diff options
| author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2024-09-07 12:00:31 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-09-07 12:00:31 +0200 |
| commit | 92507c014626bc542f2ab11c729742802c0bc345 (patch) | |
| tree | 0fb365764786c17f130091a056788799df1981c2 /src | |
| parent | 3b5dee1cc0038fdb09f5ff1b18f05dd561dbcb1c (diff) | |
oracle: fix dissector (#2548)
We can do definitely better, but this change is a big improvements
respect the current broken code
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/protocols/oracle.c | 39 |
1 files changed, 17 insertions, 22 deletions
diff --git a/src/lib/protocols/oracle.c b/src/lib/protocols/oracle.c index 95f5d9161..56e9a0fb4 100644 --- a/src/lib/protocols/oracle.c +++ b/src/lib/protocols/oracle.c @@ -39,29 +39,24 @@ static void ndpi_search_oracle(struct ndpi_detection_module_struct *ndpi_struct, NDPI_LOG_DBG(ndpi_struct, "search ORACLE\n"); - if(packet->tcp != NULL) { - sport = ntohs(packet->tcp->source), dport = ntohs(packet->tcp->dest); - NDPI_LOG_DBG2(ndpi_struct, "calculating ORACLE over tcp\n"); - /* Oracle Database 9g,10g,11g */ - if ((dport == 1521 || sport == 1521) - && (((packet->payload_packet_len >= 3 && packet->payload[0] == 0x07) && (packet->payload[1] == 0xff) && (packet->payload[2] == 0x00)) - || ((packet->payload_packet_len >= 232) && ((packet->payload[0] == 0x00) || (packet->payload[0] == 0x01)) - && (packet->payload[1] != 0x00) - && (packet->payload[2] == 0x00) - && (packet->payload[3] == 0x00)))) { - NDPI_LOG_INFO(ndpi_struct, "found oracle\n"); - ndpi_int_oracle_add_connection(ndpi_struct, flow); - return; - } else if (packet->payload_packet_len == 213 && packet->payload[0] == 0x00 && - packet->payload[1] == 0xd5 && packet->payload[2] == 0x00 && - packet->payload[3] == 0x00 ) { - NDPI_LOG_INFO(ndpi_struct, "found oracle\n"); - ndpi_int_oracle_add_connection(ndpi_struct, flow); - return; - } + /* For the time being, check only on default port since the logic is quite weak */ + sport = ntohs(packet->tcp->source); + dport = ntohs(packet->tcp->dest); + + /* Check for Connect Request */ + if((dport == 1521 || sport == 1521) && + packet->payload_packet_len >= 8 && + ntohs(get_u_int16_t(packet->payload, 0)) == packet->payload_packet_len && + packet->payload[2] == 0x00 && packet->payload[3] == 0x00 && /* Packet Checksum */ + packet->payload[4] == 0x01 && /* Connect */ + packet->payload[5] == 0x00 && /* Reserved */ + packet->payload[6] == 0x00 && packet->payload[7] == 0x00 /* Header Checksum */) { + NDPI_LOG_INFO(ndpi_struct, "found oracle\n"); + ndpi_int_oracle_add_connection(ndpi_struct, flow); + return; } - if(flow->packet_counter > 5) - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } |