else:
sport = udp.sport
dport = udp.dport
data = udp.data
except: # Getting TCP metadata
try:
tcp = ip.tcp
if tcp.sport != 53 and tcp.dport != 53:
continue
else:
sport = tcp.sport
dport = tcp.dport
data = tcp.data
continue # haven't added tcp dns support yes, so we'll just continue
except:
continue
break
if nmp: break
meta = [dec2ip(unpack('>I',ip.src)[0]),
sport,
dec2ip(unpack('>I',ip.dst)[0]),
dport,
ip.p,
packet[0][0]
]
in_queue.put([meta,udp.data])
# vim:tabstop=4:expandtab:shiftwidth=4:smarttab:softtabstop=4:autoindent:smartindent cinwords=if,elif,else,for,while,try,except,finally,def,class
res = {'white':False,'hard':False}
if name:
ip, ttl = data.an[i].ip, data.an[i].ttl
if settings['dns_answer'] == 'On':
self.iaq.put([meta,data.an[i].name,ip,'R',ttl])
if not (res['white'] and res['hard']):
# known_domains ip support goes here
if settings['known_domains'] == 'On':
ires = self.blipip(ip)
if not ires['white'] and ires['hard'] and ip not in ips:
ires['msg'] = 'Domain Resolution Contained Blacklisted IP Address'
report = { 'type' :'event','agent' :'known_domains',
'event' :{'agent' :'known_domains','meta':meta, 'res':ires, 'host':dec2ip(unpack('>I',ip)[0])}}
if settings['fusion']: self.out_queue.put(report)
ips[ip] = ''
if settings['known_domains'] == 'On' and name[2] not in doms:
report = { 'type' :'event','agent' :'known_domains',
'event' :{'agent' :'known_domains','meta':meta, 'res':res, 'host':name[2]}}
if settings['fusion']: self.out_queue.put(report)
doms[name[2]] = ''
except: pass
elif data.an[i].type == dns.DNS_CNAME:
# if this is in alias, answer(alias) analysis
try:
name = domaintools.tld_detect(data.an[i].name)
def analyze(self,meta,data): # Analyze the DNS packet, handle distribution to agents.
# Meta = [metadata list format]
# Data is a dpkt.dns object
try:
if data.opcode == dns.DNS_QUERY:
# operation is Query or Query Response
# DNS Query Analysis
if data.qr == dns.DNS_Q:
doms = {}
for i in xrange(len(data.qd)): # for domain in query list
try:
name = domaintools.tld_detect(data.qd[i].name))
if settings['blips'] == 'On':
res = self.blip(name[2])
else:
res = {'white':False,'hard':False}
if name:
if not (res['white'] and res['hard']):
# put [meta,name,'Q'] into derpy.hooves queue ('Q' = query)
if settings['hooves'] == 'On':
self.inq.put([meta,name,'Q'])
# put meta and domain into derpy.dash queue
if settings['dash'] == 'On':
self.icq.put([meta,name])
# Blips support goes here
if settings['blips'] == 'On' and name[2] not in doms:
report = { 'type' :'event','agent' :'blips',
'event' :{'agent' :'blips','meta':meta, 'res':res, 'host':name[2]}}
if settings['rainbow']: self.out_queue.put(report)
doms[name[2]] = ''
except: pass
# DNS Response analysis
elif data.qr == dns.DNS_R:
ips,doms = {},{}
for i in xrange(len(data.an)): # cycle through answers
if data.an[i].cls == dns.DNS_IN:
if data.an[i].type == dns.DNS_A:
# if answers, answer(ip) and ttl analysis
try:
name = domaintools.tld_detect(data.an[i].name)
if settings['blips'] == 'On':
res = self.blip(name[2])
else:
res = {'white':False,'hard':False}
if name:
ip, ttl = data.an[i].ip, data.an[i].ttl
if settings['jack'] == 'On':
self.iaq.put([meta,data.an[i].name,ip,'R',ttl])
if not (res['white'] and res['hard']):
# blips ip support goes here
if settings['blips'] == 'On':
ires = self.blipip(ip)
if not ires['white'] and ires['hard'] and ip not in ips:
ires['msg'] = 'Domain Resolution Contained Blacklisted IP Address'
report = { 'type' :'event','agent' :'blips',
'event' :{'agent' :'blips','meta':meta, 'res':ires, 'host':dec2ip(unpack('>I',ip)[0])}}
if settings['rainbow']: self.out_queue.put(report)
ips[ip] = ''
if settings['blips'] == 'On' and name[2] not in doms:
report = { 'type' :'event','agent' :'blips',
'event' :{'agent' :'blips','meta':meta, 'res':res, 'host':name[2]}}
if settings['rainbow']: self.out_queue.put(report)
doms[name[2]] = ''
except: pass
elif data.an[i].type == dns.DNS_CNAME:
# if this is in alias, answer(alias) analysis
try:
name = domaintools.tld_detect(data.an[i].name)
cname = domaintools.tld_detect(data.an[i].cname)
res = self.blip(cname[2])
if (name and cname) and (data.an[i].name != data.an[i].cname):
if settings['jack'] == 'On':
self.iaq.put([meta,data.an[i].name,data.an[i].cname,'A'])
if res['white'] and res1['hard']:
pass
else:
# [meta,cname,'A'] name analysis ('A'=alias)
if settings['hooves'] == 'On':
self.inq.put([meta,cname,'A'])
except: pass
