def handletcp(tcp):
id = 0
showmatch = False
addrkey = tcp.addr
((src, sport), (dst, dport)) = tcp.addr
if not configopts['linemode']:
if configopts['tcpdone']:
if configopts['udpdone']:
if configopts['verbose'] and configopts['verboselevel'] >= 1:
if addrkey in opentcpflows: id = opentcpflows[addrkey]['id']
doinfo('[IP#%d.TCP#%d] Done inspecting max packets (%d) and max streams (%d), preparing for exit' % (
opentcpflows[addrkey]['ipct'],
opentcpflows[addrkey]['id'],
configopts['maxinsppackets'],
configopts['maxinspstreams']))
exitwithstats()
else:
if configopts['verbose'] and configopts['verboselevel'] >= 1:
if addrkey in opentcpflows: id = opentcpflows[addrkey]['id']
doinfo('[IP#%d.TCP#%d] Ignoring stream %s:%s %s %s:%s { insptcppacketct: %d == maxinspstreams: %d }' % (
opentcpflows[addrkey]['ipct'],
opentcpflows[addrkey]['id'],
src,
sport,
dst,
dport,
configopts['insptcppacketct'],
configopts['maxinspstreams']))
return
regexes = []
fuzzpatterns = []
yararuleobjects = []
timestamp = datetime.datetime.fromtimestamp(nids.get_pkt_ts()).strftime('%H:%M:%S | %Y/%m/%d')
endstates = [ nids.NIDS_CLOSE, nids.NIDS_TIMED_OUT, nids.NIDS_RESET ]
inspectcts = False
inspectstc = False
if len(configopts['ctsregexes']) > 0 or len(configopts['ctsfuzzpatterns']) > 0 or len(configopts['ctsyararules']) > 0:
inspectcts = True
if len(configopts['stcregexes']) > 0 or len(configopts['stcfuzzpatterns']) > 0 or len(configopts['stcyararules']) > 0:
inspectstc = True
if tcp.nids_state == nids.NIDS_JUST_EST:
if addrkey not in opentcpflows:
tcp.server.collect = 0
tcp.client.collect = 0
if configopts['verbose'] and configopts['verboselevel'] >= 1:
doinfo('[IP#%d.TCP#%d] %s:%s - %s:%s remains untracked { IP tracking missed this flow }' % (
opentcpflows[addrkey]['ipct'],
opentcpflows[addrkey]['id'],
src,
sport,
dst,
dport))
else:
configopts['insptcpstreamct'] += 1
if configopts['verbose'] and configopts['verboselevel'] >= 1:
doinfo('[IP#%d.TCP#%d] %s:%s - %s:%s [NEW] { TRACKED: %d }' % (
opentcpflows[addrkey]['ipct'],
opentcpflows[addrkey]['id'],
src,
sport,
dst,
dport,
len(opentcpflows)))
if configopts['linemode'] or 'shellcode' in configopts['inspectionmodes']:
tcp.server.collect = 1
tcp.client.collect = 1
if configopts['verbose'] and configopts['verboselevel'] >= 1:
doinfo('[IP#%d.TCP#%d] Enabled both CTS and STC data collection for %s:%s - %s:%s' % (
opentcpflows[addrkey]['ipct'],
opentcpflows[addrkey]['id'],
src,
sport,
dst,
dport))
else:
if inspectcts or 'shellcode' in configopts['inspectionmodes']:
tcp.server.collect = 1
if configopts['verbose'] and configopts['verboselevel'] >= 1:
doinfo('[IP#%d.TCP#%d] Enabled CTS data collection for %s:%s - %s:%s' % (
opentcpflows[addrkey]['ipct'],
opentcpflows[addrkey]['id'],
src,
sport,
dst,
dport))
if inspectstc or 'shellcode' in configopts['inspectionmodes']:
tcp.client.collect = 1
if configopts['verbose'] and configopts['verboselevel'] >= 1:
doinfo('[IP#%d.TCP#%d] Enabled STC data collection for %s:%s - %s:%s' % (
opentcpflows[addrkey]['ipct'],
opentcpflows[addrkey]['id'],
src,
sport,
dst,
dport))
if tcp.nids_state == nids.NIDS_DATA:
tcp.discard(0)
configopts['insptcppacketct'] += 1
if tcp.server.count_new > 0:
direction = configopts['ctsdirectionstring']
directionflag = configopts['ctsdirectionflag']
count = tcp.server.count
newcount = tcp.server.count_new
start = tcp.server.count - tcp.server.count_new
end = tcp.server.count
opentcpflows[addrkey]['totdatasize'] += tcp.server.count_new
if configopts['offset'] > 0 and configopts['offset'] < count:
offset = configopts['offset']
else:
offset = 0
if configopts['depth'] > 0 and configopts['depth'] <= (count - offset):
depth = configopts['depth'] + offset
else:
depth = count
offset += opentcpflows[addrkey]['multimatchskipoffset']
configopts['inspoffset'] = offset
inspdata = tcp.server.data[offset:depth]
inspdatalen = len(inspdata)
if 'regex' in configopts['inspectionmodes']:
for regex in configopts['ctsregexes'].keys():
regexes.append(regex)
if 'fuzzy' in configopts['inspectionmodes']:
for fuzzpattern in configopts['ctsfuzzpatterns']:
fuzzpatterns.append(fuzzpattern)
if 'yara' in configopts['inspectionmodes']:
for yararuleobj in configopts['ctsyararules']:
yararuleobjects.append(yararuleobj)
if tcp.client.count_new > 0:
direction = configopts['stcdirectionstring']
directionflag = configopts['stcdirectionflag']
count = tcp.client.count
newcount = tcp.client.count_new
start = tcp.client.count - tcp.client.count_new
end = tcp.client.count
opentcpflows[addrkey]['totdatasize'] += tcp.client.count_new
if configopts['offset'] > 0 and configopts['offset'] < count:
offset = configopts['offset']
else:
offset = 0
offset += opentcpflows[addrkey]['multimatchskipoffset']
configopts['inspoffset'] = offset
if configopts['depth'] > 0 and configopts['depth'] < (count - offset):
depth = offset + configopts['depth']
else:
depth = count
inspdata = tcp.client.data[offset:depth]
inspdatalen = len(inspdata)
if 'regex' in configopts['inspectionmodes']:
for regex in configopts['stcregexes'].keys():
regexes.append(regex)
if 'fuzzy' in configopts['inspectionmodes']:
for fuzzpattern in configopts['stcfuzzpatterns']:
fuzzpatterns.append(fuzzpattern)
if 'yara' in configopts['inspectionmodes']:
for yararuleobj in configopts['stcyararules']:
yararuleobjects.append(yararuleobj)
if configopts['verbose'] and configopts['verboselevel'] >= 1:
doinfo('[IP#%d.TCP#%d] %s:%s %s %s:%s [%dB] { CTS: %d, STC: %d, TOT: %d }' % (
opentcpflows[addrkey]['ipct'],
opentcpflows[addrkey]['id'],
src,
sport,
directionflag,
dst,
dport,
newcount,
tcp.server.count,
tcp.client.count,
opentcpflows[addrkey]['totdatasize']))
if configopts['linemode']:
matchstats['addr'] = addrkey
matchstats['start'] = start
matchstats['end'] = end
matchstats['matchsize'] = matchstats['end'] - matchstats['start']
matchstats['direction'] = direction
matchstats['directionflag'] = directionflag
donorm('[IP#%d.TCP#%d] Skipping inspection as linemode is enabled.' % (opentcpflows[addrkey]['ipct'], opentcpflows[addrkey]['id']))
showtcpmatches(inspdata[matchstats['start']:matchstats['end']])
if configopts['writepcap']:
markmatchedippackets(addrkey)
return
if configopts['maxinspstreams'] != 0 and configopts['insptcppacketct'] >= configopts['maxinspstreams']:
configopts['tcpdone'] = True
if configopts['verbose'] and configopts['verboselevel'] >= 1:
doinfo('[IP#%d.TCP#%d] Initiating inspection on %s[%d:%d] - %dB' % (
opentcpflows[addrkey]['ipct'],
opentcpflows[addrkey]['id'],
direction,
offset,
depth,
inspdatalen))
matched = inspect('TCP', inspdata, inspdatalen, regexes, fuzzpatterns, yararuleobjects, addrkey, direction, directionflag)
if matched:
if configopts['killtcp']: tcp.kill
if configopts['writepcap']:
markmatchedippackets(addrkey)
elif configopts['writepcapfast']:
if addrkey in ippacketsdict.keys() and ippacketsdict[addrkey]['proto'] == 'TCP':
ippacketsdict[addrkey]['matched'] = True
ippacketsdict[addrkey]['id'] = opentcpflows[addrkey]['id']
ippacketsdict[addrkey]['matchedid'] = len(ippacketsdict[addrkey].keys()) - configopts['ipmetavars']
else:
((sip, sp), (dip, dp)) = addrkey
newaddrkey = ((dip, dp), (sip, sp))
if newaddrkey in ippacketsdict.keys() and ippacketsdict[newaddrkey]['proto'] == 'TCP':
ippacketsdict[newaddrkey]['matched'] = True
ippacketsdict[newaddrkey]['id'] = opentcpflows[newaddrkey]['id']
ippacketsdict[newaddrkey]['matchedid'] = len(ippacketsdict[newaddrkey].keys()) - configopts['ipmetavars']
if direction == configopts['ctsdirectionstring']:
matchstats['direction'] = configopts['ctsdirectionstring']
matchstats['directionflag'] = configopts['ctsdirectionflag']
elif direction == 'STC':
matchstats['direction'] = configopts['stcdirectionstring']
matchstats['directionflag'] = configopts['stcdirectionflag']
if configopts['tcpmatches'] == 0:
configopts['shortestmatch']['stream'] = matchstats['matchsize']
configopts['shortestmatch']['streamid'] = opentcpflows[addrkey]['id']
configopts['longestmatch']['stream'] = matchstats['matchsize']
configopts['longestmatch']['streamid'] = opentcpflows[addrkey]['id']
else:
if matchstats['matchsize'] <= configopts['shortestmatch']['stream']:
configopts['shortestmatch']['stream'] = matchstats['matchsize']
configopts['shortestmatch']['streamid'] = opentcpflows[addrkey]['id']
if matchstats['matchsize'] >= configopts['longestmatch']['stream']:
configopts['longestmatch']['stream'] = matchstats['matchsize']
configopts['longestmatch']['streamid'] = opentcpflows[addrkey]['id']
configopts['tcpmatches'] += 1
matchstats['addr'] = addrkey
showtcpmatches(inspdata[matchstats['start']:matchstats['end']])
if not configopts['tcpmultimatch']:
tcp.server.collect = 0
tcp.client.collect = 0
if configopts['verbose'] and configopts['verboselevel'] >= 1:
doinfo('[IP#%d.TCP#%d] %s:%s - %s:%s not being tracked any further { tcpmultimatch: %s }' % (
opentcpflows[addrkey]['ipct'],
opentcpflows[addrkey]['id'],
src,
sport,
dst,
dport,
configopts['tcpmultimatch']))
del opentcpflows[addrkey]
else:
if direction == configopts['ctsdirectionstring']:
opentcpflows[addrkey]['ctspacketlendict'].clear()
elif direction == configopts['stcdirectionstring']:
opentcpflows[addrkey]['stcpacketlendict'].clear()
opentcpflows[addrkey]['multimatchskipoffset'] += matchstats['end']
if configopts['verbose'] and configopts['verboselevel'] >= 1:
doinfo('[IP#%d.TCP#%d] Marked %dB to be skipped for further %s inspection' % (
opentcpflows[addrkey]['ipct'],
opentcpflows[addrkey]['id'],
opentcpflows[addrkey]['multimatchskipoffset'],
direction))
else:
opentcpflows[addrkey]['previnspbufsize'] = inspdatalen
if tcp.nids_state in endstates:
if addrkey in opentcpflows:
ipct = opentcpflows[addrkey]['ipct']
id = opentcpflows[addrkey]['id']
del opentcpflows[addrkey]
if configopts['verbose'] and configopts['verboselevel'] >= 1:
if tcp.nids_state == nids.NIDS_CLOSE: state = 'FIN'
elif tcp.nids_state == nids.NIDS_TIMED_OUT: state = 'TIMED_OUT'
elif tcp.nids_state == nids.NIDS_RESET: state = 'RST'
else: state = 'UNKNOWN'
doinfo('[IP#%d.TCP#%d] %s:%s - %s:%s [%s] { TRACKED: %d }' % (
ipct,
id,
src,
sport,
dst,
dport,
state,
len(opentcpflows)))
except OSError as e:
if e.errno != errno.EEXIST:
raise
i = 0
last = ''
j = 0
files = glob.glob("tocheck/*.jpg")
ammount = len(files)
f = open('contours.cnt', 'rb')
contours = pickle.load(f)
f.close()
for file in files:
if i == 0 :
n = inspector.inspect(str(file), contours)
last = str(n)
copyfile(file, 'sorted/{}/{}'.format(n, file[8:]))
i=1
else :
i = 0
copyfile(file, 'sorted/{}/{}'.format(last, file[8:]))
j+=1
if j % 5 == 0 : print("{0:.02f}%".format(j/ammount*100))
print('Done')
def handleudp(addr, payload, pkt):
showmatch = False
addrkey = addr
((src, sport), (dst, dport)) = addr
count = len(payload)
start = 0
end = count
data = payload
if len(configopts['ctsregexes']) > 0 or len(configopts['ctsfuzzpatterns']) > 0 or len(configopts['ctsyararules']) > 0:
inspectcts = True
else:
inspectcts = False
if len(configopts['stcregexes']) > 0 or len(configopts['stcfuzzpatterns']) > 0 or len(configopts['stcyararules']) > 0:
inspectstc = True
else:
inspectstc = False
keya = "%s:%s" % (src, sport)
keyb = "%s:%s" % (dst, dport)
key = None
if keya in openudpflows:
key = "%s:%s" % (src, sport)
keydst = "%s:%s" % (dst, dport)
direction = configopts['ctsdirectionstring']
directionflag = configopts['ctsdirectionflag']
elif keyb in openudpflows:
key = "%s:%s" % (dst, dport)
keydst = "%s:%s" % (src, sport)
direction = configopts['stcdirectionstring']
directionflag = configopts['stcdirectionflag']
if key in openudpflows and openudpflows[key]['keydst'] == keydst:
openudpflows[key]['totdatasize'] += count
else:
if configopts['verbose'] and configopts['verboselevel'] >= 1:
doinfo('[IP#%d.UDP#%d] %s:%s - %s:%s remains untracked { IP tracking missed this flow }' % (
openudpflows[key]['ipct'],
openudpflows[key]['id'],
src,
sport,
dst,
dport))
regexes = []
fuzzpatterns = []
yararuleobjects = []
timestamp = datetime.datetime.fromtimestamp(nids.get_pkt_ts()).strftime('%H:%M:%S | %Y/%m/%d')
if direction == configopts['ctsdirectionstring']:
openudpflows[key]['ctsdatasize'] += count
if 'regex' in configopts['inspectionmodes']:
for regex in configopts['ctsregexes']:
regexes.append(regex)
if 'fuzzy' in configopts['inspectionmodes']:
for fuzzpattern in configopts['ctsfuzzpatterns']:
fuzzpatterns.append(fuzzpattern)
if 'yara' in configopts['inspectionmodes']:
for yararuleobj in configopts['ctsyararules']:
yararuleobjects.append(yararuleobj)
elif direction == configopts['stcdirectionstring']:
openudpflows[key]['stcdatasize'] += count
if 'regex' in configopts['inspectionmodes']:
for regex in configopts['stcregexes']:
regexes.append(regex)
if 'fuzzy' in configopts['inspectionmodes']:
for fuzzpattern in configopts['stcfuzzpatterns']:
fuzzpatterns.append(fuzzpattern)
if 'yara' in configopts['inspectionmodes']:
for yararuleobj in configopts['stcyararules']:
yararuleobjects.append(yararuleobj)
if configopts['verbose'] and configopts['verboselevel'] >= 1:
doinfo('[IP#%d.UDP#%d] %s %s %s [%dB] { TRACKED: %d } { CTS: %dB, STC: %dB, TOT: %dB }' % (
openudpflows[key]['ipct'],
openudpflows[key]['id'],
key,
directionflag,
keydst,
count,
len(openudpflows),
openudpflows[key]['ctsdatasize'],
openudpflows[key]['stcdatasize'],
openudpflows[key]['totdatasize']))
if not configopts['linemode']:
if configopts['udpdone']:
if configopts['tcpdone']:
if configopts['verbose'] and configopts['verboselevel'] >= 1:
doinfo('Done inspecting max packets (%d) and max streams (%d), \
preparing for exit' % (
configopts['maxinsppackets'],
configopts['maxinspstreams']))
exitwithstats()
else:
if configopts['verbose'] and configopts['verboselevel'] >= 1:
doinfo('Ignoring packet %s:%s %s %s:%s { inspudppacketct: %d == maxinsppackets: %d }' % (
src,
sport,
dst,
dport,
configopts['inspudppacketct'],
configopts['maxinsppackets']))
return
configopts['inspudppacketct'] += 1
if configopts['linemode']:
matchstats['addr'] = addrkey
matchstats['start'] = start
matchstats['end'] = end
matchstats['matchsize'] = matchstats['end'] - matchstats['start']
matchstats['direction'] = direction
matchstats['directionflag'] = directionflag
if configopts['verbose'] and configopts['verboselevel'] >= 1:
doinfo('[IP#%d.UDP#%d] Skipping inspection as linemode is enabled.' % (
openudpflows[key]['ipct'],
openudpflows[key]['id']))
showudpmatches(data[matchstats['start']:matchstats['end']])
if configopts['writepcap']:
markmatchedippackets(addrkey)
return
if configopts['maxinsppackets'] != 0 and configopts['inspudppacketct'] >= configopts['maxinsppackets']:
configopts['udpdone'] = True
if configopts['offset'] > 0 and configopts['offset'] < count:
offset = configopts['offset']
else:
offset = 0
if configopts['depth'] > 0 and configopts['depth'] <= (count - offset):
depth = configopts['depth'] + offset
else:
depth = count
inspdata = data[offset:depth]
inspdatalen = len(inspdata)
if configopts['verbose'] and configopts['verboselevel'] >= 1:
doinfo('[IP#%d.UDP#%d] Initiating inspection on %s[%d:%d] - %dB' % (
openudpflows[key]['ipct'],
openudpflows[key]['id'],
direction,
offset,
depth,
inspdatalen))
matched = inspect('UDP', inspdata, inspdatalen, regexes, fuzzpatterns, yararuleobjects, addrkey, direction, directionflag)
if matched:
openudpflows[key]['matches'] += 1
if configopts['writepcap']:
markmatchedippackets(addrkey)
if configopts['writepcapfast']:
if addrkey in ippacketsdict.keys() and ippacketsdict[addrkey]['proto'] == 'UDP':
ippacketsdict[addrkey]['matched'] = True
ippacketsdict[addrkey]['id'] = configopts['packetct']
ippacketsdict[addrkey]['matchedid'] = len(ippacketsdict[addrkey].keys()) - configopts['ipmetavars']
else:
((sip, sp), (dip, dp)) = addrkey
newaddrkey = ((dip, dp), (sip, sp))
if newaddrkey in ippacketsdict.keys() and ippacketsdict[newaddrkey]['proto'] == 'UDP':
ippacketsdict[newaddrkey]['matched'] = True
ippacketsdict[newaddrkey]['id'] = configopts['packetct']
ippacketsdict[newaddrkey]['matchedid'] = len(ippacketsdict[newaddrkey].keys()) - configopts['ipmetavars']
matchstats['start'] += offset
matchstats['end'] += offset
matchstats['direction'] = direction
matchstats['directionflag'] = directionflag
if configopts['udpmatches'] == 0:
configopts['shortestmatch']['packet'] = matchstats['matchsize']
configopts['shortestmatch']['packetid'] = configopts['packetct']
configopts['longestmatch']['packet'] = matchstats['matchsize']
configopts['longestmatch']['packetid'] = configopts['packetct']
else:
if matchstats['matchsize'] <= configopts['shortestmatch']['packet']:
configopts['shortestmatch']['packet'] = matchstats['matchsize']
configopts['shortestmatch']['packetid'] = configopts['packetct']
if matchstats['matchsize'] >= configopts['longestmatch']['packet']:
configopts['longestmatch']['packet'] = matchstats['matchsize']
configopts['longestmatch']['packetid'] = configopts['packetct']
configopts['udpmatches'] += 1
matchstats['addr'] = addrkey
showudpmatches(data[matchstats['start']:matchstats['end']])
del openudpflows[key]
def handleudp(addr, payload, pkt):
showmatch = False
addrkey = addr
((src, sport), (dst, dport)) = addr
count = len(payload)
start = 0
end = count
data = payload
if len(configopts['ctsregexes']) > 0 or len(
configopts['ctsfuzzpatterns']) > 0 or len(
configopts['ctsyararules']) > 0:
inspectcts = True
else:
inspectcts = False
if len(configopts['stcregexes']) > 0 or len(
configopts['stcfuzzpatterns']) > 0 or len(
configopts['stcyararules']) > 0:
inspectstc = True
else:
inspectstc = False
keya = "%s:%s" % (src, sport)
keyb = "%s:%s" % (dst, dport)
key = None
if keya in openudpflows:
key = "%s:%s" % (src, sport)
keydst = "%s:%s" % (dst, dport)
direction = configopts['ctsdirectionstring']
directionflag = configopts['ctsdirectionflag']
elif keyb in openudpflows:
key = "%s:%s" % (dst, dport)
keydst = "%s:%s" % (src, sport)
direction = configopts['stcdirectionstring']
directionflag = configopts['stcdirectionflag']
if key in openudpflows and openudpflows[key]['keydst'] == keydst:
openudpflows[key]['totdatasize'] += count
else:
if configopts['verbose'] and configopts['verboselevel'] >= 1:
doinfo(
'[IP#%d.UDP#%d] %s:%s - %s:%s remains untracked { IP tracking missed this flow }'
% (openudpflows[key]['ipct'], openudpflows[key]['id'], src,
sport, dst, dport))
regexes = []
fuzzpatterns = []
yararuleobjects = []
timestamp = datetime.datetime.fromtimestamp(
nids.get_pkt_ts()).strftime('%H:%M:%S | %Y/%m/%d')
if direction == configopts['ctsdirectionstring']:
openudpflows[key]['ctsdatasize'] += count
if 'regex' in configopts['inspectionmodes']:
for regex in configopts['ctsregexes']:
regexes.append(regex)
if 'fuzzy' in configopts['inspectionmodes']:
for fuzzpattern in configopts['ctsfuzzpatterns']:
fuzzpatterns.append(fuzzpattern)
if 'yara' in configopts['inspectionmodes']:
for yararuleobj in configopts['ctsyararules']:
yararuleobjects.append(yararuleobj)
elif direction == configopts['stcdirectionstring']:
openudpflows[key]['stcdatasize'] += count
if 'regex' in configopts['inspectionmodes']:
for regex in configopts['stcregexes']:
regexes.append(regex)
if 'fuzzy' in configopts['inspectionmodes']:
for fuzzpattern in configopts['stcfuzzpatterns']:
fuzzpatterns.append(fuzzpattern)
if 'yara' in configopts['inspectionmodes']:
for yararuleobj in configopts['stcyararules']:
yararuleobjects.append(yararuleobj)
if configopts['verbose'] and configopts['verboselevel'] >= 1:
doinfo(
'[IP#%d.UDP#%d] %s %s %s [%dB] { TRACKED: %d } { CTS: %dB, STC: %dB, TOT: %dB }'
% (openudpflows[key]['ipct'],
openudpflows[key]['id'], key, directionflag, keydst, count,
len(openudpflows), openudpflows[key]['ctsdatasize'],
openudpflows[key]['stcdatasize'],
openudpflows[key]['totdatasize']))
if not configopts['linemode']:
if configopts['udpdone']:
if configopts['tcpdone']:
if configopts['verbose'] and configopts['verboselevel'] >= 1:
doinfo(
'Done inspecting max packets (%d) and max streams (%d), \
preparing for exit' %
(configopts['maxinsppackets'],
configopts['maxinspstreams']))
exitwithstats()
else:
if configopts['verbose'] and configopts['verboselevel'] >= 1:
doinfo(
'Ignoring packet %s:%s %s %s:%s { inspudppacketct: %d == maxinsppackets: %d }'
%
(src, sport, dst, dport, configopts['inspudppacketct'],
configopts['maxinsppackets']))
return
configopts['inspudppacketct'] += 1
if configopts['linemode']:
matchstats['addr'] = addrkey
matchstats['start'] = start
matchstats['end'] = end
matchstats['matchsize'] = matchstats['end'] - matchstats['start']
matchstats['direction'] = direction
matchstats['directionflag'] = directionflag
if configopts['verbose'] and configopts['verboselevel'] >= 1:
doinfo(
'[IP#%d.UDP#%d] Skipping inspection as linemode is enabled.' %
(openudpflows[key]['ipct'], openudpflows[key]['id']))
showudpmatches(data[matchstats['start']:matchstats['end']])
if configopts['writepcap']:
markmatchedippackets(addrkey)
return
if configopts['maxinsppackets'] != 0 and configopts[
'inspudppacketct'] >= configopts['maxinsppackets']:
configopts['udpdone'] = True
if configopts['offset'] > 0 and configopts['offset'] < count:
offset = configopts['offset']
else:
offset = 0
if configopts['depth'] > 0 and configopts['depth'] <= (count - offset):
depth = configopts['depth'] + offset
else:
depth = count
inspdata = data[offset:depth]
inspdatalen = len(inspdata)
if configopts['verbose'] and configopts['verboselevel'] >= 1:
doinfo('[IP#%d.UDP#%d] Initiating inspection on %s[%d:%d] - %dB' %
(openudpflows[key]['ipct'], openudpflows[key]['id'], direction,
offset, depth, inspdatalen))
matched = inspect('UDP', inspdata, inspdatalen, regexes, fuzzpatterns,
yararuleobjects, addrkey, direction, directionflag)
if matched:
openudpflows[key]['matches'] += 1
if configopts['writepcap']:
markmatchedippackets(addrkey)
if configopts['writepcapfast']:
if addrkey in ippacketsdict.keys(
) and ippacketsdict[addrkey]['proto'] == 'UDP':
ippacketsdict[addrkey]['matched'] = True
ippacketsdict[addrkey]['id'] = configopts['packetct']
ippacketsdict[addrkey]['matchedid'] = len(
ippacketsdict[addrkey].keys()) - configopts['ipmetavars']
else:
((sip, sp), (dip, dp)) = addrkey
newaddrkey = ((dip, dp), (sip, sp))
if newaddrkey in ippacketsdict.keys(
) and ippacketsdict[newaddrkey]['proto'] == 'UDP':
ippacketsdict[newaddrkey]['matched'] = True
ippacketsdict[newaddrkey]['id'] = configopts['packetct']
ippacketsdict[newaddrkey]['matchedid'] = len(
ippacketsdict[newaddrkey].keys(
)) - configopts['ipmetavars']
matchstats['start'] += offset
matchstats['end'] += offset
matchstats['direction'] = direction
matchstats['directionflag'] = directionflag
if configopts['udpmatches'] == 0:
configopts['shortestmatch']['packet'] = matchstats['matchsize']
configopts['shortestmatch']['packetid'] = configopts['packetct']
configopts['longestmatch']['packet'] = matchstats['matchsize']
configopts['longestmatch']['packetid'] = configopts['packetct']
else:
if matchstats['matchsize'] <= configopts['shortestmatch']['packet']:
configopts['shortestmatch']['packet'] = matchstats['matchsize']
configopts['shortestmatch']['packetid'] = configopts[
'packetct']
if matchstats['matchsize'] >= configopts['longestmatch']['packet']:
configopts['longestmatch']['packet'] = matchstats['matchsize']
configopts['longestmatch']['packetid'] = configopts['packetct']
configopts['udpmatches'] += 1
matchstats['addr'] = addrkey
showudpmatches(data[matchstats['start']:matchstats['end']])
del openudpflows[key]
