Bytes IT Community

Building a small IDS/firewall setup

Hello all :)

I am trying to increase my cyber sec knowledge by creating a small IDS. I was hoping someone could review the code and give me some feedback and maybe point me in the right direction. Currently I need intrusion signatures for filters.txt, if anyone knows of a database of some sort. I also am not too sure where to go next. My current thought is to just check for in/out bin/sh; if bin/sh were to come across the network tap, then disconnect and block all future connection attempts.

Please note that this is basically running pseudocode.
I am well aware of Pythonic programming; for now I am just trying ideas.

Any and all advice would be awesome
Thanks

```python
import socket
import subprocess   # used for the pfctl call; the original never imported it

import dpkt
import pcap

# paths and protected host from the original post
LOG_PATH = '/usr/home/mrfree/Desktop/Scripts/ipLog.txt'
FILTERS_PATH = '/usr/home/mrfree/Desktop/Scripts/filters.txt'
PROTECTED_HOST = '192.168.1.2'


def load_filters(path):
    """One signature per line. Read as bytes because tcp.data is bytes; the
    original compared the whole file as a single string against each payload,
    which can never match unless the payload contains the entire file."""
    with open(path, 'rb') as f:
        return [line.strip() for line in f if line.strip()]


def capture():
    dev = pcap.lookupdev()
    filters = load_filters(FILTERS_PATH)   # read once, not once per packet
    for ts, pkt in pcap.pcap(name=dev, snaplen=65535, promisc=True, immediate=False):
        eth = dpkt.ethernet.Ethernet(pkt)
        if eth.type == dpkt.ethernet.ETH_TYPE_IP6:
            # IPv6 is parsed but has no rules yet
            try:
                dst_ip_6 = socket.inet_ntop(socket.AF_INET6, eth.data.dst)
            except (AttributeError, ValueError):
                pass
            continue
        if eth.type != dpkt.ethernet.ETH_TYPE_IP:   # 0x0800 == 2048; ARP etc. skipped
            continue
        ip = eth.data
        if not isinstance(ip.data, dpkt.tcp.TCP):   # UDP/ICMP have no dport
            continue
        tcp = ip.data
        src_ip = socket.inet_ntoa(ip.src)
        dst_ip = socket.inet_ntoa(ip.dst)
        if dst_ip != PROTECTED_HOST:
            continue
        # both rules write to the same open log; the original wrote the
        # signature alert to a log file that its first `with` block had already closed
        with open(LOG_PATH, 'a') as log:
            log.write('Session:%s:%s,%s\n' % (src_ip, tcp.dport, ts))
            print('Session:%s:%s,%s' % (src_ip, tcp.dport, ts))
            if tcp.dport < 1028:
                # logged only; nothing is blocked here (as in the original)
                log.write('Out of bounds connection attempt, Blocking %s \n' % src_ip)
                print('Out of bounds connection attempt, Blocking %s' % src_ip)
            if any(sig in tcp.data for sig in filters):
                log.write('Attempted Shell connection, Blocking %s \n' % src_ip)
                print('Attempted Shell connection, Blocking %s' % src_ip)
                # argv list, not one string: a bare string fails without shell=True.
                # Note: pfctl -k kills the host's existing states; it does not by
                # itself block future connections, which needs a pf rule or table.
                subprocess.call(['pfctl', '-k', src_ip])


if __name__ == '__main__':
    capture()
```
Feb 22 '15 #1
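The inspection core the post describes, as an added example that is not the poster's code: it parses Ethernet/IPv4/TCP frames with the standard library only (so neither dpkt nor pcap is needed to test it), loads one-signature-per-line filters.txt contents, applies the post's two rules (privileged destination port, a signature such as /bin/sh in the payload) to traffic for the protected host, and turns a block verdict into pfctl argv lists. The frames, the signature list, the protected host 192.168.1.2 and the pf table name `blocked` are constructed assumptions of this example.

```python
import struct
import ipaddress

ETH_TYPE_IP = 0x0800           # EtherType for IPv4 (2048 decimal, as in the post)
IP_PROTO_TCP = 6
PRIVILEGED_PORT_LIMIT = 1024   # well-known ports are 0-1023


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed test input: Ethernet + IPv4 + TCP (PSH/ACK) with zeroed
    checksums; parse_tcp_packet does not verify them, so no capture is needed."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_TYPE_IP)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, IP_PROTO_TCP, 0, ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + tcp + payload


def parse_tcp_packet(frame):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP frame, else None.
    Other EtherTypes and IP protocols are skipped instead of raising."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_IP:
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IP_PROTO_TCP or len(ip) < ihl + 20:
        return None
    src = str(ipaddress.IPv4Address(ip[12:16]))
    dst = str(ipaddress.IPv4Address(ip[16:20]))
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    payload = tcp[data_off:max(total_len - ihl, data_off)]  # drop Ethernet padding
    return src, dst, sport, dport, payload


def load_signatures(text):
    """filters.txt as bytes: one signature per line, blanks and '#' comments
    ignored. Signatures stay bytes because the TCP payload is bytes."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(b"#"):
            sigs.append(line)
    return sigs


def inspect(frame, protected_host, signatures):
    """Apply the post's two rules to one frame. Returns None for traffic that is
    not IPv4/TCP to protected_host, else a dict of alerts and a block verdict."""
    parsed = parse_tcp_packet(frame)
    if parsed is None:
        return None
    src, dst, sport, dport, payload = parsed
    if dst != protected_host:
        return None
    alerts = []
    if dport < PRIVILEGED_PORT_LIMIT:          # logged only, as in the post
        alerts.append("privileged-port:%d" % dport)
    hit = next((s for s in signatures if s in payload), None)
    if hit is not None:
        alerts.append("signature:" + hit.decode("ascii", "replace"))
    return {"src": src, "dport": dport, "alerts": alerts, "block": hit is not None}


def pf_block_commands(src_ip):
    """argv lists (never a shell string) to disconnect and then block a host.
    'pfctl -k host' only kills existing states; keeping the host out needs a pf
    table referenced from pf.conf, e.g.
        table <blocked> persist
        block in quick from <blocked>
    The table name 'blocked' is an assumption of this example."""
    return [["pfctl", "-k", src_ip],
            ["pfctl", "-t", "blocked", "-T", "add", src_ip]]


class Blocker:
    """Remembers blocked hosts so pfctl is not re-run for every packet they send."""

    def __init__(self, runner):
        self.runner = runner      # e.g. subprocess.call; print for a dry run
        self.blocked = set()

    def block(self, src_ip):
        if src_ip in self.blocked:
            return False
        for argv in pf_block_commands(src_ip):
            self.runner(argv)
        self.blocked.add(src_ip)
        return True
```

To try it offline, build a few frames with `build_frame(...)`, run each through `inspect(frame, "192.168.1.2", load_signatures(b"/bin/sh\n"))` and hand any `"block": True` verdict's `src` to `Blocker(print).block`; against live traffic, feed each `pkt` from `pcap.pcap(...)` to `inspect` and construct the `Blocker` with `subprocess.call`. Two caveats the substring approach inherits: a signature split across two TCP segments will not match, and nothing inside TLS is visible at all, so the bin/sh check only catches plaintext shells.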