我正在尝试根据观看的视频实现一个基本的防火墙,但nimda蠕虫检测不工作,原因不明?
好的,让我先从视频开始说起:https://youtu.be/wReXqe8AFUM?si=%5C_Lm-5DwvffglCYLL
我的设置
- 1个Oracle虚拟机,运行Kali Linux,网络设置除了桥接适配器外都是正常的
- IP地址:192.168.0.24
- 这个虚拟机里运行着我的firewall.py,使用Visual Studio Code在一个虚拟环境中
- 1个Oracle虚拟机,运行Kali Linux,网络设置除了桥接适配器外都是正常的
- IP地址:192.168.0.80
- 这个虚拟机里运行着我的nimda_attack.py,使用Code - OSS
firewall.py的代码
import os
import sys
import time
from collections import defaultdict
from scapy.all import sniff, IP, TCP
THRESHOLD = 40
print(f"THRESHOLD: {THRESHOLD}")
# Read IPs from a file
def read_ip_file(filename):
with open(filename, "r") as file:
ips = [line.strip() for line in file]
return set(ips)
# Check for Nimda worm signature
def is_nimda_worm(packet):
if packet.haslayer(TCP) and packet[TCP].dport == 80:
payload = packet[TCP].payload
return "GET /scripts/root.exe" in str(payload)
return False
# Log events to a file
def log_event(message):
log_folder = "logs"
os.makedirs(log_folder, exist_ok=True)
timestamp = time.strftime("%Y-%m-%d_%H-%M-%S", time.localtime())
log_file = os.path.join(log_folder, f"log_{timestamp}.txt")
with open(log_file, "a") as file:
file.write(f"{message}\n")
def packet_callback(packet):
src_ip = packet[IP].src
# Check if IP is in the whitelist
if src_ip in whitelist_ips:
return
# Check if IP is in the blacklist
if src_ip in blacklist_ips:
os.system(f"iptables -A INPUT -s {src_ip} -j DROP")
log_event(f"Blocking blacklisted IP: {src_ip}")
return
# Check for Nimda worm signature
if is_nimda_worm(packet):
print(f"Blocking Nimda source IP: {src_ip}")
os.system(f"iptables -A INPUT -s {src_ip} -j DROP")
log_event(f"Blocking Nimda source IP: {src_ip}")
return
packet_count[src_ip] += 1
current_time = time.time()
time_interval = current_time - start_time[0]
if time_interval >= 1:
for ip, count in packet_count.items():
packet_rate = count / time_interval
if packet_rate > THRESHOLD and ip not in blocked_ips:
print(f"Blocking IP: {ip}, packet rate: {packet_rate}")
os.system(f"iptables -A INPUT -s {ip} -j DROP")
log_event(f"Blocking IP: {ip}, packet rate: {packet_rate}")
blocked_ips.add(ip)
packet_count.clear()
start_time[0] = current_time
if __name__ == "__main__":
if os.geteuid() != 0:
print("This script requires root privileges.")
sys.exit(1)
# Import whitelist and blacklist IPs
whitelist_ips = read_ip_file("whitelist.txt")
blacklist_ips = read_ip_file("blacklist.txt")
packet_count = defaultdict(int)
start_time = [time.time()]
blocked_ips = set()
print("Monitoring network traffic...")
sniff(filter="ip", prn=packet_callback)
nimda_attack.py的代码
from scapy.all import IP, TCP, Raw, send
def send_nimda_packet(target_ip, target_port=80, source_ip="192.168.0.80", source_port=12345):
try:
packet = (
IP(src=source_ip, dst=target_ip)
/ TCP(sport=source_port, dport=target_port)
/ Raw(load="GET /scripts/root.exe HTTP/1.0\r\nHost: example.com\r\n\r\n")
)
send(packet, verbose=True) # Set verbose=True to enable verbose output
except Exception as e:
print("An error occurred:", e)
if __name__ == "__main__":
target_ip = "192.168.0.24" # Replace with the IP address of the target machine
send_nimda_packet(target_ip)
视频中的那位朋友的代码似乎运行得很好,但不知道为什么在我的设置上却不行。我尝试把阈值调到1,改为嗅探TCP而不是IP来捕捉nimda蠕虫的数据包,但还是不行。我用sudo运行了脚本,并且在和firewall代码同一个文件夹里有whitelist.txt和blacklist.txt。如果我漏掉了什么或者在实现上犯了错误,请告诉我该怎么修正,我是一个正在学习的初学者。谢谢你阅读这些内容,祝你有美好的一天!
0 个回答
暂无回答