예제 #1
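def parse_flow(IP):
    """Append the TCP flows that involve *IP* to the report file ``out``.

    Runs tcpflow over the pcap named by ``PROCDOTPLUGIN_WindumpFilePcap``
    (``-cJB``: console output, ANSI colour per direction, raw binary) and
    splits its stdout on the ``0;31m`` / ``0;34m`` SGR escapes. Text from the
    ``0;34m`` spans is filtered to printable ASCII and, when the ProcDOT
    plugin engine is present, wrapped in a randomly named ``<styleID>`` span
    declared by a ``{{{style-id:...}}}`` header. Text from the ``0;31m`` spans
    that starts with ``HTTP`` is parsed as an HTTP response: gzip bodies
    (chunked or Content-Length delimited) are inflated, pulling continuation
    segments from the following matches when the first segment is short;
    anything else is written filtered to printable ASCII.

    Args:
        IP: address to select flows for. It is matched as a plain substring of
            tcpflow's output, so e.g. ``10.0.0.1`` also matches ``10.0.0.10``.

    Side effects:
        Spawns tcpflow and appends to the module-level ``out`` path (defined
        outside this function). Returns ``None``. A failure while parsing or
        inflating one response is recorded in the file as
        ``DECOMPRESSION ERROR`` followed by the filtered segment, and
        processing continues with the next span.
    """
    # Anything outside this printable-ASCII class becomes '.' so the report
    # stays displayable. Raw-string form of the original pattern.
    non_printable = re.compile(
        r'[^!"#\$%&\'\(\)\*\+,-\./0-9:;<=>\?@A-Z\[\]\^_`a-z\{\|\}\\~\t\n\r ]')

    def _sanitize(text):
        return non_printable.sub('.', text)

    def _append(data):
        # Re-open per write like the original, but close the handle
        # deterministically instead of leaving it to the garbage collector.
        with open(out, 'ab') as fh:
            fh.write(data)

    def _out_size():
        # out may not exist yet when no style header has been written.
        return os.stat(out).st_size if os.path.exists(out) else 0

    def _write_response(status_line, msg, body):
        # Status line, headers, blank line, body. The body is filtered to
        # printable ASCII whether it came from the wire or from zlib, so
        # inflated binary content never lands raw in the report.
        _append(status_line)
        _append(str(msg))
        _append('\n')
        _append(_sanitize(body))

    # ProcDOT markup ({{{...}}} header and <styleID> spans) is only emitted
    # when running under the plugin engine.
    styled = os.getenv('PROCDOTPLUGIN_PluginEngineVersion') is not None
    styleID = ''.join(choice(string.ascii_lowercase + string.digits)
                      for _ in range(randint(8, 12)))
    style_header = ('{{{style-id:default;color:blue;style-id:'
                    + styleID + ';color:red}}}')

    pcap = os.getenv('PROCDOTPLUGIN_WindumpFilePcap')
    if pcap is None:
        # Popen would otherwise fail with an opaque TypeError on the None argv.
        _append('PROCDOTPLUGIN_WindumpFilePcap is not set; cannot run tcpflow')
        return

    p = sub.Popen(['tcpflow', '-T %T--%A-%B', '-cJB', '-r', pcap],
                  stdout=sub.PIPE, stderr=sub.PIPE)
    stdout, _stderr = p.communicate()
    stdout = stdout.replace('\r\n', '\n')

    if IP not in stdout:
        _append("No tcp flows found for " + IP)
        return

    if styled:
        _append(style_header)
    # File size with only the header in it; anything beyond it means a flow
    # has already been written and the next one needs a blank-line separator.
    # (The original compared against 53 + len(styleID) -- 53 is the length of
    # the header text around the id -- even when no header had been written.)
    header_size = len(style_header) if styled else 0

    # Group 1 is the text inside an SGR 0;31 (red) span, group 2 inside an
    # SGR 0;34 (blue) span; exactly one of them is non-empty per match. The
    # response parser below also pulls items from `flows` itself.
    flows = iter(re.findall(
        r'\x1b\[0;31m(.*?)\x1b\[0m|\x1b\[0;34m(.*?)\x1b\[0m',
        stdout, re.DOTALL))
    for red, blue in flows:
        if red == '':
            if IP not in blue:
                continue
            # [56:] skips what is presumably the fixed-width flow header line
            # tcpflow prints for the -T format above -- TODO confirm width.
            text = _sanitize(blue[56:])
            if styled:
                text = '<' + styleID + '>' + text + '</' + styleID + '>'
            if _out_size() > header_size:
                text = '\n\n' + text
            _append(text)
            continue

        if IP not in red:
            continue
        red = red[56:]
        try:
            if red.startswith('HTTP'):
                # Re-parse `red` until the body is as long as the headers
                # say; each short pass splices in the next 0;31 segment.
                length, num = 1, 0
                while length != num:
                    # 16 + MAX_WBITS: expect a gzip wrapper around the deflate
                    # stream. NOTE(review): no max_length is passed, so the
                    # report grows to whatever the capture inflates to.
                    inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)
                    buf = StringIO.StringIO(red)
                    status_line = buf.readline()
                    msg = HTTPMessage(buf, 0)
                    content_length = msg.get('Content-Length')
                    is_gzipped = msg.get('content-encoding', '').find('gzip') >= 0
                    is_chunked = msg.get('Transfer-Encoding', '').find('chunked') >= 0
                    if is_gzipped and is_chunked:
                        # Only the first chunk is handled: its hex size line,
                        # then that many bytes. Later chunks are not inflated.
                        num = int(msg.fp.readline(), 16)
                        encdata = msg.fp.read()[:num]
                        length = len(encdata)
                        if length != num:
                            more_red, _more_blue = next(flows)
                            red = red + more_red[56:]
                        else:
                            _write_response(status_line, msg,
                                            inflater.decompress(encdata))
                    elif is_gzipped:
                        body = msg.fp.read()
                        num = len(body)
                        # The original did int(None) when Content-Length was
                        # absent; treat the segment as complete instead.
                        length = num if content_length is None else int(content_length)
                        if length != num:
                            more_red, _more_blue = next(flows)
                            if IP in more_red:
                                red = red + more_red[56:]
                        else:
                            _write_response(status_line, msg,
                                            inflater.decompress(body))
                    else:
                        # Plain body: single pass.
                        length = num = 1
                        _write_response(status_line, msg, msg.fp.read())
            else:
                _append(_sanitize(red))
        except Exception:
            # next() exhausting `flows`, a bad chunk-size line, a truncated
            # gzip stream: all end up here. The segment (including any
            # continuation already spliced in) is written filtered instead.
            _append('DECOMPRESSION ERROR')
            _append('\n\n')
            _append(_sanitize(red))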
예제 #2
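def parse_flow(IP):
    """Append the TCP flows that involve *IP* to the report file ``out``.

    Runs tcpflow over the pcap named by ``PROCDOTPLUGIN_WindumpFilePcap``
    (``-cJB``: console output, ANSI colour per direction, raw binary) and
    takes every ``0;31m``/``0;34m`` SGR span from its stdout. Spans that
    contain *IP* and start with ``HTTP`` are parsed as HTTP responses: gzip
    bodies (chunked or whole) are inflated, a short first chunk is completed
    from the following spans, and plain bodies are written as they are. All
    bodies and non-HTTP spans are filtered to printable ASCII before writing.

    Args:
        IP: address to select flows for, matched as a plain substring of
            tcpflow's output (so ``10.0.0.1`` also matches ``10.0.0.10``).

    Side effects:
        Spawns tcpflow and appends to the module-level ``out`` path (defined
        outside this function). Returns ``None``. A failure while parsing or
        inflating one response is recorded as ``DECOMPRESSION ERROR`` followed
        by the filtered segment, and processing continues with the next span.
    """
    # Anything outside this printable-ASCII class becomes '.' so the report
    # stays displayable. Raw-string form of the original pattern.
    non_printable = re.compile(
        r'[^!"#\$%&\'\(\)\*\+,-\./0-9:;<=>\?@A-Z\[\]\^_`a-z\{\|\}\\~\t\n\r ]')

    def _sanitize(text):
        return non_printable.sub('.', text)

    def _append(data):
        # Re-open per write like the original, but close the handle
        # deterministically instead of leaving it to the garbage collector.
        with open(out, 'ab') as fh:
            fh.write(data)

    def _write_response(status_line, msg, body):
        # Status line, headers, blank line, body. The body is filtered to
        # printable ASCII whether it came from the wire or from zlib, so
        # inflated binary content never lands raw in the report.
        _append(status_line)
        _append(str(msg))
        _append('\n')
        _append(_sanitize(body))

    pcap = os.getenv('PROCDOTPLUGIN_WindumpFilePcap')
    if pcap is None:
        # Popen would otherwise fail with an opaque TypeError on the None argv.
        _append('PROCDOTPLUGIN_WindumpFilePcap is not set; cannot run tcpflow')
        return

    p = sub.Popen(['tcpflow', '-T %T--%A-%B', '-cJB', '-r', pcap],
                  stdout=sub.PIPE, stderr=sub.PIPE)
    stdout, _stderr = p.communicate()
    stdout = stdout.replace('\r\n', '\n')

    if IP not in stdout:
        _append("No tcp flows found for " + IP)
        return

    # One match per SGR 0;31 or 0;34 span (the original class was [1|4],
    # which also admitted a '|' that never occurs). The response parser
    # below also pulls items from `flows` itself.
    flows = iter(re.findall(r'\x1b\[0;3[14]m(.*?)\x1b\[0m', stdout, re.DOTALL))
    for line in flows:
        if IP not in line:
            continue
        # [56:] skips what is presumably the fixed-width flow header line
        # tcpflow prints for the -T format above -- TODO confirm width.
        line = line[56:]
        try:
            if line.startswith('HTTP'):
                # Re-parse `line` until the body is as long as the headers
                # say; a short chunked pass splices in the next span.
                length, num = 1, 0
                while length != num:
                    # 16 + MAX_WBITS: expect a gzip wrapper around the deflate
                    # stream. NOTE(review): no max_length is passed, so the
                    # report grows to whatever the capture inflates to.
                    inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)
                    buf = StringIO.StringIO(line)
                    status_line = buf.readline()
                    msg = HTTPMessage(buf, 0)
                    is_gzipped = msg.get('content-encoding', '').find('gzip') >= 0
                    is_chunked = msg.get('Transfer-Encoding', '').find('chunked') >= 0
                    if is_gzipped and is_chunked:
                        # Only the first chunk is handled: its hex size line,
                        # then that many bytes. Later chunks are not inflated.
                        num = int(msg.fp.readline(), 16)
                        encdata = msg.fp.read()[:num]
                        length = len(encdata)
                        if length != num:
                            line = line + next(flows)[56:]
                        else:
                            _write_response(status_line, msg,
                                            inflater.decompress(encdata))
                    elif is_gzipped:
                        # Whole-body gzip: single pass, no Content-Length check.
                        length = num = 1
                        _write_response(status_line, msg,
                                        inflater.decompress(msg.fp.read()))
                    else:
                        # Plain body: single pass. The original `break` here
                        # silently dropped every non-gzip response.
                        length = num = 1
                        _write_response(status_line, msg, msg.fp.read())
            else:
                _append(_sanitize(line))
        except Exception:
            # next() exhausting `flows`, a bad chunk-size line, a truncated
            # gzip stream: all end up here. The segment (including any
            # continuation already spliced in) is written filtered instead.
            _append('DECOMPRESSION ERROR')
            _append('\n\n')
            _append(_sanitize(line))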
예제 #3
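def parse_flow(IP):
    """Append the TCP flows that involve *IP* to the report file ``out``.

    Runs tcpflow over the pcap named by ``PROCDOTPLUGIN_WindumpFilePcap``
    (``-cJB``: console output, ANSI colour per direction, raw binary) and
    takes every ``0;31m``/``0;34m`` SGR span from its stdout. Spans that
    contain *IP* and start with ``HTTP`` are parsed as HTTP responses: gzip
    bodies (chunked or whole) are inflated, a short first chunk is completed
    from the following spans, and plain bodies are written as they are. All
    bodies and non-HTTP spans are filtered to printable ASCII before writing.

    Args:
        IP: address to select flows for, matched as a plain substring of
            tcpflow's output (so ``10.0.0.1`` also matches ``10.0.0.10``).

    Side effects:
        Spawns tcpflow and appends to the module-level ``out`` path (defined
        outside this function). Returns ``None``. A failure while parsing or
        inflating one response is recorded as ``DECOMPRESSION ERROR`` followed
        by the filtered segment, and processing continues with the next span.
    """
    # Anything outside this printable-ASCII class becomes '.' so the report
    # stays displayable. Raw-string form of the original pattern.
    non_printable = re.compile(
        r'[^!"#\$%&\'\(\)\*\+,-\./0-9:;<=>\?@A-Z\[\]\^_`a-z\{\|\}\\~\t\n\r ]')

    def _sanitize(text):
        return non_printable.sub('.', text)

    def _append(data):
        # Re-open per write like the original, but close the handle
        # deterministically instead of leaving it to the garbage collector.
        with open(out, 'ab') as fh:
            fh.write(data)

    def _emit(status_line, msg, body):
        # Status line, headers, blank line, body. The body is filtered to
        # printable ASCII whether it came from the wire or from zlib, so
        # inflated binary content never lands raw in the report.
        for piece in (status_line, str(msg), '\n', _sanitize(body)):
            _append(piece)

    pcap = os.getenv('PROCDOTPLUGIN_WindumpFilePcap')
    if pcap is None:
        # Popen would otherwise fail with an opaque TypeError on the None argv.
        _append('PROCDOTPLUGIN_WindumpFilePcap is not set; cannot run tcpflow')
        return

    proc = sub.Popen(['tcpflow', '-T %T--%A-%B', '-cJB', '-r', pcap],
                     stdout=sub.PIPE, stderr=sub.PIPE)
    captured, _stderr = proc.communicate()
    captured = captured.replace('\r\n', '\n')

    if IP not in captured:
        _append("No tcp flows found for " + IP)
        return

    # One match per SGR 0;31 or 0;34 span (the original class was [1|4],
    # which also admitted a '|' that never occurs). The response parser
    # below also pulls items from `spans` itself.
    spans = iter(re.findall(r'\x1b\[0;3[14]m(.*?)\x1b\[0m', captured, re.DOTALL))
    for segment in spans:
        if IP not in segment:
            continue
        # [56:] skips what is presumably the fixed-width flow header line
        # tcpflow prints for the -T format above -- TODO confirm width.
        segment = segment[56:]
        try:
            if not segment.startswith('HTTP'):
                _append(_sanitize(segment))
                continue
            # Re-parse `segment` until the body is as long as the headers
            # say; a short chunked pass splices in the next span.
            length, num = 1, 0
            while length != num:
                # 16 + MAX_WBITS: expect a gzip wrapper around the deflate
                # stream. NOTE(review): no max_length is passed, so the
                # report grows to whatever the capture inflates to.
                inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)
                buf = StringIO.StringIO(segment)
                status_line = buf.readline()
                msg = HTTPMessage(buf, 0)
                gzipped = 'gzip' in msg.get('content-encoding', '')
                chunked = 'chunked' in msg.get('Transfer-Encoding', '')
                if gzipped and chunked:
                    # Only the first chunk is handled: its hex size line,
                    # then that many bytes. Later chunks are not inflated.
                    num = int(msg.fp.readline(), 16)
                    encdata = msg.fp.read()[:num]
                    length = len(encdata)
                    if length != num:
                        segment = segment + next(spans)[56:]
                    else:
                        _emit(status_line, msg, inflater.decompress(encdata))
                elif gzipped:
                    # Whole-body gzip: single pass, no Content-Length check.
                    length = num = 1
                    _emit(status_line, msg, inflater.decompress(msg.fp.read()))
                else:
                    # Plain body: single pass.
                    length = num = 1
                    _emit(status_line, msg, msg.fp.read())
        except Exception:
            # next() exhausting `spans`, a bad chunk-size line, a truncated
            # gzip stream: all end up here. The segment (including any
            # continuation already spliced in) is written filtered instead.
            _append('DECOMPRESSION ERROR')
            _append('\n\n')
            _append(_sanitize(segment))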