Merge pull request #5 from DevoInc/logwrite
Logwrite
stricaud authored Feb 2, 2021
2 parents ecb89c6 + 344b42f commit 089bac6
Showing 27 changed files with 862 additions and 556 deletions.
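--- a/LogWrite.py
+++ b/LogWrite.py
@@ -0,0 +1,113 @@
+#!/usr/bin/env python3
+import pyshark
+import sys
+import glob
+import importlib
+import os
+import re
+import shutil
+
+from logwriter.plugins import *
+
+class LogWrite(object):
+def __init__(self, pcap_file, output_dir, force_mkdir=False):
+self.layer_that_do_not_match_plugin = 0
+self.pcap_file = pcap_file
+self.output_dir = output_dir
+self.has_error = False
+
+try:
+os.makedirs(self.output_dir)
+except FileExistsError:
+if force_mkdir:
+shutil.rmtree(self.output_dir)
+os.makedirs(self.output_dir)
+else:
+print("Error: Cannot make directory %s: Directory already exists!" % self.output_dir)
+self.has_error = True
+return
+except:
+print("Error: Cannot make directory %s" % self.output_dir)
+self.has_error = True
+return
+
+# self.loaded_plugins = self.load_plugins(os.path.join(os.path.dirname(__file__), "logwriter", "plugins"), self.output_dir)
+self.loaded_plugins = self.load_plugins(os.path.join("logwriter", "plugins"), self.output_dir)
+print("Loaded %d plugins" % len(self.loaded_plugins))
+
+self.plugins_by_layer = {}
+for p in self.loaded_plugins:
+try:
+self.plugins_by_layer[self.loaded_plugins[p].active_layer].append(p)
+except KeyError:
+self.plugins_by_layer[self.loaded_plugins[p].active_layer] = []
+self.plugins_by_layer[self.loaded_plugins[p].active_layer].append(p)
+
+print(self.plugins_by_layer)
+
+def load_plugins(self, plugins_dir, outpath):
+plugins_dir += os.sep
+loaded_plugins = {}
+plugins = glob.glob(plugins_dir + "*.py")
+plugins = [x for x in plugins if not x.endswith("__init__.py")]
+for modfile in plugins:
+plugin_name = os.path.basename(modfile)[:-3]
+import_plugin = modfile.replace("/",".")[:-3]
+module = importlib.import_module(import_plugin)
+loaded_plugins[plugin_name] = module.LogPlugin(outpath)
+# print(str(loaded_plugins))
+return loaded_plugins
+
+def process(self):
+cap = pyshark.FileCapture(self.pcap_file)
+#cap.set_debug()
+
+pktid=0
+for pkt in cap:
+# Controller from pcraft, to call plugins such as EDR
+# When PCAP is not enough...
+# This is cheating, we make sure our pcap has ip source and destination of 10.10.10.10 and port source and destination of 666
+# Then, we get the plugin in the URI and the data from the User Agent field.
+# TODO: Must be fixed by using pcap-ng ASAP
+# print(pkt)
+if hasattr(pkt, 'http'):
+# print("This packet is http")
+if pkt.tcp.dstport == "666" and pkt.tcp.srcport == "666" and pkt.ip.src == "10.10.10.10" and pkt.ip.dst == "10.10.10.10":
+# print("This is a controller packet")
+# The plugin name comes from the URI
+plugin = pkt.http.request_uri[1:].lower()
+# The key=values comes from the User Agent
+keysvalues = pkt.http.get_field_value('user_agent')
+kvdict = dict(re.findall(r"(\S+)=('''.*?'''|\S+)", keysvalues))
+for k,v in kvdict.items():
+kvdict[k] = v.strip("'")
+
+self.loaded_plugins[plugin].run(cap, pkt, pktid, kvdict)
+continue
+
+for layer in pkt.layers:
+layer_name = layer.layer_name
+try:
+for p in self.plugins_by_layer[layer_name]:
+# try:
+self.loaded_plugins[p].run(cap, pkt, pktid, layer)
+# except:
+# print("x", end="")
+except KeyError:
+self.layer_that_do_not_match_plugin += 1
+
+print("Layers that did not match a plugin: %d" % self.layer_that_do_not_match_plugin)
+
+
+if __name__ == "__main__":
+if len(sys.argv) < 3:
+print("Syntax: %s pcap_file output_dir" % sys.argv[0])
+sys.exit(1)
+
+writer = LogWrite(sys.argv[1], sys.argv[2], "-f" in sys.argv)
+if writer.has_error:
+print("Error. Exiting.")
+sys.exit(1)
+
+writer.process()
+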
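Review bot: `shutil.rmtree(self.output_dir)` under `force_mkdir` recursively deletes whatever path the caller named, with no check that the tool created it, so `LogWrite.py x.pcap ~ -f` removes the home directory; at minimum guard it with `if os.path.islink(self.output_dir) or not os.path.isdir(self.output_dir): raise ValueError(...)` before the `rmtree`, or better, only remove a directory that carries a marker file written by a previous run. In `load_plugins`, `glob.glob` resolves `logwriter/plugins/*.py` relative to the current working directory while `importlib.import_module` resolves the dotted name against `sys.path` (the script's directory), so the two disagree whenever the tool is run from elsewhere, and `modfile.replace("/", ".")` assumes a forward-slash separator; the commented-out `os.path.dirname(__file__)` form on the line above `self.loaded_plugins = ...` is the one to keep. In `process`, the controller-packet dispatch `self.loaded_plugins[plugin].run(cap, pkt, pktid, kvdict)` takes both the plugin name and its arguments straight from the packet, and a pcap is untrusted input: an unknown name raises an uncaught KeyError and a missing `User-Agent` makes `re.findall` fail on `None`, so a crafted capture aborts the whole run instead of being skipped with a logged warning. The bare `except:` in `__init__` also swallows `KeyboardInterrupt` and `SystemExit`; `except OSError:` covers what `os.makedirs` can raise.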
73 changes: 27 additions & 46 deletions ami/bin/amidebug.c
Expand Up @@ -7,37 +7,35 @@
#include <ami/khash.h>

void simple_print_global_variables(ami_t *ami);
void simple_print_repeat_variables(ami_t *ami);
void simple_print_local_variables(ami_t *ami);
void simple_print_local_variables(ami_action_t *action);

void foreach_action(ami_action_t *action, void *userdata)
void foreach_action(ami_action_t *action, void *userdata1, void *userdata2)
{
ami_t *ami = (ami_t *)userdata;
ami_t *ami = (ami_t *)userdata1;
/* printf("===== Running action =====\n"); */
ami_action_debug(ami, action);
/* printf("Running %s\n", action->name); */
}

void quiet_foreach_action(ami_action_t *action, void *userdata)
void quiet_foreach_action(ami_action_t *action, void *userdata1, void *userdata2)
{
ami_field_action_t *field_action;

ami_t *ami = (ami_t *)userdata;
ami_t *ami = (ami_t *)userdata1;
for (field_action=action->field_actions; field_action; field_action=field_action->next) {
}

}

void simple_foreach_action(ami_action_t *action, void *userdata)
void simple_foreach_action(ami_action_t *action, void *userdata1, void *userdata2)
{
ami_field_action_t *field_action;

ami_t *ami = (ami_t *)userdata;
ami_t *ami = (ami_t *)userdata1;
printf("------------------------\n");
printf("* Action name(%s) exec(%s) ami->sleep_cursor(%f); sleep_cursor(%f) repeat_index(%d)\n", action->name, action->exec, ami->sleep_cursor, action->sleep_cursor, action->repeat_index);
simple_print_repeat_variables(ami);
simple_print_local_variables(ami);

simple_print_local_variables(action);

printf("* Field Actions:\n");
for (field_action=action->field_actions; field_action; field_action=field_action->next) {

Expand All @@ -52,47 +50,30 @@ void simple_print_global_variables(ami_t *ami)
int count = 0;

printf("* Global Variables:\n");
if (ami->global_variables) {
for (k = 0; k < kh_end(ami->global_variables); ++k)
if (kh_exist(ami->global_variables, k)) {
char *key = (char *)kh_key(ami->global_variables, k);
char *value = (char *)kh_value(ami->global_variables, k);
printf(" gv:[%d] %s = %s\n", count, key, ami_get_variable(ami, value));
if (ami->variables) {
for (k = 0; k < kh_end(ami->variables); ++k)
if (kh_exist(ami->variables, k)) {
char *key = (char *)kh_key(ami->variables, k);
printf("[%d] %s\n", count, key);
ami_variable_t *value = (ami_variable_t *)kh_value(ami->variables, k);
ami_variable_debug(value);
count++;
}
}
}

void simple_print_repeat_variables(ami_t *ami)
void simple_print_local_variables(ami_action_t *action)
{
khint_t k;
int count = 0;

printf("* Repeat Variables:\n");
if (ami->repeat_variables) {
for (k = 0; k < kh_end(ami->repeat_variables); ++k)
if (kh_exist(ami->repeat_variables, k)) {
char *key = (char *)kh_key(ami->repeat_variables, k);
char *value = (char *)kh_value(ami->repeat_variables, k);
printf(" rv:[%d] %s = %s\n", count, key, ami_get_variable(ami, value));
count++;
}
}
}

void simple_print_local_variables(ami_t *ami)
{
khint_t k;
int count = 0;

printf("* Local Variables:\n");
if (ami->local_variables) {
for (k = 0; k < kh_end(ami->local_variables); ++k)
if (kh_exist(ami->local_variables, k)) {
char *key = (char *)kh_key(ami->local_variables, k);
char *value = (char *)kh_value(ami->local_variables, k);
printf(" lv:[%d] %s = %s\n", count, key, ami_get_variable(ami, value));
count++;
if (action->variables) {
for (k = 0; k < kh_end(action->variables); ++k)
if (kh_exist(action->variables, k)) {
char *key = (char *)kh_key(action->variables, k);
printf("_%s\n", key);
ami_variable_t *value = (ami_variable_t *)kh_value(action->variables, k);
ami_variable_debug(value);
}
}
}
Expand All @@ -101,7 +82,7 @@ int simple_debug(const char *amifile)
{
ami_t *ami;
ami = ami_new();
ami_set_action_callback(ami, simple_foreach_action, ami);
ami_set_action_callback(ami, simple_foreach_action, ami, NULL);
ami_parse_file(ami, amifile);
printf("ami_version %d\n", ami->version);
ami_ast_walk_actions(ami);
Expand All @@ -116,7 +97,7 @@ int quiet_debug(const char *amifile)
{
ami_t *ami;
ami = ami_new();
ami_set_action_callback(ami, quiet_foreach_action, ami);
ami_set_action_callback(ami, quiet_foreach_action, ami, NULL);
ami_parse_file(ami, amifile);
ami_ast_walk_actions(ami);
ami_close(ami);
Expand Down Expand Up @@ -155,7 +136,7 @@ int main(int argc, char **argv)
}


ami_set_action_callback(ami, foreach_action, ami);
ami_set_action_callback(ami, foreach_action, ami, NULL);
ami->debug = 1;

ret = ami_parse_file(ami, argv[1]);
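Review bot: `count` in the new `simple_print_local_variables` is declared (`int count = 0;`) but never read or incremented; the rewritten loop body dropped the `count++` the old local-variables printer had, so the variable now only yields an unused-variable warning. Either delete the declaration or keep the index in the output the way `simple_print_global_variables` in the same hunk does, `printf("[%d] _%s\n", count, key);` followed by `count++;` after `ami_variable_debug(value);`. That hunk begins inside `simple_print_global_variables`, whose signature and start are above it. The `userdata2` parameter added to `foreach_action`, `quiet_foreach_action` and `simple_foreach_action` is unused in all three, which is acceptable for a debug binary but worth a `(void)userdata2;` if the build enables `-Wunused-parameter`.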
