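// createTrigger executes a POST request to create a trigger and returns the
// resulting triggerID. If there was an error the triggerID is set to -1.
//
// script is the JSON body of the trigger and sessionName is the trigger name
// the appliance is expected to report back for it; the ID is recovered by
// listing all triggers afterwards and matching on that name.
func createTrigger(script, sessionName string) int {
	// The POST result used to be discarded, so a rejected trigger only
	// surfaced as a -1 from the lookup below with no indication why.
	created, err := ehop.CreateEhopRequest("POST", "triggers", script, APIKey, Path)
	if err != nil {
		terminate(err.Error())
		return -1
	}
	created.Body.Close()

	response, err := ehop.CreateEhopRequest("GET", "triggers", "none", APIKey, Path)
	if err != nil {
		terminate(err.Error())
		return -1
	}
	for _, trigger := range ConvertResponseToJSONArray(response) {
		if trigger["name"] != sessionName {
			continue
		}
		// An unchecked assertion panicked on a non-numeric id; report
		// "not created" instead so the caller's -1 handling still applies.
		id, ok := trigger["id"].(float64)
		if !ok {
			return -1
		}
		return int(id)
	}
	return -1
}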
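// GetPcaps polls the appliance every two seconds for packet captures named
// sessionName and records each newly seen one in the package-level set,
// keyed by capture id, printing a numbered line per capture as it appears.
// It returns when finish is signalled.
func GetPcaps(sessionName string, finish <-chan bool) {
	ticker := time.NewTicker(2 * time.Second)
	defer ticker.Stop() // the ticker was never stopped before
	for {
		select {
		case <-finish:
			return
		case <-ticker.C:
			response, err := ehop.CreateEhopRequest("GET", "packetcaptures", "none", APIKey, Path)
			if err != nil {
				terminate(err.Error())
				continue
			}
			// NOTE(review): whether ConvertResponseToJSONArray closes
			// response.Body is not visible here — confirm.
			for _, capture := range ConvertResponseToJSONArray(response) {
				if capture["name"] != sessionName {
					continue
				}
				// Every field comes from the appliance; an absent or mistyped
				// one used to panic the whole program mid-capture, so such an
				// entry is skipped instead.
				id, okID := capture["id"].(string)
				ip1, okIP1 := capture["ipaddr1"].(string)
				port1, okPort1 := capture["port1"].(float64)
				ip2, okIP2 := capture["ipaddr2"].(string)
				port2, okPort2 := capture["port2"].(float64)
				proto, okProto := capture["l7proto"].(string)
				if !(okID && okIP1 && okPort1 && okIP2 && okPort2 && okProto) {
					continue
				}
				if set[id] != "" {
					continue // already recorded on an earlier tick
				}
				set[id] = ip1 + " " + fmt.Sprint(port1) + " --- " + ip2 + " " + fmt.Sprint(port2) + " " + proto
				count++
				fmt.Printf("%d %s \n", count, set[id])
			}
		}
	}
}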
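// cleanup attempts to delete any created trigger so the appliance is not
// left running a capture trigger after this program exits. Failures are
// reported but not fatal, since cleanup runs on the way out.
func cleanup() {
	if triggerID == -1 {
		return
	}
	// The id was formatted with fmt.Sprint(float64(...)), which renders large
	// values in exponent form (e.g. 1e+06) and would address the wrong resource.
	resource := "triggers/" + strconv.Itoa(triggerID)
	response, err := ehop.CreateEhopRequest("DELETE", resource, "none", APIKey, Path)
	if err != nil {
		fmt.Println("Could not delete " + resource + ": " + err.Error())
		return
	}
	response.Body.Close()
}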
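// main drives one capture session: it asks for a session name and one or two
// IP addresses, installs a FLOW_CLASSIFY trigger that starts captures for
// matching flows, polls for resulting captures until the user enters 1,
// downloads them into ./pcap, optionally merges them with mergecap, and
// finally deletes the trigger again.
func main() {
	flag.Parse()
	getKeys()
	reader := bufio.NewReader(os.Stdin)

	sessionName := strings.TrimSpace(askForInput("Please enter a name to be used for this session. (Single Word Only Please)"))
	// The name is spliced into both the trigger's JSON body and its
	// JavaScript source, so anything beyond a plain identifier would break
	// (or alter) the generated trigger.
	if !plainToken(sessionName) {
		terminate("Session name must be a single word made of letters, digits, '-' or '_'")
		return
	}

	fmt.Println("A -- > To capture all packets to a single IP address")
	fmt.Println("B -- > To capture all packets sent between 2 IP addresses")
	answer, err := reader.ReadString('\n')
	if err != nil {
		terminate(err.Error())
		return
	}

	var code string
	switch strings.TrimSpace(answer) {
	case "A":
		firstIP := askIP("Please enter the IP address of the server you would like to do a packet capture on")
		code = `if(Flow.client.ipaddr.toString() == '` + firstIP + `' || Flow.server.ipaddr.toString() == '` + firstIP + `'){\nFlow.captureStart('` + sessionName + `');\n}`
	case "B":
		firstIP := askIP("Please enter the first IP address of the server you would like to do a packet capture on")
		// The prompt text itself used to be assigned here, so the user was
		// never asked for the second address.
		secondIP := askIP("Please enter the second IP address of the server you would like to do a packet capture on")
		code = `if(Flow.client.ipaddr.toString() == '` + firstIP + `' && Flow.server.ipaddr.toString() == '` + secondIP + `'){\nFlow.captureStart('` + sessionName + `');\n}\nif(Flow.client.ipaddr.toString() == '` + secondIP + `' && Flow.server.ipaddr.toString() == '` + firstIP + `'){\nFlow.captureStart('` + sessionName + `');\n }`
	default:
		terminate("Need to select either A or B")
		return
	}
	triggerID = createTrigger(triggerScript(sessionName, code), sessionName)
	if triggerID < 0 {
		terminate("Could not create new trigger for packet captures")
		return
	}

	fmt.Printf("Waiting a bit for captures to show up... Press 1 to Quit\n")
	finish := make(chan bool)
	go GetPcaps(sessionName, finish)
	for {
		killsignal, err := reader.ReadString('\n')
		// A closed stdin used to spin this loop forever; treat it as quit.
		if err != nil || strings.TrimSpace(killsignal) == "1" {
			finish <- true // unbuffered: GetPcaps has returned once this send completes
			break
		}
	}

	pcapDir := filepath.Join(".", "pcap")
	// 0755/0644 instead of the previous 0777: captured traffic is sensitive
	// and nothing here needs world-writable files.
	if err := os.MkdirAll(pcapDir, 0755); err != nil {
		terminate(err.Error())
		return
	}
	counter := 1
	for id, desc := range set {
		response, err := ehop.CreateEhopRequest("GET", "packetcaptures/"+id, "none", APIKey, Path)
		if err != nil {
			terminate(err.Error())
			return
		}
		fmt.Println("Downloading... " + desc)
		// desc is assembled from appliance-reported addresses and protocol;
		// Base keeps the file inside pcapDir whatever those contain.
		filename := filepath.Base(desc) + strconv.Itoa(counter) + ".pcap"
		counter++
		data, err := ioutil.ReadAll(response.Body)
		response.Body.Close()
		if err != nil {
			terminate(err.Error())
			return
		}
		if err := ioutil.WriteFile(filepath.Join(pcapDir, filename), data, 0644); err != nil {
			terminate(err.Error())
			return
		}
	}

	fmt.Println("Download successful.... attempting to merge")
	mergecap, installed := findMergecap()
	if !installed {
		// Advisory only: merging is optional, and the previous log.Fatal here
		// skipped cleanup and left the capture trigger on the appliance.
		log.Println("If you would like to have all the packet captures combined into a single one.. please install wireshark")
	} else {
		mergePcaps(mergecap, pcapDir)
	}
	cleanup()
}

// onlyChars reports whether every rune of s appears in allowed.
func onlyChars(s, allowed string) bool {
	for _, r := range s {
		if !strings.ContainsRune(allowed, r) {
			return false
		}
	}
	return true
}

// plainToken reports whether s is a non-empty run of ASCII letters, digits,
// '-' or '_', i.e. safe to embed unescaped in JSON and single-quoted JavaScript.
func plainToken(s string) bool {
	const allowed = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_"
	return s != "" && onlyChars(s, allowed)
}

// askIP prompts for an IP address and aborts unless the answer consists only
// of the characters of dotted-decimal or hex-colon notation. The value is
// pasted verbatim into the trigger's JavaScript source, so nothing else may
// get through.
func askIP(prompt string) string {
	ip := strings.TrimSpace(askForInput(prompt))
	if ip == "" || !onlyChars(ip, "0123456789abcdefABCDEF.:") {
		terminate("Invalid IP address: " + ip)
	}
	return ip
}

// triggerScript builds the JSON body for a FLOW_CLASSIFY trigger named
// sessionName whose JavaScript source is code. Both values are spliced in by
// concatenation, so callers must restrict them to characters that need no
// JSON escaping (see plainToken and askIP).
// NOTE(review): encoding/json would make this escaping automatic; it is not
// imported in the visible part of this file.
func triggerScript(sessionName, code string) string {
	return `{ "apply_all": true, "author": "GO", "debug": false, "description": "Scripted PCAP", "disabled": false, "event": "FLOW_CLASSIFY", "hints": {"packetCapture": true}, "name": "` + sessionName + `", "priority": 0, "script": "` + code + `" }`
}

// findMergecap locates Wireshark's mergecap: the default install path on
// Windows, otherwise whatever LookPath finds on PATH. ok is false when
// neither is present.
func findMergecap() (mergecap string, ok bool) {
	if runtime.GOOS == "windows" {
		const winPath = `C:\Program Files\Wireshark\mergecap.exe`
		if _, err := os.Stat(winPath); err == nil {
			return winPath, true
		}
		return "", false
	}
	found, err := exec.LookPath("mergecap")
	if err != nil {
		return "", false
	}
	return found, true
}

// mergePcaps runs mergecap inside dir over every *.pcap written there and
// produces combined.pcap. The argument list is built directly rather than
// round-tripped through a comma-joined string (which broke on names with a
// comma), and cmd.Dir replaces the process-wide os.Chdir.
func mergePcaps(mergecap, dir string) {
	entries, err := ioutil.ReadDir(dir)
	if err != nil {
		terminate(err.Error())
		return
	}
	args := []string{"-w", "combined.pcap"}
	for _, f := range entries {
		name := f.Name()
		// A combined.pcap left by an earlier run must not be both input and output.
		if name == "combined.pcap" || !strings.HasSuffix(name, ".pcap") {
			continue
		}
		args = append(args, name)
	}
	if len(args) == 2 {
		fmt.Println("No packet captures to merge")
		return
	}
	var stdout, stderr bytes.Buffer
	cmd := exec.Command(mergecap, args...)
	cmd.Dir = dir
	cmd.Stdout = &stdout
	cmd.Stderr = &stderr
	if err := cmd.Run(); err != nil {
		// Report mergecap's own output before terminating; the old order
		// printed it after terminate() and so never reached the user.
		fmt.Println(fmt.Sprint(err) + ": " + stderr.String())
		terminate("Failed during merge process...")
		return
	}
	fmt.Println("Successfully combined pcaps")
}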