type(["S", "SA", "A", "RA"], rule.time_window, True)
if (tcpconnectaccept_count + tcpconnectdeny_count >= rule.seuil):
db.send_alert(datetime.now(), 5, None, "TCPConnect Scan", packet['IP'].src, packet['IP'].dst, proto="TCP", reason="Détection de nombreux patterns de Syn->SynACK->ACK->Reset ACK et Syn->Reset ACK", act="Alerte")
print(f"Alerte, seuils dépassés, risque de TCPConnectScan")
rule.cooldown = time.time()
@ -25,5 +29,5 @@ def rule(packet, tcp_packets, db):
# Variables statiques
rule.cooldown = 0
rule.time_window = 180
rule.seuil = 5
rule.time_window = 0
rule.seuil = 0
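Review bot: The module-level initializers `rule.time_window = 0` and `rule.seuil = 0` in the second hunk now disagree with the defaults passed to `db.get_key(...)` in the first hunk (180 and 5), which makes them look like real configuration when they appear to be placeholders overwritten on each call. A short comment would stop the next reader from "fixing" them back: `# Placeholders: overwritten on every call from db.get_key("tcpconnectscan_*", ...)`. I cannot see whether the `db.get_key` assignments are unconditional (the surrounding body of `rule` is outside both hunks), so if any path reads `rule.seuil` before they run, a threshold of 0 would fire on the first matching packet and is worth confirming.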


@ -16,7 +16,11 @@ def rule(packet, tcp_packets, db):
rule.time_window = db.get_key("xmasscan_time", 180)
rule.seuil = db.get_key("xmasscan_count", 5)
if tcp_packets.count_packet_of_type(["FPU", "RA"], rule.time_window, True) + tcp_packets.count_packet_of_type(["FPU"], rule.time_window, True) >= rule.seuil:
# Comptage du nombre de scan XMAS acceptés et refusés
xmasdeny_count = tcp_packets.count_packet_of_type(["FPU", "RA"], rule.time_window, True)
xmasaccept_count = tcp_packets.count_packet_of_type(["FPU"], rule.time_window, True)
if (xmasaccept_count + xmasdeny_count >= rule.seuil):
db.send_alert(datetime.now(), 5, None, "XMAS scan", packet['IP'].src, packet['IP'].dst, proto="TCP", reason="Détection de nombreux patterns de Fin Push Urg -> rien et Fin Push Urg->Reset ACK", act="Alerte")
print(f"Alerte, seuil dépassés, risque de XMAS Scan")
rule.cooldown = time.time()