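def run(self, f):
    """Summarise the flows in pcap file *f* once per configured honeypot.

    Args:
        f: path to a pcap capture, compressed or not; check_pcap_file()
           turns it into a readable path, possibly a temporary copy.

    Returns:
        None.  Results are written to stdout via honeysnap.output.outputSTDOUT().

    Raises:
        Whatever check_pcap_file(), pcap.pcap() or the Summarize object
        raise; the temporary copy is removed even in that case.
    """
    max_seconds = self.options['seconds']
    min_bytes = self.options['bytes']

    def keep_interesting(flows):
        # Flow records are (start, end, count, bytes) tuples -- the layout the
        # `start, end, count, bytes = v` unpacking elsewhere in this file fixes.
        # Keep the short flows that still moved more than the byte threshold.
        return dict((k, v) for k, v in flows.items()
                    if v[1] - v[0] < max_seconds and v[3] > min_bytes)

    # check_pcap_file hands back a readable path plus whether that path is a
    # temporary we own and have to delete afterwards.
    tmpf, deletetmp = check_pcap_file(f)
    try:
        # everything goes to stdout
        out = honeysnap.output.outputSTDOUT()
        # One pass per honeypot IP keeps each summary separate; sorting the
        # flows by honeypot after a single pass would be cheaper but is not
        # what this script does.
        for hp in self.options['honeypots']:
            p = pcap.pcap(tmpf)
            # Summarize turns the packets into per-flow records
            s = honeysnap.packetSummary.Summarize(p, verbose=1)
            # BPF expression restricting this pass to one honeypot.  hp comes
            # straight from the options; a malformed value presumably fails
            # inside setFilter (libpcap compile error) rather than matching
            # nothing -- confirm against Summarize.setFilter.
            filt = 'host %s' % hp
            # NOTE(review): `file` is the builtin type, not the capture path;
            # `f` or `tmpf` was probably meant -- check the second parameter
            # of Summarize.setFilter before changing it.
            s.setFilter(filt, file)
            s.setOutput(out)
            s.start()
            # Replace Summarize's flow tables with the filtered subsets so its
            # own writeResults() prints only the flows we care about.
            s.tcpports = keep_interesting(s.tcpports)
            s.udpports = keep_interesting(s.udpports)
            s.writeResults(limit=0)
    finally:
        # The unlink used to run only on the success path, so any exception
        # above leaked the decompressed copy on disk.
        if deletetmp:
            os.unlink(tmpf)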
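def run(self, f):
    """Print, for every configured honeypot, the flows in pcap file *f* that
    are short but heavy (under ``seconds`` long, over ``bytes`` transferred).

    Args:
        f: pcap capture path; check_pcap_file() decompresses it to a temporary
           file when needed.

    Returns:
        None.  Output goes to stdout through honeysnap.output.outputSTDOUT().

    Raises:
        Errors from check_pcap_file(), pcap.pcap() or Summarize propagate;
        the temporary file is still cleaned up.
    """
    seconds_limit = self.options['seconds']
    bytes_floor = self.options['bytes']

    def select(flows):
        # Record layout (start, end, count, bytes) is the one the
        # `start, end, count, bytes = v` unpacking elsewhere in this file uses.
        chosen = {}
        for key, rec in flows.items():
            if rec[1] - rec[0] < seconds_limit and rec[3] > bytes_floor:
                chosen[key] = rec
        return chosen

    # tmpf is readable; deletetmp says whether it is a temporary we must remove
    tmpf, deletetmp = check_pcap_file(f)
    try:
        out = honeysnap.output.outputSTDOUT()
        # one full pass over the capture per honeypot IP
        for hp in self.options['honeypots']:
            p = pcap.pcap(tmpf)
            # groups packets into per-flow records
            s = honeysnap.packetSummary.Summarize(p, verbose=1)
            # BPF expression scoping the pass to this honeypot; hp is taken
            # verbatim from the options, so a bad value presumably errors out
            # in setFilter -- confirm against Summarize.setFilter.
            filt = 'host %s' % hp
            # NOTE(review): `file` here is the builtin, not a path; `f` or
            # `tmpf` was probably intended -- verify against Summarize.setFilter.
            s.setFilter(filt, file)
            s.setOutput(out)
            s.start()
            # narrow Summarize's own tables so writeResults() prints only our hits
            s.tcpports = select(s.tcpports)
            s.udpports = select(s.udpports)
            s.writeResults(limit=0)
    finally:
        # previously only reached on success, leaking the temp copy on error
        if deletetmp:
            os.unlink(tmpf)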
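def run(self, f):
    """Report, per configured honeypot, the flows in pcap file *f* that cross
    the duration / byte / packet thresholds.

    Args:
        f: pcap capture path; check_pcap_file() decompresses it to a temporary
           file when needed.

    Options read from self.options: ``join`` (any threshold suffices instead
    of all), ``filter`` (extra BPF expression or None), ``honeypots``,
    ``seconds``, ``bytes``, ``packets``.

    Returns:
        None.  Output goes to stdout through honeysnap.output.outputSTDOUT().

    Raises:
        Errors from check_pcap_file(), pcap.pcap() or Summarize propagate;
        the temporary file is still removed.
    """
    opts = self.options
    if opts["join"]:
        # --or: crossing any single threshold is enough to report the flow
        def meets(over_time, over_bytes, over_packets):
            return over_time or over_bytes or over_packets
    else:
        # default: every threshold has to be crossed
        def meets(over_time, over_bytes, over_packets):
            return over_time and over_bytes and over_packets

    def keep_interesting(flows):
        # flow record layout is (start, end, count, bytes)
        kept = {}
        for key, rec in flows.items():
            start, end, count, nbytes = rec
            if meets(end - start > opts["seconds"],
                     nbytes > opts["bytes"],
                     count > opts["packets"]):
                kept[key] = rec
        return kept

    # tmpf is readable; deletetmp says whether it is a temporary we must remove
    tmpf, deletetmp = check_pcap_file(f)
    try:
        out = honeysnap.output.outputSTDOUT()
        # one full pass over the capture per honeypot IP
        for hp in opts["honeypots"]:
            p = pcap.pcap(tmpf)
            # groups packets into per-flow records
            s = honeysnap.packetSummary.Summarize(p)
            # BPF expression scoping the pass to this honeypot
            filt = "host %s" % hp
            if opts["filter"] is not None:
                # Parenthesised on purpose: BPF gives `and` and `or` equal,
                # left-associative precedence, so an unbracketed user filter
                # such as `port 80 or port 443` used to compile as
                # `(host X and port 80) or port 443` and pull other hosts'
                # flows into this honeypot's summary.
                filt += " and (%s)" % opts["filter"]
            # NOTE(review): `file` here is the builtin, not a path; `f` or
            # `tmpf` was probably intended -- verify against Summarize.setFilter.
            s.setFilter(filt, file)
            s.setOutput(out)
            s.start()
            # narrow Summarize's own tables so writeResults() prints only our hits
            s.tcpports = keep_interesting(s.tcpports)
            s.udpports = keep_interesting(s.udpports)
            s.writeResults(limit=0)
    finally:
        # previously only reached on success, leaking the temp copy on error
        if deletetmp:
            os.unlink(tmpf)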
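def run(self, f):
    """Summarise, per configured honeypot, the flows in pcap file *f* that
    exceed the duration, byte and packet thresholds (any one of them when
    the ``join`` option is set).

    Args:
        f: path to a pcap capture, compressed or not; check_pcap_file()
           provides a readable path, possibly a temporary copy.

    Returns:
        None.  Results are written to stdout via honeysnap.output.outputSTDOUT().

    Raises:
        Whatever check_pcap_file(), pcap.pcap() or Summarize raise; the
        temporary copy is removed even then.
    """
    opts = self.options
    if opts['join']:
        # --or given: one crossed threshold is enough
        def crossed(by_time, by_bytes, by_packets):
            return by_time or by_bytes or by_packets
    else:
        # default: all three thresholds must be crossed
        def crossed(by_time, by_bytes, by_packets):
            return by_time and by_bytes and by_packets

    def select(flows):
        # flow record layout is (start, end, count, bytes)
        chosen = {}
        for key, rec in flows.items():
            start, end, count, nbytes = rec
            duration = end - start
            if crossed(duration > opts['seconds'],
                       nbytes > opts['bytes'],
                       count > opts['packets']):
                chosen[key] = rec
        return chosen

    # check_pcap_file hands back a readable path plus whether that path is a
    # temporary we own and have to delete afterwards.
    tmpf, deletetmp = check_pcap_file(f)
    try:
        out = honeysnap.output.outputSTDOUT()
        # One pass per honeypot IP keeps each summary separate.
        for hp in opts['honeypots']:
            p = pcap.pcap(tmpf)
            # Summarize turns the packets into per-flow records
            s = honeysnap.packetSummary.Summarize(p)
            # BPF expression restricting this pass to one honeypot.
            filt = 'host %s' % hp
            if opts['filter'] is not None:
                # Bracketed deliberately: in BPF `and` and `or` have equal
                # precedence and associate left to right, so an unbracketed
                # `--filter` containing `or` previously escaped the `host`
                # restriction and mixed other hosts' flows into this summary.
                filt += ' and (%s)' % opts['filter']
            # NOTE(review): `file` is the builtin type, not the capture path;
            # `f` or `tmpf` was probably meant -- check the second parameter
            # of Summarize.setFilter before changing it.
            s.setFilter(filt, file)
            s.setOutput(out)
            s.start()
            # Replace Summarize's flow tables with the filtered subsets so its
            # own writeResults() prints only the flows we care about.
            s.tcpports = select(s.tcpports)
            s.udpports = select(s.udpports)
            s.writeResults(limit=0)
    finally:
        # The unlink used to run only on the success path, so any exception
        # above leaked the decompressed copy on disk.
        if deletetmp:
            os.unlink(tmpf)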