static void check_http_payload(struct ipoque_detection_module_struct *ipoque_struct)
{
IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "called check_http_payload.\n");
#ifdef IPOQUE_PROTOCOL_FLASH
if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(ipoque_struct->detection_bitmask, IPOQUE_PROTOCOL_FLASH) != 0)
flash_check_http_payload(ipoque_struct);
#endif
#ifdef IPOQUE_PROTOCOL_AVI
if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(ipoque_struct->detection_bitmask, IPOQUE_PROTOCOL_AVI) != 0)
avi_check_http_payload(ipoque_struct);
#endif
}
/* this function deals with UDP connections */
static void ipoque_search_rdt_connection(struct ipoque_detection_module_struct
*ipoque_struct)
{
struct ipoque_packet_struct *packet = &ipoque_struct->packet;
struct ipoque_id_struct *src = ipoque_struct->src;
// struct ipoque_id_struct *dst = ipoque_struct->dst;
IPQ_LOG(IPOQUE_PROTOCOL_RTSP, ipoque_struct, IPQ_LOG_DEBUG, "found UDP\n");
if (src != NULL) {
// UDP packets, check in case of timeout, bitmask, packet length and payload -> search the RDT Request which has the type 0xff03
if (src->rtsp_ts_set == 1
&& ((IPOQUE_TIMESTAMP_COUNTER_SIZE) (packet->tick_timestamp - src->rtsp_timer)) <
ipoque_struct->rtsp_connection_timeout) {
if (ipq_packet_dst_ip_eql(packet, &src->rtsp_ip_address)
&& IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, IPOQUE_PROTOCOL_RTSP) != 0) {
if (packet->payload_packet_len == 3 && packet->payload[0] == 0x00 && packet->payload[1] == 0xff
&& packet->payload[2] == 0x03) {
IPQ_LOG(IPOQUE_PROTOCOL_RTSP, ipoque_struct, IPQ_LOG_DEBUG, "found RTSP RDT.\n");
ipoque_int_rtsp_add_connection(ipoque_struct);
return;
}
}
} else {
src->rtsp_ts_set = 0;
}
}
IPQ_LOG(IPOQUE_PROTOCOL_RTSP, ipoque_struct, IPQ_LOG_DEBUG, "didn't find RDT stream.\n");
return;
}
static void
opendpi_mt4_save(const void *entry, const struct xt_entry_match *match)
{
const struct xt_opendpi_mtinfo *info = (const void *)match->data;
int i;
for (i = 1; i <= IPOQUE_MAX_SUPPORTED_PROTOCOLS; i++){
if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(info->flags, i) != 0){
printf("--%s ", prot_short_str[i]);
}
}
}
void ipoque_search_mms_tcp(struct ipoque_detection_module_struct *ipoque_struct)
{
struct ipoque_packet_struct *packet = &ipoque_struct->packet;
struct ipoque_flow_struct *flow = ipoque_struct->flow;
// struct ipoque_id_struct *src=ipoque_struct->src;
// struct ipoque_id_struct *dst=ipoque_struct->dst;
/* search MSMMS packets */
if (packet->payload_packet_len >= 20) {
if (flow->l4.tcp.mms_stage == 0 && packet->payload[4] == 0xce
&& packet->payload[5] == 0xfa && packet->payload[6] == 0x0b
&& packet->payload[7] == 0xb0 && packet->payload[12] == 0x4d
&& packet->payload[13] == 0x4d && packet->payload[14] == 0x53 && packet->payload[15] == 0x20) {
IPQ_LOG(IPOQUE_PROTOCOL_MMS, ipoque_struct, IPQ_LOG_DEBUG, "MMS: MSMMS Request found \n");
flow->l4.tcp.mms_stage = 1 + packet->packet_direction;
return;
}
if (flow->l4.tcp.mms_stage == 2 - packet->packet_direction
&& packet->payload[4] == 0xce && packet->payload[5] == 0xfa
&& packet->payload[6] == 0x0b && packet->payload[7] == 0xb0
&& packet->payload[12] == 0x4d && packet->payload[13] == 0x4d
&& packet->payload[14] == 0x53 && packet->payload[15] == 0x20) {
IPQ_LOG(IPOQUE_PROTOCOL_MMS, ipoque_struct, IPQ_LOG_DEBUG, "MMS: MSMMS Response found \n");
ipoque_int_mms_add_connection(ipoque_struct);
return;
}
}
#ifdef IPOQUE_PROTOCOL_HTTP
if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_HTTP) != 0) {
#endif /* IPOQUE_PROTOCOL_HTTP */
IPQ_LOG(IPOQUE_PROTOCOL_MMS, ipoque_struct, IPQ_LOG_DEBUG, "MMS: exclude\n");
IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_MMS);
#ifdef IPOQUE_PROTOCOL_HTTP
} else {
IPQ_LOG(IPOQUE_PROTOCOL_MMS, ipoque_struct, IPQ_LOG_DEBUG, "MMS avoid early exclude from http\n");
}
#endif /* IPOQUE_PROTOCOL_HTTP */
}
static void ipoque_search_directconnect_udp(struct ipoque_detection_module_struct
*ipoque_struct)
{
struct ipoque_packet_struct *packet = &ipoque_struct->packet;
struct ipoque_flow_struct *flow = ipoque_struct->flow;
struct ipoque_id_struct *src = ipoque_struct->src;
struct ipoque_id_struct *dst = ipoque_struct->dst;
int pos, count = 0;
if (dst != NULL && dst->detected_directconnect_udp_port == packet->udp->dest) {
if ((IPOQUE_TIMESTAMP_COUNTER_SIZE)
(packet->tick_timestamp -
dst->directconnect_last_safe_access_time) < ipoque_struct->directconnect_connection_ip_tick_timeout) {
ipoque_int_add_connection(ipoque_struct, IPOQUE_PROTOCOL_DIRECTCONNECT, IPOQUE_REAL_PROTOCOL);
dst->directconnect_last_safe_access_time = packet->tick_timestamp;
IPQ_LOG(IPOQUE_PROTOCOL_DIRECTCONNECT, ipoque_struct,
IPQ_LOG_DEBUG, "marking using dc udp port\n %d", ntohs(dst->detected_directconnect_udp_port));
return;
} else {
dst->detected_directconnect_udp_port = 0;
IPQ_LOG(IPOQUE_PROTOCOL_DIRECTCONNECT, ipoque_struct,
IPQ_LOG_DEBUG, "resetting dst udp port due to timeout");
return;
}
}
if (packet->payload_packet_len > 58) {
if (src != NULL
&& IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, IPOQUE_PROTOCOL_DIRECTCONNECT)) {
if (packet->payload[0] == '$'
&& packet->payload[packet->payload_packet_len - 1] == '|'
&& memcmp(&packet->payload[1], "SR ", 3) == 0) {
pos = packet->payload_packet_len - 2;
if (packet->payload[pos] == ')') {
while (pos > 0 && packet->payload[pos] != '(' && count < 21) {
pos--;
count++;
}
if (packet->payload[pos] == '(') {
pos = pos - 44;
if (pos > 2 && memcmp(&packet->payload[pos], "TTH:", 4) == 0) {
IPQ_LOG(IPOQUE_PROTOCOL_DIRECTCONNECT, ipoque_struct, IPQ_LOG_DEBUG, "dc udp detected\n");
ipoque_int_directconnect_add_connection(ipoque_struct, DIRECT_CONNECT_TYPE_PEER);
return;
}
}
}
flow->directconnect_stage++;
if (flow->directconnect_stage < 3) {
return;
}
}
}
if (dst != NULL
&& IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, IPOQUE_PROTOCOL_DIRECTCONNECT)) {
if (packet->payload[0] == '$'
&& packet->payload[packet->payload_packet_len - 1] == '|'
&& memcmp(&packet->payload[1], "SR ", 3) == 0) {
pos = packet->payload_packet_len - 2;
if (packet->payload[pos] == ')') {
while (pos > 0 && packet->payload[pos] != '(' && count < 21) {
pos--;
count++;
}
if (packet->payload[pos] == '(') {
pos = pos - 44;
if (pos > 2 && memcmp(&packet->payload[pos], "TTH:", 4) == 0) {
IPQ_LOG(IPOQUE_PROTOCOL_DIRECTCONNECT, ipoque_struct, IPQ_LOG_DEBUG, "dc udp detected\n");
ipoque_int_directconnect_add_connection(ipoque_struct, DIRECT_CONNECT_TYPE_PEER);
return;
}
}
}
flow->directconnect_stage++;
if (flow->directconnect_stage < 3)
return;
}
}
}
IPQ_LOG(IPOQUE_PROTOCOL_DIRECTCONNECT, ipoque_struct, IPQ_LOG_DEBUG,
"excluded at stage %d \n", flow->directconnect_stage);
IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_DIRECTCONNECT);
}
void ipoque_search_soulseek_tcp(struct ipoque_detection_module_struct
*ipoque_struct)
{
struct ipoque_packet_struct *packet = &ipoque_struct->packet;
struct ipoque_flow_struct *flow = ipoque_struct->flow;
struct ipoque_id_struct *src = ipoque_struct->src;
struct ipoque_id_struct *dst = ipoque_struct->dst;
IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG, "Soulseek: search soulseec tcp \n");
if (packet->detected_protocol_stack[0] == IPOQUE_PROTOCOL_SOULSEEK) {
IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG, "packet marked as Soulseek\n");
if (src != NULL)
IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG,
" SRC bitmask: %u, packet tick %llu , last safe access timestamp: %llu\n",
IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, IPOQUE_PROTOCOL_SOULSEEK)
!= 0 ? 1 : 0, (u64) packet->tick_timestamp, (u64) src->soulseek_last_safe_access_time);
if (dst != NULL)
IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG,
" DST bitmask: %u, packet tick %llu , last safe ts: %llu\n",
IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, IPOQUE_PROTOCOL_SOULSEEK)
!= 0 ? 1 : 0, (u64) packet->tick_timestamp, (u64) dst->soulseek_last_safe_access_time);
if (packet->payload_packet_len == 431) {
if (dst != NULL) {
dst->soulseek_last_safe_access_time = packet->tick_timestamp;
}
return;
}
if (packet->payload_packet_len == 12 && get_l32(packet->payload, 4) == 0x02) {
if (src != NULL) {
src->soulseek_last_safe_access_time = packet->tick_timestamp;
if (packet->tcp != NULL && src->soulseek_listen_port == 0) {
src->soulseek_listen_port = get_l32(packet->payload, 8);
return;
}
}
}
if (src != NULL && ((IPOQUE_TIMESTAMP_COUNTER_SIZE)
(packet->tick_timestamp -
src->soulseek_last_safe_access_time) <
ipoque_struct->soulseek_connection_ip_tick_timeout)) {
IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG,
"Soulseek: SRC update last safe access time and SKIP_FOR_TIME \n");
src->soulseek_last_safe_access_time = packet->tick_timestamp;
}
if (dst != NULL && ((IPOQUE_TIMESTAMP_COUNTER_SIZE)
(packet->tick_timestamp -
dst->soulseek_last_safe_access_time) <
ipoque_struct->soulseek_connection_ip_tick_timeout)) {
IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG,
"Soulseek: DST update last safe access time and SKIP_FOR_TIME \n");
dst->soulseek_last_safe_access_time = packet->tick_timestamp;
}
}
if (dst != NULL && dst->soulseek_listen_port != 0 && dst->soulseek_listen_port == ntohs(packet->tcp->dest)
&& ((IPOQUE_TIMESTAMP_COUNTER_SIZE)
(packet->tick_timestamp - dst->soulseek_last_safe_access_time) <
ipoque_struct->soulseek_connection_ip_tick_timeout)) {
IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG,
"Soulseek: Plain detection on Port : %u packet_tick_timestamp: %u soulseeek_last_safe_access_time: %u soulseek_connection_ip_ticktimeout: %u\n",
dst->soulseek_listen_port, packet->tick_timestamp,
dst->soulseek_last_safe_access_time, ipoque_struct->soulseek_connection_ip_tick_timeout);
ipoque_int_soulseek_add_connection(ipoque_struct);
return;
}
if (flow->l4.tcp.soulseek_stage == 0) {
u32 index = 0;
if (packet->payload_packet_len >= 12 && packet->payload_packet_len < 300 && get_l32(packet->payload, 4) == 1) {
while (!get_u16(packet->payload, index + 2)
&& (index + get_l32(packet->payload, index)) < packet->payload_packet_len - 4) {
if (get_l32(packet->payload, index) < 8) /*Minimum soulsek login msg is 8B */
break;
if (index + get_l32(packet->payload, index) + 4 <= index) {
/* avoid overflow */
break;
}
index += get_l32(packet->payload, index) + 4;
}
if (index + get_l32(packet->payload, index) ==
packet->payload_packet_len - 4 && !get_u16(packet->payload, 10)) {
/*This structure seems to be soulseek proto */
index = get_l32(packet->payload, 8) + 12; // end of "user name"
if ((index + 4) <= packet->payload_packet_len && !get_u16(packet->payload, index + 2)) // for passwd len
{
index += get_l32(packet->payload, index) + 4; //end of "Passwd"
if ((index + 4 + 4) <= packet->payload_packet_len && !get_u16(packet->payload, index + 6)) // to read version,hashlen
{
index += get_l32(packet->payload, index + 4) + 8; // enf of "hash value"
if (index == get_l32(packet->payload, 0)) {
IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK,
ipoque_struct, IPQ_LOG_DEBUG, "Soulseek Login Detected\n");
ipoque_int_soulseek_add_connection(ipoque_struct);
return;
}
}
}
}
}
if (packet->payload_packet_len > 8
&& packet->payload_packet_len < 200 && get_l32(packet->payload, 0) == packet->payload_packet_len - 4) {
//Server Messages:
const u32 msgcode = get_l32(packet->payload, 4);
if (msgcode == 0x7d) {
flow->l4.tcp.soulseek_stage = 1 + packet->packet_direction;
IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG, "Soulseek Messages Search\n");
return;
} else if (msgcode == 0x02 && packet->payload_packet_len == 12) {
const u32 soulseek_listen_port = get_l32(packet->payload, 8);
if (src != NULL) {
src->soulseek_last_safe_access_time = packet->tick_timestamp;
if (packet->tcp != NULL && src->soulseek_listen_port == 0) {
src->soulseek_listen_port = soulseek_listen_port;
IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct,
IPQ_LOG_DEBUG, "\n Listen Port Saved : %u", src->soulseek_listen_port);
ipoque_int_soulseek_add_connection(ipoque_struct);
return;
}
}
}
//Peer Messages : Peer Init Message Detection
if (get_l32(packet->payload, 0) == packet->payload_packet_len - 4) {
const u32 typelen = get_l32(packet->payload, packet->payload_packet_len - 9);
const u8 type = packet->payload[packet->payload_packet_len - 5];
const u32 namelen = get_l32(packet->payload, 5);
if (packet->payload[4] == 0x01 && typelen == 1
&& namelen <= packet->payload_packet_len
&& (4 + 1 + 4 + namelen + 4 + 1 + 4) ==
packet->payload_packet_len && (type == 'F' || type == 'P' || type == 'D')) {
IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG, "soulseek detected\n");
ipoque_int_soulseek_add_connection(ipoque_struct);
return;
}
IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG, "1\n");
}
IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG, "3\n");
//Peer Message : Pierce Firewall
if (packet->payload_packet_len == 9 && get_l32(packet->payload, 0) == 5
&& packet->payload[4] <= 0x10 && get_u32(packet->payload, 5) != 0x00000000) {
flow->l4.tcp.soulseek_stage = 1 + packet->packet_direction;
IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_TRACE, "Soulseek Size 9 Pierce Firewall\n");
return;
}
}
if (packet->payload_packet_len > 25 && packet->payload[4] == 0x01 && !get_u16(packet->payload, 7)
&& !get_u16(packet->payload, 2)) {
const u32 usrlen = get_l32(packet->payload, 5);
if (usrlen <= packet->payload_packet_len - 4 + 1 + 4 + 4 + 1 + 4) {
const u32 typelen = get_l32(packet->payload, 4 + 1 + 4 + usrlen);
const u8 type = packet->payload[4 + 1 + 4 + usrlen + 4];
if (typelen == 1 && (type == 'F' || type == 'P' || type == 'D')) {
IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct,
IPQ_LOG_DEBUG, "soulseek detected Pattern command(D|P|F).\n");
ipoque_int_soulseek_add_connection(ipoque_struct);
return;
}
}
}
} else if (flow->l4.tcp.soulseek_stage == 2 - packet->packet_direction) {
if (packet->payload_packet_len > 8) {
if ((packet->payload[0] || packet->payload[1]) && get_l32(packet->payload, 4) == 9) {
/* 9 is search result */
IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG, "soulseek detected Second Pkt\n");
ipoque_int_soulseek_add_connection(ipoque_struct);
return;
}
if (get_l32(packet->payload, 0) == packet->payload_packet_len - 4) {
const u32 msgcode = get_l32(packet->payload, 4);
if (msgcode == 0x03 && packet->payload_packet_len >= 12) //Server Message : Get Peer Address
{
const u32 usrlen = get_l32(packet->payload, 8);
if (usrlen <= packet->payload_packet_len && 4 + 4 + 4 + usrlen == packet->payload_packet_len) {
IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct,
IPQ_LOG_DEBUG, "Soulseek Request Get Peer Address Detected\n");
ipoque_int_soulseek_add_connection(ipoque_struct);
return;
}
}
}
}
if (packet->payload_packet_len == 8 && get_l32(packet->payload, 4) == 0x00000004) {
IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG, "soulseek detected\n");
ipoque_int_soulseek_add_connection(ipoque_struct);
return;
}
if (packet->payload_packet_len == 4
&& get_u16(packet->payload, 2) == 0x00 && get_u16(packet->payload, 0) != 0x00) {
IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG, "soulseek detected\n");
ipoque_int_soulseek_add_connection(ipoque_struct);
return;
} else if (packet->payload_packet_len == 4) {
flow->l4.tcp.soulseek_stage = 3;
return;
}
} else if (flow->l4.tcp.soulseek_stage == 1 + packet->packet_direction) {
if (packet->payload_packet_len > 8) {
if (packet->payload[4] == 0x03 && get_l32(packet->payload, 5) == 0x00000031) {
IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct,
IPQ_LOG_DEBUG, "soulseek detected Second Pkt with SIGNATURE :: 0x0331000000 \n");
ipoque_int_soulseek_add_connection(ipoque_struct);
return;
}
}
}
if (flow->l4.tcp.soulseek_stage == 3 && packet->payload_packet_len == 8 && !get_u32(packet->payload, 4)) {
IPQ_LOG(IPOQUE_PROTOCOL_SOULSEEK, ipoque_struct, IPQ_LOG_DEBUG, "soulseek detected bcz of 8B pkt\n");
ipoque_int_soulseek_add_connection(ipoque_struct);
return;
}
if (flow->l4.tcp.soulseek_stage && flow->packet_counter < 11) {
} else {
IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_SOULSEEK);
}
}
void ipoque_search_http_tcp(struct ipoque_detection_module_struct *ipoque_struct)
{
struct ipoque_packet_struct *packet = &ipoque_struct->packet;
struct ipoque_flow_struct *flow = ipoque_struct->flow;
// struct ipoque_id_struct *src=ipoque_struct->src;
// struct ipoque_id_struct *dst=ipoque_struct->dst;
u16 filename_start;
IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "search http\n");
/* set client-server_direction */
if (flow->l4.tcp.http_setup_dir == 0) {
IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "initializes http to stage: 1 \n");
flow->l4.tcp.http_setup_dir = 1 + packet->packet_direction;
}
if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK
(ipoque_struct->generic_http_packet_bitmask, packet->detected_protocol_stack[0]) != 0) {
IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG,
"protocol might be detected earlier as http jump to payload type detection\n");
goto http_parse_detection;
}
if (flow->l4.tcp.http_setup_dir == 1 + packet->packet_direction) {
IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "http stage: 1\n");
if (flow->l4.tcp.http_wait_for_retransmission) {
if (!packet->tcp_retransmission) {
if (flow->packet_counter <= 5) {
IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "still waiting for retransmission\n");
return;
} else {
IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "retransmission not found, exclude\n");
http_bitmask_exclude(flow);
return;
}
}
}
if (flow->l4.tcp.http_stage == 0) {
filename_start = http_request_url_offset(ipoque_struct);
if (filename_start == 0) {
IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "filename not found, exclude\n");
http_bitmask_exclude(flow);
return;
}
// parse packet
ipq_parse_packet_line_info(ipoque_struct);
if (packet->parsed_lines <= 1) {
/* parse one more packet .. */
IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "just one line, search next packet\n");
flow->l4.tcp.http_stage = 1;
return;
}
// parsed_lines > 1 here
if (packet->line[0].len >= (9 + filename_start)
&& memcmp(&packet->line[0].ptr[packet->line[0].len - 9], " HTTP/1.", 8) == 0) {
packet->http_url_name.ptr = &packet->payload[filename_start];
packet->http_url_name.len = packet->line[0].len - (filename_start + 9);
packet->http_method.ptr = packet->line[0].ptr;
packet->http_method.len = filename_start - 1;
IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "http structure detected, adding\n");
ipoque_int_http_add_connection(ipoque_struct, (filename_start == 8) ? NTOP_PROTOCOL_HTTP_CONNECT : IPOQUE_PROTOCOL_HTTP);
check_content_type_and_change_protocol(ipoque_struct);
/* HTTP found, look for host... */
if (packet->host_line.ptr != NULL) {
/* aaahh, skip this direction and wait for a server reply here */
flow->l4.tcp.http_stage = 2;
IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "HTTP START HOST found\n");
return;
}
IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "HTTP START HOST found\n");
/* host not found, check in next packet after */
flow->l4.tcp.http_stage = 1;
return;
}
} else if (flow->l4.tcp.http_stage == 1) {
/* SECOND PAYLOAD TRAFFIC FROM CLIENT, FIRST PACKET MIGHT HAVE BEEN HTTP... */
/* UNKNOWN TRAFFIC, HERE FOR HTTP again.. */
// parse packet
ipq_parse_packet_line_info(ipoque_struct);
if (packet->parsed_lines <= 1) {
/* wait some packets in case request is split over more than 2 packets */
if (flow->packet_counter < 5) {
IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG,
"line still not finished, search next packet\n");
return;
} else {
/* stop parsing here */
IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG,
"HTTP: PACKET DOES NOT HAVE A LINE STRUCTURE\n");
http_bitmask_exclude(flow);
return;
}
}
if (packet->line[0].len >= 9 && memcmp(&packet->line[0].ptr[packet->line[0].len - 9], " HTTP/1.", 8) == 0) {
ipoque_int_http_add_connection(ipoque_struct, IPOQUE_PROTOCOL_HTTP);
check_content_type_and_change_protocol(ipoque_struct);
IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG,
"HTTP START HTTP found in 2. packet, check host here...\n");
/* HTTP found, look for host... */
flow->l4.tcp.http_stage = 2;
return;
}
}
}
IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "HTTP: REQUEST NOT HTTP CONFORM\n");
http_bitmask_exclude(flow);
return;
http_parse_detection:
if (flow->l4.tcp.http_setup_dir == 1 + packet->packet_direction) {
/* we have something like http here, so check for host and content type if possible */
if (flow->l4.tcp.http_stage == 0 || flow->l4.tcp.http_stage == 3) {
IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "HTTP RUN MAYBE NEXT GET/POST...\n");
// parse packet
ipq_parse_packet_line_info(ipoque_struct);
/* check for url here */
filename_start = http_request_url_offset(ipoque_struct);
if (filename_start != 0 && packet->parsed_lines > 1 && packet->line[0].len >= (9 + filename_start)
&& memcmp(&packet->line[0].ptr[packet->line[0].len - 9], " HTTP/1.", 8) == 0) {
packet->http_url_name.ptr = &packet->payload[filename_start];
packet->http_url_name.len = packet->line[0].len - (filename_start + 9);
packet->http_method.ptr = packet->line[0].ptr;
packet->http_method.len = filename_start - 1;
IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "next http action, "
"resetting to http and search for other protocols later.\n");
ipoque_int_http_add_connection(ipoque_struct, IPOQUE_PROTOCOL_HTTP);
}
check_content_type_and_change_protocol(ipoque_struct);
/* HTTP found, look for host... */
if (packet->host_line.ptr != NULL) {
IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG,
"HTTP RUN MAYBE NEXT HOST found, skipping all packets from this direction\n");
/* aaahh, skip this direction and wait for a server reply here */
flow->l4.tcp.http_stage = 2;
return;
}
IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG,
"HTTP RUN MAYBE NEXT HOST NOT found, scanning one more packet from this direction\n");
flow->l4.tcp.http_stage = 1;
} else if (flow->l4.tcp.http_stage == 1) {
// parse packet and maybe find a packet info with host ptr,...
ipq_parse_packet_line_info(ipoque_struct);
check_content_type_and_change_protocol(ipoque_struct);
IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "HTTP RUN second packet scanned\n");
/* HTTP found, look for host... */
flow->l4.tcp.http_stage = 2;
}
IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG,
"HTTP skipping client packets after second packet\n");
return;
}
/* server response */
if (flow->l4.tcp.http_stage > 0) {
/* first packet from server direction, might have a content line */
ipq_parse_packet_line_info(ipoque_struct);
check_content_type_and_change_protocol(ipoque_struct);
if (packet->empty_line_position_set != 0 || flow->l4.tcp.http_empty_line_seen == 1) {
IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "empty line. check_http_payload.\n");
check_http_payload(ipoque_struct);
}
if (flow->l4.tcp.http_stage == 2) {
flow->l4.tcp.http_stage = 3;
} else {
flow->l4.tcp.http_stage = 0;
}
IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG,
"HTTP response first or second packet scanned,new stage is: %u\n", flow->l4.tcp.http_stage);
return;
} else {
IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "HTTP response next packet skipped\n");
}
}
static void check_content_type_and_change_protocol(struct ipoque_detection_module_struct
*ipoque_struct)
{
#ifdef IPOQUE_PROTOCOL_MPEG
struct ipoque_packet_struct *packet = &ipoque_struct->packet;
#endif
#ifdef IPOQUE_PROTOCOL_AVI
#endif
// struct ipoque_id_struct *src=ipoque_struct->src;
// struct ipoque_id_struct *dst=ipoque_struct->dst;
u8 a;
if (ipoque_struct->packet.content_line.ptr != NULL && ipoque_struct->packet.content_line.len != 0) {
IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "Content Type Line found %.*s\n",
ipoque_struct->packet.content_line.len, ipoque_struct->packet.content_line.ptr);
#ifdef IPOQUE_PROTOCOL_MPEG
if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(ipoque_struct->detection_bitmask, IPOQUE_PROTOCOL_MPEG) != 0)
mpeg_parse_packet_contentline(ipoque_struct);
#endif
#ifdef IPOQUE_PROTOCOL_FLASH
if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(ipoque_struct->detection_bitmask, IPOQUE_PROTOCOL_FLASH) != 0)
flash_parse_packet_contentline(ipoque_struct);
#endif
#ifdef IPOQUE_PROTOCOL_QUICKTIME
if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(ipoque_struct->detection_bitmask, IPOQUE_PROTOCOL_QUICKTIME) != 0)
qt_parse_packet_contentline(ipoque_struct);
#endif
#ifdef IPOQUE_PROTOCOL_REALMEDIA
if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(ipoque_struct->detection_bitmask, IPOQUE_PROTOCOL_REALMEDIA) != 0)
realmedia_parse_packet_contentline(ipoque_struct);
#endif
#ifdef IPOQUE_PROTOCOL_WINDOWSMEDIA
if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(ipoque_struct->detection_bitmask, IPOQUE_PROTOCOL_WINDOWSMEDIA) != 0)
windowsmedia_parse_packet_contentline(ipoque_struct);
#endif
#ifdef IPOQUE_PROTOCOL_MMS
if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(ipoque_struct->detection_bitmask, IPOQUE_PROTOCOL_MMS) != 0)
mms_parse_packet_contentline(ipoque_struct);
#endif
#ifdef IPOQUE_PROTOCOL_OFF
if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(ipoque_struct->detection_bitmask, IPOQUE_PROTOCOL_OFF) != 0)
off_parse_packet_contentline(ipoque_struct);
#endif
#ifdef IPOQUE_PROTOCOL_OGG
if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(ipoque_struct->detection_bitmask, IPOQUE_PROTOCOL_OGG) != 0)
ogg_parse_packet_contentline(ipoque_struct);
#endif
#ifdef IPOQUE_PROTOCOL_MOVE
if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(ipoque_struct->detection_bitmask, IPOQUE_PROTOCOL_MOVE) != 0)
move_parse_packet_contentline(ipoque_struct);
#endif
}
/* check user agent here too */
if (ipoque_struct->packet.user_agent_line.ptr != NULL && ipoque_struct->packet.user_agent_line.len != 0) {
IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "User Agent Type Line found %.*s\n",
ipoque_struct->packet.user_agent_line.len, ipoque_struct->packet.user_agent_line.ptr);
#ifdef IPOQUE_PROTOCOL_XBOX
if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(ipoque_struct->detection_bitmask, IPOQUE_PROTOCOL_XBOX) != 0)
xbox_parse_packet_useragentline(ipoque_struct);
#endif
#ifdef IPOQUE_PROTOCOL_WINDOWSMEDIA
if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(ipoque_struct->detection_bitmask, IPOQUE_PROTOCOL_WINDOWSMEDIA) != 0)
winmedia_parse_packet_useragentline(ipoque_struct);
#endif
}
/* check for host line */
if (ipoque_struct->packet.host_line.ptr != NULL) {
IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "HOST Line found %.*s\n",
ipoque_struct->packet.host_line.len, ipoque_struct->packet.host_line.ptr);
#ifdef IPOQUE_PROTOCOL_QQ
if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(ipoque_struct->detection_bitmask, IPOQUE_PROTOCOL_QQ) != 0) {
qq_parse_packet_URL_and_hostname(ipoque_struct);
}
#endif
#ifdef HAVE_NTOP
parseHttpSubprotocol(ipoque_struct);
#endif
}
/* check for accept line */
if (ipoque_struct->packet.accept_line.ptr != NULL) {
IPQ_LOG(IPOQUE_PROTOCOL_HTTP, ipoque_struct, IPQ_LOG_DEBUG, "Accept Line found %.*s\n",
ipoque_struct->packet.accept_line.len, ipoque_struct->packet.accept_line.ptr);
#ifdef IPOQUE_PROTOCOL_RTSP
if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(ipoque_struct->detection_bitmask, IPOQUE_PROTOCOL_RTSP) != 0) {
rtsp_parse_packet_acceptline(ipoque_struct);
}
#endif
}
/* search for line startin with "Icy-MetaData" */
#ifdef IPOQUE_PROTOCOL_MPEG
for (a = 0; a < packet->parsed_lines; a++) {
if (packet->line[a].len > 11 && memcmp(packet->line[a].ptr, "Icy-MetaData", 12) == 0) {
IPQ_LOG(IPOQUE_PROTOCOL_MPEG, ipoque_struct, IPQ_LOG_DEBUG, "MPEG: Icy-MetaData found.\n");
ipoque_int_http_add_connection(ipoque_struct, IPOQUE_PROTOCOL_MPEG);
return;
}
}
#ifdef IPOQUE_PROTOCOL_AVI
#endif
#endif
}
void ipoque_search_pplive_tcp_udp(struct ipoque_detection_module_struct
*ipoque_struct)
{
struct ipoque_packet_struct *packet = &ipoque_struct->packet;
struct ipoque_flow_struct *flow = ipoque_struct->flow;
struct ipoque_id_struct *src = ipoque_struct->src;
struct ipoque_id_struct *dst = ipoque_struct->dst;
u16 a;
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "search pplive.\n");
if (packet->udp != NULL) {
if (src != NULL && src->pplive_vod_cli_port == packet->udp->source
&& IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, IPOQUE_PROTOCOL_PPLIVE)) {
if (src->pplive_last_packet_time_set == 1 && (IPOQUE_TIMESTAMP_COUNTER_SIZE)
(packet->tick_timestamp - src->pplive_last_packet_time) < ipoque_struct->pplive_connection_timeout) {
ipoque_int_pplive_add_connection(ipoque_struct);
src->pplive_last_packet_time_set = 1;
src->pplive_last_packet_time = packet->tick_timestamp;
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "timestamp src.\n");
return;
} else {
src->pplive_vod_cli_port = 0;
src->pplive_last_packet_time = 0;
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "PPLIVE: VOD port timer reset.\n");
}
}
if (dst != NULL && dst->pplive_vod_cli_port == packet->udp->dest
&& IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, IPOQUE_PROTOCOL_PPLIVE)) {
if (dst->pplive_last_packet_time_set == 1 && (IPOQUE_TIMESTAMP_COUNTER_SIZE)
(packet->tick_timestamp - dst->pplive_last_packet_time) < ipoque_struct->pplive_connection_timeout) {
ipoque_int_pplive_add_connection(ipoque_struct);
dst->pplive_last_packet_time_set = 1;
dst->pplive_last_packet_time = packet->tick_timestamp;
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "timestamp dst.\n");
return;
} else {
dst->pplive_last_packet_time_set = 0;
dst->pplive_vod_cli_port = 0;
dst->pplive_last_packet_time = 0;
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "PPLIVE: VOD port timer reset.\n");
}
}
if ((packet->payload_packet_len >= 76) && ((packet->payload[0] == 0x01) || (packet->payload[0] == 0x18)
|| (packet->payload[0] == 0x05))
&& (packet->payload[1] == 0x00)
&& get_l32(packet->payload, 12) == 0 && (packet->payload[16] == 0 || packet->payload[16] == 1)
&& (packet->payload[17] == 0) && (packet->payload[24] == 0xac)) {
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "found pplive.\n");
ipoque_int_pplive_add_connection(ipoque_struct);
return;
}
if (packet->payload_packet_len > 50 && packet->payload[0] == 0xe9
&& packet->payload[1] == 0x03 && (packet->payload[3] == 0x00 || packet->payload[3] == 0x01)
&& packet->payload[4] == 0x98 && packet->payload[5] == 0xab
&& packet->payload[6] == 0x01 && packet->payload[7] == 0x02) {
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "found pplive.\n");
ipoque_int_pplive_add_connection(ipoque_struct);
return;
}
if (packet->payload_packet_len == 94
&& packet->payload[8] == 0x00 && get_u32(packet->payload, 9) == ntohl(0x02010000)
&& get_u32(packet->payload, 58) == ntohl(0xb1130000)) {
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "found pplive.\n");
ipoque_int_pplive_add_connection(ipoque_struct);
return;
}
if ((packet->payload_packet_len >= 90 && packet->payload_packet_len <= 110)
&& (packet->payload[0] >= 0x0a && packet->payload[0] <= 0x0f)
&& get_u32(packet->payload, 86) == 0) {
int i;
for (i = 56; i < 68; i += 2) {
if ((get_u32(packet->payload, i) == ntohl(0x4fde7e7f))
&& (get_u16(packet->payload, i + 4) == 0)) {
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "found pplive through "
"bitpattern 4f de 7e 7f 00 00.\n");
ipoque_int_pplive_add_connection(ipoque_struct);
return;
}
}
}
if (flow->packet_counter < 5 && !flow->pplive_stage) { /* With in 1st 4 packets */
if (((packet->payload_packet_len >= 90 && packet->payload_packet_len <= 110)
&& (!get_u32(packet->payload, packet->payload_packet_len - 16)
|| !get_u32(packet->payload, packet->payload_packet_len - 4)))
) {
flow->pplive_stage = 2; /* Now start looking for size(28 | 30) */
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG,
"Maybe found pplive packet. Now start looking for size(28 | 30).\n");
}
if (68 == packet->payload_packet_len
&& get_l16(packet->payload, 0) == 0x21 && packet->payload[19] == packet->payload[20]
&& packet->payload[20] == packet->payload[21]
&& packet->payload[12] == packet->payload[13]
&& packet->payload[14] == packet->payload[15]) {
flow->pplive_stage = 3 + packet->packet_direction;
}
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "need next packet I.\n");
return;
}
if (flow->pplive_stage == 3 + packet->packet_direction) {
/* Because we are expecting packet in reverese direction.. */
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "need next packet II.\n");
return;
}
if (flow->pplive_stage == (4 - packet->packet_direction)
&& packet->payload_packet_len > 67
&& (get_l16(packet->payload, 0) == 0x21
|| (get_l16(packet->payload, 0) == 0x22 && !get_l16(packet->payload, 28)))) {
if (dst != NULL) {
dst->pplive_vod_cli_port = packet->udp->dest;
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct,
IPQ_LOG_DEBUG, "PPLIVE: VOD Port marked %u.\n", ntohs(packet->udp->dest));
dst->pplive_last_packet_time = packet->tick_timestamp;
dst->pplive_last_packet_time_set = 1;
}
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "found pplive.\n");
ipoque_int_pplive_add_connection(ipoque_struct);
return;
}
if (flow->pplive_stage == 2) {
if ((packet->payload_packet_len == 30 && (packet->payload[0] == 0x02 || packet->payload[0] == 0x03)
&& get_u32(packet->payload, 21) == ntohl(0x00000001))
|| (packet->payload_packet_len == 28 && (packet->payload[0] == 0x01 || packet->payload[0] == 0x00)
&& (get_u32(packet->payload, 19) == ntohl(0x00000001)))) {
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "found pplive.\n");
ipoque_int_pplive_add_connection(ipoque_struct);
return;
}
if (flow->packet_counter < 45) {
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "need next packet III.\n");
return;
}
}
} else if (packet->tcp != NULL) {
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG,
"PPLIVE: TCP found, plen = %d, stage = %d, payload[0] = %x, payload[1] = %x, payload[2] = %x, payload[3] = %x \n",
packet->payload_packet_len, flow->pplive_stage, packet->payload[0], packet->payload[1],
packet->payload[2], packet->payload[3]);
if (src != NULL && src->pplive_vod_cli_port == packet->tcp->source
&& IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, IPOQUE_PROTOCOL_PPLIVE)) {
if (src->pplive_last_packet_time_set == 1 && (IPOQUE_TIMESTAMP_COUNTER_SIZE)
(packet->tick_timestamp - src->pplive_last_packet_time) < ipoque_struct->pplive_connection_timeout) {
ipoque_int_pplive_add_connection(ipoque_struct);
src->pplive_last_packet_time_set = 1;
src->pplive_last_packet_time = packet->tick_timestamp;
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "timestamp src.\n");
return;
} else {
src->pplive_vod_cli_port = 0;
src->pplive_last_packet_time = 0;
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "PPLIVE: VOD port timer reset.\n");
}
}
if (dst != NULL && dst->pplive_vod_cli_port == packet->tcp->dest
&& IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, IPOQUE_PROTOCOL_PPLIVE)) {
if (dst->pplive_last_packet_time_set == 1 && (IPOQUE_TIMESTAMP_COUNTER_SIZE)
(packet->tick_timestamp - dst->pplive_last_packet_time) < ipoque_struct->pplive_connection_timeout) {
flow->detected_protocol = IPOQUE_PROTOCOL_PPLIVE;
packet->detected_protocol = IPOQUE_PROTOCOL_PPLIVE;
dst->pplive_last_packet_time_set = 1;
dst->pplive_last_packet_time = packet->tick_timestamp;
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "timestamp dst.\n");
return;
} else {
dst->pplive_last_packet_time_set = 0;
dst->pplive_vod_cli_port = 0;
dst->pplive_last_packet_time = 0;
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "PPLIVE: VOD port timer reset.\n");
}
}
if (packet->payload_packet_len > 4 && memcmp(packet->payload, "GET /", 5) == 0) {
ipq_parse_packet_line_info(ipoque_struct);
if (packet->parsed_lines == 8
&& packet->line[0].ptr != NULL && packet->line[0].len >= 8
&& memcmp(&packet->payload[packet->line[0].len - 8], "HTTP/1.", 7) == 0
&& packet->line[2].ptr != NULL && packet->line[2].len >= 16
&& memcmp(packet->line[2].ptr, "x-flash-version:", 16) == 0
&& packet->user_agent_line.ptr != NULL && packet->user_agent_line.len >= 11
&& memcmp(packet->user_agent_line.ptr, "Mozilla/4.0", 11) == 0
&& packet->line[6].ptr != NULL && packet->line[6].len >= 21
&& memcmp(packet->line[6].ptr, "Pragma: Client=PPLive", 21) == 0) {
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "PPLIVE: found HTTP request.\n");
ipoque_int_pplive_add_connection(ipoque_struct);
return;
} else if (packet->parsed_lines == 6
&& packet->line[0].ptr != NULL && packet->line[0].len >= 8
&& memcmp(&packet->payload[packet->line[0].len - 8], "HTTP/1.", 7) == 0
&& packet->user_agent_line.ptr != NULL && packet->user_agent_line.len >= 10
&& memcmp(packet->user_agent_line.ptr, "PPLive DAC", 10) == 0) {
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "PPLIVE: found HTTP request.\n");
ipoque_int_pplive_add_connection(ipoque_struct);
return;
}
}
// searches for packets > 20 byte that begin with a hex number == packet->payload_packet_len - 4
// and with the same number at position 16, 17, 18, 19
if (packet->payload_packet_len > 20 && ntohl(get_u32(packet->payload, 0)) == packet->payload_packet_len - 4) {
if (packet->payload[4] == 0x21 && packet->payload[5] == 0x00) {
if ((packet->payload[9] == packet->payload[10]) && (packet->payload[9] == packet->payload[11])) {
if ((packet->payload[16] == packet->payload[17]) &&
(packet->payload[16] == packet->payload[18]) && (packet->payload[16] == packet->payload[19])) {
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct,
IPQ_LOG_DEBUG, "PPLIVE: direct server request or response found\n");
ipoque_int_pplive_add_connection(ipoque_struct);
return;
}
}
}
}
// stage > 0, packet begins with 21 00, bytes at positions 5, 6, 7 are equal, bytes at positions 12, 13, 14, 15 are equal,
if (packet->payload_packet_len > 20 && flow->pplive_stage) {
if (packet->payload[0] == 0x21 && packet->payload[1] == 0x00) {
if (packet->payload[5] == packet->payload[6] && packet->payload[5] == packet->payload[7]) {
if (packet->payload[12] == packet->payload[13] && packet->payload[14] == packet->payload[15]
&& packet->payload[12] == packet->payload[14]) {
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct,
IPQ_LOG_DEBUG, "PPLIVE: direct server request or response found\n");
ipoque_int_pplive_add_connection(ipoque_struct);
return;
}
}
}
}
// packet (len>11) begins with a hex number == packet->payload_packet_len - 4 and matches certain bitmuster
if (packet->payload_packet_len > 11 && ntohl(get_u32(packet->payload, 0)) == packet->payload_packet_len - 4) {
if (packet->payload[4] == 0xe9 && packet->payload[5] == 0x03 &&
((packet->payload[7] == packet->payload[10]) || (packet->payload[7] == packet->payload[11]))) {
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct,
IPQ_LOG_DEBUG, "PPLIVE: direct server request or response found\n");
ipoque_int_pplive_add_connection(ipoque_struct);
return;
}
}
// stage > 0, len>10, begins with e9 03, matches certain pattern
if (packet->payload_packet_len > 10 && flow->pplive_stage) {
if (packet->payload[0] == 0xe9 && packet->payload[1] == 0x03 &&
((packet->payload[3] == packet->payload[6]) || (packet->payload[3] == packet->payload[7]))) {
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct,
IPQ_LOG_DEBUG, "PPLIVE: direct server request or response found\n");
ipoque_int_pplive_add_connection(ipoque_struct);
return;
}
}
/* Adware in the PPLive Client -> first TCP Packet has length of 4 Bytes -> 2nd TCP Packet has length of 96 Bytes */
/* or */
/* Peer-List Requests over TCP -> first Packet has length of 4 Bytes -> 2nd TCP Packet has length of 71 Bytes */
/* there are different possibilities of the order of the packets */
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG,
"PPLIVE: TCP found, plen = %d, stage = %d, payload[0] = %x, payload[1] = %x, payload[2] = %x, payload[3] = %x \n",
packet->payload_packet_len, flow->pplive_stage,
packet->payload[0], packet->payload[1], packet->payload[2], packet->payload[3]);
/* generic pplive detection (independent of the stage) !!! */
// len > 11, packet begins with a hex number == packet->payload_packet_len - 4, pattern: ?? ?? ?? ?? 21 00 ?? ?? 98 ab 01 02
if (packet->payload_packet_len > 11 && ntohl(get_u32(packet->payload, 0)) == packet->payload_packet_len - 4) {
if (packet->payload[4] == 0x21 && packet->payload[5] == 0x00
&& ((packet->payload[8] == 0x98 && packet->payload[9] == 0xab
&& packet->payload[10] == 0x01 && packet->payload[11] == 0x02)
)) {
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct,
IPQ_LOG_DEBUG, "PPLIVE: direct server request or response found\n");
ipoque_int_pplive_add_connection(ipoque_struct);
return;
}
// packet 4 to 19 have a hex representation from 0x30 to 0x39
if (packet->payload_packet_len > 20) {
a = 4;
while (a < 20) {
if (packet->payload[a] >= '0' && packet->payload[a] <= '9') {
if (a == 19) {
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct,
IPQ_LOG_DEBUG, "PPLIVE: direct new header format found\n");
ipoque_int_pplive_add_connection(ipoque_struct);
return;
} else {
a++;
}
} else {
break;
}
}
}
}
/* 1st and 2nd (KD: ??????? )Packet of Client is 4 Byte */
// stage == 0, p_len == 4, pattern: 04 00 00 00 --> need next packet
if (flow->pplive_stage == 0) {
if (packet->payload_packet_len == 4 && packet->payload[0] > 0x04
&& packet->payload[1] == 0x00 && packet->payload[2] == 0x00 && packet->payload[3] == 0x00) {
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct,
IPQ_LOG_DEBUG, "PPLIVE: 4Byte TCP Packet Request found \n");
/* go to the 2nd Client Packet */
flow->pplive_stage = 1 + packet->packet_direction;
flow->pplive_next_packet_size[packet->packet_direction] = packet->payload[0];
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "need next packet i.\n");
return;
}
} else if (flow->pplive_stage == 2 - packet->packet_direction) {
if (packet->payload_packet_len == 4 && packet->payload[0] > 0x04
&& packet->payload[1] == 0x00 && packet->payload[2] == 0x00 && packet->payload[3] == 0x00) {
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct,
IPQ_LOG_DEBUG, "PPLIVE: 4Byte TCP Packet Response found \n");
/* go to the 2nd Client Packet */
flow->pplive_next_packet_size[packet->packet_direction] = packet->payload[0];
}
flow->pplive_stage = 3;
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "need next packet ii.\n");
return;
} else if (flow->pplive_stage == 1 + packet->packet_direction || flow->pplive_stage == 3) {
if (packet->payload_packet_len > 7 && flow->pplive_next_packet_size[packet->packet_direction] >= 4) {
if (packet->payload_packet_len == flow->pplive_next_packet_size[packet->packet_direction]) {
if (packet->payload[0] == 0xe9 && packet->payload[1] == 0x03
&& ((packet->payload[4] == 0x98
&& packet->payload[5] == 0xab && packet->payload[6] == 0x01 && packet->payload[7] == 0x02)
)) {
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct,
IPQ_LOG_DEBUG, "PPLIVE: two packet response found\n");
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG,
"found pplive over tcp with pattern iii.\n");
ipoque_int_pplive_add_connection(ipoque_struct);
return;
}
// packet 4 to 19 have a hex representation from 0x30 to 0x39
if (packet->payload_packet_len > 16) {
a = 0;
while (a < 16) {
if (packet->payload[a] >= '0' && packet->payload[a] <= '9') {
if (a == 15) {
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG,
"PPLIVE: new header format found\n");
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG,
"found pplive over tcp with pattern v.\n");
ipoque_int_pplive_add_connection(ipoque_struct);
return;
} else {
a++;
}
} else {
break;
}
}
}
// p_len>79 and a lot of 00 in the end
if (packet->payload_packet_len > 79
&& get_u32(packet->payload, packet->payload_packet_len - 9) == 0x00000000
&& get_u32(packet->payload, packet->payload_packet_len - 5) == 0x00000000) {
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG,
"PPLIVE: Last 8 NULL bytes found.\n");
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG,
"found pplive over tcp with pattern vi.\n");
ipoque_int_pplive_add_connection(ipoque_struct);
return;
}
}
if (packet->payload_packet_len > flow->pplive_next_packet_size[packet->packet_direction]) {
if (packet->payload[0] == 0xe9 && packet->payload[1] == 0x03
&& packet->payload[4] == 0x98 && packet->payload[5] == 0xab
&& packet->payload[6] == 0x01 && packet->payload[7] == 0x02) {
a = flow->pplive_next_packet_size[packet->packet_direction];
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "a=%u.\n", a);
if (packet->payload_packet_len > a + 4
&& packet->payload[a + 2] == 0x00 && packet->payload[a + 3] == 0x00
&& packet->payload[a] != 0) {
a += ((packet->payload[a + 1] << 8) + packet->payload[a] + 4);
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "a=%u.\n", a);
if (packet->payload_packet_len == a) {
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG,
"found pplive over tcp with pattern vii.\n");
ipoque_int_pplive_add_connection(ipoque_struct);
return;
}
if (packet->payload_packet_len > a + 4
&& packet->payload[a + 2] == 0x00 && packet->payload[a + 3] == 0x00
&& packet->payload[a] != 0) {
a += ((packet->payload[a + 1] << 8) + packet->payload[a] + 4);
if (packet->payload_packet_len == a) {
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG,
"found pplive over tcp with pattern viii.\n");
ipoque_int_pplive_add_connection(ipoque_struct);
return;
}
}
}
}
}
}
}
}
IPQ_LOG(IPOQUE_PROTOCOL_PPLIVE, ipoque_struct, IPQ_LOG_DEBUG, "exclude pplive.\n");
IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_PPLIVE);
}
/* this function searches for a rtsp-"handshake" over tcp or udp. */
void ipoque_search_rtsp_tcp_udp(struct ipoque_detection_module_struct
*ipoque_struct)
{
struct ipoque_packet_struct *packet = &ipoque_struct->packet;
struct ipoque_flow_struct *flow = ipoque_struct->flow;
struct ipoque_id_struct *src = ipoque_struct->src;
struct ipoque_id_struct *dst = ipoque_struct->dst;
IPQ_LOG(IPOQUE_PROTOCOL_RTSP, ipoque_struct, IPQ_LOG_DEBUG, "calling ipoque_search_rtsp_tcp_udp.\n");
if (flow->rtsprdt_stage == 0
#ifdef IPOQUE_PROTOCOL_RTCP
&& !(packet->detected_protocol_stack[0] == IPOQUE_PROTOCOL_RTCP)
#endif
) {
flow->rtsprdt_stage = 1 + packet->packet_direction;
IPQ_LOG(IPOQUE_PROTOCOL_RTSP, ipoque_struct, IPQ_LOG_DEBUG, "maybe handshake 1; need next packet, return.\n");
return;
}
if (flow->packet_counter < 3 && flow->rtsprdt_stage == 1 + packet->packet_direction) {
IPQ_LOG(IPOQUE_PROTOCOL_RTSP, ipoque_struct, IPQ_LOG_DEBUG, "maybe handshake 2; need next packet.\n");
return;
}
if (packet->payload_packet_len > 20 && flow->rtsprdt_stage == 2 - packet->packet_direction) {
// RTSP Server Message
if (memcmp(packet->payload, "RTSP/1.0 ", 9) == 0) {
IPQ_LOG(IPOQUE_PROTOCOL_RTSP, ipoque_struct, IPQ_LOG_DEBUG, "found RTSP/1.0 .\n");
if (dst != NULL) {
IPQ_LOG(IPOQUE_PROTOCOL_RTSP, ipoque_struct, IPQ_LOG_DEBUG, "found dst.\n");
ipq_packet_src_ip_get(packet, &dst->rtsp_ip_address);
dst->rtsp_timer = packet->tick_timestamp;
dst->rtsp_ts_set = 1;
}
if (src != NULL) {
IPQ_LOG(IPOQUE_PROTOCOL_RTSP, ipoque_struct, IPQ_LOG_DEBUG, "found src.\n");
ipq_packet_dst_ip_get(packet, &src->rtsp_ip_address);
src->rtsp_timer = packet->tick_timestamp;
src->rtsp_ts_set = 1;
}
IPQ_LOG(IPOQUE_PROTOCOL_RTSP, ipoque_struct, IPQ_LOG_DEBUG, "found RTSP.\n");
flow->rtsp_control_flow = 1;
ipoque_int_rtsp_add_connection(ipoque_struct, IPOQUE_REAL_PROTOCOL);
return;
}
}
if (packet->udp != NULL && packet->detected_protocol_stack[0] == IPOQUE_PROTOCOL_UNKNOWN
&& ((IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_RTP) == 0)
#ifdef IPOQUE_PROTOCOL_RTCP
|| (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_RTCP) == 0)
#endif
)) {
IPQ_LOG(IPOQUE_PROTOCOL_RTSP, ipoque_struct, IPQ_LOG_DEBUG,
"maybe RTSP RTP, RTSP RTCP, RDT; need next packet.\n");
return;
}
IPQ_LOG(IPOQUE_PROTOCOL_RTSP, ipoque_struct, IPQ_LOG_DEBUG, "didn't find handshake, exclude.\n");
IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_RTSP);
return;
}
static void ipoque_int_edonkey_tcp(struct ipoque_detection_module_struct *ipoque_struct)
{
struct ipoque_packet_struct *packet = &ipoque_struct->packet;
struct ipoque_flow_struct *flow = ipoque_struct->flow;
int edk_stage2_len;
/*len range increase if safe mode and also only once */
if (ipoque_struct->edonkey_safe_mode == 0)
edk_stage2_len = 140;
else if (!flow->l4.tcp.edk_ext || packet->payload_packet_len == 212) {
edk_stage2_len = 300;
} else
edk_stage2_len = 140;
/* skip excluded connections */
if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_EDONKEY) != 0)
return;
/* source and dst port must be 80 443 or > 1024 */
if (ipoque_struct->edonkey_upper_ports_only != 0) {
u16 port;
port = ntohs(packet->tcp->source);
/* source and dst port must be 80 443 or > 1024 */
if (port < 1024 && port != 80 && port != 443)
goto exclude_edk_tcp;
port = ntohs(packet->tcp->dest);
if (port < 1024 && port != 80 && port != 443)
goto exclude_edk_tcp;
}
/* return here for empty packets, we needed them only for bt port detection */
if (packet->payload_packet_len == 0)
return;
/* skip marked packets */
if (flow->edk_stage == 0 && packet->detected_protocol_stack[0] != IPOQUE_PROTOCOL_UNKNOWN)
return;
/* first: check for unencrypted traffic */
if (flow->edk_stage == 0) {
/* check for client hello */
if (packet->payload_packet_len >= 32 && get_l32(packet->payload, 1) <= (packet->payload_packet_len - 5)
&& (packet->payload[0] == 0xe3 || packet->payload[0] == 0xc5)) {
if (packet->payload[5] == 0x01 && ((packet->payload[6] == 0x10 && get_l32(packet->payload, 29) < 0x0F)
|| (get_l32(packet->payload, 28) > 0x00
&& get_l32(packet->payload, 28) < 0x0F))) {
IPQ_LOG_EDONKEY(IPOQUE_PROTOCOL_EDONKEY, ipoque_struct, IPQ_LOG_DEBUG,
"edk hello meta tag recognized\n");
flow->edk_stage = 16 + packet->packet_direction;
return;
}
}
}
if ((17 - packet->packet_direction) == flow->edk_stage) {
if ((packet->payload_packet_len >= 32 && get_l32(packet->payload, 1) == 9 && (packet->payload[0] == 0xe3)
&& packet->payload[5] == 0x40)
|| (packet->payload_packet_len >= 32 && (packet->payload[0] == 0xe3)
&& packet->payload[5] == 0x40 && check_edk_len(packet->payload, packet->payload_packet_len))
|| (packet->payload_packet_len >= 32 && packet->payload[0] == 0xe3
&& packet->payload[5] == 0x4c && (get_l32(packet->payload, 1) == (packet->payload_packet_len - 5)
|| check_edk_len(packet->payload, packet->payload_packet_len)))
|| (packet->payload_packet_len >= 32 && get_l32(packet->payload, 1) == (packet->payload_packet_len - 5)
&& packet->payload[0] == 0xe3 && packet->payload[5] == 0x38)
|| (packet->payload_packet_len >= 20 && get_l32(packet->payload, 1) == (packet->payload_packet_len - 5)
&& packet->payload[0] == 0xc5 && packet->payload[5] == 0x92)
|| (packet->payload_packet_len >= 20 && get_l32(packet->payload, 1) <= (packet->payload_packet_len - 5)
&& packet->payload[0] == 0xe3 && packet->payload[5] == 0x58)
|| (packet->payload_packet_len >= 20 && get_l32(packet->payload, 1) <= (packet->payload_packet_len - 5)
&& (packet->payload[0] == 0xe3 || packet->payload[0] == 0xc5)
&& packet->payload[5] == 0x01)) {
IPQ_LOG_EDONKEY(IPOQUE_PROTOCOL_EDONKEY, ipoque_struct,
IPQ_LOG_DEBUG, "edk 17: detected plain detection\n");
ipoque_add_connection_as_edonkey(ipoque_struct,
IPOQUE_PROTOCOL_SAFE_DETECTION, IPOQUE_PROTOCOL_PLAIN_DETECTION);
return;
}
IPQ_LOG_EDONKEY(IPOQUE_PROTOCOL_EDONKEY, ipoque_struct, IPQ_LOG_DEBUG,
"edk 17: id: %u, %u, %u not detected\n",
packet->payload[0], get_l32(packet->payload, 1), packet->payload[5]);
}
exclude_edk_tcp:
IPOQUE_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, IPOQUE_PROTOCOL_EDONKEY);
return;
}
static void ssl_mark_and_payload_search_for_other_protocols(struct
ipoque_detection_module_struct
*ipoque_struct)
{
#if defined(IPOQUE_PROTOCOL_SOFTETHER) || defined(IPOQUE_PROTOCOL_MEEBO)|| defined(IPOQUE_PROTOCOL_TOR) || defined(IPOQUE_PROTOCOL_VPN_X) || defined(IPOQUE_PROTOCOL_UNENCRYPED_JABBER) || defined (IPOQUE_PROTOCOL_OOVOO) || defined (IPOQUE_PROTOCOL_ISKOOT) || defined (IPOQUE_PROTOCOL_OSCAR) || defined (IPOQUE_PROTOCOL_ITUNES) || defined (IPOQUE_PROTOCOL_GMAIL)
struct ipoque_packet_struct *packet = &ipoque_struct->packet;
#ifdef IPOQUE_PROTOCOL_ISKOOT
struct ipoque_flow_struct *flow = ipoque_struct->flow;
#endif
// struct ipoque_id_struct *src=ipoque_struct->src;
// struct ipoque_id_struct *dst=ipoque_struct->dst;
u32 a;
u32 end;
#if defined(IPOQUE_PROTOCOL_UNENCRYPED_JABBER)
if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(ipoque_struct->detection_bitmask, IPOQUE_PROTOCOL_UNENCRYPED_JABBER) != 0)
goto check_for_ssl_payload;
#endif
#if defined(IPOQUE_PROTOCOL_OSCAR)
if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(ipoque_struct->detection_bitmask, IPOQUE_PROTOCOL_OSCAR) != 0)
goto check_for_ssl_payload;
#endif
#if defined(IPOQUE_PROTOCOL_GADUGADU)
if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK(ipoque_struct->detection_bitmask, IPOQUE_PROTOCOL_GADUGADU) != 0)
goto check_for_ssl_payload;
#endif
goto no_check_for_ssl_payload;
check_for_ssl_payload:
end = packet->payload_packet_len - 20;
for (a = 5; a < end; a++) {
#ifdef IPOQUE_PROTOCOL_UNENCRYPED_JABBER
if (packet->payload[a] == 't') {
if (memcmp(&packet->payload[a], "talk.google.com", 15) == 0) {
IPQ_LOG(IPOQUE_PROTOCOL_UNENCRYPED_JABBER, ipoque_struct, IPQ_LOG_DEBUG, "ssl jabber packet match\n");
if (IPOQUE_COMPARE_PROTOCOL_TO_BITMASK
(ipoque_struct->detection_bitmask, IPOQUE_PROTOCOL_UNENCRYPED_JABBER) != 0) {
ipoque_int_ssl_add_connection(ipoque_struct, IPOQUE_PROTOCOL_UNENCRYPED_JABBER);
return;
}
}
}
#endif
#ifdef IPOQUE_PROTOCOL_OSCAR
if (packet->payload[a] == 'A' || packet->payload[a] == 'k' || packet->payload[a] == 'c'
|| packet->payload[a] == 'h') {
if (((a + 19) < packet->payload_packet_len && memcmp(&packet->payload[a], "America Online Inc.", 19) == 0)
// || (end - c > 3 memcmp (&packet->payload[c],"AOL", 3) == 0 )
// || (end - c > 7 && memcmp (&packet->payload[c], "AOL LLC", 7) == 0)
|| ((a + 15) < packet->payload_packet_len && memcmp(&packet->payload[a], "kdc.uas.aol.com", 15) == 0)
|| ((a + 14) < packet->payload_packet_len && memcmp(&packet->payload[a], "*****@*****.**", 14) == 0)
|| ((a + 41) < packet->payload_packet_len
&& memcmp(&packet->payload[a], "http://crl.aol.com/AOLMSPKI/aolServerCert", 41) == 0)
|| ((a + 28) < packet->payload_packet_len
&& memcmp(&packet->payload[a], "http://ocsp.web.aol.com/ocsp", 28) == 0)
|| ((a + 32) < packet->payload_packet_len
&& memcmp(&packet->payload[a], "http://pki-info.aol.com/AOLMSPKI", 32) == 0)) {
IPQ_LOG(IPOQUE_PROTOCOL_OSCAR, ipoque_struct, IPQ_LOG_DEBUG, "OSCAR SERVER SSL DETECTED\n");
if (ipoque_struct->dst != NULL && packet->payload_packet_len > 75) {
memcpy(ipoque_struct->dst->oscar_ssl_session_id, &packet->payload[44], 32);
ipoque_struct->dst->oscar_ssl_session_id[32] = '\0';
ipoque_struct->dst->oscar_last_safe_access_time = packet->tick_timestamp;
}
ipoque_int_ssl_add_connection(ipoque_struct, IPOQUE_PROTOCOL_OSCAR);
return;
}
}
if (packet->payload[a] == 'm' || packet->payload[a] == 's') {
if ((a + 21) < packet->payload_packet_len &&
(memcmp(&packet->payload[a], "my.screenname.aol.com", 21) == 0
|| memcmp(&packet->payload[a], "sns-static.aolcdn.com", 21) == 0)) {
IPQ_LOG(IPOQUE_PROTOCOL_OSCAR, ipoque_struct, IPQ_LOG_DEBUG, "OSCAR SERVER SSL DETECTED\n");
ipoque_int_ssl_add_connection(ipoque_struct, IPOQUE_PROTOCOL_OSCAR);
return;
}
}
#endif
}
no_check_for_ssl_payload:
#endif
IPQ_LOG(IPOQUE_PROTOCOL_SSL, ipoque_struct, IPQ_LOG_DEBUG, "found ssl connection.\n");
ipoque_int_ssl_add_connection(ipoque_struct, IPOQUE_PROTOCOL_SSL);
}
