udp seqno

yehgdotnet · Sep 21, 2013 · 426afb1 · 426afb1
1 parent 30f38dc
commit 426afb1
Show file tree

Hide file tree

Showing 11 changed files with 187 additions and 49 deletions.
diff --git a/src/pixie-timer.c b/src/pixie-timer.c
@@ -142,7 +142,7 @@ pixie_usleep(uint64_t waitTime)
     start = pixie_gettime();
 
     if (waitTime > 1000)
-        Sleep(waitTime/1000);
+        Sleep((DWORD)(waitTime/1000));
 
     while (pixie_gettime() - start < waitTime)
         ;

diff --git a/src/proto-banner1.c b/src/proto-banner1.c
@@ -247,7 +247,7 @@ int banner1_selftest()
                     px+i, 1,
                     banner, &banner_offset, sizeof(banner)
                     );
-    if (memcmp(banner, "YTS/1.20.13", 11) != 0) {
+    if (memcmp(banner, "Via:HTTP/1.1", 11) != 0) {
         printf("banner1: test failed\n");
         return 1;
     }
@@ -268,7 +268,7 @@ int banner1_selftest()
                     px, length,
                     banner, &banner_offset, sizeof(banner)
                     );
-    if (memcmp(banner, "YTS/1.20.13", 11) != 0) {
+    if (memcmp(banner, "Via:HTTP/1.1", 11) != 0) {
         printf("banner1: test failed\n");
         return 1;
     }

diff --git a/src/proto-dns.c b/src/proto-dns.c
@@ -9,6 +9,7 @@
 #include "unusedparm.h"
 
 
+
 struct DomainPointer
 {
     const unsigned char *name;
@@ -324,34 +325,52 @@ proto_dns_parse(struct DNS_Incoming *dns, const unsigned char px[], unsigned off
     return;
 }
 
-void handle_dns(struct Output *out, const unsigned char *px, unsigned length, struct PreprocessedInfo *parsed)
+unsigned
+dns_set_cookie(unsigned char *px, size_t length, uint64_t seqno)
+{
+    if (length > 2) {
+        px[0] = (unsigned char)(seqno >> 8);
+        px[1] = (unsigned char)(seqno >> 0);
+        return seqno & 0xFFFF;
+    } else
+        return 0;
+}
+
+unsigned
+handle_dns(struct Output *out, const unsigned char *px, unsigned length, struct PreprocessedInfo *parsed)
 {
     unsigned ip_them;
     unsigned port_them = parsed->port_src;
     struct DNS_Incoming dns[1];
     unsigned offset;
+    unsigned seqno;
 
     ip_them = parsed->ip_src[0]<<24 | parsed->ip_src[1]<<16
             | parsed->ip_src[2]<< 8 | parsed->ip_src[3]<<0;
 
+    seqno = syn_hash(ip_them, port_them | 0x10000);
+
     proto_dns_parse(dns, px, parsed->app_offset, parsed->app_offset + parsed->app_length);
 
+    if ((seqno & 0xFFFF) != dns->id)
+        return 1;
+
     if (dns->qr != 1)
-        return;
+        return 0;
     if (dns->rcode != 0)
-        return;
+        return 0;
     if (dns->qdcount != 1)
-        return;
+        return 0;
     if (dns->ancount < 1)
-        return;
+        return 0;
     if (dns->rr_count < 2)
-        return;
+        return 0;
 
 
     offset = dns->rr_offset[1];
     offset = dns_name_skip(px, offset, length);
     if (offset + 10 >= length)
-        return;
+        return 0;
 
     {
         unsigned type = px[offset+0]<<8 | px[offset+1];
@@ -360,9 +379,9 @@ void handle_dns(struct Output *out, const unsigned char *px, unsigned length, st
         unsigned txtlen = px[offset+10];
 
         if (rrlen == 0 || txtlen > rrlen-1)
-            return;
+            return 0;
         if (type != 0x10 || xclass != 3)
-            return;
+            return 0;
 
         offset += 11;
 
@@ -371,8 +390,7 @@ void handle_dns(struct Output *out, const unsigned char *px, unsigned length, st
                 ip_them, port_them, 
                 PROTO_DNS_VERSIONBIND,
                 px + offset, txtlen);
-
-
-
     }
+
+    return 0;
 }
diff --git a/src/proto-dns.h b/src/proto-dns.h
@@ -3,6 +3,6 @@
 struct PreprocessedInfo;
 struct Output;
 
-void handle_dns(struct Output *out, const unsigned char *px, unsigned length, struct PreprocessedInfo *parsed);
+unsigned handle_dns(struct Output *out, const unsigned char *px, unsigned length, struct PreprocessedInfo *parsed);
 
 #endif
diff --git a/src/proto-http.c b/src/proto-http.c
@@ -38,7 +38,7 @@ struct Patterns html_fields[] = {
 /*****************************************************************************
  *****************************************************************************/
 static void
-field_name(void *banner, unsigned *banner_offset, size_t banner_max, unsigned id, struct Patterns *http_fields)
+field_name(void *banner, unsigned *banner_offset, size_t banner_max, size_t id, struct Patterns *http_fields)
 {
     unsigned i;
     if (id == HTTPFIELD_INCOMPLETE)

diff --git a/src/proto-snmp.c b/src/proto-snmp.c
@@ -7,6 +7,7 @@
 #include "output.h"
 #include "proto-preprocess.h"
 #include "proto-banner1.h"
+#include "syn-cookie.h"
 
 static struct SMACK *global_mib;
 
@@ -221,7 +222,7 @@ snmp_banner(const unsigned char *oid, size_t oid_length,
             uint64_t result = 0;
             for (i=0; i<var_length; i++)
                 result = result<<8 | var[i];
-            sprintf_s(foo, sizeof(foo), "%llu", result);
+            sprintf_s(foo, sizeof(foo), "%llu", foo);
             if (*banner_offset + strlen(foo) < banner_max) {
                 memcpy(banner + *banner_offset, foo, strlen(foo));
                 *banner_offset += (unsigned)strlen(foo);
@@ -254,7 +255,8 @@ snmp_banner(const unsigned char *oid, size_t oid_length,
  ****************************************************************************/
 void
 snmp_parse(const unsigned char *px, uint64_t length,
-    unsigned char *banner, unsigned *banner_offset, unsigned banner_max)
+    unsigned char *banner, unsigned *banner_offset, unsigned banner_max,
+    unsigned *request_id)
 {
 	uint64_t offset=0;
 	uint64_t outer_length;
@@ -293,6 +295,7 @@ snmp_parse(const unsigned char *px, uint64_t length,
 
 	/* Request ID */
 	snmp->request_id = asn1_integer(px, length, &offset);
+    *request_id = (unsigned)snmp->request_id;
 	snmp->error_status = asn1_integer(px, length, &offset);
 	snmp->error_index = asn1_integer(px, length, &offset);
 
@@ -349,6 +352,80 @@ snmp_parse(const unsigned char *px, uint64_t length,
 	}
 }
 
+/****************************************************************************
+ ****************************************************************************/
+unsigned
+snmp_set_cookie(unsigned char *px, size_t length, uint64_t seqno)
+{
+	uint64_t offset=0;
+	uint64_t outer_length;
+    uint64_t version;
+    uint64_t tag;
+    uint64_t len;
+
+
+	/* tag */
+	if (asn1_tag(px, length, &offset) != 0x30)
+		return 0;
+
+	/* length */
+	outer_length = asn1_length(px, length, &offset);
+	if (length > outer_length + offset)
+		length = outer_length + offset;
+
+	/* Version */
+	version = asn1_integer(px, length, &offset);
+	if (version != 0)
+		return 0;
+
+	/* Community */
+	if (asn1_tag(px, length, &offset) != 0x04)
+		return 0;
+	offset += asn1_length(px, length, &offset);
+
+	/* PDU */
+	tag = asn1_tag(px, length, &offset);
+	if (tag < 0xA0 || 0xA5 < tag)
+		return 0;
+	outer_length = asn1_length(px, length, &offset);
+	if (length > outer_length + offset)
+		length = outer_length + offset;
+
+	/* Request ID */
+	tag = asn1_tag(px, length, &offset);
+    len = asn1_length(px, length, &offset);
+    switch (len) {
+    case 0: 
+        return 0;
+    case 1: 
+        px[offset+0] = (unsigned char)(seqno>>0)&0x7F;
+        return seqno & 0x7F;
+    case 2:
+        px[offset+0] = (unsigned char)(seqno>>8)&0x7F;
+        px[offset+1] = (unsigned char)(seqno>>0);
+        return seqno & 0x7fff;
+    case 3:
+        px[offset+0] = (unsigned char)(seqno>>16)&0x7F;
+        px[offset+1] = (unsigned char)(seqno>>8);
+        px[offset+2] = (unsigned char)(seqno>>0);
+        return seqno & 0x7fffFF;
+    case 4:
+        px[offset+0] = (unsigned char)(seqno>>24)&0x7F;
+        px[offset+1] = (unsigned char)(seqno>>16);
+        px[offset+2] = (unsigned char)(seqno>>8);
+        px[offset+3] = (unsigned char)(seqno>>0);
+        return seqno & 0x7fffFFFF;
+    case 5: 
+        px[offset+0] = 0;
+        px[offset+1] = (unsigned char)(seqno>>24);
+        px[offset+2] = (unsigned char)(seqno>>16);
+        px[offset+3] = (unsigned char)(seqno>>8);
+        px[offset+4] = (unsigned char)(seqno>>0);
+        return seqno & 0xffffFFFF;
+    }
+    return 0;
+}
+
 #define TWO_BYTE       ((~0)<<7)
 #define THREE_BYTE     ((~0)<<14)
 #define FOUR_BYTE      ((~0)<<21)
@@ -410,30 +487,43 @@ convert_oid(unsigned char *dst, size_t sizeof_dst, const char *src)
 
 /****************************************************************************
  ****************************************************************************/
-void handle_snmp(struct Output *out, const unsigned char *px, unsigned length, struct PreprocessedInfo *parsed)
+unsigned
+handle_snmp(struct Output *out, 
+            const unsigned char *px, unsigned length, 
+            struct PreprocessedInfo *parsed
+            )
 {
     unsigned char banner[1024];
     unsigned banner_offset = 0;
     unsigned banner_length = sizeof(banner);
     unsigned ip_them;
+    unsigned port_them = parsed->port_src;
+    unsigned seqno;
+    unsigned request_id;
 
     UNUSEDPARM(length);
 
     snmp_parse(px + parsed->app_offset, parsed->app_length,
-        banner, &banner_offset, banner_length);
-    if (!banner_offset)
-        return;
+        banner, &banner_offset, banner_length,
+        &request_id);
+
 
     ip_them = parsed->ip_src[0]<<24 | parsed->ip_src[1]<<16
             | parsed->ip_src[2]<< 8 | parsed->ip_src[3]<<0;
 
-    output_report_banner(
+    seqno = syn_hash(ip_them, port_them | 0x10000);
+    if ((seqno&0x7FFFffff) != request_id)
+        return 1;
+
+    if (banner_offset) {
+        output_report_banner(
             out,
             ip_them, parsed->port_src, 
             PROTO_SNMP,
             banner, banner_offset);
+    }
 
-
+    return 0;
 }
 
 
@@ -481,11 +571,11 @@ static int
 snmp_selftest_banner()
 {
     static const unsigned char snmp_response[] = {
-        0x30, 0x3b, 
+        0x30, 0x38, 
          0x02, 0x01, 0x00, 
          0x04, 0x06, 0x70, 0x75, 0x62, 0x6C, 0x69, 0x63, 
-         0xA2, 0x2e, 
-           0x02, 0x04, 0x00, 0x00, 0x00, 0x26, 
+         0xA2, 0x2B, 
+           0x02, 0x01, 0x26, 
            0x02, 0x01, 0x00, 
            0x02, 0x01, 0x00, 
            0x30, 0x20, 
@@ -498,10 +588,13 @@ snmp_selftest_banner()
     unsigned char banner[256];
     unsigned banner_offset = 0;
     unsigned banner_max = sizeof(banner);
+    unsigned request_id;
 
     snmp_parse(snmp_response, sizeof(snmp_response),
-                banner, &banner_offset, banner_max);
+                banner, &banner_offset, banner_max, &request_id);
 
+    if (request_id != 0x26)
+        return 1;
 
     return memcmp(banner, "sysObjectID:okidata.1.1.1.297.93", 30) != 0;
 }

diff --git a/src/proto-snmp.h b/src/proto-snmp.h
@@ -15,6 +15,7 @@ void snmp_init();
  */
 int snmp_selftest();
 
-void handle_snmp(struct Output *out, const unsigned char *px, unsigned length, struct PreprocessedInfo *parsed);
+unsigned
+handle_snmp(struct Output *out, const unsigned char *px, unsigned length, struct PreprocessedInfo *parsed);
 
 #endif
diff --git a/src/proto-udp.c b/src/proto-udp.c
@@ -14,25 +14,29 @@ void handle_udp(struct Output *out, const unsigned char *px, unsigned length, st
 {
     unsigned ip_them;
     unsigned port_them = parsed->port_src;
+    unsigned status = 0;
 
     ip_them = parsed->ip_src[0]<<24 | parsed->ip_src[1]<<16
             | parsed->ip_src[2]<< 8 | parsed->ip_src[3]<<0;
 
-    output_report_status(
-                        out,
-                        Port_UdpOpen,
-                        ip_them,
-                        port_them,
-                        0,
-                        0);
+
 
     switch (port_them) {
     case 161:
-        handle_snmp(out, px, length, parsed);
+        status = handle_snmp(out, px, length, parsed);
         break;
     case 53:
-        handle_dns(out, px, length, parsed);
+        status = handle_dns(out, px, length, parsed);
         break;
     }
 
+    if (status == 0)
+        output_report_status(
+                        out,
+                        Port_UdpOpen,
+                        ip_them,
+                        port_them,
+                        0,
+                        0);
+
 }