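/*
 * Classify a session as MySQL from one packet of untrusted payload.
 *
 * The bytes from offset 5 up to the first NUL are treated as a version
 * string (presumably the server greeting's version field; confirm against
 * the MySQL handshake layout). The packet is accepted only when that run is
 * non-empty, entirely printable, and NUL-terminated inside the buffer.
 * On acceptance an Info_t holding a copy of the version string is
 * registered together with mysql_parser and mysql_free.
 *
 * session: session being classified; only handled when session->which is 1.
 * data:    packet payload (attacker-controlled, never assumed terminated).
 * len:     number of valid bytes in data.
 */
void mysql_classify(MolochSession_t *session, const unsigned char *data, int len)
{
    if (session->which != 1) {
        return;
    }

    if (moloch_nids_has_protocol(session, "mysql")) {
        return;
    }

    /*
     * Reject short (or negative) lengths before any pointer is derived from
     * data. The original computed data + 5 first, which is out of range of
     * the buffer when len < 5; it still returned without reading, so the
     * outcome for these lengths is unchanged.
     */
    if (len <= 5) {
        return;
    }

    const unsigned char *start = data + 5;
    const unsigned char *end = data + len;
    const unsigned char *ptr = start;

    /* Scan the candidate version string; any non-printable byte disqualifies it. */
    while (ptr < end && *ptr != 0) {
        if (!isprint(*ptr)) {
            return;
        }
        ptr++;
    }

    /* No terminator inside the packet, or an empty string: not a match. */
    if (ptr == end || ptr == start) {
        return;
    }

    Info_t *info = MOLOCH_TYPE_ALLOC0(Info_t);
    info->versionLen = ptr - start;
    /* Bounded copy: exactly the validated printable bytes, NUL added by g_strndup. */
    info->version = g_strndup((const char *)start, info->versionLen);
    /* info is handed over with mysql_free as its release callback. */
    moloch_parsers_register(session, mysql_parser, info, mysql_free);
}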
/*
 * Tag a TCP session as DNS and attach dns_tcp_parser.
 *
 * The decision uses only `which` and session->port2; the payload arguments
 * are unused. Any traffic satisfying which == 0 and port2 == 53 is therefore
 * labelled "dns" whatever it contains, so the parser receives unvalidated
 * bytes and has to do its own length and format checks.
 */
void dns_tcp_classify(MolochSession_t *session, const unsigned char *UNUSED(data), int UNUSED(len), int which)
{
    if (which != 0) {
        return;
    }

    if (session->port2 != 53) {
        return;
    }

    /* Already tagged: do not register the parser a second time. */
    if (moloch_nids_has_protocol(session, "dns")) {
        return;
    }

    moloch_nids_add_protocol(session, "dns");
    moloch_parsers_register(session, dns_tcp_parser, 0, 0);
}
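/*
 * Classify a session as IRC from one packet of untrusted payload and, on a
 * match, run irc_parser on that same packet.
 *
 * A packet starting with ':' must contain " NOTICE ", and a packet starting
 * with 'U' must contain "\nNICK "; other first bytes pass these two filters
 * (the classifier is presumably only invoked for registered prefixes;
 * confirm at the registration site).
 *
 * session: session being classified.
 * data:    packet payload (attacker-controlled).
 * len:     number of valid bytes in data.
 * which:   passed through unchanged to irc_parser.
 */
void irc_classify(MolochSession_t *session, const unsigned char *data, int len, int which)
{
    /*
     * data[0] is read below, so an empty (or negative-length) payload must
     * be rejected first; the original dereferenced data[0] unconditionally.
     */
    if (len < 1) {
        return;
    }

    if (data[0] == ':' && !moloch_memstr((char *)data, len, " NOTICE ", 8)) {
        return;
    }

    /* A USER packet must have NICK with it so we don't pick up FTP. */
    if (data[0] == 'U' && !moloch_memstr((char *)data, len, "\nNICK ", 6)) {
        return;
    }

    /* Already tagged: avoid registering a second parser and state object. */
    if (moloch_nids_has_protocol(session, "irc")) {
        return;
    }

    moloch_nids_add_protocol(session, "irc");

    IRCInfo_t *irc = MOLOCH_TYPE_ALLOC0(IRCInfo_t);

    /* irc is handed over with irc_free as its release callback. */
    moloch_parsers_register(session, irc_parser, irc, irc_free);

    /* Feed the classifying packet to the parser as well. */
    irc_parser(session, irc, data, len, which);
}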