From be5a29ba9d4da849992b7a4b42047e591bde20aa Mon Sep 17 00:00:00 2001
From: Luca Deri
Date: Tue, 8 Feb 2022 18:04:57 +0100
Subject: Added HSRP protocol detection
Removed attic directory now obsolete
---
 src/include/ndpi_protocol_ids.h | 1 +
 src/include/ndpi_protocols.h | 1 +
 src/lib/ndpi_main.c | 7 +
 src/lib/protocols/attic/flash.c | 93 -------
 src/lib/protocols/attic/ftp.c | 476 -----------------------------------
 src/lib/protocols/attic/manolito.c | 180 -------------
 src/lib/protocols/attic/popo.c | 86 -------
 src/lib/protocols/attic/secondlife.c | 123 ---------
 src/lib/protocols/ayiya.c | 4 +-
 src/lib/protocols/hsrp.c | 78 ++++++
 tests/pcap/hsrp0.pcap | Bin 0 -> 352 bytes
 tests/pcap/hsrp2.pcap | Bin 0 -> 244 bytes
 tests/result/hsrp0.pcap.out | 11 +
 tests/result/hsrp2.pcap.out | 9 +
 tests/result/synscan.pcap.out | 4 +-
 15 files changed, 112 insertions(+), 961 deletions(-)
 delete mode 100644 src/lib/protocols/attic/flash.c
 delete mode 100644 src/lib/protocols/attic/ftp.c
 delete mode 100644 src/lib/protocols/attic/manolito.c
 delete mode 100644 src/lib/protocols/attic/popo.c
 delete mode 100644 src/lib/protocols/attic/secondlife.c
 create mode 100644 src/lib/protocols/hsrp.c
 create mode 100644 tests/pcap/hsrp0.pcap
 create mode 100644 tests/pcap/hsrp2.pcap
 create mode 100644 tests/result/hsrp0.pcap.out
 create mode 100644 tests/result/hsrp2.pcap.out
diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h
index e6e4e93ac..4f0bcebb4 100644
--- a/src/include/ndpi_protocol_ids.h
+++ b/src/include/ndpi_protocol_ids.h
@@ -310,6 +310,7 @@ typedef enum {
 NDPI_PROTOCOL_BADOO = 279,
 NDPI_PROTOCOL_ACCUWEATHER = 280,
 NDPI_PROTOCOL_GOOGLE_CLASSROOM = 281,
+ NDPI_PROTOCOL_HSRP = 282,
 
 #ifdef CUSTOM_NDPI_PROTOCOLS
 #include "../../../nDPI-custom/custom_ndpi_protocol_ids.h"
diff --git a/src/include/ndpi_protocols.h b/src/include/ndpi_protocols.h
index 5e27076e3..87c700559 100644
--- a/src/include/ndpi_protocols.h
+++ b/src/include/ndpi_protocols.h
@@ -85,6 +85,7 @@ void init_ftp_control_dissector(struct ndpi_detection_module_struct *ndpi_struct
 void init_ftp_data_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
 void init_gnutella_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
 void init_gtp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
+void init_hsrp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
 void init_guildwars_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
 void init_h323_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
 void init_halflife2_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 35a4091fc..ad61d56f0 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -1460,6 +1460,10 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
 "GTP_PRIME", NDPI_PROTOCOL_CATEGORY_NETWORK,
 ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
 ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
+ ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_HSRP,
+ "HSRP", NDPI_PROTOCOL_CATEGORY_NETWORK,
+ ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
+ ndpi_build_default_ports(ports_b, 1985, 0, 0, 0, 0) /* UDP */);
 ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_WSD,
 "WSD", NDPI_PROTOCOL_CATEGORY_NETWORK,
 ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
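Review bot: The new `init_hsrp_dissector` prototype is inserted between `init_gtp_dissector` and `init_guildwars_dissector`, which breaks the alphabetical order the surrounding declarations follow (gtp, guildwars, h323, halflife2). Moving the line `void init_hsrp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);` after the `init_halflife2_dissector` declaration keeps the list sorted and easier to scan for duplicates. This is a style point only; the declaration itself matches the signature of its neighbours.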
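Review bot: Registering UDP/1985 as a default port for NDPI_PROTOCOL_HSRP in the added `ndpi_set_proto_defaults` call means a flow on that port that the dissector does not positively match can still be reported as HSRP by nDPI's port-based guess, so the label is only as trustworthy as the header validation in the new hsrp.c, which is not part of this hunk and cannot be checked here. A short why-comment on the added block would make that dependency visible to the next maintainer, e.g. `/* HSRP (RFC 2281) uses UDP/1985; the port is only a hint, hsrp.c must confirm the header */`. The enclosing `ndpi_init_protocol_defaults` starts and ends outside the hunk.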
@@ -3951,6 +3955,9 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n /* GTP */ init_gtp_dissector(ndpi_str, &a, detection_bitmask); + /* HSRP */ + init_hsrp_dissector(ndpi_str, &a, detection_bitmask); + /* DCERPC */ init_dcerpc_dissector(ndpi_str, &a, detection_bitmask); diff --git a/src/lib/protocols/attic/flash.c b/src/lib/protocols/attic/flash.c deleted file mode 100644 index 8ffdf2f06..000000000 --- a/src/lib/protocols/attic/flash.c +++ /dev/null 
@@ -1,93 +0,0 @@ -/* - * flash.c - * - * Copyright (C) 2009-11 - ipoque GmbH - * Copyright (C) 2011-21 - ntop.org - * - * This file is part of nDPI, an open source deep packet inspection - * library based on the OpenDPI and PACE technology by ipoque GmbH - * - * nDPI is free software: you can redistribute it and/or modify - * it under the terms of the GNU Lesser General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * nDPI is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public License - * along with nDPI. If not, see . - * - */ - - -#include "ndpi_protocols.h" -#ifdef NDPI_PROTOCOL_FLASH - -static void ndpi_int_flash_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) -{ - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_FLASH, NDPI_CONFIDENCE_DPI); -} - -void ndpi_search_flash(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) -{ - struct ndpi_packet_struct *packet = &flow->packet; - -// struct ndpi_id_struct *src=ndpi_struct->src; -// struct ndpi_id_struct *dst=ndpi_struct->dst; - - if (flow->l4.tcp.flash_stage == 0 && packet->payload_packet_len > 0 - && (packet->payload[0] == 0x03 || packet->payload[0] == 0x06)) { - flow->l4.tcp.flash_bytes = packet->payload_packet_len; - if (packet->tcp->psh == 0) { - NDPI_LOG(NDPI_PROTOCOL_FLASH, ndpi_struct, NDPI_LOG_DEBUG, "FLASH pass 1: \n"); - flow->l4.tcp.flash_stage = packet->packet_direction + 1; - - NDPI_LOG(NDPI_PROTOCOL_FLASH, ndpi_struct, NDPI_LOG_DEBUG, - "FLASH pass 1: flash_stage: %u, flash_bytes: %u\n", flow->l4.tcp.flash_stage, - flow->l4.tcp.flash_bytes); - return; - } else if 
(packet->tcp->psh != 0 && flow->l4.tcp.flash_bytes == 1537) { - NDPI_LOG(NDPI_PROTOCOL_FLASH, ndpi_struct, NDPI_LOG_DEBUG, - "FLASH hit: flash_stage: %u, flash_bytes: %u\n", flow->l4.tcp.flash_stage, - flow->l4.tcp.flash_bytes); - flow->l4.tcp.flash_stage = 3; - ndpi_int_flash_add_connection(ndpi_struct, flow); - return; - } - } else if (flow->l4.tcp.flash_stage == 1 + packet->packet_direction) { - flow->l4.tcp.flash_bytes += packet->payload_packet_len; - if (packet->tcp->psh != 0 && flow->l4.tcp.flash_bytes == 1537) { - NDPI_LOG(NDPI_PROTOCOL_FLASH, ndpi_struct, NDPI_LOG_DEBUG, - "FLASH hit: flash_stage: %u, flash_bytes: %u\n", flow->l4.tcp.flash_stage, - flow->l4.tcp.flash_bytes); - flow->l4.tcp.flash_stage = 3; - ndpi_int_flash_add_connection(ndpi_struct, flow); - return; - } else if (packet->tcp->psh == 0 && flow->l4.tcp.flash_bytes < 1537) { - NDPI_LOG(NDPI_PROTOCOL_FLASH, ndpi_struct, NDPI_LOG_DEBUG, - "FLASH pass 2: flash_stage: %u, flash_bytes: %u\n", flow->l4.tcp.flash_stage, - flow->l4.tcp.flash_bytes); - return; - } - } - - NDPI_LOG(NDPI_PROTOCOL_FLASH, ndpi_struct, NDPI_LOG_DEBUG, - "FLASH might be excluded: flash_stage: %u, flash_bytes: %u, packet_direction: %u\n", - flow->l4.tcp.flash_stage, flow->l4.tcp.flash_bytes, packet->packet_direction); - -#ifdef NDPI_PROTOCOL_HTTP - if (NDPI_COMPARE_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_HTTP) != 0) { -#endif /* NDPI_PROTOCOL_HTTP */ - NDPI_LOG(NDPI_PROTOCOL_FLASH, ndpi_struct, NDPI_LOG_DEBUG, "FLASH: exclude\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_FLASH); -#ifdef NDPI_PROTOCOL_HTTP - } else { - NDPI_LOG(NDPI_PROTOCOL_FLASH, ndpi_struct, NDPI_LOG_DEBUG, "FLASH avoid early exclude from http\n"); - } -#endif /* NDPI_PROTOCOL_HTTP */ - -} -#endif diff --git a/src/lib/protocols/attic/ftp.c b/src/lib/protocols/attic/ftp.c deleted file mode 100644 index 99330aa54..000000000 --- a/src/lib/protocols/attic/ftp.c +++ /dev/null 
@@ -1,476 +0,0 @@ -/* - * ftp.c - * - * Copyright (C) 2009-11 - ipoque GmbH - * Copyright (C) 2011-21 - ntop.org - * - * This file is part of nDPI, an open source deep packet inspection - * library based on the OpenDPI and PACE technology by ipoque GmbH - * - * nDPI is free software: you can redistribute it and/or modify - * it under the terms of the GNU Lesser General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * nDPI is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public License - * along with nDPI. If not, see . - * - */ - - -#include "ndpi_protocols.h" -#include "ndpi_utils.h" - -#ifdef NDPI_PROTOCOL_FTP - - -static void ndpi_int_ftp_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) -{ - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_FTP, NDPI_CONFIDENCE_DPI); -} - -/** - * checks for possible FTP command - * not all valid commands are tested, it just need to be 3 or 4 characters followed by a space if the - * packet is longer - * - * this functions is not used to accept, just to not reject - */ -#if !defined(WIN32) -static inline -#elif defined(MINGW_GCC) -__mingw_forceinline static -#else -__forceinline static -#endif -u_int8_t ndpi_int_check_possible_ftp_command(const struct ndpi_packet_struct *packet) -{ - if (packet->payload_packet_len < 3) - return 0; - - if ((packet->payload[0] < 'a' || packet->payload[0] > 'z') && - (packet->payload[0] < 'A' || packet->payload[0] > 'Z')) - return 0; - if ((packet->payload[1] < 'a' || packet->payload[1] > 'z') && - (packet->payload[1] < 'A' || packet->payload[1] > 'Z')) - return 0; - if ((packet->payload[2] < 
'a' || packet->payload[2] > 'z') && - (packet->payload[2] < 'A' || packet->payload[2] > 'Z')) - return 0; - - if (packet->payload_packet_len > 3) { - if ((packet->payload[3] < 'a' || packet->payload[3] > 'z') && - (packet->payload[3] < 'A' || packet->payload[3] > 'Z') && packet->payload[3] != ' ') - return 0; - - if (packet->payload_packet_len > 4) { - if (packet->payload[3] != ' ' && packet->payload[4] != ' ') - return 0; - } - } - - return 1; -} - -/** - * ftp replies are are 3-digit number followed by space or hyphen - */ - -#if !defined(WIN32) -static inline -#elif defined(MINGW_GCC) -__mingw_forceinline static -#else -__forceinline static -#endif -u_int8_t ndpi_int_check_possible_ftp_reply(const struct ndpi_packet_struct *packet) -{ - if (packet->payload_packet_len < 5) - return 0; - - if (packet->payload[3] != ' ' && packet->payload[3] != '-') - return 0; - - if (packet->payload[0] < '0' || packet->payload[0] > '9') - return 0; - if (packet->payload[1] < '0' || packet->payload[1] > '9') - return 0; - if (packet->payload[2] < '0' || packet->payload[2] > '9') - return 0; - - return 1; -} - -/** - * check for continuation replies - * there is no real indication whether it is a continuation message, we just - * require that there are at least 5 ascii characters - */ -#if !defined(WIN32) -static inline -#elif defined(MINGW_GCC) -__mingw_forceinline static -#else -__forceinline static -#endif -u_int8_t ndpi_int_check_possible_ftp_continuation_reply(const struct ndpi_packet_struct *packet) -{ - u_int16_t i; - - if (packet->payload_packet_len < 5) - return 0; - - for (i = 0; i < 5; i++) { - if (packet->payload[i] < ' ' || packet->payload[i] > 127) - return 0; - } - - return 1; -} - -/* - * these are the commands we tracking and expecting to see - */ -enum { - FTP_USER_CMD = 1 << 0, - FTP_FEAT_CMD = 1 << 1, - FTP_COMMANDS = ((1 << 2) - 1), - FTP_220_CODE = 1 << 2, - FTP_331_CODE = 1 << 3, - FTP_211_CODE = 1 << 4, - FTP_CODES = ((1 << 5) - 1 - FTP_COMMANDS) -}; - -/* - 
return 0 if nothing has been detected - return 1 if a pop packet -*/ - -static u_int8_t search_ftp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) -{ - - struct ndpi_packet_struct *packet = &flow->packet; - - u_int8_t current_ftp_code = 0; - - // struct ndpi_id_struct *src=ndpi_struct->src; - // struct ndpi_id_struct *dst=ndpi_struct->dst; - - - /* initiate client direction flag */ - if (flow->packet_counter == 1) { - if (flow->l4.tcp.seen_syn) { - flow->l4.tcp.ftp_client_direction = flow->setup_packet_direction; - } else { - /* no syn flag seen so guess */ - if (packet->payload_packet_len > 0) { - if (packet->payload[0] >= '0' && packet->payload[0] <= '9') { - /* maybe server side */ - flow->l4.tcp.ftp_client_direction = 1 - packet->packet_direction; - } else { - flow->l4.tcp.ftp_client_direction = packet->packet_direction; - } - } - } - } - - if (packet->packet_direction == flow->l4.tcp.ftp_client_direction) { - if (packet->payload_packet_len > NDPI_STATICSTRING_LEN("USER ") && - (memcmp(packet->payload, "USER ", NDPI_STATICSTRING_LEN("USER ")) == 0 || - memcmp(packet->payload, "user ", NDPI_STATICSTRING_LEN("user ")) == 0)) { - - NDPI_LOG(NDPI_PROTOCOL_FTP, ndpi_struct, NDPI_LOG_DEBUG, "FTP: found USER command\n"); - flow->l4.tcp.ftp_codes_seen |= FTP_USER_CMD; - current_ftp_code = FTP_USER_CMD; - } else if (packet->payload_packet_len >= NDPI_STATICSTRING_LEN("FEAT") && - (memcmp(packet->payload, "FEAT", NDPI_STATICSTRING_LEN("FEAT")) == 0 || - memcmp(packet->payload, "feat", NDPI_STATICSTRING_LEN("feat")) == 0)) { - - NDPI_LOG(NDPI_PROTOCOL_FTP, ndpi_struct, NDPI_LOG_DEBUG, "FTP: found FEAT command\n"); - flow->l4.tcp.ftp_codes_seen |= FTP_FEAT_CMD; - current_ftp_code = FTP_FEAT_CMD; - } else if (!ndpi_int_check_possible_ftp_command(packet)) { - return 0; - } - } else { - if (packet->payload_packet_len > NDPI_STATICSTRING_LEN("220 ") && - (memcmp(packet->payload, "220 ", NDPI_STATICSTRING_LEN("220 ")) == 0 || - 
memcmp(packet->payload, "220-", NDPI_STATICSTRING_LEN("220-")) == 0)) { - - NDPI_LOG(NDPI_PROTOCOL_FTP, ndpi_struct, NDPI_LOG_DEBUG, "FTP: found 220 reply code\n"); - flow->l4.tcp.ftp_codes_seen |= FTP_220_CODE; - current_ftp_code = FTP_220_CODE; - } else if (packet->payload_packet_len > NDPI_STATICSTRING_LEN("331 ") && - (memcmp(packet->payload, "331 ", NDPI_STATICSTRING_LEN("331 ")) == 0 || - memcmp(packet->payload, "331-", NDPI_STATICSTRING_LEN("331-")) == 0)) { - - NDPI_LOG(NDPI_PROTOCOL_FTP, ndpi_struct, NDPI_LOG_DEBUG, "FTP: found 331 reply code\n"); - flow->l4.tcp.ftp_codes_seen |= FTP_331_CODE; - current_ftp_code = FTP_331_CODE; - } else if (packet->payload_packet_len > NDPI_STATICSTRING_LEN("211 ") && - (memcmp(packet->payload, "211 ", NDPI_STATICSTRING_LEN("211 ")) == 0 || - memcmp(packet->payload, "211-", NDPI_STATICSTRING_LEN("211-")) == 0)) { - - NDPI_LOG(NDPI_PROTOCOL_FTP, ndpi_struct, NDPI_LOG_DEBUG, "FTP: found 211reply code\n"); - flow->l4.tcp.ftp_codes_seen |= FTP_211_CODE; - current_ftp_code = FTP_211_CODE; - } else if (!ndpi_int_check_possible_ftp_reply(packet)) { - if ((flow->l4.tcp.ftp_codes_seen & FTP_CODES) == 0 || - (!ndpi_int_check_possible_ftp_continuation_reply(packet))) { - return 0; - } - } - } - - if ((flow->l4.tcp.ftp_codes_seen & FTP_COMMANDS) != 0 && (flow->l4.tcp.ftp_codes_seen & FTP_CODES) != 0) { - - NDPI_LOG(NDPI_PROTOCOL_FTP, ndpi_struct, NDPI_LOG_DEBUG, "FTP detected\n"); - ndpi_int_ftp_add_connection(ndpi_struct, flow); - return 1; - } - - /* if no valid code has been seen for the first packets reject */ - if (flow->l4.tcp.ftp_codes_seen == 0 && flow->packet_counter > 3) - return 0; - - /* otherwise wait more packets, wait more for traffic on known ftp port */ - if ((packet->packet_direction == flow->setup_packet_direction && packet->tcp && packet->tcp->dest == htons(21)) || - (packet->packet_direction != flow->setup_packet_direction && packet->tcp && packet->tcp->source == htons(21))) { - /* flow to known ftp port */ - - /* 
wait much longer if this was a 220 code, initial messages might be long */ - if (current_ftp_code == FTP_220_CODE) { - if (flow->packet_counter > 40) - return 0; - } else { - if (flow->packet_counter > 20) - return 0; - } - } else { - /* wait much longer if this was a 220 code, initial messages might be long */ - if (current_ftp_code == FTP_220_CODE) { - if (flow->packet_counter > 20) - return 0; - } else { - if (flow->packet_counter > 10) - return 0; - } - } - - return 2; -} - - -static void search_passive_ftp_mode(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) -{ - struct ndpi_packet_struct *packet = &flow->packet; - struct ndpi_id_struct *dst = flow->dst; - struct ndpi_id_struct *src = flow->src; - u_int16_t plen; - u_int8_t i; - u_int32_t ftp_ip; - - - // TODO check if normal passive mode also needs adaption for ipv6 - if (packet->payload_packet_len > 3 && ndpi_mem_cmp(packet->payload, "227 ", 4) == 0) { - NDPI_LOG(NDPI_PROTOCOL_FTP, ndpi_struct, NDPI_LOG_DEBUG, "FTP passive mode initial string\n"); - - plen = 4; //=4 for "227 " - while (1) { - if (plen >= packet->payload_packet_len) { - NDPI_LOG(NDPI_PROTOCOL_FTP, ndpi_struct, NDPI_LOG_DEBUG, - "plen >= packet->payload_packet_len, return\n"); - return; - } - if (packet->payload[plen] == '(') { - NDPI_LOG(NDPI_PROTOCOL_FTP, ndpi_struct, NDPI_LOG_DEBUG, "found (. 
break.\n"); - break; - } - /* if (!isalnum(packet->payload[plen])) { - NDPI_LOG(NDPI_PROTOCOL_FTP, ndpi_struct, NDPI_LOG_DEBUG, "no alpha numeric symbol --> break.\n"); - return; - }*/ - plen++; - } - plen++; - - if (plen >= packet->payload_packet_len) - return; - - - ftp_ip = 0; - for (i = 0; i < 4; i++) { - u_int16_t oldplen = plen; - ftp_ip = - (ftp_ip << 8) + - ndpi_bytestream_to_number(&packet->payload[plen], packet->payload_packet_len - plen, &plen); - if (oldplen == plen || plen >= packet->payload_packet_len) { - NDPI_LOG(NDPI_PROTOCOL_FTP, ndpi_struct, NDPI_LOG_DEBUG, "FTP passive mode %u value parse failed\n", - i); - return; - } - if (packet->payload[plen] != ',') { - - NDPI_LOG(NDPI_PROTOCOL_FTP, ndpi_struct, NDPI_LOG_DEBUG, - "FTP passive mode %u value parse failed, char ',' is missing\n", i); - return; - } - plen++; - NDPI_LOG(NDPI_PROTOCOL_FTP, ndpi_struct, NDPI_LOG_DEBUG, - "FTP passive mode %u value parsed, ip is now: %u\n", i, ftp_ip); - - } - if (dst != NULL) { - dst->ftp_ip.ipv4 = htonl(ftp_ip); - dst->ftp_timer = packet->tick_timestamp; - dst->ftp_timer_set = 1; - NDPI_LOG(NDPI_PROTOCOL_FTP, ndpi_struct, NDPI_LOG_DEBUG, "saved ftp_ip, ftp_timer, ftp_timer_set to dst"); - NDPI_LOG(NDPI_PROTOCOL_FTP, ndpi_struct, NDPI_LOG_DEBUG, "FTP PASSIVE MODE FOUND: use Server %s\n", - ndpi_get_ip_string(ndpi_struct, &dst->ftp_ip)); - } - if (src != NULL) { - src->ftp_ip.ipv4 = packet->iph->daddr; - src->ftp_timer = packet->tick_timestamp; - src->ftp_timer_set = 1; - NDPI_LOG(NDPI_PROTOCOL_FTP, ndpi_struct, NDPI_LOG_DEBUG, "saved ftp_ip, ftp_timer, ftp_timer_set to src"); - NDPI_LOG(NDPI_PROTOCOL_FTP, ndpi_struct, NDPI_LOG_DEBUG, "FTP PASSIVE MODE FOUND: use Server %s\n", - ndpi_get_ip_string(ndpi_struct, &src->ftp_ip)); - } - return; - } - - if (packet->payload_packet_len > 34 && ndpi_mem_cmp(packet->payload, "229 Entering Extended Passive Mode", 34) == 0) { - if (dst != NULL) { - ndpi_packet_src_ip_get(packet, &dst->ftp_ip); - dst->ftp_timer = 
packet->tick_timestamp; - dst->ftp_timer_set = 1; - NDPI_LOG(NDPI_PROTOCOL_FTP, ndpi_struct, NDPI_LOG_DEBUG, "saved ftp_ip, ftp_timer, ftp_timer_set to dst"); - NDPI_LOG(NDPI_PROTOCOL_FTP, ndpi_struct, NDPI_LOG_DEBUG, - "FTP Extended PASSIVE MODE FOUND: use Server %s\n", ndpi_get_ip_string(ndpi_struct, &dst->ftp_ip)); - } - if (src != NULL) { - ndpi_packet_dst_ip_get(packet, &src->ftp_ip); - src->ftp_timer = packet->tick_timestamp; - src->ftp_timer_set = 1; - NDPI_LOG(NDPI_PROTOCOL_FTP, ndpi_struct, NDPI_LOG_DEBUG, "saved ftp_ip, ftp_timer, ftp_timer_set to src"); - NDPI_LOG(NDPI_PROTOCOL_FTP, ndpi_struct, NDPI_LOG_DEBUG, - "FTP Extended PASSIVE MODE FOUND: use Server %s\n", ndpi_get_ip_string(ndpi_struct, &src->ftp_ip)); - } - return; - } -} - - -static void search_active_ftp_mode(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) -{ - struct ndpi_packet_struct *packet = &flow->packet; - struct ndpi_id_struct *src = flow->src; - struct ndpi_id_struct *dst = flow->dst; - - if (packet->payload_packet_len > 5 - && (ndpi_mem_cmp(packet->payload, "PORT ", 5) == 0 || ndpi_mem_cmp(packet->payload, "EPRT ", 5) == 0)) { - - //src->local_ftp_data_port = htons(data_port_number); - if (src != NULL) { - ndpi_packet_dst_ip_get(packet, &src->ftp_ip); - src->ftp_timer = packet->tick_timestamp; - src->ftp_timer_set = 1; - NDPI_LOG(NDPI_PROTOCOL_FTP, ndpi_struct, NDPI_LOG_DEBUG, "FTP ACTIVE MODE FOUND, command is %.*s\n", 4, - packet->payload); - } - if (dst != NULL) { - ndpi_packet_src_ip_get(packet, &dst->ftp_ip); - dst->ftp_timer = packet->tick_timestamp; - dst->ftp_timer_set = 1; - NDPI_LOG(NDPI_PROTOCOL_FTP, ndpi_struct, NDPI_LOG_DEBUG, "FTP ACTIVE MODE FOUND, command is %.*s\n", 4, - packet->payload); - } - } - return; -} - - -void ndpi_search_ftp_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) -{ - - struct ndpi_packet_struct *packet = &flow->packet; - - struct ndpi_id_struct *src = flow->src; - struct 
ndpi_id_struct *dst = flow->dst; - - - - if (src != NULL && ndpi_packet_dst_ip_eql(packet, &src->ftp_ip) - && packet->tcp->syn != 0 && packet->tcp->ack == 0 - && flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN - && NDPI_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, - NDPI_PROTOCOL_FTP) != 0 && src->ftp_timer_set != 0) { - NDPI_LOG(NDPI_PROTOCOL_FTP, ndpi_struct, NDPI_LOG_DEBUG, "possible ftp data, src!= 0.\n"); - - if (((u_int32_t) - (packet->tick_timestamp - src->ftp_timer)) >= ndpi_struct->ftp_connection_timeout) { - src->ftp_timer_set = 0; - } else if (ntohs(packet->tcp->dest) > 1024 - && (ntohs(packet->tcp->source) > 1024 || ntohs(packet->tcp->source) == 20)) { - NDPI_LOG(NDPI_PROTOCOL_FTP, ndpi_struct, NDPI_LOG_DEBUG, "detected FTP data stream.\n"); - ndpi_int_ftp_add_connection(ndpi_struct, flow); - return; - } - } - - if (dst != NULL && ndpi_packet_src_ip_eql(packet, &dst->ftp_ip) - && packet->tcp->syn != 0 && packet->tcp->ack == 0 - && flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN - && NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, - NDPI_PROTOCOL_FTP) != 0 && dst->ftp_timer_set != 0) { - NDPI_LOG(NDPI_PROTOCOL_FTP, ndpi_struct, NDPI_LOG_DEBUG, "possible ftp data; dst!= 0.\n"); - - if (((u_int32_t) - (packet->tick_timestamp - dst->ftp_timer)) >= ndpi_struct->ftp_connection_timeout) { - dst->ftp_timer_set = 0; - - } else if (ntohs(packet->tcp->dest) > 1024 - && (ntohs(packet->tcp->source) > 1024 || ntohs(packet->tcp->source) == 20)) { - NDPI_LOG(NDPI_PROTOCOL_FTP, ndpi_struct, NDPI_LOG_DEBUG, "detected FTP data stream.\n"); - ndpi_int_ftp_add_connection(ndpi_struct, flow); - return; - } - } - // ftp data asymmetrically - - - /* skip packets without payload */ - if (packet->payload_packet_len == 0) { - NDPI_LOG(NDPI_PROTOCOL_FTP, ndpi_struct, NDPI_LOG_DEBUG, - "FTP test skip because of data connection or zero byte packet_payload.\n"); - return; - } - /* skip excluded connections */ - - // we test for FTP 
connection and search for passive mode - if (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_FTP) { - NDPI_LOG(NDPI_PROTOCOL_FTP, ndpi_struct, NDPI_LOG_DEBUG, - "detected ftp command mode. going to test data mode.\n"); - search_passive_ftp_mode(ndpi_struct, flow); - - search_active_ftp_mode(ndpi_struct, flow); - return; - } - - - if (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN && search_ftp(ndpi_struct, flow) != 0) { - NDPI_LOG(NDPI_PROTOCOL_FTP, ndpi_struct, NDPI_LOG_DEBUG, "unknown. need next packet.\n"); - - return; - } - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_FTP); - NDPI_LOG(NDPI_PROTOCOL_FTP, ndpi_struct, NDPI_LOG_DEBUG, "exclude ftp.\n"); - -} - -#endif diff --git a/src/lib/protocols/attic/manolito.c b/src/lib/protocols/attic/manolito.c deleted file mode 100644 index 07965b35d..000000000 --- a/src/lib/protocols/attic/manolito.c +++ /dev/null 
@@ -1,180 +0,0 @@ -/* - * manolito.c - * - * Copyright (C) 2009-11 - ipoque GmbH - * Copyright (C) 2011-21 - ntop.org - * - * This file is part of nDPI, an open source deep packet inspection - * library based on the OpenDPI and PACE technology by ipoque GmbH - * - * nDPI is free software: you can redistribute it and/or modify - * it under the terms of the GNU Lesser General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * nDPI is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public License - * along with nDPI. If not, see . - * - */ - - -#include "ndpi_protocols.h" -#ifdef NDPI_PROTOCOL_MANOLITO - -static void ndpi_int_manolito_add_connection(struct - ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) -{ - - struct ndpi_packet_struct *packet = &flow->packet; - struct ndpi_id_struct *src = flow->src; - struct ndpi_id_struct *dst = flow->dst; - - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MANOLITO, NDPI_CONFIDENCE_DPI); - - - if (src != NULL) { - if (packet->udp != NULL) { - src->manolito_last_pkt_arrival_time = packet->tick_timestamp; - } - } - if (dst != NULL) { - if (packet->udp != NULL) { - dst->manolito_last_pkt_arrival_time = packet->tick_timestamp; - } - } -} - -/* - return 0 if nothing has been detected - return 1 if it is a megaupload packet -*/ -u_int8_t search_manolito_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -u_int8_t search_manolito_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) -{ - struct ndpi_packet_struct *packet = &flow->packet; - - // struct ndpi_id_struct *src = flow->src; - 
// struct ndpi_id_struct *dst = flow->dst; - - NDPI_LOG(NDPI_PROTOCOL_MANOLITO, ndpi_struct, NDPI_LOG_DEBUG, "MANOLITO TCP DETECTION\n"); - - if (flow->l4.tcp.manolito_stage == 0 && packet->payload_packet_len > 6) { - if (memcmp(packet->payload, "SIZ ", 4) != 0) - goto end_manolito_nothing_found; - - flow->l4.tcp.manolito_stage = 1 + packet->packet_direction; - NDPI_LOG(NDPI_PROTOCOL_MANOLITO, ndpi_struct, NDPI_LOG_DEBUG, "MANOLITO Stage 1.\n"); - goto end_manolito_maybe_hit; - - } else if ((flow->l4.tcp.manolito_stage == 2 - packet->packet_direction) - && packet->payload_packet_len > 4) { - if (memcmp(packet->payload, "STR ", 4) != 0) - goto end_manolito_nothing_found; - NDPI_LOG(NDPI_PROTOCOL_MANOLITO, ndpi_struct, NDPI_LOG_DEBUG, "MANOLITO Stage 2.\n"); - flow->l4.tcp.manolito_stage = 3 + packet->packet_direction; - goto end_manolito_maybe_hit; - - } else if ((flow->l4.tcp.manolito_stage == 4 - packet->packet_direction) && packet->payload_packet_len > 5) { - if (memcmp(packet->payload, "MD5 ", 4) != 0) - goto end_manolito_nothing_found; - NDPI_LOG(NDPI_PROTOCOL_MANOLITO, ndpi_struct, NDPI_LOG_DEBUG, "MANOLITO Stage 3.\n"); - flow->l4.tcp.manolito_stage = 5 + packet->packet_direction; - goto end_manolito_maybe_hit; - - } else if ((flow->l4.tcp.manolito_stage == 6 - packet->packet_direction) && packet->payload_packet_len == 4) { - - if (memcmp(packet->payload, "GO!!", 4) != 0) - goto end_manolito_nothing_found; - NDPI_LOG(NDPI_PROTOCOL_MANOLITO, ndpi_struct, NDPI_LOG_DEBUG, "MANOLITO Stage 4.\n"); - goto end_manolito_found; - } - //NDPI_LOG(NDPI_PROTOCOL_MANOLITO,ndpi_struct, NDPI_LOG_DEBUG, "MANOLITO FLOW STAGE %d\n", flow->l4.tcp.manolito_stage); - goto end_manolito_nothing_found; - - end_manolito_found: - NDPI_LOG(NDPI_PROTOCOL_MANOLITO, ndpi_struct, NDPI_LOG_DEBUG, "MANOLITO FOUND\n"); - ndpi_int_manolito_add_connection(ndpi_struct, flow); - return 1; - - end_manolito_maybe_hit: - NDPI_LOG(NDPI_PROTOCOL_MANOLITO, ndpi_struct, NDPI_LOG_DEBUG, "MANOLITO maybe 
hit.\n"); - return 2; - - end_manolito_nothing_found: - NDPI_LOG(NDPI_PROTOCOL_MANOLITO, ndpi_struct, NDPI_LOG_DEBUG, "MANOLITO NOTHING FOUND\n"); - return 0; -} - -void ndpi_search_manolito_tcp_udp(struct - ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) -{ - struct ndpi_packet_struct *packet = &flow->packet; - - struct ndpi_id_struct *src = flow->src; - struct ndpi_id_struct *dst = flow->dst; - - - if (packet->tcp != NULL) { - if (search_manolito_tcp(ndpi_struct, flow) != 0) - return; - } else if (packet->udp != NULL) { - if (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_MANOLITO) { - if (src != NULL) { - src->manolito_last_pkt_arrival_time = packet->tick_timestamp; - } - if (dst != NULL) { - dst->manolito_last_pkt_arrival_time = packet->tick_timestamp; - } - return; - } else if (packet->udp->source == htons(41170) - || packet->udp->dest == htons(41170)) { - if (src != NULL && src->manolito_last_pkt_arrival_time != 0 - && (packet->tick_timestamp - src->manolito_last_pkt_arrival_time < - ndpi_struct->manolito_subscriber_timeout)) { - NDPI_LOG(NDPI_PROTOCOL_MANOLITO, ndpi_struct, NDPI_LOG_DEBUG, "MANOLITO: UDP detected \n"); - ndpi_int_manolito_add_connection(ndpi_struct, flow); - return; - } else if (src != NULL - && (packet->tick_timestamp - src->manolito_last_pkt_arrival_time) >= - ndpi_struct->manolito_subscriber_timeout) { - src->manolito_last_pkt_arrival_time = 0; - } - - if (dst != NULL && dst->manolito_last_pkt_arrival_time != 0 - && (packet->tick_timestamp - dst->manolito_last_pkt_arrival_time < - ndpi_struct->manolito_subscriber_timeout)) { - NDPI_LOG(NDPI_PROTOCOL_MANOLITO, ndpi_struct, NDPI_LOG_DEBUG, "MANOLITO: UDP detected \n"); - ndpi_int_manolito_add_connection(ndpi_struct, flow); - return; - } else if (dst != NULL - && (packet->tick_timestamp - dst->manolito_last_pkt_arrival_time) >= - ndpi_struct->manolito_subscriber_timeout) { - dst->manolito_last_pkt_arrival_time = 0; - } - - if ((packet->payload_packet_len == 20 
&& htons(0x3d4b) == get_u_int16_t(packet->payload, 0) - && packet->payload[2] == 0xd9 && htons(0xedbb) == get_u_int16_t(packet->payload, 16)) - || (packet->payload_packet_len == 25 && htons(0x3e4a) == get_u_int16_t(packet->payload, 0) - && htons(0x092f) == get_u_int16_t(packet->payload, 20) && packet->payload[22] == 0x20) - || (packet->payload_packet_len == 20 && !get_u_int16_t(packet->payload, 2) && !get_u_int32_t(packet->payload, 8) - && !get_u_int16_t(packet->payload, 18) && get_u_int16_t(packet->payload, 0)) - ) { //20B pkt is For PING - NDPI_LOG(NDPI_PROTOCOL_MANOLITO, ndpi_struct, NDPI_LOG_DEBUG, "MANOLITO: UDP detected \n"); - ndpi_int_manolito_add_connection(ndpi_struct, flow); - return; - } else if (flow->packet_counter < 7) { - return; - } - } - } - - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MANOLITO); -} -#endif diff --git a/src/lib/protocols/attic/popo.c b/src/lib/protocols/attic/popo.c deleted file mode 100644 index 41cda83a6..000000000 --- a/src/lib/protocols/attic/popo.c +++ /dev/null 
@@ -1,86 +0,0 @@ -/* - * popo.c - * - * Copyright (C) 2009-11 - ipoque GmbH - * Copyright (C) 2011-21 - ntop.org - * - * This file is part of nDPI, an open source deep packet inspection - * library based on the OpenDPI and PACE technology by ipoque GmbH - * - * nDPI is free software: you can redistribute it and/or modify - * it under the terms of the GNU Lesser General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * nDPI is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public License - * along with nDPI. If not, see . - * - */ - - -#include "ndpi_protocols.h" -#ifdef NDPI_PROTOCOL_POPO - -static void ndpi_int_popo_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) -{ - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_POPO, NDPI_CONFIDENCE_DPI); -} - -void ndpi_search_popo_tcp_udp(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) -{ - struct ndpi_packet_struct *packet = &flow->packet; - - struct ndpi_id_struct *src = flow->src; - struct ndpi_id_struct *dst = flow->dst; - - if (packet->tcp != NULL) { - if ((packet->payload_packet_len == 20) - && get_u_int32_t(packet->payload, 0) == htonl(0x0c000000) - && get_u_int32_t(packet->payload, 4) == htonl(0x01010000) - && get_u_int32_t(packet->payload, 8) == htonl(0x06000000) - && get_u_int32_t(packet->payload, 12) == 0 && get_u_int32_t(packet->payload, 16) == 0) { - NDPI_LOG(NDPI_PROTOCOL_POPO, ndpi_struct, NDPI_LOG_DEBUG, "POPO detected\n"); - ndpi_int_popo_add_connection(ndpi_struct, flow); - return; - } - - if (NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_POPO) != 0) { 
-#define NDPI_POPO_IP_SUBNET_START ( (220 << 24) + (181 << 16) + (28 << 8) + 220) -#define NDPI_POPO_IP_SUBNET_END ( (220 << 24) + (181 << 16) + (28 << 8) + 238) - - /* may match the first payload ip packet only ... */ - - if (ntohl(packet->iph->daddr) >= NDPI_POPO_IP_SUBNET_START - && ntohl(packet->iph->daddr) <= NDPI_POPO_IP_SUBNET_END) { - NDPI_LOG(NDPI_PROTOCOL_POPO, ndpi_struct, NDPI_LOG_DEBUG, "POPO ip subnet detected\n"); - ndpi_int_popo_add_connection(ndpi_struct, flow); - return; - } - } - } - - if (packet->payload_packet_len > 13 && packet->payload_packet_len == get_l32(packet->payload, 0) - && !get_l16(packet->payload, 12)) { - register u_int16_t ii; - for (ii = 14; ii < 50 && ii < packet->payload_packet_len - 8; ++ii) { - if (packet->payload[ii] == '@') - if (!memcmp(&packet->payload[ii + 1], "163.com", 7) - || (ii <= packet->payload_packet_len - 13 && !memcmp(&packet->payload[ii + 1], "popo.163.com", 12))) { - NDPI_LOG(NDPI_PROTOCOL_POPO, ndpi_struct, NDPI_LOG_DEBUG, "POPO detected.\n"); - ndpi_int_popo_add_connection(ndpi_struct, flow); - return; - } - } - } - - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_POPO); -} - -#endif diff --git a/src/lib/protocols/attic/secondlife.c b/src/lib/protocols/attic/secondlife.c deleted file mode 100644 index b4787a910..000000000 --- a/src/lib/protocols/attic/secondlife.c +++ /dev/null 
@@ -1,123 +0,0 @@ -/* - * secondlife.c - * - * Copyright (C) 2009-11 - ipoque GmbH - * Copyright (C) 2011-21 - ntop.org - * - * This file is part of nDPI, an open source deep packet inspection - * library based on the OpenDPI and PACE technology by ipoque GmbH - * - * nDPI is free software: you can redistribute it and/or modify - * it under the terms of the GNU Lesser General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * nDPI is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public License - * along with nDPI. If not, see . - * - */ - - -#include "ndpi_utils.h" -#ifdef NDPI_PROTOCOL_SECONDLIFE - -static void ndpi_int_secondlife_add_connection(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow/* , */ - /* ndpi_protocol_type_t protocol_type */) -{ - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SECONDLIFE, protocol_type, NDPI_CONFIDENCE_DPI); -} - -void ndpi_search_secondlife(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) -{ - struct ndpi_packet_struct *packet = &flow->packet; - - // struct ndpi_id_struct *src=ndpi_struct->src; - // struct ndpi_id_struct *dst=ndpi_struct->dst; - - // if ((ntohs(packet->udp->dest) == 12035 || ntohs(packet->udp->dest) == 12036 || (ntohs(packet->udp->dest) >= 13000 && ntohs(packet->udp->dest) <= 13050)) //port - // && packet->payload_packet_len > 6 // min length with no extra header, high frequency and 1 byte message body - // && get_u_int8_t(packet->payload, 0) == 0x40 // reliable packet - // && ntohl(get_u_int32_t(packet->payload, 1)) == 0x00000001 // sequence number equals 1 - // //ntohl (get_u_int32_t 
(packet->payload, 5)) == 0x00FFFF00 // no extra header, low frequency message - can't use, message may have higher frequency - // ) { - // NDPI_LOG(NDPI_PROTOCOL_SECONDLIFE, ndpi_struct, NDPI_LOG_DEBUG, "Second Life detected.\n"); - // ndpi_int_secondlife_add_connection(ndpi_struct, flow); - // return; - // } - - if (packet->tcp != NULL) { - if (packet->payload_packet_len > NDPI_STATICSTRING_LEN("GET /") - && memcmp(packet->payload, "GET /", NDPI_STATICSTRING_LEN("GET /")) == 0) { - NDPI_LOG(NDPI_PROTOCOL_SECONDLIFE, ndpi_struct, NDPI_LOG_DEBUG, "Second Life HTTP 'GET /'' found.\n"); - ndpi_parse_packet_line_info(ndpi_struct, flow); - if (packet->user_agent_line.ptr != NULL - && packet->user_agent_line.len > - NDPI_STATICSTRING_LEN - ("Mozilla/5.0 (Windows; U; Windows NT 6.1; de-DE) AppleWebKit/532.4 (KHTML, like Gecko) SecondLife/") - && memcmp(&packet->user_agent_line.ptr[NDPI_STATICSTRING_LEN - ("Mozilla/5.0 (Windows; U; Windows NT 6.1; de-DE) AppleWebKit/532.4 (KHTML, like Gecko) ")], - "SecondLife/", NDPI_STATICSTRING_LEN("SecondLife/")) == 0) { - NDPI_LOG(NDPI_PROTOCOL_SECONDLIFE, ndpi_struct, NDPI_LOG_DEBUG, - "Second Life TCP HTTP User Agent detected.\n"); - ndpi_int_secondlife_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL); - return; - } - if (packet->host_line.ptr != NULL && packet->host_line.len > NDPI_STATICSTRING_LEN(".agni.lindenlab.com:")) { - u_int8_t x; - for (x = 2; x < 6; x++) { - if (packet->host_line.ptr[packet->host_line.len - (1 + x)] == ':') { - if ((1 + x + NDPI_STATICSTRING_LEN(".agni.lindenlab.com")) < packet->host_line.len - && memcmp(&packet->host_line.ptr[packet->host_line.len - - (1 + x + NDPI_STATICSTRING_LEN(".agni.lindenlab.com"))], - ".agni.lindenlab.com", NDPI_STATICSTRING_LEN(".agni.lindenlab.com")) == 0) { - NDPI_LOG(NDPI_PROTOCOL_SECONDLIFE, ndpi_struct, NDPI_LOG_DEBUG, - "Second Life TCP HTTP Host detected.\n"); - ndpi_int_secondlife_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL); - return; - } - 
break; - } - } - } - } - } - if (packet->udp != NULL) { - if (packet->payload_packet_len == 46 - && memcmp(packet->payload, "\x40\x00\x00\x00\x01\x00\xff\xff\x00\x03", 10) == 0) { - NDPI_LOG(NDPI_PROTOCOL_SECONDLIFE, ndpi_struct, NDPI_LOG_DEBUG, "Second Life 0xffff0003 detected.\n"); - ndpi_int_secondlife_add_connection(ndpi_struct, flow); - return; - } - if (packet->payload_packet_len == 54 - && memcmp(packet->payload, "\x40\x00\x00\x00\x01\x00\xff\xff\x00\x52", 10) == 0) { - NDPI_LOG(NDPI_PROTOCOL_SECONDLIFE, ndpi_struct, NDPI_LOG_DEBUG, "Second Life 0xffff0052 detected.\n"); - ndpi_int_secondlife_add_connection(ndpi_struct, flow); - return; - } - if (packet->payload_packet_len == 58 - && memcmp(packet->payload, "\x40\x00\x00\x00\x01\x00\xff\xff\x00\xa9", 10) == 0) { - NDPI_LOG(NDPI_PROTOCOL_SECONDLIFE, ndpi_struct, NDPI_LOG_DEBUG, "Second Life 0xffff00a9 detected.\n"); - ndpi_int_secondlife_add_connection(ndpi_struct, flow); - return; - } - if (packet->payload_packet_len > 54 && memcmp(packet->payload, "\x40\x00\x00\x00\x01\x00\x08", 7) == 0 && - get_u_int32_t(packet->payload, packet->payload_packet_len - 4) == 0) { - NDPI_LOG(NDPI_PROTOCOL_SECONDLIFE, ndpi_struct, NDPI_LOG_DEBUG, "Second Life 0x08 detected.\n"); - ndpi_int_secondlife_add_connection(ndpi_struct, flow); - return; - } - } - - - NDPI_LOG(NDPI_PROTOCOL_SECONDLIFE, ndpi_struct, NDPI_LOG_DEBUG, "Second Life excluded.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SECONDLIFE); -} - -#endif diff --git a/src/lib/protocols/ayiya.c b/src/lib/protocols/ayiya.c index 20088d570..abc5f3336 100644 --- a/src/lib/protocols/ayiya.c +++ b/src/lib/protocols/ayiya.c 
@@ -48,7 +48,9 @@ void ndpi_search_ayiya(struct ndpi_detection_module_struct *ndpi_struct, struct if(packet->udp && (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN)) { /* Ayiya is udp based, port 5072 */ - if ((packet->udp->source == htons(5072) || packet->udp->dest == htons(5072)) + u_int16_t port_to_match = htons(5072); + + if ((packet->udp->source == port_to_match || packet->udp->dest == port_to_match) /* check for ayiya new packet */ && (packet->payload_packet_len > 44) ) { diff --git a/src/lib/protocols/hsrp.c b/src/lib/protocols/hsrp.c new file mode 100644 index 000000000..4b8359548 --- /dev/null +++ b/src/lib/protocols/hsrp.c 
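Review bot: The port literal is still hard-coded in the new `u_int16_t port_to_match = htons(5072);` line, while the HSRP dissector added in the same commit introduces a named `HSRP_PORT` for the same purpose. A file-level `#define AYIYA_PORT 5072` with `u_int16_t port_to_match = htons(AYIYA_PORT);` would keep the two dissectors consistent and give the value a single definition point. The body of ndpi_search_ayiya starts and ends outside this hunk, so the surrounding declarations are not visible here.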
@@ -0,0 +1,78 @@
+/*
+ * ayiya.c
+ *
+ * Copyright (C) 2011-22 - ntop.org
+ *
+ * nDPI is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * nDPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with nDPI. If not, see .
+ *
+ */
+
+/*
+ https://www.cisco.com/c/en/us/support/docs/ip/hot-standby-router-protocol-hsrp/9234-hsrpguidetoc.html
+*/
+
+#include "ndpi_protocol_ids.h"
+
+#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_HSRP
+
+#include "ndpi_api.h"
+
+#define HSRP_PORT 1985
+
+void ndpi_search_hsrp(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow) {
+ struct ndpi_packet_struct *packet = &ndpi_struct->packet;
+
+ NDPI_LOG_DBG(ndpi_struct, "search HSRP\n");
+
+ if(packet->iph && packet->udp && (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN)) {
+ u_int16_t port_to_match = htons(HSRP_PORT);
+
+ if((packet->udp->source == port_to_match) && (packet->udp->dest == port_to_match)) {
+ u_int8_t found = 0;
+
+ if((ntohl(packet->iph->daddr) == 0xE0000002 /* 224.0.0.2 v0 */)
+ && (packet->payload_packet_len >= 20)
+ && (packet->payload[0] == 0x0 /* v0 */)
+ && (packet->payload[7] == 0x0 /* reserved */))
+ found = 1; /* v0 */
+ else if((packet->payload_packet_len >= 42)
+ && (packet->payload[2] == 0x02) /* Version 2 */
+ && (packet->payload[5] == 0x04) /* IPv4 */
+ && (ntohl(packet->iph->daddr) == 0xE0000066 /* 224.0.0.102 v2 */))
+ found = 1;
+
+ if(found) {
+ NDPI_LOG_INFO(ndpi_struct, "found HSRP\n");
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HSRP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+ return;
+ }
+ }
+ }
+
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+}
+
+
+void init_hsrp_dissector(struct ndpi_detection_module_struct *ndpi_struct,
+ u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) {
+ ndpi_set_bitmask_protocol_detection("HSRP", ndpi_struct, detection_bitmask, *id,
+ NDPI_PROTOCOL_HSRP,
+ ndpi_search_hsrp,
+ NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,
+ SAVE_DETECTION_BITMASK_AS_UNKNOWN,
+ ADD_TO_DETECTION_BITMASK);
+
+ *id += 1;
+}
diff --git a/tests/pcap/hsrp0.pcap b/tests/pcap/hsrp0.pcap
new file mode 100644
index 000000000..679fd48dd
Binary files /dev/null and b/tests/pcap/hsrp0.pcap differ
diff --git a/tests/pcap/hsrp2.pcap b/tests/pcap/hsrp2.pcap
new file mode 100644
index 000000000..ae82996d1
Binary files /dev/null and b/tests/pcap/hsrp2.pcap differ
diff --git a/tests/result/hsrp0.pcap.out b/tests/result/hsrp0.pcap.out
new file mode 100644
index 000000000..3ccfbe80f
--- /dev/null
+++ b/tests/result/hsrp0.pcap.out
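Review bot: The license header at the top of the new hsrp.c still reads ` * ayiya.c` (carried over from the AYIYA dissector it was modelled on) and should be ` * hsrp.c`. The v2 branch of ndpi_search_hsrp accepts a flow on the strength of two payload bytes (`payload[2] == 0x02`, `payload[5] == 0x04`) plus the 224.0.0.102 destination and a 42-byte minimum, so it is a fairly thin signature for a dissector that returns NDPI_CONFIDENCE_DPI; if the leading TLV type/length bytes of an HSRPv2 group-state message are fixed, checking `payload[0]`/`payload[1]` as well would tighten it, but confirm against the protocol reference linked in the file before adding that. Because the outer condition requires `packet->iph`, IPv6 datagrams fall straight through to NDPI_EXCLUDE_PROTO even though the dissector registers with NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD; a comment such as `/* IPv4 only: HSRP over IPv6 is not handled by this dissector */` on that line would make the limitation deliberate rather than accidental. The two multicast literals 0xE0000002 and 0xE0000066 would also read better as named constants beside HSRP_PORT.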
@@ -0,0 +1,11 @@ +Guessed flow protos: 0 + +DPI Packets (UDP): 4 (1.00 pkts/flow) +Confidence DPI : 4 (flows) + +HSRP 4 264 4 + + 1 UDP 10.28.168.252:1985 -> 224.0.0.2:1985 [VLAN: 10][proto: 282/HSRP][ClearText][Confidence: DPI][cat: Network/14][1 pkts/66 bytes -> 0 pkts/0 bytes][Goodput ratio: 30/0][< 1 sec][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 UDP 10.28.168.253:1985 -> 224.0.0.2:1985 [VLAN: 10][proto: 282/HSRP][ClearText][Confidence: DPI][cat: Network/14][1 pkts/66 bytes -> 0 pkts/0 bytes][Goodput ratio: 30/0][< 1 sec][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 3 UDP 10.28.170.253:1985 -> 224.0.0.2:1985 [VLAN: 12][proto: 282/HSRP][ClearText][Confidence: DPI][cat: Network/14][1 pkts/66 bytes -> 0 pkts/0 bytes][Goodput ratio: 30/0][< 1 sec][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 4 UDP 10.28.171.253:1985 -> 224.0.0.2:1985 [VLAN: 13][proto: 282/HSRP][ClearText][Confidence: DPI][cat: Network/14][1 pkts/66 bytes -> 0 pkts/0 bytes][Goodput ratio: 30/0][< 1 sec][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/result/hsrp2.pcap.out b/tests/result/hsrp2.pcap.out new file mode 100644 index 000000000..e97076175 --- /dev/null +++ b/tests/result/hsrp2.pcap.out 
@@ -0,0 +1,9 @@ +Guessed flow protos: 0 + +DPI Packets (UDP): 2 (1.00 pkts/flow) +Confidence DPI : 2 (flows) + +HSRP 2 188 2 + + 1 UDP 10.52.220.125:1985 -> 224.0.0.102:1985 [proto: 282/HSRP][ClearText][Confidence: DPI][cat: Network/14][1 pkts/94 bytes -> 0 pkts/0 bytes][Goodput ratio: 55/0][< 1 sec][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 UDP 10.52.253.125:1985 -> 224.0.0.102:1985 [proto: 282/HSRP][ClearText][Confidence: DPI][cat: Network/14][1 pkts/94 bytes -> 0 pkts/0 bytes][Goodput ratio: 55/0][< 1 sec][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/result/synscan.pcap.out b/tests/result/synscan.pcap.out index 06af57fa4..18fd6a94a 100644 --- a/tests/result/synscan.pcap.out +++ b/tests/result/synscan.pcap.out 
@@ -104,7 +104,7 @@ iSCSI 2 116 2 43 TCP 172.16.0.8:36050 -> 64.13.134.52:2605 [proto: 13/BGP][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 44 TCP 172.16.0.8:36050 -> 64.13.134.52:3000 [proto: 26/ntop][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 45 TCP 172.16.0.8:36050 -> 64.13.134.52:3128 [proto: 131/HTTP_Proxy][ClearText][Confidence: Match by port][cat: Web/5][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 46 TCP 172.16.0.8:36050 -> 64.13.134.52:3260 [proto: 282/iSCSI][ClearText][Confidence: Match by port][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 46 TCP 172.16.0.8:36050 -> 64.13.134.52:3260 [proto: 283/iSCSI][ClearText][Confidence: Match by port][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 47 TCP 172.16.0.8:36050 -> 64.13.134.52:3306 [proto: 20/MySQL][ClearText][Confidence: Match by port][cat: Database/11][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 48 TCP 172.16.0.8:36050 -> 64.13.134.52:3389 [proto: 88/RDP][ClearText][Confidence: Match by port][cat: RemoteAccess/12][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Desktop/File Sharing Session **][Risk Score: 10][Plen Bins: 
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 49 TCP 172.16.0.8:36050 -> 64.13.134.52:4343 [proto: 170/Whois-DAS][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 
@@ -165,7 +165,7 @@ iSCSI 2 116 2 104 TCP 172.16.0.8:36051 -> 64.13.134.52:2605 [proto: 13/BGP][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 105 TCP 172.16.0.8:36051 -> 64.13.134.52:3000 [proto: 26/ntop][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 106 TCP 172.16.0.8:36051 -> 64.13.134.52:3128 [proto: 131/HTTP_Proxy][ClearText][Confidence: Match by port][cat: Web/5][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 107 TCP 172.16.0.8:36051 -> 64.13.134.52:3260 [proto: 282/iSCSI][ClearText][Confidence: Match by port][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 107 TCP 172.16.0.8:36051 -> 64.13.134.52:3260 [proto: 283/iSCSI][ClearText][Confidence: Match by port][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 108 TCP 172.16.0.8:36051 -> 64.13.134.52:3306 [proto: 20/MySQL][ClearText][Confidence: Match by port][cat: Database/11][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 109 TCP 172.16.0.8:36051 -> 64.13.134.52:3389 [proto: 88/RDP][ClearText][Confidence: Match by port][cat: RemoteAccess/12][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Desktop/File Sharing Session **][Risk Score: 10][Plen 
Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 110 TCP 172.16.0.8:36051 -> 64.13.134.52:4343 [proto: 170/Whois-DAS][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] -- cgit v1.2.3