// Unlink `item` from its bucket in the `alerts` hash table and schedule it
// for deferred release via suricata_item_free(). If `item` is not present in
// the bucket the table is left untouched. The bucket scan runs under
// alerts.lock.
LOCAL void suricata_alerts_del(SuricataItem_t *item)
{
    int bucket = item->hash % alerts.num;

    MOLOCH_LOCK(alerts.lock);
    // Walk the chain through the link that points at each node so the
    // predecessor (or the bucket head) can be rewritten in place.
    SuricataItem_t **link = &alerts.items[bucket];
    while (*link) {
        if (*link == item) {
            *link = item->items_next;
            moloch_free_later(item, (GDestroyNotify)suricata_item_free);
            alerts.cnt--;
            break;
        }
        link = &(*link)->items_next;
    }
    MOLOCH_UNLOCK(alerts.lock);
}
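// Load the YAML rule files named in the NULL-terminated `names` array.
// The current rule set is snapshotted and handed to moloch_free_later() so it
// can be released once readers have moved on; moloch_rules_load_complete()
// then publishes the newly loaded set. A file that cannot be opened is fatal
// (LOGEXIT); a file that parses to no rules is logged and skipped.
void moloch_rules_load(char **names)
{
    int i;

    // Make a copy of current items to free later
    MolochRulesInfo_t *freeing = MOLOCH_TYPE_ALLOC0(MolochRulesInfo_t);
    memcpy(freeing, &current, sizeof(current));
    moloch_free_later(freeing, (GDestroyNotify) moloch_rules_free);

    // Load all the rule files
    for (i = 0; names[i]; i++) {
        FILE *input = fopen(names[i], "rb");
        if (!input)
            LOGEXIT("ERROR - can not open rules file %s", names[i]);

        yaml_parser_t parser;
        if (!yaml_parser_initialize(&parser))
            LOGEXIT("ERROR - can not initialize yaml parser for rules file %s", names[i]);
        yaml_parser_set_input_file(&parser, input);
        YamlNode_t *parent = moloch_rules_parse_yaml(names[i], NULL, &parser, FALSE);
        yaml_parser_delete(&parser);

        // The stream is only consumed while parsing, so close it as soon as
        // the parser is gone; closing it after the load leaked the handle on
        // the "has no rules" continue path.
        fclose(input);

        if (!parent) {
            LOG("WARNING %s - has no rules", names[i]);
            continue;
        }

#ifdef RULES_DEBUG
        moloch_rules_parse_print(parent, 0);
#endif

        moloch_rules_load_file(names[i], parent);
        moloch_rules_free_node(parent);
    }

    // Part 2, which will also copy loading to current
    moloch_rules_load_complete();
}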
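// Evaluate every filenameOps regex against offlinePcapFilename and store the
// expanded values as field ops for the current readerPos slot, replacing any
// ops left over from an earlier file in that slot.
LOCAL void reader_libpcapfile_apply_filename_ops(void)
{
    // Free any previously allocated
    if (readerFieldOps[readerPos].size > 0)
        moloch_field_ops_free(&readerFieldOps[readerPos]);

    moloch_field_ops_init(&readerFieldOps[readerPos], filenameOpsNum, MOLOCH_FIELD_OPS_FLAGS_COPY);

    // Go thru all the filename ops looking for matches and then expand the value string
    int i;
    for (i = 0; i < filenameOpsNum; i++) {
        GMatchInfo *match_info = 0;
        g_regex_match(filenameOps[i].regex, offlinePcapFilename, 0, &match_info);
        if (g_match_info_matches(match_info)) {
            GError *error = 0;
            char *expand = g_match_info_expand_references(match_info, filenameOps[i].expand, &error);
            if (error) {
                LOG("Error expanding '%s' with '%s' - %s", offlinePcapFilename, filenameOps[i].expand, error->message);
                g_error_free(error);
            }
            if (expand) {
                moloch_field_ops_add(&readerFieldOps[readerPos], filenameOps[i].field, expand, -1);
                g_free(expand);
            }
        }
        // Safe on a NULL match_info.
        g_match_info_free(match_info);
    }
}

// Called once `pcap` has been opened on a new offline file: records link
// type and snaplen, installs the configured BPF, advances readerPos and
// remembers the file name, hooks the read callback into the event loop, and
// applies any filename-derived field ops.
LOCAL void reader_libpcapfile_opened()
{
    // Prototype declared locally rather than pulled in from a header.
    int dlt_to_linktype(int dlt);

    if (config.flushBetween)
        moloch_session_flush();

    moloch_packet_set_linksnap(dlt_to_linktype(pcap_datalink(pcap)) | pcap_datalink_ext(pcap), pcap_snapshot(pcap));

    offlineFile = pcap_file(pcap);

    // 239 is LINKTYPE_NFLOG; the BPF is skipped for it, presumably because
    // a filter cannot be applied to that link type -- confirm.
    if (config.bpf && pcapFileHeader.linktype != 239) {
        struct bpf_program bpf;
        if (pcap_compile(pcap, &bpf, config.bpf, 1, PCAP_NETMASK_UNKNOWN) == -1) {
            LOGEXIT("ERROR - Couldn't compile filter: '%s' with %s", config.bpf, pcap_geterr(pcap));
        }
        if (pcap_setfilter(pcap, &bpf) == -1) {
            LOGEXIT("ERROR - Couldn't set filter: '%s' with %s", config.bpf, pcap_geterr(pcap));
        }
        // pcap_setfilter() keeps its own copy of the program; release the
        // compiled code so it is not leaked once per opened file.
        pcap_freecode(&bpf);
    }

    readerPos++;
    if (readerFileName[readerPos])
        moloch_free_later(readerFileName[readerPos], g_free);
    readerFileName[readerPos] = g_strdup(offlinePcapFilename);

    // With a real descriptor the event loop drives reads; otherwise schedule
    // an immediate read callback.
    int fd = pcap_fileno(pcap);
    if (fd == -1) {
        g_timeout_add(0, reader_libpcapfile_read, NULL);
    } else {
        moloch_watch_fd(fd, MOLOCH_GIO_READ_COND, reader_libpcapfile_read, NULL);
    }

    if (filenameOpsNum > 0)
        reader_libpcapfile_apply_filename_ops();
}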