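 def test_is_encrypted(self):
     """The stream that carries a TLS handshake must be reported as encrypted.

     Reassembles ``self.pcap``, picks the pair indexed by
     ``self.stream_with_ssl_handshake`` and reads the SSL status through the
     public ``get_stream_status()`` accessor.
     """
     print('------------------- test_is_encrypted -------------------')
     reassembler = Session_Reassembler(self.pcap)
     pairs = reassembler.get_session_pairs()
     pair = pairs[self.stream_with_ssl_handshake]
     is_encrypted = pair.get_stream_status().ssl_status.is_encrypted
     # assertEqual: assertEquals is a deprecated alias (removed in Python 3.12).
     self.assertEqual(is_encrypted, Is_Encrypted_Enum.YES)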
 def test_ssl_svr_ccs_is_seen(self):
     """Server-side handshake analysis must flag the server ChangeCipherSpec.

     Uses the pair indexed by ``self.stream_with_ssl_handshake`` and reads the
     private ``_ssl_status`` filled in by ``_ssl_handshake_server_analysis``.
     """
     print('------------------- test_ssl_svr_ccs_is_seen -------------------')
     session_pairs = Session_Reassembler(self.pcap).get_session_pairs()
     handshake_pair = session_pairs[self.stream_with_ssl_handshake]
     handshake_pair._ssl_handshake_server_analysis()
     self.assertTrue(handshake_pair._ssl_status.ssl_svr_ccs)
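 def test_ssl_cli_ccs_is_not_seen(self):
     """A stream with no TLS handshake must not show a client ChangeCipherSpec.

     Uses the pair indexed by ``self.stream_without_ssl_handshake`` and reads
     the private ``_ssl_status`` filled in by ``_ssl_handshake_client_analysis``.
     """
     # Banner now names this test; it previously announced test_ssl_cli_hello_is_seen.
     print('------------------- test_ssl_cli_ccs_is_not_seen -------------------')
     reassembler = Session_Reassembler(self.pcap)
     pairs = reassembler.get_session_pairs()
     pair = pairs[self.stream_without_ssl_handshake]
     pair._ssl_handshake_client_analysis()
     self.assertFalse(pair._ssl_status.ssl_cli_ccs)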
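 def test_is_not_encrypted(self):
     """A plain-HTTP stream must be reported as not encrypted.

     Reassembles ``self.pcap``, picks the pair indexed by
     ``self.stream_using_http`` and reads the SSL status through the public
     ``get_stream_status()`` accessor (the old commented-out private call is gone).
     """
     print('------------------- test_is_not_encrypted -------------------')
     reassembler = Session_Reassembler(self.pcap)
     pairs = reassembler.get_session_pairs()
     pair = pairs[self.stream_using_http]
     is_encrypted = pair.get_stream_status().ssl_status.is_encrypted
     # assertEqual: assertEquals is a deprecated alias (removed in Python 3.12).
     self.assertEqual(is_encrypted, Is_Encrypted_Enum.NO)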
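    def __init__(self, existing_pcap_filename=None):
        """Set up the session reassembler and stream DB for the capture to analyse.

        Args:
            existing_pcap_filename: Path of a pcap to analyse. When None a
                Sniffer is created and its own output file is analysed instead.
        """
        self._existing_pcap_filename = existing_pcap_filename
        # Bound unconditionally so the attribute exists (as None) when an
        # existing file is analysed; previously it was only set in one branch.
        self._sniffer = None

        if self._existing_pcap_filename is None:
            self._sniffer = Sniffer()
            pcap_filename = self._sniffer.get_pcap_filename()
        else:
            pcap_filename = self._existing_pcap_filename

        self._session_reassembler = Session_Reassembler(pcap_filename)
        self._stream_db = Stream_DB()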
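 def test_ssl_version_is_correct(self):
     """Server-side handshake analysis must report the TLS version seen in the fixture.

     ``version_in_pcap`` is the expected value for ``self.stream_with_ssl_handshake``
     in ``self.pcap``; the result is read from the private ``_ssl_status``.
     """
     print('------------------- test_ssl_version_is_correct -------------------')
     version_in_pcap = 'TLS 1.2'
     reassembler = Session_Reassembler(self.pcap)
     pairs = reassembler.get_session_pairs()
     pair = pairs[self.stream_with_ssl_handshake]
     pair._ssl_handshake_server_analysis()
     # assertEqual: assertEquals is a deprecated alias (removed in Python 3.12).
     self.assertEqual(pair._ssl_status.ssl_version, version_in_pcap)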
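 def test_ssl_cipher_is_correct(self):
     """Server-side handshake analysis must report the cipher suite seen in the fixture.

     ``cipher_in_pcap`` is the expected suite for ``self.stream_with_ssl_handshake``
     in ``self.pcap``; the result is read from the private ``_ssl_status``.
     """
     print('------------------- test_ssl_cipher_is_correct -------------------')
     cipher_in_pcap = 'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256'
     reassembler = Session_Reassembler(self.pcap)
     pairs = reassembler.get_session_pairs()
     pair = pairs[self.stream_with_ssl_handshake]
     pair._ssl_handshake_server_analysis()
     # assertEqual: assertEquals is a deprecated alias (removed in Python 3.12).
     self.assertEqual(pair._ssl_status.ssl_cipher, cipher_in_pcap)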
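 def test_only_duplicate_ack_removed(self):
     """Given a PacketList with three packets, only the duplicate should be removed.
     The other two should remain.
     Duplicates: a pair of ACK packets (ACK flag set, same SEQ and ACK numbers)
     Other: SYN packet (SYN flag set)
     """
     non_dup = Ether() / IP() / TCP(flags='S', seq=0, ack=0)
     ack1 = Ether() / IP() / TCP(flags='A', seq=1, ack=1)
     ack2 = Ether() / IP() / TCP(flags='A', seq=1, ack=1)
     pkts = PacketList([non_dup, ack1, ack2])
     deduped_pkts = Session_Reassembler()._remove_duplicate_packets(pkts)
     # Length first so a wrong count fails here rather than as an IndexError below;
     # assertEqual reports both operands, where assertTrue(a == b) only reports False.
     self.assertEqual(len(deduped_pkts), 2)
     self.assertEqual(deduped_pkts[0][TCP].flags, 'S')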
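 def test_only_duplicate_synack_removed(self):
     """Given a PacketList with three packets, only the duplicate should be removed.
     The other two should remain.
     Duplicates: a pair of SYN/ACK packets (SYN and ACK flag set, same SEQ and ACK numbers)
     Other: ACK packet (ACK flag set)
     """
     synack1 = Ether() / IP() / TCP(flags='SA', seq=0, ack=1)
     synack2 = Ether() / IP() / TCP(flags='SA', seq=0, ack=1)
     non_dup = Ether() / IP() / TCP(flags='A', seq=10, ack=11)
     pkts = PacketList([synack1, synack2, non_dup])
     deduped_pkts = Session_Reassembler()._remove_duplicate_packets(pkts)
     # Length first so a wrong count fails here rather than as an IndexError below;
     # assertEqual reports both operands, where assertTrue(a == b) only reports False.
     self.assertEqual(len(deduped_pkts), 2)
     self.assertEqual(deduped_pkts[-1][TCP].flags, 'A')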
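 def test_only_duplicate_ack_removed(self):
     """Given a PacketList with three packets, only the duplicate should be removed.
     The other two should remain.
     Duplicates: a pair of ACK packets (ACK flag set, same SEQ and ACK numbers)
     Other: SYN packet (SYN flag set)
     """
     non_dup = Ether() / IP() / TCP(flags='S', seq=0, ack=0)
     ack1 = Ether() / IP() / TCP(flags='A', seq=1, ack=1)
     ack2 = Ether() / IP() / TCP(flags='A', seq=1, ack=1)
     pkts = PacketList([non_dup, ack1, ack2])
     deduped_pkts = Session_Reassembler()._remove_duplicate_packets(pkts)
     # Length first so a wrong count fails here rather than as an IndexError below;
     # assertEqual reports both operands, where assertTrue(a == b) only reports False.
     self.assertEqual(len(deduped_pkts), 2)
     self.assertEqual(deduped_pkts[0][TCP].flags, 'S')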
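 def test_only_duplicate_synack_removed(self):
     """Given a PacketList with three packets, only the duplicate should be removed.
     The other two should remain.
     Duplicates: a pair of SYN/ACK packets (SYN and ACK flag set, same SEQ and ACK numbers)
     Other: ACK packet (ACK flag set)
     """
     synack1 = Ether() / IP() / TCP(flags='SA', seq=0, ack=1)
     synack2 = Ether() / IP() / TCP(flags='SA', seq=0, ack=1)
     non_dup = Ether() / IP() / TCP(flags='A', seq=10, ack=11)
     pkts = PacketList([synack1, synack2, non_dup])
     deduped_pkts = Session_Reassembler()._remove_duplicate_packets(pkts)
     # Length first so a wrong count fails here rather than as an IndexError below;
     # assertEqual reports both operands, where assertTrue(a == b) only reports False.
     self.assertEqual(len(deduped_pkts), 2)
     self.assertEqual(deduped_pkts[-1][TCP].flags, 'A')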
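    def __init__(self, existing_pcap_filename=None):
        """Set up the session reassembler and stream DB for the capture to analyse.

        Args:
            existing_pcap_filename: Path of a pcap to analyse. When None a
                Sniffer is created and its own output file is analysed instead.
        """
        self._existing_pcap_filename = existing_pcap_filename
        # Bound unconditionally so the attribute exists (as None) when an
        # existing file is analysed; previously it was only set in one branch.
        self._sniffer = None

        if self._existing_pcap_filename is None:
            self._sniffer = Sniffer()
            pcap_filename = self._sniffer.get_pcap_filename()
        else:
            pcap_filename = self._existing_pcap_filename

        self._session_reassembler = Session_Reassembler(pcap_filename)
        self._stream_db = Stream_DB()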
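 def test_only_duplicate_data_removed(self):
     """Given a PacketList with three packets, only the duplicate should be removed.
     The other two should remain.
     Duplicates: a pair of data packets (PUSH and ACK flags set, same SEQ and ACK numbers)
     Other: SYN packet (SYN flag set)
     """
     non_dup = Ether() / IP() / TCP(flags='S', seq=0, ack=0)
     # chksum is pinned so both copies are identical field-for-field; presumably
     # the dedup compares more than flags/seq/ack -- confirm against
     # _remove_duplicate_packets before relaxing this.
     data1 = (Ether() / IP()
              / TCP(flags='PA', seq=10, ack=11, chksum=0xccfe)
              / Raw(load='abc'))
     data2 = (Ether() / IP()
              / TCP(flags='PA', seq=10, ack=11, chksum=0xccfe)
              / Raw(load='abc'))
     pkts = PacketList([non_dup, data1, data2])
     deduped_pkts = Session_Reassembler()._remove_duplicate_packets(pkts)
     # Length first so a wrong count fails here rather than as an IndexError below;
     # assertEqual reports both operands, where assertTrue(a == b) only reports False.
     self.assertEqual(len(deduped_pkts), 2)
     self.assertEqual(deduped_pkts[0][TCP].flags, 'S')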
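 def test_only_duplicate_data_removed(self):
     """Given a PacketList with three packets, only the duplicate should be removed.
     The other two should remain.
     Duplicates: a pair of data packets (PUSH and ACK flags set, same SEQ and ACK numbers)
     Other: SYN packet (SYN flag set)
     """
     non_dup = Ether() / IP() / TCP(flags='S', seq=0, ack=0)
     # chksum is pinned so both copies are identical field-for-field; presumably
     # the dedup compares more than flags/seq/ack -- confirm against
     # _remove_duplicate_packets before relaxing this.
     data1 = (Ether() / IP()
              / TCP(flags='PA', seq=10, ack=11, chksum=0xccfe)
              / Raw(load='abc'))
     data2 = (Ether() / IP()
              / TCP(flags='PA', seq=10, ack=11, chksum=0xccfe)
              / Raw(load='abc'))
     pkts = PacketList([non_dup, data1, data2])
     deduped_pkts = Session_Reassembler()._remove_duplicate_packets(pkts)
     # Length first so a wrong count fails here rather than as an IndexError below;
     # assertEqual reports both operands, where assertTrue(a == b) only reports False.
     self.assertEqual(len(deduped_pkts), 2)
     self.assertEqual(deduped_pkts[0][TCP].flags, 'S')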
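class Analyser(object):
    """Analyse one packet capture: reassemble it into TCP session pairs and
    expose per-stream status rows, optionally persisted through Stream_DB.

    When ``existing_pcap_filename`` is given no Sniffer is created, and
    ``start_sniffing``/``stop_sniffing`` raise RuntimeError instead of the
    AttributeError the previous version produced.
    """

    def __init__(self, existing_pcap_filename=None):
        """Set up the session reassembler and stream DB for the capture to analyse.

        Args:
            existing_pcap_filename: Path of a pcap to analyse. When None a
                Sniffer is created and its own output file is analysed instead.
        """
        self._existing_pcap_filename = existing_pcap_filename
        # Bound unconditionally so the attribute exists (as None) when an
        # existing file is analysed and no live capture is running.
        self._sniffer = None

        if self._existing_pcap_filename is None:
            self._sniffer = Sniffer()
            pcap_filename = self._sniffer.get_pcap_filename()
        else:
            pcap_filename = self._existing_pcap_filename

        self._session_reassembler = Session_Reassembler(pcap_filename)
        self._stream_db = Stream_DB()

    def _stream_statuses(self):
        """Return one stream-status object per reassembled session pair."""
        return [pair.get_stream_status() for pair in self._get_session_pairs()]

    def results_no_db(self):
        """Return a Stream_Table of the current stream statuses, bypassing the DB."""
        return Stream_Table(self._stream_statuses())

    def get_analysis_results(self):
        """Persist the current stream statuses and return them as rows.

        The DB is cleared first, so the rows reflect only this capture. Each
        row from ``select_all_streams`` is copied and the reverse-DNS name of
        the server address (column 1 of the row) is appended.

        Returns:
            list[list]: the stored rows, each with the server FQDN appended.
        """
        db = self._stream_db
        db.clear_streams()
        db.persist_streams(self._stream_statuses())
        rows = db.select_all_streams()  # list of lists (rows)
        return [list(row) + [self._get_fqdn(row[1])] for row in rows]

    def _get_fqdn(self, ip_addr):
        """Best-effort reverse lookup of ``ip_addr``, falling back to the address.

        The PTR answer is supplied by whoever controls the reverse zone for
        that address, so it is a display hint, not an identity. The call is
        blocking and goes through the system resolver. ``socket.gaierror``
        (unresolvable input) is handled alongside ``socket.herror`` (no name);
        only the latter was caught before.
        """
        try:
            return socket.gethostbyaddr(ip_addr)[0]
        except (socket.herror, socket.gaierror):
            return ip_addr

    def get_connection_details_row(self, conn_id):
        """Return the connection-details row for ``conn_id`` with the server
        FQDN appended.

        Args:
            conn_id: Stream id as an int or a str holding one. ``int()``
                rejects anything else with ValueError before the DB is touched.
        """
        row = self._stream_db.get_connection_details_row(int(conn_id))
        result = list(row)
        svr_ip_addr = result[2]
        result.append(self._get_fqdn(svr_ip_addr))
        return result

    def get_encryption_details_row(self, conn_id):
        """Return the encryption-details row for ``conn_id`` (same id handling
        as ``get_connection_details_row``)."""
        return self._stream_db.get_encryption_details_row(int(conn_id))

    def _require_sniffer(self):
        """Return the live Sniffer, or raise RuntimeError when a file is being analysed."""
        if self._sniffer is None:
            raise RuntimeError(
                'no live capture: Analyser was built from an existing pcap file')
        return self._sniffer

    def start_sniffing(self):
        """Start the live capture. Raises RuntimeError when analysing a file."""
        self._require_sniffer().start()

    def stop_sniffing(self):
        """Stop the live capture. Raises RuntimeError when analysing a file."""
        self._require_sniffer().stop()

    def _get_sniffer(self):
        """Return the Sniffer, or None when an existing pcap is analysed."""
        return self._sniffer

    def _get_session_pairs(self):
        """Return the reassembled session pairs (the values of the reassembler's dict)."""
        return self._session_reassembler.get_session_pairs().values()

    def _get_session_reassembler(self):
        """Return the Session_Reassembler built for this capture."""
        return self._session_reassembler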
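class Analyser(object):
    """Analyse one packet capture: reassemble it into TCP session pairs and
    expose per-stream status rows, optionally persisted through Stream_DB.

    When ``existing_pcap_filename`` is given no Sniffer is created, and
    ``start_sniffing``/``stop_sniffing`` raise RuntimeError instead of the
    AttributeError the previous version produced.
    """

    def __init__(self, existing_pcap_filename=None):
        """Set up the session reassembler and stream DB for the capture to analyse.

        Args:
            existing_pcap_filename: Path of a pcap to analyse. When None a
                Sniffer is created and its own output file is analysed instead.
        """
        self._existing_pcap_filename = existing_pcap_filename
        # Bound unconditionally so the attribute exists (as None) when an
        # existing file is analysed and no live capture is running.
        self._sniffer = None

        if self._existing_pcap_filename is None:
            self._sniffer = Sniffer()
            pcap_filename = self._sniffer.get_pcap_filename()
        else:
            pcap_filename = self._existing_pcap_filename

        self._session_reassembler = Session_Reassembler(pcap_filename)
        self._stream_db = Stream_DB()

    def _stream_statuses(self):
        """Return one stream-status object per reassembled session pair."""
        return [pair.get_stream_status() for pair in self._get_session_pairs()]

    def results_no_db(self):
        """Return a Stream_Table of the current stream statuses, bypassing the DB."""
        return Stream_Table(self._stream_statuses())

    def get_analysis_results(self):
        """Persist the current stream statuses and return them as rows.

        The DB is cleared first, so the rows reflect only this capture. Each
        row from ``select_all_streams`` is copied and the reverse-DNS name of
        the server address (column 1 of the row) is appended.

        Returns:
            list[list]: the stored rows, each with the server FQDN appended.
        """
        db = self._stream_db
        db.clear_streams()
        db.persist_streams(self._stream_statuses())
        rows = db.select_all_streams()  # list of lists (rows)
        return [list(row) + [self._get_fqdn(row[1])] for row in rows]

    def _get_fqdn(self, ip_addr):
        """Best-effort reverse lookup of ``ip_addr``, falling back to the address.

        The PTR answer is supplied by whoever controls the reverse zone for
        that address, so it is a display hint, not an identity. The call is
        blocking and goes through the system resolver. ``socket.gaierror``
        (unresolvable input) is handled alongside ``socket.herror`` (no name);
        only the latter was caught before.
        """
        try:
            return socket.gethostbyaddr(ip_addr)[0]
        except (socket.herror, socket.gaierror):
            return ip_addr

    def get_connection_details_row(self, conn_id):
        """Return the connection-details row for ``conn_id`` with the server
        FQDN appended.

        Args:
            conn_id: Stream id as an int or a str holding one. ``int()``
                rejects anything else with ValueError before the DB is touched.
        """
        row = self._stream_db.get_connection_details_row(int(conn_id))
        result = list(row)
        svr_ip_addr = result[2]
        result.append(self._get_fqdn(svr_ip_addr))
        return result

    def get_encryption_details_row(self, conn_id):
        """Return the encryption-details row for ``conn_id`` (same id handling
        as ``get_connection_details_row``)."""
        return self._stream_db.get_encryption_details_row(int(conn_id))

    def _require_sniffer(self):
        """Return the live Sniffer, or raise RuntimeError when a file is being analysed."""
        if self._sniffer is None:
            raise RuntimeError(
                'no live capture: Analyser was built from an existing pcap file')
        return self._sniffer

    def start_sniffing(self):
        """Start the live capture. Raises RuntimeError when analysing a file."""
        self._require_sniffer().start()

    def stop_sniffing(self):
        """Stop the live capture. Raises RuntimeError when analysing a file."""
        self._require_sniffer().stop()

    def _get_sniffer(self):
        """Return the Sniffer, or None when an existing pcap is analysed."""
        return self._sniffer

    def _get_session_pairs(self):
        """Return the reassembled session pairs (the values of the reassembler's dict)."""
        return self._session_reassembler.get_session_pairs().values()

    def _get_session_reassembler(self):
        """Return the Session_Reassembler built for this capture."""
        return self._session_reassembler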