
ProtocolProfilerInit.tcl

a guest
Nov 12th, 2014
  1. #####
  2. # ProtocolProfilerInit.tcl
  3. # Author: Thomas Schockaert
  4. # Last Changed: 20141104
  5. # Contents: The procedures that define the protocol maps and initialize the user-defined static textmaps.
  6. # Howto:
  7. # - Procedure names don't follow a specific naming scheme. You just call whatever you named it in the CLIENT_ACCEPTED event of your iRule
  8. # - Example:
  9. #   when CLIENT_ACCEPTED {
  10. #       array set pmap [call ProtocolProfilerInit::init_dns]
  11. #   }
  12. #####
  13.  
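  ### init_dns { }
  # Description:
  # - Builds the DNS protocol map in the local array 'pmap', then calls
  #   ProtocolProfilerTMAPs::tmap_define_dns to initialize the static textmaps.
  # - Keys are underscore-separated index paths ("0", "0_0", "0_0_0", ...).
  #   Judging by the values below, a field entry is {name length format} and a
  #   branch entry is {name "field=value"}; the code that walks the map is not
  #   in this file, so confirm against it.
  # Arguments: none
  # Returns:
  # - the protocol map as a list (the result of 'array get pmap')
  # Security notes:
  # - Lengths named after another field (e.g. "answerdatalength") are read from
  #   the datagram and are therefore sender-controlled. The code that consumes
  #   this map should check every such length against the bytes that actually
  #   remain before reading.
  # - Branches match exact flag and record-count words only. Any other value
  #   has no entry here, so the consumer needs a defined fallthrough for
  #   unmatched or malformed messages.
  proc init_dns { } {
      # Fixed part of the DNS header.
      set pmap(0) "record"
      set pmap(0_0) {"transactionid" 2 "hex"}
      set pmap(0_0_0) {"transaction"}
      set pmap(0_0_0_0) {"flags" 2 "hex"}

      # Branch 0: standard query (flags 0x0100).
      set pmap(0_0_0_0_0) {"standard_query" "flags=0x0100"}
      set pmap(0_0_0_0_0_0) {"questionrecordcount" 2 "dec"}
      set pmap(0_0_0_0_0_1) {"answerrecordcount" 2 "dec"}
      set pmap(0_0_0_0_0_2) {"authorityrecordcount" 2 "dec"}
      set pmap(0_0_0_0_0_3) {"additionalrecordcount" 2 "dec"}
      # dns is a bitch: http://www.tcpipguide.com/free/t_DNSNameNotationandMessageCompressionTechnique.htm
      # The escaped brackets keep the expression as literal text in the map;
      # presumably the consumer evaluates it per packet - confirm.
      # NOTE(review): the length is derived from the datagram size minus fixed
      # trailer sizes, so it is only right for the exact layout assumed here.
      # The consumer should reject a zero or negative result.
      set pmap(0_0_0_0_0_4) {"queryname" "\[expr \[UDP::payload length\]-4\]" "dnstext"}
      set pmap(0_0_0_0_0_5) {"querytype" 2 "tmap"}
      set pmap(0_0_0_0_0_6) {"queryclass" 2 "tmap"}

      # Branch 1: response with flags 0x8180, one question and one answer.
      set pmap(0_0_0_0_1) {"standard_response_noerror" "flags=0x8180"}
      set pmap(0_0_0_0_1_0) {"recordcount" 8 "dec"}
      set pmap(0_0_0_0_1_0_0) {"question_and_answer" "recordcount=0x0001000100000000"}
      # -4 bytes for the querytype and class, -16 bytes for the answer
      set pmap(0_0_0_0_1_0_0_0) {"queryname" "\[expr \[UDP::payload length\]-4-16\]" "dnstext"}
      set pmap(0_0_0_0_1_0_0_1) {"querytype" 2 "tmap"}
      set pmap(0_0_0_0_1_0_0_2) {"queryclass" 2 "tmap"}
      set pmap(0_0_0_0_1_0_0_3) {"answername" 2 "hex"}
      set pmap(0_0_0_0_1_0_0_4) {"answertype" 2 "tmap"}
      set pmap(0_0_0_0_1_0_0_5) {"answerclass" 2 "tmap"}
      set pmap(0_0_0_0_1_0_0_6) {"answerttl" 4 "dec"}
      set pmap(0_0_0_0_1_0_0_7) {"answerdatalength" 2 "dec"}
      set pmap(0_0_0_0_1_0_0_8) {"answeraddress" "answerdatalength" "ipv4"}

      # Branch 2: response with flags 0x8183, one question and one authority record.
      # NOTE(review): the low four bits of 0x8183 are RCODE 3 (Name Error /
      # NXDOMAIN), so the "noerror" label is misleading and duplicates branch 1.
      # It is left unchanged because code outside this file may key on it.
      set pmap(0_0_0_0_2) {"standard_response_noerror" "flags=0x8183"}
      set pmap(0_0_0_0_2_0) {"recordcount" 8 "dec"}
      set pmap(0_0_0_0_2_0_0) {"question_and_authoritative" "recordcount=0x0001000000010000"}
      # -4 bytes for the querytype and class, -46 bytes for the authoritative
      set pmap(0_0_0_0_2_0_0_0) {"queryname" "\[expr \[UDP::payload length\]-4-46\]" "dnstext"}
      set pmap(0_0_0_0_2_0_0_1) {"querytype" 2 "tmap"}
      set pmap(0_0_0_0_2_0_0_2) {"queryclass" 2 "tmap"}
      set pmap(0_0_0_0_2_0_0_3) {"answername" 2 "hex"}
      set pmap(0_0_0_0_2_0_0_4) {"answertype" 2 "tmap"}
      set pmap(0_0_0_0_2_0_0_5) {"answerclass" 2 "tmap"}
      set pmap(0_0_0_0_2_0_0_6) {"answerttl" 4 "dec"}
      set pmap(0_0_0_0_2_0_0_7) {"answerdatalength" 2 "dec"}
      # NOTE(review): "dns_soaracord" looks like a misspelling of "dns_soarecord".
      # It is left unchanged because the format name has to match whatever the
      # decoder defines - confirm there.
      set pmap(0_0_0_0_2_0_0_8) {"answeraddress" "answerdatalength" "dns_soaracord"}

      call ProtocolProfilerTMAPs::tmap_define_dns

      return [array get pmap]
  }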
  65.  
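  ### init_ssl { }
  # Description:
  # - Builds the SSL/TLS record and handshake protocol map in the local array
  #   'pmap', then calls ProtocolProfilerTMAPs::tmap_define_ssl to initialize
  #   the static textmaps.
  # - Keys are underscore-separated index paths. Judging by the values below,
  #   a field entry is {name length format ?itemsize?} and a branch entry is
  #   "name field=value"; the code that walks the map is not in this file, so
  #   confirm against it.
  # Arguments: none
  # Returns:
  # - the protocol map as a list (the result of 'array get pmap')
  # Security notes:
  # - Most lengths here refer to an earlier field ("sessionidlength",
  #   "extensionslength", "recordlength", ...). Those values come from the peer
  #   and are untrusted; the consumer should check each one against the bytes
  #   remaining in the record before reading.
  # - Content types other than 0x14, 0x15, 0x16 and 0x17 have no entry, so the
  #   consumer needs a defined fallthrough for unmatched records.
  proc init_ssl { } {
      set pmap(0) "record"
      set pmap(0_0) {"contenttype" 1 "tmap"}

      # --- Handshake records (content type 0x16) ---
      set pmap(0_0_0) "handshake contenttype=0x16"
      set pmap(0_0_0_0) {"protocol" 1 "tmap"}

      # ClientHello
      set pmap(0_0_0_0_0) "clienthello protocol=0x01"
      set pmap(0_0_0_0_0_0) {"length" 3 "dec"}
      set pmap(0_0_0_0_0_1) {"version" 2 "tmap"}
      set pmap(0_0_0_0_0_2) {"randomtime" 4 "time"}
      set pmap(0_0_0_0_0_3) {"randombytes" 28 "hex"}
      set pmap(0_0_0_0_0_4) {"sessionidlength" 1 "dec"}
      set pmap(0_0_0_0_0_5) {"sessionid" "sessionidlength" "hex"}
      set pmap(0_0_0_0_0_6) {"ciphersuiteslength" 2 "dec"}
      set pmap(0_0_0_0_0_7) {"ciphersuites" "ciphersuiteslength" "lmap" 2}
      set pmap(0_0_0_0_0_8) {"compressionmethodslength" 1 "dec"}
      set pmap(0_0_0_0_0_9) {"compressionmethods" "compressionmethodslength" "lmap" 1}
      set pmap(0_0_0_0_0_10) {"extensionslength" 2 "dec"}
      set pmap(0_0_0_0_0_11) {"extensions" "extensionslength" "hex"}
      set pmap(0_0_0_0_0_11_0) "extension"
      set pmap(0_0_0_0_0_11_0_0) {"extensiontype" 2 "tmap"}
      set pmap(0_0_0_0_0_11_0_1) {"extensionlength" 2 "dec"}
      set pmap(0_0_0_0_0_11_0_2) {"extensioncontent" "extensionlength" "dec"}

      # ServerHello
      set pmap(0_0_0_0_1) "serverhello protocol=0x02"
      set pmap(0_0_0_0_1_0) {"length" 3 "dec"}
      set pmap(0_0_0_0_1_1) {"version" 2 "tmap"}
      set pmap(0_0_0_0_1_2) {"randomtime" 4 "time"}
      set pmap(0_0_0_0_1_3) {"randombytes" 28 "hex"}
      set pmap(0_0_0_0_1_4) {"sessionidlength" 1 "dec"}
      set pmap(0_0_0_0_1_5) {"sessionid" "sessionidlength" "hex"}
      set pmap(0_0_0_0_1_6) {"ciphersuite" 2 "tmap"}
      set pmap(0_0_0_0_1_7) {"compressionmethod" 1 "tmap"}
      set pmap(0_0_0_0_1_8) {"extensionslength" 2 "dec"}
      set pmap(0_0_0_0_1_9) {"extensions" "extensionslength" "hex"}
      set pmap(0_0_0_0_1_9_0) "extension"
      set pmap(0_0_0_0_1_9_0_0) {"extensiontype" 2 "tmap"}
      set pmap(0_0_0_0_1_9_0_1) {"extensionlength" 2 "dec"}
      # Fixed: the closing parenthesis of the array index was missing, so this
      # entry was stored under a different variable name and never reached
      # the returned map.
      set pmap(0_0_0_0_1_9_0_2) {"extensioncontent" "extensionlength" "dec"}

      # Certificate
      # Fixed: "certificates" and "certificate" were both written to index
      # 0_0_0_0_2_0_1, so the first was overwritten, and the per-certificate
      # fields sat under 0_0_0_0_2_0_0, which had no parent entry. The subtree
      # now follows the extensions layout used above: length, list, item, item
      # fields.
      # NOTE(review): unlike the other handshake branches, this one has no
      # separate 3-byte message length ahead of the list length - confirm
      # against the consumer and the wire format.
      set pmap(0_0_0_0_2) "certificate protocol=0x0b"
      set pmap(0_0_0_0_2_0) {"certificateslength" 3 "dec"}
      set pmap(0_0_0_0_2_1) {"certificates" "certificateslength" "dec"}
      set pmap(0_0_0_0_2_1_0) "certificate"
      set pmap(0_0_0_0_2_1_0_0) {"certificatelength" 3 "dec"}
      set pmap(0_0_0_0_2_1_0_1) {"certificate" "certificatelength" "dec"}

      # Handshake messages without mapped fields.
      set pmap(0_0_0_0_3) "serverhellodone protocol=0x0e"
      set pmap(0_0_0_0_4) "hellorequest protocol=0x00"
      set pmap(0_0_0_0_5) "certificateverify protocol=0x0f"

      # ClientKeyExchange
      set pmap(0_0_0_0_6) "clientkeyexchange protocol=0x10"
      set pmap(0_0_0_0_6_0) {"ckedatalength" 3 "dec"}
      set pmap(0_0_0_0_6_1) {"premasterdatalength" 2 "dec"}
      set pmap(0_0_0_0_6_2) {"premasterdata" "premasterdatalength" "hex"}

      # CertificateRequest
      set pmap(0_0_0_0_7) "certificaterequest protocol=0x0d"
      set pmap(0_0_0_0_7_0) {"crlength" 3 "dec"}
      set pmap(0_0_0_0_7_1) {"crtypescountlength" 1 "dec"}
      set pmap(0_0_0_0_7_2) {"crcerttype" "crtypescountlength" "lmap" 1}
      set pmap(0_0_0_0_7_3) {"crsighashlength" 2 "dec"}
      set pmap(0_0_0_0_7_4) {"crsighash" "crsighashlength" "lmap" 2}
      set pmap(0_0_0_0_7_5) {"crdnnamelength" 2 "dec"}
      set pmap(0_0_0_0_7_6) {"crdnnames" "crdnnamelength" "hex"}

      # Wildcard branch for handshake messages that are already encrypted.
      set pmap(0_0_0_0_8) "encryptedhandshakemessage protocol=*"

      # --- Other record types ---
      set pmap(0_0_1) "changecipherspec contenttype=0x14"
      set pmap(0_0_1_0) {"ccsdata" 1 "hex"}
      set pmap(0_0_2) "applicationdata contenttype=0x17"
      set pmap(0_0_2_0) {"addata" "recordlength" "hex"}
      # Fixed: the TLS alert content type is 21 (0x15). The previous value,
      # 0x18, is the heartbeat content type, so real alerts went unmatched and
      # heartbeat records were labelled as alerts. Heartbeat has no entry here.
      set pmap(0_0_3) "alert contenttype=0x15"
      set pmap(0_0_3_0) {"alertdata" "recordlength" "hex"}

      # Remaining record header fields.
      set pmap(0_1) {"version" 2 "tmap"}
      set pmap(0_2) {"recordlength" 2 "dec"}

      call ProtocolProfilerTMAPs::tmap_define_ssl

      return [array get pmap]
  }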