def packethandler(i,payload):
dt = time()
# Get IP packet
data = payload.get_data()
pkt = ip.IP(data)
# Print some packet info
# print ""
print ">> Got packet, saddr: " + str(inet_ntoa(pkt.src)) + ", sport: " + str(pkt.tcp.sport) + ", daddr: " + str(inet_ntoa(pkt.dst)) + ", dport: " + str (pkt.tcp.dport) + ", seq: " + str(pkt.tcp.seq)
# print ""
# Start volatility script to look for the application that matches the port number
f = os.popen("python vol.py -l firewire://forensic1394//0 --profile=LinuxLinux-3_13_0-24-genericx64 linux_syswall --dport " + str(pkt.tcp.dport))
content = f.readlines()
decision = content[-1].strip()
print ">> Volatility plugin decision is: " + decision
f.close()
# Act on the decision about the packet
if decision == 'accept':
payload.set_verdict(nfqueue.NF_ACCEPT)
elif decision == 'drop':
payload.set_verdict(nfqueue.NF_DROP)
else:
print ">> Unrecognized decision: " + decision + ", allowing packet..."
print ">> Dump content:"
print content
payload.set_verdict(nfqueue.NF_ACCEPT)
# Done with one packet
print ">> Processed a packet in " + str(round((time() - dt), 2)) + "s"
sys.stdout.flush()
return 1
def Connection(procmon, dns, packet_id, payload):
data = payload
pkt = ip.IP(data)
src_addr = inet_ntoa(pkt.src)
dst_addr = inet_ntoa(pkt.dst)
hostname = dns.get_hostname(dst_addr)
src_port = None
dst_port = None
proto = None
app = None
if pkt.p == ip.IP_PROTO_TCP:
proto = 'tcp'
src_port = pkt.tcp.sport
dst_port = pkt.tcp.dport
elif pkt.p == ip.IP_PROTO_UDP:
proto = 'udp'
src_port = pkt.udp.sport
dst_port = pkt.udp.dport
elif pkt.p == ip.IP_PROTO_ICMP:
proto = 'icmp'
src_port = None
dst_port = None
if proto == 'icmp':
app = Application(None, None, None)
elif None not in (proto, src_addr, dst_addr):
pid = proc.get_pid_by_connection(src_addr, src_port, dst_addr,
dst_port, proto)
app = Application(pid, *proc._get_app_path_and_cmdline(procmon, pid))
return _Connection(packet_id, data, pkt, src_addr, dst_addr, hostname,
src_port, dst_port, proto, app)
def cb(payload):
try:
print("Packet received")
print("seq: [%d]" % payload.get_seq())
print(" payload len ", payload.get_length())
try:
tv = payload.get_timestamp()
d = datetime.fromtimestamp(tv.tv_sec + (tv.tv_usec / 1000000.))
print(" timestamp: ", d)
except RuntimeError as e:
#print(e.args[0])
pass
data = payload.get_data()
pkt = ip.IP(data)
if pkt.p == ip.IP_PROTO_ICMP:
print(" ICMP: %s > %s type %d code %d" % (inet_ntoa(pkt.src),inet_ntoa(pkt.dst),pkt.icmp.type,pkt.icmp.code))
elif pkt.p == ip.IP_PROTO_TCP:
print(" TCP: %s:%d > %s:%d" % (inet_ntoa(pkt.src),pkt.tcp.sport,inet_ntoa(pkt.dst),pkt.tcp.dport))
elif pkt.p == ip.IP_PROTO_UDP:
print(" UDP: %s:%d > %s:%d" % (inet_ntoa(pkt.src),pkt.udp.sport,inet_ntoa(pkt.dst),pkt.udp.dport))
else:
print(" unknown proto %d: %s > %s" % (pkt.p,inet_ntoa(pkt.src),inet_ntoa(pkt.dst)))
sys.stdout.flush()
return 1
except KeyboardInterrupt:
print("interrupted in callback")
global l
print("stop the loop")
l.stop_loop()
def cb(payload):
global count
print "python callback called !"
count += 1
data = payload.get_data()
pkt = ip.IP(data)
if pkt.p == ip.IP_PROTO_TCP:
print " len %d proto %s src: %s:%s dst %s:%s " % (
payload.get_length(),
pkt.p,
inet_ntoa(pkt.src),
pkt.tcp.sport,
inet_ntoa(pkt.dst),
pkt.tcp.dport,
)
else:
print " len %d proto %s src: %s dst %s " % (
payload.get_length(),
pkt.p,
inet_ntoa(pkt.src),
inet_ntoa(pkt.dst),
)
payload.set_verdict(nfqueue.NF_ACCEPT)
sys.stdout.flush()
return 1
def cb(payload):
print "payload len ", payload.get_length()
data = payload.get_data()
pkt = ip.IP(data)
print "proto:", pkt.p
print "source: %s" % inet_ntoa(pkt.src)
print "dest: %s" % inet_ntoa(pkt.dst)
if pkt.p == ip.IP_PROTO_TCP:
print " sport: %s" % pkt.tcp.sport
print " dport: %s" % pkt.tcp.dport
print " flags: %s" % pkt.tcp.flags
if pkt.tcp.flags & tcp.TH_PUSH:
pkt2 = pkt
print "PUSH *****"
print pkt2.tcp.data
old_len = len(pkt2.tcp.data)
#pkt2.tcp.data = "GET /\r\n"
pkt2.tcp.data = str(pkt2.tcp.data).replace('love', 'hate')
print pkt2.tcp.data
pkt2.len = pkt2.len - old_len + len(pkt2.tcp.data)
pkt2.tcp.sum = 0
pkt2.sum = 0
ret = payload.set_verdict_modified(nfqueue.NF_ACCEPT, str(pkt2),
len(pkt2))
print "ret = ", ret
return 0
payload.set_verdict(nfqueue.NF_ACCEPT)
sys.stdout.flush()
return 1
def cb(payload):
try:
print "Packet received"
print "seq: [%d]" % payload.get_seq()
print " payload len ", payload.get_length()
try:
tv = payload.get_timestamp()
d = datetime.fromtimestamp(tv.tv_sec + (tv.tv_usec / 1000000.))
print " timestamp: ", d
except RuntimeError, e:
#print e.args[0]
pass
data = payload.get_data()
pkt = ip.IP(data)
if pkt.p == ip.IP_PROTO_ICMP:
print " ICMP: %s > %s type %d code %d" % (inet_ntoa(pkt.src),inet_ntoa(pkt.dst),pkt.icmp.type,pkt.icmp.code)
elif pkt.p == ip.IP_PROTO_TCP:
print " TCP: %s:%d > %s:%d" % (inet_ntoa(pkt.src),pkt.tcp.sport,inet_ntoa(pkt.dst),pkt.tcp.dport)
elif pkt.p == ip.IP_PROTO_UDP:
print " UDP: %s:%d > %s:%d" % (inet_ntoa(pkt.src),pkt.udp.sport,inet_ntoa(pkt.dst),pkt.udp.dport)
else:
print " unknown proto %d: %s > %s" % (pkt.p,inet_ntoa(pkt.src),inet_ntoa(pkt.dst))
sys.stdout.flush()
return 1
def cb(i, payload):
data = payload.get_data()
pkt = ip.IP(data)
print ""
print "proto:", pkt.p
print "source: %s" % inet_ntoa(pkt.src)
print "dest: %s" % inet_ntoa(pkt.dst)
text_dst = None
if pkt.p == ip.IP_PROTO_TCP:
print " sport: %s" % pkt.tcp.sport
print " dport: %s" % pkt.tcp.dport
text = "%s:%s => %s:%s" % (inet_ntoa(
pkt.src), pkt.tcp.sport, inet_ntoa(pkt.dst), pkt.tcp.dport)
text_dst = "%s:%s" % (inet_ntoa(pkt.dst), pkt.tcp.dport)
if (not (pkt.tcp.flags & tcp.TH_SYN)):
return payload.set_verdict(nfqueue.NF_ACCEPT)
else:
text = "%s => %s" % (inet_ntoa(pkt.src), inet_ntoa(pkt.dst))
if text_dst and decisions.has_key(text_dst):
print "shortcut: %s (%d)" % (text_dst, decisions[text_dst])
return payload.set_verdict(decisions[text_dst])
reply = QMessageBox.question(None, 'accept packet ?', text,
QMessageBox.Yes, QMessageBox.No)
if reply == QMessageBox.Yes:
payload.set_verdict(nfqueue.NF_ACCEPT)
decisions[text_dst] = nfqueue.NF_ACCEPT
else:
payload.set_verdict(nfqueue.NF_DROP)
decisions[text_dst] = nfqueue.NF_DROP
return 0
def __init__(self, procmon, desktop_parser, payload):
self.data = payload
self.pkt = ip.IP( self.data )
self.src_addr = inet_ntoa( self.pkt.src )
self.dst_addr = inet_ntoa( self.pkt.dst )
self.hostname = None
self.src_port = None
self.dst_port = None
self.proto = None
self.app = None
if self.pkt.p == ip.IP_PROTO_TCP:
self.proto = 'tcp'
self.src_port = self.pkt.tcp.sport
self.dst_port = self.pkt.tcp.dport
elif self.pkt.p == ip.IP_PROTO_UDP:
self.proto = 'udp'
self.src_port = self.pkt.udp.sport
self.dst_port = self.pkt.udp.dport
if None not in ( self.proto, self.src_addr, self.src_port, self.dst_addr, self.dst_port ):
try:
self.service = getservbyport( int(self.dst_port), self.proto )
except:
self.service = None
self.pid, self.app_path = get_pid_by_connection( procmon,
self.src_addr,
self.src_port,
self.dst_addr,
self.dst_port,
self.proto )
self.app = Application(procmon, desktop_parser,
self.pid, self.app_path)
self.app_path = self.app.path
def main():
# Ethernet header
eth = ethernet.Ethernet()
eth.src = "\x00\x0c\x29\xdf\xe3\xca"
eth.dst = "\x00\x0c\x29\x29\x85\xdc"
eth.type = ethernet.ETH_TYPE_IP
# IP header
ipp = ip.IP()
ipp.src = socket.inet_aton("172.168.177.133")
ipp.dst = socket.inet_aton("172.168.177.136")
ipp.p = ip.IP_PROTO_TCP
# TCP header
tcpp = tcp.TCP()
tcpp.sport = 60001
tcpp.dport = 80
tcpp.flags = tcp.TH_SYN
tcpp.sum = 0
tcpp.data = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x10"
ipp.data = tcpp
ipp.len = len(ipp.pack())
ipp.sum = 0
eth.data = ipp
# open sockets using the socket handler
sock_l2 = SocketHndl(iface_name="eth2", mode=SocketHndl.MODE_LAYER_2)
# send raw bytes
sock_l2.send(eth.pack())
def print_and_accept(pkt):
global connections, tlsconnections
payload = pkt.get_payload()
ckey = (socket.inet_ntoa(payload[12:16]), socket.inet_ntoa(payload[16:20]),
struct.unpack('!H', payload[20:22])[0],
struct.unpack('!H', payload[22:24])[0])
# PHASE 1
try:
if ord(payload[9]) == 6:
phase1.queue_packet(payload)
# phase1.process_pkt(x)
if len(payload) == 40:
pkt.accept()
return
except:
traceback.print_exc(file=sys.stderr)
# PHASE 2
try:
if ord(payload[9]) == 6:
if ckey in tlsconnections:
if tlsconnections[ckey].startreplace:
# x = get_packet(payload)
w = ip.IP(payload)
datasize = len(str(w.tcp.data))
if datasize > 0:
#print 'DATA TO REPLACE'
newpayload = tlsconnections[ckey].getnewpayload(
datasize - 7, w.tcp.seq)
if len(newpayload) > 0:
print 'SENDING DATA', datetime.datetime.now()
padsize = datasize - 7 - len(newpayload)
newpayload += '0' * padsize
payload = newpayload + struct.pack('>H', padsize)
# x[TCP].payload = chr(23) + chr(3) + chr(3) + struct.pack('!H',len(payload)) + payload
w.tcp.data = chr(23) + chr(3) + chr(3) + struct.pack(
'!H', len(payload)) + payload
w.sum = 0
w.tcp.sum = 0
changed = True
pkt.set_payload(str(w))
except:
print("Padsize {}".format(padsize))
traceback.print_exc(file=sys.stderr)
pkt.accept()
def cb(self, i, payload):
global count
global countH
global countHS
global countWP
global countO
global countE
print "\n\n========================Packet Detected========================"
count += 1
data = payload.get_data()
pkt = ip.IP(data)
try:
print "|-----------------------------------------------------------------|"
print "| length | protocol | Source IP : Port | Destination IP : Port |"
print "| %s | %s |%s:%s|%s:%s|" % (str(
payload.get_length()), protocol[str(pkt.p)], inet_ntoa(
pkt.src), pkt.tcp.sport, inet_ntoa(pkt.dst), pkt.tcp.dport)
print "|-----------------------------------------------------------------|"
except:
countE += 1
e = sys.exc_info()[0]
logf.write(
"%d) Error.\n DateTime: %s"
" \n Error: %s \n" %
(str(countE), str(time.asctime(time.localtime(
time.time()))), str(e)))
if str(pkt.p) == "6":
print "========================TCP/IP Detected========================"
if str(pkt.tcp.dport) == "80":
#HTTP port
countH += 1
print "========================HTTP==============ACCEPTED=========="
payload.set_verdict(nfqueue.NF_ACCEPT)
elif str(pkt.tcp.dport) == "443":
#HTTPS
countHS += 1
print "========================HTTPS============ACCEPTED============"
payload.set_verdict(nfqueue.NF_ACCEPT)
else:
countWP += 1
print "\n========================ERROR!!!!!TCP on %s. Dropping Packet========================\n" % (
str(pkt.tcp.dport))
#print "TCP on %s. Dropping Packet" % (str(pkt.tcp.dport))
payload.set_verdict(nfqueue.NF_DROP)
else:
countO += 1
print "\n========================NOT TCP. DROPPED========================\n"
if str(inet_ntoa(pkt.dst)) == "10.100.99.32":
print "\n\n\n\n================================================"
print "Connecting to Abhijit? Naughty Naughty."
print "404-ing you for your own good. CLOSE DOWN. NOW!"
print "\n\n\n\n================================================"
payload.set_verdict(nfqueue.NF_DROP)
return 1
sys.stdout.flush()
return 1
def handleUdp(self, payload):
print ("python callback called !")
data = payload.get_data()
pkt = ip.IP(data)
if pkt.p == ip.IP_PROTO_TCP:
print (" len %d proto %s src: %s:%s dst %s:%s " % (payload.get_length(),pkt.p,inet_ntoa(pkt.src),pkt.tcp.sport,inet_ntoa(pkt.dst),pkt.tcp.dport))
else:
print (" len %d proto %s src: %s dst %s " % (payload.get_length(),pkt.p,inet_ntoa(pkt.src),inet_ntoa(pkt.dst)))
payload.set_verdict(nfqueue.NF_ACCEPT)
return 1
def init_vj_state(slot_id, piece):
vj_state = cstate()
vj_state.ip = ip.IP(piece[0:20])
try:
vj_state.tcp = tcp.TCP(piece[20:40])
except:
try:
vj_state.tcp = tcp.TCP(piece[21:41])
except:
return
vj_state.old_tcp = vj_state.tcp
vj_state.old_ip = vj_state.ip
comp_dict[slot_id] = vj_state
def process_packet(self, pkt):
ip_hdr = ip.IP(pkt.get_payload())
dst_ip = Net.ipbytes_to_int(ip_hdr.dst)
src_ip = Net.ipbytes_to_int(ip_hdr.src)
if ip_hdr.p == ip.IP_PROTO_TCP:
tcp_hdr = ip_hdr.data
# See if there is a container registered to the specified dst and port
container = self.container_mgr.get_container_by_endpoint(
dst_ip, tcp_hdr.dport, 6)
# Only track if this is for a container
if container is not None:
logging.debug('Found container %s', container.name)
# Store the dst address of the docker container so that
# when the connection is made to the proxy the proxy knows
# what container to start
self.container_mgr.connections.add(src_ip, tcp_hdr.sport,
dst_ip, tcp_hdr.dport)
pkt.set_mark(int(self.queue_num))
pkt.accept()
else:
pkt.drop()
elif ip_hdr.p == ip.IP_PROTO_ICMP:
# Drop all ICMP packets since the client will respond with
# the matching container
pkt.drop()
container = self.container_mgr.get_container_by_ip(dst_ip)
if container is not None:
src = ip_hdr.src
dst = ip_hdr.dst
org_dst_ip = Net.ipbytes_to_str(dst)
dst_ip = Net.ipbytes_to_str(src)
logging.debug('Echo request for %s %s', container.name,
org_dst_ip)
icmp_reply = ip_hdr
icmp_reply.src = dst
icmp_reply.dst = src
icmp_reply.data.type = icmp.ICMP_ECHOREPLY
# Setting the checksums to 0 allows them to be recalculated when
# converted to bytes. Wireshark will not match up requests/reply if
# checksums are foo'd'
icmp_reply.data.sum = 0
icmp_reply.sum = 0
self.icmp_client.sendto(bytes(icmp_reply), (dst_ip, 1))
def cb(payload):
print "python callback called !"
print "payload len ", payload.get_length()
data = payload.get_data()
pkt = ip.IP(data)
print "proto:", pkt.p
print "source: %s" % inet_ntoa(pkt.src)
print "dest: %s" % inet_ntoa(pkt.dst)
if pkt.p == ip.IP_PROTO_TCP:
print " sport: %s" % pkt.tcp.sport
print " dport: %s" % pkt.tcp.dport
payload.set_verdict(nfqueue.NF_DROP)
sys.stdout.flush()
return 1
def sniff(handler):
""" Sniffs packets and looks for icmp requests """
sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
sock.bind(('', 1))
while True:
try:
data = sock.recv(65535)
ip_pkt = ip.IP()
ip_pkt.unpack(data)
icmp_pkt = ip_pkt.data
if icmp_pkt.type == icmp.ICMP_ECHO:
ip_src = socket.inet_ntoa(ip_pkt.src)
ip_dst = socket.inet_ntoa(ip_pkt.dst)
payload = icmp_pkt.data.data
handler(payload, ip_src, ip_dst)
except:
sock.close()
def print_and_accept(pkt):
data=pkt.get_payload()
res = ip.IP(data)
res2 = IP(data)
i = ICMP(data)
t = TCP(data)
u = UDP(data)
print "SOURCE IP: %s\tDESTINATION IP: %s" % (socket.inet_ntoa(res.src),socket.inet_ntoa(res.dst))
print res2.show2()
resp=srp1(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst='192.168.0.34'),iface="eth0",timeout=2)
print resp.dst
eth_dst = resp.src
eth_src = resp.dst
eth = Ether(src=eth_src, dst=eth_dst)
eth.type = 2048
sendp(eth/res2/res2,iface="eth0")
pkt.accept()
def cb(self, i, payload):
global count
global countP
print "\n\n========================Packet Detected========================"
count += 1
data = payload.get_data()
pkt = ip.IP(data)
#protocol[str(pkt.p)],inet_ntoa(pkt.src),pkt.tcp.sport,inet_ntoa(pkt.dst),pkt.tcp.dport)
if inet_ntoa(pkt.dst) == str(ip) or str(pkt.tcp.dport) == "80":
#ICMP Protocol
print "========================Dest ", inet_ntoa(
pkt.dst), " Detected========================"
print "========================DROPPED========================"
payload.set_verdict(nfqueue.NF_DROP)
else:
print "========================ACCEPTED========================"
payload.set_verdict(nfqueue.NF_ACCEPT)
def cb(payload):
try:
print "python callback called !"
print "payload len ", payload.get_length()
data = payload.get_data()
pkt = ip.IP(data)
print "proto:", pkt.p
print "source: %s" % inet_ntoa(pkt.src)
print "dest: %s" % inet_ntoa(pkt.dst)
if pkt.p == ip.IP_PROTO_TCP:
print " sport: %s" % pkt.tcp.sport
print " dport: %s" % pkt.tcp.dport
sys.stdout.flush()
return 1
except KeyboardInterrupt:
print "interrupted in callback"
global l
print "stop the loop"
l.stop_loop()
s = (s >> 8 & 0xff) | s << 8
return s & 0xffff
tmp_packet =b'\x00\x12\xc0\x02\xac\x56\x00\x12\xc0\x00\x00\x00\x08\x00\x45\x00\x00\x2e\x00\x00\x40\x00\x40\x06\x00\x00\x0a\x0a\x58\x00\x0a\x0a\x58\xac\x00\x00\x00\x50\x00\x00\x00\x00\x00\x00\x00\x00\x50\x10\x00\x10\x00\x00\x00\x00\x41\x43\x4b\x73\x77\x66'
def getOnebyte():
tmp = randint(0,255)
return tmp.to_bytes(1,byteorder='big',signed=False)
eth = ethernet.Ethernet()
eth.src = b'\x00\x12\xc0\x02\xac' + getOnebyte()
eth.dst = b'x00\x12\xc0\x00\x00\x00'
eth_ip = ip.IP()
ip_tcp = tcp.TCP()
ip_tcp.sport = 8080
ip_tcp.dport = 80
ip_tcp.seq = 0x01
ip_tcp.ack =0x88
ip_tcp.flags = tcp.TH_SYN
ip_tcp.data = b'asasdadadadasdasdasdas'
eth_ip.len = len(ip_tcp) + 20
from dpkt import ethernet
sysintf = 'eth0'
hw = dnet.eth(sysintf)
intf = dnet.intf()
# build a dhcp discover packet to request an ip
d = dhcp.DHCP(chaddr=hw.get(),
xid=1337,
op=dhcp.DHCPDISCOVER,
opts=((dhcp.DHCP_OP_REQUEST, ''), (dhcp.DHCP_OPT_REQ_IP, ''),
(dhcp.DHCP_OPT_ROUTER, ''), (dhcp.DHCP_OPT_NETMASK, ''),
(dhcp.DHCP_OPT_DNS_SVRS, '')))
# build udp packet
u = udp.UDP(dport=67, sport=68, data=d)
u.ulen = len(u)
# build ip packet
i = ip.IP(dst=dnet.ip_aton('255.255.255.255'),
src=intf.get(sysintf)['addr'].ip,
data=u,
p=ip.IP_PROTO_UDP)
i.len = len(i)
# build ethernet frame
e = ethernet.Ethernet(dst=dnet.ETH_ADDR_BROADCAST, src=hw.get(), data=i)
# send the data out
hw.send(str(e))
# Get local ip
src_ip = socket.inet_pton(socket.AF_INET, interface.getnet())
# Generate broadcast ip and eth_addr
broadcast_ip = socket.inet_pton(socket.AF_INET, '255.255.255.255')
broadcast_eth_addr = b'\xFF\xFF\xFF\xFF\xFF\xFF'
# build a dhcp discover packet to request an ip
d = dhcp.DHCP(xid=1337,
op=dhcp.DHCPDISCOVER,
opts=((dhcp.DHCP_OP_REQUEST, b''), (dhcp.DHCP_OPT_REQ_IP, b''),
(dhcp.DHCP_OPT_ROUTER, b''), (dhcp.DHCP_OPT_NETMASK, b''),
(dhcp.DHCP_OPT_DNS_SVRS, b'')))
# build udp packet
u = udp.UDP(dport=67, sport=68, data=d)
u.ulen = len(u)
# build ip packet
i = ip.IP(dst=broadcast_ip, src=src_ip, data=u, p=ip.IP_PROTO_UDP)
i.len = len(i)
# build ethernet frame
e = ethernet.Ethernet(dst=broadcast_eth_addr, data=i)
# Inject the packet (send it out)
interface.sendpacket(bytes(e))
print('DHCP request sent!')
# Boston, MA 02110-1301, USA.
""" This modules provides classes used for packet processing.
"""
from abc import ABCMeta
import socket
import struct
from dpkt import dpkt, ethernet, ip, udp
from . import vxfld_pb2
# Protocol version
VERSION = 3
# UDP header byte length
BASE_PKT_SIZE = len(ethernet.Ethernet()) + len(ip.IP()) + len(udp.UDP())
class MsgType(object):
""" VXFLD message type.
"""
# pylint: disable=too-few-public-methods
UNKNOWN = 0 # Never used
REFRESH = 1 # vxrd <-> vxsnd packet
PROXY = 2 # vxsnd <-> vxsnd packet for flooding and proxing
SYNC = 3 # vxsnd <-> vxsnd packet for database syncing
def __init__(self):
raise NotImplementedError
def cb(i, payload):
global pkt_counter, oo_tcp_ports, oo_words, options
# every n packets, re-read list of ports
if pkt_counter % 50 == 0:
print "re-reading list of TCP ports"
oo_tcp_ports = get_list_of_tcp_ports()
print "re-reading list of words"
oo_words = get_list_of_words()
pkt_counter += 1
#print "payload len ", payload.get_length()
data = payload.get_data()
pkt = ip.IP(data)
decision = nfqueue.NF_DROP
#print "proto:", pkt.p
#print "source: %s" % inet_ntoa(pkt.src)
#print "dest: %s" % inet_ntoa(pkt.dst)
if pkt.p == ip.IP_PROTO_TCP:
#print " sport: %s" % pkt.tcp.sport
#print " dport: %s" % pkt.tcp.dport
dport = pkt.tcp.dport
if dport in oo_tcp_ports:
t = oo_tcp_ports[dport]
if t[IDX_VERDICT] == 1:
print "Port %d allowed" % dport
update_stats_for_port(dport, pkt, 1)
decision = nfqueue.NF_ACCEPT
else:
if t[IDX_VERDICT] == 0:
print "Port %d dropped" % dport
update_stats_for_port(dport, pkt, 0)
decision = nfqueue.NF_DROP
payload.set_verdict(decision)
sys.stdout.flush()
return 1
# don't check for packet return on SYN
if pkt.tcp.flags & tcp.TH_SYN and not pkt.tcp.flags & tcp.TH_ACK:
payload.set_verdict(decision)
sys.stdout.flush()
return 1
# crappy reverse check
sport = pkt.tcp.sport
if sport in oo_tcp_ports and dport >= 1024:
t = oo_tcp_ports[sport]
if t[IDX_VERDICT] == 1:
print "S Port %d allowed" % sport
#update_stats_for_port(dport, pkt, 1)
decision = nfqueue.NF_ACCEPT
else:
print "Port %d dropped" % dport
#update_stats_for_port(dport, pkt, 0)
payload.set_verdict(nfqueue.NF_DROP)
sys.stdout.flush()
return 1
if options.do_substitution:
# accepted data packet need to be modified
if pkt.tcp.flags & tcp.TH_PUSH:
pkt2 = pkt
for word in oo_words.keys():
if str(pkt.tcp.data).find(word) != -1:
# Do substitution
print "Found %s word" % word
print pkt2.tcp.data
old_len = len(pkt2.tcp.data)
pkt2.tcp.data = str(pkt2.tcp.data).replace(
word, oo_words[word][1])
pkt2.len = pkt2.len - old_len + len(pkt2.tcp.data)
pkt2.tcp.sum = 0
pkt2.sum = 0
update_stats_for_word(word)
payload.set_verdict_modified(nfqueue.NF_ACCEPT, str(pkt2),
len(pkt2))
elif decision == nfqueue.NF_DROP:
payload.set_verdict(nfqueue.NF_DROP)
payload.set_verdict(nfqueue.NF_ACCEPT)
sys.stdout.flush()
return 1
