示例#1
0
    def httpQuerryHandler(self, pkt):
        # In not an L3 packet, drop it
        if IP not in pkt: return
        ip_dst = pkt[IP].dst
        ip_src = pkt[IP].src

        # Capture only SYN packets
        SYN = 0x02
        if not pkt['TCP'].flags == SYN: return

        # FIXME - Tghe first time tho domain is reached, it is add to DNS tables, beacause of this addition, first request to DNS table can return False if DB is to "slow" to add the DNS entry and commit it
        time.sleep(2)

        # if else condition to determine in wich sense to packet is going (iot->server or server->iot)
        domain = self.db.getDomainFromIp(str(ip_dst))
        if domain:
            ip = str(pkt[Ether].dst)
        else:
            domain = self.db.getDomainFromIp(str(ip_src))
            if not domain:
                # Using ip dst if no domains available to not lose data
                # BEGIN - EXPERIMENTAL REVERSE DNS LOOKUP FEATURE
                #FIXME - experimental feature
                logging.warning("No corresponding domain for " + ip_dst +
                                ", resolving ip ..."
                                )  #("+ip_dst+")")#, using "+ip_dst+" instead")
                now = datetime.datetime.now()
                domain = socket.getfqdn(ip_dst)
                # END - EXPERIMENTAL REVERSE DNS LOOKUP FEATURE
                # logging.debug("Resolved ip "+ ip_dst +" added as " + domain)
                try:
                    # determine if "domain" is a domain or just an ip address
                    socket.inet_aton(domain)
                    domain = "UNRESOLVED(" + ip_dst + ")"
                except OSError:
                    # if exception, domain is domain and not an ip address
                    pass
                # create a new dnsquery object and store it into the db
                dns_querry = httpquery([ip_dst, domain, str(now)])
                self.db.insertOrIgnoreIntoTable("dnsqueries",
                                                dns_querry.toTuple())
            ip = str(pkt[Ether].src)

        now = datetime.datetime.now()
        # create a new httpquery object and store it into the db
        http_querry = httpquery([ip, domain, str(now)])
        if not self.db.insertOrIgnoreIntoTable("httpqueries",
                                               http_querry.toTuple()):
            logging.error("failed inserting HTTP tuple in database")
        else:
            logging.info("new entry in database(HTTP(s)) : " + domain)
示例#2
0
 def getMaliciousDomainsFromMacAfterX(self, mac, limit_time):
     sql = "SELECT * from HTTPQueries WHERE mac_iot = XXX AND domain NOT IN (SELECT domain from HTTPQueries WHERE mac_iot = XXX AND datetime < XXX ORDER BY datetime ) ORDER BY datetime"
     sql = sql.replace("XXX", "'" + mac + "'",
                       2).replace("XXX", "'" + str(limit_time) + "'")
     # print(sql)
     malicious_requets = self.execquery(sql, [])
     malicious_http = []
     for mal in malicious_requets:
         malicious_http.append(httpquery(mal))
     return malicious_http
示例#3
0
 def insertFakeHTTPQueriesBeforeFirstActivity(self):
     hosts = self.getAllFromTable('host', 'host', 'hosts')
     for h in hosts:
         fa = datetime.strptime(h.first_activity, "%Y-%m-%d %H:%M:%S.%f")
         d = fa - timedelta(hours=int(os.environ.get("LEARNING_PERIOD")))
         query = httpquery([h.mac, "FAKER.org", str(d)])
         if self.insertOrIgnoreIntoTable('httpqueries',
                                         query.toTuple()) is False:
             return False
     return True
示例#4
0
    def dnsQuerryHandler(self, pkt):
        if IP not in pkt: return
        if not pkt.haslayer(DNS): return
        if not pkt.ancount > 0 and not isinstance(pkt.an, DNSRR): return
        dest = pkt.an.rdata
        domain = str(pkt.getlayer(DNS).qd.qname.decode("utf-8"))
        if domain.endswith('.'):
            domain = domain[:-1]

        try:
            socket.inet_aton(dest)
        except (TypeError, OSError):
            # Not a correct packet
            return
        now = datetime.datetime.now()
        dns_querry = httpquery([dest, domain, str(now)])
        #Add domain only if ipx domain not present in dns querry table, can be changed by using addTable() function
        if self.db.insertOrIgnoreIntoTable("dnsqueries", dns_querry.toTuple()):
            logging.info("new entry in database(DNS) : " + domain)
        else:
            logging.error("failed inserting DNS tuple in database")
示例#5
0
 def getDateTimeFromHttpQueryFromMacByDate(self, mac):
     sql = "SELECT * FROM HTTPQueries WHERE mac_iot = XXX ORDER BY datetime LIMIT 1 "
     tmp = self.execquery(sql, [mac])
     if not tmp:
         return False
     return httpquery(tmp[0]).datetime