diff options
| author | yangwei <[email protected]> | 2024-08-16 20:38:37 +0800 |
|---|---|---|
| committer | yangwei <[email protected]> | 2024-08-19 18:27:28 +0800 |
| commit | 858a3ad589b110b069da19c43f566ea7ad8d7012 (patch) | |
| tree | 1e297d8274bebd839f87c914c2dacebaecad330c | |
| parent | a59eca7685e126226d5c2b4679a2a90711cc5875 (diff) | |
✨ feat(integration glimpse_detector): in decoders/glimpse_detector
651 files changed, 53732 insertions, 5 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt index f524aaa..f8c0010 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -44,6 +44,7 @@ if (CMAKE_CXX_CPPCHECK) "--suppress=funcArgOrderDifferent" "--suppress=unreachableCode" "--suppress=internalAstError" + "--suppress=integerOverflow" ) set(CMAKE_C_CPPCHECK ${CMAKE_CXX_CPPCHECK}) else() @@ -77,7 +78,7 @@ add_subdirectory(conf) add_subdirectory(vendor) add_subdirectory(deps) add_subdirectory(src) -add_subdirectory(decoders/http) +add_subdirectory(decoders) add_subdirectory(scripts) add_subdirectory(include) add_subdirectory(test) diff --git a/decoders/CMakeLists.txt b/decoders/CMakeLists.txt new file mode 100644 index 0000000..9206b96 --- /dev/null +++ b/decoders/CMakeLists.txt @@ -0,0 +1,2 @@ +add_subdirectory(http) +add_subdirectory(glimpse_detector) diff --git a/decoders/glimpse_detector/.gitignore b/decoders/glimpse_detector/.gitignore new file mode 100644 index 0000000..43c6efe --- /dev/null +++ b/decoders/glimpse_detector/.gitignore @@ -0,0 +1,6 @@ +*.o +*.so +.deps/ +cmake-build-* +build +.vscode/ diff --git a/decoders/glimpse_detector/CMakeLists.txt b/decoders/glimpse_detector/CMakeLists.txt new file mode 100644 index 0000000..9a99f69 --- /dev/null +++ b/decoders/glimpse_detector/CMakeLists.txt @@ -0,0 +1,12 @@ +add_definitions(-fPIC) +add_subdirectory(libprotoident) + +add_library(glimpse_detector app_l7_protocol.cpp quic_identify.cpp openvpn_identify.cpp) +target_include_directories(glimpse_detector PUBLIC ${CMAKE_SOURCE_DIR}/deps/) + +target_link_libraries(glimpse_detector libprotoident MESA_handle_logger MESA_prof_load) +set_target_properties(glimpse_detector PROPERTIES LINK_FLAGS + "-Wl,--version-script=${CMAKE_CURRENT_SOURCE_DIR}/version.map") + +#install(TARGETS ${PROJECT_NAME} LIBRARY DESTINATION ${CMAKE_INSTALL_PREFIX}/stellar_plugin COMPONENT LIBRARIES) + diff --git a/decoders/glimpse_detector/app_l7_protocol.cpp b/decoders/glimpse_detector/app_l7_protocol.cpp new file mode 100644 index 0000000..cdf2fb5 --- /dev/null +++ b/decoders/glimpse_detector/app_l7_protocol.cpp @@ -0,0 +1,836 @@ +/* + * dpkt_basic_proto_main.cpp + * + * Created on: Aug 7, 2020 + * Author: iie + */ + +#include <stdio.h> +#include <stdlib.h> +#include <time.h> +#include <string.h> +#include <assert.h> + +#include "uthash/uthash.h" + +#include <MESA/MESA_prof_load.h> +#include <MESA/MESA_handle_logger.h> + + +#include "stellar/utils.h" + +#include "stellar/session.h" +#include "stellar/stellar_exdata.h" +#include "stellar/stellar_mq.h" + +#include "stellar/layer.h" + +#include "app_l7_protocol.h" +#include "firewall/firewall_message.h" + +const char *dns_name="DNS"; +const char *imap_name="IMAP"; +const char *quic_name="QUIC"; + +const char *g_app_proto_conffile="./tsgconf/main.conf"; +const char *l7_protocol_file = (char *)"./tsgconf/tsg_l7_protocol.conf"; +const char *log_path = (char *)"./tsglog/glimpse_detector/glimpse_detector"; + + +struct glimpse_detector_schema +{ + int level; + int max_pkts; + int l7_label_id; + int l7_bridge_id; + int plugin_exdata_idx; + int l7_app_id_exdata_idx; + int topic_id; + int plugin_id; + struct stellar *st; + char log_path[128]; + char l7_label_name[128]; + char l7_bridge_name[128]; + char l7_library_name[128]; + char l7_protocol_file[128]; + struct l7_protocol_hash *name_by_id; + void *logger; + int tcp_topic_id; + int udp_topic_id; +}; + +struct l7_protocol_hash g_app_name2lpi_id[]={ + {0, LPI_PROTO_UNKNOWN, "UNCATEGORIZED",{}}, + //{0, LPI_PROTO_UNKNOWN, "Unknown_UDP"}, + //{0, LPI_PROTO_UNSUPPORTED, "Unknown_Other"}, + {0, LPI_PROTO_DNS, "DNS", {}}, + {0, LPI_PROTO_FTP_CONTROL, "FTP", {}}, + //{0, LPI_PROTO_FTP_DATA, "FTP", NULL, NULL}, + {0, LPI_PROTP_FTPS, "FTPS", {}}, + {0, LPI_PROTO_HTTP, "HTTP", {}}, + {0, LPI_PROTO_HTTPS, "HTTPS", {}}, + {0, LPI_PROTO_ICMP, "ICMP", {}}, + {0, LPI_PROTO_IKE, "IKE", {}}, + {0, LPI_PROTO_MAIL, "MAIL", {}}, + {0, LPI_PROTO_IMAP, "IMAP", {}}, + {0, LPI_PROTO_IMAPS, "IMAPS", {}}, + {0, LPI_PROTO_UDP_ESP, "IPSEC", {}}, + {0, LPI_PROTO_XMPP, "XMPP", {}}, + {0, LPI_PROTO_UDP_L2TP, "L2TP", {}}, + {0, LPI_PROTO_UDP_NTP, "NTP", {}}, + {0, LPI_PROTO_POP3, "POP3", {}}, + {0, LPI_PROTO_POP3S, "POP3S", {}}, + {0, LPI_PROTO_PPTP, "PPTP", {}}, + {0, LPI_PROTO_UDP_QUIC, "QUIC", {}}, + {0, LPI_PROTO_SIP, "SIP", {}}, + {0, LPI_PROTO_SMB, "SMB", {}}, + {0, LPI_PROTO_SMTP, "SMTP", {}}, + {0, LPI_PROTO_SMTPS, "SMTPS", {}}, + {0, LPI_PROTO_SPDY, "SPDY", {}}, + {0, LPI_PROTO_SSH, "SSH", {}}, + {0, LPI_PROTO_SSL, "SSL", {}}, + {0, LPI_PROTO_SOCKS4, "SOCKS", {}}, + //{0, LPI_PROTO_SOCKS4, "SOCKS4", NULL, NULL}, + //{0, LPI_PROTO_SOCKS5, "SOCKS5", NULL, NULL}, + {0, LPI_PROTO_TELNET, "TELNET", {}}, + {0, LPI_PROTO_UDP_DHCP, "DHCP", {}}, + {0, LPI_PROTO_UDP_RADIUS, "RADIUS", {}}, + {0, LPI_PROTO_OPENVPN, "OPENVPN", {}}, + {0, LPI_PROTO_STUN, "STUN", {}}, + {0, LPI_PROTO_UDP_TEREDO, "TEREDO", {}}, + {0, LPI_PROTO_UDP_DTLS, "DTLS", {}}, + {0, LPI_PROTO_DOH, "DoH", {}}, + {0, LPI_PROTO_UDP_ISAKMP, "ISAKMP", {}}, + {0, LPI_PROTO_UDP_MDNS, "MDNS", {}}, + {0, LPI_PROTO_NETBIOS, "NETBIOS", {}}, + {0, LPI_PROTO_UDP_NETFLOW, "NETFLOW", {}}, + {0, LPI_PROTO_RDP, "RDP", {}}, + {0, LPI_PROTO_UDP_RTCP, "RTCP", {}}, + {0, LPI_PROTO_UDP_RTP, "RTP", {}}, + {0, LPI_PROTO_UDP_SLP, "SLP", {}}, + {0, LPI_PROTO_UDP_SNMP, "SNMP", {}}, + {0, LPI_PROTO_UDP_SSDP, "SSDP", {}}, + {0, LPI_PROTO_UDP_TFTP, "TFTP", {}}, + {0, LPI_PROTO_UDP_BJNP, "BJNP", {}}, + {0, LPI_PROTO_LDAP, "LDAP", {}}, + {0, LPI_PROTO_RTMP, "RTMP", {}}, + {0, LPI_PROTO_RTSP, "RTSP", {}}, + {0, LPI_PROTO_ESNI, "ESNI", {}}, + {0, LPI_PROTO_STRATUM, "Stratum", {}}, + {0, LPI_PROTO_QQ, "QQ", {}}, + {0, LPI_PROTO_WECHAT, "WeChat", {}}, + {0, LPI_PROTO_MMS, "MMS", {}}, + {0, LPI_PROTO_RSYNC, "RSYNC", {}}, + {0, LPI_PROTO_UDP_WIREGUARD, "WIREGUARD", {}}, + }; + +struct dns_header +{ + u_int16_t id; +#if __BYTE_ORDER == __LITTLE_ENDIAN + u_char rd:1; + u_char tc:1; + u_char aa:1; + u_char opcode:4; + u_char qr:1; + u_char rcode:4; + u_char z:3; + u_char ra:1; +#elif __BYTE_ORDER == __BIG_ENDIAN + u_char qr:1; + u_char opcode:4; + u_char aa:1; + u_char tc:1; + u_char rd:1; + u_char ra:1; + u_char z:3; + u_char rcode:4; +#endif + u_int16_t qdcount; + u_int16_t ancount; + u_int16_t aucount;//authority count + u_int16_t adcount;//additional count +}; + +static void get_host_order_port(struct session *sess __unused, unsigned short *sport, unsigned short *dport) +{ + *sport=0; + *dport=0; +#if 0 + // DONE: get host order port from session api 1.0 + enum session_addr_type addr_type; + struct session_addr *addr=session_get0_addr(sess, &addr_type); + unsigned short n_sport = (addr_type == SESSION_ADDR_TYPE_IPV4_TCP || addr_type == SESSION_ADDR_TYPE_IPV4_UDP) ? (addr->ipv4.sport) : ( (addr_type == SESSION_ADDR_TYPE_IPV6_TCP || addr_type == SESSION_ADDR_TYPE_IPV6_UDP) ? (addr->ipv6.sport) : 0); + unsigned short n_dport = (addr_type == SESSION_ADDR_TYPE_IPV4_TCP || addr_type == SESSION_ADDR_TYPE_IPV4_UDP) ? (addr->ipv4.dport) : ( (addr_type == SESSION_ADDR_TYPE_IPV6_TCP || addr_type == SESSION_ADDR_TYPE_IPV6_UDP) ? (addr->ipv6.dport) : 0); + //unsigned short n_dport = (pstream->addr.addrtype == ADDR_TYPE_IPV4) ? (pstream->addr.tuple4_v4->dest) : ( (pstream->addr.addrtype == ADDR_TYPE_IPV6) ? (pstream->addr.tuple4_v6->dest) : 0); + + *sport=ntohs(n_sport); + *dport=ntohs(n_dport); +#else +//get host order port from stellar session api + + #if 0 + const struct tuple6 *t6 = session_get_tuple6(sess); + enum flow_direction flow_dir = session_get_tuple6_direction(sess); + if(flow_dir == FLOW_DIRECTION_C2S) + { + *sport = ntohs(t6->src_port); + *dport = ntohs(t6->dst_port); + } + else + { + *sport = ntohs(t6->dst_port); + *dport = ntohs(t6->src_port); + + } + #endif + + + const struct packet *pkt = session_get0_current_packet(sess); + enum flow_direction flow_dir=session_get_current_flow_direction(sess); + if(pkt && (flow_dir==FLOW_DIRECTION_C2S || flow_dir==FLOW_DIRECTION_S2C)) + { + int layer_cnt=packet_get_layer_count(pkt); + struct layer l={}; + packet_get_layer_by_idx(pkt, layer_cnt-1, &l); + switch((int)l.proto) + { + case LAYER_PROTO_TCP: + *sport = ntohs(l.hdr.tcp->th_sport); + *dport = ntohs(l.hdr.tcp->th_dport); + break; + case LAYER_PROTO_UDP: + *sport = ntohs(l.hdr.udp->uh_sport); + *dport = ntohs(l.hdr.udp->uh_dport); + break; + default: + break; + } + //S2C, swap sport and dport + if(flow_dir == FLOW_DIRECTION_S2C) + { + unsigned short tmp = *sport; + *sport = *dport; + *dport = tmp; + } + } +#endif + + return; +} + +static int revise_lpi_result(struct session *sess, const char *scan_data, const int scan_data_len, lpi_module_t* proto, struct traffic_context *context, int l4_is_tcp, int curdir_is_c2s) +{ + unsigned short sport=0, dport=0; + + get_host_order_port(sess, &sport, &dport); + + if(sport == 989 || sport == 990 || dport == 989 || dport == 990) + { + if(proto->protocol == LPI_PROTO_SSL) + { + proto->protocol=(lpi_protocol_t)LPI_PROTP_FTPS; + proto->category=LPI_CATEGORY_FILES; + proto->priority=3; + proto->name="FTPS"; + proto->lpi_callback=NULL; + return 1; + } + } + + if(sport==443 || dport==443 || sport==80 || dport==80 || sport==8443 || dport==8443) + { + if(app_identify_get_quic_protocol(curdir_is_c2s, (const unsigned char *)scan_data, scan_data_len) != QUIC_VERSION_UNKNOWN) + { + //lpi_quic + proto->protocol=LPI_PROTO_UDP_QUIC; + proto->category=LPI_CATEGORY_WEB; + proto->priority=9; + proto->name=quic_name; + proto->lpi_callback=NULL; + return 1; + } + } + + if((sport==53 || dport==53) && (scan_data_len>12)) + { + struct dns_header *dns_hdr=NULL; + if(l4_is_tcp) + { + dns_hdr=(struct dns_header *)(scan_data+2); + } + else + { + dns_hdr=(struct dns_header *)scan_data; + } + if((dns_hdr->qr==1 && ntohs(dns_hdr->qdcount)==1) || + (dns_hdr->qr==0 && ntohs(dns_hdr->qdcount)==1 && ntohs(dns_hdr->aucount)==0 && ntohs(dns_hdr->ancount)==0)) + { + proto->protocol=LPI_PROTO_DNS; + proto->category=LPI_CATEGORY_SERVICES; + proto->priority=10; + proto->name=dns_name; + proto->lpi_callback=NULL; + return 1; + } + } + + if(((sport==143 || dport==143)) && + ( + (scan_data_len>=11 && memmem(scan_data, scan_data_len, " CAPABILITY", 11)!=NULL) || + (scan_data_len>=7 && memmem(scan_data, scan_data_len, " LOGIN ", 7)!=NULL) + ) + ) + { + proto->protocol=LPI_PROTO_IMAP; + proto->category=LPI_CATEGORY_MAIL; + proto->priority=2; + proto->name=imap_name; + proto->lpi_callback=NULL; + return 1; + } + int c2s_pkt_cnt=context->c2s_pkt; + int s2c_pkt_cnt=context->s2c_pkt; + + if(app_identify_guess_openvpn((const unsigned char *)scan_data, scan_data_len, c2s_pkt_cnt, s2c_pkt_cnt, &context->ovpn, l4_is_tcp, curdir_is_c2s)==1) + { + proto->protocol=LPI_PROTO_OPENVPN; + proto->category=LPI_CATEGORY_TUNNELLING; + proto->priority=4; + proto->name="OpenVPN"; + proto->lpi_callback=NULL; + return 1; + } + + return 0; +} + + +static int set_lpi_same_name(struct l7_protocol_hash *l7_protocol_hash, struct l7_protocol_hash *l7_protocol_elem, int lpi_protocol_id) +{ + struct l7_protocol_hash *tmp=(struct l7_protocol_hash *)calloc(1, sizeof(struct l7_protocol_hash)); + memcpy(tmp, l7_protocol_elem, sizeof(struct l7_protocol_hash)); + + tmp->lpi_protocol=lpi_protocol_id; + HASH_ADD(hh, l7_protocol_hash, lpi_protocol, sizeof(int), tmp); + + return 0; +} + +static int get_protocol_id(struct l7_protocol_hash *name_by_id, const lpi_module_t* proto) +{ + struct l7_protocol_hash *out=NULL; + + HASH_FIND(hh, name_by_id, &(proto->protocol), sizeof(int), out); + if(out!=NULL) + { + return out->protocol_id; + } + + return -1; +} + +static struct app_id_message *app_id_messgae_create(unsigned short *id_array, int id_num) +{ + struct app_id_message *result=CALLOC(struct app_id_message, 1); + result->origin=ORIGIN_PROTO_IDENTIFY; + result->magic=MESSAGE_MAGIC; + result->app_id_num=id_num; + for(unsigned int i=0; i<result->app_id_num; i++) + { + result->app_id[i]=(int)(id_array[i]); + result->surrogate_id[i]=0; + } + + return result; +} + +static int update_protocol_id(unsigned short *old_id_array, int *old_id_num, unsigned short new_id) +{ + int i=0; + + if(*old_id_num>=MAX_APP_ID_NUM) + { + return 0; + } + + for(i=0; i<(*old_id_num); i++) + { + if(new_id==old_id_array[i]) + { + return 0; + } + } + + old_id_array[(*old_id_num)]=new_id; + (*old_id_num)++; + + return 1; +} + +static int l7_protocol_mapper(struct glimpse_detector_schema *g_app_proto_para, const char *filename) +{ + size_t i=0,ret=0; + FILE *fp=NULL; + char line[1024]={0}; + char type_name[32]={0}; + struct l7_protocol_hash *name2lpi=NULL; + struct l7_protocol_hash *l7_protocol=NULL; + struct l7_protocol_hash *out=NULL, *tmp=NULL; + + fp=fopen(filename, "r"); + if(fp==NULL) + { + printf("Open %s failed ...", filename); + return -1; + } + + for(i=0; i<(sizeof(g_app_name2lpi_id)/sizeof(struct l7_protocol_hash)); i++) + { + HASH_ADD(hh, name2lpi, name, strlen(g_app_name2lpi_id[i].name), &(g_app_name2lpi_id[i])); + } + + memset(line, 0, sizeof(line)); + + while((fgets(line, sizeof(line), fp))!=NULL) + { + if(line[0]=='#' || line[0]=='\n' || line[0]=='\r' ||line[0]=='\0') + { + continue; + } + + l7_protocol=(struct l7_protocol_hash *)calloc(1, sizeof(struct l7_protocol_hash)); + ret=sscanf(line, "%31s %63s %d", type_name, l7_protocol->name, &l7_protocol->protocol_id); + assert(ret==3); + + HASH_FIND(hh, name2lpi, l7_protocol->name, strlen(l7_protocol->name), out); + if(out==NULL) + { + MESA_handle_runtime_log(g_app_proto_para->logger, RLOG_LV_FATAL, "INIT_HASH", "Protocol %s identified without registered LPI ID", l7_protocol->name); + free(l7_protocol); + continue; + } + + l7_protocol->lpi_protocol=out->lpi_protocol; + HASH_ADD(hh, g_app_proto_para->name_by_id, lpi_protocol, sizeof(int), l7_protocol); + + switch(out->lpi_protocol) + { + case LPI_PROTO_DNS: + set_lpi_same_name(g_app_proto_para->name_by_id, l7_protocol, LPI_PROTO_UDP_DNS); + break; + case LPI_PROTO_SIP: + set_lpi_same_name(g_app_proto_para->name_by_id, l7_protocol, LPI_PROTO_UDP_SIP); + break; + case LPI_PROTO_SOCKS4: + set_lpi_same_name(g_app_proto_para->name_by_id, l7_protocol, LPI_PROTO_SOCKS5); + break; + case LPI_PROTO_FTP_CONTROL: + set_lpi_same_name(g_app_proto_para->name_by_id, l7_protocol, LPI_PROTO_FTP_DATA); + break; + case LPI_PROTO_OPENVPN: + set_lpi_same_name(g_app_proto_para->name_by_id, l7_protocol, LPI_PROTO_UDP_OPENVPN); + break; + case LPI_PROTO_LDAP: + set_lpi_same_name(g_app_proto_para->name_by_id, l7_protocol, LPI_PROTO_TCP_LDAP_AD); + set_lpi_same_name(g_app_proto_para->name_by_id, l7_protocol, LPI_PROTO_UDP_LDAP_AD); + break; + case LPI_PROTO_HTTP: + set_lpi_same_name(g_app_proto_para->name_by_id, l7_protocol, LPI_PROTO_HTTP_BADPORT); + set_lpi_same_name(g_app_proto_para->name_by_id, l7_protocol, LPI_PROTO_HTTP_TUNNEL); + set_lpi_same_name(g_app_proto_para->name_by_id, l7_protocol, LPI_PROTO_NONSTANDARD_HTTP); + break; + case LPI_PROTO_STUN: + set_lpi_same_name(g_app_proto_para->name_by_id, l7_protocol, LPI_PROTO_UDP_STUN); + break; + case LPI_PROTO_NETBIOS: + set_lpi_same_name(g_app_proto_para->name_by_id, l7_protocol, LPI_PROTO_UDP_NETBIOS); + break; + case LPI_PROTO_QQ: + set_lpi_same_name(g_app_proto_para->name_by_id, l7_protocol, LPI_PROTO_UDP_QQ); + break; + case LPI_PROTO_WECHAT: + set_lpi_same_name(g_app_proto_para->name_by_id, l7_protocol, LPI_PROTO_UDP_WECHAT); + break; + default: + break; + } + + memset(line, 0, sizeof(line)); + } + + fclose(fp); + fp=NULL; + + HASH_CLEAR(hh, name2lpi); + + HASH_ITER(hh, g_app_proto_para->name_by_id, out ,tmp) + { + MESA_handle_runtime_log(g_app_proto_para->logger, + RLOG_LV_DEBUG, + "ID_MAPPER", + "%s lpi_protocol built-in ID is %d and TSG ID is %d", + out->name, + out->lpi_protocol, + out->protocol_id + ); + } + + return ret; +} + +static void free_l7_protocol_mapper(struct l7_protocol_hash *hash) +{ + if(hash==NULL) + { + return ; + } + struct l7_protocol_hash *out=NULL, *tmp=NULL; + HASH_ITER(hh, hash, out ,tmp) + { + if(out!=NULL) + { + HASH_DEL(hash, out); + free(out); + out=NULL; + } + } +} + +int lpi_update_dpkt(lpi_data_t *data, struct session *sess, + const char *scan_data, int scan_data_len, char tsproto, + uint32_t is_c2s) +{ + + uint32_t dir = 0; + if(is_c2s == 1) + { + dir = 0; + } + else + { + dir = 1; + } + uint32_t four_bytes; + + if (data->observed[dir] > 32 * 1024) + return 0; + + data->observed[dir] += scan_data_len; + + if (data->trans_proto == 0)data->trans_proto = tsproto; + + if (scan_data == NULL)return 0; + if (scan_data_len <= 0)return 0; + + if (scan_data_len < 4) + { + memcpy((char *)&four_bytes, scan_data, scan_data_len); + four_bytes = (ntohl(four_bytes)) >> (8 * (4 - scan_data_len)); + four_bytes = htonl(four_bytes << (8 * (4 - scan_data_len))); + } + else + { + four_bytes = (*(uint32_t *)scan_data); + } + + data->payload[dir] = four_bytes; + data->payload_len[dir] = scan_data_len; + + uint16_t source=0; + uint16_t dest=0; + get_host_order_port(sess,&source ,&dest); + + data->client_port = source; + data->server_port = dest; + +// DONE: no need to set saddr and daddr +/* + + if (pstream != NULL && data->ips[0] == 0 + && (pstream->addr.addrtype == __ADDR_TYPE_IP_PAIR_V4 + || pstream->addr.addrtype == ADDR_TYPE_IPV4)) + { + if (dir == 1) + { + data->ips[0] = pstream->addr.ipv4->saddr; + data->ips[1] = pstream->addr.ipv4->daddr; + } + else + { + data->ips[1] = pstream->addr.ipv4->saddr; + data->ips[0] = pstream->addr.ipv4->daddr; + } + } +*/ + return 1; + +} + + + +static int app_glimpse_detector(struct session *sess, struct traffic_context *context, struct glimpse_detector_schema *g_app_proto_para, const char *scan_data, const int scan_data_len, int l4_proto) +{ + int ret=0,is_update=0; + //unsigned short sport=0, dport=0; + lpi_module_t modify_lpi_result={(lpi_protocol_t)0, (lpi_category_t)0, NULL, 0, NULL}; + unsigned short new_protocol_id=0; + struct l7_protocol_label *l7_protocol=NULL; + //const struct packet *raw_packet=session_get0_current_packet(sess); + //int cur_pkt_dir= packet_get_direction(raw_packet); + int cur_pkt_dir=session_get_current_flow_direction(sess); + context->pkt_cnt++; + (cur_pkt_dir==FLOW_DIRECTION_C2S) ? (context->c2s_pkt++) : (context->s2c_pkt++); + int is_c2s_pkt=((cur_pkt_dir==FLOW_DIRECTION_C2S) ? 1 : 0); + ret=lpi_update_dpkt(&(context->lpi_data), sess, scan_data, scan_data_len, l4_proto, is_c2s_pkt); + if(!ret) + { + return 1; + } + + lpi_module_t *plpi_mod=lpi_guess_protocol(&(context->lpi_data)); + if(plpi_mod==NULL) + { + return 1; + } + + if((plpi_mod->protocol==LPI_PROTO_UNKNOWN || plpi_mod->protocol==LPI_PROTO_UDP) && + (context->pkt_cnt<g_app_proto_para->max_pkts || context->is_identify==1)) + { + ret=revise_lpi_result(sess, scan_data, scan_data_len, &modify_lpi_result, context, + (l4_proto==6?1:0), + (cur_pkt_dir==FLOW_DIRECTION_C2S?1:0)); + if(ret==0) + { + return 1; + } + + plpi_mod=&modify_lpi_result; + } + + if (plpi_mod->protocol == LPI_PROTO_FTP_CONTROL && context->is_first_payload == 1 && cur_pkt_dir == FLOW_DIRECTION_S2C) + { + if ((((scan_data_len >= 4 && (memcmp(scan_data, "220-", 4) == 0)) || memcmp(scan_data, "220 ", 4) == 0)) && + (((scan_data_len >= 7 && (memmem(scan_data, scan_data_len, " ESMTP ", 7) != NULL)) || + memmem(scan_data, scan_data_len, " esmtp ", 7) != NULL))) + { + // lpi_smtp + modify_lpi_result.protocol = LPI_PROTO_SMTP; + modify_lpi_result.category = LPI_CATEGORY_MAIL; + modify_lpi_result.priority = 2; + modify_lpi_result.name = "SMTP"; + + plpi_mod = &modify_lpi_result; + } + } + + if (plpi_mod->protocol == LPI_PROTO_SMTP && context->is_first_payload == 1 && cur_pkt_dir == FLOW_DIRECTION_S2C) + { + if ( + (scan_data_len >= 4) && + (memcmp(scan_data, "220 ", 4) == 0 || memcmp(scan_data, "220-", 4) == 0) && + (memmem(scan_data, scan_data_len, "FTPd", 4) != NULL || + memmem(scan_data, scan_data_len, "ftpd", 4) != NULL || + memmem(scan_data, scan_data_len, "FTPD", 4) != NULL)) + { + // lpi_ftpcontrol + modify_lpi_result.protocol = LPI_PROTO_FTP_CONTROL; + modify_lpi_result.category = LPI_CATEGORY_FILES; + modify_lpi_result.priority = 3; + modify_lpi_result.name = "FTP_Control"; + + plpi_mod = &modify_lpi_result; + } + } + + new_protocol_id=get_protocol_id(g_app_proto_para->name_by_id, plpi_mod); + if(new_protocol_id==(unsigned short)-1) + { + + if(plpi_mod->protocol!=LPI_PROTO_UNKNOWN && plpi_mod->protocol!=LPI_PROTO_UDP && plpi_mod->protocol!=LPI_PROTO_UNSUPPORTED) + { + MESA_handle_runtime_log(g_app_proto_para->logger, + RLOG_LV_INFO, + "UNDEFINE", + "Protocol Name: %s identified without registered LPI ID=%d, category: %s priority: %d addr: %s", + plpi_mod->name, + plpi_mod->protocol, + lpi_print_category(plpi_mod->category), + plpi_mod->priority, + session_get0_readable_addr(sess) + ); + } + + return 1; + } + else + { + MESA_handle_runtime_log(g_app_proto_para->logger, + RLOG_LV_INFO, + "DEFINE", + "Protocol Name: %s identified registered LPI ID(%d), category: %s priority: %d addr: %s", + plpi_mod->name, + plpi_mod->protocol, + lpi_print_category(plpi_mod->category), + plpi_mod->priority, + session_get0_readable_addr(sess) + ); + } + l7_protocol = (struct l7_protocol_label *)session_exdata_get(sess, g_app_proto_para->l7_app_id_exdata_idx); + if(l7_protocol==NULL) + { + l7_protocol=CALLOC(struct l7_protocol_label, 1); + l7_protocol->continue_scan_flag = 1; + session_exdata_set(sess, g_app_proto_para->l7_app_id_exdata_idx, l7_protocol); + } + + is_update=update_protocol_id(l7_protocol->protocol_id, &(l7_protocol->protocol_id_num), new_protocol_id); + if(is_update==1) + { + context->is_identify=1; + struct app_id_message *msg=app_id_messgae_create(l7_protocol->protocol_id, l7_protocol->protocol_id_num); + if(session_mq_publish_message(sess, g_app_proto_para->topic_id, msg) < 0) + { + FREE(msg); + } + MESA_handle_runtime_log(g_app_proto_para->logger, RLOG_LV_DEBUG, "ADD_PROJECT", "%s identified, ID %d addr: %s", plpi_mod->name, new_protocol_id, session_get0_readable_addr(sess)); + } + + if (context->pkt_cnt >= g_app_proto_para->max_pkts || (plpi_mod->category != LPI_CATEGORY_TUNNELLING && plpi_mod->category != LPI_CATEGORY_NAT && plpi_mod->protocol != LPI_PROTO_RDP && plpi_mod->protocol != LPI_PROTO_UDP_RDP && plpi_mod->protocol != LPI_PROTO_UDP_RTP && plpi_mod->protocol != LPI_PROTO_UDP_RTCP)) + { + l7_protocol->continue_scan_flag=0; + return 0; + } + + return 1; +} + +static void glimpse_detector_on_session_msg(struct session *sess, int topic_id __unused, const void *msg, void *per_session_ctx __unused, void *plugin_env) +{ + assert(plugin_env!=NULL); + + if(msg==NULL)return; + + struct glimpse_detector_schema *glimpse_detector_env=(struct glimpse_detector_schema *)plugin_env; + int identify_continue=0; + struct traffic_context *context = (struct traffic_context *)session_exdata_get(sess, glimpse_detector_env->plugin_exdata_idx); + if(context==NULL) + { + context= CALLOC(struct traffic_context, 1); + context->is_first_payload=1; + session_exdata_set(sess, glimpse_detector_env->plugin_exdata_idx, context); + } + //size_t payload_len=0; + //const char *payload=session_get0_current_payload(sess, &payload_len); + + uint16_t payload_len=packet_get_payload_len((struct packet*)msg); + const char *payload=packet_get_payload((struct packet*)msg); + if (payload!=NULL && payload_len>0 && context->pkt_cnt<glimpse_detector_env->max_pkts) + { + int l4_proto=0; + enum session_type type= session_get_type(sess); + if(type == SESSION_TYPE_TCP) + { + l4_proto=6; + } + if(type == SESSION_TYPE_UDP) + { + l4_proto=17; + } + identify_continue=app_glimpse_detector(sess, context, glimpse_detector_env, payload, payload_len, l4_proto); + context->is_first_payload=0; + } + else + { + identify_continue=1; + } + + if (identify_continue==0) + { + if(context->is_identify==0) + { + MESA_handle_runtime_log(glimpse_detector_env->logger, RLOG_LV_INFO, "UNKNOWN", "addr: %s", session_get0_readable_addr(sess)); + } + FREE(context); + session_exdata_set(sess, glimpse_detector_env->plugin_exdata_idx, NULL); + stellar_session_plugin_dettach_current_session(sess); + } + return; +} + + +extern "C" void APP_GLIMPSE_DETECTOR_UNLOAD(void *plugin_env) +{ + if(plugin_env) + { + struct glimpse_detector_schema *glimpse_detector_env=(struct glimpse_detector_schema *)plugin_env; + lpi_free_library(); + free_l7_protocol_mapper(glimpse_detector_env->name_by_id); + if(glimpse_detector_env->logger) + { + MESA_destroy_runtime_log_handle(glimpse_detector_env->logger); + } + FREE(plugin_env); + } +} + +extern "C" void * APP_GLIMPSE_DETECTOR_LOAD(struct stellar *st) +{ + int ret=0; + struct glimpse_detector_schema *glimpse_detector_env=CALLOC(struct glimpse_detector_schema, 1); + glimpse_detector_env->st=st; + MESA_load_profile_short_def(g_app_proto_conffile, "PROTO_IDENTIFY", "LOG_LEVEL", (short *)&glimpse_detector_env->level, 30); + MESA_load_profile_int_def(g_app_proto_conffile, "PROTO_IDENTIFY", "MAX_IDENTIFY_PACKETS", &glimpse_detector_env->max_pkts, 16); + MESA_load_profile_string_def(g_app_proto_conffile, "PROTO_IDENTIFY", "LOG_PATH", glimpse_detector_env->log_path, sizeof(glimpse_detector_env->log_path), log_path); + MESA_load_profile_string_def(g_app_proto_conffile, "SYSTEM", "APP_IDENTIFY_RESULT_BRIDGE", glimpse_detector_env->l7_bridge_name, sizeof(glimpse_detector_env->l7_bridge_name), "APP_IDENTIFY_RESULT_BRIDGE"); + MESA_load_profile_string_def(g_app_proto_conffile, "SYSTEM", "L7_PROTOCOL_FILE", glimpse_detector_env->l7_protocol_file, sizeof(glimpse_detector_env->l7_protocol_file), l7_protocol_file); + + glimpse_detector_env->logger=MESA_create_runtime_log_handle(glimpse_detector_env->log_path, glimpse_detector_env->level); + if(glimpse_detector_env->logger==NULL) + { + goto INIT_ERROR; + } + ret=lpi_init_library(1); // 1, 2 or 3 + if(ret<0) + { + goto INIT_ERROR; + } + + ret=l7_protocol_mapper(glimpse_detector_env,glimpse_detector_env->l7_protocol_file); + if(ret<0) + { + goto INIT_ERROR; + } + + glimpse_detector_env->plugin_id=stellar_session_plugin_register(st, NULL, NULL, glimpse_detector_env); + if(glimpse_detector_env->plugin_id < 0) + { + goto INIT_ERROR; + } + glimpse_detector_env->tcp_topic_id=stellar_mq_get_topic_id(st, TOPIC_TCP); + glimpse_detector_env->udp_topic_id=stellar_mq_get_topic_id(st, TOPIC_UDP); + if(glimpse_detector_env->tcp_topic_id < 0 || glimpse_detector_env->udp_topic_id < 0) + { + perror("get tcp or udp topic id failed\n"); + exit(-1); + } + + stellar_session_mq_subscribe(st, glimpse_detector_env->tcp_topic_id, glimpse_detector_on_session_msg, glimpse_detector_env->plugin_id); + stellar_session_mq_subscribe(st, glimpse_detector_env->udp_topic_id, glimpse_detector_on_session_msg, glimpse_detector_env->plugin_id); + + glimpse_detector_env->plugin_exdata_idx = stellar_exdata_new_index(st, "EXDATA_LPI", stellar_exdata_free_default, NULL); + glimpse_detector_env->l7_app_id_exdata_idx = stellar_exdata_new_index(st, "L7_PROTOCOL", stellar_exdata_free_default, NULL); + glimpse_detector_env->topic_id=stellar_mq_get_topic_id(st, APP_ID_MESSAGE_TOPIC); + if(glimpse_detector_env->topic_id < 0) + { + glimpse_detector_env->topic_id=stellar_mq_create_topic(st, APP_ID_MESSAGE_TOPIC, stellar_msg_free_default, NULL); + } + return glimpse_detector_env; + +INIT_ERROR: + APP_GLIMPSE_DETECTOR_UNLOAD(glimpse_detector_env); + exit(-1); + return NULL; + +} + diff --git a/decoders/glimpse_detector/app_l7_protocol.h b/decoders/glimpse_detector/app_l7_protocol.h new file mode 100644 index 0000000..2fae274 --- /dev/null +++ b/decoders/glimpse_detector/app_l7_protocol.h @@ -0,0 +1,227 @@ +#pragma once + +#include "libprotoident/libprotoident.h" +#include "uthash/uthash.h" + +#define MAX_APP_ID_NUM 8 + +typedef enum { + LPI_PROTO_EXTEND_FRIST = LPI_PROTO_LAST, + LPI_PROTO_IKE, //unsupport + LPI_PROTO_DOH, //unsupport + LPI_PROTO_MAIL, //unsupport + LPI_PROTO_ESNI, //unsupport + LPI_PROTP_FTPS, + LPI_PROTO_EXTEND_LAST +} extend_lpi_protocol_t; + +struct l7_protocol_label +{ + int continue_scan_flag; //0: stop; 1: continue + int protocol_id_num; + unsigned short protocol_id[MAX_APP_ID_NUM]; +}; + +struct l7_protocol_hash +{ + int protocol_id; + int lpi_protocol; + char name[64]; + UT_hash_handle hh; +}; + + +struct ovpn_ctx +{ + uint64_t local_session_id; + int contain_local_session_id_pkt_num; + int valid_opcode_cnt; +}; + +struct traffic_context +{ + unsigned char is_identify; + unsigned char is_first_payload; + unsigned short pkt_cnt; + unsigned short s2c_pkt; + unsigned short c2s_pkt; + lpi_data_t lpi_data; // lpi API + union{ + uint64_t ctx[2]; + struct ovpn_ctx ovpn; + }; +}; + +//https://github.com/quicwg/base-drafts/wiki/QUIC-Versions +enum _QUIC_VERSION +{ + QUIC_VERSION_UNKNOWN=0, + //NetApp + QUANT_VERSION_00=0x45474700, + QUANT_VERSION_FF=0x454747FF, + + //Private Octopus + PICOQUIC_VERSION_30=0x50435130, + + //google + GQUIC_VERSION_Q001=0x51303031, + GQUIC_VERSION_Q002=0x51303032, + GQUIC_VERSION_Q003=0x51303033, + GQUIC_VERSION_Q004=0x51303034, + GQUIC_VERSION_Q005=0x51303035, + GQUIC_VERSION_Q006=0x51303036, + GQUIC_VERSION_Q007=0x51303037, + GQUIC_VERSION_Q008=0x51303038, + GQUIC_VERSION_Q009=0x51303039, + + GQUIC_VERSION_Q010=0x51303130, + GQUIC_VERSION_Q011=0x51303131, + GQUIC_VERSION_Q012=0x51303132, + GQUIC_VERSION_Q013=0x51303133, + GQUIC_VERSION_Q014=0x51303134, + GQUIC_VERSION_Q015=0x51303135, + GQUIC_VERSION_Q016=0x51303136, + GQUIC_VERSION_Q017=0x51303137, + GQUIC_VERSION_Q018=0x51303138, + GQUIC_VERSION_Q019=0x51303139, + + GQUIC_VERSION_Q020=0x51303230, + GQUIC_VERSION_Q021=0x51303231, + GQUIC_VERSION_Q022=0x51303232, + GQUIC_VERSION_Q023=0x51303233, + GQUIC_VERSION_Q024=0x51303234, + GQUIC_VERSION_Q025=0x51303235, + GQUIC_VERSION_Q026=0x51303236, + GQUIC_VERSION_Q027=0x51303237, + GQUIC_VERSION_Q028=0x51303238, + GQUIC_VERSION_Q029=0x51303239, + + GQUIC_VERSION_Q030=0x51303330, + GQUIC_VERSION_Q031=0x51303331, + GQUIC_VERSION_Q032=0x51303332, + GQUIC_VERSION_Q033=0x51303333, + GQUIC_VERSION_Q034=0x51303334, + GQUIC_VERSION_Q035=0x51303335, + GQUIC_VERSION_Q036=0x51303336, + GQUIC_VERSION_Q037=0x51303337, + GQUIC_VERSION_Q038=0x51303338, + GQUIC_VERSION_Q039=0x51303339, + + GQUIC_VERSION_Q040=0x51303430, + GQUIC_VERSION_Q041=0x51303431, + GQUIC_VERSION_Q042=0x51303432, + GQUIC_VERSION_Q043=0x51303433, + GQUIC_VERSION_Q044=0x51303434, + GQUIC_VERSION_Q045=0x51303435, + GQUIC_VERSION_Q046=0x51303436, + GQUIC_VERSION_Q047=0x51303437, + GQUIC_VERSION_Q048=0x51303438, + GQUIC_VERSION_Q049=0x51303439, + + GQUIC_VERSION_Q050=0x51303530, + GQUIC_VERSION_Q051=0x51303531, + GQUIC_VERSION_Q052=0x51303532, + GQUIC_VERSION_Q053=0x51303533, + GQUIC_VERSION_Q054=0x51303534, + GQUIC_VERSION_Q055=0x51303535, + GQUIC_VERSION_Q056=0x51303536, + GQUIC_VERSION_Q057=0x51303537, + GQUIC_VERSION_Q058=0x51303538, + GQUIC_VERSION_Q059=0x51303539, + + GQUIC_VERSION_Q099=0x51303939, + + //Google QUIC with TLS 48 - 49 (T048 - T049) + GQUIC_VERSION_T048=0x54303438, + GQUIC_VERSION_T049=0x54303439, + + //Google QUIC with TLS 50 - 59 (T050 - T059) + GQUIC_VERSION_T050=0x54303530, + GQUIC_VERSION_T051=0x54303531, + GQUIC_VERSION_T052=0x54303532, + GQUIC_VERSION_T053=0x54303533, + GQUIC_VERSION_T054=0x54303534, + GQUIC_VERSION_T055=0x54303535, + GQUIC_VERSION_T056=0x54303536, + GQUIC_VERSION_T057=0x54303537, + GQUIC_VERSION_T058=0x54303538, + GQUIC_VERSION_T059=0x54303539, + + //Google QUIC with TLS 99 (T099) + GQUIC_VERSION_T099=0x54303939, + + //Google Proxied QUIC + PQUIC_VERSION_PROX=0x50524f58, + + //quic-go + QUIC_GO_VERSION_00=0x51474F00, + QUIC_GO_VERSION_FF=0x51474FFF, + + //quicly + QUICLY_VERSION_00=0x91c17000, + QUICLY_VERSION_FF=0x91c170FF, + + //Microsoft + MSQUIC_VERSION_00=0xabcd0000, + MSQUIC_VERSION_0F=0xabcd000F, + + //Mozilla + MOZQUIC_VERSION_00=0xf123f0c0, + MOZQUIC_VERSION_0F=0xf123f0cF, + + //Facebook + MVFST_VERSION_00=0xfaceb000, + MVFST_VERSION_01=0xfaceb001, + MVFST_VERSION_02=0xfaceb002, + MVFST_VERSION_03=0xfaceb003, + MVFST_VERSION_04=0xfaceb004, + MVFST_VERSION_05=0xfaceb005, + MVFST_VERSION_06=0xfaceb006, + MVFST_VERSION_07=0xfaceb007, + MVFST_VERSION_08=0xfaceb008, + MVFST_VERSION_09=0xfaceb009, + MVFST_VERSION_0A=0xfaceb00A, + MVFST_VERSION_0B=0xfaceb00B, + MVFST_VERSION_0C=0xfaceb00C, + MVFST_VERSION_0D=0xfaceb00D, + MVFST_VERSION_0E=0xfaceb00E, + MVFST_VERSION_0F=0xfaceb00F, + + //IETF + IQUIC_VERSION_RFC9000=0x00000001, + IQUIC_VERSION_I001=0xFF000001, + IQUIC_VERSION_I002=0xFF000002, + IQUIC_VERSION_I003=0xFF000003, + IQUIC_VERSION_I004=0xFF000004, + IQUIC_VERSION_I005=0xFF000005, + IQUIC_VERSION_I006=0xFF000006, + IQUIC_VERSION_I007=0xFF000007, + IQUIC_VERSION_I008=0xFF000008, + IQUIC_VERSION_I009=0xFF000009, + IQUIC_VERSION_I010=0xFF00000A, + IQUIC_VERSION_I011=0xFF00000B, + IQUIC_VERSION_I012=0xFF00000C, + IQUIC_VERSION_I013=0xFF00000D, + IQUIC_VERSION_I014=0xFF00000E, + IQUIC_VERSION_I015=0xFF00000F, + IQUIC_VERSION_I016=0xFF000010, + IQUIC_VERSION_I017=0xFF000011, + IQUIC_VERSION_I018=0xFF000012, + IQUIC_VERSION_I019=0xFF000013, + IQUIC_VERSION_I020=0xFF000014, + IQUIC_VERSION_I021=0xFF000015, + IQUIC_VERSION_I022=0xFF000016, + IQUIC_VERSION_I023=0xFF000017, + IQUIC_VERSION_I024=0xFF000018, + IQUIC_VERSION_I025=0xFF000019, + IQUIC_VERSION_I026=0xFF00001A, + IQUIC_VERSION_I027=0xFF00001B, + IQUIC_VERSION_I028=0xFF00001C, + IQUIC_VERSION_I029=0xFF00001D, + IQUIC_VERSION_I030=0xFF00001E, + IQUIC_VERSION_I031=0xFF00001F, + IQUIC_VERSION_I032=0xFF000020 +}; + +enum _QUIC_VERSION app_identify_get_quic_protocol(int curdir_is_c2s, const unsigned char *payload, const int payload_len); +int app_identify_guess_openvpn(const unsigned char *payload, int payload_len, int c2s_pkt_cnt, int s2c_pkt_cnt, struct ovpn_ctx *ovpn, int l4_is_tcp, int curdir_is_c2s);
\ No newline at end of file diff --git a/decoders/glimpse_detector/libprotoident/CMakeLists.txt b/decoders/glimpse_detector/libprotoident/CMakeLists.txt new file mode 100644 index 0000000..98de411 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/CMakeLists.txt @@ -0,0 +1,36 @@ + +add_definitions(-D__FAVOR_BSD -DHAVE_NET_ETHERNET_H -DHAVE_ICMPHDR=1 -DHAVE_TCP_STATES=1 -DHAVE_BSD_UDPHDR=1 -DHAVE_BSD_TCPHDR=1) + +include_directories(${CMAKE_CURRENT_SOURCE_DIR}) + +file(GLOB UDP_SRC + "udp/*.c" + "udp/*.cpp" + "udp/*.cc" +) + +file(GLOB TCP_SRC + "tcp/*.c" + "tcp/*.cpp" + "tcp/*.cc" +) + +add_compile_options(-Wno-error=unused-parameter -Wno-error=unused-function) + +#add_library(udp_static STATIC ${UDP_SRC}) +#add_library(tcp_static STATIC ${TCP_SRC}) + + + +file(GLOB LPI_SRC + "*.c" + "*.cpp" + "*.cc" +) + +add_library(libprotoident ${LPI_SRC} ${UDP_SRC} ${TCP_SRC}) +#target_link_libraries(libprotoident udp_static tcp_static) +set_target_properties(libprotoident PROPERTIES LINK_FLAGS + "-Wl,--version-script=${CMAKE_CURRENT_SOURCE_DIR}/version.map") + +#install(TARGETS libprotoident LIBRARY DESTINATION ${CMAKE_INSTALL_PREFIX}/stellar_plugin COMPONENT LIBRARIES) diff --git a/decoders/glimpse_detector/libprotoident/libprotoident.cc b/decoders/glimpse_detector/libprotoident/libprotoident.cc new file mode 100644 index 0000000..f5baf58 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/libprotoident.cc @@ -0,0 +1,415 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#define __STDC_FORMAT_MACROS +#define __STDC_LIMIT_MACROS + +#include <stdio.h> +#include <assert.h> +//#include <libtrace.h> +#include <inttypes.h> +#include <sys/types.h> +#include <stdint.h> +#include <stdlib.h> +#include <signal.h> + +#include "libprotoident.h" +#include "proto_manager.h" + +bool init_called = false; +LPIModuleMap TCP_protocols; +LPIModuleMap UDP_protocols; + +lpi_module_t *lpi_icmp = NULL; +lpi_module_t *lpi_unsupported = NULL; +lpi_module_t *lpi_unknown_tcp = NULL; +lpi_module_t *lpi_unknown_udp = NULL; + +static LPINameMap lpi_names; +static LPIProtocolMap lpi_protocols; +static LPICategoryMap lpi_categories; +static LPICategoryProtocolMap lpi_category_protocols; + +int lpi_init_library(int level) { + + if (init_called) { + fprintf(stderr, "WARNING: lpi_init_library has already been called\n"); + return 0; + } + + if (register_tcp_protocols(&TCP_protocols) == -1) + return -1; + + if (register_udp_protocols(&UDP_protocols) == -1) + return -1; + + init_other_protocols(&lpi_names, &lpi_protocols, &lpi_category_protocols); + + register_names(&TCP_protocols, &lpi_names, &lpi_protocols, &lpi_category_protocols); + register_names(&UDP_protocols, &lpi_names, &lpi_protocols, &lpi_category_protocols); + + register_category_names(&lpi_categories); + + init_called = true; + + if (TCP_protocols.empty() && UDP_protocols.empty()) { + fprintf(stderr, "WARNING: No protocol modules loaded\n"); + return -1; + } + + + return 0; + +} + +void lpi_free_library() { + + free_protocols(&TCP_protocols); + free_protocols(&UDP_protocols); + + if (lpi_icmp != NULL) { + delete lpi_icmp; + lpi_icmp = NULL; + } + + if (lpi_unsupported != NULL) { + delete lpi_unsupported; + lpi_unsupported = NULL; + } + + if (lpi_unknown_tcp != NULL) { + delete lpi_unknown_tcp; + lpi_unknown_tcp = NULL; + } + + if (lpi_unknown_udp != NULL) { + delete lpi_unknown_udp; + lpi_unknown_udp = NULL; + } + + init_called = false; +} + +void lpi_init_data(lpi_data_t *data) { + + data->payload[0] = 0; + data->payload[1] = 0; + data->seen_syn[0] = false; + data->seen_syn[1] = false; + data->seqno[0] = 0; + data->seqno[1] = 0; + data->observed[0] = 0; + data->observed[1] = 0; + data->server_port = 0; + data->client_port = 0; + data->trans_proto = 0; + data->payload_len[0] = 0; + data->payload_len[1] = 0; + data->ips[0] = 0; + data->ips[1] = 0; + +} + + + +typedef enum { + TRACE_IPPROTO_IP = 0, /**< IP pseudo protocol number */ + TRACE_IPPROTO_ICMP = 1, /**< Internet Control Message protocol */ + TRACE_IPPROTO_IGMP = 2, /**< Internet Group Management Protocol */ + TRACE_IPPROTO_IPIP = 4, /**< IP encapsulated in IP */ + TRACE_IPPROTO_TCP = 6, /**< Transmission Control Protocol */ + TRACE_IPPROTO_UDP = 17, /**< User Datagram Protocol */ + TRACE_IPPROTO_IPV6 = 41, /**< IPv6 over IPv4 */ + TRACE_IPPROTO_ROUTING = 43, /**< IPv6 Routing header */ + TRACE_IPPROTO_FRAGMENT = 44, /**< IPv6 Fragmentation header */ + TRACE_IPPROTO_RSVP = 46, /**< Resource Reservation Protocol */ + TRACE_IPPROTO_GRE = 47, /**< General Routing Encapsulation */ + TRACE_IPPROTO_ESP = 50, /**< Encapsulated Security Payload [RFC2406] */ + TRACE_IPPROTO_AH = 51, /**< Authentication Header [RFC2402] */ + TRACE_IPPROTO_ICMPV6 = 58, /**< ICMPv6 */ + TRACE_IPPROTO_NONE = 59, /**< IPv6 no next header */ + TRACE_IPPROTO_DSTOPTS = 60, /**< IPv6 destination options */ + TRACE_IPPROTO_OSPF = 89, /**< Open Shortest Path First routing protocol */ + TRACE_IPPROTO_PIM = 103, /**< Protocol Independant Multicast */ + TRACE_IPPROTO_SCTP = 132 /**< Stream Control Transmission Protocol */ +} libtrace_ipproto_t; + + +static lpi_module_t *test_protocol_list(LPIModuleList *ml, lpi_data_t *data) { + + LPIModuleList::iterator l_it; + + /* Turns out naively looping through the modules is quicker + * than trying to do intelligent stuff with threads. Most + * callbacks complete very quickly so threading overhead is a + * major problem */ + for (l_it = ml->begin(); l_it != ml->end(); ++ l_it) { + lpi_module_t *module = *l_it; + + /* To save time, I'm going to break on the first successful + * match. A threaded version would wait for all the modules + * to run, storing all successful results in a list of some + * sort and selecting an appropriate result from there. + */ + + if (module->lpi_callback(data, module)) + return module; + + } + + return NULL; +} +static lpi_module_t *guess_protocol(LPIModuleMap *modmap, lpi_data_t *data) { + + lpi_module_t *proto = NULL; + + LPIModuleMap::iterator m_it; + + /* Deal with each priority in turn - want to match higher priority + * rules first. + */ + + for (m_it = modmap->begin(); m_it != modmap->end(); ++ m_it) { + LPIModuleList *ml = m_it->second; + + proto = test_protocol_list(ml, data); + + if (proto != NULL) + break; + } + + return proto; + +} + +lpi_module_t *lpi_guess_protocol(lpi_data_t *data) { + + lpi_module_t *p = NULL; + + if (!init_called) { + fprintf(stderr, "lpi_init_library was never called - cannot guess the protocol\n"); + return NULL; + } + + switch(data->trans_proto) { + case TRACE_IPPROTO_ICMP: + return lpi_icmp; + case TRACE_IPPROTO_TCP: + p = guess_protocol(&TCP_protocols, data); + if (p == NULL) + p = lpi_unknown_tcp; + return p; + + case TRACE_IPPROTO_UDP: + p = guess_protocol(&UDP_protocols, data); + if (p == NULL) + p = lpi_unknown_udp; + return p; + default: + return lpi_unsupported; + } + + + return p; +} + +lpi_category_t lpi_categorise(lpi_module_t *module) { + + if (module == NULL) + return LPI_CATEGORY_NO_CATEGORY; + + return module->category; + +} + +const char *lpi_print_category(lpi_category_t category) { + + switch(category) { + case LPI_CATEGORY_WEB: + return "Web"; + case LPI_CATEGORY_MAIL: + return "Mail"; + case LPI_CATEGORY_CHAT: + return "Chat"; + case LPI_CATEGORY_P2P: + return "P2P"; + case LPI_CATEGORY_P2P_STRUCTURE: + return "P2P_Structure"; + case LPI_CATEGORY_KEY_EXCHANGE: + return "Key_Exchange"; + case LPI_CATEGORY_ECOMMERCE: + return "ECommerce"; + case LPI_CATEGORY_GAMING: + return "Gaming"; + case LPI_CATEGORY_ENCRYPT: + return "Encryption"; + case LPI_CATEGORY_MONITORING: + return "Measurement"; + case LPI_CATEGORY_NEWS: + return "News"; + case LPI_CATEGORY_MALWARE: + return "Malware"; + case LPI_CATEGORY_SECURITY: + return "Security"; + case LPI_CATEGORY_ANTISPAM: + return "Antispam"; + case LPI_CATEGORY_VOIP: + return "VOIP"; + case LPI_CATEGORY_TUNNELLING: + return "Tunnelling"; + case LPI_CATEGORY_NAT: + return "NAT_Traversal"; + case LPI_CATEGORY_STREAMING: + return "Streaming"; + case LPI_CATEGORY_SERVICES: + return "Services"; + case LPI_CATEGORY_DATABASES: + return "Databases"; + case LPI_CATEGORY_FILES: + return "File_Transfer"; + case LPI_CATEGORY_REMOTE: + return "Remote_Access"; + case LPI_CATEGORY_TELCO: + return "Telco_Services"; + case LPI_CATEGORY_P2PTV: + return "P2PTV"; + case LPI_CATEGORY_RCS: + return "Revision_Control"; + case LPI_CATEGORY_LOGGING: + return "Logging"; + case LPI_CATEGORY_PRINTING: + return "Printing"; + case LPI_CATEGORY_TRANSLATION: + return "Translation"; + case LPI_CATEGORY_CDN: + return "CDN"; + case LPI_CATEGORY_CLOUD: + return "Cloud"; + case LPI_CATEGORY_NOTIFICATION: + return "Notification"; + case LPI_CATEGORY_SERIALISATION: + return "Serialisation"; + case LPI_CATEGORY_BROADCAST: + return "Broadcast"; + case LPI_CATEGORY_LOCATION: + return "Location"; + case LPI_CATEGORY_CACHING: + return "Caching"; + case LPI_CATEGORY_ICS: + return "ICS"; + case LPI_CATEGORY_MOBILE_APP: + return "Mobile App"; + case LPI_CATEGORY_IPCAMERAS: + return "IP Cameras"; + case LPI_CATEGORY_EDUCATIONAL: + return "Educational"; + case LPI_CATEGORY_MESSAGE_QUEUE: + return "Message_Queuing"; + case LPI_CATEGORY_ICMP: + return "ICMP"; + case LPI_CATEGORY_MIXED: + return "Mixed"; + case LPI_CATEGORY_NOPAYLOAD: + return "No_Payload"; + case LPI_CATEGORY_UNKNOWN: + return "Unknown"; + case LPI_CATEGORY_UNSUPPORTED: + return "Unsupported"; + case LPI_CATEGORY_NO_CATEGORY: + return "Uncategorised"; + case LPI_CATEGORY_LAST: + return "Invalid_Category"; + } + + return "Invalid_Category"; + +} + +const char *lpi_print(lpi_protocol_t proto) { + + LPINameMap::iterator it; + + it = lpi_names.find(proto); + + if (it == lpi_names.end()) { + return "NULL"; + } + return (it->second); + +} + +lpi_protocol_t lpi_get_protocol_by_name(char *name) { + + LPIProtocolMap::iterator it; + + it = lpi_protocols.find(name); + + if (it == lpi_protocols.end()) { + return LPI_PROTO_UNKNOWN; + } + + return (it->second); +} + +lpi_category_t lpi_get_category_by_name(char *name) { + + LPICategoryMap::iterator it; + + it = lpi_categories.find(name); + + if (it == lpi_categories.end()) { + return LPI_CATEGORY_UNKNOWN; + } + + return (it->second); +} + +lpi_category_t lpi_get_category_by_protocol(lpi_protocol_t protocol) { + + LPICategoryProtocolMap::iterator it; + + it = lpi_category_protocols.find(protocol); + + if (it == lpi_category_protocols.end()) { + return LPI_CATEGORY_UNKNOWN; + } + + return (it->second); +} + +bool lpi_is_protocol_inactive(lpi_protocol_t proto) { + + LPINameMap::iterator it; + + it = lpi_names.find(proto); + + if (it == lpi_names.end()) { + return true; + } + return false; + +} + diff --git a/decoders/glimpse_detector/libprotoident/libprotoident.h b/decoders/glimpse_detector/libprotoident/libprotoident.h new file mode 100644 index 0000000..500d26a --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/libprotoident.h @@ -0,0 +1,854 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + + +#ifndef LIBPROTOIDENT_H_ +#define LIBPROTOIDENT_H_ + +//#include <libtrace.h> +#include <pthread.h> +#include <list> +#include <stdint.h> +#include <netinet/in.h> + + +#if __GNUC__ >= 3 +#ifndef PRINTF +# define DEPRECATED __attribute__((deprecated)) +# define SIMPLE_FUNCTION __attribute__((pure)) +# define UNUSED __attribute__((unused)) +# define PACKED __attribute__((packed)) +# define PRINTF(formatpos,argpos) __attribute__((format(printf,formatpos,argpos))) +#endif +#else +#ifndef PRINTF +# define DEPRECATED +# define SIMPLE_FUNCTION +# define UNUSED +# define PACKED +# define PRINTF(formatpos,argpos) +#endif +#endif + +#define DEFAULT_MAXTHREADS 10 + +#ifdef __cplusplus +extern "C" { +#endif + +/* Protocol categories - most l7 protocols fall into a broader category that + * describes what they are used for, e.g. P2P, Web, Mail etc. + */ +typedef enum { + LPI_CATEGORY_WEB, /* HTTP-based protocols */ + LPI_CATEGORY_CHAT, /* Instant messaging and chatrooms */ + LPI_CATEGORY_MAIL, /* E-mail */ + LPI_CATEGORY_P2P, /* Peer-to-peer uploads and downloads */ + LPI_CATEGORY_P2P_STRUCTURE, /* Maintenance of P2P networks */ + LPI_CATEGORY_KEY_EXCHANGE, /* Protocols used to exchange and + manage cryptographic keys, e.g. + ISAKMP */ + LPI_CATEGORY_ECOMMERCE, /* Financial transaction protocols */ + LPI_CATEGORY_GAMING, /* Game protocols */ + LPI_CATEGORY_ENCRYPT, /* Encrypted traffic that is not + clearly part of another category */ + LPI_CATEGORY_MONITORING, /* Network measurement / monitoring */ + LPI_CATEGORY_NEWS, /* Newsgroup protocols, e.g. NNTP */ + LPI_CATEGORY_MALWARE, /* Viruses, trojans etc. */ + LPI_CATEGORY_SECURITY, /* Antivirus and firewall updates */ + LPI_CATEGORY_ANTISPAM, /* Anti-spam software update protocols + */ + LPI_CATEGORY_VOIP, /* Voice chat and Internet telephony + protocols */ + LPI_CATEGORY_TUNNELLING, /* Tunnelling protocols */ + LPI_CATEGORY_NAT, /* NAT traversal protocols */ + LPI_CATEGORY_STREAMING, /* Streaming media protocols */ + LPI_CATEGORY_SERVICES, /* Basic services, e.g. DNS, NTP */ + LPI_CATEGORY_DATABASES, /* Database remote access protocols */ + LPI_CATEGORY_FILES, /* Non-P2P file transfer protocols */ + LPI_CATEGORY_REMOTE, /* Remote access, e.g. SSH, telnet */ + LPI_CATEGORY_TELCO, /* Telco services aside from VOIP, e.g + SMS protocols */ + LPI_CATEGORY_P2PTV, /* P2P TV, e.g. PPLive */ + LPI_CATEGORY_RCS, /* Revision Control */ + LPI_CATEGORY_LOGGING, /* Logging */ + LPI_CATEGORY_PRINTING, /* Network printing */ + LPI_CATEGORY_TRANSLATION, /* Language translation */ + LPI_CATEGORY_CDN, /* CDN protocols, e.g. Akamai */ + LPI_CATEGORY_CLOUD, /* Cloud computing/storage protocols */ + LPI_CATEGORY_NOTIFICATION, /* Notification / messaging protocols */ + LPI_CATEGORY_SERIALISATION, /* Transfer of programming "objects" */ + LPI_CATEGORY_BROADCAST, /* Protocols usually broadcast to the + local network */ + LPI_CATEGORY_LOCATION, /* Location-related services / GPS */ + LPI_CATEGORY_CACHING, /* Proxy cache protocols and similar */ + LPI_CATEGORY_MOBILE_APP, /* Mobile apps that don't fit any + other category */ + LPI_CATEGORY_ICS, /* Industrial control system protocols */ + LPI_CATEGORY_IPCAMERAS, /* IP Surveillance Camera protocols */ + LPI_CATEGORY_MESSAGE_QUEUE, /* Message queuing protocols */ + LPI_CATEGORY_EDUCATIONAL, /* Educational applications, e.g. virtual + classrooms */ + LPI_CATEGORY_ICMP, /* ICMP */ + LPI_CATEGORY_MIXED, /* Different protos in each direction */ + LPI_CATEGORY_NOPAYLOAD, /* No payload observed */ + LPI_CATEGORY_UNSUPPORTED, /* Transport protocol unsupported */ + LPI_CATEGORY_UNKNOWN, /* Protocol could not be identified */ + LPI_CATEGORY_NO_CATEGORY, /* Protocol has not been placed into a + category yet */ + LPI_CATEGORY_LAST /* Must always be last */ +} lpi_category_t; + + +typedef enum { + /* TCP Protocols */ + LPI_PROTO_HTTP, + LPI_PROTO_SMTP, + LPI_PROTO_BITTORRENT, + LPI_PROTO_IRC, + LPI_PROTO_NCSOFT, /* NCSoft proprietary protocol */ + LPI_PROTO_DC, /* DirectConnect */ + LPI_PROTO_EMULE, + LPI_PROTO_GNUTELLA, + LPI_PROTO_SSH, + LPI_PROTO_HTTPS, + LPI_PROTO_RAZOR, /* Razor database updates */ + LPI_PROTO_POP3, + LPI_PROTO_SSL, /* SSL that isn't HTTPS */ + LPI_PROTO_MSN, + LPI_PROTO_DNS, + LPI_PROTO_IMAP, + LPI_PROTO_RTSP, + LPI_PROTO_ID, /* Identification protocol */ + LPI_PROTO_YAHOO, + LPI_PROTO_ICQ, + LPI_PROTO_TELNET, + LPI_PROTO_RDP, /* Windows remote desktop protocol */ + LPI_PROTO_TDS, /* MS SQL Server protocol */ + LPI_PROTO_RPC_SCAN, /* Port 135 exploit attempt */ + LPI_PROTO_SMB, /* Server Message Block protocol e.g. samba */ + LPI_PROTO_WARCRAFT3, + LPI_PROTO_ETRUST, /* Updates for the eTrust virus scanner */ + LPI_PROTO_FTP_CONTROL, /* FTP control e.g. port 21 or 2121 */ + LPI_PROTO_FTP_DATA, + LPI_PROTO_EYE, /* Yahoo Game Server Browser */ + LPI_PROTO_ARES, /* Ares peer-to-peer protocol */ + LPI_PROTO_NNTP, /* Newsfeeds */ + LPI_PROTO_NAPSTER, + LPI_PROTO_BNCS, /* Battle.net Chat Server */ + LPI_PROTO_RFB, /* Remote Frame Buffer protocol */ + LPI_PROTO_YAHOO_WEBCAM,/* Webcam over Yahoo Messenger */ + LPI_PROTO_ICA, /* Citrix ICA */ + LPI_PROTO_NETBIOS, + LPI_PROTO_KMS, /* Possibly a vista activation service */ + LPI_PROTO_MS_DS, + LPI_PROTO_SIP, /* Session Initiation Protocol*/ + LPI_PROTO_MZINGA, + LPI_PROTO_GOKUCHAT, + LPI_PROTO_XUNLEI, + LPI_PROTO_DXP, + LPI_PROTO_HAMACHI, + LPI_PROTO_BLIZZARD, + LPI_PROTO_MSNV, /* MSN Voice */ + LPI_PROTO_BITEXT, /* BitTorrent extensions */ + LPI_PROTO_MITGLIEDER, /* Mitglieder trojan */ + LPI_PROTO_TOR, /* TOR (The Onion Router) */ + LPI_PROTO_MYSQL, + LPI_PROTO_HTTP_TUNNEL, /* Tunnelling via HTTP */ + LPI_PROTO_RSYNC, + LPI_PROTO_NOTES_RPC, /* Lotus Notes RPC (Domino) */ + LPI_PROTO_AZUREUS, /* Azureus Extension */ + LPI_PROTO_PANDO, /* Pando P2P protocol */ + LPI_PROTO_FLASH, /* Flash Player specific behaviour */ + LPI_PROTO_STEAM, /* Steam TCP download, i.e. downloading games */ + LPI_PROTO_TRACKMANIA, /* Trackmania control protocol */ + LPI_PROTO_CONQUER, /* Conquer Online game */ + LPI_PROTO_RTMP, /* Adobe RTMP */ + LPI_PROTO_TIP, /* Transaction Internet Protocol */ + LPI_PROTO_NONSTANDARD_HTTP, /* HTTP on unconventional port numbers */ + LPI_PROTO_HARVEYS, /* Photo transfers for Harveys Real Estate */ + LPI_PROTO_SHOUTCAST, + LPI_PROTO_HTTP_BADPORT, /* HTTP over port 443, leading to failure */ + LPI_PROTO_POSTGRESQL, /* Postgresql protocol */ + LPI_PROTO_WOW, /* World of Warcraft */ + LPI_PROTO_M4U, /* Message4U (Aus SMS service) */ + LPI_PROTO_RBLS, /* Realtime Block List updates */ + LPI_PROTO_OPENVPN, + LPI_PROTO_TELECOMKEY, /* Proto used to talk to telecomkey.com */ + LPI_PROTO_IMAPS, /* IMAP over SSL */ + LPI_PROTO_MSNC, /* MSN Client Protocol */ + LPI_PROTO_YAHOO_ERROR, /* Yahoo method of dealing with HTTP errors */ + LPI_PROTO_IMESH, /* iMesh */ + LPI_PROTO_PPTP, /* MS Tunnelling protocol */ + LPI_PROTO_AFP, /* Apple Filing Protocol */ + LPI_PROTO_PDBOX, /* Korean P2P TV protocol */ + LPI_PROTO_EA_GAMES, /* EA Games protocol */ + LPI_PROTO_ZYNGA, /* Protocol used by Zynga games */ + LPI_PROTO_CLUBBOX, /* Another Korean file sharing protocol */ + LPI_PROTO_WINMX, /* WinMX */ + LPI_PROTO_INVALID_BT, /* Bittorrent in one direction but not other */ + LPI_PROTO_WEBLOGIC, /* Weblogic server */ + LPI_PROTO_INVALID_HTTP, /* HTTP server sending raw HTML */ + LPI_PROTO_COD_WAW, /* Call of Duty: World at War TCP */ + LPI_PROTO_MP2P, + LPI_PROTO_SVN, + LPI_PROTO_SOCKS5, + LPI_PROTO_SOCKS4, + LPI_PROTO_INVALID_SMTP, + LPI_PROTO_MMS, /* Microsoft Media Server */ + LPI_PROTO_CISCO_VPN, /* Cisco VPN protocol */ + LPI_PROTO_WEB_JUNK, /* Clients communicating with web servers + using non-HTTP */ + LPI_PROTO_CVS, + LPI_PROTO_LDAP, /* LDAP */ + LPI_PROTO_INVALID_POP3, /* POP commands send to an SMTP server */ + LPI_PROTO_TEAMVIEWER, + LPI_PROTO_XMPP, /* a.k.a. Jabber */ + LPI_PROTO_SECONDLIFE, /* SecondLife over TCP */ + LPI_PROTO_KASEYA, + LPI_PROTO_KASPERSKY, + LPI_PROTO_JEDI, /* Citrix Jedi */ + LPI_PROTO_CGP, /* Citrix CGP */ + LPI_PROTO_YOUKU, + LPI_PROTO_STUN, + LPI_PROTO_XYMON, + LPI_PROTO_MUNIN, + LPI_PROTO_TROJAN_WIN32_GENERIC_SB, + LPI_PROTO_PALTALK, + LPI_PROTO_ZABBIX, + LPI_PROTO_AKAMAI, + LPI_PROTO_GAMESPY, + LPI_PROTO_WUALA, + LPI_PROTO_TROJAN_ZEROACCESS, + LPI_PROTO_DVRNS, + LPI_PROTO_CHATANGO, + LPI_PROTO_OMEGLE, + LPI_PROTO_TELNET_EXPLOIT, + LPI_PROTO_POP3S, /* POP3 over TLS/SSL */ + LPI_PROTO_PSN_STORE, + LPI_PROTO_SKYPE_TCP, /* Skype TCP sessions */ + LPI_PROTO_APPLE_PUSH, /* Apple push notifications */ + LPI_PROTO_XMPPS, /* XMPP over TLS/SSL */ + LPI_PROTO_SMTPS, /* Legacy Secure SMTP */ + LPI_PROTO_NNTPS, /* NNTP over TLS/SSL */ + LPI_PROTO_JAVA, /* Serialised Java Objects */ + LPI_PROTO_IPOP, /* IP over P2P */ + LPI_PROTO_SPOTIFY, + LPI_PROTO_RUNESCAPE, + LPI_PROTO_WHOIS, + LPI_PROTO_VIBER, + LPI_PROTO_FRING, + LPI_PROTO_PALRINGO, + LPI_PROTO_CRYPTIC, /* Games by Cryptic */ + LPI_PROTO_SUPL, + LPI_PROTO_MINECRAFT, + LPI_PROTO_TPKT, + LPI_PROTO_QVOD, + LPI_PROTO_KIK, + LPI_PROTO_WHATSAPP, + LPI_PROTO_WECHAT, + LPI_PROTO_FUNSHION, + LPI_PROTO_BTSYNC, + LPI_PROTO_SPEEDTEST, + LPI_PROTO_GIT, + LPI_PROTO_DUELING_NETWORK, + LPI_PROTO_LINE, + LPI_PROTO_AMP, + LPI_PROTO_SPDY, + LPI_PROTO_YAHOO_GAMES, + LPI_PROTO_DELL_BACKUP, + LPI_PROTO_REVOLVER_NBLBT, + LPI_PROTO_CRASHPLAN, + LPI_PROTO_CLASH_OF_CLANS, + LPI_PROTO_TRION, + LPI_PROTO_MONGO, + LPI_PROTO_LLP2P, + LPI_PROTO_HEARTHSTONE, + LPI_PROTO_DIABLO3, + LPI_PROTO_CACAOWEB, + LPI_PROTO_TAOBAO, /* Custom protocol seen on Taobao CDN */ + LPI_PROTO_TERA, + LPI_PROTO_SILKROADONLINE, /* Korean MMO */ + LPI_PROTO_GOOGLE_HANGOUTS, + LPI_PROTO_HOLA, + LPI_PROTO_GUILDWARS2, + LPI_PROTO_QQ, + LPI_PROTO_TETRISONLINE, + LPI_PROTO_TWITCH_IRC, /* IRC specific to twitch.tv */ + LPI_PROTO_QQLIVE, + LPI_PROTO_TENCENT_GAMES, /* Games operated by Tencent */ + LPI_PROTO_VODLOCKER, + LPI_PROTO_TELEGRAM, + LPI_PROTO_XUNLEI_ACCEL, + LPI_PROTO_360SAFEGUARD, /* Chinese anti-virus */ + LPI_PROTO_NORTON_BACKUP, + LPI_PROTO_BADBAIDU, /* Weird 1 byte flows from Baidu browser */ + LPI_PROTO_KAKAO, + LPI_PROTO_WEIBO, + LPI_PROTO_TENSAFE, + LPI_PROTO_KANKAN, + LPI_PROTO_AIRDROID, + LPI_PROTO_KUAIBO, + LPI_PROTO_DIANPING, + LPI_PROTO_XIAMI, + LPI_PROTO_QQDOWNLOAD, + LPI_PROTO_ZERO_FACEBOOK, + LPI_PROTO_FINALFANTASY_XIV, + LPI_PROTO_FACEBOOK_MESSENGER, + LPI_PROTO_YY, + LPI_PROTO_NETCAT_CCTV, + LPI_PROTO_ZOOM, + LPI_PROTO_S7COMM, + LPI_PROTO_MAXICLOUD, + LPI_PROTO_GLUPTEBA, + LPI_PROTO_WNS, + LPI_PROTO_PANDATV, + LPI_PROTO_FACEBOOK_TURN, + LPI_PROTO_DESTINY, + LPI_PROTO_QCLOUD_ILVB, + LPI_PROTO_BITCOIN, + LPI_PROTO_LIFEFORGE, + LPI_PROTO_ACESTREAM, + LPI_PROTO_MAPLESTORY_CHINA, + LPI_PROTO_NDT_TPUT, + LPI_PROTO_RELAY, + LPI_PROTO_DOUYU, + LPI_PROTO_IDRIVE_SYNC, + LPI_PROTO_TWITCASTING, + LPI_PROTO_THE_DIVISION, + LPI_PROTO_BLACKDESERT, + LPI_PROTO_REALVNC, + LPI_PROTO_DOGECOIN, + LPI_PROTO_FUCKCOIN, + LPI_PROTO_OURWORLD, + LPI_PROTO_GRAAL_ONLINE_ERA, + LPI_PROTO_APPEAR_IN, + LPI_PROTO_VAINGLORY, + LPI_PROTO_WEIQI, + LPI_PROTO_4D, + LPI_PROTO_TANKIX, + LPI_PROTO_IPSHARKK, + LPI_PROTO_NET_MFP, + LPI_PROTO_SPEEDIN, + LPI_PROTO_CROSSFIRE, + LPI_PROTO_DASH, + LPI_PROTO_AIRMEDIA, + LPI_PROTO_GIOP, + LPI_PROTO_VPN_UNLIMITED, + LPI_PROTO_TENFIVECOIN, + LPI_PROTO_BAOFENG, + LPI_PROTO_TALESRUNNER, + LPI_PROTO_ANTCOIN, + LPI_PROTO_FBCDN_SSL, + LPI_PROTO_SAPROUTER, + LPI_PROTO_FLIGGY, + LPI_PROTO_SMITE, + LPI_PROTO_VPNROBOT, + LPI_PROTO_VMWARE, + LPI_PROTO_DOUYU_CHAT, + LPI_PROTO_JX3ONLINE, + LPI_PROTO_LITECOIN, + LPI_PROTO_STRATUM, + LPI_PROTO_WIZARD101, + LPI_PROTO_KINGOFGLORY, + LPI_PROTO_SAS_ZOMBIE_ASSAULT_4, + LPI_PROTO_DNF, + LPI_PROTO_IHEXIN, + LPI_PROTO_NAVER_P2P, + LPI_PROTO_GCAFE_UPDATER, + LPI_PROTO_BWSYNC, + LPI_PROTO_TANKIONLINE, + LPI_PROTO_REALMOFTHEMADGOD, + LPI_PROTO_PATHOFEXILE, + LPI_PROTO_SSJJ, + LPI_PROTO_SPEEDIFY, + LPI_PROTO_NSQ, + LPI_PROTO_SKYFORGE, + LPI_PROTO_HOTS, + LPI_PROTO_NOMACHINE, + LPI_PROTO_QQSPEEDMOBILE, + LPI_PROTO_DAHUA, + LPI_PROTO_UTHERVERSE, + LPI_PROTO_300_HEROES, + LPI_PROTO_FILENORI, + LPI_PROTO_IPFS, + LPI_PROTO_REMOTE_MANIPULATOR, + LPI_PROTO_WEBEX_STUN, + LPI_PROTO_RRTV, + LPI_PROTO_RABBITMQ, + LPI_PROTO_ICEP, + LPI_PROTO_BEAM, + LPI_PROTO_VHDP2P, + LPI_PROTO_CLASSIN, + LPI_PROTO_TRANSOCKS, + LPI_PROTO_RAGNAROK_ONLINE, + LPI_PROTO_ETHERNETIP, + + /* UDP Protocols */ + LPI_PROTO_UDP, + LPI_PROTO_UDP_SIP, + LPI_PROTO_UDP_BTDHT, + LPI_PROTO_UDP_GNUTELLA, + LPI_PROTO_UDP_DNS, + LPI_PROTO_UDP_DHCP, + LPI_PROTO_UDP_QUAKE, + LPI_PROTO_UDP_STEAM, + LPI_PROTO_UDP_STEAM_FRIENDS, + LPI_PROTO_UDP_STEAM_INHOMEBROADCAST, + LPI_PROTO_UDP_WIN_MESSAGE, + LPI_PROTO_UDP_GAMESPY, + LPI_PROTO_UDP_EMULE, + LPI_PROTO_UDP_EYE, + LPI_PROTO_UDP_RTP, + LPI_PROTO_UDP_ETHERNETIP, + LPI_PROTO_UDP_CIP_IO, /* Common industrial protocol IO */ + LPI_PROTO_UDP_MSN_VIDEO, + LPI_PROTO_UDP_COD, /* Call of Duty game protocol */ + LPI_PROTO_UDP_NTP, + LPI_PROTO_UDP_MP2P, /* MP2P protocol (Piolet, Manolito etc.) */ + LPI_PROTO_UDP_SPAMFIGHTER, /* SpamFighter */ + LPI_PROTO_UDP_TRACEROUTE, + LPI_PROTO_UDP_SECONDLIFE, + LPI_PROTO_UDP_HL, /* Halflife, includes derivatives such as + * CounterStrike and Garry's Mod */ + LPI_PROTO_UDP_XLSP, /* XLSP - Xbox Live */ + LPI_PROTO_UDP_DEMONWARE, /* Company that does game networking */ + LPI_PROTO_UDP_IMESH, /* iMesh */ + LPI_PROTO_UDP_OPASERV, /* Opaserv worm */ + LPI_PROTO_UDP_STUN, /* STUN NAT traversal */ + LPI_PROTO_UDP_SQLEXP, /* MS SQL Server worm, called SQLExp */ + LPI_PROTO_UDP_MSN_CACHE, /* MSN cache callback protocol */ + LPI_PROTO_UDP_DIABLO2, /* Diablo 2 game protocol */ + LPI_PROTO_UDP_IPV6, /* IPv6 tunnelled directly over UDP */ + LPI_PROTO_UDP_ORBIT, /* Orbit downloader */ + LPI_PROTO_UDP_TEREDO, + LPI_PROTO_UDP_KADEMLIA, /* Unknown flavour of kademlia */ + LPI_PROTO_UDP_PANDO, /* Pando DHT and Peer Exchange */ + LPI_PROTO_UDP_ESP, /* ESP/IPSec encapsulated in UDP */ + LPI_PROTO_UDP_PSN, /* Playstation Network */ + LPI_PROTO_UDP_REAL, /* RDT - the Real Data Transport protocol */ + LPI_PROTO_UDP_GNUTELLA2, /* Gnutella2 */ + LPI_PROTO_UDP_PYZOR, /* Python implementation of Razor */ + LPI_PROTO_UDP_SKYPE, + LPI_PROTO_UDP_ISAKMP, /* ref: RFC 2408 */ + LPI_PROTO_UDP_SNMP, + LPI_PROTO_UDP_BACKWEB, /* BackWeb Polite Protocol */ + LPI_PROTO_UDP_STARCRAFT, + LPI_PROTO_UDP_XFIRE_P2P, /* Xfire P2P protocol */ + LPI_PROTO_UDP_THQ, /* Protocol used by THQ games */ + LPI_PROTO_UDP_NEWERTH, /* Heroes of Newerth */ + LPI_PROTO_UDP_LINKPROOF, /* Linkproof device packets */ + LPI_PROTO_UDP_WORM_22105, /* Chinese worm that uses port 22105 */ + LPI_PROTO_UDP_QQ, /* Tencent QQ */ + LPI_PROTO_UDP_SLP, /* Service Location Protocol, RFC 2608 */ + LPI_PROTO_UDP_ESO, /* Games using Ensemble Studios Online */ + LPI_PROTO_UDP_SSDP, + LPI_PROTO_UDP_NETBIOS, /* Netbios lookup */ + LPI_PROTO_UDP_CP_RDP, /* Checkpoint RDP */ + LPI_PROTO_UDP_VENTRILO, /* Ventrilo VoiceChat */ + LPI_PROTO_UDP_MTA, /* Multitheftauto */ + LPI_PROTO_UDP_PPLIVE, + LPI_PROTO_UDP_JEDI_ACADEMY, /* Jedi Academy game */ + LPI_PROTO_UDP_MOH, /* Medal of Honor game */ + LPI_PROTO_UDP_TREMULOUS, /* Tremulous - free OSS FPS */ + LPI_PROTO_UDP_VIVOX, /* Vivox voice chat */ + LPI_PROTO_UDP_IPMSG, /* IPMsg messenger */ + LPI_PROTO_UDP_TEAMSPEAK, + LPI_PROTO_UDP_DC, /* DirectConnect UDP commands */ + LPI_PROTO_UDP_FREECHAL, /* FreeChal P2P */ + LPI_PROTO_UDP_XUNLEI, + LPI_PROTO_UDP_KAZAA, + LPI_PROTO_UDP_NORTON, /* Norton Antivirus probe */ + LPI_PROTO_UDP_CISCO_VPN, /* Cisco VPN (port 10000) */ + LPI_PROTO_UDP_RTCP, + LPI_PROTO_UDP_UNREAL, /* Unreal server query protocol */ + LPI_PROTO_UDP_TFTP, + LPI_PROTO_UDP_GARENA, /* A gaming platform */ + LPI_PROTO_UDP_PPSTREAM, /* PPStream - Chinese P2PTV */ + LPI_PROTO_UDP_FORTINET, /* Fortinet update protocol */ + LPI_PROTO_UDP_TVANTS, /* TVants P2PTV - no longer active */ + LPI_PROTO_UDP_STORM_WORM, + LPI_PROTO_UDP_BATTLEFIELD, /* Battlefield series of games */ + LPI_PROTO_UDP_SOPCAST, + LPI_PROTO_UDP_SERIALNUMBERD, + LPI_PROTO_UDP_LDAP_AD, + LPI_PROTO_UDP_RTMFP, + LPI_PROTO_UDP_L2TP, + LPI_PROTO_UDP_SYSLOG, + LPI_PROTO_UDP_AKAMAI, + LPI_PROTO_UDP_RADIUS, + LPI_PROTO_UDP_HAMACHI, + LPI_PROTO_UDP_BJNP, /* Canon BJNP printing protocol */ + LPI_PROTO_UDP_KASPERSKY, + LPI_PROTO_UDP_GSM, + LPI_PROTO_UDP_JEDI, /* Citrix Jedi */ + LPI_PROTO_UDP_YOUKU, + LPI_PROTO_UDP_YOUDAO_DICT, + LPI_PROTO_UDP_DRIVESHARE, + LPI_PROTO_UDP_CIRN, /* Carpathia Intelligent Routing Network */ + LPI_PROTO_UDP_NEVERWINTER, + LPI_PROTO_UDP_QQLIVE, + LPI_PROTO_UDP_TEAMVIEWER, + LPI_PROTO_UDP_ARES, + LPI_PROTO_UDP_EPSON, + LPI_PROTO_UDP_AKAMAI_TRANSFER, + LPI_PROTO_UDP_DCC, + LPI_PROTO_UDP_AMANDA, + LPI_PROTO_UDP_NETFLOW, + LPI_PROTO_UDP_ZEROACCESS, + LPI_PROTO_UDP_VXWORKS_EXPLOIT, + LPI_PROTO_UDP_APPLE_FACETIME_INIT, + LPI_PROTO_UDP_STEAM_LOCALBROADCAST, + /* ^Protocol used by Steam to discover clients on the local network */ + LPI_PROTO_UDP_LANSYNC, /* LANSync, used by DropBox */ + LPI_PROTO_UDP_BTSYNC, + LPI_PROTO_UDP_MSOFFICE_MAC, /* MS Office for Mac anti-piracy */ + LPI_PROTO_UDP_SPOTIFY_BROADCAST, + LPI_PROTO_UDP_MDNS, /* Multicast DNS */ + LPI_PROTO_UDP_FASP, + LPI_PROTO_UDP_RAKNET, + LPI_PROTO_UDP_OPENVPN, + LPI_PROTO_UDP_NOE, /* Alcatel's New Office Environment */ + LPI_PROTO_UDP_VIBER, + LPI_PROTO_UDP_DTLS, + LPI_PROTO_UDP_ICP, + LPI_PROTO_UDP_LOL, /* League of Legends */ + LPI_PROTO_UDP_SANANDREAS, /* San Andreas Multiplayer */ + LPI_PROTO_UDP_MFNP, /* Canon MFNP Printer protocol */ + LPI_PROTO_UDP_FUNSHION, + LPI_PROTO_UDP_QUIC, + LPI_PROTO_UDP_AVAST_DNS, + LPI_PROTO_UDP_DB2, + LPI_PROTO_UDP_NATPMP, + LPI_PROTO_UDP_GPRS_TUNNEL, + LPI_PROTO_UDP_WECHAT, + LPI_PROTO_UDP_NOCTION, + LPI_PROTO_UDP_ARMA_SERVER, /* Includes DayZ */ + LPI_PROTO_UDP_PLANETSIDE2, + LPI_PROTO_UDP_RWTH_AACHEN, /* RWTH-Aachen University research */ + LPI_PROTO_UDP_BMDP, /* Part of Microsoft ADS */ + LPI_PROTO_UDP_DOTA2, + LPI_PROTO_UDP_LINE, + LPI_PROTO_UDP_ZOOM, + LPI_PROTO_UDP_HEROES_GENERALS, /* Heroes and Generals */ + LPI_PROTO_UDP_WARTHUNDER, + LPI_PROTO_UDP_H1Z1, + LPI_PROTO_UDP_CS_GLOBAL_OFFENSIVE, + LPI_PROTO_UDP_NTP_REFLECT, /* NTP reflection attack */ + LPI_PROTO_UDP_PUNKBUSTER, + LPI_PROTO_UDP_ROBOCRAFT, + LPI_PROTO_UDP_CISCO_SSLVPN, + LPI_PROTO_UDP_ACERCLOUD, + LPI_PROTO_UDP_360CN, + LPI_PROTO_UDP_WOLF_ET, + LPI_PROTO_UDP_KUGOU, + LPI_PROTO_UDP_XUNLEI_JSQ, + LPI_PROTO_UDP_KANKAN, + LPI_PROTO_UDP_QQPCMGR, + LPI_PROTO_UDP_DIANPING, + LPI_PROTO_UDP_XUNYOU, + LPI_PROTO_UDP_FORTICLIENT_SSLVPN, + LPI_PROTO_UDP_DISCORD, + LPI_PROTO_UDP_NETCORE, + LPI_PROTO_UDP_ARMA3_SERVER, + LPI_PROTO_UDP_BAIDU_YUN_P2P, + LPI_PROTO_UDP_YY, + LPI_PROTO_UDP_OVERWATCH, + LPI_PROTO_UDP_BACNET, + LPI_PROTO_UDP_ARK_SURVIVAL, + LPI_PROTO_UDP_360P2P, + LPI_PROTO_UDP_PORTMAP_RPC, + LPI_PROTO_UDP_NINTENDO, + LPI_PROTO_UDP_CHIVALRY, + LPI_PROTO_UDP_DOYO, + LPI_PROTO_UDP_NETCAT_CCTV, + LPI_PROTO_UDP_N2PING, + LPI_PROTO_UDP_RAMSEY_DASH, + LPI_PROTO_UDP_UBISOFT_GAMES, + LPI_PROTO_UDP_THE_CREW, + LPI_PROTO_UDP_TURBOVPN, + LPI_PROTO_UDP_GEARSOFWAR, + LPI_PROTO_UDP_RDP, + LPI_PROTO_UDP_HOTS, + LPI_PROTO_UDP_VPNMASTER, + LPI_PROTO_UDP_DIANSHIJIA, + LPI_PROTO_UDP_PS4_REMOTEPLAY, + LPI_PROTO_UDP_STARCITIZEN, + LPI_PROTO_UDP_WEBEX, + LPI_PROTO_UDP_HALO_ONLINE, + LPI_PROTO_UDP_GOTOMEETING, + LPI_PROTO_UDP_CROSSOUT, + LPI_PROTO_UDP_UMEYE, + LPI_PROTO_UDP_RISING_STORM, + LPI_PROTO_UDP_CROSSFIRE, + LPI_PROTO_UDP_MERAKICLOUD, + LPI_PROTO_UDP_SNAPVPN, + LPI_PROTO_UDP_DAHUA, + LPI_PROTO_UDP_STARLEAF, + LPI_PROTO_UDP_FOSCAM, + LPI_PROTO_UDP_DESTINY, + LPI_PROTO_UDP_BAOFENG, + LPI_PROTO_UDP_TORCHLIGHT2, + LPI_PROTO_UDP_SMITE, + LPI_PROTO_UDP_COUNTERSTRIKE_16, + LPI_PROTO_UDP_VPNROBOT, + LPI_PROTO_UDP_TF2, + LPI_PROTO_UDP_GANGSOFSPACE, + LPI_PROTO_UDP_COMBATARMS, + LPI_PROTO_UDP_COMBATARMS_P2P, + LPI_PROTO_UDP_PANIPANI, + LPI_PROTO_UDP_FEITWO, + LPI_PROTO_UDP_MOONHUNTERS, + LPI_PROTO_UDP_HELIBORNE, + LPI_PROTO_UDP_KINGOFGLORY, + LPI_PROTO_UDP_ASSETTO_CORSA, + LPI_PROTO_UDP_CACAOWEB, + LPI_PROTO_UDP_ZALO_CALL, + LPI_PROTO_UDP_PALADINS, + LPI_PROTO_UDP_CHARGEN_EXPLOIT, + LPI_PROTO_UDP_TOX, + LPI_PROTO_UDP_HOLLA, + LPI_PROTO_UDP_RRSHARE, + LPI_PROTO_UDP_QQSPEEDMOBILE, + LPI_PROTO_UDP_LOADOUT, + LPI_PROTO_UDP_GANGLIA, + LPI_PROTO_UDP_TALESRUNNER, + LPI_PROTO_UDP_FREEFIRE, + LPI_PROTO_UDP_HEROES_EVOLVED, + LPI_PROTO_UDP_RULES_OF_SURVIVAL, + LPI_PROTO_UDP_CONTRACT_WARS, + LPI_PROTO_UDP_ARD, + LPI_PROTO_UDP_QVOD, + LPI_PROTO_UDP_YUANFUDAO, + LPI_PROTO_UDP_ROCKET_LEAGUE, + LPI_PROTO_UDP_CLOUDFLARE_WARP, + LPI_PROTO_UDP_WIREGUARD, + LPI_PROTO_UDP_COD_MOBILE, + LPI_PROTO_UDP_NVIDIA_GAMESTREAM, + LPI_PROTO_UDP_CLASSIN, + LPI_PROTO_UDP_ARTCP, + + /* Patterns that we can match, but do not know the protocol */ + LPI_PROTO_REJECTION, /* All responses are 0x02 */ + LPI_PROTO_MYSTERY_9000, /* Occurs on tcp port 9000 */ + LPI_PROTO_MYSTERY_PSPR, + LPI_PROTO_MYSTERY_8000, + LPI_PROTO_MYSTERY_IG, + LPI_PROTO_MYSTERY_CONN, + LPI_PROTO_MYSTERY_SYMANTEC, + LPI_PROTO_MYSTERY_RXXF, + + LPI_PROTO_UDP_MYSTERY_0D, + LPI_PROTO_UDP_MYSTERY_99, + LPI_PROTO_UDP_MYSTERY_8000, + LPI_PROTO_UDP_MYSTERY_45, + LPI_PROTO_UDP_MYSTERY_0660, + LPI_PROTO_UDP_MYSTERY_E9, + LPI_PROTO_UDP_MYSTERY_QQ, + LPI_PROTO_UDP_MYSTERY_61_72, + LPI_PROTO_UDP_MYSTERY_05, + + LPI_PROTO_ICMP, + + LPI_PROTO_INVALID, /* No single valid protocol */ + LPI_PROTO_NO_PAYLOAD, + LPI_PROTO_NO_FIRSTPKT, + LPI_PROTO_UNSUPPORTED, + LPI_PROTO_UNKNOWN, + + LPI_PROTO_TCP_LDAP_AD, + LPI_PROTO_LAST /** ALWAYS have this as the last value */ +} lpi_protocol_t; + +/* This structure stores all the data needed by libprotoident to identify the + * application protocol for a flow. Do not change the contents of this struct + * directly - lpi_update_data() will do that for you - but reading the values + * should be ok. */ +typedef struct lpi { + uint32_t payload[2]; + bool seen_syn[2]; + uint32_t seqno[2]; + uint32_t observed[2]; + uint16_t server_port; + uint16_t client_port; + uint8_t trans_proto; + uint32_t payload_len[2]; + uint32_t ips[2]; +} lpi_data_t; + +typedef struct lpi_module lpi_module_t; + +/* This structure describes an individual LPI module - i.e. a protocol + * supported by libprotoident */ +struct lpi_module { + lpi_protocol_t protocol; /* The protocol ID */ + lpi_category_t category; /* The category for this protocol */ + const char *name; /* The protocol name, as a string */ + uint8_t priority; /* The relative priority for matching + this protocol */ + + /* The callback function for testing whether a given set of LPI + * data matches the ruleset for this protocol */ + bool (*lpi_callback) (lpi_data_t *proto_d, lpi_module_t *module); + +}; + +typedef std::list<lpi_module_t *> ProtoMatchList; + +typedef struct lpi_thread { + int index; + lpi_module_t *module; + lpi_data_t *data; + bool result; +} lpi_thread_t; + +typedef std::list<pthread_t> ThreadList; + +/* Initialises the LPI library, by registering all the protocol modules. + * + * @return 0 if initialisation succeeded, -1 otherwise + */ +int lpi_init_library(int level); + +/* Shuts down the LPI library, by de-registering all the protocol modules */ +void lpi_free_library(void); + +/** Initialises an LPI data structure, setting all the members to appropriate + * starting values. + * + * @param data The LPI data structure to be initialised. + */ +void lpi_init_data(lpi_data_t *data); + +/** Updates the LPI data structure based on the contents of the packet + * provided. + * + * @note The direction must be provided by the caller, as we cannot rely + * on trace_get_direction(). + * + * @param packet The packet to update the LPI data from. + * @param data The LPI data structure to be updated. + * @param dir The direction of the packet - 0 is outgoing, 1 is incoming. + * + * @return 0 if the packet was ignored, 1 if the LPI data was updated. + */ +int lpi_update_dpkt(lpi_data_t *data, struct streaminfo *pstream, + const char *scan_data, int scan_data_len, char tsproto, uint32_t plseq, + uint32_t _curdir); + +/** Returns a unique string describing the provided protocol. + * + * This is essentially a protocol-to-string conversion function. + * + * @param proto The protocol that a string representation is required for. + * + * @return A pointer to a statically allocated string describing the protocol. + * This is allocated on the stack, so should be used or copied immediately. + */ +const char *lpi_print(lpi_protocol_t proto); + +/** Given a protocol, returns the category that it matches. + * + * @param proto The protocol that a category is required for. + * + * @return The category that the protocol belongs to. + */ +lpi_category_t lpi_categorise(lpi_module_t *proto); + +/** Returns a unique string describing the provided category. + * + * This is essentially a category-to-string conversion function. + * + * @param category The category that a string representation is required for. + * + * @return A pointer to a statically allocated string describing the category. + * This is allocated on the stack, so should be used or copied immediately. + */ +const char *lpi_print_category(lpi_category_t category); + +/** Using the provided data, attempts to determine the L7 protocol being used + * by that flow. + * + * @param data The LPI data to use when determining the protocol. + * + * @return The LPI module for the protocol that matches the profile described + * by the given LPI data. If no protocol matches, the module for either + * LPI_UNKNOWN or LPI_UNKNOWN_UDP will be returned, depending on the transport + * protocol. + */ +lpi_module_t *lpi_guess_protocol(lpi_data_t *data); + +/** Given the protocol name, returns the lpi protcol it matches. + * + * @param name The protocol name + * + * @returns The LPI protocol for the supplied name. + * LPI_PROTO_UNKNOWN if the name is not found. + */ +lpi_protocol_t lpi_get_protocol_by_name(char *name); + +/* Give the category name, returns the lpi category it matches. + * + * @param name The protocol name + * + * @returns the LPI category for the supplied name on success. + * LPI_CATEGORY_UNKNOWN if the name is not found. + */ +lpi_category_t lpi_get_category_by_name(char *name); + +/* Given the lpi protocol, returns the lpi category it matches. + * + * @param protocol The lpi protocol + * + * @returns the lpi category for the supplied lpi protocol. + * LPI_CATEGORY_UNKNOWN if the category is not found. + */ +lpi_category_t lpi_get_category_by_protocol(lpi_protocol_t protocol); + +/** Determines whether the protocol matching a given protocol number is no + * longer supported by libprotoident. + * + * @param proto The protocol to check + * + * @return true if the protocol is no longer supported, false otherwise. + * + * Some protocols are no longer supported by libprotoident, either because + * the rules were found to be producing too many false positives or the + * protocol has been merged with another existing protocol (especially in the + * case of mystery protocols). When these cases occur, we don't necessarily + * remove the protocol from the enumerated type list, just disable the module + * and set the name string for the protocol to "NULL". + * + * This function allows the caller to check if a given protocol value has + * been disabled. This is often handy when reporting stats for all the + * protocol values (see lpi_live for an example), as ideally you would want + * to avoid reporting anything for the NULL protocols. + */ +bool lpi_is_protocol_inactive(lpi_protocol_t proto); +#ifdef __cplusplus +} +#endif +#endif diff --git a/decoders/glimpse_detector/libprotoident/proto_common.cc b/decoders/glimpse_detector/libprotoident/proto_common.cc new file mode 100644 index 0000000..3fca68c --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/proto_common.cc @@ -0,0 +1,867 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#ifdef __APPLE__ +#include <libkern/OSByteOrder.h> +#define bswap32 OSSwapInt32 +#endif + +#ifdef __FreeBSD__ +#include <sys/endian.h> +#endif + +#ifdef __linux__ +#include <byteswap.h> +#define bswap32 __bswap_32 +#endif + +#include "libprotoident.h" +#include "proto_common.h" + +bool match_str_either(lpi_data_t *data, const char *string) { + + if (MATCHSTR(data->payload[0], string)) + return true; + if (MATCHSTR(data->payload[1], string)) + return true; + return false; +} + +bool match_str_both(lpi_data_t *data, const char *string1, + const char *string2) { + + if (MATCHSTR(data->payload[0], string1) && + MATCHSTR(data->payload[1], string2)) + return true; + if (MATCHSTR(data->payload[1], string1) && + MATCHSTR(data->payload[0], string2)) + return true; + return false; +} + +bool match_chars_either(lpi_data_t *data, char a, char b, char c, + char d) { + + if (MATCH(data->payload[0], a, b, c, d)) + return true; + if (MATCH(data->payload[1], a, b, c, d)) + return true; + return false; +} + +bool match_payload_length(uint32_t payload, uint32_t payload_len) { + + uint32_t header = 0; + + header = ntohl(payload); + + /* See if the length in the (presumed) header matches the + * length of the rest of the packet minus the header itself (4 bytes). + * + * Watch out for the case of a 4 byte packet containing just + * 00 00 00 00! */ + if (payload_len > 4 && header == payload_len - 4) + return true; + + return false; +} + +bool match_ip_address_both(lpi_data_t *data) { + + uint8_t matches = 0; + + if (data->ips[0] == 0 || data->ips[1] == 0) + return false; + + if (data->payload_len[0] == 0) + matches += 1; + else if (data->payload[0] == data->ips[0]) + matches += 1; + else if (data->payload[0] == data->ips[1]) + matches += 1; + + if (data->payload_len[1] == 0) + matches += 1; + else if (data->payload[1] == data->ips[0]) + matches += 1; + else if (data->payload[1] == data->ips[1]) + matches += 1; + + if (matches == 2) + return true; + else + return false; + +} + +/* Multiple protocols use HTTP-style requests */ +bool match_http_request(uint32_t payload, uint32_t len) { + + /* HTTP requests - some of these are MS-specific extensions */ + if (len == 0) + return true; + + if (MATCHSTR(payload, "GET ")) return true; + if (len == 1 && MATCH(payload, 'G', 0x00, 0x00, 0x00)) + return true; + if (len == 2 && MATCH(payload, 'G', 'E', 0x00, 0x00)) + return true; + if (len == 3 && MATCH(payload, 'G', 'E', 'T', 0x00)) + return true; + + if (MATCHSTR(payload, "POST")) return true; + if (MATCHSTR(payload, "HEAD")) return true; + if (MATCHSTR(payload, "PUT ")) return true; + if (MATCHSTR(payload, "DELE")) return true; + if (MATCHSTR(payload, "auth")) return true; + + /* SVN? */ + if (MATCHSTR(payload, "REPO")) return true; + + /* Webdav */ + if (MATCHSTR(payload, "LOCK")) return true; + if (MATCHSTR(payload, "UNLO")) return true; + if (MATCHSTR(payload, "OPTI")) return true; + if (MATCHSTR(payload, "PROP")) return true; + if (MATCHSTR(payload, "MKCO")) return true; + if (MATCHSTR(payload, "POLL")) return true; + if (MATCHSTR(payload, "SEAR")) return true; + + /* Ntrip - some differential GPS system using modified HTTP */ + if (MATCHSTR(payload, "SOUR")) return true; + + + return false; + +} + +/* File headers are not specific to any particular protocol */ +bool match_file_header(uint32_t payload) { + + /* RIFF is a meta-format for storing AVI and WAV files */ + if (MATCHSTR(payload, "RIFF")) + return true; + + /* MZ is a .exe file */ + if (MATCH(payload, 'M', 'Z', ANY, 0x00)) + return true; + + /* Ogg files */ + if (MATCHSTR(payload, "OggS")) + return true; + + /* ZIP files */ + if (MATCH(payload, 'P', 'K', 0x03, 0x04)) + return true; + + /* MPEG files */ + if (MATCH(payload, 0x00, 0x00, 0x01, 0xba)) + return true; + + /* RAR files */ + if (MATCHSTR(payload, "Rar!")) + return true; + + /* EBML */ + if (MATCH(payload, 0x1a, 0x45, 0xdf, 0xa3)) + return true; + + /* JPG */ + if (MATCH(payload, 0xff, 0xd8, ANY, ANY)) + return true; + + /* GIF */ + if (MATCHSTR(payload, "GIF8")) + return true; + + /* I'm also going to include PHP scripts in here */ + if (MATCH(payload, 0x3c, 0x3f, 0x70, 0x68)) + return true; + + /* Unix scripts */ + if (MATCH(payload, 0x23, 0x21, 0x2f, 0x62)) + return true; + + /* PDFs */ + if (MATCHSTR(payload, "%PDF")) + return true; + + /* PNG */ + if (MATCH(payload, 0x89, 'P', 'N', 'G')) + return true; + + /* HTML */ + if (MATCHSTR(payload, "<htm")) + return true; + if (MATCH(payload, 0x0a, '<', '!', 'D')) + return true; + + /* 7zip */ + if (MATCH(payload, 0x37, 0x7a, 0xbc, 0xaf)) + return true; + + /* gzip - may need to replace last two bytes with ANY */ + if (MATCH(payload, 0x1f, 0x8b, 0x08, ANY)) + return true; + + /* XML */ + if (MATCHSTR(payload, "<!DO")) + return true; + + /* FLAC */ + if (MATCHSTR(payload, "fLaC")) + return true; + + /* MP3 */ + if (MATCH(payload, 'I', 'D', '3', 0x03)) + return true; + if (MATCHSTR(payload, "\xff\xfb\x90\xc0")) + return true; + + /* RPM */ + if (MATCH(payload, 0xed, 0xab, 0xee, 0xdb)) + return true; + + /* Wz Patch */ + if (MATCHSTR(payload, "WzPa")) + return true; + + /* Flash Video */ + if (MATCH(payload, 'F', 'L', 'V', 0x01)) + return true; + + /* .BKF (Microsoft Tape Format) */ + if (MATCHSTR(payload, "TAPE")) + return true; + + /* MS Office Doc file - this is unpleasantly geeky */ + if (MATCH(payload, 0xd0, 0xcf, 0x11, 0xe0)) + return true; + + /* ASP */ + if (MATCH(payload, 0x3c, 0x25, 0x40, 0x20)) + return true; + + /* WMS file */ + if (MATCH(payload, 0x3c, 0x21, 0x2d, 0x2d)) + return true; + + /* ar archive, typically .deb files */ + if (MATCHSTR(payload, "!<ar")) + return true; + + /* Raw XML */ + if (MATCHSTR(payload, "<?xm")) + return true; + if (MATCHSTR(payload, "<iq ")) + return true; + + /* SPF */ + if (MATCHSTR(payload, "SPFI")) + return true; + + /* ABIF - Applied Biosystems */ + if (MATCHSTR(payload, "ABIF")) + return true; + + /* bzip2 - other digits are also possible instead of 9 */ + if (MATCH(payload, 'B', 'Z', 'h', '9')) + return true; + + /* xz compression format */ + if (MATCH(payload, 0xfd, '7', 'z', 'X')) + return true; + + /* Microsoft Cabinet Files */ + if (MATCH(payload, 'M', 'S', 'C', 'F')) + return true; + + /* M4A -- be wary of false positives? */ + if (MATCH(payload, 0x00, 0x00, 0x00, 0x20)) + return true; + + /* TIFF */ + if (MATCH(payload, 0x49, 0x49, 0x2a, 0x00)) + return true; + + /* LZMA */ + if (MATCH(payload, 0x5d, 0x00, 0x00, 0x80)) + return true; + + /* Source engine BSP file */ + if (MATCH(payload, 'V', 'B', 'S', 'P')) + return true; + + /* TTF */ + if (MATCH(payload, 0x00, 0x01, 0x00, 0x00)) + return true; + if (MATCH(payload, 'O', 'T', 'T', 'O')) + return true; + + /* WOF2 TTCF */ + if (MATCH(payload, 't', 't', 'c', 'f')) + return true; + + /* RIR delegation files... */ + if (MATCH(payload, '2', '.', '3', '|')) + return true; + + /* REBASE -- restriction enzyme database + * A bit niche, but might be fairly common at universities? */ + if (MATCH(payload, 0x20, 0x0a, 'R', 'E')) + return true; + + /* Old coralreef trace files! */ + if (MATCHSTR(payload, "\xff\xff\x44\x00")) + return true; + + /* I'm pretty sure the following are files of some type or another. + * They crop up pretty often in our test data sets, so I'm going to + * put them in here. + * + * Hopefully one day we will find out what they really are */ + + if (MATCH(payload, '<', 'c', 'f', ANY)) + return true; + if (MATCH(payload, '<', 'C', 'F', ANY)) + return true; + if (MATCHSTR(payload, ".tem")) + return true; + if (MATCHSTR(payload, ".ite")) + return true; + if (MATCHSTR(payload, ".lef")) + return true; + + return false; + +} + +bool valid_http_port(lpi_data_t *data) { + /* Must be on a known HTTP port - designed to filter + * out P2P protos that use HTTP. + * + * XXX If this doesn't work well, get rid of it! + */ + if (data->server_port == 80 || data->client_port == 80) + return true; + if (data->server_port == 8080 || data->client_port == 8080) + return true; + if (data->server_port == 8081 || data->client_port == 8081) + return true; + + /* If port 443 responds, we want it to be counted as genuine + * HTTP, rather than a bad port scenario */ + if (data->server_port == 443 || data->client_port == 443) { + if (data->payload_len[0] > 0 && data->payload_len[1] > 0) + return true; + } + + return false; + +} + +/* 16 03 00 X is an SSLv3 handshake */ +static inline bool match_ssl3_handshake(uint32_t payload, uint32_t len) { + + if (len == 0) + return true; + if (len == 1 && MATCH(payload, 0x16, 0x00, 0x00, 0x00)) + return true; + if (MATCH(payload, 0x16, 0x03, 0x00, ANY)) + return true; + return false; +} + +/* 16 03 01 X is an TLS handshake */ +static inline bool match_tls_handshake(uint32_t payload, uint32_t len) { + + if (len == 0) + return true; + if (len == 1 && MATCH(payload, 0x16, 0x00, 0x00, 0x00)) + return true; + if (MATCH(payload, 0x16, 0x03, 0x01, ANY)) + return true; + if (MATCH(payload, 0x16, 0x03, 0x02, ANY)) + return true; + if (MATCH(payload, 0x16, 0x03, 0x03, ANY)) + return true; + return false; +} + +/* SSLv2 handshake - the ANY byte in the 0x80 payload is actually the length + * of the payload - 2. + * + * XXX This isn't always true - consecutive packets may be merged it seems :( + */ +static inline bool match_ssl2_handshake(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 0x80, ANY, 0x01, 0x03)) + return true; + if (MATCH(payload, 0x81, ANY, 0x01, 0x03)) + return true; + + return false; +} + +static inline bool match_tls_alert(uint32_t payload, uint32_t len) { + if (MATCH(payload, 0x15, 0x03, 0x01, ANY)) + return true; + if (MATCH(payload, 0x15, 0x03, 0x02, ANY)) + return true; + if (MATCH(payload, 0x15, 0x03, 0x03, ANY)) + return true; + + /* Alerts are also possible under SSL 3.0 */ + if (MATCH(payload, 0x15, 0x03, 0x00, ANY)) + return true; + return false; +} + +static inline bool match_tls_change(uint32_t payload, uint32_t len) { + if (MATCH(payload, 0x14, 0x03, 0x01, ANY)) + return true; + if (MATCH(payload, 0x14, 0x03, 0x02, ANY)) + return true; + if (MATCH(payload, 0x14, 0x03, 0x03, ANY)) + return true; + return false; + +} + +static inline bool match_tls_content(uint32_t payload, uint32_t len) { + if (MATCH(payload, 0x17, 0x03, 0x01, ANY)) + return true; + if (MATCH(payload, 0x17, 0x03, 0x02, ANY)) + return true; + if (MATCH(payload, 0x17, 0x03, 0x03, ANY)) + return true; + return false; +} + +bool match_ssl(lpi_data_t *data) { + + + if (match_ssl3_handshake(data->payload[0], data->payload_len[0]) && + match_ssl3_handshake(data->payload[1], data->payload_len[1])) + return true; + + if (match_tls_handshake(data->payload[0], data->payload_len[0]) && + match_tls_handshake(data->payload[1], data->payload_len[1])) + return true; + + if (match_ssl3_handshake(data->payload[0], data->payload_len[0]) && + match_tls_handshake(data->payload[1], data->payload_len[1])) + return true; + + if (match_tls_handshake(data->payload[0], data->payload_len[0]) && + match_ssl3_handshake(data->payload[1], data->payload_len[1])) + return true; + /* Seems we can sometimes skip the full handshake and start on the data + * right away (as indicated by 0x17) - for now, I've only done this for TLS */ + if (match_tls_handshake(data->payload[0], data->payload_len[0]) && + match_tls_content(data->payload[1], data->payload_len[1])) + return true; + if (match_tls_handshake(data->payload[1], data->payload_len[1]) && + match_tls_content(data->payload[0], data->payload_len[0])) + return true; + /* Need to check for TLS alerts (errors) too */ + if (match_tls_handshake(data->payload[0], data->payload_len[0]) && + match_tls_alert(data->payload[1], data->payload_len[1])) + return true; + if (match_tls_handshake(data->payload[1], data->payload_len[1]) && + match_tls_alert(data->payload[0], data->payload_len[0])) + return true; + if (match_ssl3_handshake(data->payload[0], data->payload_len[0]) && + match_tls_alert(data->payload[1], data->payload_len[1])) + return true; + if (match_ssl3_handshake(data->payload[1], data->payload_len[1]) && + match_tls_alert(data->payload[0], data->payload_len[0])) + return true; + + /* Need to check for cipher changes too */ + if (match_tls_handshake(data->payload[0], data->payload_len[0]) && + match_tls_change(data->payload[1], data->payload_len[1])) + return true; + if (match_tls_handshake(data->payload[1], data->payload_len[1]) && + match_tls_change(data->payload[0], data->payload_len[0])) + return true; + + + /* Some HTTPS servers respond with unencrypted content, presumably + * when somebody invalid attempts a connection */ + if (match_tls_handshake(data->payload[0], data->payload_len[0]) && + MATCHSTR(data->payload[1], "<!DO") && + data->payload_len[0] != 0) + return true; + if (match_tls_handshake(data->payload[1], data->payload_len[1]) && + MATCHSTR(data->payload[0], "<!DO") && + data->payload_len[1] != 0) + return true; + + + /* Allow TLS content in both directions -- could be multi-path TCP? + * Or some form of picking up where a previous connection left off? + */ + if (match_tls_content(data->payload[0], data->payload_len[0]) && + match_tls_content(data->payload[1], data->payload_len[1])) + return true; + if (match_tls_content(data->payload[1], data->payload_len[1]) && + match_tls_content(data->payload[0], data->payload_len[0])) + return true; + + + if ((match_tls_handshake(data->payload[0], data->payload_len[0]) || + match_ssl3_handshake(data->payload[0], data->payload_len[0])) && + match_ssl2_handshake(data->payload[1], data->payload_len[1])) + return true; + + if ((match_tls_handshake(data->payload[1], data->payload_len[1]) || + match_ssl3_handshake(data->payload[1], data->payload_len[1])) && + match_ssl2_handshake(data->payload[0], data->payload_len[0])) + return true; + + if (data->payload_len[0] == 0 && match_ssl2_handshake(data->payload[1], data->payload_len[1])) + return true; + if (data->payload_len[1] == 0 && match_ssl2_handshake(data->payload[0], data->payload_len[0])) + return true; + + return false; +} + +static bool dns_req(uint32_t payload) { + + /* The flags / rcode on requests are usually all zero. + * + * Exceptions: CD and RD may be set + * + * Remember BYTE ORDER! + */ + + payload = htonl(payload); + + if ((payload & 0x0000ffff) == 0x00000000) + return true; + /* Check for CD */ + if ((payload & 0x0000ffff) == 0x00000010) + return true; + /* Check for RD */ + if ((payload & 0x0000ffff) == 0x00000100) + return true; + + + return false; + +} + +static bool dns_backscatter(uint32_t payload) { + + /* Let's see if we can identify unsolicited DNS responses */ + + /* Last byte seems to be always 0x00 - third is either 0x84 or 0x85 */ + + payload = htonl(payload); + + if ((payload & 0x0000ffff) == 0x00008500) + return true; + if ((payload & 0x0000ffff) == 0x00008580) + return true; + if ((payload & 0x0000ffff) == 0x00008400) + return true; + if ((payload & 0x0000ffff) == 0x00008480) + return true; + if ((payload & 0x0000ffff) == 0x00008483) + return true; + if ((payload & 0x0000ffff) == 0x00008403) + return true; + if ((payload & 0x0000ffff) == 0x00008000) + return true; + + return false; +} + +bool match_dns(lpi_data_t *data) { + + if (data->payload_len[0] == 0 || data->payload_len[1] == 0) { + + /* No response, so we have a bit of a hard time - however, + * most requests have a pretty standard set of flags. + * + * We'll also use the port here to help out */ + if (data->server_port != 53 && data->client_port != 53) + return false; + if (data->payload_len[0] > 12 && dns_req(data->payload[0])) + return true; + if (data->payload_len[1] > 12 && dns_req(data->payload[1])) + return true; + if (data->payload_len[0] > 12 && + dns_backscatter(data->payload[0])) + return true; + if (data->payload_len[1] > 12 && + dns_backscatter(data->payload[1])) + return true; + + return false; + } + + if (((htonl(data->payload[0])) & 0xffff7800) != + ((htonl(data->payload[1])) & 0xffff7800)) + return false; + + if ((htonl(data->payload[0]) & 0x00008000) == + (htonl(data->payload[1]) & 0x00008000)) + return false; + + return true; + +} + +bool match_tds_request(uint32_t payload, uint32_t len) { + + uint32_t stated_len = 0; + + stated_len = (ntohl(payload) & 0xffff); + if (stated_len != len) + return false; + + if (MATCH(payload, 0x12, 0x01, ANY, ANY)) + return true; + if (MATCH(payload, 0x10, 0x01, ANY, ANY)) + return true; + + return false; + +} + + +bool match_8000_payload(uint32_t payload, uint32_t len) { + + if (len == 0) + return true; + + if (MATCH(payload, 0x3b, 0x00, 0x00, 0x00)) { + return true; + } + if (MATCH(payload, 0x3c, 0x00, 0x00, 0x00)) { + return true; + } + if (MATCH(payload, 0x3d, 0x00, 0x00, 0x00)) { + return true; + } + if (MATCH(payload, 0x3e, 0x00, 0x00, 0x00)) { + return true; + } + + return false; +} + +bool match_emule(lpi_data_t *data) { + + /* Check that payload begins with e3 or c5 in both directions before + * classifying as eMule */ + /* (I noticed that most emule(probably) flows began with "e3 xx 00 00" + * or "c5 xx 00 00", perhaps is worth looking into... Although I + * couldn't find anything about emule packets) */ + + if (data->payload_len[0] < 4 && data->payload_len[1] < 4) + return false; + + if (MATCH(data->payload[0], 0xe3, ANY, 0x00, 0x00) && + MATCH(data->payload[1], 0xe3, ANY, 0x00, 0x00)) + return true; + + if (MATCH(data->payload[0], 0xe3, ANY, 0x00, 0x00) && + MATCH(data->payload[1], 0xc5, ANY, 0x00, 0x00)) + return true; + + /* XXX I haven't seen any obviously legit emule that starts with c5 + * in both directions */ + /* + if (MATCH(data->payload[0], 0xc5, ANY, ANY, ANY) && + MATCH(data->payload[1], 0xc5, ANY, ANY, ANY)) + return true; + */ + + if (MATCH(data->payload[0], 0xc5, ANY, 0x00, 0x00) && + MATCH(data->payload[1], 0xe3, ANY, 0x00, 0x00)) + return true; + + if (MATCH(data->payload[0], 0xe3, ANY, 0x00, 0x00) && + data->payload_len[1] == 0) + return true; + + if (MATCH(data->payload[1], 0xe3, ANY, 0x00, 0x00) && + data->payload_len[0] == 0) + return true; + + + + return false; +} + +static inline bool match_kaspersky_ke(uint32_t payload, uint32_t len) { + if (len == 0) + return true; + if (MATCH(payload, 'K', 'E', 0x00, 0x00)) + return true; + if (MATCH(payload, 'K', 'E', 0x00, 0x02)) + return true; + if (MATCH(payload, 'K', 'E', 0x00, 0x07)) + return true; + return false; +} + +static inline bool match_kaspersky_ks(uint32_t payload, uint32_t len) { + if (len == 0) + return true; + if (MATCH(payload, 'K', 'S', 0x00, 0x00)) + return true; + return false; +} + +bool match_kaspersky(lpi_data_t *data) { + + /* Traffic is either on TCP port 443 or UDP port 2001. + * + * One of the endpoints is always in either a Kaspersky range or + * an old PSInet range */ + + if (match_str_both(data, "PI\x00\x00", "PI\x00\x00")) { + if (data->payload_len[0] == 2 && data->payload_len[1] == 2) + return true; + } + if (match_kaspersky_ke(data->payload[0], data->payload_len[0])) { + if (match_kaspersky_ke(data->payload[1], data->payload_len[1])) + return true; + } + if (match_kaspersky_ks(data->payload[0], data->payload_len[0])) { + if (match_kaspersky_ks(data->payload[1], data->payload_len[1])) + return true; + } + return false; +} + +bool match_youku_payload(uint32_t pload, uint32_t len) { + + if (len == 0) + return true; + if (MATCH(pload, 0x4b, 0x55, 0x00, 0x01)) + return true; + if (MATCH(pload, 0x4b, 0x55, 0x00, 0x02)) + return true; + if (MATCH(pload, 0x4b, 0x55, 0x00, 0x03)) + return true; + if (MATCH(pload, 0x4b, 0x55, 0x00, 0x04)) + return true; + return false; + +} + +bool match_tpkt(uint32_t payload, uint32_t len) { + uint32_t stated_len = 0; + + /* + * TPKT header is 03 00 + 2 bytes of length (including the TPKT header) + */ + + if (!MATCH(payload, 0x03, 0x00, ANY, ANY)) + return false; + + stated_len = ntohl(payload) & 0xffff; + if (stated_len != len) + return false; + return true; +} + +bool match_qqlive_payload(uint32_t payload, uint32_t len) { + + uint32_t swap; + + /* This appears to have a 3 byte header. First byte is always 0xfe. + * Second and third bytes are the length (minus the 3 byte header). + */ + + if (len == 0) + return true; + + swap = htonl(payload); + swap = (swap & 0xffff00) >> 8; + + if (ntohs(swap) != len - 3) + return false; + + /* Interestingly, the third and fourth byte always match */ + swap = htonl(payload); + if ((swap & 0xff) != ((swap & 0xff00) >> 8)) + return false; + + if (MATCH(payload, 0xfe, ANY, ANY, ANY)) + return true; + return false; + +} + +bool match_yy_payload(uint32_t payload, uint32_t len) { + + /* The first four bytes are a length field, but using the + * wrong byte order... + */ + + if (!MATCH(payload, ANY, ANY, 0x00, 0x00)) + return false; + +#if BYTE_ORDER == BIG_ENDIAN + if (bswap32(payload) == len) + return true; +#else + if (payload == len) + return true; +#endif + return false; +} + + +/* Byte swapping functions for various inttypes */ +uint64_t byteswap64(uint64_t num) +{ + return (byteswap32((num&0xFFFFFFFF00000000ULL)>>32)) + |((uint64_t)byteswap32(num&0x00000000FFFFFFFFULL)<<32); +} + +uint32_t byteswap32(uint32_t num) +{ + return ((num&0x000000FFU)<<24) + | ((num&0x0000FF00U)<<8) + | ((num&0x00FF0000U)>>8) + | ((num&0xFF000000U)>>24); +} + +uint16_t byteswap16(uint16_t num) +{ + return ((num<<8)&0xFF00)|((num>>8)&0x00FF); +} + diff --git a/decoders/glimpse_detector/libprotoident/proto_common.h b/decoders/glimpse_detector/libprotoident/proto_common.h new file mode 100644 index 0000000..679f784 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/proto_common.h @@ -0,0 +1,143 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + + +#ifndef PROTO_COMMON_H_ +#define PROTO_COMMON_H_ + +#include "libprotoident.h" + +#ifndef __BYTE_ORDER +#include <endian.h> +#endif + +#define ANY -1 + +#define MASKOCTET(x) \ + ((x) == ANY ? 0U : 255U) + +#if __BYTE_ORDER == __BIG_ENDIAN +#define FORMUP(a,b,c,d) \ + (unsigned)((((a)&0xFF)<<24)|(((b)&0xFF)<<16)|(((c)&0xFF)<<8)|((d)&0xFF)) +#else +#define FORMUP(a,b,c,d) \ + (unsigned)((((d)&0xFF)<<24)|(((c)&0xFF)<<16)|(((b)&0xFF)<<8)|((a)&0xFF)) +#endif + + +#define FORMUPMASK(a,b,c,d) \ + FORMUP(MASKOCTET(a),MASKOCTET(b),MASKOCTET(c),MASKOCTET(d)) +#define MATCH(x,a,b,c,d) \ + ((x&FORMUPMASK(a,b,c,d))==(FORMUP(a,b,c,d)&FORMUPMASK(a,b,c,d))) + +#define MATCHSTR(x,st) \ + (memcmp(&(x),(st),sizeof(x))==0) + + +/** Byteswaps a 64-bit value. + * + * @param num The value to be byteswapped. + * @return The byteswapped 64-bit number + * + */ +uint64_t byteswap64(uint64_t num); + +/** Byteswaps a 32-bit value. + * + * @param num The value to be byteswapped. + * @return The byteswapped 32-bit number + * + */ +uint32_t byteswap32(uint32_t num); + +/** Byteswaps a 16-bit value. + * + * @param num The value to be byteswapped. + * @return The byteswapped 16-bit number + * + */ +uint16_t byteswap16(uint16_t num); + + +#if __BYTE_ORDER == __BIG_ENDIAN +#define bswap_host_to_be64(num) ((uint64_t)(num)) +#define bswap_host_to_le64(num) byteswap64(num) +#define bswap_host_to_be32(num) ((uint32_t)(num)) +#define bswap_host_to_le32(num) byteswap32(num) +#define bswap_host_to_be16(num) ((uint16_t)(num)) +#define bswap_host_to_le16(num) byteswap16(num) + +#define bswap_be_to_host64(num) ((uint64_t)(num)) +#define bswap_le_to_host64(num) byteswap64(num) +#define bswap_be_to_host32(num) ((uint32_t)(num)) +#define bswap_le_to_host32(num) byteswap32(num) +#define bswap_be_to_host16(num) ((uint16_t)(num)) +#define bswap_le_to_host16(num) byteswap16(num) + +/* We use ntoh*() here, because the compiler may + * attempt to optimise it + */ +#elif __BYTE_ORDER == __LITTLE_ENDIAN +#define bswap_host_to_be64(num) (byteswap64(num)) +#define bswap_host_to_le64(num) ((uint64_t)(num)) +#define bswap_host_to_be32(num) (htonl(num)) +#define bswap_host_to_le32(num) ((uint32_t)(num)) +#define bswap_host_to_be16(num) (htons(num)) +#define bswap_host_to_le16(num) ((uint16_t)(num)) + +#define bswap_be_to_host64(num) (byteswap64(num)) +#define bswap_le_to_host64(num) ((uint64_t)(num)) +#define bswap_be_to_host32(num) (ntohl(num)) +#define bswap_le_to_host32(num) ((uint32_t)(num)) +#define bswap_be_to_host16(num) (ntohs(num)) +#define bswap_le_to_host16(num) ((uint16_t)(num)) + +#else +#error "Unknown byte order" +#endif + + +bool match_str_either(lpi_data_t *data, const char *string); +bool match_str_both(lpi_data_t *data, const char *string1, + const char *string2); +bool match_chars_either(lpi_data_t *data, char a, char b, char c, + char d); +bool match_payload_length(uint32_t payload, uint32_t payload_len); +bool match_ip_address_both(lpi_data_t *data); +bool match_file_header(uint32_t payload); +bool match_http_request(uint32_t payload, uint32_t len); +bool valid_http_port(lpi_data_t *data); +bool match_ssl(lpi_data_t *data); +bool match_dns(lpi_data_t *data); +bool match_tds_request(uint32_t payload, uint32_t len); +bool match_8000_payload(uint32_t payload, uint32_t len); +bool match_youku_payload(uint32_t payload, uint32_t len); +bool match_emule(lpi_data_t *data); +bool match_kaspersky(lpi_data_t *data); +bool match_tpkt(uint32_t payload, uint32_t len); +bool match_qqlive_payload(uint32_t payload, uint32_t len); +bool match_yy_payload(uint32_t payload, uint32_t len); +#endif diff --git a/decoders/glimpse_detector/libprotoident/proto_manager.cc b/decoders/glimpse_detector/libprotoident/proto_manager.cc new file mode 100644 index 0000000..b4c58bf --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/proto_manager.cc @@ -0,0 +1,691 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +//#include "config.h" + +#include <glob.h> +#include <dlfcn.h> + +#include "proto_manager.h" +#include "tcp/tcp_protocols.h" +#include "udp/udp_protocols.h" + +void register_protocol(lpi_module_t *mod, LPIModuleMap *mod_map) { + LPIModuleMap::iterator it; + LPIModuleList *ml; + + it = mod_map->find(mod->priority); + + if (it == mod_map->end()) { + (*mod_map)[mod->priority] = new LPIModuleList(); + + it = mod_map->find(mod->priority); + } + + ml = it->second; + ml->push_back(mod); + + +} + +void free_protocols(LPIModuleMap *mod_map) { + + LPIModuleMap::iterator it; + LPIModuleList *ml; + + for (it = mod_map->begin(); it != mod_map->end(); ++ it ) { + ml = it->second; + + ml->clear(); + delete(ml); + } + mod_map->clear(); +} + +int register_tcp_protocols(LPIModuleMap *mod_map) { + + //register_300heroes(mod_map); + //register_360safeguard(mod_map); + //register_4d(mod_map); + //register_acestream(mod_map); + //register_afp(mod_map); + //register_airdroid(mod_map); + //register_airmedia(mod_map); + //register_akamai_tcp(mod_map); + //register_amp(mod_map); + //register_antcoin(mod_map); + //register_appearin(mod_map); + //register_apple_push(mod_map); + //register_ares(mod_map); + //register_badbaidu(mod_map); + //register_baofeng_tcp(mod_map); + //register_beam(mod_map); + //register_bitcoin(mod_map); + //register_bitextend(mod_map); + //register_bittorrent(mod_map); + //register_blackdesert(mod_map); + //register_blizzard(mod_map); + //register_btsync(mod_map); + //register_bwsyncandshare(mod_map); + //register_cacaoweb(mod_map); + //register_cgp(mod_map); + //register_chatango(mod_map); + //register_cisco_vpn(mod_map); + //register_clashofclans(mod_map); + //register_classin_tcp(mod_map); + //register_clubbox(mod_map); + //register_cod_waw(mod_map); + //register_conquer(mod_map); + //register_crashplan(mod_map); + //register_crossfire_tcp(mod_map); + //register_cryptic(mod_map); + //register_cvs(mod_map); + //register_dahua_tcp(mod_map); + //register_dash(mod_map); + //register_dell_backup(mod_map); + //register_destiny(mod_map); + //register_diablo3(mod_map); + //register_dianping_tcp(mod_map); + //register_directconnect(mod_map); + //register_dnf(mod_map); + register_dns_tcp(mod_map); + //register_dogecoin(mod_map); + //register_douyu(mod_map); + //register_douyu_chat(mod_map); + //register_duelingnetwork(mod_map); + //register_dvrns(mod_map); + //register_dxp(mod_map); + //register_ea_games(mod_map); + //register_emule(mod_map); + //register_ethernetip(mod_map); + //register_eye(mod_map); + //register_facebook_turn(mod_map); + //register_fb_message(mod_map); + //register_fbcdn_ssl(mod_map); + //register_ffxiv(mod_map); + //register_filenori(mod_map); + //register_flash(mod_map); + //register_fliggy(mod_map); + //register_fring(mod_map); + register_ftpcontrol(mod_map); + register_ftpdata(mod_map); + //register_fuckcoin(mod_map); + //register_funshion_tcp(mod_map); + //register_gamespy_tcp(mod_map); + //register_gcafe_updater(mod_map); + //register_giop(mod_map); + //register_git(mod_map); + //register_glupteba(mod_map); + //register_gnutella(mod_map); + //register_goku(mod_map); + //register_googlehangouts(mod_map); + //register_graalonlineera(mod_map); + //register_guildwars2(mod_map); + //register_hamachi(mod_map); + //register_harveys(mod_map); + //register_hearthstone(mod_map); + //register_hola(mod_map); + //register_hots_tcp(mod_map); + register_http_badport(mod_map); + register_http(mod_map); + register_http_nonstandard(mod_map); + register_https(mod_map); + register_http_tunnel(mod_map); + //register_ica(mod_map); + //register_icep(mod_map); + //register_id(mod_map); + //register_idrivesync(mod_map); + //register_ihexin(mod_map); + register_imap(mod_map); + register_imaps(mod_map); + //register_imesh(mod_map); + //register_invalid(mod_map); + //register_invalid_bittorrent(mod_map); + register_invalid_http(mod_map); + register_invalid_pop(mod_map); + register_invalid_smtp(mod_map); + //register_ipfs(mod_map); + //register_ipop(mod_map); + //register_ipsharkk(mod_map); + //register_irc(mod_map); + //register_java(mod_map); + //register_jedi(mod_map); + //register_jx3online(mod_map); + //register_kakao(mod_map); + //register_kankan_tcp(mod_map); + //register_kaseya(mod_map); + //register_kaspersky(mod_map); + //register_kik(mod_map); + //register_kingofglory_tcp(mod_map); + //register_kuaibo(mod_map); + register_ldap(mod_map); + //register_tcp_ldap_ad(mod_map); + //register_lifeforge(mod_map); + //register_line(mod_map); + //register_litecoin(mod_map); + //register_llp2p(mod_map); + //register_maplestory_china(mod_map); + //register_maxicloud(mod_map); + //register_message4u(mod_map); + //register_minecraft(mod_map); + //register_mitglieder(mod_map); + register_mms(mod_map); + //register_mongo(mod_map); + //register_mp2p(mod_map); + //register_msn(mod_map); + //register_msnc(mod_map); + //register_msnv(mod_map); + //register_munin(mod_map); + //register_mysql(mod_map); + //register_mystery_8000(mod_map); + //register_mystery_9000(mod_map); + //register_mystery_conn(mod_map); + //register_mystery_iG(mod_map); + //register_mystery_pspr(mod_map); + //register_mystery_rxxf(mod_map); + //register_mystery_symantec(mod_map); + //register_mzinga(mod_map); + //register_naverp2p(mod_map); + //register_ncsoft(mod_map); + //register_ndt_tput(mod_map); + register_netbios(mod_map); + //register_notes_rpc(mod_map); + //register_tcp_no_payload(mod_map); + //register_tcp_no_firstpkt(mod_map); + //register_nsq(mod_map); + //register_omegle(mod_map); + register_openvpn(mod_map); + //register_ourworld(mod_map); + //register_palringo(mod_map); + //register_paltalk(mod_map); + //register_pandatv(mod_map); + //register_pando(mod_map); + //register_pathofexile(mod_map); + //register_pdbox(mod_map); + register_pop3(mod_map); + register_pop3s(mod_map); + //register_postgresql(mod_map); + register_pptp(mod_map); + //register_psn_store(mod_map); + //register_qcloud_ilvb(mod_map); + register_qq_tcp(mod_map); + //register_qqdownload(mod_map); + //register_qqlive_tcp(mod_map); + //register_qqspeedmobile_tcp(mod_map); + //register_qvod(mod_map); + //register_rabbitmq(mod_map); + //register_ragnarokonline(mod_map); + //register_razor(mod_map); + //register_rbls(mod_map); + register_rdp(mod_map); + //register_realmofthemadgod(mod_map); + //register_realvnc(mod_map); + //register_rejection(mod_map); + //register_relay(mod_map); + //register_remote_manipulator(mod_map); + //register_revolver_nblbt(mod_map); + //register_rfb(mod_map); + //register_rpcscan(mod_map); + //register_rrtv(mod_map); + register_rsync(mod_map); + register_rtmp(mod_map); + register_rtsp(mod_map); + //register_runescape(mod_map); + //register_s7comm(mod_map); + //register_saprouter(mod_map); + //register_saszombieassault4(mod_map); + //register_second_life(mod_map); + //register_shoutcast(mod_map); + //register_silkroadonline(mod_map); + register_sip(mod_map); + //register_skyforge(mod_map); + //register_skype_tcp(mod_map); + register_smb(mod_map); + //register_smite_tcp(mod_map); + register_smtp(mod_map); + register_smtps(mod_map); + register_socks4(mod_map); + register_socks5(mod_map); + register_spdy(mod_map); + //register_speedify(mod_map); + //register_speedin(mod_map); + //register_speedtest(mod_map); + //register_spotify(mod_map); + register_ssh(mod_map); + //register_ssjj(mod_map); + register_ssl(mod_map); + //register_steam(mod_map); + register_stratum(mod_map); + register_stun_tcp(mod_map); + //register_supl(mod_map); + //register_svn(mod_map); + //register_talesrunner(mod_map); + //register_tankionline(mod_map); + //register_tankix(mod_map); + //register_taobao(mod_map); + //register_tds(mod_map); + //register_teamviewer(mod_map); + //register_telecomkey(mod_map); + //register_telegram(mod_map); + register_telnet(mod_map); + //register_telnet_exploit(mod_map); + //register_tencent_games(mod_map); + //register_tenfivecoin(mod_map); + //register_tensafe(mod_map); + //register_tera(mod_map); + //register_tetrisonline(mod_map); + //register_thedivision(mod_map); + //register_tip(mod_map); + //register_tor(mod_map); + //register_tpkt_generic(mod_map); + //register_trackmania(mod_map); + //register_transocks(mod_map); + //register_trion(mod_map); + //register_trojan_win32_generic_sb(mod_map); + //register_trojan_zeroaccess(mod_map); + //register_twitcasting(mod_map); + //register_twitch_irc(mod_map); + //register_utherverse(mod_map); + //register_vainglory(mod_map); + //register_vhdp2p(mod_map); + //register_viber(mod_map); + //register_vmware(mod_map); + //register_vodlocker(mod_map); + //register_vpnrobot_tcp(mod_map); + //register_vpnunlimited_tcp(mod_map); + //register_warcraft3(mod_map); + //register_web_junk(mod_map); + //register_webex_stun(mod_map); + //register_weblogic(mod_map); + register_wechat(mod_map); + //register_weibo(mod_map); + //register_weiqi(mod_map); + //register_whatsapp(mod_map); + //register_whois(mod_map); + //register_winmx(mod_map); + //register_wizard101(mod_map); + //register_wns(mod_map); + //register_wow(mod_map); + //register_wuala(mod_map); + //register_xiami(mod_map); + register_xmpp(mod_map); + register_xmpps(mod_map); + //register_xunlei(mod_map); + //register_xunlei_accel(mod_map); + //register_xymon(mod_map); + //register_yahoo(mod_map); + //register_yahoo_error(mod_map); + //register_yahoo_games(mod_map); + //register_yahoo_webcam(mod_map); + //register_youku_tcp(mod_map); + //register_yy_tcp(mod_map); + //register_zabbix(mod_map); + //register_zero_facebook(mod_map); + //register_zoom_tcp(mod_map); + //register_zynga(mod_map); + return 0; +} + +int register_udp_protocols(LPIModuleMap *mod_map) { + + //register_360cn(mod_map); + //register_360p2p(mod_map); + //register_aachen_udp(mod_map); + //register_acercloud(mod_map); + //register_akamai(mod_map); + //register_akamai_transfer(mod_map); + //register_amanda(mod_map); + //register_apple_facetime_init(mod_map); + //register_ard(mod_map); + //register_ares_udp(mod_map); + //register_arksurvival(mod_map); + //register_arma_server(mod_map); + //register_arma3_server(mod_map); + //register_artcp(mod_map); + //register_assettocorsa(mod_map); + //register_avast_secure_dns(mod_map); + //register_bacnet(mod_map); + //register_backweb(mod_map); + //register_baiduyun_p2p(mod_map); + //register_baofeng_udp(mod_map); + //register_battlefield(mod_map); + //register_bjnp(mod_map); + //register_bmdp(mod_map); + //register_btsync_udp(mod_map); + //register_cacaoweb_udp(mod_map); + //register_canon_mfnp(mod_map); + //register_callofduty(mod_map); + //register_chargen_exploit(mod_map); + //register_checkpoint_rdp(mod_map); + //register_chivalry(mod_map); + //register_ethernetip_udp(mod_map); + //register_cip_io(mod_map); + //register_cirn(mod_map); + //register_cisco_ipsec(mod_map); + //register_cisco_sslvpn(mod_map); + //register_classin_udp(mod_map); + //register_cloudflare_warp(mod_map); + //register_codmobile(mod_map); + //register_combatarms(mod_map); + //register_combatarms_p2p(mod_map); + //register_contract_wars(mod_map); + //register_crossfire(mod_map); + //register_crossout(mod_map); + //register_csgo(mod_map); + //register_csoriginal(mod_map); + //register_dahua(mod_map); + //register_db2(mod_map); + //register_dcc_udp(mod_map); + //register_demonware(mod_map); + //register_destiny_udp(mod_map); + register_dhcp(mod_map); + //register_dht_dict(mod_map); + //register_dht_other(mod_map); + //register_diablo2(mod_map); + //register_dianping_udp(mod_map); + //register_dianshijia(mod_map); + //register_directconnect_udp(mod_map); + //register_discord(mod_map); + register_dns_udp(mod_map); + //register_dota2(mod_map); + //register_doyo(mod_map); + //register_driveshare(mod_map); + register_dtls(mod_map); + //register_emule_udp(mod_map); + //register_emule_weak_udp(mod_map); + //register_epson(mod_map); + //register_eso(mod_map); + register_esp_encap(mod_map); + //register_eye_udp(mod_map); + //register_fasp(mod_map); + //register_feitwo(mod_map); + //register_forticlient_sslvpn(mod_map); + //register_fortinet(mod_map); + //register_foscam(mod_map); + //register_freechal(mod_map); + //register_freefire(mod_map); + //register_funshion_udp(mod_map); + //register_gamespy(mod_map); + //register_ganglia(mod_map); + //register_gangsofspace(mod_map); + //register_garena(mod_map); + //register_gearsofwar(mod_map); + //register_gnutella_udp(mod_map); + //register_gnutella2_udp(mod_map); + //register_gnutella_weak(mod_map); + //register_gotomeeting(mod_map); + register_gprs_tunnel(mod_map); + //register_gsm(mod_map); + //register_h1z1(mod_map); + //register_halflife(mod_map); + //register_haloonline(mod_map); + //register_hamachi_udp(mod_map); + //register_heliborne(mod_map); + //register_heroesevolved(mod_map); + //register_heroes_generals(mod_map); + //register_hollachat(mod_map); + //register_hots(mod_map); + //register_icp(mod_map); + //register_imesh_udp(mod_map); + //register_ipmsg(mod_map); + //register_ipv6_udp(mod_map); + register_isakmp(mod_map); + //register_jedi_academy(mod_map); + //register_jedi_udp(mod_map); + //register_kademlia(mod_map); + //register_kankan(mod_map); + //register_kaspersky_udp(mod_map); + //register_kazaa(mod_map); + //register_kingofglory_udp(mod_map); + //register_kugou(mod_map); + register_l2tp(mod_map); + //register_lansync_udp(mod_map); + //register_ldap_ad(mod_map); + //register_line_udp(mod_map); + //register_linkproof(mod_map); + //register_loadout(mod_map); + //register_lol(mod_map); + register_mdns(mod_map); + //register_merakicloud(mod_map); + //register_moh(mod_map); + //register_moonhunters(mod_map); + //register_mp2p_udp(mod_map); + //register_msn_cache(mod_map); + //register_msn_video(mod_map); + //register_msoffice_mac(mod_map); + //register_mta(mod_map); + //register_mystery_05(mod_map); + //register_mystery_0660(mod_map); + //register_mystery_0d(mod_map); + //register_mystery_45(mod_map); + //register_mystery_61_72(mod_map); + //register_mystery_8000_udp(mod_map); + //register_mystery_99(mod_map); + //register_mystery_e9(mod_map); + //register_mystery_qq(mod_map); + //register_n2ping(mod_map); + //register_natpmp(mod_map); + register_netbios_udp(mod_map); + //register_netcat_cctv_udp(mod_map); + //register_netcore_scan(mod_map); + register_netflow(mod_map); + //register_newerth(mod_map); + //register_nintendo(mod_map); + //register_noction(mod_map); + //register_noe(mod_map); + //register_norton(mod_map); + register_ntp(mod_map); + //register_ntp_reflect(mod_map); + //register_nwn(mod_map); + //register_nvidia_gamestream(mod_map); + //register_opaserv(mod_map); + register_openvpn_udp(mod_map); + //register_orbit_udp(mod_map); + //register_overwatch(mod_map); + //register_paladins(mod_map); + //register_pando_udp(mod_map); + //register_panipani(mod_map); + //register_planetside2(mod_map); + //register_portmap_rpc(mod_map); + //register_pplive(mod_map); + //register_ppstream(mod_map); + //register_probable_gnutella(mod_map); + //register_ps4_remoteplay(mod_map); + //register_psn(mod_map); + //register_punkbuster(mod_map); + //register_pyzor(mod_map); + register_qq(mod_map); + //register_qqlive(mod_map); + //register_qqpcmgr(mod_map); + //register_qqspeedmobile_udp(mod_map); + //register_quake(mod_map); + register_quic(mod_map); + //register_qvod_udp(mod_map); + register_radius(mod_map); + //register_ramsey_dash(mod_map); + register_rdp_udp(mod_map); + //register_real(mod_map); + //register_risingstorm(mod_map); + //register_raknet(mod_map); + //register_robocraft(mod_map); + //register_rocket_league(mod_map); + //register_rrshare(mod_map); + register_rtcp(mod_map); + //register_rtmfp(mod_map); + register_rtp(mod_map); + //register_rulesofsurvival(mod_map); + //register_sanandreas_mp(mod_map); + //register_second_life_udp(mod_map); + //register_serialnumberd(mod_map); + register_sip_udp(mod_map); + //register_skype(mod_map); + //register_slp(mod_map); + //register_smite(mod_map); + //register_snapvpn(mod_map); + register_snmp(mod_map); + //register_sopcast(mod_map); + //register_spamfighter(mod_map); + //register_spotify_bcast(mod_map); + //register_sql_worm(mod_map); + register_ssdp(mod_map); + //register_starcitizen(mod_map); + //register_starcraft(mod_map); + //register_starleaf(mod_map); + //register_steamfriends(mod_map); + //register_steam_localbroadcast(mod_map); + //register_steam_inhomebroadcast(mod_map); + //register_steam_udp(mod_map); + //register_storm_worm(mod_map); + register_stun(mod_map); + //register_syslog(mod_map); + //register_talesrunner_udp(mod_map); + //register_teamspeak(mod_map); + //register_teamviewer_udp(mod_map); + register_teredo(mod_map); + //register_tf2(mod_map); + register_tftp(mod_map); + //register_thecrew(mod_map); + //register_thq(mod_map); + //register_torchlight2(mod_map); + //register_tox(mod_map); + //register_traceroute(mod_map); + //register_tremulous(mod_map); + //register_turbovpn(mod_map); + //register_tvants(mod_map); + //register_ubisoft_games(mod_map); + //register_udp_no_payload(mod_map); + //register_umeye(mod_map); + //register_unreal(mod_map); + //register_ventrilo(mod_map); + //register_viber_udp(mod_map); + //register_vivox(mod_map); + //register_vpnmaster(mod_map); + //register_vpnrobot_udp(mod_map); + //register_vxworks_exploit(mod_map); + //register_warthunder(mod_map); + //register_webex(mod_map); + register_wechat_udp(mod_map); + //register_winmessage(mod_map); + register_wireguard(mod_map); + //register_wolfet(mod_map); + //register_worm_22105(mod_map); + //register_xfire_p2p(mod_map); + //register_xlsp(mod_map); + //register_xunlei_jsq(mod_map); + //register_xunlei_udp(mod_map); + //register_xunyou(mod_map); + //register_youdao_dict(mod_map); + //register_youku_udp(mod_map); + //register_yuanfudao(mod_map); + //register_yy_udp(mod_map); + //register_zalo_call(mod_map); + //register_zeroaccess_udp(mod_map); + //register_zoom(mod_map); + return 0; +} + +static void register_list_names(LPIModuleList *ml, LPINameMap *names, LPIProtocolMap *protos, + LPICategoryProtocolMap *category_protocols) { + LPIModuleList::iterator it; + + for (it = ml->begin(); it != ml->end(); ++ it) { + lpi_module_t *mod = *it; + + (*names)[mod->protocol] = mod->name; + (*protos)[std::string(mod->name)] = mod->protocol; + (*category_protocols)[mod->protocol] = mod->category; + } + +} + +void register_names(LPIModuleMap *mods, LPINameMap *names, LPIProtocolMap *protocols, + LPICategoryProtocolMap *category_protocols) { + + LPIModuleMap::iterator it; + + for (it = mods->begin(); it != mods->end(); ++ it) { + register_list_names(it->second, names, protocols, category_protocols); + } + +} + +void register_category_names(LPICategoryMap *categories) { + + int i; + + for (i = 0; i < LPI_CATEGORY_LAST; i++) { + (*categories)[std::string(lpi_print_category((lpi_category_t)i))] = (lpi_category_t)i; + } +} + +void init_other_protocols(LPINameMap *name_map, LPIProtocolMap *proto_map, + LPICategoryProtocolMap *category_protocols) { + + lpi_icmp = new lpi_module_t; + + lpi_icmp->protocol = LPI_PROTO_ICMP; + lpi_icmp->category = LPI_CATEGORY_ICMP; + lpi_icmp->name = "ICMP"; + lpi_icmp->priority = 255; + lpi_icmp->lpi_callback = NULL; + (*name_map)[lpi_icmp->protocol] = lpi_icmp->name; + (*proto_map)[std::string(lpi_icmp->name)] = lpi_icmp->protocol; + (*category_protocols)[lpi_icmp->protocol] = lpi_icmp->category; + + lpi_unknown_tcp = new lpi_module_t; + + lpi_unknown_tcp->protocol = LPI_PROTO_UNKNOWN; + lpi_unknown_tcp->category = LPI_CATEGORY_UNKNOWN; + lpi_unknown_tcp->name = "Unknown_TCP"; + lpi_unknown_tcp->priority = 255; + lpi_unknown_tcp->lpi_callback = NULL; + (*name_map)[lpi_unknown_tcp->protocol] = lpi_unknown_tcp->name; + (*proto_map)[std::string(lpi_unknown_tcp->name)] = lpi_unknown_tcp->protocol; + (*category_protocols)[lpi_unknown_tcp->protocol] = lpi_unknown_tcp->category; + + lpi_unknown_udp = new lpi_module_t; + + lpi_unknown_udp->protocol = LPI_PROTO_UDP; + lpi_unknown_udp->category = LPI_CATEGORY_UNKNOWN; + lpi_unknown_udp->name = "Unknown_UDP"; + lpi_unknown_udp->priority = 255; + lpi_unknown_udp->lpi_callback = NULL; + (*name_map)[lpi_unknown_udp->protocol] = lpi_unknown_udp->name; + (*proto_map)[std::string(lpi_unknown_udp->name)] = lpi_unknown_udp->protocol; + (*category_protocols)[lpi_unknown_udp->protocol] = lpi_unknown_udp->category; + + lpi_unsupported = new lpi_module_t; + + lpi_unsupported->protocol = LPI_PROTO_UNSUPPORTED; + lpi_unsupported->category = LPI_CATEGORY_UNSUPPORTED; + lpi_unsupported->name = "Unsupported"; + lpi_unsupported->priority = 255; + lpi_unsupported->lpi_callback = NULL; + (*name_map)[lpi_unsupported->protocol] = lpi_unsupported->name; + (*proto_map)[std::string(lpi_unsupported->name)] = lpi_unsupported->protocol; + (*category_protocols)[lpi_unsupported->protocol] = lpi_unsupported->category; +} + diff --git a/decoders/glimpse_detector/libprotoident/proto_manager.h b/decoders/glimpse_detector/libprotoident/proto_manager.h new file mode 100644 index 0000000..9e5ff62 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/proto_manager.h @@ -0,0 +1,61 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + + +#ifndef PROTO_MANAGER_H_ +#define PROTO_MANAGER_H_ + +#include <list> +#include <vector> +#include <map> +#include <string> + +#include "libprotoident.h" + +typedef std::list<lpi_module_t *> LPIModuleList; +typedef std::map<uint8_t, LPIModuleList *> LPIModuleMap; +typedef std::map<lpi_protocol_t, const char *> LPINameMap; +typedef std::map<std::string, lpi_protocol_t> LPIProtocolMap; +typedef std::map<std::string, lpi_category_t> LPICategoryMap; +typedef std::map<lpi_protocol_t, lpi_category_t> LPICategoryProtocolMap; + +void register_protocol(lpi_module_t *mod, LPIModuleMap *mod_map); +int register_tcp_protocols(LPIModuleMap *mod_map); +int register_udp_protocols(LPIModuleMap *mod_map); +void register_names(LPIModuleMap *mod_map, LPINameMap *name_map, LPIProtocolMap *proto_map, + LPICategoryProtocolMap *category_protocols); +void register_category_names(LPICategoryMap *categories); +void init_other_protocols(LPINameMap *name_map, LPIProtocolMap *proto_map, + LPICategoryProtocolMap *category_protocols); +void free_protocols(LPIModuleMap *mod_map); + + +extern lpi_module_t *lpi_icmp; +extern lpi_module_t *lpi_unknown_tcp; +extern lpi_module_t *lpi_unknown_udp; +extern lpi_module_t *lpi_unsupported; + +#endif diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_300heroes.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_300heroes.cc new file mode 100644 index 0000000..b93d663 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_300heroes.cc @@ -0,0 +1,97 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Yet another Chinese LoL clone */ + +static inline bool match_heroes_c1(uint32_t payload, uint32_t len) { + if (len == 12 && MATCH(payload, 0xc1, 0x0c, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_heroes_c2(uint32_t payload, uint32_t len) { + if (len == 15 && MATCH(payload, 0xc2, 0x0f, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_heroes_db(uint32_t payload, uint32_t len) { + if (len == 22 && MATCH(payload, 0xdb, 0x16, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_heroes_e7(uint32_t payload, uint32_t len) { + if (MATCH(payload, 0xe7, 0x2a, 0x00, 0x00)) { + if (len >= 185 && len <= 200) + return true; + } + return false; +} + +static inline bool match_300heroes(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_heroes_c1(data->payload[0], data->payload_len[0])) { + if (match_heroes_c2(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_heroes_c1(data->payload[1], data->payload_len[1])) { + if (match_heroes_c2(data->payload[0], data->payload_len[0])) + return true; + } + + if (match_heroes_db(data->payload[0], data->payload_len[0])) { + if (match_heroes_e7(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_heroes_db(data->payload[1], data->payload_len[1])) { + if (match_heroes_e7(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_300heroes = { + LPI_PROTO_300_HEROES, + LPI_CATEGORY_GAMING, + "300Heroes", + 101, + match_300heroes +}; + +void register_300heroes(LPIModuleMap *mod_map) { + register_protocol(&lpi_300heroes, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_360safeguard.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_360safeguard.cc new file mode 100644 index 0000000..dff2244 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_360safeguard.cc @@ -0,0 +1,130 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_360_a1req(uint32_t payload, uint32_t len) { + + if (len != 63) + return false; + if (MATCH(payload, 0xa1, 0x00, 0x00, 0x00)) + return true; + return false; + +} + +static inline bool match_360_a1resp(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 0xa1, 0x82, 0x00, 0x00)) + return true; + return false; + +} + +static inline bool match_360_03req(uint32_t payload, uint32_t len) { + + uint32_t hdrlen = (ntohl(payload) & 0xffff); + + if (!MATCH(payload, 0x00, 0x03, 0x00, ANY)) + return false; + if (len - 8 == hdrlen) + return true; + return false; + +} + +static inline bool match_360_03resp(uint32_t payload, uint32_t len) { + + if (len != 8) + return false; + if (MATCH(payload, 0x00, 0x00, 0x00, 0x00)) + return true; + return false; + +} + +static inline bool match_360_p2pupdate(uint32_t payload, uint32_t len) { + + if (len == 68 && MATCH(payload, 0x01, 0xaa, 0x4b, 0x79)) + return true; + return false; + +} + +static inline bool match_360safeguard(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* These patterns have been regularly seen on a machine with 360 + * safeguard (Chinese edition) installed. They seem to appear when + * starting up and running a scan, so are probably some form of update + * checking? + */ + + if (match_360_a1req(data->payload[0], data->payload_len[0])) { + if (match_360_a1resp(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_360_a1req(data->payload[1], data->payload_len[1])) { + if (match_360_a1resp(data->payload[0], data->payload_len[0])) + return true; + } + + if (match_360_03req(data->payload[0], data->payload_len[0])) { + if (match_360_03resp(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_360_03req(data->payload[1], data->payload_len[1])) { + if (match_360_03resp(data->payload[0], data->payload_len[0])) + return true; + } + + /* Have observed unencrypted traffic that appears to be downloading a + * .cab file to update 360 safeguard. */ + if (match_360_p2pupdate(data->payload[0], data->payload_len[0])) { + if (match_360_p2pupdate(data->payload[1], data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_360safeguard = { + LPI_PROTO_360SAFEGUARD, + LPI_CATEGORY_SECURITY, + "360Safeguard", + 8, + match_360safeguard +}; + +void register_360safeguard(LPIModuleMap *mod_map) { + register_protocol(&lpi_360safeguard, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_4d.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_4d.cc new file mode 100644 index 0000000..cd7316c --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_4d.cc @@ -0,0 +1,99 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_4d_5f(uint32_t payload, uint32_t len) { + + if (len == 4 && MATCH(payload, 0x5f, 0x11, 0x00, 0x00)) + return true; + return false; + +} + +static inline bool match_4d_other(uint32_t payload, uint32_t len) { + + if (len == 4 && MATCH(payload, 0x60, 0x11, 0x00, 0x00)) + return true; + if (len == 4 && MATCH(payload, 0x61, 0x11, 0x00, 0x00)) + return true; + return false; + +} + +static inline bool match_4d_len72(uint32_t payload, uint32_t len) { + if (len == 72 && MATCH(payload, 0x00, 0x00, 0x00, 0x48)) + return true; + return false; +} + +static inline bool match_4d_len12(uint32_t payload, uint32_t len) { + if (len == 12 && MATCH(payload, 0x00, 0x00, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_4d(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_4d_5f(data->payload[0], data->payload_len[0])) { + if (match_4d_other(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_4d_5f(data->payload[1], data->payload_len[1])) { + if (match_4d_other(data->payload[0], data->payload_len[0])) + return true; + } + + if (match_4d_len72(data->payload[0], data->payload_len[0])) { + if (match_4d_len12(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_4d_len72(data->payload[1], data->payload_len[1])) { + if (match_4d_len12(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_4d = { + LPI_PROTO_4D, + LPI_CATEGORY_DATABASES, + "4D", + 75, + match_4d +}; + +void register_4d(LPIModuleMap *mod_map) { + register_protocol(&lpi_4d, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_acestream.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_acestream.cc new file mode 100644 index 0000000..c6f205c --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_acestream.cc @@ -0,0 +1,76 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_ace_greet(uint32_t payload, uint32_t len) { + + if (len == 46 && MATCH(payload, 0x11, 'A', 'c', 'e')) + return true; + return false; + +} + +static inline bool match_ace_66(uint32_t payload, uint32_t len) { + + if (len == 0) + return true; + if (len == 66 && MATCH(payload, 0x11, 'A', 'c', 'e')) + return true; + return false; + +} + +static inline bool match_acestream(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_ace_greet(data->payload[0], data->payload_len[0])) { + if (match_ace_greet(data->payload[1], data->payload_len[1])) { + return true; + } + if (match_ace_66(data->payload[1], data->payload_len[1])) { + return true; + } + } + + return false; +} + +static lpi_module_t lpi_acestream = { + LPI_PROTO_ACESTREAM, + LPI_CATEGORY_P2P, + "AceStream", + 6, + match_acestream +}; + +void register_acestream(LPIModuleMap *mod_map) { + register_protocol(&lpi_acestream, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_afp.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_afp.cc new file mode 100644 index 0000000..194c23f --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_afp.cc @@ -0,0 +1,53 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_afp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Looking for a DSI header - command 4 is OpenSession */ + if (match_str_both(data, "\x00\x04\x00\x01", "\x01\x04\x00\x01")) + return true; + + return false; +} + +static lpi_module_t lpi_afp = { + LPI_PROTO_AFP, + LPI_CATEGORY_FILES, + "AFP", + 5, + match_afp +}; + +void register_afp(LPIModuleMap *mod_map) { + register_protocol(&lpi_afp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_airdroid.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_airdroid.cc new file mode 100644 index 0000000..ef94071 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_airdroid.cc @@ -0,0 +1,139 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_airdroid_req(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 0x2a, 0x33, 0x0d, 0x0a)) { + if (len == 97) + return true; + } + + if (MATCH(payload, 0x2a, 0x35, 0x0d, 0x0a)) { + if (len == 118 || len == 119) + return true; + } + + return false; +} + +static inline bool match_airdroid_resp(uint32_t payload, uint32_t len) { + if (len != 4) + return false; + if (MATCH(payload, 0x2b, 0x68, 0x0d, 0x0a)) + return true; + return false; +} + +static inline bool match_airdroid_get(uint32_t payload) { + + if (MATCH(payload, 'G', 'E', 'T', 0x20)) + return true; + return false; +} + +static inline bool is_hexdigit(uint32_t byte) { + + if (byte < 0x30) + return false; + if (byte > 0x39 && byte < 0x61) + return false; + if (byte > 0x66) + return false; + return true; +} + +static inline bool match_airdroid_33(uint32_t payload, uint32_t len) { + + uint32_t ordered = ntohl(payload); + uint32_t byte; + + /* Needs some proper testing against real airdroid traffic */ + if (len == 33) { + byte = (ordered & 0xff); + if (!is_hexdigit(byte)) + return false; + + byte = ((ordered >> 8) & 0xff); + if (!is_hexdigit(byte)) + return false; + + byte = ((ordered >> 16) & 0xff); + if (!is_hexdigit(byte)) + return false; + + byte = ((ordered >> 24) & 0xff); + if (!is_hexdigit(byte)) + return false; + + return true; + } + return false; +} + +static inline bool match_airdroid(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_airdroid_req(data->payload[0], data->payload_len[0])) { + if (match_airdroid_resp(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_airdroid_req(data->payload[1], data->payload_len[1])) { + if (match_airdroid_resp(data->payload[0], data->payload_len[0])) + return true; + } + + if (data->server_port == 9991 || data->client_port == 9991) { + if (match_airdroid_33(data->payload[0], data->payload_len[0])) { + if (match_airdroid_get(data->payload[1])) + return true; + } + if (match_airdroid_33(data->payload[1], data->payload_len[1])) { + if (match_airdroid_get(data->payload[0])) + return true; + } + } + + return false; +} + +static lpi_module_t lpi_airdroid = { + LPI_PROTO_AIRDROID, + LPI_CATEGORY_CLOUD, + "AirDroid", + 12, + match_airdroid +}; + +void register_airdroid(LPIModuleMap *mod_map) { + register_protocol(&lpi_airdroid, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_airmedia.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_airmedia.cc new file mode 100644 index 0000000..752b8fe --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_airmedia.cc @@ -0,0 +1,76 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Crestron Airmedia -- more details at: + * http://www.boredhackerblog.info/2016/02/extracting-images-from-crestron.html + */ + +static inline bool match_cam_wppi(uint32_t payload, uint32_t len) { + if (len == 12 && MATCHSTR(payload, "wppi")) + return true; + return false; +} + +static inline bool match_cam_sender(uint32_t payload, uint32_t len) { + if (len == 32 && MATCHSTR(payload, "Send")) + return true; + return false; +} + +static inline bool match_airmedia(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Port 515 */ + if (match_cam_wppi(data->payload[0], data->payload_len[0])) { + if (match_cam_sender(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_cam_wppi(data->payload[1], data->payload_len[1])) { + if (match_cam_sender(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_airmedia = { + LPI_PROTO_AIRMEDIA, + LPI_CATEGORY_REMOTE, + "Airmedia", + 5, + match_airmedia +}; + +void register_airmedia(LPIModuleMap *mod_map) { + register_protocol(&lpi_airmedia, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_akamai.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_akamai.cc new file mode 100644 index 0000000..85d0361 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_akamai.cc @@ -0,0 +1,62 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_akamai_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* TCP exchanges between Akamai nodes */ + + /* Seems to always be over port 9050, so add a check if too many + * false positives */ + + /* Payload is 00000000 in both directions */ + if (data->payload[0] != 0 || data->payload[1] != 0) + return false; + if (data->payload_len[0] == 163 && data->payload_len[1] == 149) + return true; + if (data->payload_len[1] == 163 && data->payload_len[0] == 149) + return true; + + return false; +} + +static lpi_module_t lpi_akamai_tcp = { + LPI_PROTO_AKAMAI, + LPI_CATEGORY_CDN, + "AkamaiTCP", + 9, + match_akamai_tcp +}; + +void register_akamai_tcp(LPIModuleMap *mod_map) { + register_protocol(&lpi_akamai_tcp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_amp.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_amp.cc new file mode 100644 index 0000000..6e7aa1d --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_amp.cc @@ -0,0 +1,72 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_amp_throughput(lpi_data_t *data) { + /* AMP Throughput generally uses port 8826 or 8827 */ + if (data->server_port != 8826 && data->client_port != 8826 + && data->server_port != 8827 && + data->client_port != 8827) + return false; + + /* AMP Throughput tests are large one-way data transfers */ + if (data->payload_len[0] != 0 && data->payload_len[1] != 0) + return false; + + /* Packets are always going to be MSS-sized -- assume MTU is no + * smaller than 1280 bytes */ + if (data->payload_len[0] < 1240 && data->payload_len[1] < 1240) + return false; + + return true; + +} + +static inline bool match_amp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_amp_throughput(data)) + return true; + + return false; +} + +static lpi_module_t lpi_amp = { + LPI_PROTO_AMP, + LPI_CATEGORY_MONITORING, + "AMP", + 240, /* AMP is not something I'd expect to see outside of Waikato */ + match_amp +}; + +void register_amp(LPIModuleMap *mod_map) { + register_protocol(&lpi_amp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_antcoin.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_antcoin.cc new file mode 100644 index 0000000..02d57fb --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_antcoin.cc @@ -0,0 +1,57 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +static inline bool match_antcoin(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* port 10333 */ + + if (MATCH(data->payload[0], 'A', 'n', 't', 0x00)) { + if (MATCH(data->payload[1], 'A', 'n', 't', 0x00)) + return true; + } + + return false; +} + +static lpi_module_t lpi_antcoin = { + LPI_PROTO_ANTCOIN, + LPI_CATEGORY_ECOMMERCE, + "AntCoin", + 5, + match_antcoin +}; + +void register_antcoin(LPIModuleMap *mod_map) { + register_protocol(&lpi_antcoin, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_appearin.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_appearin.cc new file mode 100644 index 0000000..5ba45a6 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_appearin.cc @@ -0,0 +1,89 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +/* Signalling protocol (?) used by appear.in, a WebRTC based video + * conferencing system. + */ + +static inline bool match_appear_req(uint32_t payload, uint32_t len) { + + uint32_t hlen = ntohl(payload) & 0xffff; + + /* Usually 28 bytes */ + if (hlen == len - 20 && MATCH(payload, 0x00, 0x03, 0x00, ANY)) + return true; + return false; + +} + +static inline bool match_appear_resp(uint32_t payload, uint32_t len) { + + uint32_t hlen = ntohl(payload) & 0xffff; + + /* Usually 92 bytes */ + if (hlen == len - 20 && MATCH(payload, 0x01, 0x13, 0x00, ANY)) + return true; + return false; + +} + +static inline bool match_appearin(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 443 && data->client_port != 443) + return false; + + if (match_appear_req(data->payload[0], data->payload_len[0])) { + if (match_appear_resp(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_appear_req(data->payload[1], data->payload_len[1])) { + if (match_appear_resp(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_appearin = { + LPI_PROTO_APPEAR_IN, + LPI_CATEGORY_VOIP, + "Appear.in", + 120, + match_appearin +}; + +void register_appearin(LPIModuleMap *mod_map) { + register_protocol(&lpi_appearin, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_apple_push.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_apple_push.cc new file mode 100644 index 0000000..a678821 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_apple_push.cc @@ -0,0 +1,69 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_apple_push(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* This rule matches the push notifications sent to IOS devices */ + + if (!match_ssl(data)) + return false; + + /* Port 5223 is used for the push notifications */ + if (data->server_port != 5223 && data->client_port != 5223) + return false; + + /* If payload is only one-way, fall back to SSL to avoid risking + * a false positive for other port 5223 SSL apps, e.g. Kik */ + if (data->payload_len[0] == 0 || data->payload_len[1] == 0) + return false; + + /* Too much size variation to write a good set of rules based on + * payload sizes, just use this as the fallback option for all + * SSL traffic on 5223 that doesn't match something else, e.g. + * PSN store */ + + return true; +} + +static lpi_module_t lpi_apple_push = { + LPI_PROTO_APPLE_PUSH, + LPI_CATEGORY_NOTIFICATION, + "ApplePush", + 8, /* Should be a higher priority than regular SSL, but lower than + anything else on port 5223 */ + match_apple_push +}; + +void register_apple_push(LPIModuleMap *mod_map) { + register_protocol(&lpi_apple_push, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_ares.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_ares.cc new file mode 100644 index 0000000..720f318 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_ares.cc @@ -0,0 +1,87 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_ares_client(uint32_t payload, uint32_t len) { + if (len != 6) + return false; + + if (!MATCH(payload, 0x03, 0x00, 0x5a, 0x06)) + return false; + + return true; +} + +static inline bool match_ares_peer(uint32_t payload, uint32_t len) { + + if (len != 138) + return false; + + if (MATCH(payload, 0x87, 0x00, 0x3c, ANY)) + return true; + if (MATCH(payload, 0x87, 0x00, 0x3b, ANY)) + return true; + + return false; + +} + +static inline bool match_ares(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Pretty sure this is the ARES p2p protocol */ + if (match_str_either(data, "ARES")) + return true; + + if (match_ares_client(data->payload[0], data->payload_len[0])) { + if (match_ares_peer(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_ares_client(data->payload[1], data->payload_len[1])) { + if (match_ares_peer(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_ares = { + LPI_PROTO_ARES, + LPI_CATEGORY_P2P, + "Ares", + 8, + match_ares +}; + +void register_ares(LPIModuleMap *mod_map) { + register_protocol(&lpi_ares, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_badbaidu.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_badbaidu.cc new file mode 100644 index 0000000..857be3d --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_badbaidu.cc @@ -0,0 +1,82 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Strange flows that seem to be related to users running the Baidu browser. + * The flow will connect to a Baidu server on port 80, send no data, then + * start sending FINs. After about 6 FINs, the client will then send a one + * byte packet with a sequence number matching the original SYN (which is + * of course completely invalid). At this point, the server usually terminates + * the connection. + * + * Confirmed as being associated with Baidu browser after observing this + * exact traffic after installing the browser. + * + * Not sure what the purpose of this is, or how the browser manages to send + * invalid TCP traffic but it is the root cause behind a lot of non-HTTP + * flows on TCP port 80. + */ + + +static inline bool match_badbaidu(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Only seen on port 80 */ + if (data->client_port != 80 && data->server_port != 80) + return false; + + /* Packet is one byte; the byte itself is 0x00. The other end + * does not send any payload. + */ + if (data->payload_len[0] == 0 && data->payload_len[1] == 1) { + if (MATCH(data->payload[1], 0x00, 0x00, 0x00, 0x00)) + return true; + } + + if (data->payload_len[1] == 0 && data->payload_len[0] == 1) { + if (MATCH(data->payload[0], 0x00, 0x00, 0x00, 0x00)) + return true; + } + + return false; +} + +static lpi_module_t lpi_badbaidu = { + LPI_PROTO_BADBAIDU, + LPI_CATEGORY_MALWARE, + "BadBaidu", + 100, + match_badbaidu +}; + +void register_badbaidu(LPIModuleMap *mod_map) { + register_protocol(&lpi_badbaidu, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_baofeng_tcp.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_baofeng_tcp.cc new file mode 100644 index 0000000..9a74bfc --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_baofeng_tcp.cc @@ -0,0 +1,74 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +static inline bool match_baofeng_52(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 0x52, 0x00, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_baofeng_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port == 7909 || data->client_port == 7909) { + + if (match_baofeng_52(data->payload[1], data->payload_len[1])) { + if (match_baofeng_52(data->payload[0], data->payload_len[0])) + return true; + } + + } + + if (data->server_port == 8189 || data->client_port == 8189) { + if (data->payload_len[0] == 63 && data->payload_len[1] == 152) + return true; + if (data->payload_len[1] == 63 && data->payload_len[0] == 152) + return true; + } + + + return false; +} + +static lpi_module_t lpi_baofeng_tcp = { + LPI_PROTO_BAOFENG, + LPI_CATEGORY_STREAMING, + "Baofeng", + 105, + match_baofeng_tcp +}; + +void register_baofeng_tcp(LPIModuleMap *mod_map) { + register_protocol(&lpi_baofeng_tcp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_beam.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_beam.cc new file mode 100644 index 0000000..e9c6401 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_beam.cc @@ -0,0 +1,66 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_bm(uint32_t payload, uint32_t len) { + if (len == 40 && MATCH(payload, 'B', 'm', 0x0a, 0x04)) { + return true; + } + return false; +} + +static inline bool match_beam(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 8100 && data->client_port != 8100) { + return false; + } + + if (match_bm(data->payload[0], data->payload_len[0])) { + if (match_bm(data->payload[1], data->payload_len[1])) { + return true; + } + } + + return false; +} + +static lpi_module_t lpi_beam = { + LPI_PROTO_BEAM, + LPI_CATEGORY_ECOMMERCE, + "Beam", + 25, + match_beam +}; + +void register_beam(LPIModuleMap *mod_map) { + register_protocol(&lpi_beam, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_bitcoin.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_bitcoin.cc new file mode 100644 index 0000000..137e78c --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_bitcoin.cc @@ -0,0 +1,75 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +static inline bool match_bc_version(uint32_t payload, uint32_t len) { + + if (len >= 24 && MATCH(payload, 0xf9, 0xbe, 0xb4, 0xd9)) + return true; + return false; +} + +static inline bool match_bc_version_reply(uint32_t payload, uint32_t len) { + + if (len >= 24 && MATCH(payload, 0xf9, 0xbe, 0xb4, 0xd9)) + return true; + return false; +} + +static inline bool match_bitcoin(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_bc_version(data->payload[0], data->payload_len[0])) { + if (match_bc_version_reply(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_bc_version(data->payload[1], data->payload_len[1])) { + if (match_bc_version_reply(data->payload[0], data->payload_len[0])) + return true; + } + + + return false; +} + +static lpi_module_t lpi_bitcoin = { + LPI_PROTO_BITCOIN, + LPI_CATEGORY_ECOMMERCE, + "Bitcoin", + 5, + match_bitcoin +}; + +void register_bitcoin(LPIModuleMap *mod_map) { + register_protocol(&lpi_bitcoin, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_bitextend.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_bitextend.cc new file mode 100644 index 0000000..a328211 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_bitextend.cc @@ -0,0 +1,90 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Bittorrent extensions (?) + * + * TODO Find some good references for this + */ + +static inline bool match_bitextend(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_both(data, "\x0\x0\x0\xd", "\x0\x0\x0\x1")) + return true; + if (match_str_both(data, "\x0\x0\x0\x3", "\x0\x0\x0\x38")) + return true; + if (match_str_both(data, "\x0\x0\x0\x3", "\x0\x0\x0\x39")) + return true; + if (match_str_both(data, "\x0\x0\x0\x3", "\x0\x0\x0\x3")) + return true; + + if (match_str_both(data, "\x0\x0\x0\x4e", "\x0\x0\x0\xb2")) + return true; + if (match_chars_either(data, 0x00, 0x00, 0x40, 0x09)) + return true; + + if (MATCH(data->payload[0], 0x00, 0x00, 0x01, ANY) && + MATCH(data->payload[1], 0x00, 0x00, 0x00, 0x38)) + return true; + if (MATCH(data->payload[1], 0x00, 0x00, 0x01, ANY) && + MATCH(data->payload[0], 0x00, 0x00, 0x00, 0x38)) + return true; + + if (MATCH(data->payload[0], 0x00, 0x00, 0x00, ANY) && + MATCH(data->payload[1], 0x00, 0x00, 0x00, 0x05)) + return true; + if (MATCH(data->payload[1], 0x00, 0x00, 0x00, ANY) && + MATCH(data->payload[0], 0x00, 0x00, 0x00, 0x05)) + return true; + + if (MATCH(data->payload[0], 0x01, 0x00, ANY, 0x68) && + MATCH(data->payload[1], 0x00, 0x00, 0x00, 0x05)) + return true; + if (MATCH(data->payload[1], 0x01, 0x00, ANY, 0x68) && + MATCH(data->payload[0], 0x00, 0x00, 0x00, 0x05)) + return true; + + + return false; +} + +static lpi_module_t lpi_bitextend = { + LPI_PROTO_BITEXT, + LPI_CATEGORY_P2P, + "Bittorrent_Extension", + 5, /* This is probably fine, but I'd rather have this at 5 than 2 */ + match_bitextend +}; + +void register_bitextend(LPIModuleMap *mod_map) { + register_protocol(&lpi_bitextend, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_bittorrent.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_bittorrent.cc new file mode 100644 index 0000000..b953003 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_bittorrent.cc @@ -0,0 +1,96 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_bittorrent_header(uint32_t payload, uint32_t len) { + + if (len == 0) + return true; + + if (MATCH(payload, 0x13, 'B', 'i', 't')) + return true; + + if (len == 3 && MATCH(payload, 0x13, 'B', 'i', 0x00)) + return true; + if (len == 2 && MATCH(payload, 0x13, 'B', 0x00, 0x00)) + return true; + if (len == 1 && MATCH(payload, 0x13, 0x00, 0x00, 0x00)) + return true; + + return false; + +} + + +static inline bool match_ww_xx_header(uint32_t payload, uint32_t len) { + /* Fairly confident that this is related to Bittorrent, though I + * can't seem to find any source code or documentation that references + * it. + * + * The full string included in the header is: + * 0x13 #WW-XX#@77 + */ + if (len == 0) + return true; + if (MATCH(payload, 0x13, 0x23, 0x57, 0x57)) + return true; + return false; + +} + +static inline bool match_bittorrent(lpi_data_t *data, lpi_module_t *mod UNUSED) +{ + if (match_bittorrent_header(data->payload[0], data->payload_len[0])) { + if (match_bittorrent_header(data->payload[1], + data->payload_len[1])) + return true; + } + + if (match_ww_xx_header(data->payload[0], data->payload_len[0])) { + if (match_ww_xx_header(data->payload[1], data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_bittorrent = { + LPI_PROTO_BITTORRENT, + LPI_CATEGORY_P2P, + "BitTorrent", + 2, + match_bittorrent +}; + +void register_bittorrent(LPIModuleMap *mod_map) { + register_protocol(&lpi_bittorrent, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_blackdesert.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_blackdesert.cc new file mode 100644 index 0000000..ded8c93 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_blackdesert.cc @@ -0,0 +1,93 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* First two bytes definitely look like a little-endian length + * field, so we could use that to match more reply types */ + +/* Port 9991, 9992 and 9993 */ + +static inline bool match_bdo_request(uint32_t payload, uint32_t len) { + + if (len == 111 && MATCH(payload, 0x6f, 0x00, 0x01, 0x9d)) + return true; + if (len == 111 && MATCH(payload, 0x6f, 0x00, 0x01, 0x46)) + return true; + if (len == 277 && MATCH(payload, 0x15, 0x01, 0x01, ANY)) + return true; + if (len == 433 && MATCH(payload, 0xb1, 0x01, 0x01, ANY)) + return true; + return false; + +} + +static inline bool match_bdo_reply(uint32_t payload, uint32_t len) { + + if (len == 112 && MATCH(payload, 0x70, 0x00, 0x01, ANY)) + return true; + if (len == 113 && MATCH(payload, 0x71, 0x00, 0x01, ANY)) + return true; + if (len == 119 && MATCH(payload, 0x77, 0x00, 0x01, 0x46)) + return true; + + return false; + +} + +static inline bool match_blackdesert(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + + if (match_bdo_request(data->payload[0], data->payload_len[0])) { + if (match_bdo_reply(data->payload[1], data->payload_len[1])) + return true; + } + + + if (match_bdo_request(data->payload[1], data->payload_len[1])) { + if (match_bdo_reply(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_blackdesert = { + LPI_PROTO_BLACKDESERT, + LPI_CATEGORY_GAMING, + "BlackDesertOnline", + 12, + match_blackdesert +}; + +void register_blackdesert(LPIModuleMap *mod_map) { + register_protocol(&lpi_blackdesert, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_blizzard.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_blizzard.cc new file mode 100644 index 0000000..d1b0fdb --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_blizzard.cc @@ -0,0 +1,88 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_bnet_auth_req(uint32_t payload, uint32_t len) { + + if (len >= 160 && len <= 170 && MATCH(payload, 0x00, 0x0a, 0x08, 0xfe)) + return true; + return false; + +} + +static inline bool match_bnet_auth_resp(uint32_t payload, uint32_t len) { + + if (len == 184 || len == 199) { + if (MATCH(payload, 0x00, 0x09, 0x08, 0x00)) + return true; + } + return false; +} + +static inline bool match_blizzard(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_both(data, "\x10\xdf\x22\x00", "\x10\x00\x00\x00")) + return true; + + if (MATCH(data->payload[0], 0x00, ANY, 0xed, 0x01) && + MATCH(data->payload[1], 0x00, 0x06, 0xec, 0x01)) + return true; + if (MATCH(data->payload[1], 0x00, ANY, 0xed, 0x01) && + MATCH(data->payload[0], 0x00, 0x06, 0xec, 0x01)) + return true; + + + /* More up to date battle.net authentication protocol */ + if (match_bnet_auth_req(data->payload[0], data->payload_len[0])) { + if (match_bnet_auth_resp(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_bnet_auth_req(data->payload[1], data->payload_len[1])) { + if (match_bnet_auth_resp(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_blizzard = { + LPI_PROTO_BLIZZARD, + LPI_CATEGORY_GAMING, + "Blizzard", + 2, + match_blizzard +}; + +void register_blizzard(LPIModuleMap *mod_map) { + register_protocol(&lpi_blizzard, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_btsync.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_btsync.cc new file mode 100644 index 0000000..a0ecd38 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_btsync.cc @@ -0,0 +1,52 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_btsync(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_either(data, "BSYN")) + return true; + + return false; +} + +static lpi_module_t lpi_btsync = { + LPI_PROTO_BTSYNC, + LPI_CATEGORY_FILES, + "BitTorrentSync", + 8, + match_btsync +}; + +void register_btsync(LPIModuleMap *mod_map) { + register_protocol(&lpi_btsync, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_bwsyncandshare.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_bwsyncandshare.cc new file mode 100644 index 0000000..acbb51e --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_bwsyncandshare.cc @@ -0,0 +1,85 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Have not tested against the application itself, as it is restricted + * to certain German universities. There may be more variants of this + * traffic. + */ + +static inline bool match_bws_951(uint32_t payload, uint32_t len) { + if (len == 4 && MATCH(payload, 0x00, 0x00, 0x09, 0x51)) + return true; + return false; +} + +static inline bool match_bws_other(uint32_t payload, uint32_t len) { + + uint32_t lastbyte = ntohl(payload) & 0x000000ff; + + if (len == 4 && MATCH(payload, 0x00, 0x00, 0x08, ANY)) { + /* Byte 4 is always 0xfX, where X can be just about + * anything. + */ + if ((lastbyte & 0xf0) == 0xf0) + return true; + } + return false; +} + +static inline bool match_bwsyncandshare(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Port 60107? */ + if (match_bws_951(data->payload[0], data->payload_len[0])) { + if (match_bws_other(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_bws_951(data->payload[1], data->payload_len[1])) { + if (match_bws_other(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_bwsyncandshare = { + LPI_PROTO_BWSYNC, + LPI_CATEGORY_CLOUD, + "BWSyncAndShare", + 120, + match_bwsyncandshare +}; + +void register_bwsyncandshare(LPIModuleMap *mod_map) { + register_protocol(&lpi_bwsyncandshare, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_cacaoweb.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_cacaoweb.cc new file mode 100644 index 0000000..5f6b57b --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_cacaoweb.cc @@ -0,0 +1,65 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_cacaoweb_header(uint32_t payload, uint32_t len) { + if (!MATCH(payload, 0x84, 0x95, 0xa6, 0xbe)) + return false; + if (len >= 51 && len <= 56) + return true; + if (len == 91) + return true; + return false; + +} + +static inline bool match_cacaoweb(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_cacaoweb_header(data->payload[0], data->payload_len[0])) { + if (match_cacaoweb_header(data->payload[1], data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_cacaoweb = { + LPI_PROTO_CACAOWEB, + LPI_CATEGORY_P2P, + "CacaoWeb", + 5, + match_cacaoweb +}; + +void register_cacaoweb(LPIModuleMap *mod_map) { + register_protocol(&lpi_cacaoweb, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_cgp.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_cgp.cc new file mode 100644 index 0000000..3a8b1c2 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_cgp.cc @@ -0,0 +1,55 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_cgp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Citrix CGP is a special version of ICA that runs on TCP port + * 2598 */ + + if (match_str_both(data, "\x1a""CGP", "\x1a""CGP")) + return true; + + return false; +} + +static lpi_module_t lpi_cgp = { + LPI_PROTO_CGP, + LPI_CATEGORY_REMOTE, + "CitrixCGP", + 3, + match_cgp +}; + +void register_cgp(LPIModuleMap *mod_map) { + register_protocol(&lpi_cgp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_chatango.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_chatango.cc new file mode 100644 index 0000000..c36ca87 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_chatango.cc @@ -0,0 +1,82 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_chatango_in(uint32_t payload, uint32_t len) { + + if (len != 2) + return false; + if (!MATCH(payload, 'v', 0x00, 0x00, 0x00)) + return false; + + return true; + +} + +static inline bool match_chatango_out(uint32_t payload, uint32_t len) { + + if (len != 10) + return false; + if (MATCH(payload, 'v', ':', '1', '0')) + return true; + if (MATCH(payload, 'v', ':', '1', '4')) + return true; + + return false; + +} + +static inline bool match_chatango(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_chatango_out(data->payload[0], data->payload_len[0])) { + if (match_chatango_in(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_chatango_in(data->payload[0], data->payload_len[0])) { + if (match_chatango_out(data->payload[1], data->payload_len[1])) + return true; + } + return false; +} + +static lpi_module_t lpi_chatango = { + LPI_PROTO_CHATANGO, + LPI_CATEGORY_CHAT, + "Chatango", + 3, + match_chatango +}; + +void register_chatango(LPIModuleMap *mod_map) { + register_protocol(&lpi_chatango, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_cisco_vpn.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_cisco_vpn.cc new file mode 100644 index 0000000..5e4b22c --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_cisco_vpn.cc @@ -0,0 +1,76 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_cisco_vpn_server(uint32_t payload, uint32_t len) { + if (len == 0) + return true; + if (MATCH(payload, 0x01, 0xf4, ANY, ANY)) + return true; + return false; +} + +static inline bool match_cisco_vpn_client(uint32_t payload, uint32_t len) { + if (len == 0) + return true; + if (MATCH(payload, ANY, ANY, 0x01, 0xf4)) + return true; + return false; +} + +static inline bool match_cisco_vpn(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_cisco_vpn_server(data->payload[0], data->payload_len[0])) { + if (match_cisco_vpn_client(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_cisco_vpn_server(data->payload[1], data->payload_len[1])) { + if (match_cisco_vpn_client(data->payload[0], data->payload_len[0])) + return true; + } + + return false; + +} + +static lpi_module_t lpi_cisco_vpn = { + LPI_PROTO_CISCO_VPN, + LPI_CATEGORY_TUNNELLING, + "Cisco_VPN", + 7, + match_cisco_vpn +}; + +void register_cisco_vpn(LPIModuleMap *mod_map) { + register_protocol(&lpi_cisco_vpn, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_clashofclans.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_clashofclans.cc new file mode 100644 index 0000000..2574507 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_clashofclans.cc @@ -0,0 +1,98 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_coc_login(uint32_t payload, uint32_t len) { + + /* First two bytes are 10101 (0x2775) or 10100 (0x2774) + * Next three bytes are a length field, usually 250-330 bytes */ + + if (MATCH(payload, 0x27, 0x75, 0x00, 0x01)) + return true; + if (MATCH(payload, 0x27, 0x75, 0x00, 0x00)) + return true; + + if (MATCH(payload, 0x27, 0x74, 0x00, 0x01)) + return true; + if (MATCH(payload, 0x27, 0x74, 0x00, 0x00)) + return true; + + return false; + +} + +static inline bool match_coc_encrypt(uint32_t payload, uint32_t len) { + + /* First two bytes are 20000 (0x4e20) or 20100 (0x4e84) + * Next three bytes are a length field, always seems to be just + * under 256 bytes */ + + if (MATCH(payload, 0x4e, 0x20, 0x00, 0x00)) + return true; + if (MATCH(payload, 0x4e, 0x84, 0x00, 0x00)) + return true; + + return false; + +} + +static inline bool match_clashofclans(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Could limit this to port 9339, but the pattern is probably strong + * enough by itself */ + /* Actually, port 1863 is also used... */ + + if (match_coc_login(data->payload[0], data->payload_len[0])) { + if (match_coc_encrypt(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_coc_login(data->payload[1], data->payload_len[1])) { + if (match_coc_encrypt(data->payload[0], data->payload_len[0])) + return true; + } + + + return false; +} + +static lpi_module_t lpi_clashofclans = { + LPI_PROTO_CLASH_OF_CLANS, + LPI_CATEGORY_GAMING, + "ClashOfClans", + 4, + match_clashofclans +}; + +void register_clashofclans(LPIModuleMap *mod_map) { + register_protocol(&lpi_clashofclans, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_classin_tcp.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_classin_tcp.cc new file mode 100644 index 0000000..fcf9697 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_classin_tcp.cc @@ -0,0 +1,75 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_classin_41(uint32_t payload, uint32_t len) { + if (len == 41 && MATCH(payload, 0x1a, 0x03, 0x00, 0x02)) { + return true; + } + return false; +} + +static inline bool match_classin_52(uint32_t payload, uint32_t len) { + if (len == 52 && MATCH(payload, 0x1a, 0x03, 0x00, 0x02)) { + return true; + } + return false; +} + +static inline bool match_classin_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_classin_41(data->payload[0], data->payload_len[0])) { + if (match_classin_52(data->payload[1], data->payload_len[1])) { + return true; + } + } + + if (match_classin_41(data->payload[1], data->payload_len[1])) { + if (match_classin_52(data->payload[0], data->payload_len[0])) { + return true; + } + } + + return false; +} + +static lpi_module_t lpi_classin_tcp = { + LPI_PROTO_CLASSIN, + LPI_CATEGORY_EDUCATIONAL, + "ClassIn_TCP", + 133, + match_classin_tcp +}; + +void register_classin_tcp(LPIModuleMap *mod_map) { + register_protocol(&lpi_classin_tcp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_clubbox.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_clubbox.cc new file mode 100644 index 0000000..3bf6d74 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_clubbox.cc @@ -0,0 +1,57 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_clubbox(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (!match_str_both(data, "\x00\x00\x01\x03", "\x00\x00\x01\x03")) + return false; + + if (data->payload_len[0] == 36 && data->payload_len[1] == 28) + return true; + if (data->payload_len[1] == 36 && data->payload_len[0] == 28) + return true; + + return false; +} + +static lpi_module_t lpi_clubbox = { + LPI_PROTO_CLUBBOX, + LPI_CATEGORY_P2P, + "Clubbox", + 3, + match_clubbox +}; + +void register_clubbox(LPIModuleMap *mod_map) { + register_protocol(&lpi_clubbox, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_cod_waw.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_cod_waw.cc new file mode 100644 index 0000000..edd4002 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_cod_waw.cc @@ -0,0 +1,63 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_cod_waw(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Call of Duty: World at War uses TCP port 3074 - the protocol isn't + * well documented, but traffic matching this pattern goes to known + * CoD servers */ + + if (data->server_port != 3074 && data->client_port != 3074) + return false; + + if (data->payload_len[0] != 4 || data->payload_len[1] != 4) + return false; + + if (data->payload[0] != 0 || data->payload[1] != 0) + return false; + + return true; + +} + +static lpi_module_t lpi_cod_waw = { + LPI_PROTO_COD_WAW, + LPI_CATEGORY_GAMING, + "Call_of_Duty_TCP", + 10, /* Weak rule */ + match_cod_waw +}; + +void register_cod_waw(LPIModuleMap *mod_map) { + register_protocol(&lpi_cod_waw, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_conquer.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_conquer.cc new file mode 100644 index 0000000..99bb107 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_conquer.cc @@ -0,0 +1,67 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_conquer(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->payload_len[0] == 5 && data->payload_len[1] == 4 && + MATCH(data->payload[0], 'R', 'E', 'A', 'D')) + return true; + if (data->payload_len[1] == 5 && data->payload_len[0] == 4 && + MATCH(data->payload[1], 'R', 'E', 'A', 'D')) + return true; + + if (data->payload_len[0] == 4 && (MATCH(data->payload[0], '5', '0', ANY, ANY) || + MATCH(data->payload[0], '5', '1', ANY, ANY)) && + MATCH(data->payload[1], 'U', 'P', 'D', 'A')) + return true; + + if (data->payload_len[1] == 4 && (MATCH(data->payload[1], '5', '0', ANY, ANY) || + MATCH(data->payload[1], '5', '1', ANY, ANY)) && + MATCH(data->payload[0], 'U', 'P', 'D', 'A')) + return true; + + + return false; +} + +static lpi_module_t lpi_conquer = { + LPI_PROTO_CONQUER, + LPI_CATEGORY_GAMING, + "ConquerOnline", + 3, + match_conquer +}; + +void register_conquer(LPIModuleMap *mod_map) { + register_protocol(&lpi_conquer, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_crashplan.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_crashplan.cc new file mode 100644 index 0000000..fcdb795 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_crashplan.cc @@ -0,0 +1,76 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_crashplan_16(uint32_t payload, uint32_t len) { + + if (len != 16) + return false; + return true; + +} + +static inline bool match_crashplan_6(uint32_t payload, uint32_t len) { + + if (len != 6) + return false; + if (!MATCH(payload, 0x80, 0x63, 0x00, 0x00)) + return false; + return true; + +} + +static inline bool match_crashplan(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_crashplan_16(data->payload[0], data->payload_len[0])) { + if (match_crashplan_6(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_crashplan_16(data->payload[1], data->payload_len[1])) { + if (match_crashplan_6(data->payload[0], data->payload_len[0])) + return true; + } + return false; +} + +static lpi_module_t lpi_crashplan = { + LPI_PROTO_CRASHPLAN, + LPI_CATEGORY_CLOUD, + "CrashPlan", + 50, + match_crashplan +}; + +void register_crashplan(LPIModuleMap *mod_map) { + register_protocol(&lpi_crashplan, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_crossfire_tcp.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_crossfire_tcp.cc new file mode 100644 index 0000000..2f73f2b --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_crossfire_tcp.cc @@ -0,0 +1,82 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_cf_05(uint32_t payload, uint32_t len) { + if (len == 65 && MATCH(payload, 0x05, 0x01, 0x99, 0x01)) + return true; + return false; +} + +static inline bool match_cf_tcp(uint32_t payload, uint32_t len) { + + uint32_t hlen = bswap_le_to_host32(payload & 0xffff00) >> 8; + + if (len < 1350 && hlen != len - 7) + return false; + if (MATCH(payload, 0xf1, ANY, ANY, 0x01)) + return true; + if (MATCH(payload, 0xf1, ANY, ANY, 0x00)) + return true; + return false; +} + +static inline bool match_crossfire_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_cf_tcp(data->payload[0], data->payload_len[0])) { + if (match_cf_tcp(data->payload[1], data->payload_len[1])) { + return true; + } + if (match_cf_05(data->payload[1], data->payload_len[1])) { + return true; + } + } + + if (match_cf_05(data->payload[0], data->payload_len[0])) { + if (match_cf_tcp(data->payload[1], data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_crossfire_tcp = { + LPI_PROTO_CROSSFIRE, + LPI_CATEGORY_GAMING, + "CrossfireTCP", + 30, + match_crossfire_tcp +}; + +void register_crossfire_tcp(LPIModuleMap *mod_map) { + register_protocol(&lpi_crossfire_tcp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_cryptic.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_cryptic.cc new file mode 100644 index 0000000..44f6c1e --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_cryptic.cc @@ -0,0 +1,55 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Cryptic are the company behind several popular MMOs, including + * Champions Online and Star Trek Online */ + +static inline bool match_cryptic(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_both(data, "Cryp", "Cryp")) + return true; + + return false; +} + +static lpi_module_t lpi_cryptic = { + LPI_PROTO_CRYPTIC, + LPI_CATEGORY_GAMING, + "Cryptic", + 2, + match_cryptic +}; + +void register_cryptic(LPIModuleMap *mod_map) { + register_protocol(&lpi_cryptic, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_cvs.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_cvs.cc new file mode 100644 index 0000000..976cb29 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_cvs.cc @@ -0,0 +1,90 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_cvs_request(uint32_t data, uint32_t len) { + + if (MATCHSTR(data, "BEGI")) + return true; + return false; + +} + +static inline bool match_cvs_response(uint32_t data, uint32_t len) { + + if (len == 0) + return true; + + /* "I LOVE YOU" = auth succeeded */ + if (MATCHSTR(data, "I LO")) + return true; + + /* "I HATE YOU" = auth failed */ + if (MATCHSTR(data, "I HA")) + return true; + + /* "E <msg>" = a message */ + if (MATCH(data, 'E', ' ', ANY, ANY)) + return true; + + /* error = an error */ + if (MATCHSTR(data, "erro")) + return true; + + return false; + +} + +static inline bool match_cvs(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_cvs_request(data->payload[0], data->payload_len[0]) && + match_cvs_response(data->payload[1], data->payload_len[1])) + return true; + + if (match_cvs_request(data->payload[1], data->payload_len[1]) && + match_cvs_response(data->payload[0], data->payload_len[0])) + return true; + + return false; +} + +static lpi_module_t lpi_cvs = { + LPI_PROTO_CVS, + LPI_CATEGORY_RCS, + "CVS", + 3, + match_cvs +}; + +void register_cvs(LPIModuleMap *mod_map) { + register_protocol(&lpi_cvs, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_dahua_tcp.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_dahua_tcp.cc new file mode 100644 index 0000000..8e308bb --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_dahua_tcp.cc @@ -0,0 +1,92 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Chinese IP surveillance Cameras */ + +static inline bool match_dahua_ports(uint16_t sport, uint16_t cport) { + if (sport == 8888 || cport == 8888) { + return true; + } + + if (sport == 37777 || cport == 37777) { + return true; + } + return false; +} + +static inline bool match_f4_186(uint32_t payload, uint32_t len) { + if (len == 186 && MATCH(payload, 0xf4, 0x00, 0x00, 0x00)) + return true; + return false; + +} + +static inline bool match_f4_208(uint32_t payload, uint32_t len) { + if (len >= 206 && len <= 208 && MATCH(payload, 0xf4, 0x00, 0x00, 0x58)) + return true; + return false; + +} + +static inline bool match_dahua(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (!match_dahua_ports(data->server_port, data->client_port)) { + return false; + } + + if (match_f4_186(data->payload[0], data->payload_len[0])) { + if (match_f4_208(data->payload[1], data->payload_len[1])) { + return true; + } + } + + if (match_f4_186(data->payload[1], data->payload_len[1])) { + if (match_f4_208(data->payload[0], data->payload_len[0])) { + return true; + } + } + + return false; +} + +static lpi_module_t lpi_dahua_tcp = { + LPI_PROTO_DAHUA, + LPI_CATEGORY_IPCAMERAS, + "DahuaTCP", + 13, + match_dahua +}; + +void register_dahua_tcp(LPIModuleMap *mod_map) { + register_protocol(&lpi_dahua_tcp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_dash.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_dash.cc new file mode 100644 index 0000000..4355b07 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_dash.cc @@ -0,0 +1,74 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_dash_125(uint32_t payload, uint32_t len) { + + if (len == 125 && MATCH(payload, 0xbf, 0x0c, 0x6b, 0xbd)) + return true; + return false; +} + +static inline bool match_dash_130(uint32_t payload, uint32_t len) { + + if (len == 130 && MATCH(payload, 0xbf, 0x0c, 0x6b, 0xbd)) + return true; + return false; +} + +static inline bool match_dash(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Port 9999 */ + if (match_dash_125(data->payload[0], data->payload_len[0])) { + if (match_dash_130(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_dash_125(data->payload[1], data->payload_len[1])) { + if (match_dash_130(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_dash = { + LPI_PROTO_DASH, + LPI_CATEGORY_ECOMMERCE, + "Dash", + 5, + match_dash +}; + +void register_dash(LPIModuleMap *mod_map) { + register_protocol(&lpi_dash, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_dell_backup.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_dell_backup.cc new file mode 100644 index 0000000..65ede05 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_dell_backup.cc @@ -0,0 +1,85 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* This one is a bit tenuous but I'm reasonably confident that this is + * something to do with the Dell backup and recovery service. All observed + * traffic matching the rules described here go 66.151.242.0/24, which has + * previously reversed to dellbackupandrecoverycloudstorage.com. + */ + +static inline bool match_dell_backup_req(uint32_t payload, uint32_t len) { + if (len != 12) + return false; + if (MATCH(payload, 0x08, 0x00, 0x00, 0x00)) + return true; + return false; + +} + +static inline bool match_dell_backup_resp(uint32_t payload, uint32_t len) { + if (len != 24) + return false; + if (MATCH(payload, 0x14, 0x00, 0x00, 0x00)) + return true; + return false; + +} + +static inline bool match_dell_backup(lpi_data_t *data, lpi_module_t *mod UNUSED) { + if (data->server_port != 443 && data->client_port != 443) + return false; + + if (match_dell_backup_req(data->payload[0], data->payload_len[0])) { + if (match_dell_backup_resp(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_dell_backup_req(data->payload[1], data->payload_len[1])) { + if (match_dell_backup_resp(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_dell_backup = { + LPI_PROTO_DELL_BACKUP, + LPI_CATEGORY_CLOUD, + "DellBackup", + 100, + match_dell_backup +}; + +void register_dell_backup(LPIModuleMap *mod_map) { + register_protocol(&lpi_dell_backup, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_destiny.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_destiny.cc new file mode 100644 index 0000000..5066e08 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_destiny.cc @@ -0,0 +1,74 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Destiny -- multiplayer FPS by Bungie */ + +static inline bool match_destiny_request(uint32_t payload, uint32_t len) { + if (len == 140 && MATCH(payload, 0x01, 0x02, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_destiny_reply(uint32_t payload, uint32_t len) { + if (len == 142 && MATCH(payload, 0x01, 0x02, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_destiny(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_destiny_request(data->payload[0], data->payload_len[0])) { + if (match_destiny_reply(data->payload[1], data->payload_len[1])) + return true; + } + + + if (match_destiny_request(data->payload[1], data->payload_len[1])) { + if (match_destiny_reply(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_destiny = { + LPI_PROTO_DESTINY, + LPI_CATEGORY_GAMING, + "Destiny", + 23, + match_destiny +}; + +void register_destiny(LPIModuleMap *mod_map) { + register_protocol(&lpi_destiny, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_diablo3.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_diablo3.cc new file mode 100644 index 0000000..311fc8f --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_diablo3.cc @@ -0,0 +1,71 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_diablo_req(uint32_t payload, uint32_t len) { + if (len == 25 && MATCH(payload, 0x00, 0x00, 0x00, 0x19)) + return true; + return false; +} + +static inline bool match_diablo_resp(uint32_t payload, uint32_t len) { + if (len == 66 && MATCH(payload, 0x00, 0x00, 0x00, 0x42)) + return true; + return false; +} + +static inline bool match_diablo3(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + + if (match_diablo_req(data->payload[0], data->payload_len[0])) { + if (match_diablo_resp(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_diablo_req(data->payload[1], data->payload_len[1])) { + if (match_diablo_resp(data->payload[0], data->payload_len[0])) + return true; + } + return false; +} + +static lpi_module_t lpi_diablo3 = { + LPI_PROTO_DIABLO3, + LPI_CATEGORY_GAMING, + "Diablo3", + 5, + match_diablo3 +}; + +void register_diablo3(LPIModuleMap *mod_map) { + register_protocol(&lpi_diablo3, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_dianping_tcp.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_dianping_tcp.cc new file mode 100644 index 0000000..3239ea1 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_dianping_tcp.cc @@ -0,0 +1,82 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +static inline bool match_dianping_query(uint32_t payload, uint32_t len) { + if (len != 1) + return false; + if (MATCH(payload, 0x00, 0x00, 0x00, 0x00)) + return true; + if (MATCH(payload, 0x01, 0x00, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_dianping_resp(uint32_t payload, uint32_t len) { + if (len != 1) + return false; + if (MATCH(payload, 0x00, 0x00, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_dianping_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 80 && data->client_port != 80 && + data->client_port != 443 && data->server_port != 443) + return false; + + if (match_dianping_query(data->payload[0], data->payload_len[0])) { + if (match_dianping_resp(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_dianping_query(data->payload[1], data->payload_len[1])) { + if (match_dianping_resp(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_dianping_tcp = { + LPI_PROTO_DIANPING, + LPI_CATEGORY_MOBILE_APP, + "DianpingTCP", + 210, + match_dianping_tcp +}; + +void register_dianping_tcp(LPIModuleMap *mod_map) { + register_protocol(&lpi_dianping_tcp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_directconnect.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_directconnect.cc new file mode 100644 index 0000000..392415e --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_directconnect.cc @@ -0,0 +1,64 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_dc(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* $MyN seemed best to check for - might have to check for $max and + * $Sup as well */ + /* NOTE: Some people seem to use DC to connect to port 80 and get + * HTTP responses. At this stage, I'd rather that fell under DC rather + * than HTTP, so we need to check for this before we check for HTTP */ + + + if (match_str_either(data, "$MyN")) return true; + if (match_str_either(data, "$Sup")) return true; + if (match_str_either(data, "$Loc")) return true; + + /* Response is usually an HTTP response - we could check that if + * needed */ + + return false; + +} + +static lpi_module_t lpi_directconnect = { + LPI_PROTO_DC, + LPI_CATEGORY_P2P, + "DirectConnect", + 1, /* Need a higher priority than regular HTTP */ + match_dc +}; + +void register_directconnect(LPIModuleMap *mod_map) { + register_protocol(&lpi_directconnect, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_dnf.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_dnf.cc new file mode 100644 index 0000000..3482109 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_dnf.cc @@ -0,0 +1,73 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_dnf_90(uint32_t payload, uint32_t len) { + if (len == 90 && MATCH(payload, 0x01, 0x00, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_dnf_258(uint32_t payload, uint32_t len) { + if (len == 258 && MATCH(payload, 0x01, 0x00, 0x00, 0x01)) + return true; + return false; +} + +static inline bool match_dnf(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Port 80 or 443 */ + + if (match_dnf_90(data->payload[0], data->payload_len[0])) { + if (match_dnf_258(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_dnf_90(data->payload[1], data->payload_len[1])) { + if (match_dnf_258(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_dnf = { + LPI_PROTO_DNF, + LPI_CATEGORY_GAMING, + "DNF", + 150, + match_dnf +}; + +void register_dnf(LPIModuleMap *mod_map) { + register_protocol(&lpi_dnf, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_dns.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_dns.cc new file mode 100644 index 0000000..2f2468b --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_dns.cc @@ -0,0 +1,102 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static bool match_length_single(uint32_t payload, uint32_t len) { + + uint32_t statedlen; + + if (len == 2) { + return true; + } + + statedlen = (ntohl(payload) >> 16); + + if (statedlen < 1280) { + if (statedlen != len - 2) + return false; + } + + return true; +} + +static bool match_dns_tcp_length(lpi_data_t *data) { + + uint32_t id0, id1; + + if (data->payload_len[0] == 0 || data->payload_len[1] == 0) + return false; + + if (data->server_port != 53 && data->client_port != 53) + return false; + + if (!match_length_single(data->payload[0], data->payload_len[0])) + return false; + + if (!match_length_single(data->payload[1], data->payload_len[1])) + return false; + + if (data->payload_len[0] > 2 && data->payload_len[1] > 2) { + + id0 = (ntohl(data->payload[0]) & 0xffff); + id1 = (ntohl(data->payload[1]) & 0xffff); + + if (id0 != id1) + return false; + } + + + return true; +} + + +static bool match_tcp_dns(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_dns(data)) + return true; + if (match_dns_tcp_length(data)) + return true; + + return false; + +} + +static lpi_module_t lpi_dns = { + LPI_PROTO_DNS, + LPI_CATEGORY_SERVICES, + "DNS_TCP", + 6, /* Not a high certainty */ + match_tcp_dns +}; + +void register_dns_tcp(LPIModuleMap *mod_map) { + register_protocol(&lpi_dns, mod_map); +} diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_dogecoin.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_dogecoin.cc new file mode 100644 index 0000000..12aa27b --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_dogecoin.cc @@ -0,0 +1,68 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_dc_magic(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 0xc0, 0xc0, 0xc0, 0xc0)) { + if (len >= 125 && len <= 129) + return true; + if (len == 142) + return true; + } + return false; + +} + +static inline bool match_dogecoin(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Port == 22556 */ + + if (match_dc_magic(data->payload[0], data->payload_len[0])) { + if (match_dc_magic(data->payload[1], data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_dogecoin = { + LPI_PROTO_DOGECOIN, + LPI_CATEGORY_ECOMMERCE, + "Dogecoin", + 8, + match_dogecoin +}; + +void register_dogecoin(LPIModuleMap *mod_map) { + register_protocol(&lpi_dogecoin, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_douyu.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_douyu.cc new file mode 100644 index 0000000..28eb419 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_douyu.cc @@ -0,0 +1,109 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* This is a classic 4-byte length protocol, but there is plenty of + * scope for the packet sizes to vary a bit so we can't just look for + * a specific combo of packet sizes */ + +static inline bool match_douyu_req(uint32_t payload, uint32_t len) { + + uint32_t plen = bswap_le_to_host32(payload); + + /* Packet usually contains a username and a password so + * can probably vary quite a bit in size */ + if (plen == len - 4) { + if (len <= 255) + return true; + } + + return false; +} + +static inline bool match_douyu_reply(uint32_t payload, uint32_t len) { + + uint32_t plen = bswap_le_to_host32(payload); + + /* Response packets seem like they will vary a lot less in + * size -- could be wrong though */ + + if (plen == len - 4) { + if (len >= 225 && len <= 255) + return true; + } + + return false; +} + +static inline bool match_douyu_port(uint16_t port) { + + /* Based purely on observed flows, rather than any docs */ + if (port >= 8601 && port <= 8605) + return true; + if (port >= 12601 && port <= 12605) + return true; + return false; +} + +static inline bool match_douyu(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Tends to use a couple of different port ranges */ + if (!match_douyu_port(data->server_port) && + !match_douyu_port(data->client_port)) { + return false; + } + + if (match_douyu_req(data->payload[0], data->payload_len[0])) { + if (match_douyu_reply(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_douyu_req(data->payload[1], data->payload_len[1])) { + if (match_douyu_reply(data->payload[0], data->payload_len[0])) + return true; + } + + + return false; +} + +static lpi_module_t lpi_douyu = { + LPI_PROTO_DOUYU, + LPI_CATEGORY_STREAMING, + "Douyu", + 249, + match_douyu +}; + +void register_douyu(LPIModuleMap *mod_map) { + register_protocol(&lpi_douyu, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_douyu_chat.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_douyu_chat.cc new file mode 100644 index 0000000..dc6e169 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_douyu_chat.cc @@ -0,0 +1,82 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_douyu_ee(uint32_t payload, uint32_t len) { + + if (len == 242 && MATCH(payload, 0xee, 0x00, 0x00, 0x00)) + return true; + return false; + +} + +static inline bool match_douyu_len(uint32_t payload, uint32_t len) { + + + if (bswap_host_to_le32(payload) == len - 4) + return true; + return false; + +} + +static inline bool match_douyu_chat(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 8601 && data->client_port != 8601 && + data->client_port != 8602 && data->server_port != 8602) + { + return false; + } + + if (match_douyu_ee(data->payload[0], data->payload_len[0])) { + if (match_douyu_len(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_douyu_ee(data->payload[1], data->payload_len[1])) { + if (match_douyu_len(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_douyu_chat = { + LPI_PROTO_DOUYU_CHAT, + LPI_CATEGORY_CHAT, + "DouyuChat", + 133, + match_douyu_chat +}; + +void register_douyu_chat(LPIModuleMap *mod_map) { + register_protocol(&lpi_douyu_chat, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_duelingnetwork.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_duelingnetwork.cc new file mode 100644 index 0000000..643ebee --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_duelingnetwork.cc @@ -0,0 +1,57 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_duelingnetwork(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 1235 && data->client_port != 1235) + return false; + + if (data->payload_len[0] == 40 && MATCHSTR(data->payload[0], "Ritv")) + return true; + if (data->payload_len[1] == 40 && MATCHSTR(data->payload[1], "Ritv")) + return true; + + return false; +} + +static lpi_module_t lpi_duelingnetwork = { + LPI_PROTO_DUELING_NETWORK, + LPI_CATEGORY_GAMING, + "DuelingNetwork", + 4, + match_duelingnetwork +}; + +void register_duelingnetwork(LPIModuleMap *mod_map) { + register_protocol(&lpi_duelingnetwork, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_dvrns.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_dvrns.cc new file mode 100644 index 0000000..fbc50b2 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_dvrns.cc @@ -0,0 +1,101 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_dvrns_typea(uint32_t payload_a, uint32_t len_a, + uint32_t payload_b, uint32_t len_b) { + + if (!MATCH(payload_a, 0x12, 0xa4, 0x00, 0x01)) + return false; + if (len_a != 188) + return false; + if (len_b == 0) + return true; + if (len_b != 20) + return false; + if (!MATCH(payload_b, 0x12, 0xa4, 0x00, 0x01)) + return false; + return true; + +} + +static inline bool match_dvrns_typeb(uint32_t payload_a, uint32_t len_a, + uint32_t payload_b, uint32_t len_b) { + + if (!MATCH(payload_a, 0x12, 0xa4, 0x00, 0x01)) + return false; + if (len_a != 12) + return false; + if (len_b == 0) + return true; + if (len_b != 140) + return false; + if (!MATCH(payload_b, 0x12, 0xa4, 0x00, 0x01)) + return false; + return true; + +} + +static inline bool match_dvrns(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* DVRNS is basically DNS for DVR surveillance systems */ + + /* Not sure whether this is just the protocol used by dvrnames.net + * or all DVRNS systems */ + + if (match_dvrns_typea(data->payload[0], data->payload_len[0], + data->payload[1], data->payload_len[1])) + return true; + if (match_dvrns_typea(data->payload[1], data->payload_len[1], + data->payload[0], data->payload_len[0])) + return true; + if (match_dvrns_typeb(data->payload[0], data->payload_len[0], + data->payload[1], data->payload_len[1])) + return true; + if (match_dvrns_typeb(data->payload[1], data->payload_len[1], + data->payload[0], data->payload_len[0])) + return true; + + return false; +} + +static lpi_module_t lpi_dvrns = { + LPI_PROTO_DVRNS, + LPI_CATEGORY_SERVICES, + "DVRNS", + 10, + match_dvrns +}; + +void register_dvrns(LPIModuleMap *mod_map) { + register_protocol(&lpi_dvrns, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_dxp.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_dxp.cc new file mode 100644 index 0000000..1ab0cda --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_dxp.cc @@ -0,0 +1,51 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_dxp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_chars_either(data, 0xb0, 0x04, 0x15, 0x00)) + return true; + return false; +} + +static lpi_module_t lpi_dxp = { + LPI_PROTO_DXP, + LPI_CATEGORY_DATABASES, + "Silverplatter_DXP", + 3, + match_dxp +}; + +void register_dxp(LPIModuleMap *mod_map) { + register_protocol(&lpi_dxp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_ea_games.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_ea_games.cc new file mode 100644 index 0000000..c061bae --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_ea_games.cc @@ -0,0 +1,63 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_ea_games(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Not sure exactly what game this is, but the server matches the + * EA IP range and the default port is 9946 */ + + if (match_str_both(data, "&lgr", "&lgr")) + return true; + + if (match_str_either(data, "&lgr")) { + if (data->payload_len[0] == 0) + return true; + if (data->payload_len[1] == 0) + return true; + } + + + return false; +} + +static lpi_module_t lpi_ea_games = { + LPI_PROTO_EA_GAMES, + LPI_CATEGORY_GAMING, + "EA_Games", + 4, + match_ea_games +}; + +void register_ea_games(LPIModuleMap *mod_map) { + register_protocol(&lpi_ea_games, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_emule.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_emule.cc new file mode 100644 index 0000000..5e18dc5 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_emule.cc @@ -0,0 +1,51 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_emule_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_emule(data)) + return true; + return false; +} + +static lpi_module_t lpi_emule = { + LPI_PROTO_EMULE, + LPI_CATEGORY_P2P, + "EMule", + 10, /* We've always had this at low priority */ + match_emule_tcp +}; + +void register_emule(LPIModuleMap *mod_map) { + register_protocol(&lpi_emule, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_ethernetip.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_ethernetip.cc new file mode 100644 index 0000000..e309665 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_ethernetip.cc @@ -0,0 +1,96 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_command(uint32_t payload) { + + // no op + if (MATCH(payload, 0x00, 0x00, ANY, ANY)) + return true; + // list services + if (MATCH(payload, 0x04, 0x00, ANY, ANY)) + return true; + // list identity + if (MATCH(payload, 0x63, 0x00, ANY, ANY)) + return true; + // list interfaces + if (MATCH(payload, 0x64, 0x00, ANY, ANY)) + return true; + // register session + if (MATCH(payload, 0x65, 0x00, 0x04, 0x00)) + return true; + // un-register session + if (MATCH(payload, 0x66, 0x00, ANY, ANY)) + return true; + // sendrrdata + if (MATCH(payload, 0x6f, 0x00, ANY, ANY)) + return true; + // send unit data + if (MATCH(payload, 0x70, 0x00, ANY, ANY)) + return true; + // indicate status + if (MATCH(payload, 0x72, 0x00, ANY, ANY)) + return true; + // cancel + if (MATCH(payload, 0x73, 0x00, ANY, ANY)) + return true; + // error + if (MATCH(payload, 0xff, 0xff, ANY, ANY)) + return true; + + return false; +} + +static inline bool match_ethernetip(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->payload_len[0] < 24 || data->payload_len[1] < 24) + return false; + + if (data->server_port != 44818 && data->client_port != 44818) + return false; + + if (match_command(data->payload[0]) && match_command(data->payload[1])) + return true; + + return false; +} + +static lpi_module_t lpi_ethernetip = { + LPI_PROTO_ETHERNETIP, + LPI_CATEGORY_ICS, + "EtherNet/IP", + 100, + match_ethernetip +}; + +void register_ethernetip(LPIModuleMap *mod_map) { + register_protocol(&lpi_ethernetip, mod_map); +} diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_eye.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_eye.cc new file mode 100644 index 0000000..294e87e --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_eye.cc @@ -0,0 +1,54 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* All-seeing Eye - Yahoo Games */ + +static inline bool match_eye(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_either(data, "EYE1")) + return true; + + return false; +} + +static lpi_module_t lpi_eye = { + LPI_PROTO_EYE, + LPI_CATEGORY_GAMING, + "AllSeeingEye", + 3, + match_eye +}; + +void register_eye(LPIModuleMap *mod_map) { + register_protocol(&lpi_eye, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_facebook_turn.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_facebook_turn.cc new file mode 100644 index 0000000..95bd2fb --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_facebook_turn.cc @@ -0,0 +1,94 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_fbturn_request(uint32_t payload, uint32_t len) { + /* 0x74 == len - 2, 0x0001 == binding request */ + + if (len == 118 && MATCH(payload, 0x00, 0x74, 0x00, 0x01)) + return true; + if (len == 114 && MATCH(payload, 0x00, 0x70, 0x00, 0x01)) + return true; + if (len == 110 && MATCH(payload, 0x00, 0x6c, 0x00, 0x01)) + return true; + if (len == 122 && MATCH(payload, 0x00, 0x78, 0x00, 0x01)) + return true; + if (len == 126 && MATCH(payload, 0x00, 0x7c, 0x00, 0x01)) + return true; + return false; +} + +static inline bool match_fbturn_reply(uint32_t payload, uint32_t len) { + /* 0x40 == len - 2, 0x0101 == binding accepted */ + + if (len == 66 && MATCH(payload, 0x00, 0x40, 0x01, 0x01)) + return true; + if (len == 82 && MATCH(payload, 0x00, 0x50, 0x01, 0x01)) + return true; + return false; +} + +static inline bool match_facebook_turn(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Seems to be a slightly custom version of TURN, as there is a two + * byte length field preceding the conventional STUN header. Can't + * find any explanation for this in RFC 5766, so maybe it is a Facebook + * addition? + */ + + if (data->server_port != 443 && data->client_port != 443) + return false; + + if (match_fbturn_request(data->payload[0], data->payload_len[0])) { + if (match_fbturn_reply(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_fbturn_request(data->payload[1], data->payload_len[1])) { + if (match_fbturn_reply(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_facebook_turn = { + LPI_PROTO_FACEBOOK_TURN, + LPI_CATEGORY_NAT, + "FacebookTURN", + 55, + match_facebook_turn +}; + +void register_facebook_turn(LPIModuleMap *mod_map) { + register_protocol(&lpi_facebook_turn, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_fb_message.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_fb_message.cc new file mode 100644 index 0000000..eeba8c7 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_fb_message.cc @@ -0,0 +1,86 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Observed while using Facebook Messenger -- I used the unofficial desktop + * version (https://messengerfordesktop.com/) to talk to another account + * logged into a web browser. I suspect direct app->app voice/video calls + * may use the protocol more heavily. + */ + +static inline bool match_fb_msg_104(uint32_t payload, uint32_t len) { + if (len == 104 && MATCH(payload, 0x01, 0x13, 0x00, 0x54)) + return true; + if (len == 116 && MATCH(payload, 0x01, 0x13, 0x00, 0x60)) + return true; + return false; +} + +static inline bool match_fb_msg_28(uint32_t payload, uint32_t len) { + if (len == 28 && MATCH(payload, 0x00, 0x03, 0x00, 0x08)) + return true; + if (len == 44 && MATCH(payload, 0x00, 0x03, 0x00, 0x18)) + return true; + return false; +} + +static inline bool match_fb_message(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 3478 && data->client_port != 3478 && + data->server_port != 443 && data->client_port != 443) + return false; + + if (match_fb_msg_28(data->payload[0], data->payload_len[0])) { + if (match_fb_msg_104(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_fb_msg_28(data->payload[1], data->payload_len[1])) { + if (match_fb_msg_104(data->payload[0], data->payload_len[0])) + return true; + } + + + return false; +} + +static lpi_module_t lpi_fb_message = { + LPI_PROTO_FACEBOOK_MESSENGER, + LPI_CATEGORY_CHAT, + "FacebookMessenger", + 9, + match_fb_message +}; + +void register_fb_message(LPIModuleMap *mod_map) { + register_protocol(&lpi_fb_message, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_fbcdn_ssl.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_fbcdn_ssl.cc new file mode 100644 index 0000000..9ef1232 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_fbcdn_ssl.cc @@ -0,0 +1,80 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Seems to be a custom version of SSL used by the FNA servers provided + * by Facebook? */ + +static inline bool match_normal_req(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 0x16, 0x03, 0x01, ANY)) + return true; + return false; +} + +static inline bool match_odd_reply(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 0x63, 0x03, 0x01, 0x00)) + return true; + return false; +} + +static inline bool match_fbcdn_ssl(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Port 443 */ + + if (match_normal_req(data->payload[0], data->payload_len[0])) { + if (match_odd_reply(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_normal_req(data->payload[1], data->payload_len[1])) { + if (match_odd_reply(data->payload[0], data->payload_len[0])) + return true; + } + + + + return false; +} + +static lpi_module_t lpi_fbcdn_ssl = { + LPI_PROTO_FBCDN_SSL, + LPI_CATEGORY_WEB, + "FacebookCDNSSL", + 112, + match_fbcdn_ssl +}; + +void register_fbcdn_ssl(LPIModuleMap *mod_map) { + register_protocol(&lpi_fbcdn_ssl, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_ffxiv.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_ffxiv.cc new file mode 100644 index 0000000..c934302 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_ffxiv.cc @@ -0,0 +1,78 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_ff_96(uint32_t payload, uint32_t len) { + /* Some flows also have a 672 byte packet */ + if (len != 96 && len != 672) + return false; + if (MATCH(payload, 0x00, 0x00, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_ff_other(uint32_t payload, uint32_t len) { + if (len == 0) + return false; + if (len == 64 || len == 63 || len == 153 || len == 154) { + if (MATCH(payload, 0x00, 0x00, 0x00, 0x00)) + return true; + } + return false; +} + +static inline bool match_ffxiv(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_ff_96(data->payload[0], data->payload_len[0])) { + if (match_ff_other(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_ff_96(data->payload[1], data->payload_len[1])) { + if (match_ff_other(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_ffxiv = { + LPI_PROTO_FINALFANTASY_XIV, + LPI_CATEGORY_GAMING, + "FinalFantasy14", + 55, + match_ffxiv +}; + +void register_ffxiv(LPIModuleMap *mod_map) { + register_protocol(&lpi_ffxiv, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_filenori.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_filenori.cc new file mode 100644 index 0000000..fb0ea02 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_filenori.cc @@ -0,0 +1,86 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Filenori is the most likely candidate for this -- hard to test because + * you need to pay money to download anything and probably not a good look + * for me to be paying money for this kind of service... + */ + +static inline bool match_100(uint32_t payload, uint32_t len) { + + if (len != 15) + return false; + if (MATCHSTR(payload, "100 ")) + return true; + return false; +} + +static inline bool match_command(uint32_t payload, uint32_t len) { + + /* Probably short for START */ + if ((len == 20 || len == 19) && MATCHSTR(payload, "STAR")) + return true; + + /* DOWNLOAD ? */ + if (len == 39 && MATCHSTR(payload, "DOWN")) + return true; + + return false; + +} + +static inline bool match_filenori(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_100(data->payload[0], data->payload_len[0])) { + if (match_command(data->payload[1], data->payload_len[1])) + return true; + } + if (match_100(data->payload[1], data->payload_len[1])) { + if (match_command(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_filenori = { + LPI_PROTO_FILENORI, + LPI_CATEGORY_P2P, + "Filenori", + 15, + match_filenori +}; + +void register_filenori(LPIModuleMap *mod_map) { + register_protocol(&lpi_filenori, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_flash.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_flash.cc new file mode 100644 index 0000000..e56b470 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_flash.cc @@ -0,0 +1,69 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_flash(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Flash player stuff - cross-domain policy etc. */ + + if (match_str_either(data, "<cro")) { + if (match_str_either(data, "<msg")) + return true; + if (match_str_either(data, "<pol")) + return true; + if (data->payload_len[0] == 0) + return true; + if (data->payload_len[1] == 0) + return true; + } + + if (match_str_either(data, "<?xm")) { + if (match_str_either(data, "<pol")) + return true; + if (match_str_either(data, "<msg")) + return true; + } + + return false; +} + +static lpi_module_t lpi_flash = { + LPI_PROTO_FLASH, + LPI_CATEGORY_STREAMING, + "Flash_Player", + 6, + match_flash +}; + +void register_flash(LPIModuleMap *mod_map) { + register_protocol(&lpi_flash, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_fliggy.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_fliggy.cc new file mode 100644 index 0000000..f97e9dc --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_fliggy.cc @@ -0,0 +1,97 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +/* Bytes 3 and 4 are a length field */ +static inline bool match_fliggy_req(uint32_t payload, uint32_t len) { + + uint32_t hlen = ntohl(payload) & 0xffff; + + if (MATCH(payload, 0xd1, 0x00, ANY, ANY) || + MATCH(payload, 0xd5, 0x00, ANY, ANY)) { + if (hlen == len - 4) + return true; + /* Try to account for messages that are longer than one MTU */ + if (len >= 1300 && hlen > len) + return true; + } + + if (MATCH(payload, 0xd5, 0x00, 0x01, 0x16) && len >= 282) { + return true; + } + return false; +} + +static inline bool match_fliggy_resp(uint32_t payload, uint32_t len) { + + /* Usually, but not always 174 bytes -- I'm guessing sometimes + * messages get merged? + */ + if (MATCH(payload, 0xd3, 0x00, 0x00, 0xaa) && len >= 174) + return true; + + /* Same for this one, usually 58 but not always */ + if (MATCH(payload, 0xd3, 0x00, 0x00, 0x36) && len >= 58) + return true; + return false; + +} + +static inline bool match_fliggy(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Ports 80 and 443, typically */ + + if (match_fliggy_req(data->payload[0], data->payload_len[0])) { + if (match_fliggy_resp(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_fliggy_req(data->payload[1], data->payload_len[1])) { + if (match_fliggy_resp(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_fliggy = { + LPI_PROTO_FLIGGY, + LPI_CATEGORY_ECOMMERCE, + "Fliggy", + 30, + match_fliggy +}; + +void register_fliggy(LPIModuleMap *mod_map) { + register_protocol(&lpi_fliggy, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_fring.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_fring.cc new file mode 100644 index 0000000..33dee22 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_fring.cc @@ -0,0 +1,52 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_fring(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_both(data, "NOPC", "1234")) + return true; + + return false; +} + +static lpi_module_t lpi_fring = { + LPI_PROTO_FRING, + LPI_CATEGORY_VOIP, + "Fring", + 2, + match_fring +}; + +void register_fring(LPIModuleMap *mod_map) { + register_protocol(&lpi_fring, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_ftpcontrol.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_ftpcontrol.cc new file mode 100644 index 0000000..0fd7b2e --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_ftpcontrol.cc @@ -0,0 +1,110 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_ftp_reply_code(uint32_t payload, uint32_t len) { + + if (len == 0) + return true; + + if (MATCHSTR(payload, "220 ")) + return true; + if (MATCHSTR(payload, "220-")) + return true; + return false; +} + +static inline bool match_ftp_command(uint32_t payload, uint32_t len) { + + if (len == 0) + return true; + /* There are lots of valid FTP commands, but let's just limit this + * to ones we've observed for now */ + + if (MATCHSTR(payload, "USER")) + return true; + if (MATCHSTR(payload, "QUIT")) + return true; + if (MATCHSTR(payload, "FEAT")) + return true; + if (MATCHSTR(payload, "HELP")) + return true; + if (MATCHSTR(payload, "user")) + return true; + if (MATCHSTR(payload, "AUTH")) + return true; + + /* This is invalid syntax, but clients using HOST seem to revert to + * sane FTP commands once the server reports a syntax error */ + if (MATCHSTR(payload, "HOST")) + return true; + + return false; + +} + +static inline bool match_ftp_control(lpi_data_t *data, + lpi_module_t *mod UNUSED) { + + /*https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol*/ + /* Rule out SMTP which uses similar reply codes and commands */ + if (data->server_port == 25 || data->client_port == 25 || + data->server_port == 587 || data->client_port == 587 || + data->server_port == 110 || data->client_port == 110 || + data->server_port == 143 || data->client_port == 143) + return false; + + if (match_ftp_reply_code(data->payload[0], data->payload_len[0])) { + if (match_ftp_command(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_ftp_reply_code(data->payload[1], data->payload_len[1])) { + if (match_ftp_command(data->payload[0], data->payload_len[0])) + return true; + } + + + return false; +} + +static lpi_module_t lpi_ftpcontrol = { + LPI_PROTO_FTP_CONTROL, + LPI_CATEGORY_FILES, + "FTP_Control", + 3, + match_ftp_control +}; + +void register_ftpcontrol(LPIModuleMap *mod_map) { + register_protocol(&lpi_ftpcontrol, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_ftpdata.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_ftpdata.cc new file mode 100644 index 0000000..dd77395 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_ftpdata.cc @@ -0,0 +1,152 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_bulk_response(uint32_t payload, uint32_t len) { + + /* Most FTP-style transactions result in no packets being sent back + * to server (aside from ACKs) */ + + if (len == 0) + return true; + + /* However, there is at least one FTP client that sends some sort of + * sequence number back to the server - maybe allowing for resumption + * of paused transfers? + * + * XXX This seems to be related to completely failing to implement the + * FTP protocol correctly. There is usually a flow preceding these + * flows that sends commands like "get" and "dir" to the server, + * which are not actually part of the FTP protocol. Instead, these + * are often commands typed into FTP CLI clients that are converted + * into the appropriate FTP commands. No idea what software is doing + * this, but it is essentially emulating FTP so I'll keep it in here + * for now. + * */ + + if (len == 4 && MATCH(payload, 0x00, 0x00, ANY, ANY)) + return true; + + + /* Another weird FTP client: sends the occasional one byte response */ + if (len == 1 && MATCH(payload, 0x00, 0x00, 0x00, 0x00)) + return true; + return false; + +} + + +/* Bulk download covers files being downloaded through a separate channel, + * like FTP data. We identify these by observing file type identifiers at the + * start of the packet. This is not a protocol in itself, but it's almost + * certainly FTP. + */ +static inline bool match_bulk_download(lpi_data_t *data) { + + if (match_bulk_response(data->payload[1], data->payload_len[1]) && + (data->observed[0] == 0 && (data->payload[0]))) + return true; + if (match_bulk_response(data->payload[0], data->payload_len[0]) && + (data->observed[1] == 0 && match_file_header(data->payload[1]))) + return true; + + return false; +} + +static inline bool match_directory(lpi_data_t *data) { + + /* FTP Data can start with directory permissions */ + if ( (MATCH(data->payload[0], '-', ANY, ANY, ANY) || + MATCH(data->payload[0], 'd', ANY, ANY, ANY)) && + (MATCH(data->payload[0], ANY, '-', ANY, ANY) || + MATCH(data->payload[0], ANY, 'r', ANY, ANY)) && + (MATCH(data->payload[0], ANY, ANY, '-', ANY) || + MATCH(data->payload[0], ANY, ANY, 'w', ANY)) && + (MATCH(data->payload[0], ANY, ANY, ANY, '-') || + MATCH(data->payload[0], ANY, ANY, ANY, 'x')) ) + + return true; + + if ( (MATCH(data->payload[1], '-', ANY, ANY, ANY) || + MATCH(data->payload[1], 'd', ANY, ANY, ANY)) && + (MATCH(data->payload[1], ANY, '-', ANY, ANY) || + MATCH(data->payload[1], ANY, 'r', ANY, ANY)) && + (MATCH(data->payload[1], ANY, ANY, '-', ANY) || + MATCH(data->payload[1], ANY, ANY, 'w', ANY)) && + (MATCH(data->payload[1], ANY, ANY, ANY, '-') || + MATCH(data->payload[1], ANY, ANY, ANY, 'x')) ) + + return true; + return false; +} + +static inline bool match_ftp_data(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_bulk_download(data)) + return true; + + /* XXX All rules below this are for one-way exchanges only */ + if (data->payload_len[0] > 0 && data->payload_len[1] > 0) + return false; + + /* All rules for ftp data are for first observed data only */ + if(data->observed[0] != 0 || data->observed[1] != 0) + return false; + + if (match_directory(data)) + return true; + + /* Virus definition updates from CA are delivered via FTP */ + if (match_str_either(data, "Viru")) + return true; + + /* XXX - I hate having to look at port numbers but there are no + * useful headers in FTP data exchanges; all the FTP protocol stuff + * is done using the control channel */ + if (data->client_port == 20 || data->server_port == 20) + return true; + + return false; +} + +static lpi_module_t lpi_ftpdata = { + LPI_PROTO_FTP_DATA, + LPI_CATEGORY_FILES, + "FTP_Data", + 7, /* Some of these rules rely on port numbers and one-way data, so + * should have a lower priority than more concrete rules */ + match_ftp_data +}; + +void register_ftpdata(LPIModuleMap *mod_map) { + register_protocol(&lpi_ftpdata, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_fuckcoin.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_fuckcoin.cc new file mode 100644 index 0000000..e407d1c --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_fuckcoin.cc @@ -0,0 +1,68 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_fc_magic(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 0xfb, 0xc0, 0xb6, 0xdb)) { + if (len == 126) + return true; + if (len == 146) + return true; + } + return false; + +} + +static inline bool match_fuckcoin(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Port == 9333 */ + + if (match_fc_magic(data->payload[0], data->payload_len[0])) { + if (match_fc_magic(data->payload[1], data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_fuckcoin = { + LPI_PROTO_FUCKCOIN, + LPI_CATEGORY_ECOMMERCE, + "Dogecoin", + 8, + match_fuckcoin +}; + +void register_fuckcoin(LPIModuleMap *mod_map) { + register_protocol(&lpi_fuckcoin, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_funshion.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_funshion.cc new file mode 100644 index 0000000..358f83e --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_funshion.cc @@ -0,0 +1,78 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" +#include <stdio.h> + +/* Funshion is a Chinese P2PTV application that seems to use a bunch + * of different protocols / messages. + */ + +static inline bool match_funshion_54(uint32_t payload, uint32_t len) { + + if (len != 54) + return false; + + /* Byte 4 is always 0x00. + * Byte 3 is always 0x?1, where '?' can be any hex digit. + */ + if ((payload & 0xff0f0000) == 0x00010000) + return true; + + return false; + +} + +static inline bool match_funshion_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Only ever observed this traffic pattern on port 6601 */ + if (data->server_port == 6601 || data->client_port == 6601) { + if (match_funshion_54(data->payload[0], data->payload_len[0])) { + if (match_funshion_54(data->payload[1], data->payload_len[1])) + return true; + } + } + + return false; + +} + +static lpi_module_t lpi_funshion_tcp = { + LPI_PROTO_FUNSHION, + LPI_CATEGORY_P2PTV, + "Funshion_TCP", + 10, + match_funshion_tcp +}; + +void register_funshion_tcp(LPIModuleMap *mod_map) { + register_protocol(&lpi_funshion_tcp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_gamespy.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_gamespy.cc new file mode 100644 index 0000000..7947571 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_gamespy.cc @@ -0,0 +1,76 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_gamespy_bsr(uint32_t payload, uint32_t len) { + + if (len != 16) + return false; + if (!MATCH(payload, 0x5c, 'b', 's', 'r')) + return false; + return true; + +} + +static inline bool match_gamespy_search(uint32_t payload, uint32_t len) { + + if (!MATCH(payload, 0x5c, 's', 'e', 'a')) + return false; + return true; + +} + +static inline bool match_gamespy_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_gamespy_bsr(data->payload[0], data->payload_len[0])) { + if (match_gamespy_search(data->payload[1], data->payload_len[1])) + return true; + } + if (match_gamespy_bsr(data->payload[1], data->payload_len[1])) { + if (match_gamespy_search(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_gamespy_tcp = { + LPI_PROTO_GAMESPY, + LPI_CATEGORY_GAMING, + "Gamespy_TCP", + 6, + match_gamespy_tcp +}; + +void register_gamespy_tcp(LPIModuleMap *mod_map) { + register_protocol(&lpi_gamespy_tcp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_gcafe_updater.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_gcafe_updater.cc new file mode 100644 index 0000000..3cbbd0a --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_gcafe_updater.cc @@ -0,0 +1,63 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_caf(uint32_t payload, uint32_t len) { + if (len == 53 && MATCH(payload, 0x0c, 'C', 'A', 'F')) + return true; + return false; +} + +static inline bool match_gcafe_updater(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Seen on ports 16800 and 1839 */ + + + if (match_caf(data->payload[0], data->payload_len[0])) { + if (match_caf(data->payload[1], data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_gcafe_updater = { + LPI_PROTO_GCAFE_UPDATER, + LPI_CATEGORY_P2P, + "G-CafeUpdater", + 11, + match_gcafe_updater +}; + +void register_gcafe_updater(LPIModuleMap *mod_map) { + register_protocol(&lpi_gcafe_updater, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_giop.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_giop.cc new file mode 100644 index 0000000..8dc926d --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_giop.cc @@ -0,0 +1,62 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +static inline bool match_giop(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (MATCH(data->payload[0], 'G', 'I', 'O', 'P')) { + if (MATCH(data->payload[1], 'G', 'I', 'O', 'P')) + return true; + if (data->payload_len[1] == 0) + return true; + } + + if (MATCH(data->payload[1], 'G', 'I', 'O', 'P')) { + if (data->payload_len[0] == 0) + return true; + } + + return false; +} + +static lpi_module_t lpi_giop = { + LPI_PROTO_GIOP, + LPI_CATEGORY_REMOTE, + "GIOP", + 5, + match_giop +}; + +void register_giop(LPIModuleMap *mod_map) { + register_protocol(&lpi_giop, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_git.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_git.cc new file mode 100644 index 0000000..d3481b1 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_git.cc @@ -0,0 +1,81 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> +#include <stdlib.h> +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_git_header(uint32_t payload, uint32_t len) { + int i; + char headerstr[4]; + uint8_t *pl = (uint8_t *)(&payload); + + if (len == 0) + return true; + + memset(headerstr, 0, 4); + for (i = 0; i < 4; i++) { + headerstr[i] = (char)(*pl); + pl++; + } + + uint32_t replen = strtoul(headerstr, NULL, 16); + + if (replen != len) + return false; + + return true; +} + +static inline bool match_git(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_git_header(data->payload[0], data->payload_len[0])) { + if (match_git_header(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_git_header(data->payload[1], data->payload_len[1])) { + if (match_git_header(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_git = { + LPI_PROTO_GIT, + LPI_CATEGORY_RCS, + "Git", + 5, + match_git +}; + +void register_git(LPIModuleMap *mod_map) { + register_protocol(&lpi_git, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_glupteba.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_glupteba.cc new file mode 100644 index 0000000..33f0b54 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_glupteba.cc @@ -0,0 +1,90 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/bkdr_glupteba.yvg */ + +static inline bool match_glup_hello(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 'H', 'E', 'L', 'L')) + return true; + return false; +} + +static inline bool match_glup_id(uint32_t payload, uint32_t len) { + + /* ID changes from infected host to infected host, but I'm + * going to assume the ID has a similar length. + */ + + if (len >= 18 && len <= 25) { + /* Always begins with @ */ + if (MATCH(payload, '@', ANY, ANY, ANY)) + return true; + } + return false; + +} + +static inline bool match_glupteba(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_glup_hello(data->payload[0], data->payload_len[0])) { + if (match_glup_id(data->payload[1], data->payload_len[1])) { + return true; + } + if (match_glup_hello(data->payload[1], data->payload_len[1])) { + return true; + } + } + if (match_glup_hello(data->payload[1], data->payload_len[1])) { + if (match_glup_id(data->payload[0], data->payload_len[0])) { + return true; + } + if (match_glup_hello(data->payload[0], data->payload_len[0])) { + return true; + } + } + + return false; +} + +static lpi_module_t lpi_glupteba = { + LPI_PROTO_GLUPTEBA, + LPI_CATEGORY_MALWARE, + "GluptebaBackdoor", + 50, + match_glupteba +}; + +void register_glupteba(LPIModuleMap *mod_map) { + register_protocol(&lpi_glupteba, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_gnutella.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_gnutella.cc new file mode 100644 index 0000000..608d825 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_gnutella.cc @@ -0,0 +1,54 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_gnutella(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_either(data, "GNUT")) + return true; + if (match_str_either(data, "GIV ")) + return true; + + return false; +} + +static lpi_module_t lpi_gnutella = { + LPI_PROTO_GNUTELLA, + LPI_CATEGORY_P2P, + "Gnutella", + 1, /* Avoid matching HTTP which uses similar commands */ + match_gnutella +}; + +void register_gnutella(LPIModuleMap *mod_map) { + register_protocol(&lpi_gnutella, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_goku.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_goku.cc new file mode 100644 index 0000000..206589e --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_goku.cc @@ -0,0 +1,53 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_goku(lpi_data_t *data, lpi_module_t *mod UNUSED) { + if (match_str_both(data, "ok:g", "baut")) + return true; + if (match_str_both(data, "ok:w", "baut")) + return true; + + return false; +} + +static lpi_module_t lpi_goku = { + LPI_PROTO_GOKUCHAT, + LPI_CATEGORY_CHAT, + "GokuChat", + 3, + match_goku +}; + +void register_goku(LPIModuleMap *mod_map) { + register_protocol(&lpi_goku, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_googlehangouts.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_googlehangouts.cc new file mode 100644 index 0000000..49417a9 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_googlehangouts.cc @@ -0,0 +1,105 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_hangout_req(uint32_t payload, uint32_t len) { + + if ((len % 114) == 0) { + if (MATCH(payload, 0x00, 0x70, 0x00, 0x01)) + return true; + } + + if ((len % 122) == 0) { + if (MATCH(payload, 0x00, 0x78, 0x00, 0x01)) + return true; + } + + if (len == 110 && MATCH(payload, 0x00, 0x6c, 0x00, 0x01)) + return true; + + return false; +} + +static inline bool match_hangout_resp(uint32_t payload, uint32_t len) { + + if (len == 106) { + if (MATCH(payload, 0x00, 0x68, 0x01, 0x01)) + return true; + } + + if (len == 118) { + if (MATCH(payload, 0x00, 0x74, 0x01, 0x01)) + return true; + } + + if (len == 94 && MATCH(payload, 0x00, 0x5c, 0x01, 0x01)) + return true; + + return false; +} + + +static inline bool match_googlehangouts(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Based on traffic seen on port 19305 to google addresses */ + + /* Limit this to port 19305 - 19309 */ + if (data->server_port < 19305 || data->server_port > 19309) { + if (data->client_port < 19305 || data->client_port > 19309) + return false; + } + + if (match_hangout_req(data->payload[0], data->payload_len[0])) { + if (match_hangout_resp(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_hangout_req(data->payload[1], data->payload_len[1])) { + if (match_hangout_resp(data->payload[0], data->payload_len[0])) + return true; + } + + + return false; +} + +static lpi_module_t lpi_googlehangouts = { + LPI_PROTO_GOOGLE_HANGOUTS, + LPI_CATEGORY_CHAT, + "GoogleHangouts", + 12, + match_googlehangouts +}; + +void register_googlehangouts(LPIModuleMap *mod_map) { + register_protocol(&lpi_googlehangouts, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_graalonlineera.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_graalonlineera.cc new file mode 100644 index 0000000..44a3ce4 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_graalonlineera.cc @@ -0,0 +1,82 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_goe_gnp(uint32_t payload, uint32_t len) { + if (len == 8 && MATCH(payload, 'G', 'N', 'P', '1')) + return true; + return false; +} + +static inline bool match_goe_binary(uint32_t payload, uint32_t len) { + + if (len >= 275 && len <= 300) { + if (MATCH(payload, 0x01, 0x02, 0x00, 0x01)) + return true; + if (MATCH(payload, 0x01, 0x03, 0x00, 0x01)) + return true; + + } + return false; + +} + + +static inline bool match_graalonlineera(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Port 14900 */ + + if (match_goe_gnp(data->payload[0], data->payload_len[0])) { + if (match_goe_binary(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_goe_gnp(data->payload[1], data->payload_len[1])) { + if (match_goe_binary(data->payload[0], data->payload_len[0])) + return true; + } + + + return false; +} + +static lpi_module_t lpi_graalonlineera = { + LPI_PROTO_GRAAL_ONLINE_ERA, + LPI_CATEGORY_GAMING, + "GraalOnlineEra", + 8, + match_graalonlineera +}; + +void register_graalonlineera(LPIModuleMap *mod_map) { + register_protocol(&lpi_graalonlineera, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_guildwars2.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_guildwars2.cc new file mode 100644 index 0000000..67e93dc --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_guildwars2.cc @@ -0,0 +1,80 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +static inline bool match_gw2_req(uint32_t payload, uint32_t len) { + + if (len < 285 || len > 295) + return false; + if (MATCH(payload, 0x50, 0x20, 0x2f, 0x53)) + return true; + return false; + +} + +static inline bool match_gw2_resp(uint32_t payload, uint32_t len) { + + if (len != 35) + return false; + if (MATCH(payload, 0x53, 0x54, 0x53, 0x2f)) + return true; + return false; + +} + +static inline bool match_guildwars2(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_gw2_req(data->payload[1], data->payload_len[1])) { + if (match_gw2_resp(data->payload[0], data->payload_len[0])) + return true; + } + + if (match_gw2_req(data->payload[0], data->payload_len[0])) { + if (match_gw2_resp(data->payload[1], data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_guildwars2 = { + LPI_PROTO_GUILDWARS2, + LPI_CATEGORY_GAMING, + "GuildWars2", + 5, + match_guildwars2 +}; + +void register_guildwars2(LPIModuleMap *mod_map) { + register_protocol(&lpi_guildwars2, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_hamachi.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_hamachi.cc new file mode 100644 index 0000000..7530132 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_hamachi.cc @@ -0,0 +1,62 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_hamachi(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* All Hamachi messages that I've seen begin with a 4 byte length + * field. Other protocols also do this, so I also check for the + * default Hamachi port (12975) + */ + if (!match_payload_length(data->payload[0], data->payload_len[0])) + return false; + + if (!match_payload_length(data->payload[1], data->payload_len[1])) + return false; + + if (data->server_port == 12975 || data->client_port == 12975) + return true; + + return false; +} + +static lpi_module_t lpi_hamachi = { + LPI_PROTO_HAMACHI, + LPI_CATEGORY_TUNNELLING, + "Hamachi", + 4, + match_hamachi +}; + +void register_hamachi(LPIModuleMap *mod_map) { + register_protocol(&lpi_hamachi, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_harveys.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_harveys.cc new file mode 100644 index 0000000..52cdc83 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_harveys.cc @@ -0,0 +1,67 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Harveys - a seemingly custom protocol used by Harveys Real + * Estate to transfer photos. Common in ISP C traces */ + +static inline bool match_harveys(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_both(data, "77;T", "47;T")) + return true; + + if (match_str_either(data, "47;T")) { + if (data->payload_len[0] == 0) + return true; + if (data->payload_len[1] == 0) + return true; + } + if (match_str_either(data, "77;T")) { + if (data->payload_len[0] == 0) + return true; + if (data->payload_len[1] == 0) + return true; + } + return false; +} + +static lpi_module_t lpi_harveys = { + LPI_PROTO_HARVEYS, + LPI_CATEGORY_FILES, + "Harveys", + 10, + match_harveys +}; + +void register_harveys(LPIModuleMap *mod_map) { + register_protocol(&lpi_harveys, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_hearthstone.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_hearthstone.cc new file mode 100644 index 0000000..2807a5c --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_hearthstone.cc @@ -0,0 +1,79 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_hearthstone_req(uint32_t payload, uint32_t len) { + if (len == 16 && MATCH(payload, 0x10, 0x00, 0x00, 0x00)) + return true; + if (len == 22 && MATCH(payload, 0x10, 0x00, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_hearthstone_reply(uint32_t payload) { + if (MATCH(payload, 0x0f, 0x00, 0x00, 0x00)) + return true; + if (MATCH(payload, 0xa8, 0x00, 0x00, 0x00)) + return true; + return false; +} + + +static inline bool match_hearthstone(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Consider enforcing port 1119 or 3724, if we get FPs */ + + + if (match_hearthstone_req(data->payload[0], data->payload_len[0])) { + if (match_hearthstone_reply(data->payload[1])) + return true; + } + + if (match_hearthstone_req(data->payload[1], data->payload_len[1])) { + if (match_hearthstone_reply(data->payload[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_hearthstone = { + LPI_PROTO_HEARTHSTONE, + LPI_CATEGORY_GAMING, + "Hearthstone", + 5, + match_hearthstone +}; + +void register_hearthstone(LPIModuleMap *mod_map) { + register_protocol(&lpi_hearthstone, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_hola.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_hola.cc new file mode 100644 index 0000000..3691028 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_hola.cc @@ -0,0 +1,55 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +static inline bool match_hola(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (MATCH(data->payload[0], 0xac, 0x2e, 0xbf, 0x5c)) { + if (MATCH(data->payload[1], 0xac, 0x2e, 0xbf, 0x5c)) + return true; + } + + return false; +} + +static lpi_module_t lpi_hola = { + LPI_PROTO_HOLA, + LPI_CATEGORY_TUNNELLING, + "HolaVPN", + 4, + match_hola +}; + +void register_hola(LPIModuleMap *mod_map) { + register_protocol(&lpi_hola, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_hots_tcp.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_hots_tcp.cc new file mode 100644 index 0000000..bc95c35 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_hots_tcp.cc @@ -0,0 +1,90 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_bau(uint32_t payload, uint32_t len) { + + if (len == 743 && MATCH(payload, 0x42, 0x10, 0x61, 0x75)) + return true; + return false; +} + +static inline bool match_hots_7f28(uint32_t payload, uint32_t len) { + uint32_t hlen; + + hlen = (ntohl(payload) & 0xffff) * 2 + 5; + if (len == hlen && MATCH(payload, 0x7f, 0x28, ANY, ANY)) { + return true; + } + return false; +} + +static inline bool match_hots_4a48(uint32_t payload, uint32_t len) { + if (len == 201 && MATCH(payload, 0x4a, 0x48, 0x0c, 0xae)) + return true; + return false; +} + +static inline bool match_hots_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 1119 && data->client_port != 1119) { + return false; + } + + if (match_bau(data->payload[0], data->payload_len[0])) { + if (match_hots_7f28(data->payload[1], data->payload_len[1])) + return true; + if (match_hots_4a48(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_bau(data->payload[1], data->payload_len[1])) { + if (match_hots_7f28(data->payload[0], data->payload_len[0])) + return true; + if (match_hots_4a48(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_hots_tcp = { + LPI_PROTO_HOTS, + LPI_CATEGORY_GAMING, + "HeroesOfTheStorm_TCP", + 90, + match_hots_tcp +}; + +void register_hots_tcp(LPIModuleMap *mod_map) { + register_protocol(&lpi_hots_tcp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_http.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_http.cc new file mode 100644 index 0000000..d32cace --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_http.cc @@ -0,0 +1,106 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +static inline bool match_http_response(uint32_t payload, uint32_t len) { + + if (len == 0) + return true; + if (len == 1 && MATCH(payload, 'H', 0x00, 0x00, 0x00)) + return true; + if (MATCHSTR(payload, "HTTP")) { + return true; + } + + /* UNKNOWN seems to be a valid response from some servers, e.g. + * mini_httpd */ + if (MATCHSTR(payload, "UNKN")) { + return true; + } + + return false; +} + +static inline bool match_http(lpi_data_t *data, lpi_module_t *mod) { + + + /* Need to rule out protocols using HTTP-style commands to do + * exchanges. These protocols primarily use GET, rather than other + * HTTP requests */ + if (!valid_http_port(data)) { + if (match_str_either(data, "GET ")) + return false; + } + + if (match_http_request(data->payload[0], data->payload_len[0])) { + if (match_http_response(data->payload[1], data->payload_len[1])) + return true; + if (match_http_request(data->payload[1], data->payload_len[1])) + return true; + if (match_file_header(data->payload[1]) && + data->payload_len[0] != 0) + return true; + } + + if (match_http_request(data->payload[1], data->payload_len[1])) { + if (match_http_response(data->payload[0], data->payload_len[0])) + return true; + if (match_file_header(data->payload[0]) && + data->payload_len[1] != 0) + return true; + } + + /* Allow responses in both directions, even if this is doesn't entirely + * make sense :/ */ + if (match_http_response(data->payload[0], data->payload_len[0])) { + if (match_http_response(data->payload[1], data->payload_len[1])) + return true; + } + + + return false; + + +} + +static lpi_module_t lpi_http = { + LPI_PROTO_HTTP, + LPI_CATEGORY_WEB, + "HTTP", + 2, + match_http +}; + +void register_http(LPIModuleMap *mod_map) { + register_protocol(&lpi_http, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_http_badport.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_http_badport.cc new file mode 100644 index 0000000..d0be1f0 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_http_badport.cc @@ -0,0 +1,64 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_http_badport(lpi_data_t *data, lpi_module_t *mod) { + + /* For some reason, some clients send GET messages to servers on + * port 443, which unsurprisingly do not respond. I'm putting this + * in a separate category to avoid mixing it in with legitimate + * HTTP traffic */ + + if (data->payload_len[0] != 0 && data->payload_len[1] != 0) + return false; + + if (!match_str_either(data, "GET ")) + return false; + + if (data->server_port == 443 || data->client_port == 443) + return true; + + return false; + +} + +static lpi_module_t lpi_http_badport = { + LPI_PROTO_HTTP_BADPORT, + LPI_CATEGORY_WEB, + "HTTP_443", + 2, + match_http_badport +}; + +void register_http_badport(LPIModuleMap *mod_map) { + register_protocol(&lpi_http_badport, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_http_nonstandard.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_http_nonstandard.cc new file mode 100644 index 0000000..db1d394 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_http_nonstandard.cc @@ -0,0 +1,68 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_nonstandard_http(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Must not be on a known HTTP port + * + * This used to be HTTP_P2P, but we found that most of this stuff was + * legit HTTP - just using really weird ports. + * + * We might miss some HTTP-based P2P now, but it's just too hard for + * us to differentiate more than this. + */ + if (valid_http_port(data)) + return false; + + if (match_str_both(data, "GET ", "HTTP")) + return true; + + if (match_str_either(data, "GET ")) { + if (data->payload_len[0] == 0 || data->payload_len[1] == 0) + return true; + } + + return false; +} + +static lpi_module_t lpi_http_nonstandard = { + LPI_PROTO_NONSTANDARD_HTTP, + LPI_CATEGORY_WEB, + "HTTP_NonStandard", + 100, + match_nonstandard_http +}; + +void register_http_nonstandard(LPIModuleMap *mod_map) { + register_protocol(&lpi_http_nonstandard, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_http_tunnel.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_http_tunnel.cc new file mode 100644 index 0000000..e12a31e --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_http_tunnel.cc @@ -0,0 +1,58 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_http_tunnel(lpi_data_t *data, lpi_module_t *mod UNUSED) +{ + + if (match_str_both(data, "CONN", "HTTP")) return true; + + if (MATCHSTR(data->payload[0], "CONN") && data->payload_len[1] == 0) + return true; + + if (MATCHSTR(data->payload[1], "CONN") && data->payload_len[0] == 0) + return true; + + return false; +} + +static lpi_module_t lpi_http_tunnel = { + LPI_PROTO_HTTP_TUNNEL, + LPI_CATEGORY_TUNNELLING, + "HTTP_Tunnel", + 1, /* Make sure we are higher priority than HTTP */ + match_http_tunnel +}; + +void register_http_tunnel(LPIModuleMap *mod_map) { + register_protocol(&lpi_http_tunnel, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_https.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_https.cc new file mode 100644 index 0000000..dc0bdf9 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_https.cc @@ -0,0 +1,60 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_https(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (!match_ssl(data)) + return false; + + /* Assume all SSL traffic on port 443 is HTTPS */ + if (data->server_port == 443 || data->client_port == 443) + return true; + + /* We'll do port 80 as well, just to be safe */ + if (data->server_port == 80 || data->client_port == 80) + return true; + + return false; +} + +static lpi_module_t lpi_https = { + LPI_PROTO_HTTPS, + LPI_CATEGORY_WEB, + "HTTPS", + 2, /* Should be higher priority than regular SSL */ + match_https +}; + +void register_https(LPIModuleMap *mod_map) { + register_protocol(&lpi_https, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_ica.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_ica.cc new file mode 100644 index 0000000..8a54b9b --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_ica.cc @@ -0,0 +1,52 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_ica(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Citrix ICA */ + if (match_chars_either(data, 0x7f, 0x7f, 0x49, 0x43)) + return true; + return false; +} + +static lpi_module_t lpi_ica = { + LPI_PROTO_ICA, + LPI_CATEGORY_REMOTE, + "CitrixICA", + 3, + match_ica +}; + +void register_ica(LPIModuleMap *mod_map) { + register_protocol(&lpi_ica, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_icep.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_icep.cc new file mode 100644 index 0000000..1c0f7d8 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_icep.cc @@ -0,0 +1,77 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Internet Communications Engine Protocol */ + +static inline bool match_icep_validate(uint32_t payload, uint32_t len) { + if (len == 14 && MATCHSTR(payload, "IceP")) { + return true; + } + return false; +} + +static inline bool match_icep_req(uint32_t payload, uint32_t len) { + if (MATCHSTR(payload, "IceP") && len >= 30) { + return true; + } + return false; +} + +static inline bool match_icep(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_icep_validate(data->payload[0], data->payload_len[0])) { + if (match_icep_req(data->payload[1], data->payload_len[1])) { + return true; + } + } + + if (match_icep_validate(data->payload[1], data->payload_len[1])) { + if (match_icep_req(data->payload[0], data->payload_len[0])) { + return true; + } + } + + return false; +} + +static lpi_module_t lpi_icep = { + LPI_PROTO_ICEP, + LPI_CATEGORY_NAT, /* unsure about this one */ + "IceP", + 8, + match_icep +}; + +void register_icep(LPIModuleMap *mod_map) { + register_protocol(&lpi_icep, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_id.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_id.cc new file mode 100644 index 0000000..01de0c0 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_id.cc @@ -0,0 +1,55 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_id(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* TODO: Starts with only digits - request matches the response */ + + /* 20 3a 20 55 is an ID protocol error, I think */ + if (match_str_either(data, " : U")) + return true; + + return false; +} + +static lpi_module_t lpi_id = { + LPI_PROTO_ID, + LPI_CATEGORY_SERVICES, + "ID_Protocol", + 3, + match_id +}; + +void register_id(LPIModuleMap *mod_map) { + register_protocol(&lpi_id, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_idrivesync.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_idrivesync.cc new file mode 100644 index 0000000..5a4379b --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_idrivesync.cc @@ -0,0 +1,69 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_idrivesync_hello(uint32_t payload) { + + if (MATCH(payload, '@', 'I', 'D', 'E')) + return true; + return false; + +} + +static inline bool match_idrivesync(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_idrivesync_hello(data->payload[0])) { + if (match_idrivesync_hello(data->payload[1])) + return true; + if (data->payload_len[1] == 0) + return true; + } + + if (match_idrivesync_hello(data->payload[1])) { + if (data->payload_len[0] == 0) + return true; + } + + return false; +} + +static lpi_module_t lpi_idrivesync = { + LPI_PROTO_IDRIVE_SYNC, + LPI_CATEGORY_CLOUD, + "IDriveSync", + 5, + match_idrivesync +}; + +void register_idrivesync(LPIModuleMap *mod_map) { + register_protocol(&lpi_idrivesync, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_ihexin.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_ihexin.cc new file mode 100644 index 0000000..27a1207 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_ihexin.cc @@ -0,0 +1,64 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Stock trading app by 10jqka.com.cn (aka Flush). */ + +static inline bool match_ihex_magic(uint32_t payload) { + if (MATCH(payload, 0xfd, 0xfd, 0xfd, 0xfd)) + return true; + return false; +} + +static inline bool match_ihexin(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Port 9528 and 8887 */ + + if (match_ihex_magic(data->payload[0])) { + if (match_ihex_magic(data->payload[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_ihexin = { + LPI_PROTO_IHEXIN, + LPI_CATEGORY_ECOMMERCE, + "IHexin", + 89, + match_ihexin +}; + +void register_ihexin(LPIModuleMap *mod_map) { + register_protocol(&lpi_ihexin, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_imap.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_imap.cc new file mode 100644 index 0000000..98a9ffb --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_imap.cc @@ -0,0 +1,51 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_imap(lpi_data_t *data, lpi_module_t *mod UNUSED) { + if (match_str_either(data, "* OK")) + return true; + return false; + +} + +static lpi_module_t lpi_imap = { + LPI_PROTO_IMAP, + LPI_CATEGORY_MAIL, + "IMAP", + 2, + match_imap +}; + +void register_imap(LPIModuleMap *mod_map) { + register_protocol(&lpi_imap, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_imaps.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_imaps.cc new file mode 100644 index 0000000..77bb7d6 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_imaps.cc @@ -0,0 +1,56 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_imaps(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (!match_ssl(data)) + return false; + + /* Assume all SSL traffic on port 993 is IMAPS */ + if (data->server_port == 993 || data->client_port == 993) + return true; + + return false; +} + +static lpi_module_t lpi_imaps = { + LPI_PROTO_IMAPS, + LPI_CATEGORY_MAIL, + "IMAPS", + 2, /* Should be a higher priority than regular SSL */ + match_imaps +}; + +void register_imaps(LPIModuleMap *mod_map) { + register_protocol(&lpi_imaps, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_imesh.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_imesh.cc new file mode 100644 index 0000000..f73163e --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_imesh.cc @@ -0,0 +1,74 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_imesh_payload(uint32_t payload, uint32_t len) { + if (len == 0) + return true; + + if (len == 2 && MATCH(payload, 0x06, 0x00, 0x00, 0x00)) + return true; + if (len == 10 && MATCH(payload, 0x06, 0x00, 0x04, 0x00)) + return true; + if (len == 6 && MATCH(payload, 0x06, 0x00, 0x04, 0x00)) + return true; + if (len == 12 && MATCH(payload, 0x06, 0x00, 0x06, 0x00)) + return true; + return false; + +} + + +static inline bool match_imesh(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Credit for this rule goes to opendpi - so if they're wrong then + * we're wrong! */ + + if (!match_imesh_payload(data->payload[0], data->payload_len[0])) + return false; + if (!match_imesh_payload(data->payload[1], data->payload_len[1])) + return false; + return true; + +} + +static lpi_module_t lpi_imesh = { + LPI_PROTO_IMESH, + LPI_CATEGORY_P2P, + "iMesh_TCP", + 3, + match_imesh +}; + +void register_imesh(LPIModuleMap *mod_map) { + register_protocol(&lpi_imesh, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_invalid.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_invalid.cc new file mode 100644 index 0000000..2787bcb --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_invalid.cc @@ -0,0 +1,95 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_invalid(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* I'm using invalid as a category for flows where both halves of + * the connection are clearly speaking different protocols, + * e.g. trying to do HTTP tunnelling via an SMTP server + */ + + /* XXX Bittorrent-related stuff is covered in + * match_invalid_bittorrent() */ + + /* SOCKSv4 via FTP or SMTP + * + * The last two octets '\x00\x50' is the port number - in this case + * I've hard-coded it to be 80 */ + if (match_str_both(data, "220 ", "\x04\x01\x00\x50")) + return true; + + /* SOCKSv5 via FTP or SMTP */ + if (match_str_both(data, "220 ", "\x05\x01\x00\x00")) + return true; + + /* HTTP tunnelling via FTP or SMTP */ + if (match_str_both(data, "220 ", "CONN")) + return true; + if (match_str_both(data, "450 ", "CONN")) + return true; + + /* Trying to send HTTP commands to FTP or SMTP servers */ + if (match_str_both(data, "220 ", "GET ")) + return true; + if (match_str_both(data, "450 ", "GET ")) + return true; + + /* Trying to send HTTP commands to an SVN server */ + if (match_str_both(data, "( su", "GET ")) + return true; + + /* People running an HTTP server on the MS SQL server port */ + if (match_tds_request(data->payload[0], data->payload_len[0])) { + if (MATCHSTR(data->payload[1], "HTTP")) + return true; + } + if (match_tds_request(data->payload[1], data->payload_len[1])) { + if (MATCHSTR(data->payload[0], "HTTP")) + return true; + } + + + return false; +} + +static lpi_module_t lpi_invalid = { + LPI_PROTO_INVALID, + LPI_CATEGORY_MIXED, + "Invalid", + 200, /* Very low priority, but not as low as mystery protos */ + match_invalid +}; + +void register_invalid(LPIModuleMap *mod_map) { + register_protocol(&lpi_invalid, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_invalid_bittorrent.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_invalid_bittorrent.cc new file mode 100644 index 0000000..7d35b95 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_invalid_bittorrent.cc @@ -0,0 +1,85 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_invalid_bittorrent(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* This function will match anyone doing bittorrent in one + * direction and *something else* in the other. + * + * I've broken it down into several separate conditions, just in case + * we want to treat them as separate instances later on */ + + + + /* People trying to do Bittorrent to an actual HTTP server, rather than + * someone peering on port 80 */ + if (match_str_either(data, "HTTP") && + match_chars_either(data, 0x13, 'B', 'i', 't')) + return true; + + /* People sending GETs to a Bittorrent peer?? */ + if (match_str_either(data, "GET ") && + match_chars_either(data, 0x13, 'B', 'i', 't')) + return true; + + /* We also get a bunch of cases where one end is doing bittorrent + * and the other end is speaking a protocol that begins with a 4 + * byte length field. */ + if (match_chars_either(data, 0x13, 'B', 'i', 't')) { + if (match_payload_length(data->payload[0],data->payload_len[0])) + return true; + if (match_payload_length(data->payload[1],data->payload_len[1])) + return true; + } + + + /* This assumes we've checked for regular bittorrent prior to calling + * this function! */ + if (match_chars_either(data, 0x13, 'B', 'i', 't')) + return true; + + + return false; +} + +static lpi_module_t lpi_invalid_bittorrent = { + LPI_PROTO_INVALID_BT, + LPI_CATEGORY_MIXED, + "Invalid_Bittorrent", + 200, + match_invalid_bittorrent +}; + +void register_invalid_bittorrent(LPIModuleMap *mod_map) { + register_protocol(&lpi_invalid_bittorrent, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_invalid_http.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_invalid_http.cc new file mode 100644 index 0000000..09c544b --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_invalid_http.cc @@ -0,0 +1,69 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_invalid_http(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* This function is for identifying web servers that are not + * following the HTTP spec properly. + * + * For flows where the client is not doing HTTP properly, see + * match_web_junk(). + */ + + /* HTTP servers that appear to respond with raw HTML */ + if (match_str_either(data, "GET ")) { + if (match_chars_either(data, '<', 'H', 'T', 'M')) + return true; + if (match_chars_either(data, '<', 'h', 't', 'm')) + return true; + if (match_chars_either(data, '<', 'h', '1', '>')) + return true; + if (match_chars_either(data, '<', 't', 'i', 't')) + return true; + } + + + return false; +} + +static lpi_module_t lpi_invalid_http = { + LPI_PROTO_INVALID_HTTP, + LPI_CATEGORY_WEB, + "Invalid_HTTP", + 200, + match_invalid_http +}; + +void register_invalid_http(LPIModuleMap *mod_map) { + register_protocol(&lpi_invalid_http, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_invalid_pop.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_invalid_pop.cc new file mode 100644 index 0000000..2085b31 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_invalid_pop.cc @@ -0,0 +1,57 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_invalid_pop(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* This basically covers cases where idiots run SMTP servers on the + * POP port, so we get SMTP responses to valid POP commands */ + if (match_str_both(data, "USER", "421 ")) + return true; + if (match_str_both(data, "QUIT", "421 ")) + return true; + + + return false; +} + +static lpi_module_t lpi_invalid_pop = { + LPI_PROTO_INVALID_POP3, + LPI_CATEGORY_MAIL, + "Invalid_POP3", + 200, + match_invalid_pop +}; + +void register_invalid_pop(LPIModuleMap *mod_map) { + register_protocol(&lpi_invalid_pop, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_invalid_smtp.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_invalid_smtp.cc new file mode 100644 index 0000000..a55d89d --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_invalid_smtp.cc @@ -0,0 +1,65 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_invalid_smtp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* SMTP flows that do not conform to the spec properly */ + + if (match_str_both(data, "250-", "EHLO")) + return true; + + if (match_str_both(data, "250 ", "HELO")) + return true; + + if (match_str_both(data, "220 ", "MAIL")) + return true; + + if (match_str_both(data, "\x00\x00\x00\x00", "EHLO")) + return true; + if (match_str_both(data, "\x00\x00\x00\x00", "HELO")) + return true; + + return false; +} + +static lpi_module_t lpi_invalid_smtp = { + LPI_PROTO_INVALID_SMTP, + LPI_CATEGORY_MAIL, + "Invalid_SMTP", + 200, + match_invalid_smtp +}; + +void register_invalid_smtp(LPIModuleMap *mod_map) { + register_protocol(&lpi_invalid_smtp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_ipfs.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_ipfs.cc new file mode 100644 index 0000000..23ab4d1 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_ipfs.cc @@ -0,0 +1,94 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* self-described "P2P hypermedia protocol" -- https://ipfs.io */ + +static inline bool match_ipfs_mu(uint32_t payload, uint32_t len) { + if (len == 20 && MATCH(payload, 0x13, 0x2f, 'm', 'u')) { + return true; + } + if (len == 34 && MATCH(payload, 0x13, 0x2f, 'm', 'u')) { + return true; + } + return false; +} + +static inline bool match_ipfs_single(uint32_t payload, uint32_t len) { + if (len == 1 && MATCH(payload, 0x13, 0x00, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_ipfs_length(uint32_t payload, uint32_t len) { + uint32_t plen = ntohl(payload); + + /* Starting to see IPFS replies with a four byte length field */ + if (plen + 4 == len) { + return true; + } + return false; +} + +static inline bool match_ipfs(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Port 4001 by default, but probably changeable */ + if (match_ipfs_mu(data->payload[0], data->payload_len[0])) { + if (match_ipfs_single(data->payload[1], data->payload_len[1])) + return true; + if (match_ipfs_mu(data->payload[1], data->payload_len[1])) + return true; + if (match_ipfs_length(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_ipfs_mu(data->payload[1], data->payload_len[1])) { + if (match_ipfs_single(data->payload[0], data->payload_len[0])) + return true; + if (match_ipfs_length(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_ipfs = { + LPI_PROTO_IPFS, + LPI_CATEGORY_P2P, + "IPFS", + 10, + match_ipfs +}; + +void register_ipfs(LPIModuleMap *mod_map) { + register_protocol(&lpi_ipfs, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_ipop.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_ipop.cc new file mode 100644 index 0000000..cac92d9 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_ipop.cc @@ -0,0 +1,69 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_ipop_payload(uint32_t payload, uint32_t len) { + + uint16_t *len_ptr; + + if (!MATCH(payload, ANY, ANY, 0x72, 0x00)) + return false; + + len_ptr = (uint16_t *)(&payload); + + if ((uint32_t)ntohs(*len_ptr) + 4 != len) + return false; + return true; + +} + +static inline bool match_ipop(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (!match_ipop_payload(data->payload[0], data->payload_len[0])) + return false; + if (!match_ipop_payload(data->payload[1], data->payload_len[1])) + return false; + + return true; +} + +static lpi_module_t lpi_ipop = { + LPI_PROTO_IPOP, + LPI_CATEGORY_P2P, + "IPOP_TCP", + 8, + match_ipop +}; + +void register_ipop(LPIModuleMap *mod_map) { + register_protocol(&lpi_ipop, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_ipsharkk.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_ipsharkk.cc new file mode 100644 index 0000000..1c5259d --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_ipsharkk.cc @@ -0,0 +1,76 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* IPSharkk P2P Proxy */ + +static inline bool match_ipsharkk_ssl(uint32_t payload) { + + if (MATCH(payload, 0x16, 0x03, 0x03, 0x00)) + return true; + return false; + +} + +static inline bool match_ipsharkk_4f(uint32_t payload) { + + if (MATCH(payload, 0x4f, 0x1b, 0x4d, ANY)) + return true; + return false; +} + +static inline bool match_ipsharkk(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_ipsharkk_ssl(data->payload[0])) { + if (match_ipsharkk_4f(data->payload[1])) + return true; + } + + if (match_ipsharkk_ssl(data->payload[1])) { + if (match_ipsharkk_4f(data->payload[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_ipsharkk = { + LPI_PROTO_IPSHARKK, + LPI_CATEGORY_TUNNELLING, + "IPSharkk", + 15, + match_ipsharkk +}; + +void register_ipsharkk(LPIModuleMap *mod_map) { + register_protocol(&lpi_ipsharkk, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_irc.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_irc.cc new file mode 100644 index 0000000..1cace1a --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_irc.cc @@ -0,0 +1,69 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_irc(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_either(data, "PASS")) + return true; + if (match_str_either(data, "NICK")) + return true; + if (MATCHSTR(data->payload[0], "\x0aNIC")) + return true; + if (MATCHSTR(data->payload[1], "\x0aNIC")) + return true; + if (match_str_both(data, ":irc", "USER")) + return true; + if (match_str_both(data, ":loc", "MODE")) + return true; + + + /* Trying to match on broken IRC implementations :) */ + if (data->server_port == 6667 || data->client_port == 6667) { + if (match_str_either(data, "ERRO")) + return true; + } + + return false; +} + +static lpi_module_t lpi_irc = { + LPI_PROTO_IRC, + LPI_CATEGORY_CHAT, + "IRC", + 2, + match_irc +}; + +void register_irc(LPIModuleMap *mod_map) { + register_protocol(&lpi_irc, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_java.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_java.cc new file mode 100644 index 0000000..40b505f --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_java.cc @@ -0,0 +1,66 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_java_serial(uint32_t payload, uint32_t len) { + + if (len == 0) + return true; + if (len != 4) + return false; + if (MATCH(payload, 0xac, 0xed, 0x00, 0x05)) + return true; + return false; + +} + +static inline bool match_java(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (!match_java_serial(data->payload[0], data->payload_len[0])) + return false; + if (!match_java_serial(data->payload[1], data->payload_len[1])) + return false; + + return true; +} + +static lpi_module_t lpi_java = { + LPI_PROTO_JAVA, + LPI_CATEGORY_SERIALISATION, + "JavaObjectSerialised", + 5, + match_java +}; + +void register_java(LPIModuleMap *mod_map) { + register_protocol(&lpi_java, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_jedi.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_jedi.cc new file mode 100644 index 0000000..2780674 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_jedi.cc @@ -0,0 +1,55 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_jedi(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Citrix have a protocol called JEDI which is used for streaming + * in products like GoToMyPC */ + + if (match_str_both(data, "JEDI", "JEDI")) + return true; + + return false; +} + +static lpi_module_t lpi_jedi = { + LPI_PROTO_JEDI, + LPI_CATEGORY_REMOTE, + "Citrix_Jedi", + 3, + match_jedi +}; + +void register_jedi(LPIModuleMap *mod_map) { + register_protocol(&lpi_jedi, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_jx3online.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_jx3online.cc new file mode 100644 index 0000000..80e7cb7 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_jx3online.cc @@ -0,0 +1,77 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_jx3_2c(uint32_t payload, uint32_t len) { + + if (len == 44 && MATCH(payload, 0x2c, 0x00, 0x20, 0x00)) + return true; + return false; + +} + +static inline bool match_jx3_varying(uint32_t payload, uint32_t len) { + + /* There appear to be lots of valid patterns here, but I'm + * just going to focus on the major ones for now */ + if (len == 28 && MATCH(payload, 0x1c, 0x00, ANY, ANY)) + return true; + return false; + +} + +static inline bool match_jx3online(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_jx3_2c(data->payload[0], data->payload_len[0])) { + if (match_jx3_varying(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_jx3_2c(data->payload[1], data->payload_len[1])) { + if (match_jx3_varying(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_jx3online = { + LPI_PROTO_JX3ONLINE, + LPI_CATEGORY_GAMING, + "JX3Online", + 201, + match_jx3online +}; + +void register_jx3online(LPIModuleMap *mod_map) { + register_protocol(&lpi_jx3online, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_kakao.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_kakao.cc new file mode 100644 index 0000000..6ec17c8 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_kakao.cc @@ -0,0 +1,81 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_kakao_req(uint32_t payload, uint32_t len) { + + if (len < 250) + return false; + if (MATCH(payload, 0x00, 0x01, 0x00, 0x00)) + return true; + return false; + +} + +static inline bool match_kakao_resp(uint32_t payload, uint32_t len) { + + if (payload + 4 == len) + return true; + return false; + +} + +static inline bool match_kakao(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_kakao_req(data->payload[0], data->payload_len[0])) { + if (match_kakao_resp(data->payload[1], + data->payload_len[1])) { + return true; + } + } + + if (match_kakao_req(data->payload[1], data->payload_len[1])) { + if (match_kakao_resp(data->payload[0], + data->payload_len[0])) { + return true; + } + } + + return false; +} + +static lpi_module_t lpi_kakao = { + LPI_PROTO_KAKAO, + LPI_CATEGORY_CHAT, + "Kakao", + 43, + match_kakao +}; + +void register_kakao(LPIModuleMap *mod_map) { + register_protocol(&lpi_kakao, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_kankan_tcp.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_kankan_tcp.cc new file mode 100644 index 0000000..de2a052 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_kankan_tcp.cc @@ -0,0 +1,129 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +static inline bool match_kankan_44(uint32_t payload, uint32_t len) { + if (len != 44) + return false; + if (MATCH(payload, 0x01, 0x00, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_kankan_28(uint32_t payload, uint32_t len) { + if (len != 28) + return false; + if (MATCH(payload, 0x01, 0x00, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_kankan_140(uint32_t payload, uint32_t len) { + if (len != 140) + return false; + if (MATCH(payload, 0x01, 0x00, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_kankan_any(uint32_t payload, uint32_t len) { + if (MATCH(payload, 0x01, 0x00, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_xmp_04_req(uint32_t payload, uint32_t len) { + if (len < 92) + return false; + if (MATCH(payload, 0x04, 0x00, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_xmp_04_resp(uint32_t payload, uint32_t len) { + if (len != 4) + return false; + if (MATCH(payload, 0x04, 0x00, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_kankan(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->client_port != 80 && data->server_port != 80) + return false; + + if (match_kankan_44(data->payload[0], data->payload_len[0])) { + if (match_kankan_28(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_kankan_44(data->payload[1], data->payload_len[1])) { + if (match_kankan_28(data->payload[0], data->payload_len[0])) + return true; + } + + if (match_kankan_140(data->payload[0], data->payload_len[0])) { + if (match_kankan_any(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_kankan_140(data->payload[1], data->payload_len[1])) { + if (match_kankan_any(data->payload[0], data->payload_len[0])) + return true; + } + + if (match_xmp_04_req(data->payload[0], data->payload_len[0])) { + if (match_xmp_04_resp(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_xmp_04_req(data->payload[1], data->payload_len[1])) { + if (match_xmp_04_resp(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_kankan = { + LPI_PROTO_KANKAN, + LPI_CATEGORY_STREAMING, + "KankanTCP", + 70, + match_kankan +}; + +void register_kankan_tcp(LPIModuleMap *mod_map) { + register_protocol(&lpi_kankan, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_kaseya.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_kaseya.cc new file mode 100644 index 0000000..acc7def --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_kaseya.cc @@ -0,0 +1,93 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_kaseya_req(uint32_t payload, uint32_t len) { + + /* Seen quite a few flows where only the response is present */ + if (len == 0) + return true; + + if (!MATCH(payload, 0x4a, 0x5e, 0x7a, 0x04)) + return false; + if (len == 48) + return true; + if (len == 52) + return true; + if (len == 25) + return true; + return false; + +} + +static inline bool match_kaseya_resp(uint32_t payload, uint32_t len) { + + if (len == 0) + return true; + + if (!MATCH(payload, 0x4a, 0x5e, 0x7a, 0x04)) + return false; + + /* + if (len < 200) + return false; + */ + + return true; +} + +static inline bool match_kaseya(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_kaseya_req(data->payload[0], data->payload_len[0])) { + if (match_kaseya_resp(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_kaseya_req(data->payload[1], data->payload_len[1])) { + if (match_kaseya_resp(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_kaseya = { + LPI_PROTO_KASEYA, + LPI_CATEGORY_REMOTE, + "Kaseya", + 7, + match_kaseya +}; + +void register_kaseya(LPIModuleMap *mod_map) { + register_protocol(&lpi_kaseya, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_kaspersky.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_kaspersky.cc new file mode 100644 index 0000000..983e416 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_kaspersky.cc @@ -0,0 +1,53 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_kaspersky_tcp(lpi_data_t *data, + lpi_module_t *mod UNUSED) { + + if (data->server_port != 443 && data->client_port != 443) + return false; + + return match_kaspersky(data); +} + +static lpi_module_t lpi_kaspersky = { + LPI_PROTO_KASPERSKY, + LPI_CATEGORY_SECURITY, + "Kaspersky_TCP", + 4, + match_kaspersky_tcp +}; + +void register_kaspersky(LPIModuleMap *mod_map) { + register_protocol(&lpi_kaspersky, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_kik.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_kik.cc new file mode 100644 index 0000000..cd6f545 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_kik.cc @@ -0,0 +1,81 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_kik(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* This rule tries to match the traffic for Kik, a somewhat popular + * IM app for mobile devices. + * + * The problem with Kik is that it uses port 5223 and SSL, so it is + * very difficult to distinguish from ApplePush + */ + + if (!match_ssl(data)) + return false; + + /* Port 5223 is used */ + if (data->server_port != 5223 && data->client_port != 5223) + return false; + + /* The key to matching Kik is bytes 3 and 4 of the incoming SSL + * handshake packet. They are slightly different to those seen + * for ApplePush flows. + */ + + if (MATCH(data->payload[0], 0x16, 0x03, 0x01, 0x0c)) + return true; + if (MATCH(data->payload[1], 0x16, 0x03, 0x01, 0x0c)) + return true; + if (MATCH(data->payload[0], 0x16, 0x03, 0x03, 0x0e)) + return true; + if (MATCH(data->payload[1], 0x16, 0x03, 0x03, 0x0e)) + return true; + if (MATCH(data->payload[0], 0x16, 0x03, 0x01, 0x0e)) + return true; + if (MATCH(data->payload[1], 0x16, 0x03, 0x01, 0x0e)) + return true; + + return false; +} + +static lpi_module_t lpi_kik = { + LPI_PROTO_KIK, + LPI_CATEGORY_CHAT, + "Kik", + 5, /* Should be a higher priority than ApplePush */ + match_kik +}; + +void register_kik(LPIModuleMap *mod_map) { + register_protocol(&lpi_kik, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_kingofglory_tcp.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_kingofglory_tcp.cc new file mode 100644 index 0000000..330ac34 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_kingofglory_tcp.cc @@ -0,0 +1,73 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* TODO make sure this is not a more generic tencent games protocol? */ + +static inline bool match_kog_64(uint32_t payload, uint32_t len) { + if (len == 64 && MATCH(payload, 0x33, 0x66, 0x00, 0x09)) + return true; + return false; +} + +static inline bool match_kog_other(uint32_t payload, uint32_t len) { + if (len < 100 && MATCH(payload, 0x33, 0x66, 0x00, 0x09)) + return true; + return false; +} + +static inline bool match_kingofglory_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_kog_64(data->payload[0], data->payload_len[0])) { + if (match_kog_other(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_kog_64(data->payload[1], data->payload_len[1])) { + if (match_kog_other(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_kingofglory_tcp = { + LPI_PROTO_KINGOFGLORY, + LPI_CATEGORY_GAMING, + "KingOfGlory_TCP", + 99, + match_kingofglory_tcp +}; + +void register_kingofglory_tcp(LPIModuleMap *mod_map) { + register_protocol(&lpi_kingofglory_tcp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_kuaibo.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_kuaibo.cc new file mode 100644 index 0000000..6f4c89e --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_kuaibo.cc @@ -0,0 +1,131 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* First two bytes are actually a length field, byte 3 is always 0x03, + * byte 4 is probably a message type (must match both ways). + * + * However, since messages of a certain type always seem to have the same + * length for the request and response, I prefer matching like this + * where I can enforce the length requirement. + */ + +static inline bool match_1c_req(uint32_t payload, uint32_t len) { + if (len == 28 && MATCH(payload, 0x00, 0x1c, 0x03, 0x03)) + return true; + return false; +} + +static inline bool match_0c_resp(uint32_t payload, uint32_t len) { + if (len == 12 && MATCH(payload, 0x00, 0x0c, 0x03, 0x03)) + return true; + return false; +} + +static inline bool match_30_req(uint32_t payload, uint32_t len) { + + if (len == 48 && MATCH(payload, 0x00, 0x30, 0x03, 0x06)) + return true; + return false; + +} + +static inline bool match_20_resp(uint32_t payload, uint32_t len) { + + if (len == 32 && MATCH(payload, 0x00, 0x20, 0x03, 0x06)) + return true; + return false; + +} + +static inline bool match_24_req(uint32_t payload, uint32_t len) { + + if (len == 36 && MATCH(payload, 0x00, 0x24, 0x03, 0x01)) + return true; + return false; + +} + +static inline bool match_10_resp(uint32_t payload, uint32_t len) { + + if (len == 16 && MATCH(payload, 0x00, 0x10, 0x03, 0x01)) + return true; + return false; + +} + +static inline bool match_kuaibo(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_1c_req(data->payload[0], data->payload_len[0])) { + if (match_0c_resp(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_1c_req(data->payload[1], data->payload_len[1])) { + if (match_0c_resp(data->payload[0], data->payload_len[0])) + return true; + } + + if (match_30_req(data->payload[0], data->payload_len[0])) { + if (match_20_resp(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_30_req(data->payload[1], data->payload_len[1])) { + if (match_20_resp(data->payload[0], data->payload_len[0])) + return true; + } + + if (match_24_req(data->payload[0], data->payload_len[0])) { + if (match_10_resp(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_24_req(data->payload[1], data->payload_len[1])) { + if (match_10_resp(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_kuaibo = { + LPI_PROTO_KUAIBO, + LPI_CATEGORY_STREAMING, + "Kuaibo", + 51, + match_kuaibo +}; + +void register_kuaibo(LPIModuleMap *mod_map) { + register_protocol(&lpi_kuaibo, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_ldap.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_ldap.cc new file mode 100644 index 0000000..80f8614 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_ldap.cc @@ -0,0 +1,97 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_ldap_payload(uint32_t payload, uint32_t len) { + + uint8_t *byte = ((uint8_t *)&payload); + uint16_t struct_len = 0; + + if (len == 0) + return true; + + byte ++; + + if (((*byte) & 0x80) == 0x80) { + uint8_t bytes_required = ((*byte) & 0x7f); + if (bytes_required > 2 || bytes_required == 0) + return false; + + if (bytes_required == 1) { + if (len > 255) + return false; + byte ++; + struct_len = 3 + ((uint8_t)(*byte)); + if (!MATCH(payload, 0x30, ANY, ANY, 0x02)) + return false; + } else { + struct_len = 4 + ntohs(*((uint16_t *)(byte + 1))); + if (!MATCH(payload, 0x30, ANY, ANY, ANY)) + return false; + } + } else { + if (!MATCH(payload, 0x30, ANY, 0x02, 0x01)) + return false; + if (len > 255) + return false; + struct_len = (*byte) + 2; + } + + if (struct_len != len) + return false; + + + return true; + +} + +static inline bool match_ldap(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (!match_ldap_payload(data->payload[0], data->payload_len[0])) + return false; + if (!match_ldap_payload(data->payload[1], data->payload_len[1])) + return false; + + return true; +} + +static lpi_module_t lpi_ldap = { + LPI_PROTO_LDAP, + LPI_CATEGORY_SERVICES, + "LDAP", + 3, + match_ldap +}; + +void register_ldap(LPIModuleMap *mod_map) { + register_protocol(&lpi_ldap, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_lifeforge.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_lifeforge.cc new file mode 100644 index 0000000..a216e83 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_lifeforge.cc @@ -0,0 +1,86 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_lifeforge_login(uint32_t payload, uint32_t len) { + + uint32_t plen = bswap_le_to_host32(payload); + + /* I've only seen 0x25 in here, but that may vary depending on + * username length? */ + if (MATCH(payload, ANY, 0x00, 0x00, 0x00)) { + if (len == plen + 4) + return true; + } + + return false; +} + +static inline bool match_lifeforge_ping(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 0x0e, 0x00, 0x00, 0x00)) { + if (len == 18) + return true; + if (len == 34) + return true; + } + + return false; + +} + +static inline bool match_lifeforge(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_lifeforge_login(data->payload[0], data->payload_len[0])) { + if (match_lifeforge_ping(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_lifeforge_login(data->payload[1], data->payload_len[1])) { + if (match_lifeforge_ping(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_lifeforge = { + LPI_PROTO_LIFEFORGE, + LPI_CATEGORY_GAMING, + "LifeForge", + 150, + match_lifeforge +}; + +void register_lifeforge(LPIModuleMap *mod_map) { + register_protocol(&lpi_lifeforge, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_line.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_line.cc new file mode 100644 index 0000000..c4f15dd --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_line.cc @@ -0,0 +1,87 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_line_request(uint32_t payload, uint32_t len) { + + /* This packet varies in length but is always ~680 bytes if we + * end up needing a stronger rule */ + if (MATCH(payload, 0x80, 0x02, 0x00, 0x01)) + return true; + + if (len == 12 && MATCH(payload, 0x80, 0x02, 0x00, 0x06)) + return true; + + return false; + +} + +static inline bool match_line_response(uint32_t payload, uint32_t len) { + + if (len == 60 && MATCH(payload, 0x80, 0x02, 0x00, 0x04)) + return true; + + return false; + +} + +static inline bool match_line(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Restrict to port 443 for now */ + if (data->server_port != 443 && data->client_port != 443) + return false; + + /* This looks a lot like an SSL 2.0 handshake */ + if (match_line_request(data->payload[0], data->payload_len[0])) { + if (match_line_response(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_line_request(data->payload[1], data->payload_len[1])) { + if (match_line_response(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_line = { + LPI_PROTO_LINE, + LPI_CATEGORY_CHAT, + "Line", + 12, + match_line +}; + +void register_line(LPIModuleMap *mod_map) { + register_protocol(&lpi_line, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_litecoin.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_litecoin.cc new file mode 100644 index 0000000..8039024 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_litecoin.cc @@ -0,0 +1,60 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_lc_magic(uint32_t payload) { + if (MATCH(payload, 0xfb, 0xc0, 0xb6, 0xdb)) + return true; + return false; +} + +static inline bool match_litecoin(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Port 9333 */ + + if (match_lc_magic(data->payload[0]) && match_lc_magic(data->payload[1])) + return true; + + return false; +} + +static lpi_module_t lpi_litecoin = { + LPI_PROTO_LITECOIN, + LPI_CATEGORY_ECOMMERCE, + "Litecoin", + 5, + match_litecoin +}; + +void register_litecoin(LPIModuleMap *mod_map) { + register_protocol(&lpi_litecoin, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_llp2p.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_llp2p.cc new file mode 100644 index 0000000..a2e820f --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_llp2p.cc @@ -0,0 +1,84 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Low Latency P2P -- open-source Chinese P2P streaming software. + * https://github.com/momomou/llp2p + */ +static inline bool match_llp2p_get(uint32_t payload, uint32_t len) { + /* Outgoing request looks like an HTTP GET -- maybe aiming to fool + * DPI software? */ + + /* Only seen len=133 so far but this seems like it could change */ + if (MATCH(payload, 'G', 'E', 'T', 0x20)) + return true; + return false; + +} + +static inline bool match_llp2p_update(uint32_t payload, uint32_t len) { + + /* Not sure on the length requirement, but I've only seen 454 + * bytes so far. + */ + if (MATCH(payload, 0x13, 0x00, 0x01, 0x00) && len == 454) + return true; + return false; + +} + +static inline bool match_llp2p(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_llp2p_get(data->payload[0], data->payload_len[0])) { + if (match_llp2p_update(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_llp2p_get(data->payload[1], data->payload_len[1])) { + if (match_llp2p_update(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_llp2p = { + LPI_PROTO_LLP2P, + LPI_CATEGORY_P2PTV, + "LLP2P", + 12, + match_llp2p +}; + +void register_llp2p(LPIModuleMap *mod_map) { + register_protocol(&lpi_llp2p, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_maplestory_china.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_maplestory_china.cc new file mode 100644 index 0000000..16fa307 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_maplestory_china.cc @@ -0,0 +1,119 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_cms_hello(uint32_t payload, uint32_t len) { + + if (len == 16 || len == 536) { + if (MATCH(payload, 0x0e, 0x00, 0x8d, 0x00)) + return true; + if (MATCH(payload, 0x0e, 0x00, 0x8e, 0x00)) + return true; + if (MATCH(payload, 0x0e, 0x00, 0x8f, 0x00)) + return true; + if (MATCH(payload, 0x0e, 0x00, 0x90, 0x00)) + return true; + if (MATCH(payload, 0x0e, 0x00, 0x91, 0x00)) + return true; + } + return false; + +} + +static inline bool match_cms_alt(uint32_t payload, uint32_t len) { + + if (len == 16) { + if (MATCH(payload, 0x0e, 0x00, 0xba, 0x00)) + return true; + if (MATCH(payload, 0x0e, 0x00, 0xbb, 0x00)) + return true; + } + return false; +} + +static inline bool match_cms_51(uint32_t payload, uint32_t len) { + if (len == 16) { + if (MATCH(payload, 0x0e, 0x00, 0xc1, 0x00)) { + return true; + } + } + return false; +} + +static inline bool match_maplestory_china(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Can also restrict to ports 8585 and 8586 if required */ + + if (match_cms_hello(data->payload[0], data->payload_len[0])) { + if (data->payload_len[1] == 42) + return true; + } + + if (match_cms_hello(data->payload[1], data->payload_len[1])) { + if (data->payload_len[0] == 42) + return true; + } + + if (match_cms_alt(data->payload[0], data->payload_len[0])) { + if (data->payload_len[1] == 40) + return true; + } + + if (match_cms_alt(data->payload[1], data->payload_len[1])) { + if (data->payload_len[0] == 40) + return true; + } + + if (match_cms_51(data->payload[0], data->payload_len[0])) { + if (data->payload_len[1] == 51) + return true; + } + + if (match_cms_51(data->payload[1], data->payload_len[1])) { + if (data->payload_len[0] == 51) + return true; + } + + return false; +} + +static lpi_module_t lpi_maplestory_china = { + LPI_PROTO_MAPLESTORY_CHINA, + LPI_CATEGORY_GAMING, + "MaplestoryChina", + 12, + match_maplestory_china +}; + +void register_maplestory_china(LPIModuleMap *mod_map) { + register_protocol(&lpi_maplestory_china, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_maxicloud.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_maxicloud.cc new file mode 100644 index 0000000..000ddde --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_maxicloud.cc @@ -0,0 +1,64 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +static inline bool match_maxicloud(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* MaxiCloud actually uses HTTP, but there is some weird behaviour + * with some servers where we see a 1 byte response to the login + * POST prior to the actual HTTP response so we can distinguish these + * flows as MaxiCloud specifically. + */ + + if (MATCHSTR(data->payload[0], "POST") && MATCH(data->payload[1], + 0x00, 0x00, 0x00, 0x00) && data->payload_len[1] == 1) + return true; + + if (MATCHSTR(data->payload[1], "POST") && MATCH(data->payload[0], + 0x00, 0x00, 0x00, 0x00) && data->payload_len[0] == 1) + return true; + + return false; +} + +static lpi_module_t lpi_maxicloud = { + LPI_PROTO_MAXICLOUD, + LPI_CATEGORY_CLOUD, + "MaxiCloud", + 100, + match_maxicloud +}; + +void register_maxicloud(LPIModuleMap *mod_map) { + register_protocol(&lpi_maxicloud, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_message4u.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_message4u.cc new file mode 100644 index 0000000..578eaab --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_message4u.cc @@ -0,0 +1,51 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_message4u(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_either(data, "m4ul")) + return true; + return false; +} + +static lpi_module_t lpi_message4u = { + LPI_PROTO_M4U, + LPI_CATEGORY_TELCO, + "Message4U", + 3, + match_message4u +}; + +void register_message4u(LPIModuleMap *mod_map) { + register_protocol(&lpi_message4u, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_minecraft.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_minecraft.cc new file mode 100644 index 0000000..434478b --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_minecraft.cc @@ -0,0 +1,213 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_mc_server_ping(uint32_t payload, uint32_t len) { + + /* There are two variants of the server ping + * + * http://mc.kev009.com/Server_List_Ping + */ + + if (len == 1) { + if (MATCH(payload, 0xfe, 0x00, 0x00, 0x00)) + return true; + } + + if (len == 2) { + if (MATCH(payload, 0xf3, 0x01, 0x00, 0x00)) + return true; + } + + return false; + +} + +static inline bool match_mc_kick(uint32_t payload, uint32_t len) { + + uint32_t str_len; + + if (!MATCH(payload, 0xff, ANY, ANY, 0x00)) + return false; + + /* Middle 2 bytes are the length of the string following the initial + * header. Unfortunately there is more to the packet after the string, + * so we just have to check that the length makes sense given the size + * of the packet */ + + str_len = (ntohl(payload) >> 8) & 0xffff; + + if (str_len >= len) + return false; + return true; + +} + +static inline bool match_mc_handshake(uint32_t payload, uint32_t len) { + /* Ref: http://wiki.vg/Protocol */ + uint32_t replen; + + replen = ntohl(payload) >> 24; + + if (replen == len - 1) { + if (MATCH(payload, ANY, 0x00, ANY, ANY) && len - 1 <= 255) + return true; + if (MATCH(payload, ANY, 0x01, ANY, ANY) && len - 1 >= 256) + return true; + } + + /* Some handshakes seem to be undersized? */ + if (len == 187 && MATCH(payload, 0xb9, 0x01, 0x01, 0x0e)) + return true; + if (len == 188 && MATCH(payload, 0xba, 0x01, 0x01, 0x0f)) + return true; + if (len == 189 && MATCH(payload, 0xbb, 0x01, 0x01, 0x10)) + return true; + if (len == 190 && MATCH(payload, 0xbc, 0x01, 0x01, 0x11)) + return true; + + return false; +} + +static inline bool match_mc_v5_handshake(uint32_t payload, uint32_t len) { + + uint32_t replen; + uint32_t serverlen; + + replen = ntohl(payload) >> 24; + serverlen = ntohl(payload) & 0xff; + + if (replen == len - 1 && len - 1 <= 255) { + if (!MATCH(payload, ANY, 0x00, 0x05, ANY)) + return false; + if (serverlen != replen - 6) + return false; + return true; + } + + return false; + +} + +static inline bool match_mc_handshake_reply(uint32_t payload, uint32_t len) { + + /* Not technically a handshake reply, as the protocol spec doesn't + * have one. This pattern is what we see in the other direction + * after a handshake though. + */ + if (len == 173) { + if (MATCH(payload, 0xab, 0x01, 0x01, 0x00)) + return true; + } + + if (len == 174) { + if (MATCH(payload, 0xac, 0x01, 0x01, 0x00)) + return true; + } + + if (len == 22 && MATCH(payload, 0x15, 0x00, 0xd4, 0x02)) + return true; + if (len == 24 && MATCH(payload, 0x17, 0x00, 0xcf, 0x02)) + return true; + if (len == 29 && MATCH(payload, 0x1c, 0x00, 0xd2, 0x01)) + return true; + if (len == 30 && MATCH(payload, 0x1d, 0x00, 0xd4, 0x02)) + return true; + + if (len == 4) { + if (MATCH(payload, 0x03, 0x03, 0x80, 0x02)) + return true; + } + + return false; + +} + +static inline bool match_minecraft(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_mc_server_ping(data->payload[0], data->payload_len[0])) { + if (match_mc_kick(data->payload[1], data->payload_len[1])) { + return true; + } + } + + if (match_mc_server_ping(data->payload[1], data->payload_len[1])) { + if (match_mc_kick(data->payload[0], data->payload_len[0])) { + return true; + } + } + + if (match_mc_handshake(data->payload[0], data->payload_len[0])) { + if (match_mc_handshake_reply(data->payload[1], + data->payload_len[1])) + return true; + /* apparently we can have handshake reqs in both dirs? */ + if (match_mc_handshake(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_mc_handshake(data->payload[1], data->payload_len[1])) { + if (match_mc_handshake_reply(data->payload[0], + data->payload_len[0])) + return true; + /* apparently we can have handshake reqs in both dirs? */ + if (match_mc_handshake(data->payload[0], data->payload_len[0])) + return true; + } + + + /* Some servers running old versions of MC are annoying and send + * single byte packets */ + if (match_mc_v5_handshake(data->payload[0], data->payload_len[0])) { + if (data->payload_len[1] == 1) + return true; + } + + if (match_mc_v5_handshake(data->payload[1], data->payload_len[1])) { + if (data->payload_len[0] == 1) + return true; + } + + return false; +} + +static lpi_module_t lpi_minecraft = { + LPI_PROTO_MINECRAFT, + LPI_CATEGORY_GAMING, + "Minecraft", + 35, + match_minecraft +}; + +void register_minecraft(LPIModuleMap *mod_map) { + register_protocol(&lpi_minecraft, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_mitglieder.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_mitglieder.cc new file mode 100644 index 0000000..5cf25be --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_mitglieder.cc @@ -0,0 +1,50 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_mitglieder(lpi_data_t *data, lpi_module_t *mod UNUSED) { + if (match_chars_either(data, 0x04, 0x01, 0x00, 0x19)) + return true; + return false; +} + +static lpi_module_t lpi_mitglieder = { + LPI_PROTO_MITGLIEDER, + LPI_CATEGORY_MALWARE, + "Mitglieder_Trojan", + 8, + match_mitglieder +}; + +void register_mitglieder(LPIModuleMap *mod_map) { + register_protocol(&lpi_mitglieder, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_mms.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_mms.cc new file mode 100644 index 0000000..59f6466 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_mms.cc @@ -0,0 +1,81 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_mms_server(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 0x01, 0x00, 0x00, ANY)) + return true; + return false; + +} + +static inline bool match_mms_client(uint32_t payload, uint32_t len) { + + if (len != 144) + return false; + if (MATCH(payload, 0x01, 0x00, 0x00, ANY)) + return true; + return false; + +} + + +static inline bool match_mms(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Microsoft Media Server protocol */ + + if (match_mms_server(data->payload[0], data->payload_len[0])) { + if (match_mms_client(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_mms_server(data->payload[1], data->payload_len[1])) { + if (match_mms_client(data->payload[0], data->payload_len[0])) + return true; + } + + + return false; +} + +static lpi_module_t lpi_mms = { + LPI_PROTO_MMS, + LPI_CATEGORY_STREAMING, + "MMS", + 6, + match_mms +}; + +void register_mms(LPIModuleMap *mod_map) { + register_protocol(&lpi_mms, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_mongo.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_mongo.cc new file mode 100644 index 0000000..e48405d --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_mongo.cc @@ -0,0 +1,101 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Mongo protocol uses the first four bytes as a length field */ +static inline bool match_mongo_req(uint32_t payload, uint32_t len) { + + uint32_t mongolen = bswap_le_to_host32(payload); + + /* Most requests are very small */ + if (MATCH(payload, ANY, 0x00, 0x00, 0x00) || + MATCH(payload, ANY, 0x01, 0x00, 0x00)) { + /* Some mongo libraries manage to split requests across + * multiple packets, so we can't do a direct length + * match :( + */ + if (mongolen >= len) + return true; + } + + return false; + +} + +static inline bool match_mongo_reply(uint32_t payload, uint32_t len) { + + uint32_t mongolen = bswap_le_to_host32(payload); + + /* If reply is short, mongolen should match the packet length */ + if (mongolen == len) + return true; + + /* If mongolen is large, packet len should be MTU-sized. Here, + * we'll assume an MTU of at least 1400 (sorry, people with + * tons of encapsulation) */ + if (mongolen > len) { + if (len >= 1400) + return true; + } + + return false; + +} + +static inline bool match_mongo(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Restrict to the default mongo port for now */ + if (data->server_port != 27017 && data->client_port != 27017) + return false; + + if (match_mongo_req(data->payload[0], data->payload_len[0])) { + if (match_mongo_reply(data->payload[1], data->payload_len[1])) + return true; + } + if (match_mongo_req(data->payload[1], data->payload_len[1])) { + if (match_mongo_reply(data->payload[0], data->payload_len[0])) + return true; + } + return false; +} + +static lpi_module_t lpi_mongo = { + LPI_PROTO_MONGO, + LPI_CATEGORY_DATABASES, + "MongoDB", + 88, + match_mongo +}; + +void register_mongo(LPIModuleMap *mod_map) { + register_protocol(&lpi_mongo, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_mp2p.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_mp2p.cc new file mode 100644 index 0000000..0ec6275 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_mp2p.cc @@ -0,0 +1,64 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_mp2p(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Looking for STR, SIZ, MD5, GO!! */ + + if (match_str_both(data, "STR ", "SIZ ")) + return true; + if (MATCHSTR(data->payload[0], "STR ")) { + if (data->payload_len[0] == 10 || data->payload_len[0] == 11) + return true; + } + if (MATCHSTR(data->payload[1], "STR ")) { + if (data->payload_len[1] == 10 || data->payload_len[1] == 11) + return true; + } + + + + return false; +} + +static lpi_module_t lpi_mp2p = { + LPI_PROTO_MP2P, + LPI_CATEGORY_P2P, + "MP2P_TCP", + 2, + match_mp2p +}; + +void register_mp2p(LPIModuleMap *mod_map) { + register_protocol(&lpi_mp2p, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_msn.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_msn.cc new file mode 100644 index 0000000..003d19d --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_msn.cc @@ -0,0 +1,54 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_msn(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_either(data, "ANS ")) + return true; + if (match_str_either(data, "VER ")) + return true; + + return false; +} + +static lpi_module_t lpi_msn = { + LPI_PROTO_MSN, + LPI_CATEGORY_CHAT, + "MSN", + 2, + match_msn +}; + +void register_msn(LPIModuleMap *mod_map) { + register_protocol(&lpi_msn, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_msnc.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_msnc.cc new file mode 100644 index 0000000..b734e68 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_msnc.cc @@ -0,0 +1,70 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_msnc(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* http://msnpiki.msnfanatic.com/index.php/MSNC:File_Transfer#Direct_connection:_Handshake */ + + /* MSNC sends the length as a separate packet before the data. To + * confirm MSNC, you have to look at the second packet sent by the + * connecting host. It should begin with 'foo'. */ + + if (match_str_both(data, "\x30\x00\x00\x00", "\x04\x00\x00\x00")) { + if (data->payload_len[0] == 4 && data->payload_len[1] == 4) + return true; + } + if (match_str_both(data, "\x10\x00\x00\x00", "\x04\x00\x00\x00")) { + if (MATCH(data->payload[0], 0x04, 0x00, 0x00, 0x00)) { + if (data->payload_len[0] == 4) + return true; + } + if (MATCH(data->payload[1], 0x04, 0x00, 0x00, 0x00)) { + if (data->payload_len[1] == 4) + return true; + } + } + + return false; +} + +static lpi_module_t lpi_msnc = { + LPI_PROTO_MSNC, + LPI_CATEGORY_FILES, + "MSNC", + 3, + match_msnc +}; + +void register_msnc(LPIModuleMap *mod_map) { + register_protocol(&lpi_msnc, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_msnv.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_msnv.cc new file mode 100644 index 0000000..9db045b --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_msnv.cc @@ -0,0 +1,51 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_msnv(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_both(data, "\x01\x01\x00\x70", "\x00\x01\x00\x64")) + return true; + return false; +} + +static lpi_module_t lpi_msnv = { + LPI_PROTO_MSNV, + LPI_CATEGORY_CHAT, + "MSN_Voice", + 3, + match_msnv +}; + +void register_msnv(LPIModuleMap *mod_map) { + register_protocol(&lpi_msnv, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_munin.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_munin.cc new file mode 100644 index 0000000..ea68858 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_munin.cc @@ -0,0 +1,58 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_munin(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Can also match on TCP port 4949 if we're having false positive + * problems */ + + /* Also, one common munin command (seen in the other direction) + * is "cap " */ + + if (match_str_either(data, "# mu")) + return true; + + return false; +} + +static lpi_module_t lpi_munin = { + LPI_PROTO_MUNIN, + LPI_CATEGORY_MONITORING, + "Munin", + 6, + match_munin +}; + +void register_munin(LPIModuleMap *mod_map) { + register_protocol(&lpi_munin, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_mysql.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_mysql.cc new file mode 100644 index 0000000..96ce748 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_mysql.cc @@ -0,0 +1,83 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_mysql(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + uint32_t stated_len = 0; + + if (data->payload_len[0] == 0 && data->payload_len[1] == 0) + return false; + + /* Need to enforce some sort of port checking here */ + if (data->server_port != 3306 && data->client_port != 3306) + return false; + + stated_len = (data->payload[0] & 0xffffff); + if (data->payload_len[0] > 0 && stated_len != data->payload_len[0] - 4) + return false; + + stated_len = (data->payload[1] & 0xffffff); + if (data->payload_len[1] > 0 && stated_len != data->payload_len[1] - 4) + return false; + + if (MATCH(data->payload[0], ANY, ANY, ANY, 0x00) && + MATCH(data->payload[1], ANY, ANY, ANY, 0x01)) + return true; + + if (MATCH(data->payload[1], ANY, ANY, ANY, 0x00) && + MATCH(data->payload[0], ANY, ANY, ANY, 0x01)) + return true; + + + if (MATCH(data->payload[0], ANY, ANY, ANY, 0x00) && + data->payload_len[1] == 0) + return true; + + if (MATCH(data->payload[1], ANY, ANY, ANY, 0x00) && + data->payload_len[0] == 0) + return true; + + return false; +} + +static lpi_module_t lpi_mysql = { + LPI_PROTO_MYSQL, + LPI_CATEGORY_DATABASES, + "MySQL", + 4, + match_mysql +}; + +void register_mysql(LPIModuleMap *mod_map) { + register_protocol(&lpi_mysql, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_mystery_8000.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_mystery_8000.cc new file mode 100644 index 0000000..ee58a59 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_mystery_8000.cc @@ -0,0 +1,58 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_mystery_8000(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* These patterns typically appear on UDP port 8000 (and occasionally + * TCP port 80) */ + + if (!match_8000_payload(data->payload[0], data->payload_len[0])) + return false; + if (!match_8000_payload(data->payload[1], data->payload_len[1])) + return false; + + return true; + +} + +static lpi_module_t lpi_mystery_8000 = { + LPI_PROTO_MYSTERY_8000, + LPI_CATEGORY_NO_CATEGORY, + "Mystery_8000", + 250, + match_mystery_8000 +}; + +void register_mystery_8000(LPIModuleMap *mod_map) { + register_protocol(&lpi_mystery_8000, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_mystery_9000.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_mystery_9000.cc new file mode 100644 index 0000000..6d1af54 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_mystery_9000.cc @@ -0,0 +1,71 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_mystery_9000_payload(uint32_t payload, uint32_t len) { + if (len == 0) + return true; + if (len != 80) + return false; + if (MATCH(payload, 0x4c, 0x00, 0x00, 0x00)) + return true; + return false; +} + + +static inline bool match_mystery_9000(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Not entirely sure what this is - looks kinda like Samba that is + * occurring primarily on port 9000. Many storage solutions use + * port 9000 as a default port so this is a possibility, but the + * use of this protocol is rather spammy */ + + if (!match_mystery_9000_payload(data->payload[0], data->payload_len[0])) + return false; + if (!match_mystery_9000_payload(data->payload[1], data->payload_len[1])) + return false; + + return true; + +} + +static lpi_module_t lpi_mystery_9000 = { + LPI_PROTO_MYSTERY_9000, + LPI_CATEGORY_NO_CATEGORY, + "Mystery_9000", + 250, + match_mystery_9000 +}; + +void register_mystery_9000(LPIModuleMap *mod_map) { + register_protocol(&lpi_mystery_9000, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_mystery_conn.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_mystery_conn.cc new file mode 100644 index 0000000..dcac2b9 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_mystery_conn.cc @@ -0,0 +1,63 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_mystery_conn(lpi_data_t *data, lpi_module_t *mod UNUSED) { + /* Appears to be some sort of file transfer protocol, but + * trying to google for a protocol using words such as "connect" + * and "receive" is not very helpful */ + + if (match_str_both(data, "conn", "reci")) + return true; + + if (match_str_either(data, "reci")) { + if (data->payload_len[1] == 0) + return true; + if (data->payload_len[0] == 0) + return true; + } + + + return false; +} + +static lpi_module_t lpi_mystery_conn = { + LPI_PROTO_MYSTERY_CONN, + LPI_CATEGORY_NO_CATEGORY, + "Mystery_conn", + 250, + match_mystery_conn +}; + +void register_mystery_conn(LPIModuleMap *mod_map) { + register_protocol(&lpi_mystery_conn, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_mystery_iG.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_mystery_iG.cc new file mode 100644 index 0000000..428bf5e --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_mystery_iG.cc @@ -0,0 +1,65 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_mystery_iG(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Another mystery protocol - the payload pattern is the same in + * both directions. Have observed this on port 20005 and port 8080, + * but not obvious what exactly this is */ + + if (match_str_both(data, "\xd7\x69\x47\x26", "\xd7\x69\x47\x26")) + return true; + if (MATCH(data->payload[0], 0xd7, 0x69, 0x47, 0x26)) { + if (data->payload_len[1] == 0) + return true; + } + if (MATCH(data->payload[1], 0xd7, 0x69, 0x47, 0x26)) { + if (data->payload_len[0] == 0) + return true; + } + + + return false; +} + +static lpi_module_t lpi_mystery_iG = { + LPI_PROTO_MYSTERY_IG, + LPI_CATEGORY_NO_CATEGORY, + "Mystery_iG", + 250, + match_mystery_iG +}; + +void register_mystery_iG(LPIModuleMap *mod_map) { + register_protocol(&lpi_mystery_iG, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_mystery_pspr.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_mystery_pspr.cc new file mode 100644 index 0000000..d592a11 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_mystery_pspr.cc @@ -0,0 +1,59 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_mystery_pspr(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_both(data, "PSPr", "PSPr")) + return true; + if (match_str_either(data, "PSPr")) { + if (data->payload_len[0] == 0) + return true; + if (data->payload_len[1] == 0) + return true; + } + + + return false; +} + +static lpi_module_t lpi_mystery_pspr = { + LPI_PROTO_MYSTERY_PSPR, + LPI_CATEGORY_NO_CATEGORY, + "Mystery_PSPR", + 250, + match_mystery_pspr +}; + +void register_mystery_pspr(LPIModuleMap *mod_map) { + register_protocol(&lpi_mystery_pspr, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_mystery_rxxf.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_mystery_rxxf.cc new file mode 100644 index 0000000..964977a --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_mystery_rxxf.cc @@ -0,0 +1,60 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_mystery_rxxf(lpi_data_t *data, + lpi_module_t *mod UNUSED) { + + /* Things we know about this protocol: + * + * One endpoint is always running on TCP port 3128 (squid). + * The other end always seems to be in Chinese address space. + * Bytes 5-8 are a length field. + */ + + if (match_str_either(data, "RXXF")) + return true; + + return false; +} + +static lpi_module_t lpi_mystery_rxxf = { + LPI_PROTO_MYSTERY_RXXF, + LPI_CATEGORY_NO_CATEGORY, + "Mystery_RXXF", + 250, + match_mystery_rxxf +}; + +void register_mystery_rxxf(LPIModuleMap *mod_map) { + register_protocol(&lpi_mystery_rxxf, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_mystery_symantec.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_mystery_symantec.cc new file mode 100644 index 0000000..464db00 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_mystery_symantec.cc @@ -0,0 +1,76 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_mystery_symantec(lpi_data_t *data, + lpi_module_t *mod UNUSED) { + + /* This protocol definitely goes to hosts in the Symantec IP space, + * but it is not exactly clear what the purpose of it is */ + + /* Always on TCP port 80 */ + if (data->server_port != 80 && data->client_port != 80) + return false; + + if (data->payload_len[0] != 4 || data->payload_len[1] != 4) + return false; + + if (MATCH(data->payload[0], 0x00, 0x00, 0x00, 0x00)) { + if (MATCH(data->payload[1], 0x00, 0x00, 0x00, 0x00)) + return false; + if (MATCH(data->payload[1], 0x58, 0x54, 0x7d, 0x01)) + return true; + if (MATCH(data->payload[1], ANY, ANY, ANY, 0x00)) + return true; + } + + if (MATCH(data->payload[1], 0x00, 0x00, 0x00, 0x00)) { + if (MATCH(data->payload[1], 0x58, 0x54, 0x7d, 0x01)) + return true; + if (MATCH(data->payload[0], ANY, ANY, ANY, 0x00)) + return true; + } + + return false; +} + +static lpi_module_t lpi_mystery_symantec = { + LPI_PROTO_MYSTERY_SYMANTEC, + LPI_CATEGORY_NO_CATEGORY, + "Mystery_Symantec", + 250, + match_mystery_symantec +}; + +void register_mystery_symantec(LPIModuleMap *mod_map) { + register_protocol(&lpi_mystery_symantec, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_mzinga.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_mzinga.cc new file mode 100644 index 0000000..7879731 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_mzinga.cc @@ -0,0 +1,52 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_mzinga(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_either(data, "PCHA")) + return true; + + return false; +} + +static lpi_module_t lpi_mzinga = { + LPI_PROTO_MZINGA, + LPI_CATEGORY_CHAT, + "Mzinga", + 3, + match_mzinga +}; + +void register_mzinga(LPIModuleMap *mod_map) { + register_protocol(&lpi_mzinga, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_naverp2p.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_naverp2p.cc new file mode 100644 index 0000000..e34535e --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_naverp2p.cc @@ -0,0 +1,61 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_naver_magic(uint32_t payload) { + if (MATCH(payload, 0xcf, 0x10, 0x00, 0x1f)) + return true; + return false; +} + +static inline bool match_naverp2p(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_naver_magic(data->payload[0])) { + if (match_naver_magic(data->payload[1])) { + return true; + } + } + + return false; +} + +static lpi_module_t lpi_naverp2p = { + LPI_PROTO_NAVER_P2P, + LPI_CATEGORY_P2P, + "NaverP2P", + 29, + match_naverp2p +}; + +void register_naverp2p(LPIModuleMap *mod_map) { + register_protocol(&lpi_naverp2p, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_ncsoft.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_ncsoft.cc new file mode 100644 index 0000000..eeca36b --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_ncsoft.cc @@ -0,0 +1,53 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_ncsoft(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_chars_either(data, 0x00, 0x05, 0x0c, 0x00)) + return true; + + return false; +} + +static lpi_module_t lpi_ncsoft = { + LPI_PROTO_NCSOFT, + LPI_CATEGORY_GAMING, + "NCSoft", + 4, /* Not the strongest rule, although this hasn't caused any problems + * in the past */ + match_ncsoft +}; + +void register_ncsoft(LPIModuleMap *mod_map) { + register_protocol(&lpi_ncsoft, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_ndt_tput.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_ndt_tput.cc new file mode 100644 index 0000000..640572c --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_ndt_tput.cc @@ -0,0 +1,60 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +static inline bool match_ndt_tput(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* One-way throughput test */ + if (MATCH(data->payload[0], 0x20, 0x21, 0x22, 0x23) && + data->payload_len[1] == 0) { + return true; + } + if (MATCH(data->payload[1], 0x20, 0x21, 0x22, 0x23) && + data->payload_len[0] == 0) { + return true; + } + + return false; +} + +static lpi_module_t lpi_ndt_tput = { + LPI_PROTO_NDT_TPUT, + LPI_CATEGORY_MONITORING, + "NDTThroughput", + 100, + match_ndt_tput +}; + +void register_ndt_tput(LPIModuleMap *mod_map) { + register_protocol(&lpi_ndt_tput, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_netbios.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_netbios.cc new file mode 100644 index 0000000..2aff478 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_netbios.cc @@ -0,0 +1,62 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_netbios(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + uint32_t stated_len = 0; + + if (MATCH(data->payload[0], 0x81, 0x00, ANY, ANY)) { + stated_len = ntohl(data->payload[0]) & 0xffff; + if (stated_len == data->payload_len[0] - 4) + return true; + } + + if (MATCH(data->payload[1], 0x81, 0x00, ANY, ANY)) { + stated_len = ntohl(data->payload[1]) & 0xffff; + if (stated_len == data->payload_len[1] - 4) + return true; + } + + return false; +} +static lpi_module_t lpi_netbios = { + LPI_PROTO_NETBIOS, + LPI_CATEGORY_SERVICES, + "NetBIOS", + 2, + match_netbios +}; + +void register_netbios(LPIModuleMap *mod_map) { + register_protocol(&lpi_netbios, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_netcat_cctv.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_netcat_cctv.cc new file mode 100644 index 0000000..d8af5c0 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_netcat_cctv.cc @@ -0,0 +1,77 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_netcat_ff00(uint32_t payload, uint32_t len) { + if (MATCHSTR(payload, "\xff\x00\x00\x00")) + return true; + return false; +} + +static inline bool match_netcat_ff01(uint32_t payload, uint32_t len) { + if (MATCHSTR(payload, "\xff\x01\x00\x00")) + return true; + return false; +} + +static inline bool match_netcat_cctv(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Protocol used by Netcat branded IP Cameras + * http://www.netcatcctv.com + */ + + if (match_netcat_ff00(data->payload[0], data->payload_len[0])) { + if (match_netcat_ff01(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_netcat_ff00(data->payload[1], data->payload_len[1])) { + if (match_netcat_ff01(data->payload[0], data->payload_len[0])) + return true; + } + + + + return false; +} + +static lpi_module_t lpi_netcat_cctv = { + LPI_PROTO_NETCAT_CCTV, + LPI_CATEGORY_IPCAMERAS, + "NetcatCCTV", + 20, + match_netcat_cctv +}; + +void register_netcat_cctv(LPIModuleMap *mod_map) { + register_protocol(&lpi_netcat_cctv, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_netmfp.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_netmfp.cc new file mode 100644 index 0000000..28daef2 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_netmfp.cc @@ -0,0 +1,84 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* .NET Message Framing Protocol */ + +static inline bool match_version_record(uint32_t payload, uint32_t len) { + + /* Length will probably vary */ + /* Version, mode and via records are often included in the same + * packet */ + + if (MATCH(payload, 0x00, 0x01, 0x00, 0x01)) + return true; + return false; + +} + +static inline bool match_upgrade_resp(uint32_t payload, uint32_t len) { + + if (len == 1 && MATCH(payload, 0x0a, 0x00, 0x00, 0x00)) + return true; + return false; + +} + +static inline bool match_netmfp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Limit to port 7150 for now -- this probably only corresponds to + * one MS service that uses this protocol, but I'm going to play + * it conservative. + */ + + if (data->server_port != 7150 && data->client_port != 7150) + return false; + + if (match_version_record(data->payload[0], data->payload_len[0])) { + if (match_upgrade_resp(data->payload[1], data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_netmfp = { + LPI_PROTO_NET_MFP, + LPI_CATEGORY_WEB, + "NET-MFP", + 199, + match_netmfp +}; + +void register_netmfp(LPIModuleMap *mod_map) { + register_protocol(&lpi_netmfp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_nntp.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_nntp.cc new file mode 100644 index 0000000..bb1fdda --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_nntp.cc @@ -0,0 +1,63 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_nntp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_either(data, "mode")) return true; + if (match_str_either(data, "MODE")) return true; + if (match_str_either(data, "GROU")) return true; + if (match_str_either(data, "grou")) return true; + + if (match_str_both(data, "AUTH", "200 ")) return true; + if (match_str_both(data, "AUTH", "201 ")) return true; + if (match_str_both(data, "AUTH", "200-")) return true; + if (match_str_both(data, "AUTH", "201-")) return true; + if (match_str_both(data, "auth", "200 ")) return true; + if (match_str_both(data, "auth", "201 ")) return true; + if (match_str_both(data, "auth", "200-")) return true; + if (match_str_both(data, "auth", "201-")) return true; + + return false; +} + +static lpi_module_t lpi_nntp = { + LPI_PROTO_NNTP, + LPI_CATEGORY_NEWS, + "NNTP", + 4, + match_nntp +}; + +void register_nntp(LPIModuleMap *mod_map) { + register_protocol(&lpi_nntp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_nntps.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_nntps.cc new file mode 100644 index 0000000..85e6ee2 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_nntps.cc @@ -0,0 +1,58 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_nntps(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* This rule matches NNTP over SSL/TLS */ + + if (!match_ssl(data)) + return false; + + /* NNTPS uses port 563 */ + if (data->server_port != 563 && data->client_port != 563) + return false; + + return true; +} + +static lpi_module_t lpi_nntps = { + LPI_PROTO_NNTPS, + LPI_CATEGORY_NEWS, + "NNTPS", + 5, /* Should be a higher priority than regular SSL */ + match_nntps +}; + +void register_nntps(LPIModuleMap *mod_map) { + register_protocol(&lpi_nntps, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_nofirstpkt.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_nofirstpkt.cc new file mode 100644 index 0000000..4a869c0 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_nofirstpkt.cc @@ -0,0 +1,52 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +bool match_no_firstpkt(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if ( (data->observed[0] != 0 || data->observed[1] != 0) && + (data->payload_len[0] == 0 && data->payload_len[1] == 0) ) + return true; + + return false; +} + +static lpi_module_t lpi_no_firstpkt = { + LPI_PROTO_NO_FIRSTPKT, + LPI_CATEGORY_NOPAYLOAD, + "No_FirstPkt", + 0, /* Must supercede all other protocols */ + match_no_firstpkt +}; + +void register_tcp_no_firstpkt(LPIModuleMap *mod_map) { + register_protocol(&lpi_no_firstpkt, mod_map); +} diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_nomachine.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_nomachine.cc new file mode 100644 index 0000000..125a49e --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_nomachine.cc @@ -0,0 +1,76 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_nxd(uint32_t payload, uint32_t len) { + if (len == 11 && MATCH(payload, 'N', 'X', 'D', '-')) + return true; + return false; +} + +static inline bool match_nxup(uint32_t payload, uint32_t len) { + if (len < 20 && MATCH(payload, 'N', 'X', 'U', 'P')) + return true; + return false; +} + +static inline bool match_nomachine(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Port 4000? */ + + if (match_nxup(data->payload[0], data->payload_len[0])) { + if (match_nxd(data->payload[1], data->payload_len[1])) { + return true; + } + } + + if (match_nxd(data->payload[0], data->payload_len[0])) { + if (match_nxup(data->payload[1], data->payload_len[1])) { + return true; + } + } + + + return false; +} + +static lpi_module_t lpi_nomachine = { + LPI_PROTO_NOMACHINE, + LPI_CATEGORY_REMOTE, + "NoMachine", + 19, + match_nomachine +}; + +void register_nomachine(LPIModuleMap *mod_map) { + register_protocol(&lpi_nomachine, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_nopayload.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_nopayload.cc new file mode 100644 index 0000000..783776d --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_nopayload.cc @@ -0,0 +1,51 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +bool match_no_payload(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->observed[0] == 0 && data->observed[1] == 0) + return true; + + return false; +} + +static lpi_module_t lpi_no_payload = { + LPI_PROTO_NO_PAYLOAD, + LPI_CATEGORY_NOPAYLOAD, + "No_Payload", + 0, /* Must supercede all other protocols */ + match_no_payload +}; + +void register_tcp_no_payload(LPIModuleMap *mod_map) { + register_protocol(&lpi_no_payload, mod_map); +} diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_norton_backup.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_norton_backup.cc new file mode 100644 index 0000000..c97b771 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_norton_backup.cc @@ -0,0 +1,96 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +static inline bool match_nobu_rand(uint32_t payload, uint32_t len) { + + /* This seems to be a random host-specific ID? */ + + /* Rule out 00000000, as that is unlikely to be this */ + if (MATCH(payload, 0x00, 0x00, 0x00, 0x00)) + return false; + + if (len == 4) + return true; + return false; +} + +static inline bool match_nobu_zeroes(uint32_t payload, uint32_t len) { + + if (len != 4) + return false; + + if (MATCH(payload, 0x00, 0x00, 0x00, 0x00)) + return true; + if (MATCH(payload, 0x01, 0x00, 0x00, 0x00)) + return true; + if (MATCH(payload, 0x02, 0x00, 0x00, 0x00)) + return true; + if (MATCH(payload, 0x03, 0x00, 0x00, 0x00)) + return true; + + return false; +} + +static inline bool match_norton_backup(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 80 && data->client_port != 80) + return false; + + /* Some sort of keep-alive protocol? Appears regularly on machines with + * Norton backup active, but generally only sends 4 bytes each way. + */ + if (match_nobu_rand(data->payload[0], data->payload_len[0])) { + if (match_nobu_zeroes(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_nobu_rand(data->payload[1], data->payload_len[1])) { + if (match_nobu_zeroes(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_norton_backup = { + LPI_PROTO_NORTON_BACKUP, + LPI_CATEGORY_CLOUD, + "NortonBackup", + 25, + match_norton_backup +}; + +void register_norton_backup(LPIModuleMap *mod_map) { + register_protocol(&lpi_norton_backup, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_notes_rpc.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_notes_rpc.cc new file mode 100644 index 0000000..4eaff55 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_notes_rpc.cc @@ -0,0 +1,68 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_notes_rpc(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Notes RPC is a proprietary protocol and I haven't been able to + * find anything to confirm or disprove any of this. + * + * As a result, this rule is pretty iffy as it is based on a bunch + * of flows observed going to 1 server using port 1352. There is + * no documented basis for this (unlike most other rules) + */ + + if (data->server_port != 1352 && data->client_port != 1352) + return false; + + if (!match_str_either(data, "\x78\x00\x00\x00")) + return false; + + if (MATCH(data->payload[0], ANY, ANY, 0x00, 0x00) && + MATCH(data->payload[1], ANY, ANY, 0x00, 0x00)) + return true; + + + return false; +} + +static lpi_module_t lpi_notes_rpc = { + LPI_PROTO_NOTES_RPC, + LPI_CATEGORY_REMOTE, + "Lotus_Notes_RPC", + 200, /* Don't really trust this rule that much :/ */ + match_notes_rpc +}; + +void register_notes_rpc(LPIModuleMap *mod_map) { + register_protocol(&lpi_notes_rpc, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_nsq.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_nsq.cc new file mode 100644 index 0000000..3bf88c5 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_nsq.cc @@ -0,0 +1,78 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_nsq_v2(uint32_t payload, uint32_t len) { + if (len == 4 && MATCH(payload, ' ', ' ', 'V', '2')) + return true; + return false; +} + +static inline bool match_nsq_data(uint32_t payload, uint32_t len) { + + uint32_t assize = ntohl(payload); + + if (assize == len - 4) { + return true; + } + + return false; +} + +static inline bool match_nsq(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Port 4150? */ + + if (match_nsq_v2(data->payload[0], data->payload_len[0])) { + if (match_nsq_data(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_nsq_v2(data->payload[1], data->payload_len[1])) { + if (match_nsq_data(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_nsq = { + LPI_PROTO_NSQ, + LPI_CATEGORY_MESSAGE_QUEUE, + "NSQ", + 45, + match_nsq +}; + +void register_nsq(LPIModuleMap *mod_map) { + register_protocol(&lpi_nsq, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_omegle.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_omegle.cc new file mode 100644 index 0000000..e9cd832 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_omegle.cc @@ -0,0 +1,82 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* http://pastebin.com/bGxqigRN */ + +static inline bool match_omegle_client(uint32_t payload, uint32_t len) { + if (len < 12) + return false; + if (!MATCH(payload, 0x0b, 'o', 'm', 'e')) + return false; + return true; + +} + +static inline bool match_omegle_server(uint32_t payload, uint32_t len) { + + if (len == 4 && MATCH(payload, 0x01, 'w', 0x00, 0x00)) + return true; + if (len == 68 && MATCH(payload, 0x01, 0x63, 0x00, 0x40)) + return true; + if (MATCH(payload, 0x09, 'c', 'l', 'i')) + return true; + return false; + +} + +static inline bool match_omegle(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_omegle_client(data->payload[0], data->payload_len[0])) { + if (match_omegle_server(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_omegle_client(data->payload[1], data->payload_len[1])) { + if (match_omegle_server(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_omegle = { + LPI_PROTO_OMEGLE, + LPI_CATEGORY_CHAT, + "Omegle", + 3, + match_omegle +}; + +void register_omegle(LPIModuleMap *mod_map) { + register_protocol(&lpi_omegle, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_openvpn.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_openvpn.cc new file mode 100644 index 0000000..f9e58be --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_openvpn.cc @@ -0,0 +1,83 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_openvpn_handshake(uint32_t payload, uint32_t len) { + + uint16_t pktlen = ntohs((uint16_t)payload); + + /* First two bytes are the length of the packet (not including the + * length) */ + if ((uint32_t)(pktlen + 2) != len) + return false; + + /* Handshake packets have opcodes of either 7 or 8 and key IDs of + * zero, so the third byte is either 0x38 or 0x40 */ + + /* Ref: http://tinyurl.com/37tt3xe */ + + if (MATCH(payload, ANY, ANY, 0x38, ANY)) + return true; + if (MATCH(payload, ANY, ANY, 0x40, ANY)) + return true; + + + return false; + +} + + +static inline bool match_openvpn(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port == 53 || data->client_port == 53) { + return false; + } + + if (data->payload_len[0] != 0 && !match_openvpn_handshake(data->payload[0], data->payload_len[0])) + return false; + if (data->payload_len[1] != 0 && !match_openvpn_handshake(data->payload[1], data->payload_len[1])) + return false; + + return true; +} + +static lpi_module_t lpi_openvpn = { + LPI_PROTO_OPENVPN, + LPI_CATEGORY_TUNNELLING, + "OpenVPN", + 4, /* Most of this rule is based on a length field in the header */ + match_openvpn +}; + +void register_openvpn(LPIModuleMap *mod_map) { + register_protocol(&lpi_openvpn, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_ourworld.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_ourworld.cc new file mode 100644 index 0000000..650b8eb --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_ourworld.cc @@ -0,0 +1,78 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* ourworld.com -- Flash-based MMO / game site combo thing */ + +static inline bool match_custom_flash_36(uint32_t payload, uint32_t len) { + + if (len == 36 && MATCH(payload, '<', 'm', '>', 'A')) + return true; + return false; +} + +static inline bool match_custom_flash_200(uint32_t payload, uint32_t len) { + + if (MATCH(payload, '<', 'm', '>', 'A')) { + if (len >= 200 && len <= 250) + return true; + } + return false; +} + +static inline bool match_ourworld(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Port 9310 */ + if (match_custom_flash_36(data->payload[0], data->payload_len[0])) { + if (match_custom_flash_200(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_custom_flash_36(data->payload[1], data->payload_len[1])) { + if (match_custom_flash_200(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_ourworld = { + LPI_PROTO_OURWORLD, + LPI_CATEGORY_GAMING, + "OurWorld", + 5, + match_ourworld +}; + +void register_ourworld(LPIModuleMap *mod_map) { + register_protocol(&lpi_ourworld, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_palringo.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_palringo.cc new file mode 100644 index 0000000..1f3d346 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_palringo.cc @@ -0,0 +1,52 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_palringo(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_both(data, "AUTH", "LOGO")) + return true; + + return false; +} + +static lpi_module_t lpi_palringo = { + LPI_PROTO_PALRINGO, + LPI_CATEGORY_CHAT, + "Palringo", + 4, + match_palringo +}; + +void register_palringo(LPIModuleMap *mod_map) { + register_protocol(&lpi_palringo, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_paltalk.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_paltalk.cc new file mode 100644 index 0000000..f039835 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_paltalk.cc @@ -0,0 +1,147 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_pal_17f6(uint32_t payload, uint32_t len) { + + if (len != 8) + return false; + if (MATCH(payload, 0x17, 0xf6, 0x00, 0x01)) + return true; + return false; + +} + +static inline bool match_pal_24c2(uint32_t payload, uint32_t len) { + + if (len != 4) + return false; + if (MATCH(payload, 0x00, 0x00, 0x24, 0xc2)) + return true; + return false; + +} + +static inline bool match_pal_ff8b(uint32_t payload, uint32_t len) { + + if (len != 24) + return false; + if (MATCHSTR(payload, "\xff\x8b\x00\x0e")) + return true; + return false; + +} + +static inline bool match_pal_fb(uint32_t payload, uint32_t len) { + + if (len != 6) + return false; + if (MATCH(payload, 0xfb, ANY, 0x00, ANY)) + return true; + return false; + +} + +static inline bool match_pal_1byte(uint32_t payload, uint32_t len) { + + if (len != 0 and len != 1) + return false; + if (MATCH(payload, 0x00, 0x00, 0x00, 0x00)) + return true; + + return false; +} + +static inline bool match_pal_4byte(uint32_t payload, uint32_t len) { + + if (len != 4) + return false; + if (payload == 0) + return false; + + if (MATCH(payload, 0x00, 0x00, ANY, ANY)) + return true; + return false; + +} + +static inline bool match_paltalk(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Created all these rules based on a capture of actual Paltalk + * traffic */ + + if (match_pal_fb(data->payload[0], data->payload_len[0])) { + if (match_pal_ff8b(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_pal_fb(data->payload[1], data->payload_len[1])) { + if (match_pal_ff8b(data->payload[0], data->payload_len[0])) + return true; + } + + if (match_pal_17f6(data->payload[0], data->payload_len[0])) { + if (match_pal_24c2(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_pal_17f6(data->payload[1], data->payload_len[1])) { + if (match_pal_24c2(data->payload[0], data->payload_len[0])) + return true; + } + + + /* These last two may be iffy, keep an eye out for false positives */ + if (match_pal_4byte(data->payload[0], data->payload_len[0])) { + if (match_pal_1byte(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_pal_4byte(data->payload[1], data->payload_len[1])) { + if (match_pal_1byte(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_paltalk = { + LPI_PROTO_PALTALK, + LPI_CATEGORY_CHAT, + "Paltalk", + 11, + match_paltalk +}; + +void register_paltalk(LPIModuleMap *mod_map) { + register_protocol(&lpi_paltalk, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_pandatv.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_pandatv.cc new file mode 100644 index 0000000..a424559 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_pandatv.cc @@ -0,0 +1,79 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_panda_request(uint32_t payload, uint32_t len) { + + /* Seen length 156 and 160 so far, so could be variable length */ + if (MATCH(payload, 0x02, 0x00, 0x00, 0x00)) + return true; + return false; + +} + +static inline bool match_panda_reply(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 0x01, 0x00, 0x00, 0x00) && len == 36) + return true; + return false; + +} + +static inline bool match_pandatv(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 3105 && data->client_port != 3105) + return false; + + if (match_panda_request(data->payload[0], data->payload_len[0])) { + if (match_panda_reply(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_panda_request(data->payload[1], data->payload_len[1])) { + if (match_panda_reply(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_pandatv = { + LPI_PROTO_PANDATV, + LPI_CATEGORY_STREAMING, + "Panda.tv", + 140, + match_pandatv +}; + +void register_pandatv(LPIModuleMap *mod_map) { + register_protocol(&lpi_pandatv, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_pando.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_pando.cc new file mode 100644 index 0000000..09a1dae --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_pando.cc @@ -0,0 +1,51 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_pando(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_either(data, "\x0ePan")) + return true; + return false; +} + +static lpi_module_t lpi_pando = { + LPI_PROTO_PANDO, + LPI_CATEGORY_P2P, + "Pando", + 3, + match_pando +}; + +void register_pando(LPIModuleMap *mod_map) { + register_protocol(&lpi_pando, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_pathofexile.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_pathofexile.cc new file mode 100644 index 0000000..cbb607a --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_pathofexile.cc @@ -0,0 +1,75 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_poe_40(uint32_t payload, uint32_t len) { + if (MATCH(payload, 0x00, 0x03, 0x00, 0x00)) { + if (len == 40 || len == 54 || len == 20 || len == 66) { + return true; + } + } + return false; +} + +static inline bool match_poe_05(uint32_t payload, uint32_t len) { + if (len >= 200 && MATCH(payload, 0x00, 0x05, ANY, ANY)) + return true; + return false; +} + +static inline bool match_pathofexile(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Port 6112 */ + if (match_poe_40(data->payload[0], data->payload_len[0])) { + if (match_poe_05(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_poe_40(data->payload[1], data->payload_len[1])) { + if (match_poe_05(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_pathofexile = { + LPI_PROTO_PATHOFEXILE, + LPI_CATEGORY_GAMING, + "PathOfExile", + 49, + match_pathofexile +}; + +void register_pathofexile(LPIModuleMap *mod_map) { + register_protocol(&lpi_pathofexile, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_pdbox.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_pdbox.cc new file mode 100644 index 0000000..d6b641f --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_pdbox.cc @@ -0,0 +1,51 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_pdbox(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_both(data, "0127", "0326")) + return true; + return false; +} + +static lpi_module_t lpi_pdbox = { + LPI_PROTO_PDBOX, + LPI_CATEGORY_CLOUD, + "PDBOX", + 3, + match_pdbox +}; + +void register_pdbox(LPIModuleMap *mod_map) { + register_protocol(&lpi_pdbox, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_pop3.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_pop3.cc new file mode 100644 index 0000000..4243542 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_pop3.cc @@ -0,0 +1,84 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_pop3(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + //if (match_chars_either(data, '+', 'O', 'K', ANY)) + // return true; + if (MATCH(data->payload[0], '+', 'O', 'K', ANY) && data->payload_len[0] > 8) // at least "+OK n n\r" + return true; + if (MATCH(data->payload[1],'+', 'O', 'K', ANY) && data->payload_len[1] > 8) + return true; + if (match_chars_either(data, '-', 'E', 'R', 'R')) + return true; + + if (match_str_either(data, "CAPA")) { + if (data->payload_len[0] == 0) + return true; + if (data->payload_len[1] == 0) + return true; + } + + if (match_str_either(data, "AUTH")) { + if (data->payload_len[0] == 0) + return true; + if (data->payload_len[1] == 0) + return true; + } + if(data->server_port==110 || data->client_port==110) + { + if (match_str_either(data, "USER") || + match_str_either(data, "user") || + match_str_either(data, "QUIT") || + match_str_either(data, "quit") || + match_str_either(data, "LIST") || + match_str_either(data, "list")) + { + return true; + } + } + + return false; +} + +static lpi_module_t lpi_pop3 = { + LPI_PROTO_POP3, + LPI_CATEGORY_MAIL, + "POP3", + 2, + match_pop3 +}; + +void register_pop3(LPIModuleMap *mod_map) { + register_protocol(&lpi_pop3, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_pop3s.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_pop3s.cc new file mode 100644 index 0000000..1d20249 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_pop3s.cc @@ -0,0 +1,56 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_pop3s(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (!match_ssl(data)) + return false; + + /* Assume all SSL traffic on port 995 is POP3S */ + if (data->server_port == 995 || data->client_port == 995) + return true; + + return false; +} + +static lpi_module_t lpi_pop3s = { + LPI_PROTO_POP3S, + LPI_CATEGORY_MAIL, + "POP3S", + 2, /* Should be a higher priority than regular SSL */ + match_pop3s +}; + +void register_pop3s(LPIModuleMap *mod_map) { + register_protocol(&lpi_pop3s, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_postgresql.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_postgresql.cc new file mode 100644 index 0000000..aefbd80 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_postgresql.cc @@ -0,0 +1,66 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_postgresql(lpi_data_t *data, lpi_module_t *mod UNUSED) { + /* Client start up messages start with a 4 byte length */ + /* Server auth requests start with 'R', followed by 4 bytes of length + * + * All auth requests tend to be quite small */ + + if (ntohl(data->payload[0]) == data->payload_len[0]) + { + if (MATCH(data->payload[1], 0x52, 0x00, 0x00, 0x00)) + return true; + } + + if (ntohl(data->payload[1]) == data->payload_len[1]) + { + if (MATCH(data->payload[0], 0x52, 0x00, 0x00, 0x00)) + return true; + } + + + return false; +} + +static lpi_module_t lpi_postgresql = { + LPI_PROTO_POSTGRESQL, + LPI_CATEGORY_DATABASES, + "Postgresql", + 4, + match_postgresql +}; + +void register_postgresql(LPIModuleMap *mod_map) { + register_protocol(&lpi_postgresql, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_pptp.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_pptp.cc new file mode 100644 index 0000000..a1f1672 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_pptp.cc @@ -0,0 +1,67 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_pptp_payload(uint32_t payload, uint32_t len) { + + if (len != 156) + return false; + + if (!MATCH(payload, 0x00, 0x9c, 0x00, 0x01)) + return false; + + return true; + +} + + +static inline bool match_pptp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->payload_len[0] != 0 && !match_pptp_payload(data->payload[0], data->payload_len[0])) + return false; + if (data->payload_len[1] != 0 && !match_pptp_payload(data->payload[1], data->payload_len[1])) + return false; + return true; + +} + +static lpi_module_t lpi_pptp = { + LPI_PROTO_PPTP, + LPI_CATEGORY_TUNNELLING, + "PPTP", + 3, + match_pptp +}; + +void register_pptp(LPIModuleMap *mod_map) { + register_protocol(&lpi_pptp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_psn_store.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_psn_store.cc new file mode 100644 index 0000000..c34feea --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_psn_store.cc @@ -0,0 +1,64 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_psn_store(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* This rule matches the SSL exchanges used by the Playstation + * Store */ + + if (!match_ssl(data)) + return false; + + /* All PSN SSL traffic is on port 5223 */ + if (data->server_port != 5223 && data->client_port != 5223) + return false; + + if (data->payload_len[0] == 66 && data->payload_len[1] == 1085) + return true; + if (data->payload_len[1] == 66 && data->payload_len[0] == 1085) + return true; + + return false; +} + +static lpi_module_t lpi_psn_store = { + LPI_PROTO_PSN_STORE, + LPI_CATEGORY_GAMING, + "PSNStore", + 2, /* Should be a higher priority than regular SSL */ + match_psn_store +}; + +void register_psn_store(LPIModuleMap *mod_map) { + register_protocol(&lpi_psn_store, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_qcloud_ilvb.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_qcloud_ilvb.cc new file mode 100644 index 0000000..be063ec --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_qcloud_ilvb.cc @@ -0,0 +1,60 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Interactive Live Video Broadcasting, a service offered by Tencent QCloud. + * + * Seems to be some sort of SDK for developing live streaming applications. + */ + +static inline bool match_qcloud_ilvb(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Packet sizes can vary -- 51,53,55,68 observed */ + if (MATCH(data->payload[0], 0x28, 0x00, 0x00, 0x00)) { + if (MATCH(data->payload[1], 0x28, 0x00, 0x00, 0x00)) + return true; + } + + return false; +} + +static lpi_module_t lpi_qcloud_ilvb = { + LPI_PROTO_QCLOUD_ILVB, + LPI_CATEGORY_STREAMING, + "QCloud_ILVB", + 199, + match_qcloud_ilvb +}; + +void register_qcloud_ilvb(LPIModuleMap *mod_map) { + register_protocol(&lpi_qcloud_ilvb, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_qq_tcp.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_qq_tcp.cc new file mode 100644 index 0000000..9da838a --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_qq_tcp.cc @@ -0,0 +1,107 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool check_length(uint32_t payload, uint32_t len) { + uint32_t swap; + + uint32_t length; + + if (!(MATCH(payload, ANY, ANY, 0x02, ANY) || + MATCH(payload, ANY, ANY, 0x2d, ANY))) + return false; + + swap=ntohl(payload); + + length = swap >> 16; + + if (length != len) + return false; + return true; + +} + +static inline bool match_qq_8080(uint32_t payload, uint32_t len) { + if (len == 0) + return false; + + if (ntohl(payload) == len) + return true; + return false; +} + +static inline bool match_qq_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port == 8080 || data->client_port == 8080) { + /* Typically traffic to msfwifi.3g.qq.com, only seen on + * mobile QQ clients. + */ + + if (match_qq_8080(data->payload[0], data->payload_len[0])) { + if (match_qq_8080(data->payload[1], data->payload_len[1])) + return true; + } + + } + + + if (data->payload_len[0] == 0 || data->payload_len[1] == 0) + return false; + if ((data->payload[0] & 0xffff0000) != (data->payload[1] & 0xffff0000)) + return false; + + if ((data->payload[0] & 0xffff0000) == 0x00000000) + return false; + //if ((data->payload[1] & 0xffff0000) == 0x00000000) + // return false; + + if (!check_length(data->payload[0], data->payload_len[0])) + return false; + + if (!check_length(data->payload[1], data->payload_len[1])) + return false; + + + return true; +} + +static lpi_module_t lpi_qq_tcp = { + LPI_PROTO_QQ, + LPI_CATEGORY_CHAT, + "QQ", + 20, + match_qq_tcp +}; + +void register_qq_tcp(LPIModuleMap *mod_map) { + register_protocol(&lpi_qq_tcp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_qqdownload.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_qqdownload.cc new file mode 100644 index 0000000..a0f5803 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_qqdownload.cc @@ -0,0 +1,102 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_qqd_req(uint32_t payload) { + + if (!MATCH(payload, 0x02, 0x03, ANY, ANY)) + return false; + + if (MATCH(payload, 0x02, 0x03, 0x05, 0x00)) + return true; + if (MATCH(payload, 0x02, 0x03, 0x05, 0x01)) + return true; + if (MATCH(payload, 0x02, 0x03, 0x04, 0x00)) + return true; + if (MATCH(payload, 0x02, 0x03, 0x04, 0x01)) + return true; + if (MATCH(payload, 0x02, 0x03, 0x04, 0x03)) + return true; + if (MATCH(payload, 0x02, 0x03, 0x04, 0x06)) + return true; + return false; +} + +static inline bool match_qqd_resp(uint32_t payload) { + + if (MATCH(payload, 0x02, 0x03, 0x04, 0x00)) + return true; + if (MATCH(payload, 0x02, 0x03, 0x04, 0x04)) + return true; + if (MATCH(payload, 0x02, 0x03, 0x04, 0x05)) + return true; + if (MATCH(payload, 0x02, 0x03, 0x04, 0x13)) + return true; + if (MATCH(payload, 0x02, 0x03, 0x04, 0x17)) + return true; + if (MATCH(payload, 0x02, 0x03, 0x05, 0x00)) + return true; + if (MATCH(payload, 0x02, 0x03, 0x05, 0x01)) + return true; + return false; +} + +static inline bool match_qqdownload(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + + if ((data->payload[0] & 0xffffff) != (data->payload[1] & 0xffffff)) + return false; + + if (match_qqd_req(data->payload[0])) { + if (match_qqd_resp(data->payload[1])) + return true; + } + + if (match_qqd_req(data->payload[1])) { + if (match_qqd_resp(data->payload[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_qqdownload = { + LPI_PROTO_QQDOWNLOAD, + LPI_CATEGORY_P2P, + "QQDownload", + 14, + match_qqdownload +}; + +void register_qqdownload(LPIModuleMap *mod_map) { + register_protocol(&lpi_qqdownload, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_qqlive_tcp.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_qqlive_tcp.cc new file mode 100644 index 0000000..4863d99 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_qqlive_tcp.cc @@ -0,0 +1,60 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> +#include <stdio.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_qqlive_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->payload_len[0] == 0 || data->payload_len[1] == 0) { + if (data->server_port == 53 || data->client_port == 53) + return false; + } + + if (!match_qqlive_payload(data->payload[0], data->payload_len[0])) + return false; + if (!match_qqlive_payload(data->payload[1], data->payload_len[1])) + return false; + + return true; +} + +static lpi_module_t lpi_qqlive_tcp = { + LPI_PROTO_QQLIVE, + LPI_CATEGORY_P2PTV, + "QQLive_TCP", + 4, + match_qqlive_tcp +}; + +void register_qqlive_tcp(LPIModuleMap *mod_map) { + register_protocol(&lpi_qqlive_tcp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_qqspeedmobile_tcp.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_qqspeedmobile_tcp.cc new file mode 100644 index 0000000..5a4d3fc --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_qqspeedmobile_tcp.cc @@ -0,0 +1,74 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_speedtcp_113(uint32_t payload, uint32_t len) { + if (len == 113 && MATCH(payload, 0x33, 0x66, 0x00, 0x08)) + return true; + return false; +} + +static inline bool match_speedtcp_212(uint32_t payload, uint32_t len) { + if (MATCH(payload, 0x33, 0x66, 0x00, 0x08)) { + if (len == 212 || len == 216) + return true; + } + return false; +} + +static inline bool match_qqspeedmobile_tcp(lpi_data_t *data, + lpi_module_t *mod UNUSED) { + + if (match_speedtcp_113(data->payload[0], data->payload_len[0])) { + if (match_speedtcp_212(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_speedtcp_113(data->payload[1], data->payload_len[1])) { + if (match_speedtcp_212(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_qqspeedmobile_tcp = { + LPI_PROTO_QQSPEEDMOBILE, + LPI_CATEGORY_GAMING, + "QQSpeedMobile_TCP", + 5, + match_qqspeedmobile_tcp +}; + +void register_qqspeedmobile_tcp(LPIModuleMap *mod_map) { + register_protocol(&lpi_qqspeedmobile_tcp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_qvod.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_qvod.cc new file mode 100644 index 0000000..34b6830 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_qvod.cc @@ -0,0 +1,73 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Chinese variant of BitTorrent -- www.qvod.com */ + +static inline bool match_qvod_message(uint32_t payload, uint32_t len) { + + if (!MATCH(payload, 0x13, 'Q', 'V', 'O')) + return false; + return true; + +} + +static inline bool match_qvod(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_qvod_message(data->payload[0], data->payload_len[0])) { + if (match_qvod_message(data->payload[1], data->payload_len[1])) + return true; + if (data->payload_len[1] == 0) + return true; + } + + if (match_qvod_message(data->payload[1], data->payload_len[1])) { + if (match_qvod_message(data->payload[0], data->payload_len[0])) + return true; + if (data->payload_len[0] == 0) + return true; + } + + return false; +} + +static lpi_module_t lpi_qvod = { + LPI_PROTO_QVOD, + LPI_CATEGORY_P2P, + "Qvod", + 6, + match_qvod +}; + +void register_qvod(LPIModuleMap *mod_map) { + register_protocol(&lpi_qvod, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_rabbitmq.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_rabbitmq.cc new file mode 100644 index 0000000..190204e --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_rabbitmq.cc @@ -0,0 +1,83 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +static inline bool match_amqp_header(uint32_t payload, uint32_t len) { + if (len == 8 && MATCH(payload, 'A', 'M', 'Q', 'P')) { + return true; + } + + return false; +} + +static inline bool match_amqp_start(uint32_t payload) { + /* only seen length 498 so far, but surely this could vary more */ + if (MATCH(payload, 0x01, 0x00, 0x00, 0x00)) { + return true; + } + + return false; +} + +static inline bool match_rabbitmq(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 5672 && data->client_port != 5672) { + return false; + } + + if (match_amqp_header(data->payload[0], data->payload_len[0])) { + if (match_amqp_start(data->payload[1])) { + return true; + } + } + + if (match_amqp_header(data->payload[1], data->payload_len[1])) { + if (match_amqp_start(data->payload[0])) { + return true; + } + } + + return false; +} + +static lpi_module_t lpi_rabbitmq = { + LPI_PROTO_RABBITMQ, + LPI_CATEGORY_MESSAGE_QUEUE, + "RabbitMQ", + 75, + match_rabbitmq +}; + +void register_rabbitmq(LPIModuleMap *mod_map) { + register_protocol(&lpi_rabbitmq, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_ragnarokonline.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_ragnarokonline.cc new file mode 100644 index 0000000..27945ba --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_ragnarokonline.cc @@ -0,0 +1,87 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_ro_0204(uint32_t payload, uint32_t len) { + + if (len < 11) { + return false; + } + + if (MATCH(payload, 0x02, 0x04, 0x00, 0x21)) { + return true; + } + return false; +} + +static inline bool match_ro_reply(uint32_t payload, uint32_t len) { + if (len == 53 && MATCH(payload, 0x00, 0x32, 0x00, 0x01)) { + return true; + } + if (len == 57 && MATCH(payload, 0x00, 0x36, 0x00, 0x01)) { + return true; + } + return false; +} + +static inline bool match_ragnarokonline(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 5222 && data->client_port != 5222) { + return false; + } + + if (match_ro_0204(data->payload[0], data->payload_len[0])) { + if (match_ro_reply(data->payload[1], data->payload_len[1])) { + return true; + } + } + + if (match_ro_0204(data->payload[1], data->payload_len[1])) { + if (match_ro_reply(data->payload[0], data->payload_len[0])) { + return true; + } + } + + return false; +} + +static lpi_module_t lpi_ragnarokonline = { + LPI_PROTO_RAGNAROK_ONLINE, + LPI_CATEGORY_GAMING, + "RagnarokOnline", + 80, + match_ragnarokonline +}; + +void register_ragnarokonline(LPIModuleMap *mod_map) { + register_protocol(&lpi_ragnarokonline, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_razor.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_razor.cc new file mode 100644 index 0000000..c0603cc --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_razor.cc @@ -0,0 +1,51 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Razor server contacts (ie SpamAssassin) */ + +static inline bool match_razor(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_chars_either(data, 's', 'n', '=', ANY)) + return true; + return false; +} +static lpi_module_t lpi_razor = { + LPI_PROTO_RAZOR, + LPI_CATEGORY_ANTISPAM, + "Razor", + 2, + match_razor +}; + +void register_razor(LPIModuleMap *mod_map) { + register_protocol(&lpi_razor, mod_map); +} diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_rbls.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_rbls.cc new file mode 100644 index 0000000..860f626 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_rbls.cc @@ -0,0 +1,52 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_rbls(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_either(data, "rbls")) + return true; + + return false; +} + +static lpi_module_t lpi_rbls = { + LPI_PROTO_RBLS, + LPI_CATEGORY_ANTISPAM, + "RBL", + 3, + match_rbls +}; + +void register_rbls(LPIModuleMap *mod_map) { + register_protocol(&lpi_rbls, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_rdp.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_rdp.cc new file mode 100644 index 0000000..be979d9 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_rdp.cc @@ -0,0 +1,110 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_rdp_sizes(lpi_data_t *data) { + + /* This should match the common packet sizes we see for genuine + * RDP traffic */ + + if (data->payload_len[0] == 11 || data->payload_len[0] == 19) { + if (data->payload_len[1] == 19) + return true; + if (data->payload_len[1] >= 30 && data->payload_len[1] <= 47) + return true; + } + + if (data->payload_len[1] == 11 || data->payload_len[1] == 19) { + if (data->payload_len[0] == 19) + return true; + if (data->payload_len[0] >= 30 && data->payload_len[0] <= 47) + return true; + } + + return false; +} + +static inline bool match_rdp_port(lpi_data_t *data) { + + /* To try and avoid confusing RDP with other protocols that rely + * on TPKT, most notably H.323, I've had to add a port requirement + * here */ + + if (data->server_port == 3389 || data->client_port == 3389) + return true; + return false; +} + + + +static bool match_rdp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* RDP is transported via TPKT */ + if ((data->payload_len[0]!= 0) && !match_tpkt(data->payload[0], data->payload_len[0])) + return false; + if ((data->payload_len[1]!= 0) && !match_tpkt(data->payload[1], data->payload_len[1])) + return false; + + if (match_rdp_port(data)) + return true; + if (match_rdp_sizes(data)) + return true; + + +#if 0 + if (match_tpkt(data->payload[0], data->payload_len[0])) { + if (match_tpkt(data->payload[1], data->payload_len[1])) + return true; + + /* Some RDP responses seem to be encrypted - not sure if this + * payload length is common to all flows */ + if (data->payload_len[1] == 309) + return true; + } + if (match_tpkt(data->payload[1], data->payload_len[1])) { + if (data->payload_len[0] == 309) + return true; + } +#endif + return false; +} + +static lpi_module_t lpi_rdp = { + LPI_PROTO_RDP, + LPI_CATEGORY_REMOTE, + "RDP", + 4, /* Moving this to 4 purely on gut feeling */ + match_rdp +}; + +void register_rdp(LPIModuleMap *mod_map) { + register_protocol(&lpi_rdp, mod_map); +} diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_realmofthemadgod.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_realmofthemadgod.cc new file mode 100644 index 0000000..13f3bc2 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_realmofthemadgod.cc @@ -0,0 +1,75 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_rotmg_small(uint32_t payload, uint32_t len) { + if (ntohl(payload) == len && len < 100) + return true; + return false; +} + +static inline bool match_rotmg_big(uint32_t payload, uint32_t len) { + if (ntohl(payload) == len && len > 400 && len < 520) + return true; + return false; +} + +static inline bool match_realmofthemadgod(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 2050 && data->client_port != 2050) { + return false; + } + + if (match_rotmg_small(data->payload[0], data->payload_len[0])) { + if (match_rotmg_big(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_rotmg_small(data->payload[1], data->payload_len[1])) { + if (match_rotmg_big(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_realmofthemadgod = { + LPI_PROTO_REALMOFTHEMADGOD, + LPI_CATEGORY_GAMING, + "RealmOfTheMadGod", + 239, + match_realmofthemadgod +}; + +void register_realmofthemadgod(LPIModuleMap *mod_map) { + register_protocol(&lpi_realmofthemadgod, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_realvnc.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_realvnc.cc new file mode 100644 index 0000000..77ca4ec --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_realvnc.cc @@ -0,0 +1,75 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_real(uint32_t payload) { + if (MATCH(payload, 'R', 'E', 'A', 'L')) + return true; + return false; +} + +static inline bool match_real_resp(uint32_t payload, uint32_t len) { + + /* Byte 3 could be a length field (len - 3). */ + if (MATCH(payload, 0x81, 0x00, 0x14, ANY) && len == 23) + return true; + return false; +} + + +static inline bool match_realvnc(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + + if (match_real(data->payload[0])) { + if (match_real_resp(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_real(data->payload[1])) { + if (match_real_resp(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_realvnc = { + LPI_PROTO_REALVNC, + LPI_CATEGORY_REMOTE, + "RealVNC", + 10, + match_realvnc +}; + +void register_realvnc(LPIModuleMap *mod_map) { + register_protocol(&lpi_realvnc, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_rejection.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_rejection.cc new file mode 100644 index 0000000..5027e43 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_rejection.cc @@ -0,0 +1,67 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_rejection(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* This is an odd one - the server allows a TCP handshake to complete, + * but responds to any requests with a single 0x02 byte. Not sure + * whether this is some kind of honeypot or what. + * + * We see this behaviour on ports 445, 1433 and 80, if we need + * further checking */ + + if (MATCH(data->payload[0], 0x02, 0x00, 0x00, 0x00)) { + if (data->payload_len[0] == 1) + return true; + } + + if (MATCH(data->payload[1], 0x02, 0x00, 0x00, 0x00)) { + if (data->payload_len[1] == 1) + return true; + } + + + return false; +} + +static lpi_module_t lpi_rejection = { + LPI_PROTO_REJECTION, + LPI_CATEGORY_NO_CATEGORY, + "Rejection", + 255, /* This one must be dead last */ + match_rejection +}; + +void register_rejection(LPIModuleMap *mod_map) { + register_protocol(&lpi_rejection, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_relay.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_relay.cc new file mode 100644 index 0000000..41d2c40 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_relay.cc @@ -0,0 +1,64 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* https://docs.syncthing.net/specs/relay-v1.html */ + +static inline bool match_relay_magic(uint32_t payload) { + if (MATCH(payload, 0x9e, 0x79, 0xbc, 0x40)) + return true; + return false; + +} + +static inline bool match_relay(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_relay_magic(data->payload[0])) { + if (match_relay_magic(data->payload[1])) + return true; + } + + + return false; +} + +static lpi_module_t lpi_relay = { + LPI_PROTO_RELAY, + LPI_CATEGORY_NAT, + "Relay", + 5, + match_relay +}; + +void register_relay(LPIModuleMap *mod_map) { + register_protocol(&lpi_relay, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_remote_manipulator.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_remote_manipulator.cc new file mode 100644 index 0000000..c7a056c --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_remote_manipulator.cc @@ -0,0 +1,83 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Remote Manipulator System a.k.a Remote Utilities + * + * Russian RDP-style software, sometimes used in malware for remote control. + */ + +static inline bool match_rms_9504(uint32_t payload, uint32_t len) { + if (len == 1338 && MATCH(payload, 0x95, 0x04, 0x00, 0x00)) { + return true; + } + return false; +} + +static inline bool match_rms_d90d(uint32_t payload, uint32_t len) { + if (len == 8 && MATCH(payload, 0xd9, 0x0d, 0x00, 0x00)) { + return true; + } + return false; +} + +static inline bool match_remote_manipulator(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 5655 && data->client_port != 5655) + return false; + + if (match_rms_9504(data->payload[0], data->payload_len[0])) { + if (match_rms_d90d(data->payload[1], data->payload_len[1])) { + return true; + } + } + + if (match_rms_9504(data->payload[1], data->payload_len[1])) { + if (match_rms_d90d(data->payload[0], data->payload_len[0])) { + return true; + } + } + + return false; +} + +static lpi_module_t lpi_remote_manipulator = { + LPI_PROTO_REMOTE_MANIPULATOR, + LPI_CATEGORY_REMOTE, + "RemoteManipulator", + 100, + match_remote_manipulator +}; + +void register_remote_manipulator(LPIModuleMap *mod_map) { + register_protocol(&lpi_remote_manipulator, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_revolver_nblbt.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_revolver_nblbt.cc new file mode 100644 index 0000000..0867c66 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_revolver_nblbt.cc @@ -0,0 +1,93 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* This appears to be some sort of Chinese P2P game updating software from + * Revolver Software (?). + * + * This is based on the appearance of the strings "nblbt" and "nbmep" in + * the payload of the initial packets. NBLBT.rar and NBMEP.rar can be + * downloaded from www.zy995.com which seems to host numerous offerings from + * Revolver Software. + * + * Yet to fully confirm as a) I don't know enough Chinese to install and run + * the software sensibly and b) I strongly suspect the software is bundled + * with all sorts of malware so am reluctant to install it anywhere that isn't + * a completely fenced-off sandbox. + */ + +static inline bool match_nblbt_ok(uint32_t payload, uint32_t len) { + if (len != 20) + return false; + if (!MATCH(payload, 'o', 'k', 0x00, 0x00)) + return false; + return true; + +} + +static inline bool match_nblbt_reply(uint32_t payload, uint32_t len) { + if (len == 0) + return true; + if (len != 1024) + return false; + if (!MATCH(payload, 0x00, 0x00, 0x00, 0x00)) + return false; + return true; + +} + +static inline bool match_revolver_nblbt(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_nblbt_ok(data->payload[0], data->payload_len[0])) { + if (match_nblbt_reply(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_nblbt_ok(data->payload[1], data->payload_len[1])) { + if (match_nblbt_reply(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_revolver_nblbt = { + LPI_PROTO_REVOLVER_NBLBT, + LPI_CATEGORY_P2P, + "RevolverNBLBT", + 6, + match_revolver_nblbt +}; + +void register_revolver_nblbt(LPIModuleMap *mod_map) { + register_protocol(&lpi_revolver_nblbt, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_rfb.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_rfb.cc new file mode 100644 index 0000000..88bbd7a --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_rfb.cc @@ -0,0 +1,52 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_rfb(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_either(data, "RFB ")) + return true; + + return false; +} + +static lpi_module_t lpi_rfb = { + LPI_PROTO_RFB, + LPI_CATEGORY_REMOTE, + "RFB", + 3, + match_rfb +}; + +void register_rfb(LPIModuleMap *mod_map) { + register_protocol(&lpi_rfb, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_rpcscan.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_rpcscan.cc new file mode 100644 index 0000000..10ad66a --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_rpcscan.cc @@ -0,0 +1,53 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_rpcscan(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* RPC Exploit */ + if (match_chars_either(data, 0x05, 0x00, 0x0b, 0x03)) + return true; + return false; +} + +static lpi_module_t lpi_rpcscan = { + LPI_PROTO_RPC_SCAN, + LPI_CATEGORY_MALWARE, + "RPC_Exploit", + 8, /* Most malware can go to priority 8 - want to match legit protocols + * first */ + match_rpcscan +}; + +void register_rpcscan(LPIModuleMap *mod_map) { + register_protocol(&lpi_rpcscan, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_rrtv.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_rrtv.cc new file mode 100644 index 0000000..a76e89d --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_rrtv.cc @@ -0,0 +1,80 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* rr.tv -- P2P TV/video streaming from China */ + +/* XXX mobile only, need to test the app properly but the initial + * packets literally include URLs referring to rr.tv so I'm pretty + * confident. + */ + +static inline bool match_rrtv_header(uint32_t payload, uint32_t len) { + + /* broad estimate based on what I've seen so far */ + if (len < 380 || len > 900) { + return false; + } + + if ((ntohl(payload) & 0x0000ffff) != len - 4) { + return false; + } + + if (MATCH(payload, 0x01, 0x10, ANY, ANY)) { + return true; + } + + return false; +} + +static inline bool match_rrtv(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_rrtv_header(data->payload[0], data->payload_len[0])) { + if (match_rrtv_header(data->payload[1], data->payload_len[1])) { + return true; + } + } + + return false; +} + +static lpi_module_t lpi_rrtv = { + LPI_PROTO_RRTV, + LPI_CATEGORY_P2PTV, + "RR.tv", + 120, + match_rrtv +}; + +void register_rrtv(LPIModuleMap *mod_map) { + register_protocol(&lpi_rrtv, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_rsync.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_rsync.cc new file mode 100644 index 0000000..7ec6fb0 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_rsync.cc @@ -0,0 +1,51 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_rsync(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_either(data, "@RSY")) + return true; + return false; +} + +static lpi_module_t lpi_rsync = { + LPI_PROTO_RSYNC, + LPI_CATEGORY_FILES, + "Rsync", + 3, + match_rsync +}; + +void register_rsync(LPIModuleMap *mod_map) { + register_protocol(&lpi_rsync, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_rtmp.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_rtmp.cc new file mode 100644 index 0000000..cdf9991 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_rtmp.cc @@ -0,0 +1,116 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_rtmp_server_handshake(uint32_t payload, uint32_t len, + bool defaultport) { + + if (len < 4 && !defaultport) + return false; + + /* Standard RTMP handshake types */ + if (MATCH(payload, 0x03, ANY, ANY, ANY)) + return true; + if (MATCH(payload, 0x06, ANY, ANY, ANY)) + return true; + + /* Encrypted, but not RTMPE? */ + if (MATCH(payload, 0x08, ANY, ANY, ANY)) + return true; + + + /* RTMPE handshake type */ + if (MATCH(payload, 0x09, ANY, ANY, ANY)) + return true; + + /* New handshake type used by some YouTube videos */ + if (MATCH(payload, 0x0a, ANY, ANY, ANY)) + return true; + + return false; +} + +static inline bool match_rtmp_client_handshake(uint32_t payload, uint32_t len) { + + if (len < 4) + return false; + + /* Standard RTMP handshake types */ + if (MATCH(payload, 0x03, ANY, ANY, ANY)) + return true; + if (MATCH(payload, 0x06, ANY, ANY, ANY)) + return true; + + return false; +} + +static inline bool match_rtmp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + bool defaultport = false; + + if (data->server_port == 1935 || data->client_port == 1935) + defaultport = true; + + /* Facebook live streaming wants to use port 80 sometimes and they + * love sending 1 byte handshakes :( */ + if (data->server_port == 80 || data->client_port == 80) + defaultport = true; + + if (match_rtmp_client_handshake(data->payload[0], data->payload_len[0])) + { + if (match_rtmp_server_handshake(data->payload[1], + data->payload_len[1], defaultport)) { + return true; + } + } + + if (match_rtmp_client_handshake(data->payload[1], data->payload_len[1])) + { + if (match_rtmp_server_handshake(data->payload[0], + data->payload_len[0], defaultport)) { + return true; + } + } + return false; +} + +static lpi_module_t lpi_rtmp = { + LPI_PROTO_RTMP, + LPI_CATEGORY_STREAMING, + "RTMP", + 169, /* Not a strong rule */ + match_rtmp +}; + +void register_rtmp(LPIModuleMap *mod_map) { + register_protocol(&lpi_rtmp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_rtsp.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_rtsp.cc new file mode 100644 index 0000000..b1f3b90 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_rtsp.cc @@ -0,0 +1,51 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_rtsp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_either(data, "RTSP")) + return true; + return false; +} + +static lpi_module_t lpi_rtsp = { + LPI_PROTO_RTSP, + LPI_CATEGORY_STREAMING, + "RTSP", + 2, + match_rtsp +}; + +void register_rtsp(LPIModuleMap *mod_map) { + register_protocol(&lpi_rtsp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_runescape.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_runescape.cc new file mode 100644 index 0000000..df7b6cc --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_runescape.cc @@ -0,0 +1,118 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Protocol is not documented and goes through all sorts of revisions + * (mainly to stop hax0rs, no doubt) - so this is mostly based on + * observations of traffic to Jagex servers and messing around with the + * game myself + */ + +static inline bool match_runescape_req(uint32_t payload, uint32_t len) { + + if (len == 1 || len == 105) { + if (MATCH(payload, 0x00, 0x00, 0x00, 0x00)) + return true; + } + + if (len == 9 && MATCH(payload, 0x00, ANY, ANY, ANY)) + return true; + + return false; + +} + +static inline bool match_runescape_resp(uint32_t payload, uint32_t len) { + + /* Don't allow empty responses, as the request rule is rather + * non-specific */ + + /* First byte appears to be a packet type + * Second bytes is the packet length - 2 + * + * It appears many types have a fixed size anyway, so no need to + * get fancy :) + */ + + if (MATCH(payload, 0x0f, 0x29, 0x00, 0x00)) { + if (len == 43) + return true; + } + + if (MATCH(payload, 0x0f, 0x2a, 0x00, 0x00)) { + if (len == 44) + return true; + } + + if (MATCH(payload, 0x0e, 0x00, 0x00, 0x00)) { + if (len == 1) + return true; + } + if (MATCH(payload, 0x0f, 0x00, 0x00, 0x00)) { + if (len == 1) + return true; + if (len == 5) + return true; + } + return false; + +} + +static inline bool match_runescape(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_runescape_req(data->payload[0], data->payload_len[0])) { + if (match_runescape_resp(data->payload[1], + data->payload_len[1])) { + return true; + } + } + if (match_runescape_req(data->payload[1], data->payload_len[1])) { + if (match_runescape_resp(data->payload[0], + data->payload_len[0])) { + return true; + } + } + + return false; +} + +static lpi_module_t lpi_runescape = { + LPI_PROTO_RUNESCAPE, + LPI_CATEGORY_GAMING, + "Runescape", + 9, + match_runescape +}; + +void register_runescape(LPIModuleMap *mod_map) { + register_protocol(&lpi_runescape, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_s7comm.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_s7comm.cc new file mode 100644 index 0000000..e082821 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_s7comm.cc @@ -0,0 +1,81 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_s7comm_sizes(lpi_data_t *data) { + + /* Based on observations, size of first package is equal + * in both directions. + */ + + if (data->payload_len[0] == data->payload_len[1]) { + return true; + } + return false; +} + +static inline bool match_s7comm_port(lpi_data_t *data) { + + if (data->server_port == 102 || data->client_port == 102) { + return true; + } + return false; +} + +static bool match_s7comm(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* S7COMM uses port 102 */ + if (!match_s7comm_port(data)) + return false; + + /* S7COMM is transported via TPKT */ + if (!match_tpkt(data->payload[0], data->payload_len[0])) + return false; + if (!match_tpkt(data->payload[1], data->payload_len[1])) + return false; + + if (match_s7comm_sizes(data)) + return true; + + return false; +} + +static lpi_module_t lpi_s7comm = { + LPI_PROTO_S7COMM, + LPI_CATEGORY_ICS, + "S7COMM", + 7, /* Must come before TPKT */ + match_s7comm +}; + +void register_s7comm(LPIModuleMap *mod_map) { + register_protocol(&lpi_s7comm, mod_map); +} diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_saprouter.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_saprouter.cc new file mode 100644 index 0000000..00283ed --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_saprouter.cc @@ -0,0 +1,71 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_nipong(uint32_t payload, uint32_t len) { + /* A NI_PONG message should always have the same structure... */ + if (len == 12 && MATCH(payload, 0x00, 0x00, 0x00, 0x08)) + return true; + return false; +} + +static inline bool match_saprouter(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 3299 && data->client_port != 3299) + return false; + + /* Not very distinctive, so we need the port restriction as well */ + if (ntohl(data->payload[0]) == data->payload_len[0] - 4) { + if (match_nipong(data->payload[1], data->payload_len[1])) + return true; + } + + if (ntohl(data->payload[1]) == data->payload_len[1] - 4) { + if (match_nipong(data->payload[0], data->payload_len[0])) + return true; + } + + + return false; +} + +static lpi_module_t lpi_saprouter = { + LPI_PROTO_SAPROUTER, + LPI_CATEGORY_SERVICES, + "SAPRouter", + 251, + match_saprouter +}; + +void register_saprouter(LPIModuleMap *mod_map) { + register_protocol(&lpi_saprouter, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_saszombieassault4.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_saszombieassault4.cc new file mode 100644 index 0000000..b63a9fa --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_saszombieassault4.cc @@ -0,0 +1,57 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +static inline bool match_saszombieassault4(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Port 1445 */ + + if (MATCHSTR(data->payload[0], "NKMl")) { + if (MATCHSTR(data->payload[1], "NKMl")) + return true; + } + + return false; +} + +static lpi_module_t lpi_saszombieassault4 = { + LPI_PROTO_SAS_ZOMBIE_ASSAULT_4, + LPI_CATEGORY_GAMING, + "SASZombieAssault4", + 5, + match_saszombieassault4 +}; + +void register_saszombieassault4(LPIModuleMap *mod_map) { + register_protocol(&lpi_saszombieassault4, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_second_life.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_second_life.cc new file mode 100644 index 0000000..f5bafb1 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_second_life.cc @@ -0,0 +1,69 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_second_life(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* SecondLife uses SSL over port 12043 and HTTP over port 12046 */ + + if (data->server_port == 12043 || data->client_port == 12043) { + if (match_ssl(data)) + return true; + + } + + if (data->server_port == 12046 || data->client_port == 12046) { + if (match_str_both(data, "GET ", "HTTP")) + return true; + if (match_str_either(data, "GET ")) { + if (data->payload_len[0] == 0) + return true; + if (data->payload_len[1] == 0) + return true; + } + } + + + return false; +} + +static lpi_module_t lpi_second_life = { + LPI_PROTO_SECONDLIFE, + LPI_CATEGORY_GAMING, + "SecondLife", + 6, + match_second_life +}; + +void register_second_life(LPIModuleMap *mod_map) { + register_protocol(&lpi_second_life, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_shoutcast.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_shoutcast.cc new file mode 100644 index 0000000..ab91f77 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_shoutcast.cc @@ -0,0 +1,60 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_shoutcast(lpi_data_t *data, lpi_module_t *mod UNUSED) +{ + if (match_str_both(data, "GET ", "ICY ")) + return true; + if (match_chars_either(data, 'O', 'K', '2', 0x0d)) + return true; + if (match_chars_either(data, 'I', 'C', 'Y', ' ')) { + if (data->payload_len[0] == 0) + return true; + if (data->payload_len[1] == 0) + return true; + } + return false; + +} + +static lpi_module_t lpi_shoutcast = { + LPI_PROTO_SHOUTCAST, + LPI_CATEGORY_STREAMING, + "Shoutcast", + 1, /* Should be ahead of HTTP, due to "GET" */ + match_shoutcast +}; + +void register_shoutcast(LPIModuleMap *mod_map) { + register_protocol(&lpi_shoutcast, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_silkroadonline.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_silkroadonline.cc new file mode 100644 index 0000000..d22e1f2 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_silkroadonline.cc @@ -0,0 +1,81 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_sro_req(uint32_t payload, uint32_t len) { + if (len != 18) + return false; + if (MATCH(payload, 0x0c, 0x00, 0x00, 0x50)) + return true; + return false; + +} + +static inline bool match_sro_resp(uint32_t payload, uint32_t len) { + if (len != 43) + return false; + if (MATCH(payload, 0x25, 0x00, 0x00, 0x50)) + return true; + return false; + +} + +static inline bool match_silkroadonline(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Uses ports 15884 and 15779, also server is located at + * hyperfilter.com. + */ + + if (match_sro_req(data->payload[0], data->payload_len[0])) { + if (match_sro_resp(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_sro_req(data->payload[1], data->payload_len[1])) { + if (match_sro_resp(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_silkroadonline = { + LPI_PROTO_SILKROADONLINE, + LPI_CATEGORY_GAMING, + "SilkRoadOnline", + 5, + match_silkroadonline +}; + +void register_silkroadonline(LPIModuleMap *mod_map) { + register_protocol(&lpi_silkroadonline, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_sip.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_sip.cc new file mode 100644 index 0000000..a5811f1 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_sip.cc @@ -0,0 +1,62 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_sip(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_both(data, "SIP/", "REGI")) + return true; + /* Non-RFC SIP added by Donald Neal, June 2008 */ + if (match_str_either(data, "SIP-")) { + if (match_chars_either(data, 'R', ' ', ANY, ANY)) + return true; + } + + if (match_str_either(data, "REGI") && + (data->payload_len[0] == 0 || + data->payload_len[1] == 0)) + return true; + + return false; +} + +static lpi_module_t lpi_sip = { + LPI_PROTO_SIP, + LPI_CATEGORY_VOIP, + "SIP", + 2, + match_sip +}; + +void register_sip(LPIModuleMap *mod_map) { + register_protocol(&lpi_sip, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_skyforge.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_skyforge.cc new file mode 100644 index 0000000..7df48d8 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_skyforge.cc @@ -0,0 +1,77 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_sf_req(uint32_t payload, uint32_t len) { + + if (len == 168 && MATCH(payload, 0xa6, 0x00, 0xef, 0x03)) { + return true; + } + return false; +} + +static inline bool match_sf_reply(uint32_t payload, uint32_t len) { + + if (len == 10 && MATCH(payload, 0x08, 0x00, 0xef, 0x82)) { + return true; + } + return false; +} + +static inline bool match_skyforge(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_sf_req(data->payload[0], data->payload_len[0])) { + if (match_sf_reply(data->payload[1], data->payload_len[1])) { + return true; + } + } + + if (match_sf_req(data->payload[1], data->payload_len[1])) { + if (match_sf_reply(data->payload[0], data->payload_len[0])) { + return true; + } + } + + return false; +} + +static lpi_module_t lpi_skyforge = { + LPI_PROTO_SKYFORGE, + LPI_CATEGORY_GAMING, + "Skyforge", + 5, + match_skyforge +}; + +void register_skyforge(LPIModuleMap *mod_map) { + register_protocol(&lpi_skyforge, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_skype_tcp.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_skype_tcp.cc new file mode 100644 index 0000000..3924650 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_skype_tcp.cc @@ -0,0 +1,78 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_skype_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* This rule matches SSL traffic sent by Skype clients + * + * It isn't clear what the TCP session is used for, though... */ + + if (!match_ssl(data)) + return false; + + /* Ports 12350 and 13392 are used for these sessions */ + if (data->server_port != 12350 && data->client_port != 12350 && + data->server_port != 13392 && + data->client_port != 13392) + return false; + + /* Other payload sizes are possible unfortunately, but rare */ + + if (data->payload_len[0] == 5 || + data->payload_len[0] == 92 || + data->payload_len[0] == 89 || + data->payload_len[0] == 90 || + data->payload_len[0] == 33) + return true; + if (data->payload_len[1] == 5 || + data->payload_len[1] == 92 || + data->payload_len[1] == 89 || + data->payload_len[1] == 90 || + data->payload_len[1] == 33) + return true; + + + return false; +} + +static lpi_module_t lpi_skype_tcp = { + LPI_PROTO_SKYPE_TCP, + LPI_CATEGORY_VOIP, + "SkypeTCP", + 20, /* Should be a higher priority than regular SSL */ + match_skype_tcp +}; + +void register_skype_tcp(LPIModuleMap *mod_map) { + register_protocol(&lpi_skype_tcp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_smb.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_smb.cc new file mode 100644 index 0000000..e15b6ac --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_smb.cc @@ -0,0 +1,95 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_smb_payload(uint32_t payload, uint32_t len) { + + if (len == 0) + return true; + + if (match_payload_length(payload, len)) + return true; + + /* Some stupid systems send the NetBIOS header separately, which + * makes this a lot harder to detect :( + * + * Instead, look for common payload sizes. */ + + if (MATCH(payload, 0x00, 0x00, 0x00, 0x85)) + return true; + + /* Also, sometimes we just forget the NetBIOS header, or the + * connection fails before it is retransmitted */ + if (MATCH(payload, 0xff, 'S', 'M', 'B')) + return true; + + return false; + +} + + +static inline bool match_smb(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* SMB is often prepended with a NetBIOS session service header. + * It's easiest for us to treat it as a four byte length field (it + * is actually a bit more complicated than that, but all other fields + * tend to be zero anyway) + * + * More details at http://lists.samba.org/archive/samba-technical/2003-January/026283.html + */ + + /* Only match on port 445 to avoid clashing with other 4 byte length + * fields */ + if (data->server_port != 445 && data->client_port != 445) + return false; + + if (!match_smb_payload(data->payload[0], data->payload_len[0])) + return false; + + if (!match_smb_payload(data->payload[1], data->payload_len[1])) + return false; + return true; + + +} + +static lpi_module_t lpi_smb = { + LPI_PROTO_SMB, + LPI_CATEGORY_FILES, + "SMB", + 3, + match_smb +}; + +void register_smb(LPIModuleMap *mod_map) { + register_protocol(&lpi_smb, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_smite_tcp.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_smite_tcp.cc new file mode 100644 index 0000000..2107284 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_smite_tcp.cc @@ -0,0 +1,60 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_smite_magic(uint32_t payload, uint32_t len) { + if (len < 100 && MATCH(payload, 0x78, 0xdb, 0x39, 0x64)) + return true; + return false; +} + +static inline bool match_smite_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_smite_magic(data->payload[0], data->payload_len[0])) { + if (match_smite_magic(data->payload[1], data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_smite_tcp = { + LPI_PROTO_SMITE, + LPI_CATEGORY_GAMING, + "SmiteTCP", + 55, + match_smite_tcp +}; + +void register_smite_tcp(LPIModuleMap *mod_map) { + register_protocol(&lpi_smite_tcp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_smtp.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_smtp.cc new file mode 100644 index 0000000..df3eb0d --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_smtp.cc @@ -0,0 +1,252 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_smtp_command(uint32_t payload, uint32_t len) { + + if (MATCHSTR(payload, "EHLO")) + return true; + if (MATCHSTR(payload, "ehlo")) + return true; + if (MATCHSTR(payload, "HELO")) + return true; + if (MATCHSTR(payload, "helo")) + return true; + if (MATCHSTR(payload, "NOOP")) + return true; + if (MATCHSTR(payload, "XXXX")) + return true; + if (MATCHSTR(payload, "HELP")) + return true; + if (MATCHSTR(payload, "EXPN")) + return true; + + /* Turns out there are idiots who send their ehlos one byte at a + * time :/ */ + if (MATCH(payload, 'e', 0x00, 0x00, 0x00) && len == 1) + return true; + if (MATCH(payload, 'E', 0x00, 0x00, 0x00) && len == 1) + return true; + if (MATCH(payload, 'h', 0x00, 0x00, 0x00) && len == 1) + return true; + if (MATCH(payload, 'H', 0x00, 0x00, 0x00) && len == 1) + return true; + + return false; + +} + +static inline bool match_smtp_banner(uint32_t payload, uint32_t len) { + + /* Stupid servers that only send the banner one or two bytes at + * a time! */ + + if (len == 1) { + if (MATCH(payload, '2', 0x00, 0x00, 0x00)) + return true; + return false; + } + if (len == 2) { + if (MATCH(payload, '2', '2', 0x00, 0x00)) + return true; + return false; + } + if (len == 3) { + if (MATCH(payload, '2', '2', '0', 0x00)) + return true; + return false; + } + + if (MATCH(payload, '2', '2', '0', ' ')) + return true; + + if (MATCH(payload, '2', '2', '0', '-')) + return true; + + return false; +} + +static inline bool invalid_smtp(lpi_data_t *data) { + + if (data->payload_len[0] == 0 || data->payload_len[1] == 0) + { + if (match_str_either(data, "220 ") && + (data->server_port == 21 || + data->client_port == 21)) + return true; + } + return false; +} + +static inline bool match_smtp(lpi_data_t *data, lpi_module_t *mod UNUSED) +{ + if(invalid_smtp(data)) + { + return false; + } + /* Match all the random error codes */ + if (data->payload_len[0] == 0 || data->payload_len[1] == 0) { + if (match_str_either(data, "220 ")) + return true; + if (match_str_either(data, "450 ")) + return true; + if (match_str_either(data, "550 ")) + return true; + if (match_str_either(data, "550-")) + return true; + if (match_str_either(data, "421 ")) + return true; + if (match_str_either(data, "421-")) + return true; + if (match_str_either(data, "451 ")) + return true; + if (match_str_either(data, "451-")) + return true; + if (match_str_either(data, "452 ")) + return true; + if (match_str_either(data, "420 ")) + return true; + if (match_str_either(data, "571 ")) + return true; + if (match_str_either(data, "553 ")) + return true; + if (match_str_either(data, "554 ")) + return true; + if (match_str_either(data, "554-")) + return true; + if (match_str_either(data, "476 ")) + return true; + if (match_str_either(data, "475 ")) + return true; + } + + if (match_str_either(data, "QUIT") && + (data->server_port == 25 || + data->server_port == 587 || + data->client_port == 25 || + data->client_port == 587) + ) + return true; + if (match_str_either(data, "quit") && + (data->server_port == 25 || + data->server_port == 587 || + data->client_port == 25 || + data->client_port == 587) + ) + return true; + if (match_str_either(data, "Quit") && + (data->server_port == 25 || + data->server_port == 587 || + data->client_port == 25 || + data->client_port == 587) + ) + return true; + if (match_str_either(data, "EHLO") && + (data->server_port == 25 || + data->server_port == 587 || + data->client_port == 25 || + data->client_port == 587) + ) + return true; + if (match_str_either(data, "ehlo") && + (data->server_port == 25 || + data->server_port == 587 || + data->client_port == 25 || + data->client_port == 587) + ) + return true; + if (match_str_either(data, "HELO") && + (data->server_port == 25 || + data->server_port == 587 || + data->client_port == 25 || + data->client_port == 587) + ) + return true; + if (match_str_either(data, "helo") && + (data->server_port == 25 || + data->server_port == 587 || + data->client_port == 25 || + data->client_port == 587) + ) + return true; + if (match_str_either(data, "MAIL") && + (data->server_port == 25 || + data->server_port == 587 || + data->client_port == 25 || + data->client_port == 587) + ) + return true; + if (match_str_either(data, "mail") && (data->server_port == 25 || + data->server_port == 587 || + data->client_port == 25 || + data->client_port == 587)) + return true; + if (match_str_either(data, "RCPT") && + (data->server_port == 25 || + data->server_port == 587 || + data->client_port == 25 || + data->client_port == 587) + ) + return true; + if (match_str_either(data, "rcpt") && + (data->server_port == 25 || + data->server_port == 587 || + data->client_port == 25 || + data->client_port == 587) + ) + return true; + /* Match the server banner code */ + + if (match_smtp_banner(data->payload[0], data->payload_len[0])) { + if (match_smtp_command(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_smtp_banner(data->payload[1], data->payload_len[1])) { + if (match_smtp_command(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_smtp = { + LPI_PROTO_SMTP, + LPI_CATEGORY_MAIL, + "SMTP", + 2, + match_smtp +}; + +void register_smtp(LPIModuleMap *mod_map) { + register_protocol(&lpi_smtp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_smtps.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_smtps.cc new file mode 100644 index 0000000..35c6a84 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_smtps.cc @@ -0,0 +1,59 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_smtps(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* This rule matches legacy secure SMTP - this stuff shouldn't + * really exist anymore... */ + + if (!match_ssl(data)) + return false; + + /* Secure SMTP uses port 465 */ + if (data->server_port != 465 && data->client_port != 465) + return false; + + return true; +} + +static lpi_module_t lpi_smtps = { + LPI_PROTO_SMTPS, + LPI_CATEGORY_MAIL, + "SMTP_Secure", + 5, /* Should be a higher priority than regular SSL */ + match_smtps +}; + +void register_smtps(LPIModuleMap *mod_map) { + register_protocol(&lpi_smtps, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_socks4.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_socks4.cc new file mode 100644 index 0000000..bf71109 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_socks4.cc @@ -0,0 +1,95 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_socks4_req(uint32_t payload, uint32_t len) { + + /* Assuming port 80 for now - will update if we see other ports + * used + * + * Octets 3 and 4 contain the port number */ + if (!(MATCH(payload, 0x04, 0x01, ANY, ANY)) || (MATCH(payload, 0x04, 0x01, 0x00, 0x00))) + return false; + /* Port 25 */ + + if (len < 9) + return false; + + return true; + +} + +static inline bool match_socks4_resp(uint32_t payload, uint32_t len) { + + if(len < 8)return false; + if(MATCH(payload, 0x00, 0x5a, ANY, ANY) && !MATCH(payload, 0x00, 0x5a, 0x00,0x00)) + return true; + + /* Haven't seen any legit responses yet :/ */ + + return false; + +} + + +static inline bool match_socks4(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + //if (data->payload_len[0] != 0 && data->observed[0] == data->payload_len[0] && data->payload_len[1] != 0 && data->observed[1] == data->payload_len[1]) + if (data->payload_len[0] != 0 && data->payload_len[1] != 0) + { + if (match_socks4_req(data->payload[0], data->payload_len[0])) + { + if (match_socks4_resp(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_socks4_req(data->payload[1], data->payload_len[1])) + { + if (match_socks4_resp(data->payload[0], data->payload_len[0])) + return true; + } + } + + return false; +} + +static lpi_module_t lpi_socks4 = { + LPI_PROTO_SOCKS4, + LPI_CATEGORY_TUNNELLING, + "SOCKS4", + 5, + match_socks4 +}; + +void register_socks4(LPIModuleMap *mod_map) { + register_protocol(&lpi_socks4, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_socks5.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_socks5.cc new file mode 100644 index 0000000..0113538 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_socks5.cc @@ -0,0 +1,107 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_socks5_req(uint32_t payload, uint32_t len) { + + if(MATCH(payload, 0x05, ANY, ANY, ANY) && len < 6) + { + + if (MATCH(payload, 0x05, 0x01, ANY, ANY) && len == 3) + return true; + + if (MATCH(payload, 0x05, 0x02, ANY, ANY) && len == 4) + return true; + + if (MATCH(payload, 0x05, 0x03, ANY, ANY) && len == 5) + return true; + } + +#if 0 + /* Just assume "no auth" method supported, for now */ + if (!(MATCH(payload, 0x05, 0x01, 0x00, 0x00)) && !(MATCH(payload, 0x05, 0x02, 0x00, 0x01)) && !(MATCH(payload, 0x05, 0x01, 0x02, ANY))) + return false; + + if (len != 4 && len != 3) + return false; +#endif + return false; + +} + +static inline bool match_socks5_resp(uint32_t payload, uint32_t len) { + + //if (len == 0) + // return true; + + /* Just assume "no auth" method supported, for now */ + if (!(MATCH(payload, 0x05, 0x00, ANY, ANY)) && !(MATCH(payload, 0x05, 0x02, ANY, ANY)) && !(MATCH(payload, 0x05, 0xff, ANY, ANY))) + return false; + + if (len != 2) + return false; + + return true; + +} + + +static inline bool match_socks5(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->payload_len[0] != 0 && data->observed[0] == data->payload_len[0] && data->payload_len[1] != 0 && data->observed[1] == data->payload_len[1]) + { + if (match_socks5_req(data->payload[0], data->payload_len[0])) + { + if (match_socks5_resp(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_socks5_req(data->payload[1], data->payload_len[1])) + { + if (match_socks5_resp(data->payload[0], data->payload_len[0])) + return true; + } + } + return false; +} + +static lpi_module_t lpi_socks5 = { + LPI_PROTO_SOCKS5, + LPI_CATEGORY_TUNNELLING, + "SOCKS5", + 3, + match_socks5 +}; + +void register_socks5(LPIModuleMap *mod_map) { + register_protocol(&lpi_socks5, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_spdy.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_spdy.cc new file mode 100644 index 0000000..b564224 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_spdy.cc @@ -0,0 +1,102 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_spdy_syn(uint32_t payload) { + + if (MATCH(payload, 0x80, 0x03, 0x00, 0x01)) + return true; + return false; + +} + +static inline bool match_spdy_settings(uint32_t payload) { + + if (MATCH(payload, 0x80, 0x03, 0x00, 0x04)) + return true; + return false; + +} + +static inline bool match_spdy_syn_reply(uint32_t payload) { + + if (MATCH(payload, 0x80, 0x03, 0x00, 0x02)) + return true; + return false; + +} + +static inline bool match_spdy_ping(uint32_t payload, uint32_t len){ + + if (MATCH(payload, 0x80, 0x03, 0x00, 0x06) && len == 12) + return true; + return false; + +} + + + +static inline bool match_spdy(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_spdy_syn(data->payload[0])) { + if (match_spdy_settings(data->payload[1])) + return true; + if (match_spdy_syn_reply(data->payload[1])) + return true; + } + + if (match_spdy_syn(data->payload[1])) { + if (match_spdy_settings(data->payload[0])) + return true; + if (match_spdy_syn_reply(data->payload[0])) + return true; + } + + if (match_spdy_settings(data->payload[0]) && data->payload_len[0] == 28){ + if (match_spdy_ping(data->payload[1], data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_spdy = { + LPI_PROTO_SPDY, + LPI_CATEGORY_WEB, + "SPDY", + 10, + match_spdy +}; + +void register_spdy(LPIModuleMap *mod_map) { + register_protocol(&lpi_spdy, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_speedify.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_speedify.cc new file mode 100644 index 0000000..18bacf6 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_speedify.cc @@ -0,0 +1,72 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +/* Be super careful with this one -- looks a lot like Google Hangouts + * and Facebook TURN :/ + */ + +static inline bool match_speedify_header(uint32_t payload, uint32_t len) { + + /* 2 byte length field */ + if (len == 118 && MATCH(payload, 0x00, 0x74, 0x00, 0x01)) { + return true; + } + + return false; +} + +static inline bool match_speedify(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_speedify_header(data->payload[0], data->payload_len[0])) { + if (match_speedify_header(data->payload[1], + data->payload_len[1])) { + return true; + } + } + + + return false; +} + +static lpi_module_t lpi_speedify = { + LPI_PROTO_SPEEDIFY, + LPI_CATEGORY_TUNNELLING, + "SpeedifyVPN", + 199, + match_speedify +}; + +void register_speedify(LPIModuleMap *mod_map) { + register_protocol(&lpi_speedify, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_speedin.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_speedin.cc new file mode 100644 index 0000000..0b5831a --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_speedin.cc @@ -0,0 +1,100 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Speedin a.k.a. InVPN -- VPN for accessing Chinese content from outside + * of China. + */ +static inline bool match_speedin_3byte(uint32_t payload, uint32_t len) { + + if (len == 3 && MATCH(payload, 0x00, 0x00, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_speedin_other(uint32_t payload, uint32_t len) { + if (len <= 75 || len >= 137) + return false; + + if (MATCH(payload, 0x23, 0x00, ANY, ANY)) + return true; + if (MATCH(payload, 0x03, 0x00, ANY, ANY)) + return true; + return false; +} + +static inline bool match_port(uint16_t server, uint16_t client) { + if (server == 12000 || client == 12000) + return true; + + if (server == 11100 || client == 11100) + return true; + if (server == 11000 || client == 11000) + return true; + + /* Starting to see this on port 443 now :( */ + if (server == 443 || client == 443) + return true; + + return false; +} + + +static inline bool match_speedin(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (!match_port(data->server_port, data->client_port)) + return false; + + if (match_speedin_3byte(data->payload[0], data->payload_len[0])) { + if (match_speedin_other(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_speedin_3byte(data->payload[1], data->payload_len[1])) { + if (match_speedin_other(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_speedin = { + LPI_PROTO_SPEEDIN, + LPI_CATEGORY_TUNNELLING, + "Speedin", + 22, + match_speedin +}; + +void register_speedin(LPIModuleMap *mod_map) { + register_protocol(&lpi_speedin, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_speedtest.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_speedtest.cc new file mode 100644 index 0000000..d8425ca --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_speedtest.cc @@ -0,0 +1,99 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_speedtest_hi(uint32_t payload, uint32_t len) { + + if (len != 3) + return false; + if (!MATCH(payload, 'H', 'I', 0x0a, 0x00)) + return false; + return true; +} + +static inline bool match_speedtest_bighi(uint32_t payload, uint32_t len) { + + if (len == 40 && MATCH(payload, 'H', 'I', 0x20, ANY)) + return true; + return false; + +} + +static inline bool match_speedtest_hello(uint32_t payload, uint32_t len) { + + if (len == 0) + return true; + if (!MATCH(payload, 'H', 'E', 'L', 'L')) + return false; + return true; +} + +static inline bool match_speedtest(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_speedtest_hi(data->payload[0], data->payload_len[0])) { + if (match_speedtest_hello(data->payload[1], data->payload_len[1])) { + return true; + } + } + + if (match_speedtest_hi(data->payload[1], data->payload_len[1])) { + if (match_speedtest_hello(data->payload[0], data->payload_len[0])) { + return true; + } + } + + if (match_speedtest_bighi(data->payload[0], data->payload_len[0])) { + if (match_speedtest_hello(data->payload[1], data->payload_len[1])) { + return true; + } + } + + if (match_speedtest_bighi(data->payload[1], data->payload_len[1])) { + if (match_speedtest_hello(data->payload[0], data->payload_len[0])) { + return true; + } + } + + return false; +} + +static lpi_module_t lpi_speedtest = { + LPI_PROTO_SPEEDTEST, + LPI_CATEGORY_MONITORING, + "Speedtest.net", + 5, + match_speedtest +}; + +void register_speedtest(LPIModuleMap *mod_map) { + register_protocol(&lpi_speedtest, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_spotify.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_spotify.cc new file mode 100644 index 0000000..5a8b28b --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_spotify.cc @@ -0,0 +1,134 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_spotify_02_req(uint32_t payload, uint32_t len) { + uint32_t len_field = 0; + + /* Type 0x02 has a 16 bit length field */ + + /* The 0x01 is part of the length too... */ + if (!MATCH(payload, 0x00, 0x02, 0x01, ANY)) + return false; + + /* The last byte is the length of the packet - 256 */ + len_field = (ntohl(payload)) & 0xff; + + if (len_field == len - 256) + return true; + return false; + +} + +static inline bool match_spotify_04_req(uint32_t payload, uint32_t len) { + + if (!MATCH(payload, 0x00, 0x04, 0x00, 0x00)) + return false; + + return true; +} + + +static inline bool match_spotify_02_resp(uint32_t payload, uint32_t len) { + + if (len == 0) + return true; + if (len < 512) + return false; + if (!MATCH(payload, 0x00, ANY, ANY, ANY)) + return false; + return true; +} + +static inline bool match_spotify_04_resp(uint32_t payload, uint32_t len) { + + if (len == 0) + return true; + if (ntohl(payload) != len) + return false; + return true; + +} + +static inline bool match_spotify_port(uint16_t port) { + + if (port == 4070) + return true; + if (port == 80) + return true; + if (port == 443) + return true; + return false; + +} + +static inline bool match_spotify(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Make sure we're using the right port */ + if (!match_spotify_port(data->server_port) && + !match_spotify_port(data->client_port)) { + return false; + } + + if (match_spotify_02_req(data->payload[0], data->payload_len[0])) { + if (match_spotify_02_resp(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_spotify_02_req(data->payload[1], data->payload_len[1])) { + if (match_spotify_02_resp(data->payload[0], data->payload_len[0])) + return true; + } + + if (match_spotify_04_req(data->payload[0], data->payload_len[0])) { + if (match_spotify_04_resp(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_spotify_04_req(data->payload[1], data->payload_len[1])) { + if (match_spotify_04_resp(data->payload[0], data->payload_len[0])) + return true; + } + return false; +} + +static lpi_module_t lpi_spotify = { + LPI_PROTO_SPOTIFY, + LPI_CATEGORY_STREAMING, + "Spotify", + 7, + match_spotify +}; + +void register_spotify(LPIModuleMap *mod_map) { + register_protocol(&lpi_spotify, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_ssh.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_ssh.cc new file mode 100644 index 0000000..3c9553c --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_ssh.cc @@ -0,0 +1,83 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_ssh2_payload(uint32_t payload, uint32_t len) { + + /* SSH-2 begins with a four byte length field */ + + + if (len == 0) + return true; + + /* DON'T BYTESWAP!!! */ + if (payload == len) + return true; + return false; + +} + +static inline bool match_ssh(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_either(data, "SSH-")) + return true; + + /* Require port 22 for the following rules as they are not + * specific to SSH */ + if (data->server_port != 22 && data->client_port != 22) + return false; + if (match_str_either(data, "QUIT")) + return true; + + + if (!match_ssh2_payload(data->payload[0], data->payload_len[0])) + return false; + + if (!match_ssh2_payload(data->payload[1], data->payload_len[1])) + return false; + + + return true; + +} + +static lpi_module_t lpi_ssh = { + LPI_PROTO_SSH, + LPI_CATEGORY_REMOTE, + "SSH", + 2, + match_ssh +}; + +void register_ssh(LPIModuleMap *mod_map) { + register_protocol(&lpi_ssh, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_ssjj.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_ssjj.cc new file mode 100644 index 0000000..15519ba --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_ssjj.cc @@ -0,0 +1,80 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Some Chinese Flash-based FPS game */ + +static inline bool match_ssjj_3611(uint32_t payload, uint32_t len) { + + /* payload is a length field, but length exceeds typical MTU */ + if (len > 1380 && MATCH(payload, 0x00, 0x00, 0x36, 0x11)) + return true; + return false; + +} + +static inline bool match_ssjj_61(uint32_t payload, uint32_t len) { + + /* payload is a length field */ + if (len == 101 && MATCH(payload, 0x00, 0x00, 0x00, 0x61)) + return true; + return false; + +} + +static inline bool match_ssjj(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_ssjj_3611(data->payload[0], data->payload_len[0])) { + if (match_ssjj_61(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_ssjj_3611(data->payload[1], data->payload_len[1])) { + if (match_ssjj_61(data->payload[0], data->payload_len[0])) + return true; + } + + + return false; +} + +static lpi_module_t lpi_ssjj = { + LPI_PROTO_SSJJ, + LPI_CATEGORY_GAMING, + "SSJJ", + 5, + match_ssjj +}; + +void register_ssjj(LPIModuleMap *mod_map) { + register_protocol(&lpi_ssjj, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_ssl.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_ssl.cc new file mode 100644 index 0000000..5737522 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_ssl.cc @@ -0,0 +1,58 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_other_ssl(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (!match_ssl(data)) + return false; + + /* Ignore IMAPS and HTTPS, as these are separate protocols */ + if (data->server_port == 993 || data->client_port == 993) + return false; + if (data->server_port == 443 || data->client_port == 443) + return false; + + return true; +} + +static lpi_module_t lpi_ssl = { + LPI_PROTO_SSL, + LPI_CATEGORY_ENCRYPT, + "SSL/TLS", + 100, /* Make this lower priority than IMAPS and HTTPS, just in case */ + match_other_ssl +}; + +void register_ssl(LPIModuleMap *mod_map) { + register_protocol(&lpi_ssl, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_steam.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_steam.cc new file mode 100644 index 0000000..6c68bf7 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_steam.cc @@ -0,0 +1,118 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_old_steam(lpi_data_t *data) { + + /* Steam TCP Download */ + + if (!match_str_either(data, "\x01\x00\x00\x00")) + return false; + if (!match_chars_either(data, 0x00, 0x00, 0x00, ANY)) + return false; + + if (data->payload_len[0] == 4 && data->payload_len[1] == 1) { + return true; + } + if (data->payload_len[0] == 4 && data->payload_len[1] == 5) { + return true; + } + + if (data->payload_len[1] == 4 && data->payload_len[0] == 1) { + return true; + } + if (data->payload_len[1] == 4 && data->payload_len[0] == 5) { + return true; + } + + + return false; +} + +static inline bool match_steam_len(uint32_t payload, uint32_t len) { + + /* length is stored as a little-endian integer */ +#if BYTE_ORDER == BIG_ENDIAN + uint32_t plen = bswap32(payload); +#else + uint32_t plen = payload; +#endif + + if (plen == len - 8) { + return true; + } + return false; +} + +static inline bool match_steam_vt01(lpi_data_t *data) { + + /* I imagine other ports are possible? */ + + if (data->server_port != 27050 && data->client_port != 27050) { + return false; + } + + /* Observed length pairs so far: + * 150, 76 + */ + + if (match_steam_len(data->payload[0], data->payload_len[0])) { + if (match_steam_len(data->payload[1], data->payload_len[1])) { + return true; + } + } + + return false; +} + +static inline bool match_steam(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_old_steam(data)) + return true; + if (match_steam_vt01(data)) { + return true; + } + return false; +} + + +static lpi_module_t lpi_steam = { + LPI_PROTO_STEAM, + LPI_CATEGORY_GAMING, + "Steam_TCP", + 104, /* Might not be as reliable as some other rules (?) */ + match_steam +}; + +void register_steam(LPIModuleMap *mod_map) { + register_protocol(&lpi_steam, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_stratum.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_stratum.cc new file mode 100644 index 0000000..a992161 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_stratum.cc @@ -0,0 +1,71 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool possible_port(uint16_t porta, uint16_t portb) { + /* Bit hax, but the payload alone doesn't exactly feel + * unique. */ + if (porta >= 3300 && porta < 3400) + return true; + + if (portb >= 3300 && portb < 3400) + return true; + return false; +} + +/* Protocol used for pooled bitcoin mining */ +static inline bool match_stratum(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Port can vary but usually something around 3357 */ + + if (!possible_port(data->server_port, data->client_port)) + return false; + + if (MATCH(data->payload[0], '{', '"', 'i', 'd')) { + if (MATCH(data->payload[1], '{', '"', 'i', 'd')) + return true; + } + + return false; +} + +static lpi_module_t lpi_stratum = { + LPI_PROTO_STRATUM, + LPI_CATEGORY_ECOMMERCE, + "Stratum", + 200, + match_stratum +}; + +void register_stratum(LPIModuleMap *mod_map) { + register_protocol(&lpi_stratum, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_stun.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_stun.cc new file mode 100644 index 0000000..4526291 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_stun.cc @@ -0,0 +1,90 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_stun_payload(uint32_t payload, uint32_t len) { + /* Bytes 3 and 4 are the Message Length - the STUN header */ + if ((ntohl(payload) & 0x0000ffff) != len - 20) + return false; + + if (MATCH(payload, 0x00, 0x01, ANY, ANY)) + return true; + if (MATCH(payload, 0x01, 0x01, ANY, ANY)) + return true; + if (MATCH(payload, 0x01, 0x11, ANY, ANY)) + return true; + if (MATCH(payload, 0x00, 0x03, ANY, ANY)) + return true; + if (MATCH(payload, 0x01, 0x03, ANY, ANY)) + return true; + if (MATCH(payload, 0x01, 0x13, ANY, ANY)) + return true; + + return false; + +} + + +static inline bool match_stun_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Wouldn't have expected to see STUN over TCP, but sure we can + * match that. */ + + if (match_str_either(data, "RSP/")) + return true; + + /* We can also see more conventional STUN payloads over TCP as well :/ + */ + if (data->server_port == 3478 || data->client_port == 3478) { + if (match_stun_payload(data->payload[0], data->payload_len[0])) + { + if (match_stun_payload(data->payload[1], + data->payload_len[1])) { + return true; + } + } + } + + return false; +} + +static lpi_module_t lpi_stun_tcp = { + LPI_PROTO_STUN, + LPI_CATEGORY_NAT, + "STUN_TCP", + 5, + match_stun_tcp +}; + +void register_stun_tcp(LPIModuleMap *mod_map) { + register_protocol(&lpi_stun_tcp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_supl.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_supl.cc new file mode 100644 index 0000000..752b752 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_supl.cc @@ -0,0 +1,80 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* SUPL - protocol to support location based services */ + +static inline bool match_supl_out(uint32_t payload, uint32_t len) { + + /* First two bytes are a length field, followed by two bytes of version */ + if (len == 32 && MATCH(payload, 0x00, 0x20, 0x02, 0x00)) + return true; + return false; +} + +static inline bool match_supl_in(uint32_t payload, uint32_t len) { + + /* First two bytes are a length field, followed by two bytes of version */ + if (len == 18 && MATCH(payload, 0x00, 0x12, 0x02, 0x00)) + return true; + return false; + +} + +static inline bool match_supl(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 7275 && data->client_port != 7275) + return false; + + if (match_supl_out(data->payload[0], data->payload_len[0])) { + if (match_supl_in(data->payload[1], data->payload_len[1])) + return true; + } + if (match_supl_out(data->payload[1], data->payload_len[1])) { + if (match_supl_in(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_supl = { + LPI_PROTO_SUPL, + LPI_CATEGORY_LOCATION, + "SUPL", + 12, + match_supl +}; + +void register_supl(LPIModuleMap *mod_map) { + register_protocol(&lpi_supl, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_svn.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_svn.cc new file mode 100644 index 0000000..6a6c36a --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_svn.cc @@ -0,0 +1,79 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_svn_greet(uint32_t payload, uint32_t len) { + + if (MATCHSTR(payload, "( su")) + return true; + + return false; + +} + +static inline bool match_svn_resp(uint32_t payload, uint32_t len) { + if (len == 0) + return true; + + if (MATCHSTR(payload, "( 2 ")) + return true; + return false; +} + + +static inline bool match_svn(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_svn_greet(data->payload[0], data->payload_len[0])) { + if (match_svn_resp(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_svn_greet(data->payload[1], data->payload_len[1])) { + if (match_svn_resp(data->payload[0], data->payload_len[0])) + return true; + } + + + return false; +} + +static lpi_module_t lpi_svn = { + LPI_PROTO_SVN, + LPI_CATEGORY_RCS, + "SVN", + 3, + match_svn +}; + +void register_svn(LPIModuleMap *mod_map) { + register_protocol(&lpi_svn, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_talesrunner.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_talesrunner.cc new file mode 100644 index 0000000..d74847e --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_talesrunner.cc @@ -0,0 +1,85 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* MMORPG from the people behind "Funtown" */ + +static inline bool match_0e01(uint32_t payload, uint32_t len) { + + if (len == 5 && MATCH(payload, 0x05, 0x00, 0x0e, 0x01)) + return true; + return false; +} + +static inline bool match_0f(uint32_t payload, uint32_t len) { + + /* Bytes 1 and 2 are a length field, but length seems to + * correlate strongly with the value of byte 4 */ + + if (len == 64 && MATCH(payload, 0x40, 0x00, 0x0f, 0x0b)) + return true; + if (len == 61 && MATCH(payload, 0x3d, 0x00, 0x0f, 0x08)) + return true; + if (len == 60 && MATCH(payload, 0x3c, 0x00, 0x0f, 0x07)) + return true; + return false; +} + +static inline bool match_talesrunner(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* port 9153 */ + + if (match_0e01(data->payload[0], data->payload_len[0])) { + if (match_0f(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_0e01(data->payload[1], data->payload_len[1])) { + if (match_0f(data->payload[0], data->payload_len[0])) + return true; + } + + + return false; +} + +static lpi_module_t lpi_talesrunner = { + LPI_PROTO_TALESRUNNER, + LPI_CATEGORY_GAMING, + "TalesRunner", + 51, + match_talesrunner +}; + +void register_talesrunner(LPIModuleMap *mod_map) { + register_protocol(&lpi_talesrunner, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_tankionline.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_tankionline.cc new file mode 100644 index 0000000..da9af66 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_tankionline.cc @@ -0,0 +1,82 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* A Flash-based version of TankiX */ + +static inline bool to_port(uint16_t porta, uint16_t portb) { + if (porta == 5190 || porta == 15050) + return true; + if (portb == 15050 || portb == 5190) + return true; + return false; +} + +static inline bool match_to(uint32_t payload, uint32_t len) { + + if (len == 44 && MATCH(payload, 0x00, 0x2a, 0x00, 0x03)) + return true; + return false; +} + +static inline bool match_tankionline(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (!to_port(data->server_port, data->client_port)) { + return false; + } + + /* The other direction is random MTU-sized payload. Apologies to + * people with small MTUs. */ + if (match_to(data->payload[0], data->payload_len[0])) { + if (data->payload_len[1] >= 1300) + return true; + } + + if (match_to(data->payload[1], data->payload_len[1])) { + if (data->payload_len[0] >= 1300) + return true; + } + + return false; +} + +static lpi_module_t lpi_tankionline = { + LPI_PROTO_TANKIONLINE, + LPI_CATEGORY_GAMING, + "TankiOnline", + 180, + match_tankionline +}; + +void register_tankionline(LPIModuleMap *mod_map) { + register_protocol(&lpi_tankionline, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_tankix.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_tankix.cc new file mode 100644 index 0000000..c85b32e --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_tankix.cc @@ -0,0 +1,68 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_tankix_19(uint32_t payload, uint32_t len) { + + if (MATCHSTR(payload, "\xff\x00\x00\x00") && len == 19) + return true; + return false; +} + + +static inline bool match_tankix(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Port 5050 */ + if (match_tankix_19(data->payload[0], data->payload_len[0])) { + if (MATCHSTR(data->payload[1], "\xff\x00\x00\x00")) + return true; + } + + if (match_tankix_19(data->payload[1], data->payload_len[1])) { + if (MATCHSTR(data->payload[0], "\xff\x00\x00\x00")) + return true; + } + + return false; +} + +static lpi_module_t lpi_tankix = { + LPI_PROTO_TANKIX, + LPI_CATEGORY_GAMING, + "TankiX", + 52, + match_tankix +}; + +void register_tankix(LPIModuleMap *mod_map) { + register_protocol(&lpi_tankix, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_taobao.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_taobao.cc new file mode 100644 index 0000000..31bf114 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_taobao.cc @@ -0,0 +1,130 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Not entirely sure what this protocol is. Observed flows involve Taobao + * CDN hosts and TCP port 80, but it is clearly not HTTP. Users doing this + * protocol also speak conventional HTTP and HTTPS to the same Taobao host + * at the same time, so it isn't a substitute for HTTP. Possibly a streaming + * media protocol? + * + * For now I'm just going to use the generic name 'Taobao' and hope that + * we can figure this out some time in the future. + */ + +static inline bool match_taobao_req(uint32_t payload, uint32_t len) { + /* Byte 4 is a length field, == len - 4 */ + + uint32_t taolen = ntohl(payload) & 0xffff; + + if (MATCH(payload, 0xf5, 0x00, ANY, ANY)) { + if (taolen == len - 4) + return true; + } + + if (MATCH(payload, 0xf1, 0x00, ANY, ANY)) { + if (taolen == len - 4) + return true; + } + return false; + +} + +static inline bool match_taobao_resp(uint32_t payload, uint32_t len) { + /* Byte 4 is a length field, == len - 4 */ + + uint32_t taolen = ntohl(payload) & 0xffff; + + if (MATCH(payload, 0xf3, 0x00, ANY, ANY)) { + if (taolen == len - 4) + return true; + } + return false; + +} + + +/* Taobao seem to bastardize SSL. The request looks like a standard + * TLS handshake, but the response is definitely something custom. + */ +static inline bool match_taobao_sslreq(uint32_t payload) { + if (MATCH(payload, 0x16, 0x03, 0x01, 0x00)) + return true; + return false; +} + +static inline bool match_taobao_sslresp(uint32_t payload) { + if (MATCH(payload, 0x10, 0x3a, 0xf3, 0x00)) + return true; + if (MATCH(payload, 0x10, 0xae, 0xf3, 0x00)) + return true; + return false; +} + +static inline bool match_taobao(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_taobao_req(data->payload[0], data->payload_len[0])) { + if (match_taobao_resp(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_taobao_req(data->payload[1], data->payload_len[1])) { + if (match_taobao_resp(data->payload[0], data->payload_len[0])) + return true; + } + + + if (match_taobao_sslreq(data->payload[0])) { + if (match_taobao_sslresp(data->payload[1])) + return true; + } + + if (match_taobao_sslreq(data->payload[1])) { + if (match_taobao_sslresp(data->payload[0])) + return true; + } + + + return false; +} + +static lpi_module_t lpi_taobao = { + LPI_PROTO_TAOBAO, + LPI_CATEGORY_CDN, + "Taobao", + 20, + match_taobao +}; + +void register_taobao(LPIModuleMap *mod_map) { + register_protocol(&lpi_taobao, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_tds.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_tds.cc new file mode 100644 index 0000000..4069b70 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_tds.cc @@ -0,0 +1,78 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_tds_response(uint32_t payload, uint32_t len) { + + uint32_t stated_len = 0; + + if (len == 0) + return true; + + if (!MATCH(payload, 0x04, 0x01, ANY, ANY)) + return false; + stated_len = (ntohl(payload) & 0xffff); + if (stated_len != len) + return false; + + return true; + + +} + + +static inline bool match_tds(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_tds_request(data->payload[0], data->payload_len[0])) { + if (match_tds_response(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_tds_request(data->payload[1], data->payload_len[1])) { + if (match_tds_response(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_tds = { + LPI_PROTO_TDS, + LPI_CATEGORY_DATABASES, + "TDS", + 4, + match_tds +}; + +void register_tds(LPIModuleMap *mod_map) { + register_protocol(&lpi_tds, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_teamviewer.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_teamviewer.cc new file mode 100644 index 0000000..f33a296 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_teamviewer.cc @@ -0,0 +1,108 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_teamviewer_payload(uint32_t payload, uint32_t len) { + + if (len == 0) + return true; + if (!MATCH(payload, 0x17, 0x24, ANY, ANY)) + return false; + + if (len < 256 && (ntohl(payload) & 0xff) != len - 5) + return false; + + return true; + + +} + +static inline bool match_teamviewer_alt(uint32_t payload, uint32_t len) { + if (!MATCH(payload, 0x11, 0x30, 0x36, 0x00)) + return false; + return true; +} + +static inline bool match_teamviewer_37(uint32_t payload, uint32_t len) { + if (MATCH(payload, 0x11, 0x30, 0x37, 0x00) && len == 32) + return true; + return false; +} + +static inline bool match_teamviewer_38(uint32_t payload) { + if (MATCH(payload, 0x11, 0x30, 0x38, 0x00)) + return true; + return false; +} + +static inline bool match_teamviewer(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_teamviewer_payload(data->payload[0], data->payload_len[0])) { + if (match_teamviewer_payload(data->payload[1], data->payload_len[1])) + return true; + if (match_teamviewer_alt(data->payload[1], data->payload_len[1])) + return true; + + } + + if (match_teamviewer_payload(data->payload[1], data->payload_len[1])) { + if (match_teamviewer_payload(data->payload[0], data->payload_len[0])) + return true; + if (match_teamviewer_alt(data->payload[0], data->payload_len[0])) + return true; + + } + + if (match_teamviewer_37(data->payload[0], data->payload_len[0])) { + if (match_teamviewer_38(data->payload[1])) + return true; + } + + if (match_teamviewer_37(data->payload[1], data->payload_len[1])) { + if (match_teamviewer_38(data->payload[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_teamviewer = { + LPI_PROTO_TEAMVIEWER, + LPI_CATEGORY_REMOTE, + "Teamviewer", + 40, + match_teamviewer +}; + +void register_teamviewer(LPIModuleMap *mod_map) { + register_protocol(&lpi_teamviewer, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_telecomkey.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_telecomkey.cc new file mode 100644 index 0000000..a9eb654 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_telecomkey.cc @@ -0,0 +1,60 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_telecomkey(lpi_data_t *data, lpi_module_t *mod UNUSED) { + /* Custom protocol used in transactions to telecomkey.com + * + * Not idea what it is, exactly. + */ + + if (MATCH(data->payload[0], 0x30, 0x30, 0x30, 0x30) && + data->payload_len[0] == 8) + return true; + if (MATCH(data->payload[1], 0x30, 0x30, 0x30, 0x30) && + data->payload_len[1] == 8) + return true; + + return false; +} + +static lpi_module_t lpi_telecomkey = { + LPI_PROTO_TELECOMKEY, + LPI_CATEGORY_TELCO, + "TelecomKey", + 3, + match_telecomkey +}; + +void register_telecomkey(LPIModuleMap *mod_map) { + register_protocol(&lpi_telecomkey, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_telegram.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_telegram.cc new file mode 100644 index 0000000..704876f --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_telegram.cc @@ -0,0 +1,162 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +#include <stdio.h> +/* Protocol is documented at https://core.telegram.org/mtproto */ + + +static inline bool match_abridged_telegram_query(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 0xef, ANY, ANY, ANY)) { + + /* Bottom 7 bits of byte 2 are a length field */ + uint32_t lenfield = ((ntohl(payload) >> 16) & 0x7f); + + if (len - 2 == lenfield * 4) { + return true; + } + + /* XXX Some clients appear to follow the query with some + * other message which TCP will combine into the same + * segment, so we can still fail the length check. Do + * we want to consider removing the length check and just + * rely on the 0x3f byte for matching this? + */ + + } + + /* All 1s in the length field means the next three bytes are a + * length field. In this case, the first packet will almost + * certainly be MSS sized. + */ + if (MATCH(payload, 0xef, 0x7f, ANY, ANY)) { + if (len >= 1300) + return true; + } + + return false; +} + +static inline bool match_telegram_query(uint32_t payload, uint32_t len) { + + /* Random bytes but always 105 based on my observations */ + + if (len == 105) + return true; + + return false; +} + +static inline bool match_abridged_telegram_resp(uint32_t payload, uint32_t len) { + + /* Fast acknowledgement -- technically this should only match if + * top bit of the length field is set, but we're probably ok to not + * enforce that. + */ + if (len == 4 && (payload & 0x00000080)) + return true; + + /* Look out for very large packets that won't fit in a single segment */ + if (MATCH(payload, 0x7f, ANY, ANY, 0x00)) + return true; + + /* Otherwise, first byte is the length field */ + uint32_t lenfield = ((ntohl(payload) >> 24)); + + if (lenfield * 4 == len - 1) + return true; + return false; + +} + +static inline bool match_telegram_resp(uint32_t payload, uint32_t len) { + + /* First four bytes are a length field */ + uint32_t lenfield = ntohl(payload); + + if (lenfield * 4 == len - 1) + return true; + return false; + +} + + +static inline bool match_telegram(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + + if (match_abridged_telegram_query(data->payload[0], data->payload_len[0])) { + if (match_abridged_telegram_resp(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_abridged_telegram_query(data->payload[1], data->payload_len[1])) { + if (match_abridged_telegram_resp(data->payload[0], data->payload_len[0])) + return true; + } + + if (match_telegram_query(data->payload[0], data->payload_len[0])) { + if (match_telegram_resp(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_telegram_query(data->payload[1], data->payload_len[1])) { + if (match_telegram_resp(data->payload[0], data->payload_len[0])) + return true; + } + + if (data->payload_len[0] == 96 && data->payload_len[1] == 52) { + if (MATCH(data->payload[0], 0x60, 0x00, 0x00, 0x00) && + MATCH(data->payload[1], 0x34, 0x00, 0x00, 0x00)) + return true; + } + + if (data->payload_len[1] == 96 && data->payload_len[0] == 52) { + if (MATCH(data->payload[1], 0x60, 0x00, 0x00, 0x00) && + MATCH(data->payload[0], 0x34, 0x00, 0x00, 0x00)) + return true; + } + + return false; +} + +static lpi_module_t lpi_telegram = { + LPI_PROTO_TELEGRAM, + LPI_CATEGORY_CHAT, + "TelegramMessenger", + 10, + match_telegram +}; + +void register_telegram(LPIModuleMap *mod_map) { + register_protocol(&lpi_telegram, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_telnet.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_telnet.cc new file mode 100644 index 0000000..8368cf0 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_telnet.cc @@ -0,0 +1,100 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Rules adapted from l7-filter */ +static inline bool match_telnet_pattern(uint32_t payload, uint32_t len) { + + /* Sadly we cannot use a simple MATCH, because we're looking for + * two 0xff characters, which happens to be the same value as ANY. + */ + + if (len >= 4) { + if ((ntohl(payload) & 0xff0000ff) != (0xff0000ff)) + return false; + } + else if (len == 3) { + if ((ntohl(payload) & 0xff000000) != (0xff000000)) + return false; + } + else + return false; + + if (MATCH(payload, ANY, 0xfb, ANY, ANY)) + return true; + if (MATCH(payload, ANY, 0xfc, ANY, ANY)) + return true; + if (MATCH(payload, ANY, 0xfd, ANY, ANY)) + return true; + if (MATCH(payload, ANY, 0xfe, ANY, ANY)) + return true; + + return false; +} + +static inline bool match_atos_telnet(uint32_t payload) { + + /* ATOS seems to be related to ADSL routers, which really shouldn't + * be allowing telnet over the public internet */ + + if (MATCH(payload, 0x1b, 0x5b, 0x32, 0x4a)) + return true; + return false; + +} + +static inline bool match_telnet(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_telnet_pattern(data->payload[0], data->payload_len[0])) + return true; + if (match_telnet_pattern(data->payload[1], data->payload_len[1])) + return true; + + if (match_atos_telnet(data->payload[0]) && data->payload_len[1] == 0) + return true; + if (match_atos_telnet(data->payload[1]) && data->payload_len[0] == 0) + return true; + + return false; +} + +static lpi_module_t lpi_telnet = { + LPI_PROTO_TELNET, + LPI_CATEGORY_REMOTE, + "Telnet", + 2, + match_telnet +}; + +void register_telnet(LPIModuleMap *mod_map) { + register_protocol(&lpi_telnet, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_telnet_exploit.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_telnet_exploit.cc new file mode 100644 index 0000000..a642870 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_telnet_exploit.cc @@ -0,0 +1,73 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_telnet_exploit(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Anyone firing up a telnet session and immediately sending 'root', + * as opposed to the initial telnet commands, is probably up to no + * good */ + + if (data->server_port != 23 && data->client_port != 23) + return false; + + if (MATCH(data->payload[0], 'r', 'o', 'o', 't')) + return true; + if (MATCH(data->payload[1], 'r', 'o', 'o', 't')) + return true; + + /* This is a common way for telnet servers to drop unwanted clients + * + * Full string is: + * + * %connection closed by remote host! */ + if (MATCH(data->payload[0], 0x0d, 0x0a, '%', 'c') && + data->payload_len[1] == 0) + return true; + if (MATCH(data->payload[1], 0x0d, 0x0a, '%', 'c') && + data->payload_len[0] == 0) + return true; + + return false; +} + +static lpi_module_t lpi_telnet_exploit = { + LPI_PROTO_TELNET_EXPLOIT, + LPI_CATEGORY_MALWARE, + "TelnetExploit", + 20, + match_telnet_exploit +}; + +void register_telnet_exploit(LPIModuleMap *mod_map) { + register_protocol(&lpi_telnet_exploit, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_tencent_games.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_tencent_games.cc new file mode 100644 index 0000000..72770d7 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_tencent_games.cc @@ -0,0 +1,90 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* This traffic has been observed with BNS China, an MMO operated by + * Tencent. I can't be sure whether this is exclusive to BNS or is used + * by all Tencent games yet, so I'll use the generic name "TencentGames" + * rather than assuming it is only BNS. + */ + +static inline bool match_tcg_req(uint32_t payload, uint32_t len) { + + uint32_t hdrlen = (ntohl(payload) & 0xffff); + + if (hdrlen != len) + return false; + + if (MATCH(payload, 0xd8, 0x5c, ANY, ANY)) + return true; + return false; +} + +static inline bool match_tcg_reply(uint32_t payload, uint32_t len) { + + uint32_t hdrlen = (ntohl(payload) & 0xffff); + + if (hdrlen != len) + return false; + + if (MATCH(payload, 0xd8, 0x5d, ANY, ANY)) + return true; + return false; +} + +static inline bool match_tencent_games(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_tcg_req(data->payload[0], data->payload_len[0])) { + if (match_tcg_reply(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_tcg_req(data->payload[1], data->payload_len[1])) { + if (match_tcg_reply(data->payload[0], data->payload_len[0])) + return true; + } + + + return false; +} + +static lpi_module_t lpi_tencent_games = { + LPI_PROTO_TENCENT_GAMES, + LPI_CATEGORY_GAMING, + "TencentGames", + 5, + match_tencent_games +}; + +void register_tencent_games(LPIModuleMap *mod_map) { + register_protocol(&lpi_tencent_games, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_tenfivecoin.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_tenfivecoin.cc new file mode 100644 index 0000000..1aa7256 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_tenfivecoin.cc @@ -0,0 +1,61 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +static inline bool match_tfc_magic(uint32_t payload, uint32_t len) { + if (len == 24 && MATCH(payload, 0xfa, 0xbf, 0xb5, 0xda)) + return true; + return false; +} + +static inline bool match_tenfivecoin(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_tfc_magic(data->payload[0], data->payload_len[0])) { + if (match_tfc_magic(data->payload[1], data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_tenfivecoin = { + LPI_PROTO_TENFIVECOIN, + LPI_CATEGORY_ECOMMERCE, + "TenFiveCoin", + 12, + match_tenfivecoin +}; + +void register_tenfivecoin(LPIModuleMap *mod_map) { + register_protocol(&lpi_tenfivecoin, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_tensafe.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_tensafe.cc new file mode 100644 index 0000000..89132de --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_tensafe.cc @@ -0,0 +1,97 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* TenSafe is an anti-cheat mechanism that is included with major + * online games published by Tencent, e.g. Blade N Soul, DNF. + */ + +static inline bool match_tensafe_req(uint32_t payload, uint32_t len) { + if (len != 42) + return false; + if (MATCH(payload, 0x01, 0x00, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_tensafe_resp(uint32_t payload, uint32_t len) { + if (len == 0) + return true; + + if (len != 50) + return false; + if (MATCH(payload, 0x01, 0x00, 0x00, 0x00)) + return true; + return false; +} + +static inline bool is_tensafe_port(uint16_t server, uint16_t client) { + if (server == 8080 || server == 80 || server == 443) + return true; + if (server == 10012) + return true; + if (client == 8080 || client == 80 || client == 443) + return true; + if (client == 10012) + return true; + return false; +} + +static inline bool match_tensafe(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (!is_tensafe_port(data->server_port, data->client_port)) + return false; + + if (match_tensafe_req(data->payload[0], data->payload_len[0])) { + if (match_tensafe_resp(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_tensafe_req(data->payload[1], data->payload_len[1])) { + if (match_tensafe_resp(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_tensafe = { + LPI_PROTO_TENSAFE, + LPI_CATEGORY_GAMING, + "TenSafe", + 70, + match_tensafe +}; + +void register_tensafe(LPIModuleMap *mod_map) { + register_protocol(&lpi_tensafe, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_tera.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_tera.cc new file mode 100644 index 0000000..a8ca5ca --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_tera.cc @@ -0,0 +1,74 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +static inline bool match_tera_resp(uint32_t payload, uint32_t len) { + + if (len != 4) + return false; + if (MATCH(payload, 0x01, 0x00, 0x00, 0x00)) + return true; + return false; + +} + +static inline bool match_tera(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* XXX This traffic generally only appears on port 10001 */ + + /* First C->S packet is 128 bytes, but first bytes are random */ + + if (data->payload_len[1] == 128) { + if (match_tera_resp(data->payload[0], data->payload_len[0])) + return true; + } + + if (data->payload_len[0] == 128) { + if (match_tera_resp(data->payload[1], data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_tera = { + LPI_PROTO_TERA, + LPI_CATEGORY_GAMING, + "Tera", + 8, + match_tera +}; + +void register_tera(LPIModuleMap *mod_map) { + register_protocol(&lpi_tera, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_tetrisonline.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_tetrisonline.cc new file mode 100644 index 0000000..1f318b7 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_tetrisonline.cc @@ -0,0 +1,63 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Only ever seen this on port 80 to hosts owned by Tetris Online. This + * may not be exclusive to Tetris Online (i.e. it might be a generic flash + * game protocol) but I can't be sure until I see it somewhere else. + */ + + +static inline bool match_tetrisonline(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 80 && data->client_port != 80) + return false; + + if (MATCH(data->payload[0], 'U', 'S', 'R', ' ')) { + if (MATCH(data->payload[1], 'U', 'S', 'R', ' ')) + return true; + } + + return false; +} + +static lpi_module_t lpi_tetrisonline = { + LPI_PROTO_TETRISONLINE, + LPI_CATEGORY_GAMING, + "TetrisOnline", + 5, + match_tetrisonline +}; + +void register_tetrisonline(LPIModuleMap *mod_map) { + register_protocol(&lpi_tetrisonline, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_thedivision.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_thedivision.cc new file mode 100644 index 0000000..59001e4 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_thedivision.cc @@ -0,0 +1,75 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Tom Clancy's The Division -- Ubisoft game */ + +static inline bool match_div_36(uint32_t payload, uint32_t len) { + if (len == 36 && MATCH(payload, 0x46, 0x01, 0x02, 0x20)) + return true; + return false; +} + +static inline bool match_div_8(uint32_t payload, uint32_t len) { + if (len == 8 && MATCH(payload, 0x0e, 0x01, 0x00, 0x04)) + return true; + return false; +} + +static inline bool match_thedivision(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Port 55000? */ + + if (match_div_36(data->payload[0], data->payload_len[0])) { + if (match_div_8(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_div_36(data->payload[1], data->payload_len[1])) { + if (match_div_8(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_thedivision = { + LPI_PROTO_THE_DIVISION, + LPI_CATEGORY_GAMING, + "TheDivision", + 5, + match_thedivision +}; + +void register_thedivision(LPIModuleMap *mod_map) { + register_protocol(&lpi_thedivision, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_tip.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_tip.cc new file mode 100644 index 0000000..63770c8 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_tip.cc @@ -0,0 +1,51 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_tip(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_either(data, "PUSH")) + return true; + return false; +} + +static lpi_module_t lpi_tip = { + LPI_PROTO_TIP, + LPI_CATEGORY_ECOMMERCE, + "TIP", + 5, /* Not a very strong rule */ + match_tip +}; + +void register_tip(LPIModuleMap *mod_map) { + register_protocol(&lpi_tip, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_tor.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_tor.cc new file mode 100644 index 0000000..c1282f9 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_tor.cc @@ -0,0 +1,68 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_tor(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* I *think* this is TOR but have not confirmed */ + + /* Don't believe in this rule anymore :) */ + /* + if (match_chars_either(data, 0x3d, 0x00, 0x00, 0x00) && + (data->payload_len[0] == 4 || + data->payload_len[1] == 4)) + return true; + */ + + /* Lots of TOR is SSL over port 443, which we can't really distinguish + * from HTTPS. However, we can match the stuff on port 9001 */ + + if (!match_ssl(data)) + return false; + + if (data->server_port == 9001 || data->client_port == 9001) + return true; + + return false; +} + +static lpi_module_t lpi_tor = { + LPI_PROTO_TOR, + LPI_CATEGORY_TUNNELLING, + "TOR", + 7, /* Not the strongest rule */ + match_tor +}; + +void register_tor(LPIModuleMap *mod_map) { + register_protocol(&lpi_tor, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_tpkt.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_tpkt.cc new file mode 100644 index 0000000..df4df0a --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_tpkt.cc @@ -0,0 +1,64 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* TPKT is a slightly annoying little protocol that is used by a variety of + * applications. It is most notably used for RDP, but is also important for + * anything based on the H.323 standard for multimedia conferencing (e.g. + * Cisco CallManager). + * + * Basically, this module is going to be aimed at matching any generic + * TPKT traffic that isn't something we can assign to a more specific + * application, e.g. RDP + */ + +static inline bool match_tpkt_generic(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_tpkt(data->payload[0], data->payload_len[0])) { + if (match_tpkt(data->payload[1], data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_tpkt_generic = { + LPI_PROTO_TPKT, + LPI_CATEGORY_VOIP, /* Most TPKT stuff is for VOIP, conferencing etc */ + "TPKT", + 8, /* Must come after RDP and S7COMM but before RTMP */ + match_tpkt_generic +}; + +void register_tpkt_generic(LPIModuleMap *mod_map) { + register_protocol(&lpi_tpkt_generic, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_trackmania.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_trackmania.cc new file mode 100644 index 0000000..a510ccd --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_trackmania.cc @@ -0,0 +1,106 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_trackmania_3450(lpi_data_t *data) { + + /* Version of trackmania protocol usually seen on port 3450 */ + + if (data->server_port != 3450 && data->client_port != 3450) + return false; + + if (match_str_both(data, "\x23\x00\x00\x00", "\x13\x00\x00\x00")) { + + if (!match_payload_length(ntohl(data->payload[0]), + data->payload_len[0])) + return false; + + if (!match_payload_length(ntohl(data->payload[1]), + data->payload_len[1])) + return false; + return true; + } + + if (match_str_either(data, "\x23\x00\x00\x00")) { + if (data->payload_len[0] == 39 && data->payload_len[1] == 0) + return true; + if (data->payload_len[1] == 39 && data->payload_len[0] == 0) + return true; + } + + return false; + +} + +static inline bool match_trackmania_2350(lpi_data_t *data) { + + /* One version of the trackmania protocol, typically seen running + * on port 2350 */ + + if (!match_payload_length(ntohl(data->payload[0]), + data->payload_len[0])) + return false; + + if (!match_payload_length(ntohl(data->payload[1]), + data->payload_len[1])) + return false; + + if (!match_chars_either(data, 0x1c, 0x00, 0x00, 0x00)) + return false; + + return true; + +} + + +static inline bool match_trackmania(lpi_data_t *data, lpi_module_t *mod UNUSED) +{ + if (match_trackmania_3450(data)) + return true; + if (match_trackmania_2350(data)) + return true; + + + return false; +} + +static lpi_module_t lpi_trackmania = { + LPI_PROTO_TRACKMANIA, + LPI_CATEGORY_GAMING, + "Trackmania", + 3, + match_trackmania +}; + +void register_trackmania(LPIModuleMap *mod_map) { + register_protocol(&lpi_trackmania, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_transocks.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_transocks.cc new file mode 100644 index 0000000..0190a82 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_transocks.cc @@ -0,0 +1,100 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Chinese VPN for accessing mainland content */ + +static inline bool match_ts_23(uint32_t payload, uint32_t len) { + + if (len == 23 && MATCH(payload, 0x00, 0x00, 0x00, 0x00)) { + return true; + } + + return false; +} + +static inline bool match_ts_reply(uint32_t payload, uint32_t len) { + + /* Payload is random, but we could add rules to return false + * if the payload is 00000000 or ffffffff (or any other clearly + * intentional pattern), if this is generating FPs. + */ + + /* Lower path MTUs would affect this number, but let's concentrate + * on getting the lowest hanging fruit for now. + */ + if (len == 1460 || len == 1406 || len == 1356) { + return true; + } + + /* 503 is also a common length? also seen 501 and 507 occasionally.. */ + if (len == 503) { + return true; + } + + /* Starting to see a bit of variation in reply sizes now :/ */ + if (len >= 678 && len <= 688) { + return true; + } + + return false; + +} + +static inline bool match_transocks(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_ts_23(data->payload[0], data->payload_len[0])) { + if (match_ts_reply(data->payload[1], data->payload_len[1])) { + return true; + } + } + + if (match_ts_23(data->payload[0], data->payload_len[0])) { + if (match_ts_reply(data->payload[1], data->payload_len[1])) { + return true; + } + } + + return false; +} + +static lpi_module_t lpi_transocks = { + LPI_PROTO_TRANSOCKS, + LPI_CATEGORY_TUNNELLING, + "Transocks", + 240, + match_transocks +}; + +void register_transocks(LPIModuleMap *mod_map) { + register_protocol(&lpi_transocks, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_trion.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_trion.cc new file mode 100644 index 0000000..6177e49 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_trion.cc @@ -0,0 +1,125 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Trion - publisher of F2P online games e.g. Archeage, Trove, etc. + * + * For now, I'm just going to group all Trion's games into a single "protocol" + * as I doubt there is much need to make a distinction. + */ + +/* This is probably a length field */ +static inline bool match_trion_29(uint32_t payload, uint32_t len) { + if (len != 29) + return false; + if (!MATCH(payload, 0x18, 0x00, 0x00, 0x00)) + return false; + return true; + +} + +/* This is probably a length field */ +static inline bool match_trion_23(uint32_t payload, uint32_t len) { + if (len != 23) + return false; + if (!MATCH(payload, 0x12, 0x00, 0x00, 0x00)) + return false; + return true; + +} + +static inline bool match_trion_37(uint32_t payload, uint32_t len) { + + if (len == 37 && MATCH(payload, 0x20, 0x00, 0x00, 0x00)) + return true; + return false; + +} + +static inline bool match_trion_1c(uint32_t payload, uint32_t len) { + if (len == 263 && MATCH(payload, 0x1c, 0x80, 0x20, 0x00)) + return true; + return false; +} + +static inline bool match_trion_2080(uint32_t payload, uint32_t len) { + if (len == 263 && MATCH(payload, 0x20, 0x80, 0x20, 0x00)) + return true; + return false; +} + +static inline bool match_trion(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* We can also try to limit to port 6560 and 37000-37100, if + * necessary */ + + if (match_trion_29(data->payload[0], data->payload_len[0])) { + if (match_trion_23(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_trion_29(data->payload[1], data->payload_len[1])) { + if (match_trion_23(data->payload[0], data->payload_len[0])) + return true; + } + + /* RIFT and Defiance require TCP port 6540 and 50000 and use a + * different payload pattern */ + if (match_trion_1c(data->payload[0], data->payload_len[0])) { + if (match_trion_2080(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_trion_1c(data->payload[1], data->payload_len[1])) { + if (match_trion_2080(data->payload[0], data->payload_len[0])) + return true; + } + + if (match_trion_37(data->payload[0], data->payload_len[0])) { + if (match_trion_37(data->payload[1], data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_trion = { + LPI_PROTO_TRION, + LPI_CATEGORY_GAMING, + "TrionGames", + 8, + match_trion +}; + +void register_trion(LPIModuleMap *mod_map) { + register_protocol(&lpi_trion, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_trojan_win32_generic_sb.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_trojan_win32_generic_sb.cc new file mode 100644 index 0000000..f7e307d --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_trojan_win32_generic_sb.cc @@ -0,0 +1,98 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_socks_response(uint32_t payload, uint32_t len) { + + if (len == 3 && MATCH(payload, 0x05, 0x01, 0x00, 0x00)) + return true; + if (len == 9 && MATCH(payload, 0x04, 0x01, 0x00, 0x19)) + return true; + return false; + +} + +static inline bool match_trojan_request(uint32_t payload, uint32_t len) { + + /* This is the typical request packet sent to the SOCKS server + * that the infected machines connect to */ + if (len != 5) + return false; + if (!MATCH(payload, ANY, ANY, 0x00, 0x00)) + return false; + return true; +} + +static inline bool match_trojan_other(uint32_t payload, uint32_t len) { + + /* Occasionally, the infected machine and the SOCKS server + * exchange packets that have this payload */ + if (!MATCH(payload, 0x01, 0x38, 0x71, 0x74)) + return false; + + return true; + +} + +static inline bool match_trojan_win32_generic_sb(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 3000 && data->client_port != 3000) + return false; + + if (match_trojan_other(data->payload[0], data->payload_len[0])) { + if (match_trojan_other(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_socks_response(data->payload[0], data->payload_len[0])) { + if (match_trojan_request(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_socks_response(data->payload[1], data->payload_len[1])) { + if (match_trojan_request(data->payload[0], data->payload_len[0])) + return true; + } + return false; +} + +static lpi_module_t lpi_trojan_win32_generic_sb = { + LPI_PROTO_TROJAN_WIN32_GENERIC_SB, + LPI_CATEGORY_MALWARE, + "Trojan.Win32.Generic!SB", + 10, + match_trojan_win32_generic_sb +}; + +void register_trojan_win32_generic_sb(LPIModuleMap *mod_map) { + register_protocol(&lpi_trojan_win32_generic_sb, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_trojan_zeroaccess.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_trojan_zeroaccess.cc new file mode 100644 index 0000000..03c666d --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_trojan_zeroaccess.cc @@ -0,0 +1,81 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_zeroaccess_in(uint32_t payload, uint32_t len) { + + if (len != 20) + return false; + if (!MATCH(payload, 0xe5, 0xaa, 0xc0, 0x31)) + return false; + return true; + +} + +static inline bool match_zeroaccess_out(uint32_t payload, uint32_t len) { + + if (len == 0) + return true; + if (!MATCH(payload, 0xe5, 0xaa, 0xc0, 0x31)) + return false; + return true; + +} + +static inline bool match_trojan_zeroaccess(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* More info on this trojan can be found at + * http://www.antivirus365.org/PCAntivirus/43465.html */ + + if (match_zeroaccess_in(data->payload[0], data->payload_len[0])) { + if (match_zeroaccess_out(data->payload[1], data->payload_len[1])) + return true; + } + if (match_zeroaccess_in(data->payload[1], data->payload_len[1])) { + if (match_zeroaccess_out(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_trojan_zeroaccess = { + LPI_PROTO_TROJAN_ZEROACCESS, + LPI_CATEGORY_MALWARE, + "TrojanZeroAccess", + 10, + match_trojan_zeroaccess +}; + +void register_trojan_zeroaccess(LPIModuleMap *mod_map) { + register_protocol(&lpi_trojan_zeroaccess, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_twitcasting.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_twitcasting.cc new file mode 100644 index 0000000..3769bed --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_twitcasting.cc @@ -0,0 +1,81 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Live self-streaming protocol, popular in Japan */ + +static inline bool match_tc_get(uint32_t payload) { + /* Yes, they have managed to co-opt "GET" for this protocol */ + + if (MATCH(payload, 'G', 'E', 'T', 0x20)) + return true; + return false; +} + +static inline bool match_tc_reply(uint32_t payload, uint32_t len) { + + /* Possible that bytes 3 and 4 are a length field? */ + + if (len == 19 && MATCH(payload, 'T', 'C', 0x0c, 0x00)) + return true; + return false; + +} + +static inline bool match_twitcasting(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Can use port 8094 if we need to */ + + if (match_tc_get(data->payload[0])) { + if (match_tc_reply(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_tc_get(data->payload[0])) { + if (match_tc_reply(data->payload[1], data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_twitcasting = { + LPI_PROTO_TWITCASTING, + LPI_CATEGORY_STREAMING, + "TwitCasting", + 25, /* Should definitely be higher than HTTP */ + match_twitcasting +}; + +void register_twitcasting(LPIModuleMap *mod_map) { + register_protocol(&lpi_twitcasting, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_twitch_irc.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_twitch_irc.cc new file mode 100644 index 0000000..178505a --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_twitch_irc.cc @@ -0,0 +1,79 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Twitch IRC expects the use of a CAP command to check for membership lists. + * The response will begin with :tmi.twitch.tv, regardless of what the + * result of the CAP command is. + */ + +static inline bool match_twitch_cap(uint32_t payload) { + if (MATCH(payload, 'C', 'A', 'P', 0x20)) + return true; + return false; +} + +static inline bool match_twitch_tmi(uint32_t payload) { + if (MATCH(payload, ':', 't', 'm', 'i')) + return true; + return false; +} + + +static inline bool match_twitch_irc(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_twitch_cap(data->payload[1])) { + if (match_twitch_tmi(data->payload[0])) { + return true; + } + } + + if (match_twitch_cap(data->payload[0])) { + if (match_twitch_tmi(data->payload[1])) { + return true; + } + } + + return false; +} + +static lpi_module_t lpi_twitch_irc = { + LPI_PROTO_TWITCH_IRC, + LPI_CATEGORY_CHAT, + "TwitchIRC", + 5, + match_twitch_irc +}; + +void register_twitch_irc(LPIModuleMap *mod_map) { + register_protocol(&lpi_twitch_irc, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_utherverse.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_utherverse.cc new file mode 100644 index 0000000..cbd9958 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_utherverse.cc @@ -0,0 +1,93 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Virtual world a la Second Life, but even more targeted towards virtual sex */ + +static inline bool match_uther_21(uint32_t payload, uint32_t len) { + if (len == 21 && MATCH(payload, 0x11, 0x00, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_uther_other(uint32_t payload, uint32_t len) { + + /* It's a length field, but in little endian */ + /* Max length appears to be hard-coded to 1350 */ + + if (len > 1350) { + return false; + } else if (len == 1350) { + if (MATCH(payload, ANY, ANY, 0x00, 0x00)) { + if (!MATCH(payload, ANY, 0x00, 0x00, 0x00)) + return true; + } + } else { + if (bswap_le_to_host32(payload) == len + 4) { + return true; + } + } + + return false; +} + +static inline bool match_utherverse(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 4991 && data->client_port != 4991) { + return false; + } + + if (match_uther_21(data->payload[0], data->payload_len[0])) { + if (match_uther_other(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_uther_21(data->payload[1], data->payload_len[1])) { + if (match_uther_other(data->payload[0], data->payload_len[0])) + return true; + } + + + return false; +} + +static lpi_module_t lpi_utherverse = { + LPI_PROTO_UTHERVERSE, + LPI_CATEGORY_GAMING, + "Utherverse", + 200, + match_utherverse +}; + +void register_utherverse(LPIModuleMap *mod_map) { + register_protocol(&lpi_utherverse, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_vainglory.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_vainglory.cc new file mode 100644 index 0000000..7b1e76a --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_vainglory.cc @@ -0,0 +1,81 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Vainglory -- MOBA for touch screens */ + +static inline bool match_vg_req(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 0x00, 0x86, 0x00, 0x05) && len == 136) + return true; + if (MATCH(payload, 0x00, 0x86, 0x00, 0x06) && len == 136) + return true; + return false; + +} + +static inline bool match_vg_resp(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 0x00, 0x03, 0x00, 0x07) && len == 5) + return true; + if (MATCH(payload, 0x00, 0x03, 0x00, 0x06) && len == 5) + return true; + return false; + +} + +static inline bool match_vainglory(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_vg_req(data->payload[0], data->payload_len[0])) { + if (match_vg_resp(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_vg_req(data->payload[1], data->payload_len[1])) { + if (match_vg_resp(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_vainglory = { + LPI_PROTO_VAINGLORY, + LPI_CATEGORY_GAMING, + "Vainglory", + 5, + match_vainglory +}; + +void register_vainglory(LPIModuleMap *mod_map) { + register_protocol(&lpi_vainglory, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_vhdp2p.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_vhdp2p.cc new file mode 100644 index 0000000..a4d49f9 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_vhdp2p.cc @@ -0,0 +1,62 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_vhd(uint32_t payload, uint32_t len) { + if (MATCH(payload, 0x13, 'v', 'h', 'd') && len < 150) { + return true; + } + return false; +} + +static inline bool match_vhdp2p(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_vhd(data->payload[0], data->payload_len[0])) { + if (match_vhd(data->payload[1], data->payload_len[1])) { + return true; + } + } + + return false; +} + +static lpi_module_t lpi_vhdp2p = { + LPI_PROTO_VHDP2P, + LPI_CATEGORY_P2P, + "VHD_P2P", + 7, + match_vhdp2p +}; + +void register_vhdp2p(LPIModuleMap *mod_map) { + register_protocol(&lpi_vhdp2p, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_viber.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_viber.cc new file mode 100644 index 0000000..eaee6ac --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_viber.cc @@ -0,0 +1,128 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* I'm fairly confident this is viber - uses port 5242, destination is an + * Amazon AWS server. Hard to test because capturing mobile traffic is much + * trickier than capturing a desktop app */ + +static inline bool match_viber_in(uint32_t payload, uint32_t len) { + + /* First two bytes are length, but we only support one packet + * type right now anyway */ + + if (len != 24) + return false; + if (MATCH(payload, 0x18, 0x00, 0x00, 0x00)) + return true; + return false; + +} + +static inline bool match_viber_4244_req(uint32_t payload, uint32_t len) { + + if (len == 96 && MATCH(payload, 0x60, 0x00, 0x00, 0x00)) + return true; + return false; + +} + +static inline bool match_viber_4244_resp(uint32_t payload, uint32_t len) { + + if (len == 56 && MATCH(payload, 0x38, 0x00, ANY, 0x04)) + return true; + if (len == 56 && MATCH(payload, 0x38, 0x00, ANY, 0x05)) + return true; + return false; + +} + +static inline bool match_viber_out(uint32_t payload, uint32_t len) { + + /* Again, bytes 1 and 2 are the length */ + if (len != 154) + return false; + if (MATCH(payload, 0x9a, 0x00, ANY, 0x00)) + return true; + return false; + +} + +static inline bool match_viber(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Could enforce port 5242 if we're getting false positives */ + + if (match_viber_in(data->payload[0], data->payload_len[0])) { + if (match_viber_out(data->payload[1], data->payload_len[1])) { + return true; + } + if (data->payload_len[1] == 0) { + if (data->server_port == 5242 || data->client_port == 5242) + return true; + } + } + + if (match_viber_in(data->payload[1], data->payload_len[1])) { + if (match_viber_out(data->payload[0], data->payload_len[0])) { + return true; + } + if (data->payload_len[0] == 0) { + if (data->server_port == 5242 || data->client_port == 5242) + return true; + } + } + + /* Seen on port 4244 */ + + if (match_viber_4244_req(data->payload[0], data->payload_len[0])) { + if (match_viber_4244_resp(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_viber_4244_req(data->payload[1], data->payload_len[1])) { + if (match_viber_4244_resp(data->payload[0], data->payload_len[0])) + return true; + } + return false; +} + +static lpi_module_t lpi_viber = { + LPI_PROTO_VIBER, + LPI_CATEGORY_VOIP, + "Viber", + 9, + match_viber +}; + +void register_viber(LPIModuleMap *mod_map) { + register_protocol(&lpi_viber, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_vmware.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_vmware.cc new file mode 100644 index 0000000..815894d --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_vmware.cc @@ -0,0 +1,76 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_vmware_banner(uint32_t payload) { + if (MATCH(payload, '2', '2', '0', 0x20)) + return true; + return false; +} + +static inline bool match_vmware_ssl(uint32_t payload) { + if (MATCH(payload, 0x16, 0x03, 0x01, 0x00)) + return true; + return false; +} + +static inline bool match_vmware(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Require port 902 to avoid confusion with other SSL or "220 " + * protocols */ + if (data->server_port != 902 && data->client_port != 902) + return false; + + if (match_vmware_banner(data->payload[0])) { + if (match_vmware_ssl(data->payload[1])) + return true; + } + + if (match_vmware_banner(data->payload[1])) { + if (match_vmware_ssl(data->payload[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_vmware = { + LPI_PROTO_VMWARE, + LPI_CATEGORY_CLOUD, + "VMWare", + 125, + match_vmware +}; + +void register_vmware(LPIModuleMap *mod_map) { + register_protocol(&lpi_vmware, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_vodlocker.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_vodlocker.cc new file mode 100644 index 0000000..4ce07f0 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_vodlocker.cc @@ -0,0 +1,71 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Vodlocker is basically HTTP, but it uses a non-standard port (8777) and + * the capitalisation on the HTTP responses can be a bit inconsistent. + * Rather than pollute HTTP with this crap, I think we can get away with + * having a separate rule for it */ + +static inline bool match_vodlocker(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 8777 && data->client_port != 8777) + return false; + + if (MATCH(data->payload[0], 'G', 'E', 'T', 0x20)) { + if (MATCH(data->payload[1], 'H', 't', 'T', 'P')) + return true; + if (MATCH(data->payload[1], 'H', 'T', 'T', 'P')) + return true; + } + + if (MATCH(data->payload[1], 'G', 'E', 'T', 0x20)) { + if (MATCH(data->payload[0], 'H', 't', 'T', 'P')) + return true; + if (MATCH(data->payload[0], 'H', 'T', 'T', 'P')) + return true; + } + + return false; +} + +static lpi_module_t lpi_vodlocker = { + LPI_PROTO_VODLOCKER, + LPI_CATEGORY_WEB, + "Vodlocker", + 100, + match_vodlocker +}; + +void register_vodlocker(LPIModuleMap *mod_map) { + register_protocol(&lpi_vodlocker, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_vpnrobot_tcp.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_vpnrobot_tcp.cc new file mode 100644 index 0000000..cb2f0fa --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_vpnrobot_tcp.cc @@ -0,0 +1,84 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_um(uint32_t payload, uint32_t len) { + + /* First two bytes are a length field */ + uint32_t hlen = ntohl(payload) >> 16; + + if (hlen == len - 2) { + if (MATCH(payload, ANY, ANY, 'U', 'M')) + return true; + } + return false; +} + +static inline bool match_2byte_reply(uint32_t payload, uint32_t len) { + + if (len == 2 && MATCH(payload, 0x00, 0x0e, 0x00, 0x00)) + return true; + return false; + +} + +static inline bool match_vpnrobot_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Don't have any examples of a successful connection to a VPN + * server yet, which may look a little different */ + + /* Commonly seen on ports 66 and 119 */ + + if (match_um(data->payload[0], data->payload_len[0])) { + if (match_2byte_reply(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_um(data->payload[1], data->payload_len[1])) { + if (match_2byte_reply(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_vpnrobot_tcp = { + LPI_PROTO_VPNROBOT, + LPI_CATEGORY_TUNNELLING, + "VPNRobot", + 55, + match_vpnrobot_tcp +}; + +void register_vpnrobot_tcp(LPIModuleMap *mod_map) { + register_protocol(&lpi_vpnrobot_tcp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_vpnunlimited_tcp.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_vpnunlimited_tcp.cc new file mode 100644 index 0000000..fc7c41f --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_vpnunlimited_tcp.cc @@ -0,0 +1,78 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Custom VPN protocol used by VPN Unlimited -- OpenVPN is the default, but + * this is also offered for "ultimate security" (at some performance cost). + */ + +/* Looks like first 2 bytes are a length field */ + +static inline bool match_vpn_req(uint32_t payload, uint32_t len) { + if (len == 44 && MATCH(payload, 0x00, 0x2a, 0x5e, 0x4d)) + return true; + return false; +} + +static inline bool match_vpn_resp(uint32_t payload, uint32_t len) { + if (len == 56 && MATCH(payload, 0x00, 0x36, 0x26, 0x51)) + return true; + return false; +} + +static inline bool match_vpnunlimited_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Always seen on port 443 */ + if (match_vpn_req(data->payload[0], data->payload_len[0])) { + if (match_vpn_resp(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_vpn_req(data->payload[1], data->payload_len[1])) { + if (match_vpn_resp(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_vpnunlimited_tcp = { + LPI_PROTO_VPN_UNLIMITED, + LPI_CATEGORY_TUNNELLING, + "VPNUnlimitedTCP", + 10, + match_vpnunlimited_tcp +}; + +void register_vpnunlimited_tcp(LPIModuleMap *mod_map) { + register_protocol(&lpi_vpnunlimited_tcp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_warcraft3.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_warcraft3.cc new file mode 100644 index 0000000..afd9e5e --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_warcraft3.cc @@ -0,0 +1,68 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_warcraft3(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Warcraft 3 packets all begin with 0xf7 */ + if (!MATCH(data->payload[0], 0xf7, ANY, ANY, ANY) || + !MATCH(data->payload[1], 0xf7, ANY, ANY, ANY)) + return false; + + if (match_chars_either(data, 0xf7, 0x37, 0x12, 0x00)) + return true; + /* Another Warcraft 3 example added by Donald Neal */ + if (match_chars_either(data, 0xf7, 0x1e, ANY, 0x00)) + return true; + + + /* XXX - I have my doubts about these rules */ +#if 0 + if (match_chars_either(proto_d, 0xf7, 0xf7, ANY, ANY)) + return LPI_PROTO_WARCRAFT3; +#endif + + + return false; +} + +static lpi_module_t lpi_warcraft3 = { + LPI_PROTO_WARCRAFT3, + LPI_CATEGORY_GAMING, + "Warcraft3", + 5, /* I'm a bit dubious about the value of this rule */ + match_warcraft3 +}; + +void register_warcraft3(LPIModuleMap *mod_map) { + register_protocol(&lpi_warcraft3, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_web_junk.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_web_junk.cc new file mode 100644 index 0000000..1f54312 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_web_junk.cc @@ -0,0 +1,69 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_web_junk(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Connections to web servers where the client clearly is not + * speaking HTTP. + * + * XXX Check flows matching this occasionally for new HTTP request + * types that we've missed :( + */ + if (data->payload_len[0] == 0 || data->payload_len[1] == 0) + return false; + + if (!match_http_request(data->payload[0], data->payload_len[0])) { + if (MATCHSTR(data->payload[1], "HTTP")) + return true; + } + + if (!match_http_request(data->payload[1], data->payload_len[1])) { + if (MATCHSTR(data->payload[0], "HTTP")) + return true; + } + + + return false; +} + +static lpi_module_t lpi_web_junk = { + LPI_PROTO_WEB_JUNK, + LPI_CATEGORY_MIXED, + "Web_Junk", + 210, + match_web_junk +}; + +void register_web_junk(LPIModuleMap *mod_map) { + register_protocol(&lpi_web_junk, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_webex_stun.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_webex_stun.cc new file mode 100644 index 0000000..33560b9 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_webex_stun.cc @@ -0,0 +1,87 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Bastardization of the STUN protocol used by Cisco Webex */ + +static inline bool match_webex_req(uint32_t payload, uint32_t len) { + + if (len == 28 && MATCH(payload, 0x00, 0x03, 0x00, 0x08)) { + return true; + } + + return false; +} + +static inline bool match_webex_resp(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 0x01, 0x13, 0x00, ANY)) { + if ((ntohl(payload) & 0x0000ffff) == len - 20) + return true; + } + + return false; +} + +static inline bool match_webex_stun(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 80 && data->client_port != 80) { + return false; + } + + if (match_webex_req(data->payload[0], data->payload_len[0])) { + if (match_webex_resp(data->payload[1], data->payload_len[1])) { + return true; + } + } + + if (match_webex_req(data->payload[1], data->payload_len[1])) { + if (match_webex_resp(data->payload[0], data->payload_len[0])) { + return true; + } + } + + + return false; +} + +static lpi_module_t lpi_webex_stun = { + LPI_PROTO_WEBEX_STUN, + LPI_CATEGORY_TUNNELLING, + "WebexSTUN", + 140, + match_webex_stun +}; + +void register_webex_stun(LPIModuleMap *mod_map) { + register_protocol(&lpi_webex_stun, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_weblogic.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_weblogic.cc new file mode 100644 index 0000000..fc82d72 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_weblogic.cc @@ -0,0 +1,69 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_weblogic(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* T3 is the protocol used by Weblogic, a Java application server */ + + /* sa is the admin username for MSSQL databases */ + if (MATCH(data->payload[1], 0x00, 0x02, 's', 'a')) { + if (match_payload_length(data->payload[0], + data->payload_len[0])) + return true; + if (data->client_port == 7001 || data->server_port == 7001) + return true; + } + + if (MATCH(data->payload[0], 0x00, 0x02, 's', 'a')) { + if (match_payload_length(data->payload[1], + data->payload_len[1])) + return true; + if (data->client_port == 7001 || data->server_port == 7001) + return true; + } + + + return false; +} + +static lpi_module_t lpi_weblogic = { + LPI_PROTO_WEBLOGIC, + LPI_CATEGORY_DATABASES, + "Weblogic", + 8, + match_weblogic +}; + +void register_weblogic(LPIModuleMap *mod_map) { + register_protocol(&lpi_weblogic, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_wechat.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_wechat.cc new file mode 100644 index 0000000..9784355 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_wechat.cc @@ -0,0 +1,209 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_wc_pair(uint32_t payloada, uint32_t lena, + uint32_t payloadb, uint32_t lenb) { + + if (lena == 16 && MATCH(payloada, 0x00, 0x00, 0x00, 0x10)) { + if (lenb == 16 && MATCH(payloadb, 0x00, 0x00, 0x00, 0x10)) + return true; + if (lenb == 18 && MATCH(payloadb, 0x00, 0x00, 0x00, 0x12)) + return true; + } + + if (lena == 21 && MATCH(payloada, 0x00, 0x00, 0x00, 0x15)) { + if (lenb == 25 && MATCH(payloadb, 0x00, 0x00, 0x00, 0x19)) + return true; + if (lenb == 21 && MATCH(payloadb, 0x00, 0x00, 0x00, 0x15)) + return true; + } + + return false; + + +} + +static inline bool match_wc_ab_request(uint32_t payload, uint32_t len) { + /* This is 0xab, followed by 4 bytes of length for the first + * packet. + */ + + if (len <= 255 && MATCH(payload, 0xab, 0x00, 0x00, 0x00)) + return true; + + if (MATCH(payload, 0xab, 0x00, 0x00, 0x01)) + return true; + return false; + +} + +static inline bool match_wc_ab_big02(uint32_t payload, uint32_t len) { + /* again 0xab followed by length, except this time the length is + * for the entire flow. + */ + if (len < 255) + return false; + + /* Flows are unlikely to need a full 4 bytes for length so I'm + * going to stick 0x00 or 0x01 in the top byte for now */ + if (MATCH(payload, 0xab, 0x00, ANY, ANY)) { + return true; + } + if (MATCH(payload, 0xab, 0x01, ANY, ANY)) { + return true; + } + return false; + +} + +static inline bool match_wc_ab_big01(uint32_t payload, uint32_t len) { + + if (len < 100) + return false; + if (len <= 255 && MATCH(payload, 0xab, 0x00, 0x00, 0x00)) + return true; + if (len > 255 && len < 512 && MATCH(payload, 0xab, 0x00, 0x00, 0x01)) + return true; + if (len >= 512 && len < 768 && MATCH(payload, 0xab, 0x00, 0x00, 0x02)) + return true; + if (len >= 768 && len < 1024 && MATCH(payload, 0xab, 0x00, 0x00, 0x03)) + return true; + return false; +} + +static inline bool match_wc_ab_reply(uint32_t payload, uint32_t len) { + /* All replies appear to be 41 or 53 bytes */ + + if (len != 41 && len != 53) + return false; + + if (MATCH(payload, 0xab, 0x00, 0x00, 0x00)) + return true; + return false; + +} + +/* This appears to be some sort of SSL ripoff */ +static inline bool match_wc_ssl_111(uint32_t payload, uint32_t len) { + if (len == 111 && MATCH(payload, 0x16, 0xf1, 0x03, 0x00)) + return true; + return false; +} + +static inline bool match_wc_ssl_166(uint32_t payload, uint32_t len) { + if (len == 166 && MATCH(payload, 0x16, 0xf1, 0x03, 0x00)) + return true; + return false; +} + + +static inline bool match_wechat(lpi_data_t *data, lpi_module_t *mod UNUSED) { + bool valid_port = false; + + /* WeChat begins with a very simple 4 byte length field. + * This is not unique to WeChat though, so we need to be careful. + */ + + /* Only observed on port 80, 443, 14000, 10001 or 8080. Because the payload + * signature is not entirely unique to WeChat, let's restrict matches + * to flows using those ports unless it shows up on other ports. + */ + if (data->server_port == 80 || data->client_port == 80) + valid_port = true; + if (data->server_port == 8080 || data->client_port == 8080) + valid_port = true; + if (data->server_port == 443 || data->client_port == 443) + valid_port = true; + if (data->server_port == 14000 || data->client_port == 14000) + valid_port = true; + if (data->server_port == 10001 || data->client_port == 10001) + valid_port = true; + + if (!valid_port) + return false; + + if (match_wc_pair(data->payload[0], data->payload_len[0], + data->payload[1], data->payload_len[1])) { + return true; + } + + if (match_wc_pair(data->payload[1], data->payload_len[1], + data->payload[0], data->payload_len[0])) { + return true; + } + + if (match_wc_ab_request(data->payload[0], data->payload_len[0])) { + if (match_wc_ab_reply(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_wc_ab_request(data->payload[1], data->payload_len[1])) { + if (match_wc_ab_reply(data->payload[0], data->payload_len[0])) + return true; + } + + if (match_wc_ab_big01(data->payload[0], data->payload_len[0])) { + if (match_wc_ab_big02(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_wc_ab_big01(data->payload[1], data->payload_len[1])) { + if (match_wc_ab_big02(data->payload[0], data->payload_len[0])) + return true; + } + + if (match_wc_ssl_111(data->payload[0], data->payload_len[0])) { + if (match_wc_ssl_166(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_wc_ssl_111(data->payload[1], data->payload_len[1])) { + if (match_wc_ssl_166(data->payload[0], data->payload_len[0])) + return true; + } + + return false; + +} + +static lpi_module_t lpi_wechat = { + LPI_PROTO_WECHAT, + LPI_CATEGORY_CHAT, + "WeChat", + 10, + match_wechat +}; + +void register_wechat(LPIModuleMap *mod_map) { + register_protocol(&lpi_wechat, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_weibo.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_weibo.cc new file mode 100644 index 0000000..ab4fe14 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_weibo.cc @@ -0,0 +1,86 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_weibo_req(uint32_t payload, uint32_t len) { + + if (len < 230) + return false; + + if (payload + 4 == len) + return true; + return false; + +} + + +static inline bool match_weibo_resp(uint32_t payload, uint32_t len) { + + if (len == 0) + return true; + if (len == 30 && MATCH(payload, 0x1a, 0x00, 0x00, 0x00)) + return true; + if (len == 37 && MATCH(payload, 0x21, 0x00, 0x00, 0x00)) + return true; + return false; + +} + +static inline bool match_weibo(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 8080 && data->client_port != 8080) + return false; + + if (match_weibo_req(data->payload[0], data->payload_len[0])) { + if (match_weibo_resp(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_weibo_req(data->payload[1], data->payload_len[1])) { + if (match_weibo_resp(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_weibo = { + LPI_PROTO_WEIBO, + LPI_CATEGORY_CHAT, + "Weibo", + 15, + match_weibo +}; + +void register_weibo(LPIModuleMap *mod_map) { + register_protocol(&lpi_weibo, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_weiqi.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_weiqi.cc new file mode 100644 index 0000000..f272d1c --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_weiqi.cc @@ -0,0 +1,76 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* AKA Fox Go -- Multiplayer Go client included with QQ Games */ + +static inline bool match_weiqi_tgw(uint32_t payload, uint32_t len) { + if (len == 43 && MATCH(payload, 't', 'g', 'w', '_')) + return true; + return false; +} + +static inline bool match_weiqi_other(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 0x00, 0x0e, 0x0f, 0xa5)) + return true; + return false; +} + +static inline bool match_weiqi(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Port 8000 */ + + if (match_weiqi_tgw(data->payload[0], data->payload_len[0])) { + if (match_weiqi_other(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_weiqi_tgw(data->payload[1], data->payload_len[1])) { + if (match_weiqi_other(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_weiqi = { + LPI_PROTO_WEIQI, + LPI_CATEGORY_GAMING, + "WeiqiQQ", + 20, + match_weiqi +}; + +void register_weiqi(LPIModuleMap *mod_map) { + register_protocol(&lpi_weiqi, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_whatsapp.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_whatsapp.cc new file mode 100644 index 0000000..5041615 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_whatsapp.cc @@ -0,0 +1,149 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_wa_first(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 'W', 'A', 0x01, 0x02)) + return true; + if (MATCH(payload, 'W', 'A', 0x01, 0x05)) + return true; + + if (len == 1 && MATCH(payload, 'W', 0x00, 0x00, 0x00)) + return true; + return false; + +} + +static inline bool match_wa_first_20(uint32_t payload, uint32_t len) { + /* New protocol version? 2.0? */ + if (MATCH(payload, 'W', 'A', 0x02, 0x00)) + return true; + if (len == 1 && MATCH(payload, 'W', 0x00, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_ed_first(uint32_t payload, uint32_t len) { + if (MATCH(payload, 'E', 'D', 0x00, 0x01)) + return true; + if (len == 1 && MATCH(payload, 'E', 0x00, 0x00, 0x00)) + return true; + return false; +} + + +static inline bool match_wa_second(uint32_t payload, uint32_t len) { + if (len == 0) + return true; + + if (MATCH(payload, 0x00, 0x00, 0x05, 0xf8)) + return true; + return false; +} + +static inline bool match_wa_second_20(uint32_t payload, uint32_t len) { + uint32_t walen = ntohl(payload) >> 8; + + if (len == 0) + return true; + + if (walen == len - 3) { + if (MATCH(payload, ANY, ANY, ANY, 0x1a)) + return true; + } + + return false; +} + +static inline bool match_wa_fixed_second(uint32_t payload) { + if (MATCH(payload, 0x00, 0x00, 0x36, 0x1a)) { + return true; + } + return false; +} + +static inline bool match_whatsapp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* WhatsApp uses a modified form of XMPP and typically runs on + * either port 443 or 5222 + */ + + if (match_wa_first(data->payload[0], data->payload_len[0])) { + if (match_wa_second(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_wa_first(data->payload[1], data->payload_len[1])) { + if (match_wa_second(data->payload[0], data->payload_len[0])) + return true; + } + + if (match_wa_first_20(data->payload[0], data->payload_len[0])) { + if (match_wa_second_20(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_wa_first_20(data->payload[1], data->payload_len[1])) { + if (match_wa_second_20(data->payload[0], data->payload_len[0])) + return true; + } + + if (match_ed_first(data->payload[0], data->payload_len[0])) { + if (match_wa_second_20(data->payload[1], data->payload_len[1])) + return true; + if (match_wa_fixed_second(data->payload[1])) + return true; + } + + if (match_ed_first(data->payload[1], data->payload_len[1])) { + if (match_wa_second_20(data->payload[0], data->payload_len[0])) + return true; + if (match_wa_fixed_second(data->payload[0])) + return true; + } + + return false; + +} + +static lpi_module_t lpi_whatsapp = { + LPI_PROTO_WHATSAPP, + LPI_CATEGORY_CHAT, + "WhatsApp", + 4, + match_whatsapp +}; + +void register_whatsapp(LPIModuleMap *mod_map) { + register_protocol(&lpi_whatsapp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_whois.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_whois.cc new file mode 100644 index 0000000..f27c60b --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_whois.cc @@ -0,0 +1,237 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_dot_second(uint32_t payload) { + if (MATCH(payload, ANY, '.', ANY, ANY)) + return true; + return false; +} + +static inline bool match_dot_third(uint32_t payload) { + if (MATCH(payload, ANY, ANY, '.', ANY)) + return true; + return false; +} + +static inline bool match_dot_last(uint32_t payload) { + if (MATCH(payload, ANY, ANY, ANY, '.')) + return true; + return false; +} + +static inline bool match_digit_first(uint32_t payload) { + + if (MATCH(payload, '1', ANY, ANY, ANY)) + return true; + if (MATCH(payload, '2', ANY, ANY, ANY)) + return true; + if (MATCH(payload, '3', ANY, ANY, ANY)) + return true; + if (MATCH(payload, '4', ANY, ANY, ANY)) + return true; + if (MATCH(payload, '5', ANY, ANY, ANY)) + return true; + if (MATCH(payload, '6', ANY, ANY, ANY)) + return true; + if (MATCH(payload, '7', ANY, ANY, ANY)) + return true; + if (MATCH(payload, '8', ANY, ANY, ANY)) + return true; + if (MATCH(payload, '9', ANY, ANY, ANY)) + return true; + if (MATCH(payload, '0', ANY, ANY, ANY)) + return true; + return false; +} + +static inline bool match_digit_second(uint32_t payload) { + + if (MATCH(payload, ANY, '1', ANY, ANY)) + return true; + if (MATCH(payload, ANY, '2', ANY, ANY)) + return true; + if (MATCH(payload, ANY, '3', ANY, ANY)) + return true; + if (MATCH(payload, ANY, '4', ANY, ANY)) + return true; + if (MATCH(payload, ANY, '5', ANY, ANY)) + return true; + if (MATCH(payload, ANY, '6', ANY, ANY)) + return true; + if (MATCH(payload, ANY, '7', ANY, ANY)) + return true; + if (MATCH(payload, ANY, '8', ANY, ANY)) + return true; + if (MATCH(payload, ANY, '9', ANY, ANY)) + return true; + if (MATCH(payload, ANY, '0', ANY, ANY)) + return true; + return false; +} + +static inline bool match_digit_third(uint32_t payload) { + + if (MATCH(payload, ANY, ANY, '1', ANY)) + return true; + if (MATCH(payload, ANY, ANY, '2', ANY)) + return true; + if (MATCH(payload, ANY, ANY, '3', ANY)) + return true; + if (MATCH(payload, ANY, ANY, '4', ANY)) + return true; + if (MATCH(payload, ANY, ANY, '5', ANY)) + return true; + if (MATCH(payload, ANY, ANY, '6', ANY)) + return true; + if (MATCH(payload, ANY, ANY, '7', ANY)) + return true; + if (MATCH(payload, ANY, ANY, '8', ANY)) + return true; + if (MATCH(payload, ANY, ANY, '9', ANY)) + return true; + if (MATCH(payload, ANY, ANY, '0', ANY)) + return true; + return false; +} + +static inline bool match_digit_last(uint32_t payload) { + + if (MATCH(payload, ANY, ANY, ANY, '1')) + return true; + if (MATCH(payload, ANY, ANY, ANY, '2')) + return true; + if (MATCH(payload, ANY, ANY, ANY, '3')) + return true; + if (MATCH(payload, ANY, ANY, ANY, '4')) + return true; + if (MATCH(payload, ANY, ANY, ANY, '5')) + return true; + if (MATCH(payload, ANY, ANY, ANY, '6')) + return true; + if (MATCH(payload, ANY, ANY, ANY, '7')) + return true; + if (MATCH(payload, ANY, ANY, ANY, '8')) + return true; + if (MATCH(payload, ANY, ANY, ANY, '9')) + return true; + if (MATCH(payload, ANY, ANY, ANY, '0')) + return true; + return false; +} + +static inline bool match_ipv4_text(uint32_t payload) { + + /* Gotta start with a digit */ + if (!match_digit_first(payload)) + return false; + + /* Matching the case 1.XX */ + if (match_dot_second(payload)) { + /* Can't have two dots in a row */ + if (!match_digit_third(payload)) + return false; + + /* We can have either two digits, e.g. 1.45 */ + if (match_digit_last(payload)) + return true; + /* Or a another dot, e.g. 1.1. */ + if (match_dot_last(payload)) + return true; + return false; + } + + /* Not a dot so must be a digit, e.g. 11XX */ + if (!match_digit_second(payload)) { + return false; + } + + /* If the third character is a dot, then we need a digit as the last + * e.g. 10.4 */ + if (match_dot_third(payload)) { + if (!match_digit_last(payload)) + return false; + return true; + } + + /* Third character must be a digit, then */ + if (!match_digit_third(payload)) + return false; + + /* If we've got three digits, we must end on a dot - e.g. 192. */ + if (match_dot_last(payload)) + return true; + + return false; +} + +static inline bool match_md5_option(uint32_t payload) { + + if (MATCHSTR(payload, "-V M")) + return true; + return false; + +} + +static inline bool match_whois(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 43 && data->client_port != 43) + return false; + + if (match_ipv4_text(data->payload[0])) { + if (data->payload_len[0] >= 4) + return true; + } + + if (match_md5_option(data->payload[0])) + return true; + + if (match_ipv4_text(data->payload[1])) { + if (data->payload_len[1] >= 4) + return true; + } + if (match_md5_option(data->payload[1])) + return true; + return false; +} + +static lpi_module_t lpi_whois = { + LPI_PROTO_WHOIS, + LPI_CATEGORY_SERVICES, + "Whois", + 20, + match_whois +}; + +void register_whois(LPIModuleMap *mod_map) { + register_protocol(&lpi_whois, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_winmx.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_winmx.cc new file mode 100644 index 0000000..175aae5 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_winmx.cc @@ -0,0 +1,62 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_winmx(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_either(data, "SEND")) { + if (data->payload_len[0] == 1) + return true; + if (data->payload_len[1] == 1) + return true; + } + if (match_chars_either(data, 'G', 'E', 'T', ANY)) { + if (data->payload_len[0] == 1) + return true; + if (data->payload_len[1] == 1) + return true; + } + + return false; +} + +static lpi_module_t lpi_winmx = { + LPI_PROTO_WINMX, + LPI_CATEGORY_P2P, + "WinMX", + 4, /* Have this lower priority than HTTP - GET-based rule */ + match_winmx +}; + +void register_winmx(LPIModuleMap *mod_map) { + register_protocol(&lpi_winmx, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_wizard101.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_wizard101.cc new file mode 100644 index 0000000..e6356c0 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_wizard101.cc @@ -0,0 +1,77 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_wiz_23(uint32_t payload, uint32_t len) { + + /* Bytes 3 and 4 are a length field */ + if (len == 23 && MATCH(payload, 0x0d, 0xf0, 0x13, 0x00)) + return true; + return false; + +} + +static inline bool match_wiz_13(uint32_t payload, uint32_t len) { + + /* Bytes 3 and 4 are a length field */ + if (len == 13 && MATCH(payload, 0x0d, 0xf0, 0x09, 0x00)) + return true; + return false; + +} + +static inline bool match_wizard101(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_wiz_23(data->payload[0], data->payload_len[0])) { + if (match_wiz_13(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_wiz_23(data->payload[1], data->payload_len[1])) { + if (match_wiz_13(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_wizard101 = { + LPI_PROTO_WIZARD101, + LPI_CATEGORY_GAMING, + "Wizard101", + 19, + match_wizard101 +}; + +void register_wizard101(LPIModuleMap *mod_map) { + register_protocol(&lpi_wizard101, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_wns.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_wns.cc new file mode 100644 index 0000000..f0d92c8 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_wns.cc @@ -0,0 +1,55 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +static inline bool match_wns(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (MATCH(data->payload[0], 'w', 'n', 's', 0x00)) { + if (MATCH(data->payload[1], 'w', 'n', 's', 0x00)) + return true; + } + + return false; +} + +static lpi_module_t lpi_wns = { + LPI_PROTO_WNS, + LPI_CATEGORY_CLOUD, + "TencentWNS", + 8, + match_wns +}; + +void register_wns(LPIModuleMap *mod_map) { + register_protocol(&lpi_wns, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_wow.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_wow.cc new file mode 100644 index 0000000..368201b --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_wow.cc @@ -0,0 +1,216 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_wow_request(uint32_t payload, uint32_t len) { + + if (!MATCH(payload, 0x00, 0x08, ANY, 0x00)) + return false; + + payload = ntohl(payload); + + /* 3rd and 4th bytes are the size of the packet, minus the four + * byte header */ + if (htons(payload & 0xffff) == len - 4) + return true; + + return false; +} + +static inline bool match_wow_response(uint32_t payload, uint32_t len) { + + if (len == 0) + return true; + + if (len != 119) + return false; + + if (!MATCH(payload, 0x00, 0x00, 0x00, ANY)) + return false; + + return true; + +} + +static inline bool match_wow_s2c(uint32_t payload, uint32_t len) { + /* WoW seems to have changed the server to client protocol recently, + * possibly with the new expansion Cataclysm */ + + if (len == 0) + return true; + if (len != 50) + return false; + if (MATCH(payload, 0x30, 0x00, 0x57, 0x4f)) + return true; + return false; +} + + +static inline bool match_wow_2016(uint32_t payload, uint32_t len) { + if (len == 47 || len == 48 || len == 52) { + if (MATCHSTR(payload, "WORL")) + return true; + } + return false; + +} + + +static inline bool match_china_wow(uint32_t payload, uint32_t len) { + if (len == 57 || len == 59) { + if (MATCH(payload, 0x05, 0x01, 0x93, 0x01)) + return true; + if (MATCH(payload, 0x05, 0x01, 0x99, 0x01)) + return true; + } + + /* New alternative -- clearly a length field, rest of packet + * is mostly JSON */ + if (len == 112 && MATCH(payload, 0x00, 0x00, 0x00, 0x6c)) + return true; + if (len == 113 && MATCH(payload, 0x00, 0x00, 0x00, 0x6d)) + return true; + if (len == 114 && MATCH(payload, 0x00, 0x00, 0x00, 0x6e)) + return true; + return false; + +} + +static inline bool match_china_wow512(uint32_t payload, uint32_t len) { + if (len == 512 && MATCH(payload, 0x00, 0x01, 0x00, 0x25)) + return true; + return false; +} + +static inline bool match_china_wow03(uint32_t payload, uint32_t len) { + + uint32_t hdrlen; + uint32_t swapped; + + if (!MATCH(payload, 0x03, 0x00, ANY, ANY)) { + return false; + } + + /* bytes 3 and 4 are a length field, but in little endian */ + hdrlen = ntohl(payload); + swapped = ((hdrlen & 0xff) << 8) + ((hdrlen & 0xff00) >> 8); + + if (swapped == len) { + return true; + } + + return false; +} + +static inline bool chinese_wow_port(lpi_data_t *data) { + if (data->server_port >= 8000 && data->server_port <= 8002) + return true; + if (data->client_port >= 8000 && data->client_port <= 8002) + return true; + if (data->server_port == 443 || data->client_port == 443) + return true; + if (data->server_port == 2082 || data->client_port == 2082) + return true; + return false; +} + +static inline bool match_wow(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_wow_request(data->payload[0], data->payload_len[0])) { + if (match_wow_response(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_wow_request(data->payload[1], data->payload_len[1])) { + if (match_wow_response(data->payload[0], data->payload_len[0])) + return true; + } + + if (match_wow_s2c(data->payload[0], data->payload_len[0])) { + if (match_wow_s2c(data->payload[1], data->payload_len[1])) + return true; + } + + if (data->server_port == 3724 || data->client_port == 3724) { + /* New initial exchange observed in packet traces from 2016 */ + if (match_wow_2016(data->payload[0], data->payload_len[0]) && + match_wow_2016(data->payload[1], + data->payload_len[1])) { + return true; + } + } + + /* Chinese WOW is a little different */ + if (chinese_wow_port(data)) { + if (match_wow_2016(data->payload[0], data->payload_len[0])) { + if (match_wow_2016(data->payload[1], data->payload_len[1])) + return true; + + if (match_china_wow(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_wow_2016(data->payload[1], data->payload_len[1])) { + if (match_china_wow(data->payload[0], data->payload_len[0])) + return true; + } + + if (match_china_wow(data->payload[0], data->payload_len[0])) { + if (match_china_wow03(data->payload[1], data->payload_len[1])) + return true; + if (match_china_wow512(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_china_wow(data->payload[1], data->payload_len[1])) { + if (match_china_wow03(data->payload[0], data->payload_len[0])) + return true; + if (match_china_wow512(data->payload[0], data->payload_len[0])) + return true; + } + } + + + return false; +} + +static lpi_module_t lpi_wow = { + LPI_PROTO_WOW, + LPI_CATEGORY_GAMING, + "WorldOfWarcraft", + 4, /* Not super-strong, especially for one-way */ + match_wow +}; + +void register_wow(LPIModuleMap *mod_map) { + register_protocol(&lpi_wow, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_wuala.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_wuala.cc new file mode 100644 index 0000000..3a3c1f5 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_wuala.cc @@ -0,0 +1,78 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_wuala_out(uint32_t payload, uint32_t len) { + + if (len != 18) + return false; + if (!MATCH(payload, 0xfe, 0x08, 0x00, 0x00)) + return false; + return true; + +} + +static inline bool match_wuala_in(uint32_t payload, uint32_t len) { + + if (len != 18) + return false; + if (!MATCH(payload, 0xfe, 0x18, 0x00, 0x00)) + return false; + return true; + +} + +static inline bool match_wuala(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_wuala_out(data->payload[0], data->payload_len[0])) { + if (match_wuala_in(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_wuala_out(data->payload[1], data->payload_len[1])) { + if (match_wuala_in(data->payload[0], data->payload_len[0])) + return true; + } + return false; +} + +static lpi_module_t lpi_wuala = { + LPI_PROTO_WUALA, + LPI_CATEGORY_CLOUD, + "Wuala", + 6, + match_wuala +}; + +void register_wuala(LPIModuleMap *mod_map) { + register_protocol(&lpi_wuala, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_xiami.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_xiami.cc new file mode 100644 index 0000000..0fce5a9 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_xiami.cc @@ -0,0 +1,60 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +static inline bool match_xiami(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->payload_len[0] == 187 && data->payload_len[1] == 0) { + if (MATCH(data->payload[0], 0xbb, 0x00, 0x00, 0x00)) + return true; + } + + if (data->payload_len[1] == 187 && data->payload_len[0] == 0) { + if (MATCH(data->payload[1], 0xbb, 0x00, 0x00, 0x00)) + return true; + } + + return false; +} + +static lpi_module_t lpi_xiami = { + LPI_PROTO_XIAMI, + LPI_CATEGORY_STREAMING, + "Xiami", + 34, + match_xiami +}; + +void register_xiami(LPIModuleMap *mod_map) { + register_protocol(&lpi_xiami, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_xmpp.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_xmpp.cc new file mode 100644 index 0000000..18fc750 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_xmpp.cc @@ -0,0 +1,71 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_xmpp_payload(uint32_t data, uint32_t len) { + + if (MATCHSTR(data, "<?xm")) + return true; + if (MATCHSTR(data, "<str")) + return true; + if (MATCHSTR(data, "<pre")) + return true; + + if (MATCH(data, 0x20, 0x20, 0x20, 0x20) && len == 147) + return true; + return false; +} + +static inline bool match_xmpp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* If this is overmatching, enforce TCP port 5222 */ + + if (!match_xmpp_payload(data->payload[0], data->payload_len[0])) + return false; + if (!match_xmpp_payload(data->payload[1], data->payload_len[1])) + return false; + + + return true; +} + +static lpi_module_t lpi_xmpp = { + LPI_PROTO_XMPP, + LPI_CATEGORY_CHAT, + "XMPP", + 4, + match_xmpp +}; + +void register_xmpp(LPIModuleMap *mod_map) { + register_protocol(&lpi_xmpp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_xmpps.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_xmpps.cc new file mode 100644 index 0000000..4048dce --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_xmpps.cc @@ -0,0 +1,99 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_gtalk(lpi_data_t *data) { + + /* This rule matches the encrypted traffic sent to google talk + * clients */ + + if (!match_ssl(data)) + return false; + + /* Port 5228 is used for this */ + if (data->server_port != 5228 && data->client_port != 5228) + return false; + + /* Try and avoid false positives using payload size checks */ + + if (data->payload_len[0] == 80 || + data->payload_len[0] == 120 || + data->payload_len[0] == 118 || + data->payload_len[0] == 184) + return true; + + if (data->payload_len[1] == 80 || + data->payload_len[1] == 120 || + data->payload_len[1] == 118 || + data->payload_len[1] == 184) + return true; + + return false; +} + +static inline bool match_facebook_chat(lpi_data_t *data) { + + /* This rule matches the encrypted traffic sent to facebook chat + * clients */ + + if (!match_ssl(data)) + return false; + + /* Port 5228 is used for this */ + if (data->server_port != 8883 && data->client_port != 8883) + return false; + + return true; +} + +static inline bool match_xmpps(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_gtalk(data)) + return true; + if (match_facebook_chat(data)) + return true; + + return false; + +} + +static lpi_module_t lpi_xmpps = { + LPI_PROTO_XMPPS, + LPI_CATEGORY_CHAT, + "XMPPS", + 10, + match_xmpps +}; + +void register_xmpps(LPIModuleMap *mod_map) { + register_protocol(&lpi_xmpps, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_xunlei.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_xunlei.cc new file mode 100644 index 0000000..da1fab2 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_xunlei.cc @@ -0,0 +1,187 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_shuijing_44(uint32_t payload, uint32_t len) { + if (MATCH(payload, 0x44, 0x00, 0x00, 0x00)) + return true; + if (MATCH(payload, 0x42, 0x00, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_shuijing_3e(uint32_t payload, uint32_t len) { + if (MATCH(payload, 0x3e, 0x00, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_shuijing_41(uint32_t payload, uint32_t len) { + if (MATCH(payload, 0x41, 0x00, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_shuijing_46(uint32_t payload, uint32_t len) { + if (MATCH(payload, 0x46, 0x00, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_shuijing_43(uint32_t payload, uint32_t len) { + if (len == 9 && MATCH(payload, 0x43, 0x00, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_xunlei_3e(uint32_t payload, uint32_t len) { + if (len == 132 && MATCH(payload, 0x3e, 0x00, 0x00, 0x00)) + return true; + return false; + +} + +static inline bool match_xunlei_36(uint32_t payload, uint32_t len) { + if (len == 51 && MATCH(payload, 0x36, 0x00, 0x00, 0x00)) + return true; + return false; + +} + +static inline bool match_xunlei(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* + if (match_str_both(data, "\x3c\x00\x00\x00", "\x3c\x00\x00\x00")) + return true; + if (match_str_both(data, "\x3d\x00\x00\x00", "\x39\x00\x00\x00")) + return true; + if (match_str_both(data, "\x3d\x00\x00\x00", "\x3a\x00\x00\x00")) + return true; + */ + + if (match_str_both(data, "\x29\x00\x00\x00", "\x29\x00\x00\x00")) + return true; + if (match_str_both(data, "\x36\x00\x00\x00", "\x33\x00\x00\x00")) + return true; + if (match_str_both(data, "\x36\x00\x00\x00", "\x36\x00\x00\x00")) + return true; + if (match_str_either(data, "\x33\x00\x00\x00")) { + if (data->payload_len[0] == 0 && data->payload_len[1] == 87) + return true; + if (data->payload_len[1] == 0 && data->payload_len[0] == 87) + return true; + } + + if (match_str_either(data, "\x36\x00\x00\x00")) { + if (data->payload_len[0] == 0 && data->payload_len[1] == 71) + return true; + if (data->payload_len[1] == 0 && data->payload_len[0] == 71) + return true; + } + + if (match_str_either(data, "\x29\x00\x00\x00")) { + if (data->payload_len[0] == 0) + return true; + if (data->payload_len[1] == 0) + return true; + } + + + /* Pretty sure this is "Thunder Crystal" (a.k.a. Xunlei Shuijing), + * a P2P approach to doing CDN. Uses TCP port 4593, usually. + * Ref: http://dl.acm.org/citation.cfm?id=2736085 + * + * XXX Should this be a separate protocol? + */ + + if (match_shuijing_44(data->payload[0], data->payload_len[0])) { + if (match_shuijing_3e(data->payload[1], data->payload_len[1])) + return true; + if (match_shuijing_46(data->payload[1], data->payload_len[1])) + return true; + if (match_shuijing_44(data->payload[1], data->payload_len[1])) + return true; + if (match_shuijing_43(data->payload[1], data->payload_len[1])) + return true; + if (match_shuijing_41(data->payload[1], data->payload_len[1])) + return true; + } + if (match_shuijing_44(data->payload[1], data->payload_len[1])) { + if (match_shuijing_3e(data->payload[0], data->payload_len[0])) + return true; + if (match_shuijing_46(data->payload[0], data->payload_len[0])) + return true; + if (match_shuijing_44(data->payload[0], data->payload_len[0])) + return true; + if (match_shuijing_43(data->payload[0], data->payload_len[0])) + return true; + if (match_shuijing_41(data->payload[0], data->payload_len[0])) + return true; + } + + + /* Almost certainly Xunlei-related, appears on port 8080 to hosts + * that are in subnets used by Xunlei. Many IP ranges appear in + * http://ipfilter-emule.googlecode.com/svn/trunk/ipfilter-xl/.htaccess?id=htxl + * + * Update: the above URL no longer exists, but thankfully archive.org + * has saved a copy: + * http://web.archive.org/web/20160410231755/http://ipfilter-emule.googlecode.com/svn/trunk/ipfilter-xl/.htaccess + */ + + if (match_xunlei_3e(data->payload[0], data->payload_len[0])) { + if (match_xunlei_36(data->payload[1], data->payload_len[1])) { + return true; + } + } + + if (match_xunlei_3e(data->payload[1], data->payload_len[1])) { + if (match_xunlei_36(data->payload[0], data->payload_len[0])) { + return true; + } + } + + + return false; +} + +static lpi_module_t lpi_xunlei = { + LPI_PROTO_XUNLEI, + LPI_CATEGORY_P2P, + "Xunlei", + 3, + match_xunlei +}; + +void register_xunlei(LPIModuleMap *mod_map) { + register_protocol(&lpi_xunlei, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_xunlei_accel.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_xunlei_accel.cc new file mode 100644 index 0000000..60af3f6 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_xunlei_accel.cc @@ -0,0 +1,121 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +/* This protocol is definitely tied up with Xunlei. It appears to only be + * used when using the "accelerated" download option in the Thunder client. + * Basically, the download will be accelerated by pulling parts of the content + * from servers owned by Xunlei in addition to the standard P2P downloading + * from other Xunlei users. + * + * Not 100% sure this should be a separate protocol, but the distinction + * compared with the other Xunlei stuff is possibly interesting. + */ + +/* NOTE: we see a lot of other xunlei traffic with a similar payload pattern + * on other ports but the payload sizes don't match up so I suspect this is + * 'other' thunder traffic of some sort. + */ + +static inline bool match_xaccel_req(uint32_t payload, uint32_t len) { + + uint32_t byte4; + /* Byte 4 must be either 0x4X or 0x5X */ + + byte4 = (ntohl(payload) & 0xff); + + if (byte4 < 0x40 || byte4 > 0x5f) + return false; + + /* Observed requests seem to fall in a very specific packet size + * range (at least the stuff on port 8080 does) + */ + if (len >= 532 && len <= 542) + return true; + if (len >= 309 && len <= 312) + return true; + + return false; +} + +static inline bool match_xaccel_resp(uint32_t payload, uint32_t len) { + + uint32_t byte4; + /* Byte 4 must be either 0x4X or 0x5X */ + + byte4 = (ntohl(payload) & 0xff); + + if (byte4 < 0x40 || byte4 > 0x5f) + return false; + + /* Observed requests seem to fall in a very specific packet size + * range (at least the stuff on port 8080 does) + */ + if (len >= 104 && len <= 116) + return true; + + return false; +} + +static inline bool match_xunlei_accel(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Tough to match reliably -- we don't have a lot to go on */ + + /* The Xunlei-controlled servers all seem to listen on port 8080 */ + if (data->server_port != 8080 && data->client_port != 8080) + return false; + + if (match_xaccel_req(data->payload[0], data->payload_len[0])) { + if (match_xaccel_resp(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_xaccel_req(data->payload[1], data->payload_len[1])) { + if (match_xaccel_resp(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_xunlei_accel = { + LPI_PROTO_XUNLEI_ACCEL, + LPI_CATEGORY_P2P, + "XunleiAccelerated", + 240, + match_xunlei_accel +}; + +void register_xunlei_accel(LPIModuleMap *mod_map) { + register_protocol(&lpi_xunlei_accel, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_xymon.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_xymon.cc new file mode 100644 index 0000000..15f5064 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_xymon.cc @@ -0,0 +1,58 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_xymon(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Xymon aka "Big Brother" aka "Hobbit" */ + + /* Runs over port 1984 - clever :) */ + if (data->server_port != 1984 && data->client_port != 1984) + return false; + + if (match_chars_either(data, 's', 't', 'a', 't')) + return true; + + return false; +} + +static lpi_module_t lpi_xymon = { + LPI_PROTO_XYMON, + LPI_CATEGORY_MONITORING, + "Xymon", + 6, + match_xymon +}; + +void register_xymon(LPIModuleMap *mod_map) { + register_protocol(&lpi_xymon, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_yahoo.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_yahoo.cc new file mode 100644 index 0000000..43189b1 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_yahoo.cc @@ -0,0 +1,57 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_yahoo(lpi_data_t *data, lpi_module_t *mod UNUSED) { + /* Yahoo messenger starts with YMSG */ + if (match_str_either(data, "YMSG")) return true; + + /* Some flows start with YAHO - I'm going to go with my gut instinct */ + if (match_str_either(data, "YAHO")) return true; + + /* Some versions appear to use <Yms as the beginning */ + if (match_str_either(data, "<Yms")) return true; + + return false; +} + +static lpi_module_t lpi_yahoo = { + LPI_PROTO_YAHOO, + LPI_CATEGORY_CHAT, + "Yahoo", + 3, + match_yahoo +}; + +void register_yahoo(LPIModuleMap *mod_map) { + register_protocol(&lpi_yahoo, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_yahoo_error.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_yahoo_error.cc new file mode 100644 index 0000000..381a120 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_yahoo_error.cc @@ -0,0 +1,64 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_yahoo_error(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Yahoo seems to respond to HTTP errors in a really odd way - it + * opens up a new connection and just sends raw HTML with the + * error message in it. Not sure how they expect that to work, though. + */ + + if (data->payload_len[0] != 0 && data->payload_len[1] != 0) + return false; + + /* The html isn't entirely valid either - they start with <HEAD> + * rather than <HTML>... + */ + if (match_str_either(data, "<HEA")) + return true; + + + return false; +} + +static lpi_module_t lpi_yahoo_error = { + LPI_PROTO_YAHOO_ERROR, + LPI_CATEGORY_CHAT, + "YahooError", + 10, /* This rule is a bit odd */ + match_yahoo_error +}; + +void register_yahoo_error(LPIModuleMap *mod_map) { + register_protocol(&lpi_yahoo_error, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_yahoo_games.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_yahoo_games.cc new file mode 100644 index 0000000..40432d5 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_yahoo_games.cc @@ -0,0 +1,83 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* This traffic all seems to go to games.X.yahoo.com, so I'm going to assume + * that this is Yahoo Games */ + +static inline bool match_yahoo_games_req(uint32_t payload, uint32_t len) { + + if (len != 1) + return false; + if (!MATCH(payload, 0x00, 0x00, 0x00, 0x00)) + return false; + return true; + +} + +static inline bool match_yahoo_games_resp(uint32_t payload, uint32_t len) { + + if (len != 22) + return false; + if (!MATCH(payload, 0x81, 0xd3, 0x70, 0x6c)) + return false; + return true; + +} + +static inline bool match_yahoo_games(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_yahoo_games_req(data->payload[0], data->payload_len[0])) { + if (match_yahoo_games_resp(data->payload[1], data->payload_len[1])) { + return true; + } + } + if (match_yahoo_games_req(data->payload[1], data->payload_len[1])) { + if (match_yahoo_games_resp(data->payload[0], data->payload_len[0])) { + return true; + } + } + + return false; +} + +static lpi_module_t lpi_yahoo_games = { + LPI_PROTO_YAHOO_GAMES, + LPI_CATEGORY_GAMING, + "YahooGames", + 4, + match_yahoo_games +}; + +void register_yahoo_games(LPIModuleMap *mod_map) { + register_protocol(&lpi_yahoo_games, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_yahoo_webcam.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_yahoo_webcam.cc new file mode 100644 index 0000000..2cf48f3 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_yahoo_webcam.cc @@ -0,0 +1,57 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_yahoo_webcam(lpi_data_t *data, + lpi_module_t *mod UNUSED) { + + if (match_str_either(data, "<SND")) + return true; + if (match_str_either(data, "<REQ")) + return true; + if (match_chars_either(data, 0x0d, 0x00, 0x05, 0x00)) + return true; + + return false; +} + +static lpi_module_t lpi_yahoo_webcam = { + LPI_PROTO_YAHOO_WEBCAM, + LPI_CATEGORY_CHAT, + "Yahoo_Webcam", + 3, + match_yahoo_webcam +}; + +void register_yahoo_webcam(LPIModuleMap *mod_map) { + register_protocol(&lpi_yahoo_webcam, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_youku.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_youku.cc new file mode 100644 index 0000000..779b306 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_youku.cc @@ -0,0 +1,58 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +static inline bool match_youku_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* This took a lot of detective work and liberal use of Google + * translate to figure out what this protocol this pattern matched */ + + if (match_youku_payload(data->payload[0], data->payload_len[0])) { + if (match_youku_payload(data->payload[1], data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_youku = { + LPI_PROTO_YOUKU, + LPI_CATEGORY_STREAMING, + "Youku", + 4, + match_youku_tcp +}; + +void register_youku_tcp(LPIModuleMap *mod_map) { + register_protocol(&lpi_youku, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_yy_tcp.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_yy_tcp.cc new file mode 100644 index 0000000..1b90d34 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_yy_tcp.cc @@ -0,0 +1,59 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +/* YY Live Streaming from China */ +/* Unfortunately YY uses a 4 byte length field (albeit in little endian + * byte order) so there's a good chance this rule will get a few FPs :/ + */ +static inline bool match_yy_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_yy_payload(data->payload[0], data->payload_len[0])) { + if (match_yy_payload(data->payload[1], data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_yy_tcp = { + LPI_PROTO_YY, + LPI_CATEGORY_STREAMING, + "YY_TCP", + 200, + match_yy_tcp +}; + +void register_yy_tcp(LPIModuleMap *mod_map) { + register_protocol(&lpi_yy_tcp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_zabbix.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_zabbix.cc new file mode 100644 index 0000000..f761109 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_zabbix.cc @@ -0,0 +1,69 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_zabbix(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_either(data, "ZBXD")) + return true; + + /* Everything below this line requires one of the ports to be the + * default zabbix port */ + if (data->server_port != 10050 && data->client_port != 10050) + return false; + + /* Zabbix Windows performance counters + * TODO capture some genuine responses and match on those too */ + if (MATCH(data->payload[0], 'p', 'e', 'r', 'f')) + return true; + if (MATCH(data->payload[1], 'p', 'e', 'r', 'f')) + return true; + + if (MATCH(data->payload[0], 's', 'y', 's', 't')) + return true; + if (MATCH(data->payload[1], 's', 'y', 's', 't')) + return true; + + return false; +} + +static lpi_module_t lpi_zabbix = { + LPI_PROTO_ZABBIX, + LPI_CATEGORY_MONITORING, + "Zabbix", + 5, + match_zabbix +}; + +void register_zabbix(LPIModuleMap *mod_map) { + register_protocol(&lpi_zabbix, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_zero.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_zero.cc new file mode 100644 index 0000000..3904a25 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_zero.cc @@ -0,0 +1,97 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Zero: a modified version of QUIC crypto used by Facebook until TLS 1.3 is + * available. + * + * See http://cryptologie.net/article/321/real-world-crypto-day-2/ for a bit + * more detail. + */ + +static inline bool match_zero_fb_chlo(uint32_t payload, uint32_t len) { + + if (MATCH(payload, '1', 'Q', 'T', 'V')) + return true; + return false; +} + + +static inline bool match_zero_fb_shlo(uint32_t payload, uint32_t len) { + + if (len == 0) + return true; + if (MATCH(payload, '1', 'Q', 'T', 'V')) + return true; + if (MATCH(payload, 0x30, ANY, 0x0c, 0x00)) + return true; + if (MATCH(payload, 0x30, ANY, 0x0d, 0x00)) + return true; + if (MATCH(payload, 0x30, 0x11, 0x0f, 0x00)) + return true; + if (MATCH(payload, 0x30, 0x14, 0x05, 0x00)) + return true; + if (MATCH(payload, 0x30, ANY, 0x00, 0x00)) + return true; + return false; +} + + +static inline bool match_zero_facebook(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 443 && data->client_port != 443) + return false; + + if (match_zero_fb_chlo(data->payload[0], data->payload_len[0])) { + if (match_zero_fb_shlo(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_zero_fb_chlo(data->payload[1], data->payload_len[1])) { + if (match_zero_fb_shlo(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_zero_facebook = { + LPI_PROTO_ZERO_FACEBOOK, + LPI_CATEGORY_WEB, + "Zero_Facebook", + 5, + match_zero_facebook +}; + +void register_zero_facebook(LPIModuleMap *mod_map) { + register_protocol(&lpi_zero_facebook, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_zoom_tcp.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_zoom_tcp.cc new file mode 100644 index 0000000..62dcd93 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_zoom_tcp.cc @@ -0,0 +1,90 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_zoom_01(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 0x01, 0x00, 0x6c, 0x00) && len == 111) + return true; + if (MATCH(payload, 0x01, 0x00, 0x6a, 0x00) && len == 109) + return true; + if (MATCH(payload, 0x01, 0x00, 0x83, 0x00) && len == 134) + return true; + return false; + +} + +static inline bool match_zoom_02(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 0x02, 0x00, 0x22, 0x00) && len == 37) + return true; + if (MATCH(payload, 0x02, 0x00, 0x24, 0x00) && len == 39) + return true; + return false; + +} + +static inline bool match_zoom_tcp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 8801 && data->client_port != 8801) { + return false; + } + + /* Byte 4 must match in both directions */ + if ((data->payload[0] & 0xff000000) != (data->payload[1] & 0xff000000)) + return false; + + if (match_zoom_01(data->payload[0], data->payload_len[0])) { + if (match_zoom_02(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_zoom_01(data->payload[1], data->payload_len[1])) { + if (match_zoom_02(data->payload[0], data->payload_len[0])) + return true; + } + + + return false; +} + +static lpi_module_t lpi_zoom_tcp = { + LPI_PROTO_ZOOM, + LPI_CATEGORY_VOIP, + "ZoomTCP", + 5, + match_zoom_tcp +}; + +void register_zoom_tcp(LPIModuleMap *mod_map) { + register_protocol(&lpi_zoom_tcp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/lpi_zynga.cc b/decoders/glimpse_detector/libprotoident/tcp/lpi_zynga.cc new file mode 100644 index 0000000..5c24b02 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/lpi_zynga.cc @@ -0,0 +1,62 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_zynga(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_both(data, "pres", "3 se")) + return true; + if (match_str_both(data, "pres", "4 se")) + return true; + if (match_str_both(data, "imsg", "4 se")) + return true; + + /* Flash facebook games */ + if (match_str_both(data, "<msg", "<?xm")) { + if (data->server_port == 9339 || data->client_port == 9339) + return true; + } + + return false; +} + +static lpi_module_t lpi_zynga = { + LPI_PROTO_ZYNGA, + LPI_CATEGORY_GAMING, + "Zynga", + 3, + match_zynga +}; + +void register_zynga(LPIModuleMap *mod_map) { + register_protocol(&lpi_zynga, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/tcp/tcp_protocols.h b/decoders/glimpse_detector/libprotoident/tcp/tcp_protocols.h new file mode 100644 index 0000000..89c2bf7 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/tcp/tcp_protocols.h @@ -0,0 +1,316 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ +#ifndef TCP_PROTOCOLS_H_ +#define TCP_PROTOCOLS_H_ + +#include "proto_manager.h" + +void register_300heroes(LPIModuleMap *mod_map); +void register_360safeguard(LPIModuleMap *mod_map); +void register_4d(LPIModuleMap *mod_map); +void register_acestream(LPIModuleMap *mod_map); +void register_afp(LPIModuleMap *mod_map); +void register_airdroid(LPIModuleMap *mod_map); +void register_airmedia(LPIModuleMap *mod_map); +void register_akamai_tcp(LPIModuleMap *mod_map); +void register_amp(LPIModuleMap *mod_map); +void register_antcoin(LPIModuleMap *mod_map); +void register_appearin(LPIModuleMap *mod_map); +void register_apple_push(LPIModuleMap *mod_map); +void register_ares(LPIModuleMap *mod_map); +void register_badbaidu(LPIModuleMap *mod_map); +void register_baofeng_tcp(LPIModuleMap *mod_map); +void register_beam(LPIModuleMap *mod_map); +void register_bitcoin(LPIModuleMap *mod_map); +void register_bitextend(LPIModuleMap *mod_map); +void register_bittorrent(LPIModuleMap *mod_map); +void register_blackdesert(LPIModuleMap *mod_map); +void register_blizzard(LPIModuleMap *mod_map); +void register_btsync(LPIModuleMap *mod_map); +void register_bwsyncandshare(LPIModuleMap *mod_map); +void register_cacaoweb(LPIModuleMap *mod_map); +void register_cgp(LPIModuleMap *mod_map); +void register_chatango(LPIModuleMap *mod_map); +void register_cisco_vpn(LPIModuleMap *mod_map); +void register_clashofclans(LPIModuleMap *mod_map); +void register_classin_tcp(LPIModuleMap *mod_map); +void register_clubbox(LPIModuleMap *mod_map); +void register_cod_waw(LPIModuleMap *mod_map); +void register_conquer(LPIModuleMap *mod_map); +void register_crashplan(LPIModuleMap *mod_map); +void register_crossfire_tcp(LPIModuleMap *mod_map); +void register_cryptic(LPIModuleMap *mod_map); +void register_cvs(LPIModuleMap *mod_map); +void register_dahua_tcp(LPIModuleMap *mod_map); +void register_dash(LPIModuleMap *mod_map); +void register_dell_backup(LPIModuleMap *mod_map); +void register_destiny(LPIModuleMap *mod_map); +void register_diablo3(LPIModuleMap *mod_map); +void register_dianping_tcp(LPIModuleMap *mod_map); +void register_directconnect(LPIModuleMap *mod_map); +void register_dnf(LPIModuleMap *mod_map); +void register_dns_tcp(LPIModuleMap *mod_map); +void register_dogecoin(LPIModuleMap *mod_map); +void register_douyu(LPIModuleMap *mod_map); +void register_douyu_chat(LPIModuleMap *mod_map); +void register_duelingnetwork(LPIModuleMap *mod_map); +void register_dvrns(LPIModuleMap *mod_map); +void register_dxp(LPIModuleMap *mod_map); +void register_ea_games(LPIModuleMap *mod_map); +void register_emule(LPIModuleMap *mod_map); +void register_ethernetip(LPIModuleMap *mod_map); +void register_eye(LPIModuleMap *mod_map); +void register_facebook_turn(LPIModuleMap *mod_map); +void register_fb_message(LPIModuleMap *mod_map); +void register_fbcdn_ssl(LPIModuleMap *mod_map); +void register_ffxiv(LPIModuleMap *mod_map); +void register_filenori(LPIModuleMap *mod_map); +void register_flash(LPIModuleMap *mod_map); +void register_fliggy(LPIModuleMap *mod_map); +void register_fring(LPIModuleMap *mod_map); +void register_ftpcontrol(LPIModuleMap *mod_map); +void register_ftpdata(LPIModuleMap *mod_map); +void register_fuckcoin(LPIModuleMap *mod_map); +void register_funshion_tcp(LPIModuleMap *mod_map); +void register_gamespy_tcp(LPIModuleMap *mod_map); +void register_gcafe_updater(LPIModuleMap *mod_map); +void register_giop(LPIModuleMap *mod_map); +void register_git(LPIModuleMap *mod_map); +void register_glupteba(LPIModuleMap *mod_map); +void register_gnutella(LPIModuleMap *mod_map); +void register_goku(LPIModuleMap *mod_map); +void register_googlehangouts(LPIModuleMap *mod_map); +void register_graalonlineera(LPIModuleMap *mod_map); +void register_guildwars2(LPIModuleMap *mod_map); +void register_hamachi(LPIModuleMap *mod_map); +void register_harveys(LPIModuleMap *mod_map); +void register_hearthstone(LPIModuleMap *mod_map); +void register_hola(LPIModuleMap *mod_map); +void register_hots_tcp(LPIModuleMap *mod_map); +void register_http_badport(LPIModuleMap *mod_map); +void register_http(LPIModuleMap *mod_map); +void register_http_nonstandard(LPIModuleMap *mod_map); +void register_https(LPIModuleMap *mod_map); +void register_http_tunnel(LPIModuleMap *mod_map); +void register_ica(LPIModuleMap *mod_map); +void register_icep(LPIModuleMap *mod_map); +void register_id(LPIModuleMap *mod_map); +void register_idrivesync(LPIModuleMap *mod_map); +void register_ihexin(LPIModuleMap *mod_map); +void register_imap(LPIModuleMap *mod_map); +void register_imaps(LPIModuleMap *mod_map); +void register_imesh(LPIModuleMap *mod_map); +void register_invalid(LPIModuleMap *mod_map); +void register_invalid_bittorrent(LPIModuleMap *mod_map); +void register_invalid_http(LPIModuleMap *mod_map); +void register_invalid_pop(LPIModuleMap *mod_map); +void register_invalid_smtp(LPIModuleMap *mod_map); +void register_ipfs(LPIModuleMap *mod_map); +void register_ipop(LPIModuleMap *mod_map); +void register_ipsharkk(LPIModuleMap *mod_map); +void register_irc(LPIModuleMap *mod_map); +void register_java(LPIModuleMap *mod_map); +void register_jedi(LPIModuleMap *mod_map); +void register_jx3online(LPIModuleMap *mod_map); +void register_kakao(LPIModuleMap *mod_map); +void register_kankan_tcp(LPIModuleMap *mod_map); +void register_kaseya(LPIModuleMap *mod_map); +void register_kaspersky(LPIModuleMap *mod_map); +void register_kik(LPIModuleMap *mod_map); +void register_kingofglory_tcp(LPIModuleMap *mod_map); +void register_kuaibo(LPIModuleMap *mod_map); +void register_ldap(LPIModuleMap *mod_map); +void register_lifeforge(LPIModuleMap *mod_map); +void register_line(LPIModuleMap *mod_map); +void register_litecoin(LPIModuleMap *mod_map); +void register_llp2p(LPIModuleMap *mod_map); +void register_maplestory_china(LPIModuleMap *mod_map); +void register_maxicloud(LPIModuleMap *mod_map); +void register_message4u(LPIModuleMap *mod_map); +void register_minecraft(LPIModuleMap *mod_map); +void register_mitglieder(LPIModuleMap *mod_map); +void register_mms(LPIModuleMap *mod_map); +void register_mongo(LPIModuleMap *mod_map); +void register_mp2p(LPIModuleMap *mod_map); +void register_msn(LPIModuleMap *mod_map); +void register_msnc(LPIModuleMap *mod_map); +void register_msnv(LPIModuleMap *mod_map); +void register_munin(LPIModuleMap *mod_map); +void register_mysql(LPIModuleMap *mod_map); +void register_mystery_8000(LPIModuleMap *mod_map); +void register_mystery_9000(LPIModuleMap *mod_map); +void register_mystery_conn(LPIModuleMap *mod_map); +void register_mystery_iG(LPIModuleMap *mod_map); +void register_mystery_pspr(LPIModuleMap *mod_map); +void register_mystery_rxxf(LPIModuleMap *mod_map); +void register_mystery_symantec(LPIModuleMap *mod_map); +void register_mzinga(LPIModuleMap *mod_map); +void register_naverp2p(LPIModuleMap *mod_map); +void register_ncsoft(LPIModuleMap *mod_map); +void register_ndt_tput(LPIModuleMap *mod_map); +void register_netbios(LPIModuleMap *mod_map); +void register_netcat_cctv(LPIModuleMap *mod_map); +void register_netmfp(LPIModuleMap *mod_map); +void register_nntp(LPIModuleMap *mod_map); +void register_nntps(LPIModuleMap *mod_map); +void register_nomachine(LPIModuleMap *mod_map); +void register_norton_backup(LPIModuleMap *mod_map); +void register_notes_rpc(LPIModuleMap *mod_map); +void register_tcp_no_payload(LPIModuleMap *mod_map); +void register_tcp_no_firstpkt(LPIModuleMap *mod_map); +void register_nsq(LPIModuleMap *mod_map); +void register_omegle(LPIModuleMap *mod_map); +void register_openvpn(LPIModuleMap *mod_map); +void register_ourworld(LPIModuleMap *mod_map); +void register_palringo(LPIModuleMap *mod_map); +void register_paltalk(LPIModuleMap *mod_map); +void register_pandatv(LPIModuleMap *mod_map); +void register_pando(LPIModuleMap *mod_map); +void register_pathofexile(LPIModuleMap *mod_map); +void register_pdbox(LPIModuleMap *mod_map); +void register_pop3(LPIModuleMap *mod_map); +void register_pop3s(LPIModuleMap *mod_map); +void register_postgresql(LPIModuleMap *mod_map); +void register_pptp(LPIModuleMap *mod_map); +void register_psn_store(LPIModuleMap *mod_map); +void register_qcloud_ilvb(LPIModuleMap *mod_map); +void register_qq_tcp(LPIModuleMap *mod_map); +void register_qqdownload(LPIModuleMap *mod_map); +void register_qqlive_tcp(LPIModuleMap *mod_map); +void register_qqspeedmobile_tcp(LPIModuleMap *mod_map); +void register_qvod(LPIModuleMap *mod_map); +void register_rabbitmq(LPIModuleMap *mod_map); +void register_ragnarokonline(LPIModuleMap *mod_map); +void register_razor(LPIModuleMap *mod_map); +void register_rbls(LPIModuleMap *mod_map); +void register_rdp(LPIModuleMap *mod_map); +void register_realmofthemadgod(LPIModuleMap *mod_map); +void register_realvnc(LPIModuleMap *mod_map); +void register_rejection(LPIModuleMap *mod_map); +void register_relay(LPIModuleMap *mod_map); +void register_remote_manipulator(LPIModuleMap *mod_map); +void register_revolver_nblbt(LPIModuleMap *mod_map); +void register_rfb(LPIModuleMap *mod_map); +void register_rpcscan(LPIModuleMap *mod_map); +void register_rrtv(LPIModuleMap *mod_map); +void register_rsync(LPIModuleMap *mod_map); +void register_rtmp(LPIModuleMap *mod_map); +void register_rtsp(LPIModuleMap *mod_map); +void register_runescape(LPIModuleMap *mod_map); +void register_s7comm(LPIModuleMap *mod_map); +void register_saprouter(LPIModuleMap *mod_map); +void register_saszombieassault4(LPIModuleMap *mod_map); +void register_second_life(LPIModuleMap *mod_map); +void register_shoutcast(LPIModuleMap *mod_map); +void register_silkroadonline(LPIModuleMap *mod_map); +void register_sip(LPIModuleMap *mod_map); +void register_skyforge(LPIModuleMap *mod_map); +void register_skype_tcp(LPIModuleMap *mod_map); +void register_smb(LPIModuleMap *mod_map); +void register_smite_tcp(LPIModuleMap *mod_map); +void register_smtp(LPIModuleMap *mod_map); +void register_smtps(LPIModuleMap *mod_map); +void register_socks4(LPIModuleMap *mod_map); +void register_socks5(LPIModuleMap *mod_map); +void register_spdy(LPIModuleMap *mod_map); +void register_speedify(LPIModuleMap *mod_map); +void register_speedin(LPIModuleMap *mod_map); +void register_speedtest(LPIModuleMap *mod_map); +void register_spotify(LPIModuleMap *mod_map); +void register_ssh(LPIModuleMap *mod_map); +void register_ssjj(LPIModuleMap *mod_map); +void register_ssl(LPIModuleMap *mod_map); +void register_steam(LPIModuleMap *mod_map); +void register_stratum(LPIModuleMap *mod_map); +void register_stun_tcp(LPIModuleMap *mod_map); +void register_supl(LPIModuleMap *mod_map); +void register_svn(LPIModuleMap *mod_map); +void register_talesrunner(LPIModuleMap *mod_map); +void register_tankionline(LPIModuleMap *mod_map); +void register_tankix(LPIModuleMap *mod_map); +void register_taobao(LPIModuleMap *mod_map); +void register_tds(LPIModuleMap *mod_map); +void register_teamviewer(LPIModuleMap *mod_map); +void register_telecomkey(LPIModuleMap *mod_map); +void register_telegram(LPIModuleMap *mod_map); +void register_telnet(LPIModuleMap *mod_map); +void register_telnet_exploit(LPIModuleMap *mod_map); +void register_tencent_games(LPIModuleMap *mod_map); +void register_tenfivecoin(LPIModuleMap *mod_map); +void register_tensafe(LPIModuleMap *mod_map); +void register_tera(LPIModuleMap *mod_map); +void register_tetrisonline(LPIModuleMap *mod_map); +void register_thedivision(LPIModuleMap *mod_map); +void register_tip(LPIModuleMap *mod_map); +void register_tor(LPIModuleMap *mod_map); +void register_tpkt_generic(LPIModuleMap *mod_map); +void register_trackmania(LPIModuleMap *mod_map); +void register_transocks(LPIModuleMap *mod_map); +void register_trion(LPIModuleMap *mod_map); +void register_trojan_win32_generic_sb(LPIModuleMap *mod_map); +void register_trojan_zeroaccess(LPIModuleMap *mod_map); +void register_twitcasting(LPIModuleMap *mod_map); +void register_twitch_irc(LPIModuleMap *mod_map); +void register_utherverse(LPIModuleMap *mod_map); +void register_vainglory(LPIModuleMap *mod_map); +void register_vhdp2p(LPIModuleMap *mod_map); +void register_viber(LPIModuleMap *mod_map); +void register_vmware(LPIModuleMap *mod_map); +void register_vodlocker(LPIModuleMap *mod_map); +void register_vpnrobot_tcp(LPIModuleMap *mod_map); +void register_vpnunlimited_tcp(LPIModuleMap *mod_map); +void register_warcraft3(LPIModuleMap *mod_map); +void register_web_junk(LPIModuleMap *mod_map); +void register_webex_stun(LPIModuleMap *mod_map); +void register_weblogic(LPIModuleMap *mod_map); +void register_wechat(LPIModuleMap *mod_map); +void register_weibo(LPIModuleMap *mod_map); +void register_weiqi(LPIModuleMap *mod_map); +void register_whatsapp(LPIModuleMap *mod_map); +void register_whois(LPIModuleMap *mod_map); +void register_winmx(LPIModuleMap *mod_map); +void register_wizard101(LPIModuleMap *mod_map); +void register_wns(LPIModuleMap *mod_map); +void register_wow(LPIModuleMap *mod_map); +void register_wuala(LPIModuleMap *mod_map); +void register_xiami(LPIModuleMap *mod_map); +void register_xmpp(LPIModuleMap *mod_map); +void register_xmpps(LPIModuleMap *mod_map); +void register_xunlei(LPIModuleMap *mod_map); +void register_xunlei_accel(LPIModuleMap *mod_map); +void register_xymon(LPIModuleMap *mod_map); +void register_yahoo(LPIModuleMap *mod_map); +void register_yahoo_error(LPIModuleMap *mod_map); +void register_yahoo_games(LPIModuleMap *mod_map); +void register_yahoo_webcam(LPIModuleMap *mod_map); +void register_youku_tcp(LPIModuleMap *mod_map); +void register_yy_tcp(LPIModuleMap *mod_map); +void register_zabbix(LPIModuleMap *mod_map); +void register_zero_facebook(LPIModuleMap *mod_map); +void register_zoom_tcp(LPIModuleMap *mod_map); +void register_zynga(LPIModuleMap *mod_map); + +#endif diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_360cn.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_360cn.cc new file mode 100644 index 0000000..e0e631b --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_360cn.cc @@ -0,0 +1,96 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Not 100% sure what this is but: + * - it's on port 53 but is definitely not DNS + * - involves servers owned by 360.cn, who 'supposedly' are antivirus experts + * - the protocol appears to be a custom encryption protocol + */ + + +static inline bool match_360cn_0102(uint32_t a, uint32_t b) { + + + if (a != b) + return false; + if (MATCH(a, ANY, ANY, 0x01, 0x02)) + return true; + return false; + +} + +static inline bool match_360cn_0a04(uint32_t pload, uint32_t len) { + + uint32_t hdrlen = (ntohl(pload)) & 0xffff; + + if (len == 0) + return true; + + if (!MATCH(pload, 0x0a, 0x04, ANY, ANY)) + return false; + + if (hdrlen + 10 == len) + return true; + + return false; + + +} + +static inline bool match_360cn(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 53 && data->client_port != 53) + return false; + + if (match_360cn_0102(data->payload[0], data->payload[1])) + return true; + + if (match_360cn_0a04(data->payload[0], data->payload_len[0])) { + if (match_360cn_0a04(data->payload[1], data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_360cn = { + LPI_PROTO_UDP_360CN, + LPI_CATEGORY_SECURITY, + "360.cn", + 50, + match_360cn +}; + +void register_360cn(LPIModuleMap *mod_map) { + register_protocol(&lpi_360cn, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_360p2p.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_360p2p.cc new file mode 100644 index 0000000..251e205 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_360p2p.cc @@ -0,0 +1,79 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_360p2p_request(uint32_t payload, uint32_t len) { + if (len == 72 && MATCH(payload, 0x00, 0x00, 0x00, 0x00)) + return true; + if (len == 40 && MATCH(payload, 0x00, 0x00, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_360p2p_reply(uint32_t payload, uint32_t len) { + if (len == 40 && MATCH(payload, 0x00, 0x00, 0x00, 0x00)) + return true; + if (len == 30 && MATCH(payload, 0x00, 0x00, 0x00, 0x00)) + return true; + if (len == 50 && MATCH(payload, 0x00, 0x00, 0x00, 0x00)) + return true; + if (len == 72 && MATCH(payload, 0x00, 0x00, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_360p2p(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_360p2p_request(data->payload[0], data->payload_len[0])) { + if (match_360p2p_reply(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_360p2p_request(data->payload[1], data->payload_len[1])) { + if (match_360p2p_reply(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_360p2p = { + LPI_PROTO_UDP_360P2P, + LPI_CATEGORY_SECURITY, + "360Safeguard_P2P", + 211, + match_360p2p +}; + +void register_360p2p(LPIModuleMap *mod_map) { + register_protocol(&lpi_360p2p, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_aachen_udp.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_aachen_udp.cc new file mode 100644 index 0000000..385fa1e --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_aachen_udp.cc @@ -0,0 +1,72 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_aachen_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Regular UDP port 80 and port 443 probes from RWTH-Aachen University + * for research purposes. See http://137.226.113.7/ for more details. + */ + + if (data->server_port == 80 || data->client_port == 80 || + data->server_port == 443 || + data->client_port == 443) { + if (data->payload_len[0] == 0) { + if (data->payload_len[1] != 1055) + return false; + if (MATCH(data->payload[1], 0x0d, 'S', 'C', 'A')) + return true; + } + + if (data->payload_len[1] == 0) { + if (data->payload_len[0] != 1055) + return false; + if (MATCH(data->payload[0], 0x0d, 'S', 'C', 'A')) + return true; + } + } + + + return false; +} + +static lpi_module_t lpi_aachen_udp = { + LPI_PROTO_UDP_RWTH_AACHEN, + LPI_CATEGORY_MONITORING, + "RWTHAachenScan", + 100, + match_aachen_udp +}; + +void register_aachen_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_aachen_udp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_acercloud.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_acercloud.cc new file mode 100644 index 0000000..a6a7989 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_acercloud.cc @@ -0,0 +1,63 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_acer_ff99(uint32_t payload, uint32_t len) { + + if (len == 102 && MATCHSTR(payload, "\xff\xff\xff\x99")) + return true; + return false; + +} + +static inline bool match_acercloud(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + + if (match_acer_ff99(data->payload[0], data->payload_len[0])) { + if (match_acer_ff99(data->payload[1], data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_acercloud = { + LPI_PROTO_UDP_ACERCLOUD, + LPI_CATEGORY_CLOUD, + "AcerCloud", + 6, + match_acercloud +}; + +void register_acercloud(LPIModuleMap *mod_map) { + register_protocol(&lpi_acercloud, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_akamai.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_akamai.cc new file mode 100644 index 0000000..821b3ce --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_akamai.cc @@ -0,0 +1,75 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_akamai(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* This appears to be some sort of protocol used by Akamai nodes + * to talk to one another - probably the monitoring for the Akamai + * network */ + + /* All messages begin with 8 bytes of zeroes */ + if (data->payload[0] != 0 || data->payload[1] != 0) + return false; + + if (data->payload_len[0] == 1080 && data->payload_len[1] == 0) + return true; + if (data->payload_len[1] == 1080 && data->payload_len[0] == 0) + return true; + + if (data->payload_len[0] == 1032) { + if (data->payload_len[1] == 0) + return true; + if (data->payload_len[1] == 1032) + return true; + } + + if (data->payload_len[1] == 1032) { + if (data->payload_len[0] == 0) + return true; + } + + + return false; +} + +static lpi_module_t lpi_akamai = { + LPI_PROTO_UDP_AKAMAI, + LPI_CATEGORY_MONITORING, + "Akamai", + 5, + match_akamai +}; + +void register_akamai(LPIModuleMap *mod_map) { + register_protocol(&lpi_akamai, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_akamai_transfer.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_akamai_transfer.cc new file mode 100644 index 0000000..ebd63a4 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_akamai_transfer.cc @@ -0,0 +1,79 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static bool match_akamai_out(uint32_t payload, uint32_t len) { + + if (len < 200) + return false; + + if (MATCH(payload, 0x02, 0x24, ANY, ANY)) + return true; + return false; + +} + +static inline bool match_akamai_transfer(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* This protocol is used by Akamai boxes to transfer large quantities + * of data back to the main Akamai network. This involves a one-way + * UDP flow */ + + + /* Restrict based on port number, because this rule is a bit weak */ + if (data->server_port != 1485 && data->client_port != 1485) + return false; + + if (match_akamai_out(data->payload[0], data->payload_len[0])) { + if (data->payload_len[1] == 0) + return true; + } + + if (match_akamai_out(data->payload[1], data->payload_len[1])) { + if (data->payload_len[0] == 0) + return true; + } + + return false; +} + +static lpi_module_t lpi_akamai_transfer = { + LPI_PROTO_UDP_AKAMAI_TRANSFER, + LPI_CATEGORY_CDN, + "AkamaiTransfer", + 15, + match_akamai_transfer +}; + +void register_akamai_transfer(LPIModuleMap *mod_map) { + register_protocol(&lpi_akamai_transfer, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_amanda.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_amanda.cc new file mode 100644 index 0000000..646cc78 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_amanda.cc @@ -0,0 +1,52 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_amanda(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_either(data, "Aman")) + return true; + + return false; +} + +static lpi_module_t lpi_amanda = { + LPI_PROTO_UDP_AMANDA, + LPI_CATEGORY_FILES, + "AmandaUDP", + 6, + match_amanda +}; + +void register_amanda(LPIModuleMap *mod_map) { + register_protocol(&lpi_amanda, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_apple_facetime_init.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_apple_facetime_init.cc new file mode 100644 index 0000000..12182b4 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_apple_facetime_init.cc @@ -0,0 +1,118 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Protocol used to talk to Apple servers when commencing a Facetime call. + * iMessage may also use this protocol to determine whether iMessage is + * available between two devices. + * May also be used by Game Center (but this is not verified). + * + * NOTE: this protocol is not used for the actual Facetime call itself - that + * is done via RTP, SIP and other standard protocols. + */ + +static inline bool match_afi_server_port(uint16_t port) { + + if (port < 16384) + return false; + if (port > 16387) + return false; + return true; +} + +static inline bool match_afi_client_port(uint16_t port) { + if (port < 16402) + return false; + if (port > 16410) + return false; + return true; +} + +static inline bool match_facetime_req(uint32_t payload, uint32_t len) { + + if (len != 16) + return false; + if (MATCH(payload, 0x00, 0x01, 0x00, 0x02)) + return true; + if (MATCH(payload, 0x00, 0x00, 0x00, 0x02)) + return true; + return false; +} + +static inline bool match_facetime_resp(uint32_t payload, uint32_t len) { + + if (len == 0) + return true; + if (len != 16) + return false; + if (MATCH(payload, 0x00, 0x01, 0x00, 0x01)) + return true; + if (MATCH(payload, 0x00, 0x00, 0x00, 0x01)) + return true; + return false; +} + +static inline bool match_apple_facetime_init(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (!match_afi_server_port(data->server_port) && + !match_afi_client_port(data->server_port)) { + return false; + } + + if (!match_afi_server_port(data->client_port) && + !match_afi_client_port(data->client_port)) { + return false; + } + + if (match_facetime_req(data->payload[0], data->payload_len[0])) { + if (match_facetime_resp(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_facetime_req(data->payload[1], data->payload_len[1])) { + if (match_facetime_resp(data->payload[0], data->payload_len[0])) + return true; + } + return false; +} + +static lpi_module_t lpi_apple_facetime_init = { + LPI_PROTO_UDP_APPLE_FACETIME_INIT, + LPI_CATEGORY_NAT, // Unsure about this one... + "AppleFacetimeInit", + 16, + match_apple_facetime_init +}; + +void register_apple_facetime_init(LPIModuleMap *mod_map) { + register_protocol(&lpi_apple_facetime_init, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_ard.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_ard.cc new file mode 100644 index 0000000..b4a3e7d --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_ard.cc @@ -0,0 +1,108 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Apple Remote Desktop protocol, generally used to remotely manage Macs. + * Probably shouldn't be seen on the Internet, particularly with the patterns + * presented here as this was almost certainly a case where a Mac with remote + * management enabled was being abused into performing an amplification attack. + * + * Of course, being Apple, there is no public documentation of this protocol + * anywhere so it's pretty hard to write rules that cover legitimate uses of + * this protocol. + */ + +static inline bool match_ard_tiny_req(uint32_t payload, uint32_t len) { + if (len == 5 && MATCH(payload, 0x00, 0x14, 0x00, 0x01)) { + return true; + } + return false; +} + +static inline bool match_ard_large_resp(uint32_t payload, uint32_t len) { + + /* Match the case where the client doesn't reply (i.e. participate + * in the amplification attack). + */ + if (len == 0) { + return true; + } + + /* All my examples were 1006 bytes, but that's just from one + * specific machine */ + if (len < 1000) { + return false; + } + + if ((ntohl(payload) & 0x0000ffff) != len - 4) { + return false; + } + + if (MATCH(payload, 0x00, 0x01, ANY, ANY)) { + return true; + } + + return false; +} + +static inline bool match_ard(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 3283 && data->client_port != 3283) { + return false; + } + + if (match_ard_tiny_req(data->payload[0], data->payload_len[0])) { + if (match_ard_large_resp(data->payload[1], data->payload_len[1])) { + return true; + } + } + + if (match_ard_tiny_req(data->payload[1], data->payload_len[1])) { + if (match_ard_large_resp(data->payload[0], data->payload_len[0])) { + return true; + } + } + + return false; +} + +static lpi_module_t lpi_ard = { + LPI_PROTO_UDP_ARD, + LPI_CATEGORY_REMOTE, + "ARD", + 20, + match_ard +}; + +void register_ard(LPIModuleMap *mod_map) { + register_protocol(&lpi_ard, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_ares.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_ares.cc new file mode 100644 index 0000000..76e7648 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_ares.cc @@ -0,0 +1,76 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_ares_client(uint32_t payload, uint32_t len) { + + if (len != 3) + return false; + if (!MATCH(payload, 0x00, ANY, ANY, 0x00)) + return false; + return true; +} + +static inline bool match_ares_peer(uint32_t payload, uint32_t len) { + + if (len != 3) + return false; + if (!MATCH(payload, 0x01, ANY, ANY, 0x00)) + return false; + return true; +} + +static inline bool match_ares_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_ares_client(data->payload[0], data->payload_len[0])) { + if (match_ares_peer(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_ares_client(data->payload[1], data->payload_len[1])) { + if (match_ares_peer(data->payload[0], data->payload_len[0])) + return true; + } + return false; +} + +static lpi_module_t lpi_ares_udp = { + LPI_PROTO_UDP_ARES, + LPI_CATEGORY_P2P, + "Ares_UDP", + 9, + match_ares_udp +}; + +void register_ares_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_ares_udp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_ark.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_ark.cc new file mode 100644 index 0000000..bb13007 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_ark.cc @@ -0,0 +1,74 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +static inline bool match_ark_request(uint32_t payload, uint32_t len) { + if (len == 38 && MATCH(payload, 0x00, 0x80, 0x05, 0x00)) + return true; + return false; +} + +static inline bool match_ark_response(uint32_t payload, uint32_t len) { + if (len == 26 && MATCH(payload, 0x00, 0x00, 0x01, 0x00)) + return true; + return false; +} + + +static inline bool match_arksurvival(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + + if (match_ark_request(data->payload[0], data->payload_len[0])) { + if (match_ark_response(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_ark_request(data->payload[1], data->payload_len[1])) { + if (match_ark_response(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_arksurvival = { + LPI_PROTO_UDP_ARK_SURVIVAL, + LPI_CATEGORY_GAMING, + "ARKSurvivalEvolved", + 20, + match_arksurvival +}; + +void register_arksurvival(LPIModuleMap *mod_map) { + register_protocol(&lpi_arksurvival, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_arma3_server.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_arma3_server.cc new file mode 100644 index 0000000..29c5ed0 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_arma3_server.cc @@ -0,0 +1,86 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_arma3_server_payload(uint32_t payload, uint32_t len) { + + uint32_t replen; + + if (len == 0) + return true; + + replen = (payload & 0xffff); + if (replen != len) + return false; + + if (MATCH(payload, ANY, ANY, 0xe2, 0x16)) + return true; + if (MATCH(payload, ANY, ANY, 0x60, 0xcf)) + return true; + + + return false; + + +} + +static inline bool match_arma_port_range(lpi_data_t *data) { + + if (data->server_port >= 2300 && data->server_port <= 2400) + return true; + if (data->client_port >= 2300 && data->client_port <= 2400) + return true; + + return false; +} + +static inline bool match_arma3_server(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_arma3_server_payload(data->payload[0], data->payload_len[0])) { + if (match_arma3_server_payload(data->payload[1], data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_arma3_server = { + LPI_PROTO_UDP_ARMA3_SERVER, + LPI_CATEGORY_GAMING, + "ARMA3Server", + 4, + match_arma3_server +}; + +void register_arma3_server(LPIModuleMap *mod_map) { + register_protocol(&lpi_arma3_server, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_arma_server.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_arma_server.cc new file mode 100644 index 0000000..b0e2f56 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_arma_server.cc @@ -0,0 +1,109 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_arma_server_payload(uint32_t payload, uint32_t len) { + + uint32_t replen; + + if (len == 0) + return true; + + if (!MATCH(payload, ANY, ANY, 0x01, 0x08)) + return false; + + replen = (payload & 0xffff); + if (replen != len) + return false; + + return true; + + +} + +static inline bool match_arma_nine(uint32_t payload, uint32_t len) { + + /* The HalfLife protocol and its derivatives all use a similar + * type of packet -- probably a server ping probe? + * This is probably copied or heavily influenced by that. + */ + + if (len != 9) + return false; + if (MATCHSTR(payload, "\xff\xff\xff\xff")) + return true; + return false; + +} + +static inline bool match_arma_port_range(lpi_data_t *data) { + + if (data->server_port >= 2300 && data->server_port <= 2400) + return true; + if (data->client_port >= 2300 && data->client_port <= 2400) + return true; + + return false; +} + +static inline bool match_arma_server(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_arma_server_payload(data->payload[0], data->payload_len[0])) { + if (match_arma_server_payload(data->payload[1], data->payload_len[1])) + return true; + } + + /* The next rule is prone to conflicts so restrict to flows that + * are using common ARMA ports */ + if (!match_arma_port_range(data)) + return false; + + if (match_arma_nine(data->payload[0], data->payload_len[0])) { + if (match_arma_nine(data->payload[1], data->payload_len[1])) { + return true; + } + } + + return false; +} + +static lpi_module_t lpi_arma_server = { + LPI_PROTO_UDP_ARMA_SERVER, + LPI_CATEGORY_GAMING, + "ARMA2Server", + 4, + match_arma_server +}; + +void register_arma_server(LPIModuleMap *mod_map) { + register_protocol(&lpi_arma_server, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_artcp.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_artcp.cc new file mode 100644 index 0000000..ddbfa26 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_artcp.cc @@ -0,0 +1,72 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Custom version of RTCP used by Alibaba cloud for streaming */ + +static inline bool match_artcp_payload(uint32_t payload, uint32_t len) { + if (len == 0) + return true; + if (MATCH(payload, 0x83, 0xcc, 0x00, ANY)) + return true; + return false; +} + + +static inline bool match_artcp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + + if (data->server_port == 1106 || data->client_port == 1106) { + + if (!match_artcp_payload(data->payload[0], + data->payload_len[0])) + return false; + if (!match_artcp_payload(data->payload[1], + data->payload_len[1])) + return false; + return true; + } + return false; + +} + +static lpi_module_t lpi_artcp = { + LPI_PROTO_UDP_ARTCP, + LPI_CATEGORY_STREAMING, + "ARTCP", + 200, + match_artcp +}; + +void register_artcp(LPIModuleMap *mod_map) { + register_protocol(&lpi_artcp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_assettocorsa.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_assettocorsa.cc new file mode 100644 index 0000000..c6860d9 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_assettocorsa.cc @@ -0,0 +1,77 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* A multiplayer car racing sim -- costs $$ to play so unconfirmed but + * supporting evidence is strong */ + +static inline bool match_ac_two(uint32_t payload, uint32_t len) { + + /* ANY is usually between 0x00 and 0x18 */ + if (len == 2 && MATCH(payload, 0x4e, ANY, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_ac_one(uint32_t payload, uint32_t len) { + + if (len == 1 && MATCH(payload, 0x4e, 0x00, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_assettocorsa(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_ac_two(data->payload[0], data->payload_len[0])) { + if (match_ac_one(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_ac_one(data->payload[0], data->payload_len[0])) { + if (match_ac_two(data->payload[1], data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_assettocorsa = { + LPI_PROTO_UDP_ASSETTO_CORSA, + LPI_CATEGORY_GAMING, + "AssettoCorsa", + 200, + match_assettocorsa +}; + +void register_assettocorsa(LPIModuleMap *mod_map) { + register_protocol(&lpi_assettocorsa, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_avast_secure_dns.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_avast_secure_dns.cc new file mode 100644 index 0000000..c3ca42e --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_avast_secure_dns.cc @@ -0,0 +1,92 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_asd_reply(uint32_t payload) { + + if (MATCH(payload, 'r', '6', 'f', 'n')) + return true; + return false; +} + +static inline bool match_asd_request(uint32_t payload) { + + if (MATCH(payload, '7', 'P', 'Y', 'q')) + return true; + return false; +} + +static inline bool match_avast_secure_dns(lpi_data_t *data, + lpi_module_t *mod UNUSED) { + + if (data->server_port != 53 && data->client_port != 53 && + data->server_port != 443 && data->client_port != 443) { + return false; + } + + if (match_asd_request(data->payload[0])) { + if (match_asd_reply(data->payload[1])) + return true; + } + + if (match_asd_request(data->payload[1])) { + if (match_asd_reply(data->payload[0])) + return true; + } + + /* The requests have no obvious pattern, except being always 512 + * bytes. */ + if (match_asd_reply(data->payload[0]) && data->payload_len[1] == 512) + return true; + if (match_asd_reply(data->payload[1]) && data->payload_len[0] == 512) + return true; + + if (data->server_port == 443 || data->client_port == 443) { + if (match_dns(data)) { + return true; + } + } + + return false; +} + +static lpi_module_t lpi_avast_secure_dns = { + LPI_PROTO_UDP_AVAST_DNS, + LPI_CATEGORY_SERVICES, + "AvastSecureDNS", + 14, + match_avast_secure_dns +}; + +void register_avast_secure_dns(LPIModuleMap *mod_map) { + register_protocol(&lpi_avast_secure_dns, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_backweb.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_backweb.cc new file mode 100644 index 0000000..71aa5bf --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_backweb.cc @@ -0,0 +1,55 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_backweb(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 370 && data->client_port != 370) + return false; + + if (match_chars_either(data, 0x21, 0x24, 0x00, ANY)) + return true; + + return false; +} + +static lpi_module_t lpi_backweb = { + LPI_PROTO_UDP_BACKWEB, + LPI_CATEGORY_SECURITY, + "BackWeb", + 5, + match_backweb +}; + +void register_backweb(LPIModuleMap *mod_map) { + register_protocol(&lpi_backweb, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_bacnet.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_bacnet.cc new file mode 100644 index 0000000..85b4997 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_bacnet.cc @@ -0,0 +1,77 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +static inline bool match_bacnet_request(uint32_t payload, uint32_t len) { + + uint32_t baclen = (ntohl(payload) & 0xffff); + + if (baclen == len && MATCH(payload, 0x81, 0x0a, ANY, ANY)) + return true; + return false; + +} + +static inline bool match_bacnet(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 47808 && data->client_port != 47808) + return false; + + /* I've only seen scans for this stuff, so don't know what a reply + * would look like */ + + if (match_bacnet_request(data->payload[0], data->payload_len[0])) { + if (data->payload_len[1] == 0) + return true; + } + + if (match_bacnet_request(data->payload[1], data->payload_len[1])) { + if (data->payload_len[0] == 0) + return true; + } + + return false; +} + +static lpi_module_t lpi_bacnet = { + LPI_PROTO_UDP_BACNET, + LPI_CATEGORY_REMOTE, /* XXX Create a new category for building + * automation?? */ + "BACnet", + 23, + match_bacnet +}; + +void register_bacnet(LPIModuleMap *mod_map) { + register_protocol(&lpi_bacnet, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_baiduyun_p2p.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_baiduyun_p2p.cc new file mode 100644 index 0000000..89354d7 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_baiduyun_p2p.cc @@ -0,0 +1,86 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Protocol used by Baidu Yun for sharing files between friends. Not + * 100% confirmed, but I've managed to observe other confirmed Baidu Yun + * traffic for the same host / port prior to the suspected peer starting + * flows matching this pattern. + * + * For some reason I was unable to make P2P transfers work when using Baidu + * Yun myself (possibly because I was behind NAT?), which is why I haven't + * been able to confirm. + */ + +static inline bool match_byun_p2p(uint32_t payload, uint32_t len) { + + if (len == 0) + return true; + + if (len == 64 || len == 32 || len == 50) { + if (MATCH(payload, 0x01, ANY, ANY, ANY)) + return true; + } + return false; + +} + +static inline bool match_baiduyun_p2p(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* + if (data->server_port != 7273 && data->client_port != 7273 && + data->server_port != 7274 && + data->client_port != 7274) + return false; + */ + + + if (match_byun_p2p(data->payload[0], data->payload_len[0])) { + if (match_byun_p2p(data->payload[1], data->payload_len[1])) + return true; + } + + + return false; +} + +static lpi_module_t lpi_baiduyun_p2p = { + LPI_PROTO_UDP_BAIDU_YUN_P2P, + LPI_CATEGORY_P2P, + "BaiduYunP2P", + 220, + match_baiduyun_p2p +}; + +void register_baiduyun_p2p(LPIModuleMap *mod_map) { + register_protocol(&lpi_baiduyun_p2p, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_baofeng_udp.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_baofeng_udp.cc new file mode 100644 index 0000000..f982090 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_baofeng_udp.cc @@ -0,0 +1,70 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_bao(uint32_t payload, uint32_t len) { + uint32_t first = ntohl(payload) >> 24; + + if (len < 38 || len > 55) + return false; + + /* First byte always begins with 0x2X or 0x3X */ + if (first < 0x20 || first > 0x3f) + return false; + + return true; +} + +static inline bool match_baofeng_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 9909 && data->client_port != 9909) + return false; + + if (match_bao(data->payload[0], data->payload_len[0])) { + if (match_bao(data->payload[1], data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_baofeng_udp = { + LPI_PROTO_UDP_BAOFENG, + LPI_CATEGORY_STREAMING, + "Baofeng", + 105, + match_baofeng_udp +}; + +void register_baofeng_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_baofeng_udp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_battlefield.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_battlefield.cc new file mode 100644 index 0000000..3d3815b --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_battlefield.cc @@ -0,0 +1,69 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_battlefield(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Server browsing for battlefield 1942 */ + + if (match_str_both(data, "ping", "Ping")) + return true; + + if (MATCHSTR(data->payload[0], "ping")) { + if (data->payload_len[0] != 5) + return false; + if (data->payload_len[1] == 0) + return true; + } + + if (MATCHSTR(data->payload[1], "ping")) { + if (data->payload_len[1] != 5) + return false; + if (data->payload_len[0] == 0) + return true; + } + + + return false; +} + +static lpi_module_t lpi_battlefield = { + LPI_PROTO_UDP_BATTLEFIELD, + LPI_CATEGORY_GAMING, + "Battlefield", + 7, + match_battlefield +}; + +void register_battlefield(LPIModuleMap *mod_map) { + register_protocol(&lpi_battlefield, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_bjnp.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_bjnp.cc new file mode 100644 index 0000000..97ec24e --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_bjnp.cc @@ -0,0 +1,65 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_bjnp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Could strengthen this by requiring 16 byte packets too if needed */ + + if (match_str_either(data, "BJNP")) + return true; + + /* Apparently, there are a few other combinations that we can see */ + if (match_str_either(data, "BNJB")) + return true; + if (match_str_either(data, "BJNB")) + return true; + if (match_str_either(data, "PJNB")) + return true; + if (match_str_either(data, "PNJB")) + return true; + + + return false; +} + +static lpi_module_t lpi_bjnp = { + LPI_PROTO_UDP_BJNP, + LPI_CATEGORY_PRINTING, + "Canon_BJNP", + 3, + match_bjnp +}; + +void register_bjnp(LPIModuleMap *mod_map) { + register_protocol(&lpi_bjnp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_bmdp.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_bmdp.cc new file mode 100644 index 0000000..fcbd681 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_bmdp.cc @@ -0,0 +1,101 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> +#include <stdio.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* BMDP is a protocol used by Microsoft Automated Deployment Services, a + * system for remotely installing, configuring and maintained Windows Servers. + * + * Unfortunately, there is no obvious BMDP spec out there so this is just + * based on what we have seen in our traffic. + */ + +static inline bool match_bmdp_payload(uint32_t payload, uint32_t len) { + uint32_t byte3 = ntohl(payload) & 0xff00; + uint32_t byte4 = ntohl(payload) & 0x00ff; + + if (len == 0) + return false; + + /* Byte 3 is always Xd, where X >=0 and X < 8 */ + if ((ntohl(payload) & 0x7d00) != byte3) + return false; + + /* There seem to be a fixed set of values for byte 4 and these seem + * to also determine the length. + * + * So far I've limited this to byte4's that I've seen on multiple + * occasions. + */ + if (byte4 == 0x2d && (len == 115 || len == 114)) + return true; + + if (byte4 == 0x42 && len == 116) + return true; + + if (byte4 == 0x5c && len == 117) + return true; + + return false; +} + +static inline bool match_bmdp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* XXX The typical port number is 8197, but usually you will see this + * on a port ranging from 8190 to 8210. We could consider limiting + * this rule to traffic matching those ports if we really wanted. + */ + + /* Traffic is always one-way only */ + if (data->payload_len[0] != 0 && data->payload_len[1] != 0) + return false; + + if (match_bmdp_payload(data->payload[0], data->payload_len[0])) + return true; + + if (match_bmdp_payload(data->payload[1], data->payload_len[1])) + return true; + + return false; +} + +static lpi_module_t lpi_bmdp = { + LPI_PROTO_UDP_BMDP, + LPI_CATEGORY_FILES, + "BMDP", + 70, + match_bmdp +}; + +void register_bmdp(LPIModuleMap *mod_map) { + register_protocol(&lpi_bmdp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_btsync.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_btsync.cc new file mode 100644 index 0000000..63648d3 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_btsync.cc @@ -0,0 +1,52 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_btsync_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_either(data, "BSYN")) + return true; + + return false; +} + +static lpi_module_t lpi_btsync_udp = { + LPI_PROTO_UDP_BTSYNC, + LPI_CATEGORY_FILES, + "BitTorrentSync_UDP", + 8, + match_btsync_udp +}; + +void register_btsync_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_btsync_udp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_cacaoweb_udp.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_cacaoweb_udp.cc new file mode 100644 index 0000000..5359371 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_cacaoweb_udp.cc @@ -0,0 +1,105 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_cacao_smalla(uint32_t payload, uint32_t len) { + + if (len > 15) + return false; + + if ((ntohl(payload) & 0xa0000000) == 0xa0000000) + return true; + return false; +} + +static inline bool match_cacao_other(uint32_t payload, uint32_t opp) { + + uint32_t firsta = ntohl(payload) >> 24; + uint32_t lastb = ntohl(opp) & 0xff; + + if (firsta == lastb && firsta != 0) + return true; + return false; + +} + +static inline bool match_cacao_c0_12(uint32_t payload, uint32_t len) { + if (len == 12 && MATCH(payload, 0xc0, ANY, ANY, ANY)) + return true; + return false; +} + +static inline bool match_cacao_c0_14(uint32_t payload, uint32_t len) { + if (len == 14 && MATCH(payload, 0xc0, ANY, ANY, ANY)) + return true; + return false; +} + +static inline bool match_cacaoweb_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_cacao_smalla(data->payload[0], data->payload_len[0])) { + if (match_cacao_other(data->payload[1], data->payload[0])) { + return true; + } + } + + if (match_cacao_smalla(data->payload[1], data->payload_len[1])) { + if (match_cacao_other(data->payload[0], data->payload[1])) { + return true; + } + } + + if (match_cacao_c0_12(data->payload[0], data->payload_len[0])) { + if (match_cacao_c0_14(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_cacao_c0_12(data->payload[1], data->payload_len[1])) { + if (match_cacao_c0_14(data->payload[0], data->payload_len[0])) + return true; + } + + + return false; +} + +static lpi_module_t lpi_cacaoweb_udp = { + LPI_PROTO_UDP_CACAOWEB, + LPI_CATEGORY_P2P, + "CacaowebUDP", + 231, + match_cacaoweb_udp +}; + +void register_cacaoweb_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_cacaoweb_udp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_canon_mfnp.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_canon_mfnp.cc new file mode 100644 index 0000000..6f08e16 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_canon_mfnp.cc @@ -0,0 +1,55 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_canon_mfnp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 8610 && data->client_port != 8610) + return false; + + if (match_str_either(data, "MFNP")) + return true; + + return false; +} + +static lpi_module_t lpi_canon_mfnp = { + LPI_PROTO_UDP_MFNP, + LPI_CATEGORY_PRINTING, + "Canon_MFNP", + 8, + match_canon_mfnp +}; + +void register_canon_mfnp(LPIModuleMap *mod_map) { + register_protocol(&lpi_canon_mfnp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_chargen_exploit.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_chargen_exploit.cc new file mode 100644 index 0000000..81b08d6 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_chargen_exploit.cc @@ -0,0 +1,62 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +static inline bool match_chargen_exploit(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 19 && data->client_port != 19) + return false; + + /* Matching chargen replies to spoofed sources */ + if (data->payload_len[0] == 0 && + MATCH(data->payload[1], 0x20, 0x21, 0x22, 0x23)) + return true; + + if (data->payload_len[1] == 0 && + MATCH(data->payload[0], 0x20, 0x21, 0x22, 0x23)) + return true; + + return false; +} + +static lpi_module_t lpi_chargen_exploit = { + LPI_PROTO_UDP_CHARGEN_EXPLOIT, + LPI_CATEGORY_MALWARE, + "ChargenExploit", + 200, + match_chargen_exploit +}; + +void register_chargen_exploit(LPIModuleMap *mod_map) { + register_protocol(&lpi_chargen_exploit, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_checkpoint_rdp.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_checkpoint_rdp.cc new file mode 100644 index 0000000..9e7f13f --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_checkpoint_rdp.cc @@ -0,0 +1,64 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_checkpoint_rdp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* We only see this on port 259, so I'm pretty sure that this is + * the Checkpoint proprietary RDP protocol (not to be confused with + * Remote Desktop Protocol or the RDP transport protocol). + * + * Begins with a four byte magic number */ + + if (match_str_both(data, "\xf0\x01\xcc\xcc", "\xf0\x01\xcc\xcc")) + return true; + if (match_str_either(data, "\xf0\x01\xcc\xcc")) { + if (data->payload_len[0] == 0) + return true; + if (data->payload_len[1] == 0) + return true; + } + + return false; +} + +static lpi_module_t lpi_checkpoint_rdp = { + LPI_PROTO_UDP_CP_RDP, + LPI_CATEGORY_KEY_EXCHANGE, + "Checkpoint_RDP", + 3, + match_checkpoint_rdp +}; + +void register_checkpoint_rdp(LPIModuleMap *mod_map) { + register_protocol(&lpi_checkpoint_rdp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_chivalry.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_chivalry.cc new file mode 100644 index 0000000..7f29b27 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_chivalry.cc @@ -0,0 +1,59 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Chivalry: Medieval Warfare -- a game */ + +static inline bool match_chivalry(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (MATCH(data->payload[0], 0x00, 0x00, 0x00, 0x00) && + MATCH(data->payload[1], 0x00, 0x00, 0x00, 0x00)) { + if (data->payload_len[0] == 12 && data->payload_len[1] == 15) + return true; + if (data->payload_len[1] == 12 && data->payload_len[0] == 15) + return true; + } + + return false; +} + +static lpi_module_t lpi_chivalry = { + LPI_PROTO_UDP_CHIVALRY, + LPI_CATEGORY_GAMING, + "Chivalry", + 200, + match_chivalry +}; + +void register_chivalry(LPIModuleMap *mod_map) { + register_protocol(&lpi_chivalry, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_cip_io.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_cip_io.cc new file mode 100644 index 0000000..0a028d2 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_cip_io.cc @@ -0,0 +1,69 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * 239.192.27.192 10.1.1.215 2222 2222 17 1599194119.713 1599194136.242 0 527360 00000000 .... 0 02000280 .... 80 + * 10.1.1.215 10.1.1.200 2222 2222 17 1599194119.716 1599194136.397 187488 0 02000280 .... 56 00000000 .... 0 + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_cip(lpi_data_t *data) { + + if (MATCH(data->payload[0], 0x02, 0x00, 0x02, 0x80) && + MATCH(data->payload[1], 0x00, 0x00, 0x00, 0x00)) + return true; + + if (MATCH(data->payload[1], 0x02, 0x00, 0x02, 0x80) && + MATCH(data->payload[0], 0x00, 0x00, 0x00, 0x00)) + return true; + + return false; +} + +static inline bool match_cip_io(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 2222 || data->client_port != 2222) + return false; + + if (match_cip(data)) + return true; + + return false; +} + +static lpi_module_t lpi_cip_io = { + LPI_PROTO_UDP_CIP_IO, + LPI_CATEGORY_ICS, + "CIP_I/O", + 100, + match_cip_io +}; + +void register_cip_io(LPIModuleMap *mod_map) { + register_protocol(&lpi_cip_io, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_cirn.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_cirn.cc new file mode 100644 index 0000000..430aa46 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_cirn.cc @@ -0,0 +1,71 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_cirn_probe(uint32_t payload, uint32_t len) { + if (MATCH(payload, 'P', 'a', 't', 'h') && len == 10) + return true; + return false; +} + +static inline bool match_cirn_response(uint32_t payload, uint32_t len) { + if (len == 0) + return true; + return false; +} + +static inline bool match_cirn(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_cirn_probe(data->payload[0], data->payload_len[0])) { + if (match_cirn_response(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_cirn_probe(data->payload[1], data->payload_len[1])) { + if (match_cirn_response(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_cirn = { + LPI_PROTO_UDP_CIRN, + LPI_CATEGORY_MONITORING, + "CIRN_Probe", + 8, + match_cirn +}; + +void register_cirn(LPIModuleMap *mod_map) { + register_protocol(&lpi_cirn, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_cisco_ipsec.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_cisco_ipsec.cc new file mode 100644 index 0000000..0fc95ae --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_cisco_ipsec.cc @@ -0,0 +1,74 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_cisco_ipsec_payload(uint32_t payload, uint32_t len) { + + if (len == 0) + return true; + if (len == 109) + return true; + if (len == 93) + return true; + return false; + +} + + +static inline bool match_cisco_ipsec(lpi_data_t *data, lpi_module_t *mod UNUSED) { + /* Been seeing this on UDP port 10000, which I assume is the + * Cisco IPSec VPN */ + + if (data->server_port != 10000 && data->client_port != 10000) + return false; + + if (!match_cisco_ipsec_payload(data->payload[0], data->payload_len[0])) + return false; + if (!match_cisco_ipsec_payload(data->payload[1], data->payload_len[1])) + return false; + + return true; + + +} + +static lpi_module_t lpi_cisco_ipsec = { + LPI_PROTO_UDP_CISCO_VPN, + LPI_CATEGORY_TUNNELLING, + "Cisco_VPN_UDP", + 8, + match_cisco_ipsec +}; + +void register_cisco_ipsec(LPIModuleMap *mod_map) { + register_protocol(&lpi_cisco_ipsec, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_cisco_sslvpn.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_cisco_sslvpn.cc new file mode 100644 index 0000000..9194191 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_cisco_sslvpn.cc @@ -0,0 +1,63 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_sslvpn(uint32_t payload) { + + /* Payload looks like SSL, except they've set the version field + * to 1.0 (which would be invalid in real SSL) -- oh, Cisco! + */ + if (MATCH(payload, 0x16, 0x01, 0x00, 0x00)) + return true; + return false; + +} + +static inline bool match_cisco_sslvpn(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_sslvpn(data->payload[0]) && match_sslvpn(data->payload[1])) + return true; + + return false; +} + +static lpi_module_t lpi_cisco_sslvpn = { + LPI_PROTO_UDP_CISCO_SSLVPN, + LPI_CATEGORY_TUNNELLING, + "CiscoSSLVPN", + 5, + match_cisco_sslvpn +}; + +void register_cisco_sslvpn(LPIModuleMap *mod_map) { + register_protocol(&lpi_cisco_sslvpn, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_classin_udp.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_classin_udp.cc new file mode 100644 index 0000000..656b752 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_classin_udp.cc @@ -0,0 +1,75 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_classin_41(uint32_t payload, uint32_t len) { + if (len == 41 && MATCH(payload, 0x1a, 0x03, 0x00, 0x02)) { + return true; + } + return false; +} + +static inline bool match_classin_56(uint32_t payload, uint32_t len) { + if (len == 56 && MATCH(payload, 0x1a, 0x03, 0x00, 0x02)) { + return true; + } + return false; +} + +static inline bool match_classin_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_classin_41(data->payload[0], data->payload_len[0])) { + if (match_classin_56(data->payload[1], data->payload_len[1])) { + return true; + } + } + + if (match_classin_41(data->payload[1], data->payload_len[1])) { + if (match_classin_56(data->payload[0], data->payload_len[0])) { + return true; + } + } + + return false; +} + +static lpi_module_t lpi_classin_udp = { + LPI_PROTO_UDP_CLASSIN, + LPI_CATEGORY_EDUCATIONAL, + "ClassIn_UDP", + 133, + match_classin_udp +}; + +void register_classin_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_classin_udp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_cloudflare_warp.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_cloudflare_warp.cc new file mode 100644 index 0000000..2d222bb --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_cloudflare_warp.cc @@ -0,0 +1,129 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* 01 == handshake begin */ +static inline bool match_warp_01(uint32_t payload, uint32_t len) { + + if (len != 148) { + return false; + } + + if (MATCH(payload, 0x01, ANY, ANY, ANY)) { + if (MATCH(payload, 0x01, 0x00, 0x00, 0x00)) { + return false; + } + return true; + } + return false; +} + +/* 02 == handshake reply */ +static inline bool match_warp_02(uint32_t payload, uint32_t len) { + + if (len != 92) { + return false; + } + + if (MATCH(payload, 0x02, ANY, ANY, ANY)) { + return true; + } + return false; +} + +/* 04 == data (for sessions where we missed part of the handshake */ +static inline bool match_warp_04(uint32_t payload, uint32_t len) { + + /* 100 is approximate, but 1312 seems to be an actual + * Max Datagram Size */ + if (len < 100 || len > 1312) { + return false; + } + + if (MATCH(payload, 0x04, ANY, ANY, ANY)) { + return true; + } + return false; +} + +static inline bool is_cf_warp_port(lpi_data_t *data) { + if (data->server_port == 2408 || data->client_port == 2408) { + return true; + } + if (data->server_port == 1701 || data->client_port == 1701) { + return true; + } + if (data->server_port == 500 || data->client_port == 500) { + return true; + } + return false; +} + + +static inline bool match_cloudflare_warp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (!is_cf_warp_port(data)) { + return false; + } + + if (match_warp_01(data->payload[0], data->payload_len[0])) { + if (match_warp_02(data->payload[1], data->payload_len[1])) { + return true; + } + if (match_warp_04(data->payload[1], data->payload_len[1])) { + return true; + } + } + + if (match_warp_01(data->payload[1], data->payload_len[1])) { + if (match_warp_02(data->payload[0], data->payload_len[0])) { + return true; + } + if (match_warp_04(data->payload[0], data->payload_len[0])) { + return true; + } + } + + return false; +} + +static lpi_module_t lpi_cloudflare_warp = { + LPI_PROTO_UDP_CLOUDFLARE_WARP, + LPI_CATEGORY_TUNNELLING, + "CloudflareWarp", + 21, + match_cloudflare_warp +}; + +void register_cloudflare_warp(LPIModuleMap *mod_map) { + register_protocol(&lpi_cloudflare_warp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_cod.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_cod.cc new file mode 100644 index 0000000..3cdd444 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_cod.cc @@ -0,0 +1,170 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_cod_payload(uint32_t payload, uint32_t len) { + + if (len == 0) + return true; + if (!MATCH(payload, 0xff, 0xff, 0xff, 0xff)) + return false; + return true; + +} + + +static inline bool match_callofduty(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (!match_cod_payload(data->payload[0], data->payload_len[0])) + return false; + if (!match_cod_payload(data->payload[1], data->payload_len[1])) + return false; + + /* One packet is always 14 or 15 bytes, the other is usually much + * larger */ + if (data->payload_len[0] == 14 || data->payload_len[0] == 15) { + if (data->payload_len[1] == 0) + return true; + if (data->payload_len[1] > 100) + return true; + } + + if (data->payload_len[1] == 14 || data->payload_len[1] == 15) { + if (data->payload_len[0] == 0) + return true; + if (data->payload_len[0] > 100) + return true; + } + + /* 13 is also observed */ + if (data->payload_len[0] == 13) { + if (data->payload_len[1] > 880) + return true; + if (data->payload_len[1] >= 225 && data->payload_len[1] <= 250) + return true; + } + + /* Other packet size combos */ + + /* 74 seems to be common on port 20800 which is associated with + * COD:WaW + */ + if (data->payload_len[0] == 74) { + if (data->payload_len[1] == 0) + return true; + } + + if (data->payload_len[1] == 74) { + if (data->payload_len[0] == 0) + return true; + } + + if (data->payload_len[0] == 45) { + if (data->payload_len[1] == 0) + return true; + } + + if (data->payload_len[1] == 45) { + if (data->payload_len[0] == 0) + return true; + } + + if (data->payload_len[0] == 53) { + if (data->payload_len[1] < 30) + return false; + if (data->payload_len[1] > 33) + return false; + return true; + } + if (data->payload_len[1] == 53) { + if (data->payload_len[0] < 30) + return false; + if (data->payload_len[0] > 33) + return false; + return true; + } + + if (data->payload_len[0] == 16) { + if (data->payload_len[1] == 18) + return true; + if (data->payload_len[1] == 16) + return true; + if (data->payload_len[1] == 13) + return true; + if (data->payload_len[1] == 0) { + return true; + } + } + + if (data->payload_len[1] == 16) { + if (data->payload_len[0] == 18) + return true; + if (data->payload_len[0] == 16) + return true; + if (data->payload_len[0] == 13) + return true; + if (data->payload_len[0] == 0) { + return true; + } + } + + if (data->payload_len[0] >= 16 && data->payload_len[0] <= 19) { + if (data->payload_len[1] < 40) + return false; + if (data->payload_len[1] > 44) + return false; + return true; + } + + if (data->payload_len[1] >= 16 && data->payload_len[1] <= 19) { + if (data->payload_len[0] < 40) + return false; + if (data->payload_len[0] > 44) + return false; + return true; + } + + + return false; +} + +static lpi_module_t lpi_callofduty = { + LPI_PROTO_UDP_COD, + LPI_CATEGORY_GAMING, + "Call_of_Duty", + 60, /* Must be lower priority than XLSP */ + match_callofduty +}; + +void register_callofduty(LPIModuleMap *mod_map) { + register_protocol(&lpi_callofduty, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_codmobile.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_codmobile.cc new file mode 100644 index 0000000..b1daf2e --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_codmobile.cc @@ -0,0 +1,75 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_cod_mob84(uint32_t payload, uint32_t len) { + if (MATCH(payload, 0x43, 0x01, 0xc0, 0x12) && len == 84) { + return true; + } + return false; +} + +static inline bool match_cod_mob12(uint32_t payload, uint32_t len) { + if (MATCH(payload, 0x43, 0x02, 0xc0, 0x00) && len == 12) { + return true; + } + return false; +} + +static inline bool match_codmobile(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_cod_mob84(data->payload[0], data->payload_len[0])) { + if (match_cod_mob12(data->payload[1], data->payload_len[1])) { + return true; + } + } + + if (match_cod_mob84(data->payload[1], data->payload_len[1])) { + if (match_cod_mob12(data->payload[0], data->payload_len[0])) { + return true; + } + } + + return false; +} + +static lpi_module_t lpi_codmobile = { + LPI_PROTO_UDP_COD_MOBILE, + LPI_CATEGORY_GAMING, + "CallOfDuty_Mobile", + 15, + match_codmobile +}; + +void register_codmobile(LPIModuleMap *mod_map) { + register_protocol(&lpi_codmobile, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_combatarms.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_combatarms.cc new file mode 100644 index 0000000..0f4a76b --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_combatarms.cc @@ -0,0 +1,71 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_arms_5(uint32_t payload, uint32_t len) { + if (len == 5 && MATCH(payload, 0x00, 0xf1, 0x37, 0x13)) + return true; + return false; +} + +static inline bool match_arms_any(uint32_t payload, uint32_t len) { + if (len < 100 && MATCH(payload, 0x00, 0xf1, 0x37, 0x13)) + return true; + return false; +} + +static inline bool match_combatarms(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_arms_5(data->payload[0],data->payload_len[0])) { + if (match_arms_any(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_arms_5(data->payload[1],data->payload_len[1])) { + if (match_arms_any(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_combatarms = { + LPI_PROTO_UDP_COMBATARMS, + LPI_CATEGORY_GAMING, + "CombatArms", + 40, + match_combatarms +}; + +void register_combatarms(LPIModuleMap *mod_map) { + register_protocol(&lpi_combatarms, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_combatarms_p2p.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_combatarms_p2p.cc new file mode 100644 index 0000000..512979a --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_combatarms_p2p.cc @@ -0,0 +1,80 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_arms_p2p_ping(uint32_t payload, uint32_t len) { + if (len == 28 && MATCH(payload, 0x00, 0x00, 0xc0, 0x00)) + return true; + if (len == 28 && MATCH(payload, 0x00, 0x00, 0xc0, 0x01)) + return true; + return false; +} + +static inline bool match_arms_p2p_pong(uint32_t payload, uint32_t len) { + if (len == 28 && MATCH(payload, 0x00, 0x00, 0xc0, 0x00)) + return true; + if (len == 28 && MATCH(payload, 0x00, 0x00, 0xc0, 0x01)) + return true; + if (len == 0) + return true; + return false; +} + +static inline bool match_combatarms_p2p(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Another protocol, probably used for direct player to + * player communication. */ + + if (match_arms_p2p_ping(data->payload[0], data->payload_len[0])) { + if (match_arms_p2p_pong(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_arms_p2p_ping(data->payload[1], data->payload_len[1])) { + if (match_arms_p2p_pong(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_combatarms_p2p = { + LPI_PROTO_UDP_COMBATARMS_P2P, + LPI_CATEGORY_GAMING, + "CombatArms_P2P", + 140, + match_combatarms_p2p +}; + +void register_combatarms_p2p(LPIModuleMap *mod_map) { + register_protocol(&lpi_combatarms_p2p, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_contract_wars.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_contract_wars.cc new file mode 100644 index 0000000..3b96370 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_contract_wars.cc @@ -0,0 +1,89 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +static inline bool match_cw_09(uint32_t payload, uint32_t len) { + + if (len < 1300) { + return false; + } + + if (MATCH(payload, 0x09, 0x0b, 0x0d, 0xd0)) { + return true; + } + if (MATCH(payload, 0x09, 0x0b, 0x00, 0x80)) { + return true; + } + return false; +} + +static inline bool match_cw_0a(uint32_t payload, uint32_t len) { + + if (len < 1300) { + return false; + } + + if (MATCHSTR(payload, "\x0a\x00\xff\xff")) { + return true; + } + return false; +} + +static inline bool match_contract_wars(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_cw_09(data->payload[0], data->payload_len[0])) { + if (match_cw_0a(data->payload[1], data->payload_len[1])) { + return true; + } + } + + if (match_cw_09(data->payload[1], data->payload_len[1])) { + if (match_cw_0a(data->payload[0], data->payload_len[0])) { + return true; + } + } + + return false; +} + +static lpi_module_t lpi_contract_wars = { + LPI_PROTO_UDP_CONTRACT_WARS, + LPI_CATEGORY_GAMING, + "ContractWars", + 50, + match_contract_wars +}; + +void register_contract_wars(LPIModuleMap *mod_map) { + register_protocol(&lpi_contract_wars, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_crossfire.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_crossfire.cc new file mode 100644 index 0000000..0410997 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_crossfire.cc @@ -0,0 +1,77 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_cf_25(uint32_t payload, uint32_t len) { + + if (len == 25 && MATCH(payload, 0xc7, 0xd9, 0x19, 0x99)) + return true; + if (len == 35 && MATCH(payload, 0xc7, 0xd9, 0x19, 0x99)) + return true; + return false; + +} + +static inline bool match_cf_5(uint32_t payload, uint32_t len) { + + if (len == 5 && MATCH(payload, 0xc7, 0xd9, 0x19, 0x99)) + return true; + return false; + +} + +static inline bool match_crossfire(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_cf_25(data->payload[0], data->payload_len[0])) { + if (match_cf_5(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_cf_25(data->payload[1], data->payload_len[1])) { + if (match_cf_5(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_crossfire = { + LPI_PROTO_UDP_CROSSFIRE, + LPI_CATEGORY_GAMING, + "CrossfireUDP", + 10, + match_crossfire +}; + +void register_crossfire(LPIModuleMap *mod_map) { + register_protocol(&lpi_crossfire, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_crossout.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_crossout.cc new file mode 100644 index 0000000..da8a268 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_crossout.cc @@ -0,0 +1,75 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_co_05(uint32_t payload, uint32_t len) { + + if (len == 1322 && MATCHSTR(payload, "\x05\x00\xff\xff")) + return true; + return false; + +} + +static inline bool match_co_06(uint32_t payload, uint32_t len) { + + if (len == 1322 && MATCHSTR(payload, "\x06\x00\xff\xff")) + return true; + return false; + +} + +static inline bool match_crossout(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_co_05(data->payload[0], data->payload_len[0])) { + if (match_co_06(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_co_05(data->payload[1], data->payload_len[1])) { + if (match_co_06(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_crossout = { + LPI_PROTO_UDP_CROSSOUT, + LPI_CATEGORY_GAMING, + "Crossout", + 11, + match_crossout +}; + +void register_crossout(LPIModuleMap *mod_map) { + register_protocol(&lpi_crossout, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_csgo.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_csgo.cc new file mode 100644 index 0000000..6e31057 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_csgo.cc @@ -0,0 +1,103 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Pretty sure this is Counterstrike: Global Offensive (saw references to the + * map 'mg_de_dust' in other flows between the same endpoints). + */ + +static inline bool match_ff_csgo(lpi_data_t *data) { + + if (!match_str_both(data, "\xff\xff\xff\xff", "\xff\xff\xff\xff")) + return false; + + if (data->payload_len[0] == 33 && data->payload_len[1] == 18) + return true; + if (data->payload_len[1] == 33 && data->payload_len[0] == 18) + return true; + + if (data->payload_len[0] == 23 && data->payload_len[1] >= 61 && + data->payload_len[1] <= 66) + return true; + if (data->payload_len[1] == 23 && data->payload_len[0] >= 61 && + data->payload_len[0] <= 66) + return true; + + return false; +} + +static inline bool match_sdping(uint32_t payload) { + if (MATCH(payload, 0x01, 0x00, 's', 'd')) + return true; + return false; +} + +static inline bool match_sdpong(uint32_t payload) { + if (MATCH(payload, 0x02, 0x12, 'T', 'l')) + return true; + if (MATCH(payload, 0x02, 0x12, 'T', 'd')) + return true; + if (MATCH(payload, 0x02, 0x12, 'X', 'd')) + return true; + return false; +} + +static inline bool match_csgo(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_ff_csgo(data)) { + return true; + } + + if (match_sdping(data->payload[0])) { + if (match_sdpong(data->payload[1])) + return true; + } + + if (match_sdping(data->payload[1])) { + if (match_sdpong(data->payload[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_csgo = { + LPI_PROTO_UDP_CS_GLOBAL_OFFENSIVE, + LPI_CATEGORY_GAMING, + "CSGlobalOffensive", + 18, + match_csgo +}; + +void register_csgo(LPIModuleMap *mod_map) { + register_protocol(&lpi_csgo, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_csoriginal.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_csoriginal.cc new file mode 100644 index 0000000..ade9266 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_csoriginal.cc @@ -0,0 +1,74 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +static inline bool match_csorig_14(uint32_t payload, uint32_t len) { + if (len == 14 && MATCHSTR(payload, "\xff\xff\xff\xff")) + return true; + return false; +} + +static inline bool match_csorig_big(uint32_t payload, uint32_t len) { + + if (len >= 800 && len < 1000 && MATCHSTR(payload, "\xff\xff\xff\xff")) + return true; + + return false; +} + +static inline bool match_csoriginal(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_csorig_14(data->payload[0], data->payload_len[0])) { + if (match_csorig_big(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_csorig_14(data->payload[1], data->payload_len[1])) { + if (match_csorig_big(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_csoriginal = { + LPI_PROTO_UDP_COUNTERSTRIKE_16, + LPI_CATEGORY_GAMING, + "Counterstrike1.6", + 50, + match_csoriginal +}; + +void register_csoriginal(LPIModuleMap *mod_map) { + register_protocol(&lpi_csoriginal, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_dahua.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_dahua.cc new file mode 100644 index 0000000..a61730e --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_dahua.cc @@ -0,0 +1,63 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Chinese IP surveillance Cameras */ + +static inline bool match_dahua_p2p(uint32_t payload, uint32_t len) { + if (len == 44 && MATCHSTR(payload, "\xff\xfe\xff\xe7")) + return true; + return false; + +} + +static inline bool match_dahua(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_dahua_p2p(data->payload[0], data->payload_len[0])) { + if (match_dahua_p2p(data->payload[1], data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_dahua = { + LPI_PROTO_UDP_DAHUA, + LPI_CATEGORY_IPCAMERAS, + "Dahua", + 13, + match_dahua +}; + +void register_dahua(LPIModuleMap *mod_map) { + register_protocol(&lpi_dahua, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_db2.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_db2.cc new file mode 100644 index 0000000..67e3b4c --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_db2.cc @@ -0,0 +1,84 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_db2_query(uint32_t payload, uint32_t len) { + + if (len != 20) + return false; + + if (!MATCHSTR(payload, "DB2G")) + return false; + return true; + +} + +static inline bool match_db2_response(uint32_t payload, uint32_t len) { + if (len == 0) + return true; + + return false; + +} + +static inline bool match_db2(lpi_data_t *data, lpi_module_t *mod UNUSED) { + /* Only ever seen this as scan traffic so far, so no idea what the + * response should look like. + */ + + /* Assume port 523 for now */ + if (data->server_port != 523 && data->client_port != 523) + return false; + + if (match_db2_query(data->payload[0], data->payload_len[0])) { + if (match_db2_response(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_db2_query(data->payload[1], data->payload_len[1])) { + if (match_db2_response(data->payload[0], data->payload_len[0])) + return true; + } + return false; +} + +static lpi_module_t lpi_db2 = { + LPI_PROTO_UDP_DB2, + LPI_CATEGORY_DATABASES, + "IBM-DB2", + 6, + match_db2 +}; + +void register_db2(LPIModuleMap *mod_map) { + register_protocol(&lpi_db2, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_dcc.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_dcc.cc new file mode 100644 index 0000000..ea2043c --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_dcc.cc @@ -0,0 +1,93 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* DCC is the IRC-based file sharing protocol, not to be confused with + * Direct Connect */ + +static inline bool match_dcc_length(uint32_t payload, uint32_t len) { + + uint32_t hdr_len; + + hdr_len = (ntohl(payload)) >> 16; + + if (hdr_len == len) + return true; + return false; + +} + +static inline bool match_dcc_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (!match_dcc_length(data->payload[0], data->payload_len[0])) + return false; + if (!match_dcc_length(data->payload[1], data->payload_len[1])) + return false; + + /* Byte 3 must match */ + if ((ntohl(data->payload[0]) & 0xff00) != (ntohl(data->payload[1]) & 0xff00)) + return false; + + if (MATCH(data->payload[0], ANY, ANY, ANY, 0x01)) { + if (MATCH(data->payload[1], ANY, ANY, ANY, 0x06)) + return true; + } + + if (MATCH(data->payload[1], ANY, ANY, ANY, 0x01)) { + if (MATCH(data->payload[0], ANY, ANY, ANY, 0x06)) + return true; + } + + if (MATCH(data->payload[0], ANY, ANY, ANY, 0x02)) { + if (MATCH(data->payload[1], ANY, ANY, ANY, 0x04)) + return true; + } + + if (MATCH(data->payload[1], ANY, ANY, ANY, 0x02)) { + if (MATCH(data->payload[0], ANY, ANY, ANY, 0x04)) + return true; + } + + return false; +} + +static lpi_module_t lpi_dcc_udp = { + LPI_PROTO_UDP_DCC, + LPI_CATEGORY_CHAT, + "DCC_UDP", + 8, + match_dcc_udp +}; + +void register_dcc_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_dcc_udp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_demonware.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_demonware.cc new file mode 100644 index 0000000..12fa9cf --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_demonware.cc @@ -0,0 +1,93 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_demonware(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* This is some sort of control channel for demonware? */ + if (data->payload_len[0] == 15 && data->payload_len[1] == 0) { + if (MATCH(data->payload[0], 0x15, 0x02, 0x00, ANY)) + return true; + } + + if (data->payload_len[1] == 15 && data->payload_len[0] == 0) { + if (MATCH(data->payload[1], 0x15, 0x02, 0x00, ANY)) + return true; + } + + + /* Demonware bandwidth testing involves sending a series of 1024 + * byte packets to a known server - each packet has an incrementing + * seqno, starting from zero */ + + if (!match_str_both(data, "\x00\x00\x00\x00", "\x00\x00\x00\x00")) + return false; + + if (data->payload_len[0] == 1024) { + if (data->payload_len[1] == 0) + return true; + if (data->payload_len[1] == 1024) + return true; + } + + if (data->payload_len[1] == 1024) { + if (data->payload_len[0] == 0) + return true; + } + + /* Sometimes 512 bytes are used as well, but only ever one-way */ + if (data->payload_len[0] == 512) { + if (data->payload_len[1] == 0) + return true; + } + if (data->payload_len[1] == 512) { + if (data->payload_len[0] == 0) + return true; + } + + /* Could also check for ports 3074 and 3075 if needed */ + + + return false; +} + +static lpi_module_t lpi_demonware = { + LPI_PROTO_UDP_DEMONWARE, + LPI_CATEGORY_GAMING, + "Demonware", + 4, + match_demonware +}; + +void register_demonware(LPIModuleMap *mod_map) { + register_protocol(&lpi_demonware, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_destiny_udp.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_destiny_udp.cc new file mode 100644 index 0000000..2892418 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_destiny_udp.cc @@ -0,0 +1,74 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_destiny_299(uint32_t payload, uint32_t len) { + if (len == 299 && MATCH(payload, 0x00, 0x00, 0x00, 0x01)) + return true; + return false; +} + +static inline bool match_destiny_423(uint32_t payload, uint32_t len) { + if (len == 423 && MATCH(payload, 0x00, 0x00, 0x00, 0x01)) + return true; + return false; +} + +static inline bool match_destiny_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 3074 && data->client_port != 3074) + return false; + + if (match_destiny_299(data->payload[0], data->payload_len[0])) { + if (match_destiny_423(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_destiny_299(data->payload[1], data->payload_len[1])) { + if (match_destiny_423(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_destiny_udp = { + LPI_PROTO_UDP_DESTINY, + LPI_CATEGORY_GAMING, + "DestinyUDP", + 166, + match_destiny_udp +}; + +void register_destiny_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_destiny_udp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_dhcp.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_dhcp.cc new file mode 100644 index 0000000..9b9f362 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_dhcp.cc @@ -0,0 +1,118 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_dhcp_v4(lpi_data_t *data) { + if (match_chars_either(data, 0x01, 0x01, 0x06, 0x00)) + return true; + if (match_chars_either(data, 0x02, 0x01, 0x06, 0x00)) + return true; + + return false; +} + +static inline bool match_dhcp_v6_ports(uint16_t porta, uint16_t portb) { + if (porta == 547 && portb == 546) + return true; + if (portb == 547 && porta == 546) + return true; + return false; +} + +static inline bool match_dhcp_v6_solicit(uint32_t payload, uint32_t len) { + + if (len < 52) + return false; + if (!MATCH(payload, 0x01, ANY, ANY, ANY)) + return false; + + return true; + +} + +static inline bool match_dhcp_v6_advert(uint32_t payload, uint32_t len) { + + if (len == 0) + return true; + if (MATCH(payload, 0x02, ANY, ANY, ANY)) + return false; + + return true; + +} + +static inline bool match_dhcp_v6(lpi_data_t *data) { + + if (!match_dhcp_v6_ports(data->server_port, data->client_port)) + return false; + + if (match_dhcp_v6_solicit(data->payload[0], data->payload_len[0])) { + if (match_dhcp_v6_advert(data->payload[1], + data->payload_len[1])) { + return true; + } + } + + if (match_dhcp_v6_solicit(data->payload[1], data->payload_len[1])) { + if (match_dhcp_v6_advert(data->payload[0], + data->payload_len[0])) { + return true; + } + } + + return false; +} + +static inline bool match_dhcp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + + if (match_dhcp_v4(data)) + return true; + if (match_dhcp_v6(data)) + return true; + + return false; + +} + + +static lpi_module_t lpi_dhcp = { + LPI_PROTO_UDP_DHCP, + LPI_CATEGORY_SERVICES, + "DHCP", + 8, + match_dhcp +}; + +void register_dhcp(LPIModuleMap *mod_map) { + register_protocol(&lpi_dhcp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_dht_dict.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_dht_dict.cc new file mode 100644 index 0000000..913ae7d --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_dht_dict.cc @@ -0,0 +1,279 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Separate modules for dictionary-style DHT (which has a much stronger rule) + * and Vuze DHTs (which are not so strong) + * + * This source file also covers the uTP protocol, which typically shares the + * same flow as the dictionary DHTs + */ + +static inline bool match_utp_query(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 0x01, 0x00, ANY, ANY)) + return true; + if (MATCH(payload, 0x11, 0x00, ANY, ANY) && len == 20) + return true; + if (MATCH(payload, 0x21, 0x02, ANY, ANY) && len == 30) + return true; + if (MATCH(payload, 0x21, 0x00, ANY, ANY) && len == 20) + return true; + if (MATCH(payload, 0x31, 0x02, ANY, ANY) && len == 30) + return true; + if (MATCH(payload, 0x31, 0x00, ANY, ANY) && len == 20) + return true; + if (MATCH(payload, 0x41, 0x02, ANY, ANY) && len == 30) + return true; + if (MATCH(payload, 0x41, 0x00, ANY, ANY) && len == 20) + return true; + return false; + +} + +static inline bool match_utp_reply(uint32_t payload, uint32_t len) { + + if (len == 0) + return true; + if (MATCH(payload, 0x11, 0x00, ANY, ANY) && len == 20) + return true; + if (MATCH(payload, 0x21, 0x02, ANY, ANY) && (len == 30 || len == 33)) + return true; + if (MATCH(payload, 0x21, 0x01, ANY, ANY) && (len == 26 || len == 23)) + return true; + if (MATCH(payload, 0x21, 0x00, ANY, ANY) && len == 20) + return true; + if (MATCH(payload, 0x31, 0x02, ANY, ANY) && len == 30) + return true; + if (MATCH(payload, 0x31, 0x00, ANY, ANY) && len == 20) + return true; + if (MATCH(payload, 0x41, 0x00, ANY, ANY) && len == 20) + return true; + if (MATCH(payload, 0x41, 0x02, ANY, ANY) && (len == 33 || len == 30)) + return true; + + return false; +} + +static inline bool match_opentracker_98(uint32_t payload, uint32_t len) { + if (len == 98 || len == 109) + return true; + return false; +} + +static inline bool match_opentracker_X6(uint32_t payload, uint32_t len) { + if (len >= 36 && (len % 10) == 6) + return true; + return false; +} + +static inline bool match_opentracker_01(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 0x00, 0x00, 0x00, 0x01)) + return true; + return false; + +} + +static inline bool match_opentracker_02(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 0x00, 0x00, 0x00, 0x02)) + return true; + return false; + +} + +static inline bool match_dict_query(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 'd', '1', ':', 'a')) + return true; + if (MATCH(payload, 'd', '1', ':', 'r')) + return true; + if (MATCH(payload, 'd', '1', ':', 'e')) + return true; + if (MATCH(payload, 'd', '1', ':', 'q')) + return true; + if (MATCH(payload, 'd', '1', ':', 't')) + return true; + if (MATCH(payload, 'd', '1', ANY, ':')) + return true; + + return false; + +} + +static inline bool match_dict_reply(uint32_t payload, uint32_t len) { + + if (len == 0) + return true; + + if (MATCH(payload, 'd', '1', ':', 'a')) + return true; + if (MATCH(payload, 'd', '1', ':', 'r')) + return true; + if (MATCH(payload, 'd', '1', ':', 'e')) + return true; + if (MATCH(payload, 'd', '1', ANY, ':')) + return true; + if (MATCH(payload, 'd', '2', ':', 'i')) + return true; + + /* These are a bit iffy, but this seems to be what happens in + * response to a lot of dict queries :/ */ + if (len == 23) + return true; + if (len == 33) + return true; + + + return false; + +} + +static inline bool num_seq_match(uint32_t query, uint32_t resp) { + + uint32_t query_seq = (ntohl(query)) & 0x0000ffff; + uint32_t resp_seq = (ntohl(resp)) & 0x0000ffff; + + if (query_seq == resp_seq) + return true; + + /* Allowed to be seq +/- 1 as well, apparently */ + if (query_seq == resp_seq + 1) + return true; + if (query_seq == resp_seq - 1) + return true; + + return false; + +} + +static inline bool match_bt_search(uint32_t payload, uint32_t len) { + + /* Matches the BT-SEARCH command, which we've seen while messing with + * World of Warcraft */ + if (MATCHSTR(payload, "BT-S")) + return true; + return false; + +} + +static inline bool match_dht_dict(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_dict_query(data->payload[0], data->payload_len[0])) { + if (match_dict_reply(data->payload[1], data->payload_len[1])) + return true; + if (match_utp_reply(data->payload[1], data->payload_len[1])) + return true; + if (match_utp_query(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_dict_query(data->payload[1], data->payload_len[1])) { + if (match_dict_reply(data->payload[0], data->payload_len[0])) + return true; + if (match_utp_reply(data->payload[0], data->payload_len[0])) + return true; + if (match_utp_query(data->payload[0], data->payload_len[0])) + return true; + } + + if (match_utp_query(data->payload[0], data->payload_len[0])) { + + if (MATCH(data->payload[0], 0x01, 0x00, ANY, ANY)) { + if (!num_seq_match(data->payload[0], data->payload[1])) + return false; + + } + + if (match_utp_reply(data->payload[1], data->payload_len[1])) + return true; + if (match_dict_reply(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_utp_query(data->payload[1], data->payload_len[1])) { + if (MATCH(data->payload[1], 0x01, 0x00, ANY, ANY)) { + if (!num_seq_match(data->payload[1], data->payload[0])) + return false; + } + if (match_utp_reply(data->payload[0], data->payload_len[0])) + return true; + if (match_dict_reply(data->payload[0], data->payload_len[0])) + return true; + } + + if (match_bt_search(data->payload[0], data->payload_len[0])) { + if (data->payload_len[1] == 0) + return true; + } + if (match_bt_search(data->payload[1], data->payload_len[1])) { + if (data->payload_len[0] == 0) + return true; + } + + + if (match_opentracker_X6(data->payload[0], data->payload_len[0])) { + if (match_opentracker_02(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_opentracker_X6(data->payload[1], data->payload_len[1])) { + if (match_opentracker_02(data->payload[0], data->payload_len[0])) + return true; + } + + if (match_opentracker_98(data->payload[0], data->payload_len[0])) { + if (match_opentracker_01(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_opentracker_98(data->payload[1], data->payload_len[1])) { + if (match_opentracker_01(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + + +static lpi_module_t lpi_dht_dict = { + LPI_PROTO_UDP_BTDHT, + LPI_CATEGORY_P2P, + "BitTorrent_UDP", + 6, + match_dht_dict +}; + +void register_dht_dict(LPIModuleMap *mod_map) { + register_protocol(&lpi_dht_dict, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_dht_other.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_dht_other.cc new file mode 100644 index 0000000..d72cca8 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_dht_other.cc @@ -0,0 +1,299 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* http://xbtt.sourceforge.net/udp_tracker_protocol.html */ +static inline bool match_xbt_tracker(lpi_data_t *data) { + + if (data->payload_len[0] != 0 && data->payload_len[0] != 16) + return false; + if (data->payload_len[1] != 0 && data->payload_len[1] != 16) + return false; + + if (!match_chars_either(data, 0x00, 0x00, 0x04, 0x17)) + return false; + + if (data->payload_len[0] == 0 || data->payload_len[1] == 0) + return true; + + if (data->payload_len[0] == 16 && data->payload_len[1] == 16 && + match_chars_either(data, 0x00, 0x00, 0x00, 0x00)) + return true; + + return false; + +} + + +static inline bool match_unknown_btudp(lpi_data_t *data) { + + /* I have not been able to figure out exactly what this stuff + * is, but I'm pretty confident it is somehow related to a + * BitTorrent implementation or two */ + + /* The recipient does not reply */ + if (data->payload_len[0] > 0 && data->payload_len[1] > 0) + return false; + + if (!(match_str_both(data, "\x00\x00\x00\x00", "\x00\x00\x00\x00"))) + return false; + + if (data->payload_len[0] == 14 || data->payload_len[0] == 18) + return true; + if (data->payload_len[1] == 14 || data->payload_len[1] == 18) + return true; + + return false; + +} + +static inline bool match_vuze_dht_request(uint32_t payload, uint32_t len, + bool check_msb) { + + + /* Some implementations don't choose an appropriate MSB or get the + * byte ordering wrong, so we only force an MSB check when we're + * examining requests that get no response. + */ + + if (len < 4) + return false; + + if (check_msb) { + + if ((ntohl(payload) & 0x80000000) != 0x80000000) + return false; + + } else { + /* Automatically return true if the MSB is set, regardless of + * request size */ + + if ((ntohl(payload) & 0x80000000) == 0x80000000) + return true; + } + + + if (len == 42 || len == 51) { + return true; + } + + if (len == 63 || len == 65 || len == 71) + return true; + + return false; + +} + +static inline bool match_vuze_dht_reply(uint32_t data, uint32_t len) { + + /* Each reply action is an odd number */ + + if (MATCH(data, 0x00, 0x00, 0x04, 0x01)) + return true; + if (MATCH(data, 0x00, 0x00, 0x04, 0x03)) + return true; + if (MATCH(data, 0x00, 0x00, 0x04, 0x05)) + return true; + if (MATCH(data, 0x00, 0x00, 0x04, 0x07)) + return true; + + /* Except for this one, which is an error message */ + if (MATCH(data, 0x00, 0x00, 0x04, 0x08)) + return true; + + return false; + + +} + +static inline bool match_vuze_dht_alt(lpi_data_t *data) { + + /* Flows matching this rule *appear* to be doing something related + * to the Vuze DHT system, but this behaviour is undocumented. + * + * I have observed flows that match the conventional Vuze DHT rule + * involving the same IP/port as flows that match this rule, so + * that does suggest it is related to Vuze somehow. */ + + if (data->payload_len[0] != 0 && + (ntohl(data->payload[0]) & 0x80000000) != 0x80000000) + return false; + if (data->payload_len[1] != 0 && + (ntohl(data->payload[1]) & 0x80000000) != 0x80000000) + return false; + + if (data->payload_len[0] == 90 && data->payload_len[1] == 79) + return true; + if (data->payload_len[1] == 90 && data->payload_len[0] == 79) + return true; + if (data->payload_len[0] == 90 && data->payload_len[1] == 0) + return true; + if (data->payload_len[1] == 90 && data->payload_len[0] == 0) + return true; + + return false; +} + + +static inline bool match_vuze_dht(lpi_data_t *data) { + + /* OK, gotta rework this one as this protocol is a bit messed up in + * the implementation. + * + * Normally, we have a request which contains a random number in + * the first four bytes. However, the MSB of that number must be + * set to one. + * + * The reply begins with a four byte action which is easy to identify. + * + * However, we also get replies in both directions (which is a bit + * odd). I'm also seeing requests where the MSB is not set, which is + * a definite violation. + * + * However, I think we want to count these - they are clearly attempts + * to use this protocol so classing them as unknown doesn't seem + * right. + */ + + if (match_vuze_dht_reply(data->payload[0], data->payload_len[0])) { + + if (data->payload_len[1] == 0) + return true; + + if (match_vuze_dht_request(data->payload[1], + data->payload_len[1], false)) + return true; + + /* Check for replies in both directions */ + if (match_vuze_dht_reply(data->payload[1], + data->payload_len[1])) + return true; + + } + if (match_vuze_dht_reply(data->payload[1], data->payload_len[1])) { + + if (data->payload_len[0] == 0) + return true; + + if (match_vuze_dht_request(data->payload[0], + data->payload_len[0], false)) + return true; + + /* Check for replies in both directions */ + if (match_vuze_dht_reply(data->payload[0], + data->payload_len[0])) + return true; + + } + + /* Check for unanswered requests - these are much harder to match, + * because they are simply a random conn id. We can only hope to match + * on common packet sizes and the MSB being set + * + * XXX This could lead to a few false positives, so be careful */ + + if (data->payload[0] == 0) { + if (match_vuze_dht_request(data->payload[1], + data->payload_len[1], true)) + return true; + } + + if (data->payload[1] == 0) { + if (match_vuze_dht_request(data->payload[0], + data->payload_len[0], true)) + return true; + } + + /* Apparently, we can also see requests both ways, which is a bit + * less than ideal.... + */ + if (match_vuze_dht_request(data->payload[0], data->payload_len[0], true) && match_vuze_dht_request(data->payload[1], data->payload_len[1], true)) + return true; + + + if (match_vuze_dht_alt(data)) + return true; + + return false; + + + +} + +static inline bool match_unknown_dht(lpi_data_t *data) { + + /* I don't know exactly what BT clients do this, but there are often + * DHT queries and responses present in flows that match this rule, + * so we're going to go with some form of Bittorrent */ + + if (data->payload[0] == 0 || data->payload[1] == 0) + return false; + + /* Both initial packets are 33 bytes and have the exact same + * payload */ + if (data->payload_len[0] != 33 || data->payload_len[1] != 33) + return false; + + if (data->payload[0] != data->payload[1]) + return false; + + return true; + +} + + +static inline bool match_dht_other(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_unknown_btudp(data)) + return true; + if (match_vuze_dht(data)) + return true; + if (match_xbt_tracker(data)) + return true; + if (match_unknown_dht(data)) + return true; + + return false; +} + +static lpi_module_t lpi_dht_other = { + LPI_PROTO_UDP_BTDHT, + LPI_CATEGORY_P2P, + "BitTorrent_UDP", + 12, /* Need to be lower priority than DNS, at least in cases + * where traffic is one-way only */ + match_dht_other +}; + +void register_dht_other(LPIModuleMap *mod_map) { + register_protocol(&lpi_dht_other, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_diablo2.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_diablo2.cc new file mode 100644 index 0000000..55da20b --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_diablo2.cc @@ -0,0 +1,72 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_diablo2_message(uint32_t payload, uint32_t len) { + + if (len == 0) + return true; + + if (MATCH(payload, 0x03, 0x00, 0x00, 0x00) && len == 8) + return true; + if (MATCH(payload, 0x05, 0x00, 0x00, 0x00) && len == 8) + return true; + if (MATCH(payload, 0x09, 0x00, 0x00, 0x00) && len == 12) + return true; + + return false; +} + +static inline bool match_diablo2(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 6112 && data->client_port != 6112) + return false; + + if (!match_diablo2_message(data->payload[0], data->payload_len[0])) + return false; + if (!match_diablo2_message(data->payload[1], data->payload_len[1])) + return false; + + return true; +} + +static lpi_module_t lpi_diablo2 = { + LPI_PROTO_UDP_DIABLO2, + LPI_CATEGORY_GAMING, + "Diablo2", + 3, + match_diablo2 +}; + +void register_diablo2(LPIModuleMap *mod_map) { + register_protocol(&lpi_diablo2, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_dianping_udp.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_dianping_udp.cc new file mode 100644 index 0000000..19094aa --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_dianping_udp.cc @@ -0,0 +1,79 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +static inline bool match_dianping_query(uint32_t payload, uint32_t len) { + + if (len != 14) + return false; + if (MATCH(payload, 0x4e, 0x58, 0x00, 0x0a)) + return true; + return false; +} + +static inline bool match_dianping_resp(uint32_t payload, uint32_t len) { + if (len == 0) + return true; + if (len != 16) + return false; + if (MATCH(payload, 0x4e, 0x58, 0x00, 0x0c)) + return true; + return false; +} + +static inline bool match_dianping_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_dianping_query(data->payload[0], data->payload_len[0])) { + if (match_dianping_resp(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_dianping_query(data->payload[1], data->payload_len[1])) { + if (match_dianping_resp(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_dianping_udp = { + LPI_PROTO_UDP_DIANPING, + LPI_CATEGORY_MOBILE_APP, + "DianpingUDP", + 21, + match_dianping_udp +}; + +void register_dianping_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_dianping_udp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_dianshijia.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_dianshijia.cc new file mode 100644 index 0000000..74c395e --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_dianshijia.cc @@ -0,0 +1,81 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +/* APK name = com.dianshijia.tvlive */ +/* Published by New Zealand ibestv Trading Limited (?) */ + +static inline bool match_dsj_req(uint32_t payload, uint32_t len) { + if (len == 20 && MATCHSTR(payload, "\xff\x03\x00\x00")) + return true; + + return false; +} + +static inline bool match_dsj_reply(uint32_t payload, uint32_t len) { + if (len == 20 && MATCHSTR(payload, "\xff\x05\x00\x00")) + return true; + if (len == 20 && MATCHSTR(payload, "\xff\x03\x01\x00")) + return true; + + return false; +} + +static inline bool match_dianshijia(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + + if (match_dsj_req(data->payload[0], data->payload_len[0])) { + if (match_dsj_reply(data->payload[1], data->payload_len[1])) + return true; + } + + + if (match_dsj_req(data->payload[1], data->payload_len[1])) { + if (match_dsj_reply(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_dianshijia = { + LPI_PROTO_UDP_DIANSHIJIA, + LPI_CATEGORY_P2PTV, /* I think... */ + "Dianshijia", + 100, + match_dianshijia +}; + +void register_dianshijia(LPIModuleMap *mod_map) { + register_protocol(&lpi_dianshijia, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_directconnect.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_directconnect.cc new file mode 100644 index 0000000..216bf68 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_directconnect.cc @@ -0,0 +1,57 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_directconnect_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->payload_len[0] == 0 && + MATCHSTR(data->payload[1], "$SR ")) + return true; + if (data->payload_len[1] == 0 && + MATCHSTR(data->payload[0], "$SR ")) + return true; + + + return false; +} + +static lpi_module_t lpi_directconnect_udp = { + LPI_PROTO_UDP_DC, + LPI_CATEGORY_P2P, + "DirectConnect_UDP", + 3, + match_directconnect_udp +}; + +void register_directconnect_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_directconnect_udp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_discord.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_discord.cc new file mode 100644 index 0000000..ebc6556 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_discord.cc @@ -0,0 +1,108 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* discord.gg */ + +static inline bool discord_payload_match(uint32_t a, uint32_t b) { + + uint32_t bytea = (ntohl(a) >> 24); + uint32_t byteb = (ntohl(b) & 0xff); + + if (bytea == byteb && bytea != 0x00) { + if (MATCH(a, ANY, 0x00, 0x00, 0x00) && + MATCH(b, 0x00, 0x00, 0x00, ANY)) { + return true; + } + } + + bytea = (ntohl(a) & 0xff); + byteb = (ntohl(b) >> 24); + + if (bytea == byteb && bytea != 0x00) { + if (MATCH(b, ANY, 0x00, 0x00, 0x00) && + MATCH(a, 0x00, 0x00, 0x00, ANY)) { + return true; + } + } + + return false; + +} + +static inline bool match_discord_01(uint32_t payload, uint32_t len) { + if (len == 74 && MATCH(payload, 0x00, 0x01, 0x00, 0x46)) { + return true; + } + return false; +} + +static inline bool match_discord_02(uint32_t payload, uint32_t len) { + if (len == 74 && MATCH(payload, 0x00, 0x02, 0x00, 0x46)) { + return true; + } + return false; +} + +static inline bool match_discord(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Discord voice call/chat */ + if (match_discord_01(data->payload[0], data->payload_len[0])) { + if (match_discord_02(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_discord_01(data->payload[1], data->payload_len[1])) { + if (match_discord_02(data->payload[0], data->payload_len[0])) + return true; + } + + if (discord_payload_match(data->payload[0], data->payload[1])) { + if (data->payload_len[0] == 70 && data->payload_len[1] == 70) + return true; + } + + + return false; +} + +static lpi_module_t lpi_discord = { + LPI_PROTO_UDP_DISCORD, + LPI_CATEGORY_VOIP, + "Discord", + 19, + match_discord +}; + +void register_discord(LPIModuleMap *mod_map) { + register_protocol(&lpi_discord, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_dns.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_dns.cc new file mode 100644 index 0000000..6de0580 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_dns.cc @@ -0,0 +1,84 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_reordered_dns(lpi_data_t *data) { + + /* Unfortunately, UDP can get reordered so if there are multiple + * queries in a flow we cannot guarantee that the first response + * will have the same ID as the first query. + */ + + + /* Just try and match common request / response flag arrangements */ + if (MATCH(data->payload[0], ANY, ANY, 0x01, 0x00)) { + if (MATCH(data->payload[1], ANY, ANY, 0x81, 0x80)) + return true; + } + + if (MATCH(data->payload[1], ANY, ANY, 0x01, 0x00)) { + if (MATCH(data->payload[0], ANY, ANY, 0x81, 0x80)) + return true; + } + + return false; + + +} + +static inline bool match_dns_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* As loath as I am to do this, we probably shouldn't allow any DNS + * on ports other than 53 */ + if (data->server_port != 53 && data->client_port != 53) + return false; + + if (match_dns(data)) + return true; + + if (match_reordered_dns(data)) + return true; + + return false; +} + +static lpi_module_t lpi_dns_udp = { + LPI_PROTO_UDP_DNS, + LPI_CATEGORY_SERVICES, + "DNS", + 10, /* Not a high certainty */ + match_dns_udp +}; + +void register_dns_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_dns_udp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_dota2.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_dota2.cc new file mode 100644 index 0000000..45d3127 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_dota2.cc @@ -0,0 +1,141 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* DOTA 2 -- a popular multiplayer battleground game */ + +static inline bool match_dota2_20(uint32_t payload, uint32_t len) { + + if (len != 20) + return false; + if (MATCHSTR(payload, "\xff\xff\xff\xff")) + return true; + return false; + +} + +static inline bool match_dota2_30(uint32_t payload, uint32_t len) { + + if (len != 30) + return false; + if (MATCHSTR(payload, "\xff\xff\xff\xff")) + return true; + return false; + +} + +static inline bool match_dota2_0100(uint32_t payload, uint32_t len) { + + if (len == 216 && MATCH(payload, 0x01, 0x00, 0x73, 0x64)) + return true; + if (len == 416 && MATCH(payload, 0x01, 0x00, 0x73, 0x64)) + return true; + return false; + +} + +static inline bool match_dota2_0212(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 0x02, 0x12, ANY, ANY)) + return true; + return false; +} + +static inline bool match_dota2_512(uint32_t payload, uint32_t len) { + + if (len == 512) { + if (MATCH(payload, 0x20, 0x0e, 0x00, 0x0d)) + return true; + if (MATCH(payload, 0x20, 0x10, 0x00, 0x0d)) + return true; + } + return false; + +} + +static inline bool match_dota2_24(uint32_t payload, uint32_t len) { + + if (len == 24 && MATCH(payload, 0x21, 0x0d, ANY, ANY)) + return true; + if (len == 26 && MATCH(payload, 0x21, 0x0d, ANY, ANY)) + return true; + return false; + +} + + +static inline bool match_dota2(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_dota2_20(data->payload[0], data->payload_len[0])) { + if (match_dota2_30(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_dota2_20(data->payload[1], data->payload_len[1])) { + if (match_dota2_30(data->payload[0], data->payload_len[0])) + return true; + } + + if (match_dota2_0100(data->payload[0], data->payload_len[0])) { + if (match_dota2_0212(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_dota2_0100(data->payload[1], data->payload_len[1])) { + if (match_dota2_0212(data->payload[0], data->payload_len[0])) + return true; + } + + if (match_dota2_512(data->payload[0], data->payload_len[0])) { + if (match_dota2_24(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_dota2_512(data->payload[1], data->payload_len[1])) { + if (match_dota2_24(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_dota2 = { + LPI_PROTO_UDP_DOTA2, + LPI_CATEGORY_GAMING, + "DOTA2", + 10, + match_dota2 +}; + +void register_dota2(LPIModuleMap *mod_map) { + register_protocol(&lpi_dota2, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_doyo.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_doyo.cc new file mode 100644 index 0000000..c007f25 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_doyo.cc @@ -0,0 +1,83 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Doyo -- Chinese service for downloading free games (especially + * ones that you would otherwise have to buy!) + */ + +static inline bool match_doyo_p2p(uint32_t payload, uint32_t len) { + /* Not the strongest of rules, but not much we can do */ + if (len == 56 && MATCH(payload, 0x00, 0x00, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_doyo_nonzero(uint32_t payload, uint32_t len) { + if (len == 20 && MATCH(payload, ANY, 0x00, 0x00, 0x00) && payload != 0) + return true; + return false; +} + +static inline bool match_doyo(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_doyo_p2p(data->payload[0], data->payload_len[0])) { + if (match_doyo_p2p(data->payload[1], data->payload_len[1])) + return true; + if (match_doyo_nonzero(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_doyo_p2p(data->payload[1], data->payload_len[1])) { + if (match_doyo_nonzero(data->payload[0], data->payload_len[0])) + return true; + } + + if (match_doyo_nonzero(data->payload[0], data->payload_len[0])) { + if (match_doyo_nonzero(data->payload[1], data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_doyo = { + LPI_PROTO_UDP_DOYO, + LPI_CATEGORY_P2P, + "DoyoP2P", + 200, + match_doyo +}; + +void register_doyo(LPIModuleMap *mod_map) { + register_protocol(&lpi_doyo, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_driveshare.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_driveshare.cc new file mode 100644 index 0000000..8de22d6 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_driveshare.cc @@ -0,0 +1,74 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> +#include <stdio.h> +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_driveshare_payload(uint32_t pload, uint32_t len) { + + /* I *think* this is driveshare, which seems to do SMB-like things + * on port 8109 UDP */ + + if (len == ntohl(pload)) { + return true; + } + if (MATCH(pload, 0x00, 0x00, 0x00, 0x00) && len == 48) { + return true; + } + + return false; + +} + +static inline bool match_driveshare(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Add a port restriction here, just to be safe */ + if (data->client_port != 8109 && data->server_port != 8109) + return false; + + if (!match_driveshare_payload(data->payload[0], data->payload_len[0])) + return false; + if (!match_driveshare_payload(data->payload[1], data->payload_len[1])) + return false; + + return true; +} + +static lpi_module_t lpi_driveshare = { + LPI_PROTO_UDP_DRIVESHARE, + LPI_CATEGORY_FILES, + "DriveShare", + 12, + match_driveshare +}; + +void register_driveshare(LPIModuleMap *mod_map) { + register_protocol(&lpi_driveshare, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_dtls.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_dtls.cc new file mode 100644 index 0000000..9eee536 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_dtls.cc @@ -0,0 +1,105 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* This is basically SSL for UDP. Used by AnyConnect. + * It is possible that we can subclassify this traffic, e.g. maybe AnyConnect + * is the only DTLS app that uses port 443 for instance... + * + * Thanks to Remy Mudingay for helping to identify this protocol + */ + +static inline bool match_dtls(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* DTLS uses entirely different versioning to conventional TLS */ + + if (MATCH(data->payload[0], 0x17, 0x01, 0x00, 0x00)) { + if (data->payload_len[1] == 0) + return true; + if (MATCH(data->payload[1], 0x17, 0x01, 0x00, 0x00)) + return true; + } + + if (MATCH(data->payload[1], 0x17, 0x01, 0x00, 0x00)) { + if (data->payload_len[0] == 0) + return true; + } + + if (MATCHSTR(data->payload[0], "\x16\xfe\xff\x00")) { + if (data->payload_len[1] == 0) + return true; + if (MATCHSTR(data->payload[1], "\x16\xfe\xff\x00")) + return true; + } + + if (MATCHSTR(data->payload[1], "\x16\xfe\xff\x00")) { + if (data->payload_len[0] == 0) + return true; + if (MATCHSTR(data->payload[0], "\x16\xfe\xff\x00")) + return true; + } + + /* DTLS 1.2 */ + if (MATCHSTR(data->payload[0], "\x16\xfe\xfd\x00")) { + if (data->payload_len[1] == 0) + return true; + if (MATCHSTR(data->payload[1], "\x16\xfe\xfd\x00")) + return true; + } + + if (MATCHSTR(data->payload[1], "\x16\xfe\xfd\x00")) { + if (data->payload_len[0] == 0) + return true; + if (MATCHSTR(data->payload[1], "\x16\xfe\xfd\x00")) + return true; + } + + /* This is probably Google Duo -- consider separate protocol? */ + if (MATCHSTR(data->payload[0], "\x17\xfe\xfd\x00")) { + if (MATCHSTR(data->payload[1], "\x17\xfe\xfd\x00")) + return true; + } + + return false; +} + +static lpi_module_t lpi_dtls = { + LPI_PROTO_UDP_DTLS, + LPI_CATEGORY_ENCRYPT, + "DTLS", + 100, + match_dtls +}; + +void register_dtls(LPIModuleMap *mod_map) { + register_protocol(&lpi_dtls, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_emule.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_emule.cc new file mode 100644 index 0000000..6321116 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_emule.cc @@ -0,0 +1,241 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_emule_kad(uint32_t payload, uint32_t len) { + + /* Many of these can be tracked back to + * http://easymule.googlecode.com/svn/trunk/src/WorkLayer/opcodes.h + * + * XXX Some of these are request/response pairs that we may need to + * match together if we start getting false positives + */ + + + /* Bootstrap version 2 request and response */ + if (MATCH(payload, 0xe4, 0x00, ANY, ANY) && len == 27) + return true; + if (MATCH(payload, 0xe4, 0x08, ANY, ANY) && len == 529) + return true; + + /* Bootstrap version 2 request and response */ + if (MATCH(payload, 0xe4, 0x01, 0x00, 0x00) && ( + len == 2 || len == 18)) + return true; + if (MATCH(payload, 0xe4, 0x09, ANY, ANY) && len == 523) + return true; + + + if (MATCH(payload, 0xe4, 0x21, ANY, ANY) && len == 35) + return true; + if (MATCH(payload, 0xe4, 0x4b, ANY, ANY) && len == 19) + return true; + if (MATCH(payload, 0xe4, 0x11, ANY, ANY)) { + return true; + } + + if (MATCH(payload, 0xe4, 0x19, ANY, ANY)) { + if (len == 22 || len == 38 || len == 28) + return true; + } + + if (MATCH(payload, 0xe4, 0x20, ANY, ANY) && len == 35) + return true; + + if (MATCH(payload, 0xe4, 0x18, ANY, ANY) && len == 27) + return true; + + if (MATCH(payload, 0xe4, 0x10, ANY, ANY) && len == 27) + return true; + + if (MATCH(payload, 0xe4, 0x58, ANY, ANY) && len == 6) + return true; + + if (MATCH(payload, 0xe4, 0x50, ANY, ANY) && len == 4) + return true; + + if (MATCH(payload, 0xe4, 0x52, ANY, ANY) && len == 36) + return true; + + if (MATCH(payload, 0xe4, 0x40, ANY, ANY) && len == 48) + return true; + + if (MATCH(payload, 0xe4, 0x43, ANY, ANY) && len == 225) + return true; + + if (MATCH(payload, 0xe4, 0x48, ANY, ANY) && len == 19) + return true; + + if (MATCH(payload, 0xe4, 0x29, ANY, ANY)) { + if (len == 119 || len == 69 || len == 294) + return true; + } + + if (MATCH(payload, 0xe4, 0x28, ANY, ANY)) { + if (len == 119 || len == 69 || len == 294) + return true; + if (len == 44) + return true; + if (len == 269) + return true; + } + + return false; +} + + +static bool is_emule_udp(uint32_t payload, uint32_t len) { + + /* Mainly looking at Kad stuff here - Kad packets start with 0xe4 + * for uncompressed and 0xe5 for compressed data */ + + + if (MATCH(payload, 0xe5, 0x43, ANY, ANY)) + return true; + if (MATCH(payload, 0xe5, 0x08, 0x78, 0xda)) + return true; + if (MATCH(payload, 0xe5, 0x28, 0x78, 0xda)) + return true; + + /* emule extensions */ + if (MATCH(payload, 0xc5, 0x90, ANY, ANY)) { + return true; + } + if (MATCH(payload, 0xc5, 0x91, ANY, ANY)) { + return true; + } + if (MATCH(payload, 0xc5, 0x92, ANY, ANY) && (len == 2)) + return true; + if (MATCH(payload, 0xc5, 0x93, ANY, ANY) && (len == 2)) + return true; + if (MATCH(payload, 0xc5, 0x94, ANY, ANY)) { + if (len >= 38 && len <= 70) + return true; + } + + /* 0xe3 covers conventional emule messages */ + if (MATCH(payload, 0xe3, 0x9a, ANY, ANY)) + return true; + if (MATCH(payload, 0xe3, 0x9b, ANY, ANY)) + return true; + if (MATCH(payload, 0xe3, 0x96, ANY, ANY) && len == 6) + return true; + + if (MATCH(payload, 0xe3, 0x97, ANY, ANY)) { + if (len <= 34 && ((len - 2) % 4 == 0)) + return true; + } + if (MATCH(payload, 0xe3, 0x92, ANY, ANY)) + return true; + if (MATCH(payload, 0xe3, 0x94, ANY, ANY)) + return true; + if (MATCH(payload, 0xe3, 0x98, ANY, ANY)) + return true; + if (MATCH(payload, 0xe3, 0x99, ANY, ANY)) + return true; + if (MATCH(payload, 0xe3, 0xa2, ANY, ANY) && len == 6) + return true; + if (MATCH(payload, 0xe3, 0xa3, ANY, ANY)) + return true; + + + + + if (match_emule_kad(payload, len)) + return true; + + + return false; + +} + +static inline bool match_emule_verycd(uint32_t payload, uint32_t len) { + + /* Later packets in the flow are clearly referencing eMule builds + * and software, in particular VeryCD and xl build61 */ + if (len != 31) + return false; + if (!MATCH(payload, 0x3b, 0x00, 0x00, 0x00)) + return false; + return true; + +} + + +static inline bool match_emule_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_emule(data)) + return true; + + if (data->payload_len[0] == 0 && + is_emule_udp(data->payload[1], data->payload_len[1])) { + return true; + } + + if (data->payload_len[1] == 0 && + is_emule_udp(data->payload[0], data->payload_len[0])) { + return true; + } + + if (is_emule_udp(data->payload[0], data->payload_len[0]) && + is_emule_udp(data->payload[1], data->payload_len[1])) + return true; + + + /* Having doubts about the correctness of this rule, so disabling + * for now. */ + /* + if (match_emule_verycd(data->payload[0], data->payload_len[0])) { + if (data->payload_len[1] != 0) + return true; + } + + if (match_emule_verycd(data->payload[1], data->payload_len[1])) { + if (data->payload_len[0] != 0) + return true; + } + */ + + return false; +} + +static lpi_module_t lpi_emule_udp = { + LPI_PROTO_UDP_EMULE, + LPI_CATEGORY_P2P, + "eMule_UDP", + 11, + match_emule_udp +}; + +void register_emule_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_emule_udp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_emule_weak.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_emule_weak.cc new file mode 100644 index 0000000..ddc7bbe --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_emule_weak.cc @@ -0,0 +1,92 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/** XXX This module is currently disabled due to a tendency to overmatch! */ + +static inline bool match_mystery_emule(lpi_data_t *data, lpi_module_t *mod UNUSED) { + /* These particular patterns occur frequently on port 4672, making + * me think they're some sort of emule traffic but there is no + * obvious documentation. The payloads appear to be random, which + * is unlike all other emule traffic. The flows tend to consist of + * only one or two packets in each direction. + * + * XXX Comparison with DPI tools suggest that this is indeed eMule! + * + */ + + if (data->payload_len[0] == 44 && data->payload_len[1] >= 38 && + data->payload_len[1] <= 50) + return true; + if (data->payload_len[1] == 44 && data->payload_len[0] >= 38 && + data->payload_len[0] <= 50) + return true; + + if (data->payload_len[0] == 51 && (data->payload_len[1] == 135 || + data->payload_len[1] == 85 || + data->payload_len[1] == 310)) + return true; + if (data->payload_len[1] == 51 && (data->payload_len[0] == 135 || + data->payload_len[0] == 85 || + data->payload_len[0] == 310)) + return true; + + + return false; +} + + +static inline bool match_emule_weak_udp(lpi_data_t *data, + lpi_module_t *mod UNUSED) { + + /* This covers a particular branch of emule traffic which is harder + * to reliably detect than even regular emule (which isn't great to + * begin with). + */ + + if (match_mystery_emule(data, NULL)) + return true; + + return false; +} + +static lpi_module_t lpi_emule_weak_udp = { + LPI_PROTO_UDP_EMULE, + LPI_CATEGORY_P2P, + "eMule_UDP", + 20, + match_emule_weak_udp +}; + +void register_emule_weak_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_emule_weak_udp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_epson.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_epson.cc new file mode 100644 index 0000000..8bf1278 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_epson.cc @@ -0,0 +1,52 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_epson(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_either(data, "EPSO")) + return true; + + return false; +} + +static lpi_module_t lpi_epson = { + LPI_PROTO_UDP_EPSON, + LPI_CATEGORY_PRINTING, + "Epson", + 5, + match_epson +}; + +void register_epson(LPIModuleMap *mod_map) { + register_protocol(&lpi_epson, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_eso.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_eso.cc new file mode 100644 index 0000000..828c7a1 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_eso.cc @@ -0,0 +1,73 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_eso_payload(uint32_t payload, uint32_t len) { + + if (len == 0) + return true; + if (len == 40 && MATCH(payload, 0x00, ANY, ANY, ANY)) + return true; + if (len == 10 && MATCH(payload, 0x07, 0xa9, 0x00, 0x00)) + return true; + + return false; + +} + + +static inline bool match_eso(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* I'm pretty sure this is Ensemble game traffic, as it is the + * only thing I can find matching the port 2300 that it commonly + * occurs on. No game docs available, though :( */ + + if (!match_eso_payload(data->payload[0], data->payload_len[0])) + return false; + if (!match_eso_payload(data->payload[1], data->payload_len[1])) + return false; + return true; + + +} + +static lpi_module_t lpi_eso = { + LPI_PROTO_UDP_ESO, + LPI_CATEGORY_GAMING, + "EnsembleOnline", + 12, + match_eso +}; + +void register_eso(LPIModuleMap *mod_map) { + register_protocol(&lpi_eso, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_esp_encap.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_esp_encap.cc new file mode 100644 index 0000000..f814805 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_esp_encap.cc @@ -0,0 +1,67 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_esp_encap(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* This sucks, as the four bytes are the security association ID for + * the flow. We can only really go on port numbers, although we can + * identify IKE packets by looking for the Non-ESP marker (which is + * all zeroes) + * + * Just have to match on ports, I guess :( + */ + + if (data->server_port == 4500 && data->client_port == 4500) + return true; + + /* If only one port is 4500, check for the Non-ESP marker */ + if (data->server_port == 4500 || data->client_port == 4500) { + if (data->payload[0] == 0 && data->payload[1] == 0) + return true; + } + + + return false; +} + +static lpi_module_t lpi_esp_encap = { + LPI_PROTO_UDP_ESP, + LPI_CATEGORY_TUNNELLING, + "ESP_UDP", + 200, /* This is a pretty terrible rule */ + match_esp_encap +}; + +void register_esp_encap(LPIModuleMap *mod_map) { + register_protocol(&lpi_esp_encap, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_ethernetip.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_ethernetip.cc new file mode 100644 index 0000000..1c43f4a --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_ethernetip.cc @@ -0,0 +1,103 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + * 255.255.255.255 192.168.10.105 44818 1136 17 1226525494.728 1226525530.720 0 888 00000000 .... 0 63000000 c... 24 + * 192.168.10.105 192.168.10.120 1136 44818 17 1226525494.730 1226525530.722 2775 0 63003300 c.3. 75 00000000 .... 0 + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_command(uint32_t payload, uint16_t payload_len) { + + // the second uint16 of the ethernetip header is payload the length + // but not including the header size of 24 bytes + uint16_t len = ntohs((uint16_t)ntohl(payload)) + 24; + + if (payload_len != len) + return false; + + // no op + if (MATCH(payload, 0x00, 0x00, ANY, ANY)) + return true; + // list services + if (MATCH(payload, 0x04, 0x00, ANY, ANY)) + return true; + // list identity + if (MATCH(payload, 0x63, 0x00, ANY, ANY)) + return true; + // list interfaces + if (MATCH(payload, 0x64, 0x00, ANY, ANY)) + return true; + // register session + if (MATCH(payload, 0x65, 0x00, 0x04, 0x00)) + return true; + // un-register session + if (MATCH(payload, 0x66, 0x00, ANY, ANY)) + return true; + // sendrrdata + if (MATCH(payload, 0x6f, 0x00, ANY, ANY)) + return true; + // send unit data + if (MATCH(payload, 0x70, 0x00, ANY, ANY)) + return true; + // indicate status + if (MATCH(payload, 0x72, 0x00, ANY, ANY)) + return true; + // cancel + if (MATCH(payload, 0x73, 0x00, ANY, ANY)) + return true; + // error + if (MATCH(payload, 0xff, 0xff, ANY, ANY)) + return true; + + return false; +} + +static inline bool match_ethernetip_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 44818 && data->client_port != 44818) + return false; + + if (match_command(data->payload[0], data->payload_len[0]) || + match_command(data->payload[1], data->payload_len[1])) + return true; + + return false; +} + +static lpi_module_t lpi_ethernetip_udp = { + LPI_PROTO_UDP_ETHERNETIP, + LPI_CATEGORY_ICS, + "EtherNet/IP_UDP", + 100, + match_ethernetip_udp +}; + +void register_ethernetip_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_ethernetip_udp, mod_map); +} diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_eye.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_eye.cc new file mode 100644 index 0000000..aee7611 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_eye.cc @@ -0,0 +1,52 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_eye_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_either(data, "EYE1")) + return true; + + return false; +} + +static lpi_module_t lpi_eye_udp = { + LPI_PROTO_UDP_EYE, + LPI_CATEGORY_GAMING, + "AllSeeingEye_UDP", + 3, + match_eye_udp +}; + +void register_eye_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_eye_udp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_fasp.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_fasp.cc new file mode 100644 index 0000000..23cd183 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_fasp.cc @@ -0,0 +1,83 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_fasp_out(uint32_t payload, uint32_t len) { + + if (MATCH(payload, ANY, 0x21, 0x00, 0x00)) + return true; + + return false; + +} + +static inline bool match_fasp_in(uint32_t payload, uint32_t len) { + if (len != 64) + return false; + + if (MATCH(payload, ANY, 0x20, 0x00, 0x00)) + return true; + + return false; + +} + +static inline bool match_fasp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* First byte must match in both directions */ + if ((data->payload[0] & 0xff) != (data->payload[1] & 0xff)) { + return false; + } + + if (match_fasp_out(data->payload[0], data->payload_len[0])) { + if (match_fasp_in(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_fasp_out(data->payload[1], data->payload_len[1])) { + if (match_fasp_in(data->payload[0], data->payload_len[0])) + return true; + } + return false; +} + +static lpi_module_t lpi_fasp = { + LPI_PROTO_UDP_FASP, + LPI_CATEGORY_FILES, + "FASP", + 16, + match_fasp +}; + +void register_fasp(LPIModuleMap *mod_map) { + register_protocol(&lpi_fasp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_feitwo.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_feitwo.cc new file mode 100644 index 0000000..e39dd72 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_feitwo.cc @@ -0,0 +1,64 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_feitwo_sig(uint32_t payload) { + + if (MATCH(payload, 0x83, 0x80, 0x00, 0x01)) + return true; + return false; +} + +static inline bool match_feitwo(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Port 3333 */ + + if (match_feitwo_sig(data->payload[0])) { + if (match_feitwo_sig(data->payload[1])) { + return true; + } + } + + return false; +} + +static lpi_module_t lpi_feitwo = { + LPI_PROTO_UDP_FEITWO, + LPI_CATEGORY_P2P, + "Feitwo", + 112, + match_feitwo +}; + +void register_feitwo(LPIModuleMap *mod_map) { + register_protocol(&lpi_feitwo, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_forticlient_sslvpn.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_forticlient_sslvpn.cc new file mode 100644 index 0000000..60583b1 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_forticlient_sslvpn.cc @@ -0,0 +1,84 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_forti_vpn_48(uint32_t payload, uint32_t len) { + if (len != 48 && len != 192) + return false; + if (MATCHSTR(payload, "\x16\xfe\xff\x00")) + return true; + return false; +} + +static inline bool match_forti_vpn(uint32_t payload, uint32_t len) { + if (MATCHSTR(payload, "\x16\xfe\xff\x00")) + return true; + return false; +} + +static inline bool match_forti_fd_99(uint32_t payload, uint32_t len) { + if (len == 99 && MATCHSTR(payload, "\x16\xfe\xfd\x00")) + return true; + return false; +} + + +static inline bool match_forticlient_sslvpn(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_forti_vpn_48(data->payload[0], data->payload_len[0])) { + if (match_forti_vpn(data->payload[1], data->payload_len[1])) + return true; + if (match_forti_fd_99(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_forti_vpn_48(data->payload[1], data->payload_len[1])) { + if (match_forti_vpn(data->payload[0], data->payload_len[0])) + return true; + if (match_forti_fd_99(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_forticlient_sslvpn = { + LPI_PROTO_UDP_FORTICLIENT_SSLVPN, + LPI_CATEGORY_TUNNELLING, + "FortiClientSSLVPN", + 12, + match_forticlient_sslvpn +}; + +void register_forticlient_sslvpn(LPIModuleMap *mod_map) { + register_protocol(&lpi_forticlient_sslvpn, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_fortinet.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_fortinet.cc new file mode 100644 index 0000000..55dd680 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_fortinet.cc @@ -0,0 +1,122 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_fortinet_req(uint32_t payload, uint32_t len) { + + if (MATCHSTR(payload, "ikro")) + return true; + if (MATCHSTR(payload, "ikuo")) + return true; + + + /* All the following strings require a 64 byte datagram */ + if (len != 64) + return false; + + if (MATCHSTR(payload, "ihrk")) + return true; + if (MATCHSTR(payload, "ihri")) + return true; + if (MATCHSTR(payload, "iiri")) + return true; + if (MATCHSTR(payload, "ihrh")) + return true; + if (MATCHSTR(payload, "ihrj")) + return true; + if (MATCHSTR(payload, "ihro")) + return true; + if (MATCHSTR(payload, "iiro")) + return true; + if (MATCHSTR(payload, "ikri")) + return true; + if (MATCHSTR(payload, "ikvk")) + return true; + if (MATCHSTR(payload, "ikvo")) + return true; + + return false; + +} + +static inline bool match_fortinet_resp(uint32_t payload, uint32_t len) { + + if (len == 0) + return true; + if (len == 36 && MATCHSTR(payload, "kowO")) + return true; + if (len == 44 && MATCHSTR(payload, "kowG")) + return true; + if (len == 12 && MATCHSTR(payload, "nkwg")) + return true; + if (len == 32 && MATCHSTR(payload, "khwK")) + return true; + if (len == 64 && MATCHSTR(payload, "kkw+")) + return true; + return false; + +} + +static inline bool match_fortinet(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Seems to be part of the Fortinet update system */ + if (match_fortinet_req(data->payload[0], data->payload_len[0])) { + if (match_fortinet_resp(data->payload[1], data->payload_len[1])) + return true; + } + if (match_fortinet_req(data->payload[1], data->payload_len[1])) { + if (match_fortinet_resp(data->payload[0], data->payload_len[0])) + return true; + } + + + if (match_str_either(data, "Comm")) { + if (data->payload_len[0] == 0) + return true; + if (data->payload_len[1] == 0) + return true; + } + + return false; +} + +static lpi_module_t lpi_fortinet = { + LPI_PROTO_UDP_FORTINET, + LPI_CATEGORY_SECURITY, + "Fortinet", + 3, + match_fortinet +}; + +void register_fortinet(LPIModuleMap *mod_map) { + register_protocol(&lpi_fortinet, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_foscam.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_foscam.cc new file mode 100644 index 0000000..f200e3b --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_foscam.cc @@ -0,0 +1,151 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* All Foscam traffic begins with 0xf1. Bytes 3 and 4 are a length field */ + +static inline bool match_fcam_probe(uint32_t payload, uint32_t len) { + + if (len == 4 && MATCH(payload, 0xf1, 0x00, 0x00, 0x00)) + return true; + return false; + +} + +static inline bool match_fcam_probereply(uint32_t payload, uint32_t len) { + + if (len == 20 && MATCH(payload, 0xf1, 0x01, 0x00, 0x10)) + return true; + return false; + +} + +static inline bool match_fcam_4(uint32_t payload, uint32_t len) { + + if (len == 4 && MATCH(payload, 0xf1, 0x03, 0x00, 0x00)) + return true; + return false; + +} + +static inline bool match_fcam_70(uint32_t payload, uint32_t len) { + if (len == 4 && MATCH(payload, 0xf1, 0x70, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_fcam_32(uint32_t payload, uint32_t len) { + + if (len == 32 && MATCH(payload, 0xf1, 0x83, 0x00, 0x1c)) + return true; + return false; +} + +static inline bool match_fcam_p2p_ping(uint32_t payload, uint32_t len) { + if (len != 60 && len != 288) { + return false; + } + if (MATCH(payload, 0x3e, 0x2f, 0x8d, 0xcc)) { + return true; + } + return false; +} + +static inline bool match_fcam_p2p_pong(uint32_t payload, uint32_t len) { + if (len != 60 && len != 288) { + return false; + } + if (MATCH(payload, 0x7e, 0x2a, 0x9d, 0xec)) { + return true; + } + return false; +} + +static inline bool match_foscam(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_fcam_4(data->payload[0], data->payload_len[0])) { + if (match_fcam_32(data->payload[1], data->payload_len[1])) + return true; + if (match_fcam_70(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_fcam_4(data->payload[1], data->payload_len[1])) { + if (match_fcam_32(data->payload[0], data->payload_len[0])) + return true; + if (match_fcam_70(data->payload[0], data->payload_len[0])) + return true; + } + + if (match_fcam_probe(data->payload[0], data->payload_len[0])) { + if (match_fcam_probereply(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_fcam_probe(data->payload[1], data->payload_len[1])) { + if (match_fcam_probereply(data->payload[0], data->payload_len[0])) + return true; + } + + /* Periodic pings and replies seemingly sent by Foscam cameras to + * servers on the internet (port 10001) + * More info: + * http://foscam.us/forum/foscam-dialing-out-to-suspect-hosts-t17699.html */ + if (data->payload_len[0] == data->payload_len[1] && + (data->server_port == 10001 || + data->client_port == 10001)) { + if (match_fcam_p2p_ping(data->payload[0], data->payload_len[0])) { + if (match_fcam_p2p_pong(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_fcam_p2p_ping(data->payload[1], data->payload_len[1])) { + if (match_fcam_p2p_pong(data->payload[0], data->payload_len[0])) + return true; + } + } + + + return false; +} + +static lpi_module_t lpi_foscam = { + LPI_PROTO_UDP_FOSCAM, + LPI_CATEGORY_IPCAMERAS, + "Foscam", + 100, + match_foscam +}; + +void register_foscam(LPIModuleMap *mod_map) { + register_protocol(&lpi_foscam, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_freechal.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_freechal.cc new file mode 100644 index 0000000..71166e2 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_freechal.cc @@ -0,0 +1,52 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_freechal(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_both(data, "GET ", "FCP2")) + return true; + + return false; +} + +static lpi_module_t lpi_freechal = { + LPI_PROTO_UDP_FREECHAL, + LPI_CATEGORY_P2P, + "FreeChal_UDP", + 3, + match_freechal +}; + +void register_freechal(LPIModuleMap *mod_map) { + register_protocol(&lpi_freechal, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_freefire.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_freefire.cc new file mode 100644 index 0000000..eb1df58 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_freefire.cc @@ -0,0 +1,79 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Battle royale game for mobile from Garena */ + +static inline bool match_ff_0101(uint32_t payload, uint32_t len) { + if (len == 28 && MATCH(payload, 0x6c, ANY, 0x01, 0x01)) + return true; + + return false; +} + +static inline bool match_ff_0002(uint32_t payload, uint32_t len) { + if (len == 14 && MATCH(payload, 0x6c, 0x65, 0x00, 0x02)) + return true; + + return false; +} + +static inline bool match_freefire(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Ports are in 1000-10005 range */ + + if (match_ff_0101(data->payload[0], data->payload_len[0])) { + if (match_ff_0002(data->payload[1], data->payload_len[1])) { + return true; + } + } + + if (match_ff_0101(data->payload[1], data->payload_len[1])) { + if (match_ff_0002(data->payload[0], data->payload_len[0])) { + return true; + } + } + + return false; +} + +static lpi_module_t lpi_freefire = { + LPI_PROTO_UDP_FREEFIRE, + LPI_CATEGORY_GAMING, + "FreeFire", + 101, + match_freefire +}; + +void register_freefire(LPIModuleMap *mod_map) { + register_protocol(&lpi_freefire, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_funshion.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_funshion.cc new file mode 100644 index 0000000..ca00aea --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_funshion.cc @@ -0,0 +1,147 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" +#include <stdio.h> + +/* Funshion is a Chinese P2PTV application that seems to use a bunch + * of different protocols / messages. + */ +static inline bool match_funshion_25(uint32_t payload, uint32_t len) { + + /* One-way flows are also common, but we'd need a stronger set + * of rules before I'd feel comfortable allowing this. + */ + + if (len != 25) + return false; + + + /* The payload here is almost definitely a timestamp, but it only + * bears an approximate resemblance to the timestamp of the packet + * itself. + * Sometimes it is up to a day in excess of the current timestamp, + * sometimes it is several hours behind. + * + * Not much chance of doing any useful matches on the payload. + */ + return true; +} + +static inline bool match_funshion_104(uint32_t payload, uint32_t len) { + + /* The payload for these packets is all zeroes, so be careful + * regarding false positives, e.g. XboxLive traffic. + */ + + if (len == 0) + return true; + if (len != 104) + return false; + if (MATCH(payload, 0x00, 0x00, 0x00, 0x00)) + return true; + return false; + +} + +static inline bool match_funshion_dt(uint32_t payload, uint32_t otherlen) { + + if (otherlen != 0) + return false; + + /* The 'command' begins with byte 4, so I'm going to try + * and match all known commands rather than just allowing + * anything in byte 4. + * + * We might miss a few rare commands but should get the + * common ones. + */ + + /* init, inline_page */ + if (MATCH(payload, 'd', 't', '=', 'i')) + return true; + + /* dtfsp, dtjs */ + if (MATCH(payload, 'd', 't', '=', 'd')) + return true; + + /* play_* */ + if (MATCH(payload, 'd', 't', '=', 'p')) + return true; + + /* wt_bh */ + if (MATCH(payload, 'd', 't', '=', 'w')) + return true; + + /* taskflux */ + if (MATCH(payload, 'd', 't', '=', 't')) + return true; + + /* compress_uncompress */ + if (MATCH(payload, 'd', 't', '=', 'c')) + return true; + + return false; +} + +static inline bool match_funshion_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_funshion_25(data->payload[0], data->payload_len[0])) { + if (match_funshion_25(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_funshion_104(data->payload[0], data->payload_len[0])) { + if (match_funshion_104(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_funshion_dt(data->payload[0], data->payload_len[1])) + return true; + if (match_funshion_dt(data->payload[1], data->payload_len[0])) + return true; + + + return false; + +} + +static lpi_module_t lpi_funshion_udp = { + LPI_PROTO_UDP_FUNSHION, + LPI_CATEGORY_P2PTV, + "Funshion_UDP", + 50, + match_funshion_udp +}; + +void register_funshion_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_funshion_udp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_gamespy.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_gamespy.cc new file mode 100644 index 0000000..573a5ff --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_gamespy.cc @@ -0,0 +1,83 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_gamespy(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_either(data, "\\sta")) + return true; + if (match_str_either(data, "\\inf")) + return true; + if (match_str_either(data, "\\gam")) + return true; + if (match_str_either(data, "\\hos")) + return true; + if (match_str_either(data, "\\bas")) + return true; + + /* Gamespy request begins with 0xfe 0xfd FOO BAR. The response begins + * with FOO BAR, where FOO and BAR are specific bytes */ + + if (MATCH(data->payload[0], 0xfe, 0xfd, ANY, ANY) && + ((data->payload[1] << 16) == (data->payload[0] & 0xffff0000))) + return true; + if (MATCH(data->payload[1], 0xfe, 0xfd, ANY, ANY) && + ((data->payload[0] << 16) == (data->payload[1] & 0xffff0000))) + return true; + + /* These packets have also been observed between gamespy servers + * and for gamespy-powered games, e.g. GTA 4 */ + if (match_str_both(data, "\xfd\xfc\x1e\x66", "\xfd\xfc\x1e\x66")) + return true; + + if (match_str_either(data, "\xfd\xfc\x1e\x66")) { + if (data->payload_len[0] == 0) + return true; + if (data->payload_len[1] == 0) + return true; + } + + + return false; +} + +static lpi_module_t lpi_gamespy = { + LPI_PROTO_UDP_GAMESPY, + LPI_CATEGORY_GAMING, + "GameSpy", + 3, + match_gamespy +}; + +void register_gamespy(LPIModuleMap *mod_map) { + register_protocol(&lpi_gamespy, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_ganglia.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_ganglia.cc new file mode 100644 index 0000000..1ec3067 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_ganglia.cc @@ -0,0 +1,78 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Ganglia -- monitoring for clusters / grid computing */ + +static inline bool match_gangmsg(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 0x00, 0x00, 0x00, 0x80)) { + /* The payload usually contains a host name so can + * vary a fair bit. + */ + if (len >= 100 && len <= 250) { + return true; + } + } + return false; +} + +static inline bool match_ganglia(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 8649 && data->client_port != 8649) { + return false; + } + + if (match_gangmsg(data->payload[0], data->payload_len[0])) { + if (data->payload_len[1] == 0) + return true; + } + + if (match_gangmsg(data->payload[1], data->payload_len[1])) { + if (data->payload_len[0] == 0) + return true; + } + + return false; +} + +static lpi_module_t lpi_ganglia = { + LPI_PROTO_UDP_GANGLIA, + LPI_CATEGORY_MONITORING, + "Ganglia", + 50, + match_ganglia +}; + +void register_ganglia(LPIModuleMap *mod_map) { + register_protocol(&lpi_ganglia, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_gangsofspace.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_gangsofspace.cc new file mode 100644 index 0000000..083dca6 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_gangsofspace.cc @@ -0,0 +1,77 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_gos_37(uint32_t payload, uint32_t len) { + + /* bytes 3 and 4 appear to be a length field */ + if (len == 37 && MATCH(payload, 0x07, 0x00, 0x00, 0x21)) + return true; + return false; + +} + +static inline bool match_gos_45(uint32_t payload, uint32_t len) { + + /* bytes 3 and 4 appear to be a length field */ + if (len == 45 && MATCH(payload, 0x07, 0x00, 0x00, 0x29)) + return true; + return false; + +} + +static inline bool match_gangsofspace(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_gos_37(data->payload[0], data->payload_len[0])) { + if (match_gos_45(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_gos_37(data->payload[1], data->payload_len[1])) { + if (match_gos_45(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_gangsofspace = { + LPI_PROTO_UDP_GANGSOFSPACE, + LPI_CATEGORY_GAMING, + "GangsOfSpace", + 12, + match_gangsofspace +}; + +void register_gangsofspace(LPIModuleMap *mod_map) { + register_protocol(&lpi_gangsofspace, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_garena.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_garena.cc new file mode 100644 index 0000000..fa07d9b --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_garena.cc @@ -0,0 +1,86 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_garena(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* http://garenalinux.pastebay.com/71533 */ + + if (data->server_port == 53 || data->client_port == 53) + return false; + + /* Garena is NOT always on port 1513 */ + + /* Matching HELLO in each direction */ + if (MATCH(data->payload[0], 0x02, 0x00, 0x00, 0x00)) { + if (data->payload_len[0] != 16) + return false; + if (data->payload_len[1] == 0) + return true; + if (data->payload_len[1] != 16) + return false; + if (MATCH(data->payload[1], 0x02, 0x00, 0x00, 0x00)) + return true; + if (MATCH(data->payload[1], 0x0f, 0x00, 0x00, 0x00)) + return true; + return false; + } + + if (MATCH(data->payload[1], 0x02, 0x00, 0x00, 0x00)) { + if (data->payload_len[1] != 16) + return false; + if (data->payload_len[0] == 0) + return true; + if (data->payload_len[0] != 16) + return false; + if (MATCH(data->payload[0], 0x02, 0x00, 0x00, 0x00)) + return true; + if (MATCH(data->payload[0], 0x0f, 0x00, 0x00, 0x00)) + return true; + return false; + } + + + return false; +} + +static lpi_module_t lpi_garena = { + LPI_PROTO_UDP_GARENA, + LPI_CATEGORY_GAMING, + "Garena_UDP", + 5, + match_garena +}; + +void register_garena(LPIModuleMap *mod_map) { + register_protocol(&lpi_garena, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_gearsofwar.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_gearsofwar.cc new file mode 100644 index 0000000..b9169e4 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_gearsofwar.cc @@ -0,0 +1,92 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_gow_44(uint32_t payload, uint32_t len) { + if (MATCH(payload, 0x00, 0x00, 0x00, 0x00) && len == 44) + return true; + return false; +} + +static inline bool match_gow_51(uint32_t payload, uint32_t len) { + if (MATCH(payload, 0x00, 0x00, 0x00, 0x00) && len == 51) + return true; + return false; +} + +static inline bool match_gow_port(uint32_t sp, uint32_t cp) { + + if (sp == 30200 || cp == 30200) + return true; + if (sp == 30400 || cp == 30400) + return true; + if (sp == 30600 || cp == 30600) + return true; + if (sp == 31000 || cp == 31000) + return true; + if (sp == 30800 || cp == 30800) + return true; + if (sp == 30000 || cp == 30000) + return true; + + return false; +} + +static inline bool match_gearsofwar(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (!match_gow_port(data->server_port, data->client_port)) + return false; + + if (match_gow_44(data->payload[0], data->payload_len[0])) { + if (match_gow_51(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_gow_44(data->payload[1], data->payload_len[1])) { + if (match_gow_51(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_gearsofwar = { + LPI_PROTO_UDP_GEARSOFWAR, + LPI_CATEGORY_GAMING, + "GearsOfWar", + 199, + match_gearsofwar +}; + +void register_gearsofwar(LPIModuleMap *mod_map) { + register_protocol(&lpi_gearsofwar, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_gnutella.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_gnutella.cc new file mode 100644 index 0000000..1982ccc --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_gnutella.cc @@ -0,0 +1,210 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_gnutella_maint(lpi_data_t *data) { + + + /* All Gnutella UDP communications begin with a random 16 byte + * message ID - the request and the response must have the same + * message ID */ + + /* OK, for now I'm going to just work with two-way exchanges, because + * one-way is going to be pretty unreliable :( */ + + /* One exception! Unanswered PINGs */ + if (data->payload_len[0] == 23 && data->payload_len[1] == 0) + return true; + if (data->payload_len[1] == 23 && data->payload_len[0] == 0) + return true; + + if (data->payload_len[1] == 0 || data->payload_len[0] == 0) + return false; + + /* There seem to be some message types that do weird stuff with the + * GUID - I suspect they are Limewire extensions. */ + + if (data->payload_len[0] == 23 && data->payload_len[1] == 23) { + if (match_chars_either(data, 0x00, 0x00, 0x00, 0x00)) + return true; + } + + /* If there is payload in both directions, the message IDs must match */ + if (data->payload[0] != data->payload[1]) + return false; + + + /* All of these payload combinations are based purely on transactions + * observed on UDP port 6346 (a known Gnutella port) - sadly, there's + * no genuinely good documentation on the typical size of Gnutella + * UDP requests */ + + /* PING */ + /* + if (data->payload_len[0] == 23 && data->payload_len[1] < 100) + return true; + if (data->payload_len[1] == 23 && data->payload_len[0] < 100) + return true; + */ + + /* 727 byte packets are matched with 81 or 86 byte packets */ + if (data->payload_len[0] == 727 && (data->payload_len[1] == 81 || + data->payload_len[1] == 86)) + return true; + if (data->payload_len[1] == 727 && (data->payload_len[0] == 81 || + data->payload_len[0] == 86)) + return true; + + /* 72 and (61 or 81 or 86) byte packets seem to go together */ + if (data->payload_len[0] == 72) { + if (data->payload_len[1] == 61) + return true; + if (data->payload_len[1] == 81) + return true; + if (data->payload_len[1] == 86) + return true; + } + + if (data->payload_len[1] == 72) { + if (data->payload_len[0] == 61) + return true; + if (data->payload_len[0] == 81) + return true; + if (data->payload_len[0] == 86) + return true; + } + + /* 81 and 544 */ + if (data->payload_len[0] == 81 && data->payload_len[1] == 544) + return true; + if (data->payload_len[1] == 81 && data->payload_len[0] == 544) + return true; + + /* 55 and 47 */ + if (data->payload_len[0] == 55 && data->payload_len[1] == 47) + return true; + if (data->payload_len[1] == 55 && data->payload_len[0] == 47) + return true; + + /* 38 and 96 */ + if (data->payload_len[0] == 38 && data->payload_len[1] == 96) + return true; + if (data->payload_len[1] == 38 && data->payload_len[0] == 96) + return true; + + /* 67 and (81 or 86) */ + if (data->payload_len[0] == 67 && (data->payload_len[1] == 81 || + data->payload_len[1] == 86)) + return true; + if (data->payload_len[1] == 67 && (data->payload_len[0] == 81 || + data->payload_len[0] == 86)) + return true; + + + /* 29 byte requests seem to be met with 80-100 byte responses OR + * a 46 byte response */ + if (data->payload_len[0] == 29) { + if (data->payload_len[1] <= 100 && data->payload_len[1] >= 80) + return true; + if (data->payload_len[1] == 46) + return true; + } + if (data->payload_len[1] == 29) { + if (data->payload_len[0] <= 100 && data->payload_len[0] >= 80) + return true; + if (data->payload_len[0] == 46) + return true; + } + + /* 34 byte requests seem to be met with 138-165 byte responses */ + if (data->payload_len[0] == 34 && (data->payload_len[1] <= 165 && + data->payload_len[1] >= 138)) + return true; + if (data->payload_len[1] == 34 && (data->payload_len[0] <= 165 && + data->payload_len[0] >= 138)) + return true; + + + /* 193 matches 108 or 111 */ + if (data->payload_len[0] == 193 && (data->payload_len[1] == 108 || + data->payload_len[1] == 111)) + return true; + if (data->payload_len[1] == 193 && (data->payload_len[0] == 108 || + data->payload_len[0] == 111)) + return true; + + + return false; + +} + +/* http://wiki.limewire.org/index.php?title=Out_of_Band_System */ +static inline bool match_gnutella_oob(lpi_data_t *data) { + + /* DANGER: anonymised IP addresses! */ + if (!match_ip_address_both(data)) + return false; + + /* Payload size seems to be either 32 or 33 bytes */ + if (data->payload_len[0] == 32 || data->payload_len[1] == 32) + return true; + if (data->payload_len[0] == 33 || data->payload_len[1] == 33) + return true; + + return false; + +} + + +static inline bool match_gnutella_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_gnutella_oob(data)) + return true; + + if (match_gnutella_maint(data)) + return true; + + + return false; +} + +static lpi_module_t lpi_gnutella_udp = { + LPI_PROTO_UDP_GNUTELLA, + LPI_CATEGORY_P2P, + "Gnutella_UDP", + 110, /* Rules are pretty dodgy so make this low priority */ + match_gnutella_udp +}; + +void register_gnutella_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_gnutella_udp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_gnutella2.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_gnutella2.cc new file mode 100644 index 0000000..15b4a91 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_gnutella2.cc @@ -0,0 +1,52 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_gnutella2_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_chars_either(data, 'G', 'N', 'D', ANY)) + return true; + + return false; +} + +static lpi_module_t lpi_gnutella2_udp = { + LPI_PROTO_UDP_GNUTELLA2, + LPI_CATEGORY_P2P, + "Gnutella2_UDP", + 3, + match_gnutella2_udp +}; + +void register_gnutella2_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_gnutella2_udp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_gnutella_weak.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_gnutella_weak.cc new file mode 100644 index 0000000..106e3a3 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_gnutella_weak.cc @@ -0,0 +1,59 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_gnutella_weak(lpi_data_t *data, + lpi_module_t *mod UNUSED) { + + /* Not confident in this rule at all in terms of not creating + * false positives. Need to *regularly* check up on this one + * and make sure we're not over-matching */ + + if (data->payload_len[0] == 31 && data->payload_len[1] == 0) + return true; + if (data->payload_len[1] == 31 && data->payload_len[0] == 1) + return true; + + return false; +} + +static lpi_module_t lpi_gnutella_weak = { + LPI_PROTO_UDP_GNUTELLA, + LPI_CATEGORY_P2P, + "Gnutella_UDP", + 220, + match_gnutella_weak +}; + +void register_gnutella_weak(LPIModuleMap *mod_map) { + register_protocol(&lpi_gnutella_weak, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_gotomeeting.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_gotomeeting.cc new file mode 100644 index 0000000..a182129 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_gotomeeting.cc @@ -0,0 +1,95 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_gtm_ping(uint32_t payload, uint32_t len) { + + if (len == 16 && MATCH(payload, 'P', 'I', 'N', 'G')) + return true; + return false; +} + +static inline bool match_gtm_pong(uint32_t payload, uint32_t len) { + + if (len == 16 && MATCH(payload, 'P', 'O', 'N', 'G')) + return true; + return false; +} + +static inline bool match_gtm_webcam(uint32_t ploada, uint32_t ploadb) { + + /* Bytes 2,3,4 match, but be careful not to match stuff like + * 0x000000 */ + + if (MATCH(ploada, ANY, 0x00, 0x00, 0x00)) + return false; + + if ((ploada & 0xffffff00) == (ploadb & 0xffffff00)) + return true; + return false; + +} + +static inline bool match_gotomeeting(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* VOIP tends to be on port 8200 */ + + if (match_gtm_ping(data->payload[0], data->payload_len[0])) { + if (match_gtm_pong(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_gtm_ping(data->payload[1], data->payload_len[1])) { + if (match_gtm_pong(data->payload[0], data->payload_len[0])) + return true; + } + + /* Webcam goes over port 1853 */ + if (match_gtm_webcam(data->payload[0], data->payload[1])) { + if (data->server_port == 1853 || data->client_port == 1853) + return true; + } + + return false; +} + +static lpi_module_t lpi_gotomeeting = { + LPI_PROTO_UDP_GOTOMEETING, + LPI_CATEGORY_VOIP, + "GoToMeeting", + 149, + match_gotomeeting +}; + +void register_gotomeeting(LPIModuleMap *mod_map) { + register_protocol(&lpi_gotomeeting, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_gprs_tunnel.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_gprs_tunnel.cc new file mode 100644 index 0000000..471e106 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_gprs_tunnel.cc @@ -0,0 +1,76 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_gtp_payload(uint32_t payload, uint32_t len) { + uint32_t swap = ntohl(payload); + uint32_t replen = swap & 0x0000ffff; + + if (len == 0) + return true; + + if (len != replen) + return false; + + if ((swap & 0xf0ff0000) != 0x30010000) { + return false; + } + + return true; +} + + +static inline bool match_gprs_tunnel(lpi_data_t *data, lpi_module_t *mod UNUSED) { + if (match_gtp_payload(data->payload[0], data->payload_len[0])) { + if (match_gtp_payload(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_gtp_payload(data->payload[1], data->payload_len[1])) { + if (match_gtp_payload(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_gprs_tunnel = { + LPI_PROTO_UDP_GPRS_TUNNEL, + LPI_CATEGORY_TUNNELLING, + "GPRS_Tunnelling", + 10, + match_gprs_tunnel +}; + +void register_gprs_tunnel(LPIModuleMap *mod_map) { + register_protocol(&lpi_gprs_tunnel, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_gsm.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_gsm.cc new file mode 100644 index 0000000..d6f6599 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_gsm.cc @@ -0,0 +1,57 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_gsm(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* There are other commands but these are the only ones I've seen in + * the wild so far */ + + if (match_str_either(data, "+CSQ")) + return true; + if (match_str_either(data, "+CIM")) + return true; + + return false; +} + +static lpi_module_t lpi_gsm = { + LPI_PROTO_UDP_GSM, + LPI_CATEGORY_MONITORING, + "GSM", + 3, + match_gsm +}; + +void register_gsm(LPIModuleMap *mod_map) { + register_protocol(&lpi_gsm, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_h1z1.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_h1z1.cc new file mode 100644 index 0000000..8cc06a2 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_h1z1.cc @@ -0,0 +1,107 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +/* Appears to be H1Z1, an early access MMO (DayZ clone) from Sony Online */ + +static inline bool match_h1z1_req1(uint32_t payload, uint32_t len) { + + if (len == 25 && MATCH(payload, 0x00, 0x01, 0x00, 0x00)) + return true; + return false; + +} + +static inline bool match_h1z1_resp1(uint32_t payload, uint32_t len) { + + if (len == 21 && MATCH(payload, 0x00, 0x02, ANY, ANY)) + return true; + return false; + +} + +static inline bool match_h1z1_req2(uint32_t payload, uint32_t len) { + + if (len == 35 && MATCH(payload, 0x00, 0x01, 0x00, 0x00)) + return true; + return false; + +} + +static inline bool match_h1z1_resp2(uint32_t payload, uint32_t len) { + + if (len == 6 && MATCH(payload, 0x00, 0x15, ANY, ANY)) + return true; + return false; + +} + + +static inline bool match_h1z1(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* There are a couple of request / response patterns */ + + if (match_h1z1_req1(data->payload[1], data->payload_len[1])) { + if (match_h1z1_resp1(data->payload[0], data->payload_len[0])) + return true; + } + + if (match_h1z1_req1(data->payload[0], data->payload_len[0])) { + if (match_h1z1_resp1(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_h1z1_req2(data->payload[1], data->payload_len[1])) { + if (match_h1z1_resp2(data->payload[0], data->payload_len[0])) + return true; + } + + if (match_h1z1_req2(data->payload[0], data->payload_len[0])) { + if (match_h1z1_resp2(data->payload[1], data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_h1z1 = { + LPI_PROTO_UDP_H1Z1, + LPI_CATEGORY_GAMING, + "H1Z1", + 25, + match_h1z1 +}; + +void register_h1z1(LPIModuleMap *mod_map) { + register_protocol(&lpi_h1z1, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_halflife.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_halflife.cc new file mode 100644 index 0000000..430fac6 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_halflife.cc @@ -0,0 +1,94 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_halflife_ports(lpi_data_t *data) { + if (data->server_port >= 27000 && data->server_port < 28000) + return true; + if (data->client_port >= 27000 && data->client_port < 28000) + return true; + return false; +} + +static inline bool match_halflife_nine(uint32_t payload, uint32_t len) { + + if (len != 9) + return false; + if (!MATCHSTR(payload, "\xff\xff\xff\xff")) + return false; + return true; + +} + +static inline bool match_halflife_generic(uint32_t payload, uint32_t len) { + + if (len == 0) + return true; + if (!MATCHSTR(payload, "\xff\xff\xff\xff")) + return false; + return true; + +} + +static inline bool match_halflife(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_halflife_nine(data->payload[0], data->payload_len[0])) { + if (match_halflife_nine(data->payload[1], data->payload_len[1])) + return true; + } + + if (!match_halflife_ports(data)) + return false; + + /* + if (match_halflife_generic(data->payload[0], data->payload_len[0])) { + if (match_halflife_generic(data->payload[1], data->payload_len[1])) + return true; + } + */ + + + return false; +} + +static lpi_module_t lpi_halflife = { + LPI_PROTO_UDP_HL, + LPI_CATEGORY_GAMING, + "HalfLife", + 100, /* Make sure this comes after other similar game protocols, + * e.g. ARMA, Quake */ + match_halflife +}; + +void register_halflife(LPIModuleMap *mod_map) { + register_protocol(&lpi_halflife, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_haloonline.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_haloonline.cc new file mode 100644 index 0000000..12553bf --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_haloonline.cc @@ -0,0 +1,78 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Halo Online -- multiplayer FPS that has already been shut down but is + * somehow still being played by FPS "aficionados". + */ + +static inline bool match_bla_17(uint32_t payload, uint32_t len) { + if (len == 17 && MATCH(payload, 0x01, 'b', 'l', 'a')) + return true; + return false; + +} + +static inline bool match_bla_86(uint32_t payload, uint32_t len) { + if (len == 86 && MATCH(payload, 0x01, 'b', 'l', 'a')) + return true; + return false; + +} + +static inline bool match_haloonline(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Port 11774 */ + if (match_bla_17(data->payload[0], data->payload_len[0])) { + if (match_bla_86(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_bla_17(data->payload[1], data->payload_len[1])) { + if (match_bla_86(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_haloonline = { + LPI_PROTO_UDP_HALO_ONLINE, + LPI_CATEGORY_GAMING, + "HaloOnline", + 5, + match_haloonline +}; + +void register_haloonline(LPIModuleMap *mod_map) { + register_protocol(&lpi_haloonline, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_hamachi.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_hamachi.cc new file mode 100644 index 0000000..030175b --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_hamachi.cc @@ -0,0 +1,61 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_hamachi(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Based on traffic observed on port 17771 where one endpoint is in + * an IP range owned by LogMeIn */ + + if (!MATCH(data->payload[0], 0x00, 0x00, 0x00, 0x00)) + return false; + if (!MATCH(data->payload[1], 0x00, 0x00, 0x00, 0x00)) + return false; + if (data->payload_len[0] != 76) + return false; + if (data->payload_len[1] != 76) + return false; + + return true; +} + +static lpi_module_t lpi_hamachi = { + LPI_PROTO_UDP_HAMACHI, + LPI_CATEGORY_TUNNELLING, + "Hamachi_UDP", + 8, + match_hamachi +}; + +void register_hamachi_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_hamachi, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_heliborne.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_heliborne.cc new file mode 100644 index 0000000..1444fea --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_heliborne.cc @@ -0,0 +1,76 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_hb_60(uint32_t payload, uint32_t len) { + if (len == 60 && MATCHSTR(payload, "\xff\xff\xcc\x01")) + return true; + return false; +} + +static inline bool match_hb_76(uint32_t payload, uint32_t len) { + + if (len == 76 && MATCH(payload, 0x00, 0x00, 0x00, 0x02)) + return true; + if (len == 80 && MATCH(payload, 0x00, 0x00, 0xcc, 0x02)) + return true; + return false; +} + +static inline bool match_heliborne(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Ports 5055 and 5056 */ + if (match_hb_60(data->payload[0], data->payload_len[0])) { + if (match_hb_76(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_hb_60(data->payload[1], data->payload_len[1])) { + if (match_hb_76(data->payload[0], data->payload_len[0])) + return true; + } + + + return false; +} + +static lpi_module_t lpi_heliborne = { + LPI_PROTO_UDP_HELIBORNE, + LPI_CATEGORY_GAMING, + "Heliborne", + 49, + match_heliborne +}; + +void register_heliborne(LPIModuleMap *mod_map) { + register_protocol(&lpi_heliborne, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_heroes_generals.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_heroes_generals.cc new file mode 100644 index 0000000..97c268e --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_heroes_generals.cc @@ -0,0 +1,80 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_hg_149(uint32_t payload, uint32_t len) { + if (len == 149 && MATCHSTR(payload, "\xff\xff\xff\xff")) + return true; + return false; + +} + +static inline bool match_hg_1400(uint32_t payload, uint32_t len) { + + /* MTU could affect this XXX */ + if (len != 1400) + return false; + + /* Bits 5-8 of the first byte are always 0 -- rest is random */ + if ((payload & 0x0000000f) != 0x00000000) + return false; + + return true; + +} + +static inline bool match_heroes_generals(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_hg_149(data->payload[0], data->payload_len[0])) { + if (match_hg_1400(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_hg_149(data->payload[1], data->payload_len[1])) { + if (match_hg_1400(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_heroes_generals = { + LPI_PROTO_UDP_HEROES_GENERALS, + LPI_CATEGORY_GAMING, + "HeroesAndGenerals", + 20, + match_heroes_generals +}; + +void register_heroes_generals(LPIModuleMap *mod_map) { + register_protocol(&lpi_heroes_generals, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_heroesevolved.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_heroesevolved.cc new file mode 100644 index 0000000..235360b --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_heroesevolved.cc @@ -0,0 +1,75 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Mobile MOBA from R2Games */ + + +static inline bool match_he(uint32_t payload, uint32_t len) { + if (len == 5 && MATCH(payload, 0xdc, 'H', 'E', 0xe4)) + return true; + return false; +} + +static inline bool match_ffff(uint32_t payload, uint32_t len) { + if (len == 17 && MATCHSTR(payload, "\x01\x00\xff\xff")) + return true; + return false; +} + +static inline bool match_heroesevolved(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + + if (match_he(data->payload[0], data->payload_len[0])) { + if (match_ffff(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_he(data->payload[1], data->payload_len[1])) { + if (match_ffff(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_heroesevolved = { + LPI_PROTO_UDP_HEROES_EVOLVED, + LPI_CATEGORY_GAMING, + "HeroesEvolved", + 50, + match_heroesevolved +}; + +void register_heroesevolved(LPIModuleMap *mod_map) { + register_protocol(&lpi_heroesevolved, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_hollachat.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_hollachat.cc new file mode 100644 index 0000000..a9e5e4d --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_hollachat.cc @@ -0,0 +1,84 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_holla_header(uint32_t payload, uint32_t len) { + + uint32_t hdrlen; + uint16_t swapped; + + hdrlen = ntohl(payload) >> 16; + swapped = bswap_be_to_host16((uint16_t)hdrlen); + + if (len == swapped && MATCH(payload, ANY, ANY, 0x01, 0x00)) + return true; + + return false; + +} + +static inline bool restrict_port(uint16_t porta, uint16_t portb) { + if (porta == 5888 || portb == 5888) + return true; + if (porta >= 4000 && porta <= 4010) + return true; + if (portb >= 4000 && portb <= 4010) + return true; + return false; +} + +static inline bool match_hollachat(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Ports 5888 and 4000-4009 are common */ + if (restrict_port(data->server_port, data->client_port) == false) { + return false; + } + + if (match_holla_header(data->payload[0], data->payload_len[0])) { + if (match_holla_header(data->payload[1], data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_hollachat = { + LPI_PROTO_UDP_HOLLA, + LPI_CATEGORY_CHAT, + "HollaChat", + 210, + match_hollachat +}; + +void register_hollachat(LPIModuleMap *mod_map) { + register_protocol(&lpi_hollachat, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_hots.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_hots.cc new file mode 100644 index 0000000..47f0aa4 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_hots.cc @@ -0,0 +1,105 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Heroes of the Storm -- Blizzard MOBA */ + +static inline bool match_hots_zero(uint32_t payload, uint32_t len) { + + if (len == 20 && MATCH(payload, 0x00, 0x00, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_hots_other(uint32_t payload, uint32_t len) { + + if (len == 20 && MATCH(payload, ANY, ANY, 0x01, 0x00)) + return true; + if (len == 20 && MATCH(payload, ANY, ANY, 0x02, 0x00)) + return true; + if (len == 20 && MATCH(payload, ANY, ANY, 0x03, 0x00)) + return true; + if (len == 20 && MATCH(payload, ANY, ANY, 0x04, 0x00)) + return true; + if (len == 20 && MATCH(payload, ANY, ANY, 0x05, 0x00)) + return true; + if (len == 20 && MATCH(payload, ANY, ANY, 0x06, 0x00)) + return true; + if (len == 20 && MATCH(payload, ANY, ANY, 0x07, 0x00)) + return true; + if (len == 20 && MATCH(payload, ANY, ANY, 0x08, 0x00)) + return true; + if (len == 20 && MATCH(payload, ANY, ANY, 0x00, 0x00)) { + if (MATCH(payload, 0x00, 0x00, 0x00, 0x00)) + return false; + return true; + } + + return false; +} + +static inline bool match_hots(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + bool validport = false; + + if (data->server_port == 1119 || data->client_port == 1119) + validport = true; + if (data->server_port == 3724 || data->client_port == 3724) + validport = true; + + if (!validport) + return false; + + if (match_hots_zero(data->payload[0], data->payload_len[0])) { + if (match_hots_other(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_hots_zero(data->payload[1], data->payload_len[1])) { + if (match_hots_other(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_hots = { + LPI_PROTO_UDP_HOTS, + LPI_CATEGORY_GAMING, + "HeroesOfTheStorm", + 101, + match_hots +}; + +void register_hots(LPIModuleMap *mod_map) { + register_protocol(&lpi_hots, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_icp.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_icp.cc new file mode 100644 index 0000000..07cef1a --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_icp.cc @@ -0,0 +1,99 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_icp_query(uint32_t payload, uint32_t len) { + + uint32_t stated_len = 0; + + stated_len = ntohl(payload) & 0xffff; + if (stated_len != len) + return false; + + /* Just going to match v2 for now */ + if (MATCH(payload, 0x01, 0x02, ANY, ANY)) + return true; + return false; + + +} + +static inline bool match_icp_response(uint32_t payload, uint32_t len) { + + uint32_t stated_len = 0; + + stated_len = ntohl(payload) & 0xffff; + if (stated_len != len) + return false; + + /* Just going to match v2 for now */ + + /* HIT */ + if (MATCH(payload, 0x02, 0x02, ANY, ANY)) + return true; + /* MISS */ + if (MATCH(payload, 0x03, 0x02, ANY, ANY)) + return true; + + /* XXX we possibly could match invalid and error codes as well, + * but let's wait until we actually see these things */ + return false; + + +} + +static inline bool match_icp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_icp_query(data->payload[0], data->payload_len[0])) { + if (match_icp_response(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_icp_query(data->payload[1], data->payload_len[1])) { + if (match_icp_response(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_icp = { + LPI_PROTO_UDP_ICP, + LPI_CATEGORY_CACHING, + "ICP", + 8, /* Must be run before RADIUS */ + match_icp +}; + +void register_icp(LPIModuleMap *mod_map) { + register_protocol(&lpi_icp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_imesh.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_imesh.cc new file mode 100644 index 0000000..b893329 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_imesh.cc @@ -0,0 +1,82 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +static inline bool match_imesh_req(uint32_t data, uint32_t len) { + + if (len != 36 && len != 32) + return false; + + if (MATCH(data, 0x02, 0x00, 0x00, 0x00)) + return true; + + return false; +} + +static inline bool match_imesh_resp(uint32_t data, uint32_t len) { + if (len == 0) + return true; + if (len != 36 && len != 32) + return false; + + if (MATCH(data, 0x02, 0x00, ANY, ANY)) + return true; + return false; +} +/* XXX Not really sure on this one - based on the code from OpenDPI but I + * can't find any documentation that confirms this */ +static inline bool match_imesh_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_imesh_req(data->payload[0], data->payload_len[0])) { + if (match_imesh_resp(data->payload[1], data->payload_len[1])) + return true; + } + if (match_imesh_req(data->payload[1], data->payload_len[1])) { + if (match_imesh_resp(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_imesh_udp = { + LPI_PROTO_UDP_IMESH, + LPI_CATEGORY_P2P, + "iMesh_UDP", + 6, + match_imesh_udp +}; + +void register_imesh_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_imesh_udp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_ipmsg.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_ipmsg.cc new file mode 100644 index 0000000..d66b4bd --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_ipmsg.cc @@ -0,0 +1,66 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_ipmsg(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* IPMSG packet format: + * + * Version:MessageNumber:User:Host:Command:MsgContent + * + * Version is always 1. + * + * All IPMsg observed so far has a message number beginning with + * 80... + */ + + /* Do a port check as well, just to be sure */ + if (data->server_port != 2425 && data->client_port != 2425) + return false; + + if (match_chars_either(data, '1', ':', '8', '0')) + return true; + + return false; +} + +static lpi_module_t lpi_ipmsg = { + LPI_PROTO_UDP_IPMSG, + LPI_CATEGORY_CHAT, + "IPMsg", + 5, + match_ipmsg +}; + +void register_ipmsg(LPIModuleMap *mod_map) { + register_protocol(&lpi_ipmsg, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_ipv6.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_ipv6.cc new file mode 100644 index 0000000..bbfb1bc --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_ipv6.cc @@ -0,0 +1,73 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_ipv6_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->payload_len[0] < 4 && data->payload_len[1] < 4) + return false; + + if (match_str_both(data, "\x60\x00\x00\x00", "\x60\x00\x00\x00")) { + return true; + } + + /* One-way DNS check */ + if (data->server_port == 53 || data->client_port == 53) + return false; + + if (MATCHSTR(data->payload[0], "\x60\x00\x00\x00")) { + if (data->payload_len[1] == 0) { + return true; + } + } + + if (MATCHSTR(data->payload[1], "\x60\x00\x00\x00")) { + if (data->payload_len[0] == 0) { + return true; + } + } + + + return false; +} + +static lpi_module_t lpi_ipv6_udp = { + LPI_PROTO_UDP_IPV6, + LPI_CATEGORY_TUNNELLING, + "UDP_IPv6", + 4, + match_ipv6_udp +}; + +void register_ipv6_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_ipv6_udp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_isakmp.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_isakmp.cc new file mode 100644 index 0000000..b9ab307 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_isakmp.cc @@ -0,0 +1,76 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_isakmp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Rule out anything not on UDP port 500 */ + if (data->server_port != 500 && data->client_port != 500) + return false; + + /* Catching one-way ISAKMP is hard, we have to rely on port numbers + * because nothing else is consistent :( */ + if (data->payload_len[0] == 0 || data->payload_len[1] == 0) { + if (data->server_port == 500 && data->client_port == 500) + return true; + /* Match shadowserver.org scan traffic */ + if (MATCH(data->payload[0], 0x3e, 0x35, 0xc7, 0x07)) + return true; + if (MATCH(data->payload[1], 0x3e, 0x35, 0xc7, 0x07)) + return true; + return false; + } + + + /* First four bytes are the cookie for the initiator, so should match + * in both directions */ + + if (data->payload[0] != data->payload[1]) + return false; + if (data->payload_len[0] < 4 && data->payload_len[1] < 4) + return false; + + return true; + +} + +static lpi_module_t lpi_isakmp = { + LPI_PROTO_UDP_ISAKMP, + LPI_CATEGORY_KEY_EXCHANGE, + "ISAKMP", + 6, + match_isakmp +}; + +void register_isakmp(LPIModuleMap *mod_map) { + register_protocol(&lpi_isakmp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_jedi.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_jedi.cc new file mode 100644 index 0000000..1e38292 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_jedi.cc @@ -0,0 +1,55 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_jedi_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Citrix have a protocol called JEDI which is used for streaming + * in products like GoToMyPC */ + + if (match_str_both(data, "JEDI", "JEDI")) + return true; + + return false; +} + +static lpi_module_t lpi_jedi = { + LPI_PROTO_UDP_JEDI, + LPI_CATEGORY_REMOTE, + "Citrix_Jedi_UDP", + 3, + match_jedi_udp +}; + +void register_jedi_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_jedi, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_jedi_academy.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_jedi_academy.cc new file mode 100644 index 0000000..0fbcb9c --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_jedi_academy.cc @@ -0,0 +1,70 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_jedi_academy(lpi_data_t *data, + lpi_module_t *mod UNUSED) { + + /* Pretty rare, but we can write a rule for it */ + if (match_str_both(data, "\xff\xff\xff\xff", "\xff\xff\xff\xff")) { + /* Server browsing */ + if (data->payload_len[0] == 65 && data->payload_len[1] == 181) + return true; + if (data->payload_len[0] == 66 && data->payload_len[1] == 182) + return true; + if (data->payload_len[1] == 65 && data->payload_len[0] == 181) + return true; + if (data->payload_len[1] == 66 && data->payload_len[0] == 182) + return true; + + /* Actual gameplay */ + if (data->payload_len[0] == 16 && data->payload_len[1] == 32) + return true; + if (data->payload_len[1] == 16 && data->payload_len[0] == 32) + return true; + } + + + return false; +} + +static lpi_module_t lpi_jedi = { + LPI_PROTO_UDP_JEDI_ACADEMY, + LPI_CATEGORY_GAMING, + "JediAcademy", + 5, + match_jedi_academy +}; + +void register_jedi_academy(LPIModuleMap *mod_map) { + register_protocol(&lpi_jedi, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_kademlia.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_kademlia.cc new file mode 100644 index 0000000..3c33cf1 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_kademlia.cc @@ -0,0 +1,104 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static bool is_kad_e9_payload(uint32_t payload, uint32_t len) { + + /* This seem to be some variant of Kademlia, although I have not + * been able to figure out which */ + + /* All packets begin with e9, while possible second bytes are + * 0x55, 0x56, 0x60, 0x61, 0x76, 0x75 + * + * 0x56 is a response to 0x55 + * 0x61 is a response to 0x60 + * 0x76 is a kind of FIN packet, it also responds to 0x75 + * + * 0x92 seems to be a valid response to unsolicited 0x56 or 0x61 ?? + * + * There are also packets that seem to begin with 0xea 0x75 0x78 0x9c. + */ + + if (MATCH(payload, 0xe9, 0x55, ANY, ANY) && len == 27) + return true; + if (MATCH(payload, 0xe9, 0x56, ANY, ANY) && len == 27) + return true; + if (MATCH(payload, 0xe9, 0x60, ANY, ANY) && len == 34) + return true; + if (MATCH(payload, 0xe9, 0x61, ANY, ANY)) + return true; + if (MATCH(payload, 0xe9, 0x76, ANY, ANY) && len == 18) + return true; + if (MATCH(payload, 0xe9, 0x75, ANY, ANY)) + return true; + if (MATCH(payload, 0xe9, 0x92, ANY, ANY) && len == 3) + return true; + + + if (MATCH(payload, 0xea, 0x75, 0x78, 0x9c)) + return true; + + return false; + +} + + +static inline bool match_kademlia(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->payload_len[0] == 0 && is_kad_e9_payload(data->payload[1], + data->payload_len[1])) + return true; + + if (data->payload_len[1] == 0 && is_kad_e9_payload(data->payload[0], + data->payload_len[0])) + return true; + + if (is_kad_e9_payload(data->payload[0], data->payload_len[0]) && + is_kad_e9_payload(data->payload[1], + data->payload_len[1])) + return true; + + + return false; +} + +static lpi_module_t lpi_kademlia = { + LPI_PROTO_UDP_KADEMLIA, + LPI_CATEGORY_P2P, + "Kademlia", + 11, + match_kademlia +}; + +void register_kademlia(LPIModuleMap *mod_map) { + register_protocol(&lpi_kademlia, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_kankan.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_kankan.cc new file mode 100644 index 0000000..a11ed3c --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_kankan.cc @@ -0,0 +1,65 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Kankan -- video streaming by Xunlei */ + +static inline bool match_kankan(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port == 8080 || data->client_port == 8080) { + /* Small flows used probably for DHT-like purposes */ + if (data->payload_len[0] == 68 && data->payload_len[1] == 180) + return true; + if (data->payload_len[0] == 68 && data->payload_len[1] == 0) + return true; + if (data->payload_len[1] == 68 && data->payload_len[0] == 180) + return true; + if (data->payload_len[1] == 68 && data->payload_len[0] == 0) + return true; + + } + + + return false; +} + +static lpi_module_t lpi_kankan = { + LPI_PROTO_UDP_KANKAN, + LPI_CATEGORY_STREAMING, + "Kankan", + 100, + match_kankan +}; + +void register_kankan(LPIModuleMap *mod_map) { + register_protocol(&lpi_kankan, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_kaspersky.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_kaspersky.cc new file mode 100644 index 0000000..934b528 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_kaspersky.cc @@ -0,0 +1,53 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_kaspersky_udp(lpi_data_t *data, + lpi_module_t *mod UNUSED) { + + if (data->server_port != 2001 && data->client_port != 2001) + return false; + + return match_kaspersky(data); +} + +static lpi_module_t lpi_kaspersky = { + LPI_PROTO_UDP_KASPERSKY, + LPI_CATEGORY_SECURITY, + "Kaspersky_UDP", + 3, + match_kaspersky_udp +}; + +void register_kaspersky_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_kaspersky, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_kazaa.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_kazaa.cc new file mode 100644 index 0000000..9d23a82 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_kazaa.cc @@ -0,0 +1,65 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_kazaa(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* 0x27 is a ping, 0x28 and 0x29 are pongs */ + + /* A Kazaa ping is usually 12 bytes, 0x28 pong is 17, 0x29 pong is 21 */ + + if (match_str_both(data, "\x27\x00\x00\x00", "\x28\x00\x00\x00")) + return true; + if (match_str_both(data, "\x27\x00\x00\x00", "\x29\x00\x00\x00")) + return true; + + if (match_str_either(data, "\x27\x00\x00\x00")) { + if (data->payload_len[0] == 0 && data->payload_len[1] == 12) + return true; + if (data->payload_len[1] == 0 && data->payload_len[0] == 12) + return true; + } + + return false; +} + +static lpi_module_t lpi_kazaa = { + LPI_PROTO_UDP_KAZAA, + LPI_CATEGORY_P2P, + "Kazaa_UDP", + 4, + match_kazaa +}; + +void register_kazaa(LPIModuleMap *mod_map) { + register_protocol(&lpi_kazaa, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_kingofglory_udp.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_kingofglory_udp.cc new file mode 100644 index 0000000..495d19f --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_kingofglory_udp.cc @@ -0,0 +1,73 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_kog_44(uint32_t payload, uint32_t len) { + if (len == 44 && MATCH(payload, 0x01, 0x02, 0x00, 0x00)) + return true; + return false; +} + + +static inline bool match_kog_24(uint32_t payload, uint32_t len) { + if (len == 24) + return true; + return false; +} + + +static inline bool match_kingofglory_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_kog_44(data->payload[0], data->payload_len[0])) { + if (match_kog_24(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_kog_44(data->payload[1], data->payload_len[1])) { + if (match_kog_24(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_kingofglory_udp = { + LPI_PROTO_UDP_KINGOFGLORY, + LPI_CATEGORY_GAMING, + "KingOfGlory_UDP", + 101, + match_kingofglory_udp +}; + +void register_kingofglory_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_kingofglory_udp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_kuguo.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_kuguo.cc new file mode 100644 index 0000000..2586b46 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_kuguo.cc @@ -0,0 +1,87 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_kugou_req(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 0x65, ANY, ANY, ANY)) + return true; + if (MATCH(payload, 0x64, ANY, ANY, ANY)) + return true; + return false; + +} + +static inline bool match_kugou_resp(uint32_t payload, uint32_t len) { + + if (len == 0) + return true; + + if (MATCH(payload, 0x65, ANY, ANY, ANY)) + return true; + if (MATCH(payload, 0x64, ANY, ANY, ANY)) + return true; + return false; + +} + +static inline bool match_kugou(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Rule is very weak, need to limit to known Kuguo ports */ + + if (data->server_port != 8000 && data->client_port != 8000) + return false; + + if (match_kugou_req(data->payload[0], data->payload_len[0])) { + if (match_kugou_resp(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_kugou_req(data->payload[1], data->payload_len[1])) { + if (match_kugou_resp(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_kugou = { + LPI_PROTO_UDP_KUGOU, + LPI_CATEGORY_STREAMING, + "Kugou", + 200, + match_kugou +}; + +void register_kugou(LPIModuleMap *mod_map) { + register_protocol(&lpi_kugou, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_l2tp.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_l2tp.cc new file mode 100644 index 0000000..f0e6ccd --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_l2tp.cc @@ -0,0 +1,72 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_l2tp_payload(uint32_t payload, uint32_t len) { + + uint32_t hdrlen = ntohl(payload) & 0xffff; + + if (len == 0) + return true; + + if (len != hdrlen) + return false; + + if (!MATCH(payload, 0xc8, 0x02, ANY, ANY) && !MATCH(payload, 0x40, 0x02, ANY, ANY)) + return false; + + return true; + +} + +static inline bool match_l2tp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->payload_len[0] != 0 && !match_l2tp_payload(data->payload[0], data->payload_len[0])) + return false; + if (data->payload_len[1] != 0 && !match_l2tp_payload(data->payload[1], data->payload_len[1])) + return false; + + + return true; +} + +static lpi_module_t lpi_l2tp = { + LPI_PROTO_UDP_L2TP, + LPI_CATEGORY_TUNNELLING, + "L2TP", + 6, + match_l2tp +}; + +void register_l2tp(LPIModuleMap *mod_map) { + register_protocol(&lpi_l2tp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_lansync.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_lansync.cc new file mode 100644 index 0000000..af92e7d --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_lansync.cc @@ -0,0 +1,77 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* LANSync is the protocol used by DropBox to sync data changes within the + * local network. + * + * Ref: http://geeklogs.posterous.com/dropbox-lan-sync-protocol + */ + +static inline bool match_lansync_disc(uint32_t payload, uint32_t len) { + + if (len == 0) + return false; + if (MATCH(payload, '{', '"', 'h', 'o')) + return true; + return false; +} + +static inline bool match_lansync_udp(lpi_data_t *data, + lpi_module_t *mod UNUSED) { + + if (data->server_port != 17500 && data->client_port != 17500) + return false; + + if (match_lansync_disc(data->payload[0], data->payload_len[0])) { + if (data->payload_len[1] == 0) + return true; + } + + if (match_lansync_disc(data->payload[1], data->payload_len[1])) { + if (data->payload_len[0] == 0) + return true; + } + return false; +} + +static lpi_module_t lpi_lansync_udp = { + LPI_PROTO_UDP_LANSYNC, + LPI_CATEGORY_BROADCAST, + "LanSync_UDP", + 6, + match_lansync_udp +}; + +void register_lansync_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_lansync_udp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_ldap_ad.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_ldap_ad.cc new file mode 100644 index 0000000..0724e66 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_ldap_ad.cc @@ -0,0 +1,81 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_ldap_ad_payload(uint32_t payload, uint32_t len) { + if (len == 0) + return true; + if (MATCH(payload, 0x30, 0x84, 0x00, 0x00)) + return true; + return false; + +} + +static inline bool match_ldap_ad(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Rule out one-way DNS, which could look like our LDAP AD payload */ + if (data->payload_len[0] == 0 || data->payload_len[1] == 0) { + if (data->server_port == 53 || data->client_port == 53) + return false; + } + + if (!match_ldap_ad_payload(data->payload[0], data->payload_len[0])) + return false; + if (!match_ldap_ad_payload(data->payload[1], data->payload_len[1])) + return false; + + return true; +} + +static lpi_module_t lpi_ldap_ad = { + LPI_PROTO_UDP_LDAP_AD, + LPI_CATEGORY_SERVICES, + "LDAP_AD", + 5, + match_ldap_ad +}; + +void register_ldap_ad(LPIModuleMap *mod_map) { + register_protocol(&lpi_ldap_ad, mod_map); +} + +static lpi_module_t lpi_tcp_ldap_ad = { + LPI_PROTO_TCP_LDAP_AD, + LPI_CATEGORY_SERVICES, + "LDAP_AD", + 5, + match_ldap_ad +}; + +void register_tcp_ldap_ad(LPIModuleMap *mod_map) { + register_protocol(&lpi_tcp_ldap_ad, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_line_udp.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_line_udp.cc new file mode 100644 index 0000000..762e65c --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_line_udp.cc @@ -0,0 +1,148 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_line_108(uint32_t payload, uint32_t len) { + + if (len != 108) + return false; + if (MATCH(payload, 0xb6, 0x12, 0x00, 0x68)) + return true; + return false; + +} + +static inline bool match_line_110(uint32_t payload, uint32_t len) { + + if (len != 110) + return false; + if (MATCH(payload, 0xb6, 0x18, 0x00, 0x6a)) + return true; + return false; + +} + +static inline bool match_line_35(uint32_t payload, uint32_t len) { + + if (!MATCH(payload, 0xb6, 0x13, 0x00, 0x06)) + return false; + if (len == 35 || len == 46) + return true; + return false; + +} + +static inline bool match_line_16(uint32_t payload, uint32_t len) { + if (len == 0) + return true; + + if (len == 16 && MATCH(payload, 0xb6, 0x09, 0x00, 0x0c)) + return true; + + return false; +} + +static inline bool match_line_43(uint32_t payload, uint32_t len) { + + if (len == 43 && MATCH(payload, 0xb6, 0x13, 0x00, 0x27)) + return true; + if (len == 43 && MATCH(payload, 0xb6, 0x14, 0x00, 0x27)) + return true; + return false; + +} + +static inline bool match_line_46(uint32_t payload, uint32_t len) { + + if (len == 46 && MATCH(payload, 0xb6, 0x15, 0x00, 0x06)) + return true; + return false; + +} + +static inline bool match_line_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_line_108(data->payload[0], data->payload_len[0])) { + if (match_line_35(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_line_108(data->payload[1], data->payload_len[1])) { + if (match_line_35(data->payload[0], data->payload_len[0])) + return true; + } + + if (match_line_110(data->payload[0], data->payload_len[0])) { + if (match_line_35(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_line_110(data->payload[1], data->payload_len[1])) { + if (match_line_35(data->payload[0], data->payload_len[0])) + return true; + } + + if (match_line_43(data->payload[0], data->payload_len[0])) { + if (match_line_46(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_line_43(data->payload[1], data->payload_len[1])) { + if (match_line_46(data->payload[0], data->payload_len[0])) + return true; + } + + /* Not 100% sure about this one, but the few clues I have make me + * think this is likely to be Line. + * 1. all connections use at least one port in the 50000+ range. + * 2. many remote addresses are in Japanese ASNs. + * 3. first byte of payload is 0xb6. + */ + if (match_line_16(data->payload[0], data->payload_len[0])) { + if (match_line_16(data->payload[1], data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_line_udp = { + LPI_PROTO_UDP_LINE, + LPI_CATEGORY_CHAT, + "Line_UDP", + 16, + match_line_udp +}; + +void register_line_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_line_udp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_linkproof.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_linkproof.cc new file mode 100644 index 0000000..5b8bf4e --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_linkproof.cc @@ -0,0 +1,59 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_linkproof(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->payload_len[0] != 0 && data->payload_len[1] != 0) + return false; + + if (!match_str_either(data, "link")) + return false; + + if (data->payload_len[0] == 50 || data->payload_len[1] == 50) + return true; + + + return false; +} + +static lpi_module_t lpi_linkproof = { + LPI_PROTO_UDP_LINKPROOF, + LPI_CATEGORY_MONITORING, + "Linkproof", + 3, + match_linkproof +}; + +void register_linkproof(LPIModuleMap *mod_map) { + register_protocol(&lpi_linkproof, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_loadout.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_loadout.cc new file mode 100644 index 0000000..9eec1a7 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_loadout.cc @@ -0,0 +1,71 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_load_42(uint32_t payload, uint32_t len) { + if (len == 42 && MATCH(payload, 0x60, 0x0a, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_load_46(uint32_t payload, uint32_t len) { + if (len == 46 && MATCH(payload, 0x60, 0x0a, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_loadout(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_load_42(data->payload[0], data->payload_len[0])) { + if (match_load_46(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_load_42(data->payload[1], data->payload_len[1])) { + if (match_load_46(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_loadout = { + LPI_PROTO_UDP_LOADOUT, + LPI_CATEGORY_GAMING, + "Loadout", + 60, + match_loadout +}; + +void register_loadout(LPIModuleMap *mod_map) { + register_protocol(&lpi_loadout, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_lol.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_lol.cc new file mode 100644 index 0000000..4c663e6 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_lol.cc @@ -0,0 +1,64 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* League of Legends: a popular online game circa 2012/2013 */ +static inline bool match_lol(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if ((data->server_port < 5100 || data->server_port > 5150) && + (data->client_port < 5100 || data->client_port > 5150)) + return false; + + if (data->payload_len[0] == 44 && data->payload_len[1] == 48) + return true; + if (data->payload_len[1] == 44 && data->payload_len[0] == 48) + return true; + + if (data->payload_len[0] == 52 && data->payload_len[1] == 48) + return true; + if (data->payload_len[1] == 52 && data->payload_len[0] == 48) + return true; + + return false; +} + +static lpi_module_t lpi_lol = { + LPI_PROTO_UDP_LOL, + LPI_CATEGORY_GAMING, + "LeagueOfLegends", + 35, + match_lol +}; + +void register_lol(LPIModuleMap *mod_map) { + register_protocol(&lpi_lol, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_mdns.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_mdns.cc new file mode 100644 index 0000000..32445ce --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_mdns.cc @@ -0,0 +1,100 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Multicast DNS */ + +static inline bool match_unicast_mdns(lpi_data_t *data) { + if (data->server_port != 5353 && data->client_port != 5353) { + return false; + } + + /* Only time I've ever seen this is Russian hackers trying + * to get more info about the local network. */ + + if (MATCH(data->payload[0], 0x00, 0x00, 0x84, 0x00)) { + if (MATCH(data->payload[1], 0x00, 0x00, 0x00, 0x00)) + return true; + } + + if (MATCH(data->payload[1], 0x00, 0x00, 0x84, 0x00)) { + if (MATCH(data->payload[0], 0x00, 0x00, 0x00, 0x00)) + return true; + } + return false; +} + +static inline bool match_mdns(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_unicast_mdns(data)) + return true; + + if (data->server_port != 5353) + return false; + if (data->client_port != 5353) + return false; + + /* Flags are set */ + if (MATCH(data->payload[0], 0x00, 0x00, 0x84, 0x00)) { + if (data->payload_len[1] == 0) + return true; + } + if (MATCH(data->payload[1], 0x00, 0x00, 0x84, 0x00)) { + if (data->payload_len[0] == 0) + return true; + } + + /* Flags are not set - this is tricky because the payload is zero */ + if (data->payload_len[0] != 0 && data->payload[0] == 0) { + if (data->payload_len[1] == 0) + return true; + } + if (data->payload_len[1] != 0 && data->payload[1] == 0) { + if (data->payload_len[0] == 0) + return true; + } + + + return false; +} + +static lpi_module_t lpi_mdns = { + LPI_PROTO_UDP_MDNS, + LPI_CATEGORY_SERVICES, + "mDNS", + 20, + match_mdns +}; + +void register_mdns(LPIModuleMap *mod_map) { + register_protocol(&lpi_mdns, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_merakicloud.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_merakicloud.cc new file mode 100644 index 0000000..9e2045b --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_merakicloud.cc @@ -0,0 +1,61 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +static inline bool match_merakicloud(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Port 7351 */ + + /* This may just be a user id of some sort -- need to see multiple + * users to confirm this is a fixed pattern. + */ + if (MATCH(data->payload[0], 0xfe, 0xf7, 0x28, 0x91)) { + if (MATCH(data->payload[1], 0xfe, 0xf7, 0x28, 0x91)) { + return true; + } + } + + return false; +} + +static lpi_module_t lpi_merakicloud = { + LPI_PROTO_UDP_MERAKICLOUD, + LPI_CATEGORY_CLOUD, + "MerakiCloud", + 34, + match_merakicloud +}; + +void register_merakicloud(LPIModuleMap *mod_map) { + register_protocol(&lpi_merakicloud, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_moh.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_moh.cc new file mode 100644 index 0000000..9806f33 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_moh.cc @@ -0,0 +1,101 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_moh_ping(lpi_data_t *data) { + + /* Seems to be server browsing for Medal of Honor: AA */ + + if (match_str_both(data, "ping", "\xff\xff\xff\xff")) + return true; + + if (MATCHSTR(data->payload[0], "ping")) { + if (data->payload_len[0] != 4) + return false; + if (data->payload_len[1] == 0) + return true; + } + + if (MATCHSTR(data->payload[1], "ping")) { + if (data->payload_len[1] != 4) + return false; + if (data->payload_len[0] == 0) + return true; + } + + return false; +} + + +static inline bool match_moh(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_moh_ping(data)) + return true; + + if (!MATCH(data->payload[0], 0xff, 0xff, 0xff, 0xff)) + return false; + if (!MATCH(data->payload[1], 0xff, 0xff, 0xff, 0xff)) + return false; + + /* This is kinda a broad match, so let's refine it a bit by using the + * port number */ + if (data->server_port >= 12200 && data->server_port <= 12210) { + + if (data->payload_len[0] == 16 && data->payload_len[1] > 600) + return true; + if (data->payload_len[1] == 16 && data->payload_len[0] > 600) + return true; + } + + if (data->client_port >= 12200 && data->client_port <= 12210) { + + if (data->payload_len[0] == 16 && data->payload_len[1] > 600) + return true; + if (data->payload_len[1] == 16 && data->payload_len[0] > 600) + return true; + } + + + return false; +} + +static lpi_module_t lpi_moh = { + LPI_PROTO_UDP_MOH, + LPI_CATEGORY_GAMING, + "MedalOfHonor", + 8, + match_moh +}; + +void register_moh(LPIModuleMap *mod_map) { + register_protocol(&lpi_moh, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_moonhunters.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_moonhunters.cc new file mode 100644 index 0000000..2c67cb6 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_moonhunters.cc @@ -0,0 +1,80 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Needs to be confirmed, as this game costs money, but pretty confident + * that Moon Hunters is the source of the traffic for this rule. + */ + +static inline bool match_mh_27(uint32_t payload, uint32_t len) { + + if (len == 27 && MATCH(payload, 0x00, 0x00, 0x05, 0x00)) + return true; + return false; +} + +static inline bool match_mh_10(uint32_t payload, uint32_t len) { + + if (len == 10 && MATCH(payload, 0x00, 0x00, 0x05, 0x00)) + return true; + return false; +} + +static inline bool match_moonhunters(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 9999 && data->client_port != 9999) + return false; + + if (match_mh_27(data->payload[0], data->payload_len[0])) { + if (match_mh_10(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_mh_27(data->payload[1], data->payload_len[1])) { + if (match_mh_10(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_moonhunters = { + LPI_PROTO_UDP_MOONHUNTERS, + LPI_CATEGORY_GAMING, + "MoonHunters", + 51, + match_moonhunters +}; + +void register_moonhunters(LPIModuleMap *mod_map) { + register_protocol(&lpi_moonhunters, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_mp2p.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_mp2p.cc new file mode 100644 index 0000000..8130396 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_mp2p.cc @@ -0,0 +1,92 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_mp2p_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* At least one of the endpoints needs to be on the known port */ + if (data->server_port != 41170 && data->client_port != 41170) + return false; + + if (match_chars_either(data, 0x3d, 0x4a, 0xd9, ANY)) + return true; + if (match_chars_either(data, 0x3e, 0x4a, 0xd9, ANY)) + return true; + if (match_chars_either(data, 0x3d, 0x4b, 0xd9, ANY)) + return true; + if (match_chars_either(data, 0x3e, 0x4b, 0xd9, ANY)) + return true; + if (match_chars_either(data, ANY, 0x4b, 0xd9, 0x65)) + return true; + if (match_chars_either(data, ANY, 0x4a, 0xd9, 0x65)) + return true; + if (match_chars_either(data, ANY, 0x4a, 0xd6, 0x6f)) + return true; + if (match_chars_either(data, ANY, 0x4a, 0xd6, 0x90)) + return true; + + + /* Seeing a lot of these in flows using port 41170 both ways */ + + /* Watch out for one-way DNS again */ + if (data->server_port == 53 || data->client_port == 53) + return false; + + if (MATCH(data->payload[0], ANY, ANY, 0x00, 0x00) && + data->payload_len[0] != 0) { + if (data->payload_len[1] != 0) + return false; + return true; + } + + if (MATCH(data->payload[1], ANY, ANY, 0x00, 0x00) && + data->payload_len[1] != 0) { + if (data->payload_len[0] != 0) + return false; + return true; + } + + + return false; +} + +static lpi_module_t lpi_mp2p_udp = { + LPI_PROTO_UDP_MP2P, + LPI_CATEGORY_P2P, + "MP2P_UDP", + 4, + match_mp2p_udp +}; + +void register_mp2p_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_mp2p_udp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_msn_cache.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_msn_cache.cc new file mode 100644 index 0000000..4b83c95 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_msn_cache.cc @@ -0,0 +1,62 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_msn_cache(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->payload_len[0] != 0 && data->payload_len[1] != 0) + return false; + + /* These packets seem to be 20 bytes */ + if (data->payload_len[0] != 20 && data->payload_len[1] != 20) + return false; + + if (match_chars_either(data, 0x02, 0x04, 0x00, 0x00)) + return true; + if (match_chars_either(data, 0x02, 0x01, 0x41, 0x31)) + return true; + + + return false; +} + +static lpi_module_t lpi_msn_cache = { + LPI_PROTO_UDP_MSN_CACHE, + LPI_CATEGORY_CHAT, + "MSN_Cache", + 3, + match_msn_cache +}; + +void register_msn_cache(LPIModuleMap *mod_map) { + register_protocol(&lpi_msn_cache, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_msn_video.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_msn_video.cc new file mode 100644 index 0000000..132ccf8 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_msn_video.cc @@ -0,0 +1,64 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_msn_video(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* The authorization messages use a code of 0x48, followed by 3 + * bytes of zero. The packet contains no non-header payload, so the + * payload length must be the size of the MSN video header (10 bytes) + * + * Ref: http://ml20rc.msnfanatic.com/vc_1_1/index.html + */ + if (!(MATCHSTR(data->payload[0], "\x48\x00\x00\x00") && + data->payload_len[0] == 10)) + return false; + + if (!(MATCHSTR(data->payload[1], "\x48\x00\x00\x00") && + data->payload_len[1] == 10)) + return false; + + return true; + +} + +static lpi_module_t lpi_msn_video = { + LPI_PROTO_UDP_MSN_VIDEO, + LPI_CATEGORY_CHAT, + "MSN_Video_UDP", + 3, + match_msn_video +}; + +void register_msn_video(LPIModuleMap *mod_map) { + register_protocol(&lpi_msn_video, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_msoffice_mac.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_msoffice_mac.cc new file mode 100644 index 0000000..37551bd --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_msoffice_mac.cc @@ -0,0 +1,72 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +/* Protocol used by MS Office 2008 (Mac OS X version only) for license checking + * on a local network. + */ + +static inline bool match_office_2008(lpi_data_t *data) { + + if (!match_str_either(data, "MSOP")) + return false; + + if (data->payload_len[0] == 72 && data->payload_len[1] == 0) + return true; + if (data->payload_len[1] == 72 && data->payload_len[0] == 0) + return true; + + return false; +} + +static inline bool match_msoffice_mac(lpi_data_t *data, + lpi_module_t *mod UNUSED) { + + if (data->server_port == 2223 || data->client_port == 2223) { + return match_office_2008(data); + } + + return false; +} + +static lpi_module_t lpi_msoffice_mac = { + LPI_PROTO_UDP_MSOFFICE_MAC, + LPI_CATEGORY_BROADCAST, + "MSOffice_Mac", + 10, + match_msoffice_mac +}; + +void register_msoffice_mac(LPIModuleMap *mod_map) { + register_protocol(&lpi_msoffice_mac, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_mta.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_mta.cc new file mode 100644 index 0000000..0c5318b --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_mta.cc @@ -0,0 +1,86 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_ase_ping(lpi_data_t *data) { + + /* Commonly used by MultiTheftAuto - the use of "ping" and + * "Ping" is not documented though */ + + if (MATCHSTR(data->payload[0], "ping")) { + if (data->payload_len[0] != 16) + return false; + if (data->payload_len[1] == 0) + return true; + if (data->payload_len[1] != 16) + return false; + if (MATCHSTR(data->payload[1], "Ping")) + return true; + return false; + } + + if (MATCHSTR(data->payload[1], "ping")) { + if (data->payload_len[1] != 16) + return false; + if (data->payload_len[0] == 0) + return true; + if (data->payload_len[0] != 16) + return false; + if (MATCHSTR(data->payload[0], "Ping")) + return true; + return false; + } + + return false; + +} + + +static inline bool match_mta(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Multitheftauto uses ASE on UDP to ping servers */ + if (match_ase_ping(data)) + return true; + return false; +} + +static lpi_module_t lpi_mta = { + LPI_PROTO_UDP_MTA, + LPI_CATEGORY_GAMING, + "MultiTheftAuto", + 5, + match_mta +}; + +void register_mta(LPIModuleMap *mod_map) { + register_protocol(&lpi_mta, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_n2ping.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_n2ping.cc new file mode 100644 index 0000000..ee5d7de --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_n2ping.cc @@ -0,0 +1,79 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* This is a horrible pseudo-VPN that is used to access content that is + * restricted to China only. Despite their claims, the traffic is not + * encrypted -- just tunnelled over a custom UDP application protocol + * to a server in Hong Kong. + */ + +static inline bool match_n2ping_header(uint32_t payload) { + + if (MATCH(payload, 0x08, 0x00, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_n2ping(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + bool validport = false; + + if (data->server_port == 44778 || data->client_port == 44778) { + validport = true; + } + if (data->server_port == 23 || data->client_port == 23) { + validport = true; + } + + if (validport && match_n2ping_header(data->payload[0]) && + match_n2ping_header(data->payload[1])) { + if (data->payload_len[0] < 100) + return true; + if (data->payload_len[1] < 100) + return true; + } + + return false; +} + +static lpi_module_t lpi_n2ping = { + LPI_PROTO_UDP_N2PING, + LPI_CATEGORY_TUNNELLING, + "N2Ping", + 150, + match_n2ping +}; + +void register_n2ping(LPIModuleMap *mod_map) { + register_protocol(&lpi_n2ping, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_natpmp.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_natpmp.cc new file mode 100644 index 0000000..8680ca6 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_natpmp.cc @@ -0,0 +1,87 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_natpmp_probe(uint32_t payload, uint32_t len) { + if (len != 2) + return false; + + if (!MATCHSTR(payload, "\x00\x00\x00\x00")) + return false; + + return true; + +} + +static inline bool match_natpmp_response(uint32_t payload, uint32_t len) { + if (len == 0) + return true; + + /* Just guessing based on RFC6886 */ + if (len != 12) + return false; + + if (!MATCHSTR(payload, "\x00\x80\x00\x00")) + return false; + + return true; + +} + +static inline bool match_natpmp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* XXX Shall we limit to port 5351 only? */ + + /* Only seen attempted scanning so far */ + if (match_natpmp_probe(data->payload[0], data->payload_len[0])) { + if (match_natpmp_response(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_natpmp_probe(data->payload[1], data->payload_len[1])) { + if (match_natpmp_response(data->payload[0], data->payload_len[0])) + return true; + } + return false; +} + +static lpi_module_t lpi_natpmp = { + LPI_PROTO_UDP_NATPMP, + LPI_CATEGORY_NAT, + "NAT-PMP", + 20, + match_natpmp +}; + +void register_natpmp(LPIModuleMap *mod_map) { + register_protocol(&lpi_natpmp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_netbios.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_netbios.cc new file mode 100644 index 0000000..a720219 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_netbios.cc @@ -0,0 +1,168 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_netbios_name_req(uint32_t payload, uint32_t len) { + + if (MATCH(payload, ANY, ANY, 0x00, 0x00)) { + if (len == 50) + return true; + if (len == 20) + return true; + if (len == 33) + return true; + } + + if (MATCH(payload, ANY, ANY, 0x01, 0x00)) { + if (len == 50) + return true; + + } + + if (MATCH(payload, ANY, ANY, 0x40, 0x00)) { + if (len == 68) + return true; + + } + + if (MATCH(payload, ANY, ANY, 0x29, 0x10)) { + if (len == 68) + return true; + } + + /* Broadcast traffic */ + if (MATCH(payload, ANY, ANY, 0x01, 0x10)) { + if (len == 50) + return true; + + } + return false; + +} + +static inline bool match_netbios_name_resp(uint32_t resp, uint32_t req) { + + if (!MATCH(resp, ANY, ANY, 0x84, 0x00)) + return false; + + /* First two bytes must match */ + if ((resp & 0x0000ffff) != (req & 0x0000ffff)) + return false; + + return true; + +} + +static inline bool match_netbios_datagram(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 0x11, 0x02, ANY, ANY)) + return true; + if (MATCH(payload, 0x11, 0x06, ANY, ANY)) + return true; + if (MATCH(payload, 0x11, 0x0e, ANY, ANY)) + return true; + + return false; +} + +static inline bool match_name_resp_only(lpi_data_t *data) { + + /* Match the "special" case where only a name response is + * observed, presumably misdirected traffic */ + + if (data->payload_len[0] != 0 && data->payload_len[1] != 0) + return false; + + if (data->server_port != 137 && data->client_port != 137) + return false; + + if (!match_chars_either(data, ANY, ANY, 0x84, 0x00)) + return false; + + return true; + + +} + +static inline bool match_netbios_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_netbios_name_req(data->payload[0], data->payload_len[0])) { + if (data->server_port != 137 && data->client_port != 137) + return false; + + if (match_netbios_name_resp(data->payload[1], data->payload[0])) + return true; + if (data->payload_len[1] == 0) + return true; + } + + if (match_netbios_name_req(data->payload[1], data->payload_len[1])) { + if (data->server_port != 137 && data->client_port != 137) + return false; + if (match_netbios_name_resp(data->payload[0], data->payload[1])) + return true; + if (data->payload_len[0] == 0) + return true; + } + + if (match_netbios_datagram(data->payload[0], data->payload_len[0])) { + if (data->server_port != 138 && data->client_port != 138) + return false; + + if (data->payload_len[1] == 0) + return true; + } + + if (match_netbios_datagram(data->payload[1], data->payload_len[1])) { + if (data->server_port != 138 && data->client_port != 138) + return false; + if (data->payload_len[0] == 0) + return true; + } + + if (match_name_resp_only(data)) + return true; + + return false; +} + +static lpi_module_t lpi_netbios_udp = { + LPI_PROTO_UDP_NETBIOS, + LPI_CATEGORY_SERVICES, + "NetBIOS_UDP", + 5, + match_netbios_udp +}; + +void register_netbios_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_netbios_udp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_netcat_cctv_udp.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_netcat_cctv_udp.cc new file mode 100644 index 0000000..4207e2b --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_netcat_cctv_udp.cc @@ -0,0 +1,64 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_xmip_header(uint32_t payload, uint32_t len) { + if (MATCH(payload, 0x12, 0x20, 0xd0, 0x07)) { + if (len == 112 || len == 120 || len == 184 || len == 148) + return true; + } + return false; +} + +static inline bool match_netcat_cctv_udp(lpi_data_t *data, + lpi_module_t *mod UNUSED) { + + + if (match_xmip_header(data->payload[0], data->payload_len[0])) { + if (match_xmip_header(data->payload[1], data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_netcat_cctv_udp = { + LPI_PROTO_UDP_NETCAT_CCTV, + LPI_CATEGORY_IPCAMERAS, + "NetcatCCTV_UDP", + 22, + match_netcat_cctv_udp +}; + +void register_netcat_cctv_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_netcat_cctv_udp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_netcore_scan.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_netcore_scan.cc new file mode 100644 index 0000000..7dc479f --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_netcore_scan.cc @@ -0,0 +1,69 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +static inline bool match_netcore_scan(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Well-known vulnerability in Netcore CPEs, which listen on port + * 53413 on the WAN interface. + * + * Mostly just a major source of UDP scan traffic. + */ + + if (data->server_port != 53413 && data->client_port != 53413) + return false; + + if (MATCHSTR(data->payload[0], "AAAA")) + return true; + if (MATCHSTR(data->payload[1], "AAAA")) + return true; + + if (MATCHSTR(data->payload[0], "AA\x00\x00")) + return true; + if (MATCHSTR(data->payload[1], "AA\x00\x00")) + return true; + + return false; +} + +static lpi_module_t lpi_netcore_scan = { + LPI_PROTO_UDP_NETCORE, + LPI_CATEGORY_MALWARE, + "NetcoreScan", + 199, + match_netcore_scan +}; + +void register_netcore_scan(LPIModuleMap *mod_map) { + register_protocol(&lpi_netcore_scan, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_netflow.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_netflow.cc new file mode 100644 index 0000000..d0bffbb --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_netflow.cc @@ -0,0 +1,68 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_netflow(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* NetFlow is one-way only */ + if (data->payload_len[0] != 0 && data->payload_len[1] != 0) + return false; + + /* Force port requirement for now */ + if (data->server_port != 9996 && data->client_port != 9996) + return false; + + /* Match NetFlow version 5 */ + if (MATCH(data->payload[0], 0x00, 0x05, 0x00, ANY)) + return true; + if (MATCH(data->payload[1], 0x00, 0x05, 0x00, ANY)) + return true; + /* Match NetFlow version 9 */ + if (MATCH(data->payload[0], 0x00, 0x09, 0x00, ANY)) + return true; + if (MATCH(data->payload[1], 0x00, 0x09, 0x00, ANY)) + return true; + + return false; +} + +static lpi_module_t lpi_netflow = { + LPI_PROTO_UDP_NETFLOW, + LPI_CATEGORY_MONITORING, + "NetFlow", + 14, + match_netflow +}; + +void register_netflow(LPIModuleMap *mod_map) { + register_protocol(&lpi_netflow, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_newerth.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_newerth.cc new file mode 100644 index 0000000..90a38b4 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_newerth.cc @@ -0,0 +1,91 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_newerth_301(uint32_t payload, uint32_t len) { + if (len == 27 && MATCH(payload, 0x00, 0x00, 0x03, 0x01)) + return true; + return false; +} + +static inline bool match_newerth_1c9(uint32_t payload, uint32_t len) { + if (len == 4 && MATCH(payload, 0x00, 0x00, 0x01, 0xc9)) + return true; + return false; +} + + + +static inline bool match_newerth_payload(uint32_t payload, uint32_t len) { + if (len == 0) + return true; + if (MATCH(payload, 0x00, 0x00, 0x01, 0x66)) + return true; + if (MATCH(payload, 0x00, 0x00, 0x01, 0xca) && len == 6) + return true; + return false; +} + + +static inline bool match_newerth(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_newerth_1c9(data->payload[0], data->payload_len[0])) { + if (match_newerth_301(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_newerth_1c9(data->payload[1], data->payload_len[1])) { + if (match_newerth_301(data->payload[0], data->payload_len[0])) + return true; + } + + if (!match_newerth_payload(data->payload[0], data->payload_len[0])) + return false; + if (!match_newerth_payload(data->payload[1], data->payload_len[1])) + return false; + + return true; + + +} + +static lpi_module_t lpi_newerth = { + LPI_PROTO_UDP_NEWERTH, + LPI_CATEGORY_GAMING, + "NewerthGames", + 3, + match_newerth +}; + +void register_newerth(LPIModuleMap *mod_map) { + register_protocol(&lpi_newerth, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_nintendo.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_nintendo.cc new file mode 100644 index 0000000..b3bef84 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_nintendo.cc @@ -0,0 +1,63 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +static inline bool match_nintendo_magic(uint32_t payload, uint32_t len) { + /* https://github.com/Shragei/SplatNet/blob/master/NinMainTiming.txt */ + + if ((len == 64 || len == 84) && MATCH(payload, 0x32, 0xab, 0x98, 0x64)) + return true; + return false; +} + +static inline bool match_nintendo(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_nintendo_magic(data->payload[0], data->payload_len[0])) { + if (match_nintendo_magic(data->payload[1], data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_nintendo = { + LPI_PROTO_UDP_NINTENDO, + LPI_CATEGORY_GAMING, + "NintendoGames", + 5, + match_nintendo +}; + +void register_nintendo(LPIModuleMap *mod_map) { + register_protocol(&lpi_nintendo, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_noction.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_noction.cc new file mode 100644 index 0000000..473039f --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_noction.cc @@ -0,0 +1,54 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_noction(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Never seen anyone reply to this stuff */ + + if (match_str_either(data, "NOCT")) + return true; + + return false; +} + +static lpi_module_t lpi_noction = { + LPI_PROTO_UDP_NOCTION, + LPI_CATEGORY_MONITORING, + "NoctionIRP", + 3, + match_noction +}; + +void register_noction(LPIModuleMap *mod_map) { + register_protocol(&lpi_noction, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_noe.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_noe.cc new file mode 100644 index 0000000..9de88ef --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_noe.cc @@ -0,0 +1,89 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Alcatel's New Office Environment proprietary VOIP protocol + * Thanks to Remy Mudingay for providing traces to identify this protocol + */ + +static inline bool match_noe_5byte(uint32_t payload, uint32_t plen) { + + if (plen != 5) + return false; + if (MATCH(payload, 0x07, ANY, ANY, ANY)) + return true; + return false; + +} + +static inline bool match_noe_20byte(uint32_t payload, uint32_t plen) { + + if (plen != 20) + return false; + if (MATCH(payload, 0x07, ANY, ANY, ANY)) + return true; + return false; + +} + +static inline bool match_noe(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->payload_len[0] == 1 && data->payload_len[1] == 1) { + if (match_str_both(data, "\x05\x00\x00\x00", + "\x04\x00\x00\x00")) { + return true; + } + } + + if (match_noe_5byte(data->payload[0], data->payload_len[0])) { + if (match_noe_20byte(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_noe_5byte(data->payload[1], data->payload_len[1])) { + if (match_noe_20byte(data->payload[0], data->payload_len[0])) + return true; + } + return false; +} + +static lpi_module_t lpi_noe = { + LPI_PROTO_UDP_NOE, + LPI_CATEGORY_VOIP, + "NOE", + 12, + match_noe +}; + +void register_noe(LPIModuleMap *mod_map) { + register_protocol(&lpi_noe, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_nopayload.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_nopayload.cc new file mode 100644 index 0000000..911605c --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_nopayload.cc @@ -0,0 +1,52 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_udp_no_payload(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->observed[0] == 0 && data->observed[1] == 0) + return true; + + return false; +} + +static lpi_module_t lpi_udp_no_payload = { + LPI_PROTO_NO_PAYLOAD, + LPI_CATEGORY_NOPAYLOAD, + "No_Payload", + 0, /* Must be highest priority! */ + match_udp_no_payload +}; + +void register_udp_no_payload(LPIModuleMap *mod_map) { + register_protocol(&lpi_udp_no_payload, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_norton.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_norton.cc new file mode 100644 index 0000000..2eb06b2 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_norton.cc @@ -0,0 +1,104 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_norton_24_00(uint32_t payload, uint32_t len) { + + if (len != 24) + return false; + if (MATCH(payload, 0x00, 0x10, 0x00, 0x14)) + return true; + return false; + +} + +static inline bool match_norton_24_80(uint32_t payload, uint32_t len) { + + if (len == 0) + return true; + if (len != 24) + return false; + if (MATCH(payload, 0x80, 0x10, 0x00, 0x14)) + return true; + return false; + +} + + +static inline bool match_norton(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (MATCH(data->payload[0], 0x02, 0x0a, 0x00, 0xc0)) { + if (data->payload_len[0] != 16) + return false; + if (data->payload_len[1] != 0) + return false; + return true; + } + if (MATCH(data->payload[1], 0x02, 0x0a, 0x00, 0xc0)) { + if (data->payload_len[1] != 16) + return false; + if (data->payload_len[0] != 0) + return false; + return true; + } + + + /* New behaviour observed in 2012 - interesting use of port 53 */ + if (match_norton_24_00(data->payload[0], data->payload_len[0])) { + + if (data->server_port != 53 && data->client_port != 53) + return false; + + if (match_norton_24_80(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_norton_24_00(data->payload[1], data->payload_len[1])) { + if (data->server_port != 53 && data->client_port != 53) + return false; + if (match_norton_24_80(data->payload[0], data->payload_len[0])) + return true; + } + return false; +} + +static lpi_module_t lpi_norton = { + LPI_PROTO_UDP_NORTON, + LPI_CATEGORY_SECURITY, + "Norton_UDP", + 5, + match_norton +}; + +void register_norton(LPIModuleMap *mod_map) { + register_protocol(&lpi_norton, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_ntp.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_ntp.cc new file mode 100644 index 0000000..b9053c1 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_ntp.cc @@ -0,0 +1,153 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_ntp_request(uint32_t payload, uint32_t len) { + + uint8_t first; + uint8_t *ptr; + uint8_t version; + + if (len != 48 && len != 68 && len != 64) + return false; + + ptr = (uint8_t *)&payload; + first = *ptr; + + //first = (uint8_t) (payload); + + version = (first & 0x38) >> 3; + + if (version > 4 || version == 0) + return false; + + return true; + +} + +static inline bool match_version0_request(uint32_t payload, uint32_t len) { + + uint32_t secondbyte = 0; + + if (len != 48) + return false; + + /* Only supporting the 'clock good' status for now */ + if (!MATCH(payload, 0x00, ANY, ANY, ANY)) + return false; + + secondbyte = ((ntohl(payload) >> 16) & 0xff); + if (secondbyte > 4) + return false; + return true; + + +} + +static inline bool match_ntp_response(uint32_t payload, uint32_t len) { + + uint8_t first; + uint8_t version; + uint8_t mode; + + /* Server may not have replied */ + if (len == 0) + return true; + + first = (uint8_t) (payload); + + version = (first & 0x38) >> 3; + mode = (first & 0x07); + + if (version > 4 || version == 0) + return false; + if (mode == 3) + return false; + + return true; +} + + +static inline bool match_ntp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Force NTP to be on port 123 */ + + if (data->server_port != 123 && data->client_port != 123) + return false; + + if (match_ntp_request(data->payload[0], data->payload_len[0])) { + if (match_ntp_response(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_ntp_request(data->payload[1], data->payload_len[1])) { + if (match_ntp_response(data->payload[0], data->payload_len[0])) + return true; + } + + if (match_version0_request(data->payload[0], data->payload_len[0])) { + if (match_ntp_response(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_version0_request(data->payload[1], data->payload_len[1])) { + if (match_ntp_response(data->payload[0], data->payload_len[0])) + return true; + } + + /* OK, turns out we can have NTP servers that keep sending responses + * without a specific request from the client */ + if (match_ntp_response(data->payload[0], data->payload_len[0]) && + data->payload_len[0] == 48 && + data->payload_len[1] == 0) { + return true; + } + if (match_ntp_response(data->payload[1], data->payload_len[1]) && + data->payload_len[1] == 48 && + data->payload_len[0] == 0) { + return true; + } + + return false; +} + +static lpi_module_t lpi_ntp = { + LPI_PROTO_UDP_NTP, + LPI_CATEGORY_SERVICES, + "NTP", + 2, + match_ntp +}; + +void register_ntp(LPIModuleMap *mod_map) { + register_protocol(&lpi_ntp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_ntp_reflect.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_ntp_reflect.cc new file mode 100644 index 0000000..5a91cf5 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_ntp_reflect.cc @@ -0,0 +1,99 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +static inline bool match_monlist(uint32_t payload, uint32_t len) { + + if (len == 0) + return true; + + if (MATCH(payload, 0x17, 0x00, 0x03, 0x2a)) + return true; + return false; + +} + +static inline bool match_monlist_reply(uint32_t payload, uint32_t len) { + + /* Hopefully nobody replies :) */ + if (len == 0) + return true; + + /* NTPv2 reply */ + if (MATCH(payload, 0x97, 0x00, 0x03, 0x2a)) + return true; + if (MATCH(payload, 0xd7, ANY, 0x03, 0x2a)) + return true; + + /* NTPv3 reply */ + if (MATCH(payload, 0x9f, 0x00, 0x03, 0x2a)) + return true; + if (MATCH(payload, 0xdf, 0x00, 0x03, 0x2a)) + return true; + + + + return false; + +} + +static inline bool match_ntp_reflect(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 123 && data->client_port != 123) + return false; + + if (match_monlist(data->payload[0], data->payload_len[0])) { + if (match_monlist_reply(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_monlist(data->payload[1], data->payload_len[1])) { + if (match_monlist_reply(data->payload[0], data->payload_len[0])) + return true; + } + + + return false; +} + +static lpi_module_t lpi_ntp_reflect = { + LPI_PROTO_UDP_NTP_REFLECT, + LPI_CATEGORY_MALWARE, + "NTPReflection", + 50, + match_ntp_reflect +}; + +void register_ntp_reflect(LPIModuleMap *mod_map) { + register_protocol(&lpi_ntp_reflect, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_nvidia_gamestream.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_nvidia_gamestream.cc new file mode 100644 index 0000000..3a956b4 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_nvidia_gamestream.cc @@ -0,0 +1,84 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_gs_ping(uint32_t payload, uint32_t len) { + if (len == 4 && MATCHSTR(payload, "PING")) { + return true; + } + return false; +} + +static inline bool match_gs_rtp(uint32_t payload, uint32_t len) { + if (MATCH(payload, 0x80, 0x61, 0x00, 0x00)) { + if (len == 72) { + return true; + } + } + + if (MATCH(payload, 0x90, 0x67, 0x00, 0x00)) { + if (len == 1040) { + return true; + } + } + return false; +} + +static inline bool match_nvidia_gamestream(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_gs_ping(data->payload[0], data->payload_len[0])) { + if (match_gs_rtp(data->payload[1], data->payload_len[1])) { + return true; + } + } + + if (match_gs_ping(data->payload[1], data->payload_len[1])) { + if (match_gs_rtp(data->payload[0], data->payload_len[0])) { + return true; + } + } + + + return false; +} + +static lpi_module_t lpi_nvidia_gamestream = { + LPI_PROTO_UDP_NVIDIA_GAMESTREAM, + LPI_CATEGORY_GAMING, + "NVIDIAGamestream", + 99, + match_nvidia_gamestream +}; + +void register_nvidia_gamestream(LPIModuleMap *mod_map) { + register_protocol(&lpi_nvidia_gamestream, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_nwn.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_nwn.cc new file mode 100644 index 0000000..497f636 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_nwn.cc @@ -0,0 +1,52 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_nwn(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_either(data, "BNES")) + return true; + + return false; +} + +static lpi_module_t lpi_nwn = { + LPI_PROTO_UDP_NEVERWINTER, + LPI_CATEGORY_GAMING, + "NeverwinterNights", + 4, + match_nwn +}; + +void register_nwn(LPIModuleMap *mod_map) { + register_protocol(&lpi_nwn, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_opaserv.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_opaserv.cc new file mode 100644 index 0000000..346e65c --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_opaserv.cc @@ -0,0 +1,64 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Matches the Opaserv worm that attacks UDP port 137 + * Ref: http://www.usenix.org/events/osdi04/tech/full_papers/singh/singh_html/ + */ + +static inline bool match_opaserv(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* The recipient does not reply (usually) */ + if (data->payload_len[0] > 0 && data->payload_len[1] > 0) + return false; + + if (data->server_port != 137 && data->client_port != 137) + return false; + + if (match_chars_either(data, 0x01, 0x00, 0x00, 0x10)) + return true; + + + return false; +} + +static lpi_module_t lpi_opaserv = { + LPI_PROTO_UDP_OPASERV, + LPI_CATEGORY_MALWARE, + "Opaserv", + 10, + match_opaserv +}; + +void register_opaserv(LPIModuleMap *mod_map) { + register_protocol(&lpi_opaserv, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_openvpn.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_openvpn.cc new file mode 100644 index 0000000..2a1e678 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_openvpn.cc @@ -0,0 +1,171 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Thanks to Remy Mudingay for providing traces to identify this protocol */ + +static inline bool match_openvpn_handshake(uint32_t pl_a, uint32_t pl_b) { + + + /* 0x31 and 0x37 are commonly used as the first byte of a UDP + * OpenVPN exchange. However, if one end uses 0x31 then the other + * must also use 0x31 -- same for 0x37. + */ + + if (MATCH(pl_a, 0x31, ANY, ANY, ANY)) { + if (MATCH(pl_b, 0x31, ANY, ANY, ANY)) + return true; + } + + if (MATCH(pl_a, 0x37, ANY, ANY, ANY)) { + if (MATCH(pl_b, 0x37, ANY, ANY, ANY)) + return true; + } + + if (MATCH(pl_a, 0x49, ANY, ANY, ANY)) { + if (MATCH(pl_b, 0x49, ANY, ANY, ANY)) + return true; + } + + return false; + +} + +static inline bool match_tunnelbear_40(uint32_t payload, uint32_t len) { + if (!MATCH(payload, 0x40, ANY, ANY, ANY)) + return false; + if (len != 26) + return false; + return true; + +} + +static inline bool match_tunnelbear_38(uint32_t payload, uint32_t len) { + if (!MATCH(payload, 0x38, ANY, ANY, ANY)) + return false; + if (len != 14 && len != 126 && len != 128) + return false; + return true; + +} + +static inline bool match_wscribe_40(uint32_t payload, uint32_t len) { + if (!MATCH(payload, 0x40, ANY, ANY, ANY)) + return false; + if (len != 98) + return false; + return true; + +} + +static inline bool match_wscribe_38(uint32_t payload, uint32_t len) { + if (!MATCH(payload, 0x38, ANY, ANY, ANY)) + return false; + if (len != 86) + return false; + return true; + +} + +static inline bool match_openvpn_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port == 53 || data->client_port == 53) { + return false; + } + + /* The payload matching alone isn't very strong, so I'm going to + * add a port-based condition as well. Default port for OpenVPN + * is UDP 1194 */ + + if (data->server_port == 1194 || data->client_port == 1194) { + /* Just match the two-way stuff for now */ + if (match_openvpn_handshake(data->payload[0], + data->payload[1])) + return true; + + /*add 20201125 for one-way */ + if (data->payload_len[0] == 84 && MATCH(data->payload[0], 0x48, 0x00, ANY, ANY)) + return true; + if (data->payload_len[1] == 84 && MATCH(data->payload[1], 0x48, 0x00, ANY, ANY)) + return true; + + if (((data->payload_len[0] != 0 && data->payload_len[1] == 0) && + (match_tunnelbear_40(data->payload[0], data->payload_len[0]))) || + match_tunnelbear_38(data->payload[0], data->payload_len[0])) + return true; + + if (((data->payload_len[1] != 0 && data->payload_len[0] == 0) && + (match_tunnelbear_40(data->payload[0], data->payload_len[0]))) || + match_tunnelbear_38(data->payload[0], data->payload_len[0])) + return true; + } + + + /* These are based on traffic seen involving TunnelBear hosts */ + if (match_tunnelbear_40(data->payload[0], data->payload_len[0])) { + if (match_tunnelbear_38(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_tunnelbear_40(data->payload[1], data->payload_len[1])) { + if (match_tunnelbear_38(data->payload[0], data->payload_len[0])) + return true; + } + + + /* Similar for Windscribe */ + if (data->server_port == 443 || data->client_port == 443) { + if (match_wscribe_40(data->payload[0], data->payload_len[0])) { + if (match_wscribe_38(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_wscribe_40(data->payload[1], data->payload_len[1])) { + if (match_wscribe_38(data->payload[0], data->payload_len[0])) + return true; + } + } + + return false; +} + +static lpi_module_t lpi_openvpn_udp = { + LPI_PROTO_UDP_OPENVPN, + LPI_CATEGORY_TUNNELLING, + "OpenVPN_UDP", + 12, + match_openvpn_udp +}; + +void register_openvpn_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_openvpn_udp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_orbit.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_orbit.cc new file mode 100644 index 0000000..a190644 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_orbit.cc @@ -0,0 +1,80 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_orbit_payload(uint32_t payload, uint32_t len) { + + if (len == 0) + return true; + + if (MATCH(payload, 0xaa, 0x20, ANY, ANY) && len == 36) + return true; + if (MATCH(payload, 0xaa, 0x10, ANY, ANY) && len == 27) + return true; + if (MATCH(payload, 0xaa, 0x18, ANY, ANY) && len == 27) + return true; + if (MATCH(payload, 0xaa, 0x28, ANY, ANY) && len == 120) + return true; + if (MATCH(payload, 0xab, ANY, 0x78, 0xda)) + return true; + + return false; + +} + + +static inline bool match_orbit_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* There's no nice spec for the Orbit UDP protocol, so I'm just + * going to match based on evidence observed thus far */ + + if (!match_orbit_payload(data->payload[0], data->payload_len[0])) + return false; + if (!match_orbit_payload(data->payload[1], data->payload_len[1])) + return false; + + return true; + + +} + +static lpi_module_t lpi_orbit_udp = { + LPI_PROTO_UDP_ORBIT, + LPI_CATEGORY_FILES, + "Orbit_UDP", + 3, + match_orbit_udp +}; + +void register_orbit_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_orbit_udp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_overwatch.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_overwatch.cc new file mode 100644 index 0000000..ca22205 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_overwatch.cc @@ -0,0 +1,82 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Not 100% confirmed, mainly because there is no trial or F2P version of + * Overwatch to test against. Would be great if anyone out there who owns + * Overwatch to confirm this for me :) + */ + +static inline bool match_owatch_cc(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 0xcc, 0x8e, 0x5f, 0x0d)) + return true; + return false; +} + +static inline bool match_owatch_df(uint32_t payload, uint32_t len) { + + if (len == 0) + return true; + + if ((ntohl(payload) & 0xfffff000) == 0xdffcf000) + return true; + return false; + +} + +static inline bool match_overwatch(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_owatch_cc(data->payload[0], data->payload_len[0])) { + if (match_owatch_df(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_owatch_cc(data->payload[1], data->payload_len[1])) { + if (match_owatch_df(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_overwatch = { + LPI_PROTO_UDP_OVERWATCH, + LPI_CATEGORY_GAMING, + "Overwatch", + 12, + match_overwatch +}; + +void register_overwatch(LPIModuleMap *mod_map) { + register_protocol(&lpi_overwatch, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_paladins.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_paladins.cc new file mode 100644 index 0000000..274dd8e --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_paladins.cc @@ -0,0 +1,89 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_pd_570(uint32_t payload, uint32_t len) { + if (len == 570 && MATCH(payload, 0x00, 0x00, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_pd_46(uint32_t payload, uint32_t len) { + + /* The first byte starts at 0x01 and increments for each + * subsequent flow */ + if (len == 46 && MATCH(payload, ANY, 0x00, 0x00, 0x00)) + return true; + return false; + +} + +static inline bool port_range_check(uint16_t porta, uint16_t portb) { + if (porta >= 9000 && porta < 10000) + return true; + + if (portb >= 9000 && portb < 10000) + return true; + + return false; +} + +static inline bool match_paladins(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (!port_range_check(data->server_port, data->client_port)) + return false; + + if (match_pd_570(data->payload[0], data->payload_len[0])) { + if (match_pd_46(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_pd_570(data->payload[1], data->payload_len[1])) { + if (match_pd_46(data->payload[0], data->payload_len[0])) + return true; + } + + + return false; +} + +static lpi_module_t lpi_paladins = { + LPI_PROTO_UDP_PALADINS, + LPI_CATEGORY_GAMING, + "Paladins", + 203, + match_paladins +}; + +void register_paladins(LPIModuleMap *mod_map) { + register_protocol(&lpi_paladins, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_pando.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_pando.cc new file mode 100644 index 0000000..e23e7ec --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_pando.cc @@ -0,0 +1,81 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* This seems to be a Pando thing - I've found libtorrent handshakes within + * full payload captures of these packets that refer to Pando peer exchange. + * + * It may be a wider Bittorrent thing, but I haven't found any evidence to + * suggest that any clients other than Pando use it */ + +static inline bool match_pando_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_both(data, "\x00\x00\x00\x09", "\x00\x00\x00\x09")) + return true; + + if (MATCH(data->payload[0], 0x00, 0x00, 0x00, 0x09) && + data->payload_len[1] == 0) + return true; + + if (MATCH(data->payload[1], 0x00, 0x00, 0x00, 0x09) && + data->payload_len[0] == 0) + return true; + + /* This is something I've observed going to hosts belonging to + * Pando */ + + if (match_str_both(data, "UDPA", "UDPR")) + return true; + if (match_str_both(data, "UDPA", "UDPE")) + return true; + if (match_str_either(data, "UDPA")) { + if (data->payload_len[0] == 0) + return true; + if (data->payload_len[1] == 0) + return true; + } + + + return false; +} + +static lpi_module_t lpi_pando_udp = { + LPI_PROTO_UDP_PANDO, + LPI_CATEGORY_P2P, + "Pando_UDP", + 10, + match_pando_udp +}; + +void register_pando_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_pando_udp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_panipani.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_panipani.cc new file mode 100644 index 0000000..1559d2a --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_panipani.cc @@ -0,0 +1,77 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* https://play.google.com/store/apps/details?id=jp.colopl.pcat */ + +static inline bool match_pani_42(uint32_t payload, uint32_t len) { + + if (len == 40 && MATCH(payload, 0x42, 0x00, ANY, 0x00)) + return true; + return false; +} + +static inline bool match_pani_4a(uint32_t payload, uint32_t len) { + + if (len == 1051 && MATCH(payload, 0x4a, 0x80, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_panipani(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Port 7101, 7102 or 7103 */ + + if (match_pani_42(data->payload[0], data->payload_len[0])) { + if (match_pani_4a(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_pani_42(data->payload[1], data->payload_len[1])) { + if (match_pani_4a(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_panipani = { + LPI_PROTO_UDP_PANIPANI, + LPI_CATEGORY_GAMING, + "Panipani", + 101, + match_panipani +}; + +void register_panipani(LPIModuleMap *mod_map) { + register_protocol(&lpi_panipani, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_planetside2.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_planetside2.cc new file mode 100644 index 0000000..bb4ba48 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_planetside2.cc @@ -0,0 +1,82 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_planetside_35(uint32_t payload, uint32_t len) { + if (len != 35) + return false; + + if (!MATCH(payload, 0x00, 0x01, 0x00, 0x00)) + return false; + + return true; + +} + +static inline bool match_planetside_21(uint32_t payload, uint32_t len) { + if (len != 21) + return false; + + if (!MATCH(payload, 0x00, 0x02, ANY, ANY)) + return false; + + return true; + +} + + +static inline bool match_planetside2(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_planetside_35(data->payload[0], data->payload_len[0])) { + if (match_planetside_21(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_planetside_35(data->payload[1], data->payload_len[1])) { + if (match_planetside_21(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_planetside2 = { + LPI_PROTO_UDP_PLANETSIDE2, + LPI_CATEGORY_GAMING, + "Planetside2", + 17, + match_planetside2 +}; + +void register_planetside2(LPIModuleMap *mod_map) { + register_protocol(&lpi_planetside2, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_portmap_rpc.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_portmap_rpc.cc new file mode 100644 index 0000000..7660892 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_portmap_rpc.cc @@ -0,0 +1,63 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +static inline bool match_portmap_rpc(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 111 && data->client_port != 111) + return false; + + if (data->payload_len[0] > 0 && data->payload_len[1] > 0) { + if (data->payload[0] != data->payload[1]) + return false; + } + + if (data->payload_len[0] == 46 || data->payload_len[1] == 46) + return true; + if (data->payload_len[0] == 40 || data->payload_len[1] == 40) + return true; + + return false; +} + +static lpi_module_t lpi_portmap_rpc = { + LPI_PROTO_UDP_PORTMAP_RPC, + LPI_CATEGORY_SERVICES, + "PortmapRPC", + 220, + match_portmap_rpc +}; + +void register_portmap_rpc(LPIModuleMap *mod_map) { + register_protocol(&lpi_portmap_rpc, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_pplive.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_pplive.cc new file mode 100644 index 0000000..aaabde9 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_pplive.cc @@ -0,0 +1,114 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool obs_pplive_req(uint32_t payload, uint32_t len) { + /* There's always a 94 byte packet involved */ + if (payload == 0) + return false; + if (len == 94) + return true; + return false; +} + +static inline bool obs_pplive_resp(uint32_t len, bool knownport) { + if (len == 0 && knownport) + return true; + if (len == 94) + return true; + if (len == 49 && knownport) + return true; + return false; +} + + +static inline bool match_obscure_pplive(lpi_data_t *data) { + + /* This is pretty tough stuff to match - the 4 bytes of payload + * is random, but the packet sizes seem consistent. + * + * DPI tools suggest this traffic is pplive, so we'll go with that + * in the absence of any other documentation :/ + */ + bool knownport = false; + + /* Restrict non-94 byte responses to port 5041 */ + if (data->server_port == 5041 || data->client_port == 5041) + knownport = true; + + if (obs_pplive_req(data->payload[0], data->payload_len[0]) && + obs_pplive_resp(data->payload_len[1], knownport)) + return true; + if (obs_pplive_req(data->payload[1], data->payload_len[1]) && + obs_pplive_resp(data->payload_len[0], knownport)) + return true; + + return false; + +} + +static inline bool match_pplive(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_both(data, "\xe9\x03\x41\x01", "\xe9\x03\x42\x01")) + return true; + if (match_str_both(data, "\xe9\x03\x41\x01", "\xe9\x03\x41\x01")) + return true; + if (match_str_either(data, "\xe9\x03\x41\x01")) { + if (data->payload_len[0] == 0 && data->payload_len[1] == 57) + return true; + if (data->payload_len[1] == 0 && data->payload_len[0] == 57) + return true; + } + /* According to a Chinese paper (Xiaona et al), this is a pattern + * for PPLive */ + if (match_str_both(data, "\x1c\x1c\x32\x01", "\x1c\x1c\x32\x01")) + return true; + + if (match_obscure_pplive(data)) { + return true; + } + + + return false; +} + +static lpi_module_t lpi_pplive = { + LPI_PROTO_UDP_PPLIVE, + LPI_CATEGORY_P2PTV, + "PPLive", + 203, + match_pplive +}; + +void register_pplive(LPIModuleMap *mod_map) { + register_protocol(&lpi_pplive, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_ppstream.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_ppstream.cc new file mode 100644 index 0000000..36b9537 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_ppstream.cc @@ -0,0 +1,246 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" +#include <stdio.h> + +static inline bool ppstream_pattern(uint32_t payload) { + + if (MATCH(payload, ANY, ANY, 0x43, 0x00)) + return true; + if (MATCH(payload, ANY, ANY, 0x43, 0x22)) + return true; + if (MATCH(payload, ANY, ANY, 0x43, 0x23)) + return true; + if (MATCH(payload, ANY, ANY, 0x43, 0x32)) + return true; + if (MATCH(payload, ANY, ANY, 0x43, 0x46)) + return true; + if (MATCH(payload, ANY, ANY, 0x43, 0x47)) + return true; + if (MATCH(payload, ANY, ANY, 0x43, 0x49)) + return true; + if (MATCH(payload, ANY, ANY, 0x43, 0x4c)) + return true; + if (MATCH(payload, ANY, ANY, 0x43, 0x4d)) + return true; + if (MATCH(payload, ANY, ANY, 0x44, 0x73)) + return true; + if (MATCH(payload, ANY, ANY, 0x44, 0xb2)) + return true; + if (MATCH(payload, ANY, ANY, 0x44, 0xb5)) + return true; + if (MATCH(payload, ANY, ANY, 0x55, 0x72)) + return true; + if (MATCH(payload, ANY, ANY, 0x55, 0x75)) + return true; + if (MATCH(payload, ANY, ANY, 0x55, 0xb3)) + return true; + + return false; + +} + +static inline bool match_ppstream_payload(uint32_t payload, uint32_t len) { + uint16_t rep_len = 0; + uint32_t swap = ntohl(payload); + + if (len == 0) + return true; + + /* Seems to be used on start-up to check access to certain + * servers owned by PPStream */ + if (MATCH(payload, 'e', 'c', 'h', 'o') && len == 5) + return true; + + if (!ppstream_pattern(payload)) + return false; + + /* First two bytes are either len or len - 4 */ + + rep_len = ntohs((uint16_t)(swap >> 16)); + + if (rep_len == len) + return true; + if (rep_len == len - 4) + return true; + + return false; +} + +static inline bool match_8480_ppstream(uint32_t payload, uint32_t len) { + + + if (len == 132 && MATCH(payload, 0x84, 0x80, 0xc0, 0xd1)) + return true; + if (len == 132 && MATCH(payload, 0x84, 0x80, 0xd1, 0xc0)) + return true; + + return false; +} + +static inline bool match_8580_ppstream(uint32_t payload, uint32_t len) { + + + if (len == 133 && MATCH(payload, 0x85, 0x80, 0xc1, 0xd0)) + return true; + + return false; +} + +static inline bool match_1580_ppstream(uint32_t payload, uint32_t len) { + + if (len == 24 && MATCH(payload, 0x15, 0x80, 0x40, 0x01)) + return true; + return false; +} + +static inline bool match_8580_reply(uint32_t payload, uint32_t len) { + + if (len < 134 || len > 151) { + return false; + } + + if (MATCH(payload, ANY, 0x80, ANY, ANY)) { + return true; + } + + return false; +} + +static inline bool match_80_ppstream(uint32_t payload, uint32_t len) { + + uint32_t hlen = ntohl(payload) >> 24; + + if (MATCH(payload, ANY, 0x80, ANY, ANY)) { + if (len == hlen ) + return true; + + /* There must be a minimum datagram size */ + if (len == 24 && hlen < 24) + return true; + } + + return false; + + +} + +static inline bool match_any84(uint32_t payload, uint32_t len) { + + if (MATCH(payload, ANY, 0x84, ANY, ANY)) { + if (len >= 1065 && len <= 1100) + return true; + } + return false; +} + +static inline bool match_any80(uint32_t payload, uint32_t len) { + + /* Only examples so far are 0x25806144, len=33 -- need to + * see more users to confirm if this is a constant payload */ + if (MATCH(payload, ANY, 0x80, ANY, ANY)) { + if (len == 33) + return true; + } + return false; +} + +static inline bool match_ppstream(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_ppstream_payload(data->payload[0], data->payload_len[0])) { + if (match_ppstream_payload(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_8480_ppstream(data->payload[0], data->payload_len[0])) { + if (MATCH(data->payload[1], ANY, 0x80, ANY, ANY)) + return true; + } + + if (match_8480_ppstream(data->payload[1], data->payload_len[1])) { + if (MATCH(data->payload[0], ANY, 0x80, ANY, ANY)) + return true; + } + + if (match_80_ppstream(data->payload[0], data->payload_len[0])) { + if (match_80_ppstream(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_any84(data->payload[0], data->payload_len[0])) { + if (match_any80(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_any80(data->payload[0], data->payload_len[0])) { + if (match_any84(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_8580_ppstream(data->payload[0], data->payload_len[0])) { + if (match_8580_reply(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_8580_ppstream(data->payload[1], data->payload_len[1])) { + if (match_8580_reply(data->payload[0], data->payload_len[0])) + return true; + } + + if (match_1580_ppstream(data->payload[0], data->payload_len[0])) { + /* 8580 reply is intention here -- it's the same reply + * pattern for both 1580 and 8580 */ + if (match_8580_reply(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_1580_ppstream(data->payload[1], data->payload_len[1])) { + if (match_8580_reply(data->payload[0], data->payload_len[0])) + return true; + } + + return false; + + +} + +static lpi_module_t lpi_ppstream = { + LPI_PROTO_UDP_PPSTREAM, + LPI_CATEGORY_P2PTV, + "PPStream", + 150, + match_ppstream +}; + +void register_ppstream(LPIModuleMap *mod_map) { + register_protocol(&lpi_ppstream, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_probable_gnutella.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_probable_gnutella.cc new file mode 100644 index 0000000..e3d908e --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_probable_gnutella.cc @@ -0,0 +1,58 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_probable_gnutella(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* XXX This could well be prone to false positives, so definitely + * check this one LAST */ + + if (data->payload_len[0] == 35 && data->payload_len[1] == 0) + return true; + if (data->payload_len[1] == 35 && data->payload_len[0] == 0) + return true; + + + return false; +} + +static lpi_module_t lpi_probable_gnutella = { + LPI_PROTO_UDP_GNUTELLA, + LPI_CATEGORY_P2P, + "Gnutella_UDP", + 255, /* This is a really bad rule - make it extremely low priority */ + match_probable_gnutella +}; + +void register_probable_gnutella(LPIModuleMap *mod_map) { + register_protocol(&lpi_probable_gnutella, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_ps4_remoteplay.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_ps4_remoteplay.cc new file mode 100644 index 0000000..748a57d --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_ps4_remoteplay.cc @@ -0,0 +1,72 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool valid_port(uint16_t porta, uint16_t portb) { + + if (porta == 9296 || portb == 9296) + return true; + if (porta == 9297 || portb == 9297) + return true; + + return false; +} + +static inline bool match_ps4_remoteplay(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (!valid_port(data->server_port, data->client_port)) + return false; + + /* Examples that I have are 88 bytes, but this probably depends on + * lengths of user and device names */ + if (data->payload_len[0] != data->payload_len[1]) + return false; + + if (MATCH(data->payload[0], 0x01, 0x00, 0x00, 0x00)) { + if (MATCH(data->payload[1], 0x01, 0x00, 0x00, 0x00)) + return true; + } + + return false; +} + +static lpi_module_t lpi_ps4_remoteplay = { + LPI_PROTO_UDP_PS4_REMOTEPLAY, + LPI_CATEGORY_GAMING, + "PS4_RemotePlay", + 150, + match_ps4_remoteplay +}; + +void register_ps4_remoteplay(LPIModuleMap *mod_map) { + register_protocol(&lpi_ps4_remoteplay, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_psn.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_psn.cc new file mode 100644 index 0000000..2753713 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_psn.cc @@ -0,0 +1,69 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_psn_payload(uint32_t payload, uint32_t len) { + + if (len == 0) + return true; + + /* Seen on udp port 3658 */ + if (MATCH(payload, 0xff, 0x83, 0xff, 0xfe)) + return true; + /* Seen on udp port 9306 */ + if (MATCH(payload, 0xff, 0x83, 0xff, 0xfd)) + return true; + return false; +} + + +static inline bool match_psn(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_psn_payload(data->payload[0], data->payload_len[0])) { + if (match_psn_payload(data->payload[1], data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_psn = { + LPI_PROTO_UDP_PSN, + LPI_CATEGORY_GAMING, + "PSN", + 3, + match_psn +}; + +void register_psn(LPIModuleMap *mod_map) { + register_protocol(&lpi_psn, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_punkbuster.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_punkbuster.cc new file mode 100644 index 0000000..852f918 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_punkbuster.cc @@ -0,0 +1,84 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Punkbuster: anti-cheating software for online games. Uses its own + * protocol for keeping the local PB software up to date. */ + +static inline bool match_pb_req(uint32_t payload, uint32_t len) { + + /* length 60-65 bytes */ + if (MATCH(payload, 'k', 'e', 'y', 0x20)) + return true; + return false; + +} + +static inline bool match_pb_resp(uint32_t payload, uint32_t len) { + + /* length 49-51 bytes */ + + if (MATCHSTR(payload, "\xff\xff\xff\xff")) + return true; + return false; + +} + + +static inline bool match_punkbuster(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_pb_req(data->payload[1], data->payload_len[1])) { + if (match_pb_resp(data->payload[0], data->payload_len[0])) + return true; + } + + if (match_pb_req(data->payload[0], data->payload_len[0])) { + if (match_pb_resp(data->payload[1], data->payload_len[1])) + return true; + } + + + + return false; +} + +static lpi_module_t lpi_punkbuster = { + LPI_PROTO_UDP_PUNKBUSTER, + LPI_CATEGORY_GAMING, + "Punkbuster", + 9, + match_punkbuster +}; + +void register_punkbuster(LPIModuleMap *mod_map) { + register_protocol(&lpi_punkbuster, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_pyzor.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_pyzor.cc new file mode 100644 index 0000000..8071ac8 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_pyzor.cc @@ -0,0 +1,59 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_pyzor(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_both(data, "User", "Code")) + return true; + if (match_str_both(data, "User", "Thre")) + return true; + if (data->payload_len[0] == 0 || data->payload_len[1] == 0) { + if (match_str_either(data, "User")) + return true; + } + + + return false; +} + +static lpi_module_t lpi_pyzor = { + LPI_PROTO_UDP_PYZOR, + LPI_CATEGORY_ANTISPAM, + "Pyzor", + 3, + match_pyzor +}; + +void register_pyzor(LPIModuleMap *mod_map) { + register_protocol(&lpi_pyzor, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_qq.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_qq.cc new file mode 100644 index 0000000..7011f09 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_qq.cc @@ -0,0 +1,136 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_qq_chat(lpi_data_t *data) { + + /* QQ 2006 has a version number of 0x0f5f */ + if (match_str_both(data, "\x02\x0f\x5f\x00", "\x02\x0f\x5f\x00")) + return true; + + if (match_str_either(data, "\x02\x0f\x5f\x00")) { + if (data->payload_len[0] == 0) + return true; + if (data->payload_len[1] == 0) + return true; + } + + if (match_str_both(data, "\x02\x01\x00\x00", "\x02\x01\x00\x00")) { + if (data->payload_len[0] == 75 && data->payload_len[1] == 43) + return true; + + if (data->payload_len[1] == 75 && data->payload_len[0] == 43) + return true; + } + + if (match_str_both(data, "\x02\x02\x00\x00", "\x02\x02\x00\x00")) { + if (data->payload_len[0] == 83 && data->payload_len[1] == 43) + return true; + + if (data->payload_len[1] == 83 && data->payload_len[0] == 43) + return true; + } + + if (match_str_both(data, "\x02\x03\x00\x00", "\x02\x03\x00\x00")) { + if (data->payload_len[0] == 83 && data->payload_len[1] == 43) + return true; + + if (data->payload_len[1] == 83 && data->payload_len[0] == 43) + return true; + } + + if (data->payload[0] == data->payload[1]) { + if (!MATCH(data->payload[0], 0x02, ANY, ANY, ANY)) + return false; + if (data->server_port != 8000 && data->client_port != 8000) + return false; + return true; + } + + + return false; +} + +static inline bool match_qq_video(lpi_data_t *data) { + + /* Observed when using the QQ app to make video calls */ + + if (match_str_both(data, "\x28\x00\x00\x00", "\x28\x00\x00\x00")) + return true; + return false; + +} + +static inline bool match_qq_length(uint32_t payload, uint32_t len) { + + uint32_t plen = (ntohl(payload) >> 8) & 0xffff; + + if (plen != len) + return false; + + if (MATCH(payload, 0x02, ANY, ANY, ANY)) + return true; + if (MATCH(payload, 0x3e, ANY, ANY, 0x02)) + return true; + + return false; + +} + +static inline bool match_qq(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_qq_chat(data)) + return true; + if (match_qq_video(data)) + return true; + + if ((data->payload[0] & 0xff000000) == (data->payload[1] & 0xff000000)) { + if (!match_qq_length(data->payload[0], data->payload_len[0])) + return false; + if (!match_qq_length(data->payload[1], data->payload_len[1])) + return false; + return true; + } + return false; +} + +static lpi_module_t lpi_qq = { + LPI_PROTO_UDP_QQ, + LPI_CATEGORY_CHAT, + "QQ", + 23, + match_qq +}; + +void register_qq(LPIModuleMap *mod_map) { + register_protocol(&lpi_qq, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_qqlive.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_qqlive.cc new file mode 100644 index 0000000..2a92787 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_qqlive.cc @@ -0,0 +1,89 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> +#include <stdio.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_qqlive_p2p(uint32_t payload) { + + if (MATCH(payload, 0x1a, 0x10, 0x01, 0x20)) + return true; + return false; +} + +static inline bool match_qqlive_p2p_fe0a(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 0xfe, 0x0a, 0x00, 0x00) && len == 13) + return true; + return false; + +} + +static inline bool match_qqlive(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->payload_len[0] == 0 || data->payload_len[1] == 0) { + if (data->server_port == 53 || data->client_port == 53) + return false; + } + + if (match_qqlive_p2p(data->payload[0])) { + if (match_qqlive_p2p(data->payload[1])) + return true; + if (match_qqlive_p2p_fe0a(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_qqlive_p2p(data->payload[1])) { + if (match_qqlive_p2p(data->payload[0])) + return true; + if (match_qqlive_p2p_fe0a(data->payload[0], data->payload_len[0])) + return true; + } + + if (!match_qqlive_payload(data->payload[0], data->payload_len[0])) + return false; + if (!match_qqlive_payload(data->payload[1], data->payload_len[1])) + return false; + + return true; +} + +static lpi_module_t lpi_qqlive = { + LPI_PROTO_UDP_QQLIVE, + LPI_CATEGORY_P2PTV, + "QQLive", + 4, + match_qqlive +}; + +void register_qqlive(LPIModuleMap *mod_map) { + register_protocol(&lpi_qqlive, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_qqpcmgr.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_qqpcmgr.cc new file mode 100644 index 0000000..1e53999 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_qqpcmgr.cc @@ -0,0 +1,68 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> +#include <stdio.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Some sort of phone-home protocol mostly used by QQPCMgr, a "security" + * program by QQ. + * + * Appears to occasionally be used by other QQ background processes, like + * QQLive, but the background processes created by QQPCMgr uses this + * protocol far more than anything else I've seen. + */ + +static inline bool match_qqpcmgr(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 8000 && data->client_port != 8000) + return false; + + if (!MATCH(data->payload[0], 0x00, 0x02, 0x00, ANY)) + return false; + if (!MATCH(data->payload[1], 0x00, 0x02, 0x00, ANY)) + return false; + + /* Usually byte 4 matches for both payloads, but not always */ + + return true; +} + +static lpi_module_t lpi_qqpcmgr = { + LPI_PROTO_UDP_QQPCMGR, + LPI_CATEGORY_SECURITY, + "QQPCMgr", + 21, + match_qqpcmgr +}; + +void register_qqpcmgr(LPIModuleMap *mod_map) { + register_protocol(&lpi_qqpcmgr, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_qqspeedmobile_udp.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_qqspeedmobile_udp.cc new file mode 100644 index 0000000..e6dd21c --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_qqspeedmobile_udp.cc @@ -0,0 +1,76 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +/* QQ Speed (mobile version) -- Online Mario Kart clone */ + +static inline bool match_speed_55(uint32_t payload, uint32_t len) { + if (len == 55 && MATCH(payload, 0x00, 0x00, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_speed_57(uint32_t payload, uint32_t len) { + /* Payload itself is pretty random */ + if (len == 57) + return true; + return false; +} + +static inline bool match_qqspeedmobile_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_speed_55(data->payload[0], data->payload_len[0])) { + if (match_speed_57(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_speed_57(data->payload[0], data->payload_len[0])) { + if (match_speed_55(data->payload[1], data->payload_len[1])) + return true; + } + + + return false; +} + +static lpi_module_t lpi_qqspeedmobile_udp = { + LPI_PROTO_UDP_QQSPEEDMOBILE, + LPI_CATEGORY_GAMING, + "QQSpeedMobile_UDP", + 100, + match_qqspeedmobile_udp +}; + +void register_qqspeedmobile_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_qqspeedmobile_udp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_quake.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_quake.cc new file mode 100644 index 0000000..9528d57 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_quake.cc @@ -0,0 +1,138 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_quake_ping(lpi_data_t *data) { + + /* The client appears to send a "ping" (which is not part of the + * documented Quake engine protocol). The server responds with a + * standard "ffffffff" packet */ + + if (MATCHSTR(data->payload[0], "ping") && data->payload_len[0] == 4) { + if (data->payload_len[1] == 0) + return true; + if (data->payload_len[1] != 14) + return false; + if (MATCHSTR(data->payload[1], "\xff\xff\xff\xff")) + return true; + return false; + } + + if (MATCHSTR(data->payload[1], "ping") && data->payload_len[1] == 4) { + if (data->payload_len[0] == 0) + return true; + if (data->payload_len[0] != 14) + return false; + if (MATCHSTR(data->payload[0], "\xff\xff\xff\xff")) + return true; + return false; + } + + return false; +} + + +static inline bool match_qlive_challenge(uint32_t payload, uint32_t len) { + + /* Not sure whether this length can vary or not? */ + if (len == 259) + return true; + return false; + +} + +static inline bool match_qlive_response(uint32_t payload, uint32_t len) { + + /* Not sure whether this length can vary or not? */ + if (len == 33 || len == 32 || len == 31 || len == 30) + return true; + return false; + +} + +static inline bool match_quake(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Trying to match generic Quake engine games - typically use port + * 27960 */ + + if (match_quake_ping(data)) + return true; + + if (!match_str_both(data, "\xff\xff\xff\xff", "\xff\xff\xff\xff")) + return false; + if (data->payload_len[0] == 16) { + if (data->payload_len[1] >= 51 && data->payload_len[1] <= 54) + return true; + if (data->payload_len[1] >= 30 && data->payload_len[1] <= 33) + return true; + if (data->server_port == 27960 || data->client_port == 27960) { + if (data->payload_len[1] >= 800 && data->payload_len[1] <= 812) + return true; + } + + } + if (data->payload_len[1] == 16) { + if (data->payload_len[0] >= 51 && data->payload_len[0] <= 54) + return true; + if (data->payload_len[0] >= 30 && data->payload_len[0] <= 33) + return true; + if (data->server_port == 27960 || data->client_port == 27960) { + if (data->payload_len[0] >= 800 && data->payload_len[0] <= 812) + return true; + } + } + + + if (match_qlive_challenge(data->payload[0], data->payload_len[0])) { + if (match_qlive_response(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_qlive_challenge(data->payload[1], data->payload_len[1])) { + if (match_qlive_response(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_quake = { + LPI_PROTO_UDP_QUAKE, + LPI_CATEGORY_GAMING, + "Quake", + 6, + match_quake +}; + +void register_quake(LPIModuleMap *mod_map) { + register_protocol(&lpi_quake, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_quic.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_quic.cc new file mode 100644 index 0000000..eeb50b2 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_quic.cc @@ -0,0 +1,379 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Based on both the QUIC spec: + * https://docs.google.com/document/d/1WJvyZflAO2pq77yOLbp9NsGjC1CHetAXV8I0fQe-B_U/edit + * and traffic observed in the wild. + */ + +static inline bool match_quic_version(uint32_t payload) { + + /* Public flags for a Version Negotiation packet must be + * 0x0d */ + if (MATCH(payload, 0x0d, ANY, ANY, ANY)) { + return true; + } + + /* 0x09 can also work in the case where there is no + * diversification nonce in the header */ + if (MATCH(payload, 0x09, ANY, ANY, ANY)) { + return true; + } + + /* Apparently 0x0c and 0x0e can also work here? */ + if (MATCH(payload, 0x0c, ANY, ANY, ANY)) { + return true; + } + + if (MATCH(payload, 0x0e, ANY, ANY, ANY)) { + return true; + } + + + return false; + +} + +static inline bool match_quic_response(uint32_t payload, uint32_t other) { + + uint32_t seq8 = (ntohl(payload) >> 16) & 0xff; + + /* Public flags are 0x00 for a packet with a single byte of + * sequence number and no connection id */ + if (MATCH(payload, 0x00, ANY, ANY, ANY)) { + /* This *is* UDP, so we might miss some of the first + * few datagrams... */ + if (seq8 >= 1 && seq8 <= 10) + return true; + } + + + /* Otherwise, connection IDs must match for both directions */ + if (MATCH(payload, 0x0c, ANY, ANY, ANY)) { + if ((payload & 0xffffff00) == (other & 0xffffff00)) + return true; + } + + if (MATCH(payload, 0x0e, ANY, ANY, ANY)) { + if ((payload & 0xffffff00) == (other & 0xffffff00)) + return true; + } + + /* This is the 4 byte connection ID case */ + if (MATCH(payload, 0x08, ANY, ANY, ANY)) { + if ((payload & 0xffffff00) == (other & 0xffffff00)) + return true; + } + + /* This is the 4 byte diversification nonce case, with no other + * flags set. */ + if (MATCH(payload, 0x04, ANY, ANY, ANY)) { + return true; + } + + + return false; + +} + +static inline bool match_quic_port(lpi_data_t *data) { + if (data->server_port == 443) + return true; + if (data->client_port == 443) + return true; + + if (data->server_port == 80) + return true; + if (data->client_port == 80) + return true; + + return false; +} + +/* Match old Google QUIC versions */ +static inline bool match_old_gquic(lpi_data_t *data) { + + if (match_quic_version(data->payload[0])) { + if (match_quic_response(data->payload[1], data->payload[0])) + return true; + } + + if (match_quic_version(data->payload[1])) { + if (match_quic_response(data->payload[0], data->payload[1])) + return true; + } + + + /* Matches against an in-progress QUIC flow + * XXX not overly robust, may produce false positives... */ + if (MATCH(data->payload[0], 0x10, ANY, ANY, ANY)) { + if (MATCH(data->payload[1], 0x0c, ANY, ANY, ANY)) + return true; + if (MATCH(data->payload[1], 0x1c, ANY, ANY, ANY)) + return true; + } + + if (MATCH(data->payload[0], 0x00, ANY, ANY, ANY)) { + if (MATCH(data->payload[1], 0x0c, ANY, ANY, ANY)) + return true; + if (MATCH(data->payload[1], 0x1c, ANY, ANY, ANY)) + return true; + } + + if (MATCH(data->payload[1], 0x10, ANY, ANY, ANY)) { + if (MATCH(data->payload[0], 0x0c, ANY, ANY, ANY)) + return true; + if (MATCH(data->payload[0], 0x1c, ANY, ANY, ANY)) + return true; + } + + if (MATCH(data->payload[1], 0x00, ANY, ANY, ANY)) { + if (MATCH(data->payload[0], 0x0c, ANY, ANY, ANY)) + return true; + if (MATCH(data->payload[0], 0x1c, ANY, ANY, ANY)) + return true; + } + + return false; +} + +static inline bool match_05X_req(uint32_t payload, uint32_t len) { + + if ((ntohl(payload) & 0xf0000000) != 0xc0000000) { + return false; + } + if (MATCH(payload, ANY, 0x51, 0x30, 0x35)) { + if (len == 42) { + return true; + } + + if (len == 1350 || len == 1330) { + return true; + } + } + + if (MATCH(payload, ANY, 0x54, 0x30, 0x35)) { + if (len == 1350 || len == 1330) { + return true; + } + } + + return false; +} + +static inline bool match_05X_reply(uint32_t payload, uint32_t len, + uint32_t other) { + + if ((ntohl(payload) & 0x00ff0000) != (ntohl(other) & 0x00ff0000)) { + return false; + } + + if ((ntohl(payload) & 0xf0000000) == 0xc0000000) { + if (MATCH(payload, ANY, 0x51, 0x30, 0x35)) { + if (len == 1350 || len == 1330) { + return true; + } + } + + if (MATCH(payload, ANY, 0x54, 0x30, 0x35)) { + if (len == 1350 || len == 1330) { + return true; + } + } + } + + if ((ntohl(payload) & 0xff000000) == 0xd5000000) { + if (!MATCH(payload, ANY, 0x51, 0x30, 0x35)) { + return false; + } + + if (len == 1350 || len == 1330) { + return true; + } + } + + return false; +} + +static inline bool match_req_q044(uint32_t payload, uint32_t len) { + + if (MATCHSTR(payload, "\xffQ04") && len == 1350) { + return true; + } + + /* IPv6 */ + if (MATCHSTR(payload, "\xffQ04") && len == 1330) { + return true; + } + if (MATCH(payload, 0xc3, 'Q', '0', '4') && + (len == 36 || len == 1350 || len == 1330)) { + return true; + } + return false; +} + +static inline bool match_reply_q044(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 0xff, 'Q', '0', '4')) { + return true; + } + if (MATCH(payload, 0xfd, 'Q', '0', '4')) { + return true; + } + if (MATCH(payload, 0xfc, 'Q', '0', '4')) { + return true; + } + if (MATCH(payload, 0xc3, 'Q', '0', '4')) { + return true; + } + if (MATCH(payload, 0xd3, 'Q', '0', '4')) { + return true; + } + if (MATCH(payload, 0xe3, 'Q', '0', '4')) { + return true; + } + return false; +} + + + +/* IETF QUIC version 44, starting to be deployed by Google */ +static inline bool match_quic_044(lpi_data_t *data) { + + if (match_req_q044(data->payload[0], data->payload_len[0])) { + if (match_reply_q044(data->payload[1], data->payload_len[1])) { + return true; + } + } + + if (match_req_q044(data->payload[1], data->payload_len[1])) { + if (match_reply_q044(data->payload[0], data->payload_len[0])) { + return true; + } + } + + return false; +} + +static inline bool match_quic_05X(lpi_data_t *data) { + if (match_05X_req(data->payload[0], data->payload_len[0])) { + if (match_05X_reply(data->payload[1], data->payload_len[1], + data->payload[0])) { + return true; + } + } + + if (match_05X_req(data->payload[1], data->payload_len[1])) { + if (match_05X_reply(data->payload[0], data->payload_len[0], + data->payload[1])) { + return true; + } + } + return false; +} + +static inline bool match_reply_fbquic(uint32_t payload, uint32_t len) { + if ((len >= 38 && len <= 50) || len == 1252 || len == 1232) { + if ((ntohl(payload) & 0xf0000000) != 0xc0000000) { + return false; + } + if (MATCH(payload, ANY, 0xfa, 0xce, 0xb0)) { + return true; + } + } + return false; +} + +static inline bool match_req_fbquic(uint32_t payload, uint32_t len) { + if (len == 1232 || len == 1235) { + if ((ntohl(payload) & 0xf0000000) != 0xc0000000) { + return false; + } + if (MATCH(payload, ANY, 0xfa, 0xce, 0xb0)) { + return true; + } + } + return false; +} + +static inline bool match_fb_quic(lpi_data_t *data) { + if (match_req_fbquic(data->payload[0], data->payload_len[0])) { + if (match_reply_fbquic(data->payload[1], data->payload_len[1])) + return true; + } + if (match_req_fbquic(data->payload[1], data->payload_len[1])) { + if (match_reply_fbquic(data->payload[0], data->payload_len[0])) + return true; + } + return false; +} + +static inline bool match_quic(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (!match_quic_port(data)) + return false; + + /* Spec says that packets must not be larger than 1350 bytes */ + if (data->payload_len[0] > 1350 || data->payload_len[1] > 1350) + return false; + + if (match_quic_044(data)) { + return true; + } + + if (match_quic_05X(data)) { + return true; + } + + if (match_fb_quic(data)) { + return true; + } + + if (match_old_gquic(data)) { + return true; + } + + return false; +} + +static lpi_module_t lpi_quic = { + LPI_PROTO_UDP_QUIC, + LPI_CATEGORY_WEB, + "QUIC", + 9, + match_quic +}; + +void register_quic(LPIModuleMap *mod_map) { + register_protocol(&lpi_quic, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_qvod_udp.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_qvod_udp.cc new file mode 100644 index 0000000..78e7b70 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_qvod_udp.cc @@ -0,0 +1,83 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_qvod_1(uint32_t payload, uint32_t len) { + + if (len == 1 && MATCH(payload, 0x30, 0x00, 0x00, 0x00)) { + return true; + } + return false; +} + +static inline bool match_qvod_13(uint32_t payload, uint32_t len) { + + if (len == 13 && MATCH(payload, 0x00, 0x00, 0x00, 0x0d)) { + return true; + } + return false; +} + +static inline bool match_qvod_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_qvod_13(data->payload[0], data->payload_len[0])) { + if (match_qvod_13(data->payload[1], data->payload_len[1])) { + return true; + } + } + + if (match_qvod_1(data->payload[0], data->payload_len[0])) { + if (match_qvod_13(data->payload[1], data->payload_len[1])) { + return true; + } + } + + if (match_qvod_1(data->payload[1], data->payload_len[1])) { + if (match_qvod_13(data->payload[0], data->payload_len[0])) { + return true; + } + } + + return false; +} + +static lpi_module_t lpi_qvod_udp = { + LPI_PROTO_UDP_QVOD, + LPI_CATEGORY_P2P, + "QVOD_UDP", + 201, + match_qvod_udp +}; + +void register_qvod_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_qvod_udp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_radius.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_radius.cc new file mode 100644 index 0000000..a1c2567 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_radius.cc @@ -0,0 +1,105 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_radius_request(uint32_t pload, uint32_t len) { + + uint32_t stated_len = 0; + + stated_len = ntohl(pload) & 0xffff; + if (stated_len != len) + return false; + + /* Access-Request */ + if (MATCH(pload, 0x01, ANY, ANY, ANY)) + return true; + /* Accounting-Request */ + if (MATCH(pload, 0x04, ANY, ANY, ANY)) + return true; + + return false; +} + +static inline bool match_radius_resp(uint32_t pload, uint32_t len) { + + uint32_t stated_len = 0; + + stated_len = ntohl(pload) & 0xffff; + if (stated_len != len) + return false; + + /* Access-Accept */ + if (MATCH(pload, 0x02, ANY, ANY, ANY)) + return true; + /* Access-Reject */ + if (MATCH(pload, 0x03, ANY, ANY, ANY)) + return true; + /* Accounting-Response */ + if (MATCH(pload, 0x05, ANY, ANY, ANY)) + return true; + + return false; +} + +static inline bool match_radius(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + //if (data->server_port != 1812 && data->client_port != 1812) + // return false; + + /* Second byte is the ID field, which must match for both payloads */ + if ((ntohl(data->payload[0]) & 0xff0000) != + (ntohl(data->payload[1]) & 0xff0000)) + return false; + + if (match_radius_request(data->payload[0], data->payload_len[0])) { + if (match_radius_resp(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_radius_request(data->payload[1], data->payload_len[1])) { + if (match_radius_resp(data->payload[0], data->payload_len[0])) + return true; + } + return false; +} + +static lpi_module_t lpi_radius = { + LPI_PROTO_UDP_RADIUS, + LPI_CATEGORY_REMOTE, + "Radius", + 14, + match_radius +}; + +void register_radius(LPIModuleMap *mod_map) { + register_protocol(&lpi_radius, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_raknet.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_raknet.cc new file mode 100644 index 0000000..e33f05f --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_raknet.cc @@ -0,0 +1,76 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_raknet_out(uint32_t payload, uint32_t len) { + + if (MATCHSTR(payload, "\x05\x00\xff\xff")) + return true; + return false; + +} + +static inline bool match_raknet_in(uint32_t payload, uint32_t len) { + + if (len != 28) + return false; + if (MATCHSTR(payload, "\x06\x00\xff\xff")) + return true; + return false; + +} + +static inline bool match_raknet(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_raknet_out(data->payload[0], data->payload_len[0])) { + if (match_raknet_in(data->payload[1], data->payload_len[1])) + return true; + } + if (match_raknet_out(data->payload[1], data->payload_len[1])) { + if (match_raknet_in(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_raknet = { + LPI_PROTO_UDP_RAKNET, + LPI_CATEGORY_GAMING, + "Raknet", + 7, + match_raknet +}; + +void register_raknet(LPIModuleMap *mod_map) { + register_protocol(&lpi_raknet, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_ramseydash.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_ramseydash.cc new file mode 100644 index 0000000..00702ae --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_ramseydash.cc @@ -0,0 +1,79 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Gordon Ramsey Dash -- mobile game */ + +static inline bool match_rdash_56da(uint32_t payload, uint32_t len) { + + if (len == 24 && MATCH(payload, 0x56, 0xda, 0x00, 0x00)) + return true; + return false; + +} + +static inline bool match_rdash_da57(uint32_t payload, uint32_t len) { + + if (len >= 120 && len <= 320 && MATCH(payload, 0xda, 0x57, ANY, ANY)) + return true; + return false; + +} + +static inline bool match_ramsey_dash(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_rdash_56da(data->payload[0], data->payload_len[0])) { + if (match_rdash_da57(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_rdash_56da(data->payload[1], data->payload_len[1])) { + if (match_rdash_da57(data->payload[0], data->payload_len[0])) + return true; + } + + + + return false; +} + +static lpi_module_t lpi_ramsey_dash = { + LPI_PROTO_UDP_RAMSEY_DASH, + LPI_CATEGORY_GAMING, + "RamseyDash", + 12, + match_ramsey_dash +}; + +void register_ramsey_dash(LPIModuleMap *mod_map) { + register_protocol(&lpi_ramsey_dash, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_rdp_udp.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_rdp_udp.cc new file mode 100644 index 0000000..1086fe2 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_rdp_udp.cc @@ -0,0 +1,85 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +static inline bool match_rdp_init(uint32_t payload, uint32_t len) { + + if (len == 1232 && MATCHSTR(payload, "\xff\xff\xff\xff")) + return true; + return false; + +} + +static inline bool match_rdp_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Seen both 3389 and 4732 used as ports */ + + if (match_rdp_init(data->payload[0], data->payload_len[0])) { + if (match_rdp_init(data->payload[1], data->payload_len[1])) + return true; + + if (data->server_port == 4732 || data->client_port == 4732) { + if (data->payload[1] != 0 && data->payload_len[1] == 1232) + return true; + } + if (data->server_port == 3389 || data->client_port == 3389) { + if (data->payload[1] != 0 && data->payload_len[1] == 1232) + return true; + } + } + + if (match_rdp_init(data->payload[1], data->payload_len[1])) { + if (data->server_port == 4732 || data->client_port == 4732) { + if (data->payload[0] != 0 && data->payload_len[0] == 1232) + return true; + } + if (data->server_port == 3389 || data->client_port == 3389) { + if (data->payload[0] != 0 && data->payload_len[0] == 1232) + return true; + } + } + + return false; +} + +static lpi_module_t lpi_rdp_udp = { + LPI_PROTO_UDP_RDP, + LPI_CATEGORY_REMOTE, + "RDP_UDP", + 200, + match_rdp_udp +}; + +void register_rdp_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_rdp_udp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_real.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_real.cc new file mode 100644 index 0000000..8617a04 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_real.cc @@ -0,0 +1,65 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_real(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* The Real Data Transport is not explicitly documented in full, + * but these packets seem to resemble those examples we have been able + * to find. + * + * https://protocol.helixcommunity.org/2005/devdocs/RDT_Feature_Level_30.txt + */ + + if (!match_str_both(data, "\x00\xff\x03\x00", "\x00\xff\x04\x49")) + return false; + + if (data->payload_len[0] == 3 && data->payload_len[1] == 11) + return true; + if (data->payload_len[1] == 3 && data->payload_len[0] == 11) + return true; + + + return false; +} + +static lpi_module_t lpi_real = { + LPI_PROTO_UDP_REAL, + LPI_CATEGORY_STREAMING, + "RealPlayer", + 3, + match_real +}; + +void register_real(LPIModuleMap *mod_map) { + register_protocol(&lpi_real, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_risingstorm.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_risingstorm.cc new file mode 100644 index 0000000..89ab4ef --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_risingstorm.cc @@ -0,0 +1,103 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* More specifically, this rule is based off Rising Storm 2 but it'll + * probably match other Tripwire games including the original. + * + * TBC against real game traffic, but that costs $$. + * All servers contacted were labelled as RS2 on various server tracking + * sites, so that's enough for me. + */ + +static inline bool match_rs_0080(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 0x00, 0x80, 0x05, 0x20)) { + if (len == 10 || len == 17) + return true; + } + return false; + +} + +static inline bool match_rs_00c0(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 0x00, 0xc0, ANY, 0x08)) { + if (len == 14) + return true; + } + return false; +} + +static inline bool match_rs_0108(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 0x00, 0x00, 0x01, 0x08)) { + if (len == 25 || len == 12) + return true; + } + return false; +} + +static inline bool match_risingstorm(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_rs_0080(data->payload[0], data->payload_len[0])) { + if (match_rs_0108(data->payload[1], data->payload_len[1])) + return true; + + if (match_rs_00c0(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_rs_0080(data->payload[1], data->payload_len[1])) { + if (match_rs_0108(data->payload[0], data->payload_len[0])) + return true; + + if (match_rs_00c0(data->payload[0], data->payload_len[0])) + return true; + } + + + + return false; +} + +static lpi_module_t lpi_risingstorm = { + LPI_PROTO_UDP_RISING_STORM, + LPI_CATEGORY_GAMING, + "RisingStorm", + 12, + match_risingstorm +}; + +void register_risingstorm(LPIModuleMap *mod_map) { + register_protocol(&lpi_risingstorm, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_robocraft.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_robocraft.cc new file mode 100644 index 0000000..52dd3e7 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_robocraft.cc @@ -0,0 +1,72 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +static inline bool match_robocraft_req(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 0x09, 0x0b, 0x00, 0x05)) + return true; + if (MATCH(payload, 0x09, 0x0b, 0x07, 0xd0)) + return true; + + return false; +} + +static inline bool match_robocraft_resp(uint32_t payload, uint32_t len) { + + if (MATCHSTR(payload, "\x0a\x00\xff\xff")) + return true; + return false; +} + +static inline bool match_robocraft(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_robocraft_req(data->payload[0], data->payload_len[0])) { + if (match_robocraft_resp(data->payload[1], data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_robocraft = { + LPI_PROTO_UDP_ROBOCRAFT, + LPI_CATEGORY_GAMING, + "Robocraft", + 5, + match_robocraft +}; + +void register_robocraft(LPIModuleMap *mod_map) { + register_protocol(&lpi_robocraft, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_rocket_league.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_rocket_league.cc new file mode 100644 index 0000000..1947153 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_rocket_league.cc @@ -0,0 +1,79 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Not confirmed -- RL costs too much money -- but pretty certain */ + +static inline bool match_rl_1d(uint32_t payload, uint32_t len) { + + if (len == 115 && MATCH(payload, 0x1d, 0x01, 0x00, 0x00)) { + return true; + } + return false; +} + +static inline bool match_rl_1c(uint32_t payload, uint32_t len) { + + if (len == 93 && MATCH(payload, 0x1c, 0x01, 0x00, 0x00)) { + return true; + } + return false; +} + +static inline bool match_rocket_league(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_rl_1d(data->payload[0], data->payload_len[0])) { + if (match_rl_1c(data->payload[1], data->payload_len[1])) { + return true; + } + } + + if (match_rl_1c(data->payload[0], data->payload_len[0])) { + if (match_rl_1d(data->payload[1], data->payload_len[1])) { + return true; + } + } + + return false; +} + +static lpi_module_t lpi_rocket_league = { + LPI_PROTO_UDP_ROCKET_LEAGUE, + LPI_CATEGORY_GAMING, + "RocketLeague", + 175, + match_rocket_league +}; + +void register_rocket_league(LPIModuleMap *mod_map) { + register_protocol(&lpi_rocket_league, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_rrshare.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_rrshare.cc new file mode 100644 index 0000000..04644f8 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_rrshare.cc @@ -0,0 +1,98 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +/* RRshare aka YYets aka Zimuzu (app.zimuzu.tv) */ + +static inline bool match_rr_short(uint32_t payload, uint32_t len) { + if (len == 43 && MATCH(payload, 0x00, 0x00, 0x00, ANY)) + return true; + if (len == 43 && MATCH(payload, 0x15, 0x00, 0x00, ANY)) + return true; + return false; +} + +static inline bool match_rr_long(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 0x01, 0x02, 0x00, ANY)) + return true; + return false; +} + +static inline bool match_rr_05(uint32_t payload, uint32_t len) { + if (len == 0) { + return true; + } + if (MATCH(payload, 0x05, 0x00, 0x00, ANY)) + return true; + return false; +} + +static inline bool match_rrshare(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_rr_short(data->payload[0], data->payload_len[0])) { + if (match_rr_long(data->payload[1], data->payload_len[1])) + return true; + if (match_rr_short(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_rr_short(data->payload[1], data->payload_len[1])) { + if (match_rr_long(data->payload[0], data->payload_len[0])) + return true; + } + + if (match_rr_long(data->payload[0], data->payload_len[0])) { + if (match_rr_05(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_rr_long(data->payload[1], data->payload_len[1])) { + if (match_rr_05(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_rrshare = { + LPI_PROTO_UDP_RRSHARE, + LPI_CATEGORY_P2P, + "RRShare", + 149, + match_rrshare +}; + +void register_rrshare(LPIModuleMap *mod_map) { + register_protocol(&lpi_rrshare, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_rtcp.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_rtcp.cc new file mode 100644 index 0000000..acbca15 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_rtcp.cc @@ -0,0 +1,75 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_rtcp_payload(uint32_t payload, uint32_t len) { + if (len == 0) + return true; + if (MATCH(payload, 0x81, 0xc8, 0x00, ANY)) + return true; + if (MATCH(payload, 0x81, 0xc9, 0x00, ANY)) + return true; + if (MATCH(payload, 0x80, 0xc9, 0x00, ANY)) + return true; + if (MATCH(payload, 0x80, 0xc8, 0x00, ANY)) + return true; + return false; +} + + +static inline bool match_rtcp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Watch out for one-way DNS... */ + if (data->payload_len[0] == 0 || data->payload_len[1] == 0) { + if (data->server_port == 53 || data->client_port == 53) + return false; + } + + if (!match_rtcp_payload(data->payload[0], data->payload_len[0])) + return false; + if (!match_rtcp_payload(data->payload[1], data->payload_len[1])) + return false; + return true; + +} + +static lpi_module_t lpi_rtcp = { + LPI_PROTO_UDP_RTCP, + LPI_CATEGORY_VOIP, + "RTCP", + 3, + match_rtcp +}; + +void register_rtcp(LPIModuleMap *mod_map) { + register_protocol(&lpi_rtcp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_rtmfp.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_rtmfp.cc new file mode 100644 index 0000000..efc5846 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_rtmfp.cc @@ -0,0 +1,73 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_rtmfp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* RTMFP is Adobe's proprietary P2P streaming protocol. There are two + * stages - communicating with the Stratus servers and then talking + * to the peers themselves */ + + /* Basically we're matching pairs of packet sizes here - not very + * reliable at all. Could be lots of false positives! */ + + /* Hitting the Stratus servers */ + if (data->payload_len[0] == 100 && data->payload_len[1] == 180) + return true; + if (data->payload_len[1] == 100 && data->payload_len[0] == 180) + return true; + + /* P2P */ + if (data->payload_len[0] == 228 && data->payload_len[1] == 68) + return true; + if (data->payload_len[1] == 228 && data->payload_len[0] == 68) + return true; + if (data->payload_len[0] == 68 && data->payload_len[1] == 68) + return true; + if (data->payload_len[1] == 68 && data->payload_len[0] == 68) + return true; + + + return false; +} + +static lpi_module_t lpi_rtmfp = { + LPI_PROTO_UDP_RTMFP, + LPI_CATEGORY_STREAMING, + "RTMFP", + 12, + match_rtmfp +}; + +void register_rtmfp(LPIModuleMap *mod_map) { + register_protocol(&lpi_rtmfp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_rtp.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_rtp.cc new file mode 100644 index 0000000..bc9d2d5 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_rtp.cc @@ -0,0 +1,194 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_rtp_payload(uint32_t payload, uint32_t len, + uint32_t other_len) { + + /* This rule seems very weak -- maybe need to capture some known + * RTP traffic to try and strengthen it? + */ + + /* Be stricter about packet length when looking at one-way flows */ + if (other_len == 0) { + if (len != 32 && len != 92 && len != 172 && + len != 31 && len != 24) + return false; + } + + if (MATCH(payload, 0x80, ANY, ANY, ANY)) + return true; + if (MATCH(payload, 0x90, ANY, ANY, ANY)) + return true; + if (MATCH(payload, 0x91, ANY, ANY, ANY)) + return true; + + return false; + +} + +static inline bool match_rtp_806d(uint32_t payload, uint32_t len) { + + /* Common pattern we see on our local videoconf server */ + if (len == 24 && MATCH(payload, 0x80, 0x6d, 0x00, 0x00)) + return true; + return false; + +} + +static inline bool match_rtp_80c9(uint32_t payload, uint32_t len) { + if (len == 94 && MATCH(payload, 0x80, 0xc9, 0x00, 0x01)) + return true; + return false; +} + +static inline bool match_rtcp_report(uint32_t payload, uint32_t len) { + if (len == 16 && MATCH(payload, 0x81, 0xcd, 0x00, 0x03)) + return true; + if (len == 20 && MATCH(payload, 0x81, 0xcd, 0x00, 0x03)) + return true; + if (len == 32 && MATCH(payload, 0x81, 0xc9, 0x00, 0x07)) + return true; + if (len == 36 && MATCH(payload, 0x81, 0xc9, 0x00, 0x07)) + return true; + return false; +} + + +static inline bool match_stun_response(uint32_t payload, uint32_t len) { + + uint32_t plen = ntohl(payload) & 0xffff; + /* Many VOIP phones use STUN for NAT traversal, so the response to + * outgoing RTP is often a STUN packet */ + + if (len - 20 == plen && MATCH(payload, 0x00, 0x01, 0x00, ANY)) + return true; + if (len == 12 && MATCH(payload, 0x00, 0x11, 0x00, 0x00)) + return true; + + /* Facebook-specific STUN? Message type 0x003 is not defined in + * any official STUN documentation */ + if (len == 126 && MATCH(payload, 0x00, 0x03, 0x00, 0x6a)) + return true; + if (len == 94 && MATCH(payload, 0x00, 0x03, 0x00, 0x4a)) + return true; + + return false; + +} + +static inline bool match_rtp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Watch out for one-way DNS... */ + if (data->client_port == 53 || data->server_port == 53) { + if (data->payload_len[0] == 0 || data->payload_len[1] == 0) + return false; + } + + // Exclude QUIC port + if (data->client_port == 443 || data->server_port == 443) + return false; + + if (match_rtp_806d(data->payload[0], data->payload_len[0])) { + if (match_rtp_payload(data->payload[1], data->payload_len[1], + data->payload_len[0])) + return true; + } + + if (match_rtp_806d(data->payload[1], data->payload_len[1])) { + if (match_rtp_payload(data->payload[0], data->payload_len[0], + data->payload_len[1])) + return true; + } + + if (match_rtp_80c9(data->payload[0], data->payload_len[0])) { + if (match_stun_response(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_rtp_80c9(data->payload[1], data->payload_len[1])) { + if (match_stun_response(data->payload[0], data->payload_len[0])) + return true; + } + + + if (match_rtp_payload(data->payload[0], data->payload_len[0], + data->payload_len[1])) { + if (match_stun_response(data->payload[1], data->payload_len[1])) + return true; + if (match_rtp_payload(data->payload[1], data->payload_len[1], + data->payload_len[0])) { + uint32_t a = ntohl(data->payload[0]) & 0xffff0000; + uint32_t b = ntohl(data->payload[1]) & 0xffff0000; + + if (a == b) + return true; + return false; + } + if (data->payload_len[1] == 0) + return true; + } + + if (match_rtp_payload(data->payload[1], data->payload_len[1], + data->payload_len[0])) { + if (match_stun_response(data->payload[0], data->payload_len[0])) + return true; + if (data->payload_len[0] == 0) + return true; + } + + if (match_rtcp_report(data->payload[0], data->payload_len[0])) { + if (match_rtp_payload(data->payload[1], data->payload_len[1], + data->payload_len[0])) + return true; + } + + if (match_rtcp_report(data->payload[1], data->payload_len[1])) { + if (match_rtp_payload(data->payload[0], data->payload_len[0], + data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_rtp = { + LPI_PROTO_UDP_RTP, + LPI_CATEGORY_VOIP, + "RTP", + 33, + match_rtp +}; + +void register_rtp(LPIModuleMap *mod_map) { + register_protocol(&lpi_rtp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_rulesofsurvival.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_rulesofsurvival.cc new file mode 100644 index 0000000..2323b23 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_rulesofsurvival.cc @@ -0,0 +1,86 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Rules of Survival -- battle royale from NetEase for mobile and PC */ + +/* Based on PC version -- mobile may be different? */ + +static inline bool match_ros_24(uint32_t payload, uint32_t len) { + if (len == 24 && MATCH(payload, 0x01, 0x00, 0x00, 0x0b)) { + return true; + } + return false; +} + +static inline bool match_ros_32(uint32_t payload, uint32_t len) { + if (len == 32) { + /* Payload is seemingly random, so rule out common + * patterns that are very unlikely to come up randomly. + */ + if (MATCH(payload, 0x00, 0x00, 0x00, 0x00)) { + return false; + } + if (MATCHSTR(payload, "\xff\xff\xff\xff")) { + return false; + } + return true; + } + return false; +} + +static inline bool match_rulesofsurvival(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_ros_24(data->payload[0], data->payload_len[0])) { + if (match_ros_32(data->payload[1], data->payload[1])) + return true; + } + + if (match_ros_24(data->payload[1], data->payload_len[1])) { + if (match_ros_32(data->payload[0], data->payload[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_rulesofsurvival = { + LPI_PROTO_UDP_RULES_OF_SURVIVAL, + LPI_CATEGORY_GAMING, + "RulesOfSurvival", + 123, + match_rulesofsurvival +}; + +void register_rulesofsurvival(LPIModuleMap *mod_map) { + register_protocol(&lpi_rulesofsurvival, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_sanandreas_mp.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_sanandreas_mp.cc new file mode 100644 index 0000000..d0575c0 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_sanandreas_mp.cc @@ -0,0 +1,110 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Matches the GTA: San Andreas Multiplayer Mod -- http://www.sa-mp.com/ */ + +static inline bool match_samp_request(uint32_t payload, uint32_t len) { + if (!MATCHSTR(payload, "SAMP")) + return false; + if (len != 71) + return false; + return true; + +} + +static inline bool match_samp_reply(uint32_t payload, uint32_t len) { + if (len == 0) + return true; + if (!MATCHSTR(payload, "SAMP")) + return false; + if (len == 11 || len == 15) + return true; + return false; +} + + +static inline bool match_ffs_req(uint32_t payload, uint32_t len) { + if (len != 4) + return false; + if (MATCH(payload, 0x40, 0xb1, 0xd1, 0xef)) + return true; + return false; +} + +static inline bool match_ffs_resp(uint32_t payload, uint32_t len) { + if (len != 2) + return false; + if (MATCH(payload, 0x16, 0x00, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_sanandreas_mp(lpi_data_t *data, + lpi_module_t *mod UNUSED) { + + if (match_samp_request(data->payload[0], data->payload_len[0])) { + if (match_samp_reply(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_samp_request(data->payload[1], data->payload_len[1])) { + if (match_samp_reply(data->payload[0], data->payload_len[0])) + return true; + } + + /* Traffic seen on port 7777 for a SA-MP server called + * Fight Fun Server (ff-server.com). */ + if (match_ffs_req(data->payload[1], data->payload_len[1])) { + if (match_ffs_resp(data->payload[0], data->payload_len[0])) + return true; + } + + if (match_ffs_req(data->payload[0], data->payload_len[0])) { + if (match_ffs_resp(data->payload[1], data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_sanandreas_mp = { + LPI_PROTO_UDP_SANANDREAS, + LPI_CATEGORY_GAMING, + "GTA_SanAndreas_Multiplayer", + 8, + match_sanandreas_mp +}; + +void register_sanandreas_mp(LPIModuleMap *mod_map) { + register_protocol(&lpi_sanandreas_mp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_second_life.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_second_life.cc new file mode 100644 index 0000000..0dc07be --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_second_life.cc @@ -0,0 +1,84 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_second_life_req(uint32_t payload, uint32_t len) { + + if (len != 46 && len != 54) + return false; + if (!MATCH(payload, 0x40, 0x00, 0x00, 0x00)) + return false; + return true; + +} + +static inline bool match_second_life(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Haven't actually seen any legit 2-way SecondLife exchanges, so + * only speculating based on my interpretation of the specs + * + * http://wiki.secondlife.com/wiki/Packet_Layout + */ + + if (match_second_life_req(data->payload[0], data->payload_len[0])) { + if (data->payload_len[1] == 0) + return true; + if (MATCH(data->payload[1], ANY, 0x00, 0x00, 0x00)) { + if (data->payload_len[1] < 15) + return false; + return true; + } + } + + if (match_second_life_req(data->payload[1], data->payload_len[1])) { + if (data->payload_len[0] == 0) + return true; + if (MATCH(data->payload[0], ANY, 0x00, 0x00, 0x00)) { + if (data->payload_len[0] < 15) + return false; + return true; + } + } + return false; +} + +static lpi_module_t lpi_second_life = { + LPI_PROTO_UDP_SECONDLIFE, + LPI_CATEGORY_GAMING, + "SecondLife_UDP", + 6, + match_second_life +}; + +void register_second_life_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_second_life, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_serialnumberd.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_serialnumberd.cc new file mode 100644 index 0000000..1244da5 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_serialnumberd.cc @@ -0,0 +1,63 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_serialnumberd(lpi_data_t *data, lpi_module_t *mod UNUSED) { + if (MATCHSTR(data->payload[0], "SNQU")) { + if (data->payload_len[1] == 0) + return true; + if (MATCHSTR(data->payload[1], "SNRE")) + return true; + } + + if (MATCHSTR(data->payload[1], "SNQU")) { + if (data->payload_len[0] == 0) + return true; + if (MATCHSTR(data->payload[0], "SNRE")) + return true; + } + + + return false; +} + +static lpi_module_t lpi_serialnumberd = { + LPI_PROTO_UDP_SERIALNUMBERD, + LPI_CATEGORY_SERVICES, + "Serialnumberd", + 3, + match_serialnumberd +}; + +void register_serialnumberd(LPIModuleMap *mod_map) { + register_protocol(&lpi_serialnumberd, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_sip.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_sip.cc new file mode 100644 index 0000000..6f7839b --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_sip.cc @@ -0,0 +1,84 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_sip_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_chars_either(data, 'S', 'I', 'P', ANY)) + return true; + + if (match_str_either(data, "BYE ")) + return true; + + if (match_str_either(data, "OPTI") && + (data->payload_len[0] == 0 || + data->payload_len[1] == 0)) + return true; + + if (match_str_either(data, "INVI") && + (data->payload_len[0] == 0 || + data->payload_len[1] == 0)) + return true; + + if (match_str_both(data, "NOTI", "OPTI")) + return true; + if (match_str_both(data, "OPTI", "REGI")) + return true; + if (match_str_both(data, "NOTI", "REGI")) + return true; + if (match_str_both(data, "NOTI", "INVI")) + return true; + if (match_str_either(data, "REGI") && + (data->payload_len[0] == 0 || + data->payload_len[1] == 0)) + return true; + if (match_str_either(data, "SUBS")) { + if (data->payload_len[0] == 0) + return true; + if (data->payload_len[1] == 0) + return true; + } + + return false; +} + +static lpi_module_t lpi_sip_udp = { + LPI_PROTO_UDP_SIP, + LPI_CATEGORY_VOIP, + "SIP_UDP", + 2, + match_sip_udp +}; + +void register_sip_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_sip_udp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_skype.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_skype.cc new file mode 100644 index 0000000..10ce3fe --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_skype.cc @@ -0,0 +1,207 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_skype_rule1(lpi_data_t *data) { + + /* This is one method for matching skype traffic - turns out there + * are other forms as well... */ + + /* The third byte is always 0x02 in Skype UDP traffic - if we have + * payload in both directions we can probably match on that alone */ + + uint32_t payload0 = ntohl(data->payload[0]); + uint32_t payload1 = ntohl(data->payload[1]); + + + if (data->payload_len[0] > 0 && data->payload_len[1] > 0) { + if ((payload0 & 0x0000ff00) != 0x00000200) + return false; + if ((payload1 & 0x0000ff00) != 0x00000200) + return false; + return true; + } + + /* Probes with no responses are trickier - likelihood of a random + * packet having 0x02 as the third byte is not small, so we'll try + * and filter on packet size too */ + + if (data->payload_len[0] >= 18 && data->payload_len[0] <= 137 ) { + if ((payload0 & 0x0000ff00) == 0x00000200) + return true; + } + if (data->payload_len[1] >= 18 && data->payload_len[1] <= 137 ) { + if ((payload1 & 0x0000ff00) == 0x00000200) + return true; + } + + return false; +} + + +static inline bool match_skype_U1(uint32_t payload, uint32_t len) { + + if (len < 18) + return false; + if ((ntohl(payload) & 0x0000ff00) == 0x00000200) + return true; + + return false; + +} + +static inline bool match_skype_U2(uint32_t payload, uint32_t len) { + + if (len != 11) + return false; + if ((ntohl(payload) & 0x00000f00) == 0x00000500) + return true; + if ((ntohl(payload) & 0x00000f00) == 0x00000700) + return true; + return false; +} + + +static inline bool match_skype_rule2(lpi_data_t *data) { + + /* What we're looking for here is a initiating message (called U1) + * matched with a response (called U2). + * + * The first two bytes of U1 and U2 must match. + * + * The third byte of U1 is always 0x02 (as with rule 1) + * + * The lower four bits of the third byte of U2 is always either 0x05 + * or 0x07 + * + * The length of U2 is always 11 bytes. + * + * The length of U1 is always between 18 and 31 bytes. + */ + + if ((ntohl(data->payload[0]) & 0xffff0000) != + (ntohl(data->payload[1]) & 0xffff0000)) + return false; + + if (match_skype_U1(data->payload[0], data->payload_len[0])) { + if (match_skype_U2(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_skype_U1(data->payload[1], data->payload_len[1])) { + if (match_skype_U2(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + + +static inline bool match_meeting_stun_request(uint32_t payload, uint32_t len) { + + if ((ntohl(payload) & 0xffff) != len - 4) + return false; + + /* Checking for 0xff + ANY bytes is hard :( */ + if ((ntohl(payload) & 0xff000000) != 0xff000000) + return false; + + if (MATCH(payload, ANY, 0x10, ANY, ANY)) + return true; + + return false; + +} + +static inline bool match_meeting_stun_reply(uint32_t payload, uint32_t len) { + + if ((ntohl(payload) & 0xffff) != len - 20) + return false; + + if (MATCH(payload, 0x00, 0x01, ANY, ANY)) + return true; + if (MATCH(payload, 0x01, 0x01, ANY, ANY)) + return true; + + return false; + +} + +static inline bool match_skype_meeting_broadcast(lpi_data_t *data) { + /* This protocol is a LOT like STUN, but isn't really STUN. */ + + /* TODO get hold of skype for business and double check this */ + + if (match_meeting_stun_request(data->payload[0], data->payload_len[0])) + { + if (match_meeting_stun_reply(data->payload[1], + data->payload_len[1])) { + return true; + } + } + + if (match_meeting_stun_request(data->payload[1], data->payload_len[1])) + { + if (match_meeting_stun_reply(data->payload[0], + data->payload_len[0])) { + return true; + } + } + + return false; +} + +static inline bool match_skype(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_skype_rule1(data)) + return true; + if (match_skype_rule2(data)) + return true; + + + if (match_skype_meeting_broadcast(data)) + return true; + + return false; +} + +static lpi_module_t lpi_skype = { + LPI_PROTO_UDP_SKYPE, + LPI_CATEGORY_VOIP, + "Skype", + 105, /* The Skype rules aren't strong, so have a low priority */ + match_skype +}; + +void register_skype(LPIModuleMap *mod_map) { + register_protocol(&lpi_skype, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_slp.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_slp.cc new file mode 100644 index 0000000..2de78d0 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_slp.cc @@ -0,0 +1,96 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_slp_req(uint32_t payload, uint32_t len) { + + /* According to RFC 2608, the 3rd and 4th bytes should be the + * length (including the SLP header). This doesn't appear to be the + * case with any of the port 427 traffic I've seen, so either I'm + * wrong or people fail at following RFCs */ + + if (MATCH(payload, 0x02, 0x01, 0x00, 0x00) && len == 49) { + return true; + } + + return false; + +} + +static inline bool match_slp_resp(uint32_t payload, uint32_t len) { + + /* I haven't actually observed any responses yet, so just going + * on what the spec says :/ */ + + if (len == 0) + return true; + + if (MATCH(payload, 0x02, 0x02, ANY, ANY)) { + return true; + } + + return false; +} + + +static inline bool match_slp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 427 && data->client_port != 427) + return false; + + if (match_slp_req(data->payload[0], data->payload_len[0])) { + if (match_slp_resp(data->payload[1], data->payload_len[1])) + return true; + return false; + } + + if (match_slp_req(data->payload[1], data->payload_len[1])) { + if (match_slp_resp(data->payload[0], data->payload_len[0])) + return true; + return false; + } + + + return false; +} + +static lpi_module_t lpi_slp = { + LPI_PROTO_UDP_SLP, + LPI_CATEGORY_SERVICES, + "SLP", + 5, + match_slp +}; + +void register_slp(LPIModuleMap *mod_map) { + register_protocol(&lpi_slp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_smite.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_smite.cc new file mode 100644 index 0000000..c18caa2 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_smite.cc @@ -0,0 +1,57 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +static inline bool match_smite(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + + if (MATCH(data->payload[0], 0x01, 0x14, 0x00, 0x00)) { + if (MATCH(data->payload[1], 0x01, 0x14, 0x00, 0x00)) { + return true; + } + } + + return false; +} + +static lpi_module_t lpi_smite = { + LPI_PROTO_UDP_SMITE, + LPI_CATEGORY_GAMING, + "Smite", + 55, + match_smite +}; + +void register_smite(LPIModuleMap *mod_map) { + register_protocol(&lpi_smite, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_snapvpn.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_snapvpn.cc new file mode 100644 index 0000000..e5ab71f --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_snapvpn.cc @@ -0,0 +1,77 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_snap_query(uint32_t payload, uint32_t len) { + + if (MATCH(payload, '2', '7', '3', 'P') && len < 50) + return true; + return false; +} + +static inline bool match_snap_fail(uint32_t payload, uint32_t len) { + /* Saw this a lot when failing to connect to the server */ + if (len == 14 && MATCH(payload, 0x0a, ANY, ANY, ANY)) + return true; + return false; +} + +static inline bool match_snapvpn(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Ports 21, 25, 109, 119 */ + + if (match_snap_query(data->payload[0], data->payload_len[0])) { + if (match_snap_query(data->payload[1], data->payload_len[1])) + return true; + if (match_snap_fail(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_snap_query(data->payload[1], data->payload_len[1])) { + if (match_snap_fail(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_snapvpn = { + LPI_PROTO_UDP_SNAPVPN, + LPI_CATEGORY_TUNNELLING, + "SnapVPN", + 25, + match_snapvpn +}; + +void register_snapvpn(LPIModuleMap *mod_map) { + register_protocol(&lpi_snapvpn, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_snmp.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_snmp.cc new file mode 100644 index 0000000..7e72434 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_snmp.cc @@ -0,0 +1,104 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_snmp_payload(uint32_t payload, uint32_t len) { + + /* SNMP is BER encoded, which is an ass to decode */ + uint8_t snmplen = 0; + uint8_t *byte; + + if (len == 0) + return true; + + /* Must be a SEQUENCE */ + if (!MATCH(payload, 0x30, ANY, ANY, ANY)) + return false; + + byte = ((uint8_t *)&payload) + 1; + + if (*byte< 0x80) { + snmplen = *byte; + + if (!MATCH(payload, 0x30, ANY, 0x02, 0x01)) + return false; + if (len - 2 != snmplen) + return false; + return true; + } + + if (*byte == 0x81) { + snmplen = *(byte + 1); + + if (!MATCH(payload, 0x30, 0x81, ANY, 0x02)) + return false; + if (len - 3 != snmplen) + return false; + return true; + } + + if (*byte == 0x82) { + uint16_t longlen = *((uint16_t *)(byte + 1)); + + if (len - 4 != ntohs(longlen)) + return false; + return true; + } + + return false; + +} + + +static inline bool match_snmp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (!match_snmp_payload(data->payload[0], data->payload_len[0])) + return false; + if (!match_snmp_payload(data->payload[1], data->payload_len[1])) + return false; + + return true; + + +} + +static lpi_module_t lpi_snmp = { + LPI_PROTO_UDP_SNMP, + LPI_CATEGORY_MONITORING, + "SNMP", + 3, + match_snmp +}; + +void register_snmp(LPIModuleMap *mod_map) { + register_protocol(&lpi_snmp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_sopcast.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_sopcast.cc new file mode 100644 index 0000000..608168f --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_sopcast.cc @@ -0,0 +1,92 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_sopcast_req(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 0xff, 0xff, 0x01, ANY)) { + if (len == 52) + return true; + } + + return false; +} + +static inline bool match_sopcast_reply(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 0x00, ANY, 0x02, ANY)) { + if (len == 80) + return true; + } + if (MATCH(payload, 0x00, ANY, 0x01, ANY)) { + if (len == 60) + return true; + } + + return false; +} + + +static inline bool match_sopcast(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if ((data->payload[0] & 0xff000000) != (data->payload[1] & 0xff000000)) + return false; + + if (match_sopcast_req(data->payload[0], data->payload_len[0])) { + if (match_sopcast_reply(data->payload[1], data->payload_len[1])) + return true; + if (match_sopcast_req(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_sopcast_req(data->payload[1], data->payload_len[1])) { + if (match_sopcast_reply(data->payload[0], data->payload_len[0])) + return true; + if (match_sopcast_req(data->payload[0], data->payload_len[0])) + return true; + } + + + return false; +} + +static lpi_module_t lpi_sopcast = { + LPI_PROTO_UDP_SOPCAST, + LPI_CATEGORY_P2PTV, + "Sopcast", + 5, + match_sopcast +}; + +void register_sopcast(LPIModuleMap *mod_map) { + register_protocol(&lpi_sopcast, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_spamfighter.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_spamfighter.cc new file mode 100644 index 0000000..1b3eb9b --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_spamfighter.cc @@ -0,0 +1,54 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_spamfighter(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_either(data, "DISC")) + return true; + if (match_str_either(data, "SCP\x03")) + return true; + + return false; +} + +static lpi_module_t lpi_spamfighter = { + LPI_PROTO_UDP_SPAMFIGHTER, + LPI_CATEGORY_ANTISPAM, + "SpamFighter", + 3, + match_spamfighter +}; + +void register_spamfighter(LPIModuleMap *mod_map) { + register_protocol(&lpi_spamfighter, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_spotify_bcast.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_spotify_bcast.cc new file mode 100644 index 0000000..9c9dde3 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_spotify_bcast.cc @@ -0,0 +1,58 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Protocol used by Spotify to find other clients on the local network */ + +static inline bool match_spotify_bcast(lpi_data_t *data, + lpi_module_t *mod UNUSED) { + + if (!match_str_either(data, "Spot")) + return false; + + if (data->server_port != 57621 || data->client_port != 57621) + return false; + + return true; +} + +static lpi_module_t lpi_spotify_bcast = { + LPI_PROTO_UDP_SPOTIFY_BROADCAST, + LPI_CATEGORY_BROADCAST, + "SpotifyBroadcast", + 14, + match_spotify_bcast +}; + +void register_spotify_bcast(LPIModuleMap *mod_map) { + register_protocol(&lpi_spotify_bcast, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_sql_worm.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_sql_worm.cc new file mode 100644 index 0000000..bd257e0 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_sql_worm.cc @@ -0,0 +1,56 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_sql_worm(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* The recipient does not reply (with any luck!) */ + if (data->payload_len[0] > 0 && data->payload_len[1] > 0) + return false; + + if (match_chars_either(data, 0x04, 0x01, 0x01, 0x01)) + return true; + + return false; +} + +static lpi_module_t lpi_sql_worm = { + LPI_PROTO_UDP_SQLEXP, + LPI_CATEGORY_MALWARE, + "SQLExp", + 10, + match_sql_worm +}; + +void register_sql_worm(LPIModuleMap *mod_map) { + register_protocol(&lpi_sql_worm, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_ssdp.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_ssdp.cc new file mode 100644 index 0000000..48b9f50 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_ssdp.cc @@ -0,0 +1,73 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_ssdp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_either(data, "M-SE")) + return true; + + if (match_str_either(data, "NOTI")) { + if (data->server_port != 1900) + return false; + if (data->client_port != 1900) + return false; + return true; + } + + /* Check for SSDP reflection attacks */ + if (match_str_either(data, "HTTP")) { + /* usually only the source port is 1900 */ + if (data->server_port != 1900 && data->client_port != 1900) + return false; + + /* the request usually has a spoofed address so we won't + * payload in one direction */ + if (data->payload_len[0] != 0 && data->payload_len[1] != 0) + return false; + return true; + } + + return false; +} + +static lpi_module_t lpi_ssdp = { + LPI_PROTO_UDP_SSDP, + LPI_CATEGORY_SERVICES, + "SSDP", + 5, + match_ssdp +}; + +void register_ssdp(LPIModuleMap *mod_map) { + register_protocol(&lpi_ssdp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_starcitizen.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_starcitizen.cc new file mode 100644 index 0000000..97fe392 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_starcitizen.cc @@ -0,0 +1,78 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_sc_13(uint32_t payload, uint32_t len) { + + if (len == 13 && MATCH(payload, 0x43, 0x00, 0x00, 0x00)) + return true; + return false; + +} + +static inline bool match_sc_67(uint32_t payload, uint32_t len) { + + if (len == 67 && MATCH(payload, 0x43, 0x00, 0x00, 0x00)) + return true; + return false; + +} + +static inline bool match_starcitizen(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Port 64090 */ + if (match_sc_13(data->payload[0], data->payload_len[0])) { + if (match_sc_13(data->payload[1], data->payload_len[1])) + return true; + if (match_sc_67(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_sc_13(data->payload[1], data->payload_len[1])) { + if (match_sc_67(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_starcitizen = { + LPI_PROTO_UDP_STARCITIZEN, + LPI_CATEGORY_GAMING, + "StarCitizen", + 39, + match_starcitizen +}; + +void register_starcitizen(LPIModuleMap *mod_map) { + register_protocol(&lpi_starcitizen, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_starcraft.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_starcraft.cc new file mode 100644 index 0000000..636514b --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_starcraft.cc @@ -0,0 +1,121 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_sc_message(uint32_t payload, uint32_t len) { + + /* http://forum.valhallalegends.com/index.php?topic=17702.0 */ + + /* Starcraft header is 16 bytes - most bodies are either one or + * two bytes */ + + if (MATCH(payload, 0x00, 0x00, 0x00, 0x00) && len == 16) + return true; + if (MATCH(payload, 0x00, 0x00, 0x00, 0x00) && len == 17) + return true; + if (MATCH(payload, 0x00, 0x00, 0x00, 0x00) && len == 18) + return true; + + /* 34 also seems possible */ + if (MATCH(payload, 0x00, 0x00, 0x00, 0x00) && len == 34) + return true; + + + return false; +} + +static inline bool match_sc_remaster_01(uint32_t payload, uint32_t len) { + /* New protocol that has been implemented as part of the + * remaster. + */ + if (len == 0) + return true; + if (len < 50 && MATCH(payload, 0x08, 0x01, 0x12, 0x14)) + return true; + if (len < 50 && MATCH(payload, 0x08, 0x01, 0x12, 0x10)) + return true; + if (len < 50 && MATCH(payload, 0x08, 0x01, 0x12, 0x11)) + return true; + return false; + +} + +static inline bool match_sc_remaster_02(uint32_t payload, uint32_t len) { + /* New protocol that has been implemented as part of the + * remaster. + */ + if (len < 50 && MATCH(payload, 0x08, 0x02, 0x12, 0x18)) + return true; + return false; + +} + +static inline bool match_starcraft(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 6112 && data->client_port != 6112) + return false; + + if (match_sc_remaster_01(data->payload[0], data->payload_len[0])) { + if (match_sc_remaster_01(data->payload[1], data->payload_len[1])) + return true; + if (match_sc_remaster_02(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_sc_remaster_01(data->payload[1], data->payload_len[1])) { + if (match_sc_remaster_01(data->payload[0], data->payload_len[0])) + return true; + if (match_sc_remaster_02(data->payload[0], data->payload_len[0])) + return true; + } + + if (!match_sc_message(data->payload[0], data->payload_len[0])) + return false; + if (!match_sc_message(data->payload[1], data->payload_len[1])) + return false; + + return true; + + +} + +static lpi_module_t lpi_starcraft = { + LPI_PROTO_UDP_STARCRAFT, + LPI_CATEGORY_GAMING, + "Starcraft", + 4, + match_starcraft +}; + +void register_starcraft(LPIModuleMap *mod_map) { + register_protocol(&lpi_starcraft, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_starleaf.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_starleaf.cc new file mode 100644 index 0000000..1da25d8 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_starleaf.cc @@ -0,0 +1,66 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_slp(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 0x00, 0x00, 0x00, 0x00) && len == 9) + return true; + + return false; +} + +static inline bool match_starleaf(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Restrict to port 24704 */ + if (data->server_port != 24704 && data->client_port != 24704) + return false; + + if (match_slp(data->payload[0], data->payload_len[0])) { + if (match_slp(data->payload[1], data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_starleaf = { + LPI_PROTO_UDP_STARLEAF, + LPI_CATEGORY_VOIP, + "StarLeaf", + 122, + match_starleaf +}; + +void register_starleaf(LPIModuleMap *mod_map) { + register_protocol(&lpi_starleaf, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_steam.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_steam.cc new file mode 100644 index 0000000..37f492c --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_steam.cc @@ -0,0 +1,118 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_39_request(uint32_t payload, uint32_t len) { + + if (len != 4) + return false; + if (!MATCH(payload, 0x39, 0x18, 0x00, 0x00)) + return false; + + return true; + +} + +static inline bool match_3a_response(uint32_t payload, uint32_t len) { + + if (len == 0) + return true; + + if (len != 8) + return false; + if (!MATCH(payload, 0x3a, 0x18, 0x00, 0x00)) + return false; + + return true; + +} + +static inline bool match_steam_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Master Server Queries begin with 31 ff 30 2e + * + * NOTE: the ff byte can vary depending on the region that the user + * is querying for, but ff is the "all regions" option and is the + * typical default. + */ + if (match_str_either(data, "\x31\xff\x30\x2e") + && match_str_either(data, "\xff\xff\xff\xff")) { + return true; + } + + /* Server Info queries are always 53 bytes and begin with ff ff ff ff. + * The reply also begins with ff ff ff ff but can vary in size */ + + if (MATCHSTR(data->payload[0], "\xff\xff\xff\xff") && + data->payload_len[0] == 25 && + (MATCHSTR(data->payload[1], "\xff\xff\xff\xff") || + data->payload_len[1] == 0)) { + + return true; + } + + if (MATCHSTR(data->payload[1], "\xff\xff\xff\xff") && + data->payload_len[1] == 25 && + (MATCHSTR(data->payload[0], "\xff\xff\xff\xff") || + data->payload_len[0] == 0)) { + + return true; + } + + /* This stuff is definitely related to Steam or some game played + * over Steam - need to look into this more at some point */ + + if (match_39_request(data->payload[0], data->payload_len[0])) { + if (match_3a_response(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_39_request(data->payload[1], data->payload_len[1])) { + if (match_3a_response(data->payload[0], data->payload_len[0])) + return true; + } + + + return false; +} + +static lpi_module_t lpi_steam_udp = { + LPI_PROTO_UDP_STEAM, + LPI_CATEGORY_GAMING, + "Steam_UDP", + 4, + match_steam_udp +}; + +void register_steam_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_steam_udp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_steam_inhomebroadcast.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_steam_inhomebroadcast.cc new file mode 100644 index 0000000..c45d12a --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_steam_inhomebroadcast.cc @@ -0,0 +1,69 @@ +/* + * This file is part of libprotoident + * + * Copyright (c) 2011 The University of Waikato, Hamilton, New Zealand. + * Author: Shane Alcock + * + * With contributions from: + * Aaron Murrihy + * Donald Neal + * + * All rights reserved. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with libprotoident; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * $Id$ + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_steam_inhomebroadcast_ports(uint16_t porta, uint16_t portb) { + if (porta == 27036 && portb == 27036) + return true; + return false; +} + +static inline bool match_steam_inhomebroadcast(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (!match_steam_inhomebroadcast_ports(data->server_port, data->client_port)) + return false; + + if (data->payload_len[0] == 0 || data->payload_len[1] == 0) { + if (match_str_both(data, "\xff\xff\xff\xff", "\x00\x00\x00\x00")) + return true; + } + + return false; +} + +static lpi_module_t lpi_steam_inhomebroadcast = { + LPI_PROTO_UDP_STEAM_INHOMEBROADCAST, + LPI_CATEGORY_GAMING, + "Steam_InHome_Broadcast", + 9, + match_steam_inhomebroadcast +}; + +void register_steam_inhomebroadcast(LPIModuleMap *mod_map) { + register_protocol(&lpi_steam_inhomebroadcast, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_steam_localbroadcast.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_steam_localbroadcast.cc new file mode 100644 index 0000000..e54bc04 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_steam_localbroadcast.cc @@ -0,0 +1,101 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* This protocol is something I observed on a laptop running a Steam client. + * It just constantly spams 255.255.255.255 with these packets and I found + * some references to Steam when trying to find out what it was, e.g. + * http://ask.wireshark.org/questions/11566/possible-malware-on-network + * + */ + +static inline bool match_steam_ports(uint16_t port_a, uint16_t port_b) { + + if (port_a == 10007 || port_b == 10007) + return true; + if (port_a == 10019 || port_b == 10019) + return true; + return false; +} + +static inline bool match_steam_request(uint32_t payload, uint32_t len) { + + if (len != 128) + return false; + if (MATCHSTR(payload, "\x00\xff\x00\x00")) + return true; + if (MATCHSTR(payload, "\xf0\xff\x00\x00")) + return true; + + return false; +} + + +static inline bool match_steam_reply(uint32_t payload, uint32_t len) { + + /* Not seen a valid reply yet, so just check for no reply */ + if (len == 0) + return true; + return false; + +} + +static inline bool match_steam_localbroadcast(lpi_data_t *data, + lpi_module_t *mod UNUSED) { + + if (!match_steam_ports(data->server_port, data->client_port)) { + return false; + } + + if (match_steam_request(data->payload[0], data->payload_len[0])) { + if (match_steam_reply(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_steam_request(data->payload[1], data->payload_len[1])) { + if (match_steam_reply(data->payload[0], data->payload_len[0])) + return true; + } + return false; +} + +static lpi_module_t lpi_steam_localbroadcast = { + LPI_PROTO_UDP_STEAM_LOCALBROADCAST, + LPI_CATEGORY_BROADCAST, + "SteamLocalBroadcast", + 16, + match_steam_localbroadcast +}; + +void register_steam_localbroadcast(LPIModuleMap *mod_map) { + register_protocol(&lpi_steam_localbroadcast, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_steamfriends.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_steamfriends.cc new file mode 100644 index 0000000..6c35e1b --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_steamfriends.cc @@ -0,0 +1,52 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_steamfriends(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_either(data, "VS01")) + return true; + + return false; +} + +static lpi_module_t lpi_steamfriends = { + LPI_PROTO_UDP_STEAM_FRIENDS, + LPI_CATEGORY_GAMING, + "Steam_Friends", + 3, + match_steamfriends +}; + +void register_steamfriends(LPIModuleMap *mod_map) { + register_protocol(&lpi_steamfriends, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_storm_worm.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_storm_worm.cc new file mode 100644 index 0000000..71b0ba7 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_storm_worm.cc @@ -0,0 +1,71 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_storm_worm(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* This pattern is observed on ports 4000, 7871 and 11271 which are + * all known port numbers for this trojan */ + + if (MATCH(data->payload[0], 0xe3, 0x1b, 0xd6, 0x21)) { + if (data->payload_len[0] != 4) + return false; + if (data->payload_len[1] == 0) + return true; + if (MATCH(data->payload[1], 0xe3, 0x0c, 0x66, 0xe6)) + return true; + } + + if (MATCH(data->payload[1], 0xe3, 0x1b, 0xd6, 0x21)) { + if (data->payload_len[1] != 4) + return false; + if (data->payload_len[0] == 0) + return true; + if (MATCH(data->payload[0], 0xe3, 0x0c, 0x66, 0xe6)) + return true; + } + + + return false; +} + +static lpi_module_t lpi_storm_worm = { + LPI_PROTO_UDP_STORM_WORM, + LPI_CATEGORY_MALWARE, + "StormWorm", + 10, + match_storm_worm +}; + +void register_storm_worm(LPIModuleMap *mod_map) { + register_protocol(&lpi_storm_worm, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_stun.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_stun.cc new file mode 100644 index 0000000..a6eedce --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_stun.cc @@ -0,0 +1,160 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static bool match_facetime_stun_request(uint32_t payload, uint32_t len) { + + /* Bytes 3 and 4 are the Message Length - the STUN header */ + if ((ntohl(payload) & 0x0000ffff) != len - 20) + return false; + + if (MATCH(payload, 0x0f, 0xe0, ANY, ANY)) + return true; + if (MATCH(payload, 0x0f, 0xe1, ANY, ANY)) + return true; + if (MATCH(payload, 0x0f, 0xe4, ANY, ANY)) + return true; + return false; + +} + +static bool match_facetime_stun_response(uint32_t payload, uint32_t len) { + + /* Bytes 3 and 4 are the Message Length - the STUN header */ + if ((ntohl(payload) & 0x0000ffff) != len - 20) + return false; + + if (MATCH(payload, 0x0e, 0xe0, ANY, ANY)) + return true; + if (MATCH(payload, 0x0e, 0xe1, ANY, ANY)) + return true; + if (MATCH(payload, 0x0e, 0xe4, ANY, ANY)) + return true; + return false; + +} + +static bool match_skype_stun_request(uint32_t payload, uint32_t len) { + + /* Bytes 3 and 4 are the Message Length - the STUN header */ + if ((ntohl(payload) & 0x0000ffff) != len - 20) + return false; + + /* These flows start with an Allocate Request */ + if (MATCH(payload, 0x00, 0x03, ANY, ANY)) + return true; + + return false; + +} + +static bool match_stun_payload(uint32_t payload, uint32_t len) { + + if (len == 0) + return true; + + /* Bytes 3 and 4 are the Message Length - the STUN header */ + if ((ntohl(payload) & 0x0000ffff) != len - 20) + return false; + + if (MATCH(payload, 0x00, 0x01, ANY, ANY)) + return true; + if (MATCH(payload, 0x01, 0x01, ANY, ANY)) + return true; + if (MATCH(payload, 0x01, 0x11, ANY, ANY)) + return true; + if (MATCH(payload, 0x00, 0x03, ANY, ANY)) + return true; + if (MATCH(payload, 0x01, 0x03, ANY, ANY)) + return true; + if (MATCH(payload, 0x01, 0x13, ANY, ANY)) + return true; + + /* Data Indication message (used by Skype) */ + if (MATCH(payload, 0x01, 0x15, ANY, ANY)) + return true; + + return false; + +} + + +static inline bool match_stun(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* This seems to be a special response containing a STUN token + * + * Not very well-documented though :( + */ + + if (match_str_either(data, "RSP/")) + return true; + + if (match_stun_payload(data->payload[0], data->payload_len[0])) { + if (match_stun_payload(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_facetime_stun_request(data->payload[0], data->payload_len[0])) + { + if ((data->payload[0] & 0xff0000) == + (data->payload[1] & 0xff0000) && + match_facetime_stun_response(data->payload[1], + data->payload_len[1])) { + return true; + } + } + + if (match_facetime_stun_request(data->payload[1], data->payload_len[1])) + { + /* Byte 2 must match for both directions */ + if ((data->payload[0] & 0xff0000) == + (data->payload[1] & 0xff0000) && + match_facetime_stun_response(data->payload[0], + data->payload_len[0])) { + return true; + } + } + + return false; +} + +static lpi_module_t lpi_stun = { + LPI_PROTO_UDP_STUN, + LPI_CATEGORY_NAT, + "STUN", + 3, + match_stun +}; + +void register_stun(LPIModuleMap *mod_map) { + register_protocol(&lpi_stun, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_syslog.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_syslog.cc new file mode 100644 index 0000000..e57e159 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_syslog.cc @@ -0,0 +1,77 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_syslog_payload(uint32_t pload) { + + /* Syslog starts with <PRI>, where PRI is a number between 0 and 191 */ + + if (MATCH(pload, '<', ANY, '>', ANY)) + return true; + if (MATCH(pload, '<', ANY, ANY, '>')) + return true; + if (MATCH(pload, '<', '1', ANY, ANY)) + return true; + + return false; + + +} + +static inline bool match_syslog(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 514 && data->client_port != 514) + return false; + + if (data->payload_len[0] == 0) { + if (match_syslog_payload(data->payload[1])) + return true; + } + + if (data->payload_len[1] == 0) { + if (match_syslog_payload(data->payload[0])) + return true; + } + return false; +} + +static lpi_module_t lpi_syslog = { + LPI_PROTO_UDP_SYSLOG, + LPI_CATEGORY_LOGGING, + "Syslog", + 6, + match_syslog +}; + +void register_syslog(LPIModuleMap *mod_map) { + register_protocol(&lpi_syslog, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_talesrunner_udp.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_talesrunner_udp.cc new file mode 100644 index 0000000..4c54332 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_talesrunner_udp.cc @@ -0,0 +1,84 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_tr_1b(uint32_t payload, uint32_t len) { + if (len == 8 && MATCH(payload, 0x1b, 0x00, 0xb2, 0x1a)) + return true; + return false; +} + +static inline bool match_tr_1e(uint32_t payload, uint32_t len) { + if (len == 8 && MATCH(payload, 0x1e, 0x00, 0x6b, 0x51)) + return true; + return false; +} + +static inline bool match_talesrunner_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (MATCH(data->payload[0], 0x1d, 0x00, 0x67, 0x01)) { + if (MATCH(data->payload[1], 0x1d, 0x00, 0x61, 0x01)) { + + /* One of the packets is always 8 bytes */ + if (data->payload_len[0] == 8 || + data->payload_len[1] == 8) { + return true; + } + } + } + + if (match_tr_1b(data->payload[0], data->payload_len[0])) { + if (match_tr_1b(data->payload[1], data->payload_len[1])) + return true; + } + + + if (match_tr_1e(data->payload[0], data->payload_len[0])) { + if (match_tr_1e(data->payload[1], data->payload_len[1])) + return true; + } + + + return false; +} + +static lpi_module_t lpi_talesrunner_udp = { + LPI_PROTO_UDP_TALESRUNNER, + LPI_CATEGORY_GAMING, + "TalesrunnerUDP", + 59, + match_talesrunner_udp +}; + +void register_talesrunner_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_talesrunner_udp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_teamspeak.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_teamspeak.cc new file mode 100644 index 0000000..503288a --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_teamspeak.cc @@ -0,0 +1,95 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_ts3_req(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 'T', 'S', '3', 'I')) + return true; + + return false; +} + +static inline bool match_ts3_resp(uint32_t payload, uint32_t len, + uint16_t porta, uint16_t portb) { + if (len == 0) + return true; + + if (MATCH(payload, 'T', 'S', '3', 'I')) + return true; + + /* Seem to get some encrypted responses, but the only ones I've + * seen so far are either 181 or 182 bytes. Enforce the expected + * TeamSpeak port in this case, just to be safe. + */ + if ((len >= 180 && len <= 182) && (porta == 9987 || portb == 9987)) + return true; + + return false; +} + +static inline bool match_teamspeak(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Teamspeak version 2 */ + if (match_str_both(data, "\xf4\xbe\x03\x00", "\xf4\xbe\x03\x00")) + return true; + /* Teamspeak version 3 */ + if (match_ts3_req(data->payload[0], data->payload_len[0])) { + if (match_ts3_resp(data->payload[1], data->payload_len[1], + data->server_port, data->client_port)) + return true; + } + + if (match_ts3_req(data->payload[1], data->payload_len[1])) { + if (match_ts3_resp(data->payload[0], data->payload_len[0], + data->server_port, data->client_port)) + return true; + } + + /* Not sure what this is, but it goes to a teamspeak.org server */ + if (match_str_either(data, "\x07Pri")) + return true; + + return false; +} + +static lpi_module_t lpi_teamspeak = { + LPI_PROTO_UDP_TEAMSPEAK, + LPI_CATEGORY_VOIP, + "TeamSpeak", + 3, + match_teamspeak +}; + +void register_teamspeak(LPIModuleMap *mod_map) { + register_protocol(&lpi_teamspeak, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_teamviewer.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_teamviewer.cc new file mode 100644 index 0000000..48e5635 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_teamviewer.cc @@ -0,0 +1,110 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_tv_payload(uint32_t payload, uint32_t len) { + + if (len == 0) + return true; + if (len != 88) + return false; + if (!MATCH(payload, ANY, ANY, ANY, 0x17)) + return false; + return true; + +} + +static inline bool match_teamviewer_classic_udp(lpi_data_t *data) { + + if (!match_tv_payload(data->payload[0], data->payload_len[0])) + return false; + if (!match_tv_payload(data->payload[1], data->payload_len[1])) + return false; + + return true; +} + +static inline bool match_teamviewer_96(uint32_t payload, uint32_t len) { + if (len == 0) + return true; + if (len == 96 && MATCH(payload, 0x00, 0x00, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_tv_1024(uint32_t payload, uint32_t len) { + if (len == 1024 && MATCH(payload, 0x00, 0x00, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_tv_48(uint32_t payload, uint32_t len) { + if (len == 48 && MATCH(payload, 0x00, 0x00, 0x00, 0x00)) + return true; + return false; +} + + +static inline bool match_teamviewer_udp(lpi_data_t *data, lpi_module_t *module UNUSED) { + + if (match_teamviewer_classic_udp(data)) + return true; + + if (match_teamviewer_96(data->payload[0], data->payload_len[0])) { + if (match_teamviewer_96(data->payload[1], data->payload_len[1])) + return true; + } + + if (data->server_port == 5938 || data->client_port == 5938) { + if (match_tv_1024(data->payload[0], data->payload_len[0])) { + if (match_tv_48(data->payload[1], data->payload_len[1])) + return true; + } + if (match_tv_1024(data->payload[1], data->payload_len[1])) { + if (match_tv_48(data->payload[0], data->payload_len[0])) + return true; + } + } + return false; +} + +static lpi_module_t lpi_teamviewer = { + LPI_PROTO_UDP_TEAMVIEWER, + LPI_CATEGORY_REMOTE, + "TeamViewer_UDP", + 115, + match_teamviewer_udp +}; + +void register_teamviewer_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_teamviewer, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_teredo.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_teredo.cc new file mode 100644 index 0000000..41f62a1 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_teredo.cc @@ -0,0 +1,90 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static bool match_teredo_payload(uint32_t payload, uint32_t len) { + + if (len == 0) + return true; + if (MATCH(payload, 0x00, 0x01, 0x00, 0x00)) { + if (len == 61 || len == 109 || len == 77) + return true; + } + + /* Matching v6 traffic */ + if (MATCH(payload, 0x60, 0x00, 0x00, 0x00) && len >= 4) { + return true; + } + + /* We also see this in flows that have the same 5 tuple as other + * Teredo flows */ + + if (MATCH(payload, 0x00, 0x00, 0x00, 0x00)) + return false; + + if (len == 48 && MATCH(payload, 0x00, 0x00, ANY, ANY)) + return true; + + + return false; + +} + + +static inline bool match_teredo(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port == 53 || data->client_port == 53) { + if (data->payload_len[0] == 0) + return false; + if (data->payload_len[1] == 0) + return false; + } + + if (!match_teredo_payload(data->payload[0], data->payload_len[0])) + return false; + if (!match_teredo_payload(data->payload[1], data->payload_len[1])) + return false; + + return true; +} + +static lpi_module_t lpi_teredo = { + LPI_PROTO_UDP_TEREDO, + LPI_CATEGORY_TUNNELLING, + "Teredo", + 6, + match_teredo +}; + +void register_teredo(LPIModuleMap *mod_map) { + register_protocol(&lpi_teredo, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_tf2.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_tf2.cc new file mode 100644 index 0000000..b931ec3 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_tf2.cc @@ -0,0 +1,82 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_tf2_20(uint32_t payload, uint32_t len) { + if (len == 20 && MATCHSTR(payload, "\xff\xff\xff\xff")) + return true; + return false; +} + +static inline bool match_tf2_39(uint32_t payload, uint32_t len) { + if (len == 39 && MATCHSTR(payload, "\xff\xff\xff\xff")) + return true; + return false; +} + +static inline bool is_okport(lpi_data_t *data) { + if (data->server_port == 27015 && data->client_port == 27015) + return true; + if (data->server_port == 27005 || data->client_port == 27005) + return true; + return false; +} + +static inline bool match_tf2(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (!is_okport(data)) + return false; + + if (match_tf2_20(data->payload[0], data->payload_len[0])) { + if (match_tf2_39(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_tf2_20(data->payload[1], data->payload_len[1])) { + if (match_tf2_39(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_tf2 = { + LPI_PROTO_UDP_TF2, + LPI_CATEGORY_GAMING, + "TeamFortress2", + 100, + match_tf2 +}; + +void register_tf2(LPIModuleMap *mod_map) { + register_protocol(&lpi_tf2, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_tftp.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_tftp.cc new file mode 100644 index 0000000..c931386 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_tftp.cc @@ -0,0 +1,124 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_tftp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Read request */ + if (MATCH(data->payload[0], 0x00, 0x01, ANY, ANY)) { + if (data->server_port != 69 && data->client_port != 69) + return false; + if (data->payload_len[1] == 0) + return true; + if (MATCH(data->payload[1], 0x00, 0x03, ANY, ANY)) + return true; + if (MATCH(data->payload[1], 0x00, 0x05, ANY, ANY)) + return true; + } + + if (MATCH(data->payload[1], 0x00, 0x01, ANY, ANY)) { + if (data->server_port != 69 && data->client_port != 69) + return false; + if (data->payload_len[0] == 0) + return true; + if (MATCH(data->payload[0], 0x00, 0x03, ANY, ANY)) + return true; + if (MATCH(data->payload[0], 0x00, 0x05, ANY, ANY)) + return true; + } + + /* Write request */ + if (MATCH(data->payload[0], 0x00, 0x02, ANY, ANY)) { + if (data->server_port != 69 && data->client_port != 69) + return false; + if (data->payload_len[1] == 0) + return true; + if (MATCH(data->payload[1], 0x00, 0x04, ANY, ANY)) + return true; + if (MATCH(data->payload[1], 0x00, 0x05, ANY, ANY)) + return true; + } + + if (MATCH(data->payload[1], 0x00, 0x02, ANY, ANY)) { + if (data->server_port != 69 && data->client_port != 69) + return false; + if (data->payload_len[0] == 0) + return true; + if (MATCH(data->payload[0], 0x00, 0x04, ANY, ANY)) + return true; + if (MATCH(data->payload[0], 0x00, 0x05, ANY, ANY)) + return true; + } + + /* Some systems will switch to a different port for the file + * transfer itself, so the request is in a different flow */ + if (MATCH(data->payload[0], 0x00, 0x03, 0x00, 0x01)) { + if (data->payload_len[1] == 0) + return true; + if (MATCH(data->payload[1], 0x00, 0x05, ANY, ANY)) + return true; + + /* Acks (0x04) must be 4 bytes */ + if (data->payload_len[1] != 4) + return false; + if (MATCH(data->payload[1], 0x00, 0x04, 0x00, 0x01)) + return true; + } + + if (MATCH(data->payload[1], 0x00, 0x03, 0x00, 0x01)) { + if (data->payload_len[0] == 0) + return true; + if (MATCH(data->payload[0], 0x00, 0x05, ANY, ANY)) + return true; + + /* Acks (0x04) must be 4 bytes */ + if (data->payload_len[0] != 4) + return false; + if (MATCH(data->payload[0], 0x00, 0x04, 0x00, 0x01)) + return true; + } + + + return false; +} + +static lpi_module_t lpi_tftp = { + LPI_PROTO_UDP_TFTP, + LPI_CATEGORY_FILES, + "TFTP", + 5, + match_tftp +}; + +void register_tftp(LPIModuleMap *mod_map) { + register_protocol(&lpi_tftp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_thecrew.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_thecrew.cc new file mode 100644 index 0000000..8ff2653 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_thecrew.cc @@ -0,0 +1,74 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_thecrew_hello(uint32_t payload, uint32_t len) { + + if (MATCHSTR(payload, "\xff\xff\xff\xff")) { + if (len == 50) + return true; + if (len == 39) + return true; + if (len == 60) + return true; + } + return false; + +} + +static inline bool match_thecrew(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 3001 && data->client_port != 3001 && + data->server_port != 10000 && + data->client_port != 10000) { + return false; + } + + if (match_thecrew_hello(data->payload[0], data->payload_len[0])) { + if (match_thecrew_hello(data->payload[1], data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_thecrew = { + LPI_PROTO_UDP_THE_CREW, + LPI_CATEGORY_GAMING, + "TheCrew", + 75, + match_thecrew +}; + +void register_thecrew(LPIModuleMap *mod_map) { + register_protocol(&lpi_thecrew, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_thq.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_thq.cc new file mode 100644 index 0000000..f074932 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_thq.cc @@ -0,0 +1,65 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_thq(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* I *suspect* this is the protocol used by RTS games released by + * THQ - haven't been able to confirm for sure, though + * + * Most traffic is on port 6112, which is used by Blizzard and THQ + * games, but we already have rules for most Blizzard stuff */ + + /* The ANY byte also matches the packet length - 17, if we need + * further matching rules */ + if (data->payload_len[0] != 0 && + !MATCH(data->payload[0], 'Q', 'N', 'A', ANY)) + return false; + if (data->payload_len[1] != 0 && + !MATCH(data->payload[1], 'Q', 'N', 'A', ANY)) + return false; + + return true; + +} + +static lpi_module_t lpi_thq = { + LPI_PROTO_UDP_THQ, + LPI_CATEGORY_GAMING, + "THQ", + 3, + match_thq +}; + +void register_thq(LPIModuleMap *mod_map) { + register_protocol(&lpi_thq, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_torchlight2.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_torchlight2.cc new file mode 100644 index 0000000..a2543fe --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_torchlight2.cc @@ -0,0 +1,74 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +static inline bool match_tl2_00(uint32_t payload, uint32_t len) { + + if (len == 13 && MATCH(payload, 0x00, 0x00, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_tl2_01(uint32_t payload, uint32_t len) { + + if (len == 13 && MATCH(payload, 0x01, 0x00, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_torchlight2(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_tl2_00(data->payload[0], data->payload_len[0])) { + if (match_tl2_01(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_tl2_00(data->payload[1], data->payload_len[1])) { + if (match_tl2_01(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_torchlight2 = { + LPI_PROTO_UDP_TORCHLIGHT2, + LPI_CATEGORY_GAMING, + "Torchlight2", + 201, + match_torchlight2 +}; + +void register_torchlight2(LPIModuleMap *mod_map) { + register_protocol(&lpi_torchlight2, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_tox.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_tox.cc new file mode 100644 index 0000000..0a25bb6 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_tox.cc @@ -0,0 +1,87 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Open source encrypted skype replacement */ + +static inline bool match_tox_get(uint32_t payload, uint32_t len) { + + if (len == 113 && MATCH(payload, 0x02, ANY, ANY, ANY)) + return true; + return false; + +} + +static inline bool match_tox_reply(uint32_t payload, uint32_t len) { + + /* Not sure on these length restrictions */ + if (len == 238 && MATCH(payload, 0x04, ANY, ANY, ANY)) + return true; + if (len == 354 && MATCH(payload, 0x83, ANY, ANY, ANY)) + return true; + if (len == 387 && MATCH(payload, 0x82, ANY, ANY, ANY)) + return true; + return false; + +} + +static inline bool match_tox(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 33445 && data->client_port != 33445) { + return false; + } + + if (match_tox_get(data->payload[0], data->payload_len[0])) { + if (match_tox_reply(data->payload[1], data->payload_len[1])) { + return true; + } + } + if (match_tox_get(data->payload[1], data->payload_len[1])) { + if (match_tox_reply(data->payload[0], data->payload_len[0])) { + return true; + } + } + + return false; +} + +static lpi_module_t lpi_tox = { + LPI_PROTO_UDP_TOX, + LPI_CATEGORY_CHAT, + "ToxUDP", + 110, + match_tox +}; + +void register_tox(LPIModuleMap *mod_map) { + register_protocol(&lpi_tox, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_traceroute.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_traceroute.cc new file mode 100644 index 0000000..7d57089 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_traceroute.cc @@ -0,0 +1,117 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_ea_traceroute(uint32_t payload, uint32_t len) { + + if (len != 42) + return false; + if (!MATCH(payload, 'P', 'a', 't', 'h')) + return false; + return true; + +} + +static inline bool match_planetlab_traceroute(uint32_t payload, uint32_t len) { + if (len != 82) + return false; + if (!MATCH(payload, '@', 'A', 'B', 'C')) + return false; + return true; +} + +static inline bool match_traceroute(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* The iVMG people put payload in their traceroute packets that + * we can easily identify */ + + if (match_str_either(data, "iVMG")) + return true; + + /* Spammy traceroute observed coming from EA servers */ + if (match_ea_traceroute(data->payload[0], data->payload_len[0])) { + if (data->payload_len[1] == 0) + return true; + } + + if (match_ea_traceroute(data->payload[1], data->payload_len[1])) { + if (data->payload_len[0] == 0) + return true; + } + + /* This seems to be a traceroute sent from planetlab nodes */ + if (match_planetlab_traceroute(data->payload[0], data->payload_len[0])) + { + if (data->payload_len[1] == 0) + return true; + } + + if (match_planetlab_traceroute(data->payload[1], data->payload_len[1])) + { + if (data->payload_len[0] == 0) + return true; + } + + + if (data->payload_len[0] == 0) { + if (!MATCH(data->payload[1], ANY, ANY, 0x00, 0x00)) + return false; + if (data->payload_len[1] != 16 && data->payload_len[1] != 8) + return false; + if (data->server_port != 33435 && data->client_port != 33435) + return false; + return true; + } + + if (data->payload_len[1] == 0) { + if (!MATCH(data->payload[0], ANY, ANY, 0x00, 0x00)) + return false; + if (data->payload_len[0] != 16 && data->payload_len[1] != 8) + return false; + if (data->server_port != 33435 && data->client_port != 33435) + return false; + return true; + } + return false; +} + +static lpi_module_t lpi_traceroute = { + LPI_PROTO_UDP_TRACEROUTE, + LPI_CATEGORY_MONITORING, + "Traceroute_UDP", + 2, + match_traceroute +}; + +void register_traceroute(LPIModuleMap *mod_map) { + register_protocol(&lpi_traceroute, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_tremulous.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_tremulous.cc new file mode 100644 index 0000000..211bc5f --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_tremulous.cc @@ -0,0 +1,97 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_tremulous(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (!MATCH(data->payload[0], 0xff, 0xff, 0xff, 0xff)) { + if (data->payload_len[0] != 0) + return false; + } + if (!MATCH(data->payload[1], 0xff, 0xff, 0xff, 0xff)) { + if (data->payload_len[1] != 0) + return false; + } + + /* Not super confident that this won't match other traffic, so + * added a port rule here */ + if (data->server_port != 30710 && data->client_port != 30710 && + data->client_port != 30711 && + data->server_port != 30711) { + return false; + } + + + if (data->payload_len[0] >= 20 && data->payload_len[0] <= 24) { + if (data->payload_len[1] == 0) + return true; + } + + if (data->payload_len[1] >= 20 && data->payload_len[1] <= 24) { + if (data->payload_len[0] == 0) + return true; + } + + if (data->payload_len[0] >= 116 && data->payload_len[0] <= 119) { + if (data->payload_len[1] == 0) + return true; + } + + if (data->payload_len[1] >= 116 && data->payload_len[1] <= 119) { + if (data->payload_len[0] == 0) + return true; + } + + if (data->payload_len[0] == 37) { + if (data->payload_len[1] == 98) + return true; + } + if (data->payload_len[1] == 37) { + if (data->payload_len[0] == 98) + return true; + } + + + return false; +} + +static lpi_module_t lpi_tremulous = { + LPI_PROTO_UDP_TREMULOUS, + LPI_CATEGORY_GAMING, + "Tremulous", + 7, + match_tremulous +}; + +void register_tremulous(LPIModuleMap *mod_map) { + register_protocol(&lpi_tremulous, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_turbovpn.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_turbovpn.cc new file mode 100644 index 0000000..2ed502a --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_turbovpn.cc @@ -0,0 +1,66 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_gene(uint32_t payload, uint32_t len) { + + /* Range of packet sizes, but always fairly small */ + if (MATCH(payload, 'G', 'E', 'N', 'E')) { + if (len >= 15 && len <= 50) + return true; + } + + return false; + +} + +static inline bool match_turbovpn(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_gene(data->payload[0], data->payload_len[0])) { + if (match_gene(data->payload[1], data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_turbovpn = { + LPI_PROTO_UDP_TURBOVPN, + LPI_CATEGORY_TUNNELLING, + "TurboVPN", + 10, + match_turbovpn +}; + +void register_turbovpn(LPIModuleMap *mod_map) { + register_protocol(&lpi_turbovpn, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_tvants.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_tvants.cc new file mode 100644 index 0000000..3f00e65 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_tvants.cc @@ -0,0 +1,55 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_tvants(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_both(data, "\x04\x00\x05\x00", "\x04\x00\x05\x00")) + return true; + if (match_str_both(data, "\x04\x00\x07\x00", "\x04\x00\x05\x00")) + return true; + + + return false; +} + +static lpi_module_t lpi_tvants = { + LPI_PROTO_UDP_TVANTS, + LPI_CATEGORY_P2PTV, + "TVants", + 5, + match_tvants +}; + +void register_tvants(LPIModuleMap *mod_map) { + register_protocol(&lpi_tvants, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_ubisoft_games.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_ubisoft_games.cc new file mode 100644 index 0000000..d64475d --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_ubisoft_games.cc @@ -0,0 +1,66 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* A variety of Ubisoft games seem to use a similar protocol for + * multiplayer. Usually seen on UDP port 3074, but not always. + */ + +static inline bool match_ubisoft_pat(uint32_t payload, uint32_t len) { + + if (len == 71 && MATCH(payload, 0x00, 0x00, 0x00, 0x00)) + return true; + return false; + +} + +static inline bool match_ubisoft_games(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_ubisoft_pat(data->payload[0], data->payload_len[0])) { + if (match_ubisoft_pat(data->payload[1], data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_ubisoft_games = { + LPI_PROTO_UDP_UBISOFT_GAMES, + LPI_CATEGORY_GAMING, + "UbisoftGames", + 199, + match_ubisoft_games +}; + +void register_ubisoft_games(LPIModuleMap *mod_map) { + register_protocol(&lpi_ubisoft_games, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_umeye.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_umeye.cc new file mode 100644 index 0000000..e8e63ec --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_umeye.cc @@ -0,0 +1,67 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Umeye itself seems to be a cloud platform for streaming, but it seems + * to be most commonly used in concert with home surveillance cameras + * to allow users to check their cameras remotely. + */ + +static inline bool match_umeye_shake(uint32_t payload, uint32_t len) { + + if (len == 164 && MATCHSTR(payload, "\xc1\xef\xab\xff")) + return true; + return false; + +} + +static inline bool match_umeye(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_umeye_shake(data->payload[0], data->payload_len[0])) { + if (match_umeye_shake(data->payload[1], data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_umeye = { + LPI_PROTO_UDP_UMEYE, + LPI_CATEGORY_IPCAMERAS, + "Umeye", + 101, + match_umeye +}; + +void register_umeye(LPIModuleMap *mod_map) { + register_protocol(&lpi_umeye, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_unreal.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_unreal.cc new file mode 100644 index 0000000..9699ac2 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_unreal.cc @@ -0,0 +1,82 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_unreal_query(uint32_t payload, uint32_t len) { + + /* UT2004 retail is 0x80, demo is 0x7f */ + + /* Queries are 5 bytes */ + if (len != 5) + return false; + if (MATCH(payload, 0x80, 0x00, 0x00, 0x00)) + return true; + if (MATCH(payload, 0x7f, 0x00, 0x00, 0x00)) + return true; + return false; + +} + + +static inline bool match_unreal(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* http://www.unrealadmin.org/forums/showthread.php?p=56944 */ + + if (match_unreal_query(data->payload[0], data->payload_len[0])) { + if (MATCH(data->payload[1], 0x80, 0x00, 0x00, 0x00)) + return true; + if (data->payload_len[1] == 0) + return true; + } + + if (match_unreal_query(data->payload[1], data->payload_len[1])) { + if (MATCH(data->payload[0], 0x80, 0x00, 0x00, 0x00)) + return true; + if (data->payload_len[0] == 0) + return true; + } + + + return false; +} + +static lpi_module_t lpi_unreal = { + LPI_PROTO_UDP_UNREAL, + LPI_CATEGORY_GAMING, + "Unreal", + 5, + match_unreal +}; + +void register_unreal(LPIModuleMap *mod_map) { + register_protocol(&lpi_unreal, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_ventrilo.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_ventrilo.cc new file mode 100644 index 0000000..1b4bbc8 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_ventrilo.cc @@ -0,0 +1,66 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_ventrilo(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* We see this on port 6100, so I'm assuming it is the UDP + * Ventrilo protocol. No real documentation of it to confirm, + * though */ + + if (!(match_str_both(data, "\x00\x00\x00\x00", "\x00\x00\x00\x00"))) + return false; + + if (data->payload_len[0] == 108 && data->payload_len[1] == 132) + return true; + if (data->payload_len[1] == 108 && data->payload_len[0] == 132) + return true; + if (data->payload_len[0] == 52 && data->payload_len[1] == 196) + return true; + if (data->payload_len[1] == 52 && data->payload_len[0] == 196) + return true; + + + return false; +} + +static lpi_module_t lpi_ventrilo = { + LPI_PROTO_UDP_VENTRILO, + LPI_CATEGORY_VOIP, + "Ventrilo_UDP", + 5, + match_ventrilo +}; + +void register_ventrilo(LPIModuleMap *mod_map) { + register_protocol(&lpi_ventrilo, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_viber.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_viber.cc new file mode 100644 index 0000000..68ff880 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_viber.cc @@ -0,0 +1,127 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Thanks to Remy Mudingay for providing traces to identify this protocol */ + +static inline bool match_viber_request(uint32_t payload, uint32_t plen) { + if (plen != 12 && plen != 16) + return false; + if (MATCH(payload, ANY, ANY, 0x03, 0x00)) + return true; + return false; + +} + +static inline bool match_viber_response(uint32_t payload, uint32_t plen) { + if (plen == 0) + return true; + if (plen != 12) + return false; + if (MATCH(payload, ANY, ANY, 0x04, 0x00)) + return true; + return false; + +} + +static inline bool match_viber_aws0c(uint32_t payload, uint32_t plen) { + + if (MATCH(payload, ANY, ANY, 0x0c, 0x00)) + return true; + return false; + +} + +static inline bool match_viber_aws01(uint32_t payload, uint32_t plen) { + + if (MATCH(payload, ANY, ANY, 0x01, 0x00)) + return true; + return false; + +} + +static inline bool same_viber_id(uint32_t pl_a, uint32_t pl_b) { + + if ((pl_a & 0xffff) == (pl_b & 0xffff)) + return true; + return false; + +} + +static inline bool match_viber_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* These rules target the little 12 byte exchanges that go on */ + if (match_viber_request(data->payload[0], data->payload_len[0])) { + if (match_viber_response(data->payload[1], data->payload_len[1])) + return true; + if (match_viber_request(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_viber_request(data->payload[1], data->payload_len[1])) { + if (match_viber_response(data->payload[0], data->payload_len[0])) + return true; + if (match_viber_request(data->payload[0], data->payload_len[0])) + return true; + } + + /* This targets the viber flow that goes to the AWS server */ + if (match_viber_aws0c(data->payload[0], data->payload_len[0])) { + if (match_viber_aws01(data->payload[1], data->payload_len[1])) + { + if (same_viber_id(data->payload[0], data->payload[1])) + return true; + } + } + + if (match_viber_aws0c(data->payload[1], data->payload_len[1])) { + if (match_viber_aws01(data->payload[0], data->payload_len[0])) + { + if (same_viber_id(data->payload[0], data->payload[1])) + return true; + } + } + + return false; +} + +static lpi_module_t lpi_viber_udp = { + LPI_PROTO_UDP_VIBER, + LPI_CATEGORY_VOIP, + "Viber_UDP", + 18, + match_viber_udp +}; + +void register_viber_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_viber_udp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_vivox.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_vivox.cc new file mode 100644 index 0000000..be7aeae --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_vivox.cc @@ -0,0 +1,97 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_vivox_request(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 0x80, 0x7f, 0x00, 0x00) && len == 112) + return true; + return false; + +} + +static inline bool match_vivox_reply(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 0x80, 0x7f, 0x00, 0x00) && len == 99) + return true; + return false; + +} + +static inline bool match_vivox_stun(uint32_t payload, uint32_t len) { + + /* Vivox mixes a whole bunch of RTP(?) and STUN together + * when it starts up, so sometimes the STUN replies arrive + * first. */ + if (MATCH(payload, 0x01, 0x01, 0x00, 0x70) && len == 132) + return true; + return false; + +} + +static inline bool match_vivox(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_vivox_request(data->payload[0], data->payload_len[0])) { + if (match_vivox_stun(data->payload[1], data->payload_len[1])) + return true; + if (match_vivox_reply(data->payload[1], data->payload_len[1])) + return true; + } + if (match_vivox_request(data->payload[1], data->payload_len[1])) { + if (match_vivox_stun(data->payload[0], data->payload_len[0])) + return true; + if (match_vivox_reply(data->payload[0], data->payload_len[0])) + return true; + } + + /* Seen this to Vivox servers, so I'm going to make the logical + * assumption */ + if (!match_str_both(data, "\x80\x6f\x00\x00", "\x80\x6f\x00\x01")) + return false; + + if (data->payload_len[0] == 108 || data->payload_len[1] == 108) + return true; + + return false; +} + +static lpi_module_t lpi_vivox = { + LPI_PROTO_UDP_VIVOX, + LPI_CATEGORY_VOIP, + "Vivox", + 5, + match_vivox +}; + +void register_vivox(LPIModuleMap *mod_map) { + register_protocol(&lpi_vivox, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_vpnmaster.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_vpnmaster.cc new file mode 100644 index 0000000..df7c4c9 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_vpnmaster.cc @@ -0,0 +1,79 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* VPN Proxy Master-Free security -- free android VPN via China */ + +static inline bool match_ce7(uint32_t payload, uint32_t len) { + + if (len == 30 && MATCH(payload, 'C', 'E', '7', 'E')) + return true; + if (len == 29 && MATCH(payload, 'C', 'E', '7', 0x05)) + return true; + return false; + +} + +static inline bool match_7b(uint32_t payload, uint32_t len) { + + if (len == 14 && MATCH(payload, 0x7b, ANY, ANY, ANY)) + return true; + return false; + +} + +static inline bool match_vpnmaster(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_ce7(data->payload[0], data->payload_len[0])) { + if (match_7b(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_ce7(data->payload[0], data->payload_len[0])) { + if (match_7b(data->payload[1], data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_vpnmaster = { + LPI_PROTO_UDP_VPNMASTER, + LPI_CATEGORY_TUNNELLING, + "VPNMaster", + 5, + match_vpnmaster +}; + +void register_vpnmaster(LPIModuleMap *mod_map) { + register_protocol(&lpi_vpnmaster, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_vpnrobot_udp.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_vpnrobot_udp.cc new file mode 100644 index 0000000..414491d --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_vpnrobot_udp.cc @@ -0,0 +1,78 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_umxw(uint32_t payload) { + if (MATCH(payload, 'U', 'M', 'X', 'W')) + return true; + return false; +} + +static inline bool match_robot_fail(uint32_t payload, uint32_t len) { + + if (len == 14) { + if (MATCH(payload, 0x6d, ANY, ANY, ANY)) + return true; + } + return false; + +} + +static inline bool match_vpnrobot_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_umxw(data->payload[0])) { + if (match_umxw(data->payload[1])) + return true; + if (match_robot_fail(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_umxw(data->payload[1])) { + if (match_robot_fail(data->payload[0], data->payload_len[0])) + return true; + } + + + return false; +} + +static lpi_module_t lpi_vpnrobot_udp = { + LPI_PROTO_UDP_VPNROBOT, + LPI_CATEGORY_TUNNELLING, + "VPNRobot", + 15, + match_vpnrobot_udp +}; + +void register_vpnrobot_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_vpnrobot_udp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_vxworks_exploit.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_vxworks_exploit.cc new file mode 100644 index 0000000..f54358b --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_vxworks_exploit.cc @@ -0,0 +1,71 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* VxWorks exposes a system-level debugger over UDP port 17185 which can be + * exploited remotely. Most traffic I've seen trying to access this port is + * actually critical.io poking around looking for vulnerable machines in the + * interests of finding ISPs that are putting their customers at risk. + * + * So if you see this traffic, it is not necessarily bad (as long as the + * recipient is not responding to the probe packet!). + */ + +static inline bool match_vxworks_exploit(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 17185 && data->client_port != 17185) + return false; + + /* Payload sent by critical.io */ + if (MATCH(data->payload[0], 0x1a, 0x09, 0xfa, 0xba)) { + if (data->payload_len[0] == 64) + return true; + } + + if (MATCH(data->payload[1], 0x1a, 0x09, 0xfa, 0xba)) { + if (data->payload_len[1] == 64) + return true; + } + return false; +} + +static lpi_module_t lpi_vxworks_exploit = { + LPI_PROTO_UDP_VXWORKS_EXPLOIT, + LPI_CATEGORY_MALWARE, + "VxWorks_Exploit", + 14, + match_vxworks_exploit +}; + +void register_vxworks_exploit(LPIModuleMap *mod_map) { + register_protocol(&lpi_vxworks_exploit, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_warthunder.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_warthunder.cc new file mode 100644 index 0000000..b98a78e --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_warthunder.cc @@ -0,0 +1,95 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* MMO game from Gaijin Entertainment. Uses UDP ports 20010+ */ + +static inline bool match_warthunder_req(uint32_t payload, uint32_t len) { + + if (len == 52 && MATCHSTR(payload, "\xcf\xff\x00\x0a")) + return true; + if (len == 52 && MATCHSTR(payload, "\xcf\xff\x00\x0b")) + return true; + if (len == 52 && MATCHSTR(payload, "\xcf\xff\x00\x05")) + return true; + if (len == 52 && MATCHSTR(payload, "\xcf\xff\x00\x04")) + return true; + if (len == 52 && MATCHSTR(payload, "\xcf\xff\x00\x14")) + return true; + if (len == 52 && MATCHSTR(payload, "\xcf\xff\x00\x03")) + return true; + if (len == 53 && MATCHSTR(payload, "\xcf\xff\x00\x04")) + return true; + if (len == 53 && MATCHSTR(payload, "\xcf\xff\x00\x05")) + return true; + return false; + +} + +static inline bool match_warthunder_resp(uint32_t payload, uint32_t len) { + + if (len == 48 && MATCH(payload, 0xc0, 0x00, ANY, ANY)) + return true; + if (len == 49 && MATCH(payload, 0xc0, 0x00, ANY, ANY)) + return true; + if (len == 52 && MATCH(payload, 0xc0, 0x00, ANY, ANY)) + return true; + return false; + +} + +static inline bool match_warthunder(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_warthunder_req(data->payload[1], data->payload_len[1])){ + if (match_warthunder_resp(data->payload[0], data->payload_len[0])) + return true; + } + + if (match_warthunder_req(data->payload[0], data->payload_len[0])){ + if (match_warthunder_resp(data->payload[1], data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_warthunder = { + LPI_PROTO_UDP_WARTHUNDER, + LPI_CATEGORY_GAMING, + "WarThunder", + 9, + match_warthunder +}; + +void register_warthunder(LPIModuleMap *mod_map) { + register_protocol(&lpi_warthunder, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_webex.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_webex.cc new file mode 100644 index 0000000..c02d456 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_webex.cc @@ -0,0 +1,78 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_webex_req(uint32_t payload, uint32_t len) { + + if (len == 8 && MATCH(payload, 0x01, 0x00, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_webex_resp(uint32_t payload, uint32_t len) { + + if (len == 8 && MATCH(payload, 0x02, 0x00, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_webex(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Port 9000 */ + + if (data->server_port != 9000 && data->client_port != 9000) + return false; + + if (match_webex_req(data->payload[0], data->payload_len[0])) { + if (match_webex_resp(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_webex_req(data->payload[1], data->payload_len[1])) { + if (match_webex_resp(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_webex = { + LPI_PROTO_UDP_WEBEX, + LPI_CATEGORY_VOIP, + "Webex", + 100, + match_webex +}; + +void register_webex(LPIModuleMap *mod_map) { + register_protocol(&lpi_webex, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_wechat_udp.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_wechat_udp.cc new file mode 100644 index 0000000..677182c --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_wechat_udp.cc @@ -0,0 +1,189 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Thanks to http://www.cse.cuhk.edu.hk/~pclee/www/pubs/iwqos15chatdissect.pdf + * for helping confirm this rule */ + +static inline bool match_wechat_uplink_hb(uint32_t payload, uint32_t len) { + + /* Byte 3 appears to be a length indicator */ + if (MATCH(payload, 0xd1, 0x0a, 0x2e, 0x0a)) + return true; + if (MATCH(payload, 0xd1, 0x0a, 0x2d, 0x0a)) + return true; + if (MATCH(payload, 0xd1, 0x0a, 0x2c, 0x0a)) + return true; + if (MATCH(payload, 0xd1, 0x0a, 0x1e, 0x0a)) + return true; + if (MATCH(payload, 0xd1, 0x0a, 0x1d, 0x0a)) + return true; + + return false; + +} + +static inline bool match_wechat_downlink_hb(uint32_t payload, uint32_t len) { + + /* Byte 3 appears to be a length indicator */ + if (MATCHSTR(payload, "\xd1\x0a\x2b\x0a")) + return true; + if (MATCHSTR(payload, "\xd1\x0a\x2a\x0a")) + return true; + if (MATCHSTR(payload, "\xd1\x0a\x2d\x0a")) + return true; + if (MATCHSTR(payload, "\xd1\x0a\x29\x0a")) + return true; + + return false; + +} + +static inline bool match_wechat_voip_a175(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 0xa1, 0x08, ANY, ANY) && len == 75) + return true; + + return false; +} + +static inline bool match_wechat_voip_a192(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 0xa1, 0x08, ANY, ANY) && len == 92) + return true; + + return false; +} + +static inline bool match_wechat_voip_a396(uint32_t payload, uint32_t len) { + if (len == 0) + return true; + if (len == 96 && MATCH(payload, 0xa3, ANY, ANY, ANY)) + return true; + if (len == 95 && MATCH(payload, 0xa3, ANY, ANY, ANY)) + return true; + return false; +} + +static inline bool match_wechat_voip_d6200(uint32_t payload, uint32_t len) { + if (len == 200 && MATCH(payload, 0xd6, ANY, ANY, ANY)) + return true; + return false; +} + +static inline bool match_wechat_voip_d591(uint32_t payload, uint32_t len) { + + if (len < 89 || len > 91) + return false; + + if (MATCH(payload, 0xd5, ANY, ANY, ANY)) + return true; + return false; +} + +static inline bool match_wechat_voip_d5104(uint32_t payload, uint32_t len) { + + if (len < 103 || len > 104) + return false; + if (MATCH(payload, 0xd5, ANY, ANY, ANY)) + return true; + return false; +} + +static inline bool match_wechat_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_wechat_uplink_hb(data->payload[0], data->payload_len[0])) { + if (match_wechat_downlink_hb(data->payload[1], + data->payload_len[1])) + return true; + } + + if (match_wechat_uplink_hb(data->payload[1], data->payload_len[1])) { + if (match_wechat_downlink_hb(data->payload[0], + data->payload_len[0])) + return true; + } + + /* Lots of different patterns seen when using WeChat to make a voice + * or video call. + */ + + if (match_wechat_voip_a396(data->payload[0], data->payload_len[0])) { + if (match_wechat_voip_a396(data->payload[1], + data->payload_len[1])) + return true; + } + + if (match_wechat_voip_d6200(data->payload[0], data->payload_len[0])) { + if (match_wechat_voip_d6200(data->payload[1], + data->payload_len[1])) + return true; + } + + if (match_wechat_voip_d591(data->payload[0], data->payload_len[0])) { + if (match_wechat_voip_d5104(data->payload[1], + data->payload_len[1])) + return true; + } + + if (match_wechat_voip_d591(data->payload[1], data->payload_len[1])) { + if (match_wechat_voip_d5104(data->payload[0], + data->payload_len[0])) + return true; + } + + if (match_wechat_voip_a192(data->payload[0], data->payload_len[0])) { + if (match_wechat_voip_a175(data->payload[1], + data->payload_len[1])) + return true; + } + + if (match_wechat_voip_a192(data->payload[1], data->payload_len[1])) { + if (match_wechat_voip_a175(data->payload[0], + data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_wechat_udp = { + LPI_PROTO_UDP_WECHAT, + LPI_CATEGORY_CHAT, + "WeChat_UDP", + 20, + match_wechat_udp +}; + +void register_wechat_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_wechat_udp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_winmessage.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_winmessage.cc new file mode 100644 index 0000000..d966be7 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_winmessage.cc @@ -0,0 +1,64 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* + * This covers Windows messenger spam over UDP + * + * Ref: http://www.mynetwatchman.com/kb/security/articles/popupspam/netsend.htm + */ + +static inline bool match_winmessage(lpi_data_t *data, lpi_module_t *mod UNUSED) { + if (match_str_both(data, "\x04\x00\x28\x00", "\x04\x02\x08\x00")) + return true; + + if (match_str_either(data, "\x04\x00\x28\x00")) { + if (data->payload_len[0] == 0) + return true; + if (data->payload_len[1] == 0) + return true; + } + + return false; +} + +static lpi_module_t lpi_winmessage = { + LPI_PROTO_UDP_WIN_MESSAGE, + LPI_CATEGORY_MALWARE, + "WindowsMessenger", + 10, + match_winmessage +}; + +void register_winmessage(LPIModuleMap *mod_map) { + register_protocol(&lpi_winmessage, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_wireguard.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_wireguard.cc new file mode 100644 index 0000000..8ad6b1a --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_wireguard.cc @@ -0,0 +1,115 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_wg_first(uint32_t payload, uint32_t len) { + if (MATCH(payload, 0x01, 0x00, 0x00, 0x00) && len == 148) { + return true; + } + return false; +} + +static inline bool match_wg_second(uint32_t payload, uint32_t len) { + if (MATCH(payload, 0x02, 0x00, 0x00, 0x00) && len == 92) { + return true; + } + return false; +} + + +static inline bool match_wg_midsession(uint32_t payload, uint32_t len) { + /* Not a very strong rule, but should only matter if the initial + * packets go missing. + */ + if (MATCH(payload, 0x04, 0x00, 0x00, 0x00)) { + if (len >= 92 && len <= 512) { + return true; + } + } + return false; +} + +static inline bool match_wireguard(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_wg_first(data->payload[0], data->payload_len[0])) { + if (match_wg_second(data->payload[1], data->payload_len[1])) { + return true; + } + if (match_wg_midsession(data->payload[1], + data->payload_len[1])) { + return true; + } + } + + if (match_wg_first(data->payload[1], data->payload_len[1])) { + if (match_wg_second(data->payload[0], data->payload_len[0])) { + return true; + } + if (match_wg_midsession(data->payload[0], + data->payload_len[0])) { + return true; + } + } + + if (match_wg_second(data->payload[0], data->payload_len[0])) { + if (match_wg_midsession(data->payload[1], + data->payload_len[1])) { + return true; + } + } + + if (match_wg_second(data->payload[1], data->payload_len[1])) { + if (match_wg_midsession(data->payload[0], + data->payload_len[0])) { + return true; + } + } + + if (match_wg_midsession(data->payload[0], data->payload_len[0])) { + if (match_wg_midsession(data->payload[1], data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_wireguard = { + LPI_PROTO_UDP_WIREGUARD, + LPI_CATEGORY_TUNNELLING, + "WireGuard", + 201, + match_wireguard +}; + +void register_wireguard(LPIModuleMap *mod_map) { + register_protocol(&lpi_wireguard, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_wolfet.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_wolfet.cc new file mode 100644 index 0000000..6cb2612 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_wolfet.cc @@ -0,0 +1,89 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_wolf_payload(uint32_t payload, uint32_t len) { + + if (len == 0) + return true; + if (!MATCHSTR(payload, "\xff\xff\xff\xff")) + return false; + return true; + +} + + +static inline bool match_wolf_et(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Limit to port 27960 for now */ + if (data->server_port != 27960 && data->client_port != 27960) + return false; + + if (!match_wolf_payload(data->payload[0], data->payload_len[0])) + return false; + if (!match_wolf_payload(data->payload[1], data->payload_len[1])) + return false; + + /* getinfo packet is always 15 bytes, the other is always 250-350 */ + if (data->payload_len[0] == 15) { + if (data->payload_len[1] == 0 || (data->payload_len[1] >= 250 + && data->payload_len[1] < 350)) + return true; + } + + if (data->payload_len[1] == 15) { + if (data->payload_len[0] == 0 || (data->payload_len[0] >= 250 + && data->payload_len[0] < 350)) + return true; + } + + /* getservers packets are 17 bytes, response may vary a lot (?) */ + if (data->payload_len[0] == 17) + return true; + if (data->payload_len[1] == 17) + return true; + + + return false; +} + +static lpi_module_t lpi_wolfet = { + LPI_PROTO_UDP_WOLF_ET, + LPI_CATEGORY_GAMING, + "WolfensteinEnemyTerritory", + 50, /* Must be lower priority than Call of Duty */ + match_wolf_et +}; + +void register_wolfet(LPIModuleMap *mod_map) { + register_protocol(&lpi_wolfet, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_worm_22105.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_worm_22105.cc new file mode 100644 index 0000000..94619ea --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_worm_22105.cc @@ -0,0 +1,52 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_worm_22105(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_either(data, " VRV")) + return true; + + return false; +} + +static lpi_module_t lpi_worm_22105 = { + LPI_PROTO_UDP_WORM_22105, + LPI_CATEGORY_MALWARE, + "Worm_22105", + 10, + match_worm_22105 +}; + +void register_worm_22105(LPIModuleMap *mod_map) { + register_protocol(&lpi_worm_22105, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_xfire_p2p.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_xfire_p2p.cc new file mode 100644 index 0000000..6523c5a --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_xfire_p2p.cc @@ -0,0 +1,54 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_xfire_p2p(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_str_both(data, "SC01", "CK01")) + return true; + if (match_str_either(data, "MC01")) + return true; + + return false; +} + +static lpi_module_t lpi_xfire_p2p = { + LPI_PROTO_UDP_XFIRE_P2P, + LPI_CATEGORY_P2P, + "Xfire_P2P", + 3, + match_xfire_p2p +}; + +void register_xfire_p2p(LPIModuleMap *mod_map) { + register_protocol(&lpi_xfire_p2p, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_xlsp.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_xlsp.cc new file mode 100644 index 0000000..f680f33 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_xlsp.cc @@ -0,0 +1,255 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_xlsp_payload(uint32_t payload, uint32_t len, + uint32_t other_len, lpi_data_t *data) { + + /* This is almost all based on observing traffic on port 3074. Not + * very scientific, but seems more or less right */ + + /* TODO: come up with a cleaner matching module */ + + /* We've only ever seen a few of the packet sizes in one-way flows, + * so let's not match any of the others if there is no response */ + if (MATCH(payload, 0x00, 0x00, 0x00, 0x00)) { + if (len == 139) + return true; + if (len == 122) + return true; + if (len == 156) + return true; + if (len == 82) + return true; + if (len == 50) + return true; + if (len == 83) + return true; + if (len == 43) + return true; + if (len == 75) + return true; + if (len == 120 && other_len != 0) + return true; + if (len == 91 && other_len != 0) + return true; + if (len == 0 && other_len != 0) + return true; + if ((len == 90 || len == 172) && other_len == 138) + return true; + if (len == 138 && (other_len == 90 || other_len == 172)) + return true; + if (len == 65 && other_len == 65) + return true; + if ((len == 148 || len == 149) && + (other_len == 115 || other_len == 116)) + return true; + if ((len == 115 || len == 116) && + (other_len == 148 || other_len == 149)) + return true; + + } + + if (len == 24) { + /* Employ port number restriction because these rules are weak + */ + if (data->server_port != 3074 && data->client_port != 3074) + return false; + if (MATCH(payload, 0x0d, ANY, ANY, ANY)) + return true; + if (MATCH(payload, 0x80, ANY, ANY, ANY)) + return true; + + } + + if (len == 16) { + if (MATCH(payload, 0x01, 0x02, 0x00, 0x00)) + return true; + } + + if (len == 32) { + /* Employ port number restriction because these rules are weak + */ + if (data->server_port != 3074 && data->client_port != 3074) + return false; + if (MATCH(payload, 0x06, 0x02, ANY, ANY)) + return true; + if (MATCH(payload, 0xcd, ANY, ANY, ANY)) + return true; + } + + if (len == 17) { + /* Employ port number restriction because these rules are weak + */ + if (data->server_port != 3074 && data->client_port != 3074) + return false; + if (MATCH(payload, 0x28, ANY, ANY, ANY)) + return true; + } + + if (len == 287 || len == 1336 || len == 1011) { + /* Employ port number restriction because these rules are weak + */ + if (data->server_port != 3074 && data->client_port != 3074) + return false; + if (other_len != 0) + return false; + if (MATCH(payload, 0x00, 0x00, 0x00, 0x00)) + return true; + + } + + if (len == 26) { + if (MATCH(payload, 0x29, ANY, 0x00, 0x00)) + return true; + } + + if (len == 29) { + if (MATCH(payload, 0x0a, 0x02, 0x00, ANY)) + return true; + if (MATCH(payload, 0x0b, 0x02, 0x00, ANY)) + return true; + if (MATCH(payload, 0x0c, 0x02, 0x00, ANY)) + return true; + if (MATCH(payload, 0x0d, 0x02, 0x00, ANY)) + return true; + if (MATCH(payload, 0x0e, 0x02, 0x00, ANY)) + return true; + } + + + return false; + +} + + +static inline bool match_xlsp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Had a few false matches against DNS traffic in the past, so + * rule out port 53 traffic */ + if (data->server_port == 53 || data->client_port == 53) + return false; + + /* Unlike other combos, 1336 and 287 (or rarely 286) only go with + * each other + * + * 1011 (or rarely 1010) is also a possible response */ + if (match_str_both(data, "\x00\x00\x00\x00", "\x00\x00\x00\x00")) { + if (data->payload_len[0] == 1336) { + if (data->payload_len[1] == 287) + return true; + if (data->payload_len[1] == 1011) + return true; + if (data->payload_len[1] == 286) + return true; + if (data->payload_len[1] == 1010) + return true; + if (data->payload_len[1] == 1003) + return true; + if (data->payload_len[1] == 1026) + return true; + if (data->payload_len[1] == 1027) + return true; + if (data->payload_len[1] == 1331) + return true; + } + if (data->payload_len[1] == 1336) { + if (data->payload_len[0] == 287) + return true; + if (data->payload_len[0] == 1011) + return true; + if (data->payload_len[0] == 286) + return true; + if (data->payload_len[0] == 1010) + return true; + if (data->payload_len[0] == 1003) + return true; + if (data->payload_len[0] == 1026) + return true; + if (data->payload_len[0] == 1027) + return true; + if (data->payload_len[0] == 1331) + return true; + } + + /* This is something to do with PunkBuster? */ + if (data->payload_len[0] == 4) { + if (data->payload_len[1] == 4) + return true; + } + if (data->payload_len[1] == 4) { + if (data->payload_len[0] == 4) + return true; + } + } + + + /* Enforce port 3074 being involved, to reduce false positive rate for + * one-way transactions */ + + if (match_str_either(data, "\xff\xff\xff\xff")) { + if (data->server_port != 3074 && data->client_port != 3074) + return false; + if (data->payload_len[0] == 14 && data->payload_len[1] == 0) + return true; + if (data->payload_len[1] == 14 && data->payload_len[0] == 0) + return true; + } + + /* We could also enforce the port number here too, but we still see a + * lot of one-way traffic that matches these rules on other ports. + * I'm pretty confident it is XLSP, but this should be watched + * closely to make sure it isn't overmatching */ + + if (!match_xlsp_payload(data->payload[0], data->payload_len[0], + data->payload_len[1], data)) + return false; + if (!match_xlsp_payload(data->payload[1], data->payload_len[1], + data->payload_len[0], data)) + return false; + + return true; + +} + + +static lpi_module_t lpi_xlsp = { + LPI_PROTO_UDP_XLSP, + LPI_CATEGORY_GAMING, + "XboxLive_UDP", + 180, + match_xlsp +}; + +void register_xlsp(LPIModuleMap *mod_map) { + register_protocol(&lpi_xlsp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_xunlei.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_xunlei.cc new file mode 100644 index 0000000..9bf34bb --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_xunlei.cc @@ -0,0 +1,188 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool xunlei_32(uint32_t payload, uint32_t len) { + if (len == 0) + return true; + + if (!MATCH(payload, 0x32, 0x00, 0x00, 0x00)) + return false; + + if (len == 29) + return true; + if (len == 31) + return true; + return false; +} + +static inline bool match_shuijing_3b_other(uint32_t payload, uint32_t len) { + if (!MATCH(payload, 0x3b, 0x00, 0x00, 0x00)) + return false; + if (len == 31 || len == 29 || len == 42) + return true; + return false; +} + +static inline bool match_shuijing_32(uint32_t payload, uint32_t len) { + if (len == 31 && MATCH(payload, 0x32, 0x00, 0x00, 0x00)) + return true; + if (len == 29 && MATCH(payload, 0x32, 0x00, 0x00, 0x00)) + return true; + if (len == 42 && MATCH(payload, 0x32, 0x00, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_shuijing_3b(uint32_t payload, uint32_t len) { + if (len == 33 && MATCH(payload, 0x3b, 0x00, 0x00, 0x00)) + return true; + if (len == 31 && MATCH(payload, 0x3b, 0x00, 0x00, 0x00)) + return true; + if (len == 29 && MATCH(payload, 0x3b, 0x00, 0x00, 0x00)) + return true; + if (len == 13 && MATCH(payload, 0x3b, 0x00, 0x00, 0x00)) + return true; + return false; +} + + +static inline bool match_xunlei_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* Shuijing = "Thunder Crystal", a P2P CDN approach used by Xunlei. + * Uses UDP port 4693 normally */ + + if (match_shuijing_3b(data->payload[0], data->payload_len[0])) { + if (match_shuijing_3b_other(data->payload[1], data->payload_len[1])) + return true; + if (match_shuijing_32(data->payload[1], data->payload_len[1])) + return true; + + } + + if (match_shuijing_3b(data->payload[1], data->payload_len[1])) { + if (match_shuijing_3b_other(data->payload[0], data->payload_len[0])) + return true; + if (match_shuijing_32(data->payload[0], data->payload_len[0])) + return true; + } + + + /* Traffic seen while operating the Thunder client, not sure on exact + * purpose but can lead to large flows. Rule is not very strong, since + * the payload seems random. + */ + if (data->server_port == 12345 || data->client_port == 12345) { + if (data->payload[0] != 0 && data->payload[1] != 0) { + if (data->payload_len[0] >= 39) { + if (data->payload_len[0] <= 43) { + if (data->payload_len[1] >= 39) { + if (data->payload_len[1] <= 43) + return true; + } + } + } + } + } + + if (match_str_both(data, "\x32\x00\x00\x00", "\x32\x00\x00\x00")) + return true; + if (match_str_both(data, "\x36\x00\x00\x00", "\x36\x00\x00\x00")) + return true; + if (match_str_both(data, "\x35\x00\x00\x00", "\x35\x00\x00\x00")) + return true; + if (match_str_both(data, "\x35\x00\x00\x00", "\x28\x00\x00\x00")) + return true; + if (match_str_both(data, "\x35\x00\x00\x00", "\x29\x00\x00\x00")) + return true; + if (match_str_both(data, "\x34\x00\x00\x00", "\x34\x00\x00\x00")) + return true; + if (match_str_both(data, "\x34\x00\x00\x00", "\x29\x00\x00\x00")) + return true; + if (match_str_both(data, "\x33\x00\x00\x00", "\x33\x00\x00\x00")) + return true; + + if (xunlei_32(data->payload[0], data->payload_len[0])) { + if (xunlei_32(data->payload[1], data->payload_len[1])) + return true; + } + /* Require port 3076 for now, as all these rules are based on + * traffic seen on port 3076 */ + if (data->server_port != 3076 && data->client_port != 3076) + return false; + + + if (match_str_either(data, "\x36\x00\x00\x00")) { + if (data->payload_len[0] == 0) + return true; + if (data->payload_len[1] == 0) + return true; + } + if (match_str_either(data, "\x35\x00\x00\x00")) { + if (data->payload_len[0] == 0) + return true; + if (data->payload_len[1] == 0) + return true; + } + if (match_str_either(data, "\x34\x00\x00\x00")) { + if (data->payload_len[0] == 0) + return true; + if (data->payload_len[1] == 0) + return true; + } + if (match_str_either(data, "\x33\x00\x00\x00")) { + if (data->payload_len[0] == 0) + return true; + if (data->payload_len[1] == 0) + return true; + } + if (match_str_either(data, "\x29\x00\x00\x00")) { + if (data->payload_len[0] == 0) + return true; + if (data->payload_len[1] == 0) + return true; + } + + return false; +} + +static lpi_module_t lpi_xunlei_udp = { + LPI_PROTO_UDP_XUNLEI, + LPI_CATEGORY_P2P, + "Xunlei_UDP", + 203, + match_xunlei_udp +}; + +void register_xunlei_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_xunlei_udp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_xunlei_jsq.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_xunlei_jsq.cc new file mode 100644 index 0000000..84f6f72 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_xunlei_jsq.cc @@ -0,0 +1,94 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* JSQ: a game accelerator service offered by Xunlei. + * + * The actual accelerator service itself is VIP-only (i.e. pay for it), + * but the log in, server querying etc, will still work for free so that's + * mostly what we're matching here. + * + */ + +static inline bool match_jsq_req(uint32_t payload, uint32_t len) { + + if (len != 150 && (len < 77 || len > 80)) + return false; + + if (MATCH(payload, 0x64, 0x00, 0x00, 0x00)) + return true; + + return false; +} + +static inline bool match_jsq_resp(uint32_t payload, uint32_t len) { + + if (len == 0) + return true; + if (len != 40) + return false; + + if (MATCH(payload, 0x64, 0x00, 0x00, 0x00)) + return true; + return false; +} + +static inline bool match_xunlei_jsq(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 8080 && data->client_port != 8080) { + return false; + } + + if (match_jsq_req(data->payload[0], data->payload_len[0])) { + if (match_jsq_resp(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_jsq_req(data->payload[1], data->payload_len[1])) { + if (match_jsq_resp(data->payload[0], data->payload_len[0])) + return true; + } + + return false; +} + +static lpi_module_t lpi_xunlei_jsq = { + LPI_PROTO_UDP_XUNLEI_JSQ, + LPI_CATEGORY_GAMING, + "XunleiJSQ", + 25, + match_xunlei_jsq +}; + +void register_xunlei_jsq(LPIModuleMap *mod_map) { + register_protocol(&lpi_xunlei_jsq, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_xunyou.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_xunyou.cc new file mode 100644 index 0000000..77682ad --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_xunyou.cc @@ -0,0 +1,63 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +static inline bool match_xunyou(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (data->server_port != 8000 && data->client_port != 8000) + return false; + + if (data->payload[0] != 0) + return false; + if (data->payload[1] != 0) + return false; + + if (data->payload_len[0] != 2) + return false; + if (data->payload_len[1] != 2) + return false; + + return true; +} + +static lpi_module_t lpi_xunyou = { + LPI_PROTO_UDP_XUNYOU, + LPI_CATEGORY_GAMING, + "Xunyou", + 210, + match_xunyou +}; + +void register_xunyou(LPIModuleMap *mod_map) { + register_protocol(&lpi_xunyou, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_youdao_dict.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_youdao_dict.cc new file mode 100644 index 0000000..cd4af1c --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_youdao_dict.cc @@ -0,0 +1,57 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_youdao_dict(lpi_data_t *data, + lpi_module_t *mod UNUSED) { + + /* All signs point to this being the protocol used by Youdao + * Dictionary software + * + * Can force a check for port 2000 if need be */ + if (match_str_both(data, "type", "\x1f\x8b\x08\x00")) + return true; + + return false; +} + +static lpi_module_t lpi_youdao_dict = { + LPI_PROTO_UDP_YOUDAO_DICT, + LPI_CATEGORY_TRANSLATION, + "YoudaoDict", + 10, + match_youdao_dict +}; + +void register_youdao_dict(LPIModuleMap *mod_map) { + register_protocol(&lpi_youdao_dict, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_youku.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_youku.cc new file mode 100644 index 0000000..2ce64ea --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_youku.cc @@ -0,0 +1,58 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +static inline bool match_youku_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* This took a lot of detective work and liberal use of Google + * translate to figure out what this protocol this pattern matched */ + + if (match_youku_payload(data->payload[0], data->payload_len[0])) { + if (match_youku_payload(data->payload[1], data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_youku = { + LPI_PROTO_UDP_YOUKU, + LPI_CATEGORY_STREAMING, + "Youku_UDP", + 4, + match_youku_udp +}; + +void register_youku_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_youku, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_yuanfudao.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_yuanfudao.cc new file mode 100644 index 0000000..ef17857 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_yuanfudao.cc @@ -0,0 +1,79 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* Unable to confirm because yuanfudao requires a Chinese mobile number */ + +static inline bool match_yuan_7b(uint32_t payload, uint32_t len) { + if (len == 33 && MATCH(payload, 0x80, 0x7b, 0x00, 0x00)) { + return true; + } + return false; +} + +static inline bool match_yuan_7c(uint32_t payload, uint32_t len) { + if (len == 32 || len == 48 || len == 60) { + if (MATCH(payload, 0x80, 0x7c, 0x00, 0x00)) { + return true; + } + } + return false; +} + +static inline bool match_yuanfudao(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_yuan_7b(data->payload[0], data->payload_len[0])) { + if (match_yuan_7c(data->payload[1], data->payload_len[1])) { + return true; + } + } + + if (match_yuan_7b(data->payload[1], data->payload_len[1])) { + if (match_yuan_7c(data->payload[0], data->payload_len[0])) { + return true; + } + } + + return false; +} + +static lpi_module_t lpi_yuanfudao = { + LPI_PROTO_UDP_YUANFUDAO, + LPI_CATEGORY_STREAMING, + "Yuanfudao", + 79, + match_yuanfudao +}; + +void register_yuanfudao(LPIModuleMap *mod_map) { + register_protocol(&lpi_yuanfudao, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_yy_udp.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_yy_udp.cc new file mode 100644 index 0000000..bb06d75 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_yy_udp.cc @@ -0,0 +1,59 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + + +/* YY Live Streaming from China */ +/* Unfortunately YY uses a 4 byte length field (albeit in little endian + * byte order) so there's a good chance this rule will get a few FPs :/ + */ +static inline bool match_yy_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_yy_payload(data->payload[0], data->payload_len[0])) { + if (match_yy_payload(data->payload[1], data->payload_len[1])) + return true; + } + + return false; +} + +static lpi_module_t lpi_yy_udp = { + LPI_PROTO_UDP_YY, + LPI_CATEGORY_STREAMING, + "YY_UDP", + 200, + match_yy_udp +}; + +void register_yy_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_yy_udp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_zalo_call.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_zalo_call.cc new file mode 100644 index 0000000..1d07777 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_zalo_call.cc @@ -0,0 +1,100 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_zalo_pat(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 0x01, 0x01, 0x00, 0x00)) { + if (len == 26 || len == 27) + return true; + if (len == 34) + return true; + if (len == 42) + return true; + } + return false; + +} + +static inline bool match_zalo_185(uint32_t payload, uint32_t len) { + if (MATCH(payload, 0x01, 0x01, 0x00, 0x00)) { + if (len >= 180 && len <= 185) { + return true; + } + } + return false; +} + +static inline bool match_zalo_56(uint32_t payload, uint32_t len) { + if (MATCH(payload, 0x02, 0x01, 0x00, 0x00)) { + if (len >= 52 && len <= 56) { + return true; + } + } + return false; +} + +static inline bool match_zalo_call(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_zalo_pat(data->payload[0], data->payload_len[0])) { + if (match_zalo_pat(data->payload[1], data->payload_len[1])) { + if (data->payload_len[0] == data->payload_len[1]) + return true; + } + } + + if (match_zalo_185(data->payload[0], data->payload_len[0])) { + if (match_zalo_56(data->payload[1], data->payload_len[1])) { + return true; + } + } + + if (match_zalo_185(data->payload[1], data->payload_len[1])) { + if (match_zalo_56(data->payload[0], data->payload_len[0])) { + return true; + } + } + + return false; +} + +static lpi_module_t lpi_zalo_call = { + LPI_PROTO_UDP_ZALO_CALL, + LPI_CATEGORY_VOIP, + "ZaloVideoCall", + 199, + match_zalo_call +}; + +void register_zalo_call(LPIModuleMap *mod_map) { + register_protocol(&lpi_zalo_call, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_zeroaccess_udp.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_zeroaccess_udp.cc new file mode 100644 index 0000000..03a3e7a --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_zeroaccess_udp.cc @@ -0,0 +1,130 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +/* This protocol is used by the ZeroAccess Trojan for P2P communication + * between infected hosts. + * + * http://www.kindsight.net/sites/default/files/Kindsight_Malware_Analysis-New_CC_protocol_ZeroAccess-final2.pdf + */ + +static inline bool using_zeroaccess_port(lpi_data_t *data) { + + switch(data->server_port) { + case 16464: + case 16465: + case 16470: + case 16471: + return true; + } + + switch(data->client_port) { + case 16464: + case 16465: + case 16470: + case 16471: + return true; + } + + return false; +} + +static inline bool match_zeroaccess_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + /* ZeroAccess uses specific ports for talking to peers */ + if (!using_zeroaccess_port(data)) { + return false; + } + + /* The infected host always sends a 16 byte UDP packet to the + * peer - the response packet size is based solely on what we've + * observed in the wild. + * + * Since both payloads begin with a 32 byte checksum, we can't + * do much based on payload patterns */ + + /* Pretty unlikely that the CRC will be exactly 0, but 0 is a + * common payload for other UDP protocols */ + if (data->payload[0] == 0 && data->payload_len[0] != 0) + return false; + if (data->payload[1] == 0 && data->payload_len[1] != 0) + return false; + + if (data->payload_len[0] == 16) { + if (data->payload_len[1] == 848) + return true; + if (data->payload_len[1] == 988) + return true; + if (data->payload_len[1] == 568) + return true; + + /* If no response, lets at least force it to be on the + * default port before reporting a match */ + if (data->payload_len[1] == 0) { + if (data->server_port == 16464) + return true; + if (data->client_port == 16464) + return true; + } + } + if (data->payload_len[1] == 16) { + if (data->payload_len[0] == 848) + return true; + if (data->payload_len[0] == 988) + return true; + if (data->payload_len[0] == 568) + return true; + + /* If no response, lets at least force it to be on the + * default port before reporting a match */ + if (data->payload_len[0] == 0) { + if (data->server_port == 16464) + return true; + if (data->client_port == 16464) + return true; + } + } + + return false; +} + +static lpi_module_t lpi_zeroaccess_udp = { + LPI_PROTO_UDP_ZEROACCESS, + LPI_CATEGORY_MALWARE, + "ZeroAccess_UDP", + 40, + match_zeroaccess_udp +}; + +void register_zeroaccess_udp(LPIModuleMap *mod_map) { + register_protocol(&lpi_zeroaccess_udp, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/lpi_zoom.cc b/decoders/glimpse_detector/libprotoident/udp/lpi_zoom.cc new file mode 100644 index 0000000..4ad3ca5 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/lpi_zoom.cc @@ -0,0 +1,147 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + +#include <string.h> + +#include "libprotoident.h" +#include "proto_manager.h" +#include "proto_common.h" + +static inline bool match_zoom_01(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 0x01, 0x00, 0x02, ANY)) { + if (len == 107 || len == 109 || len == 169) + return true; + } + if (MATCH(payload, 0x01, 0x00, 0x03, ANY)) { + if (len == 187 || len == 185 || len == 123 || len == 125) { + return true; + } + } + if (MATCH(payload, 0x01, 0x00, 0x6c, 0x00) && len == 111) + return true; + return false; + +} + +static inline bool match_zoom_02(uint32_t payload, uint32_t len) { + + if (MATCH(payload, 0x02, 0x00, 0x01, ANY) && len == 35) + return true; + if (MATCH(payload, 0x02, 0x00, 0x03, ANY) && len == 105) + return true; + if (MATCH(payload, 0x02, 0x00, 0x03, ANY) && len == 43) + return true; + if (MATCH(payload, 0x02, 0x00, 0x22, 0x00) && len == 37) + return true; + if (MATCH(payload, 0x02, 0x00, 0x24, 0x00) && len == 39) + return true; + return false; + +} + +static inline bool match_zoom_05(uint32_t payload) { + if (MATCH(payload, 0x05, 0x10, 0x01, 0x00)) + return true; + if (MATCH(payload, 0x05, 0x0f, 0x01, 0x00)) + return true; + if (MATCH(payload, 0x05, 0x15, 0x01, 0x00)) + return true; + return false; + +} + +static inline bool match_zoom_stream_hello(uint32_t payload, uint32_t len) { + + /* Seen 72, 85 and 86 so far */ + if (len >= 72 && len <= 90) { + if (MATCH(payload, 0x1f, 0x01, 0x01, 0x00)) + return true; + } + return false; + +} + +static inline bool match_zoom_manager(lpi_data_t *data) { + + if (data->server_port != 8801 && data->client_port != 8801) { + return false; + } + + /* Byte 4 must match in both directions */ + if ((data->payload[0] & 0xff000000) != (data->payload[1] & 0xff000000)) + return false; + + if (match_zoom_01(data->payload[0], data->payload_len[0])) { + if (match_zoom_02(data->payload[1], data->payload_len[1])) + return true; + } + + if (match_zoom_01(data->payload[1], data->payload_len[1])) { + if (match_zoom_02(data->payload[0], data->payload_len[0])) + return true; + } + + if (match_zoom_05(data->payload[0]) && match_zoom_05(data->payload[1])) + return true; + + return false; +} + +static inline bool match_zoom_stream(lpi_data_t *data) { + + if (match_zoom_stream_hello(data->payload[0], data->payload_len[0])) { + if (match_zoom_stream_hello(data->payload[1], data->payload_len[1])) + return true; + } + + return false; + +} + +static inline bool match_zoom(lpi_data_t *data, lpi_module_t *mod UNUSED) { + + if (match_zoom_manager(data)) + return true; + + if (match_zoom_stream(data)) + return true; + + return false; +} + +static lpi_module_t lpi_zoom = { + LPI_PROTO_UDP_ZOOM, + LPI_CATEGORY_VOIP, + "Zoom", + 5, + match_zoom +}; + +void register_zoom(LPIModuleMap *mod_map) { + register_protocol(&lpi_zoom, mod_map); +} + diff --git a/decoders/glimpse_detector/libprotoident/udp/udp_protocols.h b/decoders/glimpse_detector/libprotoident/udp/udp_protocols.h new file mode 100644 index 0000000..71fe45a --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/udp/udp_protocols.h @@ -0,0 +1,287 @@ +/* + * + * Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand. + * All rights reserved. + * + * This file is part of libprotoident. + * + * This code has been developed by the University of Waikato WAND + * research group. For further information please see http://www.wand.net.nz/ + * + * libprotoident is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * libprotoident is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + * + */ + + +#ifndef UDP_PROTOCOLS_H_ +#define UDP_PROTOCOLS_H_ + +#include "proto_manager.h" + +void register_360cn(LPIModuleMap *mod_map); +void register_360p2p(LPIModuleMap *mod_map); +void register_aachen_udp(LPIModuleMap *mod_map); +void register_acercloud(LPIModuleMap *mod_map); +void register_akamai(LPIModuleMap *mod_map); +void register_akamai_transfer(LPIModuleMap *mod_map); +void register_amanda(LPIModuleMap *mod_map); +void register_apple_facetime_init(LPIModuleMap *mod_map); +void register_ard(LPIModuleMap *mod_map); +void register_ares_udp(LPIModuleMap *mod_map); +void register_arksurvival(LPIModuleMap *mod_map); +void register_arma_server(LPIModuleMap *mod_map); +void register_arma3_server(LPIModuleMap *mod_map); +void register_artcp(LPIModuleMap *mod_map); +void register_assettocorsa(LPIModuleMap *mod_map); +void register_avast_secure_dns(LPIModuleMap *mod_map); +void register_backweb(LPIModuleMap *mod_map); +void register_bacnet(LPIModuleMap *mod_map); +void register_baiduyun_p2p(LPIModuleMap *mod_map); +void register_baofeng_udp(LPIModuleMap *mod_map); +void register_battlefield(LPIModuleMap *mod_map); +void register_bjnp(LPIModuleMap *mod_map); +void register_bmdp(LPIModuleMap *mod_map); +void register_btsync_udp(LPIModuleMap *mod_map); +void register_cacaoweb_udp(LPIModuleMap *mod_map); +void register_callofduty(LPIModuleMap *mod_map); +void register_canon_mfnp(LPIModuleMap *mod_map); +void register_chargen_exploit(LPIModuleMap *mod_map); +void register_checkpoint_rdp(LPIModuleMap *mod_map); +void register_chivalry(LPIModuleMap *mod_map); +void register_ethernetip_udp(LPIModuleMap *mod_map); +void register_cip_io(LPIModuleMap *mod_map); +void register_cirn(LPIModuleMap *mod_map); +void register_cisco_ipsec(LPIModuleMap *mod_map); +void register_cisco_sslvpn(LPIModuleMap *mod_map); +void register_classin_udp(LPIModuleMap *mod_map); +void register_cloudflare_warp(LPIModuleMap *mod_map); +void register_codmobile(LPIModuleMap *mod_map); +void register_combatarms(LPIModuleMap *mod_map); +void register_combatarms_p2p(LPIModuleMap *mod_map); +void register_contract_wars(LPIModuleMap *mod_map); +void register_crossfire(LPIModuleMap *mod_map); +void register_crossout(LPIModuleMap *mod_map); +void register_csgo(LPIModuleMap *mod_map); +void register_csoriginal(LPIModuleMap *mod_map); +void register_dahua(LPIModuleMap *mod_map); +void register_db2(LPIModuleMap *mod_map); +void register_dcc_udp(LPIModuleMap *mod_map); +void register_demonware(LPIModuleMap *mod_map); +void register_destiny_udp(LPIModuleMap *mod_map); +void register_dhcp(LPIModuleMap *mod_map); +void register_dht_dict(LPIModuleMap *mod_map); +void register_dht_other(LPIModuleMap *mod_map); +void register_diablo2(LPIModuleMap *mod_map); +void register_dianping_udp(LPIModuleMap *mod_map); +void register_dianshijia(LPIModuleMap *mod_map); +void register_directconnect_udp(LPIModuleMap *mod_map); +void register_discord(LPIModuleMap *mod_map); +void register_dns_udp(LPIModuleMap *mod_map); +void register_dota2(LPIModuleMap *mod_map); +void register_doyo(LPIModuleMap *mod_map); +void register_driveshare(LPIModuleMap *mod_map); +void register_dtls(LPIModuleMap *mod_map); +void register_emule_udp(LPIModuleMap *mod_map); +void register_emule_weak_udp(LPIModuleMap *mod_map); +void register_epson(LPIModuleMap *mod_map); +void register_eso(LPIModuleMap *mod_map); +void register_esp_encap(LPIModuleMap *mod_map); +void register_eye_udp(LPIModuleMap *mod_map); +void register_fasp(LPIModuleMap *mod_map); +void register_feitwo(LPIModuleMap *mod_map); +void register_forticlient_sslvpn(LPIModuleMap *mod_map); +void register_fortinet(LPIModuleMap *mod_map); +void register_foscam(LPIModuleMap *mod_map); +void register_freechal(LPIModuleMap *mod_map); +void register_freefire(LPIModuleMap *mod_map); +void register_funshion_udp(LPIModuleMap *mod_map); +void register_gamespy(LPIModuleMap *mod_map); +void register_ganglia(LPIModuleMap *mod_map); +void register_gangsofspace(LPIModuleMap *mod_map); +void register_garena(LPIModuleMap *mod_map); +void register_gearsofwar(LPIModuleMap *mod_map); +void register_gnutella_udp(LPIModuleMap *mod_map); +void register_gnutella2_udp(LPIModuleMap *mod_map); +void register_gnutella_weak(LPIModuleMap *mod_map); +void register_gotomeeting(LPIModuleMap *mod_map); +void register_gprs_tunnel(LPIModuleMap *mod_map); +void register_gsm(LPIModuleMap *mod_map); +void register_h1z1(LPIModuleMap *mod_map); +void register_halflife(LPIModuleMap *mod_map); +void register_haloonline(LPIModuleMap *mod_map); +void register_hamachi_udp(LPIModuleMap *mod_map); +void register_heliborne(LPIModuleMap *mod_map); +void register_heroesevolved(LPIModuleMap *mod_map); +void register_heroes_generals(LPIModuleMap *mod_map); +void register_hollachat(LPIModuleMap *mod_map); +void register_hots(LPIModuleMap *mod_map); +void register_icp(LPIModuleMap *mod_map); +void register_imesh_udp(LPIModuleMap *mod_map); +void register_ipmsg(LPIModuleMap *mod_map); +void register_ipv6_udp(LPIModuleMap *mod_map); +void register_isakmp(LPIModuleMap *mod_map); +void register_jedi_academy(LPIModuleMap *mod_map); +void register_jedi_udp(LPIModuleMap *mod_map); +void register_kademlia(LPIModuleMap *mod_map); +void register_kankan(LPIModuleMap *mod_map); +void register_kaspersky_udp(LPIModuleMap *mod_map); +void register_kazaa(LPIModuleMap *mod_map); +void register_kingofglory_udp(LPIModuleMap *mod_map); +void register_kugou(LPIModuleMap *mod_map); +void register_l2tp(LPIModuleMap *mod_map); +void register_lansync_udp(LPIModuleMap *mod_map); +void register_ldap_ad(LPIModuleMap *mod_map); +void register_tcp_ldap_ad(LPIModuleMap *mod_map); +void register_line_udp(LPIModuleMap *mod_map); +void register_linkproof(LPIModuleMap *mod_map); +void register_loadout(LPIModuleMap *mod_map); +void register_lol(LPIModuleMap *mod_map); +void register_mdns(LPIModuleMap *mod_map); +void register_merakicloud(LPIModuleMap *mod_map); +void register_moh(LPIModuleMap *mod_map); +void register_moonhunters(LPIModuleMap *mod_map); +void register_mp2p_udp(LPIModuleMap *mod_map); +void register_msn_cache(LPIModuleMap *mod_map); +void register_msn_video(LPIModuleMap *mod_map); +void register_msoffice_mac(LPIModuleMap *mod_map); +void register_mta(LPIModuleMap *mod_map); +void register_mystery_05(LPIModuleMap *mod_map); +void register_mystery_0660(LPIModuleMap *mod_map); +void register_mystery_0d(LPIModuleMap *mod_map); +void register_mystery_45(LPIModuleMap *mod_map); +void register_mystery_61_72(LPIModuleMap *mod_map); +void register_mystery_8000_udp(LPIModuleMap *mod_map); +void register_mystery_99(LPIModuleMap *mod_map); +void register_mystery_e9(LPIModuleMap *mod_map); +void register_mystery_qq(LPIModuleMap *mod_map); +void register_n2ping(LPIModuleMap *mod_map); +void register_natpmp(LPIModuleMap *mod_map); +void register_netbios_udp(LPIModuleMap *mod_map); +void register_netcat_cctv_udp(LPIModuleMap *mod_map); +void register_netcore_scan(LPIModuleMap *mod_map); +void register_netflow(LPIModuleMap *mod_map); +void register_newerth(LPIModuleMap *mod_map); +void register_nintendo(LPIModuleMap *mod_map); +void register_noction(LPIModuleMap *mod_map); +void register_noe(LPIModuleMap *mod_map); +void register_norton(LPIModuleMap *mod_map); +void register_ntp(LPIModuleMap *mod_map); +void register_ntp_reflect(LPIModuleMap *mod_map); +void register_nwn(LPIModuleMap *mod_map); +void register_nvidia_gamestream(LPIModuleMap *mod_map); +void register_opaserv(LPIModuleMap *mod_map); +void register_openvpn_udp(LPIModuleMap *mod_map); +void register_orbit_udp(LPIModuleMap *mod_map); +void register_overwatch(LPIModuleMap *mod_map); +void register_paladins(LPIModuleMap *mod_map); +void register_pando_udp(LPIModuleMap *mod_map); +void register_panipani(LPIModuleMap *mod_map); +void register_planetside2(LPIModuleMap *mod_map); +void register_portmap_rpc(LPIModuleMap *mod_map); +void register_pplive(LPIModuleMap *mod_map); +void register_ppstream(LPIModuleMap *mod_map); +void register_probable_gnutella(LPIModuleMap *mod_map); +void register_ps4_remoteplay(LPIModuleMap *mod_map); +void register_psn(LPIModuleMap *mod_map); +void register_punkbuster(LPIModuleMap *mod_map); +void register_pyzor(LPIModuleMap *mod_map); +void register_qq(LPIModuleMap *mod_map); +void register_qqlive(LPIModuleMap *mod_map); +void register_qqpcmgr(LPIModuleMap *mod_map); +void register_qqspeedmobile_udp(LPIModuleMap *mod_map); +void register_quake(LPIModuleMap *mod_map); +void register_quic(LPIModuleMap *mod_map); +void register_qvod_udp(LPIModuleMap *mod_map); +void register_radius(LPIModuleMap *mod_map); +void register_ramsey_dash(LPIModuleMap *mod_map); +void register_rdp_udp(LPIModuleMap *mod_map); +void register_real(LPIModuleMap *mod_map); +void register_risingstorm(LPIModuleMap *mod_map); +void register_raknet(LPIModuleMap *mod_map); +void register_robocraft(LPIModuleMap *mod_map); +void register_rocket_league(LPIModuleMap *mod_map); +void register_rrshare(LPIModuleMap *mod_map); +void register_rtcp(LPIModuleMap *mod_map); +void register_rtmfp(LPIModuleMap *mod_map); +void register_rtp(LPIModuleMap *mod_map); +void register_rulesofsurvival(LPIModuleMap *mod_map); +void register_sanandreas_mp(LPIModuleMap *mod_map); +void register_second_life_udp(LPIModuleMap *mod_map); +void register_serialnumberd(LPIModuleMap *mod_map); +void register_sip_udp(LPIModuleMap *mod_map); +void register_skype(LPIModuleMap *mod_map); +void register_slp(LPIModuleMap *mod_map); +void register_smite(LPIModuleMap *mod_map); +void register_snapvpn(LPIModuleMap *mod_map); +void register_snmp(LPIModuleMap *mod_map); +void register_sopcast(LPIModuleMap *mod_map); +void register_spamfighter(LPIModuleMap *mod_map); +void register_spotify_bcast(LPIModuleMap *mod_map); +void register_sql_worm(LPIModuleMap *mod_map); +void register_ssdp(LPIModuleMap *mod_map); +void register_starcitizen(LPIModuleMap *mod_map); +void register_starcraft(LPIModuleMap *mod_map); +void register_starleaf(LPIModuleMap *mod_map); +void register_steamfriends(LPIModuleMap *mod_map); +void register_steam_inhomebroadcast(LPIModuleMap *mod_map); +void register_steam_localbroadcast(LPIModuleMap *mod_map); +void register_steam_udp(LPIModuleMap *mod_map); +void register_storm_worm(LPIModuleMap *mod_map); +void register_stun(LPIModuleMap *mod_map); +void register_syslog(LPIModuleMap *mod_map); +void register_talesrunner_udp(LPIModuleMap *mod_map); +void register_teamspeak(LPIModuleMap *mod_map); +void register_teamviewer_udp(LPIModuleMap *mod_map); +void register_teredo(LPIModuleMap *mod_map); +void register_tf2(LPIModuleMap *mod_map); +void register_tftp(LPIModuleMap *mod_map); +void register_thecrew(LPIModuleMap *mod_map); +void register_thq(LPIModuleMap *mod_map); +void register_torchlight2(LPIModuleMap *mod_map); +void register_tox(LPIModuleMap *mod_map); +void register_traceroute(LPIModuleMap *mod_map); +void register_tremulous(LPIModuleMap *mod_map); +void register_turbovpn(LPIModuleMap *mod_map); +void register_tvants(LPIModuleMap *mod_map); +void register_ubisoft_games(LPIModuleMap *mod_map); +void register_udp_no_payload(LPIModuleMap *mod_map); +void register_umeye(LPIModuleMap *mod_map); +void register_unreal(LPIModuleMap *mod_map); +void register_ventrilo(LPIModuleMap *mod_map); +void register_viber_udp(LPIModuleMap *mod_map); +void register_vivox(LPIModuleMap *mod_map); +void register_vpnmaster(LPIModuleMap *mod_map); +void register_vpnrobot_udp(LPIModuleMap *mod_map); +void register_vxworks_exploit(LPIModuleMap *mod_map); +void register_warthunder(LPIModuleMap *mod_map); +void register_webex(LPIModuleMap *mod_map); +void register_wechat_udp(LPIModuleMap *mod_map); +void register_winmessage(LPIModuleMap *mod_map); +void register_wireguard(LPIModuleMap *mod_map); +void register_wolfet(LPIModuleMap *mod_map); +void register_worm_22105(LPIModuleMap *mod_map); +void register_xfire_p2p(LPIModuleMap *mod_map); +void register_xlsp(LPIModuleMap *mod_map); +void register_xunlei_jsq(LPIModuleMap *mod_map); +void register_xunlei_udp(LPIModuleMap *mod_map); +void register_xunyou(LPIModuleMap *mod_map); +void register_youdao_dict(LPIModuleMap *mod_map); +void register_youku_udp(LPIModuleMap *mod_map); +void register_yuanfudao(LPIModuleMap *mod_map); +void register_yy_udp(LPIModuleMap *mod_map); +void register_zalo_call(LPIModuleMap *mod_map); +void register_zeroaccess_udp(LPIModuleMap *mod_map); +void register_zoom(LPIModuleMap *mod_map); +#endif diff --git a/decoders/glimpse_detector/libprotoident/version.map b/decoders/glimpse_detector/libprotoident/version.map new file mode 100644 index 0000000..0624251 --- /dev/null +++ b/decoders/glimpse_detector/libprotoident/version.map @@ -0,0 +1,14 @@ +VERS_2.4{ +global: +extern "C" { + lpi_init_library; + lpi_free_library; + lpi_init_data; + lpi_update_dpkt; + lpi_guess_protocol; + lpi_print_category; + GIT_VERSION_*; +}; + +local: *; +}; diff --git a/decoders/glimpse_detector/openvpn_identify.cpp b/decoders/glimpse_detector/openvpn_identify.cpp new file mode 100644 index 0000000..9c06e89 --- /dev/null +++ b/decoders/glimpse_detector/openvpn_identify.cpp @@ -0,0 +1,184 @@ +/* + * openvpn.c + * + * Copyright (C) 2011-22 - ntop.org + * + * + * nDPI is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * nDPI is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with nDPI. If not, see <http://www.gnu.org/licenses/>. + * + */ + + + +#include <stdint.h> +#include <arpa/inet.h> + +#include <MESA/stream.h> +#include "app_l7_protocol.h" +/* + * OpenVPN TCP / UDP Detection - 128/160 hmac + * + * Detection based upon these openvpn protocol properties: + * - opcode + * - packet ID + * - session ID + * + * Two (good) packets are needed to perform detection. + * - First packet from client: save session ID + * - Second packet from server: report saved session ID + * + * TODO + * - Support PSK only mode (instead of TLS) + * - Support PSK + TLS mode (PSK used for early authentication) + * - TLS certificate extraction + * + */ + +#define P_CONTROL_HARD_RESET_CLIENT_V1 (0x01 << 3) +#define P_CONTROL_HARD_RESET_CLIENT_V2 (0x07 << 3) +#define P_CONTROL_HARD_RESET_SERVER_V1 (0x02 << 3) +#define P_CONTROL_HARD_RESET_SERVER_V2 (0x08 << 3) +#define P_ACK_V1 (0x05 << 3) +#define P_CONTROL_V1 (0x04 << 3) +#define P_OPCODE_MASK 0xF8 +#define P_SHA1_HMAC_SIZE 20 +#define P_HMAC_128 16 // (RSA-)MD5, (RSA-)MD4, ..others +#define P_HMAC_160 20 // (RSA-|DSA-)SHA(1), ..others, SHA1 is openvpn default +#define P_HMAC_NONE 0 +#define P_HARD_RESET_PACKET_ID_OFFSET(hmac_size) (9 + hmac_size) +#define P_PACKET_ID_ARRAY_LEN_OFFSET(hmac_size) (P_HARD_RESET_PACKET_ID_OFFSET(hmac_size) + 8) +#define P_HARD_RESET_CLIENT_MAX_COUNT 5 + +static inline uint32_t get_packet_id(const uint8_t * payload, uint8_t hms) { + return(ntohl(*(uint32_t*)(payload + P_HARD_RESET_PACKET_ID_OFFSET(hms)))); +} + +static inline int8_t check_pkid_and_detect_hmac_size(const uint8_t * payload) { + // try to guess + if((int)get_packet_id(payload, P_HMAC_160) != 0) + return P_HMAC_160; + + if((int)get_packet_id(payload, P_HMAC_128) != 0 ) + return P_HMAC_128; + + if((int)get_packet_id(payload, P_HMAC_NONE) != 0) + return P_HMAC_NONE; + + return(-1); +} + +int app_identify_guess_openvpn(const unsigned char *payload, int payload_len, int c2s_pkt_cnt, int s2c_pkt_cnt, struct ovpn_ctx *ovpn, int l4_is_tcp, int curdir_is_c2s) +{ + const uint8_t * session_remote; + uint8_t opcode; + uint8_t alen; + int8_t hmac_size; + int8_t failed = 0; + + if (c2s_pkt_cnt > 5) + { + if (ovpn->contain_local_session_id_pkt_num == P_HARD_RESET_CLIENT_MAX_COUNT - 1 && ovpn->valid_opcode_cnt == P_HARD_RESET_CLIENT_MAX_COUNT) + return 1; + return -1; + } + + if (payload_len >= 40) + { + // skip openvpn TCP transport packet size + if (l4_is_tcp) + payload += 2, payload_len -= 2; + + opcode = payload[0] & P_OPCODE_MASK; + if (curdir_is_c2s == 1 && + (opcode == P_CONTROL_HARD_RESET_CLIENT_V1 || + opcode == P_CONTROL_HARD_RESET_CLIENT_V2 || + opcode == P_ACK_V1 || + opcode == P_CONTROL_V1)) + { + ovpn->valid_opcode_cnt++; + } + // for UDP, trying to identify by opcode and first packet length + if (l4_is_tcp == 0) + { + if ((c2s_pkt_cnt == 1 || s2c_pkt_cnt == 1) && (((payload_len == 112) && ((opcode == 168) || (opcode == 192))) || ((payload_len == 80) && ((opcode == 184) || (opcode == 88) || (opcode == 160) || (opcode == 168) || (opcode == 200))))) + { + return 1; + } + } + + if(s2c_pkt_cnt >= 1 && curdir_is_c2s == 0)return 0; + + if (curdir_is_c2s == 1 && c2s_pkt_cnt <= P_HARD_RESET_CLIENT_MAX_COUNT && (opcode == P_CONTROL_HARD_RESET_CLIENT_V1 || opcode == P_CONTROL_HARD_RESET_CLIENT_V2 || opcode == P_ACK_V1 || opcode == P_CONTROL_V1)) + { + if (check_pkid_and_detect_hmac_size(payload) >= 0) + { + if (c2s_pkt_cnt > 1) + { + if (memcmp(&ovpn->local_session_id, payload + 1, 8) == 0) + { + ovpn->contain_local_session_id_pkt_num++; + } + } + memcpy(&ovpn->local_session_id, payload + 1, 8); + } + } + else if (c2s_pkt_cnt >= 1 && c2s_pkt_cnt <= P_HARD_RESET_CLIENT_MAX_COUNT && + (opcode == P_CONTROL_HARD_RESET_SERVER_V1 || opcode == P_CONTROL_HARD_RESET_SERVER_V2)) + { + + hmac_size = check_pkid_and_detect_hmac_size(payload); + + if (hmac_size >= 0) + { + u_int16_t offset = P_PACKET_ID_ARRAY_LEN_OFFSET(hmac_size); + + alen = payload[offset]; + + if (alen > 0) + { + offset += 1 + alen * 4; + + if ((offset + 8) <= payload_len) + { + session_remote = &payload[offset]; + + if (memcmp(&ovpn->local_session_id, session_remote, 8) == 0) + { + + return 1; + } + else + { + + failed = 1; + } + } + else + failed = 1; + } + else + failed = 1; + } + else + failed = 1; + } + else + failed = 1; + + if (failed) + return -1; + } + + return 0; +}
\ No newline at end of file diff --git a/decoders/glimpse_detector/quic_identify.cpp b/decoders/glimpse_detector/quic_identify.cpp new file mode 100644 index 0000000..7e88311 --- /dev/null +++ b/decoders/glimpse_detector/quic_identify.cpp @@ -0,0 +1,239 @@ +#include <arpa/inet.h> +#include "MESA/stream.h" + +#include "app_l7_protocol.h" + +#define GQUIC_PUBLIC_FLAG_VERSION 0x01 +#define GQUIC_PUBLIC_FLAG_RST 0x02 +#define GQUIC_PUBLIC_FLAG_NONCE 0x04 +#define GQUIC_PUBLIC_FLAG_CID 0x08 +#define GQUIC_PUBLIC_FLAG_PKT_NUM 0x30 + +//GQIIC Frame type +#define GQUIC_SPECIAL_FRAME_FLAG 0xE0 // Special Frame Types +#define GQUIC_SPECIAL_FRAME_STREAM 0x80 +#define GQUIC_SPECIAL_FRAME_ACK 0x40 +#define GQUIC_SPECIAL_FRAME_CONGEST_FB 0x20 + +#define GQUIC_SPECIAL_FRAME_STREAM_FIN 0x40 // FIN +#define GQUIC_SPECIAL_FRAME_STREAM_DLEN 0x20 //stream length +#define GQUIC_SPECIAL_FRAME_STREAM_OFFSET 0x1C //offset header field +#define GQUIC_SPECIAL_FRAME_STREAM_ID 0x03 //offset header field + +#define GQUIC_REGULAR_FRAME_PADDING 0x00 +#define GQUIC_REGULAR_FRAME_RST_STREAM 0x01 +#define GQUIC_REGULAR_FRAME_CONNECTION_CLOSE 0x02 +#define GQUIC_REGULAR_FRAME_GOAWAY 0x03 +#define GQUIC_REGULAR_FRAME_WINDOW_UPDATE 0x04 +#define GQUIC_REGULAR_FRAME_BLOCKED 0x05 +#define GQUIC_REGULAR_FRAME_STOP_WAITING 0x06 +#define GQUIC_REGULAR_FRAME_PING 0x07 + +#define GQUIC_SPECIAL_FRAME_FLAG 0xE0 // Special Frame Types +#define GQUIC_SPECIAL_FRAME_STREAM 0x80 +#define GQUIC_SPECIAL_FRAME_ACK 0x40 +#define GQUIC_SPECIAL_FRAME_CONGEST_FB 0x20 + +#define GQUIC_SPECIAL_FRAME_STREAM_FIN 0x40 // FIN +#define GQUIC_SPECIAL_FRAME_STREAM_DLEN 0x20 //stream length +#define GQUIC_SPECIAL_FRAME_STREAM_OFFSET 0x1C //offset header field +#define GQUIC_SPECIAL_FRAME_STREAM_ID 0x03 //offset header field + +#define GQUIC_REGULAR_FRAME_PADDING 0x00 +#define GQUIC_REGULAR_FRAME_RST_STREAM 0x01 +#define GQUIC_REGULAR_FRAME_CONNECTION_CLOSE 0x02 +#define GQUIC_REGULAR_FRAME_GOAWAY 0x03 +#define GQUIC_REGULAR_FRAME_WINDOW_UPDATE 0x04 +#define GQUIC_REGULAR_FRAME_BLOCKED 0x05 +#define GQUIC_REGULAR_FRAME_STOP_WAITING 0x06 +#define GQUIC_REGULAR_FRAME_PING 0x07 + +//IQIIC Frame type (GQUIC_Q046 is iQUIC 17) +#define IQUIC_FRAME_PADDING 0x00 +#define IQUIC_FRAME_PING 0x10 +#define IQUIC_FRAME_ACK_HEX02 0x20 +#define IQUIC_FRAME_ACK_HEX03 0x30 +#define IQUIC_FRAME_RESET_STREAM 0x40 +#define IQUIC_FRAME_STOP_SENDING 0x50 +#define IQUIC_FRAME_CRYPTO 0x60 +#define IQUIC_FRAME_NEW_TOKEN 0x70 +#define IQUIC_FRAME_STREAM_HEX08 0x80 +#define IQUIC_FRAME_STREAM_HEX09 0x90 +#define IQUIC_FRAME_STREAM_HEX0A 0xA0 +#define IQUIC_FRAME_STREAM_HEX0B 0xB0 +#define IQUIC_FRAME_STREAM_HEX0C 0xC0 +#define IQUIC_FRAME_STREAM_HEX0D 0xD0 +#define IQUIC_FRAME_STREAM_HEX0E 0xE0 +#define IQUIC_FRAME_STREAM_HEX0F 0xF0 +#define IQUIC_FRAME_MAX_DATA 0x01 +#define IQUIC_FRAME_MAX_STREAM_DATA 0x11 +#define IQUIC_FRAME_MAX_STREAMS_HEX12 0x21 +#define IQUIC_FRAME_MAX_STREAMS_HEX13 0x31 +#define IQUIC_FRAME_DATA_BLOCKED 0x41 +#define IQUIC_FRAME_STREAM_DATA_BLOCKED 0x51 +#define IQUIC_FRAME_STREAMS_BLOCKED_HEX16 0x61 +#define IQUIC_FRAME_STREAMS_BLOCKED_HEX17 0x71 +#define IQUIC_FRAME_NEW_CONNECTION_ID 0x81 +#define IQUIC_FRAME_RETIRE_CONNECTION_ID 0x91 +#define IQUIC_FRAME_PATH_CHALLENGE 0xA1 +#define IQUIC_FRAME_PATH_RESPONSE 0xB1 +#define IQUIC_FRAME_CONNECTION_CLOSE_HEX1C 0xC1 +#define IQUIC_FRAME_CONNECTION_CLOSE_HEX1D 0xD1 + + +/**************************************************************************/ +/* Message tag */ +/**************************************************************************/ +#define CHLO 0x43484C4F +#define SHLO 0x53484C4F +#define REJ 0x52454A00 +#define PRST 0x50525354 + + +/**************************************************************************/ +/* Tag */ +/**************************************************************************/ +#define TAG_PAD 0x50414400 +#define TAG_SNI 0x534E4900 +#define TAG_VER 0x56455200 +#define TAG_CCS 0x43435300 +#define TAG_UAID 0x55414944 +#define TAG_PDMD 0x50444d44 +#define TAG_STK 0x53544b00 +#define TAG_SNO 0x534E4F00 +#define TAG_PROF 0x50524F46 +#define TAG_SCFG 0x53434647 +#define TAG_RREJ 0x5252454A +#define TAG_CRT 0x435254FF +#define TAG_AEAD 0x41454144 +#define TAG_SCID 0x53434944 +#define TAG_PUBS 0x50554253 +#define TAG_KEXS 0x4B455853 +#define TAG_OBIT 0x4F424954 +#define TAG_EXPY 0x45585059 +#define TAG_NONC 0x4E4F4E43 +#define TAG_MSPC 0x4D535043 +#define TAG_TCID 0x54434944 +#define TAG_SRBF 0x53524246 +#define TAG_ICSL 0x4943534C +#define TAG_SCLS 0x53434C53 +#define TAG_COPT 0x434F5054 +#define TAG_CCRT 0x43435254 +#define TAG_IRTT 0x49525454 +#define TAG_CFCW 0x43464357 +#define TAG_SFCW 0x53464357 +#define TAG_CETV 0x43455456 +#define TAG_XLCT 0x584C4354 +#define TAG_NONP 0x4E4F4E50 +#define TAG_CSCT 0x43534354 +#define TAG_CTIM 0x4354494D +#define TAG_MIDS 0x4D494453 +#define TAG_FHOL 0x46484F4C +#define TAG_STTL 0x5354544C +#define TAG_SMHL 0x534D484C +#define TAG_TBKP 0x54424B50 + +/* Public Reset Tag */ +#define TAG_RNON 0x524E4F4E +#define TAG_RSEQ 0x52534551 +#define TAG_CADR 0x43414452 + +#define EXTENSION_SERVER_NAME 0x0000 +#define EXTENSION_SUPPORT_GROUP 0x000A +#define EXTENSION_APP_PROT_NEGO 0x0010 //application layer protocol negotiation +#define EXTENSION_SIG_ALGORITHM 0x000D +#define EXTENSION_KEY_SHARE 0x0033 +#define EXTENSION_PSK_EXCHANGE 0x002D +#define EXTENSION_SUPP_SSL_VER 0x002B +#define EXTENSION_QUIC_PARAM 0xFFA5 +#define EXTENSION_COMPRESS_CERT 0x001B + +#define EXT_QUIC_PARAM_MAX_IDLE_TIMEOUT 0x01 +#define EXT_QUIC_PARAM_MAX_UDP_PAYLOAD 0x03 +#define EXT_QUIC_PARAM_MAX_INIT_DATA 0x04 +#define EXT_QUIC_PARAM_MAX_STREAM_BIDI_LOCAL 0x05 +#define EXT_QUIC_PARAM_MAX_STREAM_BIDI_REMOTE 0x06 +#define EXT_QUIC_PARAM_MAX_STREAM_UNI 0x07 +#define EXT_QUIC_PARAM_MAX_STREAMS_BIDI 0x08 +#define EXT_QUIC_PARAM_MAX_STREAMS_UNI 0x09 +#define EXT_QUIC_PARAM_MAX_FRAME_SIZE 0x20 +#define EXT_QUIC_PARAM_INIT_SRC_CONN_ID 0x0F +#define EXT_QUIC_PARAM_USER_AGENT 0x7129 +#define EXT_QUIC_PARAM_NOT_YET_SUPPORTED 0x712B +#define EXT_QUIC_PARAM_QUIC_VERSION 0x80004752 +#define EXT_QUIC_PARAM_GREASE_LOW4 0x91D24E9B +#define EXT_QUIC_PARAM_GREASE_HIGH4 0xEA666DE7 + +#define EXTENSION_QUIC_PARAM_UA 0x7129 +#define EXTENSION_QUIC_PARAM_VERSION 0x4752 + +enum _QUIC_VERSION app_identify_get_quic_protocol(int curdir_is_c2s, const unsigned char *payload, const int payload_len) +{ + enum _QUIC_VERSION quic_version = QUIC_VERSION_UNKNOWN; + + if(payload_len<5) + { + return QUIC_VERSION_UNKNOWN; + } + + // Q001~Q043: 0x80 is currently unused, and must be set to 0 + + // The most significant bit (0x80) of byte 0 (the first byte) is set to 1 for long headers + (payload[0] & 0x80) ? (quic_version = (enum _QUIC_VERSION)ntohl(*(unsigned int *)(payload + 1))) : QUIC_VERSION_UNKNOWN; + if ( + (quic_version == GQUIC_VERSION_Q099) || + (quic_version == PICOQUIC_VERSION_30) || + (quic_version == PQUIC_VERSION_PROX) || + (quic_version == GQUIC_VERSION_T099) || + (quic_version >= GQUIC_VERSION_Q044 && quic_version <= GQUIC_VERSION_Q050) || + (quic_version >= GQUIC_VERSION_Q051 && quic_version <= GQUIC_VERSION_Q059) || + (quic_version >= GQUIC_VERSION_T048 && quic_version <= GQUIC_VERSION_T049) || + (quic_version >= GQUIC_VERSION_T050 && quic_version <= GQUIC_VERSION_T059) || + (quic_version >= QUANT_VERSION_00 && quic_version <= QUANT_VERSION_FF) || + (quic_version >= QUIC_GO_VERSION_00 && quic_version <= QUIC_GO_VERSION_FF) || + (quic_version >= QUICLY_VERSION_00 && quic_version <= QUICLY_VERSION_FF) || + (quic_version >= MSQUIC_VERSION_00 && quic_version <= MSQUIC_VERSION_0F) || + (quic_version >= MOZQUIC_VERSION_00 && quic_version <= MOZQUIC_VERSION_0F) || + (quic_version >= MVFST_VERSION_00 && quic_version <= MVFST_VERSION_0F) || + (quic_version >= IQUIC_VERSION_I001 && quic_version <= IQUIC_VERSION_I032) || + (quic_version == IQUIC_VERSION_RFC9000)) + { + return quic_version; + } + + char public_flags=payload[0]; + int used_len = 1; + if(curdir_is_c2s==0 && public_flags & GQUIC_PUBLIC_FLAG_VERSION) + { + return QUIC_VERSION_UNKNOWN; + } + if((!public_flags)&GQUIC_PUBLIC_FLAG_PKT_NUM) + { + if(public_flags&GQUIC_PUBLIC_FLAG_VERSION) //Public Reset Packet + { + return QUIC_VERSION_UNKNOWN;// todo + } + else // Version Negotiation Packet + { + return QUIC_VERSION_UNKNOWN; + } + } + if(public_flags&GQUIC_PUBLIC_FLAG_CID) + { + used_len+=sizeof(unsigned long long); // CID length + } + + if(payload_len>=(int)(used_len+sizeof(int)) && public_flags&GQUIC_PUBLIC_FLAG_VERSION && (*(unsigned char *)(payload+used_len)==0x51)) + { + quic_version=(enum _QUIC_VERSION)ntohl(*(unsigned int *)(payload+used_len)); + used_len+=sizeof(int); // skip version + } + + if(quic_version<GQUIC_VERSION_Q001 || quic_version>GQUIC_VERSION_Q043) + { + return QUIC_VERSION_UNKNOWN; + } + + return quic_version; +} + diff --git a/decoders/glimpse_detector/version.map b/decoders/glimpse_detector/version.map new file mode 100644 index 0000000..b5f2f91 --- /dev/null +++ b/decoders/glimpse_detector/version.map @@ -0,0 +1,10 @@ +VERS_2.4{ +global: +extern "C" { + APP_GLIMPSE_DETECTOR_LOAD; + APP_GLIMPSE_DETECTOR_UNLOAD; + GIT_VERSION_*; +}; + +local: *; +}; diff --git a/src/core/CMakeLists.txt b/src/core/CMakeLists.txt index 2772926..1ffee77 100644 --- a/src/core/CMakeLists.txt +++ b/src/core/CMakeLists.txt @@ -1,7 +1,8 @@ set(SOURCE stellar_config.cpp stellar_stat.cpp stellar_core.cpp) set(LIBRARY times session_manager plugin_manager ip_reassembly - packet_io packet pthread fieldstat4 toml hexdump nmx_pool - http_decoder) + packet_io packet pthread fieldstat4 toml hexdump nmx_pool) + +set(PLUGIN http_decoder glimpse_detector) add_library(stellar_core STATIC ${SOURCE}) target_link_libraries(stellar_core PUBLIC ${LIBRARY}) @@ -11,7 +12,7 @@ set_target_properties(stellar_devel PROPERTIES LINK_FLAGS "-Wl,--version-script= target_link_libraries(stellar_devel PRIVATE -Wl,--whole-archive ${LIBRARY} -Wl,--no-whole-archive) add_executable(stellar main.cpp) -target_link_libraries(stellar PRIVATE -Wl,--whole-archive stellar_core ${LIBRARY} -Wl,--no-whole-archive) +target_link_libraries(stellar PRIVATE -Wl,--whole-archive stellar_core ${LIBRARY} ${PLUGIN} -Wl,--no-whole-archive) target_link_libraries(stellar PRIVATE "-rdynamic") set_target_properties(stellar PROPERTIES LINK_FLAGS "-Wl,--version-script=${CMAKE_CURRENT_LIST_DIR}/version.map") diff --git a/src/core/version.map b/src/core/version.map index 25b803e..9d5a230 100644 --- a/src/core/version.map +++ b/src/core/version.map @@ -65,5 +65,8 @@ global: http_decoder_tcp_stream_msg_cb; http_tunnel_message_*; + APP_GLIMPSE_DETECTOR_LOAD; + APP_GLIMPSE_DETECTOR_UNLOAD; + local: *; }; diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt index 4001cb1..158849e 100644 --- a/test/CMakeLists.txt +++ b/test/CMakeLists.txt @@ -1,3 +1,4 @@ add_subdirectory(packet_inject) add_subdirectory(packet_tool) -add_subdirectory(debug_plugin)
\ No newline at end of file +add_subdirectory(debug_plugin) +add_subdirectory(glimpse_detector)
\ No newline at end of file diff --git a/test/glimpse_detector/CMakeLists.txt b/test/glimpse_detector/CMakeLists.txt new file mode 100644 index 0000000..118624d --- /dev/null +++ b/test/glimpse_detector/CMakeLists.txt @@ -0,0 +1,15 @@ +add_executable(gtest_glimpse_detector gtest_glimpse_detector_main.cpp) + +target_include_directories(gtest_glimpse_detector PRIVATE ${CMAKE_SOURCE_DIR}/deps/) +target_include_directories(gtest_glimpse_detector PRIVATE ${CMAKE_SOURCE_DIR}/decoders/glimpse_detector) + +target_link_libraries( +gtest_glimpse_detector PRIVATE stellar_devel glimpse_detector cjson-static MESA_prof_load +dl "-rdynamic" +gtest gmock +) + +target_link_libraries(gtest_glimpse_detector PRIVATE -Wl,--whole-archive glimpse_detector -Wl,--no-whole-archive) + +#include(GoogleTest) +#gtest_discover_tests(gtest_glimpse_detector)
\ No newline at end of file diff --git a/test/glimpse_detector/app_pcap/1-qq_59361.pcap b/test/glimpse_detector/app_pcap/1-qq_59361.pcap Binary files differnew file mode 100644 index 0000000..4334250 --- /dev/null +++ b/test/glimpse_detector/app_pcap/1-qq_59361.pcap diff --git a/test/glimpse_detector/app_pcap/2-qq_8758.pcap b/test/glimpse_detector/app_pcap/2-qq_8758.pcap Binary files differnew file mode 100644 index 0000000..5d3a09c --- /dev/null +++ b/test/glimpse_detector/app_pcap/2-qq_8758.pcap diff --git a/test/glimpse_detector/app_pcap/3-wechat_51876.pcap b/test/glimpse_detector/app_pcap/3-wechat_51876.pcap Binary files differnew file mode 100644 index 0000000..8790b64 --- /dev/null +++ b/test/glimpse_detector/app_pcap/3-wechat_51876.pcap diff --git a/test/glimpse_detector/app_pcap/4-wechat_8080.pcap b/test/glimpse_detector/app_pcap/4-wechat_8080.pcap Binary files differnew file mode 100644 index 0000000..c9bd882 --- /dev/null +++ b/test/glimpse_detector/app_pcap/4-wechat_8080.pcap diff --git a/test/glimpse_detector/app_pcap/5-wireguard.pcap b/test/glimpse_detector/app_pcap/5-wireguard.pcap Binary files differnew file mode 100644 index 0000000..5dac585 --- /dev/null +++ b/test/glimpse_detector/app_pcap/5-wireguard.pcap diff --git a/test/glimpse_detector/app_pcap/6-wireguard1.pcap b/test/glimpse_detector/app_pcap/6-wireguard1.pcap Binary files differnew file mode 100644 index 0000000..5f9d7ce --- /dev/null +++ b/test/glimpse_detector/app_pcap/6-wireguard1.pcap diff --git a/test/glimpse_detector/app_pcap/7-wireguard2.pcap b/test/glimpse_detector/app_pcap/7-wireguard2.pcap Binary files differnew file mode 100644 index 0000000..5ea113e --- /dev/null +++ b/test/glimpse_detector/app_pcap/7-wireguard2.pcap diff --git a/test/glimpse_detector/conf/log.toml b/test/glimpse_detector/conf/log.toml new file mode 100644 index 0000000..64b5fea --- /dev/null +++ b/test/glimpse_detector/conf/log.toml @@ -0,0 +1,4 @@ +[log] +output = file # stderr, file +file = "log/stellar.log" +level = FATAL # TRACE, DEBUG, INFO, WARN, ERROR, FATAL diff --git a/test/glimpse_detector/conf/stellar.toml b/test/glimpse_detector/conf/stellar.toml new file mode 100644 index 0000000..b79be60 --- /dev/null +++ b/test/glimpse_detector/conf/stellar.toml @@ -0,0 +1,43 @@ +[id_generator] +snowflake_worker_id_base = 1 +snowflake_worker_id_offset = 2 + +[packet_io] +mode = "dumpfile" +app_symbol = "stellar" +dev_symbol = "nf_0_fw" +dumpfile_dir = "/home/yangwei/platform/stellar/test/glimpse_detector//socks_pcap/" +nr_threads = 1 +cpu_mask = [5, 6, 7, 8, 9, 10, 11, 12] + +[ip_reassembly] +enable = 1 +timeout = 10000 +bucket_entries = 256 +bucket_num = 4096 + +[session_manager] +max_tcp_session_num = 50000 +max_udp_session_num = 50000 +tcp_overload_evict_old_sess = 1 +udp_overload_evict_old_sess = 1 +tcp_init_timeout = 5000 +tcp_handshake_timeout = 5000 +tcp_data_timeout = 5000 +tcp_half_closed_timeout = 5000 +tcp_time_wait_timeout = 5000 +tcp_discard_timeout = 10000 +tcp_unverified_rst_timeout = 5000 +udp_data_timeout = 5000 +udp_discard_timeout = 5000 +duplicated_packet_filter_enable = 1 +duplicated_packet_filter_capacity = 1000000 +duplicated_packet_filter_timeout = 10000 +duplicated_packet_filter_error_rate = 1e-05 +evicted_session_filter_enable = 1 +evicted_session_filter_capacity = 1000000 +evicted_session_filter_timeout = 10000 +evicted_session_filter_error_rate = 1e-05 +tcp_reassembly_enable = 1 +tcp_reassembly_max_timeout = 10000 +tcp_reassembly_max_segments = 256 diff --git a/test/glimpse_detector/dns_pcap/1-dns-tcp-single-53-124.88.175.201-8.8.8.8.pcap b/test/glimpse_detector/dns_pcap/1-dns-tcp-single-53-124.88.175.201-8.8.8.8.pcap Binary files differnew file mode 100644 index 0000000..0397534 --- /dev/null +++ b/test/glimpse_detector/dns_pcap/1-dns-tcp-single-53-124.88.175.201-8.8.8.8.pcap diff --git a/test/glimpse_detector/dns_pcap/2-dns-tcp-single-53-60.13.179.249-8.8.8.8.pcap b/test/glimpse_detector/dns_pcap/2-dns-tcp-single-53-60.13.179.249-8.8.8.8.pcap Binary files differnew file mode 100644 index 0000000..d54bad6 --- /dev/null +++ b/test/glimpse_detector/dns_pcap/2-dns-tcp-single-53-60.13.179.249-8.8.8.8.pcap diff --git a/test/glimpse_detector/gtest_glimpse_detector_main.cpp b/test/glimpse_detector/gtest_glimpse_detector_main.cpp new file mode 100644 index 0000000..b404ed7 --- /dev/null +++ b/test/glimpse_detector/gtest_glimpse_detector_main.cpp @@ -0,0 +1,444 @@ +/* + * author:yangwei + * create time:2021-8-21 + * + */ + +#pragma GCC diagnostic ignored "-Wunused-parameter" + +#include <stdio.h> +#include <time.h> +#include <unistd.h> +#include <assert.h> + +#include "app_l7_protocol.h" + +#include "cJSON.h" +#include "MESA_prof_load.h" + +#include "stellar/stellar.h" +#include "stellar/session.h" +#include "stellar/stellar_exdata.h" +#include "stellar/stellar_mq.h" + + +struct app_test_para +{ + cJSON *test_result_root; + cJSON *load_result_root; + int result_count; +}; + +struct app_test_para g_test_para={}; + +static int commit_test_result_json(struct app_test_para *para, cJSON *node, const char *name); + +struct app_test_plugin_env +{ + int test_exdata_idx; + int l7_exdata_idx; + int test_app_plugin_id; + struct stellar *st; +}; + +#define MAX_PROTO_ID_NUM 10000 +static char *g_proto_id2name[MAX_PROTO_ID_NUM]; + +static int load_l7_protocol_mapper(const char *filename) +{ + memset(g_proto_id2name, 0, sizeof(g_proto_id2name)); + int ret=0, proto_id=0;; + FILE *fp=NULL; + char line[1024]={0}; + char type_name[32]={0}; + char proto_name[32]={0}; + + fp=fopen(filename, "r"); + if(fp==NULL) + { + printf("Open %s failed ...", filename); + return -1; + } + + memset(line, 0, sizeof(line)); + + while((fgets(line, sizeof(line), fp))!=NULL) + { + if(line[0]=='#' || line[0]=='\n' || line[0]=='\r' ||line[0]=='\0') + { + continue; + } + + ret=sscanf(line, "%31s %31s %d", type_name, proto_name, &proto_id); + assert(ret==3 && proto_id < MAX_PROTO_ID_NUM); + g_proto_id2name[proto_id] = (char*)calloc(strlen(proto_name)+1, 1); + strcpy(g_proto_id2name[proto_id], proto_name); + memset(line, 0, sizeof(line)); + } + + fclose(fp); + fp=NULL; + return ret; +} + +static void commit_test_result(struct app_test_plugin_env *env, cJSON *ctx, struct session *sess) +{ + assert(env->l7_exdata_idx >= 0 && ctx != NULL); + struct l7_protocol_label *label = (struct l7_protocol_label *)session_exdata_get(sess, env->l7_exdata_idx);; + if(label != NULL) + { + int proto_ids[8]; + const char* proto_names[8]; + for(int i = 0; i < label->protocol_id_num; i++) + { + proto_ids[i] = (int)(label->protocol_id[i]); + proto_names[i] = g_proto_id2name[proto_ids[i]]; + + } + cJSON *label_ids = cJSON_CreateIntArray(proto_ids, label->protocol_id_num); + cJSON_AddItemToObject(ctx, "l7_label_id", label_ids); + cJSON *label_names = cJSON_CreateStringArray(proto_names, label->protocol_id_num); + cJSON_AddItemToObject(ctx, "l7_label_name", label_names); + } + else + { + cJSON_AddStringToObject(ctx, "l7_label_id", "UNKNOWN"); + } + unsigned char dir_flag; + int is_symmetric=session_is_symmetric(sess, &dir_flag); + if(is_symmetric) + { + cJSON_AddStringToObject(ctx, "STREAM_DIR", "DOUBLE"); + } + else if(dir_flag == SESSION_SEEN_C2S_FLOW) + { + cJSON_AddStringToObject(ctx, "STREAM_DIR", "C2S"); + } + else if(dir_flag == SESSION_SEEN_S2C_FLOW) + { + cJSON_AddStringToObject(ctx, "STREAM_DIR", "S2C"); + } + else + { + assert(0); + } + if (ctx) + { + char result_name[128] = ""; + sprintf(result_name, "APP_PROTO_IDENTIFY_RESULT_%d", g_test_para.result_count); + commit_test_result_json(&g_test_para, ctx, result_name); + g_test_para.result_count += 1; + } + return; +} + + + void *APP_TEST_CTX_NEW(struct session *sess, void *plugin_env) +{ + cJSON *ctx =cJSON_CreateObject(); + cJSON_AddStringToObject(ctx, "Tuple4", session_get0_readable_addr(sess)); + enum session_type type= session_get_type(sess); + if (type == SESSION_TYPE_TCP) + { + cJSON_AddStringToObject(ctx, "STREAM_TYPE", "TCP"); + } + if (type == SESSION_TYPE_UDP) + { + cJSON_AddStringToObject(ctx, "STREAM_TYPE", "UDP"); + } + return ctx; +} + +void APP_TEST_CTX_FREE(struct session *sess, void *session_ctx, void *plugin_env) +{ + cJSON *ctx = (cJSON *)session_ctx; + commit_test_result((struct app_test_plugin_env*)plugin_env, ctx, sess); + return; +} + +static void APP_TEST_ON_SESSION_MSG(struct session *sess, int topic_id, const void *msg, void *per_session_ctx, void *plugin_env) +{ + return; +} + +extern "C" void *APP_TEST_PLUG_INIT(struct stellar *st) +{ + struct app_test_plugin_env *env = (struct app_test_plugin_env *)calloc(1, sizeof(struct app_test_plugin_env)); + env->st=st; + char l7_label_name[256]=""; + char l7_bridge_name[256]=""; + char l7_proto_name[256]=""; + MESA_load_profile_string_def("./tsgconf/main.conf", "SYSTEM", "L7_LABEL_NAME", l7_label_name, sizeof(l7_label_name), "L7_PROTOCOL_LABEL"); + MESA_load_profile_string_def("./tsgconf/main.conf", "SYSTEM", "APP_BRIDGE_NAME", l7_bridge_name, sizeof(l7_bridge_name), "APP_BRIDGE"); + MESA_load_profile_string_def("./tsgconf/main.conf", "SYSTEM", "L7_PROTOCOL_FILE", l7_proto_name, sizeof(l7_proto_name), "./tsgconf/tsg_l7_protocol.conf"); + env->l7_exdata_idx= stellar_exdata_new_index(st, "L7_PROTOCOL", stellar_exdata_free_default, NULL); + env->test_exdata_idx= stellar_exdata_new_index(st, "APP_PROTO_TEST", stellar_exdata_free_default, NULL); + if(env->l7_exdata_idx<0 || env->test_exdata_idx<0) + { + printf("APP_PROTO_IDENTIFY_TEST_PLUG_INIT:stellar_session_get_ex_new_index faild!!!\n"); + exit(-1); + } + int ret = load_l7_protocol_mapper(l7_proto_name); + if(ret<0) + { + printf("APP_PROTO_IDENTIFY_TEST_PLUG_INIT:l7_protocol_mapper failed !!!\n"); + exit(-1); + } + env->test_app_plugin_id=stellar_session_plugin_register(st, APP_TEST_CTX_NEW, APP_TEST_CTX_FREE, env); + if(env->test_app_plugin_id < 0) + { + printf("APP_PROTO_IDENTIFY_TEST_PLUG_INIT:stellar_plugin_register failed !!!\n"); + exit(-1); + } + + int tcp_topic_id=stellar_mq_get_topic_id(st, TOPIC_TCP); + int udp_topic_id=stellar_mq_get_topic_id(st, TOPIC_UDP); + if(tcp_topic_id < 0 || udp_topic_id < 0) + { + perror("get tcp or udp topic id failed\n"); + exit(-1); + } + + stellar_session_mq_subscribe(st, tcp_topic_id, APP_TEST_ON_SESSION_MSG, env->test_app_plugin_id); + stellar_session_mq_subscribe(st, udp_topic_id, APP_TEST_ON_SESSION_MSG, env->test_app_plugin_id); + printf("APP_PROTO_IDENTIFY_TEST_PLUG_INIT OK!\n"); + + return env; +} + +extern "C" void APP_TEST_PLUG_DESTROY(void *ctx) +{ + struct app_test_plugin_env *env = (struct app_test_plugin_env *)ctx; + free(env); + printf("APP_PROTO_IDENTIFY_TEST_PLUG_DESTROY OK!\n"); + return ; +} + +#include <gtest/gtest.h> +#include "stellar/stellar.h" + +static int commit_test_result_json(struct app_test_para *para, cJSON *node, const char *name) +{ + assert(node != NULL || name != NULL || para != NULL); + if(para->test_result_root) + { + //cJSON_AddItemToObject(g_test_result_root, name, node); + cJSON_AddStringToObject(node, "name", name); + cJSON_AddItemToArray(para->test_result_root, node); + return 0; + } + return -1; +} + +static cJSON *load_result_from_jsonfile(const char *json_path) +{ + + if(json_path == NULL)return NULL; + + long file_len = 0; + char *file_content = NULL; + FILE *fp = NULL; + + fp = fopen(json_path, "r+"); + if (NULL == fp) + { + return NULL; + } + fseek(fp, 0, SEEK_END); + file_len = ftell(fp); + fseek(fp, 0, SEEK_SET); + if (file_len == 0) { + fclose(fp); + return NULL; + } + file_content = (char *) malloc(file_len + 1); + fread(file_content, file_len, 1, fp); + file_content[file_len] = '\0'; + cJSON *load = cJSON_Parse(file_content); + free(file_content); + fclose(fp); + return load; +} + + + +static int app_test_para_start(struct app_test_para *para, const char *load_json_path) +{ + para->test_result_root = cJSON_CreateArray(); + para->load_result_root = load_result_from_jsonfile(load_json_path); + para->result_count=1;//count start from 1 + return 0; +} + +static int app_test_para_finish(struct app_test_para *para) +{ + if(para==NULL)return -1; + if(para->test_result_root==NULL || para->load_result_root==NULL)return -1; + int ret=-1; + if(cJSON_GetArraySize(para->test_result_root)!=cJSON_GetArraySize(para->load_result_root)) + { + char *load_json_str = cJSON_Print(para->load_result_root); + printf("LOAD Raw:\n%s\n", load_json_str); + free(load_json_str); + char *result_json_str = cJSON_Print(para->test_result_root); + printf("TEST Raw:\n%s\n", result_json_str); + free(result_json_str); + ret=-1; + goto error_out; + } + ret = cJSON_Compare(para->load_result_root, para->test_result_root, 0); + if (ret != 1) + { + char *load_json_str = cJSON_Print(para->load_result_root); + printf("LOAD Raw:\n%s\n", load_json_str); + free(load_json_str); + char *result_json_str = cJSON_Print(para->test_result_root); + printf("TEST Raw:\n%s\n", result_json_str); + free(result_json_str); + + cJSON *t_load = para->load_result_root->child, *t_test = para->test_result_root->child; + while (t_load != NULL) + { + ret = cJSON_Compare(t_load, t_test, 0); + if(ret != 1) + { + load_json_str = cJSON_Print(t_load); + printf("LOAD Diff:\n%s\n", load_json_str); + free(load_json_str); + result_json_str = cJSON_Print(t_test); + printf("TEST Diff:\n%s\n", result_json_str); + free(result_json_str); + } + t_load = t_load->next; + t_test = t_test->next; + + } + } + +error_out: + if(para->test_result_root)cJSON_Delete(para->test_result_root); + if(para->load_result_root)cJSON_Delete(para->load_result_root); + return ret; +} + + +/********************************************** + * GTEST MAIN * + **********************************************/ + + +#define RESULT_JSON_DIR_NAME "test_result_json" +#define TEST_ENV_DIR_NAME "test_env" + +const char *g_test_dir=NULL; + +#include <stdarg.h> +static inline void system_cmd(const char *cmd, ...) +{ + char buf[4096] = {0}; + va_list args; + + va_start(args, cmd); + vsnprintf(buf, sizeof(buf), cmd, args); + va_end(args); + + system(buf); +} + +class gtest_glimpse_detector : public ::testing::Test { +protected: + char result_json_path[4096] = {0}; + char pcap_path[4096] = {0}; + + // Constructor should be default; static members should be set externally + gtest_glimpse_detector() = default; + + + void SetUp() override { + + std::cout << "SetUpTestCase called for work_dir: " << g_test_dir<< std::endl; + system_cmd("mkdir -p ./conf/"); + system_cmd("mkdir -p ./log/ "); + system_cmd("mkdir -p ./plugin"); + system_cmd("mkdir -p ./tsgconf/"); + system_cmd("cp %s/%s/tsg_l7_protocol.conf ./tsgconf/tsg_l7_protocol.conf", g_test_dir, TEST_ENV_DIR_NAME); + system_cmd("cp %s/%s/stellar.toml ./conf/stellar.toml", g_test_dir, TEST_ENV_DIR_NAME); + system_cmd("cp %s/%s/log.toml ./conf/log.toml", g_test_dir, TEST_ENV_DIR_NAME); + system_cmd("cp %s/%s/spec.toml ./plugin/spec.toml", g_test_dir, TEST_ENV_DIR_NAME); + // Retrieve current test info + const ::testing::TestInfo* test_info = ::testing::UnitTest::GetInstance()->current_test_info(); + + std::cout << "Setting up test environment for test case: " + << test_info->test_case_name() + << " in work_dir: " << g_test_dir << std::endl; + + // Initialize paths based on test case name and arguments + memset(&g_test_para, 0, sizeof(struct app_test_para)); + snprintf(result_json_path, sizeof(result_json_path), + "%s/%s/%s.json", g_test_dir, RESULT_JSON_DIR_NAME, + test_info->name()); + snprintf(pcap_path, sizeof(pcap_path), + "%s/%s", g_test_dir, test_info->name()); + + std::cout << "result_json_path: " << result_json_path << std::endl; + std::cout << "pcap_path: " << pcap_path << std::endl; + system_cmd("tomlq -t -i '.packet_io.dumpfile_dir = \"%s/\"' ./conf/stellar.toml", pcap_path); + system_cmd("cat ./conf/stellar.toml"); + } + +}; + +TEST_F(gtest_glimpse_detector, app_pcap) { + + app_test_para_start(&g_test_para, result_json_path); + stellar_run(0, NULL); + EXPECT_EQ(app_test_para_finish(&g_test_para), 1); +} + + +TEST_F(gtest_glimpse_detector, dns_pcap) { + + app_test_para_start(&g_test_para, result_json_path); + stellar_run(0, NULL); + EXPECT_EQ(app_test_para_finish(&g_test_para), 1); +} + +TEST_F(gtest_glimpse_detector, mixed_pcap) { + + app_test_para_start(&g_test_para, result_json_path); + stellar_run(0, NULL); + EXPECT_EQ(app_test_para_finish(&g_test_para), 1); +} + +TEST_F(gtest_glimpse_detector, openvpn_pcap) { + + app_test_para_start(&g_test_para, result_json_path); + stellar_run(0, NULL); + EXPECT_EQ(app_test_para_finish(&g_test_para), 1); +} + +TEST_F(gtest_glimpse_detector, ppp_pcap) { + + app_test_para_start(&g_test_para, result_json_path); + stellar_run(0, NULL); + EXPECT_EQ(app_test_para_finish(&g_test_para), 1); +} + +TEST_F(gtest_glimpse_detector, socks_pcap) { + + app_test_para_start(&g_test_para, result_json_path); + stellar_run(0, NULL); + EXPECT_EQ(app_test_para_finish(&g_test_para), 1); +} + +int main(int argc, char ** argv) +{ + if(argc != 2) + { + printf("Invalid Argument!!!\n Usage: ./[gtest_main] [/path/to/glimpse_detector_test_dir] \n"); + return -1; + } + ::testing::InitGoogleTest(&argc, argv); + g_test_dir=argv[1]; + return RUN_ALL_TESTS(); +}
\ No newline at end of file diff --git a/test/glimpse_detector/log/stellar.log.2024-08-16 b/test/glimpse_detector/log/stellar.log.2024-08-16 new file mode 100644 index 0000000..c9b3999 --- /dev/null +++ b/test/glimpse_detector/log/stellar.log.2024-08-16 @@ -0,0 +1,997 @@ +Fri Aug 16 21:00:34 2024 139823384804160 STATE (stellar), start stellar (version: 1.0.0-a59eca7) + _ _ _ + ___ | |_ ___ | | | | __ _ _ __ + / __| | __| / _ \ | | | | / _` | | '__| + \__ \ | |_ | __/ | | | | | (_| | | | + |___/ \__| \___| |_| |_| \__,_| |_| + +Fri Aug 16 21:00:34 2024 139823384804160 STATE (stellar), log config file : ./conf/log.toml +Fri Aug 16 21:00:34 2024 139823384804160 STATE (stellar), main config file : ./conf/stellar.toml +Fri Aug 16 21:00:34 2024 139823384804160 STATE (stellar), plugin config file : ./plugin/spec.toml +Fri Aug 16 21:00:34 2024 139823280088832 STATE (dumpfile), dumpfile io thread is running +Fri Aug 16 21:00:34 2024 139823280088832 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/dns_pcap/1-dns-tcp-single-53-124.88.175.201-8.8.8.8.pcap in-processing +Fri Aug 16 21:00:34 2024 139823280088832 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/dns_pcap/1-dns-tcp-single-53-124.88.175.201-8.8.8.8.pcap processed +Fri Aug 16 21:00:34 2024 139823280088832 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/dns_pcap/2-dns-tcp-single-53-60.13.179.249-8.8.8.8.pcap in-processing +Fri Aug 16 21:00:34 2024 139823280088832 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/dns_pcap/2-dns-tcp-single-53-60.13.179.249-8.8.8.8.pcap processed +Fri Aug 16 21:00:34 2024 139823280088832 STATE (dumpfile), dumpfile io thread has processed all pcap files, wait for exit +Fri Aug 16 21:00:34 2024 139823384804160 STATE (stellar), clean worker thread 0 context +Fri Aug 16 21:00:34 2024 139823271696128 STATE (stellar), worker thread 0 runing +Fri Aug 16 21:00:34 2024 139823271696128 STATE (stellar), worker thread 0 exit !!! +Fri Aug 16 21:00:35 2024 139823280088832 STATE (dumpfile), dumpfile io thread exit !!! +Fri Aug 16 21:00:35 2024 139823384804160 STATE (stellar), stellar exit !!! + +Fri Aug 16 21:00:35 2024 139823384804160 STATE (stellar), start stellar (version: 1.0.0-a59eca7) + _ _ _ + ___ | |_ ___ | | | | __ _ _ __ + / __| | __| / _ \ | | | | / _` | | '__| + \__ \ | |_ | __/ | | | | | (_| | | | + |___/ \__| \___| |_| |_| \__,_| |_| + +Fri Aug 16 21:00:35 2024 139823384804160 STATE (stellar), log config file : ./conf/log.toml +Fri Aug 16 21:00:35 2024 139823384804160 STATE (stellar), main config file : ./conf/stellar.toml +Fri Aug 16 21:00:35 2024 139823384804160 STATE (stellar), plugin config file : ./plugin/spec.toml +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile io thread is running +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/01-http-not-ftp.pcap in-processing +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/01-http-not-ftp.pcap processed +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/02-stun-rtcp-rtp-22005-8000-39.144.206.199-117.156.19.31.pcap in-processing +Fri Aug 16 21:00:35 2024 139823384804160 STATE (stellar), clean worker thread 0 context +Fri Aug 16 21:00:35 2024 139823094122240 STATE (stellar), worker thread 0 runing +Fri Aug 16 21:00:35 2024 139823094122240 STATE (stellar), worker thread 0 exit !!! +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/02-stun-rtcp-rtp-22005-8000-39.144.206.199-117.156.19.31.pcap processed +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/03-ftp-37923-21121-117.145.115.74-218.31.124.234.pcap in-processing +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/03-ftp-37923-21121-117.145.115.74-218.31.124.234.pcap processed +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/04-mail_smtp_port_18867_25.pcap in-processing +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/04-mail_smtp_port_18867_25.pcap processed +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/05-ftp_port_21121-double.pcap in-processing +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/05-ftp_port_21121-double.pcap processed +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/07-ftp_port_21121-c2s.pcap in-processing +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/07-ftp_port_21121-c2s.pcap processed +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/06-ftp_port_21121-s2c.pcap in-processing +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/06-ftp_port_21121-s2c.pcap processed +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/08-gquic-023-85.117.117.169.47762-173.194.73.95.443.pcap in-processing +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/08-gquic-023-85.117.117.169.47762-173.194.73.95.443.pcap processed +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/09-gquic-025-85.117.113.98.4340-74.125.131.95.443.pcap in-processing +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/09-gquic-025-85.117.113.98.4340-74.125.131.95.443.pcap processed +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/10-gquic-033-90.143.189.5.8026-173.194.188.40.443.pcap in-processing +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/10-gquic-033-90.143.189.5.8026-173.194.188.40.443.pcap processed +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/11-gquic-034-85.117.125.8.21243-173.194.73.102.443.pcap in-processing +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/11-gquic-034-85.117.125.8.21243-173.194.73.102.443.pcap processed +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/12-gquic-035-redirector.googlevideo.com-85.117.122.194.32370-173.194.220.138.443.pcap in-processing +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/12-gquic-035-redirector.googlevideo.com-85.117.122.194.32370-173.194.220.138.443.pcap processed +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/13-gquic-037-10.32.121.249.33765-64.233.161.95.443.pcap in-processing +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/13-gquic-037-10.32.121.249.33765-64.233.161.95.443.pcap processed +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/14-gquic-039-redirector.googlevideo.com-85.117.119.45.22495-173.194.73.101.443.pcap in-processing +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/14-gquic-039-redirector.googlevideo.com-85.117.119.45.22495-173.194.73.101.443.pcap processed +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/15-gquic-041-90.143.180.56.28496-64.233.165.113.443.pcap in-processing +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/15-gquic-041-90.143.180.56.28496-64.233.165.113.443.pcap processed +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/16-gquic-041-90.143.180.56.28496-64.233.165.113.443.pcap in-processing +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/16-gquic-041-90.143.180.56.28496-64.233.165.113.443.pcap processed +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/17-gquic-044-146.158.67.194.1044-108.177.14.138.443.pcap in-processing +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/17-gquic-044-146.158.67.194.1044-108.177.14.138.443.pcap processed +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/18-gquic-046-36.142.158.169.16385-36.189.11.71.443.pcap in-processing +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/18-gquic-046-36.142.158.169.16385-36.189.11.71.443.pcap processed +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/21-iquic-29-192.168.50.29.61891-31.13.77.35.443.pcap in-processing +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/21-iquic-29-192.168.50.29.61891-31.13.77.35.443.pcap processed +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/22-mvfst-01-i.instagram.com-192.168.60.9.55659-69.171.250.63.443.pcap in-processing +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/22-mvfst-01-i.instagram.com-192.168.60.9.55659-69.171.250.63.443.pcap processed +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/23-mvfst-02-192.168.137.141.50006-31.13.77.17.443.pcap in-processing +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/23-mvfst-02-192.168.137.141.50006-31.13.77.17.443.pcap processed +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/23-prox-quic-217.76.77.70.33232-173.194.220.105.443.pcap in-processing +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/23-prox-quic-217.76.77.70.33232-173.194.220.105.443.pcap processed +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/24-ietf-rfc9000-192.168.60.32.59699-64.233.164.84.443.pcap in-processing +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/24-ietf-rfc9000-192.168.60.32.59699-64.233.164.84.443.pcap processed +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/25-tquic-51-195.12.120.14.41803-173.194.222.101.443.pcap in-processing +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/25-tquic-51-195.12.120.14.41803-173.194.222.101.443.pcap processed +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/26-smtp-55426-587-10.130.2.104-67.225.241.247.pcap in-processing +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/26-smtp-55426-587-10.130.2.104-67.225.241.247.pcap processed +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/27-pop-54776-110-196.188.12.179-192.185.31.244.pcap in-processing +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/27-pop-54776-110-196.188.12.179-192.185.31.244.pcap processed +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/28-Bole-IGW-SMTP-57719-26-10.130.13.155-50.87.145.154-2.pcap in-processing +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/28-Bole-IGW-SMTP-57719-26-10.130.13.155-50.87.145.154-2.pcap processed +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/29-Bole-IGW-SMTP-14636-25-196.189.57.105-68.232.159.216-2.pcap in-processing +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/29-Bole-IGW-SMTP-14636-25-196.189.57.105-68.232.159.216-2.pcap processed +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/30-Bole-IGW-SMTP-20997-25-196.190.160.6-64.225.54.152.pcap in-processing +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/30-Bole-IGW-SMTP-20997-25-196.190.160.6-64.225.54.152.pcap processed +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/31-Bole-IGW-POP3-50020-110-196.188.3.8-82.98.178.159.pcap in-processing +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/31-Bole-IGW-POP3-50020-110-196.188.3.8-82.98.178.159.pcap processed +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/32-Bole-IGW-POP3-53357-110-196.189.0.15-39.156.6.106.pcap in-processing +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/32-Bole-IGW-POP3-53357-110-196.189.0.15-39.156.6.106.pcap processed +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/33-Bole-IGW-IMAP-36734-143-196.189.5.89-101.32.113.90.pcap in-processing +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/33-Bole-IGW-IMAP-36734-143-196.189.5.89-101.32.113.90.pcap processed +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/34-Bole-IGW-IMAP-50415-143-196.188.28.149-69.195.110.51.pcap in-processing +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/34-Bole-IGW-IMAP-50415-143-196.188.28.149-69.195.110.51.pcap processed +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/35-Bole-IGW-SMTP-587-1440-587-196.189.45.189-40.101.92.178.pcap in-processing +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/35-Bole-IGW-SMTP-587-1440-587-196.189.45.189-40.101.92.178.pcap processed +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/36-Bole-IGW-SMTP-587-37943-587-196.191.120.240-81.19.77.166.pcap in-processing +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/36-Bole-IGW-SMTP-587-37943-587-196.191.120.240-81.19.77.166.pcap processed +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/37-dns-response-4029-53-115.24.235.11-8.210.152.150.pcap in-processing +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/37-dns-response-4029-53-115.24.235.11-8.210.152.150.pcap processed +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/38-stun-dtls.pcap in-processing +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/38-stun-dtls.pcap processed +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/19-gquic-048-103.3.138.59.12521-123.125.116.52.443.pcap in-processing +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/19-gquic-048-103.3.138.59.12521-123.125.116.52.443.pcap processed +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/39-pop3-mistake-redis.pcap in-processing +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/39-pop3-mistake-redis.pcap processed +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/20-gquic-050-i.ytimg.com-172.20.9.135.65045-64.233.162.119.443.pcap in-processing +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/20-gquic-050-i.ytimg.com-172.20.9.135.65045-64.233.162.119.443.pcap processed +Fri Aug 16 21:00:35 2024 139823263303424 STATE (dumpfile), dumpfile io thread has processed all pcap files, wait for exit +Fri Aug 16 21:00:36 2024 139823263303424 STATE (dumpfile), dumpfile io thread exit !!! +Fri Aug 16 21:00:36 2024 139823384804160 STATE (stellar), stellar exit !!! + +Fri Aug 16 21:00:37 2024 139823384804160 STATE (stellar), start stellar (version: 1.0.0-a59eca7) + _ _ _ + ___ | |_ ___ | | | | __ _ _ __ + / __| | __| / _ \ | | | | / _` | | '__| + \__ \ | |_ | __/ | | | | | (_| | | | + |___/ \__| \___| |_| |_| \__,_| |_| + +Fri Aug 16 21:00:37 2024 139823384804160 STATE (stellar), log config file : ./conf/log.toml +Fri Aug 16 21:00:37 2024 139823384804160 STATE (stellar), main config file : ./conf/stellar.toml +Fri Aug 16 21:00:37 2024 139823384804160 STATE (stellar), plugin config file : ./plugin/spec.toml +Fri Aug 16 21:00:37 2024 139823238924032 STATE (dumpfile), dumpfile io thread is running +Fri Aug 16 21:00:37 2024 139823238924032 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/11-ipv6_openvpn.pcap in-processing +Fri Aug 16 21:00:37 2024 139823238924032 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/11-ipv6_openvpn.pcap processed +Fri Aug 16 21:00:37 2024 139823238924032 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/10-openvpn-udp-49941.pcap in-processing +Fri Aug 16 21:00:37 2024 139823238924032 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/10-openvpn-udp-49941.pcap processed +Fri Aug 16 21:00:37 2024 139823238924032 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/12-quic-openvpn.pcap in-processing +Fri Aug 16 21:00:37 2024 139823238924032 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/12-quic-openvpn.pcap processed +Fri Aug 16 21:00:37 2024 139823238924032 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/01-openvpn-udp-port-1198-first.pcap in-processing +Fri Aug 16 21:00:37 2024 139823238924032 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/01-openvpn-udp-port-1198-first.pcap processed +Fri Aug 16 21:00:37 2024 139823238924032 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/02-openvpn-nDPI.pcap in-processing +Fri Aug 16 21:00:37 2024 139823238924032 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/02-openvpn-nDPI.pcap processed +Fri Aug 16 21:00:37 2024 139823238924032 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/03-openvpn_onestream.pcap in-processing +Fri Aug 16 21:00:37 2024 139823238924032 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/03-openvpn_onestream.pcap processed +Fri Aug 16 21:00:37 2024 139823238924032 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/04-openvpn-udp-63111.pcap in-processing +Fri Aug 16 21:00:37 2024 139823238924032 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/04-openvpn-udp-63111.pcap processed +Fri Aug 16 21:00:37 2024 139823238924032 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/05-openvpn-udp-34400.pcap in-processing +Fri Aug 16 21:00:37 2024 139823238924032 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/05-openvpn-udp-34400.pcap processed +Fri Aug 16 21:00:37 2024 139823238924032 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/06-openvpn-udp-40914.pcap in-processing +Fri Aug 16 21:00:37 2024 139823238924032 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/06-openvpn-udp-40914.pcap processed +Fri Aug 16 21:00:37 2024 139823238924032 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/07-openvpn.tcp.pcap in-processing +Fri Aug 16 21:00:37 2024 139823238924032 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/07-openvpn.tcp.pcap processed +Fri Aug 16 21:00:37 2024 139823238924032 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/08-ovpntcp_hmac.pcap in-processing +Fri Aug 16 21:00:37 2024 139823238924032 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/08-ovpntcp_hmac.pcap processed +Fri Aug 16 21:00:37 2024 139823238924032 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/09-ovpntcp_nohmac.pcap in-processing +Fri Aug 16 21:00:37 2024 139823238924032 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/09-ovpntcp_nohmac.pcap processed +Fri Aug 16 21:00:37 2024 139823238924032 STATE (dumpfile), dumpfile io thread has processed all pcap files, wait for exit +Fri Aug 16 21:00:37 2024 139823384804160 STATE (stellar), clean worker thread 0 context +Fri Aug 16 21:00:37 2024 139823230531328 STATE (stellar), worker thread 0 runing +Fri Aug 16 21:00:37 2024 139823230531328 STATE (stellar), worker thread 0 exit !!! +Fri Aug 16 21:00:38 2024 139823238924032 STATE (dumpfile), dumpfile io thread exit !!! +Fri Aug 16 21:00:38 2024 139823384804160 STATE (stellar), stellar exit !!! + +Fri Aug 16 21:00:38 2024 139823384804160 STATE (stellar), start stellar (version: 1.0.0-a59eca7) + _ _ _ + ___ | |_ ___ | | | | __ _ _ __ + / __| | __| / _ \ | | | | / _` | | '__| + \__ \ | |_ | __/ | | | | | (_| | | | + |___/ \__| \___| |_| |_| \__,_| |_| + +Fri Aug 16 21:00:38 2024 139823384804160 STATE (stellar), log config file : ./conf/log.toml +Fri Aug 16 21:00:38 2024 139823384804160 STATE (stellar), main config file : ./conf/stellar.toml +Fri Aug 16 21:00:38 2024 139823384804160 STATE (stellar), plugin config file : ./plugin/spec.toml +Fri Aug 16 21:00:38 2024 139823222138624 STATE (dumpfile), dumpfile io thread is running +Fri Aug 16 21:00:38 2024 139823222138624 STATE (dumpfile), dumpfile io thread has processed all pcap files, wait for exit +Fri Aug 16 21:00:38 2024 139823384804160 STATE (stellar), clean worker thread 0 context +Fri Aug 16 21:00:38 2024 139823213745920 STATE (stellar), worker thread 0 runing +Fri Aug 16 21:00:38 2024 139823213745920 STATE (stellar), worker thread 0 exit !!! +Fri Aug 16 21:00:39 2024 139823222138624 STATE (dumpfile), dumpfile io thread exit !!! +Fri Aug 16 21:00:39 2024 139823384804160 STATE (stellar), stellar exit !!! + +Fri Aug 16 21:00:39 2024 139823384804160 STATE (stellar), start stellar (version: 1.0.0-a59eca7) + _ _ _ + ___ | |_ ___ | | | | __ _ _ __ + / __| | __| / _ \ | | | | / _` | | '__| + \__ \ | |_ | __/ | | | | | (_| | | | + |___/ \__| \___| |_| |_| \__,_| |_| + +Fri Aug 16 21:00:39 2024 139823384804160 STATE (stellar), log config file : ./conf/log.toml +Fri Aug 16 21:00:39 2024 139823384804160 STATE (stellar), main config file : ./conf/stellar.toml +Fri Aug 16 21:00:39 2024 139823384804160 STATE (stellar), plugin config file : ./plugin/spec.toml +Fri Aug 16 21:00:39 2024 139823205353216 STATE (dumpfile), dumpfile io thread is running +Fri Aug 16 21:00:39 2024 139823205353216 STATE (dumpfile), dumpfile io thread has processed all pcap files, wait for exit +Fri Aug 16 21:00:39 2024 139823384804160 STATE (stellar), clean worker thread 0 context +Fri Aug 16 21:00:39 2024 139823196960512 STATE (stellar), worker thread 0 runing +Fri Aug 16 21:00:39 2024 139823196960512 STATE (stellar), worker thread 0 exit !!! +Fri Aug 16 21:00:40 2024 139823205353216 STATE (dumpfile), dumpfile io thread exit !!! +Fri Aug 16 21:00:40 2024 139823384804160 STATE (stellar), stellar exit !!! + +Fri Aug 16 21:04:31 2024 140372655012672 STATE (stellar), start stellar (version: 1.0.0-a59eca7) + _ _ _ + ___ | |_ ___ | | | | __ _ _ __ + / __| | __| / _ \ | | | | / _` | | '__| + \__ \ | |_ | __/ | | | | | (_| | | | + |___/ \__| \___| |_| |_| \__,_| |_| + +Fri Aug 16 21:04:31 2024 140372655012672 STATE (stellar), log config file : ./conf/log.toml +Fri Aug 16 21:04:31 2024 140372655012672 STATE (stellar), main config file : ./conf/stellar.toml +Fri Aug 16 21:04:31 2024 140372655012672 STATE (stellar), plugin config file : ./plugin/spec.toml +Fri Aug 16 21:04:31 2024 140372550297344 STATE (dumpfile), dumpfile io thread is running +Fri Aug 16 21:04:31 2024 140372550297344 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/dns_pcap/1-dns-tcp-single-53-124.88.175.201-8.8.8.8.pcap in-processing +Fri Aug 16 21:04:31 2024 140372550297344 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/dns_pcap/1-dns-tcp-single-53-124.88.175.201-8.8.8.8.pcap processed +Fri Aug 16 21:04:31 2024 140372550297344 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/dns_pcap/2-dns-tcp-single-53-60.13.179.249-8.8.8.8.pcap in-processing +Fri Aug 16 21:04:31 2024 140372550297344 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/dns_pcap/2-dns-tcp-single-53-60.13.179.249-8.8.8.8.pcap processed +Fri Aug 16 21:04:31 2024 140372550297344 STATE (dumpfile), dumpfile io thread has processed all pcap files, wait for exit +Fri Aug 16 21:04:31 2024 140372655012672 STATE (stellar), clean worker thread 0 context +Fri Aug 16 21:04:31 2024 140372541904640 STATE (stellar), worker thread 0 runing +Fri Aug 16 21:04:31 2024 140372541904640 STATE (stellar), worker thread 0 exit !!! +Fri Aug 16 21:04:32 2024 140372550297344 STATE (dumpfile), dumpfile io thread exit !!! +Fri Aug 16 21:04:32 2024 140372655012672 STATE (stellar), stellar exit !!! + +Fri Aug 16 21:04:32 2024 140372655012672 STATE (stellar), start stellar (version: 1.0.0-a59eca7) + _ _ _ + ___ | |_ ___ | | | | __ _ _ __ + / __| | __| / _ \ | | | | / _` | | '__| + \__ \ | |_ | __/ | | | | | (_| | | | + |___/ \__| \___| |_| |_| \__,_| |_| + +Fri Aug 16 21:04:32 2024 140372655012672 STATE (stellar), log config file : ./conf/log.toml +Fri Aug 16 21:04:32 2024 140372655012672 STATE (stellar), main config file : ./conf/stellar.toml +Fri Aug 16 21:04:32 2024 140372655012672 STATE (stellar), plugin config file : ./plugin/spec.toml +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile io thread is running +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/01-http-not-ftp.pcap in-processing +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/01-http-not-ftp.pcap processed +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/02-stun-rtcp-rtp-22005-8000-39.144.206.199-117.156.19.31.pcap in-processing +Fri Aug 16 21:04:32 2024 140372655012672 STATE (stellar), clean worker thread 0 context +Fri Aug 16 21:04:32 2024 140372364330752 STATE (stellar), worker thread 0 runing +Fri Aug 16 21:04:32 2024 140372364330752 STATE (stellar), worker thread 0 exit !!! +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/02-stun-rtcp-rtp-22005-8000-39.144.206.199-117.156.19.31.pcap processed +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/03-ftp-37923-21121-117.145.115.74-218.31.124.234.pcap in-processing +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/03-ftp-37923-21121-117.145.115.74-218.31.124.234.pcap processed +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/04-mail_smtp_port_18867_25.pcap in-processing +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/04-mail_smtp_port_18867_25.pcap processed +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/05-ftp_port_21121-double.pcap in-processing +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/05-ftp_port_21121-double.pcap processed +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/07-ftp_port_21121-c2s.pcap in-processing +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/07-ftp_port_21121-c2s.pcap processed +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/06-ftp_port_21121-s2c.pcap in-processing +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/06-ftp_port_21121-s2c.pcap processed +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/08-gquic-023-85.117.117.169.47762-173.194.73.95.443.pcap in-processing +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/08-gquic-023-85.117.117.169.47762-173.194.73.95.443.pcap processed +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/09-gquic-025-85.117.113.98.4340-74.125.131.95.443.pcap in-processing +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/09-gquic-025-85.117.113.98.4340-74.125.131.95.443.pcap processed +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/10-gquic-033-90.143.189.5.8026-173.194.188.40.443.pcap in-processing +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/10-gquic-033-90.143.189.5.8026-173.194.188.40.443.pcap processed +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/11-gquic-034-85.117.125.8.21243-173.194.73.102.443.pcap in-processing +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/11-gquic-034-85.117.125.8.21243-173.194.73.102.443.pcap processed +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/12-gquic-035-redirector.googlevideo.com-85.117.122.194.32370-173.194.220.138.443.pcap in-processing +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/12-gquic-035-redirector.googlevideo.com-85.117.122.194.32370-173.194.220.138.443.pcap processed +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/13-gquic-037-10.32.121.249.33765-64.233.161.95.443.pcap in-processing +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/13-gquic-037-10.32.121.249.33765-64.233.161.95.443.pcap processed +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/14-gquic-039-redirector.googlevideo.com-85.117.119.45.22495-173.194.73.101.443.pcap in-processing +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/14-gquic-039-redirector.googlevideo.com-85.117.119.45.22495-173.194.73.101.443.pcap processed +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/15-gquic-041-90.143.180.56.28496-64.233.165.113.443.pcap in-processing +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/15-gquic-041-90.143.180.56.28496-64.233.165.113.443.pcap processed +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/16-gquic-041-90.143.180.56.28496-64.233.165.113.443.pcap in-processing +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/16-gquic-041-90.143.180.56.28496-64.233.165.113.443.pcap processed +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/17-gquic-044-146.158.67.194.1044-108.177.14.138.443.pcap in-processing +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/17-gquic-044-146.158.67.194.1044-108.177.14.138.443.pcap processed +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/18-gquic-046-36.142.158.169.16385-36.189.11.71.443.pcap in-processing +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/18-gquic-046-36.142.158.169.16385-36.189.11.71.443.pcap processed +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/21-iquic-29-192.168.50.29.61891-31.13.77.35.443.pcap in-processing +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/21-iquic-29-192.168.50.29.61891-31.13.77.35.443.pcap processed +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/22-mvfst-01-i.instagram.com-192.168.60.9.55659-69.171.250.63.443.pcap in-processing +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/22-mvfst-01-i.instagram.com-192.168.60.9.55659-69.171.250.63.443.pcap processed +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/23-mvfst-02-192.168.137.141.50006-31.13.77.17.443.pcap in-processing +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/23-mvfst-02-192.168.137.141.50006-31.13.77.17.443.pcap processed +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/23-prox-quic-217.76.77.70.33232-173.194.220.105.443.pcap in-processing +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/23-prox-quic-217.76.77.70.33232-173.194.220.105.443.pcap processed +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/24-ietf-rfc9000-192.168.60.32.59699-64.233.164.84.443.pcap in-processing +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/24-ietf-rfc9000-192.168.60.32.59699-64.233.164.84.443.pcap processed +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/25-tquic-51-195.12.120.14.41803-173.194.222.101.443.pcap in-processing +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/25-tquic-51-195.12.120.14.41803-173.194.222.101.443.pcap processed +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/26-smtp-55426-587-10.130.2.104-67.225.241.247.pcap in-processing +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/26-smtp-55426-587-10.130.2.104-67.225.241.247.pcap processed +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/27-pop-54776-110-196.188.12.179-192.185.31.244.pcap in-processing +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/27-pop-54776-110-196.188.12.179-192.185.31.244.pcap processed +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/28-Bole-IGW-SMTP-57719-26-10.130.13.155-50.87.145.154-2.pcap in-processing +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/28-Bole-IGW-SMTP-57719-26-10.130.13.155-50.87.145.154-2.pcap processed +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/29-Bole-IGW-SMTP-14636-25-196.189.57.105-68.232.159.216-2.pcap in-processing +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/29-Bole-IGW-SMTP-14636-25-196.189.57.105-68.232.159.216-2.pcap processed +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/30-Bole-IGW-SMTP-20997-25-196.190.160.6-64.225.54.152.pcap in-processing +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/30-Bole-IGW-SMTP-20997-25-196.190.160.6-64.225.54.152.pcap processed +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/31-Bole-IGW-POP3-50020-110-196.188.3.8-82.98.178.159.pcap in-processing +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/31-Bole-IGW-POP3-50020-110-196.188.3.8-82.98.178.159.pcap processed +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/32-Bole-IGW-POP3-53357-110-196.189.0.15-39.156.6.106.pcap in-processing +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/32-Bole-IGW-POP3-53357-110-196.189.0.15-39.156.6.106.pcap processed +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/33-Bole-IGW-IMAP-36734-143-196.189.5.89-101.32.113.90.pcap in-processing +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/33-Bole-IGW-IMAP-36734-143-196.189.5.89-101.32.113.90.pcap processed +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/34-Bole-IGW-IMAP-50415-143-196.188.28.149-69.195.110.51.pcap in-processing +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/34-Bole-IGW-IMAP-50415-143-196.188.28.149-69.195.110.51.pcap processed +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/35-Bole-IGW-SMTP-587-1440-587-196.189.45.189-40.101.92.178.pcap in-processing +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/35-Bole-IGW-SMTP-587-1440-587-196.189.45.189-40.101.92.178.pcap processed +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/36-Bole-IGW-SMTP-587-37943-587-196.191.120.240-81.19.77.166.pcap in-processing +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/36-Bole-IGW-SMTP-587-37943-587-196.191.120.240-81.19.77.166.pcap processed +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/37-dns-response-4029-53-115.24.235.11-8.210.152.150.pcap in-processing +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/37-dns-response-4029-53-115.24.235.11-8.210.152.150.pcap processed +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/38-stun-dtls.pcap in-processing +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/38-stun-dtls.pcap processed +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/19-gquic-048-103.3.138.59.12521-123.125.116.52.443.pcap in-processing +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/19-gquic-048-103.3.138.59.12521-123.125.116.52.443.pcap processed +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/39-pop3-mistake-redis.pcap in-processing +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/39-pop3-mistake-redis.pcap processed +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/20-gquic-050-i.ytimg.com-172.20.9.135.65045-64.233.162.119.443.pcap in-processing +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/20-gquic-050-i.ytimg.com-172.20.9.135.65045-64.233.162.119.443.pcap processed +Fri Aug 16 21:04:32 2024 140372533511936 STATE (dumpfile), dumpfile io thread has processed all pcap files, wait for exit +Fri Aug 16 21:04:33 2024 140372533511936 STATE (dumpfile), dumpfile io thread exit !!! +Fri Aug 16 21:04:33 2024 140372655012672 STATE (stellar), stellar exit !!! + +Fri Aug 16 21:04:33 2024 140372655012672 STATE (stellar), start stellar (version: 1.0.0-a59eca7) + _ _ _ + ___ | |_ ___ | | | | __ _ _ __ + / __| | __| / _ \ | | | | / _` | | '__| + \__ \ | |_ | __/ | | | | | (_| | | | + |___/ \__| \___| |_| |_| \__,_| |_| + +Fri Aug 16 21:04:33 2024 140372655012672 STATE (stellar), log config file : ./conf/log.toml +Fri Aug 16 21:04:33 2024 140372655012672 STATE (stellar), main config file : ./conf/stellar.toml +Fri Aug 16 21:04:33 2024 140372655012672 STATE (stellar), plugin config file : ./plugin/spec.toml +Fri Aug 16 21:04:33 2024 140372509132544 STATE (dumpfile), dumpfile io thread is running +Fri Aug 16 21:04:33 2024 140372509132544 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/11-ipv6_openvpn.pcap in-processing +Fri Aug 16 21:04:33 2024 140372509132544 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/11-ipv6_openvpn.pcap processed +Fri Aug 16 21:04:33 2024 140372509132544 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/10-openvpn-udp-49941.pcap in-processing +Fri Aug 16 21:04:33 2024 140372509132544 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/10-openvpn-udp-49941.pcap processed +Fri Aug 16 21:04:33 2024 140372509132544 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/12-quic-openvpn.pcap in-processing +Fri Aug 16 21:04:33 2024 140372509132544 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/12-quic-openvpn.pcap processed +Fri Aug 16 21:04:33 2024 140372509132544 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/01-openvpn-udp-port-1198-first.pcap in-processing +Fri Aug 16 21:04:33 2024 140372509132544 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/01-openvpn-udp-port-1198-first.pcap processed +Fri Aug 16 21:04:33 2024 140372509132544 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/02-openvpn-nDPI.pcap in-processing +Fri Aug 16 21:04:33 2024 140372509132544 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/02-openvpn-nDPI.pcap processed +Fri Aug 16 21:04:33 2024 140372509132544 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/03-openvpn_onestream.pcap in-processing +Fri Aug 16 21:04:33 2024 140372509132544 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/03-openvpn_onestream.pcap processed +Fri Aug 16 21:04:33 2024 140372509132544 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/04-openvpn-udp-63111.pcap in-processing +Fri Aug 16 21:04:33 2024 140372509132544 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/04-openvpn-udp-63111.pcap processed +Fri Aug 16 21:04:33 2024 140372509132544 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/05-openvpn-udp-34400.pcap in-processing +Fri Aug 16 21:04:33 2024 140372509132544 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/05-openvpn-udp-34400.pcap processed +Fri Aug 16 21:04:33 2024 140372509132544 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/06-openvpn-udp-40914.pcap in-processing +Fri Aug 16 21:04:33 2024 140372509132544 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/06-openvpn-udp-40914.pcap processed +Fri Aug 16 21:04:33 2024 140372509132544 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/07-openvpn.tcp.pcap in-processing +Fri Aug 16 21:04:33 2024 140372509132544 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/07-openvpn.tcp.pcap processed +Fri Aug 16 21:04:33 2024 140372509132544 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/08-ovpntcp_hmac.pcap in-processing +Fri Aug 16 21:04:33 2024 140372509132544 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/08-ovpntcp_hmac.pcap processed +Fri Aug 16 21:04:33 2024 140372509132544 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/09-ovpntcp_nohmac.pcap in-processing +Fri Aug 16 21:04:33 2024 140372509132544 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/09-ovpntcp_nohmac.pcap processed +Fri Aug 16 21:04:33 2024 140372509132544 STATE (dumpfile), dumpfile io thread has processed all pcap files, wait for exit +Fri Aug 16 21:04:33 2024 140372655012672 STATE (stellar), clean worker thread 0 context +Fri Aug 16 21:04:33 2024 140372500739840 STATE (stellar), worker thread 0 runing +Fri Aug 16 21:04:33 2024 140372500739840 STATE (stellar), worker thread 0 exit !!! +Fri Aug 16 21:04:34 2024 140372509132544 STATE (dumpfile), dumpfile io thread exit !!! +Fri Aug 16 21:04:34 2024 140372655012672 STATE (stellar), stellar exit !!! + +Fri Aug 16 21:04:34 2024 140372655012672 STATE (stellar), start stellar (version: 1.0.0-a59eca7) + _ _ _ + ___ | |_ ___ | | | | __ _ _ __ + / __| | __| / _ \ | | | | / _` | | '__| + \__ \ | |_ | __/ | | | | | (_| | | | + |___/ \__| \___| |_| |_| \__,_| |_| + +Fri Aug 16 21:04:34 2024 140372655012672 STATE (stellar), log config file : ./conf/log.toml +Fri Aug 16 21:04:34 2024 140372655012672 STATE (stellar), main config file : ./conf/stellar.toml +Fri Aug 16 21:04:34 2024 140372655012672 STATE (stellar), plugin config file : ./plugin/spec.toml +Fri Aug 16 21:04:35 2024 140372492347136 STATE (dumpfile), dumpfile io thread is running +Fri Aug 16 21:04:35 2024 140372492347136 STATE (dumpfile), dumpfile io thread has processed all pcap files, wait for exit +Fri Aug 16 21:04:35 2024 140372655012672 STATE (stellar), clean worker thread 0 context +Fri Aug 16 21:04:35 2024 140372483954432 STATE (stellar), worker thread 0 runing +Fri Aug 16 21:04:35 2024 140372483954432 STATE (stellar), worker thread 0 exit !!! +Fri Aug 16 21:04:36 2024 140372492347136 STATE (dumpfile), dumpfile io thread exit !!! +Fri Aug 16 21:04:36 2024 140372655012672 STATE (stellar), stellar exit !!! + +Fri Aug 16 21:04:36 2024 140372655012672 STATE (stellar), start stellar (version: 1.0.0-a59eca7) + _ _ _ + ___ | |_ ___ | | | | __ _ _ __ + / __| | __| / _ \ | | | | / _` | | '__| + \__ \ | |_ | __/ | | | | | (_| | | | + |___/ \__| \___| |_| |_| \__,_| |_| + +Fri Aug 16 21:04:36 2024 140372655012672 STATE (stellar), log config file : ./conf/log.toml +Fri Aug 16 21:04:36 2024 140372655012672 STATE (stellar), main config file : ./conf/stellar.toml +Fri Aug 16 21:04:36 2024 140372655012672 STATE (stellar), plugin config file : ./plugin/spec.toml +Fri Aug 16 21:04:36 2024 140372475561728 STATE (dumpfile), dumpfile io thread is running +Fri Aug 16 21:04:36 2024 140372475561728 STATE (dumpfile), dumpfile io thread has processed all pcap files, wait for exit +Fri Aug 16 21:04:36 2024 140372655012672 STATE (stellar), clean worker thread 0 context +Fri Aug 16 21:04:36 2024 140372467169024 STATE (stellar), worker thread 0 runing +Fri Aug 16 21:04:36 2024 140372467169024 STATE (stellar), worker thread 0 exit !!! +Fri Aug 16 21:04:37 2024 140372475561728 STATE (dumpfile), dumpfile io thread exit !!! +Fri Aug 16 21:04:37 2024 140372655012672 STATE (stellar), stellar exit !!! + +Fri Aug 16 21:06:00 2024 140268265610048 STATE (stellar), start stellar (version: 1.0.0-a59eca7) + _ _ _ + ___ | |_ ___ | | | | __ _ _ __ + / __| | __| / _ \ | | | | / _` | | '__| + \__ \ | |_ | __/ | | | | | (_| | | | + |___/ \__| \___| |_| |_| \__,_| |_| + +Fri Aug 16 21:06:00 2024 140268265610048 STATE (stellar), log config file : ./conf/log.toml +Fri Aug 16 21:06:00 2024 140268265610048 STATE (stellar), main config file : ./conf/stellar.toml +Fri Aug 16 21:06:00 2024 140268265610048 STATE (stellar), plugin config file : ./plugin/spec.toml +Fri Aug 16 21:06:00 2024 140268160894720 STATE (dumpfile), dumpfile io thread is running +Fri Aug 16 21:06:00 2024 140268160894720 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/dns_pcap/1-dns-tcp-single-53-124.88.175.201-8.8.8.8.pcap in-processing +Fri Aug 16 21:06:00 2024 140268160894720 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/dns_pcap/1-dns-tcp-single-53-124.88.175.201-8.8.8.8.pcap processed +Fri Aug 16 21:06:00 2024 140268160894720 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/dns_pcap/2-dns-tcp-single-53-60.13.179.249-8.8.8.8.pcap in-processing +Fri Aug 16 21:06:00 2024 140268160894720 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/dns_pcap/2-dns-tcp-single-53-60.13.179.249-8.8.8.8.pcap processed +Fri Aug 16 21:06:00 2024 140268160894720 STATE (dumpfile), dumpfile io thread has processed all pcap files, wait for exit +Fri Aug 16 21:06:00 2024 140268265610048 STATE (stellar), clean worker thread 0 context +Fri Aug 16 21:06:00 2024 140268152502016 STATE (stellar), worker thread 0 runing +Fri Aug 16 21:06:00 2024 140268152502016 STATE (stellar), worker thread 0 exit !!! +Fri Aug 16 21:06:01 2024 140268160894720 STATE (dumpfile), dumpfile io thread exit !!! +Fri Aug 16 21:06:01 2024 140268265610048 STATE (stellar), stellar exit !!! + +Fri Aug 16 21:06:01 2024 140268265610048 STATE (stellar), start stellar (version: 1.0.0-a59eca7) + _ _ _ + ___ | |_ ___ | | | | __ _ _ __ + / __| | __| / _ \ | | | | / _` | | '__| + \__ \ | |_ | __/ | | | | | (_| | | | + |___/ \__| \___| |_| |_| \__,_| |_| + +Fri Aug 16 21:06:01 2024 140268265610048 STATE (stellar), log config file : ./conf/log.toml +Fri Aug 16 21:06:01 2024 140268265610048 STATE (stellar), main config file : ./conf/stellar.toml +Fri Aug 16 21:06:01 2024 140268265610048 STATE (stellar), plugin config file : ./plugin/spec.toml +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile io thread is running +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/01-http-not-ftp.pcap in-processing +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/01-http-not-ftp.pcap processed +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/02-stun-rtcp-rtp-22005-8000-39.144.206.199-117.156.19.31.pcap in-processing +Fri Aug 16 21:06:01 2024 140268265610048 STATE (stellar), clean worker thread 0 context +Fri Aug 16 21:06:01 2024 140267974928128 STATE (stellar), worker thread 0 runing +Fri Aug 16 21:06:01 2024 140267974928128 STATE (stellar), worker thread 0 exit !!! +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/02-stun-rtcp-rtp-22005-8000-39.144.206.199-117.156.19.31.pcap processed +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/03-ftp-37923-21121-117.145.115.74-218.31.124.234.pcap in-processing +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/03-ftp-37923-21121-117.145.115.74-218.31.124.234.pcap processed +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/04-mail_smtp_port_18867_25.pcap in-processing +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/04-mail_smtp_port_18867_25.pcap processed +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/05-ftp_port_21121-double.pcap in-processing +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/05-ftp_port_21121-double.pcap processed +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/07-ftp_port_21121-c2s.pcap in-processing +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/07-ftp_port_21121-c2s.pcap processed +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/06-ftp_port_21121-s2c.pcap in-processing +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/06-ftp_port_21121-s2c.pcap processed +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/08-gquic-023-85.117.117.169.47762-173.194.73.95.443.pcap in-processing +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/08-gquic-023-85.117.117.169.47762-173.194.73.95.443.pcap processed +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/09-gquic-025-85.117.113.98.4340-74.125.131.95.443.pcap in-processing +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/09-gquic-025-85.117.113.98.4340-74.125.131.95.443.pcap processed +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/10-gquic-033-90.143.189.5.8026-173.194.188.40.443.pcap in-processing +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/10-gquic-033-90.143.189.5.8026-173.194.188.40.443.pcap processed +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/11-gquic-034-85.117.125.8.21243-173.194.73.102.443.pcap in-processing +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/11-gquic-034-85.117.125.8.21243-173.194.73.102.443.pcap processed +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/12-gquic-035-redirector.googlevideo.com-85.117.122.194.32370-173.194.220.138.443.pcap in-processing +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/12-gquic-035-redirector.googlevideo.com-85.117.122.194.32370-173.194.220.138.443.pcap processed +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/13-gquic-037-10.32.121.249.33765-64.233.161.95.443.pcap in-processing +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/13-gquic-037-10.32.121.249.33765-64.233.161.95.443.pcap processed +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/14-gquic-039-redirector.googlevideo.com-85.117.119.45.22495-173.194.73.101.443.pcap in-processing +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/14-gquic-039-redirector.googlevideo.com-85.117.119.45.22495-173.194.73.101.443.pcap processed +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/15-gquic-041-90.143.180.56.28496-64.233.165.113.443.pcap in-processing +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/15-gquic-041-90.143.180.56.28496-64.233.165.113.443.pcap processed +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/16-gquic-041-90.143.180.56.28496-64.233.165.113.443.pcap in-processing +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/16-gquic-041-90.143.180.56.28496-64.233.165.113.443.pcap processed +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/17-gquic-044-146.158.67.194.1044-108.177.14.138.443.pcap in-processing +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/17-gquic-044-146.158.67.194.1044-108.177.14.138.443.pcap processed +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/18-gquic-046-36.142.158.169.16385-36.189.11.71.443.pcap in-processing +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/18-gquic-046-36.142.158.169.16385-36.189.11.71.443.pcap processed +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/21-iquic-29-192.168.50.29.61891-31.13.77.35.443.pcap in-processing +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/21-iquic-29-192.168.50.29.61891-31.13.77.35.443.pcap processed +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/22-mvfst-01-i.instagram.com-192.168.60.9.55659-69.171.250.63.443.pcap in-processing +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/22-mvfst-01-i.instagram.com-192.168.60.9.55659-69.171.250.63.443.pcap processed +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/23-mvfst-02-192.168.137.141.50006-31.13.77.17.443.pcap in-processing +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/23-mvfst-02-192.168.137.141.50006-31.13.77.17.443.pcap processed +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/23-prox-quic-217.76.77.70.33232-173.194.220.105.443.pcap in-processing +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/23-prox-quic-217.76.77.70.33232-173.194.220.105.443.pcap processed +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/24-ietf-rfc9000-192.168.60.32.59699-64.233.164.84.443.pcap in-processing +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/24-ietf-rfc9000-192.168.60.32.59699-64.233.164.84.443.pcap processed +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/25-tquic-51-195.12.120.14.41803-173.194.222.101.443.pcap in-processing +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/25-tquic-51-195.12.120.14.41803-173.194.222.101.443.pcap processed +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/26-smtp-55426-587-10.130.2.104-67.225.241.247.pcap in-processing +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/26-smtp-55426-587-10.130.2.104-67.225.241.247.pcap processed +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/27-pop-54776-110-196.188.12.179-192.185.31.244.pcap in-processing +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/27-pop-54776-110-196.188.12.179-192.185.31.244.pcap processed +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/28-Bole-IGW-SMTP-57719-26-10.130.13.155-50.87.145.154-2.pcap in-processing +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/28-Bole-IGW-SMTP-57719-26-10.130.13.155-50.87.145.154-2.pcap processed +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/29-Bole-IGW-SMTP-14636-25-196.189.57.105-68.232.159.216-2.pcap in-processing +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/29-Bole-IGW-SMTP-14636-25-196.189.57.105-68.232.159.216-2.pcap processed +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/30-Bole-IGW-SMTP-20997-25-196.190.160.6-64.225.54.152.pcap in-processing +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/30-Bole-IGW-SMTP-20997-25-196.190.160.6-64.225.54.152.pcap processed +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/31-Bole-IGW-POP3-50020-110-196.188.3.8-82.98.178.159.pcap in-processing +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/31-Bole-IGW-POP3-50020-110-196.188.3.8-82.98.178.159.pcap processed +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/32-Bole-IGW-POP3-53357-110-196.189.0.15-39.156.6.106.pcap in-processing +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/32-Bole-IGW-POP3-53357-110-196.189.0.15-39.156.6.106.pcap processed +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/33-Bole-IGW-IMAP-36734-143-196.189.5.89-101.32.113.90.pcap in-processing +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/33-Bole-IGW-IMAP-36734-143-196.189.5.89-101.32.113.90.pcap processed +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/34-Bole-IGW-IMAP-50415-143-196.188.28.149-69.195.110.51.pcap in-processing +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/34-Bole-IGW-IMAP-50415-143-196.188.28.149-69.195.110.51.pcap processed +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/35-Bole-IGW-SMTP-587-1440-587-196.189.45.189-40.101.92.178.pcap in-processing +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/35-Bole-IGW-SMTP-587-1440-587-196.189.45.189-40.101.92.178.pcap processed +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/36-Bole-IGW-SMTP-587-37943-587-196.191.120.240-81.19.77.166.pcap in-processing +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/36-Bole-IGW-SMTP-587-37943-587-196.191.120.240-81.19.77.166.pcap processed +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/37-dns-response-4029-53-115.24.235.11-8.210.152.150.pcap in-processing +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/37-dns-response-4029-53-115.24.235.11-8.210.152.150.pcap processed +Fri Aug 16 21:06:01 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/38-stun-dtls.pcap in-processing +Fri Aug 16 21:06:02 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/38-stun-dtls.pcap processed +Fri Aug 16 21:06:02 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/19-gquic-048-103.3.138.59.12521-123.125.116.52.443.pcap in-processing +Fri Aug 16 21:06:02 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/19-gquic-048-103.3.138.59.12521-123.125.116.52.443.pcap processed +Fri Aug 16 21:06:02 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/39-pop3-mistake-redis.pcap in-processing +Fri Aug 16 21:06:02 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/39-pop3-mistake-redis.pcap processed +Fri Aug 16 21:06:02 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/20-gquic-050-i.ytimg.com-172.20.9.135.65045-64.233.162.119.443.pcap in-processing +Fri Aug 16 21:06:02 2024 140268144109312 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/20-gquic-050-i.ytimg.com-172.20.9.135.65045-64.233.162.119.443.pcap processed +Fri Aug 16 21:06:02 2024 140268144109312 STATE (dumpfile), dumpfile io thread has processed all pcap files, wait for exit +Fri Aug 16 21:06:03 2024 140268144109312 STATE (dumpfile), dumpfile io thread exit !!! +Fri Aug 16 21:06:03 2024 140268265610048 STATE (stellar), stellar exit !!! + +Fri Aug 16 21:06:03 2024 140268265610048 STATE (stellar), start stellar (version: 1.0.0-a59eca7) + _ _ _ + ___ | |_ ___ | | | | __ _ _ __ + / __| | __| / _ \ | | | | / _` | | '__| + \__ \ | |_ | __/ | | | | | (_| | | | + |___/ \__| \___| |_| |_| \__,_| |_| + +Fri Aug 16 21:06:03 2024 140268265610048 STATE (stellar), log config file : ./conf/log.toml +Fri Aug 16 21:06:03 2024 140268265610048 STATE (stellar), main config file : ./conf/stellar.toml +Fri Aug 16 21:06:03 2024 140268265610048 STATE (stellar), plugin config file : ./plugin/spec.toml +Fri Aug 16 21:06:03 2024 140268119729920 STATE (dumpfile), dumpfile io thread is running +Fri Aug 16 21:06:03 2024 140268119729920 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/11-ipv6_openvpn.pcap in-processing +Fri Aug 16 21:06:03 2024 140268119729920 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/11-ipv6_openvpn.pcap processed +Fri Aug 16 21:06:03 2024 140268119729920 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/10-openvpn-udp-49941.pcap in-processing +Fri Aug 16 21:06:03 2024 140268119729920 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/10-openvpn-udp-49941.pcap processed +Fri Aug 16 21:06:03 2024 140268119729920 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/12-quic-openvpn.pcap in-processing +Fri Aug 16 21:06:03 2024 140268119729920 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/12-quic-openvpn.pcap processed +Fri Aug 16 21:06:03 2024 140268119729920 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/01-openvpn-udp-port-1198-first.pcap in-processing +Fri Aug 16 21:06:03 2024 140268119729920 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/01-openvpn-udp-port-1198-first.pcap processed +Fri Aug 16 21:06:03 2024 140268119729920 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/02-openvpn-nDPI.pcap in-processing +Fri Aug 16 21:06:03 2024 140268119729920 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/02-openvpn-nDPI.pcap processed +Fri Aug 16 21:06:03 2024 140268119729920 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/03-openvpn_onestream.pcap in-processing +Fri Aug 16 21:06:03 2024 140268119729920 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/03-openvpn_onestream.pcap processed +Fri Aug 16 21:06:03 2024 140268119729920 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/04-openvpn-udp-63111.pcap in-processing +Fri Aug 16 21:06:03 2024 140268119729920 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/04-openvpn-udp-63111.pcap processed +Fri Aug 16 21:06:03 2024 140268119729920 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/05-openvpn-udp-34400.pcap in-processing +Fri Aug 16 21:06:03 2024 140268119729920 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/05-openvpn-udp-34400.pcap processed +Fri Aug 16 21:06:03 2024 140268119729920 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/06-openvpn-udp-40914.pcap in-processing +Fri Aug 16 21:06:03 2024 140268119729920 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/06-openvpn-udp-40914.pcap processed +Fri Aug 16 21:06:03 2024 140268119729920 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/07-openvpn.tcp.pcap in-processing +Fri Aug 16 21:06:03 2024 140268119729920 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/07-openvpn.tcp.pcap processed +Fri Aug 16 21:06:03 2024 140268119729920 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/08-ovpntcp_hmac.pcap in-processing +Fri Aug 16 21:06:03 2024 140268119729920 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/08-ovpntcp_hmac.pcap processed +Fri Aug 16 21:06:03 2024 140268119729920 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/09-ovpntcp_nohmac.pcap in-processing +Fri Aug 16 21:06:03 2024 140268119729920 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/09-ovpntcp_nohmac.pcap processed +Fri Aug 16 21:06:03 2024 140268119729920 STATE (dumpfile), dumpfile io thread has processed all pcap files, wait for exit +Fri Aug 16 21:06:03 2024 140268265610048 STATE (stellar), clean worker thread 0 context +Fri Aug 16 21:06:03 2024 140268111337216 STATE (stellar), worker thread 0 runing +Fri Aug 16 21:06:03 2024 140268111337216 STATE (stellar), worker thread 0 exit !!! +Fri Aug 16 21:06:04 2024 140268119729920 STATE (dumpfile), dumpfile io thread exit !!! +Fri Aug 16 21:06:04 2024 140268265610048 STATE (stellar), stellar exit !!! + +Fri Aug 16 21:06:04 2024 140268265610048 STATE (stellar), start stellar (version: 1.0.0-a59eca7) + _ _ _ + ___ | |_ ___ | | | | __ _ _ __ + / __| | __| / _ \ | | | | / _` | | '__| + \__ \ | |_ | __/ | | | | | (_| | | | + |___/ \__| \___| |_| |_| \__,_| |_| + +Fri Aug 16 21:06:04 2024 140268265610048 STATE (stellar), log config file : ./conf/log.toml +Fri Aug 16 21:06:04 2024 140268265610048 STATE (stellar), main config file : ./conf/stellar.toml +Fri Aug 16 21:06:04 2024 140268265610048 STATE (stellar), plugin config file : ./plugin/spec.toml +Fri Aug 16 21:06:04 2024 140268102944512 STATE (dumpfile), dumpfile io thread is running +Fri Aug 16 21:06:04 2024 140268102944512 STATE (dumpfile), dumpfile io thread has processed all pcap files, wait for exit +Fri Aug 16 21:06:04 2024 140268265610048 STATE (stellar), clean worker thread 0 context +Fri Aug 16 21:06:04 2024 140268094551808 STATE (stellar), worker thread 0 runing +Fri Aug 16 21:06:04 2024 140268094551808 STATE (stellar), worker thread 0 exit !!! +Fri Aug 16 21:06:05 2024 140268102944512 STATE (dumpfile), dumpfile io thread exit !!! +Fri Aug 16 21:06:05 2024 140268265610048 STATE (stellar), stellar exit !!! + +Fri Aug 16 21:06:05 2024 140268265610048 STATE (stellar), start stellar (version: 1.0.0-a59eca7) + _ _ _ + ___ | |_ ___ | | | | __ _ _ __ + / __| | __| / _ \ | | | | / _` | | '__| + \__ \ | |_ | __/ | | | | | (_| | | | + |___/ \__| \___| |_| |_| \__,_| |_| + +Fri Aug 16 21:06:05 2024 140268265610048 STATE (stellar), log config file : ./conf/log.toml +Fri Aug 16 21:06:05 2024 140268265610048 STATE (stellar), main config file : ./conf/stellar.toml +Fri Aug 16 21:06:05 2024 140268265610048 STATE (stellar), plugin config file : ./plugin/spec.toml +Fri Aug 16 21:06:05 2024 140268086159104 STATE (dumpfile), dumpfile io thread is running +Fri Aug 16 21:06:05 2024 140268086159104 STATE (dumpfile), dumpfile io thread has processed all pcap files, wait for exit +Fri Aug 16 21:06:05 2024 140268265610048 STATE (stellar), clean worker thread 0 context +Fri Aug 16 21:06:05 2024 140268077766400 STATE (stellar), worker thread 0 runing +Fri Aug 16 21:06:05 2024 140268077766400 STATE (stellar), worker thread 0 exit !!! +Fri Aug 16 21:06:05 2024 140268265610048 STATE (stellar), SIGINT received, notify threads to exit !!! +Fri Aug 16 21:06:06 2024 140268086159104 STATE (dumpfile), dumpfile io thread exit !!! +Fri Aug 16 21:06:06 2024 140268265610048 STATE (stellar), stellar exit !!! + +Fri Aug 16 21:06:16 2024 140686103681856 STATE (stellar), start stellar (version: 1.0.0-a59eca7) + _ _ _ + ___ | |_ ___ | | | | __ _ _ __ + / __| | __| / _ \ | | | | / _` | | '__| + \__ \ | |_ | __/ | | | | | (_| | | | + |___/ \__| \___| |_| |_| \__,_| |_| + +Fri Aug 16 21:06:16 2024 140686103681856 STATE (stellar), log config file : ./conf/log.toml +Fri Aug 16 21:06:16 2024 140686103681856 STATE (stellar), main config file : ./conf/stellar.toml +Fri Aug 16 21:06:16 2024 140686103681856 STATE (stellar), plugin config file : ./plugin/spec.toml +Fri Aug 16 21:06:16 2024 140685998966528 STATE (dumpfile), dumpfile io thread is running +Fri Aug 16 21:06:16 2024 140685998966528 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/dns_pcap/1-dns-tcp-single-53-124.88.175.201-8.8.8.8.pcap in-processing +Fri Aug 16 21:06:16 2024 140685998966528 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/dns_pcap/1-dns-tcp-single-53-124.88.175.201-8.8.8.8.pcap processed +Fri Aug 16 21:06:16 2024 140685998966528 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/dns_pcap/2-dns-tcp-single-53-60.13.179.249-8.8.8.8.pcap in-processing +Fri Aug 16 21:06:16 2024 140685998966528 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/dns_pcap/2-dns-tcp-single-53-60.13.179.249-8.8.8.8.pcap processed +Fri Aug 16 21:06:16 2024 140685998966528 STATE (dumpfile), dumpfile io thread has processed all pcap files, wait for exit +Fri Aug 16 21:06:16 2024 140686103681856 STATE (stellar), clean worker thread 0 context +Fri Aug 16 21:06:16 2024 140685990573824 STATE (stellar), worker thread 0 runing +Fri Aug 16 21:06:16 2024 140685990573824 STATE (stellar), worker thread 0 exit !!! +Fri Aug 16 21:06:16 2024 140686103681856 STATE (stellar), SIGINT received, notify threads to exit !!! +Fri Aug 16 21:06:17 2024 140686103681856 STATE (stellar), SIGINT received, notify threads to exit !!! +Fri Aug 16 21:06:17 2024 140686103681856 STATE (stellar), SIGINT received, notify threads to exit !!! +Fri Aug 16 21:06:17 2024 140685998966528 STATE (dumpfile), dumpfile io thread exit !!! +Fri Aug 16 21:06:17 2024 140686103681856 STATE (stellar), stellar exit !!! + +Fri Aug 16 21:06:17 2024 140686103681856 STATE (stellar), start stellar (version: 1.0.0-a59eca7) + _ _ _ + ___ | |_ ___ | | | | __ _ _ __ + / __| | __| / _ \ | | | | / _` | | '__| + \__ \ | |_ | __/ | | | | | (_| | | | + |___/ \__| \___| |_| |_| \__,_| |_| + +Fri Aug 16 21:06:17 2024 140686103681856 STATE (stellar), log config file : ./conf/log.toml +Fri Aug 16 21:06:17 2024 140686103681856 STATE (stellar), main config file : ./conf/stellar.toml +Fri Aug 16 21:06:17 2024 140686103681856 STATE (stellar), plugin config file : ./plugin/spec.toml +Fri Aug 16 21:06:17 2024 140685982181120 STATE (dumpfile), dumpfile io thread is running +Fri Aug 16 21:06:17 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/01-http-not-ftp.pcap in-processing +Fri Aug 16 21:06:17 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/01-http-not-ftp.pcap processed +Fri Aug 16 21:06:17 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/02-stun-rtcp-rtp-22005-8000-39.144.206.199-117.156.19.31.pcap in-processing +Fri Aug 16 21:06:18 2024 140686103681856 STATE (stellar), SIGINT received, notify threads to exit !!! +Fri Aug 16 21:06:18 2024 140686103681856 STATE (stellar), clean worker thread 0 context +Fri Aug 16 21:06:18 2024 140685812999936 STATE (stellar), worker thread 0 runing +Fri Aug 16 21:06:18 2024 140685812999936 STATE (stellar), worker thread 0 exit !!! +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/02-stun-rtcp-rtp-22005-8000-39.144.206.199-117.156.19.31.pcap processed +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/03-ftp-37923-21121-117.145.115.74-218.31.124.234.pcap in-processing +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/03-ftp-37923-21121-117.145.115.74-218.31.124.234.pcap processed +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/04-mail_smtp_port_18867_25.pcap in-processing +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/04-mail_smtp_port_18867_25.pcap processed +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/05-ftp_port_21121-double.pcap in-processing +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/05-ftp_port_21121-double.pcap processed +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/07-ftp_port_21121-c2s.pcap in-processing +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/07-ftp_port_21121-c2s.pcap processed +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/06-ftp_port_21121-s2c.pcap in-processing +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/06-ftp_port_21121-s2c.pcap processed +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/08-gquic-023-85.117.117.169.47762-173.194.73.95.443.pcap in-processing +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/08-gquic-023-85.117.117.169.47762-173.194.73.95.443.pcap processed +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/09-gquic-025-85.117.113.98.4340-74.125.131.95.443.pcap in-processing +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/09-gquic-025-85.117.113.98.4340-74.125.131.95.443.pcap processed +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/10-gquic-033-90.143.189.5.8026-173.194.188.40.443.pcap in-processing +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/10-gquic-033-90.143.189.5.8026-173.194.188.40.443.pcap processed +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/11-gquic-034-85.117.125.8.21243-173.194.73.102.443.pcap in-processing +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/11-gquic-034-85.117.125.8.21243-173.194.73.102.443.pcap processed +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/12-gquic-035-redirector.googlevideo.com-85.117.122.194.32370-173.194.220.138.443.pcap in-processing +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/12-gquic-035-redirector.googlevideo.com-85.117.122.194.32370-173.194.220.138.443.pcap processed +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/13-gquic-037-10.32.121.249.33765-64.233.161.95.443.pcap in-processing +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/13-gquic-037-10.32.121.249.33765-64.233.161.95.443.pcap processed +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/14-gquic-039-redirector.googlevideo.com-85.117.119.45.22495-173.194.73.101.443.pcap in-processing +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/14-gquic-039-redirector.googlevideo.com-85.117.119.45.22495-173.194.73.101.443.pcap processed +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/15-gquic-041-90.143.180.56.28496-64.233.165.113.443.pcap in-processing +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/15-gquic-041-90.143.180.56.28496-64.233.165.113.443.pcap processed +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/16-gquic-041-90.143.180.56.28496-64.233.165.113.443.pcap in-processing +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/16-gquic-041-90.143.180.56.28496-64.233.165.113.443.pcap processed +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/17-gquic-044-146.158.67.194.1044-108.177.14.138.443.pcap in-processing +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/17-gquic-044-146.158.67.194.1044-108.177.14.138.443.pcap processed +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/18-gquic-046-36.142.158.169.16385-36.189.11.71.443.pcap in-processing +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/18-gquic-046-36.142.158.169.16385-36.189.11.71.443.pcap processed +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/21-iquic-29-192.168.50.29.61891-31.13.77.35.443.pcap in-processing +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/21-iquic-29-192.168.50.29.61891-31.13.77.35.443.pcap processed +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/22-mvfst-01-i.instagram.com-192.168.60.9.55659-69.171.250.63.443.pcap in-processing +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/22-mvfst-01-i.instagram.com-192.168.60.9.55659-69.171.250.63.443.pcap processed +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/23-mvfst-02-192.168.137.141.50006-31.13.77.17.443.pcap in-processing +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/23-mvfst-02-192.168.137.141.50006-31.13.77.17.443.pcap processed +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/23-prox-quic-217.76.77.70.33232-173.194.220.105.443.pcap in-processing +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/23-prox-quic-217.76.77.70.33232-173.194.220.105.443.pcap processed +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/24-ietf-rfc9000-192.168.60.32.59699-64.233.164.84.443.pcap in-processing +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/24-ietf-rfc9000-192.168.60.32.59699-64.233.164.84.443.pcap processed +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/25-tquic-51-195.12.120.14.41803-173.194.222.101.443.pcap in-processing +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/25-tquic-51-195.12.120.14.41803-173.194.222.101.443.pcap processed +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/26-smtp-55426-587-10.130.2.104-67.225.241.247.pcap in-processing +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/26-smtp-55426-587-10.130.2.104-67.225.241.247.pcap processed +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/27-pop-54776-110-196.188.12.179-192.185.31.244.pcap in-processing +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/27-pop-54776-110-196.188.12.179-192.185.31.244.pcap processed +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/28-Bole-IGW-SMTP-57719-26-10.130.13.155-50.87.145.154-2.pcap in-processing +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/28-Bole-IGW-SMTP-57719-26-10.130.13.155-50.87.145.154-2.pcap processed +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/29-Bole-IGW-SMTP-14636-25-196.189.57.105-68.232.159.216-2.pcap in-processing +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/29-Bole-IGW-SMTP-14636-25-196.189.57.105-68.232.159.216-2.pcap processed +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/30-Bole-IGW-SMTP-20997-25-196.190.160.6-64.225.54.152.pcap in-processing +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/30-Bole-IGW-SMTP-20997-25-196.190.160.6-64.225.54.152.pcap processed +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/31-Bole-IGW-POP3-50020-110-196.188.3.8-82.98.178.159.pcap in-processing +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/31-Bole-IGW-POP3-50020-110-196.188.3.8-82.98.178.159.pcap processed +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/32-Bole-IGW-POP3-53357-110-196.189.0.15-39.156.6.106.pcap in-processing +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/32-Bole-IGW-POP3-53357-110-196.189.0.15-39.156.6.106.pcap processed +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/33-Bole-IGW-IMAP-36734-143-196.189.5.89-101.32.113.90.pcap in-processing +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/33-Bole-IGW-IMAP-36734-143-196.189.5.89-101.32.113.90.pcap processed +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/34-Bole-IGW-IMAP-50415-143-196.188.28.149-69.195.110.51.pcap in-processing +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/34-Bole-IGW-IMAP-50415-143-196.188.28.149-69.195.110.51.pcap processed +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/35-Bole-IGW-SMTP-587-1440-587-196.189.45.189-40.101.92.178.pcap in-processing +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/35-Bole-IGW-SMTP-587-1440-587-196.189.45.189-40.101.92.178.pcap processed +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/36-Bole-IGW-SMTP-587-37943-587-196.191.120.240-81.19.77.166.pcap in-processing +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/36-Bole-IGW-SMTP-587-37943-587-196.191.120.240-81.19.77.166.pcap processed +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/37-dns-response-4029-53-115.24.235.11-8.210.152.150.pcap in-processing +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/37-dns-response-4029-53-115.24.235.11-8.210.152.150.pcap processed +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/38-stun-dtls.pcap in-processing +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/38-stun-dtls.pcap processed +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/19-gquic-048-103.3.138.59.12521-123.125.116.52.443.pcap in-processing +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/19-gquic-048-103.3.138.59.12521-123.125.116.52.443.pcap processed +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/39-pop3-mistake-redis.pcap in-processing +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/39-pop3-mistake-redis.pcap processed +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/20-gquic-050-i.ytimg.com-172.20.9.135.65045-64.233.162.119.443.pcap in-processing +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/20-gquic-050-i.ytimg.com-172.20.9.135.65045-64.233.162.119.443.pcap processed +Fri Aug 16 21:06:18 2024 140685982181120 STATE (dumpfile), dumpfile io thread has processed all pcap files, wait for exit +Fri Aug 16 21:06:18 2024 140686103681856 STATE (stellar), SIGINT received, notify threads to exit !!! +Fri Aug 16 21:06:19 2024 140686103681856 STATE (stellar), SIGINT received, notify threads to exit !!! +Fri Aug 16 21:06:19 2024 140685982181120 STATE (dumpfile), dumpfile io thread exit !!! +Fri Aug 16 21:06:19 2024 140686103681856 STATE (stellar), stellar exit !!! + +Fri Aug 16 21:06:19 2024 140686103681856 STATE (stellar), start stellar (version: 1.0.0-a59eca7) + _ _ _ + ___ | |_ ___ | | | | __ _ _ __ + / __| | __| / _ \ | | | | / _` | | '__| + \__ \ | |_ | __/ | | | | | (_| | | | + |___/ \__| \___| |_| |_| \__,_| |_| + +Fri Aug 16 21:06:19 2024 140686103681856 STATE (stellar), log config file : ./conf/log.toml +Fri Aug 16 21:06:19 2024 140686103681856 STATE (stellar), main config file : ./conf/stellar.toml +Fri Aug 16 21:06:19 2024 140686103681856 STATE (stellar), plugin config file : ./plugin/spec.toml +Fri Aug 16 21:06:19 2024 140685957801728 STATE (dumpfile), dumpfile io thread is running +Fri Aug 16 21:06:19 2024 140685957801728 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/11-ipv6_openvpn.pcap in-processing +Fri Aug 16 21:06:19 2024 140685957801728 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/11-ipv6_openvpn.pcap processed +Fri Aug 16 21:06:19 2024 140685957801728 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/10-openvpn-udp-49941.pcap in-processing +Fri Aug 16 21:06:19 2024 140685957801728 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/10-openvpn-udp-49941.pcap processed +Fri Aug 16 21:06:19 2024 140685957801728 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/12-quic-openvpn.pcap in-processing +Fri Aug 16 21:06:19 2024 140685957801728 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/12-quic-openvpn.pcap processed +Fri Aug 16 21:06:19 2024 140685957801728 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/01-openvpn-udp-port-1198-first.pcap in-processing +Fri Aug 16 21:06:19 2024 140685957801728 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/01-openvpn-udp-port-1198-first.pcap processed +Fri Aug 16 21:06:19 2024 140685957801728 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/02-openvpn-nDPI.pcap in-processing +Fri Aug 16 21:06:19 2024 140685957801728 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/02-openvpn-nDPI.pcap processed +Fri Aug 16 21:06:19 2024 140685957801728 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/03-openvpn_onestream.pcap in-processing +Fri Aug 16 21:06:19 2024 140685957801728 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/03-openvpn_onestream.pcap processed +Fri Aug 16 21:06:19 2024 140685957801728 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/04-openvpn-udp-63111.pcap in-processing +Fri Aug 16 21:06:19 2024 140685957801728 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/04-openvpn-udp-63111.pcap processed +Fri Aug 16 21:06:19 2024 140685957801728 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/05-openvpn-udp-34400.pcap in-processing +Fri Aug 16 21:06:19 2024 140685957801728 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/05-openvpn-udp-34400.pcap processed +Fri Aug 16 21:06:19 2024 140685957801728 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/06-openvpn-udp-40914.pcap in-processing +Fri Aug 16 21:06:19 2024 140685957801728 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/06-openvpn-udp-40914.pcap processed +Fri Aug 16 21:06:19 2024 140685957801728 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/07-openvpn.tcp.pcap in-processing +Fri Aug 16 21:06:19 2024 140685957801728 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/07-openvpn.tcp.pcap processed +Fri Aug 16 21:06:19 2024 140685957801728 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/08-ovpntcp_hmac.pcap in-processing +Fri Aug 16 21:06:19 2024 140685957801728 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/08-ovpntcp_hmac.pcap processed +Fri Aug 16 21:06:19 2024 140685957801728 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/09-ovpntcp_nohmac.pcap in-processing +Fri Aug 16 21:06:19 2024 140685957801728 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/09-ovpntcp_nohmac.pcap processed +Fri Aug 16 21:06:19 2024 140685957801728 STATE (dumpfile), dumpfile io thread has processed all pcap files, wait for exit +Fri Aug 16 21:06:19 2024 140686103681856 STATE (stellar), clean worker thread 0 context +Fri Aug 16 21:06:19 2024 140685949409024 STATE (stellar), worker thread 0 runing +Fri Aug 16 21:06:19 2024 140685949409024 STATE (stellar), worker thread 0 exit !!! +Fri Aug 16 21:06:20 2024 140685957801728 STATE (dumpfile), dumpfile io thread exit !!! +Fri Aug 16 21:06:20 2024 140686103681856 STATE (stellar), stellar exit !!! + +Fri Aug 16 21:06:20 2024 140686103681856 STATE (stellar), start stellar (version: 1.0.0-a59eca7) + _ _ _ + ___ | |_ ___ | | | | __ _ _ __ + / __| | __| / _ \ | | | | / _` | | '__| + \__ \ | |_ | __/ | | | | | (_| | | | + |___/ \__| \___| |_| |_| \__,_| |_| + +Fri Aug 16 21:06:20 2024 140686103681856 STATE (stellar), log config file : ./conf/log.toml +Fri Aug 16 21:06:20 2024 140686103681856 STATE (stellar), main config file : ./conf/stellar.toml +Fri Aug 16 21:06:20 2024 140686103681856 STATE (stellar), plugin config file : ./plugin/spec.toml +Fri Aug 16 21:06:20 2024 140685941016320 STATE (dumpfile), dumpfile io thread is running +Fri Aug 16 21:06:20 2024 140685941016320 STATE (dumpfile), dumpfile io thread has processed all pcap files, wait for exit +Fri Aug 16 21:06:20 2024 140686103681856 STATE (stellar), clean worker thread 0 context +Fri Aug 16 21:06:20 2024 140685932623616 STATE (stellar), worker thread 0 runing +Fri Aug 16 21:06:20 2024 140685932623616 STATE (stellar), worker thread 0 exit !!! +Fri Aug 16 21:06:21 2024 140685941016320 STATE (dumpfile), dumpfile io thread exit !!! +Fri Aug 16 21:06:21 2024 140686103681856 STATE (stellar), stellar exit !!! + +Fri Aug 16 21:06:21 2024 140686103681856 STATE (stellar), start stellar (version: 1.0.0-a59eca7) + _ _ _ + ___ | |_ ___ | | | | __ _ _ __ + / __| | __| / _ \ | | | | / _` | | '__| + \__ \ | |_ | __/ | | | | | (_| | | | + |___/ \__| \___| |_| |_| \__,_| |_| + +Fri Aug 16 21:06:21 2024 140686103681856 STATE (stellar), log config file : ./conf/log.toml +Fri Aug 16 21:06:21 2024 140686103681856 STATE (stellar), main config file : ./conf/stellar.toml +Fri Aug 16 21:06:21 2024 140686103681856 STATE (stellar), plugin config file : ./plugin/spec.toml +Fri Aug 16 21:06:21 2024 140685924230912 STATE (dumpfile), dumpfile io thread is running +Fri Aug 16 21:06:21 2024 140685924230912 STATE (dumpfile), dumpfile io thread has processed all pcap files, wait for exit +Fri Aug 16 21:06:21 2024 140686103681856 STATE (stellar), clean worker thread 0 context +Fri Aug 16 21:06:21 2024 140685915838208 STATE (stellar), worker thread 0 runing +Fri Aug 16 21:06:21 2024 140685915838208 STATE (stellar), worker thread 0 exit !!! +Fri Aug 16 21:06:22 2024 140685924230912 STATE (dumpfile), dumpfile io thread exit !!! +Fri Aug 16 21:06:22 2024 140686103681856 STATE (stellar), stellar exit !!! + +Fri Aug 16 21:07:14 2024 139661526674240 STATE (stellar), start stellar (version: 1.0.0-a59eca7) + _ _ _ + ___ | |_ ___ | | | | __ _ _ __ + / __| | __| / _ \ | | | | / _` | | '__| + \__ \ | |_ | __/ | | | | | (_| | | | + |___/ \__| \___| |_| |_| \__,_| |_| + +Fri Aug 16 21:07:14 2024 139661526674240 STATE (stellar), log config file : ./conf/log.toml +Fri Aug 16 21:07:14 2024 139661526674240 STATE (stellar), main config file : ./conf/stellar.toml +Fri Aug 16 21:07:14 2024 139661526674240 STATE (stellar), plugin config file : ./plugin/spec.toml +Fri Aug 16 21:07:14 2024 139661421958912 STATE (dumpfile), dumpfile io thread is running +Fri Aug 16 21:07:14 2024 139661421958912 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/dns_pcap/1-dns-tcp-single-53-124.88.175.201-8.8.8.8.pcap in-processing +Fri Aug 16 21:07:14 2024 139661421958912 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/dns_pcap/1-dns-tcp-single-53-124.88.175.201-8.8.8.8.pcap processed +Fri Aug 16 21:07:14 2024 139661421958912 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/dns_pcap/2-dns-tcp-single-53-60.13.179.249-8.8.8.8.pcap in-processing +Fri Aug 16 21:07:14 2024 139661421958912 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/dns_pcap/2-dns-tcp-single-53-60.13.179.249-8.8.8.8.pcap processed +Fri Aug 16 21:07:14 2024 139661421958912 STATE (dumpfile), dumpfile io thread has processed all pcap files, wait for exit +Fri Aug 16 21:07:14 2024 139661526674240 STATE (stellar), clean worker thread 0 context +Fri Aug 16 21:07:14 2024 139661413566208 STATE (stellar), worker thread 0 runing +Fri Aug 16 21:07:14 2024 139661413566208 STATE (stellar), worker thread 0 exit !!! +Fri Aug 16 21:07:15 2024 139661421958912 STATE (dumpfile), dumpfile io thread exit !!! +Fri Aug 16 21:07:15 2024 139661526674240 STATE (stellar), stellar exit !!! + +Fri Aug 16 21:07:15 2024 139661526674240 STATE (stellar), start stellar (version: 1.0.0-a59eca7) + _ _ _ + ___ | |_ ___ | | | | __ _ _ __ + / __| | __| / _ \ | | | | / _` | | '__| + \__ \ | |_ | __/ | | | | | (_| | | | + |___/ \__| \___| |_| |_| \__,_| |_| + +Fri Aug 16 21:07:15 2024 139661526674240 STATE (stellar), log config file : ./conf/log.toml +Fri Aug 16 21:07:15 2024 139661526674240 STATE (stellar), main config file : ./conf/stellar.toml +Fri Aug 16 21:07:15 2024 139661526674240 STATE (stellar), plugin config file : ./plugin/spec.toml +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile io thread is running +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/01-http-not-ftp.pcap in-processing +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/01-http-not-ftp.pcap processed +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/02-stun-rtcp-rtp-22005-8000-39.144.206.199-117.156.19.31.pcap in-processing +Fri Aug 16 21:07:16 2024 139661526674240 STATE (stellar), clean worker thread 0 context +Fri Aug 16 21:07:16 2024 139661235992320 STATE (stellar), worker thread 0 runing +Fri Aug 16 21:07:16 2024 139661235992320 STATE (stellar), worker thread 0 exit !!! +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/02-stun-rtcp-rtp-22005-8000-39.144.206.199-117.156.19.31.pcap processed +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/03-ftp-37923-21121-117.145.115.74-218.31.124.234.pcap in-processing +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/03-ftp-37923-21121-117.145.115.74-218.31.124.234.pcap processed +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/04-mail_smtp_port_18867_25.pcap in-processing +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/04-mail_smtp_port_18867_25.pcap processed +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/05-ftp_port_21121-double.pcap in-processing +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/05-ftp_port_21121-double.pcap processed +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/07-ftp_port_21121-c2s.pcap in-processing +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/07-ftp_port_21121-c2s.pcap processed +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/06-ftp_port_21121-s2c.pcap in-processing +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/06-ftp_port_21121-s2c.pcap processed +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/08-gquic-023-85.117.117.169.47762-173.194.73.95.443.pcap in-processing +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/08-gquic-023-85.117.117.169.47762-173.194.73.95.443.pcap processed +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/09-gquic-025-85.117.113.98.4340-74.125.131.95.443.pcap in-processing +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/09-gquic-025-85.117.113.98.4340-74.125.131.95.443.pcap processed +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/10-gquic-033-90.143.189.5.8026-173.194.188.40.443.pcap in-processing +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/10-gquic-033-90.143.189.5.8026-173.194.188.40.443.pcap processed +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/11-gquic-034-85.117.125.8.21243-173.194.73.102.443.pcap in-processing +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/11-gquic-034-85.117.125.8.21243-173.194.73.102.443.pcap processed +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/12-gquic-035-redirector.googlevideo.com-85.117.122.194.32370-173.194.220.138.443.pcap in-processing +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/12-gquic-035-redirector.googlevideo.com-85.117.122.194.32370-173.194.220.138.443.pcap processed +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/13-gquic-037-10.32.121.249.33765-64.233.161.95.443.pcap in-processing +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/13-gquic-037-10.32.121.249.33765-64.233.161.95.443.pcap processed +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/14-gquic-039-redirector.googlevideo.com-85.117.119.45.22495-173.194.73.101.443.pcap in-processing +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/14-gquic-039-redirector.googlevideo.com-85.117.119.45.22495-173.194.73.101.443.pcap processed +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/15-gquic-041-90.143.180.56.28496-64.233.165.113.443.pcap in-processing +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/15-gquic-041-90.143.180.56.28496-64.233.165.113.443.pcap processed +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/16-gquic-041-90.143.180.56.28496-64.233.165.113.443.pcap in-processing +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/16-gquic-041-90.143.180.56.28496-64.233.165.113.443.pcap processed +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/17-gquic-044-146.158.67.194.1044-108.177.14.138.443.pcap in-processing +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/17-gquic-044-146.158.67.194.1044-108.177.14.138.443.pcap processed +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/18-gquic-046-36.142.158.169.16385-36.189.11.71.443.pcap in-processing +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/18-gquic-046-36.142.158.169.16385-36.189.11.71.443.pcap processed +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/21-iquic-29-192.168.50.29.61891-31.13.77.35.443.pcap in-processing +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/21-iquic-29-192.168.50.29.61891-31.13.77.35.443.pcap processed +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/22-mvfst-01-i.instagram.com-192.168.60.9.55659-69.171.250.63.443.pcap in-processing +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/22-mvfst-01-i.instagram.com-192.168.60.9.55659-69.171.250.63.443.pcap processed +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/23-mvfst-02-192.168.137.141.50006-31.13.77.17.443.pcap in-processing +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/23-mvfst-02-192.168.137.141.50006-31.13.77.17.443.pcap processed +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/23-prox-quic-217.76.77.70.33232-173.194.220.105.443.pcap in-processing +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/23-prox-quic-217.76.77.70.33232-173.194.220.105.443.pcap processed +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/24-ietf-rfc9000-192.168.60.32.59699-64.233.164.84.443.pcap in-processing +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/24-ietf-rfc9000-192.168.60.32.59699-64.233.164.84.443.pcap processed +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/25-tquic-51-195.12.120.14.41803-173.194.222.101.443.pcap in-processing +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/25-tquic-51-195.12.120.14.41803-173.194.222.101.443.pcap processed +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/26-smtp-55426-587-10.130.2.104-67.225.241.247.pcap in-processing +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/26-smtp-55426-587-10.130.2.104-67.225.241.247.pcap processed +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/27-pop-54776-110-196.188.12.179-192.185.31.244.pcap in-processing +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/27-pop-54776-110-196.188.12.179-192.185.31.244.pcap processed +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/28-Bole-IGW-SMTP-57719-26-10.130.13.155-50.87.145.154-2.pcap in-processing +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/28-Bole-IGW-SMTP-57719-26-10.130.13.155-50.87.145.154-2.pcap processed +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/29-Bole-IGW-SMTP-14636-25-196.189.57.105-68.232.159.216-2.pcap in-processing +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/29-Bole-IGW-SMTP-14636-25-196.189.57.105-68.232.159.216-2.pcap processed +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/30-Bole-IGW-SMTP-20997-25-196.190.160.6-64.225.54.152.pcap in-processing +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/30-Bole-IGW-SMTP-20997-25-196.190.160.6-64.225.54.152.pcap processed +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/31-Bole-IGW-POP3-50020-110-196.188.3.8-82.98.178.159.pcap in-processing +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/31-Bole-IGW-POP3-50020-110-196.188.3.8-82.98.178.159.pcap processed +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/32-Bole-IGW-POP3-53357-110-196.189.0.15-39.156.6.106.pcap in-processing +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/32-Bole-IGW-POP3-53357-110-196.189.0.15-39.156.6.106.pcap processed +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/33-Bole-IGW-IMAP-36734-143-196.189.5.89-101.32.113.90.pcap in-processing +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/33-Bole-IGW-IMAP-36734-143-196.189.5.89-101.32.113.90.pcap processed +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/34-Bole-IGW-IMAP-50415-143-196.188.28.149-69.195.110.51.pcap in-processing +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/34-Bole-IGW-IMAP-50415-143-196.188.28.149-69.195.110.51.pcap processed +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/35-Bole-IGW-SMTP-587-1440-587-196.189.45.189-40.101.92.178.pcap in-processing +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/35-Bole-IGW-SMTP-587-1440-587-196.189.45.189-40.101.92.178.pcap processed +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/36-Bole-IGW-SMTP-587-37943-587-196.191.120.240-81.19.77.166.pcap in-processing +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/36-Bole-IGW-SMTP-587-37943-587-196.191.120.240-81.19.77.166.pcap processed +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/37-dns-response-4029-53-115.24.235.11-8.210.152.150.pcap in-processing +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/37-dns-response-4029-53-115.24.235.11-8.210.152.150.pcap processed +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/38-stun-dtls.pcap in-processing +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/38-stun-dtls.pcap processed +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/19-gquic-048-103.3.138.59.12521-123.125.116.52.443.pcap in-processing +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/19-gquic-048-103.3.138.59.12521-123.125.116.52.443.pcap processed +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/39-pop3-mistake-redis.pcap in-processing +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/39-pop3-mistake-redis.pcap processed +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/20-gquic-050-i.ytimg.com-172.20.9.135.65045-64.233.162.119.443.pcap in-processing +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/mixed_pcap/20-gquic-050-i.ytimg.com-172.20.9.135.65045-64.233.162.119.443.pcap processed +Fri Aug 16 21:07:16 2024 139661405173504 STATE (dumpfile), dumpfile io thread has processed all pcap files, wait for exit +Fri Aug 16 21:07:17 2024 139661405173504 STATE (dumpfile), dumpfile io thread exit !!! +Fri Aug 16 21:07:17 2024 139661526674240 STATE (stellar), stellar exit !!! + +Fri Aug 16 21:07:17 2024 139661526674240 STATE (stellar), start stellar (version: 1.0.0-a59eca7) + _ _ _ + ___ | |_ ___ | | | | __ _ _ __ + / __| | __| / _ \ | | | | / _` | | '__| + \__ \ | |_ | __/ | | | | | (_| | | | + |___/ \__| \___| |_| |_| \__,_| |_| + +Fri Aug 16 21:07:17 2024 139661526674240 STATE (stellar), log config file : ./conf/log.toml +Fri Aug 16 21:07:17 2024 139661526674240 STATE (stellar), main config file : ./conf/stellar.toml +Fri Aug 16 21:07:17 2024 139661526674240 STATE (stellar), plugin config file : ./plugin/spec.toml +Fri Aug 16 21:07:17 2024 139661380794112 STATE (dumpfile), dumpfile io thread is running +Fri Aug 16 21:07:17 2024 139661380794112 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/11-ipv6_openvpn.pcap in-processing +Fri Aug 16 21:07:17 2024 139661380794112 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/11-ipv6_openvpn.pcap processed +Fri Aug 16 21:07:17 2024 139661380794112 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/10-openvpn-udp-49941.pcap in-processing +Fri Aug 16 21:07:17 2024 139661380794112 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/10-openvpn-udp-49941.pcap processed +Fri Aug 16 21:07:17 2024 139661380794112 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/12-quic-openvpn.pcap in-processing +Fri Aug 16 21:07:17 2024 139661380794112 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/12-quic-openvpn.pcap processed +Fri Aug 16 21:07:17 2024 139661380794112 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/01-openvpn-udp-port-1198-first.pcap in-processing +Fri Aug 16 21:07:17 2024 139661380794112 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/01-openvpn-udp-port-1198-first.pcap processed +Fri Aug 16 21:07:17 2024 139661380794112 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/02-openvpn-nDPI.pcap in-processing +Fri Aug 16 21:07:17 2024 139661380794112 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/02-openvpn-nDPI.pcap processed +Fri Aug 16 21:07:17 2024 139661380794112 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/03-openvpn_onestream.pcap in-processing +Fri Aug 16 21:07:17 2024 139661380794112 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/03-openvpn_onestream.pcap processed +Fri Aug 16 21:07:17 2024 139661380794112 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/04-openvpn-udp-63111.pcap in-processing +Fri Aug 16 21:07:17 2024 139661380794112 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/04-openvpn-udp-63111.pcap processed +Fri Aug 16 21:07:17 2024 139661380794112 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/05-openvpn-udp-34400.pcap in-processing +Fri Aug 16 21:07:17 2024 139661380794112 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/05-openvpn-udp-34400.pcap processed +Fri Aug 16 21:07:17 2024 139661380794112 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/06-openvpn-udp-40914.pcap in-processing +Fri Aug 16 21:07:17 2024 139661380794112 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/06-openvpn-udp-40914.pcap processed +Fri Aug 16 21:07:17 2024 139661380794112 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/07-openvpn.tcp.pcap in-processing +Fri Aug 16 21:07:17 2024 139661380794112 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/07-openvpn.tcp.pcap processed +Fri Aug 16 21:07:17 2024 139661380794112 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/08-ovpntcp_hmac.pcap in-processing +Fri Aug 16 21:07:17 2024 139661380794112 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/08-ovpntcp_hmac.pcap processed +Fri Aug 16 21:07:17 2024 139661380794112 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/09-ovpntcp_nohmac.pcap in-processing +Fri Aug 16 21:07:17 2024 139661380794112 STATE (dumpfile), dumpfile /home/yangwei/platform/stellar/test/glimpse_detector/openvpn_pcap/09-ovpntcp_nohmac.pcap processed +Fri Aug 16 21:07:17 2024 139661380794112 STATE (dumpfile), dumpfile io thread has processed all pcap files, wait for exit +Fri Aug 16 21:07:17 2024 139661526674240 STATE (stellar), clean worker thread 0 context +Fri Aug 16 21:07:17 2024 139661372401408 STATE (stellar), worker thread 0 runing +Fri Aug 16 21:07:17 2024 139661372401408 STATE (stellar), worker thread 0 exit !!! +Fri Aug 16 21:07:18 2024 139661380794112 STATE (dumpfile), dumpfile io thread exit !!! +Fri Aug 16 21:07:18 2024 139661526674240 STATE (stellar), stellar exit !!! + +Fri Aug 16 21:07:18 2024 139661526674240 STATE (stellar), start stellar (version: 1.0.0-a59eca7) + _ _ _ + ___ | |_ ___ | | | | __ _ _ __ + / __| | __| / _ \ | | | | / _` | | '__| + \__ \ | |_ | __/ | | | | | (_| | | | + |___/ \__| \___| |_| |_| \__,_| |_| + +Fri Aug 16 21:07:18 2024 139661526674240 STATE (stellar), log config file : ./conf/log.toml +Fri Aug 16 21:07:18 2024 139661526674240 STATE (stellar), main config file : ./conf/stellar.toml +Fri Aug 16 21:07:18 2024 139661526674240 STATE (stellar), plugin config file : ./plugin/spec.toml +Fri Aug 16 21:07:18 2024 139661364008704 STATE (dumpfile), dumpfile io thread is running +Fri Aug 16 21:07:18 2024 139661364008704 STATE (dumpfile), dumpfile io thread has processed all pcap files, wait for exit +Fri Aug 16 21:07:18 2024 139661526674240 STATE (stellar), clean worker thread 0 context +Fri Aug 16 21:07:18 2024 139661355616000 STATE (stellar), worker thread 0 runing +Fri Aug 16 21:07:18 2024 139661355616000 STATE (stellar), worker thread 0 exit !!! +Fri Aug 16 21:07:19 2024 139661364008704 STATE (dumpfile), dumpfile io thread exit !!! +Fri Aug 16 21:07:19 2024 139661526674240 STATE (stellar), stellar exit !!! + +Fri Aug 16 21:07:19 2024 139661526674240 STATE (stellar), start stellar (version: 1.0.0-a59eca7) + _ _ _ + ___ | |_ ___ | | | | __ _ _ __ + / __| | __| / _ \ | | | | / _` | | '__| + \__ \ | |_ | __/ | | | | | (_| | | | + |___/ \__| \___| |_| |_| \__,_| |_| + +Fri Aug 16 21:07:19 2024 139661526674240 STATE (stellar), log config file : ./conf/log.toml +Fri Aug 16 21:07:19 2024 139661526674240 STATE (stellar), main config file : ./conf/stellar.toml +Fri Aug 16 21:07:19 2024 139661526674240 STATE (stellar), plugin config file : ./plugin/spec.toml +Fri Aug 16 21:07:19 2024 139661347223296 STATE (dumpfile), dumpfile io thread is running +Fri Aug 16 21:07:19 2024 139661347223296 STATE (dumpfile), dumpfile io thread has processed all pcap files, wait for exit +Fri Aug 16 21:07:19 2024 139661526674240 STATE (stellar), clean worker thread 0 context +Fri Aug 16 21:07:19 2024 139661338830592 STATE (stellar), worker thread 0 runing +Fri Aug 16 21:07:19 2024 139661338830592 STATE (stellar), worker thread 0 exit !!! +Fri Aug 16 21:07:20 2024 139661347223296 STATE (dumpfile), dumpfile io thread exit !!! +Fri Aug 16 21:07:20 2024 139661526674240 STATE (stellar), stellar exit !!! + diff --git a/test/glimpse_detector/mixed_pcap/01-http-not-ftp.pcap b/test/glimpse_detector/mixed_pcap/01-http-not-ftp.pcap Binary files differnew file mode 100644 index 0000000..d1f49ec --- /dev/null +++ b/test/glimpse_detector/mixed_pcap/01-http-not-ftp.pcap diff --git a/test/glimpse_detector/mixed_pcap/02-stun-rtcp-rtp-22005-8000-39.144.206.199-117.156.19.31.pcap b/test/glimpse_detector/mixed_pcap/02-stun-rtcp-rtp-22005-8000-39.144.206.199-117.156.19.31.pcap Binary files differnew file mode 100644 index 0000000..bd33283 --- /dev/null +++ b/test/glimpse_detector/mixed_pcap/02-stun-rtcp-rtp-22005-8000-39.144.206.199-117.156.19.31.pcap diff --git a/test/glimpse_detector/mixed_pcap/03-ftp-37923-21121-117.145.115.74-218.31.124.234.pcap b/test/glimpse_detector/mixed_pcap/03-ftp-37923-21121-117.145.115.74-218.31.124.234.pcap Binary files differnew file mode 100644 index 0000000..1214121 --- /dev/null +++ b/test/glimpse_detector/mixed_pcap/03-ftp-37923-21121-117.145.115.74-218.31.124.234.pcap diff --git a/test/glimpse_detector/mixed_pcap/04-mail_smtp_port_18867_25.pcap b/test/glimpse_detector/mixed_pcap/04-mail_smtp_port_18867_25.pcap Binary files differnew file mode 100644 index 0000000..3549c0d --- /dev/null +++ b/test/glimpse_detector/mixed_pcap/04-mail_smtp_port_18867_25.pcap diff --git a/test/glimpse_detector/mixed_pcap/05-ftp_port_21121-double.pcap b/test/glimpse_detector/mixed_pcap/05-ftp_port_21121-double.pcap Binary files differnew file mode 100644 index 0000000..2fb600f --- /dev/null +++ b/test/glimpse_detector/mixed_pcap/05-ftp_port_21121-double.pcap diff --git a/test/glimpse_detector/mixed_pcap/06-ftp_port_21121-s2c.pcap b/test/glimpse_detector/mixed_pcap/06-ftp_port_21121-s2c.pcap Binary files differnew file mode 100644 index 0000000..e1ad680 --- /dev/null +++ b/test/glimpse_detector/mixed_pcap/06-ftp_port_21121-s2c.pcap diff --git a/test/glimpse_detector/mixed_pcap/07-ftp_port_21121-c2s.pcap b/test/glimpse_detector/mixed_pcap/07-ftp_port_21121-c2s.pcap Binary files differnew file mode 100644 index 0000000..152e850 --- /dev/null +++ b/test/glimpse_detector/mixed_pcap/07-ftp_port_21121-c2s.pcap diff --git a/test/glimpse_detector/mixed_pcap/08-gquic-023-85.117.117.169.47762-173.194.73.95.443.pcap b/test/glimpse_detector/mixed_pcap/08-gquic-023-85.117.117.169.47762-173.194.73.95.443.pcap Binary files differnew file mode 100644 index 0000000..db29a3b --- /dev/null +++ b/test/glimpse_detector/mixed_pcap/08-gquic-023-85.117.117.169.47762-173.194.73.95.443.pcap diff --git a/test/glimpse_detector/mixed_pcap/09-gquic-025-85.117.113.98.4340-74.125.131.95.443.pcap b/test/glimpse_detector/mixed_pcap/09-gquic-025-85.117.113.98.4340-74.125.131.95.443.pcap Binary files differnew file mode 100644 index 0000000..299e573 --- /dev/null +++ b/test/glimpse_detector/mixed_pcap/09-gquic-025-85.117.113.98.4340-74.125.131.95.443.pcap diff --git a/test/glimpse_detector/mixed_pcap/10-gquic-033-90.143.189.5.8026-173.194.188.40.443.pcap b/test/glimpse_detector/mixed_pcap/10-gquic-033-90.143.189.5.8026-173.194.188.40.443.pcap Binary files differnew file mode 100644 index 0000000..b0e4c5b --- /dev/null +++ b/test/glimpse_detector/mixed_pcap/10-gquic-033-90.143.189.5.8026-173.194.188.40.443.pcap diff --git a/test/glimpse_detector/mixed_pcap/11-gquic-034-85.117.125.8.21243-173.194.73.102.443.pcap b/test/glimpse_detector/mixed_pcap/11-gquic-034-85.117.125.8.21243-173.194.73.102.443.pcap Binary files differnew file mode 100644 index 0000000..eee3c8e --- /dev/null +++ b/test/glimpse_detector/mixed_pcap/11-gquic-034-85.117.125.8.21243-173.194.73.102.443.pcap diff --git a/test/glimpse_detector/mixed_pcap/12-gquic-035-redirector.googlevideo.com-85.117.122.194.32370-173.194.220.138.443.pcap b/test/glimpse_detector/mixed_pcap/12-gquic-035-redirector.googlevideo.com-85.117.122.194.32370-173.194.220.138.443.pcap Binary files differnew file mode 100644 index 0000000..5dc1f81 --- /dev/null +++ b/test/glimpse_detector/mixed_pcap/12-gquic-035-redirector.googlevideo.com-85.117.122.194.32370-173.194.220.138.443.pcap diff --git a/test/glimpse_detector/mixed_pcap/13-gquic-037-10.32.121.249.33765-64.233.161.95.443.pcap b/test/glimpse_detector/mixed_pcap/13-gquic-037-10.32.121.249.33765-64.233.161.95.443.pcap Binary files differnew file mode 100644 index 0000000..ca6388d --- /dev/null +++ b/test/glimpse_detector/mixed_pcap/13-gquic-037-10.32.121.249.33765-64.233.161.95.443.pcap diff --git a/test/glimpse_detector/mixed_pcap/14-gquic-039-redirector.googlevideo.com-85.117.119.45.22495-173.194.73.101.443.pcap b/test/glimpse_detector/mixed_pcap/14-gquic-039-redirector.googlevideo.com-85.117.119.45.22495-173.194.73.101.443.pcap Binary files differnew file mode 100644 index 0000000..bd088b0 --- /dev/null +++ b/test/glimpse_detector/mixed_pcap/14-gquic-039-redirector.googlevideo.com-85.117.119.45.22495-173.194.73.101.443.pcap diff --git a/test/glimpse_detector/mixed_pcap/15-gquic-041-90.143.180.56.28496-64.233.165.113.443.pcap b/test/glimpse_detector/mixed_pcap/15-gquic-041-90.143.180.56.28496-64.233.165.113.443.pcap Binary files differnew file mode 100644 index 0000000..0a6e5ff --- /dev/null +++ b/test/glimpse_detector/mixed_pcap/15-gquic-041-90.143.180.56.28496-64.233.165.113.443.pcap diff --git a/test/glimpse_detector/mixed_pcap/16-gquic-041-90.143.180.56.28496-64.233.165.113.443.pcap b/test/glimpse_detector/mixed_pcap/16-gquic-041-90.143.180.56.28496-64.233.165.113.443.pcap Binary files differnew file mode 100644 index 0000000..0abc861 --- /dev/null +++ b/test/glimpse_detector/mixed_pcap/16-gquic-041-90.143.180.56.28496-64.233.165.113.443.pcap diff --git a/test/glimpse_detector/mixed_pcap/17-gquic-044-146.158.67.194.1044-108.177.14.138.443.pcap b/test/glimpse_detector/mixed_pcap/17-gquic-044-146.158.67.194.1044-108.177.14.138.443.pcap Binary files differnew file mode 100644 index 0000000..204f860 --- /dev/null +++ b/test/glimpse_detector/mixed_pcap/17-gquic-044-146.158.67.194.1044-108.177.14.138.443.pcap diff --git a/test/glimpse_detector/mixed_pcap/18-gquic-046-36.142.158.169.16385-36.189.11.71.443.pcap b/test/glimpse_detector/mixed_pcap/18-gquic-046-36.142.158.169.16385-36.189.11.71.443.pcap Binary files differnew file mode 100644 index 0000000..0b77c4d --- /dev/null +++ b/test/glimpse_detector/mixed_pcap/18-gquic-046-36.142.158.169.16385-36.189.11.71.443.pcap diff --git a/test/glimpse_detector/mixed_pcap/19-gquic-048-103.3.138.59.12521-123.125.116.52.443.pcap b/test/glimpse_detector/mixed_pcap/19-gquic-048-103.3.138.59.12521-123.125.116.52.443.pcap Binary files differnew file mode 100644 index 0000000..5c9fcd6 --- /dev/null +++ b/test/glimpse_detector/mixed_pcap/19-gquic-048-103.3.138.59.12521-123.125.116.52.443.pcap diff --git a/test/glimpse_detector/mixed_pcap/20-gquic-050-i.ytimg.com-172.20.9.135.65045-64.233.162.119.443.pcap b/test/glimpse_detector/mixed_pcap/20-gquic-050-i.ytimg.com-172.20.9.135.65045-64.233.162.119.443.pcap Binary files differnew file mode 100644 index 0000000..1d5c46a --- /dev/null +++ b/test/glimpse_detector/mixed_pcap/20-gquic-050-i.ytimg.com-172.20.9.135.65045-64.233.162.119.443.pcap diff --git a/test/glimpse_detector/mixed_pcap/21-iquic-29-192.168.50.29.61891-31.13.77.35.443.pcap b/test/glimpse_detector/mixed_pcap/21-iquic-29-192.168.50.29.61891-31.13.77.35.443.pcap Binary files differnew file mode 100644 index 0000000..dcd22db --- /dev/null +++ b/test/glimpse_detector/mixed_pcap/21-iquic-29-192.168.50.29.61891-31.13.77.35.443.pcap diff --git a/test/glimpse_detector/mixed_pcap/22-mvfst-01-i.instagram.com-192.168.60.9.55659-69.171.250.63.443.pcap b/test/glimpse_detector/mixed_pcap/22-mvfst-01-i.instagram.com-192.168.60.9.55659-69.171.250.63.443.pcap Binary files differnew file mode 100644 index 0000000..be91a45 --- /dev/null +++ b/test/glimpse_detector/mixed_pcap/22-mvfst-01-i.instagram.com-192.168.60.9.55659-69.171.250.63.443.pcap diff --git a/test/glimpse_detector/mixed_pcap/23-mvfst-02-192.168.137.141.50006-31.13.77.17.443.pcap b/test/glimpse_detector/mixed_pcap/23-mvfst-02-192.168.137.141.50006-31.13.77.17.443.pcap Binary files differnew file mode 100644 index 0000000..9b88cc0 --- /dev/null +++ b/test/glimpse_detector/mixed_pcap/23-mvfst-02-192.168.137.141.50006-31.13.77.17.443.pcap diff --git a/test/glimpse_detector/mixed_pcap/23-prox-quic-217.76.77.70.33232-173.194.220.105.443.pcap b/test/glimpse_detector/mixed_pcap/23-prox-quic-217.76.77.70.33232-173.194.220.105.443.pcap Binary files differnew file mode 100644 index 0000000..a2efae4 --- /dev/null +++ b/test/glimpse_detector/mixed_pcap/23-prox-quic-217.76.77.70.33232-173.194.220.105.443.pcap diff --git a/test/glimpse_detector/mixed_pcap/24-ietf-rfc9000-192.168.60.32.59699-64.233.164.84.443.pcap b/test/glimpse_detector/mixed_pcap/24-ietf-rfc9000-192.168.60.32.59699-64.233.164.84.443.pcap Binary files differnew file mode 100644 index 0000000..84097c8 --- /dev/null +++ b/test/glimpse_detector/mixed_pcap/24-ietf-rfc9000-192.168.60.32.59699-64.233.164.84.443.pcap diff --git a/test/glimpse_detector/mixed_pcap/25-tquic-51-195.12.120.14.41803-173.194.222.101.443.pcap b/test/glimpse_detector/mixed_pcap/25-tquic-51-195.12.120.14.41803-173.194.222.101.443.pcap Binary files differnew file mode 100644 index 0000000..357777c --- /dev/null +++ b/test/glimpse_detector/mixed_pcap/25-tquic-51-195.12.120.14.41803-173.194.222.101.443.pcap diff --git a/test/glimpse_detector/mixed_pcap/26-smtp-55426-587-10.130.2.104-67.225.241.247.pcap b/test/glimpse_detector/mixed_pcap/26-smtp-55426-587-10.130.2.104-67.225.241.247.pcap Binary files differnew file mode 100644 index 0000000..9296279 --- /dev/null +++ b/test/glimpse_detector/mixed_pcap/26-smtp-55426-587-10.130.2.104-67.225.241.247.pcap diff --git a/test/glimpse_detector/mixed_pcap/27-pop-54776-110-196.188.12.179-192.185.31.244.pcap b/test/glimpse_detector/mixed_pcap/27-pop-54776-110-196.188.12.179-192.185.31.244.pcap Binary files differnew file mode 100644 index 0000000..1b36161 --- /dev/null +++ b/test/glimpse_detector/mixed_pcap/27-pop-54776-110-196.188.12.179-192.185.31.244.pcap diff --git a/test/glimpse_detector/mixed_pcap/28-Bole-IGW-SMTP-57719-26-10.130.13.155-50.87.145.154-2.pcap b/test/glimpse_detector/mixed_pcap/28-Bole-IGW-SMTP-57719-26-10.130.13.155-50.87.145.154-2.pcap Binary files differnew file mode 100644 index 0000000..a8ca249 --- /dev/null +++ b/test/glimpse_detector/mixed_pcap/28-Bole-IGW-SMTP-57719-26-10.130.13.155-50.87.145.154-2.pcap diff --git a/test/glimpse_detector/mixed_pcap/29-Bole-IGW-SMTP-14636-25-196.189.57.105-68.232.159.216-2.pcap b/test/glimpse_detector/mixed_pcap/29-Bole-IGW-SMTP-14636-25-196.189.57.105-68.232.159.216-2.pcap Binary files differnew file mode 100644 index 0000000..067a8e7 --- /dev/null +++ b/test/glimpse_detector/mixed_pcap/29-Bole-IGW-SMTP-14636-25-196.189.57.105-68.232.159.216-2.pcap diff --git a/test/glimpse_detector/mixed_pcap/30-Bole-IGW-SMTP-20997-25-196.190.160.6-64.225.54.152.pcap b/test/glimpse_detector/mixed_pcap/30-Bole-IGW-SMTP-20997-25-196.190.160.6-64.225.54.152.pcap Binary files differnew file mode 100644 index 0000000..94942a2 --- /dev/null +++ b/test/glimpse_detector/mixed_pcap/30-Bole-IGW-SMTP-20997-25-196.190.160.6-64.225.54.152.pcap diff --git a/test/glimpse_detector/mixed_pcap/31-Bole-IGW-POP3-50020-110-196.188.3.8-82.98.178.159.pcap b/test/glimpse_detector/mixed_pcap/31-Bole-IGW-POP3-50020-110-196.188.3.8-82.98.178.159.pcap Binary files differnew file mode 100644 index 0000000..53c8de0 --- /dev/null +++ b/test/glimpse_detector/mixed_pcap/31-Bole-IGW-POP3-50020-110-196.188.3.8-82.98.178.159.pcap diff --git a/test/glimpse_detector/mixed_pcap/32-Bole-IGW-POP3-53357-110-196.189.0.15-39.156.6.106.pcap b/test/glimpse_detector/mixed_pcap/32-Bole-IGW-POP3-53357-110-196.189.0.15-39.156.6.106.pcap Binary files differnew file mode 100644 index 0000000..93a1b66 --- /dev/null +++ b/test/glimpse_detector/mixed_pcap/32-Bole-IGW-POP3-53357-110-196.189.0.15-39.156.6.106.pcap diff --git a/test/glimpse_detector/mixed_pcap/33-Bole-IGW-IMAP-36734-143-196.189.5.89-101.32.113.90.pcap b/test/glimpse_detector/mixed_pcap/33-Bole-IGW-IMAP-36734-143-196.189.5.89-101.32.113.90.pcap Binary files differnew file mode 100644 index 0000000..b75137f --- /dev/null +++ b/test/glimpse_detector/mixed_pcap/33-Bole-IGW-IMAP-36734-143-196.189.5.89-101.32.113.90.pcap diff --git a/test/glimpse_detector/mixed_pcap/34-Bole-IGW-IMAP-50415-143-196.188.28.149-69.195.110.51.pcap b/test/glimpse_detector/mixed_pcap/34-Bole-IGW-IMAP-50415-143-196.188.28.149-69.195.110.51.pcap Binary files differnew file mode 100644 index 0000000..ff45c81 --- /dev/null +++ b/test/glimpse_detector/mixed_pcap/34-Bole-IGW-IMAP-50415-143-196.188.28.149-69.195.110.51.pcap diff --git a/test/glimpse_detector/mixed_pcap/35-Bole-IGW-SMTP-587-1440-587-196.189.45.189-40.101.92.178.pcap b/test/glimpse_detector/mixed_pcap/35-Bole-IGW-SMTP-587-1440-587-196.189.45.189-40.101.92.178.pcap Binary files differnew file mode 100644 index 0000000..f507751 --- /dev/null +++ b/test/glimpse_detector/mixed_pcap/35-Bole-IGW-SMTP-587-1440-587-196.189.45.189-40.101.92.178.pcap diff --git a/test/glimpse_detector/mixed_pcap/36-Bole-IGW-SMTP-587-37943-587-196.191.120.240-81.19.77.166.pcap b/test/glimpse_detector/mixed_pcap/36-Bole-IGW-SMTP-587-37943-587-196.191.120.240-81.19.77.166.pcap Binary files differnew file mode 100644 index 0000000..0975e5a --- /dev/null +++ b/test/glimpse_detector/mixed_pcap/36-Bole-IGW-SMTP-587-37943-587-196.191.120.240-81.19.77.166.pcap diff --git a/test/glimpse_detector/mixed_pcap/37-dns-response-4029-53-115.24.235.11-8.210.152.150.pcap b/test/glimpse_detector/mixed_pcap/37-dns-response-4029-53-115.24.235.11-8.210.152.150.pcap Binary files differnew file mode 100644 index 0000000..d899c17 --- /dev/null +++ b/test/glimpse_detector/mixed_pcap/37-dns-response-4029-53-115.24.235.11-8.210.152.150.pcap diff --git a/test/glimpse_detector/mixed_pcap/38-stun-dtls.pcap b/test/glimpse_detector/mixed_pcap/38-stun-dtls.pcap Binary files differnew file mode 100644 index 0000000..1b2a8b7 --- /dev/null +++ b/test/glimpse_detector/mixed_pcap/38-stun-dtls.pcap diff --git a/test/glimpse_detector/mixed_pcap/39-pop3-mistake-redis.pcap b/test/glimpse_detector/mixed_pcap/39-pop3-mistake-redis.pcap Binary files differnew file mode 100644 index 0000000..c866867 --- /dev/null +++ b/test/glimpse_detector/mixed_pcap/39-pop3-mistake-redis.pcap diff --git a/test/glimpse_detector/openvpn_pcap/01-openvpn-udp-port-1198-first.pcap b/test/glimpse_detector/openvpn_pcap/01-openvpn-udp-port-1198-first.pcap Binary files differnew file mode 100644 index 0000000..61b4ec5 --- /dev/null +++ b/test/glimpse_detector/openvpn_pcap/01-openvpn-udp-port-1198-first.pcap diff --git a/test/glimpse_detector/openvpn_pcap/02-openvpn-nDPI.pcap b/test/glimpse_detector/openvpn_pcap/02-openvpn-nDPI.pcap Binary files differnew file mode 100644 index 0000000..9ae8351 --- /dev/null +++ b/test/glimpse_detector/openvpn_pcap/02-openvpn-nDPI.pcap diff --git a/test/glimpse_detector/openvpn_pcap/03-openvpn_onestream.pcap b/test/glimpse_detector/openvpn_pcap/03-openvpn_onestream.pcap Binary files differnew file mode 100644 index 0000000..3a3519e --- /dev/null +++ b/test/glimpse_detector/openvpn_pcap/03-openvpn_onestream.pcap diff --git a/test/glimpse_detector/openvpn_pcap/04-openvpn-udp-63111.pcap b/test/glimpse_detector/openvpn_pcap/04-openvpn-udp-63111.pcap Binary files differnew file mode 100644 index 0000000..c185c52 --- /dev/null +++ b/test/glimpse_detector/openvpn_pcap/04-openvpn-udp-63111.pcap diff --git a/test/glimpse_detector/openvpn_pcap/05-openvpn-udp-34400.pcap b/test/glimpse_detector/openvpn_pcap/05-openvpn-udp-34400.pcap Binary files differnew file mode 100644 index 0000000..3a3519e --- /dev/null +++ b/test/glimpse_detector/openvpn_pcap/05-openvpn-udp-34400.pcap diff --git a/test/glimpse_detector/openvpn_pcap/06-openvpn-udp-40914.pcap b/test/glimpse_detector/openvpn_pcap/06-openvpn-udp-40914.pcap Binary files differnew file mode 100644 index 0000000..36853be --- /dev/null +++ b/test/glimpse_detector/openvpn_pcap/06-openvpn-udp-40914.pcap diff --git a/test/glimpse_detector/openvpn_pcap/07-openvpn.tcp.pcap b/test/glimpse_detector/openvpn_pcap/07-openvpn.tcp.pcap Binary files differnew file mode 100644 index 0000000..fa0b75a --- /dev/null +++ b/test/glimpse_detector/openvpn_pcap/07-openvpn.tcp.pcap diff --git a/test/glimpse_detector/openvpn_pcap/08-ovpntcp_hmac.pcap b/test/glimpse_detector/openvpn_pcap/08-ovpntcp_hmac.pcap Binary files differnew file mode 100644 index 0000000..aed2c38 --- /dev/null +++ b/test/glimpse_detector/openvpn_pcap/08-ovpntcp_hmac.pcap diff --git a/test/glimpse_detector/openvpn_pcap/09-ovpntcp_nohmac.pcap b/test/glimpse_detector/openvpn_pcap/09-ovpntcp_nohmac.pcap Binary files differnew file mode 100644 index 0000000..7f48bce --- /dev/null +++ b/test/glimpse_detector/openvpn_pcap/09-ovpntcp_nohmac.pcap diff --git a/test/glimpse_detector/openvpn_pcap/10-openvpn-udp-49941.pcap b/test/glimpse_detector/openvpn_pcap/10-openvpn-udp-49941.pcap Binary files differnew file mode 100644 index 0000000..9865847 --- /dev/null +++ b/test/glimpse_detector/openvpn_pcap/10-openvpn-udp-49941.pcap diff --git a/test/glimpse_detector/openvpn_pcap/11-ipv6_openvpn.pcap b/test/glimpse_detector/openvpn_pcap/11-ipv6_openvpn.pcap Binary files differnew file mode 100644 index 0000000..015867b --- /dev/null +++ b/test/glimpse_detector/openvpn_pcap/11-ipv6_openvpn.pcap diff --git a/test/glimpse_detector/openvpn_pcap/12-quic-openvpn.pcap b/test/glimpse_detector/openvpn_pcap/12-quic-openvpn.pcap Binary files differnew file mode 100644 index 0000000..00c4d40 --- /dev/null +++ b/test/glimpse_detector/openvpn_pcap/12-quic-openvpn.pcap diff --git a/test/glimpse_detector/plugin/spec.toml b/test/glimpse_detector/plugin/spec.toml new file mode 100644 index 0000000..7901d9b --- /dev/null +++ b/test/glimpse_detector/plugin/spec.toml @@ -0,0 +1,11 @@ +# stellar_plugin.toml +# +[[plugin]] +path = "" +init = "APP_GLIMPSE_DETECTOR_LOAD" +exit = "APP_GLIMPSE_DETECTOR_UNLOAD" + +[[plugin]] +path = "" +init = "APP_TEST_PLUG_INIT" +exit = "APP_TEST_PLUG_DESTROY" diff --git a/test/glimpse_detector/ppp_pcap/01-l2tp_netbios.pcap b/test/glimpse_detector/ppp_pcap/01-l2tp_netbios.pcap Binary files differnew file mode 100644 index 0000000..de7803c --- /dev/null +++ b/test/glimpse_detector/ppp_pcap/01-l2tp_netbios.pcap diff --git a/test/glimpse_detector/ppp_pcap/02-l2tp-without-l7_protocol-62176-33445-192.168.10.91-220.43.148.189.pcap b/test/glimpse_detector/ppp_pcap/02-l2tp-without-l7_protocol-62176-33445-192.168.10.91-220.43.148.189.pcap Binary files differnew file mode 100755 index 0000000..ae908be --- /dev/null +++ b/test/glimpse_detector/ppp_pcap/02-l2tp-without-l7_protocol-62176-33445-192.168.10.91-220.43.148.189.pcap diff --git a/test/glimpse_detector/ppp_pcap/03-l2tp_http.pcap b/test/glimpse_detector/ppp_pcap/03-l2tp_http.pcap Binary files differnew file mode 100755 index 0000000..066f523 --- /dev/null +++ b/test/glimpse_detector/ppp_pcap/03-l2tp_http.pcap diff --git a/test/glimpse_detector/ppp_pcap/04-l2tp_ctrl_data_full.pcap b/test/glimpse_detector/ppp_pcap/04-l2tp_ctrl_data_full.pcap Binary files differnew file mode 100755 index 0000000..9d824a1 --- /dev/null +++ b/test/glimpse_detector/ppp_pcap/04-l2tp_ctrl_data_full.pcap diff --git a/test/glimpse_detector/ppp_pcap/05-pptp_encrypt.pcap b/test/glimpse_detector/ppp_pcap/05-pptp_encrypt.pcap Binary files differnew file mode 100755 index 0000000..cf2cdd8 --- /dev/null +++ b/test/glimpse_detector/ppp_pcap/05-pptp_encrypt.pcap diff --git a/test/glimpse_detector/ppp_pcap/06-pptp_http.pcap b/test/glimpse_detector/ppp_pcap/06-pptp_http.pcap Binary files differnew file mode 100755 index 0000000..9203ed0 --- /dev/null +++ b/test/glimpse_detector/ppp_pcap/06-pptp_http.pcap diff --git a/test/glimpse_detector/socks_pcap/1-socks45-http-example.pcap b/test/glimpse_detector/socks_pcap/1-socks45-http-example.pcap Binary files differnew file mode 100644 index 0000000..1b82f60 --- /dev/null +++ b/test/glimpse_detector/socks_pcap/1-socks45-http-example.pcap diff --git a/test/glimpse_detector/socks_pcap/10-socks5-http-302-frag.pcap b/test/glimpse_detector/socks_pcap/10-socks5-http-302-frag.pcap Binary files differnew file mode 100644 index 0000000..58690a7 --- /dev/null +++ b/test/glimpse_detector/socks_pcap/10-socks5-http-302-frag.pcap diff --git a/test/glimpse_detector/socks_pcap/11-socks5-http-302.pcap b/test/glimpse_detector/socks_pcap/11-socks5-http-302.pcap Binary files differnew file mode 100644 index 0000000..cf0ece9 --- /dev/null +++ b/test/glimpse_detector/socks_pcap/11-socks5-http-302.pcap diff --git a/test/glimpse_detector/socks_pcap/12-socks5-rdp.pcap b/test/glimpse_detector/socks_pcap/12-socks5-rdp.pcap Binary files differnew file mode 100644 index 0000000..8c8e632 --- /dev/null +++ b/test/glimpse_detector/socks_pcap/12-socks5-rdp.pcap diff --git a/test/glimpse_detector/socks_pcap/13-socks5-reverse.pcap b/test/glimpse_detector/socks_pcap/13-socks5-reverse.pcap Binary files differnew file mode 100644 index 0000000..81b0d8a --- /dev/null +++ b/test/glimpse_detector/socks_pcap/13-socks5-reverse.pcap diff --git a/test/glimpse_detector/socks_pcap/14-socks5-smtp-503.pcap b/test/glimpse_detector/socks_pcap/14-socks5-smtp-503.pcap Binary files differnew file mode 100644 index 0000000..13bafd9 --- /dev/null +++ b/test/glimpse_detector/socks_pcap/14-socks5-smtp-503.pcap diff --git a/test/glimpse_detector/socks_pcap/15-socks-http-pass.pcap b/test/glimpse_detector/socks_pcap/15-socks-http-pass.pcap Binary files differnew file mode 100644 index 0000000..a99cb60 --- /dev/null +++ b/test/glimpse_detector/socks_pcap/15-socks-http-pass.pcap diff --git a/test/glimpse_detector/socks_pcap/16-socks-https-example.pcap b/test/glimpse_detector/socks_pcap/16-socks-https-example.pcap Binary files differnew file mode 100644 index 0000000..8cb982c --- /dev/null +++ b/test/glimpse_detector/socks_pcap/16-socks-https-example.pcap diff --git a/test/glimpse_detector/socks_pcap/2-socks5_ftp.pcap b/test/glimpse_detector/socks_pcap/2-socks5_ftp.pcap Binary files differnew file mode 100644 index 0000000..6e270f7 --- /dev/null +++ b/test/glimpse_detector/socks_pcap/2-socks5_ftp.pcap diff --git a/test/glimpse_detector/socks_pcap/3-POP3_Sock5_subject.pcap b/test/glimpse_detector/socks_pcap/3-POP3_Sock5_subject.pcap Binary files differnew file mode 100644 index 0000000..38caab7 --- /dev/null +++ b/test/glimpse_detector/socks_pcap/3-POP3_Sock5_subject.pcap diff --git a/test/glimpse_detector/socks_pcap/4-SMTP_Sock5_subject.pcap b/test/glimpse_detector/socks_pcap/4-SMTP_Sock5_subject.pcap Binary files differnew file mode 100644 index 0000000..ce5e53f --- /dev/null +++ b/test/glimpse_detector/socks_pcap/4-SMTP_Sock5_subject.pcap diff --git a/test/glimpse_detector/socks_pcap/5-T3-HTTP-URL-SOCKS5.pcap b/test/glimpse_detector/socks_pcap/5-T3-HTTP-URL-SOCKS5.pcap Binary files differnew file mode 100644 index 0000000..4f8812a --- /dev/null +++ b/test/glimpse_detector/socks_pcap/5-T3-HTTP-URL-SOCKS5.pcap diff --git a/test/glimpse_detector/socks_pcap/6-T7-HTTP-CONT-SOCKS5.pcap b/test/glimpse_detector/socks_pcap/6-T7-HTTP-CONT-SOCKS5.pcap Binary files differnew file mode 100644 index 0000000..737aac0 --- /dev/null +++ b/test/glimpse_detector/socks_pcap/6-T7-HTTP-CONT-SOCKS5.pcap diff --git a/test/glimpse_detector/socks_pcap/7-T86-FTP-URL-PORT-BIN-SOCKS5.pcap b/test/glimpse_detector/socks_pcap/7-T86-FTP-URL-PORT-BIN-SOCKS5.pcap Binary files differnew file mode 100644 index 0000000..30b7f69 --- /dev/null +++ b/test/glimpse_detector/socks_pcap/7-T86-FTP-URL-PORT-BIN-SOCKS5.pcap diff --git a/test/glimpse_detector/socks_pcap/8-socks4_http.pcap b/test/glimpse_detector/socks_pcap/8-socks4_http.pcap Binary files differnew file mode 100644 index 0000000..85ca607 --- /dev/null +++ b/test/glimpse_detector/socks_pcap/8-socks4_http.pcap diff --git a/test/glimpse_detector/socks_pcap/9-socks4-https.pcap b/test/glimpse_detector/socks_pcap/9-socks4-https.pcap Binary files differnew file mode 100644 index 0000000..851028b --- /dev/null +++ b/test/glimpse_detector/socks_pcap/9-socks4-https.pcap diff --git a/test/glimpse_detector/test_env/log.toml b/test/glimpse_detector/test_env/log.toml new file mode 100644 index 0000000..64b5fea --- /dev/null +++ b/test/glimpse_detector/test_env/log.toml @@ -0,0 +1,4 @@ +[log] +output = file # stderr, file +file = "log/stellar.log" +level = FATAL # TRACE, DEBUG, INFO, WARN, ERROR, FATAL diff --git a/test/glimpse_detector/test_env/spec.toml b/test/glimpse_detector/test_env/spec.toml new file mode 100644 index 0000000..7901d9b --- /dev/null +++ b/test/glimpse_detector/test_env/spec.toml @@ -0,0 +1,11 @@ +# stellar_plugin.toml +# +[[plugin]] +path = "" +init = "APP_GLIMPSE_DETECTOR_LOAD" +exit = "APP_GLIMPSE_DETECTOR_UNLOAD" + +[[plugin]] +path = "" +init = "APP_TEST_PLUG_INIT" +exit = "APP_TEST_PLUG_DESTROY" diff --git a/test/glimpse_detector/test_env/stellar.toml b/test/glimpse_detector/test_env/stellar.toml new file mode 100644 index 0000000..d48c8d1 --- /dev/null +++ b/test/glimpse_detector/test_env/stellar.toml @@ -0,0 +1,56 @@ +[id_generator] +snowflake_worker_id_base = 1 # [0, 31] +snowflake_worker_id_offset = 2 # [0, 127] + +[packet_io] +mode = "dumpfile" # dumpfile, marsio +app_symbol = "stellar" +dev_symbol = "nf_0_fw" + +dumpfile_dir = "/tmp/dumpfile/" +nr_threads = 1 # [1, 256] +cpu_mask = [5, 6, 7, 8, 9, 10, 11, 12] + +[ip_reassembly] +enable = 1 +timeout = 10000 # range: [1, 60000] (ms) +bucket_entries = 256 # range: [1, 4294967295] (must be power of 2) +bucket_num = 4096 # range: [1, 4294967295] + +[session_manager] +# max session number +max_tcp_session_num = 50000 +max_udp_session_num = 50000 + +# session overload evict +tcp_overload_evict_old_sess = 1 # 1: evict old session, 0: bypass new session +udp_overload_evict_old_sess = 1 # 1: evict old session, 0: bypass new session + +# TCP timeout +tcp_init_timeout = 5000 # range: [1, 60000] (ms) +tcp_handshake_timeout = 5000 # range: [1, 60000] (ms) +tcp_data_timeout = 5000 # range: [1, 15999999000] (ms) +tcp_half_closed_timeout = 5000 # range: [1, 604800000] (ms) +tcp_time_wait_timeout = 5000 # range: [1, 600000] (ms) +tcp_discard_timeout = 10000 # range: [1, 15999999000] (ms) +tcp_unverified_rst_timeout = 5000 # range: [1, 600000] (ms) +# UDP timeout +udp_data_timeout = 5000 # range: [1, 15999999000] (ms) +udp_discard_timeout = 5000 # range: [1, 15999999000] (ms) + +# duplicate packet filter +duplicated_packet_filter_enable = 1 +duplicated_packet_filter_capacity = 1000000 # range: [1, 4294967295] +duplicated_packet_filter_timeout = 10000 # range: [1, 60000] (ms) +duplicated_packet_filter_error_rate = 0.00001 # range: [0.0, 1.0] + +# evicted session filter +evicted_session_filter_enable = 1 +evicted_session_filter_capacity = 1000000 # range: [1, 4294967295] +evicted_session_filter_timeout = 10000 # range: [1, 60000] (ms) +evicted_session_filter_error_rate = 0.00001 # range: [0.0, 1.0] + +# TCP reassembly (Per direction) +tcp_reassembly_enable = 1 +tcp_reassembly_max_timeout = 10000 # range: [1, 60000] (ms) +tcp_reassembly_max_segments = 256 # range: [2, 4096] diff --git a/test/glimpse_detector/test_env/tsg_l7_protocol.conf b/test/glimpse_detector/test_env/tsg_l7_protocol.conf new file mode 100644 index 0000000..4e5f3ab --- /dev/null +++ b/test/glimpse_detector/test_env/tsg_l7_protocol.conf @@ -0,0 +1,61 @@ +#TYPE:1:UCHAR,2:USHORT,3:USTRING,4:ULOG,5:USTRING,6:FILE,7:UBASE64,8:PACKET +#TYPE FIELD VALUE +STRING UNCATEGORIZED 8000 +#STRING UNCATEGORIZED 8001 +#STRING UNKNOWN_OTHER 8002 +STRING DNS 32 +STRING FTP 45 +STRING FTPS 751 +STRING HTTP 67 +STRING HTTPS 68 +STRING ICMP 70 +STRING IKE 8003 +STRING MAIL 8004 +STRING IMAP 75 +STRING IMAPS 76 +STRING IPSEC 85 +STRING XMPP 94 +STRING L2TP 98 +STRING NTP 137 +STRING POP3 147 +STRING POP3S 148 +STRING PPTP 153 +STRING QUIC 2521 +STRING SIP 182 +STRING SMB 185 +STRING SMTP 186 +STRING SMTPS 187 +STRING SPDY 1469 +STRING SSH 198 +STRING SSL 199 +STRING SOCKS 8005 +STRING TELNET 209 +STRING DHCP 29 +STRING RADIUS 158 +STRING OPENVPN 336 +STRING STUN 201 +STRING TEREDO 555 +STRING DTLS 1291 +STRING DoH 8006 +STRING ISAKMP 92 +STRING MDNS 3835 +STRING NETBIOS 129 +STRING NETFLOW 130 +STRING RDP 159 +STRING RTCP 174 +STRING RTP 175 +STRING SLP 8007 +STRING SNMP 190 +STRING SSDP 197 +STRING TFTP 211 +STRING BJNP 2481 +STRING LDAP 100 +STRING RTMP 337 +STRING RTSP 176 +STRING ESNI 8008 +STRING Stratum 8169 +STRING QQ 156 +STRING WeChat 1296 +STRING WIREGUARD 3700 +STRING MMS 115 +STRING RSYNC 173 diff --git a/test/glimpse_detector/test_result_json/app_pcap.json b/test/glimpse_detector/test_result_json/app_pcap.json new file mode 100644 index 0000000..da783e6 --- /dev/null +++ b/test/glimpse_detector/test_result_json/app_pcap.json @@ -0,0 +1,50 @@ +[{ + "Tuple4": "192.168.57.168:8758-123.151.78.109:80-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [156], + "l7_label_name": ["QQ"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_1" + }, { + "Tuple4": "192.168.58.58:51876-175.27.3.209:443-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [1296], + "l7_label_name": ["WeChat"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_2" + }, { + "Tuple4": "192.168.57.168:59361-106.119.174.27:18001-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [156], + "l7_label_name": ["QQ"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_3" + }, { + "Tuple4": "192.168.58.58:57907-119.167.204.98:8080-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [1296], + "l7_label_name": ["WeChat"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_4" + }, { + "Tuple4": "192.168.39.77:62682-81.181.55.9:1337-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [3700], + "l7_label_name": ["WIREGUARD"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_5" + }, { + "Tuple4": "192.168.50.26:56658-209.58.189.105:58237-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [3700], + "l7_label_name": ["WIREGUARD"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_6" + }, { + "Tuple4": "196.188.136.150:20620-51.77.200.55:51820-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [3700], + "l7_label_name": ["WIREGUARD"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_7" + }] diff --git a/test/glimpse_detector/test_result_json/dns_pcap.json b/test/glimpse_detector/test_result_json/dns_pcap.json new file mode 100644 index 0000000..f993cdc --- /dev/null +++ b/test/glimpse_detector/test_result_json/dns_pcap.json @@ -0,0 +1,402 @@ +[{ + "Tuple4": "124.88.175.201:17997-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_1" + }, { + "Tuple4": "124.88.175.201:18014-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_2" + }, { + "Tuple4": "124.88.175.201:18081-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_3" + }, { + "Tuple4": "124.88.175.201:18082-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_4" + }, { + "Tuple4": "124.88.175.201:18091-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_5" + }, { + "Tuple4": "124.88.175.201:18088-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_6" + }, { + "Tuple4": "124.88.175.201:18103-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_7" + }, { + "Tuple4": "124.88.175.201:18126-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_8" + }, { + "Tuple4": "124.88.175.201:18136-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_9" + }, { + "Tuple4": "124.88.175.201:18142-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_10" + }, { + "Tuple4": "124.88.175.201:18210-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_11" + }, { + "Tuple4": "124.88.175.201:18215-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_12" + }, { + "Tuple4": "124.88.175.201:18219-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_13" + }, { + "Tuple4": "124.88.175.201:18223-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_14" + }, { + "Tuple4": "124.88.175.201:18236-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_15" + }, { + "Tuple4": "124.88.175.201:18239-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_16" + }, { + "Tuple4": "124.88.175.201:18242-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_17" + }, { + "Tuple4": "124.88.175.201:18256-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_18" + }, { + "Tuple4": "124.88.175.201:18266-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_19" + }, { + "Tuple4": "124.88.175.201:18336-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_20" + }, { + "Tuple4": "124.88.175.201:18345-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_21" + }, { + "Tuple4": "124.88.175.201:18347-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_22" + }, { + "Tuple4": "124.88.175.201:18351-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_23" + }, { + "Tuple4": "124.88.175.201:18354-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_24" + }, { + "Tuple4": "124.88.175.201:18358-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_25" + }, { + "Tuple4": "124.88.175.201:18360-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_26" + }, { + "Tuple4": "60.13.179.249:38470-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_27" + }, { + "Tuple4": "60.13.179.249:38594-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_28" + }, { + "Tuple4": "60.13.179.249:38608-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_29" + }, { + "Tuple4": "60.13.179.249:38624-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_30" + }, { + "Tuple4": "60.13.179.249:38712-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": "UNKNOWN", + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_31" + }, { + "Tuple4": "60.13.179.249:38692-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_32" + }, { + "Tuple4": "60.13.179.249:38694-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_33" + }, { + "Tuple4": "60.13.179.249:38886-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_34" + }, { + "Tuple4": "60.13.179.249:38904-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_35" + }, { + "Tuple4": "60.13.179.249:38912-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_36" + }, { + "Tuple4": "60.13.179.249:38960-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_37" + }, { + "Tuple4": "60.13.179.249:38976-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": "UNKNOWN", + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_38" + }, { + "Tuple4": "60.13.179.249:38972-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_39" + }, { + "Tuple4": "60.13.179.249:39016-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": "UNKNOWN", + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_40" + }, { + "Tuple4": "60.13.179.249:38978-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_41" + }, { + "Tuple4": "60.13.179.249:39000-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_42" + }, { + "Tuple4": "60.13.179.249:39052-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_43" + }, { + "Tuple4": "60.13.179.249:39082-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_44" + }, { + "Tuple4": "60.13.179.249:39120-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_45" + }, { + "Tuple4": "60.13.179.249:39114-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_46" + }, { + "Tuple4": "60.13.179.249:39176-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_47" + }, { + "Tuple4": "60.13.179.249:39186-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_48" + }, { + "Tuple4": "60.13.179.249:39216-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_49" + }, { + "Tuple4": "60.13.179.249:39246-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_50" + }, { + "Tuple4": "60.13.179.249:39268-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_51" + }, { + "Tuple4": "60.13.179.249:26834-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_52" + }, { + "Tuple4": "124.88.175.201:18095-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_53" + }, { + "Tuple4": "60.13.195.137:41008-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": "UNKNOWN", + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_54" + }, { + "Tuple4": "124.88.175.201:18111-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_55" + }, { + "Tuple4": "60.13.179.249:26633-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_56" + }, { + "Tuple4": "60.13.179.249:26709-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_57" + }, { + "Tuple4": "60.13.179.249:37897-8.8.8.8:53-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": "UNKNOWN", + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_58" + }] diff --git a/test/glimpse_detector/test_result_json/empty_array.json b/test/glimpse_detector/test_result_json/empty_array.json new file mode 100644 index 0000000..0637a08 --- /dev/null +++ b/test/glimpse_detector/test_result_json/empty_array.json @@ -0,0 +1 @@ +[]
\ No newline at end of file diff --git a/test/glimpse_detector/test_result_json/mixed_pcap.json b/test/glimpse_detector/test_result_json/mixed_pcap.json new file mode 100644 index 0000000..34d9f65 --- /dev/null +++ b/test/glimpse_detector/test_result_json/mixed_pcap.json @@ -0,0 +1,291 @@ +[{ + "Tuple4": "117.146.23.226:63007-211.95.50.57:80-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [67], + "l7_label_name": ["HTTP"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_1" + }, { + "Tuple4": "117.145.115.74:37855-218.31.124.234:21121-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [45], + "l7_label_name": ["FTP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_2" + }, { + "Tuple4": "117.146.23.226:63007-211.95.50.57:80-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [67], + "l7_label_name": ["HTTP"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_3" + }, { + "Tuple4": "117.145.115.74:37923-218.31.124.234:21121-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [45], + "l7_label_name": ["FTP"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_4" + }, { + "Tuple4": "218.229.99.73:25-172.17.107.32:18867-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [186], + "l7_label_name": ["SMTP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_5" + }, { + "Tuple4": "196.188.12.179:54776-192.185.31.244:110-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [147], + "l7_label_name": ["POP3"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_6" + }, { + "Tuple4": "196.189.57.105:14636-68.232.159.216:25-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [186], + "l7_label_name": ["SMTP"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_7" + }, { + "Tuple4": "196.190.160.6:20997-64.225.54.152:25-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [186], + "l7_label_name": ["SMTP"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_8" + }, { + "Tuple4": "196.188.3.8:50020-82.98.178.159:110-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [147], + "l7_label_name": ["POP3"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_9" + }, { + "Tuple4": "196.189.45.189:1440-40.101.92.178:587-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [186], + "l7_label_name": ["SMTP"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_10" + }, { + "Tuple4": "196.191.120.240:37943-81.19.77.166:587-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [186], + "l7_label_name": ["SMTP"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_11" + }, { + "Tuple4": "218.31.124.234:21121-117.145.115.74:37855-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": "UNKNOWN", + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_12" + }, { + "Tuple4": "117.156.19.31:8000-39.144.206.199:22005-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [201, 174, 175], + "l7_label_name": ["STUN", "RTCP", "RTP"], + "STREAM_DIR": "S2C", + "name": "APP_PROTO_IDENTIFY_RESULT_13" + }, { + "Tuple4": "85.117.117.169:47762-173.194.73.95:443-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [2521], + "l7_label_name": ["QUIC"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_14" + }, { + "Tuple4": "85.117.113.98:4340-74.125.131.95:443-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [2521], + "l7_label_name": ["QUIC"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_15" + }, { + "Tuple4": "90.143.189.5:8026-173.194.188.40:443-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [2521], + "l7_label_name": ["QUIC"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_16" + }, { + "Tuple4": "85.117.125.8:21243-173.194.73.102:443-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [2521], + "l7_label_name": ["QUIC"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_17" + }, { + "Tuple4": "85.117.122.194:32370-173.194.220.138:443-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [2521], + "l7_label_name": ["QUIC"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_18" + }, { + "Tuple4": "10.32.121.249:33765-64.233.161.95:443-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [2521], + "l7_label_name": ["QUIC"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_19" + }, { + "Tuple4": "85.117.119.45:22495-173.194.73.101:443-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [2521], + "l7_label_name": ["QUIC"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_20" + }, { + "Tuple4": "90.143.180.56:28496-64.233.165.113:443-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [2521], + "l7_label_name": ["QUIC"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_21" + }, { + "Tuple4": "112.43.145.231:18699-112.46.25.216:443-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [2521], + "l7_label_name": ["QUIC"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_22" + }, { + "Tuple4": "108.177.14.138:443-146.158.67.194:1044-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [2521], + "l7_label_name": ["QUIC"], + "STREAM_DIR": "S2C", + "name": "APP_PROTO_IDENTIFY_RESULT_23" + }, { + "Tuple4": "36.189.11.71:443-36.142.158.169:16385-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [2521], + "l7_label_name": ["QUIC"], + "STREAM_DIR": "S2C", + "name": "APP_PROTO_IDENTIFY_RESULT_24" + }, { + "Tuple4": "103.3.138.59:12521-123.125.116.52:443-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [2521], + "l7_label_name": ["QUIC"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_25" + }, { + "Tuple4": "172.20.9.135:65045-64.233.162.119:443-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [2521], + "l7_label_name": ["QUIC"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_26" + }, { + "Tuple4": "192.168.50.29:61891-31.13.77.35:443-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [2521], + "l7_label_name": ["QUIC"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_27" + }, { + "Tuple4": "192.168.60.9:55659-69.171.250.63:443-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [2521], + "l7_label_name": ["QUIC"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_28" + }, { + "Tuple4": "192.168.137.141:50006-31.13.77.17:443-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [2521], + "l7_label_name": ["QUIC"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_29" + }, { + "Tuple4": "217.76.77.70:33232-173.194.220.105:443-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [2521], + "l7_label_name": ["QUIC"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_30" + }, { + "Tuple4": "192.168.60.32:59699-64.233.164.84:443-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [2521], + "l7_label_name": ["QUIC"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_31" + }, { + "Tuple4": "195.12.120.14:41803-173.194.222.101:443-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [2521], + "l7_label_name": ["QUIC"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_32" + }, { + "Tuple4": "10.130.2.104:55426-67.225.241.247:587-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [186], + "l7_label_name": ["SMTP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_33" + }, { + "Tuple4": "10.130.13.155:57719-50.87.145.154:26-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [186], + "l7_label_name": ["SMTP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_34" + }, { + "Tuple4": "196.189.24.94:20997-98.138.112.34:25-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": "UNKNOWN", + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_35" + }, { + "Tuple4": "196.189.0.15:53357-39.156.6.106:110-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [147], + "l7_label_name": ["POP3"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_36" + }, { + "Tuple4": "196.188.121.1:53357-68.183.134.15:110-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": "UNKNOWN", + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_37" + }, { + "Tuple4": "196.189.5.89:36734-101.32.113.90:143-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [75], + "l7_label_name": ["IMAP"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_38" + }, { + "Tuple4": "196.188.28.149:50415-69.195.110.51:143-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [75], + "l7_label_name": ["IMAP"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_39" + }, { + "Tuple4": "8.210.152.150:53-115.24.235.11:4029-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "S2C", + "name": "APP_PROTO_IDENTIFY_RESULT_40" + }, { + "Tuple4": "192.168.137.147:45736-78.1.76.154:57133-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [201, 1291], + "l7_label_name": ["STUN", "DTLS"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_41" + }, { + "Tuple4": "192.168.40.82:41450-192.168.44.230:7002-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": "UNKNOWN", + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_42" + }] diff --git a/test/glimpse_detector/test_result_json/openvpn_pcap.json b/test/glimpse_detector/test_result_json/openvpn_pcap.json new file mode 100644 index 0000000..d3d929c --- /dev/null +++ b/test/glimpse_detector/test_result_json/openvpn_pcap.json @@ -0,0 +1,92 @@ +[{ + "Tuple4": "192.168.64.27:61801-219.100.37.7:443-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [336], + "l7_label_name": ["OPENVPN"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_1" + }, { + "Tuple4": "172.16.18.30:12272-172.16.18.11:1194-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [336], + "l7_label_name": ["OPENVPN"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_2" + }, { + "Tuple4": "192.168.88.3:50568-46.246.122.61:1198-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [336], + "l7_label_name": ["OPENVPN"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_3" + }, { + "Tuple4": "192.168.1.77:60140-46.101.231.218:443-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [336], + "l7_label_name": ["OPENVPN"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_4" + }, { + "Tuple4": "192.168.43.12:41507-139.59.151.137:13680-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [336], + "l7_label_name": ["OPENVPN"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_5" + }, { + "Tuple4": "192.168.43.18:13680-139.59.151.137:13680-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [336], + "l7_label_name": ["OPENVPN"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_6" + }, { + "Tuple4": "192.168.34.249:63111-3.115.218.192:1194-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [336], + "l7_label_name": ["OPENVPN"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_7" + }, { + "Tuple4": "192.168.11.14:34400-202.43.148.189:1194-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [336], + "l7_label_name": ["OPENVPN"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_8" + }, { + "Tuple4": "202.43.148.166:40914-202.43.148.189:1194-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [336], + "l7_label_name": ["OPENVPN"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_9" + }, { + "Tuple4": "172.31.136.16:51706-172.31.250.5:1194-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [336], + "l7_label_name": ["OPENVPN"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_10" + }, { + "Tuple4": "192.168.56.31:49941-185.225.234.3:1194-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [336], + "l7_label_name": ["OPENVPN"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_11" + }, { + "Tuple4": "2607:5d00:2:2::38:129:61897-2a01:4f8:200:812b:65b::1:3042-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [336], + "l7_label_name": ["OPENVPN"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_12" + }, { + "Tuple4": "192.168.58.112:41925-36.102.226.57:8443-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [2521], + "l7_label_name": ["QUIC"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_13" + }] diff --git a/test/glimpse_detector/test_result_json/ppp_pcap.json b/test/glimpse_detector/test_result_json/ppp_pcap.json new file mode 100644 index 0000000..e1bcde0 --- /dev/null +++ b/test/glimpse_detector/test_result_json/ppp_pcap.json @@ -0,0 +1,826 @@ +[{ + "Tuple4": "192.168.10.91:62176-220.249.244.23:33445-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": "UNKNOWN", + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_1" + }, { + "Tuple4": "172.16.2.100:49247-10.0.6.229:80-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [67], + "l7_label_name": ["HTTP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_2" + }, { + "Tuple4": "172.16.2.100:49245-10.0.6.229:80-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [67], + "l7_label_name": ["HTTP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_3" + }, { + "Tuple4": "172.16.2.100:49252-10.0.6.229:80-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [67], + "l7_label_name": ["HTTP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_4" + }, { + "Tuple4": "172.16.2.100:49255-10.0.6.229:80-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [67], + "l7_label_name": ["HTTP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_5" + }, { + "Tuple4": "172.16.2.100:49248-10.0.6.229:80-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [67], + "l7_label_name": ["HTTP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_6" + }, { + "Tuple4": "172.16.2.100:49254-10.0.6.229:80-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [67], + "l7_label_name": ["HTTP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_7" + }, { + "Tuple4": "172.16.2.100:49259-10.0.6.229:80-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [67], + "l7_label_name": ["HTTP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_8" + }, { + "Tuple4": "172.16.0.100:50112-172.16.0.254:1723-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [153], + "l7_label_name": ["PPTP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_9" + }, { + "Tuple4": "172.16.2.100:50072-10.0.6.229:80-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [67], + "l7_label_name": ["HTTP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_10" + }, { + "Tuple4": "172.16.2.100:49250-10.0.6.229:80-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [67], + "l7_label_name": ["HTTP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_11" + }, { + "Tuple4": "172.16.0.100:500-172.16.0.254:500-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [92], + "l7_label_name": ["ISAKMP"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_12" + }, { + "Tuple4": "172.16.2.100:63747-224.0.0.252:5355-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": "UNKNOWN", + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_13" + }, { + "Tuple4": "172.16.2.100:65012-224.0.0.252:5355-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": "UNKNOWN", + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_14" + }, { + "Tuple4": "172.16.2.100:68-255.255.255.255:67-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": "UNKNOWN", + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_15" + }, { + "Tuple4": "172.16.2.100:63917-224.0.0.252:5355-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": "UNKNOWN", + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_16" + }, { + "Tuple4": "172.16.2.100:50147-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_17" + }, { + "Tuple4": "172.16.2.100:50866-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_18" + }, { + "Tuple4": "172.16.2.100:57084-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_19" + }, { + "Tuple4": "172.16.2.100:138-255.255.255.255:138-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [129], + "l7_label_name": ["NETBIOS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_20" + }, { + "Tuple4": "172.16.2.100:51103-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_21" + }, { + "Tuple4": "172.16.2.100:53831-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_22" + }, { + "Tuple4": "172.16.2.100:52460-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_23" + }, { + "Tuple4": "172.16.2.100:50497-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_24" + }, { + "Tuple4": "172.16.2.100:50233-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_25" + }, { + "Tuple4": "172.16.2.100:64355-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_26" + }, { + "Tuple4": "172.16.2.100:50648-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_27" + }, { + "Tuple4": "172.16.2.100:52851-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_28" + }, { + "Tuple4": "172.16.2.100:58476-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_29" + }, { + "Tuple4": "172.16.2.100:50897-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_30" + }, { + "Tuple4": "172.16.2.100:65380-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_31" + }, { + "Tuple4": "172.16.2.100:58422-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_32" + }, { + "Tuple4": "172.16.2.100:64882-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_33" + }, { + "Tuple4": "172.16.2.100:51787-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_34" + }, { + "Tuple4": "172.16.2.100:59393-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_35" + }, { + "Tuple4": "172.16.2.100:52783-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_36" + }, { + "Tuple4": "172.16.2.100:55755-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_37" + }, { + "Tuple4": "172.16.2.100:60213-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_38" + }, { + "Tuple4": "172.16.2.100:64847-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_39" + }, { + "Tuple4": "172.16.2.100:64115-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_40" + }, { + "Tuple4": "172.16.2.100:57554-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_41" + }, { + "Tuple4": "172.16.2.100:49969-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_42" + }, { + "Tuple4": "172.16.2.100:57553-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_43" + }, { + "Tuple4": "172.16.2.100:58185-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_44" + }, { + "Tuple4": "172.16.2.100:60349-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_45" + }, { + "Tuple4": "172.16.2.100:62337-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_46" + }, { + "Tuple4": "172.16.2.100:64382-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_47" + }, { + "Tuple4": "172.16.2.100:62694-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_48" + }, { + "Tuple4": "172.16.2.100:64915-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_49" + }, { + "Tuple4": "172.16.2.100:50578-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_50" + }, { + "Tuple4": "172.16.2.100:56971-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_51" + }, { + "Tuple4": "172.16.2.100:62721-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_52" + }, { + "Tuple4": "172.16.2.100:50655-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_53" + }, { + "Tuple4": "172.16.2.100:54363-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_54" + }, { + "Tuple4": "172.16.2.100:53796-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_55" + }, { + "Tuple4": "172.16.2.100:59348-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_56" + }, { + "Tuple4": "172.16.2.100:49686-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_57" + }, { + "Tuple4": "172.16.2.100:50273-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_58" + }, { + "Tuple4": "172.16.2.100:63738-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_59" + }, { + "Tuple4": "172.16.2.100:62490-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_60" + }, { + "Tuple4": "172.16.2.100:61200-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_61" + }, { + "Tuple4": "172.16.2.100:64138-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_62" + }, { + "Tuple4": "172.16.2.100:64736-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_63" + }, { + "Tuple4": "172.16.2.100:54188-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_64" + }, { + "Tuple4": "172.16.2.100:59408-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_65" + }, { + "Tuple4": "172.16.2.100:49446-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_66" + }, { + "Tuple4": "172.16.2.100:58556-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_67" + }, { + "Tuple4": "172.16.2.100:52129-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_68" + }, { + "Tuple4": "172.16.2.100:50258-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_69" + }, { + "Tuple4": "172.16.2.100:51697-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_70" + }, { + "Tuple4": "172.16.2.100:58428-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_71" + }, { + "Tuple4": "172.16.2.100:51307-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_72" + }, { + "Tuple4": "172.16.2.100:55973-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_73" + }, { + "Tuple4": "172.16.2.100:53758-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_74" + }, { + "Tuple4": "172.16.2.100:62140-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_75" + }, { + "Tuple4": "172.16.2.100:63652-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_76" + }, { + "Tuple4": "172.16.2.100:60777-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_77" + }, { + "Tuple4": "172.16.2.100:49246-10.0.6.229:80-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [67], + "l7_label_name": ["HTTP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_78" + }, { + "Tuple4": "172.16.2.100:56967-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_79" + }, { + "Tuple4": "172.16.2.100:60549-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_80" + }, { + "Tuple4": "172.16.2.100:49621-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_81" + }, { + "Tuple4": "172.16.2.100:49257-10.0.6.229:80-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [67], + "l7_label_name": ["HTTP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_82" + }, { + "Tuple4": "172.16.2.100:65424-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_83" + }, { + "Tuple4": "172.16.2.100:49249-10.0.6.229:80-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [67], + "l7_label_name": ["HTTP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_84" + }, { + "Tuple4": "172.16.2.100:49256-10.0.6.229:80-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [67], + "l7_label_name": ["HTTP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_85" + }, { + "Tuple4": "172.16.2.100:61044-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_86" + }, { + "Tuple4": "172.16.2.100:55106-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_87" + }, { + "Tuple4": "172.16.2.100:62335-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_88" + }, { + "Tuple4": "172.16.2.100:54356-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_89" + }, { + "Tuple4": "172.16.2.100:51628-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_90" + }, { + "Tuple4": "172.16.2.100:50188-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_91" + }, { + "Tuple4": "172.16.2.100:57198-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_92" + }, { + "Tuple4": "172.16.2.100:57310-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_93" + }, { + "Tuple4": "172.16.2.100:49258-10.0.6.229:80-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [67], + "l7_label_name": ["HTTP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_94" + }, { + "Tuple4": "172.16.2.100:63697-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_95" + }, { + "Tuple4": "172.16.2.100:50244-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_96" + }, { + "Tuple4": "172.16.2.100:57229-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_97" + }, { + "Tuple4": "172.16.2.100:62401-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_98" + }, { + "Tuple4": "172.16.2.100:58807-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_99" + }, { + "Tuple4": "172.16.2.100:49264-10.0.6.229:80-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [67], + "l7_label_name": ["HTTP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_100" + }, { + "Tuple4": "172.16.2.100:49261-10.0.6.229:80-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": "UNKNOWN", + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_101" + }, { + "Tuple4": "172.16.2.100:49253-10.0.6.229:80-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [67], + "l7_label_name": ["HTTP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_102" + }, { + "Tuple4": "172.16.2.100:50564-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_103" + }, { + "Tuple4": "172.16.2.100:49263-10.0.6.229:80-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": "UNKNOWN", + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_104" + }, { + "Tuple4": "172.16.2.100:49251-10.0.6.229:80-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [67], + "l7_label_name": ["HTTP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_105" + }, { + "Tuple4": "172.16.2.100:49265-10.0.6.229:80-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": "UNKNOWN", + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_106" + }, { + "Tuple4": "172.16.2.100:60282-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_107" + }, { + "Tuple4": "172.16.2.100:58248-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_108" + }, { + "Tuple4": "172.16.2.100:53188-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_109" + }, { + "Tuple4": "172.16.2.100:53483-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_110" + }, { + "Tuple4": "172.16.2.100:49260-10.0.6.229:80-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [67], + "l7_label_name": ["HTTP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_111" + }, { + "Tuple4": "172.16.2.100:51121-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_112" + }, { + "Tuple4": "172.16.2.100:52562-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_113" + }, { + "Tuple4": "172.16.2.100:49262-10.0.6.229:80-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [67], + "l7_label_name": ["HTTP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_114" + }, { + "Tuple4": "172.16.2.100:51048-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_115" + }, { + "Tuple4": "172.16.2.100:51806-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_116" + }, { + "Tuple4": "172.16.2.100:137-255.255.255.255:137-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [129], + "l7_label_name": ["NETBIOS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_117" + }, { + "Tuple4": "172.16.2.100:60348-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_118" + }, { + "Tuple4": "172.16.0.100:1701-172.16.0.254:1701-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [158], + "l7_label_name": ["RADIUS"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_119" + }] diff --git a/test/glimpse_detector/test_result_json/socks_pcap.json b/test/glimpse_detector/test_result_json/socks_pcap.json new file mode 100644 index 0000000..d27ce58 --- /dev/null +++ b/test/glimpse_detector/test_result_json/socks_pcap.json @@ -0,0 +1,266 @@ +[{ + "Tuple4": "10.0.0.1:1637-10.0.0.2:21477-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [8005, 67], + "l7_label_name": ["SOCKS", "HTTP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_1" + }, { + "Tuple4": "192.168.122.100:62395-192.168.122.202:1080-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [8005, 45], + "l7_label_name": ["SOCKS", "FTP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_2" + }, { + "Tuple4": "192.168.122.100:50259-192.168.122.202:1080-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [8005, 67], + "l7_label_name": ["SOCKS", "HTTP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_3" + }, { + "Tuple4": "10.180.156.185:53533-10.180.156.249:1080-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [8005, 67], + "l7_label_name": ["SOCKS", "HTTP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_4" + }, { + "Tuple4": "10.180.156.185:53534-10.180.156.249:1080-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [8005, 67], + "l7_label_name": ["SOCKS", "HTTP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_5" + }, { + "Tuple4": "10.180.156.185:53535-10.180.156.249:1080-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [8005, 67], + "l7_label_name": ["SOCKS", "HTTP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_6" + }, { + "Tuple4": "192.168.122.100:50260-192.168.122.202:1080-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [8005, 67], + "l7_label_name": ["SOCKS", "HTTP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_7" + }, { + "Tuple4": "10.0.0.1:1637-10.0.0.2:21477-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [8005, 67], + "l7_label_name": ["SOCKS", "HTTP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_8" + }, { + "Tuple4": "10.0.0.1:54263-10.0.0.2:8855-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [67], + "l7_label_name": ["HTTP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_9" + }, { + "Tuple4": "10.0.0.2:53709-10.0.0.1:1080-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [186], + "l7_label_name": ["SMTP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_10" + }, { + "Tuple4": "10.180.156.185:54068-10.180.156.249:1080-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [8005], + "l7_label_name": ["SOCKS"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_11" + }, { + "Tuple4": "10.180.156.185:54069-10.180.156.249:1080-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [8005], + "l7_label_name": ["SOCKS"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_12" + }, { + "Tuple4": "10.180.156.185:54072-10.180.156.249:1080-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [8005, 67], + "l7_label_name": ["SOCKS", "HTTP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_13" + }, { + "Tuple4": "10.180.156.185:53554-10.180.156.249:1080-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [8005, 199], + "l7_label_name": ["SOCKS", "SSL"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_14" + }, { + "Tuple4": "10.180.156.185:53555-10.180.156.249:1080-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [8005, 199], + "l7_label_name": ["SOCKS", "SSL"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_15" + }, { + "Tuple4": "10.180.156.185:53556-10.180.156.249:1080-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [8005, 199], + "l7_label_name": ["SOCKS", "SSL"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_16" + }, { + "Tuple4": "10.10.9.37:1063-100.100.9.37:1080-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [8005, 147], + "l7_label_name": ["SOCKS", "POP3"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_17" + }, { + "Tuple4": "10.10.10.38:1061-100.100.10.38:1080-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [8005, 186], + "l7_label_name": ["SOCKS", "SMTP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_18" + }, { + "Tuple4": "192.168.122.100:50261-192.168.122.202:1080-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [8005, 67], + "l7_label_name": ["SOCKS", "HTTP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_19" + }, { + "Tuple4": "192.168.122.100:50274-192.168.122.202:1080-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [8005, 67], + "l7_label_name": ["SOCKS", "HTTP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_20" + }, { + "Tuple4": "192.168.122.100:50275-192.168.122.202:1080-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [8005, 67], + "l7_label_name": ["SOCKS", "HTTP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_21" + }, { + "Tuple4": "192.168.122.100:50273-192.168.122.202:1080-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [8005, 67], + "l7_label_name": ["SOCKS", "HTTP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_22" + }, { + "Tuple4": "192.168.122.100:62396-192.168.122.202:1080-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [8005], + "l7_label_name": ["SOCKS"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_23" + }, { + "Tuple4": "192.168.122.100:62397-192.168.122.202:1080-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [8005], + "l7_label_name": ["SOCKS"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_24" + }, { + "Tuple4": "192.168.122.100:62398-192.168.122.202:1080-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [8005], + "l7_label_name": ["SOCKS"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_25" + }, { + "Tuple4": "192.168.122.100:62395-192.168.122.202:1080-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [45], + "l7_label_name": ["FTP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_26" + }, { + "Tuple4": "192.168.122.100:50259-192.168.122.202:1080-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [67], + "l7_label_name": ["HTTP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_27" + }, { + "Tuple4": "10.0.0.3:2276-10.0.0.2:42356-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [8005, 159], + "l7_label_name": ["SOCKS", "RDP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_28" + }, { + "Tuple4": "192.168.122.100:58811-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_29" + }, { + "Tuple4": "fe80::424:6d4c:9a85:337d:546-ff02::1:2:547-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [29], + "l7_label_name": ["DHCP"], + "STREAM_DIR": "S2C", + "name": "APP_PROTO_IDENTIFY_RESULT_30" + }, { + "Tuple4": "192.168.122.100:58117-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_31" + }, { + "Tuple4": "192.168.122.100:50258-184.50.87.123:80-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [67], + "l7_label_name": ["HTTP"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_32" + }, { + "Tuple4": "192.168.122.100:52837-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_33" + }, { + "Tuple4": "192.168.122.100:50262-74.125.235.196:443-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": "UNKNOWN", + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_34" + }, { + "Tuple4": "192.168.122.100:57617-8.8.8.8:53-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [32], + "l7_label_name": ["DNS"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_35" + }, { + "Tuple4": "192.168.122.100:138-192.168.122.255:138-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [129], + "l7_label_name": ["NETBIOS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_36" + }, { + "Tuple4": "192.168.122.100:137-192.168.122.255:137-17-0", + "STREAM_TYPE": "UDP", + "l7_label_id": [129], + "l7_label_name": ["NETBIOS"], + "STREAM_DIR": "C2S", + "name": "APP_PROTO_IDENTIFY_RESULT_37" + }, { + "Tuple4": "10.0.0.1:50606-10.0.0.2:9901-6-0", + "STREAM_TYPE": "TCP", + "l7_label_id": [8005], + "l7_label_name": ["SOCKS"], + "STREAM_DIR": "DOUBLE", + "name": "APP_PROTO_IDENTIFY_RESULT_38" + }] diff --git a/test/glimpse_detector/tsgconf/tsg_l7_protocol.conf b/test/glimpse_detector/tsgconf/tsg_l7_protocol.conf new file mode 100644 index 0000000..4e5f3ab --- /dev/null +++ b/test/glimpse_detector/tsgconf/tsg_l7_protocol.conf @@ -0,0 +1,61 @@ +#TYPE:1:UCHAR,2:USHORT,3:USTRING,4:ULOG,5:USTRING,6:FILE,7:UBASE64,8:PACKET +#TYPE FIELD VALUE +STRING UNCATEGORIZED 8000 +#STRING UNCATEGORIZED 8001 +#STRING UNKNOWN_OTHER 8002 +STRING DNS 32 +STRING FTP 45 +STRING FTPS 751 +STRING HTTP 67 +STRING HTTPS 68 +STRING ICMP 70 +STRING IKE 8003 +STRING MAIL 8004 +STRING IMAP 75 +STRING IMAPS 76 +STRING IPSEC 85 +STRING XMPP 94 +STRING L2TP 98 +STRING NTP 137 +STRING POP3 147 +STRING POP3S 148 +STRING PPTP 153 +STRING QUIC 2521 +STRING SIP 182 +STRING SMB 185 +STRING SMTP 186 +STRING SMTPS 187 +STRING SPDY 1469 +STRING SSH 198 +STRING SSL 199 +STRING SOCKS 8005 +STRING TELNET 209 +STRING DHCP 29 +STRING RADIUS 158 +STRING OPENVPN 336 +STRING STUN 201 +STRING TEREDO 555 +STRING DTLS 1291 +STRING DoH 8006 +STRING ISAKMP 92 +STRING MDNS 3835 +STRING NETBIOS 129 +STRING NETFLOW 130 +STRING RDP 159 +STRING RTCP 174 +STRING RTP 175 +STRING SLP 8007 +STRING SNMP 190 +STRING SSDP 197 +STRING TFTP 211 +STRING BJNP 2481 +STRING LDAP 100 +STRING RTMP 337 +STRING RTSP 176 +STRING ESNI 8008 +STRING Stratum 8169 +STRING QQ 156 +STRING WeChat 1296 +STRING WIREGUARD 3700 +STRING MMS 115 +STRING RSYNC 173 |