├── ipExclusionFile ├── portExclusionFile ├── flowsEncryption ├── keyProfile ├── background.pcap ├── libInstal.sh ├── common.h ├── common.c ├── Makefile ├── BotTalkerFunctions.h ├── README.md ├── BotTalker.c ├── Flow_Encryption.c ├── Merge_Background_Random.c ├── GenerateTimestampForSSL.c ├── Packet_Encryption.c ├── Flow_Encryption_SingleFlow.c └── BotTalkerFunctions.c /ipExclusionFile: -------------------------------------------------------------------------------- 1 | 8.8.8.8 2 | -------------------------------------------------------------------------------- /portExclusionFile: -------------------------------------------------------------------------------- 1 | 25 2 | 53 3 | -------------------------------------------------------------------------------- /flowsEncryption: -------------------------------------------------------------------------------- 1 | 192.168.1.1 20000 1.1.1.1 10000 17 2 | -------------------------------------------------------------------------------- /keyProfile: -------------------------------------------------------------------------------- 1 | 1234567890abcdefghigklmnopqrstuvwxyz 2 | ABCDEFGHIGKLMNOP 3 | -------------------------------------------------------------------------------- /background.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hanzhang0116/BotTalker/HEAD/background.pcap -------------------------------------------------------------------------------- /libInstal.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | #install the required libs 4 | sudo yum install libpcap 5 | sudo yum install libpcap-devel 6 | sudo yum install libtrace 7 | sudo yum install openssl 8 | sudo yum install openssl-devel 9 | sudo yum install bison 10 | sudo yum install flex 11 | sudo yum install wireshark 12 | -------------------------------------------------------------------------------- /common.h: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | #ifndef WIN32 8 | #include 9 | #define THREAD_CC 10 | #define THREAD_TYPE pthread_t 11 | #define THREAD_CREATE(tid, entry, arg) pthread_create(&(tid), NULL, (entry), (arg)) 12 | #else 13 | #include 14 | #define THREAD_CC __cdecl 15 | #define THREAD_TYPE DWORD 16 | #define THREAD_CREATE(tid, entry, arg) do { _beginthread((entry), 0, (arg));\ 17 | (tid) = GetCurrentThreadId(); \ 18 | } while(0) 19 | 20 | #endif 21 | 22 | /*#define PORT "60000" 23 | #define SERVER "proton.netsec.colostate.edu" 24 | #define CLIENT "lander4.cs.colostate.edu"*/ 25 | 26 | #define int_error(msg) handle_error(__FILE__, __LINE__, msg) 27 | void handle_error(const char *file, int lineno, const char *msg); 28 | 29 | void init_OpenSSL(void); 30 | 31 | int verify_callback(int ok, X509_STORE_CTX * store); 32 | -------------------------------------------------------------------------------- /common.c: -------------------------------------------------------------------------------- 1 | #include "common.h" 2 | 3 | void handle_error(const char *file, int lineno, const char *msg) 4 | { 5 | fprintf(stderr, "** %s:%i %s\n", file, lineno, msg); 6 | ERR_print_errors_fp(stderr); 7 | exit(-1); 8 | } 9 | 10 | void init_OpenSSL(void) 11 | { 12 | //if (!THREAD_setup() || ! SSL_library_init()) 13 | if (! SSL_library_init()) 14 | { 15 | fprintf(stderr, "** OpenSSL initialization failed!\n"); 16 | exit(-1); 17 | } 18 | SSL_load_error_strings(); 19 | } 20 | 21 | int verify_callback(int ok, X509_STORE_CTX *store) 22 | { 23 | char data[256]; 24 | if (!ok) 25 | { 26 | X509 *cert = X509_STORE_CTX_get_current_cert(store); 27 | int depth = X509_STORE_CTX_get_error_depth(store); 28 | int err = X509_STORE_CTX_get_error(store); 29 | 30 | fprintf(stderr, "-Error with certificate at depth: %i\n", depth); 31 | 32 | X509_NAME_oneline(X509_get_issuer_name(cert), data, 256); 33 | fprintf(stderr, " issuer = %s\n", data); 34 | X509_NAME_oneline(X509_get_subject_name(cert), data, 256); 35 | fprintf(stderr, " subject = %s\n", data); 36 | fprintf(stderr, " err %i:%s\n", err, X509_verify_cert_error_string(err)); 37 | } 38 | return ok; 39 | } 40 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | 2 | CC = gcc 3 | LIBS = -ltrace -lssl -lcrypto 4 | RM = rm 5 | 6 | BotTalker: BotTalker.c 7 | $(CC) -o BotTalker BotTalker.c $(LIBS) 8 | 9 | #Packet_Encryption: Packet_Encryption.c 10 | $(CC) -o Packet_Encryption Packet_Encryption.c $(LIBS) 11 | 12 | #Merge_Background_Random: Merge_Background_Random.c 13 | $(CC) -o Merge_Background_Random Merge_Background_Random.c $(LIBS) 14 | 15 | #Flow_Encryption: Flow_Encryption.c 16 | $(CC) -o Flow_Encryption Flow_Encryption.c $(LIBS) 17 | 18 | #Flow_Encryption_SingleFlow: Flow_Encryption_SingleFlow.c 19 | $(CC) -o Flow_Encryption_SingleFlow Flow_Encryption_SingleFlow.c $(LIBS) 20 | 21 | #SSL_Emulation: SSL_Emulation.c 22 | # $(CC) -o SSL_Emulation SSL_Emulation.c $(LIBS) 23 | 24 | #SSL_Emulation_SingleFlow: SSL_Emulation_SingleFlow.c 25 | # $(CC) -o SSL_Emulation_SingleFlow SSL_Emulation_SingleFlow.c $(LIBS) 26 | 27 | #SSL_Extraction_Payload: SSL_Extraction_Payload.c 28 | # $(CC) -o SSL_Extraction_Payload SSL_Extraction_Payload.c $(LIBS) 29 | 30 | #SSL_server: SSL_server.c 31 | # $(CC) -o SSL_server SSL_server.c $(LIBS) 32 | 33 | #SSL_client: SSL_client.c 34 | # $(CC) -o SSL_client SSL_client.c $(LIBS) 35 | 36 | #SSL_Replace_IP: SSL_Replace_IP.c 37 | # $(CC) -o SSL_Replace_IP SSL_Replace_IP.c $(LIBS) 38 | 39 | #GenerateTimestampForSSL: GenerateTimestampForSSL.c 40 | # $(CC) -o GenerateTimestampForSSL GenerateTimestampForSSL.c $(LIBS) 41 | 42 | clean: 43 | $(RM) BotTalker Packet_Encryption Merge_Background_Random Flow_Encryption Flow_Encryption_SingleFlow 44 | -------------------------------------------------------------------------------- /BotTalkerFunctions.h: -------------------------------------------------------------------------------- 1 | 2 | /* 3 | * Copyright (C) <2015> 4 | 5 | * BotTalker is free software: you can redistribute it and/or modify 6 | * it under the terms of the GNU General Public License as published 7 | * by the Free Software Foundation, either version 3 of the License, 8 | * or (at your option) any later version. 9 | 10 | * BotTalker is distributed in the hope that it will be useful, 11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | * GNU General Public License for more details. 14 | 15 | * You should have received a copy of the GNU General Public License 16 | * along with this program. If not, see . 17 | 18 | * Contact information: 19 | * Email: zhanghan0116@gmail.com 20 | */ 21 | 22 | void select_random_key(char * , int ); 23 | /* 24 | * generate random key 25 | */ 26 | 27 | void select_random_iv(char * , int ); 28 | /* 29 | * generate random iv 30 | */ 31 | 32 | void encrypt_xor(char * , char * , char* , int ) 33 | /* 34 | * encrypt data by using XOR 35 | */ 36 | 37 | char * encrypt_OpenSSL(EVP_CIPHER_CTX *, char * , int , int * ) 38 | /* 39 | * encrypt data by using OpenSSL 40 | */ 41 | 42 | char * decrypt_OpenSSL(EVP_CIPHER_CTX *, char *, int ) 43 | /* 44 | * decrypt data by using OpenSSL 45 | */ 46 | 47 | int get_element_number(char * ) 48 | /* 49 | * get the bytes number of key and iv 50 | */ 51 | 52 | int extract_key_iv(char * , char * ) 53 | /* 54 | * extract the elements of key and iv 55 | */ 56 | 57 | int set_encryption_algorithm(char * , EVP_CIPHER_CTX * , char * , char *) 58 | /* 59 | * set OpenSSL encryption algorithm 60 | */ 61 | 62 | 63 | /* Incrementally update a checksum */ 64 | void update_in_cksum(uint16_t , uint16_t , uint16_t ) 65 | 66 | void update_in_cksum32(uint16_t , uint32_t , uint32_t ) 67 | /* 68 | * update IP checksum 69 | */ 70 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 | ##BotTalker: Generating Encrypted, Customizable C&C Traces 3 | 4 | 1. Introduction: 5 | - BotTalker emulates the actions a bot would take to encrypt communication and produces traces that look like they come from real botnets. BotTalker is able to convert non-encrypted botnet traces into encrypted ones. It enables customization along three dimensions: (a) selection of real encryption algorithm, (b) flow or packet level conversion, SSL emulation and (c) IP address substitution. **More details can be found in our published paper - [BotTalker] (http://www.cs.colostate.edu/~hanzhang/papers/BotTalker.pdf).** 6 | 7 | 2. Installation: 8 | - Install required libraries: 9 | * libpcap (e.g., sudo yum install libpcap) 10 | * libpcap-devel 11 | * libtrace 12 | * openssl 13 | * openssl-devel 14 | * bison 15 | * flex 16 | * wireshark 17 | - Compile: 18 | * make 19 | - Run: 20 | * ./BotTalker with options listed as follows 21 | 22 | 3. Supported Encryption Scheme: 23 | * Three encryption schemes can be specified using option '-P', '-F'. 24 | * Packet level emulation: emulate the case where a bot encrypts packets individually as they are transmitted. 25 | * Flow level emulation: emulate the case where a bot transmits encrypted objects. 26 | * SSL emulation (supported soon): emulate the case when the botnet exchange information via SSL connections. 27 | 28 | 4. Supported Encryption Algorithm: 29 | * Various encryption algorithms can be specified using option '-e', for example, '-e xor', '-e EVP_des_cbc'. 30 | * xor: xor 31 | * des: EVP_des_cbc, EVP_des_ecb, EVP_des_cfb, EVP_des_ofb 32 | * des 2 key: EVP_des_ede_cbc, EVP_des_ede, EVP_des_ede_ofb, EVP_des_ede_cfb 33 | * des 3 key: EVP_des_ede3_cbc, EVP_des_ede3, EVP_des_ede3_ofb, EVP_des_ede3_cfb 34 | * desx: EVP_desx_cbc 35 | * rc4: EVP_rc4 36 | * rc4 40 bit key: EVP_rc4_40 37 | * rc2: EVP_rc2_cbc, EVP_rc2_ecb, EVP_rc2_cfb, EVP_rc2_ofb, EVP_rc2_40_cbc, EVP_rc2_64_cbc 38 | * Blowfish: EVP_bf_cbc, EVP_bf_ecb, EVP_bf_cfb, EVP_bf_ofb 39 | * CAST: EVP_cast5_cbc, EVP_cast5_ecb, EVP_cast5_cfb, EVP_cast5_ofb 40 | * AES: EVP_aes_128_ecb, EVP_aes_128_cbc, EVP_aes_192_ecb, EVP_aes_192_cbc, EVP_aes_256_ecb, EVP_aes_256_cbc 41 | 42 | 5. Options: 43 | * -a: specify the file including IPs that do not need to replaced when option -r is used 44 | * -b: specify background traffic 45 | * -c: specify configuration file 46 | * -d: specify the file including ports whose traffic will not be encrypted when option -P or -F is used. For example, we may want to encrypt all the traffic except DNS (port 53). A file named portExclusionFile is given in the package as an example 47 | * -e: specify encryption algorithm 48 | * -f: specify the flow to encrypt. E.g. -f all, or -f flowsToEncryptFiles 49 | * format of flowsToEncryptFiles: srcIP, srcPort, destIP, destPort, Proto 50 | * A file named flowsEncryption is given in the package as an example 51 | * -k: specify encryption key and iv file 52 | * A file named keyProfile is given in the package as an example 53 | * -i: specify input trace 54 | * -o: specify output trace 55 | * -r: apply ip replacement, followed by the ip pair. E.g. -r '192.168.9.5/24 178.162.181.84/24' 56 | * -n: replace a single IP address 57 | * option '-r' and '/32' need to be given (e.g., -n -r '192.168.9.5/32 178.162.181.84/32') 58 | * -N: replace a subnet of IP addresses 59 | * option '-r' needs to be given (e.g., -n -r '192.168.9.5/24 178.162.181.84/24') 60 | * -l: specify background traffic local network. E.g. -l '129.82.138.0/24' 61 | * -t: specify time adjustment (e.g., 300, -10) 62 | * -M: specify traffic merge scheme 63 | * Two schemes are support: 64 | 1. direct: -M 'direct' merge the background traffic with botnet traffic directly 65 | 2. random selection: random select hosts in background traffic and assign botnet traffic on them -M '192.168.9.0' 66 | * -P: enable packet level encryption 67 | * -F: enable flow level encryption 68 | * -h: display this help and exit 69 | 70 | 6. Example: 71 | 1. ./BotTalker -i testInput.pcap -o testOutput.pcap -k keyProfile -e xor -f all -P -r '192.168.1.5/32 111.11.111.1/32' -n 72 | * -i: the input pcap file is testInput.pcap 73 | * -o: the output pcap file is testOutput.pcap 74 | * -k: the key and iv is given in file keyProfile 75 | * -e: encrypt the payload using xor 76 | * -f: encrypt all the packets 77 | * -P: use packet level encryption 78 | * -r, -n: replace IP 192.168.1.5 with 111.11.111.1 79 | 80 | 2. ./BotTalker -i botnet.pcap -o botnetBackgroundMix.pcap -e EVP_des_cbc -k keyProfile -f flowsEncryption -F -b background.pcap -l '192.168.0.0/16' -t 1200 -M '192.168.9.0/24' 81 | * -i: the input botnet pcap file is botnet.pcap 82 | * -o: the output pcap file is botnetBackgroundMix.pcap 83 | * -k: the key and iv is given in file keyProfile 84 | * -e: encrypt the payload using des: EVP_des_cbc 85 | * -f: encrypt the packets belonging to flows in file flowsEncryption 86 | * -F: use flow level encryption (highly recommend not to encrypt all the flows when using flow level encryption due to performance issues) 87 | * -l: the local network of the background trace is '192.168.0.0/16' 88 | * -t: adjust the timestamp 1200 seconds forward 89 | * -M: randomly select hosts in the background trace in subnet '192.168.9.0/24' and add the bot traffic on them (the bots' IPs will also be changed) 90 | 91 | 92 | 93 | -------------------------------------------------------------------------------- /BotTalker.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) <2015> 3 | 4 | * BotTalker is free software: you can redistribute it and/or modify 5 | * it under the terms of the GNU General Public License as published 6 | * by the Free Software Foundation, either version 3 of the License, 7 | * or (at your option) any later version. 8 | 9 | * BotTalker is distributed in the hope that it will be useful, 10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | * GNU General Public License for more details. 13 | 14 | * You should have received a copy of the GNU General Public License 15 | * along with this program. If not, see . 16 | 17 | * Contact information: 18 | * Email: zhanghan0116@gmail.com 19 | */ 20 | 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | #include 28 | #include 29 | #include 30 | #include 31 | #include 32 | #include 33 | #include 34 | #include "BotTalkerFunctions.c" 35 | 36 | struct config_parameters configBottalker; 37 | 38 | int main(int argc, char *argv[]) 39 | { 40 | int opt = 0; 41 | int enableEncryption = 0; //1 means the data needs to be encrypted 42 | int enableKeyIV = 0; 43 | int encryptAll = 0; //encrypt all the traffic, otherwise encrypt a specific flow 44 | int enableEncryptExecutable = 0; //1 means use the executable magic number files 45 | int enableReplaceIP = 0; //apply IP replacement 46 | int enableBackgroundFile = 0; 47 | int enableBotnetNetwork = 0; 48 | int enableInputFile = 0; 49 | int enableOutputFile = 0; 50 | int enableLocalNetwork = 0; 51 | int enableEncryptionFlows = 0; 52 | int enableTimeAdjust = 0; 53 | int enablePacketLevel = 0; 54 | int enableFlowLevel = 0; 55 | int enableMergeScheme = 0; 56 | int enableSSLEmulation = 0; 57 | int enableIPExclusion = 0; 58 | int enablePortExclusion = 0; 59 | int enableReplaceCertainIP = 0; 60 | int enableReplaceAllIP = 0; 61 | char oriInputFile[MAX_SIZE]; 62 | char oriOutputFile[MAX_SIZE]; 63 | char backgroundFile[MAX_SIZE]; 64 | char botnetNetwork[MAX_SIZE]; 65 | char localNetwork[MAX_SIZE]; 66 | char encryptionFlows[MAX_SIZE]; 67 | char timeAdjust[MAX_SIZE]; 68 | char encryption[MAX_SIZE]; 69 | char inputFile[MAX_SIZE]; 70 | char outputFile[MAX_SIZE]; 71 | char keyIVFile[MAX_SIZE]; 72 | char ipExclusionFile[MAX_SIZE]; 73 | char portExclusionFile[MAX_SIZE]; 74 | char configFile[MAX_SIZE]; 75 | char encryptionAlgorithm[16]; 76 | char exeMagicNumberFile[MAX_SIZE]; 77 | char oriReplaceIP[MAX_SIZE]; 78 | char mergeScheme[MAX_SIZE]; 79 | char command[MAX_SIZE]; 80 | 81 | if ((argc - optind) < 1) { 82 | usage(); 83 | exit(1); 84 | } 85 | 86 | while ((opt = getopt(argc, argv, "a:b:c:d:e:f:Fk:l:i:o:Pr:M:nNSt:")) !=-1) 87 | { 88 | switch (opt) 89 | { 90 | case 'a': 91 | strcpy(ipExclusionFile, optarg); 92 | enableIPExclusion = 1; 93 | break; 94 | case 'b': 95 | strcpy(backgroundFile, optarg); 96 | enableBackgroundFile = 1; 97 | break; 98 | case 'c': 99 | strcpy(configFile, optarg); 100 | break; 101 | case 'd': 102 | strcpy(portExclusionFile, optarg); 103 | enablePortExclusion = 1; 104 | break; 105 | case 'M': 106 | strcpy(mergeScheme, optarg); 107 | enableMergeScheme = 1; 108 | break; 109 | case 'i': 110 | strcpy(inputFile, optarg); 111 | enableInputFile = 1; 112 | break; 113 | case 'l': 114 | strcpy(localNetwork, optarg); 115 | enableLocalNetwork = 1; 116 | break; 117 | case 'o': 118 | strcpy(outputFile, optarg); 119 | enableOutputFile = 1; 120 | break; 121 | case 'k': 122 | strcpy(keyIVFile, optarg); 123 | enableKeyIV = 1; 124 | break; 125 | case 'e': 126 | strcpy(encryptionAlgorithm, optarg); 127 | enableEncryption = 1; 128 | break; 129 | case 'f': 130 | /*encrypt all the traffic*/ 131 | strcpy(encryptionFlows, optarg); 132 | enableEncryptionFlows = 1; 133 | break; 134 | case 'F': 135 | enableFlowLevel = 1; 136 | break; 137 | case 'P': 138 | enablePacketLevel = 1; 139 | break; 140 | case 'S': 141 | enableSSLEmulation = 1; 142 | break; 143 | case 'r': 144 | strcpy(oriReplaceIP, optarg); 145 | enableReplaceIP = 1; 146 | break; 147 | case 'n': 148 | enableReplaceCertainIP = 1; 149 | break; 150 | case 'N': 151 | enableReplaceAllIP = 1; 152 | break; 153 | case 't': 154 | strcpy(timeAdjust, optarg); 155 | enableTimeAdjust = 1; 156 | break; 157 | case 'h': 158 | usage(); 159 | exit(1); 160 | default: 161 | usage(); 162 | exit(1); 163 | } 164 | } 165 | 166 | //reserved for SSL emulation 167 | /* 168 | ReadConfigurationFile(configFile, &configBottalker); 169 | printf("MERGECAP: %s\n", configBottalker.COMMAND_MERGECAP); 170 | printf("EDITCAP: %s\n", configBottalker.COMMAND_EDITCAP); 171 | printf("CIPHER_LIST: %s\n", configBottalker.CIPHER_LIST); 172 | printf("CAFILE: %s\n", configBottalker.CAFILE); 173 | printf("CERTFILE: %s\n", configBottalker.CERTFILE); 174 | printf("PORT: %s\n", configBottalker.PORT); 175 | printf("SERVER: %s\n", configBottalker.SERVER); 176 | printf("CLIENT: %s\n", configBottalker.CLIENT); 177 | */ 178 | 179 | if( ((enablePacketLevel == 1) || (enableFlowLevel == 1)) && ((enableEncryption == 1) || (enableEncryptionFlows == 1) || (enableKeyIV == 1) )) 180 | { 181 | if(enableEncryption + enableEncryptionFlows + enableKeyIV < 3) 182 | { 183 | printf("-e -f -k need to be used together\n"); 184 | exit(1); 185 | } 186 | } 187 | 188 | if( (enableBackgroundFile == 1) || (enableLocalNetwork == 1) || (enableTimeAdjust == 1) || (enableMergeScheme == 1) ) 189 | { 190 | if(enableBackgroundFile + enableLocalNetwork + enableMergeScheme < 3) 191 | { 192 | printf("-l -b -M need to be used together\n"); 193 | exit(1); 194 | } 195 | } 196 | if( enablePacketLevel + enableFlowLevel + enableSSLEmulation > 1 ) 197 | { 198 | printf("Can not apply more than one of packet level encryption, flow level encryption, or ssl emulation at the same time\n"); 199 | exit(1); 200 | } 201 | 202 | strcpy(oriOutputFile, outputFile); 203 | strcpy(oriInputFile, inputFile); 204 | if( (enableBackgroundFile == 1) && ( (enableEncryption == 1) || (enableReplaceIP == 1) ) ) 205 | { 206 | sprintf(outputFile, "%s-encryption", oriOutputFile); 207 | } 208 | memset(command, '\0', sizeof(command)); 209 | if(enablePacketLevel == 1) 210 | { 211 | sprintf(command, "./Packet_Encryption -i pcap:%s -o pcap:%s", inputFile, outputFile); 212 | } 213 | else if(enableFlowLevel == 1) 214 | { 215 | sprintf(command, "./Flow_Encryption -i %s -o %s", inputFile, outputFile); 216 | } 217 | 218 | //reserved for SSL emulation 219 | /* 220 | else if(enableSSLEmulation == 1) 221 | { 222 | sprintf(command, "sudo ./SSL_Emulation -i %s -o %s -f '%s' -c %s", inputFile, outputFile, encryptionFlows, configFile); 223 | if(enablePortExclusion == 1) 224 | { 225 | sprintf(command, "%s -d %s", command, portExclusionFile); 226 | } 227 | printf("command: %s\n", command); 228 | system(command); 229 | return; 230 | } 231 | */ 232 | 233 | /*Concatenate the encryption algorithm and key IV*/ 234 | if(enableEncryption == 1) 235 | { 236 | sprintf(command, "%s -e %s -k %s -f %s", command, encryptionAlgorithm, keyIVFile, encryptionFlows); 237 | } 238 | 239 | /*concatenate the IP replacement*/ 240 | if(enableReplaceIP == 1) 241 | { 242 | sprintf(command, "%s -r '%s'", command, oriReplaceIP); 243 | } 244 | 245 | if(enableIPExclusion == 1) 246 | { 247 | sprintf(command, "%s -a %s", command, ipExclusionFile); 248 | } 249 | if(enablePortExclusion == 1) 250 | { 251 | sprintf(command, "%s -d %s", command, portExclusionFile); 252 | } 253 | if(enableReplaceCertainIP == 1) 254 | { 255 | sprintf(command, "%s -n", command); 256 | } 257 | if(enableReplaceAllIP == 1) 258 | { 259 | sprintf(command, "%s -N", command); 260 | } 261 | printf("command: %s\n", command); 262 | system(command); 263 | 264 | memset(command, '\0', sizeof(command)); 265 | memset(inputFile, '\0', sizeof(inputFile)); 266 | memset(outputFile, '\0', sizeof(outputFile)); 267 | if( (enableBackgroundFile == 1) && ( (enableEncryption == 1) || (enableReplaceIP == 1) ) ) 268 | { 269 | sprintf(inputFile, "%s-encryption", oriOutputFile); 270 | } 271 | else 272 | { 273 | sprintf(inputFile, "%s", oriOutputFile); 274 | } 275 | strcpy(outputFile, oriOutputFile); 276 | 277 | /*adjust timestamps*/ 278 | if(enableTimeAdjust == 1) 279 | { 280 | sprintf(outputFile, "%s-time-adjust", oriOutputFile); 281 | sprintf(command, "editcap -t %s %s %s -F pcap", timeAdjust, inputFile, outputFile); 282 | strcpy(inputFile, outputFile); 283 | strcpy(outputFile, oriOutputFile); 284 | printf("command: %s\n", command); 285 | system(command); 286 | } 287 | 288 | /*merge with background traffic*/ 289 | if(enableBackgroundFile == 1) 290 | { 291 | memset(outputFile, '\0', sizeof(outputFile)); 292 | strcpy(outputFile, oriOutputFile); 293 | printf("outputFile: %s\n", outputFile); 294 | /*merge the bot traffic directly with background hosts' traffic*/ 295 | if(strcmp(mergeScheme, "direct") == 0) 296 | { 297 | sprintf(command, "mergecap pcap:%s pcap:%s -w pcap:%s -F pcap", inputFile, backgroundFile, outputFile); 298 | printf("command: %s\n", command); 299 | system(command); 300 | } 301 | /*add bot traffic on randomly selected hosts from background traffic*/ 302 | else 303 | { 304 | //sprintf(command, "./Merge_Background_Random -i pcap:%s -o pcap:%s-temp -b pcap:%s -l '%s' -M '%s'", inputFile, outputFile, backgroundFile, localNetwork, mergeScheme); 305 | sprintf(command, "./Merge_Background_Random -i pcap:%s -o pcap:%s -b pcap:%s -l '%s' -M '%s'", inputFile, outputFile, backgroundFile, localNetwork, mergeScheme); 306 | printf("command: %s\n", command); 307 | system(command); 308 | memset(command, '\0', sizeof(command)); 309 | } 310 | } 311 | return 0; 312 | } 313 | -------------------------------------------------------------------------------- /Flow_Encryption.c: -------------------------------------------------------------------------------- 1 | 2 | /* 3 | * Copyright (C) <2015> 4 | 5 | * BotTalker is free software: you can redistribute it and/or modify 6 | * it under the terms of the GNU General Public License as published 7 | * by the Free Software Foundation, either version 3 of the License, 8 | * or (at your option) any later version. 9 | 10 | * BotTalker is distributed in the hope that it will be useful, 11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | * GNU General Public License for more details. 14 | 15 | * You should have received a copy of the GNU General Public License 16 | * along with this program. If not, see . 17 | 18 | * Contact information: 19 | * Email: zhanghan0116@gmail.com 20 | */ 21 | 22 | /* 23 | Encryption Algorithm 24 | Encrypted data size doesn't change: XOR, CFB, OFB 25 | 1. Read flow payload from file 26 | 2. encrypt data 27 | 3. put encrypted data back into packets 28 | */ 29 | 30 | #include 31 | #include 32 | #include 33 | #include 34 | #include 35 | #include 36 | #include 37 | #include "libtrace.h" 38 | #include 39 | #include 40 | #include 41 | #include 42 | #include 43 | #include "BotTalkerFunctions.c" 44 | 45 | #define MAX_SIZE 1024 46 | 47 | int enableIPAnonymize = 0; //1 means the ip needs to be anonymized 48 | int enablePortFilter = 0; //1 means the port needs to be filtered 49 | int enableEncryption = 0; //1 means the data needs to be encrypted 50 | int enableKeyIV = 0; 51 | int encryptAll = 0; //encrypt all the traffic, otherwise encrypt a specific flow 52 | int enableEncryptExecutable = 0; //1 means use the executable magic number files 53 | int enableReplaceIP = 0; //apply IP replacement 54 | char oriIP[16]; //original IP 55 | char replaceIP[16]; //new IP 56 | char encryptionAlgorithm[32]; //specify the encryption algorithm 57 | //struct flow_record flow_extract; 58 | extern struct flow_record * flowExtractHead; 59 | extern struct flow_record * flowExtractLast; 60 | extern struct port_list * portExclusion; 61 | 62 | static int per_packet_extract_flow_records(libtrace_packet_t * pkt, FILE * fpOut) 63 | { 64 | // Create a new packet which is a copy of the old packet. 65 | //libtrace_packet_t *copy_pkt = trace_copy_packet(pkt); 66 | libtrace_ip_t *ip = trace_get_ip(pkt); 67 | libtrace_ip6_t *ip6 = trace_get_ip6(pkt); 68 | 69 | struct flow_record * iteFlowRecord; 70 | struct sockaddr_storage src_addr; 71 | struct sockaddr_storage dest_addr; 72 | struct sockaddr *src_addr_ptr; 73 | struct sockaddr *dest_addr_ptr; 74 | /* Packet data */ 75 | uint32_t remaining; 76 | /* L3 data */ 77 | void *l3; 78 | uint16_t ethertype; 79 | /* Transport data */ 80 | void *transport; 81 | uint8_t proto; 82 | /* Payload data */ 83 | void *payload; 84 | 85 | int i = 0; 86 | int loop = 0; 87 | char srcIP[100]; 88 | char destIP[100]; 89 | struct timeval ts; 90 | 91 | l3 = trace_get_layer3(pkt,ðertype,&remaining); 92 | 93 | if (!l3) 94 | { 95 | /* Probable ARP or something */ 96 | return; 97 | } 98 | 99 | /* Get the UDP/TCP/ICMP header from the IPv4/IPv6 packet */ 100 | switch (ethertype) { 101 | case 0x0800: 102 | transport = trace_get_payload_from_ip( 103 | (libtrace_ip_t*)l3, 104 | &proto, 105 | &remaining); 106 | if (!transport) 107 | return; 108 | //++v4; 109 | break; 110 | case 0x86DD: 111 | transport = trace_get_payload_from_ip6( 112 | (libtrace_ip6_t*)l3, 113 | &proto, 114 | &remaining); 115 | if (!transport) 116 | return; 117 | //++v6; 118 | break; 119 | default: 120 | return; 121 | } 122 | 123 | // Get packet information 124 | //get port numbers 125 | int srcPort = trace_get_source_port(pkt); 126 | int destPort = trace_get_destination_port(pkt); 127 | src_addr_ptr = trace_get_source_address(pkt, (struct sockaddr *) &src_addr); 128 | dest_addr_ptr = trace_get_destination_address(pkt, (struct sockaddr *) &dest_addr); 129 | if( (NULL == src_addr_ptr) || (NULL == dest_addr_ptr) ) 130 | { 131 | return; 132 | } 133 | if( (CheckExclusionPort(srcPort)==1) || (CheckExclusionPort(destPort)==1) ) 134 | { 135 | return; 136 | } 137 | //get source ip address 138 | if (src_addr_ptr->sa_family == AF_INET) { 139 | struct sockaddr_in *src_v4 = (struct sockaddr_in *) src_addr_ptr; 140 | inet_ntop(AF_INET, &(src_v4->sin_addr), srcIP, 100); 141 | } 142 | //get destination ip address 143 | if (dest_addr_ptr->sa_family == AF_INET) { 144 | struct sockaddr_in *dest_v4 = (struct sockaddr_in *) dest_addr_ptr; 145 | inet_ntop(AF_INET, &(dest_v4->sin_addr), destIP, 100); 146 | } 147 | 148 | if(proto == 17) //udp 149 | { 150 | payload = trace_get_payload_from_udp( (libtrace_udp_t*)transport, &remaining); 151 | } 152 | 153 | if(proto == 6) //tcp 154 | { 155 | payload = trace_get_payload_from_tcp( (libtrace_tcp_t*)transport, &remaining); 156 | } 157 | if(remaining <= 0) 158 | { 159 | return; 160 | } 161 | iteFlowRecord = flowExtractHead; 162 | while(iteFlowRecord) 163 | { 164 | if( ( (proto == iteFlowRecord->proto) && (srcPort == iteFlowRecord->src_port) && (strcmp(srcIP, iteFlowRecord->src_ip) == 0) && (destPort == iteFlowRecord->dest_port) && (strcmp(destIP, iteFlowRecord->dest_ip) == 0) ) || ( (destPort == iteFlowRecord->src_port) && (strcmp(destIP, iteFlowRecord->src_ip) == 0) && (srcPort == iteFlowRecord->dest_port) && (strcmp(srcIP, iteFlowRecord->dest_ip) == 0) && (proto == iteFlowRecord->proto) ) ) 165 | { 166 | break; 167 | } 168 | iteFlowRecord = iteFlowRecord->next; 169 | } 170 | if(iteFlowRecord == NULL) 171 | { 172 | struct flow_record * newFlowRecord = (struct flow_record *)malloc(sizeof(struct flow_record)); 173 | strcpy(newFlowRecord->src_ip, srcIP); 174 | newFlowRecord->src_port = srcPort; 175 | strcpy(newFlowRecord->dest_ip, destIP); 176 | newFlowRecord->dest_port = destPort; 177 | newFlowRecord->proto = proto; 178 | newFlowRecord->next = NULL; 179 | if(flowExtractHead == NULL) 180 | { 181 | //printf("line: %d\n", __LINE__); 182 | flowExtractHead = newFlowRecord; 183 | //debug 184 | /*if(flowExtractHead == NULL) 185 | { 186 | printf("line: %d\n", __LINE__); 187 | }*/ 188 | } 189 | else 190 | { 191 | flowExtractLast->next = newFlowRecord; 192 | } 193 | flowExtractLast = newFlowRecord; 194 | fprintf(fpOut, "%s %d %s %d %d\n", newFlowRecord->src_ip, newFlowRecord->src_port, newFlowRecord->dest_ip, newFlowRecord->dest_port, newFlowRecord->proto); 195 | //printf("%s %d %s %d %d\n", newFlowRecord->src_ip, newFlowRecord->src_port, newFlowRecord->dest_ip, newFlowRecord->dest_port, newFlowRecord->proto); 196 | } 197 | } 198 | 199 | static int extract_flow_records(char * flowRecordsFile, char * inputFile) 200 | { 201 | FILE * fpOut = NULL; 202 | int psize = 0; 203 | struct flow_record * flowRecordsHead; 204 | libtrace_t *trace = 0; 205 | libtrace_packet_t *pkt = trace_create_packet(); 206 | if((fpOut = fopen(flowRecordsFile, "w+")) == NULL) //open the file to read 207 | { 208 | fprintf(stderr, "Open file: %s failed\n", flowRecordsFile); 209 | exit(1); 210 | } 211 | // Open traces for reading and writing. 212 | trace = trace_create(inputFile); 213 | if (trace_is_err(trace)) { 214 | trace_perror(trace, "trace_create"); 215 | trace_destroy(trace); 216 | return 1; 217 | } 218 | if (trace_start(trace) == -1) { 219 | trace_perror(trace,"Starting trace"); 220 | //libtrace_cleanup(trace, output, packet); 221 | return 1; 222 | } 223 | 224 | for (;;) { 225 | psize = trace_read_packet(trace, pkt); 226 | if (psize == 0) { 227 | break; 228 | } 229 | if (psize < 0) { 230 | trace_perror(trace, "read_packet"); 231 | break; 232 | } 233 | if ((per_packet_extract_flow_records(pkt, fpOut)) == -1) 234 | { 235 | fprintf(stderr, "Something went wrong in per_packet.\n"); 236 | break; 237 | } 238 | //debug 239 | /* 240 | if(flowExtractHead == NULL) 241 | { 242 | printf("line: %d\n", __LINE__); 243 | } 244 | */ 245 | } 246 | fclose(fpOut); 247 | } 248 | 249 | int main(int argc, char *argv[]) 250 | { 251 | char * p = NULL; 252 | //char * file_content = NULL; 253 | //char * encrypted_file_content; 254 | struct flow_record * iteFlowRecord; 255 | int i = 0; 256 | int opt = 0; 257 | int psize = 0; 258 | int pktCount = 0; 259 | int offset = 0; 260 | int filesize = 0; 261 | int readLength = 0; 262 | int traceOffset = 0; 263 | int oriSubnet = 0; 264 | int replaceSubnet = 0; 265 | int enableReplaceCertainIP = 0; 266 | int enableReplaceAllIP = 0; 267 | int enableIPExclusion = 0; 268 | int enablePortExclusion = 0; 269 | char tempRead[100]; 270 | char inputFile[MAX_SIZE]; 271 | char outputFile[MAX_SIZE]; 272 | char flowsFile[MAX_SIZE]; 273 | char keyIVFile[MAX_SIZE]; 274 | char oriReplaceIP[MAX_SIZE]; 275 | char bufferTemp[MAX_SIZE]; 276 | char encryptionAlgorithm[MAX_SIZE]; 277 | char portExclusionFile[MAX_SIZE]; 278 | char ipExclusionFile[MAX_SIZE]; 279 | char command[MAX_SIZE]; 280 | char inputFileTemp[MAX_SIZE]; 281 | char outputFileTemp[MAX_SIZE]; 282 | clock_t start; 283 | clock_t end; 284 | double functionTime; 285 | 286 | if ((argc - optind) < 1) { 287 | usage(); 288 | exit(1); 289 | } 290 | 291 | while ((opt = getopt(argc, argv, "a:d:e:f:k:i:nNo:r:")) !=-1) 292 | { 293 | switch (opt) 294 | { 295 | case 'a': 296 | strcpy(ipExclusionFile, optarg); 297 | enableIPExclusion = 1; 298 | break; 299 | case 'd': 300 | strcpy(portExclusionFile, optarg); 301 | enablePortExclusion = 1; 302 | break; 303 | case 'i': 304 | strcpy(inputFile, optarg); 305 | break; 306 | case 'o': 307 | strcpy(outputFile, optarg); 308 | break; 309 | case 'k': 310 | enableKeyIV = 1; 311 | strcpy(keyIVFile, optarg); 312 | break; 313 | case 'e': 314 | enableEncryption = 1; 315 | strcpy(encryptionAlgorithm, optarg); 316 | break; 317 | case 'f': 318 | /*encrypt all the traffic*/ 319 | if(strcmp("all", optarg) == 0) 320 | { 321 | encryptAll = 1; 322 | } 323 | else 324 | { 325 | strcpy(flowsFile, optarg); 326 | } 327 | break; 328 | case 'n': 329 | enableReplaceCertainIP = 1; 330 | break; 331 | case 'N': 332 | enableReplaceAllIP = 1; 333 | break; 334 | case 'r': 335 | enableReplaceIP = 1; 336 | strcpy(oriReplaceIP, optarg); 337 | break; 338 | case 'h': 339 | usage(); 340 | exit(1); 341 | default: 342 | usage(); 343 | exit(1); 344 | } 345 | } 346 | 347 | time(&start); 348 | 349 | if(enablePortExclusion == 1) 350 | { 351 | ReadPortExclusionRecords(portExclusionFile); 352 | } 353 | 354 | if(enableEncryption == 1) 355 | { 356 | if(encryptAll == 1) 357 | { 358 | memset(flowsFile, '\0', sizeof(flowsFile)); 359 | sprintf(flowsFile, "%s-flows", inputFile); 360 | extract_flow_records(flowsFile, inputFile); 361 | } 362 | else 363 | { 364 | ReadFlowRecords(flowsFile); 365 | } 366 | //write the flow payload to file 367 | strcpy(inputFileTemp, inputFile); 368 | iteFlowRecord = flowExtractHead; 369 | while(iteFlowRecord) 370 | { 371 | memset(outputFileTemp, '\0', sizeof(outputFileTemp)); 372 | memset(command, '\0', sizeof(command)); 373 | sprintf(outputFileTemp, "temp-trace-%s-%d-%s-%d-%d", iteFlowRecord->src_ip, iteFlowRecord->src_port, iteFlowRecord->dest_ip, iteFlowRecord->dest_port, iteFlowRecord->proto); 374 | sprintf(command, "./Flow_Encryption_SingleFlow -i pcap:%s -o pcap:%s -k %s -e %s -f '%s %d %s %d %d'", inputFileTemp, outputFileTemp, keyIVFile, encryptionAlgorithm, iteFlowRecord->src_ip, iteFlowRecord->src_port, iteFlowRecord->dest_ip, iteFlowRecord->dest_port, iteFlowRecord->proto); 375 | printf("%s\n", command); 376 | system(command); 377 | memset(inputFileTemp, '\0', sizeof(inputFileTemp)); 378 | strcpy(inputFileTemp, outputFileTemp); 379 | iteFlowRecord = iteFlowRecord->next; 380 | } 381 | if(enableReplaceIP == 1) 382 | { 383 | memset(command, '\0', sizeof(command)); 384 | sprintf(command, "./Flow_Encryption_SingleFlow -i pcap:%s -o pcap:%s -r '%s'", outputFileTemp, outputFile, oriReplaceIP); 385 | if(enableReplaceCertainIP == 1) 386 | { 387 | sprintf(command, "%s -n", command); 388 | } 389 | if(enableReplaceAllIP == 1) 390 | { 391 | sprintf(command, "%s -N", command); 392 | } 393 | printf("%s\n", command); 394 | system(command); 395 | } 396 | else 397 | { 398 | memset(command, '\0', sizeof(command)); 399 | sprintf(command, "mv %s %s", outputFileTemp, outputFile); 400 | system(command); 401 | printf("%s\n", command); 402 | } 403 | } 404 | else if(enableReplaceIP == 1) 405 | { 406 | memset(command, '\0', sizeof(command)); 407 | sprintf(command, "./Flow_Encryption_SingleFlow -i pcap:%s -o pcap:%s -r '%s'", inputFile, outputFile, oriReplaceIP); 408 | system(command); 409 | printf("%s\n", command); 410 | } 411 | memset(command, '\0', sizeof(command)); 412 | sprintf(command, "rm temp-trace-*"); 413 | system(command); 414 | memset(command, '\0', sizeof(command)); 415 | sprintf(command, "rm *-flow-offset"); 416 | system(command); 417 | memset(command, '\0', sizeof(command)); 418 | sprintf(command, "rm *-flow-payload"); 419 | system(command); 420 | 421 | time(&end); 422 | double cost = difftime(end, start); 423 | printf("running time: %f\n", cost); 424 | 425 | return 0; 426 | } 427 | -------------------------------------------------------------------------------- /Merge_Background_Random.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) <2015> 3 | 4 | * BotTalker is free software: you can redistribute it and/or modify 5 | * it under the terms of the GNU General Public License as published 6 | * by the Free Software Foundation, either version 3 of the License, 7 | * or (at your option) any later version. 8 | 9 | * BotTalker is distributed in the hope that it will be useful, 10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | * GNU General Public License for more details. 13 | 14 | * You should have received a copy of the GNU General Public License 15 | * along with this program. If not, see . 16 | 17 | * Contact information: 18 | * Email: zhanghan0116@gmail.com 19 | */ 20 | 21 | 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | #include 28 | #include 29 | #include "libtrace.h" 30 | #include 31 | #include 32 | #include 33 | #include 34 | #include 35 | #include "BotTalkerFunctions.c" 36 | 37 | #define MAX_SIZE 1024 38 | 39 | int localSubnet = 32; 40 | int botnetSubnet = 32; 41 | int localIPNum = 0; 42 | int botnetIPNum = 0; 43 | int enableReplaceIP = 0; //apply IP replacement 44 | char localIP[16]; //original IP 45 | char botnetIP[16]; //new IP 46 | struct flow_record flowExtract; 47 | struct ip_list * localIPHead = NULL; 48 | struct ip_list * localIPLast = NULL; 49 | struct ip_list * botnetIPHead = NULL; 50 | struct ip_list * botnetIPLast = NULL; 51 | struct ip_pair * localBotnetPairsHead = NULL; 52 | struct ip_pair * localBotnetPairsLast = NULL; 53 | //struct flow_rtt_inter flow_stats = {0, "129.82.138.45", 52424, "129.82.138.36", 60000, 0, 0, -1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; 54 | 55 | 56 | static int per_packet(libtrace_packet_t * pkt, libtrace_out_t * wr, int list) 57 | { 58 | // Create a new packet which is a copy of the old packet. 59 | libtrace_packet_t *copyPkt = trace_copy_packet(pkt); 60 | libtrace_ip_t *ip = trace_get_ip(copyPkt); 61 | libtrace_ip6_t *ip6 = trace_get_ip6(copyPkt); 62 | 63 | struct sockaddr_storage src_addr; 64 | struct sockaddr_storage dest_addr; 65 | struct sockaddr *src_addr_ptr; 66 | struct sockaddr *dest_addr_ptr; 67 | /* Packet data */ 68 | uint32_t remaining; 69 | /* L3 data */ 70 | void *l3; 71 | uint16_t ethertype; 72 | /* Transport data */ 73 | void *transport; 74 | uint8_t proto; 75 | /* Payload data */ 76 | void *payload; 77 | 78 | int i = 0; 79 | int ipMatch = -1; 80 | int pktSize; 81 | char srcIP[100]; 82 | char destIP[100]; 83 | 84 | l3 = trace_get_layer3(copyPkt,ðertype,&remaining); 85 | 86 | if (!l3) 87 | { 88 | /* Probable ARP or something */ 89 | return; 90 | } 91 | 92 | /* Get the UDP/TCP/ICMP header from the IPv4/IPv6 packet */ 93 | switch (ethertype) { 94 | case 0x0800: 95 | transport = trace_get_payload_from_ip( 96 | (libtrace_ip_t*)l3, 97 | &proto, 98 | &remaining); 99 | if (!transport) 100 | return; 101 | //++v4; 102 | break; 103 | case 0x86DD: 104 | transport = trace_get_payload_from_ip6( 105 | (libtrace_ip6_t*)l3, 106 | &proto, 107 | &remaining); 108 | if (!transport) 109 | return; 110 | //++v6; 111 | break; 112 | default: 113 | return; 114 | } 115 | 116 | // Get packet information 117 | //get port numbers 118 | int srcPort = trace_get_source_port(copyPkt); 119 | int destPort = trace_get_destination_port(copyPkt); 120 | src_addr_ptr = trace_get_source_address(copyPkt, (struct sockaddr *) &src_addr); 121 | dest_addr_ptr = trace_get_destination_address(copyPkt, (struct sockaddr *) &dest_addr); 122 | if( (NULL == src_addr_ptr) || (NULL == dest_addr_ptr) ) 123 | { 124 | return; 125 | } 126 | //get source ip address 127 | if (src_addr_ptr->sa_family == AF_INET) { 128 | struct sockaddr_in *src_v4 = (struct sockaddr_in *) src_addr_ptr; 129 | inet_ntop(AF_INET, &(src_v4->sin_addr), srcIP, 100); 130 | } 131 | //get destination ip address 132 | if (dest_addr_ptr->sa_family == AF_INET) { 133 | struct sockaddr_in *dest_v4 = (struct sockaddr_in *) dest_addr_ptr; 134 | inet_ntop(AF_INET, &(dest_v4->sin_addr), destIP, 100); 135 | } 136 | 137 | pktSize = trace_get_capture_length(copyPkt); 138 | 139 | struct ip_list * ipIterate; 140 | if(list == 0) 141 | { 142 | ipIterate = localIPHead; 143 | } 144 | else if(list == 1) 145 | { 146 | ipIterate = botnetIPHead; 147 | } 148 | if((list == 0) || (list == 1)) 149 | { 150 | if(list == 0) 151 | { 152 | if(IPBelongTo(localIP, srcIP, localSubnet) == 0) 153 | { 154 | ipMatch = 0; 155 | } 156 | else if( IPBelongTo(localIP, destIP, localSubnet) == 0) 157 | { 158 | ipMatch = 1; 159 | } 160 | else 161 | { 162 | ipMatch = -1; 163 | return; 164 | } 165 | } 166 | else if(list == 1) 167 | { 168 | if(IPBelongTo(botnetIP, srcIP, botnetSubnet) == 0) 169 | { 170 | ipMatch = 0; 171 | } 172 | else if( IPBelongTo(botnetIP, destIP, botnetSubnet) == 0) 173 | { 174 | ipMatch = 1; 175 | } 176 | else 177 | { 178 | ipMatch = -1; 179 | return; 180 | } 181 | } 182 | //the first ip 183 | if(ipIterate == NULL) 184 | { 185 | struct ip_list * new = (struct ip_list *)malloc(sizeof(struct ip_list)); 186 | if(ipMatch == 0) 187 | { 188 | strcpy(new->ip, srcIP); 189 | } 190 | else if(ipMatch == 1) 191 | { 192 | strcpy(new->ip, destIP); 193 | } 194 | new->next = NULL; 195 | new->paired = -1; 196 | if(list == 0) 197 | { 198 | localIPHead = new; 199 | localIPLast = new; 200 | localIPNum++; 201 | } 202 | else if(list == 1) 203 | { 204 | botnetIPHead = new; 205 | botnetIPLast = new; 206 | botnetIPNum++; 207 | } 208 | //printf("Add Head: %s\n", new->ip); 209 | } 210 | else 211 | { 212 | while(ipIterate) 213 | { 214 | if(ipMatch == 0) 215 | { 216 | if( strcmp(ipIterate->ip, srcIP) == 0) 217 | { 218 | return; 219 | } 220 | } 221 | else if(ipMatch == 1) 222 | { 223 | if( strcmp(ipIterate->ip, destIP) == 0) 224 | { 225 | return; 226 | } 227 | } 228 | ipIterate = ipIterate->next; 229 | } 230 | struct ip_list * new = (struct ip_list *)malloc(sizeof(struct ip_list)); 231 | new->next = NULL; 232 | new->paired = -1; 233 | if(ipMatch == 0) 234 | { 235 | strcpy(new->ip, srcIP); 236 | } 237 | else if(ipMatch == 1) 238 | { 239 | strcpy(new->ip, destIP); 240 | } 241 | if(list == 0) 242 | { 243 | localIPLast->next = new; 244 | localIPLast = new; 245 | localIPNum++; 246 | } 247 | else if(list == 1) 248 | { 249 | botnetIPLast->next = new; 250 | botnetIPLast = new; 251 | botnetIPNum++; 252 | } 253 | //printf("Add: %s\n", new->ip); 254 | } 255 | } 256 | else 257 | { 258 | struct ip_pair * pairIterate = localBotnetPairsHead; 259 | while(pairIterate) 260 | { 261 | if( (strcmp(srcIP, pairIterate->ip1) == 0) || (strcmp(destIP, pairIterate->ip1) == 0) ) 262 | { 263 | //printf("line: %d\n", __LINE__); 264 | ReplaceIP(ip, pairIterate->ip1, pairIterate->ip2, 32, 0); 265 | ReplaceIP(ip, pairIterate->ip1, pairIterate->ip2, 32, 1); 266 | //break; 267 | } 268 | pairIterate = pairIterate->next; 269 | } 270 | 271 | if (trace_write_packet(wr, copyPkt) == -1) 272 | { 273 | trace_perror_output(wr, "Writing packet"); 274 | return -1; 275 | } 276 | } 277 | trace_destroy_packet(copyPkt); 278 | return 0; 279 | 280 | } 281 | 282 | int main(int argc, char *argv[]) 283 | { 284 | char * p = NULL; 285 | clock_t start; 286 | clock_t end; 287 | double cost; 288 | int opt = 0; 289 | int psize = 0; 290 | int pktCount = 0; 291 | char bufferTemp[MAX_SIZE]; 292 | char inputFile[MAX_SIZE]; 293 | char outputFile[MAX_SIZE]; 294 | char botnetIPSubnet[MAX_SIZE]; 295 | char backgroundFile[MAX_SIZE]; 296 | 297 | if ((argc - optind) < 1) { 298 | usage(); 299 | exit(1); 300 | } 301 | 302 | while ((opt = getopt(argc, argv, "b:l:i:o:M:")) !=-1) 303 | { 304 | switch (opt) 305 | { 306 | case 'i': 307 | strcpy(inputFile, optarg); 308 | break; 309 | case 'o': 310 | strcpy(outputFile, optarg); 311 | break; 312 | case 'b': 313 | strcpy(backgroundFile, optarg); 314 | break; 315 | case 'l': 316 | p = NULL; 317 | strcpy(bufferTemp, optarg); 318 | p = strtok(bufferTemp, "/"); 319 | if(p) 320 | { 321 | strcpy(localIP, p); 322 | } 323 | p = strtok(NULL, "/"); 324 | if(p) 325 | { 326 | localSubnet = atoi(p); 327 | } 328 | printf("local_ip: %s, local_subnet: %d\n", localIP, localSubnet); 329 | break; 330 | case 'M': 331 | p = NULL; 332 | strcpy(bufferTemp, optarg); 333 | p = strtok(bufferTemp, "/"); 334 | if(p) 335 | { 336 | strcpy(botnetIP, p); 337 | } 338 | p = strtok(NULL, "/"); 339 | if(p) 340 | { 341 | botnetSubnet = atoi(p); 342 | } 343 | printf("botnet_ip: %s, botnet_subnet: %d\n", botnetIP, botnetSubnet); 344 | break; 345 | case 'h': 346 | usage(); 347 | exit(1); 348 | default: 349 | usage(); 350 | exit(1); 351 | } 352 | } 353 | 354 | time(&start); 355 | 356 | libtrace_t *trace = 0; 357 | libtrace_out_t *writer = 0; 358 | libtrace_packet_t *pkt = trace_create_packet(); 359 | 360 | // Open traces for reading and writing. 361 | trace = trace_create(inputFile); 362 | if (trace_is_err(trace)) { 363 | trace_perror(trace, "trace_create"); 364 | trace_destroy(trace); 365 | return 1; 366 | } 367 | if (trace_start(trace) == -1) { 368 | trace_perror(trace,"Starting trace"); 369 | //libtrace_cleanup(trace, output, packet); 370 | return 1; 371 | } 372 | for (;;) { 373 | psize = trace_read_packet(trace, pkt); 374 | if (psize == 0) { 375 | break; 376 | } 377 | if (psize < 0) { 378 | trace_perror(trace, "read_packet"); 379 | break; 380 | } 381 | if ((per_packet(pkt, writer, 1)) == -1) 382 | { 383 | fprintf(stderr, "Something went wrong in per_packet.\n"); 384 | break; 385 | } 386 | } 387 | //trace_destroy(trace); 388 | 389 | // Open background traces for reading and writing. 390 | trace = trace_create(backgroundFile); 391 | if (trace_is_err(trace)) { 392 | trace_perror(trace, "trace_create"); 393 | trace_destroy(trace); 394 | return 1; 395 | } 396 | if (trace_start(trace) == -1) { 397 | trace_perror(trace,"Starting trace"); 398 | //libtrace_cleanup(trace, output, packet); 399 | return 1; 400 | } 401 | for (;;) { 402 | psize = trace_read_packet(trace, pkt); 403 | if (psize == 0) { 404 | break; 405 | } 406 | if (psize < 0) { 407 | trace_perror(trace, "read_packet"); 408 | break; 409 | } 410 | if ((per_packet(pkt, writer, 0)) == -1) 411 | { 412 | fprintf(stderr, "Something went wrong in per_packet.\n"); 413 | break; 414 | } 415 | } 416 | //trace_destroy(trace); 417 | 418 | struct ip_list * ipIterate = localIPHead; 419 | 420 | int i = 0; 421 | int j = 0; 422 | int loop = 0; 423 | int tempLocalIPNum = localIPNum; 424 | for(i=0; iip1, ipIterate->ip); 434 | break; 435 | } 436 | loop++; 437 | ipIterate = ipIterate->next; 438 | } 439 | srand ( time(NULL) ); 440 | j = rand()%tempLocalIPNum; 441 | printf("local hosts: %d\n", localIPNum); 442 | printf("random: %d\n", j); 443 | tempLocalIPNum--; 444 | loop = 0; 445 | ipIterate = localIPHead; 446 | while(ipIterate) 447 | { 448 | if(loop == j) 449 | { 450 | if(ipIterate->paired == -1) 451 | { 452 | strcpy(newPair->ip2, ipIterate->ip); 453 | newPair->next = NULL; 454 | ipIterate->paired = 1; 455 | break; 456 | } 457 | loop--; 458 | } 459 | loop++; 460 | ipIterate = ipIterate->next; 461 | } 462 | if(localBotnetPairsHead == NULL) 463 | { 464 | localBotnetPairsHead = newPair; 465 | localBotnetPairsLast = newPair; 466 | } 467 | else 468 | { 469 | localBotnetPairsLast->next = newPair; 470 | localBotnetPairsLast = newPair; 471 | } 472 | } 473 | 474 | struct ip_pair * pairIterate = localBotnetPairsHead; 475 | while(pairIterate) 476 | { 477 | printf("botnet ip: %s <-> local ip: %s\n", pairIterate->ip1, pairIterate->ip2); 478 | pairIterate = pairIterate->next; 479 | } 480 | 481 | trace = trace_create(inputFile); 482 | if (trace_is_err(trace)) { 483 | trace_perror(trace, "trace_create"); 484 | trace_destroy(trace); 485 | return 1; 486 | } 487 | if (trace_start(trace) == -1) { 488 | trace_perror(trace,"Starting trace"); 489 | //libtrace_cleanup(trace, output, packet); 490 | return 1; 491 | } 492 | //writer = trace_create_output("pcap:testcp"); 493 | writer = trace_create_output(outputFile); 494 | if (trace_is_err_output(writer)) { 495 | trace_perror_output(writer, "trace_create_output"); 496 | trace_destroy_output(writer); 497 | trace_destroy(trace); 498 | trace_destroy_packet(pkt); 499 | return 1; 500 | } 501 | 502 | if (trace_start_output(writer) == -1) { 503 | trace_perror_output(writer,"Starting output trace"); 504 | //libtrace_cleanup(trace, output, packet); 505 | return 1; 506 | } 507 | for (;;) { 508 | psize = trace_read_packet(trace, pkt); 509 | if (psize == 0) { 510 | break; 511 | } 512 | if (psize < 0) { 513 | trace_perror(trace, "read_packet"); 514 | break; 515 | } 516 | if ((per_packet(pkt, writer, -1)) == -1) 517 | { 518 | fprintf(stderr, "Something went wrong in per_packet.\n"); 519 | break; 520 | } 521 | } 522 | 523 | //encrypt traffic and write to new file 524 | 525 | trace_destroy_packet(pkt); 526 | trace_destroy(trace); 527 | trace_destroy_output(writer); 528 | 529 | time(&end); 530 | cost = difftime(end, start); 531 | printf("running time: %f\n", cost); 532 | 533 | return 0; 534 | } 535 | -------------------------------------------------------------------------------- /GenerateTimestampForSSL.c: -------------------------------------------------------------------------------- 1 | /* 2 | Encrypt individual packet's payload 3 | 1. The encrypted payload size doesn't change: XOR, CFB, OFB 4 | Encrypt payload and put the encrypted payload back to packet 5 | 2. The encrypted payload size changes: ECB, CBC 6 | Step1: Encrypt payload 7 | Step2: Trim the encrypted payload as the same size of original payload size 8 | Step3: Put trimmed encrypted payload back to packet 9 | 3. Deal with GET/POST request in packet 10 | Search for "\d\r\d\r", the string after that is the payload need to encrypt 11 | 12 | Note: 13 | With IP replacement and GET/POST request parser 14 | IP replacement is not the latest version, code ConvertSSHTrace.c has the latest one 15 | */ 16 | 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include "libtrace.h" 25 | #include 26 | #include 27 | #include 28 | #include 29 | #include 30 | 31 | #define MAX_SIZE 1024 32 | 33 | struct time_adjust_record 34 | { 35 | char src_ip[16]; 36 | int src_port; 37 | char dest_ip[16]; 38 | int dest_port; 39 | int rtt_sec; 40 | int rtt_usec; 41 | int client_inter_sec; 42 | int client_inter_usec; 43 | int server_inter_sec; 44 | int server_inter_usec; 45 | int reaction_sec; 46 | int reaction_usec; 47 | int first_pkt_sec; 48 | int first_pkt_usec; 49 | int last_tv_sec; 50 | int last_tv_usec; 51 | int last_direction; 52 | }; 53 | 54 | int Set_Time_Adjust(char * buffer, int * i, int * j) 55 | { 56 | char * p = NULL; 57 | p = strtok(buffer, "."); 58 | if(p) 59 | { 60 | *i = atoi(p); 61 | } 62 | else 63 | { 64 | printf("Miss some number in time adjust file\n"); 65 | return 1; 66 | } 67 | p = strtok(NULL, "."); 68 | if(p) 69 | { 70 | *j = atoi(p); 71 | } 72 | else 73 | { 74 | printf("Miss some number time adjust file\n"); 75 | return 1; 76 | } 77 | return 0; 78 | } 79 | 80 | 81 | 82 | static int per_packet(libtrace_packet_t * pkt, FILE * fp_write, struct time_adjust_record * time_adjust_flow) 83 | { 84 | 85 | // Create a new packet which is a copy of the old packet. 86 | //libtrace_packet_t *copy_pkt = trace_copy_packet(pkt); 87 | libtrace_ip_t *ip = trace_get_ip(pkt); 88 | libtrace_ip6_t *ip6 = trace_get_ip6(pkt); 89 | 90 | struct sockaddr_storage src_addr; 91 | struct sockaddr_storage dest_addr; 92 | struct sockaddr *src_addr_ptr; 93 | struct sockaddr *dest_addr_ptr; 94 | /* L3 data */ 95 | void *l3; 96 | uint16_t ethertype; 97 | /* Transport data */ 98 | void *transport; 99 | uint8_t proto; 100 | /* Payload data */ 101 | uint32_t remaining; 102 | 103 | struct timeval ts; 104 | 105 | //printf("In per_packet line:%d\n", __LINE__); 106 | 107 | l3 = trace_get_layer3(pkt,ðertype,&remaining); 108 | 109 | if (!l3) 110 | { 111 | /* Probable ARP or something */ 112 | return; 113 | } 114 | 115 | /* Get the UDP/TCP/ICMP header from the IPv4/IPv6 packet */ 116 | /*switch (ethertype) { 117 | case 0x0800: 118 | transport = trace_get_payload_from_ip( 119 | (libtrace_ip_t*)l3, 120 | &proto, 121 | &remaining); 122 | if (!transport) 123 | return; 124 | //++v4; 125 | break; 126 | case 0x86DD: 127 | transport = trace_get_payload_from_ip6( 128 | (libtrace_ip6_t*)l3, 129 | &proto, 130 | &remaining); 131 | if (!transport) 132 | return; 133 | //++v6; 134 | break; 135 | default: 136 | return; 137 | }*/ 138 | 139 | // Get packet information 140 | //get port numbers 141 | int src_port = trace_get_source_port(pkt); 142 | int dest_port = trace_get_destination_port(pkt); 143 | src_addr_ptr = trace_get_source_address(pkt, (struct sockaddr *) &src_addr); 144 | dest_addr_ptr = trace_get_destination_address(pkt, (struct sockaddr *) &dest_addr); 145 | if( (NULL == src_addr_ptr) || (NULL == dest_addr_ptr) ) 146 | { 147 | //printf("In per_packet line:%d\n", __LINE__); 148 | return; 149 | } 150 | //get source ip address 151 | char src_ip[100]; 152 | if (src_addr_ptr->sa_family == AF_INET) { 153 | struct sockaddr_in *src_v4 = (struct sockaddr_in *) src_addr_ptr; 154 | inet_ntop(AF_INET, &(src_v4->sin_addr), src_ip, 100); 155 | } 156 | //get destination ip address 157 | char dest_ip[100]; 158 | if (dest_addr_ptr->sa_family == AF_INET) { 159 | struct sockaddr_in *dest_v4 = (struct sockaddr_in *) dest_addr_ptr; 160 | inet_ntop(AF_INET, &(dest_v4->sin_addr), dest_ip, 100); 161 | } 162 | 163 | ts = trace_get_timeval(pkt); 164 | struct timeval ts_adjust; 165 | ts_adjust.tv_sec = 0; 166 | ts_adjust.tv_usec = 0; 167 | 168 | 169 | //printf("1 %s %d %s %d\n", time_adjust_flow->src_ip, time_adjust_flow->src_port, time_adjust_flow->dest_ip, time_adjust_flow->dest_port); 170 | //printf("2 %s %d %s %d\n", src_ip, src_port, dest_ip, dest_port); 171 | if( (src_port == time_adjust_flow->src_port) && (strcmp(src_ip, time_adjust_flow->src_ip) == 0) && (dest_port == time_adjust_flow->dest_port) && (strcmp(dest_ip, time_adjust_flow->dest_ip) == 0) ) 172 | { 173 | //printf("CASE1: in per_packet line:%d\n", __LINE__); 174 | if(time_adjust_flow->last_direction == -1) 175 | { 176 | time_adjust_flow->last_direction = 0; 177 | ts_adjust.tv_sec = time_adjust_flow->first_pkt_sec; 178 | ts_adjust.tv_usec = time_adjust_flow->first_pkt_usec; 179 | } 180 | else if(time_adjust_flow->last_direction == 0) //update rtt 181 | { 182 | //add client inter arrival time 183 | if(time_adjust_flow->client_inter_usec + time_adjust_flow->last_tv_usec >= 1000000) 184 | { 185 | ts_adjust.tv_usec = time_adjust_flow->client_inter_usec + time_adjust_flow->last_tv_usec - 1000000; 186 | ts_adjust.tv_sec = time_adjust_flow->client_inter_sec + time_adjust_flow->last_tv_sec + 1; 187 | } 188 | else 189 | { 190 | ts_adjust.tv_sec = time_adjust_flow->client_inter_sec + time_adjust_flow->last_tv_sec; 191 | ts_adjust.tv_usec = time_adjust_flow->client_inter_usec + time_adjust_flow->last_tv_usec; 192 | } 193 | } 194 | else if(time_adjust_flow->last_direction == 1) 195 | { 196 | //add reaction time 197 | if(time_adjust_flow->reaction_usec + time_adjust_flow->last_tv_usec >= 1000000) 198 | { 199 | ts_adjust.tv_usec = time_adjust_flow->reaction_usec + time_adjust_flow->last_tv_usec - 1000000; 200 | ts_adjust.tv_sec = time_adjust_flow->reaction_sec + time_adjust_flow->last_tv_sec + 1; 201 | } 202 | else 203 | { 204 | ts_adjust.tv_usec = time_adjust_flow->reaction_usec + time_adjust_flow->last_tv_usec; 205 | ts_adjust.tv_sec = time_adjust_flow->reaction_sec + time_adjust_flow->last_tv_sec; 206 | } 207 | time_adjust_flow->last_direction = 0; 208 | } 209 | time_adjust_flow->last_tv_sec = ts_adjust.tv_sec; 210 | time_adjust_flow->last_tv_usec = ts_adjust.tv_usec; 211 | fprintf(fp_write, "%d, %d\n", time_adjust_flow->last_tv_sec, time_adjust_flow->last_tv_usec); 212 | //printf("%d, %d\n", time_adjust_flow->last_tv_sec, time_adjust_flow->last_tv_usec); 213 | } 214 | if( (src_port == time_adjust_flow->dest_port) && (strcmp(src_ip, time_adjust_flow->dest_ip) == 0) && (dest_port == time_adjust_flow->src_port) && (strcmp(dest_ip, time_adjust_flow->src_ip) == 0) ) 215 | { 216 | //printf("CASE2 in per_packet line:%d\n", __LINE__); 217 | if(time_adjust_flow->last_direction == -1) 218 | { 219 | time_adjust_flow->last_direction = 1; 220 | ts_adjust.tv_sec = time_adjust_flow->first_pkt_sec; 221 | ts_adjust.tv_usec = time_adjust_flow->first_pkt_usec; 222 | } 223 | else if(time_adjust_flow->last_direction == 1) //update rtt 224 | { 225 | //add server inter arrival time 226 | if(time_adjust_flow->server_inter_usec + time_adjust_flow->last_tv_usec >= 1000000) 227 | { 228 | ts_adjust.tv_usec = time_adjust_flow->server_inter_usec + time_adjust_flow->last_tv_usec - 1000000; 229 | ts_adjust.tv_sec = time_adjust_flow->server_inter_sec + time_adjust_flow->last_tv_sec + 1; 230 | } 231 | else 232 | { 233 | ts_adjust.tv_usec = time_adjust_flow->server_inter_usec + time_adjust_flow->last_tv_usec; 234 | ts_adjust.tv_sec = time_adjust_flow->server_inter_sec + time_adjust_flow->last_tv_sec; 235 | } 236 | //printf("Pkt: %d, last_tv_sec: %d last_tv_usec: %d, ts.tv_sec: %u, ts.tv_usec: %u, rtt_avg_direct0: %f\n", flow_stats.pkt_count, flow_stats.last_tv_sec, flow_stats.last_tv_usec, ts.tv_sec, ts.tv_usec, flow_stats.rtt_avg_direct1); 237 | } 238 | else if(time_adjust_flow->last_direction == 0) 239 | { 240 | // add client RTT 241 | if(time_adjust_flow->rtt_usec + time_adjust_flow->last_tv_usec >= 1000000) 242 | { 243 | ts_adjust.tv_usec = time_adjust_flow->rtt_usec + time_adjust_flow->last_tv_usec - 1000000; 244 | ts_adjust.tv_sec = time_adjust_flow->rtt_sec + time_adjust_flow->last_tv_sec + 1; 245 | } 246 | else 247 | { 248 | ts_adjust.tv_sec = time_adjust_flow->rtt_sec + time_adjust_flow->last_tv_sec; 249 | ts_adjust.tv_usec = time_adjust_flow->rtt_usec + time_adjust_flow->last_tv_usec; 250 | } 251 | time_adjust_flow->last_direction = 1; 252 | } 253 | time_adjust_flow->last_tv_sec = ts_adjust.tv_sec; 254 | time_adjust_flow->last_tv_usec = ts_adjust.tv_usec; 255 | fprintf(fp_write, "%d, %d\n", time_adjust_flow->last_tv_sec, time_adjust_flow->last_tv_usec); 256 | //printf("%d, %d\n", time_adjust_flow->last_tv_sec, time_adjust_flow->last_tv_usec); 257 | } 258 | 259 | //trace_destroy_packet(copy_pkt); 260 | return 0; 261 | 262 | /*if ( (strcmp(src_ip, "")) || (strcmp(dest_ip, "")) ) 263 | { 264 | sprintf(OutputBuffer, "sec: %u, usec: %u, src_ip: %s, src_port: %d, dest_ip: %s, dest_port: %d, pkt_size: %d, remaining: %d", ts.tv_sec, ts.tv_usec, src_ip, src_port, dest_ip, dest_port, pkt_size, remaining); 265 | }*/ 266 | 267 | } 268 | 269 | int main(int argc, char *argv[]) 270 | { 271 | clock_t start; 272 | clock_t end; 273 | double function_time; 274 | 275 | struct time_adjust_record time_adjust_flow1 = {"0.0.0.0", 0, "0.0.0.0", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, -1}; 276 | char * p = NULL; 277 | FILE * fp_time_adjust = NULL; 278 | FILE * fp_write = NULL; 279 | char time_adjust_file[128]; 280 | char file_write[256]; 281 | char input_file[256]; 282 | char buffer[256]; 283 | 284 | if (argc < 4) 285 | { 286 | printf("Please enter two parameters: read_file and write_file\n"); 287 | return 1; 288 | } 289 | 290 | strcpy(input_file, argv[1]); 291 | strcpy(time_adjust_file, argv[2]); 292 | strcpy(file_write, argv[3]); 293 | 294 | if((fp_time_adjust = fopen(time_adjust_file, "r")) == NULL) //open the file to read 295 | { 296 | fprintf(stderr, "Open time adjust file: %s failed\n", time_adjust_file); 297 | exit(1); 298 | } 299 | memset(buffer, '\0', sizeof(buffer)); 300 | fgets(buffer, sizeof(buffer), fp_time_adjust); 301 | p = strtok(buffer, " "); 302 | if(p) 303 | { 304 | strcpy( time_adjust_flow1.src_ip, p); 305 | } 306 | p = strtok(NULL, " "); 307 | if(p) 308 | { 309 | time_adjust_flow1.src_port = atoi(p); 310 | } 311 | p = strtok(NULL, " "); 312 | if(p) 313 | { 314 | strcpy( time_adjust_flow1.dest_ip, p); 315 | } 316 | p = strtok(NULL, " "); 317 | if(p) 318 | { 319 | time_adjust_flow1.dest_port = atoi(p); 320 | } 321 | //printf("flow: %s:%d %s:%d\n", time_adjust_flow1.src_ip, time_adjust_flow1.src_port, time_adjust_flow1.dest_ip, time_adjust_flow1.dest_port); 322 | memset(buffer, '\0', sizeof(buffer)); 323 | fgets(buffer, sizeof(buffer), fp_time_adjust); 324 | if( Set_Time_Adjust(buffer, &time_adjust_flow1.first_pkt_sec, &time_adjust_flow1.first_pkt_usec) != 0 ) 325 | { 326 | printf("line: %d\n", __LINE__); 327 | exit(1); 328 | } 329 | //printf("First packet second: %d, usecond: %d\n", time_adjust_flow1.first_pkt_sec, time_adjust_flow1.first_pkt_usec); 330 | memset(buffer, '\0', sizeof(buffer)); 331 | fgets(buffer, sizeof(buffer), fp_time_adjust); 332 | if( Set_Time_Adjust(buffer, &time_adjust_flow1.client_inter_sec, &time_adjust_flow1.client_inter_usec) != 0 ) 333 | { 334 | printf("line: %d\n", __LINE__); 335 | exit(1); 336 | } 337 | //printf("Client packet inter arrival second: %d, usecond: %d\n", time_adjust_flow1.client_inter_sec, time_adjust_flow1.client_inter_usec); 338 | memset(buffer, '\0', sizeof(buffer)); 339 | fgets(buffer, sizeof(buffer), fp_time_adjust); 340 | if( Set_Time_Adjust(buffer, &time_adjust_flow1.server_inter_sec, &time_adjust_flow1.server_inter_usec) != 0 ) 341 | { 342 | printf("line: %d\n", __LINE__); 343 | exit(1); 344 | } 345 | //printf("Server packet inter arrival second: %d, usecond: %d\n", time_adjust_flow1.server_inter_sec, time_adjust_flow1.server_inter_usec); 346 | memset(buffer, '\0', sizeof(buffer)); 347 | fgets(buffer, sizeof(buffer), fp_time_adjust); 348 | if( Set_Time_Adjust(buffer, &time_adjust_flow1.reaction_sec, &time_adjust_flow1.reaction_usec) != 0 ) 349 | { 350 | printf("line: %d\n", __LINE__); 351 | exit(1); 352 | } 353 | //printf("Client reaction second: %d, usecond: %d\n", time_adjust_flow1.reaction_sec, time_adjust_flow1.reaction_usec); 354 | memset(buffer, '\0', sizeof(buffer)); 355 | fgets(buffer, sizeof(buffer), fp_time_adjust); 356 | if( Set_Time_Adjust(buffer, &time_adjust_flow1.rtt_sec, &time_adjust_flow1.rtt_usec) != 0 ) 357 | { 358 | printf("line: %d\n", __LINE__); 359 | exit(1); 360 | } 361 | //time_adjust_flow1.rtt_usec = time_adjust_flow1.rtt_sec*1000 + time_adjust_flow1.rtt_usec*1000; 362 | //time_adjust_flow1.rtt_sec = time_adjust_flow1.rtt_sec/1000; 363 | //printf("Client RTT second: %d, usecond: %d\n", time_adjust_flow1.rtt_sec, time_adjust_flow1.rtt_usec); 364 | fclose(fp_time_adjust); 365 | 366 | if((fp_write=fopen(file_write, "w")) == NULL) //open the file to read 367 | { 368 | fprintf(stderr, "Open write file: %s failed\n", file_write); 369 | exit(1); 370 | } 371 | 372 | libtrace_t *trace = 0; 373 | libtrace_out_t *writer = 0; 374 | libtrace_packet_t *pkt = trace_create_packet(); 375 | 376 | // Open traces for reading and writing. 377 | trace = trace_create(input_file); 378 | if (trace_is_err(trace)) { 379 | trace_perror(trace, "trace_create"); 380 | trace_destroy(trace); 381 | return 1; 382 | } 383 | if (trace_start(trace) == -1) { 384 | trace_perror(trace,"Starting trace"); 385 | //libtrace_cleanup(trace, output, packet); 386 | return 1; 387 | } 388 | 389 | //char output_file[] = "pcap:ttt.pcap"; 390 | //writer = trace_create_output("pcap:testcp"); 391 | /*writer = trace_create_output(output_file); 392 | if (trace_is_err_output(writer)) { 393 | trace_perror_output(writer, "trace_create_output"); 394 | trace_destroy_output(writer); 395 | trace_destroy(trace); 396 | trace_destroy_packet(pkt); 397 | return 1; 398 | } 399 | 400 | if (trace_start_output(writer) == -1) { 401 | trace_perror_output(writer,"Starting output trace"); 402 | //libtrace_cleanup(trace, output, packet); 403 | return 1; 404 | }*/ 405 | 406 | int psize = 0; 407 | int pkt_count = 0; 408 | for (;;) { 409 | psize = trace_read_packet(trace, pkt); 410 | if (psize == 0) { 411 | break; 412 | } 413 | if (psize < 0) { 414 | trace_perror(trace, "read_packet"); 415 | break; 416 | } 417 | //if(pkt_count < 50) 418 | { 419 | //printf("packet: %d\n", pkt_count); 420 | if ((per_packet(pkt, fp_write, &time_adjust_flow1)) == -1) 421 | { 422 | fprintf(stderr, "Something went wrong in per_packet.\n"); 423 | break; 424 | } 425 | } 426 | pkt_count++; 427 | } 428 | 429 | trace_destroy_packet(pkt); 430 | trace_destroy(trace); 431 | //trace_destroy_output(writer); 432 | fclose(fp_write); 433 | 434 | return 0; 435 | } 436 | -------------------------------------------------------------------------------- /Packet_Encryption.c: -------------------------------------------------------------------------------- 1 | 2 | /* 3 | * Copyright (C) <2015> 4 | 5 | * BotTalker is free software: you can redistribute it and/or modify 6 | * it under the terms of the GNU General Public License as published 7 | * by the Free Software Foundation, either version 3 of the License, 8 | * or (at your option) any later version. 9 | 10 | * BotTalker is distributed in the hope that it will be useful, 11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | * GNU General Public License for more details. 14 | 15 | * You should have received a copy of the GNU General Public License 16 | * along with this program. If not, see . 17 | 18 | * Contact information: 19 | * Email: zhanghan0116@gmail.com 20 | */ 21 | 22 | /* 23 | Encrypt individual packet's payload 24 | 1. The encrypted payload size doesn't change: XOR, CFB, OFB 25 | Encrypt payload and put the encrypted payload back to packet 26 | 2. The encrypted payload size changes: ECB, CBC 27 | Step1: Encrypt payload 28 | Step2: Trim the encrypted payload as the same size of original payload size 29 | Step3: Put trimmed encrypted payload back to packet 30 | */ 31 | 32 | #include 33 | #include 34 | #include 35 | #include 36 | #include 37 | #include 38 | #include 39 | #include "libtrace.h" 40 | #include 41 | #include 42 | #include 43 | #include 44 | #include 45 | #include "BotTalkerFunctions.c" 46 | 47 | #define MAX_SIZE 1024 48 | 49 | int oriSubnet = 32; 50 | int replaceSubnet = 32; 51 | int enableIPAnonymize = 0; //1 means the ip needs to be anonymized 52 | int enablePortFilter = 0; //1 means the port needs to be filtered 53 | int enableEncryption = 0; //1 means the data needs to be encrypted 54 | int enableKeyIV = 0; 55 | int encryptAll = 0; //encrypt all the traffic, otherwise encrypt a specific flow 56 | int enableEncryptExecutable = 0; //1 means use the executable magic number files 57 | int enableReplaceIP = 0; //apply IP replacement 58 | int enableReplaceCertainIP = 0; 59 | int enableReplaceAllIP = 0; 60 | char oriIP[16]; //original IP 61 | char replaceIP[16]; //new IP 62 | char encryptionAlgorithm[32]; //specify the encryption algorithm 63 | extern struct flow_record * flowExtractHead; 64 | extern struct flow_record * flowExtractLast; 65 | extern struct ip_list * ipExclusion; 66 | extern struct port_list * portExclusion; 67 | //struct flow_rtt_inter flow_stats = {0, "129.82.138.45", 52424, "129.82.138.36", 60000, 0, 0, -1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; 68 | 69 | static int per_packet(libtrace_packet_t * pkt, libtrace_out_t * wr, char * key, char *iv, char * encryptionAlgorithm) 70 | { 71 | EVP_CIPHER_CTX ctx; 72 | 73 | if(enableEncryption == 1) 74 | { 75 | if( strcmp(encryptionAlgorithm, "xor") != 0 ) 76 | { 77 | set_encryption_algorithm(encryptionAlgorithm, &ctx, key, iv); 78 | } 79 | } 80 | 81 | // Create a new packet which is a copy of the old packet. 82 | libtrace_packet_t *copyPkt = trace_copy_packet(pkt); 83 | libtrace_ip_t *ip = trace_get_ip(copyPkt); 84 | libtrace_ip6_t *ip6 = trace_get_ip6(copyPkt); 85 | 86 | struct flow_record * iteFlowRecord; 87 | struct sockaddr_storage src_addr; 88 | struct sockaddr_storage dest_addr; 89 | struct sockaddr *src_addr_ptr; 90 | struct sockaddr *dest_addr_ptr; 91 | /* Packet data */ 92 | uint32_t remaining; 93 | /* L3 data */ 94 | void *l3; 95 | uint16_t ethertype; 96 | /* Transport data */ 97 | void *transport; 98 | uint8_t proto; 99 | /* Payload data */ 100 | void *payload; 101 | 102 | int i = 0; 103 | int pktSize; 104 | char srcIP[100]; 105 | char destIP[100]; 106 | char *ct, *out; 107 | char * encryptedContent = NULL; 108 | char final[EVP_MAX_BLOCK_LENGTH]; 109 | struct timeval ts; 110 | 111 | l3 = trace_get_layer3(copyPkt,ðertype,&remaining); 112 | 113 | if (!l3) 114 | { 115 | /* Probable ARP or something */ 116 | return; 117 | } 118 | 119 | /* Get the UDP/TCP/ICMP header from the IPv4/IPv6 packet */ 120 | switch (ethertype) { 121 | case 0x0800: 122 | transport = trace_get_payload_from_ip( 123 | (libtrace_ip_t*)l3, 124 | &proto, 125 | &remaining); 126 | if (!transport) 127 | return; 128 | //++v4; 129 | break; 130 | case 0x86DD: 131 | transport = trace_get_payload_from_ip6( 132 | (libtrace_ip6_t*)l3, 133 | &proto, 134 | &remaining); 135 | if (!transport) 136 | return; 137 | //++v6; 138 | break; 139 | default: 140 | return; 141 | } 142 | 143 | // Get packet information 144 | //get port numbers 145 | int srcPort = trace_get_source_port(copyPkt); 146 | int destPort = trace_get_destination_port(copyPkt); 147 | src_addr_ptr = trace_get_source_address(copyPkt, (struct sockaddr *) &src_addr); 148 | dest_addr_ptr = trace_get_destination_address(copyPkt, (struct sockaddr *) &dest_addr); 149 | if( (NULL == src_addr_ptr) || (NULL == dest_addr_ptr) ) 150 | { 151 | return; 152 | } 153 | //get source ip address 154 | if (src_addr_ptr->sa_family == AF_INET) { 155 | struct sockaddr_in *src_v4 = (struct sockaddr_in *) src_addr_ptr; 156 | inet_ntop(AF_INET, &(src_v4->sin_addr), srcIP, 100); 157 | } 158 | //get destination ip address 159 | if (dest_addr_ptr->sa_family == AF_INET) { 160 | struct sockaddr_in *dest_v4 = (struct sockaddr_in *) dest_addr_ptr; 161 | inet_ntop(AF_INET, &(dest_v4->sin_addr), destIP, 100); 162 | } 163 | 164 | if( (CheckExclusionPort(srcPort)==1) || (CheckExclusionPort(destPort)==1) ) 165 | { 166 | goto IP_Replace; 167 | } 168 | 169 | ts = trace_get_timeval(copyPkt); 170 | pktSize = trace_get_capture_length(copyPkt); 171 | 172 | if(enableEncryption == 1) 173 | { 174 | iteFlowRecord = flowExtractHead; 175 | while(iteFlowRecord) 176 | { 177 | if( (encryptAll == 0) && (proto == iteFlowRecord->proto) && ( ( (srcPort == iteFlowRecord->src_port) && (strcmp( srcIP, iteFlowRecord->src_ip) == 0) && (destPort == iteFlowRecord->dest_port) && (strcmp(destIP, iteFlowRecord->dest_ip) == 0) ) || ( (destPort == iteFlowRecord->src_port) && (strcmp(destIP, iteFlowRecord->src_ip ) == 0) && (srcPort == iteFlowRecord->dest_port) && (strcmp(srcIP, iteFlowRecord->dest_ip) == 0 ) ) ) ) 178 | { 179 | break; 180 | } 181 | iteFlowRecord = iteFlowRecord->next; 182 | } 183 | if( (iteFlowRecord != NULL) || (encryptAll == 1) ) 184 | { 185 | if(proto == 17) //udp 186 | { 187 | payload = trace_get_payload_from_udp( (libtrace_udp_t*)transport, &remaining); 188 | char * temp = (char*)transport+sizeof(libtrace_udp_t); 189 | int dataLen = ntohs(((libtrace_udp_t*) transport)->len)-8; 190 | struct libtrace_udp *udp; 191 | udp=trace_get_udp_from_ip(ip,NULL); 192 | //encrypt the payload 193 | char payloadCopy[dataLen+1]; 194 | char payloadEncryptCopy[dataLen+1]; 195 | memset(payloadCopy, '\0', sizeof(payloadCopy)); 196 | memset(payloadEncryptCopy, '\0', sizeof(payloadEncryptCopy)); 197 | if(dataLen > 0) 198 | { 199 | memcpy(payloadCopy, temp, dataLen); 200 | if( strcmp(encryptionAlgorithm, "xor") == 0 ) 201 | { 202 | encryptedContent = (char *)malloc(dataLen * sizeof(char)); 203 | encrypt_xor(payloadCopy, encryptedContent, key, dataLen); 204 | } 205 | else 206 | { 207 | encryptedContent = encrypt_OpenSSL(&ctx, payloadCopy, dataLen, &i); 208 | } 209 | memcpy(transport+sizeof(libtrace_udp_t), encryptedContent, dataLen); 210 | memcpy(payloadEncryptCopy, encryptedContent, dataLen); 211 | payload_checksum(&udp->check, payloadCopy, payloadEncryptCopy, dataLen); 212 | if( strcmp(encryptionAlgorithm, "xor") == 0 ) 213 | { 214 | free(encryptedContent); 215 | } 216 | } 217 | } 218 | 219 | if(proto == 6) //tcp 220 | { 221 | payload = trace_get_payload_from_tcp( (libtrace_tcp_t*)transport, &remaining); 222 | int dlen = ((libtrace_tcp_t*) transport)->doff*4; 223 | int dataLen = ntohs(ip->ip_len)-dlen-4*(ip->ip_hl); 224 | char * temp = ((char *)transport+dlen); 225 | char payloadCopy[dataLen+1]; 226 | char payloadEncryptCopy[dataLen+1]; 227 | memset(payloadCopy, '\0', sizeof(payloadCopy)); 228 | memset(payloadEncryptCopy, '\0', sizeof(payloadEncryptCopy)); 229 | if(dataLen>0) 230 | { 231 | struct libtrace_tcp *tcp; 232 | tcp=trace_get_tcp_from_ip(ip,NULL); 233 | //update_in_cksum32(&tcp->ip_sum, old_ip, htonl(new_ip)); 234 | memcpy(payloadCopy, temp, dataLen); 235 | if( strcmp(encryptionAlgorithm, "xor") == 0 ) 236 | { 237 | encryptedContent = (char *)malloc( (dataLen) * sizeof(char)); 238 | encrypt_xor(payloadCopy, encryptedContent, key, dataLen); 239 | } 240 | else 241 | { 242 | encryptedContent = encrypt_OpenSSL(&ctx, payloadCopy, dataLen, &i); 243 | } 244 | memcpy(transport+sizeof(libtrace_tcp_t), encryptedContent, dataLen); 245 | memcpy(payloadEncryptCopy, encryptedContent, dataLen); 246 | payload_checksum(&tcp->check, payloadCopy, payloadEncryptCopy, dataLen); 247 | if( strcmp(encryptionAlgorithm, "xor") == 0 ) 248 | { 249 | free(encryptedContent); 250 | } 251 | } 252 | } 253 | } 254 | } 255 | 256 | IP_Replace: 257 | 258 | if(enableReplaceIP == 1) 259 | { 260 | if(enableReplaceAllIP == 1) //replace all the external ip addresses 261 | { 262 | if(CheckExclusionIP(srcIP)==0) //replace src ip 263 | { 264 | ReplaceIP_All(ip, oriIP, replaceIP, oriSubnet, replaceSubnet, 0); 265 | } 266 | if(CheckExclusionIP(destIP)==0) //replace dest ip 267 | { 268 | ReplaceIP_All(ip, oriIP, replaceIP, oriSubnet, replaceSubnet, 1); 269 | } 270 | } 271 | if(enableReplaceCertainIP == 1) //replace certain ip addresses 272 | { 273 | if(CheckExclusionIP(srcIP)==0) //replace src ip 274 | { 275 | ReplaceIP(ip, oriIP, replaceIP, oriSubnet, 0); 276 | } 277 | if(CheckExclusionIP(destIP)==0) //replace dest ip 278 | { 279 | ReplaceIP(ip, oriIP, replaceIP, oriSubnet, 1); 280 | } 281 | } 282 | } 283 | 284 | if (trace_write_packet(wr, copyPkt) == -1) 285 | { 286 | trace_perror_output(wr, "Writing packet"); 287 | return -1; 288 | } 289 | trace_destroy_packet(copyPkt); 290 | return 0; 291 | } 292 | 293 | int main(int argc, char *argv[]) 294 | { 295 | EVP_CIPHER_CTX ctx; 296 | FILE * fpKeyIV = NULL; 297 | char * key = NULL; 298 | char * iv; 299 | char * p = NULL; 300 | clock_t start; 301 | clock_t end; 302 | double cost; 303 | int opt = 0; 304 | int psize = 0; 305 | int pktCount = 0; 306 | int keyBytesCount = 0; 307 | int ivBytesCount = 0; 308 | int cipherBlockSize = 0; 309 | int cipherKeySize = 0; 310 | int cipherIVSize = 0; 311 | char bufferTemp[MAX_SIZE]; 312 | char keyIVBuffer[MAX_SIZE]; 313 | char keyIVTemp[MAX_SIZE]; 314 | char IPReplaceFile[MAX_SIZE]; 315 | char encryption[MAX_SIZE]; 316 | char ipExclusionFile[MAX_SIZE]; 317 | char portExclusionFile[MAX_SIZE]; 318 | int enableIPExclusion = 0; 319 | int enablePortExclusion = 0; 320 | char flowsFile[MAX_SIZE]; 321 | char inputFile[MAX_SIZE]; 322 | char outputFile[MAX_SIZE]; 323 | char keyIVFile[MAX_SIZE]; 324 | char encryptionAlgorithm[16]; 325 | char exeMagicNumberFile[MAX_SIZE]; 326 | char oriReplaceIP[MAX_SIZE]; 327 | 328 | if ((argc - optind) < 1) { 329 | usage(); 330 | exit(1); 331 | } 332 | 333 | while ((opt = getopt(argc, argv, "a:d:e:f:k:i:nNo:r:")) !=-1) 334 | { 335 | switch (opt) 336 | { 337 | case 'a': 338 | strcpy(ipExclusionFile, optarg); 339 | enableIPExclusion = 1; 340 | break; 341 | case 'd': 342 | strcpy(portExclusionFile, optarg); 343 | enablePortExclusion = 1; 344 | break; 345 | case 'i': 346 | strcpy(inputFile, optarg); 347 | break; 348 | case 'o': 349 | strcpy(outputFile, optarg); 350 | break; 351 | case 'k': 352 | enableKeyIV = 1; 353 | strcpy(keyIVFile, optarg); 354 | break; 355 | case 'e': 356 | enableEncryption = 1; 357 | strcpy(encryptionAlgorithm, optarg); 358 | printf("encryptionAlgorithm: %s\n", encryptionAlgorithm); 359 | break; 360 | case 'f': 361 | /*encrypt all the traffic*/ 362 | if(strcmp("all", optarg) == 0) 363 | { 364 | encryptAll = 1; 365 | printf("Encrypt all the traffic\n"); 366 | } 367 | else 368 | { 369 | strcpy(flowsFile, optarg); 370 | } 371 | break; 372 | case 'n': 373 | enableReplaceCertainIP = 1; 374 | break; 375 | case 'N': 376 | enableReplaceAllIP = 1; 377 | break; 378 | case 'r': 379 | enableReplaceIP = 1; 380 | strcpy(oriReplaceIP, optarg); 381 | p = NULL; 382 | p = strtok(oriReplaceIP, "/"); 383 | if(p) 384 | { 385 | strcpy(oriIP, p); 386 | } 387 | p = strtok(NULL, " "); 388 | if(p) 389 | { 390 | oriSubnet = atoi(p); 391 | } 392 | p = strtok(NULL, "/"); 393 | if(p) 394 | { 395 | strcpy(replaceIP, p); 396 | } 397 | p = strtok(NULL, " "); 398 | if(p) 399 | { 400 | replaceSubnet = atoi(p); 401 | } 402 | //printf("ori_ip: %s, ori_subnet: %d, replace_ip: %s, replace_subnet: %d\n", oriIP, oriSubnet, replaceIP, replaceSubnet); 403 | break; 404 | case 'h': 405 | usage(); 406 | exit(1); 407 | default: 408 | usage(); 409 | exit(1); 410 | } 411 | } 412 | 413 | time(&start); 414 | 415 | if(enableIPExclusion == 1) 416 | { 417 | ReadIPExclusionRecords(ipExclusionFile); 418 | } 419 | if(enablePortExclusion == 1) 420 | { 421 | ReadPortExclusionRecords(portExclusionFile); 422 | } 423 | if(enableKeyIV == 1) 424 | { 425 | if(encryptAll != 1) 426 | { 427 | ReadFlowRecords(flowsFile); 428 | } 429 | //extract key and iv 430 | if((fpKeyIV = fopen(keyIVFile, "r")) == NULL) //open the file to read 431 | { 432 | fprintf(stderr, "Read key and iv file: %s failed\n", keyIVFile); 433 | exit(1); 434 | } 435 | //read and parse the key 436 | memset(keyIVBuffer, '\0', sizeof(keyIVBuffer)); 437 | fgets(keyIVBuffer, sizeof(keyIVBuffer), fpKeyIV); 438 | key = (char *)malloc(sizeof(char) * strlen(keyIVBuffer)); 439 | strcpy(key, keyIVBuffer); 440 | memset(key+strlen(keyIVBuffer)-1, '\0', 1); 441 | printf("key: %s\n", key); 442 | //read and parse the iv 443 | memset(keyIVBuffer, '\0', sizeof(keyIVBuffer)); 444 | if( fgets(keyIVBuffer, sizeof(keyIVBuffer), fpKeyIV) != NULL ) 445 | { 446 | iv = (char *)malloc(sizeof(char) * strlen(keyIVBuffer)); 447 | strcpy(iv, keyIVBuffer); 448 | memset(iv+strlen(iv)-1, '\0', 1); 449 | printf("iv: %s\n", iv); 450 | } 451 | } 452 | 453 | libtrace_t *trace = 0; 454 | libtrace_out_t *writer = 0; 455 | libtrace_packet_t *pkt = trace_create_packet(); 456 | 457 | // Open traces for reading and writing. 458 | trace = trace_create(inputFile); 459 | if (trace_is_err(trace)) { 460 | trace_perror(trace, "trace_create"); 461 | trace_destroy(trace); 462 | return 1; 463 | } 464 | if (trace_start(trace) == -1) { 465 | trace_perror(trace,"Starting trace"); 466 | //libtrace_cleanup(trace, output, packet); 467 | return 1; 468 | } 469 | 470 | //writer = trace_create_output("pcap:testcp"); 471 | writer = trace_create_output(outputFile); 472 | if (trace_is_err_output(writer)) { 473 | trace_perror_output(writer, "trace_create_output"); 474 | trace_destroy_output(writer); 475 | trace_destroy(trace); 476 | trace_destroy_packet(pkt); 477 | return 1; 478 | } 479 | 480 | if (trace_start_output(writer) == -1) { 481 | trace_perror_output(writer,"Starting output trace"); 482 | //libtrace_cleanup(trace, output, packet); 483 | return 1; 484 | } 485 | 486 | //encrypt traffic and write to new file 487 | for (;;) { 488 | psize = trace_read_packet(trace, pkt); 489 | if (psize == 0) { 490 | break; 491 | } 492 | if (psize < 0) { 493 | trace_perror(trace, "read_packet"); 494 | break; 495 | } 496 | //if(pkt_count < 50) 497 | { 498 | if ((per_packet(pkt, writer, key, iv, encryptionAlgorithm)) == -1) 499 | { 500 | fprintf(stderr, "Something went wrong in per_packet.\n"); 501 | break; 502 | } 503 | } 504 | pktCount++; 505 | } 506 | 507 | trace_destroy_packet(pkt); 508 | trace_destroy(trace); 509 | trace_destroy_output(writer); 510 | 511 | time(&end); 512 | cost = difftime(end, start); 513 | printf("running time: %f\n", cost); 514 | 515 | return 0; 516 | } 517 | -------------------------------------------------------------------------------- /Flow_Encryption_SingleFlow.c: -------------------------------------------------------------------------------- 1 | 2 | /* 3 | * Copyright (C) <2015> 4 | 5 | * BotTalker is free software: you can redistribute it and/or modify 6 | * it under the terms of the GNU General Public License as published 7 | * by the Free Software Foundation, either version 3 of the License, 8 | * or (at your option) any later version. 9 | 10 | * BotTalker is distributed in the hope that it will be useful, 11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | * GNU General Public License for more details. 14 | 15 | * You should have received a copy of the GNU General Public License 16 | * along with this program. If not, see . 17 | 18 | * Contact information: 19 | * Email: zhanghan0116@gmail.com 20 | */ 21 | 22 | /* 23 | Encryption Algorithm 24 | Encrypted data size doesn't change: XOR, CFB, OFB 25 | 1. Read flow payload from file 26 | 2. encrypt data 27 | 3. put encrypted data back into packets 28 | */ 29 | 30 | #include 31 | #include 32 | #include 33 | #include 34 | #include 35 | #include 36 | #include 37 | #include "libtrace.h" 38 | #include 39 | #include 40 | #include 41 | #include 42 | #include 43 | #include "BotTalkerFunctions.c" 44 | 45 | #define MAX_SIZE 1024 46 | 47 | int oriSubnet = 32; 48 | int replaceSubnet = 32; 49 | int enableIPAnonymize = 0; //1 means the ip needs to be anonymized 50 | int enablePortFilter = 0; //1 means the port needs to be filtered 51 | int enableEncryption = 0; //1 means the data needs to be encrypted 52 | int enableKeyIV = 0; 53 | int enableReplaceCertainIP = 0; 54 | int enableReplaceAllIP = 0; 55 | int encryptAll = 0; //encrypt all the traffic, otherwise encrypt a specific flow 56 | int enableEncryptExecutable = 0; //1 means use the executable magic number files 57 | int enableReplaceIP = 0; //apply IP replacement 58 | char oriIP[16]; //original IP 59 | char replaceIP[16]; //new IP 60 | char encryptionAlgorithm[32]; //specify the encryption algorithm 61 | struct flow_record flowExtract; 62 | //struct flow_rtt_inter flow_stats = {0, "129.82.138.45", 52424, "129.82.138.36", 60000, 0, 0, -1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; 63 | 64 | static int per_packet_write_to_file(libtrace_packet_t * pkt, struct flow_record * flowExtract) 65 | { 66 | // Create a new packet which is a copy of the old packet. 67 | //libtrace_packet_t *copy_pkt = trace_copy_packet(pkt); 68 | libtrace_ip_t *ip = trace_get_ip(pkt); 69 | libtrace_ip6_t *ip6 = trace_get_ip6(pkt); 70 | 71 | struct sockaddr_storage src_addr; 72 | struct sockaddr_storage dest_addr; 73 | struct sockaddr *src_addr_ptr; 74 | struct sockaddr *dest_addr_ptr; 75 | /* Packet data */ 76 | uint32_t remaining; 77 | /* L3 data */ 78 | void *l3; 79 | uint16_t ethertype; 80 | /* Transport data */ 81 | void *transport; 82 | uint8_t proto; 83 | /* Payload data */ 84 | void *payload; 85 | 86 | int i = 0; 87 | int loop = 0; 88 | char srcIP[100]; 89 | char destIP[100]; 90 | struct timeval ts; 91 | 92 | l3 = trace_get_layer3(pkt,ðertype,&remaining); 93 | 94 | if (!l3) 95 | { 96 | /* Probable ARP or something */ 97 | return; 98 | } 99 | 100 | /* Get the UDP/TCP/ICMP header from the IPv4/IPv6 packet */ 101 | switch (ethertype) { 102 | case 0x0800: 103 | transport = trace_get_payload_from_ip( 104 | (libtrace_ip_t*)l3, 105 | &proto, 106 | &remaining); 107 | if (!transport) 108 | return; 109 | //++v4; 110 | break; 111 | case 0x86DD: 112 | transport = trace_get_payload_from_ip6( 113 | (libtrace_ip6_t*)l3, 114 | &proto, 115 | &remaining); 116 | if (!transport) 117 | return; 118 | //++v6; 119 | break; 120 | default: 121 | return; 122 | } 123 | 124 | // Get packet information 125 | //get port numbers 126 | int srcPort = trace_get_source_port(pkt); 127 | int destPort = trace_get_destination_port(pkt); 128 | src_addr_ptr = trace_get_source_address(pkt, (struct sockaddr *) &src_addr); 129 | dest_addr_ptr = trace_get_destination_address(pkt, (struct sockaddr *) &dest_addr); 130 | if( (NULL == src_addr_ptr) || (NULL == dest_addr_ptr) ) 131 | { 132 | return; 133 | } 134 | //get source ip address 135 | if (src_addr_ptr->sa_family == AF_INET) { 136 | struct sockaddr_in *src_v4 = (struct sockaddr_in *) src_addr_ptr; 137 | inet_ntop(AF_INET, &(src_v4->sin_addr), srcIP, 100); 138 | } 139 | //get destination ip address 140 | if (dest_addr_ptr->sa_family == AF_INET) { 141 | struct sockaddr_in *dest_v4 = (struct sockaddr_in *) dest_addr_ptr; 142 | inet_ntop(AF_INET, &(dest_v4->sin_addr), destIP, 100); 143 | } 144 | 145 | ts = trace_get_timeval(pkt); 146 | 147 | if( (proto == 17) || (proto == 6) ) 148 | { 149 | char * temp; 150 | char * payloadCopy; 151 | int dlen = 0; 152 | int dataLen = 0; 153 | /* Parse the udp/tcp/icmp payload */ 154 | if(proto == 17) //udp 155 | { 156 | payload = trace_get_payload_from_udp( (libtrace_udp_t*)transport, &remaining); 157 | dataLen = ntohs(((libtrace_udp_t*) transport)->len)-8; 158 | temp = (char*)transport+sizeof(libtrace_udp_t); 159 | //encrypt the payload 160 | payloadCopy = (char *)malloc(dataLen+1); 161 | } 162 | if(proto == 6) //tcp 163 | { 164 | payload = trace_get_payload_from_tcp( (libtrace_tcp_t*)transport, &remaining); 165 | dlen = ((libtrace_tcp_t*) transport)->doff*4; 166 | dataLen = ntohs(ip->ip_len)-dlen-4*(ip->ip_hl); 167 | //char * temp = (char *)payload; 168 | temp = ((char *)transport+dlen); 169 | payloadCopy = (char *)malloc(dataLen+1); 170 | } 171 | 172 | memset(payloadCopy, '\0', sizeof(payloadCopy)); 173 | memcpy(payloadCopy, temp, dataLen); 174 | //check whether there is a HTTP header 175 | if( (proto == flowExtract->proto) && (srcPort == flowExtract->src_port) && (strcmp(srcIP, flowExtract->src_ip) == 0) && (destPort == flowExtract->dest_port) && (strcmp(destIP, flowExtract->dest_ip) == 0) ) 176 | { 177 | //printf("src_ip: %s, src_port: %d, dst_ip: %s, dst_port: %d, remaining: %d\n", src_ip, src_port, dest_ip, dest_port, remaining); 178 | if(flowExtract->last_direction == -1) 179 | { 180 | //printf("line: %d, remaining: %d\n", __LINE__, remaining); 181 | flowExtract->last_direction = 0; 182 | flowExtract->current_offset = dataLen; 183 | } 184 | else if(flowExtract->last_direction == 1) 185 | { 186 | //printf("line: %d\n", __LINE__); 187 | fprintf(flowExtract->fp_offset, "%d\n", flowExtract->current_offset); 188 | flowExtract->last_direction = 0; 189 | flowExtract->current_offset = dataLen; 190 | flowExtract->offset_count++; 191 | } 192 | else if(flowExtract->last_direction == 0) 193 | { 194 | //printf("line: %d, remaining: %d\n", __LINE__, remaining); 195 | flowExtract->current_offset = flowExtract->current_offset + dataLen; 196 | } 197 | if(flowExtract->current_offset > flowExtract->offset_max) 198 | { 199 | flowExtract->offset_max = flowExtract->current_offset; 200 | } 201 | flowExtract->flow_size = flowExtract->flow_size + dataLen; 202 | fwrite(payloadCopy, sizeof(char), dataLen, flowExtract->fp_content); 203 | } 204 | if ( (proto == flowExtract->proto) && (destPort == flowExtract->src_port) && (strcmp(destIP, flowExtract->src_ip ) == 0) && (srcPort == flowExtract->dest_port) && (strcmp(srcIP, flowExtract->dest_ip) == 0 ) ) 205 | { 206 | //printf("src_ip: %s, src_port: %d, dst_ip: %s, dst_port: %d, remaining: %d\n", src_ip, src_port, dest_ip, dest_port, remaining); 207 | if(flowExtract->last_direction == -1) 208 | { 209 | //printf("line: %d\n", __LINE__); 210 | flowExtract->last_direction = 1; 211 | flowExtract->current_offset = dataLen; 212 | } 213 | else if(flowExtract->last_direction == 0) 214 | { 215 | //printf("line: %d, remaining: %d\n", __LINE__, remaining); 216 | fprintf(flowExtract->fp_offset, "%d\n", flowExtract->current_offset); 217 | flowExtract->last_direction = 1; 218 | flowExtract->current_offset = dataLen; 219 | flowExtract->offset_count++; 220 | } 221 | else if(flowExtract->last_direction == 1) 222 | { 223 | //printf("line: %d, remaining: %d\n", __LINE__, remaining); 224 | flowExtract->current_offset = flowExtract->current_offset + dataLen; 225 | } 226 | if(flowExtract->current_offset > flowExtract->offset_max) 227 | { 228 | flowExtract->offset_max = flowExtract->current_offset; 229 | } 230 | flowExtract->flow_size = flowExtract->flow_size + dataLen; 231 | fwrite(payloadCopy, sizeof(char), dataLen, flowExtract->fp_content); 232 | } 233 | //free(payload_copy); 234 | } 235 | return 0; 236 | } 237 | 238 | 239 | 240 | 241 | static int per_packet_overwrite(libtrace_packet_t * pkt, libtrace_out_t * wr, char * data_to_trace, int * offset, struct flow_record * flowExtract) 242 | { 243 | //EVP_CIPHER_CTX ctx; 244 | // Create a new packet which is a copy of the old packet. 245 | libtrace_packet_t *copyPkt = trace_copy_packet(pkt); 246 | libtrace_ip_t *ip = trace_get_ip(copyPkt); 247 | libtrace_ip6_t *ip6 = trace_get_ip6(copyPkt); 248 | 249 | struct sockaddr_storage src_addr; 250 | struct sockaddr_storage dest_addr; 251 | struct sockaddr *src_addr_ptr; 252 | struct sockaddr *dest_addr_ptr; 253 | /* Packet data */ 254 | uint32_t remaining; 255 | /* L3 data */ 256 | void *l3; 257 | uint16_t ethertype; 258 | /* Transport data */ 259 | void *transport; 260 | uint8_t proto; 261 | /* Payload data */ 262 | void *payload; 263 | 264 | struct timeval ts; 265 | char srcIP[100]; 266 | char destIP[100]; 267 | int loop = 0; 268 | 269 | l3 = trace_get_layer3(copyPkt,ðertype,&remaining); 270 | 271 | if (!l3) 272 | { 273 | /* Probable ARP or something */ 274 | return; 275 | } 276 | 277 | /* Get the UDP/TCP/ICMP header from the IPv4/IPv6 packet */ 278 | switch (ethertype) { 279 | case 0x0800: 280 | transport = trace_get_payload_from_ip( 281 | (libtrace_ip_t*)l3, 282 | &proto, 283 | &remaining); 284 | if (!transport) 285 | return; 286 | //++v4; 287 | break; 288 | case 0x86DD: 289 | transport = trace_get_payload_from_ip6( 290 | (libtrace_ip6_t*)l3, 291 | &proto, 292 | &remaining); 293 | if (!transport) 294 | return; 295 | //++v6; 296 | break; 297 | default: 298 | return; 299 | } 300 | 301 | // Get packet information 302 | //get port numbers 303 | int srcPort = trace_get_source_port(copyPkt); 304 | int destPort = trace_get_destination_port(copyPkt); 305 | src_addr_ptr = trace_get_source_address(copyPkt, (struct sockaddr *) &src_addr); 306 | dest_addr_ptr = trace_get_destination_address(copyPkt, (struct sockaddr *) &dest_addr); 307 | if( (NULL == src_addr_ptr) || (NULL == dest_addr_ptr) ) 308 | { 309 | return; 310 | } 311 | //get source ip address 312 | if (src_addr_ptr->sa_family == AF_INET) { 313 | struct sockaddr_in *src_v4 = (struct sockaddr_in *) src_addr_ptr; 314 | inet_ntop(AF_INET, &(src_v4->sin_addr), srcIP, 100); 315 | } 316 | //get destination ip address 317 | if (dest_addr_ptr->sa_family == AF_INET) { 318 | struct sockaddr_in *dest_v4 = (struct sockaddr_in *) dest_addr_ptr; 319 | inet_ntop(AF_INET, &(dest_v4->sin_addr), destIP, 100); 320 | } 321 | 322 | ts = trace_get_timeval(copyPkt); 323 | //int pkt_size = trace_get_capture_length(copy_pkt); 324 | 325 | if(enableEncryption == 1) 326 | { 327 | if(proto == 17) //udp 328 | { 329 | payload = trace_get_payload_from_udp( (libtrace_udp_t*)transport, &remaining); 330 | char * temp = (char*)transport+sizeof(libtrace_udp_t); 331 | int dataLen = ntohs(((libtrace_udp_t*) transport)->len)-8; 332 | if(dataLen == 0) 333 | { 334 | goto WRITE; 335 | } 336 | struct libtrace_udp *udp; 337 | udp=trace_get_udp_from_ip(ip,NULL); 338 | //encrypt the payload 339 | char payloadCopy[dataLen+1]; 340 | char payloadEncryptCopy[dataLen+1]; 341 | memset(payloadCopy, '\0', sizeof(payloadCopy)); 342 | memset(payloadEncryptCopy, '\0', sizeof(payloadEncryptCopy)); 343 | memcpy(payloadCopy, temp, dataLen); 344 | if( (proto == flowExtract->proto) && ( ( (srcPort == flowExtract->src_port) && (strcmp(srcIP, flowExtract->src_ip) == 0) && (destPort == flowExtract->dest_port) && (strcmp(destIP, flowExtract->dest_ip) == 0) ) || ( (destPort == flowExtract->src_port) && (strcmp(destIP, flowExtract->src_ip ) == 0) && (srcPort == flowExtract->dest_port) && (strcmp(srcIP, flowExtract->dest_ip) == 0 ) ) ) ) 345 | { 346 | memcpy(transport+sizeof(libtrace_udp_t), data_to_trace+flowExtract->current_offset, dataLen); 347 | memcpy(payloadEncryptCopy, data_to_trace+flowExtract->current_offset, dataLen); 348 | payload_checksum(&udp->check, payloadCopy, payloadEncryptCopy, dataLen); 349 | flowExtract->current_offset = flowExtract->current_offset + dataLen; 350 | //printf("Line: %d, remaining: %d, offset: %d\n", __LINE__, remaining, *offset); 351 | } 352 | } 353 | 354 | if(proto == 6) //tcp 355 | { 356 | payload = trace_get_payload_from_tcp( (libtrace_tcp_t*)transport, &remaining); 357 | int dlen = ((libtrace_tcp_t*) transport)->doff*4; 358 | int dataLen = ntohs(ip->ip_len)-dlen-4*(ip->ip_hl); 359 | //char * temp = (char *)payload; 360 | char * temp = ((char *)transport+dlen); 361 | char payloadCopy[dataLen+1]; 362 | char payloadEncryptCopy[dataLen+1]; 363 | memset(payloadCopy, '\0', sizeof(payloadCopy)); 364 | memset(payloadEncryptCopy, '\0', sizeof(payloadEncryptCopy)); 365 | struct libtrace_tcp *tcp; 366 | tcp=trace_get_tcp_from_ip(ip,NULL); 367 | 368 | if(dataLen == 0) 369 | { 370 | goto WRITE; 371 | } 372 | memcpy(payloadCopy, temp, dataLen); 373 | if( (proto == flowExtract->proto) && ( ( (srcPort == flowExtract->src_port) && (strcmp(srcIP, flowExtract->src_ip) == 0) && (destPort == flowExtract->dest_port) && (strcmp(destIP, flowExtract->dest_ip) == 0) ) || ( (destPort == flowExtract->src_port) && (strcmp(destIP, flowExtract->src_ip ) == 0) && (srcPort == flowExtract->dest_port) && (strcmp(srcIP, flowExtract->dest_ip) == 0 ) ) ) ) 374 | { 375 | //memcpy(transport+sizeof(libtrace_tcp_t), data_to_trace+*offset, remaining); 376 | memcpy(transport+sizeof(libtrace_tcp_t), data_to_trace+flowExtract->current_offset, dataLen); 377 | memcpy(payloadEncryptCopy, data_to_trace+flowExtract->current_offset, dataLen); 378 | payload_checksum(&tcp->check, payloadCopy, payloadEncryptCopy, dataLen); 379 | 380 | flowExtract->current_offset = flowExtract->current_offset + dataLen; 381 | //printf("Line: %d, offset: %d\n", __LINE__, *offset); 382 | } 383 | } 384 | } 385 | 386 | WRITE: 387 | if(enableReplaceIP == 1) 388 | { 389 | if(enableReplaceAllIP == 1) //replace all the external ip addresses 390 | { 391 | if(CheckExclusionIP(srcIP)==0) //replace src ip 392 | { 393 | ReplaceIP_All(ip, oriIP, replaceIP, oriSubnet, replaceSubnet, 0); 394 | } 395 | if(CheckExclusionIP(destIP)==0) //replace dest ip 396 | { 397 | ReplaceIP_All(ip, oriIP, replaceIP, oriSubnet, replaceSubnet, 1); 398 | } 399 | } 400 | if(enableReplaceCertainIP == 1) //replace certain ip addresses 401 | { 402 | if(CheckExclusionIP(srcIP)==0) //replace src ip 403 | { 404 | ReplaceIP(ip, oriIP, replaceIP, oriSubnet, 0); 405 | } 406 | if(CheckExclusionIP(destIP)==0) //replace dest ip 407 | { 408 | ReplaceIP(ip, oriIP, replaceIP, oriSubnet, 1); 409 | } 410 | } 411 | 412 | //ReplaceIP(ip, ori_ip, replace_ip, ori_subnet); 413 | } 414 | 415 | if (trace_write_packet(wr, copyPkt) == -1) { 416 | trace_perror_output(wr, "Writing packet"); 417 | return -1; 418 | } 419 | trace_destroy_packet(copyPkt); 420 | return 0; 421 | } 422 | 423 | int main(int argc, char *argv[]) 424 | { 425 | EVP_CIPHER_CTX ctx; 426 | char * p = NULL; 427 | char * key = NULL; 428 | char * iv = NULL; 429 | //char * file_content = NULL; 430 | //char * encrypted_file_content; 431 | FILE * fpKeyIV = NULL; 432 | FILE * fpFlowPayload = NULL; 433 | int i = 0; 434 | int opt = 0; 435 | int psize = 0; 436 | int pktCount = 0; 437 | int offset = 0; 438 | int filesize = 0; 439 | int readLength = 0; 440 | int traceOffset = 0; 441 | int ivBytesCount = 0; 442 | int keyBytesCount = 0; 443 | int enableIPExclusion = 0; 444 | char tempRead[100]; 445 | char keyIVBuffer[1024]; 446 | char ipExclusionFile[MAX_SIZE]; 447 | char IPReplaceFile[MAX_SIZE]; 448 | char encryption[MAX_SIZE]; 449 | char portFilterFile[MAX_SIZE]; 450 | char inputFile[MAX_SIZE]; 451 | char outputFile[MAX_SIZE]; 452 | char keyIVFile[MAX_SIZE]; 453 | char encryptionAlgorithm[16]; 454 | char exeMagicNumberFile[MAX_SIZE]; 455 | char flowPayloadFile[256]; 456 | char flowOffsetFile[256]; 457 | char oriReplaceIP[MAX_SIZE]; 458 | char bufferTemp[MAX_SIZE]; 459 | clock_t start; 460 | clock_t end; 461 | double functionTime; 462 | 463 | if ((argc - optind) < 1) { 464 | usage(); 465 | exit(1); 466 | } 467 | 468 | while ((opt = getopt(argc, argv, "a:e:f:k:i:nNo:r:")) !=-1) 469 | { 470 | switch (opt) 471 | { 472 | case 'a': 473 | strcpy(ipExclusionFile, optarg); 474 | enableIPExclusion = 1; 475 | break; 476 | case 'n': 477 | enableReplaceCertainIP = 1; 478 | break; 479 | case 'N': 480 | enableReplaceAllIP = 1; 481 | break; 482 | case 'i': 483 | strcpy(inputFile, optarg); 484 | break; 485 | case 'o': 486 | strcpy(outputFile, optarg); 487 | break; 488 | case 'k': 489 | enableKeyIV = 1; 490 | strcpy(keyIVFile, optarg); 491 | break; 492 | case 'e': 493 | enableEncryption = 1; 494 | strcpy(encryptionAlgorithm, optarg); 495 | break; 496 | case 'f': 497 | /*encrypt all the traffic*/ 498 | if(strcmp("all", optarg) == 0) 499 | { 500 | encryptAll = 1; 501 | } 502 | else 503 | { 504 | p = NULL; 505 | p = strtok(optarg, " "); 506 | if(p) 507 | { 508 | strcpy(flowExtract.src_ip, p); 509 | } 510 | p = strtok(NULL, " "); 511 | if(p) 512 | { 513 | flowExtract.src_port = atoi(p); 514 | } 515 | p = strtok(NULL, " "); 516 | if(p) 517 | { 518 | strcpy(flowExtract.dest_ip, p); 519 | } 520 | p = strtok(NULL, " "); 521 | if(p) 522 | { 523 | flowExtract.dest_port = atoi(p); 524 | } 525 | p = strtok(NULL, " "); 526 | if(p) 527 | { 528 | flowExtract.proto = atoi(p); 529 | } 530 | } 531 | //printf("src_ip: %s, src_port: %d, dest_ip: %s, dest_port: %d, proto: %d\n", flow_extract.src_ip, flow_extract.src_port, flow_extract.dest_ip, flow_extract.dest_port, flow_extract.proto); 532 | break; 533 | //struct flow_record flow_extract = {"192.168.9.5", 1035, "178.162.181.84", 80}; 534 | case 'r': 535 | enableReplaceIP = 1; 536 | strcpy(oriReplaceIP, optarg); 537 | p = NULL; 538 | p = strtok(oriReplaceIP, "/"); 539 | if(p) 540 | { 541 | strcpy(oriIP, p); 542 | } 543 | p = strtok(NULL, " "); 544 | if(p) 545 | { 546 | oriSubnet = atoi(p); 547 | } 548 | p = strtok(NULL, "/"); 549 | if(p) 550 | { 551 | strcpy(replaceIP, p); 552 | } 553 | p = strtok(NULL, " "); 554 | if(p) 555 | { 556 | replaceSubnet = atoi(p); 557 | } 558 | //printf("ori_ip: %s, ori_subnet: %d, replace_ip: %s, replace_subnet: %d\n", oriIP, oriSubnet, replaceIP, replaceSubnet); 559 | break; 560 | case 'h': 561 | usage(); 562 | exit(1); 563 | default: 564 | usage(); 565 | exit(1); 566 | } 567 | } 568 | 569 | time(&start); 570 | 571 | libtrace_t *trace = 0; 572 | libtrace_packet_t *pkt = trace_create_packet(); 573 | 574 | if(enableIPExclusion == 1) 575 | { 576 | ReadIPExclusionRecords(ipExclusionFile); 577 | } 578 | 579 | if(enableEncryption == 1) 580 | { 581 | //write the flow payload to file 582 | memset(flowPayloadFile, '\0', sizeof(flowPayloadFile)); 583 | sprintf(flowPayloadFile, "%s-%d-%s-%d-%d-flow-payload", flowExtract.src_ip, flowExtract.src_port, flowExtract.dest_ip, flowExtract.dest_port, flowExtract.proto); 584 | sprintf(flowOffsetFile, "%s-%d-%s-%d-%d-flow-offset", flowExtract.src_ip, flowExtract.src_port, flowExtract.dest_ip, flowExtract.dest_port, flowExtract.proto); 585 | if((flowExtract.fp_content = fopen(flowPayloadFile, "w+")) == NULL) //open the file to read 586 | { 587 | fprintf(stderr, "Open file: %s failed\n", flowPayloadFile); 588 | exit(1); 589 | } 590 | if((flowExtract.fp_offset = fopen(flowOffsetFile, "w+")) == NULL) //open the file to read 591 | { 592 | fprintf(stderr, "Open file: %s failed\n", flowOffsetFile); 593 | exit(1); 594 | } 595 | flowExtract.current_offset = 0; 596 | flowExtract.offset_max = 0; 597 | flowExtract.last_direction = -1; 598 | flowExtract.flow_size = 0; 599 | // Open traces for reading and writing. 600 | trace = trace_create(inputFile); 601 | if (trace_is_err(trace)) { 602 | trace_perror(trace, "trace_create"); 603 | trace_destroy(trace); 604 | return 1; 605 | } 606 | if (trace_start(trace) == -1) { 607 | trace_perror(trace,"Starting trace"); 608 | //libtrace_cleanup(trace, output, packet); 609 | return 1; 610 | } 611 | 612 | for (;;) { 613 | psize = trace_read_packet(trace, pkt); 614 | if (psize == 0) { 615 | break; 616 | } 617 | if (psize < 0) { 618 | trace_perror(trace, "read_packet"); 619 | break; 620 | } 621 | if ((per_packet_write_to_file(pkt, &flowExtract)) == -1) 622 | { 623 | fprintf(stderr, "Something went wrong in per_packet.\n"); 624 | break; 625 | } 626 | pktCount++; 627 | } 628 | pktCount = 0; 629 | fprintf(flowExtract.fp_offset, "%d\n", flowExtract.current_offset); 630 | flowExtract.offset_count++; 631 | fclose(flowExtract.fp_content); 632 | fclose(flowExtract.fp_offset); 633 | 634 | flowExtract.offset_array = (int *)malloc(sizeof(int) * flowExtract.offset_count); 635 | //fseek(flow_extract.fp_offset, 0, SEEK_END); 636 | int counter = 0; 637 | if((flowExtract.fp_offset = fopen(flowOffsetFile, "r")) == NULL) //open the file to read 638 | { 639 | fprintf(stderr, "Open file: %s failed\n", flowOffsetFile); 640 | exit(1); 641 | } 642 | while(counter < flowExtract.offset_count) 643 | { 644 | memset(tempRead, '\0', sizeof(tempRead)); 645 | fgets(tempRead, sizeof(tempRead), flowExtract.fp_offset); 646 | flowExtract.offset_array[counter] = atoi(tempRead); 647 | //printf("offset: %d\n", flow_extract.offset_array[counter]); 648 | counter++; 649 | } 650 | fclose(flowExtract.fp_offset); 651 | //end of write flow payload to file 652 | 653 | //strcpy(flow_payload_file, flow_payload_file); 654 | //read original data from file 655 | if((flowExtract.fp_content = fopen(flowPayloadFile, "r")) == NULL) //open the file to read 656 | { 657 | fprintf(stderr, "Open file: %s failed\n", flowPayloadFile); 658 | exit(1); 659 | } 660 | //printf("File %s has %d bytes\n", flowPayloadFile, flowExtract.flow_size); 661 | 662 | //extract key and iv 663 | if((fpKeyIV = fopen(keyIVFile, "r")) == NULL) //open the file to read 664 | { 665 | fprintf(stderr, "Read key and iv file: %s failed\n", keyIVFile); 666 | exit(1); 667 | } 668 | //read and parse the key 669 | memset(keyIVBuffer, '\0', sizeof(keyIVBuffer)); 670 | fgets(keyIVBuffer, sizeof(keyIVBuffer), fpKeyIV); 671 | key = (char *)malloc(sizeof(char) * strlen(keyIVBuffer)); 672 | strcpy(key, keyIVBuffer); 673 | memset(key+strlen(keyIVBuffer)-1, '\0', 1); 674 | printf("key: %s\n", key); 675 | //read and parse the iv 676 | memset(keyIVBuffer, '\0', sizeof(keyIVBuffer)); 677 | if( fgets(keyIVBuffer, sizeof(keyIVBuffer), fpKeyIV) != NULL ) 678 | { 679 | iv = (char *)malloc(sizeof(char) * strlen(keyIVBuffer)); 680 | strcpy(iv, keyIVBuffer); 681 | memset(iv+strlen(iv)-1, '\0', 1); 682 | printf("iv: %s\n", iv); 683 | } 684 | 685 | flowExtract.encrypted_file_content = (char *)malloc(sizeof(char) * flowExtract.flow_size); 686 | flowExtract.temp_file_content = (char *)malloc(sizeof(char) * flowExtract.offset_max); 687 | flowExtract.temp_encrypted_content = (char *)malloc(sizeof(char) * flowExtract.offset_max); 688 | counter = 0; 689 | offset = 0; 690 | memset(flowExtract.encrypted_file_content, '\0', sizeof(flowExtract.encrypted_file_content)); 691 | while(counter < flowExtract.offset_count) 692 | { 693 | memset(flowExtract.temp_file_content, '\0', sizeof(flowExtract.temp_file_content)); 694 | fread(flowExtract.temp_file_content, flowExtract.offset_array[counter], 1, flowExtract.fp_content); 695 | //printf("should read: %d, read: %d\n", flow_extract.offset_array[counter], read_length); 696 | //memcpy(flow_extract.encrypted_file_content + offset, flow_extract.temp_file_content, flow_extract.offset_array[counter]); 697 | //encrypt data read from file 698 | if( strcmp(encryptionAlgorithm, "xor") == 0 ) 699 | { 700 | //encrypted_file_content = (char *)malloc(sizeof(char) * filesize); 701 | encrypt_xor(flowExtract.temp_file_content, flowExtract.temp_encrypted_content, key, flowExtract.offset_array[counter]); 702 | } 703 | else 704 | { 705 | set_encryption_algorithm(encryptionAlgorithm, &ctx, key, iv); 706 | flowExtract.temp_encrypted_content = encrypt_OpenSSL(&ctx, flowExtract.temp_file_content, flowExtract.offset_array[counter], &i); 707 | } 708 | memcpy(flowExtract.encrypted_file_content + offset, flowExtract.temp_encrypted_content, flowExtract.offset_array[counter]); 709 | offset = offset + flowExtract.offset_array[counter]; 710 | //printf("%x %x\n", temp_read[0], temp_read[1]); 711 | counter++; 712 | } 713 | //free(flow_extract.temp_encrypted_content); 714 | //free(flow_extract.temp_file_content); 715 | fclose(flowExtract.fp_content); 716 | } 717 | flowExtract.current_offset = 0; 718 | //printf("line: %d\n", __LINE__); 719 | 720 | libtrace_out_t *writer = 0; 721 | // Open traces and write the encrypted data back to trace. 722 | trace = trace_create(inputFile); 723 | if (trace_is_err(trace)) { 724 | trace_perror(trace, "trace_create"); 725 | trace_destroy(trace); 726 | return 1; 727 | } 728 | if (trace_start(trace) == -1) { 729 | trace_perror(trace,"Starting trace"); 730 | //libtrace_cleanup(trace, output, packet); 731 | return 1; 732 | } 733 | 734 | //printf("line: %d\n", __LINE__); 735 | writer = trace_create_output(outputFile); 736 | if (trace_is_err_output(writer)) { 737 | trace_perror_output(writer, "trace_create_output"); 738 | trace_destroy_output(writer); 739 | trace_destroy(trace); 740 | trace_destroy_packet(pkt); 741 | return 1; 742 | } 743 | 744 | if (trace_start_output(writer) == -1) { 745 | trace_perror_output(writer,"Starting output trace"); 746 | //libtrace_cleanup(trace, output, packet); 747 | return 1; 748 | } 749 | 750 | for (;;) { 751 | psize = trace_read_packet(trace, pkt); 752 | if (psize == 0) { 753 | break; 754 | } 755 | if (psize < 0) { 756 | trace_perror(trace, "read_packet"); 757 | break; 758 | } 759 | if ((per_packet_overwrite(pkt, writer, flowExtract.encrypted_file_content, &traceOffset, &flowExtract)) == -1) 760 | { 761 | fprintf(stderr, "Something went wrong in per_packet.\n"); 762 | break; 763 | } 764 | pktCount++; 765 | } 766 | 767 | trace_destroy_packet(pkt); 768 | trace_destroy(trace); 769 | trace_destroy_output(writer); 770 | //printf("line: %d\n", __LINE__); 771 | 772 | time(&end); 773 | double cost = difftime(end, start); 774 | //printf("running time: %f\n", cost); 775 | 776 | if(enableEncryption == 1) 777 | { 778 | //free(flow_extract.file_content); 779 | if( strcmp(encryptionAlgorithm, "xor") == 0 ) 780 | { 781 | //free(flow_extract.encrypted_file_content); 782 | } 783 | } 784 | //free(flow_extract.encrypted_file_content); 785 | //free(flow_extract.offset_array); 786 | //free(key); 787 | //free(iv); 788 | 789 | return 0; 790 | } 791 | -------------------------------------------------------------------------------- /BotTalkerFunctions.c: -------------------------------------------------------------------------------- 1 | 2 | /* 3 | * Copyright (C) <2015> 4 | 5 | * BotTalker is free software: you can redistribute it and/or modify 6 | * it under the terms of the GNU General Public License as published 7 | * by the Free Software Foundation, either version 3 of the License, 8 | * or (at your option) any later version. 9 | 10 | * BotTalker is distributed in the hope that it will be useful, 11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | * GNU General Public License for more details. 14 | 15 | * You should have received a copy of the GNU General Public License 16 | * along with this program. If not, see . 17 | 18 | * Contact information: 19 | * Email: zhanghan0116@gmail.com 20 | */ 21 | 22 | 23 | #include 24 | #include 25 | #include 26 | #include 27 | #include 28 | #include 29 | #include 30 | #include "libtrace.h" 31 | #include 32 | #include 33 | #include 34 | #include 35 | #include 36 | 37 | #define MAX_SIZE 1024 38 | #define FILENAME_LENGTH 1024 39 | #define CADIR NULL 40 | 41 | /*reserved for SSL emulation*/ 42 | //char passwd[] = ""; 43 | 44 | struct flow_record * flowExtractHead = NULL; 45 | struct flow_record * flowExtractLast = NULL; 46 | struct ip_list * ipExclusion = NULL; 47 | struct port_list * portExclusion = NULL; 48 | 49 | struct config_parameters 50 | { 51 | char COMMAND_EDITCAP[MAX_SIZE]; 52 | char COMMAND_MERGECAP[MAX_SIZE]; 53 | char CIPHER_LIST[MAX_SIZE]; 54 | char CAFILE[MAX_SIZE]; 55 | char CERTFILE[MAX_SIZE]; 56 | char SERVER[MAX_SIZE]; 57 | char CLIENT[MAX_SIZE]; 58 | char PORT[MAX_SIZE]; 59 | char ETH[MAX_SIZE]; 60 | }; 61 | 62 | struct port_list 63 | { 64 | int port; 65 | struct port_list * next; 66 | }; 67 | 68 | struct ip_list 69 | { 70 | char ip[16]; 71 | int paired; 72 | struct ip_list * next; 73 | }; 74 | 75 | struct ip_pair 76 | { 77 | char ip1[16]; 78 | char ip2[16]; 79 | struct ip_pair * next; 80 | }; 81 | 82 | struct flow_offset 83 | { 84 | int offset; 85 | struct flow_offset * next; 86 | }; 87 | 88 | struct flow_record 89 | { 90 | char src_ip[16]; 91 | int src_port; 92 | char dest_ip[16]; 93 | int dest_port; 94 | int proto; 95 | FILE * fp_content; 96 | FILE * fp_offset; 97 | char flow_offset_file[MAX_SIZE]; 98 | char flow_payload_file[MAX_SIZE]; 99 | int current_offset; 100 | int last_direction; 101 | int offset_count; 102 | int flow_size; 103 | int offset_max; 104 | int * offset_array; 105 | char * file_content; 106 | char * encrypted_file_content; 107 | char * temp_file_content; 108 | char * temp_encrypted_content; 109 | struct flow_record * next; 110 | }; 111 | 112 | struct flow_rtt_inter //used in calculation of rtt 113 | { 114 | //direct0 stands for client to server 115 | int pkt_count; 116 | char src_ip[16]; 117 | int src_port; 118 | char dest_ip[16]; 119 | int dest_port; 120 | int proto; 121 | int last_tv_sec; 122 | int last_tv_usec; 123 | int last_direction; 124 | float rtt_avg_direct0; 125 | int rtt_count_direct0; 126 | float inter_avg_direct0; 127 | int inter_count_direct0; 128 | float rtt_avg_direct1; 129 | int rtt_count_direct1; 130 | float inter_avg_direct1; 131 | int inter_count_direct1; 132 | float reaction_avg_direct0; 133 | int reaction_count_direct0; 134 | }; 135 | 136 | 137 | struct struct_IPReplace 138 | { 139 | char original_IP[16]; 140 | char replace_IP[16]; 141 | int subnet; 142 | }; 143 | 144 | int substring(char * string, char * substring) 145 | { 146 | char *a, *b; 147 | int offset = 0; 148 | 149 | b = substring; 150 | if (*b == 0) { 151 | return -1; 152 | } 153 | for ( ; *string != 0; string += 1) { 154 | offset++; 155 | if (*string != *b) { 156 | continue; 157 | } 158 | a = string; 159 | while (1) { 160 | if (*b == 0) { 161 | return offset-1; 162 | } 163 | if (*a++ != *b++) { 164 | break; 165 | } 166 | } 167 | b = substring; 168 | } 169 | return -1; 170 | } 171 | 172 | int ReadConfigurationFile(char * configFile, struct config_parameters * configBottalker ) 173 | { 174 | FILE * fpRead = NULL; 175 | char buffer[MAX_SIZE]; 176 | char temp[MAX_SIZE]; 177 | char * p = NULL; 178 | if((fpRead = fopen(configFile, "r")) == NULL) //open the file to read 179 | { 180 | fprintf(stderr, "Line %d: Open file: configuration file %s failed\n", __LINE__, configFile); 181 | exit(1); 182 | } 183 | while(!feof(fpRead)) 184 | { 185 | fgets(buffer, sizeof(buffer), fpRead); 186 | memset(temp, '\0', sizeof(temp)); 187 | strcpy(temp, buffer); 188 | if(feof(fpRead)) 189 | { 190 | break; 191 | } 192 | p = strtok(buffer, "="); 193 | p = strtok(NULL, "\n"); 194 | if( substring(temp, "MERGECAP") >= 0) 195 | { 196 | strcpy(configBottalker->COMMAND_MERGECAP, p); 197 | } 198 | else if( substring(temp, "EDITCAP") >= 0) 199 | { 200 | strcpy(configBottalker->COMMAND_EDITCAP, p); 201 | } 202 | else if( substring(temp, "CIPHER_LIST") >= 0) 203 | { 204 | strcpy(configBottalker->CIPHER_LIST, p); 205 | } 206 | else if( substring(temp, "CAFILE") >= 0) 207 | { 208 | strcpy(configBottalker->CAFILE, p); 209 | } 210 | else if( substring(temp, "CERTFILE") >= 0) 211 | { 212 | strcpy(configBottalker->CERTFILE, p); 213 | } 214 | else if( substring(temp, "PORT") >= 0) 215 | { 216 | strcpy( configBottalker->PORT, p); 217 | } 218 | else if( substring(temp, "ETH") >= 0) 219 | { 220 | strcpy( configBottalker->ETH, p); 221 | } 222 | else if( substring(temp, "SERVER") >= 0) 223 | { 224 | strcpy(configBottalker->SERVER, p); 225 | } 226 | else if( substring(temp, "CLIENT") >= 0) 227 | { 228 | strcpy(configBottalker->CLIENT, p); 229 | } 230 | } 231 | } 232 | 233 | /*Read the IPs that users don't want to replace*/ 234 | void ReadIPExclusionRecords(char * fileRead) 235 | { 236 | FILE * fpRead = NULL; 237 | char * p = NULL; 238 | char ip[16]; 239 | char buffer[MAX_SIZE]; 240 | struct ip_list * lastIPExclusion = NULL; 241 | if((fpRead = fopen(fileRead, "r")) == NULL) //open the file to read 242 | { 243 | fprintf(stderr, "Line %d: Open file: %s failed\n", __LINE__, fileRead); 244 | exit(1); 245 | } 246 | while(!feof(fpRead)) 247 | { 248 | fgets(buffer, sizeof(buffer), fpRead); 249 | if(feof(fpRead)) 250 | { 251 | break; 252 | } 253 | p = strtok(buffer, "\n"); 254 | if(p) 255 | { 256 | strcpy(ip, p); 257 | } 258 | struct ip_list * newIPExclusion = (struct ip_list*)malloc(sizeof(struct ip_list)); 259 | strcpy(newIPExclusion->ip, ip); 260 | if(ipExclusion == NULL) 261 | { 262 | ipExclusion = newIPExclusion; 263 | lastIPExclusion = newIPExclusion; 264 | } 265 | else 266 | { 267 | lastIPExclusion->next = newIPExclusion; 268 | lastIPExclusion = newIPExclusion; 269 | } 270 | } 271 | struct ip_list * iteIPExclusion = ipExclusion; 272 | while(iteIPExclusion != NULL) 273 | { 274 | printf("exclusion ip: %s\n", iteIPExclusion->ip); 275 | iteIPExclusion = iteIPExclusion->next; 276 | } 277 | } 278 | 279 | int CheckExclusionIP(char * ip) 280 | { 281 | struct ip_list * iteIPExclusion = ipExclusion; 282 | while(iteIPExclusion != NULL) 283 | { 284 | if(strcmp(iteIPExclusion->ip, ip) == 0) 285 | { 286 | return 1; 287 | } 288 | iteIPExclusion = iteIPExclusion->next; 289 | } 290 | return 0; 291 | } 292 | 293 | /*Read the IPs that users don't want to replace*/ 294 | void ReadPortExclusionRecords(char * fileRead) 295 | { 296 | FILE * fpRead = NULL; 297 | char * p = NULL; 298 | int port = 0; 299 | char buffer[MAX_SIZE]; 300 | struct port_list * lastPortExclusion = NULL; 301 | if((fpRead = fopen(fileRead, "r")) == NULL) //open the file to read 302 | { 303 | fprintf(stderr, "Line %d: Open file: %s failed\n", __LINE__, fileRead); 304 | exit(1); 305 | } 306 | while(!feof(fpRead)) 307 | { 308 | fgets(buffer, sizeof(buffer), fpRead); 309 | if(feof(fpRead)) 310 | { 311 | break; 312 | } 313 | p = strtok(buffer, "\n"); 314 | if(p) 315 | { 316 | port = atoi(p); 317 | } 318 | struct port_list * newPortExclusion = (struct port_list*)malloc(sizeof(struct port_list)); 319 | newPortExclusion->port = port; 320 | newPortExclusion->next = NULL; 321 | if(portExclusion == NULL) 322 | { 323 | portExclusion = newPortExclusion; 324 | lastPortExclusion = newPortExclusion; 325 | } 326 | else 327 | { 328 | lastPortExclusion->next = newPortExclusion; 329 | lastPortExclusion = newPortExclusion; 330 | } 331 | } 332 | struct port_list * itePortExclusion = portExclusion; 333 | while(itePortExclusion != NULL) 334 | { 335 | printf("exclusion port: %d\n", itePortExclusion->port); 336 | itePortExclusion = itePortExclusion->next; 337 | } 338 | } 339 | 340 | int CheckExclusionPort(int port) 341 | { 342 | struct port_list * itePortExclusion = portExclusion; 343 | while(itePortExclusion != NULL) 344 | { 345 | if(itePortExclusion->port == port) 346 | { 347 | return 1; 348 | } 349 | itePortExclusion = itePortExclusion->next; 350 | } 351 | return 0; 352 | } 353 | 354 | void ReadFlowRecords(char * fileRead) 355 | { 356 | FILE * fpRead = NULL; 357 | char * p = NULL; 358 | char srcIP[16]; 359 | char destIP[16]; 360 | int srcPort = 0; 361 | int destPort = 0; 362 | int proto = 0; 363 | char buffer[MAX_SIZE]; 364 | struct flow_record * iteFlowRecord; 365 | if((fpRead = fopen(fileRead, "r")) == NULL) //open the file to read 366 | { 367 | fprintf(stderr, "Line %d: Open file: %s failed\n", __LINE__, fileRead); 368 | exit(1); 369 | } 370 | while(!feof(fpRead)) 371 | { 372 | fgets(buffer, sizeof(buffer), fpRead); 373 | if(feof(fpRead)) 374 | { 375 | break; 376 | } 377 | p = strtok(buffer, " "); 378 | if(p) 379 | { 380 | strcpy(srcIP, p); 381 | } 382 | p = strtok(NULL, " "); 383 | if(p) 384 | { 385 | srcPort = atoi(p); 386 | } 387 | p = strtok(NULL, " "); 388 | if(p) 389 | { 390 | strcpy(destIP, p); 391 | } 392 | p = strtok(NULL, " "); 393 | if(p) 394 | { 395 | destPort = atoi(p); 396 | } 397 | p = strtok(NULL, " "); 398 | if(p) 399 | { 400 | proto = atoi(p); 401 | } 402 | struct flow_record * newFlowRecord = (struct flow_record *)malloc(sizeof(struct flow_record)); 403 | strcpy(newFlowRecord->src_ip, srcIP); 404 | newFlowRecord->src_port = srcPort; 405 | strcpy(newFlowRecord->dest_ip, destIP); 406 | newFlowRecord->dest_port = destPort; 407 | newFlowRecord->proto = proto; 408 | newFlowRecord->next = NULL; 409 | if(flowExtractHead == NULL) 410 | { 411 | flowExtractHead = newFlowRecord; 412 | flowExtractLast = newFlowRecord; 413 | } 414 | else 415 | { 416 | flowExtractLast->next = newFlowRecord; 417 | flowExtractLast = newFlowRecord; 418 | } 419 | } 420 | iteFlowRecord = flowExtractHead; 421 | while(iteFlowRecord) 422 | { 423 | //printf("src_ip: %s, src_port: %d, dest_ip: %s, dest_port: %d\n", iteFlowRecord->src_ip, iteFlowRecord->src_port, iteFlowRecord->dest_ip, iteFlowRecord->dest_port); 424 | iteFlowRecord = iteFlowRecord->next; 425 | } 426 | } 427 | 428 | void select_random_key(char *key, int b) 429 | { 430 | RAND_bytes(key, b); 431 | /*int i; 432 | printf("key: \n"); 433 | for(i=0; i0) 763 | { 764 | if(length%2==1) 765 | { 766 | uint16_t new_data = ((uint16_t)newPayload[length-1] << 8)&0xFFFF; 767 | uint16_t old_data = ((uint16_t)payload[length-1] << 8)&0xFFFF; 768 | sum_ = sum_ + new_data; 769 | sum = (~htons(*checksum) & 0xFFFF) 770 | + (~(old_data) & 0xFFFF) 771 | + (new_data); 772 | sum = (sum & 0xFFFF) + (sum >> 16); 773 | *checksum = htons(~(sum + (sum >> 16))); 774 | length--; 775 | } 776 | else 777 | { 778 | uint16_t new_data = (((uint16_t)newPayload[length-1])&0x00FF) + ((((uint16_t)newPayload[length-2])<<8)&0xFFFF); 779 | uint16_t old_data = (((uint16_t)payload[length-1])&0x00FF) + ((((uint16_t)payload[length-2])<<8)&0xFFFF); 780 | sum_ = sum_ + new_data; 781 | sum = (~htons(*checksum) & 0xFFFF) 782 | + (~(old_data) & 0xFFFF) 783 | + (new_data); 784 | sum = (sum & 0xFFFF) + (sum >> 16); 785 | *checksum = htons(~(sum + (sum >> 16))); 786 | length=length-2; 787 | } 788 | } 789 | } 790 | 791 | /* Incrementally update a checksum */ 792 | void update_in_cksum(uint16_t *csum, uint16_t old, uint16_t new) 793 | { 794 | uint32_t sum = (~htons(*csum) & 0xFFFF) 795 | + (~htons(old) & 0xFFFF) 796 | + htons(new); 797 | sum = (sum & 0xFFFF) + (sum >> 16); 798 | *csum = htons(~(sum + (sum >> 16))); 799 | } 800 | 801 | void update_in_cksum32(uint16_t *csum, uint32_t old, uint32_t new) 802 | { 803 | update_in_cksum(csum,(uint16_t)(old&0xFFFF),(uint16_t)(new&0xFFFF)); 804 | update_in_cksum(csum,(uint16_t)(old>>16),(uint16_t)(new>>16)); 805 | } 806 | 807 | //XOR encryption 808 | void encrypt_xor(char * StrToEncrypt, char * StrEncrtypted, char* key, int length) 809 | { 810 | int keyCount = 0; //Used to restart key if strlen(key) < strlen(encrypt) 811 | int encryptByte; 812 | int loop = 0; 813 | //Loop through each byte of file until EOF 814 | for(loop = 0; loop < length; loop++) 815 | { 816 | //XOR the data and write it to a file 817 | StrEncrtypted[loop] = StrToEncrypt[loop] ^ key[keyCount]; 818 | keyCount++; 819 | if(keyCount == strlen(key)) 820 | { 821 | keyCount = 0; 822 | } 823 | } 824 | } 825 | 826 | 827 | int ReplaceIP_SSL(libtrace_ip_t * copyIP, char * IPOriginal, char * IPReplace, int sys) 828 | { 829 | int loop = 0; 830 | char * p = NULL; 831 | int OctOriginalIP[4]; 832 | int OctReplaceIP[4]; 833 | char tempOri[16]; 834 | char tempRep[16]; 835 | //char replace_IP[16]; 836 | memset(tempOri, '\0', sizeof(tempOri)); 837 | strcpy(tempOri, IPOriginal); 838 | p = NULL; 839 | p = strtok(tempOri, "."); 840 | if(p) 841 | { 842 | OctOriginalIP[0] = atoi(p); 843 | } 844 | for(loop = 1; loop < 4; loop++) 845 | { 846 | p = strtok(NULL, "."); 847 | if(p) 848 | { 849 | OctOriginalIP[loop] = atoi(p); 850 | } 851 | } 852 | uint32_t IPToReplace = OctOriginalIP[3]*256*256*256 + OctOriginalIP[2]*256*256 + OctOriginalIP[1]*256 + OctOriginalIP[0]; 853 | 854 | memset(tempRep, '\0', sizeof(tempRep)); 855 | strcpy(tempRep, IPReplace); 856 | p = NULL; 857 | p = strtok(tempRep, "."); 858 | if(p) 859 | { 860 | OctReplaceIP[0] = atoi(p); 861 | } 862 | for(loop = 1; loop < 4; loop++) 863 | { 864 | p = strtok(NULL, "."); 865 | if(p) 866 | { 867 | OctReplaceIP[loop] = atoi(p); 868 | } 869 | } 870 | 871 | uint32_t oldIP = 0; 872 | //printf("IP_to_replace: %u, src_ip: %u, dest_ip: %u\n", IP_to_replace, copy_ip->ip_src.s_addr, copy_ip->ip_dst.s_addr); 873 | if(sys == 0) 874 | { 875 | oldIP = copyIP->ip_src.s_addr; 876 | } 877 | else if(sys == 1) 878 | { 879 | oldIP = copyIP->ip_dst.s_addr; 880 | } 881 | else 882 | { 883 | //printf("No IP replacement Match\n"); 884 | return; 885 | } 886 | uint32_t newIP = 0; 887 | struct libtrace_tcp *tcp; 888 | struct libtrace_udp *udp; 889 | tcp=trace_get_tcp_from_ip(copyIP,NULL); 890 | udp=trace_get_udp_from_ip(copyIP,NULL); 891 | for(loop=0; loop < 4; loop++) 892 | { 893 | newIP = newIP*256 + OctReplaceIP[loop]; 894 | } 895 | update_in_cksum32(©IP->ip_sum, oldIP, htonl(newIP)); 896 | if(tcp) 897 | { 898 | update_in_cksum32(&tcp->check, oldIP, htonl(newIP)); 899 | } 900 | if(udp) 901 | { 902 | update_in_cksum32(&udp->check, oldIP, htonl(newIP)); 903 | } 904 | if(sys == 0) 905 | { 906 | copyIP->ip_src.s_addr = htonl(newIP); 907 | } 908 | else if(sys == 1) 909 | { 910 | copyIP->ip_dst.s_addr = htonl(newIP); 911 | } 912 | } 913 | 914 | 915 | int IPBelongTo(char * ip1, char * ip2, int subnet) 916 | { 917 | int sysReplaceSrc = 0; 918 | int sysReplaceDest = 0; 919 | int loop = 0; 920 | char * p = NULL; 921 | int octetIP1[4]; 922 | int octetIP2[4]; 923 | char temp[16]; 924 | memset(temp, '\0', sizeof(temp)); 925 | strcpy(temp, ip1); 926 | p = NULL; 927 | p = strtok(temp, "."); 928 | if(p) 929 | { 930 | octetIP1[0] = atoi(p); 931 | } 932 | for(loop = 1; loop < 4; loop++) 933 | { 934 | p = strtok(NULL, "."); 935 | if(p) 936 | { 937 | octetIP1[loop] = atoi(p); 938 | } 939 | } 940 | 941 | memset(temp, '\0', sizeof(temp)); 942 | strcpy(temp, ip2); 943 | p = NULL; 944 | p = strtok(temp, "."); 945 | if(p) 946 | { 947 | octetIP2[0] = atoi(p); 948 | } 949 | for(loop = 1; loop < 4; loop++) 950 | { 951 | p = strtok(NULL, "."); 952 | if(p) 953 | { 954 | octetIP2[loop] = atoi(p); 955 | } 956 | } 957 | 958 | for(loop = 0; loop < subnet/8; loop++) 959 | { 960 | if(octetIP1[loop] != octetIP2[loop]) 961 | { 962 | break; 963 | } 964 | } 965 | if(loop == subnet/8) 966 | { 967 | //ip2 belongs to ip1 968 | return 0; 969 | } 970 | else 971 | { 972 | //ip2 doesn't belong to ip1 973 | return 1; 974 | } 975 | } 976 | 977 | int ReplaceIP_All(libtrace_ip_t * copyIP, char * IPOriginal, char * IPReplace, int oriSubnet, int replaceSubnet, int srcDest) 978 | { 979 | int sysReplaceSrc = 0; 980 | int sysReplaceDest = 0; 981 | int loop = 0; 982 | char * p = NULL; 983 | int OctOriginalIP[4]; 984 | int OctReplaceIP[4]; 985 | char tempOri[16]; 986 | char tempRep[16]; 987 | memset(tempOri, '\0', sizeof(tempOri)); 988 | strcpy(tempOri, IPOriginal); 989 | p = NULL; 990 | p = strtok(tempOri, "."); 991 | if(p) 992 | { 993 | OctOriginalIP[0] = atoi(p); 994 | } 995 | for(loop = 1; loop < 4; loop++) 996 | { 997 | p = strtok(NULL, "."); 998 | if(p) 999 | { 1000 | OctOriginalIP[loop] = atoi(p); 1001 | } 1002 | } 1003 | uint8_t srcDestIPOctet[4]; 1004 | for (loop=0; loop<4; loop++) 1005 | { 1006 | if(srcDest == 0) 1007 | { 1008 | srcDestIPOctet[loop] = ( copyIP->ip_src.s_addr >> (loop*8) ) & 0xFF; 1009 | } 1010 | if(srcDest == 1) 1011 | { 1012 | srcDestIPOctet[loop] = ( copyIP->ip_dst.s_addr >> (loop*8) ) & 0xFF; 1013 | } 1014 | } 1015 | 1016 | memset(tempRep, '\0', sizeof(tempRep)); 1017 | strcpy(tempRep, IPReplace); 1018 | p = NULL; 1019 | p = strtok(tempRep, "."); 1020 | if(p) 1021 | { 1022 | OctReplaceIP[0] = atoi(p); 1023 | } 1024 | for(loop = 1; loop < 4; loop++) 1025 | { 1026 | p = strtok(NULL, "."); 1027 | if(p) 1028 | { 1029 | OctReplaceIP[loop] = atoi(p); 1030 | } 1031 | } 1032 | 1033 | uint32_t oldIP = 0; 1034 | for(loop=0; loop < oriSubnet/8; loop++) 1035 | { 1036 | if(srcDestIPOctet[loop] != OctOriginalIP[loop]) 1037 | { 1038 | if(srcDest == 0) 1039 | { 1040 | oldIP = copyIP->ip_src.s_addr; 1041 | } 1042 | if(srcDest == 1) 1043 | { 1044 | oldIP = copyIP->ip_dst.s_addr; 1045 | } 1046 | break; 1047 | } 1048 | } 1049 | if(loop == oriSubnet/8) //the ip belongs to the local network 1050 | { 1051 | return; 1052 | } 1053 | uint32_t newIP = 0; 1054 | struct libtrace_tcp *tcp; 1055 | struct libtrace_udp *udp; 1056 | tcp=trace_get_tcp_from_ip(copyIP,NULL); 1057 | udp=trace_get_udp_from_ip(copyIP,NULL); 1058 | for(loop=0; loop < replaceSubnet/8; loop++) 1059 | { 1060 | newIP = newIP*256 + OctReplaceIP[loop]; 1061 | } 1062 | for(loop=replaceSubnet/8; loop<4; loop++) 1063 | { 1064 | newIP = newIP*256 + srcDestIPOctet[loop]; 1065 | } 1066 | update_in_cksum32(©IP->ip_sum, oldIP, htonl(newIP)); 1067 | if(tcp) 1068 | { 1069 | update_in_cksum32(&tcp->check, oldIP, htonl(newIP)); 1070 | } 1071 | if(udp) 1072 | { 1073 | update_in_cksum32(&udp->check, oldIP, htonl(newIP)); 1074 | } 1075 | if( srcDest == 0) 1076 | { 1077 | copyIP->ip_src.s_addr = htonl(newIP); 1078 | } 1079 | else if( srcDest == 1) 1080 | { 1081 | copyIP->ip_dst.s_addr = htonl(newIP); 1082 | } 1083 | } 1084 | 1085 | int ReplaceIP_ALL(libtrace_ip_t * copyIP, char * IPOriginal, char * IPReplace, int subnet) 1086 | { 1087 | int sysReplaceSrc = 0; 1088 | int sysReplaceDest = 0; 1089 | int loop = 0; 1090 | char * p = NULL; 1091 | int OctOriginalIP[4]; 1092 | int OctReplaceIP[4]; 1093 | char tempOri[16]; 1094 | char tempRep[16]; 1095 | memset(tempOri, '\0', sizeof(tempOri)); 1096 | strcpy(tempOri, IPOriginal); 1097 | p = NULL; 1098 | p = strtok(tempOri, "."); 1099 | if(p) 1100 | { 1101 | OctOriginalIP[0] = atoi(p); 1102 | } 1103 | for(loop = 1; loop < 4; loop++) 1104 | { 1105 | p = strtok(NULL, "."); 1106 | if(p) 1107 | { 1108 | OctOriginalIP[loop] = atoi(p); 1109 | } 1110 | } 1111 | uint32_t IPToReplace = OctOriginalIP[3]*256*256*256 + OctOriginalIP[2]*256*256 + OctOriginalIP[1]*256 + OctOriginalIP[0]; 1112 | uint8_t srcIPOctet[4]; 1113 | uint8_t destIPOctet[4]; 1114 | for (loop=0; loop<4; loop++) 1115 | { 1116 | srcIPOctet[loop] = ( copyIP->ip_src.s_addr >> (loop*8) ) & 0xFF; 1117 | } 1118 | for (loop=0; loop<4; loop++) 1119 | { 1120 | destIPOctet[loop] = ( copyIP->ip_dst.s_addr >> (loop*8) ) & 0xFF; 1121 | } 1122 | 1123 | memset(tempRep, '\0', sizeof(tempRep)); 1124 | strcpy(tempRep, IPReplace); 1125 | p = NULL; 1126 | p = strtok(tempRep, "."); 1127 | if(p) 1128 | { 1129 | OctReplaceIP[0] = atoi(p); 1130 | } 1131 | for(loop = 1; loop < 4; loop++) 1132 | { 1133 | p = strtok(NULL, "."); 1134 | if(p) 1135 | { 1136 | OctReplaceIP[loop] = atoi(p); 1137 | } 1138 | } 1139 | 1140 | uint32_t oldIP = 0; 1141 | if( (srcIPOctet[0] != OctOriginalIP[0]) || (srcIPOctet[1] != OctOriginalIP[1]) ) 1142 | { 1143 | sysReplaceSrc = 1; 1144 | oldIP = copyIP->ip_src.s_addr; 1145 | } 1146 | else 1147 | { 1148 | if( (destIPOctet[0] != OctOriginalIP[0]) || (destIPOctet[1] != OctOriginalIP[1]) ) 1149 | { 1150 | sysReplaceDest = 1; 1151 | oldIP = copyIP->ip_dst.s_addr; 1152 | } 1153 | else 1154 | { 1155 | return; 1156 | } 1157 | } 1158 | 1159 | uint32_t newIP = 0; 1160 | struct libtrace_tcp *tcp; 1161 | struct libtrace_udp *udp; 1162 | tcp=trace_get_tcp_from_ip(copyIP,NULL); 1163 | udp=trace_get_udp_from_ip(copyIP,NULL); 1164 | for(loop=0; loop < subnet/8; loop++) 1165 | { 1166 | newIP = newIP*256 + OctReplaceIP[loop]; 1167 | } 1168 | for(loop=subnet/8; loop<4; loop++) 1169 | { 1170 | if(sysReplaceSrc == 1) 1171 | { 1172 | newIP = newIP*256 + srcIPOctet[loop]; 1173 | } 1174 | if(sysReplaceDest == 1) 1175 | { 1176 | newIP = newIP*256 + destIPOctet[loop]; 1177 | } 1178 | } 1179 | update_in_cksum32(©IP->ip_sum, oldIP, htonl(newIP)); 1180 | if(tcp) 1181 | { 1182 | update_in_cksum32(&tcp->check, oldIP, htonl(newIP)); 1183 | } 1184 | if(udp) 1185 | { 1186 | update_in_cksum32(&udp->check, oldIP, htonl(newIP)); 1187 | } 1188 | if(sysReplaceSrc == 1) 1189 | { 1190 | copyIP->ip_src.s_addr = htonl(newIP); 1191 | } 1192 | else if(sysReplaceDest == 1) 1193 | { 1194 | copyIP->ip_dst.s_addr = htonl(newIP); 1195 | } 1196 | } 1197 | 1198 | 1199 | int ReplaceIP(libtrace_ip_t * copyIP, char * IPOriginal, char * IPReplace, int subnet, int srcDest) 1200 | { 1201 | int sysReplaceSrc = 0; 1202 | int sysReplaceDest = 0; 1203 | int loop = 0; 1204 | char * p = NULL; 1205 | int OctOriginalIP[4]; 1206 | int OctReplaceIP[4]; 1207 | char tempOri[16]; 1208 | char tempRep[16]; 1209 | memset(tempOri, '\0', sizeof(tempOri)); 1210 | strcpy(tempOri, IPOriginal); 1211 | p = NULL; 1212 | p = strtok(tempOri, "."); 1213 | if(p) 1214 | { 1215 | OctOriginalIP[0] = atoi(p); 1216 | } 1217 | for(loop = 1; loop < 4; loop++) 1218 | { 1219 | p = strtok(NULL, "."); 1220 | if(p) 1221 | { 1222 | OctOriginalIP[loop] = atoi(p); 1223 | } 1224 | } 1225 | uint32_t IPToReplace = OctOriginalIP[3]*256*256*256 + OctOriginalIP[2]*256*256 + OctOriginalIP[1]*256 + OctOriginalIP[0]; 1226 | uint8_t srcDestIPOctet[4]; 1227 | for (loop=0; loop<4; loop++) 1228 | { 1229 | if(srcDest == 0) 1230 | { 1231 | srcDestIPOctet[loop] = ( copyIP->ip_src.s_addr >> (loop*8) ) & 0xFF; 1232 | } 1233 | if(srcDest == 1) 1234 | { 1235 | srcDestIPOctet[loop] = ( copyIP->ip_dst.s_addr >> (loop*8) ) & 0xFF; 1236 | } 1237 | } 1238 | 1239 | memset(tempRep, '\0', sizeof(tempRep)); 1240 | strcpy(tempRep, IPReplace); 1241 | p = NULL; 1242 | p = strtok(tempRep, "."); 1243 | if(p) 1244 | { 1245 | OctReplaceIP[0] = atoi(p); 1246 | } 1247 | for(loop = 1; loop < 4; loop++) 1248 | { 1249 | p = strtok(NULL, "."); 1250 | if(p) 1251 | { 1252 | OctReplaceIP[loop] = atoi(p); 1253 | } 1254 | } 1255 | 1256 | uint32_t oldIP = 0; 1257 | for(loop = 0; loop < subnet/8; loop++) 1258 | { 1259 | if(srcDestIPOctet[loop] != OctOriginalIP[loop]) 1260 | { 1261 | break; 1262 | } 1263 | } 1264 | if(loop == subnet/8) 1265 | { 1266 | if(srcDest == 0) 1267 | { 1268 | oldIP = copyIP->ip_src.s_addr; 1269 | } 1270 | if(srcDest == 1) 1271 | { 1272 | oldIP = copyIP->ip_dst.s_addr; 1273 | } 1274 | } 1275 | else 1276 | { 1277 | return; 1278 | } 1279 | 1280 | uint32_t newIP = 0; 1281 | struct libtrace_tcp *tcp; 1282 | struct libtrace_udp *udp; 1283 | tcp=trace_get_tcp_from_ip(copyIP,NULL); 1284 | udp=trace_get_udp_from_ip(copyIP,NULL); 1285 | for(loop=0; loop < subnet/8; loop++) 1286 | { 1287 | newIP = newIP*256 + OctReplaceIP[loop]; 1288 | } 1289 | for(loop=subnet/8; loop<4; loop++) 1290 | { 1291 | newIP = newIP*256 + srcDestIPOctet[loop]; 1292 | } 1293 | update_in_cksum32(©IP->ip_sum, oldIP, htonl(newIP)); 1294 | if(tcp) 1295 | { 1296 | update_in_cksum32(&tcp->check, oldIP, htonl(newIP)); 1297 | } 1298 | if(udp) 1299 | { 1300 | update_in_cksum32(&udp->check, oldIP, htonl(newIP)); 1301 | } 1302 | if(srcDest == 0) 1303 | { 1304 | copyIP->ip_src.s_addr = htonl(newIP); 1305 | } 1306 | else 1307 | { 1308 | copyIP->ip_dst.s_addr = htonl(newIP); 1309 | } 1310 | } 1311 | 1312 | //read the port need to filter 1313 | int ReadPortFilters(char * portFilterFile, int * portFilterArray, int IPPortFileLines) 1314 | { 1315 | FILE * fpRead = NULL; 1316 | char buffer[256]; 1317 | int count = 0; 1318 | char * p = NULL; 1319 | 1320 | if((fpRead=fopen(portFilterFile, "r")) == NULL) //open the file to read 1321 | { 1322 | fprintf(stderr, "Read IP replacement file: %s failed\n", portFilterFile); 1323 | exit(1); 1324 | } 1325 | while(!feof(fpRead)) //read the data file and analysis 1326 | { 1327 | memset(buffer, '\0', sizeof(buffer)); 1328 | fgets(buffer, sizeof(buffer), fpRead); 1329 | if(feof(fpRead)) 1330 | { 1331 | break; 1332 | } 1333 | p = strtok(buffer, " "); 1334 | if(p) 1335 | { 1336 | portFilterArray[count] = atoi(p); 1337 | count++; 1338 | } 1339 | } 1340 | fclose(fpRead); 1341 | return 0; 1342 | } 1343 | 1344 | //calculate how many lines is in the file 1345 | int GetFileLineNumer(char * ipReplaceFile) 1346 | { 1347 | FILE * fpRead = NULL; 1348 | int count = 0; 1349 | char buffer[1024]; 1350 | 1351 | //printf("line: %d, file: %s\n", __LINE__, ipReplaceFile); 1352 | 1353 | if((fpRead=fopen(ipReplaceFile, "r")) == NULL) //open the file to read 1354 | { 1355 | fprintf(stderr, "Read IP replacement file: %s failed\n", ipReplaceFile); 1356 | exit(1); 1357 | } 1358 | while(!feof(fpRead)) 1359 | { 1360 | memset(buffer, '\0', sizeof(buffer)); 1361 | fgets(buffer, sizeof(buffer), fpRead); 1362 | if(feof(fpRead)) 1363 | { 1364 | break; 1365 | } 1366 | count++; 1367 | } 1368 | fclose(fpRead); 1369 | return count; 1370 | } 1371 | 1372 | //check whether the port is in the filter array, return 1 if it is in, else return 0 1373 | int CheckPortFilters(int portToCheck, int * portFilterArray, int IPPortFileLines) 1374 | { 1375 | int loop = 0; 1376 | for(loop = 0; loop < IPPortFileLines; loop++) 1377 | { 1378 | if(portToCheck == portFilterArray[loop]) 1379 | { 1380 | return 1; 1381 | } 1382 | } 1383 | return 0; 1384 | } 1385 | 1386 | int ReadExeMagicNumberFile(char * exeMagicNumberFile, char ** exeMagicNumberArray) 1387 | { 1388 | FILE * fpRead = NULL; 1389 | char buffer[1024]; 1390 | int count = 0; 1391 | char * p = NULL; 1392 | if((fpRead=fopen( exeMagicNumberFile, "r" )) == NULL) //open the file to read 1393 | { 1394 | fprintf(stderr, "Read IP replacement file: %s failed\n", exeMagicNumberFile); 1395 | exit(1); 1396 | } 1397 | while(!feof(fpRead)) 1398 | { 1399 | memset(buffer, '\0', sizeof(buffer)); 1400 | fgets(buffer, sizeof(buffer), fpRead); 1401 | 1402 | if(feof(fpRead)) 1403 | { 1404 | break; 1405 | } 1406 | p = strtok(buffer, "\n"); 1407 | if(p) 1408 | { 1409 | strcpy(exeMagicNumberArray[count], buffer); 1410 | //printf("MG %d: %s\n", count, buffer); 1411 | count++; 1412 | } 1413 | } 1414 | } 1415 | 1416 | //read the ip anonymization records from file 1417 | int ReadIPReplaceFile(char * IPConfigFile, struct struct_IPReplace * IPReplaceArray) 1418 | { 1419 | FILE * fpRead = NULL; 1420 | char * p = NULL; 1421 | char buffer[128]; 1422 | char originalIP[16]; 1423 | char replaceIP[16]; 1424 | int subnet = 0; 1425 | int count = 0; 1426 | 1427 | if((fpRead=fopen(IPConfigFile, "r")) == NULL) //open the file to read 1428 | { 1429 | fprintf(stderr, "Read IP replacement file: %s failed\n", IPConfigFile); 1430 | exit(1); 1431 | } 1432 | while(!feof(fpRead)) 1433 | { 1434 | memset(buffer, '\0', sizeof(buffer)); 1435 | memset(originalIP, '\0', sizeof(originalIP)); 1436 | memset(replaceIP, '\0', sizeof(replaceIP)); 1437 | fgets(buffer, sizeof(buffer), fpRead); 1438 | 1439 | if(feof(fpRead)) 1440 | { 1441 | break; 1442 | } 1443 | p = strtok(buffer, " "); 1444 | if(p) 1445 | { 1446 | strcpy(originalIP, p); 1447 | } 1448 | p = strtok(NULL, " "); 1449 | if(p) 1450 | { 1451 | subnet = atoi(p); 1452 | } 1453 | p = strtok(NULL, " "); 1454 | if(p) 1455 | { 1456 | strcpy(replaceIP, p); 1457 | } 1458 | strcpy(IPReplaceArray[count].original_IP, originalIP); 1459 | strcpy(IPReplaceArray[count].replace_IP, replaceIP); 1460 | IPReplaceArray[count].subnet = subnet; 1461 | count++; 1462 | } 1463 | fclose(fpRead); 1464 | return 0; 1465 | } 1466 | 1467 | //check whether a string contents a sub-string, return the offset of the beginning of the sub-string, else return -1 1468 | int ContentString( char * Original, int remaining, int exeMagicNumberLines, char ** exeMagicNumberArray) 1469 | { 1470 | int loop = 0; 1471 | int loopInner = 0; 1472 | int loopOuter = 0; 1473 | int lenOriginal = strlen(Original); 1474 | int lenStrToSearch; 1475 | int Found = 0; 1476 | char buffer[1024]; 1477 | 1478 | for(loopOuter = 0; loopOuter < exeMagicNumberLines; loopOuter++) 1479 | { 1480 | memset(buffer, '\0', sizeof(buffer)); 1481 | strcpy(buffer, exeMagicNumberArray[loopOuter]); 1482 | lenStrToSearch = strlen(buffer); 1483 | 1484 | for(loop=0; loop < remaining-lenStrToSearch; loop++) 1485 | { 1486 | Found = 0; 1487 | for(loopInner=0; loopInnersa_family == AF_INET) { 1637 | struct sockaddr_in *src_v4 = (struct sockaddr_in *) src_addr_ptr; 1638 | inet_ntop(AF_INET, &(src_v4->sin_addr), srcIP, 100); 1639 | } 1640 | //get destination ip address 1641 | char destIP[100]; 1642 | if (dest_addr_ptr->sa_family == AF_INET) { 1643 | struct sockaddr_in *dest_v4 = (struct sockaddr_in *) dest_addr_ptr; 1644 | inet_ntop(AF_INET, &(dest_v4->sin_addr), destIP, 100); 1645 | } 1646 | //fprintf(fp_ip_port, "%s %d %s %d\n", src_ip, src_port, dest_ip, dest_port); 1647 | 1648 | strcpy(flowEntry->src_ip, srcIP); 1649 | flowEntry->src_port = srcPort; 1650 | strcpy(flowEntry->dest_ip, destIP); 1651 | flowEntry->dest_port = destPort; 1652 | 1653 | trace_destroy_packet(pkt); 1654 | trace_destroy(trace); 1655 | //fclose(fp_ip_port); 1656 | 1657 | return 0; 1658 | } 1659 | 1660 | --------------------------------------------------------------------------------