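def _build_parser():
    """Build the flowinspect command-line parser.

    Every option keeps its original short flag, ``dest`` and default.  The
    options that previously abused ``metavar`` to display a ``--name`` now
    carry that name as a real long-option alias (``-p X`` and ``--pcap X``
    both work), so the usage text shows a proper value placeholder instead
    of a fake flag.  ``parse_args`` is left to the caller.

    Returns:
        argparse.ArgumentParser: the fully configured parser.
    """
    parser = argparse.ArgumentParser()

    # Exactly one input source: an offline pcap file or a live capture device.
    inputgroup = parser.add_mutually_exclusive_group(required=True)
    inputgroup.add_argument('-p', '--pcap', dest='pcap', default='',
                            help='input pcap file')
    inputgroup.add_argument('-d', '--device', dest='device', default='lo',
                            help='listening device')

    # Regex patterns, one list per direction (CTS = client-to-server,
    # STC = server-to-client, ANY = both).  Each flag may be repeated.
    regex_direction_flags = parser.add_argument_group('RegEx per Direction')
    regex_direction_flags.add_argument('-c', '--cregex', dest='cres',
                                       default=[], action='append',
                                       help='regex to match against CTS data')
    regex_direction_flags.add_argument('-s', '--sregex', dest='sres',
                                       default=[], action='append',
                                       help='regex to match against STC data')
    regex_direction_flags.add_argument('-a', '--aregex', dest='ares',
                                       default=[], action='append',
                                       help='regex to match against ANY data')

    regex_options = parser.add_argument_group('RegEx Options')
    regex_options.add_argument('-i', dest='igncase', default=False,
                               action='store_true', help='ignore case')
    # Multiline matching is ON by default; -m switches it OFF (store_false).
    regex_options.add_argument('-m', dest='multiline', default=True,
                               action='store_false',
                               help='disable multiline match')

    fuzzy_direction_flags = parser.add_argument_group(
        'Fuzzy Patterns per Direction')
    fuzzy_direction_flags.add_argument(
        '-G', '--cfuzz', dest='cfuzz', default=[], action='append',
        help='string to fuzzy match against CTS data')
    fuzzy_direction_flags.add_argument(
        '-H', '--sfuzz', dest='sfuzz', default=[], action='append',
        help='string to fuzzy match against STC data')
    fuzzy_direction_flags.add_argument(
        '-I', '--afuzz', dest='afuzz', default=[], action='append',
        help='string to fuzzy match against ANY data')
    fuzzy_options = parser.add_argument_group('Fuzzy Options')
    # NOTE(review): the 1-100 range in the help text is not enforced here;
    # presumably the fuzzy matcher tolerates out-of-range values -- verify.
    fuzzy_options.add_argument(
        '-r', metavar='fuzzminthreshold', dest='fuzzminthreshold', type=int,
        default=75,
        help='threshold for fuzzy match (1-100) - default 75')

    yara_direction_flags = parser.add_argument_group(
        'Yara Rules per Direction')
    yara_direction_flags.add_argument('-P', '--cyararules', dest='cyararules',
                                      default=[], action='append',
                                      help='Yara rules to match on CTS data')
    yara_direction_flags.add_argument('-Q', '--syararules', dest='syararules',
                                      default=[], action='append',
                                      help='Yara rules to match on STC data')
    yara_direction_flags.add_argument('-R', '--ayararules', dest='ayararules',
                                      default=[], action='append',
                                      help='Yara rules to match on ANY data')

    shellcode_options = parser.add_argument_group('Shellcode Detection')
    shellcode_options.add_argument('-M', dest='shellcode', default=False,
                                   action='store_true',
                                   help='enable shellcode detection')
    shellcode_options.add_argument('-J', dest='asm4shellcode', default=False,
                                   action='store_true',
                                   help='enable shellcode disassembly')
    shellcode_options.add_argument(
        '-y', dest='emuprofile', default=False, action='store_true',
        help='generate emulator profile for detected shellcode')
    # NOTE(review): -Y, -O, -D and -q carry no type=int (unlike -T/-U/-t/-u/-b),
    # so a given value arrives as a str while the default stays an int;
    # presumably the consumer converts -- confirm before adding type=int here.
    shellcode_options.add_argument(
        '-Y', '--emuprofileoutsize', dest='emuprofileoutsize', default=0,
        help='emulator profile memory size (default 1024K | max: 10240K)')

    content_modifiers = parser.add_argument_group('Content Modifiers')
    content_modifiers.add_argument('-O', '--offset', dest='offset', default=0,
                                   help='bytes to skip before matching')
    content_modifiers.add_argument(
        '-D', '--depth', dest='depth', default=0,
        help='bytes to look at while matching (starting from offset)')

    inspection_limits = parser.add_argument_group('Inspection Limits')
    inspection_limits.add_argument('-T', '--maxinspstreams',
                                   dest='maxinspstreams', default=0, type=int,
                                   help='max streams to inspect')
    inspection_limits.add_argument('-U', '--maxinsppackets',
                                   dest='maxinsppackets', default=0, type=int,
                                   help='max packets to inspect')

    display_limits = parser.add_argument_group('Display Limits')
    display_limits.add_argument('-t', '--maxdispstreams',
                                dest='maxdispstreams', default=0, type=int,
                                help='max streams to display')
    display_limits.add_argument('-u', '--maxdisppackets',
                                dest='maxdisppackets', default=0, type=int,
                                help='max packets to display')
    display_limits.add_argument('-b', '--maxdispbytes',
                                dest='maxdispbytes', default=0, type=int,
                                help='max bytes to display')

    output_options = parser.add_argument_group('Output Options')
    # nargs='?' with no const: absent -> '', bare "-w" -> None, "-w DIR" -> DIR.
    output_options.add_argument('-w', metavar='logdir', dest='writebytes',
                                default='', nargs='?',
                                help='write matching packets/streams')
    # 'quite' is kept as spelled: it is a runtime value that the output
    # code presumably compares against, so correcting it here alone would
    # silently break that mode.
    output_options.add_argument('-o', dest='outmodes',
                                choices=('quite', 'meta', 'hex', 'print',
                                         'raw'),
                                action='append', default=[],
                                help='match output modes')

    misc_options = parser.add_argument_group('Misc. Options')
    misc_options.add_argument('-f', '--bpf', dest='bpf', default='',
                              help='BPF expression')
    misc_options.add_argument('-v', dest='invmatch', default=False,
                              action='store_true', help='invert match')
    misc_options.add_argument('-V', dest='verbose', default=0, action='count',
                              help='verbose output (max: 3)')
    misc_options.add_argument('-e', dest='colored', default=False,
                              action='store_true',
                              help='highlight CTS/STC matches')
    # -k is an active response (it terminates matching streams), not a
    # passive inspection option.
    misc_options.add_argument('-k', dest='killtcp', default=False,
                              action='store_true',
                              help='kill matching TCP stream')
    misc_options.add_argument('-j', dest='tcpmultimatch', default=False,
                              action='store_true',
                              help='enable TCP multi match mode')

    # -z / -Z are mutually exclusive; the -z help text embeds the current
    # post-match packet count from configopts at parser-build time.
    pcapwrite = parser.add_mutually_exclusive_group(required=False)
    pcapwrite.add_argument(
        '-z', dest='writepcapfast', default=False, action='store_true',
        help='write matching flows to pcap w/ %d post match packets' %
        (configopts['pcappacketct']))
    pcapwrite.add_argument(
        '-Z', dest='writepcap', default=False, action='store_true',
        help='write matching flows to pcap w/ all post match packets')

    # Added after the pcapwrite group on purpose to preserve help ordering.
    misc_options.add_argument('-q', metavar='pcappacketct',
                              dest='pcappacketct',
                              default=configopts['pcappacketct'],
                              help='# of post match packets to write to pcap')

    misc_options.add_argument('-L', dest='linemode', default=False,
                              action='store_true',
                              help='enable linemode (disables inspection)')
    misc_options.add_argument('-B', dest='nobanner', default=False,
                              action='store_true',
                              help='skip banner/version display on startup')
    misc_options.add_argument('-S', dest='nosummary', default=False,
                              action='store_true',
                              help='skip match summary display at exit')
    misc_options.add_argument('-n', dest='dumpargs', default=False,
                              action='store_true',
                              help='show argument stats')
    return parser


def main():
    """Parse the command line and load the chosen options into ``configopts``.

    Program entry point.  Builds the parser (see ``_build_parser``), selects
    the input source (pcap file or live device) for ``nids``, folds the
    regex flags into ``configopts['reflags']``, compiles the per-direction
    regexes, and lazily imports the fuzzy-match engine only when a fuzzy
    pattern was requested.

    All pattern material (regexes, fuzzy strings, Yara rule arguments) and
    the BPF filter come from the operator's command line, not from the
    traffic under inspection.  A regex that does not compile is reported
    through ``parser.error`` (usage + message, exit status 2) instead of an
    uncaught ``re.error`` traceback.

    Raises:
        SystemExit: from argparse on invalid options or an invalid regex.
    """
    # Kept as a local for the banner/version display (see the -B flag);
    # not printed within this function as shown.
    banner = '''\
        ______              _                            __
       / __/ /___ _      __(_)___  _________  ___  _____/ /_
      / /_/ / __ \ | /| / / / __ \/ ___/ __ \/ _ \/ ___/ __/
     / __/ / /_/ / |/ |/ / / / / (__  ) /_/ /  __/ /__/ /_
    /_/ /_/\____/|__/|__/_/_/ /_/____/ .___/\___/\___/\__/
                                    /_/
    '''

    import re
    configopts['regexengine'] = 're'

    parser = _build_parser()
    args = parser.parse_args()

    # Input source: the mutually exclusive group guarantees one was given
    # explicitly, but -d also has a default so the elif stays reachable.
    if args.pcap:
        configopts['pcap'] = args.pcap
        nids.param('filename', configopts['pcap'])
        configopts['livemode'] = False
    elif args.device:
        configopts['device'] = args.device
        nids.param('device', configopts['device'])
        configopts['livemode'] = True

    # Regex flags must be settled before any pattern is compiled below.
    if args.igncase:
        configopts['igncase'] = True
        configopts['reflags'] |= re.IGNORECASE

    if args.invmatch:
        configopts['invertmatch'] = True

    # Default is multiline on; -m (store_false) turns it off.
    if args.multiline:
        configopts['multiline'] = True
        configopts['reflags'] |= re.MULTILINE
        configopts['reflags'] |= re.DOTALL

    if args.tcpmultimatch:
        configopts['tcpmultimatch'] = True

    def add_regex(table, pattern):
        """Compile *pattern* with the accumulated flags and register it in *table*.

        An invalid pattern is turned into a clean argparse usage error rather
        than a traceback; the compiled object is the key, the source text the
        value, matching the layout the inspection code reads.
        """
        try:
            compiled = re.compile(pattern, configopts['reflags'])
        except re.error as ex:
            parser.error('invalid regex %r: %s' % (pattern, ex))
        else:
            table[compiled] = {'regexpattern': pattern}

    # Always true here (set to 're' above); kept for symmetry with the
    # fuzzy/yara engine checks elsewhere in the program.
    if configopts['regexengine']:
        # (patterns, tables to register them in); ANY goes into both tables.
        # NOTE(review): patterns are applied to payload elsewhere; a pattern
        # with heavy backtracking can stall inspection on hostile input, so
        # patterns deserve the same review as any other detection content.
        per_direction = (
            (args.cres, (configopts['ctsregexes'],)),
            (args.sres, (configopts['stcregexes'],)),
            (args.ares, (configopts['ctsregexes'], configopts['stcregexes'])),
        )
        for patterns, tables in per_direction:
            if not patterns:
                continue
            if 'regex' not in configopts['inspectionmodes']:
                configopts['inspectionmodes'].append('regex')
            for pattern in patterns:
                for table in tables:
                    add_regex(table, pattern)

    # The fuzzy engine is optional: only import it when a fuzzy pattern was
    # given, and degrade to fuzzengine=None (with a warning) if it is missing.
    if args.cfuzz or args.sfuzz or args.afuzz:
        try:
            from fuzzywuzzy import fuzz  # presence check; engine selected below
            configopts['fuzzengine'] = 'fuzzywuzzy'
        except ImportError as ex:  # 'as' form: valid on Python 2.6+ and 3
            dowarn('Import failed: %s' % ex)
            configopts['fuzzengine'] = None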
ファイル: flowinspect.py プロジェクト: 7h3rAm/flowinspect
def main():
    banner = '''\
        ______              _                            __
       / __/ /___ _      __(_)___  _________  ___  _____/ /_
      / /_/ / __ \ | /| / / / __ \/ ___/ __ \/ _ \/ ___/ __/
     / __/ / /_/ / |/ |/ / / / / (__  ) /_/ /  __/ /__/ /_
    /_/ /_/\____/|__/|__/_/_/ /_/____/ .___/\___/\___/\__/
                                    /_/
    '''

    import re
    configopts['regexengine'] = 're'

    parser = argparse.ArgumentParser()

    inputgroup = parser.add_mutually_exclusive_group(required=True)
    inputgroup.add_argument(
                                    '-p',
                                    metavar='--pcap',
                                    dest='pcap',
                                    default='',
                                    action='store',
                                    help='input pcap file')
    inputgroup.add_argument(
                                    '-d',
                                    metavar='--device',
                                    dest='device',
                                    default='lo',
                                    action='store',
                                    help='listening device')

    regex_direction_flags = parser.add_argument_group('RegEx per Direction')
    regex_direction_flags.add_argument(
                                    '-c',
                                    metavar='--cregex',
                                    dest='cres',
                                    default=[],
                                    action='append',
                                    required=False,
                                    help='regex to match against CTS data')
    regex_direction_flags.add_argument(
                                    '-s',
                                    metavar='--sregex',
                                    dest='sres',
                                    default=[],
                                    action='append',
                                    required=False,
                                    help='regex to match against STC data')
    regex_direction_flags.add_argument(
                                    '-a',
                                    metavar='--aregex',
                                    dest='ares',
                                    default=[],
                                    action='append',
                                    required=False,
                                    help='regex to match against ANY data')

    regex_options = parser.add_argument_group('RegEx Options')
    regex_options.add_argument(
                                    '-i',
                                    dest='igncase',
                                    default=False,
                                    action='store_true',
                                    required=False,
                                    help='ignore case')
    regex_options.add_argument(
                                    '-m',
                                    dest='multiline',
                                    default=True,
                                    action='store_false',
                                    required=False,
                                    help='disable multiline match')

    fuzzy_direction_flags = parser.add_argument_group('Fuzzy Patterns per Direction')
    fuzzy_direction_flags.add_argument(
                                    '-G',
                                    metavar='--cfuzz',
                                    dest='cfuzz',
                                    default=[],
                                    action='append',
                                    required=False,
                                    help='string to fuzzy match against CTS data')
    fuzzy_direction_flags.add_argument(
                                    '-H',
                                    metavar='--sfuzz',
                                    dest='sfuzz',
                                    default=[],
                                    action='append',
                                    required=False,
                                    help='string to fuzzy match against STC data')
    fuzzy_direction_flags.add_argument(
                                    '-I',
                                    metavar='--afuzz',
                                    dest='afuzz',
                                    default=[],
                                    action='append',
                                    required=False,
                                    help='string to fuzzy match against ANY data')
    fuzzy_options = parser.add_argument_group('Fuzzy Options')
    fuzzy_options.add_argument(
                                    '-r',
                                    metavar='fuzzminthreshold',
                                    dest='fuzzminthreshold',
                                    type=int,
                                    default=75,
                                    action='store',
                                    required=False,
                                    help='threshold for fuzzy match (1-100) - default 75')

    yara_direction_flags = parser.add_argument_group('Yara Rules per Direction')
    yara_direction_flags.add_argument(
                                    '-P',
                                    metavar='--cyararules',
                                    dest='cyararules',
                                    default=[],
                                    action='append',
                                    required=False,
                                    help='Yara rules to match on CTS data')
    yara_direction_flags.add_argument(
                                    '-Q',
                                    metavar='--syararules',
                                    dest='syararules',
                                    default=[],
                                    action='append',
                                    required=False,
                                    help='Yara rules to match on STC data')
    yara_direction_flags.add_argument(
                                    '-R',
                                    metavar='--ayararules',
                                    dest='ayararules',
                                    default=[],
                                    action='append',
                                    required=False,
                                    help='Yara rules to match on ANY data')

    shellcode_options = parser.add_argument_group('Shellcode Detection')
    shellcode_options.add_argument(
                                    '-M',
                                    dest='shellcode',
                                    default=False,
                                    action='store_true',
                                    required=False,
                                    help='enable shellcode detection')
    shellcode_options.add_argument(
                                    '-J',
                                    dest='asm4shellcode',
                                    default=False,
                                    action='store_true',
                                    required=False,
                                    help='enable shellcode disassembly')
    shellcode_options.add_argument(
                                    '-y',
                                    dest='emuprofile',
                                    default=False,
                                    action='store_true',
                                    required=False,
                                    help='generate emulator profile for detected shellcode')
    shellcode_options.add_argument(
                                    '-Y',
                                    metavar='--emuprofileoutsize',
                                    dest='emuprofileoutsize',
                                    default=0,
                                    action='store',
                                    required=False,
                                    help='emulator profile memory size (default 1024K | max: 10240K)')

    content_modifiers = parser.add_argument_group('Content Modifiers')
    content_modifiers.add_argument(
                                    '-O',
                                    metavar='--offset',
                                    dest='offset',
                                    default=0,
                                    action='store',
                                    required=False,
                                    help='bytes to skip before matching')
    content_modifiers.add_argument(
                                    '-D',
                                    metavar='--depth',
                                    dest='depth',
                                    default=0,
                                    action='store',
                                    required=False,
                                    help='bytes to look at while matching (starting from offset)')

    inspection_limits = parser.add_argument_group('Inspection Limits')
    inspection_limits.add_argument(
                                    '-T',
                                    metavar='--maxinspstreams',
                                    dest='maxinspstreams',
                                    default=0,
                                    action='store',
                                    type=int,
                                    required=False,
                                    help='max streams to inspect')
    inspection_limits.add_argument(
                                    '-U',
                                    metavar='--maxinsppackets',
                                    dest='maxinsppackets',
                                    default=0,
                                    action='store',
                                    type=int,
                                    required=False,
                                    help='max packets to inspect')

    display_limits = parser.add_argument_group('Display Limits')
    display_limits.add_argument(
                                    '-t',
                                    metavar='--maxdispstreams',
                                    dest='maxdispstreams',
                                    default=0,
                                    action='store',
                                    type=int,
                                    required=False,
                                    help='max streams to display')
    display_limits.add_argument(
                                    '-u',
                                    metavar='--maxdisppackets',
                                    dest='maxdisppackets',
                                    default=0,
                                    action='store',
                                    type=int,
                                    required=False,
                                    help='max packets to display')
    display_limits.add_argument(
                                    '-b',
                                    metavar='--maxdispbytes',
                                    dest='maxdispbytes',
                                    default=0,
                                    action='store',
                                    type=int,
                                    required=False,
                                    help='max bytes to display')

    output_options = parser.add_argument_group('Output Options')
    output_options.add_argument(
                                    '-w',
                                    metavar='logdir',
                                    dest='writebytes',
                                    default='',
                                    action='store',
                                    required=False,
                                    nargs='?',
                                    help='write matching packets/streams')
    output_options.add_argument(
                                    '-o',
                                    dest='outmodes',
                                    choices=('quite', 'meta', 'hex', 'print', 'raw'),
                                    action='append',
                                    default=[],
                                    required=False,
                                    help='match output modes')

    misc_options = parser.add_argument_group('Misc. Options')
    misc_options.add_argument(
                                    '-f',
                                    metavar='--bpf',
                                    dest='bpf',
                                    default='',
                                    action='store',
                                    required=False,
                                    help='BPF expression')
    misc_options.add_argument(
                                    '-v',
                                    dest='invmatch',
                                    default=False,
                                    action='store_true',
                                    required=False,
                                    help='invert match')
    misc_options.add_argument(
                                    '-V',
                                    dest='verbose',
                                    default=0,
                                    action='count',
                                    required=False,
                                    help='verbose output (max: 3)')
    misc_options.add_argument(
                                    '-e',
                                    dest='colored',
                                    default=False,
                                    action='store_true',
                                    required=False,
                                    help='highlight CTS/STC matches')
    misc_options.add_argument(
                                    '-k',
                                    dest='killtcp',
                                    default=False,
                                    action='store_true',
                                    required=False,
                                    help='kill matching TCP stream')
    misc_options.add_argument(
                                    '-j',
                                    dest='tcpmultimatch',
                                    default=False,
                                    action='store_true',
                                    required=False,
                                    help='enable TCP multi match mode')

    pcapwrite = parser.add_mutually_exclusive_group(required=False)
    pcapwrite.add_argument(
                                    '-z',
                                    dest='writepcapfast',
                                    default=False,
                                    action='store_true',
                                    help='write matching flows to pcap w/ %d post match packets' % (configopts['pcappacketct']))
    pcapwrite.add_argument(
                                    '-Z',
                                    dest='writepcap',
                                    default=False,
                                    action='store_true',
                                    help='write matching flows to pcap w/ all post match packets')

    misc_options.add_argument(
                                    '-q',
                                    metavar='pcappacketct',
                                    dest='pcappacketct',
                                    default=configopts['pcappacketct'],
                                    action='store',
                                    help='# of post match packets to write to pcap')

    misc_options.add_argument(
                                    '-L',
                                    dest='linemode',
                                    default=False,
                                    action='store_true',
                                    required=False,
                                    help='enable linemode (disables inspection)')
    misc_options.add_argument(
                                    '-B',
                                    dest='nobanner',
                                    default=False,
                                    action='store_true',
                                    required=False,
                                    help='skip banner/version display on startup')
    misc_options.add_argument(
                                    '-S',
                                    dest='nosummary',
                                    default=False,
                                    action='store_true',
                                    required=False,
                                    help='skip match summary display at exit')
    misc_options.add_argument(
                                    '-n',
                                    dest='dumpargs',
                                    default=False,
                                    action='store_true',
                                    required=False,
                                    help='show argument stats')

    args = parser.parse_args()

    if args.pcap:
        configopts['pcap'] = args.pcap
        nids.param('filename', configopts['pcap'])
        configopts['livemode'] = False
    elif args.device:
        configopts['device'] = args.device
        nids.param('device', configopts['device'])
        configopts['livemode'] = True

    if args.igncase:
        configopts['igncase'] = True
        configopts['reflags'] |= re.IGNORECASE

    if args.invmatch:
        configopts['invertmatch'] = True

    if args.multiline:
        configopts['multiline'] = True
        configopts['reflags'] |= re.MULTILINE
        configopts['reflags'] |= re.DOTALL

    if args.tcpmultimatch:
        configopts['tcpmultimatch'] = True

    if configopts['regexengine']:
        if args.cres:
            if 'regex' not in configopts['inspectionmodes']:
                configopts['inspectionmodes'].append('regex')
            for c in args.cres:
                configopts['ctsregexes'][re.compile(c, configopts['reflags'])] = { 'regexpattern': c }

        if args.sres:
            if 'regex' not in configopts['inspectionmodes']:
                configopts['inspectionmodes'].append('regex')
            for s in args.sres:
                configopts['stcregexes'][re.compile(s, configopts['reflags'])] = { 'regexpattern': s }

        if args.ares:
            if 'regex' not in configopts['inspectionmodes']:
                configopts['inspectionmodes'].append('regex')
            for a in args.ares:
                configopts['ctsregexes'][re.compile(a, configopts['reflags'])] = { 'regexpattern': a }
                configopts['stcregexes'][re.compile(a, configopts['reflags'])] = { 'regexpattern': a }

    if args.cfuzz or args.sfuzz or args.afuzz:
        try:
            from fuzzywuzzy import fuzz
            configopts['fuzzengine'] = 'fuzzywuzzy'
        except ImportError, ex:
            dowarn('Import failed: %s' % ex)
            configopts['fuzzengine'] = None
# Put <FLOWINSPECTROOTDIR>/core at the FRONT of the module search path so the
# project-local imports that follow (globals, functions, tcphandler, ...) resolve
# to the tool's own modules -- presumably that is where they live; confirm.
# Position 0 also means anything in that directory shadows same-named stdlib or
# site-packages modules, so the directory is trusted as much as the script itself
# (assumes FLOWINSPECTROOTDIR is the install dir, defined earlier in the file).
sys.path.insert(0, '%s/core' % FLOWINSPECTROOTDIR)

from globals import configopts, opentcpflows, openudpflows, ippacketsdict
from functions import dumpargstats, dumpmatchstats, doexit
from tcphandler import handletcp
from udphandler import handleudp
from iphandler import handleip
from utils import NullDevice, getcurtime, donorm, doinfo, dodebug, dowarn, doerror

# Stop the interpreter from writing .pyc files for anything imported from here on.
# NOTE(review): this is set after the project imports above, so their bytecode
# may already have been written before the flag takes effect.
sys.dont_write_bytecode = True

# Wall-clock reference taken at startup; presumably used for run-time/summary
# reporting elsewhere in the file -- confirm against the callers.
starttime = getcurtime()

# pynids is a hard dependency (flow reassembly is delegated to it below), so a
# missing module is reported through the project's warning helper and the
# process exits with status 1 instead of failing later with a NameError.
try:
    import nids
except ImportError as ex:
    dowarn('Import failed: %s' % ex)
    raise SystemExit(1)


def main():
    banner = '''\
        ______              _                            __
       / __/ /___ _      __(_)___  _________  ___  _____/ /_
      / /_/ / __ \ | /| / / / __ \/ ___/ __ \/ _ \/ ___/ __/
     / __/ / /_/ / |/ |/ / / / / (__  ) /_/ /  __/ /__/ /_
    /_/ /_/\____/|__/|__/_/_/ /_/____/ .___/\___/\___/\__/
                                    /_/
    '''

    import re
    configopts['regexengine'] = 're'
ファイル: flowinspect.py プロジェクト: 7h3rAm/flowinspect
from globals import configopts, opentcpflows, openudpflows, ippacketsdict
from functions import dumpargstats, dumpmatchstats, doexit
from tcphandler import handletcp
from udphandler import handleudp
from iphandler import handleip
from utils import NullDevice, getcurtime, donorm, doinfo, dodebug, dowarn, doerror


# Stop the interpreter from writing .pyc files for anything imported from here on.
# NOTE(review): this is set after the project imports above, so their bytecode
# may already have been written before the flag takes effect.
sys.dont_write_bytecode = True

# Wall-clock reference taken at startup; presumably used for run-time/summary
# reporting elsewhere in the file -- confirm against the callers.
starttime = getcurtime()


# pynids is a hard dependency (flow reassembly is delegated to it below), so a
# missing module is reported through the project's warning helper and the
# process exits with status 1 instead of failing later with a NameError.
try:
    import nids
except ImportError as ex:
    dowarn('Import failed: %s' % ex)
    raise SystemExit(1)


def main():
    banner = '''\
        ______              _                            __
       / __/ /___ _      __(_)___  _________  ___  _____/ /_
      / /_/ / __ \ | /| / / / __ \/ ___/ __ \/ _ \/ ___/ __/
     / __/ / /_/ / |/ |/ / / / / (__  ) /_/ /  __/ /__/ /_
    /_/ /_/\____/|__/|__/_/_/ /_/____/ .___/\___/\___/\__/
                                    /_/
    '''

    import re
    configopts['regexengine'] = 're'