void ndpi_search_jabber_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct *packet = &flow->packet;
struct ndpi_id_struct *src = flow->src;
struct ndpi_id_struct *dst = flow->dst;
u_int16_t x;
NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct, NDPI_LOG_TRACE, "JABBER detection....\n");
/* search for jabber file transfer */
/* this part is working asymmetrically */
if (packet->tcp != NULL && packet->tcp->syn != 0 && packet->payload_packet_len == 0) {
NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct, NDPI_LOG_DEBUG, "check jabber syn\n");
if (src != NULL && src->jabber_file_transfer_port[0] != 0) {
NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct, NDPI_LOG_DEBUG,
"src jabber ft port set, ports are: %u, %u\n", ntohs(src->jabber_file_transfer_port[0]),
ntohs(src->jabber_file_transfer_port[1]));
if (((u_int32_t)
(packet->tick_timestamp - src->jabber_stun_or_ft_ts)) >= ndpi_struct->jabber_file_transfer_timeout) {
NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct,
NDPI_LOG_DEBUG, "JABBER src stun timeout %u %u\n", src->jabber_stun_or_ft_ts,
packet->tick_timestamp);
src->jabber_file_transfer_port[0] = 0;
src->jabber_file_transfer_port[1] = 0;
} else if (src->jabber_file_transfer_port[0] == packet->tcp->dest
|| src->jabber_file_transfer_port[0] == packet->tcp->source
|| src->jabber_file_transfer_port[1] == packet->tcp->dest
|| src->jabber_file_transfer_port[1] == packet->tcp->source) {
NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct, NDPI_LOG_DEBUG,
"found jabber file transfer.\n");
ndpi_int_jabber_add_connection(ndpi_struct, flow,
NDPI_PROTOCOL_UNENCRYPED_JABBER);
}
}
if (dst != NULL && dst->jabber_file_transfer_port[0] != 0) {
NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct, NDPI_LOG_DEBUG,
"dst jabber ft port set, ports are: %u, %u\n", ntohs(dst->jabber_file_transfer_port[0]),
ntohs(dst->jabber_file_transfer_port[1]));
if (((u_int32_t)
(packet->tick_timestamp - dst->jabber_stun_or_ft_ts)) >= ndpi_struct->jabber_file_transfer_timeout) {
NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct,
NDPI_LOG_DEBUG, "JABBER dst stun timeout %u %u\n", dst->jabber_stun_or_ft_ts,
packet->tick_timestamp);
dst->jabber_file_transfer_port[0] = 0;
dst->jabber_file_transfer_port[1] = 0;
} else if (dst->jabber_file_transfer_port[0] == packet->tcp->dest
|| dst->jabber_file_transfer_port[0] == packet->tcp->source
|| dst->jabber_file_transfer_port[1] == packet->tcp->dest
|| dst->jabber_file_transfer_port[1] == packet->tcp->source) {
NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct, NDPI_LOG_DEBUG,
"found jabber file transfer.\n");
ndpi_int_jabber_add_connection(ndpi_struct, flow,
NDPI_PROTOCOL_UNENCRYPED_JABBER);
}
}
return;
}
if (packet->tcp != 0 && packet->payload_packet_len == 0) {
return;
}
/* this part parses a packet and searches for port=. it works asymmetrically. */
if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNENCRYPED_JABBER) {
u_int16_t lastlen;
u_int16_t j_port = 0;
/* check for google jabber voip connections ... */
/* need big packet */
if (packet->payload_packet_len < 100) {
NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct, NDPI_LOG_DEBUG, "packet too small, return.\n");
return;
}
/* need message to or type for file-transfer */
if (memcmp(packet->payload, "<iq from=\"", 8) == 0 || memcmp(packet->payload, "<iq from=\'", 8) == 0) {
NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct, NDPI_LOG_DEBUG, "JABBER <iq from=\".\n");
lastlen = packet->payload_packet_len - 11;
for (x = 10; x < lastlen; x++) {
if (packet->payload[x] == 'p') {
if (memcmp(&packet->payload[x], "port=", 5) == 0) {
NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct, NDPI_LOG_DEBUG, "port=\n");
if (src != NULL) {
src->jabber_stun_or_ft_ts = packet->tick_timestamp;
}
if (dst != NULL) {
dst->jabber_stun_or_ft_ts = packet->tick_timestamp;
}
x += 6;
j_port = ntohs_ndpi_bytestream_to_number(&packet->payload[x], packet->payload_packet_len, &x);
NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct,
NDPI_LOG_DEBUG, "JABBER port : %u\n", ntohs(j_port));
if (src != NULL) {
if (src->jabber_file_transfer_port[0] == 0 || src->jabber_file_transfer_port[0] == j_port) {
NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct,
NDPI_LOG_DEBUG, "src->jabber_file_transfer_port[0] = j_port = %u;\n",
ntohs(j_port));
src->jabber_file_transfer_port[0] = j_port;
} else {
NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct,
NDPI_LOG_DEBUG, "src->jabber_file_transfer_port[1] = j_port = %u;\n",
ntohs(j_port));
src->jabber_file_transfer_port[1] = j_port;
}
}
if (dst != NULL) {
if (dst->jabber_file_transfer_port[0] == 0 || dst->jabber_file_transfer_port[0] == j_port) {
NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct,
NDPI_LOG_DEBUG, "dst->jabber_file_transfer_port[0] = j_port = %u;\n",
ntohs(j_port));
dst->jabber_file_transfer_port[0] = j_port;
} else {
NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct,
NDPI_LOG_DEBUG, "dst->jabber_file_transfer_port[1] = j_port = %u;\n",
ntohs(j_port));
dst->jabber_file_transfer_port[1] = j_port;
}
}
}
}
}
} else if (memcmp(packet->payload, "<iq to=\"", 8) == 0 || memcmp(packet->payload, "<iq to=\'", 8) == 0
|| memcmp(packet->payload, "<iq type=", 9) == 0) {
NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct, NDPI_LOG_DEBUG, "JABBER <iq to=\"/type=\"\n");
lastlen = packet->payload_packet_len - 21;
for (x = 8; x < lastlen; x++) {
/* invalid character */
if (packet->payload[x] < 32 || packet->payload[x] > 127) {
return;
}
if (packet->payload[x] == '@') {
NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct, NDPI_LOG_DEBUG, "JABBER @\n");
break;
}
}
if (x >= lastlen) {
return;
}
lastlen = packet->payload_packet_len - 10;
for (; x < lastlen; x++) {
if (packet->payload[x] == 'p') {
if (memcmp(&packet->payload[x], "port=", 5) == 0) {
NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct, NDPI_LOG_DEBUG, "port=\n");
if (src != NULL) {
src->jabber_stun_or_ft_ts = packet->tick_timestamp;
}
if (dst != NULL) {
dst->jabber_stun_or_ft_ts = packet->tick_timestamp;
}
x += 6;
j_port = ntohs_ndpi_bytestream_to_number(&packet->payload[x], packet->payload_packet_len, &x);
NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct,
NDPI_LOG_DEBUG, "JABBER port : %u\n", ntohs(j_port));
if (src != NULL && src->jabber_voice_stun_used_ports < JABBER_MAX_STUN_PORTS - 1) {
if (packet->payload[5] == 'o') {
src->jabber_voice_stun_port[src->jabber_voice_stun_used_ports++]
= j_port;
} else {
if (src->jabber_file_transfer_port[0] == 0
|| src->jabber_file_transfer_port[0] == j_port) {
NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct, NDPI_LOG_DEBUG,
"src->jabber_file_transfer_port[0] = j_port = %u;\n", ntohs(j_port));
src->jabber_file_transfer_port[0] = j_port;
} else {
NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct,
NDPI_LOG_DEBUG, "src->jabber_file_transfer_port[1] = j_port = %u;\n",
ntohs(j_port));
src->jabber_file_transfer_port[1] = j_port;
}
}
}
if (dst != NULL && dst->jabber_voice_stun_used_ports < JABBER_MAX_STUN_PORTS - 1) {
if (packet->payload[5] == 'o') {
dst->jabber_voice_stun_port[dst->jabber_voice_stun_used_ports++]
= j_port;
} else {
if (dst->jabber_file_transfer_port[0] == 0
|| dst->jabber_file_transfer_port[0] == j_port) {
NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct, NDPI_LOG_DEBUG,
"dst->jabber_file_transfer_port[0] = j_port = %u;\n", ntohs(j_port));
dst->jabber_file_transfer_port[0] = j_port;
} else {
NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct,
NDPI_LOG_DEBUG, "dst->jabber_file_transfer_port[1] = j_port = %u;\n",
ntohs(j_port));
dst->jabber_file_transfer_port[1] = j_port;
}
}
}
return;
}
}
}
}
return;
}
/* search for jabber here */
/* this part is working asymmetrically */
if ((packet->payload_packet_len > 13 && memcmp(packet->payload, "<?xml version=", 14) == 0)
|| (packet->payload_packet_len >= NDPI_STATICSTRING_LEN("<stream:stream ")
&& memcmp(packet->payload, "<stream:stream ", NDPI_STATICSTRING_LEN("<stream:stream ")) == 0)) {
int start = packet->payload_packet_len-13;
if(ndpi_strnstr((const char *)&packet->payload[13], "xmlns:stream='http://etherx.jabber.org/streams'", start)
|| ndpi_strnstr((const char *)&packet->payload[13], "xmlns:stream=\"http://etherx.jabber.org/streams\"", start)) {
/* Protocol family */
ndpi_int_jabber_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNENCRYPED_JABBER);
/* search for subprotocols */
check_content_type_and_change_protocol(ndpi_struct, flow, 13);
return;
}
}
if (flow->packet_counter < 3) {
NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct,
NDPI_LOG_DEBUG, "packet_counter: %u\n", flow->packet_counter);
return;
}
NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct, NDPI_LOG_TRACE, "JABBER Excluded.\n");
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_UNENCRYPED_JABBER);
#ifdef NDPI_PROTOCOL_TRUPHONE
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_TRUPHONE);
#endif
}
static void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct *packet = &flow->packet;
struct ndpi_id_struct *src = flow->src;
struct ndpi_id_struct *dst = flow->dst;
int less;
u_int16_t c = 0;
u_int16_t c1 = 0;
u_int16_t port = 0;
u_int16_t sport = 0;
u_int16_t dport = 0;
u_int16_t counter = 0;
u_int16_t i = 0;
u_int16_t j = 0;
u_int16_t k = 0;
u_int16_t h;
u_int16_t http_content_ptr_len = 0;
u_int8_t space = 0;
NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "irc : search irc\n");
if (flow->detected_protocol_stack[0] != NDPI_PROTOCOL_IRC && flow->packet_counter > 70) {
NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "exclude irc, packet_counter > 70\n");
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_IRC);
return;
}
if (flow->detected_protocol_stack[0] != NDPI_PROTOCOL_IRC && flow->packet_counter > 30 &&
flow->l4.tcp.irc_stage2 == 0) {
NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "packet_counter > 30, exclude irc.\n");
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_IRC);
return;
}
if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_IRC) {
if (src != NULL && ((u_int32_t)
(packet->tick_timestamp - src->irc_ts) < ndpi_struct->irc_timeout)) {
NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "irc : save src connection packet detected\n");
src->irc_ts = packet->tick_timestamp;
} else if (dst != NULL && ((u_int32_t)
(packet->tick_timestamp - dst->irc_ts) < ndpi_struct->irc_timeout)) {
NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "irc : save dst connection packet detected\n");
dst->irc_ts = packet->tick_timestamp;
}
}
if (((dst != NULL && NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_IRC)
&& ((u_int32_t)
(packet->tick_timestamp - dst->irc_ts)) <
ndpi_struct->irc_timeout)) || (src != NULL
&&
NDPI_COMPARE_PROTOCOL_TO_BITMASK
(src->detected_protocol_bitmask, NDPI_PROTOCOL_IRC)
&& ((u_int32_t)
(packet->tick_timestamp - src->irc_ts)) < ndpi_struct->irc_timeout)) {
if (packet->tcp != NULL) {
sport = packet->tcp->source;
dport = packet->tcp->dest;
}
if (dst != NULL) {
for (counter = 0; counter < dst->irc_number_of_port; counter++) {
if (dst->irc_port[counter] == sport || dst->irc_port[counter] == dport) {
dst->last_time_port_used[counter] = packet->tick_timestamp;
NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE,
"dest port matched with the DCC port and the flow is marked as IRC");
ndpi_int_irc_add_connection(ndpi_struct, flow);
return;
}
}
}
if (src != NULL) {
for (counter = 0; counter < src->irc_number_of_port; counter++) {
if (src->irc_port[counter] == sport || src->irc_port[counter] == dport) {
src->last_time_port_used[counter] = packet->tick_timestamp;
ndpi_int_irc_add_connection(ndpi_struct, flow);
NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE,
"Source port matched with the DCC port and the flow is marked as IRC");
return;
}
}
}
}
if (flow->detected_protocol_stack[0] != NDPI_PROTOCOL_IRC
&& flow->packet_counter == 2 && (packet->payload_packet_len > 400 && packet->payload_packet_len < 1381)) {
for (c1 = 50; c1 < packet->payload_packet_len - 23; c1++) {
if (packet->payload[c1] == 'i' || packet->payload[c1] == 'd') {
if ((memcmp(&packet->payload[c1], "irc.hackthissite.org0", 21)
== 0)
|| (memcmp(&packet->payload[c1], "irc.gamepad.ca1", 15) == 0)
|| (memcmp(&packet->payload[c1], "dungeon.axenet.org0", 19)
== 0)
|| (memcmp(&packet->payload[c1], "dazed.nuggethaus.net", 20)
== 0)
|| (memcmp(&packet->payload[c1], "irc.indymedia.org", 17)
== 0)
|| (memcmp(&packet->payload[c1], "irc.cccp-project.net", 20)
== 0)
|| (memcmp(&packet->payload[c1], "dirc.followell.net0", 19)
== 0)
|| (memcmp(&packet->payload[c1], "irc.discostars.de1", 18)
== 0)
|| (memcmp(&packet->payload[c1], "irc.rizon.net", 13) == 0)) {
NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE,
"IRC SSL detected with :- irc.hackthissite.org0 | irc.gamepad.ca1 | dungeon.axenet.org0 "
"| dazed.nuggethaus.net | irc.indymedia.org | irc.discostars.de1 ");
ndpi_int_irc_add_connection(ndpi_struct, flow);
break;
}
}
}
}
if (flow->detected_protocol_stack[0] != NDPI_PROTOCOL_IRC &&
ndpi_search_irc_ssl_detect_ninty_percent_but_very_fast(ndpi_struct, flow) != 0) {
return;
}
if (flow->detected_protocol_stack[0] != NDPI_PROTOCOL_IRC && flow->packet_counter < 20
&& packet->payload_packet_len >= 8) {
if (get_u_int8_t(packet->payload, packet->payload_packet_len - 1) == 0x0a
|| (ntohs(get_u_int16_t(packet->payload, packet->payload_packet_len - 2)) == 0x0a00)) {
if (memcmp(packet->payload, ":", 1) == 0) {
if (packet->payload[packet->payload_packet_len - 2] != 0x0d
&& packet->payload[packet->payload_packet_len - 1] == 0x0a) {
ndpi_parse_packet_line_info_unix(ndpi_struct, flow);
packet->parsed_lines = packet->parsed_unix_lines;
for (i = 0; i < packet->parsed_lines; i++) {
packet->line[i] = packet->unix_line[i];
packet->line[i].ptr = packet->unix_line[i].ptr;
packet->line[i].len = packet->unix_line[i].len;
}
} else if (packet->payload[packet->payload_packet_len - 2] == 0x0d) {
ndpi_parse_packet_line_info(ndpi_struct, flow);
} else {
flow->l4.tcp.irc_3a_counter++;
}
for (i = 0; i < packet->parsed_lines; i++) {
if (packet->line[i].ptr[0] == ':') {
flow->l4.tcp.irc_3a_counter++;
if (flow->l4.tcp.irc_3a_counter == 7) { /* ':' == 0x3a */
NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "0x3a. seven times. found irc.");
ndpi_int_irc_add_connection(ndpi_struct, flow);
goto detected_irc;
}
}
}
if (flow->l4.tcp.irc_3a_counter == 7) { /* ':' == 0x3a */
NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "0x3a. seven times. found irc.");
ndpi_int_irc_add_connection(ndpi_struct, flow);
goto detected_irc;
}
}
if ((memcmp(packet->payload, "USER ", 5) == 0)
|| (memcmp(packet->payload, "NICK ", 5) == 0)
|| (memcmp(packet->payload, "PASS ", 5) == 0)
|| (memcmp(packet->payload, ":", 1) == 0 && ndpi_check_for_NOTICE_or_PRIVMSG(ndpi_struct, flow) != 0)
|| (memcmp(packet->payload, "PONG ", 5) == 0)
|| (memcmp(packet->payload, "PING ", 5) == 0)
|| (memcmp(packet->payload, "JOIN ", 5) == 0)
|| (memcmp(packet->payload, "NOTICE ", 7) == 0)
|| (memcmp(packet->payload, "PRIVMSG ", 8) == 0)
|| (memcmp(packet->payload, "VERSION ", 8) == 0)) {
NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE,
"USER, NICK, PASS, NOTICE, PRIVMSG one time");
if (flow->l4.tcp.irc_stage == 2) {
NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "found irc");
ndpi_int_irc_add_connection(ndpi_struct, flow);
flow->l4.tcp.irc_stage = 3;
}
if (flow->l4.tcp.irc_stage == 1) {
NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "second time, stage=2");
flow->l4.tcp.irc_stage = 2;
}
if (flow->l4.tcp.irc_stage == 0) {
NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "first time, stage=1");
flow->l4.tcp.irc_stage = 1;
}
/* irc packets can have either windows line breaks (0d0a) or unix line breaks (0a) */
if (packet->payload[packet->payload_packet_len - 2] == 0x0d
&& packet->payload[packet->payload_packet_len - 1] == 0x0a) {
ndpi_parse_packet_line_info(ndpi_struct, flow);
if (packet->parsed_lines > 1) {
NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE,
"packet contains more than one line");
for (c = 1; c < packet->parsed_lines; c++) {
if (packet->line[c].len > 4 && (memcmp(packet->line[c].ptr, "NICK ", 5) == 0
|| memcmp(packet->line[c].ptr, "USER ", 5) == 0)) {
NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct,
NDPI_LOG_TRACE, "two icq signal words in the same packet");
ndpi_int_irc_add_connection(ndpi_struct, flow);
flow->l4.tcp.irc_stage = 3;
return;
}
}
}
} else if (packet->payload[packet->payload_packet_len - 1] == 0x0a) {
ndpi_parse_packet_line_info_unix(ndpi_struct, flow);
if (packet->parsed_unix_lines > 1) {
NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE,
"packet contains more than one line");
for (c = 1; c < packet->parsed_unix_lines; c++) {
if (packet->unix_line[c].len > 4 && (memcmp(packet->unix_line[c].ptr, "NICK ", 5) == 0
|| memcmp(packet->unix_line[c].ptr, "USER ",
5) == 0)) {
NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE,
"two icq signal words in the same packet");
ndpi_int_irc_add_connection(ndpi_struct, flow);
flow->l4.tcp.irc_stage = 3;
return;
}
}
}
}
}
}
}
/**
* Trying to primarily detect the HTTP Web based IRC chat patterns based on the HTTP headers
* during the User login time.When the HTTP data gets posted using the POST method ,patterns
* will be searched in the HTTP content.
*/
if ((flow->detected_protocol_stack[0] != NDPI_PROTOCOL_IRC) && (flow->l4.tcp.irc_stage == 0)
&& (packet->payload_packet_len > 5)) {
//HTTP POST Method being employed
if (memcmp(packet->payload, "POST ", 5) == 0) {
ndpi_parse_packet_line_info(ndpi_struct, flow);
if (packet->parsed_lines) {
u_int16_t http_header_len = (packet->line[packet->parsed_lines - 1].ptr - packet->payload) + 2;
if (packet->payload_packet_len > http_header_len) {
http_content_ptr_len = packet->payload_packet_len - http_header_len;
}
if ((ndpi_check_for_IRC_traces(packet->line[0].ptr, packet->line[0].len))
|| ((packet->http_url_name.ptr)
&& (ndpi_check_for_IRC_traces(packet->http_url_name.ptr, packet->http_url_name.len)))
|| ((packet->referer_line.ptr)
&& (ndpi_check_for_IRC_traces(packet->referer_line.ptr, packet->referer_line.len)))) {
NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE,
"IRC detected from the Http URL/ Referer header ");
flow->l4.tcp.irc_stage = 1;
// HTTP POST Request body is not in the same packet.
if (!http_content_ptr_len) {
return;
}
}
}
}
}
if ((flow->detected_protocol_stack[0] != NDPI_PROTOCOL_IRC) && (flow->l4.tcp.irc_stage == 1)) {
if ((((packet->payload_packet_len - http_content_ptr_len) > 10)
&& (memcmp(packet->payload + http_content_ptr_len, "interface=", 10) == 0)
&& (ndpi_check_for_Nickname(ndpi_struct, flow) != 0))
|| (((packet->payload_packet_len - http_content_ptr_len) > 5)
&& (memcmp(packet->payload + http_content_ptr_len, "item=", 5) == 0)
&& (ndpi_check_for_cmd(ndpi_struct, flow) != 0))) {
NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "IRC Nickname, cmd, one time");
ndpi_int_irc_add_connection(ndpi_struct, flow);
return;
}
}
detected_irc:
NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "detected_irc:");
if (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_IRC) {
/* maybe this can be deleted at the end */
if (packet->payload[packet->payload_packet_len - 2] != 0x0d
&& packet->payload[packet->payload_packet_len - 1] == 0x0a) {
NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG,
"ndpi_parse_packet_line_info_unix(ndpi_struct, flow);");
ndpi_parse_packet_line_info_unix(ndpi_struct, flow);
packet->parsed_lines = packet->parsed_unix_lines;
for (i = 0; i < packet->parsed_lines; i++) {
packet->line[i] = packet->unix_line[i];
packet->line[i].ptr = packet->unix_line[i].ptr;
packet->line[i].len = packet->unix_line[i].len;
}
} else if (packet->payload[packet->payload_packet_len - 2] == 0x0d) {
ndpi_parse_packet_line_info(ndpi_struct, flow);
} else {
return;
}
for (i = 0; i < packet->parsed_lines; i++) {
if (packet->line[i].len > 6 && memcmp(packet->line[i].ptr, "NOTICE ", 7) == 0) {
NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "NOTICE");
for (j = 7; j < packet->line[i].len - 8; j++) {
if (packet->line[i].ptr[j] == ':') {
if (memcmp(&packet->line[i].ptr[j + 1], "DCC SEND ", 9) == 0
|| memcmp(&packet->line[i].ptr[j + 1], "DCC CHAT ", 9) == 0) {
NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE,
"found NOTICE and DCC CHAT or DCC SEND.");
}
}
}
}
if (packet->payload_packet_len > 0 && packet->payload[0] == 0x3a /* 0x3a = ':' */ ) {
NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "3a");
for (j = 1; j < packet->line[i].len - 9; j++) {
if (packet->line[i].ptr[j] == ' ') {
j++;
if (packet->line[i].ptr[j] == 'P') {
NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "P");
j++;
if (memcmp(&packet->line[i].ptr[j], "RIVMSG ", 7) == 0)
NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "RIVMSG");
h = j + 7;
goto read_privmsg;
}
}
}
}
if (packet->line[i].len > 7 && (memcmp(packet->line[i].ptr, "PRIVMSG ", 8) == 0)) {
NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "PRIVMSG ");
h = 7;
read_privmsg:
for (j = h; j < packet->line[i].len - 9; j++) {
if (packet->line[i].ptr[j] == ':') {
if (memcmp(&packet->line[i].ptr[j + 1], "xdcc ", 5) == 0) {
NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "xdcc should match.");
}
j += 2;
if (memcmp(&packet->line[i].ptr[j], "DCC ", 4) == 0) {
j += 4;
NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "found DCC.");
if (memcmp(&packet->line[i].ptr[j], "SEND ", 5) == 0
|| (memcmp(&packet->line[i].ptr[j], "CHAT", 4) == 0)
|| (memcmp(&packet->line[i].ptr[j], "chat", 4) == 0)
|| (memcmp(&packet->line[i].ptr[j], "sslchat", 7) == 0)
|| (memcmp(&packet->line[i].ptr[j], "TSEND", 5) == 0)) {
NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE,
"found CHAT,chat,sslchat,TSEND.");
j += 4;
while (packet->line[i].len > j &&
((packet->line[i].ptr[j] >= 'a' && packet->line[i].ptr[j] <= 'z')
|| (packet->line[i].ptr[j] >= 'A' && packet->line[i].ptr[j] <= 'Z')
|| (packet->line[i].ptr[j] >= '0' && packet->line[i].ptr[j] <= '9')
|| (packet->line[i].ptr[j] >= ' ')
|| (packet->line[i].ptr[j] >= '.')
|| (packet->line[i].ptr[j] >= '-'))) {
if (packet->line[i].ptr[j] == ' ') {
space++;
NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "space %u.", space);
}
if (space == 3) {
j++;
NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "read port.");
if (src != NULL) {
k = j;
port =
ntohs_ndpi_bytestream_to_number
(&packet->line[i].ptr[j], packet->payload_packet_len - j, &j);
NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "port %u.",
port);
j = k;
// hier jetzt überlegen, wie die ports abgespeichert werden sollen
if (src->irc_number_of_port < 16)
NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE,
"src->irc_number_of_port < 16.");
if (src->irc_number_of_port < 16 && port != 0) {
if (!ndpi_is_duplicate(src, port)) {
src->irc_port[src->irc_number_of_port]
= port;
src->irc_number_of_port++;
NDPI_LOG
(NDPI_PROTOCOL_IRC,
ndpi_struct,
NDPI_LOG_DEBUG, "found port=%d",
ntohs(get_u_int16_t(src->irc_port, 0)));
NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG,
"jjeeeeeeeeeeeeeeeeeeeeeeeee");
}
src->irc_ts = packet->tick_timestamp;
} else if (port != 0 && src->irc_number_of_port == 16) {
if (!ndpi_is_duplicate(src, port)) {
less = 0;
NDPI_IRC_FIND_LESS(src->last_time_port_used, less);
src->irc_port[less] = port;
NDPI_LOG
(NDPI_PROTOCOL_IRC,
ndpi_struct,
NDPI_LOG_DEBUG, "found port=%d",
ntohs(get_u_int16_t(src->irc_port, 0)));
}
src->irc_ts = packet->tick_timestamp;
}
if (dst == NULL) {
break;
}
}
if (dst != NULL) {
port = ntohs_ndpi_bytestream_to_number
(&packet->line[i].ptr[j], packet->payload_packet_len - j, &j);
NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "port %u.",
port);
// hier das gleiche wie oben.
/* hier werden 16 ports pro irc flows mitgespeichert. könnte man denn nicht ein-
* fach an die dst oder src einen flag setzten, dass dieser port für eine bestimmte
* zeit ein irc-port bleibt?
*/
if (dst->irc_number_of_port < 16 && port != 0) {
if (!ndpi_is_duplicate(dst, port)) {
dst->irc_port[dst->irc_number_of_port]
= port;
dst->irc_number_of_port++;
NDPI_LOG
(NDPI_PROTOCOL_IRC,
ndpi_struct,
NDPI_LOG_DEBUG, "found port=%d",
ntohs(get_u_int16_t(dst->irc_port, 0)));
NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG,
"juuuuuuuuuuuuuuuu");
}
dst->irc_ts = packet->tick_timestamp;
} else if (port != 0 && dst->irc_number_of_port == 16) {
if (!ndpi_is_duplicate(dst, port)) {
less = 0;
NDPI_IRC_FIND_LESS(dst->last_time_port_used, less);
dst->irc_port[less] = port;
NDPI_LOG
(NDPI_PROTOCOL_IRC,
ndpi_struct,
NDPI_LOG_DEBUG, "found port=%d",
ntohs(get_u_int16_t(dst->irc_port, 0)));
}
dst->irc_ts = packet->tick_timestamp;
}
break;
}
}
j++;
}
}
}
}
}
}
}
}
}
