Ejemplo n.º 1
/*
 * Icecast detector for TCP flows.
 *
 * Client side: a payload of 7..499 bytes starting with "SOURCE " (or any
 * packet on a flow already parked in icecast_stage) is split into unix-style
 * lines and matches as soon as one line starts with "ice-".
 * Server side: a packet travelling against the setup direction matches when
 * its Server line starts with "Icecast".
 * When nothing matches and no further packet is awaited, Icecast is added to
 * the flow's excluded-protocol bitmask.
 *
 * Every byte comparison reads packet data, so each one sits behind a length
 * test on the same field.
 */
void ipoque_search_icecast_tcp(struct ipoque_detection_module_struct
							   *ipoque_struct)
{
	struct ipoque_packet_struct *packet = &ipoque_struct->packet;
	struct ipoque_flow_struct *flow = ipoque_struct->flow;
	u8 i;
	int source_request;

	IPQ_LOG(IPOQUE_PROTOCOL_ICECAST, ipoque_struct, IPQ_LOG_DEBUG, "search icecast.\n");

	/* length window first, so the 7-byte compare never reads past the payload */
	source_request = packet->payload_packet_len < 500
		&& packet->payload_packet_len >= 7
		&& ipq_mem_cmp(packet->payload, "SOURCE ", 7) == 0;

	if (source_request || flow->l4.tcp.icecast_stage) {
		ipq_parse_packet_line_info_unix(ipoque_struct);
		IPQ_LOG(IPOQUE_PROTOCOL_ICECAST, ipoque_struct, IPQ_LOG_DEBUG, "Icecast lines=%d\n", packet->parsed_unix_lines);

		for (i = 0; i < packet->parsed_unix_lines; i++) {
			/* skip lines that are absent or too short to hold "ice-" plus one byte */
			if (packet->unix_line[i].ptr == NULL || packet->unix_line[i].len <= 4) {
				continue;
			}
			if (ipq_mem_cmp(packet->unix_line[i].ptr, "ice-", 4) != 0) {
				continue;
			}
			IPQ_LOG(IPOQUE_PROTOCOL_ICECAST, ipoque_struct, IPQ_LOG_DEBUG, "Icecast detected.\n");
			ipoque_int_icecast_add_connection(ipoque_struct);
			return;
		}

		/* no complete line yet: remember the candidate and look at the next packet */
		if (packet->parsed_unix_lines < 1 && !flow->l4.tcp.icecast_stage) {
			flow->l4.tcp.icecast_stage = 1;
			return;
		}
	}
#ifdef IPOQUE_PROTOCOL_HTTP
	/* once HTTP is ruled out for the flow, the Server-line test below is skipped */
	if (IPQ_FLOW_PROTOCOL_EXCLUDED(ipoque_struct, flow, IPOQUE_PROTOCOL_HTTP)) {
		goto icecast_exclude;
	}
#endif

	if (packet->packet_direction == flow->setup_packet_direction) {
		/* same direction as the setup packet: keep waiting during the first packets */
		if (flow->packet_counter < 10) {
			return;
		}
	} else {
		/* server answer, now test Server for Icecast */
		ipq_parse_packet_line_info(ipoque_struct);

		if (packet->server_line.ptr != NULL
			&& packet->server_line.len > IPQ_STATICSTRING_LEN("Icecast")
			&& memcmp(packet->server_line.ptr, "Icecast", IPQ_STATICSTRING_LEN("Icecast")) == 0) {
			IPQ_LOG(IPOQUE_PROTOCOL_ICECAST, ipoque_struct, IPQ_LOG_DEBUG, "Icecast detected.\n");
			/* TODO maybe store the previous protocol type as subtype?
			 *      e.g. ogg or mpeg
			 */
			ipoque_int_icecast_add_connection(ipoque_struct);
			return;
		}
	}

  icecast_exclude:
	IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_ICECAST);
	IPQ_LOG(IPOQUE_PROTOCOL_ICECAST, ipoque_struct, IPQ_LOG_DEBUG, "Icecast excluded.\n");
}
Ejemplo n.º 2
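/*
 * Thunder detector for TCP payloads.
 *
 * Signature 1 (binary): more than 8 payload bytes, byte 0 in 0x30..0x3f and
 * bytes 1..3 zero.  Each such packet advances flow->thunder_stage; the packet
 * seen while the stage is already 3 marks the flow as Thunder.
 *
 * Signature 2 (HTTP tunnel): only while thunder_stage is 0, a
 * "POST / HTTP/1.1\r\n" request with Content-Type exactly
 * "application/octet-stream" whose body carries the same 4-byte pattern.
 *
 * Anything else adds Thunder to the flow's excluded-protocol bitmask.
 */
static inline void ipoque_int_search_thunder_tcp(struct ipoque_detection_module_struct
												 *ipoque_struct)
{
	struct ipoque_packet_struct *packet = &ipoque_struct->packet;
	struct ipoque_flow_struct *flow = ipoque_struct->flow;

	if (packet->payload_packet_len > 8 && packet->payload[0] >= 0x30
		&& packet->payload[0] < 0x40 && packet->payload[1] == 0 && packet->payload[2] == 0 && packet->payload[3] == 0) {
		if (flow->thunder_stage == 3) {
			IPQ_LOG(IPOQUE_PROTOCOL_THUNDER, ipoque_struct, IPQ_LOG_DEBUG, "THUNDER tcp detected\n");
			ipoque_int_thunder_add_connection(ipoque_struct);
			return;
		}

		flow->thunder_stage++;
		IPQ_LOG(IPOQUE_PROTOCOL_THUNDER, ipoque_struct, IPQ_LOG_DEBUG,
				"maybe thunder tcp packet detected, stage increased to %u\n", flow->thunder_stage);
		return;
	}

	if (flow->thunder_stage == 0 && packet->payload_packet_len > 17
		&& ipq_mem_cmp(packet->payload, "POST / HTTP/1.1\r\n", 17) == 0) {
		ipq_parse_packet_line_info(ipoque_struct);

		IPQ_LOG(IPOQUE_PROTOCOL_THUNDER, ipoque_struct, IPQ_LOG_DEBUG,
				"maybe thunder http POST packet detected, parsed packet lines: %u, empty line set %u (at: %u)\n",
				packet->parsed_lines, packet->empty_line_position_set, packet->empty_line_position);

		/*
		 * The body bytes are read at empty_line_position + 2 .. + 5, so the
		 * bound has to be applied to the position itself.  The earlier form
		 * compared empty_line_position_set (used as a flag here) against the
		 * length, which left the four payload reads without a real upper
		 * bound on a packet that ends right after the header block.
		 * payload_packet_len is > 17 in this branch, so "len - 8" cannot wrap.
		 * NOTE(review): the "+ 2" presumably skips the CRLF of the empty
		 * line -- confirm against ipq_parse_packet_line_info.
		 */
		if (packet->empty_line_position_set != 0 &&
			packet->content_line.ptr != NULL &&
			packet->content_line.len == 24 &&
			ipq_mem_cmp(packet->content_line.ptr, "application/octet-stream", 24) == 0 &&
			packet->empty_line_position < (packet->payload_packet_len - 8)
			&& packet->payload[packet->empty_line_position + 2] >= 0x30
			&& packet->payload[packet->empty_line_position + 2] < 0x40
			&& packet->payload[packet->empty_line_position + 3] == 0x00
			&& packet->payload[packet->empty_line_position + 4] == 0x00
			&& packet->payload[packet->empty_line_position + 5] == 0x00) {
			IPQ_LOG(IPOQUE_PROTOCOL_THUNDER, ipoque_struct, IPQ_LOG_DEBUG,
					"maybe thunder http POST packet application does match\n");
			ipoque_int_thunder_add_connection(ipoque_struct);
			return;
		}
	}
	IPQ_LOG(IPOQUE_PROTOCOL_THUNDER, ipoque_struct, IPQ_LOG_DEBUG,
			"excluding thunder tcp at stage %u\n", flow->thunder_stage);

	IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_THUNDER);
}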
Ejemplo n.º 3
/*
 * Thunder detector for HTTP downloads.
 *
 * If the packet is already classified as Thunder, only the per-host
 * timestamp (src first, otherwise dst) is refreshed, and only while the
 * previous timestamp is younger than thunder_timeout.
 *
 * Otherwise a "GET /" request from or to a host that already has Thunder
 * recorded is matched against a fixed header layout: 8..10 parsed lines,
 * lines 1..5 starting with the expected header text, and a User-Agent
 * starting with the fixed MSIE 6.0 string.  Each header compare is preceded
 * by a length test of the same line.  Nothing is excluded on a miss.
 */
static inline void ipoque_int_search_thunder_http(struct ipoque_detection_module_struct
												  *ipoque_struct)
{
	struct ipoque_packet_struct *packet = &ipoque_struct->packet;
	struct ipoque_id_struct *src = ipoque_struct->src;
	struct ipoque_id_struct *dst = ipoque_struct->dst;

	if (packet->detected_protocol == IPOQUE_PROTOCOL_THUNDER) {
		/* the cast makes the tick difference wrap at the counter width */
		if (src != NULL && ((IPOQUE_TIMESTAMP_COUNTER_SIZE)
							(packet->tick_timestamp - src->thunder_ts) < ipoque_struct->thunder_timeout)) {
			IPQ_LOG(IPOQUE_PROTOCOL_THUNDER, ipoque_struct, IPQ_LOG_DEBUG,
					"thunder : save src connection packet detected\n");
			src->thunder_ts = packet->tick_timestamp;
		} else if (dst != NULL && ((IPOQUE_TIMESTAMP_COUNTER_SIZE)
								   (packet->tick_timestamp - dst->thunder_ts) < ipoque_struct->thunder_timeout)) {
			IPQ_LOG(IPOQUE_PROTOCOL_THUNDER, ipoque_struct, IPQ_LOG_DEBUG,
					"thunder : save dst connection packet detected\n");
			dst->thunder_ts = packet->tick_timestamp;
		}
		return;
	}

	/* only GET requests involving a host with Thunder already recorded are inspected */
	if (!(packet->payload_packet_len > 5
		  && memcmp(packet->payload, "GET /", 5) == 0 && IPQ_SRC_OR_DST_HAS_PROTOCOL(src, dst, IPOQUE_PROTOCOL_THUNDER))) {
		return;
	}

	IPQ_LOG(IPOQUE_PROTOCOL_THUNDER, ipoque_struct, IPQ_LOG_DEBUG, "HTTP packet detected.\n");
	ipq_parse_packet_line_info(ipoque_struct);

	/* the line count bounds the line[1]..line[5] accesses below */
	if (packet->parsed_lines <= 7 || packet->parsed_lines >= 11) {
		return;
	}
	if (packet->line[1].len <= 10 || ipq_mem_cmp(packet->line[1].ptr, "Accept: */*", 11) != 0) {
		return;
	}
	if (packet->line[2].len <= 22 || ipq_mem_cmp(packet->line[2].ptr, "Cache-Control: no-cache", 23) != 0) {
		return;
	}
	if (packet->line[3].len <= 16 || ipq_mem_cmp(packet->line[3].ptr, "Connection: close", 17) != 0) {
		return;
	}
	if (packet->line[4].len <= 6 || ipq_mem_cmp(packet->line[4].ptr, "Host: ", 6) != 0) {
		return;
	}
	if (packet->line[5].len <= 15 || ipq_mem_cmp(packet->line[5].ptr, "Pragma: no-cache", 16) != 0) {
		return;
	}
	if (packet->user_agent_line.ptr == NULL || packet->user_agent_line.len <= 49) {
		return;
	}
	if (ipq_mem_cmp(packet->user_agent_line.ptr,
					"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)", 50) != 0) {
		return;
	}

	IPQ_LOG(IPOQUE_PROTOCOL_THUNDER, ipoque_struct, IPQ_LOG_DEBUG,
			"Thunder HTTP download detected, adding flow.\n");
	ipoque_int_thunder_add_connection(ipoque_struct);
}
Ejemplo n.º 4
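/*
 * MapleStory detector.
 *
 * Game traffic: a 16-byte payload whose first 32-bit word (network order) is
 * one of three known values, followed by 0x0100 and a byte 0x32 or 0x33;
 * reported as IPOQUE_REAL_PROTOCOL.
 *
 * Updater traffic over HTTP: "GET /maple/patch..." with User-Agent "Patcher"
 * and a Host starting with "patch.", or "GET /maplestory/..." with
 * User-Agent "AspINet"; reported as IPOQUE_CORRELATED_PROTOCOL.
 *
 * Anything else adds MapleStory to the flow's excluded-protocol bitmask.
 */
void ipoque_search_maplestory(struct ipoque_detection_module_struct *ipoque_struct)
{
	struct ipoque_packet_struct *packet = &ipoque_struct->packet;
	struct ipoque_flow_struct *flow = ipoque_struct->flow;

	/* exact length 16 covers the reads at offsets 0..3, 4..5 and 6 */
	if (packet->payload_packet_len == 16
		&& (ntohl(get_u32(packet->payload, 0)) == 0x0e003a00 || ntohl(get_u32(packet->payload, 0)) == 0x0e003b00
			|| ntohl(get_u32(packet->payload, 0)) == 0x0e004200)
		&& ntohs(get_u16(packet->payload, 4)) == 0x0100 && (packet->payload[6] == 0x32 || packet->payload[6] == 0x33)) {
		IPQ_LOG(IPOQUE_PROTOCOL_MAPLESTORY, ipoque_struct, IPQ_LOG_DEBUG, "found maplestory.\n");
		ipoque_int_maplestory_add_connection(ipoque_struct, IPOQUE_REAL_PROTOCOL);
		return;
	}

	if (packet->payload_packet_len > IPQ_STATICSTRING_LEN("GET /maple")
		&& memcmp(packet->payload, "GET /maple", IPQ_STATICSTRING_LEN("GET /maple")) == 0) {
		ipq_parse_packet_line_info(ipoque_struct);
		/* Maplestory update */
		if (packet->payload_packet_len > IPQ_STATICSTRING_LEN("GET /maple/patch")
			&& packet->payload[IPQ_STATICSTRING_LEN("GET /maple")] == '/') {
			/* the length test above covers the "patch" compare at offset 11 */
			if (packet->user_agent_line.ptr != NULL && packet->host_line.ptr != NULL
				&& packet->user_agent_line.len == IPQ_STATICSTRING_LEN("Patcher")
				&& packet->host_line.len > IPQ_STATICSTRING_LEN("patch.")
				&& memcmp(&packet->payload[IPQ_STATICSTRING_LEN("GET /maple/")], "patch",
						  IPQ_STATICSTRING_LEN("patch")) == 0
				&& memcmp(packet->user_agent_line.ptr, "Patcher", IPQ_STATICSTRING_LEN("Patcher")) == 0
				&& memcmp(packet->host_line.ptr, "patch.", IPQ_STATICSTRING_LEN("patch.")) == 0) {
				IPQ_LOG(IPOQUE_PROTOCOL_MAPLESTORY, ipoque_struct, IPQ_LOG_DEBUG, "found maplestory update.\n");
				ipoque_int_maplestory_add_connection(ipoque_struct, IPOQUE_CORRELATED_PROTOCOL);
				return;
			}
		} else if (packet->payload_packet_len >= IPQ_STATICSTRING_LEN("GET /maplestory/")
				   /*
					* Explicit bound for the "story/" compare at offset 10.
					* This branch is reached with as few as 11 payload bytes;
					* before, the compare was only kept in range indirectly,
					* by requiring a parsed User-Agent line first.
					*/
				   && packet->user_agent_line.ptr != NULL
				   && packet->user_agent_line.len == IPQ_STATICSTRING_LEN("AspINet")
				   && memcmp(&packet->payload[IPQ_STATICSTRING_LEN("GET /maple")], "story/",
							 IPQ_STATICSTRING_LEN("story/")) == 0
				   && memcmp(packet->user_agent_line.ptr, "AspINet", IPQ_STATICSTRING_LEN("AspINet")) == 0) {
			IPQ_LOG(IPOQUE_PROTOCOL_MAPLESTORY, ipoque_struct, IPQ_LOG_DEBUG, "found maplestory update.\n");
			ipoque_int_maplestory_add_connection(ipoque_struct, IPOQUE_CORRELATED_PROTOCOL);
			return;
		}
	}

	IPQ_LOG(IPOQUE_PROTOCOL_MAPLESTORY, ipoque_struct, IPQ_LOG_DEBUG, "exclude maplestory.\n");
	IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_MAPLESTORY);
}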
Ejemplo n.º 5
/*
 * OpenFT detector for TCP flows.
 *
 * Matches a "GET /" request whose second parsed line starts with
 * "X-OpenftAlias:".  Any other packet adds OpenFT to the flow's
 * excluded-protocol bitmask, so the decision is made on a single packet.
 */
void ipoque_search_openft_tcp(struct ipoque_detection_module_struct
							  *ipoque_struct)
{
	struct ipoque_packet_struct *packet = &ipoque_struct->packet;
	struct ipoque_flow_struct *flow = ipoque_struct->flow;
	int is_get_request;

	/* the length test comes first so the 5-byte compare stays inside the payload */
	is_get_request = packet->payload_packet_len > 5 && memcmp(packet->payload, "GET /", 5) == 0;

	if (is_get_request) {
		IPQ_LOG(IPOQUE_PROTOCOL_OPENFT, ipoque_struct, IPQ_LOG_DEBUG, "HTTP packet detected.\n");
		ipq_parse_packet_line_info(ipoque_struct);

		/* line[1] is only looked at when at least two lines were parsed */
		if (packet->parsed_lines >= 2 && packet->line[1].len > 13) {
			if (ipq_mem_cmp(packet->line[1].ptr, "X-OpenftAlias:", 14) == 0) {
				IPQ_LOG(IPOQUE_PROTOCOL_OPENFT, ipoque_struct, IPQ_LOG_DEBUG, "OpenFT detected.\n");
				ipoque_int_openft_add_connection(ipoque_struct);
				return;
			}
		}
	}

	IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_OPENFT);
}
Ejemplo n.º 6
/*
 * IPP (Internet Printing Protocol) detector.
 *
 * Pattern 1: a payload longer than 20 bytes of the form
 *   <digit><up to 8 more hex digits> ' ' <digit><more digits> " ipp://"
 * Pattern 2: a "POST" request whose Content-Type starts with
 * "application/ipp".
 * If neither matches, IPP is added to the flow's excluded-protocol bitmask.
 *
 * Bounds: the first scan stops at index 9 at the latest, the second at
 * index 13, so the 7-byte compare ends at index 19 at most -- inside the
 * more-than-20-byte payload required on entry.
 */
void ipoque_search_ipp(struct ipoque_detection_module_struct
					   *ipoque_struct)
{
	struct ipoque_packet_struct *packet = &ipoque_struct->packet;
	struct ipoque_flow_struct *flow = ipoque_struct->flow;
	u8 i;

	IPQ_LOG(IPOQUE_PROTOCOL_IPP, ipoque_struct, IPQ_LOG_DEBUG, "search ipp\n");
	if (packet->payload_packet_len > 20) {

		IPQ_LOG(IPOQUE_PROTOCOL_IPP, ipoque_struct, IPQ_LOG_DEBUG,
				"searching for a payload with a pattern like 'number(1to8)blanknumber(1to3)ipp://.\n");
		/* a printer announces this way that its state is idle,
		 * i.e. it is not printing anything at the moment */
		i = 0;

		if (!(packet->payload[i] >= '0' && packet->payload[i] <= '9')) {
			IPQ_LOG(IPOQUE_PROTOCOL_IPP, ipoque_struct, IPQ_LOG_DEBUG, "payload does not begin with a number.\n");
			goto search_for_next_pattern;
		}

		/* advance over hex digits; the index cap keeps the scan short */
		do {
			i++;
		} while (((packet->payload[i] >= '0' && packet->payload[i] <= '9') ||
				  (packet->payload[i] >= 'a' && packet->payload[i] <= 'f') ||
				  (packet->payload[i] >= 'A' && packet->payload[i] <= 'F')) && i <= 8);
		IPQ_LOG(IPOQUE_PROTOCOL_IPP, ipoque_struct, IPQ_LOG_DEBUG,
				"read symbols while the symbol is a number.\n");

		/* the separator is consumed whether or not it is a blank */
		if (packet->payload[i++] != ' ') {
			IPQ_LOG(IPOQUE_PROTOCOL_IPP, ipoque_struct, IPQ_LOG_DEBUG, "there is no blank following the number.\n");
			goto search_for_next_pattern;
		}

		if (!(packet->payload[i] >= '0' && packet->payload[i] <= '9')) {
			IPQ_LOG(IPOQUE_PROTOCOL_IPP, ipoque_struct, IPQ_LOG_DEBUG, "no number following the blank.\n");
			goto search_for_next_pattern;
		}

		/* advance over decimal digits, again with an index cap */
		do {
			i++;
		} while (packet->payload[i] >= '0' && packet->payload[i] <= '9' && i <= 12);
		IPQ_LOG(IPOQUE_PROTOCOL_IPP, ipoque_struct, IPQ_LOG_DEBUG,
				"read symbols while the symbol is a number.\n");

		if (ipq_mem_cmp(&packet->payload[i], " ipp://", 7) != 0) {
			IPQ_LOG(IPOQUE_PROTOCOL_IPP, ipoque_struct, IPQ_LOG_DEBUG, "the string ' ipp://' does not follow.\n");
			goto search_for_next_pattern;
		}

		IPQ_LOG(IPOQUE_PROTOCOL_IPP, ipoque_struct, IPQ_LOG_DEBUG, "found ipp\n");
		ipoque_int_ipp_add_connection(ipoque_struct);
		return;
	}

  search_for_next_pattern:

	if (packet->payload_packet_len > 3 && memcmp(packet->payload, "POST", 4) == 0) {
		ipq_parse_packet_line_info(ipoque_struct);
		/* Content-Type must be present and long enough for the 15-byte compare */
		if (packet->content_line.ptr != NULL && packet->content_line.len > 14) {
			if (memcmp(packet->content_line.ptr, "application/ipp", 15) == 0) {
				IPQ_LOG(IPOQUE_PROTOCOL_IPP, ipoque_struct, IPQ_LOG_DEBUG, "found ipp via POST ... application/ipp.\n");
				ipoque_int_ipp_add_connection(ipoque_struct);
				return;
			}
		}
	}
	IPQ_LOG(IPOQUE_PROTOCOL_IPP, ipoque_struct, IPQ_LOG_DEBUG, "no ipp detected.\n");
	IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_IPP);
}
Ejemplo n.º 7
/*
 * HTTP detector for TCP flows, driven by per-flow state:
 *   http_setup_dir - 1 + direction of the first packet seen (0 = not set yet)
 *   http_stage     - 0 start, 1 request seen/continuing, 2 waiting for the
 *                    server reply, 3 reply seen after stage 2
 *
 * First half: the flow is not yet known as HTTP.  Client packets are checked
 * for a request line ending in " HTTP/1.x"; on failure HTTP is excluded via
 * http_bitmask_exclude().
 * Second half (label http_parse_detection): the flow is already in the
 * generic HTTP bitmask; later requests and server replies are parsed to
 * refine the protocol by content type and payload.
 *
 * All offsets are computed from packet data, so the length tests ahead of
 * each pointer computation are what keep the reads inside the first line.
 */
void ipoque_search_http_tcp(struct ipoque_detection_module_struct *ipoque_struct)
{
  struct ipoque_packet_struct *packet = &ipoque_struct->packet;
  struct ipoque_flow_struct *flow = ipoque_struct->flow;
  //      struct ipoque_id_struct         *src=ipoque_struct->src;
  //      struct ipoque_id_struct         *dst=ipoque_struct->dst;

  u16 filename_start;

  IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "search http\n");

  /* set client-server_direction */
  /* stored as 1 + direction so that 0 can mean "not initialised" */
  if (flow->l4.tcp.http_setup_dir == 0) {
    IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "initializes http to stage: 1 \n");
    flow->l4.tcp.http_setup_dir = 1 + packet->packet_direction;
  }

  /* already classified as an HTTP-family protocol: skip detection, go refine */
  if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK
      (ipoque_struct->generic_http_packet_bitmask, packet->detected_protocol_stack[0]) != 0) {
    IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG,
	    "protocol might be detected earlier as http jump to payload type detection\n");
    goto http_parse_detection;
  }

  /* packet travels in the direction recorded as the client side */
  if (flow->l4.tcp.http_setup_dir == 1 + packet->packet_direction) {
    IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "http stage: 1\n");

    /* a retransmission is awaited: tolerate non-retransmitted packets only
     * while packet_counter is at most 5, then give up on HTTP */
    if (flow->l4.tcp.http_wait_for_retransmission) {
      if (!packet->tcp_retransmission) {
	if (flow->packet_counter <= 5) {
	  IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "still waiting for retransmission\n");
	  return;
	} else {
	  IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "retransmission not found, exclude\n");
	  http_bitmask_exclude(flow);
	  return;
	}
      }
    }

    if (flow->l4.tcp.http_stage == 0) {
      /* http_request_url_offset() is defined elsewhere; a return of 0 is
       * treated here as "no request method / URL found" */
      filename_start = http_request_url_offset(ipoque_struct);
      if (filename_start == 0) {
	IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "filename not found, exclude\n");
	http_bitmask_exclude(flow);
	return;
      }
      // parse packet
      ipq_parse_packet_line_info(ipoque_struct);

      if (packet->parsed_lines <= 1) {
	/* parse one more packet .. */
	IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "just one line, search next packet\n");
	flow->l4.tcp.http_stage = 1;
	return;
      }
      // parsed_lines > 1 here
      /* len >= 9 + filename_start keeps both "len - 9" (start of " HTTP/1.x")
       * and "len - (filename_start + 9)" (URL length) from going negative */
      if (packet->line[0].len >= (9 + filename_start)
	  && memcmp(&packet->line[0].ptr[packet->line[0].len - 9], " HTTP/1.", 8) == 0) {
	/* NOTE(review): the URL pointer is taken from payload while its length is
	 * derived from line[0]; this assumes line[0].ptr == payload -- confirm */
	packet->http_url_name.ptr = &packet->payload[filename_start];
	packet->http_url_name.len = packet->line[0].len - (filename_start + 9);

	/* method = bytes before the URL, minus the separating blank */
	packet->http_method.ptr = packet->line[0].ptr;
	packet->http_method.len = filename_start - 1;

	IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "http structure detected, adding\n");

	/* NOTE(review): offset 8 presumably corresponds to "CONNECT " -- confirm
	 * against http_request_url_offset() */
	ipoque_int_http_add_connection(ipoque_struct, (filename_start == 8) ? NTOP_PROTOCOL_HTTP_CONNECT : IPOQUE_PROTOCOL_HTTP);
	check_content_type_and_change_protocol(ipoque_struct);
	/* HTTP found, look for host... */
	if (packet->host_line.ptr != NULL) {
	  /* aaahh, skip this direction and wait for a server reply here */
	  flow->l4.tcp.http_stage = 2;
	  IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "HTTP START HOST found\n");
	  return;
	}
	/* NOTE(review): this is the host-NOT-found path, yet the message is the
	 * same as in the branch above; debug logs cannot tell the two apart */
	IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "HTTP START HOST found\n");

	/* host not found, check in next packet after */
	flow->l4.tcp.http_stage = 1;
	return;
      }
    } else if (flow->l4.tcp.http_stage == 1) {
      /* SECOND PAYLOAD TRAFFIC FROM CLIENT, FIRST PACKET MIGHT HAVE BEEN HTTP... */
      /* UNKNOWN TRAFFIC, HERE FOR HTTP again.. */
      // parse packet
      ipq_parse_packet_line_info(ipoque_struct);

      if (packet->parsed_lines <= 1) {

	/* wait some packets in case request is split over more than 2 packets */
	if (flow->packet_counter < 5) {
	  IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG,
		  "line still not finished, search next packet\n");
	  return;
	} else {
	  /* stop parsing here */
	  IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG,
		  "HTTP: PACKET DOES NOT HAVE A LINE STRUCTURE\n");
	  http_bitmask_exclude(flow);
	  return;
	}
      }

      /* len >= 9 guards the "len - 9" index; no URL/method is recorded here */
      if (packet->line[0].len >= 9 && memcmp(&packet->line[0].ptr[packet->line[0].len - 9], " HTTP/1.", 8) == 0) {
	ipoque_int_http_add_connection(ipoque_struct, IPOQUE_PROTOCOL_HTTP);
	check_content_type_and_change_protocol(ipoque_struct);
	IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG,
		"HTTP START HTTP found in 2. packet, check host here...\n");
	/* HTTP found, look for host... */
	flow->l4.tcp.http_stage = 2;

	return;
      }
    }
  }
  /* reached for server-direction packets on undetected flows and for client
   * packets that failed every test above */
  IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "HTTP: REQUEST NOT HTTP CONFORM\n");
  http_bitmask_exclude(flow);
  return;

 http_parse_detection:
  if (flow->l4.tcp.http_setup_dir == 1 + packet->packet_direction) {
    /* we have something like http here, so check for host and content type if possible */
    if (flow->l4.tcp.http_stage == 0 || flow->l4.tcp.http_stage == 3) {
      IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "HTTP RUN MAYBE NEXT GET/POST...\n");
      // parse packet
      ipq_parse_packet_line_info(ipoque_struct);
      /* check for url here */
      filename_start = http_request_url_offset(ipoque_struct);
      /* same guards as in the detection half: a non-zero offset, more than
       * one line, and a first line long enough for the index arithmetic */
      if (filename_start != 0 && packet->parsed_lines > 1 && packet->line[0].len >= (9 + filename_start)
	  && memcmp(&packet->line[0].ptr[packet->line[0].len - 9], " HTTP/1.", 8) == 0) {
	packet->http_url_name.ptr = &packet->payload[filename_start];
	packet->http_url_name.len = packet->line[0].len - (filename_start + 9);

	packet->http_method.ptr = packet->line[0].ptr;
	packet->http_method.len = filename_start - 1;

	IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "next http action, "
		"resetting to http and search for other protocols later.\n");
	ipoque_int_http_add_connection(ipoque_struct, IPOQUE_PROTOCOL_HTTP);
      }
      /* runs whether or not a new request line was recognised above */
      check_content_type_and_change_protocol(ipoque_struct);
      /* HTTP found, look for host... */
      if (packet->host_line.ptr != NULL) {
	IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG,
		"HTTP RUN MAYBE NEXT HOST found, skipping all packets from this direction\n");
	/* aaahh, skip this direction and wait for a server reply here */
	flow->l4.tcp.http_stage = 2;
	return;
      }
      IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG,
	      "HTTP RUN MAYBE NEXT HOST NOT found, scanning one more packet from this direction\n");
      flow->l4.tcp.http_stage = 1;
    } else if (flow->l4.tcp.http_stage == 1) {
      // parse packet and maybe find a packet info with host ptr,...
      ipq_parse_packet_line_info(ipoque_struct);
      check_content_type_and_change_protocol(ipoque_struct);
      IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "HTTP RUN second packet scanned\n");
      /* HTTP found, look for host... */
      flow->l4.tcp.http_stage = 2;
    }
    /* stage 2 client packets fall straight through to here and are ignored */
    IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG,
	    "HTTP skipping client packets after second packet\n");
    return;
  }
  /* server response */
  if (flow->l4.tcp.http_stage > 0) {
    /* first packet from server direction, might have a content line */
    ipq_parse_packet_line_info(ipoque_struct);
    check_content_type_and_change_protocol(ipoque_struct);


    /* body inspection only once the header/body boundary has been seen,
     * in this packet or (per the flow flag) in an earlier one */
    if (packet->empty_line_position_set != 0 || flow->l4.tcp.http_empty_line_seen == 1) {
      IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "empty line. check_http_payload.\n");
      check_http_payload(ipoque_struct);
    }
    /* stage 2 -> 3 (one more reply packet is scanned), any other stage -> 0 */
    if (flow->l4.tcp.http_stage == 2) {
      flow->l4.tcp.http_stage = 3;
    } else {
      flow->l4.tcp.http_stage = 0;
    }
    IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG,
	    "HTTP response first or second packet scanned,new stage is: %u\n", flow->l4.tcp.http_stage);
    return;
  } else {
    IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "HTTP response next packet skipped\n");
  }
}
Ejemplo n.º 8
void ipoque_search_pplive_tcp_udp(struct ipoque_detection_module_struct
								  *ipoque_struct)
{
	struct ipoque_packet_struct *packet = &ipoque_struct->packet;
	struct ipoque_flow_struct *flow = ipoque_struct->flow;
	struct ipoque_id_struct *src = ipoque_struct->src;
	struct ipoque_id_struct *dst = ipoque_struct->dst;


	u16 a;

	IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "search pplive.\n");


	if (packet->udp != NULL) {

		if (src != NULL && src->pplive_vod_cli_port == packet->udp->source
			&& IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, IPOQUE_PROTOCOL_PPLIVE)) {
			if (src->pplive_last_packet_time_set == 1 && (IPOQUE_TIMESTAMP_COUNTER_SIZE)
				(packet->tick_timestamp - src->pplive_last_packet_time) < ipoque_struct->pplive_connection_timeout) {
				ipoque_int_pplive_add_connection(ipoque_struct);
				src->pplive_last_packet_time_set = 1;
				src->pplive_last_packet_time = packet->tick_timestamp;
				IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "timestamp src.\n");
				return;
			} else {
				src->pplive_vod_cli_port = 0;
				src->pplive_last_packet_time = 0;
				IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "PPLIVE: VOD port timer reset.\n");
			}
		}

		if (dst != NULL && dst->pplive_vod_cli_port == packet->udp->dest
			&& IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, IPOQUE_PROTOCOL_PPLIVE)) {
			if (dst->pplive_last_packet_time_set == 1 && (IPOQUE_TIMESTAMP_COUNTER_SIZE)
				(packet->tick_timestamp - dst->pplive_last_packet_time) < ipoque_struct->pplive_connection_timeout) {
				ipoque_int_pplive_add_connection(ipoque_struct);
				dst->pplive_last_packet_time_set = 1;
				dst->pplive_last_packet_time = packet->tick_timestamp;
				IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "timestamp dst.\n");
				return;
			} else {
				dst->pplive_last_packet_time_set = 0;
				dst->pplive_vod_cli_port = 0;
				dst->pplive_last_packet_time = 0;
				IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "PPLIVE: VOD port timer reset.\n");
			}
		}

		if ((packet->payload_packet_len >= 76) && ((packet->payload[0] == 0x01) || (packet->payload[0] == 0x18)
												   || (packet->payload[0] == 0x05))
			&& (packet->payload[1] == 0x00)
			&& get_l32(packet->payload, 12) == 0 && (packet->payload[16] == 0 || packet->payload[16] == 1)
			&& (packet->payload[17] == 0) && (packet->payload[24] == 0xac)) {
			IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "found pplive.\n");
			ipoque_int_pplive_add_connection(ipoque_struct);
			return;
		}

		if (packet->payload_packet_len > 50 && packet->payload[0] == 0xe9
			&& packet->payload[1] == 0x03 && (packet->payload[3] == 0x00 || packet->payload[3] == 0x01)
			&& packet->payload[4] == 0x98 && packet->payload[5] == 0xab
			&& packet->payload[6] == 0x01 && packet->payload[7] == 0x02) {
			IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "found pplive.\n");
			ipoque_int_pplive_add_connection(ipoque_struct);
			return;
		}

		if (packet->payload_packet_len == 94
			&& packet->payload[8] == 0x00 && get_u32(packet->payload, 9) == ntohl(0x02010000)
			&& get_u32(packet->payload, 58) == ntohl(0xb1130000)) {
			IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "found pplive.\n");
			ipoque_int_pplive_add_connection(ipoque_struct);
			return;
		}

		if ((packet->payload_packet_len >= 90 && packet->payload_packet_len <= 110)
			&& (packet->payload[0] >= 0x0a && packet->payload[0] <= 0x0f)
			&& get_u32(packet->payload, 86) == 0) {
			int i;
			for (i = 56; i < 68; i += 2) {
				if ((get_u32(packet->payload, i) == ntohl(0x4fde7e7f))
					&& (get_u16(packet->payload, i + 4) == 0)) {
					IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "found pplive through "
							"bitpattern 4f de 7e 7f 00 00.\n");
					ipoque_int_pplive_add_connection(ipoque_struct);
					return;
				}
			}
		}
		if (flow->packet_counter < 5 && !flow->pplive_stage) {	/* With in 1st 4 packets */
			if (((packet->payload_packet_len >= 90 && packet->payload_packet_len <= 110)
				 && (!get_u32(packet->payload, packet->payload_packet_len - 16)
					 || !get_u32(packet->payload, packet->payload_packet_len - 4)))
				) {
				flow->pplive_stage = 2;	/* Now start looking for size(28 | 30) */
				IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG,
						"Maybe found pplive packet. Now start looking for size(28 | 30).\n");
			}
			if (68 == packet->payload_packet_len
				&& get_l16(packet->payload, 0) == 0x21 && packet->payload[19] == packet->payload[20]
				&& packet->payload[20] == packet->payload[21]
				&& packet->payload[12] == packet->payload[13]
				&& packet->payload[14] == packet->payload[15]) {
				flow->pplive_stage = 3 + packet->packet_direction;
			}
			IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "need next packet I.\n");
			return;
		}
		if (flow->pplive_stage == 3 + packet->packet_direction) {
			/* Because we are expecting packet in reverese direction.. */
			IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "need next packet II.\n");
			return;
		}
		if (flow->pplive_stage == (4 - packet->packet_direction)
			&& packet->payload_packet_len > 67
			&& (get_l16(packet->payload, 0) == 0x21
				|| (get_l16(packet->payload, 0) == 0x22 && !get_l16(packet->payload, 28)))) {
			if (dst != NULL) {
				dst->pplive_vod_cli_port = packet->udp->dest;
				IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct,
						IPQ_LOG_DEBUG, "PPLIVE: VOD Port marked %u.\n", ntohs(packet->udp->dest));
				dst->pplive_last_packet_time = packet->tick_timestamp;
				dst->pplive_last_packet_time_set = 1;
			}
			IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "found pplive.\n");
			ipoque_int_pplive_add_connection(ipoque_struct);
			return;
		}

		if (flow->pplive_stage == 2) {
			if ((packet->payload_packet_len == 30 && (packet->payload[0] == 0x02 || packet->payload[0] == 0x03)
				 && get_u32(packet->payload, 21) == ntohl(0x00000001))
				|| (packet->payload_packet_len == 28 && (packet->payload[0] == 0x01 || packet->payload[0] == 0x00)
					&& (get_u32(packet->payload, 19) == ntohl(0x00000001)))) {
				IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "found pplive.\n");
				ipoque_int_pplive_add_connection(ipoque_struct);
				return;
			}
			if (flow->packet_counter < 45) {
				IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "need next packet III.\n");
				return;
			}
		}
	} else if (packet->tcp != NULL) {

		IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG,
				"PPLIVE: TCP found, plen = %d, stage = %d, payload[0] = %x, payload[1] = %x, payload[2] = %x, payload[3] = %x \n",
				packet->payload_packet_len, flow->pplive_stage, packet->payload[0], packet->payload[1],
				packet->payload[2], packet->payload[3]);

		if (src != NULL && src->pplive_vod_cli_port == packet->tcp->source
			&& IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, IPOQUE_PROTOCOL_PPLIVE)) {
			if (src->pplive_last_packet_time_set == 1 && (IPOQUE_TIMESTAMP_COUNTER_SIZE)
				(packet->tick_timestamp - src->pplive_last_packet_time) < ipoque_struct->pplive_connection_timeout) {
				ipoque_int_pplive_add_connection(ipoque_struct);
				src->pplive_last_packet_time_set = 1;
				src->pplive_last_packet_time = packet->tick_timestamp;
				IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "timestamp src.\n");
				return;
			} else {
				src->pplive_vod_cli_port = 0;
				src->pplive_last_packet_time = 0;
				IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "PPLIVE: VOD port timer reset.\n");
			}
		}

		if (dst != NULL && dst->pplive_vod_cli_port == packet->tcp->dest
			&& IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, IPOQUE_PROTOCOL_PPLIVE)) {
			if (dst->pplive_last_packet_time_set == 1 && (IPOQUE_TIMESTAMP_COUNTER_SIZE)
				(packet->tick_timestamp - dst->pplive_last_packet_time) < ipoque_struct->pplive_connection_timeout) {
				flow->detected_protocol = IPOQUE_PROTOCOL_PPLIVE;
				packet->detected_protocol = IPOQUE_PROTOCOL_PPLIVE;
				dst->pplive_last_packet_time_set = 1;
				dst->pplive_last_packet_time = packet->tick_timestamp;
				IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "timestamp dst.\n");
				return;
			} else {
				dst->pplive_last_packet_time_set = 0;
				dst->pplive_vod_cli_port = 0;
				dst->pplive_last_packet_time = 0;
				IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "PPLIVE: VOD port timer reset.\n");
			}
		}

		if (packet->payload_packet_len > 4 && memcmp(packet->payload, "GET /", 5) == 0) {
			ipq_parse_packet_line_info(ipoque_struct);
			if (packet->parsed_lines == 8
				&& packet->line[0].ptr != NULL && packet->line[0].len >= 8
				&& memcmp(&packet->payload[packet->line[0].len - 8], "HTTP/1.", 7) == 0
				&& packet->line[2].ptr != NULL && packet->line[2].len >= 16
				&& memcmp(packet->line[2].ptr, "x-flash-version:", 16) == 0
				&& packet->user_agent_line.ptr != NULL && packet->user_agent_line.len >= 11
				&& memcmp(packet->user_agent_line.ptr, "Mozilla/4.0", 11) == 0
				&& packet->line[6].ptr != NULL && packet->line[6].len >= 21
				&& memcmp(packet->line[6].ptr, "Pragma: Client=PPLive", 21) == 0) {
				IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "PPLIVE: found HTTP request.\n");
				ipoque_int_pplive_add_connection(ipoque_struct);
				return;
			} else if (packet->parsed_lines == 6
					   && packet->line[0].ptr != NULL && packet->line[0].len >= 8
					   && memcmp(&packet->payload[packet->line[0].len - 8], "HTTP/1.", 7) == 0
					   && packet->user_agent_line.ptr != NULL && packet->user_agent_line.len >= 10
					   && memcmp(packet->user_agent_line.ptr, "PPLive DAC", 10) == 0) {
				IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "PPLIVE: found HTTP request.\n");
				ipoque_int_pplive_add_connection(ipoque_struct);
				return;
			}
		}
		// searches for packets > 20 byte that begin with a hex number == packet->payload_packet_len - 4
		// and with the same number at position 16, 17, 18, 19
		if (packet->payload_packet_len > 20 && ntohl(get_u32(packet->payload, 0)) == packet->payload_packet_len - 4) {
			if (packet->payload[4] == 0x21 && packet->payload[5] == 0x00) {
				if ((packet->payload[9] == packet->payload[10]) && (packet->payload[9] == packet->payload[11])) {
					if ((packet->payload[16] == packet->payload[17]) &&
						(packet->payload[16] == packet->payload[18]) && (packet->payload[16] == packet->payload[19])) {
						IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct,
								IPQ_LOG_DEBUG, "PPLIVE: direct server request or response found\n");
						ipoque_int_pplive_add_connection(ipoque_struct);
						return;
					}
				}
			}
		}
		// stage > 0, packet begins with 21 00, bytes at positions 5, 6, 7 are equal, bytes at positions 12, 13, 14, 15 are equal,
		if (packet->payload_packet_len > 20 && flow->pplive_stage) {
			if (packet->payload[0] == 0x21 && packet->payload[1] == 0x00) {
				if (packet->payload[5] == packet->payload[6] && packet->payload[5] == packet->payload[7]) {
					if (packet->payload[12] == packet->payload[13] && packet->payload[14] == packet->payload[15]
						&& packet->payload[12] == packet->payload[14]) {
						IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct,
								IPQ_LOG_DEBUG, "PPLIVE: direct server request or response found\n");
						ipoque_int_pplive_add_connection(ipoque_struct);
						return;
					}
				}
			}
		}
		// packet (len>11) begins with a hex number == packet->payload_packet_len - 4 and matches certain bitmuster
		if (packet->payload_packet_len > 11 && ntohl(get_u32(packet->payload, 0)) == packet->payload_packet_len - 4) {
			if (packet->payload[4] == 0xe9 && packet->payload[5] == 0x03 &&
				((packet->payload[7] == packet->payload[10]) || (packet->payload[7] == packet->payload[11]))) {
				IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct,
						IPQ_LOG_DEBUG, "PPLIVE: direct server request or response found\n");
				ipoque_int_pplive_add_connection(ipoque_struct);
				return;
			}
		}
		// stage > 0, len>10, begins with e9 03, matches certain pattern
		if (packet->payload_packet_len > 10 && flow->pplive_stage) {
			if (packet->payload[0] == 0xe9 && packet->payload[1] == 0x03 &&
				((packet->payload[3] == packet->payload[6]) || (packet->payload[3] == packet->payload[7]))) {
				IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct,
						IPQ_LOG_DEBUG, "PPLIVE: direct server request or response found\n");
				ipoque_int_pplive_add_connection(ipoque_struct);
				return;
			}
		}

		/* Adware in the PPLive Client -> first TCP Packet has length of 4 Bytes -> 2nd TCP Packet has length of 96 Bytes */
		/* or */
		/* Peer-List Requests over TCP -> first Packet has length of 4 Bytes -> 2nd TCP Packet has length of 71 Bytes */
		/* there are different possibilities of the order of the packets */

		IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG,
				"PPLIVE: TCP found, plen = %d, stage = %d, payload[0] = %x, payload[1] = %x, payload[2] = %x, payload[3] = %x \n",
				packet->payload_packet_len, flow->pplive_stage,
				packet->payload[0], packet->payload[1], packet->payload[2], packet->payload[3]);

		/* generic pplive detection (independent of the stage) !!! */
		// len > 11, packet begins with a hex number == packet->payload_packet_len - 4, pattern: ?? ?? ?? ?? 21 00 ?? ?? 98 ab 01 02
		if (packet->payload_packet_len > 11 && ntohl(get_u32(packet->payload, 0)) == packet->payload_packet_len - 4) {
			if (packet->payload[4] == 0x21 && packet->payload[5] == 0x00
				&& ((packet->payload[8] == 0x98 && packet->payload[9] == 0xab
					 && packet->payload[10] == 0x01 && packet->payload[11] == 0x02)
				)) {
				IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct,
						IPQ_LOG_DEBUG, "PPLIVE: direct server request or response found\n");
				ipoque_int_pplive_add_connection(ipoque_struct);
				return;
			}
			// packet 4 to 19 have a hex representation from 0x30 to 0x39
			if (packet->payload_packet_len > 20) {
				a = 4;
				while (a < 20) {
					if (packet->payload[a] >= '0' && packet->payload[a] <= '9') {
						if (a == 19) {
							IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct,
									IPQ_LOG_DEBUG, "PPLIVE: direct new header format found\n");
							ipoque_int_pplive_add_connection(ipoque_struct);
							return;
						} else {
							a++;
						}
					} else {
						break;
					}
				}
			}
		}

		/* 1st and 2nd (KD: ??????? )Packet of Client is 4 Byte  */
		// stage == 0, p_len == 4, pattern: 04 00 00 00 --> need next packet
		if (flow->pplive_stage == 0) {
			if (packet->payload_packet_len == 4 && packet->payload[0] > 0x04
				&& packet->payload[1] == 0x00 && packet->payload[2] == 0x00 && packet->payload[3] == 0x00) {
				IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct,
						IPQ_LOG_DEBUG, "PPLIVE: 4Byte TCP Packet Request found \n");

				/* go to the 2nd Client Packet */
				flow->pplive_stage = 1 + packet->packet_direction;
				flow->pplive_next_packet_size[packet->packet_direction] = packet->payload[0];
				IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "need next packet i.\n");
				return;
			}
		} else if (flow->pplive_stage == 2 - packet->packet_direction) {
			if (packet->payload_packet_len == 4 && packet->payload[0] > 0x04
				&& packet->payload[1] == 0x00 && packet->payload[2] == 0x00 && packet->payload[3] == 0x00) {
				IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct,
						IPQ_LOG_DEBUG, "PPLIVE: 4Byte TCP Packet Response found \n");

				/* go to the 2nd Client Packet */
				flow->pplive_next_packet_size[packet->packet_direction] = packet->payload[0];
			}
			flow->pplive_stage = 3;
			IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "need next packet ii.\n");
			return;
		} else if (flow->pplive_stage == 1 + packet->packet_direction || flow->pplive_stage == 3) {
			if (packet->payload_packet_len > 7 && flow->pplive_next_packet_size[packet->packet_direction] >= 4) {
				if (packet->payload_packet_len == flow->pplive_next_packet_size[packet->packet_direction]) {

					if (packet->payload[0] == 0xe9 && packet->payload[1] == 0x03
						&& ((packet->payload[4] == 0x98
							 && packet->payload[5] == 0xab && packet->payload[6] == 0x01 && packet->payload[7] == 0x02)
						)) {
						IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct,
								IPQ_LOG_DEBUG, "PPLIVE: two packet response found\n");

						IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG,
								"found pplive over tcp with pattern iii.\n");
						ipoque_int_pplive_add_connection(ipoque_struct);
						return;
					}
					// packet 4 to 19 have a hex representation from 0x30 to 0x39
					if (packet->payload_packet_len > 16) {
						a = 0;
						while (a < 16) {
							if (packet->payload[a] >= '0' && packet->payload[a] <= '9') {
								if (a == 15) {
									IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG,
											"PPLIVE: new header format found\n");
									IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG,
											"found pplive over tcp with pattern v.\n");
									ipoque_int_pplive_add_connection(ipoque_struct);
									return;
								} else {
									a++;
								}
							} else {
								break;
							}
						}
					}
					// p_len>79 and a lot of 00 in the end
					if (packet->payload_packet_len > 79
						&& get_u32(packet->payload, packet->payload_packet_len - 9) == 0x00000000
						&& get_u32(packet->payload, packet->payload_packet_len - 5) == 0x00000000) {
						IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG,
								"PPLIVE: Last 8 NULL bytes found.\n");
						IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG,
								"found pplive over tcp with pattern vi.\n");
						ipoque_int_pplive_add_connection(ipoque_struct);
						return;
					}
				}
				if (packet->payload_packet_len > flow->pplive_next_packet_size[packet->packet_direction]) {
					if (packet->payload[0] == 0xe9 && packet->payload[1] == 0x03
						&& packet->payload[4] == 0x98 && packet->payload[5] == 0xab
						&& packet->payload[6] == 0x01 && packet->payload[7] == 0x02) {
						a = flow->pplive_next_packet_size[packet->packet_direction];
						IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "a=%u.\n", a);
						if (packet->payload_packet_len > a + 4
							&& packet->payload[a + 2] == 0x00 && packet->payload[a + 3] == 0x00
							&& packet->payload[a] != 0) {
							a += ((packet->payload[a + 1] << 8) + packet->payload[a] + 4);
							IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "a=%u.\n", a);
							if (packet->payload_packet_len == a) {
								IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG,
										"found pplive over tcp with pattern vii.\n");
								ipoque_int_pplive_add_connection(ipoque_struct);
								return;
							}
							if (packet->payload_packet_len > a + 4
								&& packet->payload[a + 2] == 0x00 && packet->payload[a + 3] == 0x00
								&& packet->payload[a] != 0) {
								a += ((packet->payload[a + 1] << 8) + packet->payload[a] + 4);
								if (packet->payload_packet_len == a) {
									IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG,
											"found pplive over tcp with pattern viii.\n");
									ipoque_int_pplive_add_connection(ipoque_struct);
									return;
								}
							}

						}
					}
				}
			}
		}
	}


	IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "exclude pplive.\n");
	IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_PPLIVE);
}
Ejemplo n.º 9
/**
 * Second Life detector, run on one packet of a flow.
 *
 * TCP: an HTTP request starting with "GET /" is matched either by the token
 * "SecondLife/" at a fixed offset inside one specific Mozilla/AppleWebKit
 * User-Agent string, or by a Host line that ends in ".agni.lindenlab.com"
 * followed by ':' and a short suffix. Both are reported as
 * IPOQUE_CORRELATED_PROTOCOL.
 * UDP: fixed-length datagrams with a known 10-byte prefix, or datagrams longer
 * than 54 bytes with a 7-byte prefix and four trailing zero bytes, are reported
 * as IPOQUE_REAL_PROTOCOL.
 * Anything else adds IPOQUE_PROTOCOL_SECONDLIFE to the flow's excluded bitmask.
 *
 * NOTE(review): the two HTTP matches rest on request header text, which the
 * sending client chooses.
 *
 * @param ipoque_struct detection module state holding the packet and the flow.
 */
void ipoque_search_secondlife(struct ipoque_detection_module_struct
							  *ipoque_struct)
{
	struct ipoque_packet_struct *packet = &ipoque_struct->packet;
	struct ipoque_flow_struct *flow = ipoque_struct->flow;

	/*
	 * A port-based UDP heuristic is disabled in the original source: destination
	 * port 12035, 12036 or 13000-13050, payload longer than 6 bytes, first byte
	 * 0x40 and sequence number 1.
	 */

	if (packet->tcp != NULL
		&& packet->payload_packet_len > IPQ_STATICSTRING_LEN("GET /")
		&& memcmp(packet->payload, "GET /", IPQ_STATICSTRING_LEN("GET /")) == 0) {
		/* Lengths of the fixed strings the header checks are built from. */
		const size_t ua_prefix_len =
			IPQ_STATICSTRING_LEN
			("Mozilla/5.0 (Windows; U; Windows NT 6.1; de-DE) AppleWebKit/532.4 (KHTML, like Gecko) ");
		const size_t ua_token_len = IPQ_STATICSTRING_LEN("SecondLife/");
		const size_t domain_len = IPQ_STATICSTRING_LEN(".agni.lindenlab.com");

		IPQ_LOG(IPOQUE_PROTOCOL_SECONDLIFE, ipoque_struct, IPQ_LOG_DEBUG, "Second Life HTTP 'GET /'' found.\n");
		ipq_parse_packet_line_info(ipoque_struct);

		/* The length test keeps the fixed-offset token compare inside the line. */
		if (packet->user_agent_line.ptr != NULL
			&& packet->user_agent_line.len > ua_prefix_len + ua_token_len
			&& memcmp(&packet->user_agent_line.ptr[ua_prefix_len], "SecondLife/", ua_token_len) == 0) {
			IPQ_LOG(IPOQUE_PROTOCOL_SECONDLIFE, ipoque_struct, IPQ_LOG_DEBUG,
					"Second Life TCP HTTP User Agent detected.\n");
			ipoque_int_secondlife_add_connection(ipoque_struct, IPOQUE_CORRELATED_PROTOCOL);
			return;
		}

		/* Host line must be longer than the domain plus ':' before it is indexed from the end. */
		if (packet->host_line.ptr != NULL && packet->host_line.len > domain_len + 1) {
			size_t tail;

			/* Look for ':' 3 to 6 bytes before the end; only the first one found is examined. */
			for (tail = 3; tail <= 6; tail++) {
				if (packet->host_line.ptr[packet->host_line.len - tail] != ':') {
					continue;
				}
				if (tail + domain_len < packet->host_line.len
					&& memcmp(&packet->host_line.ptr[packet->host_line.len - (tail + domain_len)],
							  ".agni.lindenlab.com", domain_len) == 0) {
					IPQ_LOG(IPOQUE_PROTOCOL_SECONDLIFE, ipoque_struct, IPQ_LOG_DEBUG,
							"Second Life TCP HTTP Host detected.\n");
					ipoque_int_secondlife_add_connection(ipoque_struct, IPOQUE_CORRELATED_PROTOCOL);
					return;
				}
				break;
			}
		}
	}

	if (packet->udp != NULL) {
		const unsigned int plen = packet->payload_packet_len;

		/* Exact datagram length plus a 10-byte prefix; only the last prefix byte differs. */
		if (plen == 46
			&& memcmp(packet->payload, "\x40\x00\x00\x00\x01\x00\xff\xff\x00\x03", 10) == 0) {
			IPQ_LOG(IPOQUE_PROTOCOL_SECONDLIFE, ipoque_struct, IPQ_LOG_DEBUG, "Second Life 0xffff0003 detected.\n");
			ipoque_int_secondlife_add_connection(ipoque_struct, IPOQUE_REAL_PROTOCOL);
			return;
		}
		if (plen == 54
			&& memcmp(packet->payload, "\x40\x00\x00\x00\x01\x00\xff\xff\x00\x52", 10) == 0) {
			IPQ_LOG(IPOQUE_PROTOCOL_SECONDLIFE, ipoque_struct, IPQ_LOG_DEBUG, "Second Life 0xffff0052 detected.\n");
			ipoque_int_secondlife_add_connection(ipoque_struct, IPOQUE_REAL_PROTOCOL);
			return;
		}
		if (plen == 58
			&& memcmp(packet->payload, "\x40\x00\x00\x00\x01\x00\xff\xff\x00\xa9", 10) == 0) {
			IPQ_LOG(IPOQUE_PROTOCOL_SECONDLIFE, ipoque_struct, IPQ_LOG_DEBUG, "Second Life 0xffff00a9 detected.\n");
			ipoque_int_secondlife_add_connection(ipoque_struct, IPOQUE_REAL_PROTOCOL);
			return;
		}
		/* Longer datagram: 7-byte prefix and the last four payload bytes all zero. */
		if (plen > 54
			&& memcmp(packet->payload, "\x40\x00\x00\x00\x01\x00\x08", 7) == 0
			&& get_u32(packet->payload, plen - 4) == 0) {
			IPQ_LOG(IPOQUE_PROTOCOL_SECONDLIFE, ipoque_struct, IPQ_LOG_DEBUG, "Second Life 0x08 detected.\n");
			ipoque_int_secondlife_add_connection(ipoque_struct, IPOQUE_REAL_PROTOCOL);
			return;
		}
	}

	/* No signature matched on this packet: stop testing this flow for Second Life. */
	IPQ_LOG(IPOQUE_PROTOCOL_SECONDLIFE, ipoque_struct, IPQ_LOG_DEBUG, "Second Life excluded.\n");
	IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_SECONDLIFE);
}
Ejemplo n.º 10
/**
 * Aimini detector, run on one packet of a flow.
 *
 * UDP: a per-flow stage counter (flow->l4.udp.aimini_stage) tracks six packet
 * sequences, each identified by payload length and the first two payload bytes
 * read in network order. The first packet selects a sequence (stage 1, 4, 7,
 * 10, 13 or 16), two further matching packets advance it, and a fourth match
 * reports IPOQUE_REAL_PROTOCOL. The stage changes only immediately before a
 * return, so exactly one stage is evaluated per packet.
 * TCP: HTTP requests whose path starts with one of a few fixed prefixes are
 * matched on the Host line and reported as IPOQUE_CORRELATED_PROTOCOL.
 * Any packet that matches nothing adds IPOQUE_PROTOCOL_AIMINI to the flow's
 * excluded bitmask.
 *
 * @param ipoque_struct detection module state holding the packet and the flow.
 */
void ipoque_search_aimini(struct ipoque_detection_module_struct *ipoque_struct)
{
    struct ipoque_packet_struct *packet = &ipoque_struct->packet;
    struct ipoque_flow_struct *flow = ipoque_struct->flow;

    IPQ_LOG(IPOQUE_PROTOCOL_AIMINI, ipoque_struct, IPQ_LOG_DEBUG, "search aimini.\n");

    if (packet->udp != NULL) {
        const unsigned int len = packet->payload_packet_len;
        /* First two payload bytes in host order. Read only when at least two bytes are
         * reported; assumes payload holds payload_packet_len bytes - TODO confirm. */
        const unsigned int tag = (len >= 2) ? ntohs(get_u16(packet->payload, 0)) : 0;

        switch (flow->l4.udp.aimini_stage) {
        case 0:
            /* The first packet decides which of the six sequences is followed. */
            if (len == 64 && tag == 0x010b) {
                flow->l4.udp.aimini_stage = 1;
                IPQ_LOG(IPOQUE_PROTOCOL_AIMINI, ipoque_struct, IPQ_LOG_DEBUG, "stage = 1.\n");
                return;
            }
            if (len == 136 && (tag == 0x01c9 || tag == 0x0165)) {
                flow->l4.udp.aimini_stage = 4;
                IPQ_LOG(IPOQUE_PROTOCOL_AIMINI, ipoque_struct, IPQ_LOG_DEBUG, "stage = 4.\n");
                return;
            }
            if (len == 88 && tag == 0x0101) {
                flow->l4.udp.aimini_stage = 7;
                IPQ_LOG(IPOQUE_PROTOCOL_AIMINI, ipoque_struct, IPQ_LOG_DEBUG, "stage = 7.\n");
                return;
            }
            if (len == 104 && tag == 0x0102) {
                flow->l4.udp.aimini_stage = 10;
                IPQ_LOG(IPOQUE_PROTOCOL_AIMINI, ipoque_struct, IPQ_LOG_DEBUG, "stage = 10.\n");
                return;
            }
            if (len == 32 && tag == 0x01ca) {
                flow->l4.udp.aimini_stage = 13;
                IPQ_LOG(IPOQUE_PROTOCOL_AIMINI, ipoque_struct, IPQ_LOG_DEBUG, "stage = 13.\n");
                return;
            }
            if (len == 16 && tag == 0x010c) {
                flow->l4.udp.aimini_stage = 16;
                IPQ_LOG(IPOQUE_PROTOCOL_AIMINI, ipoque_struct, IPQ_LOG_DEBUG, "stage = 16.\n");
                return;
            }
            break;

        /* first sequence (len, value): (64, 0x010b), (>100, 0x0115),
         * (16, 0x010c || 64, 0x010b || 88, 0x0115),
         * (16, 0x010c || 64, 0x010b || >100, 0x0115) */
        case 1:
            if (len > 100 && tag == 0x0115) {
                flow->l4.udp.aimini_stage = 2;
                IPQ_LOG(IPOQUE_PROTOCOL_AIMINI, ipoque_struct, IPQ_LOG_DEBUG, "stage = 2.\n");
                return;
            }
            break;
        case 2:
            if ((len == 16 && tag == 0x010c) || (len == 64 && tag == 0x010b) || (len == 88 && tag == 0x0115)) {
                flow->l4.udp.aimini_stage = 3;
                IPQ_LOG(IPOQUE_PROTOCOL_AIMINI, ipoque_struct, IPQ_LOG_DEBUG, "stage = 3.\n");
                return;
            }
            break;
        case 3:
            if ((len == 16 && tag == 0x010c) || (len == 64 && tag == 0x010b) || (len > 100 && tag == 0x0115)) {
                /* The log text says ">300" for the second packet; the stage-1 check is len > 100. */
                IPQ_LOG(IPOQUE_PROTOCOL_AIMINI, ipoque_struct, IPQ_LOG_DEBUG, "found aimini (64, 0x010b), (>300, 0x0115), "
                        "(16, 0x010c || 64, 0x010b), (16, 0x010c || 64, 0x010b || >100, 0x0115).\n");
                ipoque_int_aimini_add_connection(ipoque_struct, IPOQUE_REAL_PROTOCOL);
                return;
            }
            break;

        /* second sequence: three packets of (136, 0x01c9 || 0x0165), then the same or (32, 0x01ca) */
        case 4:
            if (len == 136 && (tag == 0x01c9 || tag == 0x0165)) {
                flow->l4.udp.aimini_stage = 5;
                IPQ_LOG(IPOQUE_PROTOCOL_AIMINI, ipoque_struct, IPQ_LOG_DEBUG, "stage = 5.\n");
                return;
            }
            break;
        case 5:
            if (len == 136 && (tag == 0x01c9 || tag == 0x0165)) {
                flow->l4.udp.aimini_stage = 6;
                IPQ_LOG(IPOQUE_PROTOCOL_AIMINI, ipoque_struct, IPQ_LOG_DEBUG, "stage = 6.\n");
                return;
            }
            break;
        case 6:
            if ((len == 136 && (tag == 0x0165 || tag == 0x01c9)) || (len == 32 && tag == 0x01ca)) {
                IPQ_LOG(IPOQUE_PROTOCOL_AIMINI, ipoque_struct, IPQ_LOG_DEBUG,
                        "found aimini (136, 0x01c9), (136, 0x01c9)," "(136, 0x01c9),(136, 0x01c9 || 32, 0x01ca).\n");
                ipoque_int_aimini_add_connection(ipoque_struct, IPOQUE_REAL_PROTOCOL);
                return;
            }
            break;

        /* third sequence: four packets of (88, 0x0101) */
        case 7:
            if (len == 88 && tag == 0x0101) {
                flow->l4.udp.aimini_stage = 8;
                IPQ_LOG(IPOQUE_PROTOCOL_AIMINI, ipoque_struct, IPQ_LOG_DEBUG, "stage = 8.\n");
                return;
            }
            break;
        case 8:
            if (len == 88 && tag == 0x0101) {
                flow->l4.udp.aimini_stage = 9;
                IPQ_LOG(IPOQUE_PROTOCOL_AIMINI, ipoque_struct, IPQ_LOG_DEBUG, "stage = 9.\n");
                return;
            }
            break;
        case 9:
            if (len == 88 && tag == 0x0101) {
                IPQ_LOG(IPOQUE_PROTOCOL_AIMINI, ipoque_struct, IPQ_LOG_DEBUG,
                        "found aimini (88, 0x0101), (88, 0x0101)," "(88, 0x0101),(88, 0x0101).\n");
                ipoque_int_aimini_add_connection(ipoque_struct, IPOQUE_REAL_PROTOCOL);
                return;
            }
            break;

        /* fourth sequence: three packets of (104, 0x0102), then the same or (32, 0x01ca) */
        case 10:
            if (len == 104 && tag == 0x0102) {
                flow->l4.udp.aimini_stage = 11;
                IPQ_LOG(IPOQUE_PROTOCOL_AIMINI, ipoque_struct, IPQ_LOG_DEBUG, "stage = 11.\n");
                return;
            }
            break;
        case 11:
            if (len == 104 && tag == 0x0102) {
                flow->l4.udp.aimini_stage = 12;
                IPQ_LOG(IPOQUE_PROTOCOL_AIMINI, ipoque_struct, IPQ_LOG_DEBUG, "stage = 12.\n");
                return;
            }
            break;
        case 12:
            if ((len == 104 && tag == 0x0102) || (len == 32 && tag == 0x01ca)) {
                IPQ_LOG(IPOQUE_PROTOCOL_AIMINI, ipoque_struct, IPQ_LOG_DEBUG,
                        "found aimini (104, 0x0102), (104, 0x0102), " "(104, 0x0102), (104, 0x0102).\n");
                ipoque_int_aimini_add_connection(ipoque_struct, IPOQUE_REAL_PROTOCOL);
                return;
            }
            break;

        /* fifth sequence: (32, 0x01ca) twice, then (32, 0x01ca) or (136, 0x0166) twice */
        case 13:
            if (len == 32 && tag == 0x01ca) {
                flow->l4.udp.aimini_stage = 14;
                IPQ_LOG(IPOQUE_PROTOCOL_AIMINI, ipoque_struct, IPQ_LOG_DEBUG, "stage = 14.\n");
                return;
            }
            break;
        case 14:
            if ((len == 32 && tag == 0x01ca) || (len == 136 && tag == 0x0166)) {
                flow->l4.udp.aimini_stage = 15;
                IPQ_LOG(IPOQUE_PROTOCOL_AIMINI, ipoque_struct, IPQ_LOG_DEBUG, "stage = 15.\n");
                return;
            }
            break;
        case 15:
            if ((len == 136 && tag == 0x0166) || (len == 32 && tag == 0x01ca)) {
                IPQ_LOG(IPOQUE_PROTOCOL_AIMINI, ipoque_struct, IPQ_LOG_DEBUG,
                        "found aimini (32,0x01ca), (32,0x01ca), (32,0x01ca), ((136, 0x0166)||(32,0x01ca)).\n");
                ipoque_int_aimini_add_connection(ipoque_struct, IPOQUE_REAL_PROTOCOL);
                return;
            }
            break;

        /* sixth sequence: four packets of (16, 0x010c) */
        case 16:
            if (len == 16 && tag == 0x010c) {
                flow->l4.udp.aimini_stage = 17;
                IPQ_LOG(IPOQUE_PROTOCOL_AIMINI, ipoque_struct, IPQ_LOG_DEBUG, "stage = 17.\n");
                return;
            }
            break;
        case 17:
            if (len == 16 && tag == 0x010c) {
                flow->l4.udp.aimini_stage = 18;
                IPQ_LOG(IPOQUE_PROTOCOL_AIMINI, ipoque_struct, IPQ_LOG_DEBUG, "stage = 18.\n");
                return;
            }
            break;
        case 18:
            if (len == 16 && tag == 0x010c) {
                IPQ_LOG(IPOQUE_PROTOCOL_AIMINI, ipoque_struct, IPQ_LOG_DEBUG,
                        "found aimini (16, 0x010c), (16, 0x010c), (16, 0x010c), (16, 0x010c).\n");
                ipoque_int_aimini_add_connection(ipoque_struct, IPOQUE_REAL_PROTOCOL);
                return;
            }
            break;

        default:
            break;
        }
    } else if (packet->tcp != NULL) {
        /* Player/stream requests: the Host line must end in ".aimini.net". */
        const int player_request =
            (packet->payload_packet_len > IPQ_STATICSTRING_LEN("GET /player/")
             && memcmp(packet->payload, "GET /player/", IPQ_STATICSTRING_LEN("GET /player/")) == 0)
            || (packet->payload_packet_len > IPQ_STATICSTRING_LEN("GET /play/?fid=")
                && memcmp(packet->payload, "GET /play/?fid=", IPQ_STATICSTRING_LEN("GET /play/?fid=")) == 0);

        if (player_request) {
            IPQ_LOG(IPOQUE_PROTOCOL_AIMINI, ipoque_struct, IPQ_LOG_DEBUG, "HTTP packet detected.\n");
            ipq_parse_packet_line_info(ipoque_struct);
            /* len > 11 keeps the suffix compare inside the Host line. */
            if (packet->host_line.ptr != NULL && packet->host_line.len > 11
                    && memcmp(&packet->host_line.ptr[packet->host_line.len - 11], ".aimini.net", 11) == 0) {
                IPQ_LOG(IPOQUE_PROTOCOL_AIMINI, ipoque_struct, IPQ_LOG_DEBUG, "AIMINI HTTP traffic detected.\n");
                ipoque_int_aimini_add_connection(ipoque_struct, IPOQUE_CORRELATED_PROTOCOL);
                return;
            }
        }

        /* Requests longer than 100 bytes, so every fixed-prefix compare below stays in bounds. */
        if (packet->payload_packet_len > 100) {
            const int transfer_request =
                memcmp(packet->payload, "GET /play/", IPQ_STATICSTRING_LEN("GET /play/")) == 0
                || memcmp(packet->payload, "GET /download/", IPQ_STATICSTRING_LEN("GET /download/")) == 0
                || memcmp(packet->payload, "POST /upload/", IPQ_STATICSTRING_LEN("POST /upload/")) == 0;

            if (transfer_request) {
                ipq_parse_packet_line_info(ipoque_struct);
                /* is_special_aimini_host is defined outside this block; only a return of 1 counts as a match. */
                if (is_special_aimini_host(packet->host_line) == 1) {
                    IPQ_LOG(IPOQUE_PROTOCOL_AIMINI, ipoque_struct, IPQ_LOG_DEBUG,
                            "AIMINI HTTP traffic detected.\n");
                    ipoque_int_aimini_add_connection(ipoque_struct, IPOQUE_CORRELATED_PROTOCOL);
                    return;
                }
            }
        }
    }

    /* Nothing matched on this packet: stop testing this flow for Aimini. */
    IPQ_LOG(IPOQUE_PROTOCOL_AIMINI, ipoque_struct, IPQ_LOG_DEBUG, "exclude aimini.\n");
    IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_AIMINI);

}