Beispiel #1
0
    def dump(self):
        print "TCP Header"
        print "SPORT:%u DPORT:%u" % (self.sport,self.dport)
        print "SEQ:%08x ACK:%08x" % (self.seq,self.ack)
        print "HDRLEN:%04x WINDOW:%04x FLAGS:%s" % (self.offset,self.window,self._getflags())
        print "CHEKSUM:%04x URG:%04x" % (self.checksum,self.urgent)

        if len(self.options)>0:
            print "Options"
            dumphexdata(self.options)

            print "Payload"
            dumphexdata(self.payload)
    def dump(self):
        """Dump ip packet"""

        print "IP Header"
        print "Version:0x%x traffic_class:0x%02x flow_label:0x%03x" % (self.version, self.traffic_class, self.flow_label)
        print "payload_len:0x%04x next_header:0x%02x hop_limit:0x%02x" % (self.packet_len, self.protocol, self.hop_limit)
        print "SRC:%s DST:%s" % (self.src_ip, self.dst_ip)

        # Print options
        if len(self.options) > 0:
            print "Dump IP options:"
            dumphexdata(self.options)

        # Dump UDP / TCP / ICMP
        if self.packetpayload != None:
            self.packetpayload.dump()
Beispiel #3
0
    def dump(self):
        """Dump ip packet"""

        print "IP Header"
        print "Version:%02x hdrlen:%02x tos:%02x packetlen:%04x" % (self.version,self.hdrlen,self.tos,self.length)
        print "ID:%04x Flags:%02x FragOffset:%04x" % (self.id,self.flags,self.offset)
        print "TTL:%02x Protocol:%s Checksum:%04x" % (self.ttl,getprotobynumber(self.protocol),self.checksum)
        print "SRC:%s DST:%s" % (socket.inet_ntoa(struct.pack("L",socket.htonl(self.sip))), \
            socket.inet_ntoa(struct.pack("L",socket.htonl(self.dip))))

        # Print options
        if len(self.options)>0:
            print "Dump IP options:"
            dumphexdata(self.options)

        # Dump UDP / TCP / ICMP
        if self.packetpayload!=None:
            self.packetpayload.dump()
Beispiel #4
0
    def dump(self):
        """Dump ip packet"""

        print "IP Header"
        print "Version:0x%x traffic_class:0x%02x flow_label:0x%03x" % (
            self.version, self.traffic_class, self.flow_label)
        print "payload_len:0x%04x next_header:0x%02x hop_limit:0x%02x" % (
            self.packet_len, self.protocol, self.hop_limit)
        print "SRC:%s DST:%s" % (self.src_ip, self.dst_ip)

        # Print options
        if len(self.options) > 0:
            print "Dump IP options:"
            dumphexdata(self.options)

        # Dump UDP / TCP / ICMP
        if self.packetpayload != None:
            self.packetpayload.dump()
Beispiel #5
0
 def dump(self):
     print "UDP Header"
     print "SPORT:%u DPORT:%u LENGTH:%04x CHECKSUM:%04x" % (self.sport,self.dport,self.length,self.checksum)
     print "Payload"
     dumphexdata(self._payload)
Beispiel #6
0
 def dump(self):
     dumphexdata(self._data)
Beispiel #7
0
 def dump_snort_unified2_record(self, type, data):
     if type == SnortUnified.U2_TYPE_PACKET:
         print "Unified2 Packet"
         (
             sensor_id,
             event_id,
             event_second,
             packet_second,
             packet_microsecond,
             lynktype,
             packet_length,
         ) = struct.unpack(">IIIIIII", data[:28])
         print """
         sensor_id: %u
         event_id: %u
         event_second: %u
         packet_second: %u
         packet_microsecond: %u
         lynktype: %u
         packet_length: %u""" % (
             sensor_id,
             event_id,
             event_second,
             packet_second,
             packet_microsecond,
             lynktype,
             packet_length,
         )
         ev = EventSnort(">", unified_version=2, linklayertype="ethernet")
         ev.addpacket(2, data)
         dumphexdata(data[28:])
     elif type == SnortUnified.U2_TYPE_IDS_EVENT:
         print "Unified2 IDS Event"
         (
             sensor_id,
             event_id,
             event_second,
             event_microsecond,
             signature_id,
             generator_id,
             signature_revision,
             classification_id,
             priority_id,
             ip_source,
             ip_destination,
             sport_itype,
             dport_icode,
             protocol,
             packet_action,
         ) = struct.unpack(">IIIIIIIII4s4sHHBB", data)
         print """
         sensor_id: %u
         event_id: %u
         event_second: %u
         event_microsecond: %u
         signature_id: %u
         generator_id: %u
         signature_revision: %u
         classification_id: %u
         priority_id: %u
         ip_source: %s
         ip_destination:%s 
         sport_itype: %u
         dport_icode: %u
         protocol: %u
         action: %u\n""" % (
             sensor_id,
             event_id,
             event_second,
             event_microsecond,
             signature_id,
             generator_id,
             signature_revision,
             classification_id,
             priority_id,
             socket.inet_ntoa(ip_source),
             socket.inet_ntoa(ip_destination),
             sport_itype,
             dport_icode,
             protocol,
             packet_action,
         )
     else:
         print "Unified2 event no implemented %u" % type
Beispiel #8
0
    def addpacket(self, t, data):

        if self._unified_version == 1:
            if t == SnortUnified.U1_TYPE_ALERT:
                logger.debug("No packet information exists in this record.")

            elif t == SnortUnified.U1_TYPE_LOG:

                (
                    self.logflags,
                    self.tv_sec,
                    self.tv_usec,
                    self.__packet_caplen,
                    self.__packet_realcaplen,
                ) = struct.unpack(self._endian + "IIIII", data[36:56])
                self._pkt = data[56:]

                # Snort pseudopacket (from sfportscan)
                if self._pkt[0:12] == "MACDADMACDAD":
                    self.offsetip = 14

                self._ethertype, = struct.unpack("!H", self._pkt[self.offsetip - 2 : self.offsetip])
                # print "Ethertype: %04x" % self._ethertype
                if self._ethertype == ETHERNET_TYPE_IP:
                    self._packet = IPPacket(self._pkt[self.offsetip :])
                    if self._packet.version is 6:
                        logger.debug("Unsupported IP Version 6")
                        dumphexdata(self._pkt)
                        self.sip = self.dip = self.dport = self.sport = 0
                        self.protocol = self.flags = 0
                        self._packet = RawPacket(self._pkt)
                    else:
                        try:
                            self.sip = self._packet.sip
                        except:
                            self.sip = 0
                        try:
                            self.dip = self._packet.dip
                        except:
                            self.dip = 0
                        try:
                            self.dport = self._packet.dport
                        except:
                            self.dport = 0
                        try:
                            self.sport = self._packet.sport
                        except:
                            self.sport = 0
                        try:
                            self.protocol = self._packet.protocol
                        except:
                            self.protocol = 0

                    self.flags = 0

                elif self._ethertype == ETHERNET_TYPE_8021Q:  # VLAN!
                    self.offsetip += 4
                    self._packet = IPPacket(self._pkt[self.offsetip :])
                    if self._packet.version is 6:
                        logger.debug("Unsupported IP Version 6")
                        dumphexdata(self._pkt)
                        self.sip = self.dip = self.dport = self.sport = 0
                        self.protocol = self.flags = 0
                        self._packet = RawPacket(self._pkt)
                    else:
                        try:
                            self.sip = self._packet.sip
                        except:
                            self.sip = 0
                        try:
                            self.dip = self._packet.dip
                        except:
                            self.dip = 0
                        try:
                            self.dport = self._packet.dport
                        except:
                            self.dport = 0
                        try:
                            self.sport = self._packet.sport
                        except:
                            self.sport = 0
                        try:
                            self.protocol = self._packet.protocol
                        except:
                            self.protocol = 0

                    self.flags = 0

                # Further options should be added here
                else:
                    logger.info("Unsupported Ethertype: %04x" % self._ethertype)
                    dumphexdata(self._pkt)
                    self.sip = self.dip = self.dport = self.sport = 0
                    self.protocol = self.flags = 0
                    self._packet = RawPacket(self._pkt)

            else:
                raise Exception, "Unhandled unified1 record type."

        elif self._unified_version == 2:
            if t in [SnortUnified.U2_TYPE_EVENT, SnortUnified.U2_TYPE_IDS_EVENT]:
                logger.debug("No packet information exists in this record.")
            elif t == SnortUnified.U2_TYPE_PACKET:
                (
                    self.sensor_id,
                    self.event_id,
                    self.event_sec,
                    self.tv_sec,
                    self.tv_usec,
                    self._linktype,
                    self.__caplen,
                ) = struct.unpack("!IIIIIII", data[0:28])
                self._pkt = data[28:]
                self._ethertype, = struct.unpack("!H", self._pkt[self.offsetip - 2 : self.offsetip])
                if self._ethertype == ETHERNET_TYPE_IP:
                    self._packet = IPPacket(self._pkt[self.offsetip :])
                    self.flags = 0
                elif self._ethertype == ETHERNET_TYPE_8021Q:  # VLAN!
                    self.offsetip += 4
                    self._sethertype, = struct.unpack("!H", self._pkt[self.offsetip - 2 : self.offsetip])
                    if self._sethertype == ETHERNET_TYPE_IP:  # IP
                        self._packet = IPPacket(self._pkt[self.offsetip :])
                        self.flags = 0
                    elif self._sethertype == ETHERNET_TYPE_IPV6:  # IP V6
                        self._packet = IPV6Packet(self._pkt[self.offsetip :])
                        # self.src_ipv6_ip =self._packet.src_ip
                        # self.dst_ipv6_ip =self._packet.dst_ip
                        self.ipv6Event = True
                        self.flags = 0
                    else:
                        logger.info("L2 Unsupported Ethertype: %04x" % self._sethertype)
                        logger.info("Dump packet %s " % hexlify(self._pkt))
                        self.sip = self.dip = self.dport = self.sport = 0
                        self.protocol = self.flags = 0
                        self._packet = RawPacket(self._pkt)
                elif self._ethertype == ETHERNET_TYPE_IPV6:
                    self._packet = IPV6Packet(self._pkt[self.offsetip :])
                    self.ipv6Event = True
                    # self.src_ipv6_ip =self._packet.src_ip
                    # self.dst_ipv6_ip =self._packet.dst_ip
                # Further options should be added here
                else:
                    logger.info("Unsupported Ethertype: %04x" % self._ethertype)
                    dumphexdata(self._pkt)
                    self.sip = self.dip = self.dport = self.sport = 0
                    self.protocol = self.flags = 0
                    self._packet = RawPacket(self._pkt)
            else:
                raise Exception, "Unhandled unified2 record type."
Beispiel #9
0
 def dump_snort_unified2_record(self, type, data):
     if type == SnortUnified.U2_TYPE_PACKET:
         print "Unified2 Packet"
         (sensor_id, \
         event_id, \
         event_second, \
         packet_second, \
         packet_microsecond, \
         lynktype, \
         packet_length) = struct.unpack(">IIIIIII", data[:28])
         print """
         sensor_id: %u
         event_id: %u
         event_second: %u
         packet_second: %u
         packet_microsecond: %u
         lynktype: %u
         packet_length: %u""" % \
         (sensor_id, event_id, event_second, \
         packet_second, packet_microsecond, \
         lynktype, packet_length)
         ev = EventSnort(">", unified_version=2, linklayertype="ethernet")
         ev.addpacket(2, data)
         dumphexdata(data[28:])
     elif type == SnortUnified.U2_TYPE_IDS_EVENT:
         print "Unified2 IDS Event"
         (sensor_id, \
         event_id, \
         event_second, \
         event_microsecond, \
         signature_id, \
         generator_id, \
         signature_revision, \
         classification_id, \
         priority_id, \
         ip_source, \
         ip_destination, \
         sport_itype, \
         dport_icode, \
         protocol, \
         packet_action) = struct.unpack(">IIIIIIIII4s4sHHBB", data)
         print """
         sensor_id: %u
         event_id: %u
         event_second: %u
         event_microsecond: %u
         signature_id: %u
         generator_id: %u
         signature_revision: %u
         classification_id: %u
         priority_id: %u
         ip_source: %s
         ip_destination:%s 
         sport_itype: %u
         dport_icode: %u
         protocol: %u
         action: %u\n""" \
         % (sensor_id, event_id, event_second, \
         event_microsecond, signature_id, generator_id, \
         signature_revision, classification_id, priority_id, \
         socket.inet_ntoa(ip_source), \
         socket.inet_ntoa(ip_destination), \
         sport_itype, dport_icode, protocol, packet_action)
     else:
         print "Unified2 event no implemented %u" % type
Beispiel #10
0
    def addpacket(self, t, data):

        if self._unified_version == 1:
            if t == SnortUnified.U1_TYPE_ALERT:
                logger.debug("No packet information exists in this record.")

            elif t == SnortUnified.U1_TYPE_LOG:

                (self.logflags, \
                 self.tv_sec, \
                 self.tv_usec, \
                 self.__packet_caplen, \
                 self.__packet_realcaplen) = struct.unpack(self._endian + "IIIII", data[36:56])
                self._pkt = data[56:]

                # Snort pseudopacket (from sfportscan)
                if self._pkt[0:12] == "MACDADMACDAD":
                    self.offsetip = 14

                self._ethertype, = struct.unpack(
                    "!H", self._pkt[self.offsetip - 2:self.offsetip])
                #print "Ethertype: %04x" % self._ethertype
                if self._ethertype == ETHERNET_TYPE_IP:
                    self._packet = IPPacket(self._pkt[self.offsetip:])
                    if self._packet.version is 6:
                        logger.debug("Unsupported IP Version 6")
                        dumphexdata(self._pkt)
                        self.sip = self.dip = self.dport = self.sport = 0
                        self.protocol = self.flags = 0
                        self._packet = RawPacket(self._pkt)
                    else:
                        try:
                            self.sip = self._packet.sip
                        except:
                            self.sip = 0
                        try:
                            self.dip = self._packet.dip
                        except:
                            self.dip = 0
                        try:
                            self.dport = self._packet.dport
                        except:
                            self.dport = 0
                        try:
                            self.sport = self._packet.sport
                        except:
                            self.sport = 0
                        try:
                            self.protocol = self._packet.protocol
                        except:
                            self.protocol = 0

                    self.flags = 0

                elif self._ethertype == ETHERNET_TYPE_8021Q:  #VLAN!
                    self.offsetip += 4
                    self._packet = IPPacket(self._pkt[self.offsetip:])
                    if self._packet.version is 6:
                        logger.debug("Unsupported IP Version 6")
                        dumphexdata(self._pkt)
                        self.sip = self.dip = self.dport = self.sport = 0
                        self.protocol = self.flags = 0
                        self._packet = RawPacket(self._pkt)
                    else:
                        try:
                            self.sip = self._packet.sip
                        except:
                            self.sip = 0
                        try:
                            self.dip = self._packet.dip
                        except:
                            self.dip = 0
                        try:
                            self.dport = self._packet.dport
                        except:
                            self.dport = 0
                        try:
                            self.sport = self._packet.sport
                        except:
                            self.sport = 0
                        try:
                            self.protocol = self._packet.protocol
                        except:
                            self.protocol = 0

                    self.flags = 0

                #Further options should be added here
                else:
                    logger.info("Unsupported Ethertype: %04x" %
                                self._ethertype)
                    dumphexdata(self._pkt)
                    self.sip = self.dip = self.dport = self.sport = 0
                    self.protocol = self.flags = 0
                    self._packet = RawPacket(self._pkt)

            else:
                raise Exception, "Unhandled unified1 record type."

        elif self._unified_version == 2:
            if t in [
                    SnortUnified.U2_TYPE_EVENT, SnortUnified.U2_TYPE_IDS_EVENT
            ]:
                logger.debug("No packet information exists in this record.")
            elif t == SnortUnified.U2_TYPE_PACKET:
                (self.sensor_id, \
                 self.event_id, \
                 self.event_sec, \
                 self.tv_sec, \
                 self.tv_usec, \
                 self._linktype, \
                 self.__caplen) = struct.unpack("!IIIIIII", data[0:28])
                self._pkt = data[28:]
                self._ethertype, = struct.unpack(
                    "!H", self._pkt[self.offsetip - 2:self.offsetip])
                if self._ethertype == ETHERNET_TYPE_IP:
                    self._packet = IPPacket(self._pkt[self.offsetip:])
                    self.flags = 0
                elif self._ethertype == ETHERNET_TYPE_8021Q:  #VLAN!
                    self.offsetip += 4
                    self._sethertype, = struct.unpack(
                        "!H", self._pkt[self.offsetip - 2:self.offsetip])
                    if self._sethertype == ETHERNET_TYPE_IP:  #IP
                        self._packet = IPPacket(self._pkt[self.offsetip:])
                        self.flags = 0
                    elif self._sethertype == ETHERNET_TYPE_IPV6:  #IP V6
                        self.sip = self.dip = self.dport = self.sport = 0
                        self.protocol = self.flags = 0
                        self._packet = RawPacket(self._pkt)
                    else:
                        logger.info("L2 Unsupported Ethertype: %04x" %
                                    self._sethertype)
                        logger.info("Dump packet %s " % hexlify(self._pkt))
                        self.sip = self.dip = self.dport = self.sport = 0
                        self.protocol = self.flags = 0
                        self._packet = RawPacket(self._pkt)
                elif self._ethertype == ETHERNET_TYPE_IPV6:
                    self.sip = self.dip = self.dport = self.sport = 0
                    self.protocol = self.flags = 0
                    self._packet = RawPacket(self._pkt)
                #Further options should be added here
                else:
                    logger.info("Unsupported Ethertype: %04x" %
                                self._ethertype)
                    dumphexdata(self._pkt)
                    self.sip = self.dip = self.dport = self.sport = 0
                    self.protocol = self.flags = 0
                    self._packet = RawPacket(self._pkt)
            else:
                raise Exception, "Unhandled unified2 record type."