hexa_payload_decoder
A tool to automatically decode and translate any TCP hexa payload data from any language to English.
Statistics
- Stars: 17
- Watchers: 7
- Forks: 6
- Open Issues: 0
- Releases: 0
README.md
Hexa Payload Decoder
Problem Statement
When analyzing malware traffic on the network we sometimes find ourselves spending several minutes decoding the data from hexadecimal streams. In the best case we can use tools such as Wireshark to see these streams already decoded, but sometimes the decoded characters are not supported by most network analyzers.
The Solution
The idea is to develop a tool that extracts the TCP hexadecimal data from network captures, filtering by a port provided by the user, decodes it from hexadecimal and translates it from any language to English.
The workflow of the tool is the following:
- The user runs the bash script with two parameters: the pcap file to analyze and a port.
- The bash script extracts the hexadecimal data from the TCP flows matching the user-provided port using the Tshark command.
- The extracted hexadecimal data is decoded as UTF-8 using the Python standard library.
- The decoded data is passed to the LibreTranslate Python library, which automatically detects the language and translates it to English.
- The decoded and translated data is written to an output file.
- This flow repeats for every TCP flow found in the pcap.
Hexadecimal decoder and translator for network analysis
The hexadecimal decoder and translator for network analysis runs using Python 3, and currently supports the following options:
```
usage: python3 hexapayloaddecoder.py [-h] [-d DECODE | -c] [-r READ] [-p PORT] [-l LENGTH]

optional arguments:
  -h, --help                  show this help message and exit
  -d DECODE, --decode DECODE  Decode and translate the given string.
  -c, --clean                 Clean the contents of the log file.

Analysis:
  -r READ, --read READ        Name of the pcap file that is analyzed.
  -p PORT, --port PORT        Analyze traffic for a specific port only.
  -l LENGTH, --length LENGTH  Analyze data streams longer than the given length.
```
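As an added illustration of the extract, decode and length-filter steps of the workflow above (example code, not the project's own): the functions below parse constructed output of `tshark -T fields -e tcp.stream -e tcp.payload`, reassemble each TCP stream, decode it as UTF-8 without aborting on bytes that are not valid UTF-8, and apply the `-l`-style length filter. The translation step is left out because it needs a running LibreTranslate instance; the sample lines and the handling of both colon-separated and plain hex are assumptions.

```python
import binascii
import re

# Constructed sample of what `tshark -T fields -e tcp.stream -e tcp.payload`
# prints, one line per packet. Depending on the tshark version the payload
# is plain hex or colon-separated hex (assumption); both are accepted below.
SAMPLE_TSHARK_OUTPUT = """\
0\t48656c6c6f2c20776f726c6421
0\t
1\t48:6f:6c:61:20:6d:75:6e:64:6f
2\tff00fe2045cd
3\t436f6e6e656374696e672e2e2e2000
"""


def parse_tshark_lines(text):
    """Yield (stream_id, raw_bytes) for every line that carries a payload."""
    for line in text.splitlines():
        if not line.strip():
            continue
        stream, _, hexdata = line.partition("\t")
        hexdata = hexdata.replace(":", "").strip()
        if not hexdata:
            continue  # packets without a payload (SYN, pure ACK) are skipped
        yield int(stream), binascii.unhexlify(hexdata)


def decode_payload(raw):
    """Decode bytes as UTF-8; invalid sequences become U+FFFD instead of
    raising, and ASCII control characters (NUL padding, CR/LF) are dropped
    so the text can be handed to a translator as a single line."""
    text = raw.decode("utf-8", errors="replace")
    return re.sub(r"[\x00-\x1f\x7f]", "", text)


def reassemble_streams(text, min_length=0):
    """Concatenate payloads per TCP stream and keep only streams whose raw
    payload is longer than min_length, mirroring the tool's -l option."""
    streams = {}
    for stream, raw in parse_tshark_lines(text):
        streams[stream] = streams.get(stream, b"") + raw
    return {
        sid: decode_payload(raw)
        for sid, raw in sorted(streams.items())
        if len(raw) > min_length
    }


if __name__ == "__main__":
    for sid, decoded in reassemble_streams(SAMPLE_TSHARK_OUTPUT, 12).items():
        print(f"stream {sid}: {decoded!r}")
```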
Here is the tool working with a packet capture from Mirai IoT malware:

Requirements
- Libre Translate Python Library https://github.com/argosopentech/LibreTranslate-py
- Tshark https://www.wireshark.org/docs/man-pages/tshark.html
Docker Image
The Hexa Payload Decoder currently has a public Docker image:
```
docker run --rm -it stratosphereips/hexapayloaddecoder:latest /bin/bash
```
Owner
- Name: Stratosphere IPS
- Login: stratosphereips
- Kind: organization
- Location: Prague
- Website: https://www.stratosphereips.org
- Twitter: StratosphereIPS
- Repositories: 25
- Profile: https://github.com/stratosphereips
Cybersecurity Research Laboratory at the Czech Technical University in Prague. Creators of Slips, a free software machine learning-based behavioral IDS/IPS.
Citation (CITATION.cff)
cff-version: 1.2.0
title: >-
Hexa Payload Decoder: A tool to automatically decode and translate any TCP hexa payload data form any language to English
message: 'If you use this software, please cite it as below.'
type: software
authors:
- given-names: Agustin
family-names: Parmisano
email: agustinparmisano@gmail.com
affiliation: >-
Stratosphere Laboratory, AIC, FEL, Czech
Technical University in Prague
orcid: ''
- given-names: Maria
family-names: Rigaki
email: rigakmar@fel.cvut.cz
affiliation: >-
Stratosphere Laboratory, AIC, FEL, Czech
Technical University in Prague
orcid: 'https://orcid.org/0000-0002-0688-7752'
- given-names: Veronica
family-names: Valeros
email: valerver@fel.cvut.cz
affiliation: >-
Stratosphere Laboratory, AIC, FEL, Czech
Technical University in Prague
orcid: 'https://orcid.org/0000-0003-2554-3231'
GitHub Events
Total
- Watch event: 1
Last Year
- Watch event: 1
Dependencies
- libretranslatepy *