Example #1
0
/*
 * Mark HTTP, and every HTTP-carried media/download protocol compiled into
 * this build, as excluded for the given flow by setting their bits in
 * flow->excluded_protocol_bitmask.  (The dispatcher presumably skips excluded
 * protocols on later packets of the flow — confirm against the caller.)
 *
 * Each optional protocol is wrapped in its own #ifdef because the protocol id
 * only exists when that detector is compiled in; HTTP itself is unconditional.
 */
static void http_bitmask_exclude(struct ipoque_flow_struct *flow)
{
  IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_HTTP);
#ifdef IPOQUE_PROTOCOL_MPEG
  IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_MPEG);
#endif
#ifdef IPOQUE_PROTOCOL_QUICKTIME
  IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_QUICKTIME);
#endif
#ifdef IPOQUE_PROTOCOL_WINDOWSMEDIA
  IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_WINDOWSMEDIA);
#endif
#ifdef IPOQUE_PROTOCOL_REALMEDIA
  IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_REALMEDIA);
#endif
#ifdef IPOQUE_PROTOCOL_AVI
  IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_AVI);
#endif
#ifdef IPOQUE_PROTOCOL_OGG
  IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_OGG);
#endif
#ifdef IPOQUE_PROTOCOL_MOVE
  IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_MOVE);
#endif
#ifdef IPOQUE_PROTOCOL_OFF
  IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_OFF);
#endif
#ifdef IPOQUE_PROTOCOL_XBOX
  IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_XBOX);
#endif
}
Example #2
0
/*
 * UDP Thunder probe.
 *
 * A candidate packet carries more than 8 payload bytes, a first byte in
 * 0x30..0x3f and three zero bytes after it (the length guard keeps all four
 * reads in bounds).  Each candidate bumps flow->thunder_stage; once the stage
 * has reached 3 the next candidate is reported as Thunder.  A packet that does
 * not match excludes Thunder for the flow.
 */
static inline void ipoque_int_search_thunder_udp(struct ipoque_detection_module_struct
												 *ipoque_struct)
{
	struct ipoque_packet_struct *packet = &ipoque_struct->packet;
	struct ipoque_flow_struct *flow = ipoque_struct->flow;
	int candidate;

	candidate = packet->payload_packet_len > 8
		&& packet->payload[0] >= 0x30 && packet->payload[0] < 0x40
		&& packet->payload[1] == 0 && packet->payload[2] == 0 && packet->payload[3] == 0;

	if (!candidate) {
		IPQ_LOG(IPOQUE_PROTOCOL_THUNDER, ipoque_struct, IPQ_LOG_DEBUG,
				"excluding thunder udp at stage %u\n", flow->thunder_stage);
		IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_THUNDER);
		return;
	}

	if (flow->thunder_stage == 3) {
		IPQ_LOG(IPOQUE_PROTOCOL_THUNDER, ipoque_struct, IPQ_LOG_DEBUG, "THUNDER udp detected\n");
		ipoque_int_thunder_add_connection(ipoque_struct);
		return;
	}

	/* not enough evidence yet: remember this candidate and wait for the next packet */
	flow->thunder_stage++;
	IPQ_LOG(IPOQUE_PROTOCOL_THUNDER, ipoque_struct, IPQ_LOG_DEBUG,
			"maybe thunder udp packet detected, stage increased to %u\n", flow->thunder_stage);
}
Example #3
0
/*
 * Kontiki (UDP) probe.  Three fixed-size message shapes are recognised:
 *  - 4 bytes equal to 02 01 01 00;
 *  - 20 bytes starting with 0x02 and ending with 02 04 01 00;
 *  - 16 bytes starting with 0x02 and ending with 00 00 04 e4.
 * Every 32-bit read sits at (len - 4), so the exact-length tests keep the
 * reads in bounds.  Anything else excludes Kontiki for the flow.
 */
void ipoque_search_kontiki(struct ipoque_detection_module_struct *ipoque_struct)
{
	struct ipoque_packet_struct *packet = &ipoque_struct->packet;
	struct ipoque_flow_struct *flow = ipoque_struct->flow;
	int found = 0;

	if (packet->payload_packet_len == 4) {
		found = get_u32(packet->payload, 0) == htonl(0x02010100);
	} else if (packet->payload_packet_len > 0 && packet->payload[0] == 0x02) {
		if (packet->payload_packet_len == 20) {
			found = get_u32(packet->payload, 16) == htonl(0x02040100);
		} else if (packet->payload_packet_len == 16) {
			found = get_u32(packet->payload, 12) == htonl(0x000004e4);
		}
	}

	if (found) {
		IPQ_LOG(IPOQUE_PROTOCOL_KONTIKI, ipoque_struct, IPQ_LOG_DEBUG, "Kontiki UDP detected.\n");
		ipoque_int_kontiki_add_connection(ipoque_struct);
		return;
	}

	IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_KONTIKI);
}
Example #4
0
/*
 * MySQL (TCP) probe on the server greeting packet.
 *
 * Header checks: the first two bytes (read with get_u16) plus a zero third
 * byte must equal payload length minus the 4-byte header, the sequence number
 * (byte 3) must be 0, byte 5 must be a server-version digit '1'..'6' and
 * byte 6 the following dot.  After the NUL that ends the version string the
 * greeting must carry zero filler bytes at the expected offsets.
 *
 * NOTE(review): the length compare uses the raw get_u16 value without byte
 * swapping, so it matches MySQL's little-endian length only on little-endian
 * hosts — confirm get_u16 is a plain memory read before relying on this on a
 * big-endian target.
 */
void ipoque_search_mysql_tcp(struct ipoque_detection_module_struct *ipoque_struct)
{
	struct ipoque_packet_struct *packet = &ipoque_struct->packet;
	struct ipoque_flow_struct *flow = ipoque_struct->flow;
	int header_ok;

	header_ok = packet->payload_packet_len > 37	/* min length */
		&& get_u16(packet->payload, 0) == packet->payload_packet_len - 4	/* 3-byte packet length */
		&& get_u8(packet->payload, 2) == 0x00	/* high byte of packet length */
		&& get_u8(packet->payload, 3) == 0x00	/* sequence number of the greeting */
		&& get_u8(packet->payload, 5) > 0x30	/* version digit > '0' */
		&& get_u8(packet->payload, 5) < 0x37	/* version digit < '7' */
		&& get_u8(packet->payload, 6) == 0x2e;	/* '.' */

	if (header_ok) {
		u32 off = 7;

		/* locate the NUL ending the version string; off + 31 < len keeps every read below in bounds */
		while (off + 31 < packet->payload_packet_len && packet->payload[off] != 0x00) {
			off++;
		}

		if (off + 31 < packet->payload_packet_len
			&& get_u8(packet->payload, off + 13) == 0x00	/* filler byte */
			&& get_u64(packet->payload, off + 19) == 0x0ULL	/* 13 more */
			&& get_u32(packet->payload, off + 27) == 0x0	/* filler bytes */
			&& get_u8(packet->payload, off + 31) == 0x0) {
			IPQ_LOG(IPOQUE_PROTOCOL_MYSQL, ipoque_struct, IPQ_LOG_DEBUG, "MySQL detected.\n");
			ipoque_int_mysql_add_connection(ipoque_struct);
			return;
		}
	}

	IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_MYSQL);
}
Example #5
0
/*
 * Icecast (TCP) probe with two detection paths:
 *  - source/client side: a payload shorter than 500 bytes starting with
 *    "SOURCE " (or a flow already at icecast_stage 1) is split into unix
 *    lines and any line beginning with "ice-" reports Icecast; a first packet
 *    that yields no lines parks the flow at stage 1 and waits;
 *  - server side: once a packet arrives against the setup direction, a Server
 *    header starting with "Icecast" reports it.
 * The flow is excluded immediately if HTTP is already excluded for it, or when
 * neither path matches; same-direction packets are waited out for up to 10
 * packets before that.
 */
void ipoque_search_icecast_tcp(struct ipoque_detection_module_struct
							   *ipoque_struct)
{
	struct ipoque_packet_struct *packet = &ipoque_struct->packet;
	struct ipoque_flow_struct *flow = ipoque_struct->flow;

	/* NOTE(review): u8 index — assumes parsed_unix_lines never exceeds 255, otherwise the loop below cannot terminate; confirm the field's bound */
	u8 i;

	IPQ_LOG(IPOQUE_PROTOCOL_ICECAST, ipoque_struct, IPQ_LOG_DEBUG, "search icecast.\n");

	if ((packet->payload_packet_len < 500 &&
		 packet->payload_packet_len >= 7 && ipq_mem_cmp(packet->payload, "SOURCE ", 7) == 0)
		|| flow->l4.tcp.icecast_stage) {
		ipq_parse_packet_line_info_unix(ipoque_struct);
		IPQ_LOG(IPOQUE_PROTOCOL_ICECAST, ipoque_struct, IPQ_LOG_DEBUG, "Icecast lines=%d\n", packet->parsed_unix_lines);
		for (i = 0; i < packet->parsed_unix_lines; i++) {
			/* len > 4 keeps the 4-byte "ice-" compare in bounds */
			if (packet->unix_line[i].ptr != NULL && packet->unix_line[i].len > 4
				&& ipq_mem_cmp(packet->unix_line[i].ptr, "ice-", 4) == 0) {
				IPQ_LOG(IPOQUE_PROTOCOL_ICECAST, ipoque_struct, IPQ_LOG_DEBUG, "Icecast detected.\n");
				ipoque_int_icecast_add_connection(ipoque_struct);
				return;
			}
		}

		/* no header lines yet on the first SOURCE packet: remember and wait for the next one */
		if (packet->parsed_unix_lines < 1 && !flow->l4.tcp.icecast_stage) {
			flow->l4.tcp.icecast_stage = 1;
			return;
		}
	}
#ifdef IPOQUE_PROTOCOL_HTTP
	if (IPQ_FLOW_PROTOCOL_EXCLUDED(ipoque_struct, flow, IPOQUE_PROTOCOL_HTTP)) {
		goto icecast_exclude;
	}
#endif

	/* still the request side: keep waiting for a server answer (up to 10 packets) */
	if (packet->packet_direction == flow->setup_packet_direction && flow->packet_counter < 10) {
		return;
	}

	if (packet->packet_direction != flow->setup_packet_direction) {
		/* server answer, now test Server for Icecast */


		ipq_parse_packet_line_info(ipoque_struct);

		if (packet->server_line.ptr != NULL && packet->server_line.len > IPQ_STATICSTRING_LEN("Icecast") &&
			memcmp(packet->server_line.ptr, "Icecast", IPQ_STATICSTRING_LEN("Icecast")) == 0) {
			IPQ_LOG(IPOQUE_PROTOCOL_ICECAST, ipoque_struct, IPQ_LOG_DEBUG, "Icecast detected.\n");
			/* TODO maybe store the previous protocol type as subtype?
			 *      e.g. ogg or mpeg
			 */
			ipoque_int_icecast_add_connection(ipoque_struct);
			return;
		}
	}

  icecast_exclude:
	IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_ICECAST);
	IPQ_LOG(IPOQUE_PROTOCOL_ICECAST, ipoque_struct, IPQ_LOG_DEBUG, "Icecast excluded.\n");
}
Example #6
0
/*
 * Record RTSP as the detected protocol of the current flow and packet, and
 * set the RTSP bit on the source and destination id structs when they are
 * present (either may be NULL).
 */
static void ipoque_int_rtsp_add_connection(struct ipoque_detection_module_struct
										   *ipoque_struct)
{
	struct ipoque_id_struct *ends[2];
	int k;

	ipoque_struct->flow->detected_protocol = IPOQUE_PROTOCOL_RTSP;
	ipoque_struct->packet.detected_protocol = IPOQUE_PROTOCOL_RTSP;

	ends[0] = ipoque_struct->src;
	ends[1] = ipoque_struct->dst;
	for (k = 0; k < 2; k++) {
		if (ends[k] != NULL) {
			IPOQUE_ADD_PROTOCOL_TO_BITMASK(ends[k]->detected_protocol_bitmask, IPOQUE_PROTOCOL_RTSP);
		}
	}
}
Example #7
0
/*
 * Record Thunder as the detected protocol of the current flow and packet.
 * For each endpoint id struct that is present (src, dst — either may be
 * NULL) the Thunder bit is set and thunder_ts is stamped with the packet's
 * tick_timestamp.
 */
static void ipoque_int_thunder_add_connection(struct ipoque_detection_module_struct
											  *ipoque_struct)
{
	struct ipoque_packet_struct *packet = &ipoque_struct->packet;
	struct ipoque_id_struct *ends[2];
	int k;

	ipoque_struct->flow->detected_protocol = IPOQUE_PROTOCOL_THUNDER;
	packet->detected_protocol = IPOQUE_PROTOCOL_THUNDER;

	ends[0] = ipoque_struct->src;
	ends[1] = ipoque_struct->dst;
	for (k = 0; k < 2; k++) {
		if (ends[k] == NULL) {
			continue;
		}
		IPOQUE_ADD_PROTOCOL_TO_BITMASK(ends[k]->detected_protocol_bitmask, IPOQUE_PROTOCOL_THUNDER);
		ends[k]->thunder_ts = packet->tick_timestamp;
	}
}
Example #8
0
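/*
 * TCP Thunder probe.  Two signatures are recognised:
 *  1. the binary framing also used on UDP: more than 8 payload bytes, a first
 *     byte in 0x30..0x3f followed by three zero bytes.  Each such packet bumps
 *     flow->thunder_stage; once the stage is 3 the next one reports Thunder;
 *  2. at stage 0 only, an HTTP "POST / HTTP/1.1" whose content_line
 *     (presumably the Content-Type header) is exactly
 *     "application/octet-stream" and whose body — the bytes after the empty
 *     line — starts with the same 0x3x 00 00 00 framing.
 * Any other packet excludes Thunder for the flow.
 *
 * Review fix: the body check used to range-check empty_line_position_set (a
 * flag) instead of empty_line_position (the offset actually indexed), so the
 * payload[empty_line_position + 2..5] reads were not bounded by the payload
 * length for a crafted packet.  The bound is now applied to the offset that
 * is used.
 */
static inline void ipoque_int_search_thunder_tcp(struct ipoque_detection_module_struct
												 *ipoque_struct)
{
	struct ipoque_packet_struct *packet = &ipoque_struct->packet;
	struct ipoque_flow_struct *flow = ipoque_struct->flow;

	if (packet->payload_packet_len > 8 && packet->payload[0] >= 0x30
		&& packet->payload[0] < 0x40 && packet->payload[1] == 0 && packet->payload[2] == 0 && packet->payload[3] == 0) {
		if (flow->thunder_stage == 3) {
			IPQ_LOG(IPOQUE_PROTOCOL_THUNDER, ipoque_struct, IPQ_LOG_DEBUG, "THUNDER tcp detected\n");
			ipoque_int_thunder_add_connection(ipoque_struct);
			return;
		}

		/* not enough evidence yet: remember this candidate and wait for the next packet */
		flow->thunder_stage++;
		IPQ_LOG(IPOQUE_PROTOCOL_THUNDER, ipoque_struct, IPQ_LOG_DEBUG,
				"maybe thunder tcp packet detected, stage increased to %u\n", flow->thunder_stage);
		return;
	}

	/* len > 17 keeps the 17-byte request-line compare in bounds */
	if (flow->thunder_stage == 0 && packet->payload_packet_len > 17
		&& ipq_mem_cmp(packet->payload, "POST / HTTP/1.1\r\n", 17) == 0) {
		ipq_parse_packet_line_info(ipoque_struct);

		IPQ_LOG(IPOQUE_PROTOCOL_THUNDER, ipoque_struct, IPQ_LOG_DEBUG,
				"maybe thunder http POST packet detected, parsed packet lines: %u, empty line set %u (at: %u)\n",
				packet->parsed_lines, packet->empty_line_position_set, packet->empty_line_position);

		/*
		 * The body offset comes from the parsed (attacker-controlled) headers, so
		 * it must be bounded before payload[empty_line_position + 2..5] is read:
		 * empty_line_position < len - 8 leaves those four bytes inside the payload.
		 */
		if (packet->empty_line_position_set != 0 &&
			packet->content_line.ptr != NULL &&
			packet->content_line.len == 24 &&
			ipq_mem_cmp(packet->content_line.ptr, "application/octet-stream",
						24) == 0 && packet->empty_line_position < (packet->payload_packet_len - 8)
			&& packet->payload[packet->empty_line_position + 2] >= 0x30
			&& packet->payload[packet->empty_line_position + 2] < 0x40
			&& packet->payload[packet->empty_line_position + 3] == 0x00
			&& packet->payload[packet->empty_line_position + 4] == 0x00
			&& packet->payload[packet->empty_line_position + 5] == 0x00) {
			IPQ_LOG(IPOQUE_PROTOCOL_THUNDER, ipoque_struct, IPQ_LOG_DEBUG,
					"maybe thunder http POST packet application does match\n");
			ipoque_int_thunder_add_connection(ipoque_struct);
			return;
		}
	}
	IPQ_LOG(IPOQUE_PROTOCOL_THUNDER, ipoque_struct, IPQ_LOG_DEBUG,
			"excluding thunder tcp at stage %u\n", flow->thunder_stage);

	IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_THUNDER);
}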
Example #9
0
/*
 * Pando probe for both TCP and UDP.  The actual matching lives in
 * search_pando(); a zero result means nothing matched and Pando is excluded
 * for the flow, any non-zero result is left to search_pando's own handling.
 */
void ipoque_search_pando_tcp_udp(struct ipoque_detection_module_struct
                                 *ipoque_struct)
{
    if (search_pando(ipoque_struct) == 0) {
        IPOQUE_ADD_PROTOCOL_TO_BITMASK(ipoque_struct->flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_PANDO);
    }
}
Example #10
0
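/*
 * MapleStory probe.
 *
 * Two shapes are recognised:
 *  - a 16-byte binary packet starting with one of three known 32-bit words,
 *    0x0100 at offset 4 and '2' or '3' at offset 6 (reported as the real
 *    protocol);
 *  - an HTTP "GET /maple..." request: either "GET /maple/patch..." with a
 *    "Patcher" User-Agent and a "patch." Host, or "GET /maplestory/..." with
 *    an "AspINet" User-Agent (both reported as correlated traffic, i.e. the
 *    game updater).
 * Anything else excludes MapleStory for the flow.
 *
 * Review fix: the "GET /maplestory/" branch compared 6 bytes at offset 10
 * while only payload_packet_len > 10 had been established; an explicit
 * length guard now precedes that memcmp so the read cannot leave the payload
 * however the line parser behaves on short packets.
 */
void ipoque_search_maplestory(struct ipoque_detection_module_struct *ipoque_struct)
{
	struct ipoque_packet_struct *packet = &ipoque_struct->packet;
	struct ipoque_flow_struct *flow = ipoque_struct->flow;

	if (packet->payload_packet_len == 16
		&& (ntohl(get_u32(packet->payload, 0)) == 0x0e003a00 || ntohl(get_u32(packet->payload, 0)) == 0x0e003b00
			|| ntohl(get_u32(packet->payload, 0)) == 0x0e004200)
		&& ntohs(get_u16(packet->payload, 4)) == 0x0100 && (packet->payload[6] == 0x32 || packet->payload[6] == 0x33)) {
		IPQ_LOG(IPOQUE_PROTOCOL_MAPLESTORY, ipoque_struct, IPQ_LOG_DEBUG, "found maplestory.\n");
		ipoque_int_maplestory_add_connection(ipoque_struct, IPOQUE_REAL_PROTOCOL);
		return;
	}

	if (packet->payload_packet_len > IPQ_STATICSTRING_LEN("GET /maple")
		&& memcmp(packet->payload, "GET /maple", IPQ_STATICSTRING_LEN("GET /maple")) == 0) {
		ipq_parse_packet_line_info(ipoque_struct);
		/* Maplestory update */
		if (packet->payload_packet_len > IPQ_STATICSTRING_LEN("GET /maple/patch")
			&& packet->payload[IPQ_STATICSTRING_LEN("GET /maple")] == '/') {
			/* len > 16 above keeps the 5-byte "patch" compare at offset 11 in bounds */
			if (packet->user_agent_line.ptr != NULL && packet->host_line.ptr != NULL
				&& packet->user_agent_line.len == IPQ_STATICSTRING_LEN("Patcher")
				&& packet->host_line.len > IPQ_STATICSTRING_LEN("patch.")
				&& memcmp(&packet->payload[IPQ_STATICSTRING_LEN("GET /maple/")], "patch",
						  IPQ_STATICSTRING_LEN("patch")) == 0
				&& memcmp(packet->user_agent_line.ptr, "Patcher", IPQ_STATICSTRING_LEN("Patcher")) == 0
				&& memcmp(packet->host_line.ptr, "patch.", IPQ_STATICSTRING_LEN("patch.")) == 0) {
				IPQ_LOG(IPOQUE_PROTOCOL_MAPLESTORY, ipoque_struct, IPQ_LOG_DEBUG, "found maplestory update.\n");
				ipoque_int_maplestory_add_connection(ipoque_struct, IPOQUE_CORRELATED_PROTOCOL);
				return;
			}
		} else if (packet->payload_packet_len >= IPQ_STATICSTRING_LEN("GET /maplestory/")	/* bounds the 6-byte compare below */
				   && packet->user_agent_line.ptr != NULL
				   && packet->user_agent_line.len == IPQ_STATICSTRING_LEN("AspINet")
				   && memcmp(&packet->payload[IPQ_STATICSTRING_LEN("GET /maple")], "story/",
							 IPQ_STATICSTRING_LEN("story/")) == 0
				   && memcmp(packet->user_agent_line.ptr, "AspINet", IPQ_STATICSTRING_LEN("AspINet")) == 0) {
			IPQ_LOG(IPOQUE_PROTOCOL_MAPLESTORY, ipoque_struct, IPQ_LOG_DEBUG, "found maplestory update.\n");
			ipoque_int_maplestory_add_connection(ipoque_struct, IPOQUE_CORRELATED_PROTOCOL);
			return;
		}
	}

	IPQ_LOG(IPOQUE_PROTOCOL_MAPLESTORY, ipoque_struct, IPQ_LOG_DEBUG, "exclude maplestory.\n");
	IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_MAPLESTORY);

}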
Example #11
0
/*
 * Filetopia (TCP) probe, a three-step state machine on flow->filetopia_stage:
 *  stage 0: a 50..70 byte message 03 9a ?? 22 ... 2b moves to stage 1;
 *  stage 1: a message of at least 100 bytes, 03 9a ?? 22|23, whose ten bytes
 *           at offset 5 are all printable ASCII moves to stage 2;
 *  stage 2: a 4..100 byte message 03 9a ?? 22|23 reports Filetopia.
 * A packet that does not fit the current stage (or any other stage value)
 * excludes Filetopia for the flow.  Every length test keeps the indexed bytes
 * in bounds.
 */
void ipoque_search_filetopia_tcp(struct ipoque_detection_module_struct
								 *ipoque_struct)
{
	struct ipoque_packet_struct *packet = &ipoque_struct->packet;
	struct ipoque_flow_struct *flow = ipoque_struct->flow;

	switch (flow->filetopia_stage) {
	case 0:
		if (packet->payload_packet_len >= 50 && packet->payload_packet_len <= 70
			&& packet->payload[0] == 0x03 && packet->payload[1] == 0x9a
			&& packet->payload[3] == 0x22 && packet->payload[packet->payload_packet_len - 1] == 0x2b) {
			IPQ_LOG(IPOQUE_PROTOCOL_FILETOPIA, ipoque_struct, IPQ_LOG_DEBUG, "Filetopia stage 1 detected\n");
			flow->filetopia_stage = 1;
			return;
		}
		break;

	case 1:
		if (packet->payload_packet_len >= 100 && packet->payload[0] == 0x03
			&& packet->payload[1] == 0x9a && (packet->payload[3] == 0x22 || packet->payload[3] == 0x23)) {
			int k;
			int printable = 1;

			/* the ten bytes at offset 5 must all be printable ASCII (0x20..0x7e) */
			for (k = 0; k < 10 && printable; k++) {
				if (packet->payload[5 + k] < 0x20 || packet->payload[5 + k] > 0x7e) {
					printable = 0;
				}
			}

			if (printable) {
				IPQ_LOG(IPOQUE_PROTOCOL_FILETOPIA, ipoque_struct, IPQ_LOG_DEBUG, "Filetopia stage 2 detected\n");
				flow->filetopia_stage = 2;
				return;
			}
		}
		break;

	case 2:
		if (packet->payload_packet_len >= 4 && packet->payload_packet_len <= 100
			&& packet->payload[0] == 0x03 && packet->payload[1] == 0x9a
			&& (packet->payload[3] == 0x22 || packet->payload[3] == 0x23)) {
			IPQ_LOG(IPOQUE_PROTOCOL_FILETOPIA, ipoque_struct, IPQ_LOG_DEBUG, "Filetopia detected\n");
			ipoque_int_filetopia_add_connection(ipoque_struct);
			return;
		}
		break;

	default:
		break;
	}

	IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_FILETOPIA);
}
Example #12
0
/*
 * pcAnywhere probe.  Only a UDP datagram to port 5632 with a two-byte
 * payload of "NQ" (name query) or "ST" (status query) is reported; anything
 * else excludes pcAnywhere for the flow.
 */
void ipoque_search_pcanywhere(struct ipoque_detection_module_struct
							  *ipoque_struct)
{
	struct ipoque_packet_struct *packet = &ipoque_struct->packet;
	struct ipoque_flow_struct *flow = ipoque_struct->flow;
	int is_query = 0;

	if (packet->udp != NULL && packet->udp->dest == htons(5632) && packet->payload_packet_len == 2) {
		is_query = ipq_mem_cmp(packet->payload, "NQ", 2) == 0
			|| ipq_mem_cmp(packet->payload, "ST", 2) == 0;
	}

	if (!is_query) {
		IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_PCANYWHERE);
		return;
	}

	IPQ_LOG(IPOQUE_PROTOCOL_PCANYWHERE, ipoque_struct, IPQ_LOG_DEBUG,
			"PC Anywhere name or status query detected.\n");
	ipoque_int_pcanywhere_add_connection(ipoque_struct);
}
Example #13
0
/*
 * SopCast (TCP) probe.  Only the first packet of a flow, exactly 54 bytes
 * long and starting with the big-endian word 0x0036, is handed to
 * ipoque_int_is_sopcast_tcp() for the full check; a hit reports SopCast,
 * anything else excludes it for the flow.
 */
static void ipoque_search_sopcast_tcp(struct ipoque_detection_module_struct
									  *ipoque_struct)
{
	struct ipoque_packet_struct *packet = &ipoque_struct->packet;
	struct ipoque_flow_struct *flow = ipoque_struct->flow;
	int candidate;

	candidate = flow->packet_counter == 1
		&& packet->payload_packet_len == 54
		&& get_u16(packet->payload, 0) == ntohs(0x0036);

	if (candidate && ipoque_int_is_sopcast_tcp(packet->payload, packet->payload_packet_len)) {
		IPQ_LOG(IPOQUE_PROTOCOL_SOPCAST, ipoque_struct, IPQ_LOG_DEBUG, "found sopcast TCP \n");
		ipoque_int_sopcast_add_connection(ipoque_struct);
		return;
	}

	IPQ_LOG(IPOQUE_PROTOCOL_SOPCAST, ipoque_struct, IPQ_LOG_DEBUG, "exclude sopcast TCP.  \n");
	IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_SOPCAST);
}
Example #14
0
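/*
 * Socrates probe.
 *  - UDP: more than 9 payload bytes, first byte 0xfe, last byte 0x05 and
 *    "socrates" at offset 2 (len > 9 keeps the 8-byte compare at [2..9] in
 *    bounds);
 *  - TCP: more than 13 payload bytes, first byte 0xfe, last byte 0x05, a
 *    big-endian length at offset 2 equal to the payload length and
 *    "socrates" at offset 6 (len > 13 keeps [6..13] in bounds).
 * Anything else excludes Socrates for the flow.
 *
 * Review fix: the function used to fall through to the exclude path even
 * after reporting a match, so a detected flow was also marked excluded (and
 * logged as such).  Every other detector in this file returns right after its
 * *_add_connection call; this one now does the same.
 */
void ipoque_search_socrates(struct ipoque_detection_module_struct
							*ipoque_struct)
{
	struct ipoque_packet_struct *packet = &ipoque_struct->packet;
	struct ipoque_flow_struct *flow = ipoque_struct->flow;

	IPQ_LOG(IPOQUE_PROTOCOL_SOCRATES, ipoque_struct, IPQ_LOG_DEBUG, "search socrates.\n");
	if (packet->udp != NULL) {
		if (packet->payload_packet_len > 9 && packet->payload[0] == 0xfe
			&& packet->payload[packet->payload_packet_len - 1] == 0x05) {
			IPQ_LOG(IPOQUE_PROTOCOL_SOCRATES, ipoque_struct, IPQ_LOG_DEBUG, "found fe.\n");

			/* NOTE(review): unlike the TCP path no length field is verified here; the log line only mirrors it */
			IPQ_LOG(IPOQUE_PROTOCOL_SOCRATES, ipoque_struct, IPQ_LOG_DEBUG, "len match.\n");
			if (memcmp(&packet->payload[2], "socrates", 8) == 0) {
				IPQ_LOG(IPOQUE_PROTOCOL_SOCRATES, ipoque_struct, IPQ_LOG_DEBUG, "found socrates udp.\n");
				ipoque_socrates_add_connection(ipoque_struct);
				return;	/* detected: do not mark the protocol excluded below */
			}

		}
	} else if (packet->tcp != NULL) {
		if (packet->payload_packet_len > 13 && packet->payload[0] == 0xfe
			&& packet->payload[packet->payload_packet_len - 1] == 0x05) {
			IPQ_LOG(IPOQUE_PROTOCOL_SOCRATES, ipoque_struct, IPQ_LOG_DEBUG, "found fe.\n");
			if (packet->payload_packet_len == ntohl(get_u32(packet->payload, 2))) {
				IPQ_LOG(IPOQUE_PROTOCOL_SOCRATES, ipoque_struct, IPQ_LOG_DEBUG, "len match.\n");
				if (memcmp(&packet->payload[6], "socrates", 8) == 0) {
					IPQ_LOG(IPOQUE_PROTOCOL_SOCRATES, ipoque_struct, IPQ_LOG_DEBUG, "found socrates tcp.\n");
					ipoque_socrates_add_connection(ipoque_struct);
					return;	/* detected: do not mark the protocol excluded below */
				}
			}
		}
	}

	IPQ_LOG(IPOQUE_PROTOCOL_SOCRATES, ipoque_struct, IPQ_LOG_DEBUG, "exclude socrates.\n");
	IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_SOCRATES);
}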
Example #15
0
/*
 * MMS (Microsoft Media Server, TCP) probe.
 *
 * A packet of at least 20 bytes carrying ce fa 0b b0 at offset 4 and
 * "MMS " (4d 4d 53 20) at offset 12 is an MSMMS message.  The first one seen
 * (mms_stage 0) is treated as the request and records the direction it came
 * from as mms_stage = 1 + direction; a second one arriving from the opposite
 * direction (mms_stage == 2 - direction, since direction is 0 or 1) is the
 * response and reports MMS.
 *
 * When HTTP is compiled in, the exclude is deferred until HTTP itself has
 * been excluded for the flow, so MMS-over-HTTP is not ruled out too early.
 */
void ipoque_search_mms_tcp(struct ipoque_detection_module_struct *ipoque_struct)
{
	struct ipoque_packet_struct *packet = &ipoque_struct->packet;
	struct ipoque_flow_struct *flow = ipoque_struct->flow;
//      struct ipoque_id_struct         *src=ipoque_struct->src;
//      struct ipoque_id_struct         *dst=ipoque_struct->dst;


	/* search MSMMS packets */
	/* len >= 20 keeps every indexed byte (up to offset 15) in bounds */
	if (packet->payload_packet_len >= 20) {

		if (flow->l4.tcp.mms_stage == 0 && packet->payload[4] == 0xce
			&& packet->payload[5] == 0xfa && packet->payload[6] == 0x0b
			&& packet->payload[7] == 0xb0 && packet->payload[12] == 0x4d
			&& packet->payload[13] == 0x4d && packet->payload[14] == 0x53 && packet->payload[15] == 0x20) {
			IPQ_LOG(IPOQUE_PROTOCOL_MMS, ipoque_struct, IPQ_LOG_DEBUG, "MMS: MSMMS Request found \n");
			/* remember which direction the request came from: 1 for direction 0, 2 for direction 1 */
			flow->l4.tcp.mms_stage = 1 + packet->packet_direction;
			return;
		}

		/* only a message from the other direction than the request counts as the response */
		if (flow->l4.tcp.mms_stage == 2 - packet->packet_direction
			&& packet->payload[4] == 0xce && packet->payload[5] == 0xfa
			&& packet->payload[6] == 0x0b && packet->payload[7] == 0xb0
			&& packet->payload[12] == 0x4d && packet->payload[13] == 0x4d
			&& packet->payload[14] == 0x53 && packet->payload[15] == 0x20) {
			IPQ_LOG(IPOQUE_PROTOCOL_MMS, ipoque_struct, IPQ_LOG_DEBUG, "MMS: MSMMS Response found \n");
			ipoque_int_mms_add_connection(ipoque_struct);
			return;
		}
	}
#ifdef IPOQUE_PROTOCOL_HTTP
	if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_HTTP) != 0) {
#endif							/* IPOQUE_PROTOCOL_HTTP */
		IPQ_LOG(IPOQUE_PROTOCOL_MMS, ipoque_struct, IPQ_LOG_DEBUG, "MMS: exclude\n");
		IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_MMS);

#ifdef IPOQUE_PROTOCOL_HTTP
	} else {
		IPQ_LOG(IPOQUE_PROTOCOL_MMS, ipoque_struct, IPQ_LOG_DEBUG, "MMS avoid early exclude from http\n");
	}
#endif							/* IPOQUE_PROTOCOL_HTTP */

}
Example #16
0
/*
 * xtables option parser for the opendpi match.
 *
 * Every supported protocol is exposed as its own option whose id equals the
 * protocol number, so an option id in 1..IPOQUE_MAX_SUPPORTED_PROTOCOLS sets
 * that protocol's bit in the match's flags bitmask, marks *flags as "an option
 * was given" and returns true.  Any other option id leaves *flags at 0 and
 * returns false.  The remaining parameters are required by the xtables
 * callback signature and are not used.
 */
static int 
opendpi_mt4_parse(int c, char **argv, int invert, unsigned int *flags,
                  const void *entry, struct xt_entry_match **match)
{
	struct xt_opendpi_mtinfo *info = (void *)(*match)->data;

        *flags = 0;
        if (c >= 1 && c <= IPOQUE_MAX_SUPPORTED_PROTOCOLS) {
                IPOQUE_ADD_PROTOCOL_TO_BITMASK(info->flags, c);
                *flags = 1;
                return true;
        }

	return false;
}
Example #17
0
/*
 * OpenFT (TCP) probe.  An HTTP "GET /" request whose second header line
 * starts with "X-OpenftAlias:" reports OpenFT; any other packet excludes it
 * for the flow.
 */
void ipoque_search_openft_tcp(struct ipoque_detection_module_struct
							  *ipoque_struct)
{
	struct ipoque_packet_struct *packet = &ipoque_struct->packet;
	struct ipoque_flow_struct *flow = ipoque_struct->flow;

	/* only HTTP GET requests are candidates (len > 5 keeps the 5-byte compare in bounds) */
	if (packet->payload_packet_len <= 5 || memcmp(packet->payload, "GET /", 5) != 0) {
		IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_OPENFT);
		return;
	}

	IPQ_LOG(IPOQUE_PROTOCOL_OPENFT, ipoque_struct, IPQ_LOG_DEBUG, "HTTP packet detected.\n");
	ipq_parse_packet_line_info(ipoque_struct);

	/* line[1].len > 13 keeps the 14-byte header-name compare in bounds */
	if (packet->parsed_lines >= 2
		&& packet->line[1].len > 13 && ipq_mem_cmp(packet->line[1].ptr, "X-OpenftAlias:", 14) == 0) {
		IPQ_LOG(IPOQUE_PROTOCOL_OPENFT, ipoque_struct, IPQ_LOG_DEBUG, "OpenFT detected.\n");
		ipoque_int_openft_add_connection(ipoque_struct);
		return;
	}

	IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_OPENFT);
}
Example #18
0
/*
 * TeamViewer probe.
 *  - UDP: more than 13 payload bytes with byte 0 == 0x00 (a counter/sequence
 *    number that starts at 0) and 17 24 at offset 11 bumps the stage; the
 *    fourth such packet, or any one on port 5938, reports TeamViewer.  A
 *    non-matching UDP packet excludes it.
 *  - TCP: more than 2 payload bytes starting with 17 24 behaves like the UDP
 *    case; once the stage is non-zero, 11 30 also counts towards the fourth
 *    packet and every other packet is simply ignored.  With stage 0 a
 *    non-matching packet excludes it.
 * The stage counter lives in flow->l4.udp.teamviewer_stage for both
 * transports (as in the original; presumably l4 is a union — confirm).
 */
void ntop_search_teamview(struct ipoque_detection_module_struct *ipoque_struct)
{
    struct ipoque_packet_struct *packet = &ipoque_struct->packet;
    struct ipoque_flow_struct *flow = ipoque_struct->flow;

    if (packet->udp != NULL) {
        if (packet->payload_packet_len > 13
            && packet->payload[0] == 0x00 && packet->payload[11] == 0x17 && packet->payload[12] == 0x24) {
            flow->l4.udp.teamviewer_stage++;
            if (flow->l4.udp.teamviewer_stage == 4
                || packet->udp->dest == ntohs(5938) || packet->udp->source == ntohs(5938)) {
                ntop_int_teamview_add_connection(ipoque_struct);
            }
            return;
        }
    } else if (packet->tcp != NULL && packet->payload_packet_len > 2) {
        if (packet->payload[0] == 0x17 && packet->payload[1] == 0x24) {
            flow->l4.udp.teamviewer_stage++;
            if (flow->l4.udp.teamviewer_stage == 4
                || packet->tcp->dest == ntohs(5938) || packet->tcp->source == ntohs(5938)) {
                ntop_int_teamview_add_connection(ipoque_struct);
            }
            return;
        }
        if (flow->l4.udp.teamviewer_stage) {
            /* already on the way: keep counting 11 30 packets, never exclude from here */
            if (packet->payload[0] == 0x11 && packet->payload[1] == 0x30) {
                flow->l4.udp.teamviewer_stage++;
                if (flow->l4.udp.teamviewer_stage == 4) {
                    ntop_int_teamview_add_connection(ipoque_struct);
                }
            }
            return;
        }
    }

    IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NTOP_PROTOCOL_TEAMVIEWER);
}
Example #19
0
/*
 * AFP probe on the DSI (Data Stream Interface) transport that AFP uses over
 * TCP/IP.  Both recognised commands share four header checks: 0x0001 at
 * offset 2, zero at offset 4, the big-endian value (payload length - 16) at
 * offset 8 and zero at offset 12.  On top of that:
 *  - OpenSession: at least 22 bytes, 0x0004 at offset 0, 0x0104 at offset 16;
 *  - GetStatus:   at least 18 bytes, 0x0003 at offset 0, 0x0f00 at offset 16.
 * Anything else excludes AFP for the flow.
 */
void ipoque_search_afp(struct ipoque_detection_module_struct *ipoque_struct)
{
	struct ipoque_packet_struct *packet = &ipoque_struct->packet;
	struct ipoque_flow_struct *flow = ipoque_struct->flow;
	int dsi_header_ok;

	/* len >= 18 keeps every read below (the u16 at offset 16 reaches byte 17) in bounds */
	dsi_header_ok = packet->payload_packet_len >= 18
		&& get_u16(packet->payload, 2) == htons(0x0001)
		&& get_u32(packet->payload, 4) == 0
		&& get_u32(packet->payload, 8) == htonl(packet->payload_packet_len - 16)
		&& get_u32(packet->payload, 12) == 0;

	if (dsi_header_ok) {
		if (packet->payload_packet_len >= 22
			&& get_u16(packet->payload, 0) == htons(0x0004)
			&& get_u16(packet->payload, 16) == htons(0x0104)) {
			IPQ_LOG(IPOQUE_PROTOCOL_AFP, ipoque_struct, IPQ_LOG_DEBUG, "AFP: DSI OpenSession detected.\n");
			ipoque_int_afp_add_connection(ipoque_struct);
			return;
		}

		if (get_u16(packet->payload, 0) == htons(0x0003)
			&& get_u16(packet->payload, 16) == htons(0x0f00)) {
			IPQ_LOG(IPOQUE_PROTOCOL_AFP, ipoque_struct, IPQ_LOG_DEBUG, "AFP: DSI GetStatus detected.\n");
			ipoque_int_afp_add_connection(ipoque_struct);
			return;
		}
	}

	IPQ_LOG(IPOQUE_PROTOCOL_AFP, ipoque_struct, IPQ_LOG_DEBUG, "AFP excluded.\n");
	IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_AFP);
}
Example #20
0
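/*
 * TVAnts probe (despite the name it handles both UDP and TCP).
 *
 * Both shapes start with 04 00 <05|06|07> 00, a little-endian length at
 * offset 4 equal to the payload length and 00 00 at offset 6:
 *  - UDP: more than 57 bytes, "TVANTS" at offset 48, 49 or 51 (len > 57
 *    keeps the compare ending at byte 56 in bounds);
 *  - TCP: more than 15 bytes, type byte exactly 0x07, "TVANTS" at offset 8
 *    (len > 15 keeps bytes 8..13 in bounds).
 * Anything else excludes TVAnts for the flow.
 *
 * Review fix: the function used to fall through to the exclude path even
 * after reporting a match, so a detected flow was also marked excluded (and
 * logged as such).  Every other detector in this file returns right after its
 * *_add_connection call; this one now does the same.
 */
void ipoque_search_tvants_udp(struct ipoque_detection_module_struct
							  *ipoque_struct)
{
	struct ipoque_packet_struct *packet = &ipoque_struct->packet;
	struct ipoque_flow_struct *flow = ipoque_struct->flow;

	IPQ_LOG(IPOQUE_PROTOCOL_TVANTS, ipoque_struct, IPQ_LOG_DEBUG, "search tvants.  \n");

	if (packet->udp != NULL && packet->payload_packet_len > 57
		&& packet->payload[0] == 0x04 && packet->payload[1] == 0x00
		&& (packet->payload[2] == 0x05 || packet->payload[2] == 0x06
			|| packet->payload[2] == 0x07) && packet->payload[3] == 0x00
		&& packet->payload_packet_len == (packet->payload[5] << 8) + packet->payload[4]
		&& packet->payload[6] == 0x00 && packet->payload[7] == 0x00
		&& (memcmp(&packet->payload[48], "TVANTS", 6) == 0
			|| memcmp(&packet->payload[49], "TVANTS", 6) == 0 || memcmp(&packet->payload[51], "TVANTS", 6) == 0)) {

		IPQ_LOG(IPOQUE_PROTOCOL_TVANTS, ipoque_struct, IPQ_LOG_DEBUG, "found tvants over udp.  \n");
		ipoque_int_tvants_add_connection(ipoque_struct);
		return;	/* detected: do not mark the protocol excluded below */

	} else if (packet->tcp != NULL && packet->payload_packet_len > 15
			   && packet->payload[0] == 0x04 && packet->payload[1] == 0x00
			   && packet->payload[2] == 0x07 && packet->payload[3] == 0x00
			   && packet->payload_packet_len == (packet->payload[5] << 8) + packet->payload[4]
			   && packet->payload[6] == 0x00 && packet->payload[7] == 0x00
			   && memcmp(&packet->payload[8], "TVANTS", 6) == 0) {

		IPQ_LOG(IPOQUE_PROTOCOL_TVANTS, ipoque_struct, IPQ_LOG_DEBUG, "found tvants over tcp.  \n");
		ipoque_int_tvants_add_connection(ipoque_struct);
		return;	/* detected: do not mark the protocol excluded below */

	}
	IPQ_LOG(IPOQUE_PROTOCOL_TVANTS, ipoque_struct, IPQ_LOG_DEBUG, "exclude tvants.  \n");
	IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_TVANTS);

}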
Example #21
0
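/*
 * MSSQL probe.  A payload of more than 51 bytes starting with the big-endian
 * word 0x1201, carrying its own length (big-endian) at offset 2, 0x00000100
 * at offset 4 and "sqlexpress" at offset 41 reports MSSQL (len > 51 keeps
 * the 10-byte compare at [41..50] in bounds).  Anything else excludes MSSQL
 * for the flow.
 *
 * Review fix: the first word was read with get_u32() and then passed to
 * ntohs(), which truncates the 32-bit value to its low 16 bits before
 * swapping.  On a little-endian host those are payload bytes 0-1 (so the
 * check happened to work), on a big-endian host they are bytes 2-3.  Reading
 * a u16 at offset 0 compares the intended bytes on either host.
 */
void ipoque_search_mssql(struct ipoque_detection_module_struct
						 *ipoque_struct)
{
	struct ipoque_packet_struct *packet = &ipoque_struct->packet;
	struct ipoque_flow_struct *flow = ipoque_struct->flow;

	IPQ_LOG(IPOQUE_PROTOCOL_MSSQL, ipoque_struct, IPQ_LOG_DEBUG, "search mssql.\n");

	if (packet->payload_packet_len > 51 && ntohs(get_u16(packet->payload, 0)) == 0x1201
		&& ntohs(get_u16(packet->payload, 2)) == packet->payload_packet_len
		&& ntohl(get_u32(packet->payload, 4)) == 0x00000100 && memcmp(&packet->payload[41], "sqlexpress", 10) == 0) {
		IPQ_LOG(IPOQUE_PROTOCOL_MSSQL, ipoque_struct, IPQ_LOG_DEBUG, "found mssql.\n");
		ipoque_int_mssql_add_connection(ipoque_struct);
		return;
	}

	IPQ_LOG(IPOQUE_PROTOCOL_MSSQL, ipoque_struct, IPQ_LOG_DEBUG, "exclude mssql.\n");
	IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_MSSQL);
}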
Example #22
0
/*
 * Single-packet SopCast-over-UDP detection.
 *
 * Seven packet shapes are known; each is identified by its exact payload
 * length plus a handful of byte values at fixed offsets.  The first shape
 * that matches marks the flow, otherwise SopCast is excluded.  The length
 * is compared before any byte is read, so every offset used below (at
 * most 16) lies inside the payload.  The same shapes are matched in both
 * directions, so no asymmetric handling is needed.
 *
 * @param ipoque_struct  detection module holding the current packet and flow
 */
static void ipoque_search_sopcast_udp(struct ipoque_detection_module_struct
									  *ipoque_struct)
{
	struct ipoque_packet_struct *packet = &ipoque_struct->packet;
	struct ipoque_flow_struct *flow = ipoque_struct->flow;
	const unsigned char *p = packet->payload;

	IPQ_LOG(IPOQUE_PROTOCOL_SOPCAST, ipoque_struct, IPQ_LOG_DEBUG, "search sopcast.  \n");

	switch (packet->payload_packet_len) {
	case 52:
		/* shape I */
		if (p[0] == 0xff && p[1] == 0xff && p[2] == 0x01
			&& p[8] == 0x02 && p[9] == 0xff && p[10] == 0x00 && p[11] == 0x2c
			&& p[12] == 0x00 && p[13] == 0x00 && p[14] == 0x00) {
			IPQ_LOG(IPOQUE_PROTOCOL_SOPCAST, ipoque_struct, IPQ_LOG_DEBUG, "found sopcast with if I.  \n");
			ipoque_int_sopcast_add_connection(ipoque_struct);
			return;
		}
		break;

	case 80:
	case 94:
	case 28:
		/* shape II is valid for 28, 80 and 94 bytes */
		if (p[0] == 0x00 && (p[2] == 0x02 || p[2] == 0x01)
			&& p[8] == 0x01 && p[9] == 0xff && p[10] == 0x00 && p[11] == 0x14
			&& p[12] == 0x00 && p[13] == 0x00) {
			IPQ_LOG(IPOQUE_PROTOCOL_SOPCAST, ipoque_struct, IPQ_LOG_DEBUG, "found sopcast with if II.  \n");
			ipoque_int_sopcast_add_connection(ipoque_struct);
			return;
		}
		/* shape V only exists with 28 bytes and is tried after shape II */
		if (packet->payload_packet_len == 28
			&& p[0] == 0x00 && p[1] == 0x0c && p[2] == 0x01 && p[3] == 0x07 && p[4] == 0x00
			&& p[8] == 0x01 && p[9] == 0x01 && p[10] == 0x00 && p[11] == 0x14
			&& p[12] == 0x00 && p[13] == 0x00) {
			IPQ_LOG(IPOQUE_PROTOCOL_SOPCAST, ipoque_struct, IPQ_LOG_DEBUG, "found sopcast with if V.  \n");
			ipoque_int_sopcast_add_connection(ipoque_struct);
			return;
		}
		break;

	case 60:
		/* shape III; seen only once in traces so far */
		if (p[0] == 0x00 && p[2] == 0x01
			&& p[8] == 0x03 && p[9] == 0xff && p[10] == 0x00 && p[11] == 0x34
			&& p[12] == 0x00 && p[13] == 0x00 && p[14] == 0x00) {
			IPQ_LOG(IPOQUE_PROTOCOL_SOPCAST, ipoque_struct, IPQ_LOG_DEBUG, "found sopcast with if III.  \n");
			ipoque_int_sopcast_add_connection(ipoque_struct);
			return;
		}
		break;

	case 42:
		/* shape IV */
		if (p[0] == 0x00 && p[1] == 0x02 && p[2] == 0x01 && p[3] == 0x07 && p[4] == 0x03
			&& p[8] == 0x06 && p[9] == 0x01 && p[10] == 0x00 && p[11] == 0x22
			&& p[12] == 0x00 && p[13] == 0x00) {
			IPQ_LOG(IPOQUE_PROTOCOL_SOPCAST, ipoque_struct, IPQ_LOG_DEBUG, "found sopcast with if IV.  \n");
			ipoque_int_sopcast_add_connection(ipoque_struct);
			return;
		}
		break;

	case 286:
		/* shape VI; seen only once in traces so far */
		if (p[0] == 0x00 && p[1] == 0x02 && p[2] == 0x01 && p[3] == 0x07 && p[4] == 0x03
			&& p[8] == 0x06 && p[9] == 0x01 && p[10] == 0x01 && p[11] == 0x16
			&& p[12] == 0x00 && p[13] == 0x00) {
			IPQ_LOG(IPOQUE_PROTOCOL_SOPCAST, ipoque_struct, IPQ_LOG_DEBUG, "found sopcast with if VI.  \n");
			ipoque_int_sopcast_add_connection(ipoque_struct);
			return;
		}
		break;

	case 76:
		/* shape VII */
		if (p[0] == 0xff && p[1] == 0xff && p[2] == 0x01
			&& p[8] == 0x0c && p[9] == 0xff && p[10] == 0x00 && p[11] == 0x44
			&& p[16] == 0x01 && p[15] == 0x01
			&& p[12] == 0x00 && p[13] == 0x00 && p[14] == 0x00) {
			IPQ_LOG(IPOQUE_PROTOCOL_SOPCAST, ipoque_struct, IPQ_LOG_DEBUG, "found sopcast with if VII.  \n");
			ipoque_int_sopcast_add_connection(ipoque_struct);
			return;
		}
		break;

	default:
		break;
	}

	IPQ_LOG(IPOQUE_PROTOCOL_SOPCAST, ipoque_struct, IPQ_LOG_DEBUG, "exclude sopcast.  \n");
	IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_SOPCAST);
}
/* Outcome of dc_udp_classify_search_result(). */
enum {
	DC_UDP_NO_SR = 0,	/* payload is not a "$SR ...|" search result */
	DC_UDP_SR_PLAIN = 1,	/* "$SR ...|" without a recognisable TTH hash */
	DC_UDP_SR_TTH = 2	/* "$SR ...(TTH:...)|" search result */
};

/*
 * Classify a UDP payload as a DirectConnect "$SR " search result.
 * The caller guarantees payload_packet_len > 58.  Starting at the byte
 * before the trailing '|', which must be ')', it walks back at most 21
 * bytes to the matching '(' and expects "TTH:" 44 bytes before that.
 */
static int dc_udp_classify_search_result(const struct ipoque_packet_struct *packet)
{
	int pos = packet->payload_packet_len - 2;
	int count = 0;

	if (packet->payload[0] != '$'
		|| packet->payload[packet->payload_packet_len - 1] != '|'
		|| memcmp(&packet->payload[1], "SR ", 3) != 0) {
		return DC_UDP_NO_SR;
	}
	if (packet->payload[pos] != ')') {
		return DC_UDP_SR_PLAIN;
	}
	while (pos > 0 && packet->payload[pos] != '(' && count < 21) {
		pos--;
		count++;
	}
	if (packet->payload[pos] != '(') {
		return DC_UDP_SR_PLAIN;
	}
	/* pos is signed and may become negative here; the "> 2" test rejects that */
	pos -= 44;
	if (pos > 2 && memcmp(&packet->payload[pos], "TTH:", 4) == 0) {
		return DC_UDP_SR_TTH;
	}
	return DC_UDP_SR_PLAIN;
}

/*
 * DirectConnect detection over UDP.
 *
 * First a fast path: when the destination host already announced a DC
 * UDP port and it was used within directconnect_connection_ip_tick_timeout,
 * the flow is marked right away; an expired port is forgotten instead.
 * Otherwise, for hosts already known to speak DirectConnect, the payload
 * is checked for a "$SR " search result carrying a TTH hash.  Search
 * results without a hash advance flow->directconnect_stage and the next
 * packets are awaited; after three of them the flow is excluded.
 *
 * @param ipoque_struct  detection module; packet, flow, src and dst are
 *                       read from it, dst and flow may be updated
 */
static void ipoque_search_directconnect_udp(struct ipoque_detection_module_struct
											*ipoque_struct)
{
	struct ipoque_packet_struct *packet = &ipoque_struct->packet;
	struct ipoque_flow_struct *flow = ipoque_struct->flow;
	struct ipoque_id_struct *src = ipoque_struct->src;
	struct ipoque_id_struct *dst = ipoque_struct->dst;
	int kind;

	if (dst != NULL && dst->detected_directconnect_udp_port == packet->udp->dest) {
		if ((IPOQUE_TIMESTAMP_COUNTER_SIZE)
			(packet->tick_timestamp -
			 dst->directconnect_last_safe_access_time) >= ipoque_struct->directconnect_connection_ip_tick_timeout) {
			/* learned port is stale: forget it */
			dst->detected_directconnect_udp_port = 0;
			IPQ_LOG(IPOQUE_PROTOCOL_DIRECTCONNECT, ipoque_struct,
					IPQ_LOG_DEBUG, "resetting dst udp  port due to timeout");
			return;
		}
		ipoque_int_add_connection(ipoque_struct, IPOQUE_PROTOCOL_DIRECTCONNECT, IPOQUE_REAL_PROTOCOL);
		dst->directconnect_last_safe_access_time = packet->tick_timestamp;
		IPQ_LOG(IPOQUE_PROTOCOL_DIRECTCONNECT, ipoque_struct,
				IPQ_LOG_DEBUG, "marking using dc udp port\n %d", ntohs(dst->detected_directconnect_udp_port));
		return;
	}

	if (packet->payload_packet_len > 58) {
		/* source host known to speak DC */
		if (src != NULL
			&& IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, IPOQUE_PROTOCOL_DIRECTCONNECT)) {
			kind = dc_udp_classify_search_result(packet);
			if (kind == DC_UDP_SR_TTH) {
				IPQ_LOG(IPOQUE_PROTOCOL_DIRECTCONNECT, ipoque_struct, IPQ_LOG_DEBUG, "dc udp detected\n");
				ipoque_int_directconnect_add_connection(ipoque_struct, DIRECT_CONNECT_TYPE_PEER);
				return;
			}
			if (kind == DC_UDP_SR_PLAIN) {
				flow->directconnect_stage++;
				if (flow->directconnect_stage < 3) {
					return;
				}
			}
		}
		/* destination host known to speak DC; same test, same bookkeeping */
		if (dst != NULL
			&& IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, IPOQUE_PROTOCOL_DIRECTCONNECT)) {
			kind = dc_udp_classify_search_result(packet);
			if (kind == DC_UDP_SR_TTH) {
				IPQ_LOG(IPOQUE_PROTOCOL_DIRECTCONNECT, ipoque_struct, IPQ_LOG_DEBUG, "dc udp detected\n");
				ipoque_int_directconnect_add_connection(ipoque_struct, DIRECT_CONNECT_TYPE_PEER);
				return;
			}
			if (kind == DC_UDP_SR_PLAIN) {
				flow->directconnect_stage++;
				if (flow->directconnect_stage < 3) {
					return;
				}
			}
		}
	}

	IPQ_LOG(IPOQUE_PROTOCOL_DIRECTCONNECT, ipoque_struct, IPQ_LOG_DEBUG,
			"excluded at stage %d \n", flow->directconnect_stage);
	IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_DIRECTCONNECT);
}
/*
 * DirectConnect (NMDC and ADC) detection over TCP.
 *
 * Flows already marked DirectConnect: a "BINF" message is handed to
 * parse_binf_message() and a "DCTM ... ADCS" message is parsed inline;
 * the SSL port obtained either way is stored on the src/dst id structs.
 * Other flows: ports learned earlier on src/dst are re-used while they
 * are younger than directconnect_connection_ip_tick_timeout (an expired
 * port is cleared), then a small state machine on
 * flow->directconnect_stage runs: stage 0 looks for "$Lock " (hub) or
 * "$MyNick " (peer) or an ADC "HSUP"/"CSUP" greeting, stages 1 and 2
 * accept the reply.  Anything else excludes DirectConnect for the flow.
 *
 * packet->tcp is dereferenced without a NULL check, so presumably this is
 * only called for TCP packets — confirm against the caller.
 *
 * @param ipoque_struct  detection module; packet, flow, src and dst are
 *                       read from it, the id structs and flow may be updated
 */
static void ipoque_search_directconnect_tcp(struct ipoque_detection_module_struct
											*ipoque_struct)
{
	struct ipoque_packet_struct *packet = &ipoque_struct->packet;
	struct ipoque_flow_struct *flow = ipoque_struct->flow;
	struct ipoque_id_struct *src = ipoque_struct->src;
	struct ipoque_id_struct *dst = ipoque_struct->dst;

	/* already detected: only harvest the SSL port announced by the peers */
	if (flow->detected_protocol_stack[0] == IPOQUE_PROTOCOL_DIRECTCONNECT) {
		if (packet->payload_packet_len >= 40 && memcmp(&packet->payload[0], "BINF", 4) == 0) {
			u16 ssl_port = 0;
			ssl_port = parse_binf_message(ipoque_struct, &packet->payload[4], packet->payload_packet_len - 4);
			if (dst != NULL && ssl_port) {
				dst->detected_directconnect_ssl_port = ssl_port;
			}
			if (src != NULL && ssl_port) {
				src->detected_directconnect_ssl_port = ssl_port;
			}


		}
		/* "ADCS" at offset 15 and the 5-byte number at offset 25 are inside the payload (len >= 38) */
		if ((packet->payload_packet_len >= 38 && packet->payload_packet_len <= 42)
			&& memcmp(&packet->payload[0], "DCTM", 4) == 0 && memcmp(&packet->payload[15], "ADCS", 4) == 0) {
			u16 bytes_read = 0;
			if (dst != NULL) {
				dst->detected_directconnect_ssl_port =
					ntohs_ipq_bytestream_to_number(&packet->payload[25], 5, &bytes_read);
				IPQ_LOG(IPOQUE_PROTOCOL_DIRECTCONNECT, ipoque_struct,
						IPQ_LOG_DEBUG, "directconnect ssl port parsed %d", ntohs(dst->detected_directconnect_ssl_port));
			}
			if (src != NULL) {
				src->detected_directconnect_ssl_port =
					ntohs_ipq_bytestream_to_number(&packet->payload[25], 5, &bytes_read);
				IPQ_LOG(IPOQUE_PROTOCOL_DIRECTCONNECT, ipoque_struct,
						IPQ_LOG_DEBUG, "directconnect ssl port parsed %d", ntohs(src->detected_directconnect_ssl_port));
			}


		}
		return;

	}
	/* ports learned on the source host: re-use while fresh, clear on timeout */
	if (src != NULL) {
		if (src->detected_directconnect_port == packet->tcp->source) {
			if ((IPOQUE_TIMESTAMP_COUNTER_SIZE)
				(packet->tick_timestamp -
				 src->directconnect_last_safe_access_time) < ipoque_struct->directconnect_connection_ip_tick_timeout) {
				ipoque_int_change_protocol(ipoque_struct, IPOQUE_PROTOCOL_DIRECTCONNECT, IPOQUE_REAL_PROTOCOL);
				src->directconnect_last_safe_access_time = packet->tick_timestamp;
				IPQ_LOG(IPOQUE_PROTOCOL_DIRECTCONNECT, ipoque_struct,
						IPQ_LOG_DEBUG, "marking using dc port\n %d", ntohs(src->detected_directconnect_port));
				return;
			} else {
				src->detected_directconnect_port = 0;
				IPQ_LOG(IPOQUE_PROTOCOL_DIRECTCONNECT, ipoque_struct,
						IPQ_LOG_DEBUG, "resetting src port due to timeout");
				return;
			}
		}
		/* NOTE(review): the src SSL port is compared with tcp->dest, whereas the
		 * plain src port above is compared with tcp->source and both dst ports
		 * below with tcp->dest — confirm this asymmetry is intended */
		if (src->detected_directconnect_ssl_port == packet->tcp->dest) {
			if ((IPOQUE_TIMESTAMP_COUNTER_SIZE)
				(packet->tick_timestamp -
				 src->directconnect_last_safe_access_time) < ipoque_struct->directconnect_connection_ip_tick_timeout) {
				ipoque_int_change_protocol(ipoque_struct, IPOQUE_PROTOCOL_DIRECTCONNECT, IPOQUE_REAL_PROTOCOL);
				src->directconnect_last_safe_access_time = packet->tick_timestamp;
				IPQ_LOG(IPOQUE_PROTOCOL_DIRECTCONNECT, ipoque_struct,
						IPQ_LOG_DEBUG, "marking using dc port\n %d", ntohs(src->detected_directconnect_ssl_port));
				return;
			} else {
				src->detected_directconnect_ssl_port = 0;
				IPQ_LOG(IPOQUE_PROTOCOL_DIRECTCONNECT, ipoque_struct,
						IPQ_LOG_DEBUG, "resetting src port due to timeout");
				return;
			}
		}

	}

	/* ports learned on the destination host: same handling */
	if (dst != NULL) {
		if (dst->detected_directconnect_port == packet->tcp->dest) {
			if ((IPOQUE_TIMESTAMP_COUNTER_SIZE)
				(packet->tick_timestamp -
				 dst->directconnect_last_safe_access_time) < ipoque_struct->directconnect_connection_ip_tick_timeout) {
				ipoque_int_add_connection(ipoque_struct, IPOQUE_PROTOCOL_DIRECTCONNECT, IPOQUE_REAL_PROTOCOL);
				dst->directconnect_last_safe_access_time = packet->tick_timestamp;
				IPQ_LOG(IPOQUE_PROTOCOL_DIRECTCONNECT, ipoque_struct,
						IPQ_LOG_DEBUG, "marking using dc port\n %d", ntohs(dst->detected_directconnect_port));
				return;
			} else {
				dst->detected_directconnect_port = 0;
				IPQ_LOG(IPOQUE_PROTOCOL_DIRECTCONNECT, ipoque_struct,
						IPQ_LOG_DEBUG, "resetting dst port due to timeout");
				return;
			}
		}
		if (dst->detected_directconnect_ssl_port == packet->tcp->dest) {
			if ((IPOQUE_TIMESTAMP_COUNTER_SIZE)
				(packet->tick_timestamp -
				 dst->directconnect_last_safe_access_time) < ipoque_struct->directconnect_connection_ip_tick_timeout) {
				ipoque_int_add_connection(ipoque_struct, IPOQUE_PROTOCOL_DIRECTCONNECT, IPOQUE_REAL_PROTOCOL);
				dst->directconnect_last_safe_access_time = packet->tick_timestamp;
				IPQ_LOG(IPOQUE_PROTOCOL_DIRECTCONNECT, ipoque_struct,
						IPQ_LOG_DEBUG, "marking using dc port\n %d", ntohs(dst->detected_directconnect_ssl_port));

				return;
			} else {
				dst->detected_directconnect_ssl_port = 0;
				IPQ_LOG(IPOQUE_PROTOCOL_DIRECTCONNECT, ipoque_struct,
						IPQ_LOG_DEBUG, "resetting dst port due to timeout");
				return;
			}
		}

	}

	/* stage 0: first packet of the flow, look for the NMDC or ADC opening */
	if (flow->directconnect_stage == 0) {

		if (packet->payload_packet_len > 6) {
			/* "$Lock ...|": hub greeting, wait for the reply in stage 1 */
			if (packet->payload[0] == '$'
				&& packet->payload[packet->payload_packet_len - 1] == '|'
				&& (memcmp(&packet->payload[1], "Lock ", 5) == 0)) {
				IPQ_LOG(IPOQUE_PROTOCOL_DIRECTCONNECT, ipoque_struct,
						IPQ_LOG_DEBUG, "maybe first dc connect to hub  detected\n");
				flow->directconnect_stage = 1;
				return;
			}
			/* "$MyNick ...|": peer-to-peer greeting, wait for the reply in stage 2 */
			if (packet->payload_packet_len > 7
				&& packet->payload[0] == '$'
				&& packet->payload[packet->payload_packet_len - 1] == '|'
				&& (memcmp(&packet->payload[1], "MyNick ", 7) == 0)) {
				IPQ_LOG(IPOQUE_PROTOCOL_DIRECTCONNECT, ipoque_struct,
						IPQ_LOG_DEBUG, "maybe first dc connect between peers  detected\n");
				flow->directconnect_stage = 2;
				return;
			}

		}
		/* ADC greetings are conclusive on their own */
		if (packet->payload_packet_len >= 11) {
			/* did not see this pattern in any trace */
			if (memcmp(&packet->payload[0], "HSUP ADBAS0", 11) == 0
				|| memcmp(&packet->payload[0], "HSUP ADBASE", 11) == 0) {
				IPQ_LOG(IPOQUE_PROTOCOL_DIRECTCONNECT, ipoque_struct,
						IPQ_LOG_DEBUG, "found directconnect HSUP ADBAS0 E\n");
				ipoque_int_directconnect_add_connection(ipoque_struct, DIRECT_CONNECT_TYPE_HUB);
				return;
				/* did not see this pattern in any trace */
			} else if (memcmp(&packet->payload[0], "CSUP ADBAS0", 11) == 0 ||
					   memcmp(&packet->payload[0], "CSUP ADBASE", 11) == 0) {
				IPQ_LOG(IPOQUE_PROTOCOL_DIRECTCONNECT, ipoque_struct,
						IPQ_LOG_DEBUG, "found directconnect CSUP ADBAS0 E\n");
				ipoque_int_directconnect_add_connection(ipoque_struct, DIRECT_CONNECT_ADC_PEER);
				return;

			}

		}

	/* stage 1: reply to a hub greeting */
	} else if (flow->directconnect_stage == 1) {
		if (packet->payload_packet_len >= 11) {
			/* did not see this pattern in any trace */
			if (memcmp(&packet->payload[0], "HSUP ADBAS0", 11) == 0
				|| memcmp(&packet->payload[0], "HSUP ADBASE", 11) == 0) {
				IPQ_LOG(IPOQUE_PROTOCOL_DIRECTCONNECT, ipoque_struct,
						IPQ_LOG_DEBUG, "found directconnect HSUP ADBAS E in second packet\n");
				ipoque_int_directconnect_add_connection(ipoque_struct, DIRECT_CONNECT_TYPE_HUB);

				return;
				/* did not see this pattern in any trace */
			} else if (memcmp(&packet->payload[0], "CSUP ADBAS0", 11) == 0 ||
					   memcmp(&packet->payload[0], "CSUP ADBASE", 11) == 0) {
				/* the debug text below still says HSUP although this is the CSUP branch */
				IPQ_LOG(IPOQUE_PROTOCOL_DIRECTCONNECT, ipoque_struct,
						IPQ_LOG_DEBUG, "found directconnect HSUP ADBAS0 E in second packet\n");
				ipoque_int_directconnect_add_connection(ipoque_struct, DIRECT_CONNECT_ADC_PEER);


				return;

			}
		}
		/* get client hello answer or server message */
		if (packet->payload_packet_len > 6) {
			if ((packet->payload[0] == '$' || packet->payload[0] == '<')
				&& packet->payload[packet->payload_packet_len - 1] == '|') {
				IPQ_LOG(IPOQUE_PROTOCOL_DIRECTCONNECT, ipoque_struct, IPQ_LOG_DEBUG, "second dc detected\n");
				ipoque_int_directconnect_add_connection(ipoque_struct, DIRECT_CONNECT_TYPE_HUB);

				return;
			} else {
				IPQ_LOG(IPOQUE_PROTOCOL_DIRECTCONNECT, ipoque_struct, IPQ_LOG_DEBUG, "second dc not detected\n");
			}

		}
	/* stage 2: reply to a peer greeting */
	} else if (flow->directconnect_stage == 2) {
		/* get client hello answer or server message */
		if (packet->payload_packet_len > 6) {
			if (packet->payload[0] == '$' && packet->payload[packet->payload_packet_len - 1] == '|') {
				IPQ_LOG(IPOQUE_PROTOCOL_DIRECTCONNECT, ipoque_struct,
						IPQ_LOG_DEBUG, "second dc between peers detected\n");


				ipoque_int_directconnect_add_connection(ipoque_struct, DIRECT_CONNECT_TYPE_PEER);

				return;
			} else {
				IPQ_LOG(IPOQUE_PROTOCOL_DIRECTCONNECT, ipoque_struct,
						IPQ_LOG_DEBUG, "second dc between peers not detected\n");
			}
		}

	}

	/* nothing matched (or a stage >= 3 was reached): give up on this flow */
	IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_DIRECTCONNECT);

}
/*
 * NetBIOS detection over UDP (name service on port 137, datagram service
 * on port 138) and TCP (session service on port 139).
 *
 * UDP/137: with at least 50 bytes of payload the five 16-bit words at
 * offsets 2..11 (flags and the question/answer/authority/additional
 * counts) are compared against a fixed list of known combinations.
 * UDP/138: the length word at offset 10 must equal the payload length
 * minus 14, the first byte must be 0x11..0x16 and the 32-bit source
 * address carried at offset 4 must equal the IP header's source address.
 * TCP/139: a 72-byte payload starting 0x81 0x00 with length word 68.
 *
 * Anything else excludes NetBIOS for the flow.  packet->iph is
 * dereferenced without a NULL check in the port-138 path — presumably
 * only IPv4 packets reach it; confirm against the caller.
 *
 * @param ipoque_struct  detection module; packet and flow are read from it
 */
void ipoque_search_netbios(struct ipoque_detection_module_struct *ipoque_struct)
{
	struct ipoque_packet_struct *packet = &ipoque_struct->packet;
	struct ipoque_flow_struct *flow = ipoque_struct->flow;
	u16 dport;

	if (packet->udp != NULL) {
		dport = ntohs(packet->udp->dest);

		IPQ_LOG(IPOQUE_PROTOCOL_NETBIOS, ipoque_struct, IPQ_LOG_DEBUG, "netbios udp start\n");

		/* name service: compare the header words against the known shapes */
		if (dport == 137 && packet->payload_packet_len >= 50) {

			IPQ_LOG(IPOQUE_PROTOCOL_NETBIOS, ipoque_struct,
					IPQ_LOG_DEBUG, "found netbios port 137 and payload_packet_len 50\n");

			/* all five words lie in the first 12 bytes, covered by the length check above */
			const u16 nb_flags = ntohs(get_u16(packet->payload, 2));
			const u16 nb_qd = ntohs(get_u16(packet->payload, 4));
			const u16 nb_an = ntohs(get_u16(packet->payload, 6));
			const u16 nb_ns = ntohs(get_u16(packet->payload, 8));
			const u16 nb_ar = ntohs(get_u16(packet->payload, 10));

			if (nb_flags == 0 && nb_qd == 1 && nb_an == 0 && nb_ns == 0 && nb_ar == 0) {
				IPQ_LOG(IPOQUE_PROTOCOL_NETBIOS, ipoque_struct,
						IPQ_LOG_DEBUG, "found netbios with questions = 1 and answers = 0, authority = 0  \n");
				ipoque_int_netbios_add_connection(ipoque_struct);
				return;
			}
			/* this shape only looks at the high flag byte */
			if (packet->payload[2] == 0x80 && nb_qd == 1 && nb_an == 0 && nb_ns == 0 && nb_ar == 1) {
				IPQ_LOG(IPOQUE_PROTOCOL_NETBIOS, ipoque_struct,
						IPQ_LOG_DEBUG, "found netbios with questions = 1 and answers, authority, additional = 0  \n");
				ipoque_int_netbios_add_connection(ipoque_struct);
				return;
			}
			if (nb_flags == 0x4000 && nb_qd == 1 && nb_an == 0 && nb_ns == 0 && nb_ar == 1) {
				IPQ_LOG(IPOQUE_PROTOCOL_NETBIOS, ipoque_struct,
						IPQ_LOG_DEBUG, "found netbios with questions = 1 and answers = 0, authority = 0  \n");
				ipoque_int_netbios_add_connection(ipoque_struct);
				return;
			}
			if (nb_flags == 0x8400 && nb_qd == 0 && nb_an == 1 && nb_ns == 0 && nb_ar == 0) {
				IPQ_LOG(IPOQUE_PROTOCOL_NETBIOS, ipoque_struct,
						IPQ_LOG_DEBUG,
						"found netbios with flag 8400 questions = 0 and answers = 1, authority, additional = 0  \n");
				ipoque_int_netbios_add_connection(ipoque_struct);
				return;
			}
			if (nb_flags == 0x8500 && nb_qd == 0 && nb_an == 1 && nb_ns == 0 && nb_ar == 0) {
				IPQ_LOG(IPOQUE_PROTOCOL_NETBIOS, ipoque_struct,
						IPQ_LOG_DEBUG,
						"found netbios with flag 8500 questions = 0 and answers = 1, authority, additional = 0  \n");
				ipoque_int_netbios_add_connection(ipoque_struct);
				return;
			}
			if (nb_flags == 0x2910 && nb_qd == 1 && nb_an == 0 && nb_ns == 0 && nb_ar == 1) {
				IPQ_LOG(IPOQUE_PROTOCOL_NETBIOS, ipoque_struct,
						IPQ_LOG_DEBUG,
						"found netbios with flag 2910, questions = 1 and answers, authority=0, additional = 1  \n");
				ipoque_int_netbios_add_connection(ipoque_struct);
				return;
			}
			if (nb_flags == 0xAD86 && nb_qd == 0 && nb_an == 1 && nb_ns == 0 && nb_ar == 0) {
				IPQ_LOG(IPOQUE_PROTOCOL_NETBIOS, ipoque_struct,
						IPQ_LOG_DEBUG,
						"found netbios with flag ad86 questions = 0 and answers = 1, authority, additional = 0  \n");
				ipoque_int_netbios_add_connection(ipoque_struct);
				return;
			}
			if (nb_flags == 0x0110 && nb_qd == 1 && nb_an == 0 && nb_ns == 0 && nb_ar == 0) {
				IPQ_LOG(IPOQUE_PROTOCOL_NETBIOS, ipoque_struct,
						IPQ_LOG_DEBUG,
						"found netbios with flag 0110 questions = 1 and answers = 0, authority, additional = 0  \n");
				ipoque_int_netbios_add_connection(ipoque_struct);
				return;
			}
		}

		/* datagram service: header layout taken from
		 * http://www.protocolbase.net/protocols/protocol_NBDGM.php */
		if (dport == 138
			&& packet->payload_packet_len >= 14
			&& ntohs(get_u16(packet->payload, 10)) == packet->payload_packet_len - 14) {

			IPQ_LOG(IPOQUE_PROTOCOL_NETBIOS, ipoque_struct,
					IPQ_LOG_DEBUG, "found netbios port 138 and payload length >= 112 \n");

			/* message types 0x11..0x16 */
			if (packet->payload[0] >= 0x11 && packet->payload[0] <= 0x16) {

				IPQ_LOG(IPOQUE_PROTOCOL_NETBIOS, ipoque_struct,
						IPQ_LOG_DEBUG, "found netbios with MSG-type 0x11,0x12,0x13,0x14,0x15 or 0x16\n");

				/* the source IP inside the datagram must match the IP header */
				if (ntohl(get_u32(packet->payload, 4)) == ntohl(packet->iph->saddr)) {
					IPQ_LOG(IPOQUE_PROTOCOL_NETBIOS, ipoque_struct,
							IPQ_LOG_DEBUG, "found netbios with checked ip-address.\n");
					ipoque_int_netbios_add_connection(ipoque_struct);
					return;
				}
			}
		}
	}

	if (packet->tcp != NULL) {
		dport = ntohs(packet->tcp->dest);

		IPQ_LOG(IPOQUE_PROTOCOL_NETBIOS, ipoque_struct, IPQ_LOG_DEBUG, "netbios tcp start\n");

		/* session service: port 139, 72-byte session request */
		if (dport == 139) {

			IPQ_LOG(IPOQUE_PROTOCOL_NETBIOS, ipoque_struct, IPQ_LOG_DEBUG, "found netbios with destination port 139\n");

			if (packet->payload_packet_len == 72) {
				IPQ_LOG(IPOQUE_PROTOCOL_NETBIOS, ipoque_struct,
						IPQ_LOG_DEBUG, "found netbios with payload_packen_len = 72. \n");

				/* type 0x81 (session request), flags 0, length of the remaining bytes 68 */
				if (packet->payload[0] == 0x81 && packet->payload[1] == 0 && ntohs(get_u16(packet->payload, 2)) == 68) {
					IPQ_LOG(IPOQUE_PROTOCOL_NETBIOS, ipoque_struct,
							IPQ_LOG_DEBUG,
							"found netbios with session request = 81, flags=0 and length od following bytes = 68. \n");
					ipoque_int_netbios_add_connection(ipoque_struct);
					return;
				}
			}
		}
	}

	IPQ_LOG(IPOQUE_PROTOCOL_NETBIOS, ipoque_struct, IPQ_LOG_DEBUG, "exclude netbios\n");
	IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_NETBIOS);
}
/* this function searches for a rtsp-"handshake" over tcp or udp. */
/* Remember the packet's source address and timestamp on the destination id. */
static void rtsp_touch_dst(struct ipoque_packet_struct *packet, struct ipoque_id_struct *dst)
{
	ipq_packet_src_ip_get(packet, &dst->rtsp_ip_address);
	dst->rtsp_timer = packet->tick_timestamp;
	dst->rtsp_ts_set = 1;
}

/* Remember the packet's destination address and timestamp on the source id. */
static void rtsp_touch_src(struct ipoque_packet_struct *packet, struct ipoque_id_struct *src)
{
	ipq_packet_dst_ip_get(packet, &src->rtsp_ip_address);
	src->rtsp_timer = packet->tick_timestamp;
	src->rtsp_ts_set = 1;
}

/*
 * Look for an RTSP "handshake" over TCP or UDP.
 *
 * A flow already marked as RTSP control flow only refreshes the address
 * and timestamp kept on the src/dst ids.  Otherwise the first packet of
 * a flow records its direction in flow->rtsprdt_stage (and, over UDP,
 * is handed to the RDT data-transfer check); a reply from the other
 * direction with more than 20 bytes starting "RTSP/1.0 " marks the flow
 * as RTSP control flow.  A few more packets are awaited before RTSP is
 * excluded.
 *
 * @param ipoque_struct  detection module; packet, flow, src and dst are
 *                       read from it, flow and the ids may be updated
 */
void ipoque_search_rtsp_tcp_udp(struct ipoque_detection_module_struct
								*ipoque_struct)
{
	struct ipoque_packet_struct *packet = &ipoque_struct->packet;
	struct ipoque_flow_struct *flow = ipoque_struct->flow;
	struct ipoque_id_struct *src = ipoque_struct->src;
	struct ipoque_id_struct *dst = ipoque_struct->dst;
	const int direction = packet->packet_direction;

	/* established control flow: just keep the endpoint bookkeeping fresh */
	if (flow->detected_protocol == IPOQUE_PROTOCOL_RTSP && flow->rtsp_control_flow == 1) {
		IPQ_LOG(IPOQUE_PROTOCOL_RTSP, ipoque_struct, IPQ_LOG_DEBUG, "RTSP control flow update timestamp.\n");
		if (dst != NULL) {
			rtsp_touch_dst(packet, dst);
		}
		if (src != NULL) {
			rtsp_touch_src(packet, src);
		}
		return;
	}

	/* first packet: remember which side spoke first */
	if (flow->rtsprdt_stage == 0) {
		flow->rtsprdt_stage = 1 + direction;

		if (packet->udp != NULL) {
			/* checks whether this is an RTSP data transfer (RDT) over UDP */
			ipoque_search_rdt_connection(ipoque_struct);
			if (packet->detected_protocol == IPOQUE_PROTOCOL_RTSP && flow->rtsp_control_flow == 0) {
				return;
			}
		}

		IPQ_LOG(IPOQUE_PROTOCOL_RTSP, ipoque_struct, IPQ_LOG_DEBUG, "maybe handshake 1; need next packet.\n");
		return;
	}

	/* same side talking again: still waiting for the reply */
	if (flow->packet_counter < 3 && flow->rtsprdt_stage == 1 + direction) {
		IPQ_LOG(IPOQUE_PROTOCOL_RTSP, ipoque_struct, IPQ_LOG_DEBUG, "maybe handshake 2; need next packet.\n");
		return;
	}

	/* reply from the other side carrying an RTSP server status line */
	if (packet->payload_packet_len > 20 && flow->rtsprdt_stage == 2 - direction
		&& memcmp(packet->payload, "RTSP/1.0 ", 9) == 0) {
		IPQ_LOG(IPOQUE_PROTOCOL_RTSP, ipoque_struct, IPQ_LOG_DEBUG, "found RTSP/1.0 .\n");

		if (dst != NULL) {
			IPQ_LOG(IPOQUE_PROTOCOL_RTSP, ipoque_struct, IPQ_LOG_DEBUG, "found dst.\n");
			rtsp_touch_dst(packet, dst);
		}
		if (src != NULL) {
			IPQ_LOG(IPOQUE_PROTOCOL_RTSP, ipoque_struct, IPQ_LOG_DEBUG, "found src.\n");
			rtsp_touch_src(packet, src);
		}
		IPQ_LOG(IPOQUE_PROTOCOL_RTSP, ipoque_struct, IPQ_LOG_DEBUG, "found RTSP.\n");
		flow->rtsp_control_flow = 1;
		ipoque_int_rtsp_add_connection(ipoque_struct);
		return;
	}

	if (packet->udp != NULL && packet->detected_protocol == IPOQUE_PROTOCOL_UNKNOWN && flow->packet_counter < 5) {
		IPQ_LOG(IPOQUE_PROTOCOL_RTSP, ipoque_struct, IPQ_LOG_DEBUG, "maybe RTSP RTP; need next packet.\n");
		return;
	}

	IPQ_LOG(IPOQUE_PROTOCOL_RTSP, ipoque_struct, IPQ_LOG_DEBUG, "didn't find handshake, exclude.\n");
	IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_RTSP);
	return;
}
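/*
 * iMesh detector for TCP and UDP flows.
 *
 * Flows already classified as iMesh only refresh the per-endpoint imesh_timer
 * and return. On UDP the 28-byte login packet on port 1864 is reported at once,
 * and a 36-byte message is reported only when the endpoint was seen within
 * imesh_connection_timeout. On TCP every matching fixed-byte signature raises
 * flow->imesh_stage; the flow is reported once the stage reaches 4. A flow
 * that produced no evidence within its first packets is excluded from further
 * iMesh inspection.
 *
 * @param ipoque_struct  detection module whose current packet, flow, src and
 *                       dst are inspected; flow/src/dst state is updated in place.
 */
void ipoque_search_imesh_tcp_udp(struct ipoque_detection_module_struct
                                 *ipoque_struct)
{
    struct ipoque_packet_struct *packet = &ipoque_struct->packet;
    struct ipoque_flow_struct *flow = ipoque_struct->flow;
    struct ipoque_id_struct *src = ipoque_struct->src;
    struct ipoque_id_struct *dst = ipoque_struct->dst;


    if (packet->detected_protocol == IPOQUE_PROTOCOL_IMESH) {
        /* already classified: only keep the endpoint timers fresh */
        if (src != NULL) {
            src->imesh_timer = packet->tick_timestamp;
        }
        if (dst != NULL) {
            dst->imesh_timer = packet->tick_timestamp;
        }
        return;
    }

    /* skip packets already marked as some other protocol */
    if (packet->detected_protocol != IPOQUE_PROTOCOL_UNKNOWN)
        goto imesh_not_found_end;

    if (packet->udp != NULL) {

        IPQ_LOG(IPOQUE_PROTOCOL_IMESH, ipoque_struct, IPQ_LOG_DEBUG, "UDP FOUND\n");

        /* login packet: 28 bytes, 02 00 00 00 at the start, 00 00 00 00 at the end,
         * port 1864 on either side */
        if (packet->payload_packet_len == 28 && (get_l32(packet->payload, 0)) == 0x00000002	// PATTERN : 02 00 00 00
            && (get_l32(packet->payload, 24)) == 0x00000000	// PATTERN : 00 00 00 00
            && (packet->udp->dest == htons(1864) || packet->udp->source == htons(1864))) {
            IPQ_LOG(IPOQUE_PROTOCOL_IMESH, ipoque_struct, IPQ_LOG_DEBUG, "iMesh Login detected\n");
            if (src != NULL) {
                src->imesh_timer = packet->tick_timestamp;
            }
            if (dst != NULL) {
                dst->imesh_timer = packet->tick_timestamp;
            }
            ipoque_int_imesh_add_connection(ipoque_struct);
            return;
        } else if (packet->payload_packet_len == 36 && (get_l32(packet->payload, 0)) == 0x00000002) {	// PATTERN : 02 00 00 00
            /* 36-byte message: only trusted for an endpoint seen within the timeout */
            IPQ_LOG(IPOQUE_PROTOCOL_IMESH, ipoque_struct, IPQ_LOG_DEBUG, "iMesh detected, %u\n",
                    ipoque_struct->imesh_connection_timeout);
            if (src != NULL) {
                IPQ_LOG(IPOQUE_PROTOCOL_IMESH, ipoque_struct, IPQ_LOG_DEBUG, "iMesh: src < %u, %u, %u\n",
                        (packet->tick_timestamp - src->imesh_timer), packet->tick_timestamp, src->imesh_timer);
                if (((IPOQUE_TIMESTAMP_COUNTER_SIZE)
                        (packet->tick_timestamp - src->imesh_timer)) < ipoque_struct->imesh_connection_timeout) {
                    src->imesh_timer = packet->tick_timestamp;
                    ipoque_int_imesh_add_connection(ipoque_struct);
                }
            }
            if (dst != NULL) {
                IPQ_LOG(IPOQUE_PROTOCOL_IMESH, ipoque_struct, IPQ_LOG_DEBUG, "iMesh: dst < %u, %u, %u\n",
                        (packet->tick_timestamp - dst->imesh_timer), packet->tick_timestamp, dst->imesh_timer);
                if (((IPOQUE_TIMESTAMP_COUNTER_SIZE)
                        (packet->tick_timestamp - dst->imesh_timer)) < ipoque_struct->imesh_connection_timeout) {
                    dst->imesh_timer = packet->tick_timestamp;
                    ipoque_int_imesh_add_connection(ipoque_struct);
                }
            }
            return;
        }

        IPQ_LOG(IPOQUE_PROTOCOL_IMESH, ipoque_struct, IPQ_LOG_DEBUG,
                "iMesh UDP packetlen: %d\n", packet->payload_packet_len);

    } else if (packet->tcp != NULL) {

        IPQ_LOG(IPOQUE_PROTOCOL_IMESH, ipoque_struct, IPQ_LOG_DEBUG,
                "TCP FOUND :: Payload %u\n", packet->payload_packet_len);

        /* each signature below is a fixed byte pattern at a fixed payload length;
         * strong signatures add 2 to the stage, the weak 2-byte one adds 1 */
        if (packet->actual_payload_len == 0) {
            return;

        } else if ((packet->actual_payload_len == 8 || packet->payload_packet_len == 10)	/* PATTERN:: 04 00 00 00 00 00 00 00 [00 00] */
                   /* NOTE(review): mixes actual_payload_len and payload_packet_len;
                    * presumably both were meant to be the same field -- confirm */
                   &&packet->payload[0] == 0x04
                   && packet->payload[1] == 0x00
                   && packet->payload[2] == 0x00
                   && packet->payload[3] == 0x00
                   && packet->payload[4] == 0x00
                   && packet->payload[5] == 0x00 && packet->payload[6] == 0x00 && packet->payload[7] == 0x00) {
            flow->imesh_stage += 2;

            IPQ_LOG(IPOQUE_PROTOCOL_IMESH, ipoque_struct, IPQ_LOG_DEBUG,
                    "IMESH FOUND :: Payload %u\n", packet->actual_payload_len);

        } else if (packet->actual_payload_len == 10	/* PATTERN:: ?? ?? 04|00 00 64|00 00 */
                   && (packet->payload[2] == 0x04 || packet->payload[2] == 0x00)
                   && packet->payload[3] == 0x00 && (packet->payload[4] == 0x00 || packet->payload[4] == 0x64)
                   && packet->payload[5] == 0x00) {
            flow->imesh_stage += 2;
            IPQ_LOG(IPOQUE_PROTOCOL_IMESH, ipoque_struct, IPQ_LOG_DEBUG,
                    "IMESH FOUND :: Payload %u\n", packet->actual_payload_len);

        } else if (packet->actual_payload_len == 2 && packet->payload[0] == 0x06 && packet->payload[1] == 0x00) {
            flow->imesh_stage++;
            IPQ_LOG(IPOQUE_PROTOCOL_IMESH, ipoque_struct, IPQ_LOG_DEBUG,
                    "IMESH FOUND :: Payload %u\n", packet->actual_payload_len);

        } else if (packet->actual_payload_len == 10	/* PATTERN:: 06 00 04|00 00 01|00 00 01|00 00 ?? 00 */
                   && packet->payload[0] == 0x06
                   && packet->payload[1] == 0x00 && (packet->payload[2] == 0x04 || packet->payload[2] == 0x00)
                   && packet->payload[3] == 0x00 && (packet->payload[4] == 0x00 || packet->payload[4] == 0x01)
                   && packet->payload[5] == 0x00 && (packet->payload[6] == 0x01 || packet->payload[6] == 0x00)
                   && packet->payload[7] == 0x00 && packet->payload[9] == 0x00) {
            flow->imesh_stage += 2;
            IPQ_LOG(IPOQUE_PROTOCOL_IMESH, ipoque_struct, IPQ_LOG_DEBUG,
                    "IMESH FOUND :: Payload %u\n", packet->actual_payload_len);
        }

        else if (packet->actual_payload_len == 24 && packet->payload[0] == 0x06	// PATTERN :: 06 00 12 00 00 00 34 00 00
                 && packet->payload[1] == 0x00
                 && packet->payload[2] == 0x12
                 && packet->payload[3] == 0x00
                 && packet->payload[4] == 0x00
                 && packet->payload[5] == 0x00
                 && packet->payload[6] == 0x34 && packet->payload[7] == 0x00 && packet->payload[8] == 0x00) {
            flow->imesh_stage += 2;
            IPQ_LOG(IPOQUE_PROTOCOL_IMESH, ipoque_struct, IPQ_LOG_DEBUG,
                    "IMESH FOUND :: Payload %u\n", packet->actual_payload_len);
        }

        else if (packet->actual_payload_len == 8	/* PATTERN:: 06|00 00 02 00 00 00 33 00 */
                 && (packet->payload[0] == 0x06 || packet->payload[0] == 0x00)
                 && packet->payload[1] == 0x00
                 && packet->payload[2] == 0x02
                 && packet->payload[3] == 0x00
                 && packet->payload[4] == 0x00
                 && packet->payload[5] == 0x00 && packet->payload[6] == 0x33 && packet->payload[7] == 0x00) {
            flow->imesh_stage += 2;
            IPQ_LOG(IPOQUE_PROTOCOL_IMESH, ipoque_struct, IPQ_LOG_DEBUG,
                    "IMESH FOUND :: Payload %u\n", packet->actual_payload_len);
        }

        else if (packet->payload_packet_len == 6	/* PATTERN:: 02 00 00 00 33 00 */
                 && packet->payload[0] == 0x02
                 && packet->payload[1] == 0x00
                 && packet->payload[2] == 0x00
                 && packet->payload[3] == 0x00 && packet->payload[4] == 0x33 && packet->payload[5] == 0x00) {
            flow->imesh_stage += 2;
            IPQ_LOG(IPOQUE_PROTOCOL_IMESH, ipoque_struct, IPQ_LOG_DEBUG,
                    "IMESH FOUND :: Payload %u\n", packet->actual_payload_len);
        }

        else if (packet->actual_payload_len == 12 && packet->payload[0] == 0x06	// PATTERN : 06 00 06 00 00 00 64 00
                 && packet->payload[1] == 0x00
                 && packet->payload[2] == 0x06
                 && packet->payload[3] == 0x00
                 && packet->payload[4] == 0x00
                 && packet->payload[5] == 0x00 && packet->payload[6] == 0x64 && packet->payload[7] == 0x00) {
            flow->imesh_stage += 2;
            IPQ_LOG(IPOQUE_PROTOCOL_IMESH, ipoque_struct, IPQ_LOG_DEBUG,
                    "IMESH FOUND :: Payload %u\n", packet->actual_payload_len);
        }

        else if (packet->actual_payload_len == 10	/* PATTERN:: 06 00 04|01 00 00 00 01|00 00 ?? 00 */
                 && packet->payload[0] == 0x06
                 && packet->payload[1] == 0x00 && (packet->payload[2] == 0x04 || packet->payload[2] == 0x01)
                 && packet->payload[3] == 0x00
                 && packet->payload[4] == 0x00
                 && packet->payload[5] == 0x00 && (packet->payload[6] == 0x01 || packet->payload[6] == 0x00)
                 && packet->payload[7] == 0x00
                 && packet->payload[9] == 0x00) {
            flow->imesh_stage += 2;
            IPQ_LOG(IPOQUE_PROTOCOL_IMESH, ipoque_struct, IPQ_LOG_DEBUG,
                    "IMESH FOUND :: Payload %u\n", packet->actual_payload_len);

        } else if ((packet->actual_payload_len == 64 || packet->actual_payload_len == 52	/* PATTERN:: [len] 00 00 00 00 */
                    || packet->actual_payload_len == 95)
                   && get_u16(packet->payload, 0) == (packet->actual_payload_len)
                   && packet->payload[1] == 0x00 && packet->payload[2] == 0x00
                   && packet->payload[3] == 0x00 && packet->payload[4] == 0x00) {
            flow->imesh_stage += 2;
            IPQ_LOG(IPOQUE_PROTOCOL_IMESH, ipoque_struct, IPQ_LOG_DEBUG,
                    "IMESH FOUND :: Payload %u\n", packet->actual_payload_len);

        } else if (packet->actual_payload_len == 6 && packet->payload[0] == 0x06	// PATTERN : 06 00 04|6c 00|01 00 00
                   && packet->payload[1] == 0x00 && (packet->payload[2] == 0x04 || packet->payload[2] == 0x6c)
                   && (packet->payload[3] == 0x00 || packet->payload[3] == 0x01)
                   && packet->payload[4] == 0x00 && packet->payload[5] == 0x00) {

            flow->imesh_stage += 2;
            IPQ_LOG(IPOQUE_PROTOCOL_IMESH, ipoque_struct, IPQ_LOG_DEBUG,
                    "IMESH FOUND :: Payload %u\n", packet->actual_payload_len);

        } else if (packet->actual_payload_len == 6	/* PATTERN:: [len] ?? ee 00 00 00 */
                   && get_u16(packet->payload, 0) == (packet->actual_payload_len)
                   && packet->payload[2] == 0xee
                   && packet->payload[3] == 0x00 && packet->payload[4] == 0x00 && packet->payload[5] == 0x00) {
            flow->imesh_stage += 2;
            IPQ_LOG(IPOQUE_PROTOCOL_IMESH, ipoque_struct, IPQ_LOG_DEBUG,
                    "IMESH FOUND :: Payload %u\n", packet->actual_payload_len);
        }

        else if (packet->actual_payload_len == 10	/* PATTERN:: 06 00 00 00 00 00 00 00 */
                 && packet->payload[0] == 0x06
                 && packet->payload[1] == 0x00
                 && packet->payload[2] == 0x00
                 && packet->payload[3] == 0x00
                 && packet->payload[4] == 0x00
                 && packet->payload[5] == 0x00 && packet->payload[6] == 0x00 && packet->payload[7] == 0x00) {
            flow->imesh_stage += 2;
            IPQ_LOG(IPOQUE_PROTOCOL_IMESH, ipoque_struct, IPQ_LOG_DEBUG,
                    "IMESH FOUND :: Payload %u\n", packet->actual_payload_len);

        }
    }

    /* give one packet tolerance for detection */
    if (flow->imesh_stage >= 4) {
        ipoque_int_imesh_add_connection(ipoque_struct);
        /* return here so a freshly detected flow is not also marked as excluded
         * below, the same as every other add_connection path in this function */
        return;
    }

    /* keep waiting on the first packets and on empty segments */
    if ((flow->packet_counter < 5) || packet->actual_payload_len == 0) {
        return;
    }

imesh_not_found_end:
    IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_IMESH);
    IPQ_LOG(IPOQUE_PROTOCOL_IMESH, ipoque_struct, IPQ_LOG_DEBUG, "iMesh excluded at stage %d\n", flow->imesh_stage);

}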
/*
 * Refresh the Battlefield timestamp of the endpoint that is still inside
 * battlefield_timeout. src is tried first; dst only when src did not qualify.
 */
static void battlefield_refresh_endpoint_ts(struct ipoque_detection_module_struct *ipoque_struct,
											struct ipoque_packet_struct *packet,
											struct ipoque_id_struct *src,
											struct ipoque_id_struct *dst)
{
	if (src != NULL && ((IPOQUE_TIMESTAMP_COUNTER_SIZE)
						(packet->tick_timestamp - src->battlefield_ts) < ipoque_struct->battlefield_timeout)) {
		IPQ_LOG(IPOQUE_PROTOCOL_BATTLEFIELD, ipoque_struct, IPQ_LOG_DEBUG,
				"battlefield : save src connection packet detected\n");
		src->battlefield_ts = packet->tick_timestamp;
		return;
	}
	if (dst != NULL && ((IPOQUE_TIMESTAMP_COUNTER_SIZE)
						(packet->tick_timestamp - dst->battlefield_ts) < ipoque_struct->battlefield_timeout)) {
		IPQ_LOG(IPOQUE_PROTOCOL_BATTLEFIELD, ipoque_struct, IPQ_LOG_DEBUG,
				"battlefield : save dst connection packet detected\n");
		dst->battlefield_ts = packet->tick_timestamp;
	}
}

/*
 * Battlefield (UDP) detector.
 *
 * Already-classified flows only refresh the per-endpoint battlefield_ts.
 * Otherwise two request/reply handshakes are tracked in
 * flow->l4.udp.battlefield_stage (1/2 + direction for the 0xfefd message-id
 * exchange when an endpoint already used Battlefield, 3/4 + direction for the
 * 46-byte hello and its 7-byte reply), followed by fixed byte signatures.
 * When nothing matches IPOQUE_PROTOCOL_BATTLEFIELD is excluded for the flow.
 *
 * @param ipoque_struct  detection module whose current packet, flow, src and
 *                       dst are inspected; flow/src/dst state is updated in place.
 */
void ipoque_search_battlefield(struct ipoque_detection_module_struct
							   *ipoque_struct)
{
	struct ipoque_packet_struct *pkt = &ipoque_struct->packet;
	struct ipoque_flow_struct *fl = ipoque_struct->flow;
	struct ipoque_id_struct *src_id = ipoque_struct->src;
	struct ipoque_id_struct *dst_id = ipoque_struct->dst;

	if (pkt->detected_protocol_stack[0] == IPOQUE_PROTOCOL_BATTLEFIELD) {
		battlefield_refresh_endpoint_ts(ipoque_struct, pkt, src_id, dst_id);
		return;
	}

	/* message-id handshake, only tried when one endpoint already played Battlefield */
	if (IPQ_SRC_OR_DST_HAS_PROTOCOL(src_id, dst_id, IPOQUE_PROTOCOL_BATTLEFIELD)) {
		const int request_side = (fl->l4.udp.battlefield_stage == 0
								  || fl->l4.udp.battlefield_stage == 1 + pkt->packet_direction);
		const int reply_side = (fl->l4.udp.battlefield_stage == 2 - pkt->packet_direction);

		if (request_side) {
			/* request: magic 0xfefd, then a 32-bit id the reply must echo */
			if (pkt->payload_packet_len > 8 && get_u16(pkt->payload, 0) == htons(0xfefd)) {
				fl->l4.udp.battlefield_msg_id = get_u32(pkt->payload, 2);
				fl->l4.udp.battlefield_stage = 1 + pkt->packet_direction;
				return;
			}
		} else if (reply_side) {
			if (pkt->payload_packet_len > 8 && get_u32(pkt->payload, 0) == fl->l4.udp.battlefield_msg_id) {
				IPQ_LOG(IPOQUE_PROTOCOL_BATTLEFIELD, ipoque_struct,
						IPQ_LOG_DEBUG, "Battlefield message and reply detected.\n");
				ipoque_int_battlefield_add_connection(ipoque_struct);
				return;
			}
		}
	}

	/* hello handshake: 46-byte hello, answered by a 7-byte reply from the other side */
	if (fl->l4.udp.battlefield_stage == 0) {
		if (pkt->payload_packet_len == 46 && pkt->payload[2] == 0 && pkt->payload[4] == 0
			&& get_u32(pkt->payload, 7) == htonl(0x98001100)) {
			fl->l4.udp.battlefield_stage = 3 + pkt->packet_direction;
			return;
		}
	} else if (fl->l4.udp.battlefield_stage == 4 - pkt->packet_direction) {
		/* length is 7, so the last payload byte is index 6 */
		if (pkt->payload_packet_len == 7 && (pkt->payload[0] == 0x02 || pkt->payload[6] == 0xe0)) {
			IPQ_LOG(IPOQUE_PROTOCOL_BATTLEFIELD, ipoque_struct, IPQ_LOG_DEBUG,
					"Battlefield message and reply detected.\n");
			ipoque_int_battlefield_add_connection(ipoque_struct);
			return;
		}
	}

	/* stateless signatures */
	if (pkt->payload_packet_len == 18 && ipq_mem_cmp(&pkt->payload[5], "battlefield2\x00", 13) == 0) {
		IPQ_LOG(IPOQUE_PROTOCOL_BATTLEFIELD, ipoque_struct, IPQ_LOG_DEBUG, "Battlefield 2 hello packet detected.\n");
		ipoque_int_battlefield_add_connection(ipoque_struct);
		return;
	}

	if (pkt->payload_packet_len > 10) {
		static const char *const safe_prefixes[] = {
			"\x11\x20\x00\x01\x00\x00\x50\xb9\x10\x11",
			"\x11\x20\x00\x01\x00\x00\x30\xb9\x10\x11",
			"\x11\x20\x00\x01\x00\x00\xa0\x98\x00\x11",
		};
		unsigned k;

		for (k = 0; k < sizeof safe_prefixes / sizeof safe_prefixes[0]; k++) {
			if (ipq_mem_cmp(pkt->payload, safe_prefixes[k], 10) == 0) {
				IPQ_LOG(IPOQUE_PROTOCOL_BATTLEFIELD, ipoque_struct, IPQ_LOG_DEBUG, "Battlefield safe pattern detected.\n");
				ipoque_int_battlefield_add_connection(ipoque_struct);
				return;
			}
		}
	}

	IPOQUE_ADD_PROTOCOL_TO_BITMASK(fl->excluded_protocol_bitmask, IPOQUE_PROTOCOL_BATTLEFIELD);
	return;
}
/* True when c is an ASCII hexadecimal digit (0-9, a-f, A-F). */
static inline int ipp_is_hex_digit(u8 c)
{
	return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F');
}

/* True when c is an ASCII decimal digit (0-9). */
static inline int ipp_is_dec_digit(u8 c)
{
	return c >= '0' && c <= '9';
}

/*
 * IPP detector.
 *
 * First looks for a printer status line of the form
 * "<1-9 hex digits> <1-4 digits> ipp://" (the first digit must be decimal)
 * inside a payload longer than 20 bytes; the scan never reads past
 * payload[19]. Failing that, a "POST" request whose parsed Content-Type line
 * starts with "application/ipp" is accepted. Otherwise IPOQUE_PROTOCOL_IPP is
 * excluded for the flow.
 *
 * @param ipoque_struct  detection module whose current packet and flow are
 *                       inspected; the flow's exclusion bitmask may be updated.
 */
void ipoque_search_ipp(struct ipoque_detection_module_struct
					   *ipoque_struct)
{
	struct ipoque_packet_struct *packet = &ipoque_struct->packet;
	struct ipoque_flow_struct *flow = ipoque_struct->flow;
	u8 pos = 0;

	IPQ_LOG(IPOQUE_PROTOCOL_IPP, ipoque_struct, IPQ_LOG_DEBUG, "search ipp\n");
	if (packet->payload_packet_len > 20) {

		IPQ_LOG(IPOQUE_PROTOCOL_IPP, ipoque_struct, IPQ_LOG_DEBUG,
				"searching for a payload with a pattern like 'number(1to8)blanknumber(1to3)ipp://.\n");
		/* a printer reporting an idle state (nothing being printed) emits this pattern */

		if (!ipp_is_dec_digit(packet->payload[pos])) {
			IPQ_LOG(IPOQUE_PROTOCOL_IPP, ipoque_struct, IPQ_LOG_DEBUG, "payload does not begin with a number.\n");
			goto search_for_next_pattern;
		}

		/* consume hex digits; stops on the first non-digit or once pos passes 8 */
		do {
			pos++;
		} while (ipp_is_hex_digit(packet->payload[pos]) && pos <= 8);
		IPQ_LOG(IPOQUE_PROTOCOL_IPP, ipoque_struct, IPQ_LOG_DEBUG,
				"read symbols while the symbol is a number.\n");

		if (packet->payload[pos] != ' ') {
			IPQ_LOG(IPOQUE_PROTOCOL_IPP, ipoque_struct, IPQ_LOG_DEBUG, "there is no blank following the number.\n");
			goto search_for_next_pattern;
		}
		pos++;

		if (!ipp_is_dec_digit(packet->payload[pos])) {
			IPQ_LOG(IPOQUE_PROTOCOL_IPP, ipoque_struct, IPQ_LOG_DEBUG, "no number following the blank.\n");
			goto search_for_next_pattern;
		}

		/* consume decimal digits; stops on the first non-digit or once pos passes 12 */
		do {
			pos++;
		} while (ipp_is_dec_digit(packet->payload[pos]) && pos <= 12);
		IPQ_LOG(IPOQUE_PROTOCOL_IPP, ipoque_struct, IPQ_LOG_DEBUG,
				"read symbols while the symbol is a number.\n");

		/* pos is at most 13 here, so the 7-byte compare stays within the 21+ byte payload */
		if (ipq_mem_cmp(&packet->payload[pos], " ipp://", 7) != 0) {
			IPQ_LOG(IPOQUE_PROTOCOL_IPP, ipoque_struct, IPQ_LOG_DEBUG, "the string ' ipp://' does not follow.\n");
			goto search_for_next_pattern;
		}

		IPQ_LOG(IPOQUE_PROTOCOL_IPP, ipoque_struct, IPQ_LOG_DEBUG, "found ipp\n");
		ipoque_int_ipp_add_connection(ipoque_struct);
		return;
	}

  search_for_next_pattern:

	/* HTTP carrier: POST with Content-Type application/ipp */
	if (packet->payload_packet_len > 3 && memcmp(packet->payload, "POST", 4) == 0) {
		ipq_parse_packet_line_info(ipoque_struct);
		if (packet->content_line.ptr != NULL && packet->content_line.len > 14
			&& memcmp(packet->content_line.ptr, "application/ipp", 15) == 0) {
			IPQ_LOG(IPOQUE_PROTOCOL_IPP, ipoque_struct, IPQ_LOG_DEBUG, "found ipp via POST ... application/ipp.\n");
			ipoque_int_ipp_add_connection(ipoque_struct);
			return;
		}
	}
	IPQ_LOG(IPOQUE_PROTOCOL_IPP, ipoque_struct, IPQ_LOG_DEBUG, "no ipp detected.\n");
	IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_IPP);
}
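/*
 * Soulseek (TCP) detector.
 *
 * Flows already marked as Soulseek only refresh the per-endpoint
 * soulseek_last_safe_access_time (and learn the advertised listen port from
 * the 12-byte message with code 2). Unmarked flows are matched by: traffic to
 * a recently learned listen port, the login message layout, server message
 * codes (0x7d search, 0x02 set listen port, 0x03 get peer address), the
 * peer-init message (code 0x01 followed by an 'F'/'P'/'D' type) and the
 * 9-byte pierce-firewall message. flow->l4.tcp.soulseek_stage records the
 * direction of the first matching message as 1 + packet_direction; the reply
 * is expected as 2 - packet_direction; stage 3 waits for an 8-byte message.
 * A flow with a stage gets up to ten packets before IPOQUE_PROTOCOL_SOULSEEK
 * is excluded.
 *
 * All length fields are taken from the packet, so every read below is kept
 * inside payload_packet_len before it happens.
 *
 * @param ipoque_struct  detection module whose current packet, flow, src and
 *                       dst are inspected; flow/src/dst state is updated in place.
 */
void ipoque_search_soulseek_tcp(struct ipoque_detection_module_struct
								*ipoque_struct)
{
	struct ipoque_packet_struct *packet = &ipoque_struct->packet;
	struct ipoque_flow_struct *flow = ipoque_struct->flow;
	struct ipoque_id_struct *src = ipoque_struct->src;
	struct ipoque_id_struct *dst = ipoque_struct->dst;

	IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG, "Soulseek: search soulseec tcp \n");


	if (packet->detected_protocol_stack[0] == IPOQUE_PROTOCOL_SOULSEEK) {
		IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG, "packet marked as Soulseek\n");
		if (src != NULL)
			IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG,
					"  SRC bitmask: %u, packet tick %llu , last safe access timestamp: %llu\n",
					IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, IPOQUE_PROTOCOL_SOULSEEK)
					!= 0 ? 1 : 0, (u64) packet->tick_timestamp, (u64) src->soulseek_last_safe_access_time);
		if (dst != NULL)
			IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG,
					"  DST bitmask: %u, packet tick %llu , last safe ts: %llu\n",
					IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, IPOQUE_PROTOCOL_SOULSEEK)
					!= 0 ? 1 : 0, (u64) packet->tick_timestamp, (u64) dst->soulseek_last_safe_access_time);

		if (packet->payload_packet_len == 431) {
			if (dst != NULL) {
				dst->soulseek_last_safe_access_time = packet->tick_timestamp;
			}
			return;
		}
		/* "set listen port" message (code 2): remember the port the peer listens on */
		if (packet->payload_packet_len == 12 && get_l32(packet->payload, 4) == 0x02) {
			if (src != NULL) {
				src->soulseek_last_safe_access_time = packet->tick_timestamp;
				if (packet->tcp != NULL && src->soulseek_listen_port == 0) {
					src->soulseek_listen_port = get_l32(packet->payload, 8);
					return;
				}
			}
		}

		if (src != NULL && ((IPOQUE_TIMESTAMP_COUNTER_SIZE)
							(packet->tick_timestamp -
							 src->soulseek_last_safe_access_time) <
							ipoque_struct->soulseek_connection_ip_tick_timeout)) {
			IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG,
					"Soulseek: SRC update last safe access time and SKIP_FOR_TIME \n");
			src->soulseek_last_safe_access_time = packet->tick_timestamp;
		}

		if (dst != NULL && ((IPOQUE_TIMESTAMP_COUNTER_SIZE)
							(packet->tick_timestamp -
							 dst->soulseek_last_safe_access_time) <
							ipoque_struct->soulseek_connection_ip_tick_timeout)) {
			IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG,
					"Soulseek: DST update last safe access time and SKIP_FOR_TIME \n");
			dst->soulseek_last_safe_access_time = packet->tick_timestamp;
		}
	}


	/* connection to a listen port learned recently from this endpoint.
	 * packet->tcp is checked explicitly here like in the other places that
	 * dereference it; presumably this function is only dispatched for TCP. */
	if (packet->tcp != NULL && dst != NULL && dst->soulseek_listen_port != 0
		&& dst->soulseek_listen_port == ntohs(packet->tcp->dest)
		&& ((IPOQUE_TIMESTAMP_COUNTER_SIZE)
			(packet->tick_timestamp - dst->soulseek_last_safe_access_time) <
			ipoque_struct->soulseek_connection_ip_tick_timeout)) {
		IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG,
				"Soulseek: Plain detection on Port : %u packet_tick_timestamp: %u soulseeek_last_safe_access_time: %u soulseek_connection_ip_ticktimeout: %u\n",
				dst->soulseek_listen_port, packet->tick_timestamp,
				dst->soulseek_last_safe_access_time, ipoque_struct->soulseek_connection_ip_tick_timeout);
		ipoque_int_soulseek_add_connection(ipoque_struct);
		return;
	}

	if (flow->l4.tcp.soulseek_stage == 0) {

		u32 index = 0;

		/* login message: a chain of length-prefixed fields (4-byte little-endian
		 * length, high 16 bits zero) with message code 1 */
		if (packet->payload_packet_len >= 12 && packet->payload_packet_len < 300 && get_l32(packet->payload, 4) == 1) {
			/* index stays below payload_packet_len, so each 4-byte read is
			 * guarded with (index + 4) <= payload_packet_len before it happens */
			while ((index + 4) <= packet->payload_packet_len
				   && !get_u16(packet->payload, index + 2)
				   && (index + get_l32(packet->payload, index)) < packet->payload_packet_len - 4) {
				if (get_l32(packet->payload, index) < 8)	/*Minimum soulsek  login msg is 8B */
					break;

				if (index + get_l32(packet->payload, index) + 4 <= index) {
					/* avoid overflow */
					break;
				}

				index += get_l32(packet->payload, index) + 4;
			}
			if ((index + 4) <= packet->payload_packet_len
				&& index + get_l32(packet->payload, index) == packet->payload_packet_len - 4
				&& !get_u16(packet->payload, 10)) {
				/*This structure seems to be soulseek proto */
				/* the user-name length at offset 8 has its high 16 bits zero (checked
				 * above), so index cannot wrap in the additions below */
				index = get_l32(packet->payload, 8) + 12;	// end of "user name"
				if ((index + 4) <= packet->payload_packet_len && !get_u16(packet->payload, index + 2))	// for passwd len
				{
					index += get_l32(packet->payload, index) + 4;	//end of  "Passwd"
					if ((index + 4 + 4) <= packet->payload_packet_len && !get_u16(packet->payload, index + 6))	// to read version,hashlen
					{
						index += get_l32(packet->payload, index + 4) + 8;	// enf of "hash value"
						if (index == get_l32(packet->payload, 0)) {
							IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK,
									ipoque_struct, IPQ_LOG_DEBUG, "Soulseek Login Detected\n");
							ipoque_int_soulseek_add_connection(ipoque_struct);
							return;
						}
					}
				}
			}
		}
		if (packet->payload_packet_len > 8
			&& packet->payload_packet_len < 200 && get_l32(packet->payload, 0) == packet->payload_packet_len - 4) {
			//Server Messages:
			const u32 msgcode = get_l32(packet->payload, 4);

			if (msgcode == 0x7d) {
				flow->l4.tcp.soulseek_stage = 1 + packet->packet_direction;
				IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG, "Soulseek Messages Search\n");
				return;
			} else if (msgcode == 0x02 && packet->payload_packet_len == 12) {
				const u32 soulseek_listen_port = get_l32(packet->payload, 8);

				if (src != NULL) {
					src->soulseek_last_safe_access_time = packet->tick_timestamp;

					if (packet->tcp != NULL && src->soulseek_listen_port == 0) {
						src->soulseek_listen_port = soulseek_listen_port;
						IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct,
								IPQ_LOG_DEBUG, "\n Listen Port Saved : %u", src->soulseek_listen_port);
						ipoque_int_soulseek_add_connection(ipoque_struct);
						return;
					}
				}

			}
			//Peer Messages  : Peer Init Message Detection
			/* payload_packet_len > 8 here, so the reads at len - 9, len - 5 and 5..8 are in bounds */
			if (get_l32(packet->payload, 0) == packet->payload_packet_len - 4) {
				const u32 typelen = get_l32(packet->payload, packet->payload_packet_len - 9);
				const u8 type = packet->payload[packet->payload_packet_len - 5];
				const u32 namelen = get_l32(packet->payload, 5);
				if (packet->payload[4] == 0x01 && typelen == 1
					&& namelen <= packet->payload_packet_len
					&& (4 + 1 + 4 + namelen + 4 + 1 + 4) ==
					packet->payload_packet_len && (type == 'F' || type == 'P' || type == 'D')) {
					IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG, "soulseek detected\n");
					ipoque_int_soulseek_add_connection(ipoque_struct);
					return;
				}
				IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG, "1\n");
			}
			IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG, "3\n");
			//Peer Message : Pierce Firewall
			if (packet->payload_packet_len == 9 && get_l32(packet->payload, 0) == 5
				&& packet->payload[4] <= 0x10 && get_u32(packet->payload, 5) != 0x00000000) {
				flow->l4.tcp.soulseek_stage = 1 + packet->packet_direction;
				IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_TRACE, "Soulseek Size 9 Pierce Firewall\n");
				return;
			}

		}

		/* peer-init message without the length check above:
		 * 4 len, 1 code (0x01), 4 usrlen, usrlen bytes, 4 typelen, 1 type */
		if (packet->payload_packet_len > 25 && packet->payload[4] == 0x01 && !get_u16(packet->payload, 7)
			&& !get_u16(packet->payload, 2)) {
			const u32 usrlen = get_l32(packet->payload, 5);

			/* typelen (4 bytes) and type (1 byte) must still fit after the
			 * 9-byte header and the user name, otherwise the reads below
			 * would run past the payload */
			if (usrlen <= packet->payload_packet_len - (4 + 1 + 4 + 4 + 1)) {
				const u32 typelen = get_l32(packet->payload, 4 + 1 + 4 + usrlen);
				const u8 type = packet->payload[4 + 1 + 4 + usrlen + 4];
				if (typelen == 1 && (type == 'F' || type == 'P' || type == 'D')) {
					IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct,
							IPQ_LOG_DEBUG, "soulseek detected Pattern command(D|P|F).\n");
					ipoque_int_soulseek_add_connection(ipoque_struct);
					return;
				}
			}
		}

	} else if (flow->l4.tcp.soulseek_stage == 2 - packet->packet_direction) {
		/* reply direction of a flow whose first message matched */
		if (packet->payload_packet_len > 8) {
			if ((packet->payload[0] || packet->payload[1]) && get_l32(packet->payload, 4) == 9) {
				/* 9 is search result */
				IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG, "soulseek detected Second Pkt\n");
				ipoque_int_soulseek_add_connection(ipoque_struct);
				return;
			}
			if (get_l32(packet->payload, 0) == packet->payload_packet_len - 4) {
				const u32 msgcode = get_l32(packet->payload, 4);
				if (msgcode == 0x03 && packet->payload_packet_len >= 12)	//Server Message : Get Peer Address
				{
					const u32 usrlen = get_l32(packet->payload, 8);
					if (usrlen <= packet->payload_packet_len && 4 + 4 + 4 + usrlen == packet->payload_packet_len) {
						IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct,
								IPQ_LOG_DEBUG, "Soulseek Request Get Peer Address Detected\n");
						ipoque_int_soulseek_add_connection(ipoque_struct);
						return;
					}
				}
			}
		}

		if (packet->payload_packet_len == 8 && get_l32(packet->payload, 4) == 0x00000004) {
			IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG, "soulseek detected\n");
			ipoque_int_soulseek_add_connection(ipoque_struct);
			return;
		}

		if (packet->payload_packet_len == 4
			&& get_u16(packet->payload, 2) == 0x00 && get_u16(packet->payload, 0) != 0x00) {
			IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG, "soulseek detected\n");
			ipoque_int_soulseek_add_connection(ipoque_struct);
			return;
		} else if (packet->payload_packet_len == 4) {
			/* other 4-byte reply: wait for the 8-byte message handled at stage 3 */
			flow->l4.tcp.soulseek_stage = 3;
			return;
		}
	} else if (flow->l4.tcp.soulseek_stage == 1 + packet->packet_direction) {
		if (packet->payload_packet_len > 8) {
			if (packet->payload[4] == 0x03 && get_l32(packet->payload, 5) == 0x00000031) {
				IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct,
						IPQ_LOG_DEBUG, "soulseek detected Second Pkt with SIGNATURE :: 0x0331000000 \n");
				ipoque_int_soulseek_add_connection(ipoque_struct);
				return;
			}
		}
	}
	if (flow->l4.tcp.soulseek_stage == 3 && packet->payload_packet_len == 8 && !get_u32(packet->payload, 4)) {

		IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG, "soulseek detected bcz of 8B  pkt\n");
		ipoque_int_soulseek_add_connection(ipoque_struct);
		return;
	}
	/* a flow that reached a stage is given up to ten packets; everything else is excluded now */
	if (flow->l4.tcp.soulseek_stage && flow->packet_counter < 11) {
	} else {
		IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_SOULSEEK);
	}
}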