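#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""Heuristic monitor over a live tcpdump capture of DNS (port 53) traffic.

Every tcpdump output line is run through three independent detectors, each
of which prints a one-shot WARNING when its threshold is crossed inside a
time window:

* FQN detector   -- query names that are very long or use an unusually large
  number of distinct characters earn "suspicion" points; more than
  FQN_WARN_POINTS points inside FQN_WINDOW_S seconds warns once.
* NULL detector  -- more than NULL_WARN_COUNT lines containing "NULL" (the
  record type as printed by tcpdump; the substring test also matches a name
  that happens to contain NULL) inside NULL_WINDOW_S seconds warns once.
* Volume detector -- every VOLUME_WINDOW_S seconds the number of lines and
  their average length are compared with VOLUME_WARN_COUNT and
  VOLUME_WARN_AVG_LEN.

These indicators are the ones commonly associated with DNS tunnelling and
exfiltration; the script does not name a threat model itself, so treat the
thresholds as starting points to be tuned per network.  Only tcpdump's text
output is parsed, so detection quality is bounded by that line format.
tcpdump runs via sudo; the script itself holds no privileges and only reads
the pipe.  Windows advance only when a line arrives, so a quiet network
never triggers a reset.

Runs unchanged on Python 2 and Python 3.
"""
import subprocess as sub
import time

# --- FQN detector -----------------------------------------------------------
FQN_MIN_LEN = 5            # names this short (or shorter) are ignored
FQN_DISTINCT_LVL1 = 40     # > this many distinct characters -> 1 point
FQN_DISTINCT_LVL2 = 70     # > this many distinct characters -> 1 more point
FQN_LONG_LEN = 300         # > this many characters -> 1 point
FQN_WARN_POINTS = 20       # points per window before warning
FQN_WINDOW_S = 20
# --- NULL detector ----------------------------------------------------------
NULL_WARN_COUNT = 500
NULL_WINDOW_S = 30
# --- Volume detector --------------------------------------------------------
VOLUME_WARN_COUNT = 1500   # lines per window before warning
VOLUME_WARN_AVG_LEN = 190  # average line length (characters) before warning
VOLUME_WINDOW_S = 30

# -l: line-buffered so lines reach the pipe as they are captured.
# -n: do not resolve addresses; without it tcpdump issues its own reverse
#     lookups on port 53, which land back in this capture and inflate the
#     volume detector with the monitor's own traffic.
TCPDUMP_CMD = ('sudo', 'tcpdump', '-l', '-n', 'port 53')


def extract_fqn(line):
    """Return the query name from one tcpdump DNS line, or "" if none.

    tcpdump prints a name with its trailing dot followed by a space
    (``... A? example.com. (29)``); the name is the last space-separated
    token before the first ``". "`` in the line.  Lines without such a
    marker (most responses, non-name records) yield "".

    Args:
        line: one decoded tcpdump output line, without trailing newline.

    Returns:
        The name including its trailing dot, e.g. ``"example.com."``.
    """
    end = line.find(". ")
    if end == -1:
        return ""
    return line[:end + 1].rsplit(" ", 1)[-1]


def fqn_points(fqn):
    """Return the suspicion points (0..3) earned by a single query name.

    One point each for more than FQN_DISTINCT_LVL1 distinct characters,
    more than FQN_DISTINCT_LVL2 distinct characters, and a total length
    above FQN_LONG_LEN; the two distinct-character levels stack.
    """
    distinct = len(set(fqn))
    points = 0
    if distinct > FQN_DISTINCT_LVL1:
        points += 1
    if distinct > FQN_DISTINCT_LVL2:
        points += 1
    if len(fqn) > FQN_LONG_LEN:
        points += 1
    return points


def monitor(stream):
    """Run the three detectors over a byte stream of tcpdump lines until EOF.

    Args:
        stream: a binary file-like object with ``readline()`` returning
            ``b''`` at EOF (the tcpdump pipe, or any ``BytesIO`` in tests).

    Side effects:
        Prints WARNING lines to stdout.  Nothing is returned.
    """
    now = time.time()
    # FQN detector state
    fqn_score = 0
    fqn_window_start = now
    warned_fqn = False
    # NULL detector state
    null_count = 0
    null_window_start = now
    warned_null = False
    # Volume detector state
    line_count = 0
    len_total = 0
    volume_window_start = now

    for raw in iter(stream.readline, b''):
        # Decode with replacement so a non-UTF-8 byte in a captured name
        # cannot crash the monitor; tcpdump escapes most of them anyway.
        line = raw.rstrip().decode("utf-8", "replace")
        # One timestamp per line keeps all three windows consistent and
        # fixes the original NameError when the first line held no NULL
        # record (the NULL window compared an unassigned timestamp).
        now = time.time()
        line_count += 1
        len_total += len(line)

        # --- suspicious-looking query names ---------------------------------
        fqn = extract_fqn(line)
        if len(fqn) > FQN_MIN_LEN:
            fqn_score += fqn_points(fqn)
            if fqn_score > FQN_WARN_POINTS and not warned_fqn:
                print("WARNING: suspicious looking FQNs.")
                warned_fqn = True
        if now - fqn_window_start > FQN_WINDOW_S:
            fqn_score = 0
            fqn_window_start = now
            warned_fqn = False

        # --- NULL record types -----------------------------------------------
        if "NULL" in line:
            null_count += 1
            if null_count > NULL_WARN_COUNT and not warned_null:
                print("WARNING: many NULL DNS requests. ")
                warned_null = True
        if now - null_window_start > NULL_WINDOW_S:
            null_count = 0
            null_window_start = now
            warned_null = False

        # --- amount and length of DNS messages -------------------------------
        if now - volume_window_start >= VOLUME_WINDOW_S:
            if line_count > VOLUME_WARN_COUNT:
                print("WARNING: high output of DNS messages.")
            # line_count >= 1 here: this line was counted above.
            if float(len_total) / line_count > VOLUME_WARN_AVG_LEN:
                print("WARNING: very long DNS messages are sent.")
            line_count = 0
            len_total = 0
            volume_window_start = now


def main():
    """Start tcpdump and feed its output to monitor() until EOF or Ctrl-C.

    The pipe is always closed and the child reaped.  sudo makes the child
    root-owned, so it is not signalled from here: on Ctrl-C the terminal
    already delivered SIGINT to the whole foreground process group, and
    otherwise closing the pipe lets tcpdump exit on its next write.
    """
    proc = sub.Popen(TCPDUMP_CMD, stdout=sub.PIPE)
    try:
        monitor(proc.stdout)
    except KeyboardInterrupt:
        pass
    finally:
        proc.stdout.close()
        proc.wait()


if __name__ == "__main__":
    main()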