def test6(self): """ Several IPSets with no matching""" def ipset_callback(flow): self.called_callback += 1 ipset1 = pyaiengine.IPSet("IPSet 1") ipset2 = pyaiengine.IPSet("IPSet 2") ipset3 = pyaiengine.IPSet("IPSet 3") ipset3.add_ip_address("dc20:c7f:2012:11::2") ipset2.add_ip_address("dcaa:c7f:2012:11::22") ipset1.add_ip_address("dcbb:c7f:2012:11::22") im = pyaiengine.IPSetManager() im.add_ip_set(ipset1) im.add_ip_set(ipset2) im.add_ip_set(ipset3) self.s.tcp_ip_set_manager = im self.dis.open("../pcapfiles/generic_exploit_ipv6_defcon20.pcap") self.dis.run() self.dis.close() self.assertEqual(len(im), 3) self.assertEqual(self.called_callback, 0) self.assertEqual(self.s.tcp_ip_set_manager, im)
def test7(self): """ Verify SSL traffic with domain callback and IPset""" def ipset_callback(flow): self.ip_called_callback += 1 def domain_callback(flow): self.called_callback += 1 ip = pyaiengine.IPSet("Specific IP address") ip.add_ip_address("74.125.24.189") ip.callback = ipset_callback ipm = pyaiengine.IPSetManager() ipm.add_ip_set(ip) d = pyaiengine.DomainName("Google All", ".google.com") d.callback = domain_callback dm = pyaiengine.DomainNameManager() dm.add_domain_name(d) self.s.tcp_ip_set_manager = ipm self.s.set_domain_name_manager(dm, "SSLProtocol") self.dis.open("../pcapfiles/sslflow.pcap") self.dis.run() self.dis.close() self.assertEqual(d.matchs, 1) self.assertEqual(self.called_callback, 1) self.assertEqual(self.ip_called_callback, 1)
def test3(self): """ Create a regex for a generic exploit and a IPSet with no matching""" def ipset_callback(flow): self.called_callback += 1 ipset = pyaiengine.IPSet() ipset.add_ip_address("dc20:c7f:2012:11::22") ipset.add_ip_address("dc20:c7f:2012:11::1") ipset.callback = ipset_callback im = pyaiengine.IPSetManager() im.add_ip_set(ipset) self.s.tcp_ip_set_manager = im rm = pyaiengine.RegexManager() r1 = pyaiengine.Regex("generic exploit", "\xaa\xbb\xcc\xdd\x90\x90\x90") rm.add_regex(r1) r2 = pyaiengine.Regex("other exploit", "(this can not match)") rm.add_regex(r2) self.s.tcp_regex_manager = rm self.dis.open("../pcapfiles/generic_exploit_ipv6_defcon20.pcap") self.dis.run() self.dis.close() self.assertEqual(r1.matchs, 0) self.assertEqual(r2.matchs, 0) self.assertEqual(self.called_callback, 0)
def test31(self): """ Verify the functionatliy of the RegexManager on the IPSets """ def regex_callback(flow): r = flow.regex i = flow.ip_set self.assertEqual(flow.dstip, "95.100.96.10") self.assertEqual(r.name, "generic http") self.assertEqual(i.name, "Generic set") self.called_callback += 1 def ipset_callback(flow): r = flow.regex i = flow.ip_set self.assertNotEqual(i, None) self.assertEqual(i.name, "Generic set") self.assertEqual(r, None) self.called_callback += 1 rm = pyaiengine.RegexManager() i = pyaiengine.IPSet("Generic set") i.add_ip_address("95.100.96.10") i.regexmanager = None i.callback = ipset_callback im = pyaiengine.IPSetManager() im.add_ip_set(i) self.s.tcp_ip_set_manager = im r = pyaiengine.Regex("generic http", "^GET.*HTTP") r.callback = regex_callback rm.add_regex(r) self.s.enable_nids_engine = True with pyaiengine.PacketDispatcher( "../pcapfiles/two_http_flows_noending.pcap") as pd: pd.stack = self.s pd.run() self.assertEqual(self.called_callback, 1) self.assertEqual(i.lookups_in, 1) self.assertEqual(r.matchs, 0)
sys.path.append("../src/") import urllib2 import pyaiengine def callback_tor(flow): print("Detecting ToR on ", str(flow)) if __name__ == '__main__': # Load an instance of a Network Stack on a Lan network st = pyaiengine.StackLan() ipset = pyaiengine.IPSet() ipset.callback = callback_tor ipset_mng = pyaiengine.IPSetManager() ipset_mng.add_ip_set(ipset) """ Take a big list of IP address that belongs to ToR """ req = urllib2.Request("https://www.dan.me.uk/torlist/") try: response = urllib2.urlopen(req) for line in response.readlines(): ip = line.strip() try: socket.inet_aton(ip) except: continue ipset.add_ip_address(ip)
import pyaiengine import sys st = pyaiengine.StackLan() tcp_rm = pyaiengine.RegexManager() udp_rm = pyaiengine.RegexManager() """ Put here your code for load regexs >>> tcp_rm.add_regex(pyaiengine.Regex("some regex", "\x00\x0a\x0b") >>> tcp_rm.add_regex(pyaiengine.Regex("some regex", "^\x00\x0a.*exe", callback) """ tcp_set = pyaiengine.IPSetManager() udp_set = pyaiengine.IPSetManager() tcp_ipset = pyaiengine.IPSet() udp_ipset = pyaiengine.IPSet() """ Put here your code with your IP lists >>> tcp_ipset.add_ip_address("192.158.1.1") """ http_names = pyaiengine.DomainNameManager() ssl_names = pyaiengine.DomainNameManager() dns_names = pyaiengine.DomainNameManager() """ Put here your code with your domains for matching """ http_names.add_domain_name(pyaiengine.DomainName("Fedora", ".fedora.com")) ssl_names.add_domain_name(pyaiengine.DomainName("Google", ".google.com")) dns_names.add_domain_name(pyaiengine.DomainName("Google DNS", ".google.com")) st.set_domain_name_manager(dns_names, "DNSProtocol") st.set_domain_name_manager(http_names, "HTTPProtocol")