# Author: Sylvain SARMEJEANNE
# http://trac.secdev.org/scapy/ticket/1

# scapy.contrib.description = Ubberlogger dissectors
# scapy.contrib.status = untested

from scapy.packet import *
from scapy.fields import *

# Syscall identifiers known by Uberlogger, keyed by the value carried in
# the ``syscall_type`` byte of Uberlogger_uber_h.  Serves as the enum
# table for that field, so a missing id is rendered as its raw number.
uberlogger_sys_calls = {
    0: "READ_ID",
    1: "OPEN_ID",
    2: "WRITE_ID",
    3: "CHMOD_ID",
    4: "CHOWN_ID",
    5: "SETUID_ID",
    6: "CHROOT_ID",
    7: "CREATE_MODULE_ID",
    8: "INIT_MODULE_ID",
    9: "DELETE_MODULE_ID",
    10: "CAPSET_ID",
    11: "CAPGET_ID",
    12: "FORK_ID",
    13: "EXECVE_ID",
}

# First part of the header
class Uberlogger_honeypot_caract(Packet):
    """First part of the Uberlogger header: identifies the honeypot.

    Three single-byte fields.  ``reserved`` is carried on the wire but
    has no meaning defined in this dissector.
    """
    name = "Uberlogger honeypot_caract"
    fields_desc = [
        ByteField("honeypot_id", 0),
        ByteField("reserved", 0),
        ByteField("os_type_and_version", 0),
    ]

# Second part of the header
class Uberlogger_uber_h(Packet):
    """Second part of the Uberlogger header: one logged syscall.

    ``syscall_type`` is decoded through ``uberlogger_sys_calls`` and is
    what decides which per-syscall option layer follows.  ``length`` is
    carried as a plain IntField; nothing in this dissector ties it to
    the size of the payload, so it is reported but not enforced.
    """
    name = "Uberlogger uber_h"
    fields_desc = [
        ByteEnumField("syscall_type", 0, uberlogger_sys_calls),
        IntField("time_sec", 0),
        IntField("time_usec", 0),
        IntField("pid", 0),
        IntField("uid", 0),
        IntField("euid", 0),
        IntField("cap_effective", 0),
        IntField("cap_inheritable", 0),
        IntField("cap_permitted", 0),
        IntField("res", 0),
        IntField("length", 0),
    ]

# The 9 following classes are options depending on the syscall type
class Uberlogger_capget_data(Packet):
    """Option layer for a CAPGET syscall: the pid whose caps were read."""
    name = "Uberlogger capget_data"
    fields_desc = [
        IntField("target_pid", 0),
    ]

class Uberlogger_capset_data(Packet):
    """Option layer for a CAPSET syscall: target pid and the three
    capability sets that were requested."""
    name = "Uberlogger capset_data"
    fields_desc = [
        IntField("target_pid", 0),
        IntField("effective_cap", 0),
        IntField("permitted_cap", 0),
        IntField("inheritable_cap", 0),
    ]

class Uberlogger_chmod_data(Packet):
    """Option layer for a CHMOD syscall: the requested mode (16 bits)."""
    name = "Uberlogger chmod_data"
    fields_desc = [
        ShortField("mode", 0),
    ]

class Uberlogger_chown_data(Packet):
    """Option layer for a CHOWN syscall: the requested owner and group."""
    name = "Uberlogger chown_data"
    fields_desc = [
        IntField("uid", 0),
        IntField("gid", 0),
    ]

class Uberlogger_open_data(Packet):
    """Option layer for an OPEN syscall: open flags and creation mode."""
    name = "Uberlogger open_data"
    fields_desc = [
        IntField("flags", 0),
        IntField("mode", 0),
    ]
                   
class Uberlogger_read_data(Packet):
    """Option layer for a READ syscall: descriptor and requested count."""
    name = "Uberlogger read_data"
    fields_desc = [
        IntField("fd", 0),
        IntField("count", 0),
    ]
                   
class Uberlogger_setuid_data(Packet):
    """Option layer for a SETUID syscall: the uid that was requested."""
    name = "Uberlogger setuid_data"
    fields_desc = [
        IntField("uid", 0),
    ]

class Uberlogger_create_module_data(Packet):
    """Option layer for a CREATE_MODULE syscall: the requested size."""
    name = "Uberlogger create_module_data"
    fields_desc = [
        IntField("size", 0),
    ]

class Uberlogger_execve_data(Packet):
    """Option layer for an EXECVE syscall: the argument count.

    Only the count is declared here; the arguments themselves, if any,
    are left to the trailing payload.
    """
    name = "Uberlogger execve_data"
    fields_desc = [
        IntField("nbarg", 0),
    ]

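# Layer bounds for Uberlogger.
#
# Each option layer belongs to exactly one syscall, selected by
# Uberlogger_uber_h.syscall_type.  An unconditional bind_layers() from
# uber_h to every option layer makes scapy's payload guess return the
# first-registered candidate for every header, regardless of the
# syscall; binding each option layer on its syscall id lets dissection
# pick the right layer and lets building fill in syscall_type.  Ids are
# looked up by name in uberlogger_sys_calls so the table stays the
# single source of truth.  Syscalls without an option layer here
# (WRITE, CHROOT, INIT_MODULE, DELETE_MODULE, FORK) dissect to Raw.
_uberlogger_sys_call_ids = dict(
    (sys_name, sys_id) for sys_id, sys_name in uberlogger_sys_calls.items()
)

bind_layers(Uberlogger_honeypot_caract, Uberlogger_uber_h)
bind_layers(Uberlogger_uber_h, Uberlogger_read_data,
            syscall_type=_uberlogger_sys_call_ids["READ_ID"])
bind_layers(Uberlogger_uber_h, Uberlogger_open_data,
            syscall_type=_uberlogger_sys_call_ids["OPEN_ID"])
bind_layers(Uberlogger_uber_h, Uberlogger_chmod_data,
            syscall_type=_uberlogger_sys_call_ids["CHMOD_ID"])
bind_layers(Uberlogger_uber_h, Uberlogger_chown_data,
            syscall_type=_uberlogger_sys_call_ids["CHOWN_ID"])
bind_layers(Uberlogger_uber_h, Uberlogger_setuid_data,
            syscall_type=_uberlogger_sys_call_ids["SETUID_ID"])
bind_layers(Uberlogger_uber_h, Uberlogger_create_module_data,
            syscall_type=_uberlogger_sys_call_ids["CREATE_MODULE_ID"])
bind_layers(Uberlogger_uber_h, Uberlogger_capset_data,
            syscall_type=_uberlogger_sys_call_ids["CAPSET_ID"])
bind_layers(Uberlogger_uber_h, Uberlogger_capget_data,
            syscall_type=_uberlogger_sys_call_ids["CAPGET_ID"])
bind_layers(Uberlogger_uber_h, Uberlogger_execve_data,
            syscall_type=_uberlogger_sys_call_ids["EXECVE_ID"])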