smtp client processing

ekmixon · Mar 29, 2021 · cd35397 · cd35397
1 parent e4d6a4f
commit cd35397
Show file tree

Hide file tree

Showing 4 changed files with 66 additions and 8 deletions.
diff --git a/src/libmerc/extractor.cc b/src/libmerc/extractor.cc
@@ -195,11 +195,18 @@ unsigned char smtp_server_value[] = {
  0x32, 0x35, 0x30, 0x2d, 0x00, 0x00, 0x00, 0x00
 };
 
-struct pi_container smtp_server = {
- DIR_SERVER,
- SMTP_PORT
+
+/* SMTP client matching value */
+
+unsigned char smtp_client_mask[] = {
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00
 };
 
+unsigned char smtp_client_value[] = {
+ 0x45, 0x48, 0x4c, 0x4f, 0x20, 0x00, 0x00, 0x00
+};
+
+
 enum tcp_msg_type get_message_type(const uint8_t *tcp_data,
  unsigned int len) {
 
@@ -266,6 +273,11 @@ enum tcp_msg_type get_message_type(const uint8_t *tcp_data,
  ssh_kex_value)) {
  return tcp_msg_type_ssh_kex;
  }
+ if (u32_compare_masked_data_to_value(tcp_data,
+ smtp_client_mask,
+ smtp_client_value)) {
+ return tcp_msg_type_smtp_client;
+ }
  if (u32_compare_masked_data_to_value(tcp_data,
  smtp_server_mask,
  smtp_server_value)) {

diff --git a/src/libmerc/pkt_proc.cc b/src/libmerc/pkt_proc.cc
@@ -567,6 +567,7 @@ using tcp_protocol = std::variant<std::monostate,
  tls_server_hello_and_certificate,
  ssh_init_packet,
  ssh_kex_init,
+ smtp_client,
  smtp_server,
  unknown_initial_packet
  >;
@@ -765,6 +766,13 @@ void set_tcp_protocol(tcp_protocol &x,
  kex_init.parse(ssh_pkt.payload);
  break;
  }
+ case tcp_msg_type_smtp_client:
+ {
+ x.emplace<smtp_client>();
+ auto &response = std::get<smtp_client>(x);
+ response.parse(pkt);
+ break;
+ }
  case tcp_msg_type_smtp_server:
  {
  x.emplace<smtp_server>();

diff --git a/src/libmerc/proto_identify.h b/src/libmerc/proto_identify.h
@@ -25,6 +25,7 @@ enum tcp_msg_type {
  tcp_msg_type_tls_certificate,
  tcp_msg_type_ssh,
  tcp_msg_type_ssh_kex,
+ tcp_msg_type_smtp_client,
  tcp_msg_type_smtp_server
 };
 

diff --git a/src/libmerc/smtp.h b/src/libmerc/smtp.h
@@ -34,7 +34,7 @@ struct smtp_parameters : public datum {
  data_end = p.data;
  }
 
- void print_parameters(struct json_array &a) const {
+ void print_parameters(struct json_array &a, int offset) const {
  unsigned char crlf[2] = { '\r', '\n' };
 
  if (this->is_not_readable()) {
@@ -52,17 +52,54 @@ struct smtp_parameters : public datum {
  break;
  }
  param.data_end = p.data - 2;
- param.data += 4;
+ param.data += offset;
 
  a.print_json_string(param);
  }
  }
 };
 
 
-struct smtp_server {
+class smtp_client {
  struct smtp_parameters parameters;
 
+public:
+
+ smtp_client() : parameters{} { }
+
+ void parse(struct datum &pkt) {
+ parameters.parse(pkt);
+
+ return;
+ }
+
+ void operator()(buffer_stream &) { }
+
+ void write_json(json_object &record, bool) {
+ if (this->is_not_empty()) {
+ struct json_object smtp{record, "smtp"};
+ struct json_object smtp_request{smtp, "request"};
+ struct json_array params{smtp_request, "parameters"};
+
+ parameters.print_parameters(params, 5);
+
+ params.close();
+ smtp_request.close();
+ smtp.close();
+ }
+ }
+
+ void compute_fingerprint(struct fingerprint) const { };
+
+ bool is_not_empty() { return parameters.is_not_empty(); }
+};
+
+
+class smtp_server {
+ struct smtp_parameters parameters;
+
+public:
+
  smtp_server() : parameters{} { }
 
  void parse(struct datum &pkt) {
@@ -79,15 +116,15 @@ struct smtp_server {
  struct json_object smtp_response{smtp, "response"};
  struct json_array params{smtp_response, "parameters"};
 
- parameters.print_parameters(params);
+ parameters.print_parameters(params, 4);
 
  params.close();
  smtp_response.close();
  smtp.close();
  }
  }
 
- void compute_fingerprint(struct fingerprint &fp) const { };
+ void compute_fingerprint(struct fingerprint) const { };
 
  bool is_not_empty() { return parameters.is_not_empty(); }
 };