Example #1
0
static int
process_smtp_client(struct smtp_info *smtp, char *data, int len)
{
	struct buf *line, *body, buf;
	char *p;
	int i;

	buf_init(&buf, data, len);
	
	if (smtp->state != SMTP_DATA) {
		while ((i = buf_index(&buf, "\r\n", 2)) >= 0) {
			line = buf_tok(&buf, NULL, i + 2);
			line->base[line->end-1] = '\0';
			p = buf_ptr(line);
			
			if (strncasecmp(p, "RSET", 4) == 0) {
				smtp->state = SMTP_HELO;
			}
			else if (smtp->state == SMTP_NONE &&
				 (strncasecmp(p, "HELO", 4) == 0 ||
				  strncasecmp(p, "EHLO", 4) == 0)) {
				smtp->state = SMTP_HELO;
			}
			else if (smtp->state == SMTP_HELO &&
				 (strncasecmp(p, "MAIL ", 5) == 0 ||
				  strncasecmp(p, "SEND ", 5) == 0 ||
				  strncasecmp(p, "SAML ", 5) == 0)) {
				smtp->from = grep_mail_address(p);
				smtp->state = SMTP_MAIL;
			}
			else if (smtp->state == SMTP_MAIL &&
				 strncasecmp(p, "RCPT ", 5) == 0) {
				smtp->state = SMTP_RCPT;
			}
			else if (smtp->state == SMTP_RCPT &&
				 strncasecmp(p, "DATA", 4) == 0) {
				smtp->state = SMTP_DATA;
				break;
			}
		}
	}
	if (smtp->state == SMTP_DATA) {
		if ((i = buf_index(&buf, "\r\n.\r\n", 5)) >= 0) {
			body = buf_tok(&buf, NULL, i);
			buf_skip(&buf, 5);
			body->base[body->end] = '\0';
			
			if (regex_match(buf_ptr(body)))
				print_mbox_msg(smtp->from, buf_ptr(body));
			
			if (smtp->from) {
				free(smtp->from);
				smtp->from = NULL;
			}
			smtp->state = SMTP_HELO;
		}
	}
	return (len - buf_len(&buf));
}
Example #2
0
int
decode_vrrp(u_char *buf, int len, u_char *obuf, int olen)
{
	struct buf *b, inbuf, outbuf;
	struct vrrp_header *vrrp;

	buf_init(&inbuf, buf, len);
	buf_init(&outbuf, obuf, olen);
	
	vrrp = (struct vrrp_header *)buf_ptr(&inbuf);
	
	if (buf_len(&inbuf) < sizeof(*vrrp))
		return (0);
	
	/* We only care about VRRP_AUTH_SIMPLE */
	if (ntohs(vrrp->vr_auth) != VRRP_AUTH_SIMPLE)
		return (0);
	
	/* XXX - probably want to verify checksum */
	
	/* Forward to Authentication Data */
	buf_skip(&inbuf, sizeof(*vrrp) + 8 + (vrrp->vr_naddr * 4));

	if ((b = buf_tok(&inbuf, NULL, VRRP_AUTH_DATA_LEN)) == NULL)
		return (0);
	
	buf_put(&outbuf, buf_ptr(b), buf_len(b));
	buf_put(&outbuf, "\n", 1);
	buf_end(&outbuf);
	
	return (buf_len(&outbuf));
}
Example #3
0
int
decode_imap(u_char *buf, int len, u_char *obuf, int olen)
{
	struct buf *line, inbuf, outbuf;
	int i;

	buf_init(&inbuf, buf, len);
	buf_init(&outbuf, obuf, olen);
	
	while ((i = buf_index(&inbuf, "\r\n", 2)) != -1) {
		line = buf_tok(&inbuf, NULL, i);
		buf_skip(&inbuf, 2);

		if ((i = buf_index(line, " ", 1)) != -1) {
			buf_skip(line, i + 1);
		
			if (buf_cmp(line, "LOGIN ", 6) == 0) {
				buf_putf(&outbuf, "%.*s\n",
					 buf_len(line), buf_ptr(line));
			}
		}
	}
	buf_end(&outbuf);
	
	return (buf_len(&outbuf));
}
Example #4
0
static int
process_pop_server(struct pop_info *pop, char *data, int len)
{
	struct buf *line, *body, buf;
	int i;

	buf_init(&buf, data, len);
	
	if (pop->state == POP_NONE)
		return (len);

	if (pop->state == POP_RETR) {
		if ((i = buf_index(&buf, "\r\n", 2)) < 0)
			return (0);
		
		line = buf_tok(&buf, NULL, i + 2);
		
		if (buf_cmp(line, "+OK", 3) == 0) {
			pop->state = POP_DATA;
		}
		else pop->state = POP_NONE;
	}
	if (pop->state == POP_DATA) {
		if ((i = buf_index(&buf, "\r\n.\r\n", 5)) >= 0) {
			body = buf_tok(&buf, NULL, i);
			buf_skip(&buf, 5);
			body->base[body->end] = '\0';

			if (regex_match(buf_ptr(body)))
				print_mbox_msg(NULL, buf_ptr(body));
			
			pop->state = POP_NONE;
		}
	}
	return (len - buf_len(&buf));
}
Example #5
0
static int
process_pop_client(struct pop_info *pop, char *data, int len)
{
	struct buf *line, buf;
	int i;

	buf_init(&buf, data, len);
	
	while ((i = buf_index(&buf, "\r\n", 2)) >= 0) {
		line = buf_tok(&buf, NULL, i + 2);
		line->base[line->end] = '\0';
		
		if (strncasecmp(buf_ptr(line), "RETR ", 5) == 0) {
			pop->state = POP_RETR;
		}
		else pop->state = POP_NONE;
	}
	return (len - buf_len(&buf));
}
Example #6
0
int
decode_ftp(u_char *buf, int len, u_char *obuf, int olen)
{
	struct buf *line, inbuf, outbuf;
	int i, n;

	if ((len = strip_telopts(buf, len)) == 0)
		return (0);

	buf_init(&inbuf, buf, len);
	buf_init(&outbuf, obuf, olen);

	if (!buf_isascii(&inbuf))
		return (0);

	n = 0;
	
	while ((i = buf_index(&inbuf, "\n", 1)) != -1) {
		line = buf_tok(&inbuf, NULL, i);
		buf_skip(&inbuf, 1);

		if (i > 0 && line->base[i - 1] == '\r')
			line->end--;
		line->base[line->end] = '\0';

		if (strncasecmp(buf_ptr(line), "USER ", 5) == 0 ||
		    strncasecmp(buf_ptr(line), "ACCT ", 5) == 0 ||
		    strncasecmp(buf_ptr(line), "PASS ", 5) == 0) {
			buf_putf(&outbuf, "%s\n", buf_ptr(line));
			n++;
		}
	}
	if (n < 2) return (0);

	buf_end(&outbuf);
	
	return (buf_len(&outbuf));
}
Example #7
0
int
process_http_request(struct tuple4 *addr, u_char *data, int len)
{
	struct buf *msg, buf;
	char *p, *req, *uri, *user, *vhost, *referer, *agent;
	int i;

	buf_init(&buf, data, len);

	while ((i = buf_index(&buf, "\r\n\r\n", 4)) >= 0) {
		msg = buf_tok(&buf, NULL, i);
		msg->base[msg->end] = '\0';
		buf_skip(&buf, 4);

		if (!regex_match(buf_ptr(msg)))
			continue;

		if ((req = strtok(buf_ptr(msg), "\r\n")) == NULL)
			continue;

		if (strncmp(req, "GET ", 4) != 0 &&
		    strncmp(req, "POST ", 5) != 0 &&
		    strncmp(req, "CONNECT ", 8) != 0)
			continue;

		if ((uri = strchr(req, ' ')) == NULL)
			continue;

		*uri++ = '\0';
		user = vhost = referer = agent = NULL;

		while ((p = strtok(NULL, "\r\n")) != NULL) {
			if (strncasecmp(p, "Authorization: Basic ", 21) == 0) {
				p += 21;
				i = base64_pton(p, p, strlen(p));
				p[i] = '\0';
				user = p;
				if ((p = strchr(p, ':')) != NULL)
					*p = '\0';
			}
			else if (strncasecmp(p, "Host: ", 6) == 0) {
				vhost = p + 6;
			}
			else if (strncasecmp(p, "Referer: ", 9) == 0) {
				referer = p + 9;
			}
			else if (strncasecmp(p, "User-Agent: ", 12) == 0) {
				agent = p + 12;
			}
			else if (strncasecmp(p, "Content-length: ", 16) == 0) {
				i = atoi(p + 16);
				buf_tok(NULL, NULL, i);
			}
		}
		if (user == NULL)
			user = "******";
		if (vhost == NULL)
			vhost = "none";// libnet_host_lookup(addr->daddr, Opt_dns);
		if (referer == NULL)
			referer = "-";
		if (agent == NULL)
			agent = "-";


		printf("%s - %s [%s] \"%s http://%s%s\" - - \"%s\" \"%s\"\n",
		       //"0.0.0.0",
		       libnet_addr2name4(addr->saddr, Opt_dns),
		       user, timestamp(), req, vhost, uri, referer, agent);
	}
	fflush(stdout);

	return (len - buf_len(&buf));
}
Example #8
0
int
decode_aim(u_char *buf, int len, u_char *obuf, int olen)
{
	struct buf *msg, inbuf, outbuf;
	struct flap *flap;
	u_char c, *p;
	int i, j;

	buf_init(&inbuf, buf, len);
	buf_init(&outbuf, obuf, olen);

	if (buf_cmp(&inbuf, "FLAPON\r\n\r\n", 10) == 0)
		buf_skip(&inbuf, 10);

	while (buf_len(&inbuf) > sizeof(*flap)) {
		flap = (struct flap *)buf_ptr(&inbuf);
		flap->datalen = ntohs(flap->datalen);

		i = sizeof(*flap) + flap->datalen;

		if ((msg = buf_tok(&inbuf, NULL, i)) == NULL)
			break;

		buf_skip(msg, sizeof(*flap));

		if (buf_cmp(msg, "toc_signon ", 11) == 0) {
			msg->base[msg->end - 1] = '\0';
			p = buf_ptr(msg);
			
			for (i = 0; i < 4; i++) {
				if ((j = strcspn(p, " ")) > 0)
					p += (j + 1);
			}
			if (strtok(p, " ") == NULL)
				continue;

			buf_putf(&outbuf, "%s ", buf_ptr(msg));
			
			i = strlen(p);
			j = hex_decode(p, i, p, i);

			for (i = 0; i < j; i++)
				p[i] = p[i] ^ aim_xor1[i % 7];
			p[i] = '\0';

			buf_putf(&outbuf, "[%s]\n", p);
		}
		else if (flap->start == 0x2a && flap->channel == 0x01 &&
			 buf_cmp(msg, "\x00\x00\x00\x01", 4) == 0) {
			buf_skip(msg, 7);
			
			buf_get(msg, &c, 1);
			p = buf_ptr(msg);

			if (c == 0 || buf_skip(msg, c + 3) < 0)
				continue;

			p[c] = '\0';
			
			buf_get(msg, &c, 1);

			if (buf_len(msg) < c + 1)
				continue;

			buf_putf(&outbuf, "%s\n", p);
			
			p = buf_ptr(msg);

			for (i = 0; i < c; i++) {
				p[i] = p[i] ^ aim_xor2[i % sizeof(aim_xor2)];
			}
			p[i] = '\0';
			
			buf_putf(&outbuf, "%s\n", p);
			
			break;
		}		
	}
	buf_end(&outbuf);
	
	return (buf_len(&outbuf));
}