void wise_process_ops(MolochSession_t *session, WiseItem_t *wi) { int i; for (i = 0; i < wi->numOps; i++) { WiseOp_t *op = &(wi->ops[i]); switch (config.fields[op->fieldPos]->type) { case MOLOCH_FIELD_TYPE_INT_HASH: case MOLOCH_FIELD_TYPE_INT_GHASH: if (op->fieldPos == tagsField) { moloch_session_add_tag(session, op->str); continue; } // Fall Thru case MOLOCH_FIELD_TYPE_INT: case MOLOCH_FIELD_TYPE_INT_ARRAY: case MOLOCH_FIELD_TYPE_IP: case MOLOCH_FIELD_TYPE_IP_HASH: case MOLOCH_FIELD_TYPE_IP_GHASH: moloch_field_int_add(op->fieldPos, session, op->strLenOrInt); break; case MOLOCH_FIELD_TYPE_STR: case MOLOCH_FIELD_TYPE_STR_ARRAY: case MOLOCH_FIELD_TYPE_STR_HASH: moloch_field_string_add(op->fieldPos, session, op->str, op->strLenOrInt, TRUE); break; } } }
int moloch_hp_cb_on_body (http_parser *parser, const char *at, size_t length) { HTTPInfo_t *http = parser->data; MolochSession_t *session = http->session; #ifdef HTTPDEBUG LOG("HTTPDEBUG: which: %d", http->which); #endif if (!(http->inBody & (1 << http->which))) { if (moloch_memcasestr(at, length, "password="******"passwd=", 7) || moloch_memcasestr(at, length, "pass="******"http:password"); } moloch_parsers_magic(session, magicField, at, length); http->inBody |= (1 << http->which); } g_checksum_update(http->checksum[http->which], (guchar *)at, length); if (pluginsCbs & MOLOCH_PLUGIN_HP_OB) moloch_plugins_cb_hp_ob(session, parser, at, length); return 0; }
void http_add_value(MolochSession_t *session, HTTPInfo_t *http) { int pos = http->pos[http->which]; char *s = http->valueString[http->which]->str; int l = http->valueString[http->which]->len; while (isspace(*s)) { s++; l--; } switch (config.fields[pos]->type) { case MOLOCH_FIELD_TYPE_INT: case MOLOCH_FIELD_TYPE_INT_ARRAY: case MOLOCH_FIELD_TYPE_INT_HASH: case MOLOCH_FIELD_TYPE_INT_GHASH: moloch_field_int_add(pos, session, atoi(s)); break; case MOLOCH_FIELD_TYPE_STR: case MOLOCH_FIELD_TYPE_STR_ARRAY: case MOLOCH_FIELD_TYPE_STR_HASH: moloch_field_string_add(pos, session, s, l, TRUE); break; case MOLOCH_FIELD_TYPE_IP_HASH: case MOLOCH_FIELD_TYPE_IP_GHASH: { int i; gchar **parts = g_strsplit(http->valueString[http->which]->str, ",", 0); for (i = 0; parts[i]; i++) { gchar *ip = parts[i]; while (*ip == ' ') ip++; in_addr_t ia = inet_addr(ip); if (ia == 0 || ia == 0xffffffff) { moloch_session_add_tag(session, "http:bad-xff"); if (config.debug) LOG("INFO - Didn't understand ip: %s %s %d", http->valueString[http->which]->str, ip, ia); continue; } moloch_field_int_add(pos, session, ia); } g_strfreev(parts); break; } } /* SWITCH */ g_string_truncate(http->valueString[http->which], 0); http->pos[http->which] = 0; }
static int MS_add_tag(lua_State *L) { if (lua_gettop(L) != 2 || !lua_isuserdata(L, 1) || !lua_isstring(L, 2)) { return luaL_error(L, "usage: <session> <tag>"); } MolochSession_t *session = checkMolochSession(L, 1); const char *tag = lua_tostring(L, 2); moloch_session_add_tag(session, tag); return 0; }
int moloch_hp_cb_on_headers_complete (http_parser *parser) { HTTPInfo_t *http = parser->data; MolochSession_t *session = http->session; char version[20]; #ifdef HTTPDEBUG LOG("HTTPDEBUG: which: %d code: %d method: %d", http->which, parser->status_code, parser->method); #endif int len = snprintf(version, sizeof(version), "%d.%d", parser->http_major, parser->http_minor); if (parser->status_code == 0) { moloch_field_string_add(methodField, session, http_method_str(parser->method), -1, TRUE); moloch_field_string_add(verReqField, session, version, len, TRUE); } else { moloch_field_int_add(statuscodeField, session, parser->status_code); moloch_field_string_add(verResField, session, version, len, TRUE); } if (http->inValue & (1 << http->which) && http->pos[http->which]) { http_add_value(session, http); } http->header[0][0] = http->header[1][0] = 0; if (http->urlString) { char *ch = http->urlString->str; while (*ch) { if (*ch < 32) { moloch_session_add_tag(session, "http:control-char"); break; } ch++; } } if (http->cookieString && http->cookieString->str[0]) { char *start = http->cookieString->str; while (1) { while (isspace(*start)) start++; char *equal = strchr(start, '='); if (!equal) break; moloch_field_string_add(cookieKeyField, session, start, equal-start, TRUE); start = strchr(equal+1, ';'); if (config.parseCookieValue) { equal++; while (isspace(*equal)) equal++; if (*equal && equal != start) moloch_field_string_add(cookieValueField, session, equal, start?start-equal:-1, TRUE); } if(!start) break; start++; } g_string_truncate(http->cookieString, 0); } if (http->authString && http->authString->str[0]) { moloch_http_parse_authorization(session, http->authString->str); g_string_truncate(http->authString, 0); } if (http->hostString) { g_string_ascii_down(http->hostString); } gboolean truncated = FALSE; if (http->urlString && http->hostString) { char *colon = strchr(http->hostString->str+2, ':'); if (colon) { moloch_field_string_add(hostField, session, http->hostString->str+2, colon - http->hostString->str-2, TRUE); } else { moloch_field_string_add(hostField, session, http->hostString->str+2, http->hostString->len-2, TRUE); } char *question = strchr(http->urlString->str, '?'); if (question) { moloch_field_string_add(pathField, session, http->urlString->str, question - http->urlString->str, TRUE); char *start = question+1; char *ch; int field = keyField; for (ch = start; *ch; ch++) { if (*ch == '&') { if (ch != start && (config.parseQSValue || field == keyField)) { char *str = g_uri_unescape_segment(start, ch, NULL); if (!str) { moloch_field_string_add(field, session, start, ch-start, TRUE); } else if (!moloch_field_string_add(field, session, str, -1, FALSE)) { g_free(str); } } start = ch+1; field = keyField; continue; } else if (*ch == '=') { if (ch != start && (config.parseQSValue || field == keyField)) { char *str = g_uri_unescape_segment(start, ch, NULL); if (!str) { moloch_field_string_add(field, session, start, ch-start, TRUE); } else if (!moloch_field_string_add(field, session, str, -1, FALSE)) { g_free(str); } } start = ch+1; field = valueField; } } if (config.parseQSValue && field == valueField && ch > start) { char *str = g_uri_unescape_segment(start, ch, NULL); if (!str) { moloch_field_string_add(field, session, start, ch-start, TRUE); } else if (!moloch_field_string_add(field, session, str, -1, FALSE)) { g_free(str); } } } else { moloch_field_string_add(pathField, session, http->urlString->str, http->urlString->len, TRUE); } if (http->urlString->str[0] != '/') { char *result = strstr(http->urlString->str, http->hostString->str+2); /* If the host header is in the first 8 bytes of url then just use the url */ if (result && result - http->urlString->str <= 8) { moloch_field_string_add(urlsField, session, http->urlString->str, MIN(MAX_URL_LENGTH, http->urlString->len), FALSE); truncated = http->urlString->len > MAX_URL_LENGTH; g_string_free(http->urlString, FALSE); g_string_free(http->hostString, TRUE); } else { /* Host header doesn't match the url */ g_string_append(http->hostString, ";"); g_string_append(http->hostString, http->urlString->str); moloch_field_string_add(urlsField, session, http->hostString->str, MIN(MAX_URL_LENGTH, http->hostString->len), FALSE); truncated = http->hostString->len > MAX_URL_LENGTH; g_string_free(http->urlString, TRUE); g_string_free(http->hostString, FALSE); } } else { /* Normal case, url starts with /, so no extra host in url */ g_string_append(http->hostString, http->urlString->str); moloch_field_string_add(urlsField, session, http->hostString->str, MIN(MAX_URL_LENGTH, http->hostString->len), FALSE); truncated = http->hostString->len > MAX_URL_LENGTH; g_string_free(http->urlString, TRUE); g_string_free(http->hostString, FALSE); } http->urlString = NULL; http->hostString = NULL; } else if (http->urlString) { moloch_field_string_add(urlsField, session, http->urlString->str, MIN(MAX_URL_LENGTH, http->urlString->len), FALSE); truncated = http->urlString->len > MAX_URL_LENGTH; g_string_free(http->urlString, FALSE); http->urlString = NULL; } else if (http->hostString) { char *colon = strchr(http->hostString->str+2, ':'); if (colon) { moloch_field_string_add(hostField, session, http->hostString->str+2, colon - http->hostString->str-2, TRUE); } else { moloch_field_string_add(hostField, session, http->hostString->str+2, http->hostString->len-2, TRUE); } g_string_free(http->hostString, TRUE); http->hostString = NULL; } if (truncated) moloch_session_add_tag(session, "http:url-truncated"); moloch_session_add_protocol(session, "http"); if (pluginsCbs & MOLOCH_PLUGIN_HP_OHC) moloch_plugins_cb_hp_ohc(session, parser); return 0; }