def test8(self):
""" Test the functionality of make graphs of regex, for complex detecctions """
rmbase = pyaiengine.RegexManager()
rm2 = pyaiengine.RegexManager()
r1 = pyaiengine.Regex("r1", b"^(No hacker should visit Las Vegas).*$")
rmbase.add_regex(r1)
r1.next_regex_manager = rm2
r2 = pyaiengine.Regex("r2", b"(this can not match)")
r3 = pyaiengine.Regex("r3", b"^\x90\x90\x90\x90.*$")
rm2.add_regex(r2)
rm2.add_regex(r3)
self.s.tcp_regex_manager = rmbase
with pyaiengine.PacketDispatcher(
"../pcapfiles/generic_exploit_ipv6_defcon20.pcap") as pd:
pd.stack = self.s
pd.run()
self.assertEqual(r1.matchs, 1)
self.assertEqual(r2.matchs, 0)
self.assertEqual(r3.matchs, 1)
def loadRegexFromSnort():
dm_tcp = pyaiengine.RegexManager()
dm_udp = pyaiengine.RegexManager()
# Parse the file with the snort rules
f = open("community.rules","r")
lines = f.readlines()
for line in lines:
if (line.startswith("#")):
continue
if (line.startswith("alert tcp")):
name,pcre = parseSnortLine(line)
if (pcre != None):
try:
r = pyaiengine.Regex(name,pcre)
r.callback = callback
dm_tcp.add_regex(r)
except:
print("Can not add %s %s" % (name, pcre))
elif (line.startswith("alert udp")):
name,pcre = parseSnortLine(line)
if (pcre != None):
try:
r = pyaiengine.Regex(name,pcre)
r.callback = callback
dm_udp.add_regex(r)
except:
print("Can not add %s %s" % (name, pcre))
f.close()
return dm_tcp, dm_udp
def test20(self):
""" Test the chains of regex with RegexManagers """
rlist = [
pyaiengine.Regex("expression %d" % x, "some regex %d" % x)
for x in xrange(0, 5)
]
rmbase = pyaiengine.RegexManager()
rm1 = pyaiengine.RegexManager()
rm2 = pyaiengine.RegexManager()
rm3 = pyaiengine.RegexManager()
[rmbase.add_regex(r) for r in rlist]
r1 = pyaiengine.Regex("smtp1", "^AUTH LOGIN")
r1.next_regex_manager = rm1
rmbase.add_regex(r1)
r2 = pyaiengine.Regex("smtp2", "^NO MATCHS")
r3 = pyaiengine.Regex("smtp3", "^MAIL FROM")
rm1.add_regex(r2)
rm1.add_regex(r3)
r3.next_regex_manager = rm2
r4 = pyaiengine.Regex("smtp4", "^NO MATCHS")
r5 = pyaiengine.Regex("smtp5", "^DATA")
rm2.add_regex(r4)
rm2.add_regex(r5)
r5.next_regex_manager = rm3
r6 = pyaiengine.Regex("smtp6", "^QUIT")
rm3.add_regex(r6)
self.s.tcp_regex_manager = rmbase
self.s.enable_nids_engine = True
with pyaiengine.PacketDispatcher("../pcapfiles/smtp.pcap") as pd:
pd.stack = self.s
pd.run()
for r in rlist:
self.assertEqual(r.matchs, 0)
self.assertEqual(r1.matchs, 1)
self.assertEqual(r2.matchs, 0)
self.assertEqual(r3.matchs, 1)
self.assertEqual(r4.matchs, 0)
self.assertEqual(r5.matchs, 1)
self.assertEqual(r6.matchs, 1)
def test11(self):
""" Verify iterators of the RegexManager """
rl = [
pyaiengine.Regex("expression %d" % x, "some regex %d" % x)
for x in xrange(0, 5)
]
rm = pyaiengine.RegexManager()
[rm.add_regex(r) for r in rl]
self.assertEqual(self.s.tcp_regex_manager, None)
self.s.tcp_regex_manager = rm
self.s.enable_nids_engine = True
self.dis.open("../pcapfiles/sslflow.pcap")
self.dis.run()
self.dis.close()
self.assertEqual(len(rm), 5)
self.assertEqual(rm, self.s.tcp_regex_manager)
for r in rl:
self.assertEqual(r.matchs, 0)
def test3(self):
""" Create a regex for a generic exploit and a IPSet with no matching"""
def ipset_callback(flow):
self.called_callback += 1
ipset = pyaiengine.IPSet()
ipset.add_ip_address("dc20:c7f:2012:11::22")
ipset.add_ip_address("dc20:c7f:2012:11::1")
ipset.callback = ipset_callback
im = pyaiengine.IPSetManager()
im.add_ip_set(ipset)
self.s.tcp_ip_set_manager = im
rm = pyaiengine.RegexManager()
r1 = pyaiengine.Regex("generic exploit",
"\xaa\xbb\xcc\xdd\x90\x90\x90")
rm.add_regex(r1)
r2 = pyaiengine.Regex("other exploit", "(this can not match)")
rm.add_regex(r2)
self.s.tcp_regex_manager = rm
self.dis.open("../pcapfiles/generic_exploit_ipv6_defcon20.pcap")
self.dis.run()
self.dis.close()
self.assertEqual(r1.matchs, 0)
self.assertEqual(r2.matchs, 0)
self.assertEqual(self.called_callback, 0)
def loadSignaturesForTcp():
""" Load the signatures from source, Snort, Suricata, etc. """
sm = pyaiengine.RegexManager()
sig = pyaiengine.Regex("Shellcode Generic Exploit",
"\x90\x90\x90\x90\x90\x90\x90\x90\x90")
""" Sets a specific callback to the signature created """
sig.callback = callback_drop_packets
sm.add_regex(sig)
return sm
def test9(self):
""" Another test for the functionality of make graphs of regex, for complex detecctions """
rm1 = pyaiengine.RegexManager()
rm2 = pyaiengine.RegexManager()
rm3 = pyaiengine.RegexManager()
r1 = pyaiengine.Regex("r1", b"^(No hacker should visit Las Vegas).*$")
r1.next_regex_manager = rm2
rm1.add_regex(r1)
r2 = pyaiengine.Regex("r2", b"(this can not match)")
r3 = pyaiengine.Regex("r3", b"^\x90\x90\x90\x90.*$")
rm2.add_regex(r2)
rm2.add_regex(r3)
r3.next_regex_manager = rm3
r4 = pyaiengine.Regex("r4", b"^Upgrade.*$")
r5 = pyaiengine.Regex("r5", b"(this can not match)")
rm3.add_regex(r4)
rm3.add_regex(r5)
self.s.tcp_regex_manager = rm1
oldstack = None
with pyaiengine.PacketDispatcher(
"../pcapfiles/generic_exploit_ipv6_defcon20.pcap") as pd:
pd.stack = self.s
pd.run()
oldstack = self.s
self.assertEqual(self.s, oldstack)
self.assertEqual(r1.matchs, 1)
self.assertEqual(r2.matchs, 0)
self.assertEqual(r3.matchs, 1)
self.assertEqual(r4.matchs, 1)
def test1(self):
""" Create a regex for a detect the flow on a openflow network """
rm = pyaiengine.RegexManager()
r = pyaiengine.Regex("Bin directory", b"^\x26\x01")
rm.add_regex(r)
self.s.tcp_regex_manager = rm
self.dis.open("../pcapfiles/openflow.pcap")
self.dis.run()
self.dis.close()
self.assertEqual(r.matchs, 1)
def test1(self):
""" Create a regex for a detect the flow on a virtual network """
rm = pyaiengine.RegexManager()
r = pyaiengine.Regex("Bin directory", "^bin$")
rm.add_regex(r)
self.s.tcp_regex_manager = rm
self.dis.open("../pcapfiles/vxlan_ftp.pcap")
self.dis.run()
self.dis.close()
self.assertEqual(r.matchs, 1)
def test2(self):
""" Test the with statement of the PacketDispatcher """
rm = pyaiengine.RegexManager()
r = pyaiengine.Regex("Bin directory", b"^\x26\x01")
rm.add_regex(r)
self.s.tcp_regex_manager = rm
with pyaiengine.PacketDispatcher("../pcapfiles/openflow.pcap") as pd:
pd.stack = self.s
pd.run()
self.assertEqual(r.matchs, 1)
def test1(self):
""" Create a regex for a generic exploit """
rm = pyaiengine.RegexManager()
r = pyaiengine.Regex("generic exploit",
b"\x90\x90\x90\x90\x90\x90\x90")
rm.add_regex(r)
self.s.tcp_regex_manager = rm
self.dis.open("../pcapfiles/generic_exploit_ipv6_defcon20.pcap")
self.dis.run()
self.dis.close()
self.assertEqual(r.matchs, 1)
def test1(self):
""" Create a regex for netbios and detect """
self.s.link_layer_tag = "vlan"
rm = pyaiengine.RegexManager()
r = pyaiengine.Regex("netbios", "CACACACA")
rm.add_regex(r)
self.s.udp_regex_manager = rm
self.dis.open("../pcapfiles/flow_vlan_netbios.pcap")
self.dis.run()
self.dis.close()
self.assertEqual(r.matchs, 1)
self.assertEqual(self.s.udp_regex_manager, rm)
self.assertEqual(self.s.link_layer_tag, "vlan")
def test2(self):
""" Verify that None is working on the udpregexmanager """
self.s.link_layer_tag = "vlan"
rm = pyaiengine.RegexManager()
r = pyaiengine.Regex("netbios", "CACACACA")
rm.add_regex(r)
self.s.udp_regex_manager = rm
self.s.udp_regex_manager = None
self.dis.open("../pcapfiles/flow_vlan_netbios.pcap")
self.dis.run()
self.dis.close()
self.assertEqual(r.matchs, 0)
self.assertEqual(self.s.udp_regex_manager, None)
def test2(self):
""" Create a regex for a detect the flow on a virtual network on the GRE side """
rm = pyaiengine.RegexManager()
r = pyaiengine.Regex("Bin directory", b"^SSH-2.0.*$")
rm.add_regex(r)
self.s.tcp_regex_manager = rm
self.dis.open("../pcapfiles/gre_ssh.pcap")
self.dis.run()
self.dis.close()
self.assertEqual(r.matchs, 1)
self.assertEqual(len(self.s.tcp_flow_manager), 1)
self.assertEqual(len(self.s.udp_flow_manager), 0)
def test26(self):
""" Verify the functionatliy of the RegexManager on the HTTP Protocol for analise
inside the l7 payload of HTTP """
def callback_domain(flow):
self.called_callback += 1
pass
def callback_regex(flow):
self.called_callback += 1
self.assertEqual(flow.packets, 11)
self.assertEqual(flow.packets_layer7, 4)
d = pyaiengine.DomainName("Wired domain", ".wired.com")
rm = pyaiengine.RegexManager()
r1 = pyaiengine.Regex("Regex for analysing the content of HTTP",
b"^\x1f\x8b\x08\x00\x00\x00\x00.*$")
r2 = pyaiengine.Regex("Regex for analysing the content of HTTP",
b"^.{3}\xcd\x9c\xc0\x0a\x34.*$")
r3 = pyaiengine.Regex("Regex for analysing the content of HTTP",
b"^.*\x44\x75\x57\x0c\x22\x7b\xa7\x6d$")
r2.next_regex = r3
r1.next_regex = r2
rm.add_regex(r1)
r3.callback = callback_regex
""" So the flows from wired.com will be analise the regexmanager attached """
d.regex_manager = rm
dm = pyaiengine.DomainNameManager()
d.callback = callback_domain
dm.add_domain_name(d)
self.s.set_domain_name_manager(dm, "http")
with pyaiengine.PacketDispatcher(
"../pcapfiles/two_http_flows_noending.pcap") as pd:
pd.stack = self.s
pd.run()
self.assertEqual(self.called_callback, 2)
self.assertEqual(r1.matchs, 1)
self.assertEqual(r2.matchs, 1)
self.assertEqual(r3.matchs, 1)
self.assertEqual(d.matchs, 1)
def test31(self):
""" Verify the functionatliy of the RegexManager on the IPSets """
def regex_callback(flow):
r = flow.regex
i = flow.ip_set
self.assertEqual(flow.dstip, "95.100.96.10")
self.assertEqual(r.name, "generic http")
self.assertEqual(i.name, "Generic set")
self.called_callback += 1
def ipset_callback(flow):
r = flow.regex
i = flow.ip_set
self.assertNotEqual(i, None)
self.assertEqual(i.name, "Generic set")
self.assertEqual(r, None)
self.called_callback += 1
rm = pyaiengine.RegexManager()
i = pyaiengine.IPSet("Generic set")
i.add_ip_address("95.100.96.10")
i.regexmanager = None
i.callback = ipset_callback
im = pyaiengine.IPSetManager()
im.add_ip_set(i)
self.s.tcp_ip_set_manager = im
r = pyaiengine.Regex("generic http", "^GET.*HTTP")
r.callback = regex_callback
rm.add_regex(r)
self.s.enable_nids_engine = True
with pyaiengine.PacketDispatcher(
"../pcapfiles/two_http_flows_noending.pcap") as pd:
pd.stack = self.s
pd.run()
self.assertEqual(self.called_callback, 1)
self.assertEqual(i.lookups_in, 1)
self.assertEqual(r.matchs, 0)
def test3(self):
""" Create a regex for netbios with callback """
def callback(flow):
self.called_callback += 1
self.assertEqual(flow.regex.matchs, 1)
self.assertEqual(flow.regex.name, "netbios")
self.s.link_layer_tag = "vlan"
rm = pyaiengine.RegexManager()
r = pyaiengine.Regex("netbios", "CACACACA")
r.callback = callback
rm.add_regex(r)
self.s.udp_regex_manager = rm
self.dis.open("../pcapfiles/flow_vlan_netbios.pcap")
self.dis.run()
self.dis.close()
self.assertEqual(r.matchs, 1)
self.assertEqual(self.called_callback, 1)
def test4(self):
""" Test the extraction of the tag from the flow when matches """
def virt_callback(flow):
if ((flow.have_tag == True) and (flow.tag == 1)):
self.called_callback += 1
rm = pyaiengine.RegexManager()
r = pyaiengine.Regex("Bin directory", b"^bin$")
r.callback = virt_callback
rm.add_regex(r)
self.s.tcp_regex_manager = rm
self.s.enable_nids_engine = True
self.dis.open("../pcapfiles/vxlan_ftp.pcap")
self.dis.run()
self.dis.close()
self.assertEqual(r.callback, virt_callback)
self.assertEqual(r.matchs, 1)
self.assertEqual(self.called_callback, 1)
def test3(self):
""" Inject two pcapfiles with gre and vxlan traffic and verify regex """
rm = pyaiengine.RegexManager()
r = pyaiengine.Regex("SSH activity", b"^SSH-2.0.*$")
rm.add_regex(r)
self.s.tcp_regex_manager = rm
self.s.enable_nids_engine = True
# The first packet of the pcapfile is from 18 sep 2014
self.dis.open("../pcapfiles/vxlan_ftp.pcap")
self.dis.run()
self.dis.close()
""" This FlowManagers points to the virtualize layer """
ft = self.s.tcp_flow_manager
fu = self.s.udp_flow_manager
self.assertEqual(ft.flows, 1)
self.assertEqual(ft.process_flows, 1)
self.assertEqual(ft.timeout_flows, 0)
self.assertEqual(r.matchs, 0)
self.assertEqual(len(self.s.tcp_flow_manager), 1)
self.assertEqual(len(self.s.udp_flow_manager), 0)
self.s.flows_timeout = (60 * 60 * 24)
# The first packet of the pcapfile is from 19 sep 2014
self.dis.open("../pcapfiles/gre_ssh.pcap")
self.dis.run()
self.dis.close()
self.assertEqual(ft.flows, 2)
self.assertEqual(ft.process_flows, 2)
self.assertEqual(ft.timeout_flows, 0)
self.assertEqual(r.matchs, 1)
self.assertEqual(len(ft), 2)
self.assertEqual(len(fu), 0)
def test12(self):
""" Verify the functionatliy of the RegexManager on the HTTP Protocol for analise
inside the l7 payload of HTTP on IPv6 traffic """
def callback_domain(flow):
self.called_callback += 1
def callback_regex(flow):
self.called_callback += 1
self.assertEqual(flow.regex.name,
"Regex for analysing the content of HTTP")
self.assertEqual(flow.http_info.host_name, "media.us.listen.com")
d = pyaiengine.DomainName("Music domain", ".us.listen.com")
rm = pyaiengine.RegexManager()
r1 = pyaiengine.Regex("Regex for analysing the content of HTTP",
b"^\x89\x50\x4e\x47\x0d\x0a\x1a\x0a.*$")
rm.add_regex(r1)
r1.callback = callback_regex
""" So the flows from listen.com will be analise the regexmanager attached """
d.regex_manager = rm
dm = pyaiengine.DomainNameManager()
d.callback = callback_domain
dm.add_domain_name(d)
self.s.set_domain_name_manager(dm, "HTTPProtocol")
with pyaiengine.PacketDispatcher(
"../pcapfiles/http_over_ipv6.pcap") as pd:
pd.stack = self.s
pd.run()
self.assertEqual(self.called_callback, 2)
self.assertEqual(r1.matchs, 1)
self.assertEqual(d.matchs, 1)
import os
sys.path.append("../src/")
import pyaiengine
def callback(flow):
print("Detected Bitcoinminer on ip:", flow.srcip)
if __name__ == '__main__':
# Load an instance of a Lan Stack
st = pyaiengine.StackLan()
r_mng = pyaiengine.RegexManager()
reg_head = pyaiengine.Regex("First regex", "mining.subscribe")
reg_tail = pyaiengine.Regex(
"Second regex",
"c4758493e4f9804beeb784b4ff0be019b03678952ea8bb6f5c5365b2b76438a7")
reg_head.next_regex = reg_tail
reg_tail.callback = callback
r_mng.add_regex(reg_head)
st.tcp_regex_manager = r_mng
st.tcp_flows = 327680
st.udp_flows = 163840
# Library General Public License for more details.
#
# You should have received a copy of the GNU Library General Public
# License along with this library; if not, write to the
# Free Software Foundation, Inc., 51 Franklin St, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# Written by Luis Campo Giralte <*****@*****.**>
#
""" Example of using the pyaiengine """
import pyaiengine
import sys
st = pyaiengine.StackLan()
tcp_rm = pyaiengine.RegexManager()
udp_rm = pyaiengine.RegexManager()
""" Put here your code for load regexs
>>> tcp_rm.add_regex(pyaiengine.Regex("some regex", "\x00\x0a\x0b")
>>> tcp_rm.add_regex(pyaiengine.Regex("some regex", "^\x00\x0a.*exe", callback)
"""
tcp_set = pyaiengine.IPSetManager()
udp_set = pyaiengine.IPSetManager()
tcp_ipset = pyaiengine.IPSet()
udp_ipset = pyaiengine.IPSet()
""" Put here your code with your IP lists
>>> tcp_ipset.add_ip_address("192.158.1.1")
"""
def insert(self,key):
pass
def remove(self,key):
pass
def callback_eternalblue(flow):
print("EternaBlue exploit detected on %s" % str(flow))
if __name__ == '__main__':
st = pyaiengine.StackLan()
rm = pyaiengine.RegexManager()
r = pyaiengine.Regex("Eternalblue exploit", b"^.{5}SMB.{57}[\x0e\x51\x52]\x00.*$", callback_eternalblue)
""" We want to have the packet logged on the adaptor """
r.write_packet = True
rm.add_regex(r)
st.tcp_regex_manager = rm
l = loggerAdaptor("tcp_logfile.dat")
st.set_tcp_database_adaptor(l, 512)
st.set_dynamic_allocated_memory(True)
"WARNING: Possible CVE-2018-7600 Attack detected on %s" % str(flow) +
"\033[0m")
def payload_callback(flow):
print("\033[31m" +
"ALERT: CVE-2018-7600 Attack detected on %s" % str(flow) + "\033[0m")
if __name__ == '__main__':
st = pyaiengine.StackLan()
dm = pyaiengine.DomainNameManager()
rm1 = pyaiengine.RegexManager()
rm2 = pyaiengine.RegexManager()
r1 = pyaiengine.Regex("Potential bad drupal", b"^/user/register",
uri_callback)
r2 = pyaiengine.Regex("Bad drupal", "shell.php", payload_callback)
d = pyaiengine.DomainName("All HTTP traffic", "*")
d.http_uri_regex_manager = rm1
rm2.add_regex(r2)
r1.next_regex_manager = rm2
rm1.add_regex(r1)
dm.add_domain_name(d)
