def httpQuerryHandler(self, pkt):
# In not an L3 packet, drop it
if IP not in pkt: return
ip_dst = pkt[IP].dst
ip_src = pkt[IP].src
# Capture only SYN packets
SYN = 0x02
if not pkt['TCP'].flags == SYN: return
# FIXME - Tghe first time tho domain is reached, it is add to DNS tables, beacause of this addition, first request to DNS table can return False if DB is to "slow" to add the DNS entry and commit it
time.sleep(2)
# if else condition to determine in wich sense to packet is going (iot->server or server->iot)
domain = self.db.getDomainFromIp(str(ip_dst))
if domain:
ip = str(pkt[Ether].dst)
else:
domain = self.db.getDomainFromIp(str(ip_src))
if not domain:
# Using ip dst if no domains available to not lose data
# BEGIN - EXPERIMENTAL REVERSE DNS LOOKUP FEATURE
#FIXME - experimental feature
logging.warning("No corresponding domain for " + ip_dst +
", resolving ip ..."
) #("+ip_dst+")")#, using "+ip_dst+" instead")
now = datetime.datetime.now()
domain = socket.getfqdn(ip_dst)
# END - EXPERIMENTAL REVERSE DNS LOOKUP FEATURE
# logging.debug("Resolved ip "+ ip_dst +" added as " + domain)
try:
# determine if "domain" is a domain or just an ip address
socket.inet_aton(domain)
domain = "UNRESOLVED(" + ip_dst + ")"
except OSError:
# if exception, domain is domain and not an ip address
pass
# create a new dnsquery object and store it into the db
dns_querry = httpquery([ip_dst, domain, str(now)])
self.db.insertOrIgnoreIntoTable("dnsqueries",
dns_querry.toTuple())
ip = str(pkt[Ether].src)
now = datetime.datetime.now()
# create a new httpquery object and store it into the db
http_querry = httpquery([ip, domain, str(now)])
if not self.db.insertOrIgnoreIntoTable("httpqueries",
http_querry.toTuple()):
logging.error("failed inserting HTTP tuple in database")
else:
logging.info("new entry in database(HTTP(s)) : " + domain)
def getMaliciousDomainsFromMacAfterX(self, mac, limit_time):
sql = "SELECT * from HTTPQueries WHERE mac_iot = XXX AND domain NOT IN (SELECT domain from HTTPQueries WHERE mac_iot = XXX AND datetime < XXX ORDER BY datetime ) ORDER BY datetime"
sql = sql.replace("XXX", "'" + mac + "'",
2).replace("XXX", "'" + str(limit_time) + "'")
# print(sql)
malicious_requets = self.execquery(sql, [])
malicious_http = []
for mal in malicious_requets:
malicious_http.append(httpquery(mal))
return malicious_http
def insertFakeHTTPQueriesBeforeFirstActivity(self):
hosts = self.getAllFromTable('host', 'host', 'hosts')
for h in hosts:
fa = datetime.strptime(h.first_activity, "%Y-%m-%d %H:%M:%S.%f")
d = fa - timedelta(hours=int(os.environ.get("LEARNING_PERIOD")))
query = httpquery([h.mac, "FAKER.org", str(d)])
if self.insertOrIgnoreIntoTable('httpqueries',
query.toTuple()) is False:
return False
return True
def dnsQuerryHandler(self, pkt):
if IP not in pkt: return
if not pkt.haslayer(DNS): return
if not pkt.ancount > 0 and not isinstance(pkt.an, DNSRR): return
dest = pkt.an.rdata
domain = str(pkt.getlayer(DNS).qd.qname.decode("utf-8"))
if domain.endswith('.'):
domain = domain[:-1]
try:
socket.inet_aton(dest)
except (TypeError, OSError):
# Not a correct packet
return
now = datetime.datetime.now()
dns_querry = httpquery([dest, domain, str(now)])
#Add domain only if ipx domain not present in dns querry table, can be changed by using addTable() function
if self.db.insertOrIgnoreIntoTable("dnsqueries", dns_querry.toTuple()):
logging.info("new entry in database(DNS) : " + domain)
else:
logging.error("failed inserting DNS tuple in database")
def getDateTimeFromHttpQueryFromMacByDate(self, mac):
sql = "SELECT * FROM HTTPQueries WHERE mac_iot = XXX ORDER BY datetime LIMIT 1 "
tmp = self.execquery(sql, [mac])
if not tmp:
return False
return httpquery(tmp[0]).datetime