/*
 * Link an alert into the shared alerts hash table unless an equal entry is
 * already chained in the same bucket.
 *
 * item->hash is computed from item->sessionId and stored on the item before
 * the table is consulted. Two alerts are equal when hash, timestamp, ses,
 * signature_id and the sessionId bytes all match.
 *
 * Returns 1 when the item was pushed at the head of its bucket chain and
 * alerts.cnt was incremented, 0 when a duplicate was found. On 0 the item is
 * neither linked nor released here, so it stays with the caller.
 */
LOCAL int suricata_alerts_add(SuricataItem_t *item)
{
    int inserted = 1;

    item->hash = moloch_session_hash(item->sessionId);

    // NOTE(review): alerts.num is read before the lock is taken and is used as
    // a divisor; presumably it is non-zero and fixed after setup - confirm.
    int bucket = item->hash % alerts.num;

    MOLOCH_LOCK(alerts.lock);

    for (SuricataItem_t *cur = alerts.items[bucket]; cur; cur = cur->items_next) {
        // Cheap scalar fields first, in the same order as the key definition.
        if (cur->hash != item->hash ||
            cur->timestamp != item->timestamp ||
            cur->ses != item->ses ||
            cur->signature_id != item->signature_id) {
            continue;
        }

        // Byte 0 of sessionId is used as the number of bytes to compare, and
        // it is itself part of the compared range, so ids with different
        // length bytes never match.
        // NOTE(review): that length byte is trusted as-is; nothing here bounds
        // it by the size of either sessionId buffer - confirm the producer
        // guarantees a well-formed id.
        if (memcmp(cur->sessionId, item->sessionId, item->sessionId[0]) != 0) {
            continue;
        }

        inserted = 0;   // duplicate: leave the table untouched
        break;
    }

    if (inserted) {
        item->items_next = alerts.items[bucket];
        alerts.items[bucket] = item;
        alerts.cnt++;
    }

    MOLOCH_UNLOCK(alerts.lock);
    return inserted;
}
/*
 * Look up an existing session of type `ses` by its id, without creating one.
 *
 * The id is hashed, the hash selects the packet thread whose table is
 * searched (hash % config.packetThreads), and the result of HASH_FIND_HASH
 * is returned as-is.
 *
 * NOTE(review): no lock is taken here around the per-thread table; presumably
 * this must run on the thread that owns sessions[thread][] - confirm against
 * callers. `ses` is used directly as an array index and is not range-checked
 * in this function.
 */
MolochSession_t *moloch_session_find(int ses, char *sessionId)
{
    MolochSession_t *found;
    uint32_t         idHash = moloch_session_hash(sessionId);
    int              owner  = idHash % config.packetThreads;

    HASH_FIND_HASH(h_, sessions[owner][ses], idHash, sessionId, found);

    return found;
}
// Should only be used by packet, lots of side effects MolochSession_t *moloch_session_find_or_create(int ses, uint32_t hash, char *sessionId, int *isNew) { MolochSession_t *session; if (hash == 0) { hash = moloch_session_hash(sessionId); } int thread = hash % config.packetThreads; HASH_FIND_HASH(h_, sessions[thread][ses], hash, sessionId, session); if (session) { if (!session->closingQ) { DLL_MOVE_TAIL(q_, &sessionsQ[thread][ses], session); } *isNew = 0; return session; } *isNew = 1; session = MOLOCH_TYPE_ALLOC0(MolochSession_t); session->ses = ses; memcpy(session->sessionId, sessionId, sessionId[0]); HASH_ADD_HASH(h_, sessions[thread][ses], hash, sessionId, session); DLL_PUSH_TAIL(q_, &sessionsQ[thread][ses], session); if (HASH_BUCKET_COUNT(h_, sessions[thread][ses], hash) > 10) { char buf[100]; LOG("Large number of chains: %s %u %u %u %u", moloch_session_id_string(sessionId, buf), hash, hash % sessions[thread][ses].size, thread, HASH_BUCKET_COUNT(h_, sessions[thread][ses], hash)); } session->filePosArray = g_array_sized_new(FALSE, FALSE, sizeof(uint64_t), 100); session->fileLenArray = g_array_sized_new(FALSE, FALSE, sizeof(uint16_t), 100); session->fileNumArray = g_array_new(FALSE, FALSE, 4); session->fields = MOLOCH_SIZE_ALLOC0(fields, sizeof(MolochField_t *)*config.maxField); session->maxFields = config.maxField; session->thread = thread; DLL_INIT(td_, &session->tcpData); if (config.numPlugins > 0) session->pluginData = MOLOCH_SIZE_ALLOC0(pluginData, sizeof(void *)*config.numPlugins); return session; }