利用Python抓取网络流量并识别出网络中是否存在下载可执行文件的行为
测试网站(需要是非加密的http网站):http://startrinity.com/InternetQuality/ContinuousBandwidthTester.aspx
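from email.policy import HTTP  # unused by this script; kept from the original import list
from scapy.all import *
from scapy.layers import http
import sys
import optparse
import posixpath
from urllib.parse import urlsplit, unquote
import termcolor


class HTTPDownloadDetect:
    """Sniff plaintext HTTP on one interface and report GET requests for watched file types.

    Only unencrypted HTTP can be inspected this way: the Host/Path headers of an
    HTTPS request are not visible to a sniffer, so downloads over TLS are not seen.
    """

    # Extensions that are reported. Matching is done against the last path
    # segment, case-insensitively, with query string and fragment removed.
    EXECUTABLE_EXTENSIONS = ('.exe', '.zip', '.rar')

    def __init__(self) -> None:
        self.interface = self.get_params()
        # Kept as an instance list so existing code that edits it keeps working.
        self.executable_list = list(self.EXECUTABLE_EXTENSIONS)

    def get_params(self):
        """Parse ``-i/--interface``; print usage and exit(0) when it is missing.

        Returns:
            The interface name given on the command line.
        """
        parser = optparse.OptionParser('Usage:-i interface ')
        parser.add_option('-i', '--interface', dest='interface', type='string',
                          help='Specify interface to listen')
        options, _args = parser.parse_args()
        if options.interface is None:
            print(parser.usage)
            sys.exit(0)
        return options.interface

    @staticmethod
    def _decode(field):
        """Return a scapy header field as ``str``; ``''`` when the field is absent.

        Non-UTF-8 bytes are replaced rather than raising, so a malformed request
        cannot stop the sniffer.
        """
        if field is None:
            return ''
        if isinstance(field, bytes):
            return field.decode('utf-8', errors='replace')
        return str(field)

    @staticmethod
    def _sanitize(text):
        """Replace non-printable characters (including ESC) with ``?``.

        The Host and Path values come straight from the wire, so they are printed
        only after stripping control characters that could drive the terminal.
        """
        return ''.join(ch if ch.isprintable() else '?' for ch in text)

    def _matched_extension(self, path):
        """Return the watched extension *path* ends with, or ``None``.

        The query string and fragment are ignored and the comparison is
        case-insensitive: ``/dl/tool.EXE?id=1`` matches, ``/readme.exe.txt`` and
        ``/archive.zip/index.html`` do not.
        """
        clean = unquote(urlsplit(path).path)
        name = posixpath.basename(clean).lower()
        for ext in self.executable_list:
            if name.endswith(ext.lower()):
                return ext
        return None

    def packet_handler(self, pkt):
        """scapy ``prn`` callback: report a GET whose path names a watched file type.

        Args:
            pkt: A sniffed packet; ignored unless it carries an HTTP request.
        """
        if not pkt.haslayer(http.HTTPRequest):
            return
        request = pkt.getlayer(http.HTTPRequest)
        if self._decode(request.Method) != 'GET':
            return
        # A request may arrive over IPv6; without any IP layer there is nothing to attribute.
        ip_layer = pkt.getlayer(IP)
        if ip_layer is None:
            ip_layer = pkt.getlayer(IPv6)
        if ip_layer is None:
            return
        host = self._decode(request.Host)
        path = self._decode(request.Path)
        if self._matched_extension(path) is None:
            return
        url = host + path
        print(self._sanitize(url))
        print("Detected client %s downloading from %s: %s"
              % (ip_layer.src, ip_layer.dst,
                 termcolor.colored(self._sanitize(path), 'blue')))

    def run(self):
        """Sniff on the configured interface until Ctrl-C, then exit(0)."""
        try:
            # store=False: packets are handled by the callback and not kept in memory.
            sniff(iface=self.interface, prn=self.packet_handler, store=False)
        except KeyboardInterrupt:
            print("Exit program now!")
            sys.exit(0)


if __name__ == '__main__':
    httpobj = HTTPDownloadDetect()
    httpobj.run()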