def main():
    # ASCII-art banner shown on startup (figlet "slant" rendering of the tool name)
    banner = '''\
   ______ _                _                            __
  / __/ /___ _      __(_)___  _________  ___  _____/ /_
 / /_/ / __ \ | /| / / / __ \/ ___/ __ \/ _ \/ ___/ __/
/ __/ / /_/ / |/ |/ / / / / (__  ) /_/ /  __/ /__/ /_
/_/ /_/\____/|__/|__/_/_/ /_/____/ .___/\___/\___/\__/
                                /_/
'''

    import re
    configopts['regexengine'] = 're'

    parser = argparse.ArgumentParser()

    # Exactly one input source: a pcap file or a live capture device
    inputgroup = parser.add_mutually_exclusive_group(required=True)
    inputgroup.add_argument('-p', metavar='--pcap', dest='pcap', default='', action='store',
                            help='input pcap file')
    inputgroup.add_argument('-d', metavar='--device', dest='device', default='lo', action='store',
                            help='listening device')

    # Direction-specific patterns: CTS = client-to-server, STC = server-to-client, ANY = both
    regex_direction_flags = parser.add_argument_group('RegEx per Direction')
    regex_direction_flags.add_argument('-c', metavar='--cregex', dest='cres', default=[], action='append',
                                       required=False, help='regex to match against CTS data')
    regex_direction_flags.add_argument('-s', metavar='--sregex', dest='sres', default=[], action='append',
                                       required=False, help='regex to match against STC data')
    regex_direction_flags.add_argument('-a', metavar='--aregex', dest='ares', default=[], action='append',
                                       required=False, help='regex to match against ANY data')

    regex_options = parser.add_argument_group('RegEx Options')
    regex_options.add_argument('-i', dest='igncase', default=False, action='store_true', required=False,
                               help='ignore case')
    # multiline matching is on by default; -m switches it off
    regex_options.add_argument('-m', dest='multiline', default=True, action='store_false', required=False,
                               help='disable multiline match')

    fuzzy_direction_flags = parser.add_argument_group('Fuzzy Patterns per Direction')
    fuzzy_direction_flags.add_argument('-G', metavar='--cfuzz', dest='cfuzz', default=[], action='append',
                                       required=False, help='string to fuzzy match against CTS data')
    fuzzy_direction_flags.add_argument('-H', metavar='--sfuzz', dest='sfuzz', default=[], action='append',
                                       required=False, help='string to fuzzy match against STC data')
    fuzzy_direction_flags.add_argument('-I', metavar='--afuzz', dest='afuzz', default=[], action='append',
                                       required=False, help='string to fuzzy match against ANY data')

    fuzzy_options = parser.add_argument_group('Fuzzy Options')
    fuzzy_options.add_argument('-r', metavar='fuzzminthreshold', dest='fuzzminthreshold', type=int, default=75,
                               action='store', required=False,
                               help='threshold for fuzzy match (1-100) - default 75')

    yara_direction_flags = parser.add_argument_group('Yara Rules per Direction')
    yara_direction_flags.add_argument('-P', metavar='--cyararules', dest='cyararules', default=[],
                                      action='append', required=False, help='Yara rules to match on CTS data')
    yara_direction_flags.add_argument('-Q', metavar='--syararules', dest='syararules', default=[],
                                      action='append', required=False, help='Yara rules to match on STC data')
    yara_direction_flags.add_argument('-R', metavar='--ayararules', dest='ayararules', default=[],
                                      action='append', required=False, help='Yara rules to match on ANY data')

    shellcode_options = parser.add_argument_group('Shellcode Detection')
    shellcode_options.add_argument('-M', dest='shellcode', default=False, action='store_true', required=False,
                                   help='enable shellcode detection')
    shellcode_options.add_argument('-J', dest='asm4shellcode', default=False, action='store_true',
                                   required=False, help='enable shellcode disassembly')
    shellcode_options.add_argument('-y', dest='emuprofile', default=False, action='store_true', required=False,
                                   help='generate emulator profile for detected shellcode')
    shellcode_options.add_argument('-Y', metavar='--emuprofileoutsize', dest='emuprofileoutsize', default=0,
                                   action='store', required=False,
                                   help='emulator profile memory size (default 1024K | max: 10240K)')

    content_modifiers = parser.add_argument_group('Content Modifiers')
    content_modifiers.add_argument('-O', metavar='--offset', dest='offset', default=0, action='store',
                                   required=False, help='bytes to skip before matching')
    content_modifiers.add_argument('-D', metavar='--depth', dest='depth', default=0, action='store',
                                   required=False, help='bytes to look at while matching (starting from offset)')

    inspection_limits = parser.add_argument_group('Inspection Limits')
    inspection_limits.add_argument('-T', metavar='--maxinspstreams', dest='maxinspstreams', default=0,
                                   action='store', type=int, required=False, help='max streams to inspect')
    inspection_limits.add_argument('-U', metavar='--maxinsppackets', dest='maxinsppackets', default=0,
                                   action='store', type=int, required=False, help='max packets to inspect')

    display_limits = parser.add_argument_group('Display Limits')
    display_limits.add_argument('-t', metavar='--maxdispstreams', dest='maxdispstreams', default=0,
                                action='store', type=int, required=False, help='max streams to display')
    display_limits.add_argument('-u', metavar='--maxdisppackets', dest='maxdisppackets', default=0,
                                action='store', type=int, required=False, help='max packets to display')
    display_limits.add_argument('-b', metavar='--maxdispbytes', dest='maxdispbytes', default=0,
                                action='store', type=int, required=False, help='max bytes to display')

    output_options = parser.add_argument_group('Output Options')
    output_options.add_argument('-w', metavar='logdir', dest='writebytes', default='', action='store',
                                required=False, nargs='?', help='write matching packets/streams')
    # 'quite' is the spelling the option list uses (sic)
    output_options.add_argument('-o', dest='outmodes', choices=('quite', 'meta', 'hex', 'print', 'raw'),
                                action='append', default=[], required=False, help='match output modes')

    misc_options = parser.add_argument_group('Misc. Options')
    misc_options.add_argument('-f', metavar='--bpf', dest='bpf', default='', action='store', required=False,
                              help='BPF expression')
    misc_options.add_argument('-v', dest='invmatch', default=False, action='store_true', required=False,
                              help='invert match')
    misc_options.add_argument('-V', dest='verbose', default=0, action='count', required=False,
                              help='verbose output (max: 3)')
    misc_options.add_argument('-e', dest='colored', default=False, action='store_true', required=False,
                              help='highlight CTS/STC matches')
    misc_options.add_argument('-k', dest='killtcp', default=False, action='store_true', required=False,
                              help='kill matching TCP stream')
    misc_options.add_argument('-j', dest='tcpmultimatch', default=False, action='store_true', required=False,
                              help='enable TCP multi match mode')

    # -z and -Z are mutually exclusive ways of writing matching flows to a pcap
    pcapwrite = parser.add_mutually_exclusive_group(required=False)
    pcapwrite.add_argument('-z', dest='writepcapfast', default=False, action='store_true',
                           help='write matching flows to pcap w/ %d post match packets' % (configopts['pcappacketct']))
    pcapwrite.add_argument('-Z', dest='writepcap', default=False, action='store_true',
                           help='write matching flows to pcap w/ all post match packets')
    misc_options.add_argument('-q', metavar='pcappacketct', dest='pcappacketct',
                              default=configopts['pcappacketct'], action='store',
                              help='# of post match packets to write to pcap')
    misc_options.add_argument('-L', dest='linemode', default=False, action='store_true', required=False,
                              help='enable linemode (disables inspection)')
    misc_options.add_argument('-B', dest='nobanner', default=False, action='store_true', required=False,
                              help='skip banner/version display on startup')
    misc_options.add_argument('-S', dest='nosummary', default=False, action='store_true', required=False,
                              help='skip match summary display at exit')
    misc_options.add_argument('-n', dest='dumpargs', default=False, action='store_true', required=False,
                              help='show argument stats')

    args = parser.parse_args()

    # Input source: offline pcap or live capture, handed to pynids via nids.param()
    if args.pcap:
        configopts['pcap'] = args.pcap
        nids.param('filename', configopts['pcap'])
        configopts['livemode'] = False
    elif args.device:
        configopts['device'] = args.device
        nids.param('device', configopts['device'])
        configopts['livemode'] = True

    # Regex flags are accumulated in configopts['reflags'] and applied at compile time
    if args.igncase:
        configopts['igncase'] = True
        configopts['reflags'] |= re.IGNORECASE

    if args.invmatch:
        configopts['invertmatch'] = True

    if args.multiline:
        configopts['multiline'] = True
        configopts['reflags'] |= re.MULTILINE
        configopts['reflags'] |= re.DOTALL

    if args.tcpmultimatch:
        configopts['tcpmultimatch'] = True

    # Compiled patterns are stored per direction, keyed by the compiled regex object;
    # an ANY (-a) pattern is registered for both directions
    if configopts['regexengine']:
        if args.cres:
            if 'regex' not in configopts['inspectionmodes']:
                configopts['inspectionmodes'].append('regex')
            for c in args.cres:
                configopts['ctsregexes'][re.compile(c, configopts['reflags'])] = {'regexpattern': c}

        if args.sres:
            if 'regex' not in configopts['inspectionmodes']:
                configopts['inspectionmodes'].append('regex')
            for s in args.sres:
                configopts['stcregexes'][re.compile(s, configopts['reflags'])] = {'regexpattern': s}

        if args.ares:
            if 'regex' not in configopts['inspectionmodes']:
                configopts['inspectionmodes'].append('regex')
            for a in args.ares:
                configopts['ctsregexes'][re.compile(a, configopts['reflags'])] = {'regexpattern': a}
                configopts['stcregexes'][re.compile(a, configopts['reflags'])] = {'regexpattern': a}

    # Fuzzy matching is optional and depends on the fuzzywuzzy package
    if args.cfuzz or args.sfuzz or args.afuzz:
        try:
            from fuzzywuzzy import fuzz
            configopts['fuzzengine'] = 'fuzzywuzzy'
        except ImportError as ex:
            dowarn('Import failed: %s' % ex)
            configopts['fuzzengine'] = None
# Module-level setup: import path, core modules and the pynids dependency check.
# FLOWINSPECTROOTDIR is set earlier in the project's main script (not part of this excerpt).
import sys
import argparse

sys.path.insert(0, '%s/%s' % (FLOWINSPECTROOTDIR, 'core'))

from globals import configopts, opentcpflows, openudpflows, ippacketsdict
from functions import dumpargstats, dumpmatchstats, doexit
from tcphandler import handletcp
from udphandler import handleudp
from iphandler import handleip
from utils import NullDevice, getcurtime, donorm, doinfo, dodebug, dowarn, doerror

starttime = getcurtime()
sys.dont_write_bytecode = True

# pynids is a hard dependency: abort with a warning if it cannot be imported
try:
    import nids
except ImportError as ex:
    dowarn('Import failed: %s' % ex)
    sys.exit(1)