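/*
 * Advance the per-connection SMTP state machine over one chunk of
 * client-to-server data.
 *
 * Outside of SMTP_DATA the chunk is consumed one CRLF-terminated command at
 * a time (RSET, HELO/EHLO, MAIL/SEND/SAML, RCPT, DATA).  Once in SMTP_DATA
 * the body is taken up to the "\r\n.\r\n" terminator, matched against the
 * configured regex and, on a match, printed through print_mbox_msg().
 *
 * Returns the number of bytes of `data` that were consumed; bytes belonging
 * to an incomplete line or an unterminated body are left for the next call.
 */
static int process_smtp_client(struct smtp_info *smtp, char *data, int len)
{
    struct buf *line, *body, buf;
    char *p;
    int i;

    buf_init(&buf, data, len);

    if (smtp->state != SMTP_DATA) {
        while ((i = buf_index(&buf, "\r\n", 2)) >= 0) {
            line = buf_tok(&buf, NULL, i + 2);
            /* The token includes the CRLF; overwrite the '\n' to terminate. */
            line->base[line->end - 1] = '\0';
            p = buf_ptr(line);

            if (strncasecmp(p, "RSET", 4) == 0) {
                smtp->state = SMTP_HELO;
            } else if (smtp->state == SMTP_NONE &&
                       (strncasecmp(p, "HELO", 4) == 0 ||
                        strncasecmp(p, "EHLO", 4) == 0)) {
                smtp->state = SMTP_HELO;
            } else if (smtp->state == SMTP_HELO &&
                       (strncasecmp(p, "MAIL ", 5) == 0 ||
                        strncasecmp(p, "SEND ", 5) == 0 ||
                        strncasecmp(p, "SAML ", 5) == 0)) {
                /*
                 * A sender recorded by an earlier MAIL that was abandoned
                 * with RSET is still held here; release it before storing
                 * the new one, otherwise a peer repeating MAIL/RSET leaks
                 * one allocation per round.
                 * NOTE(review): relies on smtp->from being NULL whenever no
                 * address is held (it is reset to NULL below after each
                 * message) - confirm the allocation site initialises it.
                 */
                free(smtp->from);
                smtp->from = grep_mail_address(p);
                smtp->state = SMTP_MAIL;
            } else if (smtp->state == SMTP_MAIL &&
                       strncasecmp(p, "RCPT ", 5) == 0) {
                smtp->state = SMTP_RCPT;
            } else if (smtp->state == SMTP_RCPT &&
                       strncasecmp(p, "DATA", 4) == 0) {
                smtp->state = SMTP_DATA;
                /* Whatever follows in this chunk is message body. */
                break;
            }
        }
    }

    if (smtp->state == SMTP_DATA) {
        if ((i = buf_index(&buf, "\r\n.\r\n", 5)) >= 0) {
            body = buf_tok(&buf, NULL, i);
            buf_skip(&buf, 5);
            /* Terminates the body on the first byte of the end marker. */
            body->base[body->end] = '\0';

            if (regex_match(buf_ptr(body)))
                print_mbox_msg(smtp->from, buf_ptr(body));

            if (smtp->from) {
                free(smtp->from);
                smtp->from = NULL;
            }
            smtp->state = SMTP_HELO;
        }
    }
    return (len - buf_len(&buf));
}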
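/*
 * Copy the authentication data of a VRRP packet that uses
 * VRRP_AUTH_SIMPLE into `obuf`, followed by a newline.
 *
 * Returns the number of bytes written to `obuf`, or 0 when the packet is
 * shorter than the header, uses another authentication type, or is too
 * short to contain the authentication field.
 */
int decode_vrrp(u_char *buf, int len, u_char *obuf, int olen)
{
    struct buf *b, inbuf, outbuf;
    struct vrrp_header *vrrp;

    buf_init(&inbuf, buf, len);
    buf_init(&outbuf, obuf, olen);

    vrrp = (struct vrrp_header *)buf_ptr(&inbuf);

    /* Nothing in the header is read before this length check. */
    if (buf_len(&inbuf) < sizeof(*vrrp))
        return (0);

    /* We only care about VRRP_AUTH_SIMPLE */
    if (ntohs(vrrp->vr_auth) != VRRP_AUTH_SIMPLE)
        return (0);

    /* XXX - probably want to verify checksum */

    /*
     * Forward to Authentication Data.  vr_naddr comes from the packet, so
     * the computed offset can point past the captured bytes; a failed skip
     * must end decoding, otherwise the token below would be taken from
     * wherever the cursor was left (presumably the start of the header)
     * and reported as authentication data.
     */
    if (buf_skip(&inbuf, sizeof(*vrrp) + 8 + (vrrp->vr_naddr * 4)) < 0)
        return (0);

    if ((b = buf_tok(&inbuf, NULL, VRRP_AUTH_DATA_LEN)) == NULL)
        return (0);

    buf_put(&outbuf, buf_ptr(b), buf_len(b));
    buf_put(&outbuf, "\n", 1);
    buf_end(&outbuf);

    return (buf_len(&outbuf));
}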
/*
 * Scan IMAP client traffic for LOGIN commands.
 *
 * Each CRLF-terminated line has its leading word (up to and including the
 * first space) dropped; if what remains starts with "LOGIN " it is appended
 * to `obuf` followed by a newline.  Lines without a space are ignored.
 *
 * Returns the number of bytes written to `obuf`.
 */
int decode_imap(u_char *buf, int len, u_char *obuf, int olen)
{
    struct buf in, out, *cmd;
    int eol, sp;

    buf_init(&in, buf, len);
    buf_init(&out, obuf, olen);

    for (;;) {
        eol = buf_index(&in, "\r\n", 2);
        if (eol == -1)
            break;

        /* Take the line without its CRLF, then step over the CRLF. */
        cmd = buf_tok(&in, NULL, eol);
        buf_skip(&in, 2);

        sp = buf_index(cmd, " ", 1);
        if (sp == -1)
            continue;

        /* Drop the first word and the space that follows it. */
        buf_skip(cmd, sp + 1);

        if (buf_cmp(cmd, "LOGIN ", 6) != 0)
            continue;

        buf_putf(&out, "%.*s\n", buf_len(cmd), buf_ptr(cmd));
    }

    buf_end(&out);

    return (buf_len(&out));
}
/*
 * Handle one chunk of server-to-client POP traffic.
 *
 * POP_NONE: no retrieval is pending, the whole chunk is reported consumed.
 * POP_RETR: the status line is read; "+OK" moves to POP_DATA, anything else
 *           falls back to POP_NONE.  Without a complete status line nothing
 *           is consumed.
 * POP_DATA: once the "\r\n.\r\n" terminator is present, the message is
 *           matched against the regex and printed on a match, and the state
 *           returns to POP_NONE.
 *
 * Returns the number of bytes of `data` consumed.
 */
static int process_pop_server(struct pop_info *pop, char *data, int len)
{
    struct buf stream, *status, *msg;
    int pos;

    buf_init(&stream, data, len);

    if (pop->state == POP_NONE)
        return (len);

    if (pop->state == POP_RETR) {
        pos = buf_index(&stream, "\r\n", 2);
        if (pos < 0)
            return (0);

        status = buf_tok(&stream, NULL, pos + 2);
        pop->state = (buf_cmp(status, "+OK", 3) == 0) ? POP_DATA : POP_NONE;
    }

    if (pop->state != POP_DATA)
        return (len - buf_len(&stream));

    pos = buf_index(&stream, "\r\n.\r\n", 5);
    if (pos >= 0) {
        msg = buf_tok(&stream, NULL, pos);
        buf_skip(&stream, 5);
        /* The NUL lands on the first byte of the end-of-message marker. */
        msg->base[msg->end] = '\0';

        if (regex_match(buf_ptr(msg)))
            print_mbox_msg(NULL, buf_ptr(msg));

        pop->state = POP_NONE;
    }

    return (len - buf_len(&stream));
}
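/*
 * Track client-to-server POP commands.
 *
 * Every complete CRLF-terminated line updates the state: a line starting
 * with "RETR " (case-insensitive) selects POP_RETR, any other line selects
 * POP_NONE.
 *
 * Returns the number of bytes of `data` consumed; an incomplete trailing
 * line is left for the next call.
 */
static int process_pop_client(struct pop_info *pop, char *data, int len)
{
    struct buf *line, buf;
    int i;

    buf_init(&buf, data, len);

    while ((i = buf_index(&buf, "\r\n", 2)) >= 0) {
        line = buf_tok(&buf, NULL, i + 2);
        /*
         * The token spans the command and its CRLF, so base[end] is the
         * byte after the '\n': either the first character of the next
         * command (which would then fail to match) or, for the last line
         * in the chunk, one byte past `data`.  Terminate on the '\n'
         * instead, the same way process_smtp_client() does.
         */
        line->base[line->end - 1] = '\0';

        if (strncasecmp(buf_ptr(line), "RETR ", 5) == 0) {
            pop->state = POP_RETR;
        } else {
            pop->state = POP_NONE;
        }
    }
    return (len - buf_len(&buf));
}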
/*
 * Collect FTP USER, ACCT and PASS commands from a client stream.
 *
 * Telnet options are stripped first and non-ASCII input is rejected.  Each
 * newline-terminated line (an optional trailing '\r' is removed) that
 * starts with one of the three commands is appended to `obuf` followed by
 * a newline.
 *
 * Returns the number of bytes written to `obuf`, or 0 when the input is
 * empty after option stripping, is not ASCII, or fewer than two matching
 * commands were seen.
 */
int decode_ftp(u_char *buf, int len, u_char *obuf, int olen)
{
    struct buf in, out, *cmd;
    int nl, wanted, hits = 0;

    len = strip_telopts(buf, len);
    if (len == 0)
        return (0);

    buf_init(&in, buf, len);
    buf_init(&out, obuf, olen);

    if (!buf_isascii(&in))
        return (0);

    for (;;) {
        nl = buf_index(&in, "\n", 1);
        if (nl == -1)
            break;

        cmd = buf_tok(&in, NULL, nl);
        buf_skip(&in, 1);

        /* Trim the '\r' of a CRLF ending, then terminate in place. */
        if (nl > 0 && cmd->base[nl - 1] == '\r')
            cmd->end--;
        cmd->base[cmd->end] = '\0';

        wanted = strncasecmp(buf_ptr(cmd), "USER ", 5) == 0 ||
                 strncasecmp(buf_ptr(cmd), "ACCT ", 5) == 0 ||
                 strncasecmp(buf_ptr(cmd), "PASS ", 5) == 0;
        if (!wanted)
            continue;

        buf_putf(&out, "%s\n", buf_ptr(cmd));
        hits++;
    }

    /* A single matching command is not reported. */
    if (hits < 2)
        return (0);

    buf_end(&out);

    return (buf_len(&out));
}
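/*
 * Parse HTTP requests out of a client stream and print one log line per
 * GET, POST or CONNECT request whose header block matches the configured
 * regex.
 *
 * Each header block (terminated by an empty line) is split into lines with
 * strtok().  The user name of a Basic Authorization header, Host, Referer
 * and User-Agent are picked up; missing values are replaced by fixed
 * placeholders.  A Content-length header makes the declared number of body
 * bytes get consumed from the stream.
 *
 * All printed fields come from captured traffic and are written as-is:
 * quotes and other characters are not escaped, so consumers of this log
 * should not trust the field boundaries.
 *
 * Returns the number of bytes of `data` consumed.
 */
int process_http_request(struct tuple4 *addr, u_char *data, int len)
{
    struct buf *msg, buf;
    char *p, *req, *uri, *user, *vhost, *referer, *agent;
    int i;

    buf_init(&buf, data, len);

    while ((i = buf_index(&buf, "\r\n\r\n", 4)) >= 0) {
        msg = buf_tok(&buf, NULL, i);
        /* Terminates the header block on the first byte of "\r\n\r\n". */
        msg->base[msg->end] = '\0';
        buf_skip(&buf, 4);

        if (!regex_match(buf_ptr(msg)))
            continue;

        if ((req = strtok(buf_ptr(msg), "\r\n")) == NULL)
            continue;

        if (strncmp(req, "GET ", 4) != 0 &&
            strncmp(req, "POST ", 5) != 0 &&
            strncmp(req, "CONNECT ", 8) != 0)
            continue;

        /* Split "METHOD URI ..." so req is the method and uri the rest. */
        if ((uri = strchr(req, ' ')) == NULL)
            continue;

        *uri++ = '\0';

        user = vhost = referer = agent = NULL;

        while ((p = strtok(NULL, "\r\n")) != NULL) {
            if (strncasecmp(p, "Authorization: Basic ", 21) == 0) {
                p += 21;
                /* Decoded in place over the encoded text. */
                i = base64_pton(p, p, strlen(p));
                /*
                 * A negative length would put the terminator in front of
                 * the value.  NOTE(review): base64_pton is assumed to
                 * report malformed input with a negative return - confirm.
                 */
                if (i < 0)
                    continue;
                p[i] = '\0';
                user = p;
                /* Keep only the part before ':'; the password is cut off. */
                if ((p = strchr(p, ':')) != NULL)
                    *p = '\0';
            } else if (strncasecmp(p, "Host: ", 6) == 0) {
                vhost = p + 6;
            } else if (strncasecmp(p, "Referer: ", 9) == 0) {
                referer = p + 9;
            } else if (strncasecmp(p, "User-Agent: ", 12) == 0) {
                agent = p + 12;
            } else if (strncasecmp(p, "Content-length: ", 16) == 0) {
                i = atoi(p + 16);
                /*
                 * The length is peer-supplied; never hand a negative count
                 * to the tokenizer.  buf_tok(NULL, ...) presumably
                 * continues on the buffer passed to it last - confirm.
                 */
                if (i >= 0)
                    buf_tok(NULL, NULL, i);
            }
        }
        if (user == NULL)
            user = "******";
        if (vhost == NULL)
            vhost = "none"; /* was: libnet_host_lookup(addr->daddr, Opt_dns) */
        if (referer == NULL)
            referer = "-";
        if (agent == NULL)
            agent = "-";

        printf("%s - %s [%s] \"%s http://%s%s\" - - \"%s\" \"%s\"\n",
               /* "0.0.0.0", */
               libnet_addr2name4(addr->saddr, Opt_dns),
               user, timestamp(), req, vhost, uri, referer, agent);
    }
    fflush(stdout);

    return (len - buf_len(&buf));
}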
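/*
 * Decode AIM sign-on data from a client stream.
 *
 * An optional "FLAPON\r\n\r\n" preamble is skipped, then the stream is
 * walked one FLAP frame at a time.  Two kinds of frame produce output:
 *   - a "toc_signon " command: the command text up to the fifth field is
 *     written, followed by that field hex-decoded and XORed with aim_xor1,
 *     in square brackets;
 *   - a channel 0x01 frame starting with 00 00 00 01: two length-prefixed
 *     strings are written on separate lines, the second XORed with
 *     aim_xor2.  Decoding stops after the first such frame.
 *
 * The input buffer is modified in place (length fields, terminators and
 * the decoded strings).  Returns the number of bytes written to `obuf`.
 */
int decode_aim(u_char *buf, int len, u_char *obuf, int olen)
{
    struct buf *msg, inbuf, outbuf;
    struct flap *flap;
    u_char c, *p;
    int i, j;

    buf_init(&inbuf, buf, len);
    buf_init(&outbuf, obuf, olen);

    if (buf_cmp(&inbuf, "FLAPON\r\n\r\n", 10) == 0)
        buf_skip(&inbuf, 10);

    while (buf_len(&inbuf) > sizeof(*flap)) {
        flap = (struct flap *)buf_ptr(&inbuf);
        /* NOTE(review): converted in place, so decoding the same bytes a
         * second time would see a byte-swapped length. */
        flap->datalen = ntohs(flap->datalen);

        i = sizeof(*flap) + flap->datalen;

        /* A frame longer than the captured data ends the walk. */
        if ((msg = buf_tok(&inbuf, NULL, i)) == NULL)
            break;

        buf_skip(msg, sizeof(*flap));

        if (buf_cmp(msg, "toc_signon ", 11) == 0) {
            /* The last byte of the frame is sacrificed as terminator. */
            msg->base[msg->end - 1] = '\0';
            p = buf_ptr(msg);

            /*
             * Step over the first four space-separated words.  When a word
             * ends at the terminator rather than at a space the command
             * has too few fields; stepping past that terminator would move
             * p outside the string, so the frame is dropped instead.
             */
            for (i = 0; i < 4; i++) {
                if ((j = strcspn(p, " ")) > 0) {
                    if (p[j] != ' ')
                        break;
                    p += (j + 1);
                }
            }
            if (i < 4)
                continue;

            if (strtok(p, " ") == NULL)
                continue;

            buf_putf(&outbuf, "%s ", buf_ptr(msg));

            i = strlen(p);
            j = hex_decode(p, i, p, i);

            /* NOTE(review): the period 7 is hard-coded here, while the
             * other branch uses sizeof(aim_xor2). */
            for (i = 0; i < j; i++)
                p[i] = p[i] ^ aim_xor1[i % 7];
            p[i] = '\0';

            buf_putf(&outbuf, "[%s]\n", p);
        } else if (flap->start == 0x2a && flap->channel == 0x01 &&
                   buf_cmp(msg, "\x00\x00\x00\x01", 4) == 0) {
            /* A frame too short for the fixed prefix has nothing to read. */
            if (buf_skip(msg, 7) < 0)
                continue;

            /* Preset so that a read that yields nothing counts as length 0
             * instead of leaving c indeterminate. */
            c = 0;
            buf_get(msg, &c, 1);
            p = buf_ptr(msg);

            if (c == 0 || buf_skip(msg, c + 3) < 0)
                continue;

            p[c] = '\0';

            c = 0;
            buf_get(msg, &c, 1);

            /* One extra byte is needed for the terminator written below. */
            if (buf_len(msg) < c + 1)
                continue;

            buf_putf(&outbuf, "%s\n", p);

            p = buf_ptr(msg);

            for (i = 0; i < c; i++) {
                p[i] = p[i] ^ aim_xor2[i % sizeof(aim_xor2)];
            }
            p[i] = '\0';

            buf_putf(&outbuf, "%s\n", p);

            break;
        }
    }
    buf_end(&outbuf);

    return (buf_len(&outbuf));
}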