void wise_load_fields()
{
char key[500];
int key_len;
memset(fieldsMap, -1, sizeof(fieldsMap));
key_len = snprintf(key, sizeof(key), "/fields");
size_t data_len;
unsigned char *data = moloch_http_send_sync(wiseService, "GET", key, key_len, NULL, 0, NULL, &data_len);;
BSB bsb;
BSB_INIT(bsb, data, data_len);
int ver, cnt = 0;
BSB_IMPORT_u32(bsb, fieldsTS);
BSB_IMPORT_u32(bsb, ver);
BSB_IMPORT_u08(bsb, cnt);
int i;
for (i = 0; i < cnt; i++) {
int len = 0;
BSB_IMPORT_u16(bsb, len); // len includes NULL terminated
fieldsMap[i] = moloch_field_define_text((char*)BSB_WORK_PTR(bsb), NULL);
if (fieldsMap[i] == -1)
fieldsTS = 0;
if (config.debug)
LOG("%d %d %s", i, fieldsMap[i], BSB_WORK_PTR(bsb));
BSB_IMPORT_skip(bsb, len);
}
}
unsigned char *dns_name(const unsigned char *full, int fulllen, BSB *inbsb, int *namelen)
{
static unsigned char name[8000];
BSB nbsb;
int didPointer = 0;
BSB tmpbsb;
BSB *curbsb;
BSB_INIT(nbsb, name, sizeof(name));
curbsb = inbsb;
while (BSB_REMAINING(*curbsb)) {
unsigned char ch = 0;
BSB_IMPORT_u08(*curbsb, ch);
if (ch == 0)
break;
BSB_EXPORT_rewind(*curbsb, 1);
if (ch & 0xc0) {
if (didPointer > 5)
return 0;
didPointer++;
int tpos = 0;
BSB_IMPORT_u16(*curbsb, tpos);
tpos &= 0x3fff;
BSB_INIT(tmpbsb, full+tpos, fulllen - tpos);
curbsb = &tmpbsb;
continue;
}
if (BSB_LENGTH(nbsb)) {
BSB_EXPORT_u08(nbsb, '.');
}
if (dns_name_element(&nbsb, curbsb) && BSB_LENGTH(nbsb))
BSB_EXPORT_rewind(nbsb, 1); // Remove last .
}
*namelen = BSB_LENGTH(nbsb);
BSB_EXPORT_u08(nbsb, 0);
return name;
}
void
tls_process_client(MolochSession_t *session, const unsigned char *data, int len)
{
BSB sslbsb;
BSB_INIT(sslbsb, data, len);
if (BSB_REMAINING(sslbsb) > 5) {
unsigned char *ssldata = BSB_WORK_PTR(sslbsb);
int ssllen = MIN(BSB_REMAINING(sslbsb) - 5, ssldata[3] << 8 | ssldata[4]);
BSB pbsb;
BSB_INIT(pbsb, ssldata+5, ssllen);
if (BSB_REMAINING(pbsb) > 7) {
unsigned char *pdata = BSB_WORK_PTR(pbsb);
int plen = MIN(BSB_REMAINING(pbsb) - 4, pdata[2] << 8 | pdata[3]);
BSB cbsb;
BSB_INIT(cbsb, pdata+6, plen-2); // The - 4 for plen is done above, confusing
if(BSB_REMAINING(cbsb) > 32) {
BSB_IMPORT_skip(cbsb, 32); // Random
int skiplen = 0;
BSB_IMPORT_u08(cbsb, skiplen); // Session Id Length
BSB_IMPORT_skip(cbsb, skiplen); // Session Id
BSB_IMPORT_u16(cbsb, skiplen); // Ciper Suites Length
BSB_IMPORT_skip(cbsb, skiplen); // Ciper Suites
BSB_IMPORT_u08(cbsb, skiplen); // Compression Length
BSB_IMPORT_skip(cbsb, skiplen); // Compressions
if (BSB_REMAINING(cbsb) > 2) {
int etotlen = 0;
BSB_IMPORT_u16(cbsb, etotlen); // Extensions Length
etotlen = MIN(etotlen, BSB_REMAINING(cbsb));
BSB ebsb;
BSB_INIT(ebsb, BSB_WORK_PTR(cbsb), etotlen);
while (BSB_REMAINING(ebsb) > 0) {
int etype = 0, elen = 0;
BSB_IMPORT_u16 (ebsb, etype);
BSB_IMPORT_u16 (ebsb, elen);
if (etype != 0) {
BSB_IMPORT_skip (ebsb, elen);
continue;
}
if (elen > BSB_REMAINING(ebsb))
break;
BSB snibsb;
BSB_INIT(snibsb, BSB_WORK_PTR(ebsb), elen);
BSB_IMPORT_skip (ebsb, elen);
int sni = 0;
BSB_IMPORT_u16(snibsb, sni); // list len
if (sni != BSB_REMAINING(snibsb))
continue;
BSB_IMPORT_u08(snibsb, sni); // type
if (sni != 0)
continue;
BSB_IMPORT_u16(snibsb, sni); // len
if (sni != BSB_REMAINING(snibsb))
continue;
moloch_field_string_add(hostField, session, (char *)BSB_WORK_PTR(snibsb), sni, TRUE);
}
}
}
}
BSB_IMPORT_skip(sslbsb, ssllen + 5);
}
}
void dns_parser(MolochSession_t *session, const unsigned char *data, int len)
{
if (len < 18)
return;
int qr = (data[2] >> 7) & 0x1;
int opcode = (data[2] >> 3) & 0xf;
if (opcode != 0)
return;
int qdcount = (data[4] << 8) | data[5];
int ancount = (data[6] << 8) | data[7];
if (qdcount > 10 || qdcount <= 0)
return;
BSB bsb;
BSB_INIT(bsb, data + 12, len - 12);
/* QD Section */
int i;
for (i = 0; BSB_NOT_ERROR(bsb) && i < qdcount; i++) {
int namelen;
unsigned char *name = dns_name(data, len, &bsb, &namelen);
if (BSB_IS_ERROR(bsb))
break;
if (!namelen) {
name = (unsigned char*)"<root>";
namelen = 6;
}
unsigned short qtype = 0 , qclass = 0 ;
BSB_IMPORT_u16(bsb, qtype);
BSB_IMPORT_u16(bsb, qclass);
char *lower = g_ascii_strdown((char*)name, namelen);
if (qclass <= 255 && qclasses[qclass]) {
moloch_field_string_add(queryClassField, session, qclasses[qclass], -1, TRUE);
}
if (qtype <= 255 && qtypes[qtype]) {
moloch_field_string_add(queryTypeField, session, qtypes[qtype], -1, TRUE);
}
if (lower && !moloch_field_string_add(hostField, session, lower, namelen, FALSE)) {
g_free(lower);
}
}
moloch_nids_add_protocol(session, "dns");
if (qr == 0)
return;
int rcode = data[3] & 0xf;
moloch_field_string_add(statusField, session, statuses[rcode], -1, TRUE);
for (i = 0; BSB_NOT_ERROR(bsb) && i < ancount; i++) {
int namelen;
dns_name(data, len, &bsb, &namelen);
if (BSB_IS_ERROR(bsb))
break;
uint16_t antype = 0;
BSB_IMPORT_u16 (bsb, antype);
uint16_t anclass = 0;
BSB_IMPORT_u16 (bsb, anclass);
BSB_IMPORT_skip(bsb, 4); // ttl
uint16_t rdlength = 0;
BSB_IMPORT_u16 (bsb, rdlength);
if (BSB_REMAINING(bsb) < rdlength) {
break;
}
if (anclass != 1) {
BSB_IMPORT_skip(bsb, rdlength);
continue;
}
switch (antype) {
case 1: {
if (rdlength != 4)
break;
struct in_addr in;
unsigned char *ptr = BSB_WORK_PTR(bsb);
in.s_addr = ptr[3] << 24 | ptr[2] << 16 | ptr[1] << 8 | ptr[0];
moloch_field_int_add(ipField, session, in.s_addr);
break;
}
case 5: {
BSB rdbsb;
BSB_INIT(rdbsb, BSB_WORK_PTR(bsb), rdlength);
int namelen;
unsigned char *name = dns_name(data, len, &rdbsb, &namelen);
if (!namelen || BSB_IS_ERROR(rdbsb))
continue;
char *lower = g_ascii_strdown((char*)name, namelen);
if (lower && !moloch_field_string_add(hostField, session, lower, namelen, FALSE)) {
g_free(lower);
}
break;
}
case 15: {
BSB rdbsb;
BSB_INIT(rdbsb, BSB_WORK_PTR(bsb), rdlength);
BSB_IMPORT_skip(rdbsb, 2); // preference
int namelen;
unsigned char *name = dns_name(data, len, &rdbsb, &namelen);
if (!namelen || BSB_IS_ERROR(rdbsb))
continue;
char *lower = g_ascii_strdown((char*)name, namelen);
if (lower && !moloch_field_string_add(hostField, session, lower, namelen, FALSE)) {
g_free(lower);
}
}
} /* switch */
BSB_IMPORT_skip(bsb, rdlength);
}
}