dap 0.0.1 → 0.0.2

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 4c2529f239c66a0e6c098ec4d920f32385c2051e
+  data.tar.gz: 9ab89eec2980e1ed96004cf2399706590d86f414
+SHA512:
+  metadata.gz: 3e5587663578778dde872b500540665fbee3318e388a39e298cc5c01c31548a58d06464b6dea4f70ca4b74b58d1318f51e87c23f4ad20e680c9c30db36b2b67c
+  data.tar.gz: 46da39ede0b3f7966ec91cae4e50afb52e5de86a86431c725e9e3661ba20bf1b1d0576f24f2623412451e78987f441ad9e3cfc8953c2cfb6ff84bcc0fba36ec1

data/.travis.yml

@@ -0,0 +1,8 @@
+language: ruby
+rvm:
+  - 2.0.0
+  - 1.9.3
+before_install:
+  - sudo apt-get update -qq
+  - sudo apt-get install -y libgeoip-dev libgeoip1
+script: bundle exec rspec spec

data/Gemfile

@@ -9,7 +9,7 @@ gem 'geoip-c'
 gem 'recog'
 
 group :test do
-  gem 'rspec', '~> 2.14.1'
-  gem 'cucumber', '~> 1.3.8'
-  gem 'aruba', '~> 0.5.3'
+  gem 'rspec', '~> 3.1.0'
+  gem 'cucumber', '~> 1.3.16'
+  gem 'aruba', '~> 0.6.1'
 end

data/Gemfile.lock

@@ -1,7 +1,7 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    aruba (0.5.4)
+    aruba (0.6.1)
       childprocess (>= 0.3.6)
       cucumber (>= 1.1.1)
       rspec-expectations (>= 2.7.0)
@@ -9,7 +9,7 @@ GEM
     builder (3.2.2)
     childprocess (0.5.3)
       ffi (~> 1.0, >= 1.0.11)
-    cucumber (1.3.15)
+    cucumber (1.3.16)
       builder (>= 2.1.2)
       diff-lcs (>= 1.1.3)
       gherkin (~> 2.12)
@@ -20,36 +20,40 @@ GEM
     geoip-c (0.9.1)
     gherkin (2.12.2)
       multi_json (~> 1.3)
-    htmlentities (4.3.1)
+    htmlentities (4.3.2)
     mini_portile (0.6.0)
-    multi_json (1.10.0)
+    multi_json (1.10.1)
     multi_test (0.1.1)
     net-dns (0.8.0)
-    nokogiri (1.6.2.1)
+    nokogiri (1.6.3.1)
       mini_portile (= 0.6.0)
-    oj (2.9.0)
-    recog (0.01)
+    oj (2.10.2)
+    recog (0.02)
       nokogiri
-    rspec (2.14.1)
-      rspec-core (~> 2.14.0)
-      rspec-expectations (~> 2.14.0)
-      rspec-mocks (~> 2.14.0)
-    rspec-core (2.14.8)
-    rspec-expectations (2.14.5)
-      diff-lcs (>= 1.1.3, < 2.0)
-    rspec-mocks (2.14.6)
+    rspec (3.1.0)
+      rspec-core (~> 3.1.0)
+      rspec-expectations (~> 3.1.0)
+      rspec-mocks (~> 3.1.0)
+    rspec-core (3.1.1)
+      rspec-support (~> 3.1.0)
+    rspec-expectations (3.1.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.1.0)
+    rspec-mocks (3.1.0)
+      rspec-support (~> 3.1.0)
+    rspec-support (3.1.0)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  aruba (~> 0.5.3)
+  aruba (~> 0.6.1)
   bit-struct
-  cucumber (~> 1.3.8)
+  cucumber (~> 1.3.16)
   geoip-c
   htmlentities
   net-dns
   nokogiri
   oj
   recog
-  rspec (~> 2.14.1)
+  rspec (~> 3.1.0)

data/README.md

@@ -12,4 +12,27 @@ DAP depends on GeoIP (http://dev.maxmind.com/geoip/legacy/downloadable/) to be a
 
 ## Usage
 
-See [tree/master/samples](/tree/master/samples)
+See [Samples](https://github.com/rapid7/dap/tree/master/samples)
+
+### Quick Setup for GeoIP Lookups
+
+```
+$ git clone https://github.com/rapid7/dap.git
+$ cd dap
+$ gem install bundler
+$ bundle install
+$ sudo bash
+# mkdir -p /var/lib/geoip && cd /var/lib/geoip && wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz && gunzip GeoLiteCity.dat.gz && mv GeoLiteCity.dat geoip.dat
+```
+
+```
+$  echo 8.8.8.8 | bin/dap + lines + geo_ip line + json
+{"line":"8.8.8.8","line.country_code":"US","line.country_code3":"USA","line.country_name":"United States","line.latitude":"38.0","line.longitude":"-97.0"}
+```
+
+Where dap gets fun is doing transforms, like just grabbing the country code:
+```
+$  echo 8.8.8.8 | bin/dap + lines + geo_ip line + select line.country_code3 + lines
+USA
+```
+

data/Rakefile

@@ -0,0 +1,22 @@
+require "bundler/gem_tasks"
+
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new do |t|
+    t.pattern = "spec/**/*_spec.rb"
+end
+
+require 'yard'
+require 'yard/rake/yardoc_task'
+YARD::Rake::YardocTask.new do |t|
+    t.files = ['lib/**/*.rb', '-', 'README.md']
+end
+
+require 'cucumber'
+require 'cucumber/rake/task'
+
+Cucumber::Rake::Task.new(:features) do |t|
+    t.cucumber_opts = "features --format pretty"
+end
+
+task :default => [ :spec, :features, :yard ]
+

data/data/vulndb.rb

@@ -0,0 +1,83 @@
+
+# Searches contains each of the services, within each service it contains
+# a hash key that will be compared against each of the items in the
+# regex hash, and if a hit is returned the value from the regex is inserted
+# into the hash with the output_key as the key.
+#
+SEARCHES = {
+    :upnp => [{
+      :hash_key   => 'data.upnp_server',
+      :output_key => 'vulnerability',
+      :regex      => {
+        /MiniUPnPd\/1\.0([\.\,\-\~\s]|$)/mi     => ['CVE-2013-0229'],
+        /MiniUPnPd\/1\.[0-3]([\.\,\-\~\s]|$)/mi => ['CVE-2013-0230'],
+        /Intel SDK for UPnP devices.*|Portable SDK for UPnP devices(\/?\s*$|\/1\.([0-5]\..*|8\.0.*|(6\.[0-9]|6\.1[0-7])([\.\,\-\~\s]|$)))/mi => ['CVE-2012-5958', 'CVE-2012-5959']
+      }
+    }],
+
+    :ipmi => [{
+        :hash_key   => 'data.ipmi_compat_password',
+        :output_key => 'vulnerability',
+        :regex      => {
+            /1/ => ['IPMI-STRAIGHT-PASS'],
+        }
+    },{
+        :hash_key   => 'data.ipmi_compat_md2',
+        :output_key => 'vulnerability',
+        :regex      => {
+            /1/ => ['IPMI-MD2'],
+        }
+    },{
+        :hash_key   => 'data.ipmi_compat_none',
+        :output_key => 'vulnerability',
+        :regex      => {
+            /1/ => ['IPMI-NOAUTH'],
+        }
+    },{
+        :hash_key   => 'data.ipmi_user_disable_message_auth',
+        :output_key => 'vulnerability',
+        :regex      => {
+            /1/ => ['IPMI-PERMSG'],
+        }
+    },{
+        :hash_key   => 'data.ipmi_user_disable_user_auth',
+        :output_key => 'vulnerability',
+        :regex      => {
+            /1/ => ['IPMI-USRLVL'],
+        }
+    }],
+
+    :mssql => [{
+        :hash_key   => 'data.version.name',
+        :output_key => 'vulnerability',
+        :cvemap     => {
+            #['', ''] => ['CVE-2007-5090'],
+            ['2000', '-'] => ['CVE-2003-0230', 'CVE-2003-0231', 'CVE-2003-0232', 'CVE-2008-4110', 'CVE-2008-5416'],
+            #['2000', '""'] => ['CVE-2003-0230', 'CVE-2003-0231', 'CVE-2003-0232'],
+            ['2000', 'sp1'] => ['CVE-2003-0230', 'CVE-2003-0231', 'CVE-2003-0232'],
+            ['2000', 'sp2'] => ['CVE-2003-0230', 'CVE-2003-0231', 'CVE-2003-0232'],
+            ['2000', 'sp3'] => ['CVE-2003-0230', 'CVE-2003-0231', 'CVE-2003-0232'],
+            ['2000', 'sp3a'] => ['CVE-2003-0230', 'CVE-2003-0231', 'CVE-2003-0232'],
+            ['2000', 'sp4'] => ['CVE-2008-0085', 'CVE-2008-0086', 'CVE-2008-0106', 'CVE-2008-0107', 'CVE-2012-0158', 'CVE-2012-1856'],
+            ['2005', '-'] => ['CVE-2008-5416'],
+            ['2005', 'sp1'] => ['CVE-2008-0085', 'CVE-2008-0107'],
+            ['2005', 'sp2'] => ['CVE-2007-4814', 'CVE-2007-5348', 'CVE-2008-0085', 'CVE-2008-0086', 'CVE-2008-0106', 'CVE-2008-0107', 'CVE-2008-3012', 'CVE-2008-3013', 'CVE-2008-3014', 'CVE-2008-3015', 'CVE-2009-2500', 'CVE-2009-2501', 'CVE-2009-2502', 'CVE-2009-2503', 'CVE-2009-2504', 'CVE-2009-2518', 'CVE-2009-2528', 'CVE-2009-3126'],
+            ['2005', 'sp3'] => ['CVE-2009-2500', 'CVE-2009-2501', 'CVE-2009-2502', 'CVE-2009-2503', 'CVE-2009-2504', 'CVE-2009-2518', 'CVE-2009-2528', 'CVE-2009-3126', 'CVE-2011-1280'],
+            ['2005', 'sp4'] => ['CVE-2011-1280', 'CVE-2012-0158', 'CVE-2012-1856', 'CVE-2012-2552'],
+            ['2008', 'r2'] => ['CVE-2011-1280', 'CVE-2012-0158', 'CVE-2012-1856'],
+            ['2008', 'r2 sp1'] => ['CVE-2012-1856', 'CVE-2012-2552'],
+            ['2008', 'r2 sp2'] => ['CVE-2012-1856', 'CVE-2014-4061'],
+            ['2008', 'sp1'] => ['CVE-2011-1280'],
+            ['2008', 'sp2'] => ['CVE-2011-1280', 'CVE-2012-0158', 'CVE-2012-1856', 'CVE-2012-2552'],
+            ['2008', 'sp3'] => ['CVE-2012-0158', 'CVE-2012-1856', 'CVE-2012-2552', 'CVE-2014-4061'],
+            ['2012', '-'] => ['CVE-2012-2552'],
+            ['2012', 'sp1'] => ['CVE-2014-1820', 'CVE-2014-4061'],
+            ['2014', '-'] => ['CVE-2014-1820'],
+            ['7.0', '-'] => ['CVE-2003-0230', 'CVE-2003-0231', 'CVE-2003-0232', 'CVE-2004-1560'],
+            ['7.0', 'sp1'] => ['CVE-2003-0230', 'CVE-2003-0231', 'CVE-2003-0232', 'CVE-2004-1560'],
+            ['7.0', 'sp2'] => ['CVE-2003-0230', 'CVE-2003-0231', 'CVE-2003-0232', 'CVE-2004-1560'],
+            ['7.0', 'sp3'] => ['CVE-2003-0230', 'CVE-2003-0231', 'CVE-2003-0232', 'CVE-2004-1560'],
+            ['7.0', 'sp4'] => ['CVE-2003-0230', 'CVE-2003-0231', 'CVE-2003-0232', 'CVE-2004-1560', 'CVE-2008-0085', 'CVE-2008-0086', 'CVE-2008-0106', 'CVE-2008-0107'],
+        }
+    }],
+}

data/lib/dap/filter.rb

@@ -5,4 +5,5 @@ require 'dap/filter/udp'
 require 'dap/filter/openssl'
 require 'dap/filter/names'
 require 'dap/filter/geoip'
-require 'dap/filter/recog'
+require 'dap/filter/recog'
+require 'dap/filter/vulnmatch'

data/lib/dap/filter/http.rb

@@ -113,6 +113,7 @@ class FilterDecodeHTTPReply
 
     save["http_code"] = $1.to_i
     save["http_message"] = $2.strip
+    save["http_raw_headers"] = {}
 
     clen = nil
 
@@ -149,6 +150,9 @@ class FilterDecodeHTTPReply
       when /^Content-Length:\s*(.*)/i
         clen = $1.strip.to_i
 
+      when /^([A-Za-z0-9\-]+):\s*(.*)/i
+        save["http_raw_headers"][$1.downcase.strip] = $2.strip
+
       when ""
         break
       end

data/lib/dap/filter/simple.rb

@@ -232,7 +232,7 @@ class FilterSplitComma
     lines = [ ]
     self.opts.each_pair do |k,v|
       if doc.has_key?(k)
-        doc[k].to_s.split(/m/).each do |line|
+        doc[k].to_s.split(/,/).each do |line|
           lines << doc.merge({ "#{k}.word" => line })
         end
       end
@@ -336,5 +336,29 @@ class FilterFieldSplitArray
   end
 end
 
+class FilterFieldArrayJoinComma
+  include Base
+  def process(doc)
+    self.opts.each_pair do |k,v|
+      if doc.has_key?(v) and doc[v].respond_to?(:each)
+        doc[k] = doc[v].join(",")
+      end
+    end
+   [ doc ]
+  end
+end
+
+class FilterFieldArrayJoinWhitespace
+  include Base
+  def process(doc)
+    self.opts.each_pair do |k,v|
+      if doc.has_key?(v) and doc[v].respond_to?(:each)
+        doc[k] = doc[v].join(" ")
+      end
+    end
+   [ doc ]
+  end
+end
+
 end
 end

data/lib/dap/filter/udp.rb

@@ -10,6 +10,7 @@ require 'dap/proto/dtls'
 require 'dap/proto/natpmp'
 require 'dap/proto/wdbrpc'
 require 'dap/proto/ipmi'
+require 'dap/proto/mssql'
 require 'dap/utils/oui'
 
 #
@@ -26,8 +27,9 @@ class FilterDecodeMDNSSrvReply
       svcs = r.answer.map {|x| (x.value.to_s) }
       svcs.delete('')
       return if not (svcs and svcs.length > 0)
-      return { "mdns_services" => svc.join(" ") }
+      return { "mdns_services" => svcs }
     rescue ::Exception
+      { }
     end
     nil
   end
@@ -75,26 +77,42 @@ end
 class FilterDecodeWDBRPC_Reply
   include BaseDecoder
   def decode(data)
+    buff = data.dup
+
     info = {}
     head = buff.slice!(0,36)
-    info['agent_ver'] = wdbrpc_decode_str(buff)
-    info['agent_mtu'] = wdbrpc_decode_int(buff)
-    info['agent_mod'] = wdbrpc_decode_int(buff)
-    info['rt_type']          = wdbrpc_decode_int(buff)
-    info['rt_vers']          = wdbrpc_decode_str(buff)
-    info['rt_cpu_type']      = wdbrpc_decode_int(buff)
-    info['rt_has_fpp']       = wdbrpc_decode_bool(buff)
-    info['rt_has_wp']        = wdbrpc_decode_bool(buff)
-    info['rt_page_size']     = wdbrpc_decode_int(buff)
-    info['rt_endian']        = wdbrpc_decode_int(buff)
-    info['rt_bsp_name']      = wdbrpc_decode_str(buff)
-    info['rt_bootline']      = wdbrpc_decode_str(buff)
-    info['rt_membase']       = wdbrpc_decode_int(buff)
-    info['rt_memsize']       = wdbrpc_decode_int(buff)
-    info['rt_region_count']  = wdbrpc_decode_int(buff)
-    info['rt_regions']       = wdbrpc_decode_arr(buff, :int)
-    info['rt_hostpool_base'] = wdbrpc_decode_int(buff)
-    info['rt_hostpool_size'] = wdbrpc_decode_int(buff)
+    return info unless head.to_s.length == 36
+    return unless buff.length > 0
+    info['agent_ver'] = Dap::Proto::WDBRPC.wdbrpc_decode_str(buff)
+    info['agent_mtu'] = Dap::Proto::WDBRPC.wdbrpc_decode_int(buff)
+    info['agent_mod'] = Dap::Proto::WDBRPC.wdbrpc_decode_int(buff)
+    info['rt_type']          = Dap::Proto::WDBRPC.wdbrpc_decode_int(buff)
+    info['rt_vers']          = Dap::Proto::WDBRPC.wdbrpc_decode_str(buff)
+    info['rt_cpu_type']      = Dap::Proto::WDBRPC.wdbrpc_decode_int(buff)
+    info['rt_has_fpp']       = Dap::Proto::WDBRPC.wdbrpc_decode_bool(buff)
+    info['rt_has_wp']        = Dap::Proto::WDBRPC.wdbrpc_decode_bool(buff)
+    info['rt_page_size']     = Dap::Proto::WDBRPC.wdbrpc_decode_int(buff)
+    info['rt_endian']        = Dap::Proto::WDBRPC.wdbrpc_decode_int(buff)
+    info['rt_bsp_name']      = Dap::Proto::WDBRPC.wdbrpc_decode_str(buff)
+    info['rt_bootline']      = Dap::Proto::WDBRPC.wdbrpc_decode_str(buff)
+    info['rt_membase']       = Dap::Proto::WDBRPC.wdbrpc_decode_int(buff)
+    info['rt_memsize']       = Dap::Proto::WDBRPC.wdbrpc_decode_int(buff)
+    info['rt_region_count']  = Dap::Proto::WDBRPC.wdbrpc_decode_int(buff)
+    info['rt_regions']       = Dap::Proto::WDBRPC.wdbrpc_decode_arr(buff, :int)
+    info['rt_hostpool_base'] = Dap::Proto::WDBRPC.wdbrpc_decode_int(buff)
+    info['rt_hostpool_size'] = Dap::Proto::WDBRPC.wdbrpc_decode_int(buff)
+
+    if info['rt_regions']
+      info['rt_regions'] = info['rt_regions'].map{|x| x.to_s}.join(" ")
+    end
+
+    nulls = []
+    info.each_pair do |k,v|
+      nulls << k if v.nil?
+    end
+
+    nulls.each {|k| info.delete(k) }
+
     info
   end
 end
@@ -247,6 +265,16 @@ class FilterDecodeMSSQLReply
     data.scan(/([A-Za-z0-9 \.\-_]+?);(.+?);/).each do | var, val|
       info["mssql.#{var.encode!( 'UTF-8', invalid: :replace, undef: :replace, replace: '' )}"] = val.encode!( 'UTF-8', invalid: :replace, undef: :replace, replace: '' )
     end
+
+    info
+  end
+end
+
+class FilterDecodeMSSQLVersion
+  include BaseDecoder
+  def decode(data)
+    info = {}
+    info["name"] = Dap::Proto::MSSQL::version_num_to_name(data)
     info
   end
 end
@@ -258,9 +286,9 @@ class FilterDecodeSIPOptionsReply
   include BaseDecoder
   def decode(data)
     info = {}
-    
+
     return info unless (data and data.length > 0)
-    
+
     head,body = data.to_s.split(/\r?\n\r?\n/, 2)
 
     head.split(/\r?\n/).each do |line|
@@ -305,6 +333,105 @@ class FilterDecodeDTLS
   end
 end
 
+#
+# Decode a BACnet Read Property Multiple reply
+#
+class FilterDecodeBacnetRPMReply
+  include BaseDecoder
+  TAG_TYPE_LENGTHS = {
+    2 => 2,
+    10 => 4,
+    11 => 4,
+  }
+  def decode(sdata)
+    info = {}
+    return if sdata.length < 9
+
+    data = sdata.dup
+
+    bacnet_vlc_type, bacnet_vlc_function, bacnet_vlc_length = data.slice!(0,4).unpack("CCn")
+    # if this isn't a BACnet/IP (0x81) original unicast NPDU (0x0a), abort
+    if bacnet_vlc_type != 0x81 || bacnet_vlc_function != 0x0a
+      return info
+    else
+      info['bacnet_vlc_type'] = bacnet_vlc_type
+      info['bacnet_vlc_function'] = bacnet_vlc_function
+      info['bacnet_vlc_length'] = bacnet_vlc_length
+    end
+
+    # we only know how to decode version 1, so abort if it is anything else
+    # but store the version in the event that we want to parse these later
+    bacnet_npdu_version, bacnet_npdu_control = data.slice!(0,2).unpack("CC")
+    info['bacnet_npdu_version'] = bacnet_npdu_version
+    info['bacnet_npdu_control'] = bacnet_npdu_control
+    return info if bacnet_npdu_version != 1
+
+    bacnet_apdu_type_flags, bacnet_apdu_invoke_id, bacnet_apdu_service_choice = data.slice!(0,3).unpack("CCC")
+    bacnet_apdu_type = bacnet_apdu_type_flags >> 4
+    bacnet_apdu_flags = bacnet_apdu_type_flags & 0b00001111
+    info['bacnet_apdu_type'] = bacnet_apdu_type
+    info['bacnet_apdu_flags'] = bacnet_apdu_flags
+    info['bacnet_apdu_invoke_id'] = bacnet_apdu_invoke_id
+    info['bacnet_apdu_service_choice'] = bacnet_apdu_service_choice
+    return info unless (bacnet_apdu_type == 3 && bacnet_apdu_service_choice == 14)
+
+    return info unless data.size > 5
+    # XXX: don't know what to do with this right now
+    bacnet_object_id = data.slice!(0,5)
+    return info unless data.slice!(0,1).unpack('C').first == 0x1e
+    props = {}
+    # XXX: I think this is ASN.1, but still need to confirm
+    while (true) do
+      #puts "size is #{data.size}, data is #{data.each_byte.map { |b| b.to_s(16) }.join(' ')}"
+      break if data.size < 4
+      property_tag, property_id = data.slice!(0,2).unpack('CC')
+      props[property_id] = true
+      # slice off the opening tag
+      otag = data.slice!(0,1).unpack('C').first
+      if otag == 0x5e
+        data.slice!(0,5)
+        #puts "Property #{property_id} unknown"
+        props[property_id] = nil
+      else
+        # it isn't clear if the length is one byte wide followed by one byte of
+        # 0x00 for spacing or if it is two bytes little endian.  Looks like the later.
+        # XXX?
+        tag_flags = data.slice!(0,1).unpack('C').first
+        tag_type = tag_flags >> 4
+        if TAG_TYPE_LENGTHS.key?(tag_type)
+          #puts "Know how to handle property #{property_id}'s tag type #{tag_type}"
+          props[property_id] = data.slice!(0, TAG_TYPE_LENGTHS[tag_type])
+        else
+          if tag_type == 7
+            property_length = data.slice!(0,2).unpack('v').first
+            #puts "Handled property #{property_id}'s #{property_length}-byte tag type #{tag_type}"
+              property_length -= 1
+              # handle String
+              props[property_id] = data.slice!(0, property_length)
+          else
+            #puts "Don't know how to handle property #{property_id}'s tag type #{tag_type}"
+          end
+        end
+
+        ctag = data.slice!(0,1).unpack('C')
+      end
+      if data.size == 0
+        #puts "done"
+        break
+      else
+        #puts "going"
+      end
+    end
+
+    props.each do |k,v|
+      info[k] = v
+    end
+
+
+    info
+  end
+end
+
 #
 # Decode a NTP reply
 #
@@ -324,31 +451,28 @@ class FilterDecodeNTPReply
     ntp_flags = data.slice!(0,1).unpack('C').first
     ntp_version = (ntp_flags & 0b00111000) >> 3
     info['ntp.version'] = ntp_version
+    info['ntp.mode'] = (ntp_flags & 0b00000111)
 
     # NTP 2 & 3 share a common header, so parse those together
     if ntp_version == 2 || ntp_version == 3
-      #     0                   1                   2                   3
-      #     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-      #    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      #    |R|M| VN  | Mode|A|  Sequence   | Implementation|   Req Code    |
-      #    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
-      info['ntp.response'] = ntp_flags >> 7
-      info['ntp.more'] = (ntp_flags & 0b01000000) >> 6
-      info['ntp.mode'] = (ntp_flags & 0b00000111)
-      ntp_auth_seq, ntp_impl, ntp_rcode = data.slice!(0,3).unpack('C*')
-      info['ntp.implementation'] = ntp_impl
-      info['ntp.request_code'] = ntp_rcode
-
-      # if it is mode 7, parse that:
-      #     0                   1                   2                   3
-      #     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-      #    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      #    |  Err  | Number of data items  |  MBZ  |   Size of data item   |
-      #    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      #    ... data ...
+
       if info['ntp.mode'] == 7
-        return info if data.size < 4
+        # if it is mode 7, parse that:
+        #     0                   1                   2                   3
+        #     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+        #    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+        #    |R|M| VN  | Mode|A|  Sequence   | Implementation|   Req Code    |
+        #    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+        #    |  Err  | Number of data items  |  MBZ  |   Size of data item   |
+        #    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+        #    ... data ...
+
+        return info if data.size < 8
+        info['ntp.response'] = ntp_flags >> 7
+        info['ntp.more'] = (ntp_flags & 0b01000000) >> 6
+        ntp_auth_seq, ntp_impl, ntp_rcode = data.slice!(0,3).unpack('C*')
+        info['ntp.implementation'] = ntp_impl
+        info['ntp.request_code'] = ntp_rcode
         mode7_data = data.slice!(0,4).unpack('n*')
         info['ntp.mode7.err'] = mode7_data.first >> 11
         info['ntp.mode7.data_items_count'] = mode7_data.first & 0b0000111111111111
@@ -371,11 +495,18 @@ class FilterDecodeNTPReply
               #u_int32 daddr;     /* destination host address */
               #u_int32 flags;     /* flags about destination */
               #u_short port;      /* port number of last reception */
-
-              firsttime,lasttime,restr,count,raddr,laddr,flags,dport = data[idx, 30].unpack("NNNNNNNn")
-              remote_addresses << [raddr].pack("N").unpack("C*").map{|x| x.to_s }.join(".")
-              local_addresses << [laddr].pack("N").unpack("C*").map{|x| x.to_s }.join(".")
-              idx += info['ntp.mode7.data_item_size']
+              data_block = data[idx, 30]
+              # Occasionally not all of data captured, need to defensively handle this case.
+              if data_block
+                firsttime,lasttime,restr,count,raddr,laddr,flags,dport = data_block.unpack("NNNNNNNn")
+                # even if data_block is not nil, might not have all of the 30 bytes of data, so make sure
+                # that remote and local address are non-nil.
+                remote_addresses << [raddr].pack("N").unpack("C*").map{|x| x.to_s }.join(".") if raddr
+                local_addresses << [laddr].pack("N").unpack("C*").map{|x| x.to_s }.join(".")  if laddr
+                idx += info['ntp.mode7.data_item_size']
+              else
+                break
+              end
             end
 
             info['ntp.monlist.remote_addresses'] = remote_addresses.join(' ')
@@ -384,10 +515,38 @@ class FilterDecodeNTPReply
             info['ntp.monlist.local_addresses.count'] = local_addresses.size
           end
         end
+      elsif info['ntp.mode'] == 6
+        # control responses, supposedly.  abort if there isn't enough to have an empty control response
+        return info if data.size < 12
+        ntp_control_flags = data.slice!(0,1).unpack('C').first
+        info["ntp.control.response"] = ntp_control_flags >> 7
+        info["ntp.control.error"] = (ntp_control_flags & 0b01000000) >> 6
+        info["ntp.control.more"] = (ntp_control_flags & 0b00100000) >> 5
+        info["ntp.control.opcode"] = (ntp_control_flags & 0b00011111)
+        %w(seq status association_id offset count).each do |field|
+          info["ntp.control.#{field}"] = data.slice!(0,2).unpack('n').first
+        end
+        data = data.slice(0,info["ntp.control.count"])
+        # decode readvar responses
+        if info["ntp.control.opcode"] == 2
+          info["ntp.control.readvar"] =  data
+          data.strip!
+          data.gsub!(/\r\n/, ' ')
+          data.split(/, /).each do |pair|
+            next unless pair =~ /=/
+            key, value = pair.split(/=/)
+            if value
+              value.gsub!(/^['"]/, '')
+              value.gsub!(/['"]$/, '')
+            end
+            info["ntp.control.readvar.#{key}"] = value
+          end
+        else
+          info["ntp.control.data"] = data
+        end
       end
     elsif ntp_version == 4
       info['ntp.leap_indicator'] = ntp_flags >> 6
-      info['ntp.mode'] = ntp_flags & 0b00000111
       info['ntp.peer.stratum'], info['ntp.peer.interval'], info['ntp.peer.precision'] = data.slice!(0,3).unpack('C*')
       info['ntp.root.delay'], info['ntp.root.dispersion'], info['ntp.ref_id'] = data.slice!(0,12).unpack('N*')
       info['ntp.timestamp.reference'], info['ntp.timestamp.origin'], info['ntp.timestamp.receive'], info['ntp.timestamp.transmit'] = data.slice!(0,32).unpack('Q*')
@@ -396,6 +555,54 @@ class FilterDecodeNTPReply
     info
   end
 end
+#
+  class FilterDecodePortmapperReply
+    include BaseDecoder
+    ID_TO_PROTOCOL = {
+        0=>"ip",           1=>"icmp",        2=>"igmp",              3=>"ggp",
+        4=>"ipencap",      5=>"st",          6=>"tcp",               8=>"egp",
+        9=>"igp",          12=>"pup",        17=>"udp",              20=>"hmp",
+        22=>"xns-idp",     27=>"rdp",        29=>"iso-tp4",          33=>"dccp",
+        36=>"xtp",         37=>"ddp",        38=>"idpr-cmtp",        41=>"ipv6",
+        43=>"ipv6-route",  44=>"ipv6-frag",  45=>"idrp",             46=>"rsvp",
+        47=>"gre",         50=>"esp",        51=>"ah",               57=>"skip",
+        58=>"ipv6-icmp",   59=>"ipv6-nonxt", 60=>"ipv6-opts",        73=>"rspf",
+        81=>"vmtp",        88=>"eigrp",      89=>"ospf",             93=>"ax.25",
+        94=>"ipip",        97=>"etherip",    98=>"encap",            103=>"pim",
+        108=>"ipcomp",     112=>"vrrp",      115=>"l2tp",            124=>"isis",
+        132=>"sctp",       133=>"fc",        135=>"mobility-header", 136=>"udplite",
+        137=>"mpls-in-ip", 138=>"manet",     139=>"hip",             140=>"shim6",
+        141=>"wesp",       142=>"rohc"
+    }
+    # returns array of program-version-protocol-port strings for each rpc service
+    def parse_data(data)
+      ret = []
+      # Skip past header that contains no rpc services
+      stripped = data[8..-1]
+      curr_pos = 0
+      has_next = ( !stripped.nil? && stripped.length >= 8 ? stripped[curr_pos,8].to_i(16) : 0 )
+      curr_pos +=8
+      while has_next > 0
+        # See if enough data present for next set of reads.
+        if data.length > curr_pos+40
+          prog_id = stripped[curr_pos,8].to_i(16); curr_pos+=8
+          version = stripped[curr_pos,8].to_i(16); curr_pos += 8
+          proto_id = stripped[curr_pos,8].to_i(16); curr_pos+=8
+          protocol = ID_TO_PROTOCOL[ proto_id ] || "proto-#{proto_id}"
+          port = stripped[curr_pos,8].to_i(16); curr_pos += 8
+          ret << "#{prog_id}-v#{version}-#{protocol}-#{port}" if prog_id > 0
+          has_next = stripped[curr_pos,8].to_i(16); curr_pos += 8
+        else
+          break
+        end
+      end
+      ret
+    end
+
+    def decode(data)
+      { 'rpc_services'=>parse_data(data) }
+    end
+  end
 
 end
 end