def handleStream(tcp):
((src, sport), (dst, dport)) = parse_addr(tcp)
if tcp.server.count_new > 0:
data = tcp.server.data[:tcp.server.count_new]
count = tcp.server.count_new
direction = 'to_server'
color = "RED"
else:
data = tcp.client.data[:tcp.client.count_new]
count = tcp.client.count_new
direction = 'to_client'
color = "GREEN"
if tcp.module_data['verbose']:
chop.tsprettyprnt(
color, "%s:%s -> %s:%s %i bytes (H = %0.2f)" %
(src, sport, dst, dport, count, entropy(data)))
if tcp.module_data['oneshot']:
tcp.stream_data['data'] += data
if tcp.module_data['oneshot_split']:
tcp.stream_data[direction] += data
if tcp.module_data['oneshot'] or tcp.module_data['oneshot_split']:
return
handle_bytes(data, color, direction, tcp.module_data)
tcp.discard(count)
def handleStream(tcp):
((src, sport), (dst, dport)) = parse_addr(tcp)
if tcp.server.count_new > 0:
if tcp.module_data['verbose']:
chop.tsprnt("%s:%s->%s:%s (%i)" %
(src, sport, dst, dport, tcp.server.count_new))
try:
tcp.stream_data['cp'].req_data(
tcp.server.data[:tcp.server.count_new])
except htpy.stop:
tcp.stop()
except htpy.error:
chop.prnt("Stream error in htpy.")
tcp.stop()
tcp.discard(tcp.server.count_new)
elif tcp.client.count_new > 0:
if tcp.module_data['verbose']:
chop.tsprnt("%s:%s->%s:%s (%i)" %
(src, sport, dst, dport, tcp.client.count_new))
try:
tcp.stream_data['cp'].res_data(
tcp.client.data[:tcp.client.count_new])
except htpy.stop:
tcp.stop()
except htpy.error:
chop.prnt("Stream error in htpy.")
tcp.stop()
tcp.discard(tcp.client.count_new)
return
def handleStream(tcp):
((src, sport), (dst, dport)) = parse_addr(tcp)
if tcp.server.count_new > 0:
data = tcp.server.data[: tcp.server.count_new]
count = tcp.server.count_new
direction = "to_server"
color = "RED"
else:
data = tcp.client.data[: tcp.client.count_new]
count = tcp.client.count_new
direction = "to_client"
color = "GREEN"
if tcp.module_data["verbose"]:
chop.tsprettyprnt(color, "%s:%s -> %s:%s %i bytes (H = %0.2f)" % (src, sport, dst, dport, count, entropy(data)))
if tcp.module_data["oneshot"]:
tcp.stream_data["data"] += data
if tcp.module_data["oneshot_split"]:
tcp.stream_data[direction] += data
if tcp.module_data["oneshot"] or tcp.module_data["oneshot_split"]:
return
handle_bytes(data, color, direction, tcp.module_data)
tcp.discard(count)
def handleStream(tcp):
((src, sport), (dst, dport)) = parse_addr(tcp)
if tcp.client.count_new > 0:
data = tcp.client.data[:tcp.client.count_new]
count = tcp.client.count_new
if tcp.stream_data['dump']:
chop.tsprnt("%s:%s -> %s:%s %i bytes" % (
src,
sport,
dst,
dport,
count,
))
chop.prnt(hexdump(data))
if data[:3] in [
'\x18\x03\x00', '\x18\x03\x01', '\x18\x03\x02', '\x18\x03\x03'
]:
chop.tsprnt("%s:%s -> %s:%s %i bytes" % (
src,
sport,
dst,
dport,
count,
))
chop.prnt(hexdump(data[8:]))
tcp.stream_data['dump'] = True
if tcp.client.server_new > 0:
count = tcp.server.count_new
tcp.discard(count)
def handleStream(tcp):
((src, sport), (dst, dport)) = parse_addr(tcp)
if tcp.server.count_new > 0:
if tcp.module_data['verbose']:
chop.tsprnt("%s:%s->%s:%s (%i)" % (src, sport, dst, dport, tcp.server.count_new))
try:
tcp.stream_data['cp'].req_data(tcp.server.data[:tcp.server.count_new])
except htpy.stop:
tcp.stop()
except htpy.error:
chop.prnt("Stream error in htpy.")
tcp.stop()
tcp.discard(tcp.server.count_new)
elif tcp.client.count_new > 0:
if tcp.module_data['verbose']:
chop.tsprnt("%s:%s->%s:%s (%i)" % (src, sport, dst, dport, tcp.client.count_new))
try:
tcp.stream_data['cp'].res_data(tcp.client.data[:tcp.client.count_new])
except htpy.stop:
tcp.stop()
except htpy.error:
chop.prnt("Stream error in htpy.")
tcp.stop()
tcp.discard(tcp.client.count_new)
return
def handleStream(tcp):
chopp = ChopProtocol('http')
((src, sport), (dst, dport)) = parse_addr(tcp)
tcp.stream_data['htpy_obj'].timestamp = tcp.timestamp
if tcp.server.count_new > 0:
if tcp.module_data['options']['verbose']:
chop.tsprnt("%s:%s->%s:%s (%i)" %
(src, sport, dst, dport, tcp.server.count_new))
if tcp.server.count_new == 1 and tcp.module_data['options']['beast']:
tcp.discard(0)
else:
data_size = tcp.server.count - tcp.server.offset
try:
tcp.stream_data['connparser'].\
req_data(tcp.server.data[:data_size])
except htpy.stop:
tcp.stop()
except htpy.error:
if tcp.module_data['options']['verbose']:
chop.tsprnt("Stream error in htpy.")
tcp.stop()
tcp.discard(data_size)
elif tcp.client.count_new > 0:
if tcp.module_data['options']['verbose']:
chop.tsprnt("%s:%s->%s:%s (%i)" %
(src, sport, dst, dport, tcp.client.count_new))
if tcp.client.count_new == 1 and tcp.module_data['options']['beast']:
tcp.discard(0)
else:
data_size = tcp.client.count - tcp.client.offset
try:
tcp.stream_data['connparser'].\
res_data(tcp.client.data[:data_size])
except htpy.stop:
tcp.stop()
except htpy.error:
if tcp.module_data['options']['verbose']:
chop.tsprnt("Stream error in htpy.")
tcp.stop()
tcp.discard(data_size)
if tcp.stream_data['htpy_obj'].ready:
trans = tcp.stream_data['htpy_obj'].transaction
chopp.setClientData(trans['request'])
chopp.setServerData(trans['response'])
chopp.setTimeStamp(trans['timestamp'])
chopp.setAddr(tcp.addr)
chopp.flowStart = tcp.stream_data['htpy_obj'].flowStart
tcp.stream_data['htpy_obj'].ready = False
tcp.stream_data['htpy_obj'].temp = {}
tcp.stream_data['htpy_obj'].transaction = {}
return chopp
return None
def handleStream(tcp):
chopp = ChopProtocol('http')
((src, sport), (dst, dport)) = parse_addr(tcp)
tcp.stream_data['htpy_obj'].timestamp = tcp.timestamp
if tcp.server.count_new > 0:
if tcp.module_data['options']['verbose']:
chop.tsprnt("%s:%s->%s:%s (%i)"
% (src, sport, dst, dport, tcp.server.count_new))
if tcp.server.count_new == 1 and tcp.module_data['options']['beast']:
tcp.discard(0)
else:
data_size = tcp.server.count - tcp.server.offset
try:
tcp.stream_data['connparser'].\
req_data(tcp.server.data[:data_size])
except htpy.stop:
tcp.stop()
except htpy.error:
if tcp.module_data['options']['verbose']:
chop.tsprnt("Stream error in htpy.")
tcp.stop()
tcp.discard(data_size)
elif tcp.client.count_new > 0:
if tcp.module_data['options']['verbose']:
chop.tsprnt("%s:%s->%s:%s (%i)"
% (src, sport, dst, dport, tcp.client.count_new))
if tcp.client.count_new == 1 and tcp.module_data['options']['beast']:
tcp.discard(0)
else:
data_size = tcp.client.count - tcp.client.offset
try:
tcp.stream_data['connparser'].\
res_data(tcp.client.data[:data_size])
except htpy.stop:
tcp.stop()
except htpy.error:
if tcp.module_data['options']['verbose']:
chop.tsprnt("Stream error in htpy.")
tcp.stop()
tcp.discard(data_size)
if tcp.stream_data['htpy_obj'].ready:
trans = tcp.stream_data['htpy_obj'].transaction
chopp.setClientData(trans['request'])
chopp.setServerData(trans['response'])
chopp.setTimeStamp(trans['timestamp'])
chopp.setAddr(tcp.addr)
chopp.flowStart = tcp.stream_data['htpy_obj'].flowStart
tcp.stream_data['htpy_obj'].ready = False
tcp.stream_data['htpy_obj'].temp = {}
tcp.stream_data['htpy_obj'].transaction = {}
return chopp
return None
def handleStream(tcp):
"""
Analyze payloads with Yara.
handleStream behaves differently based upon processing mode.
If mode is set to 'packet', each packet's payload is individually analyzed
with yara. If mode is set to 'fixed_buffer' or 'sliding_window', packet
payloads are appended to the analysis buffer. The 'session' mode is not
handled inside of handleStream.
"""
((src, sport), (dst, dport)) = parse_addr(tcp)
# Check for new packets received by the server
if tcp.server.count_new:
tcp.stream_data['server_buffer'] += tcp.server.data[:tcp.server.count_new]
if tcp.module_data['verbose']:
chop.tsprettyprnt("RED", "%s:%s -> %s:%s %i bytes" %
(src, sport, dst, dport, tcp.server.count_new))
if tcp.module_data['mode'] == 'packet':
tcp.stream_data['server_processor'].data = tcp.server.data[:tcp.server.count_new]
results = tcp.stream_data['server_processor'].analyze()
tcp.stream_data['server_results'] += results
elif tcp.module_data['mode'] in ['fixed_buffer', 'sliding_window']:
tcp.stream_data['server_processor'].data += tcp.server.data[:tcp.server.count_new]
# Check for new packets received by the client
if tcp.client.count_new:
tcp.stream_data['client_buffer'] += tcp.client.data[:tcp.client.count_new]
if tcp.module_data['verbose']:
chop.tsprettyprnt("RED", "%s:%s -> %s:%s %i bytes" %
(dst, dport, src, sport, tcp.client.count_new))
if tcp.module_data['mode'] == 'packet':
tcp.stream_data['client_processor'].data = tcp.client.data[:tcp.client.count_new]
results = tcp.stream_data['client_processor'].analyze()
tcp.stream_data['client_results'] += results
elif tcp.module_data['mode'] in ['fixed_buffer', 'sliding_window']:
tcp.stream_data['client_processor'].data += tcp.client.data[:tcp.client.count_new]
# if we are analyzing whole sessions, discard 0 bytes
if tcp.module_data['mode'] == 'session':
tcp.discard(0)
# Handle printing and optionally saving results to file
handle_results(tcp)
def handleStream(tcp):
((src, sport), (dst, dport)) = parse_addr(tcp)
if tcp.client.count_new > 0:
data = tcp.client.data[: tcp.client.count_new]
count = tcp.client.count_new
if tcp.stream_data["dump"]:
chop.tsprnt("%s:%s -> %s:%s %i bytes" % (src, sport, dst, dport, count))
chop.prnt(hexdump(data))
if data[:3] in ["\x18\x03\x00", "\x18\x03\x01", "\x18\x03\x02", "\x18\x03\x03"]:
chop.tsprnt("%s:%s -> %s:%s %i bytes" % (src, sport, dst, dport, count))
chop.prnt(hexdump(data[8:]))
tcp.stream_data["dump"] = True
tcp.discard(count)
def handleStream(tcp):
((src, sport), (dst, dport)) = parse_addr(tcp)
if tcp.server.count_new > 0:
data = tcp.server.data[:tcp.server.count_new]
count = tcp.server.count_new
direction = 'to_server'
color = "RED"
else:
data = tcp.client.data[:tcp.client.count_new]
count = tcp.client.count_new
direction = 'to_client'
color = "GREEN"
handle_bytes(data, color, direction, tcp.module_data)
tcp.discard(count)
def handleStream(tcp):
((src, sport), (dst, dport)) = parse_addr(tcp)
if tcp.client.count_new > 0:
data = tcp.client.data[:tcp.client.count_new]
count = tcp.client.count_new
if tcp.stream_data['dump']:
chop.tsprnt("%s:%s -> %s:%s %i bytes" % (src, sport, dst, dport, count,))
chop.prnt(hexdump(data))
if data[:3] in ['\x18\x03\x00', '\x18\x03\x01', '\x18\x03\x02', '\x18\x03\x03']:
chop.tsprnt("%s:%s -> %s:%s %i bytes" % (src, sport, dst, dport, count,))
chop.prnt(hexdump(data[8:]))
tcp.stream_data['dump'] = True
if tcp.client.server_new > 0:
count = tcp.server.count_new
tcp.discard(count)
def decode(msg, tcp):
((src, sport), (dst, dport)) = parse_addr(tcp)
# chop.tsprnt("%s:%i->%s:%i" % (src, sport, dst, dport), None)
# If this is a shell session, just dump the contents.
if tcp.stream_data["shell"] == True:
chop.prnt("\n%s" % msg)
return
# Grab the token and decode if possible.
b = struct.unpack("c", msg[:1])[0]
if b in tcp.module_data["tokens"]:
msg = msg[1:]
tcp.module_data["tokens"][b](msg, tcp)
else:
chop.prnt("Unknown token: 0x%02x" % ord(b))
chop.prnt("%s" % hexdump(msg))
def decode(msg, tcp):
((src, sport), (dst, dport)) = parse_addr(tcp)
#chop.tsprnt("%s:%i->%s:%i" % (src, sport, dst, dport), None)
# If this is a shell session, just dump the contents.
if tcp.stream_data['shell'] == True:
chop.prnt("\n%s" % msg)
return
# Grab the token and decode if possible.
b = struct.unpack('c', msg[:1])[0]
if b in tcp.module_data['tokens']:
msg = msg[1:]
tcp.module_data['tokens'][b](msg, tcp)
else:
chop.prnt("Unknown token: 0x%02x" % ord(b))
chop.prnt("%s" % hexdump(msg))
def handleStream(tcp):
((src, sport), (dst, dport)) = parse_addr(tcp)
if tcp.server.count_new > 0:
data = tcp.server.data[:tcp.server.count_new]
count = tcp.server.count_new
color = "RED"
else:
data = tcp.client.data[:tcp.client.count_new]
count = tcp.client.count_new
color = "GREEN"
if tcp.module_data['verbose']:
chop.tsprettyprnt(color, "%s:%s -> %s:%s %i bytes" % (src, sport, dst, dport, count))
if 'xor_key' in tcp.module_data:
data = multibyte_xor(data, tcp.module_data['xor_key'])
if tcp.module_data['hexdump']:
data = hexdump(data)
chop.prettyprnt(color, data)
tcp.discard(count)
def handleStream(tcp):
chopp = ChopProtocol('http')
((src, sport), (dst, dport)) = parse_addr(tcp)
tcp.stream_data['htpy_obj']['timestamp'] = tcp.timestamp
if tcp.server.count_new > 0:
if tcp.module_data['options']['verbose']:
chop.tsprnt("%s:%s->%s:%s (%i)" %
(src, sport, dst, dport, tcp.server.count_new))
try:
tcp.stream_data['connparser'].req_data(
tcp.server.data[:tcp.server.count_new])
except htpy.stop:
tcp.stop()
except htpy.error:
chop.prnt("Stream error in htpy.")
tcp.stop()
tcp.discard(tcp.server.count_new)
elif tcp.client.count_new > 0:
if tcp.module_data['options']['verbose']:
chop.tsprnt("%s:%s->%s:%s (%i)" %
(src, sport, dst, dport, tcp.client.count_new))
try:
tcp.stream_data['connparser'].res_data(
tcp.client.data[:tcp.client.count_new])
except htpy.stop:
tcp.stop()
except htpy.error:
chop.prnt("Stream error in htpy.")
tcp.stop()
tcp.discard(tcp.client.count_new)
if tcp.stream_data['htpy_obj']['ready']:
trans = tcp.stream_data['htpy_obj']['transaction']
chopp.setClientData(trans['request'])
chopp.setServerData(trans['response'])
chopp.setTimeStamp(trans['timestamp'])
chopp.setAddr(tcp.addr)
chopp.flowStart = tcp.stream_data['htpy_obj']['flowStart']
tcp.stream_data['htpy_obj']['ready'] = False
return chopp
return None
def handleStream(tcp):
((src, sport), (dst, dport)) = parse_addr(tcp)
if tcp.server.count_new > 0:
data = tcp.server.data[:tcp.server.count_new]
count = tcp.server.count_new
color = "RED"
else:
data = tcp.client.data[:tcp.client.count_new]
count = tcp.client.count_new
color = "GREEN"
if tcp.module_data['verbose']:
chop.tsprettyprnt(
color, "%s:%s -> %s:%s %i bytes" % (src, sport, dst, dport, count))
if 'xor_key' in tcp.module_data:
data = multibyte_xor(data, tcp.module_data['xor_key'])
if tcp.module_data['hexdump']:
data = hexdump(data)
chop.prettyprnt(color, data)
tcp.discard(count)
def handleStream(tcp):
((src, sport), (dst, dport)) = parse_addr(tcp)
if tcp.server.count_new > 0:
data = tcp.server.data[:tcp.server.count_new]
count = tcp.server.count_new
direction = 'to_server'
color = "RED"
else:
data = tcp.client.data[:tcp.client.count_new]
count = tcp.client.count_new
direction = 'to_client'
color = "GREEN"
if tcp.module_data['verbose']:
chop.tsprettyprnt(
color, "%s:%s -> %s:%s %i bytes (H = %0.2f)" %
(src, sport, dst, dport, count, entropy(data)))
if tcp.module_data['oneshot']:
tcp.stream_data['data'] += data
if tcp.module_data['oneshot_split']:
tcp.stream_data[direction] += data
if tcp.module_data['oneshot'] or tcp.module_data['oneshot_split']:
return
if 'xor_key' in tcp.module_data:
data = multibyte_xor(data, tcp.module_data['xor_key'])
if tcp.module_data['hexdump']:
data = hexdump(data)
if module_data['base64']:
data = b64encode(data)
chop.prettyprnt(color, data)
chop.json({'payload': data, 'direction': direction})
tcp.discard(count)
def find_flag(data, tcp):
((src, sport), (dst, dport)) = parse_addr(tcp)
flag = ''
module_data = tcp.module_data
for i in range(tcp.module_data['wsize'] - 3):
compressed_len = struct.unpack('<I', data[i:i + 4])[0]
if compressed_len == len(data):
flag = data[:i]
i += 4
uncompressed_len = struct.unpack('<I', data[i:i + 4])[0]
i += 4
if module_data['verbose']:
chop.tsprnt("Gh0st found: %s:%i->%s:%i (%i)" % (src, sport, dst, dport, compressed_len))
chop.tsprnt("\tFlag: %s (0x%s)" % (flag, binascii.hexlify(flag)))
chop.tsprnt("\tUncompressed length: %i" % uncompressed_len)
zlib_hdr = struct.unpack('>H', data[i:i + 2])[0]
if zlib_hdr == 30876: # \x78\x9c
tcp.stream_data['zlib'] = True
if module_data['verbose']:
chop.tsprnt("\tzlib header found")
if len(data) == compressed_len:
msg = zlib.decompress(data[i:])
# Sanity check
if len(msg) != uncompressed_len:
chop.tsprnt("Uncompressed size mismatch.")
tcp.stop()
return None
else:
tcp.stream_data['zlib'] = False
if module_data['verbose']:
chop.tsprnt("\tno zlib header found")
msg = data[i:]
decode(msg, tcp)
break
return flag
def handleStream(tcp):
chopp = ChopProtocol('http')
((src, sport), (dst, dport)) = parse_addr(tcp)
tcp.stream_data['htpy_obj']['timestamp'] = tcp.timestamp
if tcp.server.count_new > 0:
if tcp.module_data['options']['verbose']:
chop.tsprnt("%s:%s->%s:%s (%i)" % (src, sport, dst, dport, tcp.server.count_new))
try:
tcp.stream_data['connparser'].req_data(tcp.server.data[:tcp.server.count_new])
except htpy.stop:
tcp.stop()
except htpy.error:
chop.prnt("Stream error in htpy.")
tcp.stop()
tcp.discard(tcp.server.count_new)
elif tcp.client.count_new > 0:
if tcp.module_data['options']['verbose']:
chop.tsprnt("%s:%s->%s:%s (%i)" % (src, sport, dst, dport, tcp.client.count_new))
try:
tcp.stream_data['connparser'].res_data(tcp.client.data[:tcp.client.count_new])
except htpy.stop:
tcp.stop()
except htpy.error:
chop.prnt("Stream error in htpy.")
tcp.stop()
tcp.discard(tcp.client.count_new)
if tcp.stream_data['htpy_obj']['ready']:
trans = tcp.stream_data['htpy_obj']['transaction']
chopp.setClientData(trans['request'])
chopp.setServerData(trans['response'])
chopp.setTimeStamp(trans['timestamp'])
chopp.setAddr(tcp.addr)
chopp.flowStart = tcp.stream_data['htpy_obj']['flowStart']
tcp.stream_data['htpy_obj']['ready'] = False
return chopp
return None
def find_flag(data, tcp):
((src, sport), (dst, dport)) = parse_addr(tcp)
flag = ''
for i in range(tcp.module_data['wsize'] - 3):
compressed_len = struct.unpack('<I', data[i:i + 4])[0]
if compressed_len == len(data):
flag = data[:i]
i += 4
uncompressed_len = struct.unpack('<I', data[i:i + 4])[0]
i += 4
if module_data['verbose']:
chop.tsprnt("Gh0st found: %s:%i->%s:%i (%i)" % (src, sport, dst, dport, compressed_len))
chop.tsprnt("\tFlag: %s (0x%s)" % (flag, binascii.hexlify(flag)))
chop.tsprnt("\tUncompressed length: %i" % uncompressed_len)
zlib_hdr = struct.unpack('>H', data[i:i + 2])[0]
if zlib_hdr == 30876: # \x78\x9c
tcp.stream_data['zlib'] = True
if module_data['verbose']:
chop.tsprnt("\tzlib header found")
if len(data) == compressed_len:
msg = zlib.decompress(data[i:])
# Sanity check
if len(msg) != uncompressed_len:
chop.tsprnt("Uncompressed size mismatch.")
tcp.stop()
return None
else:
tcp.stream_data['zlib'] = False
if module_data['verbose']:
chop.tsprnt("\tno zlib header found")
msg = data[i:]
decode(msg, tcp)
break
return flag
def handleStream(tcp):
((src, sport), (dst, dport)) = parse_addr(tcp)
if tcp.server.count_new > 0:
data = tcp.server.data[:tcp.server.count_new]
count = tcp.server.count_new
direction = 'to_server'
color = "RED"
else:
data = tcp.client.data[:tcp.client.count_new]
count = tcp.client.count_new
direction = 'to_client'
color = "GREEN"
if tcp.module_data['verbose']:
chop.tsprettyprnt(color, "%s:%s -> %s:%s %i bytes (H = %0.2f)" % (src, sport, dst, dport, count, entropy(data)))
if tcp.module_data['oneshot']:
tcp.stream_data['data'] += data
if tcp.module_data['oneshot_split']:
tcp.stream_data[direction] += data
if tcp.module_data['oneshot'] or tcp.module_data['oneshot_split']:
return
if 'xor_key' in tcp.module_data:
data = multibyte_xor(data, tcp.module_data['xor_key'])
if tcp.module_data['hexdump']:
data = hexdump(data)
if tcp.module_data['base64']:
data = b64encode(data)
chop.prettyprnt(color, data)
chop.json({'payload': data, 'direction': direction})
tcp.discard(count)
def handle_results(tcp):
"""Print and save results."""
((src, sport), (dst, dport)) = parse_addr(tcp)
# print results
for match in tcp.stream_data['server_processor'].results:
if not module_data['quiet']:
chop.tsprnt('Stream: Match found; %s:%s --> %s:%s' %
(src, sport, dst, dport))
chop.prnt(match)
# Save results
if tcp.module_data['save']:
output = 'Match found in server stream; src=%s; sport=%s; dst=%s; dport=%s\n' \
% (src, sport, dst, dport)
output += str(match) + '\n\n'
output += hexdump(tcp.stream_data['server_buffer']) + '\n'
chop.appendfile(tcp.module_data['save'], output)
chop.json(match)
tcp.stream_data['server_processor'].clear_results()
# print results
for match in tcp.stream_data['client_processor'].results:
if not module_data['quiet']:
chop.tsprnt('Stream: Match found; %s:%s --> %s:%s' %
(dst, dport, src, sport))
chop.tsprnt(match)
# Save results
if tcp.module_data['save']:
output = 'Match found in client stream; src=%s; sport=%s; dst=%s; dport=%s\n' \
% (dst, dport, src, sport)
output += str(match) + '\n\n'
output += hexdump(tcp.stream_data['client_buffer']) + '\n'
chop.appendfile(tcp.module_data['save'], output)
chop.json(match)
tcp.stream_data['client_processor'].clear_results()
def handleStream(tcp):
key = str(tcp.addr)
((src, sport), (dst, dport)) = parse_addr(tcp)
if tcp.module_data['isodate']:
timestamp = packet_isodate(tcp.timestamp)
else:
timestamp = packet_timedate(tcp.timestamp)
ps = tcp.module_data['pcap_summary']['data']
cs = tcp.module_data['streams'][key]['data']
if tcp.server.count_new > 0:
comm = {
'data_to': 'S',
'data_len': tcp.server.count_new,
'entropy': entropy(tcp.server.data[:tcp.server.count_new])
}
cs['comm_order'].append(comm)
cs['server_data_transfer'] += tcp.server.count_new
ps['total_data_transfer'] += tcp.server.count_new
tcp.discard(tcp.server.count_new)
else:
comm = {
'data_to': 'C',
'data_len': tcp.client.count_new,
'entropy': entropy(tcp.client.data[:tcp.client.count_new])
}
cs['comm_order'].append(comm)
cs['client_data_transfer'] += tcp.client.count_new
ps['total_data_transfer'] += tcp.client.count_new
tcp.discard(tcp.client.count_new)
cs['end_time'] = timestamp
cs['total_packets'] += 1
ps['total_packets'] += 1
ps['end_time'] = timestamp
return
def handleStream(tcp):
key = str(tcp.addr)
((src, sport), (dst, dport)) = parse_addr(tcp)
if tcp.module_data["isodate"]:
timestamp = packet_isodate(tcp.timestamp)
else:
timestamp = packet_timedate(tcp.timestamp)
ps = tcp.module_data["pcap_summary"]["data"]
cs = tcp.module_data["streams"][key]["data"]
if tcp.server.count_new > 0:
comm = {
"data_to": "S",
"data_len": tcp.server.count_new,
"entropy": entropy(tcp.server.data[: tcp.server.count_new]),
}
cs["comm_order"].append(comm)
cs["server_data_transfer"] += tcp.server.count_new
ps["total_data_transfer"] += tcp.server.count_new
tcp.discard(tcp.server.count_new)
else:
comm = {
"data_to": "C",
"data_len": tcp.client.count_new,
"entropy": entropy(tcp.client.data[: tcp.client.count_new]),
}
cs["comm_order"].append(comm)
cs["client_data_transfer"] += tcp.client.count_new
ps["total_data_transfer"] += tcp.client.count_new
tcp.discard(tcp.client.count_new)
cs["end_time"] = timestamp
cs["total_packets"] += 1
ps["total_packets"] += 1
ps["end_time"] = timestamp
return
def handle_results(tcp):
"""Print and save results."""
((src, sport), (dst, dport)) = parse_addr(tcp)
# print results
for match in tcp.stream_data['server_processor'].results:
if not module_data['quiet']:
chop.tsprnt('Stream: Match found; %s:%s --> %s:%s' % (src, sport, dst, dport))
chop.prnt(match)
# Save results
if tcp.module_data['save']:
output = 'Match found in server stream; src=%s; sport=%s; dst=%s; dport=%s\n' \
% (src, sport, dst, dport)
output += str(match) + '\n\n'
output += hexdump(tcp.stream_data['server_buffer']) + '\n'
chop.appendfile(tcp.module_data['save'], output)
chop.json(match)
tcp.stream_data['server_processor'].clear_results()
# print results
for match in tcp.stream_data['client_processor'].results:
if not module_data['quiet']:
chop.tsprnt('Stream: Match found; %s:%s --> %s:%s' % (dst, dport, src, sport))
chop.tsprnt(match)
# Save results
if tcp.module_data['save']:
output = 'Match found in client stream; src=%s; sport=%s; dst=%s; dport=%s\n' \
% (dst, dport, src, sport)
output += str(match) + '\n\n'
output += hexdump(tcp.stream_data['client_buffer']) + '\n'
chop.appendfile(tcp.module_data['save'], output)
chop.json(match)
tcp.stream_data['client_processor'].clear_results()
def handleStream(tcp):
# Make sure this is really SSL. Sadly we can't do this in taste()
# because there is no payload data available that early.
data = ''
((src, sport), (dst, dport)) = parse_addr(tcp)
server_dlen = tcp.server.count - tcp.server.offset
client_dlen = tcp.client.count - tcp.client.offset
# If we haven't identified this as SSL yet
if tcp.stream_data['ssl'] == False:
# Do we have enough data for checks?
if tcp.server.count_new > 0 and server_dlen > 7:
# Check if proxy CONNECT
if tcp.server.data[:8] == "CONNECT ":
if tcp.module_data['verbose']:
chop.tsprnt("%s:%i -> %s:%i (%i) - CONNECT (ignored)" %
(src, sport, dst, dport, server_dlen))
tcp.discard(server_dlen)
return
# Otherwise, prepare to check if SSL handshake
data = tcp.server.data[:3]
# Do we have enough data for checks?
elif tcp.client.count_new > 0 and client_dlen > 5:
# Check if proxy CONNECT response
if tcp.client.data[:6] == "HTTP/1":
if tcp.module_data['verbose']:
chop.tsprnt("%s:%i -> %s:%i (%i) - HTTP/1 (ignored)" %
(src, sport, dst, dport, client_dlen))
tcp.discard(client_dlen)
return
# Otherwise, prepare to check if SSL handshake
data = tcp.client.data[:3]
else:
# Need more data
return
# We have data, so check if it is SSL Handshake.
# There's probably more to this, but this is good enough for now.
if data in ('\x16\x03\x00', '\x16\x03\x01', '\x16\x03\x02',
'\x16\x03\x03'):
tcp.stream_data['ssl'] = True
tcp.stream_data['chopp'] = sslimChopProtocol()
tcp.module_data['sslim'].callback_obj = tcp.stream_data['chopp']
else:
if tcp.module_data['verbose']:
chop.tsprnt("%s:%i -> %s:%i: Stopping, not really SSL!" %
(src, sport, dst, dport))
tcp.module_data['sslim'].done(tcp.addr)
tcp.stop()
return
# Always clear out any existing data.
tcp.stream_data['chopp'].clientData = ''
tcp.stream_data['chopp'].serverData = ''
tcp.stream_data['chopp'].metadata = []
# We have identified this connection as SSL, so just process the packets
if tcp.server.count_new > 0:
if tcp.module_data['verbose']:
chop.tsprnt("%s:%s -> %s:%s (%i)" %
(src, sport, dst, dport,
len(tcp.server.data[:tcp.server.count_new])))
try:
tcp.module_data['sslim'].parse_to_server(
tcp.server.data[:tcp.server.count_new], tcp.addr)
except sslimException as e:
if tcp.module_data['verbose']:
chop.prnt(e)
tcp.module_data['sslim'].done(tcp.addr)
tcp.stop()
return
tcp.discard(tcp.server.count_new)
if tcp.client.count_new > 0:
if tcp.module_data['verbose']:
chop.tsprnt("%s:%s -> %s:%s (%i)" %
(src, sport, dst, dport,
len(tcp.client.data[:tcp.client.count_new])))
try:
tcp.module_data['sslim'].parse_to_client(
tcp.client.data[:tcp.client.count_new], tcp.addr)
except sslimException as e:
if tcp.module_data['verbose']:
chop.prnt(e)
tcp.module_data['sslim'].done(tcp.addr)
tcp.stop()
return
tcp.discard(tcp.client.count_new)
if (tcp.stream_data['chopp'].clientData
or tcp.stream_data['chopp'].serverData
or tcp.stream_data['chopp'].metadata):
return tcp.stream_data['chopp']
return
def handleStream(tcp):
# Make sure this is really SSL. Sadly we can't do this in taste()
# because there is no payload data available that early.
data = ''
((src, sport), (dst, dport)) = parse_addr(tcp)
server_dlen = tcp.server.count - tcp.server.offset
client_dlen = tcp.client.count - tcp.client.offset
# If we haven't identified this as SSL yet
if tcp.stream_data['ssl'] == False:
# Do we have enough data for checks?
if tcp.server.count_new > 0 and server_dlen > 7:
# Check if proxy CONNECT
if tcp.server.data[:8] == "CONNECT ":
if tcp.module_data['verbose']:
chop.tsprnt("%s:%i -> %s:%i (%i) - CONNECT (ignored)" % (src, sport, dst, dport, server_dlen))
tcp.discard(server_dlen)
return
# Otherwise, prepare to check if SSL handshake
data = tcp.server.data[:3]
# Do we have enough data for checks?
elif tcp.client.count_new > 0 and client_dlen > 5:
# Check if proxy CONNECT response
if tcp.client.data[:6] == "HTTP/1":
if tcp.module_data['verbose']:
chop.tsprnt("%s:%i -> %s:%i (%i) - HTTP/1 (ignored)" % (src, sport, dst, dport, client_dlen))
tcp.discard(client_dlen)
return
# Otherwise, prepare to check if SSL handshake
data = tcp.client.data[:3]
else:
# Need more data
return
# We have data, so check if it is SSL Handshake.
# There's probably more to this, but this is good enough for now.
if data in ('\x16\x03\x00', '\x16\x03\x01', '\x16\x03\x02', '\x16\x03\x03'):
tcp.stream_data['ssl'] = True
tcp.stream_data['chopp'] = ChopProtocol('sslim')
tcp.module_data['sslim'].callback_obj = tcp.stream_data['chopp']
else:
if tcp.module_data['verbose']:
chop.tsprnt("%s:%i -> %s:%i: Stopping collection, not really SSL!" % (src, sport, dst, dport))
tcp.module_data['sslim'].done(tcp.addr)
tcp.stop()
return
# Always clear out any existing data.
tcp.stream_data['chopp'].clientData = ''
tcp.stream_data['chopp'].serverData = ''
# We have identified this connection as SSL, so just process the packets
if tcp.server.count_new > 0:
if tcp.module_data['verbose']:
chop.tsprnt("%s:%s -> %s:%s (%i)" % (src, sport, dst, dport, len(tcp.server.data[:tcp.server.count_new])))
try:
tcp.module_data['sslim'].parse_to_server(tcp.server.data[:tcp.server.count_new], tcp.addr)
except sslimException as e:
if tcp.module_data['verbose']:
chop.prnt(e)
tcp.module_data['sslim'].done(tcp.addr)
tcp.stop()
return
tcp.discard(tcp.server.count_new)
if tcp.client.count_new > 0:
if tcp.module_data['verbose']:
chop.tsprnt("%s:%s -> %s:%s (%i)" % (src, sport, dst, dport, len(tcp.client.data[:tcp.client.count_new])))
try:
tcp.module_data['sslim'].parse_to_client(tcp.client.data[:tcp.client.count_new], tcp.addr)
except sslimException as e:
if tcp.module_data['verbose']:
chop.prnt(e)
tcp.module_data['sslim'].done(tcp.addr)
tcp.stop()
return
tcp.discard(tcp.client.count_new)
if tcp.stream_data['chopp'].clientData or tcp.stream_data['chopp'].serverData:
return tcp.stream_data['chopp']
return
def handleStream(tcp):
"""
Analyze payloads with Yara.
handleStream behaves differently based upon processing mode.
If mode is set to 'packet', each packet's payload is individually analyzed
with yara. If mode is set to 'fixed_buffer' or 'sliding_window', packet
payloads are appended to the analysis buffer. The 'session' mode is not
handled inside of handleStream.
"""
((src, sport), (dst, dport)) = parse_addr(tcp)
# Check for new packets received by the server
if tcp.server.count_new:
tcp.stream_data['server_buffer'] += tcp.server.data[:tcp.server.
count_new]
if tcp.module_data['verbose']:
chop.tsprettyprnt(
"RED", "%s:%s -> %s:%s %i bytes" %
(src, sport, dst, dport, tcp.server.count_new))
if tcp.module_data['mode'] == 'packet':
tcp.stream_data[
'server_processor'].data = tcp.server.data[:tcp.server.
count_new]
results = tcp.stream_data['server_processor'].analyze()
tcp.stream_data['server_results'] += results
elif tcp.module_data['mode'] in ['fixed_buffer', 'sliding_window']:
tcp.stream_data[
'server_processor'].data += tcp.server.data[:tcp.server.
count_new]
# Check for new packets received by the client
if tcp.client.count_new:
tcp.stream_data['client_buffer'] += tcp.client.data[:tcp.client.
count_new]
if tcp.module_data['verbose']:
chop.tsprettyprnt(
"RED", "%s:%s -> %s:%s %i bytes" %
(dst, dport, src, sport, tcp.client.count_new))
if tcp.module_data['mode'] == 'packet':
tcp.stream_data[
'client_processor'].data = tcp.client.data[:tcp.client.
count_new]
results = tcp.stream_data['client_processor'].analyze()
tcp.stream_data['client_results'] += results
elif tcp.module_data['mode'] in ['fixed_buffer', 'sliding_window']:
tcp.stream_data[
'client_processor'].data += tcp.client.data[:tcp.client.
count_new]
# if we are analyzing whole sessions, discard 0 bytes
if tcp.module_data['mode'] == 'session':
tcp.discard(0)
# Handle printing and optionally saving results to file
handle_results(tcp)
def _stream_ended_(frame, direction, tcp):
hash_fn = tcp.module_data['options']['hash_fn']
transaction = {
'timestamp': tcp.stream_data['stream_cache'][frame.stream_id]['start'],
'request': {
'truncated': False, #TODO support this
'body': None,
'body_len': 0,
'body_hash': '',
'hash_fn': hash_fn,
'protocol': '2'
},
'response': {
'truncated': False,
'body': None,
'body_len': 0,
'body_hash': '',
'hash_fn': hash_fn,
}
}
if tcp.stream_data['stream_cache'][frame.stream_id][direction][
'stream_ended'] and tcp.stream_data['stream_cache'][
frame.stream_id][_opposite_direction_(
direction)]['stream_ended']:
#chop.prnt("Stream: %d" % (frame.stream_id))
for d in ['request', 'response']:
headers = copy.deepcopy(
tcp.stream_data['stream_cache'][frame.stream_id][d]['headers'])
if d == 'request':
headers[':stream_id'] = frame.stream_id
method = headers.get(':method', None)
path = headers.get(':path', None)
if ':method' in headers:
del headers[':method']
if ':path' in headers:
del headers[':path']
transaction[d]['method'] = method
transaction[d]['uri'] = path
else:
status = headers.get(':status', None)
if ':status' in headers:
del headers[':status']
transaction[d]['status'] = status
transaction[d]['headers'] = headers
#chop.prnt("\tHeaders: %s" % (headers))
if tcp.stream_data['stream_cache'][
frame.stream_id][d]['data'] is not None:
content_encoding = headers.get('content-encoding', None)
mimetype = headers.get('content-type', None)
if mimetype is not None:
mimetype = mimetype.split(';', 1)[0]
content_disposition = headers.get('content-disposition', None)
if content_encoding == 'gzip':
try:
dataStream = BytesIO(tcp.stream_data['stream_cache'][
frame.stream_id][d]['data'])
gdata = gzip.GzipFile(fileobj=dataStream, mode='rb')
data = gdata.read()
except Exception as e:
chop.prnt("Warning: Unable to gzip file")
data = tcp.stream_data['stream_cache'][
frame.stream_id][d]['data']
else:
data = tcp.stream_data['stream_cache'][
frame.stream_id][d]['data']
if mimetype is None:
try:
import magic
except ImportError:
pass
else:
try:
mimetype = magic.from_buffer(data, mime=True)
except Exception as e:
chop.prnt(
"Warning: Unable to get mime type of file: %s"
% (str(e)))
filename = 'noname'
if d == 'response':
if content_disposition is None:
if transaction['request']['uri'] is not None:
raw_path = transaction['request']['uri']
raw_path = raw_path.split('?', 1)[0]
path_parts = os.path.split(raw_path)
outPath = None
while (len(path_parts) > 0):
if path_parts[-1] == '':
path_parts = path_parts[:-1]
continue
else:
outPath = os.path.basename(path_parts[-1])
break
if outPath is None or outPath == '':
outPath = 'index'
filename = sanitize_filename(outPath)
else:
filename = sanitize_filename(content_disposition)
#chop.prnt("\tData Name: %s, Length: %d, Type: %s" % (filename, len(data), mimetype))
((src, sport), (dst, dport)) = parse_addr(tcp)
chop.savefile(
"%d-%s-%d-%s-%d-%d-%s" %
(tcp.timestamp, src, sport, dst, dport, frame.stream_id,
filename), data)
transaction[d]['body'] = data
transaction[d]['body_len'] = len(data)
transaction[d]['body_hash'] = __hash_function__(
data).hexdigest()
#chop.prnt("\n")
#chop.prnt('\n')
del tcp.stream_data['stream_cache'][frame.stream_id]
#chop.prnt(tcp.stream_data['stream_cache'].keys())
#chop.prnt(json.dumps(transaction, indent=4))
chopp = ChopProtocol('http')
chopp.setClientData(transaction['request'])
chopp.setServerData(transaction['response'])
chopp.setTimeStamp(transaction['timestamp'])
chopp.setAddr(tcp.addr)
chopp.flowStart = tcp.stream_data['flowStart']
return chopp
else:
return None
def handleStream(tcp):
((src, sport), (dst, dport)) = parse_addr(tcp)
data = None
discard = 0
new = 0
direction = None
completeStreams = []
if tcp.server.count_new > 0:
direction = 'request'
#chop.prnt(hexdump.hexdump(tcp.server.data[:tcp.server.count_new], result='return'))
if not tcp.stream_data['stream_started']: # Check for preface/magic
if tcp.server.count_new >= len(PREFACE):
if tcp.server.data[:tcp.server.count_new][:24] == PREFACE:
tcp.stream_data['stream_started'] = True
if tcp.module_data['options']['verbose']:
chop.tsprnt("New session: %s:%s->%s:%s" %
(src, sport, dst, dport))
data = tcp.server.data[24:tcp.server.count_new]
discard += 24
else:
tcp.stream_data['client_count'] += 1
if tcp.stream_data['client_count'] < 3 and tcp.module_data[
'options']['forgiving']:
tcp.discard(tcp.server.count_new)
return
else:
tcp.stop()
return
if tcp.stream_data['stream_started']:
if data is None:
data = tcp.server.data[:tcp.server.count - tcp.server.offset]
elif tcp.client.count_new > 0:
direction = 'response'
#chop.prnt(hexdump.hexdump(tcp.stream_data['buffer'], result='return'))
#chop.prnt(tcp.client.offset, tcp.client.count, tcp.client.count_new)
if tcp.stream_data['stream_started']:
if data is None:
data = tcp.client.data[:tcp.client.count - tcp.client.offset]
elif tcp.module_data['options']['forgiving']:
tcp.discard(tcp.client.count_new)
return
else:
return
if tcp.stream_data['stream_started']:
try:
for (frame, ddiscard) in _process_frames_(
data, tcp.stream_data['hpack_client_decoder'] if direction
== 'request' else tcp.stream_data['hpack_server_decoder']):
#chop.prnt("%s\tType: %s, Stream: %d, Length: %d, Flags: %x" % ('==>' if direction == 'request' else '<==', frame.header.frame_type, frame.header.stream_id, frame.header.length, frame.header.flags))
discard += ddiscard
if False and isinstance(frame, HTTP2_RST_Frame):
try:
del tcp.stream_data['stream_cache'][frame.stream_id]
except:
pass
else:
_process_frame_(frame, direction, tcp)
try:
if frame.end_stream:
tcp.stream_data['stream_cache'][frame.stream_id][
direction]['stream_ended'] = True
chopp = _stream_ended_(frame, direction, tcp)
if chopp is not None:
completeStreams.append(chopp)
except AttributeError:
pass
except FrameIncompleteError as e:
tcp.discard(discard)
return
except Exception as e:
chop.prnt(traceback.format_exc())
raise
#chop.prnt("Discarding %d bytes (new %d) " % (discard, new))
tcp.discard(discard)
if len(completeStreams) > 0:
return completeStreams
else:
return None
