1 /*
2 * oracle.c
3 *
4 * Copyright (C) 2013 Remy Mudingay <mudingay@ill.fr>
5 *
6 * This module is free software: you can redistribute it and/or modify
7 * it under the terms of the GNU Lesser General Public License as published by
8 * the Free Software Foundation, either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This module is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU Lesser General Public License for more details.
15 *
16 * You should have received a copy of the GNU Lesser General Public License.
17 * If not, see <http://www.gnu.org/licenses/>.
18 *
19 */
20
21 #include "ndpi_protocol_ids.h"
22
23 #define NDPI_CURRENT_PROTO NDPI_PROTOCOL_ORACLE
24
25 #include "ndpi_api.h"
26
27
/*
 * Mark the flow as Oracle.
 *
 * Hands NDPI_PROTOCOL_ORACLE to ndpi_set_detected_protocol() for this flow,
 * with NDPI_PROTOCOL_UNKNOWN as the second protocol argument.
 */
static void ndpi_int_oracle_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
                                           struct ndpi_flow_struct *flow)
{
  ndpi_set_detected_protocol(ndpi_struct, flow,
                             NDPI_PROTOCOL_ORACLE,
                             NDPI_PROTOCOL_UNKNOWN);
}
33
/*
 * Heuristic detector for Oracle database traffic.
 *
 * A packet is classified as Oracle when it is TCP and one of three byte
 * signatures matches:
 *   1. source or destination port 1521, payload of at least 3 bytes
 *      starting with 07 ff 00;
 *   2. source or destination port 1521, payload of at least 232 bytes whose
 *      first byte is 00 or 01, second byte is non-zero, and third and fourth
 *      bytes are 00;
 *   3. any port, payload of exactly 213 bytes starting with 00 d5 00 00.
 *
 * Every payload index is read only after a length comparison that covers it,
 * so the order of the && operands below must be kept.
 *
 * NOTE(review): the protocol is excluded only for non-TCP packets. A TCP
 * packet that matches nothing is neither classified nor excluded here, so
 * this function is presumably called again for later packets of the flow.
 *
 * NOTE(review): the match rests on a port number and three or four leading
 * bytes, and signature 3 has no port condition at all. A label produced here
 * is a classification hint, not proof of the application behind the flow;
 * consumers that enforce policy on it should treat it accordingly.
 */
void ndpi_search_oracle(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;
  u_int16_t dport = 0, sport = 0;
  int oracle_seen = 0;

  NDPI_LOG_DBG(ndpi_struct, "search ORACLE\n");

  /* Not TCP: rule the protocol out for this flow and stop. */
  if(packet->tcp == NULL) {
    NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
    return;
  }

  sport = ntohs(packet->tcp->source);
  dport = ntohs(packet->tcp->dest);
  NDPI_LOG_DBG2(ndpi_struct, "calculating ORACLE over tcp\n");

  /* Oracle Database 9g,10g,11g */
  if(dport == 1521 || sport == 1521) {
    if(packet->payload_packet_len >= 3
       && packet->payload[0] == 0x07
       && packet->payload[1] == 0xff
       && packet->payload[2] == 0x00) {
      /* Signature 1: short header 07 ff 00. */
      oracle_seen = 1;
    } else if(packet->payload_packet_len >= 232
              && (packet->payload[0] == 0x00 || packet->payload[0] == 0x01)
              && packet->payload[1] != 0x00
              && packet->payload[2] == 0x00
              && packet->payload[3] == 0x00) {
      /* Signature 2: large packet, 00|01, non-zero, 00 00. */
      oracle_seen = 1;
    }
  }

  /*
   * Signature 3, tried only when the port-bound signatures did not match.
   * 0x00d5 is 213, so the first two bytes equal the payload length when read
   * big-endian -- presumably a packet-length header field; confirm against
   * the protocol specification.
   */
  if(!oracle_seen
     && packet->payload_packet_len == 213
     && packet->payload[0] == 0x00
     && packet->payload[1] == 0xd5
     && packet->payload[2] == 0x00
     && packet->payload[3] == 0x00) {
    oracle_seen = 1;
  }

  if(oracle_seen) {
    NDPI_LOG_INFO(ndpi_struct, "found oracle\n");
    ndpi_int_oracle_add_connection(ndpi_struct, flow);
  }
}
63
64
/*
 * Register the Oracle dissector with the detection module.
 *
 * Registers ndpi_search_oracle under the name "Oracle" for
 * NDPI_PROTOCOL_ORACLE at slot *id. The selection bitmask passed is, going by
 * its name, IPv4/IPv6 TCP packets with payload and without retransmissions.
 * On return *id has been advanced by one so the next dissector gets the
 * following slot.
 */
void init_oracle_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
  ndpi_set_bitmask_protocol_detection(
      "Oracle",
      ndpi_struct,
      detection_bitmask,
      *id,
      NDPI_PROTOCOL_ORACLE,
      ndpi_search_oracle,
      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
      ADD_TO_DETECTION_BITMASK);

  /* Claim the slot just used. */
  (*id)++;
}
76