tpotce/docker/p0f/process.h

/*
   p0f - packet capture and overall host / flow bookkeeping
   --------------------------------------------------------

   Copyright (C) 2012 by Michal Zalewski <lcamtuf@coredump.cx>

   Distributed under the terms and conditions of GNU LGPL.

 */

#ifndef _HAVE_PROCESS_H
#define _HAVE_PROCESS_H

#include <pcap.h>

#include "types.h"
#include "fp_tcp.h"
#include "fp_http.h"

/* Parsed information handed over by the pcap callback: */

struct packet_data {

  u8  ip_ver;                           /* IP_VER4, IP_VER6                   */
  u8  tcp_type;                         /* TCP_SYN, ACK, FIN, RST             */

  u8  src[16];                          /* Source address (left-aligned)      */
  u8  dst[16];                          /* Destination address (left-aligned  */

  u16 sport;                            /* Source port                        */
  u16 dport;                            /* Destination port                   */

  u8  ttl;                              /* Observed TTL                       */
  u8  tos;                              /* IP ToS value                       */

  u16 mss;                              /* Maximum segment size               */
  u16 win;                              /* Window size                        */
  u8  wscale;                           /* Window scaling                     */
  u16 tot_hdr;                          /* Total headers (for MTU calc)       */

  u8  opt_layout[MAX_TCP_OPT];          /* Ordering of TCP options            */
  u8  opt_cnt;                          /* Count of TCP options               */
  u8  opt_eol_pad;                      /* Amount of padding past EOL         */

  u32 ts1;                              /* Own timestamp                      */

  u32 quirks;                           /* QUIRK_*                            */

  u8  ip_opt_len;                       /* Length of IP options               */

  u8* payload;                          /* TCP payload                        */
  u16 pay_len;                          /* Length of TCP payload              */

  u32 seq;                              /* seq value seen                     */

};

/* IP-level quirks: */

#define QUIRK_ECN            0x00000001 /* ECN supported                      */
#define QUIRK_DF             0x00000002 /* DF used (probably PMTUD)           */
#define QUIRK_NZ_ID          0x00000004 /* Non-zero IDs when DF set           */
#define QUIRK_ZERO_ID        0x00000008 /* Zero IDs when DF not set           */
#define QUIRK_NZ_MBZ         0x00000010 /* IP "must be zero" field isn't      */
#define QUIRK_FLOW           0x00000020 /* IPv6 flows used                    */

/* Core TCP quirks: */

#define QUIRK_ZERO_SEQ       0x00001000 /* SEQ is zero                        */
#define QUIRK_NZ_ACK         0x00002000 /* ACK non-zero when ACK flag not set */
#define QUIRK_ZERO_ACK       0x00004000 /* ACK is zero when ACK flag set      */
#define QUIRK_NZ_URG         0x00008000 /* URG non-zero when URG flag not set */
#define QUIRK_URG            0x00010000 /* URG flag set                       */
#define QUIRK_PUSH           0x00020000 /* PUSH flag on a control packet      */

/* TCP option quirks: */

#define QUIRK_OPT_ZERO_TS1   0x01000000 /* Own timestamp set to zero          */
#define QUIRK_OPT_NZ_TS2     0x02000000 /* Peer timestamp non-zero on SYN     */
#define QUIRK_OPT_EOL_NZ     0x04000000 /* Non-zero padding past EOL          */
#define QUIRK_OPT_EXWS       0x08000000 /* Excessive window scaling           */
#define QUIRK_OPT_BAD        0x10000000 /* Problem parsing TCP options        */

/* Host record with persistent fingerprinting data: */

struct host_data {

  struct host_data *prev, *next;        /* Linked lists                       */
  struct host_data *older, *newer;
  u32 use_cnt;                          /* Number of packet_flows attached    */

  u32 first_seen;                       /* Record created (unix time)         */
  u32 last_seen;                        /* Host last seen (unix time)         */
  u32 total_conn;                       /* Total number of connections ever   */

  u8 ip_ver;                            /* Address type                       */
  u8 addr[16];                          /* Host address data                  */

  struct tcp_sig* last_syn;             /* Sig of the most recent SYN         */
  struct tcp_sig* last_synack;          /* Sig of the most recent SYN+ACK     */

  s32 last_class_id;                    /* OS class ID (-1 = not found)       */
  s32 last_name_id;                     /* OS name ID (-1 = not found)        */
  u8* last_flavor;                      /* Last OS flavor                     */

  u8  last_quality;                     /* Generic or fuzzy match?            */

  u8* link_type;                        /* MTU-derived link type              */

  u8  cli_scores[NAT_SCORES];           /* Scoreboard for client NAT          */
  u8  srv_scores[NAT_SCORES];           /* Scoreboard for server NAT          */
  u16 nat_reasons;                      /* NAT complaints                     */

  u32 last_nat;                         /* Last NAT detection time            */
  u32 last_chg;                         /* Last OS change detection time      */

  u16 last_port;                        /* Source port on last SYN            */

  u8  distance;                         /* Last measured distance             */

  s32 last_up_min;                      /* Last computed uptime (-1 = none)   */
  u32 up_mod_days;                      /* Uptime modulo (days)               */

  /* HTTP business: */

  struct http_sig* http_req_os;         /* Last request, if class != -1       */
  struct http_sig* http_resp;           /* Last response                      */

  s32 http_name_id;                     /* Client name ID (-1 = not found)    */
  u8* http_flavor;                      /* Client flavor                      */

  u8* language;                         /* Detected language                  */

  u8  bad_sw;                           /* Used dishonest U-A or Server?      */

  u16 http_resp_port;                   /* Port on which response seen        */

};

/* Reasons for NAT detection: */

#define NAT_APP_SIG          0x0001     /* App signature <-> OS mismatch      */
#define NAT_OS_SIG           0x0002     /* OS detection mismatch              */
#define NAT_UNK_DIFF         0x0004     /* Current sig unknown, but different */
#define NAT_TO_UNK           0x0008     /* Sig changed from known to unknown  */
#define NAT_TS               0x0010     /* Timestamp goes back                */
#define NAT_PORT             0x0020     /* Source port goes back              */
#define NAT_TTL              0x0040     /* TTL changes unexpectedly           */
#define NAT_FUZZY            0x0080     /* Signature fuzziness changes        */
#define NAT_MSS              0x0100     /* MSS changes                        */

#define NAT_APP_LB           0x0200     /* Server signature changes           */
#define NAT_APP_VIA          0x0400     /* Via / X-Forwarded-For seen         */
#define NAT_APP_DATE         0x0800     /* Date changes in a weird way        */
#define NAT_APP_UA           0x1000     /* User-Agent OS inconsistency        */

/* TCP flow record, maintained until all fingerprinting modules are happy: */

struct packet_flow {

  struct packet_flow *prev, *next;      /* Linked lists                       */
  struct packet_flow *older, *newer;
  u32 bucket;                           /* Bucket this flow belongs to        */

  struct host_data* client;             /* Requesting client                  */
  struct host_data* server;             /* Target server                      */

  u16 cli_port;                         /* Client port                        */
  u16 srv_port;                         /* Server port                        */

  u8  acked;                            /* SYN+ACK received?                  */
  u8  sendsyn;                          /* Created by p0f-sendsyn?            */

  s16 srv_tps;                          /* Computed TS divisor (-1 = bad)     */ 
  s16 cli_tps;

  u8* request;                          /* Client-originating data            */
  u32 req_len;                          /* Captured data length               */
  u32 next_cli_seq;                     /* Next seq on cli -> srv packet      */

  u8* response;                         /* Server-originating data            */
  u32 resp_len;                         /* Captured data length               */
  u32 next_srv_seq;                     /* Next seq on srv -> cli packet      */
  u16 syn_mss;                          /* MSS on SYN packet                  */

  u32 created;                          /* Flow creation date (unix time)     */

  /* Application-level fingerprinting: */

  s8  in_http;                          /* 0 = tbd, 1 = yes, -1 = no          */

  u8  http_req_done;                    /* Done collecting req headers?       */
  u32 http_pos;                         /* Current parsing offset             */
  u8  http_gotresp1;                    /* Got initial line of a response?    */

  struct http_sig http_tmp;             /* Temporary signature                */

};

extern u64 packet_cnt;

void parse_packet(void* junk, const struct pcap_pkthdr* hdr, const u8* data);

u8* addr_to_str(u8* data, u8 ip_ver);

u64 get_unix_time_ms(void);
u32 get_unix_time(void);

void add_nat_score(u8 to_srv, struct packet_flow* f, u16 reason, u8 score);
void verify_tool_class(u8 to_srv, struct packet_flow* f, u32* sys, u32 sys_cnt);

struct host_data* lookup_host(u8* addr, u8 ip_ver);

void destroy_all_hosts(void);

#endif /* !_HAVE_PROCESS_H */
include docker repos ... skip emobility since it is a dev repo 2017-10-13 18:58:14 +00:00			`/*`
			`p0f - packet capture and overall host / flow bookkeeping`
			`--------------------------------------------------------`

			`Copyright (C) 2012 by Michal Zalewski <lcamtuf@coredump.cx>`

			`Distributed under the terms and conditions of GNU LGPL.`

			`*/`

			`#ifndef _HAVE_PROCESS_H`
			`#define _HAVE_PROCESS_H`

			`#include <pcap.h>`

			`#include "types.h"`
			`#include "fp_tcp.h"`
			`#include "fp_http.h"`

			`/* Parsed information handed over by the pcap callback: */`

			`struct packet_data {`

			`u8 ip_ver; /* IP_VER4, IP_VER6 */`
			`u8 tcp_type; /* TCP_SYN, ACK, FIN, RST */`

			`u8 src[16]; /* Source address (left-aligned) */`
			`u8 dst[16]; /* Destination address (left-aligned */`

			`u16 sport; /* Source port */`
			`u16 dport; /* Destination port */`

			`u8 ttl; /* Observed TTL */`
			`u8 tos; /* IP ToS value */`

			`u16 mss; /* Maximum segment size */`
			`u16 win; /* Window size */`
			`u8 wscale; /* Window scaling */`
			`u16 tot_hdr; /* Total headers (for MTU calc) */`

			`u8 opt_layout[MAX_TCP_OPT]; /* Ordering of TCP options */`
			`u8 opt_cnt; /* Count of TCP options */`
			`u8 opt_eol_pad; /* Amount of padding past EOL */`

			`u32 ts1; /* Own timestamp */`

			`u32 quirks; /* QUIRK_* */`

			`u8 ip_opt_len; /* Length of IP options */`

			`u8* payload; /* TCP payload */`
			`u16 pay_len; /* Length of TCP payload */`

			`u32 seq; /* seq value seen */`

			`};`

			`/* IP-level quirks: */`

			`#define QUIRK_ECN 0x00000001 /* ECN supported */`
			`#define QUIRK_DF 0x00000002 /* DF used (probably PMTUD) */`
			`#define QUIRK_NZ_ID 0x00000004 /* Non-zero IDs when DF set */`
			`#define QUIRK_ZERO_ID 0x00000008 /* Zero IDs when DF not set */`
			`#define QUIRK_NZ_MBZ 0x00000010 /* IP "must be zero" field isn't */`
			`#define QUIRK_FLOW 0x00000020 /* IPv6 flows used */`

			`/* Core TCP quirks: */`

			`#define QUIRK_ZERO_SEQ 0x00001000 /* SEQ is zero */`
			`#define QUIRK_NZ_ACK 0x00002000 /* ACK non-zero when ACK flag not set */`
			`#define QUIRK_ZERO_ACK 0x00004000 /* ACK is zero when ACK flag set */`
			`#define QUIRK_NZ_URG 0x00008000 /* URG non-zero when URG flag not set */`
			`#define QUIRK_URG 0x00010000 /* URG flag set */`
			`#define QUIRK_PUSH 0x00020000 /* PUSH flag on a control packet */`

			`/* TCP option quirks: */`

			`#define QUIRK_OPT_ZERO_TS1 0x01000000 /* Own timestamp set to zero */`
			`#define QUIRK_OPT_NZ_TS2 0x02000000 /* Peer timestamp non-zero on SYN */`
			`#define QUIRK_OPT_EOL_NZ 0x04000000 /* Non-zero padding past EOL */`
			`#define QUIRK_OPT_EXWS 0x08000000 /* Excessive window scaling */`
			`#define QUIRK_OPT_BAD 0x10000000 /* Problem parsing TCP options */`

			`/* Host record with persistent fingerprinting data: */`

			`struct host_data {`

			`struct host_data prev, next; /* Linked lists */`
			`struct host_data older, newer;`
			`u32 use_cnt; /* Number of packet_flows attached */`

			`u32 first_seen; /* Record created (unix time) */`
			`u32 last_seen; /* Host last seen (unix time) */`
			`u32 total_conn; /* Total number of connections ever */`

			`u8 ip_ver; /* Address type */`
			`u8 addr[16]; /* Host address data */`

			`struct tcp_sig* last_syn; /* Sig of the most recent SYN */`
			`struct tcp_sig* last_synack; /* Sig of the most recent SYN+ACK */`

			`s32 last_class_id; /* OS class ID (-1 = not found) */`
			`s32 last_name_id; /* OS name ID (-1 = not found) */`
			`u8* last_flavor; /* Last OS flavor */`

			`u8 last_quality; /* Generic or fuzzy match? */`

			`u8* link_type; /* MTU-derived link type */`

			`u8 cli_scores[NAT_SCORES]; /* Scoreboard for client NAT */`
			`u8 srv_scores[NAT_SCORES]; /* Scoreboard for server NAT */`
			`u16 nat_reasons; /* NAT complaints */`

			`u32 last_nat; /* Last NAT detection time */`
			`u32 last_chg; /* Last OS change detection time */`

			`u16 last_port; /* Source port on last SYN */`

			`u8 distance; /* Last measured distance */`

			`s32 last_up_min; /* Last computed uptime (-1 = none) */`
			`u32 up_mod_days; /* Uptime modulo (days) */`

			`/* HTTP business: */`

			`struct http_sig* http_req_os; /* Last request, if class != -1 */`
			`struct http_sig* http_resp; /* Last response */`

			`s32 http_name_id; /* Client name ID (-1 = not found) */`
			`u8* http_flavor; /* Client flavor */`

			`u8* language; /* Detected language */`

			`u8 bad_sw; /* Used dishonest U-A or Server? */`

			`u16 http_resp_port; /* Port on which response seen */`

			`};`

			`/* Reasons for NAT detection: */`

			`#define NAT_APP_SIG 0x0001 /* App signature <-> OS mismatch */`
			`#define NAT_OS_SIG 0x0002 /* OS detection mismatch */`
			`#define NAT_UNK_DIFF 0x0004 /* Current sig unknown, but different */`
			`#define NAT_TO_UNK 0x0008 /* Sig changed from known to unknown */`
			`#define NAT_TS 0x0010 /* Timestamp goes back */`
			`#define NAT_PORT 0x0020 /* Source port goes back */`
			`#define NAT_TTL 0x0040 /* TTL changes unexpectedly */`
			`#define NAT_FUZZY 0x0080 /* Signature fuzziness changes */`
			`#define NAT_MSS 0x0100 /* MSS changes */`

			`#define NAT_APP_LB 0x0200 /* Server signature changes */`
			`#define NAT_APP_VIA 0x0400 /* Via / X-Forwarded-For seen */`
			`#define NAT_APP_DATE 0x0800 /* Date changes in a weird way */`
			`#define NAT_APP_UA 0x1000 /* User-Agent OS inconsistency */`

			`/* TCP flow record, maintained until all fingerprinting modules are happy: */`

			`struct packet_flow {`

			`struct packet_flow prev, next; /* Linked lists */`
			`struct packet_flow older, newer;`
			`u32 bucket; /* Bucket this flow belongs to */`

			`struct host_data* client; /* Requesting client */`
			`struct host_data* server; /* Target server */`

			`u16 cli_port; /* Client port */`
			`u16 srv_port; /* Server port */`

			`u8 acked; /* SYN+ACK received? */`
			`u8 sendsyn; /* Created by p0f-sendsyn? */`

			`s16 srv_tps; /* Computed TS divisor (-1 = bad) */`
			`s16 cli_tps;`

			`u8* request; /* Client-originating data */`
			`u32 req_len; /* Captured data length */`
			`u32 next_cli_seq; /* Next seq on cli -> srv packet */`

			`u8* response; /* Server-originating data */`
			`u32 resp_len; /* Captured data length */`
			`u32 next_srv_seq; /* Next seq on srv -> cli packet */`
			`u16 syn_mss; /* MSS on SYN packet */`

			`u32 created; /* Flow creation date (unix time) */`

			`/* Application-level fingerprinting: */`

			`s8 in_http; /* 0 = tbd, 1 = yes, -1 = no */`

			`u8 http_req_done; /* Done collecting req headers? */`
			`u32 http_pos; /* Current parsing offset */`
			`u8 http_gotresp1; /* Got initial line of a response? */`

			`struct http_sig http_tmp; /* Temporary signature */`

			`};`

			`extern u64 packet_cnt;`

			`void parse_packet(void* junk, const struct pcap_pkthdr* hdr, const u8* data);`

			`u8* addr_to_str(u8* data, u8 ip_ver);`

			`u64 get_unix_time_ms(void);`
			`u32 get_unix_time(void);`

			`void add_nat_score(u8 to_srv, struct packet_flow* f, u16 reason, u8 score);`
			`void verify_tool_class(u8 to_srv, struct packet_flow* f, u32* sys, u32 sys_cnt);`

			`struct host_data* lookup_host(u8* addr, u8 ip_ver);`

			`void destroy_all_hosts(void);`

			`#endif /* !_HAVE_PROCESS_H */`