First working sensor prototype for DREI (#162)

stamparm · Sep 10, 2019 · a8a4a18 · a8a4a18
1 parent ef8e5f5
commit a8a4a18
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 11 deletions.
diff --git a/core/enums.py b/core/enums.py
@@ -7,12 +7,15 @@
 
 import sys
 
+from thirdparty import six
+
 class _(type):
    def __getattr__(self, attr):
      return attr
 
+@six.add_metaclass(_)
 class TRAIL(object):
-   __metaclass__ = _
+    pass
 
 if sys.version_info >= (3, 0):
     class BLOCK_MARKER:

diff --git a/core/log.py b/core/log.py
@@ -164,7 +164,7 @@ def log_event(event_tuple, packet=None, skip_write=False, skip_condensing=False)
                 event = "%s %s %s\n" % (safe_value(localtime), safe_value(config.SENSOR_NAME), " ".join(safe_value(_) for _ in event_tuple[2:]))
                 if not config.DISABLE_LOCAL_LOG_STORAGE:
                     handle = get_event_log_handle(sec)
-                    os.write(handle, event)
+                    os.write(handle, event.encode(UNICODE_ENCODING))
 
                 if config.LOG_SERVER:
                     if config.LOG_SERVER.count(':') > 1:
@@ -180,14 +180,14 @@ def log_event(event_tuple, packet=None, skip_write=False, skip_condensing=False)
                         _address = (remote_host, int(remote_port))
 
                     s = socket.socket(socket.AF_INET if len(_address) == 2 else socket.AF_INET6, socket.SOCK_DGRAM)
-                    s.sendto("%s %s" % (sec, event), _address)
+                    s.sendto(("%s %s" % (sec, event)).encode(UNICODE_ENCODING), _address)
 
                 if config.SYSLOG_SERVER:
                     extension = "src=%s spt=%s dst=%s dpt=%s trail=%s ref=%s" % (src_ip, src_port, dst_ip, dst_port, trail, reference)
                     _ = CEF_FORMAT.format(syslog_time=time.strftime("%b %d %H:%M:%S", time.localtime(int(sec))), host=HOSTNAME, device_vendor=NAME, device_product="sensor", device_version=VERSION, signature_id=time.strftime("%Y-%m-%d", time.localtime(os.path.getctime(config.TRAILS_FILE))), name=info, severity=0, extension=extension)
                     remote_host, remote_port = config.SYSLOG_SERVER.split(':')
                     s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
-                    s.sendto(_, (remote_host, int(remote_port)))
+                    s.sendto(_.encode(UNICODE_ENCODING), (remote_host, int(remote_port)))
 
                 if config.DISABLE_LOCAL_LOG_STORAGE and not any(config.LOG_SERVER, config.SYSLOG_SERVER) or config.console:
                     sys.stderr.write(event)

diff --git a/core/settings.py b/core/settings.py
@@ -22,7 +22,7 @@
 from thirdparty.six.moves import urllib as _urllib
 
 NAME = "Maltrail"
-VERSION = "0.13.82"
+VERSION = "0.13.83"
 PLATFORM = os.name
 PYVERSION = sys.version.split()[0]
 IS_WIN = PLATFORM == "nt"
@@ -350,7 +350,7 @@ def read_config(config_file):
         else:
             exit("[!] invalid configuration value for 'CAPTURE_BUFFER' ('%s')" % config.CAPTURE_BUFFER)
 
-        config.CAPTURE_BUFFER = config.CAPTURE_BUFFER // (BLOCK_LENGTH * BLOCK_LENGTH)
+        config.CAPTURE_BUFFER = config.CAPTURE_BUFFER // BLOCK_LENGTH * BLOCK_LENGTH
 
     if config.PROXY_ADDRESS:
         PROXIES.update({"http": config.PROXY_ADDRESS, "https": config.PROXY_ADDRESS})

diff --git a/sensor.py b/sensor.py
@@ -570,7 +570,7 @@ def _(value):
 
                         parts = query.split('.')
 
-                        if ord(dns_data[2]) & 0xfe == 0x00:  # standard query (both recursive and non-recursive)
+                        if ord(dns_data[2:3]) & 0xfe == 0x00:  # standard query (both recursive and non-recursive)
                             type_, class_ = struct.unpack("!HH", dns_data[offset + 1:offset + 5])
 
                             if len(parts) > 2:
@@ -615,12 +615,12 @@ def _(value):
                                 _check_domain(query, sec, usec, src_ip, src_port, dst_ip, dst_port, PROTO.UDP, packet)
 
                         elif config.USE_HEURISTICS:
-                            if ord(dns_data[2]) & 0x80:  # standard response
-                                if ord(dns_data[3]) == 0x80:  # recursion available, no error
+                            if ord(dns_data[2:3]) & 0x80:  # standard response
+                                if ord(dns_data[3:4]) == 0x80:  # recursion available, no error
                                     _ = offset + 5
                                     try:
                                         while _ < len(dns_data):
-                                            if ord(dns_data[_]) & 0xc0 != 0 and dns_data[_ + 2] == "\00" and dns_data[_ + 3] == "\x01":  # Type A
+                                            if ord(dns_data[_:_ + 1]) & 0xc0 != 0 and dns_data[_ + 2] == "\00" and dns_data[_ + 3] == "\x01":  # Type A
                                                 break
                                             else:
                                                 _ += 12 + struct.unpack("!H", dns_data[_ + 10: _ + 12])[0]
@@ -639,7 +639,7 @@ def _(value):
                                     except IndexError:
                                         pass
 
-                                elif ord(dns_data[3]) == 0x83:  # recursion available, no such name
+                                elif ord(dns_data[3:4]) == 0x83:  # recursion available, no such name
                                     if '.'.join(parts[-2:]) not in _dns_exhausted_domains and not _check_domain_whitelisted(query) and not _check_domain_member(query, trails):
                                         if parts[-1].isdigit():
                                             return