Uberlogger dissectors

[Sylvain SARMEJEANNE]

(sent to scapy's ML on 03/09/2006 but not included)

Hi all! here are dissectors for the Uberlogger honeypot. They are named after the structures found in Uber's header file.

Hope that helps :)

Sylvain SARMEJEANNE

# Syscalls known by Uberlogger
uberlogger_sys_calls = {0:"READ_ID",
             1:"OPEN_ID",
             2:"WRITE_ID",
             3:"CHMOD_ID",
             4:"CHOWN_ID",
             5:"SETUID_ID",
             6:"CHROOT_ID",
             7:"CREATE_MODULE_ID",
             8:"INIT_MODULE_ID",
             9:"DELETE_MODULE_ID",
             10:"CAPSET_ID",
             11:"CAPGET_ID",
             12:"FORK_ID",
             13:"EXECVE_ID"}

# First part of the header
class Uberlogger_honeypot_caract(Packet):
    name = "Uberlogger honeypot_caract"
    fields_desc = [ByteField("honeypot_id", 0),
                   ByteField("reserved", 0),
                   ByteField("os_type_and_version", 0)]

# Second part of the header
class Uberlogger_uber_h(Packet):
    name  = "Uberlogger uber_h"
    fields_desc = [ByteEnumField("syscall_type", 0, uberlogger_sys_calls),
                   IntField("time_sec", 0),
                   IntField("time_usec", 0),
                   IntField("pid", 0),
                   IntField("uid", 0),
                   IntField("euid", 0),
                   IntField("cap_effective", 0),
                   IntField("cap_inheritable", 0),
                   IntField("cap_permitted", 0),
                   IntField("res", 0),
                   IntField("length", 0)]

# The 9 following classes are options depending on the syscall type
class Uberlogger_capget_data(Packet):
    name  = "Uberlogger capget_data"
    fields_desc = [IntField("target_pid", 0)]

class Uberlogger_capset_data(Packet):
    name  = "Uberlogger capset_data"
    fields_desc = [IntField("target_pid", 0),
                   IntField("effective_cap", 0),
                   IntField("permitted_cap", 0),
                   IntField("inheritable_cap", 0)]

class Uberlogger_chmod_data(Packet):
    name  = "Uberlogger chmod_data"
    fields_desc = [ShortField("mode", 0)]

class Uberlogger_chown_data(Packet):
    name  = "Uberlogger chown_data"
    fields_desc = [IntField("uid", 0),
                   IntField("gid", 0)]

class Uberlogger_open_data(Packet):
    name  = "Uberlogger open_data"
    fields_desc = [IntField("flags", 0),
                   IntField("mode", 0)]
                   
class Uberlogger_read_data(Packet):
    name  = "Uberlogger read_data"
    fields_desc = [IntField("fd", 0),
                   IntField("count", 0)]
                   
class Uberlogger_setuid_data(Packet):
    name  = "Uberlogger setuid_data"
    fields_desc = [IntField("uid", 0)]

class Uberlogger_create_module_data(Packet):
    name  = "Uberlogger create_module_data"
    fields_desc = [IntField("size", 0)]

class Uberlogger_execve_data(Packet):
    name  = "Uberlogger execve_data"
    fields_desc = [IntField("nbarg", 0)]

# Layer bounds for Uberlogger
layer_bonds.append((Uberlogger_honeypot_caract,Uberlogger_uber_h,{}))
layer_bonds.append((Uberlogger_uber_h,Uberlogger_capget_data,{}))
layer_bonds.append((Uberlogger_uber_h,Uberlogger_capset_data,{}))
layer_bonds.append((Uberlogger_uber_h,Uberlogger_chmod_data,{}))
layer_bonds.append((Uberlogger_uber_h,Uberlogger_chown_data,{}))
layer_bonds.append((Uberlogger_uber_h,Uberlogger_open_data,{}))
layer_bonds.append((Uberlogger_uber_h,Uberlogger_read_data,{}))
layer_bonds.append((Uberlogger_uber_h,Uberlogger_setuid_data,{}))
layer_bonds.append((Uberlogger_uber_h,Uberlogger_create_module_data,{}))
layer_bonds.append((Uberlogger_uber_h,Uberlogger_execve_data,{}))

[pbi]

Not integrated yet. I'm waiting for a more robust way to integrate many protocols without scapy taking seconds to load. For the moment I added it to a wiki page ÜbberLogger page