def handletcp(tcp): id = 0 showmatch = False addrkey = tcp.addr ((src, sport), (dst, dport)) = tcp.addr if not configopts['linemode']: if configopts['tcpdone']: if configopts['udpdone']: if configopts['verbose'] and configopts['verboselevel'] >= 1: if addrkey in opentcpflows: id = opentcpflows[addrkey]['id'] doinfo('[IP#%d.TCP#%d] Done inspecting max packets (%d) and max streams (%d), preparing for exit' % ( opentcpflows[addrkey]['ipct'], opentcpflows[addrkey]['id'], configopts['maxinsppackets'], configopts['maxinspstreams'])) exitwithstats() else: if configopts['verbose'] and configopts['verboselevel'] >= 1: if addrkey in opentcpflows: id = opentcpflows[addrkey]['id'] doinfo('[IP#%d.TCP#%d] Ignoring stream %s:%s %s %s:%s { insptcppacketct: %d == maxinspstreams: %d }' % ( opentcpflows[addrkey]['ipct'], opentcpflows[addrkey]['id'], src, sport, dst, dport, configopts['insptcppacketct'], configopts['maxinspstreams'])) return regexes = [] fuzzpatterns = [] yararuleobjects = [] timestamp = datetime.datetime.fromtimestamp(nids.get_pkt_ts()).strftime('%H:%M:%S | %Y/%m/%d') endstates = [ nids.NIDS_CLOSE, nids.NIDS_TIMED_OUT, nids.NIDS_RESET ] inspectcts = False inspectstc = False if len(configopts['ctsregexes']) > 0 or len(configopts['ctsfuzzpatterns']) > 0 or len(configopts['ctsyararules']) > 0: inspectcts = True if len(configopts['stcregexes']) > 0 or len(configopts['stcfuzzpatterns']) > 0 or len(configopts['stcyararules']) > 0: inspectstc = True if tcp.nids_state == nids.NIDS_JUST_EST: if addrkey not in opentcpflows: tcp.server.collect = 0 tcp.client.collect = 0 if configopts['verbose'] and configopts['verboselevel'] >= 1: doinfo('[IP#%d.TCP#%d] %s:%s - %s:%s remains untracked { IP tracking missed this flow }' % ( opentcpflows[addrkey]['ipct'], opentcpflows[addrkey]['id'], src, sport, dst, dport)) else: configopts['insptcpstreamct'] += 1 if configopts['verbose'] and configopts['verboselevel'] >= 1: doinfo('[IP#%d.TCP#%d] %s:%s - %s:%s [NEW] { TRACKED: %d }' % ( opentcpflows[addrkey]['ipct'], opentcpflows[addrkey]['id'], src, sport, dst, dport, len(opentcpflows))) if configopts['linemode'] or 'shellcode' in configopts['inspectionmodes']: tcp.server.collect = 1 tcp.client.collect = 1 if configopts['verbose'] and configopts['verboselevel'] >= 1: doinfo('[IP#%d.TCP#%d] Enabled both CTS and STC data collection for %s:%s - %s:%s' % ( opentcpflows[addrkey]['ipct'], opentcpflows[addrkey]['id'], src, sport, dst, dport)) else: if inspectcts or 'shellcode' in configopts['inspectionmodes']: tcp.server.collect = 1 if configopts['verbose'] and configopts['verboselevel'] >= 1: doinfo('[IP#%d.TCP#%d] Enabled CTS data collection for %s:%s - %s:%s' % ( opentcpflows[addrkey]['ipct'], opentcpflows[addrkey]['id'], src, sport, dst, dport)) if inspectstc or 'shellcode' in configopts['inspectionmodes']: tcp.client.collect = 1 if configopts['verbose'] and configopts['verboselevel'] >= 1: doinfo('[IP#%d.TCP#%d] Enabled STC data collection for %s:%s - %s:%s' % ( opentcpflows[addrkey]['ipct'], opentcpflows[addrkey]['id'], src, sport, dst, dport)) if tcp.nids_state == nids.NIDS_DATA: tcp.discard(0) configopts['insptcppacketct'] += 1 if tcp.server.count_new > 0: direction = configopts['ctsdirectionstring'] directionflag = configopts['ctsdirectionflag'] count = tcp.server.count newcount = tcp.server.count_new start = tcp.server.count - tcp.server.count_new end = tcp.server.count opentcpflows[addrkey]['totdatasize'] += tcp.server.count_new if configopts['offset'] > 0 and configopts['offset'] < count: offset = configopts['offset'] else: offset = 0 if configopts['depth'] > 0 and configopts['depth'] <= (count - offset): depth = configopts['depth'] + offset else: depth = count offset += opentcpflows[addrkey]['multimatchskipoffset'] configopts['inspoffset'] = offset inspdata = tcp.server.data[offset:depth] inspdatalen = len(inspdata) if 'regex' in configopts['inspectionmodes']: for regex in configopts['ctsregexes'].keys(): regexes.append(regex) if 'fuzzy' in configopts['inspectionmodes']: for fuzzpattern in configopts['ctsfuzzpatterns']: fuzzpatterns.append(fuzzpattern) if 'yara' in configopts['inspectionmodes']: for yararuleobj in configopts['ctsyararules']: yararuleobjects.append(yararuleobj) if tcp.client.count_new > 0: direction = configopts['stcdirectionstring'] directionflag = configopts['stcdirectionflag'] count = tcp.client.count newcount = tcp.client.count_new start = tcp.client.count - tcp.client.count_new end = tcp.client.count opentcpflows[addrkey]['totdatasize'] += tcp.client.count_new if configopts['offset'] > 0 and configopts['offset'] < count: offset = configopts['offset'] else: offset = 0 offset += opentcpflows[addrkey]['multimatchskipoffset'] configopts['inspoffset'] = offset if configopts['depth'] > 0 and configopts['depth'] < (count - offset): depth = offset + configopts['depth'] else: depth = count inspdata = tcp.client.data[offset:depth] inspdatalen = len(inspdata) if 'regex' in configopts['inspectionmodes']: for regex in configopts['stcregexes'].keys(): regexes.append(regex) if 'fuzzy' in configopts['inspectionmodes']: for fuzzpattern in configopts['stcfuzzpatterns']: fuzzpatterns.append(fuzzpattern) if 'yara' in configopts['inspectionmodes']: for yararuleobj in configopts['stcyararules']: yararuleobjects.append(yararuleobj) if configopts['verbose'] and configopts['verboselevel'] >= 1: doinfo('[IP#%d.TCP#%d] %s:%s %s %s:%s [%dB] { CTS: %d, STC: %d, TOT: %d }' % ( opentcpflows[addrkey]['ipct'], opentcpflows[addrkey]['id'], src, sport, directionflag, dst, dport, newcount, tcp.server.count, tcp.client.count, opentcpflows[addrkey]['totdatasize'])) if configopts['linemode']: matchstats['addr'] = addrkey matchstats['start'] = start matchstats['end'] = end matchstats['matchsize'] = matchstats['end'] - matchstats['start'] matchstats['direction'] = direction matchstats['directionflag'] = directionflag donorm('[IP#%d.TCP#%d] Skipping inspection as linemode is enabled.' % (opentcpflows[addrkey]['ipct'], opentcpflows[addrkey]['id'])) showtcpmatches(inspdata[matchstats['start']:matchstats['end']]) if configopts['writepcap']: markmatchedippackets(addrkey) return if configopts['maxinspstreams'] != 0 and configopts['insptcppacketct'] >= configopts['maxinspstreams']: configopts['tcpdone'] = True if configopts['verbose'] and configopts['verboselevel'] >= 1: doinfo('[IP#%d.TCP#%d] Initiating inspection on %s[%d:%d] - %dB' % ( opentcpflows[addrkey]['ipct'], opentcpflows[addrkey]['id'], direction, offset, depth, inspdatalen)) matched = inspect('TCP', inspdata, inspdatalen, regexes, fuzzpatterns, yararuleobjects, addrkey, direction, directionflag) if matched: if configopts['killtcp']: tcp.kill if configopts['writepcap']: markmatchedippackets(addrkey) elif configopts['writepcapfast']: if addrkey in ippacketsdict.keys() and ippacketsdict[addrkey]['proto'] == 'TCP': ippacketsdict[addrkey]['matched'] = True ippacketsdict[addrkey]['id'] = opentcpflows[addrkey]['id'] ippacketsdict[addrkey]['matchedid'] = len(ippacketsdict[addrkey].keys()) - configopts['ipmetavars'] else: ((sip, sp), (dip, dp)) = addrkey newaddrkey = ((dip, dp), (sip, sp)) if newaddrkey in ippacketsdict.keys() and ippacketsdict[newaddrkey]['proto'] == 'TCP': ippacketsdict[newaddrkey]['matched'] = True ippacketsdict[newaddrkey]['id'] = opentcpflows[newaddrkey]['id'] ippacketsdict[newaddrkey]['matchedid'] = len(ippacketsdict[newaddrkey].keys()) - configopts['ipmetavars'] if direction == configopts['ctsdirectionstring']: matchstats['direction'] = configopts['ctsdirectionstring'] matchstats['directionflag'] = configopts['ctsdirectionflag'] elif direction == 'STC': matchstats['direction'] = configopts['stcdirectionstring'] matchstats['directionflag'] = configopts['stcdirectionflag'] if configopts['tcpmatches'] == 0: configopts['shortestmatch']['stream'] = matchstats['matchsize'] configopts['shortestmatch']['streamid'] = opentcpflows[addrkey]['id'] configopts['longestmatch']['stream'] = matchstats['matchsize'] configopts['longestmatch']['streamid'] = opentcpflows[addrkey]['id'] else: if matchstats['matchsize'] <= configopts['shortestmatch']['stream']: configopts['shortestmatch']['stream'] = matchstats['matchsize'] configopts['shortestmatch']['streamid'] = opentcpflows[addrkey]['id'] if matchstats['matchsize'] >= configopts['longestmatch']['stream']: configopts['longestmatch']['stream'] = matchstats['matchsize'] configopts['longestmatch']['streamid'] = opentcpflows[addrkey]['id'] configopts['tcpmatches'] += 1 matchstats['addr'] = addrkey showtcpmatches(inspdata[matchstats['start']:matchstats['end']]) if not configopts['tcpmultimatch']: tcp.server.collect = 0 tcp.client.collect = 0 if configopts['verbose'] and configopts['verboselevel'] >= 1: doinfo('[IP#%d.TCP#%d] %s:%s - %s:%s not being tracked any further { tcpmultimatch: %s }' % ( opentcpflows[addrkey]['ipct'], opentcpflows[addrkey]['id'], src, sport, dst, dport, configopts['tcpmultimatch'])) del opentcpflows[addrkey] else: if direction == configopts['ctsdirectionstring']: opentcpflows[addrkey]['ctspacketlendict'].clear() elif direction == configopts['stcdirectionstring']: opentcpflows[addrkey]['stcpacketlendict'].clear() opentcpflows[addrkey]['multimatchskipoffset'] += matchstats['end'] if configopts['verbose'] and configopts['verboselevel'] >= 1: doinfo('[IP#%d.TCP#%d] Marked %dB to be skipped for further %s inspection' % ( opentcpflows[addrkey]['ipct'], opentcpflows[addrkey]['id'], opentcpflows[addrkey]['multimatchskipoffset'], direction)) else: opentcpflows[addrkey]['previnspbufsize'] = inspdatalen if tcp.nids_state in endstates: if addrkey in opentcpflows: ipct = opentcpflows[addrkey]['ipct'] id = opentcpflows[addrkey]['id'] del opentcpflows[addrkey] if configopts['verbose'] and configopts['verboselevel'] >= 1: if tcp.nids_state == nids.NIDS_CLOSE: state = 'FIN' elif tcp.nids_state == nids.NIDS_TIMED_OUT: state = 'TIMED_OUT' elif tcp.nids_state == nids.NIDS_RESET: state = 'RST' else: state = 'UNKNOWN' doinfo('[IP#%d.TCP#%d] %s:%s - %s:%s [%s] { TRACKED: %d }' % ( ipct, id, src, sport, dst, dport, state, len(opentcpflows)))
except OSError as e: if e.errno != errno.EEXIST: raise i = 0 last = '' j = 0 files = glob.glob("tocheck/*.jpg") ammount = len(files) f = open('contours.cnt', 'rb') contours = pickle.load(f) f.close() for file in files: if i == 0 : n = inspector.inspect(str(file), contours) last = str(n) copyfile(file, 'sorted/{}/{}'.format(n, file[8:])) i=1 else : i = 0 copyfile(file, 'sorted/{}/{}'.format(last, file[8:])) j+=1 if j % 5 == 0 : print("{0:.02f}%".format(j/ammount*100)) print('Done')
def handleudp(addr, payload, pkt): showmatch = False addrkey = addr ((src, sport), (dst, dport)) = addr count = len(payload) start = 0 end = count data = payload if len(configopts['ctsregexes']) > 0 or len(configopts['ctsfuzzpatterns']) > 0 or len(configopts['ctsyararules']) > 0: inspectcts = True else: inspectcts = False if len(configopts['stcregexes']) > 0 or len(configopts['stcfuzzpatterns']) > 0 or len(configopts['stcyararules']) > 0: inspectstc = True else: inspectstc = False keya = "%s:%s" % (src, sport) keyb = "%s:%s" % (dst, dport) key = None if keya in openudpflows: key = "%s:%s" % (src, sport) keydst = "%s:%s" % (dst, dport) direction = configopts['ctsdirectionstring'] directionflag = configopts['ctsdirectionflag'] elif keyb in openudpflows: key = "%s:%s" % (dst, dport) keydst = "%s:%s" % (src, sport) direction = configopts['stcdirectionstring'] directionflag = configopts['stcdirectionflag'] if key in openudpflows and openudpflows[key]['keydst'] == keydst: openudpflows[key]['totdatasize'] += count else: if configopts['verbose'] and configopts['verboselevel'] >= 1: doinfo('[IP#%d.UDP#%d] %s:%s - %s:%s remains untracked { IP tracking missed this flow }' % ( openudpflows[key]['ipct'], openudpflows[key]['id'], src, sport, dst, dport)) regexes = [] fuzzpatterns = [] yararuleobjects = [] timestamp = datetime.datetime.fromtimestamp(nids.get_pkt_ts()).strftime('%H:%M:%S | %Y/%m/%d') if direction == configopts['ctsdirectionstring']: openudpflows[key]['ctsdatasize'] += count if 'regex' in configopts['inspectionmodes']: for regex in configopts['ctsregexes']: regexes.append(regex) if 'fuzzy' in configopts['inspectionmodes']: for fuzzpattern in configopts['ctsfuzzpatterns']: fuzzpatterns.append(fuzzpattern) if 'yara' in configopts['inspectionmodes']: for yararuleobj in configopts['ctsyararules']: yararuleobjects.append(yararuleobj) elif direction == configopts['stcdirectionstring']: openudpflows[key]['stcdatasize'] += count if 'regex' in configopts['inspectionmodes']: for regex in configopts['stcregexes']: regexes.append(regex) if 'fuzzy' in configopts['inspectionmodes']: for fuzzpattern in configopts['stcfuzzpatterns']: fuzzpatterns.append(fuzzpattern) if 'yara' in configopts['inspectionmodes']: for yararuleobj in configopts['stcyararules']: yararuleobjects.append(yararuleobj) if configopts['verbose'] and configopts['verboselevel'] >= 1: doinfo('[IP#%d.UDP#%d] %s %s %s [%dB] { TRACKED: %d } { CTS: %dB, STC: %dB, TOT: %dB }' % ( openudpflows[key]['ipct'], openudpflows[key]['id'], key, directionflag, keydst, count, len(openudpflows), openudpflows[key]['ctsdatasize'], openudpflows[key]['stcdatasize'], openudpflows[key]['totdatasize'])) if not configopts['linemode']: if configopts['udpdone']: if configopts['tcpdone']: if configopts['verbose'] and configopts['verboselevel'] >= 1: doinfo('Done inspecting max packets (%d) and max streams (%d), \ preparing for exit' % ( configopts['maxinsppackets'], configopts['maxinspstreams'])) exitwithstats() else: if configopts['verbose'] and configopts['verboselevel'] >= 1: doinfo('Ignoring packet %s:%s %s %s:%s { inspudppacketct: %d == maxinsppackets: %d }' % ( src, sport, dst, dport, configopts['inspudppacketct'], configopts['maxinsppackets'])) return configopts['inspudppacketct'] += 1 if configopts['linemode']: matchstats['addr'] = addrkey matchstats['start'] = start matchstats['end'] = end matchstats['matchsize'] = matchstats['end'] - matchstats['start'] matchstats['direction'] = direction matchstats['directionflag'] = directionflag if configopts['verbose'] and configopts['verboselevel'] >= 1: doinfo('[IP#%d.UDP#%d] Skipping inspection as linemode is enabled.' % ( openudpflows[key]['ipct'], openudpflows[key]['id'])) showudpmatches(data[matchstats['start']:matchstats['end']]) if configopts['writepcap']: markmatchedippackets(addrkey) return if configopts['maxinsppackets'] != 0 and configopts['inspudppacketct'] >= configopts['maxinsppackets']: configopts['udpdone'] = True if configopts['offset'] > 0 and configopts['offset'] < count: offset = configopts['offset'] else: offset = 0 if configopts['depth'] > 0 and configopts['depth'] <= (count - offset): depth = configopts['depth'] + offset else: depth = count inspdata = data[offset:depth] inspdatalen = len(inspdata) if configopts['verbose'] and configopts['verboselevel'] >= 1: doinfo('[IP#%d.UDP#%d] Initiating inspection on %s[%d:%d] - %dB' % ( openudpflows[key]['ipct'], openudpflows[key]['id'], direction, offset, depth, inspdatalen)) matched = inspect('UDP', inspdata, inspdatalen, regexes, fuzzpatterns, yararuleobjects, addrkey, direction, directionflag) if matched: openudpflows[key]['matches'] += 1 if configopts['writepcap']: markmatchedippackets(addrkey) if configopts['writepcapfast']: if addrkey in ippacketsdict.keys() and ippacketsdict[addrkey]['proto'] == 'UDP': ippacketsdict[addrkey]['matched'] = True ippacketsdict[addrkey]['id'] = configopts['packetct'] ippacketsdict[addrkey]['matchedid'] = len(ippacketsdict[addrkey].keys()) - configopts['ipmetavars'] else: ((sip, sp), (dip, dp)) = addrkey newaddrkey = ((dip, dp), (sip, sp)) if newaddrkey in ippacketsdict.keys() and ippacketsdict[newaddrkey]['proto'] == 'UDP': ippacketsdict[newaddrkey]['matched'] = True ippacketsdict[newaddrkey]['id'] = configopts['packetct'] ippacketsdict[newaddrkey]['matchedid'] = len(ippacketsdict[newaddrkey].keys()) - configopts['ipmetavars'] matchstats['start'] += offset matchstats['end'] += offset matchstats['direction'] = direction matchstats['directionflag'] = directionflag if configopts['udpmatches'] == 0: configopts['shortestmatch']['packet'] = matchstats['matchsize'] configopts['shortestmatch']['packetid'] = configopts['packetct'] configopts['longestmatch']['packet'] = matchstats['matchsize'] configopts['longestmatch']['packetid'] = configopts['packetct'] else: if matchstats['matchsize'] <= configopts['shortestmatch']['packet']: configopts['shortestmatch']['packet'] = matchstats['matchsize'] configopts['shortestmatch']['packetid'] = configopts['packetct'] if matchstats['matchsize'] >= configopts['longestmatch']['packet']: configopts['longestmatch']['packet'] = matchstats['matchsize'] configopts['longestmatch']['packetid'] = configopts['packetct'] configopts['udpmatches'] += 1 matchstats['addr'] = addrkey showudpmatches(data[matchstats['start']:matchstats['end']]) del openudpflows[key]
def handleudp(addr, payload, pkt): showmatch = False addrkey = addr ((src, sport), (dst, dport)) = addr count = len(payload) start = 0 end = count data = payload if len(configopts['ctsregexes']) > 0 or len( configopts['ctsfuzzpatterns']) > 0 or len( configopts['ctsyararules']) > 0: inspectcts = True else: inspectcts = False if len(configopts['stcregexes']) > 0 or len( configopts['stcfuzzpatterns']) > 0 or len( configopts['stcyararules']) > 0: inspectstc = True else: inspectstc = False keya = "%s:%s" % (src, sport) keyb = "%s:%s" % (dst, dport) key = None if keya in openudpflows: key = "%s:%s" % (src, sport) keydst = "%s:%s" % (dst, dport) direction = configopts['ctsdirectionstring'] directionflag = configopts['ctsdirectionflag'] elif keyb in openudpflows: key = "%s:%s" % (dst, dport) keydst = "%s:%s" % (src, sport) direction = configopts['stcdirectionstring'] directionflag = configopts['stcdirectionflag'] if key in openudpflows and openudpflows[key]['keydst'] == keydst: openudpflows[key]['totdatasize'] += count else: if configopts['verbose'] and configopts['verboselevel'] >= 1: doinfo( '[IP#%d.UDP#%d] %s:%s - %s:%s remains untracked { IP tracking missed this flow }' % (openudpflows[key]['ipct'], openudpflows[key]['id'], src, sport, dst, dport)) regexes = [] fuzzpatterns = [] yararuleobjects = [] timestamp = datetime.datetime.fromtimestamp( nids.get_pkt_ts()).strftime('%H:%M:%S | %Y/%m/%d') if direction == configopts['ctsdirectionstring']: openudpflows[key]['ctsdatasize'] += count if 'regex' in configopts['inspectionmodes']: for regex in configopts['ctsregexes']: regexes.append(regex) if 'fuzzy' in configopts['inspectionmodes']: for fuzzpattern in configopts['ctsfuzzpatterns']: fuzzpatterns.append(fuzzpattern) if 'yara' in configopts['inspectionmodes']: for yararuleobj in configopts['ctsyararules']: yararuleobjects.append(yararuleobj) elif direction == configopts['stcdirectionstring']: openudpflows[key]['stcdatasize'] += count if 'regex' in configopts['inspectionmodes']: for regex in configopts['stcregexes']: regexes.append(regex) if 'fuzzy' in configopts['inspectionmodes']: for fuzzpattern in configopts['stcfuzzpatterns']: fuzzpatterns.append(fuzzpattern) if 'yara' in configopts['inspectionmodes']: for yararuleobj in configopts['stcyararules']: yararuleobjects.append(yararuleobj) if configopts['verbose'] and configopts['verboselevel'] >= 1: doinfo( '[IP#%d.UDP#%d] %s %s %s [%dB] { TRACKED: %d } { CTS: %dB, STC: %dB, TOT: %dB }' % (openudpflows[key]['ipct'], openudpflows[key]['id'], key, directionflag, keydst, count, len(openudpflows), openudpflows[key]['ctsdatasize'], openudpflows[key]['stcdatasize'], openudpflows[key]['totdatasize'])) if not configopts['linemode']: if configopts['udpdone']: if configopts['tcpdone']: if configopts['verbose'] and configopts['verboselevel'] >= 1: doinfo( 'Done inspecting max packets (%d) and max streams (%d), \ preparing for exit' % (configopts['maxinsppackets'], configopts['maxinspstreams'])) exitwithstats() else: if configopts['verbose'] and configopts['verboselevel'] >= 1: doinfo( 'Ignoring packet %s:%s %s %s:%s { inspudppacketct: %d == maxinsppackets: %d }' % (src, sport, dst, dport, configopts['inspudppacketct'], configopts['maxinsppackets'])) return configopts['inspudppacketct'] += 1 if configopts['linemode']: matchstats['addr'] = addrkey matchstats['start'] = start matchstats['end'] = end matchstats['matchsize'] = matchstats['end'] - matchstats['start'] matchstats['direction'] = direction matchstats['directionflag'] = directionflag if configopts['verbose'] and configopts['verboselevel'] >= 1: doinfo( '[IP#%d.UDP#%d] Skipping inspection as linemode is enabled.' % (openudpflows[key]['ipct'], openudpflows[key]['id'])) showudpmatches(data[matchstats['start']:matchstats['end']]) if configopts['writepcap']: markmatchedippackets(addrkey) return if configopts['maxinsppackets'] != 0 and configopts[ 'inspudppacketct'] >= configopts['maxinsppackets']: configopts['udpdone'] = True if configopts['offset'] > 0 and configopts['offset'] < count: offset = configopts['offset'] else: offset = 0 if configopts['depth'] > 0 and configopts['depth'] <= (count - offset): depth = configopts['depth'] + offset else: depth = count inspdata = data[offset:depth] inspdatalen = len(inspdata) if configopts['verbose'] and configopts['verboselevel'] >= 1: doinfo('[IP#%d.UDP#%d] Initiating inspection on %s[%d:%d] - %dB' % (openudpflows[key]['ipct'], openudpflows[key]['id'], direction, offset, depth, inspdatalen)) matched = inspect('UDP', inspdata, inspdatalen, regexes, fuzzpatterns, yararuleobjects, addrkey, direction, directionflag) if matched: openudpflows[key]['matches'] += 1 if configopts['writepcap']: markmatchedippackets(addrkey) if configopts['writepcapfast']: if addrkey in ippacketsdict.keys( ) and ippacketsdict[addrkey]['proto'] == 'UDP': ippacketsdict[addrkey]['matched'] = True ippacketsdict[addrkey]['id'] = configopts['packetct'] ippacketsdict[addrkey]['matchedid'] = len( ippacketsdict[addrkey].keys()) - configopts['ipmetavars'] else: ((sip, sp), (dip, dp)) = addrkey newaddrkey = ((dip, dp), (sip, sp)) if newaddrkey in ippacketsdict.keys( ) and ippacketsdict[newaddrkey]['proto'] == 'UDP': ippacketsdict[newaddrkey]['matched'] = True ippacketsdict[newaddrkey]['id'] = configopts['packetct'] ippacketsdict[newaddrkey]['matchedid'] = len( ippacketsdict[newaddrkey].keys( )) - configopts['ipmetavars'] matchstats['start'] += offset matchstats['end'] += offset matchstats['direction'] = direction matchstats['directionflag'] = directionflag if configopts['udpmatches'] == 0: configopts['shortestmatch']['packet'] = matchstats['matchsize'] configopts['shortestmatch']['packetid'] = configopts['packetct'] configopts['longestmatch']['packet'] = matchstats['matchsize'] configopts['longestmatch']['packetid'] = configopts['packetct'] else: if matchstats['matchsize'] <= configopts['shortestmatch']['packet']: configopts['shortestmatch']['packet'] = matchstats['matchsize'] configopts['shortestmatch']['packetid'] = configopts[ 'packetct'] if matchstats['matchsize'] >= configopts['longestmatch']['packet']: configopts['longestmatch']['packet'] = matchstats['matchsize'] configopts['longestmatch']['packetid'] = configopts['packetct'] configopts['udpmatches'] += 1 matchstats['addr'] = addrkey showudpmatches(data[matchstats['start']:matchstats['end']]) del openudpflows[key]