Exemplo n.º 1
0
Arquivo: tls.c Projeto: ariosx/moloch
/* @data the data inside the record layer
 * @len  the length of data inside record layer
 */
int
tls_process_server_handshake_record(MolochSession_t *session, const unsigned char *data, int len)
{
    BSB rbsb;

    BSB_INIT(rbsb, data, len);

    while (BSB_REMAINING(rbsb) >= 4) {
        unsigned char *hdata = BSB_WORK_PTR(rbsb);
        int hlen = MIN(BSB_REMAINING(rbsb), (hdata[1] << 16 | hdata[2] << 8 | hdata[3]) + 4);

        switch(hdata[0]) {
        case 2:
            tls_process_server_hello(session, hdata+4, hlen-4);
            break;
        case 11:
            tls_process_server_certificate(session, hdata + 4, hlen - 4);
            break;
        case 14:
            return 1;
        }

        BSB_IMPORT_skip(rbsb, hlen);
    }
    return 0;
}
Exemplo n.º 2
0
Arquivo: wise.c Projeto: Amelos/moloch
void wise_load_fields()
{
    char                key[500];
    int                 key_len;

    memset(fieldsMap, -1, sizeof(fieldsMap));

    key_len = snprintf(key, sizeof(key), "/fields");
    size_t         data_len;
    unsigned char *data = moloch_http_send_sync(wiseService, "GET", key, key_len, NULL, 0, NULL, &data_len);;

    BSB bsb;
    BSB_INIT(bsb, data, data_len);

    int ver, cnt = 0;
    BSB_IMPORT_u32(bsb, fieldsTS);
    BSB_IMPORT_u32(bsb, ver);
    BSB_IMPORT_u08(bsb, cnt);

    int i;
    for (i = 0; i < cnt; i++) {
        int len = 0;
        BSB_IMPORT_u16(bsb, len); // len includes NULL terminated
        fieldsMap[i] = moloch_field_define_text((char*)BSB_WORK_PTR(bsb), NULL);
        if (fieldsMap[i] == -1)
            fieldsTS = 0;
        if (config.debug)
            LOG("%d %d %s", i, fieldsMap[i], BSB_WORK_PTR(bsb));
        BSB_IMPORT_skip(bsb, len);
    }
}
Exemplo n.º 3
0
Arquivo: krb5.c Projeto: paulpc/moloch
LOCAL void krb5_parse(MolochSession_t *session, const unsigned char *data, int len)
{
    BSB obsb;
    uint32_t opc, msgType, olen;
    unsigned char *ovalue;

    BSB_INIT(obsb, data, len);
    ovalue = moloch_parsers_asn_get_tlv(&obsb, &opc, &msgType, &olen);
#ifdef KRB5_DEBUG
    LOG("DEBUG1 - opc:%uumsgType:%u olen:%u", opc, msgType, olen);
#endif
    if (!opc)
        return;

    switch (msgType) {
    case 10:
    case 12:
        krb5_parse_req(session, ovalue, olen);
        break;
    case 11:
    case 13:
        krb5_parse_rep(session, ovalue, olen);
        break;
    case 30:
        krb5_parse_error(session, ovalue, olen);
        break;
    }
}
Exemplo n.º 4
0
unsigned char *dns_name(const unsigned char *full, int fulllen, BSB *inbsb, int *namelen)
{
    static unsigned char  name[8000];
    BSB  nbsb;
    int  didPointer = 0;
    BSB  tmpbsb;
    BSB *curbsb;

    BSB_INIT(nbsb, name, sizeof(name));

    curbsb = inbsb;

    while (BSB_REMAINING(*curbsb)) {
        unsigned char ch = 0;
        BSB_IMPORT_u08(*curbsb, ch);

        if (ch == 0)
            break;

        BSB_EXPORT_rewind(*curbsb, 1);

        if (ch & 0xc0) {
            if (didPointer > 5)
                return 0;
            didPointer++;
            int tpos = 0;
            BSB_IMPORT_u16(*curbsb, tpos);
            tpos &= 0x3fff;

            BSB_INIT(tmpbsb, full+tpos, fulllen - tpos);
            curbsb = &tmpbsb;
            continue;
        } 

        if (BSB_LENGTH(nbsb)) {
            BSB_EXPORT_u08(nbsb, '.');
        }

        if (dns_name_element(&nbsb, curbsb) && BSB_LENGTH(nbsb))
            BSB_EXPORT_rewind(nbsb, 1); // Remove last .
    }
    *namelen = BSB_LENGTH(nbsb);
    BSB_EXPORT_u08(nbsb, 0);
    return name;
}
Exemplo n.º 5
0
void netflow_send()
{
    BSB hbsb;

    BSB_INIT(hbsb, buf, headerSize);

    uint32_t sys_uptime = (bufTime.tv_sec - initialPacket.tv_sec)*1000; /*+
                          (bufTIme.tv_usec - initialPacket.tv_usec)/1000;*/
                 

    /* Header */
    BSB_EXPORT_u16(hbsb, netflowVersion);
    BSB_EXPORT_u16(hbsb, bufCount); // count
    BSB_EXPORT_u32(hbsb, sys_uptime); // sys_uptime
    BSB_EXPORT_u32(hbsb, bufTime.tv_sec);
    BSB_EXPORT_u32(hbsb, bufTime.tv_usec);

    switch (netflowVersion) {
    case 5:
        BSB_EXPORT_u32(hbsb, totalFlows); // flow_sequence
        BSB_EXPORT_u08(hbsb, 0); // engine_type
        BSB_EXPORT_u08(hbsb, 0); // engine_id
        BSB_EXPORT_u16(hbsb, 0); // mode/interval
        break;
    case 7:
        BSB_EXPORT_u32(hbsb, totalFlows); // flow_sequence
        BSB_EXPORT_u32(hbsb, 0); // reserved
        break;
    }

    int i;
    for (i = 0; i < numDests; i++) {
        int rc;
        
        if ((rc = send(dests[i].fd, buf, BSB_LENGTH(bsb)+headerSize, 0)) < BSB_LENGTH(bsb)+headerSize) {
            LOG("Failed to send rc=%d size=%ld", rc, BSB_LENGTH(bsb)+headerSize);
        }
    }

    totalFlows += bufCount;
    BSB_INIT(bsb, buf + headerSize, sizeof(buf) - headerSize);
    bufCount = 0;
}
Exemplo n.º 6
0
Arquivo: tls.c Projeto: ariosx/moloch
void tls_process_server_hello(MolochSession_t *session, const unsigned char *data, int len)
{
    BSB bsb;
    BSB_INIT(bsb, data, len);

    unsigned char *ver;
    BSB_IMPORT_ptr(bsb, ver, 2);

    BSB_IMPORT_skip(bsb, 32);     // Random

    int skiplen = 0;
    BSB_IMPORT_u08(bsb, skiplen);   // Session Id Length
    BSB_IMPORT_skip(bsb, skiplen);  // Session Id

    unsigned char *cipher;
    BSB_IMPORT_ptr(bsb, cipher, 2);

    if (!BSB_IS_ERROR(bsb)) {
        char str[100];
        if (ver[0] == 3) {
            switch (ver[1]) {
            case 0:
                moloch_field_string_add(verField, session, "SSLv3", 5, TRUE);
                break;
            case 1:
                moloch_field_string_add(verField, session, "TLSv1", 5, TRUE);
                break;
            case 2:
                moloch_field_string_add(verField, session, "TLSv1.1", 7, TRUE);
                break;
            case 3:
                moloch_field_string_add(verField, session, "TLSv1.2", 7, TRUE);
                break;
            default:
                snprintf(str, sizeof(str), "0x%02x.%02x", ver[0], ver[1]);
                moloch_field_string_add(verField, session, str, 6, TRUE);
            }
        } else {
            snprintf(str, sizeof(str), "0x%02x.%02x", ver[0], ver[1]);
            moloch_field_string_add(verField, session, str, 7, TRUE);
        }


        char *cipherStr = ciphers[cipher[0]][cipher[1]];
        if (cipherStr)
            moloch_field_string_add(cipherField, session, cipherStr, -1, TRUE);
        else {
            snprintf(str, sizeof(str), "%02X%02X", cipher[0], cipher[1]);
            moloch_field_string_add(cipherField, session, str, 4, TRUE);
        }
    }
}
Exemplo n.º 7
0
Arquivo: tls.c Projeto: ariosx/moloch
void
tls_alt_names(MolochCertsInfo_t *certs, BSB *bsb, char *lastOid)
{
    int apc, atag, alen;

    while (BSB_REMAINING(*bsb) >= 2) {
        unsigned char *value = moloch_parsers_asn_get_tlv(bsb, &apc, &atag, &alen);

        if (!value)
            return;

        if (apc) {
            BSB tbsb;
            BSB_INIT(tbsb, value, alen);
            tls_alt_names(certs, &tbsb, lastOid);
            if (certs->alt.s_count > 0) {
                return;
            }
        } else if (atag == 6)  {
            moloch_parsers_asn_decode_oid(lastOid, 100, value, alen);
            if (strcmp(lastOid, "2.5.29.17") != 0)
                lastOid[0] = 0;
        } else if (lastOid[0] && atag == 4) {
            BSB tbsb;
            BSB_INIT(tbsb, value, alen);
            tls_alt_names(certs, &tbsb, lastOid);
            return;
        } else if (lastOid[0] && atag == 2) {
            MolochString_t *element = MOLOCH_TYPE_ALLOC0(MolochString_t);
            element->str = g_ascii_strdown((char*)value, alen);
            element->len = alen;
            DLL_PUSH_TAIL(s_, &certs->alt, element);
        }
    }
    lastOid[0] = 0;
    return;
}
Exemplo n.º 8
0
Arquivo: krb5.c Projeto: paulpc/moloch
LOCAL void krb5_udp_classify(MolochSession_t *session, const unsigned char *data, int len, int UNUSED(which), void *UNUSED(uw))
{
    if (moloch_session_has_protocol(session, "krb5"))
        return;

    BSB obsb;
    uint32_t opc, otag, olen;

    BSB_INIT(obsb, data, len);
    moloch_parsers_asn_get_tlv(&obsb, &opc, &otag, &olen);
#ifdef KRB5_DEBUG
    LOG("enter %u %u %u", opc, otag, olen);
#endif
    if (opc && (otag == 10 || otag == 12 || otag == 30) && len >= (int)olen) {
        moloch_parsers_register(session, krb5_udp_parser, 0, 0);
    }
}
Exemplo n.º 9
0
Arquivo: tls.c Projeto: ariosx/moloch
void
tls_certinfo_process(MolochCertInfo_t *ci, BSB *bsb)
{
    int apc, atag, alen;
    char lastOid[1000];
    lastOid[0] = 0;

    while (BSB_REMAINING(*bsb)) {
        unsigned char *value = moloch_parsers_asn_get_tlv(bsb, &apc, &atag, &alen);
        if (!value)
            return;

        if (apc) {
            BSB tbsb;
            BSB_INIT(tbsb, value, alen);
            tls_certinfo_process(ci, &tbsb);
        } else if (atag  == 6)  {
            moloch_parsers_asn_decode_oid(lastOid, sizeof(lastOid), value, alen);
        } else if (lastOid[0] && (atag == 20 || atag == 19 || atag == 12))  {
            /* 20 == BER_UNI_TAG_TeletexString
             * 19 == BER_UNI_TAG_PrintableString
             * 12 == BER_UNI_TAG_UTF8String
             */
            if (strcmp(lastOid, "2.5.4.3") == 0) {
                MolochString_t *element = MOLOCH_TYPE_ALLOC(MolochString_t);
                element->utf8 = atag == 12;
                if (element->utf8)
                    element->str = g_utf8_strdown((char*)value, alen);
                else
                    element->str = g_ascii_strdown((char*)value, alen);
                DLL_PUSH_TAIL(s_, &ci->commonName, element);
            } else if (strcmp(lastOid, "2.5.4.10") == 0) {
                if (ci->orgName) {
                    LOG("Multiple orgName %s => %.*s", ci->orgName, alen, value);
                    free(ci->orgName);
                }
                ci->orgUtf8 = atag == 12;
                ci->orgName = g_strndup((char*)value, alen);
            }
        }
    }
}
Exemplo n.º 10
0
// SSH Parsing currently assumes the parts we want from a SSH Packet will be
// in a single TCP packet.  Kind of sucks.
int ssh_parser(MolochSession_t *session, void *uw, const unsigned char *data, int remaining, int which)
{
    SSHInfo_t *ssh = uw;

    if (memcmp("SSH", data, 3) == 0) {
        unsigned char *n = memchr(data, 0x0a, remaining);
        if (n && *(n-1) == 0x0d)
            n--;

        if (n) {
            int len = (n - data);

            char *str = g_ascii_strdown((char *)data, len);

            if (!moloch_field_string_add(verField, session, str, len, FALSE)) {
                g_free(str);
            }
        }
        return 0;
    }

    if (which != 1)
        return 0;

    BSB bsb;
    BSB_INIT(bsb, data, remaining);

    while (BSB_REMAINING(bsb) > 6) {
        uint32_t loopRemaining = BSB_REMAINING(bsb);

        // If 0 looking for a ssh packet, otherwise in the middle of ssh packet
        if (ssh->sshLen == 0) {
            BSB_IMPORT_u32(bsb, ssh->sshLen);

            // Can't have a ssh packet > 35000 bytes.
            if (ssh->sshLen >= 35000) {
                moloch_parsers_unregister(session, uw);
                return 0;
            }
            ssh->sshLen += 4;

            uint8_t    sshCode = 0;
            BSB_IMPORT_skip(bsb, 1); // padding length
            BSB_IMPORT_u08(bsb, sshCode);

            if (sshCode == 33) {
                moloch_parsers_unregister(session, uw);

                uint32_t keyLen = 0;
                BSB_IMPORT_u32(bsb, keyLen);

                if (!BSB_IS_ERROR(bsb) && BSB_REMAINING(bsb) >= keyLen) {
                    char *str = g_base64_encode(BSB_WORK_PTR(bsb), keyLen);
                    if (!moloch_field_string_add(keyField, session, str, (keyLen/3+1)*4, FALSE)) {
                        g_free(str);
                    }
                }
                break;
            }
        }

        if (loopRemaining > ssh->sshLen) {
            // Processed all, looking for another packet
            BSB_IMPORT_skip(bsb, loopRemaining);
            ssh->sshLen = 0;
            continue;
        } else {
            // Waiting on more data then in this callback
            ssh->sshLen -= loopRemaining;
            break;
        }
    }
    return 0;
}
Exemplo n.º 11
0
Arquivo: tls.c Projeto: ariosx/moloch
void
tls_process_client(MolochSession_t *session, const unsigned char *data, int len)
{
    BSB sslbsb;

    BSB_INIT(sslbsb, data, len);

    if (BSB_REMAINING(sslbsb) > 5) {
        unsigned char *ssldata = BSB_WORK_PTR(sslbsb);
        int            ssllen = MIN(BSB_REMAINING(sslbsb) - 5, ssldata[3] << 8 | ssldata[4]);

        BSB pbsb;
        BSB_INIT(pbsb, ssldata+5, ssllen);

        if (BSB_REMAINING(pbsb) > 7) {
            unsigned char *pdata = BSB_WORK_PTR(pbsb);
            int            plen = MIN(BSB_REMAINING(pbsb) - 4, pdata[2] << 8 | pdata[3]);

            BSB cbsb;
            BSB_INIT(cbsb, pdata+6, plen-2); // The - 4 for plen is done above, confusing

            if(BSB_REMAINING(cbsb) > 32) {
                BSB_IMPORT_skip(cbsb, 32);     // Random

                int skiplen = 0;
                BSB_IMPORT_u08(cbsb, skiplen);   // Session Id Length
                BSB_IMPORT_skip(cbsb, skiplen);  // Session Id

                BSB_IMPORT_u16(cbsb, skiplen);   // Ciper Suites Length
                BSB_IMPORT_skip(cbsb, skiplen);  // Ciper Suites

                BSB_IMPORT_u08(cbsb, skiplen);   // Compression Length
                BSB_IMPORT_skip(cbsb, skiplen);  // Compressions

                if (BSB_REMAINING(cbsb) > 2) {
                    int etotlen = 0;
                    BSB_IMPORT_u16(cbsb, etotlen);  // Extensions Length

                    etotlen = MIN(etotlen, BSB_REMAINING(cbsb));

                    BSB ebsb;
                    BSB_INIT(ebsb, BSB_WORK_PTR(cbsb), etotlen);

                    while (BSB_REMAINING(ebsb) > 0) {
                        int etype = 0, elen = 0;

                        BSB_IMPORT_u16 (ebsb, etype);
                        BSB_IMPORT_u16 (ebsb, elen);
                        if (etype != 0) {
                            BSB_IMPORT_skip (ebsb, elen);
                            continue;
                        }

                        if (elen > BSB_REMAINING(ebsb))
                            break;

                        BSB snibsb;
                        BSB_INIT(snibsb, BSB_WORK_PTR(ebsb), elen);
                        BSB_IMPORT_skip (ebsb, elen);

                        int sni = 0;
                        BSB_IMPORT_u16(snibsb, sni); // list len
                        if (sni != BSB_REMAINING(snibsb))
                            continue;

                        BSB_IMPORT_u08(snibsb, sni); // type
                        if (sni != 0)
                            continue;

                        BSB_IMPORT_u16(snibsb, sni); // len
                        if (sni != BSB_REMAINING(snibsb))
                            continue;

                        moloch_field_string_add(hostField, session, (char *)BSB_WORK_PTR(snibsb), sni, TRUE);
                    }
                }
            }
        }

        BSB_IMPORT_skip(sslbsb, ssllen + 5);
    }
}
Exemplo n.º 12
0
Arquivo: tls.c Projeto: ariosx/moloch
void tls_process_server_certificate(MolochSession_t *session, const unsigned char *data, int len)
{
    BSB cbsb;

    BSB_INIT(cbsb, data, len);

    BSB_IMPORT_skip(cbsb, 3); // Length again

    while(BSB_REMAINING(cbsb) > 3) {
        int            badreason = 0;
        unsigned char *cdata = BSB_WORK_PTR(cbsb);
        int            clen = MIN(BSB_REMAINING(cbsb) - 3, (cdata[0] << 16 | cdata[1] << 8 | cdata[2]));

        MolochCertsInfo_t *certs = MOLOCH_TYPE_ALLOC0(MolochCertsInfo_t);
        DLL_INIT(s_, &certs->alt);
        DLL_INIT(s_, &certs->subject.commonName);
        DLL_INIT(s_, &certs->issuer.commonName);

        int            atag, alen, apc;
        unsigned char *value;

        BSB            bsb;
        BSB_INIT(bsb, cdata + 3, clen);

        /* Certificate */
        if (!(value = moloch_parsers_asn_get_tlv(&bsb, &apc, &atag, &alen)))
            {badreason = 1; goto bad_cert;}
        BSB_INIT(bsb, value, alen);

        /* signedCertificate */
        if (!(value = moloch_parsers_asn_get_tlv(&bsb, &apc, &atag, &alen)))
            {badreason = 2; goto bad_cert;}
        BSB_INIT(bsb, value, alen);

        /* serialNumber or version*/
        if (!(value = moloch_parsers_asn_get_tlv(&bsb, &apc, &atag, &alen)))
            {badreason = 3; goto bad_cert;}

        if (apc) {
            if (!(value = moloch_parsers_asn_get_tlv(&bsb, &apc, &atag, &alen)))
                {badreason = 4; goto bad_cert;}
        }
        certs->serialNumberLen = alen;
        certs->serialNumber = malloc(alen);
        memcpy(certs->serialNumber, value, alen);

        /* signature */
        if (!(value = moloch_parsers_asn_get_tlv(&bsb, &apc, &atag, &alen)))
            {badreason = 5; goto bad_cert;}

        /* issuer */
        if (!(value = moloch_parsers_asn_get_tlv(&bsb, &apc, &atag, &alen)))
            {badreason = 6; goto bad_cert;}
        BSB tbsb;
        BSB_INIT(tbsb, value, alen);
        tls_certinfo_process(&certs->issuer, &tbsb);

        /* validity */
        if (!(value = moloch_parsers_asn_get_tlv(&bsb, &apc, &atag, &alen)))
            {badreason = 7; goto bad_cert;}

        /* subject */
        if (!(value = moloch_parsers_asn_get_tlv(&bsb, &apc, &atag, &alen)))
            {badreason = 8; goto bad_cert;}
        BSB_INIT(tbsb, value, alen);
        tls_certinfo_process(&certs->subject, &tbsb);

        /* subjectPublicKeyInfo */
        if (!(value = moloch_parsers_asn_get_tlv(&bsb, &apc, &atag, &alen)))
            {badreason = 9; goto bad_cert;}

        /* extensions */
        if (BSB_REMAINING(bsb)) {
            if (!(value = moloch_parsers_asn_get_tlv(&bsb, &apc, &atag, &alen)))
                {badreason = 10; goto bad_cert;}
            BSB tbsb;
            BSB_INIT(tbsb, value, alen);
            char lastOid[100];
            lastOid[0] = 0;
            tls_alt_names(certs, &tbsb, lastOid);
        }

        if (!moloch_field_certsinfo_add(certsField, session, certs, clen*2)) {
            moloch_field_certsinfo_free(certs);
        }

        BSB_IMPORT_skip(cbsb, clen + 3);

        continue;

    bad_cert:
        if (config.debug)
            LOG("bad cert %d - %d", badreason, clen);
        moloch_field_certsinfo_free(certs);
        break;
    }
}
Exemplo n.º 13
0
Arquivo: wise.c Projeto: Amelos/moloch
void wise_cb(unsigned char *data, int data_len, gpointer uw)
{

    BSB             bsb;
    WiseRequest_t *request = uw;
    int             i;

    inflight -= request->numItems;

    BSB_INIT(bsb, data, data_len);

    uint32_t fts = 0, ver = 0;
    BSB_IMPORT_u32(bsb, fts);
    BSB_IMPORT_u32(bsb, ver);

    if (BSB_IS_ERROR(bsb) || ver != 0) {
        for (i = 0; i < request->numItems; i++) {
            wise_free_item(request->items[i]);
        }
        MOLOCH_TYPE_FREE(WiseRequest_t, request);
        return;
    }

    if (fts != fieldsTS)
        wise_load_fields();

    struct timeval currentTime;
    gettimeofday(&currentTime, NULL);

    for (i = 0; i < request->numItems; i++) {
        WiseItem_t    *wi = request->items[i];
        BSB_IMPORT_u08(bsb, wi->numOps);

        if (wi->numOps > 0) {
            wi->ops = malloc(wi->numOps * sizeof(WiseOp_t));

            int i;
            for (i = 0; i < wi->numOps; i++) {
                WiseOp_t *op = &(wi->ops[i]);

                int rfield = 0;
                BSB_IMPORT_u08(bsb, rfield);
                op->fieldPos = fieldsMap[rfield];

                int len = 0;
                BSB_IMPORT_u08(bsb, len);
                char *str = (char*)BSB_WORK_PTR(bsb);
                BSB_IMPORT_skip(bsb, len);

                switch (config.fields[op->fieldPos]->type) {
                case  MOLOCH_FIELD_TYPE_INT_HASH:
                    if (op->fieldPos == tagsField) {
                        moloch_db_get_tag(NULL, tagsField, str, NULL); // Preload the tagname -> tag mapping
                        op->str = g_strdup(str);
                        op->strLenOrInt = len - 1;
                        continue;
                    }
                    // Fall thru
                case  MOLOCH_FIELD_TYPE_INT:
                case  MOLOCH_FIELD_TYPE_INT_ARRAY:
                    op->str = 0;
                    op->strLenOrInt = atoi(str);
                    break;
                case  MOLOCH_FIELD_TYPE_STR:
                case  MOLOCH_FIELD_TYPE_STR_ARRAY:
                case  MOLOCH_FIELD_TYPE_STR_HASH:
                    op->str = g_strdup(str);
                    op->strLenOrInt = len - 1;
                    break;
                case  MOLOCH_FIELD_TYPE_IP:
                case  MOLOCH_FIELD_TYPE_IP_HASH:
                    op->str = 0;
                    op->strLenOrInt = inet_addr(str);
                    break;
                default:
                    LOG("WARNING - Unsupported expression type for %s", str);
                    continue;
                }
            }
        }

        wi->loadTime = currentTime.tv_sec;

        int s;
        for (s = 0; s < wi->numSessions; s++) {
            wise_process_ops(wi->sessions[s], wi);
            moloch_nids_decr_outstanding(wi->sessions[s]);
        }
        g_free(wi->sessions);
        wi->sessions = 0;
        wi->numSessions = 0;

        DLL_PUSH_HEAD(wil_, &itemList[(int)wi->type], wi);
        // Cache needs to be reduced
        if (itemList[(int)wi->type].wil_count > maxCache) {
            DLL_POP_TAIL(wil_, &itemList[(int)wi->type], wi);
            wise_free_item(wi);
        }
    }
    MOLOCH_TYPE_FREE(WiseRequest_t, request);
}
Exemplo n.º 14
0
void dns_parser(MolochSession_t *session, const unsigned char *data, int len) 
{

    if (len < 18)
        return;

    int qr      = (data[2] >> 7) & 0x1;
    int opcode  = (data[2] >> 3) & 0xf;

    if (opcode != 0)
        return;

    int qdcount = (data[4] << 8) | data[5];
    int ancount = (data[6] << 8) | data[7];

    if (qdcount > 10 || qdcount <= 0)
        return;

    BSB bsb;
    BSB_INIT(bsb, data + 12, len - 12);

    /* QD Section */
    int i;
    for (i = 0; BSB_NOT_ERROR(bsb) && i < qdcount; i++) {
        int namelen;
        unsigned char *name = dns_name(data, len, &bsb, &namelen);

        if (BSB_IS_ERROR(bsb))
            break;

        if (!namelen) {
            name = (unsigned char*)"<root>";
            namelen = 6;
        }

        unsigned short qtype = 0 , qclass = 0 ;
        BSB_IMPORT_u16(bsb, qtype);
        BSB_IMPORT_u16(bsb, qclass);

        char *lower = g_ascii_strdown((char*)name, namelen);

        if (qclass <= 255 && qclasses[qclass]) {
            moloch_field_string_add(queryClassField, session, qclasses[qclass], -1, TRUE);
        }

        if (qtype <= 255 && qtypes[qtype]) {
            moloch_field_string_add(queryTypeField, session, qtypes[qtype], -1, TRUE);
        }

        if (lower && !moloch_field_string_add(hostField, session, lower, namelen, FALSE)) {
            g_free(lower);
        }
    }
    moloch_nids_add_protocol(session, "dns");

    if (qr == 0)
        return;

    int rcode      = data[3] & 0xf;
    moloch_field_string_add(statusField, session, statuses[rcode], -1, TRUE);

    for (i = 0; BSB_NOT_ERROR(bsb) && i < ancount; i++) {
        int namelen;
        dns_name(data, len, &bsb, &namelen);

        if (BSB_IS_ERROR(bsb))
            break;

        uint16_t antype = 0;
        BSB_IMPORT_u16 (bsb, antype);
        uint16_t anclass = 0;
        BSB_IMPORT_u16 (bsb, anclass);
        BSB_IMPORT_skip(bsb, 4); // ttl
        uint16_t rdlength = 0;
        BSB_IMPORT_u16 (bsb, rdlength);

        if (BSB_REMAINING(bsb) < rdlength) {
            break;
        }

        if (anclass != 1) {
            BSB_IMPORT_skip(bsb, rdlength);
            continue;
        }

        switch (antype) {
        case 1: {
            if (rdlength != 4)
                break;
            struct in_addr in;
            unsigned char *ptr = BSB_WORK_PTR(bsb);
            in.s_addr = ptr[3] << 24 | ptr[2] << 16 | ptr[1] << 8 | ptr[0];

            moloch_field_int_add(ipField, session, in.s_addr);
            break;
        }
        case 5: {
            BSB rdbsb;
            BSB_INIT(rdbsb, BSB_WORK_PTR(bsb), rdlength);

            int namelen;
            unsigned char *name = dns_name(data, len, &rdbsb, &namelen);

            if (!namelen || BSB_IS_ERROR(rdbsb))
                continue;

            char *lower = g_ascii_strdown((char*)name, namelen);

            if (lower && !moloch_field_string_add(hostField, session, lower, namelen, FALSE)) {
                g_free(lower);
            }
            break;
        }
        case 15: {
            BSB rdbsb;
            BSB_INIT(rdbsb, BSB_WORK_PTR(bsb), rdlength);
            BSB_IMPORT_skip(rdbsb, 2); // preference

            int namelen;
            unsigned char *name = dns_name(data, len, &rdbsb, &namelen);

            if (!namelen || BSB_IS_ERROR(rdbsb))
                continue;

            char *lower = g_ascii_strdown((char*)name, namelen);

            if (lower && !moloch_field_string_add(hostField, session, lower, namelen, FALSE)) {
                g_free(lower);
            }
        }
        } /* switch */
        BSB_IMPORT_skip(bsb, rdlength);
    }
}
Exemplo n.º 15
0
int radius_udp_parser(MolochSession_t *session, void *UNUSED(uw), const unsigned char *data, int len, int UNUSED(which))
{
    BSB bsb;

    BSB_INIT(bsb, data, len);

    BSB_IMPORT_skip(bsb, 20);

    unsigned char type = 0, length = 0;
    unsigned char *value;
    char str[256];
    struct in_addr in;
    int i;

    while (BSB_REMAINING(bsb) > 2) {
        BSB_IMPORT_u08(bsb, type);
        BSB_IMPORT_u08(bsb, length);
        length -= 2; // length includes the type/length
        BSB_IMPORT_ptr(bsb, value, length);
        if (BSB_IS_ERROR(bsb)) {
            break;
        }
        switch (type) {
        case 1:
            moloch_field_string_add(userField, session, (char *)value, length, TRUE);
            break;
    /*    case 4:
            LOG("NAS-IP-Address: %d %d %u.%u.%u.%u", type, length, value[0], value[1], value[2], value[3]);
            break;*/
        case 8:
            memcpy(&in.s_addr, value, 4);
            moloch_field_int_add(framedIpField, session, in.s_addr);
            break;
        case 31:
            if (length == 12) {
                snprintf(str, sizeof(str), "%c%c:%c%c:%c%c:%c%c:%c%c:%c%c",
                        value[0], value[1],
                        value[2], value[3],
                        value[4], value[5],
                        value[6], value[7],
                        value[8], value[9],
                        value[10], value[11]);
                for (i = 0; i < 17; i++) {
                    if (isupper (str[i]))
                      str[i] = tolower (str[i]);
                }
                moloch_field_string_add(macField, session, str, 17, TRUE);
            }
            break;
        case 66:
            memcpy(str, value, length);
            str[length] = 0;
            inet_aton(str, &in);
            moloch_field_int_add(endpointIpField, session, in.s_addr);
            break;

/*        default:
            LOG("%d %d %.*s", type, length, length, value);*/
        }
    }
    return 0;
}
Exemplo n.º 16
0
Arquivo: quic.c Projeto: paulpc/moloch
LOCAL int quic_udp_parser(MolochSession_t *session, void *UNUSED(uw), const unsigned char *data, int len, int UNUSED(which))
{
    int version = -1;
    int offset = 1;

    // PUBLIC_FLAG_RESET
    if (data[0] & 0x02) {
        return 0;
    }

    // CID
    if (data[0] & 0x08) {
        offset += 8;
    }

    // Get version
    if (data[0] & 0x01 && data[offset] == 'Q') {
        version = (data[offset+1] - '0') * 100 +
                  (data[offset+2] - '0') * 10 +
                  (data[offset+3] - '0');
        offset += 4;
    }

    // Unsupported version
    if (version < 24) {
        moloch_parsers_unregister(session, uw);
        return 0;
    }

    // Diversification only is from server to client, so we can ignore

    // Packet number size
    if ((data[0] & 0x30) == 0) {
        offset++;
    } else {
        offset += ((data[0] & 0x30) >> 4) * 2;
    }

    // Hash
    offset += 12;

    // Private Flags
    if (version < 34)
        offset++;

    if (offset > len)
        return 0;

    BSB bsb;
    BSB_INIT(bsb, data+offset, len-offset);

    while (!BSB_IS_ERROR(bsb) && BSB_REMAINING(bsb)) {
        uint8_t type = 0;
        BSB_LIMPORT_u08(bsb, type);

        //1fdooossB
        if ((type & 0x80) == 0) {
            return 0;
        }

        int offsetLen = 0;
        if (type & 0x1C) {
            offsetLen = ((type & 0x1C) >> 2) + 1;
        }

        int streamLen = (type & 0x03) + 1;

        BSB_LIMPORT_skip(bsb, streamLen + offsetLen);

        int dataLen = BSB_REMAINING(bsb);
        if (type & 0x20) {
            BSB_LIMPORT_u16(bsb, dataLen);
        }

        if (BSB_IS_ERROR(bsb))
            return 0;

        BSB dbsb;
        BSB_INIT(dbsb, BSB_WORK_PTR(bsb), MIN(dataLen, BSB_REMAINING(bsb)));
        BSB_IMPORT_skip(bsb, dataLen);

        quic_chlo_parser(session,dbsb);
        moloch_parsers_unregister(session, uw);
        return 0;
    }