diff --git a/.gitignore b/.gitignore
index ea8c4bf..d787b70 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 /target
+/result
diff --git a/pcaps/bro_ssh.pcap b/pcaps/bro_ssh.pcap
new file mode 100644
index 0000000..9cbb938
Binary files /dev/null and b/pcaps/bro_ssh.pcap differ
diff --git a/pcaps/godpi_ssh.pcap b/pcaps/godpi_ssh.pcap
new file mode 100644
index 0000000..31c08b6
Binary files /dev/null and b/pcaps/godpi_ssh.pcap differ
diff --git a/pcaps/sources.md b/pcaps/sources.md
new file mode 100644
index 0000000..6c22e43
--- /dev/null
+++ b/pcaps/sources.md
@@ -0,0 +1,8 @@
+- http.cap | wireshark
+- http_image.cap | wireshark
+- dns.cap | wireshark
+- NTP_syc | wireshark
+- telnet-cooked | wireshark
+- SSHv2 | packetlife
+- bro_ssh | try-bro
+- godpi_ssh | go-dpi
diff --git a/src/main.rs b/src/main.rs
index 59be6ff..642371d 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -61,7 +61,7 @@ fn main() {
                 stats.analyzed += 1;
             }
             if opt.print_analysis {
-                info!("{:?}", extracted);
+                println!("{:?}", extracted);
             }
         }
         Err(_) => stats.unknown_packets += 1,
diff --git a/src/protocols/mod.rs b/src/protocols/mod.rs
index f44671e..cb9cbb9 100644
--- a/src/protocols/mod.rs
+++ b/src/protocols/mod.rs
@@ -1,4 +1,6 @@
 use dns::{DNSType, DNSValue};
+use log::info;
+use ssh::SSHType;
 
 mod dns;
 mod ssh;
@@ -11,6 +13,7 @@ pub trait KnownProtocol {
 #[derive(Debug)]
 pub enum ProtocolType {
     DNS(DNSType),
+    SSH,
 }
 
 #[derive(Debug)]
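Review bot: The new `println!("{:?}", extracted);` in src/main.rs panics if stdout has been closed, for example when the output is piped into `head`, because Rust ignores SIGPIPE and the macro unwraps the write error, so a long capture would abort mid-run instead of finishing quietly. The previous `info!` went through the logger, which (for the usual logger backends) tolerates a failed write. If this output is meant to be consumed by other tools, write it explicitly and decide what to do on error, e.g. `let _ = writeln!(std::io::stdout(), "{:?}", extracted);` with `use std::io::Write;` in scope. The body of `main` starts and continues outside the hunk.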
@@ -21,17 +24,22 @@ pub enum ExtractedInfo {
 pub fn extract_info(ptype: ProtocolType, payload: Vec) -> Option {
     match ptype {
         ProtocolType::DNS(x) => match x {
-            DNSType::Query => {
-                return Some(ExtractedInfo::DNSQuery(dns::analyse_dns_query(payload)));
+            //DNSType::Query => Some(ExtractedInfo::DNSQuery(dns::analyse_dns_query(payload))),
+            DNSType::Query => Some(x.extract_info(payload)),
+            DNSType::Response => {
+                info!("DNS Response processing not handled yet!");
+                None
             }
-            DNSType::Response => return None,
         },
+        ProtocolType::SSH => {
+            todo!()
+        }
     }
 }
 
 pub fn match_protocol(payload: Vec) -> Result {
-    if let Ok(x) = dns::is_dns(payload) {
-        return Ok(ProtocolType::DNS(x));
-    };
+    if let Ok(x) = dns::DNSType::classify_proto(payload) {
+        return Ok(x);
+    }
     Err(())
 }
diff --git a/src/protocols/ssh.rs b/src/protocols/ssh.rs
index 7599008..a3d30f6 100644
--- a/src/protocols/ssh.rs
+++ b/src/protocols/ssh.rs
@@ -1,4 +1,17 @@
-pub fn is_ssh(payload: Vec) -> bool {
-    // Check for ASCII "SSH"
-    payload[0] == 0x53 && payload[1] == 0x53 && payload[2] == 0x48
+use crate::{util::*, ExtractedInfo, KnownProtocol, ProtocolType};
+
+pub type SSHType = ();
+
+impl KnownProtocol for SSHType {
+    fn classify_proto(payload: Vec) -> Result {
+        if payload[0] == 0x53 && payload[1] == 0x53 && payload[2] == 0x48 {
+            Ok(ProtocolType::SSH)
+        } else {
+            Err(())
+        }
+    }
+
+    fn extract_info(&self, payload: Vec) -> ExtractedInfo {
+        todo!()
+    }
 }
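Review bot: The new `ProtocolType::SSH => { todo!() }` arm in `extract_info` turns the first SSH packet that reaches it into a panic, so once SSH classification is wired into `match_protocol` a single stream would abort the whole analysis run instead of being counted and skipped. The `DNSType::Response` arm in the same hunk already shows the non-fatal pattern; mirror it with `ProtocolType::SSH => { info!("SSH extraction not handled yet!"); None }`. As written, `match_protocol` still only consults `dns::DNSType::classify_proto`, so the new `SSH` variant is never produced and the SSH classifier has no caller here — presumably left for a follow-up, which is worth stating in the commit. The commented-out `//DNSType::Query => ...` line is dead code and should be dropped rather than kept alongside the live arm.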
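Review bot: `classify_proto` in src/protocols/ssh.rs indexes `payload[0]`, `payload[1]` and `payload[2]` without a length check, so any payload shorter than three bytes panics and a single truncated packet in a capture aborts the analyzer; the condition should be `if payload.starts_with(b"SSH") {`, which is both bounds-safe and self-documenting (the old `// Check for ASCII "SSH"` comment was lost in the rewrite). `payload` in `extract_info` is unused until the `todo!()` is filled in — name it `_payload` so the build stays warning-free. Nothing from `util::*` is used in this file as shown, so the glob import looks premature; a narrower import once the implementation lands would make the dependency explicit.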