PyPI - xbase-util - Versions diffs - 0.4.1__tar.gz → 0.4.3__tar.gz - Mend

xbase-util 0.4.1tar.gz → 0.4.3tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (33) hide show

{xbase_util-0.4.1 → xbase_util-0.4.3}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: xbase_util
-Version: 0.4.1
+Version: 0.4.3
 Summary: 网络安全基础工具
 Home-page: https://gitee.com/jimonik/xbase_util.git
 Author: xyt

{xbase_util-0.4.1 → xbase_util-0.4.3}/setup.py RENAMED Viewed

@@ -3,7 +3,7 @@ from distutils.core import setup
 from setuptools import find_packages
 setup(name="xbase_util",
-      version="0.4.1",
+      version="0.4.3",
       description="网络安全基础工具",
       long_description="包含提取，预测，训练的基础工具",
       author="xyt",

xbase_util-0.4.3/xbase_util/packet_util.py ADDED Viewed

@@ -0,0 +1,171 @@
+import re
+from scapy.layers.inet import TCP
+from xbase_util.xbase_constant import plain_content_type_columns, packetKeyname, src_dst_header, statisticHeader, \
+    features_key, plain_body_columns
+from xbase_util.xbase_util import firstOrZero
+def content_type_is_plain(packet):
+    """
+    从单个包（包括header和body）中获取content-type并判断是否为可见类型
+    :param packet:
+    :return:
+    """
+    if ":" not in packet:
+        return False
+    for item in packet.replace("-", "_").replace(" ", "").lower().split("\n"):
+        if "content_type" in item:
+            if ":" not in item:
+                continue
+            content_type = item.split(":")[1].replace("\r", "").strip()
+            return content_type in plain_content_type_columns
+    return False
+def filter_visible_chars(data):
+    """
+    过滤不可见字符，仅保留可打印的ASCII字符
+    :param data:
+    :return:
+    """
+    return ''.join(chr(b) for b in data if 32 <= b <= 126 or b in (9, 10, 13))
+def get_all_columns(
+        contains_packet_column=False,
+        contains_src_dst_column=False,
+        contains_statistic_column=False,
+        contains_features_column=False,
+        contains_plain_body_column=False,
+        contains_pcap_flow_text=False
+):
+    result_columns = []
+    if contains_packet_column:
+        result_columns += packetKeyname
+    if contains_src_dst_column:
+        result_columns += src_dst_header
+    if contains_statistic_column:
+        result_columns += statisticHeader
+    if contains_features_column:
+        result_columns += features_key
+    if contains_plain_body_column:
+        result_columns += plain_body_columns
+    if contains_pcap_flow_text:
+        result_columns.append(contains_pcap_flow_text)
+    return result_columns
+def get_all_packets_by_regx(packets):
+    """
+    通过正则pcap获取所有包的数据
+    :param packets:
+    :return:
+    """
+    streams = b""
+    for pkt in packets:
+        if TCP in pkt:
+            streams += bytes(pkt[TCP].payload)
+    text = filter_visible_chars(streams)
+    pattern = r"(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) \/[^\s]* HTTP\/\d\.\d"
+    requests = re.split(f"(?={pattern})", text, re.M)
+    all_packets = []
+    for item in requests:
+        if len(re.findall(pattern, item)) != 0:
+            request_text = ""
+            response_text = ""
+            response_text_list = re.findall(r"HTTP/\d\.\d \d{3}[\s\S]*", item)
+            if len(response_text_list) != 0:
+                # 有响应数据
+                response_text = response_text_list[0]
+            if response_text == "":
+                # 没有响应数据，那么全是请求数据
+                request_text = item
+            else:
+                # 有响应数据，用正则获取请求数据
+                request_re = re.search(
+                    r"(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) \/[^\s]* HTTP\/\d\.\d[\s\S]*?\r\n\r\n", item)
+                if request_re:
+                    request_text = request_re.group(0)
+                else:
+                    request_text = ""
+            all_packets.append({"req": request_text, "res": response_text})
+    return all_packets
+def get_body(param, is_src):
+    body = param.split("\r\n\r\n")[1].strip()
+    return "" if body is None else body
+def get_header_value(header_set, value):
+    result = [item for item in header_set if value in item]
+    if len(result) != 0:
+        return result[0].replace(f"{value}:", "").strip()
+    else:
+        return ""
+def get_detail_by_package(packets_from_pcap, publicField, use_regx):
+    """
+    通过pcap的数量分离session并完善相关字段
+    :param packets_from_pcap: 通过PcAp解析出的包
+    :param publicField: 原始的session单条数据
+    :return: 完整的单条数据
+    """
+    res_field = publicField.copy()
+    if use_regx:
+        req = packets_from_pcap['req']
+        res = packets_from_pcap['res']
+    else:
+        res = packets_from_pcap["response"]
+        req = packets_from_pcap["request"]
+    res_field["initRTT"] = firstOrZero(res_field.get("initRTT", 0))
+    res_field["length"] = firstOrZero(res_field.get("length", 0))
+    request_lines = req.strip().split("\n")
+    http_request_lines = [item for item in request_lines if "HTTP" in item]
+    if len(http_request_lines) != 0:
+        first_line = http_request_lines[0].split(" ")
+        res_field['http.clientVersion'] = str(first_line[2]).replace("\n", "").replace("\r", "")
+        res_field['http.path'] = first_line[1]
+        res_field['http.method'] = first_line[0]
+    else:
+        res_field['http.clientVersion'] = ''
+        res_field['http.path'] = ''
+        res_field['http.method'] = ''
+    res_field['http.request-referer'] = get_header_value(header_set=request_lines, value="Referer")
+    res_field['http.request-content-type'] = get_header_value(header_set=request_lines,
+                                                              value="Content-Type")
+    res_field['http.hostTokens'] = get_header_value(header_set=request_lines, value="Host")
+    if use_regx:
+        res_field['plain_body_src'] = ""
+        res_field['plain_body_dst'] = ""
+        if content_type_is_plain(req):
+            res_field['plain_body_src'] = get_body(req, is_src=True)
+        if content_type_is_plain(res):
+            res_field['plain_body_dst'] = get_body(res, is_src=False)
+    response_lines = res.strip().split("\n")
+    http_response_lines = [item for item in response_lines if "HTTP" in item]
+    if len(http_response_lines) != 0:
+        first_line = http_response_lines[0].strip().split(" ")
+        res_field['http.statuscode'] = first_line[1]
+        res_field['http.serverVersion'] = first_line[0].split("/")[1]
+    else:
+        res_field['http.statuscode'] = ""
+        res_field['http.serverVersion'] = ""
+    res_field['http.response-server'] = get_header_value(header_set=response_lines, value="Server")
+    res_field['http.response-content-type'] = get_header_value(header_set=response_lines,
+                                                               value="Content-Type")
+    for response in list(set(response_lines + request_lines)):
+        key_value = response.replace("\r", "").split(":")
+        if len(key_value) == 2:
+            key = key_value[0].replace(" ", "").replace("-", "_").lower()
+            value = key_value[1].replace(" ", "")
+            if f"src_{key}" in src_dst_header:
+                res_field[f"src_{key}"] = value
+            if f"dst_{key}" in src_dst_header:
+                res_field[f"dst_{key}"] = value
+    return res_field

{xbase_util-0.4.1 → xbase_util-0.4.3}/xbase_util/pcap_util.py RENAMED Viewed

@@ -4,7 +4,6 @@ import struct
 import time
 import zlib
 from datetime import datetime
 from Crypto.Cipher import AES
 from zstandard import ZstdDecompressor

{xbase_util-0.4.1 → xbase_util-0.4.3}/xbase_util/xbase_constant.py RENAMED Viewed

@@ -206,19 +206,82 @@ features_key = [
     'UserAgent_platform', 'UserAgent_is_bot', 'UserAgent_language', 'UserAgent_special_char_count',
     'UserAgent_is_unknown']
 regex_patterns = {
-        "sql": re.compile(
-            r"\b(select|union|insert|update|delete|drop|--|#| or |' or '|information_schema|database\(\)|version\(\))\b",
-            re.IGNORECASE),
-        "xss": re.compile(r"(<script\b|javascript:|onload=|onclick=|<iframe\b|src=)", re.IGNORECASE),
-        "cmd": re.compile(
-            r"(/etc/passwd\b|/etc/shadow\b|;|&&|\||\$\(.+\)|\bcurl\b|\bwget\b|\bexec\b|\bsystem\b|cmd=|proc/self/environ)",
-            re.IGNORECASE),
-        "path": re.compile(r"(\.\./|\.\.%2f|\.\.%5c|\.\.\\|\.\.;|%2f%2e%2e%2f)", re.IGNORECASE),
-        "redirect": re.compile(r"(redirect=|url=|next=|redirect_uri=|redirect:|RedirectTo=)", re.IGNORECASE),
-        "danger": re.compile(
-            r"(%3C|%3E|%27|%22|%00|%2F|%5C|%3B|%7C|%28|%29|%20|%3D|%3A|%3F|%26|%23|%2B|%25|file://|<foo|xmlns:|/etc/passwd|windows/win\.ini)",
-            re.IGNORECASE),
-        "suspicious_ext": re.compile(
-            r"\.(exe|sh|py|pl|bak|php5|jspx|bat|cmd|pif|js|vbs|vbe|sct|ini|inf|tmp|swp|jar|java|class|ps1)\b",
-            re.IGNORECASE)
-    }
+    "sql": re.compile(
+        r"\b(select|union|insert|update|delete|drop|--|#| or |' or '|information_schema|database\(\)|version\(\))\b",
+        re.IGNORECASE),
+    "xss": re.compile(r"(<script\b|javascript:|onload=|onclick=|<iframe\b|src=)", re.IGNORECASE),
+    "cmd": re.compile(
+        r"(/etc/passwd\b|/etc/shadow\b|;|&&|\||\$\(.+\)|\bcurl\b|\bwget\b|\bexec\b|\bsystem\b|cmd=|proc/self/environ)",
+        re.IGNORECASE),
+    "path": re.compile(r"(\.\./|\.\.%2f|\.\.%5c|\.\.\\|\.\.;|%2f%2e%2e%2f)", re.IGNORECASE),
+    "redirect": re.compile(r"(redirect=|url=|next=|redirect_uri=|redirect:|RedirectTo=)", re.IGNORECASE),
+    "danger": re.compile(
+        r"(%3C|%3E|%27|%22|%00|%2F|%5C|%3B|%7C|%28|%29|%20|%3D|%3A|%3F|%26|%23|%2B|%25|file://|<foo|xmlns:|/etc/passwd|windows/win\.ini)",
+        re.IGNORECASE),
+    "suspicious_ext": re.compile(
+        r"\.(exe|sh|py|pl|bak|php5|jspx|bat|cmd|pif|js|vbs|vbe|sct|ini|inf|tmp|swp|jar|java|class|ps1)\b",
+        re.IGNORECASE)
+}
+# 可见的content-type值
+plain_content_type_columns = ['text/json;charset=gbk',
+                              'application/xml;charset=gbk', 'application/xml;charset=utf_8', 'application/tlt_notify',
+                              'application/json;charset=gbk', 'text/xml;charset=utf_8', 'application/json',
+                              'text/csv;charset=utf_8', 'application/json;charse=utf_8',
+                              'application/soap+xml;charset=utf_8;action="urn:dopricetaxseparated"',
+                              'text/xml;charset=gbk', 'text/xml', 'application/x_cm_json;charset=utf_8',
+                              'application/xml;tz=utc', 'text/xml;charset="utf_8"', 'application/x_java_archive',
+                              'application/msword', 'image/png', 'application/xml',
+                              'application/x_stapler_method_invocation;charset=utf_8', 'text/plain;charset=iso_8859_1',
+                              'application/x_www_form_urlencoded;charset=utf_8', 'text/plain;charset=gbk',
+                              'application/octet_stream;charset=utf_8', 'application/x_tika_ooxml',
+                              'application/soap+xml;charset=utf_8;action="urn:sendcommand"', 'application/dns_message',
+                              'application/json;charset=utf_8', 'application/vnd.docker.distribution.manifest.v2+json',
+                              'application/vnd.elasticsearch+json;compatible_with=8', 'off/ping', 'text/plain',
+                              'application/x_git_upload_pack_request', 'application/json;charset=gbk',
+                              'text/html;charset=iso_8859_1', 'text/http;charset=utf_8',
+                              'application/soap+xml;charset=gbk', 'text/html',
+                              'application/vnd.openxmlformats_officedocument.spreadsheetml.sheet',
+                              'application/x_www_form_urlencoded;charset=gbk', 'text/plain;charset=utf_8',
+                              'text/html;charset=gbk', 'application/soap+xml;charset=gbk;',
+                              'application/x_www_form_urlencoded', 'application/x_ndjson', 'text/xml;charset=gbk',
+                              'application/json;chartset=utf_8',
+                              'application/soap+xml;charset=utf_8;action="urn:getcostbyruleengine"',
+                              'application/json_rpc', 'text/json;charset=utf_8', 'application/json;charset=utf8',
+                              'application/xml;charset=utf_8', 'application/x_www_form_urlencoded;charset=gbk',
+                              'application/soap+xml;charset=utf_8;', 'application/merge_patch+json',
+                              'application/json;', 'text/xml;charset="utf_16le"', 'text/html;charset=utf_8']
+packetKeyname = ['id', 'segmentCnt', 'tcpflags.rst', 'tcpflags.ack', 'tcpflags.syn', 'tcpflags.urg', 'tcpflags.psh',
+                 'tcpflags.syn-ack', 'tcpflags.fin', 'source.ip', 'destination.ip', 'source.port', 'source.packets',
+                 'source.bytes', 'destination.port', 'destination.bytes', 'destination.packets', 'initRTT',
+                 'firstPacket', 'lastPacket', 'ipProtocol', 'protocolCnt', 'protocol', 'server.bytes', 'totDataBytes',
+                 'network.packets', 'network.bytes', 'length', 'client.bytes', 'http.uri',
+                 'http.response-content-type', 'http.bodyMagicCnt', 'http.statuscodeCnt', 'http.clientVersionCnt',
+                 'http.response-content-typeCnt', 'http.xffIpCnt', 'http.requestHeaderCnt', 'http.serverVersion',
+                 'http.responseHeaderCnt', 'http.xffIp', 'http.clientVersion', 'http.uriTokens',
+                 'http.request-refererCnt', 'http.useragentCnt', 'http.statuscode', 'http.bodyMagic', 'http.methodCnt',
+                 'http.request-content-type', 'http.uriCnt', 'http.serverVersionCnt', 'http.useragent', 'http.keyCnt',
+                 'http.request-referer', 'http.path', 'http.hostCnt', 'http.response-server', 'http.pathCnt',
+                 'http.useragentTokens', 'http.method-GET', 'http.method', 'http.key', 'http.hostTokens',
+                 'http.requestHeader', 'http.responseHeader', 'http.method-POST', 'dns.ASN', 'dns.RIR', 'dns.GEO',
+                 'dns.alpn', 'dns.alpnCnt', 'dns.ip', 'dns.host', 'dns.ipCnt', 'dns.OpCode', 'dns.OpCodeCnt',
+                 'dns.Puny', 'dns.PunyCnt', 'dns.QueryClass', 'dns.QueryClassCnt', 'dns.QueryType', 'dns.QueryTypeCnt',
+                 'dns.status', 'dns.statusCnt', 'tls.cipher', 'tls.cipherCnt', 'tls.dstSessionId', 'tls.ja3',
+                 'tls.ja3Cnt', 'tls.ja3s', 'tls.ja3sCnt', 'tls.ja4', 'tls.ja4Cnt', 'tls.srcSessionId', 'tls.version',
+                 'tls.versionCnt', 'tls.ja4_r', 'tls.ja4_rCnt', 'packetPos', 'source.ip_Country_IsoCode',
+                 'source.ip_Country_Name', 'source.ip_Country_SpecificName',
+                 'source.ip_Country_SpecificIsoCode', 'source.ip_City_Name', 'source.ip_City_PostalCode',
+                 'source.ip_Location_Latitude', 'source.ip_Location_Longitude', 'destination.ip_Country_IsoCode',
+                 'destination.ip_Country_Name', 'destination.ip_Country_SpecificName',
+                 'destination.ip_Country_SpecificIsoCode', 'destination.ip_City_Name',
+                 'destination.ip_City_PostalCode', 'destination.ip_Location_Latitude',
+                 'destination.ip_Location_Longitude', 'http.uri_length_mean', 'http.uri_length_var',
+                 "http.uri_param_count_mean", "http.uri_param_count_var", "http.uri_depth_mean", "http.uri_depth_var",
+                 "http.uri_filename_length_mean", "http.uri_filename_length_var", "dns_domain_length_mean",
+                 "dns_domain_length_var", "traffic_type", "PROTOCOL", "DENY_METHOD", "THREAT_SUMMARY", "SEVERITY",
+                 "dns_domain_length", "dns_domain_suffix", "dns_domain", "dns_domain_suffix_length", "dns_base_domain",
+                 "dns_base_domain_length", "req_res_period_mean", "req_res_period_var", "status_code_1x_count",
+                 "status_code_2x_count", "status_code_3x_count", "status_code_4x_count", "status_code_5x_count",
+                 "req_bytes_percentage", "res_bytes_percentage", "cookie_end_with_semicolon_count",
+                 "ua_duplicate_count"]
+plain_body_columns = ["plain_body_src",
+                      "plain_body_dst"]

{xbase_util-0.4.1 → xbase_util-0.4.3}/xbase_util.egg-info/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: xbase-util
-Version: 0.4.1
+Version: 0.4.3
 Summary: 网络安全基础工具
 Home-page: https://gitee.com/jimonik/xbase_util.git
 Author: xyt

{xbase_util-0.4.1 → xbase_util-0.4.3}/xbase_util.egg-info/SOURCES.txt RENAMED Viewed

@@ -6,6 +6,7 @@ xbase_util/es_db_util.py
 xbase_util/esreq.py
 xbase_util/geo_util.py
 xbase_util/handle_features_util.py
+xbase_util/packet_util.py
 xbase_util/pcap_util.py
 xbase_util/xbase_constant.py
 xbase_util/xbase_util.py

{xbase_util-0.4.1 → xbase_util-0.4.3}/README.md RENAMED Viewed

File without changes

{xbase_util-0.4.1 → xbase_util-0.4.3}/setup.cfg RENAMED Viewed

File without changes

{xbase_util-0.4.1 → xbase_util-0.4.3}/xbase_util/__init__.py RENAMED Viewed

File without changes

{xbase_util-0.4.1 → xbase_util-0.4.3}/xbase_util/add_column_util.py RENAMED Viewed

File without changes

{xbase_util-0.4.1 → xbase_util-0.4.3}/xbase_util/db/__init__.py RENAMED Viewed

File without changes

{xbase_util-0.4.1 → xbase_util-0.4.3}/xbase_util/db/bean/ConfigBean.py RENAMED Viewed

File without changes

{xbase_util-0.4.1 → xbase_util-0.4.3}/xbase_util/db/bean/CurrentConfigBean.py RENAMED Viewed

File without changes

{xbase_util-0.4.1 → xbase_util-0.4.3}/xbase_util/db/bean/FlowBean.py RENAMED Viewed

File without changes

{xbase_util-0.4.1 → xbase_util-0.4.3}/xbase_util/db/bean/TaskTemplateBean.py RENAMED Viewed

File without changes

{xbase_util-0.4.1 → xbase_util-0.4.3}/xbase_util/db/bean/__init__.py RENAMED Viewed

File without changes

{xbase_util-0.4.1 → xbase_util-0.4.3}/xbase_util/db/dao/ConfigDao.py RENAMED Viewed

File without changes

{xbase_util-0.4.1 → xbase_util-0.4.3}/xbase_util/db/dao/CurrentConfigDao.py RENAMED Viewed

File without changes

{xbase_util-0.4.1 → xbase_util-0.4.3}/xbase_util/db/dao/FlowDao.py RENAMED Viewed

File without changes

{xbase_util-0.4.1 → xbase_util-0.4.3}/xbase_util/db/dao/TaskTemplateDao.py RENAMED Viewed

File without changes

{xbase_util-0.4.1 → xbase_util-0.4.3}/xbase_util/db/dao/__init__.py RENAMED Viewed

File without changes

{xbase_util-0.4.1 → xbase_util-0.4.3}/xbase_util/db/initsqlite3.py RENAMED Viewed

File without changes

{xbase_util-0.4.1 → xbase_util-0.4.3}/xbase_util/es_db_util.py RENAMED Viewed

File without changes

{xbase_util-0.4.1 → xbase_util-0.4.3}/xbase_util/esreq.py RENAMED Viewed

File without changes

{xbase_util-0.4.1 → xbase_util-0.4.3}/xbase_util/geo_util.py RENAMED Viewed

File without changes

{xbase_util-0.4.1 → xbase_util-0.4.3}/xbase_util/handle_features_util.py RENAMED Viewed

File without changes

{xbase_util-0.4.1 → xbase_util-0.4.3}/xbase_util/xbase_util.py RENAMED Viewed

File without changes

{xbase_util-0.4.1 → xbase_util-0.4.3}/xbase_util.egg-info/dependency_links.txt RENAMED Viewed

File without changes

{xbase_util-0.4.1 → xbase_util-0.4.3}/xbase_util.egg-info/not-zip-safe RENAMED Viewed

File without changes

{xbase_util-0.4.1 → xbase_util-0.4.3}/xbase_util.egg-info/top_level.txt RENAMED Viewed

File without changes

{xbase_util-0.4.1 → xbase_util-0.4.3}/xbase_util_assets/GeoLite2-City.mmdb RENAMED Viewed

File without changes

{xbase_util-0.4.1 → xbase_util-0.4.3}/xbase_util_assets/arkimeparse.js RENAMED Viewed

File without changes

xbase-util 0.4.1__tar.gz → 0.4.3__tar.gz

xbase-util 0.4.1tar.gz → 0.4.3tar.gz