xbase-util 0.9.6__tar.gz → 0.9.8__tar.gz
Sign up to get free protection for your applications and to get access to all the features.
- {xbase_util-0.9.6 → xbase_util-0.9.8}/PKG-INFO +1 -1
- {xbase_util-0.9.6 → xbase_util-0.9.8}/setup.py +1 -1
- {xbase_util-0.9.6 → xbase_util-0.9.8}/xbase_util/common_util.py +2 -2
- {xbase_util-0.9.6 → xbase_util-0.9.8}/xbase_util/packet_util.py +53 -3
- {xbase_util-0.9.6 → xbase_util-0.9.8}/xbase_util/xbase_constant.py +6 -2
- {xbase_util-0.9.6 → xbase_util-0.9.8}/xbase_util.egg-info/PKG-INFO +2 -2
- {xbase_util-0.9.6 → xbase_util-0.9.8}/README.md +0 -0
- {xbase_util-0.9.6 → xbase_util-0.9.8}/setup.cfg +0 -0
- {xbase_util-0.9.6 → xbase_util-0.9.8}/xbase_util/__init__.py +0 -0
- {xbase_util-0.9.6 → xbase_util-0.9.8}/xbase_util/add_column_util.py +0 -0
- {xbase_util-0.9.6 → xbase_util-0.9.8}/xbase_util/dangerous_util.py +0 -0
- {xbase_util-0.9.6 → xbase_util-0.9.8}/xbase_util/db/__init__.py +0 -0
- {xbase_util-0.9.6 → xbase_util-0.9.8}/xbase_util/db/bean/ConfigBean.py +0 -0
- {xbase_util-0.9.6 → xbase_util-0.9.8}/xbase_util/db/bean/CurrentConfigBean.py +0 -0
- {xbase_util-0.9.6 → xbase_util-0.9.8}/xbase_util/db/bean/FlowBean.py +0 -0
- {xbase_util-0.9.6 → xbase_util-0.9.8}/xbase_util/db/bean/TaskTemplateBean.py +0 -0
- {xbase_util-0.9.6 → xbase_util-0.9.8}/xbase_util/db/bean/__init__.py +0 -0
- {xbase_util-0.9.6 → xbase_util-0.9.8}/xbase_util/db/dao/ConfigDao.py +0 -0
- {xbase_util-0.9.6 → xbase_util-0.9.8}/xbase_util/db/dao/CurrentConfigDao.py +0 -0
- {xbase_util-0.9.6 → xbase_util-0.9.8}/xbase_util/db/dao/FlowDao.py +0 -0
- {xbase_util-0.9.6 → xbase_util-0.9.8}/xbase_util/db/dao/TaskTemplateDao.py +0 -0
- {xbase_util-0.9.6 → xbase_util-0.9.8}/xbase_util/db/dao/__init__.py +0 -0
- {xbase_util-0.9.6 → xbase_util-0.9.8}/xbase_util/db/initsqlite3.py +0 -0
- {xbase_util-0.9.6 → xbase_util-0.9.8}/xbase_util/es_db_util.py +0 -0
- {xbase_util-0.9.6 → xbase_util-0.9.8}/xbase_util/esreq.py +0 -0
- {xbase_util-0.9.6 → xbase_util-0.9.8}/xbase_util/geo_util.py +0 -0
- {xbase_util-0.9.6 → xbase_util-0.9.8}/xbase_util/handle_features_util.py +0 -0
- {xbase_util-0.9.6 → xbase_util-0.9.8}/xbase_util/pcap_util.py +0 -0
- {xbase_util-0.9.6 → xbase_util-0.9.8}/xbase_util.egg-info/SOURCES.txt +0 -0
- {xbase_util-0.9.6 → xbase_util-0.9.8}/xbase_util.egg-info/dependency_links.txt +0 -0
- {xbase_util-0.9.6 → xbase_util-0.9.8}/xbase_util.egg-info/not-zip-safe +0 -0
- {xbase_util-0.9.6 → xbase_util-0.9.8}/xbase_util.egg-info/top_level.txt +0 -0
- {xbase_util-0.9.6 → xbase_util-0.9.8}/xbase_util_assets/GeoLite2-City.mmdb +0 -0
- {xbase_util-0.9.6 → xbase_util-0.9.8}/xbase_util_assets/arkimeparse.js +0 -0
|
@@ -230,8 +230,8 @@ def get_statistic_fields(packets):
|
|
|
230
230
|
packet_len_rate = round((packet_len_total_count / total_time) / 1000, 5) if total_time > 0 else 0
|
|
231
231
|
packet_size = [len(p) for p in packets]
|
|
232
232
|
field_map = {
|
|
233
|
-
"packet_size_mean": float(round(np.mean(packet_size), 5)),
|
|
234
|
-
"packet_size_variance": float(round(np.var(packet_size), 5)),
|
|
233
|
+
"packet_size_mean": float(round(np.mean(packet_size), 5)) if len(packet_size) > 0 else -1,
|
|
234
|
+
"packet_size_variance": float(round(np.var(packet_size), 5)) if len(packet_size) > 0 else -1,
|
|
235
235
|
'packet_len_total_count': packet_len_total_count,
|
|
236
236
|
'packet_len_total_average': packet_len_average,
|
|
237
237
|
'packet_len_total_min': packet_len_min,
|
|
@@ -1,8 +1,9 @@
|
|
|
1
1
|
import copy
|
|
2
|
+
import re
|
|
2
3
|
|
|
3
4
|
from xbase_util.xbase_constant import plain_content_type_columns, packetKeyname, src_dst_header, statisticHeader, \
|
|
4
5
|
features_key, plain_body_columns, http_version_pattern, http_req_method_pattern, http_req_path_pattern, \
|
|
5
|
-
res_status_code_pattern
|
|
6
|
+
res_status_code_pattern, pcap_flow_text_column, abnormal_features_column
|
|
6
7
|
|
|
7
8
|
|
|
8
9
|
def content_type_is_plain(packet):
|
|
@@ -28,7 +29,8 @@ def get_all_columns(
|
|
|
28
29
|
contains_statistic_column=False,
|
|
29
30
|
contains_features_column=False,
|
|
30
31
|
contains_plain_body_column=False,
|
|
31
|
-
contains_pcap_flow_text=False
|
|
32
|
+
contains_pcap_flow_text=False,
|
|
33
|
+
contains_abnormal_features_column=False,
|
|
32
34
|
):
|
|
33
35
|
result_columns = []
|
|
34
36
|
if contains_packet_column:
|
|
@@ -42,7 +44,9 @@ def get_all_columns(
|
|
|
42
44
|
if contains_plain_body_column:
|
|
43
45
|
result_columns += plain_body_columns
|
|
44
46
|
if contains_pcap_flow_text:
|
|
45
|
-
result_columns.append(
|
|
47
|
+
result_columns.append(pcap_flow_text_column)
|
|
48
|
+
if contains_abnormal_features_column:
|
|
49
|
+
result_columns.append(abnormal_features_column)
|
|
46
50
|
return result_columns
|
|
47
51
|
|
|
48
52
|
|
|
@@ -122,4 +126,50 @@ def get_detail_by_package(publicField, req_header, req_body, res_header, res_bod
|
|
|
122
126
|
res_field[f"src_{key}"] = value
|
|
123
127
|
if f"dst_{key}" in src_dst_header:
|
|
124
128
|
res_field[f"dst_{key}"] = value
|
|
129
|
+
res_field['abnormal_has_xff'] = has_xss_injection([req_body])
|
|
130
|
+
res_field['abnormal_has_dir_penetration'] = has_dir_penetration([req_header,req_body])
|
|
131
|
+
res_field['abnormal_has_templates_injection'] = has_templates_injection([req_header,req_body])
|
|
132
|
+
res_field['abnormal_has_crlf_injection'] = has_crlf_injection([req_header,req_body])
|
|
133
|
+
res_field['abnormal_has_xxe_attack'] = has_xxe_attack([req_header,req_body])
|
|
134
|
+
res_field['abnormal_has_code_injection_or_execute'] = has_code_injection_or_execute([req_header,req_body])
|
|
135
|
+
res_field['abnormal_has_sql_injection'] = has_sql_injection([req_header,req_body])
|
|
125
136
|
return res_field
|
|
137
|
+
|
|
138
|
+
|
|
139
|
+
def str_list_in_list(str_list, features_list):
|
|
140
|
+
for str_item in str_list:
|
|
141
|
+
if len([item for item in features_list if item in str_item]):
|
|
142
|
+
return True
|
|
143
|
+
return False
|
|
144
|
+
|
|
145
|
+
|
|
146
|
+
def has_dir_penetration(str_list):
|
|
147
|
+
return str_list_in_list(str_list, features_list=["../", "/..", "..", "%2e%2e", "%2F.."])
|
|
148
|
+
|
|
149
|
+
|
|
150
|
+
def has_sql_injection(str_list):
|
|
151
|
+
return str_list_in_list(str_list, features_list=['%20union%20select', '--'])
|
|
152
|
+
|
|
153
|
+
|
|
154
|
+
def has_xss_injection(str_list):
|
|
155
|
+
pattern = re.compile(r"<script>alert.*?onerror=alert.*?<script>prompt.*?alert\(")
|
|
156
|
+
for str_item in str_list:
|
|
157
|
+
if pattern.search(str_item):
|
|
158
|
+
return True
|
|
159
|
+
return False
|
|
160
|
+
|
|
161
|
+
|
|
162
|
+
def has_templates_injection(str_list):
|
|
163
|
+
return str_list_in_list(str_list, features_list=["{{", "}}"])
|
|
164
|
+
|
|
165
|
+
|
|
166
|
+
def has_crlf_injection(str_list):
|
|
167
|
+
return str_list_in_list(str_list, features_list=["%0D%0A"])
|
|
168
|
+
|
|
169
|
+
|
|
170
|
+
def has_xxe_attack(str_list):
|
|
171
|
+
return str_list_in_list(str_list, features_list=['"SYSTEM "'])
|
|
172
|
+
|
|
173
|
+
|
|
174
|
+
def has_code_injection_or_execute(str_list):
|
|
175
|
+
return str_list_in_list(str_list, features_list=['command', 'var_dump', 'execute(', 'md5('])
|
|
@@ -223,7 +223,7 @@ regex_patterns = {
|
|
|
223
223
|
re.IGNORECASE)
|
|
224
224
|
}
|
|
225
225
|
# 可见的content-type值
|
|
226
|
-
plain_content_type_columns = ['text/json;charset=gbk','text/javascript','text/css','text/html;charset=gb2312',
|
|
226
|
+
plain_content_type_columns = ['text/json;charset=gbk', 'text/javascript', 'text/css', 'text/html;charset=gb2312',
|
|
227
227
|
'application/xml;charset=gbk', 'application/xml;charset=utf_8', 'application/tlt_notify',
|
|
228
228
|
'application/json;charset=gbk', 'text/xml;charset=utf_8', 'application/json',
|
|
229
229
|
'text/csv;charset=utf_8', 'application/json;charse=utf_8',
|
|
@@ -285,6 +285,10 @@ packetKeyname = ['id', 'segmentCnt', 'tcpflags.rst', 'tcpflags.ack', 'tcpflags.s
|
|
|
285
285
|
"ua_duplicate_count"]
|
|
286
286
|
plain_body_columns = ["plain_body_src",
|
|
287
287
|
"plain_body_dst"]
|
|
288
|
+
abnormal_features_column = ['abnormal_has_xff', 'abnormal_has_dir_penetration', 'abnormal_has_templates_injection',
|
|
289
|
+
'abnormal_has_crlf_injection', 'abnormal_has_xxe_attack',
|
|
290
|
+
'abnormal_has_code_injection_or_execute', 'abnormal_has_sql_injection']
|
|
291
|
+
pcap_flow_text_column = ['pcap_flow_text']
|
|
288
292
|
|
|
289
293
|
pattern_chuncked = re.compile(rb"Transfer-Encoding:\s*chunked", re.IGNORECASE)
|
|
290
294
|
pattern_gzip = re.compile(rb"Content-Encoding:\s*gzip", re.IGNORECASE)
|
|
@@ -292,4 +296,4 @@ pattern_gzip = re.compile(rb"Content-Encoding:\s*gzip", re.IGNORECASE)
|
|
|
292
296
|
http_version_pattern = re.compile(r"HTTP\/(\d\.\d)")
|
|
293
297
|
http_req_method_pattern = re.compile(r"(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) \/[^\s]* HTTP\/\d\.\d")
|
|
294
298
|
http_req_path_pattern = re.compile(r"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH)\s+(\/[^\s]*)\s+HTTP\/\d\.\d")
|
|
295
|
-
res_status_code_pattern = re.compile(r"HTTP\/\d\.\d\s+(\d{3})\s+.*")
|
|
299
|
+
res_status_code_pattern = re.compile(r"HTTP\/\d\.\d\s+(\d{3})\s+.*")
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|