From c3a49fd7b5308eb4e83d146a7654a49782ff0f1a Mon Sep 17 00:00:00 2001
From: Joshua Drake
Date: Mon, 30 Nov 2015 13:14:02 -0800
Subject: [PATCH 1/1] Initial commit (maybe fixed the bug?)

---
 Makefile | 12 +++
 p0f-client-exim.c | 247 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 259 insertions(+)
 create mode 100644 Makefile
 create mode 100644 p0f-client-exim.c

diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..b39c5d7
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,12 @@
+SRC := p0f-client-exim.c
+OUT := p0f-client-exim
+CC := /home/zamnedix/local/1/bin/gcc
+CFLAGS := -O2 -march=native -pipe
+DBG_CFLAGS := -Wall -Og -ggdb
+
+all:
+ ${CC} ${CFLAGS} ${SRC} -o ${OUT}
+debug:
+ ${CC} ${DBG_CFLAGS} ${SRC} -o ${OUT}
+test:
+ ./${OUT} ~/tmp/p0f.sock "2001:4830:134:3::11"; echo
diff --git a/p0f-client-exim.c b/p0f-client-exim.c
new file mode 100644
index 0000000..e907f08
--- /dev/null
+++ b/p0f-client-exim.c
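Review bot: `CC := /home/zamnedix/local/1/bin/gcc` pins the compiler to one user's home directory, so `make` fails on any other machine; `CC ?= gcc` (and likewise `CFLAGS ?=`) lets the environment override it while keeping the local default. `-march=native` additionally ties the produced binary to the build host's CPU, which is fine for a local tool but deserves a comment since `debug` and `all` both write the same `${OUT}` and the last one built wins. The `test` recipe bakes in `~/tmp/p0f.sock` and one specific address; lifting them into overridable variables (constructed example: `SOCK ?= ~/tmp/p0f.sock`) keeps the target usable elsewhere.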
@@ -0,0 +1,247 @@
+/*
+ p0f-client - simple API client
+ ------------------------------
+
+ Can be used to query p0f API sockets.
+
+ Copyright (C) 2012 by Michal Zalewski
+
+ Distributed under the terms and conditions of GNU LGPL.
+
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "../types.h"
+#include "../config.h"
+#include "../alloc-inl.h"
+#include "../debug.h"
+#include "../api.h"
+
+/* Parse IPv4 address into a buffer. */
+
+static void parse_addr4(char* str, u8* ret) {
+
+ u32 a1, a2, a3, a4;
+
+ if (sscanf(str, "%u.%u.%u.%u", &a1, &a2, &a3, &a4) != 4) {
+ SAYF("Malformed IPv4 address.");
+ exit(1);
+ }
+
+ if (a1 > 255 || a2 > 255 || a3 > 255 || a4 > 255) {
+ SAYF("Malformed IPv4 address.");
+ exit(1);
+ }
+
+ ret[0] = a1;
+ ret[1] = a2;
+ ret[2] = a3;
+ ret[3] = a4;
+
+}
+
+
+/* Parse IPv6 address into a buffer. */
+
+static void parse_addr6(char* str, u8* ret) {
+
+ u32 seg = 0;
+ u32 val;
+
+ while (*str) {
+
+ if (seg == 8) {
+ SAYF("Malformed IPv6 address (too many segments).");
+ exit(1);
+ }
+
+
+ if (*str == ':') { val = 0; }
+ else if (sscanf((char*)str, "%x", &val) != 1 || val > 65535) {
+ SAYF("Malformed IPv6 address (bad octet value).");
+ exit(1);
+ }
+
+ SAYF("str %s val %d\n", str, val);
+
+ ret[seg * 2] = val >> 8;
+ ret[seg * 2 + 1] = val;
+
+ seg++;
+
+ while (isxdigit(*str)) str++;
+ if (*str) str++;
+
+ }
+
+ if (seg != 6) {
+ SAYF("Malformed IPv6 address (incorrect number of segments parsed)");
+ exit(1);
+ }
+
+}
+
+
+int main(int argc, char** argv) {
+
+ u8 tmp[128];
+ struct tm* t;
+
+ static struct p0f_api_query q;
+ static struct p0f_api_response r;
+
+ static struct sockaddr_un sun;
+
+ s32 sock;
+ time_t ut;
+
+ if (argc != 3) {
+ ERRORF("Usage: p0f-client /path/to/socket host_ip\n");
+ exit(1);
+ }
+
+ q.magic = P0F_QUERY_MAGIC;
+
+ if (strchr(argv[2], ':')) {
+
+ parse_addr6(argv[2], q.addr);
+ q.addr_type = P0F_ADDR_IPV6;
+
+ } else {
+
+ parse_addr4(argv[2], q.addr);
+ q.addr_type = P0F_ADDR_IPV4;
+
+ }
+
+ sock = socket(PF_UNIX, SOCK_STREAM, 0);
+
+ if (sock < 0) {
+ SAYF("Call to socket() failed.");
+ return 1;
+ }
+
+ sun.sun_family = AF_UNIX;
+
+ if (strlen(argv[1]) >= sizeof(sun.sun_path)) {
+ SAYF("API socket filename is too long for sockaddr_un (blame Unix).");
+ return 1;
+ }
+
+ strcpy(sun.sun_path, argv[1]);
+
+ if (connect(sock, (struct sockaddr*)&sun, sizeof(sun))) {
+ SAYF("Can't connect to API socket.");
+ return 1;
+ }
+
+ if (write(sock, &q, sizeof(struct p0f_api_query)) !=
+ sizeof(struct p0f_api_query)) {
+ SAYF("Short write to API socket.");
+ return 1;
+ }
+
+ if (read(sock, &r, sizeof(struct p0f_api_response)) !=
+ sizeof(struct p0f_api_response)) {
+ SAYF("Short read from API socket.");
+ }
+
+ close(sock);
+
+ if (r.magic != P0F_RESP_MAGIC) {
+ SAYF("Bad response magic (0x%08x).\n", r.magic);
+ return 1;
+ }
+
+ if (r.status == P0F_STATUS_BADQUERY) {
+ SAYF("P0f did not understand the query.\n");
+ return 1;
+ }
+
+ if (r.status == P0F_STATUS_NOMATCH) {
+ SAYF("No matching host in p0f cache. That's all we know.\n");
+ return 0;
+ }
+
+ ut = r.first_seen;
+ t = localtime(&ut);
+ strftime((char*)tmp, 128, "%Y/%m/%d %H:%M:%S", t);
+
+// SAYF("First seen = %s\n", tmp);
+
+ ut = r.last_seen;
+ t = localtime(&ut);
+ strftime((char*)tmp, 128, "%Y/%m/%d %H:%M:%S", t);
+
+// SAYF("Last update = %s\n", tmp);
+
+// SAYF("Total flows = %u\n", r.total_conn);
+
+ if (!r.os_name[0])
+ SAYF("Genre and OS details not recognized.");
+ else
+ SAYF("%s %s%s%s", r.os_name, r.os_flavor,
+ (r.os_match_q & P0F_MATCH_GENERIC) ? " [generic]" : "",
+ (r.os_match_q & P0F_MATCH_FUZZY) ? " [fuzzy]" : "");
+
+// if (!r.http_name[0])
+// SAYF("HTTP software = ???\n");
+// else
+// SAYF("HTTP software = %s %s (ID %s)\n", r.http_name, r.http_flavor,
+// (r.bad_sw == 2) ? "is fake" : (r.bad_sw ? "OS mismatch" : "seems legit"));
+//
+// if (!r.link_type[0])
+// SAYF("Network link = ???\n");
+// else
+// SAYF("Network link = %s\n", r.link_type);
+//
+// if (!r.language[0])
+// SAYF("Language = ???\n");
+// else
+// SAYF("Language = %s\n", r.language);
+//
+//
+// if (r.distance == -1)
+// SAYF("Distance = ???\n");
+// else
+// SAYF("Distance = %u\n", r.distance);
+//
+// if (r.last_nat) {
+// ut = r.last_nat;
+// t = localtime(&ut);
+// strftime((char*)tmp, 128, "%Y/%m/%d %H:%M:%S", t);
+// SAYF("IP sharing = %s\n", tmp);
+// }
+//
+// if (r.last_chg) {
+// ut = r.last_chg;
+// t = localtime(&ut);
+// strftime((char*)tmp, 128, "%Y/%m/%d %H:%M:%S", t);
+// SAYF("Sys change = %s\n", tmp);
+// }
+//
+// if (r.uptime_min) {
+// SAYF("Uptime = %u days %u hrs %u min (modulo %u days)\n",
+// r.uptime_min / 60 / 24, (r.uptime_min / 60) % 24, r.uptime_min % 60,
+// r.up_mod_days);
+// }
+
+ return 0;
+
+}
+
-- 
2.25.1
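Review bot: parse_addr6 still mishandles `::` — the `if (*str == ':') { val = 0; }` branch emits a single zero segment instead of expanding the gap to fill eight, and the trailing `if (seg != 6)` rejects every fully written 8-segment address while accepting only inputs that happen to yield six, so the Makefile's own test address `2001:4830:134:3::11` is packed with 0x11 in segment 5 rather than segment 7 and the query is sent for the wrong host. Rather than repairing the hand-rolled loop, the whole body can be `if (inet_pton(AF_INET6, str, ret) != 1) { SAYF("Malformed IPv6 address."); exit(1); }`, which assumes `<arpa/inet.h>` is among the include lines whose names were lost in this rendering and that `ret` spans 16 bytes, which the existing `ret[seg * 2 + 1]` writes for seg up to 7 already require. The unconditional `SAYF("str %s val %d\n", str, val);` is leftover debug output (and pairs `%d` with a `u32`) and should be removed. In main, the short-read branch prints `"Short read from API socket."` but does not `return 1`, so a truncated response is still checked against `r.magic` and its fields printed; add the return, and since `read()` on a stream socket may legitimately deliver fewer than `sizeof(struct p0f_api_response)` bytes in one call, loop until the full struct has arrived or `read()` returns 0 or -1 before trusting `r`.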