glutton/protocols/protocols.go at 4001b4af84d67ca959dfe2aa1e1ddd03e7a26836 · Boolean-Autocrat/glutton · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
package protocols

import (
	"bytes"
	"context"
	"encoding/binary"
	"net"
	"strings"

	"github.com/mushorg/glutton/connection"
	"github.com/mushorg/glutton/producer"
	"github.com/mushorg/glutton/protocols/interfaces"
	spicyHandlers "github.com/mushorg/glutton/protocols/spicy/handlers"
	"github.com/mushorg/glutton/protocols/tcp"
	"github.com/mushorg/glutton/protocols/udp"
	"github.com/spf13/viper"
)

type TCPHandlerFunc func(ctx context.Context, conn net.Conn, md connection.Metadata) error

type UDPHandlerFunc func(ctx context.Context, srcAddr, dstAddr *net.UDPAddr, data []byte, md connection.Metadata) error

// MapUDPProtocolHandlers map protocol handlers to corresponding protocol
func MapUDPProtocolHandlers(log interfaces.Logger, h interfaces.Honeypot) map[string]UDPHandlerFunc {
	protocolHandlers := map[string]UDPHandlerFunc{}
	protocolHandlers["udp"] = func(ctx context.Context, srcAddr, dstAddr *net.UDPAddr, data []byte, md connection.Metadata) error {
		return udp.HandleUDP(ctx, srcAddr, dstAddr, data, md, log, h)
	}
	return protocolHandlers
}

// MapTCPProtocolHandlers map protocol handlers to corresponding protocol
func MapTCPProtocolHandlers(log interfaces.Logger, h interfaces.Honeypot) map[string]TCPHandlerFunc {
	protocolHandlers := map[string]TCPHandlerFunc{}
	protocolHandlers["smtp"] = func(ctx context.Context, conn net.Conn, md connection.Metadata) error {
		return tcp.HandleSMTP(ctx, conn, md, log, h)
	}
	protocolHandlers["rdp"] = func(ctx context.Context, conn net.Conn, md connection.Metadata) error {
		return tcp.HandleRDP(ctx, conn, md, log, h)
	}
	protocolHandlers["smb"] = func(ctx context.Context, conn net.Conn, md connection.Metadata) error {
		return tcp.HandleSMB(ctx, conn, md, log, h)
	}
	protocolHandlers["ftp"] = func(ctx context.Context, conn net.Conn, md connection.Metadata) error {
		return tcp.HandleFTP(ctx, conn, md, log, h)
	}
	protocolHandlers["sip"] = func(ctx context.Context, conn net.Conn, md connection.Metadata) error {
		return tcp.HandleSIP(ctx, conn, md, log, h)
	}
	protocolHandlers["rfb"] = func(ctx context.Context, conn net.Conn, md connection.Metadata) error {
		return tcp.HandleRFB(ctx, conn, md, log, h)
	}
	protocolHandlers["telnet"] = func(ctx context.Context, conn net.Conn, md connection.Metadata) error {
		return tcp.HandleTelnet(ctx, conn, md, log, h)
	}
	protocolHandlers["mqtt"] = func(ctx context.Context, conn net.Conn, md connection.Metadata) error {
		return tcp.HandleMQTT(ctx, conn, md, log, h)
	}
	protocolHandlers["iscsi"] = func(ctx context.Context, conn net.Conn, md connection.Metadata) error {
		return tcp.HandleISCSI(ctx, conn, md, log, h)
	}
	protocolHandlers["bittorrent"] = func(ctx context.Context, conn net.Conn, md connection.Metadata) error {
		return tcp.HandleBittorrent(ctx, conn, md, log, h)
	}
	protocolHandlers["memcache"] = func(ctx context.Context, conn net.Conn, md connection.Metadata) error {
		return tcp.HandleMemcache(ctx, conn, md, log, h)
	}
	protocolHandlers["jabber"] = func(ctx context.Context, conn net.Conn, md connection.Metadata) error {
		return tcp.HandleJabber(ctx, conn, md, log, h)
	}
	protocolHandlers["adb"] = func(ctx context.Context, conn net.Conn, md connection.Metadata) error {
		return tcp.HandleADB(ctx, conn, md, log, h)
	}
	protocolHandlers["mongodb"] = func(ctx context.Context, conn net.Conn, md connection.Metadata) error {
		return tcp.HandleMongoDB(ctx, conn, md, log, h)
	}
	protocolHandlers["tcp"] = func(ctx context.Context, conn net.Conn, md connection.Metadata) error {
		snip, bufConn, err := Peek(conn, 4)
		if err != nil {
			if err := conn.Close(); err != nil {
				log.Error("failed to close connection", producer.ErrAttr(err))
			}
			log.Debug("failed to peek connection", producer.ErrAttr(err))
			return nil
		}
		// poor mans check for HTTP request
		httpMap := map[string]bool{"GET ": true, "POST": true, "HEAD": true, "OPTI": true, "CONN": true}
		if _, ok := httpMap[strings.ToUpper(string(snip))]; ok {
			if viper.GetBool("spicy.enabled") {
				return spicyHandlers.HandleHTTP(ctx, bufConn, md, log, h)
			} else {
				return tcp.HandleHTTP(ctx, bufConn, md, log, h)
			}
		}
		// poor mans check for RDP header
		if bytes.Equal(snip, []byte{0x03, 0x00, 0x00, 0x2b}) {
			return tcp.HandleRDP(ctx, bufConn, md, log, h)
		}
		// poor mans check for MongoDB header (checking msg length and validating opcodes)
		messageLength := binary.LittleEndian.Uint32(snip)
		if messageLength > 0 && messageLength <= 48*1024*1024 {
			moreSample, bufConn, err := Peek(bufConn, 16)
			if err != nil {
				if err := conn.Close(); err != nil {
					log.Error("failed to close connection", producer.ErrAttr(err))
				}
				log.Debug("failed to peek connection", producer.ErrAttr(err))
				return nil
			}
			if len(moreSample) == 16 {
				opCode := binary.LittleEndian.Uint32(moreSample[12:16])
				validOpCodes := map[uint32]bool{
					1:    true, // OP_REPLY
					2001: true, // OP_UPDATE
					2002: true, // OP_INSERT
					2004: true, // OP_QUERY
					2005: true, // OP_GET_MORE
					2006: true, // OP_DELETE
					2007: true, // OP_KILL_CURSORS
					2012: true, // OP_COMPRESSED
					2013: true, // OP_MSG
				}
				if _, ok := validOpCodes[opCode]; ok {
					return tcp.HandleMongoDB(ctx, bufConn, md, log, h)
				}
			}
		}
		// fallback TCP handler
		return tcp.HandleTCP(ctx, bufConn, md, log, h)
	}
	return protocolHandlers
}