/*
** Copyright (C) 2009 Redpill Linpro, AS.
** Copyright (C) 2009 Edward Fjellskål <edward.fjellskaal@redpill-linpro.com>
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation. You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/
21 #include "../prads.h"
22 #include "../sys_func.h"
23 #include "../assets.h"
24 #include "servicefp.h"
/* Defined in another translation unit. In this file it is passed in the
 * service position of update_asset_service() when no signature matched and
 * the service is only guessed from the source port. */
extern bstring UNKNOWN;
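/**
 * Fingerprint the service behind an IPv4/TCP payload.
 *
 * Each signature in the sig_serv_tcp list is run against the leading bytes of
 * pi->payload. On the first match the result is recorded with
 * update_asset_service() and CXT_SERVICE_DONT_CHECK is set on pi->cxt->check.
 * If nothing matches and ISSET_SERVICE_UNKNOWN(pi) is false, the source port
 * is looked up with check_known_port(); a hit is recorded with UNKNOWN in the
 * service position and CXT_SERVICE_UNKNOWN_SET is set.
 *
 * @param pi            packet being inspected; pi->payload is captured network
 *                      data and has to be treated as untrusted input
 * @param sig_serv_tcp  head of the signature list; NULL means no signatures
 */
void service_tcp4(packetinfo *pi, signature* sig_serv_tcp)
{
    int rc;                     /* PCRE */
    int ovector[15];
    const int ovecsize = (int)(sizeof ovector / sizeof ovector[0]);
    int tmplen;
    signature *tmpsig;
    bstring app, service_name;

    if (pi->plen < PAYLOAD_MIN) {
        return;                 // if almost no payload - skip
    }

    /* should make a config.tcp_server_flowdept etc
     * a range between 500-1000 should be good?
     *
     * The cap also bounds how much sender-controlled data every regex in the
     * list is run over.
     */
    tmplen = (pi->plen > 600) ? 600 : pi->plen;

    for (tmpsig = sig_serv_tcp; tmpsig != NULL; tmpsig = tmpsig->next) {
        rc = pcre_exec(tmpsig->regex, tmpsig->study,
                       (const char *)pi->payload, tmplen, 0, 0,
                       ovector, ovecsize);

        /*
         * Any negative rc means "try the next signature". That covers
         * PCRE_ERROR_NOMATCH as well as genuine errors such as
         * PCRE_ERROR_MATCHLIMIT.
         *
         * NOTE(review): the recovered listing carries the diagnostics below
         * without showing whether they were live or commented out. They are
         * kept disabled here, as in service_tcp6: a printf per signature per
         * packet lets traffic drive the sensor's output volume.
         *
         *   } else if (rc == PCRE_ERROR_NOMATCH) {
         *       printf("pcre nomatch \n");
         *   } else {
         *       printf("pcre error: %d \n", rc);
         *   }
         */
        if (rc < 0) {
            continue;
        }

        /*
         * pcre_exec() returns 0 when the pattern matched but ovector was too
         * small for every capture; it has then filled the first ovecsize/3
         * pairs. Report that many instead of zero.
         * NOTE(review): presumably get_app_name() reads rc as the number of
         * valid pairs - confirm against its definition.
         */
        if (rc == 0) {
            rc = ovecsize / 3;
        }

        app = get_app_name(tmpsig, pi->payload, ovector, rc);
        //printf("[*] - MATCH SERVICE IPv4/TCP: %s\n",(char *)bdata(app));
        update_asset_service(pi, tmpsig->service, app);
        pi->cxt->check |= CXT_SERVICE_DONT_CHECK;
        bdestroy(app);          /* released here once the asset is updated */
        return;
    }

    // Should have a flag set to resolve unknowns to default service
    if (ISSET_SERVICE_UNKNOWN(pi)) {
        return;
    }

    service_name = check_known_port(IP_PROTO_TCP, ntohs(pi->s_port));
    if (service_name == NULL) {
        return;
    }

    update_asset_service(pi, UNKNOWN, service_name);
    pi->cxt->check |= CXT_SERVICE_UNKNOWN_SET;
    bdestroy(service_name);
}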
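/**
 * Fingerprint the service behind an IPv6/TCP payload.
 *
 * Each signature in the sig_serv_tcp list is run against the leading bytes of
 * pi->payload. On the first match the result is recorded with
 * update_asset_service() and CXT_SERVICE_DONT_CHECK is set on pi->cxt->check.
 * If nothing matches and ISSET_SERVICE_UNKNOWN(pi) is false, the source port
 * is looked up with check_known_port(); a hit is recorded with UNKNOWN in the
 * service position and CXT_SERVICE_UNKNOWN_SET is set.
 *
 * @param pi            packet being inspected; pi->payload is captured network
 *                      data and has to be treated as untrusted input
 * @param sig_serv_tcp  head of the signature list; NULL means no signatures
 */
void service_tcp6(packetinfo *pi, signature* sig_serv_tcp)
{
    int rc;                     /* PCRE */
    int ovector[15];
    const int ovecsize = (int)(sizeof ovector / sizeof ovector[0]);
    int tmplen;
    signature *tmpsig;
    bstring app, service_name;

    /* NOTE(review): service_tcp4 compares against PAYLOAD_MIN at this point;
     * confirm whether the literal 10 is meant to be the same threshold. */
    if (pi->plen < 10) {
        return;                 // if almost no payload - skip
    }

    /* should make a config.tcp_client_flowdept etc
     * a range between 500-1000 should be good!
     *
     * The cap also bounds how much sender-controlled data every regex in the
     * list is run over.
     */
    tmplen = (pi->plen > 600) ? 600 : pi->plen;

    for (tmpsig = sig_serv_tcp; tmpsig != NULL; tmpsig = tmpsig->next) {
        rc = pcre_exec(tmpsig->regex, tmpsig->study,
                       (const char *) pi->payload, tmplen, 0, 0,
                       ovector, ovecsize);

        /* Any negative rc (PCRE_ERROR_NOMATCH or a genuine error such as
         * PCRE_ERROR_MATCHLIMIT) means "try the next signature". */
        if (rc < 0) {
            continue;
        }

        /*
         * pcre_exec() returns 0 when the pattern matched but ovector was too
         * small for every capture; it has then filled the first ovecsize/3
         * pairs. Report that many instead of zero.
         * NOTE(review): presumably get_app_name() reads rc as the number of
         * valid pairs - confirm against its definition.
         */
        if (rc == 0) {
            rc = ovecsize / 3;
        }

        app = get_app_name(tmpsig, pi->payload, ovector, rc);
        //printf("[*] - MATCH SERVICE IPv6/TCP: %s\n",(char *)bdata(app));
        update_asset_service(pi, tmpsig->service, app);
        pi->cxt->check |= CXT_SERVICE_DONT_CHECK;
        bdestroy(app);          /* released here once the asset is updated */
        return;
    }

    // Should have a flag set to resolve unknowns to default service
    if (ISSET_SERVICE_UNKNOWN(pi)) {
        return;
    }

    service_name = check_known_port(IP_PROTO_TCP, ntohs(pi->s_port));
    if (service_name == NULL) {
        return;
    }

    update_asset_service(pi, UNKNOWN, service_name);
    pi->cxt->check |= CXT_SERVICE_UNKNOWN_SET;
    bdestroy(service_name);
}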