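"""
Parse traffic to detect scanners based on connection to IPs that are rarely touched by others
"""

import dshell.core


class DshellPlugin(dshell.core.ConnectionPlugin):
    """Flag client IPs whose targets are rarely contacted by anyone else.

    Every connection is recorded in two directions: the set of server IPs
    each client talked to (``client_conns``) and the set of client IPs that
    contacted each server (``server_conns``).  Once the input has been
    processed, a client is reported when it reached at least ``mintargets``
    distinct servers and at least one of those servers was contacted by
    fewer than ``minhits`` distinct clients (its "S score").
    """

    def __init__(self):
        super().__init__(
            name='parse indegree',
            description='Parse traffic to detect scanners based on connection to IPs that are rarely touched by others',
            bpf='(tcp or udp)',
            author='dev195',
        )
        # client IP -> set of server IPs it connected to
        self.client_conns = {}
        # server IP -> set of client IPs that connected to it (its in-degree)
        self.server_conns = {}
        # A client is not reported when every server it touched has at least
        # this many distinct clients; previously hard-coded as ``S > 2``.
        self.minhits = 3
        # A client must contact at least this many distinct servers before it
        # is considered at all; a handful of targets is not a sweep.
        self.mintargets = 5

    def connection_handler(self, conn):
        """Record the client/server pair of *conn* in both lookup tables.

        Args:
            conn: connection object exposing ``clientip`` and ``serverip``.
        """
        self.client_conns.setdefault(conn.clientip, set()).add(conn.serverip)
        self.server_conns.setdefault(conn.serverip, set()).add(conn.clientip)

    def postfile(self):
        """Report clients that look like scanners after all input is read.

        The S score of a client is the smallest in-degree (number of distinct
        clients) among the servers it contacted.  A low score means the client
        reached a host that almost nobody else talks to, which is typical of
        address-space sweeps; a client is only reported when that score is
        below ``minhits`` and it touched at least ``mintargets`` servers.
        """
        for clientip, serverips in self.client_conns.items():
            target_count = len(serverips)
            # Every server in serverips was inserted into server_conns by
            # connection_handler together with this client, so the lookup
            # cannot miss and the set is non-empty whenever the client has a
            # record at all (min() would raise on an empty iterable).
            S = min(len(self.server_conns[serverip]) for serverip in serverips)
            if S >= self.minhits or target_count < self.mintargets:
                continue
            # TODO implement whitelist
            self.write("Scanning IP: {} / S score: {:.1f} / Number of records: {}".format(clientip, S, target_count))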