From a129479c0197df5171b455a0f6ef026842cdd525 Mon Sep 17 00:00:00 2001
From: Yash Sancheti <32770175+Onyx2406@users.noreply.github.com>
Date: Sat, 18 Mar 2023 23:19:19 +0530
Subject: [PATCH 1/3] Update http_analyzer.py
---
 modules/http_analyzer/http_analyzer.py | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/modules/http_analyzer/http_analyzer.py b/modules/http_analyzer/http_analyzer.py
index 969cd00e2..b81e26233 100644
--- a/modules/http_analyzer/http_analyzer.py
+++ b/modules/http_analyzer/http_analyzer.py
@@ -3,6 +3,8 @@
 import multiprocessing
 from slips_files.core.database.database import __database__
 from slips_files.common.config_parser import ConfigParser
+from typing import Optional
+from user_agents import parse as ua_parse
 from slips_files.common.slips_utils import utils
 import sys
 import traceback
@@ -53,6 +55,14 @@ def print(self, text, verbose=1, debug=0):
 def read_configuration(self):
 conf = ConfigParser()
 self.pastebin_downloads_threshold = conf.get_pastebin_download_threshold()
+
+ def findject(self, host: str, uri: str, user_agent: str) -> Optional[str]:
+ parsed_ua = ua_parse(user_agent)
+ if not parsed_ua.is_bot and not parsed_ua.is_mobile and not parsed_ua.is_tablet:
+ if host.lower() in self.hosts:
+ if "html" in uri.lower() or "htm" in uri.lower():
+ return f"Possible QuantumInsert MOTS attack: {host}{uri} with user-agent {user_agent}"
+ return None
 def check_suspicious_user_agents(
 self, uid, host, uri, timestamp, user_agent, profileid, twid
@@ -81,6 +91,12 @@ def check_suspicious_user_agents(
 profileid=profileid, twid=twid, uid=uid)
 return True
 return False
+
+ findject_result = self.findject(host, uri, user_agent)
+ if findject_result:
+ self.print(findject_result, verbose=2)
+ return True
+ return False
 def check_multiple_empty_connections(
 self, uid, contacted_host, timestamp, request_body_len, profileid, twid
From 4a24fb774f02b28362a48ef6fbc51f53754bb204 Mon Sep 17 00:00:00 2001
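Review bot: `host.lower() in self.hosts` reads an attribute that no hunk of this series initialises — neither `read_configuration` nor any other visible code assigns `self.hosts` — so unless it is set somewhere outside the patch, the first HTTP flow from a desktop user agent raises AttributeError inside the detection path. The heuristic itself only establishes that a non-bot, non-mobile client fetched an HTML-looking URI from a listed host, which is ordinary browsing rather than evidence of an injected response; a QuantumInsert indicator needs packet-level data (duplicate TCP segments with conflicting payloads), and `"htm" in uri.lower()` already subsumes the `"html"` test. Patch 2/3 of this series deletes the function again, so this mainly matters if 1/3 is ever applied on its own.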
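Review bot: The appended `findject_result = self.findject(host, uri, user_agent)` block is placed after the function's existing `return False`, the last statement before `def check_multiple_empty_connections`, so as positioned it can never execute and no flow ever reaches the new check. Either the call moves above the final return, or that `return False` becomes conditional; since patch 2/3 removes this block, no change is needed when the series is applied as a whole. check_suspicious_user_agents starts outside this hunk.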
From: Yash Sancheti <32770175+Onyx2406@users.noreply.github.com>
Date: Sat, 18 Mar 2023 23:43:46 +0530
Subject: [PATCH 2/3] Update http_analyzer.py
---
 modules/http_analyzer/http_analyzer.py | 38 +++++++++++++++++---------
 1 file changed, 25 insertions(+), 13 deletions(-)
diff --git a/modules/http_analyzer/http_analyzer.py b/modules/http_analyzer/http_analyzer.py
index b81e26233..30d410c75 100644
--- a/modules/http_analyzer/http_analyzer.py
+++ b/modules/http_analyzer/http_analyzer.py
@@ -1,6 +1,8 @@
 from slips_files.common.abstracts import Module
 import multiprocessing
+from scapy.all import sniff, IP, TCP
+from collections import defaultdict
 from slips_files.core.database.database import __database__
 from slips_files.common.config_parser import ConfigParser
 from typing import Optional
@@ -11,6 +13,7 @@
 import json
 import urllib
 import requests
+import hashlib
 class Module(Module, multiprocessing.Process):
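Review bot: `from scapy.all import sniff, IP, TCP` adds a new third-party runtime dependency and pulls scapy's entire protocol stack in at module import time, which is slow and noisy for code that needs three names; prefer `from scapy.layers.inet import IP, TCP` and `from scapy.sendrecv import sniff`. The project's requirements file is not part of this series, so please confirm scapy is declared (and pinned) there — an undeclared dependency makes the whole http_analyzer module fail to import rather than just this detection. `from typing import Optional` is kept as context although its only user, `findject`, is removed in the next hunk.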
@@ -56,13 +59,26 @@ def read_configuration(self):
 conf = ConfigParser()
 self.pastebin_downloads_threshold = conf.get_pastebin_download_threshold()
- def findject(self, host: str, uri: str, user_agent: str) -> Optional[str]:
- parsed_ua = ua_parse(user_agent)
- if not parsed_ua.is_bot and not parsed_ua.is_mobile and not parsed_ua.is_tablet:
- if host.lower() in self.hosts:
- if "html" in uri.lower() or "htm" in uri.lower():
- return f"Possible QuantumInsert MOTS attack: {host}{uri} with user-agent {user_agent}"
- return None
+ def detect_quantum_insert_mots(self, packet):
+ """
+ Detect Quantum Insert attacks with More-On-The-Side (MOTS) technique.
+ """
+ if IP in packet and TCP in packet:
+ src_ip = packet[IP].src
+ dst_ip = packet[IP].dst
+ src_port = packet[TCP].sport
+ dst_port = packet[TCP].dport
+ seq = packet[TCP].seq
+ payload = packet[TCP].payload
+ payload_hash = hashlib.sha256(bytes(payload)).hexdigest()
+
+ connection_key = (src_ip, dst_ip, src_port, dst_port, seq)
+ if connection_key in self.packet_hashes:
+ # Check if payloads are different for the same connection_key
+ if payload_hash != self.packet_hashes[connection_key]:
+ self.print(f"Potential Quantum Insert MOTS detected: {connection_key}", verbose=1)
+ else:
+ self.packet_hashes[connection_key] = payload_hash
 def check_suspicious_user_agents(
 self, uid, host, uri, timestamp, user_agent, profileid, twid
@@ -91,12 +107,6 @@ def check_suspicious_user_agents(
 profileid=profileid, twid=twid, uid=uid)
 return True
 return False
-
- findject_result = self.findject(host, uri, user_agent)
- if findject_result:
- self.print(findject_result, verbose=2)
- return True
- return False
 def check_multiple_empty_connections(
 self, uid, contacted_host, timestamp, request_body_len, profileid, twid
@@ -469,6 +479,7 @@ def shutdown_gracefully(self):
 def run(self):
 utils.drop_root_privs()
+ self.packet_hashes = defaultdict(str)
 # Main loop function
 while True:
 try:
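Review bot: `self.packet_hashes[connection_key] = payload_hash` runs for every TCP segment whose (addresses, ports, seq) tuple is new and nothing ever evicts an entry, so on a live link the dict grows without bound and any remote peer can inflate it at will — a memory-exhaustion path inside a sensor process. Payload-less segments (pure ACKs, SYN/FIN) are hashed and stored as well although they can never be an injected reply, and a legitimate retransmission that is re-segmented to a different length shares the key with a different hash and fires the alert. The rewrite below skips empty segments, evicts the oldest key once a cap is reached and leaves the `self.print` message unchanged; the hit should additionally be recorded as evidence the way the other checks in this file appear to do (the `profileid=..., twid=..., uid=...` call in the next hunk's context), which needs a mapping from the sniffed 4-tuple to a Slips profile that this code does not yet have.
```python
    # upper bound on tracked segments; the oldest entry is evicted first
    MAX_TRACKED_SEGMENTS = 100_000

    def detect_quantum_insert_mots(self, packet):
        # … unchanged: docstring …
        if IP not in packet or TCP not in packet:
            return
        payload = bytes(packet[TCP].payload)
        if not payload:
            # pure ACK/SYN/FIN segments carry no data and cannot be an injected reply
            return
        payload_hash = hashlib.sha256(payload).hexdigest()
        connection_key = (packet[IP].src, packet[IP].dst,
                          packet[TCP].sport, packet[TCP].dport, packet[TCP].seq)
        seen_hash = self.packet_hashes.get(connection_key)
        if seen_hash is None:
            self.packet_hashes[connection_key] = payload_hash
            # dicts preserve insertion order, so the first key is the oldest
            while len(self.packet_hashes) > self.MAX_TRACKED_SEGMENTS:
                del self.packet_hashes[next(iter(self.packet_hashes))]
        elif seen_hash != payload_hash:
            self.print(f"Potential Quantum Insert MOTS detected: {connection_key}", verbose=1)
```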
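Review bot: `self.packet_hashes = defaultdict(str)` is created inside `run()` rather than where the module's other instance state is set up (not visible in this series), so `detect_quantum_insert_mots` raises AttributeError if it is ever invoked before the main loop starts, e.g. from a unit test. A plain `self.packet_hashes = {}` is enough, because the method tests membership before assigning and never relies on the default factory. The `utils.drop_root_privs()` on the preceding line is relevant to the `sniff()` call added in the next hunk. `run()` continues past this hunk.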
@@ -561,6 +572,7 @@ def run(self):
 twid,
 uid
 )
+ sniff(filter="tcp", prn=self.detect_quantum_insert_mots, count=10000)
 except KeyboardInterrupt:
 self.shutdown_gracefully()
From 8fedd51deea67768ebf986b465c64764273c430e Mon Sep 17 00:00:00 2001
From: Yash Sancheti <32770175+Onyx2406@users.noreply.github.com>
Date: Sun, 19 Mar 2023 00:52:50 +0530
Subject: [PATCH 3/3] Added function to detect http executable mime type
---
 modules/http_analyzer/http_analyzer.py | 34 ++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
diff --git a/modules/http_analyzer/http_analyzer.py b/modules/http_analyzer/http_analyzer.py
index 30d410c75..543294a7a 100644
--- a/modules/http_analyzer/http_analyzer.py
+++ b/modules/http_analyzer/http_analyzer.py
@@ -59,6 +59,31 @@ def read_configuration(self):
 conf = ConfigParser()
 self.pastebin_downloads_threshold = conf.get_pastebin_download_threshold()
+ def detect_executable_mime_types(self, resp_mime_types, profileid, twid, uid, timestamp):
+ if resp_mime_types:
+ executable_mime_types = [
+ 'application/x-msdownload',
+ 'application/x-ms-dos-executable',
+ 'application/x-ms-exe',
+ 'application/x-exe',
+ 'application/x-winexe',
+ 'application/x-winhlp',
+ 'application/x-winhelp',
+ 'application/octet-stream'
+ ]
+
+ for mime_type in resp_mime_types:
+ if mime_type in executable_mime_types:
+ self.print(f'Detected executable mime type: {mime_type}', 0, 1)
+ self.report_executable_mime_type(
+ mime_type,
+ profileid,
+ twid,
+ uid,
+ timestamp
+ )
+ break
+
 def detect_quantum_insert_mots(self, packet):
 """
 Detect Quantum Insert attacks with More-On-The-Side (MOTS) technique.
@@ -572,6 +597,15 @@ def run(self):
 twid,
 uid
 )
+
+ self.detect_executable_mime_types(
+ resp_mime_types,
+ profileid,
+ twid,
+ uid,
+ timestamp
+ )
+
 sniff(filter="tcp", prn=self.detect_quantum_insert_mots, count=10000)
 except KeyboardInterrupt:
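Review bot: `sniff(filter="tcp", prn=self.detect_quantum_insert_mots, count=10000)` opens a raw capture socket, which on Linux requires root or CAP_NET_RAW, yet `run()` calls `utils.drop_root_privs()` before entering this loop (context of the previous hunk), so the capture will presumably fail with a permission error — and if it does succeed, the call blocks the message loop with no `timeout`, `iface` or `store=False` until 10,000 TCP packets arrive, stalling every other HTTP check and keeping all captured packets in memory. It is also re-invoked once per processed flow, and when Slips reads a pcap or Zeek logs there is no live interface to sniff at all. A live capture belongs in its own thread or process started once (e.g. `AsyncSniffer(filter="tcp", prn=..., store=False)`), or better, the duplicate-segment signal should be derived from the input Slips already consumes rather than captured a second time. `run()` and its `try` block start outside this hunk.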
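Review bot: `'application/octet-stream'` in `executable_mime_types` is the generic fallback for any binary body (archives, firmware blobs, mis-served images or PDFs), so this check will flag a large share of ordinary downloads, while the list still misses the types sniffers such as libmagic and Zeek commonly emit for PE and ELF files (e.g. `application/x-dosexec`, `application/vnd.microsoft.portable-executable`, `application/x-executable`); drop octet-stream or require a second signal before reporting. `self.report_executable_mime_type(...)` is not defined in any hunk of this series, so unless it exists elsewhere in the file the first match raises AttributeError instead of reporting. Hoist the list to a class-level `frozenset` and compare with `mime_type.lower()`, since the per-call rebuild and exact-case comparison are both avoidable. A one-line docstring stating that `resp_mime_types` is expected to be an iterable of MIME strings from the HTTP response would help the caller added in the next hunk.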
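Review bot: The new `self.detect_executable_mime_types(resp_mime_types, ...)` call iterates whatever `resp_mime_types` holds, and nothing in this hunk shows that variable being parsed into a list; if `run()` passes the field as it appears in a tab-separated log (a comma-joined string), `for mime_type in resp_mime_types` walks single characters and can never match. Please confirm the variable is a list at this point, or normalise it at the call site, e.g. `resp_mime_types.split(',') if isinstance(resp_mime_types, str) else resp_mime_types`. The call also sits immediately before the blocking `sniff(...)`, so the executable check for the next flow is delayed until that capture completes. `run()` starts outside this hunk.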