capra 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 5c63e457d5d29a1a32e717b9771a1a77c96c2f473e8e2724ccb19b7bcc1a9969
+  data.tar.gz: a2d6115618a11efcab273d51fd49a8c6c2f48b0debc5fe744d9f4242f20a38b9
+SHA512:
+  metadata.gz: 5fc830199365d7aaa5164856c1c8b4accf135bc553ccbb6366055e9b8edccc4d56fded575a67c7424462ce6ec13c6031a18faba0a089e1756dadb0cf20fe4b97
+  data.tar.gz: f3bcb6939ca831543c5845206a729fab730d03fe395ce31ebd8359d4e74d26c78570a929c259eaaff4111d44422cefb9a96f0362958699f1dcc4250a84eaf005

data/bin/capra

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "capra"
+
+Capra.run_cli!

data/lib/capra.rb

@@ -0,0 +1,83 @@
+require "packetgen"
+require "ipaddr"
+require "fileutils"
+require "command_lion"
+require "capra/version"
+require "capra/private_ips"
+require "capra/packetgen_extensions"
+require "capra/snort_rule_parser"
+require "capra/engine"
+require "capra/version"
+
+require "pry"
+
+module Capra
+  class Error < StandardError; end
+
+  def self.run_cli!
+    CommandLion::App.run do
+      name "Capra"
+      version Capra::VERSION
+      description "Intrusion Detection System"
+
+      command :init do
+        description "create a base Caprafile in the current working directory"
+
+        action do
+          if File.exists?("Caprafile")
+            puts "error: Caprafile already exists!"
+            exit 1
+          end
+          File.open("Caprafile", 'w') do |file| 
+            file.puts '#!/usr/bin/env ruby'
+            file.puts
+            file.puts "interface '#{Interfacez.default}'"
+            file.puts
+            file.puts "# your rules go here"
+          end
+        end
+      end
+
+      command :start do
+        description "start the engine"
+
+        default "Caprafile"
+
+        action do
+          unless File.exists?(argument)
+            puts "error: cannot find #{argument} in the current directory"
+            puts
+            puts "hint: run `capra init` to create a base Caprafile"
+            exit 1
+          end
+
+          Capra::Engine.new(file: argument)
+        end
+      end
+
+      # $ capra convert 'alert tcp any any -> any 21 (msg:"ftp")'
+      # rule 'TCP' do |packet|
+      #   next unless packet.tcp.dport == 21
+      #   alert "ftp"
+      # end
+      command :convert do
+        description "Convert Snort rule(s) to Caprafile syntax"
+
+        type :string
+
+        action do
+          if File.file?(argument)
+            File.foreach(argument) do |line|
+              line = line.strip
+              next if line.empty?
+
+              Capra::SnortRuleParser.convert(line)
+            end
+          else
+            Capra::SnortRuleParser.convert(argument)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/capra/engine.rb

@@ -0,0 +1,100 @@
+module Capra
+  class Engine 
+    attr_accessor :interface
+    attr_accessor :rules
+
+    def initialize(file: nil, &block)
+      default_interface
+      @rules = {}
+      if file
+        instance_eval File.read(file)
+      else
+        instance_eval &block
+      end
+      start!
+    end
+
+    def interface(iface)
+      @interface = iface
+    end
+
+    def default_interface
+      @interface = Interfacez.default
+    end
+
+    def pcap(file)
+      @pcap = file
+    end
+
+    def save_to(file)
+      @save_to = file
+    end
+
+    def debug!
+      binding.pry
+    end
+
+    def rule(type, description: nil, reference: nil, &block)
+      if @rules[type]
+        @rules[type] << block
+      else
+        @rules[type] = [block]
+      end
+    end
+
+    def alert(mesg)
+      puts mesg
+    end
+
+    def email(recpt)
+      puts "Sending email!"
+    end
+
+    def save(packet)
+      @save_to = "capra-save-"+Time.now.utc.to_s.split(" ").join("-")+".pcapng" if @save_to.nil?
+
+      pf = PacketGen::PcapNG::File.new
+      pf.array_to_file [packet]
+      pf.to_f(@save_to, append: true)
+    end
+
+    def start!
+      if @pcap
+        read_pcap_file(@pcap) do |packet|
+          @rules.each do |header, blocks|
+            if header == 'ANY' || packet.is?(header)
+              blocks.each do |block|
+                block.call(packet)
+              end
+            end
+          end
+        end
+      else
+        PacketGen.capture(iface: @interface) do |packet|
+          @rules.each do |header, blocks|
+            if header == 'ANY' || packet.is?(header)
+              blocks.each do |block|
+                block.call(packet)
+              end
+            end
+          end
+        end
+      end
+    end
+
+    private
+
+    def read_pcap_file(filename)
+      PcapNG::File.new.read_packets(filename) do |packet|
+        yield packet
+      end
+    rescue StandardError => e
+      PCAPRUB::Pcap.open_offline(filename).each_packet do |packet|
+        next unless (packet = PacketGen.parse(packet.to_s))
+
+        yield packet
+      end
+    end
+  end
+end
+

data/lib/capra/packetgen_extensions.rb

@@ -0,0 +1,149 @@
+module PacketGen
+  class Packet
+    def ftp?
+      return false unless self.is? 'TCP'
+      self.tcp.dport == 21 || self.tcp.sport == 21
+    end
+
+    def ssh?
+      return false unless self.is? 'TCP'
+      self.tcp.dport == 22 || self.tcp.sport == 22
+    end
+   
+    def icmp?
+      self.is? 'ICMP'
+    end
+
+    def http?
+      return false unless self.is? 'TCP'
+      self.is? 'HTTP::Request' or self.is? 'HTTP::Response'
+    end
+    
+    def https?
+      return false unless self.is? 'TCP'
+      self.tcp.dport == 443 || self.tcp.sport == 443 
+    end
+
+    def telnet?
+      return false unless self.is? 'TCP'
+      self.tcp.dport == 23 || self.tcp.sport == 23
+    end
+
+    def dns?
+      return true if self.is? 'DNS'
+    end
+
+    def ip?
+      return true if self.is? 'IP'
+    end
+    
+    def arp?
+      return true if self.is? 'ARP'
+    end
+  end
+
+  module Header
+    class TCP
+      def port?(int)
+        self.dport == int || self.dport == int
+      end
+    end
+    
+    class DNS
+      def queries
+        return [] unless self.query? || self.response?
+        packet.dns.qd.map { |q| q.name.chop! }
+      end
+
+      def responses
+        return {} unless self.response?
+        info = {}
+        packet.dns.an.map do |a|
+          name = a.name.chop!
+          if info[name]
+            info[name] << a.human_rdata
+          else
+            info[name] = [a.human_rdata]
+          end
+        end
+        info
+      end
+    end
+
+    class IP
+      def internal_communication_only?
+        PRIVATE_IPS.any? { |private_ip| private_ip.include?(self.src) } and PRIVATE_IPS.any? { |private_ip| private_ip.include?(self.dst) }
+      end
+
+      def external_communication?
+        !internal_communication_only?
+      end
+
+      def internal_destination?
+        PRIVATE_IPS.any? { |private_ip| private_ip.include?(self.dst) }
+      end
+      
+      def external_destination?
+        !internal_destination?
+      end
+
+      def internal_source?
+        PRIVATE_IPS.any? { |private_ip| private_ip.include?(self.src) }
+      end
+
+      def external_source?
+        !internal_source? 
+      end
+
+      def within_subnet?(cidr)
+        subnet = IPAddr.new(cidr)
+        subnet.include?(self.src) or subnet.include?(self.dst)
+      end
+      
+      def from_subnet?(cidr)
+        subnet = IPAddr.new(cidr)
+        subnet.include?(self.src)
+      end
+      
+      def from_subnets?(cidrs)
+        cidrs.map { IPAddr.new(cidr) }.include?(self.src)
+      end
+      
+      def to_subnet?(cidr)
+        subnet = IPAddr.new(cidr)
+        subnet.include?(self.dst)
+      end
+
+      def to_subnets?(cidr)
+        cidrs.map { IPAddr.new(cidr) }.include?(self.dst)
+      end
+    end
+
+    class ICMP
+      def echo_reply?
+        self.type == 0
+      end
+
+      def destination_unreachable?
+        self.type == 3
+      end
+
+      def redirect?
+        self.type == 5
+      end
+
+      def echo?
+        self.type == 8
+      end
+
+      def router_advertisement?
+        self.type == 9
+      end
+
+      def router_solicitation?
+        self.type == 10
+      end
+    end
+  end
+end
+

data/lib/capra/private_ips.rb

@@ -0,0 +1,7 @@
+module Capra
+    PRIVATE_IPS = [
+      IPAddr.new('10.0.0.0/8'),
+      IPAddr.new('172.16.0.0/12'),
+      IPAddr.new('192.168.0.0/16'),
+    ].freeze
+end

data/lib/capra/snort_rule_parser.rb

@@ -0,0 +1,117 @@
+module Capra 
+    module SnortRuleParser
+      def self.parse(rule)
+        # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP MDTM overflow attempt"; flow:to_server,established; content:"MDTM"; nocase; isdataat:100,relative; pcre:"/^MDTM\s[^\n]{100}/smi"; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; reference:nessus,12080; classtype:attempted-admin; sid:2546; rev:5;)
+        rule_parts = rule.split
+  
+        rule_options = {} 
+
+        rule_parts[7..-1].join(" ").sub("(",'').sub(")",'').split(";").map { |opt| opt.split(":").map { |val| val.gsub('"', '') }}.each do |k, v|
+          k = k.strip
+  
+          if rule_options[k]
+            rule_options[k] << v
+          else
+            rule_options[k] = [v]
+          end
+        end
+  
+        {
+          action: rule_parts[0],
+          protocol: rule_parts[1],
+          source_ip: rule_parts[2],
+          source_port: rule_parts[3],
+          direction: rule_parts[4], # almost always -> unless you're crazy?
+          destination_ip: rule_parts[5],
+          destination_port: rule_parts[6],     
+          options: rule_options
+        }
+      end
+  
+      def self.convert(rule)
+        parsed_rule = self.parse(rule)
+        puts "rule '#{parsed_rule[:protocol].upcase}' do |packet|"
+        unless parsed_rule[:source_ip] == "any"
+          if parsed_rule[:source_ip] == "$EXTERNAL_NET" # might want to check direction too?
+            puts "\tnext unless packet.ip.external_source?"
+          elsif parsed_rule[:source_ip][0] == "["
+            puts "\tnext unless packet.ip.from_subnets?(#{parsed_rule[:source_ip].sub("[","").sub("]","").split(",").inspect})"
+          else
+            puts "\tnext unless packet.ip.src == '#{parsed_rule[:source_ip]}'"
+          end
+        end
+        unless parsed_rule[:source_port] == "any"
+          puts "\tnext unless packet.#{parsed_rule[:protocol]}.sport == #{parsed_rule[:source_port]}"
+        end
+        unless parsed_rule[:destination_ip] == "any"
+          if parsed_rule[:destination_ip] == "$HOME_NET"
+            puts "\tnext unless packet.ip.internal_destination?"
+          elsif parsed_rule[:source_ip][0] == "["
+            parsed_rule[:source_ip].sub("[","").sub("]","").split(",").each do |cidr|
+              puts "\tnext unless packet.ip.to_subnets?(#{cidr})"
+            end
+          else
+            puts "\tnext unless packet.ip.dst == '#{parsed_rule[:destination_ip]}'"
+          end
+        end
+        unless parsed_rule[:destination_port] == "any"
+          puts "\tnext unless packet.#{parsed_rule[:protocol]}.dport == #{parsed_rule[:destination_port]}"
+        end
+        # TODO: need to support mixed string and byte matching, even though it's insane
+        if parsed_rule[:options]["content"]
+          parsed_rule[:options]["content"].each do |content|
+            if content[0] == "|" and content[-1] == "|"
+              puts "\tnext packet.body.unpack('H*').first.include?(\"#{content.gsub("|","").split.join}\")"
+            else
+              puts "\tnext unless packet.body.include?(\"#{content}\")"
+            end  
+          end
+          #puts "\tnext unless packet.body.include?(\"#{parsed_rule[:options]["content"]}\")"  
+        end
+        if parsed_rule[:options]["pcre"]
+          parsed_rule[:options]["pcre"].each do |pcre|
+            regex, regex_ops = pcre.split("/")[1..-1]
+            regex_ops_value = regex_ops.split('').map do |str|
+              case str
+              when "i"
+                Regexp::IGNORECASE
+              when "m"
+                Regexp::MULTILINE
+              when "x"
+                Regexp::EXTENDED
+              else
+                0
+              end
+            end.sum
+            puts "\tnext unless packet.body.match(Regexp.new('#{regex}', #{regex_ops_value}))"  
+          end
+        end
+        if parsed_rule[:options]['flags']
+          parsed_rule[:options]['flags'].each do |flag_opt|
+            flag_opt.split('').each do |flag|
+              case flag
+              when 'F' #fin
+                puts "\tnext unless packet.tcp.flag_fin?"
+              when 'S' #syn
+                puts "\tnext unless packet.tcp.flag_syn?"
+              when 'R' #rst
+                puts "\tnext unless packet.tcp.flag_rst?"
+              when 'P' #psh
+                puts "\tnext unless packet.tcp.flag_psh?"
+              when 'A' #ack
+                puts "\tnext unless packet.tcp.flag_ack?"
+              when 'U' #urg
+                puts "\tnext unless packet.tcp.flag_urg?"
+              end
+            end
+          end
+        end
+        # alert probably needs to be the last thing in the rule for it to work properly in this case
+        if parsed_rule[:options]["msg"]
+          puts "\talert \"#{parsed_rule[:options]["msg"].first}\""
+        end
+        puts "end"
+      end
+    end
+  end
+  

data/lib/capra/version.rb

@@ -0,0 +1,3 @@
+module Capra
+  VERSION = "1.0.0"
+end

metadata

@@ -0,0 +1,181 @@
+--- !ruby/object:Gem::Specification
+name: capra
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Kent 'picat' Gruber
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2019-04-19 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: packetgen
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.1.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.1.2
+- !ruby/object:Gem::Dependency
+  name: oj
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.7.11
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.7.11
+- !ruby/object:Gem::Dependency
+  name: command_lion
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.0.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.0.1
+- !ruby/object:Gem::Dependency
+  name: ipaddr
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.2.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.2.2
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.17'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.17'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.8.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.8.0
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.12.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.12.2
+- !ruby/object:Gem::Dependency
+  name: pry-coolline
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.2.5
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.2.5
+description: 
+email:
+- kgruber1@emich.edu
+executables:
+- capra
+extensions: []
+extra_rdoc_files: []
+files:
+- bin/capra
+- lib/capra.rb
+- lib/capra/engine.rb
+- lib/capra/packetgen_extensions.rb
+- lib/capra/private_ips.rb
+- lib/capra/snort_rule_parser.rb
+- lib/capra/version.rb
+homepage: https://github.com/picatz/capra
+licenses:
+- MIT
+metadata: {}
+post_install_message: |-
+  Thank you for installing Capra!
+  Make sure to install `libpcap-dev` if you haven't already!
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements:
+- libpcap-dev
+rubyforge_project: 
+rubygems_version: 3.0.0.beta1
+signing_key: 
+specification_version: 4
+summary: Intrusion detection system.
+test_files: []