Example #1
0
def showudpmatches(data):
    proto = 'UDP'

    ((src, sport), (dst, dport)) = matchstats['addr']

    key = "%s:%s" % (src, sport)
    if key not in openudpflows:
        key = "%s:%s" % (dst, dport)

    if configopts['maxdispbytes'] > 0: maxdispbytes = configopts['maxdispbytes']
    else: maxdispbytes = len(data)

    filename = '%s/%s-%08d-%s.%s-%s.%s-%s' % (configopts['logdir'], proto, configopts['packetct'], src, sport, dst, dport, matchstats['direction'])

    if configopts['writelogs']:
        writetofile(filename, data)

        if configopts['verbose'] and configopts['verboselevel'] >= 1:
            doinfo('[IP#%d.UDP#%d] Wrote %dB to %s/%s-%08d.%s.%s.%s.%s' % (
                    openudpflows[key]['ipct'],
                    openudpflows[key]['id'],
                    matchstats['matchsize'],
                    configopts['logdir'],
                    proto,
                    configopts['packetct'],
                    src,
                    sport,
                    dst,
                    dport))

    if 'quite' in configopts['outmodes']:
        if matchstats['regex']:
            pattern = getregexpattern(matchstats['regex'])
        else:
            pattern = None

        if configopts['verbose'] and configopts['verboselevel'] >= 1:
            doinfo('[IP#%d.UDP#%d] %s:%s %s %s:%s matches \'%s\' @ [%d:%d] - %dB' % (
                    openudpflows[key]['ipct'],
                    openudpflows[key]['id'],
                    src,
                    sport,
                    matchstats['directionflag'],
                    dst,
                    dport,
                    pattern,
                    matchstats['start'],
                    matchstats['end'],
                    matchstats['matchsize']))
        return

    if configopts['maxdisppackets'] != 0 and configopts['disppacketct'] >= configopts['maxdisppackets']:
        if configopts['verbose'] and configopts['verboselevel'] >= 1:
            doinfo('Skipping outmode parsing { disppacketct: %d == maxdisppackets: %d }' % (
                    configopts['disppacketct'],
                    configopts['maxdisppackets']))
        return

    direction = matchstats['direction']
    directionflag = matchstats['directionflag']
    if 'meta' in configopts['outmodes']:
        if configopts['invertmatch']:
            invertstatus = " (invert)"
        else:
            invertstatus = ""

        start = matchstats['start']
        end = matchstats['end']
        matchsize = matchstats['matchsize']

        if matchstats['detectiontype'] == 'regex':
            metastr = 'matches regex%s: \'%s\'' % (invertstatus, getregexpattern(matchstats['regex']))

        elif matchstats['detectiontype'] == 'shellcode':
            metastr = 'contains shellcode [Offset: %d]%s' % (matchstats['shellcodeoffset'], invertstatus)

        elif matchstats['detectiontype'] == 'yara':
            metastr = 'matches rule: \'%s\' from %s' % (matchstats['yararulename'], matchstats['yararulefilepath'])

        else:
            metastr = ''

        if configopts['verbose'] and configopts['verboselevel'] >= 1:
             bpfstr = generate_bpf("UDP", src, sport, directionflag, dst, dport)
             doinfo('[IP#%d.UDP#%d] BPF: %s' % (
                openudpflows[key]['ipct'],
                openudpflows[key]['id'],
                bpfstr))

        print '[MATCH] (%08d/%08d) [IP#%d.UDP#%d] %s:%s %s %s:%s %s' % (
                configopts['inspudppacketct'],
                configopts['udpmatches'],
                openudpflows[key]['ipct'],
                openudpflows[key]['id'],
                src,
                sport,
                directionflag,
                dst,
                dport,
                metastr)

        print '[MATCH] (%08d/%08d) [IP#%d.UDP#%d] match @ %s[%d:%d] (%dB)' % (
                configopts['inspudppacketct'],
                configopts['udpmatches'],
                openudpflows[key]['ipct'],
                openudpflows[key]['id'],
                direction,
                start,
                end,
                matchsize)

    if 'print' in configopts['outmodes']:
        if configopts['colored']:
            if direction == configopts['ctsdirectionstring']:
                printable(data[:maxdispbytes], configopts['ctsoutcolor'])
            elif direction == configopts['stcdirectionstring']:
                printable(data[:maxdispbytes], configopts['stcoutcolor'])
        else:
            printable(data[:maxdispbytes], None)

    if 'raw' in configopts['outmodes']:
        if configopts['colored']:
            print colored(data[:maxdispbytes])
        else:
            print data[:maxdispbytes]

    if 'hex' in configopts['outmodes']:
        if configopts['colored']:
            if direction == configopts['ctsdirectionstring']:
                hexdump(data[:maxdispbytes], configopts['ctsoutcolor'])
            elif direction == configopts['stcdirectionstring']:
                hexdump(data[:maxdispbytes], configopts['stcoutcolor'])
        else:
            hexdump(data[:maxdispbytes], None)

    if configopts['asm4shellcode']:
        print
        if configopts['verbose'] and configopts['verboselevel'] >= 1:
             doinfo('[IP#%d.UDP#%d] Generating disassembled output for %dB of detected shellcode' % (
                        openudpflows[key]['ipct'],
                        openudpflows[key]['id'],
                        len(data)))
        dumpasm(data)

    configopts['dispstreamct'] += 1

    if not configopts['colored']:
        print
Example #2
0
def showtcpmatches(data):
    proto = 'TCP'

    if configopts['maxdispbytes'] > 0: maxdispbytes = configopts['maxdispbytes']
    else: maxdispbytes = len(data)

    ((src, sport), (dst, dport)) = matchstats['addr']
    filename = '%s/%s-%08d-%s.%s-%s.%s-%s' % (configopts['logdir'], proto, opentcpflows[matchstats['addr']]['id'], src, sport, dst, dport, matchstats['direction'])

    if configopts['writelogs']:
        writetofile(filename, data)

        if configopts['verbose'] and configopts['verboselevel'] >= 1:
            doinfo('[IP#%d.TCP#%d] Wrote %dB to %s' % (
                    opentcpflows[matchstats['addr']]['ipct'],
                    opentcpflows[matchstats['addr']]['id'],
                    matchstats['matchsize'],
                    filename))

    if 'quite' in configopts['outmodes']:
        if matchstats['detectiontype'] == 'regex':
            pattern = getregexpattern(matchstats['regex'])
        elif matchstats['detectiontype'] == 'fuzzy':
            if matchstats['direction'] == 'CTS':
                pattern = configopts['ctsfuzzpatterns']
            else:
                pattern = configopts['stcfuzzpaterns']
        else:
            pattern = None

        if configopts['verbose'] and configopts['verboselevel'] >= 1:
            doinfo('[IP#%d.TCP#%d] %s:%s %s %s:%s matches \'%s\' @ [%d:%d] - %dB' % (
                        opentcpflows[matchstats['addr']]['ipct'],
                        opentcpflows[matchstats['addr']]['id'],
                        src,
                        sport,
                        matchstats['directionflag'],
                        dst,
                        dport,
                        pattern,
                        matchstats['start'],
                        matchstats['end'],
                        matchstats['matchsize']))
        return

    if configopts['maxdispstreams'] != 0 and configopts['dispstreamct'] >= configopts['maxdispstreams']:
        if configopts['verbose'] and configopts['verboselevel'] >= 1:
            doinfo('Skipping outmode parsing { dispstreamct: %d == maxdispstreams: %d }' % (
                    configopts['dispstreamct'],
                    configopts['maxdispstreams']))
        return

    direction = matchstats['direction']
    startpacket = 0
    endpacket = 0
    if 'meta' in configopts['outmodes']:
        if configopts['invertmatch']:
            invertstatus = " (invert)"
        else:
            invertstatus = ""

        id = opentcpflows[matchstats['addr']]['id']

        if matchstats['direction'] == 'CTS':
            packetlendict = opentcpflows[matchstats['addr']]['ctspacketlendict']
        else:
            packetlendict = opentcpflows[matchstats['addr']]['stcpacketlendict']

        direction = matchstats['direction']
        directionflag = matchstats['directionflag']
        start = matchstats['start']
        end = matchstats['end']
        matchsize = matchstats['matchsize']

        totalcount = 0
        startpacket = 0
        endpacket = 0
        if len(packetlendict) == 1:
            startpacket = packetlendict.keys()[0]
            endpacket = startpacket
        else:
            for (pktid, pktlen) in collections.OrderedDict(sorted(packetlendict.items())).items():
                totalcount += pktlen

                if start <= totalcount and startpacket == 0 and pktlen != 0:
                    startpacket = pktid

                if end <= totalcount:
                    endpacket = pktid

                if configopts['verbose'] and configopts['verboselevel'] >= 5:
                    dodebug('(%06d:%06d) start:%d <= totalcount:%06d | end:%d <= totalcount:%06d ... %s|%-5s\t' % (
                                pktid, pktlen, start, totalcount, end, totalcount, (start <= totalcount), (end <= totalcount)))

                if endpacket != 0:
                    if configopts['verbose'] and configopts['verboselevel'] >= 5:
                        dodebug('startpacket: %d - endpacket: %d' % (startpacket, endpacket))
                    break

            if startpacket > endpacket:
                startpacket, endpacket = endpacket, startpacket

        if matchstats['detectiontype'] == 'regex':
            if direction == configopts['ctsdirectionstring']:
                regexpattern = configopts['ctsregexes'][matchstats['regex']]['regexpattern']
            elif direction == configopts['stcdirectionstring']:
                regexpattern = configopts['stcregexes'][matchstats['regex']]['regexpattern']

            metastr = 'matches regex%s: \'%s\'' % (invertstatus, regexpattern)

        elif matchstats['detectiontype'] == 'fuzzy':
            metastr = 'matches \'%s\' %s%s' % (matchstats['fuzzpattern'], matchstats['fuzzmatchdetails'], invertstatus)

        elif matchstats['detectiontype'] == 'shellcode':
            metastr = 'contains shellcode [Offset: %d]%s' % (matchstats['shellcodeoffset'], invertstatus)

        elif matchstats['detectiontype'] == 'yara':
            metastr = 'matches rule: \'%s\' from %s' % (matchstats['yararulename'], matchstats['yararulefilepath'])

        else:
            metastr = ''

        if not configopts['linemode']:
            packetstats = ' | packet[%d] - packet[%d]' % (startpacket, endpacket)
        else:
            packetstats = ''

        if configopts['verbose'] and configopts['verboselevel'] >= 1:
            bpfstr = generate_bpf("TCP", src, sport, directionflag, dst, dport)
            doinfo('[IP#%d.TCP#%d] BPF: %s' % (opentcpflows[matchstats['addr']]['ipct'], opentcpflows[matchstats['addr']]['id'], bpfstr))

        print '[MATCH] (%08d/%08d) [IP#%d.TCP#%d] %s:%s %s %s:%s %s' % (
                configopts['insptcppacketct'],
                configopts['tcpmatches'],
                opentcpflows[matchstats['addr']]['ipct'],
                opentcpflows[matchstats['addr']]['id'],
                src,
                sport,
                directionflag,
                dst,
                dport,
                metastr)

        print '[MATCH] (%08d/%08d) [IP#%d.TCP#%d] match @ %s[%d:%d] (%dB%s)' % (
                configopts['insptcppacketct'],
                configopts['tcpmatches'],
                opentcpflows[matchstats['addr']]['ipct'],
                opentcpflows[matchstats['addr']]['id'],
                direction,
                start + configopts['inspoffset'],
                end + configopts['inspoffset'],
                matchsize,
                packetstats)

    if 'print' in configopts['outmodes']:
        if configopts['colored']:
            if direction == configopts['ctsdirectionstring']:
                printable(data[:maxdispbytes], configopts['ctsoutcolor'])
            elif direction == configopts['stcdirectionstring']:
                printable(data[:maxdispbytes], configopts['stcoutcolor'])
        else:
            printable(data[:maxdispbytes], None)

    if 'raw' in configopts['outmodes']:
        if configopts['colored']:
            print colored(data[:maxdispbytes])
        else:
            print data[:maxdispbytes]

    if 'hex' in configopts['outmodes']:
        if configopts['colored']:
            if direction == configopts['ctsdirectionstring']:
                hexdump(data[:maxdispbytes], configopts['ctsoutcolor'])
            elif direction == configopts['stcdirectionstring']:
                hexdump(data[:maxdispbytes], configopts['stcoutcolor'])
        else:
            hexdump(data[:maxdispbytes], None)

    if configopts['asm4shellcode']:
        print
        if configopts['verbose'] and configopts['verboselevel'] >= 1:
            doinfo('[IP#%d.TCP#%d] Generating disassembled output for %dB of detected shellcode' % (
                        opentcpflows[matchstats['addr']]['ipct'],
                        opentcpflows[matchstats['addr']]['id'],
                        len(data)))
        dumpasm(data)

    configopts['dispstreamct'] += 1

    if not configopts['colored']:
        print
Example #3
0
def showudpmatches(data):
    proto = 'UDP'

    ((src, sport), (dst, dport)) = matchstats['addr']

    key = "%s:%s" % (src, sport)
    if key not in openudpflows:
        key = "%s:%s" % (dst, dport)

    if configopts['maxdispbytes'] > 0:
        maxdispbytes = configopts['maxdispbytes']
    else:
        maxdispbytes = len(data)

    filename = '%s/%s-%08d-%s.%s-%s.%s-%s' % (
        configopts['logdir'], proto, configopts['packetct'], src, sport, dst,
        dport, matchstats['direction'])

    if configopts['writelogs']:
        writetofile(filename, data)

        if configopts['verbose'] and configopts['verboselevel'] >= 1:
            doinfo('[IP#%d.UDP#%d] Wrote %dB to %s/%s-%08d.%s.%s.%s.%s' %
                   (openudpflows[key]['ipct'], openudpflows[key]['id'],
                    matchstats['matchsize'], configopts['logdir'], proto,
                    configopts['packetct'], src, sport, dst, dport))

    if 'quite' in configopts['outmodes']:
        if matchstats['regex']:
            pattern = getregexpattern(matchstats['regex'])
        else:
            pattern = None

        if configopts['verbose'] and configopts['verboselevel'] >= 1:
            doinfo(
                '[IP#%d.UDP#%d] %s:%s %s %s:%s matches \'%s\' @ [%d:%d] - %dB'
                % (openudpflows[key]['ipct'], openudpflows[key]['id'], src,
                   sport, matchstats['directionflag'], dst, dport, pattern,
                   matchstats['start'], matchstats['end'],
                   matchstats['matchsize']))
        return

    if configopts['maxdisppackets'] != 0 and configopts[
            'disppacketct'] >= configopts['maxdisppackets']:
        if configopts['verbose'] and configopts['verboselevel'] >= 1:
            doinfo(
                'Skipping outmode parsing { disppacketct: %d == maxdisppackets: %d }'
                % (configopts['disppacketct'], configopts['maxdisppackets']))
        return

    direction = matchstats['direction']
    directionflag = matchstats['directionflag']
    if 'meta' in configopts['outmodes']:
        if configopts['invertmatch']:
            invertstatus = " (invert)"
        else:
            invertstatus = ""

        start = matchstats['start']
        end = matchstats['end']
        matchsize = matchstats['matchsize']

        if matchstats['detectiontype'] == 'regex':
            metastr = 'matches regex%s: \'%s\'' % (
                invertstatus, getregexpattern(matchstats['regex']))

        elif matchstats['detectiontype'] == 'shellcode':
            metastr = 'contains shellcode [Offset: %d]%s' % (
                matchstats['shellcodeoffset'], invertstatus)

        elif matchstats['detectiontype'] == 'yara':
            metastr = 'matches rule: \'%s\' from %s' % (
                matchstats['yararulename'], matchstats['yararulefilepath'])

        else:
            metastr = ''

        if configopts['verbose'] and configopts['verboselevel'] >= 1:
            bpfstr = generate_bpf("UDP", src, sport, directionflag, dst, dport)
            doinfo(
                '[IP#%d.UDP#%d] BPF: %s' %
                (openudpflows[key]['ipct'], openudpflows[key]['id'], bpfstr))

        print '[MATCH] (%08d/%08d) [IP#%d.UDP#%d] %s:%s %s %s:%s %s' % (
            configopts['inspudppacketct'], configopts['udpmatches'],
            openudpflows[key]['ipct'], openudpflows[key]['id'], src, sport,
            directionflag, dst, dport, metastr)

        print '[MATCH] (%08d/%08d) [IP#%d.UDP#%d] match @ %s[%d:%d] (%dB)' % (
            configopts['inspudppacketct'], configopts['udpmatches'],
            openudpflows[key]['ipct'], openudpflows[key]['id'], direction,
            start, end, matchsize)

    if 'print' in configopts['outmodes']:
        if configopts['colored']:
            if direction == configopts['ctsdirectionstring']:
                printable(data[:maxdispbytes], configopts['ctsoutcolor'])
            elif direction == configopts['stcdirectionstring']:
                printable(data[:maxdispbytes], configopts['stcoutcolor'])
        else:
            printable(data[:maxdispbytes], None)

    if 'raw' in configopts['outmodes']:
        if configopts['colored']:
            print colored(data[:maxdispbytes])
        else:
            print data[:maxdispbytes]

    if 'hex' in configopts['outmodes']:
        if configopts['colored']:
            if direction == configopts['ctsdirectionstring']:
                hexdump(data[:maxdispbytes], configopts['ctsoutcolor'])
            elif direction == configopts['stcdirectionstring']:
                hexdump(data[:maxdispbytes], configopts['stcoutcolor'])
        else:
            hexdump(data[:maxdispbytes], None)

    if configopts['asm4shellcode']:
        print
        if configopts['verbose'] and configopts['verboselevel'] >= 1:
            doinfo(
                '[IP#%d.UDP#%d] Generating disassembled output for %dB of detected shellcode'
                % (openudpflows[key]['ipct'], openudpflows[key]['id'],
                   len(data)))
        dumpasm(data)

    configopts['dispstreamct'] += 1

    if not configopts['colored']:
        print