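def __init__(self, session=None):
    """Configure logging, print the banner and run the configured scan.

    Args:
        session: dict carrying the run state.  ``session['config']`` (a dict
            with ``enable_interactive`` and ``input_files``) is read here and
            ``session['banner']`` / ``session['report']`` are written.  Defaults
            to a fresh dict per call; the previous ``session={}`` default was a
            single dict shared by every instance, so state leaked between runs.

    Side effects:
        Loads the logging configuration from ``logging.conf`` in the working
        directory, prints the banner, then either enters ``self.interactive()``
        or calls ``self.analyze(f)`` for each configured input file.  Start,
        end and elapsed wall-clock times are stored in ``session['report']``
        and the elapsed time is printed.
    """
    starttime = time.time()
    logging.config.fileConfig('logging.conf')
    self.logger = logging.getLogger(__name__)
    # New dict per instance; a mutable default argument is shared across calls.
    self.session = {} if session is None else session
    # Raw string: the ASCII-art backslashes must not be treated as escapes.
    self.session['banner'] = utils.to_base64(r""" .___ _______ __ __ __| _/_______ _____ \_ __ \| | \ / __ | \_ __ \\__ \ | | \/| | // /_/ | | | \/ / __ \_ |__| |____/ \____ | |__| (____ / v%s \/ \/ (%s) """ % (get_version_string(), get_author()))
    print(utils.from_base64(self.session['banner']))
    self.session['report'] = {}
    config = self.session['config']
    if config['enable_interactive']:
        print(' Use the "self" object to analyze files')
        self.interactive()
    elif config['input_files']:
        # A non-empty list is truthy; no separate len() check is needed.
        for f in config['input_files']:
            self.analyze(f)
    else:
        self.logger.error('Please use -f to specify a file or use -i for interactive mode')
    endtime = time.time()
    # Re-read the report entry: analyze()/interactive() may have replaced it.
    report = self.session['report']
    report['starttime'] = starttime
    report['endtime'] = endtime
    report['elapsedtime'] = endtime - starttime
    print('Total scan time: %s' % (utils.hms_string(report['elapsedtime'])))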
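def __init__(self, session=None):
    """Configure logging, print the banner and run the configured scan.

    Args:
        session: dict carrying the run state.  ``session['config']`` (a dict
            with ``enable_interactive`` and ``input_files``) is read here and
            ``session['banner']`` / ``session['report']`` are written.  Defaults
            to a fresh dict per call; the previous ``session={}`` default was a
            single dict shared by every instance, so state leaked between runs.

    Side effects:
        Loads the logging configuration from ``logging.conf`` in the working
        directory, prints the banner, then either enters ``self.interactive()``
        or calls ``self.analyze(f)`` for each configured input file.  Start,
        end and elapsed wall-clock times are stored in ``session['report']``
        and the elapsed time is printed.
    """
    starttime = time.time()
    logging.config.fileConfig('logging.conf')
    self.logger = logging.getLogger(__name__)
    # New dict per instance; a mutable default argument is shared across calls.
    self.session = {} if session is None else session
    # Raw string: the ASCII-art backslashes must not be treated as escapes.
    self.session['banner'] = utils.to_base64(r""" .___ _______ __ __ __| _/_______ _____ \_ __ \| | \ / __ | \_ __ \\__ \ | | \/| | // /_/ | | | \/ / __ \_ |__| |____/ \____ | |__| (____ / v%s \/ \/ (%s) """ % (get_version_string(), get_author()))
    print(utils.from_base64(self.session['banner']))
    self.session['report'] = {}
    config = self.session['config']
    if config['enable_interactive']:
        print(' Use the "self" object to analyze files')
        self.interactive()
    elif config['input_files']:
        # A non-empty list is truthy; no separate len() check is needed.
        for f in config['input_files']:
            self.analyze(f)
    else:
        self.logger.error('Please use -f to specify a file or use -i for interactive mode')
    endtime = time.time()
    # Re-read the report entry: analyze()/interactive() may have replaced it.
    report = self.session['report']
    report['starttime'] = starttime
    report['endtime'] = endtime
    report['elapsedtime'] = endtime - starttime
    print('Total scan time: %s' % (utils.hms_string(report['elapsedtime'])))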
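def report_sanitize(self, report):
    """Return a text-serialisable copy of *report* with binary fields base64 encoded.

    Every raw buffer attached to the report (file visualisations, whois text,
    per-transaction payloads, decoded data, regex matches and shellcode
    buffers/profiles) is moved to a sibling ``<key>_b64`` entry holding
    ``utils.to_base64(value)`` and the raw key is removed.  Flow-level
    ``ctsbuf``/``stcbuf`` buffers are dropped rather than encoded.  *report*
    itself is left unchanged; all edits are made on a deep copy.

    This is an encoding step for output, not a security control: the encoded
    entries still carry the original (possibly hostile) bytes and must be
    treated as untrusted by any consumer that decodes them.

    Args:
        report: analysis report dict.  ``report['filestats']`` and
            ``report['pcap']`` (with ``hosts`` and ``flows`` sub-dicts) must be
            present.  A flow key has the form ``'<a> - <b> - <PROTO>'``; its
            third field selects the UDP or TCP handling.  TCP transactions are
            expected to carry ``ctsdecode``/``stcdecode``, ``regex`` and
            ``shellcode`` entries (KeyError otherwise, as before).

    Returns:
        A new dict with the binary fields encoded as described.
    """
    to_b64 = utils.to_base64
    sanreport = copy.deepcopy(report)

    def encode_field(src, dst, key):
        # Move src[key] into dst['<key>_b64'] as base64 and drop the raw key from dst.
        dst['%s_b64' % (key,)] = to_b64(src[key])
        dst.pop(key, None)

    def encode_optional(src, dst, key):
        # As encode_field, but an absent key records None and leaves dst untouched.
        if key in src:
            encode_field(src, dst, key)
        else:
            dst['%s_b64' % (key,)] = None

    def encode_payload(src, dst, key):
        # Payload buffers: encode when present and non-empty, otherwise record None.
        # pop() replaces the original unconditional `del`, which raised KeyError
        # whenever the buffer key was absent.
        if src.get(key):
            encode_field(src, dst, key)
        else:
            dst['%s_b64' % (key,)] = None
            dst.pop(key, None)

    def sanitize_direction(rtx, stx, direction):
        # One TCP direction ('cts' or 'stc'): payload, decoded data, regex
        # matches and shellcode results, in the original order.
        encode_payload(rtx, stx, direction + 'buf')
        decode_key = direction + 'decode'
        for key in rtx[decode_key]:
            encode_field(rtx[decode_key], stx[decode_key], key)
        matches = rtx['regex'][direction]
        if matches:
            for matchid in matches:
                encode_field(matches[matchid], stx['regex'][direction][matchid], 'match')
        shellcode = rtx['shellcode'][direction]
        if shellcode:
            # The original looped over the shellcode keys but encoded the same
            # two fields on every pass; a single pass is equivalent.
            for key in ('buf', 'profile'):
                encode_field(shellcode, stx['shellcode'][direction], key)

    rstats = report['filestats']
    sstats = sanreport['filestats']
    for key in ('filebytefreqhistogram', 'filevis_png', 'filevis_png_bw'):
        if key in rstats:
            encode_field(rstats, sstats, key)

    # Hosts are sanitized exactly once.  The original ran this inside the
    # per-flow loop, so from the second flow onward the already-encoded
    # whois_text_b64 was overwritten with None.
    rhosts = report['pcap']['hosts']
    shosts = sanreport['pcap']['hosts']
    for host in rhosts:
        encode_optional(rhosts[host], shosts[host], 'whois_text')

    rflows = report['pcap']['flows']
    sflows = sanreport['pcap']['flows']
    for k in sorted(rflows):
        proto = k.split(' - ')[2]
        sflow = sflows[k]
        # Flow-level reassembled buffers are dropped outright, not encoded.
        for key in ('ctsbuf', 'stcbuf'):
            if sflow.get(key):
                del sflow[key]
        transactions = rflows[k].get('transactions')
        if not transactions:
            continue
        for tid in sorted(transactions):
            rtx = transactions[tid]
            stx = sflow['transactions'][tid]
            # Each visualisation is handled independently.  The original tested
            # ('bufvis_png' and 'bufvis_bw_png') in keys(), which only checks the
            # second key and raised KeyError when just that one was present.
            for key in ('bufvis_png', 'bufvis_bw_png'):
                encode_optional(rtx, stx, key)
            if proto == 'UDP':
                encode_payload(rtx, stx, 'buf')
            if proto == 'TCP':
                sanitize_direction(rtx, stx, 'cts')
                sanitize_direction(rtx, stx, 'stc')
    return dict(sanreport)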
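def report_sanitize(self, report):
    """Return a text-serialisable copy of *report* with binary fields base64 encoded.

    Every raw buffer attached to the report (file visualisations, whois text,
    per-transaction payloads, decoded data, regex matches and shellcode
    buffers/profiles) is moved to a sibling ``<key>_b64`` entry holding
    ``utils.to_base64(value)`` and the raw key is removed.  Flow-level
    ``ctsbuf``/``stcbuf`` buffers are dropped rather than encoded.  *report*
    itself is left unchanged; all edits are made on a deep copy.

    This is an encoding step for output, not a security control: the encoded
    entries still carry the original (possibly hostile) bytes and must be
    treated as untrusted by any consumer that decodes them.

    Args:
        report: analysis report dict.  ``report['filestats']`` and
            ``report['pcap']`` (with ``hosts`` and ``flows`` sub-dicts) must be
            present.  A flow key has the form ``'<a> - <b> - <PROTO>'``; its
            third field selects the UDP or TCP handling.  TCP transactions are
            expected to carry ``ctsdecode``/``stcdecode``, ``regex`` and
            ``shellcode`` entries (KeyError otherwise, as before).

    Returns:
        A new dict with the binary fields encoded as described.
    """
    to_b64 = utils.to_base64
    sanreport = copy.deepcopy(report)

    def encode_field(src, dst, key):
        # Move src[key] into dst['<key>_b64'] as base64 and drop the raw key from dst.
        dst['%s_b64' % (key,)] = to_b64(src[key])
        dst.pop(key, None)

    def encode_optional(src, dst, key):
        # As encode_field, but an absent key records None and leaves dst untouched.
        if key in src:
            encode_field(src, dst, key)
        else:
            dst['%s_b64' % (key,)] = None

    def encode_payload(src, dst, key):
        # Payload buffers: encode when present and non-empty, otherwise record None.
        # pop() replaces the original unconditional `del`, which raised KeyError
        # whenever the buffer key was absent.
        if src.get(key):
            encode_field(src, dst, key)
        else:
            dst['%s_b64' % (key,)] = None
            dst.pop(key, None)

    def sanitize_direction(rtx, stx, direction):
        # One TCP direction ('cts' or 'stc'): payload, decoded data, regex
        # matches and shellcode results, in the original order.
        encode_payload(rtx, stx, direction + 'buf')
        decode_key = direction + 'decode'
        for key in rtx[decode_key]:
            encode_field(rtx[decode_key], stx[decode_key], key)
        matches = rtx['regex'][direction]
        if matches:
            for matchid in matches:
                encode_field(matches[matchid], stx['regex'][direction][matchid], 'match')
        shellcode = rtx['shellcode'][direction]
        if shellcode:
            # The original looped over the shellcode keys but encoded the same
            # two fields on every pass; a single pass is equivalent.
            for key in ('buf', 'profile'):
                encode_field(shellcode, stx['shellcode'][direction], key)

    rstats = report['filestats']
    sstats = sanreport['filestats']
    for key in ('filebytefreqhistogram', 'filevis_png', 'filevis_png_bw'):
        if key in rstats:
            encode_field(rstats, sstats, key)

    # Hosts are sanitized exactly once.  The original ran this inside the
    # per-flow loop, so from the second flow onward the already-encoded
    # whois_text_b64 was overwritten with None.
    rhosts = report['pcap']['hosts']
    shosts = sanreport['pcap']['hosts']
    for host in rhosts:
        encode_optional(rhosts[host], shosts[host], 'whois_text')

    rflows = report['pcap']['flows']
    sflows = sanreport['pcap']['flows']
    for k in sorted(rflows):
        proto = k.split(' - ')[2]
        sflow = sflows[k]
        # Flow-level reassembled buffers are dropped outright, not encoded.
        for key in ('ctsbuf', 'stcbuf'):
            if sflow.get(key):
                del sflow[key]
        transactions = rflows[k].get('transactions')
        if not transactions:
            continue
        for tid in sorted(transactions):
            rtx = transactions[tid]
            stx = sflow['transactions'][tid]
            # Each visualisation is handled independently.  The original tested
            # ('bufvis_png' and 'bufvis_bw_png') in keys(), which only checks the
            # second key and raised KeyError when just that one was present.
            for key in ('bufvis_png', 'bufvis_bw_png'):
                encode_optional(rtx, stx, key)
            if proto == 'UDP':
                encode_payload(rtx, stx, 'buf')
            if proto == 'TCP':
                sanitize_direction(rtx, stx, 'cts')
                sanitize_direction(rtx, stx, 'stc')
    return dict(sanreport)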