

Enabled timestamped output with debug level and function name display
7h3rAm authored and 7h3rAm committed Feb 23, 2014
1 parent 20c7d3f commit 409c162
Showing 9 changed files with 242 additions and 161 deletions.
99 changes: 55 additions & 44 deletions core/functions.py
Expand Up @@ -4,13 +4,17 @@
from tcphandler import handletcp
from udphandler import handleudp
from iphandler import handleip
from utils import printdict, writepackets
from utils import getcurtime, printdict, writepackets, doinfo, dodebug, dowarn, doerror

import sys, re
import sys


def doexit():
print '[+] Session complete. Exiting.'
configopts['endtime'] = getcurtime()
configopts['totalruntime'] = configopts['endtime'] - configopts['starttime']

print
doinfo('Session completed in %s. Exiting.' % (configopts['totalruntime']))

if configopts['udpmatches'] > 0 or configopts['tcpmatches'] > 0: sys.exit(0)
else: sys.exit(1)
Expand All @@ -28,31 +32,32 @@ def dumpmatchstats():
print
writepackets()

print
print '[U] Processed: %d | Matches: %d' % (configopts['inspudppacketct'], configopts['udpmatches']),
if configopts['udpmatches'] > 0:
print '[Shortest: %dB (#%d) | Longest: %dB (#%d)]' % (
configopts['shortestmatch']['packet'],
configopts['shortestmatch']['packetid'],
configopts['longestmatch']['packet'],
configopts['longestmatch']['packetid'])
else:
if configopts['verbose'] and configopts['verboselevel'] >= 3:
print

print '[T] Processed: %d | Matches: %d' % (configopts['insptcpstreamct'], configopts['tcpmatches']),
if configopts['tcpmatches'] > 0:
print '[Shortest: %dB (#%d) | Longest: %dB (#%d)]' % (
configopts['shortestmatch']['stream'],
configopts['shortestmatch']['streamid'],
configopts['longestmatch']['stream'],
configopts['longestmatch']['streamid'])
else:
if 'quite' in configopts['outmodes']:
print

doinfo('UDP Stats: { Processed: %d, Matched: %d } { Shortest: %dB (#%d), Longest: %dB (#%d) }' % (
configopts['inspudppacketct'],
configopts['udpmatches'],
configopts['shortestmatch']['packet'],
configopts['shortestmatch']['packetid'],
configopts['longestmatch']['packet'],
configopts['longestmatch']['packetid']))

doinfo('TCP Stats: { Processed: %d, Matches: %d } { Shortest: %dB (#%d), Longest: %dB (#%d) }' % (
configopts['insptcpstreamct'],
configopts['tcpmatches'],
configopts['shortestmatch']['stream'],
configopts['shortestmatch']['streamid'],
configopts['longestmatch']['stream'],
configopts['longestmatch']['streamid']))


def dumpopenstreams():
if len(openudpflows) > 0:
print '[DEBUG] Dumping open/tracked UDP streams: %d' % (len(openudpflows))
doinfo('Dumping open/tracked UDP streams: %d' % len(openudpflows))

for (key, value) in openudpflows.items():
id = value['id']
Expand All @@ -61,18 +66,19 @@ def dumpopenstreams():
ctsdatasize = value['ctsdatasize']
stcdatasize = value['stcdatasize']
totdatasize = value['totdatasize']
print '[DEBUG] [%08d] %s - %s (CTS: %dB | STC: %dB | TOT: %dB) [matches: %d]' % (
doinfo('[%08d] %s - %s { CTS: %dB, STC: %dB, TOT: %dB } { matches: %d }' % (
id,
key,
keydst,
ctsdatasize,
stcdatasize,
totdatasize,
matches)
matches),
'DEBUG')

if len(opentcpflows) > 0:
print
print '[DEBUG] Dumping open/tracked TCP streams: %d' % (len(opentcpflows))
doinfo('Dumping open/tracked TCP streams: %d' % (len(opentcpflows)))

for (key, value) in opentcpflows.items():
id = value['id']
Expand All @@ -87,100 +93,100 @@ def dumpopenstreams():
stcdatasize += size

totdatasize = ctsdatasize + stcdatasize
print '[DEBUG] [%08d] %s:%s - %s:%s (CTS: %dB | STC: %dB | TOT: %dB)' % (
doinfo('[%08d] %s:%s - %s:%s { CTS: %dB, STC: %dB, TOT: %dB }' % (
id,
src,
sport,
dst,
dport,
ctsdatasize,
stcdatasize,
totdatasize)
totdatasize))


def dumpippacketsdict():
print
print '[DEBUG] Dumping IP packets dictionary: %d' % (len(ippacketsdict.keys()))
doinfo('Dumping IP packets dictionary: %d' % len(ippacketsdict.keys()))
for key in ippacketsdict.keys():
((src, sport), (dst, dport)) = key
print '[DEBUG] [%s#%08d] %s:%s - %s:%s (Packets: %d | Matched: %s)' % (
doinfo('[%s#%08d] %s:%s - %s:%s { Packets: %d, Matched: %s}' % (
ippacketsdict[key]['proto'],
ippacketsdict[key]['id'],
src,
sport,
dst,
dport,
len(ippacketsdict[key].keys()) - configopts['ipmetavars'],
ippacketsdict[key]['matched'])
ippacketsdict[key]['matched']))


def dumpargstats(configopts):
if configopts['pcap']:
print '%-30s' % '[DEBUG] Input pcap:', ; print '[ %s ]' % (configopts['pcap'])
print '%-30s' % 'Input pcap:', ; print '[ %s ]' % (configopts['pcap'])
elif configopts['device']:
print '%-30s' % '[DEBUG] Listening device:', ;print '[ %s ]' % (configopts['device']),
print '%-30s' % 'Listening device:', ;print '[ %s ]' % (configopts['device']),
if configopts['killtcp']: print '[ w/ killtcp ]'
else: print

print '%-30s' % '[DEBUG] Inspection Modes:', ;print '[',
print '%-30s' % 'Inspection Modes:', ;print '[',
for mode in configopts['inspectionmodes']:
if mode == 'regex': print 'regex (%s)' % (configopts['regexengine']),
if mode == 'fuzzy': print 'fuzzy (%s)' % (configopts['fuzzengine']),
if mode == 'shellcode': print 'shellcode (%s) | memory: %dK' % (configopts['shellcodeengine'], configopts['emuprofileoutsize']),
print ']'

if 'regex' in configopts['inspectionmodes']:
print '%-30s' % '[DEBUG] CTS regex:', ; print '[ %d |' % (len(configopts['ctsregexes'])),
print '%-30s' % 'CTS regex:', ; print '[ %d |' % (len(configopts['ctsregexes'])),
for c in configopts['ctsregexes']:
print '%s' % configopts['ctsregexes'][c]['regexpattern'],
print ']'

print '%-30s' % '[DEBUG] STC regex:', ; print '[ %d |' % (len(configopts['stcregexes'])),
print '%-30s' % 'STC regex:', ; print '[ %d |' % (len(configopts['stcregexes'])),
for s in configopts['stcregexes']:
print '%s' % configopts['stcregexes'][s]['regexpattern'],
print ']'

print '%-30s' % '[DEBUG] RE stats:', ; print '[ Flags: %d (' % (configopts['reflags']),
print '%-30s' % 'RE stats:', ; print '[ Flags: %d (' % (configopts['reflags']),
if configopts['igncase']: print 'ignorecase',
if configopts['multiline']: print 'multiline',
print ') ]'

if 'fuzzy' in configopts['inspectionmodes']:
print '%-30s' % '[DEBUG] CTS fuzz patterns:', ; print '[ %d |' % (len(configopts['ctsfuzzpatterns'])),
print '%-30s' % 'CTS fuzz patterns:', ; print '[ %d |' % (len(configopts['ctsfuzzpatterns'])),
for c in configopts['ctsfuzzpatterns']:
print '%s' % (c),
print ']'

print '%-30s' % '[DEBUG] STC fuzz patterns:', ; print '[ %d |' % (len(configopts['stcfuzzpatterns'])),
print '%-30s' % 'STC fuzz patterns:', ; print '[ %d |' % (len(configopts['stcfuzzpatterns'])),
for s in configopts['stcfuzzpatterns']:
print '%s' % (s),
print ']'

if 'yara' in configopts['inspectionmodes']:
print '%-30s' % '[DEBUG] CTS yara rules:', ; print '[ %d |' % (len(configopts['ctsyararules'])),
print '%-30s' % 'CTS yara rules:', ; print '[ %d |' % (len(configopts['ctsyararules'])),
for c in configopts['ctsyararules']:
print '%s' % (c),
print ']'

print '%-30s' % '[DEBUG] STC yara rules:', ; print '[ %d |' % (len(configopts['stcyararules'])),
print '%-30s' % 'STC yara rules:', ; print '[ %d |' % (len(configopts['stcyararules'])),
for s in configopts['stcyararules']:
print '%s' % (s),
print ']'

print '%-30s' % '[DEBUG] Inspection limits:',
print '%-30s' % 'Inspection limits:',
print '[ Streams: %d | Packets: %d | Offset: %d | Depth: %d ]' % (
configopts['maxinspstreams'],
configopts['maxinsppackets'],
configopts['offset'],
configopts['depth'])

print '%-30s' % '[DEBUG] Display limits:',
print '%-30s' % 'Display limits:',
print '[ Streams: %d | Packets: %d | Bytes: %d ]' % (
configopts['maxdispstreams'],
configopts['maxdisppackets'],
configopts['maxdispbytes'])

print '%-30s' % '[DEBUG] Output modes:', ; print '[',
print '%-30s' % 'Output modes:', ; print '[',
if 'quite' in configopts['outmodes']:
print 'quite',
if configopts['writelogs']: print 'write: %s' % (configopts['logdir']),
Expand All @@ -196,7 +202,7 @@ def dumpargstats(configopts):
if configopts['writepcapfast']: print 'pcap: matched' + '%d packets' % (configopts['pcappacketct']),
print ']'

print '%-30s' % '[DEBUG] Misc options:',
print '%-30s' % 'Misc options:',
print '[ BPF: %s | invertmatch: %s | killtcp: %s | verbose: %s (%d) | linemode: %s | multimatch: %s ]' % (
configopts['bpf'],
configopts['invertmatch'],
Expand All @@ -205,4 +211,9 @@ def dumpargstats(configopts):
configopts['verboselevel'],
configopts['linemode'],
configopts['tcpmultimatch'])
print

try:
print
print "Press any key to continue...",
input()
except: pass
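Review bot: The `input()` call added at the end of dumpargstats is Python 2's `eval(raw_input())`, so whatever is typed at the "Press any key to continue..." prompt is evaluated as an expression instead of being discarded; `raw_input()` is the call that matches the prompt's intent. The bare `except: pass` around it also catches KeyboardInterrupt, so Ctrl-C at this prompt no longer stops the run; `except EOFError: pass` keeps the non-interactive/piped case working while letting interrupts through. As a consistency point in the same file, the former `[DEBUG]` dumps in dumpopenstreams and dumpippacketsdict now go through `doinfo` (one of them with an extra `'DEBUG'` argument) even though `dodebug` is imported on the new import line and is what inspector.py uses for the same kind of output — presumably one of the two is intended everywhere. dumpargstats starts outside this hunk.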
2 changes: 2 additions & 0 deletions core/globals.py
Expand Up @@ -47,6 +47,7 @@

'emuprofile': False,
'emuprofileoutsize': 1024,
'endtime': None,

'fuzzengine': None,
'fuzzminthreshold': 75,
Expand Down Expand Up @@ -90,6 +91,7 @@

'shellcodeengine': None,
'shortestmatch': { 'packet': 0, 'packetid': 0, 'stream': 0, 'streamid': 0 },
'starttime': None,
'stcdirectionflag': '<-',
'stcdirectionstring': 'STC',
'stcfuzzpatterns': [],
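Review bot: `'starttime': None` is the new default here, but the new doexit in core/functions.py computes `configopts['endtime'] - configopts['starttime']` unconditionally, so any exit path reached before the start timestamp has been recorded raises TypeError instead of exiting with the intended status code. The place where starttime is assigned is not among the files shown, so this may already be handled; if it is not, a guard before the subtraction such as `if configopts['starttime'] is None: configopts['starttime'] = configopts['endtime']`, or a comment on this line, `# must be set by the entry point before doexit() runs`, would make the contract explicit.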
34 changes: 17 additions & 17 deletions core/inspector.py
Expand Up @@ -6,7 +6,7 @@

import sys, nids
from globals import configopts, opentcpflows, openudpflows, matchstats
from utils import printdict, hexdump
from utils import printdict, hexdump, doinfo, dodebug, dowarn, doerror


def inspect(proto, data, datalen, regexes, fuzzpatterns, yararuleobjects, addrkey, direction, directionflag):
Expand Down Expand Up @@ -38,15 +38,15 @@ def inspect(proto, data, datalen, regexes, fuzzpatterns, yararuleobjects, addrke
addrkey = dkey

if configopts['verbose'] and configopts['verboselevel'] >= 2:
print '[DEBUG] inspect - [%s#%08d] Received %dB for inspection from %s:%s %s %s:%s' % (
dodebug('[%s#%08d] Received %dB for inspection from %s:%s %s %s:%s' % (
proto,
id,
datalen,
src,
sport,
directionflag,
dst,
dport)
dport))

if 'regex' in configopts['inspectionmodes']:
for regex in regexes:
Expand All @@ -64,15 +64,15 @@ def inspect(proto, data, datalen, regexes, fuzzpatterns, yararuleobjects, addrke
matchstats['end'] = matchstats['match'].end()
matchstats['matchsize'] = matchstats['end'] - matchstats['start']
if configopts['verbose'] and configopts['verboselevel'] >= 2:
print '[DEBUG] inspect - [%s#%08d] %s:%s %s %s:%s matches regex: \'%s\'' % (
dodebug('[%s#%08d] %s:%s %s %s:%s matches regex: \'%s\'' % (
proto,
id,
src,
sport,
directionflag,
dst,
dport,
regexpattern)
regexpattern))
return True

if not matchstats['match'] and configopts['invertmatch']:
Expand All @@ -82,15 +82,15 @@ def inspect(proto, data, datalen, regexes, fuzzpatterns, yararuleobjects, addrke
matchstats['end'] = datalen
matchstats['matchsize'] = matchstats['end'] - matchstats['start']
if configopts['verbose'] and configopts['verboselevel'] >= 2:
print '[DEBUG] inspect - [%s#%08d] %s:%s %s %s:%s matches regex (invert): \'%s\'' % (
dodebug('[%s#%08d] %s:%s %s %s:%s matches regex (invert): \'%s\'' % (
proto,
id,
src,
sport,
directionflag,
dst,
dport,
regexpattern)
regexpattern))
return True

if configopts['verbose'] and configopts['verboselevel'] >= 2:
Expand All @@ -99,7 +99,7 @@ def inspect(proto, data, datalen, regexes, fuzzpatterns, yararuleobjects, addrke
else:
invertstatus = ""

print '[DEBUG] inspect - [%s#%08d] %s:%s %s %s:%s did not match regex%s: \'%s\'' % (
dodebug('[%s#%08d] %s:%s %s %s:%s did not match regex%s: \'%s\'' % (
proto,
id,
src,
Expand All @@ -108,7 +108,7 @@ def inspect(proto, data, datalen, regexes, fuzzpatterns, yararuleobjects, addrke
dst,
dport,
invertstatus,
regexpattern)
regexpattern))

if 'fuzzy' in configopts['inspectionmodes']:
for pattern in fuzzpatterns:
Expand All @@ -134,7 +134,7 @@ def inspect(proto, data, datalen, regexes, fuzzpatterns, yararuleobjects, addrke
matchreason = '<'

if configopts['verbose'] and configopts['verboselevel'] >= 2:
print '[DEBUG] inspect - [%s#%08d] %s:%s %s %s:%s %s \'%s\' (ratio: %d %s threshold: %d)' % (
dodebug('[%s#%08d] %s:%s %s %s:%s %s \'%s\' (ratio: %d %s threshold: %d)' % (
proto,
id,
src,
Expand All @@ -146,7 +146,7 @@ def inspect(proto, data, datalen, regexes, fuzzpatterns, yararuleobjects, addrke
pattern,
partialratio,
matchreason,
configopts['fuzzminthreshold'])
configopts['fuzzminthreshold']))

if matched:
matchstats['detectiontype'] = 'fuzzy'
Expand Down Expand Up @@ -196,15 +196,15 @@ def inspect(proto, data, datalen, regexes, fuzzpatterns, yararuleobjects, addrke
matchstats['end'] = datalen
matchstats['matchsize'] = matchstats['end'] - matchstats['start']
if configopts['verbose'] and configopts['verboselevel'] >= 2:
print '[DEBUG] inspect - [%s#%08d] %s:%s %s %s:%s contains shellcode%s' % (
dodebug('[%s#%08d] %s:%s %s %s:%s contains shellcode%s' % (
proto,
id,
src,
sport,
directionflag,
dst,
dport,
invertstatus)
invertstatus))

if configopts['emuprofile'] and not invert:
filename = '%s-%08d-%s.%s-%s.%s-%s.emuprofile' % (
Expand All @@ -219,26 +219,26 @@ def inspect(proto, data, datalen, regexes, fuzzpatterns, yararuleobjects, addrke
data = emulator.emu_profile_output.decode('utf8')

if emulator.emu_profile_truncated and configopts['verbose'] and configopts['verboselevel'] >= 2:
print '[DEBUG] inspect - [%s#%08d] Skipping emulator profile output generation as its truncated' % (proto, id)
dodebug('[%s#%08d] Skipping emulator profile output generation as its truncated' % (proto, id))
else:
fo = open(filename, 'w')
fo.write(data)
fo.close()
if configopts['verbose'] and configopts['verboselevel'] >= 2:
print '[DEBUG] inspect - [%s#%08d] Wrote %d byte emulator profile output to %s' % (proto, id, len(data), filename)
dodebug('[%s#%08d] Wrote %d byte emulator profile output to %s' % (proto, id, len(data), filename))

return True

if configopts['verbose'] and configopts['verboselevel'] >= 2:
print '[DEBUG] inspect - [%s#%08d] %s:%s %s %s:%s doesnot contain shellcode%s' % (
dodebug('[%s#%08d] %s:%s %s %s:%s doesnot contain shellcode%s' % (
proto,
id,
src,
sport,
directionflag,
dst,
dport,
invertstatus)
invertstatus))

if 'yara' in configopts['inspectionmodes']:
for ruleobj in yararuleobjects:
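Review bot: Every new `dodebug(...)` call in inspect stays wrapped in `if configopts['verbose'] and configopts['verboselevel'] >= 2:`, so debug output is gated twice if dodebug also filters on a level, as the commit title suggests. If both thresholds are meant to agree, the guards are redundant and a later change to either one will silently diverge from the other; either drop the call-site guards and let dodebug decide, or add a comment at the first guard, `# dodebug() does not gate on verboselevel; the check stays here`, if that is the actual contract. The call sites also drop the old `inspect - ` prefix, which is fine only if dodebug's function-name display restores it; worth confirming on the console once. inspect's body begins and ends outside these hunks.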
