Diffstat (limited to 'src/lib/protocols')
-rw-r--r--src/lib/protocols/http.c53
-rw-r--r--src/lib/protocols/telnet.c107
-rw-r--r--src/lib/protocols/zabbix.c63
3 files changed, 174 insertions, 49 deletions
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index b73a1aeee..2525cfbd7 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -39,7 +39,7 @@ static int ndpi_search_http_tcp_again(struct ndpi_detection_module_struct *ndpi_
#ifdef HTTP_DEBUG
printf("=> %s()\n", __FUNCTION__);
#endif
-
+
if((flow->host_server_name[0] != '\0') && (flow->http.response_status_code != 0)) {
/* stop extra processing */
flow->extra_packets_func = NULL; /* We're good now */
@@ -61,7 +61,7 @@ static void ndpi_int_http_add_connection(struct ndpi_detection_module_struct *nd
if(flow->extra_packets_func && (flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN))
return; /* Nothing new to add */
-
+
/* This is HTTP and it is not a sub protocol (e.g. skype or dropbox) */
ndpi_search_tcp_or_udp(ndpi_struct, flow);
@@ -71,9 +71,9 @@ static void ndpi_int_http_add_connection(struct ndpi_detection_module_struct *nd
ndpi_set_detected_protocol(ndpi_struct, flow, flow->guessed_host_protocol_id, NDPI_PROTOCOL_HTTP);
} else
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_UNKNOWN);
-
+
/* This is necessary to inform the core to call this dissector again */
- flow->check_extra_packets = 1;
+ flow->check_extra_packets = 1;
flow->max_extra_packets_to_check = 5;
flow->extra_packets_func = ndpi_search_http_tcp_again;
flow->http_detected = 1, flow->guessed_category = category;
@@ -134,9 +134,9 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
struct ndpi_packet_struct *packet = &flow->packet;
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_UNKNOWN);
-
- if(flow->http_detected && (flow->http.response_status_code != 0))
- return;
+
+ if(flow->http_detected && (flow->http.response_status_code != 0))
+ return;
#if defined(NDPI_PROTOCOL_1KXUN) || defined(NDPI_PROTOCOL_IQIYI)
/* PPStream */
@@ -200,17 +200,6 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
}
}
- if((flow->http.content_type == NULL) && (packet->content_line.len > 0)) {
- int len = packet->content_line.len + 1;
-
- flow->http.content_type = ndpi_malloc(len);
- if(flow->http.content_type) {
- strncpy(flow->http.content_type, (char*)packet->content_line.ptr,
- packet->content_line.len);
- flow->http.content_type[packet->content_line.len] = '\0';
- }
- }
-
if(packet->user_agent_line.ptr != NULL && packet->user_agent_line.len != 0) {
/**
Format examples:
@@ -276,6 +265,17 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
}
}
+ if(flow->http.user_agent == NULL) {
+ int len = packet->user_agent_line.len + 1;
+
+ flow->http.user_agent = ndpi_malloc(len);
+ if(flow->http.user_agent) {
+ strncpy(flow->http.user_agent, (char*)packet->user_agent_line.ptr,
+ packet->user_agent_line.len);
+ flow->http.user_agent[packet->user_agent_line.len] = '\0';
+ }
+ }
+
NDPI_LOG_DBG2(ndpi_struct, "User Agent Type line found %.*s\n",
packet->user_agent_line.len, packet->user_agent_line.ptr);
}
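Review bot: The new user_agent block is a byte-for-byte copy of the malloc/strncpy/terminate sequence that this same commit moves for content_type, and strncpy with the exact length followed by a manual terminator is just a bounded copy; a small static helper would give both sites one place to bound the copy and to state who owns the result. The copy length comes straight from a header line on the wire, so it is whatever user_agent_line.len holds (presumably a 16-bit length, which is a fine bound — confirm against the packet struct). Nothing in this diff frees flow->http.user_agent; presumably the flow destructor does, so the helper's comment should say that the flow owns the buffer. check_content_type_and_change_protocol begins and ends outside this hunk.
```c
/* Heap-copy one header line (not NUL-terminated on the wire) into a
   NUL-terminated string owned by the flow. Returns NULL on allocation
   failure; the caller must not overwrite an existing copy. */
static char *ndpi_http_dup_line(const u_int8_t *ptr, size_t len) {
  char *s = ndpi_malloc(len + 1);

  if(s != NULL) {
    memcpy(s, ptr, len);
    s[len] = '\0';
  }

  return(s);
}

/* … unchanged: user-agent parsing above … */
    if(flow->http.user_agent == NULL)
      flow->http.user_agent = ndpi_http_dup_line(packet->user_agent_line.ptr,
                                                 packet->user_agent_line.len);
```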
@@ -383,6 +383,17 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
NDPI_LOG_DBG2(ndpi_struct, "Content Type line found %.*s\n",
packet->content_line.len, packet->content_line.ptr);
+ if((flow->http.content_type == NULL) && (packet->content_line.len > 0)) {
+ int len = packet->content_line.len + 1;
+
+ flow->http.content_type = ndpi_malloc(len);
+ if(flow->http.content_type) {
+ strncpy(flow->http.content_type, (char*)packet->content_line.ptr,
+ packet->content_line.len);
+ flow->http.content_type[packet->content_line.len] = '\0';
+ }
+ }
+
if(flow->http_detected) {
ndpi_protocol_match_result ret_match;
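Review bot: The relocated content_type block carries no statement of who releases the buffer: nothing in this diff frees flow->http.content_type, so a one-line comment above the ndpi_malloc such as `/* Heap copy owned by the flow; released with the flow, never here (confirm in the flow destructor) */` would save the next reader a search. The `packet->content_line.len > 0` guard looks redundant given the log line just above reports the content line as found, but the enclosing `if` sits outside this hunk, so that cannot be confirmed here. The copied bytes are header content from the wire and are stored without sanitisation, which is fine for a DPI flow record but worth saying in the same comment. check_content_type_and_change_protocol begins and ends outside this hunk.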
@@ -491,7 +502,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
flow->http.response_status_code = 0; /* Out of range */
}
- ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP);
+ ndpi_parse_packet_line_info(ndpi_struct, flow);
check_content_type_and_change_protocol(ndpi_struct, flow);
return;
}
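Review bot: The response-status path no longer registers the extra-packet callback: ndpi_int_http_add_connection(), which set check_extra_packets/extra_packets_func, http_detected and guessed_category (lines 39-43 of the earlier hunks), is replaced here by ndpi_parse_packet_line_info(), and the hunk does not say whether losing those side effects is intended. Detection itself still happens, since check_content_type_and_change_protocol() calls ndpi_set_detected_protocol() before anything else, but a flow whose first seen packet is the response now appears to get no ndpi_search_http_tcp_again callback; if that is the design, a comment such as `/* Headers first: http_detected must stay clear here so the early return in check_content_type_and_change_protocol() does not skip the response headers */` would make it explicit. Conversely, when the request was already seen and set http_detected, that early return (the `http_detected && response_status_code != 0` test) fires on the response, so the content_type copy added later in this commit may never run on such flows — worth checking against a bidirectional pcap. ndpi_check_http_tcp begins and ends outside this hunk.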
@@ -615,7 +626,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
x++;
}
#endif
-
+
#if defined(NDPI_PROTOCOL_1KXUN) || defined(NDPI_PROTOCOL_IQIYI)
/* check PPStream protocol or iQiyi service
(iqiyi is delivered by ppstream) */
@@ -688,7 +699,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
flow->http_detected = 1;
NDPI_LOG_DBG2(ndpi_struct,
"HTTP START Found, we will look further for the response...\n");
- flow->l4.tcp.http_stage = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2
+ flow->l4.tcp.http_stage = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2
check_content_type_and_change_protocol(ndpi_struct, flow);
return;
}
diff --git a/src/lib/protocols/telnet.c b/src/lib/protocols/telnet.c
index e293fc960..59b1e4978 100644
--- a/src/lib/protocols/telnet.c
+++ b/src/lib/protocols/telnet.c
@@ -19,7 +19,7 @@
*
* You should have received a copy of the GNU Lesser General Public License
* along with nDPI. If not, see <http://www.gnu.org/licenses/>.
- *
+ *
*/
@@ -29,14 +29,66 @@
#include "ndpi_api.h"
+/* ************************************************************************ */
+
+static int search_telnet_again(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow) {
+ struct ndpi_packet_struct *packet = &flow->packet;
+
+ // printf("==> %s()\n", __FUNCTION__);
+
+ if(packet->payload[0] == 0xFF)
+ return(1);
+
+ if(packet->payload_packet_len > 0) {
+ int i;
+
+ if((!flow->protos.telnet.username_found)
+ && (packet->payload_packet_len > 6)) {
+
+ if(strncasecmp((char*)packet->payload, "login:", 6) == 0) {
+ flow->protos.telnet.username_found = 1;
+ }
+
+ return(1);
+ }
+
+ if(packet->payload[0] == '\r') {
+ flow->protos.telnet.username_detected = 1;
+ flow->protos.telnet.username[flow->protos.telnet.character_id] = '\0';
+ return(0);
+ }
+
+ for(i=0; i<packet->payload_packet_len; i++) {
+ if(!flow->protos.telnet.skip_next) {
+ if(flow->protos.telnet.character_id < (sizeof(flow->protos.telnet.username)-1))
+ flow->protos.telnet.username[flow->protos.telnet.character_id++] = packet->payload[i];
+ flow->protos.telnet.skip_next = 1;
+ } else
+ flow->protos.telnet.skip_next = 0;
+ }
+ }
+
+ /* Possibly more processing */
+ return(1);
+}
+
+/* ************************************************************************ */
static void ndpi_int_telnet_add_connection(struct ndpi_detection_module_struct
- *ndpi_struct, struct ndpi_flow_struct *flow)
-{
+ *ndpi_struct, struct ndpi_flow_struct *flow) {
+ flow->guessed_host_protocol_id = flow->guessed_protocol_id = NDPI_PROTOCOL_TELNET;
+
+ /* This is necessary to inform the core to call this dissector again */
+ flow->check_extra_packets = 1;
+ flow->max_extra_packets_to_check = 32;
+ flow->extra_packets_func = search_telnet_again;
+
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TELNET, NDPI_PROTOCOL_UNKNOWN);
}
-
+/* ************************************************************************ */
+
#if !defined(WIN32)
static inline
#elif defined(MINGW_GCC)
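Review bot: search_telnet_again() reads packet->payload[0] before it checks payload_packet_len, so a segment handed to extra_packets_func with an empty payload would read one byte past the buffer — unless the core guarantees a payload before invoking the callback, which this diff does not show; the length test belongs first. The `\r` terminator and the per-byte collection further down are also not gated on username_found: in the not-yet-found case the early return only covers packets longer than 6 bytes, so short packets seen before any "login:" prompt are copied into username, and a stray `\r` then sets username_detected with whatever was gathered. Restructuring so that nothing is collected until the prompt has been seen fixes both. The bytes stored in flow->protos.telnet.username are raw wire data, and the echo-skip assumes one character per segment in each direction, so consumers should treat the field as untrusted and possibly non-printable. ndpi_int_telnet_add_connection() is fully inside the hunk; search_iac() continues past it.
```c
static int search_telnet_again(struct ndpi_detection_module_struct *ndpi_struct,
			       struct ndpi_flow_struct *flow) {
  struct ndpi_packet_struct *packet = &flow->packet;
  int i;

  /* Bound first: payload[0] is only valid when there is a payload */
  if(packet->payload_packet_len == 0)
    return(1);

  /* IAC option negotiation: nothing to collect, keep looking */
  if(packet->payload[0] == 0xFF)
    return(1);

  /* Collect nothing until the "login:" prompt has been seen */
  if(!flow->protos.telnet.username_found) {
    if((packet->payload_packet_len > 6)
       && (strncasecmp((char*)packet->payload, "login:", 6) == 0))
      flow->protos.telnet.username_found = 1;

    return(1);
  }

  /* … unchanged: '\r' terminator and per-byte username collection … */
}
```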
@@ -44,62 +96,62 @@ __mingw_forceinline static
#else
__forceinline static
#endif
-u_int8_t search_iac(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
-{
+u_int8_t search_iac(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &flow->packet;
u_int16_t a;
- if (packet->payload_packet_len < 3) {
- return 0;
- }
+ if(packet->payload_packet_len < 3)
+ return(0);
- if (!(packet->payload[0] == 0xff
- && packet->payload[1] > 0xf9 && packet->payload[1] != 0xff && packet->payload[2] < 0x28)) {
- return 0;
- }
+ if(!((packet->payload[0] == 0xff)
+ && (packet->payload[1] > 0xf9)
+ && (packet->payload[1] != 0xff)
+ && (packet->payload[2] < 0x28)))
+ return(0);
a = 3;
while (a < packet->payload_packet_len - 2) {
// commands start with a 0xff byte followed by a command byte >= 0xf0 and < 0xff
// command bytes 0xfb to 0xfe are followed by an option byte <= 0x28
- if (!(packet->payload[a] != 0xff ||
+ if(!(packet->payload[a] != 0xff ||
(packet->payload[a] == 0xff && (packet->payload[a + 1] >= 0xf0) && (packet->payload[a + 1] <= 0xfa)) ||
(packet->payload[a] == 0xff && (packet->payload[a + 1] >= 0xfb) && (packet->payload[a + 1] != 0xff)
- && (packet->payload[a + 2] <= 0x28)))) {
- return 0;
- }
+ && (packet->payload[a + 2] <= 0x28))))
+ return(0);
+
a++;
}
return 1;
}
-/* this detection also works asymmetrically */
-void ndpi_search_telnet_tcp(struct ndpi_detection_module_struct
- *ndpi_struct, struct ndpi_flow_struct *flow)
-{
+/* ************************************************************************ */
+/* this detection also works asymmetrically */
+void ndpi_search_telnet_tcp(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow) {
NDPI_LOG_DBG(ndpi_struct, "search telnet\n");
- if (search_iac(ndpi_struct, flow) == 1) {
-
- if (flow->l4.tcp.telnet_stage == 2) {
+ if(search_iac(ndpi_struct, flow) == 1) {
+ if(flow->l4.tcp.telnet_stage == 2) {
NDPI_LOG_INFO(ndpi_struct, "found telnet\n");
ndpi_int_telnet_add_connection(ndpi_struct, flow);
return;
}
+
flow->l4.tcp.telnet_stage++;
NDPI_LOG_DBG2(ndpi_struct, "telnet stage %u\n", flow->l4.tcp.telnet_stage);
return;
}
- if ((flow->packet_counter < 12 && flow->l4.tcp.telnet_stage > 0) || flow->packet_counter < 6) {
+ if(((flow->packet_counter < 12) && (flow->l4.tcp.telnet_stage > 0)) || (flow->packet_counter < 6))
return;
- } else {
+ else
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
- }
+
return;
}
@@ -112,6 +164,5 @@ void init_telnet_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_i
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
SAVE_DETECTION_BITMASK_AS_UNKNOWN,
ADD_TO_DETECTION_BITMASK);
-
*id += 1;
}
diff --git a/src/lib/protocols/zabbix.c b/src/lib/protocols/zabbix.c
new file mode 100644
index 000000000..9e67a3159
--- /dev/null
+++ b/src/lib/protocols/zabbix.c
@@ -0,0 +1,63 @@
+/*
+ * zabbix.c
+ *
+ * Copyright (C) 2019 - ntop.org
+ *
+ * nDPI is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * nDPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "ndpi_protocol_ids.h"
+
+#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_ZABBIX
+
+#include "ndpi_api.h"
+
+/* *************************************************** */
+
+static void ndpi_int_zabbix_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow/* , */
+ /* ndpi_protocol_type_t protocol_type */) {
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZABBIX, NDPI_PROTOCOL_UNKNOWN);
+}
+
+/* *************************************************** */
+
+void ndpi_search_zabbix(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow) {
+ struct ndpi_packet_struct *packet = &flow->packet;
+ u_int8_t tomatch[] = { 'Z', 'B', 'X', 'D', 0x1 };
+
+ NDPI_LOG_DBG(ndpi_struct, "search Zabbix\n");
+
+ if((packet->payload_packet_len > 4)
+ && (memcmp(packet->payload, tomatch, 5) == 0))
+ ndpi_int_zabbix_add_connection(ndpi_struct, flow);
+ else
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+}
+
+/* *************************************************** */
+
+void init_zabbix_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id,
+ NDPI_PROTOCOL_BITMASK *detection_bitmask) {
+ ndpi_set_bitmask_protocol_detection("Zabbix", ndpi_struct, detection_bitmask, *id,
+ NDPI_PROTOCOL_ZABBIX,
+ ndpi_search_zabbix,
+ NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
+ SAVE_DETECTION_BITMASK_AS_UNKNOWN,
+ ADD_TO_DETECTION_BITMASK);
+
+ *id += 1;
+}