SnortExtras: src/inspectors/data_log/data_log.cc

"Fossies" - the Fresh Open Source Software Archive

Member "snort3_extra-3.1.51.0/src/inspectors/data_log/data_log.cc" (20 Dec 2022, 6346 Bytes) of package /linux/misc/snort3_extra-3.1.51.0.tar.gz:

As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) C and C++ source code syntax highlighting (style: standard) with prefixed line numbers and code folding option. Alternatively you can here view or download the uninterpreted source code file. For more information about "data_log.cc" see the Fossies "Dox" file reference documentation and the last Fossies "Diffs" side-by-side code changes report:

3.1.48.0_vs_3.1.50.0.

1 //-------------------------------------------------------------------------- 2 // Copyright (C) 2015-2022 Cisco and/or its affiliates. All rights reserved. 3 // 4 // This program is free software; you can redistribute it and/or modify it 5 // under the terms of the GNU General Public License Version 2 as published 6 // by the Free Software Foundation. You may not use, modify or distribute 7 // this program under any other version of the GNU General Public License. 8 // 9 // This program is distributed in the hope that it will be useful, but 10 // WITHOUT ANY WARRANTY; without even the implied warranty of 11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 12 // General Public License for more details. 13 // 14 // You should have received a copy of the GNU General Public License along 15 // with this program; if not, write to the Free Software Foundation, Inc., 16 // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 17 //-------------------------------------------------------------------------- 18 // data_log.cc author Russ Combs <rcombs@sourcefire.com> 19 20 #include <ctime> 21 22 #include "flow/flow.h" 23 #include "framework/data_bus.h" 24 #include "framework/inspector.h" 25 #include "framework/module.h" 26 #include "log/messages.h" 27 #include "log/text_log.h" 28 #include "pub_sub/http_events.h" 29 #include "time/packet_time.h" 30 31 using namespace snort; 32 33 static const char* s_name = "data_log"; 34 static const char* s_help = "log selected published data to data.log"; 35 36 static THREAD_LOCAL TextLog* tlog = nullptr; 37 static THREAD_LOCAL SimpleStats dl_stats; 38 39 //------------------------------------------------------------------------- 40 // data stuff 41 //------------------------------------------------------------------------- 42 43 class LogHandler : public DataHandler 44 { 45 public: 46 LogHandler(const std::string& s) : DataHandler(s_name) 47 { key = s; } 48 49 void handle(DataEvent& e, Flow*) override; 50 51 private: 52 void log(const uint8_t*, int32_t); 53 std::string key; 54 }; 55 56 void LogHandler::log(const uint8_t* s, int32_t n) 57 { 58 if ( !s or !*s or n <= 0 ) 59 return; 60 61 TextLog_Print(tlog, ", "); 62 TextLog_Write(tlog, (const char*)s, (unsigned)n); 63 } 64 65 void LogHandler::handle(DataEvent& e, Flow* f) 66 { 67 time_t pt = packet_time(); 68 struct tm st; 69 char buf[26]; 70 SfIpString ip_str; 71 72 gmtime_r(&pt, &st); 73 asctime_r(&st, buf); 74 buf[sizeof(buf)-2] = '\0'; 75 76 TextLog_Print(tlog, "%s, ", buf); 77 TextLog_Print(tlog, "%s, %d, ", f->client_ip.ntop(ip_str), f->client_port); 78 TextLog_Print(tlog, "%s, %d", f->server_ip.ntop(ip_str), f->server_port); 79 80 HttpEvent* he = (HttpEvent*)&e; 81 int32_t n; 82 const uint8_t* s; 83 84 s = he->get_server(n); 85 log(s, n); 86 87 s = he->get_authority(n); 88 log(s, n); 89 90 s = he->get_uri(n); 91 log(s, n); 92 93 n = he->get_response_code(); 94 if ( n > 0 ) 95 TextLog_Print(tlog, ", %d", n); 96 97 s = he->get_user_agent(n); 98 log(s, n); 99 100 TextLog_NewLine(tlog); 101 dl_stats.total_packets++; 102 } 103 104 //------------------------------------------------------------------------- 105 // inspector stuff 106 //------------------------------------------------------------------------- 107 108 class DataLog : public Inspector 109 { 110 public: 111 DataLog(const std::string& s, uint64_t n) : key(s), limit(n) { } 112 113 void show(const SnortConfig*) const override; 114 void eval(Packet*) override { } 115 116 bool configure(SnortConfig*) override 117 { 118 unsigned eid = key == "http_request_header_event" ? HttpEventIds::REQUEST_HEADER : HttpEventIds::RESPONSE_HEADER; 119 DataBus::subscribe(http_pub_key, eid, new LogHandler(key)); 120 return true; 121 } 122 123 void tinit() override 124 { tlog = TextLog_Init(s_name, 64*K_BYTES, limit); } 125 126 void tterm() override 127 { TextLog_Term(tlog); } 128 129 private: 130 std::string key; 131 uint64_t limit; 132 }; 133 134 void DataLog::show(const SnortConfig*) const 135 { 136 ConfigLogger::log_value("key", key.c_str()); 137 ConfigLogger::log_value("limit", limit / M_BYTES); 138 } 139 140 //------------------------------------------------------------------------- 141 // module stuff 142 //------------------------------------------------------------------------- 143 144 static const Parameter dl_params[] = 145 { 146 { "key", Parameter::PT_SELECT, "http_request_header_event | http_response_header_event", 147 "http_request_header_event ", "name of the event to log" }, 148 149 { "limit", Parameter::PT_INT, "0:max32", "0", 150 "set maximum size in MB before rollover (0 is unlimited)" }, 151 152 { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } 153 }; 154 155 class DataLogModule : public Module 156 { 157 public: 158 DataLogModule() : Module(s_name, s_help, dl_params) 159 { } 160 161 const PegInfo* get_pegs() const override 162 { return simple_pegs; } 163 164 PegCount* get_counts() const override 165 { return (PegCount*)&dl_stats; } 166 167 bool begin(const char*, int, SnortConfig*) override; 168 bool set(const char*, Value& v, SnortConfig*) override; 169 170 Usage get_usage() const override 171 { return INSPECT; } 172 173 public: 174 std::string key; 175 uint64_t limit; 176 }; 177 178 bool DataLogModule::begin(const char*, int, SnortConfig*) 179 { 180 key.clear(); 181 limit = 0; 182 return true; 183 } 184 185 bool DataLogModule::set(const char*, Value& v, SnortConfig*) 186 { 187 if ( v.is("key") ) 188 key = v.get_string(); 189 190 else if ( v.is("limit") ) 191 limit = v.get_uint32() * M_BYTES; 192 193 return true; 194 } 195 196 //------------------------------------------------------------------------- 197 // api stuff 198 //------------------------------------------------------------------------- 199 200 static Module* mod_ctor() 201 { return new DataLogModule; } 202 203 static void mod_dtor(Module* m) 204 { delete m; } 205 206 static Inspector* dl_ctor(Module* m) 207 { 208 DataLogModule* mod = (DataLogModule*)m; 209 return new DataLog(mod->key, mod->limit); 210 } 211 212 static void dl_dtor(Inspector* p) 213 { 214 delete p; 215 } 216 217 static const InspectApi dl_api 218 { 219 { 220 PT_INSPECTOR, 221 sizeof(InspectApi), 222 INSAPI_VERSION, 223 0, 224 API_RESERVED, 225 API_OPTIONS, 226 s_name, 227 s_help, 228 mod_ctor, 229 mod_dtor 230 }, 231 IT_PASSIVE, 232 PROTO_BIT__NONE, 233 nullptr, // buffers 234 nullptr, // service 235 nullptr, // pinit 236 nullptr, // pterm 237 nullptr, // tinit, 238 nullptr, // tterm, 239 dl_ctor, 240 dl_dtor, 241 nullptr, // ssn 242 nullptr // reset 243 }; 244 245 SO_PUBLIC const BaseApi* snort_plugins[] = 246 { 247 &dl_api.base, 248 nullptr 249 }; 250