class Distiller:
def __init__(self, data_directory, pull_port='5555', push_port='5556'):
self.data_directory = data_directory
self.messager = Messager(pull_port=pull_port, push_port=push_port)
self.build = Builder()
self.dict = Rosetta()
self.header_marker = '[--> HEADER <--]'
self.hm_len = len(self.header_marker)
self.broken_header = 'fae'
def __on_receive_command(self, message):
print message
if message['payload']['command'] == 'parse_file_pcap':
file_name = message['payload']['filename']
file_path = os.path.join(self.data_directory, file_name)
self._read_file(file_path)
# x._read_file('../app/uploads/evidence01.pcap')
# x._read_file('../app/uploads/evidence-malware.pcap')
# x._read_file('../app/uploads/evidence01-talkers.pcap')
def _read(self, _hex):
read = self._format_lines(binascii.hexlify(_hex))
return read
def _read_file(self, afile, num_fails=0, max_fails=3):
try:
_file = open(afile, 'rb')
except:
if num_fails < max_fails:
num_fails += 1;
time.sleep(2*num_fails);
self._read_file(afile, num_fails, max_fails)
return
else:
return
file_to_list = []
for row in list(_file):
''
# get user-agent and host
plain_text = row
temp = self.dict.sifter(plain_text)
if temp is not None:
print(temp)
pcap_string = self.dict._format_lines(binascii.hexlify(row))
highlight_header = re.sub('[0-9][a-f]000000[0-9][a-f]000000', self.header_marker, pcap_string)
file_to_list.append(highlight_header)
try:
# catch complete packets
for line in file_to_list:
if self.header_marker in line and not self.broken_header in line:
#print(line) # test output is read
# setup 1st check
hdr_len_byte1 = line.index(self.header_marker) + 28 # find index
header_check1 = hdr_len_byte1 + self.hm_len # verify header w/length byte
# setup 2nd check
hdr_len_byte2 = line.index(self.header_marker) + 92 # find index
header_check2 = hdr_len_byte2 + self.hm_len # verify header w/2nd length byte
if line[header_check1] is '4': # initial confirmation of header
self.peruse_pcap(line)
try:
if line[header_check2] is '5': # catches only complete headers
self.peruse_pcap(line)
except:
pass
except:
for line in file_to_list:
if self.header_marker in line and not self.broken_header in line:
self.peruse_pcap(line)
def receive_command(self):
self.messager.receive_message(self.__on_receive_command)
def peruse_pcap(self, apcap):
get_header = apcap.index(self.header_marker) # find header starting index
header_offset = get_header + self.hm_len
''' beginning reference point '''
des_mac = header_offset # 1
des_ip = header_offset + 60 # 5
des_port = header_offset + 72 # 7
_src_mac = header_offset + 12 # 2
_src_ip = header_offset + 52 # 4
_src_port = header_offset + 68 # 6
prot = header_offset + 46 # 3
''' ending reference point'''
dest_mac_offset = des_mac + 12
dest_ip_offset = des_ip + 8
dest_port_offset = des_port + 4
_src_mac_offset = _src_mac + 12
_src_ip_offset = _src_ip + 8
_src_port_offset = _src_port + 4
protocol_offset = prot + 2
try:
#!works
destination_mac = self.build.rebuild_mac(str(apcap[des_mac:dest_mac_offset]))
_source_mac = self.build.rebuild_mac(str(apcap[_src_mac:_src_mac_offset]))
protocol_type = self.build.define_prot(str(apcap[prot:protocol_offset]))
_source_ip = self.build.rebuild_ip(str(apcap[_src_ip:_src_ip_offset]))
destination_ip = self.build.rebuild_ip(str(apcap[des_ip:dest_ip_offset]))
_source_port = self.build.rebuild_port(str(apcap[_src_port:_src_port_offset]))
destination_port = self.build.rebuild_port(str(apcap[des_port:dest_port_offset]))
print('Protocol: ' + protocol_type)
print('')
print('\t\tSource:') # print('\tSource:')
print('Mac:\t' + _source_mac)
print('IP:\t\t' + _source_ip) # print('IP:\t' + _source_ip)
print('Port:\t' + str(_source_port))
print('')
print('\t\tDestination:') # print('\tSource:')
print('Mac:\t' + destination_mac)
print('IP:\t\t' + destination_ip) # print('IP:\t' + destination_ip)
print('Port:\t' + str(destination_port))
print('\n------------------------------------------\n')
#+ Send Message
now = datetime.now().isoformat(' ')
message = {
'timestamp': now,
'source': 'Distiller',
'destination': 'SneakPeek',
'payload': {
'command': 'show',
'protocol_type': protocol_type,
'shost': {
'source_mac': _source_mac,
'source_ip': _source_ip,
'source_port': _source_port
},
'dhost': {
'destination_mac': destination_mac,
'destination_ip': destination_ip,
'destination_port': destination_port
}
}
}
self.messager.send_message(message);
#- Send Message
except:
pass
class Distiller:
def __init__(self, data_directory, pull_port='5555', push_port='5556'):
self.data_directory = data_directory
self.messager = Messager(pull_port=pull_port, push_port=push_port)
self.build = Builder()
self.stone = Rosetta()
self.ipv4_marker = '[--> IPV4 <--]'
self.ipv6_marker = '[--> IPV6 <--]'
self.hm_len = len(self.ipv4_marker)
self.seperator = '-------------------------------'
def __on_receive_command(self, message):
print message
if message['payload']['command'] == 'parse_file_pcap':
file_name = message['payload']['filename']
file_path = os.path.join(self.data_directory, file_name)
self.read_file(file_path)
def receive_command(self):
self.messager.receive_message(self.__on_receive_command)
def read(self, _hex):
'''
This function reads and parses pcap hex strings.
'''
# get user-agent and host and date
message = {};
hex_string = _hex
recovered_text = self.stone.sifter(hex_string)
if recovered_text is not None:
print(recovered_text)
#send to json directly from sifter
else:
# converts string to true hex
pcap_string = binascii.hexlify(hex_string)
ipv4 = self._ipv4(pcap_string)
ipv6 = self._ipv6(ipv4)
filtered = ipv6
message = self._parse_ipv4(filtered)
# self._parse_ipv6(filtered)
return message;
def read_file(self, afile):
'''
This function opens a pcap file and passes
it through the read function line by
line for parsing.
'''
_file = open(afile, 'rb')
for row in list(_file):
message = self.read(row);
if message != None and type(message) == dict:
message['payload']['filename'] = afile;
self.messager.send_message(message);
def _ipv4(self, astring):
'''
This function filters for ipv4 header tags.
'''
filter1 = re.sub('[1-9][a-f]000000[1-9][a-f]000000', self.ipv4_marker, astring)
filter2 = re.sub('[a-f][a-f]0[1-9]0000[a-f][a-f]0[1-9]0000', self.ipv4_marker, filter1)
return filter2
def _parse_ipv4(self, astring):
'''
This function parses ipv4 strings.
Specific slices for specific data.
'''
if self.ipv4_marker in astring:
header_frame = astring.index(self.ipv4_marker) + self.hm_len
try:
dmac = str(astring[header_frame:header_frame+12])
smac = str(astring[header_frame+12:header_frame+24])
types = str(astring[header_frame+24:header_frame+28])
prot = str(astring[header_frame+46:header_frame+48])
sip = str(astring[header_frame+52:header_frame+60])
dip = str(astring[header_frame+60:header_frame+68])
sprt = str(astring[header_frame+68:header_frame+72])
dprt = str(astring[header_frame+72:header_frame+76])
except:
pass
try:
type_ = str(self.build.define_type(types))
protocol = str(self.build.define_prot(prot))
dest_mac = str(self.build._mac(dmac))
dest_ip = str(self.build._ip(dip))
dest_port = str(self.build._port(dprt))
src_mac = str(self.build._mac(smac))
src_ip = str(self.build._ip(sip))
src_port = str(self.build._port(sprt))
# quality check
qc = str(type_+'\n'+protocol+'\n'+src_mac+'\n'+src_ip+
'\n'+src_port+'\n'+dest_mac+'\n'+dest_ip+'\n'+
dest_port+'\n'+self.seperator)
print(qc)
#+ Send Message
now = datetime.now().isoformat(' ')
message = {
'timestamp': now,
'source': 'Distiller',
'destination': 'SneakPeek',
'payload': {
'command': 'show',
'header_type': type_,
'protocol_type': protocol,
'shost': {
'source_mac': src_mac,
'source_ip': src_ip,
'source_port': src_port
},
'dhost': {
'destination_mac': dest_mac,
'destination_ip': dest_ip,
'destination_port': dest_port
}
}
}
return message;
#- Send Message
except:
pass
else:
pass
def _ipv6(self, astring):
'''
This function filters for ipv6 header tags.
'''
filter3 = re.sub('0[1-9]00[1-9]0000000[1-9]0000000', self.ipv6_marker, astring)
filter4 = re.sub('00[1-9][1-9]000000[1-9][1-9]000000', self.ipv6_marker, filter3)
filter5 = re.sub('00[1-9][a-f]0[1-9]0000[1-9][a-f]0[1-9]0000', self.ipv6_marker, filter4)
filter6 = re.sub('00[a-f][1-9]000000[a-f][1-9]000000', self.ipv6_marker, filter5)
filter7 = re.sub('010000[a-f][1-9]010000', self.ipv6_marker, filter6)
return filter7
def _parse_ipv6(self, astring):
'''
This function parses ipv6 strings.
Specific slices for specific data.
'''
if self.ipv6_marker in astring:
header_frame = astring.index(self.ipv6_marker) + self.hm_len
try:
dmac = str(astring[header_frame:header_frame+12])
smac = str(astring[header_frame+12:header_frame+24])
types = str(astring[header_frame+24:header_frame+28])
prot = str(astring[header_frame+40:header_frame+42])
sip = str(astring[header_frame+44:header_frame+77])
dip = str(astring[header_frame+76:header_frame+109])
sprt = str(astring[header_frame+108:header_frame+112])
dprt = str(astring[header_frame+112:header_frame+116])
except:
pass
try:
type_ = str(self.build.define_type(types))
protocol = str(self.build.define_prot(prot))
dest_mac = str(self.build._mac(dmac))
dest_ip = str(self.build._ipv6_ip(dip))
dest_port = str(self.build._port(dprt))
src_mac = str(self.build._mac(smac))
src_ip = str(self.build._ipv6_ip(sip))
src_port = str(self.build._port(sprt))
# quality check
qc = str(type_+'\n'+protocol+'\n'+src_mac+'\n'+src_ip+
'\n'+src_port+'\n'+dest_mac+'\n'+dest_ip+'\n'+
dest_port+'\n'+self.seperator)
print(qc)
#+ Send Message
now = datetime.now().isoformat(' ')
message = {
'timestamp': now,
'source': 'Distiller',
'destination': 'SneakPeek',
'payload': {
'command': 'show',
'header_type': type_,
'protocol_type': protocol,
'shost': {
'source_mac': src_mac,
'source_ip': src_ip,
'source_port': src_port
},
'dhost': {
'destination_mac': dest_mac,
'destination_ip': dest_ip,
'destination_port': dest_port
}
}
}
# self.messager.send_message(message);
#- Send Message
# return message;
except:
pass
else:
pass
class Distiller:
def __init__(self, data_directory, pull_port='5555', push_port='5556'):
self.data_directory = data_directory
self.messager = Messager(pull_port=pull_port, push_port=push_port)
self.build = Builder()
self.stone = Rosetta()
self.ipv4_marker = '[--> IPV4 <--]'
self.ipv6_marker = '[--> IPV6 <--]'
self.hm_len = len(self.ipv4_marker)
self.seperator = '-------------------------------'
def __on_receive_command(self, message):
print message
if message['payload']['command'] == 'parse_file_pcap':
file_name = message['payload']['filename']
file_path = os.path.join(self.data_directory, file_name)
self.read_file(file_path)
def receive_command(self):
self.messager.receive_message(self.__on_receive_command)
def read(self, _hex):
'''
This function reads and parses pcap hex strings.
'''
# get user-agent and host and date
message = {}
hex_string = _hex
recovered_text = self.stone.sifter(hex_string)
if recovered_text is not None:
print(recovered_text)
#send to json directly from sifter
else:
# converts string to true hex
pcap_string = binascii.hexlify(hex_string)
ipv4 = self._ipv4(pcap_string)
ipv6 = self._ipv6(ipv4)
filtered = ipv6
message = self._parse_ipv4(filtered)
# self._parse_ipv6(filtered)
return message
def read_file(self, afile):
'''
This function opens a pcap file and passes
it through the read function line by
line for parsing.
'''
_file = open(afile, 'rb')
for row in list(_file):
message = self.read(row)
if message != None and type(message) == dict:
message['payload']['filename'] = afile
self.messager.send_message(message)
def _ipv4(self, astring):
'''
This function filters for ipv4 header tags.
'''
filter1 = re.sub('[1-9][a-f]000000[1-9][a-f]000000', self.ipv4_marker,
astring)
filter2 = re.sub('[a-f][a-f]0[1-9]0000[a-f][a-f]0[1-9]0000',
self.ipv4_marker, filter1)
return filter2
def _parse_ipv4(self, astring):
'''
This function parses ipv4 strings.
Specific slices for specific data.
'''
if self.ipv4_marker in astring:
header_frame = astring.index(self.ipv4_marker) + self.hm_len
try:
dmac = str(astring[header_frame:header_frame + 12])
smac = str(astring[header_frame + 12:header_frame + 24])
types = str(astring[header_frame + 24:header_frame + 28])
prot = str(astring[header_frame + 46:header_frame + 48])
sip = str(astring[header_frame + 52:header_frame + 60])
dip = str(astring[header_frame + 60:header_frame + 68])
sprt = str(astring[header_frame + 68:header_frame + 72])
dprt = str(astring[header_frame + 72:header_frame + 76])
except:
pass
try:
type_ = str(self.build.define_type(types))
protocol = str(self.build.define_prot(prot))
dest_mac = str(self.build._mac(dmac))
dest_ip = str(self.build._ip(dip))
dest_port = str(self.build._port(dprt))
src_mac = str(self.build._mac(smac))
src_ip = str(self.build._ip(sip))
src_port = str(self.build._port(sprt))
# quality check
qc = str(type_ + '\n' + protocol + '\n' + src_mac + '\n' +
src_ip + '\n' + src_port + '\n' + dest_mac + '\n' +
dest_ip + '\n' + dest_port + '\n' + self.seperator)
print(qc)
#+ Send Message
now = datetime.now().isoformat(' ')
message = {
'timestamp': now,
'source': 'Distiller',
'destination': 'SneakPeek',
'payload': {
'command': 'show',
'header_type': type_,
'protocol_type': protocol,
'shost': {
'source_mac': src_mac,
'source_ip': src_ip,
'source_port': src_port
},
'dhost': {
'destination_mac': dest_mac,
'destination_ip': dest_ip,
'destination_port': dest_port
}
}
}
return message
#- Send Message
except:
pass
else:
pass
def _ipv6(self, astring):
'''
This function filters for ipv6 header tags.
'''
filter3 = re.sub('0[1-9]00[1-9]0000000[1-9]0000000', self.ipv6_marker,
astring)
filter4 = re.sub('00[1-9][1-9]000000[1-9][1-9]000000',
self.ipv6_marker, filter3)
filter5 = re.sub('00[1-9][a-f]0[1-9]0000[1-9][a-f]0[1-9]0000',
self.ipv6_marker, filter4)
filter6 = re.sub('00[a-f][1-9]000000[a-f][1-9]000000',
self.ipv6_marker, filter5)
filter7 = re.sub('010000[a-f][1-9]010000', self.ipv6_marker, filter6)
return filter7
def _parse_ipv6(self, astring):
'''
This function parses ipv6 strings.
Specific slices for specific data.
'''
if self.ipv6_marker in astring:
header_frame = astring.index(self.ipv6_marker) + self.hm_len
try:
dmac = str(astring[header_frame:header_frame + 12])
smac = str(astring[header_frame + 12:header_frame + 24])
types = str(astring[header_frame + 24:header_frame + 28])
prot = str(astring[header_frame + 40:header_frame + 42])
sip = str(astring[header_frame + 44:header_frame + 77])
dip = str(astring[header_frame + 76:header_frame + 109])
sprt = str(astring[header_frame + 108:header_frame + 112])
dprt = str(astring[header_frame + 112:header_frame + 116])
except:
pass
try:
type_ = str(self.build.define_type(types))
protocol = str(self.build.define_prot(prot))
dest_mac = str(self.build._mac(dmac))
dest_ip = str(self.build._ipv6_ip(dip))
dest_port = str(self.build._port(dprt))
src_mac = str(self.build._mac(smac))
src_ip = str(self.build._ipv6_ip(sip))
src_port = str(self.build._port(sprt))
# quality check
qc = str(type_ + '\n' + protocol + '\n' + src_mac + '\n' +
src_ip + '\n' + src_port + '\n' + dest_mac + '\n' +
dest_ip + '\n' + dest_port + '\n' + self.seperator)
print(qc)
#+ Send Message
now = datetime.now().isoformat(' ')
message = {
'timestamp': now,
'source': 'Distiller',
'destination': 'SneakPeek',
'payload': {
'command': 'show',
'header_type': type_,
'protocol_type': protocol,
'shost': {
'source_mac': src_mac,
'source_ip': src_ip,
'source_port': src_port
},
'dhost': {
'destination_mac': dest_mac,
'destination_ip': dest_ip,
'destination_port': dest_port
}
}
}
# self.messager.send_message(message);
#- Send Message
# return message;
except:
pass
else:
pass
class Distiller:
def __init__(self, data_directory, pull_port='5555', push_port='5556'):
self.data_directory = data_directory
self.messager = Messager(pull_port=pull_port, push_port=push_port)
self.metadata_ext = '.sp'
self.build = Builder()
self.stone = Rosetta()
self.ipv4_marker = '[--> IPV4 <--]'
self.ipv6_marker = '[--> IPV6 <--]'
self.hm_len = len(self.ipv4_marker)
self.seperator = '-------------------------------'
def __on_receive_command(self, message):
print message
if message['payload']['command'] == 'parse_file_pcap':
#+ EXAMPLE MESSAGE
# message = {
# timestamp: now,
# source: "SneakPeek",
# destination: "Distiller",
# payload: {
# command: "parse_file_pcap",
# filename: file['name'],
# _modified_datetime: file['lastModified'],
# modified_datetime: file['lastModifiedDate'],
# size: file['size'],
# type: file['type']
# }
# };
#- EXAMPLE MESSAGE
payload = message['payload']
file_metadata = {
'filename': payload['filename'],
'_modified_datetime': payload['_modified_datetime'],
'modified_datetime': payload['modified_datetime'],
'size': payload['size'],
'type': payload['type']
}
file_metadata_path = os.path.join(
self.data_directory,
os.path.splitext(file_metadata['filename'])[0] +
self.metadata_ext)
if not os.path.exists(file_metadata_path):
print 'Writing metadata to file:', file_metadata_path
with open(file_metadata_path, 'w+') as outfile:
json.dump(file_metadata, outfile)
outfile.flush()
print 'Wrote metadata to file.'
filename = payload['filename']
file_path = os.path.join(self.data_directory, filename)
self.read_file(file_path, file_metadata_path)
elif message['payload']['command'] == 'request_metadata_update':
#+ Apply the update.
payload = message['payload']
filename = payload['filename']
file_path = os.path.join(self.data_directory, filename)
file_metadata_path = payload['file_metadata_path']
with open(file_metadata_path, 'r+') as metadata_file:
#+ Apply the update.
metadata = json.load(metadata_file)
for k in payload['update']:
metadata[k] = payload['update'][k]
metadata_file.seek(0)
json.dump(metadata, metadata_file)
metadata_file.flush()
metadata_file.truncate()
#- Apply the update.
#+ Notify Sneak Peek
now = datetime.now().isoformat(' ')
message = {
'timestamp': now,
'source': 'Distiller',
'destination': 'SneakPeek',
'payload': {
'command': 'display_metadata',
'filename': filename,
'file_path': file_path,
'file_metadata_path': file_metadata_path,
'metadata': metadata
}
}
self.messager.send_message(message)
#- Notify Sneak Peek
def receive_command(self):
self.messager.receive_message(self.__on_receive_command)
def read(self, _hex):
'''
This function reads and parses pcap hex strings.
'''
# get user-agent and host and date
message = {}
hex_string = _hex
recovered_text = self.stone.sifter(hex_string)
if recovered_text is not None:
print(recovered_text)
#send to json directly from sifter
else:
# converts string to true hex
pcap_string = binascii.hexlify(hex_string)
ipv4 = self._ipv4(pcap_string)
ipv6 = self._ipv6(ipv4)
filtered = ipv6
message = self._parse_ipv4(filtered)
self._parse_ipv6(filtered)
return message
def read_file(self, file_path, file_metadata_path=None):
'''
This function opens a pcap file and passes
it through the read function line by
line for parsing.
'''
filename = os.path.basename(file_path)
with open(file_path, 'rb') as _file:
for row in list(_file):
message = self.read(row)
if message != None and type(message) == dict:
message['payload']['filename'] = filename
message['payload']['file_path'] = file_path
message['payload'][
'file_metadata_path'] = file_metadata_path
self.messager.send_message(message)
if file_metadata_path != None:
#+ UPDATE Metadata
#~ Tells Sneak Peek to initiate an update to this file's metadata file.
now = datetime.now().isoformat(' ')
message = {
'timestamp': now,
'source': 'Distiller',
'destination': 'SneakPeek',
'payload': {
'command': 'request_metadata_update',
'filename': filename,
'file_path': file_path,
'file_metadata_path': file_metadata_path
}
}
self.messager.send_message(message)
#~ Tells Sneak Peek to initiate an update to this file's metadata file.
#- UPDATE Metadata
def _ipv4(self, astring):
'''
This function filters for ipv4 header tags.
'''
filter1 = re.sub('[1-9][a-f]000000[1-9][a-f]000000', self.ipv4_marker,
astring)
filter2 = re.sub('[a-f][a-f]0[1-9]0000[a-f][a-f]0[1-9]0000',
self.ipv4_marker, filter1)
return filter2
def _parse_ipv4(self, astring):
'''
This function parses ipv4 strings.
Specific slices for specific data.
'''
if self.ipv4_marker in astring:
header_frame = astring.index(self.ipv4_marker) + self.hm_len
try:
dmac = str(astring[header_frame:header_frame + 12])
smac = str(astring[header_frame + 12:header_frame + 24])
types = str(astring[header_frame + 24:header_frame + 28])
prot = str(astring[header_frame + 46:header_frame + 48])
sip = str(astring[header_frame + 52:header_frame + 60])
dip = str(astring[header_frame + 60:header_frame + 68])
sprt = str(astring[header_frame + 68:header_frame + 72])
dprt = str(astring[header_frame + 72:header_frame + 76])
except:
pass
try:
type_ = str(self.build.define_type(types))
protocol = str(self.build.define_prot(prot))
dest_mac = str(self.build._mac(dmac))
dest_ip = str(self.build._ip(dip))
dest_port = str(self.build._port(dprt))
src_mac = str(self.build._mac(smac))
src_ip = str(self.build._ip(sip))
src_port = str(self.build._port(sprt))
# quality check
qc = str(type_ + '\n' + protocol + '\n' + src_mac + '\n' +
src_ip + '\n' + src_port + '\n' + dest_mac + '\n' +
dest_ip + '\n' + dest_port + '\n' + self.seperator)
print(qc)
#+ Send Message
now = datetime.now().isoformat(' ')
message = {
'timestamp': now,
'source': 'Distiller',
'destination': 'SneakPeek',
'payload': {
'command': 'show',
'header_type': type_,
'protocol_type': protocol,
'shost': {
'source_mac': src_mac,
'source_ip': src_ip,
'source_port': src_port
},
'dhost': {
'destination_mac': dest_mac,
'destination_ip': dest_ip,
'destination_port': dest_port
}
}
}
return message
#- Send Message
except:
pass
else:
pass
def _ipv6(self, astring):
'''
This function filters for ipv6 header tags.
'''
filter3 = re.sub('0[1-9]00[1-9]0000000[1-9]0000000', self.ipv6_marker,
astring)
filter4 = re.sub('00[1-9][1-9]000000[1-9][1-9]000000',
self.ipv6_marker, filter3)
filter5 = re.sub('00[1-9][a-f]0[1-9]0000[1-9][a-f]0[1-9]0000',
self.ipv6_marker, filter4)
filter6 = re.sub('00[a-f][1-9]000000[a-f][1-9]000000',
self.ipv6_marker, filter5)
filter7 = re.sub('010000[a-f][1-9]010000', self.ipv6_marker, filter6)
return filter7
def _parse_ipv6(self, astring):
'''
This function parses ipv6 strings.
Specific slices for specific data.
'''
if self.ipv6_marker in astring:
header_frame = astring.index(self.ipv6_marker) + self.hm_len
try:
dmac = str(astring[header_frame:header_frame + 12])
smac = str(astring[header_frame + 12:header_frame + 24])
types = str(astring[header_frame + 24:header_frame + 28])
prot = str(astring[header_frame + 40:header_frame + 42])
sip = str(astring[header_frame + 44:header_frame + 77])
dip = str(astring[header_frame + 76:header_frame + 109])
sprt = str(astring[header_frame + 108:header_frame + 112])
dprt = str(astring[header_frame + 112:header_frame + 116])
except:
pass
try:
type_ = str(self.build.define_type(types))
protocol = str(self.build.define_prot(prot))
dest_mac = str(self.build._mac(dmac))
dest_ip = str(self.build._ipv6_ip(dip))
dest_port = str(self.build._port(dprt))
src_mac = str(self.build._mac(smac))
src_ip = str(self.build._ipv6_ip(sip))
src_port = str(self.build._port(sprt))
# quality check
qc = str(type_ + '\n' + protocol + '\n' + src_mac + '\n' +
src_ip + '\n' + src_port + '\n' + dest_mac + '\n' +
dest_ip + '\n' + dest_port + '\n' + self.seperator)
print(qc)
#+ Send Message
now = datetime.now().isoformat(' ')
message = {
'timestamp': now,
'source': 'Distiller',
'destination': 'SneakPeek',
'payload': {
'command': 'show',
'header_type': type_,
'protocol_type': protocol,
'shost': {
'source_mac': src_mac,
'source_ip': src_ip,
'source_port': src_port
},
'dhost': {
'destination_mac': dest_mac,
'destination_ip': dest_ip,
'destination_port': dest_port
}
}
}
# self.messager.send_message(message);
#- Send Message
return message
except:
pass
else:
pass
class Distiller:
def __init__(self, data_directory, pull_port='5555', push_port='5556'):
self.data_directory = data_directory
self.messager = Messager(pull_port=pull_port, push_port=push_port)
self.build = Builder()
self.dict = Rosetta()
self.header_marker = '[--> HEADER <--]'
self.hm_len = len(self.header_marker)
self.broken_header = 'fae'
def __on_receive_command(self, message):
print message
if message['payload']['command'] == 'parse_file_pcap':
file_name = message['payload']['filename']
file_path = os.path.join(self.data_directory, file_name)
self._read_file(file_path)
# x._read_file('../app/uploads/evidence01.pcap')
# x._read_file('../app/uploads/evidence-malware.pcap')
# x._read_file('../app/uploads/evidence01-talkers.pcap')
def _read(self, _hex):
read = self._format_lines(binascii.hexlify(_hex))
return read
def _read_file(self, afile, num_fails=0, max_fails=3):
try:
_file = open(afile, 'rb')
except:
if num_fails < max_fails:
num_fails += 1
time.sleep(2 * num_fails)
self._read_file(afile, num_fails, max_fails)
return
else:
return
file_to_list = []
for row in list(_file):
''
# get user-agent and host
plain_text = row
temp = self.dict.sifter(plain_text)
if temp is not None:
print(temp)
pcap_string = self.dict._format_lines(binascii.hexlify(row))
highlight_header = re.sub('[0-9][a-f]000000[0-9][a-f]000000',
self.header_marker, pcap_string)
file_to_list.append(highlight_header)
try:
# catch complete packets
for line in file_to_list:
if self.header_marker in line and not self.broken_header in line:
#print(line) # test output is read
# setup 1st check
hdr_len_byte1 = line.index(
self.header_marker) + 28 # find index
header_check1 = hdr_len_byte1 + self.hm_len # verify header w/length byte
# setup 2nd check
hdr_len_byte2 = line.index(
self.header_marker) + 92 # find index
header_check2 = hdr_len_byte2 + self.hm_len # verify header w/2nd length byte
if line[header_check1] is '4': # initial confirmation of header
self.peruse_pcap(line)
try:
if line[header_check2] is '5': # catches only complete headers
self.peruse_pcap(line)
except:
pass
except:
for line in file_to_list:
if self.header_marker in line and not self.broken_header in line:
self.peruse_pcap(line)
def receive_command(self):
self.messager.receive_message(self.__on_receive_command)
def peruse_pcap(self, apcap):
get_header = apcap.index(
self.header_marker) # find header starting index
header_offset = get_header + self.hm_len
''' beginning reference point '''
des_mac = header_offset # 1
des_ip = header_offset + 60 # 5
des_port = header_offset + 72 # 7
_src_mac = header_offset + 12 # 2
_src_ip = header_offset + 52 # 4
_src_port = header_offset + 68 # 6
prot = header_offset + 46 # 3
''' ending reference point'''
dest_mac_offset = des_mac + 12
dest_ip_offset = des_ip + 8
dest_port_offset = des_port + 4
_src_mac_offset = _src_mac + 12
_src_ip_offset = _src_ip + 8
_src_port_offset = _src_port + 4
protocol_offset = prot + 2
try:
#!works
destination_mac = self.build.rebuild_mac(
str(apcap[des_mac:dest_mac_offset]))
_source_mac = self.build.rebuild_mac(
str(apcap[_src_mac:_src_mac_offset]))
protocol_type = self.build.define_prot(
str(apcap[prot:protocol_offset]))
_source_ip = self.build.rebuild_ip(
str(apcap[_src_ip:_src_ip_offset]))
destination_ip = self.build.rebuild_ip(
str(apcap[des_ip:dest_ip_offset]))
_source_port = self.build.rebuild_port(
str(apcap[_src_port:_src_port_offset]))
destination_port = self.build.rebuild_port(
str(apcap[des_port:dest_port_offset]))
print('Protocol: ' + protocol_type)
print('')
print('\t\tSource:') # print('\tSource:')
print('Mac:\t' + _source_mac)
print('IP:\t\t' + _source_ip) # print('IP:\t' + _source_ip)
print('Port:\t' + str(_source_port))
print('')
print('\t\tDestination:') # print('\tSource:')
print('Mac:\t' + destination_mac)
print('IP:\t\t' + destination_ip
) # print('IP:\t' + destination_ip)
print('Port:\t' + str(destination_port))
print('\n------------------------------------------\n')
#+ Send Message
now = datetime.now().isoformat(' ')
message = {
'timestamp': now,
'source': 'Distiller',
'destination': 'SneakPeek',
'payload': {
'command': 'show',
'protocol_type': protocol_type,
'shost': {
'source_mac': _source_mac,
'source_ip': _source_ip,
'source_port': _source_port
},
'dhost': {
'destination_mac': destination_mac,
'destination_ip': destination_ip,
'destination_port': destination_port
}
}
}
self.messager.send_message(message)
#- Send Message
except:
pass
