Please code this using Python In this problem, you will write a simple intrusion
Question
Please code this using Python. In this problem, you will write a simple intrusion detection system to detect potential attacks or dangerous behavior in network activity. Attached are two pcaps with example attacks:

1. arpspoofing.pcap includes an ARP spoof attack: IP address 192.168.0.100 advertises the wrong MAC address for 192.168.0.1.
2. portscan.pcap includes a TCP SYN port scan (this is for CSE 6222 only).

Your job is to write a software IDS executable (in Java) or script (in Python) that takes as input a pcap trace and looks for such malicious behavior. The local network you are protecting is configured with two machines (192.168.0.100 with MAC address 7c:d1:c3:94:9e:b8 and 192.168.0.103 with MAC address 896 9501a5c9) and a router (192.168.0.1 with MAC address f8:1a:67:0d:57:6e). Your scanner should:

1. Detect ARP spoofing attempts. Output a warning including the offending MAC address and the packet number of the offending packet.
2. Detect port scans. A port scan is defined to occur whenever TCP SYNs or UDP packets are sent to 100 or more different ports on a target system. The scanner should output a warning including the offending source IP address, the victim destination IP address, and the offending packet numbers.

Your program should take as input the filename of a pcap file that contains captured network packets. The output of your program will be the warning messages as described above. The format of your results is free but should be clear to the user. You should use either Java or Python. Check that your scanner runs properly on the mumble machines before turning it in. The sample pcap files can be used to test your scanner. We will also test your scanner on fresh pcaps we generate that include other non-malicious behaviors, as well as boundary conditions.

Explanation / Answer
from scapy.all import *
from datetime import datetime


class id:
    # TCP flag letters as rendered by scapy's %TCP.flags% -> full flag names
    __flagsTCP = {
        'F': 'FIN',
        'S': 'SYN',
        'R': 'RST',
        'P': 'PSH',
        'A': 'ACK',
        'U': 'URG',
        'E': 'ECE',
        'C': 'CWR',
    }
    __ip_cnt_TCP = {}  # packet counter per "src:dst" stream
    __THRESH = 1000    # packets on one stream before a flood warning is printed

    def sniffPackets(self, pckt):
        # Callback invoked by scapy for every captured packet
        if pckt.haslayer(IP):
            packet_src = pckt[IP].src
            packet_dst = pckt[IP].dst
            print("IP pckt: %s ==> %s , %s" % (packet_src, packet_dst,
                  str(datetime.now().strftime("%Y-%m-%d %H:%M:%S"))), end=' ')
            if pckt.haslayer(TCP):
                source_port = pckt.sport
                destination_port = pckt.dport
                print(", Port: %s --> %s, " % (source_port, destination_port), end='')
                # %TCP.flags% renders e.g. "SA"; map each letter to its flag name
                print([type(self).__flagsTCP[x] for x in pckt.sprintf('%TCP.flags%')])
                self.detect_TCPflood(pckt)
            else:
                print()

    def detect_TCPflood(self, pckt):
        if pckt.haslayer(TCP):
            packet_src = pckt[IP].src
            packet_dst = pckt[IP].dst
            stream = packet_src + ':' + packet_dst
            if stream in type(self).__ip_cnt_TCP:
                type(self).__ip_cnt_TCP[stream] += 1
            else:
                type(self).__ip_cnt_TCP[stream] = 1
            # Every stream is re-checked on each packet, so the warning repeats
            # for every packet after a stream crosses the threshold
            for stream in type(self).__ip_cnt_TCP:
                pckts_sent = type(self).__ip_cnt_TCP[stream]
                if pckts_sent > type(self).__THRESH:
                    src = stream.split(':')[0]
                    dst = stream.split(':')[1]
                    print("Possible Flooding Attack from %s --> %s" % (src, dst))


if __name__ == '__main__':  # was misspelled as _name_, which raises NameError
    print("custom pckt sniffer ")
    # Live capture on interface enp0s3; sniff(offline="file.pcap", prn=...) would read a trace instead
    sniff(filter="ip", iface="enp0s3", prn=id().sniffPackets)
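The two detectors the assignment actually asks for (ARP replies checked against the known host table, and a source hitting 100 or more distinct ports on one target, reported with packet numbers), as an added example that is not part of the posted answer. It works on pre-parsed packet records so it runs without scapy; the sample trace and the scanning host 10.0.0.9 are constructed, and the two MAC addresses are the question's with separators normalised.

```python
from collections import namedtuple

# One record per packet, numbered from 1 as Wireshark does; a pcap reader (scapy,
# dpkt, ...) would fill these in. Here the trace is constructed by hand.
Pkt = namedtuple("Pkt", "num proto src dst dport src_mac arp_ip", defaults=(None,) * 5)

# IP -> MAC bindings from the assignment (separators normalised); 192.168.0.103 is
# omitted because its MAC is not legible in the question text.
KNOWN_HOSTS = {"192.168.0.100": "7c:d1:c3:94:9e:b8", "192.168.0.1": "f8:1a:67:0d:57:6e"}
PORT_THRESHOLD = 100  # distinct destination ports that constitute a scan

def detect_arp_spoof(packets, known=KNOWN_HOSTS):
    """(packet number, claimed IP, offending MAC) per ARP packet contradicting the table."""
    alerts = []
    for p in packets:
        # Only IPs with a known binding are judged; unknown hosts cannot be checked here
        if p.proto == "arp" and p.arp_ip in known and p.src_mac.lower() != known[p.arp_ip].lower():
            alerts.append((p.num, p.arp_ip, p.src_mac))
    return alerts

def detect_port_scans(packets, threshold=PORT_THRESHOLD):
    """(src, dst, packet numbers) per source hitting >= threshold distinct ports on one target."""
    ports, nums = {}, {}
    for p in packets:
        if p.proto not in ("tcp_syn", "udp"):  # only SYNs and UDP count toward a scan
            continue
        key = (p.src, p.dst)
        ports.setdefault(key, set()).add(p.dport)  # a repeated port is not a new port
        nums.setdefault(key, []).append(p.num)
    return [(s, d, nums[(s, d)]) for (s, d) in sorted(ports) if len(ports[(s, d)]) >= threshold]

def report(packets):
    """Warning lines carrying the fields the assignment asks for."""
    lines = ["WARNING: ARP spoof in packet %d: MAC %s claims %s (expected %s)"
             % (n, mac, ip, KNOWN_HOSTS[ip]) for n, ip, mac in detect_arp_spoof(packets)]
    lines += ["WARNING: port scan from %s against %s, packets %s" % (s, d, nums)
              for s, d, nums in detect_port_scans(packets)]
    return lines

# Constructed trace: a genuine ARP reply, a spoofed one claiming the router's IP with
# 192.168.0.100's MAC, then SYNs from 10.0.0.9 to 100 distinct ports plus a repeat of port 80.
SAMPLE = [Pkt(1, "arp", src_mac="7c:d1:c3:94:9e:b8", arp_ip="192.168.0.100"),
          Pkt(2, "arp", src_mac="7c:d1:c3:94:9e:b8", arp_ip="192.168.0.1")]
SAMPLE += [Pkt(3 + i, "tcp_syn", "10.0.0.9", "192.168.0.103", 1 + i) for i in range(100)]
SAMPLE.append(Pkt(103, "tcp_syn", "10.0.0.9", "192.168.0.103", 80))

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Counting distinct ports rather than packets is what keeps a host that repeatedly retries one service below the threshold, which is one of the boundary conditions the assignment says it will test.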