USArmyResearchLab / Dshell

Dshell is a network forensic analysis framework.

Penetration/Exploit/Hijacking Tools decoder #102

Closed 1modm closed 7 years ago

dev195 commented 7 years ago

This is a decoder that looks useful! Needs a bit of cleanup, though.

First, I would recommend updating the filter field to include a port number. HTTPDecoder spams a lot of warning messages if traffic isn't formatted properly. For example, SSL traffic on port 443 can generate a lot of warnings like this:

WARNING:peht:invalid http method: '\x17\x03\x01\x01'

Also, I don't think lines like this work the way you think they do. 'cmd' and 'ProcessBuilder' would never be checked. For example:

>>> ('A' and 'B' and 'C')
'C'
>>> ('A' and 'B' and 'C') in "test"
False
>>> ('A' and 'B' and 'C') in "test-A"
False
>>> ('A' and 'B' and 'C') in "test-C"
True
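The interpreter session above shows the core problem: a parenthesised `and` chain is not a list of things to search for, it is an expression that evaluates to its last truthy operand, so `in` only ever tests the final keyword. The block below is an added example, not code from this pull request or from Dshell itself; it reproduces the flawed pattern beside two corrected forms (`any` and `all` over a keyword tuple) and runs all three over a few constructed HTTP payloads. The keyword list (`cmd`, `ProcessBuilder` plus an assumed third keyword `exec`) and the sample payloads are assumptions made for the demonstration.

```python
# Added example (not code from the Dshell PR): why `('A' and 'B' and 'C') in s`
# only tests 'C', and how a keyword check should be written instead.

# 'cmd' and 'ProcessBuilder' come from the review comment; 'exec' is an assumed
# third keyword so the chain has a "last operand" that wins.
KEYWORDS = ("cmd", "ProcessBuilder", "exec")


def buggy_match(payload):
    """The flawed pattern from the PR.

    ("cmd" and "ProcessBuilder" and "exec") evaluates to "exec" (the last truthy
    operand), so this is really just `"exec" in payload`; the other keywords are
    never checked.
    """
    return ("cmd" and "ProcessBuilder" and "exec") in payload


def any_keyword(payload, keywords=KEYWORDS):
    """Match if at least one keyword appears: the usual intent for a detector."""
    return any(k in payload for k in keywords)


def all_keywords(payload, keywords=KEYWORDS):
    """Match only if every keyword appears, for the case where a conjunction was intended."""
    return all(k in payload for k in keywords)


def matched_keywords(payload, keywords=KEYWORDS):
    """Return the keywords that actually hit, which is what an alert line should carry."""
    return [k for k in keywords if k in payload]


# Constructed HTTP payloads for illustration (not real captures).
SAMPLES = {
    "only_cmd": "GET /?q=cmd HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "only_pb": "POST /x HTTP/1.1\r\nHost: example.test\r\n\r\nProcessBuilder",
    "only_exec": "POST /x HTTP/1.1\r\nHost: example.test\r\n\r\nexec",
    "benign": "GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
}


def compare(samples=SAMPLES):
    """Map sample name -> (buggy result, corrected any-keyword result)."""
    return {name: (buggy_match(p), any_keyword(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (bug, fixed) in compare().items():
        print(f"{name:10s} buggy={bug!s:5s} any_keyword={fixed}")
```

Running it shows the buggy form missing the `cmd` and `ProcessBuilder` payloads entirely while flagging only the one containing the last keyword; the `any` form catches each of them and still passes the benign request.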

1modm commented 7 years ago

Yes, you are right. I tried to fix this.

dev195 commented 7 years ago

Sorry for the delay. We wanted to collect some data to test the decoder against before accepting it, and that took a little while.

The decoder seems to be working, so we'll accept the pull request. Thanks for the submission!