/* this function deals with UDP connections */
static void ipoque_search_rdt_connection(struct ipoque_detection_module_struct
*ipoque_struct)
{
struct ipoque_packet_struct *packet = &ipoque_struct->packet;
struct ipoque_id_struct *src = ipoque_struct->src;
// struct ipoque_id_struct *dst = ipoque_struct->dst;
IPQ_LOG(IPOQUE_PROTOCOL_RTSP, ipoque_struct, IPQ_LOG_DEBUG, "found UDP\n");
if (src != NULL) {
// UDP packets, check in case of timeout, bitmask, packet length and payload -> search the RDT Request which has the type 0xff03
if (src->rtsp_ts_set == 1
&& ((IPOQUE_TIMESTAMP_COUNTER_SIZE) (packet->tick_timestamp - src->rtsp_timer)) <
ipoque_struct->rtsp_connection_timeout) {
if (ipq_packet_dst_ip_eql(packet, &src->rtsp_ip_address)
&& IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, IPOQUE_PROTOCOL_RTSP) != 0) {
if (packet->payload_packet_len == 3 && packet->payload[0] == 0x00 && packet->payload[1] == 0xff
&& packet->payload[2] == 0x03) {
IPQ_LOG(IPOQUE_PROTOCOL_RTSP, ipoque_struct, IPQ_LOG_DEBUG, "found RTSP RDT.\n");
ipoque_int_rtsp_add_connection(ipoque_struct);
return;
}
}
} else {
src->rtsp_ts_set = 0;
}
}
IPQ_LOG(IPOQUE_PROTOCOL_RTSP, ipoque_struct, IPQ_LOG_DEBUG, "didn't find RDT stream.\n");
return;
}
void ipoque_search_kontiki(struct ipoque_detection_module_struct *ipoque_struct)
{
struct ipoque_packet_struct *packet = &ipoque_struct->packet;
struct ipoque_flow_struct *flow = ipoque_struct->flow;
// struct ipoque_id_struct *src=ipoque_struct->src;
// struct ipoque_id_struct *dst=ipoque_struct->dst;
if (packet->payload_packet_len == 4 && (get_u32(packet->payload, 0) == htonl(0x02010100))) {
IPQ_LOG(IPOQUE_PROTOCOL_KONTIKI, ipoque_struct, IPQ_LOG_DEBUG, "Kontiki UDP detected.\n");
ipoque_int_kontiki_add_connection(ipoque_struct);
return;
}
if (packet->payload_packet_len > 0 && packet->payload[0] == 0x02) {
if (packet->payload_packet_len == 20 && (get_u32(packet->payload, 16) == htonl(0x02040100))) {
IPQ_LOG(IPOQUE_PROTOCOL_KONTIKI, ipoque_struct, IPQ_LOG_DEBUG, "Kontiki UDP detected.\n");
ipoque_int_kontiki_add_connection(ipoque_struct);
return;
}
if (packet->payload_packet_len == 16 && (get_u32(packet->payload, 12) == htonl(0x000004e4))) {
IPQ_LOG(IPOQUE_PROTOCOL_KONTIKI, ipoque_struct, IPQ_LOG_DEBUG, "Kontiki UDP detected.\n");
ipoque_int_kontiki_add_connection(ipoque_struct);
return;
}
}
IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_KONTIKI);
}
static inline void ipoque_int_search_thunder_udp(struct ipoque_detection_module_struct
*ipoque_struct)
{
struct ipoque_packet_struct *packet = &ipoque_struct->packet;
struct ipoque_flow_struct *flow = ipoque_struct->flow;
// struct ipoque_id_struct *src=ipoque_struct->src;
// struct ipoque_id_struct *dst=ipoque_struct->dst;
if (packet->payload_packet_len > 8 && packet->payload[0] >= 0x30
&& packet->payload[0] < 0x40 && packet->payload[1] == 0 && packet->payload[2] == 0 && packet->payload[3] == 0) {
if (flow->thunder_stage == 3) {
IPQ_LOG(IPOQUE_PROTOCOL_THUNDER, ipoque_struct, IPQ_LOG_DEBUG, "THUNDER udp detected\n");
ipoque_int_thunder_add_connection(ipoque_struct);
return;
}
flow->thunder_stage++;
IPQ_LOG(IPOQUE_PROTOCOL_THUNDER, ipoque_struct, IPQ_LOG_DEBUG,
"maybe thunder udp packet detected, stage increased to %u\n", flow->thunder_stage);
return;
}
IPQ_LOG(IPOQUE_PROTOCOL_THUNDER, ipoque_struct, IPQ_LOG_DEBUG,
"excluding thunder udp at stage %u\n", flow->thunder_stage);
IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_THUNDER);
}
void ipoque_search_icecast_tcp(struct ipoque_detection_module_struct
*ipoque_struct)
{
struct ipoque_packet_struct *packet = &ipoque_struct->packet;
struct ipoque_flow_struct *flow = ipoque_struct->flow;
u8 i;
IPQ_LOG(IPOQUE_PROTOCOL_ICECAST, ipoque_struct, IPQ_LOG_DEBUG, "search icecast.\n");
if ((packet->payload_packet_len < 500 &&
packet->payload_packet_len >= 7 && ipq_mem_cmp(packet->payload, "SOURCE ", 7) == 0)
|| flow->l4.tcp.icecast_stage) {
ipq_parse_packet_line_info_unix(ipoque_struct);
IPQ_LOG(IPOQUE_PROTOCOL_ICECAST, ipoque_struct, IPQ_LOG_DEBUG, "Icecast lines=%d\n", packet->parsed_unix_lines);
for (i = 0; i < packet->parsed_unix_lines; i++) {
if (packet->unix_line[i].ptr != NULL && packet->unix_line[i].len > 4
&& ipq_mem_cmp(packet->unix_line[i].ptr, "ice-", 4) == 0) {
IPQ_LOG(IPOQUE_PROTOCOL_ICECAST, ipoque_struct, IPQ_LOG_DEBUG, "Icecast detected.\n");
ipoque_int_icecast_add_connection(ipoque_struct);
return;
}
}
if (packet->parsed_unix_lines < 1 && !flow->l4.tcp.icecast_stage) {
flow->l4.tcp.icecast_stage = 1;
return;
}
}
#ifdef IPOQUE_PROTOCOL_HTTP
if (IPQ_FLOW_PROTOCOL_EXCLUDED(ipoque_struct, flow, IPOQUE_PROTOCOL_HTTP)) {
goto icecast_exclude;
}
#endif
if (packet->packet_direction == flow->setup_packet_direction && flow->packet_counter < 10) {
return;
}
if (packet->packet_direction != flow->setup_packet_direction) {
/* server answer, now test Server for Icecast */
ipq_parse_packet_line_info(ipoque_struct);
if (packet->server_line.ptr != NULL && packet->server_line.len > IPQ_STATICSTRING_LEN("Icecast") &&
memcmp(packet->server_line.ptr, "Icecast", IPQ_STATICSTRING_LEN("Icecast")) == 0) {
IPQ_LOG(IPOQUE_PROTOCOL_ICECAST, ipoque_struct, IPQ_LOG_DEBUG, "Icecast detected.\n");
/* TODO maybe store the previous protocol type as subtype?
* e.g. ogg or mpeg
*/
ipoque_int_icecast_add_connection(ipoque_struct);
return;
}
}
icecast_exclude:
IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_ICECAST);
IPQ_LOG(IPOQUE_PROTOCOL_ICECAST, ipoque_struct, IPQ_LOG_DEBUG, "Icecast excluded.\n");
}
static inline void ipoque_int_search_thunder_tcp(struct ipoque_detection_module_struct
*ipoque_struct)
{
struct ipoque_packet_struct *packet = &ipoque_struct->packet;
struct ipoque_flow_struct *flow = ipoque_struct->flow;
// struct ipoque_id_struct *src=ipoque_struct->src;
// struct ipoque_id_struct *dst=ipoque_struct->dst;
if (packet->payload_packet_len > 8 && packet->payload[0] >= 0x30
&& packet->payload[0] < 0x40 && packet->payload[1] == 0 && packet->payload[2] == 0 && packet->payload[3] == 0) {
if (flow->thunder_stage == 3) {
IPQ_LOG(IPOQUE_PROTOCOL_THUNDER, ipoque_struct, IPQ_LOG_DEBUG, "THUNDER tcp detected\n");
ipoque_int_thunder_add_connection(ipoque_struct);
return;
}
flow->thunder_stage++;
IPQ_LOG(IPOQUE_PROTOCOL_THUNDER, ipoque_struct, IPQ_LOG_DEBUG,
"maybe thunder tcp packet detected, stage increased to %u\n", flow->thunder_stage);
return;
}
if (flow->thunder_stage == 0 && packet->payload_packet_len > 17
&& ipq_mem_cmp(packet->payload, "POST / HTTP/1.1\r\n", 17) == 0) {
ipq_parse_packet_line_info(ipoque_struct);
IPQ_LOG(IPOQUE_PROTOCOL_THUNDER, ipoque_struct, IPQ_LOG_DEBUG,
"maybe thunder http POST packet detected, parsed packet lines: %u, empty line set %u (at: %u)\n",
packet->parsed_lines, packet->empty_line_position_set, packet->empty_line_position);
if (packet->empty_line_position_set != 0 &&
packet->content_line.ptr != NULL &&
packet->content_line.len == 24 &&
ipq_mem_cmp(packet->content_line.ptr, "application/octet-stream",
24) == 0 && packet->empty_line_position_set < (packet->payload_packet_len - 8)
&& packet->payload[packet->empty_line_position + 2] >= 0x30
&& packet->payload[packet->empty_line_position + 2] < 0x40
&& packet->payload[packet->empty_line_position + 3] == 0x00
&& packet->payload[packet->empty_line_position + 4] == 0x00
&& packet->payload[packet->empty_line_position + 5] == 0x00) {
IPQ_LOG(IPOQUE_PROTOCOL_THUNDER, ipoque_struct, IPQ_LOG_DEBUG,
"maybe thunder http POST packet application does match\n");
ipoque_int_thunder_add_connection(ipoque_struct);
return;
}
}
IPQ_LOG(IPOQUE_PROTOCOL_THUNDER, ipoque_struct, IPQ_LOG_DEBUG,
"excluding thunder tcp at stage %u\n", flow->thunder_stage);
IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_THUNDER);
}
static inline
#else
__forceinline static
#endif
u8 search_pando(struct ipoque_detection_module_struct *ipoque_struct)
{
struct ipoque_packet_struct *packet = &ipoque_struct->packet;
// struct ipoque_flow_struct *flow=ipoque_struct->flow;
// struct ipoque_id_struct *src=ipoque_struct->src;
// struct ipoque_id_struct *dst=ipoque_struct->dst;
if (packet->tcp != NULL) {
if (packet->payload_packet_len == 63 && memcmp(&packet->payload[1], "Pando protocol", 14) == 0) {
IPQ_LOG(IPOQUE_PROTOCOL_PANDO, ipoque_struct, IPQ_LOG_DEBUG, "Pando download detected\n");
goto end_pando_found;
}
} else if (packet->udp != NULL) {
if (packet->payload_packet_len > 20
&& packet->payload_packet_len < 100
&& packet->payload[0] == 0x00
&& packet->payload[1] == 0x00
&& packet->payload[2] == 0x00
&& packet->payload[3] == 0x09 && packet->payload[4] == 0x00 && packet->payload[5] == 0x00) {
// bypass the detection because one packet has at a specific place the word Pando in it
if (packet->payload_packet_len == 87 && memcmp(&packet->payload[25], "Pando protocol", 14) == 0) {
IPQ_LOG(IPOQUE_PROTOCOL_PANDO, ipoque_struct, IPQ_LOG_DEBUG,
"Pando UDP packet detected --> Pando in payload\n");
goto end_pando_found;
} else if (packet->payload_packet_len == 92 && memcmp(&packet->payload[72], "Pando", 5) == 0) {
IPQ_LOG(IPOQUE_PROTOCOL_PANDO, ipoque_struct, IPQ_LOG_DEBUG,
"Pando UDP packet detected --> Pando in payload\n");
goto end_pando_found;
}
goto end_pando_maybe_found;
}
}
goto end_pando_nothing_found;
end_pando_found:
ipoque_int_pando_add_connection(ipoque_struct);
return 1;
end_pando_maybe_found:
return 2;
end_pando_nothing_found:
return 0;
}
static inline void ipoque_int_search_thunder_http(struct ipoque_detection_module_struct
*ipoque_struct)
{
struct ipoque_packet_struct *packet = &ipoque_struct->packet;
struct ipoque_id_struct *src = ipoque_struct->src;
struct ipoque_id_struct *dst = ipoque_struct->dst;
if (packet->detected_protocol == IPOQUE_PROTOCOL_THUNDER) {
if (src != NULL && ((IPOQUE_TIMESTAMP_COUNTER_SIZE)
(packet->tick_timestamp - src->thunder_ts) < ipoque_struct->thunder_timeout)) {
IPQ_LOG(IPOQUE_PROTOCOL_THUNDER, ipoque_struct, IPQ_LOG_DEBUG,
"thunder : save src connection packet detected\n");
src->thunder_ts = packet->tick_timestamp;
} else if (dst != NULL && ((IPOQUE_TIMESTAMP_COUNTER_SIZE)
(packet->tick_timestamp - dst->thunder_ts) < ipoque_struct->thunder_timeout)) {
IPQ_LOG(IPOQUE_PROTOCOL_THUNDER, ipoque_struct, IPQ_LOG_DEBUG,
"thunder : save dst connection packet detected\n");
dst->thunder_ts = packet->tick_timestamp;
}
return;
}
if (packet->payload_packet_len > 5
&& memcmp(packet->payload, "GET /", 5) == 0 && IPQ_SRC_OR_DST_HAS_PROTOCOL(src, dst, IPOQUE_PROTOCOL_THUNDER)) {
IPQ_LOG(IPOQUE_PROTOCOL_THUNDER, ipoque_struct, IPQ_LOG_DEBUG, "HTTP packet detected.\n");
ipq_parse_packet_line_info(ipoque_struct);
if (packet->parsed_lines > 7
&& packet->parsed_lines < 11
&& packet->line[1].len > 10
&& ipq_mem_cmp(packet->line[1].ptr, "Accept: */*", 11) == 0
&& packet->line[2].len > 22
&& ipq_mem_cmp(packet->line[2].ptr, "Cache-Control: no-cache",
23) == 0 && packet->line[3].len > 16
&& ipq_mem_cmp(packet->line[3].ptr, "Connection: close", 17) == 0
&& packet->line[4].len > 6
&& ipq_mem_cmp(packet->line[4].ptr, "Host: ", 6) == 0
&& packet->line[5].len > 15
&& ipq_mem_cmp(packet->line[5].ptr, "Pragma: no-cache", 16) == 0
&& packet->user_agent_line.ptr != NULL
&& packet->user_agent_line.len > 49
&& ipq_mem_cmp(packet->user_agent_line.ptr,
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)", 50) == 0) {
IPQ_LOG(IPOQUE_PROTOCOL_THUNDER, ipoque_struct, IPQ_LOG_DEBUG,
"Thunder HTTP download detected, adding flow.\n");
ipoque_int_thunder_add_connection(ipoque_struct);
}
}
}
static void ipoque_int_directconnect_add_connection(struct ipoque_detection_module_struct
*ipoque_struct, const u8 connection_type)
{
struct ipoque_packet_struct *packet = &ipoque_struct->packet;
struct ipoque_flow_struct *flow = ipoque_struct->flow;
struct ipoque_id_struct *src = ipoque_struct->src;
struct ipoque_id_struct *dst = ipoque_struct->dst;
ipoque_int_add_connection(ipoque_struct, IPOQUE_PROTOCOL_DIRECTCONNECT, IPOQUE_REAL_PROTOCOL);
if (src != NULL) {
src->directconnect_last_safe_access_time = packet->tick_timestamp;
if (connection_type == DIRECT_CONNECT_TYPE_PEER) {
if (packet->tcp != NULL
&& flow->setup_packet_direction != packet->packet_direction && src->detected_directconnect_port == 0) {
src->detected_directconnect_port = packet->tcp->source;
IPQ_LOG(IPOQUE_PROTOCOL_DIRECTCONNECT, ipoque_struct,
IPQ_LOG_DEBUG, "directconnect tcp PORT %u for src\n", ntohs(src->detected_directconnect_port));
}
if (packet->udp != NULL && src->detected_directconnect_udp_port == 0) {
src->detected_directconnect_udp_port = packet->udp->source;
IPQ_LOG(IPOQUE_PROTOCOL_DIRECTCONNECT, ipoque_struct,
IPQ_LOG_DEBUG, "directconnect udp PORT %u for src\n", ntohs(src->detected_directconnect_port));
}
}
}
if (dst != NULL) {
dst->directconnect_last_safe_access_time = packet->tick_timestamp;
if (connection_type == DIRECT_CONNECT_TYPE_PEER) {
if (packet->tcp != NULL
&& flow->setup_packet_direction == packet->packet_direction && dst->detected_directconnect_port == 0) {
/* DST PORT MARKING CAN LEAD TO PORT MISSDETECTIONS
* seen at large customer http servers, where someone has send faked DC tcp packets
* to the server
*/
/*
dst->detected_directconnect_port = packet->tcp->dest;
IPQ_LOG (IPOQUE_PROTOCOL_DIRECTCONNECT, ipoque_struct,
IPQ_LOG_DEBUG, "directconnect tcp PORT %u for dst\n",
ntohs (dst->detected_directconnect_port));
*/
}
}
}
}
void ipoque_search_maplestory(struct ipoque_detection_module_struct *ipoque_struct)
{
struct ipoque_packet_struct *packet = &ipoque_struct->packet;
struct ipoque_flow_struct *flow = ipoque_struct->flow;
// struct ipoque_id_struct *src=ipoque_struct->src;
// struct ipoque_id_struct *dst=ipoque_struct->dst;
if (packet->payload_packet_len == 16
&& (ntohl(get_u32(packet->payload, 0)) == 0x0e003a00 || ntohl(get_u32(packet->payload, 0)) == 0x0e003b00
|| ntohl(get_u32(packet->payload, 0)) == 0x0e004200)
&& ntohs(get_u16(packet->payload, 4)) == 0x0100 && (packet->payload[6] == 0x32 || packet->payload[6] == 0x33)) {
IPQ_LOG(IPOQUE_PROTOCOL_MAPLESTORY, ipoque_struct, IPQ_LOG_DEBUG, "found maplestory.\n");
ipoque_int_maplestory_add_connection(ipoque_struct, IPOQUE_REAL_PROTOCOL);
return;
}
if (packet->payload_packet_len > IPQ_STATICSTRING_LEN("GET /maple")
&& memcmp(packet->payload, "GET /maple", IPQ_STATICSTRING_LEN("GET /maple")) == 0) {
ipq_parse_packet_line_info(ipoque_struct);
/* Maplestory update */
if (packet->payload_packet_len > IPQ_STATICSTRING_LEN("GET /maple/patch")
&& packet->payload[IPQ_STATICSTRING_LEN("GET /maple")] == '/') {
if (packet->user_agent_line.ptr != NULL && packet->host_line.ptr != NULL
&& packet->user_agent_line.len == IPQ_STATICSTRING_LEN("Patcher")
&& packet->host_line.len > IPQ_STATICSTRING_LEN("patch.")
&& memcmp(&packet->payload[IPQ_STATICSTRING_LEN("GET /maple/")], "patch",
IPQ_STATICSTRING_LEN("patch")) == 0
&& memcmp(packet->user_agent_line.ptr, "Patcher", IPQ_STATICSTRING_LEN("Patcher")) == 0
&& memcmp(packet->host_line.ptr, "patch.", IPQ_STATICSTRING_LEN("patch.")) == 0) {
IPQ_LOG(IPOQUE_PROTOCOL_MAPLESTORY, ipoque_struct, IPQ_LOG_DEBUG, "found maplestory update.\n");
ipoque_int_maplestory_add_connection(ipoque_struct, IPOQUE_CORRELATED_PROTOCOL);
return;
}
} else if (packet->user_agent_line.ptr != NULL && packet->user_agent_line.len == IPQ_STATICSTRING_LEN("AspINet")
&& memcmp(&packet->payload[IPQ_STATICSTRING_LEN("GET /maple")], "story/",
IPQ_STATICSTRING_LEN("story/")) == 0
&& memcmp(packet->user_agent_line.ptr, "AspINet", IPQ_STATICSTRING_LEN("AspINet")) == 0) {
IPQ_LOG(IPOQUE_PROTOCOL_MAPLESTORY, ipoque_struct, IPQ_LOG_DEBUG, "found maplestory update.\n");
ipoque_int_maplestory_add_connection(ipoque_struct, IPOQUE_CORRELATED_PROTOCOL);
return;
}
}
IPQ_LOG(IPOQUE_PROTOCOL_MAPLESTORY, ipoque_struct, IPQ_LOG_DEBUG, "exclude maplestory.\n");
IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_MAPLESTORY);
}
void ipoque_search_filetopia_tcp(struct ipoque_detection_module_struct
*ipoque_struct)
{
struct ipoque_packet_struct *packet = &ipoque_struct->packet;
struct ipoque_flow_struct *flow = ipoque_struct->flow;
// struct ipoque_id_struct *src=ipoque_struct->src;
// struct ipoque_id_struct *dst=ipoque_struct->dst;
if (flow->filetopia_stage == 0) {
if (packet->payload_packet_len >= 50 && packet->payload_packet_len <= 70
&& packet->payload[0] == 0x03 && packet->payload[1] == 0x9a
&& packet->payload[3] == 0x22 && packet->payload[packet->payload_packet_len - 1] == 0x2b) {
IPQ_LOG(IPOQUE_PROTOCOL_FILETOPIA, ipoque_struct, IPQ_LOG_DEBUG, "Filetopia stage 1 detected\n");
flow->filetopia_stage = 1;
return;
}
} else if (flow->filetopia_stage == 1) {
if (packet->payload_packet_len >= 100 && packet->payload[0] == 0x03
&& packet->payload[1] == 0x9a && (packet->payload[3] == 0x22 || packet->payload[3] == 0x23)) {
int i;
for (i = 0; i < 10; i++) { // check 10 bytes for valid ASCII printable characters
if (!(packet->payload[5 + i] >= 0x20 && packet->payload[5 + i] <= 0x7e)) {
goto end_filetopia_nothing_found;
}
}
IPQ_LOG(IPOQUE_PROTOCOL_FILETOPIA, ipoque_struct, IPQ_LOG_DEBUG, "Filetopia stage 2 detected\n");
flow->filetopia_stage = 2;
return;
}
} else if (flow->filetopia_stage == 2) {
if (packet->payload_packet_len >= 4 && packet->payload_packet_len <= 100
&& packet->payload[0] == 0x03 && packet->payload[1] == 0x9a
&& (packet->payload[3] == 0x22 || packet->payload[3] == 0x23)) {
IPQ_LOG(IPOQUE_PROTOCOL_FILETOPIA, ipoque_struct, IPQ_LOG_DEBUG, "Filetopia detected\n");
ipoque_int_filetopia_add_connection(ipoque_struct);
return;
}
}
end_filetopia_nothing_found:
IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_FILETOPIA);
}
void ipoque_search_mysql_tcp(struct ipoque_detection_module_struct *ipoque_struct)
{
struct ipoque_packet_struct *packet = &ipoque_struct->packet;
struct ipoque_flow_struct *flow = ipoque_struct->flow;
// struct ipoque_id_struct *src=ipoque_struct->src;
// struct ipoque_id_struct *dst=ipoque_struct->dst;
if (packet->payload_packet_len > 37 //min length
&& get_u16(packet->payload, 0) == packet->payload_packet_len - 4 //first 3 bytes are length
&& get_u8(packet->payload, 2) == 0x00 //3rd byte of packet length
&& get_u8(packet->payload, 3) == 0x00 //packet sequence number is 0 for startup packet
&& get_u8(packet->payload, 5) > 0x30 //server version > 0
&& get_u8(packet->payload, 5) < 0x37 //server version < 7
&& get_u8(packet->payload, 6) == 0x2e //dot
) {
u32 a;
for (a = 7; a + 31 < packet->payload_packet_len; a++) {
if (packet->payload[a] == 0x00) {
if (get_u8(packet->payload, a + 13) == 0x00 //filler byte
&& get_u64(packet->payload, a + 19) == 0x0ULL //13 more
&& get_u32(packet->payload, a + 27) == 0x0 //filler bytes
&& get_u8(packet->payload, a + 31) == 0x0) {
IPQ_LOG(IPOQUE_PROTOCOL_MYSQL, ipoque_struct, IPQ_LOG_DEBUG, "MySQL detected.\n");
ipoque_int_mysql_add_connection(ipoque_struct);
return;
}
break;
}
}
}
IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_MYSQL);
}
void ipoque_search_oscar(struct ipoque_detection_module_struct *ipoque_struct)
{
struct ipoque_packet_struct *packet = &ipoque_struct->packet;
if (packet->tcp != NULL) {
IPQ_LOG(IPOQUE_PROTOCOL_OSCAR, ipoque_struct, IPQ_LOG_DEBUG, "OSCAR :: TCP\n");
ipoque_search_oscar_tcp_connect(ipoque_struct);
}
}
u8 search_manolito_tcp(struct ipoque_detection_module_struct *ipoque_struct)
{
struct ipoque_packet_struct *packet = &ipoque_struct->packet;
struct ipoque_flow_struct *flow = ipoque_struct->flow;
// struct ipoque_id_struct *src = ipoque_struct->src;
// struct ipoque_id_struct *dst = ipoque_struct->dst;
IPQ_LOG(IPOQUE_PROTOCOL_MANOLITO, ipoque_struct, IPQ_LOG_DEBUG, "MANOLITO TCP DETECTION\n");
if (flow->l4.tcp.manolito_stage == 0 && packet->payload_packet_len > 6) {
if (ipq_mem_cmp(packet->payload, "SIZ ", 4) != 0)
goto end_manolito_nothing_found;
flow->l4.tcp.manolito_stage = 1 + packet->packet_direction;
IPQ_LOG(IPOQUE_PROTOCOL_MANOLITO, ipoque_struct, IPQ_LOG_DEBUG, "MANOLITO Stage 1.\n");
goto end_manolito_maybe_hit;
} else if ((flow->l4.tcp.manolito_stage == 2 - packet->packet_direction)
&& packet->payload_packet_len > 4) {
if (ipq_mem_cmp(packet->payload, "STR ", 4) != 0)
goto end_manolito_nothing_found;
IPQ_LOG(IPOQUE_PROTOCOL_MANOLITO, ipoque_struct, IPQ_LOG_DEBUG, "MANOLITO Stage 2.\n");
flow->l4.tcp.manolito_stage = 3 + packet->packet_direction;
goto end_manolito_maybe_hit;
} else if ((flow->l4.tcp.manolito_stage == 4 - packet->packet_direction) && packet->payload_packet_len > 5) {
if (ipq_mem_cmp(packet->payload, "MD5 ", 4) != 0)
goto end_manolito_nothing_found;
IPQ_LOG(IPOQUE_PROTOCOL_MANOLITO, ipoque_struct, IPQ_LOG_DEBUG, "MANOLITO Stage 3.\n");
flow->l4.tcp.manolito_stage = 5 + packet->packet_direction;
goto end_manolito_maybe_hit;
} else if ((flow->l4.tcp.manolito_stage == 6 - packet->packet_direction) && packet->payload_packet_len == 4) {
if (ipq_mem_cmp(packet->payload, "GO!!", 4) != 0)
goto end_manolito_nothing_found;
IPQ_LOG(IPOQUE_PROTOCOL_MANOLITO, ipoque_struct, IPQ_LOG_DEBUG, "MANOLITO Stage 4.\n");
goto end_manolito_found;
}
//IPQ_LOG(IPOQUE_PROTOCOL_MANOLITO,ipoque_struct, IPQ_LOG_DEBUG, "MANOLITO FLOW STAGE %d\n", flow->l4.tcp.manolito_stage);
goto end_manolito_nothing_found;
end_manolito_found:
IPQ_LOG(IPOQUE_PROTOCOL_MANOLITO, ipoque_struct, IPQ_LOG_DEBUG, "MANOLITO FOUND\n");
ipoque_int_manolito_add_connection(ipoque_struct);
return 1;
end_manolito_maybe_hit:
IPQ_LOG(IPOQUE_PROTOCOL_MANOLITO, ipoque_struct, IPQ_LOG_DEBUG, "MANOLITO maybe hit.\n");
return 2;
end_manolito_nothing_found:
IPQ_LOG(IPOQUE_PROTOCOL_MANOLITO, ipoque_struct, IPQ_LOG_DEBUG, "MANOLITO NOTHING FOUND\n");
return 0;
}
static void realmedia_parse_packet_contentline(struct ipoque_detection_module_struct
*ipoque_struct)
{
struct ipoque_packet_struct *packet = &ipoque_struct->packet;
if (packet->content_line.len >= 20 && memcmp(packet->content_line.ptr, "audio/x-pn-realaudio", 20) == 0) {
IPQ_LOG(IPOQUE_PROTOCOL_REALMEDIA, ipoque_struct, IPQ_LOG_DEBUG,
"REALMEDIA: Content-Type: audio/x-pn-realaudio found.\n");
ipoque_int_http_add_connection(ipoque_struct, IPOQUE_PROTOCOL_REALMEDIA);
return;
}
if (packet->content_line.len >= 28 && memcmp(packet->content_line.ptr, "application/vnd.rn-realmedia", 28) == 0) {
IPQ_LOG(IPOQUE_PROTOCOL_REALMEDIA, ipoque_struct, IPQ_LOG_DEBUG,
"REALMEDIA: Content-Type: application/vnd.rn-realmedia found.\n");
ipoque_int_http_add_connection(ipoque_struct, IPOQUE_PROTOCOL_REALMEDIA);
return;
}
}
static void winmedia_parse_packet_useragentline(struct ipoque_detection_module_struct
*ipoque_struct)
{
if (ipoque_struct->packet.user_agent_line.len >= 9
&& memcmp(ipoque_struct->packet.user_agent_line.ptr, "NSPlayer/", 9) == 0) {
IPQ_LOG(IPOQUE_PROTOCOL_WINDOWSMEDIA, ipoque_struct, IPQ_LOG_DEBUG, "username NSPlayer found\n");
ipoque_int_http_add_connection(ipoque_struct, IPOQUE_PROTOCOL_WINDOWSMEDIA);
}
}
void ipoque_search_mms_tcp(struct ipoque_detection_module_struct *ipoque_struct)
{
struct ipoque_packet_struct *packet = &ipoque_struct->packet;
struct ipoque_flow_struct *flow = ipoque_struct->flow;
// struct ipoque_id_struct *src=ipoque_struct->src;
// struct ipoque_id_struct *dst=ipoque_struct->dst;
/* search MSMMS packets */
if (packet->payload_packet_len >= 20) {
if (flow->l4.tcp.mms_stage == 0 && packet->payload[4] == 0xce
&& packet->payload[5] == 0xfa && packet->payload[6] == 0x0b
&& packet->payload[7] == 0xb0 && packet->payload[12] == 0x4d
&& packet->payload[13] == 0x4d && packet->payload[14] == 0x53 && packet->payload[15] == 0x20) {
IPQ_LOG(IPOQUE_PROTOCOL_MMS, ipoque_struct, IPQ_LOG_DEBUG, "MMS: MSMMS Request found \n");
flow->l4.tcp.mms_stage = 1 + packet->packet_direction;
return;
}
if (flow->l4.tcp.mms_stage == 2 - packet->packet_direction
&& packet->payload[4] == 0xce && packet->payload[5] == 0xfa
&& packet->payload[6] == 0x0b && packet->payload[7] == 0xb0
&& packet->payload[12] == 0x4d && packet->payload[13] == 0x4d
&& packet->payload[14] == 0x53 && packet->payload[15] == 0x20) {
IPQ_LOG(IPOQUE_PROTOCOL_MMS, ipoque_struct, IPQ_LOG_DEBUG, "MMS: MSMMS Response found \n");
ipoque_int_mms_add_connection(ipoque_struct);
return;
}
}
#ifdef IPOQUE_PROTOCOL_HTTP
if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_HTTP) != 0) {
#endif /* IPOQUE_PROTOCOL_HTTP */
IPQ_LOG(IPOQUE_PROTOCOL_MMS, ipoque_struct, IPQ_LOG_DEBUG, "MMS: exclude\n");
IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_MMS);
#ifdef IPOQUE_PROTOCOL_HTTP
} else {
IPQ_LOG(IPOQUE_PROTOCOL_MMS, ipoque_struct, IPQ_LOG_DEBUG, "MMS avoid early exclude from http\n");
}
#endif /* IPOQUE_PROTOCOL_HTTP */
}
static void rtsp_parse_packet_acceptline(struct ipoque_detection_module_struct
*ipoque_struct)
{
struct ipoque_packet_struct *packet = &ipoque_struct->packet;
if (packet->accept_line.len >= 28 && memcmp(packet->accept_line.ptr, "application/x-rtsp-tunnelled", 28) == 0) {
IPQ_LOG(IPOQUE_PROTOCOL_RTSP, ipoque_struct, IPQ_LOG_DEBUG, "RTSP accept line detected\n");
ipoque_int_http_add_connection(ipoque_struct, IPOQUE_PROTOCOL_RTSP);
}
}
static void ipoque_search_sopcast_tcp(struct ipoque_detection_module_struct
*ipoque_struct)
{
struct ipoque_packet_struct *packet = &ipoque_struct->packet;
struct ipoque_flow_struct *flow = ipoque_struct->flow;
if (flow->packet_counter == 1 && packet->payload_packet_len == 54 && get_u16(packet->payload, 0) == ntohs(0x0036)) {
if (ipoque_int_is_sopcast_tcp(packet->payload, packet->payload_packet_len)) {
IPQ_LOG(IPOQUE_PROTOCOL_SOPCAST, ipoque_struct, IPQ_LOG_DEBUG, "found sopcast TCP \n");
ipoque_int_sopcast_add_connection(ipoque_struct);
return;
}
}
IPQ_LOG(IPOQUE_PROTOCOL_SOPCAST, ipoque_struct, IPQ_LOG_DEBUG, "exclude sopcast TCP. \n");
IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_SOPCAST);
}
static void off_parse_packet_contentline(struct ipoque_detection_module_struct
*ipoque_struct)
{
struct ipoque_packet_struct *packet = &ipoque_struct->packet;
if (packet->content_line.len >= 4 && memcmp(packet->content_line.ptr, "off/", 4) == 0) {
IPQ_LOG(IPOQUE_PROTOCOL_OFF, ipoque_struct, IPQ_LOG_DEBUG, "off: Content-Type: off/ found\n");
ipoque_int_http_add_connection(ipoque_struct, IPOQUE_PROTOCOL_OFF);
}
}
static void xbox_parse_packet_useragentline(struct ipoque_detection_module_struct
*ipoque_struct)
{
struct ipoque_packet_struct *packet = &ipoque_struct->packet;
if (packet->user_agent_line.len >= 17 && memcmp(packet->user_agent_line.ptr, "Xbox Live Client/", 17) == 0) {
IPQ_LOG(IPOQUE_PROTOCOL_XBOX, ipoque_struct, IPQ_LOG_DEBUG, "XBOX: User Agent: Xbox Live Client found\n");
ipoque_int_http_add_connection(ipoque_struct, IPOQUE_PROTOCOL_XBOX);
}
}
static void mms_parse_packet_contentline(struct ipoque_detection_module_struct
*ipoque_struct)
{
struct ipoque_packet_struct *packet = &ipoque_struct->packet;
if (packet->content_line.len >= 24 && ipq_mem_cmp(packet->content_line.ptr, "application/x-mms-framed", 24) == 0) {
IPQ_LOG(IPOQUE_PROTOCOL_MMS, ipoque_struct, IPQ_LOG_DEBUG,
"MMS: Content-Type: application/x-mms-framed found\n");
ipoque_int_http_add_connection(ipoque_struct, IPOQUE_PROTOCOL_MMS);
}
}
static void avi_check_http_payload(struct ipoque_detection_module_struct *ipoque_struct)
{
struct ipoque_packet_struct *packet = &ipoque_struct->packet;
struct ipoque_flow_struct *flow = ipoque_struct->flow;
IPQ_LOG(IPOQUE_PROTOCOL_AVI, ipoque_struct, IPQ_LOG_DEBUG, "called avi_check_http_payload: %u %u %u\n",
packet->empty_line_position_set, flow->l4.tcp.http_empty_line_seen, packet->empty_line_position);
if (packet->empty_line_position_set == 0 && flow->l4.tcp.http_empty_line_seen == 0)
return;
if (packet->empty_line_position_set != 0 && ((packet->empty_line_position + 20) > (packet->payload_packet_len))
&& flow->l4.tcp.http_empty_line_seen == 0) {
flow->l4.tcp.http_empty_line_seen = 1;
return;
}
if (flow->l4.tcp.http_empty_line_seen == 1) {
if (packet->payload_packet_len > 20 && memcmp(packet->payload, "RIFF", 4) == 0
&& memcmp(packet->payload + 8, "AVI LIST", 8) == 0) {
IPQ_LOG(IPOQUE_PROTOCOL_AVI, ipoque_struct, IPQ_LOG_DEBUG, "Avi content in http detected\n");
ipoque_int_http_add_connection(ipoque_struct, IPOQUE_PROTOCOL_AVI);
}
flow->l4.tcp.http_empty_line_seen = 0;
return;
}
if (packet->empty_line_position_set != 0) {
// check for avi header
// for reference see http://msdn.microsoft.com/archive/default.asp?url=/archive/en-us/directx9_c/directx/htm/avirifffilereference.asp
u32 p = packet->empty_line_position + 2;
IPQ_LOG(IPOQUE_PROTOCOL_AVI, ipoque_struct, IPQ_LOG_DEBUG, "p = %u\n", p);
if ((p + 16) <= packet->payload_packet_len && memcmp(&packet->payload[p], "RIFF", 4) == 0
&& memcmp(&packet->payload[p + 8], "AVI LIST", 8) == 0) {
IPQ_LOG(IPOQUE_PROTOCOL_AVI, ipoque_struct, IPQ_LOG_DEBUG, "Avi content in http detected\n");
ipoque_int_http_add_connection(ipoque_struct, IPOQUE_PROTOCOL_AVI);
}
}
}
static void ogg_parse_packet_contentline(struct ipoque_detection_module_struct
*ipoque_struct)
{
struct ipoque_packet_struct *packet = &ipoque_struct->packet;
if (packet->content_line.len >= 9 && memcmp(packet->content_line.ptr, "audio/ogg", 9) == 0) {
IPQ_LOG(IPOQUE_PROTOCOL_OGG, ipoque_struct, IPQ_LOG_DEBUG, "OGG: Content-Type: audio/ogg found.\n");
ipoque_int_http_add_connection(ipoque_struct, IPOQUE_PROTOCOL_OGG);
return;
}
if (packet->content_line.len >= 9 && memcmp(packet->content_line.ptr, "video/ogg", 9) == 0) {
IPQ_LOG(IPOQUE_PROTOCOL_OGG, ipoque_struct, IPQ_LOG_DEBUG, "OGG: Content-Type: video/ogg found.\n");
ipoque_int_http_add_connection(ipoque_struct, IPOQUE_PROTOCOL_OGG);
return;
}
if (packet->content_line.len >= 15 && memcmp(packet->content_line.ptr, "application/ogg", 15) == 0) {
IPQ_LOG(IPOQUE_PROTOCOL_OGG, ipoque_struct, IPQ_LOG_DEBUG, "OGG: content-type: application/ogg found.\n");
ipoque_int_http_add_connection(ipoque_struct, IPOQUE_PROTOCOL_OGG);
return;
}
}
void ipoque_search_openft_tcp(struct ipoque_detection_module_struct
*ipoque_struct)
{
struct ipoque_packet_struct *packet = &ipoque_struct->packet;
struct ipoque_flow_struct *flow = ipoque_struct->flow;
// struct ipoque_id_struct *src=ipoque_struct->src;
// struct ipoque_id_struct *dst=ipoque_struct->dst;
if (packet->payload_packet_len > 5 && memcmp(packet->payload, "GET /", 5) == 0) {
IPQ_LOG(IPOQUE_PROTOCOL_OPENFT, ipoque_struct, IPQ_LOG_DEBUG, "HTTP packet detected.\n");
ipq_parse_packet_line_info(ipoque_struct);
if (packet->parsed_lines >= 2
&& packet->line[1].len > 13 && ipq_mem_cmp(packet->line[1].ptr, "X-OpenftAlias:", 14) == 0) {
IPQ_LOG(IPOQUE_PROTOCOL_OPENFT, ipoque_struct, IPQ_LOG_DEBUG, "OpenFT detected.\n");
ipoque_int_openft_add_connection(ipoque_struct);
return;
}
}
IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_OPENFT);
}
static void move_parse_packet_contentline(struct ipoque_detection_module_struct
*ipoque_struct)
{
struct ipoque_packet_struct *packet = &ipoque_struct->packet;
if (packet->content_line.len == 15
&& (memcmp(packet->content_line.ptr, "application/qmx", 15) == 0
|| memcmp(packet->content_line.ptr, "application/qss", 15) == 0)) {
IPQ_LOG(IPOQUE_PROTOCOL_MOVE, ipoque_struct, IPQ_LOG_DEBUG, "MOVE application qmx or qss detected\n");
ipoque_int_http_add_connection(ipoque_struct, IPOQUE_PROTOCOL_MOVE);
}
}
static void check_http_payload(struct ipoque_detection_module_struct *ipoque_struct)
{
IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "called check_http_payload.\n");
#ifdef IPOQUE_PROTOCOL_FLASH
if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(ipoque_struct->detection_bitmask, IPOQUE_PROTOCOL_FLASH) != 0)
flash_check_http_payload(ipoque_struct);
#endif
#ifdef IPOQUE_PROTOCOL_AVI
if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(ipoque_struct->detection_bitmask, IPOQUE_PROTOCOL_AVI) != 0)
avi_check_http_payload(ipoque_struct);
#endif
}
void ipoque_search_tvants_udp(struct ipoque_detection_module_struct
*ipoque_struct)
{
struct ipoque_packet_struct *packet = &ipoque_struct->packet;
struct ipoque_flow_struct *flow = ipoque_struct->flow;
// struct ipoque_id_struct *src=ipoque_struct->src;
// struct ipoque_id_struct *dst=ipoque_struct->dst;
IPQ_LOG(IPOQUE_PROTOCOL_TVANTS, ipoque_struct, IPQ_LOG_DEBUG, "search tvants. \n");
if (packet->udp != NULL && packet->payload_packet_len > 57
&& packet->payload[0] == 0x04 && packet->payload[1] == 0x00
&& (packet->payload[2] == 0x05 || packet->payload[2] == 0x06
|| packet->payload[2] == 0x07) && packet->payload[3] == 0x00
&& packet->payload_packet_len == (packet->payload[5] << 8) + packet->payload[4]
&& packet->payload[6] == 0x00 && packet->payload[7] == 0x00
&& (memcmp(&packet->payload[48], "TVANTS", 6) == 0
|| memcmp(&packet->payload[49], "TVANTS", 6) == 0 || memcmp(&packet->payload[51], "TVANTS", 6) == 0)) {
IPQ_LOG(IPOQUE_PROTOCOL_TVANTS, ipoque_struct, IPQ_LOG_DEBUG, "found tvants over udp. \n");
ipoque_int_tvants_add_connection(ipoque_struct);
} else if (packet->tcp != NULL && packet->payload_packet_len > 15
&& packet->payload[0] == 0x04 && packet->payload[1] == 0x00
&& packet->payload[2] == 0x07 && packet->payload[3] == 0x00
&& packet->payload_packet_len == (packet->payload[5] << 8) + packet->payload[4]
&& packet->payload[6] == 0x00 && packet->payload[7] == 0x00
&& memcmp(&packet->payload[8], "TVANTS", 6) == 0) {
IPQ_LOG(IPOQUE_PROTOCOL_TVANTS, ipoque_struct, IPQ_LOG_DEBUG, "found tvants over tcp. \n");
ipoque_int_tvants_add_connection(ipoque_struct);
}
IPQ_LOG(IPOQUE_PROTOCOL_TVANTS, ipoque_struct, IPQ_LOG_DEBUG, "exclude tvants. \n");
IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_TVANTS);
}
void ipoque_search_afp(struct ipoque_detection_module_struct *ipoque_struct)
{
struct ipoque_packet_struct *packet = &ipoque_struct->packet;
struct ipoque_flow_struct *flow = ipoque_struct->flow;
// struct ipoque_id_struct *src = ipoque_struct->src;
// struct ipoque_id_struct *dst = ipoque_struct->dst;
/*
* this will detect the OpenSession command of the Data Stream Interface (DSI) protocol
* which is exclusively used by the Apple Filing Protocol (AFP) on TCP/IP networks
*/
if (packet->payload_packet_len >= 22 && get_u16(packet->payload, 0) == htons(0x0004) &&
get_u16(packet->payload, 2) == htons(0x0001) && get_u32(packet->payload, 4) == 0 &&
get_u32(packet->payload, 8) == htonl(packet->payload_packet_len - 16) &&
get_u32(packet->payload, 12) == 0 && get_u16(packet->payload, 16) == htons(0x0104)) {
IPQ_LOG(IPOQUE_PROTOCOL_AFP, ipoque_struct, IPQ_LOG_DEBUG, "AFP: DSI OpenSession detected.\n");
ipoque_int_afp_add_connection(ipoque_struct);
return;
}
/*
* detection of GetStatus command of DSI protocl
*/
if (packet->payload_packet_len >= 18 && get_u16(packet->payload, 0) == htons(0x0003) &&
get_u16(packet->payload, 2) == htons(0x0001) && get_u32(packet->payload, 4) == 0 &&
get_u32(packet->payload, 8) == htonl(packet->payload_packet_len - 16) &&
get_u32(packet->payload, 12) == 0 && get_u16(packet->payload, 16) == htons(0x0f00)) {
IPQ_LOG(IPOQUE_PROTOCOL_AFP, ipoque_struct, IPQ_LOG_DEBUG, "AFP: DSI GetStatus detected.\n");
ipoque_int_afp_add_connection(ipoque_struct);
return;
}
IPQ_LOG(IPOQUE_PROTOCOL_AFP, ipoque_struct, IPQ_LOG_DEBUG, "AFP excluded.\n");
IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_AFP);
}
void ipoque_search_mssql(struct ipoque_detection_module_struct
*ipoque_struct)
{
struct ipoque_packet_struct *packet = &ipoque_struct->packet;
struct ipoque_flow_struct *flow = ipoque_struct->flow;
IPQ_LOG(IPOQUE_PROTOCOL_MSSQL, ipoque_struct, IPQ_LOG_DEBUG, "search mssql.\n");
if (packet->payload_packet_len > 51 && ntohs(get_u32(packet->payload, 0)) == 0x1201
&& ntohs(get_u16(packet->payload, 2)) == packet->payload_packet_len
&& ntohl(get_u32(packet->payload, 4)) == 0x00000100 && memcmp(&packet->payload[41], "sqlexpress", 10) == 0) {
IPQ_LOG(IPOQUE_PROTOCOL_MSSQL, ipoque_struct, IPQ_LOG_DEBUG, "found mssql.\n");
ipoque_int_mssql_add_connection(ipoque_struct);
return;
}
IPQ_LOG(IPOQUE_PROTOCOL_MSSQL, ipoque_struct, IPQ_LOG_DEBUG, "exclude mssql.\n");
IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_MSSQL);
}
static void qt_parse_packet_contentline(struct ipoque_detection_module_struct
*ipoque_struct)
{
struct ipoque_packet_struct *packet = &ipoque_struct->packet;
if (packet->content_line.len >= 15 && memcmp(packet->content_line.ptr, "video/quicktime", 15) == 0) {
IPQ_LOG(IPOQUE_PROTOCOL_QUICKTIME, ipoque_struct, IPQ_LOG_DEBUG,
"QUICKTIME: Content-Type: video/quicktime found.\n");
ipoque_int_http_add_connection(ipoque_struct, IPOQUE_PROTOCOL_QUICKTIME);
return;
}
if (packet->content_line.len >= 9 && memcmp(packet->content_line.ptr, "video/mp4", 9) == 0) {
IPQ_LOG(IPOQUE_PROTOCOL_QUICKTIME, ipoque_struct, IPQ_LOG_DEBUG, "QUICKTIME: Content-Type: video/mp4 found.\n");
ipoque_int_http_add_connection(ipoque_struct, IPOQUE_PROTOCOL_QUICKTIME);
return;
}
if (packet->content_line.len >= 11 && memcmp(packet->content_line.ptr, "video/x-m4v", 11) == 0) {
IPQ_LOG(IPOQUE_PROTOCOL_QUICKTIME, ipoque_struct, IPQ_LOG_DEBUG,
"QUICKTIME: Content-Type: video/x-m4v found.\n");
ipoque_int_http_add_connection(ipoque_struct, IPOQUE_PROTOCOL_QUICKTIME);
return;
}
}
