コード例 #1
ファイル: tcp_garbage.c プロジェクト: Lingnutter/xplico
/**
 * Register the "TCP garbage" (tcp-grb) dissector.
 *
 * Declares the protocol name, a heuristic dependency on "tcp" validated by
 * TcpGrbCheck, five PEI components, then reads the optional settings from
 * the configuration file and registers TcpGrbDissector.
 *
 * @param file_cfg  configuration file handed to CfgParamStr()/CfgParamInt().
 *                  It is forwarded without a NULL test in this function
 *                  (NOTE(review): confirm the helpers tolerate NULL).
 * @return always 0.
 */
int DissecRegist(const char *file_cfg)
{
    /* PEI components, registered in exactly this order */
    static const pei_cmpt components[] = {
        { .abbrev = "l7prot", .desc = "L7 protocol march" },
        { .abbrev = "txt",    .desc = "Text file" },
        { .abbrev = "size",   .desc = "Flow total size" },
        { .abbrev = "file",   .desc = "File extracted" },
        { .abbrev = "ftype",  .desc = "File type" },
    };
    char cfg[TCP_GRB_FILENAME_PATH_SIZE];
    proto_heury_dep hdep;
    pei_cmpt peic;
    size_t i;

    memset(&peic, 0, sizeof peic);
    memset(&hdep, 0, sizeof hdep);

    /* protocol name */
    ProtName("TCP garbage", "tcp-grb");

    /* heuristic dependency on tcp */
    hdep.name = "tcp";
    hdep.ProtCheck = TcpGrbCheck;
    ProtHeuDep(&hdep);

    /* only abbrev/desc change between registrations */
    for (i = 0; i < sizeof components / sizeof components[0]; i++) {
        peic.abbrev = components[i].abbrev;
        peic.desc = components[i].desc;
        ProtPeiComponent(&peic);
    }

    /* file-type digging state starts empty; the build flag decides whether it is used */
    dig_tbl = NULL;
    dig_type_dim = 0;
#if GRB_DIG_ENABLE
    enable_dig = TRUE;
#else
    enable_dig = FALSE;
#endif

    /* load config file data; the buffer size is passed alongside cfg */
    if (CfgParamStr(file_cfg, TCP_GRB_CFG_FILE, cfg, TCP_GRB_FILENAME_PATH_SIZE) == 0) {
        TcpGrbCfg(cfg);
    }

    /* fall back to the compiled-in packet limit when the key cannot be read */
    if (CfgParamInt(file_cfg, TCP_GRB_PKT_LIMIT_CFG, &limit_pkts) != 0) {
        limit_pkts = TCP_GRB_PKT_LIMIT;
    }

    /* with digging disabled the table dimension is forced back to 0
     * (presumably TcpGrbCfg may have changed it -- confirm) */
    if (enable_dig == FALSE) {
        dig_type_dim = 0;
    }

    /* dissectors subdissectors registration */
    ProtDissectors(NULL, TcpGrbDissector, NULL, NULL);

    return 0;
}
コード例 #2
ファイル: httpfd.c プロジェクト: Cbrdiv/xplico
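/**
 * Register the "Http file download" (httpfd) dissector.
 *
 * Reads the optional HTTPFD_HTTP_INSERT boolean from the configuration
 * file, declares a dependency on http flows whose http.content_range
 * attribute matches "-" under FT_OP_CNTD, registers four PEI components
 * and installs HttpFdDissector.
 *
 * @param file_cfg  configuration file path, may be NULL (the option is then
 *                  left at its default, FALSE).
 * @return 0 on success, -1 if the dependency string cannot be allocated
 *         (NOTE(review): assumes the caller treats non-zero as failure).
 */
int DissecRegist(const char *file_cfg)
{
    /* value matched against http.content_range */
    static const char range_mark[] = "-";
    proto_dep dep;
    pei_cmpt peic;
    bool hins;

    insert_http = FALSE;
    if (file_cfg != NULL) {
        /* hins is only read when the helper reports success */
        if (CfgParamBool(file_cfg, "HTTPFD_HTTP_INSERT", &hins) == 0) {
            if (hins) {
                insert_http = TRUE;
            }
        }
    }

    memset(&dep, 0, sizeof(proto_dep));
    memset(&peic, 0, sizeof(pei_cmpt));

    /* protocol name */
    ProtName("Http file download", "httpfd");

    /* http dependence */
    dep.name = "http";
    dep.attr = "http.content_range";
    dep.type = FT_STRING;
    dep.op = FT_OP_CNTD;
    /* Size the buffer from the literal itself so that editing the string can
     * never overrun a hand-counted allocation, and do not write through a
     * failed allocation. */
    dep.val.str = DMemMalloc(sizeof range_mark);
    if (dep.val.str == NULL) {
        return -1;
    }
    memcpy(dep.val.str, range_mark, sizeof range_mark);
    ProtDep(&dep);

    /* PEI components */
    peic.abbrev = "url";
    peic.desc = "Uniform Resource Locator";
    ProtPeiComponent(&peic);

    peic.abbrev = "file";
    peic.desc = "File";
    ProtPeiComponent(&peic);

    peic.abbrev = "range";
    peic.desc = "File range";
    ProtPeiComponent(&peic);

    peic.abbrev = "content_type";
    peic.desc = "Content Type";
    ProtPeiComponent(&peic);

    /* dissectors registration */
    ProtDissectors(HttpFdDissector, NULL, NULL, NULL);

    return 0;
}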
コード例 #3
ファイル: arp.c プロジェクト: Cbrdiv/xplico
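/**
 * Register the "Address Resolution Protocol" (arp) dissector.
 *
 * Declares four dependencies (eth.type and vlan.type, each for
 * ETHERTYPE_ARP and ETHERTYPE_REVARP), two PEI components and installs
 * ArpDissector.
 *
 * @param file_cfg  configuration file path; not used by this dissector.
 * @return always 0.
 */
int DissecRegist(const char *file_cfg)
{
    proto_dep dep;
    pei_cmpt peic;

    memset(&dep, 0, sizeof(proto_dep));
    /* peic was previously handed to ProtPeiComponent() with only abbrev and
     * desc assigned; zero it so any other member is never read as
     * indeterminate stack contents. */
    memset(&peic, 0, sizeof(pei_cmpt));

    /* protocol name */
    ProtName("Address Resolution Protocol", "arp");

    /* ethernet dependence */
    dep.name = "eth";
    dep.attr = "eth.type";
    dep.type = FT_UINT16;
    dep.val.uint16 = ETHERTYPE_ARP;
    ProtDep(&dep);

    dep.name = "eth";
    dep.attr = "eth.type";
    dep.type = FT_UINT16;
    dep.val.uint16 = ETHERTYPE_REVARP;
    ProtDep(&dep);

    /* vlan dependence */
    dep.name = "vlan";
    dep.attr = "vlan.type";
    dep.type = FT_UINT16;
    dep.val.uint16 = ETHERTYPE_ARP;
    ProtDep(&dep);

    dep.name = "vlan";
    dep.attr = "vlan.type";
    dep.type = FT_UINT16;
    dep.val.uint16 = ETHERTYPE_REVARP;
    ProtDep(&dep);

    /* PEI components */
    peic.abbrev = "mac";
    peic.desc = "MAC address";
    ProtPeiComponent(&peic);

    peic.abbrev = "ip";
    peic.desc = "IP address";
    ProtPeiComponent(&peic);

    /* dissectors registration */
    ProtDissectors(ArpDissector, NULL, NULL, NULL);

    return 0;
}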
コード例 #4
ファイル: telnet.c プロジェクト: shineit/wifimanage
/**
 * Register the "Telnet" (telnet) dissector.
 *
 * Two ways of attaching to tcp are declared: a heuristic dependency checked
 * by TelnetCheck, and a tcp.dstport == TCP_PORT_TELNET dependency verified
 * by TelnetVerify; both use TELNET_PKT_LIMIT as packet limit. Four PEI
 * components are registered and TelnetDissector is installed.
 *
 * The "user" and "password" components mean PEI records for this protocol
 * are expected to carry credentials (presumably captured in cleartext --
 * confirm in the dissector); storage and access to that output should be
 * handled as sensitive data.
 *
 * @param file_cfg  configuration file path; not used by this dissector.
 * @return always 0.
 */
int DissecRegist(const char *file_cfg)
{
    /* PEI components, registered in exactly this order */
    static const pei_cmpt components[] = {
        { .abbrev = "host",     .desc = "Host name or IP" },
        { .abbrev = "user",     .desc = "User name" },
        { .abbrev = "password", .desc = "Password" },
        { .abbrev = "cmd",      .desc = "Commands" },
    };
    pei_cmpt peic;
    proto_dep dep;
    proto_heury_dep hdep;
    size_t i;

    memset(&peic, 0, sizeof peic);
    memset(&dep, 0, sizeof dep);
    memset(&hdep, 0, sizeof hdep);

    /* protocol name */
    ProtName("Telnet", "telnet");

    /* heuristic dependency: any tcp flow accepted by TelnetCheck */
    hdep.pktlim = TELNET_PKT_LIMIT;
    hdep.ProtCheck = TelnetCheck;
    hdep.name = "tcp";
    ProtHeuDep(&hdep);

    /* port dependency: tcp flows to the telnet port, verified by TelnetVerify */
    dep.pktlim = TELNET_PKT_LIMIT;
    dep.ProtCheck = TelnetVerify;
    dep.val.uint16 = TCP_PORT_TELNET;
    dep.type = FT_UINT16;
    dep.attr = "tcp.dstport";
    dep.name = "tcp";
    ProtDep(&dep);

    /* only abbrev/desc change between registrations */
    for (i = 0; i < sizeof components / sizeof components[0]; i++) {
        peic.abbrev = components[i].abbrev;
        peic.desc = components[i].desc;
        ProtPeiComponent(&peic);
    }

    /* dissectors subdissectors registration */
    ProtDissectors(NULL, TelnetDissector, NULL, NULL);

    return 0;
}
コード例 #5
ファイル: mpei.c プロジェクト: Cbrdiv/xplico
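/**
 * Register the PEI components "parts" and "complete".
 *
 * @return always 0.
 */
int ManipPeiComponent(void)
{
    /* Zero-initialise: only abbrev and desc are assigned below, and the
     * struct is passed by address to ProtPeiComponent(), so any other
     * member must not be left as indeterminate stack contents. */
    pei_cmpt peic = {0};

    /* part */
    peic.abbrev = "parts";
    peic.desc = "File of parts";
    ProtPeiComponent(&peic);

    /* completion percentage (description string kept as registered) */
    peic.abbrev = "complete";
    peic.desc = "Complete pencentual";
    ProtPeiComponent(&peic);

    return 0;
}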
コード例 #6
ファイル: ipp.c プロジェクト: Cbrdiv/xplico
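/**
 * Register the "Internet Printing Protocol" (ipp) dissector.
 *
 * Declares a dependency on http flows whose http.content_type matches
 * "application/ipp" under FT_OP_CNTD, registers three PEI components and
 * installs IppDissector.
 *
 * @param file_cfg  configuration file path; not used by this dissector.
 * @return 0 on success, -1 if the dependency string cannot be allocated
 *         (NOTE(review): assumes the caller treats non-zero as failure).
 */
int DissecRegist(const char *file_cfg)
{
    /* value matched against http.content_type */
    static const char ipp_ctype[] = "application/ipp";
    proto_dep dep;
    pei_cmpt peic;

    memset(&dep, 0, sizeof(proto_dep));
    memset(&peic, 0, sizeof(pei_cmpt));

    /* protocol name */
    ProtName("Internet Printing Protocol", "ipp");

    /* http dependence */
    dep.name = "http";
    dep.attr = "http.content_type";
    dep.type = FT_STRING;
    dep.op = FT_OP_CNTD;
    /* The allocation used to be a hand-counted 16 bytes that exactly fit the
     * literal; deriving the size from the literal keeps the copy in bounds
     * if the string is ever edited, and a failed allocation is no longer
     * written through. */
    dep.val.str = DMemMalloc(sizeof ipp_ctype);
    if (dep.val.str == NULL) {
        return -1;
    }
    memcpy(dep.val.str, ipp_ctype, sizeof ipp_ctype);
    ProtDep(&dep);

    /* PEI components */
    peic.abbrev = "url";
    peic.desc = "Uniform Resource Locator";
    ProtPeiComponent(&peic);

    peic.abbrev = "pdf";
    peic.desc = "pdf file";
    ProtPeiComponent(&peic);

    peic.abbrev = "pcl";
    peic.desc = "pcl file";
    ProtPeiComponent(&peic);

    /* dissectors registration */
    ProtDissectors(IppDissector, NULL, NULL, NULL);

    return 0;
}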
コード例 #7
ファイル: mms.c プロジェクト: Cbrdiv/xplico
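/**
 * Register the "MMS Message Encapsulation" (mms) dissector.
 *
 * Declares a dependency on http flows whose http.content_type matches
 * "application/vnd.wap.mms-message" under FT_OP_CNTD, registers seven PEI
 * components and installs MmsDissector.
 *
 * @param file_cfg  configuration file path; not used by this dissector.
 * @return 0 on success, -1 if the dependency string cannot be allocated
 *         (NOTE(review): assumes the caller treats non-zero as failure).
 */
int DissecRegist(const char *file_cfg)
{
    /* value matched against http.content_type */
    static const char mms_ctype[] = "application/vnd.wap.mms-message";
    proto_dep dep;
    pei_cmpt peic;

    memset(&dep, 0, sizeof(proto_dep));
    memset(&peic, 0, sizeof(pei_cmpt));

    /* protocol name */
    ProtName("MMS Message Encapsulation", "mms");

    /* http dependence */
    dep.name = "http";
    dep.attr = "http.content_type";
    dep.type = FT_STRING;
    dep.op = FT_OP_CNTD;
    /* The previous hand-counted 32 bytes left no slack: the literal is 31
     * characters plus the terminator. Sizing from the literal keeps the
     * copy in bounds if the string changes, and a failed allocation is no
     * longer written through. */
    dep.val.str = DMemMalloc(sizeof mms_ctype);
    if (dep.val.str == NULL) {
        return -1;
    }
    memcpy(dep.val.str, mms_ctype, sizeof mms_ctype);
    ProtDep(&dep);

    /* PEI components (description strings kept exactly as registered) */
    peic.abbrev = "url";
    peic.desc = "Uniform Resource Locator";
    ProtPeiComponent(&peic);
    peic.abbrev = "from";
    peic.desc = "Source telephon number";
    ProtPeiComponent(&peic);
    peic.abbrev = "to";
    peic.desc = "Destinaton telephon number";
    ProtPeiComponent(&peic);
    peic.abbrev = "cc";
    peic.desc = "Destinaton telephon number (cc)";
    ProtPeiComponent(&peic);
    peic.abbrev = "bcc";
    peic.desc = "Destinaton telephon number (bcc)";
    ProtPeiComponent(&peic);
    peic.abbrev = "part";
    peic.desc = "Content part";
    ProtPeiComponent(&peic);
    peic.abbrev = "raw";
    peic.desc = "Binary raw fromat";
    ProtPeiComponent(&peic);

    /* dissectors registration */
    ProtDissectors(MmsDissector, NULL, NULL, NULL);

    return 0;
}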
コード例 #8
ファイル: rtp.c プロジェクト: shineit/wifimanage
/**
 * Register the "Real time Transport Protocol" (rtp) dissector.
 *
 * Registers five protocol info fields and stores the identifiers returned
 * by ProtInfo() in ver_id, pt_id, seq_id, ts_id and sync_id; declares a
 * heuristic dependency on "udp" checked by RtpCheck with packet limit
 * RTP_PKT_VER_LIMIT; registers six PEI components; enables protocol
 * grouping and installs RtpPktDissector / RtpDissector.
 *
 * @param file_cfg  configuration file path; not used by this dissector.
 * @return always 0.
 */
int DissecRegist(const char *file_cfg)
{
    /* PEI components, registered in exactly this order */
    static const pei_cmpt components[] = {
        { .abbrev = "from",       .desc = "Caller" },
        { .abbrev = "to",         .desc = "Called" },
        { .abbrev = "audio_from", .desc = "Caller audio file" },
        { .abbrev = "audio_to",   .desc = "Called audio file" },
        { .abbrev = "audio_mix",  .desc = "Caller and Called" },
        { .abbrev = "duration",   .desc = "Call duration" },
    };
    proto_info info;
    proto_heury_dep hdep;
    pei_cmpt peic;
    size_t i;

    memset(&peic, 0, sizeof peic);
    memset(&hdep, 0, sizeof hdep);
    memset(&info, 0, sizeof info);

    /* protocol name */
    ProtName("Real time Transport Protocol", "rtp");

    /* info fields: the same struct is reused, each call yields one id */
    info.type = FT_UINT8;
    info.abbrev = "rtp.ver";
    info.name = "Version";
    ver_id = ProtInfo(&info);

    info.type = FT_UINT8;
    info.abbrev = "rtp.pt";
    info.name = "Payload type";
    pt_id = ProtInfo(&info);

    info.type = FT_UINT16;
    info.abbrev = "rtp.seq";
    info.name = "Sequence number";
    seq_id = ProtInfo(&info);

    info.type = FT_UINT32;
    info.abbrev = "rtp.ts";
    info.name = "Timestamp";
    ts_id = ProtInfo(&info);

    info.type = FT_UINT32;
    info.abbrev = "rtp.sync";
    info.name = "Synchronization source";
    sync_id = ProtInfo(&info);

    /* heuristic dependency on udp */
    hdep.pktlim = RTP_PKT_VER_LIMIT;
    hdep.ProtCheck = RtpCheck;
    hdep.name = "udp";
    ProtHeuDep(&hdep);

    /* only abbrev/desc change between registrations */
    for (i = 0; i < sizeof components / sizeof components[0]; i++) {
        peic.abbrev = components[i].abbrev;
        peic.desc = components[i].desc;
        ProtPeiComponent(&peic);
    }

    /* group protocol (master flow) */
    ProtGrpEnable();

    /* dissectors registration */
    ProtDissectors(RtpPktDissector, RtpDissector, NULL, NULL);

    return 0;
}
コード例 #9
ファイル: tcp_analysis.c プロジェクト: M0Rf30/xplico
/**
 * Register the "TCP Analysis" (tcp-ca) dissector.
 *
 * Starts from TCP_CA_DEFUALT_PARAL_THR threads with grouped dissection
 * enabled. When the configuration file supplies TCP_CA_CFG_PARAL_THR, a
 * positive value replaces the thread count and any other value switches
 * grouped dissection off. The grouped or plain check/dissector pair is then
 * registered on "tcp" together with nineteen PEI components, and limit_pkts
 * is set to TCP_CA_PKT_LIMIT.
 *
 * @param file_cfg  configuration file path, may be NULL (defaults are kept).
 * @return always 0.
 */
int DissecRegist(const char *file_cfg)
{
    /* PEI components, registered in exactly this order */
    static const pei_cmpt components[] = {
        { .abbrev = "ip.src",           .desc = "IP source" },
        { .abbrev = "ip.dst",           .desc = "IP destination" },
        { .abbrev = "dns",              .desc = "dns name request" },
        { .abbrev = "port.src",         .desc = "Port source" },
        { .abbrev = "port.dst",         .desc = "Port destination" },
        { .abbrev = "l7prot",           .desc = "L7 protocol march" },
        { .abbrev = "lat",              .desc = "Latitude" },
        { .abbrev = "long",             .desc = "Longitude" },
        { .abbrev = "country_code",     .desc = "Country Code" },
        { .abbrev = "byte.sent",        .desc = "Byte sent" },
        { .abbrev = "byte.receiv",      .desc = "Byte received" },
        { .abbrev = "byte.lost.sent",   .desc = "Lost bytes sent" },
        { .abbrev = "byte.lost.receiv", .desc = "Lost bytes received" },
        { .abbrev = "pkt.sent",         .desc = "Packet sent" },
        { .abbrev = "pkt.receiv",       .desc = "Packet received" },
        { .abbrev = "trace.sent",       .desc = "Trace sent" },
        { .abbrev = "trace.receiv",     .desc = "Trace recived" },
        { .abbrev = "trace.img",        .desc = "Trace the bytes with an image" },
        { .abbrev = "metadata",         .desc = "Metadata: JSON file with metadata" },
    };
    long tmp;
    pei_cmpt peic;
    proto_heury_dep hdep;
    size_t i;

    /* defaults, possibly overridden by the configuration below */
    grpdis = TRUE;
    pthrs_dim = TCP_CA_DEFUALT_PARAL_THR;

    memset(&peic, 0, sizeof peic);
    memset(&hdep, 0, sizeof hdep);

    /* threads parallel: tmp is only read when the helper reports success.
     * NOTE(review): the configured value has no upper bound here and is
     * stored into pthrs_dim as-is -- confirm the consumer clamps it. */
    if (file_cfg != NULL && CfgParamInt(file_cfg, TCP_CA_CFG_PARAL_THR, &tmp) == 0) {
        if (tmp > 0) {
            pthrs_dim = tmp;
        }
        else {
            grpdis = FALSE;
        }
    }

    /* protocol name */
    ProtName("TCP Analysis", "tcp-ca");

    /* heuristic dependency on tcp, grouped or plain check */
    hdep.name = "tcp";
    if (grpdis == TRUE) {
        hdep.ProtCheck = TcpCaCheckGrp;
    }
    else {
        hdep.ProtCheck = TcpCaCheck;
    }
    ProtHeuDep(&hdep);

    /* only abbrev/desc change between registrations */
    for (i = 0; i < sizeof components / sizeof components[0]; i++) {
        peic.abbrev = components[i].abbrev;
        peic.desc = components[i].desc;
        ProtPeiComponent(&peic);
    }

    limit_pkts = TCP_CA_PKT_LIMIT;

    /* dissectors subdissectors registration */
    if (grpdis == TRUE) {
        ProtDissectors(NULL, TcpCaDissectorGrp, NULL, NULL);
    }
    else {
        ProtDissectors(NULL, TcpCaDissector, NULL, NULL);
    }

    return 0;
}