search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Reformat README to use Markdown
[prads.git] / src / servicefp / udps.c
blobfc2944771c6a4240997f2a38d2804e2dc566850f
1 /*
2 ** Copyright (C) 2009 Redpill Linpro, AS.
3 ** Copyright (C) 2009 Edward Fjellskål <edward.fjellskaal@redpill-linpro.com>
4 **
5 ** This program is free software; you can redistribute it and/or modify
6 ** it under the terms of the GNU General Public License Version 2 as
7 ** published by the Free Software Foundation. You may not use, modify or
8 ** distribute this program under any other version of the GNU General
9 ** Public License.
10 **
11 ** This program is distributed in the hope that it will be useful,
12 ** but WITHOUT ANY WARRANTY; without even the implied warranty of
13 ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 ** GNU General Public License for more details.
15 **
16 ** You should have received a copy of the GNU General Public License
17 ** along with this program; if not, write to the Free Software
18 ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
19 */
20
21 #include "../prads.h"
22 #include "../assets.h"
23 #include "../cxt.h"
24 #include "servicefp.h"
25
26 extern bstring UNKNOWN;
27
28 void service_udp4(packetinfo *pi, signature* sig_serv_udp)
29 {
30 int rc; /* PCRE */
31 int ovector[15];
32 signature *tmpsig;
33 bstring app, service_name;
34 app = service_name = NULL;
35
36 if (pi->plen < 5 ) return;
37 /* should make a config.tcp_client_flowdept etc
38 * a range between 500-1000 should be good!
39 */
40 tmpsig = sig_serv_udp;
41 while (tmpsig != NULL) {
42 rc = pcre_exec(tmpsig->regex, tmpsig->study, (const char*) pi->payload, pi->plen, 0, 0,
43 ovector, 15);
44 if (rc != -1) {
45 app = get_app_name(tmpsig, pi->payload, ovector, rc);
46 //printf("[*] - MATCH SERVICE IPv4/UDP: %s\n",(char *)bdata(app));
47 update_asset_service(pi, tmpsig->service, app);
48 pi->cxt->check |= CXT_SERVICE_DONT_CHECK;
49 bdestroy(app);
50 return;
51 }
52 tmpsig = tmpsig->next;
53 }
54
55 /*
56 * If no sig is found/mached, use default port to determin.
57 */
58 if (pi->sc == SC_CLIENT && !ISSET_CLIENT_UNKNOWN(pi)) {
59 if ((service_name = (bstring) check_known_port(IP_PROTO_UDP,ntohs(pi->d_port))) !=NULL ) {
60 update_asset_service(pi, UNKNOWN, service_name);
61 pi->cxt->check |= CXT_CLIENT_UNKNOWN_SET;
62 bdestroy(service_name);
63 } else if ((service_name = (bstring) check_known_port(IP_PROTO_UDP,ntohs(pi->s_port))) !=NULL ) {
64 reverse_pi_cxt(pi);
65 pi->d_port = pi->udph->src_port;
66 update_asset_service(pi, UNKNOWN, service_name);
67 pi->d_port = pi->udph->dst_port;
68 pi->cxt->check |= CXT_CLIENT_UNKNOWN_SET;
69 bdestroy(service_name);
70 }
71 } else if (pi->sc == SC_SERVER && !ISSET_SERVICE_UNKNOWN(pi)) {
72 if ((service_name = (bstring) check_known_port(IP_PROTO_UDP,ntohs(pi->s_port))) !=NULL ) {
73 update_asset_service(pi, UNKNOWN, service_name);
74 pi->cxt->check |= CXT_SERVICE_UNKNOWN_SET;
75 bdestroy(service_name);
76 } else if ((service_name = (bstring) check_known_port(IP_PROTO_UDP,ntohs(pi->d_port))) !=NULL ) {
77 reverse_pi_cxt(pi);
78 update_asset_service(pi, UNKNOWN, service_name);
79 pi->cxt->check |= CXT_SERVICE_UNKNOWN_SET;
80 bdestroy(service_name);
81 }
82 }
83 }
84
85 void service_udp6(packetinfo *pi, signature* sig_serv_udp)
86 {
87 int rc; /* PCRE */
88 int ovector[15];
89 int tmplen;
90 signature *tmpsig;
91 bstring app,service_name;
92
93 if (pi->plen < 5) return;
94 /* should make a config.tcp_client_flowdept etc
95 * a range between 500-1000 should be good!
96 */
97 if (pi->plen > 600) tmplen = 600;
98 else tmplen = pi->plen;
99
100 tmpsig = sig_serv_udp;
101 while (tmpsig != NULL) {
102 rc = pcre_exec(tmpsig->regex, tmpsig->study, (const char *) pi->payload, tmplen, 0, 0,
103 ovector, 15);
104 if (rc != -1) {
105 app = get_app_name(tmpsig, pi->payload, ovector, rc);
106 //printf("[*] - MATCH SERVICE IPv6/UDP: %s\n",(char *)bdata(app));
107 update_asset_service(pi, tmpsig->service, app);
108 pi->cxt->check |= CXT_SERVICE_DONT_CHECK;
109 bdestroy(app);
110 return;
111 }
112 tmpsig = tmpsig->next;
113 }
114 if (pi->sc == SC_CLIENT && !ISSET_CLIENT_UNKNOWN(pi)) {
115 if ((service_name = (bstring) check_known_port(IP_PROTO_UDP,ntohs(pi->d_port))) !=NULL ) {
116 update_asset_service(pi, UNKNOWN, service_name);
117 pi->cxt->check |= CXT_CLIENT_UNKNOWN_SET;
118 bdestroy(service_name);
119 } else if ((service_name = (bstring) check_known_port(IP_PROTO_UDP,ntohs(pi->s_port))) !=NULL ) {
120 reverse_pi_cxt(pi);
121 pi->d_port = pi->udph->src_port;
122 update_asset_service(pi, UNKNOWN, service_name);
123 pi->d_port = pi->udph->dst_port;
124 pi->cxt->check |= CXT_CLIENT_UNKNOWN_SET;
125 bdestroy(service_name);
126 }
127 } else if (pi->sc == SC_SERVER && !ISSET_SERVICE_UNKNOWN(pi)) {
128 if ((service_name = (bstring) check_known_port(IP_PROTO_UDP,ntohs(pi->s_port))) !=NULL ) {
129 update_asset_service(pi, UNKNOWN, service_name);
130 pi->cxt->check |= CXT_SERVICE_UNKNOWN_SET;
131 bdestroy(service_name);
132 } else if ((service_name = (bstring) check_known_port(IP_PROTO_UDP,ntohs(pi->d_port))) !=NULL ) {
133 reverse_pi_cxt(pi);
134 update_asset_service(pi, UNKNOWN, service_name);
135 pi->cxt->check |= CXT_SERVICE_UNKNOWN_SET;
136 bdestroy(service_name);
137 }
138 }
139 }
PRADS is a Passive Real-time Asset Detection System. It passively listen to network traffic and gathers information on hosts and services it sees on the network.