diff options
author | Alexis La Goutte <alexis.lagoutte@gmail.com> | 2020-06-22 09:12:35 +0200 |
---|---|---|
committer | Anders Broman <a.broman58@gmail.com> | 2020-08-08 09:56:03 +0000 |
commit | f5a8c08b1206bf4ddbbc07c3dc2e19ca6607dd15 (patch) | |
tree | 2d56643717909669ee4badb62901cc3ffeba1053 | |
parent | fd03c85d0f5c1e17337c2c1380e6018679f2e9c6 (diff) |
Add FSSO (Fortinet Single Sign-On) Dissector
It is send from DCAgent to FSSO collector using UDP 8002 packet
It is based on analysis of protocol (and log)
Bug: 16657
Change-Id: I2e23a403a103c25820d714446d4e3245af04e876
Reviewed-on: https://code.wireshark.org/review/37547
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
-rw-r--r-- | docbook/release-notes.adoc | 4 | ||||
-rw-r--r-- | epan/dissectors/CMakeLists.txt | 1 | ||||
-rw-r--r-- | epan/dissectors/packet-fortinet-sso.c | 239 |
3 files changed, 244 insertions, 0 deletions
diff --git a/docbook/release-notes.adoc b/docbook/release-notes.adoc index aa4f69db0d..5358e6a9ca 100644 --- a/docbook/release-notes.adoc +++ b/docbook/release-notes.adoc @@ -68,7 +68,11 @@ ScyllaDB RPC Dynamic Link Exchange Protocol (DLEP) LBM Stateful Resolution Service (LBMSRS) Asphodel Protocol +<<<<<<< HEAD Technically Enhanced Capture Module Protocol (TECMP) +======= +Fortinet Single Sign-on (FSSO) +>>>>>>> WIP: Add FSSO (Fortinet Single Sign-On) Dissector -- === Updated Protocol Support diff --git a/epan/dissectors/CMakeLists.txt b/epan/dissectors/CMakeLists.txt index 14ae2d9a6a..d4a6e231e4 100644 --- a/epan/dissectors/CMakeLists.txt +++ b/epan/dissectors/CMakeLists.txt @@ -1057,6 +1057,7 @@ set(DISSECTOR_SRC ${CMAKE_CURRENT_SOURCE_DIR}/packet-fmtp.c ${CMAKE_CURRENT_SOURCE_DIR}/packet-force10-oui.c ${CMAKE_CURRENT_SOURCE_DIR}/packet-forces.c + ${CMAKE_CURRENT_SOURCE_DIR}/packet-fortinet-sso.c ${CMAKE_CURRENT_SOURCE_DIR}/packet-foundry.c ${CMAKE_CURRENT_SOURCE_DIR}/packet-fp_hint.c ${CMAKE_CURRENT_SOURCE_DIR}/packet-fp_mux.c diff --git a/epan/dissectors/packet-fortinet-sso.c b/epan/dissectors/packet-fortinet-sso.c new file mode 100644 index 0000000000..660a0db2ed --- /dev/null +++ b/epan/dissectors/packet-fortinet-sso.c @@ -0,0 +1,239 @@ +/* packet-fortinet-sso.c + * Routines for Fortinet Single Sign-On + * Copyright 2020, Alexis La Goutte <alexis.lagoutte at gmail dot com> + * + * Wireshark - Network traffic analyzer + * By Gerald Combs <gerald@wireshark.org> + * Copyright 1998 Gerald Combs + * + * SPDX-License-Identifier: GPL-2.0-or-later + * + * No spec/doc is available based on reverse/analysis of protocol... + */ + +#include "config.h" + +#include <epan/packet.h> +#include <epan/addr_resolv.h> + +#define UDP_FSSO 8002 + +void proto_register_fortinet_sso(void); +void proto_reg_handoff_fortinet_sso(void); + +static int proto_fortinet_sso = -1; +static gint ett_fortinet_sso = -1; + +static int hf_fsso_length = -1; +static int hf_fsso_timestamp = -1; +static int hf_fsso_client_ip = -1; +static int hf_fsso_payload_length = -1; +static int hf_fsso_string = -1; +static int hf_fsso_domain = -1; +static int hf_fsso_user = -1; +static int hf_fsso_host = -1; +static int hf_fsso_version = -1; +static int hf_fsso_tsagent_port_range_min = -1; +static int hf_fsso_tsagent_port_range_max = -1; +static int hf_fsso_unknown = -1; + +static dissector_handle_t fortinet_sso_handle; + +static int +dissect_fortinet_sso(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_) +{ + proto_tree *ti; + proto_tree *fsso_tree; + guint32 payload_length, client_ip; + gint string_length = -1; + const gchar *string; + gint32 len; + int offset = 0; + + col_set_str(pinfo->cinfo, COL_PROTOCOL, "FSSO"); + col_clear(pinfo->cinfo, COL_INFO); + col_add_fstr(pinfo->cinfo, COL_INFO, "Fortinet Single Sign-On"); + + ti = proto_tree_add_item(tree, proto_fortinet_sso, tvb, 0, -1, ENC_NA); + fsso_tree = proto_item_add_subtree(ti, ett_fortinet_sso); + + proto_tree_add_item(fsso_tree, hf_fsso_length, tvb, offset, 2, ENC_BIG_ENDIAN); + offset += 2; + + proto_tree_add_item(fsso_tree, hf_fsso_timestamp, tvb, offset, 4, ENC_BIG_ENDIAN); + offset += 4; + + proto_tree_add_item(fsso_tree, hf_fsso_client_ip, tvb, offset, 4, ENC_BIG_ENDIAN); + client_ip = tvb_get_ipv4(tvb, offset); + offset += 4; + + proto_tree_add_item_ret_uint(fsso_tree, hf_fsso_payload_length, tvb, offset, 2, ENC_BIG_ENDIAN, &payload_length); + offset += 2; + + string = tvb_get_stringz_enc(pinfo->pool, tvb, offset, &string_length, ENC_ASCII); + proto_tree_add_item(fsso_tree, hf_fsso_string, tvb, offset, string_length, ENC_ASCII|ENC_NA); + col_set_str(pinfo->cinfo, COL_INFO, string); + + if(client_ip == 0xFFFFFFFF) { //if client_ip equal 255.255.255.255 (0xFFFFFFFF) is KeepAlive packet + /* Domain / KeepAlive (User) / Version */ + len = tvb_find_guint8(tvb, offset, string_length, '/') - offset; + proto_tree_add_item(fsso_tree, hf_fsso_domain, tvb, offset, len, ENC_ASCII|ENC_NA); + offset += (len + 1); + string_length -= (len + 1); + + len = tvb_find_guint8(tvb, offset, string_length, '/') - offset; + proto_tree_add_item(fsso_tree, hf_fsso_user, tvb, offset, len, ENC_ASCII|ENC_NA); + offset += (len + 1); + string_length -= (len + 1); + + proto_tree_add_item(fsso_tree, hf_fsso_version, tvb, offset, string_length, ENC_ASCII|ENC_NA); + offset += (string_length); + + } else { + /* Host / Domain / User */ + len = tvb_find_guint8(tvb, offset, string_length, '/') - offset; + proto_tree_add_item(fsso_tree, hf_fsso_host, tvb, offset, len, ENC_ASCII|ENC_NA); + offset += (len + 1); + string_length -= (len + 1); + + len = tvb_find_guint8(tvb, offset, string_length, '/') - offset; + proto_tree_add_item(fsso_tree, hf_fsso_domain, tvb, offset, len, ENC_ASCII|ENC_NA); + offset += (len + 1); + string_length -= (len + 1); + + proto_tree_add_item(fsso_tree, hf_fsso_user, tvb, offset, string_length, ENC_ASCII|ENC_NA); + offset += (string_length); + } + + if(tvb_reported_length_remaining(tvb, offset)){ + proto_tree_add_item(fsso_tree, hf_fsso_unknown, tvb, offset, 15, ENC_NA); + offset += 15; + + proto_tree_add_item(fsso_tree, hf_fsso_unknown, tvb, offset, 5, ENC_NA); + offset += 5; + + proto_tree_add_item(fsso_tree, hf_fsso_unknown, tvb, offset, 8, ENC_NA); + offset += 8; + + proto_tree_add_item(fsso_tree, hf_fsso_tsagent_port_range_min, tvb, offset, 2, ENC_BIG_ENDIAN); + offset += 2; + + proto_tree_add_item(fsso_tree, hf_fsso_tsagent_port_range_max, tvb, offset, 2, ENC_BIG_ENDIAN); + offset += 2; + } + + return offset; +} + +static gboolean +dissect_fortinet_fsso_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data) +{ + guint32 length_remaining, length; + + if (tvb_captured_length(tvb) < 2) { + return FALSE; + } + + length_remaining = tvb_reported_length_remaining(tvb, 0); + //first bytes is the length of payload + length = tvb_get_ntohs(tvb, 0); + if(length_remaining != length) + { + return FALSE; + } + + //always send with UDP Destination Port 80002 + if(pinfo->destport != UDP_FSSO) + { + return FALSE; + } + + dissect_fortinet_sso(tvb, pinfo, tree, data); + return TRUE; +} + +void +proto_register_fortinet_sso(void) +{ + static hf_register_info hf[] = { + { &hf_fsso_length, + { "Length", "fortinet_sso.length", FT_UINT16, BASE_DEC, NULL, 0x0, + NULL, HFILL}}, + + { &hf_fsso_timestamp, + { "Timestamp", "fortinet_sso.timestamp", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0, + NULL, HFILL}}, + + { &hf_fsso_client_ip, + { "Client IP", "fortinet_sso.client_ip", FT_IPv4, BASE_NONE, NULL, 0x0, + NULL, HFILL}}, + + { &hf_fsso_payload_length, + { "Payload Length", "fortinet_sso.payload_length", FT_UINT16, BASE_DEC, NULL, 0x0, + NULL, HFILL}}, + + { &hf_fsso_string, + { "String", "fortinet_sso.string", FT_STRING, BASE_NONE, NULL, 0x0, + NULL, HFILL}}, + + { &hf_fsso_user, + { "User", "fortinet_sso.user", FT_STRING, BASE_NONE, NULL, 0x0, + NULL, HFILL}}, + + { &hf_fsso_domain, + { "Domain", "fortinet_sso.domain", FT_STRING, BASE_NONE, NULL, 0x0, + NULL, HFILL}}, + + { &hf_fsso_host, + { "Host", "fortinet_sso.host", FT_STRING, BASE_NONE, NULL, 0x0, + NULL, HFILL}}, + + { &hf_fsso_version, + { "Version", "fortinet_sso.version", FT_STRING, BASE_NONE, NULL, 0x0, + NULL, HFILL}}, + + { &hf_fsso_tsagent_port_range_min, + { "Port Range (Min)", "fortinet_sso.tsagent.port_range.min", FT_UINT16, BASE_DEC, NULL, 0x0, + NULL, HFILL}}, + + { &hf_fsso_tsagent_port_range_max, + { "Port Range (Max)", "fortinet_sso.tsagent.port_range.max", FT_UINT16, BASE_DEC, NULL, 0x0, + NULL, HFILL}}, + + { &hf_fsso_unknown, + { "Unknown", "fortinet_sso.unknown", FT_BYTES, BASE_NONE, NULL, 0x0, + "Unknown Data...", HFILL}}, + + }; + + static gint *ett[] = { + &ett_fortinet_sso, + }; + + proto_fortinet_sso = proto_register_protocol("Fortinet Single Sign On", "fortinet_sso", "fortinet_sso"); + fortinet_sso_handle = register_dissector("fortinet_sso", dissect_fortinet_sso, proto_fortinet_sso); + + proto_register_field_array(proto_fortinet_sso, hf, array_length(hf)); + proto_register_subtree_array(ett, array_length(ett)); +} + + +void +proto_reg_handoff_fortinet_sso(void) +{ + dissector_add_uint_with_preference("udp.port", 0, fortinet_sso_handle); + heur_dissector_add("udp", dissect_fortinet_fsso_heur, "fortinet_sso", "fortinet_sso", proto_fortinet_sso, HEURISTIC_ENABLE); +} + +/* + * Editor modelines - https://www.wireshark.org/tools/modelines.html + * + * Local variables: + * c-basic-offset: 4 + * tab-width: 8 + * indent-tabs-mode: nil + * End: + * + * vi: set shiftwidth=4 tabstop=8 expandtab: + * :indentSize=4:tabSize=8:noTabs=true: + */ |