File: alert.py

# Copyright (C) 2013 Nippon Telegraph and Telephone Corporation.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.

import struct
from struct import calcsize


class SfTimeval32(object):
    """Timestamp built from two unsigned 32-bit fields.

    The fields are read as seconds (``tv_sec``) followed by microseconds
    (``tv_usec``), going by the attribute names. Both values are stored
    exactly as decoded; no range check is applied (for example, nothing
    enforces ``tv_usec < 1000000``).
    """

    # '!' selects network (big-endian) byte order with standard sizes and
    # no alignment padding, so two 'I' fields occupy exactly 8 bytes.
    _PACK_STR = '!II'
    _SIZE = 8

    def __init__(self, tv_sec, tv_usec):
        self.tv_sec, self.tv_usec = tv_sec, tv_usec

    @classmethod
    def parser(cls, buf, offset):
        """Decode one timestamp from ``buf`` starting at ``offset``.

        ``struct.unpack_from`` raises ``struct.error`` when fewer than
        8 bytes are available at ``offset``; that exception is not
        caught here, so a truncated buffer propagates to the caller.
        """
        fields = struct.unpack_from(cls._PACK_STR, buf, offset)
        return cls(*fields)


class Event(object):
    """Event record: seven unsigned 32-bit fields plus a timestamp.

    All values are stored exactly as decoded from the buffer. Nothing
    here validates ``sig_id``, ``priority`` or the other fields, so code
    that acts on them (lookups, logging, policy decisions) should treat
    them as untrusted input.
    """

    # Seven big-endian 'I' fields = 28 bytes; _SIZE additionally counts
    # the 8-byte SfTimeval32 that follows them (28 + 8 = 36).
    _PACK_STR = '!IIIIIII'
    _SIZE = 36

    def __init__(self, sig_generator, sig_id, sig_rev, classification,
                 priority, event_id, event_reference, ref_time):
        # Signature identification.
        self.sig_generator, self.sig_id, self.sig_rev = (
            sig_generator, sig_id, sig_rev)
        self.classification = classification
        self.priority = priority
        # Event identification and its SfTimeval32 timestamp.
        self.event_id = event_id
        self.event_reference = event_reference
        self.ref_time = ref_time

    @classmethod
    def parser(cls, buf, offset):
        """Decode one event from ``buf`` starting at ``offset``.

        The integer fields are read first, then the timestamp is parsed
        from the bytes immediately after them. A buffer that is too
        short raises ``struct.error`` from ``struct.unpack_from``.
        """
        head = struct.unpack_from(cls._PACK_STR, buf, offset)
        stamp_at = offset + calcsize(cls._PACK_STR)
        stamp = SfTimeval32.parser(buf, stamp_at)
        return cls(*head, stamp)


class PcapPktHdr32(object):
    """Per-packet header: a timestamp followed by two 32-bit lengths.

    ``caplen`` and ``len`` are stored exactly as read from the buffer.
    Neither is checked against the size of any payload, so a consumer
    that uses them to slice packet data must clamp them to the real
    buffer length first.
    NOTE(review): the names suggest pcap's captured length and original
    length -- confirm against the producer of the buffer.
    """

    # _PACK_STR covers only the two length fields (8 bytes); _SIZE also
    # counts the 8-byte SfTimeval32 that precedes them (8 + 8 = 16).
    _PACK_STR = '!II'
    _SIZE = 16

    def __init__(self, ts, caplen, len_):
        self.ts = ts
        self.caplen = caplen
        # Exposed as ``len``; the parameter carries a trailing underscore
        # so that it does not shadow the builtin inside this method.
        self.len = len_

    @classmethod
    def parser(cls, buf, offset):
        """Decode one header from ``buf`` starting at ``offset``.

        The timestamp is parsed first and the two lengths are read from
        the bytes right after it. A buffer that is too short raises
        ``struct.error`` from ``struct.unpack_from``.
        """
        stamp = SfTimeval32.parser(buf, offset)
        lengths_at = offset + SfTimeval32._SIZE
        captured, original = struct.unpack_from(
            cls._PACK_STR, buf, lengths_at)
        return cls(stamp, captured, original)


class AlertPkt(object):
    """One fixed-size alert record: message, packet header, packet, event.

    Layout decoded by ``parser`` (network byte order, no padding):
    a 256-byte message, a PcapPktHdr32 (16 bytes), five unsigned 32-bit
    fields, a 65535-byte packet field, and an Event (36 bytes).

    Security notes for consumers:
    * Every field comes straight from the input buffer and is not
      validated here.
    * ``pkt`` is always 65535 bytes long, whatever the header lengths
      say. NOTE(review): presumably only the first ``pkth.caplen`` bytes
      are packet data -- confirm, and clamp to ``len(pkt)`` before
      slicing, since ``caplen`` is an unchecked 32-bit value.
    * ``alertmsg`` is the full 256-byte field; decode and sanitise it
      before logging or displaying it.
    * NOTE(review): the '!' formats assume big-endian fields with no
      alignment padding. A producer that writes a native C struct may
      not match this layout -- confirm.
    """

    _ALERTMSG_PACK_STR = '!256s'
    _ALERTPKT_PART_PACK_STR = '!IIIII65535s'
    # 256 (message) + 16 (PcapPktHdr32) + 65555 (five 'I' fields and the
    # packet bytes) + 36 (Event).
    _ALERTPKT_SIZE = 65863

    def __init__(self, alertmsg, pkth, dlthdr, nethdr, transhdr, data,
                 val, pkt, event):
        self.alertmsg = alertmsg
        self.pkth = pkth
        # NOTE(review): dlthdr/nethdr/transhdr/data look like offsets
        # into ``pkt`` -- confirm before using them as indices.
        self.dlthdr, self.nethdr, self.transhdr, self.data = (
            dlthdr, nethdr, transhdr, data)
        self.val = val
        self.pkt = pkt
        self.event = event

    @classmethod
    def parser(cls, buf):
        """Decode a whole alert record from the start of ``buf``.

        ``alertmsg`` is kept as the 1-tuple returned by
        ``struct.unpack_from`` (its only element is the 256-byte
        string), not as bare bytes. No length check is made up front:
        a buffer that is too short raises ``struct.error`` from the
        first read that runs past its end.
        """
        message = struct.unpack_from(cls._ALERTMSG_PACK_STR, buf)
        cursor = calcsize(cls._ALERTMSG_PACK_STR)

        header = PcapPktHdr32.parser(buf, cursor)
        cursor += PcapPktHdr32._SIZE

        middle = struct.unpack_from(
            cls._ALERTPKT_PART_PACK_STR, buf, cursor)
        dlthdr, nethdr, transhdr, data, val, pkt = middle
        cursor += calcsize(cls._ALERTPKT_PART_PACK_STR)

        trailer = Event.parser(buf, cursor)

        return cls(message, header, dlthdr, nethdr, transhdr, data, val,
                   pkt, trailer)