#ifndef _ANONYMIZATION_H_
#define _ANONYMIZATION_H_

#include <netinet/ip6.h>
#include <netinet/icmp6.h>
#include <pcap.h>
#include "anon_snort_decode.h"

#define MAX_UPPER_PROTOCOLS 10

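/*
 * Per-packet decode state: the capture header, a base pointer to the raw
 * bytes, one pointer per protocol header the decoder recognised, and the
 * values extracted from those headers.
 *
 * NOTE(review): the header and payload pointers presumably alias the buffer
 * at `pkt` rather than owning copies -- confirm in decode_packet(). If so,
 * they are valid only while that buffer is, and every anonymization function
 * that writes through them has to stay inside the captured bytes.
 *
 * The struct layout (field order and types) is unchanged.
 */
typedef struct _mapiPacket
{
    struct pcap_pkthdr *pkth;   /* BPF data */
    unsigned char *pkt;         /* base pointer to the raw packet data */

    Fddi_hdr *fddihdr;          /* FDDI support headers */
    Fddi_llc_saps *fddisaps;
    Fddi_llc_sna *fddisna;
    Fddi_llc_iparp *fddiiparp;
    Fddi_llc_other *fddiother;
    Trh_hdr *trh;               /* Token Ring support headers */
    Trh_llc *trhllc;
    Trh_mr *trhmr;
    SLLHdr *sllh;               /* Linux cooked sockets header */
    PflogHdr *pfh;              /* OpenBSD pflog interface header */
    EtherHdr *eh;               /* standard TCP/IP/Ethernet/ARP headers */
    VlanTagHdr *vh;
    EthLlc   *ehllc;
    EthLlcOther *ehllcother;
    WifiHdr *wifih;         /* wireless LAN header */
    EtherARP *ah;
    EtherEapol *eplh;       /* 802.1x EAPOL header */
    EAPHdr *eaph;
    unsigned char *eaptype;
    EapolKey *eapolk;

    IPHdr *iph, *orig_iph;   /* and orig. headers for ICMP_*_UNREACH family */
    unsigned int ip_options_len;
    unsigned char *ip_options_data;

    struct ip6_hdr *ip6h, *orig_ip6h;    /* IPv6 specific stuff */
    struct ip6_frag *ip6fh;
    struct icmp6_hdr *icmp6h;

    TCPHdr *tcph, *orig_tcph;
    unsigned int tcp_options_len;
    unsigned char *tcp_options_data;

    UDPHdr *udph, *orig_udph;
    ICMPHdr *icmph, *orig_icmph;

    echoext *ext;       /* ICMP echo extension struct */

    unsigned char *ipdata;     /* IP payload pointer (incl tcp/udp header) */
    unsigned char *data;     /* packet payload pointer */
    /* The size fields below are unsigned short, so a size above USHRT_MAX
     * cannot be represented in them. */
    unsigned short int ipdsize;        /* IP payload size */
    unsigned short int dsize;        /* packet payload size */
    unsigned short int alt_dsize; /* the dsize of a packet before munging
                            (used for log)*/

    unsigned char frag_flag;     /* flag to indicate a fragmented packet */
    unsigned short int frag_offset;  /* fragment offset number */
    unsigned char mf;            /* more fragments flag */
    unsigned char df;            /* don't fragment flag */
    unsigned char rf;                  /* IP reserved bit */

    unsigned short int sp;       /* source port (TCP/UDP) */
    unsigned short int dp;       /* dest port (TCP/UDP) */
    unsigned short int orig_sp;      /* source port (TCP/UDP) of original datagram */
    unsigned short int orig_dp;      /* dest port (TCP/UDP) of original datagram */
    unsigned int caplen;         /* presumably the captured length -- TODO confirm against decode_packet() */

    unsigned char uri_count;   /* number of URIs in this packet */

/* Defined inside the struct body, but as a preprocessor macro it is visible
 * to everything that follows in the translation unit. */
#define MAX_IPV6_OPT 40
    IPV6Opt ip6_options[MAX_IPV6_OPT]; /* IPV6 Option Header decode structure */
    u_int32_t ip6_option_count;  /* number of Option Header in this packet */

    /* NOTE(review): the three option arrays have a fixed capacity of 40
     * entries. The decoders that fill them are not in this header; verify
     * that each one stops before its *_option_count exceeds that capacity. */
    Options ip_options[40]; /* ip options decode structure */
    unsigned int ip_option_count;  /* number of options in this packet */
    u_char ip_lastopt_bad;  /* flag to indicate that option decoding was halted due to a bad option */
    Options tcp_options[40];    /* tcp options decode struct */
    unsigned int tcp_option_count;
    u_char tcp_lastopt_bad;  /* flag to indicate that option decoding was halted due to a bad option */

    unsigned char csum_flags;        /* checksum flags */
    unsigned int packet_flags;     /* special flags for the packet */

    /* Parallel arrays with MAX_UPPER_PROTOCOLS slots each.
     * NOTE(review): num_of_upper_layer_protocols is a signed int; code that
     * indexes with it should check 0 <= n <= MAX_UPPER_PROTOCOLS first. */
    void *upper_layer_protocol_headers[MAX_UPPER_PROTOCOLS];
    int upper_layer_names[MAX_UPPER_PROTOCOLS];
    int num_of_upper_layer_protocols;

} mapipacket;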

/*
 * Kind of pattern value.
 * NOTE(review): presumably the values accepted by the `pattern_type`
 * argument of pattern_fill_field() -- confirm against its definition.
 */
typedef enum {
	INTEGER = 0,
	STR = 1
} patternTypes;

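/*
 * Single identifier space for everything an anonymization rule can name:
 * protocols, anonymization functions, digest/cipher selectors, per-protocol
 * field identifiers and distribution types.
 *
 * Only IP has an explicit value; every other enumerator is implicit, so
 * inserting or removing a name in the middle renumbers everything after it
 * (see the note on FLOW at the end). The BASE_* / END_* markers delimit
 * ranges that other declarations in this header use to size arrays
 * (END_HTTP_DEFS-BASE_HTTP_DEFS+1, END_FTP_DEFS-BASE_FTP_DEFS+1).
 */
typedef enum  {

	//ACCEPTED PROTOCOLS
	IP=1  ,
	TCP  ,
	UDP  ,
	ICMP ,
	HTTP ,
	FTP  ,

	//ANONYMIZATION FUNCTIONS
	UNCHANGED         ,
	MAP               ,
	MAP_DISTRIBUTION  ,
	STRIP             ,
	RANDOM            ,
	HASHED            ,
	PATTERN_FILL      ,
	ZERO              ,
	REPLACE           ,
	PREFIX_PRESERVING ,
	PREFIX_PRESERVING_MAP ,
	CHECKSUM_ADJUST   ,
	FILENAME_RANDOM   ,
	REGEXP            ,

	PAD_WITH_ZERO     ,
	STRIP_REST        ,

	//ACCEPTABLE HASH FUNCTIONS
	/*
	 * This group mixes digests (SHA, MD5, CRC32, SHA_2) with block ciphers
	 * (TRIPLEDES, AES, DES). Presumably ANON_SHA is SHA-1 and ANON_SHA_2 is
	 * SHA-256, matching the sha1_hash()/sha256_hash() prototypes in this
	 * header -- confirm.
	 *
	 * NOTE(review): the md5/sha1/sha256/crc32 prototypes in this header take
	 * no key argument. An unkeyed digest of a small field (an IPv4 address,
	 * a port) can be reversed by enumerating the input space, and CRC32 is a
	 * checksum rather than a cryptographic hash. Where the output has to
	 * resist re-identification, prefer a keyed or prefix-preserving
	 * transform. MD5 and DES are legacy primitives.
	 */
	ANON_SHA              ,
	ANON_MD5              ,
	ANON_CRC32            ,
	ANON_SHA_2            ,
	ANON_TRIPLEDES        ,
	ANON_AES              ,
	ANON_DES              ,

	BASE_FIELD_DEFS,
	PAYLOAD, //common to all protocols
	CHECKSUM,
	SRC_IP,
	DST_IP,
	TTL,
	TOS,
	ID,
	FIELD_VERSION,
	OPTIONS,
	PACKET_LENGTH,
	IP_PROTO,
	IHL,
	FRAGMENT_OFFSET ,

	SRC_PORT ,
	DST_PORT ,
	SEQUENCE_NUMBER,
	OFFSET_AND_RESERVED,
	ACK_NUMBER,
	FLAGS ,
	URGENT_POINTER,
	WINDOW ,
	TCP_OPTIONS ,
	UDP_DATAGRAM_LENGTH,
	TYPE ,
	CODE ,

	/*
	 * HTTP fields. AUTHORIZATION, PROXY_AUTHORIZATION, COOKIE and SET_COOKIE
	 * name headers that carry credentials or session identifiers; a policy
	 * that leaves them UNCHANGED copies those values into the output trace.
	 * MAX_FORWRDS and REFERRER are spelled as found; they are part of the
	 * enum's public names and are left untouched.
	 */
	BASE_HTTP_DEFS      , //the number of first definition for HTTP
	HTTP_VERSION        ,
	METHOD              ,
	URI                 ,
	USER_AGENT          ,
	ACCEPT              ,
	ACCEPT_CHARSET      ,
	ACCEPT_ENCODING     ,
	ACCEPT_LANGUAGE     ,
	ACCEPT_RANGES       ,
	AGE                 ,
	ALLOW               ,
	AUTHORIZATION       ,
	CACHE_CONTROL       ,
	CONNECTION_TYPE     ,
	CONTENT_TYPE        ,
	CONTENT_LENGTH      ,
	CONTENT_LOCATION    ,
	CONTENT_MD5         ,
	CONTENT_RANGE       ,
	COOKIE              ,
	ETAG                ,
	EXPECT              ,
	EXPIRES             ,
	FROM                ,
	HOST                ,
	IF_MATCH            ,
	IF_MODIFIED_SINCE   ,
	IF_NONE_MATCH       ,
	IF_RANGE            ,
	IF_UNMODIFIED_SINCE ,
	LAST_MODIFIED       ,
	MAX_FORWRDS         ,
	PRAGMA              ,
	PROXY_AUTHENTICATE  ,
	PROXY_AUTHORIZATION ,
	RANGE               ,
	REFERRER            ,
	RETRY_AFTER         ,
	SET_COOKIE          ,
	SERVER              ,
	TE                  ,
	TRAILER             ,
	TRANSFER_ENCODING   ,
	UPGRADE             ,
	VIA                 ,
	WARNING             ,
	WWW_AUTHENTICATE    ,
	X_POWERED_BY        ,
	RESPONSE_CODE       ,
	RESP_CODE_DESCR     ,
	VARY                ,
	DATE                ,
	CONTENT_ENCODING    ,
	KEEP_ALIVE          ,
	LOCATION            ,
	CONTENT_LANGUAGE    ,
	DERIVED_FROM        ,
	ALLOWED             ,
	MIME_VERSION        ,
	TITLE               ,
	REFRESH             ,

	HTTP_PAYLOAD        , //for internal use
	END_HTTP_DEFS       ,

	//FTP FIELDS
	/*
	 * USER, PASS and ACCT name commands whose argument is a login
	 * credential; the same caution as for the HTTP credential headers
	 * applies when a policy leaves them UNCHANGED.
	 */
	BASE_FTP_DEFS ,
	//XXX we must include responses
	//all responses have a code and an argument
	USER     , //has arg
	PASS     , //has arg
	ACCT     , //has arg
	FTP_TYPE , //has arg
	STRU     ,
	MODE     ,
	CWD      , //has arg
	PWD      , //no arg
	CDUP     , //no arg
	PASV     , //no arg
	RETR     , //has arg
	REST     ,
	PORT     ,
	LIST     , //no arg
	NLST     , //yes/no arg
	QUIT     , //no arg
	SYST     , //no arg
	STAT     ,
	HELP     ,
	NOOP     ,
	STOR     ,
	APPE     ,
	STOU     ,
	ALLO     ,
	MKD      , //has arg
	RMD      , //has arg
	DELE     , //has arg
	RNFR     ,
	RNTO     ,
	SITE     , //has arg
	FTP_RESPONSE_CODE,
	FTP_RESPONSE_ARG,
	END_FTP_DEFS,
	END_FIELD_DEFS,

	/* Distribution types; presumably the `distribution_type` values taken
	 * by map_distribution() -- confirm. */
	GAUSSIAN,
	UNIFORM,

	FLOW /* IPv6 header field, should not be here, but may break compatibility
	      * if not at the end */
} anonymizationDefs;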

#define MAX_PIPELINE 50

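/*
 * Output of http_decode(): for each of up to MAX_PIPELINE messages, a table
 * with one slot per HTTP field identifier in BASE_HTTP_DEFS..END_HTTP_DEFS,
 * holding a pointer and a length for the header and for its value.
 *
 * NOTE(review): the first index is presumably the position of the message
 * within a pipelined packet and the second presumably
 * (field id - BASE_HTTP_DEFS) -- confirm in http_decode(). The pointers
 * presumably reference the packet buffer rather than copies, so they are
 * only meaningful together with their lengths and while that buffer lives.
 *
 * With the ranges declared in this header the four tables come to about
 * 75 KB when pointers are 8 bytes wide, which matters if an instance is
 * placed on a small stack.
 */
struct httpheader {
	int http_type;
	unsigned char *pointers_to_value[MAX_PIPELINE][END_HTTP_DEFS-BASE_HTTP_DEFS+1];
	unsigned char *pointers_to_header[MAX_PIPELINE][END_HTTP_DEFS-BASE_HTTP_DEFS+1];
	unsigned int value_length[MAX_PIPELINE][END_HTTP_DEFS-BASE_HTTP_DEFS+1];
	unsigned int header_length[MAX_PIPELINE][END_HTTP_DEFS-BASE_HTTP_DEFS+1];
	/* NOTE(review): signed int; code that indexes the tables with it should
	 * check 0 <= pipeline_depth <= MAX_PIPELINE first. */
	int pipeline_depth;
};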

/*
 * Output of ftp_decode(): one slot per FTP field identifier in
 * BASE_FTP_DEFS..END_FTP_DEFS, holding a pointer and a length for the
 * header and for its value.
 *
 * NOTE(review): slots are presumably indexed by (field id - BASE_FTP_DEFS),
 * and the pointers presumably reference the packet buffer rather than
 * copies -- confirm in ftp_decode().
 */
struct ftpheader {
	int ftp_type;
	unsigned char *pointers_to_value[END_FTP_DEFS-BASE_FTP_DEFS+1];
	unsigned char *pointers_to_header[END_FTP_DEFS-BASE_FTP_DEFS+1];
	/* Lengths are unsigned short here, whereas struct httpheader uses
	 * unsigned int for the same purpose. */
	unsigned short value_length[END_FTP_DEFS-BASE_FTP_DEFS+1];
	unsigned short header_length[END_FTP_DEFS-BASE_FTP_DEFS+1];
};


/* for mapping functions */

/*
 * Value handled by the mapping functions: up to four unsigned int words.
 * NOTE(review): presumably len == 1 is a single-word value such as an IPv4
 * address and len == 4 a four-word value such as an IPv6 address -- confirm
 * in map_field().
 */
typedef struct _mapValue {
    unsigned int val[4];
    unsigned char len; /* only 1 and 4 are expected (len == 1 || len == 4); presumably the number of val[] words in use */
} mapValue;

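/*
 * One node of a singly linked list used by the mapping functions
 * (map_field() takes a `mapNode **map_table`).
 *
 * NOTE(review): presumably `value` is the original field value and
 * `mapped_value` its replacement -- confirm in map_field(). If so, a
 * populated table links anonymized values back to the originals and has to
 * be protected like the un-anonymized trace itself.
 */
typedef struct _mapNode {
	mapValue value;
	unsigned int mapped_value;
	struct _mapNode *next;   /* next node in the list */
} mapNode;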

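#define MAPPING_ENTRIES 1024 

/* ANONYMIZATION PROTOTYPES */

/* Decoders. They fill the caller-supplied mapipacket / httpheader /
 * ftpheader; the meaning of the int return value is not visible in this
 * header. */
int decode_packet(int datalink,int snaplen,struct pcap_pkthdr *pkthdr,unsigned char *p,mapipacket *pkt);
int http_decode(mapipacket *p, struct httpheader *h);
int ftp_decode(mapipacket *p, struct ftpheader *h);


/* Signature of a per-datalink packet handler. */
typedef void (*grinder_t)(mapipacket *, struct pcap_pkthdr *, u_char *,int snaplen); 

extern void PrintIPPkt(FILE * fp, int type, mapipacket * p);

/* Checksum helpers; presumably used to recompute a checksum after a field
 * has been rewritten (cf. CHECKSUM_ADJUST) -- confirm. */
extern unsigned short calculate_ip_sum(mapipacket *p);
extern unsigned short calculate_tcp_sum(mapipacket *p);
extern unsigned short calculate_udp_sum(mapipacket *p);
extern unsigned short calculate_icmp_sum(mapipacket *p);

extern void PrintPacket(FILE *fp, mapipacket *p,int datalink); 
/* NOTE(review): an empty parameter list is not a prototype in C11, so calls
 * to gen_table are not argument-checked; declare it as (void) once the
 * definition is confirmed to take no arguments. */
extern void gen_table();

/*
 * Field transforms. Each one receives a raw pointer into the packet and a
 * signed length (int or short).
 *
 * NOTE(review): the signatures without a packet_end argument carry no
 * buffer bound, so the caller is the only place where `field + len` can be
 * checked against the captured bytes; a negative or oversized len should be
 * rejected before the call. The functions that take total_len and
 * packet_end presumably use them as that bound when a replacement changes
 * the field size -- confirm in the definitions.
 */
extern void pattern_fill_field(unsigned char *field, int len, int pattern_type, void *pattern);
extern void prefix_preserving_anonymize_field(unsigned char *raw_addr, int len);
extern void random_field(unsigned char *field, int len);
extern void filename_random_field(unsigned char *p, int len);
extern void map_distribution(unsigned char *field, short len, int distribution_type, int arg1, int arg2);
/* Keyed transforms: despite the _hash suffix these take a key. The key
 * length expected behind `key` is not visible here. */
extern int aes_hash(unsigned char *field, int len, unsigned char *key, int padding_behavior, mapipacket *p);
extern int des_hash(unsigned char *field, int len, unsigned char *key, int padding_behavior, mapipacket *p);
extern void map_field(unsigned char *field, short len, mapNode **map_table,int *count);
extern int replace_field(unsigned char *field,  int len, unsigned char * pattern, int pattern_len,mapipacket *p, int total_len, unsigned char *packet_end);
/* Unkeyed digests (no key parameter in any of the four signatures). For
 * small fields such as addresses and ports, the digest can be matched back
 * to its input by enumerating the input space. */
extern int md5_hash(unsigned char *field, int len, int padding_behavior, mapipacket *p, int total_len, unsigned char * packet_end,int donotreplace);

extern void strip (mapipacket *p, unsigned char *field, int len,int keep_bytes, int total_len, unsigned char* packet_end);
extern int sha1_hash(unsigned char *field, int len, int padding_behavior, mapipacket *p, int total_len, unsigned char * packet_end,int donotreplace);
extern int sha256_hash(unsigned char *field, int len, int padding_behavior, mapipacket *p, int total_len, unsigned char * packet_end,int donotreplace);
extern int crc32_hash(unsigned char *field, int len, int padding_behavior, mapipacket *p, int total_len, unsigned char * packet_end,int donotreplace);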

#endif