def getRequestList(self, pcapFilePath, whitelist): self.external = External() outputLines = self.external.runExternal( ["tshark", whitelist, "-r", pcapFilePath])[0].split("\n") result = [] for line in outputLines: match = re.search(self.regex, line.strip()) if match is None: continue tmp = {} tmp["id"] = int(match.group("id").strip()) tmp["time"] = match.group("time").strip() tmp["from"] = match.group("from").strip() tmp["to"] = match.group("to").strip() tmp["protocol"] = match.group("protocol").strip() tmp["port"] = match.group("port").strip() tmp["rest"] = match.group("rest").strip() result.append(tmp) return result
class PcapAnalyzeTaskProcessor(HSN2TaskProcessor): parser = None external = None regex = re.compile( "(?P<id>.*?)\s+(?P<time>.*?)\s+(?P<from>.+?)\s*->\s{1,3}(?P<to>.+?)\s{1,3}(?P<protocol>\w+)\s*(?P<port>\d+)(?P<rest>.*)") ipRegex = re.compile( "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}", re.I) dnsRegex = re.compile('Running as user "root"(.*)') def getPcapFilePath(self): return self.dsAdapter.saveTmp(self.currentTask.job, self.objects[0].pcap_content.getKey()) def getRequestList(self, pcapFilePath, whitelist): self.external = External() outputLines = self.external.runExternal( ["tshark", whitelist, "-r", pcapFilePath])[0].split("\n") result = [] for line in outputLines: match = re.search(self.regex, line.strip()) if match is None: continue tmp = {} tmp["id"] = int(match.group("id").strip()) tmp["time"] = match.group("time").strip() tmp["from"] = match.group("from").strip() tmp["to"] = match.group("to").strip() tmp["protocol"] = match.group("protocol").strip() tmp["port"] = match.group("port").strip() tmp["rest"] = match.group("rest").strip() result.append(tmp) return result def processSaveIp(self, pcapFilePath): outputLines = self.external.runExternal( ["tshark", "-r", pcapFilePath, "-Tfields", "-e", "ip.addr"])[0].split("\n") resultSet = set() for line in outputLines: line = line.strip() if line == "": continue arr = line.split(",") for ip in arr: if re.match(self.ipRegex, ip) is not None: resultSet.add(ip.strip()) resultList = list() for ip in resultSet: resultList.append(ip) ipList = ow.toIpAddressList(resultList) self.objects[0].addBytes("pcap_ip", self.dsAdapter.putBytes( bytes(ipList.SerializeToString()), self.currentTask.job)) def processSaveDns(self, pcapFilePath): outputLines = self.external.runExternal( ["tshark", "dns", "-r", pcapFilePath])[0].split("\n") resultList = list() for line in outputLines: match = re.search(self.regex, line.strip()) if match is None: continue resultList.append(line) dnsList = ow.toDnsList(resultList) self.objects[0].addBytes("pcap_dns", self.dsAdapter.putBytes( bytes(dnsList.SerializeToString()), self.currentTask.job)) def processProtocolFilter(self, pcapFilePath, protocolFilter, protocolFields, protocolUnique): protocolFieldsArray = protocolFields.split(",") def prepare(x): return x.strip() protocolFieldsArray = map(prepare, protocolFieldsArray) tsharkExec = ["tshark", protocolFilter, "-r", pcapFilePath, "-Tfields"] for field in protocolFieldsArray: tsharkExec.append("-e") tsharkExec.append(field) outputLines = self.external.runExternal(tsharkExec)[0].split("\n") if protocolUnique: resultSet = set() for line in outputLines: line = line.strip() if re.match(self.dnsRegex, line) or line == "": continue resultSet.add(line) resultList = list() for elem in resultSet: resultList.append(elem) else: resultList = list() for line in outputLines: line = line.strip() if re.match(self.dnsRegex, line) or line == "": continue resultList.append(line) filterList = ow.toFilterList(resultList) self.objects[0].addBytes("pcap_protocol_%s" % protocolFilter, self.dsAdapter.putBytes( bytes(filterList.SerializeToString()), self.currentTask.job)) def taskProcess(self): logging.debug(self.__class__) logging.debug(self.currentTask) logging.debug(self.objects) if len(self.objects) == 0: raise ObjectStoreException( "Task processing didn't find task object.") if not self.objects[0].isSet("pcap_content"): raise ParamException("pcap_content param is missing.") configObj = Config() configObj.getConfig() whitelist = configObj.getWhiteList() pcapFilePath = self.getPcapFilePath() tsharkResultAll = self.getRequestList(pcapFilePath, "") tsharkResultClean = self.getRequestList(pcapFilePath, whitelist) cleanLen = len(tsharkResultClean) allLen = len(tsharkResultAll) pcapNetworkTrafic = (whitelist != "" and cleanLen < allLen) or ( whitelist == "" and allLen == 0) self.objects[0].addBool("pcap_network_traffic", pcapNetworkTrafic) if configObj.getSaveIp(): self.processSaveIp(pcapFilePath) if configObj.getSaveDns(): self.processSaveDns(pcapFilePath) if configObj.hasProtocolFilter(): self.processProtocolFilter(pcapFilePath, configObj.getProtocolFilter( ), configObj.getProtocolFields(), configObj.getProtocolUnique()) return []