# Psnuffle password sniffer add-on class for HTTP GET URL's
# part of psnuffle sniffer auxiliary module
#
# Very simple example how to write sniffer extensions
#

# Sniffer class for GET URL's
class SnifferURL < BaseProtocolParser
	def register_sigs
		self.sigs = {
			:get		=> /^GET\s+([^\n]+)\s+HTTP\/\d\.\d/i,
			:webhost	=> /^HOST\:\s+([^\n\r]+)/i,
		}
	end

	def parse(pkt)
		# We want to return immediantly if	we do not have a packet which is handled by us
		return if not pkt[:tcp]
		return if (pkt[:tcp].dst_port != 80)
		s = find_session((pkt[:tcp].dst_port == 80) ? get_session_dst(pkt) : get_session_src(pkt))

		self.sigs.each_key do |k|

			# There is only one pattern per run to test
			matched = nil
			matches = nil

			if(pkt[:tcp].payload_data =~ self.sigs[k])
				matched = k
				matches = $1
				sessions[s[:session]].merge!({k => matches})
			end

			case matched
			when :webhost
				sessions[s[:session]].merge!({k => matches})
				if(s[:get])
					print_status("HTTP GET: #{s[:session]} http://#{s[:webhost]}#{s[:get]}")
					sessions.delete(s[:session])
					return
				end
			when nil
				# No matches, no saved state
			end # end case matched
		end # end of each_key
	end # end of parse
end # end of URL sniffer