Example #1
0
func (dns *Dns) ReceivedFin(tcpTuple *common.TcpTuple, dir uint8, private protos.ProtocolData) protos.ProtocolData {
	if private == nil {
		return nil
	}
	conn, ok := private.(*dnsConnectionData)
	if !ok {
		return private
	}
	stream := conn.Data[dir]

	if stream == nil || stream.message == nil {
		return conn
	}

	decodedData, err := stream.handleTcpRawData()

	if err == nil {
		dns.messageComplete(conn, tcpTuple, dir, decodedData)
		return conn
	}

	if dir == tcp.TcpDirectionReverse {
		dns.publishResponseError(conn, err)
	}

	logp.Debug("dns", "%s addresses %s, length %d", err.Error(),
		tcpTuple.String(), len(stream.rawData))

	return conn
}
Example #2
0
func (dns *Dns) GapInStream(tcpTuple *common.TcpTuple, dir uint8, nbytes int, private protos.ProtocolData) (priv protos.ProtocolData, drop bool) {
	if private == nil {
		return private, true
	}
	conn, ok := private.(*dnsConnectionData)
	if !ok {
		return private, false
	}
	stream := conn.Data[dir]

	if stream == nil || stream.message == nil {
		return private, false
	}

	decodedData, err := stream.handleTcpRawData()

	if err == nil {
		dns.messageComplete(conn, tcpTuple, dir, decodedData)
		return private, true
	}

	if dir == tcp.TcpDirectionReverse {
		dns.publishResponseError(conn, err)
	}

	logp.Debug("dns", "%s addresses %s, length %d", err.Error(),
		tcpTuple.String(), len(stream.rawData))
	logp.Debug("dns", "Dropping the stream %s", tcpTuple.String())

	// drop the stream because it is binary Data and it would be unexpected to have a decodable message later
	return private, true
}
Example #3
0
func (http *HTTP) handleHTTP(
	conn *httpConnectionData,
	m *message,
	tcptuple *common.TcpTuple,
	dir uint8,
) {

	m.TCPTuple = *tcptuple
	m.Direction = dir
	m.CmdlineTuple = procs.ProcWatcher.FindProcessesTuple(tcptuple.IpPort())
	http.hideHeaders(m)

	if m.IsRequest {
		if isDebug {
			debugf("Received request with tuple: %s", m.TCPTuple)
		}
		conn.requests.append(m)
	} else {
		if isDebug {
			debugf("Received response with tuple: %s", m.TCPTuple)
		}
		conn.responses.append(m)
		http.correlate(conn)
	}
}
Example #4
0
File: dns.go Project: nicoder/beats
func (dns *Dns) GapInStream(tcpTuple *common.TcpTuple, dir uint8, nbytes int, private protos.ProtocolData) (priv protos.ProtocolData, drop bool) {
	dnsData, ok := private.(dnsPrivateData)

	if !ok {
		return private, false
	}

	stream := dnsData.Data[dir]

	if stream == nil || stream.message == nil {
		return private, false
	}

	decodedData, err := decodeDnsData(TransportTcp, stream.data)

	// Add Notes if the failed stream is the response
	if err != nil {
		if dir == tcp.TcpDirectionReverse {
			dns.publishDecodeFailureNotes(dnsData)
		}

		// drop the stream because it is binary and it would be rare to have a decodable message later
		logp.Debug("dns", NonDnsCompleteMsg+" addresses %s, length %d",
			tcpTuple.String(), len(stream.data))
		return private, true
	}

	// publish and ignore the gap. No case should reach this code though ...
	dns.messageComplete(tcpTuple, dir, stream, decodedData)
	return private, false
}
Example #5
0
File: dns.go Project: nicoder/beats
func (dns *Dns) ReceivedFin(tcpTuple *common.TcpTuple, dir uint8, private protos.ProtocolData) protos.ProtocolData {
	if private == nil {
		return private
	}
	dnsData, ok := private.(dnsPrivateData)
	if !ok {
		return private
	}
	if dnsData.Data[dir] == nil {
		return dnsData
	}
	stream := dnsData.Data[dir]
	if stream.message != nil {
		decodedData, err := decodeDnsData(TransportTcp, stream.data)

		if err == nil {
			dns.messageComplete(tcpTuple, dir, stream, decodedData)
		} else /*Failed decode */ {
			if dir == tcp.TcpDirectionReverse {
				dns.publishDecodeFailureNotes(dnsData)
				stream.PrepareForNewMessage()
			}
			logp.Debug("dns", NonDnsCompleteMsg+" addresses %s, length %d",
				tcpTuple.String(), len(stream.data))
		}
	}

	return dnsData
}
Example #6
0
File: dns.go Project: nicoder/beats
func (dns *Dns) handleDns(m *DnsMessage, tcpTuple *common.TcpTuple, dir uint8, data []byte, decodedData *layers.DNS) {
	dnsTuple := DnsTupleFromIpPort(&m.Tuple, TransportTcp, decodedData.ID)
	m.CmdlineTuple = procs.ProcWatcher.FindProcessesTuple(tcpTuple.IpPort())
	m.Data = decodedData
	m.Length = len(data)

	if decodedData.QR == Query {
		dns.receivedDnsRequest(&dnsTuple, m)
	} else /* Response */ {
		dns.receivedDnsResponse(&dnsTuple, m)
	}
}
Example #7
0
func (pgsql *Pgsql) removeTransaction(transList []*PgsqlTransaction,
	tuple common.TcpTuple, index int) *PgsqlTransaction {

	trans := transList[index]
	transList = append(transList[:index], transList[index+1:]...)
	if len(transList) == 0 {
		pgsql.transactions.Delete(trans.tuple.Hashable())
	} else {
		pgsql.transactions.Put(tuple.Hashable(), transList)
	}

	return trans
}
Example #8
0
File: http.go Project: tsg/beats
func (http *HTTP) handleHTTP(m *message, tcptuple *common.TcpTuple,
	dir uint8, rawMsg []byte) {

	m.TCPTuple = *tcptuple
	m.Direction = dir
	m.CmdlineTuple = procs.ProcWatcher.FindProcessesTuple(tcptuple.IpPort())
	m.Raw = rawMsg

	if m.IsRequest {
		http.receivedHTTPRequest(m)
	} else {
		http.receivedHTTPResponse(m)
	}
}
Example #9
0
func (thrift *Thrift) ReceivedFin(tcptuple *common.TcpTuple, dir uint8,
	private protos.ProtocolData) protos.ProtocolData {

	trans := thrift.getTransaction(tcptuple.Hashable())
	if trans != nil {
		if trans.Request != nil && trans.Reply == nil {
			logp.Debug("thrift", "FIN and had only one transaction. Assuming one way")
			thrift.PublishQueue <- trans
			thrift.transactions.Delete(trans.tuple.Hashable())
		}
	}

	return private
}
Example #10
0
func handleMysql(mysql *Mysql, m *MysqlMessage, tcptuple *common.TcpTuple,
	dir uint8, raw_msg []byte) {

	m.TcpTuple = *tcptuple
	m.Direction = dir
	m.CmdlineTuple = procs.ProcWatcher.FindProcessesTuple(tcptuple.IpPort())
	m.Raw = raw_msg

	if m.IsRequest {
		mysql.receivedMysqlRequest(m)
	} else {
		mysql.receivedMysqlResponse(m)
	}
}
Example #11
0
func (dns *Dns) handleDns(conn *dnsConnectionData, tcpTuple *common.TcpTuple, decodedData *mkdns.Msg, dir uint8) {
	message := conn.Data[dir].message
	dnsTuple := DnsTupleFromIpPort(&message.Tuple, TransportTcp, decodedData.Id)

	message.CmdlineTuple = procs.ProcWatcher.FindProcessesTuple(tcpTuple.IpPort())
	message.Data = decodedData
	message.Length += DecodeOffset

	if decodedData.Response {
		dns.receivedDnsResponse(&dnsTuple, message)
		conn.prevRequest = nil
	} else /* Query */ {
		dns.receivedDnsRequest(&dnsTuple, message)
		conn.prevRequest = message
	}
}
Example #12
0
func (redis *Redis) handleRedis(
	conn *redisConnectionData,
	m *redisMessage,
	tcptuple *common.TcpTuple,
	dir uint8,
) {
	m.TcpTuple = *tcptuple
	m.Direction = dir
	m.CmdlineTuple = procs.ProcWatcher.FindProcessesTuple(tcptuple.IpPort())

	if m.IsRequest {
		conn.requests.append(m) // wait for response
	} else {
		conn.responses.append(m)
		redis.correlate(conn)
	}
}
Example #13
0
func (dns *Dns) doParse(conn *dnsConnectionData, pkt *protos.Packet, tcpTuple *common.TcpTuple, dir uint8) *dnsConnectionData {
	stream := conn.Data[dir]
	payload := pkt.Payload

	if stream == nil {
		stream = newStream(pkt, tcpTuple)
		conn.Data[dir] = stream
	} else {
		if stream.message == nil { // nth message of the same stream
			stream.message = &DnsMessage{Ts: pkt.Ts, Tuple: pkt.Tuple}
		}

		stream.rawData = append(stream.rawData, payload...)
		if len(stream.rawData) > tcp.TCP_MAX_DATA_IN_STREAM {
			logp.Debug("dns", "Stream data too large, dropping DNS stream")
			conn.Data[dir] = nil
			return conn
		}
	}
	decodedData, err := stream.handleTcpRawData()

	if err != nil {

		if err == IncompleteMsg {
			logp.Debug("dns", "Waiting for more raw data")
			return conn
		}

		if dir == tcp.TcpDirectionReverse {
			dns.publishResponseError(conn, err)
		}

		logp.Debug("dns", "%s addresses %s, length %d", err.Error(),
			tcpTuple.String(), len(stream.rawData))

		// This means that malformed requests or responses are being sent...
		// TODO: publish the situation also if Request
		conn.Data[dir] = nil
		return conn
	}

	dns.messageComplete(conn, tcpTuple, dir, decodedData)
	stream.PrepareForNewMessage()
	return conn
}
Example #14
0
func (mongodb *Mongodb) handleMongodb(
	conn *mongodbConnectionData,
	m *mongodbMessage,
	tcptuple *common.TcpTuple,
	dir uint8,
) {

	m.TcpTuple = *tcptuple
	m.Direction = dir
	m.CmdlineTuple = procs.ProcWatcher.FindProcessesTuple(tcptuple.IpPort())

	if m.IsResponse {
		debugf("MongoDB response message")
		mongodb.onResponse(conn, m)
	} else {
		debugf("MongoDB request message")
		mongodb.onRequest(conn, m)
	}
}
Example #15
0
func (amqp *Amqp) handleAmqp(m *AmqpMessage, tcptuple *common.TcpTuple, dir uint8) {
	if amqp.mustHideCloseMethod(m) {
		return
	}
	debugf("A message is ready to be handled")
	m.TcpTuple = *tcptuple
	m.Direction = dir
	m.CmdlineTuple = procs.ProcWatcher.FindProcessesTuple(tcptuple.IpPort())

	if m.Method == "basic.publish" {
		amqp.handlePublishing(m)
	} else if m.Method == "basic.deliver" || m.Method == "basic.return" ||
		m.Method == "basic.get-ok" {
		amqp.handleDelivering(m)
	} else if m.IsRequest == true {
		amqp.handleAmqpRequest(m)
	} else if m.IsRequest == false {
		amqp.handleAmqpResponse(m)
	}
}
Example #16
0
File: dns.go Project: nicoder/beats
func (dns *Dns) Parse(pkt *protos.Packet, tcpTuple *common.TcpTuple, dir uint8, private protos.ProtocolData) protos.ProtocolData {
	defer logp.Recover("DNS ParseTcp")

	logp.Debug("dns", "Parsing packet addressed with %s of length %d.",
		pkt.Tuple.String(), len(pkt.Payload))

	priv := dnsPrivateData{}

	if private != nil {
		var ok bool
		priv, ok = private.(dnsPrivateData)
		if !ok {
			priv = dnsPrivateData{}
		}
	}

	payload := pkt.Payload

	stream := &priv.Data[dir]

	if *stream == nil {
		*stream = &DnsStream{
			tcpTuple: tcpTuple,
			data:     payload,
			message:  &DnsMessage{Ts: pkt.Ts, Tuple: pkt.Tuple},
		}
		if len(payload) <= DecodeOffset {
			logp.Debug("dns", EmptyMsg+" addresses %s",
				tcpTuple.String())

			return priv
		}
	} else {
		(*stream).data = append((*stream).data, payload...)
		dataLength := len((*stream).data)
		if dataLength > tcp.TCP_MAX_DATA_IN_STREAM {
			logp.Debug("dns", "Stream data too large, dropping DNS stream")
			return priv
		}
		if dataLength <= DecodeOffset {
			logp.Debug("dns", EmptyMsg+" addresses %s",
				tcpTuple.String())
			return priv
		}
	}

	data, err := decodeDnsData(TransportTcp, (*stream).data)

	if err != nil {
		logp.Debug("dns", NonDnsCompleteMsg+" addresses %s, length %d",
			tcpTuple.String(), len((*stream).data))

		// wait for decoding with the next segment
		return priv
	}

	dns.messageComplete(tcpTuple, dir, *stream, data)
	return priv
}
Example #17
0
func (thrift *Thrift) messageComplete(tcptuple *common.TcpTuple, dir uint8,
	stream *ThriftStream, priv *thriftPrivateData) {

	var flush bool = false

	if stream.message.IsRequest {
		logp.Debug("thrift", "Thrift request message: %s", stream.message.Method)
		if !thrift.CaptureReply {
			// enable the stream in the other direction to get the reply
			stream_rev := priv.Data[1-dir]
			if stream_rev != nil {
				stream_rev.skipInput = false
			}
		}
	} else {
		logp.Debug("thrift", "Thrift response message: %s", stream.message.Method)
		if !thrift.CaptureReply {
			// disable stream in this direction
			stream.skipInput = true

			// and flush current data
			flush = true
		}
	}

	// all ok, go to next level
	stream.message.TcpTuple = *tcptuple
	stream.message.Direction = dir
	stream.message.CmdlineTuple = procs.ProcWatcher.FindProcessesTuple(tcptuple.IpPort())
	if stream.message.FrameSize == 0 {
		stream.message.FrameSize = uint32(stream.parseOffset - stream.message.start)
	}
	thrift.handleThrift(stream.message)

	// and reset message
	stream.PrepareForNewMessage(flush)

}
Example #18
0
// Parse processes a TCP packet. Return nil if connection
// state shall be dropped (e.g. parser not in sync with tcp stream)
func (cassandra *cassandra) Parse(
	pkt *protos.Packet,
	tcptuple *common.TcpTuple, dir uint8,
	private protos.ProtocolData,
) protos.ProtocolData {
	defer logp.Recover("Parse cassandra exception")

	conn := cassandra.ensureConnection(private)
	st := conn.streams[dir]
	if st == nil {
		st = &stream{}
		st.parser.init(&cassandra.parserConfig, func(msg *message) error {
			return conn.trans.onMessage(tcptuple.IpPort(), dir, msg)
		})
		conn.streams[dir] = st
	}

	if err := st.parser.feed(pkt.Ts, pkt.Payload); err != nil {
		debugf("%v, dropping TCP stream for error in direction %v.", err, dir)
		cassandra.onDropConnection(conn)
		return nil
	}
	return conn
}
Example #19
0
func (mc *Memcache) memcacheParseTCP(
	tcpConn *tcpConnectionData,
	pkt *protos.Packet,
	tcptuple *common.TcpTuple,
	dir uint8,
) *tcpConnectionData {
	// assume we are in sync
	stream := tcpConn.Streams[dir]
	if stream == nil {
		stream = mc.newStream(tcptuple)
		tcpConn.Streams[dir] = stream
	}

	debug("add payload to stream(%p): %v", stream, dir)
	if err := stream.Append(pkt.Payload); err != nil {
		debug("%v, dropping TCP streams", err)
		mc.pushAllTCPTrans(tcpConn.connection)
		tcpConn.drop(dir)
		return nil
	}

	if tcpConn.connection == nil {
		tcpConn.connection = &connection{}
	} else {
		stopped := tcpConn.connection.timer.Stop()
		if !stopped {
			// timer was stopped by someone else, create new connection
			tcpConn.connection = &connection{}
		}
	}
	conn := tcpConn.connection

	for stream.Buf.Total() > 0 {
		debug("stream(%p) try to content", stream)
		msg, err := stream.parse(pkt.Ts)
		if err != nil {
			// parsing error, drop tcp stream and retry with next segement
			debug("Ignore Memcache message, drop tcp stream: %v", err)
			mc.pushAllTCPTrans(conn)
			tcpConn.drop(dir)
			return nil
		}

		if msg == nil {
			// wait for more data
			break
		}
		stream.reset()

		tuple := tcptuple.IpPort()
		err = mc.onTCPMessage(conn, tuple, dir, msg)
		if err != nil {
			logp.Warn("error processing memcache message: %s", err)
		}
	}

	conn.timer = time.AfterFunc(mc.tcpTransTimeout, func() {
		debug("connection=%p timed out", conn)
		mc.pushAllTCPTrans(conn)
	})

	return tcpConn
}