SnortExtras: src/inspectors/data_log/data_log.cc

"Fossies" - the Fresh Open Source Software Archive

Member "snort3_extra-3.0.3-1/src/inspectors/data_log/data_log.cc" (23 Sep 2020, 6245 Bytes) of package /linux/misc/snort3_extra-3.0.3-1.tar.gz:

As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) C and C++ source code syntax highlighting (style: standard) with prefixed line numbers and code folding option. Alternatively you can here view or download the uninterpreted source code file. For more information about "data_log.cc" see the Fossies "Dox" file reference documentation and the latest Fossies "Diffs" side-by-side code changes report:

1.0.0-beta2_vs_3.0.3-1.

1 //-------------------------------------------------------------------------- 2 // Copyright (C) 2015-2020 Cisco and/or its affiliates. All rights reserved. 3 // 4 // This program is free software; you can redistribute it and/or modify it 5 // under the terms of the GNU General Public License Version 2 as published 6 // by the Free Software Foundation. You may not use, modify or distribute 7 // this program under any other version of the GNU General Public License. 8 // 9 // This program is distributed in the hope that it will be useful, but 10 // WITHOUT ANY WARRANTY; without even the implied warranty of 11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 12 // General Public License for more details. 13 // 14 // You should have received a copy of the GNU General Public License along 15 // with this program; if not, write to the Free Software Foundation, Inc., 16 // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 17 //-------------------------------------------------------------------------- 18 // data_log.cc author Russ Combs <rcombs@sourcefire.com> 19 20 #include <ctime> 21 22 #include "flow/flow.h" 23 #include "framework/data_bus.h" 24 #include "framework/inspector.h" 25 #include "framework/module.h" 26 #include "log/messages.h" 27 #include "log/text_log.h" 28 #include "pub_sub/http_events.h" 29 #include "time/packet_time.h" 30 31 using namespace snort; 32 33 static const char* s_name = "data_log"; 34 static const char* s_help = "log selected published data to data.log"; 35 36 static THREAD_LOCAL TextLog* tlog = nullptr; 37 static THREAD_LOCAL SimpleStats dl_stats; 38 39 //------------------------------------------------------------------------- 40 // data stuff 41 //------------------------------------------------------------------------- 42 43 class LogHandler : public DataHandler 44 { 45 public: 46 LogHandler(const std::string& s) : DataHandler(s_name) 47 { key = s; } 48 49 void handle(DataEvent& e, Flow*) override; 50 51 private: 52 void log(const uint8_t*, int32_t); 53 std::string key; 54 }; 55 56 void LogHandler::log(const uint8_t* s, int32_t n) 57 { 58 if ( !s or !*s or n <= 0 ) 59 return; 60 61 TextLog_Print(tlog, ", "); 62 TextLog_Write(tlog, (const char*)s, (unsigned)n); 63 } 64 65 void LogHandler::handle(DataEvent& e, Flow* f) 66 { 67 time_t pt = packet_time(); 68 struct tm st; 69 char buf[26]; 70 SfIpString ip_str; 71 72 gmtime_r(&pt, &st); 73 asctime_r(&st, buf); 74 buf[sizeof(buf)-2] = '\0'; 75 76 TextLog_Print(tlog, "%s, ", buf); 77 TextLog_Print(tlog, "%s, %d, ", f->client_ip.ntop(ip_str), f->client_port); 78 TextLog_Print(tlog, "%s, %d", f->server_ip.ntop(ip_str), f->server_port); 79 80 HttpEvent* he = (HttpEvent*)&e; 81 int32_t n; 82 const uint8_t* s; 83 84 s = he->get_server(n); 85 log(s, n); 86 87 s = he->get_host(n); 88 log(s, n); 89 90 s = he->get_uri(n); 91 log(s, n); 92 93 n = he->get_response_code(); 94 if ( n > 0 ) 95 TextLog_Print(tlog, ", %d", n); 96 97 s = he->get_user_agent(n); 98 log(s, n); 99 100 TextLog_NewLine(tlog); 101 dl_stats.total_packets++; 102 } 103 104 //------------------------------------------------------------------------- 105 // inspector stuff 106 //------------------------------------------------------------------------- 107 108 class DataLog : public Inspector 109 { 110 public: 111 DataLog(const std::string& s, uint64_t n) : key(s), limit(n) { } 112 113 void show(const SnortConfig*) const override; 114 void eval(Packet*) override { } 115 116 bool configure(SnortConfig*) override 117 { 118 DataBus::subscribe(key.c_str(), new LogHandler(key)); 119 return true; 120 } 121 122 void tinit() override 123 { tlog = TextLog_Init(s_name, 64*K_BYTES, limit); } 124 125 void tterm() override 126 { TextLog_Term(tlog); } 127 128 private: 129 std::string key; 130 uint64_t limit; 131 }; 132 133 void DataLog::show(const SnortConfig*) const 134 { 135 ConfigLogger::log_value("key", key.c_str()); 136 ConfigLogger::log_value("limit", limit / M_BYTES); 137 } 138 139 //------------------------------------------------------------------------- 140 // module stuff 141 //------------------------------------------------------------------------- 142 143 static const Parameter dl_params[] = 144 { 145 { "key", Parameter::PT_SELECT, "http_request_header_event | http_response_header_event", 146 "http_request_header_event ", "name of the event to log" }, 147 148 { "limit", Parameter::PT_INT, "0:max32", "0", 149 "set maximum size in MB before rollover (0 is unlimited)" }, 150 151 { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } 152 }; 153 154 class DataLogModule : public Module 155 { 156 public: 157 DataLogModule() : Module(s_name, s_help, dl_params) 158 { } 159 160 const PegInfo* get_pegs() const override 161 { return simple_pegs; } 162 163 PegCount* get_counts() const override 164 { return (PegCount*)&dl_stats; } 165 166 bool begin(const char*, int, SnortConfig*) override; 167 bool set(const char*, Value& v, SnortConfig*) override; 168 169 Usage get_usage() const override 170 { return INSPECT; } 171 172 public: 173 std::string key; 174 uint64_t limit; 175 }; 176 177 bool DataLogModule::begin(const char*, int, SnortConfig*) 178 { 179 key.clear(); 180 limit = 0; 181 return true; 182 } 183 184 bool DataLogModule::set(const char*, Value& v, SnortConfig*) 185 { 186 if ( v.is("key") ) 187 key = v.get_string(); 188 189 else if ( v.is("limit") ) 190 limit = v.get_uint32() * M_BYTES; 191 192 else 193 return false; 194 195 return true; 196 } 197 198 //------------------------------------------------------------------------- 199 // api stuff 200 //------------------------------------------------------------------------- 201 202 static Module* mod_ctor() 203 { return new DataLogModule; } 204 205 static void mod_dtor(Module* m) 206 { delete m; } 207 208 static Inspector* dl_ctor(Module* m) 209 { 210 DataLogModule* mod = (DataLogModule*)m; 211 return new DataLog(mod->key, mod->limit); 212 } 213 214 static void dl_dtor(Inspector* p) 215 { 216 delete p; 217 } 218 219 static const InspectApi dl_api 220 { 221 { 222 PT_INSPECTOR, 223 sizeof(InspectApi), 224 INSAPI_VERSION, 225 0, 226 API_RESERVED, 227 API_OPTIONS, 228 s_name, 229 s_help, 230 mod_ctor, 231 mod_dtor 232 }, 233 IT_PASSIVE, 234 PROTO_BIT__NONE, 235 nullptr, // buffers 236 nullptr, // service 237 nullptr, // pinit 238 nullptr, // pterm 239 nullptr, // tinit, 240 nullptr, // tterm, 241 dl_ctor, 242 dl_dtor, 243 nullptr, // ssn 244 nullptr // reset 245 }; 246 247 SO_PUBLIC const BaseApi* snort_plugins[] = 248 { 249 &dl_api.base, 250 nullptr 251 }; 252