├── NIDS_python-main
    ├── README.md
    ├── custom_ids.py
    ├── nids_eel.py
    ├── nidsshowpacket
    │   ├── index.html
    │   ├── script.js
    │   └── styles.css
    ├── nidsweb
    │   ├── index.html
    │   ├── script.js
    │   └── styles.css
    ├── rules.txt
    ├── show_packetdat.py
    ├── temp
    │   ├── decrypthttp2.py
    │   ├── httpstreamread.pcap
    │   ├── showpackettemp
    │   │   └── EtherIPv6UDPfe801e61b4fffe08d97638322_ff02cssdpRaw.json
    │   ├── tcpflowdump
    │   │   └── nothing.txt
    │   ├── tcpstreamread.pcap
    │   └── temppackets
    │   │   └── 103257EtherIPTCP2019811984https_192168020852587PARawMSGINCOMINGHOMENETRANGEREAD.pkt
    └── yararules
    │   └── rules1.yara
├── README.md
├── custom_ids.py
├── rules.txt
├── temp
    ├── decrypthttp2.py
    └── tcpflowdump
    │   └── nothing.txt
└── yararules
    └── rules1.yara


/NIDS_python-main/README.md:
--------------------------------------------------------------------------------
1 | # NIDS_python
2 | A custom GUI based NIDS (Network Intrusion Detection System) with stream follow capability for HTTP2 and TLS/TCP.
3 | Savedpcap directory has to be created in root folder.
4 | ssllogs filepath has to be modified in the custom_ids.py code.
5 | 


--------------------------------------------------------------------------------
/NIDS_python-main/custom_ids.py:
--------------------------------------------------------------------------------
  1 | import scapy.all as scp
  2 | import codecs
  3 | import PySimpleGUI as sg
  4 | import os
  5 | import threading
  6 | import sys
  7 | import pyshark
  8 | import socket
  9 | import scapy.arch.windows as scpwinarch
 10 | import json
 11 | import logging
 12 | logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
 13 | import re
 14 | import ipaddress
 15 | import subprocess
 16 | import yara
 17 | import pprint
 18 | import glob
 19 | 
 20 | def readrules():
 21 |     rulefile = "rules.txt"
 22 |     ruleslist = []
 23 |     with open(rulefile, "r") as rf:
 24 |         ruleslist = rf.readlines()
 25 |     rules_list = []
 26 |     for line in ruleslist:
 27 |         if line.startswith("alert"):
 28 |             rules_list.append(line)
 29 |     print(rules_list)
 30 |     return rules_list
 31 | 
 32 | alertprotocols = []
 33 | alertdestips = []
 34 | alertsrcips = []
 35 | alertsrcports = []
 36 | alertdestports = []
 37 | alertmsgs = []
 38 | 
 39 | # rule format --> "alert [srcip] [srcport] --> [dstip] [dstport] [msg]" [msg] may include spaces and is not within quotes
 40 | 
 41 | def process_rules(rulelist):
 42 |     global alertprotocols
 43 |     global alertdestips
 44 |     global alertsrcips
 45 |     global alertsrcports
 46 |     global alertdestports
 47 |     global alertmsgs
 48 |     alertprotocols = []
 49 |     alertdestips = []
 50 |     alertsrcips = []
 51 |     alertsrcports = []
 52 |     alertdestports = []
 53 |     alertmsgs = []
 54 |     for rule in rulelist:
 55 |         rulewords = rule.split()
 56 |         if rulewords[1] != "any":
 57 |             protocol = rulewords[1]
 58 |             alertprotocols.append(protocol.lower())
 59 |         else:
 60 |             alertprotocols.append("any")
 61 |         if rulewords[2] != "any":
 62 |             srcip = rulewords[2]
 63 |             alertsrcips.append(srcip.lower())
 64 |         else:
 65 |             alertsrcips.append("any")
 66 |         if rulewords[3] != "any":
 67 |             srcport = int(rulewords[3])
 68 |             alertsrcports.append(srcport)
 69 |         else:
 70 |             alertsrcports.append("any")
 71 |         if rulewords[5] != "any":
 72 |             destip = rulewords[5]
 73 |             alertdestips.append(destip.lower())
 74 |         else:
 75 |             alertdestips.append("any")
 76 |         if rulewords[6] != "any":
 77 |             destport = rulewords[6]
 78 |             alertdestports.append(destport.lower())
 79 |         else:
 80 |             alertdestports.append("any")
 81 |         try:
 82 |             alertmsgs.append(" ".join([rulewords[x] for x in range(7, len(rulewords))]))
 83 |         except:
 84 |             pass    
 85 | 
 86 |     print(alertprotocols)
 87 |     print(alertdestips)
 88 |     print(alertsrcips)
 89 |     print(alertsrcports)
 90 |     print(alertdestports)
 91 |     print(alertmsgs)
 92 | 
 93 | process_rules(readrules())
 94 | 
 95 | deviceiplist = []
 96 | for route in scp.read_routes():
 97 |     if str(route[4]) not in deviceiplist:
 98 |         deviceiplist.append(str(route[4]))
 99 |         print(str(route[4]))
100 | 
101 | 
102 | sg.theme('BluePurple')
103 | 
104 | pktsummarylist = []
105 | suspiciouspackets = []
106 | suspacketactual = []
107 | lastpacket = ""
108 | sus_readablepayloads = []
109 | all_readablepayloads = []
110 | tcpstreams = []
111 | SSLLOGFILEPATH = "C:\\Users\\mainak\\ssl1.log"
112 | http2streams=[]
113 | logdecodedtls = True
114 | httpobjectindexes = []
115 | httpobjectactuals = []
116 | httpobjecttypes = []
117 | yaraflagged_filenames = []
118 | reqfilepathbase = "./temp/tcpflowdump/"
119 | 
120 | layout = [[sg.Button('STARTCAP', key="-startcap-"),
121 | 		sg.Button('STOPCAP', key='-stopcap-'), sg.Button('SAVE ALERT', key='-savepcap-'),
122 |         sg.Button('REFRESH RULES', key='-refreshrules-'),
123 |         sg.Button('LOAD TCP/HTTP2 STREAMS', key='-showtcpstreamsbtn-'),
124 |         sg.Button('LOAD HTTP STREAMS', key='-showhttpstreamsbtn-'),
125 |         sg.Button('YARA FILTER STREAMS', key='-yarafilterstreamsbtn-'),],
126 |         [sg.Text("ALERT PACKETS", font=('Arial Bold', 14), size=(60, None), justification="left"),
127 |          sg.Text("ALL PACKETS", font=('Arial Bold', 14), size=(60, None), justification="left")],
128 | 		[sg.Listbox(key='-pkts-', size=(100,20), values=suspiciouspackets, enable_events=True), 
129 |         sg.Listbox(key='-pktsall-', size=(100,20), values=pktsummarylist, enable_events=True),
130 |         ],
131 |         [sg.Text("ALERT DECODED", font=('Arial Bold', 14), size=(35, None),justification="left"),
132 |          sg.Text("HTTP2 STREAMS", font=('Arial Bold', 14),justification="left"),
133 |          sg.Text("TCP STREAMS", font=('Arial Bold', 14),justification="left"),
134 |          sg.Text("HTTP OBJECTS", font=('Arial Bold', 14),justification="left"),
135 |          sg.Text("YARA FLAGGED STREAMS", font=('Arial Bold', 14),justification="left"),],
136 |         [sg.Multiline(size=(60,20), key='-payloaddecoded-'),
137 |         sg.Listbox(key='-http2streams-', size=(20, 20), values=http2streams, enable_events=True),
138 |         sg.Listbox(key='-tcpstreams-', size=(20,20), values=tcpstreams, enable_events=True),
139 |         sg.Listbox(key='-httpobjects-', size=(20, 20), values=httpobjectindexes, enable_events=True),
140 |         sg.Listbox(key='-yaraflaggedstreams-', size=(40, 20), values=yaraflagged_filenames, enable_events=True),
141 |         #sg.Multiline(size=(50,20), key='-payloaddecodedall-')
142 |         ],
143 | 		[sg.Button('EXIT')]]
144 | 
145 | window = sg.Window('Introduction', layout, size=(1600,800), resizable=True)
146 | 
147 | updatepktlist = False
148 | pkt_list = []
149 | 
150 | 
151 | def get_http_headers(http_payload):
152 |     try:
153 |         headers_raw = http_payload[:http_payload.index(b"\r\n\r\n") + 2]
154 |         headers = dict(re.findall(b"(?P<name>.*?): (?P<value>.*?)\\r\\n", headers_raw))
155 | 
156 |     except ValueError as err:
157 |         logging.error('Could not find \\r\\n\\r\\n - %s' % err)
158 |         return None
159 |     except Exception as err:
160 |         logging.error('Exception found trying to parse raw headers - %s' % err)
161 |         logging.debug(str(http_payload))
162 |         return None
163 | 
164 |     if b"Content-Type" not in headers:
165 |         logging.debug('Content Type not present in headers')
166 |         logging.debug(headers.keys())
167 |         return None   
168 |     return headers
169 | 
170 | def extract_object(headers, http_payload):
171 |     object_extracted = None
172 |     object_type = None
173 | 
174 |     content_type_filters = [b'application/x-msdownload', b'application/octet-stream']
175 | 
176 |     try:
177 |         if b'Content-Type' in headers.keys():
178 |             #if headers[b'Content-Type'] in content_type_filters:              
179 |             object_extracted = http_payload[http_payload.index(b"\r\n\r\n") +4:]
180 |             object_type = object_extracted[:2]
181 |             logging.info("Object Type: %s" % object_type)
182 |             # else:
183 |             #     logging.debug('Content Type did not matched with filters - %s' % headers[b'Content-Type'])
184 |             #     if len(http_payload) > 10:
185 |             #         logging.debug('Object first 50 bytes - %s' % str(http_payload[:50]))
186 |         else: 
187 |             logging.info('No Content Type in Package')
188 |             logging.debug(headers.keys())
189 | 
190 |         if b'Content-Length' in headers.keys():
191 |             logging.info( "%s: %s" % (b'Content-Lenght', headers[b'Content-Length']))
192 |     except Exception as err:
193 |         logging.error('Exception found trying to parse headers - %s' % err)
194 |         return None, None
195 |     return object_extracted, object_type
196 | 
197 | def read_http():
198 |     objectlist = []
199 |     objectsactual = []
200 |     objectsactualtypes = []
201 |     objectcount = 0
202 |     global pkt_list
203 |     try:
204 |         os.remove(f".\\temp\\httpstreamread.pcap")
205 |     except:
206 |         pass
207 |     httppcapfile = f".\\temp\\httpstreamread.pcap"
208 |     scp.wrpcap(httppcapfile, pkt_list)
209 |     pcap_flow = scp.rdpcap(httppcapfile)
210 |     sessions_all = pcap_flow.sessions()
211 | 
212 |     for session in sessions_all:
213 |         http_payload = bytes()
214 |         for pkt in sessions_all[session]:
215 |             if pkt.haslayer("TCP"):
216 |                 if pkt["TCP"].dport == 80 or pkt["TCP"].sport == 80 or pkt["TCP"].dport == 8080 or pkt["TCP"].sport == 8080:
217 |                     if pkt["TCP"].payload:
218 |                         payload = pkt["TCP"].payload
219 |                         http_payload += scp.raw(payload)
220 |         if len(http_payload):
221 |             http_headers = get_http_headers(http_payload)
222 | 
223 |             if http_headers is None:
224 |                 continue
225 | 
226 |             object_found, object_type = extract_object(http_headers, http_payload)
227 | 
228 |             if object_found is not None and object_type is not None:
229 |                 objectcount += 1
230 |                 objectlist.append(objectcount-1)
231 |                 objectsactual.append(object_found)
232 |                 objectsactualtypes.append(object_type)
233 |     
234 |     return objectlist, objectsactual, objectsactualtypes
235 | 
236 | 
237 | def proto_name_by_num(proto_num):
238 |     for name,num in vars(socket).items():
239 |         if name.startswith("IPPROTO") and proto_num == num:
240 |             return name[8:]
241 |     return "Protocol not found"
242 | 
243 | def check_rules_warning(pkt):
244 |     global alertprotocols
245 |     global alertdestips
246 |     global alertsrcips
247 |     global alertsrcports
248 |     global alertdestports
249 |     global alertmsgs
250 |     global sus_readablepayloads
251 |     global updatepktlist
252 | 
253 |     if 'IP' in pkt:
254 |         try:
255 |             src = pkt['IP'].src
256 |             dest = pkt['IP'].dst
257 |             proto = proto_name_by_num(pkt['IP'].proto).lower()
258 |             #print(proto)
259 |             sport = pkt['IP'].sport
260 |             dport = pkt['IP'].dport
261 | 
262 |             for i in range(len(alertprotocols)):
263 |                 flagpacket = False
264 |                 if alertprotocols[i] != "any":
265 |                     chkproto = alertprotocols[i]
266 |                 else:
267 |                     chkproto = proto
268 |                 if alertdestips[i] != "any":
269 |                     chkdestip = alertdestips[i]
270 |                 else:
271 |                     chkdestip = dest
272 |                 if alertsrcips[i] != "any":
273 |                     chksrcip = alertsrcips[i]
274 |                 else:
275 |                     chksrcip = src
276 |                 if alertsrcports[i] != "any":
277 |                     chksrcport = alertsrcports[i]
278 |                 else:
279 |                     chksrcport = sport
280 |                 if alertdestports[i] != "any":
281 |                     chkdestport = alertdestports[i]
282 |                 else:
283 |                     chkdestport = dport
284 |                 
285 |                 # print("chk \n", str(chksrcip) , str(chkdestip) , str(chkproto) , str(chkdestport) , str(chksrcport))
286 |                 # print("act \n", str(src) , str(dest) , str(proto) , str(dport) , str(sport))
287 |                 
288 |                 if "/" not in str(chksrcip).strip() and "/" not in str(chkdestip).strip():
289 |                     if (str(src).strip() == str(chksrcip).strip() and str(dest).strip() == str(chkdestip).strip() and str(proto).strip() == str(chkproto).strip() and str(dport).strip() == str(chkdestport).strip() and str(sport).strip() == str(chksrcport).strip()):
290 |                         flagpacket = True
291 |                 if "/" in str(chksrcip).strip() and "/" in str(chkdestip).strip():
292 |                     if (ipaddress.IPv4Address(str(src).strip()) in ipaddress.IPv4Network(str(chksrcip).strip()) and ipaddress.IPv4Address(str(dest).strip()) in ipaddress.IPv4Network(str(chkdestip).strip()) and str(proto).strip() == str(chkproto).strip() and str(dport).strip() == str(chkdestport).strip() and str(sport).strip() == str(chksrcport).strip()):
293 |                         flagpacket = True
294 |                 if "/" in str(chksrcip).strip() and "/" not in str(chkdestip).strip():
295 |                     if (ipaddress.IPv4Address(str(src).strip()) in ipaddress.IPv4Network(str(chksrcip).strip()) and str(dest).strip() == str(chkdestip).strip() and str(proto).strip() == str(chkproto).strip() and str(dport).strip() == str(chkdestport).strip() and str(sport).strip() == str(chksrcport).strip()):
296 |                         flagpacket = True
297 |                 if "/" not in str(chksrcip).strip() and "/" in str(chkdestip).strip():                        
298 |                     if (str(src).strip() == str(chksrcip).strip() and ipaddress.IPv4Address(str(dest).strip()) in ipaddress.IPv4Network(str(chkdestip).strip()) and str(proto).strip() == str(chkproto).strip() and str(dport).strip() == str(chkdestport).strip() and str(sport).strip() == str(chksrcport).strip()):
299 |                         flagpacket = True
300 | 
301 |                 if flagpacket == True:
302 |                         # print("Match")
303 |                     if proto == "tcp":
304 |                         try:
305 |                             readable_payload = bytes(pkt['TCP'].payload).decode('UTF8','replace')
306 |                             sus_readablepayloads.append(readable_payload)
307 |                         except Exception as ex:
308 |                             sus_readablepayloads.append("Error getting tcp payload!!")
309 |                             print(ex)
310 |                             pass
311 |                     elif proto == "udp":
312 |                         try:
313 |                             readable_payload = bytes(pkt['UDP'].payload).decode('UTF8','replace')
314 |                             sus_readablepayloads.append(readable_payload)
315 |                         except Exception as ex:
316 |                             sus_readablepayloads.append("Error getting udp payload!!")
317 |                             print(ex)
318 |                             pass
319 |                     else:
320 |                         sus_readablepayloads.append("NOT TCP PACKET!!")
321 |                     if updatepktlist:
322 |                         window['-payloaddecoded-'].update(value=sus_readablepayloads[len(suspiciouspackets)])
323 |                     return True, str(alertmsgs[i])
324 |         except:
325 |             pkt.show()
326 |         
327 |     # for protocol in alertprotocols:
328 |     #     if protocol.upper() in pkt:
329 |     #         pass
330 |     return False, ""
331 | 
332 | 
333 | def pkt_process(pkt):
334 |     global deviceiplist
335 |     global window
336 |     global updatepktlist
337 |     global suspiciouspackets
338 |     global all_readablepayloads
339 | 
340 |     pkt_summary = pkt.summary()
341 |         #print("\n", src, " : ", dest, "\n")
342 |         # if dest in deviceiplist:
343 |         #     print(f"\n[*] INCOMING PACKET from \n")
344 |         #     if updatepktlist:
345 |                 
346 |         #     lastpacket = pkt_summary
347 |         #     return pkt_summary
348 |     pktsummarylist.append(f"{len(pktsummarylist)} " + pkt_summary)
349 |     pkt_list.append(pkt)
350 |     sus_pkt, sus_msg = check_rules_warning(pkt)
351 |     if sus_pkt == True:
352 |         suspiciouspackets.append(f"{len(suspiciouspackets)} {len(pktsummarylist) - 1}" + pkt_summary + f" MSG: {sus_msg}")
353 |         suspacketactual.append(pkt)
354 | 
355 |     
356 |     # if 'IP' in pkt:
357 |     #     proto = proto_name_by_num(pkt['IP'].proto).lower()
358 |     #     if proto == "tcp":
359 |     #         try:
360 |     #             readable_payload = bytes(pkt['TCP'].payload).decode('UTF8','replace')
361 |     #             all_readablepayloads.append(readable_payload)
362 |     #         except Exception as ex:
363 |     #             all_readablepayloads.append("Error getting tcp payload!!")
364 |     #             print(ex)
365 |     #             pass
366 |     #     elif proto == "udp":
367 |     #         try:
368 |     #             readable_payload = bytes(pkt['UDP'].payload).decode('UTF8','replace')
369 |     #             all_readablepayloads.append(readable_payload)
370 |     #         except Exception as ex:
371 |     #             all_readablepayloads.append("Error getting udp payload!!")
372 |     #             print(ex)
373 |     #             pass
374 |     #     else:
375 |     #         all_readablepayloads.append("NOT TCP PACKET!!")
376 |     #     if updatepktlist:
377 |     #         window['-payloaddecodedall-'].update(value=all_readablepayloads[-1])
378 |         #print(suspiciouspackets)
379 |     #pkt.show()
380 | 
381 |     return
382 | 
383 | ifaces = [str(x["name"]) for x in scpwinarch.get_windows_if_list()]
384 | ifaces1 = [ifaces[6]].append(ifaces[0]) #Ether and VMnet8
385 | sniffthread = threading.Thread(target=scp.sniff, kwargs={"prn":pkt_process, "filter": "", "iface":ifaces[0:6]}, daemon=True)
386 | sniffthread.start()
387 | 
388 | def show_tcp_stream_openwin(tcpstreamtext):
389 |     layout = [[sg.Multiline(tcpstreamtext, size=(100,50), key="tcpnewwintext")]]
390 |     window = sg.Window("TCPSTREAM", layout, modal=True, size=(1200, 600), resizable=True)
391 |     choice = None
392 |     while True:
393 |         event, values = window.read()
394 |         if event == "Exit" or event == sg.WIN_CLOSED:
395 |             break
396 |     window.close()
397 | 
398 | def show_http2_stream_openwin(tcpstreamtext):
399 |     layout = [[sg.Multiline(tcpstreamtext, size=(100,50), key="tcpnewwintext")]]
400 |     window = sg.Window("HTTP2 STREAM", layout, modal=True, size=(1200, 600), resizable=True)
401 |     choice = None
402 |     while True:
403 |         event, values = window.read()
404 |         if event == "Exit" or event == sg.WIN_CLOSED:
405 |             break
406 |     window.close()
407 | 
408 | def load_tcp_streams(window):
409 |     global http2streams
410 |     global logdecodedtls
411 |     try:
412 |         os.remove(f".\\temp\\tcpstreamread.pcap")
413 |     except:
414 |         pass
415 |     scp.wrpcap(f".\\temp\\tcpstreamread.pcap", pkt_list)
416 |     global tcpstreams
417 |     tcpstreams = []
418 |     tcpstreamfilename = ".\\temp\\tcpstreamread.pcap"
419 |     cap1 = pyshark.FileCapture(
420 |         tcpstreamfilename,
421 |         display_filter="tcp.seq==1 && tcp.ack==1 && tcp.len==0",
422 |         keep_packets=True)
423 |     number_of_streams = 0
424 |     for pkt in cap1:
425 |         if pkt.highest_layer.lower() == "tcp" or pkt.highest_layer.lower() == "tls":
426 |             print(pkt.tcp.stream)
427 |             if int(pkt.tcp.stream) > number_of_streams:
428 |                 number_of_streams = int(pkt.tcp.stream) + 1
429 |     for i in range(0, number_of_streams):
430 |         tcpstreams.append(i)
431 |     window["-tcpstreams-"].update(values=[])
432 |     window["-tcpstreams-"].update(values=tcpstreams)
433 | 
434 |     if logdecodedtls == True:
435 |         http2streams = []
436 |         cap2 = pyshark.FileCapture(
437 |         tcpstreamfilename,
438 |         display_filter="http2.streamid",
439 |         keep_packets=True)
440 |         #numberofhttp2streams = 0
441 |         for pkt in cap2:
442 |             field_names = pkt.http2._all_fields
443 |             for field_name in field_names:
444 |                 http2_stream_id = {val for key, val in field_names.items() if key == 'http2.streamid'}
445 |                 http2_stream_id = "".join(http2_stream_id)
446 |             #x1 = str(pkt.http2.stream).split(", ")
447 |             #print(x1)
448 |             #streamid = int(x1[1].strip().split(":")[1].strip())
449 |             #print(streamid)
450 |             if http2_stream_id not in http2streams:
451 |                 http2streams.append(http2_stream_id)
452 |         window['-http2streams-'].update(values=http2streams)
453 |         pass
454 | 
455 | 
456 | def show_http2_stream(window, streamno):
457 |     
458 |     tcpstreamfilename = ".\\temp\\tcpstreamread.pcap"
459 |     cap3 = pyshark.FileCapture(
460 |             tcpstreamfilename,
461 |             # display_filter = f'http2.streamid eq {str(http2streamindex)}',
462 |             display_filter = f'http2.streamid eq {str(streamno)}',
463 |             override_prefs={'ssl.keylog_file': SSLLOGFILEPATH}
464 |         )
465 |     #print(cap3[0].http2.stream)
466 |     dat = ""
467 |     decode_hex = codecs.getdecoder("hex_codec")
468 |     http_payload = bytes()
469 |     for pkt in cap3:
470 |         # for x in pkt[pkt.highest_layer]._get_all_field_lines():
471 |         #     print(x)
472 |         #try:
473 |         try:
474 |             payload = pkt["TCP"].payload
475 |             http_payload += scp.raw(payload)
476 |             #does literally nothing because we do not know the encoding format of the payload so scp.raw returns type error
477 |         except:
478 |             pass
479 | 
480 |         print(pkt.http2.stream)
481 |         if ("DATA" not in pkt.http2.stream):
482 |             http2headerdat = ''
483 |             rawvallengthpassed = False
484 |             print(pkt.http2._all_fields.items())
485 |             for field, val in pkt.http2._all_fields.items():
486 |                 if rawvallengthpassed == False:
487 |                     if field == 'http2.header.name.length':
488 |                         rawvallengthpassed = True
489 |                 else:
490 |                     #if field.split(".")[-1] != "headers":
491 |                     http2headerdat += str(field.split(".")[-1]) + " : " + str(val) + " \n"
492 |                     print(http2headerdat)
493 |             dat += "\n" + http2headerdat
494 |             # httpdat = "".join("".join({val for key,val in pkt.http2._all_fields.items() if key == 'http2.data.data'}).split(":"))
495 |             # httpdatdecoded = decode_hex(httpdat)[0]
496 |             # dat += httpdatdecoded
497 |             # dat = pkt.pretty_print
498 |             # payload = pkt.http2.payload
499 |             # if hasattr(pkt,'http2'):
500 |             #     if hasattr(pkt.http2,'json_object'):
501 |             #         if hasattr(pkt.http2,'body_reassembled_data'):
502 |             #             avp=json.loads(codecs.decode(pkt.http2.body_reassembled_data.raw_value,'hex'))
503 |             # # encryptedapplicationdata_hex = "".join(payload.split(":")[0:len(payload.split(":"))])
504 |             # # encryptedapplicationdata_hex_decoded = decode_hex(encryptedapplicationdata_hex)[0]
505 |             # # dat += encryptedapplicationdata_hex_decoded
506 |             #             dat += avp
507 |             #print(encryptedapplicationdata_hex_decoded)
508 |         # except Exception as ex:
509 |         #     print(ex)
510 |     
511 |     if len(http_payload):
512 |         http_headers = get_http_headers(http_payload)
513 | 
514 |         if http_headers is not None:
515 |             object_found, object_type = extract_object(http_headers, http_payload)
516 | 
517 |             dat += object_type + "\n" + object_found + "\n"
518 | 
519 | 
520 |     print(dat)
521 |     formatteddat = dat
522 |     # formatteddat = str(dat, "ascii", "replace")
523 |     #show_tcp_stream_openwin(formatteddat)
524 |     print(formatteddat)
525 | 
526 |     show_http2_stream_openwin(formatteddat)
527 |     # os.remove(tcpstreamfilename)
528 |     #print(formatteddat)
529 |     pass
530 | 
531 | def show_tcpstream(window, streamno):
532 |     global SSLLOGFILEPATH
533 |     tcpstreamfilename = ".\\temp\\tcpstreamread.pcap"    
534 |     streamnumber = streamno
535 |     cap = pyshark.FileCapture(
536 |         tcpstreamfilename,
537 |         display_filter = 'tcp.stream eq %d' % streamnumber,
538 |         override_prefs={'ssl.keylog_file': SSLLOGFILEPATH}
539 |     )
540 |     dat = b""
541 |     decode_hex = codecs.getdecoder("hex_codec")
542 |     for pkt in cap:
543 |         # for x in pkt[pkt.highest_layer]._get_all_field_lines():
544 |         #     print(x)
545 |         try:
546 |             payload = pkt.tcp.payload
547 |             encryptedapplicationdata_hex = "".join(payload.split(":")[0:len(payload.split(":"))])
548 |             encryptedapplicationdata_hex_decoded = decode_hex(encryptedapplicationdata_hex)[0]
549 |             dat += encryptedapplicationdata_hex_decoded
550 |             #print(encryptedapplicationdata_hex_decoded)
551 |         except Exception as ex:
552 |             print(ex)
553 | 
554 |     formatteddat = str(dat, "ascii", "replace")
555 | 
556 |     # dat1 = ""
557 |     # try:
558 |     #     if pkt.http > 0:
559 |     #         dat1 += "Stream Index :" , str(pkt.tcp.stream) # to print stream index at the start
560 | 
561 |     #         dat1 += "\nHTTP LAYER :", str(pkt.http).replace('\\n', '').replace('\\r', '')
562 | 
563 |     # except:
564 |     #     pass
565 |     #show_tcp_stream_openwin(formatteddat)
566 |     if formatteddat.strip() == "" or len(str(formatteddat.strip)) < 1:
567 |         sg.PopupAutoClose("No data")
568 |     else:
569 |         show_tcp_stream_openwin(formatteddat)
570 |     # os.remove(tcpstreamfilename)
571 |     #print(formatteddat)
572 | 
573 | def yarascan(scanfile, rules):
574 |     matches = []
575 |     if os.path.getsize(scanfile) > 0:
576 |         for match in rules.match(scanfile):
577 |             matches.append({"name":match.rule, "meta":match.meta})
578 | 
579 |     return matches
580 | 
581 | def yarafilterstreams(window):      # window parameter for calling load_tcp_streams if necessary
582 |     
583 |     global yaraflagged_filenames
584 |     global reqfilepathbase
585 | 
586 |     yaraflagged_filenames = []
587 |     # check if pcap files already exist for captured streams
588 |     # pcap file names are tcpstreamread.pcap and httpstreamread.pcap
589 |     # they are stored in ./temp/
590 | 
591 |     if not os.path.isfile("./temp/tcpstreamread.pcap"):
592 |         load_tcp_streams(window)
593 |     if not os.path.isfile("./temp/httpstreamread.pcap"):
594 |         read_http()
595 |     
596 |     # tcpflow64 arguments 
597 |     # -a -r <pcapfile> -o <outputdir>
598 |     
599 |     # clear tcpflowdump directory
600 | 
601 |     dumpfiles = glob.glob(reqfilepathbase + "*")
602 |     for file in dumpfiles:
603 |         os.remove(file)
604 | 
605 |     # generate files for packet streams using tcpflow
606 |     subprocess.call("tcpflow64.exe -a -r temp/httpstreamread.pcap -o temp/tcpflowdump/", shell=True)
607 |     subprocess.call("tcpflow64.exe -a -r temp/tcpstreamread.pcap -o temp/tcpflowdump/", shell=True)
608 | 
609 |     yarafile = "./yararules/rules1.yara"
610 |     yararules = yara.compile(yarafile)      # compile yara rules
611 | 
612 |     
613 |     matchcount = 1
614 |     results = []
615 |     resultstxt = ""
616 |     for req in os.listdir(reqfilepathbase):
617 |         res = yarascan(os.path.join(reqfilepathbase, req), yararules)
618 |         if res:
619 |             for match in res:
620 |                 pprint.pprint(match)
621 |                 results.append({"ruleMatched":match["name"]})
622 |                 resultstxt += str(matchcount) + ". " + str(match["name"]) + "\n"
623 |                 matchcount += 1
624 |             if req != "report.xml":
625 |                 yaraflagged_filenames.append(str(match["name"]) + ":::" + req)  # ::: serves as separator
626 |     with open("yararesults.txt", "w") as resfile:                       # for filename and yara rule name
627 |         resfile.write(resultstxt)
628 |     for file in yaraflagged_filenames:
629 |         print(file)
630 |     window["-yaraflaggedstreams-"].update(values=yaraflagged_filenames) #update gui with yara flagged stream filenames
631 |     return
632 | 
633 | def show_yara_flagged(streamdat):
634 |     layout = [[sg.Multiline(streamdat, size=(100,50), key="yaranewwintext")]]
635 |     window = sg.Window("HTTP2 STREAM", layout, modal=True, size=(1200, 600), resizable=True)
636 |     choice = None
637 |     while True:
638 |         event, values = window.read()
639 |         if event == "Exit" or event == sg.WIN_CLOSED:
640 |             break
641 |     window.close()
642 | 
643 | def event_yaraflagged_selected(stream_idx):
644 |     yarafilename = stream_idx.split(":::")[1]
645 |     filepath = os.path.join(reqfilepathbase, yarafilename)
646 |     with open(filepath, "r", errors="ignore") as yaraflaggedfile:
647 |         yaraflagged_filedat = yaraflaggedfile.read()
648 |     show_yara_flagged(yaraflagged_filedat)
649 | 
650 | while True:
651 | 
652 |     print(suspiciouspackets)
653 | 
654 |     event, values = window.read()
655 |     if event == '-refreshrules-':
656 |         process_rules(readrules())
657 |     if event == "-startcap-":
658 |         updatepktlist = True
659 |         incomingpacketlist = []
660 |         inc_pkt_list = []
661 |         suspiciouspackets = []
662 |         suspacketactual = []
663 |         pktsummarylist = []
664 |         sus_readablepayloads = []
665 |         while True:
666 |             event, values = window.read(timeout=10)
667 |             if event == "-stopcap-":
668 |                 updatepktlist = False
669 |                 break
670 |             if event == '-refreshrules-':
671 |                 process_rules(readrules())
672 |             if event == sg.TIMEOUT_EVENT:
673 |                 #window['-pkts-'].update(pktsummarylist, scroll_to_index=len(pktsummarylist))
674 |                 window['-pkts-'].update(suspiciouspackets, scroll_to_index=len(suspiciouspackets))
675 |                 window['-pktsall-'].update(pktsummarylist, scroll_to_index=len(pktsummarylist))
676 |                 #window['-payloaddecoded-'].update(value=sus_readablepayloads[len(suspiciouspackets)])
677 |             if event in (None, 'Exit'):
678 |                 sys.exit()
679 |                 break
680 |             if event == '-pkts-' and len(values['-pkts-']):     # if a list item is chosen
681 |                 sus_selected = values['-pkts-']
682 |                 #sus_selected_index = int(sus_selected.split()[0][0:2])
683 |                 sus_selected_index = values[event][0]
684 |                 try:
685 |                     window["-tcpstreams-"].update(scroll_to_index=int(suspacketactual[sus_selected_index].tcp.stream))
686 |                 except:
687 |                     pass
688 |                 window['-payloaddecoded-'].update(value=sus_readablepayloads[sus_selected_index])
689 |                 # for i in range(100):
690 |                 #     print(sus_selected_index)
691 |                 #     print("\n")
692 |                 # print(sus_readablepayloads)
693 |             if event == '-pktsall-' and len(values['-pktsall-']):     # if a list item is chosen
694 |                 #pktselected = values['-pktsall-']
695 |                 pkt_selected_index = window["-pktsall-"].get_indexes()
696 |                 try:
697 |                     window["-tcpstreams-"].update(scroll_to_index=int(pkt_list[pkt_selected_index].tcp.stream))
698 |                 except:
699 |                     pass
700 |             #     #sus_selected_index = int(sus_selected.split()[0][0:2])
701 |             #     pktselectedindex = window['-pktsall-'].get_indexes()[0]
702 |             #     window['-payloaddecodedall-'].update(value=all_readablepayloads[pktselectedindex])
703 |             if event == "-showtcpstreamsbtn-":      # load tcp streams btn
704 |                 load_tcp_streams(window)
705 |             if event == "-tcpstreams-":
706 |                 streamindex = window["-tcpstreams-"].get_indexes()
707 |                 show_tcpstream(window, streamindex)
708 |             if event == "-http2streams-":
709 |                 http2streamindex = values[event][0]
710 |                 show_http2_stream(window, int(http2streamindex))
711 |             if event == "-showhttpstreamsbtn-":         # load http streams btn
712 |                 httpobjectindexes = []
713 |                 httpobjectactuals = []
714 |                 httpobjecttypes = []
715 |                 httpobjectindexes, httpobjectactuals, httpobjecttypes = read_http()
716 |                 window["-httpobjects-"].update(values=httpobjectindexes)
717 |             if event == "-httpobjects-":
718 |                 httpobjectindex = values[event][0]
719 |                 show_http2_stream_openwin(httpobjecttypes[httpobjectindex] + b"\n" + httpobjectactuals[httpobjectindex][:900])
720 |             if event == "-yarafilterstreamsbtn-":
721 |                 yarafilterstreams(window)
722 |             if event == "-yaraflaggedstreams-":
723 |                 yaraflaggedstream_idx = values[event][0]
724 |                 event_yaraflagged_selected(yaraflaggedstream_idx)
725 | 
726 |     if event == "-yaraflaggedstreams-":
727 |         yaraflaggedstream_idx = values[event][0]
728 |         #print(yaraflaggedstream_idx)
729 |         event_yaraflagged_selected(yaraflaggedstream_idx)
730 | 
731 |     if event == "-yarafilterstreamsbtn-":
732 |         yarafilterstreams(window)
733 | 
734 |     if event == "-showhttpstreamsbtn-":
735 |         httpobjectindexes = []
736 |         httpobjectactuals = []
737 |         httpobjecttypes = []
738 |         httpobjectindexes, httpobjectactuals, httpobjecttypes = read_http()
739 |         window["-httpobjects-"].update(values=httpobjectindexes)
740 |     
741 |     if event == "-httpobjects-":
742 |         httpobjectindex = values[event][0]
743 |         show_http2_stream_openwin(httpobjecttypes[httpobjectindex] + b"\n" + httpobjectactuals[httpobjectindex][:900])
744 | 
745 |     if event == "-http2streams-":
746 |         http2streamindex = values[event][0]
747 |         print(http2streamindex)
748 |         show_http2_stream(window, str(int(http2streamindex)))
749 |     if event == '-pktsall-' and len(values['-pktsall-']):     # if a list item is chosen
750 |         #pktselected = values['-pktsall-']
751 |         pkt_selected_index = window["-pktsall-"].get_indexes()[0]
752 |         try:
753 |             window["-tcpstreams-"].update(scroll_to_index=int(pkt_list[pkt_selected_index].tcp.stream))
754 |         except:
755 |             pass
756 |     if event == '-savepcap-':
757 |         pcapname = "nettrafic"
758 |         scp.wrpcap(f'.\\savedpcap\\{pcapname}.pcap', inc_pkt_list)
759 |     if event == '-pkts-' and len(values['-pkts-']):     # if a list item is chosen
760 |         sus_selected = values['-pkts-']
761 |         #sus_selected_index = int(sus_selected.split()[0][0:2])
762 |         sus_selected_index = window['-pkts-'].get_indexes()[0]
763 |         try:
764 |             window["-tcpstreams-"].update(scroll_to_index=int(suspacketactual[sus_selected_index].tcp.stream))
765 |         except:
766 |             pass
767 |         window['-payloaddecoded-'].update(value=sus_readablepayloads[sus_selected_index])
768 |     if event == "-showtcpstreamsbtn-":
769 |         load_tcp_streams(window)    
770 |     if event == "-tcpstreams-":
771 |         streamindex = window["-tcpstreams-"].get_indexes()
772 |         show_tcpstream(window, streamindex)            
773 |     # if event == '-pktsall-' and len(values['-pktsall-']):     # if a list item is chosen
774 |     #             pktselected = values['-pktsall-']
775 |     #             #sus_selected_index = int(sus_selected.split()[0][0:2])
776 |     #             pktselectedindex = window['-pktsall-'].get_indexes()[0]
777 |     #             window['-payloaddecodedall-'].update(value=all_readablepayloads[pktselectedindex])
778 |     if event in (None, 'Exit'):
779 |         break
780 |     
781 | 
782 | 
783 | window.close()
784 | 
785 | # port lookup for rule writing
786 | # >>> from socket import getservbyname, getservbyport
787 | # >>> getservbyname("ssh")
788 | # 22
789 | # >>> getservbyname("domain", "udp")
790 | # 53
791 | # >>> getservbyname("https", "tcp")
792 | # 443
793 | 


--------------------------------------------------------------------------------
/NIDS_python-main/nids_eel.py:
--------------------------------------------------------------------------------
  1 | import eel
  2 | import scapy.all as scp
  3 | import codecs
  4 | # import PySimpleGUI as sg
  5 | import os
  6 | import threading
  7 | import sys
  8 | import pyshark
  9 | import socket
 10 | import scapy.arch.windows as scpwinarch
 11 | import json
 12 | import logging
 13 | logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
 14 | import re
 15 | import ipaddress
 16 | import subprocess
 17 | import yara
 18 | import pprint
 19 | import glob
 20 | import time
 21 | import json
 22 | 
 23 | eel.init("nidsweb")
 24 | 
 25 | def readrules():
 26 |     rulefile = "rules.txt"
 27 |     ruleslist = []
 28 |     with open(rulefile, "r") as rf:
 29 |         ruleslist = rf.readlines()
 30 |     rules_list = []
 31 |     for line in ruleslist:
 32 |         if line.startswith("alert"):
 33 |             rules_list.append(line)
 34 |     print(rules_list)
 35 |     return rules_list
 36 | 
 37 | alertprotocols = []
 38 | alertdestips = []
 39 | alertsrcips = []
 40 | alertsrcports = []
 41 | alertdestports = []
 42 | alertmsgs = []
 43 | 
 44 | # rule format --> "alert [srcip] [srcport] --> [dstip] [dstport] [msg]" [msg] may include spaces and is not within quotes
 45 | 
 46 | def process_rules(rulelist):
 47 |     global alertprotocols
 48 |     global alertdestips
 49 |     global alertsrcips
 50 |     global alertsrcports
 51 |     global alertdestports
 52 |     global alertmsgs
 53 |     alertprotocols = []
 54 |     alertdestips = []
 55 |     alertsrcips = []
 56 |     alertsrcports = []
 57 |     alertdestports = []
 58 |     alertmsgs = []
 59 |     for rule in rulelist:
 60 |         rulewords = rule.split()
 61 |         if rulewords[1] != "any":
 62 |             protocol = rulewords[1]
 63 |             alertprotocols.append(protocol.lower())
 64 |         else:
 65 |             alertprotocols.append("any")
 66 |         if rulewords[2] != "any":
 67 |             srcip = rulewords[2]
 68 |             alertsrcips.append(srcip.lower())
 69 |         else:
 70 |             alertsrcips.append("any")
 71 |         if rulewords[3] != "any":
 72 |             srcport = int(rulewords[3])
 73 |             alertsrcports.append(srcport)
 74 |         else:
 75 |             alertsrcports.append("any")
 76 |         if rulewords[5] != "any":
 77 |             destip = rulewords[5]
 78 |             alertdestips.append(destip.lower())
 79 |         else:
 80 |             alertdestips.append("any")
 81 |         if rulewords[6] != "any":
 82 |             destport = rulewords[6]
 83 |             alertdestports.append(destport.lower())
 84 |         else:
 85 |             alertdestports.append("any")
 86 |         try:
 87 |             alertmsgs.append(" ".join([rulewords[x] for x in range(7, len(rulewords))]))
 88 |         except:
 89 |             pass    
 90 | 
 91 |     print(alertprotocols)
 92 |     print(alertdestips)
 93 |     print(alertsrcips)
 94 |     print(alertsrcports)
 95 |     print(alertdestports)
 96 |     print(alertmsgs)
 97 | 
 98 | process_rules(readrules())
 99 | 
100 | deviceiplist = []
101 | for route in scp.read_routes():
102 |     if str(route[4]) not in deviceiplist:
103 |         deviceiplist.append(str(route[4]))
104 |         print(str(route[4]))
105 | 
106 | pktsummarylist = []
107 | suspiciouspackets = []
108 | suspacketactual = []
109 | lastpacket = ""
110 | sus_readablepayloads = []
111 | all_readablepayloads = []
112 | tcpstreams = []
113 | SSLLOGFILEPATH = "C:\\Users\\mainak\\ssl1.log"
114 | http2streams=[]
115 | logdecodedtls = True
116 | httpobjectindexes = []
117 | httpobjectactuals = []
118 | httpobjecttypes = []
119 | yaraflagged_filenames = []
120 | reqfilepathbase = "./temp/tcpflowdump/"
121 | clearinglists = False
122 | yarafiltering_live = False
123 | 
124 | # updatepktlist = False
125 | updatepktlist = True
126 | pkt_list = []
127 | 
128 | 
129 | def get_http_headers(http_payload):
130 |     try:
131 |         headers_raw = http_payload[:http_payload.index(b"\r\n\r\n") + 2]
132 |         headers = dict(re.findall(b"(?P<name>.*?): (?P<value>.*?)\\r\\n", headers_raw))
133 | 
134 |     except ValueError as err:
135 |         logging.error('Could not find \\r\\n\\r\\n - %s' % err)
136 |         return None
137 |     except Exception as err:
138 |         logging.error('Exception found trying to parse raw headers - %s' % err)
139 |         logging.debug(str(http_payload))
140 |         return None
141 | 
142 |     if b"Content-Type" not in headers:
143 |         logging.debug('Content Type not present in headers')
144 |         logging.debug(headers.keys())
145 |         return None   
146 |     return headers
147 | 
148 | def extract_object(headers, http_payload):
149 |     object_extracted = None
150 |     object_type = None
151 | 
152 |     content_type_filters = [b'application/x-msdownload', b'application/octet-stream']
153 | 
154 |     try:
155 |         if b'Content-Type' in headers.keys():
156 |             #if headers[b'Content-Type'] in content_type_filters:              
157 |             object_extracted = http_payload[http_payload.index(b"\r\n\r\n") +4:]
158 |             object_type = object_extracted[:2]
159 |             logging.info("Object Type: %s" % object_type)
160 |             # else:
161 |             #     logging.debug('Content Type did not matched with filters - %s' % headers[b'Content-Type'])
162 |             #     if len(http_payload) > 10:
163 |             #         logging.debug('Object first 50 bytes - %s' % str(http_payload[:50]))
164 |         else: 
165 |             logging.info('No Content Type in Package')
166 |             logging.debug(headers.keys())
167 | 
168 |         if b'Content-Length' in headers.keys():
169 |             logging.info( "%s: %s" % (b'Content-Lenght', headers[b'Content-Length']))
170 |     except Exception as err:
171 |         logging.error('Exception found trying to parse headers - %s' % err)
172 |         return None, None
173 |     return object_extracted, object_type
174 | 
175 | def read_http():
176 |     objectlist = []
177 |     objectsactual = []
178 |     objectsactualtypes = []
179 |     objectcount = 0
180 |     global pkt_list
181 |     try:
182 |         os.remove(f".\\temp\\httpstreamread.pcap")
183 |     except:
184 |         pass
185 |     httppcapfile = f".\\temp\\httpstreamread.pcap"
186 |     scp.wrpcap(httppcapfile, pkt_list)
187 |     pcap_flow = scp.rdpcap(httppcapfile)
188 |     sessions_all = pcap_flow.sessions()
189 | 
190 |     for session in sessions_all:
191 |         http_payload = bytes()
192 |         for pkt in sessions_all[session]:
193 |             if pkt.haslayer("TCP"):
194 |                 if pkt["TCP"].dport == 80 or pkt["TCP"].sport == 80 or pkt["TCP"].dport == 8080 or pkt["TCP"].sport == 8080:
195 |                     if pkt["TCP"].payload:
196 |                         payload = pkt["TCP"].payload
197 |                         http_payload += scp.raw(payload)
198 |         if len(http_payload):
199 |             http_headers = get_http_headers(http_payload)
200 | 
201 |             if http_headers is None:
202 |                 continue
203 | 
204 |             object_found, object_type = extract_object(http_headers, http_payload)
205 | 
206 |             if object_found is not None and object_type is not None:
207 |                 objectcount += 1
208 |                 objectlist.append(objectcount-1)
209 |                 objectsactual.append(object_found)
210 |                 objectsactualtypes.append(object_type)
211 |     
212 |     return objectlist, objectsactual, objectsactualtypes
213 | 
214 | 
215 | def proto_name_by_num(proto_num):
216 |     for name,num in vars(socket).items():
217 |         if name.startswith("IPPROTO") and proto_num == num:
218 |             return name[8:]
219 |     return "Protocol not found"
220 | 
221 | def check_rules_warning(pkt):
222 |     global alertprotocols
223 |     global alertdestips
224 |     global alertsrcips
225 |     global alertsrcports
226 |     global alertdestports
227 |     global alertmsgs
228 |     global sus_readablepayloads
229 |     global updatepktlist
230 | 
231 |     if 'IP' in pkt:
232 |         try:
233 |             src = pkt['IP'].src
234 |             dest = pkt['IP'].dst
235 |             proto = proto_name_by_num(pkt['IP'].proto).lower()
236 |             #print(proto)
237 |             sport = pkt['IP'].sport
238 |             dport = pkt['IP'].dport
239 | 
240 |             for i in range(len(alertprotocols)):
241 |                 flagpacket = False
242 |                 if alertprotocols[i] != "any":
243 |                     chkproto = alertprotocols[i]
244 |                 else:
245 |                     chkproto = proto
246 |                 if alertdestips[i] != "any":
247 |                     chkdestip = alertdestips[i]
248 |                 else:
249 |                     chkdestip = dest
250 |                 if alertsrcips[i] != "any":
251 |                     chksrcip = alertsrcips[i]
252 |                 else:
253 |                     chksrcip = src
254 |                 if alertsrcports[i] != "any":
255 |                     chksrcport = alertsrcports[i]
256 |                 else:
257 |                     chksrcport = sport
258 |                 if alertdestports[i] != "any":
259 |                     chkdestport = alertdestports[i]
260 |                 else:
261 |                     chkdestport = dport
262 |                 
263 |                 # print("chk \n", str(chksrcip) , str(chkdestip) , str(chkproto) , str(chkdestport) , str(chksrcport))
264 |                 # print("act \n", str(src) , str(dest) , str(proto) , str(dport) , str(sport))
265 |                 
266 |                 if "/" not in str(chksrcip).strip() and "/" not in str(chkdestip).strip():
267 |                     if (str(src).strip() == str(chksrcip).strip() and str(dest).strip() == str(chkdestip).strip() and str(proto).strip() == str(chkproto).strip() and str(dport).strip() == str(chkdestport).strip() and str(sport).strip() == str(chksrcport).strip()):
268 |                         flagpacket = True
269 |                 if "/" in str(chksrcip).strip() and "/" in str(chkdestip).strip():
270 |                     if (ipaddress.IPv4Address(str(src).strip()) in ipaddress.IPv4Network(str(chksrcip).strip()) and ipaddress.IPv4Address(str(dest).strip()) in ipaddress.IPv4Network(str(chkdestip).strip()) and str(proto).strip() == str(chkproto).strip() and str(dport).strip() == str(chkdestport).strip() and str(sport).strip() == str(chksrcport).strip()):
271 |                         flagpacket = True
272 |                 if "/" in str(chksrcip).strip() and "/" not in str(chkdestip).strip():
273 |                     if (ipaddress.IPv4Address(str(src).strip()) in ipaddress.IPv4Network(str(chksrcip).strip()) and str(dest).strip() == str(chkdestip).strip() and str(proto).strip() == str(chkproto).strip() and str(dport).strip() == str(chkdestport).strip() and str(sport).strip() == str(chksrcport).strip()):
274 |                         flagpacket = True
275 |                 if "/" not in str(chksrcip).strip() and "/" in str(chkdestip).strip():                        
276 |                     if (str(src).strip() == str(chksrcip).strip() and ipaddress.IPv4Address(str(dest).strip()) in ipaddress.IPv4Network(str(chkdestip).strip()) and str(proto).strip() == str(chkproto).strip() and str(dport).strip() == str(chkdestport).strip() and str(sport).strip() == str(chksrcport).strip()):
277 |                         flagpacket = True
278 | 
279 |                 if flagpacket == True:
280 |                         # print("Match")
281 |                     if proto == "tcp":
282 |                         try:
283 |                             readable_payload = bytes(pkt['TCP'].payload).decode('UTF8','replace')
284 |                             sus_readablepayloads.append(readable_payload)
285 |                         except Exception as ex:
286 |                             sus_readablepayloads.append("Error getting tcp payload!!")
287 |                             print(ex)
288 |                             pass
289 |                     elif proto == "udp":
290 |                         try:
291 |                             readable_payload = bytes(pkt['UDP'].payload).decode('UTF8','replace')
292 |                             sus_readablepayloads.append(readable_payload)
293 |                         except Exception as ex:
294 |                             sus_readablepayloads.append("Error getting udp payload!!")
295 |                             print(ex)
296 |                             pass
297 |                     else:
298 |                         sus_readablepayloads.append("NOT TCP PACKET!!")
299 |                     # if updatepktlist:
300 |                     #     window['-payloaddecoded-'].update(value=sus_readablepayloads[len(suspiciouspackets)])
301 |                     return True, str(alertmsgs[i])
302 |         except:
303 |             pkt.show()
304 |         
305 |     # for protocol in alertprotocols:
306 |     #     if protocol.upper() in pkt:
307 |     #         pass
308 |     return False, ""
309 | 
310 | 
311 | def pkt_process(pkt):
312 |     global deviceiplist
313 |     global window
314 |     global updatepktlist
315 |     global suspiciouspackets
316 |     global all_readablepayloads
317 | 
318 |     pkt_summary = pkt.summary()
319 |         #print("\n", src, " : ", dest, "\n")
320 |         # if dest in deviceiplist:
321 |         #     print(f"\n[*] INCOMING PACKET from \n")
322 |         #     if updatepktlist:
323 |                 
324 |         #     lastpacket = pkt_summary
325 |         #     return pkt_summary
326 |     # pktsummaryown = ""
327 |     # try:
328 |     #     pktsummaryown = str(pkt["TCP"].time)
329 |     # except:
330 |     #     pass
331 |     pktsummarylist.append(f"{len(pktsummarylist)} " + pkt_summary)
332 |     pkt_list.append(pkt)
333 |     sus_pkt, sus_msg = check_rules_warning(pkt)
334 |     if sus_pkt == True:
335 |         suspiciouspackets.append(f"{len(suspiciouspackets)} {len(pktsummarylist) - 1}" + pkt_summary + f" MSG: {sus_msg}")
336 |         suspacketactual.append(pkt)
337 |         pktsummarylist[-1] = pktsummarylist[-1] + " suspkt_idx: " + str(len(suspiciouspackets) - 1)
338 | 
339 |     
340 |     # if 'IP' in pkt:
341 |     #     proto = proto_name_by_num(pkt['IP'].proto).lower()
342 |     #     if proto == "tcp":
343 |     #         try:
344 |     #             readable_payload = bytes(pkt['TCP'].payload).decode('UTF8','replace')
345 |     #             all_readablepayloads.append(readable_payload)
346 |     #         except Exception as ex:
347 |     #             all_readablepayloads.append("Error getting tcp payload!!")
348 |     #             print(ex)
349 |     #             pass
350 |     #     elif proto == "udp":
351 |     #         try:
352 |     #             readable_payload = bytes(pkt['UDP'].payload).decode('UTF8','replace')
353 |     #             all_readablepayloads.append(readable_payload)
354 |     #         except Exception as ex:
355 |     #             all_readablepayloads.append("Error getting udp payload!!")
356 |     #             print(ex)
357 |     #             pass
358 |     #     else:
359 |     #         all_readablepayloads.append("NOT TCP PACKET!!")
360 |     #     if updatepktlist:
361 |     #         window['-payloaddecodedall-'].update(value=all_readablepayloads[-1])
362 |         #print(suspiciouspackets)
363 |     #pkt.show()
364 | 
365 |     return
366 | 
367 | ifaces = [str(x["name"]) for x in scpwinarch.get_windows_if_list()]
368 | ifaces1 = [ifaces[6]].append(ifaces[0]) #Ether and VMnet8
369 | sniffthread = threading.Thread(target=scp.sniff, kwargs={"prn":pkt_process, "filter": "", "iface":ifaces[0:5]}, daemon=True)
370 | sniffthread.start()
371 | 
372 | # def show_tcp_stream_openwin(tcpstreamtext):
373 | #     layout = [[sg.Multiline(tcpstreamtext, size=(100,50), key="tcpnewwintext")]]
374 | #     window = sg.Window("TCPSTREAM", layout, modal=True, size=(1200, 600), resizable=True)
375 | #     choice = None
376 | #     while True:
377 | #         event, values = window.read()
378 | #         if event == "Exit" or event == sg.WIN_CLOSED:
379 | #             break
380 | #     window.close()
381 | 
382 | # def show_http2_stream_openwin(tcpstreamtext):
383 | #     layout = [[sg.Multiline(tcpstreamtext, size=(100,50), key="tcpnewwintext")]]
384 | #     window = sg.Window("HTTP2 STREAM", layout, modal=True, size=(1200, 600), resizable=True)
385 | #     choice = None
386 | #     while True:
387 | #         event, values = window.read()
388 | #         if event == "Exit" or event == sg.WIN_CLOSED:
389 | #             break
390 | #     window.close()
391 | 
392 | def load_tcp_streams(window=None):
393 |     global http2streams
394 |     global logdecodedtls
395 |     try:
396 |         os.remove(f".\\temp\\tcpstreamread.pcap")
397 |     except:
398 |         pass
399 |     scp.wrpcap(f".\\temp\\tcpstreamread.pcap", pkt_list)
400 |     global tcpstreams
401 |     tcpstreams = []
402 |     tcpstreamfilename = ".\\temp\\tcpstreamread.pcap"
403 |     cap1 = pyshark.FileCapture(
404 |         tcpstreamfilename,
405 |         display_filter="tcp.seq==1 && tcp.ack==1 && tcp.len==0",
406 |         keep_packets=True)
407 |     number_of_streams = 0
408 |     for pkt in cap1:
409 |         if pkt.highest_layer.lower() == "tcp" or pkt.highest_layer.lower() == "tls":
410 |             print(pkt.tcp.stream)
411 |             if int(pkt.tcp.stream) > number_of_streams:
412 |                 number_of_streams = int(pkt.tcp.stream) + 1
413 |     for i in range(0, number_of_streams):
414 |         tcpstreams.append(i)
415 |     # window["-tcpstreams-"].update(values=[])
416 |     # window["-tcpstreams-"].update(values=tcpstreams)
417 | 
418 |     if logdecodedtls == True:
419 |         http2streams = []
420 |         cap2 = pyshark.FileCapture(
421 |         tcpstreamfilename,
422 |         display_filter="http2.streamid",
423 |         keep_packets=True)
424 |         #numberofhttp2streams = 0
425 |         for pkt in cap2:
426 |             field_names = pkt.http2._all_fields
427 |             for field_name in field_names:
428 |                 http2_stream_id = {val for key, val in field_names.items() if key == 'http2.streamid'}
429 |                 http2_stream_id = "".join(http2_stream_id)
430 |             #x1 = str(pkt.http2.stream).split(", ")
431 |             #print(x1)
432 |             #streamid = int(x1[1].strip().split(":")[1].strip())
433 |             #print(streamid)
434 |             if http2_stream_id not in http2streams:
435 |                 http2streams.append(http2_stream_id)
436 |         # window['-http2streams-'].update(values=http2streams)
437 |         pass
438 | 
439 | 
440 | def show_http2_stream(streamno, window=None):
441 |     
442 |     tcpstreamfilename = ".\\temp\\tcpstreamread.pcap"
443 |     cap3 = pyshark.FileCapture(
444 |             tcpstreamfilename,
445 |             display_filter = f'http2.streamid eq {str(streamno)}',
446 |             override_prefs={'ssl.keylog_file': SSLLOGFILEPATH}
447 |         )
448 |     #print(cap3[0].http2.stream)
449 |     dat = ""
450 |     decode_hex = codecs.getdecoder("hex_codec")
451 |     http_payload = bytes()
452 |     for pkt in cap3:
453 |         # for x in pkt[pkt.highest_layer]._get_all_field_lines():
454 |         #     print(x)
455 |         #try:
456 |         try:
457 |             payload = pkt["TCP"].payload
458 |             http_payload += scp.raw(payload)
459 |             #does literally nothing because we do not know the encoding format of the payload so scp.raw returns type error
460 |         except:
461 |             pass
462 | 
463 |         print(pkt.http2.stream)
464 |         if ("DATA" not in pkt.http2.stream):
465 |             http2headerdat = ''
466 |             rawvallengthpassed = False
467 |             print(pkt.http2._all_fields.items())
468 |             for field, val in pkt.http2._all_fields.items():
469 |                 if rawvallengthpassed == False:
470 |                     if field == 'http2.header.name.length':
471 |                         rawvallengthpassed = True
472 |                 else:
473 |                     #if field.split(".")[-1] != "headers":
474 |                     http2headerdat += str(field.split(".")[-1]) + " : " + str(val) + " \n"
475 |                     print(http2headerdat)
476 |             dat += "\n" + http2headerdat
477 |             # httpdat = "".join("".join({val for key,val in pkt.http2._all_fields.items() if key == 'http2.data.data'}).split(":"))
478 |             # httpdatdecoded = decode_hex(httpdat)[0]
479 |             # dat += httpdatdecoded
480 |             # dat = pkt.pretty_print
481 |             # payload = pkt.http2.payload
482 |             # if hasattr(pkt,'http2'):
483 |             #     if hasattr(pkt.http2,'json_object'):
484 |             #         if hasattr(pkt.http2,'body_reassembled_data'):
485 |             #             avp=json.loads(codecs.decode(pkt.http2.body_reassembled_data.raw_value,'hex'))
486 |             # # encryptedapplicationdata_hex = "".join(payload.split(":")[0:len(payload.split(":"))])
487 |             # # encryptedapplicationdata_hex_decoded = decode_hex(encryptedapplicationdata_hex)[0]
488 |             # # dat += encryptedapplicationdata_hex_decoded
489 |             #             dat += avp
490 |             #print(encryptedapplicationdata_hex_decoded)
491 |         # except Exception as ex:
492 |         #     print(ex)
493 |     
494 |     if len(http_payload):
495 |         http_headers = get_http_headers(http_payload)
496 | 
497 |         if http_headers is not None:
498 |             object_found, object_type = extract_object(http_headers, http_payload)
499 | 
500 |             dat += object_type + "\n" + object_found + "\n"
501 | 
502 | 
503 |     print(dat)
504 |     formatteddat = dat
505 |     # formatteddat = str(dat, "ascii", "replace")
506 |     #show_tcp_stream_openwin(formatteddat)
507 |     print(formatteddat)
508 | 
509 |     return formatteddat
510 |     # show_http2_stream_openwin(formatteddat)
511 |     
512 |     # os.remove(tcpstreamfilename)
513 |     #print(formatteddat)
514 |     # pass
515 | 
516 | def show_tcpstream(streamno, window=None):
517 |     global SSLLOGFILEPATH
518 |     tcpstreamfilename = ".\\temp\\tcpstreamread.pcap"    
519 |     streamnumber = streamno
520 |     cap = pyshark.FileCapture(
521 |         tcpstreamfilename,
522 |         display_filter = 'tcp.stream eq %d' % streamnumber,
523 |         override_prefs={'ssl.keylog_file': SSLLOGFILEPATH}
524 |     )
525 |     dat = b""
526 |     decode_hex = codecs.getdecoder("hex_codec")
527 |     for pkt in cap:
528 |         # for x in pkt[pkt.highest_layer]._get_all_field_lines():
529 |         #     print(x)
530 |         try:
531 |             payload = pkt.tcp.payload
532 |             encryptedapplicationdata_hex = "".join(payload.split(":")[0:len(payload.split(":"))])
533 |             encryptedapplicationdata_hex_decoded = decode_hex(encryptedapplicationdata_hex)[0]
534 |             dat += encryptedapplicationdata_hex_decoded
535 |             #print(encryptedapplicationdata_hex_decoded)
536 |         except Exception as ex:
537 |             print("showtcpstream excp!!!")
538 |             print(ex)
539 | 
540 |     formatteddat = str(dat, "ascii", "replace")
541 | 
542 |     # dat1 = ""
543 |     # try:
544 |     #     if pkt.http > 0:
545 |     #         dat1 += "Stream Index :" , str(pkt.tcp.stream) # to print stream index at the start
546 | 
547 |     #         dat1 += "\nHTTP LAYER :", str(pkt.http).replace('\\n', '').replace('\\r', '')
548 | 
549 |     # except:
550 |     #     pass
551 |     #show_tcp_stream_openwin(formatteddat)
552 | 
553 |     # if formatteddat.strip() == "" or len(str(formatteddat.strip)) < 1:
554 |     #     sg.PopupAutoClose("No data")
555 |     # else:
556 |     #     show_tcp_stream_openwin(formatteddat)
557 | 
558 |     if formatteddat.strip() == "" or len(str(formatteddat.strip)) < 1:
559 |         return "No Data"
560 |     else:
561 |         return formatteddat
562 |     
563 |     # os.remove(tcpstreamfilename)
564 |     #print(formatteddat)
565 | 
566 | def yarascan(scanfile, rules):
567 |     matches = []
568 |     if os.path.getsize(scanfile) > 0:
569 |         for match in rules.match(scanfile):
570 |             matches.append({"name":match.rule, "meta":match.meta})
571 | 
572 |     return matches
573 | 
574 | def yarafilterstreams(window=None):      # window parameter for calling load_tcp_streams if necessary
575 |     
576 |     global yaraflagged_filenames
577 |     global reqfilepathbase
578 | 
579 |     yaraflagged_filenames = []
580 |     # check if pcap files already exist for captured streams
581 |     # pcap file names are tcpstreamread.pcap and httpstreamread.pcap
582 |     # they are stored in ./temp/
583 | 
584 |     if not os.path.isfile("./temp/tcpstreamread.pcap"):
585 |         load_tcp_streams(window)
586 |     if not os.path.isfile("./temp/httpstreamread.pcap"):
587 |         read_http()
588 |     
589 |     # tcpflow64 arguments 
590 |     # -a -r <pcapfile> -o <outputdir>
591 |     
592 |     # clear tcpflowdump directory
593 | 
594 |     dumpfiles = glob.glob(reqfilepathbase + "*")
595 |     for file in dumpfiles:
596 |         os.remove(file)
597 | 
598 |     # generate files for packet streams using tcpflow
599 |     subprocess.call("tcpflow64.exe -a -r temp/httpstreamread.pcap -o temp/tcpflowdump/", shell=True)
600 |     subprocess.call("tcpflow64.exe -a -r temp/tcpstreamread.pcap -o temp/tcpflowdump/", shell=True)
601 | 
602 |     yarafile = "./yararules/rules1.yara"
603 |     yararules = yara.compile(yarafile)      # compile yara rules
604 | 
605 |     
606 |     matchcount = 1
607 |     results = []
608 |     resultstxt = ""
609 |     for req in os.listdir(reqfilepathbase):
610 |         res = yarascan(os.path.join(reqfilepathbase, req), yararules)
611 |         if res:
612 |             for match in res:
613 |                 pprint.pprint(match)
614 |                 results.append({"ruleMatched":match["name"]})
615 |                 resultstxt += str(matchcount) + ". " + str(match["name"]) + "\n"
616 |                 matchcount += 1
617 |             if req != "report.xml":
618 |                 yaraflagged_filenames.append(str(match["name"]) + ":::" + req)  # ::: serves as separator
619 |     with open("yararesults.txt", "w") as resfile:                       # for filename and yara rule name
620 |         resfile.write(resultstxt)
621 |     for file in yaraflagged_filenames:
622 |         print(file)
623 |         
624 |     # window["-yaraflaggedstreams-"].update(values=yaraflagged_filenames) #update gui with yara flagged stream filenames
625 |     
626 |     return
627 | 
628 | # def show_yara_flagged(streamdat):
629 | #     layout = [[sg.Multiline(streamdat, size=(100,50), key="yaranewwintext")]]
630 | #     window = sg.Window("HTTP2 STREAM", layout, modal=True, size=(1200, 600), resizable=True)
631 | #     choice = None
632 | #     while True:
633 | #         event, values = window.read()
634 | #         if event == "Exit" or event == sg.WIN_CLOSED:
635 | #             break
636 | #     window.close()
637 | 
638 | def event_yaraflagged_selected(stream_idx):
639 |     yarafilename = stream_idx.split(":::")[1]
640 |     filepath = os.path.join(reqfilepathbase, yarafilename)
641 |     with open(filepath, "r", errors="ignore") as yaraflaggedfile:
642 |         yaraflagged_filedat = yaraflaggedfile.read()
643 | 
644 |     # show_yara_flagged(yaraflagged_filedat)
645 | # updatepktlist = True
646 | # incomingpacketlist = []
647 | # inc_pkt_list = []
648 | # suspiciouspackets = []
649 | # suspacketactual = []
650 | # pktsummarylist = []
651 | # sus_readablepayloads = []
652 | 
653 | @eel.expose
654 | 
655 | def update_allpackets_gui():
656 |     global clearinglists
657 |     global updatepktlist
658 |     if clearinglists == False and updatepktlist == True:
659 |         global pktsummarylist
660 |         # print(pktsummarylist)
661 |         return pktsummarylist
662 | 
663 | @eel.expose
664 | 
665 | def update_allpackets_nidsflagged_gui():
666 |     global clearinglists
667 |     global updatepktlist
668 |     if clearinglists == False and updatepktlist == True:
669 |         global suspiciouspackets
670 |         # print(pktsummarylist)
671 |         return suspiciouspackets
672 | 
673 | @eel.expose
674 | 
675 | def refreshrules():
676 |     print("Refreshing rules")
677 |     try:
678 |         process_rules(readrules())
679 |         return
680 |     except:
681 |         print("Failed to refresh rules")
682 |         sys.exit(1)
683 | 
684 | @eel.expose
685 | 
686 | def pausecap():
687 |     global updatepktlist
688 |     updatepktlist = False
689 |     return
690 | 
691 | @eel.expose
692 | 
693 | def resumecap():
694 |     global updatepktlist
695 |     updatepktlist = True
696 | 
697 | @eel.expose
698 | 
699 | def clearall():
700 |     global clearinglists
701 |     clearinglists = True
702 |     global pktsummarylist
703 |     pktsummarylist = []
704 |     global suspiciouspackets
705 |     suspiciouspackets = []
706 |     global suspacketactual
707 |     suspacketactual = []
708 |     global lastpacket
709 |     lastpacket = ""
710 |     global sus_readablepayloads
711 |     sus_readablepayloads = []
712 |     global all_readablepayloads
713 |     all_readablepayloads = []
714 |     global tcpstreams
715 |     tcpstreams = []
716 |     global http2streams
717 |     http2streams=[]
718 |     global logdecodedtls
719 |     logdecodedtls = True
720 |     global httpobjectindexes
721 |     httpobjectindexes = []
722 |     global httpobjectactuals
723 |     httpobjectactuals = []
724 |     global httpobjecttypes
725 |     httpobjecttypes = []
726 |     global yaraflagged_filenames
727 |     yaraflagged_filenames = []
728 |     # updatepktlist = False
729 |     global updatepktlist
730 |     updatepktlist = True
731 |     global pkt_list
732 |     pkt_list = []
733 | 
734 |     # updatepktlist = True
735 |     global incomingpacketlist
736 |     incomingpacketlist = []
737 |     global inc_pkt_list
738 |     inc_pkt_list = []
739 |     # time.sleep(3)
740 |     clearinglists = False;
741 |     return
742 | 
743 | def show_nidsflagged_pkt_newwindow(pktstring):
744 |     subprocess.call("python show_packetdat.py 11236 " + pktstring.replace(" ", "").replace(":", "").replace(".", "").replace("/", "").replace(">", "_")+".pkt", shell=True)
745 | 
746 | @eel.expose
747 | 
748 | def show_nidsflagged_packet(pktstring):
749 |     global sus_readablepayloads
750 |     suspktindex = int(pktstring.split(" ")[0])
751 |     with open("temp/temppackets/"+pktstring.replace(" ", "").replace(":", "").replace(".", "").replace("/", "").replace(">", "_")+".pkt", "w", errors="ignore") as pktfile:
752 |         print(sus_readablepayloads[suspktindex])
753 |         pktfile.write(sus_readablepayloads[suspktindex])
754 |     # newthread1 = threading.Thread(target=show_nidsflagged_pkt_newwindow, kwargs={"pktstring": pktstring}, daemon=True)
755 |     # newthread1.start()
756 |     if sus_readablepayloads[suspktindex]:
757 |         return sus_readablepayloads[suspktindex]
758 |     return "No Data"
759 | 
760 | @eel.expose
761 | 
762 | def show_packet(pktstring):
763 |     global pkt_list
764 |     pktidx = int(pktstring.split(" ")[0])
765 |     packet = pkt_list[pktidx]
766 |     packet_dict = {}
767 |     for line in packet.show2(dump=True).split('\n'):
768 |         if '###' in line:
769 |             layer = line.strip('#[] ')
770 |             packet_dict[layer] = {}
771 |         elif '=' in line:
772 |             key, val = line.split('=', 1)
773 |             packet_dict[layer][key.strip()] = val.strip()
774 |     pktsummary = pktsummarylist[pktidx]
775 |     decd_pload = None
776 |     if "suspkt_idx" in pktsummary:
777 |         suspktindex = int(pktsummary.split(" ")[-1])
778 |         decd_pload = sus_readablepayloads[suspktindex]
779 |         packet_dict["Payload"] = decd_pload
780 |     filename = str(packet.summary()).replace(" ", "").replace(":", "").replace(".", "").replace("/", "").replace(">", "_") + ".json"
781 |     with open("temp/showpackettemp/" + filename, "w", errors="ignore") as pkt_json_file:
782 |         json.dump(packet_dict, pkt_json_file, ensure_ascii=False, indent=4)
783 |     showpkt_newthread = threading.Thread(target=sp_call_showpkt, kwargs={"jsonfilename":filename, "pktsummary":pktsummary}, daemon=True)
784 |     showpkt_newthread.start()
785 |     return
786 | 
787 | def sp_call_showpkt(jsonfilename, pktsummary):
788 |     subprocess.call("python show_packetdat.py 11236 " + jsonfilename + " \"PACKET: " + pktsummary + "\"", shell=True)
789 | 
790 | 
791 | @eel.expose
792 | 
793 | def show_mainstream_packet(pktstring_mainstream):
794 |     global pkt_list
795 |     pktindex = int(pktstring_mainstream.split(" ")[0])
796 |     pktobject = pkt_list[pktindex]
797 |     pktsummary = pktsummarylist[pktindex]
798 |     suspkt = None
799 |     suspkt_summary = None
800 |     decd_pload = None
801 |     if "suspkt_idx" in pktsummary:
802 |         suspktindex = int(pktsummary.split(" ")[-1])
803 |         suspkt = suspacketactual[suspktindex]
804 |         suspkt_summary = suspiciouspackets[suspktindex]
805 |         decd_pload = sus_readablepayloads[suspktindex]
806 |     pprint.pprint(pktobject)
807 |     try:
808 |         # raw = pktobject["Raw"].load.decode(errors="ignore")
809 |         raw = pktobject["Raw"].load
810 |     except Exception as e:
811 |         raw = "None"
812 |         print(e)
813 |     print("RAW: " + str(raw))
814 | 
815 |     pktid = pktsummary.replace(":", "").replace(".", "").replace("/", "").replace(">", "_")
816 |     try:
817 |         srcip = pktobject["IP"].src
818 |     except:
819 |         srcip = pktobject[0].src
820 |     try:
821 |         dstip = pktobject["IP"].dst
822 |     except:
823 |         dstip = pktobject[0].dst
824 |     try:
825 |         proto = pktobject["IP"].proto
826 |         proto = proto_name_by_num(proto)
827 |     except:
828 |         proto = pktobject[0].type
829 |     # pprint.pprint(decd_pload)
830 |     ret_array = {
831 |         "pktid" : pktid,
832 |         "srcip" : srcip,
833 |         "destip": dstip,
834 |         "proto" : proto,
835 |         "payload" : "None",
836 |         "raw" : str(raw),
837 |     }
838 |     if suspkt is not None:
839 |         ret_array["payload"] = decd_pload
840 |     # print(ret_array)
841 |     return ret_array
842 | 
843 | @eel.expose
844 | 
845 | def load_streams():
846 |     
847 |     # load tcp/http2 streams
848 |     global tcpstreams
849 |     global http2streams
850 | 
851 |     load_tcp_streams()
852 | 
853 |     # load http streams (decoded with tls session keys)
854 |     httpobjectindexes, httpobjectactuals, httpobjecttypes = read_http()
855 | 
856 |     streams_ret_array = ["HTTP STREAM ::: " + str(stream_idx) for stream_idx in httpobjectindexes]
857 |     for tcpstream in tcpstreams:
858 |         streams_ret_array.append("TCP STREAM ::: " + str(tcpstream))
859 |     for http2stream in http2streams:
860 |         streams_ret_array.append("HTTP2 STREAM ::: " + str(http2stream))
861 |     pprint.pprint(streams_ret_array)
862 |     return streams_ret_array
863 | 
864 | @eel.expose
865 | 
866 | def show_stream_data(streamid):
867 |     global httpobjectindexes
868 |     global httpobjectactuals
869 |     global httpobjecttypes
870 |     
871 |     stream_idx = int(streamid.split(":::")[-1].strip())
872 |     streamtype = streamid.split(":::")[0].strip().split("STREAM")[0].strip()
873 |     validstreamtypes = ["HTTP", "TCP", "HTTP2"]
874 |     if streamtype in validstreamtypes:
875 |         if streamtype == "TCP":
876 |             streamdat = show_tcpstream(streamno=stream_idx)
877 |             return streamdat
878 |         if streamtype == "HTTP":
879 |             streamdat = httpobjectactuals[stream_idx]
880 |             return streamdat
881 |         if streamtype == "HTTP2":
882 |             streamdat = show_http2_stream(streamno=stream_idx)
883 |             return streamdat
884 |     return "Failed to fetch stream data!!!" # now show this returned data in nidsweb modal element
885 | 
886 | eel.start("index.html", port=11235)


--------------------------------------------------------------------------------
/NIDS_python-main/nidsshowpacket/index.html:
--------------------------------------------------------------------------------
 1 | <!-- <!DOCTYPE html>
 2 | <html lang="en">
 3 | <head>
 4 |     <meta charset="UTF-8">
 5 |     <meta name="viewport" content="width=device-width, initial-scale=1.0">
 6 |     <script type="text/javascript" src="eel.js"></script>
 7 |     <script type="text/javascript" src="./script.js"></script>
 8 |     <link rel="stylesheet" href="styles.css">
 9 |     <title>NIDS 2.0</title>
10 | 
11 | </head>
12 | <body>
13 |     <div class="container">
14 |         <div class="sidebar">
15 |         </div>
16 |         <div class="main-content">
17 |             <div class="grid-container-main">
18 |                 <div class="main-pkt-dat" id="mainpktdatcont"></div>
19 |             </div>
20 |         </div>
21 |     </div>
22 | </body>
23 | </html> -->
24 | 
25 | <!DOCTYPE html>
26 | <html lang="en">
27 |     <head>
28 |         <meta charset="UTF-8">
29 |         <meta name="viewport" content="width=device-width, initial-scale=1.0">
30 |         <title>PACKET DATA</title>
31 |         <link rel="stylesheet" href="styles.css">
32 |         <script type="text/javascript" src="eel.js"></script>
33 |         <script type="text/javascript" src="./script.js"></script>
34 |     </head>
35 |     <body>
36 |         <div id="jsonViewer" class="jsonviewer_maincont"></div>
37 |     </body>
38 | </html>


--------------------------------------------------------------------------------
/NIDS_python-main/nidsshowpacket/script.js:
--------------------------------------------------------------------------------
 1 | // window.onload = async function(){
 2 | //     var pktdat_container = document.getElementById("mainpktdatcont");
 3 | //     // alert("waiting for dat");
 4 | //     let pktdat = await eel.get_packetdat()();
 5 | //     // alert("dat received");
 6 | //     pktdat_container.innerHTML = pktdat;
 7 | //     // alert("dat set");
 8 |     
 9 | // };
10 | 
11 | window.onload = async function(){
12 |     let pagetitle = await eel.ret_pktsummaryname()();
13 |     document.title = pagetitle;
14 | };
15 | 
16 | document.addEventListener("DOMContentLoaded", async function() {
17 |     const jsonViewer = document.getElementById("jsonViewer");
18 |   
19 |     // Example JSON data
20 |     // const jsonData = {
21 |     //   "name": "John",
22 |     //   "age": 30,
23 |     //   "city": "New York",
24 |     //   "children": ["Anna", "Peter", "Tom"]
25 |     // };
26 | 
27 |     let jsonData = await eel.get_packetdat()();
28 |   
29 |     // Function to create JSON viewer
30 |     function createJSONViewer(data, container) {
31 |       container.innerHTML = ""; // Clear existing content
32 |   
33 |       function createNode(key, value, parent) {
34 |         const node = document.createElement("div");
35 |         node.classList.add("json-node");
36 |   
37 |         if (typeof value === "object") {
38 |           node.classList.add("collapsed");
39 |           node.innerHTML = `<span class="json-property">${key}</span>: <span class="json-value">${typeof value}</span>`;
40 |           const objectNode = document.createElement("div");
41 |           objectNode.classList.add("json-object");
42 |           node.appendChild(objectNode);
43 |           node.addEventListener("click", function() {
44 |             if (node.classList.contains("collapsed")) {
45 |               node.classList.remove("collapsed");
46 |               node.classList.add("expanded");
47 |               objectNode.innerHTML = "";
48 |               Object.entries(value).forEach(([k, v]) => {
49 |                 createNode(k, v, objectNode);
50 |               });
51 |             } else {
52 |               node.classList.remove("expanded");
53 |               node.classList.add("collapsed");
54 |               objectNode.innerHTML = "";
55 |             }
56 |           });
57 |         } else {
58 |           node.innerHTML = `<span class="json-property">${key}</span>: <span class="json-value">${JSON.stringify(value)}</span>`;
59 |         }
60 |   
61 |         parent.appendChild(node);
62 |       }
63 |   
64 |       // Iterate over JSON data and create nodes
65 |       Object.entries(data).forEach(([key, value]) => {
66 |         createNode(key, value, container);
67 |       });
68 |     }
69 |   
70 |     // Create JSON viewer
71 |     createJSONViewer(jsonData, jsonViewer);
72 |   });
73 |   


--------------------------------------------------------------------------------
/NIDS_python-main/nidsshowpacket/styles.css:
--------------------------------------------------------------------------------
  1 | /* Styles for JSON Viewer */
  2 | .json-node {
  3 |     margin-left: 20px;
  4 | }
  5 | 
  6 | .json-node.expanded:before {
  7 |     content: "-";
  8 |     cursor: pointer;
  9 | }
 10 | 
 11 | .json-node.collapsed:before {
 12 |     content: ">";
 13 |     cursor: pointer;
 14 | }
 15 | 
 16 | .json-property {
 17 |     color: rgb(0, 0, 0);
 18 | }
 19 | 
 20 | .json-value {
 21 |     color: rgb(0, 0, 0);
 22 | }
 23 | 
 24 | .json-object {
 25 |     margin-left: 20px;
 26 |     margin-right: 20px;
 27 |     margin-top: 5px;
 28 | }
 29 | 
 30 | 
 31 | .jsonviewer_maincont{
 32 |     width:95%;
 33 |     height: 90vh;
 34 |     margin: 20px;
 35 |     background-color: aliceblue;
 36 |     display: inline-block;
 37 |     overflow-y: auto;
 38 |     overflow-wrap: break-word;
 39 |     word-wrap: break-word;
 40 | }
 41 | 
 42 | .teststyle{
 43 |     background-color: #a03939b0;
 44 | }
 45 | 
 46 | body {
 47 |     font-family: Arial, sans-serif;
 48 |     margin: 0;
 49 |     padding: 0;
 50 |     background-color: #333;
 51 |     /* flex-wrap: wrap; */
 52 |     overflow-wrap: break-word;
 53 | }
 54 | 
 55 | .container {
 56 |     display: flex;
 57 |     flex-direction: row;
 58 | }
 59 | 
 60 | .sidebar {
 61 |     background-color: #333;
 62 |     color: #fff;
 63 |     min-width: 200px;
 64 |     padding-top: 5px;
 65 |     height: 100vh;
 66 |     max-width: 230px;
 67 | }
 68 | 
 69 | .main-content {
 70 |     display: flex;
 71 |     flex-direction: column;
 72 |     width: 100%;
 73 |     /* justify-content: space-evenly; */
 74 |     /* flex: 1; */
 75 | }
 76 | 
 77 | .options {
 78 |     list-style-type: none;
 79 |     padding: 0;
 80 | }
 81 | 
 82 | .grid-container-main {
 83 |     width: 98%;
 84 |     margin: 1px;
 85 |     display: flex;
 86 |     flex-direction: row;
 87 |     justify-content: space-between;
 88 |     border: 1px solid transparent; /* Set initial border */
 89 |     border-radius: 1px; /* Adjust as needed */
 90 |     box-shadow: 0 0 10px #00ffff; /* Neon color */
 91 |     animation: glow 1.5s infinite alternate;
 92 |     height: 98vh;
 93 |     padding: 2px;
 94 | }
 95 | 
 96 | .grid-container1 {
 97 |     width: 98%;
 98 |     margin: 5px;
 99 |     display: flex;
100 |     flex-direction: row;
101 |     justify-content:left;
102 |     border: 1px solid transparent; /* Set initial border */
103 |     border-radius: 10px; /* Adjust as needed */
104 |     box-shadow: 0 0 10px #00ffff; /* Neon color */
105 |     animation: glow 1.5s infinite alternate;
106 |     height: 48vh;
107 | }
108 | 
109 | 
110 | .grid-item2 {
111 |     /* width: calc(50% - 20px); */
112 |     width: 40%;
113 |     /* max-width: ; */
114 |     /* margin-bottom: 20px; */
115 |     margin: 1px;
116 |     background-color: #f0f0f0;
117 |     border-radius: 1px;
118 |     padding: 20px;
119 |     overflow-y: auto;
120 |     /* overflow-x: auto; */
121 |     /* white-space: nowrap; */
122 | 
123 | }
124 | 
125 | .grid-item3 {
126 |     /* width: calc(50% - 20px); */
127 |     /* width: 10%; */
128 |     /* max-width: ; */
129 |     /* margin-bottom: 20px; */
130 |     margin: 1px;
131 |     background-color: #f0f0f0;
132 |     border-radius: 1px;
133 |     padding: 20px;
134 |     overflow-y: auto;
135 |     /* overflow-x: auto; */
136 |     /* white-space: nowrap; */
137 | 
138 | }
139 | 
140 | .grid-item1 {
141 |     /* width: calc(50% - 20px); */
142 |     width: 50%;
143 |     display: inline-block;
144 |     /* max-width: ; */
145 |     /* margin-bottom: 20px; */
146 |     margin: 1px;
147 |     background-color: #f0f0f0;
148 |     border-radius: 1px;
149 |     padding: 1px;
150 |     overflow-y: auto;
151 |     overflow-x: auto;
152 |     /* white-space: nowrap; */
153 | 
154 | }
155 | 
156 | 
157 | .main-pkt-dat {
158 |     width: 99%;
159 |     /* margin-bottom: 20px; */
160 |     margin: 4px;
161 |     background-color: #f0f0f0;
162 |     border-radius: 1px;
163 |     /* padding: 2px; */
164 |     overflow-y: auto;
165 | }
166 | 
167 | .actionable_option{
168 |     width: 100%;
169 |     height: 5vh;
170 |     margin-bottom: 3px;
171 |     margin-top: 3px;
172 |     /* padding: 3px; */
173 |     text-align: center;
174 |     /* vertical-align: middle; */
175 |     background-color: #333;
176 |     color: antiquewhite;
177 | }
178 | 
179 | .actionable_option:hover{
180 |     background-color: #696969;
181 |     color: black;
182 | }


--------------------------------------------------------------------------------
/NIDS_python-main/nidsweb/index.html:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html lang="en">
 3 | <head>
 4 |     <meta charset="UTF-8">
 5 |     <meta name="viewport" content="width=device-width, initial-scale=1.0">
 6 |     <script type="text/javascript" src="eel.js"></script>
 7 |     <script type="text/javascript" src="./script.js"></script>
 8 |     <link rel="stylesheet" href="styles.css">
 9 |     <title>NIDS 2.0</title>
10 | 
11 | </head>
12 | <body>
13 |     <div class="container">
14 |         <div class="sidebar">
15 |             <div class="actionable_option" onclick="return resumecap();">START CAPTURES</div>
16 |             <div class="actionable_option" onclick="return stopcap();">STOP CAPTURES</div>
17 |             <div class="actionable_option" onclick="return refreshrules_call();">REFRESH RULES</div>
18 |             <div class="actionable_option" onclick="return loadstreams();">LOAD STREAMS</div>
19 |             <div class="actionable_option">YARA FILTER STREAMS</div>
20 |             <div class="actionable_option" onclick="return clearall();">CLEAR CAPTURES</div>
21 |         </div>
22 |         <div class="main-content">
23 |             <div id="stream_show_modal" class="modal">
24 |                 <!-- Modal content -->
25 |                 <span class="close" onclick="return close_stream_show_modal();">&times;</span>
26 |                 <div class="modal-content" id="stream_modalcontent">
27 |                     Although the Computer Science Department had joined the ARPANET in July 1983, this did not allow access to the Columbia community at large. Putting CU20B on the ARPANET was the first step in this direction (researchers from all schools and departments and CUCCA staff only, not students). CU20B's ARPANET hostname was COLUMBIA.ARPA. No other Columbia computers (except the ones in the CS department) were on the ARPANET, but of course CU20B had network connections to the other DEC-20s, some internal CUCCA machines, the campus DECnet and the external DECnet-based CCNET, and to BITNET. Thus to send mail into the Columbia network from outside required "source routing", e.g. user%CU20A@COLUMBIA.ARPA. For some years, CU20B was to serve as a mail gateway among these networks, using locally written software. Over the next year or two, CUCCA would purchase a VAX-11/750, called the Gateway VAX, and install it in the CS department, where it was connected to the CS ARPANET IMP and back to the CUCCA hosts via Ethernet. The Gateway VAX ran 4.2BSD UNIX and it made Internet e-mail available to the whole Columbia community, including students, for the first time. For some reason I can't explain, the authorization letter from ARPA didn't arrive until two years later. IBM PC/AT announced, the first IBM PC with memory protection. Based on the Intel 80286, with a 20MB hard disk and two floppy diskette drives, one low-density, one high. Battery powered BIOS configuration memory and clock. Up to 16MB memory. This was the first in the IBM PC line fully capable of running multitasking operating systems, and soon was host to a number of them (some companies had managed to produce Unix variants such as Xenix for the original IBM PC or XT on 8086 but these were not "sustainable".) Of course this machine was of great interest to the Columbia Computer Center, which was looking for ways to deploy desktop networked UNIX workstations for academic use, and we had some internally running different UNIX versions such as SCO Xenix/286. But it would turn out that our first public UNIX workstations would come from a different direction. Three HP-150 MS-DOS microcomputers and one Macintosh were installed in the 272A Engineering Terrace terminal room. They were not on any kind of network and had to be reserved by sign-up sheet. The HP-150s were an equipment grant from HP, along with some color pen plotters that were attached to them. They had touch-screens and integrated thermal printers. A version of Kermit was written to allow them to communicate with the central computers through PACX lines and transfer files to and from their 3.5-inch diskettes (the HP-150 was one of the first, if not the first PC to use the 3.5-inch rigid diskette). Graphic images where generated by software on the mainframes (such as DISSPLA/TELEGRAF on the DEC-20s and SASGRAPH on the IBMs), downloaded with Kermit, and sent to the plotters. 
28 |                 </div>
29 |               
30 |             </div>
31 |             <div class="grid-container">
32 |                 <div class="main-pkt-stream" id="mainpktstreamcont">
33 |                     <div id="anchorelement_mainpktstream" style="overflow-anchor: auto; height: 3px;">
34 |                     </div>
35 |                 </div>
36 |                 <div class="last-seld-pkt" id="lastpktcont"></div>
37 |             </div>
38 |             <div class="grid-container">
39 |                 <div class="grid-item1" id="nidsflaggedpackets">
40 |                     <div id="anchorelement_nidsflaggedpackets" style="overflow-anchor: auto; height: 3px;">
41 |                     </div>
42 |                 </div>
43 |                 <div class="grid-item2" id="gridbox2">Content 2</div>
44 |                 <div class="grid-item3" id="streamscont">Content 2</div>
45 |             </div>
46 |         </div>
47 |     </div>
48 | </body>
49 | </html>
50 | 


--------------------------------------------------------------------------------
/NIDS_python-main/nidsweb/script.js:
--------------------------------------------------------------------------------
  1 | var allpkts_prev = [];
  2 | var nidsflaggedpkts_prev = [];
  3 | var clearinglists = false;
  4 | 
  5 | function mainpkts_anchor_in_viewport(){
  6 |     var scrollableDiv1 = document.getElementById("mainpktstreamcont");
  7 |     var anchorelement1 = document.getElementById("anchorelement_mainpktstream");
  8 |     var rect1 = anchorelement1.getBoundingClientRect();
  9 |     var scrollableDivRect1 = scrollableDiv1.getBoundingClientRect();
 10 | 
 11 |     return (
 12 |         rect1.top + 1 >= scrollableDivRect1.top &&
 13 |         rect1.bottom - 1 <= scrollableDivRect1.bottom
 14 |     );
 15 | }
 16 | 
 17 | async function update_allpkts(){
 18 |     if (clearinglists == false){
 19 |         var mainpktsdiv = document.getElementById("mainpktstreamcont");
 20 |         // mainpktsdiv.innerHTML = "";
 21 |         let autoscroll_mainstream = "FALSE";
 22 |         let pktsummarylist = await eel.update_allpackets_gui()();
 23 |         var newpktsummarylist = pktsummarylist.filter(item => !allpkts_prev.includes(item));
 24 |         if(mainpkts_anchor_in_viewport()){
 25 |             autoscroll_mainstream = "TRUE";
 26 |         }
 27 |         newpktsummarylist.forEach(packetsummary => {
 28 |             var newpktdiv = document.createElement("div");
 29 |             newpktdiv.style.borderBottom = "1px solid black";
 30 |             newpktdiv.style.borderLeft = "1px solid black";
 31 |             newpktdiv.style.borderRight = "1px solid black";
 32 |             newpktdiv.innerText = " " + packetsummary;
 33 |             if (packetsummary.includes("suspkt_idx")){
 34 |                 newpktdiv.style.backgroundColor = "#a03939b0";
 35 |                 newpktdiv.style.color = "antiquewhite";
 36 |             }
 37 |             newpktdiv.onclick = async function(){
 38 |                 let pkt_data = await eel.show_mainstream_packet(packetsummary)();
 39 |                 // alert(pkt_data);
 40 |                 var gb2 = document.getElementById("lastpktcont");
 41 |                 gb2.innerHTML = "";
 42 |                 
 43 |                 var btnopenpacket = document.createElement("div");
 44 |                 btnopenpacket.id = pkt_data["pktid"];
 45 |                 btnopenpacket.innerHTML = "VIEW PACKET";
 46 |                 btnopenpacket.className = "openpkt_btn";
 47 |                 btnopenpacket.onclick = function(){
 48 |                     eel.show_packet(pkt_data["pktid"]);
 49 |                 };
 50 | 
 51 |                 var sourcechild = document.createElement("div");
 52 |                 var destchild = document.createElement("div");
 53 |                 var protochild = document.createElement("div");
 54 |                 var payloadchild = document.createElement("div");
 55 |                 var rawchild = document.createElement("div");
 56 | 
 57 |                 sourcechild.className = "pktdat_lastpktcont";
 58 |                 destchild.className = "pktdat_lastpktcont";
 59 |                 protochild.className = "pktdat_lastpktcont";
 60 |                 payloadchild.className = "pktdat_lastpktcont";
 61 |                 rawchild.className = "pktdat_lastpktcont";
 62 | 
 63 |                 sourcechild.innerHTML = "Source: " + pkt_data["srcip"];
 64 |                 destchild.innerHTML = "Destination: " + pkt_data["destip"];
 65 |                 protochild.innerHTML = "Protocol: " + pkt_data["proto"];
 66 |                 payloadchild.innerHTML = "Payload: " + pkt_data["payload"];
 67 |                 rawchild.innerHTML = "Raw: " + pkt_data["raw"];
 68 |   
 69 |                 gb2.appendChild(btnopenpacket);
 70 |                 gb2.appendChild(sourcechild);
 71 |                 gb2.appendChild(destchild);
 72 |                 gb2.appendChild(protochild);
 73 |                 gb2.appendChild(payloadchild);
 74 |                 gb2.appendChild(rawchild);
 75 | 
 76 |             };
 77 |             // mainpktsdiv.appendChild(newpktdiv);
 78 |             var mainstreamanchorelement = document.getElementById("anchorelement_mainpktstream");
 79 |             mainpktsdiv.insertBefore(newpktdiv, mainstreamanchorelement);
 80 |         });
 81 |         if(autoscroll_mainstream == "TRUE"){
 82 |             mainpktsdiv.scrollTop = mainpktsdiv.scrollHeight;
 83 |         }
 84 |         allpkts_prev = pktsummarylist;
 85 |     }
 86 | }
 87 | 
 88 | 
 89 | function suspkts_anchor_in_viewport(){
 90 |     var scrollableDiv = document.getElementById("nidsflaggedpackets");
 91 |     var anchorelement = document.getElementById("anchorelement_nidsflaggedpackets");
 92 |     var rect = anchorelement.getBoundingClientRect();
 93 |     var scrollableDivRect = scrollableDiv.getBoundingClientRect();
 94 | 
 95 |     return (
 96 |         rect.top >= scrollableDivRect.top &&
 97 |         rect.bottom <= scrollableDivRect.bottom
 98 |     );
 99 | }
100 | 
101 | async function update_nidsflaggedpkts(){
102 |     if (clearinglists ==  false){
103 |         var suspktsdiv = document.getElementById("nidsflaggedpackets");
104 |         // mainpktsdiv.innerHTML = "";
105 |         // suspktsdiv.classList.toggle("atBottom", isScrollAtBottom());
106 |         let autoscroll_suspkts = "FALSE";
107 |         let suspktslist = await eel.update_allpackets_nidsflagged_gui()();
108 |         var newsuspktslist = suspktslist.filter(item => !nidsflaggedpkts_prev.includes(item));
109 |         if(suspkts_anchor_in_viewport()){
110 |             autoscroll_suspkts = "TRUE";
111 |         }
112 |         newsuspktslist.forEach(suspacketsummary => {
113 |             var newsuspktdiv = document.createElement("div");
114 |             newsuspktdiv.style.backgroundColor = "#a03939b0";
115 |             newsuspktdiv.style.color = "antiquewhite";
116 |             // newsuspktdiv.style.borderTop = "1px solid black";
117 |             newsuspktdiv.style.borderBottom = "2px solid black"
118 |             newsuspktdiv.style.width = "100%";
119 |             newsuspktdiv.innerText = suspacketsummary;
120 |             // newsuspktdiv.style.overflowAnchor = "auto";
121 |             newsuspktdiv.onclick = async function(){
122 |                 let pktdata = await eel.show_nidsflagged_packet(suspacketsummary)();
123 |                 var gb2 = document.getElementById("lastpktcont");
124 |                 gb2.innerHTML = pktdata;
125 |             };
126 |             // let elemcnt1 = document.getElementById("nidsflaggedpackets").childElementCount;
127 |             var anchorelement = document.getElementById("anchorelement_nidsflaggedpackets");
128 |             suspktsdiv.insertBefore(newsuspktdiv, anchorelement);
129 |             // suspktsdiv.appendChild(newsuspktdiv);   
130 |         });
131 |         // if(Math.abs(suspktsdiv.scrollHeight - suspktsdiv.scrollTop - suspktsdiv.clientHeight) > 1){
132 |         //     suspktsdiv.style.overflowAnchor = "auto";
133 |         // }
134 |         
135 |         if(autoscroll_suspkts == "TRUE"){
136 |             // alert("updating scroll")    
137 |             suspktsdiv.scrollTop = suspktsdiv.scrollHeight;
138 |         }
139 |         
140 |         nidsflaggedpkts_prev = suspktslist;
141 |     }
142 | }
143 | 
144 | 
145 | function refreshrules_call(){
146 |     // alert("Refresh rules?");
147 |     eel.refreshrules();
148 |     // alert("Rules refreshed");
149 | }
150 | 
151 | async function stopcap(){
152 |     await eel.pausecap()();
153 | }
154 | 
155 | async function resumecap(){
156 |     await eel.resumecap()();
157 | }
158 | 
159 | async function clearall(){
160 |     clearinglists = true;
161 |     allpkts_prev = [];
162 |     nidsflaggedpkts_prev = [];
163 |     await eel.clearall()();
164 |     var suspktsdiv = document.getElementById("nidsflaggedpackets");
165 |     suspktsdiv.innerHTML = "";
166 |     var mainpktsdiv = document.getElementById("mainpktstreamcont");
167 |     mainpktsdiv.innerHTML = "";
168 |     // alert("Cleared...")
169 |     // await new Promise(r => setTimeout(r, 5000));
170 |     clearinglists = false;
171 |     await eel.resumecap()();
172 | }
173 | 
174 | async function loadstreams(){
175 |     let tcp_http_streams = await eel.load_streams()();
176 |     var streamcontdiv = document.getElementById("streamscont");
177 |     streamcontdiv.innerHTML = "";
178 |     tcp_http_streams.forEach(stream => {
179 |         var newstreamdiv = document.createElement("div");
180 |         newstreamdiv.style.borderBottom = "1px solid black";
181 |         newstreamdiv.style.borderLeft = "1px solid black";
182 |         newstreamdiv.style.borderRight = "1px solid black";
183 |         newstreamdiv.id = stream;
184 |         newstreamdiv.innerHTML = stream;
185 |         newstreamdiv.onclick = async function(){
186 |             var streamdat = await eel.show_stream_data(stream)();
187 |             var stream_modal_div = document.getElementById("stream_show_modal");
188 |             stream_modal_div.style.display = "block";
189 |             var modalcontentdiv = document.getElementById("stream_modalcontent");
190 |             modalcontentdiv.innerHTML = streamdat;
191 |         };
192 |         streamcontdiv.appendChild(newstreamdiv);
193 |     });
194 | }
195 | 
196 | function close_stream_show_modal(){
197 |     var modaldiv = document.getElementById("stream_show_modal");
198 |     modaldiv.style.display = "none";
199 | }
200 | 
201 | 
202 | setInterval(update_allpkts, 10)
203 | setInterval(update_nidsflaggedpkts, 10);
204 | 
205 | // window.onload = function(){
206 | //     var suspktsdivelement = document.getElementById("nidsflaggedpackets");
207 | //     var suspkt_anchorelem = document.createElement("div");
208 | //     suspkt_anchorelem.style.overflowAnchor = "auto";
209 | //     suspkt_anchorelem.style.height = "1px";
210 | //     suspktsdivelement.appendChild(suspkt_anchorelem);
211 | //     // suspktsdivelement.scroll(0, 1);
212 | // }
213 | 
214 | // window.onresize = function (){
215 | //     if (window.outerWidth < 1200 || window.outerHeight < 800){
216 | //         window.resizeTo(1200, 800);
217 | //     }
218 | // }


--------------------------------------------------------------------------------
/NIDS_python-main/nidsweb/styles.css:
--------------------------------------------------------------------------------
  1 | .teststyle{
  2 |     background-color: #a03939b0;
  3 | }
  4 | 
  5 | body {
  6 |     font-family: Arial, sans-serif;
  7 |     margin: 0;
  8 |     padding: 0;
  9 |     background-color: #333;
 10 | }
 11 | 
 12 | .container {
 13 |     display: flex;
 14 |     flex-direction: row;
 15 |     /* flex-grow: 0;
 16 |     flex-basis: 100%; */
 17 |     flex-wrap: wrap;
 18 |     /* max-width: 1080px; */
 19 |     /* overflow: hidden; */
 20 | }
 21 | 
 22 | .sidebar {
 23 |     background-color: #333;
 24 |     color: #fff;
 25 |     /* min-width: 200px; */
 26 |     width: 20%;
 27 |     padding-top: 5px;
 28 |     height: 100vh;
 29 |     /* max-width: 230px; */
 30 | }
 31 | 
 32 | .main-content {
 33 |     display: flex;
 34 |     flex-direction: column;
 35 |     width: 79.9%;
 36 |     /* justify-content: space-evenly; */
 37 |     /* flex: 1; */
 38 | }
 39 | 
 40 | .options {
 41 |     list-style-type: none;
 42 |     padding: 0;
 43 | }
 44 | 
 45 | .grid-container {
 46 |     width: 98%;
 47 |     margin: 1px;
 48 |     display: flex;
 49 |     flex-direction: row;
 50 |     justify-content: space-between;
 51 |     border: 1px solid transparent; /* Set initial border */
 52 |     border-radius: 1px; /* Adjust as needed */
 53 |     box-shadow: 0 0 10px #00ffff; /* Neon color */
 54 |     animation: glow 1.5s infinite alternate;
 55 |     height: 48vh;
 56 |     padding: 2px;
 57 |     /* overflow-anchor: none; */
 58 | }
 59 | 
 60 | .grid-container1 {
 61 |     width: 98%;
 62 |     margin: 5px;
 63 |     display: flex;
 64 |     flex-direction: row;
 65 |     justify-content:left;
 66 |     border: 1px solid transparent; /* Set initial border */
 67 |     border-radius: 10px; /* Adjust as needed */
 68 |     box-shadow: 0 0 10px #00ffff; /* Neon color */
 69 |     animation: glow 1.5s infinite alternate;
 70 |     height: 48vh;
 71 | }
 72 | 
 73 | 
 74 | .grid-item2 {
 75 |     /* width: calc(50% - 20px); */
 76 |     width: 35%;
 77 |     /* max-width: ; */
 78 |     /* margin-bottom: 20px; */
 79 |     margin: 1px;
 80 |     background-color: #f0f0f0;
 81 |     border-radius: 1px;
 82 |     padding: 20px;
 83 |     overflow-y: auto;
 84 |     /* overflow-x: auto; */
 85 |     /* white-space: nowrap; */
 86 | 
 87 | }
 88 | 
 89 | .grid-item3 {
 90 |     /* width: calc(50% - 20px); */
 91 |     /* width: 10%; */
 92 |     /* max-width: ; */
 93 |     /* margin-bottom: 20px; */
 94 |     margin: 1px;
 95 |     background-color: #f0f0f0;
 96 |     border-radius: 1px;
 97 |     padding: 1px;
 98 |     overflow-y: auto;
 99 |     font-size: small;
100 |     width: 15%;
101 |     /* overflow-x: auto; */
102 |     /* white-space: nowrap; */
103 | 
104 | }
105 | 
106 | .grid-item1 {
107 |     /* width: calc(50% - 20px); */
108 |     width: 50%;
109 |     /* height: 98%; */
110 |     overflow-y:scroll;
111 |     /* display: inline-block; */
112 |     /* max-width: ; */
113 |     /* margin-bottom: 20px; */
114 |     margin: 1px;
115 |     background-color: #f0f0f0;
116 |     border-radius: 1px;
117 |     padding: 1px;
118 |     /* overflow: auto; */
119 |     /* overflow-x: auto; */
120 |     /* overflow-anchor:none; */
121 |     /* overflow-anchor: none; */
122 |     /* scroll-behavior: smooth; */
123 |     /* white-space: nowrap; */
124 | 
125 | }
126 | 
127 | .anchorelement{
128 |     overflow-anchor: auto;
129 |     height: 1px;
130 |     position: relative;
131 |     bottom: 0;
132 | }
133 | 
134 | .pktdat_lastpktcont{
135 |     border-right: 1px solid black;
136 |     border-bottom: 1px solid black;
137 |     /* border-left: 1px solid black; */
138 |     width: 100%;
139 |     display: inline-block;
140 |     /* overflow-y: auto; */
141 |     overflow-wrap: break-word;
142 |     margin-right: 1px;
143 | }
144 | 
145 | .main-pkt-stream {
146 |     width: 60%;
147 |     max-width: 60%;
148 |     /* margin-bottom: 20px; */
149 |     margin: 4px;
150 |     background-color: #f0f0f0;
151 |     border-radius: 1px;
152 |     /* padding: 2px; */
153 |     overflow-y: scroll;
154 | }
155 | 
156 | .last-seld-pkt {
157 |     max-width: 39%;
158 |     min-width: 39%;
159 |     /* margin-bottom: 20px; */
160 |     margin: 4px;
161 |     background-color: #f0f0f0;
162 |     border-radius: 1px;
163 |     /* padding: 2px; */
164 |     overflow-y: auto;
165 |     overflow-x: hidden;
166 |     display: flex;
167 |     flex-direction: column;
168 |     /* padding-right: 1px; */
169 | }
170 | 
171 | .openpkt_btn{
172 |     width: 100%;
173 |     background-color: #696969;
174 |     color: antiquewhite;
175 |     /* margin-left: 4px; */
176 |     /* margin-right: 4px; */
177 |     margin-bottom: 4px;
178 |     text-align: center;
179 |     /* border: 2px solid white; */
180 | }
181 | 
182 | .openpkt_btn:hover{
183 |     background-color: azure;
184 |     color: #333;
185 | }
186 | 
187 | .actionable_option{
188 |     width: 100%;
189 |     height: 5vh;
190 |     margin-bottom: 3px;
191 |     margin-top: 3px;
192 |     /* padding: 3px; */
193 |     text-align: center;
194 |     /* vertical-align: middle; */
195 |     background-color: #333;
196 |     color: antiquewhite;
197 | }
198 | 
199 | .actionable_option:hover{
200 |     background-color: #696969;
201 |     color: black;
202 | }
203 | 
204 | .modal {
205 |     display: block; /* Hidden by default */
206 |     position: fixed; /* Stay in place */
207 |     z-index: 1; /* Sit on top */
208 |     left: 0;
209 |     top: 0;
210 |     width: 100%; /* Full width */
211 |     height: 95vh; /* Full height */
212 |     background-color: rgb(0,0,0); /* Fallback color */
213 |     background-color: rgba(0, 0, 0, 0.945); /* Black w/ opacity */
214 | }
215 | 
216 | .modal-content{
217 |     margin: 20px auto; /* 15% from the top and centered */
218 |     padding: 20px;
219 |     width: 90%;
220 |     overflow-y: auto;
221 |     height: 80%;
222 |     border: 1px solid transparent #333;
223 |     box-shadow: 0 0 10px #565a5a;
224 |     color: rgb(2, 137, 45);
225 |     overflow-wrap: break-word;
226 |     /* text-shadow: 0 0 1px #26e600, 0 0 1px #26e600, 0 0 1px #26e600, 0 0 1px #26e600, 0 0 1px #00ff22; */
227 |     font: bolder;
228 |     /* height: 95%; */
229 | }
230 | 
231 | .close {
232 |     color: #aaa;
233 |     position: absolute;
234 |     top: 5px;
235 |     right: 5px;
236 |     font-size: 28px;
237 |     font-weight: bold;
238 | }
239 | 
240 | .close:hover,
241 | .close:focus {
242 |     color: black;
243 |     text-decoration: none;
244 |     cursor: pointer;
245 | }


--------------------------------------------------------------------------------
/NIDS_python-main/rules.txt:
--------------------------------------------------------------------------------
1 | !alert udp any any -> any 53 DNS DNS DNS
2 | !alert udp any 53 -> any any DNS DNS DNS
3 | !alert tcp 192.168.0.0/24 any -> any any OUTGOING HOME NET RANGE READ
4 | !alert udp any any -> any any UDP ALERT
5 | alert tcp any any -> 192.168.0.0/24 any INCOMING HOME NET RANGE READ
6 | alert tcp any any -> any 8080 HTTP TRAFFIC
7 | alert tcp any 80 -> any any HTTP TRAFFIC
8 | alert tcp any any -> any 80 HTTP TRAFFIC


--------------------------------------------------------------------------------
/NIDS_python-main/show_packetdat.py:
--------------------------------------------------------------------------------
 1 | import eel
 2 | import sys
 3 | import json
 4 | import pprint
 5 | 
 6 | eel.init("nidsshowpacket")
 7 | 
 8 | def is_port_in_use(port: int) -> bool:
 9 |     import socket
10 |     with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
11 |         return s.connect_ex(('localhost', port)) == 0
12 | 
13 | portdefined = int(sys.argv[1])  # --> argv 1 is port number
14 | # portfree = is_port_in_use(portdefined)
15 | # while not portfree:
16 | #     portdefined += 1
17 | #     portfree = is_port_in_use(portdefined)
18 | 
19 | @eel.expose
20 | 
21 | def ret_pktsummaryname():
22 |     return sys.argv[3]
23 | 
24 | @eel.expose
25 | 
26 | def get_packetdat():
27 |     pktfile = "temp/showpackettemp/" + sys.argv[2]   # --> argv 2 is pktfile addr
28 |     with open(pktfile, "r") as pfile:
29 |         try:
30 |             # pktdat = pfile.read()
31 |             pktdat = json.load(pfile)
32 |         except:
33 |             pktdat = {"No Data":"No Data"}
34 |     # if pktdat.strip() == "":
35 |     #     pktdat = {"No Data":"No Data"}
36 |     # print("1")
37 |     pprint.pprint(pktdat)
38 |     return pktdat
39 | 
40 | eel.start("index.html", port=portdefined, size=(900, 500))


--------------------------------------------------------------------------------
/NIDS_python-main/temp/decrypthttp2.py:
--------------------------------------------------------------------------------
 1 | import pyshark
 2 | 
 3 | key_path = "C:\\Users\\sengu\\ssl1.log"
 4 | pcap_file = 'tcpstreamread.pcap'
 5 | 
 6 | 
 7 | cap = pyshark.FileCapture(pcap_file,
 8 |                           display_filter="http2.streamid eq 5",
 9 |                           override_prefs={'ssl.keylog_file': key_path})
10 | 
11 | dat = ''
12 | rawvallengthpassed = False
13 | for field, val in cap[0].http2._all_fields.items():
14 |     # if rawvallengthpassed == False:
15 |     #     if field == 'http2.header.name.length':
16 |     #         rawvallengthpassed = True
17 |     # else:
18 |     dat += str(field.split(".")[-1]) + " : " + str(val) + " \n\n"
19 | 
20 | print(dat)
21 | 
22 | 


--------------------------------------------------------------------------------
/NIDS_python-main/temp/httpstreamread.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/googleboy-byte/NIDS_python/ea184614eeefb6f84fc76fcfb94ca9d4086fc074/NIDS_python-main/temp/httpstreamread.pcap


--------------------------------------------------------------------------------
/NIDS_python-main/temp/showpackettemp/EtherIPv6UDPfe801e61b4fffe08d97638322_ff02cssdpRaw.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "Ethernet": {
 3 |         "dst": "d0:c6:37:47:8e:02",
 4 |         "src": "1c:61:b4:08:d9:76",
 5 |         "type": "IPv6"
 6 |     },
 7 |     "IPv6": {
 8 |         "version": "6",
 9 |         "tc": "0",
10 |         "fl": "0",
11 |         "plen": "382",
12 |         "nh": "UDP",
13 |         "hlim": "1",
14 |         "src": "fe80::1e61:b4ff:fe08:d976",
15 |         "dst": "ff02::c"
16 |     },
17 |     "UDP": {
18 |         "sport": "38322",
19 |         "dport": "ssdp",
20 |         "len": "382",
21 |         "chksum": "0x8740"
22 |     },
23 |     "Raw": {
24 |         "load": "'NOTIFY * HTTP/1.1\\r\\nHOST: [FF02::C]:1900\\r\\nCACHE-CONTROL: max-age=60\\r\\nLOCATION: http://[::1]:1900/qyyjn/rootDesc.xml\\r\\nSERVER: TP-Link/TP-Link UPnP/1.1 MiniUPnPd/1.8\\r\\nNT: upnp:rootdevice\\r\\nUSN: uuid:e4c797e0-82ce-4f84-b56d-085d9d77c8cd::upnp:rootdevice\\r\\nNTS: ssdp:alive\\r\\nOPT: \"http://schemas.upnp.org/upnp/1/0/\"; ns=01\\r\\n01-NLS: 1\\r\\nBOOTID.UPNP.ORG: 1\\r\\nCONFIGID.UPNP.ORG: 1337\\r\\n\\r\\n'"
25 |     }
26 | }


--------------------------------------------------------------------------------
/NIDS_python-main/temp/tcpflowdump/nothing.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/googleboy-byte/NIDS_python/ea184614eeefb6f84fc76fcfb94ca9d4086fc074/NIDS_python-main/temp/tcpflowdump/nothing.txt


--------------------------------------------------------------------------------
/NIDS_python-main/temp/tcpstreamread.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/googleboy-byte/NIDS_python/ea184614eeefb6f84fc76fcfb94ca9d4086fc074/NIDS_python-main/temp/tcpstreamread.pcap


--------------------------------------------------------------------------------
/NIDS_python-main/temp/temppackets/103257EtherIPTCP2019811984https_192168020852587PARawMSGINCOMINGHOMENETRANGEREAD.pkt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/googleboy-byte/NIDS_python/ea184614eeefb6f84fc76fcfb94ca9d4086fc074/NIDS_python-main/temp/temppackets/103257EtherIPTCP2019811984https_192168020852587PARawMSGINCOMINGHOMENETRANGEREAD.pkt


--------------------------------------------------------------------------------
/NIDS_python-main/yararules/rules1.yara:
--------------------------------------------------------------------------------
 1 | rule zipExtensionFound{
 2 |     strings:
 3 |         $link1 = ".zip"
 4 |     condition:
 5 |         any of them
 6 | }
 7 | 
 8 | rule PE_FILE_HEADER{
 9 |     meta:
10 |         description = "YARA rules for pe detection in the NIDS program"
11 |         author = "cybersecadventures01123"
12 |         reference = "https://www.nextron-systems.com/2018/01/22/write-yara-rules-detect-embedded-exe-files-ole-objects/"
13 |     strings:
14 |         $hex1 = "546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f6465" ascii
15 |         $hex1_txt = "This program cannot be run in DOS mode"
16 |         $hex2 = "4b45524e454c33322e646c6c" ascii
17 |         $hex2_txt = "KERNEL32.dll" nocase
18 |         $hex3 = {4D 5A 40 00} // MZ@
19 |         //$hex3_txt = "MZ@"    
20 |     condition:
21 |         any of them
22 | }


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # NIDS_python
2 | A custom GUI based NIDS (Network Intrusion Detection System) with stream follow capability for HTTP2 and TLS/TCP and yara rules matching applied for captured network traffic.
3 | Savedpcap directory has to be created in root folder.
4 | ssllogs filepath has to be modified in the custom_ids.py code.
5 | 


--------------------------------------------------------------------------------
/custom_ids.py:
--------------------------------------------------------------------------------
  1 | import scapy.all as scp
  2 | import codecs
  3 | import PySimpleGUI as sg
  4 | import os
  5 | import threading
  6 | import sys
  7 | import pyshark
  8 | import socket
  9 | import scapy.arch.windows as scpwinarch
 10 | import json
 11 | import logging
 12 | logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
 13 | import re
 14 | import ipaddress
 15 | import subprocess
 16 | import yara
 17 | import pprint
 18 | import glob
 19 | 
 20 | def readrules():
 21 |     rulefile = "rules.txt"
 22 |     ruleslist = []
 23 |     with open(rulefile, "r") as rf:
 24 |         ruleslist = rf.readlines()
 25 |     rules_list = []
 26 |     for line in ruleslist:
 27 |         if line.startswith("alert"):
 28 |             rules_list.append(line)
 29 |     print(rules_list)
 30 |     return rules_list
 31 | 
 32 | alertprotocols = []
 33 | alertdestips = []
 34 | alertsrcips = []
 35 | alertsrcports = []
 36 | alertdestports = []
 37 | alertmsgs = []
 38 | 
 39 | # rule format --> "alert [srcip] [srcport] --> [dstip] [dstport] [msg]" [msg] may include spaces and is not within quotes
 40 | 
 41 | def process_rules(rulelist):
 42 |     global alertprotocols
 43 |     global alertdestips
 44 |     global alertsrcips
 45 |     global alertsrcports
 46 |     global alertdestports
 47 |     global alertmsgs
 48 |     alertprotocols = []
 49 |     alertdestips = []
 50 |     alertsrcips = []
 51 |     alertsrcports = []
 52 |     alertdestports = []
 53 |     alertmsgs = []
 54 |     for rule in rulelist:
 55 |         rulewords = rule.split()
 56 |         if rulewords[1] != "any":
 57 |             protocol = rulewords[1]
 58 |             alertprotocols.append(protocol.lower())
 59 |         else:
 60 |             alertprotocols.append("any")
 61 |         if rulewords[2] != "any":
 62 |             srcip = rulewords[2]
 63 |             alertsrcips.append(srcip.lower())
 64 |         else:
 65 |             alertsrcips.append("any")
 66 |         if rulewords[3] != "any":
 67 |             srcport = int(rulewords[3])
 68 |             alertsrcports.append(srcport)
 69 |         else:
 70 |             alertsrcports.append("any")
 71 |         if rulewords[5] != "any":
 72 |             destip = rulewords[5]
 73 |             alertdestips.append(destip.lower())
 74 |         else:
 75 |             alertdestips.append("any")
 76 |         if rulewords[6] != "any":
 77 |             destport = rulewords[6]
 78 |             alertdestports.append(destport.lower())
 79 |         else:
 80 |             alertdestports.append("any")
 81 |         try:
 82 |             alertmsgs.append(" ".join([rulewords[x] for x in range(7, len(rulewords))]))
 83 |         except:
 84 |             pass    
 85 | 
 86 |     print(alertprotocols)
 87 |     print(alertdestips)
 88 |     print(alertsrcips)
 89 |     print(alertsrcports)
 90 |     print(alertdestports)
 91 |     print(alertmsgs)
 92 | 
 93 | process_rules(readrules())
 94 | 
 95 | deviceiplist = []
 96 | for route in scp.read_routes():
 97 |     if str(route[4]) not in deviceiplist:
 98 |         deviceiplist.append(str(route[4]))
 99 |         print(str(route[4]))
100 | 
101 | 
102 | sg.theme('BluePurple')
103 | 
104 | pktsummarylist = []
105 | suspiciouspackets = []
106 | suspacketactual = []
107 | lastpacket = ""
108 | sus_readablepayloads = []
109 | all_readablepayloads = []
110 | tcpstreams = []
111 | SSLLOGFILEPATH = "C:\\Users\\mainak\\ssl1.log"
112 | http2streams=[]
113 | logdecodedtls = True
114 | httpobjectindexes = []
115 | httpobjectactuals = []
116 | httpobjecttypes = []
117 | yaraflagged_filenames = []
118 | reqfilepathbase = "./temp/tcpflowdump/"
119 | 
120 | layout = [[sg.Button('STARTCAP', key="-startcap-"),
121 | 		sg.Button('STOPCAP', key='-stopcap-'), sg.Button('SAVE ALERT', key='-savepcap-'),
122 |         sg.Button('REFRESH RULES', key='-refreshrules-'),
123 |         sg.Button('LOAD TCP/HTTP2 STREAMS', key='-showtcpstreamsbtn-'),
124 |         sg.Button('LOAD HTTP STREAMS', key='-showhttpstreamsbtn-'),
125 |         sg.Button('YARA FILTER STREAMS', key='-yarafilterstreamsbtn-'),],
126 |         [sg.Text("ALERT PACKETS", font=('Arial Bold', 14), size=(60, None), justification="left"),
127 |          sg.Text("ALL PACKETS", font=('Arial Bold', 14), size=(60, None), justification="left")],
128 | 		[sg.Listbox(key='-pkts-', size=(100,20), values=suspiciouspackets, enable_events=True), 
129 |         sg.Listbox(key='-pktsall-', size=(100,20), values=pktsummarylist, enable_events=True),
130 |         ],
131 |         [sg.Text("ALERT DECODED", font=('Arial Bold', 14), size=(35, None),justification="left"),
132 |          sg.Text("HTTP2 STREAMS", font=('Arial Bold', 14),justification="left"),
133 |          sg.Text("TCP STREAMS", font=('Arial Bold', 14),justification="left"),
134 |          sg.Text("HTTP OBJECTS", font=('Arial Bold', 14),justification="left"),
135 |          sg.Text("YARA FLAGGED STREAMS", font=('Arial Bold', 14),justification="left"),],
136 |         [sg.Multiline(size=(60,20), key='-payloaddecoded-'),
137 |         sg.Listbox(key='-http2streams-', size=(20, 20), values=http2streams, enable_events=True),
138 |         sg.Listbox(key='-tcpstreams-', size=(20,20), values=tcpstreams, enable_events=True),
139 |         sg.Listbox(key='-httpobjects-', size=(20, 20), values=httpobjectindexes, enable_events=True),
140 |         sg.Listbox(key='-yaraflaggedstreams-', size=(40, 20), values=yaraflagged_filenames, enable_events=True),
141 |         #sg.Multiline(size=(50,20), key='-payloaddecodedall-')
142 |         ],
143 | 		[sg.Button('EXIT')]]
144 | 
145 | window = sg.Window('Introduction', layout, size=(1600,800), resizable=True)
146 | 
147 | updatepktlist = False
148 | pkt_list = []
149 | 
150 | 
151 | def get_http_headers(http_payload):
152 |     try:
153 |         headers_raw = http_payload[:http_payload.index(b"\r\n\r\n") + 2]
154 |         headers = dict(re.findall(b"(?P<name>.*?): (?P<value>.*?)\\r\\n", headers_raw))
155 | 
156 |     except ValueError as err:
157 |         logging.error('Could not find \\r\\n\\r\\n - %s' % err)
158 |         return None
159 |     except Exception as err:
160 |         logging.error('Exception found trying to parse raw headers - %s' % err)
161 |         logging.debug(str(http_payload))
162 |         return None
163 | 
164 |     if b"Content-Type" not in headers:
165 |         logging.debug('Content Type not present in headers')
166 |         logging.debug(headers.keys())
167 |         return None   
168 |     return headers
169 | 
170 | def extract_object(headers, http_payload):
171 |     object_extracted = None
172 |     object_type = None
173 | 
174 |     content_type_filters = [b'application/x-msdownload', b'application/octet-stream']
175 | 
176 |     try:
177 |         if b'Content-Type' in headers.keys():
178 |             #if headers[b'Content-Type'] in content_type_filters:              
179 |             object_extracted = http_payload[http_payload.index(b"\r\n\r\n") +4:]
180 |             object_type = object_extracted[:2]
181 |             logging.info("Object Type: %s" % object_type)
182 |             # else:
183 |             #     logging.debug('Content Type did not matched with filters - %s' % headers[b'Content-Type'])
184 |             #     if len(http_payload) > 10:
185 |             #         logging.debug('Object first 50 bytes - %s' % str(http_payload[:50]))
186 |         else: 
187 |             logging.info('No Content Type in Package')
188 |             logging.debug(headers.keys())
189 | 
190 |         if b'Content-Length' in headers.keys():
191 |             logging.info( "%s: %s" % (b'Content-Lenght', headers[b'Content-Length']))
192 |     except Exception as err:
193 |         logging.error('Exception found trying to parse headers - %s' % err)
194 |         return None, None
195 |     return object_extracted, object_type
196 | 
197 | def read_http():
198 |     objectlist = []
199 |     objectsactual = []
200 |     objectsactualtypes = []
201 |     objectcount = 0
202 |     global pkt_list
203 |     try:
204 |         os.remove(f".\\temp\\httpstreamread.pcap")
205 |     except:
206 |         pass
207 |     httppcapfile = f".\\temp\\httpstreamread.pcap"
208 |     scp.wrpcap(httppcapfile, pkt_list)
209 |     pcap_flow = scp.rdpcap(httppcapfile)
210 |     sessions_all = pcap_flow.sessions()
211 | 
212 |     for session in sessions_all:
213 |         http_payload = bytes()
214 |         for pkt in sessions_all[session]:
215 |             if pkt.haslayer("TCP"):
216 |                 if pkt["TCP"].dport == 80 or pkt["TCP"].sport == 80 or pkt["TCP"].dport == 8080 or pkt["TCP"].sport == 8080:
217 |                     if pkt["TCP"].payload:
218 |                         payload = pkt["TCP"].payload
219 |                         http_payload += scp.raw(payload)
220 |         if len(http_payload):
221 |             http_headers = get_http_headers(http_payload)
222 | 
223 |             if http_headers is None:
224 |                 continue
225 | 
226 |             object_found, object_type = extract_object(http_headers, http_payload)
227 | 
228 |             if object_found is not None and object_type is not None:
229 |                 objectcount += 1
230 |                 objectlist.append(objectcount-1)
231 |                 objectsactual.append(object_found)
232 |                 objectsactualtypes.append(object_type)
233 |     
234 |     return objectlist, objectsactual, objectsactualtypes
235 | 
236 | 
237 | def proto_name_by_num(proto_num):
238 |     for name,num in vars(socket).items():
239 |         if name.startswith("IPPROTO") and proto_num == num:
240 |             return name[8:]
241 |     return "Protocol not found"
242 | 
243 | def check_rules_warning(pkt):
244 |     global alertprotocols
245 |     global alertdestips
246 |     global alertsrcips
247 |     global alertsrcports
248 |     global alertdestports
249 |     global alertmsgs
250 |     global sus_readablepayloads
251 |     global updatepktlist
252 | 
253 |     if 'IP' in pkt:
254 |         try:
255 |             src = pkt['IP'].src
256 |             dest = pkt['IP'].dst
257 |             proto = proto_name_by_num(pkt['IP'].proto).lower()
258 |             #print(proto)
259 |             sport = pkt['IP'].sport
260 |             dport = pkt['IP'].dport
261 | 
262 |             for i in range(len(alertprotocols)):
263 |                 flagpacket = False
264 |                 if alertprotocols[i] != "any":
265 |                     chkproto = alertprotocols[i]
266 |                 else:
267 |                     chkproto = proto
268 |                 if alertdestips[i] != "any":
269 |                     chkdestip = alertdestips[i]
270 |                 else:
271 |                     chkdestip = dest
272 |                 if alertsrcips[i] != "any":
273 |                     chksrcip = alertsrcips[i]
274 |                 else:
275 |                     chksrcip = src
276 |                 if alertsrcports[i] != "any":
277 |                     chksrcport = alertsrcports[i]
278 |                 else:
279 |                     chksrcport = sport
280 |                 if alertdestports[i] != "any":
281 |                     chkdestport = alertdestports[i]
282 |                 else:
283 |                     chkdestport = dport
284 |                 
285 |                 # print("chk \n", str(chksrcip) , str(chkdestip) , str(chkproto) , str(chkdestport) , str(chksrcport))
286 |                 # print("act \n", str(src) , str(dest) , str(proto) , str(dport) , str(sport))
287 |                 
288 |                 if "/" not in str(chksrcip).strip() and "/" not in str(chkdestip).strip():
289 |                     if (str(src).strip() == str(chksrcip).strip() and str(dest).strip() == str(chkdestip).strip() and str(proto).strip() == str(chkproto).strip() and str(dport).strip() == str(chkdestport).strip() and str(sport).strip() == str(chksrcport).strip()):
290 |                         flagpacket = True
291 |                 if "/" in str(chksrcip).strip() and "/" in str(chkdestip).strip():
292 |                     if (ipaddress.IPv4Address(str(src).strip()) in ipaddress.IPv4Network(str(chksrcip).strip()) and ipaddress.IPv4Address(str(dest).strip()) in ipaddress.IPv4Network(str(chkdestip).strip()) and str(proto).strip() == str(chkproto).strip() and str(dport).strip() == str(chkdestport).strip() and str(sport).strip() == str(chksrcport).strip()):
293 |                         flagpacket = True
294 |                 if "/" in str(chksrcip).strip() and "/" not in str(chkdestip).strip():
295 |                     if (ipaddress.IPv4Address(str(src).strip()) in ipaddress.IPv4Network(str(chksrcip).strip()) and str(dest).strip() == str(chkdestip).strip() and str(proto).strip() == str(chkproto).strip() and str(dport).strip() == str(chkdestport).strip() and str(sport).strip() == str(chksrcport).strip()):
296 |                         flagpacket = True
297 |                 if "/" not in str(chksrcip).strip() and "/" in str(chkdestip).strip():                        
298 |                     if (str(src).strip() == str(chksrcip).strip() and ipaddress.IPv4Address(str(dest).strip()) in ipaddress.IPv4Network(str(chkdestip).strip()) and str(proto).strip() == str(chkproto).strip() and str(dport).strip() == str(chkdestport).strip() and str(sport).strip() == str(chksrcport).strip()):
299 |                         flagpacket = True
300 | 
301 |                 if flagpacket == True:
302 |                         # print("Match")
303 |                     if proto == "tcp":
304 |                         try:
305 |                             readable_payload = bytes(pkt['TCP'].payload).decode('UTF8','replace')
306 |                             sus_readablepayloads.append(readable_payload)
307 |                         except Exception as ex:
308 |                             sus_readablepayloads.append("Error getting tcp payload!!")
309 |                             print(ex)
310 |                             pass
311 |                     elif proto == "udp":
312 |                         try:
313 |                             readable_payload = bytes(pkt['UDP'].payload).decode('UTF8','replace')
314 |                             sus_readablepayloads.append(readable_payload)
315 |                         except Exception as ex:
316 |                             sus_readablepayloads.append("Error getting udp payload!!")
317 |                             print(ex)
318 |                             pass
319 |                     else:
320 |                         sus_readablepayloads.append("NOT TCP PACKET!!")
321 |                     if updatepktlist:
322 |                         window['-payloaddecoded-'].update(value=sus_readablepayloads[len(suspiciouspackets)])
323 |                     return True, str(alertmsgs[i])
324 |         except:
325 |             pkt.show()
326 |         
327 |     # for protocol in alertprotocols:
328 |     #     if protocol.upper() in pkt:
329 |     #         pass
330 |     return False, ""
331 | 
332 | 
333 | def pkt_process(pkt):
334 |     global deviceiplist
335 |     global window
336 |     global updatepktlist
337 |     global suspiciouspackets
338 |     global all_readablepayloads
339 | 
340 |     pkt_summary = pkt.summary()
341 |         #print("\n", src, " : ", dest, "\n")
342 |         # if dest in deviceiplist:
343 |         #     print(f"\n[*] INCOMING PACKET from \n")
344 |         #     if updatepktlist:
345 |                 
346 |         #     lastpacket = pkt_summary
347 |         #     return pkt_summary
348 |     pktsummarylist.append(f"{len(pktsummarylist)} " + pkt_summary)
349 |     pkt_list.append(pkt)
350 |     sus_pkt, sus_msg = check_rules_warning(pkt)
351 |     if sus_pkt == True:
352 |         suspiciouspackets.append(f"{len(suspiciouspackets)} {len(pktsummarylist) - 1}" + pkt_summary + f" MSG: {sus_msg}")
353 |         suspacketactual.append(pkt)
354 | 
355 |     
356 |     # if 'IP' in pkt:
357 |     #     proto = proto_name_by_num(pkt['IP'].proto).lower()
358 |     #     if proto == "tcp":
359 |     #         try:
360 |     #             readable_payload = bytes(pkt['TCP'].payload).decode('UTF8','replace')
361 |     #             all_readablepayloads.append(readable_payload)
362 |     #         except Exception as ex:
363 |     #             all_readablepayloads.append("Error getting tcp payload!!")
364 |     #             print(ex)
365 |     #             pass
366 |     #     elif proto == "udp":
367 |     #         try:
368 |     #             readable_payload = bytes(pkt['UDP'].payload).decode('UTF8','replace')
369 |     #             all_readablepayloads.append(readable_payload)
370 |     #         except Exception as ex:
371 |     #             all_readablepayloads.append("Error getting udp payload!!")
372 |     #             print(ex)
373 |     #             pass
374 |     #     else:
375 |     #         all_readablepayloads.append("NOT TCP PACKET!!")
376 |     #     if updatepktlist:
377 |     #         window['-payloaddecodedall-'].update(value=all_readablepayloads[-1])
378 |         #print(suspiciouspackets)
379 |     #pkt.show()
380 | 
381 |     return
382 | 
383 | ifaces = [str(x["name"]) for x in scpwinarch.get_windows_if_list()]
384 | ifaces1 = [ifaces[6]].append(ifaces[0]) #Ether and VMnet8
385 | sniffthread = threading.Thread(target=scp.sniff, kwargs={"prn":pkt_process, "filter": "", "iface":ifaces[0:6]}, daemon=True)
386 | sniffthread.start()
387 | 
388 | def show_tcp_stream_openwin(tcpstreamtext):
389 |     layout = [[sg.Multiline(tcpstreamtext, size=(100,50), key="tcpnewwintext")]]
390 |     window = sg.Window("TCPSTREAM", layout, modal=True, size=(1200, 600), resizable=True)
391 |     choice = None
392 |     while True:
393 |         event, values = window.read()
394 |         if event == "Exit" or event == sg.WIN_CLOSED:
395 |             break
396 |     window.close()
397 | 
398 | def show_http2_stream_openwin(tcpstreamtext):
399 |     layout = [[sg.Multiline(tcpstreamtext, size=(100,50), key="tcpnewwintext")]]
400 |     window = sg.Window("HTTP2 STREAM", layout, modal=True, size=(1200, 600), resizable=True)
401 |     choice = None
402 |     while True:
403 |         event, values = window.read()
404 |         if event == "Exit" or event == sg.WIN_CLOSED:
405 |             break
406 |     window.close()
407 | 
408 | def load_tcp_streams(window):
409 |     global http2streams
410 |     global logdecodedtls
411 |     try:
412 |         os.remove(f".\\temp\\tcpstreamread.pcap")
413 |     except:
414 |         pass
415 |     scp.wrpcap(f".\\temp\\tcpstreamread.pcap", pkt_list)
416 |     global tcpstreams
417 |     tcpstreams = []
418 |     tcpstreamfilename = ".\\temp\\tcpstreamread.pcap"
419 |     cap1 = pyshark.FileCapture(
420 |         tcpstreamfilename,
421 |         display_filter="tcp.seq==1 && tcp.ack==1 && tcp.len==0",
422 |         keep_packets=True)
423 |     number_of_streams = 0
424 |     for pkt in cap1:
425 |         if pkt.highest_layer.lower() == "tcp" or pkt.highest_layer.lower() == "tls":
426 |             print(pkt.tcp.stream)
427 |             if int(pkt.tcp.stream) > number_of_streams:
428 |                 number_of_streams = int(pkt.tcp.stream) + 1
429 |     for i in range(0, number_of_streams):
430 |         tcpstreams.append(i)
431 |     window["-tcpstreams-"].update(values=[])
432 |     window["-tcpstreams-"].update(values=tcpstreams)
433 | 
434 |     if logdecodedtls == True:
435 |         http2streams = []
436 |         cap2 = pyshark.FileCapture(
437 |         tcpstreamfilename,
438 |         display_filter="http2.streamid",
439 |         keep_packets=True)
440 |         #numberofhttp2streams = 0
441 |         for pkt in cap2:
442 |             field_names = pkt.http2._all_fields
443 |             for field_name in field_names:
444 |                 http2_stream_id = {val for key, val in field_names.items() if key == 'http2.streamid'}
445 |                 http2_stream_id = "".join(http2_stream_id)
446 |             #x1 = str(pkt.http2.stream).split(", ")
447 |             #print(x1)
448 |             #streamid = int(x1[1].strip().split(":")[1].strip())
449 |             #print(streamid)
450 |             if http2_stream_id not in http2streams:
451 |                 http2streams.append(http2_stream_id)
452 |         window['-http2streams-'].update(values=http2streams)
453 |         pass
454 | 
455 | 
456 | def show_http2_stream(window, streamno):
457 |     
458 |     tcpstreamfilename = ".\\temp\\tcpstreamread.pcap"
459 |     cap3 = pyshark.FileCapture(
460 |             tcpstreamfilename,
461 |             display_filter = f'http2.streamid eq {str(http2streamindex)}',
462 |             override_prefs={'ssl.keylog_file': SSLLOGFILEPATH}
463 |         )
464 |     #print(cap3[0].http2.stream)
465 |     dat = ""
466 |     decode_hex = codecs.getdecoder("hex_codec")
467 |     http_payload = bytes()
468 |     for pkt in cap3:
469 |         # for x in pkt[pkt.highest_layer]._get_all_field_lines():
470 |         #     print(x)
471 |         #try:
472 |         try:
473 |             payload = pkt["TCP"].payload
474 |             http_payload += scp.raw(payload)
475 |             #does literally nothing because we do not know the encoding format of the payload so scp.raw returns type error
476 |         except:
477 |             pass
478 | 
479 |         print(pkt.http2.stream)
480 |         if ("DATA" not in pkt.http2.stream):
481 |             http2headerdat = ''
482 |             rawvallengthpassed = False
483 |             print(pkt.http2._all_fields.items())
484 |             for field, val in pkt.http2._all_fields.items():
485 |                 if rawvallengthpassed == False:
486 |                     if field == 'http2.header.name.length':
487 |                         rawvallengthpassed = True
488 |                 else:
489 |                     #if field.split(".")[-1] != "headers":
490 |                     http2headerdat += str(field.split(".")[-1]) + " : " + str(val) + " \n"
491 |                     print(http2headerdat)
492 |             dat += "\n" + http2headerdat
493 |             # httpdat = "".join("".join({val for key,val in pkt.http2._all_fields.items() if key == 'http2.data.data'}).split(":"))
494 |             # httpdatdecoded = decode_hex(httpdat)[0]
495 |             # dat += httpdatdecoded
496 |             # dat = pkt.pretty_print
497 |             # payload = pkt.http2.payload
498 |             # if hasattr(pkt,'http2'):
499 |             #     if hasattr(pkt.http2,'json_object'):
500 |             #         if hasattr(pkt.http2,'body_reassembled_data'):
501 |             #             avp=json.loads(codecs.decode(pkt.http2.body_reassembled_data.raw_value,'hex'))
502 |             # # encryptedapplicationdata_hex = "".join(payload.split(":")[0:len(payload.split(":"))])
503 |             # # encryptedapplicationdata_hex_decoded = decode_hex(encryptedapplicationdata_hex)[0]
504 |             # # dat += encryptedapplicationdata_hex_decoded
505 |             #             dat += avp
506 |             #print(encryptedapplicationdata_hex_decoded)
507 |         # except Exception as ex:
508 |         #     print(ex)
509 |     
510 |     if len(http_payload):
511 |         http_headers = get_http_headers(http_payload)
512 | 
513 |         if http_headers is not None:
514 |             object_found, object_type = extract_object(http_headers, http_payload)
515 | 
516 |             dat += object_type + "\n" + object_found + "\n"
517 | 
518 | 
519 |     print(dat)
520 |     formatteddat = dat
521 |     # formatteddat = str(dat, "ascii", "replace")
522 |     #show_tcp_stream_openwin(formatteddat)
523 |     print(formatteddat)
524 | 
525 |     show_http2_stream_openwin(formatteddat)
526 |     # os.remove(tcpstreamfilename)
527 |     #print(formatteddat)
528 |     pass
529 | 
530 | def show_tcpstream(window, streamno):
531 |     global SSLLOGFILEPATH
532 |     tcpstreamfilename = ".\\temp\\tcpstreamread.pcap"    
533 |     streamnumber = streamno
534 |     cap = pyshark.FileCapture(
535 |         tcpstreamfilename,
536 |         display_filter = 'tcp.stream eq %d' % streamnumber,
537 |         override_prefs={'ssl.keylog_file': SSLLOGFILEPATH}
538 |     )
539 |     dat = b""
540 |     decode_hex = codecs.getdecoder("hex_codec")
541 |     for pkt in cap:
542 |         # for x in pkt[pkt.highest_layer]._get_all_field_lines():
543 |         #     print(x)
544 |         try:
545 |             payload = pkt.tcp.payload
546 |             encryptedapplicationdata_hex = "".join(payload.split(":")[0:len(payload.split(":"))])
547 |             encryptedapplicationdata_hex_decoded = decode_hex(encryptedapplicationdata_hex)[0]
548 |             dat += encryptedapplicationdata_hex_decoded
549 |             #print(encryptedapplicationdata_hex_decoded)
550 |         except Exception as ex:
551 |             print(ex)
552 | 
553 |     formatteddat = str(dat, "ascii", "replace")
554 | 
555 |     # dat1 = ""
556 |     # try:
557 |     #     if pkt.http > 0:
558 |     #         dat1 += "Stream Index :" , str(pkt.tcp.stream) # to print stream index at the start
559 | 
560 |     #         dat1 += "\nHTTP LAYER :", str(pkt.http).replace('\\n', '').replace('\\r', '')
561 | 
562 |     # except:
563 |     #     pass
564 |     #show_tcp_stream_openwin(formatteddat)
565 |     if formatteddat.strip() == "" or len(str(formatteddat.strip)) < 1:
566 |         sg.PopupAutoClose("No data")
567 |     else:
568 |         show_tcp_stream_openwin(formatteddat)
569 |     # os.remove(tcpstreamfilename)
570 |     #print(formatteddat)
571 | 
572 | def yarascan(scanfile, rules):
573 |     matches = []
574 |     if os.path.getsize(scanfile) > 0:
575 |         for match in rules.match(scanfile):
576 |             matches.append({"name":match.rule, "meta":match.meta})
577 | 
578 |     return matches
579 | 
580 | def yarafilterstreams(window):      # window parameter for calling load_tcp_streams if necessary
581 |     
582 |     global yaraflagged_filenames
583 |     global reqfilepathbase
584 | 
585 |     yaraflagged_filenames = []
586 |     # check if pcap files already exist for captured streams
587 |     # pcap file names are tcpstreamread.pcap and httpstreamread.pcap
588 |     # they are stored in ./temp/
589 | 
590 |     if not os.path.isfile("./temp/tcpstreamread.pcap"):
591 |         load_tcp_streams(window)
592 |     if not os.path.isfile("./temp/httpstreamread.pcap"):
593 |         read_http()
594 |     
595 |     # tcpflow64 arguments 
596 |     # -a -r <pcapfile> -o <outputdir>
597 |     
598 |     # clear tcpflowdump directory
599 | 
600 |     dumpfiles = glob.glob(reqfilepathbase + "*")
601 |     for file in dumpfiles:
602 |         os.remove(file)
603 | 
604 |     # generate files for packet streams using tcpflow
605 |     subprocess.call("tcpflow64.exe -a -r temp/httpstreamread.pcap -o temp/tcpflowdump/", shell=True)
606 |     subprocess.call("tcpflow64.exe -a -r temp/tcpstreamread.pcap -o temp/tcpflowdump/", shell=True)
607 | 
608 |     yarafile = "./yararules/rules1.yara"
609 |     yararules = yara.compile(yarafile)      # compile yara rules
610 | 
611 |     
612 |     matchcount = 1
613 |     results = []
614 |     resultstxt = ""
615 |     for req in os.listdir(reqfilepathbase):
616 |         res = yarascan(os.path.join(reqfilepathbase, req), yararules)
617 |         if res:
618 |             for match in res:
619 |                 pprint.pprint(match)
620 |                 results.append({"ruleMatched":match["name"]})
621 |                 resultstxt += str(matchcount) + ". " + str(match["name"]) + "\n"
622 |                 matchcount += 1
623 |             if req != "report.xml":
624 |                 yaraflagged_filenames.append(str(match["name"]) + ":::" + req)  # ::: serves as separator
625 |     with open("yararesults.txt", "w") as resfile:                       # for filename and yara rule name
626 |         resfile.write(resultstxt)
627 |     for file in yaraflagged_filenames:
628 |         print(file)
629 |     window["-yaraflaggedstreams-"].update(values=yaraflagged_filenames) #update gui with yara flagged stream filenames
630 |     return
631 | 
632 | def show_yara_flagged(streamdat):
633 |     layout = [[sg.Multiline(streamdat, size=(100,50), key="yaranewwintext")]]
634 |     window = sg.Window("HTTP2 STREAM", layout, modal=True, size=(1200, 600), resizable=True)
635 |     choice = None
636 |     while True:
637 |         event, values = window.read()
638 |         if event == "Exit" or event == sg.WIN_CLOSED:
639 |             break
640 |     window.close()
641 | 
642 | def event_yaraflagged_selected(stream_idx):
643 |     yarafilename = stream_idx.split(":::")[1]
644 |     filepath = os.path.join(reqfilepathbase, yarafilename)
645 |     with open(filepath, "r", errors="ignore") as yaraflaggedfile:
646 |         yaraflagged_filedat = yaraflaggedfile.read()
647 |     show_yara_flagged(yaraflagged_filedat)
648 | 
649 | while True:
650 | 
651 |     print(suspiciouspackets)
652 | 
653 |     event, values = window.read()
654 |     if event == '-refreshrules-':
655 |         process_rules(readrules())
656 |     if event == "-startcap-":
657 |         updatepktlist = True
658 |         incomingpacketlist = []
659 |         inc_pkt_list = []
660 |         suspiciouspackets = []
661 |         suspacketactual = []
662 |         pktsummarylist = []
663 |         sus_readablepayloads = []
664 |         while True:
665 |             event, values = window.read(timeout=10)
666 |             if event == "-stopcap-":
667 |                 updatepktlist = False
668 |                 break
669 |             if event == '-refreshrules-':
670 |                 process_rules(readrules())
671 |             if event == sg.TIMEOUT_EVENT:
672 |                 #window['-pkts-'].update(pktsummarylist, scroll_to_index=len(pktsummarylist))
673 |                 window['-pkts-'].update(suspiciouspackets, scroll_to_index=len(suspiciouspackets))
674 |                 window['-pktsall-'].update(pktsummarylist, scroll_to_index=len(pktsummarylist))
675 |                 #window['-payloaddecoded-'].update(value=sus_readablepayloads[len(suspiciouspackets)])
676 |             if event in (None, 'Exit'):
677 |                 sys.exit()
678 |                 break
679 |             if event == '-pkts-' and len(values['-pkts-']):     # if a list item is chosen
680 |                 sus_selected = values['-pkts-']
681 |                 #sus_selected_index = int(sus_selected.split()[0][0:2])
682 |                 sus_selected_index = values[event][0]
683 |                 try:
684 |                     window["-tcpstreams-"].update(scroll_to_index=int(suspacketactual[sus_selected_index].tcp.stream))
685 |                 except:
686 |                     pass
687 |                 window['-payloaddecoded-'].update(value=sus_readablepayloads[sus_selected_index ])
688 |             if event == '-pktsall-' and len(values['-pktsall-']):     # if a list item is chosen
689 |                 #pktselected = values['-pktsall-']
690 |                 pkt_selected_index = window["-pktsall-"].get_indexes()
691 |                 try:
692 |                     window["-tcpstreams-"].update(scroll_to_index=int(pkt_list[pkt_selected_index].tcp.stream))
693 |                 except:
694 |                     pass
695 |             #     #sus_selected_index = int(sus_selected.split()[0][0:2])
696 |             #     pktselectedindex = window['-pktsall-'].get_indexes()[0]
697 |             #     window['-payloaddecodedall-'].update(value=all_readablepayloads[pktselectedindex])
698 |             if event == "-showtcpstreamsbtn-":      # load tcp streams btn
699 |                 load_tcp_streams(window)
700 |             if event == "-tcpstreams-":
701 |                 streamindex = window["-tcpstreams-"].get_indexes()
702 |                 show_tcpstream(window, streamindex)
703 |             if event == "-http2streams-":
704 |                 http2streamindex = values[event][0]
705 |                 show_http2_stream(window, int(http2streamindex))
706 |             if event == "-showhttpstreamsbtn-":         # load http streams btn
707 |                 httpobjectindexes = []
708 |                 httpobjectactuals = []
709 |                 httpobjecttypes = []
710 |                 httpobjectindexes, httpobjectactuals, httpobjecttypes = read_http()
711 |                 window["-httpobjects-"].update(values=httpobjectindexes)
712 |             if event == "-httpobjects-":
713 |                 httpobjectindex = values[event][0]
714 |                 show_http2_stream_openwin(httpobjecttypes[httpobjectindex] + b"\n" + httpobjectactuals[httpobjectindex][:900])
715 |             if event == "-yarafilterstreamsbtn-":
716 |                 yarafilterstreams(window)
717 |             if event == "-yaraflaggedstreams-":
718 |                 yaraflaggedstream_idx = values[event][0]
719 |                 event_yaraflagged_selected(yaraflaggedstream_idx)
720 | 
721 |     if event == "-yaraflaggedstreams-":
722 |         yaraflaggedstream_idx = values[event][0]
723 |         #print(yaraflaggedstream_idx)
724 |         event_yaraflagged_selected(yaraflaggedstream_idx)
725 | 
726 |     if event == "-yarafilterstreamsbtn-":
727 |         yarafilterstreams(window)
728 | 
729 |     if event == "-showhttpstreamsbtn-":
730 |         httpobjectindexes = []
731 |         httpobjectactuals = []
732 |         httpobjecttypes = []
733 |         httpobjectindexes, httpobjectactuals, httpobjecttypes = read_http()
734 |         window["-httpobjects-"].update(values=httpobjectindexes)
735 |     
736 |     if event == "-httpobjects-":
737 |         httpobjectindex = values[event][0]
738 |         show_http2_stream_openwin(httpobjecttypes[httpobjectindex] + b"\n" + httpobjectactuals[httpobjectindex][:900])
739 | 
740 |     if event == "-http2streams-":
741 |         http2streamindex = values[event][0]
742 |         print(http2streamindex)
743 |         show_http2_stream(window, str(int(http2streamindex)))
744 |     if event == '-pktsall-' and len(values['-pktsall-']):     # if a list item is chosen
745 |         #pktselected = values['-pktsall-']
746 |         pkt_selected_index = window["-pktsall-"].get_indexes()[0]
747 |         try:
748 |             window["-tcpstreams-"].update(scroll_to_index=int(pkt_list[pkt_selected_index].tcp.stream))
749 |         except:
750 |             pass
751 |     if event == '-savepcap-':
752 |         pcapname = "nettrafic"
753 |         scp.wrpcap(f'.\\savedpcap\\{pcapname}.pcap', inc_pkt_list)
754 |     if event == '-pkts-' and len(values['-pkts-']):     # if a list item is chosen
755 |         sus_selected = values['-pkts-']
756 |         #sus_selected_index = int(sus_selected.split()[0][0:2])
757 |         sus_selected_index = window['-pkts-'].get_indexes()[0]
758 |         try:
759 |             window["-tcpstreams-"].update(scroll_to_index=int(suspacketactual[sus_selected_index].tcp.stream))
760 |         except:
761 |             pass
762 |         window['-payloaddecoded-'].update(value=sus_readablepayloads[sus_selected_index])
763 |     if event == "-showtcpstreamsbtn-":
764 |         load_tcp_streams(window)    
765 |     if event == "-tcpstreams-":
766 |         streamindex = window["-tcpstreams-"].get_indexes()
767 |         show_tcpstream(window, streamindex)            
768 |     # if event == '-pktsall-' and len(values['-pktsall-']):     # if a list item is chosen
769 |     #             pktselected = values['-pktsall-']
770 |     #             #sus_selected_index = int(sus_selected.split()[0][0:2])
771 |     #             pktselectedindex = window['-pktsall-'].get_indexes()[0]
772 |     #             window['-payloaddecodedall-'].update(value=all_readablepayloads[pktselectedindex])
773 |     if event in (None, 'Exit'):
774 |         break
775 |     
776 | 
777 | 
778 | window.close()
779 | 
780 | # port lookup for rule writing
781 | # >>> from socket import getservbyname, getservbyport
782 | # >>> getservbyname("ssh")
783 | # 22
784 | # >>> getservbyname("domain", "udp")
785 | # 53
786 | # >>> getservbyname("https", "tcp")
787 | # 443
788 | 


--------------------------------------------------------------------------------
/rules.txt:
--------------------------------------------------------------------------------
1 | !alert udp any any -> any 53 DNS DNS DNS
2 | !alert udp any 53 -> any any DNS DNS DNS
3 | !alert tcp 192.168.0.0/24 any -> any any OUTGOING HOME NET RANGE READ
4 | !alert udp any any -> any any UDP ALERT
5 | alert tcp any any -> 192.168.0.0/24 any INCOMING HOME NET RANGE READ
6 | alert tcp any any -> any 8080 HTTP TRAFFIC
7 | alert tcp any 80 -> any any HTTP TRAFFIC
8 | alert tcp any any -> any 80 HTTP TRAFFIC


--------------------------------------------------------------------------------
/temp/decrypthttp2.py:
--------------------------------------------------------------------------------
 1 | import pyshark
 2 | 
 3 | key_path = "C:\\Users\\sengu\\ssl1.log"
 4 | pcap_file = 'tcpstreamread.pcap'
 5 | 
 6 | 
 7 | cap = pyshark.FileCapture(pcap_file,
 8 |                           display_filter="http2.streamid eq 5",
 9 |                           override_prefs={'ssl.keylog_file': key_path})
10 | 
11 | dat = ''
12 | rawvallengthpassed = False
13 | for field, val in cap[0].http2._all_fields.items():
14 |     # if rawvallengthpassed == False:
15 |     #     if field == 'http2.header.name.length':
16 |     #         rawvallengthpassed = True
17 |     # else:
18 |     dat += str(field.split(".")[-1]) + " : " + str(val) + " \n\n"
19 | 
20 | print(dat)
21 | 
22 | 


--------------------------------------------------------------------------------
/temp/tcpflowdump/nothing.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/googleboy-byte/NIDS_python/ea184614eeefb6f84fc76fcfb94ca9d4086fc074/temp/tcpflowdump/nothing.txt


--------------------------------------------------------------------------------
/yararules/rules1.yara:
--------------------------------------------------------------------------------
 1 | rule zipExtensionFound{
 2 |     strings:
 3 |         $link1 = ".zip"
 4 |     condition:
 5 |         any of them
 6 | }
 7 | 
 8 | rule PE_FILE_HEADER{
 9 |     meta:
10 |         description = "YARA rules for pe detection in the NIDS program"
11 |         author = "cybersecadventures01123"
12 |         reference = "https://www.nextron-systems.com/2018/01/22/write-yara-rules-detect-embedded-exe-files-ole-objects/"
13 |     strings:
14 |         $hex1 = "546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f6465" ascii
15 |         $hex1_txt = "This program cannot be run in DOS mode"
16 |         $hex2 = "4b45524e454c33322e646c6c" ascii
17 |         $hex2_txt = "KERNEL32.dll" nocase
18 |         $hex3 = {4D 5A 40 00} // MZ@
19 |         //$hex3_txt = "MZ@"    
20 |     condition:
21 |         any of them
22 | }


--------------------------------------------------------------------------------