void imap_classify(MolochSession_t *session, const unsigned char *data, int len, int UNUSED(which)) { if (moloch_memstr((const char *)data+5, len-5, "IMAP", 4)) { moloch_nids_add_tag(session, "protocol:imap"); moloch_nids_add_protocol(session, "imap"); } }
int moloch_hp_cb_on_body (http_parser *parser, const char *at, size_t length) { HTTPInfo_t *http = parser->data; MolochSession_t *session = http->session; #ifdef HTTPDEBUG LOG("HTTPDEBUG: which: %d", http->which); #endif if (!(http->inBody & (1 << http->which))) { if (moloch_memstr(at, length, "password="******"http:password"); } moloch_parsers_magic_tag(session, magicField, "http:content", at, length); http->inBody |= (1 << http->which); } g_checksum_update(http->checksum[http->which], (guchar *)at, length); if (pluginsCbs & MOLOCH_PLUGIN_HP_OB) moloch_plugins_cb_hp_ob(session, parser, at, length); return 0; }
void irc_classify(MolochSession_t *session, const unsigned char *data, int len, int which) { if (data[0] == ':' && !moloch_memstr((char *)data, len, " NOTICE ", 8)) return; //If a USER packet must have NICK with it so we don't pickup FTP if (data[0] == 'U' && !moloch_memstr((char *)data, len, "\nNICK ", 6)) { return; } if (moloch_nids_has_protocol(session, "irc")) return; moloch_nids_add_protocol(session, "irc"); IRCInfo_t *irc = MOLOCH_TYPE_ALLOC0(IRCInfo_t); moloch_parsers_register(session, irc_parser, irc, irc_free); irc_parser(session, irc, data, len, which); }