
    1 //--------------------------------------------------------------------------
    2 // Copyright (C) 2015-2020 Cisco and/or its affiliates. All rights reserved.
    3 //
    4 // This program is free software; you can redistribute it and/or modify it
    5 // under the terms of the GNU General Public License Version 2 as published
    6 // by the Free Software Foundation.  You may not use, modify or distribute
    7 // this program under any other version of the GNU General Public License.
    8 //
    9 // This program is distributed in the hope that it will be useful, but
   10 // WITHOUT ANY WARRANTY; without even the implied warranty of
   11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   12 // General Public License for more details.
   13 //
   14 // You should have received a copy of the GNU General Public License along
   15 // with this program; if not, write to the Free Software Foundation, Inc.,
   16 // 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
   17 //--------------------------------------------------------------------------
   18 // data_log.cc author Russ Combs <rcombs@sourcefire.com>
   19 
   20 #include <ctime>
   21 
   22 #include "flow/flow.h"
   23 #include "framework/data_bus.h"
   24 #include "framework/inspector.h"
   25 #include "framework/module.h"
   26 #include "log/messages.h"
   27 #include "log/text_log.h"
   28 #include "pub_sub/http_events.h"
   29 #include "time/packet_time.h"
   30 
   31 using namespace snort;
   32 
// Plugin identity as registered with Snort. s_name doubles as the name given
// to DataHandler's constructor and as the file name passed to TextLog_Init in
// DataLog::tinit.
static const char* s_name = "data_log";
static const char* s_help = "log selected published data to data.log";

// Per-thread state: DataLog::tinit/tterm open and close tlog on each packet
// thread and LogHandler::handle bumps dl_stats there, so each thread sees only
// its own copy. tlog is nullptr until tinit runs.
static THREAD_LOCAL TextLog* tlog = nullptr;
static THREAD_LOCAL SimpleStats dl_stats;
   38 
   39 //-------------------------------------------------------------------------
   40 // data stuff
   41 //-------------------------------------------------------------------------
   42 
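// Receives one published DataEvent (an HttpEvent for the keys this plugin
// offers in dl_params) and appends a single comma-separated record to the
// per-thread log. Instances are created by DataLog::configure and handed to
// DataBus::subscribe.
class LogHandler : public DataHandler
{
public:
    // explicit: a bare std::string must not silently convert into a handler.
    // key is kept in the initializer list rather than assigned in the body.
    explicit LogHandler(const std::string& s) : DataHandler(s_name), key(s)
    { }

    void handle(DataEvent& e, Flow*) override;

private:
    // Write ", " followed by the first n bytes of s; does nothing when s is
    // null, starts with a NUL byte, or n is not positive.
    void log(const uint8_t*, int32_t);
    std::string key;  // event name this handler was subscribed under
};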
   55 
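// Append one comma-separated field holding the first n bytes of s.
//
// The bytes come straight from an HTTP request/response header, i.e. from
// the remote peer, so they are written length-bounded with TextLog_Write and
// any control byte (NUL, CR, LF, ..., DEL) is rendered as a \xNN escape: a
// raw newline would otherwise let a crafted header forge an extra record in
// data.log. Bytes >= 0x80 are passed through unchanged, as before.
//
// s: header bytes, may be null. n: byte count; non-positive means "absent".
// The NUL-first-byte guard is kept from the original behaviour.
void LogHandler::log(const uint8_t* s, int32_t n)
{
    if ( !s or n <= 0 or !*s )
        return;

    TextLog_Print(tlog, ", ");

    const char* p = reinterpret_cast<const char*>(s);
    const unsigned len = static_cast<unsigned>(n);
    unsigned start = 0;  // first byte of the not-yet-written printable run

    for ( unsigned i = 0; i < len; ++i )
    {
        const unsigned char c = s[i];

        if ( c >= 0x20 and c != 0x7f )
            continue;

        // flush the printable run before the control byte, then escape it
        if ( i > start )
            TextLog_Write(tlog, p + start, i - start);

        TextLog_Print(tlog, "\\x%02x", static_cast<unsigned>(c));
        start = i + 1;
    }

    if ( len > start )
        TextLog_Write(tlog, p + start, len - start);
}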
   64 
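// Log one record for an HTTP header event, in the form
//   <utc time>, <client ip>, <client port>, <server ip>, <server port>
//   [, server][, host][, uri][, response code][, user agent]
// The header-derived fields go through log(), which skips absent values.
//
// e is treated as an HttpEvent: this handler is only subscribed under the
// http_*_header_event keys listed in dl_params. f is the flow the event
// belongs to; NOTE(review): these events are expected to carry a flow, the
// guard below only avoids a null dereference if that assumption ever breaks.
void LogHandler::handle(DataEvent& e, Flow* f)
{
    if ( !f )
        return;

    time_t pt = packet_time();
    struct tm st;
    char buf[26];          // asctime_r requires at least 26 bytes
    SfIpString ip_str;

    // asctime_r yields "Www Mmm dd hh:mm:ss yyyy\n"; drop the trailing newline
    // so the record stays on one line. Print "-" if the conversion fails
    // instead of formatting an uninitialised buffer.
    if ( gmtime_r(&pt, &st) and asctime_r(&st, buf) )
        buf[sizeof(buf)-2] = '\0';
    else
    {
        buf[0] = '-';
        buf[1] = '\0';
    }

    TextLog_Print(tlog, "%s, ", buf);
    // ip_str is reused: each ntop() result is consumed by its own Print call
    TextLog_Print(tlog, "%s, %d, ", f->client_ip.ntop(ip_str), f->client_port);
    TextLog_Print(tlog, "%s, %d", f->server_ip.ntop(ip_str), f->server_port);

    // named downcast instead of a C-style cast; see the note above on why
    // the event type is assumed rather than checked
    HttpEvent* he = static_cast<HttpEvent*>(&e);
    int32_t n;
    const uint8_t* s;

    s = he->get_server(n);
    log(s, n);

    s = he->get_host(n);
    log(s, n);

    s = he->get_uri(n);
    log(s, n);

    n = he->get_response_code();
    if ( n > 0 )
        TextLog_Print(tlog, ", %d", n);

    s = he->get_user_agent(n);
    log(s, n);

    TextLog_NewLine(tlog);
    dl_stats.total_packets++;
}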
  103 
  104 //-------------------------------------------------------------------------
  105 // inspector stuff
  106 //-------------------------------------------------------------------------
  107 
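// Inspector that carries the configured subscription key and log size limit.
// It never looks at packets itself (eval is empty); all output happens in the
// LogHandler it registers with the DataBus.
class DataLog : public Inspector
{
public:
    // s: DataBus event name to subscribe to. n: rollover limit in bytes
    // (0 = unlimited), already scaled from MB by DataLogModule::set.
    DataLog(const std::string& s, uint64_t n) : key(s), limit(n) { }

    void show(const SnortConfig*) const override;
    void eval(Packet*) override { }

    // Register the handler. NOTE(review): the handler is heap-allocated and
    // nothing here deletes it, so ownership is assumed to pass to the
    // DataBus - confirm against the framework before changing this.
    bool configure(SnortConfig*) override
    {
        DataBus::subscribe(key.c_str(), new LogHandler(key));
        return true;
    }

    // Per-thread: open the log named s_name with a 64*K_BYTES buffer and the
    // configured byte limit.
    void tinit() override
    { tlog = TextLog_Init(s_name, 64*K_BYTES, limit); }

    // Per-thread: close the log and clear the handle so a stray write after
    // tterm() meets a nullptr rather than freed memory.
    void tterm() override
    {
        TextLog_Term(tlog);
        tlog = nullptr;
    }

private:
    std::string key;
    uint64_t limit;
};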
  132 
// Report the effective configuration; the limit is shown in MB, the unit it
// was configured in.
void DataLog::show(const SnortConfig*) const
{
    const auto limit_mb = limit / M_BYTES;

    ConfigLogger::log_value("key", key.c_str());
    ConfigLogger::log_value("limit", limit_mb);
}
  138 
  139 //-------------------------------------------------------------------------
  140 // module stuff
  141 //-------------------------------------------------------------------------
  142 
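// Module parameters. The "key" default must be spelled exactly as one of the
// tokens in its range: the value is passed verbatim to DataBus::subscribe, so
// a trailing blank (the original default carried one) would register the
// handler under a name no publisher uses.
static const Parameter dl_params[] =
{
    { "key", Parameter::PT_SELECT, "http_request_header_event | http_response_header_event",
      "http_request_header_event", "name of the event to log" },

    // entered in MB; DataLogModule::set scales it to bytes
    { "limit", Parameter::PT_INT, "0:max32", "0",
      "set maximum size in MB before rollover (0 is unlimited)" },

    { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};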
  153 
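// Parses the data_log { key = ..., limit = ... } block and exposes the values
// to dl_ctor through its public key/limit members.
class DataLogModule : public Module
{
public:
    DataLogModule() : Module(s_name, s_help, dl_params)
    { }

    const PegInfo* get_pegs() const override
    { return simple_pegs; }

    // The framework reads the counters as a flat PegCount array.
    // NOTE(review): this relies on SimpleStats having exactly that layout;
    // the named cast only makes the reinterpretation visible.
    PegCount* get_counts() const override
    { return reinterpret_cast<PegCount*>(&dl_stats); }

    bool begin(const char*, int, SnortConfig*) override;
    bool set(const char*, Value& v, SnortConfig*) override;

    Usage get_usage() const override
    { return INSPECT; }

public:
    // Read by dl_ctor once the block is parsed; begin() resets both.
    std::string key;
    uint64_t limit = 0;  // bytes; initialised so a read before begin() is defined
};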
  176 
// Start of a data_log block: return both values to their "unset" state so a
// partially specified block does not inherit from an earlier one.
bool DataLogModule::begin(const char*, int, SnortConfig*)
{
    limit = 0;
    key = std::string();
    return true;
}
  183 
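// Store one parameter of the data_log block.
// Returns false for a name this module does not define.
bool DataLogModule::set(const char*, Value& v, SnortConfig*)
{
    if ( v.is("key") )
    {
        key = v.get_string();
        return true;
    }

    if ( v.is("limit") )
    {
        // Widen before scaling: the range admits up to max32 MB, and a
        // 32-bit product with M_BYTES wraps long before that, silently
        // shrinking the rollover limit.
        limit = static_cast<uint64_t>(v.get_uint32()) * M_BYTES;
        return true;
    }

    return false;
}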
  197 
  198 //-------------------------------------------------------------------------
  199 // api stuff
  200 //-------------------------------------------------------------------------
  201 
// Module factory listed in dl_api; the object is released through mod_dtor.
static Module* mod_ctor()
{
    return new DataLogModule();
}
  204 
// Counterpart of mod_ctor: destroys a module created there.
static void mod_dtor(Module* m)
{
    delete m;
}
  207 
// Build the inspector from the module's parsed configuration. m is the
// DataLogModule handed back by the framework as its base type, hence the
// downcast; the inspector is released through dl_dtor.
static Inspector* dl_ctor(Module* m)
{
    const auto* mod = static_cast<const DataLogModule*>(m);
    return new DataLog(mod->key, mod->limit);
}
  213 
// Counterpart of dl_ctor: destroys an inspector created there.
static void dl_dtor(Inspector* p)
{ delete p; }
  218 
// Inspector API table exported through snort_plugins. The inspector is
// passive (IT_PASSIVE, PROTO_BIT__NONE) and its eval() is empty, so no data
// originates from packet processing here; everything comes through the
// DataBus subscription made in DataLog::configure.
static const InspectApi dl_api
{
    {
        PT_INSPECTOR,
        sizeof(InspectApi),
        INSAPI_VERSION,
        0,
        API_RESERVED,
        API_OPTIONS,
        s_name,
        s_help,
        mod_ctor,
        mod_dtor
    },
    IT_PASSIVE,
    PROTO_BIT__NONE,
    nullptr, // buffers
    nullptr, // service
    nullptr, // pinit
    nullptr, // pterm
    nullptr, // tinit, (per-thread log setup lives in DataLog::tinit instead)
    nullptr, // tterm, (likewise DataLog::tterm)
    dl_ctor,
    dl_dtor,
    nullptr, // ssn
    nullptr  // reset
};
  246 
// Null-terminated plugin list Snort scans when loading this shared object;
// this file contributes a single inspector API.
SO_PUBLIC const BaseApi* snort_plugins[] =
{
    &dl_api.base,
    nullptr
};
  252