Improve artifact.port.open, fix artifact.mss

code/Attack/PortscanAttack.py

@@ -39,7 +39,8 @@ class PortscanAttack(BaseAttack.BaseAttack):
                 shuffle(temp_array[count])
                 port_dst_shuffled += temp_array[count]
         else: # used for port.open
-            port_dst_shuffled = shuffle(ports_dst)
+            shuffle(ports_dst)
+            port_dst_shuffled = ports_dst
         return port_dst_shuffled
 
 
@@ -165,13 +166,19 @@ class PortscanAttack(BaseAttack.BaseAttack):
         ports_open = self.get_param_value(Param.PORT_OPEN)
         if ports_open == [1,11,111,1111]:  # user did not define open ports
             # the ports that were already used by ip.dst (direction in) in the background traffic are open ports
-            ports_used_by_ip_dst = self.statistics.process_db_query(
-                "SELECT portNumber FROM ip_ports WHERE portDirection='in' AND ipAddress='" + ip_destination + "';")
+            ports_used_by_ip_dst = None #self.statistics.process_db_query(
+                #"SELECT portNumber FROM ip_ports WHERE portDirection='in' AND ipAddress='" + ip_destination + "'")
             if ports_used_by_ip_dst:
                 ports_open = ports_used_by_ip_dst
+                print("\nPorts used by %s: %s" % (ip_destination, ports_open))
             else: # if no ports were retrieved from database
-                ports_open = self.get_ports_from_nmap_service_dst(randint(0,10))
-            #print("\nPorts used by %s: %s" % (ip_destination, ports_open))
+            # Take open ports from nmap-service file
+                #ports_temp = self.get_ports_from_nmap_service_dst(100)
+                #ports_open = ports_temp[0:randint(1,10)]
+            # OR take open ports from the most used ports in traffic statistics
+                ports_open = self.statistics.process_db_query(
+                    "SELECT portNumber FROM ip_ports GROUP BY portNumber ORDER BY COUNT(*) DESC LIMIT "+str(randint(1,10)))
+                print("\nPorts retrieved from statistics: %s" % (ports_open))
         # in case of one open port, convert ports_open to array
         if not isinstance(ports_open, list):
             ports_open = [ports_open]
@@ -180,9 +187,13 @@ class PortscanAttack(BaseAttack.BaseAttack):
 
         # MSS (Maximum Segment Size) for Ethernet. Allowed values [536,1500]
         # Aidmar
+        mss_dst = self.statistics.get_most_used_mss(ip_destination)
+        if mss_dst is None:
+            mss_dst = self.statistics.process_db_query("most_used(mssValue)")
+        mss_src = self.statistics.get_most_used_mss(ip_source)
+        if mss_src is None:
+            mss_src = self.statistics.process_db_query("most_used(mssValue)")
         # mss = self.statistics.get_mss(ip_destination)
-        mss_dst = self.statistics.get_mss(ip_destination)
-        mss_src = self.statistics.get_mss(ip_source)
         # =========================================================================================================
 
         # Set TTL based on TTL distribution of IP address
@@ -204,10 +215,7 @@ class PortscanAttack(BaseAttack.BaseAttack):
             request_ip = IP(src=ip_source, dst=ip_destination, ttl=ttl_value)
             # Aidmar - random src port for each packet
             sport = randint(1, 65535)
-            if mss_src is None:
-                request_tcp = TCP(sport=sport, dport=dport, flags='S')
-            else:
-                request_tcp = TCP(sport=sport, dport=dport, flags='S', options=[('MSS', mss_src)])
+            request_tcp = TCP(sport=sport, dport=dport, flags='S', options=[('MSS', mss_src)])
             # =========================================================================================================
 
             request = (request_ether / request_ip / request_tcp)
@@ -221,10 +229,10 @@ class PortscanAttack(BaseAttack.BaseAttack):
             if dport in ports_open:  # destination port is OPEN
                 reply_ether = Ether(src=mac_destination, dst=mac_source)
                 reply_ip = IP(src=ip_destination, dst=ip_source, flags='DF')
-                if mss_dst is None:
-                    reply_tcp = TCP(sport=dport, dport=sport, seq=0, ack=1, flags='SA', window=29200)
-                else:
-                    reply_tcp = TCP(sport=dport, dport=sport, seq=0, ack=1, flags='SA', window=29200,
+                #if mss_dst is None:
+                #   reply_tcp = TCP(sport=dport, dport=sport, seq=0, ack=1, flags='SA', window=29200)
+                #else:
+                reply_tcp = TCP(sport=dport, dport=sport, seq=0, ack=1, flags='SA', window=29200,
                                     options=[('MSS', mss_dst)])
                 reply = (reply_ether / reply_ip / reply_tcp)
                 timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps, maxdelay)

code/ID2TLib/Statistics.py

@@ -242,7 +242,6 @@ class Statistics:
 
     def get_mss(self, ipAddress: str):
         """
-
         :param ipAddress: The IP address whose used MSS should be determined
         :return: The TCP MSS value used by the IP address, or if the IP addresses never specified a MSS,
         then None is returned
@@ -253,6 +252,20 @@ class Statistics:
         else:
             return None
 
+    # Aidmar
+    def get_most_used_mss(self, ipAddress: str):
+        """
+        :param ipAddress: The IP address whose used MSS should be determined
+        :return: The TCP MSS value used by the IP address, or if the IP addresses never specified a MSS,
+        then None is returned
+        """
+        mss_value = self.process_db_query('SELECT mssValue from tcp_mss_dist WHERE ipAddress="' + ipAddress + '" ORDER BY mssCount DESC LIMIT 1')
+        if isinstance(mss_value, int):
+            return mss_value
+        else:
+            return None
+
+
     def get_statistics_database(self):
         """
         :return: A reference to the statistics database object

code/ID2TLib/StatsDatabase.py

@@ -174,6 +174,8 @@ class StatsDatabase:
             "most_used.portnumber": "SELECT portNumber, COUNT(portNumber) as cntPort FROM ip_ports GROUP BY portNumber HAVING cntPort=(SELECT MAX(cntPort) from (SELECT portNumber, COUNT(portNumber) as cntPort FROM ip_ports GROUP BY portNumber))",
             "most_used.protocolname": "SELECT protocolName, COUNT(protocolCount) as countProtocols FROM ip_protocols GROUP BY protocolName HAVING countProtocols=(SELECT COUNT(protocolCount) as cnt FROM ip_protocols GROUP BY protocolName ORDER BY cnt DESC LIMIT 1)",
             "most_used.ttlvalue": "SELECT ttlValue FROM ip_ttl WHERE ttlCount == (SELECT MAX(ttlCount) FROM ip_ttl)",
+            # Aidmar
+            "most_used.mssvalue": "SELECT mssValue FROM tcp_mss_dist WHERE mssCount == (SELECT MAX(mssCount) FROM tcp_mss_dist)",
             "least_used.ipaddress": "SELECT ipAddress FROM ip_statistics WHERE (pktsSent+pktsReceived) == (SELECT MIN(pktsSent+pktsReceived) from ip_statistics)",
             "least_used.macaddress": "SELECT * FROM (SELECT macAddress, COUNT(*) as occ from ip_mac GROUP BY macAddress ORDER BY occ ASC) WHERE occ=(SELECT COUNT(*) as occ from ip_mac GROUP BY macAddress ORDER BY occ ASC LIMIT 1)",
             "least_used.portnumber": "SELECT portNumber, COUNT(portNumber) as cntPort FROM ip_ports GROUP BY portNumber HAVING cntPort=(SELECT MIN(cntPort) from (SELECT portNumber, COUNT(portNumber) as cntPort FROM ip_ports GROUP BY portNumber))",