예제 #1
0
  public void handleIPv4Packet(IPv4 ipv4, IPacketModuleContext ctx) {
    if (ipv4.getNextProtocol() != NetworkConstants.IPPROTO_TCP) {
      return;
    }

    TCP tcp = (TCP) ipv4.findHeader(TCP.class);

    if (tcp == null) {
      return;
    }
    if (foundAddresses.contains(ipv4.getSourceAddress())) {
      return;
    }

    Signature s = handleTCP(ipv4, tcp, ctx);
    if (s == null) return;

    log(
        ctx,
        "match! ["
            + ipv4.getSourceAddress()
            + "] --> "
            + ipv4.getDestinationAddress()
            + " is "
            + s.getOSGenre()
            + " "
            + s.getOSVersion());
    foundAddresses.add(ipv4.getSourceAddress());

    INetworkEntityFactory factory = Activator.getInstance().getNetworkEntityFactory();
    factory.setOperatingSystem(
        ctx.getRealm(),
        ctx.getSpaceId(),
        ipv4.getSourceAddress(),
        s.getOSGenre() + " " + s.getOSVersion());
  }
예제 #2
0
  private Signature matchPacket(IPv4 ip, TCP tcp, int mode, IPacketModuleContext ctx) {
    int quirks = 0;

    if (ip.getHeaderLength32() > 5) {
      quirks |= Signature.QUIRK_IPOPT;
    }

    if (mode == MODE_RST && tcp.getACK()) {
      quirks |= Signature.QUIRK_RSTACK;
    }

    if (tcp.sequence().equals(tcp.ackSequence())) {
      quirks |= Signature.QUIRK_SEQEQ;
    }

    if (tcp.sequence().toInteger() == 0) {
      quirks |= Signature.QUIRK_SEQ0;
    }

    if (mode == MODE_OPEN) {
      if (tcp.getURG() || tcp.getFIN()) {
        quirks |= Signature.QUIRK_FLAGS;
      }

    } else {
      if (tcp.getPSH() || tcp.getURG() || tcp.getFIN()) {
        quirks |= Signature.QUIRK_FLAGS;
      }
    }

    if (tcp.getNextHeader() != null) {
      quirks |= Signature.QUIRK_DATA;
    }

    ByteBuffer options = ByteBuffer.wrap(tcp.getOptionsBuffer());
    int mss = 0;
    int wsc = 0;
    int tstamp = 0;
    byte[] op = new byte[Signature.MAXOPT];
    int opCount = 0;
    boolean done = false;

    while (!done && options.hasRemaining()) {

      int currentOp = options.get() & 0xFF;
      switch (currentOp) {
        case TCP.OPT_EOL:
          op[opCount++] = TCP.OPT_EOL;
          if (options.hasRemaining()) {
            quirks |= Signature.QUIRK_PAST;
            done = true;
          }
          break;
        case TCP.OPT_NOP:
          op[opCount++] = TCP.OPT_NOP;
          break;
        case TCP.OPT_SACKOK:
          op[opCount++] = TCP.OPT_SACKOK;
          options.get(); // length byte
          break;
        case TCP.OPT_MAXSEG:
          if (options.remaining() < 3) {
            quirks |= Signature.QUIRK_BROKEN;
            done = true;
            break;
          }
          op[opCount++] = TCP.OPT_MAXSEG;
          options.get(); // length byte
          mss = options.getShort() & 0xFFFF;
          break;

        case TCP.OPT_WSCALE:
          if (options.remaining() < 2) {
            quirks |= Signature.QUIRK_BROKEN;
            done = true;
            break;
          }
          op[opCount++] = TCP.OPT_WSCALE;
          options.get(); // length byte
          wsc = options.get() & 0xFF;
          break;
        case TCP.OPT_TIMESTAMP:
          if (options.remaining() < 9) {
            quirks |= Signature.QUIRK_BROKEN;
            done = true;
            break;
          }
          op[opCount++] = TCP.OPT_TIMESTAMP;
          options.get(); // length byte
          tstamp = options.getInt();
          if (options.getInt() != 0) {
            quirks |= Signature.QUIRK_T2;
          }
          break;

        default:
          if (!options.hasRemaining()) {
            quirks |= Signature.QUIRK_BROKEN;
            done = true;
            break;
          }
          op[opCount++] = (byte) currentOp;
          int olen = options.get() & 0xFF;
          if (olen > 32 || olen > options.remaining()) {
            // p0f has a bug and won't set the QUIRK flag
            // in the second case.
            quirks |= Signature.QUIRK_BROKEN;
            done = true;
            break;
          }

          options.position(options.position() + olen);
          if (opCount >= Signature.MAXOPT) {
            quirks |= Signature.QUIRK_BROKEN;
            done = true;
          }
      }
    }

    if (tcp.getACK()) quirks |= Signature.QUIRK_ACK;
    if (tcp.getURG()) quirks |= Signature.QUIRK_URG;
    if (tcp.getReserved() != 0) quirks |= Signature.QUIRK_X2;
    if (ip.getIdentification() == 0) quirks |= Signature.QUIRK_ZEROID;

    Signature res =
        sigSet.match(
            ip.getTotalLength(),
            ip.getDF(),
            ip.getTimeToLive(),
            tcp.getWindow(),
            op,
            opCount,
            mss,
            wsc,
            tstamp,
            ip.getTypeOfService(),
            quirks,
            mode);
    if (res == null) {
      log(
          ctx,
          "Unmatched ["
              + ip.getSourceAddress()
              + "] --> "
              + ip.getDestinationAddress()
              + " has signature "
              + sigSet.printSignature(
                  ip.getTotalLength(),
                  ip.getDF(),
                  ip.getTimeToLive(),
                  tcp.getWindow(),
                  op,
                  opCount,
                  mss,
                  wsc,
                  tstamp,
                  ip.getTypeOfService(),
                  quirks,
                  mode));
    }

    return res;
  }