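    def run(self, f):
        """Summarise the flows of every configured honeypot in ``f`` and print
        those that satisfy the duration/size thresholds.

        ``f`` is a path to a pcap file, possibly compressed.  ``check_pcap_file``
        may unpack it into a temporary file; that file is removed on the way
        out even if summarising raises, so a failed run does not leave
        decompressed captures behind.  Output goes to stdout through
        honeysnap's own output object.  Returns ``None``.
        """
        # code to handle compressed or uncompressed pcap files
        tmpf, deletetmp = check_pcap_file(f)
        try:
            # we will just write to stdout
            out = honeysnap.output.outputSTDOUT()

            # hoist the thresholds; the loops below read them per flow
            max_seconds = self.options['seconds']
            min_bytes = self.options['bytes']

            def select(flows):
                # Keep flows shorter than max_seconds that moved more than
                # min_bytes.  Flow tuple layout assumed to be
                # (start, end, count, bytes), matching the v[0]/v[1]/v[3]
                # indexing this script always used -- TODO confirm in Summarize.
                return dict(
                    (k, v) for k, v in flows.items()
                    if (v[1] - v[0] < max_seconds) and (v[3] > min_bytes)
                )

            # handle each honeypot IP individually, makes for nicer results;
            # the pcap is re-read once per honeypot
            for hp in self.options['honeypots']:
                p = pcap.pcap(tmpf)
                # Summarize sorts the pcap data into per-port flow data
                s = honeysnap.packetSummary.Summarize(p, verbose=1)
                # filter the pcap data by honeypot IP
                filt = 'host %s' % hp
                # NOTE(review): the second argument is the builtin `file`, not
                # the pcap path `f`; looks like a typo but confirm what
                # setFilter expects before changing it.
                s.setFilter(filt, file)
                s.setOutput(out)
                s.start()
                # TCP and UDP live in separate dictionaries; replace each with
                # the subset that meets the constraints and let Summarize print
                s.tcpports = select(s.tcpports)
                s.udpports = select(s.udpports)
                s.writeResults(limit=0)
        finally:
            # all done, delete the tmp file (also on error)
            if deletetmp:
                os.unlink(tmpf)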
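    def run(self, f):
        """Summarise the flows of every configured honeypot in ``f`` and print
        those that satisfy the duration/size thresholds.

        ``f`` is a path to a pcap file, possibly compressed.  ``check_pcap_file``
        may unpack it into a temporary file; that file is removed on the way
        out even if summarising raises, so a failed run does not leave
        decompressed captures behind.  Output goes to stdout through
        honeysnap's own output object.  Returns ``None``.
        """
        # code to handle compressed or uncompressed pcap files
        tmpf, deletetmp = check_pcap_file(f)
        try:
            # we will just write to stdout
            out = honeysnap.output.outputSTDOUT()

            # hoist the thresholds; the loops below read them per flow
            max_seconds = self.options['seconds']
            min_bytes = self.options['bytes']

            def select(flows):
                # Keep flows shorter than max_seconds that moved more than
                # min_bytes.  Flow tuple layout assumed to be
                # (start, end, count, bytes), matching the v[0]/v[1]/v[3]
                # indexing this script always used -- TODO confirm in Summarize.
                return dict(
                    (k, v) for k, v in flows.items()
                    if (v[1] - v[0] < max_seconds) and (v[3] > min_bytes)
                )

            # handle each honeypot IP individually, makes for nicer results;
            # the pcap is re-read once per honeypot
            for hp in self.options['honeypots']:
                p = pcap.pcap(tmpf)
                # Summarize sorts the pcap data into per-port flow data
                s = honeysnap.packetSummary.Summarize(p, verbose=1)
                # filter the pcap data by honeypot IP
                filt = 'host %s' % hp
                # NOTE(review): the second argument is the builtin `file`, not
                # the pcap path `f`; looks like a typo but confirm what
                # setFilter expects before changing it.
                s.setFilter(filt, file)
                s.setOutput(out)
                s.start()
                # TCP and UDP live in separate dictionaries; replace each with
                # the subset that meets the constraints and let Summarize print
                s.tcpports = select(s.tcpports)
                s.udpports = select(s.udpports)
                s.writeResults(limit=0)
        finally:
            # all done, delete the tmp file (also on error)
            if deletetmp:
                os.unlink(tmpf)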
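    def run(self, f):
        """Summarise the flows of every configured honeypot in ``f`` and print
        those that cross the duration/bytes/packets thresholds.

        ``f`` is a path to a pcap file, possibly compressed.  ``check_pcap_file``
        may unpack it into a temporary file; that file is removed on the way
        out even if summarising raises.  With ``--or`` (``options["join"]``)
        crossing any one threshold is enough, otherwise all three must be
        crossed.  An optional ``options["filter"]`` is AND-ed onto the
        per-honeypot ``host`` filter.  Output goes to stdout through
        honeysnap's own output object.  Returns ``None``.
        """
        # code to handle compressed or uncompressed pcap files
        tmpf, deletetmp = check_pcap_file(f)
        try:
            # we will just write to stdout
            out = honeysnap.output.outputSTDOUT()

            # if --or specified, then violation of any threshold will log the
            # flow; otherwise all thresholds must be crossed
            combine = any if self.options["join"] else all

            max_seconds = self.options["seconds"]
            max_bytes = self.options["bytes"]
            max_packets = self.options["packets"]
            extra_filter = self.options["filter"]

            def select(flows):
                # Keep the flows whose (duration, bytes, packets) cross the
                # thresholds under the chosen any/all rule.  Flow tuple layout
                # is (start, end, count, bytes), as unpacked here.
                kept = {}
                for k, v in flows.items():
                    start, end, count, nbytes = v
                    duration = end - start
                    if combine((
                        duration > max_seconds,
                        nbytes > max_bytes,
                        count > max_packets,
                    )):
                        kept[k] = v
                return kept

            # handle each honeypot IP individually, makes for nicer results;
            # the pcap is re-read once per honeypot
            for hp in self.options["honeypots"]:
                p = pcap.pcap(tmpf)
                # Summarize sorts the pcap data into per-port flow data
                s = honeysnap.packetSummary.Summarize(p)
                # filter the pcap data by honeypot IP.  The user filter is
                # parenthesised: in pcap filter syntax "and" binds tighter
                # than "or", so "host X and a or b" would otherwise match
                # "b" traffic that does not involve the honeypot at all.
                filt = "host %s" % hp
                if extra_filter:
                    filt = "%s and (%s)" % (filt, extra_filter)
                # NOTE(review): the second argument is the builtin `file`, not
                # the pcap path `f`; looks like a typo but confirm what
                # setFilter expects before changing it.
                s.setFilter(filt, file)
                s.setOutput(out)
                s.start()
                # TCP and UDP live in separate dictionaries; replace each with
                # the subset that meets the constraints and let Summarize print
                s.tcpports = select(s.tcpports)
                s.udpports = select(s.udpports)
                s.writeResults(limit=0)
        finally:
            # all done, delete the tmp file (also on error)
            if deletetmp:
                os.unlink(tmpf)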
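    def run(self, f):
        """Summarise the flows of every configured honeypot in ``f`` and print
        those that cross the duration/bytes/packets thresholds.

        ``f`` is a path to a pcap file, possibly compressed.  ``check_pcap_file``
        may unpack it into a temporary file; that file is removed on the way
        out even if summarising raises.  With ``--or`` (``options['join']``)
        crossing any one threshold is enough, otherwise all three must be
        crossed.  An optional ``options['filter']`` is AND-ed onto the
        per-honeypot ``host`` filter.  Output goes to stdout through
        honeysnap's own output object.  Returns ``None``.
        """
        # code to handle compressed or uncompressed pcap files
        tmpf, deletetmp = check_pcap_file(f)
        try:
            # we will just write to stdout
            out = honeysnap.output.outputSTDOUT()

            # if --or specified, then violation of any threshold will log the
            # flow; otherwise all thresholds must be crossed
            combine = any if self.options['join'] else all

            max_seconds = self.options['seconds']
            max_bytes = self.options['bytes']
            max_packets = self.options['packets']
            extra_filter = self.options['filter']

            def select(flows):
                # Keep the flows whose (duration, bytes, packets) cross the
                # thresholds under the chosen any/all rule.  Flow tuple layout
                # is (start, end, count, bytes), as unpacked here.
                kept = {}
                for k, v in flows.items():
                    start, end, count, nbytes = v
                    duration = end - start
                    if combine((
                        duration > max_seconds,
                        nbytes > max_bytes,
                        count > max_packets,
                    )):
                        kept[k] = v
                return kept

            # handle each honeypot IP individually, makes for nicer results;
            # the pcap is re-read once per honeypot
            for hp in self.options['honeypots']:
                p = pcap.pcap(tmpf)
                # Summarize sorts the pcap data into per-port flow data
                s = honeysnap.packetSummary.Summarize(p)
                # filter the pcap data by honeypot IP.  The user filter is
                # parenthesised: in pcap filter syntax "and" binds tighter
                # than "or", so "host X and a or b" would otherwise match
                # "b" traffic that does not involve the honeypot at all.
                filt = 'host %s' % hp
                if extra_filter:
                    filt = '%s and (%s)' % (filt, extra_filter)
                # NOTE(review): the second argument is the builtin `file`, not
                # the pcap path `f`; looks like a typo but confirm what
                # setFilter expects before changing it.
                s.setFilter(filt, file)
                s.setOutput(out)
                s.start()
                # TCP and UDP live in separate dictionaries; replace each with
                # the subset that meets the constraints and let Summarize print
                s.tcpports = select(s.tcpports)
                s.udpports = select(s.udpports)
                s.writeResults(limit=0)
        finally:
            # all done, delete the tmp file (also on error)
            if deletetmp:
                os.unlink(tmpf)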