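def main():
    """Entry point: decode the DNS queries and responses seen on UDP/53.

    Command line: ``-i INTERFACE`` captures live from an interface (pcap);
    ``-f FILENAME`` reads a saved capture (dpkt.pcap.Reader). Any other
    invocation prints the usage text and exits with status 2.
    """
    # This code allows this program to run equally well on my laptop and my desktop. I did it this
    # way to demonstrate different interface names. If I was really clever, I'd figure out how to do this
    # under MS-Windows
    usage = """Use -i INTERFACE to [packet capture from an interface. Use -f FILENAME to read a packet capture file"""
    # Check the argument count before indexing sys.argv: the unguarded sys.argv[1]/[2]
    # lookups raised IndexError instead of showing usage when an argument was missing.
    if len(sys.argv) < 3:
        print usage
        sys.exit(2)
    capture_file = None
    if sys.argv[1] == "-i":
        pc = pcap.pcap(sys.argv[2])
    elif sys.argv[1] == "-f":
        # A pcap file is binary data, so open it in binary mode (text mode mangles it on
        # MS-Windows); keep the handle so it can be closed once the reader is drained.
        capture_file = open(sys.argv[2], "rb")
        pc = dpkt.pcap.Reader(capture_file)
    else:
        print usage
        sys.exit(2)
    initialize_tables()
    try:
        for (src, sport, dst, dport, data) in udp_iterator(pc):
            # Uncomment if you want to see all UDP packets
            # print "from ", socket.inet_ntoa(src),":",sport, " to ", socket.inet_ntoa(dst),":",dport
            if dport != 53 and sport != 53:
                continue
            # Captured payloads are untrusted input: a truncated or malformed DNS message
            # must not abort the whole run, so report it and move on to the next packet.
            try:
                dns = dpkt.dns.DNS(data)
            except (IndexError, dpkt.dpkt.UnpackError) as err:
                print "Could not decode DNS message (sport %d, dport %d): %r" % (sport, dport, err)
                continue
            if dport == 53:
                # UDP/53 is a DNS query
                if dns.opcode != dpkt.dns.DNS_QUERY:
                    print "A DNS packet was sent to the nameserver, but the opcode was %d instead of DNS_QUERY (this is a software error)" % dns.opcode
                if dns.qr != dpkt.dns.DNS_Q:
                    print "A DNS packet was sent to the name server, but dns.qr is not 0 and should be. It is %d" % dns.qr
                # The question section can be empty on the wire; guard before indexing it.
                if dns.qd:
                    question = dns.qd[0]
                    print "query for ", question.name, "ID is ", dns.id, "dns.qr is ", dns.qr, "query type is ", question.type, type_table[question.type]
                else:
                    print "query with an empty question section, ID is ", dns.id, "dns.qr is ", dns.qr
                print "dns.qd is ", dns.qd
            else:
                # UDP/53 is a DNS response
                print "responding to ", dns.id, "dns.qr is ", dns.qr
                if dns.qr != dpkt.dns.DNS_R:
                    print "A DNS packet was received from a name server, but dns.qr is not 1 and should be. It is %d" % dns.qr
                rcode = dns.get_rcode()
                if rcode == dpkt.dns.DNS_RCODE_NOERR:
                    print "Response has no error"
                elif rcode == dpkt.dns.DNS_RCODE_NXDOMAIN:
                    print "There is no name in this domain"
                else:
                    print "Response is something other than NOERR or NXDOMAIN %d - this software is incomplete" % rcode
                print "The response packet has %d RRs" % len(dns.an)
                # Decode the authority (NS), answer (AN) and additional (AR) sections, in that order
                for section, label in ((dns.ns, "NS"), (dns.an, "AN"), (dns.ar, "AR")):
                    for rr in section:
                        decode_dns_response(rr, label)
                print "dns.qd is ", dns.qd
    finally:
        if capture_file is not None:
            capture_file.close()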
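def main() :
    """Entry point: decode DNS traffic on UDP/53 from a live interface or a capture file.

    ``-i INTERFACE`` captures live through pcap; ``-f FILENAME`` reads a saved
    capture through dpkt.pcap.Reader. Anything else prints usage and exits 2.
    """
    # This code allows this program to run equally well on my laptop and my desktop. I did it this
    # way to demonstrate different interface names. If I was really clever, I'd figure out how to do this
    # under MS-Windows
    usage = """Use -i INTERFACE to [packet capture from an interface. Use -f FILENAME to read a packet capture file"""

    def report_query(dns) :
        """Print the header sanity checks and the first question of a query message."""
        if dns.opcode != dpkt.dns.DNS_QUERY :
            print "A DNS packet was sent to the nameserver, but the opcode was %d instead of DNS_QUERY (this is a software error)" % dns.opcode
        if dns.qr != dpkt.dns.DNS_Q :
            print "A DNS packet was sent to the name server, but dns.qr is not 0 and should be. It is %d" % dns.qr
        # A message can arrive with an empty question section; do not index it blindly.
        if dns.qd :
            q = dns.qd[0]
            print "query for ", q.name, "ID is ", dns.id, "dns.qr is ", dns.qr, "query type is ", q.type, type_table[q.type]
        else :
            print "query with an empty question section, ID is ", dns.id, "dns.qr is ", dns.qr
        print "dns.qd is ", dns.qd

    def report_response(dns) :
        """Print the header sanity checks, the rcode and every RR section of a response."""
        print "responding to ", dns.id, "dns.qr is ", dns.qr
        if dns.qr != dpkt.dns.DNS_R :
            print "A DNS packet was received from a name server, but dns.qr is not 1 and should be. It is %d" % dns.qr
        rcode = dns.get_rcode()
        if rcode == dpkt.dns.DNS_RCODE_NOERR :
            print "Response has no error"
        elif rcode == dpkt.dns.DNS_RCODE_NXDOMAIN :
            print "There is no name in this domain"
        else :
            print "Response is something other than NOERR or NXDOMAIN %d - this software is incomplete" % rcode
        print "The response packet has %d RRs" % len(dns.an)
        # Decode the authority (NS), answer (AN) and additional (AR) sections, in that order
        for section, label in ((dns.ns, "NS"), (dns.an, "AN"), (dns.ar, "AR")) :
            for rr in section :
                decode_dns_response ( rr, label )
        print "dns.qd is ", dns.qd

    # The argv lookups were unguarded; a missing argument should show usage, not a traceback.
    if len(sys.argv) < 3 :
        print usage
        sys.exit(2)
    capture_file = None
    if sys.argv[1] == "-i" :
        pc = pcap.pcap( sys.argv[2] )
    elif sys.argv[1] == "-f" :
        # Binary mode for the pcap file (text mode would corrupt it on MS-Windows); closed in the finally below.
        capture_file = open ( sys.argv[2], "rb" )
        pc = dpkt.pcap.Reader( capture_file )
    else :
        print usage
        sys.exit(2)
    initialize_tables()
    try :
        for (src, sport, dst, dport, data ) in udp_iterator(pc) :
            # Uncomment if you want to see all UDP packets
            # print "from ", socket.inet_ntoa(src),":",sport, " to ", socket.inet_ntoa(dst),":",dport
            if dport == 53 :
                handler = report_query       # UDP/53 is a DNS query
            elif sport == 53 :
                handler = report_response    # UDP/53 is a DNS response
            else :
                continue
            # Packet payloads are untrusted: skip a message dpkt cannot unpack instead of aborting the run.
            try :
                dns = dpkt.dns.DNS(data)
            except (IndexError, dpkt.dpkt.UnpackError) as err :
                print "Could not decode DNS message (sport %d, dport %d): %r" % (sport, dport, err)
                continue
            handler(dns)
    finally :
        if capture_file is not None :
            capture_file.close()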
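def main():
    """Entry point: print every mDNS message (224.0.0.251 or UDP 5353) from an interface or a capture.

    ``-i INTERFACE`` captures live through pcap; ``-f FILENAME`` reads a saved
    capture through dpkt.pcap.Reader. Any other invocation prints usage and exits 2.
    """
    # This code allows this program to run equally well on my laptop and my desktop. I did it this
    # way to demonstrate different interface names. If I was really clever, I'd figure out how to do this
    # under MS-Windows
    usage = """Use -i INTERFACE to [packet capture from an interface. Use -f FILENAME to read a packet capture file"""
    # Guard the argv lookups; a missing argument used to raise IndexError instead of showing usage.
    if len(sys.argv) < 3:
        print usage
        sys.exit(2)
    capture_file = None
    if sys.argv[1] == "-i":
        pc = pcap.pcap(sys.argv[2])
    elif sys.argv[1] == "-f":
        # pcap files are binary; open them as such (matters on MS-Windows) and close them afterwards.
        capture_file = open(sys.argv[2], "rb")
        pc = dpkt.pcap.Reader(capture_file)
    else:
        print usage
        sys.exit(2)
    initialize_tables()
    mdns_ip = socket.inet_aton('224.0.0.251')
    try:
        for (src, sport, dst, dport, data) in udp_iterator(pc):
            # Uncomment if you want to see all UDP packets
            #print "from ", socket.inet_ntoa(src),":",sport, " to ", socket.inet_ntoa(dst),":",dport
            # Keep a packet if either address is the mDNS group or either port is 5353. The
            # original then asserted on the ports, which aborted the whole capture for a packet
            # addressed to the group on another port; such packets are now just processed.
            is_mdns = src == mdns_ip or dst == mdns_ip or dport == 5353 or sport == 5353
            if not is_mdns:
                continue
            # Captured payloads are untrusted; a malformed message is reported and skipped.
            try:
                dns = dpkt.dns.DNS(data)
            except (IndexError, dpkt.dpkt.UnpackError) as err:
                print '\n', datetime.datetime.now(), socket.inet_ntoa(src), ":", sport, " to ", socket.inet_ntoa(dst), ":", dport, "undecodable DNS message:", repr(err)
                continue
            print '\n', datetime.datetime.now(), socket.inet_ntoa(src), ":", sport, " to ", socket.inet_ntoa(dst), ":", dport
            print_hdr(dns)
            #print dns.__repr__()
            #print '%r' % data
            if dns.qr == 0:
                #print "from ", socket.inet_ntoa(src),":",sport, " to ", socket.inet_ntoa(dst),":",dport,type(data),len(data),'%r' % data
                # qr == 0 marks a query
                if dns.opcode != dpkt.dns.DNS_QUERY:
                    print "A DNS packet was sent to the nameserver, but the opcode was %d instead of DNS_QUERY (this is a software error)" % dns.opcode, 'dns.id is', dns.id
                if dns.qr != dpkt.dns.DNS_Q:
                    print "A DNS packet was sent to the name server, but dns.qr is not 0 and should be. It is %d" % dns.qr
                if dns.qd:
                    for question in dns.qd:
                        print "query for ", question.name, "query type is ", question.type, type_table[question.type]
                else:
                    print "query for ", '????'
            if dns.qr == 1 or len(dns.an) > 0:
                # qr == 1 marks a response; a query carrying answers is reported the same way
                if dns.qr != dpkt.dns.DNS_R:
                    #this is not an error, a query packet may contain answers
                    print "A DNS packet was received from a name server, but dns.qr is not 1 and should be. It is %d" % dns.qr
                rcode = dns.get_rcode()
                if rcode == dpkt.dns.DNS_RCODE_NOERR:
                    pass #print "no error",
                elif rcode == dpkt.dns.DNS_RCODE_NXDOMAIN:
                    print "There is no name in this domain"
                else:
                    print "Response is something other than NOERR or NXDOMAIN %d - this software is incomplete" % rcode
                # Decode the authority (NS), answer (AN) and additional (AR) sections, in that order.
                # Debugging aid: for i, rr in enumerate(dns.an): print 'RR[%d]:%r' % (i, rr)
                for section, label in ((dns.ns, "NS"), (dns.an, "AN"), (dns.ar, "AR")):
                    for rr in section:
                        decode_dns_response(rr, label)
    finally:
        if capture_file is not None:
            capture_file.close()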
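def main() :
    """Entry point: dump the mDNS messages (224.0.0.251 or UDP 5353) seen live or in a capture file.

    ``-i INTERFACE`` captures live through pcap; ``-f FILENAME`` reads a saved
    capture through dpkt.pcap.Reader. Anything else prints usage and exits 2.
    """
    # This code allows this program to run equally well on my laptop and my desktop. I did it this
    # way to demonstrate different interface names. If I was really clever, I'd figure out how to do this
    # under MS-Windows
    usage = """Use -i INTERFACE to [packet capture from an interface. Use -f FILENAME to read a packet capture file"""

    def report_query(dns) :
        """Print the header sanity checks and every question in a query message."""
        if dns.opcode != dpkt.dns.DNS_QUERY :
            print "A DNS packet was sent to the nameserver, but the opcode was %d instead of DNS_QUERY (this is a software error)" % dns.opcode,'dns.id is',dns.id
        if dns.qr != dpkt.dns.DNS_Q :
            print "A DNS packet was sent to the name server, but dns.qr is not 0 and should be. It is %d" % dns.qr
        if not dns.qd :
            print "query for ", '????'
            return
        for q in dns.qd :
            print "query for ", q.name, "query type is ", q.type, type_table[q.type]

    def report_answers(dns) :
        """Print the rcode and decode the NS, AN and AR sections of a message that carries answers."""
        if dns.qr != dpkt.dns.DNS_R :
            #this is not an error, a query packet may contain answers
            print "A DNS packet was received from a name server, but dns.qr is not 1 and should be. It is %d" % dns.qr
        rcode = dns.get_rcode()
        if rcode == dpkt.dns.DNS_RCODE_NXDOMAIN :
            print "There is no name in this domain"
        elif rcode != dpkt.dns.DNS_RCODE_NOERR :
            print "Response is something other than NOERR or NXDOMAIN %d - this software is incomplete" % rcode
        # NOERR prints nothing (the original had `#print "no error",` commented out).
        # Debugging aid: for i, rr in enumerate(dns.an): print 'RR[%d]:%r' % (i, rr)
        for section, label in ((dns.ns, "NS"), (dns.an, "AN"), (dns.ar, "AR")) :
            for rr in section :
                decode_dns_response ( rr, label )

    # Unguarded sys.argv indexing raised IndexError on a missing argument; show usage instead.
    if len(sys.argv) < 3 :
        print usage
        sys.exit(2)
    capture_file = None
    if sys.argv[1] == "-i" :
        pc = pcap.pcap( sys.argv[2] )
    elif sys.argv[1] == "-f" :
        # Binary mode for the pcap file (text mode corrupts it on MS-Windows); closed in the finally below.
        capture_file = open ( sys.argv[2], "rb" )
        pc = dpkt.pcap.Reader( capture_file )
    else :
        print usage
        sys.exit(2)
    initialize_tables()
    mdns_ip = socket.inet_aton('224.0.0.251')
    try :
        for (src, sport, dst, dport, data ) in udp_iterator(pc) :
            # Uncomment if you want to see all UDP packets
            #print "from ", socket.inet_ntoa(src),":",sport, " to ", socket.inet_ntoa(dst),":",dport
            # The original filter followed by `assert dport == 5353 or sport == 5353` aborted the
            # whole capture on a packet addressed to the mDNS group on another port. Keep the
            # same inclusive filter and drop the assert: packet contents are not invariants.
            if not (src == mdns_ip or dst == mdns_ip or dport == 5353 or sport == 5353) :
                continue
            where = (datetime.datetime.now(), socket.inet_ntoa(src), ":", sport, " to ", socket.inet_ntoa(dst), ":", dport)
            # Untrusted payload: report and skip anything dpkt cannot unpack.
            try :
                dns = dpkt.dns.DNS(data)
            except (IndexError, dpkt.dpkt.UnpackError) as err :
                print '\n', where[0], where[1], where[2], where[3], where[4], where[5], where[6], where[7], "undecodable DNS message:", repr(err)
                continue
            print '\n', where[0], where[1], where[2], where[3], where[4], where[5], where[6], where[7]
            print_hdr(dns)
            #print dns.__repr__()
            #print '%r' % data
            if dns.qr == 0 :
                report_query(dns)
            if dns.qr == 1 or len(dns.an) > 0 :
                report_answers(dns)
    finally :
        if capture_file is not None :
            capture_file.close()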
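def processa(src, dst, sport, dport, data, timestamp):
    """Classify one UDP/DNS packet and write it to the query, response or alarm log.

    Args:
        src, dst: packed IPv4 addresses (socket.inet_aton form). They are compared
            in packed form against dns_blacklist / dns_whitelist on purpose: the
            comparison is cheap and needs no conversion.
        sport, dport: UDP ports, passed through to the reply helpers.
        data: raw DNS payload.
        timestamp: capture time as a POSIX timestamp (float).

    Queries sent to a blacklisted resolver are written to output_ALARM and, when
    crea_risposta is 1 or 2, handed to manda_risposta_fantoccio /
    manda_risposta_NXD; queries to resolvers outside dns_whitelist go to output_Q.
    NOERR answers go to output_R_ok and NXDOMAIN answers to output_R_no, in both
    cases only when the queried name does not match `regexp`. Packets dpkt reports
    as truncated (NeedData) are counted in the module-level `errati`; packets it
    cannot unpack at all are printed and skipped.
    """
    global errati
    # loadSitiMalevoli()
    try:
        sorgente = socket.inet_ntoa(src)
        destinazione = socket.inet_ntoa(dst)
        # Round to nanoseconds before converting, as before, then render as text.
        timestamp = str(datetime.fromtimestamp(float("{:.9f}".format(timestamp))))
        try:
            dns = dpkt.dns.DNS(data)
        except (IndexError, dpkt.dpkt.UnpackError) as x:
            print x
            return
        # dns.qd[0] raised IndexError on an empty question section, and the outer
        # handler does not catch IndexError; skip such packets instead of crashing.
        if not dns.qd:
            return
        nome = dns.qd[0].name
        # NOTE(review): `nome` comes straight from the wire. A name containing ',' or a
        # newline would break the comma-separated log lines built below; consider
        # escaping it before logging.
        if dns.qr == dpkt.dns.DNS_Q:
            # Query: src is the client, dst the resolver it asked.
            if dst in dns_blacklist:
                # Alarm: the client asked a resolver that is not permitted.
                if crea_risposta == 1:
                    manda_risposta_fantoccio(dns, sorgente, destinazione, sport, dport)
                if crea_risposta == 2:
                    manda_risposta_NXD(dns, sorgente, destinazione, sport, dport)
                line = timestamp + ", " + sorgente + ", " + destinazione + "," + nome + ", DomandaADnsNonLecito"
                scrivi(line, output_ALARM)
            if dst not in dns_whitelist:
                line = timestamp + ", " + sorgente + ", " + destinazione + ", " + nome
                scrivi(line, output_Q)
        elif dns.qr == dpkt.dns.DNS_R:
            # Response: the resolver is now src and the client dst, so the
            # (client, resolver) columns are written in swapped order.
            # The original called regexp.match(sito, re.IGNORECASE). `regexp` must be a
            # compiled pattern (the re module's match() would reject an int as the string),
            # and a compiled pattern's second positional argument is `pos`, not flags, so
            # matching silently started at offset 2. Match from the start instead; case-
            # insensitivity has to be set where `regexp` is compiled -- confirm that.
            escluso = regexp.match(nome) is None
            rcode = dns.get_rcode()
            if rcode == dpkt.dns.DNS_RCODE_NOERR:
                if src in dns_blacklist:
                    # Alarm: an answer came from a resolver that is not permitted.
                    line = timestamp + ", " + destinazione + ", " + sorgente + "," + nome + ", RispostaDaDnsNonLecito"
                    scrivi(line, output_ALARM)
                # Only resolved names outside the `regexp` (university) pattern are logged.
                if escluso:
                    line = timestamp + ", " + destinazione + ", " + sorgente + ", " + nome
                    scrivi(line, output_R_ok)
            elif rcode == dpkt.dns.DNS_RCODE_NXDOMAIN:
                # Likewise, only failed lookups outside the pattern are logged.
                if escluso:
                    line = timestamp + ", " + destinazione + ", " + sorgente + ", " + nome
                    scrivi(line, output_R_no)
    except dpkt.dpkt.NeedData:
        # The original `except dpkt.dpkt.NeedData, KeyboardInterrupt:` is Python 2's
        # `except A as name` form: it bound the exception to the name KeyboardInterrupt
        # and caught only NeedData. Count NeedData here and let Ctrl-C propagate.
        errati = errati + 1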