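/*
 * Report the OS / browser version pair and the host comment carried by a
 * browser host-announcement, keyed by the source IPv4 address of the frame
 * four slots below f on the parse stack.
 *
 * buf/len: the announcement bytes and how many of them are valid.
 * f:       the frame holding the announcement; f-4 is expected to be IPv4
 *          (it may also be LLC or something else, in which case nothing is
 *          reported).
 */
static void rep_host(char *buf, size_t len, const parse_frame *f) {
#ifndef TEST
  const struct browse_hostann *h = (struct browse_hostann *)buf;
  const parse_frame *fi = f - 4; /* was: st->frame+st->frames-3 */
  const char *hc = (const char *)h->host_comment;
  size_t hc_off = (size_t)(hc - buf);
  char ipbuf[48];
  char val[256];

  /*
   * NOTE(review): assumes the version fields precede host_comment, so a
   * buffer that reaches host_comment's offset holds all of them — confirm
   * against struct browse_hostann.
   */
  if (hc_off > len) {
    return;
  }
  if (PROT_IPv4 != fi->id) { /* NOTE: may also be LLC or something else */
    return;
  }
  {
    const ipv4 *ip = fi->off;
    (void)ipv4_addr_format(ipbuf, sizeof ipbuf, ip->src);
  }

  snprintf(val, sizeof val, "%u.%u", h->os_maj, h->os_min);
  rep_hint("4", ipbuf, "BROWSE.OS", val, -1);
  snprintf(val, sizeof val, "%u.%u", h->browser_maj, h->browser_min);
  rep_hint("4", ipbuf, "BROWSE.Browser", val, -1);

  /*
   * host_comment need not be NUL-terminated inside the packet, so the scan is
   * bounded by the bytes left after its offset into buf. The old bound was
   * len - (buf - host_comment): a negative offset subtracted from len, which
   * made the limit larger than the buffer instead of smaller.
   */
  if (hc_off < len && '\0' != hc[0]) {
    size_t max_hc_buf = len - hc_off;
    dump_chars_buf2(val, sizeof val, (char *)h->host_comment,
        strlen_bound((char *)h->host_comment, max_hc_buf));
    rep_hint("4", ipbuf, "BROWSE.Comment", val, -1);
  }
  /* the former "else if ('\0' != h->host_comment[0])" branch could never run */
#endif
}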
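/*
 * Report RTSP hints (DESCRIBE URL, User-Agent, Server) keyed by the source
 * IPv4 address of the frame two slots below the top of the parse stack.
 *
 * st: parse stack; st->frame[st->frames-2] is expected to be IPv4.
 * f:  the RTSP frame; f->pass is the parsed rtsp message.
 */
static void report(const parse_status *st, const parse_frame *f) {
  char ipbuf[48];
  const rtsp *r = f->pass;
  const http_req *req = &r->h.data.req;
  const http_headers *h = &req->headers;
  const parse_frame *fi;
  const ipv4 *ip;
  unsigned i;

  /* need [IPv4][TCP] beneath us; fi would point before the array otherwise */
  if (st->frames < 2) {
    return;
  }
  fi = st->frame + st->frames - 2;
  assert(PROT_IPv4 == fi->id);
  /* with NDEBUG the assert is gone; never reinterpret a non-IPv4 frame as ipv4 */
  if (PROT_IPv4 != fi->id) {
    return;
  }
  ip = fi->off;
  (void)ipv4_addr_format(ipbuf, sizeof ipbuf, ip->src);

  /* the "DESCRIBE" method carries an RTSP URL; record it for later */
  if (8 == req->meth.len && 0 == strncasecmp(req->meth.start, "DESCRIBE", 8)) {
    rep_hint("4", ipbuf, "RTSP.URL", req->uri.start, req->uri.len);
  }

  for (i = 0; i < h->cnt; i++) {
    const struct head_kv *kv = h->h + i;
    /* a header with no name or no value has nothing to report */
    if (0 == kv->key.len || 0 == kv->val.cnt) {
      continue;
    }
    if (10 == kv->key.len && 0 == strncasecmp(kv->key.start, "USER-AGENT", 10)) {
      rep_hint("4", ipbuf, "RTSP.User-Agent", kv->val.p[0].start, kv->val.p[0].len);
    } else if (6 == kv->key.len && 0 == strncasecmp(kv->key.start, "SERVER", 6)) {
      rep_hint("4", ipbuf, "RTSP.Server", kv->val.p[0].start, kv->val.p[0].len);
    }
  }
}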
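/*
 * Print a parsed TiVoConnect beacon to 'out' and report its 'platform'
 * value as a hint keyed by the source IPv4 address two frames below f.
 *
 * f:       the TiVoConnect frame; f->off is the raw bytes, f->pass the
 *          parsed key/value list.
 * options: unused here.
 * out:     destination stream.
 * Returns the number of bytes written (failed writes count as 0).
 */
size_t dump(const parse_frame *f, int options, FILE *out) {
  const tivoconn *t = (tivoconn *)f->off;
  const tivoconn_kv *kv = f->pass;
  /* NOTE(review): the version byte sits at a fixed offset past the
   * "tivoconnect" tag; assumes the parser already checked f->len covers it */
  const char *ver = (char *)f->off + sizeof t->tivoconnect + 1;
  int bytes = 0;
  int n;
  unsigned i;

  (void)options;

  n = fprintf(out, "%s ver=%c\n", Iface_TiVoConn.shortname, *ver);
  if (n > 0) {
    bytes = n;
  }
  /* yes, start at one: item[0] is the TiVoConn header itself */
  for (i = 1; i < kv->cnt; i++) {
    /* %.*s takes an int precision; cast so wider length types are not UB */
    n = fprintf(out, " %-8.*s %.*s\n",
        (int)kv->item[i].keystr.len, kv->item[i].keystr.start,
        (int)kv->item[i].val.len, kv->item[i].val.start);
    if (n > 0) {
      bytes += n;
    }
    if (Key_Platform == i) {
      char ipbuf[48];
      const parse_frame *fi = f - 2;
      assert(PROT_IPv4 == fi->id);
      /* with NDEBUG the assert is gone; don't treat a non-IPv4 frame as ipv4 */
      if (PROT_IPv4 == fi->id) {
        const ipv4 *ip = fi->off;
        (void)ipv4_addr_format(ipbuf, sizeof ipbuf, ip->src);
        rep_hint("4", ipbuf, "TivoConn.Platform", kv->item[i].val.start, kv->item[i].val.len);
      }
    }
  }
  return (size_t)bytes;
}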
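/*
 * Report the Gnutella User-Agent header as a hint keyed by the source IPv4
 * address two slots below the top of the parse stack. When that slot is not
 * IPv4 the parse stack is printed to stdout instead, as a diagnostic.
 *
 * st: parse stack.
 * f:  the Gnutella frame; f->pass is the parsed message.
 */
static void report(const parse_status *st, const parse_frame *f) {
  char ipbuf[48];
  const gnutella *g = f->pass;
  const http_req *r = &g->h.data.req;
  const http_headers *h = &r->headers;
  const parse_frame *fi;
  unsigned i;

  /* need [IPv4][TCP] beneath us; fi would point before the array otherwise */
  if (st->frames < 2) {
    return;
  }
  fi = st->frame + st->frames - 2;
  if (PROT_IPv4 == fi->id) {
    const ipv4 *ip = fi->off;
    (void)ipv4_addr_format(ipbuf, sizeof ipbuf, ip->src);
    for (i = 0; i < h->cnt; i++) {
      const struct head_kv *kv = h->h + i;
      /* a header with no value would index val.p[0] past its end */
      if (0 == kv->val.cnt) {
        continue;
      }
      if (10 == kv->key.len && 0 == strncasecmp(kv->key.start, "User-Agent", 10)) {
        rep_hint("4", ipbuf, "Gnutella.User-Agent", kv->val.p[0].start, kv->val.p[0].len);
      }
    }
  } else {
    /* the outer 'i' is reused; the old inner declaration shadowed it */
    printf("%s:%s:expected PROT_IPv4(%u) but got (%u)! st->frames(%u):",
        __FILE__, __func__, PROT_IPv4, fi->id, st->frames);
    for (i = 0; i < st->frames; i++) {
      printf(" (#%u:%u)", i, st->frame[i].id);
    }
    fputc('\n', stdout);
  }
}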
/**
 * given a SYN (not SYN+ACK) TCP packet, generate a p0f-style
 * fingerprint and report it
 *
 * st:     parse stack; the top frame is expected to be the IPv4 header
 *         carrying this segment (nothing is reported otherwise)
 * t:      the TCP header
 * tcplen: bytes available at t
 */
void tcp_rep_syn(const parse_status *st, const tcp *t, size_t tcplen) {
#ifndef TEST
  const parse_frame *top = st->frame + st->frames - 1;
  const ipv4 *ip;
  char fpbuf[256], ipbuf[48];
  int wildcard_mss;

  if (PROT_IPv4 != top->id) {
    return;
  }
  ip = top->off;
  (void)ipv4_addr_format(ipbuf, sizeof ipbuf, ip->src);

  /* two fingerprints: first with the literal MSS value, then with MSS as "*" */
  for (wildcard_mss = 0; wildcard_mss <= 1; wildcard_mss++) {
    size_t fplen = p0f2str(fpbuf, sizeof fpbuf, t, tcplen, ip, top->len, wildcard_mss);
    if (fplen) {
      rep_hint("4", ipbuf, "TCP.SYN.Fingerprint", fpbuf, fplen);
    }
  }
#endif
}
/**
 * report the connection between the MAC address and the 'Platform' hint
 *
 * pf:   the CDP frame; pf[-1] must be LLC and pf[-2] the 802.3 frame whose
 *       source MAC the hint is keyed on
 * data: the platform string, len bytes long
 */
static void do_rep_platform(const parse_frame *pf, const char *data, size_t len) {
  const parse_frame *llc = pf - 1;
  const parse_frame *eth = pf - 2;

  /* llc->id is tested first so eth is only read when LLC is really there */
  if (PROT_LLC != llc->id || PROT_IEEE802_3 != eth->id) {
    assert(0 && "Where is CDP's ethernet?!");
    return;
  }
  {
    char macbuf[32];
    const ethernet2_frame *e = eth->off;
    (void)ieee802_3_addr_format(macbuf, sizeof macbuf, &e->src);
    rep_hint("M", macbuf, "CDP.Platform", data, len);
  }
}
/**
 * @note called in context of 'parse', so parse stack
 *
 * Build an ICMP echo fingerprint from the echo header and the IPv4 header on
 * top of the parse stack, log it, and report it as a hint keyed by the IPv4
 * source address. Nothing happens when the top frame is not IPv4.
 *
 * i:   the ICMP message
 * len: bytes available at i
 * st:  parse stack
 */
void report_echo_fingerprint(const icmp *i, size_t len, const parse_status *st) {
  const parse_frame *top = &st->frame[st->frames - 1];
  const ipv4 *ip;
  char fbuf[1500 * 4 + 1], ipbuf[48];

  if (PROT_IPv4 != top->id) {
    return;
  }
  ip = top->off;
  {
    /* positional initializer: the order comes from echo_fingerprint's definition.
     * NOTE(review): assumes len covers the echo header, otherwise the payload
     * length wraps — verify against the caller */
    echo_fingerprint fp = {
      i->head.type,
      ttl_normalize(ip->ttl),
      !ip->id,
      !!ip->flag.dontfrag,
      len - (i->data.echo.payload - (u8 *)i),
      i->data.echo.payload
    };
    (void)ipv4_addr_format(ipbuf, sizeof ipbuf, ip->src);
    fprint2str(fbuf, sizeof fbuf, &fp);
    DEBUGF(__FILE__, __LINE__, "ICMP.Echo.Fingerprint %s\n", fbuf);
    rep_hint("4", ipbuf, "ICMP.Echo.Fingerprint", fbuf, -1);
  }
}
/*
 * report IP/User-Agent combo
 *
 * r:  the parsed HTTP request
 * st: parse stack, assumed to be [IPv4][TCP][HTTP] so the IPv4 header is
 *     two slots below the top
 *
 * TODO: add support for IPv6
 */
static void do_req_rep(const http_req *r, const parse_status *st) {
#ifndef TEST
  const struct head_kv *ua_hdr;
  const ptrlen *ua;
  const parse_frame *ipframe;
  const ipv4 *ip;
  char ipbuf[48];

  if (st->frames < 2) {
    return;
  }
  ua_hdr = http_header_find_key(&r->headers, "User-Agent");
  if (!ua_hdr) {
    return;
  }
  ua = ua_hdr->val.p;
  /* TODO: this IP/foo hint reporting is ugly and common, abstract it */
  ipframe = st->frame + st->frames - 2;
  if (PROT_IPv4 != ipframe->id) {
    return;
  }
  ip = ipframe->off;
  (void)ipv4_addr_format(ipbuf, sizeof ipbuf, ip->src);
  rep_hint("4", ipbuf, "HTTP.User-Agent", ua->start, ua->len);
#endif
}
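/*
 * Report RASADV "Hostname" (as an address record) and "Domain" (as a hint)
 * keyed by the source IPv4 address two slots below the top of the parse stack.
 *
 * f:  the RASADV frame; f->pass is the parsed key/value list.
 * st: parse stack, expected to hold at least [IPv4][UDP][RASADV].
 */
static void report(const parse_frame *f, const parse_status *st) {
#ifndef TEST
  char ipbuf[48];
  const parse_frame *fi;
  const ipv4 *ip;
  const struct kv_list *l = f->pass;
  unsigned i;

  if (st->frames < 3) {
    return;
  }
  fi = st->frame + st->frames - 2;
  assert(PROT_IPv4 == fi->id);
  /* with NDEBUG the assert is gone; never reinterpret a non-IPv4 frame as ipv4 */
  if (PROT_IPv4 != fi->id) {
    return;
  }
  ip = fi->off;
  (void)ipv4_addr_format(ipbuf, sizeof ipbuf, ip->src);

  for (i = 0; i < l->cnt; i++) {
    if (8 == l->kv[i].key.len && 0 == memcmp("Hostname", l->kv[i].key.start, 8)) {
      /* NOTE(review): val.start is passed with no length, so rep_addr must
       * expect a NUL-terminated value — confirm the parser guarantees that */
      rep_addr("4", ipbuf, "RAS", l->kv[i].val.start, Iface_RASADV.shortname, 1);
    } else if (6 == l->kv[i].key.len && 0 == memcmp("Domain", l->kv[i].key.start, 6)) {
      rep_hint("4", ipbuf, "RAS.Domain", l->kv[i].val.start, l->kv[i].val.len);
    }
  }
#endif
}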
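#ifndef TEST
/*
 * Resolve the address family and source address of the frame two slots
 * below 'f' on the parse stack (the IP header carrying this DNS message).
 *
 * ipbuf/ipbuflen: receives the formatted source address.
 * Returns "4" for IPv4, "6" for IPv6, or NULL (ipbuf untouched) otherwise.
 */
static const char *dns_rr_src_addr(const parse_frame *f, char *ipbuf, size_t ipbuflen) {
  const parse_frame *fi = f - 2;
  if (PROT_IPv4 == fi->id) {
    const ipv4 *i = fi->off;
    ipv4_addr_format(ipbuf, ipbuflen, i->src);
    return "4";
  }
  if (PROT_IPv6 == fi->id) {
    const ipv6 *i = fi->off;
    ipv6_addr_format(ipbuf, ipbuflen, i->src);
    return "6";
  }
  return NULL;
}
#endif

/*
 * Print one DNS resource record to 'out' and, outside TEST builds, report
 * interesting answer records (TXT contents and ".local" A/AAAA names) as
 * hints keyed by the source address of the enclosing IP frame.
 *
 * rr:      which RR section the record belongs to.
 * f:       the DNS frame; f-2 is expected to be the IPv4 or IPv6 header.
 * buf/len: the record bytes (name, fixed answer header, then rdata) and how
 *          many of them are valid.
 * out:     destination stream.
 * Returns the number of bytes written, or 0 when the record does not fit in
 * buf (nothing is printed or reported for a truncated record).
 */
static size_t dump_rr(enum DNS_RR rr, const parse_frame *f, const char *buf, size_t len, FILE *out) {
  char namebuf[256], targetbuf[256];
  const char *name = buf;
  size_t namelen = dns_calc_len_name(name, len);
  const dns_answer *a;
  const char *rdata;
  size_t rdlen;
  int bytes;

  /*
   * Bounds: the name must be non-empty and, together with the fixed answer
   * header and the rdata it announces, fit inside len. Otherwise namelen - 1
   * below wraps and addrformat()/strip_c0() read past buf.
   */
  if (0 == namelen || namelen > len || len - namelen < sizeof *a) {
    return 0;
  }
  a = (const dns_answer *)(buf + namelen);
  rdata = (const char *)a + sizeof *a;
  rdlen = ntohs(a->rrlen);
  if (rdlen > len - namelen - sizeof *a) {
    return 0;
  }

  /* namelen - 1 drops the terminating root label from the printed name */
  (void)dump_chars_buf(namebuf, sizeof namebuf, name, namelen - 1);
  /* NOTE(review): class_ is printed and passed to class2str() without ntohs(),
   * unlike type/ttl/rrlen — confirm whether the parser already converted it */
  bytes = fprintf(out, " %s name=%s type=%hu(%s) class=%hu(%s) ttl=%ld target=%s\n",
      RR[rr].name, namebuf,
      ntohs(a->type), type2str(ntohs(a->type)),
      a->class_, class2str(a->class_),
      (long)ntohl(a->ttl),
      addrformat(ntohs(a->type), targetbuf, sizeof targetbuf, (char *)rdata, ntohs(a->rrlen)));
  if (bytes < 0) {
    bytes = 0;
  }
#ifndef TEST
  /* TODO: split this block off to another function */
  if (DNS_RR_AN == rr && DNS_Type_TXT == ntohs(a->type)) {
    /* a TXT answer: supplemental information that can contain interesting stuff */
    char ipbuf[64];
    const char *addrtype = dns_rr_src_addr(f, ipbuf, sizeof ipbuf);
    if (addrtype) {
      /* NOTE(review): strip_c0() is handed namebuf (the escaped copy) while the
       * bytes dumped come from name; the target call below passes the same
       * pointer to both — confirm which is intended */
      (void)dump_chars_buf(namebuf, sizeof namebuf, name, strip_c0(namebuf, namelen));
      (void)dump_chars_buf(targetbuf, sizeof targetbuf, (char *)rdata, strip_c0((char *)rdata, rdlen));
      if ('\0' != namebuf[0]) {
        rep_hint(addrtype, ipbuf, "DNS.TXT", namebuf, -1);
      }
      if ('\0' != targetbuf[0]) {
        rep_hint(addrtype, ipbuf, "DNS.TXT", targetbuf, -1);
      }
    }
  } else if (DNS_RR_AN == rr
          && (DNS_Type_A == ntohs(a->type) || DNS_Type_AAAA == ntohs(a->type))
          && str_endswith(namebuf, "\\x05local")) {
    /* a ".local" address, which may identify the machine */
    char ipbuf[64];
    const char *addrtype = dns_rr_src_addr(f, ipbuf, sizeof ipbuf);
    /* previously a NULL addrtype (neither IPv4 nor IPv6 beneath us) and an
     * uninitialised ipbuf were still handed to rep_hint()/rep_addr() */
    if (addrtype) {
      char localname[64];
      (void)dump_chars_buf(namebuf, sizeof namebuf, name, namelen - 1);
      if ('\0' != namebuf[0]) {
        rep_hint(addrtype, ipbuf, "DNS.LOCAL", namebuf, -1);
      }
      /* first byte of the wire name is the length of its first label */
      if (name[0] > 0 && (unsigned)name[0] < sizeof localname) {
        strlcpy(localname, name + 1, (size_t)name[0] + 1);
        localname[(unsigned)name[0]] = '\0';
      } else {
        strlcpy(localname, name + 1, sizeof localname);
      }
      rep_addr(addrtype, ipbuf, "D", localname, "DNS.LOCAL", 1);
    }
  }
#endif
  return (size_t)bytes;
}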
/*
 * Placeholder for reporting the BOOTP vendor class; currently a no-op.
 * The parameters are accepted so the call site can stay as it is.
 */
static void do_rep_txt(const parse_status *st, const parse_frame *f, const char *buf, size_t len) {
  (void)st;
  (void)f;
  (void)buf;
  (void)len;
  /* the intended report, kept for reference until the MAC lookup exists */
#if 0
  rep_hint("M", macbuf, "BOOTP.VendorClass", (char *)o + sizeof *o, o->len);
#endif
}