mirror of
https://github.com/zeek/zeek.git
synced 2025-10-01 22:28:20 +00:00
114 lines
3 KiB
C++
114 lines
3 KiB
C++
// See the file "COPYING" in the main distribution directory for copyright.
|
|
|
|
#pragma once
|
|
|
|
// A very crude analyzer for NCP (Netware Core Protocol)
|
|
//
|
|
// For a brief introduction to NCP, take a look at:
|
|
//
|
|
// http://www.protocols.com/pbook/testcss.htm
|
|
//
|
|
// For list of function codes:
|
|
//
|
|
// http://faydoc.tripod.com/structures/20/2095.htm
|
|
//
|
|
// And for layout of individual request/reply packets, look at the following
|
|
// pages under http://faydoc.tripod.com/structures/, such as:
|
|
//
|
|
// http://faydoc.tripod.com/structures/21/2149.htm
|
|
|
|
#include "zeek/analyzer/protocol/tcp/TCP.h"
|
|
|
|
#include "analyzer/protocol/ncp/ncp_pac.h"
|
|
|
|
namespace zeek::analyzer::ncp {
|
|
namespace detail {
|
|
|
|
// Create a general NCP_Session class so that it can be used in
|
|
// case the RPC conversation is tunneled through other connections,
|
|
// e.g., through an SMB session.
|
|
|
|
class NCP_Session {
|
|
public:
|
|
explicit NCP_Session(analyzer::Analyzer* analyzer);
|
|
|
|
void Deliver(bool is_orig, int len, const u_char* data);
|
|
|
|
static bool any_ncp_event() { return ncp_request || ncp_reply; }
|
|
|
|
protected:
|
|
void DeliverFrame(const binpac::NCP::ncp_frame* frame);
|
|
|
|
analyzer::Analyzer* analyzer;
|
|
int req_frame_type;
|
|
int req_func;
|
|
};
|
|
|
|
class FrameBuffer {
|
|
public:
|
|
explicit FrameBuffer(size_t header_length);
|
|
virtual ~FrameBuffer();
|
|
|
|
// Returns -1 if frame is not ready, 0 if it else, and 1 if
|
|
// the frame would require too large of a buffer allocation.
|
|
int Deliver(int& len, const u_char*& data);
|
|
|
|
void Reset();
|
|
|
|
const u_char* Data() const { return msg_buf; }
|
|
int Len() const { return msg_len; }
|
|
bool empty() const { return buf_n == 0; }
|
|
|
|
protected:
|
|
virtual void compute_msg_length() = 0;
|
|
|
|
size_t hdr_len;
|
|
u_char* msg_buf;
|
|
uint64_t msg_len;
|
|
size_t buf_n; // number of bytes in msg_buf
|
|
size_t buf_len; // size off msg_buf
|
|
};
|
|
|
|
constexpr int NCP_TCPIP_HEADER_LENGTH = 8;
|
|
|
|
class NCP_FrameBuffer : public FrameBuffer {
|
|
public:
|
|
NCP_FrameBuffer() : FrameBuffer(NCP_TCPIP_HEADER_LENGTH) {}
|
|
|
|
protected:
|
|
void compute_msg_length() override;
|
|
};
|
|
|
|
} // namespace detail
|
|
|
|
class Contents_NCP_Analyzer : public analyzer::tcp::TCP_SupportAnalyzer {
|
|
public:
|
|
Contents_NCP_Analyzer(Connection* conn, bool orig, detail::NCP_Session* session);
|
|
~Contents_NCP_Analyzer() override = default;
|
|
|
|
protected:
|
|
void DeliverStream(int len, const u_char* data, bool orig) override;
|
|
void Undelivered(uint64_t seq, int len, bool orig) override;
|
|
|
|
detail::NCP_FrameBuffer buffer;
|
|
detail::NCP_Session* session;
|
|
|
|
// Re-sync for partial connections (or after a content gap).
|
|
bool resync;
|
|
bool resync_set;
|
|
};
|
|
|
|
class NCP_Analyzer : public analyzer::tcp::TCP_ApplicationAnalyzer {
|
|
public:
|
|
explicit NCP_Analyzer(Connection* conn);
|
|
~NCP_Analyzer() override;
|
|
|
|
static analyzer::Analyzer* Instantiate(Connection* conn) { return new NCP_Analyzer(conn); }
|
|
|
|
protected:
|
|
detail::NCP_Session* session;
|
|
Contents_NCP_Analyzer* o_ncp;
|
|
Contents_NCP_Analyzer* r_ncp;
|
|
};
|
|
|
|
} // namespace zeek::analyzer::ncp
|