基于Linux的ARP攻击检测软件功能及Python实现
基于Linux的ARP攻击检测软件功能及Python实现
本文将介绍基于Linux的ARP攻击检测软件需要具备的功能以及如何使用Python实现这些功能。
功能需求
基于Linux的ARP攻击检测软件需要具备以下功能:
- 捕获ARP数据包并过滤其他数据包。
- 分析ARP包,识别正常主机和疑似异常主机。
- 标记异常主机的IP地址为红色。
- 检测同一IP地址对应多个MAC地址。
- 检测多个IP地址对应同一个MAC地址。
- 检测同一发送方发出大量ARP请求或响应包(示例实现中每轮抓包以 5 个为阈值,超过即告警;计数器只在每轮开始时清零,因此超阈值后的每个包都会再次告警)。
- 检测ARP包中声明的发送方MAC地址(ARP 层 hwsrc)与承载该包的以太网帧源MAC地址不匹配——这是伪造ARP包的典型特征。
- 输出遭受ARP攻击的信息。
- 输出未遭受ARP攻击的信息。
- 将所有信息保存在日志中。
Python实现(依赖 scapy;抓包和主动扫描都需要 root 或 CAP_NET_RAW 权限,且主动扫描本身会向整个网段广播ARP请求,在被监控的网络上是可见的)
import scapy.all as scapy
import logging
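# Every finding is appended to this file with a timestamp; the detectors
# below also echo the same message to stdout.
logging.basicConfig(
    filename='arp_attack.log',
    level=logging.INFO,
    format='%(asctime)s %(message)s',
)

# Per-sender packet counters used by arp_spoof_detect() and cleared by
# arp_attack_detect() at the start of every sniffing round.  They are
# referenced but not defined anywhere in the visible part of the listing;
# without a definition the first captured ARP packet raises NameError.
arp_requests = {}  # ARP sender IP -> number of requests seen this round
arp_replies = {}   # ARP sender IP -> number of replies seen this round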
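def arp_spoof_detect(packet, *, threshold=5):
    """Inspect one captured ARP packet and report signs of ARP spoofing.

    Intended as the ``prn`` callback of ``scapy.sniff``; ``threshold`` is
    keyword-only so the one-argument callback contract is unchanged.

    Checks, in order:

    1. Sender-MAC consistency: the sender hardware address carried inside
       the ARP payload (``hwsrc``) must equal the source MAC of the Ethernet
       frame that delivered it.  A forged packet claiming another host's
       MAC typically fails this check.  (The original compared ``hwsrc``
       with ``psrc_mac``, which is not a field of scapy's ARP layer, so
       every reply raised AttributeError instead of being checked.)
    2. Rate: requests and replies are counted per ARP sender IP in the
       module-level ``arp_requests`` / ``arp_replies`` dicts.  Once a sender
       exceeds ``threshold`` packets of one kind it is reported -- and
       reported again on every further packet, because the counters are
       only reset by the caller (see arp_attack_detect).

    Every finding is written to the log and echoed to stdout.  Values taken
    from the packet are passed to logging as arguments, never spliced into
    the format string.

    Args:
        packet: a scapy packet; anything without an ARP layer is ignored.
        threshold: per-sender packet count above which a flood is reported.

    Returns:
        True if the packet was flagged, False otherwise.
    """
    if not packet.haslayer(scapy.ARP):
        return False
    arp = packet[scapy.ARP]
    sender_ip = arp.psrc

    if arp.op == 1:      # who-has
        kind, plural, counters = 'request', 'requests', arp_requests
    elif arp.op == 2:    # is-at
        kind, plural, counters = 'reply', 'replies', arp_replies
    else:                # RARP / InARP opcodes are not rate-tracked
        kind, plural, counters = 'packet', None, None

    # Only frames captured off the wire carry an Ethernet header to compare.
    if packet.haslayer(scapy.Ether) and packet[scapy.Ether].src != arp.hwsrc:
        logging.warning('ARP attack detected: MAC address mismatch in ARP %s from %s',
                        kind, sender_ip)
        print('ARP attack detected: MAC address mismatch in ARP %s from %s'
              % (kind, sender_ip))
        return True

    if counters is None:
        return False

    counters[sender_ip] = counters.get(sender_ip, 0) + 1
    if counters[sender_ip] > threshold:
        logging.warning('ARP attack detected: too many ARP %s from %s', plural, sender_ip)
        print('ARP attack detected: too many ARP %s from %s' % (plural, sender_ip))
        return True
    return False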
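def arp_scan(ip, *, timeout=1):
    """Actively probe ``ip`` (a host or CIDR range) with broadcast ARP requests.

    One who-has request per address is sent to ff:ff:ff:ff:ff:ff and the
    sender fields of every reply received within ``timeout`` seconds are
    collected.  Raw-socket access (root / CAP_NET_RAW) is required, and the
    scan is visible on the segment as a burst of broadcast ARP traffic.

    Args:
        ip: target IP address or CIDR network, e.g. ``'192.168.1.0/24'``.
        timeout: seconds to wait for replies (keyword-only; default 1, the
            value that was previously hard-coded).

    Returns:
        A list of ``{'ip': <sender IP>, 'mac': <sender MAC>}`` dicts, one per
        reply in arrival order.  A host that answers twice, or a spoofer
        answering on behalf of another host, yields multiple entries; the
        caller is expected to look for such duplicates.
    """
    probe = scapy.Ether(dst='ff:ff:ff:ff:ff:ff') / scapy.ARP(pdst=ip)
    answered, _unanswered = scapy.srp(probe, timeout=timeout, verbose=False)
    # Each answered entry is a (sent, received) pair.  Read the sender
    # fields from the ARP layer of the received frame explicitly instead of
    # relying on scapy forwarding unknown attributes down the layer stack.
    return [
        {'ip': received[scapy.ARP].psrc, 'mac': received[scapy.ARP].hwsrc}
        for _sent, received in answered
    ]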
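def arp_attack_detect(network='192.168.1.1/24', *, count=100):
    """Run one detection round: an active scan followed by passive sniffing.

    Phase 1 -- scan: every reply from arp_scan(network) is folded into an
    IP->MACs and a MAC->IPs table (see _find_address_conflicts).  An IP that
    answers from more than one MAC, or a MAC that answers for more than one
    IP, is reported.  Some legitimate setups (proxy ARP, a host with several
    IP aliases) also trigger the second rule, so treat it as a lead rather
    than proof.

    Phase 2 -- sniff: the per-sender counters used by arp_spoof_detect() are
    cleared, then ``count`` ARP packets are captured and handed to it.

    Findings are logged and printed as they occur.  If neither phase flags
    anything, a "no attack detected" line is emitted (requirement from the
    feature list that the original code never implemented) so an empty log
    can be told apart from a run that never got this far.

    Args:
        network: target of the active scan (host or CIDR).  Defaults to the
            value that was previously hard-coded.
        count: number of ARP packets to sniff in phase 2 (keyword-only).

    Returns:
        The set of IP addresses flagged during the scan phase (empty if none).
    """
    flagged = _find_address_conflicts(arp_scan(network))

    # Fresh counters for this round so rates from an earlier round (or from
    # a previous call) cannot spill over into this one.
    arp_requests.clear()
    arp_replies.clear()

    suspicious_packets = []

    def _on_packet(packet):
        if arp_spoof_detect(packet):
            suspicious_packets.append(packet)

    # store=False: the packets are fully handled in the callback, so there is
    # no reason to keep all of them in memory until sniff() returns.
    scapy.sniff(filter='arp', count=count, prn=_on_packet, store=False)

    if not flagged and not suspicious_packets:
        logging.info('No ARP attack detected on %s', network)
        print('No ARP attack detected on %s' % network)
    return flagged


def _find_address_conflicts(clients):
    """Report IP<->MAC conflicts among scan results; return the flagged IPs.

    ``clients`` is the list of ``{'ip': ..., 'mac': ...}`` dicts produced by
    arp_scan().  A conflict is logged and printed when a second, *different*
    address is seen for the same key; an identical (ip, mac) pair seen twice
    is not a conflict.  Flagged IPs are kept in a separate set rather than
    written into the lookup table as a marker, which in the original made a
    later duplicate report the marker ('red') instead of the real address.
    """
    ip_to_macs = {}   # IP -> MACs it has answered from, in arrival order
    mac_to_ips = {}   # MAC -> IPs it has answered for, in arrival order
    flagged = set()
    for client in clients:
        ip, mac = client['ip'], client['mac']
        ips_for_mac = mac_to_ips.setdefault(mac, [])
        macs_for_ip = ip_to_macs.setdefault(ip, [])

        if ips_for_mac and ip not in ips_for_mac:
            listed = ', '.join(ips_for_mac + [ip])
            logging.warning('ARP attack detected: multiple IP addresses (%s) for MAC address %s',
                            listed, mac)
            print('ARP attack detected: multiple IP addresses (%s) for MAC address %s'
                  % (listed, mac))
            flagged.update(ips_for_mac)
            flagged.add(ip)
        elif macs_for_ip and mac not in macs_for_ip:
            listed = ', '.join(macs_for_ip + [mac])
            logging.warning('ARP attack detected: multiple MAC addresses (%s) for IP address %s',
                            listed, ip)
            print('ARP attack detected: multiple MAC addresses (%s) for IP address %s'
                  % (listed, ip))
            flagged.add(ip)

        # Record the pair either way so every later duplicate is compared
        # against the full history, not just the first entry.
        if ip not in ips_for_mac:
            ips_for_mac.append(ip)
        if mac not in macs_for_ip:
            macs_for_ip.append(mac)
    return flagged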
ar