def test8(self): """ Test the functionality of make graphs of regex, for complex detecctions """ rmbase = pyaiengine.RegexManager() rm2 = pyaiengine.RegexManager() r1 = pyaiengine.Regex("r1", b"^(No hacker should visit Las Vegas).*$") rmbase.add_regex(r1) r1.next_regex_manager = rm2 r2 = pyaiengine.Regex("r2", b"(this can not match)") r3 = pyaiengine.Regex("r3", b"^\x90\x90\x90\x90.*$") rm2.add_regex(r2) rm2.add_regex(r3) self.s.tcp_regex_manager = rmbase with pyaiengine.PacketDispatcher( "../pcapfiles/generic_exploit_ipv6_defcon20.pcap") as pd: pd.stack = self.s pd.run() self.assertEqual(r1.matchs, 1) self.assertEqual(r2.matchs, 0) self.assertEqual(r3.matchs, 1)
def loadRegexFromSnort(): dm_tcp = pyaiengine.RegexManager() dm_udp = pyaiengine.RegexManager() # Parse the file with the snort rules f = open("community.rules","r") lines = f.readlines() for line in lines: if (line.startswith("#")): continue if (line.startswith("alert tcp")): name,pcre = parseSnortLine(line) if (pcre != None): try: r = pyaiengine.Regex(name,pcre) r.callback = callback dm_tcp.add_regex(r) except: print("Can not add %s %s" % (name, pcre)) elif (line.startswith("alert udp")): name,pcre = parseSnortLine(line) if (pcre != None): try: r = pyaiengine.Regex(name,pcre) r.callback = callback dm_udp.add_regex(r) except: print("Can not add %s %s" % (name, pcre)) f.close() return dm_tcp, dm_udp
def test20(self): """ Test the chains of regex with RegexManagers """ rlist = [ pyaiengine.Regex("expression %d" % x, "some regex %d" % x) for x in xrange(0, 5) ] rmbase = pyaiengine.RegexManager() rm1 = pyaiengine.RegexManager() rm2 = pyaiengine.RegexManager() rm3 = pyaiengine.RegexManager() [rmbase.add_regex(r) for r in rlist] r1 = pyaiengine.Regex("smtp1", "^AUTH LOGIN") r1.next_regex_manager = rm1 rmbase.add_regex(r1) r2 = pyaiengine.Regex("smtp2", "^NO MATCHS") r3 = pyaiengine.Regex("smtp3", "^MAIL FROM") rm1.add_regex(r2) rm1.add_regex(r3) r3.next_regex_manager = rm2 r4 = pyaiengine.Regex("smtp4", "^NO MATCHS") r5 = pyaiengine.Regex("smtp5", "^DATA") rm2.add_regex(r4) rm2.add_regex(r5) r5.next_regex_manager = rm3 r6 = pyaiengine.Regex("smtp6", "^QUIT") rm3.add_regex(r6) self.s.tcp_regex_manager = rmbase self.s.enable_nids_engine = True with pyaiengine.PacketDispatcher("../pcapfiles/smtp.pcap") as pd: pd.stack = self.s pd.run() for r in rlist: self.assertEqual(r.matchs, 0) self.assertEqual(r1.matchs, 1) self.assertEqual(r2.matchs, 0) self.assertEqual(r3.matchs, 1) self.assertEqual(r4.matchs, 0) self.assertEqual(r5.matchs, 1) self.assertEqual(r6.matchs, 1)
def test11(self): """ Verify iterators of the RegexManager """ rl = [ pyaiengine.Regex("expression %d" % x, "some regex %d" % x) for x in xrange(0, 5) ] rm = pyaiengine.RegexManager() [rm.add_regex(r) for r in rl] self.assertEqual(self.s.tcp_regex_manager, None) self.s.tcp_regex_manager = rm self.s.enable_nids_engine = True self.dis.open("../pcapfiles/sslflow.pcap") self.dis.run() self.dis.close() self.assertEqual(len(rm), 5) self.assertEqual(rm, self.s.tcp_regex_manager) for r in rl: self.assertEqual(r.matchs, 0)
def test3(self): """ Create a regex for a generic exploit and a IPSet with no matching""" def ipset_callback(flow): self.called_callback += 1 ipset = pyaiengine.IPSet() ipset.add_ip_address("dc20:c7f:2012:11::22") ipset.add_ip_address("dc20:c7f:2012:11::1") ipset.callback = ipset_callback im = pyaiengine.IPSetManager() im.add_ip_set(ipset) self.s.tcp_ip_set_manager = im rm = pyaiengine.RegexManager() r1 = pyaiengine.Regex("generic exploit", "\xaa\xbb\xcc\xdd\x90\x90\x90") rm.add_regex(r1) r2 = pyaiengine.Regex("other exploit", "(this can not match)") rm.add_regex(r2) self.s.tcp_regex_manager = rm self.dis.open("../pcapfiles/generic_exploit_ipv6_defcon20.pcap") self.dis.run() self.dis.close() self.assertEqual(r1.matchs, 0) self.assertEqual(r2.matchs, 0) self.assertEqual(self.called_callback, 0)
def loadSignaturesForTcp(): """ Load the signatures from source, Snort, Suricata, etc. """ sm = pyaiengine.RegexManager() sig = pyaiengine.Regex("Shellcode Generic Exploit", "\x90\x90\x90\x90\x90\x90\x90\x90\x90") """ Sets a specific callback to the signature created """ sig.callback = callback_drop_packets sm.add_regex(sig) return sm
def test9(self): """ Another test for the functionality of make graphs of regex, for complex detecctions """ rm1 = pyaiengine.RegexManager() rm2 = pyaiengine.RegexManager() rm3 = pyaiengine.RegexManager() r1 = pyaiengine.Regex("r1", b"^(No hacker should visit Las Vegas).*$") r1.next_regex_manager = rm2 rm1.add_regex(r1) r2 = pyaiengine.Regex("r2", b"(this can not match)") r3 = pyaiengine.Regex("r3", b"^\x90\x90\x90\x90.*$") rm2.add_regex(r2) rm2.add_regex(r3) r3.next_regex_manager = rm3 r4 = pyaiengine.Regex("r4", b"^Upgrade.*$") r5 = pyaiengine.Regex("r5", b"(this can not match)") rm3.add_regex(r4) rm3.add_regex(r5) self.s.tcp_regex_manager = rm1 oldstack = None with pyaiengine.PacketDispatcher( "../pcapfiles/generic_exploit_ipv6_defcon20.pcap") as pd: pd.stack = self.s pd.run() oldstack = self.s self.assertEqual(self.s, oldstack) self.assertEqual(r1.matchs, 1) self.assertEqual(r2.matchs, 0) self.assertEqual(r3.matchs, 1) self.assertEqual(r4.matchs, 1)
def test1(self): """ Create a regex for a detect the flow on a openflow network """ rm = pyaiengine.RegexManager() r = pyaiengine.Regex("Bin directory", b"^\x26\x01") rm.add_regex(r) self.s.tcp_regex_manager = rm self.dis.open("../pcapfiles/openflow.pcap") self.dis.run() self.dis.close() self.assertEqual(r.matchs, 1)
def test1(self): """ Create a regex for a detect the flow on a virtual network """ rm = pyaiengine.RegexManager() r = pyaiengine.Regex("Bin directory", "^bin$") rm.add_regex(r) self.s.tcp_regex_manager = rm self.dis.open("../pcapfiles/vxlan_ftp.pcap") self.dis.run() self.dis.close() self.assertEqual(r.matchs, 1)
def test2(self): """ Test the with statement of the PacketDispatcher """ rm = pyaiengine.RegexManager() r = pyaiengine.Regex("Bin directory", b"^\x26\x01") rm.add_regex(r) self.s.tcp_regex_manager = rm with pyaiengine.PacketDispatcher("../pcapfiles/openflow.pcap") as pd: pd.stack = self.s pd.run() self.assertEqual(r.matchs, 1)
def test1(self): """ Create a regex for a generic exploit """ rm = pyaiengine.RegexManager() r = pyaiengine.Regex("generic exploit", b"\x90\x90\x90\x90\x90\x90\x90") rm.add_regex(r) self.s.tcp_regex_manager = rm self.dis.open("../pcapfiles/generic_exploit_ipv6_defcon20.pcap") self.dis.run() self.dis.close() self.assertEqual(r.matchs, 1)
def test1(self): """ Create a regex for netbios and detect """ self.s.link_layer_tag = "vlan" rm = pyaiengine.RegexManager() r = pyaiengine.Regex("netbios", "CACACACA") rm.add_regex(r) self.s.udp_regex_manager = rm self.dis.open("../pcapfiles/flow_vlan_netbios.pcap") self.dis.run() self.dis.close() self.assertEqual(r.matchs, 1) self.assertEqual(self.s.udp_regex_manager, rm) self.assertEqual(self.s.link_layer_tag, "vlan")
def test2(self): """ Verify that None is working on the udpregexmanager """ self.s.link_layer_tag = "vlan" rm = pyaiengine.RegexManager() r = pyaiengine.Regex("netbios", "CACACACA") rm.add_regex(r) self.s.udp_regex_manager = rm self.s.udp_regex_manager = None self.dis.open("../pcapfiles/flow_vlan_netbios.pcap") self.dis.run() self.dis.close() self.assertEqual(r.matchs, 0) self.assertEqual(self.s.udp_regex_manager, None)
def test2(self): """ Create a regex for a detect the flow on a virtual network on the GRE side """ rm = pyaiengine.RegexManager() r = pyaiengine.Regex("Bin directory", b"^SSH-2.0.*$") rm.add_regex(r) self.s.tcp_regex_manager = rm self.dis.open("../pcapfiles/gre_ssh.pcap") self.dis.run() self.dis.close() self.assertEqual(r.matchs, 1) self.assertEqual(len(self.s.tcp_flow_manager), 1) self.assertEqual(len(self.s.udp_flow_manager), 0)
def test26(self): """ Verify the functionatliy of the RegexManager on the HTTP Protocol for analise inside the l7 payload of HTTP """ def callback_domain(flow): self.called_callback += 1 pass def callback_regex(flow): self.called_callback += 1 self.assertEqual(flow.packets, 11) self.assertEqual(flow.packets_layer7, 4) d = pyaiengine.DomainName("Wired domain", ".wired.com") rm = pyaiengine.RegexManager() r1 = pyaiengine.Regex("Regex for analysing the content of HTTP", b"^\x1f\x8b\x08\x00\x00\x00\x00.*$") r2 = pyaiengine.Regex("Regex for analysing the content of HTTP", b"^.{3}\xcd\x9c\xc0\x0a\x34.*$") r3 = pyaiengine.Regex("Regex for analysing the content of HTTP", b"^.*\x44\x75\x57\x0c\x22\x7b\xa7\x6d$") r2.next_regex = r3 r1.next_regex = r2 rm.add_regex(r1) r3.callback = callback_regex """ So the flows from wired.com will be analise the regexmanager attached """ d.regex_manager = rm dm = pyaiengine.DomainNameManager() d.callback = callback_domain dm.add_domain_name(d) self.s.set_domain_name_manager(dm, "http") with pyaiengine.PacketDispatcher( "../pcapfiles/two_http_flows_noending.pcap") as pd: pd.stack = self.s pd.run() self.assertEqual(self.called_callback, 2) self.assertEqual(r1.matchs, 1) self.assertEqual(r2.matchs, 1) self.assertEqual(r3.matchs, 1) self.assertEqual(d.matchs, 1)
def test31(self): """ Verify the functionatliy of the RegexManager on the IPSets """ def regex_callback(flow): r = flow.regex i = flow.ip_set self.assertEqual(flow.dstip, "95.100.96.10") self.assertEqual(r.name, "generic http") self.assertEqual(i.name, "Generic set") self.called_callback += 1 def ipset_callback(flow): r = flow.regex i = flow.ip_set self.assertNotEqual(i, None) self.assertEqual(i.name, "Generic set") self.assertEqual(r, None) self.called_callback += 1 rm = pyaiengine.RegexManager() i = pyaiengine.IPSet("Generic set") i.add_ip_address("95.100.96.10") i.regexmanager = None i.callback = ipset_callback im = pyaiengine.IPSetManager() im.add_ip_set(i) self.s.tcp_ip_set_manager = im r = pyaiengine.Regex("generic http", "^GET.*HTTP") r.callback = regex_callback rm.add_regex(r) self.s.enable_nids_engine = True with pyaiengine.PacketDispatcher( "../pcapfiles/two_http_flows_noending.pcap") as pd: pd.stack = self.s pd.run() self.assertEqual(self.called_callback, 1) self.assertEqual(i.lookups_in, 1) self.assertEqual(r.matchs, 0)
def test3(self): """ Create a regex for netbios with callback """ def callback(flow): self.called_callback += 1 self.assertEqual(flow.regex.matchs, 1) self.assertEqual(flow.regex.name, "netbios") self.s.link_layer_tag = "vlan" rm = pyaiengine.RegexManager() r = pyaiengine.Regex("netbios", "CACACACA") r.callback = callback rm.add_regex(r) self.s.udp_regex_manager = rm self.dis.open("../pcapfiles/flow_vlan_netbios.pcap") self.dis.run() self.dis.close() self.assertEqual(r.matchs, 1) self.assertEqual(self.called_callback, 1)
def test4(self): """ Test the extraction of the tag from the flow when matches """ def virt_callback(flow): if ((flow.have_tag == True) and (flow.tag == 1)): self.called_callback += 1 rm = pyaiengine.RegexManager() r = pyaiengine.Regex("Bin directory", b"^bin$") r.callback = virt_callback rm.add_regex(r) self.s.tcp_regex_manager = rm self.s.enable_nids_engine = True self.dis.open("../pcapfiles/vxlan_ftp.pcap") self.dis.run() self.dis.close() self.assertEqual(r.callback, virt_callback) self.assertEqual(r.matchs, 1) self.assertEqual(self.called_callback, 1)
def test3(self): """ Inject two pcapfiles with gre and vxlan traffic and verify regex """ rm = pyaiengine.RegexManager() r = pyaiengine.Regex("SSH activity", b"^SSH-2.0.*$") rm.add_regex(r) self.s.tcp_regex_manager = rm self.s.enable_nids_engine = True # The first packet of the pcapfile is from 18 sep 2014 self.dis.open("../pcapfiles/vxlan_ftp.pcap") self.dis.run() self.dis.close() """ This FlowManagers points to the virtualize layer """ ft = self.s.tcp_flow_manager fu = self.s.udp_flow_manager self.assertEqual(ft.flows, 1) self.assertEqual(ft.process_flows, 1) self.assertEqual(ft.timeout_flows, 0) self.assertEqual(r.matchs, 0) self.assertEqual(len(self.s.tcp_flow_manager), 1) self.assertEqual(len(self.s.udp_flow_manager), 0) self.s.flows_timeout = (60 * 60 * 24) # The first packet of the pcapfile is from 19 sep 2014 self.dis.open("../pcapfiles/gre_ssh.pcap") self.dis.run() self.dis.close() self.assertEqual(ft.flows, 2) self.assertEqual(ft.process_flows, 2) self.assertEqual(ft.timeout_flows, 0) self.assertEqual(r.matchs, 1) self.assertEqual(len(ft), 2) self.assertEqual(len(fu), 0)
def test12(self): """ Verify the functionatliy of the RegexManager on the HTTP Protocol for analise inside the l7 payload of HTTP on IPv6 traffic """ def callback_domain(flow): self.called_callback += 1 def callback_regex(flow): self.called_callback += 1 self.assertEqual(flow.regex.name, "Regex for analysing the content of HTTP") self.assertEqual(flow.http_info.host_name, "media.us.listen.com") d = pyaiengine.DomainName("Music domain", ".us.listen.com") rm = pyaiengine.RegexManager() r1 = pyaiengine.Regex("Regex for analysing the content of HTTP", b"^\x89\x50\x4e\x47\x0d\x0a\x1a\x0a.*$") rm.add_regex(r1) r1.callback = callback_regex """ So the flows from listen.com will be analise the regexmanager attached """ d.regex_manager = rm dm = pyaiengine.DomainNameManager() d.callback = callback_domain dm.add_domain_name(d) self.s.set_domain_name_manager(dm, "HTTPProtocol") with pyaiengine.PacketDispatcher( "../pcapfiles/http_over_ipv6.pcap") as pd: pd.stack = self.s pd.run() self.assertEqual(self.called_callback, 2) self.assertEqual(r1.matchs, 1) self.assertEqual(d.matchs, 1)
import os sys.path.append("../src/") import pyaiengine def callback(flow): print("Detected Bitcoinminer on ip:", flow.srcip) if __name__ == '__main__': # Load an instance of a Lan Stack st = pyaiengine.StackLan() r_mng = pyaiengine.RegexManager() reg_head = pyaiengine.Regex("First regex", "mining.subscribe") reg_tail = pyaiengine.Regex( "Second regex", "c4758493e4f9804beeb784b4ff0be019b03678952ea8bb6f5c5365b2b76438a7") reg_head.next_regex = reg_tail reg_tail.callback = callback r_mng.add_regex(reg_head) st.tcp_regex_manager = r_mng st.tcp_flows = 327680 st.udp_flows = 163840
# Library General Public License for more details. # # You should have received a copy of the GNU Library General Public # License along with this library; if not, write to the # Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, # Boston, MA 02110-1301, USA. # # Written by Luis Campo Giralte <*****@*****.**> # """ Example of using the pyaiengine """ import pyaiengine import sys st = pyaiengine.StackLan() tcp_rm = pyaiengine.RegexManager() udp_rm = pyaiengine.RegexManager() """ Put here your code for load regexs >>> tcp_rm.add_regex(pyaiengine.Regex("some regex", "\x00\x0a\x0b") >>> tcp_rm.add_regex(pyaiengine.Regex("some regex", "^\x00\x0a.*exe", callback) """ tcp_set = pyaiengine.IPSetManager() udp_set = pyaiengine.IPSetManager() tcp_ipset = pyaiengine.IPSet() udp_ipset = pyaiengine.IPSet() """ Put here your code with your IP lists >>> tcp_ipset.add_ip_address("192.158.1.1") """
def insert(self,key): pass def remove(self,key): pass def callback_eternalblue(flow): print("EternaBlue exploit detected on %s" % str(flow)) if __name__ == '__main__': st = pyaiengine.StackLan() rm = pyaiengine.RegexManager() r = pyaiengine.Regex("Eternalblue exploit", b"^.{5}SMB.{57}[\x0e\x51\x52]\x00.*$", callback_eternalblue) """ We want to have the packet logged on the adaptor """ r.write_packet = True rm.add_regex(r) st.tcp_regex_manager = rm l = loggerAdaptor("tcp_logfile.dat") st.set_tcp_database_adaptor(l, 512) st.set_dynamic_allocated_memory(True)
"WARNING: Possible CVE-2018-7600 Attack detected on %s" % str(flow) + "\033[0m") def payload_callback(flow): print("\033[31m" + "ALERT: CVE-2018-7600 Attack detected on %s" % str(flow) + "\033[0m") if __name__ == '__main__': st = pyaiengine.StackLan() dm = pyaiengine.DomainNameManager() rm1 = pyaiengine.RegexManager() rm2 = pyaiengine.RegexManager() r1 = pyaiengine.Regex("Potential bad drupal", b"^/user/register", uri_callback) r2 = pyaiengine.Regex("Bad drupal", "shell.php", payload_callback) d = pyaiengine.DomainName("All HTTP traffic", "*") d.http_uri_regex_manager = rm1 rm2.add_regex(r2) r1.next_regex_manager = rm2 rm1.add_regex(r1) dm.add_domain_name(d)