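/*
 * Per-packet callback of the SMTP plugin.
 *
 * When new_bucket is set, a PluginInformation node with a zeroed
 * struct plugin_info is allocated and linked at the head of bkt->plugin.
 * The payload is then compared (case-insensitively) against the MAIL_FROM,
 * RCPT_TO and RESET prefixes:
 *   - RESET: the flow is handed to exportBucket(), its statistics are reset
 *     and the per-flow plugin state is cleared;
 *   - MAIL_FROM / RCPT_TO: the token that follows the prefix (up to the first
 *     space, CR, LF or NUL) is stored in pinfo->mail_from / pinfo->rcpt_to.
 *
 * payload/payloadLen describe bytes taken from the wire and are treated as
 * untrusted: a prefix only matches if the payload is at least that long,
 * nothing is read past payloadLen, and the token is always NUL-terminated
 * before it is stored, so no uninitialised stack bytes can end up in the
 * per-flow state.
 */
static void smtpPlugin_packet(u_char new_bucket, void *pluginData,
			      HashBucket* bkt,
			      u_short proto, u_char isFragment,
			      u_short numPkts, u_char tos,
			      u_short vlanId, struct ether_header *ehdr,
			      IpAddress *src, u_short sport,
			      IpAddress *dst, u_short dport,
			      u_int len, u_int8_t flags, u_int8_t icmpType,
			      u_short numMplsLabels,
			      u_char mplsLabels[MAX_NUM_MPLS_LABELS][MPLS_LABEL_LEN],
			      char *fingerprint,
			      const struct pcap_pkthdr *h, const u_char *p,
			      u_char *payload, int payloadLen) {
  PluginInformation *info;
  struct plugin_info *pinfo;
  /* Which prefix matched; kept as an enum so the later dispatch does not
     depend on comparing the addresses of the prefix strings. */
  enum { smtp_verb_none, smtp_verb_mail_from, smtp_verb_rcpt_to, smtp_verb_reset } verb = smtp_verb_none;
  char address[ADDRESS_MAX_LEN+1];
  size_t avail, prefix_len = 0, skip, limit, n;

  if(new_bucket) {
    info = malloc(sizeof(PluginInformation));
    if(info == NULL) {
      traceEvent(TRACE_ERROR, "Not enough memory?");
      return; /* Not enough memory */
    }

    info->pluginPtr = (void*)&smtpPlugin;
    /* calloc() hands back the zeroed state the parsing below relies on */
    pluginData = info->pluginData = calloc(1, sizeof(struct plugin_info));

    if(info->pluginData == NULL) {
      traceEvent(TRACE_ERROR, "Not enough memory?");
      free(info);
      return; /* Not enough memory */
    }

    info->next = bkt->plugin;
    bkt->plugin = info;
  }

  pinfo = (struct plugin_info*)pluginData;

  /* The allocation-failure paths above leave the bucket without plugin
     state, so a later packet may presumably arrive with pluginData == NULL
     (caller not visible here): do not dereference it. */
  if(pinfo == NULL) return;

  if((payloadLen <= 0) || (payload == NULL)) return;
  avail = (size_t)payloadLen;

  /* A prefix can only match if the payload really holds that many bytes;
     otherwise the comparison would run past the captured data. */
  if((avail >= strlen(MAIL_FROM))
     && (!strncasecmp((char*)payload, MAIL_FROM, strlen(MAIL_FROM)))) {
    verb = smtp_verb_mail_from;
    prefix_len = strlen(MAIL_FROM);
  } else if((avail >= strlen(RCPT_TO))
	    && (!strncasecmp((char*)payload, RCPT_TO, strlen(RCPT_TO)))) {
    verb = smtp_verb_rcpt_to;
    prefix_len = strlen(RCPT_TO);
  } else if((avail >= strlen(RESET))
	    && (!strncasecmp((char*)payload, RESET, strlen(RESET)))) {
    verb = smtp_verb_reset;
    prefix_len = strlen(RESET);
  }

  if(verb == smtp_verb_none) return;

  if(verb == smtp_verb_reset) {
    /* We need to export this flow now */
    exportBucket(bkt, 0);
    resetBucketStats(bkt, h, len, sport, dport, payload, payloadLen);
    memset(pinfo, 0, sizeof(struct plugin_info));
    return;
  }

  /* The token starts on the last character of the prefix (same offset the
     original code used). avail >= prefix_len > skip, so the subtraction
     below cannot wrap. */
  skip = (prefix_len > 0) ? (prefix_len - 1) : 0;
  limit = avail - skip;
  if(limit > ADDRESS_MAX_LEN) limit = ADDRESS_MAX_LEN;

  /* Bounded copy that stops at the first delimiter and never reads beyond
     the payload. */
  for(n = 0; n < limit; n++) {
    char c = (char)payload[skip + n];

    if((c == '\0') || (c == ' ') || (c == '\r') || (c == '\n')) break;
    address[n] = c;
  }
  address[n] = '\0';

  /* The destination is cleared first so that a shorter address does not keep
     the tail of a previous one, and the copy is capped to the field size
     (mail_from/rcpt_to are assumed to be char arrays inside
     struct plugin_info, which is not visible in this file section). */
  if(verb == smtp_verb_mail_from) {
    if(n >= sizeof(pinfo->mail_from)) n = sizeof(pinfo->mail_from) - 1;
    memset(pinfo->mail_from, 0, sizeof(pinfo->mail_from));
    memcpy(pinfo->mail_from, address, n);
  } else {
    if(n >= sizeof(pinfo->rcpt_to)) n = sizeof(pinfo->rcpt_to) - 1;
    memset(pinfo->rcpt_to, 0, sizeof(pinfo->rcpt_to));
    memcpy(pinfo->rcpt_to, address, n);
  }
}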
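/*
 * Per-packet callback of the HTTP plugin.
 *
 * When new_bucket is set, a PluginInformation node with a zeroed
 * struct plugin_info is allocated and linked at the head of bkt->plugin.
 * The payload is then compared (case-sensitively) against the GET_URL,
 * POST_URL, HTTP_1_0_URL and HTTP_1_1_URL prefixes:
 *   - GET_URL / POST_URL: if a URL is already stored for the flow, the flow
 *     is handed to exportBucket() and its state is reset first; the token
 *     that follows the prefix is then stored in pinfo->http_url;
 *   - HTTP_1_0_URL / HTTP_1_1_URL: the token that follows the prefix is
 *     parsed as a decimal number and stored in pinfo->ret_code.
 *
 * payload/payloadLen describe bytes taken from the wire and are treated as
 * untrusted: a prefix only matches if the payload is at least that long,
 * nothing is read past payloadLen, and the token is always NUL-terminated
 * before it is used, so no uninitialised stack bytes can end up in the
 * per-flow state.
 */
static void httpPlugin_packet(u_char new_bucket, void *pluginData,
			      HashBucket* bkt,
			      u_short proto, u_char isFragment,
			      u_short numPkts, u_char tos,
			      u_short vlanId, struct ether_header *ehdr,
			      IpAddress *src, u_short sport,
			      IpAddress *dst, u_short dport,
			      u_int len, u_int8_t flags, u_int8_t icmpType,
			      u_short numMplsLabels,
			      u_char mplsLabels[MAX_NUM_MPLS_LABELS][MPLS_LABEL_LEN],
			      char *fingerprint,
			      const struct pcap_pkthdr *h, const u_char *p,
			      u_char *payload, int payloadLen) {
  PluginInformation *info;
  struct plugin_info *pinfo;
  /* What the payload starts with; kept as an enum so the later dispatch does
     not depend on comparing the addresses of the prefix strings. */
  enum { http_kind_none, http_kind_request, http_kind_response } kind = http_kind_none;
  char url[URL_MAX_LEN+1];
  size_t avail, prefix_len = 0, displ, skip, limit, n;

  if(new_bucket) {
    info = malloc(sizeof(PluginInformation));
    if(info == NULL) {
      traceEvent(TRACE_ERROR, "Not enough memory?");
      return; /* Not enough memory */
    }

    info->pluginPtr = (void*)&httpPlugin;
    /* calloc() hands back the zeroed state the parsing below relies on */
    pluginData = info->pluginData = calloc(1, sizeof(struct plugin_info));

    if(info->pluginData == NULL) {
      traceEvent(TRACE_ERROR, "Not enough memory?");
      free(info);
      return; /* Not enough memory */
    }

    info->next = bkt->plugin;
    bkt->plugin = info;
  }

  pinfo = (struct plugin_info*)pluginData;

  /* The allocation-failure paths above leave the bucket without plugin
     state, so a later packet may presumably arrive with pluginData == NULL
     (caller not visible here): do not dereference it. */
  if(pinfo == NULL) return;

  if((payloadLen <= 0) || (payload == NULL)) return;
  avail = (size_t)payloadLen;

  /* A prefix can only match if the payload really holds that many bytes;
     otherwise the comparison would run past the captured data. */
  if((avail >= strlen(GET_URL))
     && (!strncmp((char*)payload, GET_URL, strlen(GET_URL)))) {
    kind = http_kind_request;
    prefix_len = strlen(GET_URL);
  } else if((avail >= strlen(POST_URL))
	    && (!strncmp((char*)payload, POST_URL, strlen(POST_URL)))) {
    kind = http_kind_request;
    prefix_len = strlen(POST_URL);
  } else if((avail >= strlen(HTTP_1_0_URL))
	    && (!strncmp((char*)payload, HTTP_1_0_URL, strlen(HTTP_1_0_URL)))) {
    kind = http_kind_response;
    prefix_len = strlen(HTTP_1_0_URL);
  } else if((avail >= strlen(HTTP_1_1_URL))
	    && (!strncmp((char*)payload, HTTP_1_1_URL, strlen(HTTP_1_1_URL)))) {
    kind = http_kind_response;
    prefix_len = strlen(HTTP_1_1_URL);
  }

  if(kind == http_kind_none) return;

  if(kind == http_kind_request) {
    /* We need to export this flow now */
    if(pinfo->http_url[0] != '\0') {
      exportBucket(bkt, 0);
      resetBucketStats(bkt, h, len, sport, dport, payload, payloadLen);
      memset(pinfo, 0, sizeof(struct plugin_info));
    }

    /* For requests the token starts on the last character of the prefix */
    displ = 1;
  } else
    displ = 0;

  /* avail >= prefix_len >= skip, so the subtraction below cannot wrap */
  skip = (prefix_len >= displ) ? (prefix_len - displ) : 0;
  limit = avail - skip;
  if(limit > URL_MAX_LEN) limit = URL_MAX_LEN;

  /* Bounded copy that stops at the first delimiter and never reads beyond
     the payload. */
  for(n = 0; n < limit; n++) {
    char c = (char)payload[skip + n];

    if((c == '\0') || (c == ' ') || (c == '\r') || (c == '\n')) break;
    url[n] = c;
  }
  url[n] = '\0';

  if(kind == http_kind_request) {
    /* The copy is capped to the field size and the field is cleared first
       (http_url is assumed to be a char array inside struct plugin_info,
       which is not visible in this file section). */
    if(n >= sizeof(pinfo->http_url)) n = sizeof(pinfo->http_url) - 1;
    memset(pinfo->http_url, 0, sizeof(pinfo->http_url));
    memcpy(pinfo->http_url, url, n);
  } else {
    /* strtol() has defined behaviour on overflow, unlike atoi(); values
       outside the three-digit HTTP status range are recorded as 0, which is
       also what a non-numeric token yields. */
    long code = strtol(url, NULL, 10);

    if((code < 0) || (code > 999)) code = 0;
    pinfo->ret_code = (int)code;
  }
}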