def handleStream(tcp):
chopp = ChopProtocol('http')
((src, sport), (dst, dport)) = parse_addr(tcp)
tcp.stream_data['htpy_obj'].timestamp = tcp.timestamp
if tcp.server.count_new > 0:
if tcp.module_data['options']['verbose']:
chop.tsprnt("%s:%s->%s:%s (%i)"
% (src, sport, dst, dport, tcp.server.count_new))
if tcp.server.count_new == 1 and tcp.module_data['options']['beast']:
tcp.discard(0)
else:
data_size = tcp.server.count - tcp.server.offset
try:
tcp.stream_data['connparser'].\
req_data(tcp.server.data[:data_size])
except htpy.stop:
tcp.stop()
except htpy.error:
if tcp.module_data['options']['verbose']:
chop.tsprnt("Stream error in htpy.")
tcp.stop()
tcp.discard(data_size)
elif tcp.client.count_new > 0:
if tcp.module_data['options']['verbose']:
chop.tsprnt("%s:%s->%s:%s (%i)"
% (src, sport, dst, dport, tcp.client.count_new))
if tcp.client.count_new == 1 and tcp.module_data['options']['beast']:
tcp.discard(0)
else:
data_size = tcp.client.count - tcp.client.offset
try:
tcp.stream_data['connparser'].\
res_data(tcp.client.data[:data_size])
except htpy.stop:
tcp.stop()
except htpy.error:
if tcp.module_data['options']['verbose']:
chop.tsprnt("Stream error in htpy.")
tcp.stop()
tcp.discard(data_size)
if tcp.stream_data['htpy_obj'].ready:
trans = tcp.stream_data['htpy_obj'].transaction
chopp.setClientData(trans['request'])
chopp.setServerData(trans['response'])
chopp.setTimeStamp(trans['timestamp'])
chopp.setAddr(tcp.addr)
chopp.flowStart = tcp.stream_data['htpy_obj'].flowStart
tcp.stream_data['htpy_obj'].ready = False
tcp.stream_data['htpy_obj'].temp = {}
tcp.stream_data['htpy_obj'].transaction = {}
return chopp
return None
def handleProtocol(chopp):
if chopp.type != 'sslim':
return
stream_data = chopp.stream_data
if 'htpy_obj' not in stream_data:
stream_data['htpy_obj'] = {
'options': chopp.module_data['options'],
'timestamp': None,
'temp': {},
'transaction': {},
'lines': Queue.Queue(),
'ready': False,
'flowStart': chopp.timestamp
}
stream_data['connparser'] = register_connparser()
stream_data['connparser'].set_obj(stream_data['htpy_obj'])
((src, sport),(dst,dport)) = chopp.addr
stream_data['htpy_obj']['timestamp'] = chopp.timestamp
if chopp.clientData:
if chopp.module_data['options']['verbose']:
chop.tsprnt("%s:%s->%s:%s" % (src, sport, dst, dport))
try:
stream_data['connparser'].req_data(chopp.clientData)
except htpy.stop:
chopp.stop()
except htpy.error:
chop.prnt("Stream error in htpy.")
chopp.stop()
return
if chopp.serverData:
if chopp.module_data['options']['verbose']:
chop.tsprnt("%s:%s->%s:%s" % (dst, dport, src, sport))
try:
stream_data['connparser'].res_data(chopp.serverData)
except htpy.stop:
chopp.stop()
except htpy.error:
chop.prnt("Stream error in htpy.")
chopp.stop()
return
if stream_data['htpy_obj']['ready']:
new_chopp = ChopProtocol('http')
trans = stream_data['htpy_obj']['transaction']
new_chopp.setClientData(trans['request'])
new_chopp.setServerData(trans['response'])
new_chopp.setTimeStamp(trans['timestamp'])
new_chopp.setAddr(chopp.addr)
new_chopp.flowStart = stream_data['htpy_obj']['flowStart']
stream_data['htpy_obj']['ready'] = False
return new_chopp
def handleProtocol(chopp):
if chopp.type != 'sslim':
return
stream_data = chopp.stream_data
if 'htpy_obj' not in stream_data:
stream_data['htpy_obj'] = \
__htpyObj__(chopp.module_data['options'], chopp.timestamp)
stream_data['connparser'] = register_connparser()
stream_data['connparser'].set_obj(stream_data['htpy_obj'])
((src, sport), (dst, dport)) = chopp.addr
stream_data['htpy_obj'].timestamp = chopp.timestamp
if chopp.clientData:
if chopp.module_data['options']['verbose']:
chop.tsprnt("%s:%s->%s:%s" % (src, sport, dst, dport))
try:
stream_data['connparser'].req_data(chopp.clientData)
except htpy.stop:
chopp.stop()
except htpy.error:
if chopp.module_data['options']['verbose']:
chop.tsprnt("Stream error in htpy.")
chopp.stop()
return
if chopp.serverData:
if chopp.module_data['options']['verbose']:
chop.tsprnt("%s:%s->%s:%s" % (dst, dport, src, sport))
try:
stream_data['connparser'].res_data(chopp.serverData)
except htpy.stop:
chopp.stop()
except htpy.error:
if chopp.module_data['options']['verbose']:
chop.tsprnt("Stream error in htpy.")
chopp.stop()
return
if stream_data['htpy_obj'].ready:
new_chopp = ChopProtocol('http')
trans = stream_data['htpy_obj'].transaction
new_chopp.setClientData(trans['request'])
new_chopp.setServerData(trans['response'])
new_chopp.setTimeStamp(trans['timestamp'])
new_chopp.setAddr(chopp.addr)
new_chopp.flowStart = stream_data['htpy_obj'].flowStart
stream_data['htpy_obj'].ready = False
stream_data['htpy_obj'].temp = {}
stream_data['htpy_obj'].transaction = {}
return new_chopp
def teardownProtocol(protocol):
if protocol.type != 'http':
chop.prnt("Error")
return
module_data = protocol.module_data
data = {'request': protocol.clientData, 'response': protocol.serverData}
if module_data['base64_encode']:
if (data['request'] is not None and 'body' in data['request']
and data['request']['body'] is not None):
data['request']['body'] = b64encode(data['request']['body'])
data['request']['body_encoding'] = 'base64'
if (data['response'] is not None and 'body' in data['response']
and data['response']['body'] is not None):
data['response']['body'] = b64encode(data['response']['body'])
data['response']['body_encoding'] = 'base64'
chopp = ChopProtocol('http_meta')
chopp.data = data
chopp.flowStart = protocol.flowStart
chopp.setTimeStamp(protocol.timestamp)
chopp.setAddr(protocol.addr)
return chopp
def teardownProtocol(protocol):
if protocol.type != 'http':
chop.prnt("Error")
return
module_data = protocol.module_data
data = {'request': protocol.clientData, 'response': protocol.serverData}
if module_data['base64_encode']:
if (data['request'] is not None
and 'body' in data['request']
and data['request']['body'] is not None):
data['request']['body'] = b64encode(data['request']['body'])
data['request']['body_encoding'] = 'base64'
if (data['response'] is not None
and 'body' in data['response']
and data['response']['body'] is not None):
data['response']['body'] = b64encode(data['response']['body'])
data['response']['body_encoding'] = 'base64'
chopp = ChopProtocol('http_meta')
chopp.data = data
chopp.flowStart = protocol.flowStart
chopp.setTimeStamp(protocol.timestamp)
chopp.setAddr(protocol.addr)
return chopp
def handlePacket(ip):
if ip.protocol != 1:
return None
#Okay so we have traffic labeled as ICMP
icmp = ChopProtocol('icmp')
ip_offset = 4 * ip.ihl
icmp_raw = ip.raw[ip_offset:] #separate the icmp data
header = struct.unpack('<BBH', icmp_raw[0:4])
#Since this doesn't fit a client server model
#Created a new 'data' field in the ChopProtocol object
#Note that the _clone method in ChopProtocol uses deepcopy
#so we should be okay
icmp.data = icmp_message()
icmp.data.type = header[0]
icmp.data.code = header[1]
icmp.data.checksum = header[2]
icmp.data.raw = icmp_raw
return icmp
def handlePacket(ip):
if ip.protocol != 1:
return None
#Okay so we have traffic labeled as ICMP
icmp = ChopProtocol('icmp')
ip_offset = 4 * ip.ihl
icmp_raw = ip.raw[ip_offset:] #separate the icmp data
header = struct.unpack('<BBH', icmp_raw[0:4])
#Since this doesn't fit a client server model
#Created a new 'data' field in the ChopProtocol object
#Note that the _clone method in ChopProtocol uses deepcopy
#so we should be okay
icmp.data = icmp_message()
icmp.data.type = header[0]
icmp.data.code = header[1]
icmp.data.checksum = header[2]
icmp.data.raw = icmp_raw
return icmp
def handleStream(tcp):
chopp = ChopProtocol('http')
((src, sport), (dst, dport)) = parse_addr(tcp)
tcp.stream_data['htpy_obj']['timestamp'] = tcp.timestamp
if tcp.server.count_new > 0:
if tcp.module_data['options']['verbose']:
chop.tsprnt("%s:%s->%s:%s (%i)" % (src, sport, dst, dport, tcp.server.count_new))
try:
tcp.stream_data['connparser'].req_data(tcp.server.data[:tcp.server.count_new])
except htpy.stop:
tcp.stop()
except htpy.error:
chop.prnt("Stream error in htpy.")
tcp.stop()
tcp.discard(tcp.server.count_new)
elif tcp.client.count_new > 0:
if tcp.module_data['options']['verbose']:
chop.tsprnt("%s:%s->%s:%s (%i)" % (src, sport, dst, dport, tcp.client.count_new))
try:
tcp.stream_data['connparser'].res_data(tcp.client.data[:tcp.client.count_new])
except htpy.stop:
tcp.stop()
except htpy.error:
chop.prnt("Stream error in htpy.")
tcp.stop()
tcp.discard(tcp.client.count_new)
if tcp.stream_data['htpy_obj']['ready']:
trans = tcp.stream_data['htpy_obj']['transaction']
chopp.setClientData(trans['request'])
chopp.setServerData(trans['response'])
chopp.setTimeStamp(trans['timestamp'])
chopp.setAddr(tcp.addr)
chopp.flowStart = tcp.stream_data['htpy_obj']['flowStart']
tcp.stream_data['htpy_obj']['ready'] = False
return chopp
return None
def teardownProtocol(chopp):
if chopp.type != 'sslim':
return
stream_data = chopp.stream_data
# sslim returns an empty object on teardown
if 'htpy_obj' not in stream_data:
return
hchopp = ChopProtocol('http')
((src, sport), (dst, dport)) = chopp.addr
stream_data['htpy_obj'].timestamp = chopp.timestamp
# There's data collected in temp
if len(stream_data['htpy_obj'].temp.keys()) > 1:
# we don't care if only start is populated
t = stream_data['htpy_obj'].temp
if 'request' in t:
if len(t['request'].keys()) == 0:
try:
req = stream_data['htpy_obj'].lines.get(False)
except Queue.Empty:
req = None
else:
req = t['request']
if 'tmp_hash' in t['request']:
if t['request']['body_len'] > 0:
t['request']['body_hash'] = \
t['request']['tmp_hash'].hexdigest()
else:
t['request']['body_hash'] = ""
del t['request']['tmp_hash']
if 'response' in t:
resp = t['response']
if 'tmp_hash' in t['response']:
if t['response']['body_len'] > 0:
t['response']['body_hash'] = \
t['response']['tmp_hash'].hexdigest()
else:
t['response']['body_hash'] = ""
del t['response']['tmp_hash']
else:
resp = None
if req is not None or resp is not None:
hchopp.setClientData(req)
hchopp.setServerData(resp)
hchopp.setTimeStamp(t['start'])
hchopp.setAddr(chopp.addr)
hchopp.setTeardown()
hchopp.flowStart = stream_data['htpy_obj'].flowStart
stream_data['htpy_obj'].ready = False
stream_data['htpy_obj'].temp = {}
stream_data['htpy_obj'].transaction = {}
return hchopp
return None
def handleDatagram(udp):
((src, sport), (dst, dport)) = udp.addr
if sport != 53 and dport != 53:
udp.stop()
return
try:
o = DNSRecord.parse(udp.data)
except KeyError as e:
chop.prnt("Key error: %s" % str(e))
return
except DNSError as e:
chop.prnt("dnslib error: %s" % str(e))
return
except Exception as e:
chop.prnt("Unexpeced exception: %s" % str(e))
return
chopp = ChopProtocol('dns')
# Create the dictionary...
f = [o.header.aa and 'AA',
o.header.tc and 'TC',
o.header.rd and 'RD',
o.header.ra and 'RA']
try:
d = {'header': {'id': o.header.id,
'type': QR[o.header.get_qr()],
'opcode': OPCODE[o.header.get_opcode()],
'flags': ",".join(filter(None, f)),
'rcode': RCODE[o.header.rcode]},
'questions': o.questions}
except DNSError as e:
chop.prnt("dnslib error: %s" % str(e))
return
except Exception as e:
chop.prnt("Unexpeted exception: %s" % str(e))
return
if OPCODE[o.header.opcode] == 'UPDATE':
f1 = 'zo'
f2 = 'pr'
f3 = 'up'
f4 = 'ad'
else:
f1 = 'q'
f2 = 'a'
f3 = 'ns'
f4 = 'ar'
dhdr = d['header']
dhdr[f1] = o.header.q
dhdr[f2] = o.header.a
dhdr[f3] = o.header.auth
dhdr[f4] = o.header.ar
d['questions'] = []
for q in o.questions:
qname = str(q.get_qname())
# Strip trailing dot.
if qname.endswith('.'):
qname = qname[:-1]
try:
dq = {'qname': qname,
'qtype': QTYPE[q.qtype],
'qclass': CLASS[q.qclass]}
d['questions'].append(dq)
except DNSError as e:
chop.prnt("dnslib error: %s" % str(e))
return
except Exception as e:
chop.prnt("Unexpected exception: %s" % str(e))
return
d['rr'] = []
for r in o.rr:
rname = str(r.get_rname())
# Strip trailing dot.
if rname.endswith('.'):
rname = rname[:-1]
rdata = str(r.rdata)
# Strip trailing dot.
if rdata.endswith('.'):
rdata = rdata[:-1]
try:
dr = {'rname': rname,
'rtype': QTYPE[r.rtype],
'rclass': CLASS[r.rclass],
'ttl': r.ttl,
'rdata': rdata}
d['rr'].append(dr)
except DNSError as e:
chop.prnt("dnslib error: %s" % str(e))
return
except Exception as e:
chop.prnt("Unexpected exception: %s" % str(e))
return
if sport == 53:
chopp.serverData = d
return chopp
elif dport == 53:
chopp.clientData = d
return chopp
return None
def teardown(tcp):
chopp = ChopProtocol('http')
((src, sport), (dst, dport)) = tcp.addr
tcp.stream_data['htpy_obj'].timestamp = tcp.timestamp
#There's data collected in temp
if len(tcp.stream_data['htpy_obj'].temp.keys()) > 1: #we don't care if only start is populated
t = tcp.stream_data['htpy_obj'].temp
if 'request' in t:
if len(t['request'].keys()) == 0:
try:
req = tcp.stream_data['htpy_obj'].lines.get(False)
except Queue.Empty:
req = None
else:
req = t['request']
if 'tmp_hash' in t['request']:
if t['request']['body_len'] > 0:
t['request']['body_hash'] = t['request']['tmp_hash'].hexdigest()
else:
t['request']['body_hash'] = ""
del t['request']['tmp_hash']
if 'response' in t:
resp = t['response']
if 'tmp_hash' in t['response']:
if t['response']['body_len'] > 0:
t['response']['body_hash'] = t['response']['tmp_hash'].hexdigest()
else:
t['response']['body_hash'] = ""
del t['response']['tmp_hash']
else:
resp = None
if req is not None or resp is not None:
chopp.setClientData(req)
chopp.setServerData(resp)
chopp.setTimeStamp(t['start'])
chopp.setAddr(tcp.addr)
chopp.setTeardown()
chopp.flowStart = tcp.stream_data['htpy_obj'].flowStart
tcp.stream_data['htpy_obj'].ready = False
tcp.stream_data['htpy_obj'].temp = {}
tcp.stream_data['htpy_obj'].transaction = {}
return chopp
return None
def teardownProtocol(chopp):
if chopp.type != 'sslim':
return
stream_data = chopp.stream_data
# sslim returns an empty object on teardown
if 'htpy_obj' not in stream_data:
return
hchopp = ChopProtocol('http')
((src, sport), (dst, dport)) = chopp.addr
stream_data['htpy_obj'].timestamp = chopp.timestamp
# There's data collected in temp
if len(stream_data['htpy_obj'].temp.keys()) > 1:
# we don't care if only start is populated
t = stream_data['htpy_obj'].temp
if 'request' in t:
if len(t['request'].keys()) == 0:
try:
req = stream_data['htpy_obj'].lines.get(False)
except Queue.Empty:
req = None
else:
req = t['request']
if 'tmp_hash' in t['request']:
if t['request']['body_len'] > 0:
t['request']['body_hash'] = \
t['request']['tmp_hash'].hexdigest()
else:
t['request']['body_hash'] = ""
del t['request']['tmp_hash']
if 'response' in t:
resp = t['response']
if 'tmp_hash' in t['response']:
if t['response']['body_len'] > 0:
t['response']['body_hash'] = \
t['response']['tmp_hash'].hexdigest()
else:
t['response']['body_hash'] = ""
del t['response']['tmp_hash']
else:
resp = None
if req is not None or resp is not None:
hchopp.setClientData(req)
hchopp.setServerData(resp)
hchopp.setTimeStamp(t['start'])
hchopp.setAddr(chopp.addr)
hchopp.setTeardown()
hchopp.flowStart = stream_data['htpy_obj'].flowStart
stream_data['htpy_obj'].ready = False
stream_data['htpy_obj'].temp = {}
stream_data['htpy_obj'].transaction = {}
return hchopp
return None
def teardown(tcp):
chopp = ChopProtocol('http')
((src, sport), (dst, dport)) = tcp.addr
tcp.stream_data['htpy_obj'].timestamp = tcp.timestamp
#There's data collected in temp
if len(tcp.stream_data['htpy_obj'].temp.keys()
) > 1: #we don't care if only start is populated
t = tcp.stream_data['htpy_obj'].temp
if 'request' in t:
if len(t['request'].keys()) == 0:
try:
req = tcp.stream_data['htpy_obj'].lines.get(False)
except Queue.Empty:
req = None
else:
req = t['request']
if 'tmp_hash' in t['request']:
if t['request']['body_len'] > 0:
t['request']['body_hash'] = t['request'][
'tmp_hash'].hexdigest()
else:
t['request']['body_hash'] = ""
del t['request']['tmp_hash']
if 'response' in t:
resp = t['response']
if 'tmp_hash' in t['response']:
if t['response']['body_len'] > 0:
t['response']['body_hash'] = t['response'][
'tmp_hash'].hexdigest()
else:
t['response']['body_hash'] = ""
del t['response']['tmp_hash']
else:
resp = None
if req is not None or resp is not None:
chopp.setClientData(req)
chopp.setServerData(resp)
chopp.setTimeStamp(t['start'])
chopp.setAddr(tcp.addr)
chopp.setTeardown()
chopp.flowStart = tcp.stream_data['htpy_obj'].flowStart
tcp.stream_data['htpy_obj'].ready = False
tcp.stream_data['htpy_obj'].temp = {}
tcp.stream_data['htpy_obj'].transaction = {}
return chopp
return None
def _stream_ended_(frame, direction, tcp):
hash_fn = tcp.module_data['options']['hash_fn']
transaction = {
'timestamp': tcp.stream_data['stream_cache'][frame.stream_id]['start'],
'request': {
'truncated': False, #TODO support this
'body': None,
'body_len': 0,
'body_hash': '',
'hash_fn': hash_fn,
'protocol': '2'
},
'response': {
'truncated': False,
'body': None,
'body_len': 0,
'body_hash': '',
'hash_fn': hash_fn,
}
}
if tcp.stream_data['stream_cache'][frame.stream_id][direction][
'stream_ended'] and tcp.stream_data['stream_cache'][
frame.stream_id][_opposite_direction_(
direction)]['stream_ended']:
#chop.prnt("Stream: %d" % (frame.stream_id))
for d in ['request', 'response']:
headers = copy.deepcopy(
tcp.stream_data['stream_cache'][frame.stream_id][d]['headers'])
if d == 'request':
headers[':stream_id'] = frame.stream_id
method = headers.get(':method', None)
path = headers.get(':path', None)
if ':method' in headers:
del headers[':method']
if ':path' in headers:
del headers[':path']
transaction[d]['method'] = method
transaction[d]['uri'] = path
else:
status = headers.get(':status', None)
if ':status' in headers:
del headers[':status']
transaction[d]['status'] = status
transaction[d]['headers'] = headers
#chop.prnt("\tHeaders: %s" % (headers))
if tcp.stream_data['stream_cache'][
frame.stream_id][d]['data'] is not None:
content_encoding = headers.get('content-encoding', None)
mimetype = headers.get('content-type', None)
if mimetype is not None:
mimetype = mimetype.split(';', 1)[0]
content_disposition = headers.get('content-disposition', None)
if content_encoding == 'gzip':
try:
dataStream = BytesIO(tcp.stream_data['stream_cache'][
frame.stream_id][d]['data'])
gdata = gzip.GzipFile(fileobj=dataStream, mode='rb')
data = gdata.read()
except Exception as e:
chop.prnt("Warning: Unable to gzip file")
data = tcp.stream_data['stream_cache'][
frame.stream_id][d]['data']
else:
data = tcp.stream_data['stream_cache'][
frame.stream_id][d]['data']
if mimetype is None:
try:
import magic
except ImportError:
pass
else:
try:
mimetype = magic.from_buffer(data, mime=True)
except Exception as e:
chop.prnt(
"Warning: Unable to get mime type of file: %s"
% (str(e)))
filename = 'noname'
if d == 'response':
if content_disposition is None:
if transaction['request']['uri'] is not None:
raw_path = transaction['request']['uri']
raw_path = raw_path.split('?', 1)[0]
path_parts = os.path.split(raw_path)
outPath = None
while (len(path_parts) > 0):
if path_parts[-1] == '':
path_parts = path_parts[:-1]
continue
else:
outPath = os.path.basename(path_parts[-1])
break
if outPath is None or outPath == '':
outPath = 'index'
filename = sanitize_filename(outPath)
else:
filename = sanitize_filename(content_disposition)
#chop.prnt("\tData Name: %s, Length: %d, Type: %s" % (filename, len(data), mimetype))
((src, sport), (dst, dport)) = parse_addr(tcp)
chop.savefile(
"%d-%s-%d-%s-%d-%d-%s" %
(tcp.timestamp, src, sport, dst, dport, frame.stream_id,
filename), data)
transaction[d]['body'] = data
transaction[d]['body_len'] = len(data)
transaction[d]['body_hash'] = __hash_function__(
data).hexdigest()
#chop.prnt("\n")
#chop.prnt('\n')
del tcp.stream_data['stream_cache'][frame.stream_id]
#chop.prnt(tcp.stream_data['stream_cache'].keys())
#chop.prnt(json.dumps(transaction, indent=4))
chopp = ChopProtocol('http')
chopp.setClientData(transaction['request'])
chopp.setServerData(transaction['response'])
chopp.setTimeStamp(transaction['timestamp'])
chopp.setAddr(tcp.addr)
chopp.flowStart = tcp.stream_data['flowStart']
return chopp
else:
return None
def handleStream(tcp):
# Make sure this is really SSL. Sadly we can't do this in taste()
# because there is no payload data available that early.
data = ''
((src, sport), (dst, dport)) = parse_addr(tcp)
server_dlen = tcp.server.count - tcp.server.offset
client_dlen = tcp.client.count - tcp.client.offset
# If we haven't identified this as SSL yet
if tcp.stream_data['ssl'] == False:
# Do we have enough data for checks?
if tcp.server.count_new > 0 and server_dlen > 7:
# Check if proxy CONNECT
if tcp.server.data[:8] == "CONNECT ":
if tcp.module_data['verbose']:
chop.tsprnt("%s:%i -> %s:%i (%i) - CONNECT (ignored)" %
(src, sport, dst, dport, server_dlen))
tcp.discard(server_dlen)
return
# Otherwise, prepare to check if SSL handshake
data = tcp.server.data[:3]
# Do we have enough data for checks?
elif tcp.client.count_new > 0 and client_dlen > 5:
# Check if proxy CONNECT response
if tcp.client.data[:6] == "HTTP/1":
if tcp.module_data['verbose']:
chop.tsprnt("%s:%i -> %s:%i (%i) - HTTP/1 (ignored)" %
(src, sport, dst, dport, client_dlen))
tcp.discard(client_dlen)
return
# Otherwise, prepare to check if SSL handshake
data = tcp.client.data[:3]
else:
# Need more data
return
# We have data, so check if it is SSL Handshake.
# There's probably more to this, but this is good enough for now.
if data in ('\x16\x03\x00', '\x16\x03\x01', '\x16\x03\x02',
'\x16\x03\x03'):
tcp.stream_data['ssl'] = True
tcp.stream_data['chopp'] = ChopProtocol('sslim')
tcp.module_data['sslim'].callback_obj = tcp.stream_data['chopp']
else:
if tcp.module_data['verbose']:
chop.tsprnt(
"%s:%i -> %s:%i: Stopping collection, not really SSL!" %
(src, sport, dst, dport))
tcp.module_data['sslim'].done(tcp.addr)
tcp.stop()
return
# Always clear out any existing data.
tcp.stream_data['chopp'].clientData = ''
tcp.stream_data['chopp'].serverData = ''
# We have identified this connection as SSL, so just process the packets
if tcp.server.count_new > 0:
if tcp.module_data['verbose']:
chop.tsprnt("%s:%s -> %s:%s (%i)" %
(src, sport, dst, dport,
len(tcp.server.data[:tcp.server.count_new])))
try:
tcp.module_data['sslim'].parse_to_server(
tcp.server.data[:tcp.server.count_new], tcp.addr)
except sslimException as e:
if tcp.module_data['verbose']:
chop.prnt(e)
tcp.module_data['sslim'].done(tcp.addr)
tcp.stop()
return
tcp.discard(tcp.server.count_new)
if tcp.client.count_new > 0:
if tcp.module_data['verbose']:
chop.tsprnt("%s:%s -> %s:%s (%i)" %
(src, sport, dst, dport,
len(tcp.client.data[:tcp.client.count_new])))
try:
tcp.module_data['sslim'].parse_to_client(
tcp.client.data[:tcp.client.count_new], tcp.addr)
except sslimException as e:
if tcp.module_data['verbose']:
chop.prnt(e)
tcp.module_data['sslim'].done(tcp.addr)
tcp.stop()
return
tcp.discard(tcp.client.count_new)
if tcp.stream_data['chopp'].clientData or tcp.stream_data[
'chopp'].serverData:
return tcp.stream_data['chopp']
return
def handleStream(tcp):
chopp = ChopProtocol('http')
((src, sport), (dst, dport)) = parse_addr(tcp)
tcp.stream_data['htpy_obj']['timestamp'] = tcp.timestamp
if tcp.server.count_new > 0:
if tcp.module_data['options']['verbose']:
chop.tsprnt("%s:%s->%s:%s (%i)" %
(src, sport, dst, dport, tcp.server.count_new))
try:
tcp.stream_data['connparser'].req_data(
tcp.server.data[:tcp.server.count_new])
except htpy.stop:
tcp.stop()
except htpy.error:
chop.prnt("Stream error in htpy.")
tcp.stop()
tcp.discard(tcp.server.count_new)
elif tcp.client.count_new > 0:
if tcp.module_data['options']['verbose']:
chop.tsprnt("%s:%s->%s:%s (%i)" %
(src, sport, dst, dport, tcp.client.count_new))
try:
tcp.stream_data['connparser'].res_data(
tcp.client.data[:tcp.client.count_new])
except htpy.stop:
tcp.stop()
except htpy.error:
chop.prnt("Stream error in htpy.")
tcp.stop()
tcp.discard(tcp.client.count_new)
if tcp.stream_data['htpy_obj']['ready']:
trans = tcp.stream_data['htpy_obj']['transaction']
chopp.setClientData(trans['request'])
chopp.setServerData(trans['response'])
chopp.setTimeStamp(trans['timestamp'])
chopp.setAddr(tcp.addr)
chopp.flowStart = tcp.stream_data['htpy_obj']['flowStart']
tcp.stream_data['htpy_obj']['ready'] = False
return chopp
return None
def handleProtocol(chopp):
if chopp.type != 'sslim':
return
stream_data = chopp.stream_data
if 'htpy_obj' not in stream_data:
stream_data['htpy_obj'] = \
__htpyObj__(chopp.module_data['options'], chopp.timestamp)
stream_data['connparser'] = register_connparser()
stream_data['connparser'].set_obj(stream_data['htpy_obj'])
((src, sport), (dst, dport)) = chopp.addr
stream_data['htpy_obj'].timestamp = chopp.timestamp
if chopp.clientData:
if chopp.module_data['options']['verbose']:
chop.tsprnt("%s:%s->%s:%s" % (src, sport, dst, dport))
try:
stream_data['connparser'].req_data(chopp.clientData)
except htpy.stop:
chopp.stop()
except htpy.error:
if chopp.module_data['options']['verbose']:
chop.tsprnt("Stream error in htpy.")
chopp.stop()
return
if chopp.serverData:
if chopp.module_data['options']['verbose']:
chop.tsprnt("%s:%s->%s:%s" % (dst, dport, src, sport))
try:
stream_data['connparser'].res_data(chopp.serverData)
except htpy.stop:
chopp.stop()
except htpy.error:
if chopp.module_data['options']['verbose']:
chop.tsprnt("Stream error in htpy.")
chopp.stop()
return
if stream_data['htpy_obj'].ready:
new_chopp = ChopProtocol('http')
trans = stream_data['htpy_obj'].transaction
new_chopp.setClientData(trans['request'])
new_chopp.setServerData(trans['response'])
new_chopp.setTimeStamp(trans['timestamp'])
new_chopp.setAddr(chopp.addr)
new_chopp.flowStart = stream_data['htpy_obj'].flowStart
stream_data['htpy_obj'].ready = False
stream_data['htpy_obj'].temp = {}
stream_data['htpy_obj'].transaction = {}
return new_chopp
def handleStream(tcp):
chopp = ChopProtocol('http')
((src, sport), (dst, dport)) = parse_addr(tcp)
tcp.stream_data['htpy_obj'].timestamp = tcp.timestamp
if tcp.server.count_new > 0:
if tcp.module_data['options']['verbose']:
chop.tsprnt("%s:%s->%s:%s (%i)" %
(src, sport, dst, dport, tcp.server.count_new))
if tcp.server.count_new == 1 and tcp.module_data['options']['beast']:
tcp.discard(0)
else:
data_size = tcp.server.count - tcp.server.offset
try:
tcp.stream_data['connparser'].\
req_data(tcp.server.data[:data_size])
except htpy.stop:
tcp.stop()
except htpy.error:
if tcp.module_data['options']['verbose']:
chop.tsprnt("Stream error in htpy.")
tcp.stop()
tcp.discard(data_size)
elif tcp.client.count_new > 0:
if tcp.module_data['options']['verbose']:
chop.tsprnt("%s:%s->%s:%s (%i)" %
(src, sport, dst, dport, tcp.client.count_new))
if tcp.client.count_new == 1 and tcp.module_data['options']['beast']:
tcp.discard(0)
else:
data_size = tcp.client.count - tcp.client.offset
try:
tcp.stream_data['connparser'].\
res_data(tcp.client.data[:data_size])
except htpy.stop:
tcp.stop()
except htpy.error:
if tcp.module_data['options']['verbose']:
chop.tsprnt("Stream error in htpy.")
tcp.stop()
tcp.discard(data_size)
if tcp.stream_data['htpy_obj'].ready:
trans = tcp.stream_data['htpy_obj'].transaction
chopp.setClientData(trans['request'])
chopp.setServerData(trans['response'])
chopp.setTimeStamp(trans['timestamp'])
chopp.setAddr(tcp.addr)
chopp.flowStart = tcp.stream_data['htpy_obj'].flowStart
tcp.stream_data['htpy_obj'].ready = False
tcp.stream_data['htpy_obj'].temp = {}
tcp.stream_data['htpy_obj'].transaction = {}
return chopp
return None
def handleDatagram(udp):
((src, sport), (dst, dport)) = udp.addr
if sport != 53 and dport != 53:
udp.stop()
return
try:
o = DNSRecord.parse(udp.data)
except KeyError as e:
chop.prnt("Key error: %s" % str(e))
return
except DNSError as e:
chop.prnt("dnslib error: %s" % str(e))
return
except Exception as e:
chop.prnt("Unexpeced exception: %s" % str(e))
return
chopp = ChopProtocol('dns')
# Create the dictionary...
f = [
o.header.aa and 'AA', o.header.tc and 'TC', o.header.rd and 'RD',
o.header.ra and 'RA'
]
try:
d = {
'header': {
'id': o.header.id,
'type': QR[o.header.get_qr()],
'opcode': OPCODE[o.header.get_opcode()],
'flags': ",".join(filter(None, f)),
'rcode': RCODE[o.header.rcode]
},
'questions': o.questions
}
except DNSError as e:
chop.prnt("dnslib error: %s" % str(e))
return
except Exception as e:
chop.prnt("Unexpeted exception: %s" % str(e))
return
if OPCODE[o.header.opcode] == 'UPDATE':
f1 = 'zo'
f2 = 'pr'
f3 = 'up'
f4 = 'ad'
else:
f1 = 'q'
f2 = 'a'
f3 = 'ns'
f4 = 'ar'
dhdr = d['header']
dhdr[f1] = o.header.q
dhdr[f2] = o.header.a
dhdr[f3] = o.header.auth
dhdr[f4] = o.header.ar
d['questions'] = []
for q in o.questions:
qname = str(q.get_qname())
# Strip trailing dot.
if qname.endswith('.'):
qname = qname[:-1]
try:
dq = {
'qname': qname,
'qtype': QTYPE[q.qtype],
'qclass': CLASS[q.qclass]
}
d['questions'].append(dq)
except DNSError as e:
chop.prnt("dnslib error: %s" % str(e))
return
except Exception as e:
chop.prnt("Unexpected exception: %s" % str(e))
return
d['rr'] = []
for r in o.rr:
rname = str(r.get_rname())
# Strip trailing dot.
if rname.endswith('.'):
rname = rname[:-1]
rdata = str(r.rdata)
# Strip trailing dot.
if rdata.endswith('.'):
rdata = rdata[:-1]
try:
dr = {
'rname': rname,
'rtype': QTYPE[r.rtype],
'rclass': CLASS[r.rclass],
'ttl': r.ttl,
'rdata': rdata
}
d['rr'].append(dr)
except DNSError as e:
chop.prnt("dnslib error: %s" % str(e))
return
except Exception as e:
chop.prnt("Unexpected exception: %s" % str(e))
return
if sport == 53:
chopp.serverData = d
return chopp
elif dport == 53:
chopp.clientData = d
return chopp
return None
def handleProtocol(chopp):
if chopp.type != 'sslim':
return
stream_data = chopp.stream_data
if 'htpy_obj' not in stream_data:
stream_data['htpy_obj'] = {
'options': chopp.module_data['options'],
'timestamp': None,
'temp': {},
'transaction': {},
'lines': Queue.Queue(),
'ready': False,
'flowStart': chopp.timestamp
}
stream_data['connparser'] = register_connparser()
stream_data['connparser'].set_obj(stream_data['htpy_obj'])
((src, sport), (dst, dport)) = chopp.addr
stream_data['htpy_obj']['timestamp'] = chopp.timestamp
if chopp.clientData:
if chopp.module_data['options']['verbose']:
chop.tsprnt("%s:%s->%s:%s" % (src, sport, dst, dport))
try:
stream_data['connparser'].req_data(chopp.clientData)
except htpy.stop:
chopp.stop()
except htpy.error:
chop.prnt("Stream error in htpy.")
chopp.stop()
return
if chopp.serverData:
if chopp.module_data['options']['verbose']:
chop.tsprnt("%s:%s->%s:%s" % (dst, dport, src, sport))
try:
stream_data['connparser'].res_data(chopp.serverData)
except htpy.stop:
chopp.stop()
except htpy.error:
chop.prnt("Stream error in htpy.")
chopp.stop()
return
if stream_data['htpy_obj']['ready']:
new_chopp = ChopProtocol('http')
trans = stream_data['htpy_obj']['transaction']
new_chopp.setClientData(trans['request'])
new_chopp.setServerData(trans['response'])
new_chopp.setTimeStamp(trans['timestamp'])
new_chopp.setAddr(chopp.addr)
new_chopp.flowStart = stream_data['htpy_obj']['flowStart']
stream_data['htpy_obj']['ready'] = False
return new_chopp
return module_options
def handleDatagram(udp):
((src, sport), (dst, dport)) = udp.addr
if sport != 53 and dport != 53:
#chop.tsprnt("STOP: %s:%s->%s:%s (%i:%i)" % (src, sport, dst, dport, len(udp.data), len(udp.ip)))
udp.stop()
return
try:
o = DNSRecord.parse(udp.data)
except KeyError, e:
chop.prnt("Key error: %s" % str(e))
return
chopp = ChopProtocol('dns')
# Create the dictionary...
f = [ o.header.aa and 'AA',
o.header.tc and 'TC',
o.header.rd and 'RD',
o.header.ra and 'RA' ]
d = { 'header': {
'id': o.header.id,
'type': QR[o.header.qr],
'opcode': OPCODE[o.header.opcode],
'flags': ",".join(filter(None, f)),
'rcode': RCODE[o.header.rcode],
},
'questions': o.questions
}
