def fix_datatype(row):
for key, value in row.items():
try:
if key in ['AnalyzerIPV4', 'SourceIPV4', 'TargetIPV4']:
if value is not None:
row[key] = str(ipaddr.IPv4Address(abs(value)))
elif key in ['AnalyzerIPV6', 'SourceIPV6', 'TargetIPV6']:
if value is not None:
row[key] = str(ipaddr.IPv6Address(ipaddr.Bytes(value)))
elif value is None:
row[key] = 'NULL'
elif type(value) is bytes:
row[key] = unicodedata.normalize('NFKD', value).encode(
'ascii', 'ignore')
elif type(value) is datetime.datetime:
row[key] = value.isoformat()
elif type(value) is uuid.UUID:
row[key] = value.hex
elif 'java class' in str(type(value)):
try:
row[key] = value.toString()
except:
row[key] = value
except Exception as e:
logger.warning(f"value of '{key}' is not valid. Warning: {e}")
return row
def format_ip(self, bytes):
b = ipaddr.Bytes(base64.b64decode(bytes))
if len(b) == 4:
ip = ipaddr.IPv4Address(b)
else:
ip = ipaddr.IPv6Address(b)
return unicode(ip)
def ipv6_link_eth_mcast(dst_ip):
"""Return an Ethernet multicast address from an IPv6 address.
See RFC 2464 section 7.
Args:
dst_ip (ipaddr.IPv6Address): IPv6 address.
Returns:
str: Ethernet multicast address.
"""
mcast_mac_bytes = ipaddr.Bytes('\x33\x33') + dst_ip.packed[-4:]
mcast_mac = ':'.join(['%02X' % ord(x) for x in mcast_mac_bytes])
return mcast_mac
def ipv6_solicited_node_from_ucast(ucast):
"""Return IPv6 solicited node multicast address from IPv6 unicast address.
See RFC 3513 section 2.7.1.
Args:
ucast (ipaddr.IPv6Address): IPv6 unicast address.
Returns:
ipaddr.IPv6Address: IPv6 solicited node multicast address.
"""
link_mcast_prefix = ipaddr.IPv6Network('ff02::1:ff00:0/104')
mcast_bytes = ipaddr.Bytes(link_mcast_prefix.packed[:13] +
ucast.packed[-3:])
link_mcast = ipaddr.IPv6Address(mcast_bytes)
return link_mcast
def FormatPackedIP(packed_ip):
"""Formats packed binary data to a readable ip address.
Args:
packed_ip: The packed binary data to be converted.
Returns:
A readable ip address.
Returns:
bigquery_client.BigqueryInvalidQueryError: If the address is not valid.
"""
packed_ip = ipaddr.Bytes(str(packed_ip))
try:
ip_address = ipaddr.IPv4Address(packed_ip)
return str(ip_address)
except ipaddr.AddressValueError as e:
pass
try:
ip_address = ipaddr.IPv6Address(packed_ip)
return str(ip_address)
except ipaddr.AddressValueError as e:
raise bigquery_client.BigqueryInvalidQueryError(e, None, None, None)
def parse_response(self):
if self.answer.type == dpkt.dns.DNS_A: # DNS_A
try:
ipadd = struct.unpack("!L", self.answer.rdata)[0] # resolved self.ip
dstIP = struct.unpack("!L", self.ip.dst)[0] # Destination self.ip
if self.mode < 2:
print (self.dnsPktCount, '\t', self.dns.id, '\tResponse\t', self.answer.name, '->',
socket.inet_ntoa(self.answer.rdata), '\t', self.answer.ttl, '\t', self.answer.type, '\t',
socket.inet_ntoa(self.ip.dst), '\t',
str(datetime.datetime.utcfromtimestamp(self.ts).strftime("%H:%M:%S")))
if self.mode > 0:
if self.c_name == "":
self.update_response(self.dns.id, socket.inet_ntoa(self.ip.dst), self.answer.name,
self.answer.type, self.dns.rcode, self.answer.ttl,
socket.inet_ntoa(self.answer.rdata), str(
datetime.datetime.utcfromtimestamp(self.ts).strftime("%d/%m/%y %H:%M:%S")))
else:
self.update_response(self.dns.id, socket.inet_ntoa(self.ip.dst), self.c_name, self.answer.type,
self.dns.rcode, self.answer.ttl, socket.inet_ntoa(self.answer.rdata), str(
datetime.datetime.utcfromtimestamp(self.ts).strftime("%d/%m/%y %H:%M:%S")))
except:
if self.mode < 3:
print(self.dnsPktCount, '\t', "Unhandled Record Response type : " + str(self.answer.type))
elif self.answer.type == dpkt.dns.DNS_CNAME: # DNS_CNAME
try:
c_name = self.answer.name
if self.mode < 2:
print (self.dnsPktCount, '\t', self.dns.id, '\tResponse\t', self.answer.name, '->',
self.answer.cname, '\t',
self.answer.ttl, '\t', self.answer.type, '\t',
socket.inet_ntoa(self.ip.dst), '\t',
str(datetime.datetime.utcfromtimestamp(self.ts).strftime("%H:%M:%S"))
)
except:
print (self.dnsPktCount, '\t', "Failed")
elif self.answer.type == dpkt.dns.DNS_MX: # DNS_MX
try:
ipadd = struct.unpack("!L", self.answer.rdata)[0] # resolved self.ip
dstIP = struct.unpack("!L", self.ip.dst)[0] # Destination self.ip
if self.mode < 2:
print (self.dnsPktCount, '\t', self.dns.id, '\tResponse\t', self.answer.name, '->',
socket.inet_ntoa(self.answer.rdata), '\t', self.answer.ttl, '\t', self.answer.type, '\t',
socket.inet_ntoa(self.ip.dst), '\t',
str(datetime.datetime.utcfromtimestamp(self.ts).strftime("%H:%M:%S")))
if self.mode > 0:
if self.c_name == "":
self.updateResponse(self.csv_obj, self.dns.id, socket.inet_ntoa(self.ip.dst), self.answer.name,
self.answer.type,
self.dns.rcode, self.answer.ttl, socket.inet_ntoa(self.answer.rdata), str(
datetime.datetime.utcfromtimestamp(self.ts).strftime("%d/%m/%y %H:%M:%S")))
else:
self.updateResponse(self.csv_obj, self.dns.id, socket.inet_ntoa(self.ip.dst), self.cname,
self.answer.type,
self.dns.rcode, self.answer.ttl, socket.inet_ntoa(self.answer.rdata), str(
datetime.datetime.utcfromtimestamp(self.ts).strftime("%d/%m/%y %H:%M:%S")))
except:
if self.mode < 3:
print(self.dnsPktCount, '\t', "Unhandled Record Response type : " + str(self.answer.type))
elif self.answer.type == dpkt.dns.DNS_NS: # DNS_NS
try:
# ipadd = struct.unpack("!L", self.answer.rdata)[0] # resolved self.ip
dstIP = struct.unpack("!L", self.ip.dst)[0] # Destination self.ip
if self.mode < 2:
print (self.dnsPktCount, '\t', self.dns.id, '\tResponse\t', self.answer.name, '->',
self.answer.nsname, '\t', self.answer.ttl, '\t', self.answer.type, '\t',
socket.inet_ntoa(self.ip.dst), '\t',
str(datetime.datetime.utcfromtimestamp(self.ts).strftime("%H:%M:%S")))
if self.mode > 0:
if self.c_name == "":
if self.answer.rlen == 4:
self.update_response(self.dns.id, socket.inet_ntoa(self.ip.dst), self.answer.name,
self.answer.type,
self.dns.rcode, self.answer.ttl, socket.inet_ntoa(self.answer.rdata), str(
datetime.datetime.utcfromtimestamp(self.ts).strftime("%d/%m/%y %H:%M:%S")))
else:
# Ignore NS Records for TLD as they are not returning any IP and causing Exception in inet_itoa
if self.answer.rlen == 4:
self.update_response(self.dns.id, socket.inet_ntoa(self.ip.dst), self.c_name, self.answer.type,
self.dns.rcode, self.answer.ttl, socket.inet_ntoa(self.answer.rdata), str(
datetime.datetime.utcfromtimestamp(self.ts).strftime("%d/%m/%y %H:%M:%S")))
except:
if self.mode < 3:
print(self.dnsPktCount, '\t', "Unhandled Record Response type : " + str(self.answer.type))
elif self.answer.type == dpkt.dns.DNS_AAAA: # DNS_AAAA
try:
# dstIP = struct.unpack("!L", self.ip.dst)[0] # Destination self.ip
if self.mode < 2:
print(self.dnsPktCount, '\t', self.dns.id, '\tResponse\t', self.answer.name, '->',
str(ipaddr.IPv6Address(ipaddr.Bytes(self.answer.rdata))), '\t', self.answer.ttl, '\t',
self.answer.type, '\t',
socket.inet_ntoa(self.ip.dst), '\t',
str(datetime.datetime.utcfromtimestamp(self.ts).strftime(" %H:%M:%S")))
except:
print (self.dnsPktCount, '\t', self.dns.id, '\tResponse\t', "Failed Parsing DNS_AAAA ")
# DNSSEC Unhandled , txt records ,SRV records,PTR
elif self.answer.type == 12 or self.answer.type == 43 or self.answer.type == 46 or self.answer.type == 48 or \
self.answer.type == 16 or self.answer.type == 33 or self.answer.type == 6 or self.answer.type == 13:
if self.mode < 2:
print(self.dnsPktCount, '\t', self.dns.id, '\tResponse\t DNS SEC :Unhandled type ', self.answer.type)
else:
if self.mode < 3:
print(self.dnsPktCount, '\t', "Unhandled Record Response type : " + str(self.answer.type))
def solicited_node_multicast_address(ipv6_address):
ipv6_b = in6_getnsma(inet_pton(socket.AF_INET6, ipv6_address))
return ipaddr.IPv6Address(ipaddr.Bytes(ipv6_b)).__str__()
def ipv6_link_mcast_from_ucast(ucast):
link_mcast_prefix = ipaddr.IPv6Network('ff02::1:ff00:0/104')
mcast_bytes = ipaddr.Bytes(
link_mcast_prefix.packed[:13] + ucast.packed[-3:])
link_mcast = ipaddr.IPv6Address(mcast_bytes)
return link_mcast
def ipv6_link_eth_mcast(ucast):
nd_mac_bytes = ipaddr.Bytes('\x33\x33') + ucast.packed[-4:]
nd_mac = ':'.join(['%02X' % ord(x) for x in nd_mac_bytes])
return nd_mac
def __init__(self, data):
self.ipv6 = IPv6Address(ipaddr.Bytes(data[:16]))
self.ipv4 = self.ipv6.ipv4_mapped
self.port = int.from_bytes(data[16:], byteorder='little')
def parse(cls, buffer, length):
data = str(ipaddr.IPAddress(ipaddr.Bytes(buffer.get(length))))
return cls(data)