
    1 //--------------------------------------------------------------------------
    2 // Copyright (C) 2020-2020 Cisco and/or its affiliates. All rights reserved.
    3 //
    4 // This program is free software; you can redistribute it and/or modify it
    5 // under the terms of the GNU General Public License Version 2 as published
    6 // by the Free Software Foundation.  You may not use, modify or distribute
    7 // this program under any other version of the GNU General Public License.
    8 //
    9 // This program is distributed in the hope that it will be useful, but
   10 // WITHOUT ANY WARRANTY; without even the implied warranty of
   11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   12 // General Public License for more details.
   13 //
   14 // You should have received a copy of the GNU General Public License along
   15 // with this program; if not, write to the Free Software Foundation, Inc.,
   16 // 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
   17 //--------------------------------------------------------------------------
   18 // appid_listener_event_handler.cc author Shravan Rangaraju <shrarang@cisco.com>
   19 
   20 #include "appid_listener_event_handler.h"
   21 
   22 #include <iomanip>
   23 
   24 #include "flow/flow.h"
   25 #include "network_inspectors/appid/appid_api.h"
   26 #include "utils/stats.h"
   27 #include "utils/util.h"
   28 
   29 using namespace snort;
   30 using namespace std;
   31 
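// Entry point for AppidEvent notifications.
//
// Reports the current application identifiers of `flow`, as plain text or
// JSON depending on config.json_logging, whenever the event carries a change
// other than APPID_CREATED_BIT.  In text mode an APPID_RESET_BIT event is
// reported as a one-line reset notice and only changes accepted by
// appid_changed() are logged; JSON mode logs every remaining change.
//
// @param event  must be an AppidEvent; it is downcast without a runtime check.
// @param flow   flow the event refers to.  A null flow is skipped (with a
//               warning in text mode only).
void AppIdListenerEventHandler::handle(DataEvent& event, Flow* flow)
{
    AppidEvent& appid_event = static_cast<AppidEvent&>(event);
    const AppidChangeBits& ac_bits = appid_event.get_change_bitset();

    // Creation on its own is not reported; only the other change bits matter.
    AppidChangeBits temp_ac_bits = ac_bits;
    temp_ac_bits.reset(APPID_CREATED_BIT);
    if (temp_ac_bits.none())
        return;

    if (!flow)
    {
        if (!config.json_logging)
            WarningMessage("appid_listener: flow is null\n");
        return;
    }

    if (!config.json_logging and !appid_changed(ac_bits))
        return;

    // Printable endpoint addresses; sized for the longer IPv6 form.
    char cli_ip_str[INET6_ADDRSTRLEN], srv_ip_str[INET6_ADDRSTRLEN];
    flow->client_ip.ntop(cli_ip_str, sizeof(cli_ip_str));
    flow->server_ip.ntop(srv_ip_str, sizeof(srv_ip_str));

    if (!config.json_logging and ac_bits.test(APPID_RESET_BIT))
    {
        print_header(cli_ip_str, srv_ip_str, flow->client_port, flow->server_port,
            flow->ip_proto, get_packet_number());

        // A constant notice needs no stream: the previous code built an
        // ostringstream only to read its constructor argument back out.
        const string reset_msg(" appid data is reset\n");
        if (!write_to_file(reset_msg))
            LogMessage("%s", reset_msg.c_str());

        return;
    }

    const AppIdSessionApi& api = appid_event.get_appid_session_api();
    AppId service = api.get_service_app_id();
    PegCount packet_num = get_packet_number();

    // Per-stream ids are only meaningful for HTTP/2; stream 0 otherwise.
    uint32_t http2_stream_index = 0;
    bool is_http2 = appid_event.get_is_http2();
    if (is_http2)
        http2_stream_index = appid_event.get_http2_stream_index();

    AppId client = api.get_client_app_id(http2_stream_index);
    AppId payload = api.get_payload_app_id(http2_stream_index);
    AppId misc = api.get_misc_app_id(http2_stream_index);
    AppId referred = api.get_referred_app_id(http2_stream_index);

    if (config.json_logging)
    {
        ostringstream ss;
        JsonStream js(ss);
        print_json_message(js, cli_ip_str, srv_ip_str, *flow, packet_num, api, service,
            client, payload, misc, referred, is_http2, http2_stream_index, appid_event.get_packet());

        // Materialise the document once; write_to_file() falling through to
        // LogMessage() is the existing fallback when no output file is open.
        const string json_doc = ss.str();
        if (!write_to_file(json_doc))
            LogMessage("%s", json_doc.c_str());
    }
    else
        print_message(cli_ip_str, srv_ip_str, *flow, packet_num, service, client,
            payload, misc, referred);
}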
   94 
// Plain-text report: the flow header line followed by one line holding the
// numeric application ids.  Output goes to the listener's file when one is
// open, otherwise to LogMessage().
//
// @param cli_ip_str / srv_ip_str  already-formatted endpoint addresses.
// @param flow        source of ports and IP protocol for the header.
// @param packet_num  packet counter value to show in the header.
// @param service, client, payload, misc, referred  AppIds to print as numbers.
void AppIdListenerEventHandler::print_message(const char* cli_ip_str, const char* srv_ip_str,
    const Flow& flow, PegCount packet_num, AppId service, AppId client, AppId payload, AppId misc,
    AppId referred)
{
    print_header(cli_ip_str, srv_ip_str, flow.client_port, flow.server_port, flow.ip_proto,
        packet_num);

    ostringstream line;
    line << " service: " << service;
    line << " client: " << client;
    line << " payload: " << payload;
    line << " misc: " << misc;
    line << " referred: " << referred;
    line << '\n';

    const string text = line.str();
    if (!write_to_file(text))
        LogMessage("%s", text.c_str());
}
  109 
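// Emits one JSON object describing the flow's current AppId state into `js`.
//
// Keys, in emission order: session_num, pkt_time, the header fields written
// by print_json_header(), an "apps" object with the five application names,
// tls_host, dns_host and an "http" object.  Every "http" key is always
// present so the schema is stable; the values are null when no HTTP session
// exists for http2_stream_index.
//
// @param js   output stream; opened and closed by this function.
// @param p    packet that raised the event.  Must not be null: its header
//             timestamp becomes pkt_time.
//
// NOTE(review): host, url, user_agent, referrer and the other HTTP fields are
// copied from inspected traffic.  Keeping this output well-formed (and not
// spoofable via an embedded quote or newline) relies on JsonStream::put
// escaping its string arguments — confirm that in JsonStream before consuming
// the file as structured data.
void AppIdListenerEventHandler::print_json_message(JsonStream& js, const char* cli_ip_str,
    const char* srv_ip_str, const Flow& flow, PegCount packet_num, const AppIdSessionApi& api,
    AppId service, AppId client, AppId payload, AppId misc, AppId referred,
    bool is_http2, uint32_t http2_stream_index, const Packet* p)
{
    assert(p);
    char timebuf[TIMEBUF_SIZE];
    // ts_print() wants a timeval; the cast mirrors the original since the
    // declared type of pkth->ts is not visible here.
    ts_print((const struct timeval*)&p->pkth->ts, timebuf, true);
    js.open();
    js.put("session_num", api.get_session_id());
    js.put("pkt_time", timebuf);

    print_json_header(js, cli_ip_str, srv_ip_str, flow.client_port, flow.server_port,
        flow.ip_proto, packet_num);

    // Names are resolved in the same order the ids were gathered.
    js.open("apps");
    js.put("service", appid_api.get_application_name(service, flow));
    js.put("client", appid_api.get_application_name(client, flow));
    js.put("payload", appid_api.get_application_name(payload, flow));
    js.put("misc", appid_api.get_application_name(misc, flow));
    js.put("referred", appid_api.get_application_name(referred, flow));
    js.close();

    js.put("tls_host", api.get_tls_host());

    // Fetch the DNS session once instead of twice; null when none was tracked.
    const char* dns_host = nullptr;
    auto dns_session = api.get_dns_session();
    if (dns_session)
        dns_host = dns_session->get_host();
    js.put("dns_host", dns_host);

    const AppIdHttpSession* hsession = api.get_http_session(http2_stream_index);

    js.open("http");
    if (!hsession)
    {
        // No HTTP state for this stream: emit the keys with null values.
        js.put("http2_stream");
        js.put("host");
        js.put("url");
        js.put("user_agent");
        js.put("response_code");
        js.put("referrer");
        js.put("client_version");
    }
    else
    {
        // The stream id is only meaningful for HTTP/2; HTTP/1.x gets null.
        if (is_http2)
            js.put("http2_stream", to_string(hsession->get_http2_stream_id()));
        else
            js.put("http2_stream", nullptr);
        js.put("host", hsession->get_cfield(REQ_HOST_FID));
        js.put("url", hsession->get_cfield(MISC_URL_FID));
        js.put("user_agent", hsession->get_cfield(REQ_AGENT_FID));
        js.put("response_code", hsession->get_cfield(MISC_RESP_CODE_FID));
        js.put("referrer", hsession->get_cfield(REQ_REFERER_FID));
        js.put("client_version", api.get_client_version(http2_stream_index));
    }

    js.close();   // "http"
    js.close();   // top-level object
}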
  177         js.put("referrer", referrer);
  178         js.put("client_version", version_str);
  179     }
  180 
  181     js.close();
  182     js.close();
  183 }