sethhall

module Notepad;

import spicy;

# Count the number of invalid checksums in the file to report how many were invalid.
global invalid_checksums: uint64 = 0;

# This doesn't support 128bit values... only 64bit. :(
type uLEB128 = unit {
    var xresult: uint64 = 0;

sethhall

// Thanks to AbdulRhman Alfaifi's blog post that describes the format!
// https://u0041.co/posts/articals/exploring-windows-artifacts-notepad-files/

import type.leb128;
import type.time;
import type.magic;
import std.time;

using uLEB128 = type::uLEB128;

sethhall

module STL;
import spicy;

%byte-order = spicy::ByteOrder::Little;

public type File = unit {
    header       : bytes &size=80;
    total_facets : uint32;
    facets       : Facet[self.total_facets];
};

sethhall

## This is Johanna Amann's prototype code that is updated to work with 
## Spicy edge as of 7/2/2024.

module internet;

import spicy;

type DataLinkType = enum {
  DLT_NULL = 0, #  BSD loopback encapsulation
  DLT_EN10MB = 1, #  Ethernet (10Mb)

sethhall

module JSON;

import spicy;

# This supports jsonc (json with comments)
%skip = /[ \t\r\n]*(\/\/[^\n]*)*[ \t\r\n]*/;

public type File = unit {
    values: JSONValue[];
};

sethhall

{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "$id": "https://corelight.com/software-sensor.schema.json",
  "title": "Corelight Logs",
  "description": "Definition of all of the potential logs for this installation",
  "definitions": {
    "time": {"type": "string", "pattern": "[0-9]{4}-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-5][0-9]:[0-5][0-9]\\.?[0-9]{0,6}Z"},
    "port": {"type": "integer", "minimum": 0, "maximum": 65535},
    "count": {"type": "integer", "minimum": 0, "maximum": 18446744073709551615},
    "int": {"type": "integer", "minimum": -9223372036854775807, "maximum": 9223372036854775807},

sethhall

##! Add Business Unit to all logs with an "id" field.

module BusinessUnit;

export {
        option BusinessUnit::networks: table[subnet] of string = set();
}

redef record conn_id += {
        ## The business unit seen as the connection originator.

sethhall

function next_interval(i: interval): interval
    {
    local now = current_time();
    local ii = double_to_count(interval_to_double(i));
    local sofar = double_to_count(time_to_double(now)) % ii;
    local togo = ii - sofar;
    local dur = double_to_interval(togo);
    return dur;
    }

sethhall

const stdout = open("/dev/stdout") &raw_output;

const WIDTH = 80;
const HEIGHT = 25;

const characters = vector(" ", ".", ":", "-", "#", "o", "*", ">");#, ")", #, "|", "&", "I", "H", "%", "*", "#");
function CalculateRow(y: double, factor: double, shiftRight: double)
	{
	local output: vector of string = vector();
	local XCenter = -0.45;

sethhall

redef record HTTP::Info += {
	potential_fname: string &optional;
};

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string) &priority=5
	{
	# Get rid of uri arguments
	local path = split_string(c$http$uri, /\?/)[0];