You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
suricata/src/log-cf-common.c

276 lines
7.2 KiB
C

/* Copyright (C) 2007-2016 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Paulo Pacheco <fooinha@gmail.com>
* \author Victor Julien <victor@inliniac.net>
* \author Ignacio Sanchez <sanchezmartin.ji@gmail.com>
*
* Common custom logging format
*/
#include "log-cf-common.h"
#include "util-print.h"
#include "util-unittest.h"
#include "util-time.h"
/**
* \brief Creates a custom format node
* \retval LogCustomFormatNode * ptr if created
* \retval NULL if failed to allocate
*/
LogCustomFormatNode * LogCustomFormatNodeAlloc()
{
LogCustomFormatNode * node = SCCalloc(1, sizeof(LogCustomFormatNode));
if (unlikely(node == NULL)) {
SCLogError(SC_ERR_MEM_ALLOC, "Failed to alloc custom format node");
return NULL;
}
return node;
}
/**
* \brief Creates a custom format.
* \retval LogCustomFormat * ptr if created
* \retval NULL if failed to allocate
*/
LogCustomFormat * LogCustomFormatAlloc()
{
LogCustomFormat * cf = SCCalloc(1, sizeof(LogCustomFormat));
if (unlikely(cf == NULL)) {
SCLogError(SC_ERR_MEM_ALLOC, "Failed to alloc custom format");
return NULL;
}
return cf;
}
/**
* \brief Frees memory held by a custom format node
* \param LogCustomFormatNode * node - node to relaease
*/
void LogCustomFormatNodeFree(LogCustomFormatNode *node)
{
if (node==NULL)
return;
SCFree(node);
}
/**
* \brief Frees memory held by a custom format
* \param LogCustomFormat * cf - format to relaease
*/
void LogCustomFormatFree(LogCustomFormat *cf)
{
if (cf==NULL)
return;
for (size_t i = 0; i < cf->cf_n; ++i) {
LogCustomFormatNodeFree(cf->cf_nodes[i]);
}
SCFree(cf);
}
/**
* \brief Parses and saves format nodes for custom format
* \param LogCustomFormat * cf - custom format to build
* \param const char * format - string with format specification
*/
int LogCustomFormatParse(LogCustomFormat *cf, const char *format)
{
const char *p, *np;
uint32_t n;
LogCustomFormatNode *node = NULL;
if (cf==NULL)
return 0;
if (format==NULL)
return 0;
p=format;
for (cf->cf_n = 0; cf->cf_n < LOG_MAXN_NODES-1 && p && *p != '\0';){
node = LogCustomFormatNodeAlloc();
if (node == NULL) {
goto parsererror;
}
node->maxlen = 0;
if (*p != '%'){
/* Literal found in format string */
node->type = LOG_CF_LITERAL;
np = strchr(p, '%');
if (np == NULL){
n = LOG_NODE_STRLEN-2;
np = NULL; /* End */
}else{
n = np-p;
}
strlcpy(node->data,p,n+1);
p = np;
} else {
/* Non Literal found in format string */
p++;
if (*p == '[') { /* Check if maxlength has been specified (ie: [25]) */
p++;
np = strchr(p, ']');
if (np != NULL) {
if (np-p > 0 && np-p < 10){
long maxlen = strtol(p,NULL,10);
if (maxlen > 0 && maxlen < LOG_NODE_MAXOUTPUTLEN) {
node->maxlen = (uint32_t) maxlen;
}
} else {
goto parsererror;
}
p = np + 1;
} else {
goto parsererror;
}
}
if (*p == '{') { /* Simple format char */
np = strchr(p, '}');
if (np != NULL && np-p > 1 && np-p < LOG_NODE_STRLEN-2) {
p++;
n = np-p;
strlcpy(node->data, p, n+1);
p = np;
} else {
goto parsererror;
}
p++;
} else {
node->data[0] = '\0';
}
node->type = *p;
if (*p == '%'){
node->type = LOG_CF_LITERAL;
strlcpy(node->data, "%", 2);
}
p++;
}
LogCustomFormatAddNode(cf, node);
}
return 1;
parsererror:
LogCustomFormatNodeFree(node);
return 0;
}
/**
* \brief Adds a node to custom format
* \param LogCustomFormat * cf - custom format
* \param LogCustomFormatNode * node - node to add
*/
void LogCustomFormatAddNode(LogCustomFormat *cf, LogCustomFormatNode *node)
{
if (cf == NULL || node == NULL)
return;
if (cf->cf_n == LOG_MAXN_NODES) {
SCLogWarning(SC_WARN_LOG_CF_TOO_MANY_NODES, "Too many options for custom format");
return;
}
#ifdef DEBUG
SCLogDebug("%d-> n.type=[%d] n.maxlen=[%d] n.data=[%s]",
cf->cf_n, node->type, node->maxlen, node->data);
#endif
cf->cf_nodes[cf->cf_n] = node;
cf->cf_n++;
}
/**
* \brief Writes a timestamp with given format into a MemBuffer
* \param MemBuffer * buffer - where to write
* \param const char * fmt - format to be used write timestamp
* \param const struct timeveal *ts - the timetstamp
*
*/
void LogCustomFormatWriteTimestamp(MemBuffer *buffer, const char *fmt, const struct timeval *ts) {
time_t time = ts->tv_sec;
struct tm local_tm;
struct tm *timestamp = SCLocalTime(time, &local_tm);
char buf[128] = {0};
const char * fmt_to_use = TIMESTAMP_DEFAULT_FORMAT;
if (fmt && *fmt != '\0') {
fmt_to_use = fmt;
}
CreateFormattedTimeString (timestamp, fmt_to_use, buf, sizeof(buf));
PrintRawUriBuf((char *)buffer->buffer, &buffer->offset,
buffer->size, (uint8_t *)buf,strlen(buf));
}
#ifdef UNITTESTS
/**
* \internal
* \brief This test tests default timestamp format
*/
static int LogCustomFormatTest01(void)
{
struct tm tm;
tm.tm_sec = 0;
tm.tm_min = 30;
tm.tm_hour = 4;
tm.tm_mday = 13;
tm.tm_mon = 0;
tm.tm_year = 114;
tm.tm_wday = 1;
tm.tm_yday = 13;
tm.tm_isdst = 0;
time_t secs = mktime(&tm);
struct timeval ts = {secs, 0};
MemBuffer *buffer = MemBufferCreateNew(62);
if (!buffer) {
return 0;
}
LogCustomFormatWriteTimestamp(buffer, "", &ts);
/*
* {buffer = "01/13/14-04:30:00", size = 62, offset = 17}
*/
FAIL_IF_NOT( buffer->offset == 17);
FAIL_IF(strcmp((char *)buffer->buffer, "01/13/14-04:30:00") != 0);
MemBufferFree(buffer);
return 1;
}
static void LogCustomFormatRegisterTests(void)
{
UtRegisterTest("LogCustomFormatTest01", LogCustomFormatTest01);
}
#endif /* UNITTESTS */
void LogCustomFormatRegister(void)
{
#ifdef UNITTESTS
LogCustomFormatRegisterTests();
#endif /* UNITTESTS */
}