def handleStream(tcp): ((src, sport), (dst, dport)) = parse_addr(tcp) if tcp.server.count_new > 0: data = tcp.server.data[:tcp.server.count_new] count = tcp.server.count_new direction = 'to_server' color = "RED" else: data = tcp.client.data[:tcp.client.count_new] count = tcp.client.count_new direction = 'to_client' color = "GREEN" if tcp.module_data['verbose']: chop.tsprettyprnt( color, "%s:%s -> %s:%s %i bytes (H = %0.2f)" % (src, sport, dst, dport, count, entropy(data))) if tcp.module_data['oneshot']: tcp.stream_data['data'] += data if tcp.module_data['oneshot_split']: tcp.stream_data[direction] += data if tcp.module_data['oneshot'] or tcp.module_data['oneshot_split']: return handle_bytes(data, color, direction, tcp.module_data) tcp.discard(count)
def handleStream(tcp): ((src, sport), (dst, dport)) = parse_addr(tcp) if tcp.server.count_new > 0: if tcp.module_data['verbose']: chop.tsprnt("%s:%s->%s:%s (%i)" % (src, sport, dst, dport, tcp.server.count_new)) try: tcp.stream_data['cp'].req_data( tcp.server.data[:tcp.server.count_new]) except htpy.stop: tcp.stop() except htpy.error: chop.prnt("Stream error in htpy.") tcp.stop() tcp.discard(tcp.server.count_new) elif tcp.client.count_new > 0: if tcp.module_data['verbose']: chop.tsprnt("%s:%s->%s:%s (%i)" % (src, sport, dst, dport, tcp.client.count_new)) try: tcp.stream_data['cp'].res_data( tcp.client.data[:tcp.client.count_new]) except htpy.stop: tcp.stop() except htpy.error: chop.prnt("Stream error in htpy.") tcp.stop() tcp.discard(tcp.client.count_new) return
def handleStream(tcp): ((src, sport), (dst, dport)) = parse_addr(tcp) if tcp.server.count_new > 0: data = tcp.server.data[: tcp.server.count_new] count = tcp.server.count_new direction = "to_server" color = "RED" else: data = tcp.client.data[: tcp.client.count_new] count = tcp.client.count_new direction = "to_client" color = "GREEN" if tcp.module_data["verbose"]: chop.tsprettyprnt(color, "%s:%s -> %s:%s %i bytes (H = %0.2f)" % (src, sport, dst, dport, count, entropy(data))) if tcp.module_data["oneshot"]: tcp.stream_data["data"] += data if tcp.module_data["oneshot_split"]: tcp.stream_data[direction] += data if tcp.module_data["oneshot"] or tcp.module_data["oneshot_split"]: return handle_bytes(data, color, direction, tcp.module_data) tcp.discard(count)
def handleStream(tcp): ((src, sport), (dst, dport)) = parse_addr(tcp) if tcp.client.count_new > 0: data = tcp.client.data[:tcp.client.count_new] count = tcp.client.count_new if tcp.stream_data['dump']: chop.tsprnt("%s:%s -> %s:%s %i bytes" % ( src, sport, dst, dport, count, )) chop.prnt(hexdump(data)) if data[:3] in [ '\x18\x03\x00', '\x18\x03\x01', '\x18\x03\x02', '\x18\x03\x03' ]: chop.tsprnt("%s:%s -> %s:%s %i bytes" % ( src, sport, dst, dport, count, )) chop.prnt(hexdump(data[8:])) tcp.stream_data['dump'] = True if tcp.client.server_new > 0: count = tcp.server.count_new tcp.discard(count)
def handleStream(tcp): ((src, sport), (dst, dport)) = parse_addr(tcp) if tcp.server.count_new > 0: if tcp.module_data['verbose']: chop.tsprnt("%s:%s->%s:%s (%i)" % (src, sport, dst, dport, tcp.server.count_new)) try: tcp.stream_data['cp'].req_data(tcp.server.data[:tcp.server.count_new]) except htpy.stop: tcp.stop() except htpy.error: chop.prnt("Stream error in htpy.") tcp.stop() tcp.discard(tcp.server.count_new) elif tcp.client.count_new > 0: if tcp.module_data['verbose']: chop.tsprnt("%s:%s->%s:%s (%i)" % (src, sport, dst, dport, tcp.client.count_new)) try: tcp.stream_data['cp'].res_data(tcp.client.data[:tcp.client.count_new]) except htpy.stop: tcp.stop() except htpy.error: chop.prnt("Stream error in htpy.") tcp.stop() tcp.discard(tcp.client.count_new) return
def handleStream(tcp): chopp = ChopProtocol('http') ((src, sport), (dst, dport)) = parse_addr(tcp) tcp.stream_data['htpy_obj'].timestamp = tcp.timestamp if tcp.server.count_new > 0: if tcp.module_data['options']['verbose']: chop.tsprnt("%s:%s->%s:%s (%i)" % (src, sport, dst, dport, tcp.server.count_new)) if tcp.server.count_new == 1 and tcp.module_data['options']['beast']: tcp.discard(0) else: data_size = tcp.server.count - tcp.server.offset try: tcp.stream_data['connparser'].\ req_data(tcp.server.data[:data_size]) except htpy.stop: tcp.stop() except htpy.error: if tcp.module_data['options']['verbose']: chop.tsprnt("Stream error in htpy.") tcp.stop() tcp.discard(data_size) elif tcp.client.count_new > 0: if tcp.module_data['options']['verbose']: chop.tsprnt("%s:%s->%s:%s (%i)" % (src, sport, dst, dport, tcp.client.count_new)) if tcp.client.count_new == 1 and tcp.module_data['options']['beast']: tcp.discard(0) else: data_size = tcp.client.count - tcp.client.offset try: tcp.stream_data['connparser'].\ res_data(tcp.client.data[:data_size]) except htpy.stop: tcp.stop() except htpy.error: if tcp.module_data['options']['verbose']: chop.tsprnt("Stream error in htpy.") tcp.stop() tcp.discard(data_size) if tcp.stream_data['htpy_obj'].ready: trans = tcp.stream_data['htpy_obj'].transaction chopp.setClientData(trans['request']) chopp.setServerData(trans['response']) chopp.setTimeStamp(trans['timestamp']) chopp.setAddr(tcp.addr) chopp.flowStart = tcp.stream_data['htpy_obj'].flowStart tcp.stream_data['htpy_obj'].ready = False tcp.stream_data['htpy_obj'].temp = {} tcp.stream_data['htpy_obj'].transaction = {} return chopp return None
def handleStream(tcp): """ Analyze payloads with Yara. handleStream behaves differently based upon processing mode. If mode is set to 'packet', each packet's payload is individually analyzed with yara. If mode is set to 'fixed_buffer' or 'sliding_window', packet payloads are appended to the analysis buffer. The 'session' mode is not handled inside of handleStream. """ ((src, sport), (dst, dport)) = parse_addr(tcp) # Check for new packets received by the server if tcp.server.count_new: tcp.stream_data['server_buffer'] += tcp.server.data[:tcp.server.count_new] if tcp.module_data['verbose']: chop.tsprettyprnt("RED", "%s:%s -> %s:%s %i bytes" % (src, sport, dst, dport, tcp.server.count_new)) if tcp.module_data['mode'] == 'packet': tcp.stream_data['server_processor'].data = tcp.server.data[:tcp.server.count_new] results = tcp.stream_data['server_processor'].analyze() tcp.stream_data['server_results'] += results elif tcp.module_data['mode'] in ['fixed_buffer', 'sliding_window']: tcp.stream_data['server_processor'].data += tcp.server.data[:tcp.server.count_new] # Check for new packets received by the client if tcp.client.count_new: tcp.stream_data['client_buffer'] += tcp.client.data[:tcp.client.count_new] if tcp.module_data['verbose']: chop.tsprettyprnt("RED", "%s:%s -> %s:%s %i bytes" % (dst, dport, src, sport, tcp.client.count_new)) if tcp.module_data['mode'] == 'packet': tcp.stream_data['client_processor'].data = tcp.client.data[:tcp.client.count_new] results = tcp.stream_data['client_processor'].analyze() tcp.stream_data['client_results'] += results elif tcp.module_data['mode'] in ['fixed_buffer', 'sliding_window']: tcp.stream_data['client_processor'].data += tcp.client.data[:tcp.client.count_new] # if we are analyzing whole sessions, discard 0 bytes if tcp.module_data['mode'] == 'session': tcp.discard(0) # Handle printing and optionally saving results to file handle_results(tcp)
def handleStream(tcp): ((src, sport), (dst, dport)) = parse_addr(tcp) if tcp.client.count_new > 0: data = tcp.client.data[: tcp.client.count_new] count = tcp.client.count_new if tcp.stream_data["dump"]: chop.tsprnt("%s:%s -> %s:%s %i bytes" % (src, sport, dst, dport, count)) chop.prnt(hexdump(data)) if data[:3] in ["\x18\x03\x00", "\x18\x03\x01", "\x18\x03\x02", "\x18\x03\x03"]: chop.tsprnt("%s:%s -> %s:%s %i bytes" % (src, sport, dst, dport, count)) chop.prnt(hexdump(data[8:])) tcp.stream_data["dump"] = True tcp.discard(count)
def handleStream(tcp): ((src, sport), (dst, dport)) = parse_addr(tcp) if tcp.server.count_new > 0: data = tcp.server.data[:tcp.server.count_new] count = tcp.server.count_new direction = 'to_server' color = "RED" else: data = tcp.client.data[:tcp.client.count_new] count = tcp.client.count_new direction = 'to_client' color = "GREEN" handle_bytes(data, color, direction, tcp.module_data) tcp.discard(count)
def handleStream(tcp): ((src, sport), (dst, dport)) = parse_addr(tcp) if tcp.client.count_new > 0: data = tcp.client.data[:tcp.client.count_new] count = tcp.client.count_new if tcp.stream_data['dump']: chop.tsprnt("%s:%s -> %s:%s %i bytes" % (src, sport, dst, dport, count,)) chop.prnt(hexdump(data)) if data[:3] in ['\x18\x03\x00', '\x18\x03\x01', '\x18\x03\x02', '\x18\x03\x03']: chop.tsprnt("%s:%s -> %s:%s %i bytes" % (src, sport, dst, dport, count,)) chop.prnt(hexdump(data[8:])) tcp.stream_data['dump'] = True if tcp.client.server_new > 0: count = tcp.server.count_new tcp.discard(count)
def decode(msg, tcp): ((src, sport), (dst, dport)) = parse_addr(tcp) # chop.tsprnt("%s:%i->%s:%i" % (src, sport, dst, dport), None) # If this is a shell session, just dump the contents. if tcp.stream_data["shell"] == True: chop.prnt("\n%s" % msg) return # Grab the token and decode if possible. b = struct.unpack("c", msg[:1])[0] if b in tcp.module_data["tokens"]: msg = msg[1:] tcp.module_data["tokens"][b](msg, tcp) else: chop.prnt("Unknown token: 0x%02x" % ord(b)) chop.prnt("%s" % hexdump(msg))
def decode(msg, tcp): ((src, sport), (dst, dport)) = parse_addr(tcp) #chop.tsprnt("%s:%i->%s:%i" % (src, sport, dst, dport), None) # If this is a shell session, just dump the contents. if tcp.stream_data['shell'] == True: chop.prnt("\n%s" % msg) return # Grab the token and decode if possible. b = struct.unpack('c', msg[:1])[0] if b in tcp.module_data['tokens']: msg = msg[1:] tcp.module_data['tokens'][b](msg, tcp) else: chop.prnt("Unknown token: 0x%02x" % ord(b)) chop.prnt("%s" % hexdump(msg))
def handleStream(tcp): ((src, sport), (dst, dport)) = parse_addr(tcp) if tcp.server.count_new > 0: data = tcp.server.data[:tcp.server.count_new] count = tcp.server.count_new color = "RED" else: data = tcp.client.data[:tcp.client.count_new] count = tcp.client.count_new color = "GREEN" if tcp.module_data['verbose']: chop.tsprettyprnt(color, "%s:%s -> %s:%s %i bytes" % (src, sport, dst, dport, count)) if 'xor_key' in tcp.module_data: data = multibyte_xor(data, tcp.module_data['xor_key']) if tcp.module_data['hexdump']: data = hexdump(data) chop.prettyprnt(color, data) tcp.discard(count)
def handleStream(tcp): chopp = ChopProtocol('http') ((src, sport), (dst, dport)) = parse_addr(tcp) tcp.stream_data['htpy_obj']['timestamp'] = tcp.timestamp if tcp.server.count_new > 0: if tcp.module_data['options']['verbose']: chop.tsprnt("%s:%s->%s:%s (%i)" % (src, sport, dst, dport, tcp.server.count_new)) try: tcp.stream_data['connparser'].req_data( tcp.server.data[:tcp.server.count_new]) except htpy.stop: tcp.stop() except htpy.error: chop.prnt("Stream error in htpy.") tcp.stop() tcp.discard(tcp.server.count_new) elif tcp.client.count_new > 0: if tcp.module_data['options']['verbose']: chop.tsprnt("%s:%s->%s:%s (%i)" % (src, sport, dst, dport, tcp.client.count_new)) try: tcp.stream_data['connparser'].res_data( tcp.client.data[:tcp.client.count_new]) except htpy.stop: tcp.stop() except htpy.error: chop.prnt("Stream error in htpy.") tcp.stop() tcp.discard(tcp.client.count_new) if tcp.stream_data['htpy_obj']['ready']: trans = tcp.stream_data['htpy_obj']['transaction'] chopp.setClientData(trans['request']) chopp.setServerData(trans['response']) chopp.setTimeStamp(trans['timestamp']) chopp.setAddr(tcp.addr) chopp.flowStart = tcp.stream_data['htpy_obj']['flowStart'] tcp.stream_data['htpy_obj']['ready'] = False return chopp return None
def handleStream(tcp): ((src, sport), (dst, dport)) = parse_addr(tcp) if tcp.server.count_new > 0: data = tcp.server.data[:tcp.server.count_new] count = tcp.server.count_new color = "RED" else: data = tcp.client.data[:tcp.client.count_new] count = tcp.client.count_new color = "GREEN" if tcp.module_data['verbose']: chop.tsprettyprnt( color, "%s:%s -> %s:%s %i bytes" % (src, sport, dst, dport, count)) if 'xor_key' in tcp.module_data: data = multibyte_xor(data, tcp.module_data['xor_key']) if tcp.module_data['hexdump']: data = hexdump(data) chop.prettyprnt(color, data) tcp.discard(count)
def handleStream(tcp): ((src, sport), (dst, dport)) = parse_addr(tcp) if tcp.server.count_new > 0: data = tcp.server.data[:tcp.server.count_new] count = tcp.server.count_new direction = 'to_server' color = "RED" else: data = tcp.client.data[:tcp.client.count_new] count = tcp.client.count_new direction = 'to_client' color = "GREEN" if tcp.module_data['verbose']: chop.tsprettyprnt( color, "%s:%s -> %s:%s %i bytes (H = %0.2f)" % (src, sport, dst, dport, count, entropy(data))) if tcp.module_data['oneshot']: tcp.stream_data['data'] += data if tcp.module_data['oneshot_split']: tcp.stream_data[direction] += data if tcp.module_data['oneshot'] or tcp.module_data['oneshot_split']: return if 'xor_key' in tcp.module_data: data = multibyte_xor(data, tcp.module_data['xor_key']) if tcp.module_data['hexdump']: data = hexdump(data) if module_data['base64']: data = b64encode(data) chop.prettyprnt(color, data) chop.json({'payload': data, 'direction': direction}) tcp.discard(count)
def find_flag(data, tcp): ((src, sport), (dst, dport)) = parse_addr(tcp) flag = '' module_data = tcp.module_data for i in range(tcp.module_data['wsize'] - 3): compressed_len = struct.unpack('<I', data[i:i + 4])[0] if compressed_len == len(data): flag = data[:i] i += 4 uncompressed_len = struct.unpack('<I', data[i:i + 4])[0] i += 4 if module_data['verbose']: chop.tsprnt("Gh0st found: %s:%i->%s:%i (%i)" % (src, sport, dst, dport, compressed_len)) chop.tsprnt("\tFlag: %s (0x%s)" % (flag, binascii.hexlify(flag))) chop.tsprnt("\tUncompressed length: %i" % uncompressed_len) zlib_hdr = struct.unpack('>H', data[i:i + 2])[0] if zlib_hdr == 30876: # \x78\x9c tcp.stream_data['zlib'] = True if module_data['verbose']: chop.tsprnt("\tzlib header found") if len(data) == compressed_len: msg = zlib.decompress(data[i:]) # Sanity check if len(msg) != uncompressed_len: chop.tsprnt("Uncompressed size mismatch.") tcp.stop() return None else: tcp.stream_data['zlib'] = False if module_data['verbose']: chop.tsprnt("\tno zlib header found") msg = data[i:] decode(msg, tcp) break return flag
def handleStream(tcp): chopp = ChopProtocol('http') ((src, sport), (dst, dport)) = parse_addr(tcp) tcp.stream_data['htpy_obj']['timestamp'] = tcp.timestamp if tcp.server.count_new > 0: if tcp.module_data['options']['verbose']: chop.tsprnt("%s:%s->%s:%s (%i)" % (src, sport, dst, dport, tcp.server.count_new)) try: tcp.stream_data['connparser'].req_data(tcp.server.data[:tcp.server.count_new]) except htpy.stop: tcp.stop() except htpy.error: chop.prnt("Stream error in htpy.") tcp.stop() tcp.discard(tcp.server.count_new) elif tcp.client.count_new > 0: if tcp.module_data['options']['verbose']: chop.tsprnt("%s:%s->%s:%s (%i)" % (src, sport, dst, dport, tcp.client.count_new)) try: tcp.stream_data['connparser'].res_data(tcp.client.data[:tcp.client.count_new]) except htpy.stop: tcp.stop() except htpy.error: chop.prnt("Stream error in htpy.") tcp.stop() tcp.discard(tcp.client.count_new) if tcp.stream_data['htpy_obj']['ready']: trans = tcp.stream_data['htpy_obj']['transaction'] chopp.setClientData(trans['request']) chopp.setServerData(trans['response']) chopp.setTimeStamp(trans['timestamp']) chopp.setAddr(tcp.addr) chopp.flowStart = tcp.stream_data['htpy_obj']['flowStart'] tcp.stream_data['htpy_obj']['ready'] = False return chopp return None
def find_flag(data, tcp): ((src, sport), (dst, dport)) = parse_addr(tcp) flag = '' for i in range(tcp.module_data['wsize'] - 3): compressed_len = struct.unpack('<I', data[i:i + 4])[0] if compressed_len == len(data): flag = data[:i] i += 4 uncompressed_len = struct.unpack('<I', data[i:i + 4])[0] i += 4 if module_data['verbose']: chop.tsprnt("Gh0st found: %s:%i->%s:%i (%i)" % (src, sport, dst, dport, compressed_len)) chop.tsprnt("\tFlag: %s (0x%s)" % (flag, binascii.hexlify(flag))) chop.tsprnt("\tUncompressed length: %i" % uncompressed_len) zlib_hdr = struct.unpack('>H', data[i:i + 2])[0] if zlib_hdr == 30876: # \x78\x9c tcp.stream_data['zlib'] = True if module_data['verbose']: chop.tsprnt("\tzlib header found") if len(data) == compressed_len: msg = zlib.decompress(data[i:]) # Sanity check if len(msg) != uncompressed_len: chop.tsprnt("Uncompressed size mismatch.") tcp.stop() return None else: tcp.stream_data['zlib'] = False if module_data['verbose']: chop.tsprnt("\tno zlib header found") msg = data[i:] decode(msg, tcp) break return flag
def handleStream(tcp): ((src, sport), (dst, dport)) = parse_addr(tcp) if tcp.server.count_new > 0: data = tcp.server.data[:tcp.server.count_new] count = tcp.server.count_new direction = 'to_server' color = "RED" else: data = tcp.client.data[:tcp.client.count_new] count = tcp.client.count_new direction = 'to_client' color = "GREEN" if tcp.module_data['verbose']: chop.tsprettyprnt(color, "%s:%s -> %s:%s %i bytes (H = %0.2f)" % (src, sport, dst, dport, count, entropy(data))) if tcp.module_data['oneshot']: tcp.stream_data['data'] += data if tcp.module_data['oneshot_split']: tcp.stream_data[direction] += data if tcp.module_data['oneshot'] or tcp.module_data['oneshot_split']: return if 'xor_key' in tcp.module_data: data = multibyte_xor(data, tcp.module_data['xor_key']) if tcp.module_data['hexdump']: data = hexdump(data) if tcp.module_data['base64']: data = b64encode(data) chop.prettyprnt(color, data) chop.json({'payload': data, 'direction': direction}) tcp.discard(count)
def handle_results(tcp): """Print and save results.""" ((src, sport), (dst, dport)) = parse_addr(tcp) # print results for match in tcp.stream_data['server_processor'].results: if not module_data['quiet']: chop.tsprnt('Stream: Match found; %s:%s --> %s:%s' % (src, sport, dst, dport)) chop.prnt(match) # Save results if tcp.module_data['save']: output = 'Match found in server stream; src=%s; sport=%s; dst=%s; dport=%s\n' \ % (src, sport, dst, dport) output += str(match) + '\n\n' output += hexdump(tcp.stream_data['server_buffer']) + '\n' chop.appendfile(tcp.module_data['save'], output) chop.json(match) tcp.stream_data['server_processor'].clear_results() # print results for match in tcp.stream_data['client_processor'].results: if not module_data['quiet']: chop.tsprnt('Stream: Match found; %s:%s --> %s:%s' % (dst, dport, src, sport)) chop.tsprnt(match) # Save results if tcp.module_data['save']: output = 'Match found in client stream; src=%s; sport=%s; dst=%s; dport=%s\n' \ % (dst, dport, src, sport) output += str(match) + '\n\n' output += hexdump(tcp.stream_data['client_buffer']) + '\n' chop.appendfile(tcp.module_data['save'], output) chop.json(match) tcp.stream_data['client_processor'].clear_results()
def handleStream(tcp): key = str(tcp.addr) ((src, sport), (dst, dport)) = parse_addr(tcp) if tcp.module_data['isodate']: timestamp = packet_isodate(tcp.timestamp) else: timestamp = packet_timedate(tcp.timestamp) ps = tcp.module_data['pcap_summary']['data'] cs = tcp.module_data['streams'][key]['data'] if tcp.server.count_new > 0: comm = { 'data_to': 'S', 'data_len': tcp.server.count_new, 'entropy': entropy(tcp.server.data[:tcp.server.count_new]) } cs['comm_order'].append(comm) cs['server_data_transfer'] += tcp.server.count_new ps['total_data_transfer'] += tcp.server.count_new tcp.discard(tcp.server.count_new) else: comm = { 'data_to': 'C', 'data_len': tcp.client.count_new, 'entropy': entropy(tcp.client.data[:tcp.client.count_new]) } cs['comm_order'].append(comm) cs['client_data_transfer'] += tcp.client.count_new ps['total_data_transfer'] += tcp.client.count_new tcp.discard(tcp.client.count_new) cs['end_time'] = timestamp cs['total_packets'] += 1 ps['total_packets'] += 1 ps['end_time'] = timestamp return
def handleStream(tcp): key = str(tcp.addr) ((src, sport), (dst, dport)) = parse_addr(tcp) if tcp.module_data["isodate"]: timestamp = packet_isodate(tcp.timestamp) else: timestamp = packet_timedate(tcp.timestamp) ps = tcp.module_data["pcap_summary"]["data"] cs = tcp.module_data["streams"][key]["data"] if tcp.server.count_new > 0: comm = { "data_to": "S", "data_len": tcp.server.count_new, "entropy": entropy(tcp.server.data[: tcp.server.count_new]), } cs["comm_order"].append(comm) cs["server_data_transfer"] += tcp.server.count_new ps["total_data_transfer"] += tcp.server.count_new tcp.discard(tcp.server.count_new) else: comm = { "data_to": "C", "data_len": tcp.client.count_new, "entropy": entropy(tcp.client.data[: tcp.client.count_new]), } cs["comm_order"].append(comm) cs["client_data_transfer"] += tcp.client.count_new ps["total_data_transfer"] += tcp.client.count_new tcp.discard(tcp.client.count_new) cs["end_time"] = timestamp cs["total_packets"] += 1 ps["total_packets"] += 1 ps["end_time"] = timestamp return
def handleStream(tcp): # Make sure this is really SSL. Sadly we can't do this in taste() # because there is no payload data available that early. data = '' ((src, sport), (dst, dport)) = parse_addr(tcp) server_dlen = tcp.server.count - tcp.server.offset client_dlen = tcp.client.count - tcp.client.offset # If we haven't identified this as SSL yet if tcp.stream_data['ssl'] == False: # Do we have enough data for checks? if tcp.server.count_new > 0 and server_dlen > 7: # Check if proxy CONNECT if tcp.server.data[:8] == "CONNECT ": if tcp.module_data['verbose']: chop.tsprnt("%s:%i -> %s:%i (%i) - CONNECT (ignored)" % (src, sport, dst, dport, server_dlen)) tcp.discard(server_dlen) return # Otherwise, prepare to check if SSL handshake data = tcp.server.data[:3] # Do we have enough data for checks? elif tcp.client.count_new > 0 and client_dlen > 5: # Check if proxy CONNECT response if tcp.client.data[:6] == "HTTP/1": if tcp.module_data['verbose']: chop.tsprnt("%s:%i -> %s:%i (%i) - HTTP/1 (ignored)" % (src, sport, dst, dport, client_dlen)) tcp.discard(client_dlen) return # Otherwise, prepare to check if SSL handshake data = tcp.client.data[:3] else: # Need more data return # We have data, so check if it is SSL Handshake. # There's probably more to this, but this is good enough for now. if data in ('\x16\x03\x00', '\x16\x03\x01', '\x16\x03\x02', '\x16\x03\x03'): tcp.stream_data['ssl'] = True tcp.stream_data['chopp'] = sslimChopProtocol() tcp.module_data['sslim'].callback_obj = tcp.stream_data['chopp'] else: if tcp.module_data['verbose']: chop.tsprnt("%s:%i -> %s:%i: Stopping, not really SSL!" % (src, sport, dst, dport)) tcp.module_data['sslim'].done(tcp.addr) tcp.stop() return # Always clear out any existing data. tcp.stream_data['chopp'].clientData = '' tcp.stream_data['chopp'].serverData = '' tcp.stream_data['chopp'].metadata = [] # We have identified this connection as SSL, so just process the packets if tcp.server.count_new > 0: if tcp.module_data['verbose']: chop.tsprnt("%s:%s -> %s:%s (%i)" % (src, sport, dst, dport, len(tcp.server.data[:tcp.server.count_new]))) try: tcp.module_data['sslim'].parse_to_server( tcp.server.data[:tcp.server.count_new], tcp.addr) except sslimException as e: if tcp.module_data['verbose']: chop.prnt(e) tcp.module_data['sslim'].done(tcp.addr) tcp.stop() return tcp.discard(tcp.server.count_new) if tcp.client.count_new > 0: if tcp.module_data['verbose']: chop.tsprnt("%s:%s -> %s:%s (%i)" % (src, sport, dst, dport, len(tcp.client.data[:tcp.client.count_new]))) try: tcp.module_data['sslim'].parse_to_client( tcp.client.data[:tcp.client.count_new], tcp.addr) except sslimException as e: if tcp.module_data['verbose']: chop.prnt(e) tcp.module_data['sslim'].done(tcp.addr) tcp.stop() return tcp.discard(tcp.client.count_new) if (tcp.stream_data['chopp'].clientData or tcp.stream_data['chopp'].serverData or tcp.stream_data['chopp'].metadata): return tcp.stream_data['chopp'] return
def handleStream(tcp): # Make sure this is really SSL. Sadly we can't do this in taste() # because there is no payload data available that early. data = '' ((src, sport), (dst, dport)) = parse_addr(tcp) server_dlen = tcp.server.count - tcp.server.offset client_dlen = tcp.client.count - tcp.client.offset # If we haven't identified this as SSL yet if tcp.stream_data['ssl'] == False: # Do we have enough data for checks? if tcp.server.count_new > 0 and server_dlen > 7: # Check if proxy CONNECT if tcp.server.data[:8] == "CONNECT ": if tcp.module_data['verbose']: chop.tsprnt("%s:%i -> %s:%i (%i) - CONNECT (ignored)" % (src, sport, dst, dport, server_dlen)) tcp.discard(server_dlen) return # Otherwise, prepare to check if SSL handshake data = tcp.server.data[:3] # Do we have enough data for checks? elif tcp.client.count_new > 0 and client_dlen > 5: # Check if proxy CONNECT response if tcp.client.data[:6] == "HTTP/1": if tcp.module_data['verbose']: chop.tsprnt("%s:%i -> %s:%i (%i) - HTTP/1 (ignored)" % (src, sport, dst, dport, client_dlen)) tcp.discard(client_dlen) return # Otherwise, prepare to check if SSL handshake data = tcp.client.data[:3] else: # Need more data return # We have data, so check if it is SSL Handshake. # There's probably more to this, but this is good enough for now. if data in ('\x16\x03\x00', '\x16\x03\x01', '\x16\x03\x02', '\x16\x03\x03'): tcp.stream_data['ssl'] = True tcp.stream_data['chopp'] = ChopProtocol('sslim') tcp.module_data['sslim'].callback_obj = tcp.stream_data['chopp'] else: if tcp.module_data['verbose']: chop.tsprnt("%s:%i -> %s:%i: Stopping collection, not really SSL!" % (src, sport, dst, dport)) tcp.module_data['sslim'].done(tcp.addr) tcp.stop() return # Always clear out any existing data. tcp.stream_data['chopp'].clientData = '' tcp.stream_data['chopp'].serverData = '' # We have identified this connection as SSL, so just process the packets if tcp.server.count_new > 0: if tcp.module_data['verbose']: chop.tsprnt("%s:%s -> %s:%s (%i)" % (src, sport, dst, dport, len(tcp.server.data[:tcp.server.count_new]))) try: tcp.module_data['sslim'].parse_to_server(tcp.server.data[:tcp.server.count_new], tcp.addr) except sslimException as e: if tcp.module_data['verbose']: chop.prnt(e) tcp.module_data['sslim'].done(tcp.addr) tcp.stop() return tcp.discard(tcp.server.count_new) if tcp.client.count_new > 0: if tcp.module_data['verbose']: chop.tsprnt("%s:%s -> %s:%s (%i)" % (src, sport, dst, dport, len(tcp.client.data[:tcp.client.count_new]))) try: tcp.module_data['sslim'].parse_to_client(tcp.client.data[:tcp.client.count_new], tcp.addr) except sslimException as e: if tcp.module_data['verbose']: chop.prnt(e) tcp.module_data['sslim'].done(tcp.addr) tcp.stop() return tcp.discard(tcp.client.count_new) if tcp.stream_data['chopp'].clientData or tcp.stream_data['chopp'].serverData: return tcp.stream_data['chopp'] return
def handleStream(tcp): """ Analyze payloads with Yara. handleStream behaves differently based upon processing mode. If mode is set to 'packet', each packet's payload is individually analyzed with yara. If mode is set to 'fixed_buffer' or 'sliding_window', packet payloads are appended to the analysis buffer. The 'session' mode is not handled inside of handleStream. """ ((src, sport), (dst, dport)) = parse_addr(tcp) # Check for new packets received by the server if tcp.server.count_new: tcp.stream_data['server_buffer'] += tcp.server.data[:tcp.server. count_new] if tcp.module_data['verbose']: chop.tsprettyprnt( "RED", "%s:%s -> %s:%s %i bytes" % (src, sport, dst, dport, tcp.server.count_new)) if tcp.module_data['mode'] == 'packet': tcp.stream_data[ 'server_processor'].data = tcp.server.data[:tcp.server. count_new] results = tcp.stream_data['server_processor'].analyze() tcp.stream_data['server_results'] += results elif tcp.module_data['mode'] in ['fixed_buffer', 'sliding_window']: tcp.stream_data[ 'server_processor'].data += tcp.server.data[:tcp.server. count_new] # Check for new packets received by the client if tcp.client.count_new: tcp.stream_data['client_buffer'] += tcp.client.data[:tcp.client. count_new] if tcp.module_data['verbose']: chop.tsprettyprnt( "RED", "%s:%s -> %s:%s %i bytes" % (dst, dport, src, sport, tcp.client.count_new)) if tcp.module_data['mode'] == 'packet': tcp.stream_data[ 'client_processor'].data = tcp.client.data[:tcp.client. count_new] results = tcp.stream_data['client_processor'].analyze() tcp.stream_data['client_results'] += results elif tcp.module_data['mode'] in ['fixed_buffer', 'sliding_window']: tcp.stream_data[ 'client_processor'].data += tcp.client.data[:tcp.client. count_new] # if we are analyzing whole sessions, discard 0 bytes if tcp.module_data['mode'] == 'session': tcp.discard(0) # Handle printing and optionally saving results to file handle_results(tcp)
def _stream_ended_(frame, direction, tcp): hash_fn = tcp.module_data['options']['hash_fn'] transaction = { 'timestamp': tcp.stream_data['stream_cache'][frame.stream_id]['start'], 'request': { 'truncated': False, #TODO support this 'body': None, 'body_len': 0, 'body_hash': '', 'hash_fn': hash_fn, 'protocol': '2' }, 'response': { 'truncated': False, 'body': None, 'body_len': 0, 'body_hash': '', 'hash_fn': hash_fn, } } if tcp.stream_data['stream_cache'][frame.stream_id][direction][ 'stream_ended'] and tcp.stream_data['stream_cache'][ frame.stream_id][_opposite_direction_( direction)]['stream_ended']: #chop.prnt("Stream: %d" % (frame.stream_id)) for d in ['request', 'response']: headers = copy.deepcopy( tcp.stream_data['stream_cache'][frame.stream_id][d]['headers']) if d == 'request': headers[':stream_id'] = frame.stream_id method = headers.get(':method', None) path = headers.get(':path', None) if ':method' in headers: del headers[':method'] if ':path' in headers: del headers[':path'] transaction[d]['method'] = method transaction[d]['uri'] = path else: status = headers.get(':status', None) if ':status' in headers: del headers[':status'] transaction[d]['status'] = status transaction[d]['headers'] = headers #chop.prnt("\tHeaders: %s" % (headers)) if tcp.stream_data['stream_cache'][ frame.stream_id][d]['data'] is not None: content_encoding = headers.get('content-encoding', None) mimetype = headers.get('content-type', None) if mimetype is not None: mimetype = mimetype.split(';', 1)[0] content_disposition = headers.get('content-disposition', None) if content_encoding == 'gzip': try: dataStream = BytesIO(tcp.stream_data['stream_cache'][ frame.stream_id][d]['data']) gdata = gzip.GzipFile(fileobj=dataStream, mode='rb') data = gdata.read() except Exception as e: chop.prnt("Warning: Unable to gzip file") data = tcp.stream_data['stream_cache'][ frame.stream_id][d]['data'] else: data = tcp.stream_data['stream_cache'][ frame.stream_id][d]['data'] if mimetype is None: try: import magic except ImportError: pass else: try: mimetype = magic.from_buffer(data, mime=True) except Exception as e: chop.prnt( "Warning: Unable to get mime type of file: %s" % (str(e))) filename = 'noname' if d == 'response': if content_disposition is None: if transaction['request']['uri'] is not None: raw_path = transaction['request']['uri'] raw_path = raw_path.split('?', 1)[0] path_parts = os.path.split(raw_path) outPath = None while (len(path_parts) > 0): if path_parts[-1] == '': path_parts = path_parts[:-1] continue else: outPath = os.path.basename(path_parts[-1]) break if outPath is None or outPath == '': outPath = 'index' filename = sanitize_filename(outPath) else: filename = sanitize_filename(content_disposition) #chop.prnt("\tData Name: %s, Length: %d, Type: %s" % (filename, len(data), mimetype)) ((src, sport), (dst, dport)) = parse_addr(tcp) chop.savefile( "%d-%s-%d-%s-%d-%d-%s" % (tcp.timestamp, src, sport, dst, dport, frame.stream_id, filename), data) transaction[d]['body'] = data transaction[d]['body_len'] = len(data) transaction[d]['body_hash'] = __hash_function__( data).hexdigest() #chop.prnt("\n") #chop.prnt('\n') del tcp.stream_data['stream_cache'][frame.stream_id] #chop.prnt(tcp.stream_data['stream_cache'].keys()) #chop.prnt(json.dumps(transaction, indent=4)) chopp = ChopProtocol('http') chopp.setClientData(transaction['request']) chopp.setServerData(transaction['response']) chopp.setTimeStamp(transaction['timestamp']) chopp.setAddr(tcp.addr) chopp.flowStart = tcp.stream_data['flowStart'] return chopp else: return None
def handleStream(tcp): ((src, sport), (dst, dport)) = parse_addr(tcp) data = None discard = 0 new = 0 direction = None completeStreams = [] if tcp.server.count_new > 0: direction = 'request' #chop.prnt(hexdump.hexdump(tcp.server.data[:tcp.server.count_new], result='return')) if not tcp.stream_data['stream_started']: # Check for preface/magic if tcp.server.count_new >= len(PREFACE): if tcp.server.data[:tcp.server.count_new][:24] == PREFACE: tcp.stream_data['stream_started'] = True if tcp.module_data['options']['verbose']: chop.tsprnt("New session: %s:%s->%s:%s" % (src, sport, dst, dport)) data = tcp.server.data[24:tcp.server.count_new] discard += 24 else: tcp.stream_data['client_count'] += 1 if tcp.stream_data['client_count'] < 3 and tcp.module_data[ 'options']['forgiving']: tcp.discard(tcp.server.count_new) return else: tcp.stop() return if tcp.stream_data['stream_started']: if data is None: data = tcp.server.data[:tcp.server.count - tcp.server.offset] elif tcp.client.count_new > 0: direction = 'response' #chop.prnt(hexdump.hexdump(tcp.stream_data['buffer'], result='return')) #chop.prnt(tcp.client.offset, tcp.client.count, tcp.client.count_new) if tcp.stream_data['stream_started']: if data is None: data = tcp.client.data[:tcp.client.count - tcp.client.offset] elif tcp.module_data['options']['forgiving']: tcp.discard(tcp.client.count_new) return else: return if tcp.stream_data['stream_started']: try: for (frame, ddiscard) in _process_frames_( data, tcp.stream_data['hpack_client_decoder'] if direction == 'request' else tcp.stream_data['hpack_server_decoder']): #chop.prnt("%s\tType: %s, Stream: %d, Length: %d, Flags: %x" % ('==>' if direction == 'request' else '<==', frame.header.frame_type, frame.header.stream_id, frame.header.length, frame.header.flags)) discard += ddiscard if False and isinstance(frame, HTTP2_RST_Frame): try: del tcp.stream_data['stream_cache'][frame.stream_id] except: pass else: _process_frame_(frame, direction, tcp) try: if frame.end_stream: tcp.stream_data['stream_cache'][frame.stream_id][ direction]['stream_ended'] = True chopp = _stream_ended_(frame, direction, tcp) if chopp is not None: completeStreams.append(chopp) except AttributeError: pass except FrameIncompleteError as e: tcp.discard(discard) return except Exception as e: chop.prnt(traceback.format_exc()) raise #chop.prnt("Discarding %d bytes (new %d) " % (discard, new)) tcp.discard(discard) if len(completeStreams) > 0: return completeStreams else: return None