SIP

Taking part in GSoC 2011, The Honeynet Project offered a project to improve dionaea's SIP stack. PhiBo, the student accepted for this project, had contributed to dionaea before, and even though I initially chose not to mentor the GSoC dionaea SIP project, given my lack of expertise in SIP, I have been working closely with him to make sure the final results are usable.
Working with him was fun; I think both of us learned something and, even more important, the code written exceeded my expectations.
Dionaea now offers a usable SIP stack for UDP, TCP and even TLS. DTLS would have been possible too, but the OpenSSL requirements do not allow this without making the installation a real nightmare.

The thing I like most about the code written is that it can be used externally as well. As an example, the following lines parse the SIP bistreams dionaea records, use the SIP stack to decode the messages and retrieve certain values. The script gathers which number was called, which remote host initiated the call, and how often per remote.

#!/opt/dionaea/bin/python3.2

import os
import sys
import glob
import imp

# dionaea's SIP stack (rfc3261, rfc2396) and the recorded bistreams
sys.path.insert(0, '/opt/dionaea/lib/dionaea/python/dionaea/sip/')
sys.path.insert(0, '/opt/dionaea/var/dionaea/bistreams/')

import rfc3261
import rfc2396

users = {}   # called number -> {remote host: number of INVITEs}
lusers = []

for session in glob.glob(os.path.join('/opt/dionaea/var/dionaea/bistreams/2011-08-*', 'Sip*-5060-*')):
	try:
		# each bistream is a python module; the first recorded payload is the initial request
		session = imp.load_source('module.name', session)
		msg = rfc3261.Message.froms(session.stream[0][1])
	except Exception:
		# unparsable or truncated bistream
		continue
	if msg.method != b'INVITE':
		continue
	if msg.uri.uri.user is None:
		continue
	user = msg.uri.uri.user   # the number being called (user part of the request URI)
	host = rfc2396.Address.froms(msg.headers.get('from')[0].value).uri.host   # host claimed in From

	if user not in users:
		users[user] = {}
	if host not in users[user]:
		users[user][host] = 1
	else:
		users[user][host] += 1

# sort by the reversed number so numbers sharing a suffix end up next to each other
for k in users:
	lusers.append(k[::-1])

lusers.sort()

for user in lusers:
	user = user[::-1]
	hosts = users[user]
	print("{!s}".format(user))
	for host, cnt in hosts.items():
		print("\t{!s}:{:d}".format(host, cnt))

The output looks like this:

b'00441913561021'
	b'207.44.244.43':1
b'002441913561031'
	b'50.28.9.55':1
b'018441913561031'
	b'67.225.165.30':5

Grouping the numbers while ignoring the dial prefix, and possibly the number block as well, would be an improvement. Example:

[b'9011441214001369', b'441913561027', b'012441913561023', b'11441913561018',
b'04441913561024', b'000441913561035', b'02441913561027', b'020441913561034',
b'010441913561027', b'12441913561032', b'14441913561026', b'006441913561032',
b'014441913561031', b'13441913561034', b'01441913561029', b'016441913561018',
b'20441913561026', b'00441913561021', b'16441913561023', b'00441913561028',
b'017441913561031', b'19441913561017', b'06441913561028', b'8441913561029', 
b'011441913561023', b'009441913561027', b'22441913561036', b'018441913561031',
b'001441913561025', b'007441913561036', b'021441913561031', b'005441913561018', 
b'15441913561034', b'07441913561023', b'022441913561018', b'09441913561029', 
b'003441913561023', b'015441913561032', b'3441913561032', b'008441913561023', 
b'013441913561018', b'2441913561035', b'1441913561035', b'7441913561023', 
b'6441913561018', b'08441913561018', b'019441913561036', b'9441913561029', 
b'0441913561034', b'004441913561031', b'4441913561024', b'10441913561028', 
b'21441913561031', b'17441913561033', b'002441913561031', b'5441913561029', 
b'18441913561035']

“4419135610” would be a common substring for many of these numbers; ignoring the dial prefix and taking a complete number block into account, >95% of the numbers called belong to the same 'network', “*4419135610??”. I had a look at python-ngram and SequenceMatcher but got nowhere; feel free to post your approach in the comments.
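One way to do the grouping asked for above, as an added example (not code from the post or from dionaea): right-align each dialed number so the variable dial prefix falls off the front, key on the network block that sits before the last subscriber digits, and count the dial prefixes seen per block. The block length (10) and wildcard width (2) are assumptions chosen to match the “*4419135610??” pattern; the number list is the one from the post.

```python
from collections import Counter, defaultdict

# Numbers dialed against the honeypot, copied from the list in the post above.
NUMBERS = [b'9011441214001369', b'441913561027', b'012441913561023', b'11441913561018', b'04441913561024',
    b'000441913561035', b'02441913561027', b'020441913561034', b'010441913561027', b'12441913561032',
    b'14441913561026', b'006441913561032', b'014441913561031', b'13441913561034', b'01441913561029',
    b'016441913561018', b'20441913561026', b'00441913561021', b'16441913561023', b'00441913561028',
    b'017441913561031', b'19441913561017', b'06441913561028', b'8441913561029', b'011441913561023',
    b'009441913561027', b'22441913561036', b'018441913561031', b'001441913561025', b'007441913561036',
    b'021441913561031', b'005441913561018', b'15441913561034', b'07441913561023', b'022441913561018',
    b'09441913561029', b'003441913561023', b'015441913561032', b'3441913561032', b'008441913561023',
    b'013441913561018', b'2441913561035', b'1441913561035', b'7441913561023', b'6441913561018',
    b'08441913561018', b'019441913561036', b'9441913561029', b'0441913561034', b'004441913561031',
    b'4441913561024', b'10441913561028', b'21441913561031', b'17441913561033', b'002441913561031',
    b'5441913561029', b'18441913561035']

def split_number(number, block_len=10, wildcard=2):
    """Right-align a number into (dial prefix, network block, subscriber digits), or None if too short."""
    digits = number.decode('ascii') if isinstance(number, bytes) else number
    if not digits.isdigit() or len(digits) < block_len + wildcard:
        return None
    end = len(digits) - wildcard   # assumed: block_len digits before the wildcard part form the block
    return digits[:end - block_len], digits[end - block_len:end], digits[end:]

def group_by_block(numbers, block_len=10, wildcard=2):
    """Map each network block to the dial prefixes and subscriber digits seen with it."""
    groups = defaultdict(lambda: {'prefixes': Counter(), 'subscribers': set()})
    for number in numbers:
        parts = split_number(number, block_len, wildcard)
        if parts is None:
            continue  # malformed or too short to contain a full block
        prefix, block, subscriber = parts
        groups[block]['prefixes'][prefix] += 1
        groups[block]['subscribers'].add(subscriber)
    return dict(groups)

def dominant_block(groups):
    """Return (block, share of all calls) for the most-dialed network block."""
    calls = {b: sum(g['prefixes'].values()) for b, g in groups.items()}
    block = max(calls, key=calls.get)
    return block, calls[block] / sum(calls.values())

if __name__ == '__main__':
    groups = group_by_block(NUMBERS)
    block, share = dominant_block(groups)
    print('{}?? : {:.1%} of calls, {} subscriber suffixes'.format(
        block, share, len(groups[block]['subscribers'])))
    for prefix, cnt in sorted(groups[block]['prefixes'].items()):
        print('\tdial prefix {!r}: {}'.format(prefix, cnt))
```

For the list above this yields one block, 4419135610, covering 56 of the 57 numbers, with the single 9011441214001369 call left in its own group.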

There are still some things to take care of for SIP; one of them is logging. We have already discussed which data might be useful to log into the 'ore and sqlite, and this will be taken care of in the near future.

2011/08/27/sip.txt · Last modified: 2011/08/27 15:21 by common