Interactive Packet Filtering Mode v0.1

Haka has an interesting feature that lets you filter packets interactively. With this mode activated, a Haka shell prompt is displayed to the end user, who then has access to the full Haka API to play with packet content: accessing and modifying packet fields, dropping packets, logging suspicious events, alerting, etc. The Lua console supports auto-completion and is therefore a good starting point to dive into the Haka API.

All the magic starts with the following rule:

require('protocol/ipv4')
require('protocol/tcp')

haka.rule{
    hooks = { 'ipv4-up', 'tcp-up' },
    eval = haka.interactive_rule
}

In the following, we replay an nmap packet capture by running this rule with our tool hakapcap (a tool dedicated to packet capture analysis):

haka@haka:/opt/haka/bin# ./hakapcap xmas.pcap interact.lua -o output.pcap

hakapcap will parse the provided pcap file and halt on the first ip packet. A prompt will then be displayed, allowing the user to enter commands. The packet content is available through the input variable. At this point, you can modify some field values (in the example below, the value of the ttl field is set to 60), check the validity of the checksum and add a log entry if the checksum is not valid (as the output shows, the checksum is not valid in our example).

ipv4-up>  input
  #1    userdata ipv4 {
          next_dissector : "tcp"
          checksum : 51624
          version : 4
          id : 10453
          dissector : "ipv4"
          frag_offset : 0
          proto : 6
          src : userdata addr 192.168.10.1
          payload : userdata ipv4_payload
          raw : userdata packet {
            timestamp : userdata time Thu Feb 20 14:47:14 2014
            length : 40
            dissector : "raw"
            next_dissector : "ipv4"
          }
          dst : userdata addr 192.168.20.1
          flags : userdata ipv4_flags {
            mf : false
            df : false
            rb : false
            all : 0
          }
          tos : 0
          ttl : 41
          len : 40
          hdr_len : 20
        }
ipv4-up>  input.ttl = 60
ipv4-up>  if not input:verify_checksum() then
ipv4-up>> haka.log("filter", "Bad IP Checksum")
ipv4-up>> end
info  filter: Bad IP Checksum

Hitting CTRL-D will display a new prompt, where you can play with the tcp content this time (remember that we chose to hook 'ipv4-up' and 'tcp-up' in our interactive rule). In the following snapshot, we first check that the ttl value has been changed. Next, we dump the tcp flags and see that this is actually an Xmas scan ('push', 'urg' and 'fin' are set all together). In our example, we raise an alert and drop the packet.

tcp-up>  input.ip.ttl
  #1    60
tcp-up>  input.flags
  #1    userdata tcp_flags {
          ecr : false
          urg : false
          ecn : false
          syn : false
          rst : false
          psh : false
          fin : false
          all : 41
          ack : false
        }
tcp-up>  haka.alert {
tcp-up>> sources = { haka.alert.address(input.ip.src) },
tcp-up>> targets = { haka.alert.address(input.ip.dst), haka.alert.service(input.dstport)},
tcp-up>> method = { description = "Xmas Attack" }
tcp-up>> }
info  alert: id = 1
        time = Thu Feb 20 17:42:34 2014
        method = {
                description = Xmas Attack
        }
        sources = {
                address: 192.168.10.1
        }
        targets = {
                address: 192.168.20.1
                service: 80
        }
tcp-up>  input:drop()

Hitting CTRL-D again, Haka will continue with the next ip packet until all packets have been parsed.

Note that this interactive mode adds a lot of delay to packet processing. It is therefore best to use it on pcap files. Otherwise, you can run into problems with tcp, for instance.
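
Once the interactive session has shown which checks are useful, they can be written as ordinary rules that run without a prompt. The following is an added example, not part of the original post or of the Haka distribution: it reuses only the calls shown in the session above, and assumes that `eval` receives `(self, pkt)` with `pkt` being the value the prompt exposes as `input`; `has_bits` is a hypothetical helper.

```lua
-- Added example (not from the original post). Assumption: eval is called
-- as eval(self, pkt), where pkt is what the prompt exposes as `input`.
require('protocol/ipv4')
require('protocol/tcp')

-- TCP header flag bit values.
local FIN, PSH, URG = 1, 8, 32
local XMAS = FIN + PSH + URG   -- 41, the `all` value seen in the flags dump

-- Hypothetical helper: true when every bit of `mask` is set in `value`.
-- Uses plain arithmetic so it does not depend on a bit-operations library.
local function has_bits(value, mask)
    local bit = 1
    while bit <= mask do
        local in_mask = math.floor(mask / bit) % 2 == 1
        local in_value = math.floor(value / bit) % 2 == 1
        if in_mask and not in_value then return false end
        bit = bit * 2
    end
    return true
end

-- Log every IP packet whose header checksum does not verify.
haka.rule{
    hooks = { 'ipv4-up' },
    eval = function (self, pkt)
        if not pkt:verify_checksum() then
            haka.log("filter", "Bad IP Checksum")
        end
    end
}

-- Alert on and drop segments carrying FIN, PSH and URG together
-- (also matches when further flags are set in addition to these three).
haka.rule{
    hooks = { 'tcp-up' },
    eval = function (self, pkt)
        if has_bits(pkt.flags.all, XMAS) then
            haka.alert{
                sources = { haka.alert.address(pkt.ip.src) },
                targets = { haka.alert.address(pkt.ip.dst), haka.alert.service(pkt.dstport) },
                method = { description = "Xmas Attack" }
            }
            pkt:drop()
        end
    end
}
```

Saved to a file, it can be replayed against the same capture with the hakapcap invocation shown earlier, in place of interact.lua.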