int moloch_hp_cb_on_header_field (http_parser *parser, const char *at, size_t length) { HTTPInfo_t *http = parser->data; MolochSession_t *session = http->session; #ifdef HTTPDEBUG LOG("HTTPDEBUG: which: %d field: %.*s", http->which, (int)length, at); #endif if (http->inValue & (1 << http->which)) { http->inValue &= ~(1 << http->which); http->header[http->which][0] = 0; if (http->pos[http->which]) { http_add_value(session, http); } } if ((http->inHeader & (1 << http->which)) == 0) { http->inHeader |= (1 << http->which); if (http->urlString && parser->status_code == 0 && pluginsCbs & MOLOCH_PLUGIN_HP_OU) { moloch_plugins_cb_hp_ou(session, parser, http->urlString->str, http->urlString->len); } } size_t remaining = sizeof(http->header[http->which]) - strlen(http->header[http->which]) - 1; if (remaining > 0) strncat(http->header[http->which], at, MIN(length, remaining)); return 0; }
int moloch_hp_cb_on_headers_complete (http_parser *parser) { HTTPInfo_t *http = parser->data; MolochSession_t *session = http->session; char tag[200]; char version[20]; #ifdef HTTPDEBUG LOG("HTTPDEBUG: which: %d code: %d method: %d", session->which, parser->status_code, parser->method); #endif int len = snprintf(version, sizeof(version), "%d.%d", parser->http_major, parser->http_minor); if (parser->status_code == 0) { #ifndef REMOVEOLD snprintf(tag, sizeof(tag), "http:method:%s", http_method_str(parser->method)); moloch_nids_add_tag(session, tag); #endif moloch_field_string_add(methodField, session, http_method_str(parser->method), -1, TRUE); moloch_field_string_add(verReqField, session, version, len, TRUE); } else { #ifndef REMOVEOLD snprintf(tag, sizeof(tag), "http:statuscode:%d", parser->status_code); moloch_nids_add_tag(session, tag); #endif moloch_field_int_add(statuscodeField, session, parser->status_code); moloch_field_string_add(verResField, session, version, len, TRUE); } if (http->inValue & (1 << session->which) && http->pos[session->which]) { http_add_value(session, http); } if (pluginsCbs & MOLOCH_PLUGIN_HP_OHC) moloch_plugins_cb_hp_ohc(session, parser); return 0; }
int moloch_hp_cb_on_headers_complete (http_parser *parser) { HTTPInfo_t *http = parser->data; MolochSession_t *session = http->session; char tag[200]; char version[20]; #ifdef HTTPDEBUG LOG("HTTPDEBUG: which: %d code: %d method: %d", http->which, parser->status_code, parser->method); #endif int len = snprintf(version, sizeof(version), "%d.%d", parser->http_major, parser->http_minor); if (parser->status_code == 0) { #ifndef REMOVEOLD snprintf(tag, sizeof(tag), "http:method:%s", http_method_str(parser->method)); moloch_nids_add_tag(session, tag); #endif moloch_field_string_add(methodField, session, http_method_str(parser->method), -1, TRUE); moloch_field_string_add(verReqField, session, version, len, TRUE); } else { #ifndef REMOVEOLD snprintf(tag, sizeof(tag), "http:statuscode:%d", parser->status_code); moloch_nids_add_tag(session, tag); #endif moloch_field_int_add(statuscodeField, session, parser->status_code); moloch_field_string_add(verResField, session, version, len, TRUE); } if (http->inValue & (1 << http->which) && http->pos[http->which]) { http_add_value(session, http); } http->header[0][0] = http->header[1][0] = 0; if (http->urlString) { char *ch = http->urlString->str; while (*ch) { if (*ch < 32) { moloch_nids_add_tag(session, "http:control-char"); break; } ch++; } } if (http->cookieString && http->cookieString->str[0]) { char *start = http->cookieString->str; while (1) { while (isspace(*start)) start++; char *equal = strchr(start, '='); if (!equal) break; moloch_field_string_add(cookieKeyField, session, start, equal-start, TRUE); start = strchr(equal+1, ';'); if(!start) break; start++; } g_string_truncate(http->cookieString, 0); } if (http->authString && http->authString->str[0]) { moloch_http_parse_authorization(session, http->authString->str); g_string_truncate(http->authString, 0); } if (http->hostString) { g_string_ascii_down(http->hostString); } if (http->urlString && http->hostString) { char *colon = strchr(http->hostString->str+2, ':'); if (colon) { moloch_field_string_add(hostField, session, http->hostString->str+2, colon - http->hostString->str-2, TRUE); } else { moloch_field_string_add(hostField, session, http->hostString->str+2, http->hostString->len-2, TRUE); } char *question = strchr(http->urlString->str, '?'); if (question) { moloch_field_string_add(pathField, session, http->urlString->str, question - http->urlString->str, TRUE); char *start = question+1; char *ch; int field = keyField; for (ch = start; *ch; ch++) { if (*ch == '&') { if (ch != start && (config.parseQSValue || field == keyField)) { char *str = g_uri_unescape_segment(start, ch, NULL); if (!str) { moloch_field_string_add(field, session, start, ch-start, TRUE); } else if (!moloch_field_string_add(field, session, str, strlen(str), FALSE)) { g_free(str); } } start = ch+1; field = keyField; continue; } else if (*ch == '=') { if (ch != start && (config.parseQSValue || field == keyField)) { char *str = g_uri_unescape_segment(start, ch, NULL); if (!str) { moloch_field_string_add(field, session, start, ch-start, TRUE); } else if (!moloch_field_string_add(field, session, str, strlen(str), FALSE)) { g_free(str); } } start = ch+1; field = valueField; } } if (config.parseQSValue && field == valueField && ch > start) { char *str = g_uri_unescape_segment(start, ch, NULL); if (!str) { moloch_field_string_add(field, session, start, ch-start, TRUE); } else if (!moloch_field_string_add(field, session, str, strlen(str), FALSE)) { g_free(str); } } } else { moloch_field_string_add(pathField, session, http->urlString->str, http->urlString->len, TRUE); } if (http->urlString->str[0] != '/') { char *result = strstr(http->urlString->str, http->hostString->str+2); /* If the host header is in the first 8 bytes of url then just use the url */ if (result && result - http->urlString->str <= 8) { moloch_field_string_add(urlsField, session, http->urlString->str, http->urlString->len, FALSE); g_string_free(http->urlString, FALSE); g_string_free(http->hostString, TRUE); } else { /* Host header doesn't match the url */ g_string_append(http->hostString, ";"); g_string_append(http->hostString, http->urlString->str); moloch_field_string_add(urlsField, session, http->hostString->str, http->hostString->len, FALSE); g_string_free(http->urlString, TRUE); g_string_free(http->hostString, FALSE); } } else { /* Normal case, url starts with /, so no extra host in url */ g_string_append(http->hostString, http->urlString->str); moloch_field_string_add(urlsField, session, http->hostString->str, http->hostString->len, FALSE); g_string_free(http->urlString, TRUE); g_string_free(http->hostString, FALSE); } http->urlString = NULL; http->hostString = NULL; } else if (http->urlString) { moloch_field_string_add(urlsField, session, http->urlString->str, http->urlString->len, FALSE); g_string_free(http->urlString, FALSE); http->urlString = NULL; } else if (http->hostString) { char *colon = strchr(http->hostString->str+2, ':'); if (colon) { moloch_field_string_add(hostField, session, http->hostString->str+2, colon - http->hostString->str-2, TRUE); } else { moloch_field_string_add(hostField, session, http->hostString->str+2, http->hostString->len-2, TRUE); } g_string_free(http->hostString, TRUE); http->hostString = NULL; } moloch_nids_add_tag(session, "protocol:http"); moloch_nids_add_protocol(session, "http"); if (pluginsCbs & MOLOCH_PLUGIN_HP_OHC) moloch_plugins_cb_hp_ohc(session, parser); return 0; }