void
print_urls(u_long dst, u_short dport, int win)
{
char *p, host[128], tmp[128];
u_long ip;
gethostname(host, sizeof(host));
ip = resolve_host(host);
strncpy(host, int_ntoa(ip), sizeof(host));
/* XXX - "MDTM /\r\n" for Netscape, "CWD /\r\n" for MSIE. i suk. */
win -= (4 + 2 + 2);
p = malloc(win + 1);
memset(p, 'a', win);
p[win] = '\0';
portnum2str(tmp, sizeof(tmp), dst, dport);
printf("Netscape / Lynx URL to send client at %s:\n"
"ftp://%s/%s%%0a%%0dPORT%%20%s\n",
int_ntoa(dst), host, p, tmp);
printf("MSIE / Wget URL to send client at %s:\n"
"ftp://%s/a%s%%0a%%0dPORT%%20%s\n",
int_ntoa(dst), host, p, tmp);
free(p);
}
static void nids_syslog(int type, int errnum, struct ip *iph, void *data)
{
char saddr[20], daddr[20];
switch (type) {
case NIDS_WARN_IP:
if (errnum != NIDS_WARN_IP_HDR) {
strcpy(saddr, int_ntoa(iph->ip_src.s_addr));
strcpy(daddr, int_ntoa(iph->ip_dst.s_addr));
syslog(nids_params.syslog_level,
"%s, packet (apparently) from %s to %s\n",
nids_warnings[errnum], saddr, daddr);
} else
syslog(nids_params.syslog_level, "%s\n",
nids_warnings[errnum]);
break;
case NIDS_WARN_TCP:
strcpy(saddr, int_ntoa(iph->ip_src.s_addr));
strcpy(daddr, int_ntoa(iph->ip_dst.s_addr));
if (errnum != NIDS_WARN_TCP_HDR)
syslog(nids_params.syslog_level,
"%s,from %s:%hu to %s:%hu\n", nids_warnings[errnum],
saddr, ntohs(((struct tcphdr *) data)->th_sport), daddr,
ntohs(((struct tcphdr *) data)->th_dport));
else
syslog(nids_params.syslog_level, "%s,from %s to %s\n",
nids_warnings[errnum], saddr, daddr);
break;
default:
syslog(nids_params.syslog_level, "Unknown warning number ?\n");
}
}
char * adres (struct tuple4 addr, char *direction){
static char buf[256] = {0};
strcpy (buf, int_ntoa (addr.saddr));
sprintf (buf + strlen (buf), ":%i %s", addr.source, direction);
strcat (buf, int_ntoa (addr.daddr));
sprintf (buf + strlen (buf), ":%i ", addr.dest);
return buf;
}
/* struct tuple4 contains addresses and port numbers of the TCP connections
the following auxiliary function produces a string looking like
10.0.0.1,1024,10.0.0.2,23 */
char* adres(struct tuple4 addr)
{
static char buf[256];
strcpy(buf, int_ntoa(addr.saddr));
sprintf(buf + strlen(buf), ",%i,", addr.source);
strcat(buf, int_ntoa(addr.daddr));
sprintf(buf + strlen(buf), ",%i", addr.dest);
return buf;
}
void streamClean(struct stream *s) {
char buffer[1024];
http_parser_init(&(s->request_parser), HTTP_REQUEST);
http_parser_init(&(s->response_parser), HTTP_RESPONSE);
s->is_http = 0;
s->request_data_size = 0;
s->response_data_size = 0;
s->json = json_object_new_object();
sprintf(buffer, "%s:%i", int_ntoa(s->addr.saddr), s->addr.source);
json_object_object_add(s->json, "src", json_object_new_string(buffer));
sprintf(buffer, "%s:%i", int_ntoa(s->addr.daddr), s->addr.dest);
json_object_object_add(s->json, "dst", json_object_new_string(buffer));
}
int main (int argc, char *argv[]) {
struct ddos_log header;
char log_header[1024];
char * in_buffer[16384];
char * obuf[16384];
unsigned int obuf_len = sizeof(obuf);
int rc;
char timebuf[64];
struct tm* tm_info;
char source_ip[64];
char dest_ip[64];
char filename[256];
if (argc > 1) {
strncpy(filename, argv[1], sizeof(filename));
} else { // if (argc > 1)
printf("Usage:\n%s logfilename\n\n", argv[0]);
exit(1);
} // if (argc > 1)
fp = fopen(filename, "rb");
if (fp) {
// this will eventually hold a version header
fgets(log_header, sizeof(log_header), fp);
while (1) {
fread(&header, sizeof(header), 1, fp);
fread(&in_buffer, header.payload_len, 1, fp);
if (!feof(fp)) {
memset(obuf, 0, sizeof(obuf));
obuf_len = sizeof(obuf);
rc = lzfx_decompress(in_buffer, header.payload_len, obuf, &obuf_len);
tm_info = localtime(&header.time);
strftime(timebuf, sizeof(timebuf), "%Y-%m-%d %H:%M:%S", tm_info);
strcpy(source_ip, int_ntoa(header.source_ip));
strcpy(dest_ip, int_ntoa(header.dest_ip));
printf("%s %s:%d %s:%d %s %s", timebuf,
source_ip, header.source_port, dest_ip, header.dest_port,
header.country, obuf);
} else { // if (!feof(fp))
break;
} // if (!feof(fp))
} // while (1)
} else { // if (fp)
printf("Didn't find a valid file\n\n");
} // if (fp)
return 0;
}
static void my_nids_packetloss(struct ip* iph, struct tcphdr* tcph,
struct skbuff* packet)
{
if (packet->len <= 0) {
return;
}
char saddr[20], daddr[20];
strcpy(saddr, int_ntoa(iph->ip_src.s_addr));
strcpy(daddr, int_ntoa(iph->ip_dst.s_addr));
if (g_Verbose) {
fprintf(stderr, "packet loss! from %s:%hu to %s:%hu, "
"len: %d, seq: %u\n",
saddr, ntohs(tcph->th_sport),
daddr, ntohs(tcph->th_dport),
packet->len, packet->seq);
}
g_NumPacketLoss++;
g_BytesLoss += packet->len;
return;
}
void session_log(struct session * s){
char timestr[80];
char *clientip = strdup(int_ntoa(s->tcp->addr.saddr));
struct tm *newtime;
newtime = localtime(&(s->start_time));
strftime(×tr, 80, "%d/%b/%Y:%H:%M:%S %z", newtime);
snprintf(&log_buff, LOG_BUF_SIZE, "%s %s:%d %s - [%s] \"%s %s HTTP/%d.%d\" %d %d \"%s\" \"%s\""
, clientip
, int_ntoa(s->tcp->addr.daddr)
, s->tcp->addr.dest
, s->host
, ×tr
, http_method_str(s->method)
, s->path
, s->http_major
, s->http_minor
, s->status_code
, s->tcp->client.count
, s->referer?s->referer:""
, s->ua?s->ua:""
);
free(clientip);
status_logpush(&log_buff, strnlen(&log_buff, LOG_BUF_SIZE));
}
static void nids_syslog(int type, int errnum, struct ip *iph, void *data)
{
char saddr[20], daddr[20];
char buf[1024];
struct host *this_host;
unsigned char flagsand = 255, flagsor = 0;
int i;
switch (type) {
case NIDS_WARN_IP:
if (errnum != NIDS_WARN_IP_HDR) {
strcpy(saddr, int_ntoa(iph->ip_src.s_addr));
strcpy(daddr, int_ntoa(iph->ip_dst.s_addr));
syslog(nids_params.syslog_level,
"%s, packet (apparently) from %s to %s\n",
nids_warnings[errnum], saddr, daddr);
} else
syslog(nids_params.syslog_level, "%s\n",
nids_warnings[errnum]);
break;
case NIDS_WARN_TCP:
strcpy(saddr, int_ntoa(iph->ip_src.s_addr));
strcpy(daddr, int_ntoa(iph->ip_dst.s_addr));
if (errnum != NIDS_WARN_TCP_HDR)
syslog(nids_params.syslog_level,
"%s,from %s:%hu to %s:%hu\n", nids_warnings[errnum],
saddr, ntohs(((struct tcphdr *) data)->th_sport), daddr,
ntohs(((struct tcphdr *) data)->th_dport));
else
syslog(nids_params.syslog_level, "%s,from %s to %s\n",
nids_warnings[errnum], saddr, daddr);
break;
case NIDS_WARN_SCAN:
this_host = (struct host *) data;
sprintf(buf, "Scan from %s. Scanned ports: ",
int_ntoa(this_host->addr));
for (i = 0; i < this_host->n_packets; i++) {
strcat(buf, int_ntoa(this_host->packets[i].addr));
sprintf(buf + strlen(buf), ":%hu,",
this_host->packets[i].port);
flagsand &= this_host->packets[i].flags;
flagsor |= this_host->packets[i].flags;
}
if (flagsand == flagsor) {
i = flagsand;
switch (flagsand) {
case 2:
strcat(buf, "scan type: SYN");
break;
case 0:
strcat(buf, "scan type: NULL");
break;
case 1:
strcat(buf, "scan type: FIN");
break;
default:
sprintf(buf + strlen(buf), "flags=0x%x", i);
}
} else
strcat(buf, "various flags");
syslog(nids_params.syslog_level, "%s", buf);
break;
default:
syslog(nids_params.syslog_level, "Unknown warning number ?\n");
}
}
void session_report(struct session * s, char type){
if(s->need_report==0){
return;
}
s->need_report = 0;
struct msg_report rp;
rp.buffer = msgpack_sbuffer_new();
rp.pk = msgpack_packer_new(rp.buffer, msgpack_sbuffer_write);
rp.count = 0;
// 15 < keys < 65535
// https://github.com/msgpack/msgpack/blob/master/spec.md#formats-map
// +--------+--------+--------+~~~~~~~~~~~~~~~~~+
// | 0xde |YYYYYYYY|YYYYYYYY| N*2 objects |
// +--------+--------+--------+~~~~~~~~~~~~~~~~~+
msgpack_pack_map(rp.pk, 20);
report_add_pair(&rp, "@class", "http-scope");
report_add_pair_int(&rp, "@time", s->start_time);
report_add_pair(&rp, "method", http_method_str(s->method));
report_add_pair(&rp, "host", s->host);
report_add_pair(&rp, "host", s->host);
report_add_pair(&rp, "path", s->path);
report_add_pair(&rp, "node", config.node);
report_add_pair_int(&rp, "code", s->status_code);
//print_data(rp.buffer->data, rp.buffer->size);
report_add_pair(&rp, "server", int_ntoa(s->tcp->addr.daddr));
report_add_pair_int(&rp, "server-port", s->tcp->addr.dest);
report_add_pair(&rp, "client", int_ntoa(s->tcp->addr.saddr));
// report_add_pair_int(&rp, "loat_packet", s->lost_packets);
// report_add_pair_int(&rp, "total_packets", s->packets);
// /* report_add_packet_int(&rp, "packets", "%d/%d",s->lost_packets, s->packets);*/
report_add_pair(&rp, "status", close_status(type));
report_add_pair_int(&rp, "req-bytes", s->tcp->server.count);
report_add_pair_int(&rp, "rep-bytes", s->tcp->client.count);
report_add_pair_float(&rp, "net-req-time", s->req_time/1000000.0);
report_add_pair_float(&rp, "server-time", s->server_time/1000000.0);
report_add_pair_float(&rp, "net-rep-time", s->rep_time/1000000.0);
if(s->referer){
report_add_pair(&rp, "referer", s->referer);
char * referer_host = strstr(s->referer, "//");
if(referer_host){
referer_host+=2;
char *p = strstr(referer_host, "/");
if(p) *p = 0;
report_add_pair(&rp, "referer-host", referer_host);
}
}
struct kv *p = s->proplist;
while(p){
urldecode(p->value);
report_add_pair(&rp, kv_type_string(p->type, p->key), p->value);
p = p->next;
}
if(s->is_catch_response_body && s->response_body_size<65535){
report_add_pair_int(&rp, "body-captured-size", s->response_body_size);
report_add_key(&rp, "body-captured");
msgpack_pack_raw(rp.pk, s->response_body_size);
struct body_buf *b = s->response_body_first;
int size_pushed = 0;
while(b){
msgpack_pack_raw_body(rp.pk, b->data, b->size);
size_pushed += b->size;
b = b->next;
}
}
//print_data(rp.buffer->data, rp.buffer->size);
char *cp = rp.buffer->data;
cp = cp + 1;
*cp = rp.count >> 8;
cp = cp + 1;
*cp = rp.count % 256;
//printf("rp.buffer->size=%d\n", rp.count);
rp.routing_key = malloc(ROUTING_KEY_BUF_SIZE);
bzero(rp.routing_key, ROUTING_KEY_BUF_SIZE);
snprintf(rp.routing_key, ROUTING_KEY_BUF_SIZE,
"http-scope.%s.%dxx.%d", s->host, s->status_code / 100 ,s->status_code);
send_report(&rp);
//print_data(rp.buffer->data, rp.buffer->size);
free(rp.routing_key);
msgpack_sbuffer_free(rp.buffer);
msgpack_packer_free(rp.pk);
session_log(s);
session_clean(s);
session_start(s);
}
void tcp_callback (struct tcp_stream *a_tcp, void ** this_time_not_needed) {
g_mutex_lock (table_mutex);
char buf[1024] = {0};
char *received_time = NULL;
struct half_stream *hlf_server=NULL, *hlf_client=NULL;
packets++;
received_time = timeval_to_char(nids_last_pcap_header->ts);
hlf_server = &a_tcp->server;
hlf_client = &a_tcp->client;
// if(a_tcp->nids_state == NIDS_EXITING) {
// fprintf(stream_out, COLOUR_RED "\nNIDS is closing!\n" COLOUR_NONE);
// }else
if(a_tcp->nids_state == NIDS_JUST_EST) {
// connexion described by a_tcp is established
// here we decide, if we wish to follow this stream
// sample condition: if (a_tcp->addr.dest!=23) return;
// in this simple app we follow each stream, so..
a_tcp->client.collect++; // we want data received by a client
a_tcp->server.collect++; // and by a server, too
fprintf(stream_out, COLOUR_B_GREEN "#%d\tSYN\t" COLOUR_NONE, packets);
fprintf(stream_out, "%s", adres(a_tcp->addr, "\t"));
fprintf(stream_out, "\t%s\n", received_time);
}else if(a_tcp->nids_state == NIDS_RESET) {
fprintf(stream_out, COLOUR_B_YELLOW "#%d\tRST\t" COLOUR_NONE, packets);
fprintf(stream_out, "%s", adres(a_tcp->addr, "\t"));
fprintf(stream_out, "\t%s\n", received_time);
}else if(a_tcp->nids_state == NIDS_CLOSE || a_tcp->nids_state == NIDS_EXITING) {
fprintf(stream_out, COLOUR_B_RED "#%d\tFIN\t" COLOUR_NONE, packets);
fprintf(stream_out, "%s\n", adres(a_tcp->addr, "\t"));
char *clave_hash = hash_key(a_tcp);
g_hash_table_remove(table, clave_hash);
if(clave_hash != NULL){
free(clave_hash);
}
a_tcp->client.collect--;
a_tcp->server.collect--;
//LLEGA PAQUETE TCP CON PAYLOAD
}else if(a_tcp->nids_state == NIDS_DATA) {
/*** PACKETES TCP CON PAYLOAD
*
* |¯¯¯¯\ /¯¯¯¯¯| |¯¯¯¯¯| /¯¯¯¯¯|
* | x \ / ! | | | / ! |
* |_____/ /__/¯|__' ¯|_|¯ /__/¯|__|
*/
http_packet http = NULL;
if(hlf_client->count_new){ //RESPONSE
// fprintf(stderr, COLOUR_B_YELLOW "\n|%s - (%u, %u, %u, %d)|\n" COLOUR_NONE, received_time, hlf_client->seq, hlf_client->ack_seq, hlf_client->curr_ts, hlf_client->count_new);
// fprintf(stderr, "|");
// write(2, hlf_client->data, 130);
// fprintf(stderr, "|\n" );
http_parse_packet(hlf_client->data, hlf_client->count_new, &http);
}else if(hlf_server->count_new){ //PETICION
// fprintf(stderr, COLOUR_B_GREEN "\n|%s - (%u, %u, %u, %d)|\n" COLOUR_NONE, received_time, hlf_server->seq, hlf_server->ack_seq, hlf_server->curr_ts, hlf_server->count_new);
// fprintf(stderr, "|");
// write(2, hlf_server->data, 130);
// fprintf(stderr, "|\n" );
http_parse_packet(hlf_server->data, hlf_server->count_new, &http);
}
//RESPUESTA Y QUE COINCIDA QUE ES PRIMER PAQUETE DE RESPUESTA
if(hlf_client->count_new && http_get_op(http) == RESPONSE){ //RESPONSE
char *hashkey = hash_key(a_tcp);
hash_value *hashvalue = NULL;
gpointer gkey = NULL, gval = NULL;
intercambio *peticion = NULL;
g_hash_table_lookup_extended(table, hashkey, &gkey, &gval);
hashvalue = (hash_value *) gval;
//Si hay una entrada en la tabla hash
if(hashvalue != NULL){
//peticion = hashvalue->last;
hashvalue->n_respuestas++;
//Obtener el par peticion/respuesta correspondiente
peticion = get_n_intercambio(hashvalue->array, hashvalue->n_respuestas, hashvalue->n_peticiones);
if(peticion==NULL){
fprintf(stream_out, COLOUR_B_RED "ERROR OBTAINING REQUEST!! \t%d\t" COLOUR_NONE, packets);
fprintf(stream_out, "%s:%u\t", int_ntoa (a_tcp->addr.daddr), a_tcp->addr.dest);
fprintf(stream_out, "%s:%u ", int_ntoa (a_tcp->addr.saddr), a_tcp->addr.source);
fprintf(stream_out, "\t%s\n", received_time);
free(hashkey);
free(received_time);
g_mutex_unlock (table_mutex);
return;
}
//Copiar timestamp
peticion->ts_response = nids_last_pcap_header->ts;
peticion->ts_last_response = nids_last_pcap_header->ts;
peticion->chunks += 1;
//copiar los datos de la respuesta a la estructura
// ===================================
//DESCARTADOS PARA AHORRAR MEMORIA
peticion->response = (char *) realloc(peticion->response, hlf_client->count_new);
strncpy(peticion->response, hlf_client->data, hlf_client->count_new);
//FIN DESCARTADOS PARA AHORRAR MEMORIA
// ===================================
peticion->n_response_pkt = packets;
peticion->response_bytes = hlf_client->count_new;
}else{ //NO HAY ENTRADA EN LA TABLA HASH
fprintf(stream_out, COLOUR_B_RED "RESPONSE WITHOUT REQUEST!! \t%d\t" COLOUR_NONE, packets);
fprintf(stream_out, "%s:%u\t", int_ntoa (a_tcp->addr.daddr), a_tcp->addr.dest);
fprintf(stream_out, "%s:%u ", int_ntoa (a_tcp->addr.saddr), a_tcp->addr.source);
fprintf(stream_out, "\t%s\n", received_time);
free(hashkey);
free(received_time);
g_mutex_unlock (table_mutex);
return;
}
g_hash_table_steal(table, hashkey);
g_hash_table_insert(table, gkey, hashvalue);
free(hashkey);
//Datos de la peticion
http_packet http_request = NULL;
http_parse_packet(peticion->request, peticion->request_bytes, &http_request);
//Preparacion para imprimir los datos y tiempos junto con el RTT
struct timeval time_last = peticion->ts_request;
struct timeval res;
timersub(&nids_last_pcap_header->ts, &time_last, &res);
char *received_rq_time = timeval_to_char(time_last);
fprintf(stream_out, "———————————————————————————————————————————————————————————————————————————————————————————————————————\n");
fprintf(stream_out, COLOUR_B_BLUE "#%d\t%s\t" COLOUR_NONE, peticion->n_request_pkt, http_get_method(http_request));
fprintf(stream_out, "%s:%u\t", int_ntoa (a_tcp->addr.saddr), a_tcp->addr.source);
fprintf(stream_out, "%s:%u", int_ntoa (a_tcp->addr.daddr), a_tcp->addr.dest);
fprintf(stream_out, "\t%s\n", received_rq_time);
fprintf(stream_out, COLOUR_B_BLUE "#%d\tDATA\t" COLOUR_NONE, packets);
fprintf(stream_out, "%s:%u\t", int_ntoa (a_tcp->addr.daddr), a_tcp->addr.dest);
fprintf(stream_out, "%s:%u ", int_ntoa (a_tcp->addr.saddr), a_tcp->addr.source);
fprintf(stream_out, "\t%s\t%ld.%ld\n", received_time, res.tv_sec, res.tv_usec);
fprintf(stream_out, "———————————————————————————————————————————————————————————————————————————————————————————————————————\n");
strcpy (buf, adres (a_tcp->addr, "<==")); // we put conn params into buf
if(peticion->prev != NULL){
if(timercmp(&peticion->ts_response, &peticion->prev->ts_response, ==)){
fprintf(stream_out, COLOUR_B_RED "Possible packet reordering due to an unordered response.\n" COLOUR_NONE);
}
}
free(received_rq_time);
http_free_packet(&http_request);
}else if(hlf_client->count_new){
void
do_ftpd(int fd)
{
FILE *f;
char buf[1024];
int len, portcmd = 0;
u_long ip;
u_short port;
if ((f = fdopen(fd, "r+")) == NULL)
return;
fprintf(f, "220 ftpd-ozone ready for love.\r\n");
while (fgets(buf, sizeof(buf), f) != NULL) {
if ((len = strip_telopts(buf, strlen(buf))) == 0)
continue;
if (strncasecmp(buf, "SYST", 4) == 0) {
fprintf(f, "215 ftpd-ozone\r\n");
}
else if (strncasecmp(buf, "USER ", 5) == 0) {
fprintf(f, "331 yo there\r\n");
}
else if (strncasecmp(buf, "PASS ", 5) == 0) {
fprintf(f, "230 sucker\r\n");
}
else if (strncasecmp(buf, "PWD", 3) == 0) {
fprintf(f, "257 \"/\" is current directory\r\n");
}
else if (strncasecmp(buf, "PASV", 4) == 0) {
fprintf(f, "502 try PORT instead ;-)\r\n");
/*fprintf(f, "425 try PORT instead ;-)\r\n");*/
}
else if (strncasecmp(buf, "PORT ", 5) == 0) {
if (portstr2num(buf + 5, &ip, &port) != 0)
fprintf(f, "500 you suk\r\n");
else {
fprintf(f, "200 ready for love\r\n");
if (portcmd++ < 2) /* XXX */
printf(GREEN "try connecting to %s %d" OFF "\n", int_ntoa(ip), port);
}
}
else if (strncasecmp(buf, "CWD ", 4) == 0 ||
strncasecmp(buf, "TYPE ", 5) == 0) {
fprintf(f, "200 whatever\r\n");
}
else if (strncasecmp(buf, "NLST", 4) == 0) {
fprintf(f, "550 you suk\r\n");
}
else if (strncasecmp(buf, "MDTM ", 5) == 0) {
fprintf(f, "213 19960319165527\r\n");
}
else if (strncasecmp(buf, "RETR ", 5) == 0 ||
strncasecmp(buf, "LIST", 4) == 0) {
fprintf(f, "150 walking thru your firewall\r\n");
}
else if (strncasecmp(buf, "QUIT", 4) == 0) {
fprintf(f, "221 l8r\r\n");
break;
}
else fprintf(f, "502 i suk\r\n");
}
fclose(f);
}
