Merge branch 'main' of https://gitlab.kit.edu/ugmom/ids-pse

4275be21 · Daniel Yang · 5ee61605 · 30c4b937 · 4275be21
Commit 4275be21 authored 4 months ago by Daniel Yang
--- a/code/src/packet_capturing.py
+++ b/code/src/packet_capturing.py
 from scapy.layers.inet import IP, TCP
-from scapy.layers.l2 import Ether
+from scapy.layers.l2 import Ether, ARP
 from scapy.all import sniff
+from collections import defaultdict
+import time

 reserved_ips = ["192.168.1.4", "192.168.1.1", "192.168.1.7", "172.16.0.3"]

+syn_counts = defaultdict()
+syn_counts_last_checked = time.time()
+
+arp_table = defaultdict()
+
 def ip_spoofing(src_mac, src_ip):
 	if src_ip not in reserved_ips:
 		if src_ip.startswith("10.") or src_ip.startswith("192.168.") or src_ip.startswith("169.254."):
@@ -42,6 +49,42 @@ def destination_check(packet):
 			print("Packets with broadcast destination address detected.")
 			print(f"MAC Address of malicious agent: {packet[Ether].src}")

+# Simple Check to see if the Packet has a valid format
+def malformed_check(packet):
+	try:
+		# Attempt to parse packet
+		packet.show()
+	except Exception as e:
+		print(f"Malformed packet detected: {e}")
+		print(f"Source: {packet[IP].src if IP in packet else 'Unknown'}")
+
+# Detect if a certain IP is sending a suspiciously large amount of SYN packets
+def syn_flood_detection(packet):
+	global syn_counts_last_checked
+	if TCP in packet and packet[TCP].flags == 'S':
+		syn_counts[packet[IP].src] += 1
+
+	# Check counts periodically (every 10s)
+	if time.time() - syn_counts_last_checked > 10:
+		for ip, count in syn_counts.items():
+			if count > 100:
+				print(f"Possible SYN flood from {ip}. Number of SYN Packets in last {time.time() - syn_counts_last_checked} seconds: {count}")
+		syn_counts.clear()
+		syn_counts_last_checked = time.time()
+
+# Checks if the same IP has a consistent MAC.
+# Otherwise, an attacker might try to use an IP already in use, like e.g. the gateway's IP, to intercept traffic
+def arp_spoofing(packet):
+	# op == 2 checks for an ARP reply (they say what their MAC is)
+	if ARP in packet and packet[ARP].op == 2:
+		src_ip = packet[ARP].psrc
+		src_mac = packet[ARP].hwsrc
+		if src_ip in arp_table:
+			if arp_table[src_ip] != src_mac:
+				print(f"Possible ARP spoofing detected from IP {src_ip}. Conflicting MACs: {arp_table[src_ip]} and {src_mac}")
+		else:
+			arp_table[src_ip] = src_mac
+
 def packet_handler(packet):
 	if IP in packet:
 		src_ip = packet[IP].src
@@ -54,6 +97,9 @@ def packet_handler(packet):
 		null_packet(packet)
 		port_check(packet)
 	destination_check(packet)
+	malformed_check(packet)
+	syn_flood_detection(packet)
+	arp_spoofing(packet)

 def main():
 	print("Starting packet capture...")