From 1a8aa7928528f01186fe24b2161f8deb934a2ea0 Mon Sep 17 00:00:00 2001
From: QVPham9601
Date: Mon, 9 Dec 2024 13:47:52 +0000
Subject: [PATCH] rule with xml file for python script worked
---
 rules/200_ocpp_dos.xml | 123 +++++++++++++++++++++++++++++++++++++++
 rules/200_test_rules.xml | 61 -------------------
 src/dpi/mmt_dpi.h | 12 ++--
 src/lib/mmt_security.c | 2 +-
 4 files changed, 130 insertions(+), 68 deletions(-)
 create mode 100644 rules/200_ocpp_dos.xml
 delete mode 100644 rules/200_test_rules.xml
diff --git a/rules/200_ocpp_dos.xml b/rules/200_ocpp_dos.xml
new file mode 100644
index 0000000..8cca6c1
--- /dev/null
+++ b/rules/200_ocpp_dos.xml
@@ -0,0 +1,123 @@
+
+
+
+
+#include
+#include
+#include "mmt_lib.h"
+
+static char* python_script_path = "/home/pqv/Documents/ocpp/detection_PPC_OCPPFLOWMETER_line_by_line.py";
+static char* model_path = "/home/pqv/Documents/ocpp/detection_PPC_OCPPFLOWMETER_20240918_YES_IP.pkl";
+
+static bool em_predict_attack
+
+(int level_0, int index, const char* flow_id, const char* src_ip, const char* dst_ip,
+int src_port, int dst_port, int total_flow_packets, int total_fw_packets,
+int total_bw_packets, float flow_duration, float flow_down_up_ratio,
+int flow_total_SYN_flag, int flow_total_RST_flag, int flow_total_PSH_flag,
+int flow_total_ACK_flag, int flow_total_URG_flag, int flow_total_CWE_flag,
+int flow_total_ECE_flag, int flow_total_FIN_flag, const char* flow_start_timestamp,
+const char* flow_end_timestamp, int flow_total_http_get_packets, int flow_total_http_2xx_packets,
+int flow_total_http_4xx_packets, int flow_total_http_5xx_packets,
+float flow_websocket_packts_per_second, float fw_websocket_packts_per_second,
+float bw_websocket_packts_per_second, float flow_websocket_bytes_per_second,
+float fw_websocket_bytes_per_second, float bw_websocket_bytes_per_second,
+int flow_total_websocket_ping_packets, int flow_total_websocket_pong_packets,
+int flow_total_websocket_close_packets, int flow_total_websocket_data_messages,
+int flow_total_ocpp16_heartbeat_packets, int flow_total_ocpp16_resetHard_packets,
+int flow_total_ocpp16_resetSoft_packets, int flow_total_ocpp16_unlockconnector_packets,
+int flow_total_ocpp16_starttransaction_packets, int flow_total_ocpp16_remotestarttransaction_packets,
+int flow_total_ocpp16_authorize_not_accepted_packets, int flow_total_ocpp16_setchargingprofile_packets,
+int flow_avg_ocpp16_setchargingprofile_limit, int flow_max_ocpp16_setchargingprofile_limit,
+int flow_min_ocpp16_setchargingprofile_limit, float flow_avg_ocpp16_setchargingprofile_minchargingrate,
+int flow_min_ocpp16_setchargingprofile_minchargingrate, int flow_max_ocpp16_setchargingprofile_minchargingrate,
+int flow_total_ocpp16_metervalues, int flow_min_ocpp16_metervalues_soc, int flow_max_ocpp16_metervalues_soc,
+int flow_avg_ocpp16_metervalues_wh_diff, int flow_max_ocpp16_metervalues_wh_diff, int flow_min_ocpp16_metervalues_wh_diff)
+
+{
+ char buffer[4096];
+ char command[8192];
+
+ snprintf(buffer, sizeof(buffer),
+ "level_0=%d,index=%d,flow_id=%s,src_ip=%s,dst_ip=%s,src_port=%d,dst_port=%d,total_flow_packets=%d,total_fw_packets=%d,total_bw_packets=%d,flow_duration=%f,flow_down_up_ratio=%f,flow_total_SYN_flag=%d,flow_total_RST_flag=%d,flow_total_PSH_flag=%d,flow_total_ACK_flag=%d,flow_total_URG_flag=%d,flow_total_CWE_flag=%d,flow_total_ECE_flag=%d,flow_total_FIN_flag=%d,flow_start_timestamp=%s,flow_end_timestamp=%s,flow_total_http_get_packets=%d,flow_total_http_2xx_packets=%d,flow_total_http_4xx_packets=%d,flow_total_http_5xx_packets=%d,flow_websocket_packts_per_second=%f,fw_websocket_packts_per_second=%f,bw_websocket_packts_per_second=%f,flow_websocket_bytes_per_second=%f,fw_websocket_bytes_per_second=%f,bw_websocket_bytes_per_second=%f,flow_total_websocket_ping_packets=%d,flow_total_websocket_pong_packets=%d,flow_total_websocket_close_packets=%d,flow_total_websocket_data_messages=%d,flow_total_ocpp16_heartbeat_packets=%d,flow_total_ocpp16_resetHard_packets=%d,flow_total_ocpp16_resetSoft_packets=%d,flow_total_ocpp16_unlockconnector_packets=%d,flow_total_ocpp16_starttransaction_packets=%d,flow_total_ocpp16_remotestarttransaction_packets=%d,flow_total_ocpp16_authorize_not_accepted_packets=%d,flow_total_ocpp16_setchargingprofile_packets=%d,flow_avg_ocpp16_setchargingprofile_limit=%d,flow_max_ocpp16_setchargingprofile_limit=%d,flow_min_ocpp16_setchargingprofile_limit=%d,flow_avg_ocpp16_setchargingprofile_minchargingrate=%f,flow_min_ocpp16_setchargingprofile_minchargingrate=%d,flow_max_ocpp16_setchargingprofile_minchargingrate=%d,flow_total_ocpp16_metervalues=%d,flow_min_ocpp16_metervalues_soc=%d,flow_max_ocpp16_metervalues_soc=%d,flow_avg_ocpp16_metervalues_wh_diff=%d,flow_max_ocpp16_metervalues_wh_diff=%d,flow_min_ocpp16_metervalues_wh_diff=%d",
+ level_0, index, flow_id, src_ip, dst_ip, src_port, dst_port, total_flow_packets, total_fw_packets, total_bw_packets, flow_duration, flow_down_up_ratio, flow_total_SYN_flag, flow_total_RST_flag, flow_total_PSH_flag, flow_total_ACK_flag, flow_total_URG_flag, flow_total_CWE_flag, flow_total_ECE_flag, flow_total_FIN_flag, flow_start_timestamp, flow_end_timestamp, flow_total_http_get_packets, flow_total_http_2xx_packets, flow_total_http_4xx_packets, flow_total_http_5xx_packets, flow_websocket_packts_per_second, fw_websocket_packts_per_second, bw_websocket_packts_per_second, flow_websocket_bytes_per_second, fw_websocket_bytes_per_second, bw_websocket_bytes_per_second, flow_total_websocket_ping_packets, flow_total_websocket_pong_packets, flow_total_websocket_close_packets, flow_total_websocket_data_messages, flow_total_ocpp16_heartbeat_packets, flow_total_ocpp16_resetHard_packets, flow_total_ocpp16_resetSoft_packets, flow_total_ocpp16_unlockconnector_packets, flow_total_ocpp16_starttransaction_packets, flow_total_ocpp16_remotestarttransaction_packets, flow_total_ocpp16_authorize_not_accepted_packets, flow_total_ocpp16_setchargingprofile_packets, flow_avg_ocpp16_setchargingprofile_limit, flow_max_ocpp16_setchargingprofile_limit, flow_min_ocpp16_setchargingprofile_limit, flow_avg_ocpp16_setchargingprofile_minchargingrate, flow_min_ocpp16_setchargingprofile_minchargingrate, flow_max_ocpp16_setchargingprofile_minchargingrate, flow_total_ocpp16_metervalues, flow_min_ocpp16_metervalues_soc, flow_max_ocpp16_metervalues_soc, flow_avg_ocpp16_metervalues_wh_diff, flow_max_ocpp16_metervalues_wh_diff, flow_min_ocpp16_metervalues_wh_diff);
+
+ char result[128];
+ char last_result[128] = "";
+ int prediction;
+
+ // Command to call the Python script
+ snprintf(command, sizeof(command),
+ "bash -c 'cd /home/pqv/Documents/ocpp/ && source .venv/bin/activate && python3 %s %s \"%s\"'",
+ python_script_path, model_path, buffer);
+
+
+ FILE *fp = popen(command, "r");
+ if (fp == NULL) {
+ fprintf(stderr, "Failed to run Python script.\n");
+ return -1;
+ }
+
+ // Read the output line by line
+ while (fgets(result, sizeof(result), fp) != NULL) {
+ // Store the current line into `last_result`
+ strncpy(last_result, result, sizeof(last_result) - 1);
+ last_result[sizeof(last_result) - 1] = '\0'; // Ensure null-termination
+ }
+
+ // Close the pipe
+ pclose(fp);
+
+ // Check if we captured any output
+ if (strlen(last_result) == 0) {
+ fprintf(stderr, "No output from Python script.\n");
+ return -1;
+ }
+
+ // Trim any trailing newline or whitespace from `last_result`
+ size_t len = strlen(last_result);
+ if (len > 0 && last_result[len - 1] == '\n') {
+ last_result[len - 1] = '\0';
+ }
+
+ prediction = atoi(last_result);
+ return prediction;
+}
+
+]]>
+
+
+
+
+
+
\ No newline at end of file
diff --git a/rules/200_test_rules.xml b/rules/200_test_rules.xml
deleted file mode 100644
index f280de2..0000000
--- a/rules/200_test_rules.xml
+++ /dev/null
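Review bot: `buffer` is spliced unescaped into the `bash -c '...'` string handed to popen(), and it carries flow_id, src_ip, dst_ip and both timestamps, which the mmt_dpi.h hunk in this same commit turns into MMT_STRING_DATA attributes populated from parsed traffic; a single quote or other shell metacharacter inside any of those fields terminates the quoted script and the rest of the field is run by bash on the sensor, so this is a network-reachable command-injection sink. A second defect is the return type: the function is declared `bool`, so the `return -1` on the popen() failure path and on the empty-output path converts to true, and a missing venv or a Python traceback is reported exactly like a positive prediction (pclose()'s status is also discarded, so a crashing script is still believed if its last stdout line happened to be a digit). Both snprintf() results are ignored too, so a feature string over 4096 bytes is silently truncated before scoring — guard the first one with `int n = snprintf(buffer, sizeof(buffer), ...); if (n < 0 || (size_t)n >= sizeof(buffer)) return false;`. The sketch below removes the shell entirely (fork/exec of the venv interpreter with `buffer` as its own argv element, which is the only robust mitigation — escaping the five strings by hand is fragile), checks the child's exit status, parses with strtol(), and returns false on every failure path; it needs `<unistd.h>` and `<sys/wait.h>` added to the CDATA includes, and the hard-coded /home/pqv paths plus the per-call interpreter start and model unpickle still deserve a comment saying they are deployment-specific and expensive per flow.
```c
/* … unchanged: includes, path constants, parameter list, feature string built into `buffer` … */

    /* Never let bash parse `buffer`: flow_id, src_ip, dst_ip and the timestamps are
     * attacker-influenced strings.  Exec the venv interpreter directly (the one that
     * `source .venv/bin/activate` selected) and pass the feature string as one argv element. */
    static const char *venv_dir = "/home/pqv/Documents/ocpp/";
    static const char *python_bin = "/home/pqv/Documents/ocpp/.venv/bin/python3";
    int out[2];
    if (pipe(out) != 0) {
        return false;
    }
    pid_t pid = fork();
    if (pid < 0) {
        close(out[0]);
        close(out[1]);
        return false;
    }
    if (pid == 0) {
        close(out[0]);
        if (dup2(out[1], STDOUT_FILENO) < 0 || chdir(venv_dir) != 0) {
            _exit(127);
        }
        close(out[1]);
        execl(python_bin, python_bin, python_script_path, model_path, buffer, (char *)NULL);
        _exit(127);   /* only reached if exec failed */
    }
    close(out[1]);
    FILE *fp = fdopen(out[0], "r");
    if (fp == NULL) {
        close(out[0]);
        waitpid(pid, NULL, 0);
        return false;
    }

    /* … unchanged: fgets loop keeping the last line in `last_result`, newline trim … */

    fclose(fp);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) {
        fprintf(stderr, "Python script failed (status %d); not treating as a detection.\n", status);
        return false;   /* a failed scorer must never look like a positive prediction */
    }
    char *end = NULL;
    long prediction = strtol(last_result, &end, 10);
    if (end == last_result || *end != '\0') {
        fprintf(stderr, "Unparseable prediction '%s'.\n", last_result);
        return false;
    }
    return prediction != 0;
```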
@@ -1,61 +0,0 @@
-
-
-
-
-#include
-#include
-#include "mmt_lib.h"
-
-static char* python_script_path = "";
-static char* data_path = "";
-static char* model_path = "";
-
-static bool em_predict_attack(int total_flow_packets) {
- char command[512];
- int result;
-
- // Command to call the Python script
- snprintf(command, sizeof(command),
- "python3 %s %s %s",
- python_script_path, data_path, model_path);
-
- result = system(command);
- return result;
-
- /**
- FILE *fp = popen(command, "r");
- if (fp == NULL) {
- fprintf(stderr, "Failed to run Python script.\n");
- return -1;
- }
-
- if (fgets(result, sizeof(result), fp) != NULL) {
- prediction = atoi(result); // Convert string to integer
- } else {
- fprintf(stderr, "Failed to read prediction.\n");
- pclose(fp);
- return -1;
- }
-
- pclose(fp);
- return prediction;
- **/
-}
-
-]]>
-
-
-
-
-
-
\ No newline at end of file
diff --git a/src/dpi/mmt_dpi.h b/src/dpi/mmt_dpi.h
index 78734d5..c1d18bf 100644
--- a/src/dpi/mmt_dpi.h
+++ b/src/dpi/mmt_dpi.h
@@ -1,4 +1,4 @@
-/* This code is generated automatically on 2024-12-03 12:58:19 using MMT-DPI v1.7.10 (49dde9f9). */
+/* This code is generated automatically on 2024-12-09 09:57:36 using MMT-DPI v1.7.10 (c13c3533). */
 /* If you want to modify something, goto /home/pqv/Documents/mmt-test/mmt-security/src/main_gen_dpi.c */
 #ifndef __MMT_SEC_DPI_H_
 #define __MMT_SEC_DPI_H_
@@ -9527,8 +9527,8 @@ enum data_types {
 { .gid = 7296, .id = 1, .data_type = MMT_U32_DATA , .name = "level_0"},
 { .gid = 7297, .id = 2, .data_type = MMT_U32_DATA , .name = "index"},
 { .gid = 7298, .id = 3, .data_type = MMT_STRING_DATA , .name = "flow_id"},
- { .gid = 7299, .id = 4, .data_type = MMT_DATA_IP_ADDR , .name = "src_ip"},
- { .gid = 7300, .id = 5, .data_type = MMT_DATA_IP_ADDR , .name = "dst_ip"},
+ { .gid = 7299, .id = 4, .data_type = MMT_STRING_DATA , .name = "src_ip"},
+ { .gid = 7300, .id = 5, .data_type = MMT_STRING_DATA , .name = "dst_ip"},
 { .gid = 7301, .id = 6, .data_type = MMT_U32_DATA , .name = "src_port"},
 { .gid = 7302, .id = 7, .data_type = MMT_U32_DATA , .name = "dst_port"},
 { .gid = 7303, .id = 8, .data_type = MMT_U32_DATA , .name = "total_flow_packets"},
@@ -9544,8 +9544,8 @@ enum data_types {
 { .gid = 7313, .id = 18, .data_type = MMT_U32_DATA , .name = "flow_total_CWE_flag"},
 { .gid = 7314, .id = 19, .data_type = MMT_U32_DATA , .name = "flow_total_ECE_flag"},
 { .gid = 7315, .id = 20, .data_type = MMT_U32_DATA , .name = "flow_total_FIN_flag"},
- { .gid = 7316, .id = 21, .data_type = MMT_DATA_TIMEVAL , .name = "flow_start_timestamp"},
- { .gid = 7317, .id = 22, .data_type = MMT_DATA_TIMEVAL , .name = "flow_end_timestamp"},
+ { .gid = 7316, .id = 21, .data_type = MMT_STRING_DATA , .name = "flow_start_timestamp"},
+ { .gid = 7317, .id = 22, .data_type = MMT_STRING_DATA , .name = "flow_end_timestamp"},
 { .gid = 7318, .id = 23, .data_type = MMT_U32_DATA , .name = "flow_total_http_get_packets"},
 { .gid = 7319, .id = 24, .data_type = MMT_U32_DATA , .name = "flow_total_http_2xx_packets"},
 { .gid = 7320, .id = 25, .data_type = MMT_U32_DATA , .name = "flow_total_http_4xx_packets"},
@@ -9862,6 +9862,6 @@ static inline long get_attribute_index( uint32_t p_id, uint32_t a_id ){
 return -1;
 }
 static inline const char* mmt_version(){
- return "1.7.10 (49dde9f9)";
+ return "1.7.10 (c13c3533)";
 }
 #endif //__MMT_SEC_DPI_H_
\ No newline at end of file
diff --git a/src/lib/mmt_security.c b/src/lib/mmt_security.c
index 8fc346f..eec9c36 100644
--- a/src/lib/mmt_security.c
+++ b/src/lib/mmt_security.c
@@ -396,7 +396,7 @@ static inline size_t _copy_plein_text( char *dst, int len, const char* src ){
 return size;
 }
-#define MAX_STR_SIZE 10000
+#define MAX_STR_SIZE 50000
 static size_t _get_u( const uint8_t *data, int data_len ){
 switch( data_len ){
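Review bot: The new MAX_STR_SIZE value is a bare magic number with nothing recording why 50000 is now the bound or what consumes it; every consumer sits outside the hunk, and if any of them is a stack array (`char s[MAX_STR_SIZE]`) on a per-packet path, the 5x bump turns it into a 50 KB frame that deserves a second look. Presumably the bump exists so the very long OCPP feature strings from rules/200_ocpp_dos.xml survive string-attribute copying (the hunk sits right after the end of `_copy_plein_text`, whose body starts above the hunk), so record that intent next to the define, e.g. `/* upper bound on one string attribute; raised for the OCPP flow feature vectors passed to embedded functions */`, and mention whether the value is a limit the DPI layer already enforces or one this file must check itself.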