diff options
Diffstat (limited to 'filter/ulogd_raw2packet_PWSNIFF.c')
-rw-r--r-- | filter/ulogd_raw2packet_PWSNIFF.c | 183 |
1 files changed, 183 insertions, 0 deletions
diff --git a/filter/ulogd_raw2packet_PWSNIFF.c b/filter/ulogd_raw2packet_PWSNIFF.c new file mode 100644 index 0000000..2be2126 --- /dev/null +++ b/filter/ulogd_raw2packet_PWSNIFF.c @@ -0,0 +1,183 @@ +/* ulogd_PWSNIFF.c, Version $Revision$ + * + * ulogd logging interpreter for POP3 / FTP like plaintext passwords. + * + * (C) 2000-2003 by Harald Welte <laforge@gnumonks.org> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * $Id$ + * + */ + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <sys/socket.h> +#include <netinet/ip.h> +#include <netinet/in.h> +#include <netinet/tcp.h> +#include "chtons.h" +#include <ulogd/ulogd.h> + +#ifdef DEBUG_PWSNIFF +#define DEBUGP(x) ulogd_log(ULOGD_DEBUG, x) +#else +#define DEBUGP(format, args...) +#endif + + +#define PORT_POP3 110 +#define PORT_FTP 21 + +static u_int16_t pwsniff_ports[] = { + __constant_htons(PORT_POP3), + __constant_htons(PORT_FTP), + /* feel free to include any other ports here, provided that their + * user/password syntax is the same */ +}; + +#define PWSNIFF_MAX_PORTS 2 + +static char *_get_next_blank(char* begp, char *endp) +{ + char *ptr; + + for (ptr = begp; ptr < endp; ptr++) { + if (*ptr == ' ' || *ptr == '\n' || *ptr == '\r') { + return ptr-1; + } + } + return NULL; +} + +static int interp_pwsniff(ulogd_pluginstance *pi); +{ + struct ulogd_key *inp = pi->input; + struct ulogd_key *ret = pi->output; + struct iphdr *iph; + void *protoh; + struct tcphdr *tcph; + unsigned int tcplen; + unsigned char *ptr, *begp, *pw_begp, *endp, *pw_endp; + int len, pw_len, i, cont = 0; + + if (!IS_VALID(pi->input[0])) + return 0; + + iph = (struct iphdr *) pi->input[0].u.value.ptr; + protoh = (u_int32_t *)iph + iph->ihl; + tcph = protoh; + cplen = ntohs(iph->tot_len) - iph->ihl * 4; + + len = pw_len = 0; + begp = pw_begp = NULL; + + if (iph->protocol != IPPROTO_TCP) + return 0; + + for (i = 0; i < PWSNIFF_MAX_PORTS; i++) + { + if (tcph->dest == pwsniff_ports[i]) { + cont = 1; + break; + } + } + if (!cont) + return 0; + + DEBUGP("----> pwsniff detected, tcplen=%d, struct=%d, iphtotlen=%d, " + "ihl=%d\n", tcplen, sizeof(struct tcphdr), ntohs(iph->tot_len), + iph->ihl); + + for (ptr = (unsigned char *) tcph + sizeof(struct tcphdr); + ptr < (unsigned char *) tcph + tcplen; ptr++) + { + if (!strncasecmp(ptr, "USER ", 5)) { + begp = ptr+5; + endp = _get_next_blank(begp, (char *)tcph + tcplen); + if (endp) + len = endp - begp + 1; + } + if (!strncasecmp(ptr, "PASS ", 5)) { + pw_begp = ptr+5; + pw_endp = _get_next_blank(pw_begp, + (char *)tcph + tcplen); + if (pw_endp) + pw_len = pw_endp - pw_begp + 1; + } + } + + if (len) { + ret[0].value.ptr = (char *) malloc(len+1); + ret[0].flags |= ULOGD_RETF_VALID; + if (!ret[0].value.ptr) { + ulogd_log(ULOGD_ERROR, "OOM (size=%u)\n", len); + return 0; + } + strncpy(ret[0].value.ptr, begp, len); + *((char *)ret[0].value.ptr + len + 1) = '\0'; + } + if (pw_len) { + ret[1].value.ptr = (char *) malloc(pw_len+1); + ret[1].flags |= ULOGD_RETF_VALID; + if (!ret[1].value.ptr){ + ulogd_log(ULOGD_ERROR, "OOM (size=%u)\n", pw_len); + return 0; + } + strncpy(ret[1].value.ptr, pw_begp, pw_len); + *((char *)ret[1].value.ptr + pw_len + 1) = '\0'; + + } + return 0; +} + +static struct ulogd_key pwsniff_inp = { + { + .name = "raw.pkt", + }, +}; + +static struct ulogd_key pwsniff_outp = { + { + .name = "pwsniff.user", + .type = ULOGD_RETF_STRING, + .flags = ULOGD_RETF_FREE, + }, + { + .name = "pwsniff.pass", + .type = ULOGD_RETF_STRING, + .flags = ULOGD_RETF_FREE, + }, +}; + +static struct ulogd_plugin pwsniff_plugin = { + .name = "PWSNIFF", + .input = { + .keys = pwsniff_inp, + .num_keys = ARRAY_SIZE(pwsniff_inp), + .type = ULOGD_DTYPE_PACKET, + }, + .output = { + .keys = pwsniff_outp, + .num_keys = ARRAY_SIZE(pwsniff_outp), + .type = ULOGD_DTYPE_PACKET, + }, + .interp = &interp_pwsniff, +}; + +void __attribute__ ((constructor)) init(void) +{ + ulogd_register_plugin(&pwsniff_plugin); +} |