void tls_process_server_hello(MolochSession_t *session, const unsigned char *data, int len) { BSB bsb; BSB_INIT(bsb, data, len); unsigned char *ver; BSB_IMPORT_ptr(bsb, ver, 2); BSB_IMPORT_skip(bsb, 32); // Random int skiplen = 0; BSB_IMPORT_u08(bsb, skiplen); // Session Id Length BSB_IMPORT_skip(bsb, skiplen); // Session Id unsigned char *cipher; BSB_IMPORT_ptr(bsb, cipher, 2); if (!BSB_IS_ERROR(bsb)) { char str[100]; if (ver[0] == 3) { switch (ver[1]) { case 0: moloch_field_string_add(verField, session, "SSLv3", 5, TRUE); break; case 1: moloch_field_string_add(verField, session, "TLSv1", 5, TRUE); break; case 2: moloch_field_string_add(verField, session, "TLSv1.1", 7, TRUE); break; case 3: moloch_field_string_add(verField, session, "TLSv1.2", 7, TRUE); break; default: snprintf(str, sizeof(str), "0x%02x.%02x", ver[0], ver[1]); moloch_field_string_add(verField, session, str, 6, TRUE); } } else { snprintf(str, sizeof(str), "0x%02x.%02x", ver[0], ver[1]); moloch_field_string_add(verField, session, str, 7, TRUE); } char *cipherStr = ciphers[cipher[0]][cipher[1]]; if (cipherStr) moloch_field_string_add(cipherField, session, cipherStr, -1, TRUE); else { snprintf(str, sizeof(str), "%02X%02X", cipher[0], cipher[1]); moloch_field_string_add(cipherField, session, str, 4, TRUE); } } }
int radius_udp_parser(MolochSession_t *session, void *UNUSED(uw), const unsigned char *data, int len, int UNUSED(which)) { BSB bsb; BSB_INIT(bsb, data, len); BSB_IMPORT_skip(bsb, 20); unsigned char type = 0, length = 0; unsigned char *value; char str[256]; struct in_addr in; int i; while (BSB_REMAINING(bsb) > 2) { BSB_IMPORT_u08(bsb, type); BSB_IMPORT_u08(bsb, length); length -= 2; // length includes the type/length BSB_IMPORT_ptr(bsb, value, length); if (BSB_IS_ERROR(bsb)) { break; } switch (type) { case 1: moloch_field_string_add(userField, session, (char *)value, length, TRUE); break; /* case 4: LOG("NAS-IP-Address: %d %d %u.%u.%u.%u", type, length, value[0], value[1], value[2], value[3]); break;*/ case 8: memcpy(&in.s_addr, value, 4); moloch_field_int_add(framedIpField, session, in.s_addr); break; case 31: if (length == 12) { snprintf(str, sizeof(str), "%c%c:%c%c:%c%c:%c%c:%c%c:%c%c", value[0], value[1], value[2], value[3], value[4], value[5], value[6], value[7], value[8], value[9], value[10], value[11]); for (i = 0; i < 17; i++) { if (isupper (str[i])) str[i] = tolower (str[i]); } moloch_field_string_add(macField, session, str, 17, TRUE); } break; case 66: memcpy(str, value, length); str[length] = 0; inet_aton(str, &in); moloch_field_int_add(endpointIpField, session, in.s_addr); break; /* default: LOG("%d %d %.*s", type, length, length, value);*/ } } return 0; }