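├── Analysis.py
├── Data_Sniff.py
├── Database.py
├── Flitter.py
├── Main.py
└── README.md

/Analysis.py:
--------------------------------------------------------------------------------
from __future__ import division, print_function

from datetime import datetime, timedelta

from Database import Mysqldb, safe_identifier


class AnalysisDP:
    """Run the three detectors over one time window of the capture table.

    Every detector returns the list of source IPs it considers hostile; the
    caller (Main.MPolicy) turns those into iptables DROP rules.

      IPAnalysis    - packets per second from one source >= ``rate``
      FlagsAnalysis - SYN / FIN / NULL-flag packets make up more than 80% of a
                      source's traffic (port-scan shape), for sources that
                      sent more than 15 packets
      PortAnalysis  - more than half of a source's packets go to ports the
                      host does not serve (see PortAnalysis ``ports``)

    Args:
        dbs: an open Database.Mysqldb; a fresh one is created when None.
        table: name of the capture table (checked as an SQL identifier).
        timecount: length of the window in seconds, ending one second ago.
        rate: packets-per-second threshold for IPAnalysis.

    Raises:
        ValueError: on a non-identifier ``table`` or ``timecount`` <= 0.
    """

    def __init__(self, dbs=None, table="a2017", timecount=30, rate=5):
        # ``dbs=Mysqldb()`` as a default argument would open a connection at
        # import time and share it between every instance; build it lazily.
        self.Dbs = Mysqldb() if dbs is None else dbs
        # The table name is spliced into SQL text (identifiers cannot be
        # bound as parameters), so it is whitelisted first.
        self.Table = safe_identifier(table)
        if timecount <= 0:
            raise ValueError("timecount must be positive, got %r" % (timecount,))
        self.Timecount = timecount
        self.Rate = rate
        # Filled by IPAnalysis(): source IP -> packet count in the window.
        self.IP = {}
        # Window is [now-1s-timecount, now-1s]; the one-second margin keeps
        # the second currently being written by the sniffer out of the query.
        end = datetime.now() - timedelta(seconds=1)
        start = end - timedelta(seconds=timecount)
        self.Condition = "Dt between '%s' and '%s'" % (
            start.strftime("%Y-%m-%d %H:%M:%S"),
            end.strftime("%Y-%m-%d %H:%M:%S"),
        )

    def IPAnalysis(self):
        """Return source IPs whose packet rate in the window is >= self.Rate.

        Side effect: fills self.IP with the per-source packet count; the other
        two detectors read it, so this one has to run first.
        """
        black = []
        # dport < 30000 keeps high/ephemeral destination ports out of the count.
        sql = ("SELECT SIP,COUNT(*) FROM %s WHERE dport < 30000 and %s "
               "group by SIP ORDER BY SIP ASC") % (self.Table, self.Condition)
        # The query is issued once (the original ran it twice and discarded
        # the first result). Execute() returns None on failure -> no rows.
        for sip, count in self.Dbs.Execute(sql) or ():
            self.IP[sip] = count
            per_second = count / self.Timecount  # true division (__future__)
            if per_second >= self.Rate:
                print("High Rate:%s %.2f" % (sip, per_second))
                black.append(sip)
        return black

    def FlagsAnalysis(self):
        """Return source IPs whose traffic is mostly SYN, FIN or NULL packets.

        A source is flagged when fewer than 20% of its packets carry "normal"
        flags and it sent more than 15 packets in the window. Reads self.IP
        (see IPAnalysis); a source missing from it is skipped instead of
        raising KeyError.
        """
        black = []
        sql = ("SELECT SIP,flags,COUNT(*) FROM %s WHERE dport < 30000 and %s "
               "group by SIP,flags ORDER BY SIP ASC,flags ASC") % (self.Table, self.Condition)
        # Per-source count of packets that are NOT scan-shaped; starts at the
        # total and is reduced by every SYN/FIN/NULL group.
        normal = dict(self.IP)
        for sip, flags, count in self.Dbs.Execute(sql) or ():
            if sip not in normal:
                continue
            flags = flags or ""  # Flags column is nullable
            if 'S' in flags or 'F' in flags or not flags.strip():
                normal[sip] -= count
        for sip, total in self.IP.items():
            if total > 15 and normal[sip] / total < 0.2:
                print("Flag Anomalies:%s %.2f%%" % (sip, normal[sip] * 100.0 / total))
                black.append(sip)
        return black

    def PortAnalysis(self, ports=None):
        """Return source IPs sending more than half of their packets to closed ports.

        Args:
            ports: destination ports the host legitimately serves, as strings
                or ints (default ["80"]). Each entry is converted with int()
                before it is placed in the IN (...) list, so a non-numeric
                value raises ValueError instead of altering the query.

        Reads self.IP (see IPAnalysis); unknown sources are skipped.
        """
        if ports is None:  # mutable default replaced by None
            ports = ["80"]
        if not ports:
            raise ValueError("ports must list at least one served port")
        port_list = ",".join(str(int(p)) for p in ports)
        black = []
        # dport < 49152 excludes the ephemeral range (replies to outbound
        # connections) from the "closed port" count.
        sql = ("SELECT SIP,COUNT(*) FROM %s WHERE dport NOT IN (%s) AND dport < 49152 "
               "AND %s group by SIP ORDER BY SIP ASC") % (self.Table, port_list, self.Condition)
        for sip, count in self.Dbs.Execute(sql) or ():
            total = self.IP.get(sip)
            if not total:
                continue
            share = count / total
            if share > 0.5:
                print("Port Anomalies:%s %.2f%%" % (sip, share * 100))
                black.append(sip)
        return black


if __name__ == '__main__':
    a = AnalysisDP()
    print(a.IPAnalysis())
    print(a.FlagsAnalysis())
    print(a.PortAnalysis())
--------------------------------------------------------------------------------
/Data_Sniff.py:
--------------------------------------------------------------------------------
from __future__ import print_function

from datetime import datetime

from scapy.all import IP, TCP, sniff

from Database import Mysqldb, safe_identifier


class SniffDP:
    """Capture packets matching a BPF filter and store one row per packet.

    Args:
        dbs: an open Database.Mysqldb; created on demand when None.
        table: capture table to insert into (checked as an SQL identifier).
        claim: BPF filter handed to scapy's sniff().
        run_time: capture duration in seconds for one Start() call.
    """

    def __init__(self, dbs=None, table="a2017", claim=" tcp and dst 192.168.154.130", run_time=60):
        self.Claim = claim
        self.Run_time = run_time
        self.Dbs = Mysqldb() if dbs is None else dbs
        self.Table = safe_identifier(table)

    def Start(self):
        """Sniff for Run_time seconds, handing every matching packet to Collect()."""
        sniff(timeout=self.Run_time, filter=self.Claim, prn=self.Collect)

    def Collect(self, x):
        """Store (SIP, Dport, Flags, Dt) for one captured packet.

        The packet contents come from the network, i.e. from the party being
        monitored, so they are never pasted into the SQL text: the values are
        read from the decoded layers and bound by the driver as parameters.
        Packets without an IPv4+TCP layer (the "tcp" filter also matches IPv6)
        are ignored.
        """
        if not x.haslayer(IP) or not x.haslayer(TCP):
            return
        sip = x[IP].src
        dport = int(x[TCP].dport)
        flags = x.sprintf("%TCP.flags%")  # e.g. "S", "SA", "PA"; "" for a NULL scan
        dt = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
        sql = "INSERT INTO %s (SIP,Dport,Flags,Dt) VALUES (%%s, %%s, %%s, %%s)" % self.Table
        self.Dbs.Execute(sql, (sip, dport, flags, dt))


if __name__ == '__main__':
    a = SniffDP()
    a.Start()
--------------------------------------------------------------------------------
/Database.py:
--------------------------------------------------------------------------------
from __future__ import print_function

import re

import MySQLdb

# SQL identifiers (table names) cannot be bound as query parameters, so every
# name that ends up in statement text is checked against this first.
_IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def safe_identifier(name):
    """Return ``name`` unchanged if it is a plain SQL identifier, else raise ValueError."""
    if not _IDENTIFIER_RE.match(name):
        raise ValueError("not a valid SQL identifier: %r" % (name,))
    return name


class Mysqldb:
    """One MySQLdb connection to the ``Iptables`` database plus a cursor.

    A connection is not thread-safe; Main.py deliberately opens one instance
    per thread. ``db`` and ``cursor`` stay None when connecting failed.
    """

    def __init__(self, host="localhost", user="root", passwd=""):
        self.Host = host
        self.User = user
        self.Passwd = passwd
        self.db = None
        self.cursor = None
        self.Connecting()

    def Connecting(self):
        """Open the connection.

        On failure the driver error is printed and db/cursor stay None; the
        old bare ``except: pass`` hid a wrong password until the first query
        died with AttributeError.
        """
        try:
            self.db = MySQLdb.connect(host=self.Host, user=self.User, passwd=self.Passwd, db="Iptables")
            self.cursor = self.db.cursor()
        except MySQLdb.Error as e:
            print("Database connection failed: %s" % (e,))

    def Execute(self, sql, params=None):
        """Run one statement, commit, and return all result rows as a tuple.

        Args:
            sql: statement text; use ``%s`` placeholders for values.
            params: sequence bound to the placeholders by the driver. Anything
                that originates outside the program (packet fields, console
                input) must go here, never into ``sql`` by string formatting.

        Returns:
            The fetched rows (empty tuple for INSERT/CREATE), or None when the
            connection is down or the statement failed; the error is printed.
        """
        if self.cursor is None:
            print("Database not connected; statement skipped")
            return None
        try:
            # execute() without args leaves the text untouched, so existing
            # callers that pass a finished statement keep working.
            self.cursor.execute(sql, params)
            info = self.cursor.fetchall()
            self.db.commit()
            return info
        except MySQLdb.Error as e:
            print(e)
            return None

    def Createtable(self, table):
        """Create the capture table ``table`` (id, SIP, Dport, Flags, Dt) if missing."""
        table = safe_identifier(table)
        sql = ("CREATE TABLE IF NOT EXISTS %s ("
               "`id` int(11) NOT NULL AUTO_INCREMENT,"
               "`SIP` varchar(20) NOT NULL,"
               "`Dport` INT DEFAULT NULL,"
               # scapy renders up to nine flag letters (FSRPAUECN); six would
               # truncate or reject such rows depending on the SQL mode.
               "`Flags` varchar(9) DEFAULT NULL,"
               "`Dt` datetime DEFAULT NULL,"
               "PRIMARY KEY (`id`)"
               ") ENGINE=InnoDB AUTO_INCREMENT=0 ;") % (table,)
        self.Execute(sql)


if __name__ == '__main__':
    a = Mysqldb()
    # Demo insert; the values are bound, not formatted into the statement.
    a.Execute("INSERT INTO a2017 (SIP,Dport,Flags) VALUES (%s, %s, %s)", ("127.0.0.1", 123, "S"))
--------------------------------------------------------------------------------
/Flitter.py:
--------------------------------------------------------------------------------
from __future__ import print_function

import iptc

try:
    _prompt = raw_input  # Python 2: input() would eval() the typed text
except NameError:
    _prompt = input


class Policy:
    """Blacklist kept as one DROP rule per source IP in filter/INPUT.

    Rules live only in the kernel and in ``self.Rule``; nothing is persisted,
    so a crash that skips Exit() leaves the DROP rules installed until they
    are removed by hand (``iptables -L INPUT`` shows them).
    """

    def __init__(self):
        self.Rule = {}  # source IP -> iptc.Rule currently installed
        self.chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT")

    def Insert(self, IP):
        """Install a DROP rule for source ``IP``; a repeat call for the same IP is a no-op."""
        if IP in self.Rule:
            return
        rule = iptc.Rule()
        rule.src = IP
        rule.target = iptc.Target(rule, "DROP")
        # Insert at the top so the drop wins over any existing ACCEPT rule;
        # record it only once the kernel accepted it, so Del() never tries to
        # remove a rule that was never installed.
        self.chain.insert_rule(rule)
        self.Rule[IP] = rule

    def Del(self, IP):
        """Remove the DROP rule for ``IP``; an unknown IP is reported, not raised."""
        rule = self.Rule.pop(IP, None)
        if rule is None:
            print("No rule for %s" % (IP,))
            return
        self.chain.delete_rule(rule)

    def Show(self):
        """Print the currently blacklisted IPs."""
        print("The Blacklist :")
        for ip in self.Rule:
            print(ip)

    def Exit(self):
        """Remove every rule this object installed."""
        for ip in list(self.Rule):  # copy: Del() mutates the dict
            self.Del(ip)


if __name__ == '__main__':
    a = Policy()
    a.Insert("192.168.123.5")
    _prompt("check")
    a.Del("192.168.123.5")
--------------------------------------------------------------------------------
/Main.py:
--------------------------------------------------------------------------------
from __future__ import print_function

import threading
import time
from datetime import datetime

from Analysis import AnalysisDP
from Data_Sniff import SniffDP
from Database import Mysqldb
from Flitter import Policy

try:
    _prompt = raw_input  # Python 2: input() would eval() the typed text
except NameError:
    _prompt = input


def MSniff():
    """Capture loop: sniff Sntime seconds at a time into an hourly table.

    Runs on its own thread with its own connection (``mysql``); reads the
    globals flag/Sntime/Hostip and publishes the current table name in
    ``table`` for MPolicy. Stops after the capture in flight once flag is 0.
    """
    global table
    bpf = " tcp and dst %s" % Hostip
    while flag:
        table = datetime.now().strftime("a%Y%m%d%H")
        mysql.Createtable(table)
        SniffDP(mysql, table, bpf, Sntime).Start()


def MPolicy():
    """Analysis loop: every 5 s run the detectors over the last 5 s and DROP hits.

    Uses its own connection (``mysql2``); MySQLdb connections must not be
    shared across threads. IPs in ``Whitelist`` are never blocked - without
    it a busy legitimate peer (a NAT gateway, a monitoring host) can be cut
    off just like a scanner. Errors are printed and the loop continues, so a
    transient DB failure does not stop protection.
    """
    while flag:
        time.sleep(5)
        try:
            An = AnalysisDP(mysql2, table, 5, 30)
        except Exception as e:
            print("analysis setup failed: %s" % (e,))
            continue
        # IPAnalysis must run first: it fills An.IP for the other two.
        for detector in (An.IPAnalysis, An.FlagsAnalysis, An.PortAnalysis):
            try:
                for ip in detector():
                    if ip not in Whitelist:
                        Po.Insert(ip)
            except Exception as e:
                print("%s failed: %s" % (detector.__name__, e))
                break


if __name__ == '__main__':
    flag = 1
    Sntime = 30
    Hostip = "192.168.154.130"
    Whitelist = set()  # source IPs that must never be blocked
    dbhost = "localhost"
    user = "root"
    passwd = ""
    table = datetime.now().strftime("a%Y%m%d%H")
    # One connection per thread: MySQLdb connections are not thread-safe.
    mysql = Mysqldb(dbhost, user, passwd)
    mysql2 = Mysqldb(dbhost, user, passwd)
    Po = Policy()
    s = threading.Thread(target=MSniff)
    s.start()
    p = threading.Thread(target=MPolicy)
    p.start()
    time.sleep(3)
    try:
        while True:
            Po.Show()
            cmd = _prompt("Enter 'd' to delete rule,'q' to quit:")
            if 'd' in cmd:
                Po.Del(_prompt("Input the Ip address:").strip())
            if 'q' in cmd:
                print("please wait for %d seconds at most" % Sntime)
                break
    finally:
        # Reached on 'q', Ctrl-C or an error: stop the threads and take the
        # DROP rules back out so the host is not left with stale rules.
        flag = 0
        Po.Exit()
        print("The rule have been Canceled")
    p.join()
    s.join()
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------

好久好久以前写的练习用的小辣鸡项目,大佬们,基本上就是一点点端口扫描检查,大佬可以不用关注了。

# TCPfirewall

TCP入侵检测系统,检测端口扫描、Dos攻击、爬虫联动iptables进行防御

1.基于tcp的请求频率
2.tcp的flag标志位,SYN\FIN\NULL包的比例
3. 未开放端口的请求比例

需要安装的库python-iptables\MySQLdb\scapy

--------------------------------------------------------------------------------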