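/*
 * Parser entry point for SOCKS: defines the four session fields this
 * parser fills in (destination ip/host/port and the authenticated user)
 * and registers the TCP classifiers for SOCKS4 and SOCKS5.
 *
 * The field handles (ipField, hostField, portField, userField) are
 * file-scope globals; presumably the classify/parse callbacks read them
 * later (not visible here).
 *
 * moloch_field_define() takes a variadic key/value option list that is
 * terminated by a NULL pointer.  The sentinel is written as (char *)NULL:
 * a bare NULL may legally expand to a plain integer 0, which is not
 * guaranteed to be pointer-sized when read back through va_arg.
 */
void moloch_parser_init()
{
    ipField = moloch_field_define("socks", "ip",
        "ip.socks", "IP", "socksip",
        "SOCKS destination IP",
        MOLOCH_FIELD_TYPE_IP, MOLOCH_FIELD_FLAG_IPPRE,
        "aliases", "[\"ip.socks\"]",
        "portField", "sockspo",      /* ties this IP field to the port field below */
        (char *)NULL);

    hostField = moloch_field_define("socks", "lotermfield",
        "host.socks", "Host", "socksho",
        "SOCKS destination host",
        MOLOCH_FIELD_TYPE_STR, 0,
        "aliases", "[\"socks.host\"]",
        (char *)NULL);

    portField = moloch_field_define("socks", "integer",
        "port.socks", "Port", "sockspo",
        "SOCKS destination port",
        MOLOCH_FIELD_TYPE_INT, 0,
        "aliases", "[\"socks.port\"]",
        (char *)NULL);

    userField = moloch_field_define("socks", "termfield",
        "socks.user", "User", "socksuser",
        "SOCKS authenticated user",
        MOLOCH_FIELD_TYPE_STR, 0,
        "aliases", "[\"socksuser\"]",
        (char *)NULL);

    /* SOCKS5: the first client byte is the protocol version 0x05. A
     * single-byte prefix will match many non-SOCKS streams, so
     * socks5_classify() has to do the real validation. */
    moloch_parsers_classifier_register_tcp("socks5", 0, (unsigned char*)"\005", 1, socks5_classify);

    /* SOCKS4: version byte 0x04 followed by the command byte. Two command
     * values are registered separately since the classifier API matches a
     * fixed byte string. */
    moloch_parsers_classifier_register_tcp("socks4", 0, (unsigned char*)"\004\000", 2, socks4_classify);
    moloch_parsers_classifier_register_tcp("socks4", 0, (unsigned char*)"\004\001", 2, socks4_classify);
}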
/*
 * Parser entry point for Kerberos 5: defines the realm/cname/sname
 * session fields and registers the UDP and TCP classifiers.
 *
 * One 4-byte signature is searched for at two UDP offsets and two TCP
 * offsets (the TCP ones are 4 bytes further in, presumably to skip a
 * length prefix — confirm in the classify callbacks).
 */
void moloch_parser_init()
{
    /* All three fields share type and flags; only the names differ.
     * The option list is variadic and NULL-terminated. */
    realmField = moloch_field_define("krb5", "termfield",
        "krb5.realm", "Realm", "krb5.realm",
        "Kerberos 5 Realm",
        MOLOCH_FIELD_TYPE_STR_HASH, MOLOCH_FIELD_FLAG_CNT,
        (char *)NULL);

    cnameField = moloch_field_define("krb5", "termfield",
        "krb5.cname", "cname", "krb5.cname",
        "Kerberos 5 cname",
        MOLOCH_FIELD_TYPE_STR_HASH, MOLOCH_FIELD_FLAG_CNT,
        (char *)NULL);

    snameField = moloch_field_define("krb5", "termfield",
        "krb5.sname", "sname", "krb5.sname",
        "Kerberos 5 sname",
        MOLOCH_FIELD_TYPE_STR_HASH, MOLOCH_FIELD_FLAG_CNT,
        (char *)NULL);

    /* Static so the pointer handed to the registry stays valid for the
     * life of the process, exactly like the string literals it replaces.
     * Looks like the DER encoding of the pvno INTEGER 5 — TODO confirm. */
    static const char krb5_sig[] = "\x03\x02\x01\x05";
    static const int  udp_offsets[] = { 7, 9 };
    static const int  tcp_offsets[] = { 11, 13 };

    for (size_t i = 0; i < sizeof udp_offsets / sizeof udp_offsets[0]; i++) {
        moloch_parsers_classifier_register_udp("krb5", 0, udp_offsets[i],
            (unsigned char*)krb5_sig, 4, krb5_udp_classify);
    }
    for (size_t i = 0; i < sizeof tcp_offsets / sizeof tcp_offsets[0]; i++) {
        moloch_parsers_classifier_register_tcp("krb5", 0, tcp_offsets[i],
            (unsigned char*)krb5_sig, 4, krb5_tcp_classify);
    }
}
/*
 * Parser entry point for IRC (fixed-id field variant): declares the nick
 * and channel fields under their predefined ids and registers the TCP
 * classifiers that recognise IRC from the first bytes of the stream.
 */
void moloch_parser_init()
{
    moloch_field_define_internal(MOLOCH_FIELD_IRC_NICK,     "ircnck", MOLOCH_FIELD_TYPE_STR_HASH, MOLOCH_FIELD_FLAG_CNT);
    moloch_field_define_internal(MOLOCH_FIELD_IRC_CHANNELS, "ircch",  MOLOCH_FIELD_TYPE_STR_HASH, MOLOCH_FIELD_FLAG_CNT);

    /* Stream prefixes, all at offset 0, that route a session to
     * irc_classify(); `len` is the exact number of bytes compared.
     * The one-byte ":" prefix matches many non-IRC streams, so the
     * callback (not visible here) has to carry the real validation. */
    static const struct { const char *prefix; int len; } irc_sigs[] = {
        { ":",           1  },
        { "NOTICE AUTH", 11 },
        { "NICK ",       5  },
        { "USER ",       5  },
    };

    for (size_t i = 0; i < sizeof irc_sigs / sizeof irc_sigs[0]; i++) {
        moloch_parsers_classifier_register_tcp("irc", 0,
            (unsigned char*)irc_sigs[i].prefix, irc_sigs[i].len, irc_classify);
    }
}
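/*
 * Parser entry point for IRC: defines the nick and channel session fields
 * and registers the TCP classifiers that recognise IRC from the first
 * bytes of the stream.
 *
 * nickField and channelsField are file-scope globals; presumably the
 * classify/parse callbacks use them (not visible here).
 *
 * moloch_field_define() takes a variadic, NULL-terminated option list.
 * The sentinel is written as (char *)NULL so it is pointer-sized on every
 * platform (a bare NULL may expand to an integer 0); this matches the
 * krb5 parser in this tree.
 */
void moloch_parser_init()
{
    nickField = moloch_field_define("irc", "termfield",
        "irc.nick", "Nickname", "ircnck",
        "Nicknames set",
        MOLOCH_FIELD_TYPE_STR_HASH, MOLOCH_FIELD_FLAG_CNT,
        (char *)NULL);

    channelsField = moloch_field_define("irc", "termfield",
        "irc.channel", "Channel", "ircch",
        "Channels joined",
        MOLOCH_FIELD_TYPE_STR_HASH, MOLOCH_FIELD_FLAG_CNT,
        (char *)NULL);

    /* Stream prefixes, all at offset 0, that route a session to
     * irc_classify(); `len` is the exact number of bytes compared.
     * The one-byte ":" prefix matches many non-IRC streams, so the
     * callback (not visible here) has to carry the real validation. */
    static const struct { const char *prefix; int len; } irc_sigs[] = {
        { ":",           1  },
        { "NOTICE AUTH", 11 },
        { "NICK ",       5  },
        { "USER ",       5  },
    };

    for (size_t i = 0; i < sizeof irc_sigs / sizeof irc_sigs[0]; i++) {
        moloch_parsers_classifier_register_tcp("irc", 0,
            (unsigned char*)irc_sigs[i].prefix, irc_sigs[i].len, irc_classify);
    }
}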
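/*
 * Parser entry point for SSH: defines the version and host-key session
 * fields and registers the TCP classifier.
 *
 * verField and keyField are file-scope globals; presumably the
 * classify/parse callbacks use them (not visible here).
 *
 * moloch_field_define() takes a variadic, NULL-terminated option list.
 * The sentinel is written as (char *)NULL so it is pointer-sized on every
 * platform (a bare NULL may expand to an integer 0); this matches the
 * krb5 parser in this tree.
 */
void moloch_parser_init()
{
    verField = moloch_field_define("ssh", "lotermfield",
        "ssh.ver", "Version", "sshver",
        "SSH Software Version",
        MOLOCH_FIELD_TYPE_STR_HASH, MOLOCH_FIELD_FLAG_CNT,
        (char *)NULL);

    keyField = moloch_field_define("ssh", "termfield",
        "ssh.key", "Key", "sshkey",
        "SSH Key",
        MOLOCH_FIELD_TYPE_STR_HASH, MOLOCH_FIELD_FLAG_CNT,
        (char *)NULL);

    /* Match the 3-byte "SSH" prefix of the identification banner at
     * offset 0; the second argument is the user word, unused here. */
    moloch_parsers_classifier_register_tcp("ssh", NULL, 0, (unsigned char*)"SSH", 3, ssh_classify);
}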
/*
 * Entry point for the "misc" parser bundle: registers one byte-prefix
 * classifier per protocol.  Every registration is (name, offset, match,
 * match length, callback); the match bytes are compared verbatim at the
 * given stream offset.
 */
void moloch_parser_init()
{
    /* ---- TCP ---- */

    /* BitTorrent handshake: length byte 0x13 followed by the 19-byte
     * protocol name, 20 bytes in all. */
    moloch_parsers_classifier_register_tcp("bt", 0,
        (unsigned char*)"\x13" "BitTorrent protocol", 20, bt_classify);

    /* RDP / TPKT header starts with 0x03 0x00. */
    moloch_parsers_classifier_register_tcp("rdp", 0,
        (unsigned char*)"\x03\x00", 2, rdp_classify);

    /* IMAP and POP3 are recognised by the server's greeting. */
    moloch_parsers_classifier_register_tcp("imap", 0,
        (unsigned char*)"* OK ", 5, imap_classify);
    moloch_parsers_classifier_register_tcp("pop3", 0,
        (unsigned char*)"+OK POP3 ", 9, pop3_classify);

    /* gh0st: no match bytes at all (NULL, length 0) at offset 14, so
     * gh0st_classify() presumably runs on every TCP stream that reaches
     * that offset — confirm the cost of that in the hot path. */
    moloch_parsers_classifier_register_tcp("gh0st", 14, 0, 0, gh0st_classify);

    /* Generic "220 " greeting (SMTP/FTP-style); other220_classify() has
     * to tell the protocols apart. */
    moloch_parsers_classifier_register_tcp("other220", 0,
        (unsigned char*)"220 ", 4, other220_classify);

    /* VNC: "RFB 0" prefix of the protocol version string. */
    moloch_parsers_classifier_register_tcp("vnc", 0,
        (unsigned char*)"RFB 0", 5, vnc_classify);

    /* ---- UDP ---- */

    /* BitTorrent DHT over UDP: bencoded dictionaries whose first key is
     * "a", "r" or "q"; all three go to the same callback. */
    static const char *const bt_udp_sigs[] = { "d1:a", "d1:r", "d1:q" };
    for (size_t i = 0; i < sizeof bt_udp_sigs / sizeof bt_udp_sigs[0]; i++) {
        moloch_parsers_classifier_register_udp("bt", 0,
            (unsigned char*)bt_udp_sigs[i], 4, bt_classify);
    }
}
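/*
 * Parser entry point for MySQL: registers the TCP classifier and defines
 * the user and server-version session fields.
 *
 * userField and versionField are file-scope globals; presumably the
 * parse callback fills them from the handshake (not visible here).
 *
 * moloch_field_define() takes a variadic, NULL-terminated option list.
 * The sentinel is written as (char *)NULL so it is pointer-sized on every
 * platform (a bare NULL may expand to an integer 0); this matches the
 * krb5 parser in this tree.
 */
void moloch_parser_init()
{
    /* Four bytes at stream offset 1.  Looks like the tail of the server
     * greeting header (upper length bytes, sequence 0, protocol version
     * 10 = 0x0a) — TODO confirm against mysql_classify(). */
    moloch_parsers_classifier_register_tcp("mysql", 1,
        (unsigned char*)"\x00\x00\x00\x0a", 4, mysql_classify);

    userField = moloch_field_define("mysql", "lotermfield",
        "mysql.user", "User", "mysql.user-term",
        "Mysql user name",
        MOLOCH_FIELD_TYPE_STR, MOLOCH_FIELD_FLAG_LINKED_SESSIONS,
        (char *)NULL);

    versionField = moloch_field_define("mysql", "termfield",
        "mysql.ver", "Version", "mysql.ver-term",
        "Mysql server version string",
        MOLOCH_FIELD_TYPE_STR, MOLOCH_FIELD_FLAG_LINKED_SESSIONS,
        (char *)NULL);
}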
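/*
 * Lua binding: register a TCP classifier from a Lua script.
 *
 * Lua usage: <name> <offset> <match> <function>
 *   name     - classifier name (string)
 *   offset   - stream offset at which `match` must occur (integer)
 *   match    - byte string to compare; its full Lua length is used, so it
 *              may contain NUL bytes
 *   function - name of the Lua function that molua_classify_cb will call
 *
 * Returns 0 (no results) to Lua; raises a Lua error for bad arguments.
 * Registration is performed only for the first Lua state, Ls[0];
 * presumably the same script is loaded into several states and must
 * register once.
 *
 * The duplicated name, match bytes and function name are handed to the
 * classifier registry and are intentionally never freed here: they have
 * to outlive this call.
 */
static int MS_register_tcp_classifier(lua_State *L)
{
    if (L != Ls[0])   /* only do once */
        return 0;

    if (lua_gettop(L) != 4 || !lua_isstring(L, 1) || !lua_isinteger(L, 2) ||
        !lua_isstring(L, 3) || !lua_isstring(L, 4)) {
        return luaL_error(L, "usage: <name> <offset> <match> <function>");
    }

    /* lua_isinteger() passed, so read the value as an integer rather than
     * a double.  It is kept in an int: the previous `char offset` silently
     * truncated any offset above 127 (or 255) to a wrong, possibly
     * negative, value.  A negative offset cannot index into a stream. */
    lua_Integer off = lua_tointeger(L, 2);
    if (off < 0 || (lua_Integer)(int)off != off) {
        return luaL_error(L, "offset must be a non-negative integer that fits in an int");
    }
    int offset = (int)off;

    /* lua_rawlen() is a size_t; refuse anything that would not survive
     * the narrowing to the int the registry takes. */
    size_t raw_len = lua_rawlen(L, 3);
    if ((size_t)(int)raw_len != raw_len) {
        return luaL_error(L, "match is too long");
    }
    int match_len = (int)raw_len;

    char   *name     = g_strdup(lua_tostring(L, 1));
    /* g_memdup() takes a guint length; newer GLib prefers g_memdup2()
     * with a gsize, but match_len has already been bounded above. */
    guchar *match    = g_memdup(lua_tostring(L, 3), match_len);
    char   *function = g_strdup(lua_tostring(L, 4));

    moloch_parsers_classifier_register_tcp(name, function, offset, match, match_len, molua_classify_cb);
    return 0;
}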
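/*
 * Parser entry point for Oracle TNS: registers the TCP classifier and
 * defines the user, host and service session fields.
 *
 * userField, hostField and serviceField are file-scope globals;
 * presumably the parse callback fills them (not visible here).
 *
 * moloch_field_define() takes a variadic, NULL-terminated option list.
 * The sentinel is written as (char *)NULL so it is pointer-sized on every
 * platform (a bare NULL may expand to an integer 0); this matches the
 * krb5 parser in this tree.
 */
void moloch_parser_init()
{
    /* Six bytes at stream offset 2; the second argument is the user
     * word, unused here. */
    moloch_parsers_classifier_register_tcp("oracle", NULL, 2,
        (unsigned char*)"\x00\x00\x01\x00\x00\x00", 6, oracle_classify);

    /* Only the user field carries the extra "category" option. */
    userField = moloch_field_define("oracle", "lotermfield",
        "oracle.user", "User", "oracle.user-term",
        "Oracle User",
        MOLOCH_FIELD_TYPE_STR, MOLOCH_FIELD_FLAG_LINKED_SESSIONS,
        "category", "user",
        (char *)NULL);

    hostField = moloch_field_define("oracle", "lotermfield",
        "oracle.host", "Host", "oracle.host-term",
        "Oracle Host",
        MOLOCH_FIELD_TYPE_STR, MOLOCH_FIELD_FLAG_LINKED_SESSIONS,
        (char *)NULL);

    serviceField = moloch_field_define("oracle", "lotermfield",
        "oracle.service", "Service", "oracle.service-term",
        "Oracle Service",
        MOLOCH_FIELD_TYPE_STR, MOLOCH_FIELD_FLAG_LINKED_SESSIONS,
        (char *)NULL);
}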
/*
 * Parser entry point for TDS (MS SQL): reuses the already-defined "user"
 * db field instead of defining its own, then registers the TCP
 * classifier.
 */
void moloch_parser_init()
{
    /* Look the shared user field up by db name; it must have been
     * defined elsewhere before this parser initialises. */
    userField = moloch_field_by_db("user");

    /* Static so the pointer handed to the registry stays valid for the
     * life of the process, exactly like the literal it replaces.
     * Eight bytes matched at stream offset 0; the NULL argument is the
     * user word. */
    static const char tds_sig[] = "\x02\x00\x02\x00\x00\x00\x01\x00";
    moloch_parsers_classifier_register_tcp("tds", NULL, 0,
        (unsigned char*)tds_sig, 8, tds_classify);
}
/*
 * Entry point for the "misc" parser bundle: registers one byte-prefix
 * classifier per protocol.  Every registration is (name, offset, match,
 * match length, callback); the match bytes are compared verbatim at the
 * given stream offset.  Registration order is kept as before.
 */
void moloch_parser_init()
{
    /* ---- TCP, single signature each ---- */

    /* BitTorrent handshake: length byte 0x13 followed by the 19-byte
     * protocol name, 20 bytes in all. */
    moloch_parsers_classifier_register_tcp("bt", 0,
        (unsigned char*)"\x13" "BitTorrent protocol", 20, bt_classify);

    /* RDP / TPKT header starts with 0x03 0x00. */
    moloch_parsers_classifier_register_tcp("rdp", 0,
        (unsigned char*)"\x03\x00", 2, rdp_classify);

    /* IMAP and POP3 are recognised by the server's greeting. */
    moloch_parsers_classifier_register_tcp("imap", 0,
        (unsigned char*)"* OK ", 5, imap_classify);
    moloch_parsers_classifier_register_tcp("pop3", 0,
        (unsigned char*)"+OK POP3 ", 9, pop3_classify);

    /* gh0st: no match bytes at all (NULL, length 0) at offset 14, so
     * gh0st_classify() presumably runs on every TCP stream that reaches
     * that offset — confirm the cost of that in the hot path. */
    moloch_parsers_classifier_register_tcp("gh0st", 14, 0, 0, gh0st_classify);

    /* Generic "220 " greeting (SMTP/FTP-style); other220_classify() has
     * to tell the protocols apart. */
    moloch_parsers_classifier_register_tcp("other220", 0,
        (unsigned char*)"220 ", 4, other220_classify);

    /* VNC: "RFB 0" prefix of the protocol version string. */
    moloch_parsers_classifier_register_tcp("vnc", 0,
        (unsigned char*)"RFB 0", 5, vnc_classify);

    /* ---- Redis ---- */

    /* "+PONG" is a server reply; the others are written here in their
     * readable form and are byte-for-byte the former \x2a\x3N\x0d\x0a\x24
     * literals.  They look like RESP array headers for 1..5 element
     * client commands — TODO confirm.  All five bytes are compared. */
    static const char *const redis_sigs[] = {
        "+PONG",
        "*1\r\n$",
        "*2\r\n$",
        "*3\r\n$",
        "*4\r\n$",
        "*5\r\n$",
    };
    for (size_t i = 0; i < sizeof redis_sigs / sizeof redis_sigs[0]; i++) {
        moloch_parsers_classifier_register_tcp("redis", 0,
            (unsigned char*)redis_sigs[i], 5, redis_classify);
    }

    /* ---- UDP ---- */

    /* BitTorrent DHT over UDP: bencoded dictionaries whose first key is
     * "a", "r" or "q"; all three go to the same callback. */
    static const char *const bt_udp_sigs[] = { "d1:a", "d1:r", "d1:q" };
    for (size_t i = 0; i < sizeof bt_udp_sigs / sizeof bt_udp_sigs[0]; i++) {
        moloch_parsers_classifier_register_udp("bt", 0,
            (unsigned char*)bt_udp_sigs[i], 4, bt_classify);
    }

    /* ---- MongoDB ---- */

    /* Eleven 4-byte signatures 0x35..0x3f followed by three NULs,
     * matched at offset 0; presumably a small little-endian message
     * length — confirm in mongo_classify().  Kept as string literals so
     * each pattern carries the same bytes (and trailing NUL) as before. */
    static const char *const mongo_sigs[] = {
        "\x35\x00\x00\x00",
        "\x36\x00\x00\x00",
        "\x37\x00\x00\x00",
        "\x38\x00\x00\x00",
        "\x39\x00\x00\x00",
        "\x3a\x00\x00\x00",
        "\x3b\x00\x00\x00",
        "\x3c\x00\x00\x00",
        "\x3d\x00\x00\x00",
        "\x3e\x00\x00\x00",
        "\x3f\x00\x00\x00",
    };
    for (size_t i = 0; i < sizeof mongo_sigs / sizeof mongo_sigs[0]; i++) {
        moloch_parsers_classifier_register_tcp("mongo", 0,
            (unsigned char*)mongo_sigs[i], 4, mongo_classify);
    }
}