From 4a2041993bc767c88583133e81ae38b5925dfc0a Mon Sep 17 00:00:00 2001
From: laforge <laforge>
Date: Sat, 5 Nov 2005 15:44:46 +0000
Subject: move to filter dir

---
 filter/raw2packet/ulogd_raw2packet_PWSNIFF.c | 183 ---------------------------
 filter/ulogd_raw2packet_PWSNIFF.c            | 183 +++++++++++++++++++++++++++
 2 files changed, 183 insertions(+), 183 deletions(-)
 delete mode 100644 filter/raw2packet/ulogd_raw2packet_PWSNIFF.c
 create mode 100644 filter/ulogd_raw2packet_PWSNIFF.c

(limited to 'filter')

diff --git a/filter/raw2packet/ulogd_raw2packet_PWSNIFF.c b/filter/raw2packet/ulogd_raw2packet_PWSNIFF.c
deleted file mode 100644
index 2be2126..0000000
--- a/filter/raw2packet/ulogd_raw2packet_PWSNIFF.c
+++ /dev/null
@@ -1,183 +0,0 @@
-/* ulogd_PWSNIFF.c, Version $Revision$
- *
- * ulogd logging interpreter for POP3 / FTP like plaintext passwords.
- *
- * (C) 2000-2003 by Harald Welte <laforge@gnumonks.org>
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License version 2 
- *  as published by the Free Software Foundation
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License
- *  along with this program; if not, write to the Free Software
- *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
- *
- * $Id$
- *
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/socket.h>
-#include <netinet/ip.h>
-#include <netinet/in.h>
-#include <netinet/tcp.h>
-#include "chtons.h"
-#include <ulogd/ulogd.h>
-
-#ifdef DEBUG_PWSNIFF
-#define DEBUGP(x) ulogd_log(ULOGD_DEBUG, x)
-#else
-#define DEBUGP(format, args...)
-#endif
-
-
-#define PORT_POP3	110
-#define PORT_FTP	21
-
-static u_int16_t pwsniff_ports[] = {
-	__constant_htons(PORT_POP3),
-	__constant_htons(PORT_FTP),
-	/* feel free to include any other ports here, provided that their
-	 * user/password syntax is the same */
-};
-
-#define PWSNIFF_MAX_PORTS 2
-
-static char *_get_next_blank(char* begp, char *endp)
-{
-	char *ptr;
-
-	for (ptr = begp; ptr < endp; ptr++) {
-		if (*ptr == ' ' || *ptr == '\n' || *ptr == '\r') {
-			return ptr-1;	
-		}
-	}
-	return NULL;
-}
-
-static int interp_pwsniff(ulogd_pluginstance *pi);
-{
-	struct ulogd_key *inp = pi->input;
-	struct ulogd_key *ret = pi->output;
-	struct iphdr *iph;
-	void *protoh;
-	struct tcphdr *tcph;	
-	unsigned int tcplen;
-	unsigned char  *ptr, *begp, *pw_begp, *endp, *pw_endp;
-	int len, pw_len, i, cont = 0;
-
-	if (!IS_VALID(pi->input[0]))
-		return 0;
-	
-	iph = (struct iphdr *) pi->input[0].u.value.ptr;
-	protoh = (u_int32_t *)iph + iph->ihl;
-	tcph = protoh;
-	cplen = ntohs(iph->tot_len) - iph->ihl * 4;
-
-	len = pw_len = 0;
-	begp = pw_begp = NULL;
-
-	if (iph->protocol != IPPROTO_TCP)
-		return 0;
-	
-	for (i = 0; i < PWSNIFF_MAX_PORTS; i++)
-	{
-		if (tcph->dest == pwsniff_ports[i]) {
-			cont = 1; 
-			break;
-		}
-	}
-	if (!cont)
-		return 0;
-
-	DEBUGP("----> pwsniff detected, tcplen=%d, struct=%d, iphtotlen=%d, "
-		"ihl=%d\n", tcplen, sizeof(struct tcphdr), ntohs(iph->tot_len),
-		iph->ihl);
-
-	for (ptr = (unsigned char *) tcph + sizeof(struct tcphdr); 
-			ptr < (unsigned char *) tcph + tcplen; ptr++)
-	{
-		if (!strncasecmp(ptr, "USER ", 5)) {
-			begp = ptr+5;
-			endp = _get_next_blank(begp, (char *)tcph + tcplen);
-			if (endp)
-				len = endp - begp + 1;
-		}
-		if (!strncasecmp(ptr, "PASS ", 5)) {
-			pw_begp = ptr+5;
-			pw_endp = _get_next_blank(pw_begp, 
-					(char *)tcph + tcplen);
-			if (pw_endp)
-				pw_len = pw_endp - pw_begp + 1;
-		}
-	}
-
-	if (len) {
-		ret[0].value.ptr = (char *) malloc(len+1);
-		ret[0].flags |= ULOGD_RETF_VALID;
-		if (!ret[0].value.ptr) {
-			ulogd_log(ULOGD_ERROR, "OOM (size=%u)\n", len);
-			return 0;
-		}
-		strncpy(ret[0].value.ptr, begp, len);
-		*((char *)ret[0].value.ptr + len + 1) = '\0';
-	}
-	if (pw_len) {
-		ret[1].value.ptr = (char *) malloc(pw_len+1);
-		ret[1].flags |= ULOGD_RETF_VALID;
-		if (!ret[1].value.ptr){
-			ulogd_log(ULOGD_ERROR, "OOM (size=%u)\n", pw_len);
-			return 0;
-		}
-		strncpy(ret[1].value.ptr, pw_begp, pw_len);
-		*((char *)ret[1].value.ptr + pw_len + 1) = '\0';
-
-	}
-	return 0;
-}
-
-static struct ulogd_key pwsniff_inp = {
-	{
-		.name 	= "raw.pkt",
-	},
-};
-
-static struct ulogd_key pwsniff_outp = {
-	{
-		.name	= "pwsniff.user",
-		.type	= ULOGD_RETF_STRING,
-		.flags	= ULOGD_RETF_FREE,
-	},
-	{
-		.name 	= "pwsniff.pass",
-		.type	= ULOGD_RETF_STRING,
-		.flags	= ULOGD_RETF_FREE,
-	},
-};
-
-static struct ulogd_plugin pwsniff_plugin = {
-	.name	= "PWSNIFF",
-	.input	= {
-		.keys = pwsniff_inp,
-		.num_keys = ARRAY_SIZE(pwsniff_inp),
-		.type = ULOGD_DTYPE_PACKET,
-	},
-	.output	= {
-		.keys = pwsniff_outp,
-		.num_keys = ARRAY_SIZE(pwsniff_outp),
-		.type = ULOGD_DTYPE_PACKET,
-	},
-	.interp = &interp_pwsniff,
-};
-
-void __attribute__ ((constructor)) init(void)
-{
-	ulogd_register_plugin(&pwsniff_plugin);
-}
diff --git a/filter/ulogd_raw2packet_PWSNIFF.c b/filter/ulogd_raw2packet_PWSNIFF.c
new file mode 100644
index 0000000..2be2126
--- /dev/null
+++ b/filter/ulogd_raw2packet_PWSNIFF.c
@@ -0,0 +1,183 @@
+/* ulogd_PWSNIFF.c, Version $Revision$
+ *
+ * ulogd logging interpreter for POP3 / FTP like plaintext passwords.
+ *
+ * (C) 2000-2003 by Harald Welte <laforge@gnumonks.org>
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2 
+ *  as published by the Free Software Foundation
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, write to the Free Software
+ *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ *
+ * $Id$
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <netinet/ip.h>
+#include <netinet/in.h>
+#include <netinet/tcp.h>
+#include "chtons.h"
+#include <ulogd/ulogd.h>
+
+#ifdef DEBUG_PWSNIFF
+#define DEBUGP(x) ulogd_log(ULOGD_DEBUG, x)
+#else
+#define DEBUGP(format, args...)
+#endif
+
+
+#define PORT_POP3	110
+#define PORT_FTP	21
+
+static u_int16_t pwsniff_ports[] = {
+	__constant_htons(PORT_POP3),
+	__constant_htons(PORT_FTP),
+	/* feel free to include any other ports here, provided that their
+	 * user/password syntax is the same */
+};
+
+#define PWSNIFF_MAX_PORTS 2
+
+static char *_get_next_blank(char* begp, char *endp)
+{
+	char *ptr;
+
+	for (ptr = begp; ptr < endp; ptr++) {
+		if (*ptr == ' ' || *ptr == '\n' || *ptr == '\r') {
+			return ptr-1;	
+		}
+	}
+	return NULL;
+}
+
+static int interp_pwsniff(ulogd_pluginstance *pi);
+{
+	struct ulogd_key *inp = pi->input;
+	struct ulogd_key *ret = pi->output;
+	struct iphdr *iph;
+	void *protoh;
+	struct tcphdr *tcph;	
+	unsigned int tcplen;
+	unsigned char  *ptr, *begp, *pw_begp, *endp, *pw_endp;
+	int len, pw_len, i, cont = 0;
+
+	if (!IS_VALID(pi->input[0]))
+		return 0;
+	
+	iph = (struct iphdr *) pi->input[0].u.value.ptr;
+	protoh = (u_int32_t *)iph + iph->ihl;
+	tcph = protoh;
+	cplen = ntohs(iph->tot_len) - iph->ihl * 4;
+
+	len = pw_len = 0;
+	begp = pw_begp = NULL;
+
+	if (iph->protocol != IPPROTO_TCP)
+		return 0;
+	
+	for (i = 0; i < PWSNIFF_MAX_PORTS; i++)
+	{
+		if (tcph->dest == pwsniff_ports[i]) {
+			cont = 1; 
+			break;
+		}
+	}
+	if (!cont)
+		return 0;
+
+	DEBUGP("----> pwsniff detected, tcplen=%d, struct=%d, iphtotlen=%d, "
+		"ihl=%d\n", tcplen, sizeof(struct tcphdr), ntohs(iph->tot_len),
+		iph->ihl);
+
+	for (ptr = (unsigned char *) tcph + sizeof(struct tcphdr); 
+			ptr < (unsigned char *) tcph + tcplen; ptr++)
+	{
+		if (!strncasecmp(ptr, "USER ", 5)) {
+			begp = ptr+5;
+			endp = _get_next_blank(begp, (char *)tcph + tcplen);
+			if (endp)
+				len = endp - begp + 1;
+		}
+		if (!strncasecmp(ptr, "PASS ", 5)) {
+			pw_begp = ptr+5;
+			pw_endp = _get_next_blank(pw_begp, 
+					(char *)tcph + tcplen);
+			if (pw_endp)
+				pw_len = pw_endp - pw_begp + 1;
+		}
+	}
+
+	if (len) {
+		ret[0].value.ptr = (char *) malloc(len+1);
+		ret[0].flags |= ULOGD_RETF_VALID;
+		if (!ret[0].value.ptr) {
+			ulogd_log(ULOGD_ERROR, "OOM (size=%u)\n", len);
+			return 0;
+		}
+		strncpy(ret[0].value.ptr, begp, len);
+		*((char *)ret[0].value.ptr + len + 1) = '\0';
+	}
+	if (pw_len) {
+		ret[1].value.ptr = (char *) malloc(pw_len+1);
+		ret[1].flags |= ULOGD_RETF_VALID;
+		if (!ret[1].value.ptr){
+			ulogd_log(ULOGD_ERROR, "OOM (size=%u)\n", pw_len);
+			return 0;
+		}
+		strncpy(ret[1].value.ptr, pw_begp, pw_len);
+		*((char *)ret[1].value.ptr + pw_len + 1) = '\0';
+
+	}
+	return 0;
+}
+
+static struct ulogd_key pwsniff_inp = {
+	{
+		.name 	= "raw.pkt",
+	},
+};
+
+static struct ulogd_key pwsniff_outp = {
+	{
+		.name	= "pwsniff.user",
+		.type	= ULOGD_RETF_STRING,
+		.flags	= ULOGD_RETF_FREE,
+	},
+	{
+		.name 	= "pwsniff.pass",
+		.type	= ULOGD_RETF_STRING,
+		.flags	= ULOGD_RETF_FREE,
+	},
+};
+
+static struct ulogd_plugin pwsniff_plugin = {
+	.name	= "PWSNIFF",
+	.input	= {
+		.keys = pwsniff_inp,
+		.num_keys = ARRAY_SIZE(pwsniff_inp),
+		.type = ULOGD_DTYPE_PACKET,
+	},
+	.output	= {
+		.keys = pwsniff_outp,
+		.num_keys = ARRAY_SIZE(pwsniff_outp),
+		.type = ULOGD_DTYPE_PACKET,
+	},
+	.interp = &interp_pwsniff,
+};
+
+void __attribute__ ((constructor)) init(void)
+{
+	ulogd_register_plugin(&pwsniff_plugin);
+}
-- 
cgit v1.2.3