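def prnp0f(pkt):
    """Fingerprint *pkt* with p0f and print a one-line, human-readable summary.

    Output shape (written to stdout, nothing is returned):
    ``src:sport - <label> <signature> (up: N hrs)\\n -> dst:dport (flags) (distance D)``
    where the uptime and distance parts appear only when available.
    If ``p0f()`` raises (e.g. the packet has no usable TCP layer) the
    function prints nothing and returns silently.

    :param pkt: packet to fingerprint; the sprintf() fields below need IP
        and TCP layers to resolve.
    """
    # TODO: print which p0f database the match came from.
    try:
        matches = p0f(pkt)
    except Exception:
        # Narrowed from a bare `except:`, which would also swallow
        # KeyboardInterrupt / SystemExit and hide an operator abort.
        return
    if not matches:
        # No database hit: show the raw signature we computed, unknown fields as '?'.
        label = "UNKNOWN"
        signature = "[" + ":".join(map(str, packet2p0f(pkt)[1])) + ":?:?]"
        distance = None
    else:
        best = matches[0]
        label, signature, distance = best[0], best[1], best[2]
    # Uptime is best-effort (needs a TCP timestamp option); 0 means "unknown".
    uptime = None
    try:
        uptime = pkt2uptime(pkt)
    except Exception:
        pass
    if uptime == 0:
        uptime = None
    # Resolve the sprintf() templates on their own and append the database /
    # packet-derived strings afterwards: feeding label or signature through
    # sprintf() would let a stray '%' in them be parsed as a field reference.
    res = pkt.sprintf("%IP.src%:%TCP.sport%") + " - " + label + " " + signature
    if uptime is not None:
        res += " (up: " + str(uptime / 3600) + " hrs)"
    res += pkt.sprintf("\n -> %IP.dst%:%TCP.dport% (%TCP.flags%)")
    if distance is not None:
        res += " (distance " + str(distance) + ")"
    print(res)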
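def prnp0f(pkt):
    """Run p0f against *pkt* and print the result in a readable form.

    The line printed is
    ``src:sport - <label> <signature> [ (up: N hrs)]\\n -> dst:dport (flags)[ (distance D)]``.
    Nothing is returned; the docstring of earlier versions said "returns"
    but the function only prints.  When ``p0f()`` raises, nothing is printed.

    :param pkt: packet to fingerprint (IP + TCP layers expected by the
        sprintf() templates).
    """
    # TODO: report which database produced the match.
    try:
        hits = p0f(pkt)
    except Exception:
        return

    if hits == []:
        # Unknown OS: print the signature derived from the packet itself.
        label = "UNKNOWN"
        signature = "[" + ":".join(map(str, packet2p0f(pkt)[1])) + ":?:?]"
        distance = None
    else:
        label, signature, distance = hits[0][0], hits[0][1], hits[0][2]

    # Best-effort uptime from the TCP timestamp option; 0 is treated as unknown.
    try:
        uptime = pkt2uptime(pkt)
    except Exception:
        uptime = None
    if uptime == 0:
        uptime = None

    # Keep database/packet-derived text out of the sprintf() template so a
    # '%' inside a label or signature can never be interpreted as a field.
    parts = [pkt.sprintf("%IP.src%:%TCP.sport%"), " - ", label, " ", signature]
    if uptime is not None:
        parts.append(" (up: " + str(uptime / 3600) + " hrs)")
    parts.append(pkt.sprintf("\n -> %IP.dst%:%TCP.dport% (%TCP.flags%)"))
    if distance is not None:
        parts.append(" (distance " + str(distance) + ")")
    print("".join(parts))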
def http_correl(self, moduledir, version, headers):
    """
    Correlates http packet with p0f database

    Walks every HTTP signature stored under ``self.base[moduledir]`` and
    yields, for each one, a tuple of four booleans followed by the
    signature's label ``self.labels[numlabel]``:

    * ``ver_correl`` - the signature's version is ``'*'`` or equals *version*.
    * ``ord_correl`` - header-order check (see the loop below); once it
      turns False the remaining headers are not examined.
    * ``abs_correl`` - becomes False as soon as a header listed in the
      signature's ``habsent`` set is present.
    * ``exp_correl`` - becomes True once a ``User-Agent`` or ``Server``
      header carries exactly the value ``expsw``.

    :param moduledir: key into ``self.base`` selecting the signature set
        (presumably 'request' or 'response' as in parse_tcp_base - verify).
    :param version: HTTP version compared against ``int(ver)``.
    :param headers: iterable of ``(name, value)`` pairs in wire order.
    """
    for (ver, horder, habsent, expsw), numlabel in self.base[moduledir]:
        ver_correl = (ver == '*') or (int(ver) == version)
        exp_correl = False
        abs_correl = True
        ord_correl = True
        ordi = 0
        # Names of expected headers whose value is None (optional entries).
        q_headers = set(
            map(lambda x: x[0], filter(lambda y: y[1] == None, horder)))
        # Really weird algorithm
        # FIXME
        prevs = set()
        for name, value in headers:
            if not ord_correl:
                break
            if abs_correl and (name in habsent):
                abs_correl = False
            if not exp_correl and (name in {'User-Agent', 'Server' }) and value == expsw:
                exp_correl = True
            if ordi >= len(horder):
                break
            checked = False
            # Advance through the expected order: a matching header consumes
            # its slot, optional (None-valued) slots are skipped and remembered
            # in `prevs`, and a header seen out of its optional slot is tolerated
            # if it was already skipped.
            # NOTE(review): a header name that hits none of the branches below
            # leaves `checked` False and `ordi` unchanged, so this `while`
            # would never terminate; the skip branch can also push `ordi` past
            # len(horder) and raise IndexError. Headers come from the wire, so
            # confirm against upstream whether an `else` branch is missing
            # here before relying on this on untrusted traffic.
            while not checked:
                if name == horder[ordi][0] and (horder[ordi][1] in ('', value)):
                    ordi += 1
                    prevs = set()
                    checked = True
                elif horder[ordi][1] == None:
                    prevs.add(horder[ordi][0])
                    ordi += 1
                elif name in prevs:
                    checked = True
                elif name in q_headers:
                    # Optional header appearing before its slot: order mismatch.
                    # (Placement of this assignment reconstructed from a
                    # collapsed listing - verify against the original file.)
                    checked = True
                    ord_correl = False
        yield (ver_correl, ord_correl, abs_correl, exp_correl), self.labels[numlabel]
def __sr_loop(srfunc, pkts, prn=lambda x: x[1].summary(), prnfail=lambda x: x.summary(), inter=1, timeout=None, count=None, verbose=None, store=1, *args, **kargs):
    """Repeatedly call *srfunc* on *pkts*, pacing the rounds by *inter* seconds.

    Each round is printed (when ``verbose > 1``) as a coloured "RECV n:" /
    "fail n:" listing formatted by *prn* / *prnfail*; rounds alternate between
    the theme's even/odd colours.  Stops after *count* rounds (``None`` means
    forever) or on Ctrl-C, then prints a hit-rate summary when *verbose* is
    truthy and at least one packet was sent.

    :param srfunc: send/receive function returning ``(answered, unanswered)``.
    :param timeout: per-round timeout; defaults to ``min(2 * inter, 5)``.
    :param store: when truthy, accumulate every round's results into the
        returned lists; otherwise they are discarded after display.
    :returns: ``(SndRcvList(answered), PacketList(unanswered))``.
    """
    theme = conf.color_theme
    if verbose is None:
        verbose = conf.verb
    if timeout is None:
        timeout = min(2 * inter, 5)

    sent_total = 0
    answered_total = 0
    answered_all = []
    unanswered_all = []
    parity = 0

    def _show(tag, paint, items, fmt, col):
        # Header in the theme's status colour, one row per packet in the
        # round's colour, then blanks as wide as the header.
        header = "%s %i:" % (tag, len(items))
        print("\r" + paint(header), end=' ')
        for item in items:
            print(col(fmt(item)))
        print(" " * len(header), end=' ')

    try:
        while True:
            parity ^= 1
            col = theme.odd if parity else theme.even
            if count is not None:
                if count == 0:
                    break
                count -= 1
            started = time.time()
            if verbose > 1:
                print("\rsend...\r", end=' ')
            res = srfunc(pkts, timeout=timeout, verbose=0, chainCC=True, *args, **kargs)
            answered, unanswered = res[0], res[1]
            sent_total += len(answered) + len(unanswered)
            answered_total += len(answered)
            if verbose > 1 and prn and len(answered) > 0:
                _show("RECV", theme.success, answered, prn, col)
            if verbose > 1 and prnfail and len(unanswered) > 0:
                _show("fail", theme.fail, unanswered, prnfail, col)
            if verbose > 1 and not (prn or prnfail):
                print("recv:%i fail:%i" % (len(answered), len(unanswered)))
            if store:
                answered_all += answered
                unanswered_all += unanswered
            elapsed = time.time() - started
            if elapsed < inter:
                time.sleep(inter - elapsed)
    except KeyboardInterrupt:
        pass

    if verbose and sent_total > 0:
        summary = "\nSent %i packets, received %i packets. %3.1f%% hits." % (
            sent_total, answered_total, 100.0 * answered_total / sent_total)
        print(theme.normal(summary))
    return SndRcvList(answered_all), PacketList(unanswered_all)
def __sr_loop(srfunc, pkts, prn=lambda x:x[1].summary(), prnfail=lambda x:x.summary(), inter=1, timeout=None, count=None, verbose=None, store=1, *args, **kargs):
    """Drive *srfunc* in a loop, one round every *inter* seconds.

    A round calls ``srfunc(pkts, timeout=..., verbose=0, chainCC=1, ...)``
    and, at ``verbose > 1``, prints the answered packets under "RECV n:" and
    the unanswered ones under "fail n:" (rows alternate even/odd theme
    colours between rounds).  The loop ends after *count* rounds, or never
    when *count* is ``None``, or on KeyboardInterrupt.  A closing hit-rate
    line is printed when *verbose* is truthy and something was sent.

    :returns: ``(plist.SndRcvList(answered), plist.PacketList(unanswered))``;
        both are empty unless *store* is truthy.
    """
    ct = conf.color_theme
    if verbose is None:
        verbose = conf.verb
    if timeout is None:
        timeout = min(2*inter, 5)

    total = 0
    hits = 0
    kept_ans = []
    kept_unans = []
    odd_round = False

    try:
        # `count is None` loops forever; otherwise stop once it reaches 0.
        while count is None or count != 0:
            odd_round = not odd_round
            colour = ct.odd if odd_round else ct.even
            if count is not None:
                count -= 1
            t0 = time.time()
            if verbose > 1:
                print("\rsend...\r", end=' ')
            res = srfunc(pkts, timeout=timeout, verbose=0, chainCC=1, *args, **kargs)
            got, missed = res[0], res[1]
            total += len(got) + len(missed)
            hits += len(got)
            if verbose > 1:
                for tag, paint, items, fmt in (
                    ("RECV", ct.success, got, prn),
                    ("fail", ct.fail, missed, prnfail),
                ):
                    if fmt and len(items) > 0:
                        head = "%s %i:" % (tag, len(items))
                        print("\r" + paint(head), end=' ')
                        for item in items:
                            print(colour(fmt(item)))
                        print(" " * len(head), end=' ')
                if not (prn or prnfail):
                    print("recv:%i fail:%i" % (len(got), len(missed)))
            if store:
                kept_ans += got
                kept_unans += missed
            spent = time.time() - t0
            if spent < inter:
                time.sleep(inter - spent)
    except KeyboardInterrupt:
        pass

    if verbose and total > 0:
        line = "\nSent %i packets, received %i packets. %3.1f%% hits." % (total, hits, 100.0 * hits / total)
        print(ct.normal(line))
    return plist.SndRcvList(kept_ans), plist.PacketList(kept_unans)
def parse_tcp_base(self):
    """Normalise the raw TCP signatures in ``self.base['tcp']`` into tuple keys.

    For both the 'response' and 'request' sub-tables, each raw signature
    string is split into eight fields with ``lparse(sig, 8)`` and replaced by
    a key ``(ver, ttl, olen, mss, wsize, scale, olayout, quirks, pclass)``
    mapping to the same label number:

    * ``wsize`` / ``scale`` come from splitting the window field on ','.
    * ``quirks`` is a frozenset of ``Quirks_p0f`` lookups of the ','-separated
      quirk names.
    * ``olayout`` is a tuple of ``Layouts_p0f`` lookups (unknown names kept
      as-is); a trailing entry that is still a string is turned into a
      negative int from its characters after position 4 (assumes an
      ``eol+N``-style token - TODO confirm against the database format).
    """
    for moduledir in ('response', 'request'):
        raw_sigs = self.base['tcp'][moduledir]
        parsed = {}
        for sig, numlabel in raw_sigs.items():
            (ver, ttl, olen, mss, wsize_field,
             olayout_field, quirks_field, pclass) = lparse(sig, 8)
            wsize, _, scale = wsize_field.partition(',')
            quirks = frozenset(Quirks_p0f.get(q) for q in quirks_field.split(','))
            layout = [Layouts_p0f.get(o, o) for o in olayout_field.split(',')]
            last = layout[-1]
            if isinstance(last, str):
                layout[-1] = -int(last[4:])
            key = (ver, ttl, olen, mss, wsize, scale, tuple(layout), quirks, pclass)
            parsed[key] = numlabel
        self.base['tcp'][moduledir] = parsed