[p0f-client-exim.git] / p0f-client.c

/*
   p0f-client - simple API client
   ------------------------------

   Can be used to query p0f API sockets.

   Copyright (C) 2012 by Michal Zalewski <lcamtuf@coredump.cx>

   Distributed under the terms and conditions of GNU LGPL.

 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <netdb.h>
#include <errno.h>
#include <ctype.h>
#include <time.h>

#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <sys/un.h>

#include "../types.h"
#include "../config.h"
#include "../alloc-inl.h"
#include "../debug.h"
#include "../api.h"

/* Parse IPv4 address into a buffer. */

static void parse_addr4(char* str, u8* ret) {

  u32 a1, a2, a3, a4;

  if (sscanf(str, "%u.%u.%u.%u", &a1, &a2, &a3, &a4) != 4)
    FATAL("Malformed IPv4 address.");

  if (a1 > 255 || a2 > 255 || a3 > 255 || a4 > 255)
    FATAL("Malformed IPv4 address.");

  ret[0] = a1;
  ret[1] = a2;
  ret[2] = a3;
  ret[3] = a4;

}


/* Parse IPv6 address into a buffer. */

static void parse_addr6(char* str, u8* ret) {

  u32 seg = 0;
  u32 val;

  while (*str) {

    if (seg == 8) FATAL("Malformed IPv6 address (too many segments).");

    if (sscanf((char*)str, "%x", &val) != 1 ||
        val > 65535) FATAL("Malformed IPv6 address (bad octet value).");

    ret[seg * 2] = val >> 8;
    ret[seg * 2 + 1] = val;

    seg++;

    while (isxdigit(*str)) str++;
    if (*str) str++;
    // ian: added this to get beyond ::
    if (*str && !isxdigit(*str)) str++;

  }

  // iank: commented. exim abbreviates but its consistent. and ip addr is only used
  // to identify host, some misplaced leading zeros will not end up making 2
  // ipv6 addresses from the internet be the same in practice.
  //if (seg != 8) FATAL("Malformed IPv6 address (don't abbreviate).");

}


int main(int argc, char** argv) {

  u8 tmp[128];
  struct tm* t;

  static struct p0f_api_query q;
  static struct p0f_api_response r;

  static struct sockaddr_un sun;

  s32  sock;
  time_t ut;

  if (argc != 3) {
    ERRORF("Usage: p0f-client /path/to/socket host_ip\n");
    exit(1);
  }

  q.magic = P0F_QUERY_MAGIC;

  if (strchr(argv[2], ':')) {

    parse_addr6(argv[2], q.addr);
    q.addr_type = P0F_ADDR_IPV6;

  } else {

    parse_addr4(argv[2], q.addr);
    q.addr_type = P0F_ADDR_IPV4;

  }

  sock = socket(PF_UNIX, SOCK_STREAM, 0);

  if (sock < 0) PFATAL("Call to socket() failed.");

  sun.sun_family = AF_UNIX;

  if (strlen(argv[1]) >= sizeof(sun.sun_path))
    FATAL("API socket filename is too long for sockaddr_un (blame Unix).");

  strcpy(sun.sun_path, argv[1]);

  if (connect(sock, (struct sockaddr*)&sun, sizeof(sun)))
    PFATAL("Can't connect to API socket.");

  if (write(sock, &q, sizeof(struct p0f_api_query)) !=
      sizeof(struct p0f_api_query)) FATAL("Short write to API socket.");

  if (read(sock, &r, sizeof(struct p0f_api_response)) !=
      sizeof(struct p0f_api_response)) FATAL("Short read from API socket.");

  close(sock);

  if (r.magic != P0F_RESP_MAGIC)
    FATAL("Bad response magic (0x%08x).\n", r.magic);

  if (r.status == P0F_STATUS_BADQUERY)
    FATAL("P0f did not understand the query.\n");

  if (r.status == P0F_STATUS_NOMATCH) {
    SAYF("No matching host in p0f cache. That's all we know.\n");
    return 0;
  }

  ut = r.first_seen;
  t = localtime(&ut);
  strftime((char*)tmp, 128, "%Y/%m/%d %H:%M:%S", t);

  SAYF("First seen    = %s\n", tmp);

  ut = r.last_seen;
  t = localtime(&ut);
  strftime((char*)tmp, 128, "%Y/%m/%d %H:%M:%S", t);

//  SAYF("Last update   = %s\n", tmp);

//  SAYF("Total flows   = %u\n", r.total_conn);

  if (!r.os_name[0])
    SAYF("Detected OS   = ???\n");
  else
    SAYF("Detected OS   = %s %s%s%s\n", r.os_name, r.os_flavor,
         (r.os_match_q & P0F_MATCH_GENERIC) ? " [generic]" : "",
         (r.os_match_q & P0F_MATCH_FUZZY) ? " [fuzzy]" : "");

//  if (!r.http_name[0])
//    SAYF("HTTP software = ???\n");
//  else
//    SAYF("HTTP software = %s %s (ID %s)\n", r.http_name, r.http_flavor,
//         (r.bad_sw == 2) ? "is fake" : (r.bad_sw ? "OS mismatch" : "seems legit"));
//
//  if (!r.link_type[0])
//    SAYF("Network link  = ???\n");
//  else
//    SAYF("Network link  = %s\n", r.link_type);
//
//  if (!r.language[0])
//    SAYF("Language      = ???\n");
//  else
//    SAYF("Language      = %s\n", r.language);
//
//
//  if (r.distance == -1)
//    SAYF("Distance      = ???\n");
//  else
//    SAYF("Distance      = %u\n", r.distance);
//
//  if (r.last_nat) {
//    ut = r.last_nat;
//    t = localtime(&ut);
//    strftime((char*)tmp, 128, "%Y/%m/%d %H:%M:%S", t);
//    SAYF("IP sharing    = %s\n", tmp);
//  }
//
//  if (r.last_chg) {
//    ut = r.last_chg;
//    t = localtime(&ut);
//    strftime((char*)tmp, 128, "%Y/%m/%d %H:%M:%S", t);
//    SAYF("Sys change    = %s\n", tmp);
//  }
//
//  if (r.uptime_min) {
//    SAYF("Uptime        = %u days %u hrs %u min (modulo %u days)\n",
//         r.uptime_min / 60 / 24, (r.uptime_min / 60) % 24, r.uptime_min % 60,
//         r.up_mod_days);
//  }

  return 0;

}
Commit	Line	Data
c3a49fd7 JD	1	/*
	2	p0f-client - simple API client
	3	------------------------------
	4
	5	Can be used to query p0f API sockets.
	6
	7	Copyright (C) 2012 by Michal Zalewski <lcamtuf@coredump.cx>
	8
	9	Distributed under the terms and conditions of GNU LGPL.
	10
	11	*/
	12
	13	#include <stdio.h>
	14	#include <stdlib.h>
	15	#include <unistd.h>
	16	#include <string.h>
	17	#include <netdb.h>
	18	#include <errno.h>
	19	#include <ctype.h>
	20	#include <time.h>
	21
	22	#include <netinet/in.h>
	23	#include <arpa/inet.h>
	24	#include <sys/types.h>
	25	#include <sys/time.h>
	26	#include <sys/socket.h>
	27	#include <sys/un.h>
	28
	29	#include "../types.h"
	30	#include "../config.h"
	31	#include "../alloc-inl.h"
	32	#include "../debug.h"
	33	#include "../api.h"
	34
	35	/* Parse IPv4 address into a buffer. */
	36
	37	static void parse_addr4(char* str, u8* ret) {
	38
	39	u32 a1, a2, a3, a4;
	40
bdd1c87e IK	41	if (sscanf(str, "%u.%u.%u.%u", &a1, &a2, &a3, &a4) != 4)
bdd1c87e IK	42	FATAL("Malformed IPv4 address.");
c3a49fd7	43
bdd1c87e IK	44	if (a1 > 255 \|\| a2 > 255 \|\| a3 > 255 \|\| a4 > 255)
bdd1c87e IK	45	FATAL("Malformed IPv4 address.");
c3a49fd7 JD	46
	47	ret[0] = a1;
	48	ret[1] = a2;
	49	ret[2] = a3;
	50	ret[3] = a4;
	51
	52	}
	53
	54
	55	/* Parse IPv6 address into a buffer. */
	56
	57	static void parse_addr6(char* str, u8* ret) {
bdd1c87e IK	58
	59	u32 seg = 0;
	60	u32 val;
	61
	62	while (*str) {
	63
	64	if (seg == 8) FATAL("Malformed IPv6 address (too many segments).");
	65
	66	if (sscanf((char*)str, "%x", &val) != 1 \|\|
	67	val > 65535) FATAL("Malformed IPv6 address (bad octet value).");
	68
	69	ret[seg * 2] = val >> 8;
	70	ret[seg * 2 + 1] = val;
	71
	72	seg++;
	73
	74	while (isxdigit(*str)) str++;
	75	if (*str) str++;
20c93451 IK	76	// ian: added this to get beyond ::
20c93451 IK	77	if (str && !isxdigit(str)) str++;
bdd1c87e	78
52b56873	79	}
c3a49fd7	80
20c93451 IK	81	// iank: commented. exim abbreviates but its consistent. and ip addr is only used
	82	// to identify host, some misplaced leading zeros will not end up making 2
	83	// ipv6 addresses from the internet be the same in practice.
	84	//if (seg != 8) FATAL("Malformed IPv6 address (don't abbreviate).");
bdd1c87e	85
c3a49fd7 JD	86	}
	87
	88
	89	int main(int argc, char** argv) {
	90
	91	u8 tmp[128];
	92	struct tm* t;
	93
	94	static struct p0f_api_query q;
	95	static struct p0f_api_response r;
	96
	97	static struct sockaddr_un sun;
	98
	99	s32 sock;
	100	time_t ut;
	101
	102	if (argc != 3) {
	103	ERRORF("Usage: p0f-client /path/to/socket host_ip\n");
	104	exit(1);
	105	}
	106
	107	q.magic = P0F_QUERY_MAGIC;
	108
	109	if (strchr(argv[2], ':')) {
	110
	111	parse_addr6(argv[2], q.addr);
	112	q.addr_type = P0F_ADDR_IPV6;
	113
	114	} else {
	115
	116	parse_addr4(argv[2], q.addr);
	117	q.addr_type = P0F_ADDR_IPV4;
	118
	119	}
	120
	121	sock = socket(PF_UNIX, SOCK_STREAM, 0);
	122
bdd1c87e	123	if (sock < 0) PFATAL("Call to socket() failed.");
c3a49fd7 JD	124
	125	sun.sun_family = AF_UNIX;
	126
bdd1c87e IK	127	if (strlen(argv[1]) >= sizeof(sun.sun_path))
bdd1c87e IK	128	FATAL("API socket filename is too long for sockaddr_un (blame Unix).");
c3a49fd7 JD	129
	130	strcpy(sun.sun_path, argv[1]);
	131
bdd1c87e IK	132	if (connect(sock, (struct sockaddr*)&sun, sizeof(sun)))
bdd1c87e IK	133	PFATAL("Can't connect to API socket.");
c3a49fd7 JD	134
c3a49fd7 JD	135	if (write(sock, &q, sizeof(struct p0f_api_query)) !=
bdd1c87e	136	sizeof(struct p0f_api_query)) FATAL("Short write to API socket.");
c3a49fd7 JD	137
c3a49fd7 JD	138	if (read(sock, &r, sizeof(struct p0f_api_response)) !=
bdd1c87e IK	139	sizeof(struct p0f_api_response)) FATAL("Short read from API socket.");
bdd1c87e IK	140
c3a49fd7 JD	141	close(sock);
c3a49fd7 JD	142
bdd1c87e IK	143	if (r.magic != P0F_RESP_MAGIC)
bdd1c87e IK	144	FATAL("Bad response magic (0x%08x).\n", r.magic);
c3a49fd7	145
bdd1c87e IK	146	if (r.status == P0F_STATUS_BADQUERY)
bdd1c87e IK	147	FATAL("P0f did not understand the query.\n");
c3a49fd7 JD	148
	149	if (r.status == P0F_STATUS_NOMATCH) {
	150	SAYF("No matching host in p0f cache. That's all we know.\n");
	151	return 0;
	152	}
	153
	154	ut = r.first_seen;
	155	t = localtime(&ut);
	156	strftime((char*)tmp, 128, "%Y/%m/%d %H:%M:%S", t);
	157
bdd1c87e	158	SAYF("First seen = %s\n", tmp);
c3a49fd7 JD	159
	160	ut = r.last_seen;
	161	t = localtime(&ut);
	162	strftime((char*)tmp, 128, "%Y/%m/%d %H:%M:%S", t);
	163
	164	// SAYF("Last update = %s\n", tmp);
	165
	166	// SAYF("Total flows = %u\n", r.total_conn);
	167
	168	if (!r.os_name[0])
bdd1c87e	169	SAYF("Detected OS = ???\n");
c3a49fd7	170	else
bdd1c87e	171	SAYF("Detected OS = %s %s%s%s\n", r.os_name, r.os_flavor,
c3a49fd7 JD	172	(r.os_match_q & P0F_MATCH_GENERIC) ? " [generic]" : "",
	173	(r.os_match_q & P0F_MATCH_FUZZY) ? " [fuzzy]" : "");
	174
	175	// if (!r.http_name[0])
	176	// SAYF("HTTP software = ???\n");
	177	// else
	178	// SAYF("HTTP software = %s %s (ID %s)\n", r.http_name, r.http_flavor,
	179	// (r.bad_sw == 2) ? "is fake" : (r.bad_sw ? "OS mismatch" : "seems legit"));
	180	//
	181	// if (!r.link_type[0])
	182	// SAYF("Network link = ???\n");
	183	// else
	184	// SAYF("Network link = %s\n", r.link_type);
	185	//
	186	// if (!r.language[0])
	187	// SAYF("Language = ???\n");
	188	// else
	189	// SAYF("Language = %s\n", r.language);
	190	//
	191	//
	192	// if (r.distance == -1)
	193	// SAYF("Distance = ???\n");
	194	// else
	195	// SAYF("Distance = %u\n", r.distance);
	196	//
	197	// if (r.last_nat) {
	198	// ut = r.last_nat;
	199	// t = localtime(&ut);
	200	// strftime((char*)tmp, 128, "%Y/%m/%d %H:%M:%S", t);
	201	// SAYF("IP sharing = %s\n", tmp);
	202	// }
	203	//
	204	// if (r.last_chg) {
	205	// ut = r.last_chg;
	206	// t = localtime(&ut);
	207	// strftime((char*)tmp, 128, "%Y/%m/%d %H:%M:%S", t);
	208	// SAYF("Sys change = %s\n", tmp);
	209	// }
	210	//
	211	// if (r.uptime_min) {
bdd1c87e	212	// SAYF("Uptime = %u days %u hrs %u min (modulo %u days)\n",
c3a49fd7 JD	213	// r.uptime_min / 60 / 24, (r.uptime_min / 60) % 24, r.uptime_min % 60,
	214	// r.up_mod_days);
	215	// }
	216
	217	return 0;
	218
	219	}