Generating raservices().conf files from the nDPI libs

Understanding the raservices() conf file:

Let’s take an example config file and break down the lines: ../argus-clients-*/support/Config/std.sig

Service: http            tcp port 80    n =    34 src = "50524F5046494E44202F737973766F6C"  dst = "485454502F312E312034303420526573"

This declares the following attributes (the parameter from the example line is given after the colon):

– service, as defined in /etc/services (or not): http
– protocol, as defined in /etc/services (or not): tcp
– port, as defined in /etc/services (or not): 80
– “n”: the number of occurrences of the src and dst patterns in the source data that assisted in determining the given patterns: 34
– “src”: the data portion that is sent from the client to the server. If you are unsure about a byte, leave a space: 50524F5046494E44202F737973766F6C
– “dst”: the data portion that is sent from the server to the client. If you are unsure about a byte, leave a space: 485454502F312E312034303420526573
– “encrypted”: a string that indicates whether this data is considered to be encrypted; likely a boolean that is considered during processing in some other way (not present in this example)

In this example, each generated pattern (“src” and “dst”) is 16 bytes long.

Let’s take the “src” and take a look.

#[offset]    [byte values]
0000    50 52 4F 50 46 49 4E 44 20 2F 73 79 73 76 6F 6C

Remember:
– 16 bytes in length = 128 bits in length
– 1 byte = 8 bits, written as two hex digits (0-F), one per 4-bit nibble
– FF = 1111 1111 (8 bits) and 00 = 0000 0000

Or we can display this as follows using the same display notation:

#[offset]    [byte values]
00    50
01    52
02    4F
03    50
04    46
05    49
06    4E
07    44
08    20
09    2F
0A    73
0B    79
0C    73
0D    76
0E    6F
0F    6C

Now we understand what falls where.

nDPI protocol definition conversion:

We know that the printer expected by rauserdata() is “encode32” (normally written as -M printer=”encode32”), which is an included function.

ArgusEncode32() does the following:
1) takes each individual byte (provided at a memory point, aka pointer)
2) treats it as a numeric value in 0-255 (aka 0x0-0xFF) range
3) then generates two hex digits that represent this numeric value in base 16.
4) the printer outputs this as a string of hex digits.

Given the example from afp.c from nDPI [https://svn.ntop.org/svn/ntop/trunk/nDPI/src/lib/protocols/afp.c]:

#include <sys/types.h>
#include <arpa/inet.h>

/* nDPI helper: read the 16 bits found at byte offset O of buffer X */
#define get_u_int16_t(X,O)  (*(u_int16_t *)(((u_int8_t *)(X)) + (O)))

if (get_u_int16_t(packet->payload, 0) == htons(0x0004)) {
    /* the first 16 bits of the payload equal 0x0004 in network byte order: do something */
    return;
}

Cutting out the middle man, and assuming that our host byte order is little endian, as is the in-memory binary representation of Argus data (as accessed by raservices()), we can compare the values directly, which is the purpose of raservices().

In this example, we are sending 16 bits of memory made up of data that can be expressed as `0x0004` into ArgusEncode32(), for which the output as a string of hex characters is “0000000000000004”.
We can see from the C macro above (introduced by “#define”) that O is the byte offset (0 here) at which the macro reads 16 bits.

Let’s take the whole definition of “AFP: DSI OpenSession detected” and convert it for use with raservices:

#include <sys/types.h>
#include <arpa/inet.h>

#define get_u_int16_t(X,O)  (*(u_int16_t *)(((u_int8_t *)(X)) + (O)))
#define get_u_int32_t(X,O)  (*(u_int32_t *)(((u_int8_t *)(X)) + (O)))

/* Returns 1 if the flow has the attribute "AFP: DSI OpenSession detected", as nDPI's afp.c tests it. */
static int afp_dsi_opensession(const u_int8_t *payload, u_int32_t payload_packet_len)
{
    if (payload_packet_len >= 22 &&
        get_u_int16_t(payload, 0) == htons(0x0004) &&   /* 16 bits at byte offset 0 (bits 0-15) equal 0x0004 in network byte order and... */
        get_u_int16_t(payload, 2) == htons(0x0001) &&   /* 16 bits at byte offset 2 (bits 16-31) equal 0x0001 in network byte order and... */
        get_u_int32_t(payload, 4) == 0 &&               /* 32 bits at byte offset 4 (bits 32-63) are zero and... */
        get_u_int32_t(payload, 8) == htonl(payload_packet_len - 16) && /* 32 bits at byte offset 8 (bits 64-95): the DSI total data length, i.e. payload length minus the 16-byte DSI header, and... */
        get_u_int32_t(payload, 12) == 0 &&              /* 32 bits at byte offset 12 (bits 96-127) are zero and... */
        get_u_int16_t(payload, 16) == htons(0x0104))    /* 16 bits at byte offset 16 (bits 128-143) equal 0x0104 in network byte order */
        return 1;
    return 0;
}

1) Because raservices() only considers the attributes listed in the previous section, Understanding the raservices() conf file, we can toss the payload length check out.
2) Next we’ll build out the entire 144 bits (18 bytes) of data:

#[offset in hex]    [byte values for raservices().conf]
00    04
01    00
02    01
03    00
04    00
05    00
06    00
07    00
08    
09    
0A    
0B    
0C    00
0D    00
0E    00
0F    00
10    04
11    01

Then the raservices().conf line would be:

Service: afpovertcp            tcp port 548    n =  5000 src="010400000000        0000000000010004"
Service: afpovertcp            tcp port 548    n =  5000 dst="010400000000        0000000000010004"

I’ve given these definitions an arbitrary weight of 5000. I am not sure how the algorithm takes this weight into account.
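As an added example (not code from this post, nor from the Argus or nDPI projects), here is a small Python generator that performs the conversion described above for the AFP DSI OpenSession rule and checks the resulting pattern against a constructed DSI OpenSession payload. It assumes that the htons()/htonl() comparisons fix the payload bytes in network (big-endian) byte order, that blank bytes in a conf pattern are the “leave a space” wildcards described above, and that the encode32 printer emits two uppercase hex digits per byte; the rule table, helper names and sample payload are all constructed here.

```python
import struct

# Constructed rule table for nDPI's "AFP: DSI OpenSession" check (not nDPI's own
# data structure): (byte offset, width in bytes, value). value None means the byte
# depends on the packet (the DSI length field), so the conf pattern leaves it blank.
AFP_DSI_OPENSESSION = [
    (0, 2, 0x0004),   # get_u_int16_t(payload, 0)  == htons(0x0004)
    (2, 2, 0x0001),   # get_u_int16_t(payload, 2)  == htons(0x0001)
    (4, 4, 0),        # get_u_int32_t(payload, 4)  == 0
    (8, 4, None),     # get_u_int32_t(payload, 8)  == htonl(payload_packet_len - 16)
    (12, 4, 0),       # get_u_int32_t(payload, 12) == 0
    (16, 2, 0x0104),  # get_u_int16_t(payload, 16) == htons(0x0104)
]

def encode32(data: bytes) -> str:
    """Hex printer in the style of encode32: two uppercase hex digits per byte."""
    return "".join(f"{b:02X}" for b in data)

def rules_to_pattern(rules) -> str:
    """Lay the rules out byte by byte; htons/htonl values are packed big-endian ('>')."""
    fmt = {2: ">H", 4: ">I"}
    slots = []
    for offset, width, value in sorted(rules, key=lambda r: r[0]):
        if len(slots) != offset:
            raise ValueError(f"rules are not contiguous before offset {offset}")
        slots.extend([None] * width if value is None else struct.pack(fmt[width], value))
    return "".join("  " if b is None else f"{b:02X}" for b in slots)

def pattern_matches(pattern: str, payload: bytes) -> bool:
    """Compare a conf pattern with payload bytes; blank (space) slots match any byte."""
    nbytes = len(pattern) // 2
    if len(payload) < nbytes:
        return False
    return all(pattern[2 * i:2 * i + 2] == "  " or int(pattern[2 * i:2 * i + 2], 16) == payload[i]
               for i in range(nbytes))

def conf_line(service: str, proto: str, port: int, n: int, pattern: str, direction: str = "src") -> str:
    """One raservices().conf line in the layout used by std.sig."""
    return f'Service: {service:<14} {proto} port {port:<5} n = {n:>5} {direction}="{pattern}"'

# Constructed 22-byte DSI OpenSession request: flags 0, command 4, request id 1,
# data offset 0, total data length 6 (= 22 - 16), reserved 0, then option type 1
# (request quantum) of length 4 carrying the value 0x00010000.
SAMPLE_OPENSESSION = bytes.fromhex("0004000100000000" "0000000600000000" "010400010000")

if __name__ == "__main__":
    pattern = rules_to_pattern(AFP_DSI_OPENSESSION)
    print(conf_line("afpovertcp", "tcp", 548, 5000, pattern))
    print(pattern_matches(pattern, SAMPLE_OPENSESSION))
```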
