/**
 * Register the "email_lg" scanner with the framework.
 *
 * Fills in the scanner's metadata, the feature files it writes
 * (email, domain, url, rfc822, ether) and the histograms that are
 * derived from those feature files after the run.
 *
 * @param sp  scanner parameters; only sp.info is written to here.
 */
void Scanner::startup(const scanner_params& sp)
{
    // The framework and this scanner must agree on the parameter and
    // info struct layouts before any field below is touched.
    assert(sp.sp_version == scanner_params::CURRENT_SP_VERSION);
    assert(sp.info->si_version == scanner_info::CURRENT_SI_VERSION);

    scanner_info& info = *sp.info;

    info.name            = "email_lg";
    info.author          = "Simson L. Garfinkel";
    info.description     = "Scans for email addresses, domains, URLs, RFC822 headers, etc.";
    info.scanner_version = "1.0";

    // Feature files this scanner creates.
    static const char* const kFeatureNames[] = {"email", "domain", "url", "rfc822", "ether"};
    for (size_t i = 0; i < sizeof(kFeatureNames) / sizeof(kFeatureNames[0]); ++i) {
        info.feature_names.insert(kFeatureNames[i]);
    }

    // Whole-feature histograms.
    info.histogram_defs.insert(histogram_def("email", "", "histogram", HistogramMaker::FLAG_LOWERCASE));
    info.histogram_defs.insert(histogram_def("domain", "", "histogram"));
    info.histogram_defs.insert(histogram_def("url", "", "histogram"));

    // Histograms over a captured sub-match of each URL feature.
    info.histogram_defs.insert(histogram_def("url", "://([^/]+)", "services"));
    info.histogram_defs.insert(histogram_def("url", "://((cid-[0-9a-f])+[a-z.].live.com/)", "microsoft-live"));
    info.histogram_defs.insert(histogram_def("url", "://[-_a-z0-9.]+facebook.com/.*[&?]{1}id=([0-9]+)", "facebook-id"));
    info.histogram_defs.insert(histogram_def("url", "://[-_a-z0-9.]+facebook.com/([a-zA-Z0-9.]*[^/?&]$)", "facebook-address", HistogramMaker::FLAG_LOWERCASE));
    info.histogram_defs.insert(histogram_def("url", "search.*[?&/;fF][pq]=([^&/]+)", "searches"));
}
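/**
 * The "find" scanner: reports every occurrence of the user-supplied
 * patterns (command-line patterns and pattern files) in each sbuf.
 *
 * Phase handling:
 *  - PHASE_STARTUP : register name, feature file "find" and its histogram.
 *  - PHASE_INIT    : load FindOpts.Patterns and FindOpts.Files into find_list.
 *  - PHASE_SCAN    : search a NUL-terminated copy of the buffer and write
 *                    each hit to the "find" feature recorder.
 *  - PHASE_SHUTDOWN: nothing to do.
 *
 * @param sp   scanner parameters (phase, info, sbuf, feature recorder set).
 * @param rcb  recursion control block; unused by this scanner.
 */
void scan_find(const class scanner_params &sp, const recursion_control_block &rcb)
{
    assert(sp.sp_version == scanner_params::CURRENT_SP_VERSION);

    if (sp.phase == scanner_params::PHASE_STARTUP) {
        assert(sp.info->si_version == scanner_info::CURRENT_SI_VERSION);
        sp.info->name            = "find";
        sp.info->author          = "Simson Garfinkel";
        sp.info->description     = "Simple search for patterns";
        sp.info->scanner_version = "1.1";
        sp.info->flags           = scanner_info::SCANNER_FIND_SCANNER;
        sp.info->feature_names.insert("find");
        sp.info->histogram_defs.insert(histogram_def("find", "", "histogram", HistogramMaker::FLAG_LOWERCASE));
        return;
    }

    if (sp.phase == scanner_params::PHASE_SHUTDOWN) return;

    if (sp.phase == scanner_params::PHASE_INIT) {
        // Command-line patterns first, then every pattern file.
        for (std::vector<std::string>::const_iterator itr = FindOpts.Patterns.begin();
             itr != FindOpts.Patterns.end(); ++itr) {
            add_find_pattern(*itr);
        }
        for (std::vector<std::string>::const_iterator itr = FindOpts.Files.begin();
             itr != FindOpts.Files.end(); ++itr) {
            process_find_file(itr->c_str());
        }
    }

    if (sp.phase == scanner_params::PHASE_SCAN) {
        feature_recorder *f = sp.fs.get_name("find");
        if (!f) return;      // NOTE(review): defensive; assumes get_name() can return a null pointer — confirm

        /* The current regex library treats \0 as the end of a string.
         * So we search a copy of the buffer that is one byte bigger and
         * carries a terminating \0; the scan then resumes after each \0
         * inside the data so that nothing past an embedded NUL is missed. */
        managed_malloc<u_char> tmpbuf(sp.sbuf.bufsize + 1);
        if (!tmpbuf.buf) return;      // no memory for searching
        memcpy(tmpbuf.buf, sp.sbuf.buf, sp.sbuf.bufsize);
        tmpbuf.buf[sp.sbuf.bufsize] = 0;

        for (size_t pos = 0; pos < sp.sbuf.pagesize && pos < sp.sbuf.bufsize;) {
            std::string found;
            size_t offset = 0;
            size_t len    = 0;
            const char *start = reinterpret_cast<const char *>(tmpbuf.buf + pos);

            if (find_list.check(start, &found, &offset, &len)) {
                if (len == 0) {
                    // A zero-length match must still advance the cursor: the
                    // previous code bumped the per-iteration local `len` and
                    // `continue`d, which left `pos` unchanged and spun forever
                    // on such input. Step one byte past where the empty match
                    // was reported so the loop always makes progress.
                    pos += offset + 1;
                    continue;
                }
                // A match cannot run past bufsize because the copy is NUL-terminated there.
                f->write_buf(sp.sbuf, pos + offset, len);
                pos += offset + len;
            } else {
                // Nothing found before the next \0: skip one past it, or to
                // the end of the buffer if there is none.
                const u_char *eos = static_cast<const u_char *>(
                    memchr(tmpbuf.buf + pos, '\000', sp.sbuf.bufsize - pos));
                pos = eos ? static_cast<size_t>(eos - tmpbuf.buf) + 1 : sp.sbuf.bufsize;
            }
        }
    }
}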
/**
 * Register the "accts_lg" scanner with the framework.
 *
 * Fills in the scanner's metadata, the feature files it writes
 * (ccn, pii, ccn_track2, telephone), the histograms derived from them,
 * and snapshots the configured debug level into scan_ccns2_debug.
 *
 * @param sp  scanner parameters; sp.info is written to, sp.info->config->debug is read.
 */
void Scanner::startup(const scanner_params& sp)
{
    // The framework and this scanner must agree on the parameter and
    // info struct layouts before any field below is touched.
    assert(sp.sp_version == scanner_params::CURRENT_SP_VERSION);
    assert(sp.info->si_version == scanner_info::CURRENT_SI_VERSION);

    scanner_info& info = *sp.info;

    info.name            = "accts_lg";
    info.author          = "Simson L. Garfinkel";
    info.description     = "scans for CCNs, track 2, and phone #s";
    info.scanner_version = "1.0";

    // Feature files this scanner creates ("pii" = personally identifiable information).
    static const char* const kFeatureNames[] = {"ccn", "pii", "ccn_track2", "telephone"};
    for (size_t i = 0; i < sizeof(kFeatureNames) / sizeof(kFeatureNames[0]); ++i) {
        info.feature_names.insert(kFeatureNames[i]);
    }

    // Histograms to build from the feature files.
    info.histogram_defs.insert(histogram_def("ccn", "", "histogram"));
    info.histogram_defs.insert(histogram_def("ccn_track2", "", "histogram"));
    info.histogram_defs.insert(histogram_def("telephone", "", "histogram", HistogramMaker::FLAG_NUMERIC));

    // Module-wide debug level, read from the scanner's configuration.
    scan_ccns2_debug = info.config->debug;
}