void wise_process_ops(MolochSession_t *session, WiseItem_t *wi)
{
int i;
for (i = 0; i < wi->numOps; i++) {
WiseOp_t *op = &(wi->ops[i]);
switch (config.fields[op->fieldPos]->type) {
case MOLOCH_FIELD_TYPE_INT_HASH:
case MOLOCH_FIELD_TYPE_INT_GHASH:
if (op->fieldPos == tagsField) {
moloch_session_add_tag(session, op->str);
continue;
}
// Fall Thru
case MOLOCH_FIELD_TYPE_INT:
case MOLOCH_FIELD_TYPE_INT_ARRAY:
case MOLOCH_FIELD_TYPE_IP:
case MOLOCH_FIELD_TYPE_IP_HASH:
case MOLOCH_FIELD_TYPE_IP_GHASH:
moloch_field_int_add(op->fieldPos, session, op->strLenOrInt);
break;
case MOLOCH_FIELD_TYPE_STR:
case MOLOCH_FIELD_TYPE_STR_ARRAY:
case MOLOCH_FIELD_TYPE_STR_HASH:
moloch_field_string_add(op->fieldPos, session, op->str, op->strLenOrInt, TRUE);
break;
}
}
}
int
moloch_hp_cb_on_body (http_parser *parser, const char *at, size_t length)
{
HTTPInfo_t *http = parser->data;
MolochSession_t *session = http->session;
#ifdef HTTPDEBUG
LOG("HTTPDEBUG: which: %d", http->which);
#endif
if (!(http->inBody & (1 << http->which))) {
if (moloch_memcasestr(at, length, "password="******"passwd=", 7) ||
moloch_memcasestr(at, length, "pass="******"http:password");
}
moloch_parsers_magic(session, magicField, at, length);
http->inBody |= (1 << http->which);
}
g_checksum_update(http->checksum[http->which], (guchar *)at, length);
if (pluginsCbs & MOLOCH_PLUGIN_HP_OB)
moloch_plugins_cb_hp_ob(session, parser, at, length);
return 0;
}
void
http_add_value(MolochSession_t *session, HTTPInfo_t *http)
{
int pos = http->pos[http->which];
char *s = http->valueString[http->which]->str;
int l = http->valueString[http->which]->len;
while (isspace(*s)) {
s++;
l--;
}
switch (config.fields[pos]->type) {
case MOLOCH_FIELD_TYPE_INT:
case MOLOCH_FIELD_TYPE_INT_ARRAY:
case MOLOCH_FIELD_TYPE_INT_HASH:
case MOLOCH_FIELD_TYPE_INT_GHASH:
moloch_field_int_add(pos, session, atoi(s));
break;
case MOLOCH_FIELD_TYPE_STR:
case MOLOCH_FIELD_TYPE_STR_ARRAY:
case MOLOCH_FIELD_TYPE_STR_HASH:
moloch_field_string_add(pos, session, s, l, TRUE);
break;
case MOLOCH_FIELD_TYPE_IP_HASH:
case MOLOCH_FIELD_TYPE_IP_GHASH:
{
int i;
gchar **parts = g_strsplit(http->valueString[http->which]->str, ",", 0);
for (i = 0; parts[i]; i++) {
gchar *ip = parts[i];
while (*ip == ' ')
ip++;
in_addr_t ia = inet_addr(ip);
if (ia == 0 || ia == 0xffffffff) {
moloch_session_add_tag(session, "http:bad-xff");
if (config.debug)
LOG("INFO - Didn't understand ip: %s %s %d", http->valueString[http->which]->str, ip, ia);
continue;
}
moloch_field_int_add(pos, session, ia);
}
g_strfreev(parts);
break;
}
} /* SWITCH */
g_string_truncate(http->valueString[http->which], 0);
http->pos[http->which] = 0;
}
static int MS_add_tag(lua_State *L)
{
if (lua_gettop(L) != 2 || !lua_isuserdata(L, 1) || !lua_isstring(L, 2)) {
return luaL_error(L, "usage: <session> <tag>");
}
MolochSession_t *session = checkMolochSession(L, 1);
const char *tag = lua_tostring(L, 2);
moloch_session_add_tag(session, tag);
return 0;
}
int
moloch_hp_cb_on_headers_complete (http_parser *parser)
{
HTTPInfo_t *http = parser->data;
MolochSession_t *session = http->session;
char version[20];
#ifdef HTTPDEBUG
LOG("HTTPDEBUG: which: %d code: %d method: %d", http->which, parser->status_code, parser->method);
#endif
int len = snprintf(version, sizeof(version), "%d.%d", parser->http_major, parser->http_minor);
if (parser->status_code == 0) {
moloch_field_string_add(methodField, session, http_method_str(parser->method), -1, TRUE);
moloch_field_string_add(verReqField, session, version, len, TRUE);
} else {
moloch_field_int_add(statuscodeField, session, parser->status_code);
moloch_field_string_add(verResField, session, version, len, TRUE);
}
if (http->inValue & (1 << http->which) && http->pos[http->which]) {
http_add_value(session, http);
}
http->header[0][0] = http->header[1][0] = 0;
if (http->urlString) {
char *ch = http->urlString->str;
while (*ch) {
if (*ch < 32) {
moloch_session_add_tag(session, "http:control-char");
break;
}
ch++;
}
}
if (http->cookieString && http->cookieString->str[0]) {
char *start = http->cookieString->str;
while (1) {
while (isspace(*start)) start++;
char *equal = strchr(start, '=');
if (!equal)
break;
moloch_field_string_add(cookieKeyField, session, start, equal-start, TRUE);
start = strchr(equal+1, ';');
if (config.parseCookieValue) {
equal++;
while (isspace(*equal)) equal++;
if (*equal && equal != start)
moloch_field_string_add(cookieValueField, session, equal, start?start-equal:-1, TRUE);
}
if(!start)
break;
start++;
}
g_string_truncate(http->cookieString, 0);
}
if (http->authString && http->authString->str[0]) {
moloch_http_parse_authorization(session, http->authString->str);
g_string_truncate(http->authString, 0);
}
if (http->hostString) {
g_string_ascii_down(http->hostString);
}
gboolean truncated = FALSE;
if (http->urlString && http->hostString) {
char *colon = strchr(http->hostString->str+2, ':');
if (colon) {
moloch_field_string_add(hostField, session, http->hostString->str+2, colon - http->hostString->str-2, TRUE);
} else {
moloch_field_string_add(hostField, session, http->hostString->str+2, http->hostString->len-2, TRUE);
}
char *question = strchr(http->urlString->str, '?');
if (question) {
moloch_field_string_add(pathField, session, http->urlString->str, question - http->urlString->str, TRUE);
char *start = question+1;
char *ch;
int field = keyField;
for (ch = start; *ch; ch++) {
if (*ch == '&') {
if (ch != start && (config.parseQSValue || field == keyField)) {
char *str = g_uri_unescape_segment(start, ch, NULL);
if (!str) {
moloch_field_string_add(field, session, start, ch-start, TRUE);
} else if (!moloch_field_string_add(field, session, str, -1, FALSE)) {
g_free(str);
}
}
start = ch+1;
field = keyField;
continue;
} else if (*ch == '=') {
if (ch != start && (config.parseQSValue || field == keyField)) {
char *str = g_uri_unescape_segment(start, ch, NULL);
if (!str) {
moloch_field_string_add(field, session, start, ch-start, TRUE);
} else if (!moloch_field_string_add(field, session, str, -1, FALSE)) {
g_free(str);
}
}
start = ch+1;
field = valueField;
}
}
if (config.parseQSValue && field == valueField && ch > start) {
char *str = g_uri_unescape_segment(start, ch, NULL);
if (!str) {
moloch_field_string_add(field, session, start, ch-start, TRUE);
} else if (!moloch_field_string_add(field, session, str, -1, FALSE)) {
g_free(str);
}
}
} else {
moloch_field_string_add(pathField, session, http->urlString->str, http->urlString->len, TRUE);
}
if (http->urlString->str[0] != '/') {
char *result = strstr(http->urlString->str, http->hostString->str+2);
/* If the host header is in the first 8 bytes of url then just use the url */
if (result && result - http->urlString->str <= 8) {
moloch_field_string_add(urlsField, session, http->urlString->str, MIN(MAX_URL_LENGTH, http->urlString->len), FALSE);
truncated = http->urlString->len > MAX_URL_LENGTH;
g_string_free(http->urlString, FALSE);
g_string_free(http->hostString, TRUE);
} else {
/* Host header doesn't match the url */
g_string_append(http->hostString, ";");
g_string_append(http->hostString, http->urlString->str);
moloch_field_string_add(urlsField, session, http->hostString->str, MIN(MAX_URL_LENGTH, http->hostString->len), FALSE);
truncated = http->hostString->len > MAX_URL_LENGTH;
g_string_free(http->urlString, TRUE);
g_string_free(http->hostString, FALSE);
}
} else {
/* Normal case, url starts with /, so no extra host in url */
g_string_append(http->hostString, http->urlString->str);
moloch_field_string_add(urlsField, session, http->hostString->str, MIN(MAX_URL_LENGTH, http->hostString->len), FALSE);
truncated = http->hostString->len > MAX_URL_LENGTH;
g_string_free(http->urlString, TRUE);
g_string_free(http->hostString, FALSE);
}
http->urlString = NULL;
http->hostString = NULL;
} else if (http->urlString) {
moloch_field_string_add(urlsField, session, http->urlString->str, MIN(MAX_URL_LENGTH, http->urlString->len), FALSE);
truncated = http->urlString->len > MAX_URL_LENGTH;
g_string_free(http->urlString, FALSE);
http->urlString = NULL;
} else if (http->hostString) {
char *colon = strchr(http->hostString->str+2, ':');
if (colon) {
moloch_field_string_add(hostField, session, http->hostString->str+2, colon - http->hostString->str-2, TRUE);
} else {
moloch_field_string_add(hostField, session, http->hostString->str+2, http->hostString->len-2, TRUE);
}
g_string_free(http->hostString, TRUE);
http->hostString = NULL;
}
if (truncated)
moloch_session_add_tag(session, "http:url-truncated");
moloch_session_add_protocol(session, "http");
if (pluginsCbs & MOLOCH_PLUGIN_HP_OHC)
moloch_plugins_cb_hp_ohc(session, parser);
return 0;
}
