From: Eric Leblond Date: Wed, 14 Oct 2015 10:13:06 +0000 (+0200) Subject: json-email-common: can now log same header twice X-Git-Tag: suricata-3.0RC1~65 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=484885b70fe0ee380489f63545c49bd898afbc6d;p=thirdparty%2Fsuricata.git json-email-common: can now log same header twice Multiple events can be applied on a transaction so we may need to log the same header twice. The HDR_IS_LOGGED flag was making it impossible. And this system is usless as email application layer is transaction based. --- diff --git a/src/output-json-email-common.c b/src/output-json-email-common.c index d54b7b4d02..dc62832865 100644 --- a/src/output-json-email-common.c +++ b/src/output-json-email-common.c @@ -270,51 +270,73 @@ json_t *JsonEmailLogJsonData(const Flow *f, void *state, void *vtx, uint64_t tx_ json_object_set_new(sjs, "status", json_string(MimeDecParseStateGetStatus(mime_state))); - if ((entity->header_flags & HDR_IS_LOGGED) == 0) { - MimeDecField *field; - //printf("email LOG\n"); - - /* From: */ - field = MimeDecFindField(entity, "from"); - if (field != NULL) { - char *s = BytesToString((uint8_t *)field->value, - (size_t)field->value_len); - if (likely(s != NULL)) { - //printf("From: \"%s\"\n", s); - char * sp = SkipWhiteSpaceTill(s, s + strlen(s)); - json_object_set_new(sjs, "from", json_string(sp)); - SCFree(s); - } - } + MimeDecField *field; + //printf("email LOG\n"); - /* To: */ - field = MimeDecFindField(entity, "to"); - if (field != NULL) { - json_t *ajs = JsonEmailJsonArrayFromCommaList(field->value, field->value_len); - if (ajs) { - json_object_set_new(sjs, "to", ajs); - } + /* 
From: */ + field = MimeDecFindField(entity, "from"); + if (field != NULL) { + char *s = BytesToString((uint8_t *)field->value, + (size_t)field->value_len); + if (likely(s != NULL)) { + //printf("From: \"%s\"\n", s); + char * sp = SkipWhiteSpaceTill(s, s + strlen(s)); + json_object_set_new(sjs, "from", json_string(sp)); + SCFree(s); } + } - /* Cc: */ - field = MimeDecFindField(entity, "cc"); - if (field != NULL) { - json_t *ajs = JsonEmailJsonArrayFromCommaList(field->value, field->value_len); - if (ajs) { - json_object_set_new(sjs, "cc", ajs); - } + /* To: */ + field = MimeDecFindField(entity, "to"); + if (field != NULL) { + json_t *ajs = JsonEmailJsonArrayFromCommaList(field->value, field->value_len); + if (ajs) { + json_object_set_new(sjs, "to", ajs); } + } - entity->header_flags |= HDR_IS_LOGGED; + /* Cc: */ + field = MimeDecFindField(entity, "cc"); + if (field != NULL) { + json_t *ajs = JsonEmailJsonArrayFromCommaList(field->value, field->value_len); + if (ajs) { + json_object_set_new(sjs, "cc", ajs); + } + } - if (mime_state->stack == NULL || mime_state->stack->top == NULL || mime_state->stack->top->data == NULL) - SCReturnPtr(NULL, "json_t"); + if (mime_state->stack == NULL || mime_state->stack->top == NULL || mime_state->stack->top->data == NULL) + SCReturnPtr(NULL, "json_t"); - entity = (MimeDecEntity *)mime_state->stack->top->data; - int attch_cnt = 0; - int url_cnt = 0; - json_t *js_attch = json_array(); - json_t *js_url = json_array(); + entity = (MimeDecEntity *)mime_state->stack->top->data; + int attch_cnt = 0; + int url_cnt = 0; + json_t *js_attch = json_array(); + json_t *js_url = json_array(); + if (entity->url_list != NULL) { + MimeDecUrl *url; + for (url = entity->url_list; url != NULL; url = url->next) { + char *s = BytesToString((uint8_t *)url->url, + (size_t)url->url_len); + if (s != NULL) { + //printf("URL: \"%s\"\n", s); + json_array_append_new(js_url, + json_string(s)); + SCFree(s); + url_cnt += 1; + } + } + } + for (entity = entity->child; 
entity != NULL; entity = entity->next) { + if (entity->ctnt_flags & CTNT_IS_ATTACHMENT) { + + char *s = BytesToString((uint8_t *)entity->filename, + (size_t)entity->filename_len); + //printf("found attachment \"%s\"\n", s); + json_array_append_new(js_attch, + json_string(s)); + SCFree(s); + attch_cnt += 1; + } if (entity->url_list != NULL) { MimeDecUrl *url; for (url = entity->url_list; url != NULL; url = url->next) { @@ -329,45 +351,19 @@ json_t *JsonEmailLogJsonData(const Flow *f, void *state, void *vtx, uint64_t tx_ } } } - for (entity = entity->child; entity != NULL; entity = entity->next) { - if (entity->ctnt_flags & CTNT_IS_ATTACHMENT) { - - char *s = BytesToString((uint8_t *)entity->filename, - (size_t)entity->filename_len); - //printf("found attachment \"%s\"\n", s); - json_array_append_new(js_attch, - json_string(s)); - SCFree(s); - attch_cnt += 1; - } - if (entity->url_list != NULL) { - MimeDecUrl *url; - for (url = entity->url_list; url != NULL; url = url->next) { - char *s = BytesToString((uint8_t *)url->url, - (size_t)url->url_len); - if (s != NULL) { - //printf("URL: \"%s\"\n", s); - json_array_append_new(js_url, - json_string(s)); - SCFree(s); - url_cnt += 1; - } - } - } - } - if (attch_cnt > 0) { - json_object_set_new(sjs, "attachment", js_attch); - } else { - json_decref(js_attch); - } - if (url_cnt > 0) { - json_object_set_new(sjs, "url", js_url); - } else { - json_decref(js_url); - } -// FLOWLOCK_UNLOCK(p->flow); - SCReturnPtr(sjs, "json_t"); } + if (attch_cnt > 0) { + json_object_set_new(sjs, "attachment", js_attch); + } else { + json_decref(js_attch); + } + if (url_cnt > 0) { + json_object_set_new(sjs, "url", js_url); + } else { + json_decref(js_url); + } +// FLOWLOCK_UNLOCK(p->flow); + SCReturnPtr(sjs, "json_t"); } json_decref(sjs); diff --git a/src/util-decode-mime.h b/src/util-decode-mime.h index 536c3a0a24..02b3bb13dd 100644 --- a/src/util-decode-mime.h +++ b/src/util-decode-mime.h 
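Review bot: The attachment branch of the added child-entity loop passes the result of `BytesToString()` straight to `json_string()` without the `s != NULL` check that the URL loops in this same hunk apply, and it increments `attch_cnt` whether or not anything was appended. If the conversion or `json_string()` fails (jansson returns NULL for a value that is not valid UTF-8, and the filename is taken from the message), the entry is dropped silently and the event can carry a short or empty `attachment` array. I would guard it like the URL case and count only successful appends: `if (s != NULL) { if (json_array_append_new(js_attch, json_string(s)) == 0) attch_cnt += 1; SCFree(s); }`. Separately, the `SCReturnPtr(NULL, "json_t")` taken when the MIME stack is empty is no longer limited to the first logging pass and returns without `json_decref(sjs)`; `sjs` is created outside this hunk, so please confirm it is not leaked on that path.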
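Review bot: The re-indented `// FLOWLOCK_UNLOCK(p->flow);` just before `SCReturnPtr(sjs, "json_t");` is commented-out code, and no `p` appears in the part of the signature shown in the hunk header; since the commit moves these lines anyway, I would delete it rather than carry it along. The two `json_object_set_new()` calls for `"attachment"` and `"url"` ignore their return value, so a failed insert only shows up as a missing key; a short comment such as `/* best effort: on failure the key is omitted from the event */` would record that this is intended. The function body starts and ends outside this hunk.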
@@ -33,9 +33,6 @@ #include "util-base64.h" #include "util-debug.h" -/* Header Flags */ -#define HDR_IS_LOGGED 1 - /* Content Flags */ #define CTNT_IS_MSG 1 #define CTNT_IS_ENV 2