Initial import of svn+ssh:://svn.icir.org/bro/trunk/bro as of r7088

src/BackDoor.h

@@ -0,0 +1,119 @@
+// $Id: BackDoor.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef backdoor_h
+#define backdoor_h
+
+#include "TCP.h"
+#include "Timer.h"
+#include "NetVar.h"
+#include "Login.h"
+
+class BackDoorEndpoint {
+public:
+	BackDoorEndpoint(TCP_Endpoint* e);
+
+	int DataSent(double t, int seq, int len, int caplen, const u_char* data,
+		     const IP_Hdr* ip, const struct tcphdr* tp);
+
+	RecordVal* BuildStats();
+
+	void FinalCheckForRlogin();
+
+protected:
+	void CheckForRlogin(int seq, int len, const u_char* data);
+	void RloginSignatureFound(int len);
+
+	void CheckForTelnet(int seq, int len, const u_char* data);
+	void TelnetSignatureFound(int len);
+
+	void CheckForSSH(int seq, int len, const u_char* data);
+	void CheckForFTP(int seq, int len, const u_char* data);
+	void CheckForRootBackdoor(int seq, int len, const u_char* data);
+	void CheckForNapster(int seq, int len, const u_char* data);
+	void CheckForGnutella(int seq, int len, const u_char* data);
+	void CheckForKazaa(int seq, int len, const u_char* data);
+	void CheckForHTTP(int seq, int len, const u_char* data);
+	void CheckForHTTPProxy(int seq, int len, const u_char* data);
+	void CheckForSMTP(int seq, int len, const u_char* data);
+	void CheckForIRC(int seq, int len, const u_char* data);
+	void CheckForGaoBot(int seq, int len, const u_char* data);
+
+	void SignatureFound(EventHandlerPtr e, int do_orig = 0);
+
+	int CheckForStrings(const char** strs, const u_char* data, int len);
+	int CheckForFullString(const char* str, const u_char* data, int len);
+	int CheckForString(const char* str, const u_char* data, int len);
+
+	TCP_Endpoint* endp;
+	int is_partial;
+	int max_top_seq;
+
+	int rlogin_checking_done;
+	int rlogin_num_null;
+	int rlogin_string_separator_pos;
+	int rlogin_slash_seen;
+
+	uint32 num_pkts;
+	uint32 num_8k4_pkts;
+	uint32 num_8k0_pkts;
+	uint32 num_lines;
+	uint32 num_normal_lines;
+	uint32 num_bytes;
+	uint32 num_7bit_ascii;
+};
+
+class BackDoor_Analyzer : public TCP_ApplicationAnalyzer {
+public:
+	BackDoor_Analyzer(Connection* c);
+	~BackDoor_Analyzer();
+
+	virtual void Init();
+	virtual void Done();
+	void StatTimer(double t, int is_expire);
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new BackDoor_Analyzer(conn); }
+
+	static bool Available()
+		{
+		return backdoor_stats || rlogin_signature_found ||
+			telnet_signature_found || ssh_signature_found ||
+			root_backdoor_signature_found || ftp_signature_found ||
+			napster_signature_found || kazaa_signature_found ||
+			http_signature_found || http_proxy_signature_found;
+		}
+
+protected:
+	// We support both packet and stream input, and can be instantiated
+	// even if the TCP analyzer is not yet reassembling.
+	virtual void DeliverPacket(int len, const u_char* data, bool is_orig,
+					int seq, const IP_Hdr* ip, int caplen);
+	virtual void DeliverStream(int len, const u_char* data, bool is_orig);
+
+	void StatEvent();
+	void RemoveEvent();
+
+	BackDoorEndpoint* orig_endp;
+	BackDoorEndpoint* resp_endp;
+
+	int orig_stream_pos;
+	int resp_stream_pos;
+
+	double timeout;
+	double backoff;
+};
+
+class BackDoorTimer : public Timer {
+public:
+	BackDoorTimer(double t, BackDoor_Analyzer* a);
+	~BackDoorTimer();
+
+	void Dispatch(double t, int is_expire);
+
+protected:
+	BackDoor_Analyzer* analyzer;
+};
+
+#endif