From b10314df4214a92968b45f62dc042181b7cf1afc Mon Sep 17 00:00:00 2001
From: Chris <christianilhoefer@gmail.com>
Date: Fri, 10 Jan 2025 15:06:36 +0100
Subject: [PATCH] Add DB-based DNS spoofing check

---
 README.md                    | 2 +-
 code/src/packet_capturing.py | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 0040e17..4e18e75 100644
--- a/README.md
+++ b/README.md
@@ -11,7 +11,7 @@
     - [X] 3. Rate-Based Anomaly Detection
     - [X] 4. Malformed Packet Detection
     - [X] 5. ICMP Flood Detection
-    - [ ] 6. DNS Spoofing Detection
+    - [X] 6. DNS Spoofing Detection
     - [X] 7. ARP Spoofing Detection
     - [ ] 8. Protocol-Specific Anomalies
     - [X] 9. Content-Learning Mismatch
diff --git a/code/src/packet_capturing.py b/code/src/packet_capturing.py
index 721329c..b845605 100644
--- a/code/src/packet_capturing.py
+++ b/code/src/packet_capturing.py
@@ -147,13 +147,16 @@ def tcp_reset_attack(packet):
 def dns_spoofing(packet):
 	if packet.getlayer(DNS).qr == 1:  # DNS response
 		dns_response = packet.getlayer(DNS)
-		db_conn.contains_address()
 		if dns_response.an is not None:
 			for i in range(dns_response.ancount):
 				dns_rr = dns_response.an[i]
 				if dns_rr.rdata in reserved_ips:
 					print(f"Possible DNS spoofing detected: {dns_rr.rrname} -> {dns_rr.rdata}")
 
+def dns_spoofing_with_db_check(packet):
+	if packet.getlayer(DNS).qr == 1 and db_conn.contains_malicious_address(connection, packet): # DNS response
+		print(f"Possible DNS spoofing: ip address {packet[IP].src} matches a known malicious ip")
+
 # Checks if checksum is corrupted
 def checksum_verification(packet):
 	if IP in packet:
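Review bot: `dns_spoofing_with_db_check` indexes `packet[IP].src` after checking only the DNS layer, so a DNS response carried over IPv6 (no `IP` layer) raises an `IndexError` on the print line instead of being inspected or skipped; the caller in `packet_handler` gates only on `DNS in packet`, so this is reachable from the wire. A guard before the lookup avoids it: `if IP not in packet or packet.getlayer(DNS).qr != 1: return` followed by `if db_conn.contains_malicious_address(connection, packet):` and the existing print. The `connection` argument is not defined anywhere in this hunk, so presumably it is a module-level handle opened elsewhere; worth a one-line comment saying so, since the earlier dead call `db_conn.contains_address()` suggests this API was still in flux. The alert text says "DNS spoofing" but the check appears to match the response's source address against a known-bad list, which is better described as "DNS response from a known-malicious source"; including the queried name (e.g. `packet[DNS].qd.qname`, if present) in the message would also make triage easier.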
@@ -205,6 +208,7 @@ def packet_handler(packet):
 		tcp_reset_attack(packet)
 	if DNS in packet:
 		dns_spoofing(packet)
+		dns_spoofing_with_db_check(packet)
 	if Raw in packet:
 		payload_pattern_matching(packet)
 		content_length_mismatch(packet)
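Review bot: The new `dns_spoofing_with_db_check(packet)` call runs for every DNS packet, and the function it invokes appears to consult the database on each DNS response; if that is a real query per packet, a flood of spoofed DNS responses turns into a flood of DB lookups and can stall the capture loop the detector is supposed to protect. Consider loading the malicious-address set once (or caching recent lookups with a bounded size) so the per-packet check is an in-memory membership test, e.g. `if packet[IP].src in malicious_ips:`. `packet_handler` starts outside this hunk, so it is not visible whether exceptions from the DNS handlers are caught there; if not, a single malformed DNS packet can terminate packet capture for all the other detectors listed in the same function.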
-- 
GitLab