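/*
 * Report the OS/browser versions and the host comment carried by a
 * Browser-protocol host announcement, keyed by the IPv4 source address
 * of the frame four levels down the parse stack.
 *
 * buf/len  the announcement bytes and how many of them are valid
 * f        the frame being reported (only used to locate the IP frame)
 *
 * Nothing is reported when the located frame is not IPv4.  The old
 * `else if` with the same condition as the `if` was unreachable and is
 * gone.
 */
static void rep_host(char *buf, size_t len, const parse_frame *f)
{
#ifndef TEST
  const struct browse_hostann *h = (struct browse_hostann *)buf;
  char ipbuf[48];
  char val[256];
  /* NOTE(review): assumes the stack is [IPv4][..][..][..][BROWSE]; the
   * original derived the IP frame as f-4 — confirm against the caller. */
  const parse_frame *fi = f-4;
  const ipv4 *ip;
  /* bytes of buf that lie inside host_comment.  host_comment sits at a
   * positive offset into the announcement, so that offset is subtracted
   * from len; the old code had the subtraction backwards and produced a
   * bound larger than the buffer. */
  const size_t hc_off = (size_t)((const char *)h->host_comment - buf);
  const size_t max_hc_buf = len > hc_off ? len - hc_off : 0;
  if (PROT_IPv4 != fi->id) {
    /* NOTE: may also be LLC or something else */
    return;
  }
  ip = fi->off;
  (void)ipv4_addr_format(ipbuf, sizeof ipbuf, ip->src);
  snprintf(val, sizeof val, "%u.%u", h->os_maj, h->os_min);
  rep_hint("4", ipbuf, "BROWSE.OS", val, -1);
  snprintf(val, sizeof val, "%u.%u", h->browser_maj, h->browser_min);
  rep_hint("4", ipbuf, "BROWSE.Browser", val, -1);
  /* only look at the comment when at least one byte of it is in buf */
  if (max_hc_buf > 0 && '\0' != h->host_comment[0]) {
    /* don't fall off the end of non-string host_comments */
    dump_chars_buf2(val, sizeof val, (char *)h->host_comment,
      strlen_bound((char *)h->host_comment, max_hc_buf));
    rep_hint("4", ipbuf, "BROWSE.Comment", val, -1);
  }
#else
  (void)buf;
  (void)len;
  (void)f;
#endif
}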
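/*
 * Report what an RTSP request reveals: the URL of a DESCRIBE request and
 * the User-Agent / Server headers, each as a hint keyed by the IPv4
 * source address of the frame two levels down the parse stack.  Nothing
 * is reported when the stack is shallower than that or that frame is
 * not IPv4.
 */
static void report(const parse_status *st, const parse_frame *f)
{
  char ipbuf[48];
  const rtsp *r = f->pass;
  const http_req *req = &r->h.data.req;
  const http_headers *h = &req->headers;
  const parse_frame *fi;
  const ipv4 *ip;
  unsigned i;
  /* st->frame + st->frames - 2 is undefined for a stack shallower than 2 */
  if (st->frames < 2)
    return;
  fi = st->frame + st->frames - 2;
  /* this used to be an assert(), which under NDEBUG let a non-IPv4
   * frame be read as an ipv4 header */
  if (PROT_IPv4 != fi->id)
    return;
  ip = fi->off;
  (void)ipv4_addr_format(ipbuf, sizeof ipbuf, ip->src);
  /*
   * the "DESCRIBE" method provides an RTSP URL; let's record it for later
   */
  if (8 == req->meth.len && 0 == strncasecmp(req->meth.start, "DESCRIBE", 8)) {
    rep_hint("4", ipbuf, "RTSP.URL", req->uri.start, req->uri.len);
  }
  for (i = 0; i < h->cnt; i++) {
    const struct head_kv *kv = h->h+i;
    /* skip headers with no name or no value; val.p[0] is only valid
     * when val.cnt > 0 */
    if (0 == kv->key.len || 0 == kv->val.cnt)
      continue;
    if (10 == kv->key.len && 0 == strncasecmp(kv->key.start, "USER-AGENT", 10)) {
      rep_hint("4", ipbuf, "RTSP.User-Agent", kv->val.p[0].start, kv->val.p[0].len);
    } else if (6 == kv->key.len && 0 == strncasecmp(kv->key.start, "SERVER", 6)) {
      rep_hint("4", ipbuf, "RTSP.Server", kv->val.p[0].start, kv->val.p[0].len);
    }
  }
}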
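/*
 * Dump a TiVoConnect announcement to 'out', one key/value per line after
 * the header line, and report its 'Platform' value as a hint keyed by
 * the IPv4 source address of the frame two levels down the parse stack.
 *
 * f        the TiVoConnect frame (f->pass holds the parsed key/values)
 * options  unused
 * out      stream written to
 *
 * Returns the number of bytes written, or 0 if an fprintf failed.
 */
size_t dump(const parse_frame *f, int options, FILE *out)
{
  const tivoconn *t = (tivoconn *)f->off;
  const tivoconn_kv *kv = f->pass;
  /* the version character sits just past the fixed tivoconnect prefix;
   * only read it if the frame actually extends that far (f->len is taken
   * to be the byte count at f->off, as the other dumpers use it) */
  const size_t ver_off = sizeof t->tivoconnect + 1;
  const char ver = f->len > ver_off ? ((const char *)f->off)[ver_off] : '?';
  int bytes = fprintf(out, "%s ver=%c\n", Iface_TiVoConn.shortname, ver);
  unsigned i;
  (void)options;
  if (bytes < 0)
    return 0;
  for (i = 1; i < kv->cnt; i++) { /* yes, start at one. skip TiVoConn header */
    int n = fprintf(out, " %-8.*s %.*s\n",
      kv->item[i].keystr.len, kv->item[i].keystr.start,
      kv->item[i].val.len, kv->item[i].val.start);
    if (n < 0)
      return 0;
    bytes += n;
    if (Key_Platform == i) {
      char ipbuf[48];
      const parse_frame *fi = f-2;
      const ipv4 *ip = fi->off;
      /* this used to be an assert(); under NDEBUG a non-IPv4 frame would
       * have been read as an ipv4 header */
      if (PROT_IPv4 != fi->id)
        continue;
      (void)ipv4_addr_format(ipbuf, sizeof ipbuf, ip->src);
      rep_hint("4", ipbuf, "TivoConn.Platform", kv->item[i].val.start, kv->item[i].val.len);
    }
  }
  return (size_t)bytes;
}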
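/*
 * Report the Gnutella User-Agent header as a hint keyed by the IPv4
 * source address of the frame two levels down the parse stack.  When
 * that frame is not IPv4 (or the stack is too shallow to have one) the
 * parse stack is printed to stdout instead so the mismatch can be
 * diagnosed.
 */
static void report(const parse_status *st, const parse_frame *f)
{
  char ipbuf[48];
  const gnutella *g = f->pass;
  const http_req *r = &g->h.data.req;
  const http_headers *h = &r->headers;
  /* st->frame + st->frames - 2 is undefined for a stack shallower than 2 */
  const parse_frame *fi = st->frames >= 2 ? st->frame + st->frames - 2 : NULL;
  unsigned i;
  if (fi && PROT_IPv4 == fi->id) {
    const ipv4 *ip = fi->off;
    (void)ipv4_addr_format(ipbuf, sizeof ipbuf, ip->src);
    for (i = 0; i < h->cnt; i++) {
      const struct head_kv *kv = h->h+i;
      /* a header with an empty value list has no val.p[0] to report */
      if (0 == kv->val.cnt)
        continue;
      if (10 == kv->key.len && 0 == strncasecmp(kv->key.start, "User-Agent", 10)) {
        rep_hint("4", ipbuf, "Gnutella.User-Agent", kv->val.p[0].start, kv->val.p[0].len);
      }
    }
  } else {
    printf("%s:%s:expected PROT_IPv4(%u) but got (%u)! st->frames(%u):",
      __FILE__, __func__, PROT_IPv4, fi ? fi->id : 0u, st->frames);
    for (i = 0; i < st->frames; i++)
      printf(" (#%u:%u)", i, st->frame[i].id);
    fputc('\n', stdout);
  }
}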
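/**
 * given a SYN (not SYN+ACK) TCP packet, generate a p0f-style
 * fingerprint and report it
 *
 * The fingerprint is keyed by the IPv4 source address of the last frame
 * on the parse stack; two variants are reported, one with the literal
 * MSS value and one with MSS wildcarded.  Nothing is reported when the
 * stack is empty or its last frame is not IPv4.
 *
 * t/tcplen  the TCP header and the number of bytes available at it
 */
void tcp_rep_syn(const parse_status *st, const tcp *t, size_t tcplen)
{
#ifndef TEST
  char fpbuf[256],
       ipbuf[48];
  const parse_frame *fi;
  const ipv4 *ip;
  size_t fplen;
  /* st->frame + st->frames - 1 is undefined for an empty stack */
  if (st->frames < 1)
    return;
  fi = st->frame + st->frames - 1;
  if (PROT_IPv4 != fi->id)
    return;
  ip = fi->off;
  (void)ipv4_addr_format(ipbuf, sizeof ipbuf, ip->src);
  /* generate and report fingerprint with literal MSS value */
  fplen = p0f2str(fpbuf, sizeof fpbuf, t, tcplen, ip, fi->len, 0);
  if (fplen)
    rep_hint("4", ipbuf, "TCP.SYN.Fingerprint", fpbuf, fplen);
  /* generate and report fingerprint with "*" MSS value */
  fplen = p0f2str(fpbuf, sizeof fpbuf, t, tcplen, ip, fi->len, 1);
  if (fplen)
    rep_hint("4", ipbuf, "TCP.SYN.Fingerprint", fpbuf, fplen);
#else
  (void)st;
  (void)t;
  (void)tcplen;
#endif
}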
/**
 * report the connection between the MAC address and the 'Platform' hint
 *
 * Expects the two frames below the CDP frame to be [IEEE 802.3][LLC];
 * the 802.3 frame's source MAC becomes the key of the "CDP.Platform"
 * hint.  Any other stack trips an assertion (and reports nothing when
 * assertions are compiled out).
 *
 * pf        the CDP frame
 * data/len  the Platform value to report
 */
static void do_rep_platform(const parse_frame *pf, const char *data, size_t len)
{
  const parse_frame *llc = pf-1;
  const parse_frame *eth = pf-2;
  char macbuf[32];
  const ethernet2_frame *e;
  if (PROT_LLC != llc->id || PROT_IEEE802_3 != eth->id) {
    assert(0 && "Where is CDP's ethernet?!");
    return;
  }
  e = eth->off;
  assert(PROT_IEEE802_3 == eth->id);
  (void)ieee802_3_addr_format(macbuf, sizeof macbuf, &e->src);
  rep_hint("M", macbuf, "CDP.Platform", data, len);
}
/**
 * @note called in context of 'parse', so parse stack
 *
 * Builds a fingerprint from the echo packet's ICMP type, the normalized
 * IP TTL, whether the IP id is zero, the DF bit and the echo payload,
 * then reports it as an "ICMP.Echo.Fingerprint" hint keyed by the IPv4
 * source address.  The last frame on the stack must be IPv4 for
 * anything to be reported.
 *
 * i/len  the ICMP header and the number of bytes available at it
 */
void report_echo_fingerprint(const icmp *i, size_t len, const parse_status *st)
{
  const parse_frame *top = &st->frame[st->frames-1];
  char fbuf[1500 * 4 + 1];
  char ipbuf[48];
  const ipv4 *ip;
  echo_fingerprint f;
  if (PROT_IPv4 != top->id)
    return;
  ip = top->off;
  /* positional initializer: same member order as the original code used */
  f = (echo_fingerprint){
    i->head.type, ttl_normalize(ip->ttl), !ip->id, !!ip->flag.dontfrag,
    len - (i->data.echo.payload - (u8*)i), i->data.echo.payload
  };
  (void)ipv4_addr_format(ipbuf, sizeof ipbuf, ip->src);
  fprint2str(fbuf, sizeof fbuf, &f);
  DEBUGF(__FILE__, __LINE__, "ICMP.Echo.Fingerprint %s\n", fbuf);
  rep_hint("4", ipbuf, "ICMP.Echo.Fingerprint", fbuf, -1);
}
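/*
 * report IP/User-Agent combo
 *
 * Keyed by the IPv4 source address of the frame two levels below the
 * HTTP frame; nothing is reported for other stacks, when there is no
 * User-Agent header, or when that header carries no value.
 *
 * TODO: add support for IPv6
 */
static void do_req_rep(const http_req *r, const parse_status *st)
{
#ifndef TEST
  const struct head_kv *uah;
  const parse_frame *fi;
  if (st->frames < 2) /* assume [IPv4][TCP][HTTP] */
    return;
  uah = http_header_find_key(&r->headers, "User-Agent");
  /* a header may be present with an empty value list; val.p[0] is only
   * valid when val.cnt says so */
  if (NULL == uah || 0 == uah->val.cnt)
    return;
  /* TODO: this IP/foo hint reporting is ugly and common, abstract it */
  fi = st->frame + st->frames - 2;
  if (PROT_IPv4 == fi->id) {
    char ipbuf[48];
    const ipv4 *ip = fi->off;
    const ptrlen *ua = uah->val.p;
    (void)ipv4_addr_format(ipbuf, sizeof ipbuf, ip->src);
    rep_hint("4", ipbuf, "HTTP.User-Agent", ua->start, ua->len);
  }
#else
  (void)r;
  (void)st;
#endif
}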
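/*
 * Report a RAS advertisement's Hostname (as an address record) and
 * Domain (as a hint), keyed by the IPv4 source address of the frame two
 * levels down the parse stack.  Nothing is reported for a stack
 * shallower than 3 or when that frame is not IPv4.
 */
static void report(const parse_frame *f, const parse_status *st)
{
#ifndef TEST
  char ipbuf[48];
  const parse_frame *fi;
  const ipv4 *ip;
  const struct kv_list *l = f->pass;
  unsigned i;
  if (st->frames < 3)
    return;
  fi = st->frame+st->frames-2;
  /* this used to be an assert(), which under NDEBUG let a non-IPv4
   * frame be read as an ipv4 header */
  if (PROT_IPv4 != fi->id)
    return;
  ip = fi->off;
  (void)ipv4_addr_format(ipbuf, sizeof ipbuf, ip->src);
  for (i = 0; i < l->cnt; i++) {
    if (8 == l->kv[i].key.len && 0 == memcmp("Hostname", l->kv[i].key.start, 8)) {
      /* NOTE(review): rep_addr receives val.start without val.len; if the
       * value is not NUL-terminated inside the packet this reads past it —
       * confirm rep_addr's contract. */
      rep_addr("4", ipbuf, "RAS", l->kv[i].val.start, Iface_RASADV.shortname, 1);
    } else if (6 == l->kv[i].key.len && 0 == memcmp("Domain", l->kv[i].key.start, 6)) {
      rep_hint("4", ipbuf, "RAS.Domain", l->kv[i].val.start, l->kv[i].val.len);
    }
  }
#else
  (void)f;
  (void)st;
#endif
}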
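#ifndef TEST
/*
 * Format the source address of the IP frame two levels below 'f' into
 * ipbuf.  Returns the address-family tag used by rep_hint/rep_addr
 * ("4" or "6"), or NULL — with ipbuf untouched — when that frame is
 * neither IPv4 nor IPv6.
 */
static const char *dns_rr_src_addr(const parse_frame *f, char *ipbuf, size_t ipbuflen)
{
  /* NOTE(review): assumes the stack is [IP][transport][DNS] — the
   * original used f-2 as well; confirm against the caller. */
  const parse_frame *fi = f-2;
  if (PROT_IPv4 == fi->id) {
    const ipv4 *i = fi->off;
    ipv4_addr_format(ipbuf, ipbuflen, i->src);
    return "4";
  }
  if (PROT_IPv6 == fi->id) {
    const ipv6 *i = fi->off;
    ipv6_addr_format(ipbuf, ipbuflen, i->src);
    return "6";
  }
  return NULL;
}
#endif

/*
 * Dump one DNS resource record to 'out' and, outside of TEST builds,
 * report TXT answers and A/AAAA answers for ".local" names as hints
 * keyed by the source IP address.
 *
 * rr   which RR section the record belongs to
 * f    the DNS frame (its IP frame is expected two levels below it)
 * buf  start of the record (the owner name) inside the DNS message
 * len  bytes available at buf
 *
 * Returns the number of bytes written to out; 0 when fprintf fails or
 * the record's fixed header does not fit in len.
 */
static size_t dump_rr(enum DNS_RR rr, const parse_frame *f, const char *buf, size_t len, FILE *out)
{
  char namebuf[256],
       targetbuf[256];
  const char *name = buf;
  size_t namelen = dns_calc_len_name(name, len);
  const dns_answer *a;
  char *rdata;
  size_t rdlen;
  int bytes;
  /* the fixed answer header must follow the name inside buf; the old code
   * read it regardless of len */
  if (0 == namelen || namelen > len || len - namelen < sizeof *a) {
    bytes = fprintf(out, " %s (truncated record, %zu bytes)\n", RR[rr].name, len);
    return bytes < 0 ? 0 : (size_t)bytes;
  }
  a = (const dns_answer *)(buf + namelen);
  rdata = (char *)a + sizeof *a;
  /* clamp the advertised rdata length to what is actually present */
  rdlen = ntohs(a->rrlen);
  if (rdlen > len - namelen - sizeof *a)
    rdlen = len - namelen - sizeof *a;
  (void)dump_chars_buf(namebuf, sizeof namebuf, name, namelen-1);
  /* NOTE(review): class_ is printed without ntohs() while type is
   * byte-swapped — confirm whether class2str expects the raw wire value */
  bytes = fprintf(out,
    " %s name=%s type=%hu(%s) class=%hu(%s) ttl=%ld target=%s\n",
    RR[rr].name, namebuf,
    ntohs(a->type), type2str(ntohs(a->type)),
    a->class_, class2str(a->class_),
    (long)ntohl(a->ttl),
    addrformat(ntohs(a->type), targetbuf, sizeof targetbuf, rdata, rdlen));
  if (bytes < 0)
    return 0;
#ifndef TEST
  if (DNS_RR_AN == rr && DNS_Type_TXT == ntohs(a->type)) {
    /* is a TXT record answer; usually supplemental information that can
     * contain some interesting stuff */
    char ipbuf[64];
    const char *addrtype = dns_rr_src_addr(f, ipbuf, sizeof ipbuf);
    if (addrtype) {
      (void)dump_chars_buf(namebuf, sizeof namebuf, name,
        strip_c0(namebuf, namelen));
      (void)dump_chars_buf(targetbuf, sizeof targetbuf, rdata,
        strip_c0(rdata, rdlen));
      if ('\0' != namebuf[0])
        rep_hint(addrtype, ipbuf, "DNS.TXT", namebuf, -1);
      if ('\0' != targetbuf[0])
        rep_hint(addrtype, ipbuf, "DNS.TXT", targetbuf, -1);
    }
  } else if (DNS_RR_AN == rr
         && (DNS_Type_A == ntohs(a->type) || DNS_Type_AAAA == ntohs(a->type))
         && str_endswith(namebuf, "\\x05local")) {
    /* we're looking for ".local" addresses; which may identify the machine */
    char ipbuf[64];
    const char *addrtype = dns_rr_src_addr(f, ipbuf, sizeof ipbuf);
    /* the TXT branch already skipped non-IP frames; this branch used to
     * hand a NULL addrtype and an uninitialized ipbuf to rep_hint/rep_addr */
    if (addrtype) {
      char localname[64];
      /* first byte of the wire-format name is the length of its first label */
      size_t lablen = (unsigned char)name[0];
      if ('\0' != namebuf[0]) {
        rep_hint(addrtype, ipbuf, "DNS.LOCAL", namebuf, -1);
      }
      if (lablen > 0 && lablen < sizeof localname && lablen < namelen) {
        memcpy(localname, name+1, lablen);
        localname[lablen] = '\0';
      } else {
        /* malformed or empty first label: bounded copy of what follows the
         * length byte, never past the parsed name */
        size_t n = namelen - 1;
        if (n > sizeof localname - 1)
          n = sizeof localname - 1;
        memcpy(localname, name+1, n);
        localname[n] = '\0';
      }
      rep_addr(addrtype, ipbuf, "D", localname, "DNS.LOCAL", 1);
    }
  }
#endif
  return (size_t)bytes;
}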
/*
 * Intended to report hints from a BOOTP frame (see the disabled rep_hint
 * call below); currently a no-op.  The parameters are consumed only to
 * keep the signature stable for callers.
 */
static void do_rep_txt(const parse_status *st, const parse_frame *f, const char *buf, size_t len)
{
  (void)st;
  (void)f;
  (void)buf;
  (void)len;
#if 0
  rep_hint("M", macbuf, "BOOTP.VendorClass", (char *)o + sizeof *o, o->len);
#endif
}