coydog/zmap-freebsd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

building fieldset and probe modules

Browse Source
This commit is contained in:
Zakir Durumeric 2013-08-19 04:42:25 -04:00
parent a0288adec8
commit 952f6cefa1
7 changed files with 159 additions and 106 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/Makefile
View File

@ -35,7 +35,7 @@ LDFLAGS+=$(EXTRALDFLAGS)
modules=module_tcp_synscan.o module_icmp_echo.o module_udp.o #ADD YOUR MODULE HERE modules=module_tcp_synscan.o module_icmp_echo.o module_udp.o #ADD YOUR MODULE HERE
objects=constraint.o blacklist.o cyclic.o logger.o send.o recv.o state.o monitor.o zopt.o zmap.o random.o output_modules.o module_simple_file.o module_extended_file.o packet.o probe_modules.o ${modules} validate.o rijndael-alg-fst.o get_gateway.o aesrand.o objects=constraint.o blacklist.o cyclic.o logger.o send.o recv.o state.o monitor.o zopt.o zmap.o random.o output_modules.o module_simple_file.o module_extended_file.o packet.o probe_modules.o ${modules} validate.o rijndael-alg-fst.o get_gateway.o aesrand.o fieldset.o
ifeq ($(REDIS), true) ifeq ($(REDIS), true)
LDLIBS+=-lhiredis LDLIBS+=-lhiredis

53
src/fieldset.c
View File

@ -7,55 +7,12 @@
#include "../lib/logger.h" #include "../lib/logger.h"
// maximum number of records that can be stored in a fieldset
#define MAX_FIELDS 128
// types of data that can be stored in a field
#define FS_STRING 0
#define FS_UINT64 1
#define FS_BINARY 2
// definition of a field that's provided by a probe module
// these are used so that users can ask at the command-line
// what fields are available for consumption
typedef struct field_def {
const char *name;
const char *type;
const char *desc;
} field_def_t;
// the internal field type used by fieldset
typedef struct field {
const char *name;
int type;
int free_;
size_t len;
void *value;
} field_t;
// data structure that is populated by the probe module
// and translated into the data structure that's passed
// to the output module
typedef struct fieldset {
int len;
field_t fields[MAX_FIELDS];
} fieldset_t;
// we pass a different fieldset to an output module than
// the probe module generates for us because a user may
// only want certain fields and will expect them in a certain
// order. We generate a translated fieldset that contains
// only the fields we want to export to the output module.
// a translation specifies how to efficiently convert the fs
// povided by the probe module to the fs for the output module.
typedef struct translation {
int len;
int translation[MAX_FIELDS];
} translation_t;
int fs_split_string(int *len, char**results) int fs_split_string(int *len, char**results)
{ {
(void)len;
(void)results;
return 0;
} }
fieldset_t *fs_new_fieldset(void) fieldset_t *fs_new_fieldset(void)
@ -112,7 +69,7 @@ void fs_free(fieldset_t *fs)
translation_t *fs_generate_fieldset_translation() translation_t *fs_generate_fieldset_translation()
{ {
return NULL;
} }
fieldset_t *translate_fieldset(fieldset_t *fs, translation_t *t) fieldset_t *translate_fieldset(fieldset_t *fs, translation_t *t)
@ -126,4 +83,6 @@ fieldset_t *translate_fieldset(fieldset_t *fs, translation_t *t)
memcpy(&(retv->fields[i]), &(fs->fields[o]), sizeof(field_t)); memcpy(&(retv->fields[i]), &(fs->fields[o]), sizeof(field_t));
} }
retv->len = t->len; retv->len = t->len;
return retv;
} }

77
src/fieldset.h
View File

@ -0,0 +1,77 @@
/*
* ZMap Copyright 2013 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*/
#include <stdlib.h>
#include <stdint.h>
#ifndef _FIELDSET_H
#define _FIELDSET_H
// maximum number of records that can be stored in a fieldset
#define MAX_FIELDS 128
// types of data that can be stored in a field
#define FS_STRING 0
#define FS_UINT64 1
#define FS_BINARY 2
// definition of a field that's provided by a probe module
// these are used so that users can ask at the command-line
// what fields are available for consumption
typedef struct field_def {
const char *name;
const char *type;
const char *desc;
} fielddef_t;
// the internal field type used by fieldset
typedef struct field {
const char *name;
int type;
int free_;
size_t len;
void *value;
} field_t;
// data structure that is populated by the probe module
// and translated into the data structure that's passed
// to the output module
typedef struct fieldset {
int len;
field_t fields[MAX_FIELDS];
} fieldset_t;
// we pass a different fieldset to an output module than
// the probe module generates for us because a user may
// only want certain fields and will expect them in a certain
// order. We generate a translated fieldset that contains
// only the fields we want to export to the output module.
// a translation specifies how to efficiently convert the fs
// povided by the probe module to the fs for the output module.
typedef struct translation {
int len;
int translation[MAX_FIELDS];
} translation_t;
fieldset_t *fs_new_fieldset(void);
void fs_add_uint64(fieldset_t *fs, const char *name, uint64_t value);
void fs_add_string(fieldset_t *fs, const char *name, char *value, int free_);
void fs_add_binary(fieldset_t *fs, const char *name, size_t len,
void *value, int free_);
void fs_free(fieldset_t *fs);
translation_t *fs_generate_fieldset_translation();
fieldset_t *translate_fieldset(fieldset_t *fs, translation_t *t);
#endif

42
src/probe_modules/module_icmp_echo.c
View File

@ -158,38 +158,46 @@ int icmp_validate_packet(const struct iphdr *ip_hdr,
} }
void icmp_echo_process_packet(const u_char *packet, void icmp_echo_process_packet(const u_char *packet,
__attribute__((unused)) uint32_t len, fieldset *fs) __attribute__((unused)) uint32_t len, fieldset_t *fs)
{ {
struct iphdr *ip_hdr = (struct iphdr *)&packet[sizeof(struct ethhdr)]; struct iphdr *ip_hdr = (struct iphdr *)&packet[sizeof(struct ethhdr)];
struct icmp *icmp_hdr = (struct icmp*)((char *)ip_hdr struct icmphdr *icmp_hdr = (struct icmphdr*)((char *)ip_hdr + 4 *ip_hdr->ihl);
+ sizeof(struct iphdr));
fs_add_uint64(fs, "type", ntohs(icmp_hdr->type)); fs_add_uint64(fs, "type", ntohs(icmp_hdr->type));
fs_add_uint64(fs, "code", ntohs(icmp_hdr->code)); fs_add_uint64(fs, "code", ntohs(icmp_hdr->code));
fs_add_uint64(fs, "icmp-id", ntohs(icmp_hdr->un.echo.id)); fs_add_uint64(fs, "icmp-id", ntohs(icmp_hdr->un.echo.id));
fs_add_uint64(fs, "seq", ntohs(icmp_hdr->un.echo.sequence)); fs_add_uint64(fs, "seq", ntohs(icmp_hdr->un.echo.sequence));
switch (icmp_hdr->icmp_type) { switch (icmp_hdr->type) {
case ICMP_ECHOREPLY: case ICMP_ECHOREPLY:
fs_add_string(fs, "classification", "echoreply", 0); fs_add_string(fs, "classification", (char*) "echoreply", 0);
fs_add_uint64(fs, "success", 1); fs_add_uint64(fs, "success", 1);
case ICMP_UNREACH: case ICMP_UNREACH:
fs_add_string(fs, "classification", "unreach", 0); fs_add_string(fs, "classification", (char*) "unreach", 0);
fs_add_uint64(fs, "success", 0); fs_add_uint64(fs, "success", 0);
case ICMP_SOURCEQUENCH: case ICMP_SOURCEQUENCH:
fs_add_string(fs, "classification", "sourcequench", 0); fs_add_string(fs, "classification", (char*) "sourcequench", 0);
fs_add_uint64(fs, "success", 0); fs_add_uint64(fs, "success", 0);
case ICMP_REDIRECT: case ICMP_REDIRECT:
fs_add_string(fs, "classification", "redirect", 0); fs_add_string(fs, "classification", (char*) "redirect", 0);
fs_add_uint64(fs, "success", 0); fs_add_uint64(fs, "success", 0);
case ICMP_TIMXCEED: case ICMP_TIMXCEED:
fs_add_string(fs, "classification", "timxceed", 0); fs_add_string(fs, "classification", (char*) "timxceed", 0);
fs_add_uint64(fs, "success", 0); fs_add_uint64(fs, "success", 0);
default: default:
fs_add_string(fs, "classification", "other", 0); fs_add_string(fs, "classification", (char*) "other", 0);
fs_add_uint64(fs, "success", 0); fs_add_uint64(fs, "success", 0);
} }
} }
fielddef_t fields[] = {
{.name="type", .type="int", .desc="icmp message type"},
{.name="code", .type="int", .desc="icmp message sub type code"},
{.name="icmp-id", .type="int", .desc="icmp id number"},
{.name="seq", .type="int", .desc="icmp sequence number"},
{.name="classification", .type="string", .desc="probe module classification"},
{.name="success", .type="int", .desc="did probe module classify response as success"}
};
probe_module_t module_icmp_echo = { probe_module_t module_icmp_echo = {
.name = "icmp_echoscan", .name = "icmp_echoscan",
.packet_length = 62, .packet_length = 62,
@ -199,16 +207,8 @@ probe_module_t module_icmp_echo = {
.thread_initialize = &icmp_echo_init_perthread, .thread_initialize = &icmp_echo_init_perthread,
.make_packet = &icmp_echo_make_packet, .make_packet = &icmp_echo_make_packet,
.print_packet = &icmp_echo_print_packet, .print_packet = &icmp_echo_print_packet,
.process_response = &icmp_echo_process_response, .process_packet = &icmp_echo_process_packet,
.validate_packet = &icmp_validate_packet, .validate_packet = &icmp_validate_packet,
.close = NULL, .close = NULL,
.fields = { .fields = fields};
{.name "type", .type="int", .desc="icmp message type"},
{.name "code", .type="int", .desc="icmp message sub type code"},
{.name "icmp-id", .type="int", .desc="icmp id number"},
{.name "seq", .type="int", .desc="icmp sequence number"},
{.name="classification", .type="string", .desc="probe module classification"},
{.name="success", .type="int", .desc="did probe module classify response as success"}
}
};

45
src/probe_modules/module_tcp_synscan.c
View File

@ -149,29 +149,7 @@ int synscan_validate_packet(const struct iphdr *ip_hdr, uint32_t len,
return 1; return 1;
} }
void fs_add_sys_fields(fieldset_t *fs)
{
}
char *make_ip_str(uint32_t ip)
{
struct in_addr t;
t.saddr = ip;
const char *temp = inet_ntoa(t);
char *retv = malloc(strlen(temp)+1);
assert (retv);
strcpy(retv, temp);
return retv;
}
void fs_add_ip_fields(fieldset_t *fs, struct iphdr *ip)
{
fs_add_string(fs, "saddr", make_ip_str(ip->saddr), 1);
fs_add_string(fs, "daddr", make_ip_str(ip->daddr), 1);
fs_add_uint64(fs, "ipid", ntohl(ip->id);
fs_add_uint64(fs, "ttl", ntohl(ip->ttl);
}
void synscan_process_packet(const u_char *packet, void synscan_process_packet(const u_char *packet,
__attribute__((unused)) uint32_t len, fieldset_t *fs) __attribute__((unused)) uint32_t len, fieldset_t *fs)
@ -187,15 +165,23 @@ void synscan_process_packet(const u_char *packet,
fs_add_uint64(fs, "window", (uint64_t) ntohs(tcp->window)); fs_add_uint64(fs, "window", (uint64_t) ntohs(tcp->window));
if (tcp->rst) { // RST packet if (tcp->rst) { // RST packet
fs_add_string(fs, "classification", "rst", 0); fs_add_string(fs, "classification", (char*) "rst", 0);
fs_add_uint64(fs, "success", 0); fs_add_uint64(fs, "success", 0);
} else { // SYNACK packet } else { // SYNACK packet
fs_add_string(fs, "classification", "synack", 0); fs_add_string(fs, "classification", (char*) "synack", 0);
fs_add_uint64(fs, "success", 1); fs_add_uint64(fs, "success", 1);
} }
return
} }
static fielddef_t fields[] = {
{.name = "sport", .type = "int", .desc = "TCP source port"},
{.name = "dport", .type = "int", .desc = "TCP destination port"},
{.name = "seqnum", .type = "int", .desc = "TCP sequence number"},
{.name = "acknum", .type = "int", .desc = "TCP acknowledgement number"},
{.name = "window", .type = "int", .desc = "TCP window"},
};
probe_module_t module_tcp_synscan = { probe_module_t module_tcp_synscan = {
.name = "tcp_synscan", .name = "tcp_synscan",
.packet_length = 54, .packet_length = 54,
@ -209,12 +195,5 @@ probe_module_t module_tcp_synscan = {
.process_packet = &synscan_process_packet, .process_packet = &synscan_process_packet,
.validate_packet = &synscan_validate_packet, .validate_packet = &synscan_validate_packet,
.close = NULL, .close = NULL,
.fields = { .fields = fields};
{.name = "sport", .type = "int", .desc = "TCP source port"},
{.name = "dport", .type = "int", .desc = "TCP destination port"},
{.name = "seqnum", .type = "int", .desc = "TCP sequence number"},
{.name = "acknum", .type = "int", .desc = "TCP acknowledgement number"},
{.name = "window", .type = "int", .desc = "TCP window"},
}
};

35
src/probe_modules/probe_modules.c
View File

@ -8,7 +8,15 @@
#include <stdio.h> #include <stdio.h>
#include <string.h> #include <string.h>
#include <assert.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <net/if.h>
#include <linux/if_packet.h>
#include "../fieldset.h"
#include "probe_modules.h" #include "probe_modules.h"
extern probe_module_t module_tcp_synscan; extern probe_module_t module_tcp_synscan;
@ -40,3 +48,30 @@ void print_probe_modules(void)
printf("%s\n", probe_modules[i]->name); printf("%s\n", probe_modules[i]->name);
} }
} }
void print_probe_module_fields(probe_module_t *p)
{
for (int i=0; i < (int) (sizeof(p->fields)/sizeof(p->fields[0])); i++) {
}
}
char *make_ip_str(uint32_t ip)
{
struct in_addr t;
t.s_addr = ip;
const char *temp = inet_ntoa(t);
char *retv = malloc(strlen(temp)+1);
assert (retv);
strcpy(retv, temp);
return retv;
}
void fs_add_ip_fields(fieldset_t *fs, struct iphdr *ip)
{
fs_add_string(fs, "saddr", make_ip_str(ip->saddr), 1);
fs_add_string(fs, "daddr", make_ip_str(ip->daddr), 1);
fs_add_uint64(fs, "ipid", ntohl(ip->id));
fs_add_uint64(fs, "ttl", ntohl(ip->ttl));
}

11
src/probe_modules/probe_modules.h
View File

@ -1,4 +1,5 @@
#include "../state.h" #include "../state.h"
#include "../fieldset.h"
#ifndef HEADER_PROBE_MODULES_H #ifndef HEADER_PROBE_MODULES_H
#define HEADER_PROBE_MODULES_H #define HEADER_PROBE_MODULES_H
@ -14,9 +15,10 @@ typedef int (*probe_make_packet_cb)(void* packetbuf, ipaddr_n_t src_ip, ipaddr_n
uint32_t *validation, int probe_num); uint32_t *validation, int probe_num);
typedef void (*probe_print_packet_cb)(FILE *, void* packetbuf); typedef void (*probe_print_packet_cb)(FILE *, void* packetbuf);
typedef int (*probe_close_cb)(struct state_conf*, struct state_send*, struct state_recv*); typedef int (*probe_close_cb)(struct state_conf*, struct state_send*, struct state_recv*);
typedef response_type_t* (*probe_classify_packet_cb)(const u_char* packetbuf, uint32_t len);
typedef int (*probe_validate_packet_cb)(const struct iphdr *ip_hdr, uint32_t len, uint32_t *src_ip, uint32_t *validation); typedef int (*probe_validate_packet_cb)(const struct iphdr *ip_hdr, uint32_t len, uint32_t *src_ip, uint32_t *validation);
typedef void (*probe_classify_packet_cb)(const u_char* packetbuf, uint32_t len, fieldset_t*);
typedef struct probe_module { typedef struct probe_module {
const char *name; const char *name;
size_t packet_length; size_t packet_length;
@ -27,19 +29,20 @@ typedef struct probe_module {
// source and target port numbers? // source and target port numbers?
uint8_t port_args; uint8_t port_args;
response_type_t *responses;
probe_global_init_cb global_initialize; probe_global_init_cb global_initialize;
probe_thread_init_cb thread_initialize; probe_thread_init_cb thread_initialize;
probe_make_packet_cb make_packet; probe_make_packet_cb make_packet;
probe_print_packet_cb print_packet; probe_print_packet_cb print_packet;
probe_validate_packet_cb validate_packet; probe_validate_packet_cb validate_packet;
probe_classify_packet_cb classify_packet; probe_classify_packet_cb process_packet;
probe_close_cb close; probe_close_cb close;
fielddef_t *fields;
} probe_module_t; } probe_module_t;
probe_module_t* get_probe_module_by_name(const char*); probe_module_t* get_probe_module_by_name(const char*);
void print_probe_modules(void); void print_probe_modules(void);
#endif // HEADER_PROBE_MODULES_H #endif // HEADER_PROBE_MODULES_H