From: Eric Leblond
Date: Thu, 19 Apr 2018 09:41:40 +0000 (+0200)
Subject: file: update logger API to log direction
X-Git-Tag: suricata-4.1.0-rc1~123
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1012fc446611a4b8c66522b5985c76b156ba8982;p=thirdparty%2Fsuricata.git

file: update logger API to log direction

By adding the flow direction to the logger we can have an accurate logging of fileinfo events that has source and destination IP correctly set.
---
diff --git a/src/log-file.c b/src/log-file.c
index 63a85e8f86..045588f51b 100644
--- a/src/log-file.c
+++ b/src/log-file.c
@@ -325,7 +325,8 @@ static void LogFileWriteJsonRecord(LogFileLogThread *aft, const Packet *p, const
     SCMutexUnlock(&aft->file_ctx->fp_mutex);
 }
 
-static int LogFileLogger(ThreadVars *tv, void *thread_data, const Packet *p, const File *ff)
+static int LogFileLogger(ThreadVars *tv, void *thread_data, const Packet *p,
+        const File *ff, uint8_t dir)
 {
     SCEnter();
     LogFileLogThread *aft = (LogFileLogThread *)thread_data;
diff --git a/src/log-filestore.c b/src/log-filestore.c
index d0509540c0..b2307861d9 100644
--- a/src/log-filestore.c
+++ b/src/log-filestore.c
@@ -392,7 +392,7 @@ static void LogFilestoreFinalizeFiles(const File *ff) {
 }
 
 static int LogFilestoreLogger(ThreadVars *tv, void *thread_data, const Packet *p,
-        File *ff, const uint8_t *data, uint32_t data_len, uint8_t flags)
+        File *ff, const uint8_t *data, uint32_t data_len, uint8_t flags, uint8_t dir)
 {
     SCEnter();
     LogFilestoreLogThread *aft = (LogFilestoreLogThread *)thread_data;
diff --git a/src/output-file.c b/src/output-file.c
index 1c4ad27845..b47e76aea3 100644
--- a/src/output-file.c
+++ b/src/output-file.c
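Review bot: `LogFileLogger`, `LogFilestoreLogger` and `LuaFileLogger` (output-lua.c, last hunk) gain `dir` only so that they still match the widened `FileLogger`/`FiledataLogger` typedefs; each hunk ends before the body shows the value being consumed, and the `LogFileWriteJsonRecord` signature visible in this hunk's context is untouched, so presumably these three loggers keep emitting records without a direction. A reader of the header will assume every registered logger honours `dir`, so the intent should be stated at the parameter, e.g. `/* dir: not used, this logger writes direction-less records */`, or the value forwarded in a follow-up. All three function bodies continue outside their hunks.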
@@ -94,7 +94,8 @@ int OutputRegisterFileLogger(LoggerId id, const char *name, FileLogger LogFunc,
 
 static void OutputFileLogFfc(ThreadVars *tv,
         OutputLoggerThreadData *op_thread_data, Packet *p,
-        FileContainer *ffc, const bool file_close, const bool file_trunc)
+        FileContainer *ffc, const bool file_close, const bool file_trunc,
+        uint8_t dir)
 {
     SCLogDebug("ffc %p", ffc);
     if (ffc != NULL) {
@@ -127,7 +128,7 @@ static void OutputFileLogFfc(ThreadVars *tv,
 
                 SCLogDebug("logger %p", logger);
                 PACKET_PROFILING_LOGGER_START(p, logger->logger_id);
-                logger->LogFunc(tv, store->thread_data, (const Packet *)p, (const File *)ff);
+                logger->LogFunc(tv, store->thread_data, (const Packet *)p, (const File *)ff, dir);
                 PACKET_PROFILING_LOGGER_END(p, logger->logger_id);
 
                 file_logged = true;
@@ -176,8 +177,8 @@ static TmEcode OutputFileLog(ThreadVars *tv, Packet *p, void *thread_data)
         FileContainer *ffc_tc = AppLayerParserGetFiles(p->proto, f->alproto,
                                                         f->alstate, STREAM_TOCLIENT);
 
-        OutputFileLogFfc(tv, op_thread_data, p, ffc_ts, file_close_ts, file_trunc);
-        OutputFileLogFfc(tv, op_thread_data, p, ffc_tc, file_close_tc, file_trunc);
+        OutputFileLogFfc(tv, op_thread_data, p, ffc_ts, file_close_ts, file_trunc, STREAM_TOSERVER);
+        OutputFileLogFfc(tv, op_thread_data, p, ffc_tc, file_close_tc, file_trunc, STREAM_TOCLIENT);
 
         return TM_ECODE_OK;
     }
diff --git a/src/output-file.h b/src/output-file.h
index d27d26eec4..14b661251b 100644
--- a/src/output-file.h
+++ b/src/output-file.h
@@ -30,7 +30,8 @@
 #include "util-file.h"
 
 /** packet logger function pointer type */
-typedef int (*FileLogger)(ThreadVars *, void *thread_data, const Packet *, const File *);
+typedef int (*FileLogger)(ThreadVars *, void *thread_data, const Packet *,
+        const File *, uint8_t direction);
 
 /** packet logger condition function pointer type,
  * must return true for packets that should be logged
diff --git a/src/output-filedata.c b/src/output-filedata.c
index 1ec2353956..0502c62a78 100644
--- a/src/output-filedata.c
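Review bot: The `FileLogger` typedef in output-file.h keeps the comment `/** packet logger function pointer type */`, which says nothing about the new `direction` argument, and the parameter is named `direction` here but `dir` in the `FiledataLogger` typedef and in every implementation touched by this commit. Suggest `/** file logger function pointer type; direction is STREAM_TOSERVER or STREAM_TOCLIENT and names the side of the flow whose FileContainer is being logged */` and renaming the parameter to `dir`. That contract is what the OutputFileLog hunk at line 177 establishes: the `ffc_tc` container fetched with STREAM_TOCLIENT is logged with STREAM_TOCLIENT, and `ffc_ts` with STREAM_TOSERVER.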
+++ b/src/output-filedata.c
@@ -99,7 +99,7 @@ SC_ATOMIC_DECLARE(unsigned int, g_file_store_id);
 
 static int CallLoggers(ThreadVars *tv, OutputLoggerThreadStore *store_list,
         Packet *p, File *ff,
-        const uint8_t *data, uint32_t data_len, uint8_t flags)
+        const uint8_t *data, uint32_t data_len, uint8_t flags, uint8_t dir)
 {
     OutputFiledataLogger *logger = list;
     OutputLoggerThreadStore *store = store_list;
@@ -110,7 +110,7 @@ static int CallLoggers(ThreadVars *tv, OutputLoggerThreadStore *store_list,
 
         SCLogDebug("logger %p", logger);
         PACKET_PROFILING_LOGGER_START(p, logger->logger_id);
-        logger->LogFunc(tv, store->thread_data, (const Packet *)p, ff, data, data_len, flags);
+        logger->LogFunc(tv, store->thread_data, (const Packet *)p, ff, data, data_len, flags, dir);
         PACKET_PROFILING_LOGGER_END(p, logger->logger_id);
 
         file_logged = 1;
@@ -126,7 +126,7 @@ static int CallLoggers(ThreadVars *tv, OutputLoggerThreadStore *store_list,
 
 static void OutputFiledataLogFfc(ThreadVars *tv, OutputLoggerThreadStore *store,
         Packet *p, FileContainer *ffc, const uint8_t call_flags,
-        const bool file_close, const bool file_trunc)
+        const bool file_close, const bool file_trunc, const uint8_t dir)
 {
     if (ffc != NULL) {
         File *ff;
@@ -155,7 +155,7 @@ static void OutputFiledataLogFfc(ThreadVars *tv, OutputLoggerThreadStore *store,
                 if (ff->state < FILE_STATE_CLOSED) {
                     FileCloseFilePtr(ff, NULL, 0, FILE_TRUNCATED);
                 }
-                CallLoggers(tv, store, p, ff, NULL, 0, OUTPUT_FILEDATA_FLAG_CLOSE);
+                CallLoggers(tv, store, p, ff, NULL, 0, OUTPUT_FILEDATA_FLAG_CLOSE, dir);
                 ff->flags |= FILE_STORED;
                 continue;
             }
@@ -189,7 +189,7 @@ static void OutputFiledataLogFfc(ThreadVars *tv, OutputLoggerThreadStore *store,
                     &data, &data_len,
                     ff->content_stored);
 
-            const int file_logged = CallLoggers(tv, store, p, ff, data, data_len, file_flags);
+            const int file_logged = CallLoggers(tv, store, p, ff, data, data_len, file_flags, dir);
             if (file_logged) {
                 ff->content_stored += data_len;
 
@@ -233,9 +233,9 @@ static TmEcode OutputFiledataLog(ThreadVars *tv, Packet *p, void *thread_data)
         FileContainer *ffc_tc = AppLayerParserGetFiles(p->proto, f->alproto,
                                                         f->alstate, STREAM_TOCLIENT);
         SCLogDebug("ffc_ts %p", ffc_ts);
-        OutputFiledataLogFfc(tv, store, p, ffc_ts, STREAM_TOSERVER, file_close_ts, file_trunc);
+        OutputFiledataLogFfc(tv, store, p, ffc_ts, STREAM_TOSERVER, file_close_ts, file_trunc, STREAM_TOSERVER);
         SCLogDebug("ffc_tc %p", ffc_tc);
-        OutputFiledataLogFfc(tv, store, p, ffc_tc, STREAM_TOCLIENT, file_close_tc, file_trunc);
+        OutputFiledataLogFfc(tv, store, p, ffc_tc, STREAM_TOCLIENT, file_close_tc, file_trunc, STREAM_TOCLIENT);
 
         return TM_ECODE_OK;
     }
diff --git a/src/output-filedata.h b/src/output-filedata.h
index 8a280b6752..b823510505 100644
--- a/src/output-filedata.h
+++ b/src/output-filedata.h
@@ -34,7 +34,7 @@
 
 /** filedata logger function pointer type */
 typedef int (*FiledataLogger)(ThreadVars *, void *thread_data, const Packet *,
-        File *, const uint8_t *, uint32_t, uint8_t);
+        File *, const uint8_t *, uint32_t, uint8_t, uint8_t dir);
 
 /** packet logger condition function pointer type,
  * must return true for packets that should be logged
diff --git a/src/output-filestore.c b/src/output-filestore.c
index fe83f1b06a..8adb01aefe 100644
--- a/src/output-filestore.c
+++ b/src/output-filestore.c
@@ -121,7 +121,7 @@ static void OutputFilestoreUpdateFileTime(const char *src_filename,
 
 static void OutputFilestoreFinalizeFiles(ThreadVars *tv,
         const OutputFilestoreLogThread *oft, const OutputFilestoreCtx *ctx,
-        const Packet *p, File *ff) {
+        const Packet *p, File *ff, uint8_t dir) {
     /* Stringify the SHA256 which will be used in the final
      * filename. */
     char sha256string[(SHA256_LENGTH * 2) + 1];
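Review bot: `OutputFiledataLogFfc` now receives the direction twice at both call sites in `OutputFiledataLog`: `call_flags` and the new trailing `dir` are each passed STREAM_TOSERVER for `ffc_ts` and STREAM_TOCLIENT for `ffc_tc`. Unless `call_flags` is meant to carry bits other than the direction, the two arguments can silently drift apart at a future call site; either derive `dir` from `call_flags` inside the function (defined in the output-filedata.c hunk at line 126, where it is already `const uint8_t dir`) or pin the invariant at the parameter with `/* dir: direction of ffc; must agree with the STREAM_* bit in call_flags */`. The same comment belongs on the `FiledataLogger` typedef in output-filedata.h, whose `/** filedata logger function pointer type */` does not mention the new last argument.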
@@ -162,7 +162,7 @@ static void OutputFilestoreFinalizeFiles(ThreadVars *tv,
     snprintf(js_metadata_filename, sizeof(js_metadata_filename),
             "%s.%"PRIuMAX".%u.json", final_filename,
             (uintmax_t)p->ts.tv_sec, ff->file_store_id);
-    json_t *js_fileinfo = JsonBuildFileInfoRecord(p, ff, true);
+    json_t *js_fileinfo = JsonBuildFileInfoRecord(p, ff, true, dir);
     if (likely(js_fileinfo != NULL)) {
         json_dump_file(js_fileinfo, js_metadata_filename, 0);
         json_decref(js_fileinfo);
@@ -173,7 +173,7 @@ static void OutputFilestoreFinalizeFiles(ThreadVars *tv,
 
 static int OutputFilestoreLogger(ThreadVars *tv, void *thread_data,
         const Packet *p, File *ff, const uint8_t *data, uint32_t data_len,
-        uint8_t flags)
+        uint8_t flags, uint8_t dir)
 {
     SCEnter();
     OutputFilestoreLogThread *aft = (OutputFilestoreLogThread *)thread_data;
@@ -255,7 +255,7 @@ static int OutputFilestoreLogger(ThreadVars *tv, void *thread_data,
             ff->fd = -1;
             SC_ATOMIC_SUB(filestore_open_file_cnt, 1);
         }
-        OutputFilestoreFinalizeFiles(tv, aft, ctx, p, ff);
+        OutputFilestoreFinalizeFiles(tv, aft, ctx, p, ff, dir);
     }
 
     return 0;
diff --git a/src/output-json-file.c b/src/output-json-file.c
index 4b07f6ae8e..f652a432af 100644
--- a/src/output-json-file.c
+++ b/src/output-json-file.c
@@ -50,6 +50,7 @@
 #include "util-time.h"
 #include "util-buffer.h"
 #include "util-byte.h"
+#include "util-validate.h"
 
 #include "log-file.h"
 #include "util-logopenfile.h"
@@ -80,10 +81,24 @@ typedef struct JsonFileLogThread_ {
 } JsonFileLogThread;
 
 json_t *JsonBuildFileInfoRecord(const Packet *p, const File *ff,
-        const bool stored)
+        const bool stored, uint8_t dir)
 {
-    json_t *js = CreateJSONHeader(p, LOG_DIR_PACKET, "fileinfo");
     json_t *hjs = NULL;
+    enum OutputJsonLogDirection fdir = LOG_DIR_FLOW;
+
+    switch(dir) {
+        case STREAM_TOCLIENT:
+            fdir = LOG_DIR_FLOW_TOCLIENT;
+            break;
+        case STREAM_TOSERVER:
+            fdir = LOG_DIR_FLOW_TOSERVER;
+            break;
+        default:
+            DEBUG_VALIDATE_BUG_ON(1);
+            break;
+    }
+
+    json_t *js = CreateJSONHeader(p, fdir, "fileinfo");
     if (unlikely(js == NULL))
         return NULL;
 
@@ -200,10 +215,11 @@ json_t *JsonBuildFileInfoRecord(const Packet *p, const File *ff,
  * \internal
  * \brief Write meta data on a single line json record
  */
-static void FileWriteJsonRecord(JsonFileLogThread *aft, const Packet *p, const File *ff)
+static void FileWriteJsonRecord(JsonFileLogThread *aft, const Packet *p,
+        const File *ff, uint32_t dir)
 {
     json_t *js = JsonBuildFileInfoRecord(p, ff,
-            ff->flags & FILE_STORED ? true : false);
+            ff->flags & FILE_STORED ? true : false, dir);
     if (unlikely(js == NULL)) {
         return;
     }
@@ -213,7 +229,8 @@ static void FileWriteJsonRecord(JsonFileLogThread *aft, const Packet *p, const F
     json_decref(js);
 }
 
-static int JsonFileLogger(ThreadVars *tv, void *thread_data, const Packet *p, const File *ff)
+static int JsonFileLogger(ThreadVars *tv, void *thread_data, const Packet *p,
+        const File *ff, uint8_t dir)
 {
     SCEnter();
     JsonFileLogThread *aft = (JsonFileLogThread *)thread_data;
@@ -222,7 +239,7 @@ static int JsonFileLogger(ThreadVars *tv, void *thread_data, const Packet *p, co
 
     SCLogDebug("ff %p", ff);
 
-    FileWriteJsonRecord(aft, p, ff);
+    FileWriteJsonRecord(aft, p, ff, dir);
     return 0;
 }
 
diff --git a/src/output-json-file.h b/src/output-json-file.h
index fdd38d60ea..9b7657d216 100644
--- a/src/output-json-file.h
+++ b/src/output-json-file.h
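Review bot: `FileWriteJsonRecord` declares its new parameter as `uint32_t dir` while its only caller `JsonFileLogger` receives `uint8_t dir` and it forwards the value into `JsonBuildFileInfoRecord(..., uint8_t dir)`, so the direction is widened and narrowed on every call and `-Wconversion` will flag the pass-through; use `const File *ff, uint8_t dir)` to match the rest of the chain. In `JsonBuildFileInfoRecord`, the `default:` arm only fires `DEBUG_VALIDATE_BUG_ON(1)`, so a release build that is handed a value other than STREAM_TOSERVER/STREAM_TOCLIENT silently builds the record with `LOG_DIR_FLOW` orientation; if that fallback is intended, say so at the initialiser, `enum OutputJsonLogDirection fdir = LOG_DIR_FLOW; /* fallback for an unexpected dir in release builds */`, otherwise return NULL there. The `\brief` block above `FileWriteJsonRecord` should also gain a line for `dir`.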
@@ -28,7 +28,7 @@ void JsonFileLogRegister(void);
 
 #ifdef HAVE_LIBJANSSON
 json_t *JsonBuildFileInfoRecord(const Packet *p, const File *ff,
-        const bool stored);
+        const bool stored, uint8_t dir);
 #endif
 
 #endif /* __OUTPUT_JSON_FILE_H__ */
diff --git a/src/output-json.c b/src/output-json.c
index c217ae3985..a4b31594b9 100644
--- a/src/output-json.c
+++ b/src/output-json.c
@@ -399,7 +399,23 @@ void JsonFiveTuple(const Packet *p, enum OutputJsonLogDirection dir, json_t *js)
     dstip[0] = '\0';
 
     switch (dir) {
+        case LOG_DIR_PACKET:
+            if (PKT_IS_IPV4(p)) {
+                PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p),
+                        srcip, sizeof(srcip));
+                PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p),
+                        dstip, sizeof(dstip));
+            } else if (PKT_IS_IPV6(p)) {
+                PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p),
+                        srcip, sizeof(srcip));
+                PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p),
+                        dstip, sizeof(dstip));
+            }
+            sp = p->sp;
+            dp = p->dp;
+            break;
         case LOG_DIR_FLOW:
+        case LOG_DIR_FLOW_TOSERVER:
             if ((PKT_IS_TOSERVER(p))) {
                 if (PKT_IS_IPV4(p)) {
                     PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p),
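Review bot: `LOG_DIR_FLOW` and the new `LOG_DIR_FLOW_TOSERVER` now share one case arm in `JsonFiveTuple` with nothing saying why they are equivalent, and the two enumerators added in output-json.h (hunk at line 36) carry no comment, so a reader has to reverse the swap logic below to learn which side ends up as `src_ip`. Suggest `case LOG_DIR_FLOW_TOSERVER: /* same as LOG_DIR_FLOW: client as source, server as destination */` here, and in the enum `LOG_DIR_FLOW_TOCLIENT, /* src = server side of the flow, dst = client side */` and `LOG_DIR_FLOW_TOSERVER, /* src = client side of the flow, dst = server side */`, which is what the TOSERVER/TOCLIENT branches compute. The `LOG_DIR_PACKET` arm is only moved, not changed, so the reordering alone warrants no further comment.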
@@ -430,20 +446,36 @@ void JsonFiveTuple(const Packet *p, enum OutputJsonLogDirection dir, json_t *js)
                 dp = p->sp;
             }
             break;
-        case LOG_DIR_PACKET:
-            if (PKT_IS_IPV4(p)) {
-                PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p),
-                        srcip, sizeof(srcip));
-                PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p),
-                        dstip, sizeof(dstip));
-            } else if (PKT_IS_IPV6(p)) {
-                PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p),
-                        srcip, sizeof(srcip));
-                PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p),
-                        dstip, sizeof(dstip));
+        case LOG_DIR_FLOW_TOCLIENT:
+            if ((PKT_IS_TOCLIENT(p))) {
+                if (PKT_IS_IPV4(p)) {
+                    PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p),
+                            srcip, sizeof(srcip));
+                    PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p),
+                            dstip, sizeof(dstip));
+                } else if (PKT_IS_IPV6(p)) {
+                    PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p),
+                            srcip, sizeof(srcip));
+                    PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p),
+                            dstip, sizeof(dstip));
+                }
+                sp = p->sp;
+                dp = p->dp;
+            } else {
+                if (PKT_IS_IPV4(p)) {
+                    PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p),
+                            srcip, sizeof(srcip));
+                    PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p),
+                            dstip, sizeof(dstip));
+                } else if (PKT_IS_IPV6(p)) {
+                    PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p),
+                            srcip, sizeof(srcip));
+                    PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p),
+                            dstip, sizeof(dstip));
+                }
+                sp = p->dp;
+                dp = p->sp;
             }
-            sp = p->sp;
-            dp = p->dp;
             break;
         default:
             DEBUG_VALIDATE_BUG_ON(1);
diff --git a/src/output-json.h b/src/output-json.h
index c4b55c61c7..ff3870f39d 100644
--- a/src/output-json.h
+++ b/src/output-json.h
@@ -36,6 +36,8 @@ void OutputJsonRegister(void);
 enum OutputJsonLogDirection {
     LOG_DIR_PACKET = 0,
     LOG_DIR_FLOW,
+    LOG_DIR_FLOW_TOCLIENT,
+    LOG_DIR_FLOW_TOSERVER,
 };
 
 /* helper struct for OutputJSONMemBufferCallback */
diff --git a/src/output-lua.c b/src/output-lua.c
index 7555a0d90e..eb71ef2407 100644
--- a/src/output-lua.c
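Review bot: The new `LOG_DIR_FLOW_TOCLIENT` arm is the `LOG_DIR_FLOW` arm from the previous hunk with the condition inverted, so `JsonFiveTuple` now carries the IPv4/IPv6 `PrintInet` pair four times (straight and swapped, twice); a later fix to the address printing is likely to reach only some of the copies. A small static helper that prints the pair with a swap flag reduces each arm to its condition plus the port assignment, and the `LOG_DIR_FLOW`/`LOG_DIR_FLOW_TOSERVER` arm can use the same call with `!PKT_IS_TOSERVER(p)`. The `srcip`/`dstip` declarations and the type of `sp`/`dp` are outside the hunk, so the sketch below takes the buffer lengths explicitly and leaves the port assignment inline.
```c
/* Print the packet's address pair into srcip/dstip; swap the two when the
 * requested log direction is the opposite of the packet's direction. */
static void JsonFiveTupleAddrs(const Packet *p, int swap,
        char *srcip, size_t srcip_len, char *dstip, size_t dstip_len)
{
    int af;
    const void *src;
    const void *dst;
    if (PKT_IS_IPV4(p)) {
        af = AF_INET;
        src = (const void *)GET_IPV4_SRC_ADDR_PTR(p);
        dst = (const void *)GET_IPV4_DST_ADDR_PTR(p);
    } else if (PKT_IS_IPV6(p)) {
        af = AF_INET6;
        src = (const void *)GET_IPV6_SRC_ADDR(p);
        dst = (const void *)GET_IPV6_DST_ADDR(p);
    } else {
        return;
    }
    PrintInet(af, swap ? dst : src, srcip, srcip_len);
    PrintInet(af, swap ? src : dst, dstip, dstip_len);
}

/* … unchanged: JsonFiveTuple up to the switch on dir … */
        case LOG_DIR_FLOW_TOCLIENT:
            JsonFiveTupleAddrs(p, !PKT_IS_TOCLIENT(p),
                    srcip, sizeof(srcip), dstip, sizeof(dstip));
            if (PKT_IS_TOCLIENT(p)) {
                sp = p->sp;
                dp = p->dp;
            } else {
                sp = p->dp;
                dp = p->sp;
            }
            break;
```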
+++ b/src/output-lua.c
@@ -307,7 +307,7 @@ static int LuaPacketCondition(ThreadVars *tv, const Packet *p)
  *
  * NOTE p->flow is locked at this point
  */
-static int LuaFileLogger(ThreadVars *tv, void *thread_data, const Packet *p, const File *ff)
+static int LuaFileLogger(ThreadVars *tv, void *thread_data, const Packet *p, const File *ff, uint8_t dir)
 {
     SCEnter();
     LogLuaThreadCtx *td = (LogLuaThreadCtx *)thread_data;