int dns_name_element(BSB *nbsb, BSB *bsb)
{
int nlen = 0;
BSB_IMPORT_u08(*bsb, nlen);
if (nlen == 0 || nlen > BSB_REMAINING(*bsb)) {
return 1;
}
int j;
for (j = 0; j < nlen; j++) {
register u_char c = 0;
BSB_IMPORT_u08(*bsb, c);
if (!isascii(c)) {
BSB_EXPORT_u08(*nbsb, 'M');
BSB_EXPORT_u08(*nbsb, '-');
c = toascii(c);
}
if (!isprint(c)) {
BSB_EXPORT_u08(*nbsb, '^');
c ^= 0x40;
}
BSB_EXPORT_u08(*nbsb, c);
}
return 0;
}
unsigned char *dns_name(const unsigned char *full, int fulllen, BSB *inbsb, int *namelen)
{
static unsigned char name[8000];
BSB nbsb;
int didPointer = 0;
BSB tmpbsb;
BSB *curbsb;
BSB_INIT(nbsb, name, sizeof(name));
curbsb = inbsb;
while (BSB_REMAINING(*curbsb)) {
unsigned char ch = 0;
BSB_IMPORT_u08(*curbsb, ch);
if (ch == 0)
break;
BSB_EXPORT_rewind(*curbsb, 1);
if (ch & 0xc0) {
if (didPointer > 5)
return 0;
didPointer++;
int tpos = 0;
BSB_IMPORT_u16(*curbsb, tpos);
tpos &= 0x3fff;
BSB_INIT(tmpbsb, full+tpos, fulllen - tpos);
curbsb = &tmpbsb;
continue;
}
if (BSB_LENGTH(nbsb)) {
BSB_EXPORT_u08(nbsb, '.');
}
if (dns_name_element(&nbsb, curbsb) && BSB_LENGTH(nbsb))
BSB_EXPORT_rewind(nbsb, 1); // Remove last .
}
*namelen = BSB_LENGTH(nbsb);
BSB_EXPORT_u08(nbsb, 0);
return name;
}
void netflow_send()
{
BSB hbsb;
BSB_INIT(hbsb, buf, headerSize);
uint32_t sys_uptime = (bufTime.tv_sec - initialPacket.tv_sec)*1000; /*+
(bufTIme.tv_usec - initialPacket.tv_usec)/1000;*/
/* Header */
BSB_EXPORT_u16(hbsb, netflowVersion);
BSB_EXPORT_u16(hbsb, bufCount); // count
BSB_EXPORT_u32(hbsb, sys_uptime); // sys_uptime
BSB_EXPORT_u32(hbsb, bufTime.tv_sec);
BSB_EXPORT_u32(hbsb, bufTime.tv_usec);
switch (netflowVersion) {
case 5:
BSB_EXPORT_u32(hbsb, totalFlows); // flow_sequence
BSB_EXPORT_u08(hbsb, 0); // engine_type
BSB_EXPORT_u08(hbsb, 0); // engine_id
BSB_EXPORT_u16(hbsb, 0); // mode/interval
break;
case 7:
BSB_EXPORT_u32(hbsb, totalFlows); // flow_sequence
BSB_EXPORT_u32(hbsb, 0); // reserved
break;
}
int i;
for (i = 0; i < numDests; i++) {
int rc;
if ((rc = send(dests[i].fd, buf, BSB_LENGTH(bsb)+headerSize, 0)) < BSB_LENGTH(bsb)+headerSize) {
LOG("Failed to send rc=%d size=%ld", rc, BSB_LENGTH(bsb)+headerSize);
}
}
totalFlows += bufCount;
BSB_INIT(bsb, buf + headerSize, sizeof(buf) - headerSize);
bufCount = 0;
}
void moloch_db_js0n_str(BSB *bsb, unsigned char *in, gboolean utf8)
{
BSB_EXPORT_u08(*bsb, '"');
while (*in) {
switch(*in) {
case '\b':
BSB_EXPORT_u08(*bsb, '\\');
BSB_EXPORT_u08(*bsb, 'b');
break;
case '\n':
BSB_EXPORT_u08(*bsb, '\\');
BSB_EXPORT_u08(*bsb, 'n');
break;
case '\r':
BSB_EXPORT_u08(*bsb, '\\');
BSB_EXPORT_u08(*bsb, 'r');
break;
case '\f':
BSB_EXPORT_u08(*bsb, '\\');
BSB_EXPORT_u08(*bsb, 'f');
break;
case '\t':
BSB_EXPORT_u08(*bsb, '\\');
BSB_EXPORT_u08(*bsb, 't');
break;
case '"':
BSB_EXPORT_u08(*bsb, '\\');
BSB_EXPORT_u08(*bsb, '"');
break;
case '\\':
BSB_EXPORT_u08(*bsb, '\\');
BSB_EXPORT_u08(*bsb, '\\');
break;
case '/':
BSB_EXPORT_u08(*bsb, '\\');
BSB_EXPORT_u08(*bsb, '/');
break;
default:
if(*in < 32) {
BSB_EXPORT_sprintf(*bsb, "\\u%04x", *in);
} else if (utf8) {
if ((*in & 0xf0) == 0xf0) {
BSB_EXPORT_u08(*bsb, *(in++));
BSB_EXPORT_u08(*bsb, *(in++));
BSB_EXPORT_u08(*bsb, *(in++));
BSB_EXPORT_u08(*bsb, *in);
} else if ((*in & 0xf0) == 0xe0) {
BSB_EXPORT_u08(*bsb, *(in++));
BSB_EXPORT_u08(*bsb, *(in++));
BSB_EXPORT_u08(*bsb, *in);
} else if ((*in & 0xf0) == 0xd0) {
BSB_EXPORT_u08(*bsb, *(in++));
BSB_EXPORT_u08(*bsb, *in);
} else {
BSB_EXPORT_u08(*bsb, *in);
}
} else {
if(*in & 0x80) {
BSB_EXPORT_u08(*bsb, (0xc0 | (*in >> 6)));
BSB_EXPORT_u08(*bsb, (0x80 | (*in & 0x3f)));
} else {
BSB_EXPORT_u08(*bsb, *in);
}
}
break;
}
void wise_lookup(MolochSession_t *session, WiseRequest_t *request, char *value, int type)
{
static int lookups = 0;
if (*value == 0)
return;
if (request->numItems >= 256)
return;
lookups++;
if ((lookups % 10000) == 0)
wise_print_stats();
stats[type][INTEL_STAT_LOOKUP]++;
WiseItem_t *wi;
HASH_FIND(wih_, itemHash[type], value, wi);
if (wi) {
// Already being looked up
if (wi->sessions) {
if (wi->numSessions < wi->sessionsSize) {
wi->sessions[wi->numSessions++] = session;
moloch_nids_incr_outstanding(session);
}
stats[type][INTEL_STAT_INPROGRESS]++;
return;
}
struct timeval currentTime;
gettimeofday(¤tTime, NULL);
if (wi->loadTime + cacheSecs > currentTime.tv_sec) {
wise_process_ops(session, wi);
stats[type][INTEL_STAT_CACHE]++;
return;
}
/* Had it in cache, but it is too old */
DLL_REMOVE(wil_, &itemList[type], wi);
wise_free_ops(wi);
} else {
// Know nothing about it
wi = MOLOCH_TYPE_ALLOC0(WiseItem_t);
wi->key = g_strdup(value);
wi->type = type;
wi->sessionsSize = 20;
HASH_ADD(wih_, itemHash[type], wi->key, wi);
}
wi->sessions = malloc(sizeof(MolochSession_t *) * wi->sessionsSize);
wi->sessions[wi->numSessions++] = session;
moloch_nids_incr_outstanding(session);
stats[type][INTEL_STAT_REQUEST]++;
BSB_EXPORT_u08(request->bsb, type);
int len = strlen(value);
BSB_EXPORT_u16(request->bsb, len);
BSB_EXPORT_ptr(request->bsb, value, len);
request->items[request->numItems++] = wi;
}
