示例#1
0
    def test3(self):
        """ Create a regex for a generic exploit and a IPSet with no matching"""
        def ipset_callback(flow):
            self.called_callback += 1

        ipset = pyaiengine.IPSet()
        ipset.add_ip_address("dc20:c7f:2012:11::22")
        ipset.add_ip_address("dc20:c7f:2012:11::1")
        ipset.callback = ipset_callback
        im = pyaiengine.IPSetManager()

        im.add_ip_set(ipset)
        self.s.tcp_ip_set_manager = im

        rm = pyaiengine.RegexManager()
        r1 = pyaiengine.Regex("generic exploit",
                              "\xaa\xbb\xcc\xdd\x90\x90\x90")
        rm.add_regex(r1)
        r2 = pyaiengine.Regex("other exploit", "(this can not match)")
        rm.add_regex(r2)
        self.s.tcp_regex_manager = rm

        self.dis.open("../pcapfiles/generic_exploit_ipv6_defcon20.pcap")
        self.dis.run()
        self.dis.close()

        self.assertEqual(r1.matchs, 0)
        self.assertEqual(r2.matchs, 0)
        self.assertEqual(self.called_callback, 0)
示例#2
0
    def test8(self):
        """ Test the functionality of make graphs of regex, for complex detecctions """

        rmbase = pyaiengine.RegexManager()
        rm2 = pyaiengine.RegexManager()
        r1 = pyaiengine.Regex("r1", b"^(No hacker should visit Las Vegas).*$")

        rmbase.add_regex(r1)

        r1.next_regex_manager = rm2

        r2 = pyaiengine.Regex("r2", b"(this can not match)")
        r3 = pyaiengine.Regex("r3", b"^\x90\x90\x90\x90.*$")
        rm2.add_regex(r2)
        rm2.add_regex(r3)

        self.s.tcp_regex_manager = rmbase

        with pyaiengine.PacketDispatcher(
                "../pcapfiles/generic_exploit_ipv6_defcon20.pcap") as pd:
            pd.stack = self.s
            pd.run()

        self.assertEqual(r1.matchs, 1)
        self.assertEqual(r2.matchs, 0)
        self.assertEqual(r3.matchs, 1)
示例#3
0
def loadRegexFromSnort():

    dm_tcp = pyaiengine.RegexManager()
    dm_udp = pyaiengine.RegexManager()

    # Parse the file with the snort rules
    f = open("community.rules","r")

    lines = f.readlines()
    for line in lines:
        if (line.startswith("#")):
            continue

        if (line.startswith("alert tcp")): 
            name,pcre = parseSnortLine(line)
            if (pcre != None):
                try:
                    r = pyaiengine.Regex(name,pcre)
                    r.callback = callback
                    dm_tcp.add_regex(r) 
                except:
                    print("Can not add %s %s" % (name, pcre))

        elif (line.startswith("alert udp")): 
            name,pcre = parseSnortLine(line)
            if (pcre != None):
                try:
                    r = pyaiengine.Regex(name,pcre)
                    r.callback = callback
                    dm_udp.add_regex(r) 
                except:
                    print("Can not add %s %s" % (name, pcre))

    f.close()
    return dm_tcp, dm_udp
示例#4
0
    def test21(self):
        """ Tests the parameters of the callbacks """
        def callback1(flow):
            pass

        def callback2(flow, other):
            pass

        def callback3():
            pass

        r = pyaiengine.Regex("netbios", "CACACACA")

        try:
            r.callback = None
            self.assertTrue(False)
        except:
            self.assertTrue(True)

        try:
            r.callback = callback2
            self.assertTrue(False)
        except:
            self.assertTrue(True)

        try:
            r.callback = callback1
            self.assertTrue(True)
        except:
            self.assertTrue(False)
示例#5
0
    def test11(self):
        """ Verify iterators of the RegexManager """

        rl = [
            pyaiengine.Regex("expression %d" % x, "some regex %d" % x)
            for x in xrange(0, 5)
        ]

        rm = pyaiengine.RegexManager()

        [rm.add_regex(r) for r in rl]

        self.assertEqual(self.s.tcp_regex_manager, None)

        self.s.tcp_regex_manager = rm
        self.s.enable_nids_engine = True

        self.dis.open("../pcapfiles/sslflow.pcap")
        self.dis.run()
        self.dis.close()

        self.assertEqual(len(rm), 5)

        self.assertEqual(rm, self.s.tcp_regex_manager)
        for r in rl:
            self.assertEqual(r.matchs, 0)
示例#6
0
    def test26(self):
        """ Verify the functionatliy of the RegexManager on the HTTP Protocol for analise
            inside the l7 payload of HTTP """
        def callback_domain(flow):
            self.called_callback += 1
            pass

        def callback_regex(flow):
            self.called_callback += 1
            self.assertEqual(flow.packets, 11)
            self.assertEqual(flow.packets_layer7, 4)

        d = pyaiengine.DomainName("Wired domain", ".wired.com")

        rm = pyaiengine.RegexManager()
        r1 = pyaiengine.Regex("Regex for analysing the content of HTTP",
                              b"^\x1f\x8b\x08\x00\x00\x00\x00.*$")
        r2 = pyaiengine.Regex("Regex for analysing the content of HTTP",
                              b"^.{3}\xcd\x9c\xc0\x0a\x34.*$")
        r3 = pyaiengine.Regex("Regex for analysing the content of HTTP",
                              b"^.*\x44\x75\x57\x0c\x22\x7b\xa7\x6d$")

        r2.next_regex = r3
        r1.next_regex = r2
        rm.add_regex(r1)
        r3.callback = callback_regex
        """ So the flows from wired.com will be analise the regexmanager attached """
        d.regex_manager = rm

        dm = pyaiengine.DomainNameManager()
        d.callback = callback_domain
        dm.add_domain_name(d)

        self.s.set_domain_name_manager(dm, "http")

        with pyaiengine.PacketDispatcher(
                "../pcapfiles/two_http_flows_noending.pcap") as pd:
            pd.stack = self.s
            pd.run()

        self.assertEqual(self.called_callback, 2)
        self.assertEqual(r1.matchs, 1)
        self.assertEqual(r2.matchs, 1)
        self.assertEqual(r3.matchs, 1)
        self.assertEqual(d.matchs, 1)
示例#7
0
def loadSignaturesForTcp():
    """ Load the signatures from source, Snort, Suricata, etc. """

    sm = pyaiengine.RegexManager()

    sig = pyaiengine.Regex("Shellcode Generic Exploit",
                           "\x90\x90\x90\x90\x90\x90\x90\x90\x90")
    """ Sets a specific callback to the signature created """
    sig.callback = callback_drop_packets
    sm.add_regex(sig)

    return sm
示例#8
0
    def test9(self):
        """ Another test for the functionality of make graphs of regex, for complex detecctions """

        rm1 = pyaiengine.RegexManager()
        rm2 = pyaiengine.RegexManager()
        rm3 = pyaiengine.RegexManager()
        r1 = pyaiengine.Regex("r1", b"^(No hacker should visit Las Vegas).*$")

        r1.next_regex_manager = rm2
        rm1.add_regex(r1)

        r2 = pyaiengine.Regex("r2", b"(this can not match)")
        r3 = pyaiengine.Regex("r3", b"^\x90\x90\x90\x90.*$")
        rm2.add_regex(r2)
        rm2.add_regex(r3)

        r3.next_regex_manager = rm3

        r4 = pyaiengine.Regex("r4", b"^Upgrade.*$")
        r5 = pyaiengine.Regex("r5", b"(this can not match)")

        rm3.add_regex(r4)
        rm3.add_regex(r5)

        self.s.tcp_regex_manager = rm1

        oldstack = None

        with pyaiengine.PacketDispatcher(
                "../pcapfiles/generic_exploit_ipv6_defcon20.pcap") as pd:
            pd.stack = self.s
            pd.run()
            oldstack = self.s

        self.assertEqual(self.s, oldstack)

        self.assertEqual(r1.matchs, 1)
        self.assertEqual(r2.matchs, 0)
        self.assertEqual(r3.matchs, 1)
        self.assertEqual(r4.matchs, 1)
示例#9
0
    def test1(self):
        """ Create a regex for a detect the flow on a openflow network """

        rm = pyaiengine.RegexManager()
        r = pyaiengine.Regex("Bin directory", b"^\x26\x01")
        rm.add_regex(r)
        self.s.tcp_regex_manager = rm

        self.dis.open("../pcapfiles/openflow.pcap")
        self.dis.run()
        self.dis.close()

        self.assertEqual(r.matchs, 1)
示例#10
0
    def test2(self):
        """ Test the with statement of the PacketDispatcher """

        rm = pyaiengine.RegexManager()
        r = pyaiengine.Regex("Bin directory", b"^\x26\x01")
        rm.add_regex(r)
        self.s.tcp_regex_manager = rm

        with pyaiengine.PacketDispatcher("../pcapfiles/openflow.pcap") as pd:
            pd.stack = self.s
            pd.run()

        self.assertEqual(r.matchs, 1)
示例#11
0
    def test1(self):
        """ Create a regex for a detect the flow on a virtual network """

        rm = pyaiengine.RegexManager()
        r = pyaiengine.Regex("Bin directory", "^bin$")
        rm.add_regex(r)
        self.s.tcp_regex_manager = rm

        self.dis.open("../pcapfiles/vxlan_ftp.pcap")
        self.dis.run()
        self.dis.close()

        self.assertEqual(r.matchs, 1)
示例#12
0
    def test1(self):
        """ Create a regex for a generic exploit """

        rm = pyaiengine.RegexManager()
        r = pyaiengine.Regex("generic exploit",
                             b"\x90\x90\x90\x90\x90\x90\x90")
        rm.add_regex(r)
        self.s.tcp_regex_manager = rm

        self.dis.open("../pcapfiles/generic_exploit_ipv6_defcon20.pcap")
        self.dis.run()
        self.dis.close()

        self.assertEqual(r.matchs, 1)
示例#13
0
    def test20(self):
        """ Test the chains of regex with RegexManagers """

        rlist = [
            pyaiengine.Regex("expression %d" % x, "some regex %d" % x)
            for x in xrange(0, 5)
        ]

        rmbase = pyaiengine.RegexManager()
        rm1 = pyaiengine.RegexManager()
        rm2 = pyaiengine.RegexManager()
        rm3 = pyaiengine.RegexManager()

        [rmbase.add_regex(r) for r in rlist]

        r1 = pyaiengine.Regex("smtp1", "^AUTH LOGIN")
        r1.next_regex_manager = rm1
        rmbase.add_regex(r1)

        r2 = pyaiengine.Regex("smtp2", "^NO MATCHS")
        r3 = pyaiengine.Regex("smtp3", "^MAIL FROM")

        rm1.add_regex(r2)
        rm1.add_regex(r3)
        r3.next_regex_manager = rm2

        r4 = pyaiengine.Regex("smtp4", "^NO MATCHS")
        r5 = pyaiengine.Regex("smtp5", "^DATA")

        rm2.add_regex(r4)
        rm2.add_regex(r5)
        r5.next_regex_manager = rm3

        r6 = pyaiengine.Regex("smtp6", "^QUIT")
        rm3.add_regex(r6)

        self.s.tcp_regex_manager = rmbase
        self.s.enable_nids_engine = True

        with pyaiengine.PacketDispatcher("../pcapfiles/smtp.pcap") as pd:
            pd.stack = self.s
            pd.run()

        for r in rlist:
            self.assertEqual(r.matchs, 0)

        self.assertEqual(r1.matchs, 1)
        self.assertEqual(r2.matchs, 0)
        self.assertEqual(r3.matchs, 1)
        self.assertEqual(r4.matchs, 0)
        self.assertEqual(r5.matchs, 1)
        self.assertEqual(r6.matchs, 1)
示例#14
0
    def test2(self):
        """ Create a regex for a detect the flow on a virtual network on the GRE side """

        rm = pyaiengine.RegexManager()
        r = pyaiengine.Regex("Bin directory", b"^SSH-2.0.*$")
        rm.add_regex(r)
        self.s.tcp_regex_manager = rm

        self.dis.open("../pcapfiles/gre_ssh.pcap")
        self.dis.run()
        self.dis.close()

        self.assertEqual(r.matchs, 1)

        self.assertEqual(len(self.s.tcp_flow_manager), 1)
        self.assertEqual(len(self.s.udp_flow_manager), 0)
示例#15
0
    def test2(self):
        """ Verify that None is working on the udpregexmanager """
        self.s.link_layer_tag = "vlan"

        rm = pyaiengine.RegexManager()
        r = pyaiengine.Regex("netbios", "CACACACA")
        rm.add_regex(r)
        self.s.udp_regex_manager = rm
        self.s.udp_regex_manager = None

        self.dis.open("../pcapfiles/flow_vlan_netbios.pcap")
        self.dis.run()
        self.dis.close()

        self.assertEqual(r.matchs, 0)
        self.assertEqual(self.s.udp_regex_manager, None)
示例#16
0
    def test1(self):
        """ Create a regex for netbios and detect """
        self.s.link_layer_tag = "vlan"

        rm = pyaiengine.RegexManager()
        r = pyaiengine.Regex("netbios", "CACACACA")
        rm.add_regex(r)
        self.s.udp_regex_manager = rm

        self.dis.open("../pcapfiles/flow_vlan_netbios.pcap")
        self.dis.run()
        self.dis.close()

        self.assertEqual(r.matchs, 1)
        self.assertEqual(self.s.udp_regex_manager, rm)
        self.assertEqual(self.s.link_layer_tag, "vlan")
示例#17
0
def callback_domain(flow):

    d = flow.dnsinfo
    if (d):
        print("Suspicious Domain (%s) from %s" % (d.domainname, flow.srcip))
        print("Add specific regex for OSX_DocksterTrojan")

        reg = pyaiengine.Regex(
            "OSX_DocksterTrojan regex activity",
            "^\xff\xff\xff\xff\xc2\x1f\x96\x9b\x5f\x03\xd3\x3d\x43\xe0\x4f\x8f"
        )

        reg.callback = callback_troyan_activity
        r_mng.add_regex(reg)

        # Something of the references of python are wrong
        # do not remove this call, fix on future.
        st.tcp_regex_manager = r_mng
示例#18
0
    def test31(self):
        """ Verify the functionatliy of the RegexManager on the IPSets """
        def regex_callback(flow):
            r = flow.regex
            i = flow.ip_set
            self.assertEqual(flow.dstip, "95.100.96.10")
            self.assertEqual(r.name, "generic http")
            self.assertEqual(i.name, "Generic set")
            self.called_callback += 1

        def ipset_callback(flow):
            r = flow.regex
            i = flow.ip_set
            self.assertNotEqual(i, None)
            self.assertEqual(i.name, "Generic set")
            self.assertEqual(r, None)
            self.called_callback += 1

        rm = pyaiengine.RegexManager()
        i = pyaiengine.IPSet("Generic set")
        i.add_ip_address("95.100.96.10")
        i.regexmanager = None
        i.callback = ipset_callback
        im = pyaiengine.IPSetManager()

        im.add_ip_set(i)
        self.s.tcp_ip_set_manager = im

        r = pyaiengine.Regex("generic http", "^GET.*HTTP")
        r.callback = regex_callback
        rm.add_regex(r)

        self.s.enable_nids_engine = True

        with pyaiengine.PacketDispatcher(
                "../pcapfiles/two_http_flows_noending.pcap") as pd:
            pd.stack = self.s
            pd.run()

        self.assertEqual(self.called_callback, 1)
        self.assertEqual(i.lookups_in, 1)
        self.assertEqual(r.matchs, 0)
示例#19
0
    def test3(self):
        """ Create a regex for netbios with callback """
        def callback(flow):
            self.called_callback += 1
            self.assertEqual(flow.regex.matchs, 1)
            self.assertEqual(flow.regex.name, "netbios")

        self.s.link_layer_tag = "vlan"

        rm = pyaiengine.RegexManager()
        r = pyaiengine.Regex("netbios", "CACACACA")
        r.callback = callback
        rm.add_regex(r)
        self.s.udp_regex_manager = rm

        self.dis.open("../pcapfiles/flow_vlan_netbios.pcap")
        self.dis.run()
        self.dis.close()

        self.assertEqual(r.matchs, 1)
        self.assertEqual(self.called_callback, 1)
示例#20
0
    def test4(self):
        """ Test the extraction of the tag from the flow when matches """
        def virt_callback(flow):
            if ((flow.have_tag == True) and (flow.tag == 1)):
                self.called_callback += 1

        rm = pyaiengine.RegexManager()
        r = pyaiengine.Regex("Bin directory", b"^bin$")
        r.callback = virt_callback
        rm.add_regex(r)
        self.s.tcp_regex_manager = rm

        self.s.enable_nids_engine = True

        self.dis.open("../pcapfiles/vxlan_ftp.pcap")
        self.dis.run()
        self.dis.close()

        self.assertEqual(r.callback, virt_callback)
        self.assertEqual(r.matchs, 1)
        self.assertEqual(self.called_callback, 1)
示例#21
0
    def test3(self):
        """ Inject two pcapfiles with gre and vxlan traffic and verify regex """

        rm = pyaiengine.RegexManager()
        r = pyaiengine.Regex("SSH activity", b"^SSH-2.0.*$")
        rm.add_regex(r)
        self.s.tcp_regex_manager = rm

        self.s.enable_nids_engine = True

        # The first packet of the pcapfile is from 18 sep 2014
        self.dis.open("../pcapfiles/vxlan_ftp.pcap")
        self.dis.run()
        self.dis.close()
        """ This FlowManagers points to the virtualize layer """
        ft = self.s.tcp_flow_manager
        fu = self.s.udp_flow_manager

        self.assertEqual(ft.flows, 1)
        self.assertEqual(ft.process_flows, 1)
        self.assertEqual(ft.timeout_flows, 0)

        self.assertEqual(r.matchs, 0)
        self.assertEqual(len(self.s.tcp_flow_manager), 1)
        self.assertEqual(len(self.s.udp_flow_manager), 0)

        self.s.flows_timeout = (60 * 60 * 24)

        # The first packet of the pcapfile is from 19 sep 2014
        self.dis.open("../pcapfiles/gre_ssh.pcap")
        self.dis.run()
        self.dis.close()

        self.assertEqual(ft.flows, 2)
        self.assertEqual(ft.process_flows, 2)
        self.assertEqual(ft.timeout_flows, 0)

        self.assertEqual(r.matchs, 1)
        self.assertEqual(len(ft), 2)
        self.assertEqual(len(fu), 0)
示例#22
0
    def test12(self):
        """ Verify the functionatliy of the RegexManager on the HTTP Protocol for analise
            inside the l7 payload of HTTP on IPv6 traffic """
        def callback_domain(flow):
            self.called_callback += 1

        def callback_regex(flow):
            self.called_callback += 1
            self.assertEqual(flow.regex.name,
                             "Regex for analysing the content of HTTP")
            self.assertEqual(flow.http_info.host_name, "media.us.listen.com")

        d = pyaiengine.DomainName("Music domain", ".us.listen.com")

        rm = pyaiengine.RegexManager()
        r1 = pyaiengine.Regex("Regex for analysing the content of HTTP",
                              b"^\x89\x50\x4e\x47\x0d\x0a\x1a\x0a.*$")

        rm.add_regex(r1)
        r1.callback = callback_regex
        """ So the flows from listen.com will be analise the regexmanager attached """
        d.regex_manager = rm

        dm = pyaiengine.DomainNameManager()
        d.callback = callback_domain
        dm.add_domain_name(d)

        self.s.set_domain_name_manager(dm, "HTTPProtocol")

        with pyaiengine.PacketDispatcher(
                "../pcapfiles/http_over_ipv6.pcap") as pd:
            pd.stack = self.s
            pd.run()

        self.assertEqual(self.called_callback, 2)
        self.assertEqual(r1.matchs, 1)
        self.assertEqual(d.matchs, 1)
示例#23
0
        lengths = lengths + len(variable_name)
        i += 1

    if (i > 0):
        average = lengths / i
        """ If the average of the variable names is greater than 50 """
        if (average > 50): 
            print("\033[31m" + "ALERT: CVE-2010-0249 Aurora Attack detected on %s" % str(flow) + "\033[0m")

if __name__ == '__main__':

    st = pyaiengine.StackLan()

    dm = pyaiengine.DomainNameManager()
    rm = pyaiengine.RegexManager()
    r = pyaiengine.Regex("Potential JavaScript execution", b"<script>", payload_callback)
    d = pyaiengine.DomainName("All com traffic", "*")

    rm.add_regex(r)

    d.regex_manager = rm

    dm.add_domain_name(d)

    st.set_domain_name_manager(dm, "HTTPProtocol")

    st.set_dynamic_allocated_memory(True)

    source = "EXPLOIT_metasploit_ie_aurora_exploitWin2k3_EvilFingers.pcap"

    with pyaiengine.PacketDispatcher(source) as pd:
示例#24
0
if __name__ == '__main__':

    # Load an instance of a StackLan
    st = pyaiengine.StackLan()

    sm = pyaiengine.RegexManager()
    """ 
    Heartbeat regex expression
    18 -> Content Type: Heartbeat
        0301, 0302 -> Version: TLS
        xxxx -> Length
        01 - Heartbeat
        xx - heartbeat payload length
    """
    ssl_sig = pyaiengine.Regex("SSL Basic regex", "^\x16\x03")

    sig = pyaiengine.Regex("SSL Heartbeat", "^.*\x18\x03(\x01|\x02|\x03).*$")
    sig.callback = callback_heartbeat

    ssl_sig.next_regex = sig

    sm.add_regex(ssl_sig)

    st.tcp_regex_manager = sm

    st.tcp_flows = 327680
    st.udp_flows = 163840

    st.enable_nids_engine(True)
示例#25
0
    with pyaiengine.PacketDispatcher("unknown_traffic.pcap") as pd:
        pd.stack = st1
        pd.run()
    """ Use the method most suitable for your case """
    freq.add_flows_by_destination_port(st1.tcp_flow_manager)
    freq.compute()

    flow_list = freq.get_reference_flows()
    learn.agregate_flows(flow_list)
    learn.compute()
    """ Get the generated regex """
    r_candidate = learn.regex

    print("Generated Regex:", r_candidate)
    rm = pyaiengine.RegexManager()
    r = pyaiengine.Regex("Unknown attack/traffic", r_candidate)
    r.callback = unknown_callback
    rm.add_regex(r)
    """ We create another clean StackLan """
    st2 = pyaiengine.StackLan()

    st2.tcp_regex_manager = rm
    st2.enable_nids_engine = True

    st2.tcp_flows = 327680
    st2.udp_flows = 163840

    with pyaiengine.PacketDispatcher("eth0") as pd:
        """ Plug a new stack """
        pd.stack = st2
        pd.run()
示例#26
0
                if (len(value) > 64):
                    """ Ummmm a value of an argument bigger than 64 """
                    decode = value.replace("%", "").decode("hex")
                    if (decode.find("Runtime.getRuntime().exec") > -1):
                        """ Somebody is executing remote commands """
                        print("[WARNING]: Jboss exploit detected")
                        print("[WARNING]: argument value:%s" % decode)


if __name__ == '__main__':

    st = pyaiengine.StackLan()

    http_mng = pyaiengine.DomainNameManager()
    dom = pyaiengine.DomainName("My jboss host", "52.90.136.228:8080")
    re = pyaiengine.Regex("Set regex for Jboss uris",
                          "^(/jmx-console/HtmlAdaptor).*")
    rm = pyaiengine.RegexManager()

    rm.add_regex(re)

    http_mng.add_domain_name(dom)
    dom.http_uri_regex_manager = rm

    re.callback = callback_uri
    """ Plug the DomainNameManager on the HTTPProtocol """
    st.set_domain_name_manager(http_mng, "HTTPProtocol")

    st.tcp_flows = 50000
    st.udp_flows = 16380

    with pyaiengine.PacketDispatcher("eth0") as pd:
示例#27
0
import pyaiengine


def callback(flow):

    print("Detected Bitcoinminer on ip:", flow.srcip)


if __name__ == '__main__':

    # Load an instance of a Lan Stack
    st = pyaiengine.StackLan()

    r_mng = pyaiengine.RegexManager()

    reg_head = pyaiengine.Regex("First regex", "mining.subscribe")
    reg_tail = pyaiengine.Regex(
        "Second regex",
        "c4758493e4f9804beeb784b4ff0be019b03678952ea8bb6f5c5365b2b76438a7")

    reg_head.next_regex = reg_tail

    reg_tail.callback = callback
    r_mng.add_regex(reg_head)

    st.tcp_regex_manager = r_mng

    st.tcp_flows = 327680
    st.udp_flows = 163840

    with pyaiengine.PacketDispatcher(
示例#28
0
    def insert(self,key):
        pass

    def remove(self,key):
        pass

def callback_eternalblue(flow):

    print("EternaBlue exploit detected on %s" % str(flow))

if __name__ == '__main__':

    st = pyaiengine.StackLan()

    rm = pyaiengine.RegexManager()
    r = pyaiengine.Regex("Eternalblue exploit", b"^.{5}SMB.{57}[\x0e\x51\x52]\x00.*$", callback_eternalblue)

    """ We want to have the packet logged on the adaptor """
    r.write_packet = True

    rm.add_regex(r)

    st.tcp_regex_manager = rm

    l = loggerAdaptor("tcp_logfile.dat")

    st.set_tcp_database_adaptor(l, 512)

    st.set_dynamic_allocated_memory(True)

    st.enable_nids_engine = True
示例#29
0

def payload_callback(flow):

    print("\033[31m" +
          "ALERT: CVE-2018-7600 Attack detected on %s" % str(flow) + "\033[0m")


if __name__ == '__main__':

    st = pyaiengine.StackLan()

    dm = pyaiengine.DomainNameManager()
    rm1 = pyaiengine.RegexManager()
    rm2 = pyaiengine.RegexManager()
    r1 = pyaiengine.Regex("Potential bad drupal", b"^/user/register",
                          uri_callback)
    r2 = pyaiengine.Regex("Bad drupal", "shell.php", payload_callback)
    d = pyaiengine.DomainName("All HTTP traffic", "*")

    d.http_uri_regex_manager = rm1

    rm2.add_regex(r2)

    r1.next_regex_manager = rm2

    rm1.add_regex(r1)
    dm.add_domain_name(d)

    st.set_domain_name_manager(dm, "HTTPProtocol")

    st.set_dynamic_allocated_memory(True)