1 /*
2 ** This file is a part of PRADS.
3 **
4 ** Copyright (C) 2009, Redpill Linpro
5 ** Copyright (C) 2009, Edward Fjellskål <edward.fjellskaal@redpill-linpro.com>
6 ** Copyright (C) 2009, Kacper Wysocki <kacper.wysocki@redpill-linpro.com>
7 **
8 ** This program is free software; you can redistribute it and/or modify
9 ** it under the terms of the GNU General Public License as published by
10 ** the Free Software Foundation; either version 2 of the License, or
11 ** (at your option) any later version.
13 ** This program is distributed in the hope that it will be useful,
14 ** but WITHOUT ANY WARRANTY; without even the implied warranty of
15 ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 ** GNU General Public License for more details.
18 ** You should have received a copy of the GNU General Public License
19 ** along with this program; if not, write to the Free Software
20 ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
24 /* I N C L U D E S **********************************************************/
25 #ifndef PRADS_H
26 #define PRADS_H
27 #include "common.h"
28 #include "bstrlib.h"
29 #include <netinet/in.h>
30 #include <pcre.h>
32 /* D E F I N E S ************************************************************/
#ifndef RELEASE
#define RELEASE /* empty unless the build supplies a suffix; presumably a string literal -- confirm in the build files */
#endif
#define VERSION "0.3.3"RELEASE /* RELEASE is appended by adjacent string-literal concatenation */
#define SIG_ALRM 60 /* Time between cxt and asset cleaning/printing */
#define TCP_TIMEOUT 300 /* When idle IP connections should be timed out */
#define ASSET_TIMEOUT 86400 /* Time before an asset is deleted if no updates */
#define BUCKET_SIZE 31337 /* presumably a hash table size -- confirm against the allocator */
#define SNAPLENGTH 1604 /* pcap snapshot length: bytes captured per packet */
#define MAX_BYTE_CHECK 500000 /* byte budget per connection before checking stops -- presumably; confirm in the cxt code */
#define MAX_PKT_CHECK 10 /* packet budget per connection before checking stops -- presumably; confirm in the cxt code */
#define MAX_SERVICE_CHECK 200 /* How many new services we see before we register */
46 /* Flags to identify ASSET TYPE */
#define ASSET_ARP 0x01 /* asset learned from ARP (note the missing _TYPE_ in this name, unlike the next two) */
#define ASSET_TYPE_OS 0x02 /* asset has an OS fingerprint */
#define ASSET_TYPE_SERVICE 0x04 /* asset has a service/client entry */

/* Ethernet type values, written as host-order constants; the on-wire
 * big-endian field presumably goes through ntohs() before comparison. */
#define ETHERNET_TYPE_IP 0x0800
#define ETHERNET_TYPE_ARP 0x0806
#define ETHERNET_TYPE_IPV6 0x86dd
#define ETHERNET_TYPE_8021Q 0x8100
#define ETHERNET_TYPE_802Q1MT 0x9100
#define ETHERNET_TYPE_802Q1MT2 0x9200
#define ETHERNET_TYPE_802Q1MT3 0x9300
#define ETHERNET_TYPE_8021AD 0x88a8

/* ARP opcodes (arphdr.ar_op) */
#define ARPOP_REQUEST 1 /* ARP request. */
#define ARPOP_REPLY 2 /* ARP reply. */
#define ARPOP_RREQUEST 3 /* RARP request. */
#define ARPOP_RREPLY 4 /* RARP reply. */
#define ARPOP_InREQUEST 8 /* InARP request. */
#define ARPOP_InREPLY 9 /* InARP reply. */
#define ARPOP_NAK 10 /* (ATM)ARP NAK. */

/* IPv4 protocol numbers and IPv6 next-header values (shared numbering space) */
#define IP_PROTO_ICMP 1
#define IP_PROTO_TCP 6
#define IP_PROTO_UDP 17
#define IP_PROTO_IP6 41 /* IPv6 encapsulated in IPv4 */
#define IP_PROTO_GRE 47
#define IP_PROTO_IP4 94 /* IP-within-IP encapsulation */
#define IP6_PROTO_HOPOPT 0 /* hop-by-hop options extension header */
#define IP6_PROTO_ROUTE 43 /* routing extension header */
#define IP6_PROTO_FRAG 44 /* fragment extension header */
#define IP6_PROTO_ICMP 58 /* ICMPv6 */
#define IP6_PROTO_NONXT 59 /* no next header */
#define MAX_IP_PROTO 255 /* largest 8-bit protocol number */
#define MAX_PORTS 65536 /* number of distinct 16-bit port values */
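/* GRE constants; lengths are in bytes */
#define GRE_VERSION_0 0x0000
#define GRE_VERSION_1 0x0001
#define GRE_HDR_LEN 4 /* fixed part: 2 bytes flags/version + 2 bytes protocol type (see gre_header) */
#define GREV1_ACK_LEN 4 /* optional acknowledgement number (version 1) */
#define GREV1_HDR_LEN 8 /* fixed part of a version-1 header */
#define GRE_CHKSUM_LEN 2 /* optional fields, present according to the flag bits */
#define GRE_OFFSET_LEN 2
#define GRE_KEY_LEN 4
#define GRE_SEQ_LEN 4
#define GRE_SRE_HDR_LEN 4 /* fixed part of a source-route entry (see gre_sre_header) */
#define GRE_PROTO_PPP 0x880b

/* Fixed header lengths in bytes, not counting options */
#define IP4_HEADER_LEN 20
#define IP6_HEADER_LEN 40
#define TCP_HEADER_LEN 20
#define UDP_HEADER_LEN 8
#define ICMP_HEADER_LEN 4
/* GRE_HDR_LEN used to be defined a second time here with the same value;
 * the single definition above is the one that applies. */
#define MAC_ADDR_LEN 6
#define ETHERNET_HEADER_LEN 14
#define ETHERNET_8021Q_HEADER_LEN 18 /* ETHERNET_HEADER_LEN + one 4-byte 802.1Q tag */
#define ETHERNET_802Q1MT_HEADER_LEN 22 /* ETHERNET_HEADER_LEN + two stacked 4-byte tags */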
/* TCP flag bits as laid out in tcp_header.t_flags */
#define TF_FIN 0x01
#define TF_SYN 0x02
#define TF_RST 0x04
#define TF_PUSH 0x08
#define TF_ACK 0x10
#define TF_URG 0x20
#define TF_ECE 0x40
#define TF_CWR 0x80
#define TF_SYNACK 0x12 /* TF_SYN|TF_ACK as one value; dont use for ip flag check :) */
#define TF_NORESERVED (TF_FIN|TF_SYN|TF_RST|TF_PUSH|TF_ACK|TF_URG) /* the six original flags, i.e. everything except ECE/CWR */
#define TF_FLAGS (TF_FIN|TF_SYN|TF_RST|TF_ACK|TF_URG|TF_ECE|TF_CWR) /* NOTE(review): TF_PUSH is absent from this mask -- presumably deliberate; confirm with the users of TF_FLAGS */

/* Modulus kinds for fingerprint fields (fp_entry.wsize_mod, wsc_mod, mss_mod) */
#define MOD_NONE 0
#define MOD_CONST 1
#define MOD_MSS 2
#define MOD_MTU 3
/* Fingerprint quirk bits (fp_entry.quirks).  The character in each comment
 * is the single-letter code used for the quirk in the signature file; the
 * letters appear to follow p0f's notation -- confirm against the parser. */
#define QUIRK_PAST 0x00000001 /* P */
#define QUIRK_ZEROID 0x00000002 /* Z */
#define QUIRK_IPOPT 0x00000004 /* I */
#define QUIRK_URG 0x00000008 /* U */
#define QUIRK_X2 0x00000010 /* X */
#define QUIRK_ACK 0x00000020 /* A */
#define QUIRK_T2 0x00000040 /* T */
#define QUIRK_FLAGS 0x00000080 /* F */
#define QUIRK_DATA 0x00000100 /* D */
#define QUIRK_BROKEN 0x00000200 /* ! */
#define QUIRK_RSTACK 0x00000400 /* K */
#define QUIRK_SEQEQ 0x00000800 /* Q */
#define QUIRK_SEQ0 0x00001000 /* 0 */

#define QUIRK_FINACK 0x00002000 /* N */
#define QUIRK_FLOWL 0x00004000 /* L */
138 /* Some systems really like to put lots of NOPs there */
#define MAXOPT 16 /* Maximum number of TCP packet options to parse; also sizes the opt[] arrays of fp_entry and dhcp_fp_entry */

/* The meaning of wildcard is, however, hardcoded as 'size > PACKET_BIG' */
#define PACKET_BIG 100 /* Size limit for size wildcards */

/* TCP option kinds (first byte of each option) */
#define TCPOPT_EOL 0 /* End of options */
#define TCPOPT_NOP 1 /* Nothing */
#define TCPOPT_MAXSEG 2 /* MSS */
#define TCPOPT_WSCALE 3 /* Window scaling */
#define TCPOPT_SACKOK 4 /* Selective ACK permitted */
#define TCPOPT_TIMESTAMP 8 /* Stamp out timestamping! */
/* various transparent proxy detection fields: option kinds that are
 * not standard TCP options but are inserted by the named middleboxes */
#define TCPOPT_PROXBLUECOAT 0xFD
#define TCPOPT_PROXCISCO 0x21
#define TCPOPT_PROXRIVERBED1 0x4C
#define TCPOPT_PROXRIVERBED2 0x4E
/* seen this before? (unidentified option kinds observed in the wild) */
#define TCPOPT_WTF1 0x32
#define TCPOPT_WTF2 0x1e
/* Generic return codes */
#define SUCCESS 0
#define ERROR 1
#define STDBUF 1024 /* presumably a general string buffer size -- confirm at the use sites */

/* Paths.  CONFDIR is not defined in this header; it is presumably supplied
 * by the build (e.g. a -D flag) -- confirm, as TCP_SIGNATURE_LIST will not
 * expand otherwise. */
#define INSTALL_SYSCONFDIR ""
#define TCP_SIGNATURE_LIST CONFDIR "tcp-service.sig"
#define LOGDIR "/var/log/"
#define PRADS_ASSETLOG "prads-asset.log"
#define MODE_READ "r" /* fopen() modes */
#define MODE_WRITE "w"

#define MAX_APP 100 /* presumably caps for the three signature title parts (app/ver/misc) -- confirm */
#define MAX_VER 25
#define MAX_MISC 100
#define MAX_NETS 128 /* presumably the maximum number of configured networks (fmask entries) -- confirm */
#define SERVICE 1 /* role values, see serv_asset.role */
#define CLIENT 2
#define FROMSERVER 0 /* packet direction */
#define FROMCLIENT 1
#define CXT_DEFAULT_HASHSIZE 65536 /* default number of connection hash buckets */
#define CXT_DEFAULT_PREALLOC 10000 /* default number of connection structs allocated up front */
182 /* D A T A S T R U C T U R E S *********************************************/
/* Ethernet header */
/* On-the-wire Ethernet header.  The bytes after the two MAC addresses are
 * viewed through a union: untagged, one 802.1Q tag, or two stacked
 * (QinQ / metro) tags.  The MACs occupy 12 bytes, so the union starts
 * 2-byte aligned and no padding is inserted even without a packed attribute. */
typedef struct _ether_header {
    uint8_t ether_dst[6]; /* destination MAC */
    uint8_t ether_src[6]; /* source MAC */

    union {
        struct etht {
            uint16_t ether_type; /* ethernet type (normal) */
        } etht;

        struct qt {
            uint16_t eth_t_8021; /* ethernet type/802.1Q tag */
            uint16_t eth_t_8_vid; /* tag control word of the single tag */
            uint16_t eth_t_8_type; /* encapsulated ethernet type */
        } qt;

        struct qot {
            uint16_t eth_t_80212; /* ethernet type/802.1QinQ */
            uint16_t eth_t_82_mvid; /* outer (metro) tag control word */
            uint16_t eth_t_82_8021; /* inner tag's ethernet type */
            uint16_t eth_t_82_vid; /* inner tag control word */
            uint16_t eth_t_82_type; /* encapsulated ethernet type */
        } qot;
    } vlantag;

/* Accessor shorthands: eth->eth_8_vid instead of eth->vlantag.qt.eth_t_8_vid.
 * They are plain text substitutions and stay defined for the rest of the
 * translation unit, not just inside the struct. */
#define eth_ip_type vlantag.etht.ether_type

#define eth_8_type vlantag.qt.eth_t_8021
#define eth_8_vid vlantag.qt.eth_t_8_vid
#define eth_8_ip_type vlantag.qt.eth_t_8_type

#define eth_82_type vlantag.qot.eth_t_80212
#define eth_82_mvid vlantag.qot.eth_t_82_mvid
#define eth_82_8021 vlantag.qot.eth_t_82_8021
#define eth_82_vid vlantag.qot.eth_t_82_vid
#define eth_82_ip_type vlantag.qot.eth_t_82_type

} ether_header;
/* Fixed part of an ARP packet.  The hardware/protocol addresses that follow
 * are variable sized (ar_hln / ar_pln bytes each); ether_arp below is the
 * Ethernet + IPv4 instance of that layout. */
typedef struct _arphdr {
    uint16_t ar_hrd; /* Format of hardware address. */
    uint16_t ar_pro; /* Format of protocol address. */
    uint8_t ar_hln; /* Length of hardware address. */
    uint8_t ar_pln; /* Length of protocol address. */
    uint16_t ar_op; /* ARP opcode (command). */
#if 0
    /*
     * Ethernet looks like this : This bit is variable sized
     * however...
     * (dead code: kept only as documentation of the trailing fields;
     * note the double-underscore names are reserved identifiers in C)
     */
    unsigned char __ar_sha[MAC_ADDR_LEN]; /* Sender hardware address. */
    unsigned char __ar_sip[4]; /* Sender IP address. */
    unsigned char __ar_tha[MAC_ADDR_LEN]; /* Target hardware address. */
    unsigned char __ar_tip[4]; /* Target IP address. */
#endif
} arphdr;
/* ARP packet as carried on Ethernet with IPv4 protocol addresses: the fixed
 * arphdr followed by 6-byte hardware and 4-byte protocol addresses.
 * NOTE(review): this layout is only valid when ea_hdr.ar_hln == MAC_ADDR_LEN
 * and ea_hdr.ar_pln == 4; a decoder casting packet bytes to this type should
 * check both (and the available length) before reading the address fields. */
typedef struct _ether_arp {
    arphdr ea_hdr; /* fixed-size header */
    uint8_t arp_sha[MAC_ADDR_LEN]; /* sender hardware address */
    uint8_t arp_spa[4]; /* sender protocol address */
    uint8_t arp_tha[MAC_ADDR_LEN]; /* target hardware address */
    uint8_t arp_tpa[4]; /* target protocol address */
} ether_arp;
/* IPv4 header */
/* Fixed IPv4 header (IP4_HEADER_LEN bytes); options, if any, follow it.
 * Multi-byte fields hold the raw wire (big-endian) value -- presumably
 * converted with ntohs()/ntohl() at the point of use; confirm in the decoder. */
typedef struct _ip4_header {
    uint8_t ip_vhl; /* version << 4 | header length >> 2 (decode with IP_V / IP_HL) */
    uint8_t ip_tos; /* type of service */
    uint16_t ip_len; /* total length */
    uint16_t ip_id; /* identification */
    uint16_t ip_off; /* fragment offset field (flags IP_RF/IP_DF/IP_MF + IP_OFFMASK) */
    uint8_t ip_ttl; /* time to live */
    uint8_t ip_p; /* protocol (IP_PROTO_*) */
    uint16_t ip_csum; /* checksum */
    uint32_t ip_src; /* source address */
    uint32_t ip_dst; /* dest address */
} ip4_header;
/* Bits of ip4_header.ip_off; they match the host-order value of the field,
 * so presumably ip_off goes through ntohs() first -- confirm in the decoder. */
#define IP_RF 0x8000 /* reserved fragment flag */
#define IP_DF 0x4000 /* dont fragment flag */
#define IP_MF 0x2000 /* more fragments flag */
#define IP_OFFMASK 0x1fff /* mask for fragmenting bits */
/* ip_vhl = version << 4 | (header length in bytes) >> 2, so IP_HL() yields the
 * header length in 32-bit words (multiply by 4 for bytes) and IP_V() the
 * version nibble.  Both take a pointer to an ip4_header. */
#define IP_HL(ip4_header) (((ip4_header)->ip_vhl) & 0x0f)
#define IP_V(ip4_header) (((ip4_header)->ip_vhl) >> 4)
/* IPv6 header */
/* Fixed IPv6 header (IP6_HEADER_LEN = 40 bytes: 4 + 2 + 1 + 1 + 16 + 16).
 * Extension headers, if any, follow and are chained through `next`. */
typedef struct _ip6_header {
    uint32_t vcl; /* version, class, and label -- split out with IP6_V / IP6_TC / IP6_FL */
    uint16_t len; /* length of the payload */
    uint8_t next; /* next header
                   * Uses the same flags as
                   * the IPv4 protocol field */
    uint8_t hop_lmt; /* hop limit */
    struct in6_addr ip_src; /* source address */
    struct in6_addr ip_dst; /* dest address */
} ip6_header;
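/* Field extractors for ip6_header.vcl.  Each takes a pointer; the argument is
 * parenthesised so any pointer expression may be passed.
 * NOTE(review): the previous comment here read "header is in host order",
 * yet the macros byte-swap vcl with htonl().  On little-endian hosts htonl()
 * and ntohl() are the same swap, so these are correct if vcl holds the raw
 * network-order word from the packet -- confirm against the callers. */
#define IP6_V(ip6_header) (htonl((ip6_header)->vcl) >> 28) /* version, 4 bits */
#define IP6_TC(ip6_header) ((htonl((ip6_header)->vcl) & 0x0FF00000) >> 20) /* traffic class, 8 bits */
#define IP6_FL(ip6_header) (htonl((ip6_header)->vcl) & 0x000FFFFF) /* flow label, 20 bits */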
/* TCP header */
/* Fixed TCP header (TCP_HEADER_LEN bytes); options follow when
 * TCP_OFFSET() > 5.  Ports are raw wire order (see PI_TCP_SP/PI_TCP_DP,
 * which apply ntohs()). */
typedef struct _tcp_header {
    uint16_t src_port; /* source port */
    uint16_t dst_port; /* destination port */
    uint32_t t_seq; /* sequence number */
    uint32_t t_ack; /* acknowledgement number */
    uint8_t t_offx2; /* data offset, rsvd (decode with TCP_OFFSET / TCP_X2) */
    uint8_t t_flags; /* tcp flags (TF_*) */
    uint16_t t_win; /* window */
    uint16_t t_csum; /* checksum */
    uint16_t t_urgp; /* urgent pointer */
} tcp_header;
/* t_offx2 packs the data offset (high nibble, in 32-bit words) and the
 * reserved bits (low nibble); both macros take a tcp_header pointer. */
#define TCP_OFFSET(tcp_header) (((tcp_header)->t_offx2 >> 4) & 0x0f)
#define TCP_X2(tcp_header) ((tcp_header)->t_offx2 & 0x0f)
/* Nonzero only when every bit of `flags` is set in t_flags. */
#define TCP_ISFLAGSET(tcp_header, flags) (((tcp_header)->t_flags & (flags)) == (flags))
/* Read a big-endian 16-bit value from two (possibly unaligned) bytes at p. */
#define GET16(p) ((uint16_t)((uint8_t *)(p))[0] << 8 | \
                  (uint16_t)((uint8_t *)(p))[1])
/* UDP header */
/* UDP header (UDP_HEADER_LEN bytes); all fields raw wire order. */
typedef struct _udp_header {
    uint16_t src_port; /* source port */
    uint16_t dst_port; /* destination port */
    uint16_t len; /* length of the payload */
    uint16_t csum; /* checksum */
} udp_header;
/* ICMP header */
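/* ICMPv4 header modelled after BSD's struct icmp: a fixed type/code/checksum
 * prefix, then a 4-byte word (icmp_hun) and a body (icmp_dun), both unions
 * whose meaning depends on type/code.  The s_icmp_* shorthands below pick a
 * member of the two unions.
 * NOTE(review): icmp_dun.ip holds a *pointer* (ip4_header *), not the
 * embedded header bytes, and the other union members are wire-sized; if this
 * struct is cast over packet data, s_icmp_ip would read packet bytes as a
 * pointer -- confirm it is never used that way. */
typedef struct _icmp_header {
    uint8_t type;
    uint8_t code;
    uint16_t csum;
    /* first 32-bit word after the checksum */
    union {
        uint8_t pptr; /* parameter problem: offending octet pointer */
        struct in_addr gwaddr; /* redirect: gateway address */
        struct idseq {
            uint16_t id;
            uint16_t seq;
        } idseq; /* echo / timestamp / info / mask: identifier + sequence */
        int sih_void; /* unused word */
        struct pmtu {
            uint16_t ipm_void;
            uint16_t nextmtu;
        } pmtu; /* unreach / fragmentation needed: next-hop MTU */
        struct rtradv {
            uint8_t num_addrs;
            uint8_t wpa;
            uint16_t lifetime;
        } rtradv; /* router advertisement */
    } icmp_hun;
#define s_icmp_pptr icmp_hun.pptr
#define s_icmp_gwaddr icmp_hun.gwaddr
#define s_icmp_id icmp_hun.idseq.id
#define s_icmp_seq icmp_hun.idseq.seq
#define s_icmp_void icmp_hun.sih_void
#define s_icmp_pmvoid icmp_hun.pmtu.ipm_void
#define s_icmp_nextmtu icmp_hun.pmtu.nextmtu
#define s_icmp_num_addrs icmp_hun.rtradv.num_addrs
#define s_icmp_wpa icmp_hun.rtradv.wpa
#define s_icmp_lifetime icmp_hun.rtradv.lifetime
    /* body */
    union {
        /* timestamp request/reply */
        struct ts {
            uint32_t otime;
            uint32_t rtime;
            uint32_t ttime;
        } ts;
        /* IP header for unreach, followed on the wire by its
         * options and then 64 bits of data */
        struct ih_ip {
            ip4_header *ip;
        } ip;
        /* router advertisement entries */
        struct ra_addr {
            uint32_t addr;
            uint32_t preference;
        } radv;
        uint32_t mask; /* address mask request/reply */
        char data[1]; /* start of raw payload; presumably indexed past 1 -- confirm */
    } icmp_dun;
#define s_icmp_otime icmp_dun.ts.otime
#define s_icmp_rtime icmp_dun.ts.rtime
#define s_icmp_ttime icmp_dun.ts.ttime
/* was icmp_dun.ih_ip, which does not exist: ih_ip is the struct tag, the
 * member is named ip, so the old expansion could never compile */
#define s_icmp_ip icmp_dun.ip
#define s_icmp_radv icmp_dun.radv
#define s_icmp_mask icmp_dun.mask
#define s_icmp_data icmp_dun.data
} icmp_header;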
/* ICMPv6 header: type/code/checksum followed by one 4-byte word whose
 * interpretation depends on the type (icmp6_data).  Type values are the
 * ICMP6_* constants below. */
typedef struct _icmp6_header {
    uint8_t type; /* type field */
    uint8_t code; /* code field */
    uint16_t csum; /* checksum field */
    union {
        uint32_t icmp6_data32[1]; /* type-specific field */
        uint16_t icmp6_data16[2]; /* type-specific field */
        uint8_t icmp6_data8[4]; /* type-specific field */
    } icmp6_data;
/* shorthands for the echo request/reply view of icmp6_data */
#define icmp6_id icmp6_data.icmp6_data16[0] /* echo request/reply */
#define icmp6_seq icmp6_data.icmp6_data16[1] /* echo request/reply */
} icmp6_header;
/* ICMPv6 type values (icmp6_header.type) */
#define ICMP6_UNREACH 1 /* destination unreachable */
#define ICMP6_BIG 2 /* packet too big */
#define ICMP6_TIME 3 /* time exceeded */
#define ICMP6_PARAMS 4 /* parameter problem */
#define ICMP6_ECHO 128 /* echo request */
#define ICMP6_REPLY 129 /* echo reply */

/* Minus 1 due to the 'body' field */
/* NOTE(review): ICMP6Hdr is not declared anywhere in this header (the type
 * above is icmp6_header) and, despite the comment, no "- 1" is applied.
 * Unless another header declares ICMP6Hdr, any use of this macro will fail
 * to compile -- confirm whether it is referenced at all. */
#define ICMP6_MIN_HEADER_LEN (sizeof(ICMP6Hdr) )
/* Fixed 4-byte GRE header (GRE_HDR_LEN).  Optional fields selected by the
 * flag bits follow it; the bit layout of flags/version is decoded by the
 * GRE_* macros below. */
typedef struct _gre_header
{
    uint8_t flags; /**< GRE packet flags */
    uint8_t version; /**< GRE version */
    uint16_t ether_type; /**< ether type of the encapsulated traffic */
} gre_header;
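/* Bit tests on a gre_header pointer r.  The argument is parenthesised so
 * expressions such as (pi)->greh or p + n work as the argument; the old
 * form expanded r->flags unparenthesised. */
#define GRE_FLAG_ISSET_CHKSUM(r) ((r)->flags & 0x80) /* checksum present */
#define GRE_FLAG_ISSET_ROUTE(r) ((r)->flags & 0x40) /* routing present */
#define GRE_FLAG_ISSET_KY(r) ((r)->flags & 0x20) /* key present */
#define GRE_FLAG_ISSET_SQ(r) ((r)->flags & 0x10) /* sequence number present */
#define GRE_FLAG_ISSET_SSR(r) ((r)->flags & 0x08) /* strict source route */
#define GRE_FLAG_ISSET_RECUR(r) ((r)->flags & 0x07) /* recursion control, 3 bits */
#define GRE_GET_VERSION(r) ((r)->version & 0x07) /* version number, low 3 bits */
#define GRE_GET_FLAGS(r) ((r)->version & 0xF8) /* flag bits of the second byte */
#define GRE_GET_PROTO(r) ntohs((r)->ether_type) /* encapsulated protocol, host order */
#define GREV1_FLAG_ISSET_FLAGS(r) ((r)->version & 0x78)
#define GREV1_FLAG_ISSET_ACK(r) ((r)->version & 0x80) /* version 1: ack number present */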
/* GRE source-route entry (GRE_SRE_HDR_LEN bytes of fixed fields).
 * NOTE(review): `routing` is a pointer, so this struct is not a direct
 * overlay of the wire format -- presumably it is filled in by the decoder;
 * confirm before casting packet bytes to it. */
typedef struct _gre_sre_header
{
    uint16_t af; /* address family of the route entries */
    uint8_t sre_offset;
    uint8_t sre_length;
    uint8_t *routing;
} gre_sre_header;
461 /* Fingerprint / Signature entry */
/* One TCP/IP stack fingerprint, normally loaded from the signature file
 * (`line` records where) and kept in a singly linked list via `next`.
 * os/desc are heap strings -- presumably owned by the list and released
 * by free_config(); confirm in the loader. */
typedef struct _fp_entry {
    char *os; /* OS genre */
    char *desc; /* OS description */
    uint8_t no_detail; /* Disable guesstimates */
    uint8_t generic; /* Generic hit */
    uint8_t userland; /* Userland stack */
    uint16_t wsize; /* window size */
    uint8_t wsize_mod; /* MOD_* for wsize */
    uint8_t ttl, df; /* TTL and don't fragment bit */
    uint8_t zero_stamp; /* timestamp option but zero value? */
    uint16_t size; /* packet size */
    uint8_t optcnt; /* option count (number of valid entries in opt[]) */
    uint8_t opt[MAXOPT]; /* TCPOPT_* */
    uint16_t wsc, mss; /* value for WSCALE and MSS options */
    uint8_t wsc_mod, mss_mod; /* modulo for WSCALE and MSS (NONE or CONST) */
    uint32_t quirks; /* packet quirks and bugs (QUIRK_* bits) */
    uint32_t line; /* config file line */
    struct _fp_entry *next;
} fp_entry;
482 /* mac address database entry */
/* MAC vendor (OUI) database entry, singly linked via `next`. */
typedef struct _mac_entry {
    uint8_t o[MAC_ADDR_LEN]; /* address prefix to match */
    uint8_t mask; // optional -- presumably how much of o[] is significant; confirm in the matcher
    char *vendor;
    char *comment;
    struct _mac_entry *next;
} mac_entry;
492 /* DHCP Fingerprint / Signature entry */
/* One DHCP fingerprint from the signature file, singly linked via `next`. */
typedef struct _dhcp_fp_entry {
    char *os; /* OS genre */
    char *desc; /* OS description */
    char *vc; /* Vendor Code */
    uint8_t type; /* DHCP type */
    uint8_t ttl; /* IP TTL */
    uint8_t optcnt; /* option count (valid entries in opt[]) */
    uint8_t opt[MAXOPT]; /* DHCP Options */
    uint8_t optreqcnt; /* request option counter (53) */
    uint8_t optreq[MAXOPT]; /* requested options (valid entries: optreqcnt) */
    uint32_t line; /* config file line */
    struct _dhcp_fp_entry *next;
} dhcp_fp_entry;
/* Structure for connections */
/* One tracked connection (cxt), doubly linked via prev/next.  Addresses of
 * both families live in struct in6_addr: IPv4 uses word 0 only (see
 * IP4ADDR / CMP_ADDR4).  time_t is presumably reached through common.h. */
typedef struct _connection {
    struct _connection *prev;
    struct _connection *next;
    time_t start_time; /* connection start time */
    time_t last_pkt_time; /* last seen packet time */
    uint64_t cxid; /* connection id */
    uint8_t reversed; /* 1 if the connection is reversed */
    uint32_t af; /* IP version (4/6) AF_INET */
    uint16_t hw_proto; /* layer2 protocol */
    uint8_t proto; /* IP protocol type */
    struct in6_addr s_ip; /* source address */
    struct in6_addr d_ip; /* destination address */
    uint16_t s_port; /* source port */
    uint16_t d_port; /* destination port */
    uint64_t s_total_pkts; /* total source packets */
    uint64_t s_total_bytes; /* total source bytes */
    uint64_t d_total_pkts; /* total destination packets */
    uint64_t d_total_bytes; /* total destination bytes */
    uint8_t s_tcpFlags; /* tcpflags sent by source */
    uint8_t __pad__; /* pads struct to alignment (note: double-underscore names are reserved in C) */
    uint8_t d_tcpFlags; /* tcpflags sent by destination */
    uint8_t check; /* Flags specifying checking (CXT_* bits) */
    struct _asset *c_asset; /* pointer to src asset */
    struct _asset *s_asset; /* pointer to server asset */
} connection;
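/* connection.check bits */
#define CXT_DONT_CHECK_SERVER 0x01 /* Dont check server packets */
#define CXT_DONT_CHECK_CLIENT 0x02 /* Dont check client packets */
#define CXT_SERVICE_DONT_CHECK 0x04 /* Dont check payload from server */
#define CXT_CLIENT_DONT_CHECK 0x08 /* Dont check payload from client */
#define CXT_SERVICE_UNKNOWN_SET 0x10 /* If service is set as unknown */
#define CXT_CLIENT_UNKNOWN_SET 0x20 /* If client is set as unknown */

/* Tests on pi->cxt->check for a packetinfo pointer pi; pi->cxt must be
 * non-NULL.  The argument is parenthesised so an expression may be passed
 * (the old form expanded pi->cxt unparenthesised). */
#define ISSET_CXT_DONT_CHECK_CLIENT(pi) ((pi)->cxt->check & CXT_DONT_CHECK_CLIENT)
#define ISSET_CXT_DONT_CHECK_SERVER(pi) ((pi)->cxt->check & CXT_DONT_CHECK_SERVER)
#define ISSET_DONT_CHECK_SERVICE(pi) ((pi)->cxt->check & CXT_SERVICE_DONT_CHECK)
#define ISSET_DONT_CHECK_CLIENT(pi) ((pi)->cxt->check & CXT_CLIENT_DONT_CHECK)
#define ISSET_SERVICE_UNKNOWN(pi) ((pi)->cxt->check & CXT_SERVICE_UNKNOWN_SET)
#define ISSET_CLIENT_UNKNOWN(pi) ((pi)->cxt->check & CXT_CLIENT_UNKNOWN_SET)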
549 // good comparison to optimize
550 // XXX: TODO: comotion: use filter_network 64bit instructions
/* Darwin's struct in6_addr exposes the 32-bit view as __u6_addr.__u6_addr32
 * and has no s6_addr32 shorthand; other platforms are expected to provide
 * s6_addr32 themselves (the macros below rely on it). */
#ifdef __APPLE__
#define s6_addr32 __u6_addr.__u6_addr32
#endif
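/* Word-wise access to a struct in6_addr (or anything with s6_addr32[4]).
 * IPv4 addresses are stored in word 0 of the same structure, which is why
 * IP4ADDR / CMP_ADDR4 look at s6_addr32[0] only. */
#define IP6ADDR0(ip) ((ip)->s6_addr32[0])
#define IP6ADDR1(ip) ((ip)->s6_addr32[1])
#define IP6ADDR2(ip) ((ip)->s6_addr32[2])
#define IP6ADDR3(ip) ((ip)->s6_addr32[3])
/* expands to the four words separated by commas, e.g. for an argument list */
#define IP6ADDR(ip) \
    IP6ADDR0(ip), IP6ADDR1(ip), IP6ADDR2(ip), IP6ADDR3(ip)

#define IP4ADDR(ip) ((ip)->s6_addr32[0])

/* Full 128-bit compare of two in6_addr pointers; presumably the last word is
 * tested first because it is the most likely to differ. */
#define CMP_ADDR6(a1,a2) \
    (((a1)->s6_addr32[3] == (a2)->s6_addr32[3] && \
      (a1)->s6_addr32[2] == (a2)->s6_addr32[2] && \
      (a1)->s6_addr32[1] == (a2)->s6_addr32[1] && \
      (a1)->s6_addr32[0] == (a2)->s6_addr32[0]))

// the reason why we can't get rid of pi->s6_addr32
// apples and apples: both arguments are in6_addr pointers
#define CMP_ADDR4A(a1,a2) \
    ((a1)->s6_addr32[0] == (a2)->s6_addr32[0])
// apples and oranges: apple is an in6_addr pointer, orange a bare 32-bit word
#define CMP_ADDR4(apple,orange) \
    (((apple)->s6_addr32[0] == (orange)))
/* Port equality; both arguments are parenthesised so expressions such as
 * a ? b : c or ntohs(x) are safe (the old form compared p1 == p2 bare). */
#define CMP_PORT(p1,p2) \
    (((p1) == (p2)))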
581 /* Since two or more connections can have the same hash key, we need to
582 * compare the connections with the current hash key. */
/* Full 4-tuple match of a connection against (src, sp, dst, dp); the IPv4
 * form takes bare 32-bit words for src/dst, the IPv6 form in6_addr pointers.
 * Ports are compared first in CMP_CXT4 and last in CMP_CXT6 -- presumably a
 * cost ordering; confirm if it matters. */
#define CMP_CXT4(cxt1, src, sp, dst, dp) \
    (( \
      CMP_PORT((cxt1)->s_port, (sp)) && \
      CMP_PORT((cxt1)->d_port, (dp)) && \
      CMP_ADDR4(&((cxt1)->s_ip), (src)) && \
      CMP_ADDR4(&((cxt1)->d_ip), (dst)) \
    ))

#define CMP_CXT6(cxt1, src, sp, dst, dp) \
    ((CMP_ADDR6(&(cxt1)->s_ip, (src)) && \
      CMP_ADDR6(&(cxt1)->d_ip, (dst)) && \
      CMP_PORT((cxt1)->s_port, (sp)) && CMP_PORT((cxt1)->d_port, (dp))))
596 /* clear the address structure by setting all fields to 0 */
/* NOTE(review): both macros expand to a bare brace block rather than
 * do { ... } while (0), so `if (x) CLEAR_CXT(c); else ...` would not compile.
 * Left as is because existing callers may rely on the current form. */
#define CLEAR_ADDR(a) { \
    (a)->s6_addr32[0] = 0; \
    (a)->s6_addr32[1] = 0; \
    (a)->s6_addr32[2] = 0; \
    (a)->s6_addr32[3] = 0; \
}

/* clears the cxt parts
 * Fields NOT reset here: prev/next (list links), reversed, hw_proto, check,
 * c_asset and s_asset.  If a cxt is recycled from a free list, the caller
 * presumably resets those -- confirm, since a stale c_asset/s_asset pointer
 * on a reused cxt would be a use-after-free risk once the asset is freed. */
#define CLEAR_CXT(cxt) { \
    (cxt)->s_port = 0; \
    (cxt)->d_port = 0; \
    CLEAR_ADDR(&(cxt)->s_ip); \
    CLEAR_ADDR(&(cxt)->d_ip); \
    (cxt)->s_total_pkts = 0; \
    (cxt)->s_total_bytes = 0; \
    (cxt)->d_total_pkts = 0; \
    (cxt)->d_total_bytes = 0; \
    (cxt)->s_tcpFlags = 0; \
    (cxt)->d_tcpFlags = 0; \
    (cxt)->start_time = 0; \
    (cxt)->last_pkt_time = 0; \
    (cxt)->af = 0; \
    (cxt)->proto = 0; \
    (cxt)->cxid = 0; \
}
/* Per-packet decode state handed from the capture callback down the decoder
 * chain.  Header pointers point into `packet` and are NULL/unset for layers
 * the packet does not contain -- presumably; confirm which ones the decoder
 * initialises.  end_ptr is the bound every header/payload read should be
 * checked against. */
typedef struct _packetinfo {
    // macro out the need for some of these
    // eth_type(pi) is same as pi->eth_type, no?
    // marked candidates for deletion
    const struct pcap_pkthdr *pheader; /* Libpcap packet header struct pointer */
    const uint8_t * packet; /* Unsigned char pointer to raw packet */
    // compute (all) these from packet
    uint32_t eth_hlen; /* Ethernet header length */
    uint16_t mvlan; /* Metro vlan tag */
    uint16_t vlan; /* vlan tag */
    uint16_t eth_type; /* Ethernet type (IPv4/IPv6/etc) */
    uint32_t af; /* IP version (4/6) AF_INET */
    ether_header *eth_hdr; /* Ethernet header struct pointer */
    ether_arp *arph; /* ARP header struct pointer */
    ip4_header *ip4; /* IPv4 header struct pointer */
    ip6_header *ip6; /* IPv6 header struct pointer */
    uint16_t packet_bytes; /* Length of IP payload in packet */
    //struct in6_addr ip_src; /* source address */
    //struct in6_addr ip_dst; /* destination address */
    uint16_t s_port; /* source port */
    uint16_t d_port; /* destination port */
    uint8_t proto; /* IP protocol type */
    uint8_t sc; /* SC_SERVER or SC_CLIENT */
    tcp_header *tcph; /* tcp header struct pointer */
    udp_header *udph; /* udp header struct pointer */
    icmp_header *icmph; /* icmp header struct pointer */
    icmp6_header *icmp6h; /* icmp6 header struct pointer */
    gre_header *greh; /* GRE header struct pointer */
    uint16_t gre_hlen; /* Length of dynamic GRE header length */
    const uint8_t *end_ptr; /* Paranoid end pointer of packet */
    const uint8_t *payload; /* char pointer to transport payload */
    uint32_t plen; /* transport payload length */
    uint32_t our; /* Is the asset in our defined network */
    uint8_t up; /* Set if the asset has been updated */
    connection *cxt; /* pointer to the cxt for this packet */
    struct _asset *asset; /* pointer to the asset for this (src) packet */
    enum { SIGNATURE, FINGERPRINT } type; /* which matcher this packet is headed for */
} packetinfo;
663 // packetinfo accessor macros
/* packetinfo accessor macros.  Each dereferences the named header pointer
 * unconditionally, so the caller must already know that layer is present
 * (e.g. PI_TOS needs pi->ip4 set, PI_ECN needs pi->tcph). */
#define PI_TOS(pi) ( (pi)->ip4->ip_tos )
#define PI_ECN(pi) ( (pi)->tcph->t_flags & (TF_ECE|TF_CWR) ) /* ECN-related TCP flag bits */

#define PI_IP4(pi) ((pi)->ip4)
#define PI_IP4SRC(pi) ( PI_IP4(pi)->ip_src ) /* raw wire-order uint32_t */
#define PI_IP4DST(pi) ( PI_IP4(pi)->ip_dst )

#define PI_IP6(pi) ((pi)->ip6)
#define PI_IP6SRC(pi) (PI_IP6(pi)->ip_src) /* struct in6_addr by value */
#define PI_IP6DST(pi) (PI_IP6(pi)->ip_dst)

#define PI_TCP_SP(pi) ( ntohs((pi)->tcph->src_port)) /* ports converted to host order */
#define PI_TCP_DP(pi) ( ntohs((pi)->tcph->dst_port))
// and more to come

/* values of packetinfo.sc */
#define SC_CLIENT 0x01 /* pi for this session is client */
#define SC_SERVER 0x02 /* pi for this session is server */
/* One service or client seen on an asset, doubly linked via prev/next
 * (list head is asset.services).  bstring members are owned by this entry
 * -- presumably; confirm in the code that frees assets. */
typedef struct _serv_asset {
    struct _serv_asset *prev; /* Prev serv_asset structure */
    struct _serv_asset *next; /* Next serv_asset structure */
    time_t first_seen; /* Time at which service_asset was first seen. */
    time_t last_seen; /* Time at which service_asset was last seen. */
    unsigned short i_attempts; /* Attempts at identifying the service_asset. */
    unsigned short proto; /* Asset protocol */
    uint16_t port; /* Asset port */
    uint8_t ttl; /* Asset TTL */
    bstring service; /* Asset service (i.e. SSH, WWW, ICMP etc.) */
    bstring application; /* Asset application (i.e. Apache, ICMP_TYPE etc.) */
    int role; /* server or client (SERVICE / CLIENT) */
    int unknown; /* 1 = Unknown, 0 = Known "Asset application" */
} serv_asset;
/* One OS fingerprint result for an asset, doubly linked via prev/next
 * (list head is asset.os).  `fp` is a by-value copy of the matching
 * fp_entry; match_os/match_desc presumably alias strings owned by the
 * signature list rather than this struct -- confirm before freeing. */
typedef struct _os_asset {
    struct _os_asset *prev; /* Prev os_asset structure */
    struct _os_asset *next; /* Next os_asset structure */
    time_t first_seen; /* Time at which os_asset was first detected. */
    time_t last_seen; /* Time at which os_asset was last detected. */
    unsigned short i_attempts; /* Failed attempts at identifying the os_asset. (hence just unknown) */
    bstring vendor; /* Vendor (MS,Linux,Sun,HP...) */
    bstring os; /* OS (WinXP SP2, 2.4/2.6, 10.2..) */
    uint8_t detection; /* Flag describing detection method (SYN/SYNACK/UDP/ICMP...) */
    bstring raw_fp; /* The raw fingerprint [*:*:*:*:*:*:....] */
    bstring matched_fp; /* The FP that matched [*:*:*:*.*:*:---] */
    fp_entry fp; /* copy of the matching signature entry */
    //fp_entry *match; /* Pointer to matching signature */
    char *match_os; /* OS genre of the match */
    char *match_desc; /* OS description of the match */

    uint16_t port; /* Asset port detected on */
    uint16_t mtu; /* IPv4:MTU = MSS + 40 | IPv6:MTU = MSS + 60 */
    uint8_t ttl; /* Asset ttl */
    uint32_t uptime; /* Asset uptime */
} os_asset;
720 /* Holds one entery for an ARP/NDP or IPv4/IPv6 asset */
/* Holds one entry for an ARP/NDP or IPv4/IPv6 asset, doubly linked via
 * prev/next.  ip_addr stores both families (IPv4 in word 0, see IP4ADDR);
 * `af` says which.  services and os are the heads of per-asset lists. */
typedef struct _asset {
    struct _asset *prev; /* Prev ip_asset structure */
    struct _asset *next; /* Next ip_asset structure */
    time_t first_seen; /* Time at which asset was first seen. */
    time_t last_seen; /* Time at which asset was last seen. */
    unsigned short i_attempts; /* Attempts at identifying the asset. */
    int af; /* IP AF_INET */
    uint16_t vlan; /* vlan tag */
    struct in6_addr ip_addr; /* IP asset address */
    uint8_t mac_addr[MAC_ADDR_LEN]; /* Asset MAC address */
    mac_entry *macentry; /* Asset MAC vendor name (entry in the shared MAC database, not owned) */
    serv_asset *services; /* Linked list with services detected */
    os_asset *os; /* Linked list with OSes detected */
} asset;
/* One service signature: a compiled PCRE applied to transport payload, with
 * the service/title it identifies and hit counters.  Doubly linked list. */
typedef struct _signature {
    bstring service; /* Service (i.e. SSH, WWW, etc.) */
    uint16_t port; /* Port to check for this service, or 0 for all */
    /*
     * Should be able to specify range, and such...
     * Snort style : [80,8080,100-200,20-30,!22]
     * Not sure how to do that... yet....
     */
    struct { /* Application Title, broken up into 3 parts. */
        bstring app; /* Application */
        bstring ver; /* Version */
        bstring misc; /* Misc info */
    } title;
    pcre *regex; /* Signature - Compiled Regular Expression */
    pcre_extra *study; /* Studied version of the compiled regex. */
    struct { /* Signature stats */
        uint32_t checked; /* How many times the sig has been matched for */
        uint32_t matched; /* How many times it has matched*/
    } stats;
    struct _signature *next; /* Next record in the list. */
    struct _signature *prev; /* Previous record in the list. */
} signature;
/* Per-service-name summary (e.g. @http) with a match counter. */
typedef struct _servicelist {
    bstring service_name; /* Service (@http) etc. */
    uint8_t proto; /* Flags: TCP=0x01 UDP=0x02 */
    uint32_t stats; /* stats on how many times it has matched */
} servicelist;
/* Port -> service-name mapping entry, singly linked via `next`. */
typedef struct _port_t {
    uint16_t h_port; /* High port */
    //uint16_t l_port; /* Low Port */
    bstring service_name; /* Service */
    struct _port_t *next; /* Next port_t structure */
} port_t;
/* Run-time counters.  All are 32-bit and wrap silently at 2^32; fine for
 * reporting but not for long-lived high-rate captures. */
typedef struct _prads_stat {
    uint32_t got_packets; /* number of packets received by prads */
    uint32_t eth_recv; /* number of Ethernet packets received */
    uint32_t arp_recv; /* number of ARP packets received */
    uint32_t otherl_recv; /* number of other Link layer packets received */
    uint32_t vlan_recv; /* number of VLAN packets received */
    uint32_t ip4_recv; /* number of IPv4 packets received */
    uint32_t ip6_recv; /* number of IPv6 packets received */
    uint32_t ip4ip_recv; /* number of IP4/6 packets in IPv4 packets */
    uint32_t ip6ip_recv; /* number of IP4/6 packets in IPv6 packets */
    uint32_t gre_recv; /* number of GRE packets received */
    uint32_t tcp_recv; /* number of tcp packets received */
    uint32_t udp_recv; /* number of udp packets received */
    uint32_t icmp_recv; /* number of icmp packets received */
    uint32_t othert_recv; /* number of other transport layer packets received */
    uint32_t assets; /* total number of assets detected */
    uint32_t tcp_os_assets; /* total number of tcp os assets detected */
    uint32_t udp_os_assets; /* total number of udp os assets detected */
    uint32_t icmp_os_assets;/* total number of icmp os assets detected */
    uint32_t dhcp_os_assets;/* total number of dhcp os assets detected */
    uint32_t tcp_services; /* total number of tcp services detected */
    uint32_t tcp_clients; /* total number of tcp clients detected */
    uint32_t udp_services; /* total number of udp services detected */
    uint32_t udp_clients; /* total number of udp clients detected */
} prads_stat;
/* Network filter entry (address + mask).  Two layouts: a plain one when
 * NO_VECTOR_TYPES is defined, otherwise one where addr/mask also overlay a
 * GCC 16-byte vector and two 64-bit words -- presumably so the filter can
 * mask and compare a whole IPv6 address in one or two operations. */
#ifdef NO_VECTOR_TYPES
typedef struct _fmask {
    int type;
    struct in6_addr addr;
    struct in6_addr mask;
} fmask;
#else
// vector types :-)
typedef int v4si __attribute__((vector_size(16))); /* GCC/Clang vector extension, not portable C */
/* one IPv6 address viewed as vector / in6_addr / 64-, 32- or 16-bit words */
typedef union _i4vector {
    v4si v;
    struct in6_addr ip6;
    uint64_t i[2];
    uint32_t w[4];
    uint16_t s[8];
} ip6v;
typedef struct _fmask {
    int type;
    union { /* anonymous union: addr, addr_v and addr64 are direct members, matching the layout above */
        v4si addr_v;
        struct in6_addr addr;
        uint64_t addr64[2];
    };
    union {
        v4si mask_v;
        struct in6_addr mask;
        uint64_t mask64[2];
    };
} fmask;

#endif
/* Nonzero when every bit of `flags` is set in the config's ctf / cof bit
 * sets (the config struct itself is declared elsewhere). */
#define IS_COSET(config, flags) (((config)->ctf & (flags)) == (flags))
#define IS_CSSET(config, flags) (((config)->cof & (flags))  == (flags))
839 /* P R O T O T Y P E S ******************************************************/
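/* Release everything loaded into the global config.  Declared with (void)
 * rather than an empty parameter list so the compiler checks call sites. */
void free_config(void);
// can't declare in sys_func.h because it does not include prads.h!
/* Format pi's source / destination address into dest (caller-provided,
 * sized for an IPv6 text form) and return dest. */
const char *u_ntop_src(packetinfo *pi, char *dest);
const char *u_ntop_dst(packetinfo *pi, char *dest);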
844 #endif // PRADS_H