/*
 * print_urls - print two ftp:// URLs that embed a PORT command argument.
 *
 * dst/dport are encoded by portnum2str() into tmp; win is the byte budget
 * the caller allows for the URL path, reduced by 4 + 2 + 2 bytes of fixed
 * text (see the XXX note) and then used as the count of 'a' padding bytes.
 * The local host name is resolved and rewritten as a dotted quad before
 * being placed in the URLs.
 *
 * Review notes:
 *  - malloc() is unchecked; a NULL return sends memset() through NULL.
 *  - win is never validated: a value below 8 goes negative, and
 *    malloc(win + 1) / memset(p, 'a', win) then receive a wrapped size.
 *  - strncpy() into host does not guarantee a terminator when the source
 *    fills the buffer; snprintf(host, sizeof host, "%s", ...) would.
 *  - gethostname() and resolve_host() results are not checked.
 *  - int_ntoa() presumably returns a shared static buffer (the result is
 *    copied into host before the function is called again) -- confirm.
 *  - The "%0a%0d" / "PORT%20" sequence in the printed URLs is a clear
 *    signature for proxy or IDS rules that look for this pattern.
 */
void print_urls(u_long dst, u_short dport, int win)
{
	char *p, host[128], tmp[128];
	u_long ip;

	gethostname(host, sizeof(host));
	ip = resolve_host(host);
	strncpy(host, int_ntoa(ip), sizeof(host));

	/* XXX - "MDTM /\r\n" for Netscape, "CWD /\r\n" for MSIE. i suk. */
	win -= (4 + 2 + 2);
	p = malloc(win + 1);
	memset(p, 'a', win);
	p[win] = '\0';

	portnum2str(tmp, sizeof(tmp), dst, dport);

	printf("Netscape / Lynx URL to send client at %s:\n"
	       "ftp://%s/%s%%0a%%0dPORT%%20%s\n",
	       int_ntoa(dst), host, p, tmp);

	printf("MSIE / Wget URL to send client at %s:\n"
	       "ftp://%s/a%s%%0a%%0dPORT%%20%s\n",
	       int_ntoa(dst), host, p, tmp);

	free(p);
}
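/*
 * nids_syslog - forward a libnids warning to syslog().
 *
 * type selects the family (NIDS_WARN_IP or NIDS_WARN_TCP), errnum indexes
 * nids_warnings[] for the message text, iph supplies the endpoint
 * addresses and, for TCP warnings other than NIDS_WARN_TCP_HDR, data
 * points at the TCP header whose ports are reported.  Unknown types are
 * logged as such.
 *
 * int_ntoa() is presumably backed by one shared buffer (the original copied
 * each result before calling it again) -- the copies are kept, now bounded
 * with snprintf() instead of strcpy().  The TCP header cast is done once.
 */
static void nids_syslog(int type, int errnum, struct ip *iph, void *data)
{
	char saddr[20], daddr[20];

	switch (type) {
	case NIDS_WARN_IP:
		if (errnum != NIDS_WARN_IP_HDR) {
			snprintf(saddr, sizeof saddr, "%s", int_ntoa(iph->ip_src.s_addr));
			snprintf(daddr, sizeof daddr, "%s", int_ntoa(iph->ip_dst.s_addr));
			syslog(nids_params.syslog_level,
			       "%s, packet (apparently) from %s to %s\n",
			       nids_warnings[errnum], saddr, daddr);
		} else {
			syslog(nids_params.syslog_level, "%s\n", nids_warnings[errnum]);
		}
		break;

	case NIDS_WARN_TCP: {
		const struct tcphdr *tcph = data;

		snprintf(saddr, sizeof saddr, "%s", int_ntoa(iph->ip_src.s_addr));
		snprintf(daddr, sizeof daddr, "%s", int_ntoa(iph->ip_dst.s_addr));
		if (errnum != NIDS_WARN_TCP_HDR) {
			/* data is only a TCP header when the warning is not about the header itself */
			syslog(nids_params.syslog_level,
			       "%s,from %s:%hu to %s:%hu\n",
			       nids_warnings[errnum], saddr, ntohs(tcph->th_sport),
			       daddr, ntohs(tcph->th_dport));
		} else {
			syslog(nids_params.syslog_level, "%s,from %s to %s\n",
			       nids_warnings[errnum], saddr, daddr);
		}
		break;
	}

	default:
		syslog(nids_params.syslog_level, "Unknown warning number ?\n");
		break;
	}
}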
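/*
 * adres - render a connection as "SADDR:SPORT DIRECTION DADDR:DPORT ".
 *
 * addr holds the connection's addresses and ports; direction is inserted
 * verbatim between the two endpoints (NULL is treated as "").  Returns a
 * function-static buffer that is overwritten on every call (not
 * reentrant).  int_ntoa() is called once per address and its text consumed
 * before the next call, since it presumably shares one static buffer as
 * the original's copy-then-call order implies -- confirm.
 *
 * Fix: every write is bounded by the remaining space; the original used
 * strcpy/sprintf/strcat, so a long direction string could overrun buf.
 */
char *adres(struct tuple4 addr, char *direction)
{
	static char buf[256] = {0};
	const char *dir = direction ? direction : "";
	int n;

	n = snprintf(buf, sizeof buf, "%s:%i %s", int_ntoa(addr.saddr), addr.source, dir);
	if (n < 0) {
		buf[0] = '\0';   /* formatting error: return an empty string */
		return buf;
	}
	if ((size_t)n >= sizeof buf) {
		return buf;      /* already truncated: nothing more fits */
	}
	snprintf(buf + n, sizeof buf - (size_t)n, "%s:%i ", int_ntoa(addr.daddr), addr.dest);
	return buf;
}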
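/*
 * adres - render a struct tuple4 (the TCP connection's addresses and
 * port numbers) as "SADDR,SPORT,DADDR,DPORT", e.g. "10.0.0.1,1024,10.0.0.2,23".
 *
 * Returns a function-static buffer that is overwritten on every call (not
 * reentrant).  int_ntoa() is called once per address and its text consumed
 * before the next call, since it presumably shares one static buffer as
 * the original's copy-then-call order implies -- confirm.
 *
 * Fix: both halves are written with snprintf() bounded by the remaining
 * space; the original used strcpy/sprintf/strcat with no bound.
 */
char *adres(struct tuple4 addr)
{
	static char buf[256];
	int n;

	n = snprintf(buf, sizeof buf, "%s,%i,", int_ntoa(addr.saddr), addr.source);
	if (n < 0) {
		buf[0] = '\0';   /* formatting error: return an empty string */
		return buf;
	}
	if ((size_t)n >= sizeof buf) {
		return buf;      /* already truncated: nothing more fits */
	}
	snprintf(buf + n, sizeof buf - (size_t)n, "%s,%i", int_ntoa(addr.daddr), addr.dest);
	return buf;
}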
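/*
 * streamClean - reset a stream's HTTP state and start a fresh JSON record.
 *
 * Re-initialises both http_parser instances, clears is_http and the
 * request/response byte counters, then replaces s->json with a new object
 * holding "src" and "dst" as "ADDR:PORT" strings.  The previous s->json is
 * not released here (unchanged from the original; ownership presumably
 * lies with the caller -- confirm).
 *
 * Fixes: the endpoint strings are built with snprintf() instead of
 * sprintf(), and json_object_new_object() is checked before use so an
 * allocation failure leaves s->json NULL instead of dereferencing it.
 */
void streamClean(struct stream *s)
{
	char buffer[1024];

	http_parser_init(&s->request_parser, HTTP_REQUEST);
	http_parser_init(&s->response_parser, HTTP_RESPONSE);
	s->is_http = 0;
	s->request_data_size = 0;
	s->response_data_size = 0;

	s->json = json_object_new_object();
	if (s->json == NULL) {
		return;
	}

	snprintf(buffer, sizeof buffer, "%s:%i", int_ntoa(s->addr.saddr), s->addr.source);
	json_object_object_add(s->json, "src", json_object_new_string(buffer));
	snprintf(buffer, sizeof buffer, "%s:%i", int_ntoa(s->addr.daddr), s->addr.dest);
	json_object_object_add(s->json, "dst", json_object_new_string(buffer));
}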
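/*
 * main - dump a ddos_log capture file as text, one line per record.
 *
 * Usage: prog logfilename.  The file starts with one text line (read into
 * log_header and otherwise ignored; meant to become a version header),
 * followed by records made of a struct ddos_log header and
 * header.payload_len bytes of lzfx-compressed payload.  Each record is
 * printed as "TIME SRC:PORT DST:PORT COUNTRY PAYLOAD".  Returns 0 after
 * the file is exhausted or could not be opened; exits 1 on bad usage.
 *
 * fp is the file-scope FILE * the original used; it is kept so any other
 * code that references it still works.
 *
 * Fixes relative to the original:
 *  - in_buffer and obuf were arrays of 16384 char * used as byte buffers;
 *    they are now plain byte arrays.
 *  - header.payload_len is read from the file and was passed straight to
 *    fread(), so a crafted or corrupt record could overrun in_buffer; it
 *    is now checked against the buffer size first.
 *  - fgets(), fread(), lzfx_decompress() and localtime() results are
 *    checked; obuf always keeps a terminating NUL before being printed
 *    with %s; the filename copy is bounded; the file is closed.
 */
int main(int argc, char *argv[])
{
	struct ddos_log header;
	char log_header[1024];
	char in_buffer[16384];
	char obuf[16384];
	unsigned int obuf_len;
	int rc;
	char timebuf[64];
	struct tm *tm_info;
	char source_ip[64];
	char dest_ip[64];
	char filename[256];

	if (argc < 2) {
		printf("Usage:\n%s logfilename\n\n", argv[0]);
		exit(1);
	}
	snprintf(filename, sizeof filename, "%s", argv[1]);

	fp = fopen(filename, "rb");
	if (fp == NULL) {
		printf("Didn't find a valid file\n\n");
		return 0;
	}

	/* this will eventually hold a version header */
	if (fgets(log_header, sizeof log_header, fp) == NULL) {
		fclose(fp);
		return 0;
	}

	for (;;) {
		if (fread(&header, sizeof header, 1, fp) != 1) {
			break;   /* EOF or short header: done */
		}
		/* payload_len is untrusted file content: bound it before reading */
		if ((size_t)header.payload_len > sizeof in_buffer) {
			fprintf(stderr, "record payload length %u exceeds buffer, stopping\n",
			        (unsigned)header.payload_len);
			break;
		}
		if (header.payload_len > 0 &&
		    fread(in_buffer, header.payload_len, 1, fp) != 1) {
			break;   /* truncated record */
		}

		memset(obuf, 0, sizeof obuf);
		obuf_len = sizeof obuf - 1;   /* leave room for the terminator */
		rc = lzfx_decompress(in_buffer, header.payload_len, obuf, &obuf_len);
		if (rc < 0) {
			fprintf(stderr, "lzfx_decompress failed (%d), skipping record\n", rc);
			continue;
		}
		obuf[obuf_len < sizeof obuf ? obuf_len : sizeof obuf - 1] = '\0';

		tm_info = localtime(&header.time);
		if (tm_info == NULL ||
		    strftime(timebuf, sizeof timebuf, "%Y-%m-%d %H:%M:%S", tm_info) == 0) {
			snprintf(timebuf, sizeof timebuf, "?");
		}
		/* int_ntoa() presumably reuses one buffer, hence the copies */
		snprintf(source_ip, sizeof source_ip, "%s", int_ntoa(header.source_ip));
		snprintf(dest_ip, sizeof dest_ip, "%s", int_ntoa(header.dest_ip));

		printf("%s %s:%d %s:%d %s %s", timebuf, source_ip, header.source_port,
		       dest_ip, header.dest_port, header.country, obuf);
	}

	fclose(fp);
	return 0;
}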
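/*
 * my_nids_packetloss - libnids packet-loss hook: account for lost bytes.
 *
 * Ignores packets whose len is not positive.  When g_Verbose is set, the
 * endpoints from iph/tcph plus the lost segment's length and sequence
 * number are written to stderr.  In every other case g_NumPacketLoss is
 * incremented and packet->len is added to g_BytesLoss.
 *
 * Changes: the address strings are built only when they are printed, the
 * copies are bounded (int_ntoa() presumably reuses one static buffer,
 * which is why the first result is copied before the second call --
 * confirm), and the redundant trailing return is gone.
 */
static void my_nids_packetloss(struct ip *iph, struct tcphdr *tcph, struct skbuff *packet)
{
	if (packet->len <= 0) {
		return;
	}

	if (g_Verbose) {
		char saddr[20], daddr[20];

		snprintf(saddr, sizeof saddr, "%s", int_ntoa(iph->ip_src.s_addr));
		snprintf(daddr, sizeof daddr, "%s", int_ntoa(iph->ip_dst.s_addr));
		fprintf(stderr, "packet loss! from %s:%hu to %s:%hu, len: %d, seq: %u\n",
		        saddr, ntohs(tcph->th_sport), daddr, ntohs(tcph->th_dport),
		        packet->len, packet->seq);
	}

	g_NumPacketLoss++;
	g_BytesLoss += packet->len;
}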
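/*
 * session_log - write one access-log line for the session into log_buff
 * and hand it to status_logpush().
 *
 * The line is:
 *   CLIENT SERVER:PORT HOST - [START] "METHOD PATH HTTP/MAJ.MIN" STATUS BYTES "REFERER" "UA"
 * with referer and user agent rendered as "" when absent.  log_buff and
 * LOG_BUF_SIZE are file-scope and not visible here; log_buff is used as a
 * char array, which is what the original's snprintf() call implies.
 *
 * Fixes: the original passed `&timestr` and `&log_buff` (pointer-to-array)
 * where a char * is expected, and used an unchecked strdup() to keep the
 * client address alive across the second int_ntoa() call.  The address is
 * now copied into a bounded stack buffer, so there is no allocation to
 * check or free.  localtime()/strftime() failures yield an empty time
 * field instead of uninitialised bytes.
 */
void session_log(struct session *s)
{
	char timestr[80];
	char clientip[32];
	struct tm *newtime;

	/* int_ntoa() presumably returns one shared buffer (the original copied
	 * it before calling it again for daddr), so snapshot the client first. */
	snprintf(clientip, sizeof clientip, "%s", int_ntoa(s->tcp->addr.saddr));

	newtime = localtime(&s->start_time);
	if (newtime == NULL ||
	    strftime(timestr, sizeof timestr, "%d/%b/%Y:%H:%M:%S %z", newtime) == 0) {
		timestr[0] = '\0';
	}

	snprintf(log_buff, LOG_BUF_SIZE,
	         "%s %s:%d %s - [%s] \"%s %s HTTP/%d.%d\" %d %d \"%s\" \"%s\"",
	         clientip,
	         int_ntoa(s->tcp->addr.daddr),
	         s->tcp->addr.dest,
	         s->host,
	         timestr,
	         http_method_str(s->method),
	         s->path,
	         s->http_major,
	         s->http_minor,
	         s->status_code,
	         s->tcp->client.count,
	         s->referer ? s->referer : "",
	         s->ua ? s->ua : "");

	status_logpush(log_buff, strnlen(log_buff, LOG_BUF_SIZE));
}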
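/*
 * nids_buf_advance - advance a write offset by an snprintf() result.
 *
 * Returns the new offset, clamped to cap - 1 when the output was truncated
 * and unchanged when the call failed, so `buf + len` / `cap - len` stay
 * valid for the next bounded write.
 */
static size_t nids_buf_advance(size_t len, int written, size_t cap)
{
	if (written < 0) {
		return len;
	}
	if ((size_t)written >= cap - len) {
		return cap - 1;
	}
	return len + (size_t)written;
}

/*
 * nids_syslog - default libnids warning sink: format a warning for syslog().
 *
 * type selects the family: NIDS_WARN_IP and NIDS_WARN_TCP report the
 * endpoints taken from iph (and, for TCP warnings other than
 * NIDS_WARN_TCP_HDR, the ports from the TCP header that data points at);
 * NIDS_WARN_SCAN treats data as a struct host and lists every probed
 * "ADDR:PORT," followed by a scan-type label derived from the AND/OR of the
 * probes' flags (identical flags → SYN/NULL/FIN or the raw value,
 * otherwise "various flags").  errnum indexes nids_warnings[].
 *
 * Fixes: all writes into saddr/daddr/buf are bounded.  The scan branch
 * previously appended one entry per probe with strcat/sprintf into a
 * fixed 1024-byte buf, so a host with enough recorded probes could overrun
 * it; appends now stop at the end of buf.  int_ntoa() presumably returns
 * one shared buffer (the original copied each result before the next
 * call) -- confirm.
 */
static void nids_syslog(int type, int errnum, struct ip *iph, void *data)
{
	char saddr[20], daddr[20];
	char buf[1024];
	struct host *this_host;
	unsigned char flagsand = 255, flagsor = 0;
	size_t len;
	int i;

	switch (type) {
	case NIDS_WARN_IP:
		if (errnum != NIDS_WARN_IP_HDR) {
			snprintf(saddr, sizeof saddr, "%s", int_ntoa(iph->ip_src.s_addr));
			snprintf(daddr, sizeof daddr, "%s", int_ntoa(iph->ip_dst.s_addr));
			syslog(nids_params.syslog_level,
			       "%s, packet (apparently) from %s to %s\n",
			       nids_warnings[errnum], saddr, daddr);
		} else {
			syslog(nids_params.syslog_level, "%s\n", nids_warnings[errnum]);
		}
		break;

	case NIDS_WARN_TCP: {
		const struct tcphdr *tcph = data;

		snprintf(saddr, sizeof saddr, "%s", int_ntoa(iph->ip_src.s_addr));
		snprintf(daddr, sizeof daddr, "%s", int_ntoa(iph->ip_dst.s_addr));
		if (errnum != NIDS_WARN_TCP_HDR) {
			syslog(nids_params.syslog_level,
			       "%s,from %s:%hu to %s:%hu\n",
			       nids_warnings[errnum], saddr, ntohs(tcph->th_sport),
			       daddr, ntohs(tcph->th_dport));
		} else {
			syslog(nids_params.syslog_level, "%s,from %s to %s\n",
			       nids_warnings[errnum], saddr, daddr);
		}
		break;
	}

	case NIDS_WARN_SCAN:
		this_host = (struct host *)data;
		len = nids_buf_advance(0,
		                       snprintf(buf, sizeof buf, "Scan from %s. Scanned ports: ",
		                                int_ntoa(this_host->addr)),
		                       sizeof buf);
		for (i = 0; i < this_host->n_packets; i++) {
			/* one "ADDR:PORT," per probe; silently stops growing once buf is full */
			len = nids_buf_advance(len,
			                       snprintf(buf + len, sizeof buf - len, "%s:%hu,",
			                                int_ntoa(this_host->packets[i].addr),
			                                this_host->packets[i].port),
			                       sizeof buf);
			flagsand &= this_host->packets[i].flags;
			flagsor |= this_host->packets[i].flags;
		}
		if (flagsand == flagsor) {
			/* every probe carried the same flags: name the scan type */
			switch (flagsand) {
			case 2:
				snprintf(buf + len, sizeof buf - len, "scan type: SYN");
				break;
			case 0:
				snprintf(buf + len, sizeof buf - len, "scan type: NULL");
				break;
			case 1:
				snprintf(buf + len, sizeof buf - len, "scan type: FIN");
				break;
			default:
				snprintf(buf + len, sizeof buf - len, "flags=0x%x", (unsigned)flagsand);
				break;
			}
		} else {
			snprintf(buf + len, sizeof buf - len, "various flags");
		}
		syslog(nids_params.syslog_level, "%s", buf);
		break;

	default:
		syslog(nids_params.syslog_level, "Unknown warning number ?\n");
		break;
	}
}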
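/*
 * session_report_referer_host - copy the host part of a referer URL.
 *
 * Returns a malloc'd copy of the text between the first "//" and the next
 * "/" (or the end of the string), or NULL when there is no "//" or the
 * allocation fails.  The caller owns and frees the result.  referer itself
 * is never modified.
 */
static char *session_report_referer_host(const char *referer)
{
	const char *host = strstr(referer, "//");
	size_t len;
	char *copy;

	if (host == NULL) {
		return NULL;
	}
	host += 2;
	len = strcspn(host, "/");
	copy = malloc(len + 1);
	if (copy == NULL) {
		return NULL;
	}
	memcpy(copy, host, len);
	copy[len] = '\0';
	return copy;
}

/*
 * session_report - emit one msgpack "http-scope" record for a completed
 * request/response, then log, clean and restart the session.
 *
 * Does nothing unless s->need_report is set, and clears it first so a
 * second call is a no-op.  The record is a msgpack map: the header is
 * written as map16 (0xde) with a provisional count of 20 and patched
 * afterwards from rp.count (bytes 1 and 2, big-endian), because the number
 * of pairs depends on the optional referer, property and body fields.
 * Values come from the session, config.node and the tcp stream counters;
 * the timing fields are converted from microseconds to seconds.  type is
 * passed to close_status() for the "status" value.
 *
 * Fixes relative to the original:
 *  - "host" was added twice, producing a duplicate map key; it is added once.
 *  - the referer host was found by writing a NUL into s->referer, which
 *    truncated the referer that session_log() prints right afterwards; the
 *    host is now copied into its own buffer (see session_report_referer_host).
 *  - the routing-key allocation is checked before use; the unused
 *    size_pushed counter and the bzero() made redundant by snprintf() are gone.
 */
void session_report(struct session *s, char type)
{
	struct msg_report rp;
	struct kv *p;
	char *referer_host = NULL;

	if (s->need_report == 0) {
		return;
	}
	s->need_report = 0;

	rp.buffer = msgpack_sbuffer_new();
	rp.pk = msgpack_packer_new(rp.buffer, msgpack_sbuffer_write);
	rp.count = 0;

	/* 15 < keys < 65535: map16 header, real count patched in below
	 * https://github.com/msgpack/msgpack/blob/master/spec.md#formats-map
	 * +--------+--------+--------+~~~~~~~~~~~~~~~~~+
	 * |  0xde  |YYYYYYYY|YYYYYYYY|   N*2 objects   |
	 * +--------+--------+--------+~~~~~~~~~~~~~~~~~+ */
	msgpack_pack_map(rp.pk, 20);

	report_add_pair(&rp, "@class", "http-scope");
	report_add_pair_int(&rp, "@time", s->start_time);
	report_add_pair(&rp, "method", http_method_str(s->method));
	report_add_pair(&rp, "host", s->host);
	report_add_pair(&rp, "path", s->path);
	report_add_pair(&rp, "node", config.node);
	report_add_pair_int(&rp, "code", s->status_code);
	report_add_pair(&rp, "server", int_ntoa(s->tcp->addr.daddr));
	report_add_pair_int(&rp, "server-port", s->tcp->addr.dest);
	report_add_pair(&rp, "client", int_ntoa(s->tcp->addr.saddr));
	report_add_pair(&rp, "status", close_status(type));
	report_add_pair_int(&rp, "req-bytes", s->tcp->server.count);
	report_add_pair_int(&rp, "rep-bytes", s->tcp->client.count);
	report_add_pair_float(&rp, "net-req-time", s->req_time / 1000000.0);
	report_add_pair_float(&rp, "server-time", s->server_time / 1000000.0);
	report_add_pair_float(&rp, "net-rep-time", s->rep_time / 1000000.0);

	if (s->referer) {
		report_add_pair(&rp, "referer", s->referer);
		referer_host = session_report_referer_host(s->referer);
		if (referer_host) {
			report_add_pair(&rp, "referer-host", referer_host);
		}
	}

	for (p = s->proplist; p; p = p->next) {
		urldecode(p->value);   /* decodes in place, as before */
		report_add_pair(&rp, kv_type_string(p->type, p->key), p->value);
	}

	if (s->is_catch_response_body && s->response_body_size < 65535) {
		struct body_buf *b;

		report_add_pair_int(&rp, "body-captured-size", s->response_body_size);
		report_add_key(&rp, "body-captured");
		msgpack_pack_raw(rp.pk, s->response_body_size);
		for (b = s->response_body_first; b; b = b->next) {
			msgpack_pack_raw_body(rp.pk, b->data, b->size);
		}
	}

	/* Patch the actual pair count into the map16 header written above. */
	{
		unsigned char *hdr = (unsigned char *)rp.buffer->data;

		hdr[1] = (unsigned char)(rp.count >> 8);
		hdr[2] = (unsigned char)(rp.count & 0xff);
	}

	rp.routing_key = malloc(ROUTING_KEY_BUF_SIZE);
	if (rp.routing_key) {
		snprintf(rp.routing_key, ROUTING_KEY_BUF_SIZE, "http-scope.%s.%dxx.%d",
		         s->host, s->status_code / 100, s->status_code);
		send_report(&rp);
		free(rp.routing_key);
	} else {
		/* best effort: without a routing key the record cannot be sent */
		fprintf(stderr, "session_report: out of memory, report dropped\n");
	}

	free(referer_host);
	msgpack_sbuffer_free(rp.buffer);
	msgpack_packer_free(rp.pk);

	session_log(s);
	session_clean(s);
	session_start(s);
}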
void tcp_callback (struct tcp_stream *a_tcp, void ** this_time_not_needed) { g_mutex_lock (table_mutex); char buf[1024] = {0}; char *received_time = NULL; struct half_stream *hlf_server=NULL, *hlf_client=NULL; packets++; received_time = timeval_to_char(nids_last_pcap_header->ts); hlf_server = &a_tcp->server; hlf_client = &a_tcp->client; // if(a_tcp->nids_state == NIDS_EXITING) { // fprintf(stream_out, COLOUR_RED "\nNIDS is closing!\n" COLOUR_NONE); // }else if(a_tcp->nids_state == NIDS_JUST_EST) { // connexion described by a_tcp is established // here we decide, if we wish to follow this stream // sample condition: if (a_tcp->addr.dest!=23) return; // in this simple app we follow each stream, so.. a_tcp->client.collect++; // we want data received by a client a_tcp->server.collect++; // and by a server, too fprintf(stream_out, COLOUR_B_GREEN "#%d\tSYN\t" COLOUR_NONE, packets); fprintf(stream_out, "%s", adres(a_tcp->addr, "\t")); fprintf(stream_out, "\t%s\n", received_time); }else if(a_tcp->nids_state == NIDS_RESET) { fprintf(stream_out, COLOUR_B_YELLOW "#%d\tRST\t" COLOUR_NONE, packets); fprintf(stream_out, "%s", adres(a_tcp->addr, "\t")); fprintf(stream_out, "\t%s\n", received_time); }else if(a_tcp->nids_state == NIDS_CLOSE || a_tcp->nids_state == NIDS_EXITING) { fprintf(stream_out, COLOUR_B_RED "#%d\tFIN\t" COLOUR_NONE, packets); fprintf(stream_out, "%s\n", adres(a_tcp->addr, "\t")); char *clave_hash = hash_key(a_tcp); g_hash_table_remove(table, clave_hash); if(clave_hash != NULL){ free(clave_hash); } a_tcp->client.collect--; a_tcp->server.collect--; //LLEGA PAQUETE TCP CON PAYLOAD }else if(a_tcp->nids_state == NIDS_DATA) { /*** PACKETES TCP CON PAYLOAD * * |¯¯¯¯\ /¯¯¯¯¯| |¯¯¯¯¯| /¯¯¯¯¯| * | x \ / ! | | | / ! 
| * |_____/ /__/¯|__' ¯|_|¯ /__/¯|__| */ http_packet http = NULL; if(hlf_client->count_new){ //RESPONSE // fprintf(stderr, COLOUR_B_YELLOW "\n|%s - (%u, %u, %u, %d)|\n" COLOUR_NONE, received_time, hlf_client->seq, hlf_client->ack_seq, hlf_client->curr_ts, hlf_client->count_new); // fprintf(stderr, "|"); // write(2, hlf_client->data, 130); // fprintf(stderr, "|\n" ); http_parse_packet(hlf_client->data, hlf_client->count_new, &http); }else if(hlf_server->count_new){ //PETICION // fprintf(stderr, COLOUR_B_GREEN "\n|%s - (%u, %u, %u, %d)|\n" COLOUR_NONE, received_time, hlf_server->seq, hlf_server->ack_seq, hlf_server->curr_ts, hlf_server->count_new); // fprintf(stderr, "|"); // write(2, hlf_server->data, 130); // fprintf(stderr, "|\n" ); http_parse_packet(hlf_server->data, hlf_server->count_new, &http); } //RESPUESTA Y QUE COINCIDA QUE ES PRIMER PAQUETE DE RESPUESTA if(hlf_client->count_new && http_get_op(http) == RESPONSE){ //RESPONSE char *hashkey = hash_key(a_tcp); hash_value *hashvalue = NULL; gpointer gkey = NULL, gval = NULL; intercambio *peticion = NULL; g_hash_table_lookup_extended(table, hashkey, &gkey, &gval); hashvalue = (hash_value *) gval; //Si hay una entrada en la tabla hash if(hashvalue != NULL){ //peticion = hashvalue->last; hashvalue->n_respuestas++; //Obtener el par peticion/respuesta correspondiente peticion = get_n_intercambio(hashvalue->array, hashvalue->n_respuestas, hashvalue->n_peticiones); if(peticion==NULL){ fprintf(stream_out, COLOUR_B_RED "ERROR OBTAINING REQUEST!! 
\t%d\t" COLOUR_NONE, packets); fprintf(stream_out, "%s:%u\t", int_ntoa (a_tcp->addr.daddr), a_tcp->addr.dest); fprintf(stream_out, "%s:%u ", int_ntoa (a_tcp->addr.saddr), a_tcp->addr.source); fprintf(stream_out, "\t%s\n", received_time); free(hashkey); free(received_time); g_mutex_unlock (table_mutex); return; } //Copiar timestamp peticion->ts_response = nids_last_pcap_header->ts; peticion->ts_last_response = nids_last_pcap_header->ts; peticion->chunks += 1; //copiar los datos de la respuesta a la estructura // =================================== //DESCARTADOS PARA AHORRAR MEMORIA peticion->response = (char *) realloc(peticion->response, hlf_client->count_new); strncpy(peticion->response, hlf_client->data, hlf_client->count_new); //FIN DESCARTADOS PARA AHORRAR MEMORIA // =================================== peticion->n_response_pkt = packets; peticion->response_bytes = hlf_client->count_new; }else{ //NO HAY ENTRADA EN LA TABLA HASH fprintf(stream_out, COLOUR_B_RED "RESPONSE WITHOUT REQUEST!! 
\t%d\t" COLOUR_NONE, packets); fprintf(stream_out, "%s:%u\t", int_ntoa (a_tcp->addr.daddr), a_tcp->addr.dest); fprintf(stream_out, "%s:%u ", int_ntoa (a_tcp->addr.saddr), a_tcp->addr.source); fprintf(stream_out, "\t%s\n", received_time); free(hashkey); free(received_time); g_mutex_unlock (table_mutex); return; } g_hash_table_steal(table, hashkey); g_hash_table_insert(table, gkey, hashvalue); free(hashkey); //Datos de la peticion http_packet http_request = NULL; http_parse_packet(peticion->request, peticion->request_bytes, &http_request); //Preparacion para imprimir los datos y tiempos junto con el RTT struct timeval time_last = peticion->ts_request; struct timeval res; timersub(&nids_last_pcap_header->ts, &time_last, &res); char *received_rq_time = timeval_to_char(time_last); fprintf(stream_out, "———————————————————————————————————————————————————————————————————————————————————————————————————————\n"); fprintf(stream_out, COLOUR_B_BLUE "#%d\t%s\t" COLOUR_NONE, peticion->n_request_pkt, http_get_method(http_request)); fprintf(stream_out, "%s:%u\t", int_ntoa (a_tcp->addr.saddr), a_tcp->addr.source); fprintf(stream_out, "%s:%u", int_ntoa (a_tcp->addr.daddr), a_tcp->addr.dest); fprintf(stream_out, "\t%s\n", received_rq_time); fprintf(stream_out, COLOUR_B_BLUE "#%d\tDATA\t" COLOUR_NONE, packets); fprintf(stream_out, "%s:%u\t", int_ntoa (a_tcp->addr.daddr), a_tcp->addr.dest); fprintf(stream_out, "%s:%u ", int_ntoa (a_tcp->addr.saddr), a_tcp->addr.source); fprintf(stream_out, "\t%s\t%ld.%ld\n", received_time, res.tv_sec, res.tv_usec); fprintf(stream_out, "———————————————————————————————————————————————————————————————————————————————————————————————————————\n"); strcpy (buf, adres (a_tcp->addr, "<==")); // we put conn params into buf if(peticion->prev != NULL){ if(timercmp(&peticion->ts_response, &peticion->prev->ts_response, ==)){ fprintf(stream_out, COLOUR_B_RED "Possible packet reordering due to an unordered response.\n" COLOUR_NONE); } } free(received_rq_time); 
http_free_packet(&http_request); }else if(hlf_client->count_new){
/*
 * do_ftpd - serve one client on an already-accepted socket fd with a
 * minimal, non-compliant FTP command loop, then close the stream.
 *
 * The socket is wrapped in a "r+" stdio stream.  Each line goes through
 * strip_telopts() (not visible here; lines it reduces to length 0 are
 * skipped) and is matched case-insensitively on its command prefix.  Every
 * command gets a fixed reply: SYST/USER/PASS/PWD/CWD/TYPE/MDTM succeed with
 * canned text, PASV is refused (502), NLST is refused (550), RETR/LIST get
 * only a 150 intermediate reply, QUIT answers 221 and ends the loop, and
 * anything else gets 502.  A PORT argument is parsed by portstr2num(); a
 * valid one is acknowledged and, for the first two PORT commands only
 * (portcmd), its address and port are printed to stdout.
 *
 * Review notes:
 *  - portstr2num() is the only place client data is interpreted, and the
 *    address it yields is never compared with the peer's; that missing
 *    check is exactly what FTP-aware firewalls and ALGs enforce.
 *  - The fixed banner and reply strings ("220 ftpd-ozone ready for love.",
 *    "502 i suk", ...) are a usable detection signature for this server.
 *  - fdopen() failure is handled, but fclose()'s result is ignored; on a
 *    "r+" stream the final reply may be lost silently.
 *  - len is assigned but only ever compared with 0.
 */
void do_ftpd(int fd)
{
	FILE *f;
	char buf[1024];
	int len, portcmd = 0;
	u_long ip;
	u_short port;

	if ((f = fdopen(fd, "r+")) == NULL)
		return;

	fprintf(f, "220 ftpd-ozone ready for love.\r\n");

	while (fgets(buf, sizeof(buf), f) != NULL) {
		/* drop telnet option bytes; an empty result means nothing to parse */
		if ((len = strip_telopts(buf, strlen(buf))) == 0)
			continue;

		if (strncasecmp(buf, "SYST", 4) == 0) {
			fprintf(f, "215 ftpd-ozone\r\n");
		} else if (strncasecmp(buf, "USER ", 5) == 0) {
			fprintf(f, "331 yo there\r\n");
		} else if (strncasecmp(buf, "PASS ", 5) == 0) {
			fprintf(f, "230 sucker\r\n");
		} else if (strncasecmp(buf, "PWD", 3) == 0) {
			fprintf(f, "257 \"/\" is current directory\r\n");
		} else if (strncasecmp(buf, "PASV", 4) == 0) {
			fprintf(f, "502 try PORT instead ;-)\r\n");
			/*fprintf(f, "425 try PORT instead ;-)\r\n");*/
		} else if (strncasecmp(buf, "PORT ", 5) == 0) {
			/* only client-supplied field that is parsed; see review notes */
			if (portstr2num(buf + 5, &ip, &port) != 0)
				fprintf(f, "500 you suk\r\n");
			else {
				fprintf(f, "200 ready for love\r\n");
				if (portcmd++ < 2) /* XXX */
					printf(GREEN "try connecting to %s %d" OFF "\n",
					       int_ntoa(ip), port);
			}
		} else if (strncasecmp(buf, "CWD ", 4) == 0 ||
			   strncasecmp(buf, "TYPE ", 5) == 0) {
			fprintf(f, "200 whatever\r\n");
		} else if (strncasecmp(buf, "NLST", 4) == 0) {
			fprintf(f, "550 you suk\r\n");
		} else if (strncasecmp(buf, "MDTM ", 5) == 0) {
			fprintf(f, "213 19960319165527\r\n");
		} else if (strncasecmp(buf, "RETR ", 5) == 0 ||
			   strncasecmp(buf, "LIST", 4) == 0) {
			fprintf(f, "150 walking thru your firewall\r\n");
		} else if (strncasecmp(buf, "QUIT", 4) == 0) {
			fprintf(f, "221 l8r\r\n");
			break;
		} else
			fprintf(f, "502 i suk\r\n");
	}
	fclose(f);
}