Exemplo n.º 1
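/*
 * Initialise the SOCKS parser: define the four session fields and register
 * the TCP classifiers that hand a matching stream to socks5_classify or
 * socks4_classify.
 *
 * Each moloch_field_define result is kept in a file-scope global (ipField,
 * hostField, portField, userField) for use elsewhere in this file.  The
 * variadic tail of every define is a NULL-terminated key/value list: every
 * field declares an "aliases" JSON array of alternative expression names,
 * and the IP field additionally names "sockspo" (the port field defined
 * below it) through the "portField" key.
 *
 * Classification keys on the bytes at the second argument (0, presumably a
 * stream offset): 0x05 is registered as "socks5", 0x04 followed by 0x00 or
 * 0x01 as "socks4".  The string literals live for the whole process, so it
 * does not matter whether the registry copies them.
 *
 * The prototype uses (void): an empty parameter list is obsolescent in C11
 * and disables argument checking at call sites.
 */
void moloch_parser_init(void)
{
    ipField = moloch_field_define("socks", "ip",
        "ip.socks", "IP", "socksip",
        "SOCKS destination IP",
        MOLOCH_FIELD_TYPE_IP, MOLOCH_FIELD_FLAG_IPPRE,
        "aliases", "[\"ip.socks\"]",
        "portField", "sockspo", NULL);

    hostField = moloch_field_define("socks", "lotermfield",
        "host.socks", "Host", "socksho",
        "SOCKS destination host",
        MOLOCH_FIELD_TYPE_STR,       0,
        "aliases", "[\"socks.host\"]", NULL);

    portField = moloch_field_define("socks", "integer",
        "port.socks", "Port", "sockspo",
        "SOCKS destination port",
        MOLOCH_FIELD_TYPE_INT,       0,
        "aliases", "[\"socks.port\"]", NULL);

    userField = moloch_field_define("socks", "termfield",
        "socks.user", "User", "socksuser",
        "SOCKS authenticated user",
        MOLOCH_FIELD_TYPE_STR,     0,
        "aliases", "[\"socksuser\"]", NULL);

    /* "\004\000" has an embedded NUL, hence the explicit length of 2. */
    moloch_parsers_classifier_register_tcp("socks5", 0, (unsigned char*)"\005", 1, socks5_classify);
    moloch_parsers_classifier_register_tcp("socks4", 0, (unsigned char*)"\004\000", 2, socks4_classify);
    moloch_parsers_classifier_register_tcp("socks4", 0, (unsigned char*)"\004\001", 2, socks4_classify);
}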
Exemplo n.º 2
Arquivo: krb5.c Projeto: paulpc/moloch
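/*
 * Initialise the Kerberos 5 parser: define the realm, cname and sname
 * fields and register the classifiers that hand matching packets to
 * krb5_udp_classify / krb5_tcp_classify.
 *
 * The field ids are kept in the file-scope realmField, cnameField and
 * snameField globals.  All three are MOLOCH_FIELD_TYPE_STR_HASH fields
 * flagged MOLOCH_FIELD_FLAG_CNT; the trailing (char *)NULL terminates the
 * variadic key/value list.
 *
 * The same four-byte marker "\x03\x02\x01\x05" is registered at the third
 * argument 7 and 9 for UDP and 11 and 13 for TCP (presumably byte offsets,
 * as in the other parsers).  The marker is a string literal, so its
 * lifetime covers any registry that keeps the pointer.
 *
 * The prototype uses (void): an empty parameter list is obsolescent in C11
 * and disables argument checking at call sites.
 */
void moloch_parser_init(void)
{
    realmField = moloch_field_define("krb5", "termfield",
        "krb5.realm", "Realm", "krb5.realm",
        "Kerberos 5 Realm",
        MOLOCH_FIELD_TYPE_STR_HASH,  MOLOCH_FIELD_FLAG_CNT,
        (char *)NULL);

    cnameField = moloch_field_define("krb5", "termfield",
        "krb5.cname", "cname", "krb5.cname",
        "Kerberos 5 cname",
        MOLOCH_FIELD_TYPE_STR_HASH,  MOLOCH_FIELD_FLAG_CNT,
        (char *)NULL);

    snameField = moloch_field_define("krb5", "termfield",
        "krb5.sname", "sname", "krb5.sname",
        "Kerberos 5 sname",
        MOLOCH_FIELD_TYPE_STR_HASH,  MOLOCH_FIELD_FLAG_CNT,
        (char *)NULL);

    /* One marker, four positions; registration order is UDP 7, 9 then TCP
     * 11, 13, exactly as the registry has always seen it. */
    unsigned char *marker = (unsigned char *)"\x03\x02\x01\x05";
    static const int udp_offsets[] = { 7, 9 };
    static const int tcp_offsets[] = { 11, 13 };

    for (unsigned i = 0; i < sizeof udp_offsets / sizeof udp_offsets[0]; i++) {
        moloch_parsers_classifier_register_udp("krb5", 0, udp_offsets[i], marker, 4, krb5_udp_classify);
    }
    for (unsigned i = 0; i < sizeof tcp_offsets / sizeof tcp_offsets[0]; i++) {
        moloch_parsers_classifier_register_tcp("krb5", 0, tcp_offsets[i], marker, 4, krb5_tcp_classify);
    }
}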
Exemplo n.º 3
Arquivo: irc.c Projeto: abpin/moloch
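/*
 * Initialise the IRC parser: define the nick and channel fields under their
 * fixed internal ids (MOLOCH_FIELD_IRC_NICK / MOLOCH_FIELD_IRC_CHANNELS) and
 * register the four TCP prefixes that hand a stream to irc_classify.
 *
 * All four prefixes are matched at the second argument 0 (presumably a
 * stream offset); the lengths exclude the terminating NUL.  The literals
 * are static, so the registry may keep the pointers.
 *
 * The prototype uses (void): an empty parameter list is obsolescent in C11
 * and disables argument checking at call sites.
 */
void moloch_parser_init(void)
{
    moloch_field_define_internal(MOLOCH_FIELD_IRC_NICK,      "ircnck", MOLOCH_FIELD_TYPE_STR_HASH,  MOLOCH_FIELD_FLAG_CNT);
    moloch_field_define_internal(MOLOCH_FIELD_IRC_CHANNELS,  "ircch",  MOLOCH_FIELD_TYPE_STR_HASH,  MOLOCH_FIELD_FLAG_CNT);

    /* Registration order is preserved: ":" first, then the three commands. */
    static const struct {
        const char *bytes;
        int         len;
    } prefixes[] = {
        { ":",           1  },
        { "NOTICE AUTH", 11 },
        { "NICK ",       5  },
        { "USER ",       5  },
    };

    for (unsigned i = 0; i < sizeof prefixes / sizeof prefixes[0]; i++) {
        moloch_parsers_classifier_register_tcp("irc", 0, (unsigned char *)prefixes[i].bytes, prefixes[i].len, irc_classify);
    }
}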
Exemplo n.º 4
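/*
 * Initialise the IRC parser: define the nickname and channel fields and
 * register the four TCP prefixes that hand a stream to irc_classify.
 *
 * The field ids are kept in the file-scope nickField and channelsField
 * globals; both are MOLOCH_FIELD_TYPE_STR_HASH fields flagged
 * MOLOCH_FIELD_FLAG_CNT, and the trailing NULL ends the variadic list.
 *
 * All four prefixes are matched at the second argument 0 (presumably a
 * stream offset); the lengths exclude the terminating NUL.  The literals
 * are static, so the registry may keep the pointers.
 *
 * The prototype uses (void): an empty parameter list is obsolescent in C11
 * and disables argument checking at call sites.
 */
void moloch_parser_init(void)
{
    nickField = moloch_field_define("irc", "termfield",
        "irc.nick", "Nickname", "ircnck",
        "Nicknames set",
        MOLOCH_FIELD_TYPE_STR_HASH, MOLOCH_FIELD_FLAG_CNT,
        NULL);

    channelsField = moloch_field_define("irc", "termfield",
        "irc.channel", "Channel", "ircch",
        "Channels joined",
        MOLOCH_FIELD_TYPE_STR_HASH, MOLOCH_FIELD_FLAG_CNT,
        NULL);

    /* Registration order is preserved: ":" first, then the three commands. */
    static const struct {
        const char *bytes;
        int         len;
    } prefixes[] = {
        { ":",           1  },
        { "NOTICE AUTH", 11 },
        { "NICK ",       5  },
        { "USER ",       5  },
    };

    for (unsigned i = 0; i < sizeof prefixes / sizeof prefixes[0]; i++) {
        moloch_parsers_classifier_register_tcp("irc", 0, (unsigned char *)prefixes[i].bytes, prefixes[i].len, irc_classify);
    }
}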
Exemplo n.º 5
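/*
 * Initialise the SSH parser: define the version and key fields and register
 * the "SSH" banner prefix that hands a stream to ssh_classify.
 *
 * The field ids are kept in the file-scope verField and keyField globals;
 * both are MOLOCH_FIELD_TYPE_STR_HASH fields flagged MOLOCH_FIELD_FLAG_CNT,
 * and the trailing NULL ends the variadic key/value list.
 *
 * This file uses the six-argument classifier form: the second argument is
 * per-classifier user data (NULL here) and the third, 0, is presumably the
 * stream offset at which "SSH" must appear.
 *
 * The prototype uses (void): an empty parameter list is obsolescent in C11
 * and disables argument checking at call sites.
 */
void moloch_parser_init(void)
{
    verField = moloch_field_define("ssh", "lotermfield",
        "ssh.ver", "Version", "sshver",
        "SSH Software Version",
        MOLOCH_FIELD_TYPE_STR_HASH,  MOLOCH_FIELD_FLAG_CNT,
        NULL);

    keyField = moloch_field_define("ssh", "termfield",
        "ssh.key", "Key", "sshkey",
        "SSH Key",
        MOLOCH_FIELD_TYPE_STR_HASH,  MOLOCH_FIELD_FLAG_CNT,
        NULL);

    moloch_parsers_classifier_register_tcp("ssh", NULL, 0, (unsigned char*)"SSH", 3, ssh_classify);
}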
Exemplo n.º 6
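/*
 * Register the classifiers for the small protocols handled in this file.
 * No session fields are defined here; each entry only routes a stream or
 * datagram to its *_classify callback.
 *
 * TCP entries (name, offset, match, length, callback): every protocol has a
 * literal prefix at offset 0 except gh0st, which passes no pattern (match
 * NULL, length 0) and is presumably decided by gh0st_classify itself from
 * offset 14.  "\x13" and "BitTorrent protocol" are separate literals only
 * so the hex escape does not swallow the following 'B'.
 *
 * UDP entries all go to bt_classify and match the three prefixes "d1:a",
 * "d1:r" and "d1:q" (they look like bencoded dictionaries keyed a/r/q —
 * confirm against the DHT message format).
 *
 * All match strings are literals, so the registry may keep the pointers.
 * The prototype uses (void): an empty parameter list is obsolescent in C11
 * and disables argument checking at call sites.
 */
void moloch_parser_init(void)
{
    moloch_parsers_classifier_register_tcp("bt", 0, (unsigned char*)"\x13" "BitTorrent protocol", 20, bt_classify);
    moloch_parsers_classifier_register_tcp("rdp", 0, (unsigned char*)"\x03\x00", 2, rdp_classify);
    moloch_parsers_classifier_register_tcp("imap", 0, (unsigned char*)"* OK ", 5, imap_classify);
    moloch_parsers_classifier_register_tcp("pop3", 0, (unsigned char*)"+OK POP3 ", 9, pop3_classify);
    moloch_parsers_classifier_register_tcp("gh0st", 14, 0, 0, gh0st_classify);
    moloch_parsers_classifier_register_tcp("other220", 0, (unsigned char*)"220 ", 4, other220_classify);
    moloch_parsers_classifier_register_tcp("vnc", 0, (unsigned char*)"RFB 0", 5, vnc_classify);

    /* Same callback and length for all three; order is a, r, q as before. */
    static const char *const bt_udp_matches[] = { "d1:a", "d1:r", "d1:q" };

    for (unsigned i = 0; i < sizeof bt_udp_matches / sizeof bt_udp_matches[0]; i++) {
        moloch_parsers_classifier_register_udp("bt", 0, (unsigned char *)bt_udp_matches[i], 4, bt_classify);
    }
}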
Exemplo n.º 7
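/*
 * Initialise the MySQL parser: register the greeting classifier and define
 * the user and version fields.
 *
 * The classifier (name, offset, match, length, callback) looks for the four
 * bytes 00 00 00 0a at offset 1 and hands the stream to mysql_classify; the
 * literal is static, so the registry may keep the pointer.
 *
 * The field ids are kept in the file-scope userField and versionField
 * globals.  Both are plain MOLOCH_FIELD_TYPE_STR fields flagged
 * MOLOCH_FIELD_FLAG_LINKED_SESSIONS; the trailing NULL ends the variadic
 * key/value list.
 *
 * The prototype uses (void): an empty parameter list is obsolescent in C11
 * and disables argument checking at call sites.
 */
void moloch_parser_init(void)
{
    moloch_parsers_classifier_register_tcp("mysql", 1, (unsigned char*)"\x00\x00\x00\x0a", 4, mysql_classify);

    userField = moloch_field_define("mysql", "lotermfield",
        "mysql.user", "User", "mysql.user-term",
        "Mysql user name",
        MOLOCH_FIELD_TYPE_STR,  MOLOCH_FIELD_FLAG_LINKED_SESSIONS,
        NULL);

    versionField = moloch_field_define("mysql", "termfield",
        "mysql.ver", "Version", "mysql.ver-term",
        "Mysql server version string",
        MOLOCH_FIELD_TYPE_STR,  MOLOCH_FIELD_FLAG_LINKED_SESSIONS,
        NULL);
}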
Exemplo n.º 8
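/*
 * Lua binding: register a TCP classifier from a script.
 *
 * Expected stack: <name> <offset> <match> <function>.  Only the first Lua
 * state (Ls[0]) performs the registration so a classifier loaded into
 * several states is added once.
 *
 * name, match and function are duplicated with GLib and handed to
 * moloch_parsers_classifier_register_tcp; nothing is freed here, so the
 * registry is presumed to own them for the life of the process.  The
 * function name is passed in the user-data slot, presumably so that
 * molua_classify_cb can find the Lua function by name later.
 *
 * Returns 0 (no Lua results) or raises a Lua error on bad arguments.
 */
static int MS_register_tcp_classifier(lua_State *L)
{
    if (L != Ls[0]) // Only do once
        return 0;

    if (lua_gettop(L) != 4 || !lua_isstring(L, 1) || !lua_isinteger(L, 2) || !lua_isstring(L, 3) || !lua_isstring(L, 4)) {
        return luaL_error(L, "usage: <name> <offset> <match> <function>");
    }

    /* The offset is handed on as a char, so reject values that would not
     * survive the narrowing instead of silently truncating them.  Reading
     * it with lua_tointeger also avoids the double-to-char conversion that
     * lua_tonumber would require, which is undefined for out-of-range
     * values. */
    enum { MS_MAX_OFFSET = 127 };
    lua_Integer offset_arg = lua_tointeger(L, 2);
    if (offset_arg < 0 || offset_arg > MS_MAX_OFFSET) {
        return luaL_error(L, "offset must be between 0 and %d", MS_MAX_OFFSET);
    }

    /* lua_tolstring reports the exact byte length, so a match pattern may
     * contain embedded NULs. */
    size_t      match_len   = 0;
    const char *match_bytes = lua_tolstring(L, 3, &match_len);

    char   *name     = g_strdup(lua_tostring(L, 1));
    char    offset   = (char)offset_arg;
    guchar *match    = g_memdup(match_bytes, match_len);
    char   *function = g_strdup(lua_tostring(L, 4));

    moloch_parsers_classifier_register_tcp(name, function, offset, match, (int)match_len, molua_classify_cb);
    return 0;
}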
Exemplo n.º 9
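/*
 * Initialise the Oracle parser: register the connect-packet classifier and
 * define the user, host and service fields.
 *
 * This file uses the six-argument classifier form (name, user data, offset,
 * match, length, callback): the six bytes 00 00 01 00 00 00 are looked for
 * at offset 2 and the stream is handed to oracle_classify.  The literal is
 * static, so the registry may keep the pointer.
 *
 * The field ids are kept in the file-scope userField, hostField and
 * serviceField globals.  All are MOLOCH_FIELD_TYPE_STR fields flagged
 * MOLOCH_FIELD_FLAG_LINKED_SESSIONS; the user field additionally carries
 * the key/value pair "category" = "user".  The trailing NULL ends each
 * variadic list.
 *
 * The prototype uses (void): an empty parameter list is obsolescent in C11
 * and disables argument checking at call sites.
 */
void moloch_parser_init(void)
{
    moloch_parsers_classifier_register_tcp("oracle", NULL, 2, (unsigned char*)"\x00\x00\x01\x00\x00\x00", 6, oracle_classify);

    userField = moloch_field_define("oracle", "lotermfield",
        "oracle.user", "User", "oracle.user-term",
        "Oracle User",
        MOLOCH_FIELD_TYPE_STR,  MOLOCH_FIELD_FLAG_LINKED_SESSIONS,
        "category", "user",
        NULL);

    hostField = moloch_field_define("oracle", "lotermfield",
        "oracle.host", "Host", "oracle.host-term",
        "Oracle Host",
        MOLOCH_FIELD_TYPE_STR,  MOLOCH_FIELD_FLAG_LINKED_SESSIONS,
        NULL);

    serviceField = moloch_field_define("oracle", "lotermfield",
        "oracle.service", "Service", "oracle.service-term",
        "Oracle Service",
        MOLOCH_FIELD_TYPE_STR,  MOLOCH_FIELD_FLAG_LINKED_SESSIONS,
        NULL);
}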
Exemplo n.º 10
Arquivo: tds.c Projeto: IFGHou/moloch
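/*
 * Initialise the TDS parser.
 *
 * Rather than defining its own field, this parser looks up the shared
 * "user" field by database name and keeps the id in the file-scope
 * userField global.  The lookup result is not checked here; if the field
 * may be absent in some configurations, the value presumably needs a
 * validity check before it is used elsewhere in this file — confirm.
 *
 * The classifier uses the six-argument form (name, user data, offset,
 * match, length, callback): the eight bytes 02 00 02 00 00 00 01 00 at
 * offset 0 hand the stream to tds_classify.  The literal is static, so the
 * registry may keep the pointer.
 *
 * The prototype uses (void): an empty parameter list is obsolescent in C11
 * and disables argument checking at call sites.
 */
void moloch_parser_init(void)
{
    userField = moloch_field_by_db("user");
    moloch_parsers_classifier_register_tcp("tds", NULL, 0, (unsigned char*)"\x02\x00\x02\x00\x00\x00\x01\x00", 8, tds_classify);
}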
Exemplo n.º 11
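/*
 * Register the classifiers for the small protocols handled in this file.
 * No session fields are defined here; each entry only routes a stream or
 * datagram to its *_classify callback.
 *
 * TCP entries (name, offset, match, length, callback): every protocol has a
 * literal prefix at offset 0 except gh0st, which passes no pattern (match
 * NULL, length 0) and is presumably decided by gh0st_classify itself from
 * offset 14.  "\x13" and "BitTorrent protocol" are separate literals only
 * so the hex escape does not swallow the following 'B'.
 *
 * The repeated families are table driven, in the same order as before:
 *  - redis: "+PONG" plus the RESP array headers "*1\r\n$" .. "*5\r\n$"
 *    (the hex bytes 2a 31..35 0d 0a 24 decode to exactly that);
 *  - bt over UDP: "d1:a", "d1:r", "d1:q", which look like bencoded
 *    dictionaries keyed a/r/q — confirm against the DHT message format;
 *  - mongo: the four-byte prefixes 35..3f 00 00 00, which look like a
 *    little-endian message length of 53..63 — confirm against the wire
 *    format.
 *
 * All match strings are literals, so the registry may keep the pointers.
 * The prototype uses (void): an empty parameter list is obsolescent in C11
 * and disables argument checking at call sites.
 */
void moloch_parser_init(void)
{
    moloch_parsers_classifier_register_tcp("bt", 0, (unsigned char*)"\x13" "BitTorrent protocol", 20, bt_classify);
    moloch_parsers_classifier_register_tcp("rdp", 0, (unsigned char*)"\x03\x00", 2, rdp_classify);
    moloch_parsers_classifier_register_tcp("imap", 0, (unsigned char*)"* OK ", 5, imap_classify);
    moloch_parsers_classifier_register_tcp("pop3", 0, (unsigned char*)"+OK POP3 ", 9, pop3_classify);
    moloch_parsers_classifier_register_tcp("gh0st", 14, 0, 0, gh0st_classify);
    moloch_parsers_classifier_register_tcp("other220", 0, (unsigned char*)"220 ", 4, other220_classify);
    moloch_parsers_classifier_register_tcp("vnc", 0, (unsigned char*)"RFB 0", 5, vnc_classify);

    /* All six redis prefixes are five bytes and share one callback. */
    static const char *const redis_matches[] = {
        "+PONG",
        "\x2a\x31\x0d\x0a\x24",
        "\x2a\x32\x0d\x0a\x24",
        "\x2a\x33\x0d\x0a\x24",
        "\x2a\x34\x0d\x0a\x24",
        "\x2a\x35\x0d\x0a\x24",
    };
    for (unsigned i = 0; i < sizeof redis_matches / sizeof redis_matches[0]; i++) {
        moloch_parsers_classifier_register_tcp("redis", 0, (unsigned char *)redis_matches[i], 5, redis_classify);
    }

    /* UDP BitTorrent prefixes, four bytes each, order a, r, q as before. */
    static const char *const bt_udp_matches[] = { "d1:a", "d1:r", "d1:q" };
    for (unsigned i = 0; i < sizeof bt_udp_matches / sizeof bt_udp_matches[0]; i++) {
        moloch_parsers_classifier_register_udp("bt", 0, (unsigned char *)bt_udp_matches[i], 4, bt_classify);
    }

    /* Eleven consecutive first bytes 0x35..0x3f, each followed by three
     * zero bytes; kept as literals (not a stack buffer) so the pointers
     * stay valid whether or not the registry copies the pattern. */
    static const char *const mongo_matches[] = {
        "\x35\x00\x00\x00",
        "\x36\x00\x00\x00",
        "\x37\x00\x00\x00",
        "\x38\x00\x00\x00",
        "\x39\x00\x00\x00",
        "\x3a\x00\x00\x00",
        "\x3b\x00\x00\x00",
        "\x3c\x00\x00\x00",
        "\x3d\x00\x00\x00",
        "\x3e\x00\x00\x00",
        "\x3f\x00\x00\x00",
    };
    for (unsigned i = 0; i < sizeof mongo_matches / sizeof mongo_matches[0]; i++) {
        moloch_parsers_classifier_register_tcp("mongo", 0, (unsigned char *)mongo_matches[i], 4, mongo_classify);
    }
}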