PoC of python nas heuristic #85
Conversation
tools/nasparse.py
Outdated
| res = heur_ue_imsi_sent(msg) | ||
| if(res[0]): | ||
| print(res[1]) |
There was a problem hiding this comment.
| res = heur_ue_imsi_sent(msg) | |
| if(res[0]): | |
| print(res[1]) | |
| triggered, message = heur_ue_imsi_sent(msg) | |
| if triggered: | |
| print(message) |
| parsed = NASLTE.parse_NASLTE_MT(bin) | ||
| return parsed[0] | ||
|
|
||
| def heur_ue_imsi_sent(msg): |
There was a problem hiding this comment.
instead of returning (bool, string | None) why not just return string | None?
There was a problem hiding this comment.
I just feel like returning a bool is cleaner especially with the above rewrite
tools/nasparse.py
Outdated
| if msg['EPSAttachType']['V'].to_int() == 2: | ||
| return (True, output) |
There was a problem hiding this comment.
a comment explaining the significance of this would be great
tools/nasparse_test.py
Outdated
| def test_non_nas_msg(self): | ||
| self.assertEqual(self.run_heur(self.non_nas_msg), False, "non_nas_msg should not trigger heuristic") |
There was a problem hiding this comment.
what do you think about throwing an error if we fail to parse a NAS message from the input?
| exit(1) | ||
|
|
||
| buffer = sys.argv[1] | ||
| msg = parse_nas_message(buffer) |
There was a problem hiding this comment.
i think we're not handling the case of an invalid NAS message here, in which case i think msg == None
There was a problem hiding this comment.
it is handled in line 30 by the heuristic, but we could also handle it here instead, never call the heuristic, and also throw an error.
tools/pcap_check.py
Outdated
| print('Opening {}...'.format(pcap_path)) | ||
|
|
||
| count = 0 | ||
| for (pkt_data, pkt_metadata,) in RawPcapNgReader(pcap_path): |
There was a problem hiding this comment.
nit:
| for (pkt_data, pkt_metadata,) in RawPcapNgReader(pcap_path): | |
| for pkt_data, pkt_metadata in RawPcapNgReader(pcap_path): |
tools/pcap_check.py
Outdated
| uplink = (gsmtap_hdr[4] & 0b01000000) >> 6 | ||
| buffer = pkt_data[header_end:] | ||
| msg = nasparse.parse_nas_message(buffer, uplink) | ||
| (triggered, message)= nasparse.heur_ue_imsi_sent(msg) |
There was a problem hiding this comment.
nit:
| (triggered, message)= nasparse.heur_ue_imsi_sent(msg) | |
| triggered, message = nasparse.heur_ue_imsi_sent(msg) |
tools/pcap_check.py
Outdated
| gsmtap_end_idx = (len(pkt_data) - header_end) * -1 | ||
|
|
||
| gsmtap_hdr = pkt_data[UDP_LEN:gsmtap_end_idx] |
There was a problem hiding this comment.
for some reason this took me forever to wrap my head around lol. would gsmtap_hdr = pkt_data[UDP_LEN:header_end] work?
There was a problem hiding this comment.
ah good call, I for some reason forgot you could do a fixed end index for a slice.
No description provided.