def packethandler(i,payload): dt = time() # Get IP packet data = payload.get_data() pkt = ip.IP(data) # Print some packet info # print "" print ">> Got packet, saddr: " + str(inet_ntoa(pkt.src)) + ", sport: " + str(pkt.tcp.sport) + ", daddr: " + str(inet_ntoa(pkt.dst)) + ", dport: " + str (pkt.tcp.dport) + ", seq: " + str(pkt.tcp.seq) # print "" # Start volatility script to look for the application that matches the port number f = os.popen("python vol.py -l firewire://forensic1394//0 --profile=LinuxLinux-3_13_0-24-genericx64 linux_syswall --dport " + str(pkt.tcp.dport)) content = f.readlines() decision = content[-1].strip() print ">> Volatility plugin decision is: " + decision f.close() # Act on the decision about the packet if decision == 'accept': payload.set_verdict(nfqueue.NF_ACCEPT) elif decision == 'drop': payload.set_verdict(nfqueue.NF_DROP) else: print ">> Unrecognized decision: " + decision + ", allowing packet..." print ">> Dump content:" print content payload.set_verdict(nfqueue.NF_ACCEPT) # Done with one packet print ">> Processed a packet in " + str(round((time() - dt), 2)) + "s" sys.stdout.flush() return 1
def Connection(procmon, dns, packet_id, payload): data = payload pkt = ip.IP(data) src_addr = inet_ntoa(pkt.src) dst_addr = inet_ntoa(pkt.dst) hostname = dns.get_hostname(dst_addr) src_port = None dst_port = None proto = None app = None if pkt.p == ip.IP_PROTO_TCP: proto = 'tcp' src_port = pkt.tcp.sport dst_port = pkt.tcp.dport elif pkt.p == ip.IP_PROTO_UDP: proto = 'udp' src_port = pkt.udp.sport dst_port = pkt.udp.dport elif pkt.p == ip.IP_PROTO_ICMP: proto = 'icmp' src_port = None dst_port = None if proto == 'icmp': app = Application(None, None, None) elif None not in (proto, src_addr, dst_addr): pid = proc.get_pid_by_connection(src_addr, src_port, dst_addr, dst_port, proto) app = Application(pid, *proc._get_app_path_and_cmdline(procmon, pid)) return _Connection(packet_id, data, pkt, src_addr, dst_addr, hostname, src_port, dst_port, proto, app)
def cb(payload): try: print("Packet received") print("seq: [%d]" % payload.get_seq()) print(" payload len ", payload.get_length()) try: tv = payload.get_timestamp() d = datetime.fromtimestamp(tv.tv_sec + (tv.tv_usec / 1000000.)) print(" timestamp: ", d) except RuntimeError as e: #print(e.args[0]) pass data = payload.get_data() pkt = ip.IP(data) if pkt.p == ip.IP_PROTO_ICMP: print(" ICMP: %s > %s type %d code %d" % (inet_ntoa(pkt.src),inet_ntoa(pkt.dst),pkt.icmp.type,pkt.icmp.code)) elif pkt.p == ip.IP_PROTO_TCP: print(" TCP: %s:%d > %s:%d" % (inet_ntoa(pkt.src),pkt.tcp.sport,inet_ntoa(pkt.dst),pkt.tcp.dport)) elif pkt.p == ip.IP_PROTO_UDP: print(" UDP: %s:%d > %s:%d" % (inet_ntoa(pkt.src),pkt.udp.sport,inet_ntoa(pkt.dst),pkt.udp.dport)) else: print(" unknown proto %d: %s > %s" % (pkt.p,inet_ntoa(pkt.src),inet_ntoa(pkt.dst))) sys.stdout.flush() return 1 except KeyboardInterrupt: print("interrupted in callback") global l print("stop the loop") l.stop_loop()
def cb(payload): global count print "python callback called !" count += 1 data = payload.get_data() pkt = ip.IP(data) if pkt.p == ip.IP_PROTO_TCP: print " len %d proto %s src: %s:%s dst %s:%s " % ( payload.get_length(), pkt.p, inet_ntoa(pkt.src), pkt.tcp.sport, inet_ntoa(pkt.dst), pkt.tcp.dport, ) else: print " len %d proto %s src: %s dst %s " % ( payload.get_length(), pkt.p, inet_ntoa(pkt.src), inet_ntoa(pkt.dst), ) payload.set_verdict(nfqueue.NF_ACCEPT) sys.stdout.flush() return 1
def cb(payload): print "payload len ", payload.get_length() data = payload.get_data() pkt = ip.IP(data) print "proto:", pkt.p print "source: %s" % inet_ntoa(pkt.src) print "dest: %s" % inet_ntoa(pkt.dst) if pkt.p == ip.IP_PROTO_TCP: print " sport: %s" % pkt.tcp.sport print " dport: %s" % pkt.tcp.dport print " flags: %s" % pkt.tcp.flags if pkt.tcp.flags & tcp.TH_PUSH: pkt2 = pkt print "PUSH *****" print pkt2.tcp.data old_len = len(pkt2.tcp.data) #pkt2.tcp.data = "GET /\r\n" pkt2.tcp.data = str(pkt2.tcp.data).replace('love', 'hate') print pkt2.tcp.data pkt2.len = pkt2.len - old_len + len(pkt2.tcp.data) pkt2.tcp.sum = 0 pkt2.sum = 0 ret = payload.set_verdict_modified(nfqueue.NF_ACCEPT, str(pkt2), len(pkt2)) print "ret = ", ret return 0 payload.set_verdict(nfqueue.NF_ACCEPT) sys.stdout.flush() return 1
def cb(payload): try: print "Packet received" print "seq: [%d]" % payload.get_seq() print " payload len ", payload.get_length() try: tv = payload.get_timestamp() d = datetime.fromtimestamp(tv.tv_sec + (tv.tv_usec / 1000000.)) print " timestamp: ", d except RuntimeError, e: #print e.args[0] pass data = payload.get_data() pkt = ip.IP(data) if pkt.p == ip.IP_PROTO_ICMP: print " ICMP: %s > %s type %d code %d" % (inet_ntoa(pkt.src),inet_ntoa(pkt.dst),pkt.icmp.type,pkt.icmp.code) elif pkt.p == ip.IP_PROTO_TCP: print " TCP: %s:%d > %s:%d" % (inet_ntoa(pkt.src),pkt.tcp.sport,inet_ntoa(pkt.dst),pkt.tcp.dport) elif pkt.p == ip.IP_PROTO_UDP: print " UDP: %s:%d > %s:%d" % (inet_ntoa(pkt.src),pkt.udp.sport,inet_ntoa(pkt.dst),pkt.udp.dport) else: print " unknown proto %d: %s > %s" % (pkt.p,inet_ntoa(pkt.src),inet_ntoa(pkt.dst)) sys.stdout.flush() return 1
def cb(i, payload): data = payload.get_data() pkt = ip.IP(data) print "" print "proto:", pkt.p print "source: %s" % inet_ntoa(pkt.src) print "dest: %s" % inet_ntoa(pkt.dst) text_dst = None if pkt.p == ip.IP_PROTO_TCP: print " sport: %s" % pkt.tcp.sport print " dport: %s" % pkt.tcp.dport text = "%s:%s => %s:%s" % (inet_ntoa( pkt.src), pkt.tcp.sport, inet_ntoa(pkt.dst), pkt.tcp.dport) text_dst = "%s:%s" % (inet_ntoa(pkt.dst), pkt.tcp.dport) if (not (pkt.tcp.flags & tcp.TH_SYN)): return payload.set_verdict(nfqueue.NF_ACCEPT) else: text = "%s => %s" % (inet_ntoa(pkt.src), inet_ntoa(pkt.dst)) if text_dst and decisions.has_key(text_dst): print "shortcut: %s (%d)" % (text_dst, decisions[text_dst]) return payload.set_verdict(decisions[text_dst]) reply = QMessageBox.question(None, 'accept packet ?', text, QMessageBox.Yes, QMessageBox.No) if reply == QMessageBox.Yes: payload.set_verdict(nfqueue.NF_ACCEPT) decisions[text_dst] = nfqueue.NF_ACCEPT else: payload.set_verdict(nfqueue.NF_DROP) decisions[text_dst] = nfqueue.NF_DROP return 0
def __init__(self, procmon, desktop_parser, payload): self.data = payload self.pkt = ip.IP( self.data ) self.src_addr = inet_ntoa( self.pkt.src ) self.dst_addr = inet_ntoa( self.pkt.dst ) self.hostname = None self.src_port = None self.dst_port = None self.proto = None self.app = None if self.pkt.p == ip.IP_PROTO_TCP: self.proto = 'tcp' self.src_port = self.pkt.tcp.sport self.dst_port = self.pkt.tcp.dport elif self.pkt.p == ip.IP_PROTO_UDP: self.proto = 'udp' self.src_port = self.pkt.udp.sport self.dst_port = self.pkt.udp.dport if None not in ( self.proto, self.src_addr, self.src_port, self.dst_addr, self.dst_port ): try: self.service = getservbyport( int(self.dst_port), self.proto ) except: self.service = None self.pid, self.app_path = get_pid_by_connection( procmon, self.src_addr, self.src_port, self.dst_addr, self.dst_port, self.proto ) self.app = Application(procmon, desktop_parser, self.pid, self.app_path) self.app_path = self.app.path
def main(): # Ethernet header eth = ethernet.Ethernet() eth.src = "\x00\x0c\x29\xdf\xe3\xca" eth.dst = "\x00\x0c\x29\x29\x85\xdc" eth.type = ethernet.ETH_TYPE_IP # IP header ipp = ip.IP() ipp.src = socket.inet_aton("172.168.177.133") ipp.dst = socket.inet_aton("172.168.177.136") ipp.p = ip.IP_PROTO_TCP # TCP header tcpp = tcp.TCP() tcpp.sport = 60001 tcpp.dport = 80 tcpp.flags = tcp.TH_SYN tcpp.sum = 0 tcpp.data = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x10" ipp.data = tcpp ipp.len = len(ipp.pack()) ipp.sum = 0 eth.data = ipp # open sockets using the socket handler sock_l2 = SocketHndl(iface_name="eth2", mode=SocketHndl.MODE_LAYER_2) # send raw bytes sock_l2.send(eth.pack())
def print_and_accept(pkt): global connections, tlsconnections payload = pkt.get_payload() ckey = (socket.inet_ntoa(payload[12:16]), socket.inet_ntoa(payload[16:20]), struct.unpack('!H', payload[20:22])[0], struct.unpack('!H', payload[22:24])[0]) # PHASE 1 try: if ord(payload[9]) == 6: phase1.queue_packet(payload) # phase1.process_pkt(x) if len(payload) == 40: pkt.accept() return except: traceback.print_exc(file=sys.stderr) # PHASE 2 try: if ord(payload[9]) == 6: if ckey in tlsconnections: if tlsconnections[ckey].startreplace: # x = get_packet(payload) w = ip.IP(payload) datasize = len(str(w.tcp.data)) if datasize > 0: #print 'DATA TO REPLACE' newpayload = tlsconnections[ckey].getnewpayload( datasize - 7, w.tcp.seq) if len(newpayload) > 0: print 'SENDING DATA', datetime.datetime.now() padsize = datasize - 7 - len(newpayload) newpayload += '0' * padsize payload = newpayload + struct.pack('>H', padsize) # x[TCP].payload = chr(23) + chr(3) + chr(3) + struct.pack('!H',len(payload)) + payload w.tcp.data = chr(23) + chr(3) + chr(3) + struct.pack( '!H', len(payload)) + payload w.sum = 0 w.tcp.sum = 0 changed = True pkt.set_payload(str(w)) except: print("Padsize {}".format(padsize)) traceback.print_exc(file=sys.stderr) pkt.accept()
def cb(self, i, payload): global count global countH global countHS global countWP global countO global countE print "\n\n========================Packet Detected========================" count += 1 data = payload.get_data() pkt = ip.IP(data) try: print "|-----------------------------------------------------------------|" print "| length | protocol | Source IP : Port | Destination IP : Port |" print "| %s | %s |%s:%s|%s:%s|" % (str( payload.get_length()), protocol[str(pkt.p)], inet_ntoa( pkt.src), pkt.tcp.sport, inet_ntoa(pkt.dst), pkt.tcp.dport) print "|-----------------------------------------------------------------|" except: countE += 1 e = sys.exc_info()[0] logf.write( "%d) Error.\n DateTime: %s" " \n Error: %s \n" % (str(countE), str(time.asctime(time.localtime( time.time()))), str(e))) if str(pkt.p) == "6": print "========================TCP/IP Detected========================" if str(pkt.tcp.dport) == "80": #HTTP port countH += 1 print "========================HTTP==============ACCEPTED==========" payload.set_verdict(nfqueue.NF_ACCEPT) elif str(pkt.tcp.dport) == "443": #HTTPS countHS += 1 print "========================HTTPS============ACCEPTED============" payload.set_verdict(nfqueue.NF_ACCEPT) else: countWP += 1 print "\n========================ERROR!!!!!TCP on %s. Dropping Packet========================\n" % ( str(pkt.tcp.dport)) #print "TCP on %s. Dropping Packet" % (str(pkt.tcp.dport)) payload.set_verdict(nfqueue.NF_DROP) else: countO += 1 print "\n========================NOT TCP. DROPPED========================\n" if str(inet_ntoa(pkt.dst)) == "10.100.99.32": print "\n\n\n\n================================================" print "Connecting to Abhijit? Naughty Naughty." print "404-ing you for your own good. CLOSE DOWN. NOW!" print "\n\n\n\n================================================" payload.set_verdict(nfqueue.NF_DROP) return 1 sys.stdout.flush() return 1
def handleUdp(self, payload): print ("python callback called !") data = payload.get_data() pkt = ip.IP(data) if pkt.p == ip.IP_PROTO_TCP: print (" len %d proto %s src: %s:%s dst %s:%s " % (payload.get_length(),pkt.p,inet_ntoa(pkt.src),pkt.tcp.sport,inet_ntoa(pkt.dst),pkt.tcp.dport)) else: print (" len %d proto %s src: %s dst %s " % (payload.get_length(),pkt.p,inet_ntoa(pkt.src),inet_ntoa(pkt.dst))) payload.set_verdict(nfqueue.NF_ACCEPT) return 1
def init_vj_state(slot_id, piece): vj_state = cstate() vj_state.ip = ip.IP(piece[0:20]) try: vj_state.tcp = tcp.TCP(piece[20:40]) except: try: vj_state.tcp = tcp.TCP(piece[21:41]) except: return vj_state.old_tcp = vj_state.tcp vj_state.old_ip = vj_state.ip comp_dict[slot_id] = vj_state
def process_packet(self, pkt): ip_hdr = ip.IP(pkt.get_payload()) dst_ip = Net.ipbytes_to_int(ip_hdr.dst) src_ip = Net.ipbytes_to_int(ip_hdr.src) if ip_hdr.p == ip.IP_PROTO_TCP: tcp_hdr = ip_hdr.data # See if there is a container registered to the specified dst and port container = self.container_mgr.get_container_by_endpoint( dst_ip, tcp_hdr.dport, 6) # Only track if this is for a container if container is not None: logging.debug('Found container %s', container.name) # Store the dst address of the docker container so that # when the connection is made to the proxy the proxy knows # what container to start self.container_mgr.connections.add(src_ip, tcp_hdr.sport, dst_ip, tcp_hdr.dport) pkt.set_mark(int(self.queue_num)) pkt.accept() else: pkt.drop() elif ip_hdr.p == ip.IP_PROTO_ICMP: # Drop all ICMP packets since the client will respond with # the matching container pkt.drop() container = self.container_mgr.get_container_by_ip(dst_ip) if container is not None: src = ip_hdr.src dst = ip_hdr.dst org_dst_ip = Net.ipbytes_to_str(dst) dst_ip = Net.ipbytes_to_str(src) logging.debug('Echo request for %s %s', container.name, org_dst_ip) icmp_reply = ip_hdr icmp_reply.src = dst icmp_reply.dst = src icmp_reply.data.type = icmp.ICMP_ECHOREPLY # Setting the checksums to 0 allows them to be recalculated when # converted to bytes. Wireshark will not match up requests/reply if # checksums are foo'd' icmp_reply.data.sum = 0 icmp_reply.sum = 0 self.icmp_client.sendto(bytes(icmp_reply), (dst_ip, 1))
def cb(payload): print "python callback called !" print "payload len ", payload.get_length() data = payload.get_data() pkt = ip.IP(data) print "proto:", pkt.p print "source: %s" % inet_ntoa(pkt.src) print "dest: %s" % inet_ntoa(pkt.dst) if pkt.p == ip.IP_PROTO_TCP: print " sport: %s" % pkt.tcp.sport print " dport: %s" % pkt.tcp.dport payload.set_verdict(nfqueue.NF_DROP) sys.stdout.flush() return 1
def sniff(handler): """ Sniffs packets and looks for icmp requests """ sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) sock.bind(('', 1)) while True: try: data = sock.recv(65535) ip_pkt = ip.IP() ip_pkt.unpack(data) icmp_pkt = ip_pkt.data if icmp_pkt.type == icmp.ICMP_ECHO: ip_src = socket.inet_ntoa(ip_pkt.src) ip_dst = socket.inet_ntoa(ip_pkt.dst) payload = icmp_pkt.data.data handler(payload, ip_src, ip_dst) except: sock.close()
def print_and_accept(pkt): data=pkt.get_payload() res = ip.IP(data) res2 = IP(data) i = ICMP(data) t = TCP(data) u = UDP(data) print "SOURCE IP: %s\tDESTINATION IP: %s" % (socket.inet_ntoa(res.src),socket.inet_ntoa(res.dst)) print res2.show2() resp=srp1(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst='192.168.0.34'),iface="eth0",timeout=2) print resp.dst eth_dst = resp.src eth_src = resp.dst eth = Ether(src=eth_src, dst=eth_dst) eth.type = 2048 sendp(eth/res2/res2,iface="eth0") pkt.accept()
def cb(self, i, payload): global count global countP print "\n\n========================Packet Detected========================" count += 1 data = payload.get_data() pkt = ip.IP(data) #protocol[str(pkt.p)],inet_ntoa(pkt.src),pkt.tcp.sport,inet_ntoa(pkt.dst),pkt.tcp.dport) if inet_ntoa(pkt.dst) == str(ip) or str(pkt.tcp.dport) == "80": #ICMP Protocol print "========================Dest ", inet_ntoa( pkt.dst), " Detected========================" print "========================DROPPED========================" payload.set_verdict(nfqueue.NF_DROP) else: print "========================ACCEPTED========================" payload.set_verdict(nfqueue.NF_ACCEPT)
def cb(payload): try: print "python callback called !" print "payload len ", payload.get_length() data = payload.get_data() pkt = ip.IP(data) print "proto:", pkt.p print "source: %s" % inet_ntoa(pkt.src) print "dest: %s" % inet_ntoa(pkt.dst) if pkt.p == ip.IP_PROTO_TCP: print " sport: %s" % pkt.tcp.sport print " dport: %s" % pkt.tcp.dport sys.stdout.flush() return 1 except KeyboardInterrupt: print "interrupted in callback" global l print "stop the loop" l.stop_loop()
s = (s >> 8 & 0xff) | s << 8 return s & 0xffff tmp_packet =b'\x00\x12\xc0\x02\xac\x56\x00\x12\xc0\x00\x00\x00\x08\x00\x45\x00\x00\x2e\x00\x00\x40\x00\x40\x06\x00\x00\x0a\x0a\x58\x00\x0a\x0a\x58\xac\x00\x00\x00\x50\x00\x00\x00\x00\x00\x00\x00\x00\x50\x10\x00\x10\x00\x00\x00\x00\x41\x43\x4b\x73\x77\x66' def getOnebyte(): tmp = randint(0,255) return tmp.to_bytes(1,byteorder='big',signed=False) eth = ethernet.Ethernet() eth.src = b'\x00\x12\xc0\x02\xac' + getOnebyte() eth.dst = b'x00\x12\xc0\x00\x00\x00' eth_ip = ip.IP() ip_tcp = tcp.TCP() ip_tcp.sport = 8080 ip_tcp.dport = 80 ip_tcp.seq = 0x01 ip_tcp.ack =0x88 ip_tcp.flags = tcp.TH_SYN ip_tcp.data = b'asasdadadadasdasdasdas' eth_ip.len = len(ip_tcp) + 20
from dpkt import ethernet sysintf = 'eth0' hw = dnet.eth(sysintf) intf = dnet.intf() # build a dhcp discover packet to request an ip d = dhcp.DHCP(chaddr=hw.get(), xid=1337, op=dhcp.DHCPDISCOVER, opts=((dhcp.DHCP_OP_REQUEST, ''), (dhcp.DHCP_OPT_REQ_IP, ''), (dhcp.DHCP_OPT_ROUTER, ''), (dhcp.DHCP_OPT_NETMASK, ''), (dhcp.DHCP_OPT_DNS_SVRS, ''))) # build udp packet u = udp.UDP(dport=67, sport=68, data=d) u.ulen = len(u) # build ip packet i = ip.IP(dst=dnet.ip_aton('255.255.255.255'), src=intf.get(sysintf)['addr'].ip, data=u, p=ip.IP_PROTO_UDP) i.len = len(i) # build ethernet frame e = ethernet.Ethernet(dst=dnet.ETH_ADDR_BROADCAST, src=hw.get(), data=i) # send the data out hw.send(str(e))
# Get local ip src_ip = socket.inet_pton(socket.AF_INET, interface.getnet()) # Generate broadcast ip and eth_addr broadcast_ip = socket.inet_pton(socket.AF_INET, '255.255.255.255') broadcast_eth_addr = b'\xFF\xFF\xFF\xFF\xFF\xFF' # build a dhcp discover packet to request an ip d = dhcp.DHCP(xid=1337, op=dhcp.DHCPDISCOVER, opts=((dhcp.DHCP_OP_REQUEST, b''), (dhcp.DHCP_OPT_REQ_IP, b''), (dhcp.DHCP_OPT_ROUTER, b''), (dhcp.DHCP_OPT_NETMASK, b''), (dhcp.DHCP_OPT_DNS_SVRS, b''))) # build udp packet u = udp.UDP(dport=67, sport=68, data=d) u.ulen = len(u) # build ip packet i = ip.IP(dst=broadcast_ip, src=src_ip, data=u, p=ip.IP_PROTO_UDP) i.len = len(i) # build ethernet frame e = ethernet.Ethernet(dst=broadcast_eth_addr, data=i) # Inject the packet (send it out) interface.sendpacket(bytes(e)) print('DHCP request sent!')
# Boston, MA 02110-1301, USA. """ This modules provides classes used for packet processing. """ from abc import ABCMeta import socket import struct from dpkt import dpkt, ethernet, ip, udp from . import vxfld_pb2 # Protocol version VERSION = 3 # UDP header byte length BASE_PKT_SIZE = len(ethernet.Ethernet()) + len(ip.IP()) + len(udp.UDP()) class MsgType(object): """ VXFLD message type. """ # pylint: disable=too-few-public-methods UNKNOWN = 0 # Never used REFRESH = 1 # vxrd <-> vxsnd packet PROXY = 2 # vxsnd <-> vxsnd packet for flooding and proxing SYNC = 3 # vxsnd <-> vxsnd packet for database syncing def __init__(self): raise NotImplementedError
def cb(i, payload): global pkt_counter, oo_tcp_ports, oo_words, options # every n packets, re-read list of ports if pkt_counter % 50 == 0: print "re-reading list of TCP ports" oo_tcp_ports = get_list_of_tcp_ports() print "re-reading list of words" oo_words = get_list_of_words() pkt_counter += 1 #print "payload len ", payload.get_length() data = payload.get_data() pkt = ip.IP(data) decision = nfqueue.NF_DROP #print "proto:", pkt.p #print "source: %s" % inet_ntoa(pkt.src) #print "dest: %s" % inet_ntoa(pkt.dst) if pkt.p == ip.IP_PROTO_TCP: #print " sport: %s" % pkt.tcp.sport #print " dport: %s" % pkt.tcp.dport dport = pkt.tcp.dport if dport in oo_tcp_ports: t = oo_tcp_ports[dport] if t[IDX_VERDICT] == 1: print "Port %d allowed" % dport update_stats_for_port(dport, pkt, 1) decision = nfqueue.NF_ACCEPT else: if t[IDX_VERDICT] == 0: print "Port %d dropped" % dport update_stats_for_port(dport, pkt, 0) decision = nfqueue.NF_DROP payload.set_verdict(decision) sys.stdout.flush() return 1 # don't check for packet return on SYN if pkt.tcp.flags & tcp.TH_SYN and not pkt.tcp.flags & tcp.TH_ACK: payload.set_verdict(decision) sys.stdout.flush() return 1 # crappy reverse check sport = pkt.tcp.sport if sport in oo_tcp_ports and dport >= 1024: t = oo_tcp_ports[sport] if t[IDX_VERDICT] == 1: print "S Port %d allowed" % sport #update_stats_for_port(dport, pkt, 1) decision = nfqueue.NF_ACCEPT else: print "Port %d dropped" % dport #update_stats_for_port(dport, pkt, 0) payload.set_verdict(nfqueue.NF_DROP) sys.stdout.flush() return 1 if options.do_substitution: # accepted data packet need to be modified if pkt.tcp.flags & tcp.TH_PUSH: pkt2 = pkt for word in oo_words.keys(): if str(pkt.tcp.data).find(word) != -1: # Do substitution print "Found %s word" % word print pkt2.tcp.data old_len = len(pkt2.tcp.data) pkt2.tcp.data = str(pkt2.tcp.data).replace( word, oo_words[word][1]) pkt2.len = pkt2.len - old_len + len(pkt2.tcp.data) pkt2.tcp.sum = 0 pkt2.sum = 0 update_stats_for_word(word) payload.set_verdict_modified(nfqueue.NF_ACCEPT, str(pkt2), len(pkt2)) elif decision == nfqueue.NF_DROP: payload.set_verdict(nfqueue.NF_DROP) payload.set_verdict(nfqueue.NF_ACCEPT) sys.stdout.flush() return 1