def main():
#nids.param("pcap_filter", "tcp") # bpf restrict to TCP only, note
# libnids caution about fragments
nids.param("scan_num_hosts", 0) # disable portscan detection
nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksumming
if len(sys.argv) == 2: # read a pcap file?
nids.param("filename", sys.argv[1])
nids.init()
nids.register_tcp(handleTcpStream)
nids.register_udp(handleUDP)
nids.register_ip(handleIp)
print "pid", os.getpid()
# Loop forever (network device), or until EOF (pcap file)
# Note that an exception in the callback will break the loop!
try:
nids.run()
except nids.error, e:
print "nids/pcap error:", e
def run(self):
"""
:return:
"""
nids.init()
if self.is_handle_tcp:
nids.register_tcp(self.__handleTCPStream)
if self.is_handle_udp:
nids.register_udp(self.__handleUDPDatagram)
if self.is_handle_ip:
nids.register_ip(self.__handleIPPackets)
# Loop forever (network device), or until EOF (pcap file)
# Note that an exception in the callback will break the loop!
try:
nids.run()
except nids.error as e:
logging.error("[NIDS_RUN_Error]: %r" % e)
except (KeyboardInterrupt, SystemExit) as e:
logging.error("[System_Exit]: %r" % e)
except Exception as e:
logging.error("[NIDS RUN Exception]: %r %s" %
(e, traceback.format_exc()))
def main():
parser = argparse.ArgumentParser(description='minips.py - A minimal IPS', version='0.1',
epilog='EXAMPLE: %(prog)s -p test.pcap -r \'shellcode\' \n')
inputparser = parser.add_mutually_exclusive_group(required=True)
inputparser.add_argument('-d', '--device', action='store', dest='device',
help='network device to collect packets from')
inputparser.add_argument('-p', '--pcap', action='store', dest='pcap',
help='pcap file to read packets from')
parser.add_argument('-r', '--regex', action='store', dest='regex', required=True,
help='regex to match over network data')
parser.add_argument('-i', '--igncase', action='store_true', dest='igncase', default=False,
help='perform case insensitive regex match')
parser.add_argument('-m', '--multiline', action='store_true', dest='multiline', default=False,
help='perform multiline regex match')
parser.add_argument('-k', '--killtcp', action='store_true', dest='killtcp', default=False,
help='terminate matching tcp connections')
parser.add_argument('-b', '--dispbytes', action='store', dest='dispbytes', required=False,
help='max bytes to display')
args = parser.parse_args()
if args.device:
globs['device'] = args.device
nids.param('device', globs['device'])
if args.pcap:
globs['pcap'] = args.pcap
nids.param('filename', globs['pcap'])
if args.killtcp:
globs['killtcp'] = True
if args.igncase:
globs['regexflags'] |= re.IGNORECASE
if args.multiline:
globs['regexflags'] |= re.MULTILINE
globs['regexflags'] |= re.DOTALL
if args.regex:
globs['regexstr'] = args.regex
globs['regexobj'] = re.compile(globs['regexstr'], globs['regexflags'])
if args.dispbytes:
globs['dispbytes'] = int(args.dispbytes)
nids.init()
nids.register_tcp(tcpcallback)
nids.register_udp(udpcallback)
try:
nids.run()
except nids.error, e:
print "[-] Error: %s" % (e)
def run(self, conf):
self.conf = conf
self.output = open(conf.output_file, 'a')
nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksumming
nids.param('scan_num_hosts', 0) # disable portscan detection
nids.param('filename', conf.filename)
nids.init()
nids.register_udp(self.udp_handler)
try:
nids.run()
except nids.error, e:
print >> sys.stderr, 'nids/pcap error:', e
sys.exit(1)
def extract(pcap_file):
global ip_to_domain
global ips
ips = {}
ip_to_domain = {}
nids.param("tcp_workarounds", 1)
nids.param("scan_num_hosts", 0) # disable portscan detection
nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksumming
nids.param("filename", pcap_file)
nids.init()
nids.register_tcp(handle_tcp_stream)
nids.register_udp(udp_callback)
try:
nids.run()
except Exception, e:
print "Exception ", pcap_file + " ", e
return
def extract(pcap_file):
global ip_to_domain
global ips
ips = {}
ip_to_domain = {}
nids.param("tcp_workarounds", 1)
nids.param("scan_num_hosts", 0) # disable portscan detection
nids.chksum_ctl([('0.0.0.0/0', False)]) # disable checksumming
nids.param("filename", pcap_file)
nids.init()
nids.register_tcp(handle_tcp_stream)
nids.register_udp(udp_callback)
try:
nids.run()
except Exception, e:
print "Exception ", pcap_file + " ", e
return
def sniff():
if not _initialized:
raise NameError('Module vars were not initialized.')
nids.param('device', _device)
nids.param('multiproc', 1)
nids.param('scan_num_hosts', 0)
nids.chksum_ctl([('0.0.0.0/0', False)])
nids.init()
nids.register_tcp(_handle_tcp_stream)
nids.register_udp(_handle_udp_stream)
nids.register_ip(_handle_ip_packets)
arp_sniff = Process(target=scapy_sniff, kwargs=dict(store=0,
iface=_device, prn=_parse_arp))
dns_lookups = Process(target=_handle_dns_lookup)
traf_dict = Process(target=_handle_new_traf)
arp_sniff.start()
dns_lookups.start()
traf_dict.start()
nids.run()
self.complete = True
return
nids.param("scan_num_hosts",0)
nids.param("filename",options.filename)
try:
nids.init()
except Exception, e:
self.complete = True
chop.prnt("Error initting: ", e)
return
nids.chksum_ctl([('0.0.0.0/0',False),])
nids.register_tcp(handleTcpStreams)
nids.register_udp(handleUdpDatagrams)
while(True): #This overall while prevents exceptions from halting the long running reading
if self.stopped:
break
try:
if options.longrun: #long running don't stop until the proces is killed externally
while not self.stopped:
if not nids.next():
time.sleep(.001)
else:
while not self.stopped and nids.next():
pass
self.stopped = True #Force it to true and exit
except Exception, e:
if not options.longrun:
class ChopCore(Thread):
def __init__(self, options, module_list, chp, chophelper):
Thread.__init__(self)
self.options = options
self.module_list = module_list
self.chophelper = chophelper
self.stopped = False
self.complete = False
self.abort = False
global chop
chop = chp
def stop(self):
self.complete = True
self.stopped = True
def iscomplete(self):
return self.complete
def getptime(self):
global ptimestamp
return ptimestamp
def getmeta(self):
global metadata
return metadata
def prep_modules(self):
self.chophelper.set_core(self)
modules = self.module_list
for module in modules:
code = module.code
code.chop = self.chophelper.setup_module(code.moduleName)
def run(self):
global chop
#Initialize modules to be run
options = self.options
modules = self.module_list #module_list
module_options = {}
chop.prettyprnt("RED", "Initializing Modules ...")
for module in modules:
name = module.name
arguments = module.arguments #shlex.split(module[1])
code = module.code #module[0]
#Create module_data for all modules
module.module_data = {'args': arguments}
module.streaminfo = {}
chop.prettyprnt("CYAN", "\tInitializing module '" + name + "'")
try:
module_options = code.init(module.module_data)
except Exception, e:
chop.prnt("Error Initializing Module", code.moduleName + ":",
e)
self.complete = True
return
if 'error' in module_options:
chop.prettyprnt(
"GREEN", "\t\t%s init failure: %s" %
(code.moduleName, module_options['error']))
continue
if module.legacy:
if module_options['proto'] == 'tcp':
tcp_modules.append(module)
all_modules.append(module)
module.streaminfo['tcp'] = {}
elif module_options['proto'] == 'ip':
ip_modules.append(module)
all_modules.append(module)
module.streaminfo['ip'] = {}
elif module_options['proto'] == 'udp':
udp_modules.append(module)
all_modules.append(module)
module.streaminfo['udp'] = {}
else:
chop.prnt("Undefined Module Type\n")
self.complete = True
return
else:
all_modules.append(module)
#Proto is an array of dictionaries
if not isinstance(module_options['proto'], list): #Malformed
chop.prnt("%s has malformed proto list" %
module.code.moduleName)
self.complete = True
return
for proto in module_options['proto']:
#Right now (4.0) each dictionary only has one key
#This might change in the future but should be easy
#since it's already a separate dictionary
if type(proto) is not dict:
chop.prnt("%s has malformed proto list" %
module.code.moduleName)
self.complete = True
return
for input in proto.keys():
if input not in module.inputs:
module.inputs[input] = []
if proto[input] != '':
module.inputs[input].append(proto[input])
module.outputs.append(proto[input])
#Initialize the streaminfo array by type
if input != 'any' and input != 'ip':
module.streaminfo[input] = {}
if input == 'tcp':
tcp_modules.append(module)
elif input == 'udp':
udp_modules.append(module)
elif input == 'ip':
ip_modules.append(module)
elif input == 'any': #Special input that catches all non-core types
#Initialize the streaminfo for all parents of the 'any' module
if not len(module.parents):
chop.prettyprnt(
"GREEN",
"WARNING: No Parent for %s to provide data"
% (module.code.moduleName))
else:
for parent in module.parents:
for output in parent.outputs:
module.streaminfo[output] = {}
else: # non-core types, e.g., 'http' or 'dns'
if len(module.parents
): #Make sure parents give it what it wants
for parent in module.parents:
if input not in parent.outputs:
chop.prettyprnt(
"GREEN",
"WARNING: Parent to %s not providing %s data"
% (module.code.moduleName, input))
else:
chop.prettyprnt(
"GREEN",
"WARNING: No Parent for %s providing %s data"
% (module.code.moduleName, input))
if not all_modules:
chop.prnt("No modules")
self.complete = True
return
chop.prettyprnt("RED", "Running Modules ...")
#Actually run the modules
if options['interface']:
nids.param("scan_num_hosts", 0)
nids.param("device", options['interface'])
if options['bpf'] is not None:
nids.param("pcap_filter", options['bpf'])
try:
nids.init()
except Exception, e:
chop.prnt("Error initting on interface: ", e)
self.complete = True
return
nids.chksum_ctl([
('0.0.0.0/0', False),
])
nids.register_tcp(handleTcpStreams)
nids.register_udp(handleUdpDatagrams)
nids.register_ip(handleIpPackets)
while (
True
): #This overall while prevents exceptions from halting the processing of packets
if self.stopped:
break
try:
while not self.stopped:
nids.next()
time.sleep(.001) #XXX is this enough or too much?
except Exception, e:
chop.prnt("Error processing packets", e)
nids.param("filename", options['filename'])
if options['bpf'] is not None:
nids.param("pcap_filter", options['bpf'])
try:
nids.init()
except Exception, e:
self.complete = True
chop.prnt("Error initting: ", e)
return
nids.chksum_ctl([
('0.0.0.0/0', False),
])
nids.register_tcp(handleTcpStreams)
nids.register_udp(handleUdpDatagrams)
nids.register_ip(handleIpPackets)
while (
not self.stopped
): #This overall while prevents exceptions from halting the long running reading
try:
if options[
'longrun']: #long running don't stop until the proces is killed externally
while not self.stopped:
if not nids.next():
if self.abort: #exit if sigabrt if no other data
break
time.sleep(.001)
else:
while not self.stopped and nids.next():
class ChopCore(Thread):
def __init__(self,options, module_list, chp, chophelper):
Thread.__init__(self)
self.options = options
self.module_list = module_list
self.chophelper = chophelper
self.stopped = False
self.complete = False
global chop
chop = chp
def stop(self):
self.complete = True
self.stopped = True
def iscomplete(self):
return self.complete
def getptime(self):
global ptimestamp
return ptimestamp
def getmeta(self):
global metadata
return metadata
def prep_modules(self):
self.chophelper.set_core(self)
modules = self.module_list
for module in modules:
module = module[0]
module.chop = self.chophelper.setup_module(module.moduleName)
def run(self):
global chop
#Initialize modules to be run
options = self.options
modules = self.module_list#module_list
module_options = {}
chop.prettyprnt("RED", "Initializing Modules ...")
for module in modules:
name = module[2]
arguments = shlex.split(module[1])
module = module[0]
#Create module_data for all modules
module.module_data = {'args':arguments}
module.streaminfo = {}
chop.prettyprnt("CYAN", "\tInitializing module '" + name + "'")
try:
module_options = module.init(module.module_data)
except Exception, e:
chop.prnt("Error Initializing Module", module.moduleName + ":", e)
self.complete = True
return
if 'error' in module_options:
chop.prettyprnt("GREEN", "\t\t%s init failure: %s" % (module.moduleName, module_options['error']))
continue
if module_options['proto'] == 'tcp' :
tcp_modules.append(module)
all_modules.append(module)
elif module_options['proto'] == 'ip' :
ip_modules.append(module)
all_modules.append(module)
elif module_options['proto'] == 'udp' :
udp_modules.append(module)
all_modules.append(module)
else:
chop.prnt("Undefined Module Type\n")
self.complete = True
return
if not all_modules:
chop.prnt("No modules")
self.complete = True
return
chop.prettyprnt("RED", "Running Modules ...")
#Actually run the modules
if options['interface']:
nids.param("scan_num_hosts",0)
nids.param("device",options['interface'])
if options['bpf'] is not None:
nids.param("pcap_filter", options['bpf'])
try:
nids.init()
except Exception, e:
chop.prnt("Error initting: ", e)
self.complete = True
return
nids.chksum_ctl([('0.0.0.0/0',False),])
nids.register_tcp(handleTcpStreams)
nids.register_udp(handleUdpDatagrams)
while(True): #This overall while prevents exceptions from halting the processing of packets
if self.stopped:
break
try:
while not self.stopped:
nids.next()
time.sleep(.001) #XXX is this enough or too much?
except Exception, e:
chop.prnt("Error processing packets", e)
configopts['depth'] = 0
del configopts['inspectionmodes'][:]
configopts['invertmatch'] = False
configopts['killtcp'] = False
configopts['livemode'] = False
if args.dumpargs:
dumpargstats(configopts)
try:
nids.chksum_ctl([('0.0.0.0/0', False)])
nids.param('scan_num_hosts', 0)
nids.init()
nids.register_ip(handleip)
nids.register_udp(handleudp)
nids.register_tcp(handletcp)
donorm('NIDS initialized, waiting for events...')
print
try:
nids.run()
except KeyboardInterrupt:
print
dumpmatchstats()
doexit()
except nids.error, nx:
print
doerror('NIDS error: %s' % nx)
if len(sys.argv) < 2:
print_usage()
sys.exit(-1)
input_file = sys.argv[1]
nids.param("filename", input_file)
#nids.param("scan_num_hosts", 0)
nids.chksum_ctl([('0.0.0.0/0', False)])
# Loop forever (network device), or until EOF (pcap file)
# Note that an exception in the callback will break the loop!
try:
nids.init()
nids.register_tcp(handleTcpStream)
nids.register_udp(handleUdpStream)
nids.run()
except nids.error, e:
print "nids/pcap error:", e
except Exception, e:
print "misc. exception (runtime error in user callback?):", e
tcps = _tcp_bag.values()
tcps.sort(None, lambda x: x[0], False)
for tcp in tcps:
if None in tcp:
continue
line = '%.3f\t%.3f\t%d\t%d' % (tcp[0], tcp[1]-tcp[0], tcp[2], tcp[3])
print(line)
def main():
parser = argparse.ArgumentParser(
description='minips.py - A minimal IPS',
version='0.1',
epilog='EXAMPLE: %(prog)s -p test.pcap -r \'shellcode\' \n')
inputparser = parser.add_mutually_exclusive_group(required=True)
inputparser.add_argument('-d',
'--device',
action='store',
dest='device',
help='network device to collect packets from')
inputparser.add_argument('-p',
'--pcap',
action='store',
dest='pcap',
help='pcap file to read packets from')
parser.add_argument('-r',
'--regex',
action='store',
dest='regex',
required=True,
help='regex to match over network data')
parser.add_argument('-i',
'--igncase',
action='store_true',
dest='igncase',
default=False,
help='perform case insensitive regex match')
parser.add_argument('-m',
'--multiline',
action='store_true',
dest='multiline',
default=False,
help='perform multiline regex match')
parser.add_argument('-k',
'--killtcp',
action='store_true',
dest='killtcp',
default=False,
help='terminate matching tcp connections')
parser.add_argument('-b',
'--dispbytes',
action='store',
dest='dispbytes',
required=False,
help='max bytes to display')
args = parser.parse_args()
if args.device:
globs['device'] = args.device
nids.param('device', globs['device'])
if args.pcap:
globs['pcap'] = args.pcap
nids.param('filename', globs['pcap'])
if args.killtcp:
globs['killtcp'] = True
if args.igncase:
globs['regexflags'] |= re.IGNORECASE
if args.multiline:
globs['regexflags'] |= re.MULTILINE
globs['regexflags'] |= re.DOTALL
if args.regex:
globs['regexstr'] = args.regex
globs['regexobj'] = re.compile(globs['regexstr'], globs['regexflags'])
if args.dispbytes:
globs['dispbytes'] = int(args.dispbytes)
nids.init()
nids.register_tcp(tcpcallback)
nids.register_udp(udpcallback)
try:
nids.run()
except nids.error, e:
print "[-] Error: %s" % (e)
configopts['depth'] = 0
del configopts['inspectionmodes'][:]
configopts['invertmatch'] = False
configopts['killtcp'] = False
configopts['livemode'] = False
if args.dumpargs:
dumpargstats(configopts)
try:
nids.chksum_ctl([('0.0.0.0/0', False)])
nids.param('scan_num_hosts', 0)
nids.init()
nids.register_ip(handleip)
nids.register_udp(handleudp)
nids.register_tcp(handletcp)
donorm('NIDS initialized, waiting for events...')
print
try:
nids.run()
except KeyboardInterrupt:
print
dumpmatchstats()
doexit()
except nids.error, nx:
print
doerror('NIDS error: %s' % nx)
