/// <summary>
/// Initializes a new instance of the <see cref="BaseObject"/> class.
/// </summary>
/// <param name="sOrigUrl">The original URL.</param>
/// <param name="sPathToFile">The path to file.</param>
/// <param name="sFileName">Name of the file.</param>
/// <param name="sFileExtension">The file extension.</param>
/// <param name="sContentType">Type of the content.</param>
/// <param name="oRequestMsg">The request message.</param>
/// <param name="listCookieInformation">The list cookie information.</param>
public BaseObject(
string sOrigUrl,
string sPathToFile,
string sFileName,
string sFileExtension,
string sContentType,
HTTPMsg oRequestMsg,
List <string> listCookieInformation)
{
this.RequestMessage = oRequestMsg;
this.OriginalUrl = sOrigUrl;
this.PathToFileName = sPathToFile;
this.FileName = sFileName;
this.FileExtension = sFileExtension;
this.ContentType = sContentType;
this.Referrer = ObjectParser.ParseReferer((HttpRequestHeader)oRequestMsg.HTTPHeader);
this.HostAddress = ObjectParser.ParseHostAddress((HttpRequestHeader)oRequestMsg.HTTPHeader);
this.Content = oRequestMsg.PairMessages[0].HTTPContent.Content;
this.TimeStamp = oRequestMsg.TimeStamp;
this.ExportSource = oRequestMsg.ExportSources[0];
this.CookieInformation = listCookieInformation;
this.UniqueHash = ComputeHash.GetMd5Hash(this.Content);
this.FileSize = this.Content.LongLength;
this.ListOfNewReferences = new List <string>();
}
public override void Init(HTTPMsg message)
{
this._headerFields = message.HTTPHeader.Fields;
if (message.MessageType == MessageType.REQUEST)
{
var reqHeader = message.HTTPHeader as HttpRequestHeader;
var uri = reqHeader.RequestURI.Split('?');
this._requestUri = uri[0];
this._requestUriParameters = new Dictionary <string, List <string> >();
if (uri.Length == 2)
{
foreach (var p in uri[1].Split('&').Select(pair => pair.Split('=')))
{
if (!this._requestUriParameters.ContainsKey(p[0]))
{
this._requestUriParameters[p[0]] = new List <string>();
}
if (p.Length == 2)
{
this._requestUriParameters[p[0]].Add(p[1]);
}
}
}
}
if (message.HTTPContent == null)
{
return;
}
var jsonReader = JsonReaderWriterFactory.CreateJsonReader(message.HTTPContent.Content, new XmlDictionaryReaderQuotas());
this._root = XElement.Load(jsonReader);
}
/// <summary>
/// Initialization with HTTP message.
/// </summary>
/// <param name="message">HTTPMsg message</param>
public void Init(HTTPMsg message)
{
if (message.HTTPHeader.Fields.ContainsKey("Content-Type"))
{
this.ContentSpotter = this.SpotterPool.GetSpotterOrWait(message.HTTPHeader.Fields["Content-Type"].First());
this.ContentSpotter.Init(message);
}
this.WebmailApp = WebmailSuggest.Unknown;
}
public override void Init(HTTPMsg message)
{
if (message.HTTPContent == null)
{
return;
}
var encoder = this.GetEncoder(message.HTTPHeader.Fields["Content-Type"].First());
this._content = encoder.GetString(message.HTTPContent.Content);
}
public override bool IsMsgWebmailEvent(HTTPMsg message, ref List <EventSuggest> detectedEvents, out SpotterBase spotter)
{
this.Init(message);
spotter = this.ContentSpotter;
if (this.ContentSpotter == null)
{
return(false);
}
/* webmail application detection for better content parsing purposes */
if (this.ContentSpotter.ContainsKeyValuePair("appid", "YahooMailNeo", SpotterBase.SpotterContext.AllPair))
{
this.WebmailApp = WebmailSuggest.YahooMailNeo;
}
else if (this.ContentSpotter.ContainsKeyValuePair("Host", "email.seznam.cz", SpotterBase.SpotterContext.AllPair))
{
this.WebmailApp = WebmailSuggest.Seznam;
}
/* event detection */
if (this.ContentSpotter.Contains("from", SpotterBase.SpotterContext.ContentKey) && this.ContentSpotter.Contains("to", SpotterBase.SpotterContext.ContentKey) &&
this.ContentSpotter.Contains("subject", SpotterBase.SpotterContext.ContentKey) &&
this.ContentSpotter.ContainsOneOf(this.MailContentFields, SpotterBase.SpotterContext.ContentKey))
{
detectedEvents.Add(EventSuggest.MailNewMessage);
}
else
{
foreach (var pair in this.ListFolderPairs)
{
var key = pair.Key;
if ((pair.Value.Equals("*") && this.ContentSpotter.Contains(pair.Key, SpotterBase.SpotterContext.AllKey)) ||
this.ContentSpotter.ContainsKeyValuePair(key, pair.Value, SpotterBase.SpotterContext.AllPair))
{
detectedEvents.Add(EventSuggest.MailListFolder);
}
}
foreach (var pair in this.DisplayMessagePairs)
{
var key = pair.Key;
if ((pair.Value.Equals("*") && this.ContentSpotter.Contains(pair.Key, SpotterBase.SpotterContext.AllKey)) ||
this.ContentSpotter.ContainsKeyValuePair(key, pair.Value, SpotterBase.SpotterContext.AllPair))
{
detectedEvents.Add(EventSuggest.MailDisplayMessage);
}
}
// other events detection comes here
}
return(detectedEvents.Any());
}
/// <summary>
/// Initializes a new instance of the <see cref="TextObject"/> class.
/// </summary>
/// <param name="sOrigUrl">The original URL.</param>
/// <param name="sPathToFile">The path to file.</param>
/// <param name="sFileName">Name of the file.</param>
/// <param name="sFileExtension">The file extension.</param>
/// <param name="sContentType">Type of the content.</param>
/// <param name="oRequestMsg">The request MSG.</param>
/// <param name="listCookieInformation">The list cookie information.</param>
public TextObject(
string sOrigUrl,
string sPathToFile,
string sFileName,
string sFileExtension,
string sContentType,
HTTPMsg oRequestMsg,
List <string> listCookieInformation) : base(sOrigUrl, sPathToFile, sFileName, sFileExtension, sContentType, oRequestMsg, listCookieInformation)
{
this.ListOfReferences = new List <Tuple <string, string> >();
this.ConvertByteArrayToString();
}
public override void Clean()
{
this._clone = null;
this._content = string.Empty;
this._boundariesIndices = null;
this._boundary = null;
this._headerFields = null;
this._requestUri = string.Empty;
this._requestUriParameters = null;
this._partCount = 0;
this._partPosition = 0;
}
/// <summary>
/// Initializes a new instance of the <see cref="ScriptObject"/> class.
/// </summary>
/// <param name="sOrigUrl">The original URL.</param>
/// <param name="sPathToFile">The path to file.</param>
/// <param name="sFileName">Name of the file.</param>
/// <param name="sFileExtension">The file extension.</param>
/// <param name="sContentType">Type of the content.</param>
/// <param name="oRequestMsg">The request MSG.</param>
/// <param name="listCookieInformation">The list cookie information.</param>
public ScriptObject(
string sOrigUrl,
string sPathToFile,
string sFileName,
string sFileExtension,
string sContentType,
HTTPMsg oRequestMsg,
List <string> listCookieInformation) : base(sOrigUrl, sPathToFile, sFileName, sFileExtension, sContentType, oRequestMsg, listCookieInformation)
{
this._jsParser = new Jint.Parser.JavaScriptParser(false);
this._jsProgram = null;
//this._jsEngine = new Jint.Engine();
//this.ParseScript();
}
public GeneratedObject(
string sOrigUrl,
string sPathToFile,
string sFileName,
string sFileExtension,
string sContentType,
HTTPMsg oRequestMsg,
List <string> listCookieInformation,
long lGeneratedObjectIndex) : base(sOrigUrl, sPathToFile, sFileName, sFileExtension, sContentType, oRequestMsg, listCookieInformation)
{
this._lGeneratedObjectIndex = lGeneratedObjectIndex;
this.FileName = "ad" + this._lGeneratedObjectIndex + ".js";
this.FileExtension = "js";
}
public override void Init(HTTPMsg message)
{
this._headerFields = message.HTTPHeader.Fields;
if (message.MessageType == MessageType.REQUEST)
{
var reqHeader = message.HTTPHeader as HttpRequestHeader;
var uri = reqHeader.RequestURI.Split('?');
this._requestUri = uri[0];
this._requestUriParameters = new Dictionary <string, List <string> >();
if (uri.Length == 2)
{
foreach (var p in uri[1].Split('&').Select(pair => pair.Split('=')))
{
if (!this._requestUriParameters.ContainsKey(p[0]))
{
this._requestUriParameters[p[0]] = new List <string>();
}
if (p.Length == 2)
{
this._requestUriParameters[p[0]].Add(p[1]);
}
}
}
}
if (message.HTTPContent == null)
{
return;
}
this._contentFields = new Dictionary <string, List <string> >(StringComparer.OrdinalIgnoreCase);
var encoder = this.GetEncoder(message.HTTPHeader.Fields["Content-Type"].First());
foreach (var pair in encoder.GetString(message.HTTPContent.Content).Split('&'))
{
var p = pair.Split('=');
if (p.Length < 2)
{
continue;
}
if (!this._contentFields.ContainsKey(p[0]))
{
this._contentFields.Add(p[0], new List <string>());
}
this._contentFields[p[0]].Add(p[1]);
}
}
public void HTTPTest_http_malyweb3()
{
var httpMessagePatterns = new[] //Messages - timestampes, HttpRequestHeader and HttpResponseHeader
{
new [] { "22.11.2013 14:52:17", "Accept: */*; \nReferer: http://www.fit.vutbr.cz/; \nAccept-Language: cs,en-US;q=0.7,en;q=0.3; \nUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; Avant Browser); \nAccept-Encoding: gzip, deflate; \nHost: www.fit.vutbr.cz; \nConnection: Keep-Alive; \n", "" },
new [] { "22.11.2013 14:52:23", "", "Date: Fri, 22 Nov 2013 14:52:24 GMT; \nServer: Apache; \nCache-Control: max-age=604800; \nExpires: Fri, 29 Nov 2013 14:52:24 GMT; \nLast-Modified: Fri, 29 Jun 2012 15:06:59 GMT; \nETag: \"7a1fd3-800c-4fedc493\"; \nAccept-Ranges: bytes; \nContent-Length: 32780; \nContent-Type: image/jpeg; \n" }
};
this.FrameworkController.ProcessCapture(this.PrepareCaptureForProcessing(SnoopersPcaps.Default.http_caps_malyweb3_pcapng));
var conversations = this.L7Conversations.ToArray();
this.FrameworkController.ExportData(this.SnoopersToUse, conversations, this.CurrentTestBaseDirectory, true);
SnooperExportHTTP exportedObjectsReference = null;
foreach (var exportedObjects in this.SnooperExports.ToArray()) //Get SnooperExportHTTP exported objects
{
if ((exportedObjectsReference = exportedObjects as SnooperExportHTTP) != null)
{
break;
}
}
Assert.IsNotNull(exportedObjectsReference);
var exportedObjectBases = exportedObjectsReference.ExportObjects.ToArray();
Assert.AreEqual(2, exportedObjectBases.Length); //Total number of exported objects should be 2
var httpObjects = exportedObjectBases.Where(i => i is SnooperExportedDataObjectHTTP).Cast <SnooperExportedDataObjectHTTP>().OrderBy(it => it.TimeStamp).ToArray();
HTTPMsg[] messages = new HTTPMsg[httpObjects.Length];
int j = 0;
foreach (SnooperExportedDataObjectHTTP o in httpObjects)
{
messages[j] = o.Message;
j++;
}
Assert.AreEqual(2, messages.Length);
Assert.AreEqual(httpMessagePatterns.Length, messages.Length); //Both arrays should have same length
for (var i = 0; i < messages.Length; i++)
{
Assert.AreEqual(messages[i].TimeStamp.ToString(new CultureInfo("cs-CZ", false)), httpMessagePatterns[i][0]);
Assert.AreEqual(messages[i].HttpRequestHeader.ToString(), httpMessagePatterns[i][1]);
Assert.AreEqual(messages[i].HttpResponseHeader.ToString(), httpMessagePatterns[i][2]);
}
}
/// <summary>
/// Parse,validate HTTP object and create archive objects from HTTP object.
/// </summary>
/// <param name="oResponseHeader">The response header of HTTP Message.</param>
/// <param name="oRequestHTTPMsg">The request HTTP Message.</param>
private void ParseAndCreateArchiveObject(HttpResponseHeader oResponseHeader, HTTPMsg oRequestHTTPMsg)
{
var oArchiveObject = ObjectParser.CreateDataObject(oResponseHeader, oRequestHTTPMsg);
if (oArchiveObject == null)
{
return;
}
if (oArchiveObject is ParentObject)
{
this._listOfArchives.Add(new Archive((ParentObject)oArchiveObject, this.ExportBaseDirectory));
}
else
{
this._oContainer.AddObject(oArchiveObject);
}
}
/// <summary>
/// Creates Facebook status by parsing content of HTTP message.
/// </summary>
/// <param name="msg">Content of HTTP message.</param>
/// <param name="exportObject">For referencing FacebookSnooperExport from Facebook object.</param>
/// <returns>Parsed comment from HTTP content.</returns>
private static FacebookStatus GetFacebookStatus(HTTPMsg msg, SnooperExportBase exportObject)
{
var httpContent = msg.HTTPContent.Content;
var strippedContent = Encoding.Default.GetString(httpContent);
// parses urlencoded data
var parsedUrl = HttpUtility.ParseQueryString(strippedContent);
var status = new FacebookStatus(exportObject)
{
FacebookStatusTimestamp = parsedUrl["ttstamp"],
SenderId = parsedUrl["__user"],
TargetId = parsedUrl["xhpc_targetid"],
StatusText = parsedUrl["xhpc_message_text"]
};
return(status);
}
public void GetFileHash(Guid investigationId, SnooperHTTPFileDTO image, string appPath)
{
using (var uow = this.UnitOfWorkProvider.Create(investigationId))
{
var query = (IQueryable <PmFrameBase>)uow.DbContext.Set <PmFrameBase>();
var frames = query.Where(i => image.FrameGuids.Contains(i.Id)).OrderBy(e => e.FirstSeen).ToList();
foreach (var f in frames)
{
f.PmCapture.FileInfo = new FileInfo(Path.Combine(appPath + NetfoxWebSettings.Default.InvestigationsFolder + NetfoxWebSettings.Default.InvestigationPrefix + investigationId + "/Sources/Captures", f.PmCapture.RelativeFilePath));
}
var prepare = image.TimeStamp.Ticks + string.Join(" ", frames) + image.StatusLine;
image.Path = "Exports/HTTP/" + HTTPMsg.GetMD5Hash(prepare);
}
}
/// <summary>
/// Initializes a new instance of the <see cref="ParentObject"/> class.
/// </summary>
/// <param name="sOrigUrl">The original URL.</param>
/// <param name="sPathToFile">The path to file.</param>
/// <param name="sFileName">Name of the file.</param>
/// <param name="sFileExtension">The file extension.</param>
/// <param name="sContentType">Type of the content.</param>
/// <param name="oRequestMsg">The request message.</param>
/// <param name="listCookieInformation">The list cookie information.</param>
/// <param name="sCharSet">The character set.</param>
public ParentObject(
string sOrigUrl,
string sPathToFile,
string sFileName,
string sFileExtension,
string sContentType,
HTTPMsg oRequestMsg,
List <string> listCookieInformation,
string sCharSet) : base(sOrigUrl, sPathToFile, sFileName, sFileExtension, sContentType, oRequestMsg, listCookieInformation)
{
this._sCharSet = sCharSet;
var regMatch = Regex.Match(this.StringContent, @"<title>(.*)</title>");
if (regMatch.Success)
{
this._sTitle = regMatch.Groups[1].ToString();
}
}
public override void Init(HTTPMsg message)
{
this._headerFields = message.HTTPHeader.Fields;
if (message.MessageType == MessageType.REQUEST)
{
var reqHeader = message.HTTPHeader as HttpRequestHeader;
var uri = reqHeader.RequestURI.Split('?');
this._requestUri = uri[0];
this._requestUriParameters = new Dictionary <string, List <string> >();
if (uri.Length == 2)
{
foreach (var p in uri[1].Split('&').Select(pair => pair.Split('=')))
{
if (!this._requestUriParameters.ContainsKey(p[0]))
{
this._requestUriParameters[p[0]] = new List <string>();
}
if (p.Length == 2)
{
this._requestUriParameters[p[0]].Add(p[1]);
}
}
}
}
if (message.HTTPContent == null)
{
return;
}
var decodedBytes = Convert.FromBase64String(message.HTTPContent.ToString());
this.Items = new List <FRPCparser.IFRPCItem>();
if (!FRPCparser.Parse(decodedBytes, out this.Items))
{
return;
}
}
/// <summary>
/// Creates object which represents sent private message from application/x-www-form-urlencoded serialization type
/// </summary>
/// <param name="httpMessage">Original HTTP message from HTTP snooper</param>
/// <param name="exportObject">For referencing XChatSnooperExport from XChat object</param>
/// <returns>Instance of Xchat sent message</returns>
private static XChatPrivateMessage GetXChatPrivateSentMessage(HTTPMsg httpMessage, SnooperExportBase exportObject)
{
var strippedContent = Encoding.GetEncoding("ISO-8859-2").GetString(httpMessage.HTTPContent.Content); //Convert bytes to string in ISO-8859-2 encoding
var parsedUrl = HttpUtility.ParseQueryString(strippedContent, Encoding.GetEncoding("ISO-8859-2")); //Parse query from message body
var message = new XChatPrivateMessage(exportObject)
{
Time = httpMessage.TimeStamp.ToString("dd. MM. yyyy HH:mm:ss"),
Text = parsedUrl["message"],
Target = parsedUrl["to"],
Subject = parsedUrl["subject"]
};
//Getting sender nickname from Cookie in header:
var requestHeader = httpMessage.HTTPHeader as HttpRequestHeader;
List <string> values; //List which contains values from Cookie in HTTP request header
if (requestHeader.Fields.TryGetValue("Cookie", out values))
{
var sb = new StringBuilder();
foreach (var value in values)
{
sb.Append(value).Append("; ");
} //Concatenes values from Cookie in HTTP header
var regex = new Regex(@"[0-9]{8}=[0-9]{8}%3A([0-9a-zA-Z][a-zA-Z0-9\.-_]{2,19})"); //Regular expression for getting message sender nickname
var match = regex.Match(sb.ToString());
message.Source = match.Success ? match.Groups[1].ToString() : "";
}
else
{
message.Source = "";
}
return(message);
}
/// <summary>
/// Creates object which represents recieved private message from HTML document
/// </summary>
/// <param name="httpMessage">Original HTTP message</param>
/// <param name="html">Parsed HTML document</param>
/// <param name="exportObject">For referencing XChatSnooperExport from XChat object</param>
/// <returns>Instance of Xchat received message</returns>
private static XChatPrivateMessage GetXChatPrivateReceivedMessage(HTTPMsg httpMessage, HtmlDocument html, SnooperExportBase exportObject)
{
HtmlNode node;
var message = new XChatPrivateMessage(exportObject);
var form = html.DocumentNode.SelectSingleNode("//form[@name='readmsg']"); //Node that represents form with class readmsg
node = form.SelectSingleNode("//span[@class='offlinesm']/child::a[@title='profil uživatele']/strong"); //Position in document where sender nickname is located
message.Source = node?.InnerText;
node = form.SelectSingleNode("//table/descendant::table/tr[4]/td[2]"); //Position in document where receiver nickname is located
message.Target = node?.InnerText;
node = form.SelectSingleNode("//div[@class='boxudaje2']/div[@class='boxudaje3']/descendant::div"); //Position in document where message text is located
message.Text = node?.InnerText;
node = form.SelectSingleNode("//table/descendant::table/tr[2]/td[2]");
message.Subject = node?.InnerText;
message.Time = httpMessage.TimeStamp.ToString("dd. MM. yyyy HH:mm:ss");
return(message);
}
public override bool IsMsgWebmailEvent(HTTPMsg message, ref List <EventSuggest> detectedEvents, out SpotterBase spotter)
{
this.Init(message);
spotter = this.ContentSpotter;
if (this.ContentSpotter == null)
{
return(false);
}
if (this.ContentSpotter.ContainsKeyValuePair("cn", "Microsoft.Msn.Hotmail.Ui.Fpp.MailBox", SpotterBase.SpotterContext.ContentPair))
{
if (this.ContentSpotter.ContainsKeyValuePair("mn", "SendMessage_ec", SpotterBase.SpotterContext.ContentPair))
{
detectedEvents.Add(EventSuggest.MailNewMessage);
}
if (this.ContentSpotter.ContainsKeyValuePair("mn", "GetInboxData", SpotterBase.SpotterContext.ContentPair) &&
!detectedEvents.Contains(EventSuggest.MailNewMessage))
{
detectedEvents.Add(EventSuggest.MailListFolder);
}
// TODO other events
}
return(detectedEvents.Any());
}
/// <summary>
/// Creates the MAFF object method.
/// </summary>
/// <param name="oResponseHeader">The message response header.</param>
/// <param name="oRequestMsg">The request message.</param>
/// <returns></returns>
public static BaseObject CreateDataObject(HttpResponseHeader oResponseHeader, HTTPMsg oRequestMsg)
{
var oRequestHeader = ((HttpRequestHeader)oRequestMsg.HTTPHeader);
var sOriginalUrl = oRequestHeader.RequestURI;
var sContentType = ObjectParser.ParseContentType(oResponseHeader);
var sCharSet = ObjectParser.ParseCharSet(oResponseHeader);
var sPathToFileName = ObjectParser.ParsePathToFileName(sOriginalUrl);
var sFileName = ObjectParser.ParseFileName(sPathToFileName);
var listCookiees = ObjectParser.ParseCookieInformation(oResponseHeader);
var bGeneratedObject = false;
var sFileExtension = string.Empty;
if (sFileName.Length != 0)
{
sFileExtension = ObjectParser.ParseFileExtension(sFileName);
//If it's Text object without extension, fill with GET uri request
if (ObjectParser.CheckIfTextObject(sContentType) && sFileExtension == string.Empty)
{
sPathToFileName = sOriginalUrl;
}
}
//Parse GetUrlRequest for Javasrcipt If isnt Root html object
else if (!sOriginalUrl.Equals("/"))
{
_generatedObjectIndex++;
bGeneratedObject = true;
}
if (sContentType.Contains("text/html") && !bGeneratedObject)
{
if (ObjectParser.CheckIsValidParentObject(oRequestMsg.PairMessages[0].HTTPContent.Content))
{
return(new ParentObject(sOriginalUrl, sPathToFileName, "index.html", "html", sContentType, oRequestMsg, listCookiees, sCharSet));
}
return(new TextObject(sOriginalUrl, sPathToFileName, sFileName, sFileExtension, sContentType, oRequestMsg, listCookiees));
}
if (bGeneratedObject)
{
//TODO IMPOSSIBLE TO PARSE??? FOR NOW -> Discard packet
return(ObjectParser.CheckIfScriptObject(sContentType) ?
new GeneratedObject(sOriginalUrl, sPathToFileName, sFileName, sFileExtension, sContentType, oRequestMsg, listCookiees, _generatedObjectIndex) : null);
}
if (ObjectParser.CheckIfScriptObject(sContentType))
{
return(new ScriptObject(sOriginalUrl, sPathToFileName, sFileName, sFileExtension, sContentType, oRequestMsg, listCookiees));
}
if (ObjectParser.CheckIfTextObject(sContentType))
{
return(new TextObject(sOriginalUrl, sPathToFileName, sFileName, sFileExtension, sContentType, oRequestMsg, listCookiees));
}
return(new BaseObject(sOriginalUrl, sPathToFileName, sFileName, sFileExtension, sContentType, oRequestMsg, listCookiees));
}
public override void Init(HTTPMsg message)
{
this._headerFields = message.HTTPHeader.Fields;
if (message.MessageType == MessageType.REQUEST)
{
var reqHeader = message.HTTPHeader as HttpRequestHeader;
var uri = reqHeader.RequestURI.Split('?');
this._requestUri = uri[0];
this._requestUriParameters = new Dictionary <string, List <string> >();
if (uri.Length == 2)
{
foreach (var p in uri[1].Split('&').Select(pair => pair.Split('=')))
{
if (!this._requestUriParameters.ContainsKey(p[0]))
{
this._requestUriParameters[p[0]] = new List <string>();
}
if (p.Length == 2)
{
this._requestUriParameters[p[0]].Add(p[1]);
}
}
}
}
// Clone message is needed for later use of another soptters for every part
this._clone = message.Clone();
this._clone.HTTPContent = this._clone.HTTPContent.Clone();
this._boundary = this.GetStringPart("boundary=", ";", message.HTTPHeader.Fields["Content-Type"].First());
var encoder = this.GetEncoder(message.HTTPHeader.Fields["Content-Type"].First());
this._content = encoder.GetString(message.HTTPContent.Content);
this._boundariesIndices = new List <Int32>();
// mark boundaries
var start = this._content.IndexOf(this._boundary, StringComparison.Ordinal);
start = this._content.IndexOf("\r\n", start, StringComparison.Ordinal) + 1;
this._boundariesIndices.Add(start);
do
{
var end = this._content.IndexOf(this._boundary, start, StringComparison.Ordinal);
if (end == -1)
{
break;
}
end = this._content.LastIndexOf("\r\n", end, StringComparison.Ordinal);
this._boundariesIndices.Add(end);
this._partCount++;
start = this._content.IndexOf(this._boundary, start, StringComparison.Ordinal);
if (end == -1)
{
break;
}
start = this._content.IndexOf("\r\n", start, StringComparison.Ordinal) + 1;
this._boundariesIndices.Add(start);
} while(true);
}
/// <summary> /// Initialize spotter with HTTP message. /// </summary> /// <param name="message">HTTP message which content should be watch.</param> public abstract void Init(HTTPMsg message);
/// <summary> /// Check if HTTP message is webmail event. /// </summary> /// <param name="message">HTTP message to check</param> /// <param name="detectedEvents">Webmail events found in message</param> /// <param name="spotter">Spotter used to handle message.</param> /// <returns></returns> public abstract bool IsMsgWebmailEvent(HTTPMsg message, ref List <EventSuggest> detectedEvents, out SpotterBase spotter);
protected override void ProcessConversation()
{
Console.WriteLine("SnooperHTTP.ProcessConversation() called");
// we need a stream to read from
var stream = this.CurrentConversation.Key.IsSet
? new PDUDecrypterBase(this.CurrentConversation, EfcPDUProviderType.Breaked)
: new PDUStreamBasedProvider(this.CurrentConversation, EfcPDUProviderType.Breaked);
// now we can create a reader that will be reading from the stream we just created
// encoding set to codepage 437 as extended ascii
var reader = new PDUStreamReader(stream, Encoding.GetEncoding(437));
// create export directory if it doesn't exist
if (!this.ExportBaseDirectory.Exists)
{
this.ExportBaseDirectory.Create();
}
HTTPMsg request = null;
// reader will spawn messages, cycle through them
do
{
this.OnBeforeProtocolParsing();
// parse protocol
var message = new HTTPMsg(reader, this.ExportBaseDirectory);
if (!message.Valid)
{
this.SnooperExport.TimeStampFirst = message.TimeStamp;
// parsing went wrong, we have to report it
this.SnooperExport.AddExportReport(
ExportReport.ReportLevel.Warn,
this.Name,
"parsing of HTTP message failed, frames: " + string.Join(",", message.Frames),
message.ExportSources);
Console.WriteLine("parsing of HTTP message failed, frame numbers: " + string.Join(",", message.Frames) + ": " + message.InvalidReason);
// skip processing, go to next message
continue;
}
// parsing done
this.OnAfterProtocolParsing();
// start processing and export
this.OnBeforeDataExporting();
SnooperExportedDataObjectHTTP exportedObject;
// process parsed structure
switch (message.MessageType)
{
case MessageType.REQUEST:
if (request != null)
{
/* export request with no response ?? */
exportedObject = new SnooperExportedDataObjectHTTP(this.SnooperExport)
{
TimeStamp = request.TimeStamp,
Message = request
};
exportedObject.ExportSources.AddRange(request.ExportSources);
this.SnooperExport.AddExportObject(exportedObject);
}
request = message;
break;
case MessageType.RESPONSE:
if (request != null)
{
message.PairMessages.Add(request);
}
request?.PairMessages.Add(message);
request = null;
/* always export with response message */
// export request
if (message.PairMessages.Any())
{
exportedObject = new SnooperExportedDataObjectHTTP(this.SnooperExport)
{
TimeStamp = message.PairMessages.First().TimeStamp,
Message = message.PairMessages.First()
};
exportedObject.ExportSources.AddRange(message.ExportSources);
this.SnooperExport.AddExportObject(exportedObject);
}
// export response
exportedObject = new SnooperExportedDataObjectHTTP(this.SnooperExport);
exportedObject.TimeStamp = message.TimeStamp;
exportedObject.Message = message;
exportedObject.ExportSources.AddRange(message.ExportSources);
this.SnooperExport.AddExportObject(exportedObject);
break;
}
this.OnAfterDataExporting();
//finalize processing of current message, moving to next one
// IMPORTANT !!! this has to be called after each message successfully processed
// so correct connections between exported data and exported reports can be kept
//base.ProcessingDone();
} while(reader.NewMessage());
// export last request if needed
if (request != null)
{
var exportedObject = new SnooperExportedDataObjectHTTP(this.SnooperExport)
{
TimeStamp = request.TimeStamp,
Message = request
};
exportedObject.ExportSources.AddRange(request.ExportSources);
this.SnooperExport.AddExportObject(exportedObject);
}
}
