📄 match_rpc.c
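#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <errno.h>
#include <netinet/in.h>
#include <firestorm.h>
#include <packet.h>
#include <alert.h>
#include <signature.h>
#include <decode.h>
#include <matcher.h>
#include <plugin.h>

PLUGIN_STD_DEFS();

proc_template template_shortrange;
proc_decode_proto decode_proto;
struct proto *tcpproto = NULL;
struct proto *udpproto = NULL;

/*
 * Fixed prefix of an ONC RPC message as it appears on the wire (RFC 1057 /
 * RFC 5531): xid, msg_type, then for a CALL the rpcvers/prog/vers/proc
 * quadruple. Every field is a big-endian 32-bit word. All values in this
 * file are kept in network byte order so they compare without conversion.
 */
struct rpc_pkt {
	u_int32_t xid;
	u_int32_t direction;		/* msg_type: 0 = CALL, 1 = REPLY */
	u_int32_t rpc_ver;		/* rpcvers, always 2 */
	u_int32_t app, ver, proc;	/* prog, vers, proc of the CALL */
};

/*
 * msg_type used to be declared as a 16-bit field. On the wire it is a 32-bit
 * word whose distinguishing bit lives in the last byte, so comparing only the
 * first 16 bits accepted REPLY messages as CALLs and then matched the reply
 * body against prog/vers/proc. The full 32-bit word must be compared.
 */
u_int32_t rpc_call = 0;				/* CALL is zero in any byte order */
u_int32_t rpc_ver = __constant_htonl(0x0002);	/* only rpcvers 2 is examined */

/* Which of the rule's three fields are constrained ('*' leaves the bit clear) */
enum {
	RPC_CHECK_APP  = 1 << 0,
	RPC_CHECK_PROC = 1 << 1,
	RPC_CHECK_VER  = 1 << 2
};

/* Per-rule matcher state built by rpc_validate(); values in network byte order */
struct rpc_priv {
	u_int32_t app, ver, proc;
	u_int32_t flags;
};

/*
 * Matcher-API equality callback.
 *
 * Returns 0 when both rpc_priv objects constrain the same fields to the same
 * values, non-zero otherwise. Fields not selected by flags are ignored, so
 * the unused slots of a wildcarded rule do not affect the comparison.
 */
int rpc_compare(void *x1, void *x2)
{
	const struct rpc_priv *p1 = x1;
	const struct rpc_priv *p2 = x2;

	if (p1->flags != p2->flags)
		return 1;
	if ((p1->flags & RPC_CHECK_APP) && p1->app != p2->app)
		return 1;
	if ((p1->flags & RPC_CHECK_VER) && p1->ver != p2->ver)
		return 1;
	if ((p1->flags & RPC_CHECK_PROC) && p1->proc != p2->proc)
		return 1;
	return 0;
}

/*
 * Matcher-API match callback.
 *
 * pkt:  decoded packet; layer l+1 must be TCP or UDP and layer l+2 the
 *       payload carrying the RPC message (assumes the decoder populates
 *       layer l+2 whenever l+1 is TCP/UDP — TODO confirm with the decoder).
 * priv: struct rpc_priv produced by rpc_validate().
 * l:    index of the layer the signature is anchored on.
 * n:    negation flag (0 or 1) from the signature.
 *
 * Returns n^1 when the packet is an RPC CALL whose prog/vers/proc satisfy
 * the rule, n^0 when it is a CALL that does not, and plain 0 (regardless of
 * n) when the packet does not carry a well-formed RPC CALL at all.
 */
int rpc_match(struct packet *pkt, void *priv, unsigned int l, int n)
{
	const struct rpc_priv *p = priv;
	const unsigned char *base;
	struct rpc_pkt hdr;
	ptrdiff_t avail;
	size_t skip;

	/* Over TCP the message is preceded by the 4-byte record-marking header */
	if (pkt->layer[l + 1].proto == tcpproto)
		skip = 4;
	else if (pkt->layer[l + 1].proto == udpproto)
		skip = 0;
	else
		return 0;

	/*
	 * Bounds check with lengths instead of forming a pointer past pkt->end
	 * (undefined in C). A NULL payload or an end pointer that precedes the
	 * payload start both count as "too short".
	 */
	base = (const unsigned char *)pkt->layer[l + 2].h.raw;
	if (base == NULL)
		return 0;
	avail = (const unsigned char *)pkt->end - base;
	if (avail < 0 || (size_t)avail < skip + sizeof hdr)
		return 0;

	/* Copy out rather than cast: the payload need not be 32-bit aligned */
	memcpy(&hdr, base + skip, sizeof hdr);

	/* Only CALLs carry prog/vers/proc; a REPLY body would match spuriously */
	if (hdr.direction != rpc_call)
		return 0;
	if (hdr.rpc_ver != rpc_ver)
		return 0;

	/* Both sides are in network byte order, see rpc_validate() */
	if ((p->flags & RPC_CHECK_APP) && hdr.app != p->app)
		return n ^ 0;
	if ((p->flags & RPC_CHECK_VER) && hdr.ver != p->ver)
		return n ^ 0;
	if ((p->flags & RPC_CHECK_PROC) && hdr.proc != p->proc)
		return n ^ 0;
	return n ^ 1;
}

/*
 * Parse one field of "prog,proc,vers": '*' leaves the bit clear, a number
 * stores its value and sets the bit. Returns -1 if the field is not a
 * number, 0 otherwise.
 */
static int rpc_parse_field(char *s, u_int32_t *val, u_int32_t bit, u_int32_t *flags)
{
	if (s[0] == '*')
		return 0;
	if (strtouint(s, val))
		return -1;
	*flags |= bit;
	return 0;
}

/*
 * Matcher-API validate callback: parses the rule argument "prog,proc,vers"
 * (each field a decimal number or '*' for "any") into a struct rpc_priv.
 *
 * args: rule text. Leading blanks are skipped and parsing stops at the first
 *       blank after the third field. The string is modified in place (the
 *       separators are overwritten with NUL) because strtouint() needs
 *       NUL-terminated fields.
 * priv: receives the allocated rpc_priv; the matcher core frees it
 *       (MATCHER_FREE in rpc_matchers[]).
 * m, c: unused here.
 *
 * Returns rpc_match on success, NULL on a malformed argument, a missing
 * tcp/udp decoder, or allocation failure (*priv is then left untouched).
 */
proc_match_match rpc_validate(char *args, void **priv, struct criteria *m, u_int32_t *c)
{
	struct rpc_priv *p;
	char *str[3] = { NULL, NULL, NULL };
	u_int32_t app = 0, proc = 0, ver = 0;
	u_int32_t flags = 0;
	int i = 0;

	(void)m;
	(void)c;

	if (!args)
		return NULL;

	/* We only support RPC encapsulations in TCP or UDP */
	if (!tcpproto && !(tcpproto = decode_proto("tcp")))
		return NULL;
	if (!udpproto && !(udpproto = decode_proto("udp")))
		return NULL;

	/* Split "prog,proc,vers" in place; stop at the first blank after vers */
	for (; *args; args++) {
		if (i == 0) {
			if (*args != ' ' && *args != '\t')
				str[i++] = args;
		} else if (i < 3) {
			if (*args == ',') {
				*args = '\0';
				str[i++] = args + 1;
			}
		} else if (*args == ' ' || *args == '\t') {
			*args = '\0';
			break;
		}
	}
	if (i < 3)
		return NULL;

	/* Application / program, procedure, version — in argument order */
	if (rpc_parse_field(str[0], &app, RPC_CHECK_APP, &flags) ||
	    rpc_parse_field(str[1], &proc, RPC_CHECK_PROC, &flags) ||
	    rpc_parse_field(str[2], &ver, RPC_CHECK_VER, &flags))
		return NULL;

	p = calloc(1, sizeof *p);
	if (!p)
		return NULL;

	/* Stored in network byte order so rpc_match() compares without ntohl() */
	p->app = htonl(app);
	p->ver = htonl(ver);
	p->proc = htonl(proc);
	p->flags = flags;
	*priv = p;
	return rpc_match;
}

/* Table registered with the matcher core; MATCHER_FREE hands ownership of priv to it */
struct matcher rpc_matchers[] = {
	matcher_init("rpc", MCOST_APP + 12, rpc_validate, rpc_compare, MATCHER_FREE),
	matcher_null()
};

/* Plugin hook: registers the "rpc" matcher with the matcher API */
int PLUGIN_MATCHER (struct matcher_api *m)
{
	object_check(m);
	template_shortrange = m->template_shortrange;
	if (!m->matcher_add(rpc_matchers))
		return PLUGIN_ERR_FAIL;
	return PLUGIN_ERR_OK;
}

/* Plugin hook: identifies the plugin and imports the "decode.proto" lookup it depends on */
int PLUGIN_INIT (struct plugin_in *in, struct plugin_out *out)
{
	plugin_check(in, out);
	PLUGIN_ID("match.rpc", "RPC matching routines");
	PLUGIN_VERSION(2, 0);
	PLUGIN_AUTHOR("Gianni Tedesco", "gianni@scaramanga.co.uk");
	PLUGIN_LICENSE("GPL");
	if (!(decode_proto = in->import("decode.proto")))
		return PLUGIN_ERR_OBJECT;
	return PLUGIN_ERR_OK;
}

/* Plugin hook: nothing to release here; rpc_priv objects are freed by the matcher core */
int PLUGIN_UNLOAD (int code)
{
	(void)code;
	return PLUGIN_ERR_OK;
}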