Ejemplo n.º 1
    def write(self, *args, **kwargs):
        """Write one record, or buffer it under its group key.

        The output format is chosen lazily on the first call: a record
        carrying a ``clientip`` keyword selects ``_CONNECTION_FORMAT``,
        anything else ``_PACKET_FORMAT``.  When grouping is enabled the
        record's keyword dict is appended to ``self.group_cache`` under the
        tuple of its ``group_fields`` values (or under the reversed tuple
        when that one is already cached); otherwise it is handed straight
        to ``Output.write``.  A record missing a group field is logged and
        written out ungrouped.
        """
        if not self.format_is_set:
            # Pick the format from the first record we see.
            chosen = (
                self._CONNECTION_FORMAT
                if "clientip" in kwargs
                else self._PACKET_FORMAT
            )
            self.set_format(chosen)
            self.format_is_set = True

        if not self.group:
            # Not grouping: emit immediately.
            Output.write(self, *args, **kwargs)
            return

        try:
            key = tuple(kwargs[field] for field in self.group_fields)
        except KeyError as err:
            # Cannot build a group key for this record; fall back to
            # writing it out directly rather than dropping it.
            self.logger.error("Could not group by key %s" % str(err))
            Output.write(self, *args, **kwargs)
            return

        if key not in self.group_cache:
            # The reversed tuple is treated as the opposite direction of
            # the same conversation and merged into the existing group.
            # NOTE(review): this only pairs directions cleanly when
            # group_fields is a (src, dst) pair; with more fields the
            # reversed tuple is simply a different key — confirm intent.
            reversed_key = key[::-1]
            if reversed_key in self.group_cache:
                key = reversed_key
            else:
                self.group_cache[key] = []
        self.group_cache[key].append(kwargs)
Ejemplo n.º 2
 def __init__(self, *args, **kwargs):
     """Set up grouping state, then delegate to ``Output.__init__``.

     Passing ``group="f1/f2"`` enables grouping; the slash-separated
     names become ``self.group_fields``.  ``group_cache`` buffers records
     while grouping and ``format_is_set`` defers the output-format choice
     until the first write.  ``kwargs`` (including ``group``) is forwarded
     to ``Output.__init__`` unchanged.
     """
     self.group = 'group' in kwargs
     if self.group:
         self.group_fields = kwargs['group'].split('/')
     self.group_cache = {}  # buffered records, keyed by group tuple
     self.format_is_set = False  # format is chosen lazily on first write
     Output.__init__(self, *args, **kwargs)
Ejemplo n.º 3
 def close(self):
     """Flush any grouped records, then close the underlying output.

     Groups are emitted in sorted key order.  Each group gets a header
     line of ``field=value`` pairs (group field names paired with the
     key's values), then one tab-prefixed record per buffered entry via
     ``Output.write``, then a blank line.  The ``group`` flag is cleared
     first, as grouping is finished at this point.
     """
     if self.group:
         self.group = False
         for key in sorted(self.group_cache):
             pairs = [
                 '%s=%s' % (name, value)
                 for name, value in zip(self.group_fields, key)
             ]
             self.fh.write(' '.join(pairs) + "\n")
             for record in self.group_cache[key]:
                 self.fh.write("\t")
                 Output.write(self, **record)
             self.fh.write("\n")
     Output.close(self)
Ejemplo n.º 4
 def __init__(self, *args, **kwargs):
     """Register the Ethernet plugin with its options and output.

     Options declared here:
       org           -- organization name(s) to filter on; repeatable.
       org_exclusive -- make the organization filter exclusive.
       quiet         -- disable alerts for this plugin.
     ``oui_map`` is created empty; it is not filled in this method.
     """
     options = {
         "org": {
             # NOTE(review): a list default with action="append" is mutated
             # in place by argparse-style parsers — confirm this option
             # dict is not shared across parses.
             "default": [],
             "action": "append",
             "metavar": "ORGANIZATION",
             "help": "Organizations owning MAC address to inclusively filter on (exact match only). Can be used multiple times to look for multiple organizations.",
         },
         "org_exclusive": {
             "default": False,
             "action": "store_true",
             "help": "Set organization filter to be exclusive",
         },
         'quiet': {
             'action': 'store_true',
             'default': False,
             'help': 'disable alerts for this plugin',
         },
     }
     super().__init__(
         name="Ethernet",
         description="Show MAC address information and optionally filter by it",
         author="dev195",
         output=Output(label=__name__, format=self.OUTPUT_FORMAT),
         optiondict=options,
     )
     self.oui_map = {}  # starts empty; not populated here
Ejemplo n.º 5
    def __init__(self, *args, **kwargs):
        """Register the 802.11 plugin: BPF filter, output and options.

        The four ``ignore_*`` flags let the user drop management, control
        or data frames, or beacons, from the output.  The BPF selects
        management, control and data WLAN frames.
        """
        long_desc = """
Shows basic information for 802.11 packets, including:
 - Frame type
 - Encryption
 - Frame subtype
 - Data sample
"""
        frame_options = {
            "ignore_mgt": {
                "action": "store_true",
                "help": "Ignore management frames",
            },
            "ignore_ctl": {
                "action": "store_true",
                "help": "Ignore control frames",
            },
            "ignore_data": {
                "action": "store_true",
                "help": "Ignore data frames",
            },
            "ignore_beacon": {
                "action": "store_true",
                "help": "Ignore beacons",
            },
        }
        super().__init__(
            name="802.11",
            description="Show 802.11 packet information",
            author="dev195",
            bpf="wlan type mgt or wlan type ctl or wlan type data",
            output=Output(label=__name__, format=self.OUTPUT_FORMAT),
            optiondict=frame_options,
            longdescription=long_desc,
        )
Ejemplo n.º 6
 def __init__(self):
     """Register the xor plugin and its key options.

     ``key`` is the default xor key; ``cskey`` and ``sckey`` optionally
     override it for client-to-server and server-to-client data.  All
     three are declared as strings with metavar ``0xHH`` (the help text
     describes them as hex).  ``resync`` is a boolean flag.  The BPF
     restricts the plugin to TCP.
     """
     def hex_key_option(default, help_text):
         # The three key options share type and metavar; only the
         # default and help text differ.
         return {
             "type": str,
             "default": default,
             "help": help_text,
             "metavar": "0xHH",
         }

     options = {
         "key": hex_key_option("0xff", "xor key in hex format (default: 0xff)"),
         "cskey": hex_key_option(None, "xor key to use for client-to-server data (default: None)"),
         "sckey": hex_key_option(None, "xor key to use for server-to-client data (default: None)"),
         "resync": {
             "action": "store_true",
             "help": "resync the key index if the key is seen in the data",
         },
     }
     super().__init__(
         name="xor",
         description="XOR every packet with a given key",
         output=Output(label=__name__),
         bpf="tcp",
         author="twp,dev195",
         optiondict=options,
     )
Ejemplo n.º 7
 def __init__(self, *args, **kwargs):
     """Register the Wi-fi Beacons plugin and its grouping counters.

     ``group_counts`` tallies beacons per key and ``group_times`` records
     when a key was first touched: ``defaultdict(datetime.now)`` calls
     ``datetime.now()`` on first access, which yields a naive local-time
     timestamp.  The keys themselves are not set here (presumably SSIDs —
     verify against the handler).
     """
     options = {
         "group": {
             "action": "store_true",
             "help": "Group beacons together with counts",
         },
     }
     super().__init__(
         name="Wi-fi Beacons",
         description="Show SSIDs of 802.11 wireless beacons",
         author="dev195",
         bpf="wlan type mgt subtype beacon",
         output=Output(label=__name__, format=self.OUTPUT_FORMAT),
         optiondict=options,
     )
     self.group_counts = defaultdict(int)
     self.group_times = defaultdict(datetime.now)
Ejemplo n.º 8
 def __init__(self, *args, **kwargs):
     """Register the TRW (Threshold Random Walk) scanner detector.

     State created here: ``synners`` (a set, empty), ``ip_scores``
     (per-key score defaulting to 1) and ``classified_ips`` (a set,
     empty).  What the handler stores in them is not visible here —
     presumably IPs, per the names.  ``mark_benigns`` enables an upper
     threshold that retires IPs as benign.  ``OUTPUT_FORMAT`` is a
     module-level name, not an attribute of self.
     """
     options = {
         "mark_benigns": {
             "action": "store_true",
             "help": "Use an upper threshold to mark IPs as benign, thus removing them from consideration as scanners",
         },
     }
     super().__init__(
         name="trw",
         author="dev195",
         bpf="tcp",
         output=Output(label=__name__, format=OUTPUT_FORMAT),
         description="Uses Threshold Random Walk to detect network scanners",
         optiondict=options,
     )
     self.synners = set()
     self.ip_scores = defaultdict(lambda: 1)  # every IP starts at score 1
     self.classified_ips = set()
Ejemplo n.º 9
 def close(self):
     """Write the HTML footer to ``fh``, then close via ``Output.close``."""
     footer = self._HTML_FOOTER
     self.fh.write(footer)
     Output.close(self)
Ejemplo n.º 10
 def setup(self):
     """Run ``Output.setup`` first, then write the HTML header to ``fh``."""
     Output.setup(self)
     header = self._HTML_HEADER
     self.fh.write(header)