void wise_load_fields() { char key[500]; int key_len; memset(fieldsMap, -1, sizeof(fieldsMap)); key_len = snprintf(key, sizeof(key), "/fields"); size_t data_len; unsigned char *data = moloch_http_send_sync(wiseService, "GET", key, key_len, NULL, 0, NULL, &data_len);; BSB bsb; BSB_INIT(bsb, data, data_len); int ver, cnt = 0; BSB_IMPORT_u32(bsb, fieldsTS); BSB_IMPORT_u32(bsb, ver); BSB_IMPORT_u08(bsb, cnt); int i; for (i = 0; i < cnt; i++) { int len = 0; BSB_IMPORT_u16(bsb, len); // len includes NULL terminated fieldsMap[i] = moloch_field_define_text((char*)BSB_WORK_PTR(bsb), NULL); if (fieldsMap[i] == -1) fieldsTS = 0; if (config.debug) LOG("%d %d %s", i, fieldsMap[i], BSB_WORK_PTR(bsb)); BSB_IMPORT_skip(bsb, len); } }
unsigned char *dns_name(const unsigned char *full, int fulllen, BSB *inbsb, int *namelen) { static unsigned char name[8000]; BSB nbsb; int didPointer = 0; BSB tmpbsb; BSB *curbsb; BSB_INIT(nbsb, name, sizeof(name)); curbsb = inbsb; while (BSB_REMAINING(*curbsb)) { unsigned char ch = 0; BSB_IMPORT_u08(*curbsb, ch); if (ch == 0) break; BSB_EXPORT_rewind(*curbsb, 1); if (ch & 0xc0) { if (didPointer > 5) return 0; didPointer++; int tpos = 0; BSB_IMPORT_u16(*curbsb, tpos); tpos &= 0x3fff; BSB_INIT(tmpbsb, full+tpos, fulllen - tpos); curbsb = &tmpbsb; continue; } if (BSB_LENGTH(nbsb)) { BSB_EXPORT_u08(nbsb, '.'); } if (dns_name_element(&nbsb, curbsb) && BSB_LENGTH(nbsb)) BSB_EXPORT_rewind(nbsb, 1); // Remove last . } *namelen = BSB_LENGTH(nbsb); BSB_EXPORT_u08(nbsb, 0); return name; }
void tls_process_client(MolochSession_t *session, const unsigned char *data, int len) { BSB sslbsb; BSB_INIT(sslbsb, data, len); if (BSB_REMAINING(sslbsb) > 5) { unsigned char *ssldata = BSB_WORK_PTR(sslbsb); int ssllen = MIN(BSB_REMAINING(sslbsb) - 5, ssldata[3] << 8 | ssldata[4]); BSB pbsb; BSB_INIT(pbsb, ssldata+5, ssllen); if (BSB_REMAINING(pbsb) > 7) { unsigned char *pdata = BSB_WORK_PTR(pbsb); int plen = MIN(BSB_REMAINING(pbsb) - 4, pdata[2] << 8 | pdata[3]); BSB cbsb; BSB_INIT(cbsb, pdata+6, plen-2); // The - 4 for plen is done above, confusing if(BSB_REMAINING(cbsb) > 32) { BSB_IMPORT_skip(cbsb, 32); // Random int skiplen = 0; BSB_IMPORT_u08(cbsb, skiplen); // Session Id Length BSB_IMPORT_skip(cbsb, skiplen); // Session Id BSB_IMPORT_u16(cbsb, skiplen); // Ciper Suites Length BSB_IMPORT_skip(cbsb, skiplen); // Ciper Suites BSB_IMPORT_u08(cbsb, skiplen); // Compression Length BSB_IMPORT_skip(cbsb, skiplen); // Compressions if (BSB_REMAINING(cbsb) > 2) { int etotlen = 0; BSB_IMPORT_u16(cbsb, etotlen); // Extensions Length etotlen = MIN(etotlen, BSB_REMAINING(cbsb)); BSB ebsb; BSB_INIT(ebsb, BSB_WORK_PTR(cbsb), etotlen); while (BSB_REMAINING(ebsb) > 0) { int etype = 0, elen = 0; BSB_IMPORT_u16 (ebsb, etype); BSB_IMPORT_u16 (ebsb, elen); if (etype != 0) { BSB_IMPORT_skip (ebsb, elen); continue; } if (elen > BSB_REMAINING(ebsb)) break; BSB snibsb; BSB_INIT(snibsb, BSB_WORK_PTR(ebsb), elen); BSB_IMPORT_skip (ebsb, elen); int sni = 0; BSB_IMPORT_u16(snibsb, sni); // list len if (sni != BSB_REMAINING(snibsb)) continue; BSB_IMPORT_u08(snibsb, sni); // type if (sni != 0) continue; BSB_IMPORT_u16(snibsb, sni); // len if (sni != BSB_REMAINING(snibsb)) continue; moloch_field_string_add(hostField, session, (char *)BSB_WORK_PTR(snibsb), sni, TRUE); } } } } BSB_IMPORT_skip(sslbsb, ssllen + 5); } }
void dns_parser(MolochSession_t *session, const unsigned char *data, int len) { if (len < 18) return; int qr = (data[2] >> 7) & 0x1; int opcode = (data[2] >> 3) & 0xf; if (opcode != 0) return; int qdcount = (data[4] << 8) | data[5]; int ancount = (data[6] << 8) | data[7]; if (qdcount > 10 || qdcount <= 0) return; BSB bsb; BSB_INIT(bsb, data + 12, len - 12); /* QD Section */ int i; for (i = 0; BSB_NOT_ERROR(bsb) && i < qdcount; i++) { int namelen; unsigned char *name = dns_name(data, len, &bsb, &namelen); if (BSB_IS_ERROR(bsb)) break; if (!namelen) { name = (unsigned char*)"<root>"; namelen = 6; } unsigned short qtype = 0 , qclass = 0 ; BSB_IMPORT_u16(bsb, qtype); BSB_IMPORT_u16(bsb, qclass); char *lower = g_ascii_strdown((char*)name, namelen); if (qclass <= 255 && qclasses[qclass]) { moloch_field_string_add(queryClassField, session, qclasses[qclass], -1, TRUE); } if (qtype <= 255 && qtypes[qtype]) { moloch_field_string_add(queryTypeField, session, qtypes[qtype], -1, TRUE); } if (lower && !moloch_field_string_add(hostField, session, lower, namelen, FALSE)) { g_free(lower); } } moloch_nids_add_protocol(session, "dns"); if (qr == 0) return; int rcode = data[3] & 0xf; moloch_field_string_add(statusField, session, statuses[rcode], -1, TRUE); for (i = 0; BSB_NOT_ERROR(bsb) && i < ancount; i++) { int namelen; dns_name(data, len, &bsb, &namelen); if (BSB_IS_ERROR(bsb)) break; uint16_t antype = 0; BSB_IMPORT_u16 (bsb, antype); uint16_t anclass = 0; BSB_IMPORT_u16 (bsb, anclass); BSB_IMPORT_skip(bsb, 4); // ttl uint16_t rdlength = 0; BSB_IMPORT_u16 (bsb, rdlength); if (BSB_REMAINING(bsb) < rdlength) { break; } if (anclass != 1) { BSB_IMPORT_skip(bsb, rdlength); continue; } switch (antype) { case 1: { if (rdlength != 4) break; struct in_addr in; unsigned char *ptr = BSB_WORK_PTR(bsb); in.s_addr = ptr[3] << 24 | ptr[2] << 16 | ptr[1] << 8 | ptr[0]; moloch_field_int_add(ipField, session, in.s_addr); break; } case 5: { BSB rdbsb; BSB_INIT(rdbsb, BSB_WORK_PTR(bsb), rdlength); int namelen; unsigned char *name = dns_name(data, len, &rdbsb, &namelen); if (!namelen || BSB_IS_ERROR(rdbsb)) continue; char *lower = g_ascii_strdown((char*)name, namelen); if (lower && !moloch_field_string_add(hostField, session, lower, namelen, FALSE)) { g_free(lower); } break; } case 15: { BSB rdbsb; BSB_INIT(rdbsb, BSB_WORK_PTR(bsb), rdlength); BSB_IMPORT_skip(rdbsb, 2); // preference int namelen; unsigned char *name = dns_name(data, len, &rdbsb, &namelen); if (!namelen || BSB_IS_ERROR(rdbsb)) continue; char *lower = g_ascii_strdown((char*)name, namelen); if (lower && !moloch_field_string_add(hostField, session, lower, namelen, FALSE)) { g_free(lower); } } } /* switch */ BSB_IMPORT_skip(bsb, rdlength); } }