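/*
 * decode_smtp - pull SMTP "AUTH LOGIN" exchanges out of a client stream.
 *
 * buf  : client data.  It is split in place on CR/LF by strtok(), so it is
 *        modified and must be NUL-terminated.
 *        NOTE(review): len is never consulted here - confirm that every
 *        caller terminates buf before handing it in.
 * len  : number of bytes in buf (unused).
 * obuf : output text.  Each reported line is the raw protocol line followed
 *        by its Base64-decoded form in square brackets.
 * olen : capacity of obuf in bytes.
 *
 * Parsing stops at the first MAIL, RCPT or DATA command.
 * Returns the length of the string left in obuf.
 */
int decode_smtp(u_char *buf, int len, u_char *obuf, int olen)
{
    char *out = (char *)obuf;
    char *p;
    int i, j, login = 0;

    /* Nothing can be written, not even the terminator. */
    if (olen <= 0)
        return (0);
    out[0] = '\0';

    for (p = strtok((char *)buf, "\r\n"); p != NULL;
         p = strtok(NULL, "\r\n")) {
        if (login == 1) {
            /* Line that follows "AUTH LOGIN <data>": decode all of it. */
            strlcat(out, p, olen);
            i = base64_pton(p, p, strlen(p));
            /*
             * base64_pton is defined elsewhere; a negative return on
             * malformed input is assumed.  Without this clamp p[i] would
             * write one byte before the token.
             */
            if (i < 0)
                i = 0;
            p[i] = '\0';
            j = (int)strlen(out);
            snprintf(out + j, olen - j, " [%s]\n", p);
            login = 0;
        } else if (strncmp(p, "AUTH LOGIN ", 11) == 0) {
            /* Initial response carried on the AUTH line itself. */
            strlcat(out, p, olen);
            p += 11;
            i = base64_pton(p, p, strlen(p));
            if (i < 0)
                i = 0;          /* same guard as above */
            p[i] = '\0';
            j = (int)strlen(out);
            snprintf(out + j, olen - j, " [%s]\n", p);
            login = 1;
        } else if (strncmp(p, "MAIL ", 5) == 0 ||
                   strncmp(p, "RCPT ", 5) == 0 ||
                   strncmp(p, "DATA", 4) == 0) {
            /* Envelope/body has started; no more auth data to expect. */
            break;
        }
    }
    return ((int)strlen(out));
}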
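/*
 * decode_pop - collect POP2/POP3 authentication lines from a client stream.
 *
 * buf  : client data.  It is split in place on CR/LF by strtok(), so it is
 *        modified and must be NUL-terminated.
 *        NOTE(review): len is never consulted here - confirm that every
 *        caller terminates buf before handing it in.
 * len  : number of bytes in buf (unused).
 * obuf : output text, one reported line per '\n'.
 * olen : capacity of obuf in bytes.
 *
 * "AUTH PLAIN" / "AUTH LOGIN" lines are copied, and up to two following
 * lines are copied together with their Base64-decoded form in brackets.
 * USER, PASS and HELO lines are copied verbatim.
 * Returns the length of the string left in obuf.
 */
int decode_pop(u_char *buf, int len, u_char *obuf, int olen)
{
    char *out = (char *)obuf;
    char *p;
    int i, j;

    /* Nothing can be written, not even the terminator. */
    if (olen <= 0)
        return (0);
    out[0] = '\0';

    for (p = strtok((char *)buf, "\r\n"); p != NULL;
         p = strtok(NULL, "\r\n")) {
        if (strncasecmp(p, "AUTH PLAIN", 10) == 0 ||
            strncasecmp(p, "AUTH LOGIN", 10) == 0) {
            strlcat(out, p, olen);
            strlcat(out, "\n", olen);

            /* Decode SASL auth. */
            for (i = 0; i < 2 && (p = strtok(NULL, "\r\n")); i++) {
                strlcat(out, p, olen);
                j = base64_pton(p, p, strlen(p));
                /*
                 * base64_pton is defined elsewhere; a negative return on
                 * malformed input is assumed.  Without this clamp p[j]
                 * would write one byte before the token.
                 */
                if (j < 0)
                    j = 0;
                p[j] = '\0';
                strlcat(out, " [", olen);
                strlcat(out, p, olen);
                strlcat(out, "]\n", olen);
            }
            /* Input ran out inside the SASL exchange: nothing left to scan. */
            if (p == NULL)
                break;
        }
        /* Save regular POP2, POP3 auth info. */
        else if (strncasecmp(p, "USER ", 5) == 0 ||
                 strncasecmp(p, "PASS ", 5) == 0 ||
                 strncasecmp(p, "HELO ", 5) == 0) {
            strlcat(out, p, olen);
            strlcat(out, "\n", olen);
        }
    }
    return ((int)strlen(out));
}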
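/*
 * decode_nntp - collect NNTP AUTHINFO exchanges from a client stream.
 *
 * buf  : client data.  It is split in place on CR/LF by strtok(), so it is
 *        modified and must be NUL-terminated.
 *        NOTE(review): len is never consulted here - confirm that every
 *        caller terminates buf before handing it in.
 * len  : number of bytes in buf (unused).
 * obuf : output text, one reported line per '\n'.
 * olen : capacity of obuf in bytes.
 *
 * Every "AUTHINFO ..." line is copied.  After "AUTHINFO SIMPLE" the next
 * line is copied as well.  After an "AUTHINFO GENERIC DPA" line has been
 * seen, later "AUTHINFO GENERIC <data>" lines also get their Base64-decoded
 * payload appended in square brackets.
 * Returns the length of the string left in obuf.
 */
int decode_nntp(u_char *buf, int len, u_char *obuf, int olen)
{
    char *out = (char *)obuf;
    char *p;
    int i, simple, dpa;

    /* Nothing can be written, not even the terminator. */
    if (olen <= 0)
        return (0);
    out[0] = '\0';
    simple = dpa = 0;

    for (p = strtok((char *)buf, "\r\n"); p != NULL;
         p = strtok(NULL, "\r\n")) {
        if (simple == 1) {
            /* Line following "AUTHINFO SIMPLE". */
            strlcat(out, p, olen);
            strlcat(out, "\n", olen);
            simple = 0;
        } else if (strncasecmp(p, "AUTHINFO ", 9) == 0) {
            strlcat(out, p, olen);

            if (strncasecmp(p + 9, "SIMPLE", 6) == 0) {
                simple = 1;
            } else if (strncasecmp(p + 9, "GENERIC ", 8) == 0) {
                /* p + 17 is the first byte after "AUTHINFO GENERIC ". */
                if (strncasecmp(p + 17, "DPA", 3) == 0) {
                    dpa = 1;
                } else if (dpa == 1) {
                    p += 17;
                    i = base64_pton(p, p, strlen(p));
                    /*
                     * base64_pton is defined elsewhere; a negative return
                     * on malformed input is assumed.  Without this clamp
                     * p[i] would write one byte before the token.
                     */
                    if (i < 0)
                        i = 0;
                    p[i] = '\0';
                    i = (int)strlen(out);
                    snprintf(out + i, olen - i, " [%s]", p);
                }
            }
            strlcat(out, "\n", olen);
        }
    }
    return ((int)strlen(out));
}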
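/*
 * process_http_request - log the HTTP requests found in one chunk of
 * client data, one line per request on stdout.
 *
 * addr : connection endpoints; the source address is printed first.
 * data : client data, parsed in place (header lines get NUL-terminated).
 * len  : number of bytes in data.
 *
 * Each header block (terminated by CRLF CRLF) that passes regex_match() and
 * starts with GET, POST or CONNECT is printed with the user name taken from
 * a Basic Authorization header (text after the first ':' is cut off), the
 * Host, Referer and User-Agent values, and a timestamp.
 *
 * Returns the number of bytes consumed from data.
 */
int process_http_request(struct tuple4 *addr, u_char *data, int len)
{
    struct buf *msg, buf;
    char *p, *req, *uri, *user, *vhost, *referer, *agent;
    int i;

    buf_init(&buf, data, len);

    while ((i = buf_index(&buf, "\r\n\r\n", 4)) >= 0) {
        msg = buf_tok(&buf, NULL, i);
        /* Terminate the header block so the string functions can be used. */
        msg->base[msg->end] = '\0';
        buf_skip(&buf, 4);

        if (!regex_match(buf_ptr(msg)))
            continue;

        if ((req = strtok(buf_ptr(msg), "\r\n")) == NULL)
            continue;

        if (strncmp(req, "GET ", 4) != 0 &&
            strncmp(req, "POST ", 5) != 0 &&
            strncmp(req, "CONNECT ", 8) != 0)
            continue;

        /* Split "METHOD URI ..." at the first space. */
        if ((uri = strchr(req, ' ')) == NULL)
            continue;
        *uri++ = '\0';

        user = vhost = referer = agent = NULL;

        while ((p = strtok(NULL, "\r\n")) != NULL) {
            if (strncasecmp(p, "Authorization: Basic ", 21) == 0) {
                p += 21;
                i = base64_pton(p, p, strlen(p));
                /*
                 * base64_pton is defined elsewhere; a negative return on
                 * malformed input is assumed.  Without this clamp p[i]
                 * would write one byte before the header value.
                 */
                if (i < 0)
                    i = 0;
                p[i] = '\0';
                user = p;
                /* Keep only the user part of "user:password". */
                if ((p = strchr(p, ':')) != NULL)
                    *p = '\0';
            } else if (strncasecmp(p, "Host: ", 6) == 0) {
                vhost = p + 6;
            } else if (strncasecmp(p, "Referer: ", 9) == 0) {
                referer = p + 9;
            } else if (strncasecmp(p, "User-Agent: ", 12) == 0) {
                agent = p + 12;
            } else if (strncasecmp(p, "Content-length: ", 16) == 0) {
                /*
                 * The value is taken from the wire: only skip a body
                 * length that is positive and no larger than the chunk.
                 * NOTE(review): buf_tok() is not visible here - confirm
                 * it also checks the length against the bytes remaining.
                 */
                i = atoi(p + 16);
                if (i > 0 && i <= len)
                    buf_tok(NULL, NULL, i);
            }
        }
        if (user == NULL)
            user = "******";
        if (vhost == NULL)
            vhost = "none"; /* was: libnet_host_lookup(addr->daddr, Opt_dns) */
        if (referer == NULL)
            referer = "-";
        if (agent == NULL)
            agent = "-";

        /*
         * NOTE(review): in the flattened source it is unclear whether the
         * disabled "0.0.0.0" literal also disabled the address argument.
         * The format has eight conversions, so eight arguments are kept.
         */
        printf("%s - %s [%s] \"%s http://%s%s\" - - \"%s\" \"%s\"\n",
               libnet_addr2name4(addr->saddr, Opt_dns),
               user, timestamp(), req, vhost, uri, referer, agent);
    }
    fflush(stdout);

    return (len - buf_len(&buf));
}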