def main(arg1):
global count
global responses
global responses_headers
global response
global response_header
#nids.param("pcap_filter", "tcp") # bpf restrict to TCP only, note
# libnids caution about fragments
nids.param("scan_num_hosts", 0) # disable portscan detection
#if len(sys.argv) == 2: # read a pcap file?
nids.param("filename", arg1)
nids.init()
nids.register_tcp(handleTcpStream)
# Loop forever (network device), or until EOF (pcap file)
# Note that an exception in the callback will break the loop!
try:
nids.run()
except nids.error, e:
print "nids/pcap error:", e
def main(arg1):
global count
global responses
global responses_headers
global response
global response_header
#global openstreams
#pcaps_file = os.listdir(arg1)
#for pcap_file in pcaps_file:
#print pcap_file
#responses_headers = []
#openstreams = {}
#responses = []
#print "Atleast entered here"
#nids.param("pcap_filter", "tcp") # bpf restrict to TCP only, note
# libnids caution about fragments
nids.param("scan_num_hosts", 0) # disable portscan detection
#if len(sys.argv) == 2: # read a pcap file?
nids.param("filename", arg1)
nids.init()
nids.register_tcp(handleTcpStream)
# Loop forever (network device), or until EOF (pcap file)
# Note that an exception in the callback will break the loop!
try:
nids.run()
except nids.error, e:
print "nids/pcap error:", e
def main():
#nids.param("pcap_filter", "tcp") # bpf restrict to TCP only, note
# libnids caution about fragments
nids.param("scan_num_hosts", 0) # disable portscan detection
nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksumming
if len(sys.argv) == 2: # read a pcap file?
nids.param("filename", sys.argv[1])
nids.init()
nids.register_tcp(handleTcpStream)
nids.register_udp(handleUDP)
nids.register_ip(handleIp)
print "pid", os.getpid()
# Loop forever (network device), or until EOF (pcap file)
# Note that an exception in the callback will break the loop!
try:
nids.run()
except nids.error, e:
print "nids/pcap error:", e
def main():
# parse args
argparser = argparse.ArgumentParser()
argparser.add_argument('PCAP', help='Path to the .pcap file to parse')
argparser.add_argument('-H',
metavar='HOST',
default='127.0.0.1',
help='Address to listen on (DEFAULT: 127.0.0.1)')
argparser.add_argument('-p',
metavar='PORT',
type=int,
default=3128,
help='Port to listen on (DEFAULT: 3128)')
argparser.add_argument('-v',
action='append_const',
const=1,
default=[],
help='Increase the verbosity level')
args = argparser.parse_args()
HOST, PORT = args.H, args.p
verbosity = len(args.v)
# setup logger
if verbosity == 0:
log_level = logging.ERROR
elif verbosity == 1:
log_level = logging.INFO
else:
log_level = logging.DEBUG
logging.basicConfig(format='%(levelname)s:%(message)s', level=log_level)
# setup the reassembler
nids.param("scan_num_hosts", 0) # disable portscan detection
nids.chksum_ctl(
[('0.0.0.0/0', False)]
) # disable checksum verification: jsunpack says it may cause missed traffic
nids.param("filename", args.PCAP)
nids.init()
nids.register_tcp(reassembleTcpStream)
logging.info("Processing TCP streams...")
nids.run()
# process the open streams, which are not processed by pynids
logging.info("Processing open streams...")
for c, stream in openstreams.items():
processTcpStream(stream)
# run proxy server
server = ProxyServer((HOST, PORT), ProxyRequestHandler)
server.allow_reuse_address = True
try:
logging.info("Proxy listening on %s:%d" % (HOST, PORT))
server.serve_forever()
except KeyboardInterrupt:
return 0
def __init__(self):
nids.param("scan_num_hosts", 0) # disable portscan detection
nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksumming
# Default attribute values
self._filter = ''
self._device = ''
self._pcapfile = ''
self._callback = lambda x: x
def main():
if len(sys.argv) == 2:
nids.param("filename", sys.argv[1])
nids.init()
nids.register_tcp(tcpcallback)
try:
nids.run()
except nids.error, e:
print "[-] Error: %s" % (e)
def main():
parser = argparse.ArgumentParser(description='minips.py - A minimal IPS', version='0.1',
epilog='EXAMPLE: %(prog)s -p test.pcap -r \'shellcode\' \n')
inputparser = parser.add_mutually_exclusive_group(required=True)
inputparser.add_argument('-d', '--device', action='store', dest='device',
help='network device to collect packets from')
inputparser.add_argument('-p', '--pcap', action='store', dest='pcap',
help='pcap file to read packets from')
parser.add_argument('-r', '--regex', action='store', dest='regex', required=True,
help='regex to match over network data')
parser.add_argument('-i', '--igncase', action='store_true', dest='igncase', default=False,
help='perform case insensitive regex match')
parser.add_argument('-m', '--multiline', action='store_true', dest='multiline', default=False,
help='perform multiline regex match')
parser.add_argument('-k', '--killtcp', action='store_true', dest='killtcp', default=False,
help='terminate matching tcp connections')
parser.add_argument('-b', '--dispbytes', action='store', dest='dispbytes', required=False,
help='max bytes to display')
args = parser.parse_args()
if args.device:
globs['device'] = args.device
nids.param('device', globs['device'])
if args.pcap:
globs['pcap'] = args.pcap
nids.param('filename', globs['pcap'])
if args.killtcp:
globs['killtcp'] = True
if args.igncase:
globs['regexflags'] |= re.IGNORECASE
if args.multiline:
globs['regexflags'] |= re.MULTILINE
globs['regexflags'] |= re.DOTALL
if args.regex:
globs['regexstr'] = args.regex
globs['regexobj'] = re.compile(globs['regexstr'], globs['regexflags'])
if args.dispbytes:
globs['dispbytes'] = int(args.dispbytes)
nids.init()
nids.register_tcp(tcpcallback)
nids.register_udp(udpcallback)
try:
nids.run()
except nids.error, e:
print "[-] Error: %s" % (e)
def main():
# Packet through Interface OR PCAP check.
if pcap_path is not '':
nids.param('filename', pcap_path)
else:
nids.param('device', interface)
nids.init()
nids.register_tcp(tcpcallback)
nids.run()
def run_parser(self, out_queue):
try:
nids.param("filename", self.pcap_path)
nids.param("scan_num_hosts", 0) # disable portscan detection
nids.init()
nids.chksum_ctl([('0.0.0.0/0', False), ])
nids.register_tcp(self._handleTcpStream)
nids.run()
except Exception:
self.messages = []
out_queue.put(self.messages)
def main(self):
#nids.param("scan_num_hosts", 0)
nids.param("filename", "test1.pcap")
nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksumming
#nids.register_udp()
nids.init()
nids.register_tcp(self.handleTcpStream)
# Loop forever (network device), or until EOF (pcap file)
# Note that an exception in the callback will break the loop!
try:
nids.run()
except nids.error, e:
print "nids/pcap error:", e
def run_parser(self, out_queue):
try:
nids.param("filename", self.pcap_path)
nids.param("scan_num_hosts", 0) # disable portscan detection
nids.init()
nids.chksum_ctl([
('0.0.0.0/0', False),
])
nids.register_tcp(self._handleTcpStream)
nids.run()
except Exception:
self.messages = []
out_queue.put(self.messages)
def run(self, conf):
self.conf = conf
self.output = open(conf.output_file, 'a')
nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksumming
nids.param('scan_num_hosts', 0) # disable portscan detection
nids.param('filename', conf.filename)
nids.init()
nids.register_udp(self.udp_handler)
try:
nids.run()
except nids.error, e:
print >> sys.stderr, 'nids/pcap error:', e
sys.exit(1)
def logPkt(addr, payload, proto=17):
tfilename = nids.param('filename')
print tfilename
pattern = re.compile(r'\/\w*.pcap')
test = re.findall(pattern, tfilename)
mystr = str(test).strip('[]\'/')
temp = mystr.split(".")
filename = temp[0]
# log a single packet, for UDP and other IP (non-TCP)
ip_p = {'proto1':'icmp', 'proto2':'igmp', 6:'tcp', 17:'udp', 41:'ipv6', 47:'gre',
50:'esp', 51:'ah', 58:'icmp6', 94:'ipip', 115:'l2tp', 255:'raw'}
if proto == 17:
fname = "%s/%s-%s-%s-%s-%s-%s.udp" % (logdir, filename, int(time.time()),
addr[0][0], addr[0][1], addr[1][0], addr[1][1])
else:
proto = ip_p.get(proto, proto)
print proto
# pktproto = ip_p[proto]
fname = "%s/%s-%s-%s-%s.%s" % (logdir, filename, int(time.time()),
long2ip(addr[0]), long2ip(addr[1]), proto)
f = open(fname, "w")
f.write(payload)
f.close()
print fname
fname = fname + ".fuzz"
try: g = open(fname, "w")
except:
print "unable to log to", logdir
return
g.write(spamsum.spamsum(payload))
g.close()
print fname
def main():
if len(sys.argv) == 2:
nids.param("filename", sys.argv[1])
nids.param("device", "all")
nids.param("tcp_workarounds", True)
nids.param("pcap_timeout", 128)
nids.param("scan_num_hosts", 0) # disable portscan detection
nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksumming
nids.init()
tcpCapturer = TCPPacketCapturer()
try:
nids.run()
except nids.error, e:
print "[-] Error: %s" % (e)
def main():
if len(sys.argv) == 2:
nids.param("filename", sys.argv[1])
nids.param("device", "all")
nids.param("tcp_workarounds", True)
nids.param("pcap_timeout", 128)
nids.param("scan_num_hosts",0) # disable portscan detection
nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksumming
nids.init()
tcpCapturer = TCPPacketCapturer()
try:
nids.run()
except nids.error, e:
print "[-] Error: %s" % (e)
def main():
# parse args
argparser = argparse.ArgumentParser()
argparser.add_argument('PCAP', help='Path to the .pcap file to parse')
argparser.add_argument('-H', metavar='HOST', default='127.0.0.1', help='Address to listen on (DEFAULT: 127.0.0.1)')
argparser.add_argument('-p', metavar='PORT', type=int, default=3128, help='Port to listen on (DEFAULT: 3128)')
argparser.add_argument('-v', action='append_const', const=1, default=[], help='Increase the verbosity level')
args = argparser.parse_args()
HOST, PORT = args.H, args.p
verbosity = len(args.v)
# setup logger
if verbosity == 0:
log_level = logging.ERROR
elif verbosity == 1:
log_level = logging.INFO
else:
log_level = logging.DEBUG
logging.basicConfig(format='%(levelname)s:%(message)s', level=log_level)
# setup the reassembler
nids.param("scan_num_hosts", 0) # disable portscan detection
nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksum verification: jsunpack says it may cause missed traffic
nids.param("filename", args.PCAP)
nids.init()
nids.register_tcp(reassembleTcpStream)
logging.info("Processing TCP streams...")
nids.run()
# process the open streams, which are not processed by pynids
logging.info("Processing open streams...")
for c, stream in openstreams.items():
processTcpStream(stream)
# run proxy server
server = ProxyServer( (HOST,PORT), ProxyRequestHandler)
server.allow_reuse_address = True
try:
logging.info("Proxy listening on %s:%d" % (HOST,PORT))
server.serve_forever()
except KeyboardInterrupt:
return 0
def process_pcap(filename, protocols=[], dports=[]):
global streams_, dports_
streams_ = []
dports_ = dports
nids.param("scan_num_hosts", 0) # disable portscan detection
nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksumming
nids.param("filename", filename) # specify pcap file to parse
nids.init()
if not protocols or TCP in protocols:
nids.register_tcp(handleTcpStream)
# Loop forever (network device), or until EOF (pcap file)
# Note that an exception in the callback will break the loop!
try:
nids.run()
except nids.error, e:
print "nids/pcap error:", e
def logTcp(tcp):
tfilename = nids.param('filename')
print tfilename
pattern = re.compile(r'\/\w*.pcap')
test = re.findall(pattern, tfilename)
mystr = str(test).strip('[]\'/')
temp = mystr.split(".")
filename = temp[0]
srcip = tcp.addr[0][0]
srcport = tcp.addr[0][1]
dstip = tcp.addr[1][0]
dstport = tcp.addr[1][1]
# client to server
fname = "%s/%s-%s-%s-%s-%s-%s-CtoS.tcp" % (logdir, filename, int(time.time()),
tcp.addr[0][0], tcp.addr[0][1], tcp.addr[1][0], tcp.addr[1][1])
try: f = open(fname, "w")
except:
print "unable to log to", logdir
return
toserver = tcp.server.data[:tcp.server.count]
f.write(toserver)
f.close()
print "Client to Server: "+fname
fname = "%s/%s-%s-%s-%s-%s-%s-CtoS-tcp.fuzz" % (logdir, filename, int(time.time()),
srcip, srcport, dstip, dstport)
try: g = open(fname, "w")
except:
print "unable to log to", logdir
return
g.write(spamsum.spamsum(toserver))
g.close()
print "Client to Server Hashed :"+fname
srcip = tcp.addr[0][0]
srcport = tcp.addr[0][1]
dstip = tcp.addr[1][0]
dstport = tcp.addr[1][1]
# server to client
fname = "%s/%s-%s-%s-%s-%s-%s-StoC.tcp" % (logdir, filename, int(time.time()),
tcp.addr[1][0], tcp.addr[1][1], tcp.addr[0][0], tcp.addr[0][1])
f = open(fname, "w")
toclient = tcp.client.data[:tcp.client.count]
f.write(toclient)
f.close()
print "Server to Client: "+fname
fname = "%s/%s-%s-%s-%s-%s-%s-StoC-tcp.fuzz" % (logdir, filename, int(time.time()),
dstip, dstport, srcip, srcport)
try: g = open(fname, "w")
except:
print "unable to log to", logdir
return
g.write(spamsum.spamsum(toclient))
g.close()
print "Sever to Client Hashed: "+fname
def main():
"""
Initialise libnids and process the pcap. This is taken from the pynids
example code.
"""
nids.param("pcap_filter", "tcp") # bpf restrict to TCP only, note
# libnids caution about fragments
nids.param("scan_num_hosts", 0) # disable portscan detection
nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksumming
if len(sys.argv) == 2: # read a pcap file?
nids.param("filename", sys.argv[1])
nids.init()
nids.register_tcp(handleTcpStream)
# Loop forever (network device), or until EOF (pcap file)
# Note that an exception in the callback will break the loop!
try:
nids.run()
except nids.error, e:
print "nids/pcap error:", e
def main():
args = sys.argv[1:]
print args
# Default to listening to all devices
nids.param("device", 'any')
nids.param("pcap_filter", ' '.join(args) + ' and tcp')
# disable portscan detection
nids.param("scan_num_hosts", 0)
# disable check-summing
nids.chksum_ctl([('0.0.0.0/0', False)])
nids.init()
(uid, gid) = pwd.getpwnam(NOTROOT)[2:4]
os.setgroups([gid, ])
os.setgid(gid)
os.setuid(uid)
if 0 in [os.getuid(), os.getgid()] + list(os.getgroups()):
print "error - drop root, please!"
sys.exit(1)
nids.register_tcp(handle_tcp)
while True:
try:
nids.next()
except nids.error, e:
print "nids/pcap error:", e
def main():
global count
global responses
#nids.param("pcap_filter", "tcp") # bpf restrict to TCP only, note
# libnids caution about fragments
nids.param("scan_num_hosts", 0) # disable portscan detection
#if len(sys.argv) == 2: # read a pcap file?
nids.param("filename", sys.argv[1])
nids.init()
nids.register_tcp(handleTcpStream)
# Loop forever (network device), or until EOF (pcap file)
# Note that an exception in the callback will break the loop!
try:
nids.run()
except nids.error, e:
print "nids/pcap error:", e
def __init__(
self,
protocol_uri,
protocol_opts,
pcap_filepath,
output_dir,
log_level,
log_to_stdout,
stats_file=None,
dst=None,
dest_port=None,
src=None,
src_port=None,
start_date=None,
):
self._log_to_stdout = log_to_stdout
self._log_level = log_level
self._proto_uri = protocol_uri
self._proto_opts = protocol_opts
self._dest_port = dest_port
self._src_port = src_port
self._src = src
self._dst = dst
self.output_dir = output_dir
self._pcap_filepath = pcap_filepath
self._start_date = start_date
nids.param("scan_num_hosts", 0) # disable portscan detection
nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksumming
nids.param("filename", pcap_filepath)
self.stream_parsers = {}
self.stats = {}
if stats_file is None:
now = datetime.utcnow()
formatted_time = now.strftime("%Y-%m-%d--%H-%M-%S")
self.stats_file_path = os.path.join(
self.output_dir, "stats_{}.txt".format(formatted_time))
else:
self.stats_file_path = stats_file
def main():
nids.param("pcap_filter", "vlan and port 25")
nids.param("scan_num_hosts", 0)
nids.chksum_ctl([('0.0.0.0/0', False)])
nids.param("filename", sys.argv[1])
nids.init()
nids.register_tcp(tcp_callback)
nids.run()
def nids_init(self):
nids.param("device", self.interface)
nids.param("pcap_filter", "port 80")
nids.param("san_num_hosts", 0)
#nids.param("dev_addon", ?) #might need this for monitor mode
nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksumming
nids.init()
nids.register_tcp(self.handle_tcp)
self.nids = nids
def __init__(self,fname=None,iface='all'):
threading.Thread.__init__(self)
nids.param("scan_num_hosts", 0)
nids.chksum_ctl([('0.0.0.0/0', False)])
if fname:
nids.param("filename", fname)
else:
nids.param("device", iface)
nids.init()
nids.register_tcp(Nids.handler)
def __init__(self, fname=None, iface='all'):
threading.Thread.__init__(self)
nids.param("scan_num_hosts", 0)
nids.chksum_ctl([('0.0.0.0/0', False)])
if fname:
nids.param("filename", fname)
else:
nids.param("device", iface)
nids.init()
nids.register_tcp(Nids.handler)
def extract_flows(pcap_file):
global ts, requestdata, responsedata, requestcounter, http_req
ts, requestdata, responsedata, requestcounter, http_req = \
dict([]), dict([]), dict([]), dict([]), dict([])
nids.param("tcp_workarounds", 1)
nids.param("pcap_filter", "tcp") # bpf restrict to TCP only, note
nids.param("scan_num_hosts", 0) # disable portscan detection
nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksumming
nids.param("filename", pcap_file)
nids.init()
nids.register_tcp(handle_tcp_stream)
# print "pid", os.getpid()
if DEBUG: print "Reading from pcap file:", pcap_file
try:
nids.run()
except nids.error, e:
print "nids/pcap error: ", pcap_file + " ", e
def start(self):
if self._filter:
nids.param("pcap_filter", self._filter)
if self._pcapfile:
nids.param("filename", self._pcapfile)
elif self._device:
nids.param("device", self._device)
# Initializing libnids
nids.init()
# Registering the handler
nids.register_tcp(lambda tcp: self._handle_tcp_stream(tcp))
# Running nids
nids.run()
def __init__(self, filename, protocol, port=None):
threading.Thread.__init__(self)
self.port = port
self.protocol = protocol
self.done = False
self.connection_list = deque()
self.lock = threading.Lock()
self.delete_read_connections = False
self.last_read_index = -1
nids.param("filename", filename)
nids.chksum_ctl([('0.0.0.0/0', False)])
if port is None:
nids.param("pcap_filter", "{}".format(self.protocol))
else:
nids.param("pcap_filter",
"{} port {}".format(self.protocol, self.port))
def run(self, config):
self.config = config
self.config.output = open(self.config.output_file, 'a')
nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksumming
nids.param('scan_num_hosts', 0) # disable portscan detection
if self.config.filename:
nids.param('filename', self.config.filename)
else:
nids.param('filename', '-')
nids.init()
self.stream_handler = StreamHandler(self.config)
nids.register_tcp(self.stream_handler.handle)
try:
nids.run()
except nids.error, e:
print >> sys.stderr, 'nids/pcap error:', e
sys.exit(-1)
def main():
global extract
extract = False
pcap = False
if "-e" in sys.argv:
extract = True
nids.param("scan_num_hosts", 0)
for arg in sys.argv[1:]:
if arg.endswith('.pcap'):
pcap = True
nids.param("filename", arg)
if not pcap:
nids.param("device", "eth0")
nids.init()
nids.register_tcp(handleTcpStream)
try:
nids.run()
except nids.error, e:
print "nids/pcap error:", e
def extract(pcap_file):
global ip_to_domain
global ips
ips = {}
ip_to_domain = {}
nids.param("tcp_workarounds", 1)
nids.param("scan_num_hosts", 0) # disable portscan detection
nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksumming
nids.param("filename", pcap_file)
nids.init()
nids.register_tcp(handle_tcp_stream)
nids.register_udp(udp_callback)
try:
nids.run()
except Exception, e:
print "Exception ", pcap_file + " ", e
return
def extract(pcap_file):
global ip_to_domain
global ips
ips = {}
ip_to_domain = {}
nids.param("tcp_workarounds", 1)
nids.param("scan_num_hosts", 0) # disable portscan detection
nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksumming
nids.param("filename", pcap_file)
nids.init()
nids.register_tcp(handle_tcp_stream)
nids.register_udp(udp_callback)
try:
nids.run()
except Exception, e:
print "Exception ", pcap_file + " ", e
return
def run(self, config):
self.config = config
self.stream_handler = StreamHandler(self.config)
nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksumming
nids.param('scan_num_hosts', 0) # disable portscan detection
if self.config.filename:
nids.param('filename', self.config.filename)
else:
nids.param('device', self.config.interface)
nids.init()
nids.register_tcp(self.stream_handler.tcp_callback)
#nids.register_udp(self.stream_handler.udp_callback)
try:
nids.run()
except nids.error, e:
print >> sys.stderr, 'nids/pcap error:', e
print >> sys.stderr, 'Error in %s' % self.filename
traceback.print_exc(file=sys.stderr)
def run(self, config):
self.config = config
self.stream_handler = StreamHandler(self.config)
nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksumming
nids.param('scan_num_hosts', 0) # disable portscan detection
if self.config.filename:
nids.param('filename', self.config.filename)
else:
nids.param('device', self.config.interface)
nids.init()
nids.register_tcp(self.stream_handler.tcp_callback)
#nids.register_udp(self.stream_handler.udp_callback)
try:
nids.run()
except nids.error, e:
print >> sys.stderr, 'nids/pcap error:', e
print >> sys.stderr, 'Error in %s' % self.filename
traceback.print_exc(file=sys.stderr)
def parse_pcap(self,options,file):
try:
import nids
except:
options.log.error("failed to import LibNIDS are you sure it's installed")
sys.exit(-1)
self.http_stream_list = []
self.stream_hash = {}
self.stream_count = 0
self.filename = os.path.basename(file)
self.log = options.log
if options.pcap_bpf != None:
nids.param("pcap_filter", options.pcap_bpf)
nids.param("scan_num_hosts", 0)
nids.param("filename", file)
nids.init()
nids.register_tcp(self.handleTcpStream)
try:
nids.run()
except nids.error, e:
options.log.error("nids/pcap error:" % (e))
def sniff():
if not _initialized:
raise NameError('Module vars were not initialized.')
nids.param('device', _device)
nids.param('multiproc', 1)
nids.param('scan_num_hosts', 0)
nids.chksum_ctl([('0.0.0.0/0', False)])
nids.init()
nids.register_tcp(_handle_tcp_stream)
nids.register_udp(_handle_udp_stream)
nids.register_ip(_handle_ip_packets)
arp_sniff = Process(target=scapy_sniff, kwargs=dict(store=0,
iface=_device, prn=_parse_arp))
dns_lookups = Process(target=_handle_dns_lookup)
traf_dict = Process(target=_handle_new_traf)
arp_sniff.start()
dns_lookups.start()
traf_dict.start()
nids.run()
def parse_pcap(self, options, file):
try:
import nids
except:
options.log.error(
"failed to import LibNIDS are you sure it's installed")
sys.exit(-1)
self.http_stream_list = []
self.stream_hash = {}
self.stream_count = 0
self.filename = os.path.basename(file)
self.log = options.log
if options.pcap_bpf != None:
nids.param("pcap_filter", options.pcap_bpf)
nids.param("scan_num_hosts", 0)
nids.param("filename", file)
nids.init()
nids.register_tcp(self.handleTcpStream)
try:
nids.run()
except nids.error, e:
options.log.error("nids/pcap error:" % (e))
if self.stopped:
break
try:
while not self.stopped:
nids.next()
time.sleep(.001) #XXX is this enough or too much?
except Exception, e:
chop.prnt("Error processing packets", e)
#no need to exit
else:
if options.filename is "":
chop.prnt("Empty Filename")
self.complete = True
return
nids.param("scan_num_hosts",0)
nids.param("filename",options.filename)
try:
nids.init()
except Exception, e:
self.complete = True
chop.prnt("Error initting: ", e)
return
nids.chksum_ctl([('0.0.0.0/0',False),])
nids.register_tcp(handleTcpStreams)
nids.register_udp(handleUdpDatagrams)
while(True): #This overall while prevents exceptions from halting the long running reading
if self.stopped:
def __init__(self,
pcap_file=None,
device=None,
bpf_filter="tcp",
dst_tcp_port_filter=None,
dst_tcp_ip_filter=None,
src_tcp_port_filter=None,
src_tcp_ip_filter=None,
udp_port_filter=None,
udp_ip_filter=None,
data_level=1,
data_stream_direct=2,
std_output_enable=1,
file_output_path=None,
protocol_parse_conf=None,
is_handle_tcp=1,
is_handle_udp=1,
is_handle_ip=1,
sqlite3_output_enable=1,
sqlite3_output_path=None,
sqlite3_output_schema=None,
sqlite3_renew=False):
"""
Args:
pcap_file:
device:
bpf_filter:
dst_port_filter:
dst_ip_filter:
src_port_filter:
src_ip_filter:
data_level:
data_stream_direct:
std_output_enable:
file_tcpsession_path:
protocol_parse_conf:
"""
self.is_handle_tcp = is_handle_tcp
self.is_handle_udp = is_handle_udp
self.is_handle_ip = is_handle_ip
self.bpf_filter = bpf_filter
self.dst_tcp_port_filter = dst_tcp_port_filter
self.dst_tcp_ip_filter = dst_tcp_ip_filter
self.src_tcp_port_filter = src_tcp_port_filter
self.src_tcp_ip_filter = src_tcp_ip_filter
self.udp_ip_filter = udp_ip_filter
self.udp_port_filter = udp_port_filter
self.device = device
self.pcap_file = pcap_file
if pcap_file:
nids.param("filename", pcap_file)
elif device:
nids.param("device", device)
if bpf_filter:
nids.param("pcap_filter",
bpf_filter) ## bpf restrict to TCP only, note
self.data_level = data_level
self.data_stream_direct = data_stream_direct
self.std_output_enable = std_output_enable
self.file_output_path = file_output_path
self.protocol_parse_conf = protocol_parse_conf
nids.param("scan_num_hosts", 0) # disable portscan detection
nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksumming
nids.param("pcap_timeout", 64)
nids.param("multiproc", 1)
nids.param("tcp_workarounds", 1)
# sqlite3 conf which store ip_handle statistic info
self.sqlite3_output_enable = sqlite3_output_enable
self.sqlite3_output_path = sqlite3_output_path
self.sqlite3_output_schema = sqlite3_output_schema
self.sqlite3_renew = sqlite3_renew
# local ip
if self.is_handle_ip:
self.local_ip = networktools.get_local_ip(self.device)
# var
self.tcp_file_fh = None
self.udp_file_fh = None
self.ip_file_fh = None
self.app_proto_fhs = {}
if self.file_output_path:
# 设置文件输出
if os.path.exists(self.file_output_path) and os.path.isdir(
self.file_output_path):
# delete old data
mills.rm_dir(self.file_output_path)
os.mkdir(self.file_output_path)
tcp_file_path = mills.path(self.file_output_path, "tcp.txt")
self.tcp_file_fh = codecs.open(tcp_file_path,
mode='wb',
encoding='utf-8',
errors='ignore')
udp_file_path = mills.path(self.file_output_path, "udp.txt")
self.udp_file_fh = codecs.open(udp_file_path,
mode='wb',
encoding='utf-8',
errors='ignore')
ip_file_path = mills.path(self.file_output_path, "ip.txt")
self.ip_file_fh = codecs.open(ip_file_path,
mode='wb',
encoding='utf-8',
errors='ignore')
port_list = set()
proto_list = set()
for port_filter in [
self.dst_tcp_port_filter, self.src_tcp_port_filter,
self.udp_port_filter
]:
for port in port_filter:
port_list.add(port)
for port in port_list:
protocol = self.which_protocol_parse(port)
if protocol:
proto_list.add(protocol)
for protocol in proto_list:
protocol_file_path = mills.path(self.file_output_path,
"%s.txt" % protocol)
protocol_file_fh = codecs.open(protocol_file_path,
mode='wb',
encoding='utf-8',
errors='ignore')
self.app_proto_fhs[protocol] = protocol_file_fh
def main():
parser = argparse.ArgumentParser(
description='minips.py - A minimal IPS',
version='0.1',
epilog='EXAMPLE: %(prog)s -p test.pcap -r \'shellcode\' \n')
inputparser = parser.add_mutually_exclusive_group(required=True)
inputparser.add_argument('-d',
'--device',
action='store',
dest='device',
help='network device to collect packets from')
inputparser.add_argument('-p',
'--pcap',
action='store',
dest='pcap',
help='pcap file to read packets from')
parser.add_argument('-r',
'--regex',
action='store',
dest='regex',
required=True,
help='regex to match over network data')
parser.add_argument('-i',
'--igncase',
action='store_true',
dest='igncase',
default=False,
help='perform case insensitive regex match')
parser.add_argument('-m',
'--multiline',
action='store_true',
dest='multiline',
default=False,
help='perform multiline regex match')
parser.add_argument('-k',
'--killtcp',
action='store_true',
dest='killtcp',
default=False,
help='terminate matching tcp connections')
parser.add_argument('-b',
'--dispbytes',
action='store',
dest='dispbytes',
required=False,
help='max bytes to display')
args = parser.parse_args()
if args.device:
globs['device'] = args.device
nids.param('device', globs['device'])
if args.pcap:
globs['pcap'] = args.pcap
nids.param('filename', globs['pcap'])
if args.killtcp:
globs['killtcp'] = True
if args.igncase:
globs['regexflags'] |= re.IGNORECASE
if args.multiline:
globs['regexflags'] |= re.MULTILINE
globs['regexflags'] |= re.DOTALL
if args.regex:
globs['regexstr'] = args.regex
globs['regexobj'] = re.compile(globs['regexstr'], globs['regexflags'])
if args.dispbytes:
globs['dispbytes'] = int(args.dispbytes)
nids.init()
nids.register_tcp(tcpcallback)
nids.register_udp(udpcallback)
try:
nids.run()
except nids.error, e:
print "[-] Error: %s" % (e)
def main():
banner = '''\
______ _ __
/ __/ /___ _ __(_)___ _________ ___ _____/ /_
/ /_/ / __ \ | /| / / / __ \/ ___/ __ \/ _ \/ ___/ __/
/ __/ / /_/ / |/ |/ / / / / (__ ) /_/ / __/ /__/ /_
/_/ /_/\____/|__/|__/_/_/ /_/____/ .___/\___/\___/\__/
/_/
'''
import re
configopts['regexengine'] = 're'
parser = argparse.ArgumentParser()
inputgroup = parser.add_mutually_exclusive_group(required=True)
inputgroup.add_argument(
'-p',
metavar='--pcap',
dest='pcap',
default='',
action='store',
help='input pcap file')
inputgroup.add_argument(
'-d',
metavar='--device',
dest='device',
default='lo',
action='store',
help='listening device')
regex_direction_flags = parser.add_argument_group('RegEx per Direction')
regex_direction_flags.add_argument(
'-c',
metavar='--cregex',
dest='cres',
default=[],
action='append',
required=False,
help='regex to match against CTS data')
regex_direction_flags.add_argument(
'-s',
metavar='--sregex',
dest='sres',
default=[],
action='append',
required=False,
help='regex to match against STC data')
regex_direction_flags.add_argument(
'-a',
metavar='--aregex',
dest='ares',
default=[],
action='append',
required=False,
help='regex to match against ANY data')
regex_options = parser.add_argument_group('RegEx Options')
regex_options.add_argument(
'-i',
dest='igncase',
default=False,
action='store_true',
required=False,
help='ignore case')
regex_options.add_argument(
'-m',
dest='multiline',
default=True,
action='store_false',
required=False,
help='disable multiline match')
fuzzy_direction_flags = parser.add_argument_group('Fuzzy Patterns per Direction')
fuzzy_direction_flags.add_argument(
'-G',
metavar='--cfuzz',
dest='cfuzz',
default=[],
action='append',
required=False,
help='string to fuzzy match against CTS data')
fuzzy_direction_flags.add_argument(
'-H',
metavar='--sfuzz',
dest='sfuzz',
default=[],
action='append',
required=False,
help='string to fuzzy match against STC data')
fuzzy_direction_flags.add_argument(
'-I',
metavar='--afuzz',
dest='afuzz',
default=[],
action='append',
required=False,
help='string to fuzzy match against ANY data')
fuzzy_options = parser.add_argument_group('Fuzzy Options')
fuzzy_options.add_argument(
'-r',
metavar='fuzzminthreshold',
dest='fuzzminthreshold',
type=int,
default=75,
action='store',
required=False,
help='threshold for fuzzy match (1-100) - default 75')
yara_direction_flags = parser.add_argument_group('Yara Rules per Direction')
yara_direction_flags.add_argument(
'-P',
metavar='--cyararules',
dest='cyararules',
default=[],
action='append',
required=False,
help='Yara rules to match on CTS data')
yara_direction_flags.add_argument(
'-Q',
metavar='--syararules',
dest='syararules',
default=[],
action='append',
required=False,
help='Yara rules to match on STC data')
yara_direction_flags.add_argument(
'-R',
metavar='--ayararules',
dest='ayararules',
default=[],
action='append',
required=False,
help='Yara rules to match on ANY data')
shellcode_options = parser.add_argument_group('Shellcode Detection')
shellcode_options.add_argument(
'-M',
dest='shellcode',
default=False,
action='store_true',
required=False,
help='enable shellcode detection')
shellcode_options.add_argument(
'-J',
dest='asm4shellcode',
default=False,
action='store_true',
required=False,
help='enable shellcode disassembly')
shellcode_options.add_argument(
'-y',
dest='emuprofile',
default=False,
action='store_true',
required=False,
help='generate emulator profile for detected shellcode')
shellcode_options.add_argument(
'-Y',
metavar='--emuprofileoutsize',
dest='emuprofileoutsize',
default=0,
action='store',
required=False,
help='emulator profile memory size (default 1024K | max: 10240K)')
content_modifiers = parser.add_argument_group('Content Modifiers')
content_modifiers.add_argument(
'-O',
metavar='--offset',
dest='offset',
default=0,
action='store',
required=False,
help='bytes to skip before matching')
content_modifiers.add_argument(
'-D',
metavar='--depth',
dest='depth',
default=0,
action='store',
required=False,
help='bytes to look at while matching (starting from offset)')
inspection_limits = parser.add_argument_group('Inspection Limits')
inspection_limits.add_argument(
'-T',
metavar='--maxinspstreams',
dest='maxinspstreams',
default=0,
action='store',
type=int,
required=False,
help='max streams to inspect')
inspection_limits.add_argument(
'-U',
metavar='--maxinsppackets',
dest='maxinsppackets',
default=0,
action='store',
type=int,
required=False,
help='max packets to inspect')
display_limits = parser.add_argument_group('Display Limits')
display_limits.add_argument(
'-t',
metavar='--maxdispstreams',
dest='maxdispstreams',
default=0,
action='store',
type=int,
required=False,
help='max streams to display')
display_limits.add_argument(
'-u',
metavar='--maxdisppackets',
dest='maxdisppackets',
default=0,
action='store',
type=int,
required=False,
help='max packets to display')
display_limits.add_argument(
'-b',
metavar='--maxdispbytes',
dest='maxdispbytes',
default=0,
action='store',
type=int,
required=False,
help='max bytes to display')
output_options = parser.add_argument_group('Output Options')
output_options.add_argument(
'-w',
metavar='logdir',
dest='writebytes',
default='',
action='store',
required=False,
nargs='?',
help='write matching packets/streams')
output_options.add_argument(
'-o',
dest='outmodes',
choices=('quite', 'meta', 'hex', 'print', 'raw'),
action='append',
default=[],
required=False,
help='match output modes')
misc_options = parser.add_argument_group('Misc. Options')
misc_options.add_argument(
'-f',
metavar='--bpf',
dest='bpf',
default='',
action='store',
required=False,
help='BPF expression')
misc_options.add_argument(
'-v',
dest='invmatch',
default=False,
action='store_true',
required=False,
help='invert match')
misc_options.add_argument(
'-V',
dest='verbose',
default=0,
action='count',
required=False,
help='verbose output (max: 3)')
misc_options.add_argument(
'-e',
dest='colored',
default=False,
action='store_true',
required=False,
help='highlight CTS/STC matches')
misc_options.add_argument(
'-k',
dest='killtcp',
default=False,
action='store_true',
required=False,
help='kill matching TCP stream')
misc_options.add_argument(
'-j',
dest='tcpmultimatch',
default=False,
action='store_true',
required=False,
help='enable TCP multi match mode')
pcapwrite = parser.add_mutually_exclusive_group(required=False)
pcapwrite.add_argument(
'-z',
dest='writepcapfast',
default=False,
action='store_true',
help='write matching flows to pcap w/ %d post match packets' % (configopts['pcappacketct']))
pcapwrite.add_argument(
'-Z',
dest='writepcap',
default=False,
action='store_true',
help='write matching flows to pcap w/ all post match packets')
misc_options.add_argument(
'-q',
metavar='pcappacketct',
dest='pcappacketct',
default=configopts['pcappacketct'],
action='store',
help='# of post match packets to write to pcap')
misc_options.add_argument(
'-L',
dest='linemode',
default=False,
action='store_true',
required=False,
help='enable linemode (disables inspection)')
misc_options.add_argument(
'-B',
dest='nobanner',
default=False,
action='store_true',
required=False,
help='skip banner/version display on startup')
misc_options.add_argument(
'-S',
dest='nosummary',
default=False,
action='store_true',
required=False,
help='skip match summary display at exit')
misc_options.add_argument(
'-n',
dest='dumpargs',
default=False,
action='store_true',
required=False,
help='show argument stats')
args = parser.parse_args()
if args.pcap:
configopts['pcap'] = args.pcap
nids.param('filename', configopts['pcap'])
configopts['livemode'] = False
elif args.device:
configopts['device'] = args.device
nids.param('device', configopts['device'])
configopts['livemode'] = True
if args.igncase:
configopts['igncase'] = True
configopts['reflags'] |= re.IGNORECASE
if args.invmatch:
configopts['invertmatch'] = True
if args.multiline:
configopts['multiline'] = True
configopts['reflags'] |= re.MULTILINE
configopts['reflags'] |= re.DOTALL
if args.tcpmultimatch:
configopts['tcpmultimatch'] = True
if configopts['regexengine']:
if args.cres:
if 'regex' not in configopts['inspectionmodes']:
configopts['inspectionmodes'].append('regex')
for c in args.cres:
configopts['ctsregexes'][re.compile(c, configopts['reflags'])] = { 'regexpattern': c }
if args.sres:
if 'regex' not in configopts['inspectionmodes']:
configopts['inspectionmodes'].append('regex')
for s in args.sres:
configopts['stcregexes'][re.compile(s, configopts['reflags'])] = { 'regexpattern': s }
if args.ares:
if 'regex' not in configopts['inspectionmodes']:
configopts['inspectionmodes'].append('regex')
for a in args.ares:
configopts['ctsregexes'][re.compile(a, configopts['reflags'])] = { 'regexpattern': a }
configopts['stcregexes'][re.compile(a, configopts['reflags'])] = { 'regexpattern': a }
if args.cfuzz or args.sfuzz or args.afuzz:
try:
from fuzzywuzzy import fuzz
configopts['fuzzengine'] = 'fuzzywuzzy'
except ImportError, ex:
dowarn('Import failed: %s' % ex)
configopts['fuzzengine'] = None
def main():
logging.basicConfig(filename="mspCapturer.log",level=logging.DEBUG)
if (len(sys.argv) != 2):
logging.error( 'Invalid arguments. Usage: main.py <monitor port(s)>\n monitor ports should be specified in a comma seperated list ')
sys.exit(1)
logging.info( 'Set up Reassembler')
nids.param("scan_num_hosts",0) # disable portscan detection
nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksumming
nids.param("pcap_timeout", 128)
nids.param("tcp_workarounds", True)
nids.param("sk_buff_size", 256) #default 168
nids.param("n_tcp_streams", 2048) #default 1024
nids.param("device", "all")
nids.init()
assm = Reassembler(ports=sys.argv[1])
try:
nids.run()
except KeyboardInterrupt:
logging.error( "Reassembler Terminated: Quitting")
sys.exit(2)
if self.stopped:
break
try:
while not self.stopped:
nids.next()
time.sleep(.001) #XXX is this enough or too much?
except Exception, e:
chop.prnt("Error processing packets", e)
#no need to exit
else:
if options['filename'] is "":
chop.prnt("Empty Filename")
self.complete = True
return
nids.param("scan_num_hosts",0)
nids.param("filename",options['filename'])
if options['bpf'] is not None:
nids.param("pcap_filter", options['bpf'])
try:
nids.init()
except Exception, e:
self.complete = True
chop.prnt("Error initting: ", e)
return
nids.chksum_ctl([('0.0.0.0/0',False),])
nids.register_tcp(handleTcpStreams)
nids.register_udp(handleUdpDatagrams)
nids.register_ip(handleIpPackets)
def main():
from optparse import OptionParser
parser = OptionParser()
parser.add_option("-d", "--device", dest="device", help="sniff on network device DEVICE", metavar="DEVICE")
parser.add_option("-f", "--file", dest="file", help="use pcap logfile FILE", metavar="FILE")
parser.add_option("-l", "--log", dest="log", action="store_true", default=False, help="create logs")
parser.add_option("-p", "--pid", dest="pid", help="attach to process PID", metavar="PID")
(options, args) = parser.parse_args()
nids.param("scan_num_hosts", 0) # Disable portscan detection
logfiles = {}
sniff = Sniffer()
sniff.starttime = datetime.now()
def timestring():
td = datetime.now() - sniff.starttime
return "[% 8.3f]" % (td.seconds + td.microseconds/1000000.0)
def message_output_handler(message):
if options.log:
connection = message.source.connection
if connection.session:
if connection in logfiles:
logfile = logfiles[connection]
else:
logname = "%s_%s.wlog" % (connection.session.account, datetime.now().strftime("%Y-%m-%d_%H-%M-%S"))
print timestring(), 'Creating log file "%s"' % logname
logfile = log.Log(open(logname, "wb"))
logfile.write_header()
session = connection.session
sinfo = log.SessionInfo(session.game, session.version, session.locale, connection.client.address, connection.server.address, session.account)
logfile.write(sinfo)
logfiles[connection] = logfile
if message.source is connection.client:
cls = messages.ClientMessage
elif message.source is connection.server:
cls = messages.ServerMessage
else:
cls = None
if cls:
logfile.write(cls(message.opcode, connection.client.address, connection.server.address, message.data))
else:
# FIXME: This always discards the first message (SMSG_AUTH_CHALLENGE) because at that point,
# the session is not yet known. We should cache this message and output it too.
pass
print timestring(), opcodes.names[message.opcode].ljust(55),
if len(message.data) > 0:
print "% 6d bytes" % len(message.data)
else:
print
def session_output_handler(session):
print timestring(), "New Session:", session
sniff.message_handler = message_output_handler
sniff.session_handler = session_output_handler
if options.device:
nids.param("device", options.device)
if options.file:
nids.param("filename", options.file)
pid = None
if options.pid is not None and options.pid.isdigit():
pid = int(options.pid)
elif options.pid == "auto":
pid = findWowProcess()
if pid:
print timestring(), "Attaching to process", pid
sniff.addProcess(pid)
elif not options.file:
print timestring(), "Warning: Not attaching to any process"
nids.init()
nids.register_tcp(sniff.tcp_handler)
nids.run()
class ChopCore(Thread):
def __init__(self,options, module_list, chp, chophelper):
Thread.__init__(self)
self.options = options
self.module_list = module_list
self.chophelper = chophelper
self.stopped = False
self.complete = False
global chop
chop = chp
def stop(self):
self.complete = True
self.stopped = True
def iscomplete(self):
return self.complete
def getptime(self):
global ptimestamp
return ptimestamp
def getmeta(self):
global metadata
return metadata
def prep_modules(self):
self.chophelper.set_core(self)
modules = self.module_list
for module in modules:
module = module[0]
module.chop = self.chophelper.setup_module(module.moduleName)
def run(self):
global chop
#Initialize modules to be run
options = self.options
modules = self.module_list#module_list
module_options = {}
chop.prettyprnt("RED", "Initializing Modules ...")
for module in modules:
name = module[2]
arguments = shlex.split(module[1])
module = module[0]
#Create module_data for all modules
module.module_data = {'args':arguments}
module.streaminfo = {}
chop.prettyprnt("CYAN", "\tInitializing module '" + name + "'")
try:
module_options = module.init(module.module_data)
except Exception, e:
chop.prnt("Error Initializing Module", module.moduleName + ":", e)
self.complete = True
return
if 'error' in module_options:
chop.prettyprnt("GREEN", "\t\t%s init failure: %s" % (module.moduleName, module_options['error']))
continue
if module_options['proto'] == 'tcp' :
tcp_modules.append(module)
all_modules.append(module)
elif module_options['proto'] == 'ip' :
ip_modules.append(module)
all_modules.append(module)
elif module_options['proto'] == 'udp' :
udp_modules.append(module)
all_modules.append(module)
else:
chop.prnt("Undefined Module Type\n")
self.complete = True
return
if not all_modules:
chop.prnt("No modules")
self.complete = True
return
chop.prettyprnt("RED", "Running Modules ...")
#Actually run the modules
if options['interface']:
nids.param("scan_num_hosts",0)
nids.param("device",options['interface'])
if options['bpf'] is not None:
nids.param("pcap_filter", options['bpf'])
try:
nids.init()
except Exception, e:
chop.prnt("Error initting: ", e)
self.complete = True
return
nids.chksum_ctl([('0.0.0.0/0',False),])
nids.register_tcp(handleTcpStreams)
nids.register_udp(handleUdpDatagrams)
while(True): #This overall while prevents exceptions from halting the processing of packets
if self.stopped:
break
try:
while not self.stopped:
nids.next()
time.sleep(.001) #XXX is this enough or too much?
except Exception, e:
chop.prnt("Error processing packets", e)
class ChopCore(Thread):
def __init__(self, options, module_list, chp, chophelper):
Thread.__init__(self)
self.options = options
self.module_list = module_list
self.chophelper = chophelper
self.stopped = False
self.complete = False
self.abort = False
global chop
chop = chp
def stop(self):
self.complete = True
self.stopped = True
def iscomplete(self):
return self.complete
def getptime(self):
global ptimestamp
return ptimestamp
def getmeta(self):
global metadata
return metadata
def prep_modules(self):
self.chophelper.set_core(self)
modules = self.module_list
for module in modules:
code = module.code
code.chop = self.chophelper.setup_module(code.moduleName)
def run(self):
global chop
#Initialize modules to be run
options = self.options
modules = self.module_list #module_list
module_options = {}
chop.prettyprnt("RED", "Initializing Modules ...")
for module in modules:
name = module.name
arguments = module.arguments #shlex.split(module[1])
code = module.code #module[0]
#Create module_data for all modules
module.module_data = {'args': arguments}
module.streaminfo = {}
chop.prettyprnt("CYAN", "\tInitializing module '" + name + "'")
try:
module_options = code.init(module.module_data)
except Exception, e:
chop.prnt("Error Initializing Module", code.moduleName + ":",
e)
self.complete = True
return
if 'error' in module_options:
chop.prettyprnt(
"GREEN", "\t\t%s init failure: %s" %
(code.moduleName, module_options['error']))
continue
if module.legacy:
if module_options['proto'] == 'tcp':
tcp_modules.append(module)
all_modules.append(module)
module.streaminfo['tcp'] = {}
elif module_options['proto'] == 'ip':
ip_modules.append(module)
all_modules.append(module)
module.streaminfo['ip'] = {}
elif module_options['proto'] == 'udp':
udp_modules.append(module)
all_modules.append(module)
module.streaminfo['udp'] = {}
else:
chop.prnt("Undefined Module Type\n")
self.complete = True
return
else:
all_modules.append(module)
#Proto is an array of dictionaries
if not isinstance(module_options['proto'], list): #Malformed
chop.prnt("%s has malformed proto list" %
module.code.moduleName)
self.complete = True
return
for proto in module_options['proto']:
#Right now (4.0) each dictionary only has one key
#This might change in the future but should be easy
#since it's already a separate dictionary
if type(proto) is not dict:
chop.prnt("%s has malformed proto list" %
module.code.moduleName)
self.complete = True
return
for input in proto.keys():
if input not in module.inputs:
module.inputs[input] = []
if proto[input] != '':
module.inputs[input].append(proto[input])
module.outputs.append(proto[input])
#Initialize the streaminfo array by type
if input != 'any' and input != 'ip':
module.streaminfo[input] = {}
if input == 'tcp':
tcp_modules.append(module)
elif input == 'udp':
udp_modules.append(module)
elif input == 'ip':
ip_modules.append(module)
elif input == 'any': #Special input that catches all non-core types
#Initialize the streaminfo for all parents of the 'any' module
if not len(module.parents):
chop.prettyprnt(
"GREEN",
"WARNING: No Parent for %s to provide data"
% (module.code.moduleName))
else:
for parent in module.parents:
for output in parent.outputs:
module.streaminfo[output] = {}
else: # non-core types, e.g., 'http' or 'dns'
if len(module.parents
): #Make sure parents give it what it wants
for parent in module.parents:
if input not in parent.outputs:
chop.prettyprnt(
"GREEN",
"WARNING: Parent to %s not providing %s data"
% (module.code.moduleName, input))
else:
chop.prettyprnt(
"GREEN",
"WARNING: No Parent for %s providing %s data"
% (module.code.moduleName, input))
if not all_modules:
chop.prnt("No modules")
self.complete = True
return
chop.prettyprnt("RED", "Running Modules ...")
#Actually run the modules
if options['interface']:
nids.param("scan_num_hosts", 0)
nids.param("device", options['interface'])
if options['bpf'] is not None:
nids.param("pcap_filter", options['bpf'])
try:
nids.init()
except Exception, e:
chop.prnt("Error initting on interface: ", e)
self.complete = True
return
nids.chksum_ctl([
('0.0.0.0/0', False),
])
nids.register_tcp(handleTcpStreams)
nids.register_udp(handleUdpDatagrams)
nids.register_ip(handleIpPackets)
while (
True
): #This overall while prevents exceptions from halting the processing of packets
if self.stopped:
break
try:
while not self.stopped:
nids.next()
time.sleep(.001) #XXX is this enough or too much?
except Exception, e:
chop.prnt("Error processing packets", e)
def main():
from optparse import OptionParser
parser = OptionParser()
parser.add_option("-d",
"--device",
dest="device",
help="sniff on network device DEVICE",
metavar="DEVICE")
parser.add_option("-f",
"--file",
dest="file",
help="use pcap logfile FILE",
metavar="FILE")
parser.add_option("-l",
"--log",
dest="log",
action="store_true",
default=False,
help="create logs")
parser.add_option("-p",
"--pid",
dest="pid",
help="attach to process PID",
metavar="PID")
(options, args) = parser.parse_args()
nids.param("scan_num_hosts", 0) # Disable portscan detection
logfiles = {}
sniff = Sniffer()
sniff.starttime = datetime.now()
def timestring():
td = datetime.now() - sniff.starttime
return "[% 8.3f]" % (td.seconds + td.microseconds / 1000000.0)
def message_output_handler(message):
if options.log:
connection = message.source.connection
if connection.session:
if connection in logfiles:
logfile = logfiles[connection]
else:
logname = "%s_%s.wlog" % (
connection.session.account,
datetime.now().strftime("%Y-%m-%d_%H-%M-%S"))
print timestring(), 'Creating log file "%s"' % logname
logfile = log.Log(open(logname, "wb"))
logfile.write_header()
session = connection.session
sinfo = log.SessionInfo(session.game, session.version,
session.locale,
connection.client.address,
connection.server.address,
session.account)
logfile.write(sinfo)
logfiles[connection] = logfile
if message.source is connection.client:
cls = messages.ClientMessage
elif message.source is connection.server:
cls = messages.ServerMessage
else:
cls = None
if cls:
logfile.write(
cls(message.opcode, connection.client.address,
connection.server.address, message.data))
else:
# FIXME: This always discards the first message (SMSG_AUTH_CHALLENGE) because at that point,
# the session is not yet known. We should cache this message and output it too.
pass
print timestring(), opcodes.names[message.opcode].ljust(55),
if len(message.data) > 0:
print "% 6d bytes" % len(message.data)
else:
print
def session_output_handler(session):
print timestring(), "New Session:", session
sniff.message_handler = message_output_handler
sniff.session_handler = session_output_handler
if options.device:
nids.param("device", options.device)
if options.file:
nids.param("filename", options.file)
pid = None
if options.pid is not None and options.pid.isdigit():
pid = int(options.pid)
elif options.pid == "auto":
pid = findWowProcess()
if pid:
print timestring(), "Attaching to process", pid
sniff.addProcess(pid)
elif not options.file:
print timestring(), "Warning: Not attaching to any process"
nids.init()
nids.register_tcp(sniff.tcp_handler)
nids.run()
if self.stopped:
break
try:
while not self.stopped:
nids.next()
time.sleep(.001) #XXX is this enough or too much?
except Exception, e:
chop.prnt("Error processing packets", e)
#no need to exit
else:
if options['filename'] is "":
chop.prnt("Empty Filename")
self.complete = True
return
nids.param("scan_num_hosts", 0)
nids.param("filename", options['filename'])
if options['bpf'] is not None:
nids.param("pcap_filter", options['bpf'])
try:
nids.init()
except Exception, e:
self.complete = True
chop.prnt("Error initting: ", e)
return
nids.chksum_ctl([
('0.0.0.0/0', False),
])
nids.register_tcp(handleTcpStreams)
_tcp_bag[tcp.addr][2] += 1
_tcp_bag[tcp.addr][3] = tcp.nids_state
def handleUdpStream(addrs, payload, pkt):
global _udp_pkts
_udp_pkts += 1
if len(sys.argv) < 2:
print_usage()
sys.exit(-1)
input_file = sys.argv[1]
nids.param("filename", input_file)
#nids.param("scan_num_hosts", 0)
nids.chksum_ctl([('0.0.0.0/0', False)])
# Loop forever (network device), or until EOF (pcap file)
# Note that an exception in the callback will break the loop!
try:
nids.init()
nids.register_tcp(handleTcpStream)
nids.register_udp(handleUdpStream)
nids.run()
except nids.error, e:
print "nids/pcap error:", e
except Exception, e:
print "misc. exception (runtime error in user callback?):", e
try:
import pydasm
configopts['asm4shellcode'] = True
except ImportError, ex:
dowarn('Import failed: %s' % ex)
if args.emuprofile:
configopts['emuprofile'] = True
if int(args.emuprofileoutsize) > 0 and int(
args.emuprofileoutsize) <= 10240:
configopts['emuprofileoutsize'] = int(args.emuprofileoutsize)
if args.bpf:
configopts['bpf'] = args.bpf
nids.param('pcap_filter', configopts['bpf'])
if args.killtcp:
if configopts['livemode']: configopts['killtcp'] = True
if args.writepcap:
configopts['writepcap'] = True
if args.writepcapfast:
configopts['writepcapfast'] = True
if int(args.pcappacketct) >= 0:
configopts['pcappacketct'] = int(args.pcappacketct)
if args.colored:
try:
def __init__(self,
pcap_file=None,
device=None,
bpf_filter="tcp",
dst_port_filter=None,
dst_ip_filter=None,
data_level=1,
data_stream_direct=2,
std_output_enable=1,
file_tcpsession_path=None,
protocol_parse_conf=None):
"""
:param pcap_file:
:param device:
:param bpf_filter:
:param dst_port_filter:
:param dst_ip_filter:
:param data_level:
:param data_stream_direct:
:param is_human_print:
:param file_output_file:
"""
self.dst_port_filter = dst_port_filter
self.dst_ip_filter = dst_ip_filter
self.device = device
self.pcap_file = pcap_file
if pcap_file:
nids.param("filename", pcap_file)
elif device:
nids.param("device", device)
if bpf_filter:
nids.param("pcap_filter",
bpf_filter) ## bpf restrict to TCP only, note
self.data_level = data_level
self.data_stream_direct = data_stream_direct
self.std_output_enable = std_output_enable
self.file_tcpsession_path = file_tcpsession_path
self.protocol_parse_conf = protocol_parse_conf
nids.param("scan_num_hosts", 0) # disable portscan detection
nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksumming
nids.param("pcap_timeout", 64)
nids.param("multiproc", 1)
nids.param("tcp_workarounds", 1)
self.file_hd_tcpsession = None
self.file_hd_tcpsession_parse = None
if self.file_tcpsession_path:
self.file_hd_tcpsession = codecs.open(self.file_tcpsession_path,
mode='wb',
encoding='utf-8',
errors='ignore')
if self.data_stream_direct == 2:
file_tcpsession_path_parse = "%s_parse" % self.file_tcpsession_path
self.file_hd_tcpsession_parse = codecs.open(
file_tcpsession_path_parse,
mode='wb',
encoding='utf-8',
errors='ignore')
"src_ip": src,
"src_port": sport,
"dst_ip": dst,
"dst_port": dport,
"time": start_time[tcp.addr],
"duration": (ts - start_time[tcp.addr]),
"contains_flag": contains_flag[tcp.addr],
"starred": 0,
"flow": current_data
}
flows_to_import.append(flow)
del data_flow[tcp.addr]
nids.param("pcap_filter", "tcp") # restrict to TCP only
nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksumming
if len(sys.argv) == 2:
filename = sys.argv[1]
if "./" in filename:
filename = filename[2:]
print("importing pcaps from " + filename)
nids.param("filename", filename)
else:
print("pcap file required")
exit()
nids.init()
nids.register_tcp(handleTcpStream)
nids.run()
def main():
try:
ifile=""
global dev
global filter
global debug
global response_dict
global interactive
global filter_by
global cant_bytes_min
global ssh_user_string
(uid, gid) = pwd.getpwnam(NOTROOT)[2:4]
os.setgroups([gid,])
os.setgid(gid)
os.setuid(uid)
if 0 in [os.getuid(), os.getgid()] + list(os.getgroups()):
print "error - drop root, please!"
sys.exit(1)
opts, args = getopt.getopt(sys.argv[1:], "d:hVi:qf:Dt:b:s:", ["device=","help","version","input-file=","filter=","--debug","session-type=","min-bytes=","ssh-string="])
except getopt.GetoptError: usage()
for opt, arg in opts:
if opt in ("-h", "--help"): usage()
if opt in ("-V", "--version"): version()
if opt in ("-i", "--input-file"): ifile = arg
if opt in ("-d", "--capture-device"): dev = arg
if opt in ("-f", "--filter"): filter = arg
if opt in ("-D", "--debug"): debug=1
#if opt in ("-I", "--interactive"): interactive=True
if opt in ("-t", "--session-type"): filter_by = arg
if opt in ("-b", "--min-bytes"): cant_bytes_min = arg
if opt in ("-s", "--ssh-string"): ssh_user_string = arg
try:
if filter_by != "":
interactive = True
if ifile!="" and dev=="":
if debug:
print 'Input File : %s' % (ifile)
nids.param("filename", ifile)
elif ifile=="" and dev!="":
if debug:
print 'Capturing from device : %s' % (dev)
elif ifile=="" and dev=="":
usage()
sys.exit(1)
if filter:
if debug:
print 'Filter: %s' % (filter)
nids.param("pcap_filter",filter)
nids.param("scan_num_hosts", 0) # disable portscan detection
nids.init()
nids.register_tcp(handleTcpStream)
try:
if debug:
print ' -- Start processing'
nids.run()
output()
except nids.error, e:
print "nids/pcap error:", e
output()
except Exception, e:
print "misc. exception (runtime error from user callback?):", e
output()
def main():
banner = '''\
______ _ __
/ __/ /___ _ __(_)___ _________ ___ _____/ /_
/ /_/ / __ \ | /| / / / __ \/ ___/ __ \/ _ \/ ___/ __/
/ __/ / /_/ / |/ |/ / / / / (__ ) /_/ / __/ /__/ /_
/_/ /_/\____/|__/|__/_/_/ /_/____/ .___/\___/\___/\__/
/_/
'''
import re
configopts['regexengine'] = 're'
parser = argparse.ArgumentParser()
inputgroup = parser.add_mutually_exclusive_group(required=True)
inputgroup.add_argument('-p',
metavar='--pcap',
dest='pcap',
default='',
action='store',
help='input pcap file')
inputgroup.add_argument('-d',
metavar='--device',
dest='device',
default='lo',
action='store',
help='listening device')
regex_direction_flags = parser.add_argument_group('RegEx per Direction')
regex_direction_flags.add_argument('-c',
metavar='--cregex',
dest='cres',
default=[],
action='append',
required=False,
help='regex to match against CTS data')
regex_direction_flags.add_argument('-s',
metavar='--sregex',
dest='sres',
default=[],
action='append',
required=False,
help='regex to match against STC data')
regex_direction_flags.add_argument('-a',
metavar='--aregex',
dest='ares',
default=[],
action='append',
required=False,
help='regex to match against ANY data')
regex_options = parser.add_argument_group('RegEx Options')
regex_options.add_argument('-i',
dest='igncase',
default=False,
action='store_true',
required=False,
help='ignore case')
regex_options.add_argument('-m',
dest='multiline',
default=True,
action='store_false',
required=False,
help='disable multiline match')
fuzzy_direction_flags = parser.add_argument_group(
'Fuzzy Patterns per Direction')
fuzzy_direction_flags.add_argument(
'-G',
metavar='--cfuzz',
dest='cfuzz',
default=[],
action='append',
required=False,
help='string to fuzzy match against CTS data')
fuzzy_direction_flags.add_argument(
'-H',
metavar='--sfuzz',
dest='sfuzz',
default=[],
action='append',
required=False,
help='string to fuzzy match against STC data')
fuzzy_direction_flags.add_argument(
'-I',
metavar='--afuzz',
dest='afuzz',
default=[],
action='append',
required=False,
help='string to fuzzy match against ANY data')
fuzzy_options = parser.add_argument_group('Fuzzy Options')
fuzzy_options.add_argument(
'-r',
metavar='fuzzminthreshold',
dest='fuzzminthreshold',
type=int,
default=75,
action='store',
required=False,
help='threshold for fuzzy match (1-100) - default 75')
yara_direction_flags = parser.add_argument_group(
'Yara Rules per Direction')
yara_direction_flags.add_argument('-P',
metavar='--cyararules',
dest='cyararules',
default=[],
action='append',
required=False,
help='Yara rules to match on CTS data')
yara_direction_flags.add_argument('-Q',
metavar='--syararules',
dest='syararules',
default=[],
action='append',
required=False,
help='Yara rules to match on STC data')
yara_direction_flags.add_argument('-R',
metavar='--ayararules',
dest='ayararules',
default=[],
action='append',
required=False,
help='Yara rules to match on ANY data')
shellcode_options = parser.add_argument_group('Shellcode Detection')
shellcode_options.add_argument('-M',
dest='shellcode',
default=False,
action='store_true',
required=False,
help='enable shellcode detection')
shellcode_options.add_argument('-J',
dest='asm4shellcode',
default=False,
action='store_true',
required=False,
help='enable shellcode disassembly')
shellcode_options.add_argument(
'-y',
dest='emuprofile',
default=False,
action='store_true',
required=False,
help='generate emulator profile for detected shellcode')
shellcode_options.add_argument(
'-Y',
metavar='--emuprofileoutsize',
dest='emuprofileoutsize',
default=0,
action='store',
required=False,
help='emulator profile memory size (default 1024K | max: 10240K)')
content_modifiers = parser.add_argument_group('Content Modifiers')
content_modifiers.add_argument('-O',
metavar='--offset',
dest='offset',
default=0,
action='store',
required=False,
help='bytes to skip before matching')
content_modifiers.add_argument(
'-D',
metavar='--depth',
dest='depth',
default=0,
action='store',
required=False,
help='bytes to look at while matching (starting from offset)')
inspection_limits = parser.add_argument_group('Inspection Limits')
inspection_limits.add_argument('-T',
metavar='--maxinspstreams',
dest='maxinspstreams',
default=0,
action='store',
type=int,
required=False,
help='max streams to inspect')
inspection_limits.add_argument('-U',
metavar='--maxinsppackets',
dest='maxinsppackets',
default=0,
action='store',
type=int,
required=False,
help='max packets to inspect')
display_limits = parser.add_argument_group('Display Limits')
display_limits.add_argument('-t',
metavar='--maxdispstreams',
dest='maxdispstreams',
default=0,
action='store',
type=int,
required=False,
help='max streams to display')
display_limits.add_argument('-u',
metavar='--maxdisppackets',
dest='maxdisppackets',
default=0,
action='store',
type=int,
required=False,
help='max packets to display')
display_limits.add_argument('-b',
metavar='--maxdispbytes',
dest='maxdispbytes',
default=0,
action='store',
type=int,
required=False,
help='max bytes to display')
output_options = parser.add_argument_group('Output Options')
output_options.add_argument('-w',
metavar='logdir',
dest='writebytes',
default='',
action='store',
required=False,
nargs='?',
help='write matching packets/streams')
output_options.add_argument('-o',
dest='outmodes',
choices=('quite', 'meta', 'hex', 'print',
'raw'),
action='append',
default=[],
required=False,
help='match output modes')
misc_options = parser.add_argument_group('Misc. Options')
misc_options.add_argument('-f',
metavar='--bpf',
dest='bpf',
default='',
action='store',
required=False,
help='BPF expression')
misc_options.add_argument('-v',
dest='invmatch',
default=False,
action='store_true',
required=False,
help='invert match')
misc_options.add_argument('-V',
dest='verbose',
default=0,
action='count',
required=False,
help='verbose output (max: 3)')
misc_options.add_argument('-e',
dest='colored',
default=False,
action='store_true',
required=False,
help='highlight CTS/STC matches')
misc_options.add_argument('-k',
dest='killtcp',
default=False,
action='store_true',
required=False,
help='kill matching TCP stream')
misc_options.add_argument('-j',
dest='tcpmultimatch',
default=False,
action='store_true',
required=False,
help='enable TCP multi match mode')
pcapwrite = parser.add_mutually_exclusive_group(required=False)
pcapwrite.add_argument(
'-z',
dest='writepcapfast',
default=False,
action='store_true',
help='write matching flows to pcap w/ %d post match packets' %
(configopts['pcappacketct']))
pcapwrite.add_argument(
'-Z',
dest='writepcap',
default=False,
action='store_true',
help='write matching flows to pcap w/ all post match packets')
misc_options.add_argument('-q',
metavar='pcappacketct',
dest='pcappacketct',
default=configopts['pcappacketct'],
action='store',
help='# of post match packets to write to pcap')
misc_options.add_argument('-L',
dest='linemode',
default=False,
action='store_true',
required=False,
help='enable linemode (disables inspection)')
misc_options.add_argument('-B',
dest='nobanner',
default=False,
action='store_true',
required=False,
help='skip banner/version display on startup')
misc_options.add_argument('-S',
dest='nosummary',
default=False,
action='store_true',
required=False,
help='skip match summary display at exit')
misc_options.add_argument('-n',
dest='dumpargs',
default=False,
action='store_true',
required=False,
help='show argument stats')
args = parser.parse_args()
if args.pcap:
configopts['pcap'] = args.pcap
nids.param('filename', configopts['pcap'])
configopts['livemode'] = False
elif args.device:
configopts['device'] = args.device
nids.param('device', configopts['device'])
configopts['livemode'] = True
if args.igncase:
configopts['igncase'] = True
configopts['reflags'] |= re.IGNORECASE
if args.invmatch:
configopts['invertmatch'] = True
if args.multiline:
configopts['multiline'] = True
configopts['reflags'] |= re.MULTILINE
configopts['reflags'] |= re.DOTALL
if args.tcpmultimatch:
configopts['tcpmultimatch'] = True
if configopts['regexengine']:
if args.cres:
if 'regex' not in configopts['inspectionmodes']:
configopts['inspectionmodes'].append('regex')
for c in args.cres:
configopts['ctsregexes'][re.compile(c,
configopts['reflags'])] = {
'regexpattern': c
}
if args.sres:
if 'regex' not in configopts['inspectionmodes']:
configopts['inspectionmodes'].append('regex')
for s in args.sres:
configopts['stcregexes'][re.compile(s,
configopts['reflags'])] = {
'regexpattern': s
}
if args.ares:
if 'regex' not in configopts['inspectionmodes']:
configopts['inspectionmodes'].append('regex')
for a in args.ares:
configopts['ctsregexes'][re.compile(a,
configopts['reflags'])] = {
'regexpattern': a
}
configopts['stcregexes'][re.compile(a,
configopts['reflags'])] = {
'regexpattern': a
}
if args.cfuzz or args.sfuzz or args.afuzz:
try:
from fuzzywuzzy import fuzz
configopts['fuzzengine'] = 'fuzzywuzzy'
except ImportError, ex:
dowarn('Import failed: %s' % ex)
configopts['fuzzengine'] = None
