static void
parse_status(struct Output *out,
enum PortStatus status, /* open/closed */
const unsigned char *buf, size_t buf_length)
{
struct MasscanRecord record;
if (buf_length < 12)
return;
/* parse record */
record.timestamp = buf[0]<<24 | buf[1]<<16 | buf[2]<<8 | buf[3];
record.ip = buf[4]<<24 | buf[5]<<16 | buf[6]<<8 | buf[7];
record.port = buf[8]<<8 | buf[9];
record.reason = buf[10];
record.ttl = buf[11];
/*
* Now report the result
*/
output_report_status(out,
record.timestamp,
status,
record.ip,
record.port,
record.reason,
record.ttl);
}
void
handle_udp(struct Output *out, time_t timestamp,
const unsigned char *px, unsigned length,
struct PreprocessedInfo *parsed, uint64_t entropy)
{
unsigned ip_them;
unsigned port_them = parsed->port_src;
unsigned status = 0;
ip_them = parsed->ip_src[0]<<24 | parsed->ip_src[1]<<16
| parsed->ip_src[2]<< 8 | parsed->ip_src[3]<<0;
switch (port_them) {
case 53: /* DNS - Domain Name System (amplifier) */
status = handle_dns(out, timestamp, px, length, parsed, entropy);
break;
case 123: /* NTP - Network Time Protocol (amplifier) */
status = ntp_handle_response(out, timestamp, px, length, parsed, entropy);
break;
case 137: /* NetBIOS (amplifier) */
status = handle_nbtstat(out, timestamp, px, length, parsed, entropy);
break;
case 161: /* SNMP - Simple Network Managment Protocol (amplifier) */
status = handle_snmp(out, timestamp, px, length, parsed, entropy);
break;
case 11211: /* memcached (amplifier) */
px += parsed->app_offset;
length = parsed->app_length;
status = memcached_udp_parse(out, timestamp, px, length, parsed, entropy);
break;
case 16464:
case 16465:
case 16470:
case 16471:
status = handle_zeroaccess(out, timestamp, px, length, parsed, entropy);
break;
default:
px += parsed->app_offset;
length = parsed->app_length;
status = default_udp_parse(out, timestamp, px, length, parsed, entropy);
break;
}
if (status == 0)
output_report_status(
out,
timestamp,
PortStatus_Open,
ip_them,
17, /* ip proto = udp */
port_them,
0,
0,
parsed->mac_src);
}
void handle_udp(struct Output *out, time_t timestamp, const unsigned char *px, unsigned length, struct PreprocessedInfo *parsed)
{
unsigned ip_them;
unsigned port_them = parsed->port_src;
unsigned status = 0;
ip_them = parsed->ip_src[0]<<24 | parsed->ip_src[1]<<16
| parsed->ip_src[2]<< 8 | parsed->ip_src[3]<<0;
switch (port_them) {
case 53:
status = handle_dns(out, timestamp, px, length, parsed);
break;
case 123:
status = ntp_handle_response(out, timestamp, px, length, parsed);
break;
case 137:
status = handle_nbtstat(out, timestamp, px, length, parsed);
break;
case 161:
status = handle_snmp(out, timestamp, px, length, parsed);
break;
case 16464:
case 16465:
case 16470:
case 16471:
status = handle_zeroaccess(out, timestamp, px, length, parsed);
break;
}
if (status == 0)
output_report_status(
out,
timestamp,
PortStatus_Open,
ip_them,
17, /* ip proto = udp */
port_them,
0,
0);
}
void
handle_arp(struct Output *out, const unsigned char *px, unsigned length, struct PreprocessedInfo *parsed)
{
unsigned ip_them;
UNUSEDPARM(length);
UNUSEDPARM(px);
ip_them = parsed->ip_src[0]<<24 | parsed->ip_src[1]<<16
| parsed->ip_src[2]<< 8 | parsed->ip_src[3]<<0;
output_report_status(
out,
Port_ArpOpen,
ip_them,
0,
0,
0);
}
void handle_icmp(struct Output *out, const unsigned char *px, unsigned length, struct PreprocessedInfo *parsed)
{
unsigned type = parsed->port_src;
unsigned code = parsed->port_dst;
unsigned seqno_me;
//unsigned ip_me;
unsigned ip_them;
/*ip_me = parsed->ip_dst[0]<<24 | parsed->ip_dst[1]<<16
| parsed->ip_dst[2]<< 8 | parsed->ip_dst[3]<<0;*/
ip_them = parsed->ip_src[0]<<24 | parsed->ip_src[1]<<16
| parsed->ip_src[2]<< 8 | parsed->ip_src[3]<<0;
seqno_me = px[parsed->transport_offset+4]<<24
| px[parsed->transport_offset+5]<<16
| px[parsed->transport_offset+6]<<8
| px[parsed->transport_offset+7]<<0;
switch (type) {
case 0: /* ICMP echo reply */
if (syn_hash(ip_them, Templ_ICMP_echo) != seqno_me)
return; /* not my response */
/*
* Report "open" or "existence" of host
*/
output_report_status(
out,
Port_IcmpEchoResponse,
ip_them,
0,
0,
0);
break;
case 3: /* destination unreachable */
switch (code) {
case 0: /* net unreachable */
case 1: /* host unreachable */
case 2: /* protocol unreachable */
break;
case 3: /* port unreachable */
if (length - parsed->transport_offset > 8) {
unsigned ip_me2, ip_them2, port_me2, port_them2;
int err;
err = parse_port_unreachable(
px + parsed->transport_offset + 8,
length - parsed->transport_offset + 8,
&ip_me2, &ip_them2, &port_me2, &port_them2);
if (err)
return;
if (!matches_me(out, ip_me2, port_me2))
return;
output_report_status(
out,
Port_UdpClosed,
ip_them2,
port_them2,
0,
px[parsed->ip_offset + 8]);
}
}
break;
default:
;
}
}
/***************************************************************************
* This is where we handle all incoming ICMP packets. Some of these packets
* will be due to scans we are doing, like pings (echoes). Some will
* be inadvertent, such as "destination unreachable" messages.
***************************************************************************/
void
handle_icmp(struct Output *out, time_t timestamp,
const unsigned char *px, unsigned length,
struct PreprocessedInfo *parsed)
{
unsigned type = parsed->port_src;
unsigned code = parsed->port_dst;
unsigned seqno_me;
unsigned ip_me;
unsigned ip_them;
unsigned cookie;
ip_me = parsed->ip_dst[0]<<24 | parsed->ip_dst[1]<<16
| parsed->ip_dst[2]<< 8 | parsed->ip_dst[3]<<0;
ip_them = parsed->ip_src[0]<<24 | parsed->ip_src[1]<<16
| parsed->ip_src[2]<< 8 | parsed->ip_src[3]<<0;
seqno_me = px[parsed->transport_offset+4]<<24
| px[parsed->transport_offset+5]<<16
| px[parsed->transport_offset+6]<<8
| px[parsed->transport_offset+7]<<0;
switch (type) {
case 0: /* ICMP echo reply */
cookie = (unsigned)syn_cookie(ip_them, Templ_ICMP_echo, ip_me, 0);
if ((cookie & 0xFFFFFFFF) != seqno_me)
return; /* not my response */
//if (syn_hash(ip_them, Templ_ICMP_echo) != seqno_me)
// return; /* not my response */
/*
* Report "open" or "existence" of host
*/
output_report_status(
out,
timestamp,
PortStatus_Open,
ip_them,
1, /* ip proto */
0,
0,
0);
break;
case 3: /* destination unreachable */
switch (code) {
case 0: /* net unreachable */
/* We get these a lot while port scanning, often a flood coming
* back from broken/misconfigured networks */
break;
case 1: /* host unreachable */
/* This means the router doesn't exist */
break;
case 2: /* protocol unreachable */
/* The host exists, but it doesn't support SCTP */
break;
case 3: /* port unreachable */
if (length - parsed->transport_offset > 8) {
unsigned ip_me2, ip_them2, port_me2, port_them2;
unsigned ip_proto;
int err;
err = parse_port_unreachable(
px + parsed->transport_offset + 8,
length - parsed->transport_offset + 8,
&ip_me2, &ip_them2, &port_me2, &port_them2,
&ip_proto);
if (err)
return;
if (!matches_me(out, ip_me2, port_me2))
return;
switch (ip_proto) {
case 6:
output_report_status(
out,
timestamp,
PortStatus_Closed,
ip_them2,
ip_proto,
port_them2,
0,
px[parsed->ip_offset + 8]);
break;
case 17:
output_report_status(
out,
timestamp,
PortStatus_Closed,
ip_them2,
ip_proto,
port_them2,
0,
px[parsed->ip_offset + 8]);
break;
case 132:
output_report_status(
out,
timestamp,
PortStatus_Closed,
ip_them2,
ip_proto,
port_them2,
0,
px[parsed->ip_offset + 8]);
break;
}
}
}
break;
default:
;
}
}
