
    1 //--------------------------------------------------------------------------
    2 // Copyright (C) 2015-2022 Cisco and/or its affiliates. All rights reserved.
    3 //
    4 // This program is free software; you can redistribute it and/or modify it
    5 // under the terms of the GNU General Public License Version 2 as published
    6 // by the Free Software Foundation.  You may not use, modify or distribute
    7 // this program under any other version of the GNU General Public License.
    8 //
    9 // This program is distributed in the hope that it will be useful, but
   10 // WITHOUT ANY WARRANTY; without even the implied warranty of
   11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   12 // General Public License for more details.
   13 //
   14 // You should have received a copy of the GNU General Public License along
   15 // with this program; if not, write to the Free Software Foundation, Inc.,
   16 // 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
   17 //--------------------------------------------------------------------------
   18 // data_log.cc author Russ Combs <rcombs@sourcefire.com>
   19 
   20 #include <ctime>
   21 
   22 #include "flow/flow.h"
   23 #include "framework/data_bus.h"
   24 #include "framework/inspector.h"
   25 #include "framework/module.h"
   26 #include "log/messages.h"
   27 #include "log/text_log.h"
   28 #include "pub_sub/http_events.h"
   29 #include "time/packet_time.h"
   30 
   31 using namespace snort;
   32 
// plugin name and help text; s_name is also the name handed to TextLog_Init
// in DataLog::tinit and the name LogHandler registers with DataHandler
static const char* s_name = "data_log";
static const char* s_help = "log selected published data to data.log";

// per-thread log handle: created in DataLog::tinit, released in DataLog::tterm,
// written by LogHandler
static THREAD_LOCAL TextLog* tlog = nullptr;
// per-thread counters; total_packets is bumped once per logged event in
// LogHandler::handle and exposed through DataLogModule::get_counts
static THREAD_LOCAL SimpleStats dl_stats;
   38 
   39 //-------------------------------------------------------------------------
   40 // data stuff
   41 //-------------------------------------------------------------------------
   42 
// Subscriber that turns one published HTTP header event into one line of the
// thread-local data log.
class LogHandler : public DataHandler
{
public:
    // s is the configured event key; it is kept only for reference
    LogHandler(const std::string& s) : DataHandler(s_name), key(s)
    { }

    void handle(DataEvent& e, Flow*) override;

private:
    // append one comma-separated field of the given length to the current line
    void log(const uint8_t*, int32_t);
    std::string key;
};
   55 
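// Append one comma-separated field to the current log line.
// s points at n bytes that are not NUL-terminated; nothing is written for a
// null, empty or NUL-leading field, so an absent value leaves no ", " behind.
void LogHandler::log(const uint8_t* s, int32_t n)
{
    // test the length before touching *s so an empty field (n == 0) never
    // reads a byte it does not own
    if ( !s or n <= 0 or !*s )
        return;

    TextLog_Print(tlog, ", ");
    // NOTE(review): the bytes are copied verbatim into a line-oriented log;
    // whether these HTTP fields can still carry CR/LF or other non-printables
    // depends on the publisher's normalization -- confirm before relying on
    // "one event per line" downstream
    TextLog_Write(tlog, reinterpret_cast<const char*>(s), static_cast<unsigned>(n));
}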
   64 
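// Emit one log line for a published HTTP header event:
//   <utc asctime>, <client ip>, <client port>, <server ip>, <server port>
//   [, server][, authority][, uri][, status][, user-agent]
// The optional fields are appended by log() only when present.
void LogHandler::handle(DataEvent& e, Flow* f)
{
    // DataLog::configure subscribes to http_pub_key only, so the event is an
    // HttpEvent; the fields read from it are HTTP header data from the peer
    HttpEvent* he = static_cast<HttpEvent*>(&e);

    // the flow supplies the endpoints; without one there is no line to write.
    // NOTE(review): presumably the HTTP publisher always passes a flow -- this
    // guard only turns a null dereference into a dropped line
    if ( !f )
        return;

    time_t pt = packet_time();
    struct tm st;
    char buf[26];   // asctime_r() needs exactly 26 bytes: "Www Mmm dd hh:mm:ss yyyy\n\0"
    SfIpString ip_str;

    // both calls report failure with nullptr; fall back to an empty timestamp
    // rather than formatting an uninitialized struct tm
    if ( !gmtime_r(&pt, &st) or !asctime_r(&st, buf) )
        buf[0] = '\0';
    else
        buf[sizeof(buf)-2] = '\0';   // drop asctime's trailing newline

    TextLog_Print(tlog, "%s, ", buf);
    // ip_str is reused: each ntop() result is consumed by its own
    // TextLog_Print call before the buffer is overwritten
    TextLog_Print(tlog, "%s, %d, ", f->client_ip.ntop(ip_str), f->client_port);
    TextLog_Print(tlog, "%s, %d", f->server_ip.ntop(ip_str), f->server_port);

    int32_t n;
    const uint8_t* s;

    s = he->get_server(n);
    log(s, n);

    s = he->get_authority(n);
    log(s, n);

    s = he->get_uri(n);
    log(s, n);

    // a non-positive code means none was reported; the field is then omitted
    n = he->get_response_code();
    if ( n > 0 )
        TextLog_Print(tlog, ", %d", n);

    s = he->get_user_agent(n);
    log(s, n);

    TextLog_NewLine(tlog);
    dl_stats.total_packets++;
}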
  103 
  104 //-------------------------------------------------------------------------
  105 // inspector stuff
  106 //-------------------------------------------------------------------------
  107 
// Passive inspector: it never looks at packets itself, it only subscribes a
// LogHandler to the configured HTTP header event and owns the per-thread log.
class DataLog : public Inspector
{
public:
    // s: event key from the module; n: rollover size in bytes (0 = unlimited)
    DataLog(const std::string& s, uint64_t n) : key(s), limit(n) { }

    void show(const SnortConfig*) const override;
    void eval(Packet*) override { }

    bool configure(SnortConfig*) override
    {
        // only the request key selects REQUEST_HEADER; any other key (the
        // PT_SELECT parameter admits just the two) falls through to the
        // response event
        const bool want_request = (key == "http_request_header_event");
        const unsigned eid = want_request ? HttpEventIds::REQUEST_HEADER : HttpEventIds::RESPONSE_HEADER;
        // NOTE(review): the handler is handed over to the data bus; presumably
        // it is owned and freed there
        LogHandler* handler = new LogHandler(key);
        DataBus::subscribe(http_pub_key, eid, handler);
        return true;
    }

    // per-thread log file, 64 KB buffer, rolled over at limit bytes
    void tinit() override
    {
        tlog = TextLog_Init(s_name, 64*K_BYTES, limit);
    }

    void tterm() override
    {
        TextLog_Term(tlog);
    }

private:
    std::string key;
    uint64_t limit;
};
  133 
// Report the effective configuration; limit is shown in MB, undoing the
// scaling applied in DataLogModule::set.
void DataLog::show(const SnortConfig*) const
{
    const uint64_t limit_mb = limit / M_BYTES;

    ConfigLogger::log_value("key", key.c_str());
    ConfigLogger::log_value("limit", limit_mb);
}
  139 
  140 //-------------------------------------------------------------------------
  141 // module stuff
  142 //-------------------------------------------------------------------------
  143 
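// Lua parameters. The "key" default is compared byte-for-byte against
// "http_request_header_event" in DataLog::configure, so it must carry no
// surrounding whitespace -- otherwise the default silently selects the
// response event instead.
static const Parameter dl_params[] =
{
    { "key", Parameter::PT_SELECT, "http_request_header_event | http_response_header_event",
      "http_request_header_event", "name of the event to log" },

    // given in MB; scaled to bytes in DataLogModule::set
    { "limit", Parameter::PT_INT, "0:max32", "0",
      "set maximum size in MB before rollover (0 is unlimited)" },

    { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};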
  154 
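// Configuration module: collects "key" and "limit" from Lua and exposes the
// per-thread counters.
class DataLogModule : public Module
{
public:
    DataLogModule() : Module(s_name, s_help, dl_params)
    { }

    const PegInfo* get_pegs() const override
    { return simple_pegs; }

    // dl_stats is a SimpleStats counted in LogHandler::handle; the framework
    // reads it as a flat PegCount array, hence the pointer reinterpretation
    PegCount* get_counts() const override
    { return reinterpret_cast<PegCount*>(&dl_stats); }

    bool begin(const char*, int, SnortConfig*) override;
    bool set(const char*, Value& v, SnortConfig*) override;

    Usage get_usage() const override
    { return INSPECT; }

public:
    // read by dl_ctor() once configuration is complete; begin() resets both,
    // and the in-class initializer keeps limit defined even before that
    std::string key;
    uint64_t limit = 0;
};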
  177 
// Reset both settings before a table is parsed, so a table that omits a
// parameter does not inherit a value from an earlier one.
bool DataLogModule::begin(const char*, int, SnortConfig*)
{
    limit = 0;
    key = std::string();
    return true;
}
  184 
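// Store one parameter value; always reports success since validation of the
// select list and the integer range happens in the framework.
bool DataLogModule::set(const char*, Value& v, SnortConfig*)
{
    if ( v.is("key") )
        key = v.get_string();

    else if ( v.is("limit") )
    {
        // widen before scaling: "limit" accepts up to max32 MB, and unless
        // M_BYTES is itself 64-bit a 32-bit product wraps at 4096 MB -- to 0,
        // which means "unlimited"
        limit = static_cast<uint64_t>(v.get_uint32()) * M_BYTES;
    }

    return true;
}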
  195 
  196 //-------------------------------------------------------------------------
  197 // api stuff
  198 //-------------------------------------------------------------------------
  199 
// Module factory; ownership of the new module passes to the caller and is
// returned through mod_dtor.
static Module* mod_ctor()
{
    Module* m = new DataLogModule;
    return m;
}
  202 
// Release a module created by mod_ctor.
static void mod_dtor(Module* m)
{
    delete m;
}
  205 
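// Inspector factory: copies the configured key and limit out of the module.
// The framework only ever passes the module created by mod_ctor here, so the
// downcast is to the concrete type.
static Inspector* dl_ctor(Module* m)
{
    DataLogModule* mod = static_cast<DataLogModule*>(m);
    return new DataLog(mod->key, mod->limit);
}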
  211 
// Release an inspector created by dl_ctor.
static void dl_dtor(Inspector* p)
{ delete p; }
  216 
// Inspector API descriptor wiring the constructors/destructors above into
// Snort. The api-level tinit/tterm slots stay null: per-thread log setup
// lives in DataLog::tinit/tterm instead.
static const InspectApi dl_api
{
    {
        PT_INSPECTOR,
        sizeof(InspectApi),
        INSAPI_VERSION,
        0,
        API_RESERVED,
        API_OPTIONS,
        s_name,
        s_help,
        mod_ctor,
        mod_dtor
    },
    IT_PASSIVE,            // never sees packets directly (eval is empty)
    PROTO_BIT__NONE,
    nullptr, // buffers
    nullptr, // service
    nullptr, // pinit
    nullptr, // pterm
    nullptr, // tinit,
    nullptr, // tterm,
    dl_ctor,
    dl_dtor,
    nullptr, // ssn
    nullptr  // reset
};
  244 
// null-terminated plugin table exported from this shared object; Snort walks
// it at load time
SO_PUBLIC const BaseApi* snort_plugins[] =
{
    &dl_api.base,
    nullptr
};
  250