def main(arg1): global count global responses global responses_headers global response global response_header #nids.param("pcap_filter", "tcp") # bpf restrict to TCP only, note # libnids caution about fragments nids.param("scan_num_hosts", 0) # disable portscan detection #if len(sys.argv) == 2: # read a pcap file? nids.param("filename", arg1) nids.init() nids.register_tcp(handleTcpStream) # Loop forever (network device), or until EOF (pcap file) # Note that an exception in the callback will break the loop! try: nids.run() except nids.error, e: print "nids/pcap error:", e
def main(arg1): global count global responses global responses_headers global response global response_header #global openstreams #pcaps_file = os.listdir(arg1) #for pcap_file in pcaps_file: #print pcap_file #responses_headers = [] #openstreams = {} #responses = [] #print "Atleast entered here" #nids.param("pcap_filter", "tcp") # bpf restrict to TCP only, note # libnids caution about fragments nids.param("scan_num_hosts", 0) # disable portscan detection #if len(sys.argv) == 2: # read a pcap file? nids.param("filename", arg1) nids.init() nids.register_tcp(handleTcpStream) # Loop forever (network device), or until EOF (pcap file) # Note that an exception in the callback will break the loop! try: nids.run() except nids.error, e: print "nids/pcap error:", e
def main(): #nids.param("pcap_filter", "tcp") # bpf restrict to TCP only, note # libnids caution about fragments nids.param("scan_num_hosts", 0) # disable portscan detection nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksumming if len(sys.argv) == 2: # read a pcap file? nids.param("filename", sys.argv[1]) nids.init() nids.register_tcp(handleTcpStream) nids.register_udp(handleUDP) nids.register_ip(handleIp) print "pid", os.getpid() # Loop forever (network device), or until EOF (pcap file) # Note that an exception in the callback will break the loop! try: nids.run() except nids.error, e: print "nids/pcap error:", e
def main(): # parse args argparser = argparse.ArgumentParser() argparser.add_argument('PCAP', help='Path to the .pcap file to parse') argparser.add_argument('-H', metavar='HOST', default='127.0.0.1', help='Address to listen on (DEFAULT: 127.0.0.1)') argparser.add_argument('-p', metavar='PORT', type=int, default=3128, help='Port to listen on (DEFAULT: 3128)') argparser.add_argument('-v', action='append_const', const=1, default=[], help='Increase the verbosity level') args = argparser.parse_args() HOST, PORT = args.H, args.p verbosity = len(args.v) # setup logger if verbosity == 0: log_level = logging.ERROR elif verbosity == 1: log_level = logging.INFO else: log_level = logging.DEBUG logging.basicConfig(format='%(levelname)s:%(message)s', level=log_level) # setup the reassembler nids.param("scan_num_hosts", 0) # disable portscan detection nids.chksum_ctl( [('0.0.0.0/0', False)] ) # disable checksum verification: jsunpack says it may cause missed traffic nids.param("filename", args.PCAP) nids.init() nids.register_tcp(reassembleTcpStream) logging.info("Processing TCP streams...") nids.run() # process the open streams, which are not processed by pynids logging.info("Processing open streams...") for c, stream in openstreams.items(): processTcpStream(stream) # run proxy server server = ProxyServer((HOST, PORT), ProxyRequestHandler) server.allow_reuse_address = True try: logging.info("Proxy listening on %s:%d" % (HOST, PORT)) server.serve_forever() except KeyboardInterrupt: return 0
def __init__(self): nids.param("scan_num_hosts", 0) # disable portscan detection nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksumming # Default attribute values self._filter = '' self._device = '' self._pcapfile = '' self._callback = lambda x: x
def main(): if len(sys.argv) == 2: nids.param("filename", sys.argv[1]) nids.init() nids.register_tcp(tcpcallback) try: nids.run() except nids.error, e: print "[-] Error: %s" % (e)
def main(): parser = argparse.ArgumentParser(description='minips.py - A minimal IPS', version='0.1', epilog='EXAMPLE: %(prog)s -p test.pcap -r \'shellcode\' \n') inputparser = parser.add_mutually_exclusive_group(required=True) inputparser.add_argument('-d', '--device', action='store', dest='device', help='network device to collect packets from') inputparser.add_argument('-p', '--pcap', action='store', dest='pcap', help='pcap file to read packets from') parser.add_argument('-r', '--regex', action='store', dest='regex', required=True, help='regex to match over network data') parser.add_argument('-i', '--igncase', action='store_true', dest='igncase', default=False, help='perform case insensitive regex match') parser.add_argument('-m', '--multiline', action='store_true', dest='multiline', default=False, help='perform multiline regex match') parser.add_argument('-k', '--killtcp', action='store_true', dest='killtcp', default=False, help='terminate matching tcp connections') parser.add_argument('-b', '--dispbytes', action='store', dest='dispbytes', required=False, help='max bytes to display') args = parser.parse_args() if args.device: globs['device'] = args.device nids.param('device', globs['device']) if args.pcap: globs['pcap'] = args.pcap nids.param('filename', globs['pcap']) if args.killtcp: globs['killtcp'] = True if args.igncase: globs['regexflags'] |= re.IGNORECASE if args.multiline: globs['regexflags'] |= re.MULTILINE globs['regexflags'] |= re.DOTALL if args.regex: globs['regexstr'] = args.regex globs['regexobj'] = re.compile(globs['regexstr'], globs['regexflags']) if args.dispbytes: globs['dispbytes'] = int(args.dispbytes) nids.init() nids.register_tcp(tcpcallback) nids.register_udp(udpcallback) try: nids.run() except nids.error, e: print "[-] Error: %s" % (e)
def main(): # Packet through Interface OR PCAP check. if pcap_path is not '': nids.param('filename', pcap_path) else: nids.param('device', interface) nids.init() nids.register_tcp(tcpcallback) nids.run()
def run_parser(self, out_queue): try: nids.param("filename", self.pcap_path) nids.param("scan_num_hosts", 0) # disable portscan detection nids.init() nids.chksum_ctl([('0.0.0.0/0', False), ]) nids.register_tcp(self._handleTcpStream) nids.run() except Exception: self.messages = [] out_queue.put(self.messages)
def main(self): #nids.param("scan_num_hosts", 0) nids.param("filename", "test1.pcap") nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksumming #nids.register_udp() nids.init() nids.register_tcp(self.handleTcpStream) # Loop forever (network device), or until EOF (pcap file) # Note that an exception in the callback will break the loop! try: nids.run() except nids.error, e: print "nids/pcap error:", e
def run_parser(self, out_queue): try: nids.param("filename", self.pcap_path) nids.param("scan_num_hosts", 0) # disable portscan detection nids.init() nids.chksum_ctl([ ('0.0.0.0/0', False), ]) nids.register_tcp(self._handleTcpStream) nids.run() except Exception: self.messages = [] out_queue.put(self.messages)
def run(self, conf): self.conf = conf self.output = open(conf.output_file, 'a') nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksumming nids.param('scan_num_hosts', 0) # disable portscan detection nids.param('filename', conf.filename) nids.init() nids.register_udp(self.udp_handler) try: nids.run() except nids.error, e: print >> sys.stderr, 'nids/pcap error:', e sys.exit(1)
def logPkt(addr, payload, proto=17): tfilename = nids.param('filename') print tfilename pattern = re.compile(r'\/\w*.pcap') test = re.findall(pattern, tfilename) mystr = str(test).strip('[]\'/') temp = mystr.split(".") filename = temp[0] # log a single packet, for UDP and other IP (non-TCP) ip_p = {'proto1':'icmp', 'proto2':'igmp', 6:'tcp', 17:'udp', 41:'ipv6', 47:'gre', 50:'esp', 51:'ah', 58:'icmp6', 94:'ipip', 115:'l2tp', 255:'raw'} if proto == 17: fname = "%s/%s-%s-%s-%s-%s-%s.udp" % (logdir, filename, int(time.time()), addr[0][0], addr[0][1], addr[1][0], addr[1][1]) else: proto = ip_p.get(proto, proto) print proto # pktproto = ip_p[proto] fname = "%s/%s-%s-%s-%s.%s" % (logdir, filename, int(time.time()), long2ip(addr[0]), long2ip(addr[1]), proto) f = open(fname, "w") f.write(payload) f.close() print fname fname = fname + ".fuzz" try: g = open(fname, "w") except: print "unable to log to", logdir return g.write(spamsum.spamsum(payload)) g.close() print fname
def main(): if len(sys.argv) == 2: nids.param("filename", sys.argv[1]) nids.param("device", "all") nids.param("tcp_workarounds", True) nids.param("pcap_timeout", 128) nids.param("scan_num_hosts", 0) # disable portscan detection nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksumming nids.init() tcpCapturer = TCPPacketCapturer() try: nids.run() except nids.error, e: print "[-] Error: %s" % (e)
def main(): if len(sys.argv) == 2: nids.param("filename", sys.argv[1]) nids.param("device", "all") nids.param("tcp_workarounds", True) nids.param("pcap_timeout", 128) nids.param("scan_num_hosts",0) # disable portscan detection nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksumming nids.init() tcpCapturer = TCPPacketCapturer() try: nids.run() except nids.error, e: print "[-] Error: %s" % (e)
def main(): # parse args argparser = argparse.ArgumentParser() argparser.add_argument('PCAP', help='Path to the .pcap file to parse') argparser.add_argument('-H', metavar='HOST', default='127.0.0.1', help='Address to listen on (DEFAULT: 127.0.0.1)') argparser.add_argument('-p', metavar='PORT', type=int, default=3128, help='Port to listen on (DEFAULT: 3128)') argparser.add_argument('-v', action='append_const', const=1, default=[], help='Increase the verbosity level') args = argparser.parse_args() HOST, PORT = args.H, args.p verbosity = len(args.v) # setup logger if verbosity == 0: log_level = logging.ERROR elif verbosity == 1: log_level = logging.INFO else: log_level = logging.DEBUG logging.basicConfig(format='%(levelname)s:%(message)s', level=log_level) # setup the reassembler nids.param("scan_num_hosts", 0) # disable portscan detection nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksum verification: jsunpack says it may cause missed traffic nids.param("filename", args.PCAP) nids.init() nids.register_tcp(reassembleTcpStream) logging.info("Processing TCP streams...") nids.run() # process the open streams, which are not processed by pynids logging.info("Processing open streams...") for c, stream in openstreams.items(): processTcpStream(stream) # run proxy server server = ProxyServer( (HOST,PORT), ProxyRequestHandler) server.allow_reuse_address = True try: logging.info("Proxy listening on %s:%d" % (HOST,PORT)) server.serve_forever() except KeyboardInterrupt: return 0
def process_pcap(filename, protocols=[], dports=[]): global streams_, dports_ streams_ = [] dports_ = dports nids.param("scan_num_hosts", 0) # disable portscan detection nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksumming nids.param("filename", filename) # specify pcap file to parse nids.init() if not protocols or TCP in protocols: nids.register_tcp(handleTcpStream) # Loop forever (network device), or until EOF (pcap file) # Note that an exception in the callback will break the loop! try: nids.run() except nids.error, e: print "nids/pcap error:", e
def logTcp(tcp): tfilename = nids.param('filename') print tfilename pattern = re.compile(r'\/\w*.pcap') test = re.findall(pattern, tfilename) mystr = str(test).strip('[]\'/') temp = mystr.split(".") filename = temp[0] srcip = tcp.addr[0][0] srcport = tcp.addr[0][1] dstip = tcp.addr[1][0] dstport = tcp.addr[1][1] # client to server fname = "%s/%s-%s-%s-%s-%s-%s-CtoS.tcp" % (logdir, filename, int(time.time()), tcp.addr[0][0], tcp.addr[0][1], tcp.addr[1][0], tcp.addr[1][1]) try: f = open(fname, "w") except: print "unable to log to", logdir return toserver = tcp.server.data[:tcp.server.count] f.write(toserver) f.close() print "Client to Server: "+fname fname = "%s/%s-%s-%s-%s-%s-%s-CtoS-tcp.fuzz" % (logdir, filename, int(time.time()), srcip, srcport, dstip, dstport) try: g = open(fname, "w") except: print "unable to log to", logdir return g.write(spamsum.spamsum(toserver)) g.close() print "Client to Server Hashed :"+fname srcip = tcp.addr[0][0] srcport = tcp.addr[0][1] dstip = tcp.addr[1][0] dstport = tcp.addr[1][1] # server to client fname = "%s/%s-%s-%s-%s-%s-%s-StoC.tcp" % (logdir, filename, int(time.time()), tcp.addr[1][0], tcp.addr[1][1], tcp.addr[0][0], tcp.addr[0][1]) f = open(fname, "w") toclient = tcp.client.data[:tcp.client.count] f.write(toclient) f.close() print "Server to Client: "+fname fname = "%s/%s-%s-%s-%s-%s-%s-StoC-tcp.fuzz" % (logdir, filename, int(time.time()), dstip, dstport, srcip, srcport) try: g = open(fname, "w") except: print "unable to log to", logdir return g.write(spamsum.spamsum(toclient)) g.close() print "Sever to Client Hashed: "+fname
def main(): """ Initialise libnids and process the pcap. This is taken from the pynids example code. """ nids.param("pcap_filter", "tcp") # bpf restrict to TCP only, note # libnids caution about fragments nids.param("scan_num_hosts", 0) # disable portscan detection nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksumming if len(sys.argv) == 2: # read a pcap file? nids.param("filename", sys.argv[1]) nids.init() nids.register_tcp(handleTcpStream) # Loop forever (network device), or until EOF (pcap file) # Note that an exception in the callback will break the loop! try: nids.run() except nids.error, e: print "nids/pcap error:", e
def main(): args = sys.argv[1:] print args # Default to listening to all devices nids.param("device", 'any') nids.param("pcap_filter", ' '.join(args) + ' and tcp') # disable portscan detection nids.param("scan_num_hosts", 0) # disable check-summing nids.chksum_ctl([('0.0.0.0/0', False)]) nids.init() (uid, gid) = pwd.getpwnam(NOTROOT)[2:4] os.setgroups([gid, ]) os.setgid(gid) os.setuid(uid) if 0 in [os.getuid(), os.getgid()] + list(os.getgroups()): print "error - drop root, please!" sys.exit(1) nids.register_tcp(handle_tcp) while True: try: nids.next() except nids.error, e: print "nids/pcap error:", e
def main(): global count global responses #nids.param("pcap_filter", "tcp") # bpf restrict to TCP only, note # libnids caution about fragments nids.param("scan_num_hosts", 0) # disable portscan detection #if len(sys.argv) == 2: # read a pcap file? nids.param("filename", sys.argv[1]) nids.init() nids.register_tcp(handleTcpStream) # Loop forever (network device), or until EOF (pcap file) # Note that an exception in the callback will break the loop! try: nids.run() except nids.error, e: print "nids/pcap error:", e
def __init__( self, protocol_uri, protocol_opts, pcap_filepath, output_dir, log_level, log_to_stdout, stats_file=None, dst=None, dest_port=None, src=None, src_port=None, start_date=None, ): self._log_to_stdout = log_to_stdout self._log_level = log_level self._proto_uri = protocol_uri self._proto_opts = protocol_opts self._dest_port = dest_port self._src_port = src_port self._src = src self._dst = dst self.output_dir = output_dir self._pcap_filepath = pcap_filepath self._start_date = start_date nids.param("scan_num_hosts", 0) # disable portscan detection nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksumming nids.param("filename", pcap_filepath) self.stream_parsers = {} self.stats = {} if stats_file is None: now = datetime.utcnow() formatted_time = now.strftime("%Y-%m-%d--%H-%M-%S") self.stats_file_path = os.path.join( self.output_dir, "stats_{}.txt".format(formatted_time)) else: self.stats_file_path = stats_file
def main(): nids.param("pcap_filter", "vlan and port 25") nids.param("scan_num_hosts", 0) nids.chksum_ctl([('0.0.0.0/0', False)]) nids.param("filename", sys.argv[1]) nids.init() nids.register_tcp(tcp_callback) nids.run()
def nids_init(self): nids.param("device", self.interface) nids.param("pcap_filter", "port 80") nids.param("san_num_hosts", 0) #nids.param("dev_addon", ?) #might need this for monitor mode nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksumming nids.init() nids.register_tcp(self.handle_tcp) self.nids = nids
def __init__(self,fname=None,iface='all'): threading.Thread.__init__(self) nids.param("scan_num_hosts", 0) nids.chksum_ctl([('0.0.0.0/0', False)]) if fname: nids.param("filename", fname) else: nids.param("device", iface) nids.init() nids.register_tcp(Nids.handler)
def __init__(self, fname=None, iface='all'): threading.Thread.__init__(self) nids.param("scan_num_hosts", 0) nids.chksum_ctl([('0.0.0.0/0', False)]) if fname: nids.param("filename", fname) else: nids.param("device", iface) nids.init() nids.register_tcp(Nids.handler)
def extract_flows(pcap_file): global ts, requestdata, responsedata, requestcounter, http_req ts, requestdata, responsedata, requestcounter, http_req = \ dict([]), dict([]), dict([]), dict([]), dict([]) nids.param("tcp_workarounds", 1) nids.param("pcap_filter", "tcp") # bpf restrict to TCP only, note nids.param("scan_num_hosts", 0) # disable portscan detection nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksumming nids.param("filename", pcap_file) nids.init() nids.register_tcp(handle_tcp_stream) # print "pid", os.getpid() if DEBUG: print "Reading from pcap file:", pcap_file try: nids.run() except nids.error, e: print "nids/pcap error: ", pcap_file + " ", e
def start(self): if self._filter: nids.param("pcap_filter", self._filter) if self._pcapfile: nids.param("filename", self._pcapfile) elif self._device: nids.param("device", self._device) # Initializing libnids nids.init() # Registering the handler nids.register_tcp(lambda tcp: self._handle_tcp_stream(tcp)) # Running nids nids.run()
def __init__(self, filename, protocol, port=None): threading.Thread.__init__(self) self.port = port self.protocol = protocol self.done = False self.connection_list = deque() self.lock = threading.Lock() self.delete_read_connections = False self.last_read_index = -1 nids.param("filename", filename) nids.chksum_ctl([('0.0.0.0/0', False)]) if port is None: nids.param("pcap_filter", "{}".format(self.protocol)) else: nids.param("pcap_filter", "{} port {}".format(self.protocol, self.port))
def run(self, config): self.config = config self.config.output = open(self.config.output_file, 'a') nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksumming nids.param('scan_num_hosts', 0) # disable portscan detection if self.config.filename: nids.param('filename', self.config.filename) else: nids.param('filename', '-') nids.init() self.stream_handler = StreamHandler(self.config) nids.register_tcp(self.stream_handler.handle) try: nids.run() except nids.error, e: print >> sys.stderr, 'nids/pcap error:', e sys.exit(-1)
def main(): global extract extract = False pcap = False if "-e" in sys.argv: extract = True nids.param("scan_num_hosts", 0) for arg in sys.argv[1:]: if arg.endswith('.pcap'): pcap = True nids.param("filename", arg) if not pcap: nids.param("device", "eth0") nids.init() nids.register_tcp(handleTcpStream) try: nids.run() except nids.error, e: print "nids/pcap error:", e
def extract(pcap_file): global ip_to_domain global ips ips = {} ip_to_domain = {} nids.param("tcp_workarounds", 1) nids.param("scan_num_hosts", 0) # disable portscan detection nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksumming nids.param("filename", pcap_file) nids.init() nids.register_tcp(handle_tcp_stream) nids.register_udp(udp_callback) try: nids.run() except Exception, e: print "Exception ", pcap_file + " ", e return
def run(self, config): self.config = config self.stream_handler = StreamHandler(self.config) nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksumming nids.param('scan_num_hosts', 0) # disable portscan detection if self.config.filename: nids.param('filename', self.config.filename) else: nids.param('device', self.config.interface) nids.init() nids.register_tcp(self.stream_handler.tcp_callback) #nids.register_udp(self.stream_handler.udp_callback) try: nids.run() except nids.error, e: print >> sys.stderr, 'nids/pcap error:', e print >> sys.stderr, 'Error in %s' % self.filename traceback.print_exc(file=sys.stderr)
def parse_pcap(self,options,file): try: import nids except: options.log.error("failed to import LibNIDS are you sure it's installed") sys.exit(-1) self.http_stream_list = [] self.stream_hash = {} self.stream_count = 0 self.filename = os.path.basename(file) self.log = options.log if options.pcap_bpf != None: nids.param("pcap_filter", options.pcap_bpf) nids.param("scan_num_hosts", 0) nids.param("filename", file) nids.init() nids.register_tcp(self.handleTcpStream) try: nids.run() except nids.error, e: options.log.error("nids/pcap error:" % (e))
def sniff(): if not _initialized: raise NameError('Module vars were not initialized.') nids.param('device', _device) nids.param('multiproc', 1) nids.param('scan_num_hosts', 0) nids.chksum_ctl([('0.0.0.0/0', False)]) nids.init() nids.register_tcp(_handle_tcp_stream) nids.register_udp(_handle_udp_stream) nids.register_ip(_handle_ip_packets) arp_sniff = Process(target=scapy_sniff, kwargs=dict(store=0, iface=_device, prn=_parse_arp)) dns_lookups = Process(target=_handle_dns_lookup) traf_dict = Process(target=_handle_new_traf) arp_sniff.start() dns_lookups.start() traf_dict.start() nids.run()
def parse_pcap(self, options, file): try: import nids except: options.log.error( "failed to import LibNIDS are you sure it's installed") sys.exit(-1) self.http_stream_list = [] self.stream_hash = {} self.stream_count = 0 self.filename = os.path.basename(file) self.log = options.log if options.pcap_bpf != None: nids.param("pcap_filter", options.pcap_bpf) nids.param("scan_num_hosts", 0) nids.param("filename", file) nids.init() nids.register_tcp(self.handleTcpStream) try: nids.run() except nids.error, e: options.log.error("nids/pcap error:" % (e))
if self.stopped: break try: while not self.stopped: nids.next() time.sleep(.001) #XXX is this enough or too much? except Exception, e: chop.prnt("Error processing packets", e) #no need to exit else: if options.filename is "": chop.prnt("Empty Filename") self.complete = True return nids.param("scan_num_hosts",0) nids.param("filename",options.filename) try: nids.init() except Exception, e: self.complete = True chop.prnt("Error initting: ", e) return nids.chksum_ctl([('0.0.0.0/0',False),]) nids.register_tcp(handleTcpStreams) nids.register_udp(handleUdpDatagrams) while(True): #This overall while prevents exceptions from halting the long running reading if self.stopped:
def __init__(self, pcap_file=None, device=None, bpf_filter="tcp", dst_tcp_port_filter=None, dst_tcp_ip_filter=None, src_tcp_port_filter=None, src_tcp_ip_filter=None, udp_port_filter=None, udp_ip_filter=None, data_level=1, data_stream_direct=2, std_output_enable=1, file_output_path=None, protocol_parse_conf=None, is_handle_tcp=1, is_handle_udp=1, is_handle_ip=1, sqlite3_output_enable=1, sqlite3_output_path=None, sqlite3_output_schema=None, sqlite3_renew=False): """ Args: pcap_file: device: bpf_filter: dst_port_filter: dst_ip_filter: src_port_filter: src_ip_filter: data_level: data_stream_direct: std_output_enable: file_tcpsession_path: protocol_parse_conf: """ self.is_handle_tcp = is_handle_tcp self.is_handle_udp = is_handle_udp self.is_handle_ip = is_handle_ip self.bpf_filter = bpf_filter self.dst_tcp_port_filter = dst_tcp_port_filter self.dst_tcp_ip_filter = dst_tcp_ip_filter self.src_tcp_port_filter = src_tcp_port_filter self.src_tcp_ip_filter = src_tcp_ip_filter self.udp_ip_filter = udp_ip_filter self.udp_port_filter = udp_port_filter self.device = device self.pcap_file = pcap_file if pcap_file: nids.param("filename", pcap_file) elif device: nids.param("device", device) if bpf_filter: nids.param("pcap_filter", bpf_filter) ## bpf restrict to TCP only, note self.data_level = data_level self.data_stream_direct = data_stream_direct self.std_output_enable = std_output_enable self.file_output_path = file_output_path self.protocol_parse_conf = protocol_parse_conf nids.param("scan_num_hosts", 0) # disable portscan detection nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksumming nids.param("pcap_timeout", 64) nids.param("multiproc", 1) nids.param("tcp_workarounds", 1) # sqlite3 conf which store ip_handle statistic info self.sqlite3_output_enable = sqlite3_output_enable self.sqlite3_output_path = sqlite3_output_path self.sqlite3_output_schema = sqlite3_output_schema self.sqlite3_renew = sqlite3_renew # local ip if self.is_handle_ip: self.local_ip = networktools.get_local_ip(self.device) # var self.tcp_file_fh = None self.udp_file_fh = None self.ip_file_fh = None self.app_proto_fhs = {} if self.file_output_path: # 设置文件输出 if os.path.exists(self.file_output_path) and os.path.isdir( self.file_output_path): # delete old data mills.rm_dir(self.file_output_path) os.mkdir(self.file_output_path) tcp_file_path = mills.path(self.file_output_path, "tcp.txt") self.tcp_file_fh = codecs.open(tcp_file_path, mode='wb', encoding='utf-8', errors='ignore') udp_file_path = mills.path(self.file_output_path, "udp.txt") self.udp_file_fh = codecs.open(udp_file_path, mode='wb', encoding='utf-8', errors='ignore') ip_file_path = mills.path(self.file_output_path, "ip.txt") self.ip_file_fh = codecs.open(ip_file_path, mode='wb', encoding='utf-8', errors='ignore') port_list = set() proto_list = set() for port_filter in [ self.dst_tcp_port_filter, self.src_tcp_port_filter, self.udp_port_filter ]: for port in port_filter: port_list.add(port) for port in port_list: protocol = self.which_protocol_parse(port) if protocol: proto_list.add(protocol) for protocol in proto_list: protocol_file_path = mills.path(self.file_output_path, "%s.txt" % protocol) protocol_file_fh = codecs.open(protocol_file_path, mode='wb', encoding='utf-8', errors='ignore') self.app_proto_fhs[protocol] = protocol_file_fh
def main(): parser = argparse.ArgumentParser( description='minips.py - A minimal IPS', version='0.1', epilog='EXAMPLE: %(prog)s -p test.pcap -r \'shellcode\' \n') inputparser = parser.add_mutually_exclusive_group(required=True) inputparser.add_argument('-d', '--device', action='store', dest='device', help='network device to collect packets from') inputparser.add_argument('-p', '--pcap', action='store', dest='pcap', help='pcap file to read packets from') parser.add_argument('-r', '--regex', action='store', dest='regex', required=True, help='regex to match over network data') parser.add_argument('-i', '--igncase', action='store_true', dest='igncase', default=False, help='perform case insensitive regex match') parser.add_argument('-m', '--multiline', action='store_true', dest='multiline', default=False, help='perform multiline regex match') parser.add_argument('-k', '--killtcp', action='store_true', dest='killtcp', default=False, help='terminate matching tcp connections') parser.add_argument('-b', '--dispbytes', action='store', dest='dispbytes', required=False, help='max bytes to display') args = parser.parse_args() if args.device: globs['device'] = args.device nids.param('device', globs['device']) if args.pcap: globs['pcap'] = args.pcap nids.param('filename', globs['pcap']) if args.killtcp: globs['killtcp'] = True if args.igncase: globs['regexflags'] |= re.IGNORECASE if args.multiline: globs['regexflags'] |= re.MULTILINE globs['regexflags'] |= re.DOTALL if args.regex: globs['regexstr'] = args.regex globs['regexobj'] = re.compile(globs['regexstr'], globs['regexflags']) if args.dispbytes: globs['dispbytes'] = int(args.dispbytes) nids.init() nids.register_tcp(tcpcallback) nids.register_udp(udpcallback) try: nids.run() except nids.error, e: print "[-] Error: %s" % (e)
def main(): banner = '''\ ______ _ __ / __/ /___ _ __(_)___ _________ ___ _____/ /_ / /_/ / __ \ | /| / / / __ \/ ___/ __ \/ _ \/ ___/ __/ / __/ / /_/ / |/ |/ / / / / (__ ) /_/ / __/ /__/ /_ /_/ /_/\____/|__/|__/_/_/ /_/____/ .___/\___/\___/\__/ /_/ ''' import re configopts['regexengine'] = 're' parser = argparse.ArgumentParser() inputgroup = parser.add_mutually_exclusive_group(required=True) inputgroup.add_argument( '-p', metavar='--pcap', dest='pcap', default='', action='store', help='input pcap file') inputgroup.add_argument( '-d', metavar='--device', dest='device', default='lo', action='store', help='listening device') regex_direction_flags = parser.add_argument_group('RegEx per Direction') regex_direction_flags.add_argument( '-c', metavar='--cregex', dest='cres', default=[], action='append', required=False, help='regex to match against CTS data') regex_direction_flags.add_argument( '-s', metavar='--sregex', dest='sres', default=[], action='append', required=False, help='regex to match against STC data') regex_direction_flags.add_argument( '-a', metavar='--aregex', dest='ares', default=[], action='append', required=False, help='regex to match against ANY data') regex_options = parser.add_argument_group('RegEx Options') regex_options.add_argument( '-i', dest='igncase', default=False, action='store_true', required=False, help='ignore case') regex_options.add_argument( '-m', dest='multiline', default=True, action='store_false', required=False, help='disable multiline match') fuzzy_direction_flags = parser.add_argument_group('Fuzzy Patterns per Direction') fuzzy_direction_flags.add_argument( '-G', metavar='--cfuzz', dest='cfuzz', default=[], action='append', required=False, help='string to fuzzy match against CTS data') fuzzy_direction_flags.add_argument( '-H', metavar='--sfuzz', dest='sfuzz', default=[], action='append', required=False, help='string to fuzzy match against STC data') fuzzy_direction_flags.add_argument( '-I', metavar='--afuzz', dest='afuzz', default=[], action='append', required=False, help='string to fuzzy match against ANY data') fuzzy_options = parser.add_argument_group('Fuzzy Options') fuzzy_options.add_argument( '-r', metavar='fuzzminthreshold', dest='fuzzminthreshold', type=int, default=75, action='store', required=False, help='threshold for fuzzy match (1-100) - default 75') yara_direction_flags = parser.add_argument_group('Yara Rules per Direction') yara_direction_flags.add_argument( '-P', metavar='--cyararules', dest='cyararules', default=[], action='append', required=False, help='Yara rules to match on CTS data') yara_direction_flags.add_argument( '-Q', metavar='--syararules', dest='syararules', default=[], action='append', required=False, help='Yara rules to match on STC data') yara_direction_flags.add_argument( '-R', metavar='--ayararules', dest='ayararules', default=[], action='append', required=False, help='Yara rules to match on ANY data') shellcode_options = parser.add_argument_group('Shellcode Detection') shellcode_options.add_argument( '-M', dest='shellcode', default=False, action='store_true', required=False, help='enable shellcode detection') shellcode_options.add_argument( '-J', dest='asm4shellcode', default=False, action='store_true', required=False, help='enable shellcode disassembly') shellcode_options.add_argument( '-y', dest='emuprofile', default=False, action='store_true', required=False, help='generate emulator profile for detected shellcode') shellcode_options.add_argument( '-Y', metavar='--emuprofileoutsize', dest='emuprofileoutsize', default=0, action='store', required=False, help='emulator profile memory size (default 1024K | max: 10240K)') content_modifiers = parser.add_argument_group('Content Modifiers') content_modifiers.add_argument( '-O', metavar='--offset', dest='offset', default=0, action='store', required=False, help='bytes to skip before matching') content_modifiers.add_argument( '-D', metavar='--depth', dest='depth', default=0, action='store', required=False, help='bytes to look at while matching (starting from offset)') inspection_limits = parser.add_argument_group('Inspection Limits') inspection_limits.add_argument( '-T', metavar='--maxinspstreams', dest='maxinspstreams', default=0, action='store', type=int, required=False, help='max streams to inspect') inspection_limits.add_argument( '-U', metavar='--maxinsppackets', dest='maxinsppackets', default=0, action='store', type=int, required=False, help='max packets to inspect') display_limits = parser.add_argument_group('Display Limits') display_limits.add_argument( '-t', metavar='--maxdispstreams', dest='maxdispstreams', default=0, action='store', type=int, required=False, help='max streams to display') display_limits.add_argument( '-u', metavar='--maxdisppackets', dest='maxdisppackets', default=0, action='store', type=int, required=False, help='max packets to display') display_limits.add_argument( '-b', metavar='--maxdispbytes', dest='maxdispbytes', default=0, action='store', type=int, required=False, help='max bytes to display') output_options = parser.add_argument_group('Output Options') output_options.add_argument( '-w', metavar='logdir', dest='writebytes', default='', action='store', required=False, nargs='?', help='write matching packets/streams') output_options.add_argument( '-o', dest='outmodes', choices=('quite', 'meta', 'hex', 'print', 'raw'), action='append', default=[], required=False, help='match output modes') misc_options = parser.add_argument_group('Misc. Options') misc_options.add_argument( '-f', metavar='--bpf', dest='bpf', default='', action='store', required=False, help='BPF expression') misc_options.add_argument( '-v', dest='invmatch', default=False, action='store_true', required=False, help='invert match') misc_options.add_argument( '-V', dest='verbose', default=0, action='count', required=False, help='verbose output (max: 3)') misc_options.add_argument( '-e', dest='colored', default=False, action='store_true', required=False, help='highlight CTS/STC matches') misc_options.add_argument( '-k', dest='killtcp', default=False, action='store_true', required=False, help='kill matching TCP stream') misc_options.add_argument( '-j', dest='tcpmultimatch', default=False, action='store_true', required=False, help='enable TCP multi match mode') pcapwrite = parser.add_mutually_exclusive_group(required=False) pcapwrite.add_argument( '-z', dest='writepcapfast', default=False, action='store_true', help='write matching flows to pcap w/ %d post match packets' % (configopts['pcappacketct'])) pcapwrite.add_argument( '-Z', dest='writepcap', default=False, action='store_true', help='write matching flows to pcap w/ all post match packets') misc_options.add_argument( '-q', metavar='pcappacketct', dest='pcappacketct', default=configopts['pcappacketct'], action='store', help='# of post match packets to write to pcap') misc_options.add_argument( '-L', dest='linemode', default=False, action='store_true', required=False, help='enable linemode (disables inspection)') misc_options.add_argument( '-B', dest='nobanner', default=False, action='store_true', required=False, help='skip banner/version display on startup') misc_options.add_argument( '-S', dest='nosummary', default=False, action='store_true', required=False, help='skip match summary display at exit') misc_options.add_argument( '-n', dest='dumpargs', default=False, action='store_true', required=False, help='show argument stats') args = parser.parse_args() if args.pcap: configopts['pcap'] = args.pcap nids.param('filename', configopts['pcap']) configopts['livemode'] = False elif args.device: configopts['device'] = args.device nids.param('device', configopts['device']) configopts['livemode'] = True if args.igncase: configopts['igncase'] = True configopts['reflags'] |= re.IGNORECASE if args.invmatch: configopts['invertmatch'] = True if args.multiline: configopts['multiline'] = True configopts['reflags'] |= re.MULTILINE configopts['reflags'] |= re.DOTALL if args.tcpmultimatch: configopts['tcpmultimatch'] = True if configopts['regexengine']: if args.cres: if 'regex' not in configopts['inspectionmodes']: configopts['inspectionmodes'].append('regex') for c in args.cres: configopts['ctsregexes'][re.compile(c, configopts['reflags'])] = { 'regexpattern': c } if args.sres: if 'regex' not in configopts['inspectionmodes']: configopts['inspectionmodes'].append('regex') for s in args.sres: configopts['stcregexes'][re.compile(s, configopts['reflags'])] = { 'regexpattern': s } if args.ares: if 'regex' not in configopts['inspectionmodes']: configopts['inspectionmodes'].append('regex') for a in args.ares: configopts['ctsregexes'][re.compile(a, configopts['reflags'])] = { 'regexpattern': a } configopts['stcregexes'][re.compile(a, configopts['reflags'])] = { 'regexpattern': a } if args.cfuzz or args.sfuzz or args.afuzz: try: from fuzzywuzzy import fuzz configopts['fuzzengine'] = 'fuzzywuzzy' except ImportError, ex: dowarn('Import failed: %s' % ex) configopts['fuzzengine'] = None
def main(): logging.basicConfig(filename="mspCapturer.log",level=logging.DEBUG) if (len(sys.argv) != 2): logging.error( 'Invalid arguments. Usage: main.py <monitor port(s)>\n monitor ports should be specified in a comma seperated list ') sys.exit(1) logging.info( 'Set up Reassembler') nids.param("scan_num_hosts",0) # disable portscan detection nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksumming nids.param("pcap_timeout", 128) nids.param("tcp_workarounds", True) nids.param("sk_buff_size", 256) #default 168 nids.param("n_tcp_streams", 2048) #default 1024 nids.param("device", "all") nids.init() assm = Reassembler(ports=sys.argv[1]) try: nids.run() except KeyboardInterrupt: logging.error( "Reassembler Terminated: Quitting") sys.exit(2)
if self.stopped: break try: while not self.stopped: nids.next() time.sleep(.001) #XXX is this enough or too much? except Exception, e: chop.prnt("Error processing packets", e) #no need to exit else: if options['filename'] is "": chop.prnt("Empty Filename") self.complete = True return nids.param("scan_num_hosts",0) nids.param("filename",options['filename']) if options['bpf'] is not None: nids.param("pcap_filter", options['bpf']) try: nids.init() except Exception, e: self.complete = True chop.prnt("Error initting: ", e) return nids.chksum_ctl([('0.0.0.0/0',False),]) nids.register_tcp(handleTcpStreams) nids.register_udp(handleUdpDatagrams) nids.register_ip(handleIpPackets)
def main(): from optparse import OptionParser parser = OptionParser() parser.add_option("-d", "--device", dest="device", help="sniff on network device DEVICE", metavar="DEVICE") parser.add_option("-f", "--file", dest="file", help="use pcap logfile FILE", metavar="FILE") parser.add_option("-l", "--log", dest="log", action="store_true", default=False, help="create logs") parser.add_option("-p", "--pid", dest="pid", help="attach to process PID", metavar="PID") (options, args) = parser.parse_args() nids.param("scan_num_hosts", 0) # Disable portscan detection logfiles = {} sniff = Sniffer() sniff.starttime = datetime.now() def timestring(): td = datetime.now() - sniff.starttime return "[% 8.3f]" % (td.seconds + td.microseconds/1000000.0) def message_output_handler(message): if options.log: connection = message.source.connection if connection.session: if connection in logfiles: logfile = logfiles[connection] else: logname = "%s_%s.wlog" % (connection.session.account, datetime.now().strftime("%Y-%m-%d_%H-%M-%S")) print timestring(), 'Creating log file "%s"' % logname logfile = log.Log(open(logname, "wb")) logfile.write_header() session = connection.session sinfo = log.SessionInfo(session.game, session.version, session.locale, connection.client.address, connection.server.address, session.account) logfile.write(sinfo) logfiles[connection] = logfile if message.source is connection.client: cls = messages.ClientMessage elif message.source is connection.server: cls = messages.ServerMessage else: cls = None if cls: logfile.write(cls(message.opcode, connection.client.address, connection.server.address, message.data)) else: # FIXME: This always discards the first message (SMSG_AUTH_CHALLENGE) because at that point, # the session is not yet known. We should cache this message and output it too. pass print timestring(), opcodes.names[message.opcode].ljust(55), if len(message.data) > 0: print "% 6d bytes" % len(message.data) else: print def session_output_handler(session): print timestring(), "New Session:", session sniff.message_handler = message_output_handler sniff.session_handler = session_output_handler if options.device: nids.param("device", options.device) if options.file: nids.param("filename", options.file) pid = None if options.pid is not None and options.pid.isdigit(): pid = int(options.pid) elif options.pid == "auto": pid = findWowProcess() if pid: print timestring(), "Attaching to process", pid sniff.addProcess(pid) elif not options.file: print timestring(), "Warning: Not attaching to any process" nids.init() nids.register_tcp(sniff.tcp_handler) nids.run()
class ChopCore(Thread): def __init__(self,options, module_list, chp, chophelper): Thread.__init__(self) self.options = options self.module_list = module_list self.chophelper = chophelper self.stopped = False self.complete = False global chop chop = chp def stop(self): self.complete = True self.stopped = True def iscomplete(self): return self.complete def getptime(self): global ptimestamp return ptimestamp def getmeta(self): global metadata return metadata def prep_modules(self): self.chophelper.set_core(self) modules = self.module_list for module in modules: module = module[0] module.chop = self.chophelper.setup_module(module.moduleName) def run(self): global chop #Initialize modules to be run options = self.options modules = self.module_list#module_list module_options = {} chop.prettyprnt("RED", "Initializing Modules ...") for module in modules: name = module[2] arguments = shlex.split(module[1]) module = module[0] #Create module_data for all modules module.module_data = {'args':arguments} module.streaminfo = {} chop.prettyprnt("CYAN", "\tInitializing module '" + name + "'") try: module_options = module.init(module.module_data) except Exception, e: chop.prnt("Error Initializing Module", module.moduleName + ":", e) self.complete = True return if 'error' in module_options: chop.prettyprnt("GREEN", "\t\t%s init failure: %s" % (module.moduleName, module_options['error'])) continue if module_options['proto'] == 'tcp' : tcp_modules.append(module) all_modules.append(module) elif module_options['proto'] == 'ip' : ip_modules.append(module) all_modules.append(module) elif module_options['proto'] == 'udp' : udp_modules.append(module) all_modules.append(module) else: chop.prnt("Undefined Module Type\n") self.complete = True return if not all_modules: chop.prnt("No modules") self.complete = True return chop.prettyprnt("RED", "Running Modules ...") #Actually run the modules if options['interface']: nids.param("scan_num_hosts",0) nids.param("device",options['interface']) if options['bpf'] is not None: nids.param("pcap_filter", options['bpf']) try: nids.init() except Exception, e: chop.prnt("Error initting: ", e) self.complete = True return nids.chksum_ctl([('0.0.0.0/0',False),]) nids.register_tcp(handleTcpStreams) nids.register_udp(handleUdpDatagrams) while(True): #This overall while prevents exceptions from halting the processing of packets if self.stopped: break try: while not self.stopped: nids.next() time.sleep(.001) #XXX is this enough or too much? except Exception, e: chop.prnt("Error processing packets", e)
class ChopCore(Thread): def __init__(self, options, module_list, chp, chophelper): Thread.__init__(self) self.options = options self.module_list = module_list self.chophelper = chophelper self.stopped = False self.complete = False self.abort = False global chop chop = chp def stop(self): self.complete = True self.stopped = True def iscomplete(self): return self.complete def getptime(self): global ptimestamp return ptimestamp def getmeta(self): global metadata return metadata def prep_modules(self): self.chophelper.set_core(self) modules = self.module_list for module in modules: code = module.code code.chop = self.chophelper.setup_module(code.moduleName) def run(self): global chop #Initialize modules to be run options = self.options modules = self.module_list #module_list module_options = {} chop.prettyprnt("RED", "Initializing Modules ...") for module in modules: name = module.name arguments = module.arguments #shlex.split(module[1]) code = module.code #module[0] #Create module_data for all modules module.module_data = {'args': arguments} module.streaminfo = {} chop.prettyprnt("CYAN", "\tInitializing module '" + name + "'") try: module_options = code.init(module.module_data) except Exception, e: chop.prnt("Error Initializing Module", code.moduleName + ":", e) self.complete = True return if 'error' in module_options: chop.prettyprnt( "GREEN", "\t\t%s init failure: %s" % (code.moduleName, module_options['error'])) continue if module.legacy: if module_options['proto'] == 'tcp': tcp_modules.append(module) all_modules.append(module) module.streaminfo['tcp'] = {} elif module_options['proto'] == 'ip': ip_modules.append(module) all_modules.append(module) module.streaminfo['ip'] = {} elif module_options['proto'] == 'udp': udp_modules.append(module) all_modules.append(module) module.streaminfo['udp'] = {} else: chop.prnt("Undefined Module Type\n") self.complete = True return else: all_modules.append(module) #Proto is an array of dictionaries if not isinstance(module_options['proto'], list): #Malformed chop.prnt("%s has malformed proto list" % module.code.moduleName) self.complete = True return for proto in module_options['proto']: #Right now (4.0) each dictionary only has one key #This might change in the future but should be easy #since it's already a separate dictionary if type(proto) is not dict: chop.prnt("%s has malformed proto list" % module.code.moduleName) self.complete = True return for input in proto.keys(): if input not in module.inputs: module.inputs[input] = [] if proto[input] != '': module.inputs[input].append(proto[input]) module.outputs.append(proto[input]) #Initialize the streaminfo array by type if input != 'any' and input != 'ip': module.streaminfo[input] = {} if input == 'tcp': tcp_modules.append(module) elif input == 'udp': udp_modules.append(module) elif input == 'ip': ip_modules.append(module) elif input == 'any': #Special input that catches all non-core types #Initialize the streaminfo for all parents of the 'any' module if not len(module.parents): chop.prettyprnt( "GREEN", "WARNING: No Parent for %s to provide data" % (module.code.moduleName)) else: for parent in module.parents: for output in parent.outputs: module.streaminfo[output] = {} else: # non-core types, e.g., 'http' or 'dns' if len(module.parents ): #Make sure parents give it what it wants for parent in module.parents: if input not in parent.outputs: chop.prettyprnt( "GREEN", "WARNING: Parent to %s not providing %s data" % (module.code.moduleName, input)) else: chop.prettyprnt( "GREEN", "WARNING: No Parent for %s providing %s data" % (module.code.moduleName, input)) if not all_modules: chop.prnt("No modules") self.complete = True return chop.prettyprnt("RED", "Running Modules ...") #Actually run the modules if options['interface']: nids.param("scan_num_hosts", 0) nids.param("device", options['interface']) if options['bpf'] is not None: nids.param("pcap_filter", options['bpf']) try: nids.init() except Exception, e: chop.prnt("Error initting on interface: ", e) self.complete = True return nids.chksum_ctl([ ('0.0.0.0/0', False), ]) nids.register_tcp(handleTcpStreams) nids.register_udp(handleUdpDatagrams) nids.register_ip(handleIpPackets) while ( True ): #This overall while prevents exceptions from halting the processing of packets if self.stopped: break try: while not self.stopped: nids.next() time.sleep(.001) #XXX is this enough or too much? except Exception, e: chop.prnt("Error processing packets", e)
def main(): from optparse import OptionParser parser = OptionParser() parser.add_option("-d", "--device", dest="device", help="sniff on network device DEVICE", metavar="DEVICE") parser.add_option("-f", "--file", dest="file", help="use pcap logfile FILE", metavar="FILE") parser.add_option("-l", "--log", dest="log", action="store_true", default=False, help="create logs") parser.add_option("-p", "--pid", dest="pid", help="attach to process PID", metavar="PID") (options, args) = parser.parse_args() nids.param("scan_num_hosts", 0) # Disable portscan detection logfiles = {} sniff = Sniffer() sniff.starttime = datetime.now() def timestring(): td = datetime.now() - sniff.starttime return "[% 8.3f]" % (td.seconds + td.microseconds / 1000000.0) def message_output_handler(message): if options.log: connection = message.source.connection if connection.session: if connection in logfiles: logfile = logfiles[connection] else: logname = "%s_%s.wlog" % ( connection.session.account, datetime.now().strftime("%Y-%m-%d_%H-%M-%S")) print timestring(), 'Creating log file "%s"' % logname logfile = log.Log(open(logname, "wb")) logfile.write_header() session = connection.session sinfo = log.SessionInfo(session.game, session.version, session.locale, connection.client.address, connection.server.address, session.account) logfile.write(sinfo) logfiles[connection] = logfile if message.source is connection.client: cls = messages.ClientMessage elif message.source is connection.server: cls = messages.ServerMessage else: cls = None if cls: logfile.write( cls(message.opcode, connection.client.address, connection.server.address, message.data)) else: # FIXME: This always discards the first message (SMSG_AUTH_CHALLENGE) because at that point, # the session is not yet known. We should cache this message and output it too. pass print timestring(), opcodes.names[message.opcode].ljust(55), if len(message.data) > 0: print "% 6d bytes" % len(message.data) else: print def session_output_handler(session): print timestring(), "New Session:", session sniff.message_handler = message_output_handler sniff.session_handler = session_output_handler if options.device: nids.param("device", options.device) if options.file: nids.param("filename", options.file) pid = None if options.pid is not None and options.pid.isdigit(): pid = int(options.pid) elif options.pid == "auto": pid = findWowProcess() if pid: print timestring(), "Attaching to process", pid sniff.addProcess(pid) elif not options.file: print timestring(), "Warning: Not attaching to any process" nids.init() nids.register_tcp(sniff.tcp_handler) nids.run()
if self.stopped: break try: while not self.stopped: nids.next() time.sleep(.001) #XXX is this enough or too much? except Exception, e: chop.prnt("Error processing packets", e) #no need to exit else: if options['filename'] is "": chop.prnt("Empty Filename") self.complete = True return nids.param("scan_num_hosts", 0) nids.param("filename", options['filename']) if options['bpf'] is not None: nids.param("pcap_filter", options['bpf']) try: nids.init() except Exception, e: self.complete = True chop.prnt("Error initting: ", e) return nids.chksum_ctl([ ('0.0.0.0/0', False), ]) nids.register_tcp(handleTcpStreams)
_tcp_bag[tcp.addr][2] += 1 _tcp_bag[tcp.addr][3] = tcp.nids_state def handleUdpStream(addrs, payload, pkt): global _udp_pkts _udp_pkts += 1 if len(sys.argv) < 2: print_usage() sys.exit(-1) input_file = sys.argv[1] nids.param("filename", input_file) #nids.param("scan_num_hosts", 0) nids.chksum_ctl([('0.0.0.0/0', False)]) # Loop forever (network device), or until EOF (pcap file) # Note that an exception in the callback will break the loop! try: nids.init() nids.register_tcp(handleTcpStream) nids.register_udp(handleUdpStream) nids.run() except nids.error, e: print "nids/pcap error:", e except Exception, e: print "misc. exception (runtime error in user callback?):", e
try: import pydasm configopts['asm4shellcode'] = True except ImportError, ex: dowarn('Import failed: %s' % ex) if args.emuprofile: configopts['emuprofile'] = True if int(args.emuprofileoutsize) > 0 and int( args.emuprofileoutsize) <= 10240: configopts['emuprofileoutsize'] = int(args.emuprofileoutsize) if args.bpf: configopts['bpf'] = args.bpf nids.param('pcap_filter', configopts['bpf']) if args.killtcp: if configopts['livemode']: configopts['killtcp'] = True if args.writepcap: configopts['writepcap'] = True if args.writepcapfast: configopts['writepcapfast'] = True if int(args.pcappacketct) >= 0: configopts['pcappacketct'] = int(args.pcappacketct) if args.colored: try:
def __init__(self, pcap_file=None, device=None, bpf_filter="tcp", dst_port_filter=None, dst_ip_filter=None, data_level=1, data_stream_direct=2, std_output_enable=1, file_tcpsession_path=None, protocol_parse_conf=None): """ :param pcap_file: :param device: :param bpf_filter: :param dst_port_filter: :param dst_ip_filter: :param data_level: :param data_stream_direct: :param is_human_print: :param file_output_file: """ self.dst_port_filter = dst_port_filter self.dst_ip_filter = dst_ip_filter self.device = device self.pcap_file = pcap_file if pcap_file: nids.param("filename", pcap_file) elif device: nids.param("device", device) if bpf_filter: nids.param("pcap_filter", bpf_filter) ## bpf restrict to TCP only, note self.data_level = data_level self.data_stream_direct = data_stream_direct self.std_output_enable = std_output_enable self.file_tcpsession_path = file_tcpsession_path self.protocol_parse_conf = protocol_parse_conf nids.param("scan_num_hosts", 0) # disable portscan detection nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksumming nids.param("pcap_timeout", 64) nids.param("multiproc", 1) nids.param("tcp_workarounds", 1) self.file_hd_tcpsession = None self.file_hd_tcpsession_parse = None if self.file_tcpsession_path: self.file_hd_tcpsession = codecs.open(self.file_tcpsession_path, mode='wb', encoding='utf-8', errors='ignore') if self.data_stream_direct == 2: file_tcpsession_path_parse = "%s_parse" % self.file_tcpsession_path self.file_hd_tcpsession_parse = codecs.open( file_tcpsession_path_parse, mode='wb', encoding='utf-8', errors='ignore')
"src_ip": src, "src_port": sport, "dst_ip": dst, "dst_port": dport, "time": start_time[tcp.addr], "duration": (ts - start_time[tcp.addr]), "contains_flag": contains_flag[tcp.addr], "starred": 0, "flow": current_data } flows_to_import.append(flow) del data_flow[tcp.addr] nids.param("pcap_filter", "tcp") # restrict to TCP only nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksumming if len(sys.argv) == 2: filename = sys.argv[1] if "./" in filename: filename = filename[2:] print("importing pcaps from " + filename) nids.param("filename", filename) else: print("pcap file required") exit() nids.init() nids.register_tcp(handleTcpStream) nids.run()
def main(): try: ifile="" global dev global filter global debug global response_dict global interactive global filter_by global cant_bytes_min global ssh_user_string (uid, gid) = pwd.getpwnam(NOTROOT)[2:4] os.setgroups([gid,]) os.setgid(gid) os.setuid(uid) if 0 in [os.getuid(), os.getgid()] + list(os.getgroups()): print "error - drop root, please!" sys.exit(1) opts, args = getopt.getopt(sys.argv[1:], "d:hVi:qf:Dt:b:s:", ["device=","help","version","input-file=","filter=","--debug","session-type=","min-bytes=","ssh-string="]) except getopt.GetoptError: usage() for opt, arg in opts: if opt in ("-h", "--help"): usage() if opt in ("-V", "--version"): version() if opt in ("-i", "--input-file"): ifile = arg if opt in ("-d", "--capture-device"): dev = arg if opt in ("-f", "--filter"): filter = arg if opt in ("-D", "--debug"): debug=1 #if opt in ("-I", "--interactive"): interactive=True if opt in ("-t", "--session-type"): filter_by = arg if opt in ("-b", "--min-bytes"): cant_bytes_min = arg if opt in ("-s", "--ssh-string"): ssh_user_string = arg try: if filter_by != "": interactive = True if ifile!="" and dev=="": if debug: print 'Input File : %s' % (ifile) nids.param("filename", ifile) elif ifile=="" and dev!="": if debug: print 'Capturing from device : %s' % (dev) elif ifile=="" and dev=="": usage() sys.exit(1) if filter: if debug: print 'Filter: %s' % (filter) nids.param("pcap_filter",filter) nids.param("scan_num_hosts", 0) # disable portscan detection nids.init() nids.register_tcp(handleTcpStream) try: if debug: print ' -- Start processing' nids.run() output() except nids.error, e: print "nids/pcap error:", e output() except Exception, e: print "misc. exception (runtime error from user callback?):", e output()
def main(): banner = '''\ ______ _ __ / __/ /___ _ __(_)___ _________ ___ _____/ /_ / /_/ / __ \ | /| / / / __ \/ ___/ __ \/ _ \/ ___/ __/ / __/ / /_/ / |/ |/ / / / / (__ ) /_/ / __/ /__/ /_ /_/ /_/\____/|__/|__/_/_/ /_/____/ .___/\___/\___/\__/ /_/ ''' import re configopts['regexengine'] = 're' parser = argparse.ArgumentParser() inputgroup = parser.add_mutually_exclusive_group(required=True) inputgroup.add_argument('-p', metavar='--pcap', dest='pcap', default='', action='store', help='input pcap file') inputgroup.add_argument('-d', metavar='--device', dest='device', default='lo', action='store', help='listening device') regex_direction_flags = parser.add_argument_group('RegEx per Direction') regex_direction_flags.add_argument('-c', metavar='--cregex', dest='cres', default=[], action='append', required=False, help='regex to match against CTS data') regex_direction_flags.add_argument('-s', metavar='--sregex', dest='sres', default=[], action='append', required=False, help='regex to match against STC data') regex_direction_flags.add_argument('-a', metavar='--aregex', dest='ares', default=[], action='append', required=False, help='regex to match against ANY data') regex_options = parser.add_argument_group('RegEx Options') regex_options.add_argument('-i', dest='igncase', default=False, action='store_true', required=False, help='ignore case') regex_options.add_argument('-m', dest='multiline', default=True, action='store_false', required=False, help='disable multiline match') fuzzy_direction_flags = parser.add_argument_group( 'Fuzzy Patterns per Direction') fuzzy_direction_flags.add_argument( '-G', metavar='--cfuzz', dest='cfuzz', default=[], action='append', required=False, help='string to fuzzy match against CTS data') fuzzy_direction_flags.add_argument( '-H', metavar='--sfuzz', dest='sfuzz', default=[], action='append', required=False, help='string to fuzzy match against STC data') fuzzy_direction_flags.add_argument( '-I', metavar='--afuzz', dest='afuzz', default=[], action='append', required=False, help='string to fuzzy match against ANY data') fuzzy_options = parser.add_argument_group('Fuzzy Options') fuzzy_options.add_argument( '-r', metavar='fuzzminthreshold', dest='fuzzminthreshold', type=int, default=75, action='store', required=False, help='threshold for fuzzy match (1-100) - default 75') yara_direction_flags = parser.add_argument_group( 'Yara Rules per Direction') yara_direction_flags.add_argument('-P', metavar='--cyararules', dest='cyararules', default=[], action='append', required=False, help='Yara rules to match on CTS data') yara_direction_flags.add_argument('-Q', metavar='--syararules', dest='syararules', default=[], action='append', required=False, help='Yara rules to match on STC data') yara_direction_flags.add_argument('-R', metavar='--ayararules', dest='ayararules', default=[], action='append', required=False, help='Yara rules to match on ANY data') shellcode_options = parser.add_argument_group('Shellcode Detection') shellcode_options.add_argument('-M', dest='shellcode', default=False, action='store_true', required=False, help='enable shellcode detection') shellcode_options.add_argument('-J', dest='asm4shellcode', default=False, action='store_true', required=False, help='enable shellcode disassembly') shellcode_options.add_argument( '-y', dest='emuprofile', default=False, action='store_true', required=False, help='generate emulator profile for detected shellcode') shellcode_options.add_argument( '-Y', metavar='--emuprofileoutsize', dest='emuprofileoutsize', default=0, action='store', required=False, help='emulator profile memory size (default 1024K | max: 10240K)') content_modifiers = parser.add_argument_group('Content Modifiers') content_modifiers.add_argument('-O', metavar='--offset', dest='offset', default=0, action='store', required=False, help='bytes to skip before matching') content_modifiers.add_argument( '-D', metavar='--depth', dest='depth', default=0, action='store', required=False, help='bytes to look at while matching (starting from offset)') inspection_limits = parser.add_argument_group('Inspection Limits') inspection_limits.add_argument('-T', metavar='--maxinspstreams', dest='maxinspstreams', default=0, action='store', type=int, required=False, help='max streams to inspect') inspection_limits.add_argument('-U', metavar='--maxinsppackets', dest='maxinsppackets', default=0, action='store', type=int, required=False, help='max packets to inspect') display_limits = parser.add_argument_group('Display Limits') display_limits.add_argument('-t', metavar='--maxdispstreams', dest='maxdispstreams', default=0, action='store', type=int, required=False, help='max streams to display') display_limits.add_argument('-u', metavar='--maxdisppackets', dest='maxdisppackets', default=0, action='store', type=int, required=False, help='max packets to display') display_limits.add_argument('-b', metavar='--maxdispbytes', dest='maxdispbytes', default=0, action='store', type=int, required=False, help='max bytes to display') output_options = parser.add_argument_group('Output Options') output_options.add_argument('-w', metavar='logdir', dest='writebytes', default='', action='store', required=False, nargs='?', help='write matching packets/streams') output_options.add_argument('-o', dest='outmodes', choices=('quite', 'meta', 'hex', 'print', 'raw'), action='append', default=[], required=False, help='match output modes') misc_options = parser.add_argument_group('Misc. Options') misc_options.add_argument('-f', metavar='--bpf', dest='bpf', default='', action='store', required=False, help='BPF expression') misc_options.add_argument('-v', dest='invmatch', default=False, action='store_true', required=False, help='invert match') misc_options.add_argument('-V', dest='verbose', default=0, action='count', required=False, help='verbose output (max: 3)') misc_options.add_argument('-e', dest='colored', default=False, action='store_true', required=False, help='highlight CTS/STC matches') misc_options.add_argument('-k', dest='killtcp', default=False, action='store_true', required=False, help='kill matching TCP stream') misc_options.add_argument('-j', dest='tcpmultimatch', default=False, action='store_true', required=False, help='enable TCP multi match mode') pcapwrite = parser.add_mutually_exclusive_group(required=False) pcapwrite.add_argument( '-z', dest='writepcapfast', default=False, action='store_true', help='write matching flows to pcap w/ %d post match packets' % (configopts['pcappacketct'])) pcapwrite.add_argument( '-Z', dest='writepcap', default=False, action='store_true', help='write matching flows to pcap w/ all post match packets') misc_options.add_argument('-q', metavar='pcappacketct', dest='pcappacketct', default=configopts['pcappacketct'], action='store', help='# of post match packets to write to pcap') misc_options.add_argument('-L', dest='linemode', default=False, action='store_true', required=False, help='enable linemode (disables inspection)') misc_options.add_argument('-B', dest='nobanner', default=False, action='store_true', required=False, help='skip banner/version display on startup') misc_options.add_argument('-S', dest='nosummary', default=False, action='store_true', required=False, help='skip match summary display at exit') misc_options.add_argument('-n', dest='dumpargs', default=False, action='store_true', required=False, help='show argument stats') args = parser.parse_args() if args.pcap: configopts['pcap'] = args.pcap nids.param('filename', configopts['pcap']) configopts['livemode'] = False elif args.device: configopts['device'] = args.device nids.param('device', configopts['device']) configopts['livemode'] = True if args.igncase: configopts['igncase'] = True configopts['reflags'] |= re.IGNORECASE if args.invmatch: configopts['invertmatch'] = True if args.multiline: configopts['multiline'] = True configopts['reflags'] |= re.MULTILINE configopts['reflags'] |= re.DOTALL if args.tcpmultimatch: configopts['tcpmultimatch'] = True if configopts['regexengine']: if args.cres: if 'regex' not in configopts['inspectionmodes']: configopts['inspectionmodes'].append('regex') for c in args.cres: configopts['ctsregexes'][re.compile(c, configopts['reflags'])] = { 'regexpattern': c } if args.sres: if 'regex' not in configopts['inspectionmodes']: configopts['inspectionmodes'].append('regex') for s in args.sres: configopts['stcregexes'][re.compile(s, configopts['reflags'])] = { 'regexpattern': s } if args.ares: if 'regex' not in configopts['inspectionmodes']: configopts['inspectionmodes'].append('regex') for a in args.ares: configopts['ctsregexes'][re.compile(a, configopts['reflags'])] = { 'regexpattern': a } configopts['stcregexes'][re.compile(a, configopts['reflags'])] = { 'regexpattern': a } if args.cfuzz or args.sfuzz or args.afuzz: try: from fuzzywuzzy import fuzz configopts['fuzzengine'] = 'fuzzywuzzy' except ImportError, ex: dowarn('Import failed: %s' % ex) configopts['fuzzengine'] = None