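def test_is_encrypted(self):
    """The stream carrying a TLS handshake must be reported as encrypted.

    Reassembles ``self.pcap``, picks the pair indexed by
    ``self.stream_with_ssl_handshake`` and reads ``is_encrypted`` from its
    stream status.
    """
    print('------------------- test_is_encrypted -------------------')
    reassembler = Session_Reassembler(self.pcap)
    pairs = reassembler.get_session_pairs()
    pair = pairs[self.stream_with_ssl_handshake]
    stream_status = pair.get_stream_status()
    is_encrypted = stream_status.ssl_status.is_encrypted
    # assertEqual: assertEquals is a deprecated alias (removed in Python 3.12).
    self.assertEqual(is_encrypted, Is_Encrypted_Enum.YES)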
def test_ssl_svr_ccs_is_seen(self):
    """The handshake stream must record the server's ChangeCipherSpec.

    White-box test: runs the pair's server-side handshake analysis directly
    and inspects the private ``_ssl_status`` it populates.
    """
    print('------------------- test_ssl_svr_ccs_is_seen -------------------')
    pairs = Session_Reassembler(self.pcap).get_session_pairs()
    handshake_pair = pairs[self.stream_with_ssl_handshake]
    handshake_pair._ssl_handshake_server_analysis()
    self.assertTrue(handshake_pair._ssl_status.ssl_svr_ccs)
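def test_ssl_cli_ccs_is_not_seen(self):
    """A stream with no TLS handshake must not record a client ChangeCipherSpec.

    White-box test: runs the pair's client-side handshake analysis directly
    and inspects the private ``_ssl_status`` it populates.
    """
    # Label fixed: the original printed 'test_ssl_cli_hello_is_seen', the name
    # of a different check, which misleads anyone reading the run log.
    print('------------------- test_ssl_cli_ccs_is_not_seen -------------------')
    reassembler = Session_Reassembler(self.pcap)
    pairs = reassembler.get_session_pairs()
    pair = pairs[self.stream_without_ssl_handshake]
    pair._ssl_handshake_client_analysis()
    cli_ccs_is_seen = pair._ssl_status.ssl_cli_ccs
    self.assertFalse(cli_ccs_is_seen)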
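def test_is_not_encrypted(self):
    """A plain-HTTP stream must be reported as not encrypted.

    Reassembles ``self.pcap``, picks the pair indexed by
    ``self.stream_using_http`` and reads ``is_encrypted`` from its stream
    status.
    """
    print('------------------- test_is_not_encrypted -------------------')
    reassembler = Session_Reassembler(self.pcap)
    pairs = reassembler.get_session_pairs()
    pair = pairs[self.stream_using_http]
    stream_status = pair.get_stream_status()
    is_encrypted = stream_status.ssl_status.is_encrypted
    # assertEqual: assertEquals is a deprecated alias (removed in Python 3.12).
    self.assertEqual(is_encrypted, Is_Encrypted_Enum.NO)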
def __init__(self, existing_pcap_filename=None):
    """Build the session reassembler and stream DB for one capture.

    Args:
        existing_pcap_filename: pcap to analyse offline. When None, a
            ``Sniffer`` is created and its own pcap filename is used.

    Note: ``self._sniffer`` is only assigned in the live-capture branch.
    """
    self._existing_pcap_filename = existing_pcap_filename
    if existing_pcap_filename is not None:
        capture_path = existing_pcap_filename
    else:
        self._sniffer = Sniffer()
        capture_path = self._sniffer.get_pcap_filename()
    self._session_reassembler = Session_Reassembler(capture_path)
    self._stream_db = Stream_DB()
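def test_ssl_version_is_correct(self):
    """The handshake stream must report the TLS version recorded in the pcap.

    White-box test: runs the pair's server-side handshake analysis directly
    and reads ``ssl_version`` from the private ``_ssl_status``.
    """
    print('------------------- test_ssl_version_is_correct -------------------')
    version_in_pcap = 'TLS 1.2'
    reassembler = Session_Reassembler(self.pcap)
    pairs = reassembler.get_session_pairs()
    pair = pairs[self.stream_with_ssl_handshake]
    pair._ssl_handshake_server_analysis()
    ssl_version = pair._ssl_status.ssl_version
    # assertEqual: assertEquals is a deprecated alias (removed in Python 3.12).
    self.assertEqual(ssl_version, version_in_pcap)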
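def test_ssl_cipher_is_correct(self):
    """The handshake stream must report the cipher suite negotiated in the pcap.

    White-box test: runs the pair's server-side handshake analysis directly
    and reads ``ssl_cipher`` from the private ``_ssl_status``.
    """
    print('------------------- test_ssl_cipher_is_correct -------------------')
    cipher_in_pcap = 'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256'
    reassembler = Session_Reassembler(self.pcap)
    pairs = reassembler.get_session_pairs()
    pair = pairs[self.stream_with_ssl_handshake]
    pair._ssl_handshake_server_analysis()
    ssl_cipher = pair._ssl_status.ssl_cipher
    # assertEqual: assertEquals is a deprecated alias (removed in Python 3.12).
    self.assertEqual(ssl_cipher, cipher_in_pcap)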
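def test_only_duplicate_ack_removed(self):
    """Given a PacketList with three packets, only the duplicate should be
    removed. The other two should remain.

    Duplicates: a pair of ACK packets (ACK flag set, same SEQ and ACK numbers)
    Other: SYN packet (SYN flag set)
    """
    non_dup = Ether()/IP()/TCP(flags='S', seq=0, ack=0)
    ack1 = Ether()/IP()/TCP(flags='A', seq=1, ack=1)
    ack2 = Ether()/IP()/TCP(flags='A', seq=1, ack=1)
    pkts = PacketList([non_dup, ack1, ack2])
    sr = Session_Reassembler()
    deduped_pkts = sr._remove_duplicate_packets(pkts)
    # assertEqual prints both operands on failure; assertTrue(a == b) only
    # reports "False is not true". Length is checked first so a wrong count
    # fails cleanly instead of as an IndexError on the next line.
    self.assertEqual(len(deduped_pkts), 2)
    self.assertEqual(deduped_pkts[0][TCP].flags, 'S')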
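def test_only_duplicate_synack_removed(self):
    """Given a PacketList with three packets, only the duplicate should be
    removed. The other two should remain.

    Duplicates: a pair of SYN/ACK packets (SYN and ACK flag set, same SEQ and
    ACK numbers)
    Other: ACK packet (ACK flag set)
    """
    synack1 = Ether()/IP()/TCP(flags='SA', seq=0, ack=1)
    synack2 = Ether()/IP()/TCP(flags='SA', seq=0, ack=1)
    non_dup = Ether()/IP()/TCP(flags='A', seq=10, ack=11)
    pkts = PacketList([synack1, synack2, non_dup])
    sr = Session_Reassembler()
    deduped_pkts = sr._remove_duplicate_packets(pkts)
    # assertEqual prints both operands on failure; assertTrue(a == b) only
    # reports "False is not true". Length is checked first so a wrong count
    # fails cleanly instead of as an IndexError on the next line.
    self.assertEqual(len(deduped_pkts), 2)
    self.assertEqual(deduped_pkts[-1][TCP].flags, 'A')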
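def test_only_duplicate_ack_removed(self):
    """Given a PacketList with three packets, only the duplicate should be
    removed. The other two should remain.

    Duplicates: a pair of ACK packets (ACK flag set, same SEQ and ACK numbers)
    Other: SYN packet (SYN flag set)
    """
    non_dup = Ether() / IP() / TCP(flags='S', seq=0, ack=0)
    ack1 = Ether() / IP() / TCP(flags='A', seq=1, ack=1)
    ack2 = Ether() / IP() / TCP(flags='A', seq=1, ack=1)
    pkts = PacketList([non_dup, ack1, ack2])
    sr = Session_Reassembler()
    deduped_pkts = sr._remove_duplicate_packets(pkts)
    # assertEqual prints both operands on failure; assertTrue(a == b) only
    # reports "False is not true". Length is checked first so a wrong count
    # fails cleanly instead of as an IndexError on the next line.
    self.assertEqual(len(deduped_pkts), 2)
    self.assertEqual(deduped_pkts[0][TCP].flags, 'S')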
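def test_only_duplicate_synack_removed(self):
    """Given a PacketList with three packets, only the duplicate should be
    removed. The other two should remain.

    Duplicates: a pair of SYN/ACK packets (SYN and ACK flag set, same SEQ and
    ACK numbers)
    Other: ACK packet (ACK flag set)
    """
    synack1 = Ether() / IP() / TCP(flags='SA', seq=0, ack=1)
    synack2 = Ether() / IP() / TCP(flags='SA', seq=0, ack=1)
    non_dup = Ether() / IP() / TCP(flags='A', seq=10, ack=11)
    pkts = PacketList([synack1, synack2, non_dup])
    sr = Session_Reassembler()
    deduped_pkts = sr._remove_duplicate_packets(pkts)
    # assertEqual prints both operands on failure; assertTrue(a == b) only
    # reports "False is not true". Length is checked first so a wrong count
    # fails cleanly instead of as an IndexError on the next line.
    self.assertEqual(len(deduped_pkts), 2)
    self.assertEqual(deduped_pkts[-1][TCP].flags, 'A')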
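def test_only_duplicate_data_removed(self):
    """Given a PacketList with three packets, only the duplicate should be
    removed. The other two should remain.

    Duplicates: a pair of data packets (PUSH and ACK flags set, same SEQ and
    ACK numbers, same payload)
    Other: SYN packet (SYN flag set)

    The TCP checksum is pinned explicitly on both data packets so the two
    copies are identical field-for-field — presumably so the dedup logic,
    which is not visible here, sees them as the same packet (TODO confirm).
    """
    non_dup = Ether()/IP()/TCP(flags='S', seq=0, ack=0)
    data1 = (Ether()
             / IP()
             / TCP(flags='PA', seq=10, ack=11, chksum=0xccfe)
             / Raw(load='abc'))
    data2 = (Ether()
             / IP()
             / TCP(flags='PA', seq=10, ack=11, chksum=0xccfe)
             / Raw(load='abc'))
    pkts = PacketList([non_dup, data1, data2])
    sr = Session_Reassembler()
    deduped_pkts = sr._remove_duplicate_packets(pkts)
    # assertEqual prints both operands on failure; assertTrue(a == b) only
    # reports "False is not true". Length is checked first so a wrong count
    # fails cleanly instead of as an IndexError on the next line.
    self.assertEqual(len(deduped_pkts), 2)
    self.assertEqual(deduped_pkts[0][TCP].flags, 'S')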
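def test_only_duplicate_data_removed(self):
    """Given a PacketList with three packets, only the duplicate should be
    removed. The other two should remain.

    Duplicates: a pair of data packets (PUSH and ACK flags set, same SEQ and
    ACK numbers, same payload)
    Other: SYN packet (SYN flag set)

    The TCP checksum is pinned explicitly on both data packets so the two
    copies are identical field-for-field — presumably so the dedup logic,
    which is not visible here, sees them as the same packet (TODO confirm).
    """
    non_dup = Ether() / IP() / TCP(flags='S', seq=0, ack=0)
    data1 = (Ether()
             / IP()
             / TCP(flags='PA', seq=10, ack=11, chksum=0xccfe)
             / Raw(load='abc'))
    data2 = (Ether()
             / IP()
             / TCP(flags='PA', seq=10, ack=11, chksum=0xccfe)
             / Raw(load='abc'))
    pkts = PacketList([non_dup, data1, data2])
    sr = Session_Reassembler()
    deduped_pkts = sr._remove_duplicate_packets(pkts)
    # assertEqual prints both operands on failure; assertTrue(a == b) only
    # reports "False is not true". Length is checked first so a wrong count
    # fails cleanly instead of as an IndexError on the next line.
    self.assertEqual(len(deduped_pkts), 2)
    self.assertEqual(deduped_pkts[0][TCP].flags, 'S')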
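class Analyser(object):
    """Entry point for analysing one capture.

    Either sniffs live traffic (no ``existing_pcap_filename``) or reads an
    existing pcap, reassembles it into session pairs and exposes the
    per-stream results, optionally persisted through ``Stream_DB``.
    """

    def __init__(self, existing_pcap_filename=None):
        """Set up the sniffer (live mode only), the reassembler and the DB.

        Args:
            existing_pcap_filename: path of a pcap to analyse offline. When
                None a ``Sniffer`` is created and its pcap filename is used.

        Note: ``self._sniffer`` only exists in live mode, so
        ``start_sniffing``/``stop_sniffing``/``_get_sniffer`` raise
        AttributeError when an existing pcap was given.
        """
        self._existing_pcap_filename = existing_pcap_filename
        if existing_pcap_filename is None:
            self._sniffer = Sniffer()
            pcap_filename = self._sniffer.get_pcap_filename()
        else:
            pcap_filename = existing_pcap_filename
        self._session_reassembler = Session_Reassembler(pcap_filename)
        self._stream_db = Stream_DB()

    def results_no_db(self):
        """Return a ``Stream_Table`` of every pair's stream status, bypassing the DB."""
        statuses = [pair.get_stream_status() for pair in self._get_session_pairs()]
        return Stream_Table(statuses)

    def get_analysis_results(self):
        """Persist all stream statuses and return the stored rows with an FQDN appended.

        The DB is cleared first, so the result reflects only the current
        capture. Each returned row is ``list(db_row) + [fqdn]`` where the FQDN
        is the reverse lookup of the server address at index 1 of the row.
        """
        statuses = [pair.get_stream_status() for pair in self._get_session_pairs()]
        db = self._stream_db
        db.clear_streams()
        db.persist_streams(statuses)
        rows = db.select_all_streams()  # list of row sequences
        return [self._with_fqdn(row, 1) for row in rows]

    def _with_fqdn(self, row, ip_index):
        """Copy *row* into a list and append the reverse-DNS name of ``row[ip_index]``."""
        result = list(row)
        result.append(self._get_fqdn(result[ip_index]))
        return result

    def _get_fqdn(self, ip_addr):
        """Best-effort reverse lookup of *ip_addr*; falls back to the address itself.

        ``socket.gaierror`` is caught alongside ``socket.herror``: it is what an
        unparsable address or an unreachable resolver raises, and previously it
        escaped from the whole results call instead of degrading to the raw
        address.

        The returned name is an unauthenticated PTR answer controlled by whoever
        owns the reverse zone of that address: treat it as display-only data,
        escape it at the presentation layer, and never base a trust decision
        on it.
        """
        try:
            return socket.gethostbyaddr(ip_addr)[0]
        except (socket.herror, socket.gaierror):
            return ip_addr

    def get_connection_details_row(self, conn_id):
        """Return the connection-details row for *conn_id* with its FQDN appended.

        *conn_id* is coerced with ``int()``, so a non-numeric id raises
        ValueError before it reaches the DB layer. The server address is at
        index 2 of the row.
        """
        row = self._stream_db.get_connection_details_row(int(conn_id))
        return self._with_fqdn(row, 2)

    def get_encryption_details_row(self, conn_id):
        """Return the encryption-details row for *conn_id* (``int``-coerced) from the DB."""
        return self._stream_db.get_encryption_details_row(int(conn_id))

    def start_sniffing(self):
        """Start the live sniffer (live mode only; see ``__init__``)."""
        self._sniffer.start()

    def stop_sniffing(self):
        """Stop the live sniffer (live mode only; see ``__init__``)."""
        self._sniffer.stop()

    def _get_sniffer(self):
        """Return the live ``Sniffer`` (AttributeError in offline mode)."""
        return self._sniffer

    def _get_session_pairs(self):
        """Return the reassembler's session pairs (the values of its pair mapping)."""
        return self._session_reassembler.get_session_pairs().values()

    def _get_session_reassembler(self):
        """Return the ``Session_Reassembler`` built in ``__init__``."""
        return self._session_reassembler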
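class Analyser(object):
    """Entry point for analysing one capture.

    Either sniffs live traffic (no ``existing_pcap_filename``) or reads an
    existing pcap, reassembles it into session pairs and exposes the
    per-stream results, optionally persisted through ``Stream_DB``.
    """

    def __init__(self, existing_pcap_filename=None):
        """Set up the sniffer (live mode only), the reassembler and the DB.

        Args:
            existing_pcap_filename: path of a pcap to analyse offline. When
                None a ``Sniffer`` is created and its pcap filename is used.

        Note: ``self._sniffer`` only exists in live mode, so
        ``start_sniffing``/``stop_sniffing``/``_get_sniffer`` raise
        AttributeError when an existing pcap was given.
        """
        self._existing_pcap_filename = existing_pcap_filename
        if existing_pcap_filename is None:
            self._sniffer = Sniffer()
            pcap_filename = self._sniffer.get_pcap_filename()
        else:
            pcap_filename = existing_pcap_filename
        self._session_reassembler = Session_Reassembler(pcap_filename)
        self._stream_db = Stream_DB()

    def results_no_db(self):
        """Return a ``Stream_Table`` of every pair's stream status, bypassing the DB."""
        statuses = [pair.get_stream_status() for pair in self._get_session_pairs()]
        return Stream_Table(statuses)

    def get_analysis_results(self):
        """Persist all stream statuses and return the stored rows with an FQDN appended.

        The DB is cleared first, so the result reflects only the current
        capture. Each returned row is ``list(db_row) + [fqdn]`` where the FQDN
        is the reverse lookup of the server address at index 1 of the row.
        """
        statuses = [pair.get_stream_status() for pair in self._get_session_pairs()]
        db = self._stream_db
        db.clear_streams()
        db.persist_streams(statuses)
        rows = db.select_all_streams()  # list of row sequences
        return [self._with_fqdn(row, 1) for row in rows]

    def _with_fqdn(self, row, ip_index):
        """Copy *row* into a list and append the reverse-DNS name of ``row[ip_index]``."""
        result = list(row)
        result.append(self._get_fqdn(result[ip_index]))
        return result

    def _get_fqdn(self, ip_addr):
        """Best-effort reverse lookup of *ip_addr*; falls back to the address itself.

        ``socket.gaierror`` is caught alongside ``socket.herror``: it is what an
        unparsable address or an unreachable resolver raises, and previously it
        escaped from the whole results call instead of degrading to the raw
        address.

        The returned name is an unauthenticated PTR answer controlled by whoever
        owns the reverse zone of that address: treat it as display-only data,
        escape it at the presentation layer, and never base a trust decision
        on it.
        """
        try:
            return socket.gethostbyaddr(ip_addr)[0]
        except (socket.herror, socket.gaierror):
            return ip_addr

    def get_connection_details_row(self, conn_id):
        """Return the connection-details row for *conn_id* with its FQDN appended.

        *conn_id* is coerced with ``int()``, so a non-numeric id raises
        ValueError before it reaches the DB layer. The server address is at
        index 2 of the row.
        """
        row = self._stream_db.get_connection_details_row(int(conn_id))
        return self._with_fqdn(row, 2)

    def get_encryption_details_row(self, conn_id):
        """Return the encryption-details row for *conn_id* (``int``-coerced) from the DB."""
        return self._stream_db.get_encryption_details_row(int(conn_id))

    def start_sniffing(self):
        """Start the live sniffer (live mode only; see ``__init__``)."""
        self._sniffer.start()

    def stop_sniffing(self):
        """Stop the live sniffer (live mode only; see ``__init__``)."""
        self._sniffer.stop()

    def _get_sniffer(self):
        """Return the live ``Sniffer`` (AttributeError in offline mode)."""
        return self._sniffer

    def _get_session_pairs(self):
        """Return the reassembler's session pairs (the values of its pair mapping)."""
        return self._session_reassembler.get_session_pairs().values()

    def _get_session_reassembler(self):
        """Return the ``Session_Reassembler`` built in ``__init__``."""
        return self._session_reassembler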