New tags protocol:tls and http:bad-xff; yara tags start with yara:

* Set protocol:tls if the header is for tlsv3 * Set http:bad-xff if the X-Forwarded-For isn't an ip * Tags from yara start with yara: * Support native yara tags
arkime · Aug 31, 2012 · 272f463 · 272f463
1 parent b2f768a
commit 272f463
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 1 deletion.
diff --git a/capture/nids.c b/capture/nids.c
@@ -570,6 +570,18 @@ void moloch_nids_parse_classify(MolochSession_t *session, struct tcp_stream *UNU
 
     if (memcmp("+OK POP3 ", data, 9) == 0)
         moloch_nids_add_tag(session, MOLOCH_TAG_TAGS, "protocol:pop3");
+
+    if (hlf->count > 30 && data[0] == 0x16 && data[1] == 0x03 && data[2] == 0x01) {
+        moloch_nids_add_tag(session, MOLOCH_TAG_TAGS, "protocol:tls");
+
+        /*unsigned char *ssldata = data;
+        while (ssldata < data + hlf->count) {
+            int len = ((ssldata[3]&0xff) << 8 | (ssldata[4]&0xff));
+            if (ssldata[5] == 0x0b) {
+            }
+            ssldata += len;
+        }*/
+    }
 }
 /******************************************************************************/
 void moloch_nids_parse_yara(MolochSession_t *session, struct tcp_stream *UNUSED(a_tcp), struct half_stream *hlf)
@@ -854,6 +866,7 @@ moloch_hp_cb_on_message_complete (http_parser *parser)
 
             in_addr_t ia = inet_addr(ip);
             if (ia == 0 || ia == 0xffffffff) {
+                moloch_nids_add_tag(session, MOLOCH_TAG_TAGS, "http:bad-xff");
                 LOG("ERROR - Didn't understand ip: %s %s %d", session->xffString->str, ip, ia);
                 continue;
             }

diff --git a/capture/yara.c b/capture/yara.c
@@ -227,12 +227,24 @@ int callback(RULE* rule, void* data)
 /******************************************************************************/
 int moloch_yara_callback(RULE* rule, MolochSession_t* session)
 {
+    char tagname[256];
+    TAG* tag;
+
 #ifdef DEBUG
     callback(rule, session);
 #endif
 
     if (rule->flags & RULE_FLAGS_MATCH) {
-        moloch_nids_add_tag(session, MOLOCH_TAG_TAGS, rule->identifier);
+        snprintf(tagname, sizeof(tagname), "yara:%s", rule->identifier); 
+        moloch_nids_add_tag(session, MOLOCH_TAG_TAGS, tagname);
+        tag = rule->tag_list_head;
+        while(tag != NULL) {
+            if (tag->identifier) {
+                snprintf(tagname, sizeof(tagname), "yara:%s", tag->identifier); 
+                moloch_nids_add_tag(session, MOLOCH_TAG_TAGS, tagname);
+            }
+            tag = tag->next;
+        }
     }
 
     return CALLBACK_CONTINUE;