From c14264415332f1e9f26ee36cd0e25d99a210013d Mon Sep 17 00:00:00 2001
From: adam
Date: Tue, 11 Feb 2020 19:39:40 +0000
Subject: [PATCH 1/2] Check for postParams with single null value
---
 decoders/http/httpdump.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/decoders/http/httpdump.py b/decoders/http/httpdump.py
index d32b00f..264cb42 100644
--- a/decoders/http/httpdump.py
+++ b/decoders/http/httpdump.py
@@ -76,6 +76,9 @@ def HTTPHandler(self, conn, request, response, requesttime, responsetime):
 request.method, response.status, host, uri_location, util.getHeader(response, 'content-type'))
 urlParams = util.URLDataToParameterDict(uri_data)
 postParams = util.URLDataToParameterDict(request.body)
+ # If URLData parser only returns a single element with null value, it's probably an eroneous evaluation. Most likely base64 encoded payload ending in an '=' character.
+ if len(postParams)==1 and postParams[postParams.keys()[0]] == '\x00':
+ postParams = None
 clientCookies = self._parseCookies(util.getHeader(request, 'cookie'))
 serverCookies = self._parseCookies(
From 86aaf7f2c7fa527648ce1a7701fcd49437c77725 Mon Sep 17 00:00:00 2001
From: adam
Date: Tue, 11 Feb 2020 20:09:58 +0000
Subject: [PATCH 2/2] Add SOA
---
 decoders/dns/dns.py | 26 +++++++++++++++++++-------
 1 file changed, 19 insertions(+), 7 deletions(-)
 mode change 100644 => 100755 decoders/dns/dns.py
diff --git a/decoders/dns/dns.py b/decoders/dns/dns.py
old mode 100644
new mode 100755
index 5991f10..1971c7d
--- a/decoders/dns/dns.py
+++ b/decoders/dns/dns.py
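Review bot: `postParams[postParams.keys()[0]]` in the added check only works where `dict.keys()` returns a list (Python 2); if this handler runs under Python 3 it raises `TypeError` on every single-parameter POST body, since the subscript is evaluated whenever `len(postParams) == 1`. A version-independent form is `if len(postParams) == 1 and next(iter(postParams.values())) == '\x00':`. Setting `postParams = None` also drops the parsed body from the record entirely; for an evidence log it would be preferable to fall back to recording the raw `request.body` so the payload is not lost. If `util.URLDataToParameterDict` can return `None` for an empty body, `len(postParams)` raises before the comparison — worth confirming against that helper. HTTPHandler continues outside the hunk, and the hunk's trailing context line appears truncated here.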
@@ -22,11 +22,13 @@ def decode_q(self, dns):
 queried = ""
 if dns.qd[0].type == dpkt.dns.DNS_A:
 queried = queried + "A? %s" % (dns.qd[0].name)
- if dns.qd[0].type == dpkt.dns.DNS_CNAME:
+ elif dns.qd[0].type == dpkt.dns.DNS_CNAME:
 queried = queried + "CNAME? %s" % (dns.qd[0].name)
- if dns.qd[0].type == dpkt.dns.DNS_AAAA:
+ elif dns.qd[0].type == dpkt.dns.DNS_AAAA:
 queried = queried + "AAAA? %s" % (dns.qd[0].name)
- if dns.qd[0].type == dpkt.dns.DNS_PTR:
+ elif dns.qd[0].type == dpkt.dns.DNS_SOA:
+ queried = queried + "SOA? %s" % (dns.qd[0].name)
+ elif dns.qd[0].type == dpkt.dns.DNS_PTR:
 if dns.qd[0].name.endswith('.in-addr.arpa'):
 query_name = '.'.join(
 reversed(dns.qd[0].name.split('.in-addr.arpa')[0].split('.')))
@@ -39,11 +41,11 @@ def decode_q(self, dns):
 if dns.qd[0].type == dpkt.dns.DNS_NS:
 queried = queried + "NS? %s" % (dns.qd[0].name)
- if dns.qd[0].type == dpkt.dns.DNS_MX:
+ elif dns.qd[0].type == dpkt.dns.DNS_MX:
 queried = queried + "MX? %s" % (dns.qd[0].name)
- if dns.qd[0].type == dpkt.dns.DNS_TXT:
+ elif dns.qd[0].type == dpkt.dns.DNS_TXT:
 queried = queried + "TXT? %s" % (dns.qd[0].name)
- if dns.qd[0].type == dpkt.dns.DNS_SRV:
+ elif dns.qd[0].type == dpkt.dns.DNS_SRV:
 queried = queried + "SRV? %s" % (dns.qd[0].name)
 return queried
@@ -65,7 +67,7 @@ def DNSHandler(self, conn, request, response, **kwargs):
 conn.info(query=self.decode_q(dns))
 # DNS Answer with data and no errors
- elif (dns.qr == dpkt.dns.DNS_A and dns.rcode == dpkt.dns.DNS_RCODE_NOERR and len(dns.an) > 0):
+ elif (dns.rcode == dpkt.dns.DNS_RCODE_NOERR and len(dns.an) > 0):
 queried = self.decode_q(dns)
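Review bot: `if dns.qd[0].type == dpkt.dns.DNS_NS:` at the top of the second hunk (line 41 new) is left as a plain `if` while every neighbouring branch in both decode_q hunks becomes `elif`, so the function now runs two separate chains; because a question has exactly one type the result is unchanged, but `elif dns.qd[0].type == dpkt.dns.DNS_NS:` would make it one chain, assuming it sits at the same indentation as the PTR branch (the lines between the two hunks are not shown). decode_q also indexes `dns.qd[0]` without checking that the question section is non-empty; that predates this change, but the new SOA branch inherits it, and a `if not dns.qd: return queried` guard at the top of the function would keep a malformed packet from raising inside the decoder. The new `SOA?` case otherwise mirrors the existing branches.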
@@ -108,6 +110,16 @@ def DNSHandler(self, conn, request, response, **kwargs):
 if queried != '':
 anstext = 'NXDOMAIN'
+ #SOA response
+ elif dns.qd[0].type == dpkt.dns.DNS_SOA and len(dns.ns):
+ queried = self.decode_q(dns)
+ answers = []
+ for ns in dns.ns:
+ if ns.type == dpkt.dns.DNS_SOA:
+ answers.append('SOA: '+ ns.mname)
+ anstext = ", ".join(answers)
+
+
 # did we get an answer?
 if anstext and not self.only_noanswer and not self.only_norequest:
 self.alert(
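Review bot: The new `elif` appears to sit in the same chain as the answer branch at line 67 (`dns.rcode == dpkt.dns.DNS_RCODE_NOERR and len(dns.an) > 0`, outside this hunk), so an authoritative SOA reply — which carries the SOA RR in the answer section, not `dns.ns` — is consumed by that earlier branch and this one only sees NODATA-style responses with the SOA in the authority section; worth confirming the answer branch decodes `DNS_SOA` records, otherwise SOA queries that do get an answer produce no SOA text. The condition also indexes `dns.qd[0]` with no check that the question section is non-empty, which an unsolicited or malformed response on the wire can trigger; `elif dns.qd and dns.qd[0].type == dpkt.dns.DNS_SOA and len(dns.ns):` avoids an `IndexError` in the handler. When `dns.ns` holds records but none of type SOA, `anstext` becomes `''` and the alert is silently skipped, which looks intended but deserves a comment such as `# no SOA in authority section: nothing to report`. Minor style: `# SOA response` and `'SOA: ' + ns.mname` per PEP 8. DNSHandler continues outside the hunk.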