Untitled
raw download clone
TEXT
views 18
,
size 16644 b
[root@bolek pcaps]# cat class_test.pl
#!/usr/bin/perl
#
#
# class_ips.pl
# 6/6/12  - Alex Tatistcheff - Added remote nmap from Bleda (requires authorized_keys update on Bleda)
# 4/5/12  - Alex Tatistcheff - Added nmap
# 2/13/08 - John Gay
#
# This script is an adaptation of ips_test.pl from Dan Ramaswami.  This is
# designed to play traffic back through the Sourcfire education classroom
# topology.  Usage information to follow.
#
############################################################################
# Copyright (c) 2007 Sourcefire, INC
# THE PRODUCT AND DOCUMENTATION ARE PROVIDED ?AS IS? WITHOUT WARRANTY
# OF ANY KIND, AND SOURCEFIRE DISCLAIMS ALL WARRANTIES AND REPRESENTATIONS,
# EXPRESS OR IMPLIED, WITH RESPECT TO THE PRODUCT, DOCUMENTATION AND
# RELATED MATERIALS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE; WARRANTIES
# ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE; AND WARRANTIES
# CONCERNING THE NON-INFRINGEMENT OF THIRD PARTY RIGHTS.
#
# IN NO EVENT SHALL SOURCEFIRE BE LIABLE FOR ANY DAMAGES RESULTING FROM
# LOSS OF DATA, LOST PROFITS, LOSS OF USE OF EQUIPMENT OR LOST CONTRACTS
# OR FOR ANY SPECIAL, INDIRECT, INCIDENTAL, PUNITIVE, EXEMPLARY OR
# CONSEQUENTIAL DAMAGES IN ANY WAY ARISING OUT OF OR IN CONNECTION WITH
# THE USE OR PERFORMANCE OF THE PRODUCT OR DOCUMENTATION OR RELATING TO
# THIS AGREEMENT, HOWEVER CAUSED, EVEN IF IT HAS BEEN MADE AWARE OF THE
# POSSIBILITY OF SUCH DAMAGES.  SOURCEFIRE?S ENTIRE LIABILITY TO LICENSEE,
# REGARDLESS OF THE FORM OF ANY CLAIM OR ACTION OR THEORY OF LIABILITY
# (INCLUDING CONTRACT, TORT, OR WARRANTY), SHALL BE LIMITED TO THE
# LICENSE FEES PAID BY LICENSEE TO USE THE PRODUCT.
############################################################################

#--------------------------------------------------------------------------
# Initialization Section
#--------------------------------------------------------------------------
use strict;

my $config_dir = "/pcaps/configs/";

my $pcap_dir = "/pcaps/";

my %pcaps; # associative array of the sid => pcap map

my $ins_style; # This is a numeric value of 1 or 2 for the install type.

my $ins_sane = 0; # Is this how?

my $tst = 2; # This is a numeric value of 1-3 for the type of test we will perform.

my $test_sane = 0; # Eh?

my @sids; # This is the listing of sids, they will come from a file making it
                  # easier to maintain the list of sids per test.



#--------------------------------------------------------------------------
# MAIN Processing Section
#--------------------------------------------------------------------------
&build_map(); # Lets use the VRT EXPECTED.txt to map what pcaps go with sids

&display_welcome_screen();

&install_style(); # Built in safety check.

&run_tests($ins_style,$tst,@sids,%pcaps);

#--------------------------------------------------------------------------
# Subroutine Section
#--------------------------------------------------------------------------

# Build the SID : PCAP map

sub build_map {

  my $expected = "$config_dir/EXPECTED.txt";

  my @pcap_list;

  my@sid_array;
  my $sid;
  my $rest;
        open (PCAPS,"$expected") or die ("File containing SID to PCAP maps:$expected must be missing. Uh oh!");

                @pcap_list = <PCAPS>;
                foreach (@pcap_list) {
                        ($sid, $rest) = split(/\|\|/, $_, 2);
                                                $sid =~ s/\s*\n?$//;
                                                $sid =~ s/^\s*//;
                                                $pcaps{$sid} = [$rest];
                                                                      }
                close (PCAPS);

return %pcaps;
}


# Simple welcome

sub display_welcome_screen {
  system "clear";
  my $reply = "";
    print "\n\n\n\n\n\n\n\n\n\n";
  print "        Welcome to the  S O U R C E F I R E  CLASSROOM TESTER!";
  print "\n\n\n\n\n\n\n\n\n\n\n\n\n";
  print " Press Enter to continue: ";
  $reply = <STDIN>;
}

# Figure out how this box is plugged into the gear

sub install_style {
  system "clear";

  my $valid = "false";  #Local variable used to control loop
  my $pause = "";  #Local variable used to store user input
  my $install;
  until ($valid eq "true") {

    system "clear";
        print"                S O U R C E F I R E  CLASSROOM TESTER                ";
    print "\n\n\n\n\n\n\n\n";
        print "           1. Inline\n";
        print "               - eth1 and eth2 of this box to the IPS\n";
        print "           2. Passive\n";
        print "              - eth0 is on the same network as the tap/SPAN port\n";
        print "\n\n\n\n\n\n\n";
    print " Enter the number corresponding to the way this lab is installed: ";

    chomp($install = <STDIN>);

    if ($install ne "") {
      $valid = "true";
    } else {
      print "\n\n You need to enter the number corresponding to your installation. <ENTER>:";
      $pause = <STDIN>;
      next;
    }

    if ($install =~ /[^1-2]/) {
      $valid = "false";
      print "\n\n Sorry. Your input must be numeric, and within the range.<ENTER>:";
      $pause = <STDIN>;
      next;
    } else {
      $valid = "true";
    }

    if ($install > 2) {
      print "\n\n There are only 2 choices to pick from, please enter one. <ENTER>: ";
      $valid = "false";
      $pause = <STDIN>;
      next;
    }

$ins_style=$install;

do {
                &install_sanity($ins_style);
   }
   while ($ins_sane != 0);

}



sub install_sanity {

# Make sure that we are running the test properly..
  my $valid = "false";  #Local variable used to control loop
  my $pause = "";  #Local variable used to store user input
  my $go;

  until ($valid eq "true") {

    system "clear";
print"                S O U R C E F I R E  CLASSROOM TESTER                ";
    print "\n\n\n\n\n\n\n\n";
        print "           You have selected lab settings of $ins_style which means: \n\n";
                if ($ins_style =~ 1) {
                                                print "            Traffic will be sent from eth1 through the IPS to eth2\n";
                                                print "            if the IPS is set to drop traffic, you will see alerts\n";
                                                print "            in the IPS, and the recv value will be decremented by\n";
                                                print "            the number of offending packets.\n";
                                                print "\n\n\n\n\n\n\n\n";
                                          }
                elsif ($ins_style =~ 2) {
                                                         print "            Traffic will be sent out eth0.\n";
                                                         print "            You will need to have this port plugged into a switch that\n";
                                                         print "            traffic can be sent and recieved on. If not, state issues may\n";
                                                         print "            arise.\n";
                                                         print "\n\n\n\n\n\n\n\n";
                                                        }
        print "If this is correct please enter 1. If not enter 2 to retry\n";
        print "Accept(1), Retry(2): ";
    chomp($go = <STDIN>);

    if ($go ne "") {
      $valid = "true";
    } else {
      print "\n\n You need to enter the number corresponding to your selection. <ENTER>: ";
      $pause = <STDIN>;
      next;
    }

    if ($go =~ /[^1-2]/) {
      $valid = "false";
      print "\n\n Sorry. Your input must be numeric.";
      $pause = <STDIN>;
      next;
    } else {
      $valid = "true";
      next;
        }

    if ($go > 2) {
      print "\n\n There are only 2 choices to pick from, please enter in the proper number";
      $valid = "false";
      $pause = <STDIN>;
      next;
    }
}
if ($go =~ 1) {
              $ins_sane = 0;
                          return $ins_style;
              }
else {
                                &install_style;
                  }

   }

 }

 ### Glad that one is done!
 ### We need to get some SIDs so that we can do some stuffs..

 sub get_sids {
        my @pre_sids; # prior to cleaning up extra junk from the map.
        my $file; # Which pack of sids we want
                if     ($tst =~ 1) { $file = "$config_dir/default-reasonable-ips.map"; }
                elsif ($tst =~ 2) { return  @sids }
open (SIDS,"$file") or die ("File containing SIDs:$file must be missing. Uh oh!");
                @pre_sids = <SIDS>;
foreach (@pre_sids) {
  chomp;
  split/\s/;

                        if ($_[2] =~ m/\d/)
                     {
                                        push (@sids, $_[2]);
                                 }
        }
  close (SIDS);

  ## Have to get a proper PCAP to match the SID
  ## That is held in "expected.txt"
  # I will build an associative array out of @sids and the
  # pcaps that correlate to that specific sid in expected.txt



 ### Good, now only a couple to go

 sub manual_sids {
        # build an array from the user input, maybe add in the ability to add more, and clear the list?
        my $a;
        my $file;
        system "clear";
        print"                 S O U R C E F I R E  I P S  T E S T  S U I T E                ";
        print "\n\n\n\n\n\n\n\n";
        print "              You need to enter in the SID(s) of the attack(s) you would like to run.\n";
        print "              Please enter them in with either a comma or a space separating them. IE:\n";
        print "              2446, 2444 or 1111 2222 3333 4444 5555 or a mixture.\n\n\n";
        print "\n\n\n\n\n\n\n\n";
        print "Enter SID(s) here: ";
        chomp ($a = <STDIN>);
        @sids = split(/,\s*/, $a);
        print "              Great, we will be running tests to illustrate the following SID(s):\n";
        print "              @sids\n";
        return $file;
        return @sids;
        }


####################################
# nmap scans
#

sub nmap_scan {

   my $result;
   my $nmap_command = "/usr/local/bin/nmap";

   # Run nmap
   print "\n";
   print "Performing nmap scans (scans run in background)\n";
   print "------------------\n";
   print "Running nmap - scanning DMZ from Attila\n";
   print "$nmap_command -sP 192.168.10.0/24\n";
   system("$nmap_command -sP 192.168.10.0/24 > /dev/nul&");
   print "$nmap_command -vnO -sVT 192.168.10.0/24\n";
   system("$nmap_command -vnO -sVT 192.168.10.0/24 > /dev/nul&");
   print "\n";
   sleep 2;
   print "Running nmap - scanning General from Bleda\n";
   print "ssh root\@192.168.10.90 /usr/bin/nmap -sP 192.168.133.0/24\n";
   system("/usr/bin/ssh root\@192.168.10.90 /usr/bin/nmap -sP 192.168.133.0/24 > /dev/nul&");
   print "ssh root\@192.168.10.90 /usr/bin/nmap -sVT 192.168.133.0/24\n";
   system("/usr/bin/ssh root\@192.168.10.90 /usr/bin/nmap -vnO -sVT 192.168.133.0/24 > /dev/nul&");
   sleep 2;

}


######
# Now do the do.
#
# for each sid, dump packets out interfaces based on the lab criteria.


        sub run_tests {

                        # I bring in $ins_style which describes the interface settings
                        # 1 = inline, eth1 and eth2 to the IPS
                        # 2 = eth1 only plugged into a switch/tap for IDS
                        # 3 = eth0 is all we have, and its into a switch or a tap
                        my $result;
                        my $command = "/usr/local/bin/tomahawk -l 1 -q";
                        my $com_postfix; # based on the ins_style, we need to define the interfaces
                        my $key;
                                # if 1 = "-i eth1 -j eth2"
                                if      ( $ins_style =~ 1 ) {
                                         system "ifconfig eth1 up";
                                         system "ifconfig eth2 up";
                                        $com_postfix ="-i eth1 -j eth2" ; }
                                # if 2 = "-i eth0 -j eth0"
                                elsif   ( $ins_style =~ 2 ) {
                                        system "ifconfig eth0 up";
                                        $com_postfix ="-i eth0 -j eth0" ; }

                                # this has to be easy enough to add more options later on.. =]
                # OK -- now do something stupid.
                                if ($tst !~ 2) {

                                   # Run nmap
                                   nmap_scan();
                                   print "\n";
                                   print "Sending attack traffic...\n";
                                foreach (@sids) {
                                                       my @sidF;
                                   my @pcapF;
                                                                   my@sid_array;
                                                                   my $key;
                                                                   my$rule;
                                                                   $rule=$_;
                                                                        foreach ((@sidF) = keys (%pcaps)) {
                                                                                $_ =~ s/\s*\n?$//; # Delete all trailing whitespace
                                                                                $_ =~ s/^\s*//; # Delete all leading whitespace
                                                                                if ($rule =~ $_) {
                                                                                        for  (@{$pcaps{$rule}}) {
                                                                                              @sid_array = split(/\|\|/,$_);
                                                                                                        foreach (@sid_array) {
                                                                                                $_ =~ s/\s*\n?$//;
                                                                                                $_ =~ s/^\s*//;
                                                                                                #system "$command" .  " -R 20 $com_postfix " . "-f $pcap_dir$_/input.pcap";
                                                                                                $result = `$command -R 20 $com_postfix -f $pcap_dir$_/input.pcap 2>1`;
                                                                                                print "$_  ";
                                                                                                                                                        }
                                                                                                                                                        }
                                                                                                        }
                                                                                                                else {# print "no match\n";
                                                                                                                      } ## DEBUG

}
                                                                }

                } elsif ($tst =~ 2) {

                   # Run nmap
                   nmap_scan();

                   print "\n";
                   print "Sending attack traffic...\n";
                my @thepcaps;
                my $p;
                        opendir(IMD, $pcap_dir) || die("Cannot open directory");
                        @thepcaps = readdir(IMD);
                        closedir(IMD);

                 foreach $p (@thepcaps)
{
  unless ( ($p eq ".") || ($p eq "..")  || $p =~ /[^\d]/)
  {
   #system "$command" .  " -R 20 $com_postfix " . "-f $pcap_dir$p/input.pcap";
   $result=`$command -R 20 $com_postfix -f $pcap_dir$p/input.pcap 2>1`;
   print "$p  ";
  }
}

        }
   print "\nAttacks finished.\n";
}

}
close fullscreen
Login or Register to edit or fork this paste. It's free.