gfwleak/stellar-stellar
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(integration decoders): http and glimpse_detector

Browse Source 
compile pass, todo test
This commit is contained in:
yangwei
2024-08-20 19:01:06 +08:00
committed by lijia
parent 6e46dbf762
commit dafbecd49a
804 changed files with 66904 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
CMakeLists.txt
View File

@@ -44,6 +44,7 @@ if (CMAKE_CXX_CPPCHECK)
"--suppress=funcArgOrderDifferent"
"--suppress=unreachableCode"
"--suppress=internalAstError"
"--suppress=integerOverflow"
)
set(CMAKE_C_CPPCHECK ${CMAKE_CXX_CPPCHECK})
else()
@@ -70,11 +71,17 @@ elseif(ASAN_OPTION MATCHES "THREAD")
endif()
# end of for ASAN
#common include directories
include_directories(${CMAKE_SOURCE_DIR}/include)
include_directories(${CMAKE_SOURCE_DIR}/deps)
enable_testing()
add_subdirectory(conf)
add_subdirectory(vendor)
add_subdirectory(deps)
add_subdirectory(src)
add_subdirectory(decoders)
add_subdirectory(script)
add_subdirectory(include)
add_subdirectory(test)

2
decoders/CMakeLists.txt Normal file
View File

@@ -0,0 +1,2 @@
add_subdirectory(http)
add_subdirectory(glimpse_detector)

6
decoders/glimpse_detector/.gitignore vendored Normal file
View File

@@ -0,0 +1,6 @@
*.o
*.so
.deps/
cmake-build-*
build
.vscode/

12
decoders/glimpse_detector/CMakeLists.txt Normal file
View File

@@ -0,0 +1,12 @@
add_definitions(-fPIC)
add_subdirectory(libprotoident)
add_library(glimpse_detector app_l7_protocol.cpp quic_identify.cpp openvpn_identify.cpp)
target_include_directories(glimpse_detector PUBLIC ${CMAKE_SOURCE_DIR}/deps/)
target_link_libraries(glimpse_detector libprotoident)
set_target_properties(glimpse_detector PROPERTIES LINK_FLAGS
"-Wl,--version-script=${CMAKE_CURRENT_SOURCE_DIR}/version.map")
#install(TARGETS ${PROJECT_NAME} LIBRARY DESTINATION ${CMAKE_INSTALL_PREFIX}/stellar_plugin COMPONENT LIBRARIES)

843
decoders/glimpse_detector/app_l7_protocol.cpp Normal file
View File

@@ -0,0 +1,843 @@
/*
* dpkt_basic_proto_main.cpp
*
* Created on: Aug 7, 2020
* Author: iie
*/
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <string.h>
#include <assert.h>
#include "uthash/uthash.h"
//#include <MESA/MESA_prof_load.h>
//#include <MESA/MESA_handle_logger.h>
#include "stellar/utils.h"
#include "stellar/session.h"
#include "stellar/stellar_exdata.h"
#include "stellar/stellar_mq.h"
#include "stellar/layer.h"
#include "stellar/appid.h"
#include "app_l7_protocol.h"
const char *dns_name="DNS";
const char *imap_name="IMAP";
const char *quic_name="QUIC";
const char *g_app_proto_conffile="./tsgconf/main.conf";
const char *l7_protocol_file = (char *)"./tsgconf/tsg_l7_protocol.conf";
const char *log_path = (char *)"./tsglog/glimpse_detector/glimpse_detector";
struct glimpse_detector_schema
{
int level;
int max_pkts;
int l7_label_id;
int l7_bridge_id;
int plugin_exdata_idx;
int l7_app_id_exdata_idx;
int topic_id;
int plugin_id;
struct stellar *st;
char log_path[128];
char l7_label_name[128];
char l7_bridge_name[128];
char l7_library_name[128];
char l7_protocol_file[128];
struct l7_protocol_hash *name_by_id;
void *logger;
int tcp_topic_id;
int udp_topic_id;
};
struct l7_protocol_hash g_app_name2lpi_id[]={
{0, LPI_PROTO_UNKNOWN, "UNCATEGORIZED",{}},
//{0, LPI_PROTO_UNKNOWN, "Unknown_UDP"},
//{0, LPI_PROTO_UNSUPPORTED, "Unknown_Other"},
{0, LPI_PROTO_DNS, "DNS", {}},
{0, LPI_PROTO_FTP_CONTROL, "FTP", {}},
//{0, LPI_PROTO_FTP_DATA, "FTP", NULL, NULL},
{0, LPI_PROTP_FTPS, "FTPS", {}},
{0, LPI_PROTO_HTTP, "HTTP", {}},
{0, LPI_PROTO_HTTPS, "HTTPS", {}},
{0, LPI_PROTO_ICMP, "ICMP", {}},
{0, LPI_PROTO_IKE, "IKE", {}},
{0, LPI_PROTO_MAIL, "MAIL", {}},
{0, LPI_PROTO_IMAP, "IMAP", {}},
{0, LPI_PROTO_IMAPS, "IMAPS", {}},
{0, LPI_PROTO_UDP_ESP, "IPSEC", {}},
{0, LPI_PROTO_XMPP, "XMPP", {}},
{0, LPI_PROTO_UDP_L2TP, "L2TP", {}},
{0, LPI_PROTO_UDP_NTP, "NTP", {}},
{0, LPI_PROTO_POP3, "POP3", {}},
{0, LPI_PROTO_POP3S, "POP3S", {}},
{0, LPI_PROTO_PPTP, "PPTP", {}},
{0, LPI_PROTO_UDP_QUIC, "QUIC", {}},
{0, LPI_PROTO_SIP, "SIP", {}},
{0, LPI_PROTO_SMB, "SMB", {}},
{0, LPI_PROTO_SMTP, "SMTP", {}},
{0, LPI_PROTO_SMTPS, "SMTPS", {}},
{0, LPI_PROTO_SPDY, "SPDY", {}},
{0, LPI_PROTO_SSH, "SSH", {}},
{0, LPI_PROTO_SSL, "SSL", {}},
{0, LPI_PROTO_SOCKS4, "SOCKS", {}},
//{0, LPI_PROTO_SOCKS4, "SOCKS4", NULL, NULL},
//{0, LPI_PROTO_SOCKS5, "SOCKS5", NULL, NULL},
{0, LPI_PROTO_TELNET, "TELNET", {}},
{0, LPI_PROTO_UDP_DHCP, "DHCP", {}},
{0, LPI_PROTO_UDP_RADIUS, "RADIUS", {}},
{0, LPI_PROTO_OPENVPN, "OPENVPN", {}},
{0, LPI_PROTO_STUN, "STUN", {}},
{0, LPI_PROTO_UDP_TEREDO, "TEREDO", {}},
{0, LPI_PROTO_UDP_DTLS, "DTLS", {}},
{0, LPI_PROTO_DOH, "DoH", {}},
{0, LPI_PROTO_UDP_ISAKMP, "ISAKMP", {}},
{0, LPI_PROTO_UDP_MDNS, "MDNS", {}},
{0, LPI_PROTO_NETBIOS, "NETBIOS", {}},
{0, LPI_PROTO_UDP_NETFLOW, "NETFLOW", {}},
{0, LPI_PROTO_RDP, "RDP", {}},
{0, LPI_PROTO_UDP_RTCP, "RTCP", {}},
{0, LPI_PROTO_UDP_RTP, "RTP", {}},
{0, LPI_PROTO_UDP_SLP, "SLP", {}},
{0, LPI_PROTO_UDP_SNMP, "SNMP", {}},
{0, LPI_PROTO_UDP_SSDP, "SSDP", {}},
{0, LPI_PROTO_UDP_TFTP, "TFTP", {}},
{0, LPI_PROTO_UDP_BJNP, "BJNP", {}},
{0, LPI_PROTO_LDAP, "LDAP", {}},
{0, LPI_PROTO_RTMP, "RTMP", {}},
{0, LPI_PROTO_RTSP, "RTSP", {}},
{0, LPI_PROTO_ESNI, "ESNI", {}},
{0, LPI_PROTO_STRATUM, "Stratum", {}},
{0, LPI_PROTO_QQ, "QQ", {}},
{0, LPI_PROTO_WECHAT, "WeChat", {}},
{0, LPI_PROTO_MMS, "MMS", {}},
{0, LPI_PROTO_RSYNC, "RSYNC", {}},
{0, LPI_PROTO_UDP_WIREGUARD, "WIREGUARD", {}},
};
struct dns_header
{
u_int16_t id;
#if __BYTE_ORDER == __LITTLE_ENDIAN
u_char rd:1;
u_char tc:1;
u_char aa:1;
u_char opcode:4;
u_char qr:1;
u_char rcode:4;
u_char z:3;
u_char ra:1;
#elif __BYTE_ORDER == __BIG_ENDIAN
u_char qr:1;
u_char opcode:4;
u_char aa:1;
u_char tc:1;
u_char rd:1;
u_char ra:1;
u_char z:3;
u_char rcode:4;
#endif
u_int16_t qdcount;
u_int16_t ancount;
u_int16_t aucount;//authority count
u_int16_t adcount;//additional count
};
static void get_host_order_port(struct session *sess __unused, unsigned short *sport, unsigned short *dport)
{
*sport=0;
*dport=0;
#if 0
// DONE: get host order port from session api 1.0
enum session_addr_type addr_type;
struct session_addr *addr=session_get0_addr(sess, &addr_type);
unsigned short n_sport = (addr_type == SESSION_ADDR_TYPE_IPV4_TCP || addr_type == SESSION_ADDR_TYPE_IPV4_UDP) ? (addr->ipv4.sport) : ( (addr_type == SESSION_ADDR_TYPE_IPV6_TCP || addr_type == SESSION_ADDR_TYPE_IPV6_UDP) ? (addr->ipv6.sport) : 0);
unsigned short n_dport = (addr_type == SESSION_ADDR_TYPE_IPV4_TCP || addr_type == SESSION_ADDR_TYPE_IPV4_UDP) ? (addr->ipv4.dport) : ( (addr_type == SESSION_ADDR_TYPE_IPV6_TCP || addr_type == SESSION_ADDR_TYPE_IPV6_UDP) ? (addr->ipv6.dport) : 0);
//unsigned short n_dport = (pstream->addr.addrtype == ADDR_TYPE_IPV4) ? (pstream->addr.tuple4_v4->dest) : ( (pstream->addr.addrtype == ADDR_TYPE_IPV6) ? (pstream->addr.tuple4_v6->dest) : 0);
*sport=ntohs(n_sport);
*dport=ntohs(n_dport);
#else
//get host order port from stellar session api
#if 0
const struct tuple6 *t6 = session_get_tuple6(sess);
enum flow_direction flow_dir = session_get_tuple6_direction(sess);
if(flow_dir == FLOW_DIRECTION_C2S)
{
*sport = ntohs(t6->src_port);
*dport = ntohs(t6->dst_port);
}
else
{
*sport = ntohs(t6->dst_port);
*dport = ntohs(t6->src_port);
}
#endif
const struct packet *pkt = session_get0_current_packet(sess);
enum flow_direction flow_dir=session_get_current_flow_direction(sess);
if(pkt && (flow_dir==FLOW_DIRECTION_C2S || flow_dir==FLOW_DIRECTION_S2C))
{
int layer_cnt=packet_get_layer_count(pkt);
struct layer l={};
packet_get_layer_by_idx(pkt, layer_cnt-1, &l);
switch((int)l.proto)
{
case LAYER_PROTO_TCP:
*sport = ntohs(l.hdr.tcp->th_sport);
*dport = ntohs(l.hdr.tcp->th_dport);
break;
case LAYER_PROTO_UDP:
*sport = ntohs(l.hdr.udp->uh_sport);
*dport = ntohs(l.hdr.udp->uh_dport);
break;
default:
break;
}
//S2C, swap sport and dport
if(flow_dir == FLOW_DIRECTION_S2C)
{
unsigned short tmp = *sport;
*sport = *dport;
*dport = tmp;
}
}
#endif
return;
}
static int revise_lpi_result(struct session *sess, const char *scan_data, const int scan_data_len, lpi_module_t* proto, struct traffic_context *context, int l4_is_tcp, int curdir_is_c2s)
{
unsigned short sport=0, dport=0;
get_host_order_port(sess, &sport, &dport);
if(sport == 989 || sport == 990 || dport == 989 || dport == 990)
{
if(proto->protocol == LPI_PROTO_SSL)
{
proto->protocol=(lpi_protocol_t)LPI_PROTP_FTPS;
proto->category=LPI_CATEGORY_FILES;
proto->priority=3;
proto->name="FTPS";
proto->lpi_callback=NULL;
return 1;
}
}
if(sport==443 || dport==443 || sport==80 || dport==80 || sport==8443 || dport==8443)
{
if(app_identify_get_quic_protocol(curdir_is_c2s, (const unsigned char *)scan_data, scan_data_len) != QUIC_VERSION_UNKNOWN)
{
//lpi_quic
proto->protocol=LPI_PROTO_UDP_QUIC;
proto->category=LPI_CATEGORY_WEB;
proto->priority=9;
proto->name=quic_name;
proto->lpi_callback=NULL;
return 1;
}
}
if((sport==53 || dport==53) && (scan_data_len>12))
{
struct dns_header *dns_hdr=NULL;
if(l4_is_tcp)
{
dns_hdr=(struct dns_header *)(scan_data+2);
}
else
{
dns_hdr=(struct dns_header *)scan_data;
}
if((dns_hdr->qr==1 && ntohs(dns_hdr->qdcount)==1) ||
(dns_hdr->qr==0 && ntohs(dns_hdr->qdcount)==1 && ntohs(dns_hdr->aucount)==0 && ntohs(dns_hdr->ancount)==0))
{
proto->protocol=LPI_PROTO_DNS;
proto->category=LPI_CATEGORY_SERVICES;
proto->priority=10;
proto->name=dns_name;
proto->lpi_callback=NULL;
return 1;
}
}
if(((sport==143 || dport==143)) &&
(
(scan_data_len>=11 && memmem(scan_data, scan_data_len, " CAPABILITY", 11)!=NULL) ||
(scan_data_len>=7 && memmem(scan_data, scan_data_len, " LOGIN ", 7)!=NULL)
)
)
{
proto->protocol=LPI_PROTO_IMAP;
proto->category=LPI_CATEGORY_MAIL;
proto->priority=2;
proto->name=imap_name;
proto->lpi_callback=NULL;
return 1;
}
int c2s_pkt_cnt=context->c2s_pkt;
int s2c_pkt_cnt=context->s2c_pkt;
if(app_identify_guess_openvpn((const unsigned char *)scan_data, scan_data_len, c2s_pkt_cnt, s2c_pkt_cnt, &context->ovpn, l4_is_tcp, curdir_is_c2s)==1)
{
proto->protocol=LPI_PROTO_OPENVPN;
proto->category=LPI_CATEGORY_TUNNELLING;
proto->priority=4;
proto->name="OpenVPN";
proto->lpi_callback=NULL;
return 1;
}
return 0;
}
static int set_lpi_same_name(struct l7_protocol_hash *l7_protocol_hash, struct l7_protocol_hash *l7_protocol_elem, int lpi_protocol_id)
{
struct l7_protocol_hash *tmp=(struct l7_protocol_hash *)calloc(1, sizeof(struct l7_protocol_hash));
memcpy(tmp, l7_protocol_elem, sizeof(struct l7_protocol_hash));
tmp->lpi_protocol=lpi_protocol_id;
HASH_ADD(hh, l7_protocol_hash, lpi_protocol, sizeof(int), tmp);
return 0;
}
static int get_protocol_id(struct l7_protocol_hash *name_by_id, const lpi_module_t* proto)
{
struct l7_protocol_hash *out=NULL;
HASH_FIND(hh, name_by_id, &(proto->protocol), sizeof(int), out);
if(out!=NULL)
{
return out->protocol_id;
}
return -1;
}
static struct app_id_message *app_id_messgae_create(unsigned short *id_array, int id_num)
{
struct app_id_message *result=CALLOC(struct app_id_message, 1);
result->origin=ORIGIN_PROTO_IDENTIFY;
result->magic=MESSAGE_MAGIC;
result->app_id_num=id_num;
for(unsigned int i=0; i<result->app_id_num; i++)
{
result->app_id[i]=(int)(id_array[i]);
result->surrogate_id[i]=0;
}
return result;
}
static int update_protocol_id(unsigned short *old_id_array, int *old_id_num, unsigned short new_id)
{
int i=0;
if(*old_id_num>=MAX_APP_ID_NUM)
{
return 0;
}
for(i=0; i<(*old_id_num); i++)
{
if(new_id==old_id_array[i])
{
return 0;
}
}
old_id_array[(*old_id_num)]=new_id;
(*old_id_num)++;
return 1;
}
static int l7_protocol_mapper(struct glimpse_detector_schema *g_app_proto_para, const char *filename)
{
size_t i=0,ret=0;
FILE *fp=NULL;
char line[1024]={0};
char type_name[32]={0};
struct l7_protocol_hash *name2lpi=NULL;
struct l7_protocol_hash *l7_protocol=NULL;
struct l7_protocol_hash *out=NULL;
fp=fopen(filename, "r");
if(fp==NULL)
{
printf("Open %s failed ...", filename);
return -1;
}
for(i=0; i<(sizeof(g_app_name2lpi_id)/sizeof(struct l7_protocol_hash)); i++)
{
HASH_ADD(hh, name2lpi, name, strlen(g_app_name2lpi_id[i].name), &(g_app_name2lpi_id[i]));
}
memset(line, 0, sizeof(line));
while((fgets(line, sizeof(line), fp))!=NULL)
{
if(line[0]=='#' || line[0]=='\n' || line[0]=='\r' ||line[0]=='\0')
{
continue;
}
l7_protocol=(struct l7_protocol_hash *)calloc(1, sizeof(struct l7_protocol_hash));
ret=sscanf(line, "%31s %63s %d", type_name, l7_protocol->name, &l7_protocol->protocol_id);
assert(ret==3);
HASH_FIND(hh, name2lpi, l7_protocol->name, strlen(l7_protocol->name), out);
if(out==NULL)
{
//MESA_handle_runtime_log(g_app_proto_para->logger, RLOG_LV_FATAL, "INIT_HASH", "Protocol %s identified without registered LPI ID", l7_protocol->name);
free(l7_protocol);
continue;
}
l7_protocol->lpi_protocol=out->lpi_protocol;
HASH_ADD(hh, g_app_proto_para->name_by_id, lpi_protocol, sizeof(int), l7_protocol);
switch(out->lpi_protocol)
{
case LPI_PROTO_DNS:
set_lpi_same_name(g_app_proto_para->name_by_id, l7_protocol, LPI_PROTO_UDP_DNS);
break;
case LPI_PROTO_SIP:
set_lpi_same_name(g_app_proto_para->name_by_id, l7_protocol, LPI_PROTO_UDP_SIP);
break;
case LPI_PROTO_SOCKS4:
set_lpi_same_name(g_app_proto_para->name_by_id, l7_protocol, LPI_PROTO_SOCKS5);
break;
case LPI_PROTO_FTP_CONTROL:
set_lpi_same_name(g_app_proto_para->name_by_id, l7_protocol, LPI_PROTO_FTP_DATA);
break;
case LPI_PROTO_OPENVPN:
set_lpi_same_name(g_app_proto_para->name_by_id, l7_protocol, LPI_PROTO_UDP_OPENVPN);
break;
case LPI_PROTO_LDAP:
set_lpi_same_name(g_app_proto_para->name_by_id, l7_protocol, LPI_PROTO_TCP_LDAP_AD);
set_lpi_same_name(g_app_proto_para->name_by_id, l7_protocol, LPI_PROTO_UDP_LDAP_AD);
break;
case LPI_PROTO_HTTP:
set_lpi_same_name(g_app_proto_para->name_by_id, l7_protocol, LPI_PROTO_HTTP_BADPORT);
set_lpi_same_name(g_app_proto_para->name_by_id, l7_protocol, LPI_PROTO_HTTP_TUNNEL);
set_lpi_same_name(g_app_proto_para->name_by_id, l7_protocol, LPI_PROTO_NONSTANDARD_HTTP);
break;
case LPI_PROTO_STUN:
set_lpi_same_name(g_app_proto_para->name_by_id, l7_protocol, LPI_PROTO_UDP_STUN);
break;
case LPI_PROTO_NETBIOS:
set_lpi_same_name(g_app_proto_para->name_by_id, l7_protocol, LPI_PROTO_UDP_NETBIOS);
break;
case LPI_PROTO_QQ:
set_lpi_same_name(g_app_proto_para->name_by_id, l7_protocol, LPI_PROTO_UDP_QQ);
break;
case LPI_PROTO_WECHAT:
set_lpi_same_name(g_app_proto_para->name_by_id, l7_protocol, LPI_PROTO_UDP_WECHAT);
break;
default:
break;
}
memset(line, 0, sizeof(line));
}
fclose(fp);
fp=NULL;
HASH_CLEAR(hh, name2lpi);
#if 0
HASH_ITER(hh, g_app_proto_para->name_by_id, out ,tmp)
{
MESA_handle_runtime_log(g_app_proto_para->logger,
RLOG_LV_DEBUG,
"ID_MAPPER",
"%s lpi_protocol built-in ID is %d and TSG ID is %d",
out->name,
out->lpi_protocol,
out->protocol_id
);
}
#endif
return ret;
}
static void free_l7_protocol_mapper(struct l7_protocol_hash *hash)
{
if(hash==NULL)
{
return ;
}
struct l7_protocol_hash *out=NULL, *tmp=NULL;
HASH_ITER(hh, hash, out ,tmp)
{
if(out!=NULL)
{
HASH_DEL(hash, out);
free(out);
out=NULL;
}
}
}
int lpi_update_dpkt(lpi_data_t *data, struct session *sess,
const char *scan_data, int scan_data_len, char tsproto,
uint32_t is_c2s)
{
uint32_t dir = 0;
if(is_c2s == 1)
{
dir = 0;
}
else
{
dir = 1;
}
uint32_t four_bytes;
if (data->observed[dir] > 32 * 1024)
return 0;
data->observed[dir] += scan_data_len;
if (data->trans_proto == 0)data->trans_proto = tsproto;
if (scan_data == NULL)return 0;
if (scan_data_len <= 0)return 0;
if (scan_data_len < 4)
{
memcpy((char *)&four_bytes, scan_data, scan_data_len);
four_bytes = (ntohl(four_bytes)) >> (8 * (4 - scan_data_len));
four_bytes = htonl(four_bytes << (8 * (4 - scan_data_len)));
}
else
{
four_bytes = (*(uint32_t *)scan_data);
}
data->payload[dir] = four_bytes;
data->payload_len[dir] = scan_data_len;
uint16_t source=0;
uint16_t dest=0;
get_host_order_port(sess,&source ,&dest);
data->client_port = source;
data->server_port = dest;
// DONE: no need to set saddr and daddr
/*
if (pstream != NULL && data->ips[0] == 0
&& (pstream->addr.addrtype == __ADDR_TYPE_IP_PAIR_V4
|| pstream->addr.addrtype == ADDR_TYPE_IPV4))
{
if (dir == 1)
{
data->ips[0] = pstream->addr.ipv4->saddr;
data->ips[1] = pstream->addr.ipv4->daddr;
}
else
{
data->ips[1] = pstream->addr.ipv4->saddr;
data->ips[0] = pstream->addr.ipv4->daddr;
}
}
*/
return 1;
}
static int app_glimpse_detector(struct session *sess, struct traffic_context *context, struct glimpse_detector_schema *g_app_proto_para, const char *scan_data, const int scan_data_len, int l4_proto)
{
int ret=0,is_update=0;
//unsigned short sport=0, dport=0;
lpi_module_t modify_lpi_result={(lpi_protocol_t)0, (lpi_category_t)0, NULL, 0, NULL};
unsigned short new_protocol_id=0;
struct l7_protocol_label *l7_protocol=NULL;
//const struct packet *raw_packet=session_get0_current_packet(sess);
//int cur_pkt_dir= packet_get_direction(raw_packet);
int cur_pkt_dir=session_get_current_flow_direction(sess);
context->pkt_cnt++;
(cur_pkt_dir==FLOW_DIRECTION_C2S) ? (context->c2s_pkt++) : (context->s2c_pkt++);
int is_c2s_pkt=((cur_pkt_dir==FLOW_DIRECTION_C2S) ? 1 : 0);
ret=lpi_update_dpkt(&(context->lpi_data), sess, scan_data, scan_data_len, l4_proto, is_c2s_pkt);
if(!ret)
{
return 1;
}
lpi_module_t *plpi_mod=lpi_guess_protocol(&(context->lpi_data));
if(plpi_mod==NULL)
{
return 1;
}
if((plpi_mod->protocol==LPI_PROTO_UNKNOWN || plpi_mod->protocol==LPI_PROTO_UDP) &&
(context->pkt_cnt<g_app_proto_para->max_pkts || context->is_identify==1))
{
ret=revise_lpi_result(sess, scan_data, scan_data_len, &modify_lpi_result, context,
(l4_proto==6?1:0),
(cur_pkt_dir==FLOW_DIRECTION_C2S?1:0));
if(ret==0)
{
return 1;
}
plpi_mod=&modify_lpi_result;
}
if (plpi_mod->protocol == LPI_PROTO_FTP_CONTROL && context->is_first_payload == 1 && cur_pkt_dir == FLOW_DIRECTION_S2C)
{
if ((((scan_data_len >= 4 && (memcmp(scan_data, "220-", 4) == 0)) || memcmp(scan_data, "220 ", 4) == 0)) &&
(((scan_data_len >= 7 && (memmem(scan_data, scan_data_len, " ESMTP ", 7) != NULL)) ||
memmem(scan_data, scan_data_len, " esmtp ", 7) != NULL)))
{
// lpi_smtp
modify_lpi_result.protocol = LPI_PROTO_SMTP;
modify_lpi_result.category = LPI_CATEGORY_MAIL;
modify_lpi_result.priority = 2;
modify_lpi_result.name = "SMTP";
plpi_mod = &modify_lpi_result;
}
}
if (plpi_mod->protocol == LPI_PROTO_SMTP && context->is_first_payload == 1 && cur_pkt_dir == FLOW_DIRECTION_S2C)
{
if (
(scan_data_len >= 4) &&
(memcmp(scan_data, "220 ", 4) == 0 || memcmp(scan_data, "220-", 4) == 0) &&
(memmem(scan_data, scan_data_len, "FTPd", 4) != NULL ||
memmem(scan_data, scan_data_len, "ftpd", 4) != NULL ||
memmem(scan_data, scan_data_len, "FTPD", 4) != NULL))
{
// lpi_ftpcontrol
modify_lpi_result.protocol = LPI_PROTO_FTP_CONTROL;
modify_lpi_result.category = LPI_CATEGORY_FILES;
modify_lpi_result.priority = 3;
modify_lpi_result.name = "FTP_Control";
plpi_mod = &modify_lpi_result;
}
}
new_protocol_id=get_protocol_id(g_app_proto_para->name_by_id, plpi_mod);
#if 0
if(new_protocol_id==(unsigned short)-1)
{
if(plpi_mod->protocol!=LPI_PROTO_UNKNOWN && plpi_mod->protocol!=LPI_PROTO_UDP && plpi_mod->protocol!=LPI_PROTO_UNSUPPORTED)
{
MESA_handle_runtime_log(g_app_proto_para->logger,
RLOG_LV_INFO,
"UNDEFINE",
"Protocol Name: %s identified without registered LPI ID=%d, category: %s priority: %d addr: %s",
plpi_mod->name,
plpi_mod->protocol,
lpi_print_category(plpi_mod->category),
plpi_mod->priority,
session_get0_readable_addr(sess)
);
}
return 1;
}
else
{
MESA_handle_runtime_log(g_app_proto_para->logger,
RLOG_LV_INFO,
"DEFINE",
"Protocol Name: %s identified registered LPI ID(%d), category: %s priority: %d addr: %s",
plpi_mod->name,
plpi_mod->protocol,
lpi_print_category(plpi_mod->category),
plpi_mod->priority,
session_get0_readable_addr(sess)
);
}
#endif
l7_protocol = (struct l7_protocol_label *)session_exdata_get(sess, g_app_proto_para->l7_app_id_exdata_idx);
if(l7_protocol==NULL)
{
l7_protocol=CALLOC(struct l7_protocol_label, 1);
l7_protocol->continue_scan_flag = 1;
session_exdata_set(sess, g_app_proto_para->l7_app_id_exdata_idx, l7_protocol);
}
is_update=update_protocol_id(l7_protocol->protocol_id, &(l7_protocol->protocol_id_num), new_protocol_id);
if(is_update==1)
{
context->is_identify=1;
struct app_id_message *msg=app_id_messgae_create(l7_protocol->protocol_id, l7_protocol->protocol_id_num);
if(session_mq_publish_message(sess, g_app_proto_para->topic_id, msg) < 0)
{
FREE(msg);
}
//MESA_handle_runtime_log(g_app_proto_para->logger, RLOG_LV_DEBUG, "ADD_PROJECT", "%s identified, ID %d addr: %s", plpi_mod->name, new_protocol_id, session_get0_readable_addr(sess));
}
if (context->pkt_cnt >= g_app_proto_para->max_pkts || (plpi_mod->category != LPI_CATEGORY_TUNNELLING && plpi_mod->category != LPI_CATEGORY_NAT && plpi_mod->protocol != LPI_PROTO_RDP && plpi_mod->protocol != LPI_PROTO_UDP_RDP && plpi_mod->protocol != LPI_PROTO_UDP_RTP && plpi_mod->protocol != LPI_PROTO_UDP_RTCP))
{
l7_protocol->continue_scan_flag=0;
return 0;
}
return 1;
}
static void glimpse_detector_on_session_msg(struct session *sess, int topic_id __unused, const void *msg, void *per_session_ctx __unused, void *plugin_env)
{
assert(plugin_env!=NULL);
if(msg==NULL)return;
struct glimpse_detector_schema *glimpse_detector_env=(struct glimpse_detector_schema *)plugin_env;
int identify_continue=0;
struct traffic_context *context = (struct traffic_context *)session_exdata_get(sess, glimpse_detector_env->plugin_exdata_idx);
if(context==NULL)
{
context= CALLOC(struct traffic_context, 1);
context->is_first_payload=1;
session_exdata_set(sess, glimpse_detector_env->plugin_exdata_idx, context);
}
//size_t payload_len=0;
//const char *payload=session_get0_current_payload(sess, &payload_len);
uint16_t payload_len=packet_get_payload_len((struct packet*)msg);
const char *payload=packet_get_payload((struct packet*)msg);
if (payload!=NULL && payload_len>0 && context->pkt_cnt<glimpse_detector_env->max_pkts)
{
int l4_proto=0;
enum session_type type= session_get_type(sess);
if(type == SESSION_TYPE_TCP)
{
l4_proto=6;
}
if(type == SESSION_TYPE_UDP)
{
l4_proto=17;
}
identify_continue=app_glimpse_detector(sess, context, glimpse_detector_env, payload, payload_len, l4_proto);
context->is_first_payload=0;
}
else
{
identify_continue=1;
}
if (identify_continue==0)
{
if(context->is_identify==0)
{
//MESA_handle_runtime_log(glimpse_detector_env->logger, RLOG_LV_INFO, "UNKNOWN", "addr: %s", session_get0_readable_addr(sess));
}
FREE(context);
session_exdata_set(sess, glimpse_detector_env->plugin_exdata_idx, NULL);
stellar_session_plugin_dettach_current_session(sess);
}
return;
}
extern "C" void APP_GLIMPSE_DETECTOR_UNLOAD(void *plugin_env)
{
if(plugin_env)
{
struct glimpse_detector_schema *glimpse_detector_env=(struct glimpse_detector_schema *)plugin_env;
lpi_free_library();
free_l7_protocol_mapper(glimpse_detector_env->name_by_id);
//if(glimpse_detector_env->logger)
//{
// MESA_destroy_runtime_log_handle(glimpse_detector_env->logger);
//}
FREE(plugin_env);
}
}
extern "C" void * APP_GLIMPSE_DETECTOR_LOAD(struct stellar *st)
{
int ret=0;
struct glimpse_detector_schema *glimpse_detector_env=CALLOC(struct glimpse_detector_schema, 1);
glimpse_detector_env->st=st;
//MESA_load_profile_short_def(g_app_proto_conffile, "PROTO_IDENTIFY", "LOG_LEVEL", (short *)&glimpse_detector_env->level, 30);
glimpse_detector_env->max_pkts=16;
strcpy(glimpse_detector_env->l7_bridge_name,"APP_IDENTIFY_RESULT_BRIDGE");
strcpy( glimpse_detector_env->l7_protocol_file, l7_protocol_file);
//MESA_load_profile_int_def(g_app_proto_conffile, "PROTO_IDENTIFY", "MAX_IDENTIFY_PACKETS", &glimpse_detector_env->max_pkts, 16);
//MESA_load_profile_string_def(g_app_proto_conffile, "PROTO_IDENTIFY", "LOG_PATH", glimpse_detector_env->log_path, sizeof(glimpse_detector_env->log_path), log_path);
//MESA_load_profile_string_def(g_app_proto_conffile, "SYSTEM", "APP_IDENTIFY_RESULT_BRIDGE", glimpse_detector_env->l7_bridge_name, sizeof(glimpse_detector_env->l7_bridge_name), "APP_IDENTIFY_RESULT_BRIDGE");
//MESA_load_profile_string_def(g_app_proto_conffile, "SYSTEM", "L7_PROTOCOL_FILE", glimpse_detector_env->l7_protocol_file, sizeof(glimpse_detector_env->l7_protocol_file), l7_protocol_file);
//glimpse_detector_env->logger=MESA_create_runtime_log_handle(glimpse_detector_env->log_path, glimpse_detector_env->level);
//if(glimpse_detector_env->logger==NULL)
//{
// goto INIT_ERROR;
//}
ret=lpi_init_library(1); // 1, 2 or 3
if(ret<0)
{
goto INIT_ERROR;
}
ret=l7_protocol_mapper(glimpse_detector_env,glimpse_detector_env->l7_protocol_file);
if(ret<0)
{
goto INIT_ERROR;
}
glimpse_detector_env->plugin_id=stellar_session_plugin_register(st, NULL, NULL, glimpse_detector_env);
if(glimpse_detector_env->plugin_id < 0)
{
goto INIT_ERROR;
}
glimpse_detector_env->tcp_topic_id=stellar_mq_get_topic_id(st, TOPIC_TCP);
glimpse_detector_env->udp_topic_id=stellar_mq_get_topic_id(st, TOPIC_UDP);
if(glimpse_detector_env->tcp_topic_id < 0 || glimpse_detector_env->udp_topic_id < 0)
{
perror("get tcp or udp topic id failed\n");
exit(-1);
}
stellar_session_mq_subscribe(st, glimpse_detector_env->tcp_topic_id, glimpse_detector_on_session_msg, glimpse_detector_env->plugin_id);
stellar_session_mq_subscribe(st, glimpse_detector_env->udp_topic_id, glimpse_detector_on_session_msg, glimpse_detector_env->plugin_id);
glimpse_detector_env->plugin_exdata_idx = stellar_exdata_new_index(st, "EXDATA_LPI", stellar_exdata_free_default, NULL);
glimpse_detector_env->l7_app_id_exdata_idx = stellar_exdata_new_index(st, "L7_PROTOCOL", stellar_exdata_free_default, NULL);
glimpse_detector_env->topic_id=stellar_mq_get_topic_id(st, APP_ID_MESSAGE_TOPIC);
if(glimpse_detector_env->topic_id < 0)
{
glimpse_detector_env->topic_id=stellar_mq_create_topic(st, APP_ID_MESSAGE_TOPIC, stellar_msg_free_default, NULL);
}
return glimpse_detector_env;
INIT_ERROR:
APP_GLIMPSE_DETECTOR_UNLOAD(glimpse_detector_env);
exit(-1);
return NULL;
}

227
decoders/glimpse_detector/app_l7_protocol.h Normal file
View File

@@ -0,0 +1,227 @@
#pragma once
#include "libprotoident/libprotoident.h"
#include "uthash/uthash.h"
#define MAX_APP_ID_NUM 8
typedef enum {
LPI_PROTO_EXTEND_FRIST = LPI_PROTO_LAST,
LPI_PROTO_IKE, //unsupport
LPI_PROTO_DOH, //unsupport
LPI_PROTO_MAIL, //unsupport
LPI_PROTO_ESNI, //unsupport
LPI_PROTP_FTPS,
LPI_PROTO_EXTEND_LAST
} extend_lpi_protocol_t;
struct l7_protocol_label
{
int continue_scan_flag; //0: stop; 1: continue
int protocol_id_num;
unsigned short protocol_id[MAX_APP_ID_NUM];
};
struct l7_protocol_hash
{
int protocol_id;
int lpi_protocol;
char name[64];
UT_hash_handle hh;
};
struct ovpn_ctx
{
uint64_t local_session_id;
int contain_local_session_id_pkt_num;
int valid_opcode_cnt;
};
struct traffic_context
{
unsigned char is_identify;
unsigned char is_first_payload;
unsigned short pkt_cnt;
unsigned short s2c_pkt;
unsigned short c2s_pkt;
lpi_data_t lpi_data; // lpi API
union{
uint64_t ctx[2];
struct ovpn_ctx ovpn;
};
};
//https://github.com/quicwg/base-drafts/wiki/QUIC-Versions
enum _QUIC_VERSION
{
QUIC_VERSION_UNKNOWN=0,
//NetApp
QUANT_VERSION_00=0x45474700,
QUANT_VERSION_FF=0x454747FF,
//Private Octopus
PICOQUIC_VERSION_30=0x50435130,
//google
GQUIC_VERSION_Q001=0x51303031,
GQUIC_VERSION_Q002=0x51303032,
GQUIC_VERSION_Q003=0x51303033,
GQUIC_VERSION_Q004=0x51303034,
GQUIC_VERSION_Q005=0x51303035,
GQUIC_VERSION_Q006=0x51303036,
GQUIC_VERSION_Q007=0x51303037,
GQUIC_VERSION_Q008=0x51303038,
GQUIC_VERSION_Q009=0x51303039,
GQUIC_VERSION_Q010=0x51303130,
GQUIC_VERSION_Q011=0x51303131,
GQUIC_VERSION_Q012=0x51303132,
GQUIC_VERSION_Q013=0x51303133,
GQUIC_VERSION_Q014=0x51303134,
GQUIC_VERSION_Q015=0x51303135,
GQUIC_VERSION_Q016=0x51303136,
GQUIC_VERSION_Q017=0x51303137,
GQUIC_VERSION_Q018=0x51303138,
GQUIC_VERSION_Q019=0x51303139,
GQUIC_VERSION_Q020=0x51303230,
GQUIC_VERSION_Q021=0x51303231,
GQUIC_VERSION_Q022=0x51303232,
GQUIC_VERSION_Q023=0x51303233,
GQUIC_VERSION_Q024=0x51303234,
GQUIC_VERSION_Q025=0x51303235,
GQUIC_VERSION_Q026=0x51303236,
GQUIC_VERSION_Q027=0x51303237,
GQUIC_VERSION_Q028=0x51303238,
GQUIC_VERSION_Q029=0x51303239,
GQUIC_VERSION_Q030=0x51303330,
GQUIC_VERSION_Q031=0x51303331,
GQUIC_VERSION_Q032=0x51303332,
GQUIC_VERSION_Q033=0x51303333,
GQUIC_VERSION_Q034=0x51303334,
GQUIC_VERSION_Q035=0x51303335,
GQUIC_VERSION_Q036=0x51303336,
GQUIC_VERSION_Q037=0x51303337,
GQUIC_VERSION_Q038=0x51303338,
GQUIC_VERSION_Q039=0x51303339,
GQUIC_VERSION_Q040=0x51303430,
GQUIC_VERSION_Q041=0x51303431,
GQUIC_VERSION_Q042=0x51303432,
GQUIC_VERSION_Q043=0x51303433,
GQUIC_VERSION_Q044=0x51303434,
GQUIC_VERSION_Q045=0x51303435,
GQUIC_VERSION_Q046=0x51303436,
GQUIC_VERSION_Q047=0x51303437,
GQUIC_VERSION_Q048=0x51303438,
GQUIC_VERSION_Q049=0x51303439,
GQUIC_VERSION_Q050=0x51303530,
GQUIC_VERSION_Q051=0x51303531,
GQUIC_VERSION_Q052=0x51303532,
GQUIC_VERSION_Q053=0x51303533,
GQUIC_VERSION_Q054=0x51303534,
GQUIC_VERSION_Q055=0x51303535,
GQUIC_VERSION_Q056=0x51303536,
GQUIC_VERSION_Q057=0x51303537,
GQUIC_VERSION_Q058=0x51303538,
GQUIC_VERSION_Q059=0x51303539,
GQUIC_VERSION_Q099=0x51303939,
//Google QUIC with TLS 48 - 49 (T048 - T049)
GQUIC_VERSION_T048=0x54303438,
GQUIC_VERSION_T049=0x54303439,
//Google QUIC with TLS 50 - 59 (T050 - T059)
GQUIC_VERSION_T050=0x54303530,
GQUIC_VERSION_T051=0x54303531,
GQUIC_VERSION_T052=0x54303532,
GQUIC_VERSION_T053=0x54303533,
GQUIC_VERSION_T054=0x54303534,
GQUIC_VERSION_T055=0x54303535,
GQUIC_VERSION_T056=0x54303536,
GQUIC_VERSION_T057=0x54303537,
GQUIC_VERSION_T058=0x54303538,
GQUIC_VERSION_T059=0x54303539,
//Google QUIC with TLS 99 (T099)
GQUIC_VERSION_T099=0x54303939,
//Google Proxied QUIC
PQUIC_VERSION_PROX=0x50524f58,
//quic-go
QUIC_GO_VERSION_00=0x51474F00,
QUIC_GO_VERSION_FF=0x51474FFF,
//quicly
QUICLY_VERSION_00=0x91c17000,
QUICLY_VERSION_FF=0x91c170FF,
//Microsoft
MSQUIC_VERSION_00=0xabcd0000,
MSQUIC_VERSION_0F=0xabcd000F,
//Mozilla
MOZQUIC_VERSION_00=0xf123f0c0,
MOZQUIC_VERSION_0F=0xf123f0cF,
//Facebook
MVFST_VERSION_00=0xfaceb000,
MVFST_VERSION_01=0xfaceb001,
MVFST_VERSION_02=0xfaceb002,
MVFST_VERSION_03=0xfaceb003,
MVFST_VERSION_04=0xfaceb004,
MVFST_VERSION_05=0xfaceb005,
MVFST_VERSION_06=0xfaceb006,
MVFST_VERSION_07=0xfaceb007,
MVFST_VERSION_08=0xfaceb008,
MVFST_VERSION_09=0xfaceb009,
MVFST_VERSION_0A=0xfaceb00A,
MVFST_VERSION_0B=0xfaceb00B,
MVFST_VERSION_0C=0xfaceb00C,
MVFST_VERSION_0D=0xfaceb00D,
MVFST_VERSION_0E=0xfaceb00E,
MVFST_VERSION_0F=0xfaceb00F,
//IETF
IQUIC_VERSION_RFC9000=0x00000001,
IQUIC_VERSION_I001=0xFF000001,
IQUIC_VERSION_I002=0xFF000002,
IQUIC_VERSION_I003=0xFF000003,
IQUIC_VERSION_I004=0xFF000004,
IQUIC_VERSION_I005=0xFF000005,
IQUIC_VERSION_I006=0xFF000006,
IQUIC_VERSION_I007=0xFF000007,
IQUIC_VERSION_I008=0xFF000008,
IQUIC_VERSION_I009=0xFF000009,
IQUIC_VERSION_I010=0xFF00000A,
IQUIC_VERSION_I011=0xFF00000B,
IQUIC_VERSION_I012=0xFF00000C,
IQUIC_VERSION_I013=0xFF00000D,
IQUIC_VERSION_I014=0xFF00000E,
IQUIC_VERSION_I015=0xFF00000F,
IQUIC_VERSION_I016=0xFF000010,
IQUIC_VERSION_I017=0xFF000011,
IQUIC_VERSION_I018=0xFF000012,
IQUIC_VERSION_I019=0xFF000013,
IQUIC_VERSION_I020=0xFF000014,
IQUIC_VERSION_I021=0xFF000015,
IQUIC_VERSION_I022=0xFF000016,
IQUIC_VERSION_I023=0xFF000017,
IQUIC_VERSION_I024=0xFF000018,
IQUIC_VERSION_I025=0xFF000019,
IQUIC_VERSION_I026=0xFF00001A,
IQUIC_VERSION_I027=0xFF00001B,
IQUIC_VERSION_I028=0xFF00001C,
IQUIC_VERSION_I029=0xFF00001D,
IQUIC_VERSION_I030=0xFF00001E,
IQUIC_VERSION_I031=0xFF00001F,
IQUIC_VERSION_I032=0xFF000020
};
enum _QUIC_VERSION app_identify_get_quic_protocol(int curdir_is_c2s, const unsigned char *payload, const int payload_len);
int app_identify_guess_openvpn(const unsigned char *payload, int payload_len, int c2s_pkt_cnt, int s2c_pkt_cnt, struct ovpn_ctx *ovpn, int l4_is_tcp, int curdir_is_c2s);

36
decoders/glimpse_detector/libprotoident/CMakeLists.txt Normal file
View File

@@ -0,0 +1,36 @@
add_definitions(-D__FAVOR_BSD -DHAVE_NET_ETHERNET_H -DHAVE_ICMPHDR=1 -DHAVE_TCP_STATES=1 -DHAVE_BSD_UDPHDR=1 -DHAVE_BSD_TCPHDR=1)
include_directories(${CMAKE_CURRENT_SOURCE_DIR})
file(GLOB UDP_SRC
"udp/*.c"
"udp/*.cpp"
"udp/*.cc"
)
file(GLOB TCP_SRC
"tcp/*.c"
"tcp/*.cpp"
"tcp/*.cc"
)
add_compile_options(-Wno-error=unused-parameter -Wno-error=unused-function)
#add_library(udp_static STATIC ${UDP_SRC})
#add_library(tcp_static STATIC ${TCP_SRC})
file(GLOB LPI_SRC
"*.c"
"*.cpp"
"*.cc"
)
add_library(libprotoident ${LPI_SRC} ${UDP_SRC} ${TCP_SRC})
#target_link_libraries(libprotoident udp_static tcp_static)
set_target_properties(libprotoident PROPERTIES LINK_FLAGS
"-Wl,--version-script=${CMAKE_CURRENT_SOURCE_DIR}/version.map")
#install(TARGETS libprotoident LIBRARY DESTINATION ${CMAKE_INSTALL_PREFIX}/stellar_plugin COMPONENT LIBRARIES)

415
decoders/glimpse_detector/libprotoident/libprotoident.cc Normal file
View File

@@ -0,0 +1,415 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#define __STDC_FORMAT_MACROS
#define __STDC_LIMIT_MACROS
#include <stdio.h>
#include <assert.h>
//#include <libtrace.h>
#include <inttypes.h>
#include <sys/types.h>
#include <stdint.h>
#include <stdlib.h>
#include <signal.h>
#include "libprotoident.h"
#include "proto_manager.h"
bool init_called = false;
LPIModuleMap TCP_protocols;
LPIModuleMap UDP_protocols;
lpi_module_t *lpi_icmp = NULL;
lpi_module_t *lpi_unsupported = NULL;
lpi_module_t *lpi_unknown_tcp = NULL;
lpi_module_t *lpi_unknown_udp = NULL;
static LPINameMap lpi_names;
static LPIProtocolMap lpi_protocols;
static LPICategoryMap lpi_categories;
static LPICategoryProtocolMap lpi_category_protocols;
int lpi_init_library(int level) {
if (init_called) {
fprintf(stderr, "WARNING: lpi_init_library has already been called\n");
return 0;
}
if (register_tcp_protocols(&TCP_protocols) == -1)
return -1;
if (register_udp_protocols(&UDP_protocols) == -1)
return -1;
init_other_protocols(&lpi_names, &lpi_protocols, &lpi_category_protocols);
register_names(&TCP_protocols, &lpi_names, &lpi_protocols, &lpi_category_protocols);
register_names(&UDP_protocols, &lpi_names, &lpi_protocols, &lpi_category_protocols);
register_category_names(&lpi_categories);
init_called = true;
if (TCP_protocols.empty() && UDP_protocols.empty()) {
fprintf(stderr, "WARNING: No protocol modules loaded\n");
return -1;
}
return 0;
}
void lpi_free_library() {
free_protocols(&TCP_protocols);
free_protocols(&UDP_protocols);
if (lpi_icmp != NULL) {
delete lpi_icmp;
lpi_icmp = NULL;
}
if (lpi_unsupported != NULL) {
delete lpi_unsupported;
lpi_unsupported = NULL;
}
if (lpi_unknown_tcp != NULL) {
delete lpi_unknown_tcp;
lpi_unknown_tcp = NULL;
}
if (lpi_unknown_udp != NULL) {
delete lpi_unknown_udp;
lpi_unknown_udp = NULL;
}
init_called = false;
}
void lpi_init_data(lpi_data_t *data) {
data->payload[0] = 0;
data->payload[1] = 0;
data->seen_syn[0] = false;
data->seen_syn[1] = false;
data->seqno[0] = 0;
data->seqno[1] = 0;
data->observed[0] = 0;
data->observed[1] = 0;
data->server_port = 0;
data->client_port = 0;
data->trans_proto = 0;
data->payload_len[0] = 0;
data->payload_len[1] = 0;
data->ips[0] = 0;
data->ips[1] = 0;
}
typedef enum {
TRACE_IPPROTO_IP = 0, /**< IP pseudo protocol number */
TRACE_IPPROTO_ICMP = 1, /**< Internet Control Message protocol */
TRACE_IPPROTO_IGMP = 2, /**< Internet Group Management Protocol */
TRACE_IPPROTO_IPIP = 4, /**< IP encapsulated in IP */
TRACE_IPPROTO_TCP = 6, /**< Transmission Control Protocol */
TRACE_IPPROTO_UDP = 17, /**< User Datagram Protocol */
TRACE_IPPROTO_IPV6 = 41, /**< IPv6 over IPv4 */
TRACE_IPPROTO_ROUTING = 43, /**< IPv6 Routing header */
TRACE_IPPROTO_FRAGMENT = 44, /**< IPv6 Fragmentation header */
TRACE_IPPROTO_RSVP = 46, /**< Resource Reservation Protocol */
TRACE_IPPROTO_GRE = 47, /**< General Routing Encapsulation */
TRACE_IPPROTO_ESP = 50, /**< Encapsulated Security Payload [RFC2406] */
TRACE_IPPROTO_AH = 51, /**< Authentication Header [RFC2402] */
TRACE_IPPROTO_ICMPV6 = 58, /**< ICMPv6 */
TRACE_IPPROTO_NONE = 59, /**< IPv6 no next header */
TRACE_IPPROTO_DSTOPTS = 60, /**< IPv6 destination options */
TRACE_IPPROTO_OSPF = 89, /**< Open Shortest Path First routing protocol */
TRACE_IPPROTO_PIM = 103, /**< Protocol Independant Multicast */
TRACE_IPPROTO_SCTP = 132 /**< Stream Control Transmission Protocol */
} libtrace_ipproto_t;
static lpi_module_t *test_protocol_list(LPIModuleList *ml, lpi_data_t *data) {
LPIModuleList::iterator l_it;
/* Turns out naively looping through the modules is quicker
* than trying to do intelligent stuff with threads. Most
* callbacks complete very quickly so threading overhead is a
* major problem */
for (l_it = ml->begin(); l_it != ml->end(); ++ l_it) {
lpi_module_t *module = *l_it;
/* To save time, I'm going to break on the first successful
* match. A threaded version would wait for all the modules
* to run, storing all successful results in a list of some
* sort and selecting an appropriate result from there.
*/
if (module->lpi_callback(data, module))
return module;
}
return NULL;
}
static lpi_module_t *guess_protocol(LPIModuleMap *modmap, lpi_data_t *data) {
lpi_module_t *proto = NULL;
LPIModuleMap::iterator m_it;
/* Deal with each priority in turn - want to match higher priority
* rules first.
*/
for (m_it = modmap->begin(); m_it != modmap->end(); ++ m_it) {
LPIModuleList *ml = m_it->second;
proto = test_protocol_list(ml, data);
if (proto != NULL)
break;
}
return proto;
}
lpi_module_t *lpi_guess_protocol(lpi_data_t *data) {
lpi_module_t *p = NULL;
if (!init_called) {
fprintf(stderr, "lpi_init_library was never called - cannot guess the protocol\n");
return NULL;
}
switch(data->trans_proto) {
case TRACE_IPPROTO_ICMP:
return lpi_icmp;
case TRACE_IPPROTO_TCP:
p = guess_protocol(&TCP_protocols, data);
if (p == NULL)
p = lpi_unknown_tcp;
return p;
case TRACE_IPPROTO_UDP:
p = guess_protocol(&UDP_protocols, data);
if (p == NULL)
p = lpi_unknown_udp;
return p;
default:
return lpi_unsupported;
}
return p;
}
lpi_category_t lpi_categorise(lpi_module_t *module) {
if (module == NULL)
return LPI_CATEGORY_NO_CATEGORY;
return module->category;
}
const char *lpi_print_category(lpi_category_t category) {
switch(category) {
case LPI_CATEGORY_WEB:
return "Web";
case LPI_CATEGORY_MAIL:
return "Mail";
case LPI_CATEGORY_CHAT:
return "Chat";
case LPI_CATEGORY_P2P:
return "P2P";
case LPI_CATEGORY_P2P_STRUCTURE:
return "P2P_Structure";
case LPI_CATEGORY_KEY_EXCHANGE:
return "Key_Exchange";
case LPI_CATEGORY_ECOMMERCE:
return "ECommerce";
case LPI_CATEGORY_GAMING:
return "Gaming";
case LPI_CATEGORY_ENCRYPT:
return "Encryption";
case LPI_CATEGORY_MONITORING:
return "Measurement";
case LPI_CATEGORY_NEWS:
return "News";
case LPI_CATEGORY_MALWARE:
return "Malware";
case LPI_CATEGORY_SECURITY:
return "Security";
case LPI_CATEGORY_ANTISPAM:
return "Antispam";
case LPI_CATEGORY_VOIP:
return "VOIP";
case LPI_CATEGORY_TUNNELLING:
return "Tunnelling";
case LPI_CATEGORY_NAT:
return "NAT_Traversal";
case LPI_CATEGORY_STREAMING:
return "Streaming";
case LPI_CATEGORY_SERVICES:
return "Services";
case LPI_CATEGORY_DATABASES:
return "Databases";
case LPI_CATEGORY_FILES:
return "File_Transfer";
case LPI_CATEGORY_REMOTE:
return "Remote_Access";
case LPI_CATEGORY_TELCO:
return "Telco_Services";
case LPI_CATEGORY_P2PTV:
return "P2PTV";
case LPI_CATEGORY_RCS:
return "Revision_Control";
case LPI_CATEGORY_LOGGING:
return "Logging";
case LPI_CATEGORY_PRINTING:
return "Printing";
case LPI_CATEGORY_TRANSLATION:
return "Translation";
case LPI_CATEGORY_CDN:
return "CDN";
case LPI_CATEGORY_CLOUD:
return "Cloud";
case LPI_CATEGORY_NOTIFICATION:
return "Notification";
case LPI_CATEGORY_SERIALISATION:
return "Serialisation";
case LPI_CATEGORY_BROADCAST:
return "Broadcast";
case LPI_CATEGORY_LOCATION:
return "Location";
case LPI_CATEGORY_CACHING:
return "Caching";
case LPI_CATEGORY_ICS:
return "ICS";
case LPI_CATEGORY_MOBILE_APP:
return "Mobile App";
case LPI_CATEGORY_IPCAMERAS:
return "IP Cameras";
case LPI_CATEGORY_EDUCATIONAL:
return "Educational";
case LPI_CATEGORY_MESSAGE_QUEUE:
return "Message_Queuing";
case LPI_CATEGORY_ICMP:
return "ICMP";
case LPI_CATEGORY_MIXED:
return "Mixed";
case LPI_CATEGORY_NOPAYLOAD:
return "No_Payload";
case LPI_CATEGORY_UNKNOWN:
return "Unknown";
case LPI_CATEGORY_UNSUPPORTED:
return "Unsupported";
case LPI_CATEGORY_NO_CATEGORY:
return "Uncategorised";
case LPI_CATEGORY_LAST:
return "Invalid_Category";
}
return "Invalid_Category";
}
const char *lpi_print(lpi_protocol_t proto) {
LPINameMap::iterator it;
it = lpi_names.find(proto);
if (it == lpi_names.end()) {
return "NULL";
}
return (it->second);
}
lpi_protocol_t lpi_get_protocol_by_name(char *name) {
LPIProtocolMap::iterator it;
it = lpi_protocols.find(name);
if (it == lpi_protocols.end()) {
return LPI_PROTO_UNKNOWN;
}
return (it->second);
}
lpi_category_t lpi_get_category_by_name(char *name) {
LPICategoryMap::iterator it;
it = lpi_categories.find(name);
if (it == lpi_categories.end()) {
return LPI_CATEGORY_UNKNOWN;
}
return (it->second);
}
lpi_category_t lpi_get_category_by_protocol(lpi_protocol_t protocol) {
LPICategoryProtocolMap::iterator it;
it = lpi_category_protocols.find(protocol);
if (it == lpi_category_protocols.end()) {
return LPI_CATEGORY_UNKNOWN;
}
return (it->second);
}
bool lpi_is_protocol_inactive(lpi_protocol_t proto) {
LPINameMap::iterator it;
it = lpi_names.find(proto);
if (it == lpi_names.end()) {
return true;
}
return false;
}

854
decoders/glimpse_detector/libprotoident/libprotoident.h Normal file
View File

@@ -0,0 +1,854 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#ifndef LIBPROTOIDENT_H_
#define LIBPROTOIDENT_H_
//#include <libtrace.h>
#include <pthread.h>
#include <list>
#include <stdint.h>
#include <netinet/in.h>
#if __GNUC__ >= 3
#ifndef PRINTF
# define DEPRECATED __attribute__((deprecated))
# define SIMPLE_FUNCTION __attribute__((pure))
# define UNUSED __attribute__((unused))
# define PACKED __attribute__((packed))
# define PRINTF(formatpos,argpos) __attribute__((format(printf,formatpos,argpos)))
#endif
#else
#ifndef PRINTF
# define DEPRECATED
# define SIMPLE_FUNCTION
# define UNUSED
# define PACKED
# define PRINTF(formatpos,argpos)
#endif
#endif
#define DEFAULT_MAXTHREADS 10
#ifdef __cplusplus
extern "C" {
#endif
/* Protocol categories - most l7 protocols fall into a broader category that
* describes what they are used for, e.g. P2P, Web, Mail etc.
*/
typedef enum {
LPI_CATEGORY_WEB, /* HTTP-based protocols */
LPI_CATEGORY_CHAT, /* Instant messaging and chatrooms */
LPI_CATEGORY_MAIL, /* E-mail */
LPI_CATEGORY_P2P, /* Peer-to-peer uploads and downloads */
LPI_CATEGORY_P2P_STRUCTURE, /* Maintenance of P2P networks */
LPI_CATEGORY_KEY_EXCHANGE, /* Protocols used to exchange and
manage cryptographic keys, e.g.
ISAKMP */
LPI_CATEGORY_ECOMMERCE, /* Financial transaction protocols */
LPI_CATEGORY_GAMING, /* Game protocols */
LPI_CATEGORY_ENCRYPT, /* Encrypted traffic that is not
clearly part of another category */
LPI_CATEGORY_MONITORING, /* Network measurement / monitoring */
LPI_CATEGORY_NEWS, /* Newsgroup protocols, e.g. NNTP */
LPI_CATEGORY_MALWARE, /* Viruses, trojans etc. */
LPI_CATEGORY_SECURITY, /* Antivirus and firewall updates */
LPI_CATEGORY_ANTISPAM, /* Anti-spam software update protocols
*/
LPI_CATEGORY_VOIP, /* Voice chat and Internet telephony
protocols */
LPI_CATEGORY_TUNNELLING, /* Tunnelling protocols */
LPI_CATEGORY_NAT, /* NAT traversal protocols */
LPI_CATEGORY_STREAMING, /* Streaming media protocols */
LPI_CATEGORY_SERVICES, /* Basic services, e.g. DNS, NTP */
LPI_CATEGORY_DATABASES, /* Database remote access protocols */
LPI_CATEGORY_FILES, /* Non-P2P file transfer protocols */
LPI_CATEGORY_REMOTE, /* Remote access, e.g. SSH, telnet */
LPI_CATEGORY_TELCO, /* Telco services aside from VOIP, e.g
SMS protocols */
LPI_CATEGORY_P2PTV, /* P2P TV, e.g. PPLive */
LPI_CATEGORY_RCS, /* Revision Control */
LPI_CATEGORY_LOGGING, /* Logging */
LPI_CATEGORY_PRINTING, /* Network printing */
LPI_CATEGORY_TRANSLATION, /* Language translation */
LPI_CATEGORY_CDN, /* CDN protocols, e.g. Akamai */
LPI_CATEGORY_CLOUD, /* Cloud computing/storage protocols */
LPI_CATEGORY_NOTIFICATION, /* Notification / messaging protocols */
LPI_CATEGORY_SERIALISATION, /* Transfer of programming "objects" */
LPI_CATEGORY_BROADCAST, /* Protocols usually broadcast to the
local network */
LPI_CATEGORY_LOCATION, /* Location-related services / GPS */
LPI_CATEGORY_CACHING, /* Proxy cache protocols and similar */
LPI_CATEGORY_MOBILE_APP, /* Mobile apps that don't fit any
other category */
LPI_CATEGORY_ICS, /* Industrial control system protocols */
LPI_CATEGORY_IPCAMERAS, /* IP Surveillance Camera protocols */
LPI_CATEGORY_MESSAGE_QUEUE, /* Message queuing protocols */
LPI_CATEGORY_EDUCATIONAL, /* Educational applications, e.g. virtual
classrooms */
LPI_CATEGORY_ICMP, /* ICMP */
LPI_CATEGORY_MIXED, /* Different protos in each direction */
LPI_CATEGORY_NOPAYLOAD, /* No payload observed */
LPI_CATEGORY_UNSUPPORTED, /* Transport protocol unsupported */
LPI_CATEGORY_UNKNOWN, /* Protocol could not be identified */
LPI_CATEGORY_NO_CATEGORY, /* Protocol has not been placed into a
category yet */
LPI_CATEGORY_LAST /* Must always be last */
} lpi_category_t;
typedef enum {
/* TCP Protocols */
LPI_PROTO_HTTP,
LPI_PROTO_SMTP,
LPI_PROTO_BITTORRENT,
LPI_PROTO_IRC,
LPI_PROTO_NCSOFT, /* NCSoft proprietary protocol */
LPI_PROTO_DC, /* DirectConnect */
LPI_PROTO_EMULE,
LPI_PROTO_GNUTELLA,
LPI_PROTO_SSH,
LPI_PROTO_HTTPS,
LPI_PROTO_RAZOR, /* Razor database updates */
LPI_PROTO_POP3,
LPI_PROTO_SSL, /* SSL that isn't HTTPS */
LPI_PROTO_MSN,
LPI_PROTO_DNS,
LPI_PROTO_IMAP,
LPI_PROTO_RTSP,
LPI_PROTO_ID, /* Identification protocol */
LPI_PROTO_YAHOO,
LPI_PROTO_ICQ,
LPI_PROTO_TELNET,
LPI_PROTO_RDP, /* Windows remote desktop protocol */
LPI_PROTO_TDS, /* MS SQL Server protocol */
LPI_PROTO_RPC_SCAN, /* Port 135 exploit attempt */
LPI_PROTO_SMB, /* Server Message Block protocol e.g. samba */
LPI_PROTO_WARCRAFT3,
LPI_PROTO_ETRUST, /* Updates for the eTrust virus scanner */
LPI_PROTO_FTP_CONTROL, /* FTP control e.g. port 21 or 2121 */
LPI_PROTO_FTP_DATA,
LPI_PROTO_EYE, /* Yahoo Game Server Browser */
LPI_PROTO_ARES, /* Ares peer-to-peer protocol */
LPI_PROTO_NNTP, /* Newsfeeds */
LPI_PROTO_NAPSTER,
LPI_PROTO_BNCS, /* Battle.net Chat Server */
LPI_PROTO_RFB, /* Remote Frame Buffer protocol */
LPI_PROTO_YAHOO_WEBCAM,/* Webcam over Yahoo Messenger */
LPI_PROTO_ICA, /* Citrix ICA */
LPI_PROTO_NETBIOS,
LPI_PROTO_KMS, /* Possibly a vista activation service */
LPI_PROTO_MS_DS,
LPI_PROTO_SIP, /* Session Initiation Protocol*/
LPI_PROTO_MZINGA,
LPI_PROTO_GOKUCHAT,
LPI_PROTO_XUNLEI,
LPI_PROTO_DXP,
LPI_PROTO_HAMACHI,
LPI_PROTO_BLIZZARD,
LPI_PROTO_MSNV, /* MSN Voice */
LPI_PROTO_BITEXT, /* BitTorrent extensions */
LPI_PROTO_MITGLIEDER, /* Mitglieder trojan */
LPI_PROTO_TOR, /* TOR (The Onion Router) */
LPI_PROTO_MYSQL,
LPI_PROTO_HTTP_TUNNEL, /* Tunnelling via HTTP */
LPI_PROTO_RSYNC,
LPI_PROTO_NOTES_RPC, /* Lotus Notes RPC (Domino) */
LPI_PROTO_AZUREUS, /* Azureus Extension */
LPI_PROTO_PANDO, /* Pando P2P protocol */
LPI_PROTO_FLASH, /* Flash Player specific behaviour */
LPI_PROTO_STEAM, /* Steam TCP download, i.e. downloading games */
LPI_PROTO_TRACKMANIA, /* Trackmania control protocol */
LPI_PROTO_CONQUER, /* Conquer Online game */
LPI_PROTO_RTMP, /* Adobe RTMP */
LPI_PROTO_TIP, /* Transaction Internet Protocol */
LPI_PROTO_NONSTANDARD_HTTP, /* HTTP on unconventional port numbers */
LPI_PROTO_HARVEYS, /* Photo transfers for Harveys Real Estate */
LPI_PROTO_SHOUTCAST,
LPI_PROTO_HTTP_BADPORT, /* HTTP over port 443, leading to failure */
LPI_PROTO_POSTGRESQL, /* Postgresql protocol */
LPI_PROTO_WOW, /* World of Warcraft */
LPI_PROTO_M4U, /* Message4U (Aus SMS service) */
LPI_PROTO_RBLS, /* Realtime Block List updates */
LPI_PROTO_OPENVPN,
LPI_PROTO_TELECOMKEY, /* Proto used to talk to telecomkey.com */
LPI_PROTO_IMAPS, /* IMAP over SSL */
LPI_PROTO_MSNC, /* MSN Client Protocol */
LPI_PROTO_YAHOO_ERROR, /* Yahoo method of dealing with HTTP errors */
LPI_PROTO_IMESH, /* iMesh */
LPI_PROTO_PPTP, /* MS Tunnelling protocol */
LPI_PROTO_AFP, /* Apple Filing Protocol */
LPI_PROTO_PDBOX, /* Korean P2P TV protocol */
LPI_PROTO_EA_GAMES, /* EA Games protocol */
LPI_PROTO_ZYNGA, /* Protocol used by Zynga games */
LPI_PROTO_CLUBBOX, /* Another Korean file sharing protocol */
LPI_PROTO_WINMX, /* WinMX */
LPI_PROTO_INVALID_BT, /* Bittorrent in one direction but not other */
LPI_PROTO_WEBLOGIC, /* Weblogic server */
LPI_PROTO_INVALID_HTTP, /* HTTP server sending raw HTML */
LPI_PROTO_COD_WAW, /* Call of Duty: World at War TCP */
LPI_PROTO_MP2P,
LPI_PROTO_SVN,
LPI_PROTO_SOCKS5,
LPI_PROTO_SOCKS4,
LPI_PROTO_INVALID_SMTP,
LPI_PROTO_MMS, /* Microsoft Media Server */
LPI_PROTO_CISCO_VPN, /* Cisco VPN protocol */
LPI_PROTO_WEB_JUNK, /* Clients communicating with web servers
using non-HTTP */
LPI_PROTO_CVS,
LPI_PROTO_LDAP, /* LDAP */
LPI_PROTO_INVALID_POP3, /* POP commands send to an SMTP server */
LPI_PROTO_TEAMVIEWER,
LPI_PROTO_XMPP, /* a.k.a. Jabber */
LPI_PROTO_SECONDLIFE, /* SecondLife over TCP */
LPI_PROTO_KASEYA,
LPI_PROTO_KASPERSKY,
LPI_PROTO_JEDI, /* Citrix Jedi */
LPI_PROTO_CGP, /* Citrix CGP */
LPI_PROTO_YOUKU,
LPI_PROTO_STUN,
LPI_PROTO_XYMON,
LPI_PROTO_MUNIN,
LPI_PROTO_TROJAN_WIN32_GENERIC_SB,
LPI_PROTO_PALTALK,
LPI_PROTO_ZABBIX,
LPI_PROTO_AKAMAI,
LPI_PROTO_GAMESPY,
LPI_PROTO_WUALA,
LPI_PROTO_TROJAN_ZEROACCESS,
LPI_PROTO_DVRNS,
LPI_PROTO_CHATANGO,
LPI_PROTO_OMEGLE,
LPI_PROTO_TELNET_EXPLOIT,
LPI_PROTO_POP3S, /* POP3 over TLS/SSL */
LPI_PROTO_PSN_STORE,
LPI_PROTO_SKYPE_TCP, /* Skype TCP sessions */
LPI_PROTO_APPLE_PUSH, /* Apple push notifications */
LPI_PROTO_XMPPS, /* XMPP over TLS/SSL */
LPI_PROTO_SMTPS, /* Legacy Secure SMTP */
LPI_PROTO_NNTPS, /* NNTP over TLS/SSL */
LPI_PROTO_JAVA, /* Serialised Java Objects */
LPI_PROTO_IPOP, /* IP over P2P */
LPI_PROTO_SPOTIFY,
LPI_PROTO_RUNESCAPE,
LPI_PROTO_WHOIS,
LPI_PROTO_VIBER,
LPI_PROTO_FRING,
LPI_PROTO_PALRINGO,
LPI_PROTO_CRYPTIC, /* Games by Cryptic */
LPI_PROTO_SUPL,
LPI_PROTO_MINECRAFT,
LPI_PROTO_TPKT,
LPI_PROTO_QVOD,
LPI_PROTO_KIK,
LPI_PROTO_WHATSAPP,
LPI_PROTO_WECHAT,
LPI_PROTO_FUNSHION,
LPI_PROTO_BTSYNC,
LPI_PROTO_SPEEDTEST,
LPI_PROTO_GIT,
LPI_PROTO_DUELING_NETWORK,
LPI_PROTO_LINE,
LPI_PROTO_AMP,
LPI_PROTO_SPDY,
LPI_PROTO_YAHOO_GAMES,
LPI_PROTO_DELL_BACKUP,
LPI_PROTO_REVOLVER_NBLBT,
LPI_PROTO_CRASHPLAN,
LPI_PROTO_CLASH_OF_CLANS,
LPI_PROTO_TRION,
LPI_PROTO_MONGO,
LPI_PROTO_LLP2P,
LPI_PROTO_HEARTHSTONE,
LPI_PROTO_DIABLO3,
LPI_PROTO_CACAOWEB,
LPI_PROTO_TAOBAO, /* Custom protocol seen on Taobao CDN */
LPI_PROTO_TERA,
LPI_PROTO_SILKROADONLINE, /* Korean MMO */
LPI_PROTO_GOOGLE_HANGOUTS,
LPI_PROTO_HOLA,
LPI_PROTO_GUILDWARS2,
LPI_PROTO_QQ,
LPI_PROTO_TETRISONLINE,
LPI_PROTO_TWITCH_IRC, /* IRC specific to twitch.tv */
LPI_PROTO_QQLIVE,
LPI_PROTO_TENCENT_GAMES, /* Games operated by Tencent */
LPI_PROTO_VODLOCKER,
LPI_PROTO_TELEGRAM,
LPI_PROTO_XUNLEI_ACCEL,
LPI_PROTO_360SAFEGUARD, /* Chinese anti-virus */
LPI_PROTO_NORTON_BACKUP,
LPI_PROTO_BADBAIDU, /* Weird 1 byte flows from Baidu browser */
LPI_PROTO_KAKAO,
LPI_PROTO_WEIBO,
LPI_PROTO_TENSAFE,
LPI_PROTO_KANKAN,
LPI_PROTO_AIRDROID,
LPI_PROTO_KUAIBO,
LPI_PROTO_DIANPING,
LPI_PROTO_XIAMI,
LPI_PROTO_QQDOWNLOAD,
LPI_PROTO_ZERO_FACEBOOK,
LPI_PROTO_FINALFANTASY_XIV,
LPI_PROTO_FACEBOOK_MESSENGER,
LPI_PROTO_YY,
LPI_PROTO_NETCAT_CCTV,
LPI_PROTO_ZOOM,
LPI_PROTO_S7COMM,
LPI_PROTO_MAXICLOUD,
LPI_PROTO_GLUPTEBA,
LPI_PROTO_WNS,
LPI_PROTO_PANDATV,
LPI_PROTO_FACEBOOK_TURN,
LPI_PROTO_DESTINY,
LPI_PROTO_QCLOUD_ILVB,
LPI_PROTO_BITCOIN,
LPI_PROTO_LIFEFORGE,
LPI_PROTO_ACESTREAM,
LPI_PROTO_MAPLESTORY_CHINA,
LPI_PROTO_NDT_TPUT,
LPI_PROTO_RELAY,
LPI_PROTO_DOUYU,
LPI_PROTO_IDRIVE_SYNC,
LPI_PROTO_TWITCASTING,
LPI_PROTO_THE_DIVISION,
LPI_PROTO_BLACKDESERT,
LPI_PROTO_REALVNC,
LPI_PROTO_DOGECOIN,
LPI_PROTO_FUCKCOIN,
LPI_PROTO_OURWORLD,
LPI_PROTO_GRAAL_ONLINE_ERA,
LPI_PROTO_APPEAR_IN,
LPI_PROTO_VAINGLORY,
LPI_PROTO_WEIQI,
LPI_PROTO_4D,
LPI_PROTO_TANKIX,
LPI_PROTO_IPSHARKK,
LPI_PROTO_NET_MFP,
LPI_PROTO_SPEEDIN,
LPI_PROTO_CROSSFIRE,
LPI_PROTO_DASH,
LPI_PROTO_AIRMEDIA,
LPI_PROTO_GIOP,
LPI_PROTO_VPN_UNLIMITED,
LPI_PROTO_TENFIVECOIN,
LPI_PROTO_BAOFENG,
LPI_PROTO_TALESRUNNER,
LPI_PROTO_ANTCOIN,
LPI_PROTO_FBCDN_SSL,
LPI_PROTO_SAPROUTER,
LPI_PROTO_FLIGGY,
LPI_PROTO_SMITE,
LPI_PROTO_VPNROBOT,
LPI_PROTO_VMWARE,
LPI_PROTO_DOUYU_CHAT,
LPI_PROTO_JX3ONLINE,
LPI_PROTO_LITECOIN,
LPI_PROTO_STRATUM,
LPI_PROTO_WIZARD101,
LPI_PROTO_KINGOFGLORY,
LPI_PROTO_SAS_ZOMBIE_ASSAULT_4,
LPI_PROTO_DNF,
LPI_PROTO_IHEXIN,
LPI_PROTO_NAVER_P2P,
LPI_PROTO_GCAFE_UPDATER,
LPI_PROTO_BWSYNC,
LPI_PROTO_TANKIONLINE,
LPI_PROTO_REALMOFTHEMADGOD,
LPI_PROTO_PATHOFEXILE,
LPI_PROTO_SSJJ,
LPI_PROTO_SPEEDIFY,
LPI_PROTO_NSQ,
LPI_PROTO_SKYFORGE,
LPI_PROTO_HOTS,
LPI_PROTO_NOMACHINE,
LPI_PROTO_QQSPEEDMOBILE,
LPI_PROTO_DAHUA,
LPI_PROTO_UTHERVERSE,
LPI_PROTO_300_HEROES,
LPI_PROTO_FILENORI,
LPI_PROTO_IPFS,
LPI_PROTO_REMOTE_MANIPULATOR,
LPI_PROTO_WEBEX_STUN,
LPI_PROTO_RRTV,
LPI_PROTO_RABBITMQ,
LPI_PROTO_ICEP,
LPI_PROTO_BEAM,
LPI_PROTO_VHDP2P,
LPI_PROTO_CLASSIN,
LPI_PROTO_TRANSOCKS,
LPI_PROTO_RAGNAROK_ONLINE,
LPI_PROTO_ETHERNETIP,
/* UDP Protocols */
LPI_PROTO_UDP,
LPI_PROTO_UDP_SIP,
LPI_PROTO_UDP_BTDHT,
LPI_PROTO_UDP_GNUTELLA,
LPI_PROTO_UDP_DNS,
LPI_PROTO_UDP_DHCP,
LPI_PROTO_UDP_QUAKE,
LPI_PROTO_UDP_STEAM,
LPI_PROTO_UDP_STEAM_FRIENDS,
LPI_PROTO_UDP_STEAM_INHOMEBROADCAST,
LPI_PROTO_UDP_WIN_MESSAGE,
LPI_PROTO_UDP_GAMESPY,
LPI_PROTO_UDP_EMULE,
LPI_PROTO_UDP_EYE,
LPI_PROTO_UDP_RTP,
LPI_PROTO_UDP_ETHERNETIP,
LPI_PROTO_UDP_CIP_IO, /* Common industrial protocol IO */
LPI_PROTO_UDP_MSN_VIDEO,
LPI_PROTO_UDP_COD, /* Call of Duty game protocol */
LPI_PROTO_UDP_NTP,
LPI_PROTO_UDP_MP2P, /* MP2P protocol (Piolet, Manolito etc.) */
LPI_PROTO_UDP_SPAMFIGHTER, /* SpamFighter */
LPI_PROTO_UDP_TRACEROUTE,
LPI_PROTO_UDP_SECONDLIFE,
LPI_PROTO_UDP_HL, /* Halflife, includes derivatives such as
* CounterStrike and Garry's Mod */
LPI_PROTO_UDP_XLSP, /* XLSP - Xbox Live */
LPI_PROTO_UDP_DEMONWARE, /* Company that does game networking */
LPI_PROTO_UDP_IMESH, /* iMesh */
LPI_PROTO_UDP_OPASERV, /* Opaserv worm */
LPI_PROTO_UDP_STUN, /* STUN NAT traversal */
LPI_PROTO_UDP_SQLEXP, /* MS SQL Server worm, called SQLExp */
LPI_PROTO_UDP_MSN_CACHE, /* MSN cache callback protocol */
LPI_PROTO_UDP_DIABLO2, /* Diablo 2 game protocol */
LPI_PROTO_UDP_IPV6, /* IPv6 tunnelled directly over UDP */
LPI_PROTO_UDP_ORBIT, /* Orbit downloader */
LPI_PROTO_UDP_TEREDO,
LPI_PROTO_UDP_KADEMLIA, /* Unknown flavour of kademlia */
LPI_PROTO_UDP_PANDO, /* Pando DHT and Peer Exchange */
LPI_PROTO_UDP_ESP, /* ESP/IPSec encapsulated in UDP */
LPI_PROTO_UDP_PSN, /* Playstation Network */
LPI_PROTO_UDP_REAL, /* RDT - the Real Data Transport protocol */
LPI_PROTO_UDP_GNUTELLA2, /* Gnutella2 */
LPI_PROTO_UDP_PYZOR, /* Python implementation of Razor */
LPI_PROTO_UDP_SKYPE,
LPI_PROTO_UDP_ISAKMP, /* ref: RFC 2408 */
LPI_PROTO_UDP_SNMP,
LPI_PROTO_UDP_BACKWEB, /* BackWeb Polite Protocol */
LPI_PROTO_UDP_STARCRAFT,
LPI_PROTO_UDP_XFIRE_P2P, /* Xfire P2P protocol */
LPI_PROTO_UDP_THQ, /* Protocol used by THQ games */
LPI_PROTO_UDP_NEWERTH, /* Heroes of Newerth */
LPI_PROTO_UDP_LINKPROOF, /* Linkproof device packets */
LPI_PROTO_UDP_WORM_22105, /* Chinese worm that uses port 22105 */
LPI_PROTO_UDP_QQ, /* Tencent QQ */
LPI_PROTO_UDP_SLP, /* Service Location Protocol, RFC 2608 */
LPI_PROTO_UDP_ESO, /* Games using Ensemble Studios Online */
LPI_PROTO_UDP_SSDP,
LPI_PROTO_UDP_NETBIOS, /* Netbios lookup */
LPI_PROTO_UDP_CP_RDP, /* Checkpoint RDP */
LPI_PROTO_UDP_VENTRILO, /* Ventrilo VoiceChat */
LPI_PROTO_UDP_MTA, /* Multitheftauto */
LPI_PROTO_UDP_PPLIVE,
LPI_PROTO_UDP_JEDI_ACADEMY, /* Jedi Academy game */
LPI_PROTO_UDP_MOH, /* Medal of Honor game */
LPI_PROTO_UDP_TREMULOUS, /* Tremulous - free OSS FPS */
LPI_PROTO_UDP_VIVOX, /* Vivox voice chat */
LPI_PROTO_UDP_IPMSG, /* IPMsg messenger */
LPI_PROTO_UDP_TEAMSPEAK,
LPI_PROTO_UDP_DC, /* DirectConnect UDP commands */
LPI_PROTO_UDP_FREECHAL, /* FreeChal P2P */
LPI_PROTO_UDP_XUNLEI,
LPI_PROTO_UDP_KAZAA,
LPI_PROTO_UDP_NORTON, /* Norton Antivirus probe */
LPI_PROTO_UDP_CISCO_VPN, /* Cisco VPN (port 10000) */
LPI_PROTO_UDP_RTCP,
LPI_PROTO_UDP_UNREAL, /* Unreal server query protocol */
LPI_PROTO_UDP_TFTP,
LPI_PROTO_UDP_GARENA, /* A gaming platform */
LPI_PROTO_UDP_PPSTREAM, /* PPStream - Chinese P2PTV */
LPI_PROTO_UDP_FORTINET, /* Fortinet update protocol */
LPI_PROTO_UDP_TVANTS, /* TVants P2PTV - no longer active */
LPI_PROTO_UDP_STORM_WORM,
LPI_PROTO_UDP_BATTLEFIELD, /* Battlefield series of games */
LPI_PROTO_UDP_SOPCAST,
LPI_PROTO_UDP_SERIALNUMBERD,
LPI_PROTO_UDP_LDAP_AD,
LPI_PROTO_UDP_RTMFP,
LPI_PROTO_UDP_L2TP,
LPI_PROTO_UDP_SYSLOG,
LPI_PROTO_UDP_AKAMAI,
LPI_PROTO_UDP_RADIUS,
LPI_PROTO_UDP_HAMACHI,
LPI_PROTO_UDP_BJNP, /* Canon BJNP printing protocol */
LPI_PROTO_UDP_KASPERSKY,
LPI_PROTO_UDP_GSM,
LPI_PROTO_UDP_JEDI, /* Citrix Jedi */
LPI_PROTO_UDP_YOUKU,
LPI_PROTO_UDP_YOUDAO_DICT,
LPI_PROTO_UDP_DRIVESHARE,
LPI_PROTO_UDP_CIRN, /* Carpathia Intelligent Routing Network */
LPI_PROTO_UDP_NEVERWINTER,
LPI_PROTO_UDP_QQLIVE,
LPI_PROTO_UDP_TEAMVIEWER,
LPI_PROTO_UDP_ARES,
LPI_PROTO_UDP_EPSON,
LPI_PROTO_UDP_AKAMAI_TRANSFER,
LPI_PROTO_UDP_DCC,
LPI_PROTO_UDP_AMANDA,
LPI_PROTO_UDP_NETFLOW,
LPI_PROTO_UDP_ZEROACCESS,
LPI_PROTO_UDP_VXWORKS_EXPLOIT,
LPI_PROTO_UDP_APPLE_FACETIME_INIT,
LPI_PROTO_UDP_STEAM_LOCALBROADCAST,
/* ^Protocol used by Steam to discover clients on the local network */
LPI_PROTO_UDP_LANSYNC, /* LANSync, used by DropBox */
LPI_PROTO_UDP_BTSYNC,
LPI_PROTO_UDP_MSOFFICE_MAC, /* MS Office for Mac anti-piracy */
LPI_PROTO_UDP_SPOTIFY_BROADCAST,
LPI_PROTO_UDP_MDNS, /* Multicast DNS */
LPI_PROTO_UDP_FASP,
LPI_PROTO_UDP_RAKNET,
LPI_PROTO_UDP_OPENVPN,
LPI_PROTO_UDP_NOE, /* Alcatel's New Office Environment */
LPI_PROTO_UDP_VIBER,
LPI_PROTO_UDP_DTLS,
LPI_PROTO_UDP_ICP,
LPI_PROTO_UDP_LOL, /* League of Legends */
LPI_PROTO_UDP_SANANDREAS, /* San Andreas Multiplayer */
LPI_PROTO_UDP_MFNP, /* Canon MFNP Printer protocol */
LPI_PROTO_UDP_FUNSHION,
LPI_PROTO_UDP_QUIC,
LPI_PROTO_UDP_AVAST_DNS,
LPI_PROTO_UDP_DB2,
LPI_PROTO_UDP_NATPMP,
LPI_PROTO_UDP_GPRS_TUNNEL,
LPI_PROTO_UDP_WECHAT,
LPI_PROTO_UDP_NOCTION,
LPI_PROTO_UDP_ARMA_SERVER, /* Includes DayZ */
LPI_PROTO_UDP_PLANETSIDE2,
LPI_PROTO_UDP_RWTH_AACHEN, /* RWTH-Aachen University research */
LPI_PROTO_UDP_BMDP, /* Part of Microsoft ADS */
LPI_PROTO_UDP_DOTA2,
LPI_PROTO_UDP_LINE,
LPI_PROTO_UDP_ZOOM,
LPI_PROTO_UDP_HEROES_GENERALS, /* Heroes and Generals */
LPI_PROTO_UDP_WARTHUNDER,
LPI_PROTO_UDP_H1Z1,
LPI_PROTO_UDP_CS_GLOBAL_OFFENSIVE,
LPI_PROTO_UDP_NTP_REFLECT, /* NTP reflection attack */
LPI_PROTO_UDP_PUNKBUSTER,
LPI_PROTO_UDP_ROBOCRAFT,
LPI_PROTO_UDP_CISCO_SSLVPN,
LPI_PROTO_UDP_ACERCLOUD,
LPI_PROTO_UDP_360CN,
LPI_PROTO_UDP_WOLF_ET,
LPI_PROTO_UDP_KUGOU,
LPI_PROTO_UDP_XUNLEI_JSQ,
LPI_PROTO_UDP_KANKAN,
LPI_PROTO_UDP_QQPCMGR,
LPI_PROTO_UDP_DIANPING,
LPI_PROTO_UDP_XUNYOU,
LPI_PROTO_UDP_FORTICLIENT_SSLVPN,
LPI_PROTO_UDP_DISCORD,
LPI_PROTO_UDP_NETCORE,
LPI_PROTO_UDP_ARMA3_SERVER,
LPI_PROTO_UDP_BAIDU_YUN_P2P,
LPI_PROTO_UDP_YY,
LPI_PROTO_UDP_OVERWATCH,
LPI_PROTO_UDP_BACNET,
LPI_PROTO_UDP_ARK_SURVIVAL,
LPI_PROTO_UDP_360P2P,
LPI_PROTO_UDP_PORTMAP_RPC,
LPI_PROTO_UDP_NINTENDO,
LPI_PROTO_UDP_CHIVALRY,
LPI_PROTO_UDP_DOYO,
LPI_PROTO_UDP_NETCAT_CCTV,
LPI_PROTO_UDP_N2PING,
LPI_PROTO_UDP_RAMSEY_DASH,
LPI_PROTO_UDP_UBISOFT_GAMES,
LPI_PROTO_UDP_THE_CREW,
LPI_PROTO_UDP_TURBOVPN,
LPI_PROTO_UDP_GEARSOFWAR,
LPI_PROTO_UDP_RDP,
LPI_PROTO_UDP_HOTS,
LPI_PROTO_UDP_VPNMASTER,
LPI_PROTO_UDP_DIANSHIJIA,
LPI_PROTO_UDP_PS4_REMOTEPLAY,
LPI_PROTO_UDP_STARCITIZEN,
LPI_PROTO_UDP_WEBEX,
LPI_PROTO_UDP_HALO_ONLINE,
LPI_PROTO_UDP_GOTOMEETING,
LPI_PROTO_UDP_CROSSOUT,
LPI_PROTO_UDP_UMEYE,
LPI_PROTO_UDP_RISING_STORM,
LPI_PROTO_UDP_CROSSFIRE,
LPI_PROTO_UDP_MERAKICLOUD,
LPI_PROTO_UDP_SNAPVPN,
LPI_PROTO_UDP_DAHUA,
LPI_PROTO_UDP_STARLEAF,
LPI_PROTO_UDP_FOSCAM,
LPI_PROTO_UDP_DESTINY,
LPI_PROTO_UDP_BAOFENG,
LPI_PROTO_UDP_TORCHLIGHT2,
LPI_PROTO_UDP_SMITE,
LPI_PROTO_UDP_COUNTERSTRIKE_16,
LPI_PROTO_UDP_VPNROBOT,
LPI_PROTO_UDP_TF2,
LPI_PROTO_UDP_GANGSOFSPACE,
LPI_PROTO_UDP_COMBATARMS,
LPI_PROTO_UDP_COMBATARMS_P2P,
LPI_PROTO_UDP_PANIPANI,
LPI_PROTO_UDP_FEITWO,
LPI_PROTO_UDP_MOONHUNTERS,
LPI_PROTO_UDP_HELIBORNE,
LPI_PROTO_UDP_KINGOFGLORY,
LPI_PROTO_UDP_ASSETTO_CORSA,
LPI_PROTO_UDP_CACAOWEB,
LPI_PROTO_UDP_ZALO_CALL,
LPI_PROTO_UDP_PALADINS,
LPI_PROTO_UDP_CHARGEN_EXPLOIT,
LPI_PROTO_UDP_TOX,
LPI_PROTO_UDP_HOLLA,
LPI_PROTO_UDP_RRSHARE,
LPI_PROTO_UDP_QQSPEEDMOBILE,
LPI_PROTO_UDP_LOADOUT,
LPI_PROTO_UDP_GANGLIA,
LPI_PROTO_UDP_TALESRUNNER,
LPI_PROTO_UDP_FREEFIRE,
LPI_PROTO_UDP_HEROES_EVOLVED,
LPI_PROTO_UDP_RULES_OF_SURVIVAL,
LPI_PROTO_UDP_CONTRACT_WARS,
LPI_PROTO_UDP_ARD,
LPI_PROTO_UDP_QVOD,
LPI_PROTO_UDP_YUANFUDAO,
LPI_PROTO_UDP_ROCKET_LEAGUE,
LPI_PROTO_UDP_CLOUDFLARE_WARP,
LPI_PROTO_UDP_WIREGUARD,
LPI_PROTO_UDP_COD_MOBILE,
LPI_PROTO_UDP_NVIDIA_GAMESTREAM,
LPI_PROTO_UDP_CLASSIN,
LPI_PROTO_UDP_ARTCP,
/* Patterns that we can match, but do not know the protocol */
LPI_PROTO_REJECTION, /* All responses are 0x02 */
LPI_PROTO_MYSTERY_9000, /* Occurs on tcp port 9000 */
LPI_PROTO_MYSTERY_PSPR,
LPI_PROTO_MYSTERY_8000,
LPI_PROTO_MYSTERY_IG,
LPI_PROTO_MYSTERY_CONN,
LPI_PROTO_MYSTERY_SYMANTEC,
LPI_PROTO_MYSTERY_RXXF,
LPI_PROTO_UDP_MYSTERY_0D,
LPI_PROTO_UDP_MYSTERY_99,
LPI_PROTO_UDP_MYSTERY_8000,
LPI_PROTO_UDP_MYSTERY_45,
LPI_PROTO_UDP_MYSTERY_0660,
LPI_PROTO_UDP_MYSTERY_E9,
LPI_PROTO_UDP_MYSTERY_QQ,
LPI_PROTO_UDP_MYSTERY_61_72,
LPI_PROTO_UDP_MYSTERY_05,
LPI_PROTO_ICMP,
LPI_PROTO_INVALID, /* No single valid protocol */
LPI_PROTO_NO_PAYLOAD,
LPI_PROTO_NO_FIRSTPKT,
LPI_PROTO_UNSUPPORTED,
LPI_PROTO_UNKNOWN,
LPI_PROTO_TCP_LDAP_AD,
LPI_PROTO_LAST /** ALWAYS have this as the last value */
} lpi_protocol_t;
/* This structure stores all the data needed by libprotoident to identify the
* application protocol for a flow. Do not change the contents of this struct
* directly - lpi_update_data() will do that for you - but reading the values
* should be ok. */
typedef struct lpi {
uint32_t payload[2];
bool seen_syn[2];
uint32_t seqno[2];
uint32_t observed[2];
uint16_t server_port;
uint16_t client_port;
uint8_t trans_proto;
uint32_t payload_len[2];
uint32_t ips[2];
} lpi_data_t;
typedef struct lpi_module lpi_module_t;
/* This structure describes an individual LPI module - i.e. a protocol
* supported by libprotoident */
struct lpi_module {
lpi_protocol_t protocol; /* The protocol ID */
lpi_category_t category; /* The category for this protocol */
const char *name; /* The protocol name, as a string */
uint8_t priority; /* The relative priority for matching
this protocol */
/* The callback function for testing whether a given set of LPI
* data matches the ruleset for this protocol */
bool (*lpi_callback) (lpi_data_t *proto_d, lpi_module_t *module);
};
typedef std::list<lpi_module_t *> ProtoMatchList;
typedef struct lpi_thread {
int index;
lpi_module_t *module;
lpi_data_t *data;
bool result;
} lpi_thread_t;
typedef std::list<pthread_t> ThreadList;
/* Initialises the LPI library, by registering all the protocol modules.
*
* @return 0 if initialisation succeeded, -1 otherwise
*/
int lpi_init_library(int level);
/* Shuts down the LPI library, by de-registering all the protocol modules */
void lpi_free_library(void);
/** Initialises an LPI data structure, setting all the members to appropriate
* starting values.
*
* @param data The LPI data structure to be initialised.
*/
void lpi_init_data(lpi_data_t *data);
/** Updates the LPI data structure based on the contents of the packet
* provided.
*
* @note The direction must be provided by the caller, as we cannot rely
* on trace_get_direction().
*
* @param packet The packet to update the LPI data from.
* @param data The LPI data structure to be updated.
* @param dir The direction of the packet - 0 is outgoing, 1 is incoming.
*
* @return 0 if the packet was ignored, 1 if the LPI data was updated.
*/
int lpi_update_dpkt(lpi_data_t *data, struct streaminfo *pstream,
const char *scan_data, int scan_data_len, char tsproto, uint32_t plseq,
uint32_t _curdir);
/** Returns a unique string describing the provided protocol.
*
* This is essentially a protocol-to-string conversion function.
*
* @param proto The protocol that a string representation is required for.
*
* @return A pointer to a statically allocated string describing the protocol.
* This is allocated on the stack, so should be used or copied immediately.
*/
const char *lpi_print(lpi_protocol_t proto);
/** Given a protocol, returns the category that it matches.
*
* @param proto The protocol that a category is required for.
*
* @return The category that the protocol belongs to.
*/
lpi_category_t lpi_categorise(lpi_module_t *proto);
/** Returns a unique string describing the provided category.
*
* This is essentially a category-to-string conversion function.
*
* @param category The category that a string representation is required for.
*
* @return A pointer to a statically allocated string describing the category.
* This is allocated on the stack, so should be used or copied immediately.
*/
const char *lpi_print_category(lpi_category_t category);
/** Using the provided data, attempts to determine the L7 protocol being used
* by that flow.
*
* @param data The LPI data to use when determining the protocol.
*
* @return The LPI module for the protocol that matches the profile described
* by the given LPI data. If no protocol matches, the module for either
* LPI_UNKNOWN or LPI_UNKNOWN_UDP will be returned, depending on the transport
* protocol.
*/
lpi_module_t *lpi_guess_protocol(lpi_data_t *data);
/** Given the protocol name, returns the lpi protcol it matches.
*
* @param name The protocol name
*
* @returns The LPI protocol for the supplied name.
* LPI_PROTO_UNKNOWN if the name is not found.
*/
lpi_protocol_t lpi_get_protocol_by_name(char *name);
/* Give the category name, returns the lpi category it matches.
*
* @param name The protocol name
*
* @returns the LPI category for the supplied name on success.
* LPI_CATEGORY_UNKNOWN if the name is not found.
*/
lpi_category_t lpi_get_category_by_name(char *name);
/* Given the lpi protocol, returns the lpi category it matches.
*
* @param protocol The lpi protocol
*
* @returns the lpi category for the supplied lpi protocol.
* LPI_CATEGORY_UNKNOWN if the category is not found.
*/
lpi_category_t lpi_get_category_by_protocol(lpi_protocol_t protocol);
/** Determines whether the protocol matching a given protocol number is no
* longer supported by libprotoident.
*
* @param proto The protocol to check
*
* @return true if the protocol is no longer supported, false otherwise.
*
* Some protocols are no longer supported by libprotoident, either because
* the rules were found to be producing too many false positives or the
* protocol has been merged with another existing protocol (especially in the
* case of mystery protocols). When these cases occur, we don't necessarily
* remove the protocol from the enumerated type list, just disable the module
* and set the name string for the protocol to "NULL".
*
* This function allows the caller to check if a given protocol value has
* been disabled. This is often handy when reporting stats for all the
* protocol values (see lpi_live for an example), as ideally you would want
* to avoid reporting anything for the NULL protocols.
*/
bool lpi_is_protocol_inactive(lpi_protocol_t proto);
#ifdef __cplusplus
}
#endif
#endif

867
decoders/glimpse_detector/libprotoident/proto_common.cc Normal file
View File

@@ -0,0 +1,867 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#ifdef __APPLE__
#include <libkern/OSByteOrder.h>
#define bswap32 OSSwapInt32
#endif
#ifdef __FreeBSD__
#include <sys/endian.h>
#endif
#ifdef __linux__
#include <byteswap.h>
#define bswap32 __bswap_32
#endif
#include "libprotoident.h"
#include "proto_common.h"
bool match_str_either(lpi_data_t *data, const char *string) {
if (MATCHSTR(data->payload[0], string))
return true;
if (MATCHSTR(data->payload[1], string))
return true;
return false;
}
bool match_str_both(lpi_data_t *data, const char *string1,
const char *string2) {
if (MATCHSTR(data->payload[0], string1) &&
MATCHSTR(data->payload[1], string2))
return true;
if (MATCHSTR(data->payload[1], string1) &&
MATCHSTR(data->payload[0], string2))
return true;
return false;
}
bool match_chars_either(lpi_data_t *data, char a, char b, char c,
char d) {
if (MATCH(data->payload[0], a, b, c, d))
return true;
if (MATCH(data->payload[1], a, b, c, d))
return true;
return false;
}
bool match_payload_length(uint32_t payload, uint32_t payload_len) {
uint32_t header = 0;
header = ntohl(payload);
/* See if the length in the (presumed) header matches the
* length of the rest of the packet minus the header itself (4 bytes).
*
* Watch out for the case of a 4 byte packet containing just
* 00 00 00 00! */
if (payload_len > 4 && header == payload_len - 4)
return true;
return false;
}
bool match_ip_address_both(lpi_data_t *data) {
uint8_t matches = 0;
if (data->ips[0] == 0 || data->ips[1] == 0)
return false;
if (data->payload_len[0] == 0)
matches += 1;
else if (data->payload[0] == data->ips[0])
matches += 1;
else if (data->payload[0] == data->ips[1])
matches += 1;
if (data->payload_len[1] == 0)
matches += 1;
else if (data->payload[1] == data->ips[0])
matches += 1;
else if (data->payload[1] == data->ips[1])
matches += 1;
if (matches == 2)
return true;
else
return false;
}
/* Multiple protocols use HTTP-style requests */
bool match_http_request(uint32_t payload, uint32_t len) {
/* HTTP requests - some of these are MS-specific extensions */
if (len == 0)
return true;
if (MATCHSTR(payload, "GET ")) return true;
if (len == 1 && MATCH(payload, 'G', 0x00, 0x00, 0x00))
return true;
if (len == 2 && MATCH(payload, 'G', 'E', 0x00, 0x00))
return true;
if (len == 3 && MATCH(payload, 'G', 'E', 'T', 0x00))
return true;
if (MATCHSTR(payload, "POST")) return true;
if (MATCHSTR(payload, "HEAD")) return true;
if (MATCHSTR(payload, "PUT ")) return true;
if (MATCHSTR(payload, "DELE")) return true;
if (MATCHSTR(payload, "auth")) return true;
/* SVN? */
if (MATCHSTR(payload, "REPO")) return true;
/* Webdav */
if (MATCHSTR(payload, "LOCK")) return true;
if (MATCHSTR(payload, "UNLO")) return true;
if (MATCHSTR(payload, "OPTI")) return true;
if (MATCHSTR(payload, "PROP")) return true;
if (MATCHSTR(payload, "MKCO")) return true;
if (MATCHSTR(payload, "POLL")) return true;
if (MATCHSTR(payload, "SEAR")) return true;
/* Ntrip - some differential GPS system using modified HTTP */
if (MATCHSTR(payload, "SOUR")) return true;
return false;
}
/* File headers are not specific to any particular protocol */
bool match_file_header(uint32_t payload) {
/* RIFF is a meta-format for storing AVI and WAV files */
if (MATCHSTR(payload, "RIFF"))
return true;
/* MZ is a .exe file */
if (MATCH(payload, 'M', 'Z', ANY, 0x00))
return true;
/* Ogg files */
if (MATCHSTR(payload, "OggS"))
return true;
/* ZIP files */
if (MATCH(payload, 'P', 'K', 0x03, 0x04))
return true;
/* MPEG files */
if (MATCH(payload, 0x00, 0x00, 0x01, 0xba))
return true;
/* RAR files */
if (MATCHSTR(payload, "Rar!"))
return true;
/* EBML */
if (MATCH(payload, 0x1a, 0x45, 0xdf, 0xa3))
return true;
/* JPG */
if (MATCH(payload, 0xff, 0xd8, ANY, ANY))
return true;
/* GIF */
if (MATCHSTR(payload, "GIF8"))
return true;
/* I'm also going to include PHP scripts in here */
if (MATCH(payload, 0x3c, 0x3f, 0x70, 0x68))
return true;
/* Unix scripts */
if (MATCH(payload, 0x23, 0x21, 0x2f, 0x62))
return true;
/* PDFs */
if (MATCHSTR(payload, "%PDF"))
return true;
/* PNG */
if (MATCH(payload, 0x89, 'P', 'N', 'G'))
return true;
/* HTML */
if (MATCHSTR(payload, "<htm"))
return true;
if (MATCH(payload, 0x0a, '<', '!', 'D'))
return true;
/* 7zip */
if (MATCH(payload, 0x37, 0x7a, 0xbc, 0xaf))
return true;
/* gzip - may need to replace last two bytes with ANY */
if (MATCH(payload, 0x1f, 0x8b, 0x08, ANY))
return true;
/* XML */
if (MATCHSTR(payload, "<!DO"))
return true;
/* FLAC */
if (MATCHSTR(payload, "fLaC"))
return true;
/* MP3 */
if (MATCH(payload, 'I', 'D', '3', 0x03))
return true;
if (MATCHSTR(payload, "\xff\xfb\x90\xc0"))
return true;
/* RPM */
if (MATCH(payload, 0xed, 0xab, 0xee, 0xdb))
return true;
/* Wz Patch */
if (MATCHSTR(payload, "WzPa"))
return true;
/* Flash Video */
if (MATCH(payload, 'F', 'L', 'V', 0x01))
return true;
/* .BKF (Microsoft Tape Format) */
if (MATCHSTR(payload, "TAPE"))
return true;
/* MS Office Doc file - this is unpleasantly geeky */
if (MATCH(payload, 0xd0, 0xcf, 0x11, 0xe0))
return true;
/* ASP */
if (MATCH(payload, 0x3c, 0x25, 0x40, 0x20))
return true;
/* WMS file */
if (MATCH(payload, 0x3c, 0x21, 0x2d, 0x2d))
return true;
/* ar archive, typically .deb files */
if (MATCHSTR(payload, "!<ar"))
return true;
/* Raw XML */
if (MATCHSTR(payload, "<?xm"))
return true;
if (MATCHSTR(payload, "<iq "))
return true;
/* SPF */
if (MATCHSTR(payload, "SPFI"))
return true;
/* ABIF - Applied Biosystems */
if (MATCHSTR(payload, "ABIF"))
return true;
/* bzip2 - other digits are also possible instead of 9 */
if (MATCH(payload, 'B', 'Z', 'h', '9'))
return true;
/* xz compression format */
if (MATCH(payload, 0xfd, '7', 'z', 'X'))
return true;
/* Microsoft Cabinet Files */
if (MATCH(payload, 'M', 'S', 'C', 'F'))
return true;
/* M4A -- be wary of false positives? */
if (MATCH(payload, 0x00, 0x00, 0x00, 0x20))
return true;
/* TIFF */
if (MATCH(payload, 0x49, 0x49, 0x2a, 0x00))
return true;
/* LZMA */
if (MATCH(payload, 0x5d, 0x00, 0x00, 0x80))
return true;
/* Source engine BSP file */
if (MATCH(payload, 'V', 'B', 'S', 'P'))
return true;
/* TTF */
if (MATCH(payload, 0x00, 0x01, 0x00, 0x00))
return true;
if (MATCH(payload, 'O', 'T', 'T', 'O'))
return true;
/* WOF2 TTCF */
if (MATCH(payload, 't', 't', 'c', 'f'))
return true;
/* RIR delegation files... */
if (MATCH(payload, '2', '.', '3', '|'))
return true;
/* REBASE -- restriction enzyme database
* A bit niche, but might be fairly common at universities? */
if (MATCH(payload, 0x20, 0x0a, 'R', 'E'))
return true;
/* Old coralreef trace files! */
if (MATCHSTR(payload, "\xff\xff\x44\x00"))
return true;
/* I'm pretty sure the following are files of some type or another.
* They crop up pretty often in our test data sets, so I'm going to
* put them in here.
*
* Hopefully one day we will find out what they really are */
if (MATCH(payload, '<', 'c', 'f', ANY))
return true;
if (MATCH(payload, '<', 'C', 'F', ANY))
return true;
if (MATCHSTR(payload, ".tem"))
return true;
if (MATCHSTR(payload, ".ite"))
return true;
if (MATCHSTR(payload, ".lef"))
return true;
return false;
}
bool valid_http_port(lpi_data_t *data) {
/* Must be on a known HTTP port - designed to filter
* out P2P protos that use HTTP.
*
* XXX If this doesn't work well, get rid of it!
*/
if (data->server_port == 80 || data->client_port == 80)
return true;
if (data->server_port == 8080 || data->client_port == 8080)
return true;
if (data->server_port == 8081 || data->client_port == 8081)
return true;
/* If port 443 responds, we want it to be counted as genuine
* HTTP, rather than a bad port scenario */
if (data->server_port == 443 || data->client_port == 443) {
if (data->payload_len[0] > 0 && data->payload_len[1] > 0)
return true;
}
return false;
}
/* 16 03 00 X is an SSLv3 handshake */
static inline bool match_ssl3_handshake(uint32_t payload, uint32_t len) {
if (len == 0)
return true;
if (len == 1 && MATCH(payload, 0x16, 0x00, 0x00, 0x00))
return true;
if (MATCH(payload, 0x16, 0x03, 0x00, ANY))
return true;
return false;
}
/* 16 03 01 X is an TLS handshake */
static inline bool match_tls_handshake(uint32_t payload, uint32_t len) {
if (len == 0)
return true;
if (len == 1 && MATCH(payload, 0x16, 0x00, 0x00, 0x00))
return true;
if (MATCH(payload, 0x16, 0x03, 0x01, ANY))
return true;
if (MATCH(payload, 0x16, 0x03, 0x02, ANY))
return true;
if (MATCH(payload, 0x16, 0x03, 0x03, ANY))
return true;
return false;
}
/* SSLv2 handshake - the ANY byte in the 0x80 payload is actually the length
* of the payload - 2.
*
* XXX This isn't always true - consecutive packets may be merged it seems :(
*/
static inline bool match_ssl2_handshake(uint32_t payload, uint32_t len) {
if (MATCH(payload, 0x80, ANY, 0x01, 0x03))
return true;
if (MATCH(payload, 0x81, ANY, 0x01, 0x03))
return true;
return false;
}
static inline bool match_tls_alert(uint32_t payload, uint32_t len) {
if (MATCH(payload, 0x15, 0x03, 0x01, ANY))
return true;
if (MATCH(payload, 0x15, 0x03, 0x02, ANY))
return true;
if (MATCH(payload, 0x15, 0x03, 0x03, ANY))
return true;
/* Alerts are also possible under SSL 3.0 */
if (MATCH(payload, 0x15, 0x03, 0x00, ANY))
return true;
return false;
}
static inline bool match_tls_change(uint32_t payload, uint32_t len) {
if (MATCH(payload, 0x14, 0x03, 0x01, ANY))
return true;
if (MATCH(payload, 0x14, 0x03, 0x02, ANY))
return true;
if (MATCH(payload, 0x14, 0x03, 0x03, ANY))
return true;
return false;
}
static inline bool match_tls_content(uint32_t payload, uint32_t len) {
if (MATCH(payload, 0x17, 0x03, 0x01, ANY))
return true;
if (MATCH(payload, 0x17, 0x03, 0x02, ANY))
return true;
if (MATCH(payload, 0x17, 0x03, 0x03, ANY))
return true;
return false;
}
bool match_ssl(lpi_data_t *data) {
if (match_ssl3_handshake(data->payload[0], data->payload_len[0]) &&
match_ssl3_handshake(data->payload[1], data->payload_len[1]))
return true;
if (match_tls_handshake(data->payload[0], data->payload_len[0]) &&
match_tls_handshake(data->payload[1], data->payload_len[1]))
return true;
if (match_ssl3_handshake(data->payload[0], data->payload_len[0]) &&
match_tls_handshake(data->payload[1], data->payload_len[1]))
return true;
if (match_tls_handshake(data->payload[0], data->payload_len[0]) &&
match_ssl3_handshake(data->payload[1], data->payload_len[1]))
return true;
/* Seems we can sometimes skip the full handshake and start on the data
* right away (as indicated by 0x17) - for now, I've only done this for TLS */
if (match_tls_handshake(data->payload[0], data->payload_len[0]) &&
match_tls_content(data->payload[1], data->payload_len[1]))
return true;
if (match_tls_handshake(data->payload[1], data->payload_len[1]) &&
match_tls_content(data->payload[0], data->payload_len[0]))
return true;
/* Need to check for TLS alerts (errors) too */
if (match_tls_handshake(data->payload[0], data->payload_len[0]) &&
match_tls_alert(data->payload[1], data->payload_len[1]))
return true;
if (match_tls_handshake(data->payload[1], data->payload_len[1]) &&
match_tls_alert(data->payload[0], data->payload_len[0]))
return true;
if (match_ssl3_handshake(data->payload[0], data->payload_len[0]) &&
match_tls_alert(data->payload[1], data->payload_len[1]))
return true;
if (match_ssl3_handshake(data->payload[1], data->payload_len[1]) &&
match_tls_alert(data->payload[0], data->payload_len[0]))
return true;
/* Need to check for cipher changes too */
if (match_tls_handshake(data->payload[0], data->payload_len[0]) &&
match_tls_change(data->payload[1], data->payload_len[1]))
return true;
if (match_tls_handshake(data->payload[1], data->payload_len[1]) &&
match_tls_change(data->payload[0], data->payload_len[0]))
return true;
/* Some HTTPS servers respond with unencrypted content, presumably
* when somebody invalid attempts a connection */
if (match_tls_handshake(data->payload[0], data->payload_len[0]) &&
MATCHSTR(data->payload[1], "<!DO") &&
data->payload_len[0] != 0)
return true;
if (match_tls_handshake(data->payload[1], data->payload_len[1]) &&
MATCHSTR(data->payload[0], "<!DO") &&
data->payload_len[1] != 0)
return true;
/* Allow TLS content in both directions -- could be multi-path TCP?
* Or some form of picking up where a previous connection left off?
*/
if (match_tls_content(data->payload[0], data->payload_len[0]) &&
match_tls_content(data->payload[1], data->payload_len[1]))
return true;
if (match_tls_content(data->payload[1], data->payload_len[1]) &&
match_tls_content(data->payload[0], data->payload_len[0]))
return true;
if ((match_tls_handshake(data->payload[0], data->payload_len[0]) ||
match_ssl3_handshake(data->payload[0], data->payload_len[0])) &&
match_ssl2_handshake(data->payload[1], data->payload_len[1]))
return true;
if ((match_tls_handshake(data->payload[1], data->payload_len[1]) ||
match_ssl3_handshake(data->payload[1], data->payload_len[1])) &&
match_ssl2_handshake(data->payload[0], data->payload_len[0]))
return true;
if (data->payload_len[0] == 0 && match_ssl2_handshake(data->payload[1], data->payload_len[1]))
return true;
if (data->payload_len[1] == 0 && match_ssl2_handshake(data->payload[0], data->payload_len[0]))
return true;
return false;
}
static bool dns_req(uint32_t payload) {
/* The flags / rcode on requests are usually all zero.
*
* Exceptions: CD and RD may be set
*
* Remember BYTE ORDER!
*/
payload = htonl(payload);
if ((payload & 0x0000ffff) == 0x00000000)
return true;
/* Check for CD */
if ((payload & 0x0000ffff) == 0x00000010)
return true;
/* Check for RD */
if ((payload & 0x0000ffff) == 0x00000100)
return true;
return false;
}
static bool dns_backscatter(uint32_t payload) {
/* Let's see if we can identify unsolicited DNS responses */
/* Last byte seems to be always 0x00 - third is either 0x84 or 0x85 */
payload = htonl(payload);
if ((payload & 0x0000ffff) == 0x00008500)
return true;
if ((payload & 0x0000ffff) == 0x00008580)
return true;
if ((payload & 0x0000ffff) == 0x00008400)
return true;
if ((payload & 0x0000ffff) == 0x00008480)
return true;
if ((payload & 0x0000ffff) == 0x00008483)
return true;
if ((payload & 0x0000ffff) == 0x00008403)
return true;
if ((payload & 0x0000ffff) == 0x00008000)
return true;
return false;
}
bool match_dns(lpi_data_t *data) {
if (data->payload_len[0] == 0 || data->payload_len[1] == 0) {
/* No response, so we have a bit of a hard time - however,
* most requests have a pretty standard set of flags.
*
* We'll also use the port here to help out */
if (data->server_port != 53 && data->client_port != 53)
return false;
if (data->payload_len[0] > 12 && dns_req(data->payload[0]))
return true;
if (data->payload_len[1] > 12 && dns_req(data->payload[1]))
return true;
if (data->payload_len[0] > 12 &&
dns_backscatter(data->payload[0]))
return true;
if (data->payload_len[1] > 12 &&
dns_backscatter(data->payload[1]))
return true;
return false;
}
if (((htonl(data->payload[0])) & 0xffff7800) !=
((htonl(data->payload[1])) & 0xffff7800))
return false;
if ((htonl(data->payload[0]) & 0x00008000) ==
(htonl(data->payload[1]) & 0x00008000))
return false;
return true;
}
bool match_tds_request(uint32_t payload, uint32_t len) {
uint32_t stated_len = 0;
stated_len = (ntohl(payload) & 0xffff);
if (stated_len != len)
return false;
if (MATCH(payload, 0x12, 0x01, ANY, ANY))
return true;
if (MATCH(payload, 0x10, 0x01, ANY, ANY))
return true;
return false;
}
bool match_8000_payload(uint32_t payload, uint32_t len) {
if (len == 0)
return true;
if (MATCH(payload, 0x3b, 0x00, 0x00, 0x00)) {
return true;
}
if (MATCH(payload, 0x3c, 0x00, 0x00, 0x00)) {
return true;
}
if (MATCH(payload, 0x3d, 0x00, 0x00, 0x00)) {
return true;
}
if (MATCH(payload, 0x3e, 0x00, 0x00, 0x00)) {
return true;
}
return false;
}
bool match_emule(lpi_data_t *data) {
/* Check that payload begins with e3 or c5 in both directions before
* classifying as eMule */
/* (I noticed that most emule(probably) flows began with "e3 xx 00 00"
* or "c5 xx 00 00", perhaps is worth looking into... Although I
* couldn't find anything about emule packets) */
if (data->payload_len[0] < 4 && data->payload_len[1] < 4)
return false;
if (MATCH(data->payload[0], 0xe3, ANY, 0x00, 0x00) &&
MATCH(data->payload[1], 0xe3, ANY, 0x00, 0x00))
return true;
if (MATCH(data->payload[0], 0xe3, ANY, 0x00, 0x00) &&
MATCH(data->payload[1], 0xc5, ANY, 0x00, 0x00))
return true;
/* XXX I haven't seen any obviously legit emule that starts with c5
* in both directions */
/*
if (MATCH(data->payload[0], 0xc5, ANY, ANY, ANY) &&
MATCH(data->payload[1], 0xc5, ANY, ANY, ANY))
return true;
*/
if (MATCH(data->payload[0], 0xc5, ANY, 0x00, 0x00) &&
MATCH(data->payload[1], 0xe3, ANY, 0x00, 0x00))
return true;
if (MATCH(data->payload[0], 0xe3, ANY, 0x00, 0x00) &&
data->payload_len[1] == 0)
return true;
if (MATCH(data->payload[1], 0xe3, ANY, 0x00, 0x00) &&
data->payload_len[0] == 0)
return true;
return false;
}
static inline bool match_kaspersky_ke(uint32_t payload, uint32_t len) {
if (len == 0)
return true;
if (MATCH(payload, 'K', 'E', 0x00, 0x00))
return true;
if (MATCH(payload, 'K', 'E', 0x00, 0x02))
return true;
if (MATCH(payload, 'K', 'E', 0x00, 0x07))
return true;
return false;
}
static inline bool match_kaspersky_ks(uint32_t payload, uint32_t len) {
if (len == 0)
return true;
if (MATCH(payload, 'K', 'S', 0x00, 0x00))
return true;
return false;
}
bool match_kaspersky(lpi_data_t *data) {
/* Traffic is either on TCP port 443 or UDP port 2001.
*
* One of the endpoints is always in either a Kaspersky range or
* an old PSInet range */
if (match_str_both(data, "PI\x00\x00", "PI\x00\x00")) {
if (data->payload_len[0] == 2 && data->payload_len[1] == 2)
return true;
}
if (match_kaspersky_ke(data->payload[0], data->payload_len[0])) {
if (match_kaspersky_ke(data->payload[1], data->payload_len[1]))
return true;
}
if (match_kaspersky_ks(data->payload[0], data->payload_len[0])) {
if (match_kaspersky_ks(data->payload[1], data->payload_len[1]))
return true;
}
return false;
}
bool match_youku_payload(uint32_t pload, uint32_t len) {
if (len == 0)
return true;
if (MATCH(pload, 0x4b, 0x55, 0x00, 0x01))
return true;
if (MATCH(pload, 0x4b, 0x55, 0x00, 0x02))
return true;
if (MATCH(pload, 0x4b, 0x55, 0x00, 0x03))
return true;
if (MATCH(pload, 0x4b, 0x55, 0x00, 0x04))
return true;
return false;
}
bool match_tpkt(uint32_t payload, uint32_t len) {
uint32_t stated_len = 0;
/*
* TPKT header is 03 00 + 2 bytes of length (including the TPKT header)
*/
if (!MATCH(payload, 0x03, 0x00, ANY, ANY))
return false;
stated_len = ntohl(payload) & 0xffff;
if (stated_len != len)
return false;
return true;
}
bool match_qqlive_payload(uint32_t payload, uint32_t len) {
uint32_t swap;
/* This appears to have a 3 byte header. First byte is always 0xfe.
* Second and third bytes are the length (minus the 3 byte header).
*/
if (len == 0)
return true;
swap = htonl(payload);
swap = (swap & 0xffff00) >> 8;
if (ntohs(swap) != len - 3)
return false;
/* Interestingly, the third and fourth byte always match */
swap = htonl(payload);
if ((swap & 0xff) != ((swap & 0xff00) >> 8))
return false;
if (MATCH(payload, 0xfe, ANY, ANY, ANY))
return true;
return false;
}
bool match_yy_payload(uint32_t payload, uint32_t len) {
/* The first four bytes are a length field, but using the
* wrong byte order...
*/
if (!MATCH(payload, ANY, ANY, 0x00, 0x00))
return false;
#if BYTE_ORDER == BIG_ENDIAN
if (bswap32(payload) == len)
return true;
#else
if (payload == len)
return true;
#endif
return false;
}
/* Byte swapping functions for various inttypes */
uint64_t byteswap64(uint64_t num)
{
return (byteswap32((num&0xFFFFFFFF00000000ULL)>>32))
|((uint64_t)byteswap32(num&0x00000000FFFFFFFFULL)<<32);
}
uint32_t byteswap32(uint32_t num)
{
return ((num&0x000000FFU)<<24)
| ((num&0x0000FF00U)<<8)
| ((num&0x00FF0000U)>>8)
| ((num&0xFF000000U)>>24);
}
uint16_t byteswap16(uint16_t num)
{
return ((num<<8)&0xFF00)|((num>>8)&0x00FF);
}

143
decoders/glimpse_detector/libprotoident/proto_common.h Normal file
View File

@@ -0,0 +1,143 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#ifndef PROTO_COMMON_H_
#define PROTO_COMMON_H_
#include "libprotoident.h"
#ifndef __BYTE_ORDER
#include <endian.h>
#endif
#define ANY -1
#define MASKOCTET(x) \
((x) == ANY ? 0U : 255U)
#if __BYTE_ORDER == __BIG_ENDIAN
#define FORMUP(a,b,c,d) \
(unsigned)((((a)&0xFF)<<24)|(((b)&0xFF)<<16)|(((c)&0xFF)<<8)|((d)&0xFF))
#else
#define FORMUP(a,b,c,d) \
(unsigned)((((d)&0xFF)<<24)|(((c)&0xFF)<<16)|(((b)&0xFF)<<8)|((a)&0xFF))
#endif
#define FORMUPMASK(a,b,c,d) \
FORMUP(MASKOCTET(a),MASKOCTET(b),MASKOCTET(c),MASKOCTET(d))
#define MATCH(x,a,b,c,d) \
((x&FORMUPMASK(a,b,c,d))==(FORMUP(a,b,c,d)&FORMUPMASK(a,b,c,d)))
#define MATCHSTR(x,st) \
(memcmp(&(x),(st),sizeof(x))==0)
/** Byteswaps a 64-bit value.
*
* @param num The value to be byteswapped.
* @return The byteswapped 64-bit number
*
*/
uint64_t byteswap64(uint64_t num);
/** Byteswaps a 32-bit value.
*
* @param num The value to be byteswapped.
* @return The byteswapped 32-bit number
*
*/
uint32_t byteswap32(uint32_t num);
/** Byteswaps a 16-bit value.
*
* @param num The value to be byteswapped.
* @return The byteswapped 16-bit number
*
*/
uint16_t byteswap16(uint16_t num);
#if __BYTE_ORDER == __BIG_ENDIAN
#define bswap_host_to_be64(num) ((uint64_t)(num))
#define bswap_host_to_le64(num) byteswap64(num)
#define bswap_host_to_be32(num) ((uint32_t)(num))
#define bswap_host_to_le32(num) byteswap32(num)
#define bswap_host_to_be16(num) ((uint16_t)(num))
#define bswap_host_to_le16(num) byteswap16(num)
#define bswap_be_to_host64(num) ((uint64_t)(num))
#define bswap_le_to_host64(num) byteswap64(num)
#define bswap_be_to_host32(num) ((uint32_t)(num))
#define bswap_le_to_host32(num) byteswap32(num)
#define bswap_be_to_host16(num) ((uint16_t)(num))
#define bswap_le_to_host16(num) byteswap16(num)
/* We use ntoh*() here, because the compiler may
* attempt to optimise it
*/
#elif __BYTE_ORDER == __LITTLE_ENDIAN
#define bswap_host_to_be64(num) (byteswap64(num))
#define bswap_host_to_le64(num) ((uint64_t)(num))
#define bswap_host_to_be32(num) (htonl(num))
#define bswap_host_to_le32(num) ((uint32_t)(num))
#define bswap_host_to_be16(num) (htons(num))
#define bswap_host_to_le16(num) ((uint16_t)(num))
#define bswap_be_to_host64(num) (byteswap64(num))
#define bswap_le_to_host64(num) ((uint64_t)(num))
#define bswap_be_to_host32(num) (ntohl(num))
#define bswap_le_to_host32(num) ((uint32_t)(num))
#define bswap_be_to_host16(num) (ntohs(num))
#define bswap_le_to_host16(num) ((uint16_t)(num))
#else
#error "Unknown byte order"
#endif
bool match_str_either(lpi_data_t *data, const char *string);
bool match_str_both(lpi_data_t *data, const char *string1,
const char *string2);
bool match_chars_either(lpi_data_t *data, char a, char b, char c,
char d);
bool match_payload_length(uint32_t payload, uint32_t payload_len);
bool match_ip_address_both(lpi_data_t *data);
bool match_file_header(uint32_t payload);
bool match_http_request(uint32_t payload, uint32_t len);
bool valid_http_port(lpi_data_t *data);
bool match_ssl(lpi_data_t *data);
bool match_dns(lpi_data_t *data);
bool match_tds_request(uint32_t payload, uint32_t len);
bool match_8000_payload(uint32_t payload, uint32_t len);
bool match_youku_payload(uint32_t payload, uint32_t len);
bool match_emule(lpi_data_t *data);
bool match_kaspersky(lpi_data_t *data);
bool match_tpkt(uint32_t payload, uint32_t len);
bool match_qqlive_payload(uint32_t payload, uint32_t len);
bool match_yy_payload(uint32_t payload, uint32_t len);
#endif

691
decoders/glimpse_detector/libprotoident/proto_manager.cc Normal file
View File

@@ -0,0 +1,691 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
//#include "config.h"
#include <glob.h>
#include <dlfcn.h>
#include "proto_manager.h"
#include "tcp/tcp_protocols.h"
#include "udp/udp_protocols.h"
void register_protocol(lpi_module_t *mod, LPIModuleMap *mod_map) {
LPIModuleMap::iterator it;
LPIModuleList *ml;
it = mod_map->find(mod->priority);
if (it == mod_map->end()) {
(*mod_map)[mod->priority] = new LPIModuleList();
it = mod_map->find(mod->priority);
}
ml = it->second;
ml->push_back(mod);
}
void free_protocols(LPIModuleMap *mod_map) {
LPIModuleMap::iterator it;
LPIModuleList *ml;
for (it = mod_map->begin(); it != mod_map->end(); ++ it ) {
ml = it->second;
ml->clear();
delete(ml);
}
mod_map->clear();
}
int register_tcp_protocols(LPIModuleMap *mod_map) {
//register_300heroes(mod_map);
//register_360safeguard(mod_map);
//register_4d(mod_map);
//register_acestream(mod_map);
//register_afp(mod_map);
//register_airdroid(mod_map);
//register_airmedia(mod_map);
//register_akamai_tcp(mod_map);
//register_amp(mod_map);
//register_antcoin(mod_map);
//register_appearin(mod_map);
//register_apple_push(mod_map);
//register_ares(mod_map);
//register_badbaidu(mod_map);
//register_baofeng_tcp(mod_map);
//register_beam(mod_map);
//register_bitcoin(mod_map);
//register_bitextend(mod_map);
//register_bittorrent(mod_map);
//register_blackdesert(mod_map);
//register_blizzard(mod_map);
//register_btsync(mod_map);
//register_bwsyncandshare(mod_map);
//register_cacaoweb(mod_map);
//register_cgp(mod_map);
//register_chatango(mod_map);
//register_cisco_vpn(mod_map);
//register_clashofclans(mod_map);
//register_classin_tcp(mod_map);
//register_clubbox(mod_map);
//register_cod_waw(mod_map);
//register_conquer(mod_map);
//register_crashplan(mod_map);
//register_crossfire_tcp(mod_map);
//register_cryptic(mod_map);
//register_cvs(mod_map);
//register_dahua_tcp(mod_map);
//register_dash(mod_map);
//register_dell_backup(mod_map);
//register_destiny(mod_map);
//register_diablo3(mod_map);
//register_dianping_tcp(mod_map);
//register_directconnect(mod_map);
//register_dnf(mod_map);
register_dns_tcp(mod_map);
//register_dogecoin(mod_map);
//register_douyu(mod_map);
//register_douyu_chat(mod_map);
//register_duelingnetwork(mod_map);
//register_dvrns(mod_map);
//register_dxp(mod_map);
//register_ea_games(mod_map);
//register_emule(mod_map);
//register_ethernetip(mod_map);
//register_eye(mod_map);
//register_facebook_turn(mod_map);
//register_fb_message(mod_map);
//register_fbcdn_ssl(mod_map);
//register_ffxiv(mod_map);
//register_filenori(mod_map);
//register_flash(mod_map);
//register_fliggy(mod_map);
//register_fring(mod_map);
register_ftpcontrol(mod_map);
register_ftpdata(mod_map);
//register_fuckcoin(mod_map);
//register_funshion_tcp(mod_map);
//register_gamespy_tcp(mod_map);
//register_gcafe_updater(mod_map);
//register_giop(mod_map);
//register_git(mod_map);
//register_glupteba(mod_map);
//register_gnutella(mod_map);
//register_goku(mod_map);
//register_googlehangouts(mod_map);
//register_graalonlineera(mod_map);
//register_guildwars2(mod_map);
//register_hamachi(mod_map);
//register_harveys(mod_map);
//register_hearthstone(mod_map);
//register_hola(mod_map);
//register_hots_tcp(mod_map);
register_http_badport(mod_map);
register_http(mod_map);
register_http_nonstandard(mod_map);
register_https(mod_map);
register_http_tunnel(mod_map);
//register_ica(mod_map);
//register_icep(mod_map);
//register_id(mod_map);
//register_idrivesync(mod_map);
//register_ihexin(mod_map);
register_imap(mod_map);
register_imaps(mod_map);
//register_imesh(mod_map);
//register_invalid(mod_map);
//register_invalid_bittorrent(mod_map);
register_invalid_http(mod_map);
register_invalid_pop(mod_map);
register_invalid_smtp(mod_map);
//register_ipfs(mod_map);
//register_ipop(mod_map);
//register_ipsharkk(mod_map);
//register_irc(mod_map);
//register_java(mod_map);
//register_jedi(mod_map);
//register_jx3online(mod_map);
//register_kakao(mod_map);
//register_kankan_tcp(mod_map);
//register_kaseya(mod_map);
//register_kaspersky(mod_map);
//register_kik(mod_map);
//register_kingofglory_tcp(mod_map);
//register_kuaibo(mod_map);
register_ldap(mod_map);
//register_tcp_ldap_ad(mod_map);
//register_lifeforge(mod_map);
//register_line(mod_map);
//register_litecoin(mod_map);
//register_llp2p(mod_map);
//register_maplestory_china(mod_map);
//register_maxicloud(mod_map);
//register_message4u(mod_map);
//register_minecraft(mod_map);
//register_mitglieder(mod_map);
register_mms(mod_map);
//register_mongo(mod_map);
//register_mp2p(mod_map);
//register_msn(mod_map);
//register_msnc(mod_map);
//register_msnv(mod_map);
//register_munin(mod_map);
//register_mysql(mod_map);
//register_mystery_8000(mod_map);
//register_mystery_9000(mod_map);
//register_mystery_conn(mod_map);
//register_mystery_iG(mod_map);
//register_mystery_pspr(mod_map);
//register_mystery_rxxf(mod_map);
//register_mystery_symantec(mod_map);
//register_mzinga(mod_map);
//register_naverp2p(mod_map);
//register_ncsoft(mod_map);
//register_ndt_tput(mod_map);
register_netbios(mod_map);
//register_notes_rpc(mod_map);
//register_tcp_no_payload(mod_map);
//register_tcp_no_firstpkt(mod_map);
//register_nsq(mod_map);
//register_omegle(mod_map);
register_openvpn(mod_map);
//register_ourworld(mod_map);
//register_palringo(mod_map);
//register_paltalk(mod_map);
//register_pandatv(mod_map);
//register_pando(mod_map);
//register_pathofexile(mod_map);
//register_pdbox(mod_map);
register_pop3(mod_map);
register_pop3s(mod_map);
//register_postgresql(mod_map);
register_pptp(mod_map);
//register_psn_store(mod_map);
//register_qcloud_ilvb(mod_map);
register_qq_tcp(mod_map);
//register_qqdownload(mod_map);
//register_qqlive_tcp(mod_map);
//register_qqspeedmobile_tcp(mod_map);
//register_qvod(mod_map);
//register_rabbitmq(mod_map);
//register_ragnarokonline(mod_map);
//register_razor(mod_map);
//register_rbls(mod_map);
register_rdp(mod_map);
//register_realmofthemadgod(mod_map);
//register_realvnc(mod_map);
//register_rejection(mod_map);
//register_relay(mod_map);
//register_remote_manipulator(mod_map);
//register_revolver_nblbt(mod_map);
//register_rfb(mod_map);
//register_rpcscan(mod_map);
//register_rrtv(mod_map);
register_rsync(mod_map);
register_rtmp(mod_map);
register_rtsp(mod_map);
//register_runescape(mod_map);
//register_s7comm(mod_map);
//register_saprouter(mod_map);
//register_saszombieassault4(mod_map);
//register_second_life(mod_map);
//register_shoutcast(mod_map);
//register_silkroadonline(mod_map);
register_sip(mod_map);
//register_skyforge(mod_map);
//register_skype_tcp(mod_map);
register_smb(mod_map);
//register_smite_tcp(mod_map);
register_smtp(mod_map);
register_smtps(mod_map);
register_socks4(mod_map);
register_socks5(mod_map);
register_spdy(mod_map);
//register_speedify(mod_map);
//register_speedin(mod_map);
//register_speedtest(mod_map);
//register_spotify(mod_map);
register_ssh(mod_map);
//register_ssjj(mod_map);
register_ssl(mod_map);
//register_steam(mod_map);
register_stratum(mod_map);
register_stun_tcp(mod_map);
//register_supl(mod_map);
//register_svn(mod_map);
//register_talesrunner(mod_map);
//register_tankionline(mod_map);
//register_tankix(mod_map);
//register_taobao(mod_map);
//register_tds(mod_map);
//register_teamviewer(mod_map);
//register_telecomkey(mod_map);
//register_telegram(mod_map);
register_telnet(mod_map);
//register_telnet_exploit(mod_map);
//register_tencent_games(mod_map);
//register_tenfivecoin(mod_map);
//register_tensafe(mod_map);
//register_tera(mod_map);
//register_tetrisonline(mod_map);
//register_thedivision(mod_map);
//register_tip(mod_map);
//register_tor(mod_map);
//register_tpkt_generic(mod_map);
//register_trackmania(mod_map);
//register_transocks(mod_map);
//register_trion(mod_map);
//register_trojan_win32_generic_sb(mod_map);
//register_trojan_zeroaccess(mod_map);
//register_twitcasting(mod_map);
//register_twitch_irc(mod_map);
//register_utherverse(mod_map);
//register_vainglory(mod_map);
//register_vhdp2p(mod_map);
//register_viber(mod_map);
//register_vmware(mod_map);
//register_vodlocker(mod_map);
//register_vpnrobot_tcp(mod_map);
//register_vpnunlimited_tcp(mod_map);
//register_warcraft3(mod_map);
//register_web_junk(mod_map);
//register_webex_stun(mod_map);
//register_weblogic(mod_map);
register_wechat(mod_map);
//register_weibo(mod_map);
//register_weiqi(mod_map);
//register_whatsapp(mod_map);
//register_whois(mod_map);
//register_winmx(mod_map);
//register_wizard101(mod_map);
//register_wns(mod_map);
//register_wow(mod_map);
//register_wuala(mod_map);
//register_xiami(mod_map);
register_xmpp(mod_map);
register_xmpps(mod_map);
//register_xunlei(mod_map);
//register_xunlei_accel(mod_map);
//register_xymon(mod_map);
//register_yahoo(mod_map);
//register_yahoo_error(mod_map);
//register_yahoo_games(mod_map);
//register_yahoo_webcam(mod_map);
//register_youku_tcp(mod_map);
//register_yy_tcp(mod_map);
//register_zabbix(mod_map);
//register_zero_facebook(mod_map);
//register_zoom_tcp(mod_map);
//register_zynga(mod_map);
return 0;
}
int register_udp_protocols(LPIModuleMap *mod_map) {
//register_360cn(mod_map);
//register_360p2p(mod_map);
//register_aachen_udp(mod_map);
//register_acercloud(mod_map);
//register_akamai(mod_map);
//register_akamai_transfer(mod_map);
//register_amanda(mod_map);
//register_apple_facetime_init(mod_map);
//register_ard(mod_map);
//register_ares_udp(mod_map);
//register_arksurvival(mod_map);
//register_arma_server(mod_map);
//register_arma3_server(mod_map);
//register_artcp(mod_map);
//register_assettocorsa(mod_map);
//register_avast_secure_dns(mod_map);
//register_bacnet(mod_map);
//register_backweb(mod_map);
//register_baiduyun_p2p(mod_map);
//register_baofeng_udp(mod_map);
//register_battlefield(mod_map);
//register_bjnp(mod_map);
//register_bmdp(mod_map);
//register_btsync_udp(mod_map);
//register_cacaoweb_udp(mod_map);
//register_canon_mfnp(mod_map);
//register_callofduty(mod_map);
//register_chargen_exploit(mod_map);
//register_checkpoint_rdp(mod_map);
//register_chivalry(mod_map);
//register_ethernetip_udp(mod_map);
//register_cip_io(mod_map);
//register_cirn(mod_map);
//register_cisco_ipsec(mod_map);
//register_cisco_sslvpn(mod_map);
//register_classin_udp(mod_map);
//register_cloudflare_warp(mod_map);
//register_codmobile(mod_map);
//register_combatarms(mod_map);
//register_combatarms_p2p(mod_map);
//register_contract_wars(mod_map);
//register_crossfire(mod_map);
//register_crossout(mod_map);
//register_csgo(mod_map);
//register_csoriginal(mod_map);
//register_dahua(mod_map);
//register_db2(mod_map);
//register_dcc_udp(mod_map);
//register_demonware(mod_map);
//register_destiny_udp(mod_map);
register_dhcp(mod_map);
//register_dht_dict(mod_map);
//register_dht_other(mod_map);
//register_diablo2(mod_map);
//register_dianping_udp(mod_map);
//register_dianshijia(mod_map);
//register_directconnect_udp(mod_map);
//register_discord(mod_map);
register_dns_udp(mod_map);
//register_dota2(mod_map);
//register_doyo(mod_map);
//register_driveshare(mod_map);
register_dtls(mod_map);
//register_emule_udp(mod_map);
//register_emule_weak_udp(mod_map);
//register_epson(mod_map);
//register_eso(mod_map);
register_esp_encap(mod_map);
//register_eye_udp(mod_map);
//register_fasp(mod_map);
//register_feitwo(mod_map);
//register_forticlient_sslvpn(mod_map);
//register_fortinet(mod_map);
//register_foscam(mod_map);
//register_freechal(mod_map);
//register_freefire(mod_map);
//register_funshion_udp(mod_map);
//register_gamespy(mod_map);
//register_ganglia(mod_map);
//register_gangsofspace(mod_map);
//register_garena(mod_map);
//register_gearsofwar(mod_map);
//register_gnutella_udp(mod_map);
//register_gnutella2_udp(mod_map);
//register_gnutella_weak(mod_map);
//register_gotomeeting(mod_map);
register_gprs_tunnel(mod_map);
//register_gsm(mod_map);
//register_h1z1(mod_map);
//register_halflife(mod_map);
//register_haloonline(mod_map);
//register_hamachi_udp(mod_map);
//register_heliborne(mod_map);
//register_heroesevolved(mod_map);
//register_heroes_generals(mod_map);
//register_hollachat(mod_map);
//register_hots(mod_map);
//register_icp(mod_map);
//register_imesh_udp(mod_map);
//register_ipmsg(mod_map);
//register_ipv6_udp(mod_map);
register_isakmp(mod_map);
//register_jedi_academy(mod_map);
//register_jedi_udp(mod_map);
//register_kademlia(mod_map);
//register_kankan(mod_map);
//register_kaspersky_udp(mod_map);
//register_kazaa(mod_map);
//register_kingofglory_udp(mod_map);
//register_kugou(mod_map);
register_l2tp(mod_map);
//register_lansync_udp(mod_map);
//register_ldap_ad(mod_map);
//register_line_udp(mod_map);
//register_linkproof(mod_map);
//register_loadout(mod_map);
//register_lol(mod_map);
register_mdns(mod_map);
//register_merakicloud(mod_map);
//register_moh(mod_map);
//register_moonhunters(mod_map);
//register_mp2p_udp(mod_map);
//register_msn_cache(mod_map);
//register_msn_video(mod_map);
//register_msoffice_mac(mod_map);
//register_mta(mod_map);
//register_mystery_05(mod_map);
//register_mystery_0660(mod_map);
//register_mystery_0d(mod_map);
//register_mystery_45(mod_map);
//register_mystery_61_72(mod_map);
//register_mystery_8000_udp(mod_map);
//register_mystery_99(mod_map);
//register_mystery_e9(mod_map);
//register_mystery_qq(mod_map);
//register_n2ping(mod_map);
//register_natpmp(mod_map);
register_netbios_udp(mod_map);
//register_netcat_cctv_udp(mod_map);
//register_netcore_scan(mod_map);
register_netflow(mod_map);
//register_newerth(mod_map);
//register_nintendo(mod_map);
//register_noction(mod_map);
//register_noe(mod_map);
//register_norton(mod_map);
register_ntp(mod_map);
//register_ntp_reflect(mod_map);
//register_nwn(mod_map);
//register_nvidia_gamestream(mod_map);
//register_opaserv(mod_map);
register_openvpn_udp(mod_map);
//register_orbit_udp(mod_map);
//register_overwatch(mod_map);
//register_paladins(mod_map);
//register_pando_udp(mod_map);
//register_panipani(mod_map);
//register_planetside2(mod_map);
//register_portmap_rpc(mod_map);
//register_pplive(mod_map);
//register_ppstream(mod_map);
//register_probable_gnutella(mod_map);
//register_ps4_remoteplay(mod_map);
//register_psn(mod_map);
//register_punkbuster(mod_map);
//register_pyzor(mod_map);
register_qq(mod_map);
//register_qqlive(mod_map);
//register_qqpcmgr(mod_map);
//register_qqspeedmobile_udp(mod_map);
//register_quake(mod_map);
register_quic(mod_map);
//register_qvod_udp(mod_map);
register_radius(mod_map);
//register_ramsey_dash(mod_map);
register_rdp_udp(mod_map);
//register_real(mod_map);
//register_risingstorm(mod_map);
//register_raknet(mod_map);
//register_robocraft(mod_map);
//register_rocket_league(mod_map);
//register_rrshare(mod_map);
register_rtcp(mod_map);
//register_rtmfp(mod_map);
register_rtp(mod_map);
//register_rulesofsurvival(mod_map);
//register_sanandreas_mp(mod_map);
//register_second_life_udp(mod_map);
//register_serialnumberd(mod_map);
register_sip_udp(mod_map);
//register_skype(mod_map);
//register_slp(mod_map);
//register_smite(mod_map);
//register_snapvpn(mod_map);
register_snmp(mod_map);
//register_sopcast(mod_map);
//register_spamfighter(mod_map);
//register_spotify_bcast(mod_map);
//register_sql_worm(mod_map);
register_ssdp(mod_map);
//register_starcitizen(mod_map);
//register_starcraft(mod_map);
//register_starleaf(mod_map);
//register_steamfriends(mod_map);
//register_steam_localbroadcast(mod_map);
//register_steam_inhomebroadcast(mod_map);
//register_steam_udp(mod_map);
//register_storm_worm(mod_map);
register_stun(mod_map);
//register_syslog(mod_map);
//register_talesrunner_udp(mod_map);
//register_teamspeak(mod_map);
//register_teamviewer_udp(mod_map);
register_teredo(mod_map);
//register_tf2(mod_map);
register_tftp(mod_map);
//register_thecrew(mod_map);
//register_thq(mod_map);
//register_torchlight2(mod_map);
//register_tox(mod_map);
//register_traceroute(mod_map);
//register_tremulous(mod_map);
//register_turbovpn(mod_map);
//register_tvants(mod_map);
//register_ubisoft_games(mod_map);
//register_udp_no_payload(mod_map);
//register_umeye(mod_map);
//register_unreal(mod_map);
//register_ventrilo(mod_map);
//register_viber_udp(mod_map);
//register_vivox(mod_map);
//register_vpnmaster(mod_map);
//register_vpnrobot_udp(mod_map);
//register_vxworks_exploit(mod_map);
//register_warthunder(mod_map);
//register_webex(mod_map);
register_wechat_udp(mod_map);
//register_winmessage(mod_map);
register_wireguard(mod_map);
//register_wolfet(mod_map);
//register_worm_22105(mod_map);
//register_xfire_p2p(mod_map);
//register_xlsp(mod_map);
//register_xunlei_jsq(mod_map);
//register_xunlei_udp(mod_map);
//register_xunyou(mod_map);
//register_youdao_dict(mod_map);
//register_youku_udp(mod_map);
//register_yuanfudao(mod_map);
//register_yy_udp(mod_map);
//register_zalo_call(mod_map);
//register_zeroaccess_udp(mod_map);
//register_zoom(mod_map);
return 0;
}
static void register_list_names(LPIModuleList *ml, LPINameMap *names, LPIProtocolMap *protos,
LPICategoryProtocolMap *category_protocols) {
LPIModuleList::iterator it;
for (it = ml->begin(); it != ml->end(); ++ it) {
lpi_module_t *mod = *it;
(*names)[mod->protocol] = mod->name;
(*protos)[std::string(mod->name)] = mod->protocol;
(*category_protocols)[mod->protocol] = mod->category;
}
}
void register_names(LPIModuleMap *mods, LPINameMap *names, LPIProtocolMap *protocols,
LPICategoryProtocolMap *category_protocols) {
LPIModuleMap::iterator it;
for (it = mods->begin(); it != mods->end(); ++ it) {
register_list_names(it->second, names, protocols, category_protocols);
}
}
void register_category_names(LPICategoryMap *categories) {
int i;
for (i = 0; i < LPI_CATEGORY_LAST; i++) {
(*categories)[std::string(lpi_print_category((lpi_category_t)i))] = (lpi_category_t)i;
}
}
void init_other_protocols(LPINameMap *name_map, LPIProtocolMap *proto_map,
LPICategoryProtocolMap *category_protocols) {
lpi_icmp = new lpi_module_t;
lpi_icmp->protocol = LPI_PROTO_ICMP;
lpi_icmp->category = LPI_CATEGORY_ICMP;
lpi_icmp->name = "ICMP";
lpi_icmp->priority = 255;
lpi_icmp->lpi_callback = NULL;
(*name_map)[lpi_icmp->protocol] = lpi_icmp->name;
(*proto_map)[std::string(lpi_icmp->name)] = lpi_icmp->protocol;
(*category_protocols)[lpi_icmp->protocol] = lpi_icmp->category;
lpi_unknown_tcp = new lpi_module_t;
lpi_unknown_tcp->protocol = LPI_PROTO_UNKNOWN;
lpi_unknown_tcp->category = LPI_CATEGORY_UNKNOWN;
lpi_unknown_tcp->name = "Unknown_TCP";
lpi_unknown_tcp->priority = 255;
lpi_unknown_tcp->lpi_callback = NULL;
(*name_map)[lpi_unknown_tcp->protocol] = lpi_unknown_tcp->name;
(*proto_map)[std::string(lpi_unknown_tcp->name)] = lpi_unknown_tcp->protocol;
(*category_protocols)[lpi_unknown_tcp->protocol] = lpi_unknown_tcp->category;
lpi_unknown_udp = new lpi_module_t;
lpi_unknown_udp->protocol = LPI_PROTO_UDP;
lpi_unknown_udp->category = LPI_CATEGORY_UNKNOWN;
lpi_unknown_udp->name = "Unknown_UDP";
lpi_unknown_udp->priority = 255;
lpi_unknown_udp->lpi_callback = NULL;
(*name_map)[lpi_unknown_udp->protocol] = lpi_unknown_udp->name;
(*proto_map)[std::string(lpi_unknown_udp->name)] = lpi_unknown_udp->protocol;
(*category_protocols)[lpi_unknown_udp->protocol] = lpi_unknown_udp->category;
lpi_unsupported = new lpi_module_t;
lpi_unsupported->protocol = LPI_PROTO_UNSUPPORTED;
lpi_unsupported->category = LPI_CATEGORY_UNSUPPORTED;
lpi_unsupported->name = "Unsupported";
lpi_unsupported->priority = 255;
lpi_unsupported->lpi_callback = NULL;
(*name_map)[lpi_unsupported->protocol] = lpi_unsupported->name;
(*proto_map)[std::string(lpi_unsupported->name)] = lpi_unsupported->protocol;
(*category_protocols)[lpi_unsupported->protocol] = lpi_unsupported->category;
}

61
decoders/glimpse_detector/libprotoident/proto_manager.h Normal file
View File

@@ -0,0 +1,61 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#ifndef PROTO_MANAGER_H_
#define PROTO_MANAGER_H_
#include <list>
#include <vector>
#include <map>
#include <string>
#include "libprotoident.h"
typedef std::list<lpi_module_t *> LPIModuleList;
typedef std::map<uint8_t, LPIModuleList *> LPIModuleMap;
typedef std::map<lpi_protocol_t, const char *> LPINameMap;
typedef std::map<std::string, lpi_protocol_t> LPIProtocolMap;
typedef std::map<std::string, lpi_category_t> LPICategoryMap;
typedef std::map<lpi_protocol_t, lpi_category_t> LPICategoryProtocolMap;
void register_protocol(lpi_module_t *mod, LPIModuleMap *mod_map);
int register_tcp_protocols(LPIModuleMap *mod_map);
int register_udp_protocols(LPIModuleMap *mod_map);
void register_names(LPIModuleMap *mod_map, LPINameMap *name_map, LPIProtocolMap *proto_map,
LPICategoryProtocolMap *category_protocols);
void register_category_names(LPICategoryMap *categories);
void init_other_protocols(LPINameMap *name_map, LPIProtocolMap *proto_map,
LPICategoryProtocolMap *category_protocols);
void free_protocols(LPIModuleMap *mod_map);
extern lpi_module_t *lpi_icmp;
extern lpi_module_t *lpi_unknown_tcp;
extern lpi_module_t *lpi_unknown_udp;
extern lpi_module_t *lpi_unsupported;
#endif

97
decoders/glimpse_detector/libprotoident/tcp/lpi_300heroes.cc Normal file
View File

@@ -0,0 +1,97 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
/* Yet another Chinese LoL clone */
static inline bool match_heroes_c1(uint32_t payload, uint32_t len) {
if (len == 12 && MATCH(payload, 0xc1, 0x0c, 0x00, 0x00))
return true;
return false;
}
static inline bool match_heroes_c2(uint32_t payload, uint32_t len) {
if (len == 15 && MATCH(payload, 0xc2, 0x0f, 0x00, 0x00))
return true;
return false;
}
static inline bool match_heroes_db(uint32_t payload, uint32_t len) {
if (len == 22 && MATCH(payload, 0xdb, 0x16, 0x00, 0x00))
return true;
return false;
}
static inline bool match_heroes_e7(uint32_t payload, uint32_t len) {
if (MATCH(payload, 0xe7, 0x2a, 0x00, 0x00)) {
if (len >= 185 && len <= 200)
return true;
}
return false;
}
static inline bool match_300heroes(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_heroes_c1(data->payload[0], data->payload_len[0])) {
if (match_heroes_c2(data->payload[1], data->payload_len[1]))
return true;
}
if (match_heroes_c1(data->payload[1], data->payload_len[1])) {
if (match_heroes_c2(data->payload[0], data->payload_len[0]))
return true;
}
if (match_heroes_db(data->payload[0], data->payload_len[0])) {
if (match_heroes_e7(data->payload[1], data->payload_len[1]))
return true;
}
if (match_heroes_db(data->payload[1], data->payload_len[1])) {
if (match_heroes_e7(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_300heroes = {
LPI_PROTO_300_HEROES,
LPI_CATEGORY_GAMING,
"300Heroes",
101,
match_300heroes
};
void register_300heroes(LPIModuleMap *mod_map) {
register_protocol(&lpi_300heroes, mod_map);
}

130
decoders/glimpse_detector/libprotoident/tcp/lpi_360safeguard.cc Normal file
View File

@@ -0,0 +1,130 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_360_a1req(uint32_t payload, uint32_t len) {
if (len != 63)
return false;
if (MATCH(payload, 0xa1, 0x00, 0x00, 0x00))
return true;
return false;
}
static inline bool match_360_a1resp(uint32_t payload, uint32_t len) {
if (MATCH(payload, 0xa1, 0x82, 0x00, 0x00))
return true;
return false;
}
static inline bool match_360_03req(uint32_t payload, uint32_t len) {
uint32_t hdrlen = (ntohl(payload) & 0xffff);
if (!MATCH(payload, 0x00, 0x03, 0x00, ANY))
return false;
if (len - 8 == hdrlen)
return true;
return false;
}
static inline bool match_360_03resp(uint32_t payload, uint32_t len) {
if (len != 8)
return false;
if (MATCH(payload, 0x00, 0x00, 0x00, 0x00))
return true;
return false;
}
static inline bool match_360_p2pupdate(uint32_t payload, uint32_t len) {
if (len == 68 && MATCH(payload, 0x01, 0xaa, 0x4b, 0x79))
return true;
return false;
}
static inline bool match_360safeguard(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* These patterns have been regularly seen on a machine with 360
* safeguard (Chinese edition) installed. They seem to appear when
* starting up and running a scan, so are probably some form of update
* checking?
*/
if (match_360_a1req(data->payload[0], data->payload_len[0])) {
if (match_360_a1resp(data->payload[1], data->payload_len[1]))
return true;
}
if (match_360_a1req(data->payload[1], data->payload_len[1])) {
if (match_360_a1resp(data->payload[0], data->payload_len[0]))
return true;
}
if (match_360_03req(data->payload[0], data->payload_len[0])) {
if (match_360_03resp(data->payload[1], data->payload_len[1]))
return true;
}
if (match_360_03req(data->payload[1], data->payload_len[1])) {
if (match_360_03resp(data->payload[0], data->payload_len[0]))
return true;
}
/* Have observed unencrypted traffic that appears to be downloading a
* .cab file to update 360 safeguard. */
if (match_360_p2pupdate(data->payload[0], data->payload_len[0])) {
if (match_360_p2pupdate(data->payload[1], data->payload_len[1]))
return true;
}
return false;
}
static lpi_module_t lpi_360safeguard = {
LPI_PROTO_360SAFEGUARD,
LPI_CATEGORY_SECURITY,
"360Safeguard",
8,
match_360safeguard
};
void register_360safeguard(LPIModuleMap *mod_map) {
register_protocol(&lpi_360safeguard, mod_map);
}

99
decoders/glimpse_detector/libprotoident/tcp/lpi_4d.cc Normal file
View File

@@ -0,0 +1,99 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_4d_5f(uint32_t payload, uint32_t len) {
if (len == 4 && MATCH(payload, 0x5f, 0x11, 0x00, 0x00))
return true;
return false;
}
static inline bool match_4d_other(uint32_t payload, uint32_t len) {
if (len == 4 && MATCH(payload, 0x60, 0x11, 0x00, 0x00))
return true;
if (len == 4 && MATCH(payload, 0x61, 0x11, 0x00, 0x00))
return true;
return false;
}
static inline bool match_4d_len72(uint32_t payload, uint32_t len) {
if (len == 72 && MATCH(payload, 0x00, 0x00, 0x00, 0x48))
return true;
return false;
}
static inline bool match_4d_len12(uint32_t payload, uint32_t len) {
if (len == 12 && MATCH(payload, 0x00, 0x00, 0x00, 0x00))
return true;
return false;
}
static inline bool match_4d(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_4d_5f(data->payload[0], data->payload_len[0])) {
if (match_4d_other(data->payload[1], data->payload_len[1]))
return true;
}
if (match_4d_5f(data->payload[1], data->payload_len[1])) {
if (match_4d_other(data->payload[0], data->payload_len[0]))
return true;
}
if (match_4d_len72(data->payload[0], data->payload_len[0])) {
if (match_4d_len12(data->payload[1], data->payload_len[1]))
return true;
}
if (match_4d_len72(data->payload[1], data->payload_len[1])) {
if (match_4d_len12(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_4d = {
LPI_PROTO_4D,
LPI_CATEGORY_DATABASES,
"4D",
75,
match_4d
};
void register_4d(LPIModuleMap *mod_map) {
register_protocol(&lpi_4d, mod_map);
}

76
decoders/glimpse_detector/libprotoident/tcp/lpi_acestream.cc Normal file
View File

@@ -0,0 +1,76 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_ace_greet(uint32_t payload, uint32_t len) {
if (len == 46 && MATCH(payload, 0x11, 'A', 'c', 'e'))
return true;
return false;
}
static inline bool match_ace_66(uint32_t payload, uint32_t len) {
if (len == 0)
return true;
if (len == 66 && MATCH(payload, 0x11, 'A', 'c', 'e'))
return true;
return false;
}
static inline bool match_acestream(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_ace_greet(data->payload[0], data->payload_len[0])) {
if (match_ace_greet(data->payload[1], data->payload_len[1])) {
return true;
}
if (match_ace_66(data->payload[1], data->payload_len[1])) {
return true;
}
}
return false;
}
static lpi_module_t lpi_acestream = {
LPI_PROTO_ACESTREAM,
LPI_CATEGORY_P2P,
"AceStream",
6,
match_acestream
};
void register_acestream(LPIModuleMap *mod_map) {
register_protocol(&lpi_acestream, mod_map);
}

53
decoders/glimpse_detector/libprotoident/tcp/lpi_afp.cc Normal file
View File

@@ -0,0 +1,53 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_afp(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Looking for a DSI header - command 4 is OpenSession */
if (match_str_both(data, "\x00\x04\x00\x01", "\x01\x04\x00\x01"))
return true;
return false;
}
static lpi_module_t lpi_afp = {
LPI_PROTO_AFP,
LPI_CATEGORY_FILES,
"AFP",
5,
match_afp
};
void register_afp(LPIModuleMap *mod_map) {
register_protocol(&lpi_afp, mod_map);
}

139
decoders/glimpse_detector/libprotoident/tcp/lpi_airdroid.cc Normal file
View File

@@ -0,0 +1,139 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_airdroid_req(uint32_t payload, uint32_t len) {
if (MATCH(payload, 0x2a, 0x33, 0x0d, 0x0a)) {
if (len == 97)
return true;
}
if (MATCH(payload, 0x2a, 0x35, 0x0d, 0x0a)) {
if (len == 118 || len == 119)
return true;
}
return false;
}
static inline bool match_airdroid_resp(uint32_t payload, uint32_t len) {
if (len != 4)
return false;
if (MATCH(payload, 0x2b, 0x68, 0x0d, 0x0a))
return true;
return false;
}
static inline bool match_airdroid_get(uint32_t payload) {
if (MATCH(payload, 'G', 'E', 'T', 0x20))
return true;
return false;
}
static inline bool is_hexdigit(uint32_t byte) {
if (byte < 0x30)
return false;
if (byte > 0x39 && byte < 0x61)
return false;
if (byte > 0x66)
return false;
return true;
}
static inline bool match_airdroid_33(uint32_t payload, uint32_t len) {
uint32_t ordered = ntohl(payload);
uint32_t byte;
/* Needs some proper testing against real airdroid traffic */
if (len == 33) {
byte = (ordered & 0xff);
if (!is_hexdigit(byte))
return false;
byte = ((ordered >> 8) & 0xff);
if (!is_hexdigit(byte))
return false;
byte = ((ordered >> 16) & 0xff);
if (!is_hexdigit(byte))
return false;
byte = ((ordered >> 24) & 0xff);
if (!is_hexdigit(byte))
return false;
return true;
}
return false;
}
static inline bool match_airdroid(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_airdroid_req(data->payload[0], data->payload_len[0])) {
if (match_airdroid_resp(data->payload[1], data->payload_len[1]))
return true;
}
if (match_airdroid_req(data->payload[1], data->payload_len[1])) {
if (match_airdroid_resp(data->payload[0], data->payload_len[0]))
return true;
}
if (data->server_port == 9991 || data->client_port == 9991) {
if (match_airdroid_33(data->payload[0], data->payload_len[0])) {
if (match_airdroid_get(data->payload[1]))
return true;
}
if (match_airdroid_33(data->payload[1], data->payload_len[1])) {
if (match_airdroid_get(data->payload[0]))
return true;
}
}
return false;
}
static lpi_module_t lpi_airdroid = {
LPI_PROTO_AIRDROID,
LPI_CATEGORY_CLOUD,
"AirDroid",
12,
match_airdroid
};
void register_airdroid(LPIModuleMap *mod_map) {
register_protocol(&lpi_airdroid, mod_map);
}

76
decoders/glimpse_detector/libprotoident/tcp/lpi_airmedia.cc Normal file
View File

@@ -0,0 +1,76 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
/* Crestron Airmedia -- more details at:
* http://www.boredhackerblog.info/2016/02/extracting-images-from-crestron.html
*/
static inline bool match_cam_wppi(uint32_t payload, uint32_t len) {
if (len == 12 && MATCHSTR(payload, "wppi"))
return true;
return false;
}
static inline bool match_cam_sender(uint32_t payload, uint32_t len) {
if (len == 32 && MATCHSTR(payload, "Send"))
return true;
return false;
}
static inline bool match_airmedia(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Port 515 */
if (match_cam_wppi(data->payload[0], data->payload_len[0])) {
if (match_cam_sender(data->payload[1], data->payload_len[1]))
return true;
}
if (match_cam_wppi(data->payload[1], data->payload_len[1])) {
if (match_cam_sender(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_airmedia = {
LPI_PROTO_AIRMEDIA,
LPI_CATEGORY_REMOTE,
"Airmedia",
5,
match_airmedia
};
void register_airmedia(LPIModuleMap *mod_map) {
register_protocol(&lpi_airmedia, mod_map);
}

62
decoders/glimpse_detector/libprotoident/tcp/lpi_akamai.cc Normal file
View File

@@ -0,0 +1,62 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_akamai_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* TCP exchanges between Akamai nodes */
/* Seems to always be over port 9050, so add a check if too many
* false positives */
/* Payload is 00000000 in both directions */
if (data->payload[0] != 0 || data->payload[1] != 0)
return false;
if (data->payload_len[0] == 163 && data->payload_len[1] == 149)
return true;
if (data->payload_len[1] == 163 && data->payload_len[0] == 149)
return true;
return false;
}
static lpi_module_t lpi_akamai_tcp = {
LPI_PROTO_AKAMAI,
LPI_CATEGORY_CDN,
"AkamaiTCP",
9,
match_akamai_tcp
};
void register_akamai_tcp(LPIModuleMap *mod_map) {
register_protocol(&lpi_akamai_tcp, mod_map);
}

72
decoders/glimpse_detector/libprotoident/tcp/lpi_amp.cc Normal file
View File

@@ -0,0 +1,72 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_amp_throughput(lpi_data_t *data) {
/* AMP Throughput generally uses port 8826 or 8827 */
if (data->server_port != 8826 && data->client_port != 8826
&& data->server_port != 8827 &&
data->client_port != 8827)
return false;
/* AMP Throughput tests are large one-way data transfers */
if (data->payload_len[0] != 0 && data->payload_len[1] != 0)
return false;
/* Packets are always going to be MSS-sized -- assume MTU is no
* smaller than 1280 bytes */
if (data->payload_len[0] < 1240 && data->payload_len[1] < 1240)
return false;
return true;
}
static inline bool match_amp(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_amp_throughput(data))
return true;
return false;
}
static lpi_module_t lpi_amp = {
LPI_PROTO_AMP,
LPI_CATEGORY_MONITORING,
"AMP",
240, /* AMP is not something I'd expect to see outside of Waikato */
match_amp
};
void register_amp(LPIModuleMap *mod_map) {
register_protocol(&lpi_amp, mod_map);
}

57
decoders/glimpse_detector/libprotoident/tcp/lpi_antcoin.cc Normal file
View File

@@ -0,0 +1,57 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_antcoin(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* port 10333 */
if (MATCH(data->payload[0], 'A', 'n', 't', 0x00)) {
if (MATCH(data->payload[1], 'A', 'n', 't', 0x00))
return true;
}
return false;
}
static lpi_module_t lpi_antcoin = {
LPI_PROTO_ANTCOIN,
LPI_CATEGORY_ECOMMERCE,
"AntCoin",
5,
match_antcoin
};
void register_antcoin(LPIModuleMap *mod_map) {
register_protocol(&lpi_antcoin, mod_map);
}

89
decoders/glimpse_detector/libprotoident/tcp/lpi_appearin.cc Normal file
View File

@@ -0,0 +1,89 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
/* Signalling protocol (?) used by appear.in, a WebRTC based video
* conferencing system.
*/
static inline bool match_appear_req(uint32_t payload, uint32_t len) {
uint32_t hlen = ntohl(payload) & 0xffff;
/* Usually 28 bytes */
if (hlen == len - 20 && MATCH(payload, 0x00, 0x03, 0x00, ANY))
return true;
return false;
}
static inline bool match_appear_resp(uint32_t payload, uint32_t len) {
uint32_t hlen = ntohl(payload) & 0xffff;
/* Usually 92 bytes */
if (hlen == len - 20 && MATCH(payload, 0x01, 0x13, 0x00, ANY))
return true;
return false;
}
static inline bool match_appearin(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (data->server_port != 443 && data->client_port != 443)
return false;
if (match_appear_req(data->payload[0], data->payload_len[0])) {
if (match_appear_resp(data->payload[1], data->payload_len[1]))
return true;
}
if (match_appear_req(data->payload[1], data->payload_len[1])) {
if (match_appear_resp(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_appearin = {
LPI_PROTO_APPEAR_IN,
LPI_CATEGORY_VOIP,
"Appear.in",
120,
match_appearin
};
void register_appearin(LPIModuleMap *mod_map) {
register_protocol(&lpi_appearin, mod_map);
}

69
decoders/glimpse_detector/libprotoident/tcp/lpi_apple_push.cc Normal file
View File

@@ -0,0 +1,69 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_apple_push(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* This rule matches the push notifications sent to IOS devices */
if (!match_ssl(data))
return false;
/* Port 5223 is used for the push notifications */
if (data->server_port != 5223 && data->client_port != 5223)
return false;
/* If payload is only one-way, fall back to SSL to avoid risking
* a false positive for other port 5223 SSL apps, e.g. Kik */
if (data->payload_len[0] == 0 || data->payload_len[1] == 0)
return false;
/* Too much size variation to write a good set of rules based on
* payload sizes, just use this as the fallback option for all
* SSL traffic on 5223 that doesn't match something else, e.g.
* PSN store */
return true;
}
static lpi_module_t lpi_apple_push = {
LPI_PROTO_APPLE_PUSH,
LPI_CATEGORY_NOTIFICATION,
"ApplePush",
8, /* Should be a higher priority than regular SSL, but lower than
anything else on port 5223 */
match_apple_push
};
void register_apple_push(LPIModuleMap *mod_map) {
register_protocol(&lpi_apple_push, mod_map);
}

87
decoders/glimpse_detector/libprotoident/tcp/lpi_ares.cc Normal file
View File

@@ -0,0 +1,87 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_ares_client(uint32_t payload, uint32_t len) {
if (len != 6)
return false;
if (!MATCH(payload, 0x03, 0x00, 0x5a, 0x06))
return false;
return true;
}
static inline bool match_ares_peer(uint32_t payload, uint32_t len) {
if (len != 138)
return false;
if (MATCH(payload, 0x87, 0x00, 0x3c, ANY))
return true;
if (MATCH(payload, 0x87, 0x00, 0x3b, ANY))
return true;
return false;
}
static inline bool match_ares(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Pretty sure this is the ARES p2p protocol */
if (match_str_either(data, "ARES"))
return true;
if (match_ares_client(data->payload[0], data->payload_len[0])) {
if (match_ares_peer(data->payload[1], data->payload_len[1]))
return true;
}
if (match_ares_client(data->payload[1], data->payload_len[1])) {
if (match_ares_peer(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_ares = {
LPI_PROTO_ARES,
LPI_CATEGORY_P2P,
"Ares",
8,
match_ares
};
void register_ares(LPIModuleMap *mod_map) {
register_protocol(&lpi_ares, mod_map);
}

82
decoders/glimpse_detector/libprotoident/tcp/lpi_badbaidu.cc Normal file
View File

@@ -0,0 +1,82 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
/* Strange flows that seem to be related to users running the Baidu browser.
* The flow will connect to a Baidu server on port 80, send no data, then
* start sending FINs. After about 6 FINs, the client will then send a one
* byte packet with a sequence number matching the original SYN (which is
* of course completely invalid). At this point, the server usually terminates
* the connection.
*
* Confirmed as being associated with Baidu browser after observing this
* exact traffic after installing the browser.
*
* Not sure what the purpose of this is, or how the browser manages to send
* invalid TCP traffic but it is the root cause behind a lot of non-HTTP
* flows on TCP port 80.
*/
static inline bool match_badbaidu(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Only seen on port 80 */
if (data->client_port != 80 && data->server_port != 80)
return false;
/* Packet is one byte; the byte itself is 0x00. The other end
* does not send any payload.
*/
if (data->payload_len[0] == 0 && data->payload_len[1] == 1) {
if (MATCH(data->payload[1], 0x00, 0x00, 0x00, 0x00))
return true;
}
if (data->payload_len[1] == 0 && data->payload_len[0] == 1) {
if (MATCH(data->payload[0], 0x00, 0x00, 0x00, 0x00))
return true;
}
return false;
}
static lpi_module_t lpi_badbaidu = {
LPI_PROTO_BADBAIDU,
LPI_CATEGORY_MALWARE,
"BadBaidu",
100,
match_badbaidu
};
void register_badbaidu(LPIModuleMap *mod_map) {
register_protocol(&lpi_badbaidu, mod_map);
}

74
decoders/glimpse_detector/libprotoident/tcp/lpi_baofeng_tcp.cc Normal file
View File

@@ -0,0 +1,74 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_baofeng_52(uint32_t payload, uint32_t len) {
if (MATCH(payload, 0x52, 0x00, 0x00, 0x00))
return true;
return false;
}
static inline bool match_baofeng_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (data->server_port == 7909 || data->client_port == 7909) {
if (match_baofeng_52(data->payload[1], data->payload_len[1])) {
if (match_baofeng_52(data->payload[0], data->payload_len[0]))
return true;
}
}
if (data->server_port == 8189 || data->client_port == 8189) {
if (data->payload_len[0] == 63 && data->payload_len[1] == 152)
return true;
if (data->payload_len[1] == 63 && data->payload_len[0] == 152)
return true;
}
return false;
}
static lpi_module_t lpi_baofeng_tcp = {
LPI_PROTO_BAOFENG,
LPI_CATEGORY_STREAMING,
"Baofeng",
105,
match_baofeng_tcp
};
void register_baofeng_tcp(LPIModuleMap *mod_map) {
register_protocol(&lpi_baofeng_tcp, mod_map);
}

66
decoders/glimpse_detector/libprotoident/tcp/lpi_beam.cc Normal file
View File

@@ -0,0 +1,66 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_bm(uint32_t payload, uint32_t len) {
if (len == 40 && MATCH(payload, 'B', 'm', 0x0a, 0x04)) {
return true;
}
return false;
}
static inline bool match_beam(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (data->server_port != 8100 && data->client_port != 8100) {
return false;
}
if (match_bm(data->payload[0], data->payload_len[0])) {
if (match_bm(data->payload[1], data->payload_len[1])) {
return true;
}
}
return false;
}
static lpi_module_t lpi_beam = {
LPI_PROTO_BEAM,
LPI_CATEGORY_ECOMMERCE,
"Beam",
25,
match_beam
};
void register_beam(LPIModuleMap *mod_map) {
register_protocol(&lpi_beam, mod_map);
}

75
decoders/glimpse_detector/libprotoident/tcp/lpi_bitcoin.cc Normal file
View File

@@ -0,0 +1,75 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_bc_version(uint32_t payload, uint32_t len) {
if (len >= 24 && MATCH(payload, 0xf9, 0xbe, 0xb4, 0xd9))
return true;
return false;
}
static inline bool match_bc_version_reply(uint32_t payload, uint32_t len) {
if (len >= 24 && MATCH(payload, 0xf9, 0xbe, 0xb4, 0xd9))
return true;
return false;
}
static inline bool match_bitcoin(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_bc_version(data->payload[0], data->payload_len[0])) {
if (match_bc_version_reply(data->payload[1], data->payload_len[1]))
return true;
}
if (match_bc_version(data->payload[1], data->payload_len[1])) {
if (match_bc_version_reply(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_bitcoin = {
LPI_PROTO_BITCOIN,
LPI_CATEGORY_ECOMMERCE,
"Bitcoin",
5,
match_bitcoin
};
void register_bitcoin(LPIModuleMap *mod_map) {
register_protocol(&lpi_bitcoin, mod_map);
}

90
decoders/glimpse_detector/libprotoident/tcp/lpi_bitextend.cc Normal file
View File

@@ -0,0 +1,90 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
/* Bittorrent extensions (?)
*
* TODO Find some good references for this
*/
static inline bool match_bitextend(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_str_both(data, "\x0\x0\x0\xd", "\x0\x0\x0\x1"))
return true;
if (match_str_both(data, "\x0\x0\x0\x3", "\x0\x0\x0\x38"))
return true;
if (match_str_both(data, "\x0\x0\x0\x3", "\x0\x0\x0\x39"))
return true;
if (match_str_both(data, "\x0\x0\x0\x3", "\x0\x0\x0\x3"))
return true;
if (match_str_both(data, "\x0\x0\x0\x4e", "\x0\x0\x0\xb2"))
return true;
if (match_chars_either(data, 0x00, 0x00, 0x40, 0x09))
return true;
if (MATCH(data->payload[0], 0x00, 0x00, 0x01, ANY) &&
MATCH(data->payload[1], 0x00, 0x00, 0x00, 0x38))
return true;
if (MATCH(data->payload[1], 0x00, 0x00, 0x01, ANY) &&
MATCH(data->payload[0], 0x00, 0x00, 0x00, 0x38))
return true;
if (MATCH(data->payload[0], 0x00, 0x00, 0x00, ANY) &&
MATCH(data->payload[1], 0x00, 0x00, 0x00, 0x05))
return true;
if (MATCH(data->payload[1], 0x00, 0x00, 0x00, ANY) &&
MATCH(data->payload[0], 0x00, 0x00, 0x00, 0x05))
return true;
if (MATCH(data->payload[0], 0x01, 0x00, ANY, 0x68) &&
MATCH(data->payload[1], 0x00, 0x00, 0x00, 0x05))
return true;
if (MATCH(data->payload[1], 0x01, 0x00, ANY, 0x68) &&
MATCH(data->payload[0], 0x00, 0x00, 0x00, 0x05))
return true;
return false;
}
static lpi_module_t lpi_bitextend = {
LPI_PROTO_BITEXT,
LPI_CATEGORY_P2P,
"Bittorrent_Extension",
5, /* This is probably fine, but I'd rather have this at 5 than 2 */
match_bitextend
};
void register_bitextend(LPIModuleMap *mod_map) {
register_protocol(&lpi_bitextend, mod_map);
}

96
decoders/glimpse_detector/libprotoident/tcp/lpi_bittorrent.cc Normal file
View File

@@ -0,0 +1,96 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_bittorrent_header(uint32_t payload, uint32_t len) {
if (len == 0)
return true;
if (MATCH(payload, 0x13, 'B', 'i', 't'))
return true;
if (len == 3 && MATCH(payload, 0x13, 'B', 'i', 0x00))
return true;
if (len == 2 && MATCH(payload, 0x13, 'B', 0x00, 0x00))
return true;
if (len == 1 && MATCH(payload, 0x13, 0x00, 0x00, 0x00))
return true;
return false;
}
static inline bool match_ww_xx_header(uint32_t payload, uint32_t len) {
/* Fairly confident that this is related to Bittorrent, though I
* can't seem to find any source code or documentation that references
* it.
*
* The full string included in the header is:
* 0x13 #WW-XX#@77
*/
if (len == 0)
return true;
if (MATCH(payload, 0x13, 0x23, 0x57, 0x57))
return true;
return false;
}
static inline bool match_bittorrent(lpi_data_t *data, lpi_module_t *mod UNUSED)
{
if (match_bittorrent_header(data->payload[0], data->payload_len[0])) {
if (match_bittorrent_header(data->payload[1],
data->payload_len[1]))
return true;
}
if (match_ww_xx_header(data->payload[0], data->payload_len[0])) {
if (match_ww_xx_header(data->payload[1], data->payload_len[1]))
return true;
}
return false;
}
static lpi_module_t lpi_bittorrent = {
LPI_PROTO_BITTORRENT,
LPI_CATEGORY_P2P,
"BitTorrent",
2,
match_bittorrent
};
void register_bittorrent(LPIModuleMap *mod_map) {
register_protocol(&lpi_bittorrent, mod_map);
}

93
decoders/glimpse_detector/libprotoident/tcp/lpi_blackdesert.cc Normal file
View File

@@ -0,0 +1,93 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
/* First two bytes definitely look like a little-endian length
* field, so we could use that to match more reply types */
/* Port 9991, 9992 and 9993 */
static inline bool match_bdo_request(uint32_t payload, uint32_t len) {
if (len == 111 && MATCH(payload, 0x6f, 0x00, 0x01, 0x9d))
return true;
if (len == 111 && MATCH(payload, 0x6f, 0x00, 0x01, 0x46))
return true;
if (len == 277 && MATCH(payload, 0x15, 0x01, 0x01, ANY))
return true;
if (len == 433 && MATCH(payload, 0xb1, 0x01, 0x01, ANY))
return true;
return false;
}
static inline bool match_bdo_reply(uint32_t payload, uint32_t len) {
if (len == 112 && MATCH(payload, 0x70, 0x00, 0x01, ANY))
return true;
if (len == 113 && MATCH(payload, 0x71, 0x00, 0x01, ANY))
return true;
if (len == 119 && MATCH(payload, 0x77, 0x00, 0x01, 0x46))
return true;
return false;
}
static inline bool match_blackdesert(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_bdo_request(data->payload[0], data->payload_len[0])) {
if (match_bdo_reply(data->payload[1], data->payload_len[1]))
return true;
}
if (match_bdo_request(data->payload[1], data->payload_len[1])) {
if (match_bdo_reply(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_blackdesert = {
LPI_PROTO_BLACKDESERT,
LPI_CATEGORY_GAMING,
"BlackDesertOnline",
12,
match_blackdesert
};
void register_blackdesert(LPIModuleMap *mod_map) {
register_protocol(&lpi_blackdesert, mod_map);
}

88
decoders/glimpse_detector/libprotoident/tcp/lpi_blizzard.cc Normal file
View File

@@ -0,0 +1,88 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_bnet_auth_req(uint32_t payload, uint32_t len) {
if (len >= 160 && len <= 170 && MATCH(payload, 0x00, 0x0a, 0x08, 0xfe))
return true;
return false;
}
static inline bool match_bnet_auth_resp(uint32_t payload, uint32_t len) {
if (len == 184 || len == 199) {
if (MATCH(payload, 0x00, 0x09, 0x08, 0x00))
return true;
}
return false;
}
static inline bool match_blizzard(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_str_both(data, "\x10\xdf\x22\x00", "\x10\x00\x00\x00"))
return true;
if (MATCH(data->payload[0], 0x00, ANY, 0xed, 0x01) &&
MATCH(data->payload[1], 0x00, 0x06, 0xec, 0x01))
return true;
if (MATCH(data->payload[1], 0x00, ANY, 0xed, 0x01) &&
MATCH(data->payload[0], 0x00, 0x06, 0xec, 0x01))
return true;
/* More up to date battle.net authentication protocol */
if (match_bnet_auth_req(data->payload[0], data->payload_len[0])) {
if (match_bnet_auth_resp(data->payload[1], data->payload_len[1]))
return true;
}
if (match_bnet_auth_req(data->payload[1], data->payload_len[1])) {
if (match_bnet_auth_resp(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_blizzard = {
LPI_PROTO_BLIZZARD,
LPI_CATEGORY_GAMING,
"Blizzard",
2,
match_blizzard
};
void register_blizzard(LPIModuleMap *mod_map) {
register_protocol(&lpi_blizzard, mod_map);
}

52
decoders/glimpse_detector/libprotoident/tcp/lpi_btsync.cc Normal file
View File

@@ -0,0 +1,52 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_btsync(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_str_either(data, "BSYN"))
return true;
return false;
}
static lpi_module_t lpi_btsync = {
LPI_PROTO_BTSYNC,
LPI_CATEGORY_FILES,
"BitTorrentSync",
8,
match_btsync
};
void register_btsync(LPIModuleMap *mod_map) {
register_protocol(&lpi_btsync, mod_map);
}

85
decoders/glimpse_detector/libprotoident/tcp/lpi_bwsyncandshare.cc Normal file
View File

@@ -0,0 +1,85 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
/* Have not tested against the application itself, as it is restricted
* to certain German universities. There may be more variants of this
* traffic.
*/
static inline bool match_bws_951(uint32_t payload, uint32_t len) {
if (len == 4 && MATCH(payload, 0x00, 0x00, 0x09, 0x51))
return true;
return false;
}
static inline bool match_bws_other(uint32_t payload, uint32_t len) {
uint32_t lastbyte = ntohl(payload) & 0x000000ff;
if (len == 4 && MATCH(payload, 0x00, 0x00, 0x08, ANY)) {
/* Byte 4 is always 0xfX, where X can be just about
* anything.
*/
if ((lastbyte & 0xf0) == 0xf0)
return true;
}
return false;
}
static inline bool match_bwsyncandshare(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Port 60107? */
if (match_bws_951(data->payload[0], data->payload_len[0])) {
if (match_bws_other(data->payload[1], data->payload_len[1]))
return true;
}
if (match_bws_951(data->payload[1], data->payload_len[1])) {
if (match_bws_other(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_bwsyncandshare = {
LPI_PROTO_BWSYNC,
LPI_CATEGORY_CLOUD,
"BWSyncAndShare",
120,
match_bwsyncandshare
};
void register_bwsyncandshare(LPIModuleMap *mod_map) {
register_protocol(&lpi_bwsyncandshare, mod_map);
}

65
decoders/glimpse_detector/libprotoident/tcp/lpi_cacaoweb.cc Normal file
View File

@@ -0,0 +1,65 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_cacaoweb_header(uint32_t payload, uint32_t len) {
if (!MATCH(payload, 0x84, 0x95, 0xa6, 0xbe))
return false;
if (len >= 51 && len <= 56)
return true;
if (len == 91)
return true;
return false;
}
static inline bool match_cacaoweb(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_cacaoweb_header(data->payload[0], data->payload_len[0])) {
if (match_cacaoweb_header(data->payload[1], data->payload_len[1]))
return true;
}
return false;
}
static lpi_module_t lpi_cacaoweb = {
LPI_PROTO_CACAOWEB,
LPI_CATEGORY_P2P,
"CacaoWeb",
5,
match_cacaoweb
};
void register_cacaoweb(LPIModuleMap *mod_map) {
register_protocol(&lpi_cacaoweb, mod_map);
}

55
decoders/glimpse_detector/libprotoident/tcp/lpi_cgp.cc Normal file
View File

@@ -0,0 +1,55 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_cgp(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Citrix CGP is a special version of ICA that runs on TCP port
* 2598 */
if (match_str_both(data, "\x1a""CGP", "\x1a""CGP"))
return true;
return false;
}
static lpi_module_t lpi_cgp = {
LPI_PROTO_CGP,
LPI_CATEGORY_REMOTE,
"CitrixCGP",
3,
match_cgp
};
void register_cgp(LPIModuleMap *mod_map) {
register_protocol(&lpi_cgp, mod_map);
}

82
decoders/glimpse_detector/libprotoident/tcp/lpi_chatango.cc Normal file
View File

@@ -0,0 +1,82 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_chatango_in(uint32_t payload, uint32_t len) {
if (len != 2)
return false;
if (!MATCH(payload, 'v', 0x00, 0x00, 0x00))
return false;
return true;
}
static inline bool match_chatango_out(uint32_t payload, uint32_t len) {
if (len != 10)
return false;
if (MATCH(payload, 'v', ':', '1', '0'))
return true;
if (MATCH(payload, 'v', ':', '1', '4'))
return true;
return false;
}
static inline bool match_chatango(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_chatango_out(data->payload[0], data->payload_len[0])) {
if (match_chatango_in(data->payload[1], data->payload_len[1]))
return true;
}
if (match_chatango_in(data->payload[0], data->payload_len[0])) {
if (match_chatango_out(data->payload[1], data->payload_len[1]))
return true;
}
return false;
}
static lpi_module_t lpi_chatango = {
LPI_PROTO_CHATANGO,
LPI_CATEGORY_CHAT,
"Chatango",
3,
match_chatango
};
void register_chatango(LPIModuleMap *mod_map) {
register_protocol(&lpi_chatango, mod_map);
}

76
decoders/glimpse_detector/libprotoident/tcp/lpi_cisco_vpn.cc Normal file
View File

@@ -0,0 +1,76 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_cisco_vpn_server(uint32_t payload, uint32_t len) {
if (len == 0)
return true;
if (MATCH(payload, 0x01, 0xf4, ANY, ANY))
return true;
return false;
}
static inline bool match_cisco_vpn_client(uint32_t payload, uint32_t len) {
if (len == 0)
return true;
if (MATCH(payload, ANY, ANY, 0x01, 0xf4))
return true;
return false;
}
static inline bool match_cisco_vpn(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_cisco_vpn_server(data->payload[0], data->payload_len[0])) {
if (match_cisco_vpn_client(data->payload[1], data->payload_len[1]))
return true;
}
if (match_cisco_vpn_server(data->payload[1], data->payload_len[1])) {
if (match_cisco_vpn_client(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_cisco_vpn = {
LPI_PROTO_CISCO_VPN,
LPI_CATEGORY_TUNNELLING,
"Cisco_VPN",
7,
match_cisco_vpn
};
void register_cisco_vpn(LPIModuleMap *mod_map) {
register_protocol(&lpi_cisco_vpn, mod_map);
}

98
decoders/glimpse_detector/libprotoident/tcp/lpi_clashofclans.cc Normal file
View File

@@ -0,0 +1,98 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_coc_login(uint32_t payload, uint32_t len) {
/* First two bytes are 10101 (0x2775) or 10100 (0x2774)
* Next three bytes are a length field, usually 250-330 bytes */
if (MATCH(payload, 0x27, 0x75, 0x00, 0x01))
return true;
if (MATCH(payload, 0x27, 0x75, 0x00, 0x00))
return true;
if (MATCH(payload, 0x27, 0x74, 0x00, 0x01))
return true;
if (MATCH(payload, 0x27, 0x74, 0x00, 0x00))
return true;
return false;
}
static inline bool match_coc_encrypt(uint32_t payload, uint32_t len) {
/* First two bytes are 20000 (0x4e20) or 20100 (0x4e84)
* Next three bytes are a length field, always seems to be just
* under 256 bytes */
if (MATCH(payload, 0x4e, 0x20, 0x00, 0x00))
return true;
if (MATCH(payload, 0x4e, 0x84, 0x00, 0x00))
return true;
return false;
}
static inline bool match_clashofclans(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Could limit this to port 9339, but the pattern is probably strong
* enough by itself */
/* Actually, port 1863 is also used... */
if (match_coc_login(data->payload[0], data->payload_len[0])) {
if (match_coc_encrypt(data->payload[1], data->payload_len[1]))
return true;
}
if (match_coc_login(data->payload[1], data->payload_len[1])) {
if (match_coc_encrypt(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_clashofclans = {
LPI_PROTO_CLASH_OF_CLANS,
LPI_CATEGORY_GAMING,
"ClashOfClans",
4,
match_clashofclans
};
void register_clashofclans(LPIModuleMap *mod_map) {
register_protocol(&lpi_clashofclans, mod_map);
}

75
decoders/glimpse_detector/libprotoident/tcp/lpi_classin_tcp.cc Normal file
View File

@@ -0,0 +1,75 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_classin_41(uint32_t payload, uint32_t len) {
if (len == 41 && MATCH(payload, 0x1a, 0x03, 0x00, 0x02)) {
return true;
}
return false;
}
static inline bool match_classin_52(uint32_t payload, uint32_t len) {
if (len == 52 && MATCH(payload, 0x1a, 0x03, 0x00, 0x02)) {
return true;
}
return false;
}
static inline bool match_classin_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_classin_41(data->payload[0], data->payload_len[0])) {
if (match_classin_52(data->payload[1], data->payload_len[1])) {
return true;
}
}
if (match_classin_41(data->payload[1], data->payload_len[1])) {
if (match_classin_52(data->payload[0], data->payload_len[0])) {
return true;
}
}
return false;
}
static lpi_module_t lpi_classin_tcp = {
LPI_PROTO_CLASSIN,
LPI_CATEGORY_EDUCATIONAL,
"ClassIn_TCP",
133,
match_classin_tcp
};
void register_classin_tcp(LPIModuleMap *mod_map) {
register_protocol(&lpi_classin_tcp, mod_map);
}

57
decoders/glimpse_detector/libprotoident/tcp/lpi_clubbox.cc Normal file
View File

@@ -0,0 +1,57 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_clubbox(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (!match_str_both(data, "\x00\x00\x01\x03", "\x00\x00\x01\x03"))
return false;
if (data->payload_len[0] == 36 && data->payload_len[1] == 28)
return true;
if (data->payload_len[1] == 36 && data->payload_len[0] == 28)
return true;
return false;
}
static lpi_module_t lpi_clubbox = {
LPI_PROTO_CLUBBOX,
LPI_CATEGORY_P2P,
"Clubbox",
3,
match_clubbox
};
void register_clubbox(LPIModuleMap *mod_map) {
register_protocol(&lpi_clubbox, mod_map);
}

63
decoders/glimpse_detector/libprotoident/tcp/lpi_cod_waw.cc Normal file
View File

@@ -0,0 +1,63 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_cod_waw(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Call of Duty: World at War uses TCP port 3074 - the protocol isn't
* well documented, but traffic matching this pattern goes to known
* CoD servers */
if (data->server_port != 3074 && data->client_port != 3074)
return false;
if (data->payload_len[0] != 4 || data->payload_len[1] != 4)
return false;
if (data->payload[0] != 0 || data->payload[1] != 0)
return false;
return true;
}
static lpi_module_t lpi_cod_waw = {
LPI_PROTO_COD_WAW,
LPI_CATEGORY_GAMING,
"Call_of_Duty_TCP",
10, /* Weak rule */
match_cod_waw
};
void register_cod_waw(LPIModuleMap *mod_map) {
register_protocol(&lpi_cod_waw, mod_map);
}

67
decoders/glimpse_detector/libprotoident/tcp/lpi_conquer.cc Normal file
View File

@@ -0,0 +1,67 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_conquer(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (data->payload_len[0] == 5 && data->payload_len[1] == 4 &&
MATCH(data->payload[0], 'R', 'E', 'A', 'D'))
return true;
if (data->payload_len[1] == 5 && data->payload_len[0] == 4 &&
MATCH(data->payload[1], 'R', 'E', 'A', 'D'))
return true;
if (data->payload_len[0] == 4 && (MATCH(data->payload[0], '5', '0', ANY, ANY) ||
MATCH(data->payload[0], '5', '1', ANY, ANY)) &&
MATCH(data->payload[1], 'U', 'P', 'D', 'A'))
return true;
if (data->payload_len[1] == 4 && (MATCH(data->payload[1], '5', '0', ANY, ANY) ||
MATCH(data->payload[1], '5', '1', ANY, ANY)) &&
MATCH(data->payload[0], 'U', 'P', 'D', 'A'))
return true;
return false;
}
static lpi_module_t lpi_conquer = {
LPI_PROTO_CONQUER,
LPI_CATEGORY_GAMING,
"ConquerOnline",
3,
match_conquer
};
void register_conquer(LPIModuleMap *mod_map) {
register_protocol(&lpi_conquer, mod_map);
}

76
decoders/glimpse_detector/libprotoident/tcp/lpi_crashplan.cc Normal file
View File

@@ -0,0 +1,76 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_crashplan_16(uint32_t payload, uint32_t len) {
if (len != 16)
return false;
return true;
}
static inline bool match_crashplan_6(uint32_t payload, uint32_t len) {
if (len != 6)
return false;
if (!MATCH(payload, 0x80, 0x63, 0x00, 0x00))
return false;
return true;
}
static inline bool match_crashplan(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_crashplan_16(data->payload[0], data->payload_len[0])) {
if (match_crashplan_6(data->payload[1], data->payload_len[1]))
return true;
}
if (match_crashplan_16(data->payload[1], data->payload_len[1])) {
if (match_crashplan_6(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_crashplan = {
LPI_PROTO_CRASHPLAN,
LPI_CATEGORY_CLOUD,
"CrashPlan",
50,
match_crashplan
};
void register_crashplan(LPIModuleMap *mod_map) {
register_protocol(&lpi_crashplan, mod_map);
}

82
decoders/glimpse_detector/libprotoident/tcp/lpi_crossfire_tcp.cc Normal file
View File

@@ -0,0 +1,82 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_cf_05(uint32_t payload, uint32_t len) {
if (len == 65 && MATCH(payload, 0x05, 0x01, 0x99, 0x01))
return true;
return false;
}
static inline bool match_cf_tcp(uint32_t payload, uint32_t len) {
uint32_t hlen = bswap_le_to_host32(payload & 0xffff00) >> 8;
if (len < 1350 && hlen != len - 7)
return false;
if (MATCH(payload, 0xf1, ANY, ANY, 0x01))
return true;
if (MATCH(payload, 0xf1, ANY, ANY, 0x00))
return true;
return false;
}
static inline bool match_crossfire_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_cf_tcp(data->payload[0], data->payload_len[0])) {
if (match_cf_tcp(data->payload[1], data->payload_len[1])) {
return true;
}
if (match_cf_05(data->payload[1], data->payload_len[1])) {
return true;
}
}
if (match_cf_05(data->payload[0], data->payload_len[0])) {
if (match_cf_tcp(data->payload[1], data->payload_len[1]))
return true;
}
return false;
}
static lpi_module_t lpi_crossfire_tcp = {
LPI_PROTO_CROSSFIRE,
LPI_CATEGORY_GAMING,
"CrossfireTCP",
30,
match_crossfire_tcp
};
void register_crossfire_tcp(LPIModuleMap *mod_map) {
register_protocol(&lpi_crossfire_tcp, mod_map);
}

55
decoders/glimpse_detector/libprotoident/tcp/lpi_cryptic.cc Normal file
View File

@@ -0,0 +1,55 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
/* Cryptic are the company behind several popular MMOs, including
* Champions Online and Star Trek Online */
static inline bool match_cryptic(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_str_both(data, "Cryp", "Cryp"))
return true;
return false;
}
static lpi_module_t lpi_cryptic = {
LPI_PROTO_CRYPTIC,
LPI_CATEGORY_GAMING,
"Cryptic",
2,
match_cryptic
};
void register_cryptic(LPIModuleMap *mod_map) {
register_protocol(&lpi_cryptic, mod_map);
}

90
decoders/glimpse_detector/libprotoident/tcp/lpi_cvs.cc Normal file
View File

@@ -0,0 +1,90 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_cvs_request(uint32_t data, uint32_t len) {
if (MATCHSTR(data, "BEGI"))
return true;
return false;
}
static inline bool match_cvs_response(uint32_t data, uint32_t len) {
if (len == 0)
return true;
/* "I LOVE YOU" = auth succeeded */
if (MATCHSTR(data, "I LO"))
return true;
/* "I HATE YOU" = auth failed */
if (MATCHSTR(data, "I HA"))
return true;
/* "E <msg>" = a message */
if (MATCH(data, 'E', ' ', ANY, ANY))
return true;
/* error = an error */
if (MATCHSTR(data, "erro"))
return true;
return false;
}
static inline bool match_cvs(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_cvs_request(data->payload[0], data->payload_len[0]) &&
match_cvs_response(data->payload[1], data->payload_len[1]))
return true;
if (match_cvs_request(data->payload[1], data->payload_len[1]) &&
match_cvs_response(data->payload[0], data->payload_len[0]))
return true;
return false;
}
static lpi_module_t lpi_cvs = {
LPI_PROTO_CVS,
LPI_CATEGORY_RCS,
"CVS",
3,
match_cvs
};
void register_cvs(LPIModuleMap *mod_map) {
register_protocol(&lpi_cvs, mod_map);
}

92
decoders/glimpse_detector/libprotoident/tcp/lpi_dahua_tcp.cc Normal file
View File

@@ -0,0 +1,92 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
/* Chinese IP surveillance Cameras */
static inline bool match_dahua_ports(uint16_t sport, uint16_t cport) {
if (sport == 8888 || cport == 8888) {
return true;
}
if (sport == 37777 || cport == 37777) {
return true;
}
return false;
}
static inline bool match_f4_186(uint32_t payload, uint32_t len) {
if (len == 186 && MATCH(payload, 0xf4, 0x00, 0x00, 0x00))
return true;
return false;
}
static inline bool match_f4_208(uint32_t payload, uint32_t len) {
if (len >= 206 && len <= 208 && MATCH(payload, 0xf4, 0x00, 0x00, 0x58))
return true;
return false;
}
static inline bool match_dahua(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (!match_dahua_ports(data->server_port, data->client_port)) {
return false;
}
if (match_f4_186(data->payload[0], data->payload_len[0])) {
if (match_f4_208(data->payload[1], data->payload_len[1])) {
return true;
}
}
if (match_f4_186(data->payload[1], data->payload_len[1])) {
if (match_f4_208(data->payload[0], data->payload_len[0])) {
return true;
}
}
return false;
}
static lpi_module_t lpi_dahua_tcp = {
LPI_PROTO_DAHUA,
LPI_CATEGORY_IPCAMERAS,
"DahuaTCP",
13,
match_dahua
};
void register_dahua_tcp(LPIModuleMap *mod_map) {
register_protocol(&lpi_dahua_tcp, mod_map);
}

74
decoders/glimpse_detector/libprotoident/tcp/lpi_dash.cc Normal file
View File

@@ -0,0 +1,74 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_dash_125(uint32_t payload, uint32_t len) {
if (len == 125 && MATCH(payload, 0xbf, 0x0c, 0x6b, 0xbd))
return true;
return false;
}
static inline bool match_dash_130(uint32_t payload, uint32_t len) {
if (len == 130 && MATCH(payload, 0xbf, 0x0c, 0x6b, 0xbd))
return true;
return false;
}
static inline bool match_dash(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Port 9999 */
if (match_dash_125(data->payload[0], data->payload_len[0])) {
if (match_dash_130(data->payload[1], data->payload_len[1]))
return true;
}
if (match_dash_125(data->payload[1], data->payload_len[1])) {
if (match_dash_130(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_dash = {
LPI_PROTO_DASH,
LPI_CATEGORY_ECOMMERCE,
"Dash",
5,
match_dash
};
void register_dash(LPIModuleMap *mod_map) {
register_protocol(&lpi_dash, mod_map);
}

85
decoders/glimpse_detector/libprotoident/tcp/lpi_dell_backup.cc Normal file
View File

@@ -0,0 +1,85 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
/* This one is a bit tenuous but I'm reasonably confident that this is
* something to do with the Dell backup and recovery service. All observed
* traffic matching the rules described here go 66.151.242.0/24, which has
* previously reversed to dellbackupandrecoverycloudstorage.com.
*/
static inline bool match_dell_backup_req(uint32_t payload, uint32_t len) {
if (len != 12)
return false;
if (MATCH(payload, 0x08, 0x00, 0x00, 0x00))
return true;
return false;
}
static inline bool match_dell_backup_resp(uint32_t payload, uint32_t len) {
if (len != 24)
return false;
if (MATCH(payload, 0x14, 0x00, 0x00, 0x00))
return true;
return false;
}
static inline bool match_dell_backup(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (data->server_port != 443 && data->client_port != 443)
return false;
if (match_dell_backup_req(data->payload[0], data->payload_len[0])) {
if (match_dell_backup_resp(data->payload[1], data->payload_len[1]))
return true;
}
if (match_dell_backup_req(data->payload[1], data->payload_len[1])) {
if (match_dell_backup_resp(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_dell_backup = {
LPI_PROTO_DELL_BACKUP,
LPI_CATEGORY_CLOUD,
"DellBackup",
100,
match_dell_backup
};
void register_dell_backup(LPIModuleMap *mod_map) {
register_protocol(&lpi_dell_backup, mod_map);
}

74
decoders/glimpse_detector/libprotoident/tcp/lpi_destiny.cc Normal file
View File

@@ -0,0 +1,74 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
/* Destiny -- multiplayer FPS by Bungie */
static inline bool match_destiny_request(uint32_t payload, uint32_t len) {
if (len == 140 && MATCH(payload, 0x01, 0x02, 0x00, 0x00))
return true;
return false;
}
static inline bool match_destiny_reply(uint32_t payload, uint32_t len) {
if (len == 142 && MATCH(payload, 0x01, 0x02, 0x00, 0x00))
return true;
return false;
}
static inline bool match_destiny(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_destiny_request(data->payload[0], data->payload_len[0])) {
if (match_destiny_reply(data->payload[1], data->payload_len[1]))
return true;
}
if (match_destiny_request(data->payload[1], data->payload_len[1])) {
if (match_destiny_reply(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_destiny = {
LPI_PROTO_DESTINY,
LPI_CATEGORY_GAMING,
"Destiny",
23,
match_destiny
};
void register_destiny(LPIModuleMap *mod_map) {
register_protocol(&lpi_destiny, mod_map);
}

71
decoders/glimpse_detector/libprotoident/tcp/lpi_diablo3.cc Normal file
View File

@@ -0,0 +1,71 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_diablo_req(uint32_t payload, uint32_t len) {
if (len == 25 && MATCH(payload, 0x00, 0x00, 0x00, 0x19))
return true;
return false;
}
static inline bool match_diablo_resp(uint32_t payload, uint32_t len) {
if (len == 66 && MATCH(payload, 0x00, 0x00, 0x00, 0x42))
return true;
return false;
}
static inline bool match_diablo3(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_diablo_req(data->payload[0], data->payload_len[0])) {
if (match_diablo_resp(data->payload[1], data->payload_len[1]))
return true;
}
if (match_diablo_req(data->payload[1], data->payload_len[1])) {
if (match_diablo_resp(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_diablo3 = {
LPI_PROTO_DIABLO3,
LPI_CATEGORY_GAMING,
"Diablo3",
5,
match_diablo3
};
void register_diablo3(LPIModuleMap *mod_map) {
register_protocol(&lpi_diablo3, mod_map);
}

82
decoders/glimpse_detector/libprotoident/tcp/lpi_dianping_tcp.cc Normal file
View File

@@ -0,0 +1,82 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_dianping_query(uint32_t payload, uint32_t len) {
if (len != 1)
return false;
if (MATCH(payload, 0x00, 0x00, 0x00, 0x00))
return true;
if (MATCH(payload, 0x01, 0x00, 0x00, 0x00))
return true;
return false;
}
static inline bool match_dianping_resp(uint32_t payload, uint32_t len) {
if (len != 1)
return false;
if (MATCH(payload, 0x00, 0x00, 0x00, 0x00))
return true;
return false;
}
static inline bool match_dianping_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (data->server_port != 80 && data->client_port != 80 &&
data->client_port != 443 && data->server_port != 443)
return false;
if (match_dianping_query(data->payload[0], data->payload_len[0])) {
if (match_dianping_resp(data->payload[1], data->payload_len[1]))
return true;
}
if (match_dianping_query(data->payload[1], data->payload_len[1])) {
if (match_dianping_resp(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_dianping_tcp = {
LPI_PROTO_DIANPING,
LPI_CATEGORY_MOBILE_APP,
"DianpingTCP",
210,
match_dianping_tcp
};
void register_dianping_tcp(LPIModuleMap *mod_map) {
register_protocol(&lpi_dianping_tcp, mod_map);
}

64
decoders/glimpse_detector/libprotoident/tcp/lpi_directconnect.cc Normal file
View File

@@ -0,0 +1,64 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_dc(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* $MyN seemed best to check for - might have to check for $max and
* $Sup as well */
/* NOTE: Some people seem to use DC to connect to port 80 and get
* HTTP responses. At this stage, I'd rather that fell under DC rather
* than HTTP, so we need to check for this before we check for HTTP */
if (match_str_either(data, "$MyN")) return true;
if (match_str_either(data, "$Sup")) return true;
if (match_str_either(data, "$Loc")) return true;
/* Response is usually an HTTP response - we could check that if
* needed */
return false;
}
static lpi_module_t lpi_directconnect = {
LPI_PROTO_DC,
LPI_CATEGORY_P2P,
"DirectConnect",
1, /* Need a higher priority than regular HTTP */
match_dc
};
void register_directconnect(LPIModuleMap *mod_map) {
register_protocol(&lpi_directconnect, mod_map);
}

73
decoders/glimpse_detector/libprotoident/tcp/lpi_dnf.cc Normal file
View File

@@ -0,0 +1,73 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_dnf_90(uint32_t payload, uint32_t len) {
if (len == 90 && MATCH(payload, 0x01, 0x00, 0x00, 0x00))
return true;
return false;
}
static inline bool match_dnf_258(uint32_t payload, uint32_t len) {
if (len == 258 && MATCH(payload, 0x01, 0x00, 0x00, 0x01))
return true;
return false;
}
static inline bool match_dnf(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Port 80 or 443 */
if (match_dnf_90(data->payload[0], data->payload_len[0])) {
if (match_dnf_258(data->payload[1], data->payload_len[1]))
return true;
}
if (match_dnf_90(data->payload[1], data->payload_len[1])) {
if (match_dnf_258(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_dnf = {
LPI_PROTO_DNF,
LPI_CATEGORY_GAMING,
"DNF",
150,
match_dnf
};
void register_dnf(LPIModuleMap *mod_map) {
register_protocol(&lpi_dnf, mod_map);
}

102
decoders/glimpse_detector/libprotoident/tcp/lpi_dns.cc Normal file
View File

@@ -0,0 +1,102 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static bool match_length_single(uint32_t payload, uint32_t len) {
uint32_t statedlen;
if (len == 2) {
return true;
}
statedlen = (ntohl(payload) >> 16);
if (statedlen < 1280) {
if (statedlen != len - 2)
return false;
}
return true;
}
static bool match_dns_tcp_length(lpi_data_t *data) {
uint32_t id0, id1;
if (data->payload_len[0] == 0 || data->payload_len[1] == 0)
return false;
if (data->server_port != 53 && data->client_port != 53)
return false;
if (!match_length_single(data->payload[0], data->payload_len[0]))
return false;
if (!match_length_single(data->payload[1], data->payload_len[1]))
return false;
if (data->payload_len[0] > 2 && data->payload_len[1] > 2) {
id0 = (ntohl(data->payload[0]) & 0xffff);
id1 = (ntohl(data->payload[1]) & 0xffff);
if (id0 != id1)
return false;
}
return true;
}
static bool match_tcp_dns(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_dns(data))
return true;
if (match_dns_tcp_length(data))
return true;
return false;
}
static lpi_module_t lpi_dns = {
LPI_PROTO_DNS,
LPI_CATEGORY_SERVICES,
"DNS_TCP",
6, /* Not a high certainty */
match_tcp_dns
};
void register_dns_tcp(LPIModuleMap *mod_map) {
register_protocol(&lpi_dns, mod_map);
}

68
decoders/glimpse_detector/libprotoident/tcp/lpi_dogecoin.cc Normal file
View File

@@ -0,0 +1,68 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_dc_magic(uint32_t payload, uint32_t len) {
if (MATCH(payload, 0xc0, 0xc0, 0xc0, 0xc0)) {
if (len >= 125 && len <= 129)
return true;
if (len == 142)
return true;
}
return false;
}
static inline bool match_dogecoin(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Port == 22556 */
if (match_dc_magic(data->payload[0], data->payload_len[0])) {
if (match_dc_magic(data->payload[1], data->payload_len[1]))
return true;
}
return false;
}
static lpi_module_t lpi_dogecoin = {
LPI_PROTO_DOGECOIN,
LPI_CATEGORY_ECOMMERCE,
"Dogecoin",
8,
match_dogecoin
};
void register_dogecoin(LPIModuleMap *mod_map) {
register_protocol(&lpi_dogecoin, mod_map);
}

109
decoders/glimpse_detector/libprotoident/tcp/lpi_douyu.cc Normal file
View File

@@ -0,0 +1,109 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
/* This is a classic 4-byte length protocol, but there is plenty of
* scope for the packet sizes to vary a bit so we can't just look for
* a specific combo of packet sizes */
static inline bool match_douyu_req(uint32_t payload, uint32_t len) {
uint32_t plen = bswap_le_to_host32(payload);
/* Packet usually contains a username and a password so
* can probably vary quite a bit in size */
if (plen == len - 4) {
if (len <= 255)
return true;
}
return false;
}
static inline bool match_douyu_reply(uint32_t payload, uint32_t len) {
uint32_t plen = bswap_le_to_host32(payload);
/* Response packets seem like they will vary a lot less in
* size -- could be wrong though */
if (plen == len - 4) {
if (len >= 225 && len <= 255)
return true;
}
return false;
}
static inline bool match_douyu_port(uint16_t port) {
/* Based purely on observed flows, rather than any docs */
if (port >= 8601 && port <= 8605)
return true;
if (port >= 12601 && port <= 12605)
return true;
return false;
}
static inline bool match_douyu(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Tends to use a couple of different port ranges */
if (!match_douyu_port(data->server_port) &&
!match_douyu_port(data->client_port)) {
return false;
}
if (match_douyu_req(data->payload[0], data->payload_len[0])) {
if (match_douyu_reply(data->payload[1], data->payload_len[1]))
return true;
}
if (match_douyu_req(data->payload[1], data->payload_len[1])) {
if (match_douyu_reply(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_douyu = {
LPI_PROTO_DOUYU,
LPI_CATEGORY_STREAMING,
"Douyu",
249,
match_douyu
};
void register_douyu(LPIModuleMap *mod_map) {
register_protocol(&lpi_douyu, mod_map);
}

82
decoders/glimpse_detector/libprotoident/tcp/lpi_douyu_chat.cc Normal file
View File

@@ -0,0 +1,82 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_douyu_ee(uint32_t payload, uint32_t len) {
if (len == 242 && MATCH(payload, 0xee, 0x00, 0x00, 0x00))
return true;
return false;
}
static inline bool match_douyu_len(uint32_t payload, uint32_t len) {
if (bswap_host_to_le32(payload) == len - 4)
return true;
return false;
}
static inline bool match_douyu_chat(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (data->server_port != 8601 && data->client_port != 8601 &&
data->client_port != 8602 && data->server_port != 8602)
{
return false;
}
if (match_douyu_ee(data->payload[0], data->payload_len[0])) {
if (match_douyu_len(data->payload[1], data->payload_len[1]))
return true;
}
if (match_douyu_ee(data->payload[1], data->payload_len[1])) {
if (match_douyu_len(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_douyu_chat = {
LPI_PROTO_DOUYU_CHAT,
LPI_CATEGORY_CHAT,
"DouyuChat",
133,
match_douyu_chat
};
void register_douyu_chat(LPIModuleMap *mod_map) {
register_protocol(&lpi_douyu_chat, mod_map);
}

57
decoders/glimpse_detector/libprotoident/tcp/lpi_duelingnetwork.cc Normal file
View File

@@ -0,0 +1,57 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_duelingnetwork(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (data->server_port != 1235 && data->client_port != 1235)
return false;
if (data->payload_len[0] == 40 && MATCHSTR(data->payload[0], "Ritv"))
return true;
if (data->payload_len[1] == 40 && MATCHSTR(data->payload[1], "Ritv"))
return true;
return false;
}
static lpi_module_t lpi_duelingnetwork = {
LPI_PROTO_DUELING_NETWORK,
LPI_CATEGORY_GAMING,
"DuelingNetwork",
4,
match_duelingnetwork
};
void register_duelingnetwork(LPIModuleMap *mod_map) {
register_protocol(&lpi_duelingnetwork, mod_map);
}

101
decoders/glimpse_detector/libprotoident/tcp/lpi_dvrns.cc Normal file
View File

@@ -0,0 +1,101 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_dvrns_typea(uint32_t payload_a, uint32_t len_a,
uint32_t payload_b, uint32_t len_b) {
if (!MATCH(payload_a, 0x12, 0xa4, 0x00, 0x01))
return false;
if (len_a != 188)
return false;
if (len_b == 0)
return true;
if (len_b != 20)
return false;
if (!MATCH(payload_b, 0x12, 0xa4, 0x00, 0x01))
return false;
return true;
}
static inline bool match_dvrns_typeb(uint32_t payload_a, uint32_t len_a,
uint32_t payload_b, uint32_t len_b) {
if (!MATCH(payload_a, 0x12, 0xa4, 0x00, 0x01))
return false;
if (len_a != 12)
return false;
if (len_b == 0)
return true;
if (len_b != 140)
return false;
if (!MATCH(payload_b, 0x12, 0xa4, 0x00, 0x01))
return false;
return true;
}
static inline bool match_dvrns(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* DVRNS is basically DNS for DVR surveillance systems */
/* Not sure whether this is just the protocol used by dvrnames.net
* or all DVRNS systems */
if (match_dvrns_typea(data->payload[0], data->payload_len[0],
data->payload[1], data->payload_len[1]))
return true;
if (match_dvrns_typea(data->payload[1], data->payload_len[1],
data->payload[0], data->payload_len[0]))
return true;
if (match_dvrns_typeb(data->payload[0], data->payload_len[0],
data->payload[1], data->payload_len[1]))
return true;
if (match_dvrns_typeb(data->payload[1], data->payload_len[1],
data->payload[0], data->payload_len[0]))
return true;
return false;
}
static lpi_module_t lpi_dvrns = {
LPI_PROTO_DVRNS,
LPI_CATEGORY_SERVICES,
"DVRNS",
10,
match_dvrns
};
void register_dvrns(LPIModuleMap *mod_map) {
register_protocol(&lpi_dvrns, mod_map);
}

51
decoders/glimpse_detector/libprotoident/tcp/lpi_dxp.cc Normal file
View File

@@ -0,0 +1,51 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_dxp(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_chars_either(data, 0xb0, 0x04, 0x15, 0x00))
return true;
return false;
}
static lpi_module_t lpi_dxp = {
LPI_PROTO_DXP,
LPI_CATEGORY_DATABASES,
"Silverplatter_DXP",
3,
match_dxp
};
void register_dxp(LPIModuleMap *mod_map) {
register_protocol(&lpi_dxp, mod_map);
}

63
decoders/glimpse_detector/libprotoident/tcp/lpi_ea_games.cc Normal file
View File

@@ -0,0 +1,63 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_ea_games(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Not sure exactly what game this is, but the server matches the
* EA IP range and the default port is 9946 */
if (match_str_both(data, "&lgr", "&lgr"))
return true;
if (match_str_either(data, "&lgr")) {
if (data->payload_len[0] == 0)
return true;
if (data->payload_len[1] == 0)
return true;
}
return false;
}
static lpi_module_t lpi_ea_games = {
LPI_PROTO_EA_GAMES,
LPI_CATEGORY_GAMING,
"EA_Games",
4,
match_ea_games
};
void register_ea_games(LPIModuleMap *mod_map) {
register_protocol(&lpi_ea_games, mod_map);
}

51
decoders/glimpse_detector/libprotoident/tcp/lpi_emule.cc Normal file
View File

@@ -0,0 +1,51 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_emule_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_emule(data))
return true;
return false;
}
static lpi_module_t lpi_emule = {
LPI_PROTO_EMULE,
LPI_CATEGORY_P2P,
"EMule",
10, /* We've always had this at low priority */
match_emule_tcp
};
void register_emule(LPIModuleMap *mod_map) {
register_protocol(&lpi_emule, mod_map);
}

96
decoders/glimpse_detector/libprotoident/tcp/lpi_ethernetip.cc Normal file
View File

@@ -0,0 +1,96 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_command(uint32_t payload) {
// no op
if (MATCH(payload, 0x00, 0x00, ANY, ANY))
return true;
// list services
if (MATCH(payload, 0x04, 0x00, ANY, ANY))
return true;
// list identity
if (MATCH(payload, 0x63, 0x00, ANY, ANY))
return true;
// list interfaces
if (MATCH(payload, 0x64, 0x00, ANY, ANY))
return true;
// register session
if (MATCH(payload, 0x65, 0x00, 0x04, 0x00))
return true;
// un-register session
if (MATCH(payload, 0x66, 0x00, ANY, ANY))
return true;
// sendrrdata
if (MATCH(payload, 0x6f, 0x00, ANY, ANY))
return true;
// send unit data
if (MATCH(payload, 0x70, 0x00, ANY, ANY))
return true;
// indicate status
if (MATCH(payload, 0x72, 0x00, ANY, ANY))
return true;
// cancel
if (MATCH(payload, 0x73, 0x00, ANY, ANY))
return true;
// error
if (MATCH(payload, 0xff, 0xff, ANY, ANY))
return true;
return false;
}
static inline bool match_ethernetip(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (data->payload_len[0] < 24 || data->payload_len[1] < 24)
return false;
if (data->server_port != 44818 && data->client_port != 44818)
return false;
if (match_command(data->payload[0]) && match_command(data->payload[1]))
return true;
return false;
}
static lpi_module_t lpi_ethernetip = {
LPI_PROTO_ETHERNETIP,
LPI_CATEGORY_ICS,
"EtherNet/IP",
100,
match_ethernetip
};
void register_ethernetip(LPIModuleMap *mod_map) {
register_protocol(&lpi_ethernetip, mod_map);
}

54
decoders/glimpse_detector/libprotoident/tcp/lpi_eye.cc Normal file
View File

@@ -0,0 +1,54 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
/* All-seeing Eye - Yahoo Games */
static inline bool match_eye(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_str_either(data, "EYE1"))
return true;
return false;
}
static lpi_module_t lpi_eye = {
LPI_PROTO_EYE,
LPI_CATEGORY_GAMING,
"AllSeeingEye",
3,
match_eye
};
void register_eye(LPIModuleMap *mod_map) {
register_protocol(&lpi_eye, mod_map);
}

94
decoders/glimpse_detector/libprotoident/tcp/lpi_facebook_turn.cc Normal file
View File

@@ -0,0 +1,94 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_fbturn_request(uint32_t payload, uint32_t len) {
/* 0x74 == len - 2, 0x0001 == binding request */
if (len == 118 && MATCH(payload, 0x00, 0x74, 0x00, 0x01))
return true;
if (len == 114 && MATCH(payload, 0x00, 0x70, 0x00, 0x01))
return true;
if (len == 110 && MATCH(payload, 0x00, 0x6c, 0x00, 0x01))
return true;
if (len == 122 && MATCH(payload, 0x00, 0x78, 0x00, 0x01))
return true;
if (len == 126 && MATCH(payload, 0x00, 0x7c, 0x00, 0x01))
return true;
return false;
}
static inline bool match_fbturn_reply(uint32_t payload, uint32_t len) {
/* 0x40 == len - 2, 0x0101 == binding accepted */
if (len == 66 && MATCH(payload, 0x00, 0x40, 0x01, 0x01))
return true;
if (len == 82 && MATCH(payload, 0x00, 0x50, 0x01, 0x01))
return true;
return false;
}
static inline bool match_facebook_turn(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Seems to be a slightly custom version of TURN, as there is a two
* byte length field preceding the conventional STUN header. Can't
* find any explanation for this in RFC 5766, so maybe it is a Facebook
* addition?
*/
if (data->server_port != 443 && data->client_port != 443)
return false;
if (match_fbturn_request(data->payload[0], data->payload_len[0])) {
if (match_fbturn_reply(data->payload[1], data->payload_len[1]))
return true;
}
if (match_fbturn_request(data->payload[1], data->payload_len[1])) {
if (match_fbturn_reply(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_facebook_turn = {
LPI_PROTO_FACEBOOK_TURN,
LPI_CATEGORY_NAT,
"FacebookTURN",
55,
match_facebook_turn
};
void register_facebook_turn(LPIModuleMap *mod_map) {
register_protocol(&lpi_facebook_turn, mod_map);
}

86
decoders/glimpse_detector/libprotoident/tcp/lpi_fb_message.cc Normal file
View File

@@ -0,0 +1,86 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
/* Observed while using Facebook Messenger -- I used the unofficial desktop
* version (https://messengerfordesktop.com/) to talk to another account
* logged into a web browser. I suspect direct app->app voice/video calls
* may use the protocol more heavily.
*/
static inline bool match_fb_msg_104(uint32_t payload, uint32_t len) {
if (len == 104 && MATCH(payload, 0x01, 0x13, 0x00, 0x54))
return true;
if (len == 116 && MATCH(payload, 0x01, 0x13, 0x00, 0x60))
return true;
return false;
}
static inline bool match_fb_msg_28(uint32_t payload, uint32_t len) {
if (len == 28 && MATCH(payload, 0x00, 0x03, 0x00, 0x08))
return true;
if (len == 44 && MATCH(payload, 0x00, 0x03, 0x00, 0x18))
return true;
return false;
}
static inline bool match_fb_message(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (data->server_port != 3478 && data->client_port != 3478 &&
data->server_port != 443 && data->client_port != 443)
return false;
if (match_fb_msg_28(data->payload[0], data->payload_len[0])) {
if (match_fb_msg_104(data->payload[1], data->payload_len[1]))
return true;
}
if (match_fb_msg_28(data->payload[1], data->payload_len[1])) {
if (match_fb_msg_104(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_fb_message = {
LPI_PROTO_FACEBOOK_MESSENGER,
LPI_CATEGORY_CHAT,
"FacebookMessenger",
9,
match_fb_message
};
void register_fb_message(LPIModuleMap *mod_map) {
register_protocol(&lpi_fb_message, mod_map);
}

80
decoders/glimpse_detector/libprotoident/tcp/lpi_fbcdn_ssl.cc Normal file
View File

@@ -0,0 +1,80 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
/* Seems to be a custom version of SSL used by the FNA servers provided
* by Facebook? */
static inline bool match_normal_req(uint32_t payload, uint32_t len) {
if (MATCH(payload, 0x16, 0x03, 0x01, ANY))
return true;
return false;
}
static inline bool match_odd_reply(uint32_t payload, uint32_t len) {
if (MATCH(payload, 0x63, 0x03, 0x01, 0x00))
return true;
return false;
}
static inline bool match_fbcdn_ssl(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Port 443 */
if (match_normal_req(data->payload[0], data->payload_len[0])) {
if (match_odd_reply(data->payload[1], data->payload_len[1]))
return true;
}
if (match_normal_req(data->payload[1], data->payload_len[1])) {
if (match_odd_reply(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_fbcdn_ssl = {
LPI_PROTO_FBCDN_SSL,
LPI_CATEGORY_WEB,
"FacebookCDNSSL",
112,
match_fbcdn_ssl
};
void register_fbcdn_ssl(LPIModuleMap *mod_map) {
register_protocol(&lpi_fbcdn_ssl, mod_map);
}

78
decoders/glimpse_detector/libprotoident/tcp/lpi_ffxiv.cc Normal file
View File

@@ -0,0 +1,78 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_ff_96(uint32_t payload, uint32_t len) {
/* Some flows also have a 672 byte packet */
if (len != 96 && len != 672)
return false;
if (MATCH(payload, 0x00, 0x00, 0x00, 0x00))
return true;
return false;
}
static inline bool match_ff_other(uint32_t payload, uint32_t len) {
if (len == 0)
return false;
if (len == 64 || len == 63 || len == 153 || len == 154) {
if (MATCH(payload, 0x00, 0x00, 0x00, 0x00))
return true;
}
return false;
}
static inline bool match_ffxiv(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_ff_96(data->payload[0], data->payload_len[0])) {
if (match_ff_other(data->payload[1], data->payload_len[1]))
return true;
}
if (match_ff_96(data->payload[1], data->payload_len[1])) {
if (match_ff_other(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_ffxiv = {
LPI_PROTO_FINALFANTASY_XIV,
LPI_CATEGORY_GAMING,
"FinalFantasy14",
55,
match_ffxiv
};
void register_ffxiv(LPIModuleMap *mod_map) {
register_protocol(&lpi_ffxiv, mod_map);
}

86
decoders/glimpse_detector/libprotoident/tcp/lpi_filenori.cc Normal file
View File

@@ -0,0 +1,86 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
/* Filenori is the most likely candidate for this -- hard to test because
* you need to pay money to download anything and probably not a good look
* for me to be paying money for this kind of service...
*/
static inline bool match_100(uint32_t payload, uint32_t len) {
if (len != 15)
return false;
if (MATCHSTR(payload, "100 "))
return true;
return false;
}
static inline bool match_command(uint32_t payload, uint32_t len) {
/* Probably short for START */
if ((len == 20 || len == 19) && MATCHSTR(payload, "STAR"))
return true;
/* DOWNLOAD ? */
if (len == 39 && MATCHSTR(payload, "DOWN"))
return true;
return false;
}
static inline bool match_filenori(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_100(data->payload[0], data->payload_len[0])) {
if (match_command(data->payload[1], data->payload_len[1]))
return true;
}
if (match_100(data->payload[1], data->payload_len[1])) {
if (match_command(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_filenori = {
LPI_PROTO_FILENORI,
LPI_CATEGORY_P2P,
"Filenori",
15,
match_filenori
};
void register_filenori(LPIModuleMap *mod_map) {
register_protocol(&lpi_filenori, mod_map);
}

69
decoders/glimpse_detector/libprotoident/tcp/lpi_flash.cc Normal file
View File

@@ -0,0 +1,69 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_flash(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Flash player stuff - cross-domain policy etc. */
if (match_str_either(data, "<cro")) {
if (match_str_either(data, "<msg"))
return true;
if (match_str_either(data, "<pol"))
return true;
if (data->payload_len[0] == 0)
return true;
if (data->payload_len[1] == 0)
return true;
}
if (match_str_either(data, "<?xm")) {
if (match_str_either(data, "<pol"))
return true;
if (match_str_either(data, "<msg"))
return true;
}
return false;
}
static lpi_module_t lpi_flash = {
LPI_PROTO_FLASH,
LPI_CATEGORY_STREAMING,
"Flash_Player",
6,
match_flash
};
void register_flash(LPIModuleMap *mod_map) {
register_protocol(&lpi_flash, mod_map);
}

97
decoders/glimpse_detector/libprotoident/tcp/lpi_fliggy.cc Normal file
View File

@@ -0,0 +1,97 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
/* Bytes 3 and 4 are a length field */
static inline bool match_fliggy_req(uint32_t payload, uint32_t len) {
uint32_t hlen = ntohl(payload) & 0xffff;
if (MATCH(payload, 0xd1, 0x00, ANY, ANY) ||
MATCH(payload, 0xd5, 0x00, ANY, ANY)) {
if (hlen == len - 4)
return true;
/* Try to account for messages that are longer than one MTU */
if (len >= 1300 && hlen > len)
return true;
}
if (MATCH(payload, 0xd5, 0x00, 0x01, 0x16) && len >= 282) {
return true;
}
return false;
}
static inline bool match_fliggy_resp(uint32_t payload, uint32_t len) {
/* Usually, but not always 174 bytes -- I'm guessing sometimes
* messages get merged?
*/
if (MATCH(payload, 0xd3, 0x00, 0x00, 0xaa) && len >= 174)
return true;
/* Same for this one, usually 58 but not always */
if (MATCH(payload, 0xd3, 0x00, 0x00, 0x36) && len >= 58)
return true;
return false;
}
static inline bool match_fliggy(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Ports 80 and 443, typically */
if (match_fliggy_req(data->payload[0], data->payload_len[0])) {
if (match_fliggy_resp(data->payload[1], data->payload_len[1]))
return true;
}
if (match_fliggy_req(data->payload[1], data->payload_len[1])) {
if (match_fliggy_resp(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_fliggy = {
LPI_PROTO_FLIGGY,
LPI_CATEGORY_ECOMMERCE,
"Fliggy",
30,
match_fliggy
};
void register_fliggy(LPIModuleMap *mod_map) {
register_protocol(&lpi_fliggy, mod_map);
}

52
decoders/glimpse_detector/libprotoident/tcp/lpi_fring.cc Normal file
View File

@@ -0,0 +1,52 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_fring(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_str_both(data, "NOPC", "1234"))
return true;
return false;
}
static lpi_module_t lpi_fring = {
LPI_PROTO_FRING,
LPI_CATEGORY_VOIP,
"Fring",
2,
match_fring
};
void register_fring(LPIModuleMap *mod_map) {
register_protocol(&lpi_fring, mod_map);
}

110
decoders/glimpse_detector/libprotoident/tcp/lpi_ftpcontrol.cc Normal file
View File

@@ -0,0 +1,110 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_ftp_reply_code(uint32_t payload, uint32_t len) {
if (len == 0)
return true;
if (MATCHSTR(payload, "220 "))
return true;
if (MATCHSTR(payload, "220-"))
return true;
return false;
}
static inline bool match_ftp_command(uint32_t payload, uint32_t len) {
if (len == 0)
return true;
/* There are lots of valid FTP commands, but let's just limit this
* to ones we've observed for now */
if (MATCHSTR(payload, "USER"))
return true;
if (MATCHSTR(payload, "QUIT"))
return true;
if (MATCHSTR(payload, "FEAT"))
return true;
if (MATCHSTR(payload, "HELP"))
return true;
if (MATCHSTR(payload, "user"))
return true;
if (MATCHSTR(payload, "AUTH"))
return true;
/* This is invalid syntax, but clients using HOST seem to revert to
* sane FTP commands once the server reports a syntax error */
if (MATCHSTR(payload, "HOST"))
return true;
return false;
}
static inline bool match_ftp_control(lpi_data_t *data,
lpi_module_t *mod UNUSED) {
/*https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol*/
/* Rule out SMTP which uses similar reply codes and commands */
if (data->server_port == 25 || data->client_port == 25 ||
data->server_port == 587 || data->client_port == 587 ||
data->server_port == 110 || data->client_port == 110 ||
data->server_port == 143 || data->client_port == 143)
return false;
if (match_ftp_reply_code(data->payload[0], data->payload_len[0])) {
if (match_ftp_command(data->payload[1], data->payload_len[1]))
return true;
}
if (match_ftp_reply_code(data->payload[1], data->payload_len[1])) {
if (match_ftp_command(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_ftpcontrol = {
LPI_PROTO_FTP_CONTROL,
LPI_CATEGORY_FILES,
"FTP_Control",
3,
match_ftp_control
};
void register_ftpcontrol(LPIModuleMap *mod_map) {
register_protocol(&lpi_ftpcontrol, mod_map);
}

152
decoders/glimpse_detector/libprotoident/tcp/lpi_ftpdata.cc Normal file
View File

@@ -0,0 +1,152 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_bulk_response(uint32_t payload, uint32_t len) {
/* Most FTP-style transactions result in no packets being sent back
* to server (aside from ACKs) */
if (len == 0)
return true;
/* However, there is at least one FTP client that sends some sort of
* sequence number back to the server - maybe allowing for resumption
* of paused transfers?
*
* XXX This seems to be related to completely failing to implement the
* FTP protocol correctly. There is usually a flow preceding these
* flows that sends commands like "get" and "dir" to the server,
* which are not actually part of the FTP protocol. Instead, these
* are often commands typed into FTP CLI clients that are converted
* into the appropriate FTP commands. No idea what software is doing
* this, but it is essentially emulating FTP so I'll keep it in here
* for now.
* */
if (len == 4 && MATCH(payload, 0x00, 0x00, ANY, ANY))
return true;
/* Another weird FTP client: sends the occasional one byte response */
if (len == 1 && MATCH(payload, 0x00, 0x00, 0x00, 0x00))
return true;
return false;
}
/* Bulk download covers files being downloaded through a separate channel,
* like FTP data. We identify these by observing file type identifiers at the
* start of the packet. This is not a protocol in itself, but it's almost
* certainly FTP.
*/
static inline bool match_bulk_download(lpi_data_t *data) {
if (match_bulk_response(data->payload[1], data->payload_len[1]) &&
(data->observed[0] == 0 && (data->payload[0])))
return true;
if (match_bulk_response(data->payload[0], data->payload_len[0]) &&
(data->observed[1] == 0 && match_file_header(data->payload[1])))
return true;
return false;
}
static inline bool match_directory(lpi_data_t *data) {
/* FTP Data can start with directory permissions */
if ( (MATCH(data->payload[0], '-', ANY, ANY, ANY) ||
MATCH(data->payload[0], 'd', ANY, ANY, ANY)) &&
(MATCH(data->payload[0], ANY, '-', ANY, ANY) ||
MATCH(data->payload[0], ANY, 'r', ANY, ANY)) &&
(MATCH(data->payload[0], ANY, ANY, '-', ANY) ||
MATCH(data->payload[0], ANY, ANY, 'w', ANY)) &&
(MATCH(data->payload[0], ANY, ANY, ANY, '-') ||
MATCH(data->payload[0], ANY, ANY, ANY, 'x')) )
return true;
if ( (MATCH(data->payload[1], '-', ANY, ANY, ANY) ||
MATCH(data->payload[1], 'd', ANY, ANY, ANY)) &&
(MATCH(data->payload[1], ANY, '-', ANY, ANY) ||
MATCH(data->payload[1], ANY, 'r', ANY, ANY)) &&
(MATCH(data->payload[1], ANY, ANY, '-', ANY) ||
MATCH(data->payload[1], ANY, ANY, 'w', ANY)) &&
(MATCH(data->payload[1], ANY, ANY, ANY, '-') ||
MATCH(data->payload[1], ANY, ANY, ANY, 'x')) )
return true;
return false;
}
static inline bool match_ftp_data(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_bulk_download(data))
return true;
/* XXX All rules below this are for one-way exchanges only */
if (data->payload_len[0] > 0 && data->payload_len[1] > 0)
return false;
/* All rules for ftp data are for first observed data only */
if(data->observed[0] != 0 || data->observed[1] != 0)
return false;
if (match_directory(data))
return true;
/* Virus definition updates from CA are delivered via FTP */
if (match_str_either(data, "Viru"))
return true;
/* XXX - I hate having to look at port numbers but there are no
* useful headers in FTP data exchanges; all the FTP protocol stuff
* is done using the control channel */
if (data->client_port == 20 || data->server_port == 20)
return true;
return false;
}
static lpi_module_t lpi_ftpdata = {
LPI_PROTO_FTP_DATA,
LPI_CATEGORY_FILES,
"FTP_Data",
7, /* Some of these rules rely on port numbers and one-way data, so
* should have a lower priority than more concrete rules */
match_ftp_data
};
void register_ftpdata(LPIModuleMap *mod_map) {
register_protocol(&lpi_ftpdata, mod_map);
}

68
decoders/glimpse_detector/libprotoident/tcp/lpi_fuckcoin.cc Normal file
View File

@@ -0,0 +1,68 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_fc_magic(uint32_t payload, uint32_t len) {
if (MATCH(payload, 0xfb, 0xc0, 0xb6, 0xdb)) {
if (len == 126)
return true;
if (len == 146)
return true;
}
return false;
}
static inline bool match_fuckcoin(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Port == 9333 */
if (match_fc_magic(data->payload[0], data->payload_len[0])) {
if (match_fc_magic(data->payload[1], data->payload_len[1]))
return true;
}
return false;
}
static lpi_module_t lpi_fuckcoin = {
LPI_PROTO_FUCKCOIN,
LPI_CATEGORY_ECOMMERCE,
"Dogecoin",
8,
match_fuckcoin
};
void register_fuckcoin(LPIModuleMap *mod_map) {
register_protocol(&lpi_fuckcoin, mod_map);
}

78
decoders/glimpse_detector/libprotoident/tcp/lpi_funshion.cc Normal file
View File

@@ -0,0 +1,78 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
#include <stdio.h>
/* Funshion is a Chinese P2PTV application that seems to use a bunch
* of different protocols / messages.
*/
static inline bool match_funshion_54(uint32_t payload, uint32_t len) {
if (len != 54)
return false;
/* Byte 4 is always 0x00.
* Byte 3 is always 0x?1, where '?' can be any hex digit.
*/
if ((payload & 0xff0f0000) == 0x00010000)
return true;
return false;
}
static inline bool match_funshion_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Only ever observed this traffic pattern on port 6601 */
if (data->server_port == 6601 || data->client_port == 6601) {
if (match_funshion_54(data->payload[0], data->payload_len[0])) {
if (match_funshion_54(data->payload[1], data->payload_len[1]))
return true;
}
}
return false;
}
static lpi_module_t lpi_funshion_tcp = {
LPI_PROTO_FUNSHION,
LPI_CATEGORY_P2PTV,
"Funshion_TCP",
10,
match_funshion_tcp
};
void register_funshion_tcp(LPIModuleMap *mod_map) {
register_protocol(&lpi_funshion_tcp, mod_map);
}

76
decoders/glimpse_detector/libprotoident/tcp/lpi_gamespy.cc Normal file
View File

@@ -0,0 +1,76 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_gamespy_bsr(uint32_t payload, uint32_t len) {
if (len != 16)
return false;
if (!MATCH(payload, 0x5c, 'b', 's', 'r'))
return false;
return true;
}
static inline bool match_gamespy_search(uint32_t payload, uint32_t len) {
if (!MATCH(payload, 0x5c, 's', 'e', 'a'))
return false;
return true;
}
static inline bool match_gamespy_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_gamespy_bsr(data->payload[0], data->payload_len[0])) {
if (match_gamespy_search(data->payload[1], data->payload_len[1]))
return true;
}
if (match_gamespy_bsr(data->payload[1], data->payload_len[1])) {
if (match_gamespy_search(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_gamespy_tcp = {
LPI_PROTO_GAMESPY,
LPI_CATEGORY_GAMING,
"Gamespy_TCP",
6,
match_gamespy_tcp
};
void register_gamespy_tcp(LPIModuleMap *mod_map) {
register_protocol(&lpi_gamespy_tcp, mod_map);
}

63
decoders/glimpse_detector/libprotoident/tcp/lpi_gcafe_updater.cc Normal file
View File

@@ -0,0 +1,63 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_caf(uint32_t payload, uint32_t len) {
if (len == 53 && MATCH(payload, 0x0c, 'C', 'A', 'F'))
return true;
return false;
}
static inline bool match_gcafe_updater(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Seen on ports 16800 and 1839 */
if (match_caf(data->payload[0], data->payload_len[0])) {
if (match_caf(data->payload[1], data->payload_len[1]))
return true;
}
return false;
}
static lpi_module_t lpi_gcafe_updater = {
LPI_PROTO_GCAFE_UPDATER,
LPI_CATEGORY_P2P,
"G-CafeUpdater",
11,
match_gcafe_updater
};
void register_gcafe_updater(LPIModuleMap *mod_map) {
register_protocol(&lpi_gcafe_updater, mod_map);
}

62
decoders/glimpse_detector/libprotoident/tcp/lpi_giop.cc Normal file
View File

@@ -0,0 +1,62 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_giop(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (MATCH(data->payload[0], 'G', 'I', 'O', 'P')) {
if (MATCH(data->payload[1], 'G', 'I', 'O', 'P'))
return true;
if (data->payload_len[1] == 0)
return true;
}
if (MATCH(data->payload[1], 'G', 'I', 'O', 'P')) {
if (data->payload_len[0] == 0)
return true;
}
return false;
}
static lpi_module_t lpi_giop = {
LPI_PROTO_GIOP,
LPI_CATEGORY_REMOTE,
"GIOP",
5,
match_giop
};
void register_giop(LPIModuleMap *mod_map) {
register_protocol(&lpi_giop, mod_map);
}

81
decoders/glimpse_detector/libprotoident/tcp/lpi_git.cc Normal file
View File

@@ -0,0 +1,81 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include <stdlib.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_git_header(uint32_t payload, uint32_t len) {
int i;
char headerstr[4];
uint8_t *pl = (uint8_t *)(&payload);
if (len == 0)
return true;
memset(headerstr, 0, 4);
for (i = 0; i < 4; i++) {
headerstr[i] = (char)(*pl);
pl++;
}
uint32_t replen = strtoul(headerstr, NULL, 16);
if (replen != len)
return false;
return true;
}
static inline bool match_git(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_git_header(data->payload[0], data->payload_len[0])) {
if (match_git_header(data->payload[1], data->payload_len[1]))
return true;
}
if (match_git_header(data->payload[1], data->payload_len[1])) {
if (match_git_header(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_git = {
LPI_PROTO_GIT,
LPI_CATEGORY_RCS,
"Git",
5,
match_git
};
void register_git(LPIModuleMap *mod_map) {
register_protocol(&lpi_git, mod_map);
}

90
decoders/glimpse_detector/libprotoident/tcp/lpi_glupteba.cc Normal file
View File

@@ -0,0 +1,90 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
/* https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/bkdr_glupteba.yvg */
static inline bool match_glup_hello(uint32_t payload, uint32_t len) {
if (MATCH(payload, 'H', 'E', 'L', 'L'))
return true;
return false;
}
static inline bool match_glup_id(uint32_t payload, uint32_t len) {
/* ID changes from infected host to infected host, but I'm
* going to assume the ID has a similar length.
*/
if (len >= 18 && len <= 25) {
/* Always begins with @ */
if (MATCH(payload, '@', ANY, ANY, ANY))
return true;
}
return false;
}
static inline bool match_glupteba(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_glup_hello(data->payload[0], data->payload_len[0])) {
if (match_glup_id(data->payload[1], data->payload_len[1])) {
return true;
}
if (match_glup_hello(data->payload[1], data->payload_len[1])) {
return true;
}
}
if (match_glup_hello(data->payload[1], data->payload_len[1])) {
if (match_glup_id(data->payload[0], data->payload_len[0])) {
return true;
}
if (match_glup_hello(data->payload[0], data->payload_len[0])) {
return true;
}
}
return false;
}
static lpi_module_t lpi_glupteba = {
LPI_PROTO_GLUPTEBA,
LPI_CATEGORY_MALWARE,
"GluptebaBackdoor",
50,
match_glupteba
};
void register_glupteba(LPIModuleMap *mod_map) {
register_protocol(&lpi_glupteba, mod_map);
}

54
decoders/glimpse_detector/libprotoident/tcp/lpi_gnutella.cc Normal file
View File

@@ -0,0 +1,54 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_gnutella(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_str_either(data, "GNUT"))
return true;
if (match_str_either(data, "GIV "))
return true;
return false;
}
static lpi_module_t lpi_gnutella = {
LPI_PROTO_GNUTELLA,
LPI_CATEGORY_P2P,
"Gnutella",
1, /* Avoid matching HTTP which uses similar commands */
match_gnutella
};
void register_gnutella(LPIModuleMap *mod_map) {
register_protocol(&lpi_gnutella, mod_map);
}

53
decoders/glimpse_detector/libprotoident/tcp/lpi_goku.cc Normal file
View File

@@ -0,0 +1,53 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_goku(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_str_both(data, "ok:g", "baut"))
return true;
if (match_str_both(data, "ok:w", "baut"))
return true;
return false;
}
static lpi_module_t lpi_goku = {
LPI_PROTO_GOKUCHAT,
LPI_CATEGORY_CHAT,
"GokuChat",
3,
match_goku
};
void register_goku(LPIModuleMap *mod_map) {
register_protocol(&lpi_goku, mod_map);
}

105
decoders/glimpse_detector/libprotoident/tcp/lpi_googlehangouts.cc Normal file
View File

@@ -0,0 +1,105 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_hangout_req(uint32_t payload, uint32_t len) {
if ((len % 114) == 0) {
if (MATCH(payload, 0x00, 0x70, 0x00, 0x01))
return true;
}
if ((len % 122) == 0) {
if (MATCH(payload, 0x00, 0x78, 0x00, 0x01))
return true;
}
if (len == 110 && MATCH(payload, 0x00, 0x6c, 0x00, 0x01))
return true;
return false;
}
static inline bool match_hangout_resp(uint32_t payload, uint32_t len) {
if (len == 106) {
if (MATCH(payload, 0x00, 0x68, 0x01, 0x01))
return true;
}
if (len == 118) {
if (MATCH(payload, 0x00, 0x74, 0x01, 0x01))
return true;
}
if (len == 94 && MATCH(payload, 0x00, 0x5c, 0x01, 0x01))
return true;
return false;
}
static inline bool match_googlehangouts(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Based on traffic seen on port 19305 to google addresses */
/* Limit this to port 19305 - 19309 */
if (data->server_port < 19305 || data->server_port > 19309) {
if (data->client_port < 19305 || data->client_port > 19309)
return false;
}
if (match_hangout_req(data->payload[0], data->payload_len[0])) {
if (match_hangout_resp(data->payload[1], data->payload_len[1]))
return true;
}
if (match_hangout_req(data->payload[1], data->payload_len[1])) {
if (match_hangout_resp(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_googlehangouts = {
LPI_PROTO_GOOGLE_HANGOUTS,
LPI_CATEGORY_CHAT,
"GoogleHangouts",
12,
match_googlehangouts
};
void register_googlehangouts(LPIModuleMap *mod_map) {
register_protocol(&lpi_googlehangouts, mod_map);
}

82
decoders/glimpse_detector/libprotoident/tcp/lpi_graalonlineera.cc Normal file
View File

@@ -0,0 +1,82 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_goe_gnp(uint32_t payload, uint32_t len) {
if (len == 8 && MATCH(payload, 'G', 'N', 'P', '1'))
return true;
return false;
}
static inline bool match_goe_binary(uint32_t payload, uint32_t len) {
if (len >= 275 && len <= 300) {
if (MATCH(payload, 0x01, 0x02, 0x00, 0x01))
return true;
if (MATCH(payload, 0x01, 0x03, 0x00, 0x01))
return true;
}
return false;
}
static inline bool match_graalonlineera(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Port 14900 */
if (match_goe_gnp(data->payload[0], data->payload_len[0])) {
if (match_goe_binary(data->payload[1], data->payload_len[1]))
return true;
}
if (match_goe_gnp(data->payload[1], data->payload_len[1])) {
if (match_goe_binary(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_graalonlineera = {
LPI_PROTO_GRAAL_ONLINE_ERA,
LPI_CATEGORY_GAMING,
"GraalOnlineEra",
8,
match_graalonlineera
};
void register_graalonlineera(LPIModuleMap *mod_map) {
register_protocol(&lpi_graalonlineera, mod_map);
}

80
decoders/glimpse_detector/libprotoident/tcp/lpi_guildwars2.cc Normal file
View File

@@ -0,0 +1,80 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_gw2_req(uint32_t payload, uint32_t len) {
if (len < 285 || len > 295)
return false;
if (MATCH(payload, 0x50, 0x20, 0x2f, 0x53))
return true;
return false;
}
static inline bool match_gw2_resp(uint32_t payload, uint32_t len) {
if (len != 35)
return false;
if (MATCH(payload, 0x53, 0x54, 0x53, 0x2f))
return true;
return false;
}
static inline bool match_guildwars2(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_gw2_req(data->payload[1], data->payload_len[1])) {
if (match_gw2_resp(data->payload[0], data->payload_len[0]))
return true;
}
if (match_gw2_req(data->payload[0], data->payload_len[0])) {
if (match_gw2_resp(data->payload[1], data->payload_len[1]))
return true;
}
return false;
}
static lpi_module_t lpi_guildwars2 = {
LPI_PROTO_GUILDWARS2,
LPI_CATEGORY_GAMING,
"GuildWars2",
5,
match_guildwars2
};
void register_guildwars2(LPIModuleMap *mod_map) {
register_protocol(&lpi_guildwars2, mod_map);
}

62
decoders/glimpse_detector/libprotoident/tcp/lpi_hamachi.cc Normal file
View File

@@ -0,0 +1,62 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_hamachi(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* All Hamachi messages that I've seen begin with a 4 byte length
* field. Other protocols also do this, so I also check for the
* default Hamachi port (12975)
*/
if (!match_payload_length(data->payload[0], data->payload_len[0]))
return false;
if (!match_payload_length(data->payload[1], data->payload_len[1]))
return false;
if (data->server_port == 12975 || data->client_port == 12975)
return true;
return false;
}
static lpi_module_t lpi_hamachi = {
LPI_PROTO_HAMACHI,
LPI_CATEGORY_TUNNELLING,
"Hamachi",
4,
match_hamachi
};
void register_hamachi(LPIModuleMap *mod_map) {
register_protocol(&lpi_hamachi, mod_map);
}

67
decoders/glimpse_detector/libprotoident/tcp/lpi_harveys.cc Normal file
View File

@@ -0,0 +1,67 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
/* Harveys - a seemingly custom protocol used by Harveys Real
* Estate to transfer photos. Common in ISP C traces */
static inline bool match_harveys(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_str_both(data, "77;T", "47;T"))
return true;
if (match_str_either(data, "47;T")) {
if (data->payload_len[0] == 0)
return true;
if (data->payload_len[1] == 0)
return true;
}
if (match_str_either(data, "77;T")) {
if (data->payload_len[0] == 0)
return true;
if (data->payload_len[1] == 0)
return true;
}
return false;
}
static lpi_module_t lpi_harveys = {
LPI_PROTO_HARVEYS,
LPI_CATEGORY_FILES,
"Harveys",
10,
match_harveys
};
void register_harveys(LPIModuleMap *mod_map) {
register_protocol(&lpi_harveys, mod_map);
}

79
decoders/glimpse_detector/libprotoident/tcp/lpi_hearthstone.cc Normal file
View File

@@ -0,0 +1,79 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_hearthstone_req(uint32_t payload, uint32_t len) {
if (len == 16 && MATCH(payload, 0x10, 0x00, 0x00, 0x00))
return true;
if (len == 22 && MATCH(payload, 0x10, 0x00, 0x00, 0x00))
return true;
return false;
}
static inline bool match_hearthstone_reply(uint32_t payload) {
if (MATCH(payload, 0x0f, 0x00, 0x00, 0x00))
return true;
if (MATCH(payload, 0xa8, 0x00, 0x00, 0x00))
return true;
return false;
}
static inline bool match_hearthstone(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Consider enforcing port 1119 or 3724, if we get FPs */
if (match_hearthstone_req(data->payload[0], data->payload_len[0])) {
if (match_hearthstone_reply(data->payload[1]))
return true;
}
if (match_hearthstone_req(data->payload[1], data->payload_len[1])) {
if (match_hearthstone_reply(data->payload[0]))
return true;
}
return false;
}
static lpi_module_t lpi_hearthstone = {
LPI_PROTO_HEARTHSTONE,
LPI_CATEGORY_GAMING,
"Hearthstone",
5,
match_hearthstone
};
void register_hearthstone(LPIModuleMap *mod_map) {
register_protocol(&lpi_hearthstone, mod_map);
}

55
decoders/glimpse_detector/libprotoident/tcp/lpi_hola.cc Normal file
View File

@@ -0,0 +1,55 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_hola(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (MATCH(data->payload[0], 0xac, 0x2e, 0xbf, 0x5c)) {
if (MATCH(data->payload[1], 0xac, 0x2e, 0xbf, 0x5c))
return true;
}
return false;
}
static lpi_module_t lpi_hola = {
LPI_PROTO_HOLA,
LPI_CATEGORY_TUNNELLING,
"HolaVPN",
4,
match_hola
};
void register_hola(LPIModuleMap *mod_map) {
register_protocol(&lpi_hola, mod_map);
}

90
decoders/glimpse_detector/libprotoident/tcp/lpi_hots_tcp.cc Normal file
View File

@@ -0,0 +1,90 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_bau(uint32_t payload, uint32_t len) {
if (len == 743 && MATCH(payload, 0x42, 0x10, 0x61, 0x75))
return true;
return false;
}
static inline bool match_hots_7f28(uint32_t payload, uint32_t len) {
uint32_t hlen;
hlen = (ntohl(payload) & 0xffff) * 2 + 5;
if (len == hlen && MATCH(payload, 0x7f, 0x28, ANY, ANY)) {
return true;
}
return false;
}
static inline bool match_hots_4a48(uint32_t payload, uint32_t len) {
if (len == 201 && MATCH(payload, 0x4a, 0x48, 0x0c, 0xae))
return true;
return false;
}
static inline bool match_hots_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (data->server_port != 1119 && data->client_port != 1119) {
return false;
}
if (match_bau(data->payload[0], data->payload_len[0])) {
if (match_hots_7f28(data->payload[1], data->payload_len[1]))
return true;
if (match_hots_4a48(data->payload[1], data->payload_len[1]))
return true;
}
if (match_bau(data->payload[1], data->payload_len[1])) {
if (match_hots_7f28(data->payload[0], data->payload_len[0]))
return true;
if (match_hots_4a48(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_hots_tcp = {
LPI_PROTO_HOTS,
LPI_CATEGORY_GAMING,
"HeroesOfTheStorm_TCP",
90,
match_hots_tcp
};
void register_hots_tcp(LPIModuleMap *mod_map) {
register_protocol(&lpi_hots_tcp, mod_map);
}

106
decoders/glimpse_detector/libprotoident/tcp/lpi_http.cc Normal file
View File

@@ -0,0 +1,106 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_http_response(uint32_t payload, uint32_t len) {
if (len == 0)
return true;
if (len == 1 && MATCH(payload, 'H', 0x00, 0x00, 0x00))
return true;
if (MATCHSTR(payload, "HTTP")) {
return true;
}
/* UNKNOWN seems to be a valid response from some servers, e.g.
* mini_httpd */
if (MATCHSTR(payload, "UNKN")) {
return true;
}
return false;
}
static inline bool match_http(lpi_data_t *data, lpi_module_t *mod) {
/* Need to rule out protocols using HTTP-style commands to do
* exchanges. These protocols primarily use GET, rather than other
* HTTP requests */
if (!valid_http_port(data)) {
if (match_str_either(data, "GET "))
return false;
}
if (match_http_request(data->payload[0], data->payload_len[0])) {
if (match_http_response(data->payload[1], data->payload_len[1]))
return true;
if (match_http_request(data->payload[1], data->payload_len[1]))
return true;
if (match_file_header(data->payload[1]) &&
data->payload_len[0] != 0)
return true;
}
if (match_http_request(data->payload[1], data->payload_len[1])) {
if (match_http_response(data->payload[0], data->payload_len[0]))
return true;
if (match_file_header(data->payload[0]) &&
data->payload_len[1] != 0)
return true;
}
/* Allow responses in both directions, even if this is doesn't entirely
* make sense :/ */
if (match_http_response(data->payload[0], data->payload_len[0])) {
if (match_http_response(data->payload[1], data->payload_len[1]))
return true;
}
return false;
}
static lpi_module_t lpi_http = {
LPI_PROTO_HTTP,
LPI_CATEGORY_WEB,
"HTTP",
2,
match_http
};
void register_http(LPIModuleMap *mod_map) {
register_protocol(&lpi_http, mod_map);
}

64
decoders/glimpse_detector/libprotoident/tcp/lpi_http_badport.cc Normal file
View File

@@ -0,0 +1,64 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_http_badport(lpi_data_t *data, lpi_module_t *mod) {
/* For some reason, some clients send GET messages to servers on
* port 443, which unsurprisingly do not respond. I'm putting this
* in a separate category to avoid mixing it in with legitimate
* HTTP traffic */
if (data->payload_len[0] != 0 && data->payload_len[1] != 0)
return false;
if (!match_str_either(data, "GET "))
return false;
if (data->server_port == 443 || data->client_port == 443)
return true;
return false;
}
static lpi_module_t lpi_http_badport = {
LPI_PROTO_HTTP_BADPORT,
LPI_CATEGORY_WEB,
"HTTP_443",
2,
match_http_badport
};
void register_http_badport(LPIModuleMap *mod_map) {
register_protocol(&lpi_http_badport, mod_map);
}

68
decoders/glimpse_detector/libprotoident/tcp/lpi_http_nonstandard.cc Normal file
View File

@@ -0,0 +1,68 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_nonstandard_http(lpi_data_t *data, lpi_module_t *mod UNUSED) {
/* Must not be on a known HTTP port
*
* This used to be HTTP_P2P, but we found that most of this stuff was
* legit HTTP - just using really weird ports.
*
* We might miss some HTTP-based P2P now, but it's just too hard for
* us to differentiate more than this.
*/
if (valid_http_port(data))
return false;
if (match_str_both(data, "GET ", "HTTP"))
return true;
if (match_str_either(data, "GET ")) {
if (data->payload_len[0] == 0 || data->payload_len[1] == 0)
return true;
}
return false;
}
static lpi_module_t lpi_http_nonstandard = {
LPI_PROTO_NONSTANDARD_HTTP,
LPI_CATEGORY_WEB,
"HTTP_NonStandard",
100,
match_nonstandard_http
};
void register_http_nonstandard(LPIModuleMap *mod_map) {
register_protocol(&lpi_http_nonstandard, mod_map);
}

58
decoders/glimpse_detector/libprotoident/tcp/lpi_http_tunnel.cc Normal file
View File

@@ -0,0 +1,58 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_http_tunnel(lpi_data_t *data, lpi_module_t *mod UNUSED)
{
if (match_str_both(data, "CONN", "HTTP")) return true;
if (MATCHSTR(data->payload[0], "CONN") && data->payload_len[1] == 0)
return true;
if (MATCHSTR(data->payload[1], "CONN") && data->payload_len[0] == 0)
return true;
return false;
}
static lpi_module_t lpi_http_tunnel = {
LPI_PROTO_HTTP_TUNNEL,
LPI_CATEGORY_TUNNELLING,
"HTTP_Tunnel",
1, /* Make sure we are higher priority than HTTP */
match_http_tunnel
};
void register_http_tunnel(LPIModuleMap *mod_map) {
register_protocol(&lpi_http_tunnel, mod_map);
}

60
decoders/glimpse_detector/libprotoident/tcp/lpi_https.cc Normal file
View File

@@ -0,0 +1,60 @@
/*
*
* Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
* All rights reserved.
*
* This file is part of libprotoident.
*
* This code has been developed by the University of Waikato WAND
* research group. For further information please see http://www.wand.net.nz/
*
* libprotoident is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* libprotoident is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_https(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (!match_ssl(data))
return false;
/* Assume all SSL traffic on port 443 is HTTPS */
if (data->server_port == 443 || data->client_port == 443)
return true;
/* We'll do port 80 as well, just to be safe */
if (data->server_port == 80 || data->client_port == 80)
return true;
return false;
}
static lpi_module_t lpi_https = {
LPI_PROTO_HTTPS,
LPI_CATEGORY_WEB,
"HTTPS",
2, /* Should be higher priority than regular SSL */
match_https
};
void register_https(LPIModuleMap *mod_map) {
register_protocol(&lpi_https, mod_map);
}

Some files were not shown because too many files have changed in this diff Show More