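# quick and dirty finger logger
# mudge@l0pht.com
#
# This filter serves two purposes: to record the commands clients send
# to your finger servers, and to serve as an example in the LISA paper.
#
# Each recorded row holds the time, the connection hash, the client
# address, the server address and the command line as received. The
# command text is network data supplied by the client and is recorded
# unmodified apart from the trailing CR/LF, so consumers of the list
# must treat it as untrusted input.
#
# schema would be automatically generated by a "wizard"
finger_schema = library_schema:new( 1, ["time", "int", "ip", "ip", "str"], scope());
#finger_schema = [ 1, 1, 1, 6, 6, 2 ];

# list of finger servers to watch. List IP addresses of servers or a netmask
# that matches all. use 0.0.0.0:0.0.0.0 to match any server
my_finger_servers = [ 0.0.0.0:0.0.0.0 ] ;

# gather data the client sends to a finger server. This will only see
# finger servers on port 79.
filter finger tcp ( client, dport: 79 )
{
    if (! ( tcp.connDst inside my_finger_servers) )
        return;

    # $blob is kept per connection (tcp.connSym) and accumulates client
    # bytes across packets until at least one complete line is present
    declare $blob inside tcp.connSym;
    if ($blob == null)
        $blob = tcp.blob;
    else
        $blob = cat ( $blob, tcp.blob );

    while (1 == 1)
    {
        $x = index( $blob, "\n" );
        if ($x < 0)        # break loop if no complete line yet
            break;

        # look for cr at end of line. An empty line (newline at offset 0)
        # has no preceding byte, so never read substr at offset -1
        if ($x > 0)
            $t = substr($blob, $x-1, 1);
        else
            $t = "";
        if ($t == '\r')
            $t = substr($blob, 0, $x-1);   # tear off line, dropping the CR
        else
            $t = substr($blob, 0, $x);

        # save the time, the connection hash, the client,
        # the server, and the command to a list
        record system.time, tcp.connHash, tcp.connSrc, tcp.connDst, $t
            to fingerservers_list;

        # keep the remainder of the blob for the next pass
        $blob = substr($blob, $x + 1);
    }

    # keep us from getting flooded if there is no newline in the data:
    # a partial line longer than 4096 bytes is discarded instead of being
    # carried across packets, so such data is never recorded
    if (strlen($blob) > 4096)
        $blob = "";
    # save the blob for next pass
}

fingerservers_list = recorder ("bin/list packages/test/finger.cfg", "finger_schema" );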