SnortExtras: .../appid_listener_event_handler.cc

"Fossies" - the Fresh Open Source Software Archive

Member "snort3_extra-3.0.3-1/src/inspectors/appid_listener/appid_listener_event_handler.cc" (23 Sep 2020, 6793 Bytes) of package /linux/misc/snort3_extra-3.0.3-1.tar.gz:

As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) C and C++ source code syntax highlighting (style: standard) with prefixed line numbers and code folding option. Alternatively you can here view or download the uninterpreted source code file. For more information about "appid_listener_event_handler.cc" see the Fossies "Dox" file reference documentation.

1 //-------------------------------------------------------------------------- 2 // Copyright (C) 2020-2020 Cisco and/or its affiliates. All rights reserved. 3 // 4 // This program is free software; you can redistribute it and/or modify it 5 // under the terms of the GNU General Public License Version 2 as published 6 // by the Free Software Foundation. You may not use, modify or distribute 7 // this program under any other version of the GNU General Public License. 8 // 9 // This program is distributed in the hope that it will be useful, but 10 // WITHOUT ANY WARRANTY; without even the implied warranty of 11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 12 // General Public License for more details. 13 // 14 // You should have received a copy of the GNU General Public License along 15 // with this program; if not, write to the Free Software Foundation, Inc., 16 // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 17 //-------------------------------------------------------------------------- 18 // appid_listener_event_handler.cc author Shravan Rangaraju <shrarang@cisco.com> 19 20 #include "appid_listener_event_handler.h" 21 22 #include <iomanip> 23 24 #include "flow/flow.h" 25 #include "network_inspectors/appid/appid_api.h" 26 #include "utils/stats.h" 27 #include "utils/util.h" 28 29 using namespace snort; 30 using namespace std; 31 32 void AppIdListenerEventHandler::handle(DataEvent& event, Flow* flow) 33 { 34 AppidEvent& appid_event = static_cast<AppidEvent&>(event); 35 const AppidChangeBits& ac_bits = appid_event.get_change_bitset(); 36 37 AppidChangeBits temp_ac_bits = ac_bits; 38 temp_ac_bits.reset(APPID_CREATED_BIT); 39 if (temp_ac_bits.none()) 40 return; 41 42 if (!flow) 43 { 44 if (!config.json_logging) 45 WarningMessage("appid_listener: flow is null\n"); 46 return; 47 } 48 49 if (!config.json_logging and !appid_changed(ac_bits)) 50 return; 51 52 char cli_ip_str[INET6_ADDRSTRLEN], srv_ip_str[INET6_ADDRSTRLEN]; 53 flow->client_ip.ntop(cli_ip_str, sizeof(cli_ip_str)); 54 flow->server_ip.ntop(srv_ip_str, sizeof(srv_ip_str)); 55 56 if (!config.json_logging and ac_bits.test(APPID_RESET_BIT)) 57 { 58 print_header(cli_ip_str, srv_ip_str, flow->client_port, flow->server_port, 59 flow->ip_proto, get_packet_number()); 60 61 ostringstream ss(" appid data is reset\n"); 62 if (!write_to_file(ss.str())) 63 LogMessage("%s", ss.str().c_str()); 64 65 return; 66 } 67 68 const AppIdSessionApi& api = appid_event.get_appid_session_api(); 69 AppId service = api.get_service_app_id(); 70 PegCount packet_num = get_packet_number(); 71 uint32_t http2_stream_index = 0; 72 bool is_http2 = appid_event.get_is_http2(); 73 if (is_http2) 74 http2_stream_index = appid_event.get_http2_stream_index(); 75 76 AppId client = api.get_client_app_id(http2_stream_index); 77 AppId payload = api.get_payload_app_id(http2_stream_index); 78 AppId misc = api.get_misc_app_id(http2_stream_index); 79 AppId referred = api.get_referred_app_id(http2_stream_index); 80 81 if (config.json_logging) 82 { 83 ostringstream ss; 84 JsonStream js(ss); 85 print_json_message(js, cli_ip_str, srv_ip_str, *flow, packet_num, api, service, 86 client, payload, misc, referred, is_http2, http2_stream_index, appid_event.get_packet()); 87 if (!write_to_file(ss.str())) 88 LogMessage("%s", ss.str().c_str()); 89 } 90 else 91 print_message(cli_ip_str, srv_ip_str, *flow, packet_num, service, client, 92 payload, misc, referred); 93 } 94 95 void AppIdListenerEventHandler::print_message(const char* cli_ip_str, const char* srv_ip_str, 96 const Flow& flow, PegCount packet_num, AppId service, AppId client, AppId payload, AppId misc, 97 AppId referred) 98 { 99 print_header(cli_ip_str, srv_ip_str, flow.client_port, flow.server_port, flow.ip_proto, 100 packet_num); 101 102 ostringstream ss; 103 ss << " service: " << service << " client: " << client << " payload: " << 104 payload << " misc: " << misc << " referred: " << referred << endl; 105 106 if (!write_to_file(ss.str())) 107 LogMessage("%s", ss.str().c_str()); 108 } 109 110 void AppIdListenerEventHandler::print_json_message(JsonStream& js, const char* cli_ip_str, 111 const char* srv_ip_str, const Flow& flow, PegCount packet_num, const AppIdSessionApi& api, 112 AppId service, AppId client, AppId payload, AppId misc, AppId referred, 113 bool is_http2, uint32_t http2_stream_index, const Packet* p) 114 { 115 assert(p); 116 char timebuf[TIMEBUF_SIZE]; 117 ts_print((const struct timeval*)&p->pkth->ts, timebuf, true); 118 js.open(); 119 js.put("session_num", api.get_session_id()); 120 js.put("pkt_time", timebuf); 121 122 print_json_header(js, cli_ip_str, srv_ip_str, flow.client_port, flow.server_port, 123 flow.ip_proto, packet_num); 124 125 const char* service_str = appid_api.get_application_name(service, flow); 126 const char* client_str = appid_api.get_application_name(client, flow); 127 const char* payload_str = appid_api.get_application_name(payload, flow); 128 const char* misc_str = appid_api.get_application_name(misc, flow); 129 const char* referred_str = appid_api.get_application_name(referred, flow); 130 131 js.open("apps"); 132 js.put("service", service_str); 133 js.put("client", client_str); 134 js.put("payload", payload_str); 135 js.put("misc", misc_str); 136 js.put("referred", referred_str); 137 js.close(); 138 139 const char* tls_host = api.get_tls_host(); 140 js.put("tls_host", tls_host); 141 142 const char* dns_host = nullptr; 143 if (api.get_dns_session()) 144 dns_host = api.get_dns_session()->get_host(); 145 js.put("dns_host", dns_host); 146 147 const AppIdHttpSession* hsession = api.get_http_session(http2_stream_index); 148 149 js.open("http"); 150 if (!hsession) 151 { 152 js.put("http2_stream"); 153 js.put("host"); 154 js.put("url"); 155 js.put("user_agent"); 156 js.put("response_code"); 157 js.put("referrer"); 158 js.put("client_version"); 159 } 160 else 161 { 162 const char* host = hsession->get_cfield(REQ_HOST_FID); 163 const char* url = hsession->get_cfield(MISC_URL_FID); 164 const char* user_agent = hsession->get_cfield(REQ_AGENT_FID); 165 const char* response_code = hsession->get_cfield(MISC_RESP_CODE_FID); 166 const char* referrer = hsession->get_cfield(REQ_REFERER_FID); 167 const char* version_str = api.get_client_version(http2_stream_index); 168 169 if (is_http2) 170 js.put("http2_stream", to_string(hsession->get_http2_stream_id())); 171 else 172 js.put("http2_stream", nullptr); 173 js.put("host", host); 174 js.put("url", url); 175 js.put("user_agent", user_agent); 176 js.put("response_code", response_code); 177 js.put("referrer", referrer); 178 js.put("client_version", version_str); 179 } 180 181 js.close(); 182 js.close(); 183 }