void moloch_rules_load_complete()
{
char **bpfs;
GRegex *regex = g_regex_new(":\\s*(\\d+)\\s*$", 0, 0, 0);
int i;
bpfs = moloch_config_str_list(NULL, "dontSaveBPFs", NULL);
int pos = moloch_field_by_exp("_maxPacketsToSave");
gint start_pos;
if (bpfs) {
for (i = 0; bpfs[i]; i++) {
int n = loading.rulesLen[MOLOCH_RULE_TYPE_SESSION_SETUP]++;
MolochRule_t *rule = loading.rules[MOLOCH_RULE_TYPE_SESSION_SETUP][n] = MOLOCH_TYPE_ALLOC0(MolochRule_t);
rule->filename = "dontSaveBPFs";
moloch_field_ops_init(&rule->ops, 1, MOLOCH_FIELD_OPS_FLAGS_COPY);
GMatchInfo *match_info = 0;
g_regex_match(regex, bpfs[i], 0, &match_info);
if (g_match_info_matches(match_info)) {
g_match_info_fetch_pos (match_info, 1, &start_pos, NULL);
rule->bpf = g_strndup(bpfs[i], start_pos-1);
moloch_field_ops_add(&rule->ops, pos, g_match_info_fetch(match_info, 1), -1);
} else {
rule->bpf = g_strdup(bpfs[i]);
moloch_field_ops_add(&rule->ops, pos, "1", -1);
}
g_match_info_free(match_info);
}
g_strfreev(bpfs);
}
bpfs = moloch_config_str_list(NULL, "minPacketsSaveBPFs", NULL);
pos = moloch_field_by_exp("_minPacketsBeforeSavingSPI");
if (bpfs) {
for (i = 0; bpfs[i]; i++) {
int n = loading.rulesLen[MOLOCH_RULE_TYPE_SESSION_SETUP]++;
MolochRule_t *rule = loading.rules[MOLOCH_RULE_TYPE_SESSION_SETUP][n] = MOLOCH_TYPE_ALLOC0(MolochRule_t);
rule->filename = "minPacketsSaveBPFs";
moloch_field_ops_init(&rule->ops, 1, MOLOCH_FIELD_OPS_FLAGS_COPY);
GMatchInfo *match_info = 0;
g_regex_match(regex, bpfs[i], 0, &match_info);
if (g_match_info_matches(match_info)) {
g_match_info_fetch_pos (match_info, 1, &start_pos, NULL);
rule->bpf = g_strndup(bpfs[i], start_pos-1);
moloch_field_ops_add(&rule->ops, pos, g_match_info_fetch(match_info, 1), -1);
} else {
rule->bpf = g_strdup(bpfs[i]);
moloch_field_ops_add(&rule->ops, pos, "1", -1);
}
g_match_info_free(match_info);
}
g_strfreev(bpfs);
}
g_regex_unref(regex);
memcpy(¤t, &loading, sizeof(loading));
memset(&loading, 0, sizeof(loading));
}
LOCAL void reader_libpcapfile_opened()
{
int dlt_to_linktype(int dlt);
if (config.flushBetween)
moloch_session_flush();
moloch_packet_set_linksnap(dlt_to_linktype(pcap_datalink(pcap)) | pcap_datalink_ext(pcap), pcap_snapshot(pcap));
offlineFile = pcap_file(pcap);
if (config.bpf && pcapFileHeader.linktype != 239) {
struct bpf_program bpf;
if (pcap_compile(pcap, &bpf, config.bpf, 1, PCAP_NETMASK_UNKNOWN) == -1) {
LOGEXIT("ERROR - Couldn't compile filter: '%s' with %s", config.bpf, pcap_geterr(pcap));
}
if (pcap_setfilter(pcap, &bpf) == -1) {
LOGEXIT("ERROR - Couldn't set filter: '%s' with %s", config.bpf, pcap_geterr(pcap));
}
}
readerPos++;
if (readerFileName[readerPos])
moloch_free_later(readerFileName[readerPos], g_free);
readerFileName[readerPos] = g_strdup(offlinePcapFilename);
int fd = pcap_fileno(pcap);
if (fd == -1) {
g_timeout_add(0, reader_libpcapfile_read, NULL);
} else {
moloch_watch_fd(fd, MOLOCH_GIO_READ_COND, reader_libpcapfile_read, NULL);
}
if (filenameOpsNum > 0) {
// Free any previously allocated
if (readerFieldOps[readerPos].size > 0)
moloch_field_ops_free(&readerFieldOps[readerPos]);
moloch_field_ops_init(&readerFieldOps[readerPos], filenameOpsNum, MOLOCH_FIELD_OPS_FLAGS_COPY);
// Go thru all the filename ops looking for matches and then expand the value string
int i;
for (i = 0; i < filenameOpsNum; i++) {
GMatchInfo *match_info = 0;
g_regex_match(filenameOps[i].regex, offlinePcapFilename, 0, &match_info);
if (g_match_info_matches(match_info)) {
GError *error = 0;
char *expand = g_match_info_expand_references(match_info, filenameOps[i].expand, &error);
if (error) {
LOG("Error expanding '%s' with '%s' - %s", offlinePcapFilename, filenameOps[i].expand, error->message);
g_error_free(error);
}
if (expand) {
moloch_field_ops_add(&readerFieldOps[readerPos], filenameOps[i].field, expand, -1);
g_free(expand);
}
}
g_match_info_free(match_info);
}
}
}
void moloch_rules_process_rule(char *filename, YamlNode_t *parent)
{
char *name = moloch_rules_get_value(parent, "name");
if (!name)
LOGEXIT("%s: name required for rule", filename);
char *when = moloch_rules_get_value(parent, "when");
if (!when)
LOGEXIT("%s: when required for rule '%s'", filename, name);
char *bpf = moloch_rules_get_value(parent, "bpf");
GPtrArray *fields = moloch_rules_get_values(parent, "fields");
char *expression = moloch_rules_get_value(parent, "expression");
if (!bpf && !fields && !expression)
LOGEXIT("%s: bpf, fields, or expressions required for rule '%s'", filename, name);
if ((bpf && fields) || (bpf && expression) || (fields && expression))
LOGEXIT("%s: Only one of bpf, fields, or expressions can be set for rule '%s'", filename, name);
GPtrArray *ops = moloch_rules_get_values(parent, "ops");
if (!ops)
LOGEXIT("%s: ops required for rule '%s'", filename, name);
if (expression) {
LOGEXIT("Currently don't support expression, hopefully soon!");
}
int type;
int saveFlags = 0;
if (strcmp(when, "everyPacket") == 0) {
type = MOLOCH_RULE_TYPE_EVERY_PACKET;
if (!bpf)
LOGEXIT("%s: everyPacket only supports bpf", filename);
} else if (strcmp(when, "sessionSetup") == 0) {
type = MOLOCH_RULE_TYPE_SESSION_SETUP;
} else if (strcmp(when, "afterClassify") == 0) {
type = MOLOCH_RULE_TYPE_AFTER_CLASSIFY;
if (bpf)
LOGEXIT("%s: %s doesn't support bpf", filename, when);
} else if (strcmp(when, "fieldSet") == 0) {
type = MOLOCH_RULE_TYPE_FIELD_SET;
if (bpf)
LOGEXIT("%s: %s doesn't support bpf", filename, when);
} else if (strcmp(when, "beforeMiddleSave") == 0) {
type = MOLOCH_RULE_TYPE_BEFORE_SAVE;
saveFlags = 1;
if (bpf)
LOGEXIT("%s: %s doesn't support bpf", filename, when);
} else if (strcmp(when, "beforeFinalSave") == 0) {
type = MOLOCH_RULE_TYPE_BEFORE_SAVE;
saveFlags = 2;
if (bpf)
LOGEXIT("%s: %s doesn't support bpf", filename, when);
} else if (strcmp(when, "beforeBothSave") == 0) {
type = MOLOCH_RULE_TYPE_BEFORE_SAVE;
saveFlags = 3;
if (bpf)
LOGEXIT("%s: %s doesn't support bpf", filename, when);
} else {
LOGEXIT("%s: Unknown when '%s'", filename, when);
}
if (rulesLen[type] >= MOLOCH_RULES_MAX)
LOGEXIT("Too many %s rules", when);
int n = rulesLen[type]++;
MolochRule_t *rule = rules[type][n] = MOLOCH_TYPE_ALLOC0(MolochRule_t);
rule->filename = filename;
rule->saveFlags = saveFlags;
if (bpf)
rule->bpf = g_strdup(bpf);
if (fields) {
int i;
rule->fields = malloc((int)fields->len);
for (i = 0; i < (int)fields->len; i++) {
YamlNode_t *node = g_ptr_array_index(fields, i);
int pos = moloch_field_by_exp(node->key);
if (pos == -1)
LOGEXIT("%s Couldn't find field '%s'", filename, node->key);
rule->fields[(int)rule->fieldsLen++] = pos;
switch (config.fields[pos]->type) {
case MOLOCH_FIELD_TYPE_INT:
case MOLOCH_FIELD_TYPE_INT_ARRAY:
case MOLOCH_FIELD_TYPE_INT_HASH:
case MOLOCH_FIELD_TYPE_IP:
case MOLOCH_FIELD_TYPE_IP_GHASH:
case MOLOCH_FIELD_TYPE_INT_GHASH:
case MOLOCH_FIELD_TYPE_IP_HASH:
rule->hash[pos] = g_hash_table_new(NULL, NULL);
break;
case MOLOCH_FIELD_TYPE_STR:
case MOLOCH_FIELD_TYPE_STR_ARRAY:
case MOLOCH_FIELD_TYPE_STR_HASH:
rule->hash[pos] = g_hash_table_new(g_str_hash, g_str_equal);
break;
case MOLOCH_FIELD_TYPE_CERTSINFO:
LOGEXIT("%s: Currently don't support any certs fields", filename);
}
if (node->value)
moloch_rules_process_add_field(rule, pos, node->value);
else {
int j;
for (j = 0; j < (int)node->values->len; j++) {
YamlNode_t *fnode = g_ptr_array_index(node->values, j);
moloch_rules_process_add_field(rule, pos, fnode->key);
}
}
}
}
moloch_field_ops_init(&rule->ops, ops->len, MOLOCH_FIELD_OPS_FLAGS_COPY);
int i;
for (i = 0; i < (int)ops->len; i++) {
YamlNode_t *node = g_ptr_array_index(ops, i);
int pos = moloch_field_by_exp(node->key);
if (pos == -1)
LOGEXIT("%s Couldn't find field '%s'", filename, node->key);
moloch_field_ops_add(&rule->ops, pos, node->value, strlen(node->value));
}
}
