Beispiel #1
0
def concatPCAPs(ssh, tmpPath, sensor, files):

    concPath = tmpPath + 'concatenated'

    stdWriteFlush("Concatenating PCAPs on %s...\n" % sensor)
    
    stdin, stdout, stderr = ssh.exec_command('find /tmp/ -name "%s*" | sort | xargs mergecap -a -w %s' % (os.path.basename(tmpPath), concPath))
    stdout.read()
Beispiel #2
0
def mergePCAPGroups(event):        
    for name, match in [x.strip().split(':') for x in confVars.mergeGroups.split(',')]:
        matched = [x for x in event.pcaps if match in x]
        if matched:
            stdWriteFlush('Merging %s sensor group...\n' % name)
            mergedPCAP = '%s.%s.pcap' % (event._baseFilePath, name)
            out = runBash('mergecap -w %s %s' % (mergedPCAP, ' '.join(matched)))
            for pcap in matched:
                event.pcaps.remove(pcap)
            event.pcaps.append(mergedPCAP)
Beispiel #3
0
def tcpdumpFiles(event, ssh, server, dailies):
    
    def pcapNotEmpty(ssh, pcapFile):
       
        stdin, stdout, stderr = ssh.exec_command('/usr/sbin/tcpdump -s 1515 -nn -c 1 -r %s' % (pcapFile))
        output = stdout.readlines()
        return len(output)
    
    #event.pcaps = []

    for sensor, logs in dailies.iteritems():
        tmpPath = '/tmp/%s_%s' % (os.path.basename(event._baseFilePath), sensor)
        
        i = 0
        count = 1
        total = len(logs)
        absTempPaths = []
        tempFiles = []
        #stdWriteFlush()
        for pcapFile in logs:
            stdWriteFlush(precentComplete('Processing PCAPs on %s: ' % sensor, count, total))
            count += 1
            #stdWriteFlush('.')
            absTempPath = "%s%06d" % (tmpPath, i)
            stdin, stdout, stderr = ssh.exec_command('/usr/sbin/tcpdump -s 1515 -nn -r %s -w %s %s' % (pcapFile, absTempPath, event._pcapBPF))
            error = stderr.read()
            stdout.read()
            
            if 'tcpdump: syntax error' in error:
                log.error("Error: Invalid BPF, '%s'" % event._pcapBPF)
                log.debug('msg="invalid bpf" bpf="%s"' % event._pcapBPF)
                raise error
           
            if pcapNotEmpty(ssh, absTempPath):
                i += 1
                absTempPaths.append(absTempPath)
                tempFiles.append(absTempPath.split('/')[-1])
           
        stdWriteFlush('\n')
        
        if absTempPaths:
            concatPCAPs(ssh, tmpPath, sensor, absTempPaths)
            #print('scp %s:%sconcatenated %s.%s.pcap' % (server, tmpPath, event._baseFilePath, sensor))
            print('Transferring PCAP from %s...\n' % sensor)
            dstPCAP = '%s.%s.pcap' % (event._baseFilePath, sensor)
            event.pcaps.append(dstPCAP)
            out = runBash('scp %s:%sconcatenated %s.%s.pcap' % (server, tmpPath, event._baseFilePath, sensor))
        
        ssh.exec_command('rm %s*' % tmpPath)