static int proto_dns_process(struct proto *proto, struct packet *p, struct proto_process_stack *stack, unsigned int stack_index) {
struct proto_process_stack *s = &stack[stack_index];
struct proto_process_stack *s_next = &stack[stack_index + 1];
if (s->plen < sizeof(struct dns_header))
return PROTO_INVALID;
struct dns_header *dhdr = s->pload;
uint16_t qdcount = 0, ancount = 0, nscount = 0, arcount = 0;
qdcount = ntohs(dhdr->qdcount);
ancount = ntohs(dhdr->ancount);
nscount = ntohs(dhdr->nscount);
arcount = ntohs(dhdr->arcount);
PTYPE_UINT16_SETVAL(s->pkt_info->fields_value[proto_dns_field_id], ntohs(dhdr->id));
PTYPE_BOOL_SETVAL(s->pkt_info->fields_value[proto_dns_field_response], dhdr->qr);
PTYPE_UINT8_SETVAL(s->pkt_info->fields_value[proto_dns_field_rcode], dhdr->rcode);
PTYPE_UINT16_SETVAL(s->pkt_info->fields_value[proto_dns_field_qdcount], qdcount);
PTYPE_UINT16_SETVAL(s->pkt_info->fields_value[proto_dns_field_ancount], ancount);
PTYPE_UINT16_SETVAL(s->pkt_info->fields_value[proto_dns_field_nscount], nscount);
PTYPE_UINT16_SETVAL(s->pkt_info->fields_value[proto_dns_field_arcount], arcount);
if (qdcount != 1)
return PROTO_INVALID;
s_next->plen = s->plen - sizeof(struct dns_header);
s_next->pload = s->pload + sizeof(struct dns_header);
return PROTO_OK;
}
static int analyzer_gif_pload_process(struct analyzer *analyzer, struct analyzer_pload_buffer *pload) {
if (pload->buff_pos < ANALYZER_GIF_HEADER_MIN_SIZE)
return POM_OK;
unsigned char *buff = pload->buff;
if (!memcmp(pload->buff, ANALYZER_GIF_VERSION_87A, strlen(ANALYZER_GIF_VERSION_87A)) || !memcmp(pload->buff, ANALYZER_GIF_VERSION_89A, strlen(ANALYZER_GIF_VERSION_89A))) {
// We got a GIF file
uint16_t height, width;
width = (buff[7] << 8) + buff[8];
height = (buff[9] << 8) + buff[10];
pload->state = analyzer_pload_buffer_state_analyzed;
PTYPE_UINT16_SETVAL(pload->data[analyzer_gif_pload_width].value, width);
data_set(pload->data[analyzer_gif_pload_width]);
PTYPE_UINT16_SETVAL(pload->data[analyzer_gif_pload_height].value, height);
data_set(pload->data[analyzer_gif_pload_height]);
debug_gif("Got GIF image of %ux%u", width, height);
} else {
pomlog(POMLOG_DEBUG "GIF signature not found");
pload->type = NULL;
}
return POM_OK;
}
static int analyzer_png_pload_analyze(struct pload *p, struct pload_buffer *pb, void *priv) {
if (pb->data_len < ANALYZER_PNG_HEADER_MIN_SIZE)
return PLOAD_ANALYSIS_MORE;
if (memcmp(pb->data, ANALYZER_PNG_SIGNATURE, strlen(ANALYZER_PNG_SIGNATURE))) {
pomlog(POMLOG_DEBUG "PNG signature not found");
return PLOAD_ANALYSIS_FAILED;
}
// We got a PNG file
if (memcmp(pb->data + 12, ANALYZER_PNG_HEADER_NAME, strlen(ANALYZER_PNG_HEADER_NAME))) {
pomlog(POMLOG_DEBUG "IHDR not found where it was supposed to be");
return PLOAD_ANALYSIS_FAILED;
}
// We got the right header
uint16_t height, width;
width = ntohl(*(unsigned int*)(pb->data + 16));
height = ntohl(*(unsigned int*)(pb->data + 20));
struct data *pload_data = pload_get_data(p);
PTYPE_UINT16_SETVAL(pload_data[analyzer_png_pload_width].value, width);
data_set(pload_data[analyzer_png_pload_width]);
PTYPE_UINT16_SETVAL(pload_data[analyzer_png_pload_height].value, height);
data_set(pload_data[analyzer_png_pload_height]);
debug_png("Got PNG of %ux%u", width, height);
return PLOAD_ANALYSIS_OK;
}
static int proto_udp_process(void *proto_priv, struct packet *p, struct proto_process_stack *stack, unsigned int stack_index) {
struct proto_process_stack *s = &stack[stack_index];
if (sizeof(struct udphdr) > s->plen)
return PROTO_INVALID;
struct udphdr *hdr = s->pload;
uint16_t ulen = ntohs(hdr->uh_ulen);
uint16_t sport = ntohs(hdr->uh_sport);
uint16_t dport = ntohs(hdr->uh_dport);
if (ulen > s->plen)
return PROTO_INVALID;
PTYPE_UINT16_SETVAL(s->pkt_info->fields_value[proto_udp_field_sport], sport);
PTYPE_UINT16_SETVAL(s->pkt_info->fields_value[proto_udp_field_dport], dport);
if (conntrack_get(stack, stack_index) != POM_OK)
return POM_ERR;
int res = POM_ERR;
struct proto_process_stack *s_next = &stack[stack_index + 1];
if (s->ce->children) {
res = conntrack_delayed_cleanup(s->ce, 0, p->ts);
s_next->proto = s->ce->children->ce->proto;
} else {
uint32_t *conntrack_timeout = PTYPE_UINT32_GETVAL(param_conntrack_timeout);
res = conntrack_delayed_cleanup(s->ce, *conntrack_timeout, p->ts);
}
conntrack_unlock(s->ce);
s_next->pload = s->pload + sizeof(struct udphdr);
s_next->plen = ulen - sizeof(struct udphdr);
if (!s_next->proto) {
if (dport == 53 || sport == 53)
s_next->proto = proto_dns;
if (dport == 69 || sport == 69)
s_next->proto = proto_tftp;
}
return res;
}
static int proto_arp_process(void *proto_priv, struct packet *p, struct proto_process_stack *stack, unsigned int stack_index) {
struct proto_process_stack *s = &stack[stack_index];
if (sizeof(struct arp_packet) > s->plen)
return PROTO_INVALID;
struct arp_packet *apkt = s->pload;
if (ntohs(apkt->hw_type) != 0x1)
// We only support arp for ethernet links for now
return PROTO_INVALID;
if (ntohs(apkt->proto_type) != 0x0800)
// We only support arp for IPv4 addresses
return PROTO_INVALID;
if (apkt->hw_addr_len != 6)
// Ethernet addresses are 6 bytes long
return PROTO_INVALID;
if (apkt->proto_addr_len != 4)
// IPv4 addresses are 4 bytes long
return PROTO_INVALID;
PTYPE_UINT16_SETVAL(s->pkt_info->fields_value[proto_arp_field_oper], ntohs(apkt->oper));
PTYPE_MAC_SETADDR(s->pkt_info->fields_value[proto_arp_field_sender_hw_addr], apkt->sender_hw_addr);
PTYPE_IPV4_SETADDR(s->pkt_info->fields_value[proto_arp_field_sender_proto_addr], apkt->sender_proto_addr);
PTYPE_MAC_SETADDR(s->pkt_info->fields_value[proto_arp_field_target_hw_addr], apkt->target_hw_addr);
PTYPE_IPV4_SETADDR(s->pkt_info->fields_value[proto_arp_field_target_proto_addr], apkt->target_proto_addr);
return PROTO_OK;
}
static int proto_vlan_process(void *proto_priv, struct packet *p, struct proto_process_stack *stack, unsigned int stack_index) {
struct proto_process_stack *s = &stack[stack_index];
if (s->plen < PROTO_VLAN_HEADER_SIZE)
return PROTO_INVALID;
uint16_t tci = ntohs(*(uint16_t*)s->pload);
uint16_t *ether_type = s->pload + sizeof(uint16_t);
uint16_t de = (tci & PROTO_VLAN_DE_MASK) >> PROTO_VLAN_DE_SHIFT;
uint16_t pcp = (tci & PROTO_VLAN_PCP_MASK) >> PROTO_VLAN_PCP_SHIFT;
uint16_t vid = tci & PROTO_VLAN_VID_MASK;
PTYPE_UINT16_SETVAL(s->pkt_info->fields_value[proto_vlan_field_vid], vid);
PTYPE_BOOL_SETVAL(s->pkt_info->fields_value[proto_vlan_field_de], de);
PTYPE_UINT8_SETVAL(s->pkt_info->fields_value[proto_vlan_field_pcp], pcp);
struct proto_process_stack *s_next = &stack[stack_index + 1];
s_next->pload = s->pload + PROTO_VLAN_HEADER_SIZE;
s_next->plen = s->plen - PROTO_VLAN_HEADER_SIZE;
s_next->proto = proto_get_by_number(s->proto, ntohs(*ether_type));
return PROTO_OK;
}
static int analyzer_smtp_event_fill_common_data(struct analyzer_smtp_ce_priv *cpriv, struct data *data) {
if (cpriv->client_hello) {
PTYPE_STRING_SETVAL(data[analyzer_smtp_common_client_hello].value, cpriv->client_hello);
data_set(data[analyzer_smtp_common_client_hello]);
}
if (cpriv->server_hello) {
PTYPE_STRING_SETVAL(data[analyzer_smtp_common_server_hello].value, cpriv->server_hello);
data_set(data[analyzer_smtp_common_server_hello]);
}
if (cpriv->client_addr) {
data[analyzer_smtp_common_client_addr].value = ptype_alloc_from(cpriv->client_addr);
data[analyzer_smtp_common_client_addr].flags &= ~DATA_FLAG_NO_CLEAN;
if (data[analyzer_smtp_common_client_addr].value)
data_set(data[analyzer_smtp_common_client_addr]);
}
if (cpriv->server_addr) {
data[analyzer_smtp_common_server_addr].value = ptype_alloc_from(cpriv->server_addr);
data[analyzer_smtp_common_server_addr].flags &= ~DATA_FLAG_NO_CLEAN;
if (data[analyzer_smtp_common_server_addr].value)
data_set(data[analyzer_smtp_common_server_addr]);
}
if (cpriv->server_port) {
PTYPE_UINT16_SETVAL(data[analyzer_smtp_common_server_port].value, cpriv->server_port);
data_set(data[analyzer_smtp_common_server_port]);
}
if (cpriv->server_host) {
PTYPE_STRING_SETVAL(data[analyzer_smtp_common_server_host].value, cpriv->server_host);
data_set(data[analyzer_smtp_common_server_host]);
}
return POM_OK;
}
static int analyzer_smtp_event_process_begin(struct event *evt, void *obj, struct proto_process_stack *stack, unsigned int stack_index) {
struct analyzer *analyzer = obj;
struct analyzer_smtp_priv *apriv = analyzer->priv;
struct proto_process_stack *s = &stack[stack_index];
if (!s->ce)
return POM_ERR;
// Only process stuff if we have the DATA event or if we already have an event
struct event_reg *evt_reg = event_get_reg(evt);
struct data *evt_data = event_get_data(evt);
struct analyzer_smtp_ce_priv *cpriv = conntrack_get_priv(s->ce, analyzer);
// It's expected that an SMTP connection will always contain at least one message
// So we always create the cpriv and event, no matter what
if (!cpriv) {
cpriv = malloc(sizeof(struct analyzer_smtp_ce_priv));
if (!cpriv) {
pom_oom(sizeof(struct analyzer_smtp_ce_priv));
return POM_ERR;
}
memset(cpriv, 0, sizeof(struct analyzer_smtp_ce_priv));
if (conntrack_add_priv(s->ce, analyzer, cpriv, analyzer_smtp_ce_priv_cleanup) != POM_OK) {
free(cpriv);
return POM_ERR;
}
}
if (!cpriv->evt_msg) {
cpriv->evt_msg = event_alloc(apriv->evt_msg);
if (!cpriv->evt_msg)
return POM_ERR;
}
struct data *msg_data = event_get_data(cpriv->evt_msg);
if (evt_reg == apriv->evt_cmd) {
if (!cpriv->common_data_fetched)
analyzer_smtp_event_fetch_common_data(cpriv, stack, stack_index, POM_DIR_REVERSE(s->direction));
// Process commands
// A message was being transmitted and we recevied a new command
if (event_is_started(cpriv->evt_msg)) {
event_process_end(cpriv->evt_msg);
cpriv->evt_msg = NULL;
}
char *cmd = PTYPE_STRING_GETVAL(evt_data[proto_smtp_cmd_name].value);
if (!cmd)
return POM_OK;
char *arg = PTYPE_STRING_GETVAL(evt_data[proto_smtp_cmd_arg].value);
if (arg) {
while (*arg == ' ')
arg++;
}
if (!strcasecmp(cmd, "MAIL")) {
if (strncasecmp(arg, "FROM:", strlen("FROM:"))) {
pomlog(POMLOG_DEBUG "Unparseable MAIL command");
return POM_OK;
}
arg += strlen("FROM:");
while (*arg == ' ')
arg++;
if (*arg == '<')
arg++;
size_t len;
char *end = strchr(arg, '>');
if (end)
len = end - arg;
else
len = strlen(arg);
PTYPE_STRING_SETVAL_N(msg_data[analyzer_smtp_msg_from].value, arg, len);
data_set(msg_data[analyzer_smtp_msg_from]);
cpriv->last_cmd = analyzer_smtp_last_cmd_mail_from;
} else if (!strcasecmp(cmd, "RCPT")) {
if (strncasecmp(arg, "TO:", strlen("TO:"))) {
pomlog(POMLOG_DEBUG "Unparseable RCPT command");
return POM_OK;
}
arg += strlen("TO:");
while (*arg == ' ')
arg++;
if (*arg == '<')
arg++;
size_t len;
char *end = strchr(arg, '>');
if (end)
len = end - arg;
else
len = strlen(arg);
struct ptype *to = ptype_alloc("string");
if (!to)
return POM_ERR;
PTYPE_STRING_SETVAL_N(to, arg, len);
if (data_item_add_ptype(msg_data, analyzer_smtp_msg_to, strdup("to"), to) != POM_OK) {
ptype_cleanup(to);
return POM_ERR;
}
cpriv->last_cmd = analyzer_smtp_last_cmd_rcpt_to;
} else if (!strcasecmp(cmd, "DATA")) {
cpriv->last_cmd = analyzer_smtp_last_cmd_data;
if (!event_is_started(cpriv->evt_msg)) {
analyzer_smtp_event_fill_common_data(cpriv, msg_data);
event_process_begin(cpriv->evt_msg, stack, stack_index, event_get_timestamp(evt));
} else {
pomlog(POMLOG_DEBUG "Message event already started !");
}
} else if (!strcasecmp(cmd, "RSET")) {
// Cleanup the event
event_cleanup(cpriv->evt_msg);
cpriv->evt_msg = NULL;
cpriv->last_cmd = analyzer_smtp_last_cmd_other;
} else if (!strcasecmp(cmd, "HELO") || !strcasecmp(cmd, "EHLO")) {
if (cpriv->client_hello) {
pomlog(POMLOG_DEBUG "We already have a client hello !");
free(cpriv->client_hello);
}
cpriv->client_hello = strdup(arg);
if (!cpriv->client_hello) {
pom_oom(strlen(arg) + 1);
return POM_ERR;
}
cpriv->last_cmd = analyzer_smtp_last_cmd_other;
} else if (!strcasecmp(cmd, "AUTH")) {
if (!strncasecmp(arg, "PLAIN", strlen("PLAIN"))) {
arg += strlen("PLAIN");
while (*arg == ' ')
arg++;
if (cpriv->evt_auth) {
event_process_end(cpriv->evt_auth);
cpriv->evt_auth = NULL;
}
if (strlen(arg)) {
if (analyzer_smtp_parse_auth_plain(apriv, cpriv, arg) == POM_OK) {
event_process_begin(cpriv->evt_auth, stack, stack_index, event_get_timestamp(evt));
cpriv->last_cmd = analyzer_smtp_last_cmd_auth_plain_creds;
}
} else {
cpriv->last_cmd = analyzer_smtp_last_cmd_auth_plain;
}
} else if (!strncasecmp(arg, "LOGIN", strlen("LOGIN"))) {
arg += strlen("LOGIN");
while (*arg == ' ')
arg++;
if (cpriv->evt_auth) {
event_process_end(cpriv->evt_auth);
cpriv->evt_auth = NULL;
}
cpriv->evt_auth = event_alloc(apriv->evt_auth);
if (!cpriv->evt_auth)
return POM_ERR;
struct data *auth_data = event_get_data(cpriv->evt_auth);
analyzer_smtp_event_fill_common_data(cpriv, auth_data);
// Set the authentication type
PTYPE_STRING_SETVAL(auth_data[analyzer_smtp_auth_type].value, "LOGIN");
data_set(auth_data[analyzer_smtp_auth_type]);
if (strlen(arg)) {
char *username = NULL;
size_t out_len = 0;
struct ptype *username_pt = NULL;
if (decoder_decode_simple("base64", arg, strlen(arg), &username, &out_len) == POM_OK) {
username_pt = ptype_alloc("string");
if (username_pt) {
PTYPE_STRING_SETVAL_P(username_pt, username);
if (data_item_add_ptype(auth_data, analyzer_smtp_auth_params, strdup("username"), username_pt) != POM_OK) {
ptype_cleanup(username_pt);
event_cleanup(cpriv->evt_auth);
cpriv->evt_auth = NULL;
username_pt = NULL;
}
} else {
free(username);
}
}
if (!username_pt) {
cpriv->last_cmd = analyzer_smtp_last_cmd_other;
event_process_begin(cpriv->evt_auth, stack, stack_index, event_get_timestamp(evt));
}
} else {
cpriv->last_cmd = analyzer_smtp_last_cmd_auth_login;
}
}
} else if (cpriv->last_cmd == analyzer_smtp_last_cmd_auth_plain) {
// We are expecting the credentials right now
if (analyzer_smtp_parse_auth_plain(apriv, cpriv, cmd) == POM_OK) {
event_process_begin(cpriv->evt_auth, stack, stack_index, event_get_timestamp(evt));
cpriv->last_cmd = analyzer_smtp_last_cmd_auth_plain_creds;
} else {
cpriv->last_cmd = analyzer_smtp_last_cmd_other;
}
} else if (cpriv->last_cmd == analyzer_smtp_last_cmd_auth_login) {
char *username = NULL;
size_t out_len = 0;
struct ptype *username_pt = NULL;
if (decoder_decode_simple("base64", cmd, strlen(cmd), &username, &out_len) == POM_OK) {
username_pt = ptype_alloc("string");
if (username_pt) {
PTYPE_STRING_SETVAL_P(username_pt, username);
struct data *auth_data = event_get_data(cpriv->evt_auth);
if (data_item_add_ptype(auth_data, analyzer_smtp_auth_params, strdup("username"), username_pt) != POM_OK) {
ptype_cleanup(username_pt);
event_process_end(cpriv->evt_auth);
cpriv->evt_auth = NULL;
username_pt = NULL;
}
} else {
free(username);
}
}
if (!username_pt) {
cpriv->last_cmd = analyzer_smtp_last_cmd_other;
} else {
event_process_begin(cpriv->evt_auth, stack, stack_index, event_get_timestamp(evt));
cpriv->last_cmd = analyzer_smtp_last_cmd_auth_login_user;
}
} else if (cpriv->last_cmd == analyzer_smtp_last_cmd_auth_login_user) {
char *password = NULL;
size_t out_len = 0;
struct ptype *password_pt = NULL;
if (decoder_decode_simple("base64", cmd, strlen(cmd), &password, &out_len) == POM_OK) {
password_pt = ptype_alloc("string");
if (password_pt) {
PTYPE_STRING_SETVAL_P(password_pt, password);
struct data *auth_data = event_get_data(cpriv->evt_auth);
if (data_item_add_ptype(auth_data, analyzer_smtp_auth_params, strdup("password"), password_pt) != POM_OK) {
ptype_cleanup(password_pt);
event_process_end(cpriv->evt_auth);
cpriv->evt_auth = NULL;
password_pt = NULL;
}
} else {
free(password);
}
}
if (!password_pt) {
cpriv->last_cmd = analyzer_smtp_last_cmd_other;
} else {
cpriv->last_cmd = analyzer_smtp_last_cmd_auth_login_pass;
}
} else {
cpriv->last_cmd = analyzer_smtp_last_cmd_other;
}
} else if (evt_reg == apriv->evt_reply) {
if (!cpriv->common_data_fetched)
analyzer_smtp_event_fetch_common_data(cpriv, stack, stack_index, s->direction);
// Process replies
uint16_t code = *PTYPE_UINT16_GETVAL(evt_data[proto_smtp_reply_code].value);
switch (cpriv->last_cmd) {
default:
case analyzer_smtp_last_cmd_other:
if (code == 220 && evt_data[proto_smtp_reply_text].items && evt_data[proto_smtp_reply_text].items->value) {
// STARTTLS returns 220 as well so ignore extra code 220
if (!cpriv->server_hello) {
char *helo = PTYPE_STRING_GETVAL(evt_data[proto_smtp_reply_text].items->value);
cpriv->server_hello = strdup(helo);
if (!cpriv->server_hello) {
pom_oom(strlen(helo) + 1);
return POM_ERR;
}
}
}
break;
case analyzer_smtp_last_cmd_mail_from:
if (code != 250) {
// FROM is invalid
data_unset(msg_data[analyzer_smtp_msg_from]);
}
break;
case analyzer_smtp_last_cmd_rcpt_to:
// For now just don't do anything
// It's best to keep a destination in there even if it's invalid or denied
break;
case analyzer_smtp_last_cmd_data:
if (code == 354) {
// The message is starting, keep last_cmd intact
return POM_OK;
}
// Message is over (if ever transmited)
if (event_is_started(cpriv->evt_msg)) {
struct data *msg_data = event_get_data(cpriv->evt_msg);
PTYPE_UINT16_SETVAL(msg_data[analyzer_smtp_msg_result].value, code);
data_set(msg_data[analyzer_smtp_msg_result]);
event_process_end(cpriv->evt_msg);
cpriv->evt_msg = NULL;
}
break;
case analyzer_smtp_last_cmd_auth_plain:
case analyzer_smtp_last_cmd_auth_login:
case analyzer_smtp_last_cmd_auth_login_user:
// Check if authentication phase can continue
if (code == 334) {
// Don't reset cpriv->last_cmd
return POM_OK;
} else {
struct data *evt_data = event_get_data(cpriv->evt_auth);
PTYPE_BOOL_SETVAL(evt_data[analyzer_smtp_auth_success].value, 0);
data_set(evt_data[analyzer_smtp_auth_success]);
event_process_end(cpriv->evt_auth);
cpriv->evt_auth = NULL;
}
break;
case analyzer_smtp_last_cmd_auth_plain_creds:
case analyzer_smtp_last_cmd_auth_login_pass: {
// We just processed the credentials
struct data *auth_data = event_get_data(cpriv->evt_auth);
char success = 0;
if (code == 235)
success = 1;
PTYPE_BOOL_SETVAL(auth_data[analyzer_smtp_auth_success].value, success);
data_set(auth_data[analyzer_smtp_auth_success]);
event_process_end(cpriv->evt_auth);
cpriv->evt_auth = NULL;
break;
}
}
cpriv->last_cmd = analyzer_smtp_last_cmd_other;
}
return POM_OK;
}
static int proto_smtp_process(void *proto_priv, struct packet *p, struct proto_process_stack *stack, unsigned int stack_index) {
struct proto_process_stack *s = &stack[stack_index];
struct proto_process_stack *s_next = &stack[stack_index + 1];
if (conntrack_get_unique_from_parent(stack, stack_index) != POM_OK) {
pomlog(POMLOG_ERR "Could not get conntrack entry");
return PROTO_ERR;
}
// There should no need to keep the lock here since we are in the packet_stream lock from proto_tcp
conntrack_unlock(s->ce);
struct proto_smtp_priv *ppriv = proto_priv;
struct proto_smtp_conntrack_priv *priv = s->ce->priv;
if (!priv) {
priv = malloc(sizeof(struct proto_smtp_conntrack_priv));
if (!priv) {
pom_oom(sizeof(struct proto_smtp_conntrack_priv));
return PROTO_ERR;
}
memset(priv, 0, sizeof(struct proto_smtp_conntrack_priv));
priv->parser[POM_DIR_FWD] = packet_stream_parser_alloc(SMTP_MAX_LINE, PACKET_STREAM_PARSER_FLAG_TRIM);
if (!priv->parser[POM_DIR_FWD]) {
free(priv);
return PROTO_ERR;
}
priv->parser[POM_DIR_REV] = packet_stream_parser_alloc(SMTP_MAX_LINE, PACKET_STREAM_PARSER_FLAG_TRIM);
if (!priv->parser[POM_DIR_REV]) {
packet_stream_parser_cleanup(priv->parser[POM_DIR_FWD]);
free(priv);
return PROTO_ERR;
}
priv->server_direction = POM_DIR_UNK;
s->ce->priv = priv;
}
if (priv->flags & PROTO_SMTP_FLAG_INVALID)
return PROTO_OK;
struct packet_stream_parser *parser = priv->parser[s->direction];
if (packet_stream_parser_add_payload(parser, s->pload, s->plen) != POM_OK)
return PROTO_ERR;
char *line = NULL;
size_t len = 0;
while (1) {
// Some check to do prior to parse the payload
if (s->direction == POM_DIR_REVERSE(priv->server_direction)) {
if (priv->flags & PROTO_SMTP_FLAG_STARTTLS) {
// Last command was a STARTTLS command, this is the TLS negociation
// Since we can't parse this, mark it as invalid
priv->flags |= PROTO_SMTP_FLAG_INVALID;
return PROTO_OK;
} else if (priv->flags & PROTO_SMTP_FLAG_CLIENT_DATA) {
// We are receiving payload data, check where the end is
void *pload;
size_t plen;
packet_stream_parser_get_remaining(parser, &pload, &plen);
if (!plen)
return PROTO_OK;
// Look for the "<CR><LF>.<CR><LF>" sequence
if (priv->data_end_pos > 0) {
// The previous packet ended with something that might be the final sequence
// Check if we have the rest
int i, found = 1;
for (i = 0; i < PROTO_SMTP_DATA_END_LEN - priv->data_end_pos && i <= plen; i++) {
if (*(char*)(pload + i) != PROTO_SMTP_DATA_END[priv->data_end_pos + i]) {
found = 0;
break;
}
}
if (found) {
// If we have already processed the dot after <CR><LF> there is no way to remove it
// Thus we mark this connection as invalid. Most MTA will send at worst the last
// 3 bytes of the end sequence in a sequence packet
if (i != plen || (priv->data_end_pos >= 2 && plen < 3)) {
pomlog(POMLOG_DEBUG "The final line was not at the of a packet as expected !");
priv->flags |= PROTO_SMTP_FLAG_INVALID;
event_process_end(priv->data_evt);
priv->data_evt = NULL;
return PROTO_OK;
}
s_next->pload = pload;
s_next->plen = plen - PROTO_SMTP_DATA_END_LEN + 2; // The last line return is part of the payload
priv->flags |= PROTO_SMTP_FLAG_CLIENT_DATA_END;
priv->flags &= ~PROTO_SMTP_FLAG_CLIENT_DATA;
priv->data_end_pos = 0;
return PROTO_OK;
}
priv->data_end_pos = 0;
}
char *dotline = pom_strnstr(pload, PROTO_SMTP_DATA_END, plen);
if (dotline) {
if (pload + plen - PROTO_SMTP_DATA_END_LEN != dotline) {
pomlog(POMLOG_DEBUG "The final line was not at the of a packet as expected !");
priv->flags |= PROTO_SMTP_FLAG_INVALID;
event_process_end(priv->data_evt);
priv->data_evt = NULL;
return PROTO_OK;
}
s_next->pload = pload;
s_next->plen = plen - PROTO_SMTP_DATA_END_LEN + 2; // The last line return is part of the payload
priv->flags |= PROTO_SMTP_FLAG_CLIENT_DATA_END;
priv->flags &= ~PROTO_SMTP_FLAG_CLIENT_DATA;
} else {
// Check if the end of the payload contains part of the "<CR><LF>.<CR><LF>" sequence
int i, found = 0;
for (i = 1 ; (i < PROTO_SMTP_DATA_END_LEN) && (i <= plen); i++) {
if (!memcmp(pload + plen - i, PROTO_SMTP_DATA_END, i)) {
found = 1;
break;
}
}
if (found)
priv->data_end_pos = i;
s_next->pload = pload;
s_next->plen = plen;
}
return PROTO_OK;
}
}
// Process commands
if (packet_stream_parser_get_line(parser, &line, &len) != POM_OK)
return PROTO_ERR;
if (!line)
return PROTO_OK;
if (!len) // Probably a missed packet
return PROTO_OK;
// Try to find the server direction
if (priv->server_direction == POM_DIR_UNK) {
unsigned int code = atoi(line);
if (code > 0) {
priv->server_direction = s->direction;
} else {
priv->server_direction = POM_DIR_REVERSE(s->direction);
}
}
if (s->direction == priv->server_direction) {
// Parse the response code and generate the event
if ((len < 5) || // Server response is 3 digit error code, a space or hyphen and then at least one letter of text
(line[3] != ' ' && line[3] != '-')) {
pomlog(POMLOG_DEBUG "Too short or invalid response from server");
priv->flags |= PROTO_SMTP_FLAG_INVALID;
return POM_OK;
}
int code = atoi(line);
if (code == 0) {
pomlog(POMLOG_DEBUG "Invalid response from server");
priv->flags |= PROTO_SMTP_FLAG_INVALID;
return POM_OK;
}
if (event_has_listener(ppriv->evt_reply)) {
struct data *evt_data = NULL;
if (priv->reply_evt) {
evt_data = event_get_data(priv->reply_evt);
uint16_t cur_code = *PTYPE_UINT16_GETVAL(evt_data[proto_smtp_reply_code].value);
if (cur_code != code) {
pomlog(POMLOG_WARN "Multiline code not the same as previous line : %hu -> %hu", cur_code, code);
event_process_end(priv->reply_evt);
priv->reply_evt = NULL;
}
}
if (!priv->reply_evt) {
priv->reply_evt = event_alloc(ppriv->evt_reply);
if (!priv->reply_evt)
return PROTO_ERR;
evt_data = event_get_data(priv->reply_evt);
PTYPE_UINT16_SETVAL(evt_data[proto_smtp_reply_code].value, code);
data_set(evt_data[proto_smtp_reply_code]);
}
if (len > 4) {
struct ptype *txt = ptype_alloc("string");
if (!txt)
return PROTO_ERR;
PTYPE_STRING_SETVAL_N(txt, line + 4, len - 4);
if (data_item_add_ptype(evt_data, proto_smtp_reply_text, strdup("text"), txt) != POM_OK)
return PROTO_ERR;
}
if (!event_is_started(priv->reply_evt))
event_process_begin(priv->reply_evt, stack, stack_index, p->ts);
}
if (line[3] != '-') {
// Last line in the response
if (priv->reply_evt) {
event_process_end(priv->reply_evt);
priv->reply_evt = NULL;
}
}
if (priv->flags & PROTO_SMTP_FLAG_STARTTLS) {
// The last command was STARTTLS
priv->flags &= ~PROTO_SMTP_FLAG_STARTTLS;
if (code == 220) {
// TLS has the go, we can't parse from now so mark as invalid
priv->flags |= PROTO_SMTP_FLAG_INVALID;
return POM_OK;
}
}
} else {
// Client command
if (len < 4) { // Client commands are at least 4 bytes long
pomlog(POMLOG_DEBUG "Too short or invalid query from client");
priv->flags |= PROTO_SMTP_FLAG_INVALID;
return POM_OK;
}
// Make sure it's a command by checking it's at least a four letter word
int i;
for (i = 0; i < 4; i++) {
// In some case it can also be a base64 encoded word
if (! ((line[i] >= 'A' && line[i] <= 'Z')
|| (line[i] >= 'a' && line[i] <= 'z')
|| (line[i] >= '0' && line [i] <= '9')
|| line[i] == '='))
break;
}
if ((i < 4)) {
pomlog(POMLOG_DEBUG "Recieved invalid client command");
priv->flags |= PROTO_SMTP_FLAG_INVALID;
return POM_OK;
}
if (!strncasecmp(line, "DATA", strlen("DATA")) && len == strlen("DATA")) {
priv->flags |= PROTO_SMTP_FLAG_CLIENT_DATA;
} else if (!strncasecmp(line, "STARTTLS", strlen("STARTTLS")) && len == strlen("STARTTLS")) {
priv->flags |= PROTO_SMTP_FLAG_STARTTLS;
}
if (event_has_listener(ppriv->evt_cmd)) {
struct event *evt = event_alloc(ppriv->evt_cmd);
if (!evt)
return PROTO_ERR;
size_t cmdlen = len;
char *space = memchr(line, ' ', len);
if (space)
cmdlen = space - line;
struct data *evt_data = event_get_data(evt);
PTYPE_STRING_SETVAL_N(evt_data[proto_smtp_cmd_name].value, line, cmdlen);
data_set(evt_data[proto_smtp_cmd_name]);
if (space) {
PTYPE_STRING_SETVAL_N(evt_data[proto_smtp_cmd_arg].value, space + 1, len - 1 - cmdlen);
data_set(evt_data[proto_smtp_cmd_arg]);
}
if (priv->flags & PROTO_SMTP_FLAG_CLIENT_DATA) {
// The event ends at the end of the message
priv->data_evt = evt;
return event_process_begin(evt, stack, stack_index, p->ts);
} else {
return event_process(evt, stack, stack_index, p->ts);
}
}
}
}
return PROTO_OK;
}
static int analyzer_arp_pkt_process(void *obj, struct packet *p, struct proto_process_stack *stack, unsigned int stack_index) {
struct analyzer *analyzer = obj;
struct analyzer_arp_priv *priv = analyzer->priv;
struct proto_process_stack *s = &stack[stack_index];
struct proto_process_stack *s_prev = &stack[stack_index - 1];
struct in_addr arp_ip = PTYPE_IPV4_GETADDR(s->pkt_info->fields_value[proto_arp_field_sender_proto_addr]);
// Discard bogon 0.0.0.0
if (!arp_ip.s_addr)
return POM_OK;
// Find that IP in the table
uint32_t id = arp_ip.s_addr & ANALYZER_ARP_HOST_MASK;
char *arp_mac = PTYPE_MAC_GETADDR(s->pkt_info->fields_value[proto_arp_field_sender_hw_addr]);
uint16_t vlan = 0;
if (s_prev->proto == priv->proto_vlan)
vlan = *PTYPE_UINT16_GETVAL(s_prev->pkt_info->fields_value[proto_vlan_field_vid]);
pom_mutex_lock(&priv->lock);
struct analyzer_arp_host *host;
for (host = priv->hosts[id]; host; host = host->next) {
if (host->ip.s_addr == arp_ip.s_addr && host->vlan == vlan)
break;
}
if (!host) {
// Host not found !
host = malloc(sizeof(struct analyzer_arp_host));
if (!host) {
pom_mutex_unlock(&priv->lock);
pom_oom(sizeof(struct analyzer_arp_host));
return POM_ERR;
}
memset(host, 0, sizeof(struct analyzer_arp_host));
host->ip.s_addr = arp_ip.s_addr;
memcpy(host->mac, arp_mac, sizeof(host->mac));
host->vlan = vlan;
host->next = priv->hosts[id];
if (host->next)
host->next->prev = host;
priv->hosts[id] = host;
pom_mutex_unlock(&priv->lock);
// Announce the new station
if (event_has_listener(priv->evt_new_sta)) {
struct event *evt = event_alloc(priv->evt_new_sta);
if (!evt)
return POM_ERR;
struct data *evt_data = evt->data;
ptype_copy(evt_data[analyzer_arp_new_sta_mac_addr].value, s->pkt_info->fields_value[proto_arp_field_sender_hw_addr]);
data_set(evt_data[analyzer_arp_new_sta_mac_addr]);
ptype_copy(evt_data[analyzer_arp_new_sta_ip_addr].value, s->pkt_info->fields_value[proto_arp_field_sender_proto_addr]);
data_set(evt_data[analyzer_arp_new_sta_ip_addr]);
PTYPE_UINT16_SETVAL(evt_data[analyzer_arp_new_sta_vlan].value, vlan);
data_set(evt_data[analyzer_arp_new_sta_vlan]);
PTYPE_STRING_SETVAL(evt_data[analyzer_arp_new_sta_input].value, p->input->name);
data_set(evt_data[analyzer_arp_new_sta_input]);
if (event_process(evt, stack, stack_index) != POM_OK)
return POM_ERR;
}
// Nothing else to do
return POM_OK;
}
// Host was found, check mac
if (memcmp(host->mac, arp_mac, sizeof(host->mac))) {
if (event_has_listener(priv->evt_sta_changed)) {
struct event *evt = event_alloc(priv->evt_sta_changed);
if (!evt) {
pom_mutex_unlock(&priv->lock);
return POM_ERR;
}
struct data *evt_data = evt->data;
PTYPE_MAC_SETADDR(evt_data[analyzer_arp_sta_changed_old_mac_addr].value, host->mac);
data_set(evt_data[analyzer_arp_sta_changed_old_mac_addr]);
ptype_copy(evt_data[analyzer_arp_sta_changed_new_mac_addr].value, s->pkt_info->fields_value[proto_arp_field_sender_hw_addr]);
data_set(evt_data[analyzer_arp_sta_changed_new_mac_addr]);
ptype_copy(evt_data[analyzer_arp_sta_changed_ip_addr].value, s->pkt_info->fields_value[proto_arp_field_sender_proto_addr]);
data_set(evt_data[analyzer_arp_sta_changed_ip_addr]);
PTYPE_UINT16_SETVAL(evt_data[analyzer_arp_sta_changed_vlan].value, vlan);
data_set(evt_data[analyzer_arp_sta_changed_vlan]);
PTYPE_STRING_SETVAL(evt_data[analyzer_arp_sta_changed_input].value, p->input->name);
data_set(evt_data[analyzer_arp_sta_changed_input]);
if (event_process(evt, stack, stack_index) != POM_OK) {
pom_mutex_unlock(&priv->lock);
return POM_ERR;
}
}
memcpy(host->mac, arp_mac, sizeof(host->mac));
}
pom_mutex_unlock(&priv->lock);
return POM_OK;
}
static int analyzer_jpeg_pload_analyze(struct analyzer *analyzer, struct analyzer_pload_buffer *pload, void *buffer, size_t buff_len) {
struct analyzer_jpeg_pload_priv *priv = analyzer_pload_buffer_get_priv(pload);
if (!priv) {
priv = malloc(sizeof(struct analyzer_jpeg_pload_priv));
if (!priv) {
pom_oom(sizeof(struct analyzer_jpeg_pload_priv));
return POM_ERR;
}
memset(priv, 0, sizeof(struct analyzer_jpeg_pload_priv));
priv->pload_buff = buffer;
priv->pload_buff_len = buff_len;
// Setup error handler
struct jpeg_error_mgr *jerr = malloc(sizeof(struct jpeg_error_mgr));
if (!jerr) {
free(priv);
pom_oom(sizeof(struct jpeg_error_mgr));
return POM_ERR;
}
memset(jerr, 0, sizeof(struct jpeg_error_mgr));
priv->cinfo.err = jpeg_std_error(jerr);
priv->cinfo.err->error_exit = analyzer_jpeg_lib_error_exit;
// Allocate the decompressor
jpeg_create_decompress(&priv->cinfo);
priv->cinfo.client_data = priv;
#ifdef HAVE_LIBEXIF
// Save APP1
jpeg_save_markers(&priv->cinfo, JPEG_APP0 + 1, 0xFFFF);
#endif
// Allocate the source
struct jpeg_source_mgr *src = malloc(sizeof(struct jpeg_source_mgr));
if (!src) {
free(priv->cinfo.err);
pom_oom(sizeof(struct jpeg_source_mgr));
jpeg_destroy_decompress(&priv->cinfo);
free(priv);
return POM_ERR;
}
memset(src, 0, sizeof(struct jpeg_source_mgr));
src->init_source = analyzer_jpeg_lib_init_source;
src->fill_input_buffer = analyzer_jpeg_lib_fill_input_buffer;
src->skip_input_data = analyzer_jpeg_lib_skip_input_data;
src->resync_to_restart = jpeg_resync_to_restart;
src->term_source = analyzer_jpeg_lib_term_source;
priv->cinfo.src = src;
analyzer_pload_buffer_set_priv(pload, priv);
} else {
priv->pload_buff = buffer;
priv->pload_buff_len = buff_len;
}
if (priv->jpeg_lib_pos >= buff_len)
// Nothing more to process
return POM_OK;
int res = POM_OK;
if (!setjmp(priv->jmp_buff)) {
if (priv->jpeg_lib_pos) {
// It's not garanteed that buffer points to the
// same memory area after each call, so we reset it here
priv->cinfo.src->next_input_byte = buffer + priv->jpeg_lib_pos;
}
if (jpeg_read_header(&priv->cinfo, TRUE) == JPEG_SUSPENDED)
return POM_OK; // Headers are incomplete
struct data *data = analyzer_pload_buffer_get_data(pload);
PTYPE_UINT16_SETVAL(data[analyzer_jpeg_pload_width].value, priv->cinfo.image_width);
data_set(data[analyzer_jpeg_pload_width]);
PTYPE_UINT16_SETVAL(data[analyzer_jpeg_pload_height].value, priv->cinfo.image_height);
data_set(data[analyzer_jpeg_pload_height]);
debug_jpeg("JPEG read header returned %u, image is %ux%u", res, priv->cinfo.image_width, priv->cinfo.image_height);
#ifdef HAVE_LIBEXIF
// Parse the exif data
jpeg_saved_marker_ptr marker;
for (marker = priv->cinfo.marker_list; marker && marker->marker != JPEG_APP0 + 1; marker = marker->next);
if (marker) {
ExifData *exif_data = exif_data_new_from_data(marker->data, marker->data_length);
if (!exif_data) {
pomlog(POMLOG_DEBUG "Unable to parse EXIF data");
}
exif_data_foreach_content(exif_data, analyzer_jpeg_exif_content_process, pload);
exif_data_free(exif_data);
}
#endif
analyzer_pload_buffer_set_state(pload, analyzer_pload_buffer_state_analyzed);
} else {
pomlog(POMLOG_DEBUG "Error while parsing JPEG headers");
res = POM_ERR;
}
free(priv->cinfo.err);
free(priv->cinfo.src);
jpeg_destroy_decompress(&priv->cinfo);
free(priv);
analyzer_pload_buffer_set_priv(pload, NULL);
return res;
}
static void analyzer_jpeg_exif_entry_analyze(ExifEntry *entry, void *pload) {
ExifIfd ifd = exif_content_get_ifd(entry->parent);
const char *tag_name = exif_tag_get_name_in_ifd(entry->tag, ifd);
if (!tag_name) // Unknown tag
return;
struct ptype *value = NULL;
// First parse ascii values
if (entry->format == EXIF_FORMAT_ASCII) {
char *str = malloc(entry->size);
if (!str) {
pom_oom(entry->size);
return;
}
memcpy(str, entry->data, entry->size);
// Make sure it's NULL terminated
str[entry->size - 1] = 0;
value = ptype_alloc("string");
if (!value) {
free(str);
return;
}
PTYPE_STRING_SETVAL_P(value, str);
} else if (entry->components == 1) {
ExifByteOrder byte_order = exif_data_get_byte_order(entry->parent->parent);
if (entry->format == EXIF_FORMAT_BYTE) {
value = ptype_alloc("uint8");
if (!value)
return;
PTYPE_UINT8_SETVAL(value, *entry->data);
} else if (entry->format == EXIF_FORMAT_SHORT) {
value = ptype_alloc("uint16");
if (!value)
return;
PTYPE_UINT16_SETVAL(value, exif_get_short(entry->data, byte_order));
} else if (entry->format == EXIF_FORMAT_LONG) {
value = ptype_alloc("uint32");
if (!value)
return;
PTYPE_UINT32_SETVAL(value, exif_get_long(entry->data, byte_order));
}
}
if (!value) {
// Fallback for types not parsed by us yet
// FIXME this is subject to the locale
char buff[256];
buff[sizeof(buff) - 1] = 0;
exif_entry_get_value(entry, buff, sizeof(buff) - 1);
value = ptype_alloc("string");
if (!value)
return;
PTYPE_STRING_SETVAL(value, buff);
}
char *key = strdup(tag_name);
if (!key) {
pom_oom(strlen(tag_name) + 1);
return;
}
struct data *data = analyzer_pload_buffer_get_data(pload);
data_item_add_ptype(data, analyzer_jpeg_pload_exif, key, value);
}
static int proto_tftp_process(void *proto_priv, struct packet *p, struct proto_process_stack *stack, unsigned int stack_index) {
struct proto_process_stack *s = &stack[stack_index];
struct proto_process_stack *s_prev = &stack[stack_index - 1];
struct proto_process_stack *s_next = &stack[stack_index + 1];
if (conntrack_get_unique_from_parent(stack, stack_index) != POM_OK) {
pomlog(POMLOG_ERR "Could not get a conntrack entry");
return PROTO_ERR;
}
struct proto_tftp_conntrack_priv *priv = s->ce->priv;
if (!priv) {
priv = malloc(sizeof(struct proto_tftp_conntrack_priv));
if (!priv) {
pom_oom(sizeof(struct proto_tftp_conntrack_priv));
conntrack_unlock(s->ce);
return POM_ERR;
}
memset(priv, 0, sizeof(struct proto_tftp_conntrack_priv));
s->ce->priv = priv;
}
if (priv->flags & PROTO_TFTP_CONN_INVALID) {
conntrack_unlock(s->ce);
return PROTO_INVALID;
}
void *pload = s->pload;
uint32_t plen = s->plen;
// proto_tftp only process up to the opcode field
// afterwards, it's up to the analyzer to parse the rest
uint16_t opcode = ntohs(*((uint16_t*)pload));
PTYPE_UINT16_SETVAL(s->pkt_info->fields_value[proto_tftp_field_opcode], opcode);
pload += sizeof(uint16_t);
plen -= sizeof(uint16_t);
s_next->pload = pload;
s_next->plen = plen;
switch (opcode) {
case tftp_rrq:
case tftp_wrq: {
// Find the filename
char *filename = pload;
char *mode = memchr(filename, 0, plen - 1);
if (!mode) {
priv->flags |= PROTO_TFTP_CONN_INVALID;
conntrack_unlock(s->ce);
debug_tftp("End of filename not found in read/write request");
return PROTO_INVALID;
}
mode++;
ssize_t filename_len = mode - filename;
char *end = memchr(mode, 0, plen - filename_len);
if (!end) {
priv->flags |= PROTO_TFTP_CONN_INVALID;
conntrack_unlock(s->ce);
debug_tftp("End of mode not found in read/write request");
return PROTO_INVALID;
}
debug_tftp("Got read/write request for filename \"%s\" with mode \"%s\"", filename, mode);
struct conntrack_session *session = conntrack_session_get(s->ce);
if (!session) {
conntrack_unlock(s->ce);
return POM_ERR;
}
// We don't need to do anything with the session
conntrack_session_unlock(session);
struct proto_expectation *expt = proto_expectation_alloc_from_conntrack(s_prev->ce, proto_tftp, NULL);
if (!expt) {
conntrack_unlock(s->ce);
return PROTO_ERR;
}
proto_expectation_set_field(expt, -1, NULL, POM_DIR_REV);
if (proto_expectation_add(expt, session, PROTO_TFTP_EXPT_TIMER, p->ts) != POM_OK) {
conntrack_unlock(s->ce);
proto_expectation_cleanup(expt);
return PROTO_ERR;
}
break;
}
case tftp_data: {
if (plen < 2) {
priv->flags |= PROTO_TFTP_CONN_INVALID;
conntrack_unlock(s->ce);
return PROTO_INVALID;
}
uint16_t block_id = ntohs(*((uint16_t*)(pload)));
int set_start_seq = 0;
if (!priv->stream) {
priv->stream = stream_alloc(PROTO_TFTP_STREAM_BUFF, s->ce, 0, proto_tftp_process_payload);
if (!priv->stream) {
conntrack_unlock(s->ce);
return PROTO_ERR;
}
stream_set_timeout(priv->stream, PROTO_TFTP_PKT_TIMER);
set_start_seq = 1;
}
conntrack_unlock(s->ce);
if (set_start_seq)
stream_set_start_seq(priv->stream, s->direction, PROTO_TFTP_BLK_SIZE + 2);
int res = stream_process_packet(priv->stream, p, stack, stack_index + 1, block_id * (PROTO_TFTP_BLK_SIZE + 2), 0);
return (res == PROTO_OK ? PROTO_STOP : res);
}
case tftp_ack:
// Nothing to do
break;
case tftp_error:
// An error occured, cleanup this conntrack soon
conntrack_delayed_cleanup(s->ce, 1, p->ts);
break;
default:
priv->flags |= PROTO_TFTP_CONN_INVALID;
conntrack_unlock(s->ce);
return PROTO_INVALID;
}
conntrack_delayed_cleanup(s->ce, PROTO_TFTP_PKT_TIMER, p->ts);
conntrack_unlock(s->ce);
return PROTO_OK;
}
