Create TCP packets in Python


I need to create TCP packets from an Apache log file in Python. To do this, I take the HTTP request from the Apache log and use it as the payload of the packet in question. With the created packets I build a PCAP file containing all of them and analyze it with Snort.

I tried to create the packets with Scapy as follows:

from scapy.all import IP, TCP, Raw

packet = IP(dst=dst_ip)/TCP(dport=9999)/Raw(load=payload)

When analyzing the PCAP file containing all the created packets, it always gives me the same alert for every packet:

[**] [129:2:1] Data on SYN packet [**]
[Classification: Generic Protocol Command Decode] [Priority: 3] 
09/01-20:29:50.816860 127.0.0.1:20 -> 127.0.0.1:9999
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:102
******S* Seq: 0x0  Ack: 0x0  Win: 0x2000  TcpLen: 20
[Xref => http://www.securityfocus.com/bid/34429][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-1157]

I guess this error is because the sequence number and the ACK (3-way handshake) were not set, so I had to adapt the code that creates the packet:

from scapy.all import IP, TCP, Raw

ip = IP(src=src_ip, dst=dst_ip)
packet = (ip / TCP(sport=src_port, dport=dest_port, flags='PA',
                   seq=seq_n, ack=ack_n) / Raw(load=fullrequest[0]))

# advance the sequence number by the number of payload bytes sent
seq_n = seq_n + len(payload.encode('UTF8'))

This way there is already a sequence number, but the Data on SYN packet alert changes to a different one (although instead of one alert per packet, only 22% of the packets are flagged):

[**] [129:12:1] Consecutive TCP small segments exceeding threshold [**]
[Classification: Potentially Bad Traffic] [Priority: 2] 
09/01-20:49:15.037299 127.0.0.1:60664 -> 127.0.0.1:80
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:94
***AP*** Seq: 0x156E7  Ack: 0xB  Win: 0x2000  TcpLen: 20

In the end, I chose to create a client-server setup with sockets, capture the traffic with Wireshark and then save the packets as a PCAP. The problem here is that, besides not being able to automate this analysis, Snort does not detect a single attack.

The attacks are HTTP requests like the following:

"GET /shoutbox.php?conf=../../../../../../../../etc/passwd HTTP/1.1"
"GET /cgi-bin/apexec.pl?etype=odp&template=../../../../../../../../../../etc/hosts%00.html&passurl=/category/ HTTP/1.1"

What can I be doing wrong? Any advice?

    
asked by Neveralways 01.09.2018 в 20:54
source
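Added example, not code from the question or the answer: a standard-library Python script that writes a PCAP holding one complete TCP session (three-way handshake, the request as a single PSH/ACK segment, the server's ACK and reply, the client's final ACK), with sequence and acknowledgement numbers advancing by payload length and valid IP/TCP checksums, so that Snort's stream tracking sees a tracked session instead of orphan segments carrying data on a SYN. The request line is the one from the question; the addresses, ports, initial sequence numbers, server reply and timestamp are constructed.

```python
import socket
import struct
SYN, ACK, PSH = 0x02, 0x10, 0x08

def csum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum, used by both the IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_segment(src, dst, sport, dport, seq, ack, flags, payload=b"") -> bytes:
    """Ethernet/IPv4/TCP frame (20-byte headers, no options) with valid checksums."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 0x2000, 0, 0) + payload
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", csum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", csum(ip)) + ip[12:]
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp  # zero MACs, EtherType 0x0800 (IPv4)

def tcp_session(client, server, sport, dport, request, response, isn_c=1000, isn_s=5000):
    """Handshake, one request, server ACK + reply, client ACK; seq/ack grow by payload length."""
    c2s, s2c = (client, server, sport, dport), (server, client, dport, sport)
    steps = [
        (c2s, isn_c, 0, SYN, b""),                                 # SYN carries no data
        (s2c, isn_s, isn_c + 1, SYN | ACK, b""),
        (c2s, isn_c + 1, isn_s + 1, ACK, b""),                     # session established
        (c2s, isn_c + 1, isn_s + 1, PSH | ACK, request),           # whole HTTP request in one segment
        (s2c, isn_s + 1, isn_c + 1 + len(request), ACK, b""),      # ack = client seq + bytes received
        (s2c, isn_s + 1, isn_c + 1 + len(request), PSH | ACK, response),
        (c2s, isn_c + 1 + len(request), isn_s + 1 + len(response), ACK, b""),
    ]
    return [build_segment(*ep, seq, ack, fl, pl) for ep, seq, ack, fl, pl in steps]

def pcap_bytes(frames, t0=1535833790) -> bytes:
    """Classic libpcap file (magic 0xa1b2c3d4, linktype 1 = Ethernet); t0 is a constructed timestamp."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, fr in enumerate(frames):
        out += struct.pack("<IIII", t0, i * 1000, len(fr), len(fr)) + fr  # frames spaced 1 ms apart
    return out

if __name__ == "__main__":
    req = b"GET /shoutbox.php?conf=../../../../../../../../etc/passwd HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n"
    resp = b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"  # constructed server reply
    with open("session.pcap", "wb") as f:
        f.write(pcap_bytes(tcp_session("127.0.0.1", "127.0.0.1", 40000, 80, req, resp)))
```

Feed the resulting file to Snort with `-r session.pcap`; the same loop can be run once per request line taken from the Apache log, with a different client port per session.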

1 answer


It has been resolved here:

link

Basically, instead of trying to create a PCAP file, I use Python's requests library to send the requests directly.

    
answered by 07.09.2018 / 18:14
source