further tree reorganization

author: laforge <laforge> 2004-07-23 03:22:16 +0000
committer: laforge <laforge> 2004-07-23 03:22:16 +0000
commit: 2dc0dd85c2e851e9b2dacd9dfaa40c70cc61ff95 (patch)
tree: 18d1d23e47b5142ede938165c616bbc942f14bd5 /filter/raw2packet
parent: e67fb3fbdc6ac83e884d9741e3b4a759b1bd8c5f (diff)
2 files changed, 601 insertions, 0 deletions
diff --git a/filter/raw2packet/ulogd_raw2packet_BASE.c b/filter/raw2packet/ulogd_raw2packet_BASE.c
new file mode 100644
index 0000000..c843ccf
--- /dev/null
+++ b/filter/raw2packet/ulogd_raw2packet_BASE.c
@@ -0,0 +1,441 @@
+/* ulogd_MAC.c, Version $Revision: 1.21 $
+ *
+ * ulogd interpreter plugin for 
+ * 	o MAC addresses
+ * 	o NFMARK field
+ * 	o TIME
+ * 	o Interface names
+ * 	o IP header
+ * 	o TCP header
+ * 	o UDP header
+ * 	o ICMP header
+ * 	o AH/ESP header
+ *
+ * (C) 2000-2001 by Harald Welte <laforge@gnumonks.org>
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2 
+ *  as published by the Free Software Foundation
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, write to the Free Software
+ *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ 
+ * $Id$
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/socket.h>
+#include <netinet/ip.h>
+#include <netinet/in.h>
+#include <netinet/tcp.h>
+#include <netinet/ip_icmp.h>
+#include <netinet/udp.h>
+#include <ulogd/ulogd.h>
+
+/***********************************************************************
+ * 			Raw header
+ ***********************************************************************/
+static ulog_iret_t raw_rets[] = {
+	{ NULL, NULL, 0, ULOGD_RET_STRING, ULOGD_RETF_FREE, "raw.mac", 
+	  { ptr: NULL } },
+	{ NULL, NULL, 0, ULOGD_RET_RAW, ULOGD_RETF_NONE, "raw.pkt",
+	  { ptr: NULL } },
+	{ NULL, NULL, 0, ULOGD_RET_UINT32, ULOGD_RETF_NONE, "raw.pktlen",
+	  { ui32: 0 } },
+};
+
+static ulog_iret_t *_interp_raw(ulog_interpreter_t *ip, 
+				ulog_packet_msg_t *pkt)
+{
+	unsigned char *p;
+	int i;
+	char *buf, *oldbuf = NULL;
+	ulog_iret_t *ret = ip->result;
+
+	if (pkt->mac_len) {
+		buf = (char *) malloc(3 * pkt->mac_len + 1);
+		if (!buf) {
+			ulogd_log(ULOGD_ERROR, "OOM!!!\n");
+			return NULL;
+		}
+		*buf = '\0';
+
+		p = pkt->mac;
+		oldbuf = buf;
+		for (i = 0; i < pkt->mac_len; i++, p++)
+			sprintf(buf, "%s%02x%c", oldbuf, *p, i==pkt->mac_len-1 ? ' ':':');
+		ret[0].value.ptr = buf;
+		ret[0].flags |= ULOGD_RETF_VALID;
+	}
+
+	/* include pointer to raw ipv4 packet */
+	ret[1].value.ptr = pkt->payload;
+	ret[1].flags |= ULOGD_RETF_VALID;
+	ret[2].value.ui32 = pkt->data_len;
+	ret[2].flags |= ULOGD_RETF_VALID;
+
+	return ret;
+}
+
+/***********************************************************************
+ * 			OUT OF BAND
+ ***********************************************************************/
+
+static ulog_iret_t oob_rets[] = {
+	{ NULL, NULL, 0, ULOGD_RET_STRING, ULOGD_RETF_NONE, "oob.prefix", 
+		{ ptr: NULL } },
+	{ NULL, NULL, 0, ULOGD_RET_UINT32, ULOGD_RETF_NONE, "oob.time.sec", 
+		{ ui32: 0 } },
+	{ NULL, NULL, 0, ULOGD_RET_UINT32, ULOGD_RETF_NONE, "oob.time.usec", 
+		{ ui32: 0 } },
+	{ NULL, NULL, 0, ULOGD_RET_UINT32, ULOGD_RETF_NONE, "oob.mark", 
+		{ ui32: 0 } },
+	{ NULL, NULL, 0, ULOGD_RET_STRING, ULOGD_RETF_NONE, "oob.in", 
+		{ ptr: NULL } },
+	{ NULL, NULL, 0, ULOGD_RET_STRING, ULOGD_RETF_NONE, "oob.out", 
+		{ ptr: NULL } },
+};
+
+static ulog_iret_t *_interp_oob(struct ulog_interpreter *ip, 
+				ulog_packet_msg_t *pkt)
+{
+	ulog_iret_t *ret = ip->result;
+
+	ret[0].value.ptr = pkt->prefix;
+	ret[0].flags |= ULOGD_RETF_VALID;
+
+	/* god knows why timestamp_usec contains crap if timestamp_sec == 0
+	 * if (pkt->timestamp_sec || pkt->timestamp_usec) { */
+	if (pkt->timestamp_sec) {
+		ret[1].value.ui32 = pkt->timestamp_sec;
+		ret[1].flags |= ULOGD_RETF_VALID;
+		ret[2].value.ui32 = pkt->timestamp_usec;
+		ret[2].flags |= ULOGD_RETF_VALID;
+	} else {
+		ret[1].flags &= ~ULOGD_RETF_VALID;
+		ret[2].flags &= ~ULOGD_RETF_VALID;
+	}
+
+	ret[3].value.ui32 = pkt->mark;
+	ret[3].flags |= ULOGD_RETF_VALID;
+	ret[4].value.ptr = pkt->indev_name;
+	ret[4].flags |= ULOGD_RETF_VALID;
+	ret[5].value.ptr = pkt->outdev_name;
+	ret[5].flags |= ULOGD_RETF_VALID;
+	
+	return ret;
+}
+
+/***********************************************************************
+ * 			IP HEADER
+ ***********************************************************************/
+
+static ulog_iret_t iphdr_rets[] = {
+	{ NULL, NULL, 0, ULOGD_RET_IPADDR, ULOGD_RETF_NONE, "ip.saddr", 
+		{ ui32: 0 } },
+	{ NULL, NULL, 0, ULOGD_RET_IPADDR, ULOGD_RETF_NONE, "ip.daddr", 
+		{ ui32: 0 } },
+	{ NULL, NULL, 0, ULOGD_RET_UINT8, ULOGD_RETF_NONE, "ip.protocol", 
+		{ ui8: 0 } },
+	{ NULL, NULL, 0, ULOGD_RET_UINT8, ULOGD_RETF_NONE, "ip.tos", 
+		{ ui8: 0 } },
+	{ NULL, NULL, 0, ULOGD_RET_UINT8, ULOGD_RETF_NONE, "ip.ttl", 
+		{ ui8: 0 } },
+	{ NULL, NULL, 0, ULOGD_RET_UINT16, ULOGD_RETF_NONE, "ip.totlen", 
+		{ ui16: 0 } },
+	{ NULL, NULL, 0, ULOGD_RET_UINT8, ULOGD_RETF_NONE, "ip.ihl", 
+		{ ui8: 0 } },
+	{ NULL, NULL, 0, ULOGD_RET_UINT16, ULOGD_RETF_NONE, "ip.csum", 
+		{ ui16: 0 } },
+	{ NULL, NULL, 0, ULOGD_RET_UINT16, ULOGD_RETF_NONE, "ip.id", 
+		{ ui16: 0 } },
+	{ NULL, NULL, 0, ULOGD_RET_UINT16, ULOGD_RETF_NONE, "ip.fragoff", 
+		{ ui16: 0 } },
+};
+
+static ulog_iret_t *_interp_iphdr(struct ulog_interpreter *ip, 
+				ulog_packet_msg_t *pkt)
+{
+	ulog_iret_t *ret = ip->result;
+	struct iphdr *iph = (struct iphdr *) pkt->payload;
+
+	ret[0].value.ui32 = ntohl(iph->saddr);
+	ret[0].flags |= ULOGD_RETF_VALID;
+	ret[1].value.ui32 = ntohl(iph->daddr);
+	ret[1].flags |= ULOGD_RETF_VALID;
+	ret[2].value.ui8 = iph->protocol;
+	ret[2].flags |= ULOGD_RETF_VALID;
+	ret[3].value.ui8 = ntohs(iph->tos);
+	ret[3].flags |= ULOGD_RETF_VALID;
+	ret[4].value.ui8 = iph->ttl;
+	ret[4].flags |= ULOGD_RETF_VALID;
+	ret[5].value.ui16 = ntohs(iph->tot_len);
+	ret[5].flags |= ULOGD_RETF_VALID;
+	ret[6].value.ui8 = iph->ihl;
+	ret[6].flags |= ULOGD_RETF_VALID;
+	ret[7].value.ui16 = ntohs(iph->check);
+	ret[7].flags |= ULOGD_RETF_VALID;
+	ret[8].value.ui16 = ntohs(iph->id);
+	ret[8].flags |= ULOGD_RETF_VALID;
+	ret[9].value.ui16 = ntohs(iph->frag_off);
+	ret[9].flags |= ULOGD_RETF_VALID;
+
+	return ret;
+}
+
+/***********************************************************************
+ * 			TCP HEADER
+ ***********************************************************************/
+static ulog_iret_t tcphdr_rets[] = {
+	{ NULL, NULL, 0, ULOGD_RET_UINT16, ULOGD_RETF_NONE, "tcp.sport", 
+		{ ui16: 0 } },
+	{ NULL, NULL, 0, ULOGD_RET_UINT16, ULOGD_RETF_NONE, "tcp.dport", 
+		{ ui16: 0 } },
+	{ NULL, NULL, 0, ULOGD_RET_UINT32, ULOGD_RETF_NONE, "tcp.seq", 
+		{ ui32: 0 } },
+	{ NULL, NULL, 0, ULOGD_RET_UINT32, ULOGD_RETF_NONE, "tcp.ackseq", 
+		{ ui32: 0 } },
+	{ NULL, NULL, 0, ULOGD_RET_UINT8, ULOGD_RETF_NONE, "tcp.offset",
+		{ ui8: 0 } },
+	{ NULL, NULL, 0, ULOGD_RET_UINT8, ULOGD_RETF_NONE, "tcp.reserved",
+		{ ui8: 0 } },
+	{ NULL, NULL, 0, ULOGD_RET_UINT16, ULOGD_RETF_NONE, "tcp.window",
+		{ ui16:	0 } },
+	{ NULL, NULL, 0, ULOGD_RET_BOOL, ULOGD_RETF_NONE, "tcp.urg", 
+		{ b: 0 } },
+	{ NULL, NULL, 0, ULOGD_RET_UINT16, ULOGD_RETF_NONE, "tcp.urgp",
+		{ ui16: 0 } },
+	{ NULL, NULL, 0, ULOGD_RET_BOOL, ULOGD_RETF_NONE, "tcp.ack", 
+		{ b: 0 } },
+	{ NULL, NULL, 0, ULOGD_RET_BOOL, ULOGD_RETF_NONE, "tcp.psh", 
+		{ b: 0 } },
+	{ NULL, NULL, 0, ULOGD_RET_BOOL, ULOGD_RETF_NONE, "tcp.rst", 
+		{ b: 0 } },
+	{ NULL, NULL, 0, ULOGD_RET_BOOL, ULOGD_RETF_NONE, "tcp.syn", 
+		{ b: 0 } },
+	{ NULL, NULL, 0, ULOGD_RET_BOOL, ULOGD_RETF_NONE, "tcp.fin", 
+		{ b: 0 } },
+	{ NULL, NULL, 0, ULOGD_RET_BOOL, ULOGD_RETF_NONE, "tcp.res1",
+		{ b: 0 } },
+	{ NULL, NULL, 0, ULOGD_RET_BOOL, ULOGD_RETF_NONE, "tcp.res2",
+		{ b: 0 } },
+	{ NULL, NULL, 0, ULOGD_RET_UINT16, ULOGD_RETF_NONE, "tcp.csum",
+		{ ui16: 0 } },
+};
+
+static ulog_iret_t *_interp_tcphdr(struct ulog_interpreter *ip, 
+				ulog_packet_msg_t *pkt)
+{
+	struct iphdr *iph = (struct iphdr *) pkt->payload;
+	void *protoh = (u_int32_t *)iph + iph->ihl;
+	struct tcphdr *tcph = (struct tcphdr *) protoh;
+	ulog_iret_t *ret = ip->result;
+
+	if (iph->protocol != IPPROTO_TCP)
+		return NULL;
+	
+	ret[0].value.ui16 = ntohs(tcph->source);
+	ret[0].flags |= ULOGD_RETF_VALID;
+	ret[1].value.ui16 = ntohs(tcph->dest);
+	ret[1].flags |= ULOGD_RETF_VALID;
+	ret[2].value.ui32 = ntohl(tcph->seq);
+	ret[2].flags |= ULOGD_RETF_VALID;
+	ret[3].value.ui32 = ntohl(tcph->ack_seq);
+	ret[3].flags |= ULOGD_RETF_VALID;
+	ret[4].value.ui8 = ntohs(tcph->doff);
+	ret[4].flags |= ULOGD_RETF_VALID;
+	ret[5].value.ui8 = ntohs(tcph->res1);
+	ret[5].flags |= ULOGD_RETF_VALID;
+	ret[6].value.ui16 = ntohs(tcph->window);
+	ret[6].flags |= ULOGD_RETF_VALID;
+
+	ret[7].value.b = tcph->urg;
+	ret[7].flags |= ULOGD_RETF_VALID;
+	if (tcph->urg) {
+		ret[8].value.ui16 = ntohs(tcph->urg_ptr);
+		ret[8].flags |= ULOGD_RETF_VALID;
+	}
+	ret[9].value.b = tcph->ack;
+	ret[9].flags |= ULOGD_RETF_VALID;
+	ret[10].value.b = tcph->psh;
+	ret[10].flags |= ULOGD_RETF_VALID;
+	ret[11].value.b = tcph->rst;
+	ret[11].flags |= ULOGD_RETF_VALID;
+	ret[12].value.b = tcph->syn;
+	ret[12].flags |= ULOGD_RETF_VALID;
+	ret[13].value.b = tcph->fin;
+	ret[13].flags |= ULOGD_RETF_VALID;
+	ret[14].value.b = tcph->res1;
+	ret[14].flags |= ULOGD_RETF_VALID;
+	ret[15].value.b = tcph->res2;
+	ret[15].flags |= ULOGD_RETF_VALID;
+	ret[16].value.ui16 = ntohs(tcph->check);
+	ret[16].value.ui16 = ULOGD_RETF_VALID;
+	
+	return ret;
+}
+
+/***********************************************************************
+ * 			UDP HEADER
+ ***********************************************************************/
+static ulog_iret_t udphdr_rets[] = {
+	{ NULL, NULL, 0, ULOGD_RET_UINT16, ULOGD_RETF_NONE, "udp.sport", 
+		{ ui16 :0 } },
+	{ NULL, NULL, 0, ULOGD_RET_UINT16, ULOGD_RETF_NONE, "udp.dport", 
+		{ ui16: 0 } },
+	{ NULL, NULL, 0, ULOGD_RET_UINT16, ULOGD_RETF_NONE, "udp.len", 
+		{ ui16: 0 } },
+	{ NULL, NULL, 0, ULOGD_RET_UINT16, ULOGD_RETF_NONE, "udp.csum",
+		{ ui16: 0 } },
+};
+
+static ulog_iret_t *_interp_udp(struct ulog_interpreter *ip, 
+				ulog_packet_msg_t *pkt)
+{
+	struct iphdr *iph = (struct iphdr *) pkt->payload;
+	void *protoh = (u_int32_t *)iph + iph->ihl;
+	struct udphdr *udph = protoh;
+	ulog_iret_t *ret = ip->result;
+
+	if (iph->protocol != IPPROTO_UDP)
+		return NULL;
+
+	ret[0].value.ui16 = ntohs(udph->source);
+	ret[0].flags |= ULOGD_RETF_VALID;
+	ret[1].value.ui16 = ntohs(udph->dest);
+	ret[1].flags |= ULOGD_RETF_VALID;
+	ret[2].value.ui16 = ntohs(udph->len);
+	ret[2].flags |= ULOGD_RETF_VALID;
+	ret[3].value.ui16 = ntohs(udph->check);
+	ret[3].flags |= ULOGD_RETF_VALID;
+	
+	return ret;
+}
+
+/***********************************************************************
+ * 			ICMP HEADER
+ ***********************************************************************/
+
+static ulog_iret_t icmphdr_rets[] = {
+	{ NULL, NULL, 0, ULOGD_RET_UINT8, ULOGD_RETF_NONE, "icmp.type", 
+		{ ui8: 0 } },
+	{ NULL, NULL, 0, ULOGD_RET_UINT8, ULOGD_RETF_NONE, "icmp.code", 
+		{ ui8: 0 } },
+	{ NULL, NULL, 0, ULOGD_RET_UINT16, ULOGD_RETF_NONE, "icmp.echoid", 
+		{ ui16: 0 } },
+	{ NULL, NULL, 0, ULOGD_RET_UINT16, ULOGD_RETF_NONE, "icmp.echoseq", 
+		{ ui16: 0 } },
+	{ NULL, NULL, 0, ULOGD_RET_IPADDR, ULOGD_RETF_NONE, "icmp.gateway", 
+		{ ui32: 0 } },
+	{ NULL, NULL, 0, ULOGD_RET_UINT16, ULOGD_RETF_NONE, "icmp.fragmtu", 
+		{ ui16: 0 } },
+	{ NULL, NULL, 0, ULOGD_RET_UINT16, ULOGD_RETF_NONE, "icmp.csum",
+		{ ui16: 0 } },
+};
+
+static ulog_iret_t *_interp_icmp(struct ulog_interpreter *ip, 
+				ulog_packet_msg_t *pkt)
+{
+	struct iphdr *iph = (struct iphdr *) pkt->payload;
+	void *protoh = (u_int32_t *)iph + iph->ihl;
+	struct icmphdr *icmph = protoh;
+	ulog_iret_t *ret = ip->result;
+
+	if (iph->protocol != IPPROTO_ICMP)
+		return NULL;
+	
+	ret[0].value.ui8 = icmph->type;
+	ret[0].flags |= ULOGD_RETF_VALID;
+	ret[1].value.ui8 = icmph->code;
+	ret[1].flags |= ULOGD_RETF_VALID;
+
+	switch(icmph->type) {
+		case ICMP_ECHO:
+		case ICMP_ECHOREPLY:
+			ret[2].value.ui16 = ntohs(icmph->un.echo.id);
+			ret[2].flags |= ULOGD_RETF_VALID;
+			ret[3].value.ui16 = ntohs(icmph->un.echo.sequence);
+			ret[3].flags |= ULOGD_RETF_VALID;
+			break;
+		case ICMP_REDIRECT:
+		case ICMP_PARAMETERPROB:
+			ret[4].value.ui32 = ntohl(icmph->un.gateway);
+			ret[4].flags |= ULOGD_RETF_VALID;
+			break;
+		case ICMP_DEST_UNREACH:
+			if (icmph->code == ICMP_FRAG_NEEDED) {
+				ret[5].value.ui16 = ntohs(icmph->un.frag.mtu);
+				ret[5].flags |= ULOGD_RETF_VALID;
+			}
+			break;
+	}
+	ret[6].value.ui16 = icmph->checksum;
+	ret[6].flags |= ULOGD_RETF_VALID;
+
+	return ret;
+}
+
+/***********************************************************************
+ * 			IPSEC HEADER 
+ ***********************************************************************/
+
+static ulog_iret_t ahesphdr_rets[] = {
+	{ NULL, NULL, 0, ULOGD_RET_UINT8, ULOGD_RETF_NONE, "ahesp.spi", 
+		{ ui8: 0 } },
+};
+
+static ulog_iret_t *_interp_ahesp(struct ulog_interpreter *ip, 
+				ulog_packet_msg_t *pkt)
+{
+
+	ulog_iret_t *ret = ip->result;
+#if 0
+	struct iphdr *iph = (struct iphdr *) pkt->payload;
+	void *protoh = (u_int32_t *) (iph + iph->ihl);
+	struct esphdr *esph = protoh;
+
+	if (iph->protocol != IPPROTO_ESP)
+		return NULL;
+
+	ret[0].value.ui32 = ntohl(esph->spi);
+	ret[0].flags |= ULOGD_RETF_VALID;
+#endif
+
+	return ret;
+}
+
+
+static ulog_interpreter_t base_ip[] = {
+	{ NULL, "raw", 0, &_interp_raw, 3, raw_rets },
+	{ NULL, "oob", 0, &_interp_oob, 6, oob_rets },
+	{ NULL, "ip", 0, &_interp_iphdr, 10, iphdr_rets },
+	{ NULL, "tcp", 0, &_interp_tcphdr, 17, tcphdr_rets },
+	{ NULL, "icmp", 0, &_interp_icmp, 7, icmphdr_rets },
+	{ NULL, "udp", 0, &_interp_udp, 4, udphdr_rets },
+	{ NULL, "ahesp", 0, &_interp_ahesp, 1, ahesphdr_rets },
+	{ NULL, "", 0, NULL, 0, NULL }, 
+};
+
+void _base_reg_ip(void)
+{
+	ulog_interpreter_t *ip = base_ip;
+	ulog_interpreter_t *p;
+
+	for (p = ip; p->interp; p++) {
+		register_interpreter(p);
+	}
+
+}
+
+void _init(void)
+{
+	_base_reg_ip();
+}
diff --git a/filter/raw2packet/ulogd_raw2packet_PWSNIFF.c b/filter/raw2packet/ulogd_raw2packet_PWSNIFF.c
new file mode 100644
index 0000000..50e8629
--- /dev/null
+++ b/filter/raw2packet/ulogd_raw2packet_PWSNIFF.c
@@ -0,0 +1,160 @@
+/* ulogd_PWSNIFF.c, Version $Revision: 1.9 $
+ *
+ * ulogd logging interpreter for POP3 / FTP like plaintext passwords.
+ *
+ * (C) 2000-2003 by Harald Welte <laforge@gnumonks.org>
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2 
+ *  as published by the Free Software Foundation
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, write to the Free Software
+ *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ *
+ * $Id$
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <netinet/ip.h>
+#include <netinet/in.h>
+#include <netinet/tcp.h>
+#include "chtons.h"
+#include <ulogd/ulogd.h>
+
+#ifdef DEBUG_PWSNIFF
+#define DEBUGP(x) ulogd_log(ULOGD_DEBUG, x)
+#else
+#define DEBUGP(format, args...)
+#endif
+
+
+#define PORT_POP3	110
+#define PORT_FTP	21
+
+static u_int16_t pwsniff_ports[] = {
+	__constant_htons(PORT_POP3),
+	__constant_htons(PORT_FTP),
+	/* feel free to include any other ports here, provided that their
+	 * user/password syntax is the same */
+};
+
+#define PWSNIFF_MAX_PORTS 2
+
+static char *_get_next_blank(char* begp, char *endp)
+{
+	char *ptr;
+
+	for (ptr = begp; ptr < endp; ptr++) {
+		if (*ptr == ' ' || *ptr == '\n' || *ptr == '\r') {
+			return ptr-1;	
+		}
+	}
+	return NULL;
+}
+
+static ulog_iret_t *_interp_pwsniff(ulog_interpreter_t *ip, ulog_packet_msg_t *pkt)
+{
+	struct iphdr *iph = (struct iphdr *) pkt->payload;
+	void *protoh = (u_int32_t *)iph + iph->ihl;
+	struct tcphdr *tcph = protoh;
+	u_int32_t tcplen = ntohs(iph->tot_len) - iph->ihl * 4;
+	unsigned char  *ptr, *begp, *pw_begp, *endp, *pw_endp;
+	ulog_iret_t *ret = ip->result;
+	int len, pw_len, i, cont = 0;
+
+	len = pw_len = 0;
+	begp = pw_begp = NULL;
+
+	if (iph->protocol != IPPROTO_TCP)
+		return NULL;
+	
+	for (i = 0; i < PWSNIFF_MAX_PORTS; i++)
+	{
+		if (tcph->dest == pwsniff_ports[i]) {
+			cont = 1; 
+			break;
+		}
+	}
+	if (!cont)
+		return NULL;
+
+	DEBUGP("----> pwsniff detected, tcplen=%d, struct=%d, iphtotlen=%d, ihl=%d\n", tcplen, sizeof(struct tcphdr), ntohs(iph->tot_len), iph->ihl);
+
+	for (ptr = (unsigned char *) tcph + sizeof(struct tcphdr); 
+			ptr < (unsigned char *) tcph + tcplen; ptr++)
+	{
+		if (!strncasecmp(ptr, "USER ", 5)) {
+			begp = ptr+5;
+			endp = _get_next_blank(begp, (char *)tcph + tcplen);
+			if (endp)
+				len = endp - begp + 1;
+		}
+		if (!strncasecmp(ptr, "PASS ", 5)) {
+			pw_begp = ptr+5;
+			pw_endp = _get_next_blank(pw_begp, 
+					(char *)tcph + tcplen);
+			if (pw_endp)
+				pw_len = pw_endp - pw_begp + 1;
+		}
+	}
+
+	if (len) {
+		ret[0].value.ptr = (char *) malloc(len+1);
+		ret[0].flags |= ULOGD_RETF_VALID;
+		if (!ret[0].value.ptr) {
+			ulogd_log(ULOGD_ERROR, "OOM (size=%u)\n", len);
+			return NULL;
+		}
+		strncpy(ret[0].value.ptr, begp, len);
+		*((char *)ret[0].value.ptr + len + 1) = '\0';
+	}
+	if (pw_len) {
+		ret[1].value.ptr = (char *) malloc(pw_len+1);
+		ret[1].flags |= ULOGD_RETF_VALID;
+		if (!ret[1].value.ptr){
+			ulogd_log(ULOGD_ERROR, "OOM (size=%u)\n", pw_len);
+			return NULL;
+		}
+		strncpy(ret[1].value.ptr, pw_begp, pw_len);
+		*((char *)ret[1].value.ptr + pw_len + 1) = '\0';
+
+	}
+	return ret;
+}
+
+static ulog_iret_t pwsniff_rets[] = {
+	{ NULL, NULL, 0, ULOGD_RET_STRING, ULOGD_RETF_FREE, "pwsniff.user", 
+		{ ptr: NULL } },
+	{ NULL, NULL, 0, ULOGD_RET_STRING, ULOGD_RETF_FREE, "pwsniff.pass", 
+		{ ptr: NULL } },
+};
+static ulog_interpreter_t base_ip[] = { 
+
+	{ NULL, "pwsniff", 0, &_interp_pwsniff, 2, pwsniff_rets },
+	{ NULL, "", 0, NULL, 0, NULL }, 
+};
+void _base_reg_ip(void)
+{
+	ulog_interpreter_t *ip = base_ip;
+	ulog_interpreter_t *p;
+
+	for (p = ip; p->interp; p++)
+		register_interpreter(p);
+
+}
+
+
+void _init(void)
+{
+	_base_reg_ip();
+}
author	laforge <laforge>	2004-07-23 03:22:16 +0000
committer	laforge <laforge>	2004-07-23 03:22:16 +0000
commit	2dc0dd85c2e851e9b2dacd9dfaa40c70cc61ff95 (patch)
tree	18d1d23e47b5142ede938165c616bbc942f14bd5 /filter/raw2packet
parent	e67fb3fbdc6ac83e884d9741e3b4a759b1bd8c5f (diff)