v0.6.2, Initial TLS cert decoding, dryrun option, host bug fix, vlan support,

* Decode the TLS Certificate protocol if found.
** Search with tls.sn, tls.issuer.cn, tls.issuer.on, tls.subject.cn, tls.subject.on, tls.alt
* Always lower case host header
* --dryrun will not write pcap data or session data to elasticsearch
* viewer can now decode vlan ethertype
awick committed Sep 10, 2012
1 parent 37b665b commit 413dc82
Showing 16 changed files with 759 additions and 164 deletions.
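--- a/capture/db.c
+++ b/capture/db.c
@@ -47,6 +47,7 @@ static GeoIP *giASN = 0;
 
 /******************************************************************************/
 extern MolochConfig_t config;
+extern gboolean dryRun;
 
 /******************************************************************************/
 typedef struct moloch_tag {
@@ -152,10 +153,17 @@ void moloch_db_save_session(MolochSession_t *session)
 int key_len;
 uuid_t uuid;
 
+
 /* No Packets */
 if (!session->filePosArray->len)
 return;
 
+totalSessions++;
+
+if (dryRun) {
+return;
+}
+
 if (!sJson) {
 sJPtr = sJson = moloch_es_get_buffer(MOLOCH_ES_BUFFER_SIZE_L);
 }
@@ -250,6 +258,89 @@ void moloch_db_save_session(MolochSession_t *session)
 sJPtr += snprintf(sJPtr, MOLOCH_ES_BUFFER_SIZE_L - (sJPtr-sJson), "],");
 }
 
+if (HASH_COUNT(t_, session->certs)) {
+sJPtr += snprintf(sJPtr, MOLOCH_ES_BUFFER_SIZE_L - (sJPtr-sJson), "\"tls\":[");
+i = 0;
+
+MolochCertsInfo_t *certs;
+HASH_FORALL_POP_HEAD(t_, session->certs, certs,
+int j = 0;
+if (i != 0)
+*(sJPtr++) = ',';
+
+*(sJPtr++) = '{';
+
+if (certs->issuer.commonName) {
+sJPtr += snprintf(sJPtr, MOLOCH_ES_BUFFER_SIZE_L - (sJPtr-sJson), "\"iCn\":");
+sJPtr += moloch_db_js0n_str(sJPtr, (unsigned char *)certs->issuer.commonName);
+free(certs->issuer.commonName);
+j++;
+}
+
+if (certs->issuer.orgName) {
+if (j != 0)
+*(sJPtr++) = ',';
+sJPtr += snprintf(sJPtr, MOLOCH_ES_BUFFER_SIZE_L - (sJPtr-sJson), "\"iOn\":");
+sJPtr += moloch_db_js0n_str(sJPtr, (unsigned char *)certs->issuer.orgName);
+free(certs->issuer.orgName);
+j++;
+}
+
+if (certs->subject.commonName) {
+if (j != 0)
+*(sJPtr++) = ',';
+sJPtr += snprintf(sJPtr, MOLOCH_ES_BUFFER_SIZE_L - (sJPtr-sJson), "\"sCn\":");
+sJPtr += moloch_db_js0n_str(sJPtr, (unsigned char *)certs->subject.commonName);
+free(certs->subject.commonName);
+j++;
+}
+
+if (certs->subject.orgName) {
+if (j != 0)
+*(sJPtr++) = ',';
+sJPtr += snprintf(sJPtr, MOLOCH_ES_BUFFER_SIZE_L - (sJPtr-sJson), "\"sOn\":");
+sJPtr += moloch_db_js0n_str(sJPtr, (unsigned char *)certs->subject.orgName);
+free(certs->subject.orgName);
+j++;
+}
+
+if (certs->serialNumber) {
+if (j != 0)
+*(sJPtr++) = ',';
+int k;
+sJPtr += snprintf(sJPtr, MOLOCH_ES_BUFFER_SIZE_L - (sJPtr-sJson), "\"sn\":\"");
+for (k = 0; k < certs->serialNumberLen; k++) {
+sJPtr += snprintf(sJPtr, MOLOCH_ES_BUFFER_SIZE_L - (sJPtr-sJson), "%02x", certs->serialNumber[k]);
+}
+*(sJPtr++) = '"';
+}
+
+if (certs->alt.s_count) {
+int k = 0;
+if (j != 0)
+*(sJPtr++) = ',';
+sJPtr += snprintf(sJPtr, MOLOCH_ES_BUFFER_SIZE_L - (sJPtr-sJson), "\"alt\":[");
+while (certs->alt.s_count > 0) {
+MolochString_t *string;
+DLL_POP_HEAD(s_, &certs->alt, string);
+if (k != 0)
+*(sJPtr++) = ',';
+sJPtr += moloch_db_js0n_str(sJPtr, (unsigned char *)string->str);
+free(string->str);
+free(string);
+k++;
+}
+*(sJPtr++) = ']';
+}
+
+free(certs);
+i++;
+
+*(sJPtr++) = '}';
+);
+sJPtr += snprintf(sJPtr, MOLOCH_ES_BUFFER_SIZE_L - (sJPtr-sJson), "],");
+}
+
 if (HASH_COUNT(s_, session->hosts)) {
 sJPtr += snprintf(sJPtr, MOLOCH_ES_BUFFER_SIZE_L - (sJPtr-sJson), "\"ho\":[");
 i = 0;
@@ -387,7 +478,6 @@ void moloch_db_save_session(MolochSession_t *session)
 gettimeofday(&currentTime, NULL);
 dbLastSave = currentTime.tv_sec;
 }
-totalSessions++;
 }
 /******************************************************************************/
 long long zero_atoll(char *v) {
@@ -926,13 +1016,17 @@ void moloch_db_init()
 }
 }
 
-g_timeout_add_seconds( 2, moloch_db_update_stats_gfunc, 0);
-g_timeout_add_seconds( 5, moloch_db_update_stats_gfunc, (gpointer)1);
-g_timeout_add_seconds(60, moloch_db_update_stats_gfunc, (gpointer)2);
-g_timeout_add_seconds( 1, moloch_db_flush_gfunc, 0);
+if (!dryRun) {
+g_timeout_add_seconds( 2, moloch_db_update_stats_gfunc, 0);
+g_timeout_add_seconds( 5, moloch_db_update_stats_gfunc, (gpointer)1);
+g_timeout_add_seconds(60, moloch_db_update_stats_gfunc, (gpointer)2);
+g_timeout_add_seconds( 1, moloch_db_flush_gfunc, 0);
+}
 }
 /******************************************************************************/
 void moloch_db_exit()
 {
-moloch_db_flush_gfunc((gpointer)1);
+if (!dryRun) {
+moloch_db_flush_gfunc((gpointer)1);
+}
 }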
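Review bot: The serial-number branch of the new `"tls"` serializer never increments `j`, so a certificate with no issuer/subject names but with a serial and alt names is emitted as `"sn":"…""alt":[` with no comma between the two keys, which is malformed JSON for the bulk write; add `j++;` right after `*(sJPtr++) = '"';` in that branch. The same branch also never frees `certs->serialNumber` even though every other pointer member (the four name strings, each alt string, and `certs` itself) is freed here, so if the TLS parser allocates it, it leaks once per certificate. Every write in the block advances `sJPtr` by snprintf's return value or by a bare `*(sJPtr++)` with no check of the space left in the MOLOCH_ES_BUFFER_SIZE_L buffer; since the name lengths, `serialNumberLen` and the alt-name count are taken from the captured certificate, a large or many-SAN certificate can push `sJPtr` past the buffer (snprintf reports the untruncated length), and I cannot see from the hunk whether a reserve-or-flush check precedes the tls section. The new `dryRun` early return at the top also bypasses the HASH_FORALL_POP_HEAD loop that drains and frees `session->certs`, so unless session teardown frees those strings elsewhere, dry runs leak them. moloch_db_save_session begins and ends outside these hunks.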
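--- a/capture/dll.h
+++ b/capture/dll.h
@@ -57,4 +57,9 @@
 #define DLL_PEEK_TAIL(name,head) \
 ((head)->name##count == 0?NULL:(head)->name##prev)
 
+#define DLL_FOREACH(name,head,element) \
+for ((element) = (head)->name##next; \
+(element) != (void *)(head); \
+(element)=(element)->name##next)
+
 #endif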
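Review bot: DLL_FOREACH reads `(element)->name##next` after the loop body has run, so a body that unlinks or frees `element` turns the next step into a use-after-free; the macro should say so, e.g. `/* Walk the list; the body must not remove or free element (drain with DLL_POP_HEAD instead) */` placed above the `#define`. `head` is also re-evaluated on every iteration, so callers should pass a plain lvalue rather than an expression with side effects.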
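--- a/capture/hash.h
+++ b/capture/hash.h
@@ -7,10 +7,12 @@
 *
 * To Use:
 * Create item structure and optional head structure for use with a DLL
-* Create the key function and cmp function
+* Create the key function and cmp function.
 * Use HASH_VAR to declare the actual variable. Can be global or in a structure
 * Use HASH_INIT to initialze the hashtable
 *
+* A key can also just be the element
+*
 * The same WARNING in dll.h applies since hash.h just uses DLL
 */
 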
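--- a/capture/main.c
+++ b/capture/main.c
@@ -36,12 +36,13 @@ GMainLoop *mainLoop;
 
 /******************************************************************************/
 gchar *pcapFile = NULL;
-gboolean fakepcap = FALSE;
+gboolean fakePcap = FALSE;
 gchar *nodeName = NULL;
 gchar *hostName = NULL;
 gchar *configFile = NULL;
 gboolean showVersion = FALSE;
 gboolean debug = FALSE;
+gboolean dryRun = FALSE;
 
 static GOptionEntry entries[] =
 {
@@ -50,7 +51,8 @@ static GOptionEntry entries[] =
 { "node", 'n', 0, G_OPTION_ARG_STRING, &nodeName, "Our node name, defaults to hostname. Multiple nodes can run on same host.", NULL },
 { "version", 'v', 0, G_OPTION_ARG_NONE, &showVersion, "Show version number", NULL },
 { "debug", 'd', 0, G_OPTION_ARG_NONE, &debug, "Turn on all debugging", NULL },
-{ "fakepcap", 0, G_OPTION_FLAG_HIDDEN, G_OPTION_ARG_NONE, &fakepcap, "fake pcap", NULL },
+{ "fakepcap", 0, G_OPTION_FLAG_HIDDEN, G_OPTION_ARG_NONE, &fakePcap, "fake pcap", NULL },
+{ "dryrun", 0, G_OPTION_FLAG_HIDDEN, G_OPTION_ARG_NONE, &dryRun, "dry run", NULL },
 { NULL, 0, 0, 0, NULL, NULL, NULL }
 };
 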
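Review bot: `--dryrun` is registered with G_OPTION_FLAG_HIDDEN and the one-word help text "dry run", while the commit message presents it as an option operators can use; if it is meant for them, drop the hidden flag and describe the effect, e.g. `{ "dryrun", 0, 0, G_OPTION_ARG_NONE, &dryRun, "Don't write pcap data or session data to elasticsearch", NULL },`. The `dryRun` global is picked up in capture/db.c through an `extern` declaration, so a rename like the fakepcap→fakePcap one in this hunk would have to be applied there too.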
Expand Down
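--- a/capture/moloch.h
+++ b/capture/moloch.h
@@ -64,6 +64,26 @@ typedef struct {
 int i_count;
 } MolochIntHead_t;
 
+typedef struct {
+char *commonName; //2.5.4.3
+char *orgName; // 2.5.4.10
+} MolochCertInfo_t;
+
+typedef struct moloch_tlsinfo{
+struct moloch_tlsinfo *t_next, *t_prev;
+MolochCertInfo_t issuer;
+MolochCertInfo_t subject;
+MolochStringHead_t alt;
+unsigned char *serialNumber;
+short serialNumberLen;
+short t_bucket;
+} MolochCertsInfo_t;
+
+typedef struct {
+struct moloch_tlsinfo *t_next, *t_prev;
+int t_count;
+} MolochCertsInfoHead_t;
+
 
 #define MOLOCH_TAG_TAGS 0
 #define MOLOCH_TAG_HTTP_HEADERS 1
@@ -76,6 +96,7 @@ typedef struct moloch_session {
 HASH_VAR(s_, hosts, MolochStringHead_t, 11);
 HASH_VAR(s_, userAgents, MolochStringHead_t, 11);
 HASH_VAR(i_, xffs, MolochIntHead_t, 11);
+HASH_VAR(t_, certs, MolochCertsInfoHead_t, 11);
 
 char header[32];
 http_parser parsers[2];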
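Review bot: MolochCertsInfo_t says nothing about who owns its `commonName`/`orgName`/`alt`/`serialNumber` allocations, yet capture/db.c frees the name strings and every alt entry (but not `serialNumber`) when it saves the session; a comment on the struct such as `/* Heap-allocated by the TLS parser; moloch_db_save_session drains alt and frees the strings and the struct */` would make that contract explicit, and `serialNumberLen` should be documented as the byte count of `serialNumber`, which presumably holds the raw DER integer bytes since the saver hex-encodes them. The struct tag `moloch_tlsinfo` and the typedef `MolochCertsInfo_t` also disagree on the name, and `MolochCertInfo_t` differs from `MolochCertsInfo_t` by one letter; picking distinct, matching names avoids mix-ups.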