1 //--------------------------------------------------------------------------
2 // Copyright (C) 2015-2022 Cisco and/or its affiliates. All rights reserved.
3 //
4 // This program is free software; you can redistribute it and/or modify it
5 // under the terms of the GNU General Public License Version 2 as published
6 // by the Free Software Foundation. You may not use, modify or distribute
7 // this program under any other version of the GNU General Public License.
8 //
9 // This program is distributed in the hope that it will be useful, but
10 // WITHOUT ANY WARRANTY; without even the implied warranty of
11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 // General Public License for more details.
13 //
14 // You should have received a copy of the GNU General Public License along
15 // with this program; if not, write to the Free Software Foundation, Inc.,
16 // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
17 //--------------------------------------------------------------------------
18 // data_log.cc author Russ Combs <rcombs@sourcefire.com>
19
20 #include <ctime>
21
22 #include "flow/flow.h"
23 #include "framework/data_bus.h"
24 #include "framework/inspector.h"
25 #include "framework/module.h"
26 #include "log/messages.h"
27 #include "log/text_log.h"
28 #include "pub_sub/http_events.h"
29 #include "time/packet_time.h"
30
31 using namespace snort;
32
// Plugin identity: used as the module name, the DataBus handler name and the
// TextLog file name.
static const char* s_name = "data_log";
static const char* s_help = "log selected published data to data.log";

// Per-thread log handle, opened in DataLog::tinit() and closed in tterm().
static THREAD_LOCAL TextLog* tlog = nullptr;
// Per-thread counters handed out by DataLogModule::get_counts().
static THREAD_LOCAL SimpleStats dl_stats;
38
39 //-------------------------------------------------------------------------
40 // data stuff
41 //-------------------------------------------------------------------------
42
// Subscriber for one HTTP header event. Every delivered event becomes a
// single comma-separated line in the thread's TextLog.
class LogHandler : public DataHandler
{
public:
    LogHandler(const std::string& s) : DataHandler(s_name), key(s)
    { }

    void handle(DataEvent& e, Flow*) override;

private:
    // Emits ", " followed by the first n bytes of the buffer; empty
    // buffers produce no output.
    void log(const uint8_t*, int32_t);

    // Event name this handler was created for; stored at construction and
    // not read elsewhere in this translation unit.
    std::string key;
};
55
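// Appends one comma-separated field made of the first n bytes of s to the
// thread's log. Nothing is written for a null pointer, a non-positive length
// or a buffer whose first byte is NUL.
void LogHandler::log(const uint8_t* s, int32_t n)
{
    // Check the length before dereferencing: with n <= 0 the pointer is not
    // guaranteed to address a readable byte, so *s must not be tested first.
    if ( !s or n <= 0 or !*s )
        return;

    TextLog_Print(tlog, ", ");
    TextLog_Write(tlog, reinterpret_cast<const char*>(s), static_cast<unsigned>(n));
}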
64
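// Writes one log line for an HTTP header event:
//   <utc packet time>, <client ip>, <client port>, <server ip>, <server port>
// followed by server, authority, uri, response code (only when > 0) and
// user agent, each prefixed with ", " and omitted when empty.
void LogHandler::handle(DataEvent& e, Flow* f)
{
    // The signature permits a null flow and the endpoints below are read
    // from it; bail out instead of dereferencing nullptr (presumably the HTTP
    // publisher always supplies a flow -- TODO confirm).
    if ( !f )
        return;

    time_t pt = packet_time();
    struct tm st{};
    char buf[26] = { 0 };   // asctime_r requires at least 26 bytes

    // gmtime_r signals failure with nullptr; only a successful conversion
    // leaves st in a state asctime_r may format.
    if ( gmtime_r(&pt, &st) )
    {
        asctime_r(&st, buf);
        buf[sizeof(buf)-2] = '\0';   // drop the trailing '\n' asctime_r emits
    }

    SfIpString ip_str;
    TextLog_Print(tlog, "%s, ", buf);
    TextLog_Print(tlog, "%s, %d, ", f->client_ip.ntop(ip_str), f->client_port);
    TextLog_Print(tlog, "%s, %d", f->server_ip.ntop(ip_str), f->server_port);

    // This handler is subscribed only to HTTP header event ids (see
    // DataLog::configure), so the event is expected to be an HttpEvent.
    HttpEvent* he = static_cast<HttpEvent*>(&e);
    int32_t n = 0;
    const uint8_t* s = nullptr;

    s = he->get_server(n);
    log(s, n);

    s = he->get_authority(n);
    log(s, n);

    s = he->get_uri(n);
    log(s, n);

    n = he->get_response_code();
    if ( n > 0 )
        TextLog_Print(tlog, ", %d", n);

    s = he->get_user_agent(n);
    log(s, n);

    TextLog_NewLine(tlog);
    dl_stats.total_packets++;
}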
103
104 //-------------------------------------------------------------------------
105 // inspector stuff
106 //-------------------------------------------------------------------------
107
// Passive inspector: registers the event subscription and owns the
// per-thread log file. No per-packet work is done.
class DataLog : public Inspector
{
public:
    DataLog(const std::string& s, uint64_t n) : key(s), limit(n) { }

    void show(const SnortConfig*) const override;

    // All output is driven by DataBus events, not by packets.
    void eval(Packet*) override { }

    bool configure(SnortConfig*) override
    {
        unsigned eid;

        if ( key == "http_request_header_event" )
            eid = HttpEventIds::REQUEST_HEADER;
        else
            eid = HttpEventIds::RESPONSE_HEADER;

        // The handler is handed to the bus; presumably DataBus::subscribe
        // takes ownership of it -- TODO confirm.
        DataBus::subscribe(http_pub_key, eid, new LogHandler(key));
        return true;
    }

    // Open/close the thread-local log; limit is the rollover size in bytes
    // (0 means unlimited, per dl_params).
    void tinit() override
    { tlog = TextLog_Init(s_name, 64*K_BYTES, limit); }

    void tterm() override
    { TextLog_Term(tlog); }

private:
    std::string key;    // selected event name
    uint64_t limit;     // rollover size in bytes
};
133
// Reports the configured event name and the rollover limit, converted back
// from bytes to the MB unit the user supplied.
void DataLog::show(const SnortConfig*) const
{
    const uint64_t limit_mb = limit / M_BYTES;

    ConfigLogger::log_value("key", key.c_str());
    ConfigLogger::log_value("limit", limit_mb);
}
139
140 //-------------------------------------------------------------------------
141 // module stuff
142 //-------------------------------------------------------------------------
143
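// Module parameters. The "key" default must be spelled exactly like one of
// the select options and like the string DataLog::configure compares against;
// with a trailing space the default would never match "http_request_header_event"
// and the response-header id would be subscribed instead.
static const Parameter dl_params[] =
{
    { "key", Parameter::PT_SELECT, "http_request_header_event | http_response_header_event",
      "http_request_header_event", "name of the event to log" },

    { "limit", Parameter::PT_INT, "0:max32", "0",
      "set maximum size in MB before rollover (0 is unlimited)" },

    { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};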
154
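// Configuration module: parses "key" and "limit" and exposes the peg counts.
class DataLogModule : public Module
{
public:
    DataLogModule() : Module(s_name, s_help, dl_params)
    { }

    const PegInfo* get_pegs() const override
    { return simple_pegs; }

    // The framework reads the SimpleStats block through a PegCount pointer;
    // the reinterpretation is made explicit instead of a C-style cast.
    PegCount* get_counts() const override
    { return reinterpret_cast<PegCount*>(&dl_stats); }

    bool begin(const char*, int, SnortConfig*) override;
    bool set(const char*, Value& v, SnortConfig*) override;

    Usage get_usage() const override
    { return INSPECT; }

public:
    // Read by dl_ctor() after begin()/set(); initialized here so the
    // inspector never receives an indeterminate limit.
    std::string key;
    uint64_t limit = 0;
};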
177
// Resets both parsed values before a configuration block is applied.
bool DataLogModule::begin(const char*, int, SnortConfig*)
{
    limit = 0;
    key = std::string();
    return true;
}
184
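// Stores one parameter. "limit" is given in MB; the value is widened to
// 64 bits before scaling so the full 0:max32 range does not overflow when
// M_BYTES is a 32-bit constant.
bool DataLogModule::set(const char*, Value& v, SnortConfig*)
{
    if ( v.is("key") )
        key = v.get_string();

    else if ( v.is("limit") )
        limit = static_cast<uint64_t>(v.get_uint32()) * M_BYTES;

    return true;
}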
195
196 //-------------------------------------------------------------------------
197 // api stuff
198 //-------------------------------------------------------------------------
199
// Module factory referenced from dl_api; the framework releases it via mod_dtor.
static Module* mod_ctor()
{
    Module* m = new DataLogModule();
    return m;
}
202
// Releases a module created by mod_ctor (relies on Module's virtual destructor).
static void mod_dtor(Module* m)
{
    delete m;
}
205
// Inspector factory: the framework passes the DataLogModule it built with
// mod_ctor, so the downcast is by construction.
static Inspector* dl_ctor(Module* m)
{
    const DataLogModule* mod = static_cast<DataLogModule*>(m);
    return new DataLog(mod->key, mod->limit);
}
211
// Releases an inspector created by dl_ctor (relies on Inspector's virtual destructor).
static void dl_dtor(Inspector* p)
{
    delete p;
}
216
// Plugin descriptor. Thread init/term are implemented as DataLog overrides
// (tinit/tterm), so the api-level slots stay null.
static const InspectApi dl_api
{
    {
        PT_INSPECTOR,
        sizeof(InspectApi),
        INSAPI_VERSION,
        0,
        API_RESERVED,
        API_OPTIONS,
        s_name,
        s_help,
        mod_ctor,
        mod_dtor
    },
    IT_PASSIVE,
    PROTO_BIT__NONE,
    nullptr, // buffers
    nullptr, // service
    nullptr, // pinit
    nullptr, // pterm
    nullptr, // tinit (handled by DataLog::tinit)
    nullptr, // tterm (handled by DataLog::tterm)
    dl_ctor,
    dl_dtor,
    nullptr, // ssn
    nullptr  // reset
};
244
// Null-terminated list of plugins exported by this shared object.
SO_PUBLIC const BaseApi* snort_plugins[] =
{
    &dl_api.base,
    nullptr
};