aoandon 0.0.6 → 0.0.7
- checksums.yaml +4 -4
- data/README.md +7 -7
- data/lib/aoandon.rb +5 -3
- data/lib/aoandon/analysis/syntax.rb +29 -23
- data/lib/aoandon/dynamic_rule/less1024.rb +1 -1
- data/lib/aoandon/log.rb +10 -6
- data/lib/aoandon/static_rule.rb +1 -1
- data/lib/aoandon/version.rb +5 -0
- metadata +3 -2
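--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 0b404ee00be509e8bb241c123cf12145e43028c9ea4e8bd8e3e85e83ab310633
+data.tar.gz: b755263c90d97d880e36c86a85b654bf8f421889296c3bec01bc03e8a61a8e0e
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 35a6d37a43a59c56ee946c2dc440565473bc8d0b1dfece934433c1b6f583de42cc91363374166e5fd8af146f32670fbe5b06e65b109ddef36069ab0903e277b4
+data.tar.gz: 92c55e993652ef9afa7ceb415ff54864a173717aff11a571cf2558e91380b4aae7a2cbcf872ffd5e6a0a254ff7252a750b93447d5a7c45a3dc7eec260ab16cea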
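--- a/data/README.md
+++ b/data/README.md
@@ -28,7 +28,7 @@ bundle
 Or install it yourself as:
 
 ```sh
-gem install
+gem install aoandon
 ```
 
 ## Getting started
@@ -215,10 +215,10 @@ Some semantic analysis can also be done through Aoandon NIDS extensions, using m
 module Aoandon
 module DynamicRule
 module Less1024
-MESSAGE = "Port numbers < 1024"
+MESSAGE = "Port numbers < 1024".freeze
 PROTO_TCP = 6
 PROTO_UDP = 17
-WELL_KNOWN_PORTS = (0..1023)
+WELL_KNOWN_PORTS = (0..1023).freeze
 
 def self.control?(packet)
 (tcp?(packet) || (udp?(packet) && different_ports?(packet.sport, packet.dport))) &&
@@ -256,7 +256,7 @@ end
 module Aoandon
 module DynamicRule
 module MoreFragments
-MESSAGE = "More Fragment bit is set"
+MESSAGE = "More Fragment bit is set".freeze
 
 def self.control?(packet)
 packet.ip_mf?
@@ -275,8 +275,8 @@ end
 module Aoandon
 module DynamicRule
 module SameIp
-LOCALHOST = "127.0.0.1"
-MESSAGE = "Same IP"
+LOCALHOST = "127.0.0.1".freeze
+MESSAGE = "Same IP".freeze
 
 def self.control?(packet)
 packet.ip_src == packet.ip_dst && !loopback?(packet.ip_src)
@@ -302,7 +302,7 @@ module Aoandon
 module DynamicRule
 module SynFlood
 BUFFER = 20
-MESSAGE = "SYN flood attack"
+MESSAGE = "SYN flood attack".freeze
 PROTO_TCP = 6
 
 def self.control?(packet)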
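--- a/data/lib/aoandon.rb
+++ b/data/lib/aoandon.rb
@@ -1,5 +1,6 @@
 # frozen_string_literal: false
 
+require "bundler/setup"
 require "ipaddr"
 require "optparse"
 require "pcap"
@@ -11,6 +12,7 @@ require_relative "aoandon/analysis/semantic"
 require_relative "aoandon/analysis/syntax"
 require_relative "aoandon/log"
 require_relative "aoandon/static_rule"
+require_relative "aoandon/version"
 
 Dir["lib/aoandon/dynamic_rule/*.rb"].each do |src|
 load src
@@ -18,10 +20,10 @@ end
 
 module Aoandon
 class Nids
-CONF_PATH = "config/rules.yml"
+CONF_PATH = "config/rules.yml".freeze
 
 def initialize
-options =
+options = self.class.parse
 options[:file] = CONF_PATH unless options[:file]
 options[:interface] = Pcap.lookupdev unless options[:interface]
 puts "Starting Aoandon NIDS on interface #{options[:interface]}..."
@@ -48,7 +50,7 @@ module Aoandon
 options = {}
 
 OptionParser.new do |opts|
-opts.banner = "Usage: #{$
+opts.banner = "Usage: #{$PROGRAM_NAME} [options]"
 opts.on("-f", "--file <path>", "Load the rules contained in file <path>.") { |f| options[:file] = f }
 opts.on("-h", "--help", "Help.") { puts opts; exit }
 opts.on("-i", "--interface <if>", "Sniff on network interface <if>.") { |i| options[:interface] = i }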
@@ -26,22 +26,24 @@ module Aoandon
|
|
26
26
|
protected
|
27
27
|
|
28
28
|
def match?(packet, network_context)
|
29
|
-
network_context.update({ "af" => af2id(packet.ip_ver) }) unless network_context.
|
29
|
+
network_context.update({ "af" => af2id(packet.ip_ver) }) unless network_context.key?("af")
|
30
30
|
match_proto?(packet, network_context) if packet.ip_ver == af(network_context.fetch("af"))
|
31
31
|
end
|
32
32
|
|
33
33
|
def af2id(af)
|
34
|
-
|
34
|
+
case af
|
35
|
+
when 4
|
35
36
|
"inet"
|
36
|
-
|
37
|
+
when 6
|
37
38
|
"inet6"
|
38
39
|
end
|
39
40
|
end
|
40
41
|
|
41
42
|
def af(name)
|
42
|
-
|
43
|
+
case name.to_sym
|
44
|
+
when :inet
|
43
45
|
4
|
44
|
-
|
46
|
+
when :inet6
|
45
47
|
6
|
46
48
|
end
|
47
49
|
end
|
@@ -49,13 +51,14 @@ module Aoandon
|
|
49
51
|
def match_proto?(packet, network_context)
|
50
52
|
if network_context["proto"]
|
51
53
|
if packet.ip_proto == proto(network_context["proto"])
|
52
|
-
|
54
|
+
case packet.ip_proto
|
55
|
+
when 1
|
53
56
|
match_proto_icmp?(packet, network_context)
|
54
|
-
|
57
|
+
when 6
|
55
58
|
match_proto_tcp?(packet, network_context)
|
56
|
-
|
59
|
+
when 17
|
57
60
|
match_proto_udp?(packet, network_context)
|
58
|
-
|
61
|
+
when 58
|
59
62
|
match_proto_icmp6?(packet, network_context)
|
60
63
|
else
|
61
64
|
match_addr?(packet, network_context)
|
@@ -67,13 +70,14 @@ module Aoandon
|
|
67
70
|
end
|
68
71
|
|
69
72
|
def proto(name)
|
70
|
-
|
73
|
+
case name.to_sym
|
74
|
+
when :icmp
|
71
75
|
1
|
72
|
-
|
76
|
+
when :icmp6
|
73
77
|
58
|
74
|
-
|
78
|
+
when :tcp
|
75
79
|
6
|
76
|
-
|
80
|
+
when :udp
|
77
81
|
17
|
78
82
|
end
|
79
83
|
end
|
@@ -102,7 +106,7 @@ module Aoandon
|
|
102
106
|
result = true
|
103
107
|
|
104
108
|
[%w[from sport], %w[to dport]].each do |way, obj|
|
105
|
-
if network_context[way].
|
109
|
+
if network_context[way].key?("port")
|
106
110
|
result &&= refer2port?(packet.send(obj).to_i, network_context[way].fetch("port"))
|
107
111
|
end
|
108
112
|
end
|
@@ -129,23 +133,25 @@ module Aoandon
|
|
129
133
|
end
|
130
134
|
|
131
135
|
def refer2addr?(addr, pattern)
|
132
|
-
|
136
|
+
case pattern
|
137
|
+
when Array
|
133
138
|
pattern.include?(addr.to_num_s) || pattern.include?(addr.hostname)
|
134
|
-
|
135
|
-
pattern.
|
136
|
-
|
137
|
-
addr.to_num_s == pattern
|
139
|
+
when Hash
|
140
|
+
pattern.key?(addr.to_num_s) || pattern.key?(addr.hostname)
|
141
|
+
when String
|
142
|
+
addr.to_num_s == pattern || addr.hostname == pattern
|
138
143
|
else
|
139
144
|
false
|
140
145
|
end
|
141
146
|
end
|
142
147
|
|
143
148
|
def refer2port?(number, pattern)
|
144
|
-
|
149
|
+
case pattern
|
150
|
+
when Array
|
145
151
|
pattern.include?(number)
|
146
|
-
|
147
|
-
pattern.
|
148
|
-
|
152
|
+
when Hash
|
153
|
+
pattern.key?(number)
|
154
|
+
when Integer
|
149
155
|
number == pattern
|
150
156
|
else
|
151
157
|
false
|
@@ -6,7 +6,7 @@ module Aoandon
|
|
6
6
|
MESSAGE = "Port numbers < 1024"
|
7
7
|
PROTO_TCP = 6
|
8
8
|
PROTO_UDP = 17
|
9
|
-
WELL_KNOWN_PORTS = (0..1023)
|
9
|
+
WELL_KNOWN_PORTS = (0..1023).freeze
|
10
10
|
|
11
11
|
def self.control?(packet)
|
12
12
|
(tcp?(packet) || (udp?(packet) && different_ports?(packet.sport, packet.dport))) &&
|
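--- a/data/lib/aoandon/log.rb
+++ b/data/lib/aoandon/log.rb
@@ -2,16 +2,20 @@
 
 module Aoandon
 class Log
+LOCAL_PATH = "log/aoandon.yml"
+GLOBAL_PATH = "/var/log/aoandon.yml"
+
 def initialize(verbose = false)
-
-
-
-
-
+file_path = if File.exist?(LOCAL_PATH)
+LOCAL_PATH
+else
+GLOBAL_PATH
+end
 
+@file = ::File.open(file_path, "a")
 @verbose = verbose
 
-puts "Log file: #{File.expand_path(@file.path)}"
+puts "Log file: #{::File.expand_path(@file.path)}"
 end
 
 def message(*args)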
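--- a/data/lib/aoandon/static_rule.rb
+++ b/data/lib/aoandon/static_rule.rb
@@ -12,7 +12,7 @@ module Aoandon
 context["to"].update("addr" => "any") unless context["to"]["addr"]
 
 self.options ||= {}
-self.options.update("log" => false) unless self.options.
+self.options.update("log" => false) unless self.options.key?("log")
 end
 end
 end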
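--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aoandon
 version: !ruby/object:Gem::Version
-version: 0.0.
+version: 0.0.7
 platform: ruby
 authors:
 - Cyril Kato
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-05-
+date: 2021-05-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: ruby-pcap
@@ -152,6 +152,7 @@ files:
 - lib/aoandon/dynamic_rule/less1024.rb
 - lib/aoandon/log.rb
 - lib/aoandon/static_rule.rb
+- lib/aoandon/version.rb
 homepage: https://github.com/cyril/aoandon.rb
 licenses:
 - MIT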