Ejemplo n.º 1
0
    def test13(self):
        """ Verify the functionatliy of the Evidence manager with IPv6 and UDP """
        def domain_callback(flow):
            self.called_callback += 1
            flow.evidence = True

        d = pyaiengine.DomainName("Google domain", ".google.com")

        dm = pyaiengine.DomainNameManager()
        d.callback = domain_callback
        dm.add_domain_name(d)

        self.s.set_domain_name_manager(dm, "DNSProtocol")

        with pyaiengine.PacketDispatcher(
                "../pcapfiles/ipv6_google_dns.pcap") as pd:
            pd.evidences = True
            pd.stack = self.s
            pd.run()

        self.assertEqual(self.called_callback, 1)
        self.assertEqual(d.matchs, 1)
        """ verify the integrity of the new file created """
        files = glob.glob("evidences.*.pcap")
        os.remove(files[0])
Ejemplo n.º 2
0
 def setUp(self):
     self.s = pyaiengine.StackLan()
     self.dis = pyaiengine.PacketDispatcher()
     self.dis.stack = self.s
     self.s.tcp_flows = 2048
     self.s.udp_flows = 1024
     self.f = pyaiengine.FrequencyGroup()
Ejemplo n.º 3
0
    def test29(self):
        """ Verify the functionatliy of the Evidence manager """
        def domain_callback(flow):
            self.called_callback += 1
            flow.evidence = True

        d = pyaiengine.DomainName("Wired domain", ".wired.com")

        dm = pyaiengine.DomainNameManager()
        d.callback = domain_callback
        dm.add_domain_name(d)

        self.s.set_domain_name_manager(dm, "HTTPProtocol")

        with pyaiengine.PacketDispatcher(
                "../pcapfiles/two_http_flows_noending.pcap") as pd:
            pd.evidences = True
            pd.stack = self.s
            pd.run()

        self.assertEqual(self.called_callback, 1)
        self.assertEqual(d.matchs, 1)
        """ verify the integrity of the new file created """
        files = glob.glob("evidences.*.pcap")
        os.remove(files[0])
Ejemplo n.º 4
0
    def test8(self):
        """ Test the functionality of make graphs of regex, for complex detecctions """

        rmbase = pyaiengine.RegexManager()
        rm2 = pyaiengine.RegexManager()
        r1 = pyaiengine.Regex("r1", b"^(No hacker should visit Las Vegas).*$")

        rmbase.add_regex(r1)

        r1.next_regex_manager = rm2

        r2 = pyaiengine.Regex("r2", b"(this can not match)")
        r3 = pyaiengine.Regex("r3", b"^\x90\x90\x90\x90.*$")
        rm2.add_regex(r2)
        rm2.add_regex(r3)

        self.s.tcp_regex_manager = rmbase

        with pyaiengine.PacketDispatcher(
                "../pcapfiles/generic_exploit_ipv6_defcon20.pcap") as pd:
            pd.stack = self.s
            pd.run()

        self.assertEqual(r1.matchs, 1)
        self.assertEqual(r2.matchs, 0)
        self.assertEqual(r3.matchs, 1)
Ejemplo n.º 5
0
 def setUp(self):
     self.s = pyaiengine.StackLanIPv6()
     self.dis = pyaiengine.PacketDispatcher()
     self.dis.stack = self.s
     self.s.tcp_flows = 2048
     self.s.udp_flows = 1024
     self.called_callback = 0
Ejemplo n.º 6
0
    def test19(self):
        """ Verify SMTP traffic with domain callback """
        self.from_correct = False

        def domain_callback(flow):
            s = flow.smtp_info
            if (s):
                if (str(s.mail_from) == "*****@*****.**"):
                    self.from_correct = True
            self.called_callback += 1

        d = pyaiengine.DomainName("Some domain", ".patriots.in")
        d.callback = domain_callback

        dm = pyaiengine.DomainNameManager()
        dm.add_domain_name(d)

        self.s.set_domain_name_manager(dm, "SMTPProtocol")

        oldstack = None

        with pyaiengine.PacketDispatcher("../pcapfiles/smtp.pcap") as pd:
            pd.stack = self.s
            pd.run()
            oldstack = pd.stack

        self.assertEqual(oldstack, self.s)

        self.assertEqual(d.matchs, 1)
        self.assertEqual(self.called_callback, 1)
        self.assertEqual(self.from_correct, True)
Ejemplo n.º 7
0
    def test24(self):
        """ Verify the property of the PacketDispatcher.stack """

        p = pyaiengine.PacketDispatcher()

        self.assertEqual(p.stack, None)

        # p.stack = p
        self.dis.stack = None

        self.assertEqual(self.dis.stack, None)
Ejemplo n.º 8
0
    def test11(self):
        """ Verify the correctness of the HTTP Protocol on IPv6 """

        with pyaiengine.PacketDispatcher(
                "../pcapfiles/http_over_ipv6.pcap") as pd:
            pd.stack = self.s
            pd.run()

        c = self.s.get_counters("HTTPProtocol")
        self.assertEqual(c["requests"], 11)
        self.assertEqual(c["responses"], 11)
Ejemplo n.º 9
0
    def test20(self):
        """ Test the chains of regex with RegexManagers """

        rlist = [
            pyaiengine.Regex("expression %d" % x, "some regex %d" % x)
            for x in xrange(0, 5)
        ]

        rmbase = pyaiengine.RegexManager()
        rm1 = pyaiengine.RegexManager()
        rm2 = pyaiengine.RegexManager()
        rm3 = pyaiengine.RegexManager()

        [rmbase.add_regex(r) for r in rlist]

        r1 = pyaiengine.Regex("smtp1", "^AUTH LOGIN")
        r1.next_regex_manager = rm1
        rmbase.add_regex(r1)

        r2 = pyaiengine.Regex("smtp2", "^NO MATCHS")
        r3 = pyaiengine.Regex("smtp3", "^MAIL FROM")

        rm1.add_regex(r2)
        rm1.add_regex(r3)
        r3.next_regex_manager = rm2

        r4 = pyaiengine.Regex("smtp4", "^NO MATCHS")
        r5 = pyaiengine.Regex("smtp5", "^DATA")

        rm2.add_regex(r4)
        rm2.add_regex(r5)
        r5.next_regex_manager = rm3

        r6 = pyaiengine.Regex("smtp6", "^QUIT")
        rm3.add_regex(r6)

        self.s.tcp_regex_manager = rmbase
        self.s.enable_nids_engine = True

        with pyaiengine.PacketDispatcher("../pcapfiles/smtp.pcap") as pd:
            pd.stack = self.s
            pd.run()

        for r in rlist:
            self.assertEqual(r.matchs, 0)

        self.assertEqual(r1.matchs, 1)
        self.assertEqual(r2.matchs, 0)
        self.assertEqual(r3.matchs, 1)
        self.assertEqual(r4.matchs, 0)
        self.assertEqual(r5.matchs, 1)
        self.assertEqual(r6.matchs, 1)
Ejemplo n.º 10
0
    def test28(self):
        """ Verify the correctness of the HTTP Protocol """
        """ The filter tcp and port 49503 will filter just one HTTP flow
            that contains exactly 39 requests and 38 responses """
        with pyaiengine.PacketDispatcher(
                "../pcapfiles/two_http_flows_noending.pcap") as pd:
            pd.pcap_filter = "tcp and port 49503"
            pd.stack = self.s
            pd.run()

        c = self.s.get_counters("HTTPProtocol")
        self.assertEqual(c["requests"], 3)
        self.assertEqual(c["responses"], 3)
Ejemplo n.º 11
0
    def test2(self):
        """ Test the with statement of the PacketDispatcher """

        rm = pyaiengine.RegexManager()
        r = pyaiengine.Regex("Bin directory", b"^\x26\x01")
        rm.add_regex(r)
        self.s.tcp_regex_manager = rm

        with pyaiengine.PacketDispatcher("../pcapfiles/openflow.pcap") as pd:
            pd.stack = self.s
            pd.run()

        self.assertEqual(r.matchs, 1)
Ejemplo n.º 12
0
    def test10(self):
        """ Verify the functionality of the getCache method """

        with pyaiengine.PacketDispatcher(
                "../pcapfiles/ipv6_google_dns.pcap") as pd:
            pd.stack = self.s
            pd.run()

        d = self.s.get_cache("DNSProtocol")
        self.assertEqual(len(self.s.get_cache("DNSProtocol")), 1)
        self.assertEqual(len(self.s.get_cache("DNSProtocolNoExists")), 0)
        self.s.release_cache("DNSProtocol")
        self.assertEqual(len(self.s.get_cache("DNSProtocol")), 0)
        self.assertEqual(len(self.s.get_cache("HTTPProtocol")), 0)
        self.assertEqual(len(self.s.get_cache("SSLProtocol")), 0)
Ejemplo n.º 13
0
    def test25(self):
        """ Verify the functionatliy of the SSDP Protocol """

        with pyaiengine.PacketDispatcher("../pcapfiles/ssdp_flow.pcap") as pd:
            pd.stack = self.s
            pd.run()

        fu = self.s.udp_flow_manager
        for flow in fu:
            s = flow.ssdp_info
            if (s):
                self.assertEqual(s.uri, "*")
                self.assertEqual(s.host_name, "239.255.255.250:1900")
            else:
                self.assertFalse(False)
Ejemplo n.º 14
0
def threadHandler(netmask):

    # Load an instance of a Network Stack on Lan Network
    st = pyaiengine.StackLan()

    st.tcp_flows = 327680
    st.udp_flows = 163840

    with pyaiengine.PacketDispatcher("re0") as pd:
        pd.stack = st
        pd.pcap_filter = netmask
        pd.run()

    st.stats_level = 5
    f = open("statistics.log.%d" % os.getpid(), "w")
    f.write(str(st))
    f.close()
Ejemplo n.º 15
0
    def test26(self):
        """ Verify the functionatliy of the RegexManager on the HTTP Protocol for analise
            inside the l7 payload of HTTP """
        def callback_domain(flow):
            self.called_callback += 1
            pass

        def callback_regex(flow):
            self.called_callback += 1
            self.assertEqual(flow.packets, 11)
            self.assertEqual(flow.packets_layer7, 4)

        d = pyaiengine.DomainName("Wired domain", ".wired.com")

        rm = pyaiengine.RegexManager()
        r1 = pyaiengine.Regex("Regex for analysing the content of HTTP",
                              b"^\x1f\x8b\x08\x00\x00\x00\x00.*$")
        r2 = pyaiengine.Regex("Regex for analysing the content of HTTP",
                              b"^.{3}\xcd\x9c\xc0\x0a\x34.*$")
        r3 = pyaiengine.Regex("Regex for analysing the content of HTTP",
                              b"^.*\x44\x75\x57\x0c\x22\x7b\xa7\x6d$")

        r2.next_regex = r3
        r1.next_regex = r2
        rm.add_regex(r1)
        r3.callback = callback_regex
        """ So the flows from wired.com will be analise the regexmanager attached """
        d.regex_manager = rm

        dm = pyaiengine.DomainNameManager()
        d.callback = callback_domain
        dm.add_domain_name(d)

        self.s.set_domain_name_manager(dm, "http")

        with pyaiengine.PacketDispatcher(
                "../pcapfiles/two_http_flows_noending.pcap") as pd:
            pd.stack = self.s
            pd.run()

        self.assertEqual(self.called_callback, 2)
        self.assertEqual(r1.matchs, 1)
        self.assertEqual(r2.matchs, 1)
        self.assertEqual(r3.matchs, 1)
        self.assertEqual(d.matchs, 1)
Ejemplo n.º 16
0
    def test31(self):
        """ Verify the functionatliy of the RegexManager on the IPSets """
        def regex_callback(flow):
            r = flow.regex
            i = flow.ip_set
            self.assertEqual(flow.dstip, "95.100.96.10")
            self.assertEqual(r.name, "generic http")
            self.assertEqual(i.name, "Generic set")
            self.called_callback += 1

        def ipset_callback(flow):
            r = flow.regex
            i = flow.ip_set
            self.assertNotEqual(i, None)
            self.assertEqual(i.name, "Generic set")
            self.assertEqual(r, None)
            self.called_callback += 1

        rm = pyaiengine.RegexManager()
        i = pyaiengine.IPSet("Generic set")
        i.add_ip_address("95.100.96.10")
        i.regexmanager = None
        i.callback = ipset_callback
        im = pyaiengine.IPSetManager()

        im.add_ip_set(i)
        self.s.tcp_ip_set_manager = im

        r = pyaiengine.Regex("generic http", "^GET.*HTTP")
        r.callback = regex_callback
        rm.add_regex(r)

        self.s.enable_nids_engine = True

        with pyaiengine.PacketDispatcher(
                "../pcapfiles/two_http_flows_noending.pcap") as pd:
            pd.stack = self.s
            pd.run()

        self.assertEqual(self.called_callback, 1)
        self.assertEqual(i.lookups_in, 1)
        self.assertEqual(r.matchs, 0)
Ejemplo n.º 17
0
    def test22(self):
        """ Verify the functionatliy of the HTTPUriSets with the callbacks """

        self.uset = pyaiengine.HTTPUriSet()

        def domain_callback(flow):
            self.called_callback += 1

        def uri_callback(flow):
            self.assertEqual(self.uset.uris, 1)
            self.assertEqual(self.uset.lookups, 39)
            self.assertEqual(self.uset.lookups_in, 1)
            self.assertEqual(self.uset.lookups_out, 38)
            self.called_callback += 1

        d = pyaiengine.DomainName("Wired domain", ".wired.com")

        dm = pyaiengine.DomainNameManager()
        d.callback = domain_callback
        dm.add_domain_name(d)

        self.uset.add_uri(
            "/images_blogs/gadgetlab/2013/08/AP090714043057-60x60.jpg")
        self.uset.callback = uri_callback

        d.http_uri_set = self.uset

        self.s.set_domain_name_manager(dm, "HTTPProtocol")

        with pyaiengine.PacketDispatcher(
                "../pcapfiles/two_http_flows_noending.pcap") as pd:
            pd.stack = self.s
            pd.run()

        self.assertEqual(d.http_uri_set, self.uset)
        self.assertEqual(self.uset.uris, 1)
        self.assertEqual(self.uset.lookups, 39)
        self.assertEqual(self.uset.lookups_in, 1)
        self.assertEqual(self.uset.lookups_out, 38)

        self.assertEqual(self.called_callback, 2)
Ejemplo n.º 18
0
    def test9(self):
        """ Another test for the functionality of make graphs of regex, for complex detecctions """

        rm1 = pyaiengine.RegexManager()
        rm2 = pyaiengine.RegexManager()
        rm3 = pyaiengine.RegexManager()
        r1 = pyaiengine.Regex("r1", b"^(No hacker should visit Las Vegas).*$")

        r1.next_regex_manager = rm2
        rm1.add_regex(r1)

        r2 = pyaiengine.Regex("r2", b"(this can not match)")
        r3 = pyaiengine.Regex("r3", b"^\x90\x90\x90\x90.*$")
        rm2.add_regex(r2)
        rm2.add_regex(r3)

        r3.next_regex_manager = rm3

        r4 = pyaiengine.Regex("r4", b"^Upgrade.*$")
        r5 = pyaiengine.Regex("r5", b"(this can not match)")

        rm3.add_regex(r4)
        rm3.add_regex(r5)

        self.s.tcp_regex_manager = rm1

        oldstack = None

        with pyaiengine.PacketDispatcher(
                "../pcapfiles/generic_exploit_ipv6_defcon20.pcap") as pd:
            pd.stack = self.s
            pd.run()
            oldstack = self.s

        self.assertEqual(self.s, oldstack)

        self.assertEqual(r1.matchs, 1)
        self.assertEqual(r2.matchs, 0)
        self.assertEqual(r3.matchs, 1)
        self.assertEqual(r4.matchs, 1)
Ejemplo n.º 19
0
    def test23(self):
        """ Verify the functionatliy of the HTTPUriSets with the callbacks """

        self.uset = pyaiengine.HTTPUriSet()

        def domain_callback(flow):
            self.called_callback += 1

        def uri_callback(flow):
            self.assertEqual(self.uset.uris, 1)
            self.assertEqual(self.uset.lookups, 4)
            self.assertEqual(self.uset.lookups_in, 1)
            self.assertEqual(self.uset.lookups_out, 3)
            self.called_callback += 1

        d = pyaiengine.DomainName("Wired domain", ".wired.com")

        dm = pyaiengine.DomainNameManager()
        d.callback = domain_callback
        dm.add_domain_name(d)

        # This uri is the thrid of the wired.com flow
        self.uset.add_uri("/js/scrolldock/scrolldock.css?v=20121120a")
        self.uset.callback = uri_callback

        d.http_uri_set = self.uset

        self.s.set_domain_name_manager(dm, "HTTPProtocol")

        with pyaiengine.PacketDispatcher(
                "../pcapfiles/two_http_flows_noending.pcap") as pd:
            pd.stack = self.s
            pd.run()

        self.assertEqual(self.uset.uris, 1)
        self.assertEqual(self.uset.lookups, 39)
        self.assertEqual(self.uset.lookups_in, 1)
        self.assertEqual(self.uset.lookups_out, 38)
        self.assertEqual(self.called_callback, 2)
Ejemplo n.º 20
0
    def domain_names(self):
        """Fit the pcap as input file to pyaiengine.PacketDispatcher,
           Gets the total number of packets process by the PacketDispatcher.

                Returns
                -------
                self : dictionary object or raise PcapFileNotFoundError
                    Returns domains.

                if pcap is not None:
                    :return domains
                else:
                    :return raise PcapFileNotFoundError
        """
        try:
            if self.pcap is not None:
                with pyaiengine.PacketDispatcher(self.pcap) as pd:
                    pd.stack = self.st
                    pd.run()

                # Get the UDP flows processed
                self.flows = self.st.udp_flow_manager

                for flow in self.flows:
                    if flow.bytes > 0:
                        if flow.dns_info:
                            name = flow.dns_info.domain_name
                            if not self.domains.has_key(name):
                                self.domains[name] = 1
                            else:
                                self.domains[name] += 1

            raise PcapFileNotFoundError('Pcap file not found : {}'.format(self.pcap))

        except Exception as excep:
            # print('I/O Exception occured: ', error.message)
            pass

        return self.domains
Ejemplo n.º 21
0
    def test12(self):
        """ Verify the functionatliy of the RegexManager on the HTTP Protocol for analise
            inside the l7 payload of HTTP on IPv6 traffic """
        def callback_domain(flow):
            self.called_callback += 1

        def callback_regex(flow):
            self.called_callback += 1
            self.assertEqual(flow.regex.name,
                             "Regex for analysing the content of HTTP")
            self.assertEqual(flow.http_info.host_name, "media.us.listen.com")

        d = pyaiengine.DomainName("Music domain", ".us.listen.com")

        rm = pyaiengine.RegexManager()
        r1 = pyaiengine.Regex("Regex for analysing the content of HTTP",
                              b"^\x89\x50\x4e\x47\x0d\x0a\x1a\x0a.*$")

        rm.add_regex(r1)
        r1.callback = callback_regex
        """ So the flows from listen.com will be analise the regexmanager attached """
        d.regex_manager = rm

        dm = pyaiengine.DomainNameManager()
        d.callback = callback_domain
        dm.add_domain_name(d)

        self.s.set_domain_name_manager(dm, "HTTPProtocol")

        with pyaiengine.PacketDispatcher(
                "../pcapfiles/http_over_ipv6.pcap") as pd:
            pd.stack = self.s
            pd.run()

        self.assertEqual(self.called_callback, 2)
        self.assertEqual(r1.matchs, 1)
        self.assertEqual(d.matchs, 1)
Ejemplo n.º 22
0
    st = pyaiengine.StackLan()

    dm = pyaiengine.DomainNameManager()

    st.tcp_flows = 200000
    st.udp_flows = 100000

    d1 = pyaiengine.DomainName("Generic com", ".com")
    d2 = pyaiengine.DomainName("Generic org", ".com")
    d3 = pyaiengine.DomainName("Generic net", ".org")

    d1.callback = random_callback_name
    d2.callback = random_callback_name
    d3.callback = random_callback_name

    dm.add_domain_name(d1)
    dm.add_domain_name(d2)
    dm.add_domain_name(d3)

    st.set_domain_name_manager(dm, "DNSProtocol")
    st.set_domain_name_manager(dm, "SSLProtocol")
    st.set_domain_name_manager(dm, "HTTPProtocol")

    with pyaiengine.PacketDispatcher("enp0s25") as pd:
        pd.stack = st
        pd.run()

    dm.show()
    sys.exit(0)
Ejemplo n.º 23
0
if __name__ == '__main__':

    # Load an instance of a Network Stack on Lan network
    st = pyaiengine.StackLan()

    dm = pyaiengine.DomainNameManager()

    dom = pyaiengine.DomainName("Service to analyze", "marca.com")
    dom.callback = callback_host
    dm.add_domain_name(dom)

    st.set_domain_name_manager(dm, "HTTPProtocol")

    st.tcp_flows = 327680
    st.udp_flows = 163840

    with pyaiengine.PacketDispatcher("eth0") as pd:
        # Plug the stack on the PacketDispatcher
        pd.stack = st
        pd.run()

    # Dump on file the statistics of the stack
    st.stats_level = 5
    f = open("statistics.log", "w")
    f.write(str(st))
    f.close()

    print(top_ips)

    sys.exit(0)
Ejemplo n.º 24
0
        output_path = "/aiengine_vol/"
        filename = "aiengine_pkt_results.json"

    # scan every file in the /pcap/ dir
    json_output = {}
    for filename in os.listdir("pcap"):
        print("[AIEngine] Scanning: " + filename)
        packet_dump_filename = "aiengine_packet_scans_{}_{}.json".format(
            filename, time.strftime('%H-%M-%S', time.localtime()))

        # update tcp & udp traffic every 16 packets
        db = fileAdaptor(output_path + packet_dump_filename)
        st.set_udp_database_adaptor(db, 16)
        st.set_tcp_database_adaptor(db, 16)

        with pyaiengine.PacketDispatcher("/pcap/" + filename) as pd:
            pd.stack = st
            pd.run()

        old_stdout_fd = os.dup(1)
        fd = redirect_stdout_to_file("/stdout_temp.txt")

        # parse redirected summary messages
        json_output[filename] = {
            "protocol_statistics": parse_protocol_summary(st, fd),
            "flow_statistics": parse_flows_summary(st, fd),
            "anomaly_statistics": parse_anomaly_summary(st, fd)
        }

        # put stdout back
        os.dup2(old_stdout_fd, 1)
Ejemplo n.º 25
0
    con = dict()

    for f in ssh_connections:
        """ Normally connections between 4000 and 3000 encrypted bytes are fail logins """
        if (4000 > f.ssh_info.encrypted_bytes > 3000):
            """ Store the source IP address of the SSH connection """
            if (f.src_ip not in con):
                con[f.src_ip] = 0

            con[f.src_ip] += 1
    """ Check the IPs that have been abuse """
    for k, v in con.iteritems():
        if (v > 5):
            print("IP %s is bruting force the SSH service" % k)


if __name__ == '__main__':

    # Load an instance of a Network Stack on a LAN
    st = pyaiengine.StackLan()

    st.tcp_flows = 327680
    st.udp_flows = 163840

    with pyaiengine.PacketDispatcher("lo") as pd:
        pd.stack = st
        pd.add_timer(timer_5seconds, 5)
        pd.run()

    sys.exit(0)
Ejemplo n.º 26
0
    total_ips = dict()
    print("NTP DDoS Checker")
    c = st.get_counters("NTPProtocol")

    # Count the number different ips of the NTP flows
    for flow in st.udp_flow_manager:
        if (flow.l7_protocol_name == "NTPProtocol"):
            total_ips[flow.src_ip] = 1

    if (total_ips.len() == len(fu)):
        print("System under a NTP DDoS attack")


if __name__ == '__main__':

    # Load an instance of a Network Stack Lan
    st = pyaiengine.StackLan()

    st.tcp_flows = 327680
    st.udp_flows = 163840

    # Create a instace of a PacketDispatcher
    with pyaiengine.PacketDispatcher("ens7") as pd:
        pd.stack = st
        # Sets a handler method that will be call
        # every 5 seconds for check the values
        pd.set_scheduler(scheduler_handler_tcp, 5)
        pd.run()

    sys.exit(0)
Ejemplo n.º 27
0
    ipstats = st.get_counters("IP")

    current_ip_packets = ipstats["packets"]
    current_fragmented = ipstats["fragmented packets"]

    print("\033[34m" + "INFO: " + str(ipstats) + "\033[0m")

    if (current_fragmented > previous_fragments + delta):
        print("\033[31m" + "ALERT: IP Fragment attack on the network" +
              "\033[0m")

    previous_ip_packets = current_ip_packets
    previous_fragments = current_fragmented


if __name__ == '__main__':

    st = pyaiengine.StackLan()

    st.tcp_flows = 327680
    st.udp_flows = 163840

    source = "enp0s31f6"

    with pyaiengine.PacketDispatcher(source) as pd:
        pd.stack = st
        pd.add_timer(timer_5seconds, 5)
        pd.run()

    sys.exit(0)
Ejemplo n.º 28
0

if __name__ == '__main__':

    # Load an instance of a Network Stack on a Lan network
    st1 = pyaiengine.StackLan()

    st1.tcp_flows = 327680
    st1.udp_flows = 163840
    """ Generate two instances of the FrequencyGroup and LearnerEngine """
    learn = pyaiengine.LearnerEngine()
    freq = pyaiengine.FrequencyGroup()
    """ Tell the stack that should store the payloads """
    st1.enable_frequency_engine = True
    """ Open the pcapfile and process """
    with pyaiengine.PacketDispatcher("unknown_traffic.pcap") as pd:
        pd.stack = st1
        pd.run()
    """ Use the method most suitable for your case """
    freq.add_flows_by_destination_port(st1.tcp_flow_manager)
    freq.compute()

    flow_list = freq.get_reference_flows()
    learn.agregate_flows(flow_list)
    learn.compute()
    """ Get the generated regex """
    r_candidate = learn.regex

    print("Generated Regex:", r_candidate)
    rm = pyaiengine.RegexManager()
    r = pyaiengine.Regex("Unknown attack/traffic", r_candidate)
Ejemplo n.º 29
0
                    # The URI is encoded, so decode for analysis
                    try:
                        urie = base64.b64decode(uri)
                        print "Original:", uri
                        print "Decoded:", urie
                    except:
                        pass


if __name__ == '__main__':

    # Load an instance of a Network Stack on mobile network
    st = pyaiengine.StackMobile()

    # Create a instace of a PacketDispatcher
    pdis = pyaiengine.PacketDispatcher()

    # Plug the stack on the PacketDispatcher
    pdis.stack = st

    dm = pyaiengine.DomainNameManager()

    dom = pyaiengine.DomainName("Service to analyze", "facebook.com")
    dom.callback = callback_uri
    dm.add_domain_name(dom)

    st.set_domain_name_manager(dm, "http")

    st.tcp_flows = 327680
    st.udp_flows = 163840
Ejemplo n.º 30
0
    r_mng = pyaiengine.RegexManager()

    reg_head = pyaiengine.Regex("First regex", "mining.subscribe")
    reg_tail = pyaiengine.Regex(
        "Second regex",
        "c4758493e4f9804beeb784b4ff0be019b03678952ea8bb6f5c5365b2b76438a7")

    reg_head.next_regex = reg_tail

    reg_tail.callback = callback
    r_mng.add_regex(reg_head)

    st.tcp_regex_manager = r_mng

    st.tcp_flows = 327680
    st.udp_flows = 163840

    with pyaiengine.PacketDispatcher(
            "/home/luis/pcapfiles/bitcoinminer.pcap") as pd:
        pd.stack = st
        pd.run()

    st.show_flows()
    # Dump on file the statistics of the stack
    st.stats_level = 5
    f = open("statistics.log", "w")
    f.write(str(st))
    f.close()

    sys.exit(0)