line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
|
|
|
|
|
|
package Virani; |
2
|
|
|
|
|
|
|
|
3
|
1
|
|
|
1
|
|
71600
|
use 5.006; |
|
1
|
|
|
|
|
3
|
|
4
|
1
|
|
|
1
|
|
7
|
use strict; |
|
1
|
|
|
|
|
2
|
|
|
1
|
|
|
|
|
34
|
|
5
|
1
|
|
|
1
|
|
6
|
use warnings; |
|
1
|
|
|
|
|
2
|
|
|
1
|
|
|
|
|
30
|
|
6
|
1
|
|
|
1
|
|
557
|
use TOML; |
|
1
|
|
|
|
|
30857
|
|
|
1
|
|
|
|
|
55
|
|
7
|
1
|
|
|
1
|
|
617
|
use File::Slurp; |
|
1
|
|
|
|
|
32253
|
|
|
1
|
|
|
|
|
63
|
|
8
|
1
|
|
|
1
|
|
472
|
use Net::Subnet; |
|
1
|
|
|
|
|
5956
|
|
|
1
|
|
|
|
|
63
|
|
9
|
1
|
|
|
1
|
|
516
|
use File::Find::IncludesTimeRange; |
|
1
|
|
|
|
|
12004
|
|
|
1
|
|
|
|
|
40
|
|
10
|
1
|
|
|
1
|
|
487
|
use File::Find::Rule; |
|
1
|
|
|
|
|
8506
|
|
|
1
|
|
|
|
|
8
|
|
11
|
1
|
|
|
1
|
|
56
|
use Digest::MD5 qw(md5_hex); |
|
1
|
|
|
|
|
2
|
|
|
1
|
|
|
|
|
71
|
|
12
|
1
|
|
|
1
|
|
11
|
use File::Spec; |
|
1
|
|
|
|
|
2
|
|
|
1
|
|
|
|
|
21
|
|
13
|
1
|
|
|
1
|
|
745
|
use IPC::Cmd qw(run); |
|
1
|
|
|
|
|
42719
|
|
|
1
|
|
|
|
|
79
|
|
14
|
1
|
|
|
1
|
|
636
|
use File::Copy "cp"; |
|
1
|
|
|
|
|
2538
|
|
|
1
|
|
|
|
|
98
|
|
15
|
1
|
|
|
1
|
|
761
|
use Sys::Syslog; |
|
1
|
|
|
|
|
8832
|
|
|
1
|
|
|
|
|
66
|
|
16
|
1
|
|
|
1
|
|
811
|
use JSON; |
|
1
|
|
|
|
|
8883
|
|
|
1
|
|
|
|
|
6
|
|
17
|
1
|
|
|
1
|
|
116
|
use Time::Piece; |
|
1
|
|
|
|
|
2
|
|
|
1
|
|
|
|
|
8
|
|
18
|
|
|
|
|
|
|
|
19
|
|
|
|
|
|
|
=head1 NAME |
20
|
|
|
|
|
|
|
|
21
|
|
|
|
|
|
|
Virani - PCAP retrieval for a FPC setup writing to PCAP files. |
22
|
|
|
|
|
|
|
|
23
|
|
|
|
|
|
|
=head1 VERSION |
24
|
|
|
|
|
|
|
|
25
|
|
|
|
|
|
|
Version 1.0.1 |
26
|
|
|
|
|
|
|
|
27
|
|
|
|
|
|
|
=cut |
28
|
|
|
|
|
|
|
|
29
|
|
|
|
|
|
|
our $VERSION = '1.0.1'; |
30
|
|
|
|
|
|
|
|
31
|
|
|
|
|
|
|
=head1 SYNOPSIS |
32
|
|
|
|
|
|
|
|
33
|
|
|
|
|
|
|
use Virani; |
34
|
|
|
|
|
|
|
|
35
|
|
|
|
|
|
|
my $virani = Virani->new(); |
36
|
|
|
|
|
|
|
... |
37
|
|
|
|
|
|
|
|
38
|
|
|
|
|
|
|
=head1 METHODS |
39
|
|
|
|
|
|
|
|
40
|
|
|
|
|
|
|
=head2 new_from_conf |
41
|
|
|
|
|
|
|
|
42
|
|
|
|
|
|
|
Initiates the Virani object from the specified file. |
43
|
|
|
|
|
|
|
|
44
|
|
|
|
|
|
|
- conf :: The config TOML to use. |
45
|
|
|
|
|
|
|
- Default :: /usr/local/etc/virani.toml |
46
|
|
|
|
|
|
|
|
47
|
|
|
|
|
|
|
=cut |
48
|
|
|
|
|
|
|
|
49
|
|
|
|
|
|
|
sub new_from_conf { |
50
|
0
|
|
|
0
|
1
|
|
my ( $blank, %opts ) = @_; |
51
|
|
|
|
|
|
|
|
52
|
0
|
0
|
|
|
|
|
if ( !defined( $opts{conf} ) ) { |
53
|
0
|
|
|
|
|
|
$opts{conf} = '/usr/local/etc/virani.toml'; |
54
|
|
|
|
|
|
|
} |
55
|
|
|
|
|
|
|
|
56
|
0
|
0
|
|
|
|
|
if ( !-f $opts{conf} ) { |
57
|
0
|
|
|
|
|
|
die( "'" . $opts{conf} . "' is not a file or does not exist" ); |
58
|
|
|
|
|
|
|
} |
59
|
|
|
|
|
|
|
|
60
|
0
|
|
|
|
|
|
my $raw_toml; |
61
|
0
|
|
|
|
|
|
eval { $raw_toml = read_file( $opts{conf} ); }; |
|
0
|
|
|
|
|
|
|
62
|
0
|
0
|
0
|
|
|
|
if ( $@ || !defined($raw_toml) ) { |
63
|
0
|
|
|
|
|
|
my $error = 'Failed to read config file, "' . $opts{conf} . '"'; |
64
|
0
|
0
|
|
|
|
|
if ($@) { |
65
|
0
|
|
|
|
|
|
$error = $error . ' ' . $@; |
66
|
|
|
|
|
|
|
} |
67
|
0
|
|
|
|
|
|
die($error); |
68
|
|
|
|
|
|
|
} |
69
|
|
|
|
|
|
|
|
70
|
0
|
|
|
|
|
|
my $toml; |
71
|
0
|
|
|
|
|
|
eval { $toml = from_toml($raw_toml); }; |
|
0
|
|
|
|
|
|
|
72
|
0
|
0
|
|
|
|
|
if ($@) { |
73
|
0
|
|
|
|
|
|
die($@); |
74
|
|
|
|
|
|
|
} |
75
|
|
|
|
|
|
|
|
76
|
0
|
|
|
|
|
|
return Virani->new( %{$toml} ); |
|
0
|
|
|
|
|
|
|
77
|
|
|
|
|
|
|
} ## end sub new_from_conf |
78
|
|
|
|
|
|
|
|
79
|
|
|
|
|
|
|
=head2 new |
80
|
|
|
|
|
|
|
|
81
|
|
|
|
|
|
|
Initiates the object. |
82
|
|
|
|
|
|
|
|
83
|
|
|
|
|
|
|
- allowed_subnets :: The allowed subnets for fetching PCAPs for mojo-varini. |
84
|
|
|
|
|
|
|
Defaults :: [ '192.168.0.0/', '127.0.0.1/8', '::1/127', '172.16.0.0/12' ] |
85
|
|
|
|
|
|
|
|
86
|
|
|
|
|
|
|
- apikey :: Optional API key for mojo-varini. |
87
|
|
|
|
|
|
|
Defaults :: undef |
88
|
|
|
|
|
|
|
|
89
|
|
|
|
|
|
|
- auth_by_IP_only :: Auth by IP only and don't use a API key. |
90
|
|
|
|
|
|
|
Default :: 1 |
91
|
|
|
|
|
|
|
|
92
|
|
|
|
|
|
|
- default_set :: The default set to use. |
93
|
|
|
|
|
|
|
Default :: default |
94
|
|
|
|
|
|
|
|
95
|
|
|
|
|
|
|
- cache :: Cache directory to write to. |
96
|
|
|
|
|
|
|
Default :: /var/cache/virani |
97
|
|
|
|
|
|
|
|
98
|
|
|
|
|
|
|
- default_regex :: The regex to use for getting the timestamp. The regex to pass to |
99
|
|
|
|
|
|
|
File::Find::IncludesTimeRange for finding PCAP files with timestamps |
100
|
|
|
|
|
|
|
that include the range in question. |
101
|
|
|
|
|
|
|
Default :: (?\\d\\d\\d\\d\\d\\d+)(\\.pcap|(?\\.\\d+)\\.pcap)$ |
102
|
|
|
|
|
|
|
|
103
|
|
|
|
|
|
|
- verbose_to_syslog :: Send verbose items to syslog. This is used by mojo-virani. |
104
|
|
|
|
|
|
|
Default :: 0 |
105
|
|
|
|
|
|
|
|
106
|
|
|
|
|
|
|
- verbose :: Print verbose info. |
107
|
|
|
|
|
|
|
Default :: 1 |
108
|
|
|
|
|
|
|
|
109
|
|
|
|
|
|
|
- type :: Either tcpdump, tshark, or bpf2tshark, which to use for filtering PCAP files in the |
110
|
|
|
|
|
|
|
specified time slot. tcpdump is faster, but in general will not nicely handles |
111
|
|
|
|
|
|
|
some VLAN types. For that tshark is needed, but it is signfigantly slower. bpf2tshark |
112
|
|
|
|
|
|
|
is handled via Virani->bpf2tshark and that should be seen for more info on that. |
113
|
|
|
|
|
|
|
Default :: tcpdump |
114
|
|
|
|
|
|
|
|
115
|
|
|
|
|
|
|
- padding :: How many seconds to add to the start and end time stamps to ensure the specified |
116
|
|
|
|
|
|
|
time slot is definitely included. |
117
|
|
|
|
|
|
|
Default :: 5 |
118
|
|
|
|
|
|
|
|
119
|
|
|
|
|
|
|
- sets :: A hash of hashes of available sets. |
120
|
|
|
|
|
|
|
Default :: { default => { path => '/var/log/daemonlogger' } } |
121
|
|
|
|
|
|
|
|
122
|
|
|
|
|
|
|
For sets, the following keys are usable, of which only path is required. |
123
|
|
|
|
|
|
|
|
124
|
|
|
|
|
|
|
- path :: The base path of which the PCAPs are located. |
125
|
|
|
|
|
|
|
|
126
|
|
|
|
|
|
|
- padding :: Padding value for this set. |
127
|
|
|
|
|
|
|
|
128
|
|
|
|
|
|
|
- regex :: The timestamp regex to use with this set. |
129
|
|
|
|
|
|
|
|
130
|
|
|
|
|
|
|
- type :: The default filter type to use with this set. |
131
|
|
|
|
|
|
|
|
132
|
|
|
|
|
|
|
=cut |
133
|
|
|
|
|
|
|
|
134
|
|
|
|
|
|
|
sub new { |
135
|
0
|
|
|
0
|
1
|
|
my ( $blank, %opts ) = @_; |
136
|
|
|
|
|
|
|
|
137
|
0
|
|
|
|
|
|
my $self = { |
138
|
|
|
|
|
|
|
allowed_subnets => [ '192.168.0.0/', '127.0.0.1/8', '::1/127', '172.16.0.0/12' ], |
139
|
|
|
|
|
|
|
apikey => undef, |
140
|
|
|
|
|
|
|
auth_by_IP_only => 1, |
141
|
|
|
|
|
|
|
default_set => 'default', |
142
|
|
|
|
|
|
|
cache => '/var/cache/virani', |
143
|
|
|
|
|
|
|
default_regex => '(?\\d\\d\\d\\d\\d\\d+)(\\.pcap|(?\\.\\d+)\\.pcap)$', |
144
|
|
|
|
|
|
|
default_max_time => '3600', |
145
|
|
|
|
|
|
|
verbose_to_syslog => 0, |
146
|
|
|
|
|
|
|
verbose => 1, |
147
|
|
|
|
|
|
|
type => 'tcpdump', |
148
|
|
|
|
|
|
|
padding => 5, |
149
|
|
|
|
|
|
|
sets => { |
150
|
|
|
|
|
|
|
default => { |
151
|
|
|
|
|
|
|
path => '/var/log/daemonlogger', |
152
|
|
|
|
|
|
|
} |
153
|
|
|
|
|
|
|
}, |
154
|
|
|
|
|
|
|
|
155
|
|
|
|
|
|
|
}; |
156
|
0
|
|
|
|
|
|
bless $self; |
157
|
|
|
|
|
|
|
|
158
|
0
|
0
|
0
|
|
|
|
if ( defined( $opts{allowed_subnets} ) && ref( $opts{allowed_subnets} ) eq 'ARRAY' ) { |
|
|
0
|
0
|
|
|
|
|
159
|
0
|
|
|
|
|
|
$self->{allowed_subnets} = $opts{allowed_subnets}; |
160
|
|
|
|
|
|
|
} elsif ( defined( $opts{allowed_subnets} ) && ref( $opts{allowed_subnets} ) ne 'ARRAY' ) { |
161
|
0
|
|
|
|
|
|
die("$opts{allowed_subnets} defined, but not a array"); |
162
|
|
|
|
|
|
|
} |
163
|
|
|
|
|
|
|
|
164
|
0
|
0
|
0
|
|
|
|
if ( defined( $opts{sets} ) && ref( $opts{sets} ) eq 'HASH' ) { |
|
|
0
|
0
|
|
|
|
|
165
|
0
|
|
|
|
|
|
$self->{sets} = $opts{sets}; |
166
|
|
|
|
|
|
|
} elsif ( defined( $opts{sets} ) && ref( $opts{allowed_subnets} ) ne 'HASH' ) { |
167
|
0
|
|
|
|
|
|
die("$opts{sets} defined, but not a hash"); |
168
|
|
|
|
|
|
|
} |
169
|
|
|
|
|
|
|
|
170
|
|
|
|
|
|
|
# real in basic values |
171
|
0
|
|
|
|
|
|
my @real_in = ( |
172
|
|
|
|
|
|
|
'apikey', 'default_set', 'cache', 'padding', |
173
|
|
|
|
|
|
|
'default_max_time', 'verbose_to_syslog', 'verbose', 'auth_by_IP_only', |
174
|
|
|
|
|
|
|
'type' |
175
|
|
|
|
|
|
|
); |
176
|
0
|
|
|
|
|
|
for my $key (@real_in) { |
177
|
0
|
0
|
|
|
|
|
if ( defined( $opts{$key} ) ) { |
178
|
0
|
|
|
|
|
|
$self->{$key} = $opts{$key}; |
179
|
|
|
|
|
|
|
} |
180
|
|
|
|
|
|
|
} |
181
|
|
|
|
|
|
|
|
182
|
0
|
|
|
|
|
|
return $self; |
183
|
|
|
|
|
|
|
} ## end sub new |
184
|
|
|
|
|
|
|
|
185
|
|
|
|
|
|
|
=head2 bpf2tshark |
186
|
|
|
|
|
|
|
|
187
|
|
|
|
|
|
|
Does a quick and dumb conversion of a BPF filter to tshark. |
188
|
|
|
|
|
|
|
|
189
|
|
|
|
|
|
|
my $tshark=$virani->bpf2tshark($bpf); |
190
|
|
|
|
|
|
|
|
191
|
|
|
|
|
|
|
|
192
|
|
|
|
|
|
|
|
193
|
|
|
|
|
|
|
() -> () |
194
|
|
|
|
|
|
|
not () -> !() |
195
|
|
|
|
|
|
|
|
196
|
|
|
|
|
|
|
icmp -> icmp |
197
|
|
|
|
|
|
|
tcp -> tcp |
198
|
|
|
|
|
|
|
udp -> udp |
199
|
|
|
|
|
|
|
|
200
|
|
|
|
|
|
|
port $port -> ( tcp.port == $port or udp.port == $port ) |
201
|
|
|
|
|
|
|
not port $port -> ( tcp.port != $port or udp.port != $port ) |
202
|
|
|
|
|
|
|
|
203
|
|
|
|
|
|
|
dst port $port -> ( tcp.dstport == $port or udp.dstport == $port ) |
204
|
|
|
|
|
|
|
not dst port $port -> ( tcp.dstport != $port or udp.dstport != $port ) |
205
|
|
|
|
|
|
|
|
206
|
|
|
|
|
|
|
src port $port -> ( tcp.srcport == $port or udp.srcport == $port ) |
207
|
|
|
|
|
|
|
not src port $port -> ( tcp.srcport != $port or udp.srcport != $port ) |
208
|
|
|
|
|
|
|
|
209
|
|
|
|
|
|
|
host $host -> ip.addr == $host |
210
|
|
|
|
|
|
|
not host $host -> ip.addr != $host |
211
|
|
|
|
|
|
|
|
212
|
|
|
|
|
|
|
dst host $host -> ip.dst == $host |
213
|
|
|
|
|
|
|
not dst host $host -> ip.dst != $host |
214
|
|
|
|
|
|
|
|
215
|
|
|
|
|
|
|
src host $host -> ip.src == $host |
216
|
|
|
|
|
|
|
not src host $host -> ip.src != $host |
217
|
|
|
|
|
|
|
|
218
|
|
|
|
|
|
|
dst $host -> ip.dst == $host |
219
|
|
|
|
|
|
|
not host $host -> ip.dst != $host |
220
|
|
|
|
|
|
|
|
221
|
|
|
|
|
|
|
src src $host -> ip.src == $host |
222
|
|
|
|
|
|
|
not src $host -> ip.src != $host |
223
|
|
|
|
|
|
|
|
224
|
|
|
|
|
|
|
=cut |
225
|
|
|
|
|
|
|
|
226
|
|
|
|
|
|
|
sub bpf2tshark { |
227
|
0
|
|
|
0
|
1
|
|
my $self = $_[0]; |
228
|
0
|
|
|
|
|
|
my $bpf = $_[1]; |
229
|
|
|
|
|
|
|
|
230
|
0
|
0
|
|
|
|
|
if ( !defined($bpf) ) { |
231
|
0
|
|
|
|
|
|
return ''; |
232
|
|
|
|
|
|
|
} |
233
|
|
|
|
|
|
|
|
234
|
|
|
|
|
|
|
# make sure that () have spaces on either side |
235
|
0
|
|
|
|
|
|
$bpf =~ s/\(/\ \(\ /g; |
236
|
0
|
|
|
|
|
|
$bpf =~ s/\)/\ \)\ /g; |
237
|
|
|
|
|
|
|
|
238
|
0
|
|
|
|
|
|
my @bpf_split = split( /[\ \t]+/, $bpf ); |
239
|
0
|
|
|
|
|
|
my @tshark_args; |
240
|
|
|
|
|
|
|
my @previous; |
241
|
0
|
|
|
|
|
|
my $not = 0; |
242
|
0
|
|
|
|
|
|
foreach my $item (@bpf_split) { |
243
|
|
|
|
|
|
|
|
244
|
|
|
|
|
|
|
# sets the equality operator based of if not is true or not |
245
|
0
|
|
|
|
|
|
my $equality = '=='; |
246
|
0
|
0
|
|
|
|
|
if ($not) { |
247
|
0
|
|
|
|
|
|
$equality = '!='; |
248
|
|
|
|
|
|
|
} |
249
|
|
|
|
|
|
|
|
250
|
|
|
|
|
|
|
# tcp/udp/icmp |
251
|
0
|
0
|
0
|
|
|
|
if ( $item eq 'tcp' || $item eq 'udp' || $item eq 'icmp' ) { |
|
|
0
|
0
|
|
|
|
|
|
|
0
|
0
|
|
|
|
|
|
|
0
|
0
|
|
|
|
|
|
|
0
|
0
|
|
|
|
|
|
|
0
|
0
|
|
|
|
|
|
|
0
|
0
|
|
|
|
|
|
|
0
|
0
|
|
|
|
|
|
|
0
|
0
|
|
|
|
|
|
|
0
|
0
|
|
|
|
|
|
|
0
|
0
|
|
|
|
|
|
|
0
|
0
|
|
|
|
|
|
|
0
|
0
|
|
|
|
|
|
|
0
|
0
|
|
|
|
|
|
|
0
|
0
|
|
|
|
|
|
|
0
|
0
|
|
|
|
|
|
|
0
|
0
|
|
|
|
|
|
|
0
|
0
|
|
|
|
|
|
|
0
|
0
|
|
|
|
|
|
|
0
|
0
|
|
|
|
|
|
|
0
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
252
|
0
|
|
|
|
|
|
push( @tshark_args, $item ); |
253
|
0
|
|
|
|
|
|
$not = 0; |
254
|
0
|
|
|
|
|
|
@previous = (); |
255
|
|
|
|
|
|
|
} |
256
|
|
|
|
|
|
|
|
257
|
|
|
|
|
|
|
# handle negation |
258
|
|
|
|
|
|
|
elsif ( $item eq 'not' ) { |
259
|
0
|
|
|
|
|
|
$not = 1; |
260
|
|
|
|
|
|
|
} |
261
|
|
|
|
|
|
|
|
262
|
|
|
|
|
|
|
# handles closing ) |
263
|
|
|
|
|
|
|
elsif ( $item eq ')' ) { |
264
|
0
|
|
|
|
|
|
$not = 0; |
265
|
0
|
|
|
|
|
|
push( @tshark_args, ')' ); |
266
|
0
|
|
|
|
|
|
@previous = (); |
267
|
|
|
|
|
|
|
} |
268
|
|
|
|
|
|
|
|
269
|
|
|
|
|
|
|
# handles opening ( |
270
|
|
|
|
|
|
|
elsif ( $item eq ')' ) { |
271
|
0
|
0
|
|
|
|
|
if ($not) { |
272
|
0
|
|
|
|
|
|
push( @tshark_args, '!(' ); |
273
|
|
|
|
|
|
|
} else { |
274
|
0
|
|
|
|
|
|
push( @tshark_args, '(' ); |
275
|
|
|
|
|
|
|
} |
276
|
0
|
|
|
|
|
|
$not = 0; |
277
|
0
|
|
|
|
|
|
@previous = (); |
278
|
|
|
|
|
|
|
} |
279
|
|
|
|
|
|
|
|
280
|
|
|
|
|
|
|
# and/or |
281
|
|
|
|
|
|
|
elsif ( $item eq 'or' || $item eq 'and' ) { |
282
|
|
|
|
|
|
|
# make sure we not add it twice |
283
|
0
|
0
|
0
|
|
|
|
if ( $tshark_args[$#tshark_args] ne 'and' && $tshark_args[$#tshark_args] ne 'or' ) { |
284
|
0
|
|
|
|
|
|
push( @tshark_args, $item ); |
285
|
|
|
|
|
|
|
} |
286
|
0
|
|
|
|
|
|
$not = 0; |
287
|
0
|
|
|
|
|
|
@previous = (); |
288
|
|
|
|
|
|
|
} |
289
|
|
|
|
|
|
|
|
290
|
|
|
|
|
|
|
# start of src/dst |
291
|
|
|
|
|
|
|
elsif ( !defined( $previous[0] ) && ( $item eq 'src' || $item eq 'dst' ) ) { |
292
|
0
|
|
|
|
|
|
push( @previous, $item ); |
293
|
|
|
|
|
|
|
} |
294
|
|
|
|
|
|
|
|
295
|
|
|
|
|
|
|
# start of ether |
296
|
|
|
|
|
|
|
elsif ( !defined( $previous[0] ) && $item eq 'ether' ) { |
297
|
0
|
|
|
|
|
|
push( @previous, $item ); |
298
|
|
|
|
|
|
|
} |
299
|
|
|
|
|
|
|
|
300
|
|
|
|
|
|
|
# adding src/dst/host to ether |
301
|
|
|
|
|
|
|
elsif (defined( $previous[0] ) |
302
|
|
|
|
|
|
|
&& $previous[0] eq 'ether' |
303
|
|
|
|
|
|
|
&& ( $item eq 'src' || $item eq 'dst' || $item eq 'host' ) ) |
304
|
|
|
|
|
|
|
{ |
305
|
0
|
|
|
|
|
|
push( @previous, $item ); |
306
|
|
|
|
|
|
|
} |
307
|
|
|
|
|
|
|
|
308
|
|
|
|
|
|
|
# generic host/port |
309
|
|
|
|
|
|
|
elsif ( !defined( $previous[0] ) && ( $item eq 'port' || $item eq 'host' ) ) { |
310
|
0
|
|
|
|
|
|
push( @previous, $item ); |
311
|
|
|
|
|
|
|
} |
312
|
|
|
|
|
|
|
|
313
|
|
|
|
|
|
|
# adding host/port to src/dst |
314
|
|
|
|
|
|
|
elsif (defined( $previous[0] ) |
315
|
|
|
|
|
|
|
&& ( $previous[0] eq 'src' || $previous[0] eq 'dst' ) |
316
|
|
|
|
|
|
|
&& ( $item eq 'host' || $item eq 'port' ) ) |
317
|
|
|
|
|
|
|
{ |
318
|
0
|
|
|
|
|
|
push( @previous, $item ); |
319
|
|
|
|
|
|
|
} |
320
|
|
|
|
|
|
|
|
321
|
|
|
|
|
|
|
# add ether src $ether |
322
|
|
|
|
|
|
|
elsif (defined( $previous[0] ) |
323
|
|
|
|
|
|
|
&& defined( $previous[1] ) |
324
|
|
|
|
|
|
|
&& $previous[0] eq 'ether' |
325
|
|
|
|
|
|
|
&& $previous[1] eq 'src' ) |
326
|
|
|
|
|
|
|
{ |
327
|
0
|
|
|
|
|
|
push( @tshark_args, 'etc.src', $equality, $item ); |
328
|
0
|
|
|
|
|
|
$not = 0; |
329
|
0
|
|
|
|
|
|
@previous = (); |
330
|
|
|
|
|
|
|
} |
331
|
|
|
|
|
|
|
|
332
|
|
|
|
|
|
|
# add ether src $ether |
333
|
|
|
|
|
|
|
elsif (defined( $previous[0] ) |
334
|
|
|
|
|
|
|
&& defined( $previous[1] ) |
335
|
|
|
|
|
|
|
&& $previous[0] eq 'ether' |
336
|
|
|
|
|
|
|
&& $previous[1] eq 'dst' ) |
337
|
|
|
|
|
|
|
{ |
338
|
0
|
|
|
|
|
|
push( @tshark_args, 'etc.dst', $equality, $item ); |
339
|
0
|
|
|
|
|
|
$not = 0; |
340
|
0
|
|
|
|
|
|
@previous = (); |
341
|
|
|
|
|
|
|
} |
342
|
|
|
|
|
|
|
|
343
|
|
|
|
|
|
|
# add ether host $ether |
344
|
|
|
|
|
|
|
elsif (defined( $previous[0] ) |
345
|
|
|
|
|
|
|
&& defined( $previous[1] ) |
346
|
|
|
|
|
|
|
&& $previous[0] eq 'ether' |
347
|
|
|
|
|
|
|
&& $previous[1] eq 'host' ) |
348
|
|
|
|
|
|
|
{ |
349
|
0
|
|
|
|
|
|
push( @tshark_args, 'etc.addr', $equality, $item ); |
350
|
0
|
|
|
|
|
|
$not = 0; |
351
|
0
|
|
|
|
|
|
@previous = (); |
352
|
|
|
|
|
|
|
} |
353
|
|
|
|
|
|
|
|
354
|
|
|
|
|
|
|
# add src port $port |
355
|
|
|
|
|
|
|
elsif (defined( $previous[0] ) |
356
|
|
|
|
|
|
|
&& defined( $previous[1] ) |
357
|
|
|
|
|
|
|
&& $previous[0] eq 'src' |
358
|
|
|
|
|
|
|
&& $previous[1] eq 'port' ) |
359
|
|
|
|
|
|
|
{ |
360
|
0
|
|
|
|
|
|
push( @tshark_args, '(', 'tcp.srcport', $equality, $item, 'or', 'udp.srcport', $equality, $item, ')' ); |
361
|
0
|
|
|
|
|
|
$not = 0; |
362
|
0
|
|
|
|
|
|
@previous = (); |
363
|
|
|
|
|
|
|
} |
364
|
|
|
|
|
|
|
|
365
|
|
|
|
|
|
|
# add dst port $port |
366
|
|
|
|
|
|
|
elsif (defined( $previous[0] ) |
367
|
|
|
|
|
|
|
&& defined( $previous[1] ) |
368
|
|
|
|
|
|
|
&& $previous[0] eq 'dst' |
369
|
|
|
|
|
|
|
&& $previous[1] eq 'port' ) |
370
|
|
|
|
|
|
|
{ |
371
|
0
|
|
|
|
|
|
push( @tshark_args, '(', 'tcp.dstport', $equality, $item, 'or', 'udp.dstport', $equality, $item, ')' ); |
372
|
0
|
|
|
|
|
|
$not = 0; |
373
|
0
|
|
|
|
|
|
@previous = (); |
374
|
|
|
|
|
|
|
} |
375
|
|
|
|
|
|
|
|
376
|
|
|
|
|
|
|
# add src host $host |
377
|
|
|
|
|
|
|
elsif (defined( $previous[0] ) |
378
|
|
|
|
|
|
|
&& defined( $previous[1] ) |
379
|
|
|
|
|
|
|
&& $previous[0] eq 'src' |
380
|
|
|
|
|
|
|
&& $previous[1] eq 'host' ) |
381
|
|
|
|
|
|
|
{ |
382
|
0
|
|
|
|
|
|
push( @tshark_args, 'ip.src', $equality, $item ); |
383
|
0
|
|
|
|
|
|
$not = 0; |
384
|
0
|
|
|
|
|
|
@previous = (); |
385
|
|
|
|
|
|
|
} |
386
|
|
|
|
|
|
|
|
387
|
|
|
|
|
|
|
# add dst host $host |
388
|
|
|
|
|
|
|
elsif (defined( $previous[0] ) |
389
|
|
|
|
|
|
|
&& defined( $previous[1] ) |
390
|
|
|
|
|
|
|
&& $previous[0] eq 'dst' |
391
|
|
|
|
|
|
|
&& $previous[1] eq 'host' ) |
392
|
|
|
|
|
|
|
{ |
393
|
0
|
|
|
|
|
|
push( @tshark_args, 'ip.dst', $equality, $item ); |
394
|
0
|
|
|
|
|
|
$not = 0; |
395
|
0
|
|
|
|
|
|
@previous = (); |
396
|
|
|
|
|
|
|
} |
397
|
|
|
|
|
|
|
|
398
|
|
|
|
|
|
|
# add port $port |
399
|
|
|
|
|
|
|
elsif ( defined( $previous[0] ) && !defined( $previous[1] ) && $previous[0] eq 'port' ) { |
400
|
0
|
|
|
|
|
|
push( @tshark_args, '(', 'tcp.port', $equality, $item, 'or', 'udp.port', $equality, $item, ')' ); |
401
|
0
|
|
|
|
|
|
$not = 0; |
402
|
0
|
|
|
|
|
|
@previous = (); |
403
|
|
|
|
|
|
|
} |
404
|
|
|
|
|
|
|
|
405
|
|
|
|
|
|
|
# add host $host |
406
|
|
|
|
|
|
|
elsif ( defined( $previous[0] ) && !defined( $previous[1] ) && $previous[0] eq 'host' ) { |
407
|
0
|
|
|
|
|
|
push( @tshark_args, 'ip.addr', $equality, $item ); |
408
|
0
|
|
|
|
|
|
$not = 0; |
409
|
0
|
|
|
|
|
|
@previous = (); |
410
|
|
|
|
|
|
|
} |
411
|
|
|
|
|
|
|
|
412
|
|
|
|
|
|
|
# add src $host |
413
|
|
|
|
|
|
|
elsif ( defined( $previous[0] ) && !defined( $previous[1] ) && $previous[0] eq 'src' ) { |
414
|
0
|
|
|
|
|
|
push( @tshark_args, 'ip.src', $equality, $item ); |
415
|
0
|
|
|
|
|
|
$not = 0; |
416
|
0
|
|
|
|
|
|
@previous = (); |
417
|
|
|
|
|
|
|
} |
418
|
|
|
|
|
|
|
|
419
|
|
|
|
|
|
|
# add dst $host |
420
|
|
|
|
|
|
|
elsif ( defined( $previous[0] ) && !defined( $previous[1] ) && $previous[0] eq 'dst' ) { |
421
|
0
|
|
|
|
|
|
push( @tshark_args, 'ip.dst', $equality, $item ); |
422
|
0
|
|
|
|
|
|
$not = 0; |
423
|
0
|
|
|
|
|
|
@previous = (); |
424
|
|
|
|
|
|
|
} |
425
|
|
|
|
|
|
|
|
426
|
|
|
|
|
|
|
# if anything else is found, skip it |
427
|
|
|
|
|
|
|
else { |
428
|
0
|
|
|
|
|
|
$not = 0; |
429
|
0
|
|
|
|
|
|
@previous = (); |
430
|
|
|
|
|
|
|
} |
431
|
|
|
|
|
|
|
} ## end foreach my $item (@bpf_split) |
432
|
|
|
|
|
|
|
|
433
|
0
|
|
|
|
|
|
return join( ' ', @tshark_args ); |
434
|
|
|
|
|
|
|
} ## end sub bpf2tshark |
435
|
|
|
|
|
|
|
|
436
|
|
|
|
|
|
|
=head2 filter_clean |
437
|
|
|
|
|
|
|
|
438
|
|
|
|
|
|
|
Removes starting and trailing whitespace as well as collapsing |
439
|
|
|
|
|
|
|
consecutive whitespace to a single space. |
440
|
|
|
|
|
|
|
|
441
|
|
|
|
|
|
|
The purpose for this is to make sure that tshark/BPF filters passed |
442
|
|
|
|
|
|
|
are consistent for cacheing, even if their white space differs. |
443
|
|
|
|
|
|
|
|
444
|
|
|
|
|
|
|
A undef passed to it will return ''. |
445
|
|
|
|
|
|
|
|
446
|
|
|
|
|
|
|
Will die if the filter matches /^\w*\-/ as it starts with a '-', which |
447
|
|
|
|
|
|
|
tcpdump will interpret as a switch. |
448
|
|
|
|
|
|
|
|
449
|
|
|
|
|
|
|
my $cleaned_bpf=$virani->filter_clean($bpf); |
450
|
|
|
|
|
|
|
|
451
|
|
|
|
|
|
|
=cut |
452
|
|
|
|
|
|
|
|
453
|
|
|
|
|
|
|
sub filter_clean { |
454
|
0
|
|
|
0
|
1
|
|
my $self = $_[0]; |
455
|
0
|
|
|
|
|
|
my $string = $_[1]; |
456
|
|
|
|
|
|
|
|
457
|
0
|
0
|
|
|
|
|
if ( !defined($string) ) { |
458
|
0
|
|
|
|
|
|
return ''; |
459
|
|
|
|
|
|
|
} |
460
|
|
|
|
|
|
|
|
461
|
0
|
0
|
|
|
|
|
if ( $string =~ /^\w*\-/ ) { |
462
|
0
|
|
|
|
|
|
die( 'The filter, "' . $string . '", begins with a "-", which dieing for safety reasons' ); |
463
|
|
|
|
|
|
|
} |
464
|
|
|
|
|
|
|
|
465
|
|
|
|
|
|
|
# remove white space at the start and end |
466
|
0
|
|
|
|
|
|
$string =~ s/^\s*//g; |
467
|
0
|
|
|
|
|
|
$string =~ s/\s+$//g; |
468
|
|
|
|
|
|
|
|
469
|
|
|
|
|
|
|
# replace all multiple white space characters with a single space |
470
|
0
|
|
|
|
|
|
$string =~ s/\s\s+/ /g; |
471
|
|
|
|
|
|
|
|
472
|
0
|
|
|
|
|
|
return $string; |
473
|
|
|
|
|
|
|
} ## end sub filter_clean |
474
|
|
|
|
|
|
|
|
475
|
|
|
|
|
|
|
=head1 check_apikey |
476
|
|
|
|
|
|
|
|
477
|
|
|
|
|
|
|
Checks the API key. |
478
|
|
|
|
|
|
|
|
479
|
|
|
|
|
|
|
If auth_via_IP_only is 1, this will always return true. |
480
|
|
|
|
|
|
|
|
481
|
|
|
|
|
|
|
my $apikey=$c->param('apikey'); |
482
|
|
|
|
|
|
|
if (!$virani->check_apikey($apikey)) { |
483
|
|
|
|
|
|
|
$c->render( text => "Invalid API key\n", status=>403, ); |
484
|
|
|
|
|
|
|
return; |
485
|
|
|
|
|
|
|
} |
486
|
|
|
|
|
|
|
|
487
|
|
|
|
|
|
|
=cut |
488
|
|
|
|
|
|
|
|
489
|
|
|
|
|
|
|
sub check_apikey { |
490
|
0
|
|
|
0
|
0
|
|
my $self = $_[0]; |
491
|
0
|
|
|
|
|
|
my $apikey = $_[1]; |
492
|
|
|
|
|
|
|
|
493
|
0
|
0
|
|
|
|
|
if ( $self->{auth_by_IP_only} ) { |
494
|
0
|
|
|
|
|
|
return 1; |
495
|
|
|
|
|
|
|
} |
496
|
|
|
|
|
|
|
|
497
|
0
|
0
|
|
|
|
|
if ( !defined($apikey) ) { |
498
|
0
|
|
|
|
|
|
return 0; |
499
|
|
|
|
|
|
|
} |
500
|
|
|
|
|
|
|
|
501
|
0
|
0
|
0
|
|
|
|
if ( !defined( $self->{apikey} ) || $self->{apikey} eq '' ) { |
502
|
0
|
|
|
|
|
|
return 0; |
503
|
|
|
|
|
|
|
} |
504
|
|
|
|
|
|
|
|
505
|
0
|
0
|
|
|
|
|
if ( $apikey ne $self->{apikey} ) { |
506
|
0
|
|
|
|
|
|
return 0; |
507
|
|
|
|
|
|
|
} |
508
|
|
|
|
|
|
|
|
509
|
0
|
|
|
|
|
|
return 1; |
510
|
|
|
|
|
|
|
} ## end sub check_apikey |
511
|
|
|
|
|
|
|
|
512
|
|
|
|
|
|
|
=head1 check_remote_ip |
513
|
|
|
|
|
|
|
|
514
|
|
|
|
|
|
|
Checks if the remote IP is allowed or not. |
515
|
|
|
|
|
|
|
|
516
|
|
|
|
|
|
|
if ( ! $virani->check_remote_ip( $c->{tx}{original_remote_address} )){ |
517
|
|
|
|
|
|
|
$c->render( text => "IP or subnet not allowed\n", status=>403, ); |
518
|
|
|
|
|
|
|
return; |
519
|
|
|
|
|
|
|
} |
520
|
|
|
|
|
|
|
|
521
|
|
|
|
|
|
|
=cut |
522
|
|
|
|
|
|
|
|
523
|
|
|
|
|
|
|
sub check_remote_ip { |
524
|
0
|
|
|
0
|
0
|
|
my $self = $_[0]; |
525
|
0
|
|
|
|
|
|
my $ip = $_[1]; |
526
|
|
|
|
|
|
|
|
527
|
0
|
0
|
|
|
|
|
if ( !defined($ip) ) { |
528
|
0
|
|
|
|
|
|
return 0; |
529
|
|
|
|
|
|
|
} |
530
|
|
|
|
|
|
|
|
531
|
0
|
0
|
|
|
|
|
if ( !defined( $self->{allowed_subnets}[0] ) ) { |
532
|
0
|
|
|
|
|
|
return 0; |
533
|
|
|
|
|
|
|
} |
534
|
|
|
|
|
|
|
|
535
|
0
|
|
|
|
|
|
my $allowed_subnets; |
536
|
0
|
|
|
|
|
|
eval { $allowed_subnets = subnet_matcher( @{ $self->{allowed_subnets} } ); }; |
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
537
|
0
|
0
|
|
|
|
|
if ($@) { |
|
|
0
|
|
|
|
|
|
538
|
0
|
|
|
|
|
|
die( 'Failed it init subnet matcher... ' . $@ ); |
539
|
|
|
|
|
|
|
} elsif ( !defined($allowed_subnets) ) { |
540
|
0
|
|
|
|
|
|
die('Failed it init subnet matcher... sub_matcher returned undef'); |
541
|
|
|
|
|
|
|
} |
542
|
|
|
|
|
|
|
|
543
|
0
|
0
|
|
|
|
|
if ( $allowed_subnets->($ip) ) { |
544
|
0
|
|
|
|
|
|
return 1; |
545
|
|
|
|
|
|
|
} |
546
|
|
|
|
|
|
|
|
547
|
0
|
|
|
|
|
|
return 0; |
548
|
|
|
|
|
|
|
} ## end sub check_remote_ip |
549
|
|
|
|
|
|
|
|
550
|
|
|
|
|
|
|
=head1 check_type |
551
|
|
|
|
|
|
|
|
552
|
|
|
|
|
|
|
Verify if the check is valid or note |
553
|
|
|
|
|
|
|
|
554
|
|
|
|
|
|
|
Returns 0/1 based on if it a known type or not. |
555
|
|
|
|
|
|
|
|
556
|
|
|
|
|
|
|
if ( ! $virani->check_type( $type )){ |
557
|
|
|
|
|
|
|
print $type." is not known\n"; |
558
|
|
|
|
|
|
|
} |
559
|
|
|
|
|
|
|
|
560
|
|
|
|
|
|
|
=cut |
561
|
|
|
|
|
|
|
|
562
|
|
|
|
|
|
|
sub check_type { |
563
|
0
|
|
|
0
|
0
|
|
my $self = $_[0]; |
564
|
0
|
|
|
|
|
|
my $type = $_[1]; |
565
|
|
|
|
|
|
|
|
566
|
0
|
0
|
|
|
|
|
if ( !defined($type) ) { |
567
|
0
|
|
|
|
|
|
return 0; |
568
|
|
|
|
|
|
|
} |
569
|
|
|
|
|
|
|
|
570
|
0
|
0
|
0
|
|
|
|
if ( $type ne 'tshark' && $type ne 'tcpdump' && $type ne 'bpf2tshark' ) { |
|
|
|
0
|
|
|
|
|
571
|
0
|
|
|
|
|
|
return 0; |
572
|
|
|
|
|
|
|
} |
573
|
|
|
|
|
|
|
|
574
|
0
|
|
|
|
|
|
return 1; |
575
|
|
|
|
|
|
|
} ## end sub check_type |
576
|
|
|
|
|
|
|
|
577
|
|
|
|
|
|
|
=head2 get_default_set |
578
|
|
|
|
|
|
|
|
579
|
|
|
|
|
|
|
Returns the deefault set to use. |
580
|
|
|
|
|
|
|
|
581
|
|
|
|
|
|
|
my $set=$virani->get_default_set; |
582
|
|
|
|
|
|
|
|
583
|
|
|
|
|
|
|
=cut |
584
|
|
|
|
|
|
|
|
585
|
|
|
|
|
|
|
sub get_default_set { |
586
|
0
|
|
|
0
|
1
|
|
my ($self) = @_; |
587
|
|
|
|
|
|
|
|
588
|
0
|
|
|
|
|
|
return $self->{default_set}; |
589
|
|
|
|
|
|
|
} |
590
|
|
|
|
|
|
|
|
591
|
|
|
|
|
|
|
=head2 get_cache_file |
592
|
|
|
|
|
|
|
|
593
|
|
|
|
|
|
|
Takes the same args as get_pcap_lcal. |
594
|
|
|
|
|
|
|
|
595
|
|
|
|
|
|
|
Returns the path to the file. |
596
|
|
|
|
|
|
|
|
597
|
|
|
|
|
|
|
my $cache_file=$virani->get_cache_file(%opts); |
598
|
|
|
|
|
|
|
if (! -f $cache_file.'json'){ |
599
|
|
|
|
|
|
|
echo "Cache file metadata does not exist, so either get_pcap_local died or it has not been ran\n"; |
600
|
|
|
|
|
|
|
} |
601
|
|
|
|
|
|
|
|
602
|
|
|
|
|
|
|
=cut |
603
|
|
|
|
|
|
|
|
604
|
|
|
|
|
|
|
sub get_cache_file { |
605
|
0
|
|
|
0
|
1
|
|
my ( $self, %opts ) = @_; |
606
|
|
|
|
|
|
|
|
607
|
|
|
|
|
|
|
# make sure we have something for type and check to make sure it is sane |
608
|
0
|
0
|
|
|
|
|
if ( !defined( $opts{type} ) ) { |
609
|
0
|
|
|
|
|
|
$opts{type} = $self->{type}; |
610
|
0
|
0
|
|
|
|
|
if ( defined( $self->{sets}{ $opts{set} }{type} ) ) { |
611
|
0
|
|
|
|
|
|
$opts{type} = $self->{sets}{ $opts{set} }{type}; |
612
|
|
|
|
|
|
|
} |
613
|
|
|
|
|
|
|
} |
614
|
|
|
|
|
|
|
|
615
|
|
|
|
|
|
|
# check it here incase the config includes something off |
616
|
0
|
0
|
|
|
|
|
if ( !$self->check_type( $opts{type} ) ) { |
617
|
0
|
|
|
|
|
|
die( 'type "' . $opts{type} . '" is not a supported type, tcpdump or tshark,' ); |
618
|
|
|
|
|
|
|
} |
619
|
|
|
|
|
|
|
|
620
|
|
|
|
|
|
|
# basic sanity checking |
621
|
0
|
0
|
0
|
|
|
|
if ( !defined( $opts{start} ) ) { |
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
622
|
0
|
|
|
|
|
|
die('$opts{start} not defined'); |
623
|
|
|
|
|
|
|
} elsif ( !defined( $opts{end} ) ) { |
624
|
0
|
|
|
|
|
|
die('$opts{start} not defined'); |
625
|
|
|
|
|
|
|
} elsif ( ref( $opts{start} ) ne 'Time::Piece' ) { |
626
|
0
|
|
|
|
|
|
die('$opts{start} is not a Time::Piece object'); |
627
|
|
|
|
|
|
|
} elsif ( ref( $opts{end} ) ne 'Time::Piece' ) { |
628
|
0
|
|
|
|
|
|
die('$opts{end} is not a Time::Piece object'); |
629
|
|
|
|
|
|
|
} elsif ( defined( $opts{padding} ) && $opts{padding} !~ /^\d+/ ) { |
630
|
0
|
|
|
|
|
|
die('$opts{padding} is not numeric'); |
631
|
|
|
|
|
|
|
} |
632
|
|
|
|
|
|
|
|
633
|
0
|
0
|
|
|
|
|
if ( !defined( $opts{auto_no_cache} ) ) { |
634
|
0
|
|
|
|
|
|
$opts{auto_no_cache} = 1; |
635
|
|
|
|
|
|
|
} |
636
|
|
|
|
|
|
|
|
637
|
0
|
0
|
0
|
|
|
|
if ( !defined( $opts{set} ) || $opts{set} eq '' ) { |
638
|
0
|
|
|
|
|
|
$opts{set} = $self->get_default_set; |
639
|
|
|
|
|
|
|
} |
640
|
|
|
|
|
|
|
|
641
|
|
|
|
|
|
|
# make sure the set exists |
642
|
0
|
0
|
|
|
|
|
if ( !defined( $self->{sets}->{ $opts{set} } ) ) { |
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
643
|
0
|
|
|
|
|
|
die( 'The set "' . $opts{set} . '" is not defined' ); |
644
|
|
|
|
|
|
|
} elsif ( !defined( $self->{sets}->{ $opts{set} }{path} ) ) { |
645
|
0
|
|
|
|
|
|
die( 'The path for set "' . $opts{set} . '" is not defined' ); |
646
|
|
|
|
|
|
|
} elsif ( !-d $self->{sets}->{ $opts{set} }{path} ) { |
647
|
|
|
|
|
|
|
die( 'The path for set "' |
648
|
|
|
|
|
|
|
. $opts{set} . '", "' |
649
|
|
|
|
|
|
|
. $self->{sets}->{ $opts{set} }{path} |
650
|
0
|
|
|
|
|
|
. '" is not exist or is not a directory' ); |
651
|
|
|
|
|
|
|
} |
652
|
|
|
|
|
|
|
|
653
|
|
|
|
|
|
|
# get the paddimg, make sure it is sane, and apply it |
654
|
0
|
0
|
|
|
|
|
if ( !defined( $opts{padding} ) ) { |
655
|
0
|
|
|
|
|
|
$opts{padding} = $self->{padding}; |
656
|
0
|
0
|
|
|
|
|
if ( defined( $self->{sets}{ $opts{set} }{padding} ) ) { |
657
|
0
|
|
|
|
|
|
$opts{padding} = $self->{sets}{ $opts{set} }{padding}; |
658
|
|
|
|
|
|
|
} |
659
|
|
|
|
|
|
|
} |
660
|
|
|
|
|
|
|
|
661
|
|
|
|
|
|
|
# clean the filter |
662
|
0
|
|
|
|
|
|
$opts{filter} = $self->filter_clean( $opts{filter} ); |
663
|
|
|
|
|
|
|
|
664
|
0
|
|
|
|
|
|
my $cache_file; |
665
|
0
|
0
|
|
|
|
|
if ( defined( $opts{file} ) ) { |
666
|
0
|
|
|
|
|
|
my ( $volume, $directories, $file ) = File::Spec->splitpath( $opts{file} ); |
667
|
|
|
|
|
|
|
|
668
|
|
|
|
|
|
|
# make sure the directory the output file is using exists |
669
|
0
|
0
|
0
|
|
|
|
if ( $directories ne '' && !-d $directories ) { |
670
|
|
|
|
|
|
|
die( '$opts{file} is set to "' |
671
|
|
|
|
|
|
|
. $opts{file} |
672
|
0
|
|
|
|
|
|
. '" but the directory part,"' |
673
|
|
|
|
|
|
|
. $directories |
674
|
|
|
|
|
|
|
. '", does not exist' ); |
675
|
|
|
|
|
|
|
} |
676
|
|
|
|
|
|
|
|
677
|
|
|
|
|
|
|
# figure what what to use as the cache file |
678
|
0
|
0
|
0
|
|
|
|
if ( $opts{no_cache} ) { |
|
|
0
|
0
|
|
|
|
|
|
|
0
|
0
|
|
|
|
|
|
|
0
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
679
|
0
|
|
|
|
|
|
$cache_file = $opts{file}; |
680
|
|
|
|
|
|
|
} elsif ( $opts{auto_no_cache} && ( !-d $self->{cache} || !-w $self->{cache} ) ) { |
681
|
0
|
|
|
|
|
|
$cache_file = $opts{file}; |
682
|
|
|
|
|
|
|
|
683
|
|
|
|
|
|
|
} elsif ( $opts{auto_no_cache} && ( -d $self->{cache} || -w $self->{cache} ) ) { |
684
|
|
|
|
|
|
|
$cache_file |
685
|
|
|
|
|
|
|
= $self->{cache} . '/' |
686
|
|
|
|
|
|
|
. $opts{set} . '-' |
687
|
|
|
|
|
|
|
. $opts{type} . '-' |
688
|
|
|
|
|
|
|
. $opts{start}->epoch . '-' |
689
|
|
|
|
|
|
|
. $opts{end}->epoch . "-" |
690
|
0
|
|
|
|
|
|
. lc( md5_hex( $opts{filter} ) ); |
691
|
|
|
|
|
|
|
} elsif ( !$opts{auto_no_cache} && ( !-d $self->{cache} || !-w $self->{cache} ) ) { |
692
|
|
|
|
|
|
|
die( '$opts{auto_no_cache} is false and $opts{no_cache} is false, but the cache dir "' |
693
|
|
|
|
|
|
|
. $self->{dir} |
694
|
0
|
|
|
|
|
|
. '" does not exist, is not a dir, or is not writable' ); |
695
|
|
|
|
|
|
|
} |
696
|
|
|
|
|
|
|
} else { |
697
|
|
|
|
|
|
|
# make sure the cache is usable |
698
|
0
|
0
|
|
|
|
|
if ( !-d $self->{cache} ) { |
|
|
0
|
|
|
|
|
|
699
|
0
|
|
|
|
|
|
die( 'Cache dir,"' . $self->{cache} . '", does not exist or is not a dir' ); |
700
|
|
|
|
|
|
|
} elsif ( !-w $self->{cache} ) { |
701
|
0
|
|
|
|
|
|
die( 'Cache dir,"' . $self->{cache} . '", is not writable' ); |
702
|
|
|
|
|
|
|
} |
703
|
|
|
|
|
|
|
|
704
|
|
|
|
|
|
|
$cache_file |
705
|
|
|
|
|
|
|
= $self->{cache} . '/' |
706
|
|
|
|
|
|
|
. $opts{set} . '-' |
707
|
|
|
|
|
|
|
. $opts{start}->epoch . '-' |
708
|
|
|
|
|
|
|
. $opts{type} . '-' |
709
|
|
|
|
|
|
|
. $opts{end}->epoch . "-" |
710
|
0
|
|
|
|
|
|
. lc( md5_hex( $opts{filter} ) ); |
711
|
|
|
|
|
|
|
} ## end else [ if ( defined( $opts{file} ) ) ] |
712
|
|
|
|
|
|
|
|
713
|
0
|
|
|
|
|
|
return $cache_file; |
714
|
|
|
|
|
|
|
} ## end sub get_cache_file |
715
|
|
|
|
|
|
|
|
716
|
|
|
|
|
|
|
=head2 get_pcap_local |
717
|
|
|
|
|
|
|
|
718
|
|
|
|
|
|
|
Generates a PCAP locally and returns the path to it. |
719
|
|
|
|
|
|
|
|
720
|
|
|
|
|
|
|
- start :: A L object of when to start looking. |
721
|
|
|
|
|
|
|
- Default :: undef |
722
|
|
|
|
|
|
|
|
723
|
|
|
|
|
|
|
- end :: A L object of when to stop looking. |
724
|
|
|
|
|
|
|
- Default :: undef |
725
|
|
|
|
|
|
|
|
726
|
|
|
|
|
|
|
- padding :: Number of seconds to pad the start and end with. |
727
|
|
|
|
|
|
|
- Default :: 5 |
728
|
|
|
|
|
|
|
|
729
|
|
|
|
|
|
|
- filter :: The BPF or tshark filter to use. |
730
|
|
|
|
|
|
|
- Default :: '' |
731
|
|
|
|
|
|
|
|
732
|
|
|
|
|
|
|
- set :: The PCAP set to use. Will use what ever the default is set to if undef or blank. |
733
|
|
|
|
|
|
|
- Default :: $virani->get_default_set |
734
|
|
|
|
|
|
|
|
735
|
|
|
|
|
|
|
- file :: The file to output to. If undef it just returns the path to |
736
|
|
|
|
|
|
|
the cache file. |
737
|
|
|
|
|
|
|
- Default :: undef |
738
|
|
|
|
|
|
|
|
739
|
|
|
|
|
|
|
- no_cache :: If cached, don't return that, but regen and if applicable re-cache. |
740
|
|
|
|
|
|
|
- Default :: 0 |
741
|
|
|
|
|
|
|
|
742
|
|
|
|
|
|
|
- auto_no_cache :: If the cache dir is being used and not writeable and a file |
743
|
|
|
|
|
|
|
as been specified, don't die, but use the output file name |
744
|
|
|
|
|
|
|
as the basis of for the tmp file. |
745
|
|
|
|
|
|
|
- Default :: 1 |
746
|
|
|
|
|
|
|
|
747
|
|
|
|
|
|
|
- type :: 'tcpdump' or 'tshark', depending on what one wants the filter todo. |
748
|
|
|
|
|
|
|
- Default :: tcpdump |
749
|
|
|
|
|
|
|
|
750
|
|
|
|
|
|
|
The return is a hash reference that includes the following keys. |
751
|
|
|
|
|
|
|
|
752
|
|
|
|
|
|
|
- pcaps :: A array of PCAPs used. |
753
|
|
|
|
|
|
|
|
754
|
|
|
|
|
|
|
- pcap_count :: A count of used PCAPs. |
755
|
|
|
|
|
|
|
|
756
|
|
|
|
|
|
|
- failed :: A hash of PCAPs that failed. PCAP path as key and value being the reason. |
757
|
|
|
|
|
|
|
|
758
|
|
|
|
|
|
|
- failed_count :: A count of failed PCAPs. |
759
|
|
|
|
|
|
|
|
760
|
|
|
|
|
|
|
- path :: The path to the results file. If undef, unable it was unable |
761
|
|
|
|
|
|
|
to process any of them. |
762
|
|
|
|
|
|
|
|
763
|
|
|
|
|
|
|
- success_found :: A count of successfully processed PCAPs. |
764
|
|
|
|
|
|
|
|
765
|
|
|
|
|
|
|
- filter :: The used filter. |
766
|
|
|
|
|
|
|
|
767
|
|
|
|
|
|
|
- total_size :: The size of all PCAP files checked. |
768
|
|
|
|
|
|
|
|
769
|
|
|
|
|
|
|
- failed_size :: The size of the PCAP files that failed. |
770
|
|
|
|
|
|
|
|
771
|
|
|
|
|
|
|
- success_size :: the size of the PCAP files that successfully processed |
772
|
|
|
|
|
|
|
|
773
|
|
|
|
|
|
|
- type :: The value of $opts{type} |
774
|
|
|
|
|
|
|
|
775
|
|
|
|
|
|
|
- padding :: The value of padding. |
776
|
|
|
|
|
|
|
|
777
|
|
|
|
|
|
|
- start_s :: Start time in seconds since epoch, not including pading. |
778
|
|
|
|
|
|
|
|
779
|
|
|
|
|
|
|
- end :: Send time in the format '%Y-%m-%dT%H:%M:%S%z'. |
780
|
|
|
|
|
|
|
|
781
|
|
|
|
|
|
|
- end_s :: End time in seconds since epoch, not including pading. |
782
|
|
|
|
|
|
|
|
783
|
|
|
|
|
|
|
- end :: End time in the format '%Y-%m-%dT%H:%M:%S%z'. |
784
|
|
|
|
|
|
|
|
785
|
|
|
|
|
|
|
- using_cache :: If the cache was used or not. |
786
|
|
|
|
|
|
|
|
787
|
|
|
|
|
|
|
- req_start :: Timestamp of when the it started. In the format |
788
|
|
|
|
|
|
|
%Y-%m-%dT%H:%M:%S%z |
789
|
|
|
|
|
|
|
|
790
|
|
|
|
|
|
|
- req_start_s :: Same as req_start, but unixtime. |
791
|
|
|
|
|
|
|
|
792
|
|
|
|
|
|
|
- req_end :: Timestamp of when the it finished. In the format |
793
|
|
|
|
|
|
|
%Y-%m-%dT%H:%M:%S%z |
794
|
|
|
|
|
|
|
|
795
|
|
|
|
|
|
|
- req_end_s :: Same as req_end, but unixtime. |
796
|
|
|
|
|
|
|
|
797
|
|
|
|
|
|
|
- req_time :: Number of seconds it took. |
798
|
|
|
|
|
|
|
|
799
|
|
|
|
|
|
|
=cut |
800
|
|
|
|
|
|
|
|
801
|
|
|
|
|
|
|
sub get_pcap_local { |
802
|
0
|
|
|
0
|
1
|
|
my ( $self, %opts ) = @_; |
803
|
|
|
|
|
|
|
|
804
|
|
|
|
|
|
|
# start of the request |
805
|
0
|
|
|
|
|
|
my $req_start = localtime; |
806
|
|
|
|
|
|
|
|
807
|
|
|
|
|
|
|
# make sure we have something for type and check to make sure it is sane |
808
|
0
|
0
|
|
|
|
|
if ( !defined( $opts{type} ) ) { |
809
|
0
|
|
|
|
|
|
$opts{type} = $self->{type}; |
810
|
0
|
0
|
|
|
|
|
if ( defined( $self->{sets}{ $opts{set} }{type} ) ) { |
811
|
0
|
|
|
|
|
|
$opts{type} = $self->{sets}{ $opts{set} }{type}; |
812
|
|
|
|
|
|
|
} |
813
|
|
|
|
|
|
|
} |
814
|
|
|
|
|
|
|
|
815
|
|
|
|
|
|
|
# check it here incase the config includes something off |
816
|
0
|
0
|
|
|
|
|
if ( !$self->check_type( $opts{type} ) ) { |
817
|
0
|
|
|
|
|
|
die( 'type "' . $opts{type} . '" is not a supported type, tcpdump or tshark,' ); |
818
|
|
|
|
|
|
|
} |
819
|
0
|
|
|
|
|
|
$self->verbose( 'info', 'Type: ' . $opts{type} ); |
820
|
|
|
|
|
|
|
|
821
|
|
|
|
|
|
|
# basic sanity checking |
822
|
0
|
0
|
0
|
|
|
|
if ( !defined( $opts{start} ) ) { |
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
823
|
0
|
|
|
|
|
|
die('$opts{start} not defined'); |
824
|
|
|
|
|
|
|
} elsif ( !defined( $opts{end} ) ) { |
825
|
0
|
|
|
|
|
|
die('$opts{start} not defined'); |
826
|
|
|
|
|
|
|
} elsif ( ref( $opts{start} ) ne 'Time::Piece' ) { |
827
|
0
|
|
|
|
|
|
die('$opts{start} is not a Time::Piece object'); |
828
|
|
|
|
|
|
|
} elsif ( ref( $opts{end} ) ne 'Time::Piece' ) { |
829
|
0
|
|
|
|
|
|
die('$opts{end} is not a Time::Piece object'); |
830
|
|
|
|
|
|
|
} elsif ( defined( $opts{padding} ) && $opts{padding} !~ /^\d+$/ ) { |
831
|
0
|
|
|
|
|
|
die('$opts{padding} is not numeric'); |
832
|
|
|
|
|
|
|
} |
833
|
0
|
|
|
|
|
|
$self->verbose( 'info', 'Start: ' . $opts{start}->strftime('%Y-%m-%dT%H:%M:%S%z') . ', ' . $opts{start}->epoch ); |
834
|
0
|
|
|
|
|
|
$self->verbose( 'info', 'End: ' . $opts{end}->strftime('%Y-%m-%dT%H:%M:%S%z') . ', ' . $opts{end}->epoch ); |
835
|
|
|
|
|
|
|
|
836
|
0
|
0
|
|
|
|
|
if ( !defined( $opts{auto_no_cache} ) ) { |
837
|
0
|
|
|
|
|
|
$opts{auto_no_cache} = 1; |
838
|
|
|
|
|
|
|
} |
839
|
0
|
|
|
|
|
|
$self->verbose( 'info', 'auto_no_cache: ' . $opts{auto_no_cache} ); |
840
|
|
|
|
|
|
|
|
841
|
0
|
0
|
|
|
|
|
if ( !defined( $opts{no_cache} ) ) { |
842
|
0
|
|
|
|
|
|
$opts{no_cache} = 0; |
843
|
|
|
|
|
|
|
} |
844
|
0
|
|
|
|
|
|
$self->verbose( 'info', 'no_cache: ' . $opts{no_cache} ); |
845
|
|
|
|
|
|
|
|
846
|
0
|
0
|
0
|
|
|
|
if ( !defined( $opts{set} ) || $opts{set} eq '' ) { |
847
|
0
|
|
|
|
|
|
$opts{set} = $self->get_default_set; |
848
|
|
|
|
|
|
|
} |
849
|
0
|
|
|
|
|
|
$self->verbose( 'info', 'Set: ' . $opts{set} ); |
850
|
|
|
|
|
|
|
|
851
|
|
|
|
|
|
|
# make sure the set exists |
852
|
0
|
0
|
|
|
|
|
if ( !defined( $self->{sets}->{ $opts{set} } ) ) { |
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
853
|
0
|
|
|
|
|
|
die( 'The set "' . $opts{set} . '" is not defined' ); |
854
|
|
|
|
|
|
|
} elsif ( !defined( $self->{sets}->{ $opts{set} }{path} ) ) { |
855
|
0
|
|
|
|
|
|
die( 'The path for set "' . $opts{set} . '" is not defined' ); |
856
|
|
|
|
|
|
|
} elsif ( !-d $self->{sets}->{ $opts{set} }{path} ) { |
857
|
|
|
|
|
|
|
die( 'The path for set "' |
858
|
|
|
|
|
|
|
. $opts{set} . '", "' |
859
|
|
|
|
|
|
|
. $self->{sets}->{ $opts{set} }{path} |
860
|
0
|
|
|
|
|
|
. '" is not exist or is not a directory' ); |
861
|
|
|
|
|
|
|
} |
862
|
|
|
|
|
|
|
|
863
|
|
|
|
|
|
|
# get the paddimg, make sure it is sane, and apply it |
864
|
0
|
0
|
|
|
|
|
if ( !defined( $opts{padding} ) ) { |
865
|
0
|
|
|
|
|
|
$opts{padding} = $self->{padding}; |
866
|
0
|
0
|
|
|
|
|
if ( defined( $self->{sets}{ $opts{set} }{padding} ) ) { |
867
|
0
|
|
|
|
|
|
$opts{padding} = $self->{sets}{ $opts{set} }{padding}; |
868
|
|
|
|
|
|
|
} |
869
|
|
|
|
|
|
|
} |
870
|
|
|
|
|
|
|
|
871
|
|
|
|
|
|
|
# clean the filter |
872
|
0
|
|
|
|
|
|
$opts{filter} = $self->filter_clean( $opts{filter} ); |
873
|
0
|
|
|
|
|
|
$self->verbose( 'info', 'Filter: ' . $opts{filter} ); |
874
|
|
|
|
|
|
|
|
875
|
|
|
|
|
|
|
# get the cache file to use |
876
|
0
|
|
|
|
|
|
my $cache_file; |
877
|
0
|
|
|
|
|
|
eval { $cache_file = $self->get_cache_file(%opts); }; |
|
0
|
|
|
|
|
|
|
878
|
0
|
0
|
|
|
|
|
if ($@) { |
879
|
0
|
|
|
|
|
|
die( '$self->get_cache_files(%opts) failed... ' . $@ ); |
880
|
|
|
|
|
|
|
} |
881
|
|
|
|
|
|
|
|
882
|
|
|
|
|
|
|
# if applicable return the cache file |
883
|
0
|
|
|
|
|
|
my $return_cache = 0; |
884
|
0
|
0
|
0
|
|
|
|
if ( |
|
|
0
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
885
|
|
|
|
|
|
|
defined( $opts{file} ) |
886
|
|
|
|
|
|
|
&& $opts{file} ne $cache_file |
887
|
|
|
|
|
|
|
&& !$opts{no_cache} |
888
|
|
|
|
|
|
|
&& -f $cache_file |
889
|
|
|
|
|
|
|
&& -f $cache_file . '.json' |
890
|
|
|
|
|
|
|
|
891
|
|
|
|
|
|
|
) |
892
|
|
|
|
|
|
|
{ |
893
|
0
|
|
|
|
|
|
$return_cache = 1; |
894
|
|
|
|
|
|
|
} elsif ( !defined( $opts{file} ) && !$opts{no_cache} && -f $cache_file && -f $cache_file . '.json' ) { |
895
|
0
|
|
|
|
|
|
$return_cache = 1; |
896
|
|
|
|
|
|
|
} |
897
|
0
|
0
|
|
|
|
|
if ($return_cache) { |
898
|
0
|
|
|
|
|
|
my $cache_message = 'Already cached... "' . $cache_file . '"'; |
899
|
0
|
0
|
0
|
|
|
|
if ( defined( $opts{file} ) && $opts{file} ne $cache_file ) { |
900
|
0
|
|
|
|
|
|
$cache_message = $cache_message . ' -> "' . $opts{file} . '"'; |
901
|
|
|
|
|
|
|
} |
902
|
0
|
|
|
|
|
|
$self->verbose( 'info', $cache_message ); |
903
|
0
|
0
|
0
|
|
|
|
if ( defined( $opts{file} ) && $opts{file} ne $cache_file ) { |
904
|
0
|
|
|
|
|
|
cp( $cache_file, $opts{file} ); |
905
|
|
|
|
|
|
|
} |
906
|
0
|
|
|
|
|
|
my $to_return; |
907
|
0
|
|
|
|
|
|
eval { |
908
|
0
|
|
|
|
|
|
my $cache_meta_raw = read_file( $cache_file . '.json' ); |
909
|
0
|
|
|
|
|
|
$to_return = decode_json($cache_meta_raw); |
910
|
|
|
|
|
|
|
}; |
911
|
0
|
0
|
|
|
|
|
if ($@) { |
912
|
0
|
|
|
|
|
|
die( 'Failed to read cache metadata JSON, "' . $cache_file . '.json"' ); |
913
|
|
|
|
|
|
|
} |
914
|
0
|
|
|
|
|
|
$to_return->{using_cache} = 1; |
915
|
0
|
|
|
|
|
|
return $to_return; |
916
|
|
|
|
|
|
|
} ## end if ($return_cache) |
917
|
|
|
|
|
|
|
|
918
|
|
|
|
|
|
|
# check it here incase the config includes something off |
919
|
0
|
0
|
|
|
|
|
if ( $opts{padding} !~ /^[0-9]+$/ ) { |
920
|
0
|
|
|
|
|
|
die( '"' . $opts{padding} . '" is not a numeric' ); |
921
|
|
|
|
|
|
|
} |
922
|
|
|
|
|
|
|
|
923
|
|
|
|
|
|
|
# set the padding |
924
|
0
|
|
|
|
|
|
my $start = $opts{start} - $opts{padding}; |
925
|
0
|
|
|
|
|
|
my $end = $opts{end} + $opts{padding}; |
926
|
0
|
|
|
|
|
|
$self->verbose( 'info', 'Padded Start: ' . $start->strftime('%Y-%m-%dT%H:%M:%S%z') . ', ' . $start->epoch ); |
927
|
0
|
|
|
|
|
|
$self->verbose( 'info', 'Padded End: ' . $end->strftime('%Y-%m-%dT%H:%M:%S%z') . ', ' . $end->epoch ); |
928
|
|
|
|
|
|
|
|
929
|
|
|
|
|
|
|
# get the set |
930
|
0
|
|
|
|
|
|
my $set_path = $self->get_set_path( $opts{set} ); |
931
|
0
|
0
|
|
|
|
|
if ( !defined($set_path) ) { |
932
|
0
|
|
|
|
|
|
die( 'The set "' . $opts{set} . '" does not either exist or the path value for it is undef' ); |
933
|
|
|
|
|
|
|
} |
934
|
|
|
|
|
|
|
|
935
|
|
|
|
|
|
|
# get the pcaps |
936
|
0
|
|
|
|
|
|
my @pcaps = File::Find::Rule->file()->name("*.pcap*")->in($set_path); |
937
|
|
|
|
|
|
|
|
938
|
|
|
|
|
|
|
# get the ts_regexp to use |
939
|
0
|
|
|
|
|
|
my $ts_regexp; |
940
|
0
|
0
|
|
|
|
|
if ( defined( $self->{sets}{ $opts{set} }{regex} ) ) { |
941
|
0
|
|
|
|
|
|
$ts_regexp = $self->{sets}{ $opts{set} }{regex}; |
942
|
|
|
|
|
|
|
} else { |
943
|
0
|
|
|
|
|
|
$ts_regexp = $self->{default_regex}; |
944
|
|
|
|
|
|
|
} |
945
|
|
|
|
|
|
|
|
946
|
0
|
|
|
|
|
|
my $to_check = File::Find::IncludesTimeRange->find( |
947
|
|
|
|
|
|
|
items => \@pcaps, |
948
|
|
|
|
|
|
|
start => $start, |
949
|
|
|
|
|
|
|
end => $end, |
950
|
|
|
|
|
|
|
regex => $ts_regexp, |
951
|
|
|
|
|
|
|
); |
952
|
|
|
|
|
|
|
|
953
|
|
|
|
|
|
|
# The return hash and what will be used for the cache JSON |
954
|
|
|
|
|
|
|
# req_end stuff set later |
955
|
|
|
|
|
|
|
my $to_return = { |
956
|
|
|
|
|
|
|
pcaps => $to_check, |
957
|
|
|
|
|
|
|
pcap_count => 0, |
958
|
|
|
|
|
|
|
failed => {}, |
959
|
|
|
|
|
|
|
failed_count => 0, |
960
|
|
|
|
|
|
|
success_count => 0, |
961
|
|
|
|
|
|
|
path => $cache_file, |
962
|
|
|
|
|
|
|
filter => $opts{filter}, |
963
|
|
|
|
|
|
|
total_size => 0, |
964
|
|
|
|
|
|
|
failed_size => 0, |
965
|
|
|
|
|
|
|
success_size => 0, |
966
|
|
|
|
|
|
|
tmp_size => 0, |
967
|
|
|
|
|
|
|
final_size => 0, |
968
|
|
|
|
|
|
|
type => $opts{type}, |
969
|
|
|
|
|
|
|
padding => $opts{padding}, |
970
|
|
|
|
|
|
|
start_s => $opts{start}->epoch, |
971
|
|
|
|
|
|
|
start => $opts{start}->strftime('%Y-%m-%dT%H:%M:%S%z'), |
972
|
|
|
|
|
|
|
end_s => $opts{end}->epoch, |
973
|
0
|
|
|
|
|
|
end => $opts{end}->strftime('%Y-%m-%dT%H:%M:%S%z'), |
974
|
|
|
|
|
|
|
req_start => $req_start->strftime('%Y-%m-%dT%H:%M:%S%z'), |
975
|
|
|
|
|
|
|
req_start_s => $req_start->epoch, |
976
|
|
|
|
|
|
|
}; |
977
|
|
|
|
|
|
|
|
978
|
|
|
|
|
|
|
# used for tracking the files to cleanup |
979
|
0
|
|
|
|
|
|
my @tmp_files; |
980
|
|
|
|
|
|
|
|
981
|
|
|
|
|
|
|
# puts together the tshark filter if needed |
982
|
0
|
|
|
|
|
|
my $tshark_filter = $opts{filter}; |
983
|
0
|
0
|
|
|
|
|
if ( $opts{type} eq 'bpf2tshark' ) { |
984
|
0
|
|
|
|
|
|
$tshark_filter = $self->bpf2tshark( $opts{filter} ); |
985
|
0
|
|
|
|
|
|
$to_return->{filter_translated} = $tshark_filter; |
986
|
0
|
|
|
|
|
|
$self->verbose( 'info', 'Translated Filter ' . $tshark_filter ); |
987
|
|
|
|
|
|
|
} |
988
|
|
|
|
|
|
|
|
989
|
|
|
|
|
|
|
# the merge command |
990
|
0
|
|
|
|
|
|
my $to_merge = [ 'mergecap', '-w', $cache_file ]; |
991
|
0
|
|
|
|
|
|
foreach my $pcap ( @{$to_check} ) { |
|
0
|
|
|
|
|
|
|
992
|
|
|
|
|
|
|
|
993
|
|
|
|
|
|
|
# get stat info for the file |
994
|
0
|
|
|
|
|
|
my ( $dev, $ino, $mode, $nlink, $uid, $gid, $rdev, $size, $atime, $mtime, $ctime, $blksize, $blocks ) |
995
|
|
|
|
|
|
|
= stat($pcap); |
996
|
0
|
|
|
|
|
|
$to_return->{total_size} += $size; |
997
|
|
|
|
|
|
|
|
998
|
0
|
|
|
|
|
|
$self->verbose( 'info', 'Processing ' . $pcap . ", size=" . $size . " ..." ); |
999
|
|
|
|
|
|
|
|
1000
|
0
|
|
|
|
|
|
my $tmp_file = $cache_file . '-' . $to_return->{pcap_count}; |
1001
|
|
|
|
|
|
|
|
1002
|
0
|
|
|
|
|
|
my ( $success, $error_message, $full_buf, $stdout_buf, $stderr_buf ); |
1003
|
0
|
0
|
|
|
|
|
if ( $opts{type} eq 'tcpdump' ) { |
1004
|
|
|
|
|
|
|
( $success, $error_message, $full_buf, $stdout_buf, $stderr_buf ) = run( |
1005
|
0
|
|
|
|
|
|
command => [ 'tcpdump', '-r', $pcap, '-w', $tmp_file, $opts{filter} ], |
1006
|
|
|
|
|
|
|
verbose => 0 |
1007
|
|
|
|
|
|
|
); |
1008
|
|
|
|
|
|
|
} else { |
1009
|
0
|
|
|
|
|
|
( $success, $error_message, $full_buf, $stdout_buf, $stderr_buf ) = run( |
1010
|
|
|
|
|
|
|
command => [ 'tshark', '-r', $pcap, '-w', $tmp_file, $tshark_filter ], |
1011
|
|
|
|
|
|
|
verbose => 0 |
1012
|
|
|
|
|
|
|
); |
1013
|
|
|
|
|
|
|
} |
1014
|
0
|
0
|
|
|
|
|
if ($success) { |
1015
|
0
|
|
|
|
|
|
$to_return->{success_count}++; |
1016
|
0
|
|
|
|
|
|
$to_return->{success_size} += $size; |
1017
|
0
|
|
|
|
|
|
push( @{$to_merge}, $tmp_file ); |
|
0
|
|
|
|
|
|
|
1018
|
0
|
|
|
|
|
|
push( @tmp_files, $tmp_file ); |
1019
|
|
|
|
|
|
|
|
1020
|
|
|
|
|
|
|
# get stat info for the tmp file |
1021
|
0
|
|
|
|
|
|
( $dev, $ino, $mode, $nlink, $uid, $gid, $rdev, $size, $atime, $mtime, $ctime, $blksize, $blocks ) |
1022
|
|
|
|
|
|
|
= stat($tmp_file); |
1023
|
0
|
|
|
|
|
|
$to_return->{tmp_size} += $size; |
1024
|
|
|
|
|
|
|
|
1025
|
|
|
|
|
|
|
} else { |
1026
|
0
|
|
|
|
|
|
$to_return->{failed}{$pcap} = $error_message; |
1027
|
0
|
|
|
|
|
|
$to_return->{failed_count}++; |
1028
|
0
|
|
|
|
|
|
$to_return->{failed_size} += $size; |
1029
|
|
|
|
|
|
|
|
1030
|
0
|
|
|
|
|
|
$self->verbose( 'warning', 'Failed ' . $pcap . " ... " . $error_message ); |
1031
|
|
|
|
|
|
|
|
1032
|
0
|
|
|
|
|
|
unlink $tmp_file; |
1033
|
|
|
|
|
|
|
} |
1034
|
|
|
|
|
|
|
|
1035
|
0
|
|
|
|
|
|
$to_return->{pcap_count}++; |
1036
|
|
|
|
|
|
|
} ## end foreach my $pcap ( @{$to_check} ) |
1037
|
|
|
|
|
|
|
|
1038
|
|
|
|
|
|
|
# only try merging if we had more than one success |
1039
|
0
|
0
|
|
|
|
|
if ( $to_return->{success_count} > 0 ) { |
1040
|
|
|
|
|
|
|
|
1041
|
0
|
|
|
|
|
|
$self->verbose( 'info', "Merging PCAPs... " . join( ' ', @{$to_merge} ) ); |
|
0
|
|
|
|
|
|
|
1042
|
|
|
|
|
|
|
|
1043
|
0
|
|
|
|
|
|
my ( $success, $error_message, $full_buf, $stdout_buf, $stderr_buf ) = run( |
1044
|
|
|
|
|
|
|
command => $to_merge, |
1045
|
|
|
|
|
|
|
verbose => 0 |
1046
|
|
|
|
|
|
|
); |
1047
|
0
|
0
|
|
|
|
|
if ($success) { |
1048
|
0
|
|
|
|
|
|
$self->verbose( 'info', "PCAPs merged into " . $cache_file ); |
1049
|
|
|
|
|
|
|
} else { |
1050
|
|
|
|
|
|
|
# if verbose print different messages if mergecap generated a ouput file or not when it fialed |
1051
|
0
|
0
|
|
|
|
|
if ( -f $cache_file ) { |
1052
|
0
|
|
|
|
|
|
$self->verbose( 'warning', "PCAPs partially(output file generated) failed " . $error_message ); |
1053
|
|
|
|
|
|
|
} else { |
1054
|
0
|
|
|
|
|
|
$self->verbose( 'err', "PCAPs merge completely(output file not generated) failed " . $error_message ); |
1055
|
|
|
|
|
|
|
} |
1056
|
|
|
|
|
|
|
} |
1057
|
|
|
|
|
|
|
|
1058
|
|
|
|
|
|
|
# remove each tmp file |
1059
|
0
|
|
|
|
|
|
foreach my $tmp_file (@tmp_files) { |
1060
|
0
|
|
|
|
|
|
unlink($tmp_file); |
1061
|
|
|
|
|
|
|
} |
1062
|
|
|
|
|
|
|
|
1063
|
|
|
|
|
|
|
# don't bother checking size if the file was not generated |
1064
|
0
|
0
|
|
|
|
|
if ( -f $cache_file ) { |
1065
|
0
|
|
|
|
|
|
my ( $dev, $ino, $mode, $nlink, $uid, $gid, $rdev, $size, $atime, $mtime, $ctime, $blksize, $blocks ) |
1066
|
|
|
|
|
|
|
= stat($cache_file); |
1067
|
0
|
|
|
|
|
|
$to_return->{final_size} = $size; |
1068
|
|
|
|
|
|
|
} |
1069
|
|
|
|
|
|
|
|
1070
|
|
|
|
|
|
|
} else { |
1071
|
0
|
|
|
|
|
|
$self->verbose( 'err', "No PCAPs to merge" ); |
1072
|
|
|
|
|
|
|
} |
1073
|
|
|
|
|
|
|
|
1074
|
|
|
|
|
|
|
$self->verbose( 'info', |
1075
|
|
|
|
|
|
|
"PCAP sizes... failed_size=" |
1076
|
|
|
|
|
|
|
. $to_return->{failed_size} |
1077
|
|
|
|
|
|
|
. " success_size=" |
1078
|
|
|
|
|
|
|
. $to_return->{success_size} |
1079
|
|
|
|
|
|
|
. " total_size=" |
1080
|
|
|
|
|
|
|
. $to_return->{total_size} |
1081
|
|
|
|
|
|
|
. " tmp_size=" |
1082
|
|
|
|
|
|
|
. $to_return->{tmp_size} |
1083
|
|
|
|
|
|
|
. " final_size=" |
1084
|
0
|
|
|
|
|
|
. $to_return->{final_size} ); |
1085
|
|
|
|
|
|
|
|
1086
|
|
|
|
|
|
|
# finalize info on how long the request took |
1087
|
0
|
|
|
|
|
|
my $req_end = localtime; |
1088
|
0
|
|
|
|
|
|
$to_return->{req_end} = $req_end->strftime('%Y-%m-%dT%H:%M:%S%z'); |
1089
|
0
|
|
|
|
|
|
$to_return->{req_end_s} = $req_end->epoch; |
1090
|
0
|
|
|
|
|
|
$to_return->{req_time} = $req_end->epoch - $req_start->epoch; |
1091
|
|
|
|
|
|
|
|
1092
|
0
|
|
|
|
|
|
$self->verbose( 'info', 'Creating metadata JSON at "' . $cache_file . '.json" ' ); |
1093
|
0
|
|
|
|
|
|
my $json = JSON->new->allow_nonref->pretty->canonical(1); |
1094
|
0
|
|
|
|
|
|
my $raw_json = $json->encode($to_return); |
1095
|
0
|
|
|
|
|
|
write_file( $cache_file . '.json', $raw_json ); |
1096
|
|
|
|
|
|
|
|
1097
|
|
|
|
|
|
|
# if the file and cache file are the same, then the cache dir not accessing, so no need to copy it |
1098
|
0
|
0
|
0
|
|
|
|
if ( defined( $opts{file} ) && $cache_file ne $opts{file} ) { |
1099
|
0
|
|
|
|
|
|
$self->verbose( 'info', 'Copying "' . $cache_file . '" to "' . $opts{file} . '"' ); |
1100
|
0
|
|
|
|
|
|
cp( $cache_file, $opts{file} ); |
1101
|
|
|
|
|
|
|
} |
1102
|
|
|
|
|
|
|
|
1103
|
0
|
|
|
|
|
|
$to_return->{using_cache} = 0; |
1104
|
|
|
|
|
|
|
|
1105
|
0
|
|
|
|
|
|
return $to_return; |
1106
|
|
|
|
|
|
|
} ## end sub get_pcap_local |
1107
|
|
|
|
|
|
|
|
1108
|
|
|
|
|
|
|
=head2 get_set_path |
1109
|
|
|
|
|
|
|
|
1110
|
|
|
|
|
|
|
Returns the path to a set. |
1111
|
|
|
|
|
|
|
|
1112
|
|
|
|
|
|
|
If no set is given, the default is used. |
1113
|
|
|
|
|
|
|
|
1114
|
|
|
|
|
|
|
Will return undef if the set does not exist or if the set does not have a path defined. |
1115
|
|
|
|
|
|
|
|
1116
|
|
|
|
|
|
|
my $path=$virani->get_set_path($set); |
1117
|
|
|
|
|
|
|
|
1118
|
|
|
|
|
|
|
=cut |
1119
|
|
|
|
|
|
|
|
1120
|
|
|
|
|
|
|
sub get_set_path { |
1121
|
0
|
|
|
0
|
1
|
|
my ( $self, $set ) = @_; |
1122
|
|
|
|
|
|
|
|
1123
|
0
|
0
|
|
|
|
|
if ( !defined($set) ) { |
1124
|
0
|
|
|
|
|
|
$set = $self->get_default_set; |
1125
|
|
|
|
|
|
|
} |
1126
|
|
|
|
|
|
|
|
1127
|
0
|
0
|
|
|
|
|
if ( !defined( $self->{sets}{$set} ) ) { |
1128
|
0
|
|
|
|
|
|
return undef; |
1129
|
|
|
|
|
|
|
} |
1130
|
|
|
|
|
|
|
|
1131
|
0
|
0
|
|
|
|
|
if ( !defined( $self->{sets}{$set}{path} ) ) { |
1132
|
0
|
|
|
|
|
|
return undef; |
1133
|
|
|
|
|
|
|
} |
1134
|
|
|
|
|
|
|
|
1135
|
0
|
|
|
|
|
|
return $self->{sets}{$set}{path}; |
1136
|
|
|
|
|
|
|
} ## end sub get_set_path |
1137
|
|
|
|
|
|
|
|
1138
|
|
|
|
|
|
|
=head2 set_verbose |
1139
|
|
|
|
|
|
|
|
1140
|
|
|
|
|
|
|
Set if it should be verbose or not. |
1141
|
|
|
|
|
|
|
|
1142
|
|
|
|
|
|
|
# be verbose |
1143
|
|
|
|
|
|
|
$virani->verbose(1); |
1144
|
|
|
|
|
|
|
|
1145
|
|
|
|
|
|
|
# do not be verbose |
1146
|
|
|
|
|
|
|
$virani->verbose(0); |
1147
|
|
|
|
|
|
|
|
1148
|
|
|
|
|
|
|
=cut |
1149
|
|
|
|
|
|
|
|
1150
|
|
|
|
|
|
|
sub set_verbose { |
1151
|
0
|
|
|
0
|
1
|
|
my ( $self, $verbose ) = @_; |
1152
|
|
|
|
|
|
|
|
1153
|
0
|
|
|
|
|
|
$self->{verbose} = $verbose; |
1154
|
|
|
|
|
|
|
} |
1155
|
|
|
|
|
|
|
|
1156
|
|
|
|
|
|
|
=head2 set_verbose_to_syslog |
1157
|
|
|
|
|
|
|
|
1158
|
|
|
|
|
|
|
Set if it should be verbose or not. |
1159
|
|
|
|
|
|
|
|
1160
|
|
|
|
|
|
|
# send verbose messages to syslog |
1161
|
|
|
|
|
|
|
$virani->set_verbose_to_syslog(1); |
1162
|
|
|
|
|
|
|
|
1163
|
|
|
|
|
|
|
# do not send verbose messages to syslog |
1164
|
|
|
|
|
|
|
$virani->set_verbose_to_syslog(0); |
1165
|
|
|
|
|
|
|
|
1166
|
|
|
|
|
|
|
=cut |
1167
|
|
|
|
|
|
|
|
1168
|
|
|
|
|
|
|
sub set_verbose_to_syslog { |
1169
|
0
|
|
|
0
|
1
|
|
my ( $self, $to_syslog ) = @_; |
1170
|
|
|
|
|
|
|
|
1171
|
0
|
|
|
|
|
|
$self->{verbose_to_syslog} = $to_syslog; |
1172
|
|
|
|
|
|
|
} |
1173
|
|
|
|
|
|
|
|
1174
|
|
|
|
|
|
|
=head2 verbose |
1175
|
|
|
|
|
|
|
|
1176
|
|
|
|
|
|
|
Prints out error messages. This is inteded to be internal. |
1177
|
|
|
|
|
|
|
|
1178
|
|
|
|
|
|
|
Only sends the string if verbose is enabled. |
1179
|
|
|
|
|
|
|
|
1180
|
|
|
|
|
|
|
There is no need to add a "\n" as it will automatically if not sending to syslog. |
1181
|
|
|
|
|
|
|
|
1182
|
|
|
|
|
|
|
Two variables are taken. The first is level the second is the message. Level is only used |
1183
|
|
|
|
|
|
|
for syslog. Default level is info. |
1184
|
|
|
|
|
|
|
|
1185
|
|
|
|
|
|
|
- Levels :: emerg, alert, crit, err, warning, notice, info, debug |
1186
|
|
|
|
|
|
|
|
1187
|
|
|
|
|
|
|
$self->verbose('info', 'some string'); |
1188
|
|
|
|
|
|
|
|
1189
|
|
|
|
|
|
|
=cut |
1190
|
|
|
|
|
|
|
|
1191
|
|
|
|
|
|
|
sub verbose { |
1192
|
0
|
|
|
0
|
1
|
|
my ( $self, $level, $string ) = @_; |
1193
|
|
|
|
|
|
|
|
1194
|
0
|
0
|
0
|
|
|
|
if ( !defined($string) || $string eq '' ) { |
1195
|
0
|
|
|
|
|
|
return; |
1196
|
|
|
|
|
|
|
} |
1197
|
|
|
|
|
|
|
|
1198
|
0
|
0
|
|
|
|
|
if ( !defined($level) ) { |
1199
|
0
|
|
|
|
|
|
$level = 'info'; |
1200
|
|
|
|
|
|
|
} |
1201
|
|
|
|
|
|
|
|
1202
|
0
|
0
|
|
|
|
|
if ( $self->{verbose} ) { |
1203
|
0
|
0
|
|
|
|
|
if ( $self->{verbose_to_syslog} ) { |
1204
|
0
|
|
|
|
|
|
openlog( 'virani', undef, 'daemon' ); |
1205
|
0
|
|
|
|
|
|
syslog( $level, $string ); |
1206
|
0
|
|
|
|
|
|
closelog(); |
1207
|
|
|
|
|
|
|
} else { |
1208
|
0
|
|
|
|
|
|
print $string. "\n"; |
1209
|
|
|
|
|
|
|
} |
1210
|
|
|
|
|
|
|
} |
1211
|
|
|
|
|
|
|
|
1212
|
0
|
|
|
|
|
|
return; |
1213
|
|
|
|
|
|
|
} ## end sub verbose |
1214
|
|
|
|
|
|
|
|
1215
|
|
|
|
|
|
|
=head2 CONFIG |
1216
|
|
|
|
|
|
|
|
1217
|
|
|
|
|
|
|
The config format used toml, processed via L. |
1218
|
|
|
|
|
|
|
|
1219
|
|
|
|
|
|
|
'new_from_conf' will initiate virani by reading it in and feeding it to 'new'. |
1220
|
|
|
|
|
|
|
|
1221
|
|
|
|
|
|
|
=head2 DAEMONLOGGER ON FREEBSD |
1222
|
|
|
|
|
|
|
|
1223
|
|
|
|
|
|
|
With daemonlogger setup along the lines of like below... |
1224
|
|
|
|
|
|
|
|
1225
|
|
|
|
|
|
|
daemonlogger_enable="YES" |
1226
|
|
|
|
|
|
|
daemonlogger_flags="-f /usr/local/etc/daemonlogger.bpf -d -l /var/log/daemonlogger -t 120" |
1227
|
|
|
|
|
|
|
|
1228
|
|
|
|
|
|
|
The following can be made available via mojo-varini or locally via varini with the set name of |
1229
|
|
|
|
|
|
|
default as below. |
1230
|
|
|
|
|
|
|
|
1231
|
|
|
|
|
|
|
default_set='default' |
1232
|
|
|
|
|
|
|
allowed_subnets=["192.168.14.0/23", "127.0.0.1/8"] |
1233
|
|
|
|
|
|
|
[sets.default] |
1234
|
|
|
|
|
|
|
path='/var/log/daemonlogger' |
1235
|
|
|
|
|
|
|
regex='(?\d\d\d\d\d\d+)(\.pcap|(?\.\d+)\.pcap)$' |
1236
|
|
|
|
|
|
|
|
1237
|
|
|
|
|
|
|
=head1 AUTHOR |
1238
|
|
|
|
|
|
|
|
1239
|
|
|
|
|
|
|
Zane C. Bowers-Hadley, C<< >> |
1240
|
|
|
|
|
|
|
|
1241
|
|
|
|
|
|
|
=head1 BUGS |
1242
|
|
|
|
|
|
|
|
1243
|
|
|
|
|
|
|
Please report any bugs or feature requests to C, or through |
1244
|
|
|
|
|
|
|
the web interface at L. I will be notified, and then you'll |
1245
|
|
|
|
|
|
|
automatically be notified of progress on your bug as I make changes. |
1246
|
|
|
|
|
|
|
|
1247
|
|
|
|
|
|
|
|
1248
|
|
|
|
|
|
|
|
1249
|
|
|
|
|
|
|
|
1250
|
|
|
|
|
|
|
=head1 SUPPORT |
1251
|
|
|
|
|
|
|
|
1252
|
|
|
|
|
|
|
You can find documentation for this module with the perldoc command. |
1253
|
|
|
|
|
|
|
|
1254
|
|
|
|
|
|
|
perldoc Virani |
1255
|
|
|
|
|
|
|
|
1256
|
|
|
|
|
|
|
|
1257
|
|
|
|
|
|
|
You can also look for information at: |
1258
|
|
|
|
|
|
|
|
1259
|
|
|
|
|
|
|
=over 4 |
1260
|
|
|
|
|
|
|
|
1261
|
|
|
|
|
|
|
=item * RT: CPAN's request tracker (report bugs here) |
1262
|
|
|
|
|
|
|
|
1263
|
|
|
|
|
|
|
L |
1264
|
|
|
|
|
|
|
|
1265
|
|
|
|
|
|
|
=item * CPAN Ratings |
1266
|
|
|
|
|
|
|
|
1267
|
|
|
|
|
|
|
L |
1268
|
|
|
|
|
|
|
|
1269
|
|
|
|
|
|
|
=item * Search CPAN |
1270
|
|
|
|
|
|
|
|
1271
|
|
|
|
|
|
|
L |
1272
|
|
|
|
|
|
|
|
1273
|
|
|
|
|
|
|
=back |
1274
|
|
|
|
|
|
|
|
1275
|
|
|
|
|
|
|
|
1276
|
|
|
|
|
|
|
=head1 ACKNOWLEDGEMENTS |
1277
|
|
|
|
|
|
|
|
1278
|
|
|
|
|
|
|
|
1279
|
|
|
|
|
|
|
=head1 LICENSE AND COPYRIGHT |
1280
|
|
|
|
|
|
|
|
1281
|
|
|
|
|
|
|
This software is Copyright (c) 2023 by Zane C. Bowers-Hadley. |
1282
|
|
|
|
|
|
|
|
1283
|
|
|
|
|
|
|
This is free software, licensed under: |
1284
|
|
|
|
|
|
|
|
1285
|
|
|
|
|
|
|
The GNU Lesser General Public License, Version 2.1, February 1999 |
1286
|
|
|
|
|
|
|
|
1287
|
|
|
|
|
|
|
|
1288
|
|
|
|
|
|
|
=cut |
1289
|
|
|
|
|
|
|
|
1290
|
|
|
|
|
|
|
1; # End of Virani |