authorLuca Deri <deri@ntop.org>2021-06-08 17:52:03 +0200
committerLuca Deri <deri@ntop.org>2021-06-08 17:52:03 +0200
commitd3aa3df97520fb6a00a05cd54aedc8efc35fdeff (patch)
tree17109010eac98215f0bb47436776fa64a38b6c0b /wireshark
parent41ec807d7974b349d7f0cffbbf002fc853be416b (diff)
Updated scripts
Diffstat (limited to 'wireshark')
-rw-r--r--wireshark/sharkfest_scripts/dns_request_reply_ratio.lua48
-rw-r--r--wireshark/sharkfest_scripts/http_request_reply_ratio.lua62
-rw-r--r--wireshark/sharkfest_scripts/tcp_no_data_exchanged.lua38
3 files changed, 109 insertions, 39 deletions
diff --git a/wireshark/sharkfest_scripts/dns_request_reply_ratio.lua b/wireshark/sharkfest_scripts/dns_request_reply_ratio.lua
index 4cac059f4..f0b9606a3 100644
--- a/wireshark/sharkfest_scripts/dns_request_reply_ratio.lua
+++ b/wireshark/sharkfest_scripts/dns_request_reply_ratio.lua
@@ -1,11 +1,10 @@
-
--
--- Sharkfest 2021
+-- (C) 2021 - ntop.org
--
-- This is going to be an example of a lua script that can be written for cybersecurity reasons.
-- DNS Request/Reply Ratio:
-
+local f_dns = Field.new("dns")
local f_dns_response_flag = Field.new("dns.flags.response")
local f_ip_src = Field.new("ip.src")
local f_ip_dst = Field.new("ip.dst")
@@ -41,11 +40,12 @@ end
local function processPackets(pinfo,tvb, dns_table)
-- Call the function that extracts the field
- local dns = f_dns_response_flag()
+ local dns_traffic = f_dns()
+ local dns_flag = f_dns_response_flag()
--Check if there is an DNS request or reply
- if dns then
- if dns.value == false then
+ if dns_traffic then
+ if dns_flag.value == false then
local src = getstring(f_ip_src().value)
local dst = getstring(f_ip_dst().value)
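Review bot: The `dns_flag.value` read on the `if dns_flag.value == false then` line is no longer guarded: the old code tested the response-flag field itself before touching `.value`, while the new code only tests `dns_traffic`, so a frame the dns dissector claims but in which `dns.flags.response` is absent (presumably a truncated or malformed DNS header) makes `dns_flag` nil and raises a Lua error that stops the tap. Guard both fields, `if dns_traffic and dns_flag then`, so a single malformed packet cannot silence the detector. The same unguarded `.value` pattern sits on the context lines `getstring(f_ip_src().value)` / `getstring(f_ip_dst().value)`, which return nil for DNS carried over IPv6, though that predates this commit. processPackets continues past the end of the hunk.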
@@ -87,12 +87,14 @@ local function dnsReqRepRatio()
-- This function will be called once every few seconds to update our window
function tap.draw(t)
tw:clear()
+
+ local dangerous_flows = {}
+ local ok_flows = {}
- for flow in pairs(dns_table) do
+ for flow, data in pairs(dns_table) do
local requests = dns_table[flow]["requests"]
local replies = dns_table[flow]["replies"]
local ratio = 0
- local danger = ""
if replies == 0 then
ratio = 0
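Review bot: With `data` now bound by the loop header `for flow, data in pairs(dns_table) do`, the two lookups `dns_table[flow]["requests"]` and `dns_table[flow]["replies"]` re-index the outer table for a value already in hand; `local requests = data["requests"]` and `local replies = data["replies"]` read the same fields and match the `data[...]` style the new per-flow output loop uses further down in this file. The rest of tap.draw, including the ratio computation, is outside this hunk.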
@@ -101,11 +103,33 @@ local function dnsReqRepRatio()
end
if ratio ~= 1 then
- danger = "-- DANGER: RATIO NOT 1 --\n"
+ dangerous_flows[#dangerous_flows + 1] = data
+ dangerous_flows[#dangerous_flows]["flow"] = flow
+ dangerous_flows[#dangerous_flows]["ratio"] = ratio
+ else
+ ok_flows[#ok_flows + 1] = data
+ ok_flows[#ok_flows]["flow"] = flow
+ ok_flows[#ok_flows]["ratio"] = ratio
end
-
- tw:append(danger .. flow .. ":\n\tRatio: " .. (ratio) .. "\n\tRequests: " .. requests .. "\n\tReplies: " .. replies .. "\n\n");
end
+
+ if #dangerous_flows > 0 then
+ tw:append("------------- DETECTED DNS REQUEST/REPLY RATIO -------------\n")
+ tw:append("------------- TOT SUSPICIOUS FLOWS DETECTED: " .. #dangerous_flows .. " -------------\n")
+ else
+ tw:append("------------- DNS REQUEST/REPLY RATIO SEEMS FINE -------------\n")
+ end
+
+ tw:append("------------- TOTAL DNS FLOWS DETECTED: " .. #dangerous_flows + #ok_flows .. " -------------\n\n")
+
+ for _, data in pairs(dangerous_flows) do
+ local flow = data["flow"]
+ local requests = data["requests"]
+ local replies = data["replies"]
+ local ratio = data["ratio"]
+
+ tw:append(flow .. ":\n\tRatio: " .. (ratio) .. "\n\tRequests: " .. requests .. "\n\tReplies: " .. replies .. "\n\n");
+ end
end
-- This function will be called whenever a reset is needed
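Review bot: The alert condition `if ratio ~= 1 then` flags every flow whose two counters are momentarily unequal, so on a live capture any client with one query in flight or one retransmitted query lands in the suspicious list and the `SEEMS FINE` banner is almost never shown; the ratio itself is computed on lines outside this hunk, but from what is visible exact equality is the only criterion. A minimum sample size and a tolerance would keep the banner meaningful, e.g. `local MIN_PACKETS, TOLERANCE = 5, 0.25` before the loop and `if (requests + replies) >= MIN_PACKETS and math.abs(ratio - 1) > TOLERANCE then` as the condition, with the thresholds tuned to the site. Separately, `dangerous_flows[#dangerous_flows + 1] = data` stores the very table held in `dns_table[flow]`, so the `["flow"]` and `["ratio"]` writes that follow persist in the tap's accumulator between draws; pushing a fresh table, `{ flow = flow, ratio = ratio, requests = requests, replies = replies }`, keeps display state out of the per-flow counters. The enclosing dnsReqRepRatio function continues outside the hunk.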
@@ -120,4 +144,4 @@ local function dnsReqRepRatio()
end
-- Register the menu Entry
-register_menu("Sharkfest/DNS Request-Reply Ratio", dnsReqRepRatio, MENU_TOOLS_UNSORTED) \ No newline at end of file
+register_menu("Sharkfest/DNS Request-Reply Ratio", dnsReqRepRatio, MENU_TOOLS_UNSORTED)
diff --git a/wireshark/sharkfest_scripts/http_request_reply_ratio.lua b/wireshark/sharkfest_scripts/http_request_reply_ratio.lua
index 1e89ec033..b10498f7e 100644
--- a/wireshark/sharkfest_scripts/http_request_reply_ratio.lua
+++ b/wireshark/sharkfest_scripts/http_request_reply_ratio.lua
@@ -1,6 +1,5 @@
-
--
--- Sharkfest 2021
+-- (C) 2021 - ntop.org
--
-- This is going to be an example of a lua script that can be written for cybersecurity reasons.
-- HTTP Request/Reply Ratio:
@@ -8,6 +7,7 @@
-- that there are problems with the client that is sending the requests or there are problems with
-- the server that should receive those requests.
+local f_http = Field.new("http")
local f_http_request = Field.new("http.request")
local f_http_reply = Field.new("http.response")
local f_ip_src = Field.new("ip.src")
@@ -44,20 +44,23 @@ end
local function processPackets(pinfo,tvb, http_table)
-- Call the function that extracts the field
+ local http_traffic = f_http()
local http_request = f_http_request()
local http_reply = f_http_reply()
--Check if there is an HTTP request or reply
- if http_request then
- local src = getstring(f_ip_src().value)
- local dst = getstring(f_ip_dst().value)
-
- http_table = processResponse(http_table, "requests", src, dst)
- elseif http_reply then
- local dst = getstring(f_ip_src().value)
- local src = getstring(f_ip_dst().value)
-
- http_table = processResponse(http_table, "replies", src, dst)
+ if http_traffic then
+ if http_request then
+ local src = getstring(f_ip_src().value)
+ local dst = getstring(f_ip_dst().value)
+
+ http_table = processResponse(http_table, "requests", src, dst)
+ elseif http_reply then
+ local dst = getstring(f_ip_src().value)
+ local src = getstring(f_ip_dst().value)
+
+ http_table = processResponse(http_table, "replies", src, dst)
+ end
end
return http_table
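Review bot: The added outer `if http_traffic then` does not change which frames are counted: as far as I can tell `http.request` and `http.response` are only populated when the http dissector ran, which is exactly when `http` is present, so the guard only adds a nesting level around the unchanged request/reply branches. Keeping the original flat `if http_request then ... elseif http_reply then` reads more directly, and if the intent was to protect the `getstring(f_ip_src().value)` dereferences, those need a nil check of their own since `ip.src` is absent for HTTP over IPv6. A one-line comment for the operator would also help here, e.g. `-- Only cleartext HTTP is dissected as http; an empty report does not mean there was no web traffic`. processPackets ends outside the hunk.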
@@ -90,7 +93,10 @@ local function httpReqRepRatio()
function tap.draw(t)
tw:clear()
- for flow in pairs(http_table) do
+ local dangerous_flows = {}
+ local ok_flows = {}
+
+ for flow, data in pairs(http_table) do
local requests = http_table[flow]["requests"]
local replies = http_table[flow]["replies"]
local ratio = 0
@@ -103,11 +109,33 @@ local function httpReqRepRatio()
end
if ratio ~= 1 then
- danger = "-- DANGER: RATIO NOT 1 --\n"
+ dangerous_flows[#dangerous_flows + 1] = data
+ dangerous_flows[#dangerous_flows]["flow"] = flow
+ dangerous_flows[#dangerous_flows]["ratio"] = ratio
+ else
+ ok_flows[#ok_flows + 1] = data
+ ok_flows[#ok_flows]["flow"] = flow
+ ok_flows[#ok_flows]["ratio"] = ratio
end
-
- tw:append(danger .. flow .. ":\n\tRatio: " .. (ratio) .. "\n\tRequests: " .. requests .. "\n\tReplies: " .. replies .. "\n\n");
end
+
+ if #dangerous_flows > 0 then
+ tw:append("------------- DETECTED HTTP REQUEST/REPLY RATIO -------------\n")
+ tw:append("------------- TOT SUSPICIOUS FLOWS DETECTED: " .. #dangerous_flows .. " -------------\n")
+ else
+ tw:append("------------- HTTP REQUEST/REPLY RATIO SEEMS FINE -------------\n")
+ end
+
+ tw:append("------------- TOTAL HTTP FLOWS DETECTED: " .. #dangerous_flows + #ok_flows .. " -------------\n\n")
+
+ for _, data in pairs(dangerous_flows) do
+ local flow = data["flow"]
+ local requests = data["requests"]
+ local replies = data["replies"]
+ local ratio = data["ratio"]
+
+ tw:append(flow .. ":\n\tRatio: " .. (ratio) .. "\n\tRequests: " .. requests .. "\n\tReplies: " .. replies .. "\n\n");
+ end
end
-- This function will be called whenever a reset is needed
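Review bot: `dangerous_flows[#dangerous_flows + 1] = data` (and the `ok_flows` counterpart) appends the same table object that `http_table[flow]` holds, so the `["flow"]` and `["ratio"]` assignments on the next two lines write into the tap's per-flow accumulator and survive across draws; build the report entry as a fresh table instead, `dangerous_flows[#dangerous_flows + 1] = { flow = flow, ratio = ratio, requests = requests, replies = replies }`, so the display never mutates the counters. The `if ratio ~= 1 then` test is also strict equality on a live counter pair, meaning a single in-flight request (HTTP is request-then-response by design) marks the flow suspicious until the reply arrives; the ratio is computed outside this hunk, but a small tolerance such as `math.abs(ratio - 1) > TOLERANCE` with a minimum sample count would make the `SEEMS FINE` branch reachable on real traffic. The enclosing httpReqRepRatio function continues outside the hunk.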
@@ -122,4 +150,4 @@ local function httpReqRepRatio()
end
-- Register the menu Entry
-register_menu("Sharkfest/HTTP Request-Reply Ratio", httpReqRepRatio, MENU_TOOLS_UNSORTED) \ No newline at end of file
+register_menu("Sharkfest/HTTP Request-Reply Ratio", httpReqRepRatio, MENU_TOOLS_UNSORTED)
diff --git a/wireshark/sharkfest_scripts/tcp_no_data_exchanged.lua b/wireshark/sharkfest_scripts/tcp_no_data_exchanged.lua
index 7d9ac9839..bac378f2b 100644
--- a/wireshark/sharkfest_scripts/tcp_no_data_exchanged.lua
+++ b/wireshark/sharkfest_scripts/tcp_no_data_exchanged.lua
@@ -1,6 +1,5 @@
-
--
--- Sharkfest 2021
+-- (C) 2021 - ntop.org
--
-- This is going to be an example of a lua script that can be written for cybersecurity reasons.
-- TCP No Data Exchanged:
@@ -98,18 +97,37 @@ local function tcpPayload()
-- This function will be called once every few seconds to update our window
function tap.draw(t)
tw:clear()
+
+ local dangerous_flows = {}
+ local ok_flows = {}
- for flow in pairs(tcp_table) do
- local payload = tcp_table[flow]["payload"]
- local fin = tcp_table[flow]["fin"]
- local danger = ""
+ for flow, data in pairs(tcp_table) do
+ local payload = data["payload"]
if tonumber(payload) == 0 then
- danger = "-- DANGER: NO DATA EXCHANGED FOR THIS FLOW --\n"
+ dangerous_flows[#dangerous_flows + 1] = data
+ dangerous_flows[#dangerous_flows]["flow"] = flow
+ else
+ ok_flows[#ok_flows + 1] = data
+ ok_flows[#ok_flows]["flow"] = flow
end
-
- tw:append(danger .. flow .. ":\n\tPayload: " .. payload .. "\n\tFlow Ended: " .. tostring(fin) .. "\n\n");
end
+
+ if #dangerous_flows > 0 then
+ tw:append("------------- DETECTED TCP NO DATA EXCHANGED -------------\n")
+ tw:append("------------- TOT SUSPICIOUS FLOWS DETECTED: " .. #dangerous_flows .. "\n")
+ else
+ tw:append("------------- NO DATA EXCHANGED NOT DETECTED -------------\n")
+ end
+
+ tw:append("------------- TOTAL FLOWS DETECTED: " .. #dangerous_flows + #ok_flows .. "\n\n")
+
+ for _, data in pairs(dangerous_flows) do
+ local flow = data["flow"]
+ local payload = data["payload"]
+
+ tw:append(flow .. ":\n\tPayload Len: " .. payload .. "\n\n");
+ end
end
-- This function will be called whenever a reset is needed
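Review bot: The flagging condition `if tonumber(payload) == 0 then` no longer distinguishes a connection that closed without ever carrying data (the probe/scan signature this script is named for) from one whose handshake just completed, so on a live capture every fresh connection is listed as suspicious until its first data segment; the removed lines read `tcp_table[flow]["fin"]`, which was the one signal separating those cases, and the new report drops it entirely. If `fin` is still maintained by the packet handler (outside this hunk), use it, `if tonumber(payload) == 0 and data["fin"] then`, and restore it in the output, `"\n\tFlow Ended: " .. tostring(data["fin"])`, so an analyst can tell an idle open socket from a completed empty connection. Whether an RST-closed probe sets `fin` cannot be seen from here and is worth confirming, since RST is the usual close for a refused port. tap.draw lies wholly in the hunk, but the enclosing tcpPayload function continues outside it.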
@@ -124,4 +142,4 @@ local function tcpPayload()
end
-- Register the menu Entry
-register_menu("Sharkfest/TCP No Data Exchanged", tcpPayload, MENU_TOOLS_UNSORTED) \ No newline at end of file
+register_menu("Sharkfest/TCP No Data Exchanged", tcpPayload, MENU_TOOLS_UNSORTED)