Skip to content

D4-project/analyzer-d4-isn

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits

src

src

 
 

.gitignore

.gitignore

 
 

README.md

README.md

 
 

install.sh

install.sh

 
 

launch.sh

launch.sh

 
 

local-redis.conf

local-redis.conf

 
 

Repository files navigation

analyzer-d4-isn

Analyzer D4 ISN is a D4 analyser to get stats and graphs on TCP SYN packets where IP_DST==ISN. Those packet are interesting because they are used by smart scanner to avoid keeping network connection state. This smart scan was first widely used by the Mirai botnet to scan for new potential targets.

Install

$ ./install.sh

The script will install those dependencies using apt:

  • python3
  • python3-redis
  • screen
  • redis-tools

The script will download and compile redis from GitHub in the ./redis directory and create the ./db directory to store the database dump.

The script will finally create the ./image directory to store created images graphs.

Launch

$ ./launch.sh

This script will first trigger the installation script to make sure everything is settled. Then, it will find the first available port to launch the local redis server, incrementing from port 6379. You can change this port at ./launch.sh line 34. After making sure redis is ready, the script will load the 2 python workers: pcap_to_csv and csv_to_stats.

The workers will automatically create stats inside the local redis database without creating plots or images.

Graphs

To get graph images, use the script ./src/stats_to_plot.py. This will create images for all interesting ports inside the ./images directory. You can change thresholds used to define interesting ports at ./src/config.py line 13.

To automatically create graphs everyday, you can create a cronjob with this script. Example for everyday at 3am:

0 3 * * * /usr/bin/python3 /PATH/TO/src/stats_to_plot.py

First launch

If your D4 server is in production for a long time and you create a new queue for this analyser, it start empty and you will not get past data. You then should wait 30 days to get 30-days stats in the database and get nice graphs. If you want to get stats about the past, you can manually add PCAP to the processing queue.

⚠️ A misuse of this tool can make PCAP files to be processed twice and create wrong stats!

This tool will effectively check that PCAP files already in the queue will NOT be added twice. Though it has no knownledge about PCAP files already poped from the queue. To avoid data duplication, it is advised to run this tool when your database is empty and workers are stopped. To empty your database, you need to stop the redis server (CTRL^C) and delete the ./db/dump.rdb file.

To add pcap files inside a folder (including in subfolders), run this command:

$ python3 ./src/add_files.py DIRECTORY

Then you can start the workers again with ./launch.sh.

About

D4 Analyser to get stats and graphs on TCP SYN packets where IP_DST==ISN

Resources

Readme
Activity
Custom properties

Stars

3 stars

Watchers

12 watching

Forks

1 fork
Report repository

Releases 1

v0.1of analyzer-d4-isn released Latest
Jul 28, 2020

Packages

No packages published

Languages