mirror of
				https://github.com/telekom-security/tpotce.git
				synced 2025-10-25 01:34:43 +00:00 
			
		
		
		
	
		
			
	
	
		
			1549 lines
		
	
	
	
		
			34 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
		
		
			
		
	
	
			1549 lines
		
	
	
	
		
			34 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
|   | /*
 | ||
|  |    p0f - packet capture and overall host / flow bookkeeping | ||
|  |    -------------------------------------------------------- | ||
|  | 
 | ||
|  |    Copyright (C) 2012 by Michal Zalewski <lcamtuf@coredump.cx> | ||
|  | 
 | ||
|  |    Distributed under the terms and conditions of GNU LGPL. | ||
|  | 
 | ||
|  |  */ | ||
|  | 
 | ||
|  | #include <stdio.h>
 | ||
|  | #include <stdlib.h>
 | ||
|  | #include <unistd.h>
 | ||
|  | #include <pcap.h>
 | ||
|  | #include <time.h>
 | ||
|  | #include <ctype.h>
 | ||
|  | 
 | ||
|  | #include <sys/fcntl.h>
 | ||
|  | #include <netinet/in.h>
 | ||
|  | #include <sys/types.h>
 | ||
|  | #include <sys/socket.h>
 | ||
|  | #include <arpa/inet.h>
 | ||
|  | #include <sys/time.h>
 | ||
|  | #include <sys/stat.h>
 | ||
|  | 
 | ||
|  | #include "types.h"
 | ||
|  | #include "config.h"
 | ||
|  | #include "debug.h"
 | ||
|  | #include "alloc-inl.h"
 | ||
|  | #include "process.h"
 | ||
|  | #include "hash.h"
 | ||
|  | #include "tcp.h"
 | ||
|  | #include "readfp.h"
 | ||
|  | #include "p0f.h"
 | ||
|  | 
 | ||
|  | #include "fp_tcp.h"
 | ||
|  | #include "fp_mtu.h"
 | ||
|  | #include "fp_http.h"
 | ||
|  | 
 | ||
|  | u64 packet_cnt;                         /* Total number of packets processed  */ | ||
|  | 
 | ||
|  | static s8 link_off = -1;                /* Link-specific IP header offset     */ | ||
|  | static u8 bad_packets;                  /* Seen non-IP packets?               */ | ||
|  | 
 | ||
|  | static struct host_data *host_by_age,   /* All host entries, by last mod      */ | ||
|  |                         *newest_host;   /* Tail of the list                   */ | ||
|  | 
 | ||
|  | static struct packet_flow *flow_by_age, /* All flows, by creation time        */ | ||
|  |                           *newest_flow; /* Tail of the list                   */ | ||
|  | 
 | ||
|  | static struct timeval* cur_time;        /* Current time, courtesy of pcap     */ | ||
|  | 
 | ||
|  | /* Bucketed hosts and flows: */ | ||
|  | 
 | ||
|  | static struct host_data    *host_b[HOST_BUCKETS]; | ||
|  | static struct packet_flow  *flow_b[FLOW_BUCKETS]; | ||
|  | 
 | ||
|  | static u32 host_cnt, flow_cnt;          /* Counters for bookkeeping purposes  */ | ||
|  | 
 | ||
|  | static void flow_dispatch(struct packet_data* pk); | ||
|  | static void nuke_flows(u8 silent); | ||
|  | static void expire_cache(void); | ||
|  | 
 | ||
|  | 
 | ||
|  | /* Get unix time in milliseconds. */ | ||
|  | 
 | ||
|  | u64 get_unix_time_ms(void) { | ||
|  | 
 | ||
|  |   return ((u64)cur_time->tv_sec) * 1000 + (cur_time->tv_usec / 1000); | ||
|  | } | ||
|  | 
 | ||
|  | 
 | ||
|  | /* Get unix time in seconds. */ | ||
|  | 
 | ||
|  | u32 get_unix_time(void) { | ||
|  |   return cur_time->tv_sec; | ||
|  | } | ||
|  | 
 | ||
|  | 
 | ||
|  | /* Find link-specific offset (pcap knows, but won't tell). */ | ||
|  | 
 | ||
|  | static void find_offset(const u8* data, s32 total_len) { | ||
|  | 
 | ||
|  |   u8 i; | ||
|  | 
 | ||
|  |   /* Check hardcoded values for some of the most common options. */ | ||
|  | 
 | ||
|  |   switch (link_type) { | ||
|  | 
 | ||
|  |     case DLT_RAW:        link_off = 0;  return; | ||
|  | 
 | ||
|  |     case DLT_NULL: | ||
|  |     case DLT_PPP:        link_off = 4;  return; | ||
|  | 
 | ||
|  |     case DLT_LOOP: | ||
|  | 
 | ||
|  | #ifdef DLT_PPP_SERIAL
 | ||
|  |     case DLT_PPP_SERIAL: | ||
|  | #endif /* DLT_PPP_SERIAL */
 | ||
|  | 
 | ||
|  |     case DLT_PPP_ETHER:  link_off = 8;  return; | ||
|  | 
 | ||
|  |     case DLT_EN10MB:     link_off = 14; return; | ||
|  | 
 | ||
|  | #ifdef DLT_LINUX_SLL
 | ||
|  |     case DLT_LINUX_SLL:  link_off = 16; return; | ||
|  | #endif /* DLT_LINUX_SLL */
 | ||
|  | 
 | ||
|  |     case DLT_PFLOG:      link_off = 28; return; | ||
|  | 
 | ||
|  |     case DLT_IEEE802_11: link_off = 32; return; | ||
|  |   } | ||
|  | 
 | ||
|  |   /* If this fails, try to auto-detect. There is a slight risk that if the
 | ||
|  |      first packet we see is maliciously crafted, and somehow gets past the | ||
|  |      configured BPF filter, we will configure the wrong offset. But that | ||
|  |      seems fairly unlikely. */ | ||
|  | 
 | ||
|  |   for (i = 0; i < 40; i += 2, total_len -= 2) { | ||
|  | 
 | ||
|  |     if (total_len < MIN_TCP4) break; | ||
|  | 
 | ||
|  |     /* Perhaps this is IPv6? We check three things: IP version (first 4 bits);
 | ||
|  |        total length sufficient to accommodate IPv6 and TCP headers; and the | ||
|  |        "next protocol" field equal to PROTO_TCP. */ | ||
|  | 
 | ||
|  |     if (total_len >= MIN_TCP6 && (data[i] >> 4) == IP_VER6) { | ||
|  | 
 | ||
|  |       struct ipv6_hdr* hdr = (struct ipv6_hdr*)(data + i); | ||
|  | 
 | ||
|  |       if (hdr->proto == PROTO_TCP) { | ||
|  | 
 | ||
|  |         DEBUG("[#] Detected packet offset of %u via IPv6 (link type %u).\n", i, | ||
|  |               link_type); | ||
|  |         link_off = i; | ||
|  |         break; | ||
|  | 
 | ||
|  |       } | ||
|  |        | ||
|  |     } | ||
|  | 
 | ||
|  |     /* Okay, let's try IPv4 then. The same approach, except the shortest packet
 | ||
|  |        size must be just enough to accommodate IPv4 + TCP (already checked). */ | ||
|  | 
 | ||
|  |     if ((data[i] >> 4) == IP_VER4) { | ||
|  | 
 | ||
|  |       struct ipv4_hdr* hdr = (struct ipv4_hdr*)(data + i); | ||
|  | 
 | ||
|  |       if (hdr->proto == PROTO_TCP) { | ||
|  | 
 | ||
|  |         DEBUG("[#] Detected packet offset of %u via IPv4 (link type %u).\n", i, | ||
|  |               link_type); | ||
|  |         link_off = i; | ||
|  |         break; | ||
|  | 
 | ||
|  |       } | ||
|  | 
 | ||
|  |     } | ||
|  | 
 | ||
|  |   } | ||
|  | 
 | ||
|  |   /* If we found something, adjust for VLAN tags (ETH_P_8021Q == 0x8100). Else,
 | ||
|  |      complain once and try again soon. */ | ||
|  | 
 | ||
|  |   if (link_off >= 4 && data[i-4] == 0x81 && data[i-3] == 0x00) { | ||
|  | 
 | ||
|  |     DEBUG("[#] Adjusting offset due to VLAN tagging.\n"); | ||
|  |     link_off -= 4; | ||
|  | 
 | ||
|  |   } else if (link_off == -1) { | ||
|  | 
 | ||
|  |     link_off = -2; | ||
|  |     WARN("Unable to find link-specific packet offset. This is bad."); | ||
|  | 
 | ||
|  |   } | ||
|  | 
 | ||
|  | } | ||
|  | 
 | ||
|  | 
 | ||
|  | /* Convert IPv4 or IPv6 address to a human-readable form. */ | ||
|  | 
 | ||
|  | u8* addr_to_str(u8* data, u8 ip_ver) { | ||
|  | 
 | ||
|  |   static char tmp[128]; | ||
|  | 
 | ||
|  |   /* We could be using inet_ntop(), but on systems that have older libc
 | ||
|  |      but still see passing IPv6 traffic, we would be in a pickle. */ | ||
|  | 
 | ||
|  |   if (ip_ver == IP_VER4) { | ||
|  | 
 | ||
|  |     sprintf(tmp, "%u.%u.%u.%u", data[0], data[1], data[2], data[3]); | ||
|  | 
 | ||
|  |   } else { | ||
|  | 
 | ||
|  |     sprintf(tmp, "%x:%x:%x:%x:%x:%x:%x:%x", | ||
|  |             (data[0] << 8) | data[1], (data[2] << 8) | data[3],  | ||
|  |             (data[4] << 8) | data[5], (data[6] << 8) | data[7],  | ||
|  |             (data[8] << 8) | data[9], (data[10] << 8) | data[11],  | ||
|  |             (data[12] << 8) | data[13], (data[14] << 8) | data[15]); | ||
|  | 
 | ||
|  |   } | ||
|  | 
 | ||
|  |   return (u8*)tmp; | ||
|  | 
 | ||
|  | } | ||
|  | 
 | ||
|  | 
 | ||
|  | /* Parse PCAP input, with plenty of sanity checking. Store interesting details
 | ||
|  |    in a protocol-agnostic buffer that will be then examined upstream. */ | ||
|  | 
 | ||
|  | void parse_packet(void* junk, const struct pcap_pkthdr* hdr, const u8* data) { | ||
|  | 
 | ||
|  |   struct tcp_hdr* tcp; | ||
|  |   struct packet_data pk; | ||
|  | 
 | ||
|  |   s32 packet_len; | ||
|  |   u32 tcp_doff; | ||
|  | 
 | ||
|  |   u8* opt_end; | ||
|  | 
 | ||
|  |   packet_cnt++; | ||
|  |    | ||
|  |   cur_time = (struct timeval*)&hdr->ts; | ||
|  | 
 | ||
|  |   if (!(packet_cnt % EXPIRE_INTERVAL)) expire_cache(); | ||
|  | 
 | ||
|  |   /* Be paranoid about how much data we actually have off the wire. */ | ||
|  | 
 | ||
|  |   packet_len = MIN(hdr->len, hdr->caplen); | ||
|  |   if (packet_len > SNAPLEN) packet_len = SNAPLEN; | ||
|  | 
 | ||
|  |   // DEBUG("[#] Received packet: len = %d, caplen = %d, limit = %d\n",
 | ||
|  |   //    hdr->len, hdr->caplen, SNAPLEN);
 | ||
|  | 
 | ||
|  |   /* Account for link-level headers. */ | ||
|  | 
 | ||
|  |   if (link_off < 0) find_offset(data, packet_len); | ||
|  | 
 | ||
|  |   if (link_off > 0) { | ||
|  | 
 | ||
|  |     data += link_off; | ||
|  |     packet_len -= link_off; | ||
|  | 
 | ||
|  |   } | ||
|  | 
 | ||
|  |   /* If there is no way we could have received a complete TCP packet, bail
 | ||
|  |      out early. */ | ||
|  | 
 | ||
|  |   if (packet_len < MIN_TCP4) { | ||
|  |     DEBUG("[#] Packet too short for any IPv4 + TCP headers, giving up!\n"); | ||
|  |     return; | ||
|  |   } | ||
|  | 
 | ||
|  |   pk.quirks = 0; | ||
|  | 
 | ||
|  |   if ((*data >> 4) == IP_VER4) { | ||
|  | 
 | ||
|  |     /************************
 | ||
|  |      * IPv4 header parsing. * | ||
|  |      ************************/ | ||
|  |      | ||
|  |     const struct ipv4_hdr* ip4 = (struct ipv4_hdr*)data; | ||
|  | 
 | ||
|  |     u32 hdr_len = (ip4->ver_hlen & 0x0F) * 4; | ||
|  |     u16 flags_off = ntohs(RD16(ip4->flags_off)); | ||
|  |     u16 tot_len = ntohs(RD16(ip4->tot_len)); | ||
|  | 
 | ||
|  |     /* If the packet claims to be shorter than what we received off the wire,
 | ||
|  |        honor this claim to account for etherleak-type bugs. */ | ||
|  | 
 | ||
|  |     if (packet_len > tot_len) { | ||
|  |       packet_len = tot_len; | ||
|  |       // DEBUG("[#] ipv4.tot_len = %u, adjusted accordingly.\n", tot_len);
 | ||
|  |     } | ||
|  | 
 | ||
|  |     /* Bail out if the result leaves no room for IPv4 + TCP headers. */ | ||
|  | 
 | ||
|  |     if (packet_len < MIN_TCP4) { | ||
|  |       DEBUG("[#] packet_len = %u. Too short for IPv4 + TCP, giving up!\n", | ||
|  |             packet_len); | ||
|  |       return; | ||
|  |     } | ||
|  | 
 | ||
|  |     /* Bail out if the declared length of IPv4 headers is nonsensical. */ | ||
|  | 
 | ||
|  |     if (hdr_len < sizeof(struct ipv4_hdr)) { | ||
|  |       DEBUG("[#] ipv4.hdr_len = %u. Too short for IPv4, giving up!\n", | ||
|  |             hdr_len); | ||
|  |       return; | ||
|  |     } | ||
|  | 
 | ||
|  |     /* If the packet claims to be longer than the recv buffer, best to back
 | ||
|  |        off - even though we could just ignore this and recover. */ | ||
|  | 
 | ||
|  |     if (tot_len > packet_len) { | ||
|  |       DEBUG("[#] ipv4.tot_len = %u but packet_len = %u, bailing out!\n", | ||
|  |             tot_len, packet_len); | ||
|  |       return; | ||
|  |     } | ||
|  | 
 | ||
|  |     /* And finally, bail out if after skipping the IPv4 header as specified
 | ||
|  |        (including options), there wouldn't be enough room for TCP. */ | ||
|  | 
 | ||
|  |     if (hdr_len + sizeof(struct tcp_hdr) > packet_len) { | ||
|  |       DEBUG("[#] ipv4.hdr_len = %u, packet_len = %d, no room for TCP!\n", | ||
|  |             hdr_len, packet_len); | ||
|  |       return; | ||
|  |     } | ||
|  | 
 | ||
|  |     /* Bail out if the subsequent protocol is not TCP. */ | ||
|  | 
 | ||
|  |     if (ip4->proto != PROTO_TCP) { | ||
|  |       DEBUG("[#] Whoa, IPv4 packet with non-TCP payload (%u)?\n", ip4->proto); | ||
|  |       return; | ||
|  |     } | ||
|  | 
 | ||
|  |     /* Ignore any traffic with MF or non-zero fragment offset specified. We
 | ||
|  |        can do enough just fingerprinting the non-fragmented traffic. */ | ||
|  | 
 | ||
|  |     if (flags_off & ~(IP4_DF | IP4_MBZ)) { | ||
|  |       DEBUG("[#] Packet fragment (0x%04x), letting it slide!\n", flags_off); | ||
|  |       return; | ||
|  |     } | ||
|  | 
 | ||
|  |     /* Store some relevant information about the packet. */ | ||
|  | 
 | ||
|  |     pk.ip_ver = IP_VER4; | ||
|  | 
 | ||
|  |     pk.ip_opt_len = hdr_len - 20; | ||
|  | 
 | ||
|  |     memcpy(pk.src, ip4->src, 4); | ||
|  |     memcpy(pk.dst, ip4->dst, 4); | ||
|  | 
 | ||
|  |     pk.tos = ip4->tos_ecn >> 2; | ||
|  | 
 | ||
|  |     pk.ttl = ip4->ttl; | ||
|  | 
 | ||
|  |     if (ip4->tos_ecn & (IP_TOS_CE | IP_TOS_ECT)) pk.quirks |= QUIRK_ECN; | ||
|  | 
 | ||
|  |     /* Tag some of the corner cases associated with implementation quirks. */ | ||
|  |      | ||
|  |     if (flags_off & IP4_MBZ) pk.quirks |= QUIRK_NZ_MBZ; | ||
|  | 
 | ||
|  |     if (flags_off & IP4_DF) { | ||
|  | 
 | ||
|  |       pk.quirks |= QUIRK_DF; | ||
|  |       if (RD16(ip4->id)) pk.quirks |= QUIRK_NZ_ID; | ||
|  | 
 | ||
|  |     } else { | ||
|  | 
 | ||
|  |       if (!RD16(ip4->id)) pk.quirks |= QUIRK_ZERO_ID; | ||
|  | 
 | ||
|  |     } | ||
|  | 
 | ||
|  |     pk.tot_hdr = hdr_len; | ||
|  | 
 | ||
|  |     tcp = (struct tcp_hdr*)(data + hdr_len); | ||
|  |     packet_len -= hdr_len; | ||
|  |      | ||
|  |   } else if ((*data >> 4) == IP_VER6) { | ||
|  | 
 | ||
|  |     /************************
 | ||
|  |      * IPv6 header parsing. * | ||
|  |      ************************/ | ||
|  |      | ||
|  |     const struct ipv6_hdr* ip6 = (struct ipv6_hdr*)data; | ||
|  |     u32 ver_tos = ntohl(RD32(ip6->ver_tos)); | ||
|  |     u32 tot_len = ntohs(RD16(ip6->pay_len)) + sizeof(struct ipv6_hdr); | ||
|  | 
 | ||
|  |     /* If the packet claims to be shorter than what we received off the wire,
 | ||
|  |        honor this claim to account for etherleak-type bugs. */ | ||
|  | 
 | ||
|  |     if (packet_len > tot_len) { | ||
|  |       packet_len = tot_len; | ||
|  |       // DEBUG("[#] ipv6.tot_len = %u, adjusted accordingly.\n", tot_len);
 | ||
|  |     } | ||
|  | 
 | ||
|  |     /* Bail out if the result leaves no room for IPv6 + TCP headers. */ | ||
|  | 
 | ||
|  |     if (packet_len < MIN_TCP6) { | ||
|  |       DEBUG("[#] packet_len = %u. Too short for IPv6 + TCP, giving up!\n", | ||
|  |             packet_len); | ||
|  |       return; | ||
|  |     } | ||
|  | 
 | ||
|  |     /* If the packet claims to be longer than the data we have, best to back
 | ||
|  |        off - even though we could just ignore this and recover. */ | ||
|  | 
 | ||
|  |     if (tot_len > packet_len) { | ||
|  |       DEBUG("[#] ipv6.tot_len = %u but packet_len = %u, bailing out!\n", | ||
|  |             tot_len, packet_len); | ||
|  |       return; | ||
|  |     } | ||
|  | 
 | ||
|  |     /* Bail out if the subsequent protocol is not TCP. One day, we may try
 | ||
|  |        to parse and skip IPv6 extensions, but there seems to be no point in | ||
|  |        it today. */ | ||
|  | 
 | ||
|  |     if (ip6->proto != PROTO_TCP) { | ||
|  |       DEBUG("[#] IPv6 packet with non-TCP payload (%u).\n", ip6->proto); | ||
|  |       return; | ||
|  |     } | ||
|  | 
 | ||
|  |     /* Store some relevant information about the packet. */ | ||
|  | 
 | ||
|  |     pk.ip_ver = IP_VER6; | ||
|  | 
 | ||
|  |     pk.ip_opt_len = 0; | ||
|  | 
 | ||
|  |     memcpy(pk.src, ip6->src, 16); | ||
|  |     memcpy(pk.dst, ip6->dst, 16); | ||
|  | 
 | ||
|  |     pk.tos = (ver_tos >> 22) & 0x3F; | ||
|  | 
 | ||
|  |     pk.ttl = ip6->ttl; | ||
|  | 
 | ||
|  |     if (ver_tos & 0xFFFFF) pk.quirks |= QUIRK_FLOW; | ||
|  | 
 | ||
|  |     if ((ver_tos >> 20) & (IP_TOS_CE | IP_TOS_ECT)) pk.quirks |= QUIRK_ECN; | ||
|  | 
 | ||
|  |     pk.tot_hdr = sizeof(struct ipv6_hdr); | ||
|  | 
 | ||
|  |     tcp = (struct tcp_hdr*)(ip6 + 1); | ||
|  |     packet_len -= sizeof(struct ipv6_hdr); | ||
|  | 
 | ||
|  |   } else { | ||
|  | 
 | ||
|  |     if (!bad_packets) { | ||
|  |       WARN("Unknown packet type %u, link detection issue?", *data >> 4); | ||
|  |       bad_packets = 1; | ||
|  |     } | ||
|  | 
 | ||
|  |     return; | ||
|  | 
 | ||
|  |   } | ||
|  | 
 | ||
|  |   /***************
 | ||
|  |    * TCP parsing * | ||
|  |    ***************/ | ||
|  | 
 | ||
|  |   data = (u8*)tcp; | ||
|  | 
 | ||
|  |   tcp_doff = (tcp->doff_rsvd >> 4) * 4; | ||
|  | 
 | ||
|  |   /* As usual, let's start with sanity checks. */ | ||
|  | 
 | ||
|  |   if (tcp_doff < sizeof(struct tcp_hdr)) { | ||
|  |     DEBUG("[#] tcp.hdr_len = %u, not enough for TCP!\n", tcp_doff); | ||
|  |     return; | ||
|  |   } | ||
|  | 
 | ||
|  |   if (tcp_doff > packet_len) { | ||
|  |     DEBUG("[#] tcp.hdr_len = %u, past end of packet!\n", tcp_doff); | ||
|  |     return; | ||
|  |   } | ||
|  | 
 | ||
|  |   pk.tot_hdr += tcp_doff; | ||
|  | 
 | ||
|  |   pk.sport = ntohs(RD16(tcp->sport)); | ||
|  |   pk.dport = ntohs(RD16(tcp->dport)); | ||
|  | 
 | ||
|  |   pk.tcp_type = tcp->flags & (TCP_SYN | TCP_ACK | TCP_FIN | TCP_RST); | ||
|  | 
 | ||
|  |   /* NUL, SYN+FIN, SYN+RST, FIN+RST, etc, should go to /dev/null. */ | ||
|  | 
 | ||
|  |   if (((tcp->flags & TCP_SYN) && (tcp->flags & (TCP_FIN | TCP_RST))) || | ||
|  |       ((tcp->flags & TCP_FIN) && (tcp->flags & TCP_RST)) || | ||
|  |       !pk.tcp_type) { | ||
|  | 
 | ||
|  |     DEBUG("[#] Silly combination of TCP flags: 0x%02x.\n", tcp->flags); | ||
|  |     return; | ||
|  | 
 | ||
|  |   } | ||
|  | 
 | ||
|  |   pk.win = ntohs(RD16(tcp->win)); | ||
|  | 
 | ||
|  |   pk.seq = ntohl(RD32(tcp->seq)); | ||
|  | 
 | ||
|  |   /* Take note of miscellanous features and quirks. */ | ||
|  | 
 | ||
|  |   if ((tcp->flags & (TCP_ECE | TCP_CWR)) ||  | ||
|  |       (tcp->doff_rsvd & TCP_NS_RES)) pk.quirks |= QUIRK_ECN; | ||
|  | 
 | ||
|  |   if (!pk.seq) pk.quirks |= QUIRK_ZERO_SEQ; | ||
|  | 
 | ||
|  |   if (tcp->flags & TCP_ACK) { | ||
|  | 
 | ||
|  |     if (!RD32(tcp->ack)) pk.quirks |= QUIRK_ZERO_ACK; | ||
|  | 
 | ||
|  |   } else { | ||
|  | 
 | ||
|  |     /* A good proportion of RSTs tend to have "illegal" ACK numbers, so
 | ||
|  |        ignore these. */ | ||
|  | 
 | ||
|  |     if (RD32(tcp->ack) & !(tcp->flags & TCP_RST)) { | ||
|  | 
 | ||
|  |       DEBUG("[#] Non-zero ACK on a non-ACK packet: 0x%08x.\n", | ||
|  |             ntohl(RD32(tcp->ack))); | ||
|  | 
 | ||
|  |       pk.quirks |= QUIRK_NZ_ACK; | ||
|  | 
 | ||
|  |     } | ||
|  | 
 | ||
|  |   } | ||
|  | 
 | ||
|  |   if (tcp->flags & TCP_URG) { | ||
|  | 
 | ||
|  |     pk.quirks |= QUIRK_URG; | ||
|  | 
 | ||
|  |   } else { | ||
|  | 
 | ||
|  |     if (RD16(tcp->urg)) { | ||
|  | 
 | ||
|  |       DEBUG("[#] Non-zero UPtr on a non-URG packet: 0x%08x.\n", | ||
|  |             ntohl(RD16(tcp->urg))); | ||
|  | 
 | ||
|  |       pk.quirks |= QUIRK_NZ_URG; | ||
|  | 
 | ||
|  |     } | ||
|  | 
 | ||
|  |   } | ||
|  | 
 | ||
|  |   if (tcp->flags & TCP_PUSH) pk.quirks |= QUIRK_PUSH; | ||
|  | 
 | ||
|  |   /* Handle payload data. */ | ||
|  | 
 | ||
|  |   if (tcp_doff == packet_len) { | ||
|  | 
 | ||
|  |     pk.payload = NULL; | ||
|  |     pk.pay_len = 0; | ||
|  | 
 | ||
|  |   } else { | ||
|  | 
 | ||
|  |     pk.payload = (u8*)data + tcp_doff; | ||
|  |     pk.pay_len = packet_len - tcp_doff; | ||
|  | 
 | ||
|  |   } | ||
|  | 
 | ||
|  |   /**********************
 | ||
|  |    * TCP option parsing * | ||
|  |    **********************/ | ||
|  | 
 | ||
|  |   opt_end = (u8*)data + tcp_doff; /* First byte of non-option data */ | ||
|  |   data = (u8*)(tcp + 1); | ||
|  | 
 | ||
|  |   pk.opt_cnt     = 0; | ||
|  |   pk.opt_eol_pad = 0; | ||
|  |   pk.mss         = 0; | ||
|  |   pk.wscale      = 0; | ||
|  |   pk.ts1         = 0; | ||
|  | 
 | ||
|  |   /* Option parsing problems are non-fatal, but we want to keep track of
 | ||
|  |      them to spot buggy TCP stacks. */ | ||
|  | 
 | ||
|  |   while (data < opt_end && pk.opt_cnt < MAX_TCP_OPT) { | ||
|  | 
 | ||
|  |     pk.opt_layout[pk.opt_cnt++] = *data; | ||
|  | 
 | ||
|  |     switch (*data++) { | ||
|  | 
 | ||
|  |       case TCPOPT_EOL: | ||
|  | 
 | ||
|  |         /* EOL is a single-byte option that aborts further option parsing.
 | ||
|  |            Take note of how many bytes of option data are left, and if any of | ||
|  |            them are non-zero. */ | ||
|  | 
 | ||
|  |         pk.opt_eol_pad = opt_end - data; | ||
|  |          | ||
|  |         while (data < opt_end && !*data++); | ||
|  | 
 | ||
|  |         if (data != opt_end) { | ||
|  |           pk.quirks |= QUIRK_OPT_EOL_NZ; | ||
|  |           data = opt_end; | ||
|  |         } | ||
|  | 
 | ||
|  |         break; | ||
|  | 
 | ||
|  |       case TCPOPT_NOP: | ||
|  | 
 | ||
|  |         /* NOP is a single-byte option that does nothing. */ | ||
|  | 
 | ||
|  |         break; | ||
|  |    | ||
|  |       case TCPOPT_MAXSEG: | ||
|  | 
 | ||
|  |         /* MSS is a four-byte option with specified size. */ | ||
|  | 
 | ||
|  |         if (data + 3 > opt_end) { | ||
|  |           DEBUG("[#] MSS option would end past end of header (%u left).\n", | ||
|  |                 opt_end - data); | ||
|  |           goto abort_options; | ||
|  |         } | ||
|  | 
 | ||
|  |         if (*data != 4) { | ||
|  |           DEBUG("[#] MSS option expected to have 4 bytes, not %u.\n", *data); | ||
|  |           pk.quirks |= QUIRK_OPT_BAD; | ||
|  |         } | ||
|  | 
 | ||
|  |         pk.mss = ntohs(RD16p(data+1)); | ||
|  | 
 | ||
|  |         data += 3; | ||
|  | 
 | ||
|  |         break; | ||
|  | 
 | ||
|  |       case TCPOPT_WSCALE: | ||
|  | 
 | ||
|  |         /* WS is a three-byte option with specified size. */ | ||
|  | 
 | ||
|  |         if (data + 2 > opt_end) { | ||
|  |           DEBUG("[#] WS option would end past end of header (%u left).\n", | ||
|  |                 opt_end - data); | ||
|  |           goto abort_options; | ||
|  |         } | ||
|  | 
 | ||
|  |         if (*data != 3) { | ||
|  |           DEBUG("[#] WS option expected to have 3 bytes, not %u.\n", *data); | ||
|  |           pk.quirks |= QUIRK_OPT_BAD; | ||
|  |         } | ||
|  | 
 | ||
|  |         pk.wscale = data[1]; | ||
|  | 
 | ||
|  |         if (pk.wscale > 14) pk.quirks |= QUIRK_OPT_EXWS; | ||
|  | 
 | ||
|  |         data += 2; | ||
|  | 
 | ||
|  |         break; | ||
|  | 
 | ||
|  |       case TCPOPT_SACKOK: | ||
|  | 
 | ||
|  |         /* SACKOK is a two-byte option with specified size. */ | ||
|  | 
 | ||
|  |         if (data + 1 > opt_end) { | ||
|  |           DEBUG("[#] SACKOK option would end past end of header (%u left).\n", | ||
|  |                 opt_end - data); | ||
|  |           goto abort_options; | ||
|  |         } | ||
|  | 
 | ||
|  |         if (*data != 2) { | ||
|  |           DEBUG("[#] SACKOK option expected to have 2 bytes, not %u.\n", *data); | ||
|  |           pk.quirks |= QUIRK_OPT_BAD; | ||
|  |         } | ||
|  | 
 | ||
|  |         data++; | ||
|  | 
 | ||
|  |         break; | ||
|  | 
 | ||
|  |       case TCPOPT_SACK: | ||
|  | 
 | ||
|  |         /* SACK is a variable-length option of 10 to 34 bytes. Because we don't
 | ||
|  |            know the size any better, we need to bail out if it looks wonky. */ | ||
|  | 
 | ||
|  |         if (data == opt_end) { | ||
|  |           DEBUG("[#] SACK option without room for length field."); | ||
|  |           goto abort_options; | ||
|  |         } | ||
|  | 
 | ||
|  |         if (*data < 10 || *data > 34) { | ||
|  |           DEBUG("[#] SACK length out of range (%u), bailing out.\n", *data); | ||
|  |           goto abort_options; | ||
|  |         } | ||
|  | 
 | ||
|  |         if (data - 1 + *data > opt_end) { | ||
|  |           DEBUG("[#] SACK option (len %u) is too long (%u left).\n", | ||
|  |                 *data, opt_end - data); | ||
|  |           goto abort_options; | ||
|  |         } | ||
|  | 
 | ||
|  |         data += *data - 1; | ||
|  | 
 | ||
|  |         break; | ||
|  | 
 | ||
|  |       case TCPOPT_TSTAMP: | ||
|  | 
 | ||
|  |         /* Timestamp is a ten-byte option with specified size. */ | ||
|  | 
 | ||
|  |         if (data + 9 > opt_end) { | ||
|  |           DEBUG("[#] TStamp option would end past end of header (%u left).\n", | ||
|  |                 opt_end - data); | ||
|  |           goto abort_options; | ||
|  |         } | ||
|  | 
 | ||
|  |         if (*data != 10) { | ||
|  |           DEBUG("[#] TStamp option expected to have 10 bytes, not %u.\n", | ||
|  |                 *data); | ||
|  |           pk.quirks |= QUIRK_OPT_BAD; | ||
|  |         } | ||
|  | 
 | ||
|  |         pk.ts1 = ntohl(RD32p(data + 1)); | ||
|  | 
 | ||
|  |         if (!pk.ts1) pk.quirks |= QUIRK_OPT_ZERO_TS1; | ||
|  | 
 | ||
|  |         if (pk.tcp_type == TCP_SYN && RD32p(data + 5)) { | ||
|  | 
 | ||
|  |           DEBUG("[#] Non-zero second timestamp: 0x%08x.\n", | ||
|  |                 ntohl(*(u32*)(data + 5))); | ||
|  | 
 | ||
|  |           pk.quirks |= QUIRK_OPT_NZ_TS2; | ||
|  | 
 | ||
|  |         } | ||
|  | 
 | ||
|  |         data += 9; | ||
|  | 
 | ||
|  |         break; | ||
|  | 
 | ||
|  |       default: | ||
|  | 
 | ||
|  |         /* Unknown option, presumably with specified size. */ | ||
|  | 
 | ||
|  |         if (data == opt_end) { | ||
|  |           DEBUG("[#] Unknown option 0x%02x without room for length field.", | ||
|  |                 data[-1]); | ||
|  |           goto abort_options; | ||
|  |         } | ||
|  | 
 | ||
|  |         if (*data < 2 || *data > 40) { | ||
|  |           DEBUG("[#] Unknown option 0x%02x has invalid length %u.\n", | ||
|  |                 data[-1], *data); | ||
|  |           goto abort_options; | ||
|  |         } | ||
|  | 
 | ||
|  |         if (data - 1 + *data > opt_end) { | ||
|  |           DEBUG("[#] Unknown option 0x%02x (len %u) is too long (%u left).\n", | ||
|  |                 data[-1], *data, opt_end - data); | ||
|  |           goto abort_options; | ||
|  |         } | ||
|  | 
 | ||
|  |         data += *data - 1; | ||
|  | 
 | ||
|  |     } | ||
|  | 
 | ||
|  |   } | ||
|  | 
 | ||
|  |   if (data != opt_end) { | ||
|  | 
 | ||
|  | abort_options: | ||
|  | 
 | ||
|  |     DEBUG("[#] Option parsing aborted (cnt = %u, remainder = %u).\n", | ||
|  |           pk.opt_cnt, opt_end - data); | ||
|  | 
 | ||
|  |     pk.quirks |= QUIRK_OPT_BAD; | ||
|  | 
 | ||
|  |   } | ||
|  | 
 | ||
|  |   flow_dispatch(&pk); | ||
|  | 
 | ||
|  | } | ||
|  | 
 | ||
|  | 
 | ||
|  | /* Calculate hash bucket for packet_flow. Keep the hash symmetrical: switching
 | ||
|  |    source and dest should have no effect. */ | ||
|  | 
 | ||
|  | static u32 get_flow_bucket(struct packet_data* pk) { | ||
|  | 
 | ||
|  |   u32 bucket; | ||
|  | 
 | ||
|  |   if (pk->ip_ver == IP_VER4) { | ||
|  |     bucket = hash32(pk->src, 4, hash_seed) ^ hash32(pk->dst, 4, hash_seed); | ||
|  |   } else { | ||
|  |     bucket = hash32(pk->src, 16, hash_seed) ^ hash32(pk->dst, 16, hash_seed); | ||
|  |   } | ||
|  | 
 | ||
|  |   bucket ^= hash32(&pk->sport, 2, hash_seed) ^ hash32(&pk->dport, 2, hash_seed); | ||
|  | 
 | ||
|  |   return bucket % FLOW_BUCKETS; | ||
|  | 
 | ||
|  | } | ||
|  | 
 | ||
|  | 
 | ||
|  | /* Calculate hash bucket for host_data. */ | ||
|  | 
 | ||
|  | static u32 get_host_bucket(u8* addr, u8 ip_ver) { | ||
|  | 
 | ||
|  |   u32 bucket; | ||
|  | 
 | ||
|  |   bucket = hash32(addr, (ip_ver == IP_VER4) ? 4 : 16, hash_seed); | ||
|  | 
 | ||
|  |   return bucket % HOST_BUCKETS; | ||
|  | 
 | ||
|  | } | ||
|  | 
 | ||
|  | 
 | ||
|  | /* Look up host data. */ | ||
|  | 
 | ||
|  | struct host_data* lookup_host(u8* addr, u8 ip_ver) { | ||
|  | 
 | ||
|  |   u32 bucket = get_host_bucket(addr, ip_ver); | ||
|  |   struct host_data* h = host_b[bucket]; | ||
|  | 
 | ||
|  |   while (CP(h)) { | ||
|  | 
 | ||
|  |     if (ip_ver == h->ip_ver && | ||
|  |         !memcmp(addr, h->addr, (h->ip_ver == IP_VER4) ? 4 : 16)) | ||
|  |       return h; | ||
|  | 
 | ||
|  |     h = h->next; | ||
|  | 
 | ||
|  |   } | ||
|  | 
 | ||
|  |   return NULL; | ||
|  | 
 | ||
|  | } | ||
|  | 
 | ||
|  | 
 | ||
|  | /* Destroy host data. */ | ||
|  | 
 | ||
|  | static void destroy_host(struct host_data* h) { | ||
|  | 
 | ||
|  |   u32 bucket;  | ||
|  | 
 | ||
|  |   bucket = get_host_bucket(CP(h)->addr, h->ip_ver); | ||
|  | 
 | ||
|  |   if (h->use_cnt) FATAL("Attempt to destroy used host data."); | ||
|  | 
 | ||
|  |   DEBUG("[#] Destroying host data: %s (bucket %d)\n", | ||
|  |         addr_to_str(h->addr, h->ip_ver), bucket); | ||
|  | 
 | ||
|  |   /* Remove it from the bucketed linked list. */ | ||
|  | 
 | ||
|  |   if (CP(h->next)) h->next->prev = h->prev; | ||
|  |    | ||
|  |   if (CP(h->prev)) h->prev->next = h->next; | ||
|  |   else host_b[bucket] = h->next; | ||
|  | 
 | ||
|  |   /* Remove from the by-age linked list. */ | ||
|  | 
 | ||
|  |   if (CP(h->newer)) h->newer->older = h->older; | ||
|  |   else newest_host = h->older; | ||
|  | 
 | ||
|  |   if (CP(h->older)) h->older->newer = h->newer; | ||
|  |   else host_by_age = h->newer;  | ||
|  | 
 | ||
|  |   /* Free memory. */ | ||
|  | 
 | ||
|  |   ck_free(h->last_syn); | ||
|  |   ck_free(h->last_synack); | ||
|  | 
 | ||
|  |   ck_free(h->http_resp); | ||
|  |   ck_free(h->http_req_os); | ||
|  | 
 | ||
|  |   ck_free(h); | ||
|  | 
 | ||
|  |   host_cnt--; | ||
|  | 
 | ||
|  | } | ||
|  | 
 | ||
|  | 
 | ||
|  | /* Indiscriminately kill some of the older hosts. */ | ||
|  | 
 | ||
|  | static void nuke_hosts(void) { | ||
|  | 
 | ||
|  |   u32 kcnt = 1 + (host_cnt * KILL_PERCENT / 100); | ||
|  |   struct host_data* target = host_by_age; | ||
|  | 
 | ||
|  |   if (!read_file) | ||
|  |     WARN("Too many host entries, deleting %u. Use -m to adjust.", kcnt); | ||
|  | 
 | ||
|  |   nuke_flows(1); | ||
|  | 
 | ||
|  |   while (kcnt && CP(target)) { | ||
|  |     struct host_data* next = target->older; | ||
|  |     if (!target->use_cnt) { kcnt--; destroy_host(target); } | ||
|  |     target = next; | ||
|  |   } | ||
|  | 
 | ||
|  | } | ||
|  |    | ||
|  | 
 | ||
|  | 
 | ||
|  | /* Create a minimal host data. */ | ||
|  | 
 | ||
|  | static struct host_data* create_host(u8* addr, u8 ip_ver) { | ||
|  | 
 | ||
|  |   u32 bucket = get_host_bucket(addr, ip_ver); | ||
|  |   struct host_data* nh; | ||
|  | 
 | ||
|  |   if (host_cnt > max_hosts) nuke_hosts(); | ||
|  | 
 | ||
|  |   DEBUG("[#] Creating host data: %s (bucket %u)\n", | ||
|  |         addr_to_str(addr, ip_ver), bucket); | ||
|  | 
 | ||
|  |   nh = ck_alloc(sizeof(struct host_data)); | ||
|  | 
 | ||
|  |   /* Insert into the bucketed linked list. */ | ||
|  | 
 | ||
|  |   if (CP(host_b[bucket])) { | ||
|  |     host_b[bucket]->prev = nh; | ||
|  |     nh->next = host_b[bucket]; | ||
|  |   } | ||
|  | 
 | ||
|  |   host_b[bucket] = nh; | ||
|  | 
 | ||
|  |   /* Insert into the by-age linked list. */ | ||
|  |   | ||
|  |   if (CP(newest_host)) { | ||
|  | 
 | ||
|  |     newest_host->newer = nh; | ||
|  |     nh->older = newest_host; | ||
|  | 
 | ||
|  |   } else host_by_age = nh; | ||
|  | 
 | ||
|  |   newest_host = nh; | ||
|  | 
 | ||
|  |   /* Populate other data. */ | ||
|  | 
 | ||
|  |   nh->ip_ver = ip_ver; | ||
|  |   memcpy(nh->addr, addr, (ip_ver == IP_VER4) ? 4 : 16); | ||
|  | 
 | ||
|  |   nh->last_seen = nh->first_seen = get_unix_time(); | ||
|  | 
 | ||
|  |   nh->last_up_min     = -1; | ||
|  |   nh->last_class_id   = -1; | ||
|  |   nh->last_name_id    = -1; | ||
|  |   nh->http_name_id    = -1; | ||
|  |   nh->distance        = -1; | ||
|  | 
 | ||
|  |   host_cnt++; | ||
|  | 
 | ||
|  |   return nh; | ||
|  | 
 | ||
|  | } | ||
|  | 
 | ||
|  | 
 | ||
|  | /* Touch host data to make it more recent. */ | ||
|  | 
 | ||
|  | static void touch_host(struct host_data* h) { | ||
|  | 
 | ||
|  |   CP(h); | ||
|  | 
 | ||
|  |   DEBUG("[#] Refreshing host data: %s\n", addr_to_str(h->addr, h->ip_ver)); | ||
|  | 
 | ||
|  |   if (h != CP(newest_host)) { | ||
|  | 
 | ||
|  |     /* Remove from the the by-age linked list. */ | ||
|  | 
 | ||
|  |     CP(h->newer); | ||
|  |     h->newer->older = h->older; | ||
|  | 
 | ||
|  |     if (CP(h->older)) h->older->newer = h->newer; | ||
|  |     else host_by_age = h->newer;  | ||
|  | 
 | ||
|  |     /* Re-insert in front. */ | ||
|  | 
 | ||
|  |     newest_host->newer = h; | ||
|  |     h->older = newest_host; | ||
|  |     h->newer = NULL; | ||
|  | 
 | ||
|  |     newest_host = h; | ||
|  | 
 | ||
|  |     /* This wasn't the only entry on the list, so there is no
 | ||
|  |        need to update the tail (host_by_age). */ | ||
|  | 
 | ||
|  |   } | ||
|  | 
 | ||
|  |   /* Update last seen time. */ | ||
|  | 
 | ||
|  |   h->last_seen = get_unix_time(); | ||
|  | 
 | ||
|  | } | ||
|  | 
 | ||
|  | 
 | ||
|  | 
 | ||
|  | /* Destroy a flow. */ | ||
|  | 
 | ||
|  | static void destroy_flow(struct packet_flow* f) { | ||
|  | 
 | ||
|  |   CP(f); | ||
|  |   CP(f->client); | ||
|  |   CP(f->server); | ||
|  | 
 | ||
|  |   DEBUG("[#] Destroying flow: %s/%u -> ", | ||
|  |         addr_to_str(f->client->addr, f->client->ip_ver), f->cli_port); | ||
|  | 
 | ||
|  |   DEBUG("%s/%u (bucket %u)\n", | ||
|  |         addr_to_str(f->server->addr, f->server->ip_ver), f->srv_port, | ||
|  |         f->bucket); | ||
|  | 
 | ||
|  |   /* Remove it from the bucketed linked list. */ | ||
|  | 
 | ||
|  |   if (CP(f->next)) f->next->prev = f->prev; | ||
|  |    | ||
|  |   if (CP(f->prev)) f->prev->next = f->next; | ||
|  |   else { CP(flow_b[f->bucket]); flow_b[f->bucket] = f->next; } | ||
|  | 
 | ||
|  |   /* Remove from the by-age linked list. */ | ||
|  | 
 | ||
|  |   if (CP(f->newer)) f->newer->older = f->older; | ||
|  |   else { CP(newest_flow); newest_flow = f->older; } | ||
|  | 
 | ||
|  |   if (CP(f->older)) f->older->newer = f->newer; | ||
|  |   else flow_by_age = f->newer;  | ||
|  | 
 | ||
|  |   /* Free memory, etc. */ | ||
|  | 
 | ||
|  |   f->client->use_cnt--; | ||
|  |   f->server->use_cnt--; | ||
|  | 
 | ||
|  |   free_sig_hdrs(&f->http_tmp); | ||
|  | 
 | ||
|  |   ck_free(f->request); | ||
|  |   ck_free(f->response); | ||
|  |   ck_free(f); | ||
|  | 
 | ||
|  |   flow_cnt--;   | ||
|  | 
 | ||
|  | } | ||
|  | 
 | ||
|  | 
 | ||
|  | /* Indiscriminately kill some of the oldest flows. */ | ||
|  | 
 | ||
|  | static void nuke_flows(u8 silent) { | ||
|  | 
 | ||
|  |   u32 kcnt = 1 + (flow_cnt * KILL_PERCENT / 100); | ||
|  | 
 | ||
|  |   if (silent) | ||
|  |     DEBUG("[#] Pruning connections - trying to delete %u...\n",kcnt); | ||
|  |   else if (!read_file) | ||
|  |     WARN("Too many tracked connections, deleting %u. " | ||
|  |          "Use -m to adjust.", kcnt); | ||
|  | 
 | ||
|  |   while (kcnt-- && flow_by_age) destroy_flow(flow_by_age); | ||
|  | 
 | ||
|  | } | ||
|  | 
 | ||
|  | 
 | ||
|  | 
 | ||
|  | /* Create flow, and host data if necessary. If counts exceeded, prune old. */ | ||
|  | 
 | ||
|  | static struct packet_flow* create_flow_from_syn(struct packet_data* pk) { | ||
|  | 
 | ||
|  |   u32 bucket = get_flow_bucket(pk); | ||
|  |   struct packet_flow* nf; | ||
|  | 
 | ||
|  |   if (flow_cnt > max_conn) nuke_flows(0); | ||
|  | 
 | ||
|  |   DEBUG("[#] Creating flow from SYN: %s/%u -> ", | ||
|  |         addr_to_str(pk->src, pk->ip_ver), pk->sport); | ||
|  | 
 | ||
|  |   DEBUG("%s/%u (bucket %u)\n", | ||
|  |         addr_to_str(pk->dst, pk->ip_ver), pk->dport, bucket); | ||
|  | 
 | ||
|  |   nf = ck_alloc(sizeof(struct packet_flow)); | ||
|  | 
 | ||
|  |   nf->client = lookup_host(pk->src, pk->ip_ver); | ||
|  | 
 | ||
|  |   if (nf->client) touch_host(nf->client); | ||
|  |   else nf->client = create_host(pk->src, pk->ip_ver); | ||
|  | 
 | ||
|  |   nf->server = lookup_host(pk->dst, pk->ip_ver); | ||
|  | 
 | ||
|  |   if (nf->server) touch_host(nf->server); | ||
|  |   else nf->server = create_host(pk->dst, pk->ip_ver); | ||
|  | 
 | ||
|  |   nf->client->use_cnt++; | ||
|  |   nf->server->use_cnt++; | ||
|  | 
 | ||
|  |   nf->client->total_conn++; | ||
|  |   nf->server->total_conn++; | ||
|  | 
 | ||
|  |   /* Insert into the bucketed linked list.*/ | ||
|  | 
 | ||
|  |   if (CP(flow_b[bucket])) { | ||
|  |     flow_b[bucket]->prev = nf; | ||
|  |     nf->next = flow_b[bucket]; | ||
|  |   } | ||
|  | 
 | ||
|  |   flow_b[bucket] = nf; | ||
|  | 
 | ||
|  |   /* Insert into the by-age linked list */ | ||
|  |   | ||
|  |   if (CP(newest_flow)) { | ||
|  |     newest_flow->newer = nf; | ||
|  |     nf->older = newest_flow; | ||
|  |   } else flow_by_age = nf; | ||
|  | 
 | ||
|  |   newest_flow = nf; | ||
|  | 
 | ||
|  |   /* Populate other data */ | ||
|  | 
 | ||
|  |   nf->cli_port = pk->sport; | ||
|  |   nf->srv_port = pk->dport; | ||
|  |   nf->bucket   = bucket; | ||
|  |   nf->created  = get_unix_time(); | ||
|  | 
 | ||
|  |   nf->next_cli_seq = pk->seq + 1; | ||
|  | 
 | ||
|  |   flow_cnt++; | ||
|  |   return nf; | ||
|  | 
 | ||
|  | } | ||
|  | 
 | ||
|  | 
 | ||
|  | /* Look up an existing flow. */ | ||
|  | 
 | ||
|  | static struct packet_flow* lookup_flow(struct packet_data* pk, u8* to_srv) { | ||
|  | 
 | ||
|  |   u32 bucket = get_flow_bucket(pk); | ||
|  |   struct packet_flow* f = flow_b[bucket]; | ||
|  | 
 | ||
|  |   while (CP(f)) { | ||
|  | 
 | ||
|  |     CP(f->client); | ||
|  |     CP(f->server); | ||
|  | 
 | ||
|  |     if (pk->ip_ver != f->client->ip_ver) goto lookup_next; | ||
|  | 
 | ||
|  |     if (pk->sport == f->cli_port && pk->dport == f->srv_port && | ||
|  |         !memcmp(pk->src, f->client->addr, (pk->ip_ver == IP_VER4) ? 4 : 16) && | ||
|  |         !memcmp(pk->dst, f->server->addr, (pk->ip_ver == IP_VER4) ? 4 : 16)) { | ||
|  | 
 | ||
|  |       *to_srv = 1; | ||
|  |       return f; | ||
|  | 
 | ||
|  |     } | ||
|  | 
 | ||
|  |     if (pk->dport == f->cli_port && pk->sport == f->srv_port && | ||
|  |         !memcmp(pk->dst, f->client->addr, (pk->ip_ver == IP_VER4) ? 4 : 16) && | ||
|  |         !memcmp(pk->src, f->server->addr, (pk->ip_ver == IP_VER4) ? 4 : 16)) { | ||
|  | 
 | ||
|  |       *to_srv = 0; | ||
|  |       return f; | ||
|  | 
 | ||
|  |     } | ||
|  | 
 | ||
|  | lookup_next: | ||
|  | 
 | ||
|  |     f = f->next; | ||
|  | 
 | ||
|  |   } | ||
|  | 
 | ||
|  |   return NULL; | ||
|  | 
 | ||
|  | } | ||
|  | 
 | ||
|  | 
 | ||
|  | /* Go through host and flow cache, expire outdated items. */ | ||
|  | 
 | ||
|  | static void expire_cache(void) { | ||
|  |   struct host_data* target; | ||
|  |   static u32 pt; | ||
|  | 
 | ||
|  |   u32 ct = get_unix_time(); | ||
|  | 
 | ||
|  |   if (ct == pt) return; | ||
|  |   pt = ct; | ||
|  | 
 | ||
|  |   DEBUG("[#] Cache expiration kicks in...\n"); | ||
|  | 
 | ||
|  |   while (CP(flow_by_age) && ct - flow_by_age->created > conn_max_age) | ||
|  |     destroy_flow(flow_by_age); | ||
|  | 
 | ||
|  |   target = host_by_age; | ||
|  | 
 | ||
|  |   while (CP(target) && ct - target->last_seen > host_idle_limit * 60) { | ||
|  |     struct host_data* newer = target->newer; | ||
|  |     if (!target->use_cnt) destroy_host(target); | ||
|  |     target = newer; | ||
|  |   } | ||
|  | 
 | ||
|  | } | ||
|  | 
 | ||
|  | 
 | ||
|  | /* Insert data from a packet into a flow, call handlers as appropriate. */ | ||
|  | 
 | ||
|  | static void flow_dispatch(struct packet_data* pk) { | ||
|  | 
 | ||
|  |   struct packet_flow* f; | ||
|  |   struct tcp_sig* tsig; | ||
|  |   u8 to_srv = 0; | ||
|  |   u8 need_more = 0; | ||
|  | 
 | ||
|  |   DEBUG("[#] Received TCP packet: %s/%u -> ", | ||
|  |         addr_to_str(pk->src, pk->ip_ver), pk->sport); | ||
|  | 
 | ||
|  |   DEBUG("%s/%u (type 0x%02x, pay_len = %u)\n", | ||
|  |         addr_to_str(pk->dst, pk->ip_ver), pk->dport, pk->tcp_type, | ||
|  |         pk->pay_len); | ||
|  |      | ||
|  |   f = lookup_flow(pk, &to_srv); | ||
|  | 
 | ||
|  |   switch (pk->tcp_type) { | ||
|  | 
 | ||
|  |     case TCP_SYN: | ||
|  | 
 | ||
|  |       if (f) { | ||
|  | 
 | ||
|  |         /* Perhaps just a simple dupe? */ | ||
|  |         if (to_srv && f->next_cli_seq - 1 == pk->seq) return; | ||
|  | 
 | ||
|  |         DEBUG("[#] New SYN for an existing flow, resetting.\n"); | ||
|  |         destroy_flow(f); | ||
|  | 
 | ||
|  |       } | ||
|  | 
 | ||
|  |       f = create_flow_from_syn(pk); | ||
|  | 
 | ||
|  |       tsig = fingerprint_tcp(1, pk, f); | ||
|  | 
 | ||
|  |       /* We don't want to do any further processing on generic non-OS
 | ||
|  |          signatures (e.g. NMap). The easiest way to guarantee that is to  | ||
|  |          kill the flow. */ | ||
|  | 
 | ||
|  |       if (!tsig && !f->sendsyn) { | ||
|  | 
 | ||
|  |         destroy_flow(f); | ||
|  |         return; | ||
|  | 
 | ||
|  |       } | ||
|  | 
 | ||
|  |       fingerprint_mtu(1, pk, f); | ||
|  |       check_ts_tcp(1, pk, f); | ||
|  | 
 | ||
|  |       if (tsig) { | ||
|  | 
 | ||
|  |         /* This can't be done in fingerprint_tcp because check_ts_tcp()
 | ||
|  |            depends on having original SYN / SYN+ACK data. */ | ||
|  |   | ||
|  |         ck_free(f->client->last_syn); | ||
|  |         f->client->last_syn = tsig; | ||
|  | 
 | ||
|  |       } | ||
|  | 
 | ||
|  |       break; | ||
|  | 
 | ||
|  |     case TCP_SYN | TCP_ACK: | ||
|  | 
 | ||
|  |       if (!f) { | ||
|  | 
 | ||
|  |         DEBUG("[#] Stray SYN+ACK with no flow.\n"); | ||
|  |         return; | ||
|  | 
 | ||
|  |       } | ||
|  | 
 | ||
|  |       /* This is about as far as we want to go with p0f-sendsyn. */ | ||
|  | 
 | ||
|  |       if (f->sendsyn) { | ||
|  | 
 | ||
|  |         fingerprint_tcp(0, pk, f); | ||
|  |         destroy_flow(f); | ||
|  |         return; | ||
|  | 
 | ||
|  |       } | ||
|  | 
 | ||
|  | 
 | ||
|  |       if (to_srv) { | ||
|  | 
 | ||
|  |         DEBUG("[#] SYN+ACK from client to server, trippy.\n"); | ||
|  |         return; | ||
|  | 
 | ||
|  |       } | ||
|  | 
 | ||
|  |       if (f->acked) { | ||
|  | 
 | ||
|  |         if (f->next_srv_seq - 1 != pk->seq) | ||
|  |           DEBUG("[#] Repeated but non-identical SYN+ACK (0x%08x != 0x%08x).\n", | ||
|  |                 f->next_srv_seq - 1, pk->seq); | ||
|  | 
 | ||
|  |         return; | ||
|  | 
 | ||
|  |       } | ||
|  | 
 | ||
|  |       f->acked = 1; | ||
|  | 
 | ||
|  |       tsig = fingerprint_tcp(0, pk, f); | ||
|  | 
 | ||
|  |       /* SYN from real OS, SYN+ACK from a client stack. Weird, but whatever. */ | ||
|  | 
 | ||
|  |       if (!tsig) { | ||
|  | 
 | ||
|  |         destroy_flow(f); | ||
|  |         return; | ||
|  | 
 | ||
|  |       } | ||
|  | 
 | ||
|  |       fingerprint_mtu(0, pk, f); | ||
|  |       check_ts_tcp(0, pk, f); | ||
|  | 
 | ||
|  |       ck_free(f->server->last_synack); | ||
|  |       f->server->last_synack = tsig; | ||
|  | 
 | ||
|  |       f->next_srv_seq = pk->seq + 1; | ||
|  | 
 | ||
|  |       break; | ||
|  | 
 | ||
|  |     case TCP_RST | TCP_ACK: | ||
|  |     case TCP_RST: | ||
|  |     case TCP_FIN | TCP_ACK: | ||
|  |     case TCP_FIN: | ||
|  | 
 | ||
|  |        if (f) { | ||
|  | 
 | ||
|  |          check_ts_tcp(to_srv, pk, f); | ||
|  |          destroy_flow(f); | ||
|  | 
 | ||
|  |        } | ||
|  | 
 | ||
|  |        break; | ||
|  | 
 | ||
|  |     case TCP_ACK: | ||
|  | 
 | ||
|  |       if (!f) return; | ||
|  | 
 | ||
|  |       /* Stop there, you criminal scum! */ | ||
|  | 
 | ||
|  |       if (f->sendsyn) { | ||
|  |         destroy_flow(f); | ||
|  |         return; | ||
|  |       } | ||
|  | 
 | ||
|  |       if (!f->acked) { | ||
|  | 
 | ||
|  |         DEBUG("[#] Never received SYN+ACK to complete handshake, huh.\n"); | ||
|  |         destroy_flow(f); | ||
|  |         return; | ||
|  | 
 | ||
|  |       } | ||
|  | 
 | ||
|  |       if (to_srv) { | ||
|  | 
 | ||
|  |         /* We don't do stream reassembly, so if something arrives out of order,
 | ||
|  |            we won't catch it. Oh well. */ | ||
|  | 
 | ||
|  |         if (f->next_cli_seq != pk->seq) { | ||
|  | 
 | ||
|  |           /* Not a simple dupe? */ | ||
|  | 
 | ||
|  |           if (f->next_cli_seq - pk->pay_len != pk->seq) | ||
|  |             DEBUG("[#] Expected client seq 0x%08x, got 0x%08x.\n", f->next_cli_seq, pk->seq); | ||
|  |   | ||
|  |           return; | ||
|  |         } | ||
|  | 
 | ||
|  |         /* Append data */ | ||
|  | 
 | ||
|  |         if (f->req_len < MAX_FLOW_DATA && pk->pay_len) { | ||
|  | 
 | ||
|  |           u32 read_amt = MIN(pk->pay_len, MAX_FLOW_DATA - f->req_len); | ||
|  | 
 | ||
|  |           f->request = ck_realloc_kb(f->request, f->req_len + read_amt + 1); | ||
|  |           memcpy(f->request + f->req_len, pk->payload, read_amt); | ||
|  |           f->req_len += read_amt; | ||
|  | 
 | ||
|  |         } | ||
|  | 
 | ||
|  |         check_ts_tcp(1, pk, f); | ||
|  | 
 | ||
|  |         f->next_cli_seq += pk->pay_len; | ||
|  | 
 | ||
|  |       } else { | ||
|  | 
 | ||
|  |         if (f->next_srv_seq != pk->seq) { | ||
|  | 
 | ||
|  |           /* Not a simple dupe? */ | ||
|  | 
 | ||
|  |           if (f->next_srv_seq - pk->pay_len != pk->seq) | ||
|  |             DEBUG("[#] Expected server seq 0x%08x, got 0x%08x.\n", | ||
|  |                   f->next_cli_seq, pk->seq); | ||
|  |   | ||
|  |           return; | ||
|  | 
 | ||
|  |         } | ||
|  | 
 | ||
|  |         /* Append data */ | ||
|  | 
 | ||
|  |         if (f->resp_len < MAX_FLOW_DATA && pk->pay_len) { | ||
|  | 
 | ||
|  |           u32 read_amt = MIN(pk->pay_len, MAX_FLOW_DATA - f->resp_len); | ||
|  | 
 | ||
|  |           f->response = ck_realloc_kb(f->response, f->resp_len + read_amt + 1); | ||
|  |           memcpy(f->response + f->resp_len, pk->payload, read_amt); | ||
|  |           f->resp_len += read_amt; | ||
|  | 
 | ||
|  |         } | ||
|  | 
 | ||
|  |         check_ts_tcp(0, pk, f); | ||
|  | 
 | ||
|  |         f->next_srv_seq += pk->pay_len; | ||
|  | 
 | ||
|  |       } | ||
|  | 
 | ||
|  |       if (!pk->pay_len) return; | ||
|  | 
 | ||
|  |       need_more |= process_http(to_srv, f); | ||
|  | 
 | ||
|  |       if (!need_more) { | ||
|  | 
 | ||
|  |         DEBUG("[#] All modules done, no need to keep tracking flow.\n"); | ||
|  |         destroy_flow(f); | ||
|  | 
 | ||
|  |       } else if (f->req_len >= MAX_FLOW_DATA && f->resp_len >= MAX_FLOW_DATA) { | ||
|  | 
 | ||
|  |         DEBUG("[#] Per-flow capture size limit exceeded.\n"); | ||
|  |         destroy_flow(f); | ||
|  | 
 | ||
|  |       } | ||
|  | 
 | ||
|  |       break; | ||
|  | 
 | ||
|  |     default: | ||
|  | 
 | ||
|  |       WARN("Huh. Unexpected packet type 0x%02x in flow_dispatch().", pk->tcp_type); | ||
|  | 
 | ||
|  |   } | ||
|  | 
 | ||
|  | } | ||
|  | 
 | ||
|  | 
 | ||
|  | /* Add NAT score, check if alarm due. */ | ||
|  | 
 | ||
|  | void add_nat_score(u8 to_srv, struct packet_flow* f, u16 reason, u8 score) { | ||
|  | 
 | ||
|  |   static u8 rea[1024]; | ||
|  | 
 | ||
|  |   struct host_data* hd; | ||
|  |   u8 *scores, *rptr = rea; | ||
|  |   u32 i; | ||
|  |   u8  over_5 = 0, over_2 = 0, over_1 = 0, over_0 = 0; | ||
|  | 
 | ||
|  |   if (to_srv) { | ||
|  | 
 | ||
|  |     hd = f->client; | ||
|  |     scores = hd->cli_scores; | ||
|  | 
 | ||
|  |   } else { | ||
|  | 
 | ||
|  |     hd = f->server; | ||
|  |     scores = hd->srv_scores; | ||
|  | 
 | ||
|  |   } | ||
|  | 
 | ||
|  |   memmove(scores, scores + 1, NAT_SCORES - 1); | ||
|  |   scores[NAT_SCORES - 1] = score; | ||
|  |   hd->nat_reasons |= reason; | ||
|  | 
 | ||
|  |   if (!score) return; | ||
|  | 
 | ||
|  |   for (i = 0; i < NAT_SCORES; i++) switch (scores[i]) { | ||
|  |     case 6 ... 255: over_5++; | ||
|  |     case 3 ... 5:   over_2++; | ||
|  |     case 2:         over_1++; | ||
|  |     case 1:         over_0++; | ||
|  |   } | ||
|  | 
 | ||
|  |   if (over_5 > 2 || over_2 > 4 || over_1 > 6 || over_0 > 8) { | ||
|  | 
 | ||
|  |     start_observation("ip sharing", 2, to_srv, f); | ||
|  | 
 | ||
|  |     reason = hd->nat_reasons; | ||
|  | 
 | ||
|  |     hd->last_nat = get_unix_time(); | ||
|  | 
 | ||
|  |     memset(scores, 0, NAT_SCORES); | ||
|  |     hd->nat_reasons = 0; | ||
|  | 
 | ||
|  |   } else { | ||
|  | 
 | ||
|  |     /* Wait for something more substantial. */ | ||
|  |     if (score == 1) return; | ||
|  | 
 | ||
|  |     start_observation("host change", 2, to_srv, f); | ||
|  | 
 | ||
|  |     hd->last_chg = get_unix_time(); | ||
|  | 
 | ||
|  |   } | ||
|  | 
 | ||
|  |   *rptr = 0; | ||
|  | 
 | ||
|  | #define REAF(_par...) do { \
 | ||
|  |     rptr += sprintf((char*)rptr, _par); \ | ||
|  |   } while (0)  | ||
|  | 
 | ||
|  |   if (reason & NAT_APP_SIG)  REAF(" app_vs_os"); | ||
|  |   if (reason & NAT_OS_SIG)   REAF(" os_diff"); | ||
|  |   if (reason & NAT_UNK_DIFF) REAF(" sig_diff"); | ||
|  |   if (reason & NAT_TO_UNK)   REAF(" x_known"); | ||
|  |   if (reason & NAT_TS)       REAF(" tstamp"); | ||
|  |   if (reason & NAT_TTL)      REAF(" ttl"); | ||
|  |   if (reason & NAT_PORT)     REAF(" port"); | ||
|  |   if (reason & NAT_MSS)      REAF(" mtu"); | ||
|  |   if (reason & NAT_FUZZY)    REAF(" fuzzy"); | ||
|  | 
 | ||
|  |   if (reason & NAT_APP_VIA)  REAF(" via"); | ||
|  |   if (reason & NAT_APP_DATE) REAF(" date"); | ||
|  |   if (reason & NAT_APP_LB)   REAF(" srv_sig_lb"); | ||
|  |   if (reason & NAT_APP_UA)   REAF(" ua_vs_os"); | ||
|  | 
 | ||
|  | #undef REAF
 | ||
|  | 
 | ||
|  |   add_observation_field("reason", rea[0] ? (rea + 1) : NULL); | ||
|  | 
 | ||
|  |   OBSERVF("raw_hits", "%u,%u,%u,%u", over_5, over_2, over_1, over_0); | ||
|  | 
 | ||
|  | } | ||
|  | 
 | ||
|  | 
 | ||
|  | /* Verify if tool class (called from modules). */ | ||
|  | 
 | ||
|  | void verify_tool_class(u8 to_srv, struct packet_flow* f, u32* sys, u32 sys_cnt) { | ||
|  | 
 | ||
|  |   struct host_data* hd; | ||
|  |   u32 i; | ||
|  | 
 | ||
|  |   if (to_srv) hd = f->client; else hd = f->server; | ||
|  | 
 | ||
|  |   CP(sys); | ||
|  | 
 | ||
|  |   /* No existing data; although there is perhaps some value in detecting
 | ||
|  |      app-only conflicts in absence of other info, it's probably OK to just | ||
|  |      wait until more data becomes available. */ | ||
|  | 
 | ||
|  |   if (hd->last_class_id == -1) return; | ||
|  | 
 | ||
|  |   for (i = 0; i < sys_cnt; i++) | ||
|  | 
 | ||
|  |     if ((sys[i] & SYS_CLASS_FLAG)) { | ||
|  | 
 | ||
|  |       if (SYS_NF(sys[i]) == hd->last_class_id) break; | ||
|  | 
 | ||
|  |     } else { | ||
|  | 
 | ||
|  |       if (SYS_NF(sys[i]) == hd->last_name_id) break; | ||
|  | 
 | ||
|  |     } | ||
|  | 
 | ||
|  |   /* Oops, a mismatch. */ | ||
|  | 
 | ||
|  |   if (i == sys_cnt) { | ||
|  | 
 | ||
|  |     DEBUG("[#] Detected app not supposed to run on host OS.\n"); | ||
|  |     add_nat_score(to_srv, f, NAT_APP_SIG, 4); | ||
|  | 
 | ||
|  |   } else { | ||
|  | 
 | ||
|  |     DEBUG("[#] Detected app supported on host OS.\n"); | ||
|  |     add_nat_score(to_srv, f, 0, 0); | ||
|  | 
 | ||
|  |   } | ||
|  | 
 | ||
|  | } | ||
|  | 
 | ||
|  | 
 | ||
|  | /* Clean up everything. */ | ||
|  | 
 | ||
|  | void destroy_all_hosts(void) { | ||
|  | 
 | ||
|  |   while (flow_by_age) destroy_flow(flow_by_age); | ||
|  |   while (host_by_age) destroy_host(host_by_age); | ||
|  | 
 | ||
|  | } |