I need some help and advice on display filters because I’m new to the codebase. I’m trying to add the capability where a ‘http contains blah’ filter searches uncompressed HTTP content. I’m adding because we use ‘Frame contains’ and ‘http contains’ in our workflow to find items of interest in the traffic. There are items in the compressed data that we would like to find using the contains operator.
I see how the ‘http contains’ filter works and how HTTP decompression works however I cannot figure out how to add the decompressed data to the link list used for display filtering.
I believe it will work if the decompressed buffer was added to the list_a link list in dfvm.c. The list_a link list only has the raw HTTP packet data and the next pointer is NULL when protocol ID is http. It would seem to work if the uncompressed data pointer was added to the end of the list_a link list in the read_tree method.
Thoughts/guidance?
static gboolean any_test(dfilter_t *df, FvalueCmpFunc cmp, int reg1, int reg2) { GList *list_a, *list_b;
list_a = df->registers[reg1];
while (list_a) { list_b = df->registers[reg2]; while (list_b) { if (cmp((fvalue_t *)list_a->data, (fvalue_t *)list_b->data)) { return TRUE; } list_b = g_list_next(list_b); } list_a = g_list_next(list_a); } return FALSE; } |