Esempio n. 1
0
    def test6(self):
        """ Several IPSets with no matching"""
        def ipset_callback(flow):
            self.called_callback += 1

        ipset1 = pyaiengine.IPSet("IPSet 1")
        ipset2 = pyaiengine.IPSet("IPSet 2")
        ipset3 = pyaiengine.IPSet("IPSet 3")
        ipset3.add_ip_address("dc20:c7f:2012:11::2")
        ipset2.add_ip_address("dcaa:c7f:2012:11::22")
        ipset1.add_ip_address("dcbb:c7f:2012:11::22")
        im = pyaiengine.IPSetManager()

        im.add_ip_set(ipset1)
        im.add_ip_set(ipset2)
        im.add_ip_set(ipset3)

        self.s.tcp_ip_set_manager = im

        self.dis.open("../pcapfiles/generic_exploit_ipv6_defcon20.pcap")
        self.dis.run()
        self.dis.close()

        self.assertEqual(len(im), 3)
        self.assertEqual(self.called_callback, 0)
        self.assertEqual(self.s.tcp_ip_set_manager, im)
Esempio n. 2
0
    def test7(self):
        """ Verify SSL traffic with domain callback and IPset"""
        def ipset_callback(flow):
            self.ip_called_callback += 1

        def domain_callback(flow):
            self.called_callback += 1

        ip = pyaiengine.IPSet("Specific IP address")
        ip.add_ip_address("74.125.24.189")
        ip.callback = ipset_callback

        ipm = pyaiengine.IPSetManager()
        ipm.add_ip_set(ip)

        d = pyaiengine.DomainName("Google All", ".google.com")
        d.callback = domain_callback

        dm = pyaiengine.DomainNameManager()
        dm.add_domain_name(d)

        self.s.tcp_ip_set_manager = ipm
        self.s.set_domain_name_manager(dm, "SSLProtocol")

        self.dis.open("../pcapfiles/sslflow.pcap")
        self.dis.run()
        self.dis.close()

        self.assertEqual(d.matchs, 1)
        self.assertEqual(self.called_callback, 1)
        self.assertEqual(self.ip_called_callback, 1)
Esempio n. 3
0
    def test3(self):
        """ Create a regex for a generic exploit and a IPSet with no matching"""
        def ipset_callback(flow):
            self.called_callback += 1

        ipset = pyaiengine.IPSet()
        ipset.add_ip_address("dc20:c7f:2012:11::22")
        ipset.add_ip_address("dc20:c7f:2012:11::1")
        ipset.callback = ipset_callback
        im = pyaiengine.IPSetManager()

        im.add_ip_set(ipset)
        self.s.tcp_ip_set_manager = im

        rm = pyaiengine.RegexManager()
        r1 = pyaiengine.Regex("generic exploit",
                              "\xaa\xbb\xcc\xdd\x90\x90\x90")
        rm.add_regex(r1)
        r2 = pyaiengine.Regex("other exploit", "(this can not match)")
        rm.add_regex(r2)
        self.s.tcp_regex_manager = rm

        self.dis.open("../pcapfiles/generic_exploit_ipv6_defcon20.pcap")
        self.dis.run()
        self.dis.close()

        self.assertEqual(r1.matchs, 0)
        self.assertEqual(r2.matchs, 0)
        self.assertEqual(self.called_callback, 0)
Esempio n. 4
0
    def test31(self):
        """ Verify the functionatliy of the RegexManager on the IPSets """
        def regex_callback(flow):
            r = flow.regex
            i = flow.ip_set
            self.assertEqual(flow.dstip, "95.100.96.10")
            self.assertEqual(r.name, "generic http")
            self.assertEqual(i.name, "Generic set")
            self.called_callback += 1

        def ipset_callback(flow):
            r = flow.regex
            i = flow.ip_set
            self.assertNotEqual(i, None)
            self.assertEqual(i.name, "Generic set")
            self.assertEqual(r, None)
            self.called_callback += 1

        rm = pyaiengine.RegexManager()
        i = pyaiengine.IPSet("Generic set")
        i.add_ip_address("95.100.96.10")
        i.regexmanager = None
        i.callback = ipset_callback
        im = pyaiengine.IPSetManager()

        im.add_ip_set(i)
        self.s.tcp_ip_set_manager = im

        r = pyaiengine.Regex("generic http", "^GET.*HTTP")
        r.callback = regex_callback
        rm.add_regex(r)

        self.s.enable_nids_engine = True

        with pyaiengine.PacketDispatcher(
                "../pcapfiles/two_http_flows_noending.pcap") as pd:
            pd.stack = self.s
            pd.run()

        self.assertEqual(self.called_callback, 1)
        self.assertEqual(i.lookups_in, 1)
        self.assertEqual(r.matchs, 0)
Esempio n. 5
0
sys.path.append("../src/")
import urllib2
import pyaiengine


def callback_tor(flow):

    print("Detecting ToR on ", str(flow))


if __name__ == '__main__':

    # Load an instance of a Network Stack on a Lan network
    st = pyaiengine.StackLan()

    ipset = pyaiengine.IPSet()
    ipset.callback = callback_tor

    ipset_mng = pyaiengine.IPSetManager()
    ipset_mng.add_ip_set(ipset)
    """ Take a big list of IP address that belongs to ToR """
    req = urllib2.Request("https://www.dan.me.uk/torlist/")
    try:
        response = urllib2.urlopen(req)
        for line in response.readlines():
            ip = line.strip()
            try:
                socket.inet_aton(ip)
            except:
                continue
            ipset.add_ip_address(ip)
Esempio n. 6
0
import pyaiengine
import sys

st = pyaiengine.StackLan()

tcp_rm = pyaiengine.RegexManager()
udp_rm = pyaiengine.RegexManager()
""" Put here your code for load regexs 
    >>> tcp_rm.add_regex(pyaiengine.Regex("some regex", "\x00\x0a\x0b")
    >>> tcp_rm.add_regex(pyaiengine.Regex("some regex", "^\x00\x0a.*exe", callback)
"""

tcp_set = pyaiengine.IPSetManager()
udp_set = pyaiengine.IPSetManager()

tcp_ipset = pyaiengine.IPSet()
udp_ipset = pyaiengine.IPSet()
""" Put here your code with your IP lists
    >>> tcp_ipset.add_ip_address("192.158.1.1")
"""

http_names = pyaiengine.DomainNameManager()
ssl_names = pyaiengine.DomainNameManager()
dns_names = pyaiengine.DomainNameManager()
""" Put here your code with your domains for matching """
http_names.add_domain_name(pyaiengine.DomainName("Fedora", ".fedora.com"))
ssl_names.add_domain_name(pyaiengine.DomainName("Google", ".google.com"))
dns_names.add_domain_name(pyaiengine.DomainName("Google DNS", ".google.com"))

st.set_domain_name_manager(dns_names, "DNSProtocol")
st.set_domain_name_manager(http_names, "HTTPProtocol")