def __init__(self, session={}):
starttime = time.time()
logging.config.fileConfig('logging.conf')
self.logger = logging.getLogger(__name__)
self.session = session
self.session['banner'] = utils.to_base64("""
.___
_______ __ __ __| _/_______ _____
\_ __ \| | \ / __ | \_ __ \\\\__ \\
| | \/| | // /_/ | | | \/ / __ \_
|__| |____/ \____ | |__| (____ / v%s
\/ \/ (%s)
""" % (get_version_string(), get_author()))
print utils.from_base64(self.session['banner'])
self.session['report'] = {}
if self.session['config']['enable_interactive']:
print ' Use the "self" object to analyze files'
self.interactive()
elif self.session['config']['input_files'] and len(
self.session['config']['input_files']) > 0:
for f in self.session['config']['input_files']:
self.analyze(f)
else:
self.logger.error(
'Please use -f to specify a file or use -i for interactive mode'
)
endtime = time.time()
self.session['report']['starttime'] = starttime
self.session['report']['endtime'] = endtime
del starttime, endtime
self.session['report']['elapsedtime'] = self.session['report'][
'endtime'] - self.session['report']['starttime']
print 'Total scan time: %s' % (utils.hms_string(
self.session['report']['elapsedtime']))
def __init__(self, session={}):
starttime = time.time()
logging.config.fileConfig('logging.conf')
self.logger = logging.getLogger(__name__)
self.session = session
self.session['banner'] = utils.to_base64("""
.___
_______ __ __ __| _/_______ _____
\_ __ \| | \ / __ | \_ __ \\\\__ \\
| | \/| | // /_/ | | | \/ / __ \_
|__| |____/ \____ | |__| (____ / v%s
\/ \/ (%s)
""" % (get_version_string(), get_author()))
print utils.from_base64(self.session['banner'])
self.session['report'] = {}
if self.session['config']['enable_interactive']:
print ' Use the "self" object to analyze files'
self.interactive()
elif self.session['config']['input_files'] and len(self.session['config']['input_files']) > 0:
for f in self.session['config']['input_files']:
self.analyze(f)
else:
self.logger.error('Please use -f to specify a file or use -i for interactive mode')
endtime = time.time()
self.session['report']['starttime'] = starttime
self.session['report']['endtime'] = endtime
del starttime, endtime
self.session['report']['elapsedtime'] = self.session['report']['endtime'] - self.session['report']['starttime']
print 'Total scan time: %s' % (utils.hms_string(self.session['report']['elapsedtime']))
def report_sanitize(self, report):
sanreport = copy.deepcopy(report)
if 'filebytefreqhistogram' in report['filestats']:
sanreport['filestats'][
'filebytefreqhistogram_b64'] = utils.to_base64(
report['filestats']['filebytefreqhistogram'])
del sanreport['filestats']['filebytefreqhistogram']
if 'filevis_png' in report['filestats']:
sanreport['filestats']['filevis_png_b64'] = utils.to_base64(
report['filestats']['filevis_png'])
del sanreport['filestats']['filevis_png']
if 'filevis_png_bw' in report['filestats']:
sanreport['filestats']['filevis_png_bw_b64'] = utils.to_base64(
report['filestats']['filevis_png_bw'])
del sanreport['filestats']['filevis_png_bw']
for k in sorted(report['pcap']['flows'].keys()):
proto = k.split(' - ')[2]
for host in report['pcap']['hosts']:
if 'whois_text' in report['pcap']['hosts'][host].keys(
) and 'whois_text_b64' not in sanreport['pcap']['hosts'][
host].keys():
sanreport['pcap']['hosts'][host][
'whois_text_b64'] = utils.to_base64(
report['pcap']['hosts'][host]['whois_text'])
del sanreport['pcap']['hosts'][host]['whois_text']
else:
sanreport['pcap']['hosts'][host]['whois_text_b64'] = None
if 'ctsbuf' in sanreport['pcap']['flows'][k].keys(
) and sanreport['pcap']['flows'][k]['ctsbuf']:
del sanreport['pcap']['flows'][k]['ctsbuf']
if 'stcbuf' in sanreport['pcap']['flows'][k].keys(
) and sanreport['pcap']['flows'][k]['stcbuf']:
del sanreport['pcap']['flows'][k]['stcbuf']
if 'transactions' in report['pcap']['flows'][k].keys(
) and report['pcap']['flows'][k]['transactions']:
for tid in sorted(report['pcap']['flows'][k]['transactions']):
if ('bufvis_png' and 'bufvis_bw_png') in report['pcap'][
'flows'][k]['transactions'][tid].keys():
sanreport['pcap']['flows'][k]['transactions'][tid][
'bufvis_png_b64'] = utils.to_base64(
report['pcap']['flows'][k]['transactions'][tid]
['bufvis_png'])
sanreport['pcap']['flows'][k]['transactions'][tid][
'bufvis_bw_png_b64'] = utils.to_base64(
report['pcap']['flows'][k]['transactions'][tid]
['bufvis_bw_png'])
del sanreport['pcap']['flows'][k]['transactions'][tid][
'bufvis_png']
del sanreport['pcap']['flows'][k]['transactions'][tid][
'bufvis_bw_png']
else:
sanreport['pcap']['flows'][k]['transactions'][tid][
'bufvis_png_b64'] = None
sanreport['pcap']['flows'][k]['transactions'][tid][
'bufvis_bw_png_b64'] = None
if proto == 'UDP':
if 'buf' in report['pcap']['flows'][k]['transactions'][
tid].keys() and report['pcap']['flows'][k][
'transactions'][tid]['buf']:
sanreport['pcap']['flows'][k]['transactions'][tid][
'buf_b64'] = utils.to_base64(
report['pcap']['flows'][k]['transactions']
[tid]['buf'])
del sanreport['pcap']['flows'][k]['transactions'][
tid]['buf']
else:
sanreport['pcap']['flows'][k]['transactions'][tid][
'buf_b64'] = None
del sanreport['pcap']['flows'][k]['transactions'][
tid]['buf']
if proto == 'TCP':
if 'ctsbuf' in report['pcap']['flows'][k][
'transactions'][tid] and report['pcap'][
'flows'][k]['transactions'][tid]['ctsbuf']:
sanreport['pcap']['flows'][k]['transactions'][tid][
'ctsbuf_b64'] = utils.to_base64(
report['pcap']['flows'][k]['transactions']
[tid]['ctsbuf'])
del sanreport['pcap']['flows'][k]['transactions'][
tid]['ctsbuf']
else:
sanreport['pcap']['flows'][k]['transactions'][tid][
'ctsbuf_b64'] = None
del sanreport['pcap']['flows'][k]['transactions'][
tid]['ctsbuf']
for key in report['pcap']['flows'][k]['transactions'][
tid]['ctsdecode'].keys():
sanreport['pcap']['flows'][k]['transactions'][tid][
'ctsdecode']['%s_b64' %
(key)] = utils.to_base64(
report['pcap']['flows'][k]
['transactions'][tid]
['ctsdecode'][key])
del sanreport['pcap']['flows'][k]['transactions'][
tid]['ctsdecode'][key]
if report['pcap']['flows'][k]['transactions'][tid][
'regex']['cts']:
for matchid in report['pcap']['flows'][k][
'transactions'][tid]['regex']['cts'].keys(
):
sanreport['pcap']['flows'][k]['transactions'][
tid]['regex']['cts'][matchid][
'match_b64'] = utils.to_base64(
report['pcap']['flows'][k]
['transactions'][tid]['regex']
['cts'][matchid]['match'])
del sanreport['pcap']['flows'][k][
'transactions'][tid]['regex']['cts'][
matchid]['match']
if report['pcap']['flows'][k]['transactions'][tid][
'shellcode']['cts']:
for matchid in report['pcap']['flows'][k][
'transactions'][tid]['shellcode'][
'cts'].keys():
sanreport['pcap']['flows'][k]['transactions'][
tid]['shellcode']['cts'][
'buf_b64'] = utils.to_base64(
report['pcap']['flows'][k]
['transactions'][tid]['shellcode']
['cts']['buf'])
sanreport['pcap']['flows'][k]['transactions'][
tid]['shellcode']['cts'][
'profile_b64'] = utils.to_base64(
report['pcap']['flows'][k]
['transactions'][tid]['shellcode']
['cts']['profile'])
if 'buf' in sanreport['pcap']['flows'][k][
'transactions'][tid]['shellcode'][
'cts'].keys():
del sanreport['pcap']['flows'][k][
'transactions'][tid]['shellcode'][
'cts']['buf']
if 'profile' in sanreport['pcap']['flows'][k][
'transactions'][tid]['shellcode'][
'cts'].keys():
del sanreport['pcap']['flows'][k][
'transactions'][tid]['shellcode'][
'cts']['profile']
if 'stcbuf' in report['pcap']['flows'][k][
'transactions'][tid] and report['pcap'][
'flows'][k]['transactions'][tid]['stcbuf']:
sanreport['pcap']['flows'][k]['transactions'][tid][
'stcbuf_b64'] = utils.to_base64(
report['pcap']['flows'][k]['transactions']
[tid]['stcbuf'])
del sanreport['pcap']['flows'][k]['transactions'][
tid]['stcbuf']
else:
sanreport['pcap']['flows'][k]['transactions'][tid][
'stcbuf_b64'] = None
del sanreport['pcap']['flows'][k]['transactions'][
tid]['stcbuf']
for key in report['pcap']['flows'][k]['transactions'][
tid]['stcdecode'].keys():
sanreport['pcap']['flows'][k]['transactions'][tid][
'stcdecode']['%s_b64' %
(key)] = utils.to_base64(
report['pcap']['flows'][k]
['transactions'][tid]
['stcdecode'][key])
del sanreport['pcap']['flows'][k]['transactions'][
tid]['stcdecode'][key]
if report['pcap']['flows'][k]['transactions'][tid][
'regex']['stc']:
for matchid in report['pcap']['flows'][k][
'transactions'][tid]['regex']['stc'].keys(
):
sanreport['pcap']['flows'][k]['transactions'][
tid]['regex']['stc'][matchid][
'match_b64'] = utils.to_base64(
report['pcap']['flows'][k]
['transactions'][tid]['regex']
['stc'][matchid]['match'])
del sanreport['pcap']['flows'][k][
'transactions'][tid]['regex']['stc'][
matchid]['match']
if report['pcap']['flows'][k]['transactions'][tid][
'shellcode']['stc']:
for matchid in report['pcap']['flows'][k][
'transactions'][tid]['shellcode'][
'stc'].keys():
sanreport['pcap']['flows'][k]['transactions'][
tid]['shellcode']['stc'][
'buf_b64'] = utils.to_base64(
report['pcap']['flows'][k]
['transactions'][tid]['shellcode']
['stc']['buf'])
sanreport['pcap']['flows'][k]['transactions'][
tid]['shellcode']['stc'][
'profile_b64'] = utils.to_base64(
report['pcap']['flows'][k]
['transactions'][tid]['shellcode']
['stc']['profile'])
if 'buf' in sanreport['pcap']['flows'][k][
'transactions'][tid]['shellcode'][
'stc'].keys():
del sanreport['pcap']['flows'][k][
'transactions'][tid]['shellcode'][
'stc']['buf']
if 'profile' in sanreport['pcap']['flows'][k][
'transactions'][tid]['shellcode'][
'stc'].keys():
del sanreport['pcap']['flows'][k][
'transactions'][tid]['shellcode'][
'stc']['profile']
#pprint.pprint(sanreport)
return dict(sanreport)
def report_sanitize(self, report):
sanreport = copy.deepcopy(report)
if 'filebytefreqhistogram' in report['filestats']:
sanreport['filestats']['filebytefreqhistogram_b64'] = utils.to_base64(report['filestats']['filebytefreqhistogram'])
del sanreport['filestats']['filebytefreqhistogram']
if 'filevis_png' in report['filestats']:
sanreport['filestats']['filevis_png_b64'] = utils.to_base64(report['filestats']['filevis_png'])
del sanreport['filestats']['filevis_png']
if 'filevis_png_bw' in report['filestats']:
sanreport['filestats']['filevis_png_bw_b64'] = utils.to_base64(report['filestats']['filevis_png_bw'])
del sanreport['filestats']['filevis_png_bw']
for k in sorted(report['pcap']['flows'].keys()):
proto = k.split(' - ')[2]
for host in report['pcap']['hosts']:
if 'whois_text' in report['pcap']['hosts'][host].keys() and 'whois_text_b64' not in sanreport['pcap']['hosts'][host].keys():
sanreport['pcap']['hosts'][host]['whois_text_b64'] = utils.to_base64(report['pcap']['hosts'][host]['whois_text'])
del sanreport['pcap']['hosts'][host]['whois_text']
else:
sanreport['pcap']['hosts'][host]['whois_text_b64'] = None
if 'ctsbuf' in sanreport['pcap']['flows'][k].keys() and sanreport['pcap']['flows'][k]['ctsbuf']:
del sanreport['pcap']['flows'][k]['ctsbuf']
if 'stcbuf' in sanreport['pcap']['flows'][k].keys() and sanreport['pcap']['flows'][k]['stcbuf']:
del sanreport['pcap']['flows'][k]['stcbuf']
if 'transactions' in report['pcap']['flows'][k].keys() and report['pcap']['flows'][k]['transactions']:
for tid in sorted(report['pcap']['flows'][k]['transactions']):
if ('bufvis_png' and 'bufvis_bw_png') in report['pcap']['flows'][k]['transactions'][tid].keys():
sanreport['pcap']['flows'][k]['transactions'][tid]['bufvis_png_b64'] = utils.to_base64(report['pcap']['flows'][k]['transactions'][tid]['bufvis_png'])
sanreport['pcap']['flows'][k]['transactions'][tid]['bufvis_bw_png_b64'] = utils.to_base64(report['pcap']['flows'][k]['transactions'][tid]['bufvis_bw_png'])
del sanreport['pcap']['flows'][k]['transactions'][tid]['bufvis_png']
del sanreport['pcap']['flows'][k]['transactions'][tid]['bufvis_bw_png']
else:
sanreport['pcap']['flows'][k]['transactions'][tid]['bufvis_png_b64'] = None
sanreport['pcap']['flows'][k]['transactions'][tid]['bufvis_bw_png_b64'] = None
if proto == 'UDP':
if 'buf' in report['pcap']['flows'][k]['transactions'][tid].keys() and report['pcap']['flows'][k]['transactions'][tid]['buf']:
sanreport['pcap']['flows'][k]['transactions'][tid]['buf_b64'] = utils.to_base64(report['pcap']['flows'][k]['transactions'][tid]['buf'])
del sanreport['pcap']['flows'][k]['transactions'][tid]['buf']
else:
sanreport['pcap']['flows'][k]['transactions'][tid]['buf_b64'] = None
del sanreport['pcap']['flows'][k]['transactions'][tid]['buf']
if proto == 'TCP':
if 'ctsbuf' in report['pcap']['flows'][k]['transactions'][tid] and report['pcap']['flows'][k]['transactions'][tid]['ctsbuf']:
sanreport['pcap']['flows'][k]['transactions'][tid]['ctsbuf_b64'] = utils.to_base64(report['pcap']['flows'][k]['transactions'][tid]['ctsbuf'])
del sanreport['pcap']['flows'][k]['transactions'][tid]['ctsbuf']
else:
sanreport['pcap']['flows'][k]['transactions'][tid]['ctsbuf_b64'] = None
del sanreport['pcap']['flows'][k]['transactions'][tid]['ctsbuf']
for key in report['pcap']['flows'][k]['transactions'][tid]['ctsdecode'].keys():
sanreport['pcap']['flows'][k]['transactions'][tid]['ctsdecode']['%s_b64' % (key)] = utils.to_base64(report['pcap']['flows'][k]['transactions'][tid]['ctsdecode'][key])
del sanreport['pcap']['flows'][k]['transactions'][tid]['ctsdecode'][key]
if report['pcap']['flows'][k]['transactions'][tid]['regex']['cts']:
for matchid in report['pcap']['flows'][k]['transactions'][tid]['regex']['cts'].keys():
sanreport['pcap']['flows'][k]['transactions'][tid]['regex']['cts'][matchid]['match_b64'] = utils.to_base64(report['pcap']['flows'][k]['transactions'][tid]['regex']['cts'][matchid]['match'])
del sanreport['pcap']['flows'][k]['transactions'][tid]['regex']['cts'][matchid]['match']
if report['pcap']['flows'][k]['transactions'][tid]['shellcode']['cts']:
for matchid in report['pcap']['flows'][k]['transactions'][tid]['shellcode']['cts'].keys():
sanreport['pcap']['flows'][k]['transactions'][tid]['shellcode']['cts']['buf_b64'] = utils.to_base64(report['pcap']['flows'][k]['transactions'][tid]['shellcode']['cts']['buf'])
sanreport['pcap']['flows'][k]['transactions'][tid]['shellcode']['cts']['profile_b64'] = utils.to_base64(report['pcap']['flows'][k]['transactions'][tid]['shellcode']['cts']['profile'])
if 'buf' in sanreport['pcap']['flows'][k]['transactions'][tid]['shellcode']['cts'].keys():
del sanreport['pcap']['flows'][k]['transactions'][tid]['shellcode']['cts']['buf']
if 'profile' in sanreport['pcap']['flows'][k]['transactions'][tid]['shellcode']['cts'].keys():
del sanreport['pcap']['flows'][k]['transactions'][tid]['shellcode']['cts']['profile']
if 'stcbuf' in report['pcap']['flows'][k]['transactions'][tid] and report['pcap']['flows'][k]['transactions'][tid]['stcbuf']:
sanreport['pcap']['flows'][k]['transactions'][tid]['stcbuf_b64'] = utils.to_base64(report['pcap']['flows'][k]['transactions'][tid]['stcbuf'])
del sanreport['pcap']['flows'][k]['transactions'][tid]['stcbuf']
else:
sanreport['pcap']['flows'][k]['transactions'][tid]['stcbuf_b64'] = None
del sanreport['pcap']['flows'][k]['transactions'][tid]['stcbuf']
for key in report['pcap']['flows'][k]['transactions'][tid]['stcdecode'].keys():
sanreport['pcap']['flows'][k]['transactions'][tid]['stcdecode']['%s_b64' % (key)] = utils.to_base64(report['pcap']['flows'][k]['transactions'][tid]['stcdecode'][key])
del sanreport['pcap']['flows'][k]['transactions'][tid]['stcdecode'][key]
if report['pcap']['flows'][k]['transactions'][tid]['regex']['stc']:
for matchid in report['pcap']['flows'][k]['transactions'][tid]['regex']['stc'].keys():
sanreport['pcap']['flows'][k]['transactions'][tid]['regex']['stc'][matchid]['match_b64'] = utils.to_base64(report['pcap']['flows'][k]['transactions'][tid]['regex']['stc'][matchid]['match'])
del sanreport['pcap']['flows'][k]['transactions'][tid]['regex']['stc'][matchid]['match']
if report['pcap']['flows'][k]['transactions'][tid]['shellcode']['stc']:
for matchid in report['pcap']['flows'][k]['transactions'][tid]['shellcode']['stc'].keys():
sanreport['pcap']['flows'][k]['transactions'][tid]['shellcode']['stc']['buf_b64'] = utils.to_base64(report['pcap']['flows'][k]['transactions'][tid]['shellcode']['stc']['buf'])
sanreport['pcap']['flows'][k]['transactions'][tid]['shellcode']['stc']['profile_b64'] = utils.to_base64(report['pcap']['flows'][k]['transactions'][tid]['shellcode']['stc']['profile'])
if 'buf' in sanreport['pcap']['flows'][k]['transactions'][tid]['shellcode']['stc'].keys():
del sanreport['pcap']['flows'][k]['transactions'][tid]['shellcode']['stc']['buf']
if 'profile' in sanreport['pcap']['flows'][k]['transactions'][tid]['shellcode']['stc'].keys():
del sanreport['pcap']['flows'][k]['transactions'][tid]['shellcode']['stc']['profile']
#pprint.pprint(sanreport)
return dict(sanreport)