From de19fcda82830ecf275752cd7ee953564fd30303 Mon Sep 17 00:00:00 2001
From: david
Date: Wed, 19 Aug 2009 16:53:28 +0000
Subject: [PATCH] Add a UDP payload for port 10080/amanda.
---
 payload.cc | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/payload.cc b/payload.cc
index 3ef4d6cf6..1ce1d7cb0 100644
--- a/payload.cc
+++ b/payload.cc
@@ -209,6 +209,16 @@ static const char payload_dns_sd[] =
 "\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00"
 "\x09_services\x07_dns-sd\x04_udp\x05local\x00\x00\x0C\x00\x01";
 
+/* Amanda backup service noop request. I think that this does nothing on the
+ server but only asks it to send back its feature list. In reply we expect an
+ ACK or (more likely) an ERROR. I couldn't find good online documentation of
+ the Amanda network protocol. There is parsing code in the Amanda source at
+ common-src/security-util.c. This is based on a packet capture of
+ amcheck */
+static const char payload_amanda[] =
+ "Amanda 2.6 REQ HANDLE 000-00000000 SEQ 0\n"
+ "SERVICE noop\n";
+
 /* This one trips a Snort rule with SID 2049 ("MS-SQL ping attempt").
 static const char payload_Sqlping[] = "\x02";
 
@@ -286,6 +296,9 @@ const char *udp_port2payload(u16 dport, size_t *length){
 case 5353:
 SET_PAYLOAD(payload_dns_sd);
 break;
+ case 10080:
+ SET_PAYLOAD(payload_amanda);
+ break;
 default:
 SET_PAYLOAD(payload_null);
 break;
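Review bot: The comment above `payload_amanda` leaves the server-side effect of the probe as a guess ("I think that this does nothing on the server"), yet the second hunk's `case 10080:` sends this datagram to every host probed on that UDP port. The noop handling should be checked in the Amanda source the comment already cites, and the comment rewritten to state what was confirmed, e.g. `/* Amanda noop REQ; checked against <amanda source file> that the service changes no server state. */` with the placeholder filled in. The comment's last sentence also appears to stop mid-phrase at "packet capture of amcheck", so the capture command is worth restoring. Because the handle `000-00000000` and `SEQ 0` are fixed, the probe is a constant byte string; saying so in the comment would let someone who finds it in a packet capture or IDS log attribute it to the scanner.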