def get_table(args, seed=0, use_base64=True):
cid = communityid.CommunityID(seed=seed, use_base64=use_base64)
detail = '(defaults)'
if seed != 0 or not use_base64:
word = 'w/' if use_base64 else 'w/o'
detail = '(seed=%d, %s base64)' % (seed, word)
headers = [
'Proto name', 'Proto number', 'Src address', 'Dst address', 'Src port',
'Dst port',
'Community ID %s' % detail, 'Comment'
]
table = []
for a in args:
tpl = communityid.FlowTuple(a.p, a.saddr, a.daddr, a.sport, a.dport)
table.append([
a.pname, a.p, a.saddr, a.daddr,
v2s(a.sport),
v2s(a.dport),
cid.calc(tpl), a.comment
])
return headers, table
def main():
parser = argparse.ArgumentParser(description='Community ID pcap processor')
parser.add_argument('pcaps',
metavar='PCAP',
nargs='+',
help='PCAP packet capture files')
parser.add_argument('--seed',
type=int,
default=0,
metavar='NUM',
help='Seed value for hash operations')
parser.add_argument('--no-base64',
action='store_true',
default=False,
help="Don't base64-encode the SHA1 binary value")
args = parser.parse_args()
commid = communityid.CommunityID(args.seed, not args.no_base64)
GoodPackets = 0
BadPackets = 0
for pcap in args.pcaps:
print("Processing: ", pcap)
itr = PcapIterator(commid, pcap)
itr.process()
print(
f'Good packets: {itr.GoodPackets}, Bad packets: {itr.BadPackets}')
tflows = len(ActualFlows)
print(f'Total flows generated {tflows}')
bf.printHeaders()
for k, Flow in ActualFlows.items():
bf.printFlow(Flow)
return 0
def generate_community_id(src_ip, src_port, dest_ip, dest_port,
protocol) -> str():
"""
Input: source IP address, source port, destination IP address, destination port, protocol
Output: CommunityID in string format
"""
cid = communityid.CommunityID()
tpl = None
if protocol == "tcp":
tpl = communityid.FlowTuple.make_tcp(src_ip, dest_ip, src_port,
dest_port)
if protocol == "udp":
tpl = communityid.FlowTuple.make_udp(src_ip, dest_ip, src_port,
dest_port)
return cid.calc(tpl)
def generate_community_id(src_ip, src_port, dest_ip, dest_port, protocol):
# Init CommunityID object
cid = communityid.CommunityID()
community_id = str()
# Calculate community ID
# Protocol
# TCP: 6
# UDP: 17
# https://en.wikipedia.org/wiki/IPv4
if protocol == "tcp":
tpl = communityid.FlowTuple.make_tcp(src_ip, dest_ip, src_port,
dest_port)
community_id = cid.calc(tpl)
elif protocol == "udp":
tpl = communityid.FlowTuple.make_udp(src_ip, dest_ip, src_port,
dest_port)
community_id = cid.calc(tpl)
else:
community_id = "Protocol not supported"
return community_id
def main():
parser = argparse.ArgumentParser(description='genLabels for communityid')
parser.add_argument('txtfiles',
metavar='TXTFILES',
nargs='+',
help='Text files from zeek')
parser.add_argument('--seed',
type=int,
default=0,
metavar='NUM',
help='Seed value for hash operations')
parser.add_argument('--no-base64',
action='store_true',
default=False,
help="Don't base64-encode the SHA1 binary value")
args = parser.parse_args()
commid = communityid.CommunityID(args.seed, not args.no_base64)
for txtfile in args.txtfiles:
processfile(commid, txtfile)
return 0
def setUp(self):
self.cids = [
communityid.CommunityID(),
communityid.CommunityID(use_base64=False),
communityid.CommunityID(seed=1),
]
def generate(self, context):
"""
Input: Context contains all the query values passed to Osquery
Output: Returns a list which contains a dictonary which contains all
the values passed in by context and the calculated CommunityID hash
for the network connection
"""
# Convvert context string into a dicotnary with JSON module
query_data = []
temp = json.loads(context.replace("'", "\""))
context_dict = json.loads(temp)
# Extract values from dictonary
src_ip = dst_ip = str()
src_port = dst_port = protocol= int()
for constraint in context_dict['constraints']:
if constraint['name'] == 'src_ip' and len(constraint['list']) > 0:
src_ip = constraint['list'][0]['expr']
elif constraint['name'] == 'src_port' and len(constraint['list']) > 0:
src_port = int(constraint['list'][0]['expr'])
elif constraint['name'] == 'dst_ip' and len(constraint['list']) > 0:
dst_ip = constraint['list'][0]['expr']
elif constraint['name'] == 'dst_port' and len(constraint['list']) > 0:
dst_port = int(constraint['list'][0]['expr'])
elif constraint['name'] == 'protocol' and len(constraint['list']) > 0:
protocol = int(constraint['list'][0]['expr'])
else:
continue
# Init CommunityID object
cid = communityid.CommunityID()
community_id = str()
# Calculate community ID
# Protocol
# TCP: 6
# UDP: 17
# https://en.wikipedia.org/wiki/IPv4
if protocol == 6:
tpl = communityid.FlowTuple.make_tcp(src_ip, dst_ip, src_port, dst_port)
community_id = cid.calc(tpl)
elif protocol == 17:
tpl = communityid.FlowTuple.make_udp(src_ip, dst_ip, src_port, dst_port)
community_id = cid.calc(tpl)
else:
print ( f"[-] - {datetime.now()} - Protocol not supported - \
src_ip: {src_ip} - \
src_port:{src_port} - \
dst_ip: {dst_ip} - \
dst_port:{dst_port} - \
Protocol: {protocol}" )
# Render table
row = {
"src_ip": src_ip,
"src_port": src_port,
"dst_ip": dst_ip,
"dst_port": dst_port,
"protocol": protocol,
"community_id": community_id,
}
query_data.append(row)
return query_data