コード例 #1
ファイル: decode_smtp.c プロジェクト: IFGHou/dsniff
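/*
 * Scan a captured SMTP client stream for AUTH LOGIN exchanges.
 *
 * buf is split in place on CR/LF with strtok(), so it is modified and has to
 * be NUL-terminated by the caller; len is not consulted. For an
 * "AUTH LOGIN <base64>" line, and for the single line that follows it, the
 * raw line is appended to obuf followed by " [<decoded>]\n". Scanning stops
 * at the first MAIL, RCPT or DATA command.
 *
 * Returns the length of the string left in obuf (0 when nothing matched or
 * when the arguments are unusable).
 */
int
decode_smtp(u_char *buf, int len, u_char *obuf, int olen)
{
	char *out = (char *)obuf;
	char *line, *b64;
	int n, used, expect_reply = 0;

	(void)len;

	/* Writing obuf[0] with no room would itself be an overflow. */
	if (obuf == NULL || olen <= 0)
		return (0);
	obuf[0] = '\0';

	/* strtok(NULL, ...) would resume whatever string was scanned last. */
	if (buf == NULL)
		return (0);

	for (line = strtok((char *)buf, "\r\n"); line != NULL;
	     line = strtok(NULL, "\r\n")) {
		if (expect_reply == 1) {
			/* The line after AUTH LOGIN is base64 on its own. */
			b64 = line;
			expect_reply = 0;
		}
		else if (strncmp(line, "AUTH LOGIN ", 11) == 0) {
			b64 = line + 11;
			expect_reply = 1;
		}
		else if (strncmp(line, "MAIL ", 5) == 0 ||
			 strncmp(line, "RCPT ", 5) == 0 ||
			 strncmp(line, "DATA", 4) == 0) {
			break;
		}
		else {
			continue;
		}

		/* Copy the raw line first: the decode below overwrites it. */
		strlcat(out, line, olen);

		/*
		 * The stream is untrusted network data, so the base64 may be
		 * malformed. base64_pton is defined elsewhere; a negative
		 * return is taken to mean failure (as in the ISC b64_pton it
		 * appears to derive from - confirm). Using that value as an
		 * index would write before the start of the token.
		 */
		n = base64_pton(b64, b64, strlen(b64));
		if (n < 0)
			n = 0;
		b64[n] = '\0';

		/* strlcat keeps out terminated, so used < olen here. */
		used = strlen(out);
		snprintf(out + used, olen - used, " [%s]\n", b64);
	}
	return (strlen(out));
}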
コード例 #2
ファイル: decode_pop.c プロジェクト: 453483289/dsniff
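/*
 * Scan a captured POP client stream for authentication commands.
 *
 * buf is split in place on CR/LF with strtok(), so it is modified and has to
 * be NUL-terminated by the caller; len is not consulted. "AUTH PLAIN" and
 * "AUTH LOGIN" lines are copied to obuf, and up to two following lines are
 * copied together with their base64-decoded form in brackets. USER, PASS and
 * HELO lines are copied verbatim. Every record ends with a newline.
 *
 * Returns the length of the string left in obuf (0 when nothing matched or
 * when the arguments are unusable).
 */
int
decode_pop(u_char *buf, int len, u_char *obuf, int olen)
{
	char *out = (char *)obuf;
	char *p;
	int i, n;

	(void)len;

	/* Writing obuf[0] with no room would itself be an overflow. */
	if (obuf == NULL || olen <= 0)
		return (0);
	obuf[0] = '\0';

	/* strtok(NULL, ...) would resume whatever string was scanned last. */
	if (buf == NULL)
		return (0);

	for (p = strtok((char *)buf, "\r\n"); p != NULL;
	     p = strtok(NULL, "\r\n")) {
		if (strncasecmp(p, "AUTH PLAIN", 10) == 0 ||
		    strncasecmp(p, "AUTH LOGIN", 10) == 0) {
			strlcat(out, p, olen);
			strlcat(out, "\n", olen);

			/* Decode SASL auth: at most two response lines. */
			for (i = 0; i < 2 &&
			     (p = strtok(NULL, "\r\n")) != NULL; i++) {
				/* Raw copy first: the decode overwrites p. */
				strlcat(out, p, olen);

				/*
				 * Untrusted input may not be valid base64.
				 * base64_pton is defined elsewhere; a negative
				 * return is taken to mean failure (confirm),
				 * and must not be used as an index.
				 */
				n = base64_pton(p, p, strlen(p));
				if (n < 0)
					n = 0;
				p[n] = '\0';

				strlcat(out, " [", olen);
				strlcat(out, p, olen);
				strlcat(out, "]\n", olen);
			}
			/* Input ran out inside the SASL exchange. */
			if (p == NULL)
				break;
		}
		/* Save regular POP2, POP3 auth info. */
		else if (strncasecmp(p, "USER ", 5) == 0 ||
			 strncasecmp(p, "PASS ", 5) == 0 ||
			 strncasecmp(p, "HELO ", 5) == 0) {
			strlcat(out, p, olen);
			strlcat(out, "\n", olen);
		}
	}
	return (strlen(out));
}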
コード例 #3
ファイル: decode_nntp.c プロジェクト: Affix/dsniff
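/*
 * Scan a captured NNTP client stream for AUTHINFO commands.
 *
 * buf is split in place on CR/LF with strtok(), so it is modified and has to
 * be NUL-terminated by the caller; len is not consulted. Every AUTHINFO line
 * is copied to obuf. After "AUTHINFO SIMPLE" the next line is copied as
 * well. "AUTHINFO GENERIC DPA" sets a flag; once it is set, the argument of
 * any other "AUTHINFO GENERIC" line is base64-decoded and appended in
 * brackets. Every record ends with a newline.
 *
 * Returns the length of the string left in obuf (0 when nothing matched or
 * when the arguments are unusable).
 */
int
decode_nntp(u_char *buf, int len, u_char *obuf, int olen)
{
	char *out = (char *)obuf;
	char *p, *arg;
	int n, used;
	int simple = 0, dpa = 0;

	(void)len;

	/* Writing obuf[0] with no room would itself be an overflow. */
	if (obuf == NULL || olen <= 0)
		return (0);
	obuf[0] = '\0';

	/* strtok(NULL, ...) would resume whatever string was scanned last. */
	if (buf == NULL)
		return (0);

	for (p = strtok((char *)buf, "\r\n"); p != NULL;
	     p = strtok(NULL, "\r\n")) {
		if (simple == 1) {
			/* Line following AUTHINFO SIMPLE: copy as is. */
			strlcat(out, p, olen);
			strlcat(out, "\n", olen);
			simple = 0;
			continue;
		}
		if (strncasecmp(p, "AUTHINFO ", 9) != 0)
			continue;

		strlcat(out, p, olen);
		arg = p + 9;

		if (strncasecmp(arg, "SIMPLE", 6) == 0) {
			simple = 1;
		}
		else if (strncasecmp(arg, "GENERIC ", 8) == 0) {
			/* The 8-byte match guarantees arg + 8 is in the token. */
			arg += 8;
			if (strncasecmp(arg, "DPA", 3) == 0) {
				dpa = 1;
			}
			else if (dpa == 1) {
				/*
				 * Untrusted input may not be valid base64.
				 * base64_pton is defined elsewhere; a negative
				 * return is taken to mean failure (confirm),
				 * and must not be used as an index.
				 */
				n = base64_pton(arg, arg, strlen(arg));
				if (n < 0)
					n = 0;
				arg[n] = '\0';

				/* strlcat keeps out terminated: used < olen. */
				used = strlen(out);
				snprintf(out + used, olen - used,
					 " [%s]", arg);
			}
		}
		strlcat(out, "\n", olen);
	}
	return (strlen(out));
}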
コード例 #4
ファイル: urlsnarf.c プロジェクト: slayer/rt-n56u
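/*
 * Print one log line for each GET, POST or CONNECT request found in a
 * client-to-server HTTP stream.
 *
 * data is wrapped in a struct buf and consumed one header block (up to
 * "\r\n\r\n") at a time. Each block is tokenised in place with strtok(), so
 * data is modified. From the headers the function keeps the Basic-auth user
 * name (everything from the first ':' on is cut off, so the password is not
 * logged), Host, Referer and User-Agent, and skips Content-length bytes of
 * body.
 *
 * Returns the number of bytes of data that were consumed.
 *
 * NOTE(review): header values are written to stdout exactly as captured.
 * Anything that reads this log should treat it as untrusted text.
 */
int
process_http_request(struct tuple4 *addr, u_char *data, int len)
{
	struct buf *msg, buf;
	char *p, *req, *uri, *user, *vhost, *referer, *agent;
	int i;

	buf_init(&buf, data, len);

	while ((i = buf_index(&buf, "\r\n\r\n", 4)) >= 0) {
		msg = buf_tok(&buf, NULL, i);
		/*
		 * buf_tok is defined elsewhere; stop rather than dereference
		 * a NULL token should it ever return one.
		 */
		if (msg == NULL)
			break;
		/* Terminate the header block so string functions can scan it. */
		msg->base[msg->end] = '\0';
		buf_skip(&buf, 4);

		if (!regex_match(buf_ptr(msg)))
			continue;

		if ((req = strtok(buf_ptr(msg), "\r\n")) == NULL)
			continue;

		if (strncmp(req, "GET ", 4) != 0 &&
		    strncmp(req, "POST ", 5) != 0 &&
		    strncmp(req, "CONNECT ", 8) != 0)
			continue;

		if ((uri = strchr(req, ' ')) == NULL)
			continue;

		/* Split "METHOD URI ..." into req (method) and uri. */
		*uri++ = '\0';
		user = vhost = referer = agent = NULL;

		while ((p = strtok(NULL, "\r\n")) != NULL) {
			if (strncasecmp(p, "Authorization: Basic ", 21) == 0) {
				p += 21;
				/*
				 * The header is untrusted and may not be valid
				 * base64. base64_pton is defined elsewhere; a
				 * negative return is taken to mean failure
				 * (confirm) and must not be used as an index.
				 */
				i = base64_pton(p, p, strlen(p));
				if (i < 0)
					i = 0;
				p[i] = '\0';
				user = p;
				/* Keep the user name only. */
				if ((p = strchr(p, ':')) != NULL)
					*p = '\0';
			}
			else if (strncasecmp(p, "Host: ", 6) == 0) {
				vhost = p + 6;
			}
			else if (strncasecmp(p, "Referer: ", 9) == 0) {
				referer = p + 9;
			}
			else if (strncasecmp(p, "User-Agent: ", 12) == 0) {
				agent = p + 12;
			}
			else if (strncasecmp(p, "Content-length: ", 16) == 0) {
				/*
				 * A negative length from the peer is invalid;
				 * do not hand it to buf_tok as a byte count.
				 * NOTE(review): atoi reports no errors, and
				 * whether buf_tok bounds a length larger than
				 * the remaining data is not visible here.
				 */
				i = atoi(p + 16);
				if (i >= 0)
					buf_tok(NULL, NULL, i);
			}
		}
		if (user == NULL)
			user = "******";
		/* The destination name lookup is disabled in this copy. */
		if (vhost == NULL)
			vhost = "none";
		if (referer == NULL)
			referer = "-";
		if (agent == NULL)
			agent = "-";

		printf("%s - %s [%s] \"%s http://%s%s\" - - \"%s\" \"%s\"\n",
		       libnet_addr2name4(addr->saddr, Opt_dns),
		       user, timestamp(), req, vhost, uri, referer, agent);
	}
	fflush(stdout);

	return (len - buf_len(&buf));
}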