stratosphereips / ludus Goto Github PK

Apply Machine Learning and Game Theory to improve the security of the Turris network of CZ.NIC

License: GNU General Public License v3.0

Python 100.00%

ludus's Introduction

Stratosphere Windows IPS

Stratosphere Windows IPS is the Microsoft version of the Stratosphere IPS project. The tool runs in the same way as the Stratosphere Linux IPS, but using windows libraries. This tool is provided for being used by personal users in their computers. The tool can provide a reliable detection of malicious connections based on the download models. Please note that this tool is still Beta. See the oficial web page of the Stratosphere Project

How to Use it

There are three ways of using the Stratosphere Windows IPS. By giving the binetflow file as parameter, by reading the binetflow file from Stdin, or by reading the flows from an Argus tool by Stdin. If you want to analyze your own traffic to make detections, you need to install an Argus program in some computer that has access to the traffic. The Argus program can run under the same Windows computer (see [Installation of Argus under Windows](#installation of argus under windows)) or can be run in any other computer. If the Argus server is running in other computer, you still need to have the ra program (from Argus client tools) running in the Windows computer with Stratosphere Windows IPS.

Running it by giving the binetflows file as parameter:

To give the binetflow file as a parameter, just put the name of the file after the StratosphereWatcher program

    python your_path\StratosphereWatcher.py test7.binetflow

The test7.binetflow file is provided as an example. The StratosphereWatcher.py program will first download some necessary files from the Internet and then it will run the detection on the binetflow file. See the following sections to know exactly what StratosphereWatcher.py is doing.

Running it by reading the flows from Stdin

This method can be used to read the flows using Stdin from a file or to read the flows from a ra program (Argus client suite).

From a file

To read the flows from a file do

cat test7.binetflow | python StratosphereFlow.py

Note that we are using now StratosphereFlow.py directly. This is because the StratosphereWatcher takes care of the download of models and that the service is running continually. In this case, StratosphereFlow.py read the flows directly without any update. To be able to use this way of reading a file from Stdin, Stratosphere still needs to create its configuration file, that is way at first is better to run it at least once with the file as a parameter.

From an Argus installation

If you have Argus running in Windows you can start the Argus server in your network like this

argus -i <name of your windows network device>

And then you can run Startosphere like this

ra -n -Z b -S localhost | python StratosphereFlow.py

In case the Argus program is running in other computer, you can connect to it and analyze the flows in your Windows like this

ra -n -Z b -S remote-host:remote-port | python StratosphereFlow.py

Configuration

Stratosphere Windows IPS uses a configuration file to tune its behavior. This file is automatically created when you run StratosphereWatcher.py. After the configuration file is created, you can manually edit it and the program will notice and honor the changes.

What each files does in Stratosphere Windows IPS

StratosphereWatcher.py

Downloads updates, models files and modules files.
Creating the main detection process
In the future it should start windows service.

StratosphereFlow.py

It can read flows from Stdin.
It decides when the time window of the detection starts and ends.
It stores the flows in a queue.
It manages the tuple objects.

StratosphereTuple.py

It creates the tuple objects.
It computes the state of the current tuple.

StratosphereDetector.py

It calls the modules for detecting.
The modules are downloaded from the Internet and may be updated.

StratosphereConfig.py

It creates the config file with implicit settings if there is no config file.

StratosphereOutput.py

For printing a logging.

Installation of Argus under Windows

Coming soon.

TODO

Create install app.
Windows service

ludus's People

Stargazers

Watchers

Forkers

ondrej-lukas oksbsb rubiruchi ja-pa 4n6strider threatintel-c euphorbiacz awesome-security glen61y141 erdoukki sheikhmohamadarsalan dekoder 5l1v3r1

ludus's Issues

Ludus error while running on TurrisOS v4.x

Hi,
I tried to run Ludus on my Turris Omnia router (Turris OS v 4.x) but after while I get an error message (see below). I'm able to reproduce this issue quite reliably now.

I'm not sure what caused the error. I didn't use any special configuration for Suricata so maybe that caused the error. If you have any sample configuration I could try that.

my config file for Ludus /etc/ludus/ludus.config

[strategy]
filename=/usr/share/ludus/Strategizer/strategies/2017-07-18-defenseStrategyWith2HP-v1
[suricata]
allow=True
[output]
filename=/tmp/ludus_output.json
[settings]
router_ip = "192.168.1.1"
timeout=60

Error message:

Suricata is required for running Ludus. Starting Suricata with interface {} and default configuration.
Suricata is running
Ludus started on 2019-04-18 17:14:35.974898

Process Counter-1:1:
Traceback (most recent call last):
  File "/process.py", line 258, in _bootstrap
  File "/usr/share/ludus/Volumeter/volumeter.py", line 231, in run
    self.process_event(line)
  File "/usr/share/ludus/Volumeter/volumeter.py", line 134, in process_event
    dport = int(parts[8].strip("dport="))
ValueError: invalid literal for int() with base 10: 'src=147.229.xxx.xxx'
-------start: 2019-04-18 17:14:36.138427-------

cc @ondrej-lukas

subprocess command sanitization

I would recommend proper argument sanitization for https://github.com/stratosphereips/Ludus/blob/master/ludus.py#L89 and https://github.com/stratosphereips/Ludus/blob/master/ludus.py#L86
It looks like code with potential command injection vulnerability.

500 Internal Server Error (TurrisOS 3.11.6)

Login into dashboard is possible and load of the CPUs is not too high – around 0.10 to 0.20
This is the message I get after logging into dashboard:

Internal Server Error
The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.

Running jobs are:
751 root 201m S {ludus.fcgi} /usr/bin/python3 /usr/share/ludus-gui/ludus.fcgi
32357 root 46816 S {ludus.py} /usr/bin/python3 /usr/share/ludus/ludus.py -c /etc/ludus/ludus.config --pidfile /var/run/ludus
32363 root 219m S {Suricata-Main} suricata -i eth1 -c /etc/ludus/suricata_for_ludus.yaml -l /var/log/ludus

/var/log/ludus/fast.log shows the service is still running and collecting data.
/etc/init.d/ludus restart makes access to dashboard work again for some minutes. After a reboot of the router access to dashboard works for about 18 hours.

I am currently on Turris Omnia 1GB with TurrisOS 3.11.6 with
ludus_0.8-3_mvebu.ipkand ludus-gui_0.1-3_mvebu.ipk installed.

sincere greetings from Vienna,

KreMic

Turris firewall port forwarding

When is in firewall rule with port range 9911-9912, ludus can't start because of parsing of range fail with parse integer error

2019-11-23 09:45:15 err ludus.py[24255]: Traceback (most recent call last): 2019-11-23 09:45:15 err ludus.py[24255]: File "/usr/share/ludus/ludus.py", line 369, in <module> 2019-11-23 09:45:15 err ludus.py[24255]: ludus.start() 2019-11-23 09:45:15 err ludus.py[24255]: File "/usr/share/ludus/ludus.py", line 330, in start 2019-11-23 09:45:15 err ludus.py[24255]: (self.production_ports, self.active_honeypots)=get_ports_information() 2019-11-23 09:45:15 err ludus.py[24255]: File "/usr/share/ludus/ludus.py", line 127, in get_ports_information 2019-11-23 09:45:15 err ludus.py[24255]: data = IPTablesAnalyzer.iptables_analyzer.get_output() 2019-11-23 09:45:15 err ludus.py[24255]: File "/usr/share/ludus/IPTablesAnalyzer/iptables_analyzer.py", line 193, in get_output 2019-11-23 09:45:15 err ludus.py[24255]: output[protocol, int(port)] = 'production' 2019-11-23 09:45:15 err ludus.py[24255]: ValueError: invalid literal for int() with base 10: 'dpts:9981:9982'

[feature request] suricata interface as command line option

It would be nice if the interface for Suricata was passed as ludus.py command line option since the wan interface has different eth numbers on different systems. (Turris 1.x, Turris Omnia, Turris Mox, etc. )
see
https://github.com/stratosphereips/Ludus/blob/master/ludus.py#L331