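/*
 * Case-insensitive prefix test that never reads past payloadLen: the packet
 * payload is not NUL-terminated, so a bare strncasecmp() could run off the end
 * of a payload that is shorter than the prefix it is compared against.
 * Returns non-zero when the first strlen(prefix) payload bytes match prefix.
 */
static int smtp_payload_has_prefix(const u_char *payload, int payloadLen,
                                   const char *prefix) {
    size_t plen = strlen(prefix);

    if(payloadLen <= 0 || (size_t)payloadLen < plen)
        return 0;

    return strncasecmp((const char*)payload, prefix, plen) == 0;
}

/*
 * Replace the contents of a fixed-size plugin_info field with src, truncated to
 * the field capacity dstsz. The field is cleared first so that a shorter value
 * does not keep the tail of the one stored before it; a value that fills the
 * field exactly is stored without a terminator.
 */
static void smtp_store_field(char *dst, size_t dstsz, const char *src) {
    size_t slen = strlen(src);

    if(slen > dstsz)
        slen = dstsz;

    memset(dst, 0, dstsz);
    memcpy(dst, src, slen);
}

/*
 * Per-packet hook of the SMTP plugin.
 *
 * On the first packet of a flow (new_bucket != 0) a PluginInformation record
 * carrying a zeroed struct plugin_info is allocated and linked at the head of
 * bkt->plugin. The payload is then inspected for the MAIL_FROM, RCPT_TO and
 * RESET prefixes: the address that follows MAIL FROM / RCPT TO is stored in
 * pinfo->mail_from / pinfo->rcpt_to, while RSET exports the flow, resets the
 * bucket statistics and clears the plugin state.
 *
 * pluginData is the struct plugin_info of this flow (replaced by the fresh
 * allocation when new_bucket is set). payload/payloadLen is the raw,
 * non-NUL-terminated application payload; the remaining parameters are passed
 * through to resetBucketStats() or are unused here.
 *
 * Allocation failures are logged via traceEvent() and the packet is dropped.
 */
static void smtpPlugin_packet(u_char new_bucket, void *pluginData,
                              HashBucket* bkt,
                              u_short proto, u_char isFragment,
                              u_short numPkts, u_char tos,
                              u_short vlanId, struct ether_header *ehdr,
                              IpAddress *src, u_short sport,
                              IpAddress *dst, u_short dport,
                              u_int len, u_int8_t flags, u_int8_t icmpType,
                              u_short numMplsLabels,
                              u_char mplsLabels[MAX_NUM_MPLS_LABELS][MPLS_LABEL_LEN],
                              char *fingerprint,
                              const struct pcap_pkthdr *h, const u_char *p,
                              u_char *payload, int payloadLen) {
    enum { SMTP_MAIL_FROM, SMTP_RCPT_TO, SMTP_RESET } cmd;
    PluginInformation *info;
    struct plugin_info *pinfo;
    const char *method;
    char address[ADDRESS_MAX_LEN+1];
    size_t mlen, avail, n, i;

    // traceEvent(TRACE_INFO, "smtpPlugin_packet(%d)", payloadLen);

    if(new_bucket) {
        info = malloc(sizeof *info);
        if(info == NULL) {
            traceEvent(TRACE_ERROR, "Not enough memory?");
            return; /* Not enough memory */
        }

        info->pluginPtr = (void*)&smtpPlugin;
        /* calloc() hands back the zeroed per-flow state directly */
        pluginData = info->pluginData = calloc(1, sizeof(struct plugin_info));

        if(info->pluginData == NULL) {
            traceEvent(TRACE_ERROR, "Not enough memory?");
            free(info);
            return; /* Not enough memory */
        }

        /* Link the record at the head of the bucket's plugin list */
        info->next = bkt->plugin;
        bkt->plugin = info;
    }

    pinfo = (struct plugin_info*)pluginData;

    if(payloadLen <= 0)
        return;

    //traceEvent(TRACE_INFO, "==> [%d][%d]'%s'", bkt->bytesSent, bkt->bytesRcvd, payload);

    /* Identify the command with an enum instead of comparing pointers to the
       prefix strings, which only works when identical literals are merged. */
    if(smtp_payload_has_prefix(payload, payloadLen, MAIL_FROM)) {
        cmd = SMTP_MAIL_FROM;
        method = MAIL_FROM;
    } else if(smtp_payload_has_prefix(payload, payloadLen, RCPT_TO)) {
        cmd = SMTP_RCPT_TO;
        method = RCPT_TO;
    } else if(smtp_payload_has_prefix(payload, payloadLen, RESET)) {
        cmd = SMTP_RESET;
        method = RESET;
    } else {
        return;
    }

    if(cmd == SMTP_RESET) {
        /* RSET aborts the transaction: export what we have and start over */
        exportBucket(bkt, 0);
        resetBucketStats(bkt, h, len, sport, dport, payload, payloadLen);
        memset(pinfo, 0, sizeof(struct plugin_info));
        return;
    }

    mlen = strlen(method);
    if(mlen == 0)
        return; /* an empty prefix would make the offset below underflow */

    /* The address is taken from the last byte of the matched prefix onwards
       (presumably the '<' of "<user@host>" -- confirm against MAIL_FROM and
       RCPT_TO). The prefix test guarantees payloadLen >= mlen, so the
       subtraction cannot wrap; the copy is bounded by both the payload and
       the buffer, and address[] is fully initialised afterwards. */
    avail = (size_t)payloadLen - (mlen - 1);
    n = avail < (size_t)ADDRESS_MAX_LEN ? avail : (size_t)ADDRESS_MAX_LEN;
    memcpy(address, &payload[mlen - 1], n);
    address[n] = '\0';

    /* Cut the address at the first separator */
    for(i = 0; i < n; i++) {
        if(address[i] == ' ' || address[i] == '\r' || address[i] == '\n') {
            address[i] = '\0';
            break;
        }
    }

    /* NOTE(review): assumes mail_from and rcpt_to are char arrays inside
       struct plugin_info, so sizeof yields their capacity -- confirm. */
    if(cmd == SMTP_MAIL_FROM)
        smtp_store_field(pinfo->mail_from, sizeof pinfo->mail_from, address);
    else if(cmd == SMTP_RCPT_TO)
        smtp_store_field(pinfo->rcpt_to, sizeof pinfo->rcpt_to, address);
}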
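/*
 * Case-sensitive prefix test that never reads past payloadLen: the packet
 * payload is not NUL-terminated, so a bare strncmp() could run off the end of
 * a payload that is shorter than the prefix it is compared against.
 * Returns non-zero when the first strlen(prefix) payload bytes match prefix.
 */
static int http_payload_has_prefix(const u_char *payload, int payloadLen,
				   const char *prefix) {
  size_t plen = strlen(prefix);

  if(payloadLen <= 0 || (size_t)payloadLen < plen)
    return 0;

  return strncmp((const char*)payload, prefix, plen) == 0;
}

/*
 * Replace the contents of a fixed-size plugin_info field with src, truncated to
 * the field capacity dstsz. The field is cleared first so that a shorter value
 * does not keep the tail of the one stored before it; a value that fills the
 * field exactly is stored without a terminator.
 */
static void http_store_field(char *dst, size_t dstsz, const char *src) {
  size_t slen = strlen(src);

  if(slen > dstsz)
    slen = dstsz;

  memset(dst, 0, dstsz);
  memcpy(dst, src, slen);
}

/*
 * Per-packet hook of the HTTP plugin.
 *
 * On the first packet of a flow (new_bucket != 0) a PluginInformation record
 * carrying a zeroed struct plugin_info is allocated and linked at the head of
 * bkt->plugin. The payload is then inspected for the GET_URL / POST_URL request
 * prefixes and the HTTP_1_0_URL / HTTP_1_1_URL response prefixes: a request
 * stores its URL in pinfo->http_url (exporting and resetting the flow first
 * when a URL is already recorded), a response stores its numeric status in
 * pinfo->ret_code.
 *
 * pluginData is the struct plugin_info of this flow (replaced by the fresh
 * allocation when new_bucket is set). payload/payloadLen is the raw,
 * non-NUL-terminated application payload; the remaining parameters are passed
 * through to resetBucketStats() or are unused here.
 *
 * Allocation failures are logged via traceEvent() and the packet is dropped.
 */
static void httpPlugin_packet(u_char new_bucket, void *pluginData,
			      HashBucket* bkt,
			      u_short proto, u_char isFragment,
			      u_short numPkts, u_char tos,
			      u_short vlanId, struct ether_header *ehdr,
			      IpAddress *src, u_short sport,
			      IpAddress *dst, u_short dport,
			      u_int len, u_int8_t flags, u_int8_t icmpType,
			      u_short numMplsLabels,
			      u_char mplsLabels[MAX_NUM_MPLS_LABELS][MPLS_LABEL_LEN],
			      char *fingerprint,
			      const struct pcap_pkthdr *h, const u_char *p,
			      u_char *payload, int payloadLen) {
  enum { HTTP_REQUEST, HTTP_RESPONSE } kind;
  PluginInformation *info;
  struct plugin_info *pinfo;
  const char *method;
  char url[URL_MAX_LEN+1];
  size_t mlen, start, avail, n, i;

  // traceEvent(TRACE_INFO, "httpPlugin_packet(%d)", payloadLen);

  if(new_bucket) {
    info = malloc(sizeof *info);
    if(info == NULL) {
      traceEvent(TRACE_ERROR, "Not enough memory?");
      return; /* Not enough memory */
    }

    info->pluginPtr = (void*)&httpPlugin;
    /* calloc() hands back the zeroed per-flow state directly */
    pluginData = info->pluginData = calloc(1, sizeof(struct plugin_info));

    if(info->pluginData == NULL) {
      traceEvent(TRACE_ERROR, "Not enough memory?");
      free(info);
      return; /* Not enough memory */
    }

    /* Link the record at the head of the bucket's plugin list */
    info->next = bkt->plugin;
    bkt->plugin = info;
  }

  pinfo = (struct plugin_info*)pluginData;

  if(payloadLen <= 0)
    return;

  //traceEvent(TRACE_INFO, "==> [%d][%d]'%s'", bkt->bytesSent, bkt->bytesRcvd, payload);

  /* Classify with an enum instead of comparing pointers to the prefix
     strings, which only works when identical literals are merged. */
  if(http_payload_has_prefix(payload, payloadLen, GET_URL)) {
    kind = HTTP_REQUEST;
    method = GET_URL;
  } else if(http_payload_has_prefix(payload, payloadLen, POST_URL)) {
    kind = HTTP_REQUEST;
    method = POST_URL;
  } else if(http_payload_has_prefix(payload, payloadLen, HTTP_1_0_URL)) {
    kind = HTTP_RESPONSE;
    method = HTTP_1_0_URL;
  } else if(http_payload_has_prefix(payload, payloadLen, HTTP_1_1_URL)) {
    kind = HTTP_RESPONSE;
    method = HTTP_1_1_URL;
  } else {
    return;
  }

  mlen = strlen(method);
  if(mlen == 0)
    return; /* an empty prefix would make the offset below underflow */

  if(kind == HTTP_REQUEST) {
    /* A new request on a flow that already carries one: flush the previous
       request as its own flow record before it gets overwritten */
    if(pinfo->http_url[0] != '\0') {
      exportBucket(bkt, 0);
      resetBucketStats(bkt, h, len, sport, dport, payload, payloadLen);
      memset(pinfo, 0, sizeof(struct plugin_info));
    }

    /* Keep the last byte of the prefix (presumably the leading '/' of the
       URL -- confirm against GET_URL/POST_URL) */
    start = mlen - 1;
  } else {
    /* The status code starts right after the prefix */
    start = mlen;
  }

  /* The prefix test guarantees payloadLen >= mlen, so the subtraction cannot
     wrap; the copy is bounded by both the payload and the buffer, and url[]
     is fully initialised afterwards. */
  avail = (size_t)payloadLen - start;
  n = avail < (size_t)URL_MAX_LEN ? avail : (size_t)URL_MAX_LEN;
  memcpy(url, &payload[start], n);
  url[n] = '\0';

  /* Cut the token at the first separator */
  for(i = 0; i < n; i++) {
    if(url[i] == ' ' || url[i] == '\r' || url[i] == '\n') {
      url[i] = '\0';
      break;
    }
  }

  if(kind == HTTP_REQUEST) {
    /* NOTE(review): assumes http_url is a char array inside struct
       plugin_info, so sizeof yields its capacity -- confirm. */
    http_store_field(pinfo->http_url, sizeof pinfo->http_url, url);
  } else {
    /* strtol() has defined behaviour on out-of-range input, unlike atoi();
       malformed input yields 0 either way */
    pinfo->ret_code = (int)strtol(url, NULL, 10);
  }
}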