Parsing tls layer (hacky way)

alessio-perugini · Oct 1, 2020 · 0c78fed · 0c78fed
1 parent d4386b0
commit 0c78fed
Show file tree

Hide file tree

Showing 5 changed files with 66 additions and 7 deletions.
diff --git a/cmd/peng/main.go b/cmd/peng/main.go
@@ -25,6 +25,7 @@ var (
 		Verbose:            uint(0),
 		NetworkInterface:   "",
 		Ja3BlackListFile:   "",
+		GeoIpDb:            "",
 	}
 
 	timeFrame = "1m"
@@ -55,6 +56,7 @@ func init() {
 	flag.StringVar(&config.NetworkInterface, "network", "", "name of your network interface")
 	flag.BoolVar(&showInterfaceNames, "interfaces", false, "show the list of all your network interfaces")
 	flag.StringVar(&config.Ja3BlackListFile, "ja3", "", "file path of malicious ja3 fingerprints")
+	flag.StringVar(&config.GeoIpDb, "geoip", "", "file path of geoip db")
 }
 
 func flagConfig() {

diff --git a/go.mod b/go.mod
@@ -8,4 +8,5 @@ require (
 	github.com/dreadl0ck/ja3 v1.0.0
 	github.com/google/gopacket v1.1.18
 	github.com/influxdata/influxdb-client-go v1.4.0
+	github.com/oschwald/geoip2-golang v1.4.0
 )
diff --git a/go.sum b/go.sum
@@ -97,6 +97,10 @@ github.com/nats-io/nkeys v0.1.3/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxzi
 github.com/nats-io/nkeys v0.1.4/go.mod h1:XdZpAbhgyyODYqjTawOnIOI7VlbKSarI9Gfy1tqEu/s=
 github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c=
 github.com/nsqio/go-nsq v1.0.8/go.mod h1:vKq36oyeVXgsS5Q8YEO7WghqidAVXQlcFxzQbQTuDEY=
+github.com/oschwald/geoip2-golang v1.4.0 h1:5RlrjCgRyIGDz/mBmPfnAF4h8k0IAcRv9PvrpOfz+Ug=
+github.com/oschwald/geoip2-golang v1.4.0/go.mod h1:8QwxJvRImBH+Zl6Aa6MaIcs5YdlZSTKtzmPGzQqi9ng=
+github.com/oschwald/maxminddb-golang v1.6.0 h1:KAJSjdHQ8Kv45nFIbtoLGrGWqHFajOIm7skTyz/+Dls=
+github.com/oschwald/maxminddb-golang v1.6.0/go.mod h1:DUJFucBg2cvqx42YmDa/+xHvb0elJtOm3o4aFQ/nb/w=
 github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
 github.com/pierrec/lz4 v2.4.1+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -165,6 +169,7 @@ golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191115151921-52ab43148777/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191224085550-c709ea063b76/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200420163511-1957bb5e6d1f h1:gWF768j/LaZugp8dyS4UwsslYCYz9XgFxvlgsn0n9H8=

diff --git a/pkg/peng/inspection.go b/pkg/peng/inspection.go
@@ -7,15 +7,38 @@ import (
 	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
 	_ "github.com/google/gopacket/layers" //Used to init internal struct
+	"github.com/oschwald/geoip2-golang"
 	"log"
 	"net"
 	"time"
 )
 
 var myIPs = make([]net.IP, 0, 2)
+var topCountryVisit = make(map[string]int)
 
 func (p *Peng) inspect(packet gopacket.Packet) {
 	var ipv4Layer gopacket.Layer //skip inspection if i can't obtain ip layer
+
+	if packet.ApplicationLayer() != nil {
+		var tls layers.TLS
+		var decoded []gopacket.LayerType
+		parser := gopacket.NewDecodingLayerParser(layers.LayerTypeTLS, &tls)
+		err := parser.DecodeLayers(packet.ApplicationLayer().LayerContents(), &decoded)
+		if err != nil {
+			return
+		}
+
+		for _, layerType := range decoded {
+			switch layerType {
+			case layers.LayerTypeTLS:
+				for _, v := range tls.Alert {
+					//TODO implement TLS cipher check
+					fmt.Printf("TLS: %s %s %s\n", v.Version.String(), v.Description.String(), v.Level.String())
+				}
+			}
+		}
+	}
+
 	if ipv4Layer = packet.Layer(layers.LayerTypeIPv4); ipv4Layer == nil {
 		return
 	}
@@ -34,6 +57,7 @@ func (p *Peng) inspect(packet gopacket.Packet) {
 
 	if tcpLayer := packet.Layer(layers.LayerTypeTCP); tcpLayer != nil {
 		tcp, _ := tcpLayer.(*layers.TCP)
+
 		if tcp.SYN && !tcp.ACK {
 			p.PortScanningHandler(uint16(tcp.DstPort), packetDestToMyPc)
 
@@ -46,6 +70,7 @@ func (p *Peng) inspect(packet gopacket.Packet) {
 			}
 		}
 	}
+
 	/*
 		if udpLayer := packet.Layer(layers.LayerTypeUDP); udpLayer != nil {
 			udp, _ := udpLayer.(*layers.UDP)
@@ -57,6 +82,13 @@ func (p *Peng) inspect(packet gopacket.Packet) {
 			if
 		}*/
 
+	externalIp := ipv4.DstIP.String()
+	if packetDestToMyPc {
+		externalIp = ipv4.SrcIP.String()
+	}
+
+	GeoIpSearch(externalIp, p.Config.GeoIpDb)
+
 	if len(ja3BlackList) != 0 {
 		ja3md5 := ja3.DigestHexPacket(packet) //TODO replace this in the previous tcp handler
 		ja3smd5 := ja3.DigestHexPacketJa3s(packet)
@@ -70,21 +102,35 @@ func (p *Peng) inspect(packet gopacket.Packet) {
 			}
 		}
 
-		maliciousIp := ipv4.DstIP.String()
-		if packetDestToMyPc {
-			maliciousIp = ipv4.SrcIP.String()
-		}
-
 		if name, ok := ja3BlackList[ja3md5]; ok {
-			fmt.Printf("[%s] %s appears in the blocked Ja3 list as %s!\n", maliciousIp, ja3md5, name)
+			fmt.Printf("[%s] %s appears in the blocked Ja3 list as %s!\n", externalIp, ja3md5, name)
 		}
 		if name, ok := ja3BlackList[ja3smd5]; ok {
-			fmt.Printf("[%s] %s appears in the blocked Ja3 list as %s!\n", maliciousIp, ja3smd5, name)
+			fmt.Printf("[%s] %s appears in the blocked Ja3 list as %s!\n", externalIp, ja3smd5, name)
 		}
 	}
 
 }
 
+func GeoIpSearch(ip, dbPath string) {
+	db, err := geoip2.Open(dbPath)
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer db.Close()
+
+	parsedIp := net.ParseIP(ip)
+	record, err := db.Country(parsedIp)
+	if err != nil {
+		log.Println(err)
+	}
+
+	if record.Country.IsoCode != "" {
+		//fmt.Printf("[%s] nation: %s \n", ip, record.Country.IsoCode)
+		topCountryVisit[record.Country.IsoCode]++
+	}
+}
+
 func (p *Peng) PortScanningHandler(port uint16, incomingPck bool) {
 	if incomingPck {
 		addPortToBitmap(port, p.ServerTraffic)

diff --git a/pkg/peng/peng.go b/pkg/peng/peng.go
@@ -33,6 +33,7 @@ type Config struct {
 	Verbose            uint
 	TimeFrame          time.Duration
 	Ja3BlackListFile   string
+	GeoIpDb            string
 }
 
 var ja3BlackList map[string]string
@@ -80,6 +81,10 @@ func (p *Peng) Start() {
 	signal.Notify(sig, os.Interrupt)
 	<-sig
 	log.Println("Quitting Peng, bye!")
+
+	for k, v := range topCountryVisit {
+		fmt.Printf("[%s] %d visit.\n", k, v)
+	}
 }
 
 func (p *Peng) LoadBlackListJa3InMemory() {