/// <summary> /// Initializes a new instance of the <see cref="BaseObject"/> class. /// </summary> /// <param name="sOrigUrl">The original URL.</param> /// <param name="sPathToFile">The path to file.</param> /// <param name="sFileName">Name of the file.</param> /// <param name="sFileExtension">The file extension.</param> /// <param name="sContentType">Type of the content.</param> /// <param name="oRequestMsg">The request message.</param> /// <param name="listCookieInformation">The list cookie information.</param> public BaseObject( string sOrigUrl, string sPathToFile, string sFileName, string sFileExtension, string sContentType, HTTPMsg oRequestMsg, List <string> listCookieInformation) { this.RequestMessage = oRequestMsg; this.OriginalUrl = sOrigUrl; this.PathToFileName = sPathToFile; this.FileName = sFileName; this.FileExtension = sFileExtension; this.ContentType = sContentType; this.Referrer = ObjectParser.ParseReferer((HttpRequestHeader)oRequestMsg.HTTPHeader); this.HostAddress = ObjectParser.ParseHostAddress((HttpRequestHeader)oRequestMsg.HTTPHeader); this.Content = oRequestMsg.PairMessages[0].HTTPContent.Content; this.TimeStamp = oRequestMsg.TimeStamp; this.ExportSource = oRequestMsg.ExportSources[0]; this.CookieInformation = listCookieInformation; this.UniqueHash = ComputeHash.GetMd5Hash(this.Content); this.FileSize = this.Content.LongLength; this.ListOfNewReferences = new List <string>(); }
public override void Init(HTTPMsg message) { this._headerFields = message.HTTPHeader.Fields; if (message.MessageType == MessageType.REQUEST) { var reqHeader = message.HTTPHeader as HttpRequestHeader; var uri = reqHeader.RequestURI.Split('?'); this._requestUri = uri[0]; this._requestUriParameters = new Dictionary <string, List <string> >(); if (uri.Length == 2) { foreach (var p in uri[1].Split('&').Select(pair => pair.Split('='))) { if (!this._requestUriParameters.ContainsKey(p[0])) { this._requestUriParameters[p[0]] = new List <string>(); } if (p.Length == 2) { this._requestUriParameters[p[0]].Add(p[1]); } } } } if (message.HTTPContent == null) { return; } var jsonReader = JsonReaderWriterFactory.CreateJsonReader(message.HTTPContent.Content, new XmlDictionaryReaderQuotas()); this._root = XElement.Load(jsonReader); }
/// <summary> /// Initialization with HTTP message. /// </summary> /// <param name="message">HTTPMsg message</param> public void Init(HTTPMsg message) { if (message.HTTPHeader.Fields.ContainsKey("Content-Type")) { this.ContentSpotter = this.SpotterPool.GetSpotterOrWait(message.HTTPHeader.Fields["Content-Type"].First()); this.ContentSpotter.Init(message); } this.WebmailApp = WebmailSuggest.Unknown; }
public override void Init(HTTPMsg message) { if (message.HTTPContent == null) { return; } var encoder = this.GetEncoder(message.HTTPHeader.Fields["Content-Type"].First()); this._content = encoder.GetString(message.HTTPContent.Content); }
public override bool IsMsgWebmailEvent(HTTPMsg message, ref List <EventSuggest> detectedEvents, out SpotterBase spotter) { this.Init(message); spotter = this.ContentSpotter; if (this.ContentSpotter == null) { return(false); } /* webmail application detection for better content parsing purposes */ if (this.ContentSpotter.ContainsKeyValuePair("appid", "YahooMailNeo", SpotterBase.SpotterContext.AllPair)) { this.WebmailApp = WebmailSuggest.YahooMailNeo; } else if (this.ContentSpotter.ContainsKeyValuePair("Host", "email.seznam.cz", SpotterBase.SpotterContext.AllPair)) { this.WebmailApp = WebmailSuggest.Seznam; } /* event detection */ if (this.ContentSpotter.Contains("from", SpotterBase.SpotterContext.ContentKey) && this.ContentSpotter.Contains("to", SpotterBase.SpotterContext.ContentKey) && this.ContentSpotter.Contains("subject", SpotterBase.SpotterContext.ContentKey) && this.ContentSpotter.ContainsOneOf(this.MailContentFields, SpotterBase.SpotterContext.ContentKey)) { detectedEvents.Add(EventSuggest.MailNewMessage); } else { foreach (var pair in this.ListFolderPairs) { var key = pair.Key; if ((pair.Value.Equals("*") && this.ContentSpotter.Contains(pair.Key, SpotterBase.SpotterContext.AllKey)) || this.ContentSpotter.ContainsKeyValuePair(key, pair.Value, SpotterBase.SpotterContext.AllPair)) { detectedEvents.Add(EventSuggest.MailListFolder); } } foreach (var pair in this.DisplayMessagePairs) { var key = pair.Key; if ((pair.Value.Equals("*") && this.ContentSpotter.Contains(pair.Key, SpotterBase.SpotterContext.AllKey)) || this.ContentSpotter.ContainsKeyValuePair(key, pair.Value, SpotterBase.SpotterContext.AllPair)) { detectedEvents.Add(EventSuggest.MailDisplayMessage); } } // other events detection comes here } return(detectedEvents.Any()); }
/// <summary> /// Initializes a new instance of the <see cref="TextObject"/> class. /// </summary> /// <param name="sOrigUrl">The original URL.</param> /// <param name="sPathToFile">The path to file.</param> /// <param name="sFileName">Name of the file.</param> /// <param name="sFileExtension">The file extension.</param> /// <param name="sContentType">Type of the content.</param> /// <param name="oRequestMsg">The request MSG.</param> /// <param name="listCookieInformation">The list cookie information.</param> public TextObject( string sOrigUrl, string sPathToFile, string sFileName, string sFileExtension, string sContentType, HTTPMsg oRequestMsg, List <string> listCookieInformation) : base(sOrigUrl, sPathToFile, sFileName, sFileExtension, sContentType, oRequestMsg, listCookieInformation) { this.ListOfReferences = new List <Tuple <string, string> >(); this.ConvertByteArrayToString(); }
public override void Clean() { this._clone = null; this._content = string.Empty; this._boundariesIndices = null; this._boundary = null; this._headerFields = null; this._requestUri = string.Empty; this._requestUriParameters = null; this._partCount = 0; this._partPosition = 0; }
/// <summary> /// Initializes a new instance of the <see cref="ScriptObject"/> class. /// </summary> /// <param name="sOrigUrl">The original URL.</param> /// <param name="sPathToFile">The path to file.</param> /// <param name="sFileName">Name of the file.</param> /// <param name="sFileExtension">The file extension.</param> /// <param name="sContentType">Type of the content.</param> /// <param name="oRequestMsg">The request MSG.</param> /// <param name="listCookieInformation">The list cookie information.</param> public ScriptObject( string sOrigUrl, string sPathToFile, string sFileName, string sFileExtension, string sContentType, HTTPMsg oRequestMsg, List <string> listCookieInformation) : base(sOrigUrl, sPathToFile, sFileName, sFileExtension, sContentType, oRequestMsg, listCookieInformation) { this._jsParser = new Jint.Parser.JavaScriptParser(false); this._jsProgram = null; //this._jsEngine = new Jint.Engine(); //this.ParseScript(); }
public GeneratedObject( string sOrigUrl, string sPathToFile, string sFileName, string sFileExtension, string sContentType, HTTPMsg oRequestMsg, List <string> listCookieInformation, long lGeneratedObjectIndex) : base(sOrigUrl, sPathToFile, sFileName, sFileExtension, sContentType, oRequestMsg, listCookieInformation) { this._lGeneratedObjectIndex = lGeneratedObjectIndex; this.FileName = "ad" + this._lGeneratedObjectIndex + ".js"; this.FileExtension = "js"; }
public override void Init(HTTPMsg message) { this._headerFields = message.HTTPHeader.Fields; if (message.MessageType == MessageType.REQUEST) { var reqHeader = message.HTTPHeader as HttpRequestHeader; var uri = reqHeader.RequestURI.Split('?'); this._requestUri = uri[0]; this._requestUriParameters = new Dictionary <string, List <string> >(); if (uri.Length == 2) { foreach (var p in uri[1].Split('&').Select(pair => pair.Split('='))) { if (!this._requestUriParameters.ContainsKey(p[0])) { this._requestUriParameters[p[0]] = new List <string>(); } if (p.Length == 2) { this._requestUriParameters[p[0]].Add(p[1]); } } } } if (message.HTTPContent == null) { return; } this._contentFields = new Dictionary <string, List <string> >(StringComparer.OrdinalIgnoreCase); var encoder = this.GetEncoder(message.HTTPHeader.Fields["Content-Type"].First()); foreach (var pair in encoder.GetString(message.HTTPContent.Content).Split('&')) { var p = pair.Split('='); if (p.Length < 2) { continue; } if (!this._contentFields.ContainsKey(p[0])) { this._contentFields.Add(p[0], new List <string>()); } this._contentFields[p[0]].Add(p[1]); } }
public void HTTPTest_http_malyweb3() { var httpMessagePatterns = new[] //Messages - timestampes, HttpRequestHeader and HttpResponseHeader { new [] { "22.11.2013 14:52:17", "Accept: */*; \nReferer: http://www.fit.vutbr.cz/; \nAccept-Language: cs,en-US;q=0.7,en;q=0.3; \nUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; Avant Browser); \nAccept-Encoding: gzip, deflate; \nHost: www.fit.vutbr.cz; \nConnection: Keep-Alive; \n", "" }, new [] { "22.11.2013 14:52:23", "", "Date: Fri, 22 Nov 2013 14:52:24 GMT; \nServer: Apache; \nCache-Control: max-age=604800; \nExpires: Fri, 29 Nov 2013 14:52:24 GMT; \nLast-Modified: Fri, 29 Jun 2012 15:06:59 GMT; \nETag: \"7a1fd3-800c-4fedc493\"; \nAccept-Ranges: bytes; \nContent-Length: 32780; \nContent-Type: image/jpeg; \n" } }; this.FrameworkController.ProcessCapture(this.PrepareCaptureForProcessing(SnoopersPcaps.Default.http_caps_malyweb3_pcapng)); var conversations = this.L7Conversations.ToArray(); this.FrameworkController.ExportData(this.SnoopersToUse, conversations, this.CurrentTestBaseDirectory, true); SnooperExportHTTP exportedObjectsReference = null; foreach (var exportedObjects in this.SnooperExports.ToArray()) //Get SnooperExportHTTP exported objects { if ((exportedObjectsReference = exportedObjects as SnooperExportHTTP) != null) { break; } } Assert.IsNotNull(exportedObjectsReference); var exportedObjectBases = exportedObjectsReference.ExportObjects.ToArray(); Assert.AreEqual(2, exportedObjectBases.Length); //Total number of exported objects should be 2 var httpObjects = exportedObjectBases.Where(i => i is SnooperExportedDataObjectHTTP).Cast <SnooperExportedDataObjectHTTP>().OrderBy(it => it.TimeStamp).ToArray(); HTTPMsg[] messages = new HTTPMsg[httpObjects.Length]; int j = 0; foreach (SnooperExportedDataObjectHTTP o in httpObjects) { messages[j] = o.Message; j++; } Assert.AreEqual(2, messages.Length); Assert.AreEqual(httpMessagePatterns.Length, messages.Length); //Both arrays should have same length for (var i = 0; i < messages.Length; i++) { Assert.AreEqual(messages[i].TimeStamp.ToString(new CultureInfo("cs-CZ", false)), httpMessagePatterns[i][0]); Assert.AreEqual(messages[i].HttpRequestHeader.ToString(), httpMessagePatterns[i][1]); Assert.AreEqual(messages[i].HttpResponseHeader.ToString(), httpMessagePatterns[i][2]); } }
/// <summary> /// Parse,validate HTTP object and create archive objects from HTTP object. /// </summary> /// <param name="oResponseHeader">The response header of HTTP Message.</param> /// <param name="oRequestHTTPMsg">The request HTTP Message.</param> private void ParseAndCreateArchiveObject(HttpResponseHeader oResponseHeader, HTTPMsg oRequestHTTPMsg) { var oArchiveObject = ObjectParser.CreateDataObject(oResponseHeader, oRequestHTTPMsg); if (oArchiveObject == null) { return; } if (oArchiveObject is ParentObject) { this._listOfArchives.Add(new Archive((ParentObject)oArchiveObject, this.ExportBaseDirectory)); } else { this._oContainer.AddObject(oArchiveObject); } }
/// <summary> /// Creates Facebook status by parsing content of HTTP message. /// </summary> /// <param name="msg">Content of HTTP message.</param> /// <param name="exportObject">For referencing FacebookSnooperExport from Facebook object.</param> /// <returns>Parsed comment from HTTP content.</returns> private static FacebookStatus GetFacebookStatus(HTTPMsg msg, SnooperExportBase exportObject) { var httpContent = msg.HTTPContent.Content; var strippedContent = Encoding.Default.GetString(httpContent); // parses urlencoded data var parsedUrl = HttpUtility.ParseQueryString(strippedContent); var status = new FacebookStatus(exportObject) { FacebookStatusTimestamp = parsedUrl["ttstamp"], SenderId = parsedUrl["__user"], TargetId = parsedUrl["xhpc_targetid"], StatusText = parsedUrl["xhpc_message_text"] }; return(status); }
public void GetFileHash(Guid investigationId, SnooperHTTPFileDTO image, string appPath) { using (var uow = this.UnitOfWorkProvider.Create(investigationId)) { var query = (IQueryable <PmFrameBase>)uow.DbContext.Set <PmFrameBase>(); var frames = query.Where(i => image.FrameGuids.Contains(i.Id)).OrderBy(e => e.FirstSeen).ToList(); foreach (var f in frames) { f.PmCapture.FileInfo = new FileInfo(Path.Combine(appPath + NetfoxWebSettings.Default.InvestigationsFolder + NetfoxWebSettings.Default.InvestigationPrefix + investigationId + "/Sources/Captures", f.PmCapture.RelativeFilePath)); } var prepare = image.TimeStamp.Ticks + string.Join(" ", frames) + image.StatusLine; image.Path = "Exports/HTTP/" + HTTPMsg.GetMD5Hash(prepare); } }
/// <summary> /// Initializes a new instance of the <see cref="ParentObject"/> class. /// </summary> /// <param name="sOrigUrl">The original URL.</param> /// <param name="sPathToFile">The path to file.</param> /// <param name="sFileName">Name of the file.</param> /// <param name="sFileExtension">The file extension.</param> /// <param name="sContentType">Type of the content.</param> /// <param name="oRequestMsg">The request message.</param> /// <param name="listCookieInformation">The list cookie information.</param> /// <param name="sCharSet">The character set.</param> public ParentObject( string sOrigUrl, string sPathToFile, string sFileName, string sFileExtension, string sContentType, HTTPMsg oRequestMsg, List <string> listCookieInformation, string sCharSet) : base(sOrigUrl, sPathToFile, sFileName, sFileExtension, sContentType, oRequestMsg, listCookieInformation) { this._sCharSet = sCharSet; var regMatch = Regex.Match(this.StringContent, @"<title>(.*)</title>"); if (regMatch.Success) { this._sTitle = regMatch.Groups[1].ToString(); } }
public override void Init(HTTPMsg message) { this._headerFields = message.HTTPHeader.Fields; if (message.MessageType == MessageType.REQUEST) { var reqHeader = message.HTTPHeader as HttpRequestHeader; var uri = reqHeader.RequestURI.Split('?'); this._requestUri = uri[0]; this._requestUriParameters = new Dictionary <string, List <string> >(); if (uri.Length == 2) { foreach (var p in uri[1].Split('&').Select(pair => pair.Split('='))) { if (!this._requestUriParameters.ContainsKey(p[0])) { this._requestUriParameters[p[0]] = new List <string>(); } if (p.Length == 2) { this._requestUriParameters[p[0]].Add(p[1]); } } } } if (message.HTTPContent == null) { return; } var decodedBytes = Convert.FromBase64String(message.HTTPContent.ToString()); this.Items = new List <FRPCparser.IFRPCItem>(); if (!FRPCparser.Parse(decodedBytes, out this.Items)) { return; } }
/// <summary> /// Creates object which represents sent private message from application/x-www-form-urlencoded serialization type /// </summary> /// <param name="httpMessage">Original HTTP message from HTTP snooper</param> /// <param name="exportObject">For referencing XChatSnooperExport from XChat object</param> /// <returns>Instance of Xchat sent message</returns> private static XChatPrivateMessage GetXChatPrivateSentMessage(HTTPMsg httpMessage, SnooperExportBase exportObject) { var strippedContent = Encoding.GetEncoding("ISO-8859-2").GetString(httpMessage.HTTPContent.Content); //Convert bytes to string in ISO-8859-2 encoding var parsedUrl = HttpUtility.ParseQueryString(strippedContent, Encoding.GetEncoding("ISO-8859-2")); //Parse query from message body var message = new XChatPrivateMessage(exportObject) { Time = httpMessage.TimeStamp.ToString("dd. MM. yyyy HH:mm:ss"), Text = parsedUrl["message"], Target = parsedUrl["to"], Subject = parsedUrl["subject"] }; //Getting sender nickname from Cookie in header: var requestHeader = httpMessage.HTTPHeader as HttpRequestHeader; List <string> values; //List which contains values from Cookie in HTTP request header if (requestHeader.Fields.TryGetValue("Cookie", out values)) { var sb = new StringBuilder(); foreach (var value in values) { sb.Append(value).Append("; "); } //Concatenes values from Cookie in HTTP header var regex = new Regex(@"[0-9]{8}=[0-9]{8}%3A([0-9a-zA-Z][a-zA-Z0-9\.-_]{2,19})"); //Regular expression for getting message sender nickname var match = regex.Match(sb.ToString()); message.Source = match.Success ? match.Groups[1].ToString() : ""; } else { message.Source = ""; } return(message); }
/// <summary> /// Creates object which represents recieved private message from HTML document /// </summary> /// <param name="httpMessage">Original HTTP message</param> /// <param name="html">Parsed HTML document</param> /// <param name="exportObject">For referencing XChatSnooperExport from XChat object</param> /// <returns>Instance of Xchat received message</returns> private static XChatPrivateMessage GetXChatPrivateReceivedMessage(HTTPMsg httpMessage, HtmlDocument html, SnooperExportBase exportObject) { HtmlNode node; var message = new XChatPrivateMessage(exportObject); var form = html.DocumentNode.SelectSingleNode("//form[@name='readmsg']"); //Node that represents form with class readmsg node = form.SelectSingleNode("//span[@class='offlinesm']/child::a[@title='profil uživatele']/strong"); //Position in document where sender nickname is located message.Source = node?.InnerText; node = form.SelectSingleNode("//table/descendant::table/tr[4]/td[2]"); //Position in document where receiver nickname is located message.Target = node?.InnerText; node = form.SelectSingleNode("//div[@class='boxudaje2']/div[@class='boxudaje3']/descendant::div"); //Position in document where message text is located message.Text = node?.InnerText; node = form.SelectSingleNode("//table/descendant::table/tr[2]/td[2]"); message.Subject = node?.InnerText; message.Time = httpMessage.TimeStamp.ToString("dd. MM. yyyy HH:mm:ss"); return(message); }
public override bool IsMsgWebmailEvent(HTTPMsg message, ref List <EventSuggest> detectedEvents, out SpotterBase spotter) { this.Init(message); spotter = this.ContentSpotter; if (this.ContentSpotter == null) { return(false); } if (this.ContentSpotter.ContainsKeyValuePair("cn", "Microsoft.Msn.Hotmail.Ui.Fpp.MailBox", SpotterBase.SpotterContext.ContentPair)) { if (this.ContentSpotter.ContainsKeyValuePair("mn", "SendMessage_ec", SpotterBase.SpotterContext.ContentPair)) { detectedEvents.Add(EventSuggest.MailNewMessage); } if (this.ContentSpotter.ContainsKeyValuePair("mn", "GetInboxData", SpotterBase.SpotterContext.ContentPair) && !detectedEvents.Contains(EventSuggest.MailNewMessage)) { detectedEvents.Add(EventSuggest.MailListFolder); } // TODO other events } return(detectedEvents.Any()); }
/// <summary> /// Creates the MAFF object method. /// </summary> /// <param name="oResponseHeader">The message response header.</param> /// <param name="oRequestMsg">The request message.</param> /// <returns></returns> public static BaseObject CreateDataObject(HttpResponseHeader oResponseHeader, HTTPMsg oRequestMsg) { var oRequestHeader = ((HttpRequestHeader)oRequestMsg.HTTPHeader); var sOriginalUrl = oRequestHeader.RequestURI; var sContentType = ObjectParser.ParseContentType(oResponseHeader); var sCharSet = ObjectParser.ParseCharSet(oResponseHeader); var sPathToFileName = ObjectParser.ParsePathToFileName(sOriginalUrl); var sFileName = ObjectParser.ParseFileName(sPathToFileName); var listCookiees = ObjectParser.ParseCookieInformation(oResponseHeader); var bGeneratedObject = false; var sFileExtension = string.Empty; if (sFileName.Length != 0) { sFileExtension = ObjectParser.ParseFileExtension(sFileName); //If it's Text object without extension, fill with GET uri request if (ObjectParser.CheckIfTextObject(sContentType) && sFileExtension == string.Empty) { sPathToFileName = sOriginalUrl; } } //Parse GetUrlRequest for Javasrcipt If isnt Root html object else if (!sOriginalUrl.Equals("/")) { _generatedObjectIndex++; bGeneratedObject = true; } if (sContentType.Contains("text/html") && !bGeneratedObject) { if (ObjectParser.CheckIsValidParentObject(oRequestMsg.PairMessages[0].HTTPContent.Content)) { return(new ParentObject(sOriginalUrl, sPathToFileName, "index.html", "html", sContentType, oRequestMsg, listCookiees, sCharSet)); } return(new TextObject(sOriginalUrl, sPathToFileName, sFileName, sFileExtension, sContentType, oRequestMsg, listCookiees)); } if (bGeneratedObject) { //TODO IMPOSSIBLE TO PARSE??? FOR NOW -> Discard packet return(ObjectParser.CheckIfScriptObject(sContentType) ? new GeneratedObject(sOriginalUrl, sPathToFileName, sFileName, sFileExtension, sContentType, oRequestMsg, listCookiees, _generatedObjectIndex) : null); } if (ObjectParser.CheckIfScriptObject(sContentType)) { return(new ScriptObject(sOriginalUrl, sPathToFileName, sFileName, sFileExtension, sContentType, oRequestMsg, listCookiees)); } if (ObjectParser.CheckIfTextObject(sContentType)) { return(new TextObject(sOriginalUrl, sPathToFileName, sFileName, sFileExtension, sContentType, oRequestMsg, listCookiees)); } return(new BaseObject(sOriginalUrl, sPathToFileName, sFileName, sFileExtension, sContentType, oRequestMsg, listCookiees)); }
public override void Init(HTTPMsg message) { this._headerFields = message.HTTPHeader.Fields; if (message.MessageType == MessageType.REQUEST) { var reqHeader = message.HTTPHeader as HttpRequestHeader; var uri = reqHeader.RequestURI.Split('?'); this._requestUri = uri[0]; this._requestUriParameters = new Dictionary <string, List <string> >(); if (uri.Length == 2) { foreach (var p in uri[1].Split('&').Select(pair => pair.Split('='))) { if (!this._requestUriParameters.ContainsKey(p[0])) { this._requestUriParameters[p[0]] = new List <string>(); } if (p.Length == 2) { this._requestUriParameters[p[0]].Add(p[1]); } } } } // Clone message is needed for later use of another soptters for every part this._clone = message.Clone(); this._clone.HTTPContent = this._clone.HTTPContent.Clone(); this._boundary = this.GetStringPart("boundary=", ";", message.HTTPHeader.Fields["Content-Type"].First()); var encoder = this.GetEncoder(message.HTTPHeader.Fields["Content-Type"].First()); this._content = encoder.GetString(message.HTTPContent.Content); this._boundariesIndices = new List <Int32>(); // mark boundaries var start = this._content.IndexOf(this._boundary, StringComparison.Ordinal); start = this._content.IndexOf("\r\n", start, StringComparison.Ordinal) + 1; this._boundariesIndices.Add(start); do { var end = this._content.IndexOf(this._boundary, start, StringComparison.Ordinal); if (end == -1) { break; } end = this._content.LastIndexOf("\r\n", end, StringComparison.Ordinal); this._boundariesIndices.Add(end); this._partCount++; start = this._content.IndexOf(this._boundary, start, StringComparison.Ordinal); if (end == -1) { break; } start = this._content.IndexOf("\r\n", start, StringComparison.Ordinal) + 1; this._boundariesIndices.Add(start); } while(true); }
/// <summary> /// Initialize spotter with HTTP message. /// </summary> /// <param name="message">HTTP message which content should be watch.</param> public abstract void Init(HTTPMsg message);
/// <summary> /// Check if HTTP message is webmail event. /// </summary> /// <param name="message">HTTP message to check</param> /// <param name="detectedEvents">Webmail events found in message</param> /// <param name="spotter">Spotter used to handle message.</param> /// <returns></returns> public abstract bool IsMsgWebmailEvent(HTTPMsg message, ref List <EventSuggest> detectedEvents, out SpotterBase spotter);
protected override void ProcessConversation() { Console.WriteLine("SnooperHTTP.ProcessConversation() called"); // we need a stream to read from var stream = this.CurrentConversation.Key.IsSet ? new PDUDecrypterBase(this.CurrentConversation, EfcPDUProviderType.Breaked) : new PDUStreamBasedProvider(this.CurrentConversation, EfcPDUProviderType.Breaked); // now we can create a reader that will be reading from the stream we just created // encoding set to codepage 437 as extended ascii var reader = new PDUStreamReader(stream, Encoding.GetEncoding(437)); // create export directory if it doesn't exist if (!this.ExportBaseDirectory.Exists) { this.ExportBaseDirectory.Create(); } HTTPMsg request = null; // reader will spawn messages, cycle through them do { this.OnBeforeProtocolParsing(); // parse protocol var message = new HTTPMsg(reader, this.ExportBaseDirectory); if (!message.Valid) { this.SnooperExport.TimeStampFirst = message.TimeStamp; // parsing went wrong, we have to report it this.SnooperExport.AddExportReport( ExportReport.ReportLevel.Warn, this.Name, "parsing of HTTP message failed, frames: " + string.Join(",", message.Frames), message.ExportSources); Console.WriteLine("parsing of HTTP message failed, frame numbers: " + string.Join(",", message.Frames) + ": " + message.InvalidReason); // skip processing, go to next message continue; } // parsing done this.OnAfterProtocolParsing(); // start processing and export this.OnBeforeDataExporting(); SnooperExportedDataObjectHTTP exportedObject; // process parsed structure switch (message.MessageType) { case MessageType.REQUEST: if (request != null) { /* export request with no response ?? */ exportedObject = new SnooperExportedDataObjectHTTP(this.SnooperExport) { TimeStamp = request.TimeStamp, Message = request }; exportedObject.ExportSources.AddRange(request.ExportSources); this.SnooperExport.AddExportObject(exportedObject); } request = message; break; case MessageType.RESPONSE: if (request != null) { message.PairMessages.Add(request); } request?.PairMessages.Add(message); request = null; /* always export with response message */ // export request if (message.PairMessages.Any()) { exportedObject = new SnooperExportedDataObjectHTTP(this.SnooperExport) { TimeStamp = message.PairMessages.First().TimeStamp, Message = message.PairMessages.First() }; exportedObject.ExportSources.AddRange(message.ExportSources); this.SnooperExport.AddExportObject(exportedObject); } // export response exportedObject = new SnooperExportedDataObjectHTTP(this.SnooperExport); exportedObject.TimeStamp = message.TimeStamp; exportedObject.Message = message; exportedObject.ExportSources.AddRange(message.ExportSources); this.SnooperExport.AddExportObject(exportedObject); break; } this.OnAfterDataExporting(); //finalize processing of current message, moving to next one // IMPORTANT !!! this has to be called after each message successfully processed // so correct connections between exported data and exported reports can be kept //base.ProcessingDone(); } while(reader.NewMessage()); // export last request if needed if (request != null) { var exportedObject = new SnooperExportedDataObjectHTTP(this.SnooperExport) { TimeStamp = request.TimeStamp, Message = request }; exportedObject.ExportSources.AddRange(request.ExportSources); this.SnooperExport.AddExportObject(exportedObject); } }