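/*
 * Dispatch a received UDP packet to the protocol-specific response parser
 * selected by the remote (source) port, then report the port as open when
 * that parser returned 0.
 *
 * @param out        output sink handed to the parser and to
 *                   output_report_status()
 * @param timestamp  capture time of the packet
 * @param px         start of the packet as handed in by the caller
 * @param length     number of bytes at px
 * @param parsed     pre-parsed header fields (source IP/port, source MAC,
 *                   application-layer offset/length)
 * @param entropy    seed forwarded unchanged to every parser
 *
 * Ports 53/123/137/161 and the ZeroAccess ports see the whole buffer; the
 * memcached and default cases are handed only the application payload
 * (parsed->app_offset / parsed->app_length).  Nothing here checks that
 * offset+length against `length` -- presumably the preprocessor already
 * bounded them, verify against the caller.
 */
void
handle_udp(struct Output *out, time_t timestamp,
           const unsigned char *px, unsigned length,
           struct PreprocessedInfo *parsed, uint64_t entropy)
{
    unsigned ip_them;
    unsigned port_them = parsed->port_src;
    unsigned status = 0;

    /* Widen each octet to unsigned before shifting: an octet >= 0x80 that
     * is promoted to int and shifted left by 24 lands in the sign bit,
     * which is undefined behaviour for a signed left shift in C. */
    ip_them = (unsigned)parsed->ip_src[0] << 24
            | (unsigned)parsed->ip_src[1] << 16
            | (unsigned)parsed->ip_src[2] <<  8
            | (unsigned)parsed->ip_src[3] <<  0;

    switch (port_them) {
    case 53: /* DNS - Domain Name System (amplifier) */
        status = handle_dns(out, timestamp, px, length, parsed, entropy);
        break;
    case 123: /* NTP - Network Time Protocol (amplifier) */
        status = ntp_handle_response(out, timestamp, px, length, parsed, entropy);
        break;
    case 137: /* NetBIOS (amplifier) */
        status = handle_nbtstat(out, timestamp, px, length, parsed, entropy);
        break;
    case 161: /* SNMP - Simple Network Management Protocol (amplifier) */
        status = handle_snmp(out, timestamp, px, length, parsed, entropy);
        break;
    case 11211: /* memcached (amplifier) */
        /* memcached parser wants only the application payload */
        px += parsed->app_offset;
        length = parsed->app_length;
        status = memcached_udp_parse(out, timestamp, px, length, parsed, entropy);
        break;
    case 16464:
    case 16465:
    case 16470:
    case 16471: /* ZeroAccess botnet P2P ports */
        status = handle_zeroaccess(out, timestamp, px, length, parsed, entropy);
        break;
    default:
        /* unknown protocol: generic parser gets just the payload */
        px += parsed->app_offset;
        length = parsed->app_length;
        status = default_udp_parse(out, timestamp, px, length, parsed, entropy);
        break;
    }

    /* A parser returning 0 means it accepted the packet as a valid reply. */
    if (status == 0)
        output_report_status(
                        out,
                        timestamp,
                        PortStatus_Open,
                        ip_them,
                        17, /* ip proto = udp */
                        port_them,
                        0,
                        0,
                        parsed->mac_src);
}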
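/*
 * Copy the payload of a UDP datagram involving port 53 into a local
 * staging buffer and parse it as a DNS message.
 *
 * @param udp  pointer to the UDP header; the payload follows it in memory
 * @param len  total bytes available at udp (header + payload)
 * @return     the parsed message with src_port filled in, or NULL when the
 *             datagram is not DNS traffic, is malformed, or does not fit
 *             the staging buffer
 *
 * port53 is compared directly with the header's port fields, so both are
 * presumably kept in network byte order -- confirm where port53 is set.
 */
dns_message *
handle_udp(const struct udphdr *udp, int len)
{
    char buf[PCAP_SNAPLEN];
    dns_message *m;
    size_t payload_len;

    if (port53 != udp->uh_dport && port53 != udp->uh_sport)
        return NULL;

    /* A datagram shorter than its own header must be rejected here:
     * len - sizeof(*udp) would otherwise wrap to a huge size_t and the
     * memcpy below would run far past buf. */
    if (len < 0 || (size_t)len < sizeof(*udp))
        return NULL;
    payload_len = (size_t)len - sizeof(*udp);

    /* Never copy more than the staging buffer can hold. */
    if (payload_len > sizeof buf)
        return NULL;

    memcpy(buf, udp + 1, payload_len);
    m = handle_dns(buf, payload_len);
    if (NULL == m)
        return NULL;
    m->src_port = ntohs(udp->uh_sport);
    return m;
}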
/*
 * Continuation callback for the header plugin.
 *
 * Only TS_EVENT_HTTP_OS_DNS does anything: the transaction carried in
 * edata is passed to handle_dns() together with this continuation.  Every
 * other event is ignored.  Always returns 0.
 */
static int
hdr_plugin(TSCont contp, TSEvent event, void *edata)
{
  if (event == TS_EVENT_HTTP_OS_DNS) {
    handle_dns((TSHttpTxn)edata, contp);
  }
  return 0;
}
/*
 * Continuation callback for the header plugin (legacy INK API).
 *
 * Reacts to INK_EVENT_HTTP_OS_DNS alone by calling handle_dns() with the
 * transaction from edata and this continuation; all other events are
 * dropped.  Always returns 0.
 */
static int
hdr_plugin(INKCont contp, INKEvent event, void *edata)
{
  if (event == INK_EVENT_HTTP_OS_DNS) {
    handle_dns((INKHttpTxn)edata, contp);
  }
  return 0;
}
/*
 * Continuation callback for the blacklist plugin.
 *
 * At the OS-DNS hook the transaction is handed to handle_dns() (with this
 * continuation); when the response header is about to be sent it goes to
 * handle_response().  Other events are ignored.  Always returns 0.
 */
static int
blacklist_plugin(TSCont contp, TSEvent event, void *edata)
{
  TSHttpTxn txnp = (TSHttpTxn)edata;

  if (event == TS_EVENT_HTTP_OS_DNS) {
    handle_dns(txnp, contp);
  } else if (event == TS_EVENT_HTTP_SEND_RESPONSE_HDR) {
    handle_response(txnp);
  }
  return 0;
}
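/*
 * Route a UDP response to the decoder for its source port and, when the
 * decoder accepts it (status 0), report the remote port as open.
 *
 * @param out        output sink for the decoder and the status report
 * @param timestamp  when the packet was captured
 * @param px         the packet bytes
 * @param length     byte count at px
 * @param parsed     pre-parsed header fields (source IP and source port)
 *
 * Note that a source port with no decoder here leaves status at 0, so
 * such packets are reported open without any protocol check.
 */
void
handle_udp(struct Output *out, time_t timestamp,
           const unsigned char *px, unsigned length,
           struct PreprocessedInfo *parsed)
{
    unsigned ip_them;
    unsigned port_them = parsed->port_src;
    unsigned status = 0;

    /* Cast each octet to unsigned first: shifting an int-promoted octet
     * >= 0x80 left by 24 overflows into the sign bit, which is undefined
     * behaviour for signed shifts. */
    ip_them = (unsigned)parsed->ip_src[0] << 24
            | (unsigned)parsed->ip_src[1] << 16
            | (unsigned)parsed->ip_src[2] <<  8
            | (unsigned)parsed->ip_src[3] <<  0;

    switch (port_them) {
    case 53:   /* DNS */
        status = handle_dns(out, timestamp, px, length, parsed);
        break;
    case 123:  /* NTP */
        status = ntp_handle_response(out, timestamp, px, length, parsed);
        break;
    case 137:  /* NetBIOS name service */
        status = handle_nbtstat(out, timestamp, px, length, parsed);
        break;
    case 161:  /* SNMP */
        status = handle_snmp(out, timestamp, px, length, parsed);
        break;
    case 16464:
    case 16465:
    case 16470:
    case 16471: /* ZeroAccess botnet P2P ports */
        status = handle_zeroaccess(out, timestamp, px, length, parsed);
        break;
    default:
        /* no decoder: status stays 0 and the port is reported open */
        break;
    }

    if (status == 0)
        output_report_status(
                        out,
                        timestamp,
                        PortStatus_Open,
                        ip_them,
                        17, /* ip proto = udp */
                        port_them,
                        0,
                        0);
}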
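/**
 * NET: Handles UDP-packets according to Receive-handle diagram.
 *
 * Dispatches on the destination port.  BOOTP/DHCP and DNS replies are
 * accepted only when the source port is the matching server port; DHCPv6
 * and TFTP are dispatched on the destination port alone.  Each sub-handler
 * receives the bytes after the UDP header, except the TFTP path without
 * USE_MTFTP, which is given the whole datagram.
 *
 * @param udp_packet UDP-packet to be handled (UDP header first)
 * @param packetsize Length of the packet in bytes
 * @return ZERO     - packet handled successfully;
 *         NON ZERO - packet was not handled (e.g. bad format, too short)
 * @see receive_ether
 * @see udphdr
 */
int8_t handle_udp(uint8_t * udp_packet, int32_t packetsize)
{
	struct udphdr * udph = (struct udphdr *) udp_packet;
	uint8_t * payload;
	int32_t payload_size;
	uint16_t dport;

	/* A negative size has to be rejected explicitly: compared directly
	 * against the size_t from sizeof it would convert to a huge unsigned
	 * value and slip past the minimum-length check. */
	if (packetsize < 0 || (size_t) packetsize < sizeof(struct udphdr))
		return -1; // packet is too small

	payload      = udp_packet + sizeof(struct udphdr);
	payload_size = packetsize - (int32_t) sizeof(struct udphdr);
	dport        = ntohs(udph -> uh_dport);

	switch (dport) {
	case UDPPORT_BOOTPC:
		/* only accept replies coming from the DHCP/BOOTP server port */
		if (udph -> uh_sport == htons(UDPPORT_BOOTPS))
			return handle_dhcp(payload, payload_size);
		return -1;

	case UDPPORT_DNSC:
		/* only accept replies coming from the DNS server port */
		if (udph -> uh_sport == htons(UDPPORT_DNSS))
			return handle_dns(payload, payload_size);
		return -1;

	case UDPPORT_DHCPV6C:
		return handle_dhcpv6(payload, payload_size);

	case UDPPORT_TFTPC:
#ifdef USE_MTFTP
		return handle_tftp(payload, payload_size);
#else
		/* the non-MTFTP handler expects the UDP header as well */
		return handle_tftp(udp_packet, packetsize);
#endif

	default:
#ifdef USE_MTFTP
		/* dynamically chosen TFTP / multicast-TFTP client ports */
		if (dport == net_tftp_uport || dport == net_mtftp_uport)
			return handle_tftp(payload, payload_size);
#endif
		return -1;
	}
}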
/*
 * Print the UDP header fields, then hand the payload that follows the
 * header to the decoder matching either port: DNS on 53, BOOTP on the
 * BOOTP server port; NetBIOS (137) is only announced.  Anything else is
 * reported as unsupported.
 *
 * No length is passed in, so neither this function nor the decoders it
 * calls can bound their reads -- the caller is presumed to supply a
 * complete datagram.
 */
void handle_udp(const unsigned char *bytes)
{
	const struct udphdr *hdr = (const struct udphdr *)bytes;
	u_short sport = ntohs(hdr->source);
	u_short dport = ntohs(hdr->dest);
	const unsigned char *payload = bytes + sizeof(struct udphdr);

	printf2("UDP %u -> %u, len %u, checksum %u\n",
		sport, dport, ntohs(hdr->len), ntohs(hdr->check));

	if (sport == 53 || dport == 53) {
		handle_dns(payload);
		return;
	}
	if (sport == IPPORT_BOOTPS || dport == IPPORT_BOOTPS) {
		handle_bootp(payload);
		return;
	}
	if (sport == 137 || dport == 137) {
		print1("NETBIOS \n");
		return;
	}
	print1("??? unsupported UDP protocol\n");
}
/*
 * Event callback shared by the plugin's global continuation and its
 * per-transaction continuations.
 *
 * A per-transaction continuation (contp != global_contp) records in
 * cd->cf which handler it is about to run, so that a TS_EVENT_TIMEOUT --
 * the reschedule that follows a failed mutex acquisition, delivered with a
 * NULL edata -- can re-run the very same handler.  On the global
 * continuation a timeout re-reads the blacklist instead.  Every path
 * returns 0.
 */
static int
blacklist_plugin(TSCont contp, TSEvent event, void *edata)
{
  int per_txn = (contp != global_contp);
  cdata *cd;

  switch (event) {
  case TS_EVENT_HTTP_TXN_START:
    handle_txn_start(contp, (TSHttpTxn)edata);
    break;

  case TS_EVENT_HTTP_OS_DNS:
    if (per_txn) {
      cd     = (cdata *)TSContDataGet(contp);
      cd->cf = HANDLE_DNS; /* remembered for a possible TIMEOUT retry */
      handle_dns(cd->txnp, contp);
    }
    break;

  case TS_EVENT_HTTP_TXN_CLOSE:
    if (per_txn) {
      destroy_continuation((TSHttpTxn)edata, contp);
    }
    break;

  case TS_EVENT_HTTP_SEND_RESPONSE_HDR:
    if (per_txn) {
      cd     = (cdata *)TSContDataGet(contp);
      cd->cf = HANDLE_RESPONSE; /* remembered for a possible TIMEOUT retry */
      handle_response(cd->txnp, contp);
    }
    break;

  case TS_EVENT_TIMEOUT:
    if (!per_txn) {
      read_blacklist(contp);
      break;
    }
    /* edata is NULL here; the transaction comes from the continuation data */
    cd = (cdata *)TSContDataGet(contp);
    if (cd->cf == HANDLE_DNS) {
      handle_dns(cd->txnp, contp);
    } else if (cd->cf == HANDLE_RESPONSE) {
      handle_response(cd->txnp, contp);
    } else {
      TSDebug(PLUGIN_NAME, "This event was unexpected: %d", event);
    }
    break;

  default:
    break;
  }
  return 0;
}