static void check_http_payload(struct ipoque_detection_module_struct *ipoque_struct) { IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "called check_http_payload.\n"); #ifdef IPOQUE_PROTOCOL_FLASH if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(ipoque_struct->detection_bitmask, IPOQUE_PROTOCOL_FLASH) != 0) flash_check_http_payload(ipoque_struct); #endif #ifdef IPOQUE_PROTOCOL_AVI if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(ipoque_struct->detection_bitmask, IPOQUE_PROTOCOL_AVI) != 0) avi_check_http_payload(ipoque_struct); #endif }
/* this function deals with UDP connections */ static void ipoque_search_rdt_connection(struct ipoque_detection_module_struct *ipoque_struct) { struct ipoque_packet_struct *packet = &ipoque_struct->packet; struct ipoque_id_struct *src = ipoque_struct->src; // struct ipoque_id_struct *dst = ipoque_struct->dst; IPQ_LOG(IPOQUE_PROTOCOL_RTSP, ipoque_struct, IPQ_LOG_DEBUG, "found UDP\n"); if (src != NULL) { // UDP packets, check in case of timeout, bitmask, packet length and payload -> search the RDT Request which has the type 0xff03 if (src->rtsp_ts_set == 1 && ((IPOQUE_TIMESTAMP_COUNTER_SIZE) (packet->tick_timestamp - src->rtsp_timer)) < ipoque_struct->rtsp_connection_timeout) { if (ipq_packet_dst_ip_eql(packet, &src->rtsp_ip_address) && IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, IPOQUE_PROTOCOL_RTSP) != 0) { if (packet->payload_packet_len == 3 && packet->payload[0] == 0x00 && packet->payload[1] == 0xff && packet->payload[2] == 0x03) { IPQ_LOG(IPOQUE_PROTOCOL_RTSP, ipoque_struct, IPQ_LOG_DEBUG, "found RTSP RDT.\n"); ipoque_int_rtsp_add_connection(ipoque_struct); return; } } } else { src->rtsp_ts_set = 0; } } IPQ_LOG(IPOQUE_PROTOCOL_RTSP, ipoque_struct, IPQ_LOG_DEBUG, "didn't find RDT stream.\n"); return; }
static void opendpi_mt4_save(const void *entry, const struct xt_entry_match *match) { const struct xt_opendpi_mtinfo *info = (const void *)match->data; int i; for (i = 1; i <= IPOQUE_MAX_SUPPORTED_PROTOCOLS; i++){ if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(info->flags, i) != 0){ printf("--%s ", prot_short_str[i]); } } }
void ipoque_search_mms_tcp(struct ipoque_detection_module_struct *ipoque_struct) { struct ipoque_packet_struct *packet = &ipoque_struct->packet; struct ipoque_flow_struct *flow = ipoque_struct->flow; // struct ipoque_id_struct *src=ipoque_struct->src; // struct ipoque_id_struct *dst=ipoque_struct->dst; /* search MSMMS packets */ if (packet->payload_packet_len >= 20) { if (flow->l4.tcp.mms_stage == 0 && packet->payload[4] == 0xce && packet->payload[5] == 0xfa && packet->payload[6] == 0x0b && packet->payload[7] == 0xb0 && packet->payload[12] == 0x4d && packet->payload[13] == 0x4d && packet->payload[14] == 0x53 && packet->payload[15] == 0x20) { IPQ_LOG(IPOQUE_PROTOCOL_MMS, ipoque_struct, IPQ_LOG_DEBUG, "MMS: MSMMS Request found \n"); flow->l4.tcp.mms_stage = 1 + packet->packet_direction; return; } if (flow->l4.tcp.mms_stage == 2 - packet->packet_direction && packet->payload[4] == 0xce && packet->payload[5] == 0xfa && packet->payload[6] == 0x0b && packet->payload[7] == 0xb0 && packet->payload[12] == 0x4d && packet->payload[13] == 0x4d && packet->payload[14] == 0x53 && packet->payload[15] == 0x20) { IPQ_LOG(IPOQUE_PROTOCOL_MMS, ipoque_struct, IPQ_LOG_DEBUG, "MMS: MSMMS Response found \n"); ipoque_int_mms_add_connection(ipoque_struct); return; } } #ifdef IPOQUE_PROTOCOL_HTTP if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_HTTP) != 0) { #endif /* IPOQUE_PROTOCOL_HTTP */ IPQ_LOG(IPOQUE_PROTOCOL_MMS, ipoque_struct, IPQ_LOG_DEBUG, "MMS: exclude\n"); IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_MMS); #ifdef IPOQUE_PROTOCOL_HTTP } else { IPQ_LOG(IPOQUE_PROTOCOL_MMS, ipoque_struct, IPQ_LOG_DEBUG, "MMS avoid early exclude from http\n"); } #endif /* IPOQUE_PROTOCOL_HTTP */ }
static void ipoque_search_directconnect_udp(struct ipoque_detection_module_struct *ipoque_struct) { struct ipoque_packet_struct *packet = &ipoque_struct->packet; struct ipoque_flow_struct *flow = ipoque_struct->flow; struct ipoque_id_struct *src = ipoque_struct->src; struct ipoque_id_struct *dst = ipoque_struct->dst; int pos, count = 0; if (dst != NULL && dst->detected_directconnect_udp_port == packet->udp->dest) { if ((IPOQUE_TIMESTAMP_COUNTER_SIZE) (packet->tick_timestamp - dst->directconnect_last_safe_access_time) < ipoque_struct->directconnect_connection_ip_tick_timeout) { ipoque_int_add_connection(ipoque_struct, IPOQUE_PROTOCOL_DIRECTCONNECT, IPOQUE_REAL_PROTOCOL); dst->directconnect_last_safe_access_time = packet->tick_timestamp; IPQ_LOG(IPOQUE_PROTOCOL_DIRECTCONNECT, ipoque_struct, IPQ_LOG_DEBUG, "marking using dc udp port\n %d", ntohs(dst->detected_directconnect_udp_port)); return; } else { dst->detected_directconnect_udp_port = 0; IPQ_LOG(IPOQUE_PROTOCOL_DIRECTCONNECT, ipoque_struct, IPQ_LOG_DEBUG, "resetting dst udp port due to timeout"); return; } } if (packet->payload_packet_len > 58) { if (src != NULL && IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, IPOQUE_PROTOCOL_DIRECTCONNECT)) { if (packet->payload[0] == '$' && packet->payload[packet->payload_packet_len - 1] == '|' && memcmp(&packet->payload[1], "SR ", 3) == 0) { pos = packet->payload_packet_len - 2; if (packet->payload[pos] == ')') { while (pos > 0 && packet->payload[pos] != '(' && count < 21) { pos--; count++; } if (packet->payload[pos] == '(') { pos = pos - 44; if (pos > 2 && memcmp(&packet->payload[pos], "TTH:", 4) == 0) { IPQ_LOG(IPOQUE_PROTOCOL_DIRECTCONNECT, ipoque_struct, IPQ_LOG_DEBUG, "dc udp detected\n"); ipoque_int_directconnect_add_connection(ipoque_struct, DIRECT_CONNECT_TYPE_PEER); return; } } } flow->directconnect_stage++; if (flow->directconnect_stage < 3) { return; } } } if (dst != NULL && IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, IPOQUE_PROTOCOL_DIRECTCONNECT)) { if (packet->payload[0] == '$' && packet->payload[packet->payload_packet_len - 1] == '|' && memcmp(&packet->payload[1], "SR ", 3) == 0) { pos = packet->payload_packet_len - 2; if (packet->payload[pos] == ')') { while (pos > 0 && packet->payload[pos] != '(' && count < 21) { pos--; count++; } if (packet->payload[pos] == '(') { pos = pos - 44; if (pos > 2 && memcmp(&packet->payload[pos], "TTH:", 4) == 0) { IPQ_LOG(IPOQUE_PROTOCOL_DIRECTCONNECT, ipoque_struct, IPQ_LOG_DEBUG, "dc udp detected\n"); ipoque_int_directconnect_add_connection(ipoque_struct, DIRECT_CONNECT_TYPE_PEER); return; } } } flow->directconnect_stage++; if (flow->directconnect_stage < 3) return; } } } IPQ_LOG(IPOQUE_PROTOCOL_DIRECTCONNECT, ipoque_struct, IPQ_LOG_DEBUG, "excluded at stage %d \n", flow->directconnect_stage); IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_DIRECTCONNECT); }
void ipoque_search_soulseek_tcp(struct ipoque_detection_module_struct *ipoque_struct) { struct ipoque_packet_struct *packet = &ipoque_struct->packet; struct ipoque_flow_struct *flow = ipoque_struct->flow; struct ipoque_id_struct *src = ipoque_struct->src; struct ipoque_id_struct *dst = ipoque_struct->dst; IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG, "Soulseek: search soulseec tcp \n"); if (packet->detected_protocol_stack[0] == IPOQUE_PROTOCOL_SOULSEEK) { IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG, "packet marked as Soulseek\n"); if (src != NULL) IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG, " SRC bitmask: %u, packet tick %llu , last safe access timestamp: %llu\n", IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, IPOQUE_PROTOCOL_SOULSEEK) != 0 ? 1 : 0, (u64) packet->tick_timestamp, (u64) src->soulseek_last_safe_access_time); if (dst != NULL) IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG, " DST bitmask: %u, packet tick %llu , last safe ts: %llu\n", IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, IPOQUE_PROTOCOL_SOULSEEK) != 0 ? 1 : 0, (u64) packet->tick_timestamp, (u64) dst->soulseek_last_safe_access_time); if (packet->payload_packet_len == 431) { if (dst != NULL) { dst->soulseek_last_safe_access_time = packet->tick_timestamp; } return; } if (packet->payload_packet_len == 12 && get_l32(packet->payload, 4) == 0x02) { if (src != NULL) { src->soulseek_last_safe_access_time = packet->tick_timestamp; if (packet->tcp != NULL && src->soulseek_listen_port == 0) { src->soulseek_listen_port = get_l32(packet->payload, 8); return; } } } if (src != NULL && ((IPOQUE_TIMESTAMP_COUNTER_SIZE) (packet->tick_timestamp - src->soulseek_last_safe_access_time) < ipoque_struct->soulseek_connection_ip_tick_timeout)) { IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG, "Soulseek: SRC update last safe access time and SKIP_FOR_TIME \n"); src->soulseek_last_safe_access_time = packet->tick_timestamp; } if (dst != NULL && ((IPOQUE_TIMESTAMP_COUNTER_SIZE) (packet->tick_timestamp - dst->soulseek_last_safe_access_time) < ipoque_struct->soulseek_connection_ip_tick_timeout)) { IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG, "Soulseek: DST update last safe access time and SKIP_FOR_TIME \n"); dst->soulseek_last_safe_access_time = packet->tick_timestamp; } } if (dst != NULL && dst->soulseek_listen_port != 0 && dst->soulseek_listen_port == ntohs(packet->tcp->dest) && ((IPOQUE_TIMESTAMP_COUNTER_SIZE) (packet->tick_timestamp - dst->soulseek_last_safe_access_time) < ipoque_struct->soulseek_connection_ip_tick_timeout)) { IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG, "Soulseek: Plain detection on Port : %u packet_tick_timestamp: %u soulseeek_last_safe_access_time: %u soulseek_connection_ip_ticktimeout: %u\n", dst->soulseek_listen_port, packet->tick_timestamp, dst->soulseek_last_safe_access_time, ipoque_struct->soulseek_connection_ip_tick_timeout); ipoque_int_soulseek_add_connection(ipoque_struct); return; } if (flow->l4.tcp.soulseek_stage == 0) { u32 index = 0; if (packet->payload_packet_len >= 12 && packet->payload_packet_len < 300 && get_l32(packet->payload, 4) == 1) { while (!get_u16(packet->payload, index + 2) && (index + get_l32(packet->payload, index)) < packet->payload_packet_len - 4) { if (get_l32(packet->payload, index) < 8) /*Minimum soulsek login msg is 8B */ break; if (index + get_l32(packet->payload, index) + 4 <= index) { /* avoid overflow */ break; } index += get_l32(packet->payload, index) + 4; } if (index + get_l32(packet->payload, index) == packet->payload_packet_len - 4 && !get_u16(packet->payload, 10)) { /*This structure seems to be soulseek proto */ index = get_l32(packet->payload, 8) + 12; // end of "user name" if ((index + 4) <= packet->payload_packet_len && !get_u16(packet->payload, index + 2)) // for passwd len { index += get_l32(packet->payload, index) + 4; //end of "Passwd" if ((index + 4 + 4) <= packet->payload_packet_len && !get_u16(packet->payload, index + 6)) // to read version,hashlen { index += get_l32(packet->payload, index + 4) + 8; // enf of "hash value" if (index == get_l32(packet->payload, 0)) { IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG, "Soulseek Login Detected\n"); ipoque_int_soulseek_add_connection(ipoque_struct); return; } } } } } if (packet->payload_packet_len > 8 && packet->payload_packet_len < 200 && get_l32(packet->payload, 0) == packet->payload_packet_len - 4) { //Server Messages: const u32 msgcode = get_l32(packet->payload, 4); if (msgcode == 0x7d) { flow->l4.tcp.soulseek_stage = 1 + packet->packet_direction; IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG, "Soulseek Messages Search\n"); return; } else if (msgcode == 0x02 && packet->payload_packet_len == 12) { const u32 soulseek_listen_port = get_l32(packet->payload, 8); if (src != NULL) { src->soulseek_last_safe_access_time = packet->tick_timestamp; if (packet->tcp != NULL && src->soulseek_listen_port == 0) { src->soulseek_listen_port = soulseek_listen_port; IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG, "\n Listen Port Saved : %u", src->soulseek_listen_port); ipoque_int_soulseek_add_connection(ipoque_struct); return; } } } //Peer Messages : Peer Init Message Detection if (get_l32(packet->payload, 0) == packet->payload_packet_len - 4) { const u32 typelen = get_l32(packet->payload, packet->payload_packet_len - 9); const u8 type = packet->payload[packet->payload_packet_len - 5]; const u32 namelen = get_l32(packet->payload, 5); if (packet->payload[4] == 0x01 && typelen == 1 && namelen <= packet->payload_packet_len && (4 + 1 + 4 + namelen + 4 + 1 + 4) == packet->payload_packet_len && (type == 'F' || type == 'P' || type == 'D')) { IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG, "soulseek detected\n"); ipoque_int_soulseek_add_connection(ipoque_struct); return; } IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG, "1\n"); } IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG, "3\n"); //Peer Message : Pierce Firewall if (packet->payload_packet_len == 9 && get_l32(packet->payload, 0) == 5 && packet->payload[4] <= 0x10 && get_u32(packet->payload, 5) != 0x00000000) { flow->l4.tcp.soulseek_stage = 1 + packet->packet_direction; IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_TRACE, "Soulseek Size 9 Pierce Firewall\n"); return; } } if (packet->payload_packet_len > 25 && packet->payload[4] == 0x01 && !get_u16(packet->payload, 7) && !get_u16(packet->payload, 2)) { const u32 usrlen = get_l32(packet->payload, 5); if (usrlen <= packet->payload_packet_len - 4 + 1 + 4 + 4 + 1 + 4) { const u32 typelen = get_l32(packet->payload, 4 + 1 + 4 + usrlen); const u8 type = packet->payload[4 + 1 + 4 + usrlen + 4]; if (typelen == 1 && (type == 'F' || type == 'P' || type == 'D')) { IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG, "soulseek detected Pattern command(D|P|F).\n"); ipoque_int_soulseek_add_connection(ipoque_struct); return; } } } } else if (flow->l4.tcp.soulseek_stage == 2 - packet->packet_direction) { if (packet->payload_packet_len > 8) { if ((packet->payload[0] || packet->payload[1]) && get_l32(packet->payload, 4) == 9) { /* 9 is search result */ IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG, "soulseek detected Second Pkt\n"); ipoque_int_soulseek_add_connection(ipoque_struct); return; } if (get_l32(packet->payload, 0) == packet->payload_packet_len - 4) { const u32 msgcode = get_l32(packet->payload, 4); if (msgcode == 0x03 && packet->payload_packet_len >= 12) //Server Message : Get Peer Address { const u32 usrlen = get_l32(packet->payload, 8); if (usrlen <= packet->payload_packet_len && 4 + 4 + 4 + usrlen == packet->payload_packet_len) { IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG, "Soulseek Request Get Peer Address Detected\n"); ipoque_int_soulseek_add_connection(ipoque_struct); return; } } } } if (packet->payload_packet_len == 8 && get_l32(packet->payload, 4) == 0x00000004) { IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG, "soulseek detected\n"); ipoque_int_soulseek_add_connection(ipoque_struct); return; } if (packet->payload_packet_len == 4 && get_u16(packet->payload, 2) == 0x00 && get_u16(packet->payload, 0) != 0x00) { IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG, "soulseek detected\n"); ipoque_int_soulseek_add_connection(ipoque_struct); return; } else if (packet->payload_packet_len == 4) { flow->l4.tcp.soulseek_stage = 3; return; } } else if (flow->l4.tcp.soulseek_stage == 1 + packet->packet_direction) { if (packet->payload_packet_len > 8) { if (packet->payload[4] == 0x03 && get_l32(packet->payload, 5) == 0x00000031) { IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG, "soulseek detected Second Pkt with SIGNATURE :: 0x0331000000 \n"); ipoque_int_soulseek_add_connection(ipoque_struct); return; } } } if (flow->l4.tcp.soulseek_stage == 3 && packet->payload_packet_len == 8 && !get_u32(packet->payload, 4)) { IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG, "soulseek detected bcz of 8B pkt\n"); ipoque_int_soulseek_add_connection(ipoque_struct); return; } if (flow->l4.tcp.soulseek_stage && flow->packet_counter < 11) { } else { IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_SOULSEEK); } }
void ipoque_search_http_tcp(struct ipoque_detection_module_struct *ipoque_struct) { struct ipoque_packet_struct *packet = &ipoque_struct->packet; struct ipoque_flow_struct *flow = ipoque_struct->flow; // struct ipoque_id_struct *src=ipoque_struct->src; // struct ipoque_id_struct *dst=ipoque_struct->dst; u16 filename_start; IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "search http\n"); /* set client-server_direction */ if (flow->l4.tcp.http_setup_dir == 0) { IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "initializes http to stage: 1 \n"); flow->l4.tcp.http_setup_dir = 1 + packet->packet_direction; } if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK (ipoque_struct->generic_http_packet_bitmask, packet->detected_protocol_stack[0]) != 0) { IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "protocol might be detected earlier as http jump to payload type detection\n"); goto http_parse_detection; } if (flow->l4.tcp.http_setup_dir == 1 + packet->packet_direction) { IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "http stage: 1\n"); if (flow->l4.tcp.http_wait_for_retransmission) { if (!packet->tcp_retransmission) { if (flow->packet_counter <= 5) { IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "still waiting for retransmission\n"); return; } else { IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "retransmission not found, exclude\n"); http_bitmask_exclude(flow); return; } } } if (flow->l4.tcp.http_stage == 0) { filename_start = http_request_url_offset(ipoque_struct); if (filename_start == 0) { IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "filename not found, exclude\n"); http_bitmask_exclude(flow); return; } // parse packet ipq_parse_packet_line_info(ipoque_struct); if (packet->parsed_lines <= 1) { /* parse one more packet .. */ IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "just one line, search next packet\n"); flow->l4.tcp.http_stage = 1; return; } // parsed_lines > 1 here if (packet->line[0].len >= (9 + filename_start) && memcmp(&packet->line[0].ptr[packet->line[0].len - 9], " HTTP/1.", 8) == 0) { packet->http_url_name.ptr = &packet->payload[filename_start]; packet->http_url_name.len = packet->line[0].len - (filename_start + 9); packet->http_method.ptr = packet->line[0].ptr; packet->http_method.len = filename_start - 1; IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "http structure detected, adding\n"); ipoque_int_http_add_connection(ipoque_struct, (filename_start == 8) ? NTOP_PROTOCOL_HTTP_CONNECT : IPOQUE_PROTOCOL_HTTP); check_content_type_and_change_protocol(ipoque_struct); /* HTTP found, look for host... */ if (packet->host_line.ptr != NULL) { /* aaahh, skip this direction and wait for a server reply here */ flow->l4.tcp.http_stage = 2; IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "HTTP START HOST found\n"); return; } IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "HTTP START HOST found\n"); /* host not found, check in next packet after */ flow->l4.tcp.http_stage = 1; return; } } else if (flow->l4.tcp.http_stage == 1) { /* SECOND PAYLOAD TRAFFIC FROM CLIENT, FIRST PACKET MIGHT HAVE BEEN HTTP... */ /* UNKNOWN TRAFFIC, HERE FOR HTTP again.. */ // parse packet ipq_parse_packet_line_info(ipoque_struct); if (packet->parsed_lines <= 1) { /* wait some packets in case request is split over more than 2 packets */ if (flow->packet_counter < 5) { IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "line still not finished, search next packet\n"); return; } else { /* stop parsing here */ IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "HTTP: PACKET DOES NOT HAVE A LINE STRUCTURE\n"); http_bitmask_exclude(flow); return; } } if (packet->line[0].len >= 9 && memcmp(&packet->line[0].ptr[packet->line[0].len - 9], " HTTP/1.", 8) == 0) { ipoque_int_http_add_connection(ipoque_struct, IPOQUE_PROTOCOL_HTTP); check_content_type_and_change_protocol(ipoque_struct); IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "HTTP START HTTP found in 2. packet, check host here...\n"); /* HTTP found, look for host... */ flow->l4.tcp.http_stage = 2; return; } } } IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "HTTP: REQUEST NOT HTTP CONFORM\n"); http_bitmask_exclude(flow); return; http_parse_detection: if (flow->l4.tcp.http_setup_dir == 1 + packet->packet_direction) { /* we have something like http here, so check for host and content type if possible */ if (flow->l4.tcp.http_stage == 0 || flow->l4.tcp.http_stage == 3) { IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "HTTP RUN MAYBE NEXT GET/POST...\n"); // parse packet ipq_parse_packet_line_info(ipoque_struct); /* check for url here */ filename_start = http_request_url_offset(ipoque_struct); if (filename_start != 0 && packet->parsed_lines > 1 && packet->line[0].len >= (9 + filename_start) && memcmp(&packet->line[0].ptr[packet->line[0].len - 9], " HTTP/1.", 8) == 0) { packet->http_url_name.ptr = &packet->payload[filename_start]; packet->http_url_name.len = packet->line[0].len - (filename_start + 9); packet->http_method.ptr = packet->line[0].ptr; packet->http_method.len = filename_start - 1; IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "next http action, " "resetting to http and search for other protocols later.\n"); ipoque_int_http_add_connection(ipoque_struct, IPOQUE_PROTOCOL_HTTP); } check_content_type_and_change_protocol(ipoque_struct); /* HTTP found, look for host... */ if (packet->host_line.ptr != NULL) { IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "HTTP RUN MAYBE NEXT HOST found, skipping all packets from this direction\n"); /* aaahh, skip this direction and wait for a server reply here */ flow->l4.tcp.http_stage = 2; return; } IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "HTTP RUN MAYBE NEXT HOST NOT found, scanning one more packet from this direction\n"); flow->l4.tcp.http_stage = 1; } else if (flow->l4.tcp.http_stage == 1) { // parse packet and maybe find a packet info with host ptr,... ipq_parse_packet_line_info(ipoque_struct); check_content_type_and_change_protocol(ipoque_struct); IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "HTTP RUN second packet scanned\n"); /* HTTP found, look for host... */ flow->l4.tcp.http_stage = 2; } IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "HTTP skipping client packets after second packet\n"); return; } /* server response */ if (flow->l4.tcp.http_stage > 0) { /* first packet from server direction, might have a content line */ ipq_parse_packet_line_info(ipoque_struct); check_content_type_and_change_protocol(ipoque_struct); if (packet->empty_line_position_set != 0 || flow->l4.tcp.http_empty_line_seen == 1) { IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "empty line. check_http_payload.\n"); check_http_payload(ipoque_struct); } if (flow->l4.tcp.http_stage == 2) { flow->l4.tcp.http_stage = 3; } else { flow->l4.tcp.http_stage = 0; } IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "HTTP response first or second packet scanned,new stage is: %u\n", flow->l4.tcp.http_stage); return; } else { IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "HTTP response next packet skipped\n"); } }
static void check_content_type_and_change_protocol(struct ipoque_detection_module_struct *ipoque_struct) { #ifdef IPOQUE_PROTOCOL_MPEG struct ipoque_packet_struct *packet = &ipoque_struct->packet; #endif #ifdef IPOQUE_PROTOCOL_AVI #endif // struct ipoque_id_struct *src=ipoque_struct->src; // struct ipoque_id_struct *dst=ipoque_struct->dst; u8 a; if (ipoque_struct->packet.content_line.ptr != NULL && ipoque_struct->packet.content_line.len != 0) { IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "Content Type Line found %.*s\n", ipoque_struct->packet.content_line.len, ipoque_struct->packet.content_line.ptr); #ifdef IPOQUE_PROTOCOL_MPEG if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(ipoque_struct->detection_bitmask, IPOQUE_PROTOCOL_MPEG) != 0) mpeg_parse_packet_contentline(ipoque_struct); #endif #ifdef IPOQUE_PROTOCOL_FLASH if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(ipoque_struct->detection_bitmask, IPOQUE_PROTOCOL_FLASH) != 0) flash_parse_packet_contentline(ipoque_struct); #endif #ifdef IPOQUE_PROTOCOL_QUICKTIME if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(ipoque_struct->detection_bitmask, IPOQUE_PROTOCOL_QUICKTIME) != 0) qt_parse_packet_contentline(ipoque_struct); #endif #ifdef IPOQUE_PROTOCOL_REALMEDIA if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(ipoque_struct->detection_bitmask, IPOQUE_PROTOCOL_REALMEDIA) != 0) realmedia_parse_packet_contentline(ipoque_struct); #endif #ifdef IPOQUE_PROTOCOL_WINDOWSMEDIA if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(ipoque_struct->detection_bitmask, IPOQUE_PROTOCOL_WINDOWSMEDIA) != 0) windowsmedia_parse_packet_contentline(ipoque_struct); #endif #ifdef IPOQUE_PROTOCOL_MMS if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(ipoque_struct->detection_bitmask, IPOQUE_PROTOCOL_MMS) != 0) mms_parse_packet_contentline(ipoque_struct); #endif #ifdef IPOQUE_PROTOCOL_OFF if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(ipoque_struct->detection_bitmask, IPOQUE_PROTOCOL_OFF) != 0) off_parse_packet_contentline(ipoque_struct); #endif #ifdef IPOQUE_PROTOCOL_OGG if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(ipoque_struct->detection_bitmask, IPOQUE_PROTOCOL_OGG) != 0) ogg_parse_packet_contentline(ipoque_struct); #endif #ifdef IPOQUE_PROTOCOL_MOVE if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(ipoque_struct->detection_bitmask, IPOQUE_PROTOCOL_MOVE) != 0) move_parse_packet_contentline(ipoque_struct); #endif } /* check user agent here too */ if (ipoque_struct->packet.user_agent_line.ptr != NULL && ipoque_struct->packet.user_agent_line.len != 0) { IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "User Agent Type Line found %.*s\n", ipoque_struct->packet.user_agent_line.len, ipoque_struct->packet.user_agent_line.ptr); #ifdef IPOQUE_PROTOCOL_XBOX if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(ipoque_struct->detection_bitmask, IPOQUE_PROTOCOL_XBOX) != 0) xbox_parse_packet_useragentline(ipoque_struct); #endif #ifdef IPOQUE_PROTOCOL_WINDOWSMEDIA if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(ipoque_struct->detection_bitmask, IPOQUE_PROTOCOL_WINDOWSMEDIA) != 0) winmedia_parse_packet_useragentline(ipoque_struct); #endif } /* check for host line */ if (ipoque_struct->packet.host_line.ptr != NULL) { IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "HOST Line found %.*s\n", ipoque_struct->packet.host_line.len, ipoque_struct->packet.host_line.ptr); #ifdef IPOQUE_PROTOCOL_QQ if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(ipoque_struct->detection_bitmask, IPOQUE_PROTOCOL_QQ) != 0) { qq_parse_packet_URL_and_hostname(ipoque_struct); } #endif #ifdef HAVE_NTOP parseHttpSubprotocol(ipoque_struct); #endif } /* check for accept line */ if (ipoque_struct->packet.accept_line.ptr != NULL) { IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "Accept Line found %.*s\n", ipoque_struct->packet.accept_line.len, ipoque_struct->packet.accept_line.ptr); #ifdef IPOQUE_PROTOCOL_RTSP if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(ipoque_struct->detection_bitmask, IPOQUE_PROTOCOL_RTSP) != 0) { rtsp_parse_packet_acceptline(ipoque_struct); } #endif } /* search for line startin with "Icy-MetaData" */ #ifdef IPOQUE_PROTOCOL_MPEG for (a = 0; a < packet->parsed_lines; a++) { if (packet->line[a].len > 11 && memcmp(packet->line[a].ptr, "Icy-MetaData", 12) == 0) { IPQ_LOG(IPOQUE_PROTOCOL_MPEG, ipoque_struct, IPQ_LOG_DEBUG, "MPEG: Icy-MetaData found.\n"); ipoque_int_http_add_connection(ipoque_struct, IPOQUE_PROTOCOL_MPEG); return; } } #ifdef IPOQUE_PROTOCOL_AVI #endif #endif }
void ipoque_search_pplive_tcp_udp(struct ipoque_detection_module_struct *ipoque_struct) { struct ipoque_packet_struct *packet = &ipoque_struct->packet; struct ipoque_flow_struct *flow = ipoque_struct->flow; struct ipoque_id_struct *src = ipoque_struct->src; struct ipoque_id_struct *dst = ipoque_struct->dst; u16 a; IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "search pplive.\n"); if (packet->udp != NULL) { if (src != NULL && src->pplive_vod_cli_port == packet->udp->source && IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, IPOQUE_PROTOCOL_PPLIVE)) { if (src->pplive_last_packet_time_set == 1 && (IPOQUE_TIMESTAMP_COUNTER_SIZE) (packet->tick_timestamp - src->pplive_last_packet_time) < ipoque_struct->pplive_connection_timeout) { ipoque_int_pplive_add_connection(ipoque_struct); src->pplive_last_packet_time_set = 1; src->pplive_last_packet_time = packet->tick_timestamp; IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "timestamp src.\n"); return; } else { src->pplive_vod_cli_port = 0; src->pplive_last_packet_time = 0; IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "PPLIVE: VOD port timer reset.\n"); } } if (dst != NULL && dst->pplive_vod_cli_port == packet->udp->dest && IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, IPOQUE_PROTOCOL_PPLIVE)) { if (dst->pplive_last_packet_time_set == 1 && (IPOQUE_TIMESTAMP_COUNTER_SIZE) (packet->tick_timestamp - dst->pplive_last_packet_time) < ipoque_struct->pplive_connection_timeout) { ipoque_int_pplive_add_connection(ipoque_struct); dst->pplive_last_packet_time_set = 1; dst->pplive_last_packet_time = packet->tick_timestamp; IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "timestamp dst.\n"); return; } else { dst->pplive_last_packet_time_set = 0; dst->pplive_vod_cli_port = 0; dst->pplive_last_packet_time = 0; IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "PPLIVE: VOD port timer reset.\n"); } } if ((packet->payload_packet_len >= 76) && ((packet->payload[0] == 0x01) || (packet->payload[0] == 0x18) || (packet->payload[0] == 0x05)) && (packet->payload[1] == 0x00) && get_l32(packet->payload, 12) == 0 && (packet->payload[16] == 0 || packet->payload[16] == 1) && (packet->payload[17] == 0) && (packet->payload[24] == 0xac)) { IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "found pplive.\n"); ipoque_int_pplive_add_connection(ipoque_struct); return; } if (packet->payload_packet_len > 50 && packet->payload[0] == 0xe9 && packet->payload[1] == 0x03 && (packet->payload[3] == 0x00 || packet->payload[3] == 0x01) && packet->payload[4] == 0x98 && packet->payload[5] == 0xab && packet->payload[6] == 0x01 && packet->payload[7] == 0x02) { IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "found pplive.\n"); ipoque_int_pplive_add_connection(ipoque_struct); return; } if (packet->payload_packet_len == 94 && packet->payload[8] == 0x00 && get_u32(packet->payload, 9) == ntohl(0x02010000) && get_u32(packet->payload, 58) == ntohl(0xb1130000)) { IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "found pplive.\n"); ipoque_int_pplive_add_connection(ipoque_struct); return; } if ((packet->payload_packet_len >= 90 && packet->payload_packet_len <= 110) && (packet->payload[0] >= 0x0a && packet->payload[0] <= 0x0f) && get_u32(packet->payload, 86) == 0) { int i; for (i = 56; i < 68; i += 2) { if ((get_u32(packet->payload, i) == ntohl(0x4fde7e7f)) && (get_u16(packet->payload, i + 4) == 0)) { IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "found pplive through " "bitpattern 4f de 7e 7f 00 00.\n"); ipoque_int_pplive_add_connection(ipoque_struct); return; } } } if (flow->packet_counter < 5 && !flow->pplive_stage) { /* With in 1st 4 packets */ if (((packet->payload_packet_len >= 90 && packet->payload_packet_len <= 110) && (!get_u32(packet->payload, packet->payload_packet_len - 16) || !get_u32(packet->payload, packet->payload_packet_len - 4))) ) { flow->pplive_stage = 2; /* Now start looking for size(28 | 30) */ IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "Maybe found pplive packet. Now start looking for size(28 | 30).\n"); } if (68 == packet->payload_packet_len && get_l16(packet->payload, 0) == 0x21 && packet->payload[19] == packet->payload[20] && packet->payload[20] == packet->payload[21] && packet->payload[12] == packet->payload[13] && packet->payload[14] == packet->payload[15]) { flow->pplive_stage = 3 + packet->packet_direction; } IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "need next packet I.\n"); return; } if (flow->pplive_stage == 3 + packet->packet_direction) { /* Because we are expecting packet in reverese direction.. */ IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "need next packet II.\n"); return; } if (flow->pplive_stage == (4 - packet->packet_direction) && packet->payload_packet_len > 67 && (get_l16(packet->payload, 0) == 0x21 || (get_l16(packet->payload, 0) == 0x22 && !get_l16(packet->payload, 28)))) { if (dst != NULL) { dst->pplive_vod_cli_port = packet->udp->dest; IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "PPLIVE: VOD Port marked %u.\n", ntohs(packet->udp->dest)); dst->pplive_last_packet_time = packet->tick_timestamp; dst->pplive_last_packet_time_set = 1; } IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "found pplive.\n"); ipoque_int_pplive_add_connection(ipoque_struct); return; } if (flow->pplive_stage == 2) { if ((packet->payload_packet_len == 30 && (packet->payload[0] == 0x02 || packet->payload[0] == 0x03) && get_u32(packet->payload, 21) == ntohl(0x00000001)) || (packet->payload_packet_len == 28 && (packet->payload[0] == 0x01 || packet->payload[0] == 0x00) && (get_u32(packet->payload, 19) == ntohl(0x00000001)))) { IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "found pplive.\n"); ipoque_int_pplive_add_connection(ipoque_struct); return; } if (flow->packet_counter < 45) { IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "need next packet III.\n"); return; } } } else if (packet->tcp != NULL) { IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "PPLIVE: TCP found, plen = %d, stage = %d, payload[0] = %x, payload[1] = %x, payload[2] = %x, payload[3] = %x \n", packet->payload_packet_len, flow->pplive_stage, packet->payload[0], packet->payload[1], packet->payload[2], packet->payload[3]); if (src != NULL && src->pplive_vod_cli_port == packet->tcp->source && IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, IPOQUE_PROTOCOL_PPLIVE)) { if (src->pplive_last_packet_time_set == 1 && (IPOQUE_TIMESTAMP_COUNTER_SIZE) (packet->tick_timestamp - src->pplive_last_packet_time) < ipoque_struct->pplive_connection_timeout) { ipoque_int_pplive_add_connection(ipoque_struct); src->pplive_last_packet_time_set = 1; src->pplive_last_packet_time = packet->tick_timestamp; IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "timestamp src.\n"); return; } else { src->pplive_vod_cli_port = 0; src->pplive_last_packet_time = 0; IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "PPLIVE: VOD port timer reset.\n"); } } if (dst != NULL && dst->pplive_vod_cli_port == packet->tcp->dest && IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, IPOQUE_PROTOCOL_PPLIVE)) { if (dst->pplive_last_packet_time_set == 1 && (IPOQUE_TIMESTAMP_COUNTER_SIZE) (packet->tick_timestamp - dst->pplive_last_packet_time) < ipoque_struct->pplive_connection_timeout) { flow->detected_protocol = IPOQUE_PROTOCOL_PPLIVE; packet->detected_protocol = IPOQUE_PROTOCOL_PPLIVE; dst->pplive_last_packet_time_set = 1; dst->pplive_last_packet_time = packet->tick_timestamp; IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "timestamp dst.\n"); return; } else { dst->pplive_last_packet_time_set = 0; dst->pplive_vod_cli_port = 0; dst->pplive_last_packet_time = 0; IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "PPLIVE: VOD port timer reset.\n"); } } if (packet->payload_packet_len > 4 && memcmp(packet->payload, "GET /", 5) == 0) { ipq_parse_packet_line_info(ipoque_struct); if (packet->parsed_lines == 8 && packet->line[0].ptr != NULL && packet->line[0].len >= 8 && memcmp(&packet->payload[packet->line[0].len - 8], "HTTP/1.", 7) == 0 && packet->line[2].ptr != NULL && packet->line[2].len >= 16 && memcmp(packet->line[2].ptr, "x-flash-version:", 16) == 0 && packet->user_agent_line.ptr != NULL && packet->user_agent_line.len >= 11 && memcmp(packet->user_agent_line.ptr, "Mozilla/4.0", 11) == 0 && packet->line[6].ptr != NULL && packet->line[6].len >= 21 && memcmp(packet->line[6].ptr, "Pragma: Client=PPLive", 21) == 0) { IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "PPLIVE: found HTTP request.\n"); ipoque_int_pplive_add_connection(ipoque_struct); return; } else if (packet->parsed_lines == 6 && packet->line[0].ptr != NULL && packet->line[0].len >= 8 && memcmp(&packet->payload[packet->line[0].len - 8], "HTTP/1.", 7) == 0 && packet->user_agent_line.ptr != NULL && packet->user_agent_line.len >= 10 && memcmp(packet->user_agent_line.ptr, "PPLive DAC", 10) == 0) { IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "PPLIVE: found HTTP request.\n"); ipoque_int_pplive_add_connection(ipoque_struct); return; } } // searches for packets > 20 byte that begin with a hex number == packet->payload_packet_len - 4 // and with the same number at position 16, 17, 18, 19 if (packet->payload_packet_len > 20 && ntohl(get_u32(packet->payload, 0)) == packet->payload_packet_len - 4) { if (packet->payload[4] == 0x21 && packet->payload[5] == 0x00) { if ((packet->payload[9] == packet->payload[10]) && (packet->payload[9] == packet->payload[11])) { if ((packet->payload[16] == packet->payload[17]) && (packet->payload[16] == packet->payload[18]) && (packet->payload[16] == packet->payload[19])) { IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "PPLIVE: direct server request or response found\n"); ipoque_int_pplive_add_connection(ipoque_struct); return; } } } } // stage > 0, packet begins with 21 00, bytes at positions 5, 6, 7 are equal, bytes at positions 12, 13, 14, 15 are equal, if (packet->payload_packet_len > 20 && flow->pplive_stage) { if (packet->payload[0] == 0x21 && packet->payload[1] == 0x00) { if (packet->payload[5] == packet->payload[6] && packet->payload[5] == packet->payload[7]) { if (packet->payload[12] == packet->payload[13] && packet->payload[14] == packet->payload[15] && packet->payload[12] == packet->payload[14]) { IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "PPLIVE: direct server request or response found\n"); ipoque_int_pplive_add_connection(ipoque_struct); return; } } } } // packet (len>11) begins with a hex number == packet->payload_packet_len - 4 and matches certain bitmuster if (packet->payload_packet_len > 11 && ntohl(get_u32(packet->payload, 0)) == packet->payload_packet_len - 4) { if (packet->payload[4] == 0xe9 && packet->payload[5] == 0x03 && ((packet->payload[7] == packet->payload[10]) || (packet->payload[7] == packet->payload[11]))) { IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "PPLIVE: direct server request or response found\n"); ipoque_int_pplive_add_connection(ipoque_struct); return; } } // stage > 0, len>10, begins with e9 03, matches certain pattern if (packet->payload_packet_len > 10 && flow->pplive_stage) { if (packet->payload[0] == 0xe9 && packet->payload[1] == 0x03 && ((packet->payload[3] == packet->payload[6]) || (packet->payload[3] == packet->payload[7]))) { IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "PPLIVE: direct server request or response found\n"); ipoque_int_pplive_add_connection(ipoque_struct); return; } } /* Adware in the PPLive Client -> first TCP Packet has length of 4 Bytes -> 2nd TCP Packet has length of 96 Bytes */ /* or */ /* Peer-List Requests over TCP -> first Packet has length of 4 Bytes -> 2nd TCP Packet has length of 71 Bytes */ /* there are different possibilities of the order of the packets */ IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "PPLIVE: TCP found, plen = %d, stage = %d, payload[0] = %x, payload[1] = %x, payload[2] = %x, payload[3] = %x \n", packet->payload_packet_len, flow->pplive_stage, packet->payload[0], packet->payload[1], packet->payload[2], packet->payload[3]); /* generic pplive detection (independent of the stage) !!! */ // len > 11, packet begins with a hex number == packet->payload_packet_len - 4, pattern: ?? ?? ?? ?? 21 00 ?? ?? 98 ab 01 02 if (packet->payload_packet_len > 11 && ntohl(get_u32(packet->payload, 0)) == packet->payload_packet_len - 4) { if (packet->payload[4] == 0x21 && packet->payload[5] == 0x00 && ((packet->payload[8] == 0x98 && packet->payload[9] == 0xab && packet->payload[10] == 0x01 && packet->payload[11] == 0x02) )) { IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "PPLIVE: direct server request or response found\n"); ipoque_int_pplive_add_connection(ipoque_struct); return; } // packet 4 to 19 have a hex representation from 0x30 to 0x39 if (packet->payload_packet_len > 20) { a = 4; while (a < 20) { if (packet->payload[a] >= '0' && packet->payload[a] <= '9') { if (a == 19) { IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "PPLIVE: direct new header format found\n"); ipoque_int_pplive_add_connection(ipoque_struct); return; } else { a++; } } else { break; } } } } /* 1st and 2nd (KD: ??????? )Packet of Client is 4 Byte */ // stage == 0, p_len == 4, pattern: 04 00 00 00 --> need next packet if (flow->pplive_stage == 0) { if (packet->payload_packet_len == 4 && packet->payload[0] > 0x04 && packet->payload[1] == 0x00 && packet->payload[2] == 0x00 && packet->payload[3] == 0x00) { IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "PPLIVE: 4Byte TCP Packet Request found \n"); /* go to the 2nd Client Packet */ flow->pplive_stage = 1 + packet->packet_direction; flow->pplive_next_packet_size[packet->packet_direction] = packet->payload[0]; IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "need next packet i.\n"); return; } } else if (flow->pplive_stage == 2 - packet->packet_direction) { if (packet->payload_packet_len == 4 && packet->payload[0] > 0x04 && packet->payload[1] == 0x00 && packet->payload[2] == 0x00 && packet->payload[3] == 0x00) { IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "PPLIVE: 4Byte TCP Packet Response found \n"); /* go to the 2nd Client Packet */ flow->pplive_next_packet_size[packet->packet_direction] = packet->payload[0]; } flow->pplive_stage = 3; IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "need next packet ii.\n"); return; } else if (flow->pplive_stage == 1 + packet->packet_direction || flow->pplive_stage == 3) { if (packet->payload_packet_len > 7 && flow->pplive_next_packet_size[packet->packet_direction] >= 4) { if (packet->payload_packet_len == flow->pplive_next_packet_size[packet->packet_direction]) { if (packet->payload[0] == 0xe9 && packet->payload[1] == 0x03 && ((packet->payload[4] == 0x98 && packet->payload[5] == 0xab && packet->payload[6] == 0x01 && packet->payload[7] == 0x02) )) { IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "PPLIVE: two packet response found\n"); IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "found pplive over tcp with pattern iii.\n"); ipoque_int_pplive_add_connection(ipoque_struct); return; } // packet 4 to 19 have a hex representation from 0x30 to 0x39 if (packet->payload_packet_len > 16) { a = 0; while (a < 16) { if (packet->payload[a] >= '0' && packet->payload[a] <= '9') { if (a == 15) { IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "PPLIVE: new header format found\n"); IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "found pplive over tcp with pattern v.\n"); ipoque_int_pplive_add_connection(ipoque_struct); return; } else { a++; } } else { break; } } } // p_len>79 and a lot of 00 in the end if (packet->payload_packet_len > 79 && get_u32(packet->payload, packet->payload_packet_len - 9) == 0x00000000 && get_u32(packet->payload, packet->payload_packet_len - 5) == 0x00000000) { IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "PPLIVE: Last 8 NULL bytes found.\n"); IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "found pplive over tcp with pattern vi.\n"); ipoque_int_pplive_add_connection(ipoque_struct); return; } } if (packet->payload_packet_len > flow->pplive_next_packet_size[packet->packet_direction]) { if (packet->payload[0] == 0xe9 && packet->payload[1] == 0x03 && packet->payload[4] == 0x98 && packet->payload[5] == 0xab && packet->payload[6] == 0x01 && packet->payload[7] == 0x02) { a = flow->pplive_next_packet_size[packet->packet_direction]; IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "a=%u.\n", a); if (packet->payload_packet_len > a + 4 && packet->payload[a + 2] == 0x00 && packet->payload[a + 3] == 0x00 && packet->payload[a] != 0) { a += ((packet->payload[a + 1] << 8) + packet->payload[a] + 4); IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "a=%u.\n", a); if (packet->payload_packet_len == a) { IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "found pplive over tcp with pattern vii.\n"); ipoque_int_pplive_add_connection(ipoque_struct); return; } if (packet->payload_packet_len > a + 4 && packet->payload[a + 2] == 0x00 && packet->payload[a + 3] == 0x00 && packet->payload[a] != 0) { a += ((packet->payload[a + 1] << 8) + packet->payload[a] + 4); if (packet->payload_packet_len == a) { IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "found pplive over tcp with pattern viii.\n"); ipoque_int_pplive_add_connection(ipoque_struct); return; } } } } } } } } IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "exclude pplive.\n"); IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_PPLIVE); }
/* this function searches for a rtsp-"handshake" over tcp or udp. */ void ipoque_search_rtsp_tcp_udp(struct ipoque_detection_module_struct *ipoque_struct) { struct ipoque_packet_struct *packet = &ipoque_struct->packet; struct ipoque_flow_struct *flow = ipoque_struct->flow; struct ipoque_id_struct *src = ipoque_struct->src; struct ipoque_id_struct *dst = ipoque_struct->dst; IPQ_LOG(IPOQUE_PROTOCOL_RTSP, ipoque_struct, IPQ_LOG_DEBUG, "calling ipoque_search_rtsp_tcp_udp.\n"); if (flow->rtsprdt_stage == 0 #ifdef IPOQUE_PROTOCOL_RTCP && !(packet->detected_protocol_stack[0] == IPOQUE_PROTOCOL_RTCP) #endif ) { flow->rtsprdt_stage = 1 + packet->packet_direction; IPQ_LOG(IPOQUE_PROTOCOL_RTSP, ipoque_struct, IPQ_LOG_DEBUG, "maybe handshake 1; need next packet, return.\n"); return; } if (flow->packet_counter < 3 && flow->rtsprdt_stage == 1 + packet->packet_direction) { IPQ_LOG(IPOQUE_PROTOCOL_RTSP, ipoque_struct, IPQ_LOG_DEBUG, "maybe handshake 2; need next packet.\n"); return; } if (packet->payload_packet_len > 20 && flow->rtsprdt_stage == 2 - packet->packet_direction) { // RTSP Server Message if (memcmp(packet->payload, "RTSP/1.0 ", 9) == 0) { IPQ_LOG(IPOQUE_PROTOCOL_RTSP, ipoque_struct, IPQ_LOG_DEBUG, "found RTSP/1.0 .\n"); if (dst != NULL) { IPQ_LOG(IPOQUE_PROTOCOL_RTSP, ipoque_struct, IPQ_LOG_DEBUG, "found dst.\n"); ipq_packet_src_ip_get(packet, &dst->rtsp_ip_address); dst->rtsp_timer = packet->tick_timestamp; dst->rtsp_ts_set = 1; } if (src != NULL) { IPQ_LOG(IPOQUE_PROTOCOL_RTSP, ipoque_struct, IPQ_LOG_DEBUG, "found src.\n"); ipq_packet_dst_ip_get(packet, &src->rtsp_ip_address); src->rtsp_timer = packet->tick_timestamp; src->rtsp_ts_set = 1; } IPQ_LOG(IPOQUE_PROTOCOL_RTSP, ipoque_struct, IPQ_LOG_DEBUG, "found RTSP.\n"); flow->rtsp_control_flow = 1; ipoque_int_rtsp_add_connection(ipoque_struct, IPOQUE_REAL_PROTOCOL); return; } } if (packet->udp != NULL && packet->detected_protocol_stack[0] == IPOQUE_PROTOCOL_UNKNOWN && ((IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_RTP) == 0) #ifdef IPOQUE_PROTOCOL_RTCP || (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_RTCP) == 0) #endif )) { IPQ_LOG(IPOQUE_PROTOCOL_RTSP, ipoque_struct, IPQ_LOG_DEBUG, "maybe RTSP RTP, RTSP RTCP, RDT; need next packet.\n"); return; } IPQ_LOG(IPOQUE_PROTOCOL_RTSP, ipoque_struct, IPQ_LOG_DEBUG, "didn't find handshake, exclude.\n"); IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_RTSP); return; }
static void ipoque_int_edonkey_tcp(struct ipoque_detection_module_struct *ipoque_struct) { struct ipoque_packet_struct *packet = &ipoque_struct->packet; struct ipoque_flow_struct *flow = ipoque_struct->flow; int edk_stage2_len; /*len range increase if safe mode and also only once */ if (ipoque_struct->edonkey_safe_mode == 0) edk_stage2_len = 140; else if (!flow->l4.tcp.edk_ext || packet->payload_packet_len == 212) { edk_stage2_len = 300; } else edk_stage2_len = 140; /* skip excluded connections */ if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_EDONKEY) != 0) return; /* source and dst port must be 80 443 or > 1024 */ if (ipoque_struct->edonkey_upper_ports_only != 0) { u16 port; port = ntohs(packet->tcp->source); /* source and dst port must be 80 443 or > 1024 */ if (port < 1024 && port != 80 && port != 443) goto exclude_edk_tcp; port = ntohs(packet->tcp->dest); if (port < 1024 && port != 80 && port != 443) goto exclude_edk_tcp; } /* return here for empty packets, we needed them only for bt port detection */ if (packet->payload_packet_len == 0) return; /* skip marked packets */ if (flow->edk_stage == 0 && packet->detected_protocol_stack[0] != IPOQUE_PROTOCOL_UNKNOWN) return; /* first: check for unencrypted traffic */ if (flow->edk_stage == 0) { /* check for client hello */ if (packet->payload_packet_len >= 32 && get_l32(packet->payload, 1) <= (packet->payload_packet_len - 5) && (packet->payload[0] == 0xe3 || packet->payload[0] == 0xc5)) { if (packet->payload[5] == 0x01 && ((packet->payload[6] == 0x10 && get_l32(packet->payload, 29) < 0x0F) || (get_l32(packet->payload, 28) > 0x00 && get_l32(packet->payload, 28) < 0x0F))) { IPQ_LOG_EDONKEY(IPOQUE_PROTOCOL_EDONKEY, ipoque_struct, IPQ_LOG_DEBUG, "edk hello meta tag recognized\n"); flow->edk_stage = 16 + packet->packet_direction; return; } } } if ((17 - packet->packet_direction) == flow->edk_stage) { if ((packet->payload_packet_len >= 32 && get_l32(packet->payload, 1) == 9 && (packet->payload[0] == 0xe3) && packet->payload[5] == 0x40) || (packet->payload_packet_len >= 32 && (packet->payload[0] == 0xe3) && packet->payload[5] == 0x40 && check_edk_len(packet->payload, packet->payload_packet_len)) || (packet->payload_packet_len >= 32 && packet->payload[0] == 0xe3 && packet->payload[5] == 0x4c && (get_l32(packet->payload, 1) == (packet->payload_packet_len - 5) || check_edk_len(packet->payload, packet->payload_packet_len))) || (packet->payload_packet_len >= 32 && get_l32(packet->payload, 1) == (packet->payload_packet_len - 5) && packet->payload[0] == 0xe3 && packet->payload[5] == 0x38) || (packet->payload_packet_len >= 20 && get_l32(packet->payload, 1) == (packet->payload_packet_len - 5) && packet->payload[0] == 0xc5 && packet->payload[5] == 0x92) || (packet->payload_packet_len >= 20 && get_l32(packet->payload, 1) <= (packet->payload_packet_len - 5) && packet->payload[0] == 0xe3 && packet->payload[5] == 0x58) || (packet->payload_packet_len >= 20 && get_l32(packet->payload, 1) <= (packet->payload_packet_len - 5) && (packet->payload[0] == 0xe3 || packet->payload[0] == 0xc5) && packet->payload[5] == 0x01)) { IPQ_LOG_EDONKEY(IPOQUE_PROTOCOL_EDONKEY, ipoque_struct, IPQ_LOG_DEBUG, "edk 17: detected plain detection\n"); ipoque_add_connection_as_edonkey(ipoque_struct, IPOQUE_PROTOCOL_SAFE_DETECTION, IPOQUE_PROTOCOL_PLAIN_DETECTION); return; } IPQ_LOG_EDONKEY(IPOQUE_PROTOCOL_EDONKEY, ipoque_struct, IPQ_LOG_DEBUG, "edk 17: id: %u, %u, %u not detected\n", packet->payload[0], get_l32(packet->payload, 1), packet->payload[5]); } exclude_edk_tcp: IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_EDONKEY); return; }
static void ssl_mark_and_payload_search_for_other_protocols(struct ipoque_detection_module_struct *ipoque_struct) { #if defined(IPOQUE_PROTOCOL_SOFTETHER) || defined(IPOQUE_PROTOCOL_MEEBO)|| defined(IPOQUE_PROTOCOL_TOR) || defined(IPOQUE_PROTOCOL_VPN_X) || defined(IPOQUE_PROTOCOL_UNENCRYPED_JABBER) || defined (IPOQUE_PROTOCOL_OOVOO) || defined (IPOQUE_PROTOCOL_ISKOOT) || defined (IPOQUE_PROTOCOL_OSCAR) || defined (IPOQUE_PROTOCOL_ITUNES) || defined (IPOQUE_PROTOCOL_GMAIL) struct ipoque_packet_struct *packet = &ipoque_struct->packet; #ifdef IPOQUE_PROTOCOL_ISKOOT struct ipoque_flow_struct *flow = ipoque_struct->flow; #endif // struct ipoque_id_struct *src=ipoque_struct->src; // struct ipoque_id_struct *dst=ipoque_struct->dst; u32 a; u32 end; #if defined(IPOQUE_PROTOCOL_UNENCRYPED_JABBER) if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(ipoque_struct->detection_bitmask, IPOQUE_PROTOCOL_UNENCRYPED_JABBER) != 0) goto check_for_ssl_payload; #endif #if defined(IPOQUE_PROTOCOL_OSCAR) if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(ipoque_struct->detection_bitmask, IPOQUE_PROTOCOL_OSCAR) != 0) goto check_for_ssl_payload; #endif #if defined(IPOQUE_PROTOCOL_GADUGADU) if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(ipoque_struct->detection_bitmask, IPOQUE_PROTOCOL_GADUGADU) != 0) goto check_for_ssl_payload; #endif goto no_check_for_ssl_payload; check_for_ssl_payload: end = packet->payload_packet_len - 20; for (a = 5; a < end; a++) { #ifdef IPOQUE_PROTOCOL_UNENCRYPED_JABBER if (packet->payload[a] == 't') { if (memcmp(&packet->payload[a], "talk.google.com", 15) == 0) { IPQ_LOG(IPOQUE_PROTOCOL_UNENCRYPED_JABBER, ipoque_struct, IPQ_LOG_DEBUG, "ssl jabber packet match\n"); if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK (ipoque_struct->detection_bitmask, IPOQUE_PROTOCOL_UNENCRYPED_JABBER) != 0) { ipoque_int_ssl_add_connection(ipoque_struct, IPOQUE_PROTOCOL_UNENCRYPED_JABBER); return; } } } #endif #ifdef IPOQUE_PROTOCOL_OSCAR if (packet->payload[a] == 'A' || packet->payload[a] == 'k' || packet->payload[a] == 'c' || packet->payload[a] == 'h') { if (((a + 19) < packet->payload_packet_len && memcmp(&packet->payload[a], "America Online Inc.", 19) == 0) // || (end - c > 3 memcmp (&packet->payload[c],"AOL", 3) == 0 ) // || (end - c > 7 && memcmp (&packet->payload[c], "AOL LLC", 7) == 0) || ((a + 15) < packet->payload_packet_len && memcmp(&packet->payload[a], "kdc.uas.aol.com", 15) == 0) || ((a + 14) < packet->payload_packet_len && memcmp(&packet->payload[a], "*****@*****.**", 14) == 0) || ((a + 41) < packet->payload_packet_len && memcmp(&packet->payload[a], "http://crl.aol.com/AOLMSPKI/aolServerCert", 41) == 0) || ((a + 28) < packet->payload_packet_len && memcmp(&packet->payload[a], "http://ocsp.web.aol.com/ocsp", 28) == 0) || ((a + 32) < packet->payload_packet_len && memcmp(&packet->payload[a], "http://pki-info.aol.com/AOLMSPKI", 32) == 0)) { IPQ_LOG(IPOQUE_PROTOCOL_OSCAR, ipoque_struct, IPQ_LOG_DEBUG, "OSCAR SERVER SSL DETECTED\n"); if (ipoque_struct->dst != NULL && packet->payload_packet_len > 75) { memcpy(ipoque_struct->dst->oscar_ssl_session_id, &packet->payload[44], 32); ipoque_struct->dst->oscar_ssl_session_id[32] = '\0'; ipoque_struct->dst->oscar_last_safe_access_time = packet->tick_timestamp; } ipoque_int_ssl_add_connection(ipoque_struct, IPOQUE_PROTOCOL_OSCAR); return; } } if (packet->payload[a] == 'm' || packet->payload[a] == 's') { if ((a + 21) < packet->payload_packet_len && (memcmp(&packet->payload[a], "my.screenname.aol.com", 21) == 0 || memcmp(&packet->payload[a], "sns-static.aolcdn.com", 21) == 0)) { IPQ_LOG(IPOQUE_PROTOCOL_OSCAR, ipoque_struct, IPQ_LOG_DEBUG, "OSCAR SERVER SSL DETECTED\n"); ipoque_int_ssl_add_connection(ipoque_struct, IPOQUE_PROTOCOL_OSCAR); return; } } #endif } no_check_for_ssl_payload: #endif IPQ_LOG(IPOQUE_PROTOCOL_SSL, ipoque_struct, IPQ_LOG_DEBUG, "found ssl connection.\n"); ipoque_int_ssl_add_connection(ipoque_struct, IPOQUE_PROTOCOL_SSL); }