GSoC'23 Project: Implement an Interactive GUI for presenting Network-Based Indicators summary

fakenet/diverters/diverterbase.py

@@ -90,7 +90,12 @@ def first_packet_new_session(self):
         Returns:
             True if this pair of endpoints hasn't conversed before, else False
         """
-        return not (self.diverter.sessions.get(self.pkt.sport) ==
+        # sessions.get returns (ip, port, pid and comm) or None.
+        # We just want ip and port for comparison.
+        s_dst_ip_port = self.diverter.sessions.get(self.pkt.sport)
+        if s_dst_ip_port:
+            s_dst_ip_port = s_dst_ip_port[:2]
+        return not (s_dst_ip_port ==
                     (self.pkt.dst_ip, self.pkt.dport))
 
 
@@ -534,6 +539,12 @@ def __init__(self, diverter_config, listeners_config, ip_addrs,
         self.logger = logging.getLogger('Diverter')
         self.logger.setLevel(logging_level)
 
+        # Network Based Indicators
+        self.nbiDict = {}
+
+        # proxy to original source ports mapping
+        self.proxy_original_source_ports = {}
+
         # Rate limiting for displaying pid/comm/proto/IP/port
         self.last_conn = None
 
@@ -1761,7 +1772,8 @@ def addSession(self, pkt):
         Returns:
             None
         """
-        self.sessions[pkt.sport] = (pkt.dst_ip, pkt.dport)
+        pid, comm = self.get_pid_comm(pkt)
+        self.sessions[pkt.sport] = (pkt.dst_ip, pkt.dport, pid, comm)
 
     def maybeExecuteCmd(self, pkt, pid, comm):
         """Execute any ExecuteCmd associated with this port/listener.
@@ -1782,3 +1794,24 @@ def maybeExecuteCmd(self, pkt, pid, comm):
             self.logger.info('Executing command: %s' % (execCmd))
             self.execute_detached(execCmd)
 
+    def map_orig_sport_to_proxy_sport(self, orig_sport, proxy_sport):
+        self.proxy_original_source_ports[proxy_sport] = orig_sport
+
+    def logNBI(self, listener_port, nbi):
+        proxied_nbi = listener_port in self.proxy_original_source_ports.keys()
+        orig_source_port = self.proxy_original_source_ports[listener_port] if proxied_nbi else listener_port
+        _, __, pid, comm = self.sessions[orig_source_port]
+
+        # If it's a new NBI from an exisitng process, append nbi, else create new key
+        existing_process = (pid, comm) in self.nbiDict.keys()
+        if existing_process:
+            # {(123, chrome.exe): {"host": ["www.google.com"], "version": ["HTTP1.1"]}}
+            for nbi_attributes in nbi.keys():
+                if nbi_attributes in self.nbiDict[(pid, comm)].keys():
+                    self.nbiDict[(pid, comm)][nbi_attributes].append(nbi[nbi_attributes][0])
+                else:
+                    self.nbiDict[(pid, comm)][nbi_attributes] = nbi[nbi_attributes]
+
+        else:
+            self.nbiDict[(pid, comm)] = nbi
+

fakenet/listeners/HTTPListener.py

@@ -35,7 +35,6 @@
 
 INDENT = '  '
 
-
 def qualify_file_path(filename, fallbackdir):
     path = filename
     if path:
@@ -193,6 +192,7 @@ def start(self):
         self.server.config = self.config
         self.server.webroot_path = self.webroot_path
         self.server.extensions_map = self.extensions_map
+        self.server.diverter = None
 
         if self.config.get('usessl') == 'Yes':
             self.logger.debug('Using SSL socket.')
@@ -246,6 +246,9 @@ def stop(self):
             self.server.shutdown()
             self.server.server_close()
 
+    def acceptDiverter(self, diverter):
+        self.server.diverter = diverter
+
 
 class ThreadedHTTPServer(http.server.HTTPServer):
 
@@ -284,6 +287,9 @@ def do_HEAD(self):
         for line in str(self.headers).split("\n"):
             self.server.logger.info(INDENT + line)
 
+        # collect nbi
+        self.collect_nbi(self.requestline, self.headers)
+
         # Prepare response
         if not self.doCustomResponse('HEAD'):
             self.send_response(200)
@@ -296,6 +302,9 @@ def do_GET(self):
         for line in str(self.headers).split("\n"):
             self.server.logger.info(INDENT + line)
 
+        # collect nbi
+        self.collect_nbi(self.requestline, self.headers)
+
         # Prepare response
         if not self.doCustomResponse('GET'):
             # Get response type based on the requested path
@@ -322,6 +331,9 @@ def do_POST(self):
         for line in post_body.split(b"\n"):
             self.server.logger.info(INDENT.encode('utf-8') + line)
 
+        # collect nbi
+        self.collect_nbi(self.requestline, self.headers, post_body)
+
         # Store HTTP Posts
         if self.server.config.get('dumphttpposts') and self.server.config['dumphttpposts'].lower() == 'yes':
                 http_filename = "%s_%s.txt" % (self.server.config.get('dumphttppostsfileprefix', 'http'), time.strftime("%Y%m%d_%H%M%S"))
@@ -350,6 +362,23 @@ def do_POST(self):
             self.end_headers()
 
             self.wfile.write(response)
+
+    def collect_nbi(self, requestline, headers, post_data=None):
+        nbi = {}
+        method, uri, version = requestline.split(" ")
+        nbi["method"] = [method]
+        nbi["uri"] = [uri]
+        nbi["version"] = [version]
+
+        for line in str(headers).rstrip().split("\n"):
+            key, _, value = line.partition(":")
+            nbi[key] = [value.lstrip()]
+
+        if post_data:
+            nbi["post_data"] = [post_data]
+
+        # report diverter each time when NBI is reported
+        self.server.diverter.logNBI(self.client_address[1], nbi)
 
     def get_response(self, path):
         response = "<html><head><title>FakeNet</title><body><h1>FakeNet</h1></body></html>"

fakenet/listeners/ProxyListener.py

@@ -112,10 +112,20 @@ def __init__(self, ip, port, listener_q, remote_q, config, log):
         self.logger = log
         self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 
+    def connect(self):
+        try:
+            self.sock.connect((self.ip, self.port))
+            new_sport = self.sock.getsockname()[1]
+            return new_sport
+
+        except Exception as e:
+            self.logger.debug('Listener socket exception while attempting connection %s' % e.message)
+
+        return None
+
     def run(self):
 
         try:
-            self.sock.connect((self.ip, self.port))
             while True:
                 readable, writable, exceptional = select.select([self.sock],
                         [], [], .001)
@@ -225,6 +235,12 @@ def handle(self):
                 listener_sock = ThreadedTCPClientSocket(self.server.local_ip,
                         top_listener.port, listener_q, remote_q,
                         self.server.config, self.server.logger)
+
+                # Get proxy initiated source port and report to diverter
+                new_sport = listener_sock.connect()
+                if new_sport:
+                    self.server.diverter.map_orig_sport_to_proxy_sport(orig_src_port, new_sport)
+
                 listener_sock.daemon = True
                 listener_sock.start()
                 remote_sock.setblocking(0)