def get_table(args, seed=0, use_base64=True): cid = communityid.CommunityID(seed=seed, use_base64=use_base64) detail = '(defaults)' if seed != 0 or not use_base64: word = 'w/' if use_base64 else 'w/o' detail = '(seed=%d, %s base64)' % (seed, word) headers = [ 'Proto name', 'Proto number', 'Src address', 'Dst address', 'Src port', 'Dst port', 'Community ID %s' % detail, 'Comment' ] table = [] for a in args: tpl = communityid.FlowTuple(a.p, a.saddr, a.daddr, a.sport, a.dport) table.append([ a.pname, a.p, a.saddr, a.daddr, v2s(a.sport), v2s(a.dport), cid.calc(tpl), a.comment ]) return headers, table
def main(): parser = argparse.ArgumentParser(description='Community ID pcap processor') parser.add_argument('pcaps', metavar='PCAP', nargs='+', help='PCAP packet capture files') parser.add_argument('--seed', type=int, default=0, metavar='NUM', help='Seed value for hash operations') parser.add_argument('--no-base64', action='store_true', default=False, help="Don't base64-encode the SHA1 binary value") args = parser.parse_args() commid = communityid.CommunityID(args.seed, not args.no_base64) GoodPackets = 0 BadPackets = 0 for pcap in args.pcaps: print("Processing: ", pcap) itr = PcapIterator(commid, pcap) itr.process() print( f'Good packets: {itr.GoodPackets}, Bad packets: {itr.BadPackets}') tflows = len(ActualFlows) print(f'Total flows generated {tflows}') bf.printHeaders() for k, Flow in ActualFlows.items(): bf.printFlow(Flow) return 0
def generate_community_id(src_ip, src_port, dest_ip, dest_port, protocol) -> str(): """ Input: source IP address, source port, destination IP address, destination port, protocol Output: CommunityID in string format """ cid = communityid.CommunityID() tpl = None if protocol == "tcp": tpl = communityid.FlowTuple.make_tcp(src_ip, dest_ip, src_port, dest_port) if protocol == "udp": tpl = communityid.FlowTuple.make_udp(src_ip, dest_ip, src_port, dest_port) return cid.calc(tpl)
def generate_community_id(src_ip, src_port, dest_ip, dest_port, protocol): # Init CommunityID object cid = communityid.CommunityID() community_id = str() # Calculate community ID # Protocol # TCP: 6 # UDP: 17 # https://en.wikipedia.org/wiki/IPv4 if protocol == "tcp": tpl = communityid.FlowTuple.make_tcp(src_ip, dest_ip, src_port, dest_port) community_id = cid.calc(tpl) elif protocol == "udp": tpl = communityid.FlowTuple.make_udp(src_ip, dest_ip, src_port, dest_port) community_id = cid.calc(tpl) else: community_id = "Protocol not supported" return community_id
def main(): parser = argparse.ArgumentParser(description='genLabels for communityid') parser.add_argument('txtfiles', metavar='TXTFILES', nargs='+', help='Text files from zeek') parser.add_argument('--seed', type=int, default=0, metavar='NUM', help='Seed value for hash operations') parser.add_argument('--no-base64', action='store_true', default=False, help="Don't base64-encode the SHA1 binary value") args = parser.parse_args() commid = communityid.CommunityID(args.seed, not args.no_base64) for txtfile in args.txtfiles: processfile(commid, txtfile) return 0
def setUp(self): self.cids = [ communityid.CommunityID(), communityid.CommunityID(use_base64=False), communityid.CommunityID(seed=1), ]
def generate(self, context): """ Input: Context contains all the query values passed to Osquery Output: Returns a list which contains a dictonary which contains all the values passed in by context and the calculated CommunityID hash for the network connection """ # Convvert context string into a dicotnary with JSON module query_data = [] temp = json.loads(context.replace("'", "\"")) context_dict = json.loads(temp) # Extract values from dictonary src_ip = dst_ip = str() src_port = dst_port = protocol= int() for constraint in context_dict['constraints']: if constraint['name'] == 'src_ip' and len(constraint['list']) > 0: src_ip = constraint['list'][0]['expr'] elif constraint['name'] == 'src_port' and len(constraint['list']) > 0: src_port = int(constraint['list'][0]['expr']) elif constraint['name'] == 'dst_ip' and len(constraint['list']) > 0: dst_ip = constraint['list'][0]['expr'] elif constraint['name'] == 'dst_port' and len(constraint['list']) > 0: dst_port = int(constraint['list'][0]['expr']) elif constraint['name'] == 'protocol' and len(constraint['list']) > 0: protocol = int(constraint['list'][0]['expr']) else: continue # Init CommunityID object cid = communityid.CommunityID() community_id = str() # Calculate community ID # Protocol # TCP: 6 # UDP: 17 # https://en.wikipedia.org/wiki/IPv4 if protocol == 6: tpl = communityid.FlowTuple.make_tcp(src_ip, dst_ip, src_port, dst_port) community_id = cid.calc(tpl) elif protocol == 17: tpl = communityid.FlowTuple.make_udp(src_ip, dst_ip, src_port, dst_port) community_id = cid.calc(tpl) else: print ( f"[-] - {datetime.now()} - Protocol not supported - \ src_ip: {src_ip} - \ src_port:{src_port} - \ dst_ip: {dst_ip} - \ dst_port:{dst_port} - \ Protocol: {protocol}" ) # Render table row = { "src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip, "dst_port": dst_port, "protocol": protocol, "community_id": community_id, } query_data.append(row) return query_data