file: update logger API to log direction

By adding the flow direction to the logger we can have accurate
logging of fileinfo events that have source and destination IP
correctly set.
pull/3352/head
Eric Leblond 8 years ago committed by Victor Julien
parent 2515c8927b
commit 1012fc4466

@ -325,7 +325,8 @@ static void LogFileWriteJsonRecord(LogFileLogThread *aft, const Packet *p, const
SCMutexUnlock(&aft->file_ctx->fp_mutex);
}
static int LogFileLogger(ThreadVars *tv, void *thread_data, const Packet *p, const File *ff)
static int LogFileLogger(ThreadVars *tv, void *thread_data, const Packet *p,
const File *ff, uint8_t dir)
{
SCEnter();
LogFileLogThread *aft = (LogFileLogThread *)thread_data;
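Review bot: LogFileLogger now receives `dir`, but nothing in this hunk forwards it, and the hunk header shows LogFileWriteJsonRecord's signature unchanged, so if that writer builds its own fileinfo record the direction is dropped in this output while output-json-file.c threads it through. If leaving this logger direction-agnostic is intended, make it explicit with `(void)dir; /* direction not recorded by this output */`; otherwise pass it on to the record writer. LogFileLogger's body continues outside the hunk, so the parameter may be consumed further down.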

@ -392,7 +392,7 @@ static void LogFilestoreFinalizeFiles(const File *ff) {
}
static int LogFilestoreLogger(ThreadVars *tv, void *thread_data, const Packet *p,
File *ff, const uint8_t *data, uint32_t data_len, uint8_t flags)
File *ff, const uint8_t *data, uint32_t data_len, uint8_t flags, uint8_t dir)
{
SCEnter();
LogFilestoreLogThread *aft = (LogFilestoreLogThread *)thread_data;

@ -94,7 +94,8 @@ int OutputRegisterFileLogger(LoggerId id, const char *name, FileLogger LogFunc,
static void OutputFileLogFfc(ThreadVars *tv,
OutputLoggerThreadData *op_thread_data,
Packet *p,
FileContainer *ffc, const bool file_close, const bool file_trunc)
FileContainer *ffc, const bool file_close, const bool file_trunc,
uint8_t dir)
{
SCLogDebug("ffc %p", ffc);
if (ffc != NULL) {
@ -127,7 +128,7 @@ static void OutputFileLogFfc(ThreadVars *tv,
SCLogDebug("logger %p", logger);
PACKET_PROFILING_LOGGER_START(p, logger->logger_id);
logger->LogFunc(tv, store->thread_data, (const Packet *)p, (const File *)ff);
logger->LogFunc(tv, store->thread_data, (const Packet *)p, (const File *)ff, dir);
PACKET_PROFILING_LOGGER_END(p, logger->logger_id);
file_logged = true;
@ -176,8 +177,8 @@ static TmEcode OutputFileLog(ThreadVars *tv, Packet *p, void *thread_data)
FileContainer *ffc_tc = AppLayerParserGetFiles(p->proto, f->alproto,
f->alstate, STREAM_TOCLIENT);
OutputFileLogFfc(tv, op_thread_data, p, ffc_ts, file_close_ts, file_trunc);
OutputFileLogFfc(tv, op_thread_data, p, ffc_tc, file_close_tc, file_trunc);
OutputFileLogFfc(tv, op_thread_data, p, ffc_ts, file_close_ts, file_trunc, STREAM_TOSERVER);
OutputFileLogFfc(tv, op_thread_data, p, ffc_tc, file_close_tc, file_trunc, STREAM_TOCLIENT);
return TM_ECODE_OK;
}

@ -30,7 +30,8 @@
#include "util-file.h"
/** packet logger function pointer type */
typedef int (*FileLogger)(ThreadVars *, void *thread_data, const Packet *, const File *);
typedef int (*FileLogger)(ThreadVars *, void *thread_data, const Packet *,
const File *, uint8_t direction);
/** packet logger condition function pointer type,
* must return true for packets that should be logged
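Review bot: The new `direction` parameter of the FileLogger typedef is undocumented, and the comment above it still reads "packet logger" although this is the file logger type. Suggest `/** file logger function pointer type; direction is STREAM_TOSERVER or STREAM_TOCLIENT as passed by OutputFileLog */`. The same applies to FiledataLogger in output-filedata.h, where the added `uint8_t dir` and `thread_data` are the only named parameters in the prototype — either name them all or none, and use one spelling (`dir` or `direction`) across both typedefs.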

@ -99,7 +99,7 @@ SC_ATOMIC_DECLARE(unsigned int, g_file_store_id);
static int CallLoggers(ThreadVars *tv, OutputLoggerThreadStore *store_list,
Packet *p, File *ff,
const uint8_t *data, uint32_t data_len, uint8_t flags)
const uint8_t *data, uint32_t data_len, uint8_t flags, uint8_t dir)
{
OutputFiledataLogger *logger = list;
OutputLoggerThreadStore *store = store_list;
@ -110,7 +110,7 @@ static int CallLoggers(ThreadVars *tv, OutputLoggerThreadStore *store_list,
SCLogDebug("logger %p", logger);
PACKET_PROFILING_LOGGER_START(p, logger->logger_id);
logger->LogFunc(tv, store->thread_data, (const Packet *)p, ff, data, data_len, flags);
logger->LogFunc(tv, store->thread_data, (const Packet *)p, ff, data, data_len, flags, dir);
PACKET_PROFILING_LOGGER_END(p, logger->logger_id);
file_logged = 1;
@ -126,7 +126,7 @@ static int CallLoggers(ThreadVars *tv, OutputLoggerThreadStore *store_list,
static void OutputFiledataLogFfc(ThreadVars *tv, OutputLoggerThreadStore *store,
Packet *p, FileContainer *ffc, const uint8_t call_flags,
const bool file_close, const bool file_trunc)
const bool file_close, const bool file_trunc, const uint8_t dir)
{
if (ffc != NULL) {
File *ff;
@ -155,7 +155,7 @@ static void OutputFiledataLogFfc(ThreadVars *tv, OutputLoggerThreadStore *store,
if (ff->state < FILE_STATE_CLOSED) {
FileCloseFilePtr(ff, NULL, 0, FILE_TRUNCATED);
}
CallLoggers(tv, store, p, ff, NULL, 0, OUTPUT_FILEDATA_FLAG_CLOSE);
CallLoggers(tv, store, p, ff, NULL, 0, OUTPUT_FILEDATA_FLAG_CLOSE, dir);
ff->flags |= FILE_STORED;
continue;
}
@ -189,7 +189,7 @@ static void OutputFiledataLogFfc(ThreadVars *tv, OutputLoggerThreadStore *store,
&data, &data_len,
ff->content_stored);
const int file_logged = CallLoggers(tv, store, p, ff, data, data_len, file_flags);
const int file_logged = CallLoggers(tv, store, p, ff, data, data_len, file_flags, dir);
if (file_logged) {
ff->content_stored += data_len;
@ -233,9 +233,9 @@ static TmEcode OutputFiledataLog(ThreadVars *tv, Packet *p, void *thread_data)
FileContainer *ffc_tc = AppLayerParserGetFiles(p->proto, f->alproto,
f->alstate, STREAM_TOCLIENT);
SCLogDebug("ffc_ts %p", ffc_ts);
OutputFiledataLogFfc(tv, store, p, ffc_ts, STREAM_TOSERVER, file_close_ts, file_trunc);
OutputFiledataLogFfc(tv, store, p, ffc_ts, STREAM_TOSERVER, file_close_ts, file_trunc, STREAM_TOSERVER);
SCLogDebug("ffc_tc %p", ffc_tc);
OutputFiledataLogFfc(tv, store, p, ffc_tc, STREAM_TOCLIENT, file_close_tc, file_trunc);
OutputFiledataLogFfc(tv, store, p, ffc_tc, STREAM_TOCLIENT, file_close_tc, file_trunc, STREAM_TOCLIENT);
return TM_ECODE_OK;
}
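Review bot: `dir` duplicates `call_flags` as far as the visible callers go: both OutputFiledataLogFfc calls at the end of this section pass the same STREAM_TOSERVER / STREAM_TOCLIENT value for both arguments. If `call_flags` is only ever the stream direction, the new parameter is redundant and the two CallLoggers sites could forward `call_flags` instead; if the two can legitimately differ, a comment at the OutputFiledataLogFfc signature saying what distinguishes them would stop the next reader from collapsing them. OutputFiledataLogFfc's body continues outside the hunks shown.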

@ -34,7 +34,7 @@
/** filedata logger function pointer type */
typedef int (*FiledataLogger)(ThreadVars *, void *thread_data, const Packet *,
File *, const uint8_t *, uint32_t, uint8_t);
File *, const uint8_t *, uint32_t, uint8_t, uint8_t dir);
/** packet logger condition function pointer type,
* must return true for packets that should be logged

@ -121,7 +121,7 @@ static void OutputFilestoreUpdateFileTime(const char *src_filename,
static void OutputFilestoreFinalizeFiles(ThreadVars *tv,
const OutputFilestoreLogThread *oft, const OutputFilestoreCtx *ctx,
const Packet *p, File *ff) {
const Packet *p, File *ff, uint8_t dir) {
/* Stringify the SHA256 which will be used in the final
* filename. */
char sha256string[(SHA256_LENGTH * 2) + 1];
@ -162,7 +162,7 @@ static void OutputFilestoreFinalizeFiles(ThreadVars *tv,
snprintf(js_metadata_filename, sizeof(js_metadata_filename),
"%s.%"PRIuMAX".%u.json", final_filename,
(uintmax_t)p->ts.tv_sec, ff->file_store_id);
json_t *js_fileinfo = JsonBuildFileInfoRecord(p, ff, true);
json_t *js_fileinfo = JsonBuildFileInfoRecord(p, ff, true, dir);
if (likely(js_fileinfo != NULL)) {
json_dump_file(js_fileinfo, js_metadata_filename, 0);
json_decref(js_fileinfo);
@ -173,7 +173,7 @@ static void OutputFilestoreFinalizeFiles(ThreadVars *tv,
static int OutputFilestoreLogger(ThreadVars *tv, void *thread_data,
const Packet *p, File *ff, const uint8_t *data, uint32_t data_len,
uint8_t flags)
uint8_t flags, uint8_t dir)
{
SCEnter();
OutputFilestoreLogThread *aft = (OutputFilestoreLogThread *)thread_data;
@ -255,7 +255,7 @@ static int OutputFilestoreLogger(ThreadVars *tv, void *thread_data,
ff->fd = -1;
SC_ATOMIC_SUB(filestore_open_file_cnt, 1);
}
OutputFilestoreFinalizeFiles(tv, aft, ctx, p, ff);
OutputFilestoreFinalizeFiles(tv, aft, ctx, p, ff, dir);
}
return 0;

@ -50,6 +50,7 @@
#include "util-time.h"
#include "util-buffer.h"
#include "util-byte.h"
#include "util-validate.h"
#include "log-file.h"
#include "util-logopenfile.h"
@ -80,10 +81,24 @@ typedef struct JsonFileLogThread_ {
} JsonFileLogThread;
json_t *JsonBuildFileInfoRecord(const Packet *p, const File *ff,
const bool stored)
const bool stored, uint8_t dir)
{
json_t *js = CreateJSONHeader(p, LOG_DIR_PACKET, "fileinfo");
json_t *hjs = NULL;
enum OutputJsonLogDirection fdir = LOG_DIR_FLOW;
switch(dir) {
case STREAM_TOCLIENT:
fdir = LOG_DIR_FLOW_TOCLIENT;
break;
case STREAM_TOSERVER:
fdir = LOG_DIR_FLOW_TOSERVER;
break;
default:
DEBUG_VALIDATE_BUG_ON(1);
break;
}
json_t *js = CreateJSONHeader(p, fdir, "fileinfo");
if (unlikely(js == NULL))
return NULL;
@ -200,10 +215,11 @@ json_t *JsonBuildFileInfoRecord(const Packet *p, const File *ff,
* \internal
* \brief Write meta data on a single line json record
*/
static void FileWriteJsonRecord(JsonFileLogThread *aft, const Packet *p, const File *ff)
static void FileWriteJsonRecord(JsonFileLogThread *aft, const Packet *p,
const File *ff, uint32_t dir)
{
json_t *js = JsonBuildFileInfoRecord(p, ff,
ff->flags & FILE_STORED ? true : false);
ff->flags & FILE_STORED ? true : false, dir);
if (unlikely(js == NULL)) {
return;
}
@ -213,7 +229,8 @@ static void FileWriteJsonRecord(JsonFileLogThread *aft, const Packet *p, const F
json_decref(js);
}
static int JsonFileLogger(ThreadVars *tv, void *thread_data, const Packet *p, const File *ff)
static int JsonFileLogger(ThreadVars *tv, void *thread_data, const Packet *p,
const File *ff, uint8_t dir)
{
SCEnter();
JsonFileLogThread *aft = (JsonFileLogThread *)thread_data;
@ -222,7 +239,7 @@ static int JsonFileLogger(ThreadVars *tv, void *thread_data, const Packet *p, co
SCLogDebug("ff %p", ff);
FileWriteJsonRecord(aft, p, ff);
FileWriteJsonRecord(aft, p, ff, dir);
return 0;
}
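Review bot: FileWriteJsonRecord declares the new parameter as `uint32_t dir` while JsonFileLogger, JsonBuildFileInfoRecord and every other logger in this commit use `uint8_t`; the value is widened on the way in and silently narrowed again when handed to JsonBuildFileInfoRecord. Change the signature to `const File *ff, uint8_t dir)` for consistency and to keep -Wconversion quiet. JsonBuildFileInfoRecord's header comment should also state that the `default:` branch only fires DEBUG_VALIDATE_BUG_ON — which, judging by the name, is a debug-only check — and otherwise falls back to LOG_DIR_FLOW, so a caller passing anything other than STREAM_TOSERVER/STREAM_TOCLIENT gets the pre-change addressing in release builds rather than an error.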

@ -28,7 +28,7 @@ void JsonFileLogRegister(void);
#ifdef HAVE_LIBJANSSON
json_t *JsonBuildFileInfoRecord(const Packet *p, const File *ff,
const bool stored);
const bool stored, uint8_t dir);
#endif
#endif /* __OUTPUT_JSON_FILE_H__ */

@ -399,7 +399,23 @@ void JsonFiveTuple(const Packet *p, enum OutputJsonLogDirection dir, json_t *js)
dstip[0] = '\0';
switch (dir) {
case LOG_DIR_PACKET:
if (PKT_IS_IPV4(p)) {
PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p),
srcip, sizeof(srcip));
PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p),
dstip, sizeof(dstip));
} else if (PKT_IS_IPV6(p)) {
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p),
srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p),
dstip, sizeof(dstip));
}
sp = p->sp;
dp = p->dp;
break;
case LOG_DIR_FLOW:
case LOG_DIR_FLOW_TOSERVER:
if ((PKT_IS_TOSERVER(p))) {
if (PKT_IS_IPV4(p)) {
PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p),
@ -430,20 +446,36 @@ void JsonFiveTuple(const Packet *p, enum OutputJsonLogDirection dir, json_t *js)
dp = p->sp;
}
break;
case LOG_DIR_PACKET:
if (PKT_IS_IPV4(p)) {
PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p),
srcip, sizeof(srcip));
PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p),
dstip, sizeof(dstip));
} else if (PKT_IS_IPV6(p)) {
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p),
srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p),
dstip, sizeof(dstip));
case LOG_DIR_FLOW_TOCLIENT:
if ((PKT_IS_TOCLIENT(p))) {
if (PKT_IS_IPV4(p)) {
PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p),
srcip, sizeof(srcip));
PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p),
dstip, sizeof(dstip));
} else if (PKT_IS_IPV6(p)) {
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p),
srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p),
dstip, sizeof(dstip));
}
sp = p->sp;
dp = p->dp;
} else {
if (PKT_IS_IPV4(p)) {
PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p),
srcip, sizeof(srcip));
PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p),
dstip, sizeof(dstip));
} else if (PKT_IS_IPV6(p)) {
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p),
srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p),
dstip, sizeof(dstip));
}
sp = p->dp;
dp = p->sp;
}
sp = p->sp;
dp = p->dp;
break;
default:
DEBUG_VALIDATE_BUG_ON(1);

@ -36,6 +36,8 @@ void OutputJsonRegister(void);
enum OutputJsonLogDirection {
LOG_DIR_PACKET = 0,
LOG_DIR_FLOW,
LOG_DIR_FLOW_TOCLIENT,
LOG_DIR_FLOW_TOSERVER,
};
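Review bot: The two new enum members are added without a comment, and the meaning of the existing LOG_DIR_FLOW shifts with this commit: in JsonFiveTuple it now shares a case body with LOG_DIR_FLOW_TOSERVER. Suggest documenting each member inline, e.g. `LOG_DIR_FLOW_TOCLIENT, /**< addresses/ports from the to-client view: logged src is the server */` and `LOG_DIR_FLOW_TOSERVER, /**< addresses/ports from the to-server view: logged src is the client */`, plus a note on LOG_DIR_FLOW that it is handled identically to TOSERVER. The TOCLIENT reading follows from the swap in JsonFiveTuple's new case; the TOSERVER one is by symmetry, since that case body is partly outside the hunk.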
/* helper struct for OutputJSONMemBufferCallback */

@ -307,7 +307,7 @@ static int LuaPacketCondition(ThreadVars *tv, const Packet *p)
*
* NOTE p->flow is locked at this point
*/
static int LuaFileLogger(ThreadVars *tv, void *thread_data, const Packet *p, const File *ff)
static int LuaFileLogger(ThreadVars *tv, void *thread_data, const Packet *p, const File *ff, uint8_t dir)
{
SCEnter();
LogLuaThreadCtx *td = (LogLuaThreadCtx *)thread_data;
