Hafiye

Author: enderunix

AUTHORS

@@ -0,0 +1,6 @@
+
+EnderUNIX Hafiye 1.0 AUTHORS
+
+[email protected]
+
+

Cfg.c

@@ -0,0 +1,112 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+
+#include "Data.h"
+#include "Cfg.h"
+#include "Defs.h"
+
+extern int errno;
+extern int debug;
+
+
+void loadConfig(struct Prot *p, char *file)
+{
+	FILE *fp;
+	char buf[BUFSIZE];
+	char keyword[KEYSIZE];
+	char value[VALSIZE];
+	char *cp1, *cp2;
+	field *f;
+	char *variables[] = { "Invalid",
+			"Protocol_Id",
+			"Protocol_Ident",
+			"Protocol_Length",
+			"Field" 
+			};
+	int i, key, line, nkeys;
+
+	nkeys = sizeof(variables) / sizeof(char *);
+
+	if ((fp = fopen(file, "r")) == NULL) {
+		fprintf(stderr, "Cannot open knowledge-base file %s: %s\n", file, strerror(errno));
+		exit(1);
+	}
+	line = 0;
+
+	while ((fgets(buf, BUFSIZE, fp)) != NULL) {
+		line++;
+		if(buf[0] == '#')
+			continue;
+		cp1 = buf;
+		cp2 = keyword;
+		while(isspace((int)*cp1))
+			cp1++;
+		while(isgraph((int)*cp1) && (*cp1 != '='))
+			*cp2++ = *cp1++;
+		*cp2 = '\0';
+		cp2 = value;
+
+		while((*cp1 != '\0') && (*cp1 != '\n')
+				&& (*cp1 != '='))
+			cp1++;
+		cp1++;
+		
+		while(isspace((int)*cp1))
+			cp1++;
+		
+		if (*cp1 == '"')
+			cp1++;
+		
+		while(*cp1 != '\0' && (*cp1 != '\n')
+			&& (*cp1 != '#'))
+			*cp2++ = *cp1++;
+		*cp2-- = '\0';
+
+		if (keyword[0] == '\0' || value[0] == '\0')
+			continue;
+
+		key = 0;
+
+		for (i = 0; i < nkeys; i++) {
+			if (strcmp(keyword, variables[i]) == 0) {
+				key = i;
+				break;
+			}
+		}
+
+		switch(key) {
+			case 0:
+				printf("Invalid keyword \"%s\" in knowledge-base file %s, line %d\n",
+						keyword, file, line);
+				exit(-1);
+				break;
+			case 1:
+				p->id = atoi(value);
+				break;
+			case 2:
+				if (strlen(value) < BUFSIZE) 	/* strncpy weirdness!	*/
+					strcpy(p->ident, value);
+				break;
+			case 3:
+				p->len = atoi(value);
+				break;
+			case 4:
+				f = setField(value);
+				addField(p, f);
+				break;
+		}
+	}
+	if (strlen(p->ident) <= 0) {
+		fprintf(stderr, "Protocol Identification not found in file %s\n", file);
+		fprintf(stderr, "Either correct the file to have the proper form or if you think\n");
+		fprintf(stderr, "this file is not a knowledge-base file, remove it!\n");
+		fprintf(stderr, "\nExiting due to an irrecoverable failure...\n");
+		exit(1);
+	}
+	if (debug)
+		listFields(p);
+	printf("Finished examining knowledge-base file %s Protocol Id: %d, Protocol Definition: %s\n", file, p->id, p->ident);
+	fclose(fp);
+}

Cfg.h

@@ -0,0 +1,9 @@
+#ifndef CFGFILE_H
+#define CFGFILE_H
+
+#include "Defs.h"
+#include "Data.h"
+
+void loadConfig(prot *, char *);
+
+#endif

ChangeLog

@@ -0,0 +1,8 @@
+	EnderUNIX Hafiye 1.0 Changelog
+	------------------------------
+* Tue Aug 25 09:30:00 EEST 2004
+	fixed a terminal escape sequence injection bug reported by
+	Serkan Akpolat.
+
+* Wed Jun 12 20:57:59 EEST 2002
+	First public release

Data.c

@@ -0,0 +1,88 @@
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+
+#include "Data.h"
+#include "Defs.h"
+
+extern int errno;
+extern int debug;
+
+
+field * setField(char *v)
+{
+	field *f;
+	char *tok;
+
+	if ((f = (field *)malloc(sizeof(struct Field))) == NULL) {
+		fprintf(stderr, "setField: memory allocation error: %s\n", strerror(errno));
+		exit(-1);
+	}
+
+	/* Field Identifier	*/
+	if ((tok = strtok(v, "-")) != NULL)
+		strcpy(f->ident, tok);
+	else
+		fprintf(stderr, "Warning: cannot get field-ident from %s\n", v);
+
+	/* Field Length	*/
+	if ((tok = strtok(NULL, "-")) != NULL)
+		f->len = (u_short)atoi(tok);
+	else
+		fprintf(stderr, "Warning: cannot get field-length from %s\n", v);
+
+	/* Field Start bit	*/
+	if ((tok = strtok(NULL, "-")) != NULL)
+		f->start = (u_short)atoi(tok);
+	else
+		fprintf(stderr, "Warning: cannot get field start bit  from %s\n", v);
+
+	/* is next protocol identifier? */
+	if ((tok = strtok(NULL, "-")) != NULL)
+		f->protident = (u_short)atoi(tok);
+	else
+		fprintf(stderr, "Warning: cannot get field protident from %s\n", v);
+
+	/* will inet_ntoa() be applied?	*/
+	if ((tok = strtok(NULL, "-")) != NULL)
+		f->inet_ntoa = (u_short)atoi(tok);
+	else
+		fprintf(stderr, "Warning: cannot get field inet_ntoa from %s\n", v);
+
+	f->next = NULL;
+
+	return f;
+}
+
+
+void addField(prot *p, field *f)
+{
+	field *ptr;
+
+	if (p->fields == NULL) {
+		p->fields = f;
+		return;
+	}
+
+	for (ptr = p->fields; ptr->next != NULL; ptr = ptr->next)
+		;
+
+	ptr->next = f;
+}
+
+
+void listFields(prot *p)
+{
+	field *ptr;
+
+	for (ptr = p->fields; ptr->next != NULL; ptr = ptr->next)
+		printf("%s, %d bits, starts at bit %d, protident %d, inet_ntoa %d, ntohs %d\n", 
+				ptr->ident, 
+				ptr->len,
+				ptr->start,
+				ptr->protident,
+				ptr->inet_ntoa,
+				ptr->ntohs);
+}

Data.h

@@ -0,0 +1,38 @@
+
+#ifndef DATA_H
+#define DATA_H
+
+
+#include "Defs.h"
+
+#include <sys/types.h>
+
+typedef struct Field {
+	char ident[BUFSIZE];
+	u_short len;
+	u_short start;
+	u_char protident;
+	u_char inet_ntoa;
+	u_char ntohs;
+	struct Field *next;
+} field;
+
+
+typedef struct Prot {
+	int id;
+	char ident[BUFSIZE];
+	u_short	len;
+	struct Field *fields;
+} prot;
+
+
+struct Prot *ltwo[MAXLAYER];		/* Layer II Protocols	*/
+struct Prot *lthree[MAXLAYER];		/* Layer III Protocosl	*/
+struct Prot *lfour[MAXLAYER];		/* Layer IV Protocols	*/
+
+
+void addField(prot *, field *);
+void listFields(prot *);
+field * setField(char *);
+
+#endif

Defs.h

@@ -0,0 +1,23 @@
+#ifndef DEFS_H
+#define DEFS_H
+
+
+static const char VERSION[] = "EnderUNIX Hafiye Version 1.0";
+
+
+enum {
+	DEVSIZ = 16,
+	SNAPLEN = 1514,
+	PROMISC = 1,
+	READTIMEOUT = 500,
+	PACKET_COUNT = -1,	/* Infinite loop	*/
+	LAYERONE_LEN = 14,
+	BUFSIZE = 1024,
+	HBUFSIZE = 512,
+	KEYSIZE = 64,
+	VALSIZE = 256,
+	MAXLAYER = 5000
+};
+
+
+#endif

INSTALL

@@ -0,0 +1,25 @@
+		EnderUNIX Hafiye 1.0 INSTALL
+		----------------------------
+
+Installation is straightforward, it should compile on Posix
+compliant systems without any trouble.
+
+However, hafiye uses libpcap interface to capture packets. 
+You have to have it istalled before hafiye. You can download
+latest pcap from http://www.tcpdump.org/release/libpcap-0.7.1.tar.gz
+
+Load Makefile with you favorite editor and change PCAPINC and PCAPLIB 
+variables to point to the pcap includes and pcap library respectively.
+
+Then,
+Just type:
+
+# make
+
+and you'll get a working binary named hafiye, then type
+
+# make install
+
+and you'll get hafiye installed in /usr/local/bin/. Configuration
+files will be installed as /usr/local/share/hafiye/...
+