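##############################################################################
#                                                                            #
# idabenchias is public domain software and may be freely used and           #
# distributed with or without modification.                                  #
#                                                                            #
# See file "idabenchias.terms" for DISCLAIMER OF ALL WARRANTIES.             #
#                                                                            #
##############################################################################

# Title shown for this plugin on the idabench form.
$heading = "Use p0f to identify operating systems";

# No arguments.
# Returns the list of form-field specifications (name => {...} pairs) that
# make up this plugin's input form, in display order.  choose_tcpdump() and
# choose_time() are provided by the framework, the others are defined here.
sub build_form_table {
    return (
        choose_site(),
        choose_lines(),
        choose_tcpdump(),
        choose_time(),
        choose_p0f_mods(),
    );
}

# No arguments.
# Returns the command string the framework runs for this search
# (see build_p0fcmd).
sub build_search_command {
    return build_p0fcmd();
}

# No arguments.
# Perform plugin-specific data validation, and add to $aborted if errors found.
# All general validity checks will have been performed before this is called.
# This plugin has no checks of its own.
sub plugin_validation {
    return;
}

# Transform one line of the search command's output in place to make it
# suitable for display.
# NOTE(review): the original header says "one argument", but the code works
# on $_ rather than $_[0]; callers presumably set $_ before calling -- confirm.
# Lines that start with optional whitespace and "+" keep their trailing
# newline; every other line is chomped.
sub transform_plugin_line {
    chomp unless m/^\s*\+/;
}

# No arguments.
# Returns a list of html (CGI.pm h1/p fragments) to introduce the results.
# Every value interpolated into the markup goes through escapeHTML, not only
# the pattern, so a stray "<" or "&" in a sensor label, lookup setting or
# date cannot become markup.  escapeHTML leaves plain text unchanged, so
# values that were already validated upstream display exactly as before.
sub answer_heading {
    my $escpattern = escapeHTML($pattern);
    my $esclabel   = escapeHTML( $param_info{site}{labels}{$site} );
    my $esclookup  = escapeHTML($nslookup);
    my ( $escbdate, $escedate ) = map { escapeHTML($_) } ( $bdate, $edate );
    return (
        h1("Your answers: "),
        p(" Sensor: $esclabel -- Host lookup: $esclookup"),
        p(" Dates: $escbdate - $escedate ----- Pattern: $escpattern"),
    );
}

#
# No arguments.
# Build and return the string needed to run p0f.
# If the p0f binary is not executable, set $pattern_error and return the
# empty string.  (The syntax-check run of p0f is currently disabled; see
# the commented-out system() call in build_p0fcmd.)
# Currently this has the side effect of setting the global
# $pattern, but a way should be found to eliminate this.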
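#
sub build_p0fcmd {
    # Global side effect kept on purpose: answer_heading() reads $pattern.
    our $pattern = bpf_pat_build();

    # The returned string is a shell command line, so the pattern must be a
    # single-quoted argument with any embedded single quote escaped using the
    # '\'' idiom (close quote, literal quote, reopen).  A bare "'$pattern'"
    # would let a quote inside the pattern end the argument early and hand the
    # remainder to the shell.  Patterns without quotes are unchanged.
    my $shell_safe = $pattern;
    $shell_safe =~ s/'/'\\''/g;
    my $quotepattern = "'$shell_safe'";

    # Timestamping is disabled (see choose_p0f_mods); the flag stays empty.
    my $tstp = '';
    # $tstp = "t" if ($timestamps eq "yes");

    # Initialise every flag to '' so the final join never sees undef.
    my ( $ksigs, $usigs, $mode ) = ( '', '', '' );
    for my $val ( param('known') ) {
        $ksigs = "K" if $val eq "known";
        $usigs = "U" if $val eq "unknown";
    }
    for my $val ( param('mode') ) {
        $mode = "A" if $val eq "SYNACK";
        $mode = "R" if $val eq "RST";
    }

    # These were package globals in the original; they stay globals so any
    # other reader keeps working, but are reset on every call so a flag set
    # by an earlier request in a persistent interpreter cannot leak into
    # this one.  $fuzzy, $ascii, $hexa, $single, $resolve and $limited are
    # the form values, set by the framework before this is called.
    our ( $fuzz, $asc, $hex, $sing, $res, $lim ) = ('') x 6;
    $fuzz = "F" if $fuzzy;
    $asc  = "X" if $ascii;
    $hex  = "x" if $hexa;
    $sing = "l" if $single;
    $res  = "r" if $resolve;
    $lim  = "N" if $limited;

    unless ( -x "$P0F_PLGBIN" ) {
        $pattern_error = qq(Plugin error. p0f not found. Please install p0f to access this capability.);
        return "";
    }

    # We can't always depend upon a retval of "0" when reading from
    # pcaptestfile. (I think p0f version 2.0.3 takes care of this)
    # Leave this commented unless p0f >=2.0.3.  Note the list-form system()
    # here, which passes the pattern as a single argument and bypasses the
    # shell entirely.
    # $pattern_error = "Pattern input error:\n\n\t$pattern\n"
    #     if ( system $P0F_PLGBIN, "-${ksigs}${usigs}${mode}${tstp}qs", $PCAPTESTF, $pattern );

    my $flags = join '',
        $ksigs, $usigs, $mode, $fuzz, $asc, $hex, $sing, $res, $lim, $tstp;
    return "$P0F_PLGBIN -${flags}qs - $quotepattern";
}

#
# Additional p0f options offered on the form.  Each key is a form parameter
# name read back by build_p0fcmd (known, mode) or by the framework into the
# like-named global ($fuzzy, $ascii, ...).
#
sub choose_p0f_mods {
    return (
        # Timestamping is broken in p0f readback mode. Leave this commented
        # until Michael or Bill (or you!) fix it.
        # timestamps => {
        #     new           => "block",
        #     param_label   => "Include timestamps in output?",
        #     maxlen        => "3",
        #     param_type    => "radio",
        #     values        => [ "no", "yes" ],
        #     default_value => "yes",
        # },
        known => {
            new         => "line",
            param_label => "Hide packets whose signatures are:",
            maxlen      => "7",
            param_type  => "checkbox",
            values      => [ "known", "unknown" ],
        },
        mode => {
            new           => "line",
            param_label   => "Match on what kind of packets?",
            maxlen        => "6",
            param_type    => "radio",
            values        => [ "SYN", "SYNACK", "RST" ],
            default_value => "SYN",
        },
        fuzzy => {
            new         => "line",
            param_label => "Fuzzy TTL matching",
            param_type  => "checkbox",
            values      => [ " " ],
            maxlen      => "1",
        },
        ascii => {
            spacing     => "3",
            param_label => "Display payload, if any",
            param_type  => "checkbox",
            values      => [ " " ],
            maxlen      => "1",
        },
        hexa => {
            new         => "line",
            param_label => "Hexadecimal packet dump",
            param_type  => "checkbox",
            values      => [ " " ],
            maxlen      => "1",
        },
        single => {
            spacing     => "3",
            param_label => "Single line output (recommended)",
            param_type  => "checkbox",
            values      => [ " " ],
            # NOTE(review): key is "default_values" (plural) here, unlike
            # "default_value" on the radio/popup entries -- confirm against
            # the form builder that this is the checkbox spelling.
            default_values => " ",
            maxlen      => "1",
        },
        resolve => {
            new         => "line",
            param_label => "Resolve IP addresses to names",
            param_type  => "checkbox",
            values      => [ " " ],
            maxlen      => "1",
        },
        limited => {
            spacing     => "3",
            param_label => "Limit output to address and OS",
            param_type  => "checkbox",
            values      => [ " " ],
            maxlen      => "1",
        },
    );
}

# No arguments.
# Returns the sensor-selection popup.  Values, labels, colour and default
# come from the framework globals @SiteFormVals, %SiteValueName, $topframe
# and $SHADOW_SITE_DEFAULT.
sub choose_site {
    return (
        site => {
            new           => "block",
            bgcolor       => $topframe,
            param_label   => "Which Sensor: ",
            maxlen        => "50",
            param_type    => "popup",
            values        => \@SiteFormVals,
            labels        => \%SiteValueName,
            default_value => $SHADOW_SITE_DEFAULT,
        },
    );
}

# No arguments.
# Returns the numeric "maximum output lines" field (0 .. 3000000,
# default 10000).
sub choose_lines {
    return (
        max_lines => {
            spacing       => "3",
            param_label   => "Max output lines: ",
            maxlen        => "7",
            param_type    => "number",
            field_size    => "6",
            min_value     => "0",
            max_value     => "3000000",
            default_value => "10000",
        },
    );
}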