aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

eve/ftp: Refactor and reduce logging functions

Browse Source
pull/4046/head
Jeff Lucovsky 6 years ago committed by Victor Julien
parent 911d423a6b
commit 9cf4e2e432
1 changed files with 82 additions and 53 deletions
Show Stats Download Patch File Download Diff File

135
src/output-json-ftp.c
Unescape Escape View File

@ -61,82 +61,111 @@ typedef struct LogFTPLogThread_ {
MemBuffer *buffer; MemBuffer *buffer;
} LogFTPLogThread; } LogFTPLogThread;
static void JsonFTPLogJSON(json_t *tjs, Flow *f, FTPTransaction *tx) static json_t *JsonFTPLogCommand(Flow *f, FTPTransaction *tx)
{ {
json_t *cjs = NULL; json_t *cjs = json_object();
if (f->alproto == ALPROTO_FTPDATA) { if (!cjs) {
cjs = JsonFTPDataAddMetadata(f); return cjs;
} else { }
cjs = json_object();
if (cjs) { /* Preallocate array objects to simplify failure case */
json_object_set_new(cjs, "command", json_t *js_resplist;
json_string(tx->command_descriptor->command_name_upper)); json_t *js_respcode_list;
uint32_t min_length = tx->command_descriptor->command_length + 1; /* command + space */ if (!TAILQ_EMPTY(&tx->response_list)) {
if (tx->request_length > min_length) { js_resplist = json_array();
json_object_set_new(cjs, "command_data", js_respcode_list = json_array();
JsonAddStringN((const char *)tx->request + min_length,
tx->request_length - min_length)); if (unlikely(js_resplist == NULL || js_respcode_list == NULL)) {
if (js_resplist) {
json_decref(js_resplist);
} else { } else {
json_object_set_new(cjs, "command_data", json_string(NULL)); json_decref(js_respcode_list);
} }
if (!TAILQ_EMPTY(&tx->response_list)) { return cjs;
json_t *js_resplist = json_array(); }
if (likely(js_resplist != NULL)) { }
FTPString *response;
json_t *resp_code = NULL; json_object_set_new(cjs, "command",
TAILQ_FOREACH(response, &tx->response_list, next) { json_string(tx->command_descriptor->command_name_upper));
if (!resp_code && response->len >= 3) { uint32_t min_length = tx->command_descriptor->command_length + 1; /* command + space */
/* the first completion codes with multiple response lines is definitive */ if (tx->request_length > min_length) {
resp_code = JsonAddStringN((const char *)response->str, 3); json_object_set_new(cjs, "command_data",
} JsonAddStringN((const char *)tx->request + min_length,
/* move past 3 character completion code */ tx->request_length - min_length));
if (response->len > 4) { } else {
json_array_append_new(js_resplist, json_object_set_new(cjs, "command_data", json_string(NULL));
JsonAddStringN((const char *)response->str + 4, }
response->len - 4));
} if (!TAILQ_EMPTY(&tx->response_list)) {
} FTPString *response;
TAILQ_FOREACH(response, &tx->response_list, next) {
json_object_set_new(cjs, "reply", js_resplist); int offset = 0;
/* Try to find a completion code if we haven't seen one */
if (resp_code) { if (response->len >= 3) {
json_object_set_new(cjs, "completion_code", resp_code); /* Gather the completion code if present */
} if (isdigit(response->str[0]) && isdigit(response->str[1]) && isdigit(response->str[2])) {
json_array_append_new(js_respcode_list,
JsonAddStringN((const char *)response->str , 3));
offset = 4;
} }
} }
if (tx->dyn_port) { /* move past 3 character completion code */
json_object_set_new(cjs, "dynamic_port", json_integer(tx->dyn_port)); if (response->len >= offset) {
} json_array_append_new(js_resplist,
if (tx->command_descriptor->command == FTP_COMMAND_PORT || JsonAddStringN((const char *)response->str + offset,
tx->command_descriptor->command == FTP_COMMAND_EPRT) { response->len - offset));
json_object_set_new(cjs, "mode",
json_string((char*)(tx->active ? "active" : "passive")));
} }
json_object_set_new(cjs, "reply_received",
json_string((char*)(tx->done ? "yes" : "no")));
} }
json_object_set_new(cjs, "reply", js_resplist);
json_object_set_new(cjs, "completion_code", js_respcode_list);
}
if (tx->dyn_port) {
json_object_set_new(cjs, "dynamic_port", json_integer(tx->dyn_port));
} }
if (cjs) { if (tx->command_descriptor->command == FTP_COMMAND_PORT ||
json_object_set_new(tjs, f->alproto == ALPROTO_FTP ? "ftp" : "ftp_data", cjs); tx->command_descriptor->command == FTP_COMMAND_EPRT) {
json_object_set_new(cjs, "mode",
json_string((char*)(tx->active ? "active" : "passive")));
} }
json_object_set_new(cjs, "reply_received",
json_string((char*)(tx->done ? "yes" : "no")));
return cjs;
} }
static int JsonFTPLogger(ThreadVars *tv, void *thread_data, static int JsonFTPLogger(ThreadVars *tv, void *thread_data,
const Packet *p, Flow *f, void *state, void *vtx, uint64_t tx_id) const Packet *p, Flow *f, void *state, void *vtx, uint64_t tx_id)
{ {
SCEnter(); SCEnter();
const char *event_type;
if (f->alproto == ALPROTO_FTPDATA) {
event_type = "ftp_data";
} else {
event_type = "ftp";
}
FTPTransaction *tx = vtx; FTPTransaction *tx = vtx;
LogFTPLogThread *thread = thread_data; LogFTPLogThread *thread = thread_data;
LogFTPFileCtx *ftp_ctx = thread->ftplog_ctx; LogFTPFileCtx *ftp_ctx = thread->ftplog_ctx;
json_t *js = CreateJSONHeaderWithTxId(p, LOG_DIR_FLOW, json_t *js = CreateJSONHeaderWithTxId(p, LOG_DIR_FLOW, event_type, tx_id);
f->alproto == ALPROTO_FTP ? "ftp" : "ftp_data",
tx_id);
if (likely(js)) { if (likely(js)) {
JsonAddCommonOptions(&ftp_ctx->cfg, p, f, js); JsonAddCommonOptions(&ftp_ctx->cfg, p, f, js);
JsonFTPLogJSON(js, f, tx); json_t *cjs = NULL;
if (f->alproto == ALPROTO_FTPDATA) {
cjs = JsonFTPDataAddMetadata(f);
} else {
cjs = JsonFTPLogCommand(f, tx);
}
if (cjs) {
json_object_set_new(js, event_type, cjs);
}
MemBufferReset(thread->buffer); MemBufferReset(thread->buffer);
OutputJSONBuffer(js, thread->ftplog_ctx->file_ctx, &thread->buffer); OutputJSONBuffer(js, thread->ftplog_ctx->file_ctx, &thread->buffer);

Write Preview
Loading…
Cancel
Save