Skip to content
GitLab
Explore
Sign in
Primary navigation
Search or go to…
Project
I
IDS PSE
Manage
Activity
Members
Labels
Plan
Issues
Issue boards
Milestones
Wiki
Requirements
Code
Merge requests
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Snippets
Locked files
Build
Pipelines
Jobs
Pipeline schedules
Test cases
Artifacts
Deploy
Releases
Package registry
Model registry
Operate
Environments
Terraform modules
Monitor
Incidents
Analyze
Value stream analytics
Contributor analytics
CI/CD analytics
Repository analytics
Code review analytics
Issue analytics
Insights
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
Daniel Yang
IDS PSE
Commits
1a5fc734
Commit
1a5fc734
authored
3 months ago
by
Chris
Browse files
Options
Downloads
Patches
Plain Diff
added protocol valid handshake check
parent
463a28d4
No related branches found
No related tags found
No related merge requests found
Changes
2
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
README.md
+2
-0
2 additions, 0 deletions
README.md
code/src/packet_capturing.py
+23
-0
23 additions, 0 deletions
code/src/packet_capturing.py
with
25 additions
and
0 deletions
README.md
+
2
−
0
View file @
1a5fc734
...
...
@@ -14,6 +14,8 @@
-
[X] 6. DNS Spoofing Detection
-
[X] 7. ARP Spoofing Detection
-
[ ] 8. Protocol-Specific Anomalies
-
[ ] 8.1 Fragment checks
-
[X] 8.2 Valid Handshake Check
-
[X] 9. Content-Learning Mismatch
-
[ ] Module 2: Rule-based detection
-
[ ] Module 3: Anomaly-based detection
\ No newline at end of file
This diff is collapsed.
Click to expand it.
code/src/packet_capturing.py
+
23
−
0
View file @
1a5fc734
...
...
@@ -24,6 +24,9 @@ arp_table = defaultdict(int)
icmp_counts
=
defaultdict
(
int
)
icmp_counts_last_checked
=
time
.
time
()
# 1 -> SYN received, 2 -> SYN-ACK rec., 3 -> ACK rec.
handshake_states
=
defaultdict
(
int
)
######################
## Utilities for unit testing ##
...
...
@@ -188,6 +191,25 @@ def content_length_mismatch(packet):
db_conn
.
update_address
(
connection
=
connection
,
packet
=
packet
,
is_dangerous
=
True
,
type_of_threat
=
"
Content-Length Mismatch
"
)
print
(
f
"
Content length mismatch from
{
packet
[
IP
].
src
}
"
)
def
protocol_valid_handshake_check
(
packet
):
tcp_flags
=
packet
[
TCP
].
flags
if
not
packet
[
IP
].
src
in
handshake_states
:
# First packet must be SYN or SYN-ACK
if
tcp_flags
==
0x02
:
# SYN
handshake_states
[
packet
[
IP
].
src
]
=
1
elif
tcp_flags
==
0x12
:
# SYN-ACK
handshake_states
[
packet
[
IP
].
src
]
=
2
else
:
db_conn
.
update_address
(
connection
=
connection
,
packet
=
packet
,
is_dangerous
=
True
,
type_of_threat
=
"
invalid tcp handshake
"
)
print
(
"
invalid tcp handshake: first packet wasn
'
t SYN or SYN-ACK
"
)
elif
handshake_states
[
packet
[
IP
].
src
]
==
1
:
# First (and most recent) packet was SYN
if
tcp_flags
==
0x10
:
# ACK
handshake_states
[
packet
[
IP
].
src
]
=
3
else
:
db_conn
.
update_address
(
connection
=
connection
,
packet
=
packet
,
is_dangerous
=
True
,
type_of_threat
=
"
invalid tcp handshake
"
)
print
(
"
invalid tcp handshake: first packet was SYN, but second one wasn
'
t SYN-ACK
"
)
def
packet_handler
(
packet
):
db_conn
.
add_address
(
connection
=
connection
,
packet
=
packet
)
src
=
packet
[
IP
].
src
if
IP
in
packet
else
packet
[
Ether
].
src
...
...
@@ -209,6 +231,7 @@ def packet_handler(packet):
null_packet
(
packet
)
port_check
(
packet
)
tcp_reset_attack
(
packet
)
protocol_valid_handshake_check
(
packet
)
if
DNS
in
packet
:
dns_spoofing
(
packet
)
dns_spoofing_with_db_check
(
packet
)
...
...
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment
