mirror of
https://github.com/vel21ripn/nDPI.git
synced 2026-04-29 15:39:42 +00:00
125 lines
No EOL
3.5 KiB
Lua
125 lines
No EOL
3.5 KiB
Lua
|
|
--
|
|
-- Sharkfest 2021
|
|
--
|
|
-- This is going to be an example of a lua script that can be written for cybersecurity reasons.
|
|
-- HTTP Request/Reply Ratio:
|
|
-- the ratio of HTTP requests and replies should be alwais close to 1, because, if not, usually means
|
|
-- that there are problems with the client that is sending the requests or there are problems with
|
|
-- the server that should receive those requests.
|
|
|
|
local f_http_request = Field.new("http.request")
|
|
local f_http_reply = Field.new("http.response")
|
|
local f_ip_src = Field.new("ip.src")
|
|
local f_ip_dst = Field.new("ip.dst")
|
|
|
|
--############################################
|
|
|
|
local function getstring(finfo)
|
|
local ok, val = pcall(tostring, finfo)
|
|
if not ok then val = "(unknown)" end
|
|
return val
|
|
end
|
|
|
|
--############################################
|
|
|
|
local function processResponse(http_table, req_or_rep, src, dst)
|
|
local key = src .. "->" .. dst
|
|
|
|
-- Create the table entry if needed
|
|
if not http_table[key] then
|
|
http_table[key] = {
|
|
requests = 0,
|
|
replies = 0,
|
|
}
|
|
end
|
|
|
|
-- Increase the stats
|
|
http_table[key][req_or_rep] = http_table[key][req_or_rep] + 1
|
|
|
|
return http_table
|
|
end
|
|
|
|
--############################################
|
|
|
|
local function processPackets(pinfo,tvb, http_table)
|
|
-- Call the function that extracts the field
|
|
local http_request = f_http_request()
|
|
local http_reply = f_http_reply()
|
|
|
|
--Check if there is an HTTP request or reply
|
|
if http_request then
|
|
local src = getstring(f_ip_src().value)
|
|
local dst = getstring(f_ip_dst().value)
|
|
|
|
http_table = processResponse(http_table, "requests", src, dst)
|
|
elseif http_reply then
|
|
local dst = getstring(f_ip_src().value)
|
|
local src = getstring(f_ip_dst().value)
|
|
|
|
http_table = processResponse(http_table, "replies", src, dst)
|
|
end
|
|
|
|
return http_table
|
|
end
|
|
|
|
--############################################
|
|
|
|
local function httpReqRepRatio()
|
|
-- Declare the window we will use
|
|
local tw = TextWindow.new("HTTP Request/Reply Ratio")
|
|
|
|
local http_table = {}
|
|
|
|
local tap = Listener.new();
|
|
|
|
local function removeListener()
|
|
-- This way we remove the listener that otherwise will remain running indefinitely
|
|
tap:remove();
|
|
end
|
|
|
|
-- We tell the window to call the remove() function when closed
|
|
tw:set_atclose(removeListener)
|
|
|
|
-- This function will be called once for each packet
|
|
function tap.packet(pinfo,tvb)
|
|
http_table = processPackets(pinfo,tvb, http_table)
|
|
end
|
|
|
|
-- This function will be called once every few seconds to update our window
|
|
function tap.draw(t)
|
|
tw:clear()
|
|
|
|
for flow in pairs(http_table) do
|
|
local requests = http_table[flow]["requests"]
|
|
local replies = http_table[flow]["replies"]
|
|
local ratio = 0
|
|
local danger = ""
|
|
|
|
if replies == 0 then
|
|
ratio = 0
|
|
else
|
|
ratio = requests/replies
|
|
end
|
|
|
|
if ratio ~= 1 then
|
|
danger = "-- DANGER: RATIO NOT 1 --\n"
|
|
end
|
|
|
|
tw:append(danger .. flow .. ":\n\tRatio: " .. (ratio) .. "\n\tRequests: " .. requests .. "\n\tReplies: " .. replies .. "\n\n");
|
|
end
|
|
end
|
|
|
|
-- This function will be called whenever a reset is needed
|
|
-- e.g. when reloading the capture file
|
|
function tap.reset()
|
|
tw:clear()
|
|
http_table = {}
|
|
end
|
|
|
|
-- Ensure that all existing packets are processed.
|
|
retap_packets()
|
|
end
|
|
|
|
-- Register the menu Entry
|
|
register_menu("Sharkfest/HTTP Request-Reply Ratio", httpReqRepRatio, MENU_TOOLS_UNSORTED) |