sync with local CVS (too many things to list)

CHANGELOG

@@ -31,6 +31,7 @@ NG-0.7.0    ????????
    + autoupdate from website for passive databases
    + non root users can use ettercap to read from files
    + advanced ARP poisoning engine
+   + unoffensive mode (doesn't forward packets)
    + dissector enhancements in: 
       + POP (APOP and AUTH LOGIN support)
       + X11 (banner discovery)

Makefile.am

@@ -19,7 +19,7 @@ EXTRA_DIST = LICENSE \
              shtool \
              doc/*
 
-CLEANFILES = *.log *.out *.cache *.so ettercap etterlog
+CLEANFILES = *.log *.out *.cache *.so ettercap etterlog etterfilter
 
 dist-hook:
 	rm -rf `find $(distdir)/doc -name CVS`

TODO

@@ -27,11 +27,12 @@
 
 this is the unofficial and floating in time roadmap:
 
-   - escape string
+   - convert passive list to hostlist
 
 Sep 2003:
 
    + FILTERING ENGINE
+      - don't filter in unoffensive mode
       - use regexp for filtering
       - include all the protocols in the filter rule
          - protocols table
@@ -68,6 +69,7 @@ Oct 2003:
 
    + INJECTION 
       - it is done by the ui looking the sessions (locking them)
+      - don't inject in unoffensive mode
       - binder
 
    + DISSECTORS

configure.in

@@ -565,7 +565,12 @@ dnl ===============
 EC_MESSAGE(Writing output files)
 
 AC_OUTPUT(Makefile
-          man/Makefile man/ettercap.8 man/ettercap_plugins.8 man/etterlog.8 man/etter.conf.5
+          man/Makefile 
+          man/ettercap.8 
+          man/ettercap_plugins.8 
+          man/etterlog.8 
+          man/etterfilter.8 
+          man/etter.conf.5
           share/Makefile 
           src/Makefile 
           include/Makefile

include/ec_filter.h

@@ -38,12 +38,13 @@
 
 #define MAX_FILTER_LEN  200
 
-struct filter {
+struct filter_op {
    char opcode;
-      #define FOP_FUNC  0
+      #define FOP_EXIT  0
       #define FOP_TEST  1
-      #define FOP_JMP   2
-      #define FOP_DROP  3
+      #define FOP_FUNC  2
+      #define FOP_JMP   3
+      #define FOP_DROP  4
 
    struct function {
       char opcode;
@@ -54,18 +55,20 @@ struct filter {
       size_t value_len;
       char value2[MAX_FILTER_LEN];
       size_t value2_len;
-   };
+   } func;
 
-   struct compare {
+   struct operation {
       u_int16 offset;
       u_int32 value;
-   };
+   } op;
 
-   u_int16 goto_if_true;
-   u_int16 goto_if_false;
+   u_int16 jmp;
 
 };
 
+/* exported functions */
+
+extern int filter_engine(struct filter_op *fop, struct packet_object *po);
 
 #endif
 

include/ec_globals.h

@@ -32,6 +32,7 @@ struct ec_options {
    char compress:1;
    char quiet:1;
    char silent:1;
+   char unoffensive:1;
    char load_hosts:1;
    char save_hosts:1;
    char resolve:1;

include/ef.h

@@ -43,12 +43,14 @@
 
 
 struct globals {
+   char test:1;
+   char *source_file;
 };
 
 /* in el_main.c */
 extern struct globals gbls;
 
-#define GBL gbls
+#define GBL_OPTIONS gbls
 
 #define GBL_PROGRAM "etterfilter"
 

include/ef_functions.h

@@ -2,7 +2,15 @@
 #ifndef EF_FUNCTIONS_H
 #define EF_FUNCTIONS_H
 
+/* ef_parser */
+extern void parse_options(int argc, char **argv);
 
+/* ef_test */
+extern void test_filter(void);
+
+/* ef_syntax && ef_grammar */
+extern int yyerror(char *);                                                                         
+extern int yylex(void);
 
 #endif
 

man/Makefile.am

@@ -1,7 +1,7 @@
 
 include $(top_srcdir)/Makefile.am.common
 
-man_MANS = ettercap.8 etterlog.8 etter.conf.5
+man_MANS = ettercap.8 etterlog.8 etterfilter.8 etter.conf.5
 
 if PLUGINS
    man_MANS += ettercap_plugins.8

man/etter.conf.5.in

@@ -14,7 +14,7 @@
 .\"  along with this program; if not, write to the Free Software
 .\"  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 .\"
-.\"  $Id: etter.conf.5.in,v 1.7 2003/08/22 19:23:40 alor Exp $
+.\"  $Id: etter.conf.5.in,v 1.8 2003/08/28 19:55:20 alor Exp $
 .\"
 .de Sp
 .if n .sp
@@ -161,4 +161,5 @@ port1,port2,port3,...
 .I "ettercap(8)"
 .I "ettercap_plugin(8)"
 .I "etterlog(8)"
+.I "etterfilter(8)"
 .LP

man/ettercap.8.in

@@ -14,7 +14,7 @@
 .\"  along with this program; if not, write to the Free Software
 .\"  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 .\"
-.\"  $Id: ettercap.8.in,v 1.29 2003/08/21 15:47:13 alor Exp $
+.\"  $Id: ettercap.8.in,v 1.30 2003/08/28 19:55:20 alor Exp $
 .\"
 .de Sp
 .if n .sp
@@ -323,7 +323,7 @@ Use this <IFACE> instead of the default one.
 Use this <NETMSK> instead of the one associated with the current iface.
 
 .TP
-\fB\-R\fR, \fB\-\-reverse\fR
+\fB\-R\fR, \fB\-\-reversed\fR
 Reverse the matching in the TARGET selection. It means not(TARGET). All but the
 selected TARGET.
 
@@ -344,6 +344,17 @@ NOTE: you will not have the hosts list, so you can't use the multipoison feature
 you can only select two hosts for an ARP poisoning attack, specifying them
 through the TARGETs
 
+.TP
+\fB\-u\fR, \fB\-\-unoffensive\fR
+Every time ettercap starts, it disable ip forwarding in the kernel and begin to
+forward packets it self. This options prevent to do that, so the resposibility
+of ip forwarding is left to the kernel.
+.br
+This options is useful if you want to run multiple ettercap istances. You will
+have one istance (the one without the -u option) forwarding the packets, and
+all the other istances doing their work without forwarding them. Else you will
+get packet duplicates.
+
 .TP
 \fB\-j\fR, \fB\-\-load-hosts <FILENAME>\fR
 It can be used to load an hosts list from a file created by the -k option. (see below)
@@ -589,6 +600,7 @@ Marco Valleri (NaGA) <crwm@freemail.it>
 .I "etter.conf(5)"
 .I "ettercap_plugin(8)"
 .I "etterlog(8)"
+.I "etterfilter(8)"
 .LP
 
 

man/etterfilter.8.in

@@ -0,0 +1,76 @@
+.\"  etterlog -- log analyzer for ettercap log files
+.\"
+.\"  This program is free software; you can redistribute it and/or modify
+.\"  it under the terms of the GNU General Public License as published by
+.\"  the Free Software Foundation; either version 2 of the License, or
+.\"  (at your option) any later version.
+.\"
+.\"  This program is distributed in the hope that it will be useful,
+.\"  but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\"  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+.\"  GNU General Public License for more details.
+.\"
+.\"  You should have received a copy of the GNU General Public License
+.\"  along with this program; if not, write to the Free Software
+.\"  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+.\"
+.\"  $Id: etterfilter.8.in,v 1.1 2003/08/28 19:55:20 alor Exp $
+.\"
+.de Sp
+.if n .sp
+.if t .sp 0.4
+..
+.TH ETTERFILTER "8" "" "ettercap @VERSION@"
+.SH NAME
+.B etterfilter @VERSION@ \- Filter compiler for ettercap content filtering
+engine
+
+.SH SYNOPSIS
+.B etterfilter
+[\fIOPTIONS\fR] \fIFILE\fR
+
+
+.SH DESCRIPTION
+
+.TP
+.B GENERAL OPTIONS
+.TP
+                           
+
+.TP
+.B STANDARD OPTIONS
+.TP
+\fB\-v\fR, \fB\-\-version\fR
+Print the version and exit.
+
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+prints the help screen with a short summary of the available options.
+
+
+
+.SH EXAMPLES
+Here are some examples of using etterfilter.
+.TP
+.B etterfilter filter.ecf -o filter.ef
+.Sp
+Compiles the source filter.ecf into a binary filter.ef
+
+
+
+.SH AUTHORS
+Alberto Ornaghi (ALoR) <alor@users.sourceforge.net>
+.br
+Marco Valleri (NaGA) <crwm@freemail.it>
+
+
+
+.SH "SEE ALSO"
+.I "ettercap(8)"
+.I "etterlog(8)"
+.I "etter.conf(5)"
+.I "ettercap_plugin(8)"
+.LP
+
+
+

man/etterlog.8.in

@@ -14,7 +14,7 @@
 .\"  along with this program; if not, write to the Free Software
 .\"  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 .\"
-.\"  $Id: etterlog.8.in,v 1.12 2003/07/15 20:28:00 alor Exp $
+.\"  $Id: etterlog.8.in,v 1.13 2003/08/28 19:55:20 alor Exp $
 .\"
 .de Sp
 .if n .sp
@@ -317,6 +317,7 @@ Marco Valleri (NaGA) <crwm@freemail.it>
 
 .SH "SEE ALSO"
 .I "ettercap(8)"
+.I "etterfilter(8)"
 .I "etter.conf(5)"
 .I "ettercap_plugin(8)"
 .LP

share/etter.filter.ssh

@@ -1,9 +1,8 @@
 ############################################################################
 #                                                                          #
-#  ettercap -- etter.filter -- filter chain file                           #
+#  ettercap -- etter.filter -- filter source file                          #
 #                                                                          #
-#  Copyright (C) 2001  ALoR <alor@users.sourceforge.net>                   #
-#                      NaGA <crwm@freemail.it>                             #
+#  Copyright (C) 2001-2003  ALoR & NaGA                                    #
 #                                                                          #
 #  This program is free software; you can redistribute it and/or modify    #
 #  it under the terms of the GNU General Public License as published by    #
@@ -17,39 +16,25 @@
 #   This filter will substitute the SSH server response from SSH-1.99 to
 #   SSH-1.51, so if the server supports both ssh1 and ssh2 we will force
 #   it to use ssh1... ;)
-#   server response :    SSH-1.99    both ssh1 and ssh2 supported
-#                        SSH-1.51    only ssh1 supported
+#   server response :    SSH-2.00   only ssh2 supported
+#                        SSH-1.99   both ssh1 and ssh2 supported
+#                        SSH-1.51   only ssh1 supported
 ##
 
-##############################
-#### FILTER ON SOURCE IP #####
-##############################
+if (L4.proto == TCP) {
+   if (L4.tcp.port == 22) {
+      if ( replace(DATA.data, "SSH-1.99", "SSH-1.51") ) {
+         msg("SSH downgraded from version 2 to 1");
+      } else {
+         if ( search(DATA.data, "SSH-2.00") ) {
+            msg("Server support only SSH version 2");
+         } else {
+            if ( search(DATA.data, "SSH-1.51") ) {
+               msg("Server already support only version 1");
+            }
+         }
+      }
+   }
+}
 
-<filter source>
-   <id>0</id>
-   <proto>T</proto>
-   <source>22</source>
-   <dest>0</dest>
-   <search>1.99</search>
-   <action>R</action>
-   <replace>1.51</replace>
-   <goto></goto>
-   <elsegoto></elsegoto>
-</filter source>
-
-############################
-#### FILTER ON DEST IP #####
-############################
-
-<filter dest>
-   <id>0</id>
-   <proto>T</proto>
-   <source>0</source>
-   <dest>22</dest>
-   <search>1.99</search>
-   <action>R</action>
-   <replace>1.51</replace>
-   <goto></goto>
-   <elsegoto></elsegoto>
-</filter dest>
 

share/etter.finger.os

@@ -11,8 +11,8 @@
 #                                                                          #
 ############################################################################
 #                                                                          #
-#  Version         : $Revision: 1.6 $                                      # 
-#  Last updated on : $Date: 2003/07/11 16:50:24 $                          #
+#  Version         : $Revision: 1.7 $                                      # 
+#  Last updated on : $Date: 2003/08/28 19:55:20 $                          #
 #  Total entries   : 1280                                                  #
 #                                                                          #
 ############################################################################
@@ -102,6 +102,7 @@
 0400:05B4:40:00:0:1:0:1:S:3C:Windows 44
 0400:05B4:40:WS:0:0:0:0:A:2C:FORE ES-2810 Switch
 0400:05B4:FF:WS:0:0:0:0:A:2C:3Com 812 ADSL ROUTER
+0400:05C8:20:WS:0:0:0:0:A:2C:Nortel BayStack Access Node
 0400:0901:40:10:0:1:0:1:S:3C:Mac OS X 102.4
 0400:_MSS:40:WS:0:0:0:0:S:28:Linux 2.4.18
 0400:_MSS:80:00:0:1:0:0:A:LT:Bay Networks BLN-2 Network Router or ASN Processor rev 9