refactor flag + memos

alessio-perugini · Oct 20, 2020 · 0c059c6 · 0c059c6
1 parent c3a6d12
commit 0c059c6
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 10 deletions.
diff --git a/cmd/main.go b/cmd/main.go
@@ -42,7 +42,7 @@ func init() {
 	//NetFlow
 	flag.StringVar(&stanislav.FlowPath, "flowPath", "", "dir path to load flows of nProbe")
 	flag.Float64Var(&stanislav.Tolerance, "tolerance", 20, "maximum % tolerance before flag possible periodic flow.")
-	flag.IntVar(&stanislav.NTwToCompare, "nCompare", 1, "number o time windows to compare to evaluate a possible periodicity")
+	flag.IntVar(&stanislav.SeenXtime, "nCompare", 1, "number o time windows to compare to evaluate a possible periodicity")
 	flag.StringVar(&stanislav.IpAddrNF, "ip", "", "ip of netflow collector")
 	flag.StringVar(&stanislav.PortNF, "port", "2055", "port of netflow collector")
 	flag.UintVar(&config.Verbose, "verbose", 0, "verbosity level. (1=low,2=medium,3=high)")

diff --git a/logic.go b/logic.go
@@ -73,21 +73,21 @@ func InspectFlow(rf RawFlow) {
 	}
 	//TODO create a function that handles C2 server blocklist
 	if name, ok := blackListIp[rf.Ipv4DstAddr]; ok {
-		AddPossibleThreat(rf.Ipv4DstAddr, "c2 server " + name)
+		AddPossibleThreat(rf.Ipv4DstAddr, "c2 server "+name)
 		logger.Printf("[%s] appears in the blocked c2 list as %s!\n", rf.Ipv4DstAddr, name)
 	}
 
 	if name, ok := blackListIp[rf.Ipv4SrcAddr]; ok {
-		AddPossibleThreat(rf.Ipv4SrcAddr, "c2 server " + name)
+		AddPossibleThreat(rf.Ipv4SrcAddr, "c2 server "+name)
 		logger.Printf("[%s] appears in the blocked c2 list as %s!\n", rf.Ipv4SrcAddr, name)
 	}
 
 	//https://tools.ietf.org/html/rfc5102#section-5
-	if rf.EndReason == 2 {
+	if rf.EndReason == 2 { //TODO check and remove if in the map
 		return
 	}
 	//https://tools.ietf.org/html/rfc5103
-	if rf.BiFlowDirection == 2 {
+	if rf.BiFlowDirection == 2 { //TODO check and remove if in the map
 		return
 	}
 
@@ -105,15 +105,15 @@ func InspectFlow(rf RawFlow) {
 				flowInfo.LastSwitched = rf.LastSwitched
 			} else { //TW expired
 				if minTime.Before(rf.FirstSwitched) && maxTime.After(rf.FirstSwitched) {
-					SetTwDuration(flowInfo, rf)
+					SetTwDuration(flowInfo, rf) //TODO spostare in fondo all'if e mettere dentro il controllo dell'endreason
 					flowInfo.PeriodicityCounter++
 					flowInfo.LastSwitched = rf.LastSwitched
-					if flowInfo.PeriodicityCounter >= NTwToCompare {
+					if flowInfo.PeriodicityCounter >= SeenXtime {
 						PeriodiFlows[key] = flowInfo
 						ChangePeriodicStatus(key, flowInfo, true)
 					}
 				} else {
-					if flowInfo.PeriodicityCounter >= NTwToCompare {
+					if flowInfo.PeriodicityCounter >= SeenXtime {
 						ChangePeriodicStatus(key, flowInfo, false)
 						ResetCurrentTW(key, flowInfo, rf.LastSwitched)
 					}

diff --git a/options.go b/options.go
@@ -13,7 +13,7 @@ var (
 	IpAddrNF            = ""
 	PortNF              = "2055"
 	Tolerance           = 10.0 //10%
-	NTwToCompare        = 3
+	SeenXtime           = 3
 	FlowPath            = "/tmp/2020" //./flows
 	analisi             = AllFlows{}
 	PeriodiFlows        = PeriodicFlows{}

diff --git a/peng.go b/peng.go
@@ -79,9 +79,10 @@ func (p *Peng) run() {
 
 	packet := gopacket.NewPacketSource(pHandle, pHandle.LinkType())
 
-	time.AfterFunc(p.Config.TimeFrame, p.handler)
+	timer := time.AfterFunc(p.Config.TimeFrame, p.handler)
 	for packet := range packet.Packets() {
 		if p.stop { //TODO forse passare il puntatore di peng
+			timer.Stop()
 			return
 		}
 		p.inspect(packet)