파일: Payload.py 프로젝트: pevma/rule2alert
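	def build(self):
		"""Lay out the rule's content matches into one payload buffer and hand it to build_packet().

		Every entry of ``self.contents`` receives ``ini``/``end`` byte positions derived from the
		rule modifiers handled here (``offset``, ``distance``; ``depth`` and ``within`` are only
		checked and reported).  The buffer is space-padded to the furthest ``end`` and each
		content is packed in place.  A ``dsize`` keyword (``self.dsize_list``) moves the end of
		the last content, which in turn sizes the buffer.  When the rule looks like HTTP
		(port 80 / proto http, plus an HTTP keyword in the payload or uricontent in the rule)
		an HTTP() object is built and its payload is prepended.

		Returns the HTTP payload when an HTTP object was built, otherwise the ctypes buffer
		holding the raw payload.  Side effects: sets self.payload and self.itered, may set
		self.dsize_flag, and calls build_handshake()/build_packet().

		Raises struct.error if dsize pushes the last content's end below its start (negative
		pack width) and ValueError for an empty ``dsize:A<>B`` interval.  Non-numeric dsize
		operands from the rule text raise ValueError from int().
		"""
		# Simple HTTP string based checks
		httpCheck = ["POST", "GET", "User-Agent", "Host", "Cookie"]

		# if self.flow and self.flow.established: # to be investigated
		if self.flow or self.proto in ("tcp", "http", "ftp"):
			self.build_handshake()

		oldc = None
		itered = []

		if self.dsize:
			self.dsize_flag = True  # dsize keyword present in the rule

		for c in self.contents:
			# Default placement: first content at 0, later ones right after the previous one
			# (distance:0 means adjacent, otherwise leave one byte of slack).
			if not oldc:
				c.ini = 0
			elif c.distance == 0:
				c.ini = oldc.end
			else:
				c.ini = oldc.end + 1
			c.end = c.ini + len(c.payload)

			# offset: absolute lower bound for the start of the match.
			if c.offset and not oldc:
				c.ini = c.ini + c.offset
				c.end = c.end + c.offset
			if c.offset and oldc:
				# Here we should check for conflicts
				if c.ini < c.offset:
					c.ini = c.offset
					c.end = c.ini + len(c.payload)

			# distance: lower bound relative to the end of the previous match.
			if c.distance and oldc:
				if oldc.end + c.distance > c.ini:
					c.ini = oldc.end + c.distance
					c.end = oldc.end + c.distance + len(c.payload)

			# Checks -- violations are only reported, the layout is not corrected.
			if c.depth and c.end > c.depth:
				print("Error here depth!")
			# 'within' is relative to the previous match, so there is nothing to check for
			# the first content (dereferencing oldc here used to raise AttributeError).
			if c.within and oldc and c.end > oldc.end + c.within:
				print("Error here within!")

			oldc = c
			itered.append(c)

		# dsize keyword: resize the last content's end, which sizes the whole buffer.
		# Skipped for a rule without content (there is no last content to resize).
		if self.dsize_flag and itered:
			last = itered[-1]
			if len(self.dsize_list) == 1:  # dsize:200
				last.end = int(self.dsize_list[0])
			if len(self.dsize_list) == 3 and self.dsize_list[1] == "<>":  # dsize:100<>200
				# randint raises ValueError when the open interval is empty (e.g. 100<>101).
				last.end = random.randint(int(self.dsize_list[0]) + 1,
							  int(self.dsize_list[2]) - 1)
			if self.dsize_list[0] == "<":  # dsize:<200
				last.end = int(self.dsize_list[1]) - 1
			if self.dsize_list[0] == ">":  # dsize:>200
				last.end = last.end + int(self.dsize_list[1]) + random.randint(0, int(self.dsize_list[1]))
				if self.dsize_list[1] == "0":  # dsize:>0 -- pick a plausible size instead of ~0
					last.end = last.end + random.randint(64, 1024)

		# Buffer size is the furthest end of any content (never negative); pad with spaces,
		# then overlay each content at its offset.  pack_into NUL-pads a content whose end
		# was pushed past its payload length by dsize.
		buf_len = max([0] + [c.end for c in itered])
		padding = b" " * buf_len
		self.payload = create_string_buffer(buf_len)
		struct.pack_into(str(buf_len) + "s", self.payload, 0, padding)

		for c in itered:
			struct.pack_into(str(c.end - c.ini) + "s", self.payload, c.ini, c.payload)

		self.itered = itered

		# HTTP support: on port 80 / proto http, a bare keyword match on the payload
		# (case-insensitive substring, so it can fire on unrelated binary content) or the
		# presence of uricontent promotes the payload to an HTTP request.
		# NOTE: Python 2 semantics -- payload.raw is a str here.
		h = None
		if self.sport == "80" or self.dport == "80" or self.proto == "http":
			raw_lower = self.payload.raw.lower()
			for check in httpCheck:
				if raw_lower.find(check.lower()) != -1:
					h = HTTP()
					h.check(self.payload.raw)
					h.build()
					break
			if self.uricontents:
				if not h:
					h = HTTP()
				# uricontents are concatenated in rule order to form the request URI.
				h.uri = "".join(str(u.uricontent) for u in self.uricontents)
				h.build()
		if h:
			if self.payload.raw:
				h.payload = h.payload + self.payload.raw
			self.build_packet(h.payload)
			return h.payload
		self.build_packet(self.payload.raw)
		return self.payload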
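	def build(self):
		"""Lay out the rule's content matches into one payload buffer and hand it to build_packet().

		Every entry of ``self.contents`` receives ``ini``/``end`` byte positions derived from the
		rule modifiers handled here (``offset``, ``distance``; ``depth`` and ``within`` are only
		checked and reported).  The buffer is space-padded to the furthest ``end`` and each
		content is packed in place.  When the rule looks like HTTP (port 80, plus an HTTP
		keyword in the payload or uricontent in the rule) an HTTP() object is built and its
		payload is prepended.

		Returns the HTTP payload when an HTTP object was built, otherwise the ctypes buffer
		holding the raw payload.  Side effects: sets self.payload and self.itered and calls
		build_handshake() (only for an established flow) and build_packet().
		"""
		# Simple HTTP string based checks
		httpCheck = ["POST", "GET", "User-Agent", "Host", "Cookie"]

		if self.flow and self.flow.established:
			self.build_handshake()

		oldc = None
		itered = []

		for c in self.contents:
			# Default placement: first content at 0, later ones right after the previous one
			# (distance:0 means adjacent, otherwise leave one byte of slack).
			if not oldc:
				c.ini = 0
			elif c.distance == 0:
				c.ini = oldc.end
			else:
				c.ini = oldc.end + 1
			c.end = c.ini + len(c.payload)

			# offset: absolute lower bound for the start of the match.
			if c.offset and not oldc:
				c.ini = c.ini + c.offset
				c.end = c.end + c.offset
			if c.offset and oldc:
				# Here we should check for conflicts
				if c.ini < c.offset:
					c.ini = c.offset
					c.end = c.ini + len(c.payload)

			# distance: lower bound relative to the end of the previous match.
			if c.distance and oldc:
				if oldc.end + c.distance > c.ini:
					c.ini = oldc.end + c.distance
					c.end = oldc.end + c.distance + len(c.payload)

			# Checks -- violations are only reported, the layout is not corrected.
			if c.depth and c.end > c.depth:
				print("Error here depth!")
			# 'within' is relative to the previous match, so there is nothing to check for
			# the first content (dereferencing oldc here used to raise AttributeError).
			if c.within and oldc and c.end > oldc.end + c.within:
				print("Error here within!")

			oldc = c
			itered.append(c)

		# Buffer size is the furthest end of any content (never negative); pad with spaces,
		# then overlay each content at its offset.
		buf_len = max([0] + [c.end for c in itered])
		padding = b" " * buf_len
		self.payload = create_string_buffer(buf_len)
		struct.pack_into(str(buf_len) + "s", self.payload, 0, padding)

		for c in itered:
			struct.pack_into(str(c.end - c.ini) + "s", self.payload, c.ini, c.payload)

		self.itered = itered

		# HTTP support: on port 80, a bare keyword match on the payload (case-insensitive
		# substring, so it can fire on unrelated binary content) or the presence of
		# uricontent promotes the payload to an HTTP request.
		# NOTE: Python 2 semantics -- payload.raw is a str here.
		h = None
		if self.sport == "80" or self.dport == "80":
			raw_lower = self.payload.raw.lower()
			for check in httpCheck:
				if raw_lower.find(check.lower()) != -1:
					h = HTTP()
					h.check(self.payload.raw)
					h.build()
					break
			if self.uricontents:
				if not h:
					h = HTTP()
				# uricontents are concatenated in rule order to form the request URI.
				h.uri = "".join(str(u.uricontent) for u in self.uricontents)
				h.build()
		if h:
			if self.payload.raw:
				h.payload = h.payload + self.payload.raw
			self.build_packet(h.payload)
			return h.payload
		self.build_packet(self.payload.raw)
		return self.payload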
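    def build(self):
        """Lay out the rule's content matches into one payload buffer and hand it to build_packet().

        Every entry of ``self.contents`` receives ``ini``/``end`` byte positions derived from the
        rule modifiers handled here (``offset``, ``distance``; ``depth`` and ``within`` are only
        checked and reported).  The buffer is space-padded to the furthest ``end`` and each
        content is packed in place.  A ``dsize`` keyword (``self.dsize_list``) moves the end of
        the last content, which in turn sizes the buffer.  When the rule looks like HTTP
        (port 80 / proto http, plus an HTTP keyword in the payload or uricontent in the rule)
        an HTTP() object is built and its payload is prepended.

        Returns the HTTP payload when an HTTP object was built, otherwise the ctypes buffer
        holding the raw payload.  Side effects: sets self.payload and self.itered, may set
        self.dsize_flag, and calls build_handshake()/build_packet().

        Raises struct.error if dsize pushes the last content's end below its start (negative
        pack width) and ValueError for an empty ``dsize:A<>B`` interval.  Non-numeric dsize
        operands from the rule text raise ValueError from int().
        """
        # Simple HTTP string based checks
        httpCheck = ["POST", "GET", "User-Agent", "Host", "Cookie"]

        # if self.flow and self.flow.established: # to be investigated
        if self.flow or self.proto in ("tcp", "http", "ftp"):
            self.build_handshake()

        oldc = None
        itered = []

        if self.dsize:
            self.dsize_flag = True  # dsize keyword present in the rule

        for c in self.contents:
            # Default placement: first content at 0, later ones right after the previous one
            # (distance:0 means adjacent, otherwise leave one byte of slack).
            if not oldc:
                c.ini = 0
            elif c.distance == 0:
                c.ini = oldc.end
            else:
                c.ini = oldc.end + 1
            c.end = c.ini + len(c.payload)

            # offset: absolute lower bound for the start of the match.
            if c.offset and not oldc:
                c.ini = c.ini + c.offset
                c.end = c.end + c.offset
            if c.offset and oldc:
                # Here we should check for conflicts
                if c.ini < c.offset:
                    c.ini = c.offset
                    c.end = c.ini + len(c.payload)

            # distance: lower bound relative to the end of the previous match.
            if c.distance and oldc:
                if oldc.end + c.distance > c.ini:
                    c.ini = oldc.end + c.distance
                    c.end = oldc.end + c.distance + len(c.payload)

            # Checks -- violations are only reported, the layout is not corrected.
            if c.depth and c.end > c.depth:
                print("Error here depth!")
            # 'within' is relative to the previous match, so there is nothing to check for
            # the first content (dereferencing oldc here used to raise AttributeError).
            if c.within and oldc and c.end > oldc.end + c.within:
                print("Error here within!")

            oldc = c
            itered.append(c)

        # dsize keyword: resize the last content's end, which sizes the whole buffer.
        # Skipped for a rule without content (there is no last content to resize).
        if self.dsize_flag and itered:
            last = itered[-1]
            if len(self.dsize_list) == 1:  # dsize:200
                last.end = int(self.dsize_list[0])
            if len(self.dsize_list) == 3 and self.dsize_list[1] == "<>":  # dsize:100<>200
                # randint raises ValueError when the open interval is empty (e.g. 100<>101).
                last.end = random.randint(int(self.dsize_list[0]) + 1,
                                          int(self.dsize_list[2]) - 1)
            if self.dsize_list[0] == "<":  # dsize:<200
                last.end = int(self.dsize_list[1]) - 1
            if self.dsize_list[0] == ">":  # dsize:>200
                last.end = last.end + int(self.dsize_list[1]) + random.randint(0, int(self.dsize_list[1]))
                if self.dsize_list[1] == "0":  # dsize:>0 -- pick a plausible size instead of ~0
                    last.end = last.end + random.randint(64, 1024)

        # Buffer size is the furthest end of any content (never negative); pad with spaces,
        # then overlay each content at its offset.  pack_into NUL-pads a content whose end
        # was pushed past its payload length by dsize.
        buf_len = max([0] + [c.end for c in itered])
        padding = b" " * buf_len
        self.payload = create_string_buffer(buf_len)
        struct.pack_into(str(buf_len) + "s", self.payload, 0, padding)

        for c in itered:
            struct.pack_into(str(c.end - c.ini) + "s", self.payload, c.ini, c.payload)

        self.itered = itered

        # HTTP support: on port 80 / proto http, a bare keyword match on the payload
        # (case-insensitive substring, so it can fire on unrelated binary content) or the
        # presence of uricontent promotes the payload to an HTTP request.
        # NOTE: Python 2 semantics -- payload.raw is a str here.
        h = None
        if self.sport == "80" or self.dport == "80" or self.proto == "http":
            raw_lower = self.payload.raw.lower()
            for check in httpCheck:
                if raw_lower.find(check.lower()) != -1:
                    h = HTTP()
                    h.check(self.payload.raw)
                    h.build()
                    break
            if self.uricontents:
                if not h:
                    h = HTTP()
                # uricontents are concatenated in rule order to form the request URI.
                h.uri = "".join(str(u.uricontent) for u in self.uricontents)
                h.build()
        if h:
            if self.payload.raw:
                h.payload = h.payload + self.payload.raw
            self.build_packet(h.payload)
            return h.payload
        self.build_packet(self.payload.raw)
        return self.payload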