class Distiller: def __init__(self, data_directory, pull_port='5555', push_port='5556'): self.data_directory = data_directory self.messager = Messager(pull_port=pull_port, push_port=push_port) self.build = Builder() self.dict = Rosetta() self.header_marker = '[--> HEADER <--]' self.hm_len = len(self.header_marker) self.broken_header = 'fae' def __on_receive_command(self, message): print message if message['payload']['command'] == 'parse_file_pcap': file_name = message['payload']['filename'] file_path = os.path.join(self.data_directory, file_name) self._read_file(file_path) # x._read_file('../app/uploads/evidence01.pcap') # x._read_file('../app/uploads/evidence-malware.pcap') # x._read_file('../app/uploads/evidence01-talkers.pcap') def _read(self, _hex): read = self._format_lines(binascii.hexlify(_hex)) return read def _read_file(self, afile, num_fails=0, max_fails=3): try: _file = open(afile, 'rb') except: if num_fails < max_fails: num_fails += 1; time.sleep(2*num_fails); self._read_file(afile, num_fails, max_fails) return else: return file_to_list = [] for row in list(_file): '' # get user-agent and host plain_text = row temp = self.dict.sifter(plain_text) if temp is not None: print(temp) pcap_string = self.dict._format_lines(binascii.hexlify(row)) highlight_header = re.sub('[0-9][a-f]000000[0-9][a-f]000000', self.header_marker, pcap_string) file_to_list.append(highlight_header) try: # catch complete packets for line in file_to_list: if self.header_marker in line and not self.broken_header in line: #print(line) # test output is read # setup 1st check hdr_len_byte1 = line.index(self.header_marker) + 28 # find index header_check1 = hdr_len_byte1 + self.hm_len # verify header w/length byte # setup 2nd check hdr_len_byte2 = line.index(self.header_marker) + 92 # find index header_check2 = hdr_len_byte2 + self.hm_len # verify header w/2nd length byte if line[header_check1] is '4': # initial confirmation of header self.peruse_pcap(line) try: if line[header_check2] is '5': # catches only complete headers self.peruse_pcap(line) except: pass except: for line in file_to_list: if self.header_marker in line and not self.broken_header in line: self.peruse_pcap(line) def receive_command(self): self.messager.receive_message(self.__on_receive_command) def peruse_pcap(self, apcap): get_header = apcap.index(self.header_marker) # find header starting index header_offset = get_header + self.hm_len ''' beginning reference point ''' des_mac = header_offset # 1 des_ip = header_offset + 60 # 5 des_port = header_offset + 72 # 7 _src_mac = header_offset + 12 # 2 _src_ip = header_offset + 52 # 4 _src_port = header_offset + 68 # 6 prot = header_offset + 46 # 3 ''' ending reference point''' dest_mac_offset = des_mac + 12 dest_ip_offset = des_ip + 8 dest_port_offset = des_port + 4 _src_mac_offset = _src_mac + 12 _src_ip_offset = _src_ip + 8 _src_port_offset = _src_port + 4 protocol_offset = prot + 2 try: #!works destination_mac = self.build.rebuild_mac(str(apcap[des_mac:dest_mac_offset])) _source_mac = self.build.rebuild_mac(str(apcap[_src_mac:_src_mac_offset])) protocol_type = self.build.define_prot(str(apcap[prot:protocol_offset])) _source_ip = self.build.rebuild_ip(str(apcap[_src_ip:_src_ip_offset])) destination_ip = self.build.rebuild_ip(str(apcap[des_ip:dest_ip_offset])) _source_port = self.build.rebuild_port(str(apcap[_src_port:_src_port_offset])) destination_port = self.build.rebuild_port(str(apcap[des_port:dest_port_offset])) print('Protocol: ' + protocol_type) print('') print('\t\tSource:') # print('\tSource:') print('Mac:\t' + _source_mac) print('IP:\t\t' + _source_ip) # print('IP:\t' + _source_ip) print('Port:\t' + str(_source_port)) print('') print('\t\tDestination:') # print('\tSource:') print('Mac:\t' + destination_mac) print('IP:\t\t' + destination_ip) # print('IP:\t' + destination_ip) print('Port:\t' + str(destination_port)) print('\n------------------------------------------\n') #+ Send Message now = datetime.now().isoformat(' ') message = { 'timestamp': now, 'source': 'Distiller', 'destination': 'SneakPeek', 'payload': { 'command': 'show', 'protocol_type': protocol_type, 'shost': { 'source_mac': _source_mac, 'source_ip': _source_ip, 'source_port': _source_port }, 'dhost': { 'destination_mac': destination_mac, 'destination_ip': destination_ip, 'destination_port': destination_port } } } self.messager.send_message(message); #- Send Message except: pass
class Distiller: def __init__(self, data_directory, pull_port='5555', push_port='5556'): self.data_directory = data_directory self.messager = Messager(pull_port=pull_port, push_port=push_port) self.build = Builder() self.stone = Rosetta() self.ipv4_marker = '[--> IPV4 <--]' self.ipv6_marker = '[--> IPV6 <--]' self.hm_len = len(self.ipv4_marker) self.seperator = '-------------------------------' def __on_receive_command(self, message): print message if message['payload']['command'] == 'parse_file_pcap': file_name = message['payload']['filename'] file_path = os.path.join(self.data_directory, file_name) self.read_file(file_path) def receive_command(self): self.messager.receive_message(self.__on_receive_command) def read(self, _hex): ''' This function reads and parses pcap hex strings. ''' # get user-agent and host and date message = {}; hex_string = _hex recovered_text = self.stone.sifter(hex_string) if recovered_text is not None: print(recovered_text) #send to json directly from sifter else: # converts string to true hex pcap_string = binascii.hexlify(hex_string) ipv4 = self._ipv4(pcap_string) ipv6 = self._ipv6(ipv4) filtered = ipv6 message = self._parse_ipv4(filtered) # self._parse_ipv6(filtered) return message; def read_file(self, afile): ''' This function opens a pcap file and passes it through the read function line by line for parsing. ''' _file = open(afile, 'rb') for row in list(_file): message = self.read(row); if message != None and type(message) == dict: message['payload']['filename'] = afile; self.messager.send_message(message); def _ipv4(self, astring): ''' This function filters for ipv4 header tags. ''' filter1 = re.sub('[1-9][a-f]000000[1-9][a-f]000000', self.ipv4_marker, astring) filter2 = re.sub('[a-f][a-f]0[1-9]0000[a-f][a-f]0[1-9]0000', self.ipv4_marker, filter1) return filter2 def _parse_ipv4(self, astring): ''' This function parses ipv4 strings. Specific slices for specific data. ''' if self.ipv4_marker in astring: header_frame = astring.index(self.ipv4_marker) + self.hm_len try: dmac = str(astring[header_frame:header_frame+12]) smac = str(astring[header_frame+12:header_frame+24]) types = str(astring[header_frame+24:header_frame+28]) prot = str(astring[header_frame+46:header_frame+48]) sip = str(astring[header_frame+52:header_frame+60]) dip = str(astring[header_frame+60:header_frame+68]) sprt = str(astring[header_frame+68:header_frame+72]) dprt = str(astring[header_frame+72:header_frame+76]) except: pass try: type_ = str(self.build.define_type(types)) protocol = str(self.build.define_prot(prot)) dest_mac = str(self.build._mac(dmac)) dest_ip = str(self.build._ip(dip)) dest_port = str(self.build._port(dprt)) src_mac = str(self.build._mac(smac)) src_ip = str(self.build._ip(sip)) src_port = str(self.build._port(sprt)) # quality check qc = str(type_+'\n'+protocol+'\n'+src_mac+'\n'+src_ip+ '\n'+src_port+'\n'+dest_mac+'\n'+dest_ip+'\n'+ dest_port+'\n'+self.seperator) print(qc) #+ Send Message now = datetime.now().isoformat(' ') message = { 'timestamp': now, 'source': 'Distiller', 'destination': 'SneakPeek', 'payload': { 'command': 'show', 'header_type': type_, 'protocol_type': protocol, 'shost': { 'source_mac': src_mac, 'source_ip': src_ip, 'source_port': src_port }, 'dhost': { 'destination_mac': dest_mac, 'destination_ip': dest_ip, 'destination_port': dest_port } } } return message; #- Send Message except: pass else: pass def _ipv6(self, astring): ''' This function filters for ipv6 header tags. ''' filter3 = re.sub('0[1-9]00[1-9]0000000[1-9]0000000', self.ipv6_marker, astring) filter4 = re.sub('00[1-9][1-9]000000[1-9][1-9]000000', self.ipv6_marker, filter3) filter5 = re.sub('00[1-9][a-f]0[1-9]0000[1-9][a-f]0[1-9]0000', self.ipv6_marker, filter4) filter6 = re.sub('00[a-f][1-9]000000[a-f][1-9]000000', self.ipv6_marker, filter5) filter7 = re.sub('010000[a-f][1-9]010000', self.ipv6_marker, filter6) return filter7 def _parse_ipv6(self, astring): ''' This function parses ipv6 strings. Specific slices for specific data. ''' if self.ipv6_marker in astring: header_frame = astring.index(self.ipv6_marker) + self.hm_len try: dmac = str(astring[header_frame:header_frame+12]) smac = str(astring[header_frame+12:header_frame+24]) types = str(astring[header_frame+24:header_frame+28]) prot = str(astring[header_frame+40:header_frame+42]) sip = str(astring[header_frame+44:header_frame+77]) dip = str(astring[header_frame+76:header_frame+109]) sprt = str(astring[header_frame+108:header_frame+112]) dprt = str(astring[header_frame+112:header_frame+116]) except: pass try: type_ = str(self.build.define_type(types)) protocol = str(self.build.define_prot(prot)) dest_mac = str(self.build._mac(dmac)) dest_ip = str(self.build._ipv6_ip(dip)) dest_port = str(self.build._port(dprt)) src_mac = str(self.build._mac(smac)) src_ip = str(self.build._ipv6_ip(sip)) src_port = str(self.build._port(sprt)) # quality check qc = str(type_+'\n'+protocol+'\n'+src_mac+'\n'+src_ip+ '\n'+src_port+'\n'+dest_mac+'\n'+dest_ip+'\n'+ dest_port+'\n'+self.seperator) print(qc) #+ Send Message now = datetime.now().isoformat(' ') message = { 'timestamp': now, 'source': 'Distiller', 'destination': 'SneakPeek', 'payload': { 'command': 'show', 'header_type': type_, 'protocol_type': protocol, 'shost': { 'source_mac': src_mac, 'source_ip': src_ip, 'source_port': src_port }, 'dhost': { 'destination_mac': dest_mac, 'destination_ip': dest_ip, 'destination_port': dest_port } } } # self.messager.send_message(message); #- Send Message # return message; except: pass else: pass
class Distiller: def __init__(self, data_directory, pull_port='5555', push_port='5556'): self.data_directory = data_directory self.messager = Messager(pull_port=pull_port, push_port=push_port) self.build = Builder() self.stone = Rosetta() self.ipv4_marker = '[--> IPV4 <--]' self.ipv6_marker = '[--> IPV6 <--]' self.hm_len = len(self.ipv4_marker) self.seperator = '-------------------------------' def __on_receive_command(self, message): print message if message['payload']['command'] == 'parse_file_pcap': file_name = message['payload']['filename'] file_path = os.path.join(self.data_directory, file_name) self.read_file(file_path) def receive_command(self): self.messager.receive_message(self.__on_receive_command) def read(self, _hex): ''' This function reads and parses pcap hex strings. ''' # get user-agent and host and date message = {} hex_string = _hex recovered_text = self.stone.sifter(hex_string) if recovered_text is not None: print(recovered_text) #send to json directly from sifter else: # converts string to true hex pcap_string = binascii.hexlify(hex_string) ipv4 = self._ipv4(pcap_string) ipv6 = self._ipv6(ipv4) filtered = ipv6 message = self._parse_ipv4(filtered) # self._parse_ipv6(filtered) return message def read_file(self, afile): ''' This function opens a pcap file and passes it through the read function line by line for parsing. ''' _file = open(afile, 'rb') for row in list(_file): message = self.read(row) if message != None and type(message) == dict: message['payload']['filename'] = afile self.messager.send_message(message) def _ipv4(self, astring): ''' This function filters for ipv4 header tags. ''' filter1 = re.sub('[1-9][a-f]000000[1-9][a-f]000000', self.ipv4_marker, astring) filter2 = re.sub('[a-f][a-f]0[1-9]0000[a-f][a-f]0[1-9]0000', self.ipv4_marker, filter1) return filter2 def _parse_ipv4(self, astring): ''' This function parses ipv4 strings. Specific slices for specific data. ''' if self.ipv4_marker in astring: header_frame = astring.index(self.ipv4_marker) + self.hm_len try: dmac = str(astring[header_frame:header_frame + 12]) smac = str(astring[header_frame + 12:header_frame + 24]) types = str(astring[header_frame + 24:header_frame + 28]) prot = str(astring[header_frame + 46:header_frame + 48]) sip = str(astring[header_frame + 52:header_frame + 60]) dip = str(astring[header_frame + 60:header_frame + 68]) sprt = str(astring[header_frame + 68:header_frame + 72]) dprt = str(astring[header_frame + 72:header_frame + 76]) except: pass try: type_ = str(self.build.define_type(types)) protocol = str(self.build.define_prot(prot)) dest_mac = str(self.build._mac(dmac)) dest_ip = str(self.build._ip(dip)) dest_port = str(self.build._port(dprt)) src_mac = str(self.build._mac(smac)) src_ip = str(self.build._ip(sip)) src_port = str(self.build._port(sprt)) # quality check qc = str(type_ + '\n' + protocol + '\n' + src_mac + '\n' + src_ip + '\n' + src_port + '\n' + dest_mac + '\n' + dest_ip + '\n' + dest_port + '\n' + self.seperator) print(qc) #+ Send Message now = datetime.now().isoformat(' ') message = { 'timestamp': now, 'source': 'Distiller', 'destination': 'SneakPeek', 'payload': { 'command': 'show', 'header_type': type_, 'protocol_type': protocol, 'shost': { 'source_mac': src_mac, 'source_ip': src_ip, 'source_port': src_port }, 'dhost': { 'destination_mac': dest_mac, 'destination_ip': dest_ip, 'destination_port': dest_port } } } return message #- Send Message except: pass else: pass def _ipv6(self, astring): ''' This function filters for ipv6 header tags. ''' filter3 = re.sub('0[1-9]00[1-9]0000000[1-9]0000000', self.ipv6_marker, astring) filter4 = re.sub('00[1-9][1-9]000000[1-9][1-9]000000', self.ipv6_marker, filter3) filter5 = re.sub('00[1-9][a-f]0[1-9]0000[1-9][a-f]0[1-9]0000', self.ipv6_marker, filter4) filter6 = re.sub('00[a-f][1-9]000000[a-f][1-9]000000', self.ipv6_marker, filter5) filter7 = re.sub('010000[a-f][1-9]010000', self.ipv6_marker, filter6) return filter7 def _parse_ipv6(self, astring): ''' This function parses ipv6 strings. Specific slices for specific data. ''' if self.ipv6_marker in astring: header_frame = astring.index(self.ipv6_marker) + self.hm_len try: dmac = str(astring[header_frame:header_frame + 12]) smac = str(astring[header_frame + 12:header_frame + 24]) types = str(astring[header_frame + 24:header_frame + 28]) prot = str(astring[header_frame + 40:header_frame + 42]) sip = str(astring[header_frame + 44:header_frame + 77]) dip = str(astring[header_frame + 76:header_frame + 109]) sprt = str(astring[header_frame + 108:header_frame + 112]) dprt = str(astring[header_frame + 112:header_frame + 116]) except: pass try: type_ = str(self.build.define_type(types)) protocol = str(self.build.define_prot(prot)) dest_mac = str(self.build._mac(dmac)) dest_ip = str(self.build._ipv6_ip(dip)) dest_port = str(self.build._port(dprt)) src_mac = str(self.build._mac(smac)) src_ip = str(self.build._ipv6_ip(sip)) src_port = str(self.build._port(sprt)) # quality check qc = str(type_ + '\n' + protocol + '\n' + src_mac + '\n' + src_ip + '\n' + src_port + '\n' + dest_mac + '\n' + dest_ip + '\n' + dest_port + '\n' + self.seperator) print(qc) #+ Send Message now = datetime.now().isoformat(' ') message = { 'timestamp': now, 'source': 'Distiller', 'destination': 'SneakPeek', 'payload': { 'command': 'show', 'header_type': type_, 'protocol_type': protocol, 'shost': { 'source_mac': src_mac, 'source_ip': src_ip, 'source_port': src_port }, 'dhost': { 'destination_mac': dest_mac, 'destination_ip': dest_ip, 'destination_port': dest_port } } } # self.messager.send_message(message); #- Send Message # return message; except: pass else: pass
class Distiller: def __init__(self, data_directory, pull_port='5555', push_port='5556'): self.data_directory = data_directory self.messager = Messager(pull_port=pull_port, push_port=push_port) self.metadata_ext = '.sp' self.build = Builder() self.stone = Rosetta() self.ipv4_marker = '[--> IPV4 <--]' self.ipv6_marker = '[--> IPV6 <--]' self.hm_len = len(self.ipv4_marker) self.seperator = '-------------------------------' def __on_receive_command(self, message): print message if message['payload']['command'] == 'parse_file_pcap': #+ EXAMPLE MESSAGE # message = { # timestamp: now, # source: "SneakPeek", # destination: "Distiller", # payload: { # command: "parse_file_pcap", # filename: file['name'], # _modified_datetime: file['lastModified'], # modified_datetime: file['lastModifiedDate'], # size: file['size'], # type: file['type'] # } # }; #- EXAMPLE MESSAGE payload = message['payload'] file_metadata = { 'filename': payload['filename'], '_modified_datetime': payload['_modified_datetime'], 'modified_datetime': payload['modified_datetime'], 'size': payload['size'], 'type': payload['type'] } file_metadata_path = os.path.join( self.data_directory, os.path.splitext(file_metadata['filename'])[0] + self.metadata_ext) if not os.path.exists(file_metadata_path): print 'Writing metadata to file:', file_metadata_path with open(file_metadata_path, 'w+') as outfile: json.dump(file_metadata, outfile) outfile.flush() print 'Wrote metadata to file.' filename = payload['filename'] file_path = os.path.join(self.data_directory, filename) self.read_file(file_path, file_metadata_path) elif message['payload']['command'] == 'request_metadata_update': #+ Apply the update. payload = message['payload'] filename = payload['filename'] file_path = os.path.join(self.data_directory, filename) file_metadata_path = payload['file_metadata_path'] with open(file_metadata_path, 'r+') as metadata_file: #+ Apply the update. metadata = json.load(metadata_file) for k in payload['update']: metadata[k] = payload['update'][k] metadata_file.seek(0) json.dump(metadata, metadata_file) metadata_file.flush() metadata_file.truncate() #- Apply the update. #+ Notify Sneak Peek now = datetime.now().isoformat(' ') message = { 'timestamp': now, 'source': 'Distiller', 'destination': 'SneakPeek', 'payload': { 'command': 'display_metadata', 'filename': filename, 'file_path': file_path, 'file_metadata_path': file_metadata_path, 'metadata': metadata } } self.messager.send_message(message) #- Notify Sneak Peek def receive_command(self): self.messager.receive_message(self.__on_receive_command) def read(self, _hex): ''' This function reads and parses pcap hex strings. ''' # get user-agent and host and date message = {} hex_string = _hex recovered_text = self.stone.sifter(hex_string) if recovered_text is not None: print(recovered_text) #send to json directly from sifter else: # converts string to true hex pcap_string = binascii.hexlify(hex_string) ipv4 = self._ipv4(pcap_string) ipv6 = self._ipv6(ipv4) filtered = ipv6 message = self._parse_ipv4(filtered) self._parse_ipv6(filtered) return message def read_file(self, file_path, file_metadata_path=None): ''' This function opens a pcap file and passes it through the read function line by line for parsing. ''' filename = os.path.basename(file_path) with open(file_path, 'rb') as _file: for row in list(_file): message = self.read(row) if message != None and type(message) == dict: message['payload']['filename'] = filename message['payload']['file_path'] = file_path message['payload'][ 'file_metadata_path'] = file_metadata_path self.messager.send_message(message) if file_metadata_path != None: #+ UPDATE Metadata #~ Tells Sneak Peek to initiate an update to this file's metadata file. now = datetime.now().isoformat(' ') message = { 'timestamp': now, 'source': 'Distiller', 'destination': 'SneakPeek', 'payload': { 'command': 'request_metadata_update', 'filename': filename, 'file_path': file_path, 'file_metadata_path': file_metadata_path } } self.messager.send_message(message) #~ Tells Sneak Peek to initiate an update to this file's metadata file. #- UPDATE Metadata def _ipv4(self, astring): ''' This function filters for ipv4 header tags. ''' filter1 = re.sub('[1-9][a-f]000000[1-9][a-f]000000', self.ipv4_marker, astring) filter2 = re.sub('[a-f][a-f]0[1-9]0000[a-f][a-f]0[1-9]0000', self.ipv4_marker, filter1) return filter2 def _parse_ipv4(self, astring): ''' This function parses ipv4 strings. Specific slices for specific data. ''' if self.ipv4_marker in astring: header_frame = astring.index(self.ipv4_marker) + self.hm_len try: dmac = str(astring[header_frame:header_frame + 12]) smac = str(astring[header_frame + 12:header_frame + 24]) types = str(astring[header_frame + 24:header_frame + 28]) prot = str(astring[header_frame + 46:header_frame + 48]) sip = str(astring[header_frame + 52:header_frame + 60]) dip = str(astring[header_frame + 60:header_frame + 68]) sprt = str(astring[header_frame + 68:header_frame + 72]) dprt = str(astring[header_frame + 72:header_frame + 76]) except: pass try: type_ = str(self.build.define_type(types)) protocol = str(self.build.define_prot(prot)) dest_mac = str(self.build._mac(dmac)) dest_ip = str(self.build._ip(dip)) dest_port = str(self.build._port(dprt)) src_mac = str(self.build._mac(smac)) src_ip = str(self.build._ip(sip)) src_port = str(self.build._port(sprt)) # quality check qc = str(type_ + '\n' + protocol + '\n' + src_mac + '\n' + src_ip + '\n' + src_port + '\n' + dest_mac + '\n' + dest_ip + '\n' + dest_port + '\n' + self.seperator) print(qc) #+ Send Message now = datetime.now().isoformat(' ') message = { 'timestamp': now, 'source': 'Distiller', 'destination': 'SneakPeek', 'payload': { 'command': 'show', 'header_type': type_, 'protocol_type': protocol, 'shost': { 'source_mac': src_mac, 'source_ip': src_ip, 'source_port': src_port }, 'dhost': { 'destination_mac': dest_mac, 'destination_ip': dest_ip, 'destination_port': dest_port } } } return message #- Send Message except: pass else: pass def _ipv6(self, astring): ''' This function filters for ipv6 header tags. ''' filter3 = re.sub('0[1-9]00[1-9]0000000[1-9]0000000', self.ipv6_marker, astring) filter4 = re.sub('00[1-9][1-9]000000[1-9][1-9]000000', self.ipv6_marker, filter3) filter5 = re.sub('00[1-9][a-f]0[1-9]0000[1-9][a-f]0[1-9]0000', self.ipv6_marker, filter4) filter6 = re.sub('00[a-f][1-9]000000[a-f][1-9]000000', self.ipv6_marker, filter5) filter7 = re.sub('010000[a-f][1-9]010000', self.ipv6_marker, filter6) return filter7 def _parse_ipv6(self, astring): ''' This function parses ipv6 strings. Specific slices for specific data. ''' if self.ipv6_marker in astring: header_frame = astring.index(self.ipv6_marker) + self.hm_len try: dmac = str(astring[header_frame:header_frame + 12]) smac = str(astring[header_frame + 12:header_frame + 24]) types = str(astring[header_frame + 24:header_frame + 28]) prot = str(astring[header_frame + 40:header_frame + 42]) sip = str(astring[header_frame + 44:header_frame + 77]) dip = str(astring[header_frame + 76:header_frame + 109]) sprt = str(astring[header_frame + 108:header_frame + 112]) dprt = str(astring[header_frame + 112:header_frame + 116]) except: pass try: type_ = str(self.build.define_type(types)) protocol = str(self.build.define_prot(prot)) dest_mac = str(self.build._mac(dmac)) dest_ip = str(self.build._ipv6_ip(dip)) dest_port = str(self.build._port(dprt)) src_mac = str(self.build._mac(smac)) src_ip = str(self.build._ipv6_ip(sip)) src_port = str(self.build._port(sprt)) # quality check qc = str(type_ + '\n' + protocol + '\n' + src_mac + '\n' + src_ip + '\n' + src_port + '\n' + dest_mac + '\n' + dest_ip + '\n' + dest_port + '\n' + self.seperator) print(qc) #+ Send Message now = datetime.now().isoformat(' ') message = { 'timestamp': now, 'source': 'Distiller', 'destination': 'SneakPeek', 'payload': { 'command': 'show', 'header_type': type_, 'protocol_type': protocol, 'shost': { 'source_mac': src_mac, 'source_ip': src_ip, 'source_port': src_port }, 'dhost': { 'destination_mac': dest_mac, 'destination_ip': dest_ip, 'destination_port': dest_port } } } # self.messager.send_message(message); #- Send Message return message except: pass else: pass
class Distiller: def __init__(self, data_directory, pull_port='5555', push_port='5556'): self.data_directory = data_directory self.messager = Messager(pull_port=pull_port, push_port=push_port) self.build = Builder() self.dict = Rosetta() self.header_marker = '[--> HEADER <--]' self.hm_len = len(self.header_marker) self.broken_header = 'fae' def __on_receive_command(self, message): print message if message['payload']['command'] == 'parse_file_pcap': file_name = message['payload']['filename'] file_path = os.path.join(self.data_directory, file_name) self._read_file(file_path) # x._read_file('../app/uploads/evidence01.pcap') # x._read_file('../app/uploads/evidence-malware.pcap') # x._read_file('../app/uploads/evidence01-talkers.pcap') def _read(self, _hex): read = self._format_lines(binascii.hexlify(_hex)) return read def _read_file(self, afile, num_fails=0, max_fails=3): try: _file = open(afile, 'rb') except: if num_fails < max_fails: num_fails += 1 time.sleep(2 * num_fails) self._read_file(afile, num_fails, max_fails) return else: return file_to_list = [] for row in list(_file): '' # get user-agent and host plain_text = row temp = self.dict.sifter(plain_text) if temp is not None: print(temp) pcap_string = self.dict._format_lines(binascii.hexlify(row)) highlight_header = re.sub('[0-9][a-f]000000[0-9][a-f]000000', self.header_marker, pcap_string) file_to_list.append(highlight_header) try: # catch complete packets for line in file_to_list: if self.header_marker in line and not self.broken_header in line: #print(line) # test output is read # setup 1st check hdr_len_byte1 = line.index( self.header_marker) + 28 # find index header_check1 = hdr_len_byte1 + self.hm_len # verify header w/length byte # setup 2nd check hdr_len_byte2 = line.index( self.header_marker) + 92 # find index header_check2 = hdr_len_byte2 + self.hm_len # verify header w/2nd length byte if line[header_check1] is '4': # initial confirmation of header self.peruse_pcap(line) try: if line[header_check2] is '5': # catches only complete headers self.peruse_pcap(line) except: pass except: for line in file_to_list: if self.header_marker in line and not self.broken_header in line: self.peruse_pcap(line) def receive_command(self): self.messager.receive_message(self.__on_receive_command) def peruse_pcap(self, apcap): get_header = apcap.index( self.header_marker) # find header starting index header_offset = get_header + self.hm_len ''' beginning reference point ''' des_mac = header_offset # 1 des_ip = header_offset + 60 # 5 des_port = header_offset + 72 # 7 _src_mac = header_offset + 12 # 2 _src_ip = header_offset + 52 # 4 _src_port = header_offset + 68 # 6 prot = header_offset + 46 # 3 ''' ending reference point''' dest_mac_offset = des_mac + 12 dest_ip_offset = des_ip + 8 dest_port_offset = des_port + 4 _src_mac_offset = _src_mac + 12 _src_ip_offset = _src_ip + 8 _src_port_offset = _src_port + 4 protocol_offset = prot + 2 try: #!works destination_mac = self.build.rebuild_mac( str(apcap[des_mac:dest_mac_offset])) _source_mac = self.build.rebuild_mac( str(apcap[_src_mac:_src_mac_offset])) protocol_type = self.build.define_prot( str(apcap[prot:protocol_offset])) _source_ip = self.build.rebuild_ip( str(apcap[_src_ip:_src_ip_offset])) destination_ip = self.build.rebuild_ip( str(apcap[des_ip:dest_ip_offset])) _source_port = self.build.rebuild_port( str(apcap[_src_port:_src_port_offset])) destination_port = self.build.rebuild_port( str(apcap[des_port:dest_port_offset])) print('Protocol: ' + protocol_type) print('') print('\t\tSource:') # print('\tSource:') print('Mac:\t' + _source_mac) print('IP:\t\t' + _source_ip) # print('IP:\t' + _source_ip) print('Port:\t' + str(_source_port)) print('') print('\t\tDestination:') # print('\tSource:') print('Mac:\t' + destination_mac) print('IP:\t\t' + destination_ip ) # print('IP:\t' + destination_ip) print('Port:\t' + str(destination_port)) print('\n------------------------------------------\n') #+ Send Message now = datetime.now().isoformat(' ') message = { 'timestamp': now, 'source': 'Distiller', 'destination': 'SneakPeek', 'payload': { 'command': 'show', 'protocol_type': protocol_type, 'shost': { 'source_mac': _source_mac, 'source_ip': _source_ip, 'source_port': _source_port }, 'dhost': { 'destination_mac': destination_mac, 'destination_ip': destination_ip, 'destination_port': destination_port } } } self.messager.send_message(message) #- Send Message except: pass