Attribution for pcaps
This commit is contained in:
parent
241c52a051
commit
87636b0d1e
7 changed files with 40 additions and 10 deletions
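--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 /target
+/result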
BIN
pcaps/bro_ssh.pcap
Normal file
BIN
pcaps/bro_ssh.pcap
Normal file
Binary file not shown.
BIN
pcaps/godpi_ssh.pcap
Normal file
BIN
pcaps/godpi_ssh.pcap
Normal file
Binary file not shown.
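--- a/pcaps/sources.md
+++ b/pcaps/sources.md
@@ -0,0 +1,8 @@
+- http.cap | wireshark
+- http_image.cap | wireshark
+- dns.cap | wireshark
+- NTP_syc | wireshark
+- telnet-cooked | wireshark
+- SSHv2 | packetlife
+- bro_ssh | try-bro
+- godpi_ssh | go-dpi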
|
@ -61,7 +61,7 @@ fn main() {
|
||||||
stats.analyzed += 1;
|
stats.analyzed += 1;
|
||||||
}
|
}
|
||||||
if opt.print_analysis {
|
if opt.print_analysis {
|
||||||
info!("{:?}", extracted);
|
println!("{:?}", extracted);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
Err(_) => stats.unknown_packets += 1,
|
Err(_) => stats.unknown_packets += 1,
|
||||||
|
|
|
||||||
|
|
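Review bot: The new `println!("{:?}", extracted)` sits next to `stats.analyzed += 1`, which looks like a per-packet path, so on a large capture it takes the stdout lock once per packet; if `print_analysis` output matters, lock once before the loop with `let mut out = std::io::stdout().lock();` and use `writeln!(out, "{:?}", extracted)` here. The `{:?}` rendering is also not a stable format, so anything downstream that parses this output should get a `Display` impl on the extracted type instead. The enclosing `main` and its loop start outside the hunk, so the loop structure is inferred.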
@ -1,4 +1,6 @@
|
||||||
use dns::{DNSType, DNSValue};
|
use dns::{DNSType, DNSValue};
|
||||||
|
use log::info;
|
||||||
|
use ssh::SSHType;
|
||||||
|
|
||||||
mod dns;
|
mod dns;
|
||||||
mod ssh;
|
mod ssh;
|
||||||
|
|
@ -11,6 +13,7 @@ pub trait KnownProtocol {
|
||||||
#[derive(Debug)]
|
#[derive(Debug)]
|
||||||
pub enum ProtocolType {
|
pub enum ProtocolType {
|
||||||
DNS(DNSType),
|
DNS(DNSType),
|
||||||
|
SSH,
|
||||||
}
|
}
|
||||||
|
|
||||||
#[derive(Debug)]
|
#[derive(Debug)]
|
||||||
|
|
@ -21,17 +24,22 @@ pub enum ExtractedInfo {
|
||||||
pub fn extract_info(ptype: ProtocolType, payload: Vec<u8>) -> Option<ExtractedInfo> {
|
pub fn extract_info(ptype: ProtocolType, payload: Vec<u8>) -> Option<ExtractedInfo> {
|
||||||
match ptype {
|
match ptype {
|
||||||
ProtocolType::DNS(x) => match x {
|
ProtocolType::DNS(x) => match x {
|
||||||
DNSType::Query => {
|
//DNSType::Query => Some(ExtractedInfo::DNSQuery(dns::analyse_dns_query(payload))),
|
||||||
return Some(ExtractedInfo::DNSQuery(dns::analyse_dns_query(payload)));
|
DNSType::Query => Some(x.extract_info(payload)),
|
||||||
|
DNSType::Response => {
|
||||||
|
info!("DNS Response processing not handled yet!");
|
||||||
|
None
|
||||||
}
|
}
|
||||||
DNSType::Response => return None,
|
|
||||||
},
|
},
|
||||||
|
ProtocolType::SSH => {
|
||||||
|
todo!()
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn match_protocol(payload: Vec<u8>) -> Result<ProtocolType, ()> {
|
pub fn match_protocol(payload: Vec<u8>) -> Result<ProtocolType, ()> {
|
||||||
if let Ok(x) = dns::is_dns(payload) {
|
if let Ok(x) = dns::DNSType::classify_proto(payload) {
|
||||||
return Ok(ProtocolType::DNS(x));
|
return Ok(x);
|
||||||
};
|
}
|
||||||
Err(())
|
Err(())
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
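Review bot: The new `ProtocolType::SSH => { todo!() }` arm in `extract_info` panics at runtime on data that comes straight from the capture, so as soon as `match_protocol` is extended to return `ProtocolType::SSH` (it still only tries `DNSType::classify_proto` here, so the arm is unreachable in this commit) any SSH packet would abort the analyser instead of being counted. Make it behave like the `DNSType::Response` arm added just above it: `ProtocolType::SSH => { info!("SSH extraction not handled yet!"); None }`; the `todo!()` in `SSHType::extract_info` in the `@ -1,4 +1,17 @@` hunk of ssh.rs has the same effect. The commented-out `//DNSType::Query => Some(ExtractedInfo::DNSQuery(dns::analyse_dns_query(payload))),` line above the live `DNSType::Query` arm is dead code and should be deleted. Also, `DNSType::classify_proto(payload)` in `match_protocol` consumes the `Vec<u8>`, so the new `SSHType::classify_proto` cannot be tried after the DNS check without a clone; taking `&[u8]` in the `KnownProtocol` trait (defined outside this hunk) would let the classifiers chain.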
@ -1,4 +1,17 @@
|
||||||
pub fn is_ssh(payload: Vec<u8>) -> bool {
|
use crate::{util::*, ExtractedInfo, KnownProtocol, ProtocolType};
|
||||||
// Check for ASCII "SSH"
|
|
||||||
payload[0] == 0x53 && payload[1] == 0x53 && payload[2] == 0x48
|
pub type SSHType = ();
|
||||||
|
|
||||||
|
impl KnownProtocol for SSHType {
|
||||||
|
fn classify_proto(payload: Vec<u8>) -> Result<ProtocolType, ()> {
|
||||||
|
if payload[0] == 0x53 && payload[1] == 0x53 && payload[2] == 0x48 {
|
||||||
|
Ok(ProtocolType::SSH)
|
||||||
|
} else {
|
||||||
|
Err(())
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
fn extract_info(&self, payload: Vec<u8>) -> ExtractedInfo {
|
||||||
|
todo!()
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
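Review bot: `payload[0] == 0x53 && payload[1] == 0x53 && payload[2] == 0x48` in the new `classify_proto` indexes without a length check, so a payload shorter than three bytes — an empty or truncated segment in a capture — panics with an index out of bounds instead of returning `Err(())`; `if payload.starts_with(b"SSH") {` handles short input and puts back the intent of the dropped `// Check for ASCII "SSH"` comment in the code itself (the RFC 4253 identification string starts with `SSH-`, so `b"SSH-"` would be a tighter match). `pub type SSHType = ();` is only an alias, so `impl KnownProtocol for SSHType` is an impl for `()` and no other protocol in the crate can use the same shape; `pub struct SSHType;` gives it a type of its own at no cost. The glob in `use crate::{util::*, ...}` is not used by anything in this hunk, though the rest of the file is outside it.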