Inspiration

In the past, I have implemented firewall blacklisting using Fail2Ban, which is a tool that blocks IP addresses that are doing malicious activities such as multiple failed login attempts and other known malicious activities.

What it does

Currently, a CSV file is extracted from the packet capture and summarised from three perspectives: Source IP, Destination IP, and Source->Destination IP pair (the three ways things are connected). Each of these views is sorted by packet count, average time between packets, packet length, and packet-type count.

How I built it

I used Wireshark to analyze the pcapng files. After this, I extracted the data from Wireshark and imported it into Python, where I looped through the information and created summaries for each IP or IP pair.
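As an added example (not the project's own code), this is one way to build the per-Source, per-Destination and per-Source->Destination summaries described above from a Wireshark CSV export. It assumes the column names of Wireshark's default "Export Packet Dissections -> As CSV" output (No., Time, Source, Destination, Protocol, Length); the sample rows are constructed.

```python
# Added example: per-IP and per-IP-pair summaries from a Wireshark CSV export.
# Assumes Wireshark's default CSV columns (No., Time, Source, Destination,
# Protocol, Length). SAMPLE_CSV below is constructed, not a real capture.
import csv
import io
from collections import Counter, defaultdict

SAMPLE_CSV = """\
"No.","Time","Source","Destination","Protocol","Length"
"1","0.000000","10.0.0.5","192.168.1.168","TCP","74"
"2","0.000412","192.168.1.168","10.0.0.5","TCP","74"
"3","0.010000","10.0.0.5","192.168.1.168","BACnet-APDU","60"
"4","0.020000","10.0.0.5","192.168.1.168","BACnet-APDU","60"
"5","1.500000","10.0.0.9","192.168.1.168","ARP","42"
"""

def build_summaries(csv_text):
    """Return {"src": ..., "dst": ..., "pair": ...}; each maps a key (IP or
    "src->dst") to packet count, mean gap, mean length and protocol counts."""
    raw = {view: defaultdict(lambda: {"times": [], "lengths": [], "protocols": Counter()})
           for view in ("src", "dst", "pair")}
    for row in csv.DictReader(io.StringIO(csv_text)):
        keys = {"src": row["Source"], "dst": row["Destination"],
                "pair": "%s->%s" % (row["Source"], row["Destination"])}
        for view, key in keys.items():
            entry = raw[view][key]
            entry["times"].append(float(row["Time"]))
            entry["lengths"].append(int(row["Length"]))
            entry["protocols"][row["Protocol"]] += 1
    summaries = {}
    for view, table in raw.items():
        summaries[view] = {}
        for key, entry in table.items():
            times = sorted(entry["times"])
            gaps = [b - a for a, b in zip(times, times[1:])]
            summaries[view][key] = {
                "packets": len(times),
                # A single packet has no gap; report 0.0 instead of dividing by zero.
                "avg_gap": sum(gaps) / len(gaps) if gaps else 0.0,
                "avg_length": sum(entry["lengths"]) / float(len(entry["lengths"])),
                "protocols": dict(entry["protocols"]),
            }
    return summaries

def ranked(summaries, view, field="packets"):
    """Keys of one view sorted by a numeric field, busiest first."""
    return sorted(summaries[view], key=lambda k: summaries[view][k][field], reverse=True)
```

Calling `ranked(build_summaries(SAMPLE_CSV), "dst")` on the sample lists 192.168.1.168 first because it received four of the five packets.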

Challenges I ran into

I wasn't able to get to the machine learning piece of my blacklisting, which is a major part of what this tool is supposed to do. I think I have an idea of how I will build the model going forward.

Accomplishments that I'm proud of

The dictionary that was built is something that I'm happy with, as is converting those dictionary builders into usable snippets.

What I learned

Pcapng files are very large. Protecting networks has to happen not only at the system level, but also at the user and sensor levels. Plan to fail and have a contingency plan. Security tools should be open to analysis by a community. Obscurity != Security.

What's next for F2B_ML

  • Build the algorithm that detects the anomalies and determines whether an IP needs to be blacklisted.
  • Turn the current code into an API that can easily hook up to other tools and, hopefully, be fast enough to stream live.


Updates

Harrison Koll posted an update

#!/usr/bin/python2

import sys
import socket
import smtplib
import getpass
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Expected credentials (hard-coded in the original update).
defuser = 'user@gmail.com'
defpass = 'pass'

while True:
    # Keep prompting until both the username and the password match.
    go = True
    while go:
        go = False
        user = raw_input("Enter Username: ")
        if user != defuser:
            go = True
        passw = getpass.getpass("Enter Password: ")
        if passw != defpass:
            go = True

    # Notify the account owner that a login just happened.
    msg = MIMEMultipart()
    msg['From'] = user
    msg['To'] = user
    msg['Subject'] = 'LOGGED IN'
    msg.attach(MIMEText('YOU JUST LOGGED IN'))

    try:
        mailServer = smtplib.SMTP('smtp.gmail.com', 587)
        mailServer.ehlo()
        mailServer.starttls()
        mailServer.ehlo()
        mailServer.login(user, passw)
        mailServer.sendmail(user, user, msg.as_string())
        mailServer.close()
        break
    except (smtplib.SMTPException, socket.error) as e:
        # The original "goto 13" meant: go back to the login prompt and retry.
        sys.stderr.write("Mail notification failed: %s\n" % e)

# Listen on 47808/tcp and relay the first 524 bytes of each incoming
# connection to 192.168.1.168:47808.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((socket.gethostbyname(socket.gethostname()), 47808))
s.listen(1)

while True:
    conn, addr = s.accept()
    data = conn.recv(524)
    # A fresh outbound socket per connection: a TCP socket cannot be connect()ed twice.
    dest = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    dest.connect(('192.168.1.168', 47808))
    dest.sendall(data)
    dest.close()
    conn.close()
