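/// <summary>
/// Handles the "pcap" form post: locates the Snort rolling tcpdump log that covers the alert
/// identified by <paramref name="sid"/>/<paramref name="cid"/>, extracts the packets exchanged
/// between <paramref name="source"/> and <paramref name="dest"/> into
/// wwwroot/pcaps/&lt;sid&gt;.&lt;cid&gt; (once; the file is reused on later requests), and returns it
/// either as a raw pcap download or as tcpdump's textual dump.
/// </summary>
/// <param name="cid">Snort event id of the alert.</param>
/// <param name="sid">Snort sensor id of the alert.</param>
/// <param name="source">Source address used in the capture filter; must be a literal IP address.</param>
/// <param name="dest">Destination address used in the capture filter; must be a literal IP address.</param>
/// <param name="output">"tcpdump" for a text dump; anything else (including "pcap") returns the raw capture.</param>
/// <returns>A file result, or a redirect to the Error page describing what went wrong.</returns>
public async Task<ActionResult> OnPostPcap(int cid, int sid, string source, string dest, string output)
{
    // Services come from the request container; GetService returns null when a service is not registered.
    SnortContext db = HttpContext.RequestServices.GetService(typeof(SnortContext)) as SnortContext;
    Utils.Tcpdump tcpdumpConfig = HttpContext.RequestServices.GetService(typeof(Utils.Tcpdump)) as Utils.Tcpdump;
    if (tcpdumpConfig == null)
    {
        return RedirectToPage("Error", "Issue", new { issue = "Tcpdump configuration is not available. Check appsettings.json." });
    }
    string path = tcpdumpConfig.path;

    // Both addresses are spliced verbatim into a libpcap filter expression below. Restricting them to
    // literal IP addresses prevents a crafted request from injecting its own filter syntax (for
    // example widening the capture to hosts that are not part of this alert).
    if (!System.Net.IPAddress.TryParse(source, out _) || !System.Net.IPAddress.TryParse(dest, out _))
    {
        return RedirectToPage("Error", "Issue", new { issue = "Invalid source or destination address for alert " + sid + "." + cid + "." });
    }

    if (StaticData.alerts == null)
    {
        if (db == null)
        {
            return RedirectToPage("Error", "Issue", new { issue = "Snort database context is not available." });
        }
        StaticData.alerts = AlertMapper.ResolveAlerts(0, ref StaticData.signatureStrings, db.GetConnection());
    }

    this.cid = cid;
    this.sid = sid;

    // Look the alert up once and keep a reference: using the matched object (rather than alerts.First())
    // avoids both a null dereference when nothing matches and a stale pick if the list already had entries.
    var alert = StaticData.alerts.FirstOrDefault(x => x.cid == cid && x.sid == sid);
    if (alert == null)
    {
        return RedirectToPage("Error", "Issue", new { issue = "Alert " + sid + "." + cid + " was not found." });
    }
    alerts.Add(alert);

    // NOTE(review): the DateTime -> DateTimeOffset cast treats an Unspecified/Local timestamp as local
    // time, so the log-file match below depends on the Kind stored in alert.time — confirm it matches
    // the clock tcpdump used when naming the rolling logs.
    targetSec = ((DateTimeOffset)alert.time).ToUnixTimeSeconds();
    // Despite its name this field holds 100 ns ticks since the Unix epoch, not milliseconds.
    long epochTicks = new DateTime(1970, 1, 1).Ticks;
    targetMS = alert.time.Ticks - epochTicks;

    IEnumerable<string> files;
    try
    {
        files = Directory.EnumerateFiles(path, "tcpdump.log.*");
    }
    catch (Exception)
    {
        return RedirectToPage("Error", "Issue", new { issue = "Snort packet log folder not found (" + path + "). Change the path in appsettings.json to match the Snort output path." });
    }

    // Snort names rolling logs "tcpdump.log.<unix seconds>"; choose the newest log that started at or
    // before the alert. Files with a non-numeric suffix are skipped instead of failing the request.
    long closestTS = 0;
    string closestFile = "";
    foreach (string f in files)
    {
        long stamp;
        bool numeric = long.TryParse(f.Split('.').Last(),
                                     System.Globalization.NumberStyles.Integer,
                                     System.Globalization.CultureInfo.InvariantCulture,
                                     out stamp);
        if (numeric && stamp <= targetSec && stamp > closestTS)
        {
            closestTS = stamp;
            closestFile = f;
        }
    }
    if (closestFile == "")
    {
        return RedirectToPage("Error", "Issue", new { issue = "No appropriate packet log found in " + path + ". Please review your Snort output configuration and activate: output log_tcpdump: tcpdump.log" });
    }

    string dir = Path.Combine(Startup.AppPath, "wwwroot/pcaps/");
    // sid and cid are integers, so the on-disk name cannot carry path separators or traversal sequences.
    string pcapFile = dir + sid + "." + cid;
    string downloadName = sid + "." + cid;

    if (!System.IO.File.Exists(pcapFile))
    {
        new FileInfo(pcapFile).Directory.Create();

        CaptureFileReaderDevice device = new CaptureFileReaderDevice(closestFile);
        captureFileWriter = new CaptureFileWriterDevice(pcapFile);
        captureFileWriter.Open();
        device.OnPacketArrival += new PacketArrivalEventHandler(this.device_OnPacketArrival);
        device.OnCaptureStopped += new CaptureStoppedEventHandler(this.device_OnCaptureStopped);
        device.Filter = "host " + source + " and host " + dest;

        // Create the semaphore before starting the capture: the stop handler is presumably what releases
        // it, and a small input file can finish before StartCapture returns.
        signal = new SemaphoreSlim(0, 1);
        device.StartCapture();
        await signal.WaitAsync();
    }

    switch (output)
    {
        case "tcpdump":
        {
            // Only integers and the application path reach the command line here; if AppPath can contain
            // spaces or shell metacharacters, Utils.Bash must quote the argument — verify against its implementation.
            string tcpdump = Utils.Bash("tcpdump -r " + pcapFile);
            return File(new MemoryStream(Encoding.UTF8.GetBytes(tcpdump ?? "tcpdump is not available")),
                        "application/octet-stream",
                        downloadName + ".txt");
        }
        default:
        {
            // "pcap" and any unrecognised value both serve the raw capture from wwwroot/pcaps.
            return File("/pcaps/" + downloadName, "application/octet-stream", downloadName + ".pcap");
        }
    }
}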
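/// <summary>
/// Best-effort background extraction of the packets for alert <paramref name="sid"/>/<paramref name="cid"/>
/// into wwwroot/pcaps/&lt;sid&gt;.&lt;cid&gt;, using the alert's own source and destination addresses as the
/// capture filter. Does nothing when the file already exists or when any prerequisite is missing.
/// </summary>
/// <param name="cid">Snort event id of the alert.</param>
/// <param name="sid">Snort sensor id of the alert.</param>
/// <remarks>
/// NOTE(review): this is <c>async void</c>, so callers cannot await it and any unhandled exception
/// would terminate the process; that is why every failure path below returns silently. Returning
/// <c>Task</c> instead would let callers observe completion and errors.
/// </remarks>
public async void extractFromPcap(int cid, int sid)
{
    string dir = Path.Combine(Startup.AppPath, "wwwroot/pcaps/");
    // sid and cid are integers, so the on-disk name cannot carry path separators or traversal sequences.
    string pcapFile = dir + sid + "." + cid;

    // Services come from the request container; GetService returns null when a service is not registered.
    SnortContext db = HttpContext.RequestServices.GetService(typeof(SnortContext)) as SnortContext;
    Utils.Tcpdump tcpdumpConfig = HttpContext.RequestServices.GetService(typeof(Utils.Tcpdump)) as Utils.Tcpdump;
    if (tcpdumpConfig == null)
    {
        return;
    }
    string path = tcpdumpConfig.path;

    if (StaticData.alerts == null)
    {
        if (db == null)
        {
            return;
        }
        StaticData.alerts = AlertMapper.ResolveAlerts(0, ref StaticData.signatureStrings, db.GetConnection());
    }

    this.cid = cid;
    this.sid = sid;

    // Look the alert up once; a missing alert previously surfaced as a null dereference.
    var alert = StaticData.alerts.FirstOrDefault(x => x.cid == cid && x.sid == sid);
    if (alert == null)
    {
        return;
    }
    alerts.Add(alert);

    // NOTE(review): the DateTime -> DateTimeOffset cast treats an Unspecified/Local timestamp as local
    // time; the original author's "UTC" / "Local Time" notes suggest this was uncertain — confirm against
    // the clock tcpdump used when naming the rolling logs.
    targetSec = ((DateTimeOffset)alert.time).ToUnixTimeSeconds();

    if (System.IO.File.Exists(pcapFile))
    {
        return; // already extracted on an earlier request
    }

    string source = alert.src_ip;
    string dest = alert.dest_ip;
    // The addresses come from the Snort database rather than the request, but they are still spliced into
    // a libpcap filter expression, so only literal IP addresses are accepted.
    if (!System.Net.IPAddress.TryParse(source, out _) || !System.Net.IPAddress.TryParse(dest, out _))
    {
        return;
    }

    // Despite its name this field holds 100 ns ticks since the Unix epoch, not milliseconds.
    long epochTicks = new DateTime(1970, 1, 1).Ticks;
    targetMS = alert.time.Ticks - epochTicks;

    try
    {
        // Snort names rolling logs "tcpdump.log.<unix seconds>"; choose the newest log that started at or
        // before the alert. Files with a non-numeric suffix are skipped.
        IEnumerable<string> files = Directory.EnumerateFiles(path, "tcpdump.log.*");
        long closestTS = 0;
        string closestFile = "";
        foreach (string f in files)
        {
            long stamp;
            bool numeric = long.TryParse(f.Split('.').Last(),
                                         System.Globalization.NumberStyles.Integer,
                                         System.Globalization.CultureInfo.InvariantCulture,
                                         out stamp);
            if (numeric && stamp <= targetSec && stamp > closestTS)
            {
                closestTS = stamp;
                closestFile = f;
            }
        }
        if (closestFile == "")
        {
            return; // no log covers the alert; opening "" would only throw
        }

        new FileInfo(pcapFile).Directory.Create();

        CaptureFileReaderDevice device = new CaptureFileReaderDevice(closestFile);
        captureFileWriter = new CaptureFileWriterDevice(pcapFile);
        captureFileWriter.Open();
        device.OnPacketArrival += new PacketArrivalEventHandler(this.device_OnPacketArrival);
        device.OnCaptureStopped += new CaptureStoppedEventHandler(this.device_OnCaptureStopped);
        device.Filter = "host " + source + " and host " + dest;

        // Create the semaphore before starting the capture: the stop handler is presumably what releases
        // it, and a small input file can finish before StartCapture returns.
        signal = new SemaphoreSlim(0, 1);
        device.StartCapture();
        await signal.WaitAsync();
    }
    catch (Exception)
    {
        // Deliberately swallowed: there is no logger in scope, and an unhandled exception escaping an
        // async void method would bring down the host. The page serves without the extracted capture.
    }
}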