mirror of
https://github.com/zeek/zeek.git
synced 2025-10-10 02:28:21 +00:00
117 lines
3.2 KiB
C++
117 lines
3.2 KiB
C++
// See the file "COPYING" in the main distribution directory for copyright.
|
|
|
|
#ifndef backdoor_h
|
|
#define backdoor_h
|
|
|
|
#include "TCP.h"
|
|
#include "Timer.h"
|
|
#include "NetVar.h"
|
|
#include "Login.h"
|
|
|
|
class BackDoorEndpoint {
|
|
public:
|
|
BackDoorEndpoint(TCP_Endpoint* e);
|
|
|
|
int DataSent(double t, int seq, int len, int caplen, const u_char* data,
|
|
const IP_Hdr* ip, const struct tcphdr* tp);
|
|
|
|
RecordVal* BuildStats();
|
|
|
|
void FinalCheckForRlogin();
|
|
|
|
protected:
|
|
void CheckForRlogin(int seq, int len, const u_char* data);
|
|
void RloginSignatureFound(int len);
|
|
|
|
void CheckForTelnet(int seq, int len, const u_char* data);
|
|
void TelnetSignatureFound(int len);
|
|
|
|
void CheckForSSH(int seq, int len, const u_char* data);
|
|
void CheckForFTP(int seq, int len, const u_char* data);
|
|
void CheckForRootBackdoor(int seq, int len, const u_char* data);
|
|
void CheckForNapster(int seq, int len, const u_char* data);
|
|
void CheckForGnutella(int seq, int len, const u_char* data);
|
|
void CheckForKazaa(int seq, int len, const u_char* data);
|
|
void CheckForHTTP(int seq, int len, const u_char* data);
|
|
void CheckForHTTPProxy(int seq, int len, const u_char* data);
|
|
void CheckForSMTP(int seq, int len, const u_char* data);
|
|
void CheckForIRC(int seq, int len, const u_char* data);
|
|
void CheckForGaoBot(int seq, int len, const u_char* data);
|
|
|
|
void SignatureFound(EventHandlerPtr e, int do_orig = 0);
|
|
|
|
int CheckForStrings(const char** strs, const u_char* data, int len);
|
|
int CheckForFullString(const char* str, const u_char* data, int len);
|
|
int CheckForString(const char* str, const u_char* data, int len);
|
|
|
|
TCP_Endpoint* endp;
|
|
int is_partial;
|
|
int max_top_seq;
|
|
|
|
int rlogin_checking_done;
|
|
int rlogin_num_null;
|
|
int rlogin_string_separator_pos;
|
|
int rlogin_slash_seen;
|
|
|
|
uint32 num_pkts;
|
|
uint32 num_8k4_pkts;
|
|
uint32 num_8k0_pkts;
|
|
uint32 num_lines;
|
|
uint32 num_normal_lines;
|
|
uint32 num_bytes;
|
|
uint32 num_7bit_ascii;
|
|
};
|
|
|
|
class BackDoor_Analyzer : public TCP_ApplicationAnalyzer {
|
|
public:
|
|
BackDoor_Analyzer(Connection* c);
|
|
~BackDoor_Analyzer();
|
|
|
|
virtual void Init();
|
|
virtual void Done();
|
|
void StatTimer(double t, int is_expire);
|
|
|
|
static Analyzer* InstantiateAnalyzer(Connection* conn)
|
|
{ return new BackDoor_Analyzer(conn); }
|
|
|
|
static bool Available()
|
|
{
|
|
return backdoor_stats || rlogin_signature_found ||
|
|
telnet_signature_found || ssh_signature_found ||
|
|
root_backdoor_signature_found || ftp_signature_found ||
|
|
napster_signature_found || kazaa_signature_found ||
|
|
http_signature_found || http_proxy_signature_found;
|
|
}
|
|
|
|
protected:
|
|
// We support both packet and stream input, and can be instantiated
|
|
// even if the TCP analyzer is not yet reassembling.
|
|
virtual void DeliverPacket(int len, const u_char* data, bool is_orig,
|
|
int seq, const IP_Hdr* ip, int caplen);
|
|
virtual void DeliverStream(int len, const u_char* data, bool is_orig);
|
|
|
|
void StatEvent();
|
|
void RemoveEvent();
|
|
|
|
BackDoorEndpoint* orig_endp;
|
|
BackDoorEndpoint* resp_endp;
|
|
|
|
int orig_stream_pos;
|
|
int resp_stream_pos;
|
|
|
|
double timeout;
|
|
double backoff;
|
|
};
|
|
|
|
class BackDoorTimer : public Timer {
|
|
public:
|
|
BackDoorTimer(double t, BackDoor_Analyzer* a);
|
|
~BackDoorTimer();
|
|
|
|
void Dispatch(double t, int is_expire);
|
|
|
|
protected:
|
|
BackDoor_Analyzer* analyzer;
|
|
};
|
|
|
|
#endif
|