void moloch_rules_load_complete() { char **bpfs; GRegex *regex = g_regex_new(":\\s*(\\d+)\\s*$", 0, 0, 0); int i; bpfs = moloch_config_str_list(NULL, "dontSaveBPFs", NULL); int pos = moloch_field_by_exp("_maxPacketsToSave"); gint start_pos; if (bpfs) { for (i = 0; bpfs[i]; i++) { int n = loading.rulesLen[MOLOCH_RULE_TYPE_SESSION_SETUP]++; MolochRule_t *rule = loading.rules[MOLOCH_RULE_TYPE_SESSION_SETUP][n] = MOLOCH_TYPE_ALLOC0(MolochRule_t); rule->filename = "dontSaveBPFs"; moloch_field_ops_init(&rule->ops, 1, MOLOCH_FIELD_OPS_FLAGS_COPY); GMatchInfo *match_info = 0; g_regex_match(regex, bpfs[i], 0, &match_info); if (g_match_info_matches(match_info)) { g_match_info_fetch_pos (match_info, 1, &start_pos, NULL); rule->bpf = g_strndup(bpfs[i], start_pos-1); moloch_field_ops_add(&rule->ops, pos, g_match_info_fetch(match_info, 1), -1); } else { rule->bpf = g_strdup(bpfs[i]); moloch_field_ops_add(&rule->ops, pos, "1", -1); } g_match_info_free(match_info); } g_strfreev(bpfs); } bpfs = moloch_config_str_list(NULL, "minPacketsSaveBPFs", NULL); pos = moloch_field_by_exp("_minPacketsBeforeSavingSPI"); if (bpfs) { for (i = 0; bpfs[i]; i++) { int n = loading.rulesLen[MOLOCH_RULE_TYPE_SESSION_SETUP]++; MolochRule_t *rule = loading.rules[MOLOCH_RULE_TYPE_SESSION_SETUP][n] = MOLOCH_TYPE_ALLOC0(MolochRule_t); rule->filename = "minPacketsSaveBPFs"; moloch_field_ops_init(&rule->ops, 1, MOLOCH_FIELD_OPS_FLAGS_COPY); GMatchInfo *match_info = 0; g_regex_match(regex, bpfs[i], 0, &match_info); if (g_match_info_matches(match_info)) { g_match_info_fetch_pos (match_info, 1, &start_pos, NULL); rule->bpf = g_strndup(bpfs[i], start_pos-1); moloch_field_ops_add(&rule->ops, pos, g_match_info_fetch(match_info, 1), -1); } else { rule->bpf = g_strdup(bpfs[i]); moloch_field_ops_add(&rule->ops, pos, "1", -1); } g_match_info_free(match_info); } g_strfreev(bpfs); } g_regex_unref(regex); memcpy(¤t, &loading, sizeof(loading)); memset(&loading, 0, sizeof(loading)); }
LOCAL void reader_libpcapfile_opened() { int dlt_to_linktype(int dlt); if (config.flushBetween) moloch_session_flush(); moloch_packet_set_linksnap(dlt_to_linktype(pcap_datalink(pcap)) | pcap_datalink_ext(pcap), pcap_snapshot(pcap)); offlineFile = pcap_file(pcap); if (config.bpf && pcapFileHeader.linktype != 239) { struct bpf_program bpf; if (pcap_compile(pcap, &bpf, config.bpf, 1, PCAP_NETMASK_UNKNOWN) == -1) { LOGEXIT("ERROR - Couldn't compile filter: '%s' with %s", config.bpf, pcap_geterr(pcap)); } if (pcap_setfilter(pcap, &bpf) == -1) { LOGEXIT("ERROR - Couldn't set filter: '%s' with %s", config.bpf, pcap_geterr(pcap)); } } readerPos++; if (readerFileName[readerPos]) moloch_free_later(readerFileName[readerPos], g_free); readerFileName[readerPos] = g_strdup(offlinePcapFilename); int fd = pcap_fileno(pcap); if (fd == -1) { g_timeout_add(0, reader_libpcapfile_read, NULL); } else { moloch_watch_fd(fd, MOLOCH_GIO_READ_COND, reader_libpcapfile_read, NULL); } if (filenameOpsNum > 0) { // Free any previously allocated if (readerFieldOps[readerPos].size > 0) moloch_field_ops_free(&readerFieldOps[readerPos]); moloch_field_ops_init(&readerFieldOps[readerPos], filenameOpsNum, MOLOCH_FIELD_OPS_FLAGS_COPY); // Go thru all the filename ops looking for matches and then expand the value string int i; for (i = 0; i < filenameOpsNum; i++) { GMatchInfo *match_info = 0; g_regex_match(filenameOps[i].regex, offlinePcapFilename, 0, &match_info); if (g_match_info_matches(match_info)) { GError *error = 0; char *expand = g_match_info_expand_references(match_info, filenameOps[i].expand, &error); if (error) { LOG("Error expanding '%s' with '%s' - %s", offlinePcapFilename, filenameOps[i].expand, error->message); g_error_free(error); } if (expand) { moloch_field_ops_add(&readerFieldOps[readerPos], filenameOps[i].field, expand, -1); g_free(expand); } } g_match_info_free(match_info); } } }
void moloch_rules_process_rule(char *filename, YamlNode_t *parent) { char *name = moloch_rules_get_value(parent, "name"); if (!name) LOGEXIT("%s: name required for rule", filename); char *when = moloch_rules_get_value(parent, "when"); if (!when) LOGEXIT("%s: when required for rule '%s'", filename, name); char *bpf = moloch_rules_get_value(parent, "bpf"); GPtrArray *fields = moloch_rules_get_values(parent, "fields"); char *expression = moloch_rules_get_value(parent, "expression"); if (!bpf && !fields && !expression) LOGEXIT("%s: bpf, fields, or expressions required for rule '%s'", filename, name); if ((bpf && fields) || (bpf && expression) || (fields && expression)) LOGEXIT("%s: Only one of bpf, fields, or expressions can be set for rule '%s'", filename, name); GPtrArray *ops = moloch_rules_get_values(parent, "ops"); if (!ops) LOGEXIT("%s: ops required for rule '%s'", filename, name); if (expression) { LOGEXIT("Currently don't support expression, hopefully soon!"); } int type; int saveFlags = 0; if (strcmp(when, "everyPacket") == 0) { type = MOLOCH_RULE_TYPE_EVERY_PACKET; if (!bpf) LOGEXIT("%s: everyPacket only supports bpf", filename); } else if (strcmp(when, "sessionSetup") == 0) { type = MOLOCH_RULE_TYPE_SESSION_SETUP; } else if (strcmp(when, "afterClassify") == 0) { type = MOLOCH_RULE_TYPE_AFTER_CLASSIFY; if (bpf) LOGEXIT("%s: %s doesn't support bpf", filename, when); } else if (strcmp(when, "fieldSet") == 0) { type = MOLOCH_RULE_TYPE_FIELD_SET; if (bpf) LOGEXIT("%s: %s doesn't support bpf", filename, when); } else if (strcmp(when, "beforeMiddleSave") == 0) { type = MOLOCH_RULE_TYPE_BEFORE_SAVE; saveFlags = 1; if (bpf) LOGEXIT("%s: %s doesn't support bpf", filename, when); } else if (strcmp(when, "beforeFinalSave") == 0) { type = MOLOCH_RULE_TYPE_BEFORE_SAVE; saveFlags = 2; if (bpf) LOGEXIT("%s: %s doesn't support bpf", filename, when); } else if (strcmp(when, "beforeBothSave") == 0) { type = MOLOCH_RULE_TYPE_BEFORE_SAVE; saveFlags = 3; if (bpf) LOGEXIT("%s: %s doesn't support bpf", filename, when); } else { LOGEXIT("%s: Unknown when '%s'", filename, when); } if (rulesLen[type] >= MOLOCH_RULES_MAX) LOGEXIT("Too many %s rules", when); int n = rulesLen[type]++; MolochRule_t *rule = rules[type][n] = MOLOCH_TYPE_ALLOC0(MolochRule_t); rule->filename = filename; rule->saveFlags = saveFlags; if (bpf) rule->bpf = g_strdup(bpf); if (fields) { int i; rule->fields = malloc((int)fields->len); for (i = 0; i < (int)fields->len; i++) { YamlNode_t *node = g_ptr_array_index(fields, i); int pos = moloch_field_by_exp(node->key); if (pos == -1) LOGEXIT("%s Couldn't find field '%s'", filename, node->key); rule->fields[(int)rule->fieldsLen++] = pos; switch (config.fields[pos]->type) { case MOLOCH_FIELD_TYPE_INT: case MOLOCH_FIELD_TYPE_INT_ARRAY: case MOLOCH_FIELD_TYPE_INT_HASH: case MOLOCH_FIELD_TYPE_IP: case MOLOCH_FIELD_TYPE_IP_GHASH: case MOLOCH_FIELD_TYPE_INT_GHASH: case MOLOCH_FIELD_TYPE_IP_HASH: rule->hash[pos] = g_hash_table_new(NULL, NULL); break; case MOLOCH_FIELD_TYPE_STR: case MOLOCH_FIELD_TYPE_STR_ARRAY: case MOLOCH_FIELD_TYPE_STR_HASH: rule->hash[pos] = g_hash_table_new(g_str_hash, g_str_equal); break; case MOLOCH_FIELD_TYPE_CERTSINFO: LOGEXIT("%s: Currently don't support any certs fields", filename); } if (node->value) moloch_rules_process_add_field(rule, pos, node->value); else { int j; for (j = 0; j < (int)node->values->len; j++) { YamlNode_t *fnode = g_ptr_array_index(node->values, j); moloch_rules_process_add_field(rule, pos, fnode->key); } } } } moloch_field_ops_init(&rule->ops, ops->len, MOLOCH_FIELD_OPS_FLAGS_COPY); int i; for (i = 0; i < (int)ops->len; i++) { YamlNode_t *node = g_ptr_array_index(ops, i); int pos = moloch_field_by_exp(node->key); if (pos == -1) LOGEXIT("%s Couldn't find field '%s'", filename, node->key); moloch_field_ops_add(&rule->ops, pos, node->value, strlen(node->value)); } }