path: root/epan/dissectors/packet-hpfeeds.c
authorEvan Huus <eapache@gmail.com>2013-04-02 15:55:35 +0000
committerEvan Huus <eapache@gmail.com>2013-04-02 15:55:35 +0000
commit0a264333210be6565353c41f689d2fb0922e246d (patch)
tree895be540ac20a077acc02b472f853884b22b09fc /epan/dissectors/packet-hpfeeds.c
parente8322532786fb40d9a2b6a72c4a515904e930f47 (diff)
From Sebastiano Di Paola via https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8461
Enhancements for the Honeypot Feeds dissector. From me: misc. cleanup, modelines, etc. svn path=/trunk/; revision=48698
Diffstat (limited to 'epan/dissectors/packet-hpfeeds.c')
-rw-r--r--epan/dissectors/packet-hpfeeds.c143
1 files changed, 116 insertions, 27 deletions
diff --git a/epan/dissectors/packet-hpfeeds.c b/epan/dissectors/packet-hpfeeds.c
index 8830452c6a..c569e5f0b7 100644
--- a/epan/dissectors/packet-hpfeeds.c
+++ b/epan/dissectors/packet-hpfeeds.c
@@ -37,8 +37,8 @@
#include "packet-tcp.h"
-#define HPFEEDS_PORT 10000
-
+/* Preferences */
+static guint hpfeeds_port_pref = 0;
static gboolean hpfeeds_desegment = TRUE;
static int proto_hpfeeds = -1;
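Review bot: `+static guint hpfeeds_port_pref = 0;` carries no comment, and 0 is not a neutral default: the handoff hunk later passes this value to `dissector_add_uint("tcp.port", ...)`, so out of the box the dissector is bound to TCP port 0, while the removed `HPFEEDS_PORT 10000` is not referenced anywhere else in the diff. If 10000 was the intended well-known port, initialise the preference with it, `static guint hpfeeds_port_pref = 10000; /* HPFEEDS TCP port, changeable via preferences */`; otherwise a one-line comment should say that the 0 default is deliberate and what it binds to.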
@@ -58,6 +58,8 @@ static int hf_hpfeeds_errmsg = -1;
static gint ett_hpfeeds = -1;
+static dissector_handle_t json_hdl;
+
/* OPCODE */
#define OP_ERROR 0 /* error message*/
#define OP_INFO 1 /* server name, nonce */
@@ -66,26 +68,54 @@ static gint ett_hpfeeds = -1;
#define OP_SUBSCRIBE 4 /* client id, channelname*/
+/* WELL-KNOWN CHANNELS */
+#define CH_EINVAL 0
+/* Dionaea honeypot */
+#define CH_DIONAEA_CAPTURE 1
+#define CH_DIONAEA_DCE 2
+#define CH_DIONAEA_SHELLCODE 3
+#define CH_DIONAEA_UINQUE 4
+#define CH_DIONAEA_CONNECTIONS 5
+/* Kippo honeypot */
+#define CH_KIPPO_SESSIONS 10
+/* Glastopf honeypot */
+#define CH_GLASTOPF_EVENTS 20
+/* Honeymap geoloc channel */
+#define CH_GEOLOC_EVENTS 30
+
/* OFFSET FOR HEADER */
#define HPFEEDS_OPCODE_OFFSET 4
#define HPFEEDS_HDR_LEN 5
-
-/* This value is equal to the number of elements inside the following structure
-* and should be updated in case new types of messages are added to the protocol
-*/
-#define HPFEEDS_IMPLEMENTED_OPCODE 5
-
static const value_string opcode_vals[] = {
- { OP_ERROR, "Error" },
- { OP_INFO, "Info" },
- { OP_AUTH, "Auth" },
- { OP_PUBLISH, "Publish" },
- { OP_SUBSCRIBE, "Subscribe" },
- { 0, NULL }
+ { OP_ERROR, "Error" },
+ { OP_INFO, "Info" },
+ { OP_AUTH, "Auth" },
+ { OP_PUBLISH, "Publish" },
+ { OP_SUBSCRIBE, "Subscribe" },
+ { 0, NULL },
};
+/*
+*
+* These values are the channel used by "most" spread and used honeypots
+* In case we have publish message in one of these channel we can decode
+* payload completely
+*
+*/
+static const value_string chan_vals[] = {
+ { CH_DIONAEA_CAPTURE, "dionaea.capture" },
+ { CH_DIONAEA_DCE, "dionaea.dcerpcrequests" },
+ { CH_DIONAEA_SHELLCODE, "dionaea.shellcodeprofiles" },
+ { CH_DIONAEA_UINQUE, "mwbinary.dionaea.sensorunique" },
+ { CH_DIONAEA_CONNECTIONS, "dionaea.connections" },
+ { CH_KIPPO_SESSIONS, "kippo.sessions" },
+ { CH_GEOLOC_EVENTS, "geoloc.events" },
+ { CH_GLASTOPF_EVENTS, "glastopf.events" },
+ { CH_EINVAL, NULL }
+};
+void proto_reg_handoff_hpfeeds(void);
static void
dissect_hpfeeds_error_pdu(tvbuff_t *tvb, proto_tree *tree, guint offset)
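Review bot: `CH_DIONAEA_UINQUE` is a misspelling of UNIQUE that propagates to the `chan_vals` entry and to the switch in the publish handler; since the name is new in this commit, renaming it now is cheap: `#define CH_DIONAEA_UNIQUE 4`. The comment above `chan_vals` reads awkwardly; something like `/* Channels used by the most widespread honeypots. A publish message on one of these channels carries a payload that can be decoded completely. */` states the intent more plainly (that the payload is JSON is only inferred from the switch that hands these channels to the json dissector). It is also worth a short comment noting that `CH_EINVAL` doubles as the terminator value of the table and as the "not found" result returned by `str_to_val`.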
@@ -137,9 +167,13 @@ dissect_hpfeeds_auth_pdu(tvbuff_t *tvb, proto_tree *tree, guint offset)
}
static void
-dissect_hpfeeds_publish_pdu(tvbuff_t *tvb, proto_tree *tree, guint offset)
+dissect_hpfeeds_publish_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
+ guint offset)
{
guint8 len = 0;
+ guint8 *strptr = NULL;
+ gint8 channel = CH_EINVAL;
+ tvbuff_t *json_tvb = NULL;
len = tvb_get_guint8(tvb, offset);
proto_tree_add_item(tree, hf_hpfeeds_ident_len, tvb, offset, 1,
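Review bot: `gint8 channel = CH_EINVAL;` is narrower than the lookup that fills it: `str_to_val` returns an unsigned 32-bit value as far as I recall, so the assignment truncates silently, and a future channel constant of 128 or more would fold into a negative value and miss every case label. Declaring it as `guint32 channel = CH_EINVAL;` matches the value_string API and costs nothing. The body of `dissect_hpfeeds_publish_pdu` continues past the end of this hunk.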
@@ -152,12 +186,35 @@ dissect_hpfeeds_publish_pdu(tvbuff_t *tvb, proto_tree *tree, guint offset)
proto_tree_add_item(tree, hf_hpfeeds_chan_len, tvb, offset, 1,
ENC_BIG_ENDIAN);
offset += 1;
-
+
+ /* get the channel name as ephemeral string just to make an attempt
+ * in order to decode more payload if channel is "well known"
+ */
+ strptr = tvb_get_ephemeral_string(tvb, offset, len);
proto_tree_add_item(tree, hf_hpfeeds_channel, tvb, offset, len,
ENC_BIG_ENDIAN);
offset += len;
+ channel = str_to_val(strptr, chan_vals, CH_EINVAL);
+ pinfo->private_data = strptr;
+ switch (channel) {
+ case CH_DIONAEA_CAPTURE:
+ case CH_DIONAEA_DCE:
+ case CH_DIONAEA_SHELLCODE:
+ case CH_DIONAEA_UINQUE:
+ case CH_DIONAEA_CONNECTIONS:
+ case CH_KIPPO_SESSIONS:
+ case CH_GLASTOPF_EVENTS:
+ case CH_GEOLOC_EVENTS:
+ json_tvb = tvb_new_subset(tvb, offset, -1, -1);
+ call_dissector(json_hdl, json_tvb, pinfo, tree);
+ break;
+ default:
+ proto_tree_add_item(tree, hf_hpfeeds_payload, tvb, offset, -1,
+ ENC_NA);
+ break;
+ }
+
- proto_tree_add_item(tree, hf_hpfeeds_payload, tvb, offset, -1, ENC_NA);
}
static void
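Review bot: `pinfo->private_data = strptr;` overwrites the caller's private_data unconditionally and never restores it; if the transport dissector that called this one stashed its own pointer there (TCP did in this era, as far as I recall), anything it reads after the call now sees an ephemeral channel-name string instead. It is also assigned on the default branch, where nothing consumes it. The switch repeats every entry of `chan_vals`, so the two must be kept in sync by hand, although `str_to_val` already returns `CH_EINVAL` for anything not in the table and `channel != CH_EINVAL` expresses the same decision. Scoping the assignment to the JSON branch and saving/restoring it around `call_dissector` addresses both, and a NULL check on `json_hdl` is cheap insurance because `call_dissector` does not treat a NULL handle as a no-op. The enclosing function starts before this hunk.
```c
    channel = str_to_val(strptr, chan_vals, CH_EINVAL);
    if (channel != CH_EINVAL && json_hdl != NULL) {
        /* Pass the channel name to the subdissector via private_data and
         * put back whatever the caller left there once it returns. */
        void *saved_private_data = pinfo->private_data;
        pinfo->private_data = strptr;
        json_tvb = tvb_new_subset(tvb, offset, -1, -1);
        call_dissector(json_hdl, json_tvb, pinfo, tree);
        pinfo->private_data = saved_private_data;
    } else {
        proto_tree_add_item(tree, hf_hpfeeds_payload, tvb, offset, -1, ENC_NA);
    }
```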
@@ -186,7 +243,7 @@ dissect_hpfeeds_subscribe_pdu(tvbuff_t *tvb, proto_tree *tree, guint offset)
static guint
get_hpfeeds_pdu_len(packet_info *pinfo _U_, tvbuff_t *tvb, int offset)
{
- return tvb_get_ntohl(tvb, offset);
+ return tvb_get_ntohl(tvb, offset + 0);
}
static void
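Review bot: `return tvb_get_ntohl(tvb, offset + 0);` adds nothing over the line it replaces; the `+ 0` reads like a leftover from an edit and makes a reader stop to work out which offset was meant. Either restore `return tvb_get_ntohl(tvb, offset);` or, if the intent is to document that the length field sits at the start of the header, say so directly with a comment such as `/* 4-byte big-endian total length at offset 0 of the header */`.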
@@ -213,7 +270,7 @@ dissect_hpfeeds_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
data_subtree = proto_item_add_subtree(ti, ett_hpfeeds);
offset += 1;
- if (opcode >= HPFEEDS_IMPLEMENTED_OPCODE) {
+ if (opcode >= array_length(opcode_vals) - 1) {
expert_add_info_format(pinfo, ti, PI_PROTOCOL, PI_WARN,
"Unknown value %02x for opcode field", opcode);
}
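Review bot: `opcode >= array_length(opcode_vals) - 1` replaces the explicit count with a check that is only right while `opcode_vals` stays dense, starts at 0 and keeps its NULL terminator last, none of which the table declaration states. `match_strval(opcode, opcode_vals) == NULL` asks the question that is actually meant (is this opcode known?) and stays correct if the table ever gains a gap. If the arithmetic form is kept, a comment beside it, `/* opcode_vals holds opcodes 0..N-1 plus a NULL terminator */`, records the assumption for the next editor. `dissect_hpfeeds_pdu` starts and ends outside this hunk.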
@@ -230,7 +287,7 @@ dissect_hpfeeds_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
dissect_hpfeeds_auth_pdu(tvb, data_subtree, offset);
break;
case OP_PUBLISH:
- dissect_hpfeeds_publish_pdu(tvb, data_subtree, offset);
+ dissect_hpfeeds_publish_pdu(tvb, pinfo, data_subtree, offset);
break;
case OP_SUBSCRIBE:
dissect_hpfeeds_subscribe_pdu(tvb, data_subtree, offset);
@@ -368,21 +425,53 @@ proto_register_hpfeeds(void)
proto_register_field_array(proto_hpfeeds, hf, array_length(hf));
proto_register_subtree_array(ett, array_length(ett));
- hpfeeds_module = prefs_register_protocol(proto_hpfeeds, NULL);
+ hpfeeds_module = prefs_register_protocol(proto_hpfeeds, proto_reg_handoff_hpfeeds);
prefs_register_bool_preference(hpfeeds_module, "desegment_hpfeeds_messages",
"Reassemble HPFEEDS messages spanning multiple TCP segments",
- "Whether the HPFEEDS dissector should reassemble messages spanning \
- multiple TCP segments. "
- "To use this option, you must also enable \"Allow subdissectors to \
- reassemble TCP streams\" in the TCP protocol settings.",
+ "Whether the HPFEEDS dissector should reassemble messages spanning "
+ "multiple TCP segments. "
+ "To use this option, you must also enable \"Allow subdissectors to "
+ "reassemble TCP streams\" in the TCP protocol settings.",
&hpfeeds_desegment);
+
+ prefs_register_uint_preference(hpfeeds_module,
+ "dissector_port",
+ "Dissector TCP port",
+ "Set the TCP port for HPFEEDS messages",
+ 10, &hpfeeds_port_pref);
}
void
proto_reg_handoff_hpfeeds(void)
{
static dissector_handle_t hpfeeds_handle;
+ static gboolean hpfeeds_prefs_initialized = FALSE;
+ static gint16 hpfeeds_dissector_port;
+
+ if (!hpfeeds_prefs_initialized) {
+ hpfeeds_handle = create_dissector_handle(dissect_hpfeeds, proto_hpfeeds);
+ hpfeeds_prefs_initialized = TRUE;
+ }
+ else {
+ dissector_delete_uint("tcp.port",hpfeeds_dissector_port , hpfeeds_handle);
+ }
+
+ hpfeeds_dissector_port = hpfeeds_port_pref;
- hpfeeds_handle = create_dissector_handle(dissect_hpfeeds, proto_hpfeeds);
- dissector_add_handle("tcp.port", hpfeeds_handle);
+ dissector_add_uint("tcp.port", hpfeeds_dissector_port, hpfeeds_handle);
+
+ json_hdl = find_dissector("json");
}
+
+/*
+ * Editor modelines - http://www.wireshark.org/tools/modelines.html
+ *
+ * Local variables:
+ * c-basic-offset: 4
+ * tab-width: 8
+ * indent-tabs-mode: nil
+ * End:
+ *
+ * vi: set shiftwidth=4 tabstop=8 expandtab:
+ * :indentSize=4:tabSize=8:noTabs=true:
+ */