# This is just a stub parser for now. It detects only the presence of the
# RFB (VNC) client/server version handshake, then stops parsing.
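class Protos
  # RFB ProtocolVersion banner: "RFB xxx.yyy\n", always 12 bytes. Both the
  # server greeting and the client's reply use this exact layout, which is
  # what the byte offsets 4..6 / 8..10 of the original parser relied on.
  VNC_BANNER_LEN = 12
  VNC_BANNER_RE = /\ARFB (\d{3})\.(\d{3})\n\z/.freeze

  # Entry point for VNC traffic. Which side of the conversation +data+ came
  # from is not known until `state.app_state[dir][:type]` is consulted.
  #
  # @param data  [String, nil] bytes of this segment; nil is a no-op
  # @param state [Object] flow state; must respond to #app_state (a Hash)
  # @param dir   [Object] key into state.app_state whose :type is :client or
  #                       anything else (treated as server)
  # @return [nil]   when data is nil
  # @return [true]  banner incomplete, more data expected
  # @return [false] banner consumed (or not RFB at all): stop parsing
  def parse_vnc(data, state, dir)
    return nil unless data
    dir = state.app_state[dir][:type]
    return _parse_vnc_client(data, state, dir) if dir == :client
    _parse_vnc_server(data, state, dir)
  end

  # Client side of the handshake; per-direction progress lives in
  # state.app_state[:req_struct]. See #_parse_vnc_banner.
  def _parse_vnc_client(data, state, dir)
    _parse_vnc_banner(:req_struct, data, state, dir)
  end

  # Server side of the handshake; per-direction progress lives in
  # state.app_state[:resp_struct]. See #_parse_vnc_banner.
  def _parse_vnc_server(data, state, dir)
    _parse_vnc_banner(:resp_struct, data, state, dir)
  end

  # Shared implementation for both directions: accumulate the 12-byte
  # ProtocolVersion banner across segments, validate it, record the version
  # and raise a single :vnc_detected event.
  #
  # @param key   [Symbol] app_state slot holding this direction's progress
  # @param data  [String] bytes of this segment
  # @param state [Object] flow state (see #parse_vnc)
  # @param dir   [Symbol] :client or :server, reported verbatim in the event
  # @return [true, false] see #parse_vnc
  def _parse_vnc_banner(key, data, state, dir)
    st = state.app_state[key]
    unless st
      st = state.app_state[key] = Struct.new(
        :state, :buff, :maxlen, :terminator, :version
      ).new
      # _prepare_to_copy / _copy_bytes are defined elsewhere in this file;
      # they are assumed to buffer up to maxlen bytes and hand back
      # [new_pos, true] while incomplete, [new_pos, bytes] once full.
      _prepare_to_copy(st, VNC_BANNER_LEN)
      st.state = :init
    end
    pos = 0
    while pos < data.length
      case st.state
      when :init
        pos, ret = _copy_bytes(st, data, pos)
        return true if ret == true # more data to come, but not now
        m = VNC_BANNER_RE.match(ret.to_s)
        # Untrusted bytes: anything that is not a well-formed RFB banner is
        # not reported as VNC. Without this check every 12-byte payload on
        # the port produced a :vnc_detected event with a garbage version.
        return false unless m
        st.version = "#{m[1].to_i}.#{m[2].to_i}"
        # NOTE(review): assumes app_state[:src]/[:dst] describe the flow's
        # initiator/responder rather than the current packet, so that :dst
        # is the server in both directions -- confirm against the caller.
        @event_collector.send(:vnc_detected) do
          { :version => st.version, :dir => dir,
            :server_ip => str_ip(state.app_state[:dst]),
            :client_ip => str_ip(state.app_state[:src]),
            :server_port => state.app_state[:dport],
            :client_port => state.app_state[:sport]
          }
        end
        # Stub: detection only, stop parsing this flow.
        return false
      else
        # No other states exist yet; bail out rather than spin forever on
        # a state that never advances pos.
        return false
      end
    end
    true
  end
end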