App-DubiousHTTP


bin/dubious_http.pl

#!/usr/bin/perl
use strict;
use warnings;
use Getopt::Long qw(:config posix_default bundling);
use App::DubiousHTTP::Tests;
use App::DubiousHTTP::Tests::Common;
use App::DubiousHTTP::TestServer;
use Data::Dumper;

sub usage {
    print STDERR "ERROR: @_\n" if @_;
    print STDERR <<USAGE;

Test various behaviors of browsers, IDS... by working as a
web server or alternatively creating pcaps with dubious HTTP.
See --mode doc for details about the tests.

Help:               $0 -h|--help
Test descriptions:  $0 -M|--mode doc
Export Pcaps:       $0 -M|--mode pcap [options]
Use as HTTP server: $0 -M|--mode server [options] ip:port

Options for server mode:

 --cert cert.pem    SSL certificate if SSL should be used. It will listen for
                    SSL and plain requests on the same address.
 --key  key.pem     Key for the SSL certificate
 --no-garble-url    Use clear names for URLs instead of the default garbled
                    names, which were introduced to defeat simple URL filters.
                    Logging is always done with the clear names.
 --no-track-header  Disable logging of header information for requests, which
                    is used to analyze the origin and path of the request in
                    more detail.
 --fast-feedback    Don't collect all results and send them at once at the end,
                    but send parts of the output earlier so that the recipient
                    needs to collect them. This saves memory in the client too.
 --wwwroot D        Base directory for own payloads, default ./static.
                    See below for how to set up your own payload.

Options for pcap mode:

 --file F          write all TCP streams to a single pcap file F
 --prefix P        one stream per pcap file, files prefixed with P
 --manifest M      write mapping between source port and URL to M
 --filter-any      filter based on existing reports from server mode.
                   All remaining args are considered reports and a stream will
                   be included if at least one report shows a match.
                   This is the default if arguments are given.
 --filter-all      Like --filter-any, but include a stream only if all reports
                   show a match.

Setting up your own payload:

The default payload for evasion tests is the EICAR test virus, which is served
as the ZIP file eicar.zip and, if this is not detected, as the plain TXT file
eicar.txt. To verify that the firewall does not block innocent files,
novirus.txt is used. All of these payloads are builtin.

It is possible to set up your own payload as follows:

 1. Reserve a directory for the payload files.
    The default is ./static but an alternative can be specified with --wwwroot.

 2. Add your own payloads to this directory as files which contain HTTP headers
    (without status line) and body. If the header line "X-Virus: ..." is given,
    the file is considered a malicious payload (like EICAR); otherwise the
    payload is considered innocent. Example:

        Content-type: application/octet-stream
        Content-Disposition: attachment; filename=virus.exe
        X-Virus: my-own-test-virus

        ... data of test virus ...

 3. Optionally add a brotli compressed version of the payload. While deflate,
    gzip and lzma compression are done dynamically, the brotli version needs to
    be provided, otherwise brotli support cannot be tested.
    Simply add the compressed version as filename.brotli (e.g. virus.exe.brotli
    or similar). The optional HTTP header of this file will be ignored.

 4. Specify the payload in the URL, e.g. http://ip:port/auto/all/virus.exe.
    In this simple form the custom virus.exe is considered malicious and the
    builtin novirus.txt will be used to check for overblocking.

    A more complex version would be:
    http://ip:port/auto/all/virus.zip|virus.exe|mynovirus.exe
    Assuming virus.* contain the X-Virus header while mynovirus.exe does not,
    it will first check with a fully correct and simple response whether the
    firewall blocks virus.zip. If not, it will retry with virus.exe, and if this
    is not blocked either it will assume that the firewall is not able to block
    the virus at all. But if any of these results in a block, that payload will
    be used for all further tests. Since mynovirus.exe does not contain the
    X-Virus header it will be assumed to be innocent and used to check for
    overblocking instead of the builtin novirus.txt.


USAGE
    exit(1);
}

our $BASE_URL="http://foo";
$TRACKHDR=1;
GetOptions(
    'h|help' => sub { usage() },
    'M|mode' => sub { 1 },
) or usage();
my $mode = shift(@ARGV) || 'doc';

if ( $mode eq 'server' ) {
    my ($cert,$key);
    GetOptions(
	'no-garble-url' => \$NOGARBLE,
	'track-header!' => \$TRACKHDR,
	'fast-feedback' => \$FAST_FEEDBACK,
	'cert=s'   => \$cert,
	'key=s'    => \$key,
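The payload-file format from step 2 (header lines without status line, blank line, body, optional `NAME.brotli` sibling whose own header is ignored) and the `virus.zip|virus.exe|mynovirus.exe` selection rule from step 4 are worked through below in Python. This is an added example for this page, not code from App::DubiousHTTP (which is written in Perl). It assumes nothing about the tool's internals: the `is_blocked` callback stands in for the "fully correct and simple response" check against the firewall, the sample payload files are constructed (no real EICAR data), and the builtin `novirus.txt` is represented by a placeholder body since its content is not on the page.

```python
"""Added example (not part of App::DubiousHTTP): payload-file parsing and the
'a|b|c' payload selection rule described in the dubious_http.pl usage text."""
import os
import tempfile
from dataclasses import dataclass, field
from typing import Callable, Optional

# Placeholder for the tool's builtin innocent payload (its real content is not on the page).
BUILTIN_NOVIRUS_NAME = "novirus.txt"


@dataclass
class Payload:
    name: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""
    brotli: Optional[bytes] = None   # pre-compressed body from NAME.brotli, if present

    @property
    def malicious(self) -> bool:
        # A payload is malicious exactly when an "X-Virus:" header line is present.
        return "x-virus" in self.headers


def split_header_body(raw: bytes):
    """Split 'header lines, blank line, body' (no status line) into (headers, body).
    Header names are lower-cased. A file with no blank line is treated as body only."""
    for sep in (b"\r\n\r\n", b"\n\n"):
        head, found, body = raw.partition(sep)
        if found:
            break
    else:
        return {}, raw
    headers = {}
    for line in head.decode("iso-8859-1").splitlines():
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return headers, body


def load_payload(wwwroot: str, name: str) -> Payload:
    """Read NAME from wwwroot; attach the body of NAME.brotli when that file exists.
    Assumption: the .brotli file's optional header is separated by a blank line
    like the main payload, so only what follows it is kept."""
    path = os.path.join(wwwroot, name)
    with open(path, "rb") as fh:
        headers, body = split_header_body(fh.read())
    brotli = None
    br_path = path + ".brotli"
    if os.path.exists(br_path):
        with open(br_path, "rb") as fh:
            _ignored_header, brotli = split_header_body(fh.read())
    return Payload(name, headers, body, brotli)


def select_payloads(spec: str, wwwroot: str, is_blocked: Callable[[Payload], bool]):
    """Selection rule for 'virus.zip|virus.exe|mynovirus.exe' specs:
    - candidates carrying X-Virus are tried in order with a plain, correct response;
      the first one the firewall blocks is used for all further evasion tests;
    - if none is blocked, the firewall is judged unable to block the virus (None);
    - a candidate without X-Virus replaces the builtin novirus.txt for overblocking checks."""
    payloads = [load_payload(wwwroot, n) for n in spec.split("|")]
    virus = next((p for p in payloads if p.malicious and is_blocked(p)), None)
    innocent = next((p for p in payloads if not p.malicious), None)
    novirus = innocent or Payload(BUILTIN_NOVIRUS_NAME, {}, b"builtin innocent placeholder")
    return virus, novirus


def build_demo_wwwroot() -> str:
    """Write constructed sample payload files (not real malware) into a temp directory."""
    root = tempfile.mkdtemp(prefix="dubious-")
    files = {
        "virus.zip": b"Content-type: application/zip\r\nX-Virus: demo-zip\r\n\r\nPK-demo-archive-bytes",
        "virus.exe": (b"Content-type: application/octet-stream\r\n"
                      b"Content-Disposition: attachment; filename=virus.exe\r\n"
                      b"X-Virus: my-own-test-virus\r\n\r\nMZ-demo-exe-bytes"),
        "virus.exe.brotli": b"Content-type: application/octet-stream\r\n\r\n<precompressed bytes>",
        "mynovirus.exe": b"Content-type: application/octet-stream\r\n\r\nMZ-harmless-bytes",
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


def run_demo() -> dict:
    """Two simulated firewalls: one that misses the ZIP but catches the bare
    executable (so the tool should fall back to virus.exe), and one that blocks nothing."""
    root = build_demo_wwwroot()
    spec = "virus.zip|virus.exe|mynovirus.exe"
    virus, novirus = select_payloads(spec, root, lambda p: p.name == "virus.exe")
    none_blocked, _ = select_payloads(spec, root, lambda p: False)
    exe = load_payload(root, "virus.exe")
    return {
        "virus": virus.name if virus else None,
        "novirus": novirus.name,
        "virus_when_nothing_blocked": none_blocked,
        "exe_malicious": exe.malicious,
        "exe_brotli": exe.brotli,
    }


if __name__ == "__main__":
    print(run_demo())
```

Running it shows the retry order from step 4 in action: `virus.zip` is tried first, the simulated firewall lets it through, `virus.exe` is then tried and blocked, so it becomes the payload for the remaining tests, while `mynovirus.exe` (no `X-Virus` header) takes the place of the builtin `novirus.txt`. When nothing is blocked the result is `None`, which is the "firewall is not able to block the virus at all" case.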


