In the past, I have implemented firewall blacklisting using Fail2Ban, a tool that blocks IP addresses engaged in malicious activity such as repeated failed login attempts and other known attack patterns.
What it does
Currently, a CSV file is extracted from the packet capture and summarized from three perspectives: source IP, destination IP, and source->destination IP pair, which are the three ways hosts in the capture are connected. Each of these summaries can be sorted by packet count, average time between packets, packet length, and packet type (protocol) count.
How I built it
I used Wireshark to analyze the pcapng files. After this, I extracted the data from Wireshark and imported it into Python, where I looped through the information and created summaries for each IP or IP pair.
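The summarization step described above, as an added example (this is illustration code written for this page, not the project's own F2B_ML code). It assumes the CSV has the column layout of Wireshark's default packet-list export (No., Time, Source, Destination, Protocol, Length, Info, with Time in seconds since capture start) and uses a few constructed rows in that layout; it builds the per-source, per-destination and per-pair dictionaries with packet count, mean inter-packet gap, mean length and protocol counts, then ranks the keys by any of those fields.

```python
import csv
import io
from collections import Counter, defaultdict
from statistics import mean

# Constructed sample rows in the column layout Wireshark writes with
# File > Export Packet Dissections > As CSV (assumption: default columns,
# Time shown as seconds since the start of the capture).
SAMPLE_CSV = """\
"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000000","10.0.0.5","10.0.0.1","TCP","74","52000 > 22 [SYN]"
"2","0.000120","10.0.0.1","10.0.0.5","TCP","74","22 > 52000 [SYN, ACK]"
"3","0.000300","10.0.0.5","10.0.0.1","TCP","66","52000 > 22 [ACK]"
"4","0.500000","10.0.0.5","10.0.0.1","SSH","130","Client: Protocol"
"5","1.000000","10.0.0.5","10.0.0.1","TCP","74","52001 > 22 [SYN]"
"6","2.000000","10.0.0.9","10.0.0.1","DNS","80","Standard query"
"""


def parse_wireshark_csv(text):
    """Yield (time, src, dst, protocol, length) tuples from a Wireshark CSV export."""
    for row in csv.DictReader(io.StringIO(text)):
        yield (float(row["Time"]), row["Source"], row["Destination"],
               row["Protocol"], int(row["Length"]))


def summarize(packets):
    """Group packets by source, destination and source->destination pair.

    Returns {"src": {...}, "dst": {...}, "pair": {...}}; each view maps a key
    to a summary with packet count, mean gap between consecutive packets,
    mean packet length and a Counter of protocols seen.
    """
    # per view: key -> list of (time, length, protocol)
    buckets = {"src": defaultdict(list),
               "dst": defaultdict(list),
               "pair": defaultdict(list)}
    for t, src, dst, proto, length in packets:
        rec = (t, length, proto)
        buckets["src"][src].append(rec)
        buckets["dst"][dst].append(rec)
        buckets["pair"][f"{src}->{dst}"].append(rec)

    views = {}
    for view, groups in buckets.items():
        summaries = {}
        for key, recs in groups.items():
            recs.sort()  # by time, so gaps are measured in capture order
            times = [r[0] for r in recs]
            gaps = [later - earlier for earlier, later in zip(times, times[1:])]
            summaries[key] = {
                "packets": len(recs),
                # a single packet has no inter-packet gap; keep that explicit
                "mean_gap": mean(gaps) if gaps else None,
                "mean_length": mean([r[1] for r in recs]),
                "protocols": Counter(r[2] for r in recs),
            }
        views[view] = summaries
    return views


def rank(view, field="packets"):
    """Return the keys of one view sorted by a numeric field, largest first.

    A missing gap (None) ranks as 0 so single-packet hosts sort last.
    """
    return sorted(view, key=lambda k: view[k][field] or 0, reverse=True)


if __name__ == "__main__":
    views = summarize(parse_wireshark_csv(SAMPLE_CSV))
    for name in ("src", "dst", "pair"):
        print(f"== by {name} ==")
        for key in rank(views[name]):
            print(key, views[name][key])
```

For large pcapng files the same columns can be produced without the GUI, for example with `tshark -r capture.pcapng -T fields -E header=y -E separator=, -e frame.time_relative -e ip.src -e ip.dst -e _ws.col.Protocol -e frame.len`; the header names then differ from the GUI export, so the keys used in `parse_wireshark_csv` would need to be mapped accordingly.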
Challenges I ran into
I wasn't able to get to the machine learning piece of my blacklisting, which is a major part of what this tool is supposed to do. I think I have an idea of how I will build the model going forward.
Accomplishments that I'm proud of
I'm happy with the dictionary that was built, and with converting those dictionary builders into usable snippets.
What I learned
Pcapng files are very large. Protecting networks has to happen not only at the system level, but also at the user and sensor levels. Plan to fail and have a contingency plan. Security tools should be open to analysis by a community: obscurity != security.
What's next for F2B_ML
- Build the algorithm that detects the anomalies and determines whether an IP needs to be blacklisted.
- Turn the current code into an API that can easily hook into other tools and, hopefully, be fast enough to process live traffic.