1 # This file is part of Scapy 2 # Scapy is free software: you can redistribute it and/or modify 3 # it under the terms of the GNU General Public License as published by 4 # the Free Software Foundation, either version 2 of the License, or 5 # any later version. 6 # 7 # Scapy is distributed in the hope that it will be useful, 8 # but WITHOUT ANY WARRANTY; without even the implied warranty of 9 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 10 # GNU General Public License for more details. 11 # 12 # You should have received a copy of the GNU General Public License 13 # along with Scapy. If not, see <http://www.gnu.org/licenses/>. 14 15 # Author: Sylvain SARMEJEANNE 16 17 # scapy.contrib.description = Ubberlogger dissectors 18 # scapy.contrib.status = loads 19 20 from scapy.packet import * 21 from scapy.fields import * 22 23 # Syscalls known by Uberlogger 24 uberlogger_sys_calls = {0:"READ_ID", 25 1:"OPEN_ID", 26 2:"WRITE_ID", 27 3:"CHMOD_ID", 28 4:"CHOWN_ID", 29 5:"SETUID_ID", 30 6:"CHROOT_ID", 31 7:"CREATE_MODULE_ID", 32 8:"INIT_MODULE_ID", 33 9:"DELETE_MODULE_ID", 34 10:"CAPSET_ID", 35 11:"CAPGET_ID", 36 12:"FORK_ID", 37 13:"EXECVE_ID"} 38 39 # First part of the header 40 class Uberlogger_honeypot_caract(Packet): 41 name = "Uberlogger honeypot_caract" 42 fields_desc = [ByteField("honeypot_id", 0), 43 ByteField("reserved", 0), 44 ByteField("os_type_and_version", 0)] 45 46 # Second part of the header 47 class Uberlogger_uber_h(Packet): 48 name = "Uberlogger uber_h" 49 fields_desc = [ByteEnumField("syscall_type", 0, uberlogger_sys_calls), 50 IntField("time_sec", 0), 51 IntField("time_usec", 0), 52 IntField("pid", 0), 53 IntField("uid", 0), 54 IntField("euid", 0), 55 IntField("cap_effective", 0), 56 IntField("cap_inheritable", 0), 57 IntField("cap_permitted", 0), 58 IntField("res", 0), 59 IntField("length", 0)] 60 61 # The 9 following classes are options depending on the syscall type 62 class Uberlogger_capget_data(Packet): 63 name = "Uberlogger capget_data" 64 fields_desc = [IntField("target_pid", 0)] 65 66 class Uberlogger_capset_data(Packet): 67 name = "Uberlogger capset_data" 68 fields_desc = [IntField("target_pid", 0), 69 IntField("effective_cap", 0), 70 IntField("permitted_cap", 0), 71 IntField("inheritable_cap", 0)] 72 73 class Uberlogger_chmod_data(Packet): 74 name = "Uberlogger chmod_data" 75 fields_desc = [ShortField("mode", 0)] 76 77 class Uberlogger_chown_data(Packet): 78 name = "Uberlogger chown_data" 79 fields_desc = [IntField("uid", 0), 80 IntField("gid", 0)] 81 82 class Uberlogger_open_data(Packet): 83 name = "Uberlogger open_data" 84 fields_desc = [IntField("flags", 0), 85 IntField("mode", 0)] 86 87 class Uberlogger_read_data(Packet): 88 name = "Uberlogger read_data" 89 fields_desc = [IntField("fd", 0), 90 IntField("count", 0)] 91 92 class Uberlogger_setuid_data(Packet): 93 name = "Uberlogger setuid_data" 94 fields_desc = [IntField("uid", 0)] 95 96 class Uberlogger_create_module_data(Packet): 97 name = "Uberlogger create_module_data" 98 fields_desc = [IntField("size", 0)] 99 100 class Uberlogger_execve_data(Packet): 101 name = "Uberlogger execve_data" 102 fields_desc = [IntField("nbarg", 0)] 103 104 # Layer bounds for Uberlogger 105 bind_layers(Uberlogger_honeypot_caract,Uberlogger_uber_h) 106 bind_layers(Uberlogger_uber_h,Uberlogger_capget_data) 107 bind_layers(Uberlogger_uber_h,Uberlogger_capset_data) 108 bind_layers(Uberlogger_uber_h,Uberlogger_chmod_data) 109 bind_layers(Uberlogger_uber_h,Uberlogger_chown_data) 110 bind_layers(Uberlogger_uber_h,Uberlogger_open_data) 111 bind_layers(Uberlogger_uber_h,Uberlogger_read_data) 112 bind_layers(Uberlogger_uber_h,Uberlogger_setuid_data) 113 bind_layers(Uberlogger_uber_h,Uberlogger_create_module_data) 114 bind_layers(Uberlogger_uber_h,Uberlogger_execve_data) 115
