示例#1
文件: suricata.c 项目: aihua/moloch
/*
 * Debug helper: prints one SuricataItem_t to stdout on a single line
 * (session id rendered as text, followed by hash, ses and timestamp).
 *
 * NOTE(review): the 100-byte scratch buffer is assumed to be large enough for
 * whatever moloch_session_id_string() writes; that bound is not visible here.
 * NOTE(review): "%ld" assumes item->timestamp is a long -- confirm against the
 * SuricataItem_t declaration.
 */
LOCAL void suricata_print(SuricataItem_t *item)
{
    char idText[100];

    moloch_session_id_string(item->sessionId, idText);

    printf("sessionId: %s hash: %u ses: %d timestamp: %ld\n",
           idText,
           item->hash,
           item->ses,
           item->timestamp);
}
示例#2
文件: http.c 项目: doduytrung/moloch
/*
 * Records the socket `fd` in the shared `connections` table.
 *
 * The local and remote endpoints of `fd` are read with getsockname() and
 * getpeername(), folded into a session id by moloch_session_id(), logged, and
 * then looked up in `connections` while MOLOCH_LOCK(connections) is held. A new
 * MolochHttpConn_t is added when the id is not present; otherwise an
 * "Already added" error is logged.
 *
 * fd        - socket to inspect
 * condition - only used in the duplicate-entry log line
 * serverV   - MolochHttpServer_t whose counters and name are used
 *
 * Returns FALSE on every path.
 *
 * NOTE(review): both endpoints are read into struct sockaddr_in and sin_family
 * is never checked, so the code assumes an AF_INET socket. For any other family
 * the sin_addr/sin_port fields would not hold an IPv4 endpoint and the session
 * id and log line would be derived from unrelated bytes -- confirm callers only
 * hand in IPv4 sockets.
 */
static gboolean moloch_http_curl_watch_open_callback(int fd, GIOCondition condition, gpointer serverV)
{
    MolochHttpServer_t *server = serverV;
    struct sockaddr_in  local, peer;
    socklen_t           localLen = sizeof(local);
    socklen_t           peerLen = sizeof(peer);

    // Without both endpoints no session id can be built, so give up quietly.
    if (getsockname(fd, (struct sockaddr*)&local, &localLen) != 0)
        return FALSE;

    if (getpeername(fd, (struct sockaddr*)&peer, &peerLen) != 0)
        return FALSE;

    // Addresses and ports are passed on exactly as the socket calls returned them.
    char sessionId[MOLOCH_SESSIONID_LEN];
    moloch_session_id(sessionId, local.sin_addr.s_addr, local.sin_port,
                      peer.sin_addr.s_addr, peer.sin_port);

    // NOTE(review): inet_ntoa() returns a pointer to a static buffer; if this
    // callback can run on more than one thread, inet_ntop() with a local buffer
    // avoids sharing it.
    LOG("Connected %d/%d - %s   %d->%s:%d - fd:%d", 
            server->outstanding,
            server->connections,
            server->names[0],
            ntohs(local.sin_port),
            inet_ntoa(peer.sin_addr),
            ntohs(peer.sin_port),
            fd);

    MolochHttpConn_t *conn;

    MOLOCH_LOCK(connections);
    BIT_SET(fd, connectionsSet);
    HASH_FIND(h_, connections, sessionId, conn);
    if (conn) {
        char buf[1000];
        LOG("ERROR - Already added %x %s", condition, moloch_session_id_string(sessionId, buf));
    } else {
        conn = MOLOCH_TYPE_ALLOC0(MolochHttpConn_t);

        HASH_ADD(h_, connections, sessionId, conn);
        // The first byte of the id is used as the number of bytes to copy.
        // NOTE(review): presumably moloch_session_id() keeps that byte within
        // MOLOCH_SESSIONID_LEN and within the size of conn->sessionId; nothing
        // here checks it.
        memcpy(&conn->sessionId, sessionId, sessionId[0]);
        server->connections++;
    }
    MOLOCH_UNLOCK(connections);

    moloch_http_curlm_check_multi_info(server);

    return FALSE;
}
示例#3
文件: session.c 项目: pstray/moloch
// Should only be used by packet, lots of side effects
//
// Looks up the session keyed by (hash, sessionId) in sessions[thread][ses] and
// returns it, creating and registering a new MolochSession_t when none exists.
//
//   ses       - index selecting which per-type session table/queue to use
//   hash      - precomputed hash of sessionId, or 0 to have it computed here
//   sessionId - session key; its first byte is used as the byte count to copy
//   isNew     - out: set to 0 when an existing session is returned, 1 when a
//               new one was created
//
// Side effects visible here: an existing session that is not on a closing
// queue is moved to the tail of sessionsQ[thread][ses]; a new session is added
// to both the hash table and the queue tail and gets its arrays, field table
// and (when plugins are configured) plugin data allocated.
MolochSession_t *moloch_session_find_or_create(int ses, uint32_t hash, char *sessionId, int *isNew)
{
    MolochSession_t *session;

    // A hash of 0 means "not supplied": derive it from the session id.
    if (hash == 0) {
        hash = moloch_session_hash(sessionId);
    }

    // The hash picks the packet thread whose tables own this session.
    // NOTE(review): assumes config.packetThreads is non-zero; a zero value
    // would make this a modulo by zero.
    int      thread = hash % config.packetThreads;

    HASH_FIND_HASH(h_, sessions[thread][ses], hash, sessionId, session);

    if (session) {
        // Existing session: move it to the queue tail unless closingQ is set.
        if (!session->closingQ) {
            DLL_MOVE_TAIL(q_, &sessionsQ[thread][ses], session);
        }
        *isNew = 0;
        return session;
    }
    *isNew = 1;

    // NOTE(review): the allocation results in this function are used without a
    // NULL check; presumably the MOLOCH_*_ALLOC0 macros never return NULL --
    // confirm.
    session = MOLOCH_TYPE_ALLOC0(MolochSession_t);
    session->ses = ses;

    // The copy length is taken from the first byte of the caller's id.
    // NOTE(review): nothing here bounds sessionId[0] by the size of
    // session->sessionId, and with a signed plain char a first byte >= 0x80
    // would convert to a very large size_t. This relies on callers passing only
    // ids built internally (see the "only be used by packet" remark) -- verify
    // before calling it with any id whose length byte is taken from outside.
    memcpy(session->sessionId, sessionId, sessionId[0]);

    HASH_ADD_HASH(h_, sessions[thread][ses], hash, sessionId, session);
    DLL_PUSH_TAIL(q_, &sessionsQ[thread][ses], session);

    // Diagnostic only: report when this hash bucket's count exceeds 10.
    if (HASH_BUCKET_COUNT(h_, sessions[thread][ses], hash) > 10) {
        char buf[100];
        LOG("Large number of chains: %s %u %u %u %u", moloch_session_id_string(sessionId, buf), hash, hash % sessions[thread][ses].size, thread, HASH_BUCKET_COUNT(h_, sessions[thread][ses], hash));
    }

    // Per-session arrays: 64-bit and 16-bit elements pre-sized for 100 entries,
    // plus a 4-byte-element array that starts unsized.
    session->filePosArray = g_array_sized_new(FALSE, FALSE, sizeof(uint64_t), 100);
    session->fileLenArray = g_array_sized_new(FALSE, FALSE, sizeof(uint16_t), 100);
    session->fileNumArray = g_array_new(FALSE, FALSE, 4);
    // One MolochField_t pointer slot per configured field.
    session->fields = MOLOCH_SIZE_ALLOC0(fields, sizeof(MolochField_t *)*config.maxField);
    session->maxFields = config.maxField;
    session->thread = thread;
    DLL_INIT(td_, &session->tcpData);
    // Plugin slots are only allocated when at least one plugin is configured.
    if (config.numPlugins > 0)
        session->pluginData = MOLOCH_SIZE_ALLOC0(pluginData, sizeof(void *)*config.numPlugins);

    return session;
}
示例#4
文件: http.c 项目: jpvlsmv/moloch
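/*
 * Records the socket `fd` in the shared `connections` table.
 *
 * The local and remote endpoints of `fd` are read into sockaddr_storage, so
 * both IPv4 and IPv6 sockets fit. They are folded into a session id
 * (moloch_session_id for AF_INET, moloch_session_id6 otherwise), optionally
 * logged, and then looked up in `connections` while MOLOCH_LOCK(connections)
 * is held. A new MolochHttpConn_t is added when the id is not present;
 * otherwise an "Already added" error is logged.
 *
 * fd        - socket to inspect
 * condition - only used in the duplicate-entry log line
 * snameV    - MolochHttpServerName_t giving the server and the name to log
 *
 * Returns CURLE_OK on every path, including getsockname/getpeername failure.
 * The declared return type is gboolean; CURLE_OK is 0 in libcurl, so callers
 * see FALSE.
 *
 * NOTE(review): every family other than AF_INET takes the IPv6 branch; there is
 * no explicit AF_INET6 check, and only the local address family is inspected.
 */
LOCAL gboolean moloch_http_curl_watch_open_callback(int fd, GIOCondition condition, gpointer snameV)
{
    MolochHttpServerName_t    *sname = snameV;
    MolochHttpServer_t        *server = sname->server;


    struct sockaddr_storage localAddressStorage, remoteAddressStorage;

    // Without both endpoints no session id can be built, so give up quietly.
    socklen_t addressLength = sizeof(localAddressStorage);
    int rc = getsockname(fd, (struct sockaddr*)&localAddressStorage, &addressLength);
    if (rc != 0)
        return CURLE_OK;

    addressLength = sizeof(remoteAddressStorage);
    rc = getpeername(fd, (struct sockaddr*)&remoteAddressStorage, &addressLength);
    if (rc != 0)
        return CURLE_OK;

    char sessionId[MOLOCH_SESSIONID_LEN];
    int  localPort, remotePort;
    // Room for the longest IPv6 text form plus the surrounding '[' and ']'.
    char remoteIp[INET6_ADDRSTRLEN+2];
    if (localAddressStorage.ss_family == AF_INET) {
        struct sockaddr_in *localAddress = (struct sockaddr_in *)&localAddressStorage;
        struct sockaddr_in *remoteAddress = (struct sockaddr_in *)&remoteAddressStorage;
        moloch_session_id(sessionId, localAddress->sin_addr.s_addr, localAddress->sin_port,
                          remoteAddress->sin_addr.s_addr, remoteAddress->sin_port);
        localPort = ntohs(localAddress->sin_port);
        remotePort = ntohs(remoteAddress->sin_port);
        // On failure inet_ntop leaves the buffer unspecified; log an empty
        // address rather than reading uninitialized bytes through "%s".
        if (!inet_ntop(AF_INET, &remoteAddress->sin_addr, remoteIp, sizeof(remoteIp)))
            remoteIp[0] = '\0';
    } else {
        struct sockaddr_in6 *localAddress = (struct sockaddr_in6 *)&localAddressStorage;
        struct sockaddr_in6 *remoteAddress = (struct sockaddr_in6 *)&remoteAddressStorage;
        moloch_session_id6(sessionId, localAddress->sin6_addr.s6_addr, localAddress->sin6_port,
                          remoteAddress->sin6_addr.s6_addr, remoteAddress->sin6_port);
        localPort = ntohs(localAddress->sin6_port);
        remotePort = ntohs(remoteAddress->sin6_port);
        // Format as "[addr]": the text goes after the leading '[' and the
        // length passed leaves room for ']' and the terminator.
        remoteIp[0] = '[';
        if (!inet_ntop(AF_INET6, &remoteAddress->sin6_addr, remoteIp+1, sizeof(remoteIp)-2))
            remoteIp[1] = '\0'; // keep the buffer terminated so strcat stays in bounds
        strcat(remoteIp, "]");
    }

    if (config.logHTTPConnections) {
        LOG("Connected %d/%d - %s   %d->%s:%d - fd:%d",
                server->outstanding,
                server->connections,
                sname->name,
                localPort,
                remoteIp,
                remotePort,
                fd);
    }

    MolochHttpConn_t *conn;

    MOLOCH_LOCK(connections);
    BIT_SET(fd, connectionsSet);
    HASH_FIND(h_, connections, sessionId, conn);
    if (!conn) {
        conn = MOLOCH_TYPE_ALLOC0(MolochHttpConn_t);

        HASH_ADD(h_, connections, sessionId, conn);
        // The first byte of the id is used as the number of bytes to copy.
        // NOTE(review): presumably moloch_session_id()/moloch_session_id6()
        // keep that byte within MOLOCH_SESSIONID_LEN and within the size of
        // conn->sessionId; nothing here checks it.
        memcpy(&conn->sessionId, sessionId, sessionId[0]);
        server->connections++;
    } else {
        char buf[1000];
        LOG("ERROR - Already added %x %s", condition, moloch_session_id_string(sessionId, buf));
    }
    MOLOCH_UNLOCK(connections);

    moloch_http_curlm_check_multi_info(server);

    return CURLE_OK;
}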