
change the attacker direction of HTTP traffic, C&C channel, and conn …
…to blacklisted IPs detections
AlyaGomaa committed Dec 16, 2023
1 parent 8953556 commit 2444830
Showing 3 changed files with 8 additions and 6 deletions.
2 changes: 1 addition & 1 deletion modules/http_analyzer/http_analyzer.py
Expand Up @@ -421,7 +421,7 @@ def set_evidence_http_traffic(self, daddr, profileid, twid, uid, timestamp):
source_target_tag = 'SendingUnencryptedData'
category = 'Anomaly.Traffic'
evidence_type = 'HTTPtraffic'
attacker_direction = 'dstip'
attacker_direction = 'srcip'
attacker = daddr
saddr = profileid.split('_')[-1]
description = f'Unencrypted HTTP traffic from {saddr} to {daddr}.'
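Review bot: The line `attacker_direction = 'srcip'` now disagrees with `attacker = daddr` two lines below, which still holds the destination address, while the source address `saddr` is only derived afterwards for the description; if `attacker_direction` names which endpoint `attacker` refers to, this evidence is labelled as source-direction but carries the destination IP. If the intent is instead to file the evidence under the source profile regardless of which IP is stored in `attacker`, a comment stating that would stop the next reader from reverting it, e.g. `# 'srcip' files the evidence under the source profile; attacker stays the contacted server`. The same direction/attacker pairing appears in rnn_cc_detection.py's set_evidence (`attacker = dstip`) and in threat_intelligence.py's set_evidence_malicious_asn, so whichever reading is correct should be applied consistently in all three. This page does not mark which of the 'dstip'/'srcip' lines is the new side; I am assuming 'srcip' is the addition, consistent with the unpaired `attacker_direction = 'srcip'` lines added in set_evidence_malicious_ip. set_evidence_http_traffic's body starts and ends outside the hunk.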
2 changes: 1 addition & 1 deletion modules/rnn_cc_detection/rnn_cc_detection.py
Expand Up @@ -42,7 +42,7 @@ def set_evidence(

tupleid = tupleid.split('-')
dstip, port, proto = tupleid[0], tupleid[1], tupleid[2]
attacker_direction = 'dstip'
attacker_direction = 'srcip'
attacker = dstip
source_target_tag = 'Botnet'
evidence_type = 'Command-and-Control-channels-detection'
10 changes: 6 additions & 4 deletions modules/threat_intelligence/threat_intelligence.py
Expand Up @@ -106,7 +106,7 @@ def set_evidence_malicious_asn(
"""
:param asn_info: the malicious asn info taken from own_malicious_iocs.csv
"""
attacker_direction = 'dstip'
attacker_direction = 'srcip'
category = 'Anomaly.Traffic'
evidence_type = 'ThreatIntelligenceBlacklistedASN'
confidence = 0.8
Expand Down Expand Up @@ -161,16 +161,18 @@ def set_evidence_malicious_ip(

confidence = 1
category = 'Anomaly.Traffic'
if 'src' in attacker_direction:
if 'src' in ip_state:
direction = 'from'
opposite_dir = 'to'
victim = daddr
elif 'dst' in attacker_direction:
attacker_direction = 'srcip'
elif 'dst' in ip_state:
direction = 'to'
opposite_dir = 'from'
victim = profileid.split("_")[-1]
attacker_direction = 'srcip'
else:
# attacker_dir is not specified?
# ip_state is not specified?
return


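Review bot: In the second hunk of set_evidence_malicious_ip, `attacker_direction = 'srcip'` is assigned identically in both the `'src'` and `'dst'` branches of the new `ip_state` check, so it belongs on a single line above the `if` (right after `category = 'Anomaly.Traffic'`), leaving the branches to compute only `direction`, `opposite_dir` and `victim`. More importantly, the `'dst'` branch makes the profile's own IP the victim, i.e. the contacted blacklisted IP is the attacker, yet the direction is still reported as `'srcip'`; if the direction field describes which side `attacker` is on, that branch should keep `'dstip'`, and if it instead selects the profile the evidence is filed under, say so with `# always file under the source profile; victim/direction describe the flow side`. The substring tests `'src' in ip_state` / `'dst' in ip_state` accept any string containing those letters; if `ip_state` takes a closed set of values, an equality comparison would be stricter and would leave the silent `return` in the `else` branch for genuinely unknown states only. The function signature is above this hunk, so I cannot see whether `ip_state` is a parameter, or whether `attacker_direction` is still one whose caller-supplied value is now overwritten.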
