Merge pull request #284 from prince-7/ids

New Attack Detection Modules for IDS
OWASP · Jun 18, 2021 · 22b4d38 · 22b4d38
2 parents 08ee7f5 + 4afb80a
commit 22b4d38
Show file tree

Hide file tree

Showing 12 changed files with 2,107 additions and 2,863 deletions.
diff --git a/ServerApp/requirements.txt b/ServerApp/requirements.txt
@@ -3,4 +3,6 @@ psutil
 flask
 flask_cors
 flask_sqlalchemy
-flask_socketio
+Flask-SocketIO==4.3.1
+python-engineio==3.13.2
+python-socketio==4.6.0
diff --git a/gui/package-lock.json b/gui/package-lock.json
diff --git a/securetea/__init__.py b/securetea/__init__.py
@@ -27,6 +27,8 @@
 from .lib.ids.r2l_rules import ping_of_death
 from .lib.ids.r2l_rules import r2l_engine
 from .lib.ids.r2l_rules import syn_flood
+from .lib.ids.r2l_rules import dns_amp
+from .lib.ids.r2l_rules import bgp_abuse
 from .lib.ids.r2l_rules.wireless import deauth
 from .lib.ids.r2l_rules.wireless import fake_access
 from .lib.ids.r2l_rules.wireless import hidden_node

diff --git a/securetea/core.py b/securetea/core.py
@@ -39,6 +39,7 @@
 from securetea.lib.iot import iot_checker
 from securetea.lib.social_engineering.socialEngineering import SecureTeaSocialEngineering
 from securetea.lib.history_logger.secureTeaHistoryLogger import SecureTeaHistoryLogger
+from securetea.lib.history_logger.historylogger_logger import HistoryLogger
 from securetea.modes import server_mode
 from securetea.modes import system_mode
 from securetea.modes import iot_mode

diff --git a/securetea/lib/__init__.py b/securetea/lib/__init__.py
@@ -24,6 +24,7 @@
 from .ids.r2l_rules import ping_of_death
 from .ids.r2l_rules import r2l_engine
 from .ids.r2l_rules import syn_flood
+from .ids.r2l_rules import dns_amp
 from .ids.r2l_rules.wireless import deauth
 from .ids.r2l_rules.wireless import fake_access
 from .ids.r2l_rules.wireless import hidden_node

diff --git a/securetea/lib/ids/__init__.py b/securetea/lib/ids/__init__.py
@@ -9,6 +9,8 @@
 from .r2l_rules import ping_of_death
 from .r2l_rules import r2l_engine
 from .r2l_rules import syn_flood
+from .r2l_rules import dns_amp
+from .r2l_rules import bgp_abuse
 from .r2l_rules.wireless import deauth
 from .r2l_rules.wireless import fake_access
 from .r2l_rules.wireless import hidden_node

diff --git a/securetea/lib/ids/r2l_rules/__init__.py b/securetea/lib/ids/r2l_rules/__init__.py
@@ -7,6 +7,8 @@
 from . import ping_of_death
 from . import r2l_engine
 from . import syn_flood
+from . import dns_amp
+from . import bgp_abuse
 from .wireless import deauth
 from .wireless import fake_access
 from .wireless import hidden_node

diff --git a/securetea/lib/ids/r2l_rules/bgp_abuse.py b/securetea/lib/ids/r2l_rules/bgp_abuse.py
@@ -0,0 +1,65 @@
+# -*- coding: utf-8
+u"""BGP Abuse Detection detection module for SecureTea IDS.
+
+Project:
+    ╔═╗┌─┐┌─┐┬ ┬┬─┐┌─┐╔╦╗┌─┐┌─┐
+    ╚═╗├┤ │  │ │├┬┘├┤  ║ ├┤ ├─┤
+    ╚═╝└─┘└─┘└─┘┴└─└─┘ ╩ └─┘┴ ┴
+    Author: Aman Singh <[email protected]> , June 16 2021
+    Version: 1.1
+    Module: SecureTea
+
+"""
+
+import scapy.all as scapy
+import scapy.contrib.bgp as bgp
+from securetea import logger
+
+class BGP_Abuse(object):
+    """BGP Abuse class."""
+
+    def __init__(self, debug=False):
+        """
+        Initialize BGP Abuse class.
+
+        Args:
+            debug (bool): Log on terminal or not
+
+        Raises:
+            None
+
+        Returns:
+            None
+        """
+        # Initialize logger
+        self.logger = logger.SecureTeaLogger(
+                __name__,
+                debug=debug
+        )
+
+    def detect_bgp_abuse(self, pkt):
+        """
+        Detect BGP Abuse Attacks by observing set flags and BGPPathAttributes
+
+        Types of attack detected:-
+        1) Blind Disruption
+
+        Args:
+            pkt (scapy_object): Packet to dissect and observe
+
+        Raises:
+            None
+
+        Returns:
+            None
+        """
+
+        # Blind Disruption Detection
+        if (pkt.haslayer(scapy.IP) 
+            and pkt.haslayer(scapy.TCP)):
+            if('RA' in str(pkt[scapy.TCP].flags)):
+                self.logger.log(
+                            "Possible BGP Abuse,Blind Disruption attack detected.",
+                            logtype="warning"
+                        )
+
diff --git a/securetea/lib/ids/r2l_rules/dns_amp.py b/securetea/lib/ids/r2l_rules/dns_amp.py
@@ -0,0 +1,78 @@
+# -*- coding: utf-8
+u"""DNS Amplification detection module for SecureTea IDS.
+
+Project:
+    ╔═╗┌─┐┌─┐┬ ┬┬─┐┌─┐╔╦╗┌─┐┌─┐
+    ╚═╗├┤ │  │ │├┬┘├┤  ║ ├┤ ├─┤
+    ╚═╝└─┘└─┘└─┘┴└─└─┘ ╩ └─┘┴ ┴
+    Author: Aman Singh <[email protected]> , June 14 2021
+    Version: 1.1
+    Module: SecureTea
+
+"""
+
+import scapy.all as scapy
+from subprocess import check_output
+import re
+from securetea import logger
+
+class DNS_Amplification(object):
+    """DNS Amplification class."""
+
+    def __init__(self, debug=False):
+        """
+        Initialize DNS Amplification class.
+
+        Args:
+            debug (bool): Log on terminal or not
+
+        Raises:
+            None
+
+        Returns:
+            None
+        """
+        # Initialize logger
+        self.logger = logger.SecureTeaLogger(
+                __name__,
+                debug=debug
+        )
+
+    def detect_dns_amplification(self, pkt):
+        """
+        Detect detect DNS Amplification by observing source,
+        destination IP & ports.
+
+        Args:
+            pkt (scapy_object): Packet to dissect and observe
+
+        Raises:
+            None
+
+        Returns:
+            None
+        """
+        if (pkt.haslayer(scapy.IP) and
+            pkt.haslayer(scapy.UDP) and
+            pkt.haslayer(scapy.DNS)):
+
+            source_ip = pkt[scapy.IP].src
+            dest_dns = [str(pkt[scapy.IP].dst)]
+
+            udp_port = pkt[scapy.UDP].dport
+            ips = check_output(['hostname', '--all-ip-addresses'])
+            ips = ips.decode("utf-8").split(' ')[:-1]
+
+            # dns ips for top public dns servers
+            dns_dst = ['8.8.8.8','8.8.4.4','9.9.9.9','149.112.112.112','208.67.222.222','208.67.220.220','1.1.1.1','1.0.0.1','185.228.168.9','185.228.169.9','76.76.19.19','76.223.122.150','94.140.14.14','94.140.15.15']
+
+            if ((source_ip in ips) and (udp_port == 53)):
+                for dest in dest_dns:
+                    if(re.search('[a-zA-Z]', dest)):
+                        dest_dns += check_output(['dig', '+short', dest]).decode('utf-8').split('\n')[:-1]
+                    if(dest in dns_dst):
+                        self.logger.log(
+                            "Possible dns amplification attack detected.",
+                            logtype="warning"
+                        )
+                        break
diff --git a/securetea/lib/ids/r2l_rules/r2l_engine.py b/securetea/lib/ids/r2l_rules/r2l_engine.py
@@ -18,6 +18,8 @@
 from securetea.lib.ids.r2l_rules.ping_of_death import PingOfDeath
 from securetea.lib.ids.r2l_rules.syn_flood import SynFlood
 from securetea.lib.ids.r2l_rules.land_attack import LandAttack
+from securetea.lib.ids.r2l_rules.dns_amp import DNS_Amplification
+from securetea.lib.ids.r2l_rules.bgp_abuse import BGP_Abuse
 from securetea.lib.ids.r2l_rules.wireless.deauth import Deauth
 from securetea.lib.ids.r2l_rules.wireless.fake_access import FakeAccessPoint
 from securetea.lib.ids.r2l_rules.wireless.hidden_node import HiddenNode
@@ -49,6 +51,8 @@ def __init__(self, debug=False, interface=None):
         self.land_attack = LandAttack(debug=debug)
         self.ddos = DDoS(debug=debug)
         self.syn_flood = SynFlood(debug=debug)
+        self.dns_amp = DNS_Amplification(debug=debug)
+        self.bgp_abuse = BGP_Abuse(debug=debug)
         # Wireless
         self.deauth = Deauth(debug=debug)
         self.fake_access = FakeAccessPoint(debug=debug)
@@ -77,6 +81,8 @@ def run(self, pkt):
         self.ping_of_death.detect(pkt)
         self.ddos.classify_ddos(pkt)
         self.syn_flood.detect_syn_flood(pkt)
+        self.dns_amp.detect_dns_amplification(pkt)
+        self.bgp_abuse.detect_bgp_abuse(pkt)
         # Wireless
         self.deauth.detect_deauth(pkt)
         self.fake_access.detect_fake_ap(pkt)

diff --git a/test/test_bgp_abuse.py b/test/test_bgp_abuse.py
@@ -0,0 +1,48 @@
+# -*- coding: utf-8 -*-
+import unittest
+from securetea.lib.ids.r2l_rules.bgp_abuse import BGP_Abuse
+import scapy.all as scapy
+from securetea.logger import SecureTeaLogger
+
+try:
+    # if python 3.x.x
+    from unittest.mock import patch
+except ImportError:  # python 2.x.x
+    from mock import patch
+
+
+class TestBGP_Abuse(unittest.TestCase):
+    """
+    Test class for SecureTea IDS BGP_Abuse Detection.
+    """
+
+    def setUp(self):
+        """
+        Setup class for BGP_Abuse.
+        """
+        # Create scapy packet (valid attack)
+        self.pkt = scapy.IP(src="10.0.2.15",
+                            dst="200.10.10.1") \
+                   / scapy.TCP(dport=53, sport=179, flags="RA", seq=123, ack=456)
+
+        # Create a scapy packet (invalid attack)
+        self.pkt2 = scapy.IP(src="10.0.2.15",
+                            dst="200.10.10.1") \
+                   / scapy.TCP(dport=53, sport=179, seq=123, ack=456)
+
+        # Create BGP Abuse object
+        self.bgp_abuse_obj = BGP_Abuse()
+
+    @patch.object(SecureTeaLogger, 'log')
+    def test_detect_bgp_abuse(self, mock_log):
+        """
+        Test detect_bgp_abuse.
+        """
+        # Case 1: When condition for bgp abuse is invalid
+        self.bgp_abuse_obj.detect_bgp_abuse(self.pkt2)
+        self.assertFalse(mock_log.called)
+
+        # Case 2: When condition for bgp abuse is valid
+        self.bgp_abuse_obj.detect_bgp_abuse(self.pkt)
+        mock_log.assert_called_with("Possible BGP Abuse,Blind Disruption attack detected.",
+                                    logtype="warning")
diff --git a/test/test_dns_amp.py b/test/test_dns_amp.py
@@ -0,0 +1,50 @@
+# -*- coding: utf-8 -*-
+import unittest
+from securetea.lib.ids.r2l_rules.dns_amp import DNS_Amplification
+import scapy.all as scapy
+from securetea.logger import SecureTeaLogger
+
+try:
+    # if python 3.x.x
+    from unittest.mock import patch
+except ImportError:  # python 2.x.x
+    from mock import patch
+
+
+class TestDNS_Amplification(unittest.TestCase):
+    """
+    Test class for SecureTea IDS DNS_Amplification Detection.
+    """
+
+    def setUp(self):
+        """
+        Setup class for DNS_Amplification.
+        """
+        # Create scapy packet (valid attack)
+        self.pkt = scapy.IP(src="10.0.2.15",
+                            dst="dns.google") \
+                   / scapy.UDP(dport=53) \
+                   / scapy.DNS(rd=1, qd=scapy.DNSQR(qname="google.com", qtype="ANY"))
+
+        # Create a scapy packet (invalid attack)
+        self.pkt2 = scapy.IP(src="10.0.2.15",
+                            dst="0.0.0.0") \
+                    / scapy.UDP(dport=53) \
+                    / scapy.DNS(rd=1, qd=scapy.DNSQR(qname="google.com", qtype="ANY"))
+
+        # Create DNS Amplification object
+        self.dns_amp_obj = DNS_Amplification()
+
+    @patch.object(SecureTeaLogger, 'log')
+    def test_detect_dns_amplification(self, mock_log):
+        """
+        Test detect_dns_amplification.
+        """
+        # Case 1: When condition for dns amplification is invalid
+        self.dns_amp_obj.detect_dns_amplification(self.pkt2)
+        self.assertFalse(mock_log.called)
+
+        # Case 2: When condition for dns amplification is valid
+        self.dns_amp_obj.detect_dns_amplification(self.pkt)
+        mock_log.assert_called_with("Possible dns amplification attack detected.",
+                                    logtype="warning")