def showudpmatches(data):
proto = 'UDP'
((src, sport), (dst, dport)) = matchstats['addr']
key = "%s:%s" % (src, sport)
if key not in openudpflows:
key = "%s:%s" % (dst, dport)
if configopts['maxdispbytes'] > 0: maxdispbytes = configopts['maxdispbytes']
else: maxdispbytes = len(data)
filename = '%s/%s-%08d-%s.%s-%s.%s-%s' % (configopts['logdir'], proto, configopts['packetct'], src, sport, dst, dport, matchstats['direction'])
if configopts['writelogs']:
writetofile(filename, data)
if configopts['verbose'] and configopts['verboselevel'] >= 1:
doinfo('[IP#%d.UDP#%d] Wrote %dB to %s/%s-%08d.%s.%s.%s.%s' % (
openudpflows[key]['ipct'],
openudpflows[key]['id'],
matchstats['matchsize'],
configopts['logdir'],
proto,
configopts['packetct'],
src,
sport,
dst,
dport))
if 'quite' in configopts['outmodes']:
if matchstats['regex']:
pattern = getregexpattern(matchstats['regex'])
else:
pattern = None
if configopts['verbose'] and configopts['verboselevel'] >= 1:
doinfo('[IP#%d.UDP#%d] %s:%s %s %s:%s matches \'%s\' @ [%d:%d] - %dB' % (
openudpflows[key]['ipct'],
openudpflows[key]['id'],
src,
sport,
matchstats['directionflag'],
dst,
dport,
pattern,
matchstats['start'],
matchstats['end'],
matchstats['matchsize']))
return
if configopts['maxdisppackets'] != 0 and configopts['disppacketct'] >= configopts['maxdisppackets']:
if configopts['verbose'] and configopts['verboselevel'] >= 1:
doinfo('Skipping outmode parsing { disppacketct: %d == maxdisppackets: %d }' % (
configopts['disppacketct'],
configopts['maxdisppackets']))
return
direction = matchstats['direction']
directionflag = matchstats['directionflag']
if 'meta' in configopts['outmodes']:
if configopts['invertmatch']:
invertstatus = " (invert)"
else:
invertstatus = ""
start = matchstats['start']
end = matchstats['end']
matchsize = matchstats['matchsize']
if matchstats['detectiontype'] == 'regex':
metastr = 'matches regex%s: \'%s\'' % (invertstatus, getregexpattern(matchstats['regex']))
elif matchstats['detectiontype'] == 'shellcode':
metastr = 'contains shellcode [Offset: %d]%s' % (matchstats['shellcodeoffset'], invertstatus)
elif matchstats['detectiontype'] == 'yara':
metastr = 'matches rule: \'%s\' from %s' % (matchstats['yararulename'], matchstats['yararulefilepath'])
else:
metastr = ''
if configopts['verbose'] and configopts['verboselevel'] >= 1:
bpfstr = generate_bpf("UDP", src, sport, directionflag, dst, dport)
doinfo('[IP#%d.UDP#%d] BPF: %s' % (
openudpflows[key]['ipct'],
openudpflows[key]['id'],
bpfstr))
print '[MATCH] (%08d/%08d) [IP#%d.UDP#%d] %s:%s %s %s:%s %s' % (
configopts['inspudppacketct'],
configopts['udpmatches'],
openudpflows[key]['ipct'],
openudpflows[key]['id'],
src,
sport,
directionflag,
dst,
dport,
metastr)
print '[MATCH] (%08d/%08d) [IP#%d.UDP#%d] match @ %s[%d:%d] (%dB)' % (
configopts['inspudppacketct'],
configopts['udpmatches'],
openudpflows[key]['ipct'],
openudpflows[key]['id'],
direction,
start,
end,
matchsize)
if 'print' in configopts['outmodes']:
if configopts['colored']:
if direction == configopts['ctsdirectionstring']:
printable(data[:maxdispbytes], configopts['ctsoutcolor'])
elif direction == configopts['stcdirectionstring']:
printable(data[:maxdispbytes], configopts['stcoutcolor'])
else:
printable(data[:maxdispbytes], None)
if 'raw' in configopts['outmodes']:
if configopts['colored']:
print colored(data[:maxdispbytes])
else:
print data[:maxdispbytes]
if 'hex' in configopts['outmodes']:
if configopts['colored']:
if direction == configopts['ctsdirectionstring']:
hexdump(data[:maxdispbytes], configopts['ctsoutcolor'])
elif direction == configopts['stcdirectionstring']:
hexdump(data[:maxdispbytes], configopts['stcoutcolor'])
else:
hexdump(data[:maxdispbytes], None)
if configopts['asm4shellcode']:
print
if configopts['verbose'] and configopts['verboselevel'] >= 1:
doinfo('[IP#%d.UDP#%d] Generating disassembled output for %dB of detected shellcode' % (
openudpflows[key]['ipct'],
openudpflows[key]['id'],
len(data)))
dumpasm(data)
configopts['dispstreamct'] += 1
if not configopts['colored']:
print
def showtcpmatches(data):
proto = 'TCP'
if configopts['maxdispbytes'] > 0: maxdispbytes = configopts['maxdispbytes']
else: maxdispbytes = len(data)
((src, sport), (dst, dport)) = matchstats['addr']
filename = '%s/%s-%08d-%s.%s-%s.%s-%s' % (configopts['logdir'], proto, opentcpflows[matchstats['addr']]['id'], src, sport, dst, dport, matchstats['direction'])
if configopts['writelogs']:
writetofile(filename, data)
if configopts['verbose'] and configopts['verboselevel'] >= 1:
doinfo('[IP#%d.TCP#%d] Wrote %dB to %s' % (
opentcpflows[matchstats['addr']]['ipct'],
opentcpflows[matchstats['addr']]['id'],
matchstats['matchsize'],
filename))
if 'quite' in configopts['outmodes']:
if matchstats['detectiontype'] == 'regex':
pattern = getregexpattern(matchstats['regex'])
elif matchstats['detectiontype'] == 'fuzzy':
if matchstats['direction'] == 'CTS':
pattern = configopts['ctsfuzzpatterns']
else:
pattern = configopts['stcfuzzpaterns']
else:
pattern = None
if configopts['verbose'] and configopts['verboselevel'] >= 1:
doinfo('[IP#%d.TCP#%d] %s:%s %s %s:%s matches \'%s\' @ [%d:%d] - %dB' % (
opentcpflows[matchstats['addr']]['ipct'],
opentcpflows[matchstats['addr']]['id'],
src,
sport,
matchstats['directionflag'],
dst,
dport,
pattern,
matchstats['start'],
matchstats['end'],
matchstats['matchsize']))
return
if configopts['maxdispstreams'] != 0 and configopts['dispstreamct'] >= configopts['maxdispstreams']:
if configopts['verbose'] and configopts['verboselevel'] >= 1:
doinfo('Skipping outmode parsing { dispstreamct: %d == maxdispstreams: %d }' % (
configopts['dispstreamct'],
configopts['maxdispstreams']))
return
direction = matchstats['direction']
startpacket = 0
endpacket = 0
if 'meta' in configopts['outmodes']:
if configopts['invertmatch']:
invertstatus = " (invert)"
else:
invertstatus = ""
id = opentcpflows[matchstats['addr']]['id']
if matchstats['direction'] == 'CTS':
packetlendict = opentcpflows[matchstats['addr']]['ctspacketlendict']
else:
packetlendict = opentcpflows[matchstats['addr']]['stcpacketlendict']
direction = matchstats['direction']
directionflag = matchstats['directionflag']
start = matchstats['start']
end = matchstats['end']
matchsize = matchstats['matchsize']
totalcount = 0
startpacket = 0
endpacket = 0
if len(packetlendict) == 1:
startpacket = packetlendict.keys()[0]
endpacket = startpacket
else:
for (pktid, pktlen) in collections.OrderedDict(sorted(packetlendict.items())).items():
totalcount += pktlen
if start <= totalcount and startpacket == 0 and pktlen != 0:
startpacket = pktid
if end <= totalcount:
endpacket = pktid
if configopts['verbose'] and configopts['verboselevel'] >= 5:
dodebug('(%06d:%06d) start:%d <= totalcount:%06d | end:%d <= totalcount:%06d ... %s|%-5s\t' % (
pktid, pktlen, start, totalcount, end, totalcount, (start <= totalcount), (end <= totalcount)))
if endpacket != 0:
if configopts['verbose'] and configopts['verboselevel'] >= 5:
dodebug('startpacket: %d - endpacket: %d' % (startpacket, endpacket))
break
if startpacket > endpacket:
startpacket, endpacket = endpacket, startpacket
if matchstats['detectiontype'] == 'regex':
if direction == configopts['ctsdirectionstring']:
regexpattern = configopts['ctsregexes'][matchstats['regex']]['regexpattern']
elif direction == configopts['stcdirectionstring']:
regexpattern = configopts['stcregexes'][matchstats['regex']]['regexpattern']
metastr = 'matches regex%s: \'%s\'' % (invertstatus, regexpattern)
elif matchstats['detectiontype'] == 'fuzzy':
metastr = 'matches \'%s\' %s%s' % (matchstats['fuzzpattern'], matchstats['fuzzmatchdetails'], invertstatus)
elif matchstats['detectiontype'] == 'shellcode':
metastr = 'contains shellcode [Offset: %d]%s' % (matchstats['shellcodeoffset'], invertstatus)
elif matchstats['detectiontype'] == 'yara':
metastr = 'matches rule: \'%s\' from %s' % (matchstats['yararulename'], matchstats['yararulefilepath'])
else:
metastr = ''
if not configopts['linemode']:
packetstats = ' | packet[%d] - packet[%d]' % (startpacket, endpacket)
else:
packetstats = ''
if configopts['verbose'] and configopts['verboselevel'] >= 1:
bpfstr = generate_bpf("TCP", src, sport, directionflag, dst, dport)
doinfo('[IP#%d.TCP#%d] BPF: %s' % (opentcpflows[matchstats['addr']]['ipct'], opentcpflows[matchstats['addr']]['id'], bpfstr))
print '[MATCH] (%08d/%08d) [IP#%d.TCP#%d] %s:%s %s %s:%s %s' % (
configopts['insptcppacketct'],
configopts['tcpmatches'],
opentcpflows[matchstats['addr']]['ipct'],
opentcpflows[matchstats['addr']]['id'],
src,
sport,
directionflag,
dst,
dport,
metastr)
print '[MATCH] (%08d/%08d) [IP#%d.TCP#%d] match @ %s[%d:%d] (%dB%s)' % (
configopts['insptcppacketct'],
configopts['tcpmatches'],
opentcpflows[matchstats['addr']]['ipct'],
opentcpflows[matchstats['addr']]['id'],
direction,
start + configopts['inspoffset'],
end + configopts['inspoffset'],
matchsize,
packetstats)
if 'print' in configopts['outmodes']:
if configopts['colored']:
if direction == configopts['ctsdirectionstring']:
printable(data[:maxdispbytes], configopts['ctsoutcolor'])
elif direction == configopts['stcdirectionstring']:
printable(data[:maxdispbytes], configopts['stcoutcolor'])
else:
printable(data[:maxdispbytes], None)
if 'raw' in configopts['outmodes']:
if configopts['colored']:
print colored(data[:maxdispbytes])
else:
print data[:maxdispbytes]
if 'hex' in configopts['outmodes']:
if configopts['colored']:
if direction == configopts['ctsdirectionstring']:
hexdump(data[:maxdispbytes], configopts['ctsoutcolor'])
elif direction == configopts['stcdirectionstring']:
hexdump(data[:maxdispbytes], configopts['stcoutcolor'])
else:
hexdump(data[:maxdispbytes], None)
if configopts['asm4shellcode']:
print
if configopts['verbose'] and configopts['verboselevel'] >= 1:
doinfo('[IP#%d.TCP#%d] Generating disassembled output for %dB of detected shellcode' % (
opentcpflows[matchstats['addr']]['ipct'],
opentcpflows[matchstats['addr']]['id'],
len(data)))
dumpasm(data)
configopts['dispstreamct'] += 1
if not configopts['colored']:
print
def showudpmatches(data):
proto = 'UDP'
((src, sport), (dst, dport)) = matchstats['addr']
key = "%s:%s" % (src, sport)
if key not in openudpflows:
key = "%s:%s" % (dst, dport)
if configopts['maxdispbytes'] > 0:
maxdispbytes = configopts['maxdispbytes']
else:
maxdispbytes = len(data)
filename = '%s/%s-%08d-%s.%s-%s.%s-%s' % (
configopts['logdir'], proto, configopts['packetct'], src, sport, dst,
dport, matchstats['direction'])
if configopts['writelogs']:
writetofile(filename, data)
if configopts['verbose'] and configopts['verboselevel'] >= 1:
doinfo('[IP#%d.UDP#%d] Wrote %dB to %s/%s-%08d.%s.%s.%s.%s' %
(openudpflows[key]['ipct'], openudpflows[key]['id'],
matchstats['matchsize'], configopts['logdir'], proto,
configopts['packetct'], src, sport, dst, dport))
if 'quite' in configopts['outmodes']:
if matchstats['regex']:
pattern = getregexpattern(matchstats['regex'])
else:
pattern = None
if configopts['verbose'] and configopts['verboselevel'] >= 1:
doinfo(
'[IP#%d.UDP#%d] %s:%s %s %s:%s matches \'%s\' @ [%d:%d] - %dB'
% (openudpflows[key]['ipct'], openudpflows[key]['id'], src,
sport, matchstats['directionflag'], dst, dport, pattern,
matchstats['start'], matchstats['end'],
matchstats['matchsize']))
return
if configopts['maxdisppackets'] != 0 and configopts[
'disppacketct'] >= configopts['maxdisppackets']:
if configopts['verbose'] and configopts['verboselevel'] >= 1:
doinfo(
'Skipping outmode parsing { disppacketct: %d == maxdisppackets: %d }'
% (configopts['disppacketct'], configopts['maxdisppackets']))
return
direction = matchstats['direction']
directionflag = matchstats['directionflag']
if 'meta' in configopts['outmodes']:
if configopts['invertmatch']:
invertstatus = " (invert)"
else:
invertstatus = ""
start = matchstats['start']
end = matchstats['end']
matchsize = matchstats['matchsize']
if matchstats['detectiontype'] == 'regex':
metastr = 'matches regex%s: \'%s\'' % (
invertstatus, getregexpattern(matchstats['regex']))
elif matchstats['detectiontype'] == 'shellcode':
metastr = 'contains shellcode [Offset: %d]%s' % (
matchstats['shellcodeoffset'], invertstatus)
elif matchstats['detectiontype'] == 'yara':
metastr = 'matches rule: \'%s\' from %s' % (
matchstats['yararulename'], matchstats['yararulefilepath'])
else:
metastr = ''
if configopts['verbose'] and configopts['verboselevel'] >= 1:
bpfstr = generate_bpf("UDP", src, sport, directionflag, dst, dport)
doinfo(
'[IP#%d.UDP#%d] BPF: %s' %
(openudpflows[key]['ipct'], openudpflows[key]['id'], bpfstr))
print '[MATCH] (%08d/%08d) [IP#%d.UDP#%d] %s:%s %s %s:%s %s' % (
configopts['inspudppacketct'], configopts['udpmatches'],
openudpflows[key]['ipct'], openudpflows[key]['id'], src, sport,
directionflag, dst, dport, metastr)
print '[MATCH] (%08d/%08d) [IP#%d.UDP#%d] match @ %s[%d:%d] (%dB)' % (
configopts['inspudppacketct'], configopts['udpmatches'],
openudpflows[key]['ipct'], openudpflows[key]['id'], direction,
start, end, matchsize)
if 'print' in configopts['outmodes']:
if configopts['colored']:
if direction == configopts['ctsdirectionstring']:
printable(data[:maxdispbytes], configopts['ctsoutcolor'])
elif direction == configopts['stcdirectionstring']:
printable(data[:maxdispbytes], configopts['stcoutcolor'])
else:
printable(data[:maxdispbytes], None)
if 'raw' in configopts['outmodes']:
if configopts['colored']:
print colored(data[:maxdispbytes])
else:
print data[:maxdispbytes]
if 'hex' in configopts['outmodes']:
if configopts['colored']:
if direction == configopts['ctsdirectionstring']:
hexdump(data[:maxdispbytes], configopts['ctsoutcolor'])
elif direction == configopts['stcdirectionstring']:
hexdump(data[:maxdispbytes], configopts['stcoutcolor'])
else:
hexdump(data[:maxdispbytes], None)
if configopts['asm4shellcode']:
print
if configopts['verbose'] and configopts['verboselevel'] >= 1:
doinfo(
'[IP#%d.UDP#%d] Generating disassembled output for %dB of detected shellcode'
% (openudpflows[key]['ipct'], openudpflows[key]['id'],
len(data)))
dumpasm(data)
configopts['dispstreamct'] += 1
if not configopts['colored']:
print