|
15 | 15 | IoCType, |
16 | 16 | Direction, |
17 | 17 | ) |
| 18 | +from slips_files.core.structures.flow_attributes import State |
18 | 19 |
|
19 | 20 |
|
20 | 21 | class HorizontalPortscan: |
@@ -72,29 +73,6 @@ def get_twid_identifier(self, profileid: str, twid: str, dport) -> str: |
72 | 73 |
|
73 | 74 | return f"{profileid}:{twid}:dport:{dport}" |
74 | 75 |
|
75 | | - def get_packets_sent(self, dstips: dict) -> int: |
76 | | - """ |
77 | | - returns the total amount of packets sent to all dst IPs |
78 | | - :param dstips: dict with info about in the following format |
79 | | - { dstip: { |
80 | | - 'pkts': src+dst packets sent to this dstip, |
81 | | - 'spkts': src packets sent to this dstip, |
82 | | - 'stime': timestamp of the first flow in the uid list, |
83 | | - 'uid': [uids of flows to this ip] |
84 | | - } |
85 | | - } |
86 | | - """ |
87 | | - pkts_sent = 0 |
88 | | - for dstip in dstips: |
89 | | - if "spkts" not in dstips[dstip]: |
90 | | - # In argus files there are no src pkts, only pkts. |
91 | | - # So it is better to have the total pkts than |
92 | | - # to have no packets count |
93 | | - pkts_sent += int(dstips[dstip]["pkts"]) |
94 | | - else: |
95 | | - pkts_sent += int(dstips[dstip]["spkts"]) |
96 | | - return pkts_sent |
97 | | - |
98 | 76 | def are_dstips_greater_or_eq_minimum_dstips(self, dstips) -> bool: |
99 | 77 | return dstips >= self.minimum_dstips_to_set_evidence |
100 | 78 |
|
@@ -193,48 +171,46 @@ def set_evidence_horizontal_portscan(self, evidence: dict): |
193 | 171 | def is_valid_twid(twid: str) -> bool: |
194 | 172 | return not (twid in ("", None) or "timewindow" not in twid) |
195 | 173 |
|
196 | | - def check(self, profileid: str, twid: str): |
| 174 | + def check(self, profileid: ProfileID, twid: TimeWindow): |
197 | 175 | if not utils.are_scan_detection_modules_interested_in_this_ip( |
198 | 176 | profileid.ip |
199 | | - ) or not self.is_valid_twid(twid): |
| 177 | + ): |
200 | 178 | return False |
201 | 179 | # if you're portscaning a port that is open it's gonna be established |
202 | 180 | # the amount of open ports we find is gonna be so small |
203 | 181 | # theoretically this is incorrect bc we'll be ignoring |
204 | 182 | # established evidence, |
205 | 183 | # but usually open ports are very few compared to the whole range |
206 | | - # so, practically this is correct to avoid FP |
207 | | - state = "Not Established" |
| 184 | + # so, practically using not established only this is correct to |
| 185 | + # avoid FP |
208 | 186 | for protocol in (Protocol.TCP, Protocol.UDP): |
209 | | - dports: dict = self.get_not_estab_dst_ports( |
210 | | - protocol, state, profileid, twid |
211 | | - ) |
212 | | - |
213 | 187 | # For each port, see if the amount is over the threshold |
214 | | - for dport in dports.keys(): |
215 | | - # PortScan Type 2. Direction OUT |
216 | | - twid_identifier: str = self.get_twid_identifier( |
217 | | - profileid, twid, dport |
| 188 | + for ( |
| 189 | + dport, |
| 190 | + total_pkts, |
| 191 | + ) in self.db.get_dstports_of_not_established_flows( |
| 192 | + profileid, twid, protocol |
| 193 | + ): |
| 194 | + |
| 195 | + amount_of_dstips: int = ( |
| 196 | + self.db.get_amount_of_dstips_for_not_established_flows_on_port( |
| 197 | + profileid, twid, protocol, dport |
| 198 | + ) |
218 | 199 | ) |
219 | | - if not twid_identifier: |
220 | | - continue |
221 | | - |
222 | | - dstips: dict = dports[dport]["dstips"] |
223 | | - amount_of_dips = len(dstips) |
224 | | - |
225 | 200 | if self.check_if_enough_dstips_to_trigger_an_evidence( |
226 | | - twid_identifier, amount_of_dips |
| 201 | + profileid, twid, dport, amount_of_dstips |
227 | 202 | ): |
228 | 203 | evidence = { |
229 | | - "protocol": protocol, |
230 | | - "profileid": profileid, |
231 | | - "twid": twid, |
232 | | - "uids": self.get_uids(dstips), |
| 204 | + "protocol": protocol.name.lower(), |
| 205 | + "profileid": str(profileid), |
| 206 | + "twid": str(twid), |
| 207 | + "uids": [], |
233 | 208 | "dport": dport, |
234 | | - "pkts_sent": self.get_packets_sent(dstips), |
235 | | - "timestamp": next(iter(dstips.values()))["stime"], |
236 | | - "state": state, |
237 | | - "amount_of_dips": amount_of_dips, |
| 209 | + "pkts_sent": total_pkts, |
| 210 | + "timestamp": "", # TODO, |
| 211 | + "state": State.NOT_EST.name.lower(), |
| 212 | + "amount_of_dips": amount_of_dstips, |
238 | 213 | } |
239 | 214 |
|
240 | 215 | self.set_evidence_horizontal_portscan(evidence) |
| 216 | + return |
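Review bot: The evidence dict built in `check` now ships with `"timestamp": ""` and `"uids": []`, so the alert no longer records when the scan happened or which flows support it, whereas the old code derived both from the dstips data (`next(iter(dstips.values()))["stime"]` and `self.get_uids(dstips)`); the trailing `# TODO,` suggests this is unfinished and should be resolved, or at least documented, before merge, e.g. `"timestamp": "",  # TODO: stime of the first not-established flow on this dport`. Whether `total_pkts` returned by `get_dstports_of_not_established_flows` keeps the argus fallback (use `pkts` when `spkts` is absent) that the deleted `get_packets_sent` implemented cannot be seen here and is worth confirming, since the reported `pkts_sent` feeds the evidence. The bare `return` added at the end of `check` is inconsistent with the `return False` guard at the top; either drop it or make both paths return a bool. `check_if_enough_dstips_to_trigger_an_evidence` and `set_evidence_horizontal_portscan` are defined outside the hunk.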