Linux-based ARP attack detection software: functional requirements and a Python implementation

This article describes how to build a Linux-based ARP attack detection tool in Python. The tool captures packets, analyses ARP packets and applies a set of predefined rules to decide whether the network is under an ARP attack.

Functional requirements

  1. Capture packets, with the capture filter set to ARP packets only
  2. Analyse ARP packets and distinguish normal hosts from suspected abnormal hosts
  3. Mark the IP addresses of abnormal hosts in red
  4. For reply packets, detect whether the same IP address appears with different MAC addresses
  5. For request packets, detect whether they are legitimate and whether different IP addresses map to the same MAC address
  6. Detect whether a large number of ARP requests or replies are sent from the same IP address or the same MAC address
  7. Report whether or not the network is under ARP attack
  8. Save all information to a log

Python implementation

  1. Capture packets with the Scapy library, with the filter set to ARP packets
from scapy.all import ARP, sniff

def arp_sniffer(pkt):
    if pkt.haslayer(ARP):
        pass  # handle the ARP packet here
  2. Parse each packet, check whether it is an ARP packet, and distinguish normal hosts from suspected abnormal hosts
from scapy.all import ARP

def arp_sniffer(pkt):
    if pkt.haslayer(ARP):
        arp_pkt = pkt[ARP]
        if arp_pkt.op == 1:  # ARP request
            pass  # handle the ARP request
        elif arp_pkt.op == 2:  # ARP reply
            pass  # handle the ARP reply
  3. Use a colour output library to print the IP addresses of abnormal hosts in red
from scapy.all import ARP
from termcolor import colored

suspicious_hosts = set()  # IPs flagged by the detection rules added in the later steps

def arp_sniffer(pkt):
    if pkt.haslayer(ARP):
        arp_pkt = pkt[ARP]
        if arp_pkt.op == 1:  # ARP request
            pass  # handle the ARP request
        elif arp_pkt.op == 2:  # ARP reply
            if arp_pkt.psrc in suspicious_hosts:
                print(colored(arp_pkt.psrc, 'red'))
  4. Walk through the packets and, for reply packets, detect whether the same IP address appears with different MAC addresses
from scapy.all import ARP
from termcolor import colored

arp_cache = {}            # IP -> MAC most recently seen for that IP
suspicious_hosts = set()  # IPs whose MAC changed

def arp_sniffer(pkt):
    if pkt.haslayer(ARP):
        arp_pkt = pkt[ARP]
        if arp_pkt.op == 1:  # ARP request
            pass  # handle the ARP request
        elif arp_pkt.op == 2:  # ARP reply
            # the check runs for every reply; a host is only marked suspicious once it fails it
            if arp_pkt.psrc in arp_cache and arp_cache[arp_pkt.psrc] != arp_pkt.hwsrc:
                suspicious_hosts.add(arp_pkt.psrc)
                print(colored('ARP spoofing detected!', 'red'))
            arp_cache[arp_pkt.psrc] = arp_pkt.hwsrc
            if arp_pkt.psrc in suspicious_hosts:
                print(colored(arp_pkt.psrc, 'red'))
  5. Walk through the packets and, for request packets, detect whether they are legitimate and whether different IP addresses map to the same MAC address
from scapy.all import ARP
from termcolor import colored

arp_cache = {}            # IP -> MAC most recently seen for that IP
mac_cache = {}            # MAC -> IP most recently claimed in a reply
suspicious_hosts = set()  # IPs whose MAC changed
suspicious_macs = set()   # MACs that answered for several IPs

def arp_sniffer(pkt):
    if pkt.haslayer(ARP):
        arp_pkt = pkt[ARP]
        if arp_pkt.op == 1:  # ARP request
            if arp_pkt.psrc in arp_cache and arp_cache[arp_pkt.psrc] != arp_pkt.hwsrc:
                suspicious_hosts.add(arp_pkt.psrc)
                print(colored('ARP spoofing detected!', 'red'))
            arp_cache[arp_pkt.psrc] = arp_pkt.hwsrc
        elif arp_pkt.op == 2:  # ARP reply
            if arp_pkt.psrc in arp_cache and arp_cache[arp_pkt.psrc] != arp_pkt.hwsrc:
                suspicious_hosts.add(arp_pkt.psrc)
                print(colored('ARP spoofing detected!', 'red'))
            arp_cache[arp_pkt.psrc] = arp_pkt.hwsrc
            if arp_pkt.psrc in suspicious_hosts:
                print(colored(arp_pkt.psrc, 'red'))
            # one MAC answering for several IPs is the second sign of spoofing
            if arp_pkt.hwsrc in mac_cache and mac_cache[arp_pkt.hwsrc] != arp_pkt.psrc:
                suspicious_macs.add(arp_pkt.hwsrc)
                print(colored('ARP spoofing detected!', 'red'))
            mac_cache[arp_pkt.hwsrc] = arp_pkt.psrc
  6. Count ARP requests and replies to detect whether large numbers are sent from the same IP address or the same MAC address
from scapy.all import ARP
from termcolor import colored

arp_cache = {}            # IP -> MAC most recently seen for that IP
mac_cache = {}            # MAC -> IP most recently claimed in a reply
req_count = {}            # requests seen per sender IP (never reset, so a lifetime total)
resp_count = {}           # replies seen per sender IP
suspicious_hosts = set()  # IPs whose MAC changed
suspicious_macs = set()   # MACs that answered for several IPs

def arp_sniffer(pkt):
    if pkt.haslayer(ARP):
        arp_pkt = pkt[ARP]
        if arp_pkt.op == 1:  # ARP request
            if arp_pkt.psrc in arp_cache and arp_cache[arp_pkt.psrc] != arp_pkt.hwsrc:
                suspicious_hosts.add(arp_pkt.psrc)
                print(colored('ARP spoofing detected!', 'red'))
            arp_cache[arp_pkt.psrc] = arp_pkt.hwsrc
            req_count[arp_pkt.psrc] = req_count.get(arp_pkt.psrc, 0) + 1
            if req_count[arp_pkt.psrc] > 10:
                print(colored('ARP flooding detected!', 'red'))
        elif arp_pkt.op == 2:  # ARP reply
            if arp_pkt.psrc in arp_cache and arp_cache[arp_pkt.psrc] != arp_pkt.hwsrc:
                suspicious_hosts.add(arp_pkt.psrc)
                print(colored('ARP spoofing detected!', 'red'))
            arp_cache[arp_pkt.psrc] = arp_pkt.hwsrc
            if arp_pkt.psrc in suspicious_hosts:
                print(colored(arp_pkt.psrc, 'red'))
            resp_count[arp_pkt.psrc] = resp_count.get(arp_pkt.psrc, 0) + 1
            if resp_count[arp_pkt.psrc] > 10:
                print(colored('ARP poisoning detected!', 'red'))
            if arp_pkt.hwsrc in mac_cache and mac_cache[arp_pkt.hwsrc] != arp_pkt.psrc:
                suspicious_macs.add(arp_pkt.hwsrc)
                print(colored('ARP spoofing detected!', 'red'))
            mac_cache[arp_pkt.hwsrc] = arp_pkt.psrc
  7. Apply the rules to decide whether the network is under ARP attack and print the corresponding message
from scapy.all import ARP
from termcolor import colored

arp_cache = {}            # IP -> MAC most recently seen for that IP
mac_cache = {}            # MAC -> IP most recently claimed in a reply
req_count = {}            # requests seen per sender IP (never reset, so a lifetime total)
resp_count = {}           # replies seen per sender IP
mac_count = {}            # replies seen per sender MAC
suspicious_hosts = set()  # IPs whose MAC changed
suspicious_macs = set()   # MACs that answered for several IPs

def arp_sniffer(pkt):
    if pkt.haslayer(ARP):
        arp_pkt = pkt[ARP]
        if arp_pkt.op == 1:  # ARP request
            if arp_pkt.psrc in arp_cache and arp_cache[arp_pkt.psrc] != arp_pkt.hwsrc:
                suspicious_hosts.add(arp_pkt.psrc)
                print(colored('ARP spoofing detected!', 'red'))
            arp_cache[arp_pkt.psrc] = arp_pkt.hwsrc
            req_count[arp_pkt.psrc] = req_count.get(arp_pkt.psrc, 0) + 1
            if req_count[arp_pkt.psrc] > 10:
                print(colored('ARP flooding detected!', 'red'))
        elif arp_pkt.op == 2:  # ARP reply
            if arp_pkt.psrc in arp_cache and arp_cache[arp_pkt.psrc] != arp_pkt.hwsrc:
                suspicious_hosts.add(arp_pkt.psrc)
                print(colored('ARP spoofing detected!', 'red'))
            arp_cache[arp_pkt.psrc] = arp_pkt.hwsrc
            if arp_pkt.psrc in suspicious_hosts:
                print(colored(arp_pkt.psrc, 'red'))
            resp_count[arp_pkt.psrc] = resp_count.get(arp_pkt.psrc, 0) + 1
            if resp_count[arp_pkt.psrc] > 10:
                print(colored('ARP poisoning detected!', 'red'))
            if arp_pkt.hwsrc in mac_cache and mac_cache[arp_pkt.hwsrc] != arp_pkt.psrc:
                suspicious_macs.add(arp_pkt.hwsrc)
                print(colored('ARP spoofing detected!', 'red'))
            mac_cache[arp_pkt.hwsrc] = arp_pkt.psrc
            mac_count[arp_pkt.hwsrc] = mac_count.get(arp_pkt.hwsrc, 0) + 1
            if mac_count[arp_pkt.hwsrc] > 10:
                print(colored('ARP flooding detected!', 'red'))
  8. Save all information to a log with Python's built-in logging library
from scapy.all import ARP
from termcolor import colored
import logging

arp_cache = {}            # IP -> MAC most recently seen for that IP
mac_cache = {}            # MAC -> IP most recently claimed in a reply
req_count = {}            # requests seen per sender IP (never reset, so a lifetime total)
resp_count = {}           # replies seen per sender IP
mac_count = {}            # replies seen per sender MAC
suspicious_hosts = set()  # IPs whose MAC changed
suspicious_macs = set()   # MACs that answered for several IPs

logging.basicConfig(filename='arp_detection.log', level=logging.INFO)

def arp_sniffer(pkt):
    if pkt.haslayer(ARP):
        arp_pkt = pkt[ARP]
        if arp_pkt.op == 1:  # ARP request
            if arp_pkt.psrc in arp_cache and arp_cache[arp_pkt.psrc] != arp_pkt.hwsrc:
                suspicious_hosts.add(arp_pkt.psrc)
                logging.warning('ARP spoofing detected! IP: %s, MAC: %s', arp_pkt.psrc, arp_pkt.hwsrc)
                print(colored('ARP spoofing detected!', 'red'))
            arp_cache[arp_pkt.psrc] = arp_pkt.hwsrc
            req_count[arp_pkt.psrc] = req_count.get(arp_pkt.psrc, 0) + 1
            if req_count[arp_pkt.psrc] > 10:
                logging.warning('ARP flooding detected! IP: %s', arp_pkt.psrc)
                print(colored('ARP flooding detected!', 'red'))
        elif arp_pkt.op == 2:  # ARP reply
            if arp_pkt.psrc in arp_cache and arp_cache[arp_pkt.psrc] != arp_pkt.hwsrc:
                suspicious_hosts.add(arp_pkt.psrc)
                logging.warning('ARP spoofing detected! IP: %s, MAC: %s', arp_pkt.psrc, arp_pkt.hwsrc)
                print(colored('ARP spoofing detected!', 'red'))
            arp_cache[arp_pkt.psrc] = arp_pkt.hwsrc
            if arp_pkt.psrc in suspicious_hosts:
                print(colored(arp_pkt.psrc, 'red'))
            resp_count[arp_pkt.psrc] = resp_count.get(arp_pkt.psrc, 0) + 1
            if resp_count[arp_pkt.psrc] > 10:
                logging.warning('ARP poisoning detected! IP: %s', arp_pkt.psrc)
                print(colored('ARP poisoning detected!', 'red'))
            if arp_pkt.hwsrc in mac_cache and mac_cache[arp_pkt.hwsrc] != arp_pkt.psrc:
                suspicious_macs.add(arp_pkt.hwsrc)
                logging.warning('ARP spoofing detected! IP: %s, MAC: %s', arp_pkt.psrc, arp_pkt.hwsrc)
                print(colored('ARP spoofing detected!', 'red'))
            mac_cache[arp_pkt.hwsrc] = arp_pkt.psrc
            mac_count[arp_pkt.hwsrc] = mac_count.get(arp_pkt.hwsrc, 0) + 1
            if mac_count[arp_pkt.hwsrc] > 10:
                logging.warning('ARP flooding detected! MAC: %s', arp_pkt.hwsrc)
                print(colored('ARP flooding detected!', 'red'))

Detailed implementation

  1. Capture packets with the Scapy library
from scapy.all import ARP, sniff

def arp_sniffer(pkt):
    if pkt.haslayer(ARP):
        pkt.show()  # show() prints the packet itself and returns None, so it is not wrapped in print()

# live capture needs root privileges (raw socket); store=0 keeps memory flat on a busy network
sniff(prn=arp_sniffer, filter='arp', store=0)
  2. Parse each packet, check whether it is an ARP packet, and distinguish normal hosts from suspected abnormal hosts
from scapy.all import ARP, sniff

def arp_sniffer(pkt):
    if pkt.haslayer(ARP):
        arp_pkt = pkt[ARP]
        if arp_pkt.op == 1:  # ARP request
            print('ARP Request:  Source IP:', arp_pkt.psrc, 'Source MAC:', arp_pkt.hwsrc, 'Target IP:', arp_pkt.pdst, 'Target MAC:', arp_pkt.hwdst)
        elif arp_pkt.op == 2:  # ARP reply
            print('ARP Reply:  Source IP:', arp_pkt.psrc, 'Source MAC:', arp_pkt.hwsrc, 'Target IP:', arp_pkt.pdst, 'Target MAC:', arp_pkt.hwdst)

sniff(prn=arp_sniffer, filter='arp', store=0)
  3. Use a colour output library to print the IP addresses of abnormal hosts in red
from scapy.all import ARP, sniff
from termcolor import colored

suspicious_hosts = set()  # IPs flagged by the detection rules added in the later steps

def arp_sniffer(pkt):
    if pkt.haslayer(ARP):
        arp_pkt = pkt[ARP]
        if arp_pkt.op == 1:  # ARP request
            print('ARP Request:  Source IP:', arp_pkt.psrc, 'Source MAC:', arp_pkt.hwsrc, 'Target IP:', arp_pkt.pdst, 'Target MAC:', arp_pkt.hwdst)
        elif arp_pkt.op == 2:  # ARP reply
            print('ARP Reply:  Source IP:', arp_pkt.psrc, 'Source MAC:', arp_pkt.hwsrc, 'Target IP:', arp_pkt.pdst, 'Target MAC:', arp_pkt.hwdst)
            if arp_pkt.psrc in suspicious_hosts:
                print(colored(arp_pkt.psrc, 'red'))

sniff(prn=arp_sniffer, filter='arp', store=0)
  4. Walk through the packets and, for reply packets, detect whether the same IP address appears with different MAC addresses
from scapy.all import ARP, sniff
from termcolor import colored

arp_cache = {}            # IP -> MAC most recently seen for that IP
suspicious_hosts = set()  # IPs whose MAC changed

def arp_sniffer(pkt):
    if pkt.haslayer(ARP):
        arp_pkt = pkt[ARP]
        if arp_pkt.op == 1:  # ARP request
            print('ARP Request:  Source IP:', arp_pkt.psrc, 'Source MAC:', arp_pkt.hwsrc, 'Target IP:', arp_pkt.pdst, 'Target MAC:', arp_pkt.hwdst)
        elif arp_pkt.op == 2:  # ARP reply
            print('ARP Reply:  Source IP:', arp_pkt.psrc, 'Source MAC:', arp_pkt.hwsrc, 'Target IP:', arp_pkt.pdst, 'Target MAC:', arp_pkt.hwdst)
            # the check runs for every reply; a host is only marked suspicious once it fails it
            if arp_pkt.psrc in arp_cache and arp_cache[arp_pkt.psrc] != arp_pkt.hwsrc:
                suspicious_hosts.add(arp_pkt.psrc)
                print(colored('ARP spoofing detected!', 'red'))
            arp_cache[arp_pkt.psrc] = arp_pkt.hwsrc
            if arp_pkt.psrc in suspicious_hosts:
                print(colored(arp_pkt.psrc, 'red'))

sniff(prn=arp_sniffer, filter='arp', store=0)
  5. Walk through the packets and, for request packets, detect whether they are legitimate and whether different IP addresses map to the same MAC address
from scapy.all import ARP, sniff
from termcolor import colored

arp_cache = {}            # IP -> MAC most recently seen for that IP
mac_cache = {}            # MAC -> IP most recently claimed in a reply
suspicious_hosts = set()  # IPs whose MAC changed
suspicious_macs = set()   # MACs that answered for several IPs

def arp_sniffer(pkt):
    if pkt.haslayer(ARP):
        arp_pkt = pkt[ARP]
        if arp_pkt.op == 1:  # ARP request
            print('ARP Request:  Source IP:', arp_pkt.psrc, 'Source MAC:', arp_pkt.hwsrc, 'Target IP:', arp_pkt.pdst, 'Target MAC:', arp_pkt.hwdst)
            if arp_pkt.psrc in arp_cache and arp_cache[arp_pkt.psrc] != arp_pkt.hwsrc:
                suspicious_hosts.add(arp_pkt.psrc)
                print(colored('ARP spoofing detected!', 'red'))
            arp_cache[arp_pkt.psrc] = arp_pkt.hwsrc
        elif arp_pkt.op == 2:  # ARP reply
            print('ARP Reply:  Source IP:', arp_pkt.psrc, 'Source MAC:', arp_pkt.hwsrc, 'Target IP:', arp_pkt.pdst, 'Target MAC:', arp_pkt.hwdst)
            if arp_pkt.psrc in arp_cache and arp_cache[arp_pkt.psrc] != arp_pkt.hwsrc:
                suspicious_hosts.add(arp_pkt.psrc)
                print(colored('ARP spoofing detected!', 'red'))
            arp_cache[arp_pkt.psrc] = arp_pkt.hwsrc
            if arp_pkt.psrc in suspicious_hosts:
                print(colored(arp_pkt.psrc, 'red'))
            # one MAC answering for several IPs is the second sign of spoofing
            if arp_pkt.hwsrc in mac_cache and mac_cache[arp_pkt.hwsrc] != arp_pkt.psrc:
                suspicious_macs.add(arp_pkt.hwsrc)
                print(colored('ARP spoofing detected!', 'red'))
            mac_cache[arp_pkt.hwsrc] = arp_pkt.psrc

sniff(prn=arp_sniffer, filter='arp', store=0)
  6. Count ARP requests and replies to detect whether large numbers are sent from the same IP address or the same MAC address
from scapy.all import ARP, sniff
from termcolor import colored

arp_cache = {}            # IP -> MAC most recently seen for that IP
mac_cache = {}            # MAC -> IP most recently claimed in a reply
req_count = {}            # requests seen per sender IP (never reset, so a lifetime total)
resp_count = {}           # replies seen per sender IP
suspicious_hosts = set()  # IPs whose MAC changed
suspicious_macs = set()   # MACs that answered for several IPs

def arp_sniffer(pkt):
    if pkt.haslayer(ARP):
        arp_pkt = pkt[ARP]
        if arp_pkt.op == 1:  # ARP request
            print('ARP Request:  Source IP:', arp_pkt.psrc, 'Source MAC:', arp_pkt.hwsrc, 'Target IP:', arp_pkt.pdst, 'Target MAC:', arp_pkt.hwdst)
            if arp_pkt.psrc in arp_cache and arp_cache[arp_pkt.psrc] != arp_pkt.hwsrc:
                suspicious_hosts.add(arp_pkt.psrc)
                print(colored('ARP spoofing detected!', 'red'))
            arp_cache[arp_pkt.psrc] = arp_pkt.hwsrc
            req_count[arp_pkt.psrc] = req_count.get(arp_pkt.psrc, 0) + 1
            if req_count[arp_pkt.psrc] > 10:
                print(colored('ARP flooding detected!', 'red'))
        elif arp_pkt.op == 2:  # ARP reply
            print('ARP Reply:  Source IP:', arp_pkt.psrc, 'Source MAC:', arp_pkt.hwsrc, 'Target IP:', arp_pkt.pdst, 'Target MAC:', arp_pkt.hwdst)
            if arp_pkt.psrc in arp_cache and arp_cache[arp_pkt.psrc] != arp_pkt.hwsrc:
                suspicious_hosts.add(arp_pkt.psrc)
                print(colored('ARP spoofing detected!', 'red'))
            arp_cache[arp_pkt.psrc] = arp_pkt.hwsrc
            if arp_pkt.psrc in suspicious_hosts:
                print(colored(arp_pkt.psrc, 'red'))
            resp_count[arp_pkt.psrc] = resp_count.get(arp_pkt.psrc, 0) + 1
            if resp_count[arp_pkt.psrc] > 10:
                print(colored('ARP poisoning detected!', 'red'))
            if arp_pkt.hwsrc in mac_cache and mac_cache[arp_pkt.hwsrc] != arp_pkt.psrc:
                suspicious_macs.add(arp_pkt.hwsrc)
                print(colored('ARP spoofing detected!', 'red'))
            mac_cache[arp_pkt.hwsrc] = arp_pkt.psrc

sniff(prn=arp_sniffer, filter='arp', store=0)
  7. Apply the rules to decide whether the network is under ARP attack and print the corresponding message
from scapy.all import ARP, sniff
from termcolor import colored

arp_cache = {}            # IP -> MAC most recently seen for that IP
mac_cache = {}            # MAC -> IP most recently claimed in a reply
req_count = {}            # requests seen per sender IP (never reset, so a lifetime total)
resp_count = {}           # replies seen per sender IP
mac_count = {}            # replies seen per sender MAC
suspicious_hosts = set()  # IPs whose MAC changed
suspicious_macs = set()   # MACs that answered for several IPs

def arp_sniffer(pkt):
    if pkt.haslayer(ARP):
        arp_pkt = pkt[ARP]
        if arp_pkt.op == 1:  # ARP request
            print('ARP Request:  Source IP:', arp_pkt.psrc, 'Source MAC:', arp_pkt.hwsrc, 'Target IP:', arp_pkt.pdst, 'Target MAC:', arp_pkt.hwdst)
            if arp_pkt.psrc in arp_cache and arp_cache[arp_pkt.psrc] != arp_pkt.hwsrc:
                suspicious_hosts.add(arp_pkt.psrc)
                print(colored('ARP spoofing detected!', 'red'))
            arp_cache[arp_pkt.psrc] = arp_pkt.hwsrc
            req_count[arp_pkt.psrc] = req_count.get(arp_pkt.psrc, 0) + 1
            if req_count[arp_pkt.psrc] > 10:
                print(colored('ARP flooding detected!', 'red'))
        elif arp_pkt.op == 2:  # ARP reply
            print('ARP Reply:  Source IP:', arp_pkt.psrc, 'Source MAC:', arp_pkt.hwsrc, 'Target IP:', arp_pkt.pdst, 'Target MAC:', arp_pkt.hwdst)
            if arp_pkt.psrc in arp_cache and arp_cache[arp_pkt.psrc] != arp_pkt.hwsrc:
                suspicious_hosts.add(arp_pkt.psrc)
                print(colored('ARP spoofing detected!', 'red'))
            arp_cache[arp_pkt.psrc] = arp_pkt.hwsrc
            if arp_pkt.psrc in suspicious_hosts:
                print(colored(arp_pkt.psrc, 'red'))
            resp_count[arp_pkt.psrc] = resp_count.get(arp_pkt.psrc, 0) + 1
            if resp_count[arp_pkt.psrc] > 10:
                print(colored('ARP poisoning detected!', 'red'))
            if arp_pkt.hwsrc in mac_cache and mac_cache[arp_pkt.hwsrc] != arp_pkt.psrc:
                suspicious_macs.add(arp_pkt.hwsrc)
                print(colored('ARP spoofing detected!', 'red'))
            mac_cache[arp_pkt.hwsrc] = arp_pkt.psrc
            mac_count[arp_pkt.hwsrc] = mac_count.get(arp_pkt.hwsrc, 0) + 1
            if mac_count[arp_pkt.hwsrc] > 10:
                print(colored('ARP flooding detected!', 'red'))

sniff(prn=arp_sniffer, filter='arp', store=0)
  8. Save all information to a log with Python's built-in logging library
from scapy.all import ARP, sniff
from termcolor import colored
import logging

arp_cache = {}            # IP -> MAC most recently seen for that IP
mac_cache = {}            # MAC -> IP most recently claimed in a reply
req_count = {}            # requests seen per sender IP (never reset, so a lifetime total)
resp_count = {}           # replies seen per sender IP
mac_count = {}            # replies seen per sender MAC
suspicious_hosts = set()  # IPs whose MAC changed
suspicious_macs = set()   # MACs that answered for several IPs

logging.basicConfig(filename='arp_detection.log', level=logging.INFO)

def arp_sniffer(pkt):
    if pkt.haslayer(ARP):
        arp_pkt = pkt[ARP]
        if arp_pkt.op == 1:  # ARP request
            print('ARP Request:  Source IP:', arp_pkt.psrc, 'Source MAC:', arp_pkt.hwsrc, 'Target IP:', arp_pkt.pdst, 'Target MAC:', arp_pkt.hwdst)
            if arp_pkt.psrc in arp_cache and arp_cache[arp_pkt.psrc] != arp_pkt.hwsrc:
                suspicious_hosts.add(arp_pkt.psrc)
                logging.warning('ARP spoofing detected! IP: %s, MAC: %s', arp_pkt.psrc, arp_pkt.hwsrc)
                print(colored('ARP spoofing detected!', 'red'))
            arp_cache[arp_pkt.psrc] = arp_pkt.hwsrc
            req_count[arp_pkt.psrc] = req_count.get(arp_pkt.psrc, 0) + 1
            if req_count[arp_pkt.psrc] > 10:
                logging.warning('ARP flooding detected! IP: %s', arp_pkt.psrc)
                print(colored('ARP flooding detected!', 'red'))
        elif arp_pkt.op == 2:  # ARP reply
            print('ARP Reply:  Source IP:', arp_pkt.psrc, 'Source MAC:', arp_pkt.hwsrc, 'Target IP:', arp_pkt.pdst, 'Target MAC:', arp_pkt.hwdst)
            if arp_pkt.psrc in arp_cache and arp_cache[arp_pkt.psrc] != arp_pkt.hwsrc:
                suspicious_hosts.add(arp_pkt.psrc)
                logging.warning('ARP spoofing detected! IP: %s, MAC: %s', arp_pkt.psrc, arp_pkt.hwsrc)
                print(colored('ARP spoofing detected!', 'red'))
            arp_cache[arp_pkt.psrc] = arp_pkt.hwsrc
            if arp_pkt.psrc in suspicious_hosts:
                print(colored(arp_pkt.psrc, 'red'))
            resp_count[arp_pkt.psrc] = resp_count.get(arp_pkt.psrc, 0) + 1
            if resp_count[arp_pkt.psrc] > 10:
                logging.warning('ARP poisoning detected! IP: %s', arp_pkt.psrc)
                print(colored('ARP poisoning detected!', 'red'))
            if arp_pkt.hwsrc in mac_cache and mac_cache[arp_pkt.hwsrc] != arp_pkt.psrc:
                suspicious_macs.add(arp_pkt.hwsrc)
                logging.warning('ARP spoofing detected! IP: %s, MAC: %s', arp_pkt.psrc, arp_pkt.hwsrc)
                print(colored('ARP spoofing detected!', 'red'))
            mac_cache[arp_pkt.hwsrc] = arp_pkt.psrc
            mac_count[arp_pkt.hwsrc] = mac_count.get(arp_pkt.hwsrc, 0) + 1
            if mac_count[arp_pkt.hwsrc] > 10:
                logging.warning('ARP flooding detected! MAC: %s', arp_pkt.hwsrc)
                print(colored('ARP flooding detected!', 'red'))

# live capture needs root privileges (raw socket); store=0 keeps memory flat on a busy network
sniff(prn=arp_sniffer, filter='arp', store=0)

This code shows how to capture packets with Scapy, analyse the ARP packets and apply the predefined rules to decide whether the network is under ARP attack. It also uses the termcolor library to print the IP addresses of abnormal hosts in red and the logging library to save all information to a log file. Note that the counters are never reset, so the threshold of 10 is a lifetime total rather than a rate; a real deployment would count within a time window.
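As an added example that is not part of the original article, the detection rules above are re-implemented as a Scapy-independent state machine so they can be exercised offline on constructed ARP records; the class name, the alert tuples and the sliding time window (the article counts without a time bound) are assumptions of this example.

```python
from collections import defaultdict, deque

ARP_REQUEST, ARP_REPLY = 1, 2
LIMIT = 10      # packets per window, same threshold the article uses
WINDOW = 5.0    # seconds; the time bound is an assumption of this example

class ArpDetector:
    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit, self.window = limit, window
        self.ip_to_mac = {}             # IP -> MAC, learned from requests and replies
        self.mac_to_ip = {}             # MAC -> IP, learned from replies only
        self.suspicious_hosts = set()   # IPs whose MAC changed
        self.suspicious_macs = set()    # MACs that answered for several IPs
        self.seen = defaultdict(deque)  # counter key -> timestamps inside the window

    def _rate_exceeded(self, key, ts):
        q = self.seen[key]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop packets older than the window
            q.popleft()
        return len(q) > self.limit

    def observe(self, op, psrc, hwsrc, ts):
        """Feed one ARP packet (opcode, sender IP, sender MAC, time); return its alerts."""
        alerts = []
        if op not in (ARP_REQUEST, ARP_REPLY):
            return alerts
        old_mac = self.ip_to_mac.get(psrc)     # rule: one IP must keep one MAC
        if old_mac is not None and old_mac != hwsrc:
            self.suspicious_hosts.add(psrc)
            alerts.append(('spoofing', psrc, hwsrc))
        self.ip_to_mac[psrc] = hwsrc
        if op == ARP_REQUEST:
            if self._rate_exceeded(('req', psrc), ts):
                alerts.append(('flooding', psrc, hwsrc))
            return alerts
        old_ip = self.mac_to_ip.get(hwsrc)     # rule: one MAC must not answer for many IPs
        if old_ip is not None and old_ip != psrc:
            self.suspicious_macs.add(hwsrc)
            alerts.append(('spoofing', psrc, hwsrc))
        self.mac_to_ip[hwsrc] = psrc
        if self._rate_exceeded(('resp', psrc), ts):
            alerts.append(('poisoning', psrc, hwsrc))
        if self._rate_exceeded(('mac', hwsrc), ts):
            alerts.append(('flooding', psrc, hwsrc))
        return alerts

def run_sample():
    """Constructed traffic: a normal request/reply, the gateway IP answering from a new MAC, then that MAC answering for four more IPs."""
    d = ArpDetector(limit=3, window=1.0)
    gw, pc = '192.0.2.1', '192.0.2.20'     # RFC 5737 documentation addresses
    out = d.observe(ARP_REQUEST, pc, 'aa:aa:aa:aa:aa:01', 0.0)
    out += d.observe(ARP_REPLY, gw, 'aa:aa:aa:aa:aa:02', 0.1)
    out += d.observe(ARP_REPLY, gw, 'aa:aa:aa:aa:aa:99', 0.2)
    for i in range(4):
        out += d.observe(ARP_REPLY, '192.0.2.%d' % (30 + i), 'aa:aa:aa:aa:aa:99', 0.3 + 0.1 * i)
    return [a[0] for a in out], sorted(d.suspicious_hosts), sorted(d.suspicious_macs)
```

Feeding `observe()` from a Scapy callback (`arp_pkt.op`, `arp_pkt.psrc`, `arp_pkt.hwsrc`, `pkt.time`) plugs the same logic into the live sniffer from the article.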

Summary

This article laid out the functional requirements for a Linux-based ARP attack detection tool and implemented them in Python. The tool captures packets, analyses ARP packets, marks the IP addresses of abnormal hosts, and inspects ARP requests and replies to identify ARP attack behaviour, saving the results to a log.

The code is only a basic framework and would need to be adjusted and extended for real use, for example by classifying ARP attack types in more detail and by defining more sophisticated detection rules.

Original article: https://www.cveoy.top/t/topic/joFu. Copyright belongs to the author. Do not repost or scrape.