/*
 * Copy one length-prefixed DNS label from bsb into nbsb in printable form.
 *
 * The first byte read from bsb is the label length. Every label byte comes
 * straight from the packet, so it is rewritten in caret/meta notation before
 * it reaches the output: a non-ASCII byte is prefixed with "M-" and reduced
 * with toascii(), and a byte that is still not printable is written as '^'
 * followed by the byte XOR 0x40.
 *
 * Returns 0 when a label was copied, 1 when the length byte is zero or claims
 * more bytes than bsb still holds (the length byte has been read by then).
 *
 * NOTE(review): one input byte can expand to four output bytes ("M-^X") and
 * nothing here checks the room left in nbsb; presumably BSB_EXPORT_u08 drops
 * writes that do not fit -- confirm against the BSB macro definitions.
 */
int dns_name_element(BSB *nbsb, BSB *bsb)
{
    int label_len = 0;
    BSB_IMPORT_u08(*bsb, label_len);

    /* Reject an empty label and a length that runs past the input. */
    if (label_len == 0 || label_len > BSB_REMAINING(*bsb))
        return 1;

    int left = label_len;
    while (left-- > 0) {
        u_char ch = 0;
        BSB_IMPORT_u08(*bsb, ch);

        if (!isascii(ch)) {
            /* High bit set: emit the "M-" prefix, then continue with the low 7 bits. */
            BSB_EXPORT_u08(*nbsb, 'M');
            BSB_EXPORT_u08(*nbsb, '-');
            ch = toascii(ch);
        }

        if (!isprint(ch)) {
            /* Control byte or DEL: '^' plus the byte with bit 0x40 flipped. */
            BSB_EXPORT_u08(*nbsb, '^');
            ch ^= 0x40;
        }

        BSB_EXPORT_u08(*nbsb, ch);
    }

    return 0;
}
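/*
 * Decode a DNS name, following compression pointers, into dotted printable
 * text.
 *
 * full/fulllen  the buffer that compression pointer offsets are relative to
 * inbsb         reader positioned at the first label of the name
 * namelen       receives the number of bytes written, excluding the final NUL
 *
 * Returns a pointer to a function-static buffer, so the result is overwritten
 * by the next call and the function is not reentrant. Returns 0 when more
 * than six compression pointers are followed, which bounds pointer loops.
 *
 * Labels are rendered by dns_name_element() and joined with '.'.
 *
 * NOTE(review): the terminating NUL is written through BSB_EXPORT_u08 after
 * namelen is taken; if the 8000-byte buffer is already full that write
 * presumably does not happen -- confirm that callers rely on namelen rather
 * than on NUL termination.
 */
unsigned char *dns_name(const unsigned char *full, int fulllen, BSB *inbsb, int *namelen)
{
    static unsigned char name[8000];
    BSB nbsb;
    int didPointer = 0;
    BSB tmpbsb;
    BSB *curbsb;

    BSB_INIT(nbsb, name, sizeof(name));

    curbsb = inbsb;

    while (BSB_REMAINING(*curbsb)) {
        unsigned char ch = 0;
        BSB_IMPORT_u08(*curbsb, ch);

        /* A zero length byte is the root label and ends the name. */
        if (ch == 0)
            break;

        /* Put the byte back; both branches below re-read it themselves. */
        BSB_EXPORT_rewind(*curbsb, 1);

        if (ch & 0xc0) {
            /* Compression pointer: low 14 bits are an offset into `full`. */
            if (didPointer > 5)
                return 0;
            didPointer++;
            int tpos = 0;
            BSB_IMPORT_u16(*curbsb, tpos);
            tpos &= 0x3fff;

            /*
             * The offset comes from the packet. Stop here when it points at or
             * past the end of `full` instead of forming an out-of-range pointer
             * and a negative length and leaving the outcome to BSB_INIT.
             */
            if (tpos >= fulllen)
                break;

            BSB_INIT(tmpbsb, full+tpos, fulllen - tpos);
            curbsb = &tmpbsb;
            continue;
        }

        if (BSB_LENGTH(nbsb)) {
            BSB_EXPORT_u08(nbsb, '.');
        }

        if (dns_name_element(&nbsb, curbsb) && BSB_LENGTH(nbsb))
            BSB_EXPORT_rewind(nbsb, 1); // Remove last .
    }
    *namelen = BSB_LENGTH(nbsb);
    BSB_EXPORT_u08(nbsb, 0);
    return name;
}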
/*
 * Write the NetFlow header into the front of buf, send the datagram to every
 * configured destination, then reset the record buffer for the next batch.
 *
 * The header occupies the first headerSize bytes of buf; the flow records
 * accumulated through the file-level `bsb` follow it. A failed or short
 * send() is only logged: the batch is still counted in totalFlows and the
 * buffer is still reset, so those records are not retried.
 */
void netflow_send()
{
    BSB hbsb;
    BSB_INIT(hbsb, buf, headerSize);

    /* Whole seconds since the first packet, in milliseconds; the sub-second part is not added. */
    uint32_t sys_uptime = (bufTime.tv_sec - initialPacket.tv_sec)*1000;

    /* Fields common to the header of both supported versions */
    BSB_EXPORT_u16(hbsb, netflowVersion);
    BSB_EXPORT_u16(hbsb, bufCount);            /* count */
    BSB_EXPORT_u32(hbsb, sys_uptime);          /* sys_uptime */
    BSB_EXPORT_u32(hbsb, bufTime.tv_sec);
    BSB_EXPORT_u32(hbsb, bufTime.tv_usec);

    /* Version-specific tail; any other version gets no extra fields. */
    if (netflowVersion == 5) {
        BSB_EXPORT_u32(hbsb, totalFlows);      /* flow_sequence */
        BSB_EXPORT_u08(hbsb, 0);               /* engine_type */
        BSB_EXPORT_u08(hbsb, 0);               /* engine_id */
        BSB_EXPORT_u16(hbsb, 0);               /* mode/interval */
    } else if (netflowVersion == 7) {
        BSB_EXPORT_u32(hbsb, totalFlows);      /* flow_sequence */
        BSB_EXPORT_u32(hbsb, 0);               /* reserved */
    }

    int d = 0;
    while (d < numDests) {
        int rc = send(dests[d].fd, buf, BSB_LENGTH(bsb)+headerSize, 0);
        if (rc < BSB_LENGTH(bsb)+headerSize) {
            LOG("Failed to send rc=%d size=%ld", rc, BSB_LENGTH(bsb)+headerSize);
        }
        d++;
    }

    totalFlows += bufCount;

    /* Start the next batch right after the space reserved for the header. */
    BSB_INIT(bsb, buf + headerSize, sizeof(buf) - headerSize);
    bufCount = 0;
}
/*
 * Append the NUL-terminated string `in` to bsb as a JSON string literal.
 *
 * bsb   output buffer the escaped text is written to
 * in    input bytes; read until a 0 byte is seen
 * utf8  non-zero: bytes >= 32 are treated as already UTF-8 and copied;
 *       zero: each byte with the high bit set is re-encoded as a two-byte
 *       UTF-8 sequence
 *
 * The listing is cut off after the switch statement; the end of the loop and
 * of the function are not visible here.
 */
void moloch_db_js0n_str(BSB *bsb, unsigned char *in, gboolean utf8)
{
    BSB_EXPORT_u08(*bsb, '"');
    while (*in) {
        switch(*in) {
        /* Characters with a short JSON escape */
        case '\b':
            BSB_EXPORT_u08(*bsb, '\\');
            BSB_EXPORT_u08(*bsb, 'b');
            break;
        case '\n':
            BSB_EXPORT_u08(*bsb, '\\');
            BSB_EXPORT_u08(*bsb, 'n');
            break;
        case '\r':
            BSB_EXPORT_u08(*bsb, '\\');
            BSB_EXPORT_u08(*bsb, 'r');
            break;
        case '\f':
            BSB_EXPORT_u08(*bsb, '\\');
            BSB_EXPORT_u08(*bsb, 'f');
            break;
        case '\t':
            BSB_EXPORT_u08(*bsb, '\\');
            BSB_EXPORT_u08(*bsb, 't');
            break;
        case '"':
            BSB_EXPORT_u08(*bsb, '\\');
            BSB_EXPORT_u08(*bsb, '"');
            break;
        case '\\':
            BSB_EXPORT_u08(*bsb, '\\');
            BSB_EXPORT_u08(*bsb, '\\');
            break;
        case '/':
            BSB_EXPORT_u08(*bsb, '\\');
            BSB_EXPORT_u08(*bsb, '/');
            break;
        default:
            if(*in < 32) {
                /* Remaining control characters become \u00XX. */
                BSB_EXPORT_sprintf(*bsb, "\\u%04x", *in);
            } else if (utf8) {
                /*
                 * The lead byte's high nibble selects how many bytes are
                 * copied verbatim: 0xf0 -> 4, 0xe0 -> 3, 0xd0 -> 2, else 1.
                 *
                 * NOTE(review): the trailing bytes are copied without
                 * checking that they are continuation bytes or that they are
                 * not the terminating NUL. Input that ends in the middle of a
                 * sequence moves `in` past the terminator, so `while (*in)`
                 * keeps reading beyond the string, and a '"' or '\\' placed
                 * after a lead byte is emitted unescaped. Worth validating
                 * each trailing byte ((b & 0xc0) == 0x80) before copying it.
                 *
                 * NOTE(review): the two-byte test matches only lead bytes
                 * 0xd0-0xdf; lead bytes 0xc0-0xcf take the single-byte branch.
                 */
                if ((*in & 0xf0) == 0xf0) {
                    BSB_EXPORT_u08(*bsb, *(in++));
                    BSB_EXPORT_u08(*bsb, *(in++));
                    BSB_EXPORT_u08(*bsb, *(in++));
                    BSB_EXPORT_u08(*bsb, *in);
                } else if ((*in & 0xf0) == 0xe0) {
                    BSB_EXPORT_u08(*bsb, *(in++));
                    BSB_EXPORT_u08(*bsb, *(in++));
                    BSB_EXPORT_u08(*bsb, *in);
                } else if ((*in & 0xf0) == 0xd0) {
                    BSB_EXPORT_u08(*bsb, *(in++));
                    BSB_EXPORT_u08(*bsb, *in);
                } else {
                    BSB_EXPORT_u08(*bsb, *in);
                }
            } else {
                if(*in & 0x80) {
                    /* Byte 0x80-0xff: write it as the two-byte UTF-8 form of that code point. */
                    BSB_EXPORT_u08(*bsb, (0xc0 | (*in >> 6)));
                    BSB_EXPORT_u08(*bsb, (0x80 | (*in & 0x3f)));
                } else {
                    BSB_EXPORT_u08(*bsb, *in);
                }
            }
            break;
        }
        /* (listing ends here; the rest of the loop body is not shown) */
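/*
 * Queue a WISE lookup of `value` for `session`, or answer it from the cache.
 *
 * session  session waiting for the result
 * request  batch being built; the item is appended to request->bsb as
 *          <u8 type><u16 length><value bytes> and recorded in request->items
 * value    NUL-terminated key to look up
 * type     item type; indexes stats[], itemHash[] and itemList[] without a
 *          range check, so callers must pass a valid type
 *
 * Nothing is done for an empty value, a batch that already holds 256 items,
 * or a value longer than 65535 bytes. If the key is already being looked up
 * the session is added to its waiters; if a cached answer is younger than
 * cacheSecs it is applied immediately; otherwise a new request item is added.
 */
void wise_lookup(MolochSession_t *session, WiseRequest_t *request, char *value, int type)
{
    static int lookups = 0;
    const int initial_slots = 20;   /* size of a new item's waiter array */

    if (*value == 0)
        return;

    if (request->numItems >= 256)
        return;

    /*
     * The wire format carries the length in 16 bits. A longer value would have
     * its length truncated while all of its bytes were still appended, so the
     * receiver would parse the excess as further items. Skip such values.
     */
    size_t value_len = strlen(value);
    if (value_len > 0xffff)
        return;

    lookups++;
    if ((lookups % 10000) == 0)
        wise_print_stats();

    stats[type][INTEL_STAT_LOOKUP]++;

    WiseItem_t *wi;
    HASH_FIND(wih_, itemHash[type], value, wi);

    MolochSession_t **waiters;

    if (wi) {
        // Already being looked up
        if (wi->sessions) {
            /* When the waiter array is full the session is not added. */
            if (wi->numSessions < wi->sessionsSize) {
                wi->sessions[wi->numSessions++] = session;
                moloch_nids_incr_outstanding(session);
            }
            stats[type][INTEL_STAT_INPROGRESS]++;
            return;
        }

        struct timeval currentTime;
        gettimeofday(&currentTime, NULL);

        if (wi->loadTime + cacheSecs > currentTime.tv_sec) {
            wise_process_ops(session, wi);
            stats[type][INTEL_STAT_CACHE]++;
            return;
        }

        /*
         * Had it in cache, but it is too old. Allocate the waiter array before
         * touching the cache list so a failed allocation leaves the entry
         * exactly as it was and a later lookup can retry.
         */
        waiters = malloc(sizeof(MolochSession_t *) * wi->sessionsSize);
        if (!waiters)
            return;

        DLL_REMOVE(wil_, &itemList[type], wi);
        wise_free_ops(wi);
    } else {
        // Know nothing about it
        waiters = malloc(sizeof(MolochSession_t *) * initial_slots);
        if (!waiters)
            return;

        wi = MOLOCH_TYPE_ALLOC0(WiseItem_t);
        wi->key = g_strdup(value);
        wi->type = type;
        wi->sessionsSize = initial_slots;
        HASH_ADD(wih_, itemHash[type], wi->key, wi);
    }

    /* NOTE(review): assumes numSessions is 0 whenever wi->sessions is NULL -- confirm where sessions is released. */
    wi->sessions = waiters;
    wi->sessions[wi->numSessions++] = session;
    moloch_nids_incr_outstanding(session);

    stats[type][INTEL_STAT_REQUEST]++;

    /* NOTE(review): room in request->bsb is not checked here; presumably the BSB_EXPORT_* macros handle a full buffer -- confirm. */
    BSB_EXPORT_u08(request->bsb, type);
    int len = (int)value_len;
    BSB_EXPORT_u16(request->bsb, len);
    BSB_EXPORT_ptr(request->bsb, value, len);

    request->items[request->numItems++] = wi;
}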