interface fix for detect_flood and getIP

lalithsuresh · Dec 16, 2010 · ce64929 · ce64929
1 parent 1292f5b
commit ce64929
Show file tree

Hide file tree

Showing 8 changed files with 15 additions and 235 deletions.
diff --git a/analysis.cc b/analysis.cc
@@ -169,7 +169,7 @@ void show_acpi_power_line(double rate, double cap, double capdelta, time_t ti)
 	else if (ti>120 && capdelta > 0.001)
 		sprintf(buffer, _("Power usage (5 minute ACPI estimate) : %5.1f W (%3.1f hours left)"), 3600*capdelta / ti, cap / (3600*capdelta/ti+0.01));
 
-	print(battery_power_window, 0, 0, "%s\n", buffer);	
+	//print(battery_power_window, 0, 0, "%s\n", buffer);	
 	wrefresh(battery_power_window);
 }
 
@@ -207,7 +207,7 @@ void show_pmu_power_line(unsigned sum_voltage_mV,
 			 _("no power usage estimate available") );
 
 	werase(battery_power_window);
-	print(battery_power_window, 0, 0, "%s\n", buffer);
+	//print(battery_power_window, 0, 0, "%s\n", buffer);
 	wrefresh(battery_power_window);
 }
 

diff --git a/attack_detection/detect_flood.sh b/attack_detection/detect_flood.sh
@@ -2,6 +2,7 @@
 
 cd attack_detection
 logfile="/var/log/batcop/detect_flood.log"
+interface=wlan0
 sudo touch $logfile
 
 #reading the subnet value from conf file
@@ -29,7 +30,7 @@ echo "var HOME_NET "$subnet > subnet.txt
 cat subnet.txt $snortrules > myrules_temp.conf
 
 # Starting snort in daemon mode and then sleeping for a few seconds
-sudo snort -d -l ./log -c myrules_temp.conf  -A fast -D
+sudo snort -d -l ./log -c myrules_temp.conf  -A fast -D -i $interface
 sleep $seconds 
 
 # Killing snort after sleeping for $seconds
@@ -38,7 +39,7 @@ sudo killall snort
 # Outputting the snort results
 if [ `cat log/alert | wc -l` -eq 0  ];
 then
-echo [`date +%s`]" Boring network, no attacks detected."
+echo [`date`]" Boring network, no attacks detected." | tee -a $logfile
 else
 #commented to fix uniq problem cat log/alert | awk '{print $4","$9","$11}' | sort | uniq > log/attacks_detected.txt
 #cat log/alert | awk '{print $4","substr($9,1,index($9,":")-1)","substr($11,1,index($11,":")-1)}' | sort | uniq > log/attacks_detected.txt
@@ -49,7 +50,7 @@ cat log/alert | awk '{print $4","$9","$11}' | awk -F',' '{
         else
           print $1","$2","$3
 }' | sort | uniq > log/attacks_detected.txt
-sudo cat log/attacks_detected.txt | awk '{print d,$0}' "d=$(date +%s)" >> $logfile
+sudo cat log/attacks_detected.txt | awk '{print d,$0}' "d=$(date)" | tee -a $logfile
 # Taking actions on the attacks if configured in recovery.conf 
 attacks=`cat log/attacks_detected.txt`
 for attack in $attacks
@@ -60,12 +61,12 @@ attack_src=`echo $attack | awk -F',' '{print $2}' | awk -F':' '{print $1}'`
 attack_dst=`echo $attack | awk -F',' '{print $3}' | awk -F':' '{print $1}'`
 if [ "$attack_src" != `./getIP.sh` ];
 then
-sudo echo `date +%s`" "$attack_type" detected from "$attack_src >> $logfile
+sudo echo `date +%s`" "$attack_type" detected from "$attack_src | tee -a $logfile
 
 	list_of_scripts=`cat $recovery_scripts_file | grep $attack_type | awk '{print $2}'`
         for script in $list_of_scripts
                do
-               sudo ./$script $attack_src >> $logfile
+               sudo ./$script $attack_src | tee -a $logfile
                done
 fi
 done

diff --git a/attack_detection/getIP.sh b/attack_detection/getIP.sh
@@ -9,9 +9,10 @@
 # -------------------------------------------------------------------------
 # Get OS name
 OS=`uname`
+interface=wlan0
 IO="" # store IP
 case $OS in
-   Linux) IP=`ifconfig  | grep 'inet addr:'| grep -v '127.0.0.1' | cut -d: -f2 | awk '{ print $1}'`;;
+   Linux) IP=`ifconfig $interface | grep 'inet addr:'| grep -v '127.0.0.1' | cut -d: -f2 | awk '{ print $1}'`;;
    FreeBSD|OpenBSD) IP=`ifconfig  | grep -E 'inet.[0-9]' | grep -v '127.0.0.1' | awk '{ print $2}'` ;;
    SunOS) IP=`ifconfig -a | grep inet | grep -v '127.0.0.1' | awk '{ print $2} '` ;;
    *) IP="Unknown";;

diff --git a/attack_detection/log/alert b/attack_detection/log/alert
diff --git a/attack_detection/log/attacks_detected.txt b/attack_detection/log/attacks_detected.txt
@@ -1 +1,2 @@
-Abnormal_TCP_Upload,192.168.1.91,192.168.1.254
+Abnormal_TCP_Upload,192.168.2.110,192.168.2.113
+Abnormal_TCP_Upload,192.168.2.113,192.168.2.110
diff --git a/conf/myrules.conf b/conf/myrules.conf
@@ -4,5 +4,5 @@
 alert icmp any any -> $HOME_NET any (msg:"ICMP_flood"; itype:8; threshold: type threshold, track by_dst, count 50, seconds 5; sid:477000; rev:3;)
 
 #This rules will alert if an abonormal number of TCP packets are being uploaded   
-alert tcp $HOME_NET any -> any any (msg:"Abnormal_TCP_Upload"; flow: stateless; threshold: type threshold, track by_src, count 50, seconds 5; sid:477001; rev:3;)
+alert tcp $HOME_NET any -> any any (msg:"Abnormal_TCP_Upload"; flow: stateless; threshold: type threshold, track by_src, count 5, seconds 5; sid:477001; rev:3;)
 
diff --git a/conf/subnetCIDR.conf b/conf/subnetCIDR.conf
@@ -1 +1 @@
-192.168.1.0/24
+192.168.2.0/24
diff --git a/conf/temp.conf b/conf/temp.conf
@@ -1,2 +1,3 @@
 attack_detection/blah.sh PS/2 keyboard/mouse/touchpad interrupt
 attack_detection/lolz.sh PS/2 keyboard/mouse/touchpad interrupt
+attack_detection/detect_flood.sh [iwlagn] <interrupt>