gfwleak/stellar-stellar
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(integration decoders): http and glimpse_detector

Browse Source 
compile pass, todo test
This commit is contained in:
yangwei
2024-08-20 19:01:06 +08:00
committed by lijia
parent 6e46dbf762
commit dafbecd49a
804 changed files with 66904 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

97
decoders/glimpse_detector/libprotoident/tcp/lpi_300heroes.cc Normal file
View File

@@ -0,0 +1,97 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
/* Yet another Chinese LoL clone */
static inline bool match_heroes_c1(uint32_t payload, uint32_t len) {
if (len == 12 && MATCH(payload, 0xc1, 0x0c, 0x00, 0x00))
return true;
return false;
}
static inline bool match_heroes_c2(uint32_t payload, uint32_t len) {
if (len == 15 && MATCH(payload, 0xc2, 0x0f, 0x00, 0x00))
return true;
return false;
}
static inline bool match_heroes_db(uint32_t payload, uint32_t len) {
if (len == 22 && MATCH(payload, 0xdb, 0x16, 0x00, 0x00))
return true;
return false;
}
static inline bool match_heroes_e7(uint32_t payload, uint32_t len) {
if (MATCH(payload, 0xe7, 0x2a, 0x00, 0x00)) {
if (len >= 185 && len <= 200)
return true;
}
return false;
}
static inline bool match_300heroes(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_heroes_c1(data->payload[0], data->payload_len[0])) {
if (match_heroes_c2(data->payload[1], data->payload_len[1]))
return true;
}
if (match_heroes_c1(data->payload[1], data->payload_len[1])) {
if (match_heroes_c2(data->payload[0], data->payload_len[0]))
return true;
}
if (match_heroes_db(data->payload[0], data->payload_len[0])) {
if (match_heroes_e7(data->payload[1], data->payload_len[1]))
return true;
}
if (match_heroes_db(data->payload[1], data->payload_len[1])) {
if (match_heroes_e7(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_300heroes = {
LPI_PROTO_300_HEROES,
LPI_CATEGORY_GAMING,
"300Heroes",
101,
match_300heroes
};
void register_300heroes(LPIModuleMap *mod_map) {
register_protocol(&lpi_300heroes, mod_map);
}

130
decoders/glimpse_detector/libprotoident/tcp/lpi_360safeguard.cc Normal file
View File

@@ -0,0 +1,130 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_360_a1req(uint32_t payload, uint32_t len) {
if (len != 63)
return false;
if (MATCH(payload, 0xa1, 0x00, 0x00, 0x00))
return true;
return false;
}
static inline bool match_360_a1resp(uint32_t payload, uint32_t len) {
if (MATCH(payload, 0xa1, 0x82, 0x00, 0x00))
return true;
return false;
}
static inline bool match_360_03req(uint32_t payload, uint32_t len) {
uint32_t hdrlen = (ntohl(payload) & 0xffff);
if (!MATCH(payload, 0x00, 0x03, 0x00, ANY))
return false;
if (len - 8 == hdrlen)
return true;
return false;
}
static inline bool match_360_03resp(uint32_t payload, uint32_t len) {
if (len != 8)
return false;
if (MATCH(payload, 0x00, 0x00, 0x00, 0x00))
return true;
return false;
}
static inline bool match_360_p2pupdate(uint32_t payload, uint32_t len) {
if (len == 68 && MATCH(payload, 0x01, 0xaa, 0x4b, 0x79))
return true;
return false;
}
static inline bool match_360safeguard(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* These patterns have been regularly seen on a machine with 360
* safeguard (Chinese edition) installed. They seem to appear when
* starting up and running a scan, so are probably some form of update
* checking?
*/
if (match_360_a1req(data->payload[0], data->payload_len[0])) {
if (match_360_a1resp(data->payload[1], data->payload_len[1]))
return true;
}
if (match_360_a1req(data->payload[1], data->payload_len[1])) {
if (match_360_a1resp(data->payload[0], data->payload_len[0]))
return true;
}
if (match_360_03req(data->payload[0], data->payload_len[0])) {
if (match_360_03resp(data->payload[1], data->payload_len[1]))
return true;
}
if (match_360_03req(data->payload[1], data->payload_len[1])) {
if (match_360_03resp(data->payload[0], data->payload_len[0]))
return true;
}
/* Have observed unencrypted traffic that appears to be downloading a
* .cab file to update 360 safeguard. */
if (match_360_p2pupdate(data->payload[0], data->payload_len[0])) {
if (match_360_p2pupdate(data->payload[1], data->payload_len[1]))
return true;
}
return false;
}
static lpi_module_t lpi_360safeguard = {
LPI_PROTO_360SAFEGUARD,
LPI_CATEGORY_SECURITY,
"360Safeguard",
8,
match_360safeguard
};
void register_360safeguard(LPIModuleMap *mod_map) {
register_protocol(&lpi_360safeguard, mod_map);
}

99
decoders/glimpse_detector/libprotoident/tcp/lpi_4d.cc Normal file
View File

@@ -0,0 +1,99 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_4d_5f(uint32_t payload, uint32_t len) {
if (len == 4 && MATCH(payload, 0x5f, 0x11, 0x00, 0x00))
return true;
return false;
}
static inline bool match_4d_other(uint32_t payload, uint32_t len) {
if (len == 4 && MATCH(payload, 0x60, 0x11, 0x00, 0x00))
return true;
if (len == 4 && MATCH(payload, 0x61, 0x11, 0x00, 0x00))
return true;
return false;
}
static inline bool match_4d_len72(uint32_t payload, uint32_t len) {
if (len == 72 && MATCH(payload, 0x00, 0x00, 0x00, 0x48))
return true;
return false;
}
static inline bool match_4d_len12(uint32_t payload, uint32_t len) {
if (len == 12 && MATCH(payload, 0x00, 0x00, 0x00, 0x00))
return true;
return false;
}
static inline bool match_4d(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_4d_5f(data->payload[0], data->payload_len[0])) {
if (match_4d_other(data->payload[1], data->payload_len[1]))
return true;
}
if (match_4d_5f(data->payload[1], data->payload_len[1])) {
if (match_4d_other(data->payload[0], data->payload_len[0]))
return true;
}
if (match_4d_len72(data->payload[0], data->payload_len[0])) {
if (match_4d_len12(data->payload[1], data->payload_len[1]))
return true;
}
if (match_4d_len72(data->payload[1], data->payload_len[1])) {
if (match_4d_len12(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_4d = {
LPI_PROTO_4D,
LPI_CATEGORY_DATABASES,
"4D",
75,
match_4d
};
void register_4d(LPIModuleMap *mod_map) {
register_protocol(&lpi_4d, mod_map);
}

76
decoders/glimpse_detector/libprotoident/tcp/lpi_acestream.cc Normal file
View File

@@ -0,0 +1,76 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_ace_greet(uint32_t payload, uint32_t len) {
if (len == 46 && MATCH(payload, 0x11, 'A', 'c', 'e'))
return true;
return false;
}
static inline bool match_ace_66(uint32_t payload, uint32_t len) {
if (len == 0)
return true;
if (len == 66 && MATCH(payload, 0x11, 'A', 'c', 'e'))
return true;
return false;
}
static inline bool match_acestream(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_ace_greet(data->payload[0], data->payload_len[0])) {
if (match_ace_greet(data->payload[1], data->payload_len[1])) {
return true;
}
if (match_ace_66(data->payload[1], data->payload_len[1])) {
return true;
}
}
return false;
}
static lpi_module_t lpi_acestream = {
LPI_PROTO_ACESTREAM,
LPI_CATEGORY_P2P,
"AceStream",
6,
match_acestream
};
void register_acestream(LPIModuleMap *mod_map) {
register_protocol(&lpi_acestream, mod_map);
}

53
decoders/glimpse_detector/libprotoident/tcp/lpi_afp.cc Normal file
View File

@@ -0,0 +1,53 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_afp(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Looking for a DSI header - command 4 is OpenSession */
if (match_str_both(data, "\x00\x04\x00\x01", "\x01\x04\x00\x01"))
return true;
return false;
}
static lpi_module_t lpi_afp = {
LPI_PROTO_AFP,
LPI_CATEGORY_FILES,
"AFP",
5,
match_afp
};
void register_afp(LPIModuleMap *mod_map) {
register_protocol(&lpi_afp, mod_map);
}

139
decoders/glimpse_detector/libprotoident/tcp/lpi_airdroid.cc Normal file
View File

@@ -0,0 +1,139 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_airdroid_req(uint32_t payload, uint32_t len) {
if (MATCH(payload, 0x2a, 0x33, 0x0d, 0x0a)) {
if (len == 97)
return true;
}
if (MATCH(payload, 0x2a, 0x35, 0x0d, 0x0a)) {
if (len == 118 || len == 119)
return true;
}
return false;
}
static inline bool match_airdroid_resp(uint32_t payload, uint32_t len) {
if (len != 4)
return false;
if (MATCH(payload, 0x2b, 0x68, 0x0d, 0x0a))
return true;
return false;
}
static inline bool match_airdroid_get(uint32_t payload) {
if (MATCH(payload, 'G', 'E', 'T', 0x20))
return true;
return false;
}
static inline bool is_hexdigit(uint32_t byte) {
if (byte < 0x30)
return false;
if (byte > 0x39 && byte < 0x61)
return false;
if (byte > 0x66)
return false;
return true;
}
static inline bool match_airdroid_33(uint32_t payload, uint32_t len) {
uint32_t ordered = ntohl(payload);
uint32_t byte;
/* Needs some proper testing against real airdroid traffic */
if (len == 33) {
byte = (ordered & 0xff);
if (!is_hexdigit(byte))
return false;
byte = ((ordered >> 8) & 0xff);
if (!is_hexdigit(byte))
return false;
byte = ((ordered >> 16) & 0xff);
if (!is_hexdigit(byte))
return false;
byte = ((ordered >> 24) & 0xff);
if (!is_hexdigit(byte))
return false;
return true;
}
return false;
}
static inline bool match_airdroid(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_airdroid_req(data->payload[0], data->payload_len[0])) {
if (match_airdroid_resp(data->payload[1], data->payload_len[1]))
return true;
}
if (match_airdroid_req(data->payload[1], data->payload_len[1])) {
if (match_airdroid_resp(data->payload[0], data->payload_len[0]))
return true;
}
if (data->server_port == 9991 || data->client_port == 9991) {
if (match_airdroid_33(data->payload[0], data->payload_len[0])) {
if (match_airdroid_get(data->payload[1]))
return true;
}
if (match_airdroid_33(data->payload[1], data->payload_len[1])) {
if (match_airdroid_get(data->payload[0]))
return true;
}
}
return false;
}
static lpi_module_t lpi_airdroid = {
LPI_PROTO_AIRDROID,
LPI_CATEGORY_CLOUD,
"AirDroid",
12,
match_airdroid
};
void register_airdroid(LPIModuleMap *mod_map) {
register_protocol(&lpi_airdroid, mod_map);
}

76
decoders/glimpse_detector/libprotoident/tcp/lpi_airmedia.cc Normal file
View File

@@ -0,0 +1,76 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
/* Crestron Airmedia -- more details at:
* http://www.boredhackerblog.info/2016/02/extracting-images-from-crestron.html
*/
static inline bool match_cam_wppi(uint32_t payload, uint32_t len) {
if (len == 12 && MATCHSTR(payload, "wppi"))
return true;
return false;
}
static inline bool match_cam_sender(uint32_t payload, uint32_t len) {
if (len == 32 && MATCHSTR(payload, "Send"))
return true;
return false;
}
static inline bool match_airmedia(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Port 515 */
if (match_cam_wppi(data->payload[0], data->payload_len[0])) {
if (match_cam_sender(data->payload[1], data->payload_len[1]))
return true;
}
if (match_cam_wppi(data->payload[1], data->payload_len[1])) {
if (match_cam_sender(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_airmedia = {
LPI_PROTO_AIRMEDIA,
LPI_CATEGORY_REMOTE,
"Airmedia",
5,
match_airmedia
};
void register_airmedia(LPIModuleMap *mod_map) {
register_protocol(&lpi_airmedia, mod_map);
}

62
decoders/glimpse_detector/libprotoident/tcp/lpi_akamai.cc Normal file
View File

@@ -0,0 +1,62 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_akamai_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* TCP exchanges between Akamai nodes */
/* Seems to always be over port 9050, so add a check if too many
* false positives */
/* Payload is 00000000 in both directions */
if (data->payload[0] != 0 || data->payload[1] != 0)
return false;
if (data->payload_len[0] == 163 && data->payload_len[1] == 149)
return true;
if (data->payload_len[1] == 163 && data->payload_len[0] == 149)
return true;
return false;
}
static lpi_module_t lpi_akamai_tcp = {
LPI_PROTO_AKAMAI,
LPI_CATEGORY_CDN,
"AkamaiTCP",
9,
match_akamai_tcp
};
void register_akamai_tcp(LPIModuleMap *mod_map) {
register_protocol(&lpi_akamai_tcp, mod_map);
}

72
decoders/glimpse_detector/libprotoident/tcp/lpi_amp.cc Normal file
View File

@@ -0,0 +1,72 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_amp_throughput(lpi_data_t *data) {
/* AMP Throughput generally uses port 8826 or 8827 */
if (data->server_port != 8826 && data->client_port != 8826
&& data->server_port != 8827 &&
data->client_port != 8827)
return false;
/* AMP Throughput tests are large one-way data transfers */
if (data->payload_len[0] != 0 && data->payload_len[1] != 0)
return false;
/* Packets are always going to be MSS-sized -- assume MTU is no
* smaller than 1280 bytes */
if (data->payload_len[0] < 1240 && data->payload_len[1] < 1240)
return false;
return true;
}
static inline bool match_amp(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_amp_throughput(data))
return true;
return false;
}
static lpi_module_t lpi_amp = {
LPI_PROTO_AMP,
LPI_CATEGORY_MONITORING,
"AMP",
240, /* AMP is not something I'd expect to see outside of Waikato */
match_amp
};
void register_amp(LPIModuleMap *mod_map) {
register_protocol(&lpi_amp, mod_map);
}

57
decoders/glimpse_detector/libprotoident/tcp/lpi_antcoin.cc Normal file
View File

@@ -0,0 +1,57 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_antcoin(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* port 10333 */
if (MATCH(data->payload[0], 'A', 'n', 't', 0x00)) {
if (MATCH(data->payload[1], 'A', 'n', 't', 0x00))
return true;
}
return false;
}
static lpi_module_t lpi_antcoin = {
LPI_PROTO_ANTCOIN,
LPI_CATEGORY_ECOMMERCE,
"AntCoin",
5,
match_antcoin
};
void register_antcoin(LPIModuleMap *mod_map) {
register_protocol(&lpi_antcoin, mod_map);
}

89
decoders/glimpse_detector/libprotoident/tcp/lpi_appearin.cc Normal file
View File

@@ -0,0 +1,89 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
/* Signalling protocol (?) used by appear.in, a WebRTC based video
* conferencing system.
*/
static inline bool match_appear_req(uint32_t payload, uint32_t len) {
uint32_t hlen = ntohl(payload) & 0xffff;
/* Usually 28 bytes */
if (hlen == len - 20 && MATCH(payload, 0x00, 0x03, 0x00, ANY))
return true;
return false;
}
static inline bool match_appear_resp(uint32_t payload, uint32_t len) {
uint32_t hlen = ntohl(payload) & 0xffff;
/* Usually 92 bytes */
if (hlen == len - 20 && MATCH(payload, 0x01, 0x13, 0x00, ANY))
return true;
return false;
}
static inline bool match_appearin(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (data->server_port != 443 && data->client_port != 443)
return false;
if (match_appear_req(data->payload[0], data->payload_len[0])) {
if (match_appear_resp(data->payload[1], data->payload_len[1]))
return true;
}
if (match_appear_req(data->payload[1], data->payload_len[1])) {
if (match_appear_resp(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_appearin = {
LPI_PROTO_APPEAR_IN,
LPI_CATEGORY_VOIP,
"Appear.in",
120,
match_appearin
};
void register_appearin(LPIModuleMap *mod_map) {
register_protocol(&lpi_appearin, mod_map);
}

69
decoders/glimpse_detector/libprotoident/tcp/lpi_apple_push.cc Normal file
View File

@@ -0,0 +1,69 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_apple_push(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* This rule matches the push notifications sent to IOS devices */
if (!match_ssl(data))
return false;
/* Port 5223 is used for the push notifications */
if (data->server_port != 5223 && data->client_port != 5223)
return false;
/* If payload is only one-way, fall back to SSL to avoid risking
* a false positive for other port 5223 SSL apps, e.g. Kik */
if (data->payload_len[0] == 0 || data->payload_len[1] == 0)
return false;
/* Too much size variation to write a good set of rules based on
* payload sizes, just use this as the fallback option for all
* SSL traffic on 5223 that doesn't match something else, e.g.
* PSN store */
return true;
}
static lpi_module_t lpi_apple_push = {
LPI_PROTO_APPLE_PUSH,
LPI_CATEGORY_NOTIFICATION,
"ApplePush",
8, /* Should be a higher priority than regular SSL, but lower than
anything else on port 5223 */
match_apple_push
};
void register_apple_push(LPIModuleMap *mod_map) {
register_protocol(&lpi_apple_push, mod_map);
}

87
decoders/glimpse_detector/libprotoident/tcp/lpi_ares.cc Normal file
View File

@@ -0,0 +1,87 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_ares_client(uint32_t payload, uint32_t len) {
if (len != 6)
return false;
if (!MATCH(payload, 0x03, 0x00, 0x5a, 0x06))
return false;
return true;
}
static inline bool match_ares_peer(uint32_t payload, uint32_t len) {
if (len != 138)
return false;
if (MATCH(payload, 0x87, 0x00, 0x3c, ANY))
return true;
if (MATCH(payload, 0x87, 0x00, 0x3b, ANY))
return true;
return false;
}
static inline bool match_ares(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Pretty sure this is the ARES p2p protocol */
if (match_str_either(data, "ARES"))
return true;
if (match_ares_client(data->payload[0], data->payload_len[0])) {
if (match_ares_peer(data->payload[1], data->payload_len[1]))
return true;
}
if (match_ares_client(data->payload[1], data->payload_len[1])) {
if (match_ares_peer(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_ares = {
LPI_PROTO_ARES,
LPI_CATEGORY_P2P,
"Ares",
8,
match_ares
};
void register_ares(LPIModuleMap *mod_map) {
register_protocol(&lpi_ares, mod_map);
}

82
decoders/glimpse_detector/libprotoident/tcp/lpi_badbaidu.cc Normal file
View File

@@ -0,0 +1,82 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
/* Strange flows that seem to be related to users running the Baidu browser.
* The flow will connect to a Baidu server on port 80, send no data, then
* start sending FINs. After about 6 FINs, the client will then send a one
* byte packet with a sequence number matching the original SYN (which is
* of course completely invalid). At this point, the server usually terminates
* the connection.
*
* Confirmed as being associated with Baidu browser after observing this
* exact traffic after installing the browser.
*
* Not sure what the purpose of this is, or how the browser manages to send
* invalid TCP traffic but it is the root cause behind a lot of non-HTTP
* flows on TCP port 80.
*/
static inline bool match_badbaidu(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Only seen on port 80 */
if (data->client_port != 80 && data->server_port != 80)
return false;
/* Packet is one byte; the byte itself is 0x00. The other end
* does not send any payload.
*/
if (data->payload_len[0] == 0 && data->payload_len[1] == 1) {
if (MATCH(data->payload[1], 0x00, 0x00, 0x00, 0x00))
return true;
}
if (data->payload_len[1] == 0 && data->payload_len[0] == 1) {
if (MATCH(data->payload[0], 0x00, 0x00, 0x00, 0x00))
return true;
}
return false;
}
static lpi_module_t lpi_badbaidu = {
LPI_PROTO_BADBAIDU,
LPI_CATEGORY_MALWARE,
"BadBaidu",
100,
match_badbaidu
};
void register_badbaidu(LPIModuleMap *mod_map) {
register_protocol(&lpi_badbaidu, mod_map);
}

74
decoders/glimpse_detector/libprotoident/tcp/lpi_baofeng_tcp.cc Normal file
View File

@@ -0,0 +1,74 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_baofeng_52(uint32_t payload, uint32_t len) {
if (MATCH(payload, 0x52, 0x00, 0x00, 0x00))
return true;
return false;
}
static inline bool match_baofeng_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (data->server_port == 7909 || data->client_port == 7909) {
if (match_baofeng_52(data->payload[1], data->payload_len[1])) {
if (match_baofeng_52(data->payload[0], data->payload_len[0]))
return true;
}
}
if (data->server_port == 8189 || data->client_port == 8189) {
if (data->payload_len[0] == 63 && data->payload_len[1] == 152)
return true;
if (data->payload_len[1] == 63 && data->payload_len[0] == 152)
return true;
}
return false;
}
static lpi_module_t lpi_baofeng_tcp = {
LPI_PROTO_BAOFENG,
LPI_CATEGORY_STREAMING,
"Baofeng",
105,
match_baofeng_tcp
};
void register_baofeng_tcp(LPIModuleMap *mod_map) {
register_protocol(&lpi_baofeng_tcp, mod_map);
}

66
decoders/glimpse_detector/libprotoident/tcp/lpi_beam.cc Normal file
View File

@@ -0,0 +1,66 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_bm(uint32_t payload, uint32_t len) {
if (len == 40 && MATCH(payload, 'B', 'm', 0x0a, 0x04)) {
return true;
}
return false;
}
static inline bool match_beam(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (data->server_port != 8100 && data->client_port != 8100) {
return false;
}
if (match_bm(data->payload[0], data->payload_len[0])) {
if (match_bm(data->payload[1], data->payload_len[1])) {
return true;
}
}
return false;
}
static lpi_module_t lpi_beam = {
LPI_PROTO_BEAM,
LPI_CATEGORY_ECOMMERCE,
"Beam",
25,
match_beam
};
void register_beam(LPIModuleMap *mod_map) {
register_protocol(&lpi_beam, mod_map);
}

75
decoders/glimpse_detector/libprotoident/tcp/lpi_bitcoin.cc Normal file
View File

@@ -0,0 +1,75 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_bc_version(uint32_t payload, uint32_t len) {
if (len >= 24 && MATCH(payload, 0xf9, 0xbe, 0xb4, 0xd9))
return true;
return false;
}
static inline bool match_bc_version_reply(uint32_t payload, uint32_t len) {
if (len >= 24 && MATCH(payload, 0xf9, 0xbe, 0xb4, 0xd9))
return true;
return false;
}
static inline bool match_bitcoin(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_bc_version(data->payload[0], data->payload_len[0])) {
if (match_bc_version_reply(data->payload[1], data->payload_len[1]))
return true;
}
if (match_bc_version(data->payload[1], data->payload_len[1])) {
if (match_bc_version_reply(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_bitcoin = {
LPI_PROTO_BITCOIN,
LPI_CATEGORY_ECOMMERCE,
"Bitcoin",
5,
match_bitcoin
};
void register_bitcoin(LPIModuleMap *mod_map) {
register_protocol(&lpi_bitcoin, mod_map);
}

90
decoders/glimpse_detector/libprotoident/tcp/lpi_bitextend.cc Normal file
View File

@@ -0,0 +1,90 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
/* Bittorrent extensions (?)
*
* TODO Find some good references for this
*/
static inline bool match_bitextend(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_str_both(data, "\x0\x0\x0\xd", "\x0\x0\x0\x1"))
return true;
if (match_str_both(data, "\x0\x0\x0\x3", "\x0\x0\x0\x38"))
return true;
if (match_str_both(data, "\x0\x0\x0\x3", "\x0\x0\x0\x39"))
return true;
if (match_str_both(data, "\x0\x0\x0\x3", "\x0\x0\x0\x3"))
return true;
if (match_str_both(data, "\x0\x0\x0\x4e", "\x0\x0\x0\xb2"))
return true;
if (match_chars_either(data, 0x00, 0x00, 0x40, 0x09))
return true;
if (MATCH(data->payload[0], 0x00, 0x00, 0x01, ANY) &&
MATCH(data->payload[1], 0x00, 0x00, 0x00, 0x38))
return true;
if (MATCH(data->payload[1], 0x00, 0x00, 0x01, ANY) &&
MATCH(data->payload[0], 0x00, 0x00, 0x00, 0x38))
return true;
if (MATCH(data->payload[0], 0x00, 0x00, 0x00, ANY) &&
MATCH(data->payload[1], 0x00, 0x00, 0x00, 0x05))
return true;
if (MATCH(data->payload[1], 0x00, 0x00, 0x00, ANY) &&
MATCH(data->payload[0], 0x00, 0x00, 0x00, 0x05))
return true;
if (MATCH(data->payload[0], 0x01, 0x00, ANY, 0x68) &&
MATCH(data->payload[1], 0x00, 0x00, 0x00, 0x05))
return true;
if (MATCH(data->payload[1], 0x01, 0x00, ANY, 0x68) &&
MATCH(data->payload[0], 0x00, 0x00, 0x00, 0x05))
return true;
return false;
}
static lpi_module_t lpi_bitextend = {
LPI_PROTO_BITEXT,
LPI_CATEGORY_P2P,
"Bittorrent_Extension",
5, /* This is probably fine, but I'd rather have this at 5 than 2 */
match_bitextend
};
void register_bitextend(LPIModuleMap *mod_map) {
register_protocol(&lpi_bitextend, mod_map);
}

96
decoders/glimpse_detector/libprotoident/tcp/lpi_bittorrent.cc Normal file
View File

@@ -0,0 +1,96 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_bittorrent_header(uint32_t payload, uint32_t len) {
if (len == 0)
return true;
if (MATCH(payload, 0x13, 'B', 'i', 't'))
return true;
if (len == 3 && MATCH(payload, 0x13, 'B', 'i', 0x00))
return true;
if (len == 2 && MATCH(payload, 0x13, 'B', 0x00, 0x00))
return true;
if (len == 1 && MATCH(payload, 0x13, 0x00, 0x00, 0x00))
return true;
return false;
}
static inline bool match_ww_xx_header(uint32_t payload, uint32_t len) {
/* Fairly confident that this is related to Bittorrent, though I
* can't seem to find any source code or documentation that references
* it.
*
* The full string included in the header is:
* 0x13 #WW-XX#@77
*/
if (len == 0)
return true;
if (MATCH(payload, 0x13, 0x23, 0x57, 0x57))
return true;
return false;
}
static inline bool match_bittorrent(lpi_data_t *data, lpi_module_t *mod UNUSED)
{
if (match_bittorrent_header(data->payload[0], data->payload_len[0])) {
if (match_bittorrent_header(data->payload[1],
data->payload_len[1]))
return true;
}
if (match_ww_xx_header(data->payload[0], data->payload_len[0])) {
if (match_ww_xx_header(data->payload[1], data->payload_len[1]))
return true;
}
return false;
}
static lpi_module_t lpi_bittorrent = {
LPI_PROTO_BITTORRENT,
LPI_CATEGORY_P2P,
"BitTorrent",
2,
match_bittorrent
};
void register_bittorrent(LPIModuleMap *mod_map) {
register_protocol(&lpi_bittorrent, mod_map);
}

93
decoders/glimpse_detector/libprotoident/tcp/lpi_blackdesert.cc Normal file
View File

@@ -0,0 +1,93 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
/* First two bytes definitely look like a little-endian length
* field, so we could use that to match more reply types */
/* Port 9991, 9992 and 9993 */
static inline bool match_bdo_request(uint32_t payload, uint32_t len) {
if (len == 111 && MATCH(payload, 0x6f, 0x00, 0x01, 0x9d))
return true;
if (len == 111 && MATCH(payload, 0x6f, 0x00, 0x01, 0x46))
return true;
if (len == 277 && MATCH(payload, 0x15, 0x01, 0x01, ANY))
return true;
if (len == 433 && MATCH(payload, 0xb1, 0x01, 0x01, ANY))
return true;
return false;
}
static inline bool match_bdo_reply(uint32_t payload, uint32_t len) {
if (len == 112 && MATCH(payload, 0x70, 0x00, 0x01, ANY))
return true;
if (len == 113 && MATCH(payload, 0x71, 0x00, 0x01, ANY))
return true;
if (len == 119 && MATCH(payload, 0x77, 0x00, 0x01, 0x46))
return true;
return false;
}
static inline bool match_blackdesert(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_bdo_request(data->payload[0], data->payload_len[0])) {
if (match_bdo_reply(data->payload[1], data->payload_len[1]))
return true;
}
if (match_bdo_request(data->payload[1], data->payload_len[1])) {
if (match_bdo_reply(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_blackdesert = {
LPI_PROTO_BLACKDESERT,
LPI_CATEGORY_GAMING,
"BlackDesertOnline",
12,
match_blackdesert
};
void register_blackdesert(LPIModuleMap *mod_map) {
register_protocol(&lpi_blackdesert, mod_map);
}

88
decoders/glimpse_detector/libprotoident/tcp/lpi_blizzard.cc Normal file
View File

@@ -0,0 +1,88 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_bnet_auth_req(uint32_t payload, uint32_t len) {
if (len >= 160 && len <= 170 && MATCH(payload, 0x00, 0x0a, 0x08, 0xfe))
return true;
return false;
}
static inline bool match_bnet_auth_resp(uint32_t payload, uint32_t len) {
if (len == 184 || len == 199) {
if (MATCH(payload, 0x00, 0x09, 0x08, 0x00))
return true;
}
return false;
}
static inline bool match_blizzard(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_str_both(data, "\x10\xdf\x22\x00", "\x10\x00\x00\x00"))
return true;
if (MATCH(data->payload[0], 0x00, ANY, 0xed, 0x01) &&
MATCH(data->payload[1], 0x00, 0x06, 0xec, 0x01))
return true;
if (MATCH(data->payload[1], 0x00, ANY, 0xed, 0x01) &&
MATCH(data->payload[0], 0x00, 0x06, 0xec, 0x01))
return true;
/* More up to date battle.net authentication protocol */
if (match_bnet_auth_req(data->payload[0], data->payload_len[0])) {
if (match_bnet_auth_resp(data->payload[1], data->payload_len[1]))
return true;
}
if (match_bnet_auth_req(data->payload[1], data->payload_len[1])) {
if (match_bnet_auth_resp(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_blizzard = {
LPI_PROTO_BLIZZARD,
LPI_CATEGORY_GAMING,
"Blizzard",
2,
match_blizzard
};
void register_blizzard(LPIModuleMap *mod_map) {
register_protocol(&lpi_blizzard, mod_map);
}

52
decoders/glimpse_detector/libprotoident/tcp/lpi_btsync.cc Normal file
View File

@@ -0,0 +1,52 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_btsync(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_str_either(data, "BSYN"))
return true;
return false;
}
static lpi_module_t lpi_btsync = {
LPI_PROTO_BTSYNC,
LPI_CATEGORY_FILES,
"BitTorrentSync",
8,
match_btsync
};
void register_btsync(LPIModuleMap *mod_map) {
register_protocol(&lpi_btsync, mod_map);
}

85
decoders/glimpse_detector/libprotoident/tcp/lpi_bwsyncandshare.cc Normal file
View File

@@ -0,0 +1,85 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
/* Have not tested against the application itself, as it is restricted
* to certain German universities. There may be more variants of this
* traffic.
*/
static inline bool match_bws_951(uint32_t payload, uint32_t len) {
if (len == 4 && MATCH(payload, 0x00, 0x00, 0x09, 0x51))
return true;
return false;
}
static inline bool match_bws_other(uint32_t payload, uint32_t len) {
uint32_t lastbyte = ntohl(payload) & 0x000000ff;
if (len == 4 && MATCH(payload, 0x00, 0x00, 0x08, ANY)) {
/* Byte 4 is always 0xfX, where X can be just about
* anything.
*/
if ((lastbyte & 0xf0) == 0xf0)
return true;
}
return false;
}
static inline bool match_bwsyncandshare(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Port 60107? */
if (match_bws_951(data->payload[0], data->payload_len[0])) {
if (match_bws_other(data->payload[1], data->payload_len[1]))
return true;
}
if (match_bws_951(data->payload[1], data->payload_len[1])) {
if (match_bws_other(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_bwsyncandshare = {
LPI_PROTO_BWSYNC,
LPI_CATEGORY_CLOUD,
"BWSyncAndShare",
120,
match_bwsyncandshare
};
void register_bwsyncandshare(LPIModuleMap *mod_map) {
register_protocol(&lpi_bwsyncandshare, mod_map);
}

65
decoders/glimpse_detector/libprotoident/tcp/lpi_cacaoweb.cc Normal file
View File

@@ -0,0 +1,65 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_cacaoweb_header(uint32_t payload, uint32_t len) {
if (!MATCH(payload, 0x84, 0x95, 0xa6, 0xbe))
return false;
if (len >= 51 && len <= 56)
return true;
if (len == 91)
return true;
return false;
}
static inline bool match_cacaoweb(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_cacaoweb_header(data->payload[0], data->payload_len[0])) {
if (match_cacaoweb_header(data->payload[1], data->payload_len[1]))
return true;
}
return false;
}
static lpi_module_t lpi_cacaoweb = {
LPI_PROTO_CACAOWEB,
LPI_CATEGORY_P2P,
"CacaoWeb",
5,
match_cacaoweb
};
void register_cacaoweb(LPIModuleMap *mod_map) {
register_protocol(&lpi_cacaoweb, mod_map);
}

55
decoders/glimpse_detector/libprotoident/tcp/lpi_cgp.cc Normal file
View File

@@ -0,0 +1,55 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_cgp(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Citrix CGP is a special version of ICA that runs on TCP port
* 2598 */
if (match_str_both(data, "\x1a""CGP", "\x1a""CGP"))
return true;
return false;
}
static lpi_module_t lpi_cgp = {
LPI_PROTO_CGP,
LPI_CATEGORY_REMOTE,
"CitrixCGP",
3,
match_cgp
};
void register_cgp(LPIModuleMap *mod_map) {
register_protocol(&lpi_cgp, mod_map);
}

82
decoders/glimpse_detector/libprotoident/tcp/lpi_chatango.cc Normal file
View File

@@ -0,0 +1,82 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_chatango_in(uint32_t payload, uint32_t len) {
if (len != 2)
return false;
if (!MATCH(payload, 'v', 0x00, 0x00, 0x00))
return false;
return true;
}
static inline bool match_chatango_out(uint32_t payload, uint32_t len) {
if (len != 10)
return false;
if (MATCH(payload, 'v', ':', '1', '0'))
return true;
if (MATCH(payload, 'v', ':', '1', '4'))
return true;
return false;
}
static inline bool match_chatango(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_chatango_out(data->payload[0], data->payload_len[0])) {
if (match_chatango_in(data->payload[1], data->payload_len[1]))
return true;
}
if (match_chatango_in(data->payload[0], data->payload_len[0])) {
if (match_chatango_out(data->payload[1], data->payload_len[1]))
return true;
}
return false;
}
static lpi_module_t lpi_chatango = {
LPI_PROTO_CHATANGO,
LPI_CATEGORY_CHAT,
"Chatango",
3,
match_chatango
};
void register_chatango(LPIModuleMap *mod_map) {
register_protocol(&lpi_chatango, mod_map);
}

76
decoders/glimpse_detector/libprotoident/tcp/lpi_cisco_vpn.cc Normal file
View File

@@ -0,0 +1,76 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_cisco_vpn_server(uint32_t payload, uint32_t len) {
if (len == 0)
return true;
if (MATCH(payload, 0x01, 0xf4, ANY, ANY))
return true;
return false;
}
static inline bool match_cisco_vpn_client(uint32_t payload, uint32_t len) {
if (len == 0)
return true;
if (MATCH(payload, ANY, ANY, 0x01, 0xf4))
return true;
return false;
}
static inline bool match_cisco_vpn(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_cisco_vpn_server(data->payload[0], data->payload_len[0])) {
if (match_cisco_vpn_client(data->payload[1], data->payload_len[1]))
return true;
}
if (match_cisco_vpn_server(data->payload[1], data->payload_len[1])) {
if (match_cisco_vpn_client(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_cisco_vpn = {
LPI_PROTO_CISCO_VPN,
LPI_CATEGORY_TUNNELLING,
"Cisco_VPN",
7,
match_cisco_vpn
};
void register_cisco_vpn(LPIModuleMap *mod_map) {
register_protocol(&lpi_cisco_vpn, mod_map);
}

98
decoders/glimpse_detector/libprotoident/tcp/lpi_clashofclans.cc Normal file
View File

@@ -0,0 +1,98 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_coc_login(uint32_t payload, uint32_t len) {
/* First two bytes are 10101 (0x2775) or 10100 (0x2774)
* Next three bytes are a length field, usually 250-330 bytes */
if (MATCH(payload, 0x27, 0x75, 0x00, 0x01))
return true;
if (MATCH(payload, 0x27, 0x75, 0x00, 0x00))
return true;
if (MATCH(payload, 0x27, 0x74, 0x00, 0x01))
return true;
if (MATCH(payload, 0x27, 0x74, 0x00, 0x00))
return true;
return false;
}
static inline bool match_coc_encrypt(uint32_t payload, uint32_t len) {
/* First two bytes are 20000 (0x4e20) or 20100 (0x4e84)
* Next three bytes are a length field, always seems to be just
* under 256 bytes */
if (MATCH(payload, 0x4e, 0x20, 0x00, 0x00))
return true;
if (MATCH(payload, 0x4e, 0x84, 0x00, 0x00))
return true;
return false;
}
static inline bool match_clashofclans(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Could limit this to port 9339, but the pattern is probably strong
* enough by itself */
/* Actually, port 1863 is also used... */
if (match_coc_login(data->payload[0], data->payload_len[0])) {
if (match_coc_encrypt(data->payload[1], data->payload_len[1]))
return true;
}
if (match_coc_login(data->payload[1], data->payload_len[1])) {
if (match_coc_encrypt(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_clashofclans = {
LPI_PROTO_CLASH_OF_CLANS,
LPI_CATEGORY_GAMING,
"ClashOfClans",
4,
match_clashofclans
};
void register_clashofclans(LPIModuleMap *mod_map) {
register_protocol(&lpi_clashofclans, mod_map);
}

75
decoders/glimpse_detector/libprotoident/tcp/lpi_classin_tcp.cc Normal file
View File

@@ -0,0 +1,75 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_classin_41(uint32_t payload, uint32_t len) {
if (len == 41 && MATCH(payload, 0x1a, 0x03, 0x00, 0x02)) {
return true;
}
return false;
}
static inline bool match_classin_52(uint32_t payload, uint32_t len) {
if (len == 52 && MATCH(payload, 0x1a, 0x03, 0x00, 0x02)) {
return true;
}
return false;
}
static inline bool match_classin_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_classin_41(data->payload[0], data->payload_len[0])) {
if (match_classin_52(data->payload[1], data->payload_len[1])) {
return true;
}
}
if (match_classin_41(data->payload[1], data->payload_len[1])) {
if (match_classin_52(data->payload[0], data->payload_len[0])) {
return true;
}
}
return false;
}
static lpi_module_t lpi_classin_tcp = {
LPI_PROTO_CLASSIN,
LPI_CATEGORY_EDUCATIONAL,
"ClassIn_TCP",
133,
match_classin_tcp
};
void register_classin_tcp(LPIModuleMap *mod_map) {
register_protocol(&lpi_classin_tcp, mod_map);
}

57
decoders/glimpse_detector/libprotoident/tcp/lpi_clubbox.cc Normal file
View File

@@ -0,0 +1,57 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_clubbox(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (!match_str_both(data, "\x00\x00\x01\x03", "\x00\x00\x01\x03"))
return false;
if (data->payload_len[0] == 36 && data->payload_len[1] == 28)
return true;
if (data->payload_len[1] == 36 && data->payload_len[0] == 28)
return true;
return false;
}
static lpi_module_t lpi_clubbox = {
LPI_PROTO_CLUBBOX,
LPI_CATEGORY_P2P,
"Clubbox",
3,
match_clubbox
};
void register_clubbox(LPIModuleMap *mod_map) {
register_protocol(&lpi_clubbox, mod_map);
}

63
decoders/glimpse_detector/libprotoident/tcp/lpi_cod_waw.cc Normal file
View File

@@ -0,0 +1,63 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_cod_waw(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Call of Duty: World at War uses TCP port 3074 - the protocol isn't
* well documented, but traffic matching this pattern goes to known
* CoD servers */
if (data->server_port != 3074 && data->client_port != 3074)
return false;
if (data->payload_len[0] != 4 || data->payload_len[1] != 4)
return false;
if (data->payload[0] != 0 || data->payload[1] != 0)
return false;
return true;
}
static lpi_module_t lpi_cod_waw = {
LPI_PROTO_COD_WAW,
LPI_CATEGORY_GAMING,
"Call_of_Duty_TCP",
10, /* Weak rule */
match_cod_waw
};
void register_cod_waw(LPIModuleMap *mod_map) {
register_protocol(&lpi_cod_waw, mod_map);
}

67
decoders/glimpse_detector/libprotoident/tcp/lpi_conquer.cc Normal file
View File

@@ -0,0 +1,67 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_conquer(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (data->payload_len[0] == 5 && data->payload_len[1] == 4 &&
MATCH(data->payload[0], 'R', 'E', 'A', 'D'))
return true;
if (data->payload_len[1] == 5 && data->payload_len[0] == 4 &&
MATCH(data->payload[1], 'R', 'E', 'A', 'D'))
return true;
if (data->payload_len[0] == 4 && (MATCH(data->payload[0], '5', '0', ANY, ANY) ||
MATCH(data->payload[0], '5', '1', ANY, ANY)) &&
MATCH(data->payload[1], 'U', 'P', 'D', 'A'))
return true;
if (data->payload_len[1] == 4 && (MATCH(data->payload[1], '5', '0', ANY, ANY) ||
MATCH(data->payload[1], '5', '1', ANY, ANY)) &&
MATCH(data->payload[0], 'U', 'P', 'D', 'A'))
return true;
return false;
}
static lpi_module_t lpi_conquer = {
LPI_PROTO_CONQUER,
LPI_CATEGORY_GAMING,
"ConquerOnline",
3,
match_conquer
};
void register_conquer(LPIModuleMap *mod_map) {
register_protocol(&lpi_conquer, mod_map);
}

76
decoders/glimpse_detector/libprotoident/tcp/lpi_crashplan.cc Normal file
View File

@@ -0,0 +1,76 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_crashplan_16(uint32_t payload, uint32_t len) {
if (len != 16)
return false;
return true;
}
static inline bool match_crashplan_6(uint32_t payload, uint32_t len) {
if (len != 6)
return false;
if (!MATCH(payload, 0x80, 0x63, 0x00, 0x00))
return false;
return true;
}
static inline bool match_crashplan(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_crashplan_16(data->payload[0], data->payload_len[0])) {
if (match_crashplan_6(data->payload[1], data->payload_len[1]))
return true;
}
if (match_crashplan_16(data->payload[1], data->payload_len[1])) {
if (match_crashplan_6(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_crashplan = {
LPI_PROTO_CRASHPLAN,
LPI_CATEGORY_CLOUD,
"CrashPlan",
50,
match_crashplan
};
void register_crashplan(LPIModuleMap *mod_map) {
register_protocol(&lpi_crashplan, mod_map);
}

82
decoders/glimpse_detector/libprotoident/tcp/lpi_crossfire_tcp.cc Normal file
View File

@@ -0,0 +1,82 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_cf_05(uint32_t payload, uint32_t len) {
if (len == 65 && MATCH(payload, 0x05, 0x01, 0x99, 0x01))
return true;
return false;
}
static inline bool match_cf_tcp(uint32_t payload, uint32_t len) {
uint32_t hlen = bswap_le_to_host32(payload & 0xffff00) >> 8;
if (len < 1350 && hlen != len - 7)
return false;
if (MATCH(payload, 0xf1, ANY, ANY, 0x01))
return true;
if (MATCH(payload, 0xf1, ANY, ANY, 0x00))
return true;
return false;
}
static inline bool match_crossfire_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_cf_tcp(data->payload[0], data->payload_len[0])) {
if (match_cf_tcp(data->payload[1], data->payload_len[1])) {
return true;
}
if (match_cf_05(data->payload[1], data->payload_len[1])) {
return true;
}
}
if (match_cf_05(data->payload[0], data->payload_len[0])) {
if (match_cf_tcp(data->payload[1], data->payload_len[1]))
return true;
}
return false;
}
static lpi_module_t lpi_crossfire_tcp = {
LPI_PROTO_CROSSFIRE,
LPI_CATEGORY_GAMING,
"CrossfireTCP",
30,
match_crossfire_tcp
};
void register_crossfire_tcp(LPIModuleMap *mod_map) {
register_protocol(&lpi_crossfire_tcp, mod_map);
}

55
decoders/glimpse_detector/libprotoident/tcp/lpi_cryptic.cc Normal file
View File

@@ -0,0 +1,55 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
/* Cryptic are the company behind several popular MMOs, including
* Champions Online and Star Trek Online */
static inline bool match_cryptic(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_str_both(data, "Cryp", "Cryp"))
return true;
return false;
}
static lpi_module_t lpi_cryptic = {
LPI_PROTO_CRYPTIC,
LPI_CATEGORY_GAMING,
"Cryptic",
2,
match_cryptic
};
void register_cryptic(LPIModuleMap *mod_map) {
register_protocol(&lpi_cryptic, mod_map);
}

90
decoders/glimpse_detector/libprotoident/tcp/lpi_cvs.cc Normal file
View File

@@ -0,0 +1,90 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_cvs_request(uint32_t data, uint32_t len) {
if (MATCHSTR(data, "BEGI"))
return true;
return false;
}
static inline bool match_cvs_response(uint32_t data, uint32_t len) {
if (len == 0)
return true;
/* "I LOVE YOU" = auth succeeded */
if (MATCHSTR(data, "I LO"))
return true;
/* "I HATE YOU" = auth failed */
if (MATCHSTR(data, "I HA"))
return true;
/* "E <msg>" = a message */
if (MATCH(data, 'E', ' ', ANY, ANY))
return true;
/* error = an error */
if (MATCHSTR(data, "erro"))
return true;
return false;
}
static inline bool match_cvs(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_cvs_request(data->payload[0], data->payload_len[0]) &&
match_cvs_response(data->payload[1], data->payload_len[1]))
return true;
if (match_cvs_request(data->payload[1], data->payload_len[1]) &&
match_cvs_response(data->payload[0], data->payload_len[0]))
return true;
return false;
}
static lpi_module_t lpi_cvs = {
LPI_PROTO_CVS,
LPI_CATEGORY_RCS,
"CVS",
3,
match_cvs
};
void register_cvs(LPIModuleMap *mod_map) {
register_protocol(&lpi_cvs, mod_map);
}

92
decoders/glimpse_detector/libprotoident/tcp/lpi_dahua_tcp.cc Normal file
View File

@@ -0,0 +1,92 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
/* Chinese IP surveillance Cameras */
static inline bool match_dahua_ports(uint16_t sport, uint16_t cport) {
if (sport == 8888 || cport == 8888) {
return true;
}
if (sport == 37777 || cport == 37777) {
return true;
}
return false;
}
static inline bool match_f4_186(uint32_t payload, uint32_t len) {
if (len == 186 && MATCH(payload, 0xf4, 0x00, 0x00, 0x00))
return true;
return false;
}
static inline bool match_f4_208(uint32_t payload, uint32_t len) {
if (len >= 206 && len <= 208 && MATCH(payload, 0xf4, 0x00, 0x00, 0x58))
return true;
return false;
}
static inline bool match_dahua(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (!match_dahua_ports(data->server_port, data->client_port)) {
return false;
}
if (match_f4_186(data->payload[0], data->payload_len[0])) {
if (match_f4_208(data->payload[1], data->payload_len[1])) {
return true;
}
}
if (match_f4_186(data->payload[1], data->payload_len[1])) {
if (match_f4_208(data->payload[0], data->payload_len[0])) {
return true;
}
}
return false;
}
static lpi_module_t lpi_dahua_tcp = {
LPI_PROTO_DAHUA,
LPI_CATEGORY_IPCAMERAS,
"DahuaTCP",
13,
match_dahua
};
void register_dahua_tcp(LPIModuleMap *mod_map) {
register_protocol(&lpi_dahua_tcp, mod_map);
}

74
decoders/glimpse_detector/libprotoident/tcp/lpi_dash.cc Normal file
View File

@@ -0,0 +1,74 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_dash_125(uint32_t payload, uint32_t len) {
if (len == 125 && MATCH(payload, 0xbf, 0x0c, 0x6b, 0xbd))
return true;
return false;
}
static inline bool match_dash_130(uint32_t payload, uint32_t len) {
if (len == 130 && MATCH(payload, 0xbf, 0x0c, 0x6b, 0xbd))
return true;
return false;
}
static inline bool match_dash(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Port 9999 */
if (match_dash_125(data->payload[0], data->payload_len[0])) {
if (match_dash_130(data->payload[1], data->payload_len[1]))
return true;
}
if (match_dash_125(data->payload[1], data->payload_len[1])) {
if (match_dash_130(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_dash = {
LPI_PROTO_DASH,
LPI_CATEGORY_ECOMMERCE,
"Dash",
5,
match_dash
};
void register_dash(LPIModuleMap *mod_map) {
register_protocol(&lpi_dash, mod_map);
}

85
decoders/glimpse_detector/libprotoident/tcp/lpi_dell_backup.cc Normal file
View File

@@ -0,0 +1,85 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
/* This one is a bit tenuous but I'm reasonably confident that this is
* something to do with the Dell backup and recovery service. All observed
* traffic matching the rules described here go 66.151.242.0/24, which has
* previously reversed to dellbackupandrecoverycloudstorage.com.
*/
static inline bool match_dell_backup_req(uint32_t payload, uint32_t len) {
if (len != 12)
return false;
if (MATCH(payload, 0x08, 0x00, 0x00, 0x00))
return true;
return false;
}
static inline bool match_dell_backup_resp(uint32_t payload, uint32_t len) {
if (len != 24)
return false;
if (MATCH(payload, 0x14, 0x00, 0x00, 0x00))
return true;
return false;
}
static inline bool match_dell_backup(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (data->server_port != 443 && data->client_port != 443)
return false;
if (match_dell_backup_req(data->payload[0], data->payload_len[0])) {
if (match_dell_backup_resp(data->payload[1], data->payload_len[1]))
return true;
}
if (match_dell_backup_req(data->payload[1], data->payload_len[1])) {
if (match_dell_backup_resp(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_dell_backup = {
LPI_PROTO_DELL_BACKUP,
LPI_CATEGORY_CLOUD,
"DellBackup",
100,
match_dell_backup
};
void register_dell_backup(LPIModuleMap *mod_map) {
register_protocol(&lpi_dell_backup, mod_map);
}

74
decoders/glimpse_detector/libprotoident/tcp/lpi_destiny.cc Normal file
View File

@@ -0,0 +1,74 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
/* Destiny -- multiplayer FPS by Bungie */
static inline bool match_destiny_request(uint32_t payload, uint32_t len) {
if (len == 140 && MATCH(payload, 0x01, 0x02, 0x00, 0x00))
return true;
return false;
}
static inline bool match_destiny_reply(uint32_t payload, uint32_t len) {
if (len == 142 && MATCH(payload, 0x01, 0x02, 0x00, 0x00))
return true;
return false;
}
static inline bool match_destiny(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_destiny_request(data->payload[0], data->payload_len[0])) {
if (match_destiny_reply(data->payload[1], data->payload_len[1]))
return true;
}
if (match_destiny_request(data->payload[1], data->payload_len[1])) {
if (match_destiny_reply(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_destiny = {
LPI_PROTO_DESTINY,
LPI_CATEGORY_GAMING,
"Destiny",
23,
match_destiny
};
void register_destiny(LPIModuleMap *mod_map) {
register_protocol(&lpi_destiny, mod_map);
}

71
decoders/glimpse_detector/libprotoident/tcp/lpi_diablo3.cc Normal file
View File

@@ -0,0 +1,71 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_diablo_req(uint32_t payload, uint32_t len) {
if (len == 25 && MATCH(payload, 0x00, 0x00, 0x00, 0x19))
return true;
return false;
}
static inline bool match_diablo_resp(uint32_t payload, uint32_t len) {
if (len == 66 && MATCH(payload, 0x00, 0x00, 0x00, 0x42))
return true;
return false;
}
static inline bool match_diablo3(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_diablo_req(data->payload[0], data->payload_len[0])) {
if (match_diablo_resp(data->payload[1], data->payload_len[1]))
return true;
}
if (match_diablo_req(data->payload[1], data->payload_len[1])) {
if (match_diablo_resp(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_diablo3 = {
LPI_PROTO_DIABLO3,
LPI_CATEGORY_GAMING,
"Diablo3",
5,
match_diablo3
};
void register_diablo3(LPIModuleMap *mod_map) {
register_protocol(&lpi_diablo3, mod_map);
}

82
decoders/glimpse_detector/libprotoident/tcp/lpi_dianping_tcp.cc Normal file
View File

@@ -0,0 +1,82 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_dianping_query(uint32_t payload, uint32_t len) {
if (len != 1)
return false;
if (MATCH(payload, 0x00, 0x00, 0x00, 0x00))
return true;
if (MATCH(payload, 0x01, 0x00, 0x00, 0x00))
return true;
return false;
}
static inline bool match_dianping_resp(uint32_t payload, uint32_t len) {
if (len != 1)
return false;
if (MATCH(payload, 0x00, 0x00, 0x00, 0x00))
return true;
return false;
}
static inline bool match_dianping_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (data->server_port != 80 && data->client_port != 80 &&
data->client_port != 443 && data->server_port != 443)
return false;
if (match_dianping_query(data->payload[0], data->payload_len[0])) {
if (match_dianping_resp(data->payload[1], data->payload_len[1]))
return true;
}
if (match_dianping_query(data->payload[1], data->payload_len[1])) {
if (match_dianping_resp(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_dianping_tcp = {
LPI_PROTO_DIANPING,
LPI_CATEGORY_MOBILE_APP,
"DianpingTCP",
210,
match_dianping_tcp
};
void register_dianping_tcp(LPIModuleMap *mod_map) {
register_protocol(&lpi_dianping_tcp, mod_map);
}

64
decoders/glimpse_detector/libprotoident/tcp/lpi_directconnect.cc Normal file
View File

@@ -0,0 +1,64 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_dc(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* $MyN seemed best to check for - might have to check for $max and
* $Sup as well */
/* NOTE: Some people seem to use DC to connect to port 80 and get
* HTTP responses. At this stage, I'd rather that fell under DC rather
* than HTTP, so we need to check for this before we check for HTTP */
if (match_str_either(data, "$MyN")) return true;
if (match_str_either(data, "$Sup")) return true;
if (match_str_either(data, "$Loc")) return true;
/* Response is usually an HTTP response - we could check that if
* needed */
return false;
}
static lpi_module_t lpi_directconnect = {
LPI_PROTO_DC,
LPI_CATEGORY_P2P,
"DirectConnect",
1, /* Need a higher priority than regular HTTP */
match_dc
};
void register_directconnect(LPIModuleMap *mod_map) {
register_protocol(&lpi_directconnect, mod_map);
}

73
decoders/glimpse_detector/libprotoident/tcp/lpi_dnf.cc Normal file
View File

@@ -0,0 +1,73 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_dnf_90(uint32_t payload, uint32_t len) {
if (len == 90 && MATCH(payload, 0x01, 0x00, 0x00, 0x00))
return true;
return false;
}
static inline bool match_dnf_258(uint32_t payload, uint32_t len) {
if (len == 258 && MATCH(payload, 0x01, 0x00, 0x00, 0x01))
return true;
return false;
}
static inline bool match_dnf(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Port 80 or 443 */
if (match_dnf_90(data->payload[0], data->payload_len[0])) {
if (match_dnf_258(data->payload[1], data->payload_len[1]))
return true;
}
if (match_dnf_90(data->payload[1], data->payload_len[1])) {
if (match_dnf_258(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_dnf = {
LPI_PROTO_DNF,
LPI_CATEGORY_GAMING,
"DNF",
150,
match_dnf
};
void register_dnf(LPIModuleMap *mod_map) {
register_protocol(&lpi_dnf, mod_map);
}

102
decoders/glimpse_detector/libprotoident/tcp/lpi_dns.cc Normal file
View File

@@ -0,0 +1,102 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static bool match_length_single(uint32_t payload, uint32_t len) {
uint32_t statedlen;
if (len == 2) {
return true;
}
statedlen = (ntohl(payload) >> 16);
if (statedlen < 1280) {
if (statedlen != len - 2)
return false;
}
return true;
}
static bool match_dns_tcp_length(lpi_data_t *data) {
uint32_t id0, id1;
if (data->payload_len[0] == 0 || data->payload_len[1] == 0)
return false;
if (data->server_port != 53 && data->client_port != 53)
return false;
if (!match_length_single(data->payload[0], data->payload_len[0]))
return false;
if (!match_length_single(data->payload[1], data->payload_len[1]))
return false;
if (data->payload_len[0] > 2 && data->payload_len[1] > 2) {
id0 = (ntohl(data->payload[0]) & 0xffff);
id1 = (ntohl(data->payload[1]) & 0xffff);
if (id0 != id1)
return false;
}
return true;
}
static bool match_tcp_dns(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_dns(data))
return true;
if (match_dns_tcp_length(data))
return true;
return false;
}
static lpi_module_t lpi_dns = {
LPI_PROTO_DNS,
LPI_CATEGORY_SERVICES,
"DNS_TCP",
6, /* Not a high certainty */
match_tcp_dns
};
void register_dns_tcp(LPIModuleMap *mod_map) {
register_protocol(&lpi_dns, mod_map);
}

68
decoders/glimpse_detector/libprotoident/tcp/lpi_dogecoin.cc Normal file
View File

@@ -0,0 +1,68 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_dc_magic(uint32_t payload, uint32_t len) {
if (MATCH(payload, 0xc0, 0xc0, 0xc0, 0xc0)) {
if (len >= 125 && len <= 129)
return true;
if (len == 142)
return true;
}
return false;
}
static inline bool match_dogecoin(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Port == 22556 */
if (match_dc_magic(data->payload[0], data->payload_len[0])) {
if (match_dc_magic(data->payload[1], data->payload_len[1]))
return true;
}
return false;
}
static lpi_module_t lpi_dogecoin = {
LPI_PROTO_DOGECOIN,
LPI_CATEGORY_ECOMMERCE,
"Dogecoin",
8,
match_dogecoin
};
void register_dogecoin(LPIModuleMap *mod_map) {
register_protocol(&lpi_dogecoin, mod_map);
}

109
decoders/glimpse_detector/libprotoident/tcp/lpi_douyu.cc Normal file
View File

@@ -0,0 +1,109 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
/* This is a classic 4-byte length protocol, but there is plenty of
* scope for the packet sizes to vary a bit so we can't just look for
* a specific combo of packet sizes */
static inline bool match_douyu_req(uint32_t payload, uint32_t len) {
uint32_t plen = bswap_le_to_host32(payload);
/* Packet usually contains a username and a password so
* can probably vary quite a bit in size */
if (plen == len - 4) {
if (len <= 255)
return true;
}
return false;
}
static inline bool match_douyu_reply(uint32_t payload, uint32_t len) {
uint32_t plen = bswap_le_to_host32(payload);
/* Response packets seem like they will vary a lot less in
* size -- could be wrong though */
if (plen == len - 4) {
if (len >= 225 && len <= 255)
return true;
}
return false;
}
static inline bool match_douyu_port(uint16_t port) {
/* Based purely on observed flows, rather than any docs */
if (port >= 8601 && port <= 8605)
return true;
if (port >= 12601 && port <= 12605)
return true;
return false;
}
static inline bool match_douyu(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Tends to use a couple of different port ranges */
if (!match_douyu_port(data->server_port) &&
!match_douyu_port(data->client_port)) {
return false;
}
if (match_douyu_req(data->payload[0], data->payload_len[0])) {
if (match_douyu_reply(data->payload[1], data->payload_len[1]))
return true;
}
if (match_douyu_req(data->payload[1], data->payload_len[1])) {
if (match_douyu_reply(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_douyu = {
LPI_PROTO_DOUYU,
LPI_CATEGORY_STREAMING,
"Douyu",
249,
match_douyu
};
void register_douyu(LPIModuleMap *mod_map) {
register_protocol(&lpi_douyu, mod_map);
}

82
decoders/glimpse_detector/libprotoident/tcp/lpi_douyu_chat.cc Normal file
View File

@@ -0,0 +1,82 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_douyu_ee(uint32_t payload, uint32_t len) {
if (len == 242 && MATCH(payload, 0xee, 0x00, 0x00, 0x00))
return true;
return false;
}
static inline bool match_douyu_len(uint32_t payload, uint32_t len) {
if (bswap_host_to_le32(payload) == len - 4)
return true;
return false;
}
static inline bool match_douyu_chat(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (data->server_port != 8601 && data->client_port != 8601 &&
data->client_port != 8602 && data->server_port != 8602)
{
return false;
}
if (match_douyu_ee(data->payload[0], data->payload_len[0])) {
if (match_douyu_len(data->payload[1], data->payload_len[1]))
return true;
}
if (match_douyu_ee(data->payload[1], data->payload_len[1])) {
if (match_douyu_len(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_douyu_chat = {
LPI_PROTO_DOUYU_CHAT,
LPI_CATEGORY_CHAT,
"DouyuChat",
133,
match_douyu_chat
};
void register_douyu_chat(LPIModuleMap *mod_map) {
register_protocol(&lpi_douyu_chat, mod_map);
}

57
decoders/glimpse_detector/libprotoident/tcp/lpi_duelingnetwork.cc Normal file
View File

@@ -0,0 +1,57 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_duelingnetwork(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (data->server_port != 1235 && data->client_port != 1235)
return false;
if (data->payload_len[0] == 40 && MATCHSTR(data->payload[0], "Ritv"))
return true;
if (data->payload_len[1] == 40 && MATCHSTR(data->payload[1], "Ritv"))
return true;
return false;
}
static lpi_module_t lpi_duelingnetwork = {
LPI_PROTO_DUELING_NETWORK,
LPI_CATEGORY_GAMING,
"DuelingNetwork",
4,
match_duelingnetwork
};
void register_duelingnetwork(LPIModuleMap *mod_map) {
register_protocol(&lpi_duelingnetwork, mod_map);
}

101
decoders/glimpse_detector/libprotoident/tcp/lpi_dvrns.cc Normal file
View File

@@ -0,0 +1,101 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_dvrns_typea(uint32_t payload_a, uint32_t len_a,
uint32_t payload_b, uint32_t len_b) {
if (!MATCH(payload_a, 0x12, 0xa4, 0x00, 0x01))
return false;
if (len_a != 188)
return false;
if (len_b == 0)
return true;
if (len_b != 20)
return false;
if (!MATCH(payload_b, 0x12, 0xa4, 0x00, 0x01))
return false;
return true;
}
static inline bool match_dvrns_typeb(uint32_t payload_a, uint32_t len_a,
uint32_t payload_b, uint32_t len_b) {
if (!MATCH(payload_a, 0x12, 0xa4, 0x00, 0x01))
return false;
if (len_a != 12)
return false;
if (len_b == 0)
return true;
if (len_b != 140)
return false;
if (!MATCH(payload_b, 0x12, 0xa4, 0x00, 0x01))
return false;
return true;
}
static inline bool match_dvrns(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* DVRNS is basically DNS for DVR surveillance systems */
/* Not sure whether this is just the protocol used by dvrnames.net
* or all DVRNS systems */
if (match_dvrns_typea(data->payload[0], data->payload_len[0],
data->payload[1], data->payload_len[1]))
return true;
if (match_dvrns_typea(data->payload[1], data->payload_len[1],
data->payload[0], data->payload_len[0]))
return true;
if (match_dvrns_typeb(data->payload[0], data->payload_len[0],
data->payload[1], data->payload_len[1]))
return true;
if (match_dvrns_typeb(data->payload[1], data->payload_len[1],
data->payload[0], data->payload_len[0]))
return true;
return false;
}
static lpi_module_t lpi_dvrns = {
LPI_PROTO_DVRNS,
LPI_CATEGORY_SERVICES,
"DVRNS",
10,
match_dvrns
};
void register_dvrns(LPIModuleMap *mod_map) {
register_protocol(&lpi_dvrns, mod_map);
}

51
decoders/glimpse_detector/libprotoident/tcp/lpi_dxp.cc Normal file
View File

@@ -0,0 +1,51 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_dxp(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_chars_either(data, 0xb0, 0x04, 0x15, 0x00))
return true;
return false;
}
static lpi_module_t lpi_dxp = {
LPI_PROTO_DXP,
LPI_CATEGORY_DATABASES,
"Silverplatter_DXP",
3,
match_dxp
};
void register_dxp(LPIModuleMap *mod_map) {
register_protocol(&lpi_dxp, mod_map);
}

63
decoders/glimpse_detector/libprotoident/tcp/lpi_ea_games.cc Normal file
View File

@@ -0,0 +1,63 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_ea_games(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Not sure exactly what game this is, but the server matches the
* EA IP range and the default port is 9946 */
if (match_str_both(data, "&lgr", "&lgr"))
return true;
if (match_str_either(data, "&lgr")) {
if (data->payload_len[0] == 0)
return true;
if (data->payload_len[1] == 0)
return true;
}
return false;
}
static lpi_module_t lpi_ea_games = {
LPI_PROTO_EA_GAMES,
LPI_CATEGORY_GAMING,
"EA_Games",
4,
match_ea_games
};
void register_ea_games(LPIModuleMap *mod_map) {
register_protocol(&lpi_ea_games, mod_map);
}

51
decoders/glimpse_detector/libprotoident/tcp/lpi_emule.cc Normal file
View File

@@ -0,0 +1,51 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_emule_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_emule(data))
return true;
return false;
}
static lpi_module_t lpi_emule = {
LPI_PROTO_EMULE,
LPI_CATEGORY_P2P,
"EMule",
10, /* We've always had this at low priority */
match_emule_tcp
};
void register_emule(LPIModuleMap *mod_map) {
register_protocol(&lpi_emule, mod_map);
}

96
decoders/glimpse_detector/libprotoident/tcp/lpi_ethernetip.cc Normal file
View File

@@ -0,0 +1,96 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_command(uint32_t payload) {
// no op
if (MATCH(payload, 0x00, 0x00, ANY, ANY))
return true;
// list services
if (MATCH(payload, 0x04, 0x00, ANY, ANY))
return true;
// list identity
if (MATCH(payload, 0x63, 0x00, ANY, ANY))
return true;
// list interfaces
if (MATCH(payload, 0x64, 0x00, ANY, ANY))
return true;
// register session
if (MATCH(payload, 0x65, 0x00, 0x04, 0x00))
return true;
// un-register session
if (MATCH(payload, 0x66, 0x00, ANY, ANY))
return true;
// sendrrdata
if (MATCH(payload, 0x6f, 0x00, ANY, ANY))
return true;
// send unit data
if (MATCH(payload, 0x70, 0x00, ANY, ANY))
return true;
// indicate status
if (MATCH(payload, 0x72, 0x00, ANY, ANY))
return true;
// cancel
if (MATCH(payload, 0x73, 0x00, ANY, ANY))
return true;
// error
if (MATCH(payload, 0xff, 0xff, ANY, ANY))
return true;
return false;
}
static inline bool match_ethernetip(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (data->payload_len[0] < 24 || data->payload_len[1] < 24)
return false;
if (data->server_port != 44818 && data->client_port != 44818)
return false;
if (match_command(data->payload[0]) && match_command(data->payload[1]))
return true;
return false;
}
static lpi_module_t lpi_ethernetip = {
LPI_PROTO_ETHERNETIP,
LPI_CATEGORY_ICS,
"EtherNet/IP",
100,
match_ethernetip
};
void register_ethernetip(LPIModuleMap *mod_map) {
register_protocol(&lpi_ethernetip, mod_map);
}

54
decoders/glimpse_detector/libprotoident/tcp/lpi_eye.cc Normal file
View File

@@ -0,0 +1,54 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
/* All-seeing Eye - Yahoo Games */
static inline bool match_eye(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_str_either(data, "EYE1"))
return true;
return false;
}
static lpi_module_t lpi_eye = {
LPI_PROTO_EYE,
LPI_CATEGORY_GAMING,
"AllSeeingEye",
3,
match_eye
};
void register_eye(LPIModuleMap *mod_map) {
register_protocol(&lpi_eye, mod_map);
}

94
decoders/glimpse_detector/libprotoident/tcp/lpi_facebook_turn.cc Normal file
View File

@@ -0,0 +1,94 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_fbturn_request(uint32_t payload, uint32_t len) {
/* 0x74 == len - 2, 0x0001 == binding request */
if (len == 118 && MATCH(payload, 0x00, 0x74, 0x00, 0x01))
return true;
if (len == 114 && MATCH(payload, 0x00, 0x70, 0x00, 0x01))
return true;
if (len == 110 && MATCH(payload, 0x00, 0x6c, 0x00, 0x01))
return true;
if (len == 122 && MATCH(payload, 0x00, 0x78, 0x00, 0x01))
return true;
if (len == 126 && MATCH(payload, 0x00, 0x7c, 0x00, 0x01))
return true;
return false;
}
static inline bool match_fbturn_reply(uint32_t payload, uint32_t len) {
/* 0x40 == len - 2, 0x0101 == binding accepted */
if (len == 66 && MATCH(payload, 0x00, 0x40, 0x01, 0x01))
return true;
if (len == 82 && MATCH(payload, 0x00, 0x50, 0x01, 0x01))
return true;
return false;
}
static inline bool match_facebook_turn(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Seems to be a slightly custom version of TURN, as there is a two
* byte length field preceding the conventional STUN header. Can't
* find any explanation for this in RFC 5766, so maybe it is a Facebook
* addition?
*/
if (data->server_port != 443 && data->client_port != 443)
return false;
if (match_fbturn_request(data->payload[0], data->payload_len[0])) {
if (match_fbturn_reply(data->payload[1], data->payload_len[1]))
return true;
}
if (match_fbturn_request(data->payload[1], data->payload_len[1])) {
if (match_fbturn_reply(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_facebook_turn = {
LPI_PROTO_FACEBOOK_TURN,
LPI_CATEGORY_NAT,
"FacebookTURN",
55,
match_facebook_turn
};
void register_facebook_turn(LPIModuleMap *mod_map) {
register_protocol(&lpi_facebook_turn, mod_map);
}

86
decoders/glimpse_detector/libprotoident/tcp/lpi_fb_message.cc Normal file
View File

@@ -0,0 +1,86 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
/* Observed while using Facebook Messenger -- I used the unofficial desktop
* version (https://messengerfordesktop.com/) to talk to another account
* logged into a web browser. I suspect direct app->app voice/video calls
* may use the protocol more heavily.
*/
static inline bool match_fb_msg_104(uint32_t payload, uint32_t len) {
if (len == 104 && MATCH(payload, 0x01, 0x13, 0x00, 0x54))
return true;
if (len == 116 && MATCH(payload, 0x01, 0x13, 0x00, 0x60))
return true;
return false;
}
static inline bool match_fb_msg_28(uint32_t payload, uint32_t len) {
if (len == 28 && MATCH(payload, 0x00, 0x03, 0x00, 0x08))
return true;
if (len == 44 && MATCH(payload, 0x00, 0x03, 0x00, 0x18))
return true;
return false;
}
static inline bool match_fb_message(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (data->server_port != 3478 && data->client_port != 3478 &&
data->server_port != 443 && data->client_port != 443)
return false;
if (match_fb_msg_28(data->payload[0], data->payload_len[0])) {
if (match_fb_msg_104(data->payload[1], data->payload_len[1]))
return true;
}
if (match_fb_msg_28(data->payload[1], data->payload_len[1])) {
if (match_fb_msg_104(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_fb_message = {
LPI_PROTO_FACEBOOK_MESSENGER,
LPI_CATEGORY_CHAT,
"FacebookMessenger",
9,
match_fb_message
};
void register_fb_message(LPIModuleMap *mod_map) {
register_protocol(&lpi_fb_message, mod_map);
}

80
decoders/glimpse_detector/libprotoident/tcp/lpi_fbcdn_ssl.cc Normal file
View File

@@ -0,0 +1,80 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
/* Seems to be a custom version of SSL used by the FNA servers provided
* by Facebook? */
static inline bool match_normal_req(uint32_t payload, uint32_t len) {
if (MATCH(payload, 0x16, 0x03, 0x01, ANY))
return true;
return false;
}
static inline bool match_odd_reply(uint32_t payload, uint32_t len) {
if (MATCH(payload, 0x63, 0x03, 0x01, 0x00))
return true;
return false;
}
static inline bool match_fbcdn_ssl(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Port 443 */
if (match_normal_req(data->payload[0], data->payload_len[0])) {
if (match_odd_reply(data->payload[1], data->payload_len[1]))
return true;
}
if (match_normal_req(data->payload[1], data->payload_len[1])) {
if (match_odd_reply(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_fbcdn_ssl = {
LPI_PROTO_FBCDN_SSL,
LPI_CATEGORY_WEB,
"FacebookCDNSSL",
112,
match_fbcdn_ssl
};
void register_fbcdn_ssl(LPIModuleMap *mod_map) {
register_protocol(&lpi_fbcdn_ssl, mod_map);
}

78
decoders/glimpse_detector/libprotoident/tcp/lpi_ffxiv.cc Normal file
View File

@@ -0,0 +1,78 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_ff_96(uint32_t payload, uint32_t len) {
/* Some flows also have a 672 byte packet */
if (len != 96 && len != 672)
return false;
if (MATCH(payload, 0x00, 0x00, 0x00, 0x00))
return true;
return false;
}
static inline bool match_ff_other(uint32_t payload, uint32_t len) {
if (len == 0)
return false;
if (len == 64 || len == 63 || len == 153 || len == 154) {
if (MATCH(payload, 0x00, 0x00, 0x00, 0x00))
return true;
}
return false;
}
static inline bool match_ffxiv(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_ff_96(data->payload[0], data->payload_len[0])) {
if (match_ff_other(data->payload[1], data->payload_len[1]))
return true;
}
if (match_ff_96(data->payload[1], data->payload_len[1])) {
if (match_ff_other(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_ffxiv = {
LPI_PROTO_FINALFANTASY_XIV,
LPI_CATEGORY_GAMING,
"FinalFantasy14",
55,
match_ffxiv
};
void register_ffxiv(LPIModuleMap *mod_map) {
register_protocol(&lpi_ffxiv, mod_map);
}

86
decoders/glimpse_detector/libprotoident/tcp/lpi_filenori.cc Normal file
View File

@@ -0,0 +1,86 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
/* Filenori is the most likely candidate for this -- hard to test because
* you need to pay money to download anything and probably not a good look
* for me to be paying money for this kind of service...
*/
static inline bool match_100(uint32_t payload, uint32_t len) {
if (len != 15)
return false;
if (MATCHSTR(payload, "100 "))
return true;
return false;
}
static inline bool match_command(uint32_t payload, uint32_t len) {
/* Probably short for START */
if ((len == 20 || len == 19) && MATCHSTR(payload, "STAR"))
return true;
/* DOWNLOAD ? */
if (len == 39 && MATCHSTR(payload, "DOWN"))
return true;
return false;
}
static inline bool match_filenori(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_100(data->payload[0], data->payload_len[0])) {
if (match_command(data->payload[1], data->payload_len[1]))
return true;
}
if (match_100(data->payload[1], data->payload_len[1])) {
if (match_command(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_filenori = {
LPI_PROTO_FILENORI,
LPI_CATEGORY_P2P,
"Filenori",
15,
match_filenori
};
void register_filenori(LPIModuleMap *mod_map) {
register_protocol(&lpi_filenori, mod_map);
}

69
decoders/glimpse_detector/libprotoident/tcp/lpi_flash.cc Normal file
View File

@@ -0,0 +1,69 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_flash(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Flash player stuff - cross-domain policy etc. */
if (match_str_either(data, "<cro")) {
if (match_str_either(data, "<msg"))
return true;
if (match_str_either(data, "<pol"))
return true;
if (data->payload_len[0] == 0)
return true;
if (data->payload_len[1] == 0)
return true;
}
if (match_str_either(data, "<?xm")) {
if (match_str_either(data, "<pol"))
return true;
if (match_str_either(data, "<msg"))
return true;
}
return false;
}
static lpi_module_t lpi_flash = {
LPI_PROTO_FLASH,
LPI_CATEGORY_STREAMING,
"Flash_Player",
6,
match_flash
};
void register_flash(LPIModuleMap *mod_map) {
register_protocol(&lpi_flash, mod_map);
}

97
decoders/glimpse_detector/libprotoident/tcp/lpi_fliggy.cc Normal file
View File

@@ -0,0 +1,97 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
/* Bytes 3 and 4 are a length field */
static inline bool match_fliggy_req(uint32_t payload, uint32_t len) {
uint32_t hlen = ntohl(payload) & 0xffff;
if (MATCH(payload, 0xd1, 0x00, ANY, ANY) ||
MATCH(payload, 0xd5, 0x00, ANY, ANY)) {
if (hlen == len - 4)
return true;
/* Try to account for messages that are longer than one MTU */
if (len >= 1300 && hlen > len)
return true;
}
if (MATCH(payload, 0xd5, 0x00, 0x01, 0x16) && len >= 282) {
return true;
}
return false;
}
static inline bool match_fliggy_resp(uint32_t payload, uint32_t len) {
/* Usually, but not always 174 bytes -- I'm guessing sometimes
* messages get merged?
*/
if (MATCH(payload, 0xd3, 0x00, 0x00, 0xaa) && len >= 174)
return true;
/* Same for this one, usually 58 but not always */
if (MATCH(payload, 0xd3, 0x00, 0x00, 0x36) && len >= 58)
return true;
return false;
}
static inline bool match_fliggy(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Ports 80 and 443, typically */
if (match_fliggy_req(data->payload[0], data->payload_len[0])) {
if (match_fliggy_resp(data->payload[1], data->payload_len[1]))
return true;
}
if (match_fliggy_req(data->payload[1], data->payload_len[1])) {
if (match_fliggy_resp(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_fliggy = {
LPI_PROTO_FLIGGY,
LPI_CATEGORY_ECOMMERCE,
"Fliggy",
30,
match_fliggy
};
void register_fliggy(LPIModuleMap *mod_map) {
register_protocol(&lpi_fliggy, mod_map);
}

52
decoders/glimpse_detector/libprotoident/tcp/lpi_fring.cc Normal file
View File

@@ -0,0 +1,52 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_fring(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_str_both(data, "NOPC", "1234"))
return true;
return false;
}
static lpi_module_t lpi_fring = {
LPI_PROTO_FRING,
LPI_CATEGORY_VOIP,
"Fring",
2,
match_fring
};
void register_fring(LPIModuleMap *mod_map) {
register_protocol(&lpi_fring, mod_map);
}

110
decoders/glimpse_detector/libprotoident/tcp/lpi_ftpcontrol.cc Normal file
View File

@@ -0,0 +1,110 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_ftp_reply_code(uint32_t payload, uint32_t len) {
if (len == 0)
return true;
if (MATCHSTR(payload, "220 "))
return true;
if (MATCHSTR(payload, "220-"))
return true;
return false;
}
static inline bool match_ftp_command(uint32_t payload, uint32_t len) {
if (len == 0)
return true;
/* There are lots of valid FTP commands, but let's just limit this
* to ones we've observed for now */
if (MATCHSTR(payload, "USER"))
return true;
if (MATCHSTR(payload, "QUIT"))
return true;
if (MATCHSTR(payload, "FEAT"))
return true;
if (MATCHSTR(payload, "HELP"))
return true;
if (MATCHSTR(payload, "user"))
return true;
if (MATCHSTR(payload, "AUTH"))
return true;
/* This is invalid syntax, but clients using HOST seem to revert to
* sane FTP commands once the server reports a syntax error */
if (MATCHSTR(payload, "HOST"))
return true;
return false;
}
static inline bool match_ftp_control(lpi_data_t *data,
lpi_module_t *mod UNUSED) {
/*https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol*/
/* Rule out SMTP which uses similar reply codes and commands */
if (data->server_port == 25 || data->client_port == 25 ||
data->server_port == 587 || data->client_port == 587 ||
data->server_port == 110 || data->client_port == 110 ||
data->server_port == 143 || data->client_port == 143)
return false;
if (match_ftp_reply_code(data->payload[0], data->payload_len[0])) {
if (match_ftp_command(data->payload[1], data->payload_len[1]))
return true;
}
if (match_ftp_reply_code(data->payload[1], data->payload_len[1])) {
if (match_ftp_command(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_ftpcontrol = {
LPI_PROTO_FTP_CONTROL,
LPI_CATEGORY_FILES,
"FTP_Control",
3,
match_ftp_control
};
void register_ftpcontrol(LPIModuleMap *mod_map) {
register_protocol(&lpi_ftpcontrol, mod_map);
}

152
decoders/glimpse_detector/libprotoident/tcp/lpi_ftpdata.cc Normal file
View File

@@ -0,0 +1,152 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_bulk_response(uint32_t payload, uint32_t len) {
/* Most FTP-style transactions result in no packets being sent back
* to server (aside from ACKs) */
if (len == 0)
return true;
/* However, there is at least one FTP client that sends some sort of
* sequence number back to the server - maybe allowing for resumption
* of paused transfers?
*
* XXX This seems to be related to completely failing to implement the
* FTP protocol correctly. There is usually a flow preceding these
* flows that sends commands like "get" and "dir" to the server,
* which are not actually part of the FTP protocol. Instead, these
* are often commands typed into FTP CLI clients that are converted
* into the appropriate FTP commands. No idea what software is doing
* this, but it is essentially emulating FTP so I'll keep it in here
* for now.
* */
if (len == 4 && MATCH(payload, 0x00, 0x00, ANY, ANY))
return true;
/* Another weird FTP client: sends the occasional one byte response */
if (len == 1 && MATCH(payload, 0x00, 0x00, 0x00, 0x00))
return true;
return false;
}
/* Bulk download covers files being downloaded through a separate channel,
* like FTP data. We identify these by observing file type identifiers at the
* start of the packet. This is not a protocol in itself, but it's almost
* certainly FTP.
*/
static inline bool match_bulk_download(lpi_data_t *data) {
if (match_bulk_response(data->payload[1], data->payload_len[1]) &&
(data->observed[0] == 0 && (data->payload[0])))
return true;
if (match_bulk_response(data->payload[0], data->payload_len[0]) &&
(data->observed[1] == 0 && match_file_header(data->payload[1])))
return true;
return false;
}
static inline bool match_directory(lpi_data_t *data) {
/* FTP Data can start with directory permissions */
if ( (MATCH(data->payload[0], '-', ANY, ANY, ANY) ||
MATCH(data->payload[0], 'd', ANY, ANY, ANY)) &&
(MATCH(data->payload[0], ANY, '-', ANY, ANY) ||
MATCH(data->payload[0], ANY, 'r', ANY, ANY)) &&
(MATCH(data->payload[0], ANY, ANY, '-', ANY) ||
MATCH(data->payload[0], ANY, ANY, 'w', ANY)) &&
(MATCH(data->payload[0], ANY, ANY, ANY, '-') ||
MATCH(data->payload[0], ANY, ANY, ANY, 'x')) )
return true;
if ( (MATCH(data->payload[1], '-', ANY, ANY, ANY) ||
MATCH(data->payload[1], 'd', ANY, ANY, ANY)) &&
(MATCH(data->payload[1], ANY, '-', ANY, ANY) ||
MATCH(data->payload[1], ANY, 'r', ANY, ANY)) &&
(MATCH(data->payload[1], ANY, ANY, '-', ANY) ||
MATCH(data->payload[1], ANY, ANY, 'w', ANY)) &&
(MATCH(data->payload[1], ANY, ANY, ANY, '-') ||
MATCH(data->payload[1], ANY, ANY, ANY, 'x')) )
return true;
return false;
}
static inline bool match_ftp_data(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_bulk_download(data))
return true;
/* XXX All rules below this are for one-way exchanges only */
if (data->payload_len[0] > 0 && data->payload_len[1] > 0)
return false;
/* All rules for ftp data are for first observed data only */
if(data->observed[0] != 0 || data->observed[1] != 0)
return false;
if (match_directory(data))
return true;
/* Virus definition updates from CA are delivered via FTP */
if (match_str_either(data, "Viru"))
return true;
/* XXX - I hate having to look at port numbers but there are no
* useful headers in FTP data exchanges; all the FTP protocol stuff
* is done using the control channel */
if (data->client_port == 20 || data->server_port == 20)
return true;
return false;
}
static lpi_module_t lpi_ftpdata = {
LPI_PROTO_FTP_DATA,
LPI_CATEGORY_FILES,
"FTP_Data",
7, /* Some of these rules rely on port numbers and one-way data, so
* should have a lower priority than more concrete rules */
match_ftp_data
};
void register_ftpdata(LPIModuleMap *mod_map) {
register_protocol(&lpi_ftpdata, mod_map);
}

68
decoders/glimpse_detector/libprotoident/tcp/lpi_fuckcoin.cc Normal file
View File

@@ -0,0 +1,68 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_fc_magic(uint32_t payload, uint32_t len) {
if (MATCH(payload, 0xfb, 0xc0, 0xb6, 0xdb)) {
if (len == 126)
return true;
if (len == 146)
return true;
}
return false;
}
static inline bool match_fuckcoin(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Port == 9333 */
if (match_fc_magic(data->payload[0], data->payload_len[0])) {
if (match_fc_magic(data->payload[1], data->payload_len[1]))
return true;
}
return false;
}
static lpi_module_t lpi_fuckcoin = {
LPI_PROTO_FUCKCOIN,
LPI_CATEGORY_ECOMMERCE,
"Dogecoin",
8,
match_fuckcoin
};
void register_fuckcoin(LPIModuleMap *mod_map) {
register_protocol(&lpi_fuckcoin, mod_map);
}

78
decoders/glimpse_detector/libprotoident/tcp/lpi_funshion.cc Normal file
View File

@@ -0,0 +1,78 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
#include <stdio.h>
/* Funshion is a Chinese P2PTV application that seems to use a bunch
* of different protocols / messages.
*/
static inline bool match_funshion_54(uint32_t payload, uint32_t len) {
if (len != 54)
return false;
/* Byte 4 is always 0x00.
* Byte 3 is always 0x?1, where '?' can be any hex digit.
*/
if ((payload & 0xff0f0000) == 0x00010000)
return true;
return false;
}
static inline bool match_funshion_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Only ever observed this traffic pattern on port 6601 */
if (data->server_port == 6601 || data->client_port == 6601) {
if (match_funshion_54(data->payload[0], data->payload_len[0])) {
if (match_funshion_54(data->payload[1], data->payload_len[1]))
return true;
}
}
return false;
}
static lpi_module_t lpi_funshion_tcp = {
LPI_PROTO_FUNSHION,
LPI_CATEGORY_P2PTV,
"Funshion_TCP",
10,
match_funshion_tcp
};
void register_funshion_tcp(LPIModuleMap *mod_map) {
register_protocol(&lpi_funshion_tcp, mod_map);
}

76
decoders/glimpse_detector/libprotoident/tcp/lpi_gamespy.cc Normal file
View File

@@ -0,0 +1,76 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_gamespy_bsr(uint32_t payload, uint32_t len) {
if (len != 16)
return false;
if (!MATCH(payload, 0x5c, 'b', 's', 'r'))
return false;
return true;
}
static inline bool match_gamespy_search(uint32_t payload, uint32_t len) {
if (!MATCH(payload, 0x5c, 's', 'e', 'a'))
return false;
return true;
}
static inline bool match_gamespy_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_gamespy_bsr(data->payload[0], data->payload_len[0])) {
if (match_gamespy_search(data->payload[1], data->payload_len[1]))
return true;
}
if (match_gamespy_bsr(data->payload[1], data->payload_len[1])) {
if (match_gamespy_search(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_gamespy_tcp = {
LPI_PROTO_GAMESPY,
LPI_CATEGORY_GAMING,
"Gamespy_TCP",
6,
match_gamespy_tcp
};
void register_gamespy_tcp(LPIModuleMap *mod_map) {
register_protocol(&lpi_gamespy_tcp, mod_map);
}

63
decoders/glimpse_detector/libprotoident/tcp/lpi_gcafe_updater.cc Normal file
View File

@@ -0,0 +1,63 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_caf(uint32_t payload, uint32_t len) {
if (len == 53 && MATCH(payload, 0x0c, 'C', 'A', 'F'))
return true;
return false;
}
static inline bool match_gcafe_updater(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Seen on ports 16800 and 1839 */
if (match_caf(data->payload[0], data->payload_len[0])) {
if (match_caf(data->payload[1], data->payload_len[1]))
return true;
}
return false;
}
static lpi_module_t lpi_gcafe_updater = {
LPI_PROTO_GCAFE_UPDATER,
LPI_CATEGORY_P2P,
"G-CafeUpdater",
11,
match_gcafe_updater
};
void register_gcafe_updater(LPIModuleMap *mod_map) {
register_protocol(&lpi_gcafe_updater, mod_map);
}

62
decoders/glimpse_detector/libprotoident/tcp/lpi_giop.cc Normal file
View File

@@ -0,0 +1,62 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_giop(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (MATCH(data->payload[0], 'G', 'I', 'O', 'P')) {
if (MATCH(data->payload[1], 'G', 'I', 'O', 'P'))
return true;
if (data->payload_len[1] == 0)
return true;
}
if (MATCH(data->payload[1], 'G', 'I', 'O', 'P')) {
if (data->payload_len[0] == 0)
return true;
}
return false;
}
static lpi_module_t lpi_giop = {
LPI_PROTO_GIOP,
LPI_CATEGORY_REMOTE,
"GIOP",
5,
match_giop
};
void register_giop(LPIModuleMap *mod_map) {
register_protocol(&lpi_giop, mod_map);
}

81
decoders/glimpse_detector/libprotoident/tcp/lpi_git.cc Normal file
View File

@@ -0,0 +1,81 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include <stdlib.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_git_header(uint32_t payload, uint32_t len) {
int i;
char headerstr[4];
uint8_t *pl = (uint8_t *)(&payload);
if (len == 0)
return true;
memset(headerstr, 0, 4);
for (i = 0; i < 4; i++) {
headerstr[i] = (char)(*pl);
pl++;
}
uint32_t replen = strtoul(headerstr, NULL, 16);
if (replen != len)
return false;
return true;
}
static inline bool match_git(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_git_header(data->payload[0], data->payload_len[0])) {
if (match_git_header(data->payload[1], data->payload_len[1]))
return true;
}
if (match_git_header(data->payload[1], data->payload_len[1])) {
if (match_git_header(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_git = {
LPI_PROTO_GIT,
LPI_CATEGORY_RCS,
"Git",
5,
match_git
};
void register_git(LPIModuleMap *mod_map) {
register_protocol(&lpi_git, mod_map);
}

90
decoders/glimpse_detector/libprotoident/tcp/lpi_glupteba.cc Normal file
View File

@@ -0,0 +1,90 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
/* https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/bkdr_glupteba.yvg */
static inline bool match_glup_hello(uint32_t payload, uint32_t len) {
if (MATCH(payload, 'H', 'E', 'L', 'L'))
return true;
return false;
}
static inline bool match_glup_id(uint32_t payload, uint32_t len) {
/* ID changes from infected host to infected host, but I'm
* going to assume the ID has a similar length.
*/
if (len >= 18 && len <= 25) {
/* Always begins with @ */
if (MATCH(payload, '@', ANY, ANY, ANY))
return true;
}
return false;
}
static inline bool match_glupteba(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_glup_hello(data->payload[0], data->payload_len[0])) {
if (match_glup_id(data->payload[1], data->payload_len[1])) {
return true;
}
if (match_glup_hello(data->payload[1], data->payload_len[1])) {
return true;
}
}
if (match_glup_hello(data->payload[1], data->payload_len[1])) {
if (match_glup_id(data->payload[0], data->payload_len[0])) {
return true;
}
if (match_glup_hello(data->payload[0], data->payload_len[0])) {
return true;
}
}
return false;
}
static lpi_module_t lpi_glupteba = {
LPI_PROTO_GLUPTEBA,
LPI_CATEGORY_MALWARE,
"GluptebaBackdoor",
50,
match_glupteba
};
void register_glupteba(LPIModuleMap *mod_map) {
register_protocol(&lpi_glupteba, mod_map);
}

54
decoders/glimpse_detector/libprotoident/tcp/lpi_gnutella.cc Normal file
View File

@@ -0,0 +1,54 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_gnutella(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_str_either(data, "GNUT"))
return true;
if (match_str_either(data, "GIV "))
return true;
return false;
}
static lpi_module_t lpi_gnutella = {
LPI_PROTO_GNUTELLA,
LPI_CATEGORY_P2P,
"Gnutella",
1, /* Avoid matching HTTP which uses similar commands */
match_gnutella
};
void register_gnutella(LPIModuleMap *mod_map) {
register_protocol(&lpi_gnutella, mod_map);
}

53
decoders/glimpse_detector/libprotoident/tcp/lpi_goku.cc Normal file
View File

@@ -0,0 +1,53 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_goku(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_str_both(data, "ok:g", "baut"))
return true;
if (match_str_both(data, "ok:w", "baut"))
return true;
return false;
}
static lpi_module_t lpi_goku = {
LPI_PROTO_GOKUCHAT,
LPI_CATEGORY_CHAT,
"GokuChat",
3,
match_goku
};
void register_goku(LPIModuleMap *mod_map) {
register_protocol(&lpi_goku, mod_map);
}

105
decoders/glimpse_detector/libprotoident/tcp/lpi_googlehangouts.cc Normal file
View File

@@ -0,0 +1,105 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_hangout_req(uint32_t payload, uint32_t len) {
if ((len % 114) == 0) {
if (MATCH(payload, 0x00, 0x70, 0x00, 0x01))
return true;
}
if ((len % 122) == 0) {
if (MATCH(payload, 0x00, 0x78, 0x00, 0x01))
return true;
}
if (len == 110 && MATCH(payload, 0x00, 0x6c, 0x00, 0x01))
return true;
return false;
}
static inline bool match_hangout_resp(uint32_t payload, uint32_t len) {
if (len == 106) {
if (MATCH(payload, 0x00, 0x68, 0x01, 0x01))
return true;
}
if (len == 118) {
if (MATCH(payload, 0x00, 0x74, 0x01, 0x01))
return true;
}
if (len == 94 && MATCH(payload, 0x00, 0x5c, 0x01, 0x01))
return true;
return false;
}
static inline bool match_googlehangouts(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Based on traffic seen on port 19305 to google addresses */
/* Limit this to port 19305 - 19309 */
if (data->server_port < 19305 || data->server_port > 19309) {
if (data->client_port < 19305 || data->client_port > 19309)
return false;
}
if (match_hangout_req(data->payload[0], data->payload_len[0])) {
if (match_hangout_resp(data->payload[1], data->payload_len[1]))
return true;
}
if (match_hangout_req(data->payload[1], data->payload_len[1])) {
if (match_hangout_resp(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_googlehangouts = {
LPI_PROTO_GOOGLE_HANGOUTS,
LPI_CATEGORY_CHAT,
"GoogleHangouts",
12,
match_googlehangouts
};
void register_googlehangouts(LPIModuleMap *mod_map) {
register_protocol(&lpi_googlehangouts, mod_map);
}

82
decoders/glimpse_detector/libprotoident/tcp/lpi_graalonlineera.cc Normal file
View File

@@ -0,0 +1,82 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_goe_gnp(uint32_t payload, uint32_t len) {
if (len == 8 && MATCH(payload, 'G', 'N', 'P', '1'))
return true;
return false;
}
static inline bool match_goe_binary(uint32_t payload, uint32_t len) {
if (len >= 275 && len <= 300) {
if (MATCH(payload, 0x01, 0x02, 0x00, 0x01))
return true;
if (MATCH(payload, 0x01, 0x03, 0x00, 0x01))
return true;
}
return false;
}
static inline bool match_graalonlineera(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Port 14900 */
if (match_goe_gnp(data->payload[0], data->payload_len[0])) {
if (match_goe_binary(data->payload[1], data->payload_len[1]))
return true;
}
if (match_goe_gnp(data->payload[1], data->payload_len[1])) {
if (match_goe_binary(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_graalonlineera = {
LPI_PROTO_GRAAL_ONLINE_ERA,
LPI_CATEGORY_GAMING,
"GraalOnlineEra",
8,
match_graalonlineera
};
void register_graalonlineera(LPIModuleMap *mod_map) {
register_protocol(&lpi_graalonlineera, mod_map);
}

80
decoders/glimpse_detector/libprotoident/tcp/lpi_guildwars2.cc Normal file
View File

@@ -0,0 +1,80 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_gw2_req(uint32_t payload, uint32_t len) {
if (len < 285 || len > 295)
return false;
if (MATCH(payload, 0x50, 0x20, 0x2f, 0x53))
return true;
return false;
}
static inline bool match_gw2_resp(uint32_t payload, uint32_t len) {
if (len != 35)
return false;
if (MATCH(payload, 0x53, 0x54, 0x53, 0x2f))
return true;
return false;
}
static inline bool match_guildwars2(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_gw2_req(data->payload[1], data->payload_len[1])) {
if (match_gw2_resp(data->payload[0], data->payload_len[0]))
return true;
}
if (match_gw2_req(data->payload[0], data->payload_len[0])) {
if (match_gw2_resp(data->payload[1], data->payload_len[1]))
return true;
}
return false;
}
static lpi_module_t lpi_guildwars2 = {
LPI_PROTO_GUILDWARS2,
LPI_CATEGORY_GAMING,
"GuildWars2",
5,
match_guildwars2
};
void register_guildwars2(LPIModuleMap *mod_map) {
register_protocol(&lpi_guildwars2, mod_map);
}

62
decoders/glimpse_detector/libprotoident/tcp/lpi_hamachi.cc Normal file
View File

@@ -0,0 +1,62 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_hamachi(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* All Hamachi messages that I've seen begin with a 4 byte length
* field. Other protocols also do this, so I also check for the
* default Hamachi port (12975)
*/
if (!match_payload_length(data->payload[0], data->payload_len[0]))
return false;
if (!match_payload_length(data->payload[1], data->payload_len[1]))
return false;
if (data->server_port == 12975 || data->client_port == 12975)
return true;
return false;
}
static lpi_module_t lpi_hamachi = {
LPI_PROTO_HAMACHI,
LPI_CATEGORY_TUNNELLING,
"Hamachi",
4,
match_hamachi
};
void register_hamachi(LPIModuleMap *mod_map) {
register_protocol(&lpi_hamachi, mod_map);
}

67
decoders/glimpse_detector/libprotoident/tcp/lpi_harveys.cc Normal file
View File

@@ -0,0 +1,67 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
/* Harveys - a seemingly custom protocol used by Harveys Real
* Estate to transfer photos. Common in ISP C traces */
static inline bool match_harveys(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_str_both(data, "77;T", "47;T"))
return true;
if (match_str_either(data, "47;T")) {
if (data->payload_len[0] == 0)
return true;
if (data->payload_len[1] == 0)
return true;
}
if (match_str_either(data, "77;T")) {
if (data->payload_len[0] == 0)
return true;
if (data->payload_len[1] == 0)
return true;
}
return false;
}
static lpi_module_t lpi_harveys = {
LPI_PROTO_HARVEYS,
LPI_CATEGORY_FILES,
"Harveys",
10,
match_harveys
};
void register_harveys(LPIModuleMap *mod_map) {
register_protocol(&lpi_harveys, mod_map);
}

79
decoders/glimpse_detector/libprotoident/tcp/lpi_hearthstone.cc Normal file
View File

@@ -0,0 +1,79 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_hearthstone_req(uint32_t payload, uint32_t len) {
if (len == 16 && MATCH(payload, 0x10, 0x00, 0x00, 0x00))
return true;
if (len == 22 && MATCH(payload, 0x10, 0x00, 0x00, 0x00))
return true;
return false;
}
static inline bool match_hearthstone_reply(uint32_t payload) {
if (MATCH(payload, 0x0f, 0x00, 0x00, 0x00))
return true;
if (MATCH(payload, 0xa8, 0x00, 0x00, 0x00))
return true;
return false;
}
static inline bool match_hearthstone(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Consider enforcing port 1119 or 3724, if we get FPs */
if (match_hearthstone_req(data->payload[0], data->payload_len[0])) {
if (match_hearthstone_reply(data->payload[1]))
return true;
}
if (match_hearthstone_req(data->payload[1], data->payload_len[1])) {
if (match_hearthstone_reply(data->payload[0]))
return true;
}
return false;
}
static lpi_module_t lpi_hearthstone = {
LPI_PROTO_HEARTHSTONE,
LPI_CATEGORY_GAMING,
"Hearthstone",
5,
match_hearthstone
};
void register_hearthstone(LPIModuleMap *mod_map) {
register_protocol(&lpi_hearthstone, mod_map);
}

55
decoders/glimpse_detector/libprotoident/tcp/lpi_hola.cc Normal file
View File

@@ -0,0 +1,55 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_hola(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (MATCH(data->payload[0], 0xac, 0x2e, 0xbf, 0x5c)) {
if (MATCH(data->payload[1], 0xac, 0x2e, 0xbf, 0x5c))
return true;
}
return false;
}
static lpi_module_t lpi_hola = {
LPI_PROTO_HOLA,
LPI_CATEGORY_TUNNELLING,
"HolaVPN",
4,
match_hola
};
void register_hola(LPIModuleMap *mod_map) {
register_protocol(&lpi_hola, mod_map);
}

90
decoders/glimpse_detector/libprotoident/tcp/lpi_hots_tcp.cc Normal file
View File

@@ -0,0 +1,90 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_bau(uint32_t payload, uint32_t len) {
if (len == 743 && MATCH(payload, 0x42, 0x10, 0x61, 0x75))
return true;
return false;
}
static inline bool match_hots_7f28(uint32_t payload, uint32_t len) {
uint32_t hlen;
hlen = (ntohl(payload) & 0xffff) * 2 + 5;
if (len == hlen && MATCH(payload, 0x7f, 0x28, ANY, ANY)) {
return true;
}
return false;
}
static inline bool match_hots_4a48(uint32_t payload, uint32_t len) {
if (len == 201 && MATCH(payload, 0x4a, 0x48, 0x0c, 0xae))
return true;
return false;
}
static inline bool match_hots_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (data->server_port != 1119 && data->client_port != 1119) {
return false;
}
if (match_bau(data->payload[0], data->payload_len[0])) {
if (match_hots_7f28(data->payload[1], data->payload_len[1]))
return true;
if (match_hots_4a48(data->payload[1], data->payload_len[1]))
return true;
}
if (match_bau(data->payload[1], data->payload_len[1])) {
if (match_hots_7f28(data->payload[0], data->payload_len[0]))
return true;
if (match_hots_4a48(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_hots_tcp = {
LPI_PROTO_HOTS,
LPI_CATEGORY_GAMING,
"HeroesOfTheStorm_TCP",
90,
match_hots_tcp
};
void register_hots_tcp(LPIModuleMap *mod_map) {
register_protocol(&lpi_hots_tcp, mod_map);
}

106
decoders/glimpse_detector/libprotoident/tcp/lpi_http.cc Normal file
View File

@@ -0,0 +1,106 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_http_response(uint32_t payload, uint32_t len) {
if (len == 0)
return true;
if (len == 1 && MATCH(payload, 'H', 0x00, 0x00, 0x00))
return true;
if (MATCHSTR(payload, "HTTP")) {
return true;
}
/* UNKNOWN seems to be a valid response from some servers, e.g.
* mini_httpd */
if (MATCHSTR(payload, "UNKN")) {
return true;
}
return false;
}
static inline bool match_http(lpi_data_t *data, lpi_module_t *mod) {
/* Need to rule out protocols using HTTP-style commands to do
* exchanges. These protocols primarily use GET, rather than other
* HTTP requests */
if (!valid_http_port(data)) {
if (match_str_either(data, "GET "))
return false;
}
if (match_http_request(data->payload[0], data->payload_len[0])) {
if (match_http_response(data->payload[1], data->payload_len[1]))
return true;
if (match_http_request(data->payload[1], data->payload_len[1]))
return true;
if (match_file_header(data->payload[1]) &&
data->payload_len[0] != 0)
return true;
}
if (match_http_request(data->payload[1], data->payload_len[1])) {
if (match_http_response(data->payload[0], data->payload_len[0]))
return true;
if (match_file_header(data->payload[0]) &&
data->payload_len[1] != 0)
return true;
}
/* Allow responses in both directions, even if this is doesn't entirely
* make sense :/ */
if (match_http_response(data->payload[0], data->payload_len[0])) {
if (match_http_response(data->payload[1], data->payload_len[1]))
return true;
}
return false;
}
static lpi_module_t lpi_http = {
LPI_PROTO_HTTP,
LPI_CATEGORY_WEB,
"HTTP",
2,
match_http
};
void register_http(LPIModuleMap *mod_map) {
register_protocol(&lpi_http, mod_map);
}

64
decoders/glimpse_detector/libprotoident/tcp/lpi_http_badport.cc Normal file
View File

@@ -0,0 +1,64 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_http_badport(lpi_data_t *data, lpi_module_t *mod) {
/* For some reason, some clients send GET messages to servers on
* port 443, which unsurprisingly do not respond. I'm putting this
* in a separate category to avoid mixing it in with legitimate
* HTTP traffic */
if (data->payload_len[0] != 0 && data->payload_len[1] != 0)
return false;
if (!match_str_either(data, "GET "))
return false;
if (data->server_port == 443 || data->client_port == 443)
return true;
return false;
}
static lpi_module_t lpi_http_badport = {
LPI_PROTO_HTTP_BADPORT,
LPI_CATEGORY_WEB,
"HTTP_443",
2,
match_http_badport
};
void register_http_badport(LPIModuleMap *mod_map) {
register_protocol(&lpi_http_badport, mod_map);
}

68
decoders/glimpse_detector/libprotoident/tcp/lpi_http_nonstandard.cc Normal file
View File

@@ -0,0 +1,68 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_nonstandard_http(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Must not be on a known HTTP port
*
* This used to be HTTP_P2P, but we found that most of this stuff was
* legit HTTP - just using really weird ports.
*
* We might miss some HTTP-based P2P now, but it's just too hard for
* us to differentiate more than this.
*/
if (valid_http_port(data))
return false;
if (match_str_both(data, "GET ", "HTTP"))
return true;
if (match_str_either(data, "GET ")) {
if (data->payload_len[0] == 0 || data->payload_len[1] == 0)
return true;
}
return false;
}
static lpi_module_t lpi_http_nonstandard = {
LPI_PROTO_NONSTANDARD_HTTP,
LPI_CATEGORY_WEB,
"HTTP_NonStandard",
100,
match_nonstandard_http
};
void register_http_nonstandard(LPIModuleMap *mod_map) {
register_protocol(&lpi_http_nonstandard, mod_map);
}

58
decoders/glimpse_detector/libprotoident/tcp/lpi_http_tunnel.cc Normal file
View File

@@ -0,0 +1,58 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_http_tunnel(lpi_data_t *data, lpi_module_t *mod UNUSED)
{
if (match_str_both(data, "CONN", "HTTP")) return true;
if (MATCHSTR(data->payload[0], "CONN") && data->payload_len[1] == 0)
return true;
if (MATCHSTR(data->payload[1], "CONN") && data->payload_len[0] == 0)
return true;
return false;
}
static lpi_module_t lpi_http_tunnel = {
LPI_PROTO_HTTP_TUNNEL,
LPI_CATEGORY_TUNNELLING,
"HTTP_Tunnel",
1, /* Make sure we are higher priority than HTTP */
match_http_tunnel
};
void register_http_tunnel(LPIModuleMap *mod_map) {
register_protocol(&lpi_http_tunnel, mod_map);
}

60
decoders/glimpse_detector/libprotoident/tcp/lpi_https.cc Normal file
View File

@@ -0,0 +1,60 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_https(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (!match_ssl(data))
return false;
/* Assume all SSL traffic on port 443 is HTTPS */
if (data->server_port == 443 || data->client_port == 443)
return true;
/* We'll do port 80 as well, just to be safe */
if (data->server_port == 80 || data->client_port == 80)
return true;
return false;
}
static lpi_module_t lpi_https = {
LPI_PROTO_HTTPS,
LPI_CATEGORY_WEB,
"HTTPS",
2, /* Should be higher priority than regular SSL */
match_https
};
void register_https(LPIModuleMap *mod_map) {
register_protocol(&lpi_https, mod_map);
}

52
decoders/glimpse_detector/libprotoident/tcp/lpi_ica.cc Normal file
View File

@@ -0,0 +1,52 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_ica(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Citrix ICA */
if (match_chars_either(data, 0x7f, 0x7f, 0x49, 0x43))
return true;
return false;
}
static lpi_module_t lpi_ica = {
LPI_PROTO_ICA,
LPI_CATEGORY_REMOTE,
"CitrixICA",
3,
match_ica
};
void register_ica(LPIModuleMap *mod_map) {
register_protocol(&lpi_ica, mod_map);
}

77
decoders/glimpse_detector/libprotoident/tcp/lpi_icep.cc Normal file
View File

@@ -0,0 +1,77 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
/* Internet Communications Engine Protocol */
static inline bool match_icep_validate(uint32_t payload, uint32_t len) {
if (len == 14 && MATCHSTR(payload, "IceP")) {
return true;
}
return false;
}
static inline bool match_icep_req(uint32_t payload, uint32_t len) {
if (MATCHSTR(payload, "IceP") && len >= 30) {
return true;
}
return false;
}
static inline bool match_icep(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_icep_validate(data->payload[0], data->payload_len[0])) {
if (match_icep_req(data->payload[1], data->payload_len[1])) {
return true;
}
}
if (match_icep_validate(data->payload[1], data->payload_len[1])) {
if (match_icep_req(data->payload[0], data->payload_len[0])) {
return true;
}
}
return false;
}
static lpi_module_t lpi_icep = {
LPI_PROTO_ICEP,
LPI_CATEGORY_NAT, /* unsure about this one */
"IceP",
8,
match_icep
};
void register_icep(LPIModuleMap *mod_map) {
register_protocol(&lpi_icep, mod_map);
}

55
decoders/glimpse_detector/libprotoident/tcp/lpi_id.cc Normal file
View File

@@ -0,0 +1,55 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_id(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* TODO: Starts with only digits - request matches the response */
/* 20 3a 20 55 is an ID protocol error, I think */
if (match_str_either(data, " : U"))
return true;
return false;
}
static lpi_module_t lpi_id = {
LPI_PROTO_ID,
LPI_CATEGORY_SERVICES,
"ID_Protocol",
3,
match_id
};
void register_id(LPIModuleMap *mod_map) {
register_protocol(&lpi_id, mod_map);
}

69
decoders/glimpse_detector/libprotoident/tcp/lpi_idrivesync.cc Normal file
View File

@@ -0,0 +1,69 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_idrivesync_hello(uint32_t payload) {
if (MATCH(payload, '@', 'I', 'D', 'E'))
return true;
return false;
}
static inline bool match_idrivesync(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_idrivesync_hello(data->payload[0])) {
if (match_idrivesync_hello(data->payload[1]))
return true;
if (data->payload_len[1] == 0)
return true;
}
if (match_idrivesync_hello(data->payload[1])) {
if (data->payload_len[0] == 0)
return true;
}
return false;
}
static lpi_module_t lpi_idrivesync = {
LPI_PROTO_IDRIVE_SYNC,
LPI_CATEGORY_CLOUD,
"IDriveSync",
5,
match_idrivesync
};
void register_idrivesync(LPIModuleMap *mod_map) {
register_protocol(&lpi_idrivesync, mod_map);
}

64
decoders/glimpse_detector/libprotoident/tcp/lpi_ihexin.cc Normal file
View File

@@ -0,0 +1,64 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
/* Stock trading app by 10jqka.com.cn (aka Flush). */
static inline bool match_ihex_magic(uint32_t payload) {
if (MATCH(payload, 0xfd, 0xfd, 0xfd, 0xfd))
return true;
return false;
}
static inline bool match_ihexin(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Port 9528 and 8887 */
if (match_ihex_magic(data->payload[0])) {
if (match_ihex_magic(data->payload[1]))
return true;
}
return false;
}
static lpi_module_t lpi_ihexin = {
LPI_PROTO_IHEXIN,
LPI_CATEGORY_ECOMMERCE,
"IHexin",
89,
match_ihexin
};
void register_ihexin(LPIModuleMap *mod_map) {
register_protocol(&lpi_ihexin, mod_map);
}

51
decoders/glimpse_detector/libprotoident/tcp/lpi_imap.cc Normal file
View File

@@ -0,0 +1,51 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_imap(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_str_either(data, "* OK"))
return true;
return false;
}
static lpi_module_t lpi_imap = {
LPI_PROTO_IMAP,
LPI_CATEGORY_MAIL,
"IMAP",
2,
match_imap
};
void register_imap(LPIModuleMap *mod_map) {
register_protocol(&lpi_imap, mod_map);
}

56
decoders/glimpse_detector/libprotoident/tcp/lpi_imaps.cc Normal file
View File

@@ -0,0 +1,56 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_imaps(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (!match_ssl(data))
return false;
/* Assume all SSL traffic on port 993 is IMAPS */
if (data->server_port == 993 || data->client_port == 993)
return true;
return false;
}
static lpi_module_t lpi_imaps = {
LPI_PROTO_IMAPS,
LPI_CATEGORY_MAIL,
"IMAPS",
2, /* Should be a higher priority than regular SSL */
match_imaps
};
void register_imaps(LPIModuleMap *mod_map) {
register_protocol(&lpi_imaps, mod_map);
}

74
decoders/glimpse_detector/libprotoident/tcp/lpi_imesh.cc Normal file
View File

@@ -0,0 +1,74 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_imesh_payload(uint32_t payload, uint32_t len) {
if (len == 0)
return true;
if (len == 2 && MATCH(payload, 0x06, 0x00, 0x00, 0x00))
return true;
if (len == 10 && MATCH(payload, 0x06, 0x00, 0x04, 0x00))
return true;
if (len == 6 && MATCH(payload, 0x06, 0x00, 0x04, 0x00))
return true;
if (len == 12 && MATCH(payload, 0x06, 0x00, 0x06, 0x00))
return true;
return false;
}
static inline bool match_imesh(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Credit for this rule goes to opendpi - so if they're wrong then
* we're wrong! */
if (!match_imesh_payload(data->payload[0], data->payload_len[0]))
return false;
if (!match_imesh_payload(data->payload[1], data->payload_len[1]))
return false;
return true;
}
static lpi_module_t lpi_imesh = {
LPI_PROTO_IMESH,
LPI_CATEGORY_P2P,
"iMesh_TCP",
3,
match_imesh
};
void register_imesh(LPIModuleMap *mod_map) {
register_protocol(&lpi_imesh, mod_map);
}

95
decoders/glimpse_detector/libprotoident/tcp/lpi_invalid.cc Normal file
View File

@@ -0,0 +1,95 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_invalid(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* I'm using invalid as a category for flows where both halves of
* the connection are clearly speaking different protocols,
* e.g. trying to do HTTP tunnelling via an SMTP server
*/
/* XXX Bittorrent-related stuff is covered in
* match_invalid_bittorrent() */
/* SOCKSv4 via FTP or SMTP
*
* The last two octets '\x00\x50' is the port number - in this case
* I've hard-coded it to be 80 */
if (match_str_both(data, "220 ", "\x04\x01\x00\x50"))
return true;
/* SOCKSv5 via FTP or SMTP */
if (match_str_both(data, "220 ", "\x05\x01\x00\x00"))
return true;
/* HTTP tunnelling via FTP or SMTP */
if (match_str_both(data, "220 ", "CONN"))
return true;
if (match_str_both(data, "450 ", "CONN"))
return true;
/* Trying to send HTTP commands to FTP or SMTP servers */
if (match_str_both(data, "220 ", "GET "))
return true;
if (match_str_both(data, "450 ", "GET "))
return true;
/* Trying to send HTTP commands to an SVN server */
if (match_str_both(data, "( su", "GET "))
return true;
/* People running an HTTP server on the MS SQL server port */
if (match_tds_request(data->payload[0], data->payload_len[0])) {
if (MATCHSTR(data->payload[1], "HTTP"))
return true;
}
if (match_tds_request(data->payload[1], data->payload_len[1])) {
if (MATCHSTR(data->payload[0], "HTTP"))
return true;
}
return false;
}
static lpi_module_t lpi_invalid = {
LPI_PROTO_INVALID,
LPI_CATEGORY_MIXED,
"Invalid",
200, /* Very low priority, but not as low as mystery protos */
match_invalid
};
void register_invalid(LPIModuleMap *mod_map) {
register_protocol(&lpi_invalid, mod_map);
}

85
decoders/glimpse_detector/libprotoident/tcp/lpi_invalid_bittorrent.cc Normal file
View File

@@ -0,0 +1,85 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_invalid_bittorrent(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* This function will match anyone doing bittorrent in one
* direction and *something else* in the other.
*
* I've broken it down into several separate conditions, just in case
* we want to treat them as separate instances later on */
/* People trying to do Bittorrent to an actual HTTP server, rather than
* someone peering on port 80 */
if (match_str_either(data, "HTTP") &&
match_chars_either(data, 0x13, 'B', 'i', 't'))
return true;
/* People sending GETs to a Bittorrent peer?? */
if (match_str_either(data, "GET ") &&
match_chars_either(data, 0x13, 'B', 'i', 't'))
return true;
/* We also get a bunch of cases where one end is doing bittorrent
* and the other end is speaking a protocol that begins with a 4
* byte length field. */
if (match_chars_either(data, 0x13, 'B', 'i', 't')) {
if (match_payload_length(data->payload[0],data->payload_len[0]))
return true;
if (match_payload_length(data->payload[1],data->payload_len[1]))
return true;
}
/* This assumes we've checked for regular bittorrent prior to calling
* this function! */
if (match_chars_either(data, 0x13, 'B', 'i', 't'))
return true;
return false;
}
static lpi_module_t lpi_invalid_bittorrent = {
LPI_PROTO_INVALID_BT,
LPI_CATEGORY_MIXED,
"Invalid_Bittorrent",
200,
match_invalid_bittorrent
};
void register_invalid_bittorrent(LPIModuleMap *mod_map) {
register_protocol(&lpi_invalid_bittorrent, mod_map);
}

69
decoders/glimpse_detector/libprotoident/tcp/lpi_invalid_http.cc Normal file
View File

@@ -0,0 +1,69 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_invalid_http(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* This function is for identifying web servers that are not
* following the HTTP spec properly.
*
* For flows where the client is not doing HTTP properly, see
* match_web_junk().
*/
/* HTTP servers that appear to respond with raw HTML */
if (match_str_either(data, "GET ")) {
if (match_chars_either(data, '<', 'H', 'T', 'M'))
return true;
if (match_chars_either(data, '<', 'h', 't', 'm'))
return true;
if (match_chars_either(data, '<', 'h', '1', '>'))
return true;
if (match_chars_either(data, '<', 't', 'i', 't'))
return true;
}
return false;
}
static lpi_module_t lpi_invalid_http = {
LPI_PROTO_INVALID_HTTP,
LPI_CATEGORY_WEB,
"Invalid_HTTP",
200,
match_invalid_http
};
void register_invalid_http(LPIModuleMap *mod_map) {
register_protocol(&lpi_invalid_http, mod_map);
}

57
decoders/glimpse_detector/libprotoident/tcp/lpi_invalid_pop.cc Normal file
View File

@@ -0,0 +1,57 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_invalid_pop(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* This basically covers cases where idiots run SMTP servers on the
* POP port, so we get SMTP responses to valid POP commands */
if (match_str_both(data, "USER", "421 "))
return true;
if (match_str_both(data, "QUIT", "421 "))
return true;
return false;
}
static lpi_module_t lpi_invalid_pop = {
LPI_PROTO_INVALID_POP3,
LPI_CATEGORY_MAIL,
"Invalid_POP3",
200,
match_invalid_pop
};
void register_invalid_pop(LPIModuleMap *mod_map) {
register_protocol(&lpi_invalid_pop, mod_map);
}

65
decoders/glimpse_detector/libprotoident/tcp/lpi_invalid_smtp.cc Normal file
View File

@@ -0,0 +1,65 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_invalid_smtp(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* SMTP flows that do not conform to the spec properly */
if (match_str_both(data, "250-", "EHLO"))
return true;
if (match_str_both(data, "250 ", "HELO"))
return true;
if (match_str_both(data, "220 ", "MAIL"))
return true;
if (match_str_both(data, "\x00\x00\x00\x00", "EHLO"))
return true;
if (match_str_both(data, "\x00\x00\x00\x00", "HELO"))
return true;
return false;
}
static lpi_module_t lpi_invalid_smtp = {
LPI_PROTO_INVALID_SMTP,
LPI_CATEGORY_MAIL,
"Invalid_SMTP",
200,
match_invalid_smtp
};
void register_invalid_smtp(LPIModuleMap *mod_map) {
register_protocol(&lpi_invalid_smtp, mod_map);
}

Some files were not shown because too many files have changed in this diff Show More