corelight / pycommunityid Goto Github PK
View Code? Open in Web Editor NEWA Python implementation of the Community ID flow hashing standard
License: BSD 3-Clause "New" or "Revised" License
A Python implementation of the Community ID flow hashing standard
License: BSD 3-Clause "New" or "Revised" License
At https://tools.ietf.org/html/rfc8335 an additional request-reply pair is documented.
ICMP field Type: Extended Echo Request. The value for ICMPv4 is 42. The value for ICMPv6 is 160
ICMP field Type: Extended Echo Reply. The value for ICMPv4 is 43. The value for ICMPv6 is 161
Since that wasn’t in the version 1 table, hashes have been using the code octet instead of the request-response peer type value.
Hi, I started to experiment with community ID and pycommunityid and I think that I found a bug in function in_nbo():
pycommunityid/communityid/algo.py
Lines 194 to 213 in b446735
communityid.error.FlowTupleError: Destination port "b'-1'" invalid
You can test it with your sample application:
$ community-id tcp 10.0.0.1 10.0.0.2 10 11569
Number 11569 in hex is 0x2D31 and that is '-1' in ASCII. I think the problem is with this line in function is_port(val):
pycommunityid/communityid/algo.py
Line 249 in b446735
I hope somebody will check this bug and will found a solution.
Desire a script which will convert a community-id into the following formats for use with systems which don't support a community-id:
I have a pcap, when i run suricata on it, it produces flows with cids
when I run zeek on it, and generate the cid of each zeek flow using pycommunityid library, some flows don't have the same cids produced by suricata
here's the pcap i used: https://github.com/stratosphereips/StratosphereLinuxIPS/blob/develop/dataset/test7-malicious.pcap
i ran suricata using the following command on it
suricata -r test7-malicious.pcap
i ran zeek using the following cmd on it
zeek -C -r test7-malicious.pcap
for each line in the zeek conn.log output i ran the following script to get the cid of each flow
proto = flow.proto.lower()
cases = {
'tcp': communityid.FlowTuple.make_tcp,
'udp': communityid.FlowTuple.make_udp,
'icmp': communityid.FlowTuple.make_icmp,
}
try:
tpl = cases[proto](flow.saddr, flow.daddr, flow.sport, flow.dport)
return self.community_id.calc(tpl)
except KeyError:
return ''
now for example this flow produced by suricata:
{"timestamp": "2018-03-09T22:49:16.520001+0200", "flow_id": 1898491295854895, "event_type": "flow", "src_ip": "fe80:0000:0000:0000:00d2:4591:568e:c3d1", "src_port": 5353, "dest_ip": "ff02:0000:0000:0000:0000:0000:0000:00fb", "dest_port": 5353, "proto": "UDP", "app_proto": "failed", "flow": {"pkts_toserver": 13, "pkts_toclient": 0, "bytes_toserver": 5188, "bytes_toclient": 0, "start": "2018-03-09T22:49:16.553263+0200", "end": "2018-03-09T22:50:26.234272+0200", "age": 70, "state": "new", "reason": "timeout", "alerted": false}, "community_id": "1:JpepHprmBz0RFdlLGhEMO4jAPvA="}
is the same as this flow produced by zeek:
conn.log:{"ts":1520628556.553263,"uid":"CJwrIjmGopvQP6Gx1","id.orig_h":"fe80::d2:4591:568e:c3d1","id.orig_p":5353,"id.resp_h":"ff02::fb","id.resp_p":5353,"proto":"udp","service":"dns","duration":14.121544122695923,"orig_bytes":1892,"resp_bytes":0,"conn_state":"S0","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"D","orig_pkts":7,"orig_ip_bytes":2228,"resp_pkts":0,"resp_ip_bytes":0,"orig_l2_addr":"68:5b:35:b1:55:93","resp_l2_addr":"33:33:00:00:00:fb"}
however, pycommunity id gives me this cid: 1:Ij3wBn8AhEgwlNMz41h3vXi0yL8= which doesn't match the one produced by suricata for the same flow
when I tried generating the cid using zeek's corelight plugin Corelight/CommunityID
, I got the same uid as pycommunityid library
{"ts":1520628556.553263,"uid":"C0ADPg3q0T5H6xlzdb","id.orig_h":"fe80::d2:4591:568e:c3d1","id.orig_p":5353,"id.resp_h":"ff02::fb","id.resp_p":5353,"proto":"udp","service":"dns","duration":14.121544122695923,"orig_bytes":1892,"resp_bytes":0,"conn_state":"S0","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"D","orig_pkts":7,"orig_ip_bytes":2228,"resp_pkts":0,"resp_ip_bytes":0,"orig_l2_addr":"68:5b:35:b1:55:93","resp_l2_addr":"33:33:00:00:00:fb","community_id":"1:Ij3wBn8AhEgwlNMz41h3vXi0yL8="}
i guess this means that suricata is the one doing something wrong, and not pycommunityid?
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.