Devilzc0de Forum
Simple Network Intrusion Prevention System (Ping Flooding Case)

04-27-2012, 07:45 AM
Post: #1
5ynL0rd
Simple Network Intrusion Prevention System (Ping Flooding Case)
Code:
#!/usr/bin/env python2
# Simple Network Intrusion Prevention System
# Sample Case: Ping Flooding
#
# Module requirement: python-pcapy (Python 2)
# Tested on Ubuntu; run as root (live capture and iptables both need it)
#
# coded by: 5ynL0rd

import binascii
import json
import os
from datetime import datetime

import pcapy


class VoidSniff:
    def __init__(self, pcap_filter):
        # "any" is the Linux cooked-capture pseudo-device: every frame starts
        # with a 16-byte SLL header instead of a 14-byte Ethernet header
        self.device = "any"
        self.snaplen = 2048
        self.promisc = 1
        self.to_ms = 100
        self.pcap_filter = pcap_filter
        self.max_pkts = -1          # loop forever
        self.p = pcapy.open_live(self.device, self.snaplen, self.promisc, self.to_ms)

    def packethandler(self, hdr, data):
        # Hex-encode the frame and slice fixed offsets: the 16-byte SLL header plus
        # a 20-byte IPv4 header (no options) puts the source address at bytes
        # 28-31 (hex 56-63), the destination at bytes 32-35 (hex 64-71) and the
        # next four bytes at the TCP ports (for ICMP: type, code and checksum)
        contain = binascii.b2a_hex(data)
        src_ip = '%s.%s.%s.%s' % (int(contain[56:58], 16), int(contain[58:60], 16),
                                  int(contain[60:62], 16), int(contain[62:64], 16))
        dst_ip = '%s.%s.%s.%s' % (int(contain[64:66], 16), int(contain[66:68], 16),
                                  int(contain[68:70], 16), int(contain[70:72], 16))
        src_port = str(int(contain[72:76], 16))
        dst_port = str(int(contain[76:80], 16))

        # PING flooding detection
        if self.pcap_filter == 'icmp':
            now = datetime.utcnow()
            data = [{'ip': src_ip,
                     'timestamp': '%s-%s-%s-%s-%s-%s-%s' % (now.year, now.month, now.day,
                                                           now.hour, now.minute,
                                                           now.second, now.microsecond)}]
            # Append this packet to dump.json; start a fresh file if it is
            # missing or unreadable
            try:
                data = json.loads(open('dump.json', 'r').read()) + data
            except (IOError, ValueError):
                pass
            open('dump.json', 'w').write(json.dumps(data))

            try:
                blacklist = json.loads(open('blacklist.json', 'r').read())
            except (IOError, ValueError):
                blacklist = []

            if len(data) >= 50 and {'ip': src_ip} not in blacklist:
                # Flood if the first of these 50 packets arrived under a second ago
                first = [int(x) for x in data[0]['timestamp'].split('-')]
                delta = datetime.utcnow() - datetime(*first)
                if delta.seconds == 0:
                    print '[!] ALERT! PING FLOODING FROM: %s' % src_ip
                    b_data = json.dumps([{'ip': src_ip}])
                    try:
                        b_data_prev = open('blacklist.json', 'r').read()
                    except IOError:
                        pass
                    else:
                        # Known bug (see post #3): joining two JSON strings does not
                        # give valid JSON, so the blacklist fails to load next time
                        b_data = b_data_prev + b_data
                    open('blacklist.json', 'w').write(b_data)
                    os.system('iptables -A INPUT -s %s -p ICMP --icmp-type 8 -j DROP' % src_ip)
                    print '[!] IP %s Blocked!' % src_ip
                os.remove('dump.json')

    def run(self):
        self.p.setfilter(self.pcap_filter)
        self.p.loop(self.max_pkts, self.packethandler)


if __name__ == '__main__':
    icmp_sniff = VoidSniff('icmp')
    icmp_sniff.run()

http://void-labs.appspot.com/pastebin?pa...c1081ee9a8

The script's job is to automatically block IPs that are ping flooding (put the script on the router PC).

Tested on Ubuntu (run the script as root or with sudo).
Helper module that needs to be installed: python-pcapy
$ sudo apt-get install python-pcapy

Hope it is useful and can be developed further; sorry if the code is a bit dirty and wasteful.
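The fixed hex offsets in the script above (56:58 for the first byte of the source address, and so on) only work because pcapy's "any" device delivers each frame with a 16-byte Linux cooked-capture (SLL) header in front of a 20-byte IPv4 header; an IPv4 header carrying options shifts the ICMP and TCP fields. The following Python 3 example is added here and is not code from the post or from the bams repository: it parses such a frame with struct, honours the IHL field, and tells echo requests apart from other ICMP (the script's 'icmp' filter also counts replies, while its iptables rule only drops type 8). The build_cooked_icmp helper and every address in it are constructed for the example.

```python
"""Added example, not from the original post: parse a pcapy "any" frame
(16-byte Linux cooked/SLL header + IPv4 + ICMP or TCP) with struct."""
import ipaddress
import struct
from typing import Optional

SLL_HEADER_LEN = 16          # DLT_LINUX_SLL header that the "any" device prepends
ETHERTYPE_IPV4 = 0x0800
PROTO_ICMP = 1
PROTO_TCP = 6
ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def parse_cooked_frame(frame: bytes) -> Optional[dict]:
    """Return src/dst/proto and, for ICMP, the type (for TCP, the ports).
    None when the frame is too short or not IPv4."""
    if len(frame) < SLL_HEADER_LEN + 20:
        return None
    # SLL layout: packet type(2), ARPHRD type(2), addr len(2), addr(8), protocol(2)
    ethertype = struct.unpack("!H", frame[14:16])[0]
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[SLL_HEADER_LEN:]
    ver_ihl = ip[0]
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes; 20 without options
    if ihl < 20 or len(ip) < ihl:
        return None
    info = {
        "src": str(ipaddress.IPv4Address(ip[12:16])),   # byte 28 of the frame: hex offset 56
        "dst": str(ipaddress.IPv4Address(ip[16:20])),   # byte 32 of the frame: hex offset 64
        "proto": ip[9],
    }
    payload = ip[ihl:]                   # this is where fixed offsets go wrong with options
    if info["proto"] == PROTO_ICMP and len(payload) >= 4:
        info["icmp_type"] = payload[0]
    elif info["proto"] == PROTO_TCP and len(payload) >= 4:
        info["sport"], info["dport"] = struct.unpack("!HH", payload[:4])
    return info


def is_echo_request(info: Optional[dict]) -> bool:
    """Only echo requests are ping-flood traffic; replies and errors are not."""
    return info is not None and info.get("icmp_type") == ICMP_ECHO_REQUEST


def build_cooked_icmp(src: str, dst: str, icmp_type: int, options: bytes = b"") -> bytes:
    """Constructed test frame: SLL + IPv4 (optionally with options) + 8-byte ICMP header.
    Checksums are left zero; the parser does not verify them."""
    ihl_words = 5 + len(options) // 4
    total_len = ihl_words * 4 + 8
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl_words, 0, total_len, 0, 0, 64, PROTO_ICMP, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed) + options
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)   # type, code, csum, id, seq
    sll = struct.pack("!HHH8sH", 0, 1, 6, b"\x00" * 8, ETHERTYPE_IPV4)
    return sll + ip_hdr + icmp


if __name__ == "__main__":
    frame = build_cooked_icmp("10.0.0.5", "10.0.0.1", ICMP_ECHO_REQUEST)
    print(parse_cooked_frame(frame), frame.hex()[56:64])
```

With a 4-byte NOP option in the IPv4 header, a fixed-offset parser reads the option byte where it expects the ICMP type; the IHL-aware version still finds type 8.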
04-27-2012, 07:48 AM
Post: #2
chaer.newbie
RE: Simple Network Intrusion Prevention System (Ping Flooding Case)
I read the DC timeline on Twitter. I was curious who posted it; turns out it really was a Dewa who posted.

Is this ping flooding detection based on the number of packets, or on packets arriving continuously, bro?
04-27-2012, 07:51 AM (This post was last modified: 04-27-2012 08:49 AM by 5ynL0rd.)
Post: #3
5ynL0rd
RE: Simple Network Intrusion Prevention System (Ping Flooding Case)
(04-27-2012 07:48 AM)chaer.newbie Wrote:  I read the DC timeline on Twitter. I was curious who posted it; turns out it really was a Dewa who posted.

Is this ping flooding detection based on the number of packets, or on packets arriving continuously, bro?

Based on time and packet count. I filter the ICMP packets that arrive within a certain time window (roughly speaking, the ones that come in back-to-back). You know what back-to-back means, right? Squeezed together.. tight.. you surely know, you who like it tight..
If there are bugs, feel free to post them and we will discuss them together.
There is a bug in the script above: the dump and load of the JSON data from blacklist.json; please discuss how to fix it. There is also a bug in the prevention part. That way there is some programming discussion and the thread is livelier :)
Updated code:
http://void-labs.appspot.com/pastebin?pa...211a02c7e2

If you want to edit the prevention rule, just play with the iptables command.
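The criterion described in the reply above (a packet count within a time window) as an added Python 3 example, not the poster's code: a per-source sliding window kept in memory instead of dump.json, a protected set that is never blocked (the router's own addresses and gateway in the later version of the script), a blocked set so the same source is not reported or added to iptables twice, and a block action that builds the iptables command as an argv list and only executes it when dry_run is False. The threshold and window values, the class name and the sample addresses are assumptions for the example.

```python
"""Added example, not from the original post: sliding-window ping-flood
detector with a whitelist and a dry-run iptables block action."""
from collections import defaultdict, deque
import subprocess

THRESHOLD = 50      # assumed: echo requests from one source ...
WINDOW = 1.0        # ... within this many seconds count as a flood


class PingFloodDetector:
    def __init__(self, threshold=THRESHOLD, window=WINDOW, protected=(), dry_run=True):
        self.threshold = threshold
        self.window = window
        self.protected = set(protected)     # never blocked: own addresses, gateway
        self.dry_run = dry_run
        self.blocked = set()
        self.events = defaultdict(deque)    # src ip -> timestamps of recent requests
        self.commands = []                  # iptables argv lists issued (or dry-run)

    def observe(self, src_ip, ts):
        """Record one echo request from src_ip at time ts (float seconds).
        Returns True if this packet pushed the source over the threshold."""
        if src_ip in self.protected or src_ip in self.blocked:
            return False
        window = self.events[src_ip]
        window.append(ts)
        # forget packets older than the window so len(window) is the rate in WINDOW s
        while window and ts - window[0] > self.window:
            window.popleft()
        if len(window) >= self.threshold:
            self.block(src_ip)
            del self.events[src_ip]         # free the memory; the source stays blocked
            return True
        return False

    def block(self, src_ip):
        # FORWARD chain as in the router version of the script; only echo requests,
        # so replies and ICMP errors the client needs still pass
        argv = ["iptables", "-A", "FORWARD", "-s", src_ip,
                "-p", "icmp", "--icmp-type", "echo-request", "-j", "DROP"]
        self.blocked.add(src_ip)
        self.commands.append(argv)
        if not self.dry_run:
            # argv list, no shell: src_ip can never be interpreted as shell syntax
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    d = PingFloodDetector(protected={"192.168.1.1"})
    for i in range(60):                    # constructed burst: 100 packets/s from one host
        if d.observe("10.0.0.9", i * 0.01):
            print("flood from 10.0.0.9, would run:", " ".join(d.commands[-1]))
```

Caveat: ICMP source addresses are trivially spoofed, so any auto-blocker keyed on the source address can be turned against legitimate hosts; that is why the router version whitelists its own addresses and gateway, and why a rate limit (iptables -m limit or -m hashlimit) is often a safer response than a permanent DROP rule.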
04-27-2012, 10:27 AM
Post: #4
ditatompel (Administrator)
RE: Simple Network Intrusion Prevention System (Ping Flooding Case)
I have tried it on my computer, bro.. great
[Image: void-snips.png]
By the way, how do you terminate the script? I tried CTRL + C and it would not stop, bro..
In the end I killed the PID..
04-27-2012, 10:37 AM
Post: #5
5ynL0rd
RE: Simple Network Intrusion Prevention System (Ping Flooding Case)
(04-27-2012 10:27 AM)ditatompel Wrote:  I have tried it on my computer, bro.. great
[Image: void-snips.png]
By the way, how do you terminate the script? I tried CTRL + C and it would not stop, bro..
In the end I killed the PID..

Actually Ctrl+C does work; it just waits for a packet to pass first before it terminates. I will put the exception handler in later so it is immediate. A small update to the code:

Code:
#!/usr/bin/env python2
# Simple Network Intrusion Prevention System
# Sample Case: Ping Flooding
#
# Module requirement: python-pcapy (Python 2)
# Tested on Ubuntu; run as root (live capture and iptables both need it)
#
# coded by: 5ynL0rd

import binascii
import commands
import json
import os
import re
from datetime import datetime
from multiprocessing import Process

import pcapy


class VoidSniff:
    def __init__(self, pcap_filter):
        # "any" pseudo-device: each frame carries a 16-byte Linux cooked (SLL) header
        self.device = "any"
        self.snaplen = 2048
        self.promisc = 1
        self.to_ms = 100
        self.pcap_filter = pcap_filter
        self.max_pkts = -1          # loop forever
        self.p = pcapy.open_live(self.device, self.snaplen, self.promisc, self.to_ms)

    def packethandler(self, hdr, data):
        # Fixed offsets into the hex-encoded frame: 16-byte SLL header plus a
        # 20-byte IPv4 header without options puts the source address at bytes
        # 28-31 (hex 56-63), the destination at bytes 32-35 (hex 64-71), then the
        # TCP ports (for ICMP these four bytes are type, code and checksum)
        contain = binascii.b2a_hex(data)
        src_ip = '%s.%s.%s.%s' % (int(contain[56:58], 16), int(contain[58:60], 16),
                                  int(contain[60:62], 16), int(contain[62:64], 16))
        dst_ip = '%s.%s.%s.%s' % (int(contain[64:66], 16), int(contain[66:68], 16),
                                  int(contain[68:70], 16), int(contain[70:72], 16))
        src_port = str(int(contain[72:76], 16))
        dst_port = str(int(contain[76:80], 16))

        # PING flooding detection (only the ICMP process takes action; the TCP
        # process just captures)
        if self.pcap_filter == 'icmp':
            now = datetime.utcnow()
            data = [{'ip': src_ip,
                     'timestamp': '%s-%s-%s-%s-%s-%s-%s' % (now.year, now.month, now.day,
                                                           now.hour, now.minute,
                                                           now.second, now.microsecond)}]
            # Append this packet to dump.json; start fresh if missing or unreadable
            try:
                data = json.loads(open('dump.json', 'r').read()) + data
            except (IOError, ValueError):
                pass
            open('dump.json', 'w').write(json.dumps(data))

            try:
                blacklist = json.loads(open('blacklist.json', 'r').read())
            except (IOError, ValueError):
                blacklist = []

            if len(data) >= 50 and {'ip': src_ip} not in blacklist:
                # Flood if the first of these 50 packets arrived under a second ago
                first = [int(x) for x in data[0]['timestamp'].split('-')]
                delta = datetime.utcnow() - datetime(*first)
                # protect_ip (the router's own addresses and its gateway) is built
                # in __main__ and inherited by the forked capture processes
                if delta.seconds == 0 and src_ip not in protect_ip:
                    print '[!] ALERT! PING FLOODING FROM: %s' % src_ip
                    # Merge as lists and dump once; concatenating two JSON strings
                    # (the earlier version) produced invalid JSON
                    blacklist.append({'ip': src_ip})
                    open('blacklist.json', 'w').write(json.dumps(blacklist))
                    # The script runs on the router, so drop the client's forwarded ICMP
                    os.system('iptables -A FORWARD -s %s -p icmp -j DROP' % src_ip)
                    #os.system('iptables -A OUTPUT -s %s -p icmp -j DROP' % src_ip)
                    print '[!] IP %s:%s Blocked!: dest %s:%s' % (src_ip, src_port, dst_ip, dst_port)
                os.remove('dump.json')
        #print 'src_ip -> %s:%s\ndest_ip -> %s:%s\n' % (src_ip, src_port, dst_ip, dst_port)

    def run(self):
        print '[+] Process %s start' % self.pcap_filter
        self.p.setfilter(self.pcap_filter)
        self.p.loop(self.max_pkts, self.packethandler)


if __name__ == '__main__':
    PROJECT_PATH = os.path.abspath(os.path.dirname(__file__))

    # Whitelist: every local interface address plus the default gateway, so the
    # router never blocks itself or its upstream
    protect_ip = []
    for dev in pcapy.findalldevs():
        x = commands.getoutput('ifconfig %s | grep "inet addr"' % dev)
        m = re.search(r'inet addr:([0-9\.]+)', x)
        if m:
            protect_ip.append(m.group(1))

    m = re.search(r'default[ ]+([0-9\.]+) ', commands.getoutput('route | grep default'))
    if m:       # a box with no default route would otherwise crash here
        protect_ip.append(m.group(1))

    tcp_sniff = VoidSniff('tcp')
    icmp_sniff = VoidSniff('icmp')
    tcp_run = Process(target=tcp_sniff.run)
    icmp_run = Process(target=icmp_sniff.run)

    tcp_run.start()
    icmp_run.start()
    open(os.path.join(PROJECT_PATH, 'pid.txt'), 'w').write('%s:%s' % (tcp_run.pid, icmp_run.pid))

There happens to be a small project, so the code got updated. The case is that it cannot block itself or its gateway, and the script runs on the router; what gets blocked are the clients..

The public repo, if you want to follow along, is here:
https://bitbucket.org/synl0rd/bams
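The updated script above builds its protect_ip list by running ifconfig and route and regex-matching the output, which raises an AttributeError on a host that has no default route. An added Python 3 example, not part of the post or of the bams repository, does the same from the kernel's own data: default gateways parsed from /proc/net/route (Linux prints destination and gateway there as little-endian hex) and local addresses via the SIOCGIFADDR ioctl, with sources that have no address simply skipped. The route table embedded below is a constructed sample so the parser can be exercised without a live box; the interface lookup itself is Linux-only.

```python
"""Added example, not from the original post: build the never-block set
(local addresses + default gateway) without shelling out to ifconfig/route."""
import socket
import struct

RTF_GATEWAY = 0x0002            # route flag: next hop is a gateway, not on-link

# Constructed sample of /proc/net/route (real files are tab separated; split()
# does not care). Gateway 0100A8C0 is 192.168.0.1 in little-endian hex.
SAMPLE_PROC_NET_ROUTE = (
    "Iface\tDestination\tGateway \tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT\n"
    "eth0\t00000000\t0100A8C0\t0003\t0\t0\t100\t00000000\t0\t0\t0\n"
    "eth0\t0000A8C0\t00000000\t0001\t0\t0\t100\t00FFFFFF\t0\t0\t0\n"
    "eth1\t0001A8C0\t00000000\t0001\t0\t0\t100\t00FFFFFF\t0\t0\t0\n"
)


def hex_to_ipv4(h: str) -> str:
    """/proc/net/route stores addresses as 32-bit little-endian hex."""
    return socket.inet_ntoa(struct.pack("<L", int(h, 16)))


def default_gateways(route_table: str):
    """(iface, gateway) for every default route; empty list if there is none."""
    gateways = []
    for line in route_table.splitlines()[1:]:        # first line is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        iface, dest, gw, flags = fields[0], fields[1], fields[2], int(fields[3], 16)
        if dest == "00000000" and flags & RTF_GATEWAY:
            gateways.append((iface, hex_to_ipv4(gw)))
    return gateways


def local_ipv4_addresses():
    """Linux only: SIOCGIFADDR per interface, the ioctl behind ifconfig's inet addr."""
    import fcntl
    SIOCGIFADDR = 0x8915
    addrs = set()
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for _, name in socket.if_nameindex():
            ifreq = struct.pack("256s", name[:15].encode())
            try:
                res = fcntl.ioctl(s.fileno(), SIOCGIFADDR, ifreq)
            except OSError:
                continue                      # interface has no IPv4 address
            addrs.add(socket.inet_ntoa(res[20:24]))
    finally:
        s.close()
    return addrs


def protected_addresses(route_table=None, local_ips=None):
    """Addresses the blocker must never touch. Both arguments default to the
    live system; pass them explicitly to work from captured data."""
    if route_table is None:
        with open("/proc/net/route") as fh:
            route_table = fh.read()
    if local_ips is None:
        local_ips = local_ipv4_addresses()
    return set(local_ips) | {gw for _, gw in default_gateways(route_table)}


if __name__ == "__main__":
    print(protected_addresses(SAMPLE_PROC_NET_ROUTE, ["192.168.0.10", "192.168.1.1"]))
```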
04-27-2012, 10:50 AM
Post: #6
ditatompel (Administrator)
RE: Simple Network Intrusion Prevention System (Ping Flooding Case)
(04-27-2012 10:37 AM)5ynL0rd Wrote:  [quotes post #5 above in full, code included]

Oh, I see...
So it takes the whitelisted IPs and the gateway from ifconfig?
Let me study it first, bro...
On the bench of my life there is only you
04-27-2012, 11:06 AM
Post: #7
tabun
RE: Simple Network Intrusion Prevention System (Ping Flooding Case)
Cool, I am grabbing it to learn from..
04-27-2012, 11:08 AM
Post: #8
5ynL0rd
RE: Simple Network Intrusion Prevention System (Ping Flooding Case)
Yup, the idea is that it collects the IPs first so it does not block itself or its gateway. The plan is to turn it into a service that exposes a REST interface so the information can be fetched from outside.

So tomorrow we are still on for bathing together, right?
04-27-2012, 03:06 PM (This post was last modified: 04-27-2012 03:14 PM by mariachi.)
Post: #9
mariachi (Moderator)
RE: Simple Network Intrusion Prevention System (Ping Flooding Case)
I have tried it, bro, great

I made a simple report from the JSON file so it is easy to look at
[Image: jOpE4f9a52bebf066.png]
But the process eats quite a lot of CPU, bro
04-27-2012, 07:52 PM
Post: #10
5ynL0rd
RE: Simple Network Intrusion Prevention System (Ping Flooding Case)
Yeah bro, because it reads and writes the file and adds up the arrays every time.. it is bound to be heavy without a DB engine. Maybe switch to a file-based DB engine like sqlite or Berkeley DB (bsddb). The repo has not been updated yet; work is still piling up :)