further progress
This commit is contained in:
Zakir Durumeric
@ -82,33 +82,8 @@ void icmp_echo_print_packet(FILE *fp, void* packet)
|
||||
ntohs(icmp_header->icmp_cksum),
|
||||
ntohs(icmp_header->icmp_id),
|
||||
ntohs(icmp_header->icmp_seq));
|
||||
struct in_addr *s = (struct in_addr *) &(iph->saddr);
|
||||
struct in_addr *d = (struct in_addr *) &(iph->daddr);
|
||||
char srcip[20];
|
||||
char dstip[20];
|
||||
// inet_ntoa is a const char * so we if just call it in
|
||||
// fprintf, you'll get back wrong results since we're
|
||||
// calling it twice.
|
||||
strncpy(srcip, inet_ntoa(*s), 19);
|
||||
strncpy(dstip, inet_ntoa(*d), 19);
|
||||
fprintf(fp, "ip { saddr: %s | daddr: %s | checksum: %u }\n",
|
||||
srcip,
|
||||
dstip,
|
||||
ntohl(iph->check));
|
||||
fprintf(fp, "eth { shost: %02x:%02x:%02x:%02x:%02x:%02x | "
|
||||
"dhost: %02x:%02x:%02x:%02x:%02x:%02x }\n",
|
||||
(int) ((unsigned char *) ethh->h_source)[0],
|
||||
(int) ((unsigned char *) ethh->h_source)[1],
|
||||
(int) ((unsigned char *) ethh->h_source)[2],
|
||||
(int) ((unsigned char *) ethh->h_source)[3],
|
||||
(int) ((unsigned char *) ethh->h_source)[4],
|
||||
(int) ((unsigned char *) ethh->h_source)[5],
|
||||
(int) ((unsigned char *) ethh->h_dest)[0],
|
||||
(int) ((unsigned char *) ethh->h_dest)[1],
|
||||
(int) ((unsigned char *) ethh->h_dest)[2],
|
||||
(int) ((unsigned char *) ethh->h_dest)[3],
|
||||
(int) ((unsigned char *) ethh->h_dest)[4],
|
||||
(int) ((unsigned char *) ethh->h_dest)[5]);
|
||||
fprintf_ip_header(fp, iph);
|
||||
fprintf_eth_header(fp, ethh);
|
||||
fprintf(fp, "------------------------------------------------------\n");
|
||||
}
|
||||
|
||||
|
||||
@ -84,45 +84,18 @@ void synscan_print_packet(FILE *fp, void* packet)
|
||||
ntohs(tcph->dest),
|
||||
ntohl(tcph->seq),
|
||||
ntohl(tcph->check));
|
||||
struct in_addr *s = (struct in_addr *) &(iph->saddr);
|
||||
struct in_addr *d = (struct in_addr *) &(iph->daddr);
|
||||
char srcip[20];
|
||||
char dstip[20];
|
||||
// inet_ntoa is a const char * so we if just call it in
|
||||
// fprintf, you'll get back wrong results since we're
|
||||
// calling it twice.
|
||||
strncpy(srcip, inet_ntoa(*s), 19);
|
||||
strncpy(dstip, inet_ntoa(*d), 19);
|
||||
fprintf(fp, "ip { saddr: %s | daddr: %s | checksum: %u }\n",
|
||||
srcip,
|
||||
dstip,
|
||||
ntohl(iph->check));
|
||||
fprintf(fp, "eth { shost: %02x:%02x:%02x:%02x:%02x:%02x | "
|
||||
"dhost: %02x:%02x:%02x:%02x:%02x:%02x }\n",
|
||||
(int) ((unsigned char *) ethh->h_source)[0],
|
||||
(int) ((unsigned char *) ethh->h_source)[1],
|
||||
(int) ((unsigned char *) ethh->h_source)[2],
|
||||
(int) ((unsigned char *) ethh->h_source)[3],
|
||||
(int) ((unsigned char *) ethh->h_source)[4],
|
||||
(int) ((unsigned char *) ethh->h_source)[5],
|
||||
(int) ((unsigned char *) ethh->h_dest)[0],
|
||||
(int) ((unsigned char *) ethh->h_dest)[1],
|
||||
(int) ((unsigned char *) ethh->h_dest)[2],
|
||||
(int) ((unsigned char *) ethh->h_dest)[3],
|
||||
(int) ((unsigned char *) ethh->h_dest)[4],
|
||||
(int) ((unsigned char *) ethh->h_dest)[5]);
|
||||
fprintf_ip_header(fp, iph);
|
||||
fprintf_eth_header(fp, ethh);
|
||||
fprintf(fp, "------------------------------------------------------\n");
|
||||
}
|
||||
|
||||
|
||||
|
||||
int synscan_validate_packet(const struct iphdr *ip_hdr, uint32_t len,
|
||||
__attribute__((unused))uint32_t *src_ip, uint32_t *validation)
|
||||
__attribute__((unused))uint32_t *src_ip,
|
||||
uint32_t *validation)
|
||||
{
|
||||
if (ip_hdr->protocol != IPPROTO_TCP) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
if ((4*ip_hdr->ihl + sizeof(struct tcphdr)) > len) {
|
||||
// buffer not large enough to contain expected tcp header
|
||||
return 0;
|
||||
@ -130,27 +103,21 @@ int synscan_validate_packet(const struct iphdr *ip_hdr, uint32_t len,
|
||||
struct tcphdr *tcp = (struct tcphdr*)((char *)ip_hdr + 4*ip_hdr->ihl);
|
||||
uint16_t sport = tcp->source;
|
||||
uint16_t dport = tcp->dest;
|
||||
|
||||
// validate source port
|
||||
if (ntohs(sport) != zconf.target_port) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
// validate destination port
|
||||
if (!check_dst_port(ntohs(dport), num_ports, validation)) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
// validate tcp acknowledgement number
|
||||
if (htonl(tcp->ack_seq) != htonl(validation[0])+1) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
||||
|
||||
void synscan_process_packet(const u_char *packet,
|
||||
__attribute__((unused)) uint32_t len, fieldset_t *fs)
|
||||
{
|
||||
@ -174,13 +141,18 @@ void synscan_process_packet(const u_char *packet,
|
||||
}
|
||||
|
||||
static fielddef_t fields[] = {
|
||||
{.name = "sport", .type = "int", .desc = "TCP source port"},
|
||||
{.name = "dport", .type = "int", .desc = "TCP destination port"},
|
||||
{.name = "sport", .type = "int", .desc = "TCP source port"},
|
||||
{.name = "dport", .type = "int", .desc = "TCP destination port"},
|
||||
{.name = "seqnum", .type = "int", .desc = "TCP sequence number"},
|
||||
{.name = "acknum", .type = "int", .desc = "TCP acknowledgement number"},
|
||||
{.name = "window", .type = "int", .desc = "TCP window"},
|
||||
};
|
||||
|
||||
const char *help =
|
||||
"Probe module that sends a TCP SYN packet to a specific "
|
||||
"port. Possible classifications are: synack and rst. A "
|
||||
"SYN-ACK packet is considered a success and a reset packet "
|
||||
"is considered a failed response.";
|
||||
|
||||
probe_module_t module_tcp_synscan = {
|
||||
.name = "tcp_synscan",
|
||||
@ -195,5 +167,6 @@ probe_module_t module_tcp_synscan = {
|
||||
.process_packet = &synscan_process_packet,
|
||||
.validate_packet = &synscan_validate_packet,
|
||||
.close = NULL,
|
||||
.helptext = help,
|
||||
.fields = fields};
|
||||
|
||||
|
||||
@ -109,14 +109,17 @@ int udp_global_initialize(struct state_conf *conf) {
|
||||
udp_send_msg[i] = (n & 0xff);
|
||||
}
|
||||
} else {
|
||||
log_fatal("udp", "unknown UDP probe specification (expected file:/path, text:STRING, or hex:01020304)");
|
||||
log_fatal("udp", "unknown UDP probe specification "
|
||||
"(expected file:/path, text:STRING, "
|
||||
"or hex:01020304)");
|
||||
free(udp_send_msg);
|
||||
free(args);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
if (udp_send_msg_len > MAX_UDP_PAYLOAD_LEN) {
|
||||
log_warn("udp", "warning: reducing UDP payload to %d bytes (from %d) to fit on the wire\n",
|
||||
log_warn("udp", "warning: reducing UDP payload to %d "
|
||||
"bytes (from %d) to fit on the wire\n",
|
||||
MAX_UDP_PAYLOAD_LEN, udp_send_msg_len);
|
||||
udp_send_msg_len = MAX_UDP_PAYLOAD_LEN;
|
||||
}
|
||||
@ -132,7 +135,6 @@ int udp_global_cleanup(__attribute__((unused)) struct state_conf *zconf,
|
||||
return(0);
|
||||
}
|
||||
|
||||
|
||||
int udp_init_perthread(void* buf, macaddr_t *src,
|
||||
macaddr_t *gw, __attribute__((unused)) port_h_t dst_port)
|
||||
{
|
||||
@ -158,9 +160,6 @@ int udp_init_perthread(void* buf, macaddr_t *src,
|
||||
return EXIT_SUCCESS;
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
int udp_make_packet(void *buf, ipaddr_n_t src_ip, ipaddr_n_t dst_ip,
|
||||
uint32_t *validation, int probe_num)
|
||||
{
|
||||
@ -188,34 +187,8 @@ void udp_print_packet(FILE *fp, void* packet)
|
||||
ntohs(udph->source),
|
||||
ntohs(udph->dest),
|
||||
ntohl(udph->check));
|
||||
//ip_header = (struct iphdr*)(ð_header[1])
|
||||
struct in_addr *s = (struct in_addr *) &(iph->saddr);
|
||||
struct in_addr *d = (struct in_addr *) &(iph->daddr);
|
||||
char srcip[20];
|
||||
char dstip[20];
|
||||
// inet_ntoa is a const char * so we if just call it in
|
||||
// fprintf, you'll get back wrong results since we're
|
||||
// calling it twice.
|
||||
strncpy(srcip, inet_ntoa(*s), 19);
|
||||
strncpy(dstip, inet_ntoa(*d), 19);
|
||||
fprintf(fp, "ip { saddr: %s | daddr: %s | checksum: %u }\n",
|
||||
srcip,
|
||||
dstip,
|
||||
ntohl(iph->check));
|
||||
fprintf(fp, "eth { shost: %02x:%02x:%02x:%02x:%02x:%02x | "
|
||||
"dhost: %02x:%02x:%02x:%02x:%02x:%02x }\n",
|
||||
(int) ((unsigned char *) ethh->h_source)[0],
|
||||
(int) ((unsigned char *) ethh->h_source)[1],
|
||||
(int) ((unsigned char *) ethh->h_source)[2],
|
||||
(int) ((unsigned char *) ethh->h_source)[3],
|
||||
(int) ((unsigned char *) ethh->h_source)[4],
|
||||
(int) ((unsigned char *) ethh->h_source)[5],
|
||||
(int) ((unsigned char *) ethh->h_dest)[0],
|
||||
(int) ((unsigned char *) ethh->h_dest)[1],
|
||||
(int) ((unsigned char *) ethh->h_dest)[2],
|
||||
(int) ((unsigned char *) ethh->h_dest)[3],
|
||||
(int) ((unsigned char *) ethh->h_dest)[4],
|
||||
(int) ((unsigned char *) ethh->h_dest)[5]);
|
||||
fprintf_ip_header(fp, iph);
|
||||
fprintf_eth_header(fp, ethh);
|
||||
fprintf(fp, "------------------------------------------------------\n");
|
||||
}
|
||||
|
||||
|
||||
@ -6,7 +6,6 @@
|
||||
* of the License at http://www.apache.org/licenses/LICENSE-2.0
|
||||
*/
|
||||
|
||||
|
||||
#include "packet.h"
|
||||
|
||||
#include <stdlib.h>
|
||||
@ -36,6 +35,41 @@ void print_macaddr(struct ifreq* i)
|
||||
(int) ((unsigned char *) &i->ifr_hwaddr.sa_data)[5]);
|
||||
}
|
||||
|
||||
void fprintf_ip_header(FILE *fp, struct iphdr *iph)
|
||||
{
|
||||
struct in_addr *s = (struct in_addr *) &(iph->saddr);
|
||||
struct in_addr *d = (struct in_addr *) &(iph->daddr);
|
||||
char srcip[20];
|
||||
char dstip[20];
|
||||
// inet_ntoa is a const char * so we if just call it in
|
||||
// fprintf, you'll get back wrong results since we're
|
||||
// calling it twice.
|
||||
strncpy(srcip, inet_ntoa(*s), 19);
|
||||
strncpy(dstip, inet_ntoa(*d), 19);
|
||||
fprintf(fp, "ip { saddr: %s | daddr: %s | checksum: %u }\n",
|
||||
srcip,
|
||||
dstip,
|
||||
ntohl(iph->check));
|
||||
}
|
||||
|
||||
void fprintf_eth_header(FILE *fp, struct ethhdr *ethh)
|
||||
{
|
||||
fprintf(fp, "eth { shost: %02x:%02x:%02x:%02x:%02x:%02x | "
|
||||
"dhost: %02x:%02x:%02x:%02x:%02x:%02x }\n",
|
||||
(int) ((unsigned char *) ethh->h_source)[0],
|
||||
(int) ((unsigned char *) ethh->h_source)[1],
|
||||
(int) ((unsigned char *) ethh->h_source)[2],
|
||||
(int) ((unsigned char *) ethh->h_source)[3],
|
||||
(int) ((unsigned char *) ethh->h_source)[4],
|
||||
(int) ((unsigned char *) ethh->h_source)[5],
|
||||
(int) ((unsigned char *) ethh->h_dest)[0],
|
||||
(int) ((unsigned char *) ethh->h_dest)[1],
|
||||
(int) ((unsigned char *) ethh->h_dest)[2],
|
||||
(int) ((unsigned char *) ethh->h_dest)[3],
|
||||
(int) ((unsigned char *) ethh->h_dest)[4],
|
||||
(int) ((unsigned char *) ethh->h_dest)[5]);
|
||||
}
|
||||
|
||||
void make_eth_header(struct ethhdr *ethh, macaddr_t *src, macaddr_t *dst)
|
||||
{
|
||||
memcpy(ethh->h_source, src, ETH_ALEN);
|
||||
|
||||
@ -31,7 +31,6 @@ probe_module_t* probe_modules[] = {
|
||||
// ADD YOUR MODULE HERE
|
||||
};
|
||||
|
||||
|
||||
probe_module_t* get_probe_module_by_name(const char* name)
|
||||
{
|
||||
for (int i=0; i < (int) (sizeof(probe_modules)/sizeof(probe_modules[0])); i++) {
|
||||
@ -76,6 +75,8 @@ fielddef_t ip_fields[] = {
|
||||
|
||||
fielddef_t sys_fields[] = {
|
||||
{.name="repeat", .type="int", .desc="Is response a repeat response from host"},
|
||||
{.name="cooldown", .type="int", .desc="Was response received during the cooldown period"},
|
||||
|
||||
{.name="timestamp-str", .type="string", .desc="timestamp of when response arrived in ISO8601 format."}
|
||||
}
|
||||
|
||||
@ -87,9 +88,8 @@ void fs_add_ip_fields(fieldset_t *fs, struct iphdr *ip)
|
||||
fs_add_uint64(fs, "ttl", ntohl(ip->ttl));
|
||||
}
|
||||
|
||||
void fs_add_system_fields(fieldset_t *fs)
|
||||
void fs_add_system_fields(fieldset_t *fs, int is_repeat, int in_cooldown)
|
||||
{
|
||||
|
||||
|
||||
}
|
||||
|
||||
|
||||
@ -37,12 +37,14 @@ typedef struct probe_module {
|
||||
probe_classify_packet_cb process_packet;
|
||||
probe_close_cb close;
|
||||
fielddef_t *fields;
|
||||
|
||||
const char *helptext;
|
||||
|
||||
} probe_module_t;
|
||||
|
||||
probe_module_t* get_probe_module_by_name(const char*);
|
||||
|
||||
void fs_add_ip_fields(fieldset_t *fs, struct iphdr *ip);
|
||||
void fs_add_system_fields(fieldset_t *fs, int is_repeat, int in_cooldown);
|
||||
void print_probe_modules(void);
|
||||
|
||||
#endif // HEADER_PROBE_MODULES_H
|
||||
|
||||
Reference in New Issue
Block a user