From: Jason Ish
Date: Mon, 8 Jan 2018 19:41:34 +0000 (-0600)
Subject: eve/fileinfo: split record creation from writing
X-Git-Tag: suricata-4.1.0-beta1~344
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=59bb98afccee9f8af8f73841bc4e2cf829f5b5cd;p=thirdparty%2Fsuricata.git

eve/fileinfo: split record creation from writing

Split the building of the fileinfo record from the writing of the record so the building can be called from other code. Specifically the new filestore output which uses fileinfo records as the metadata.
---
diff --git a/src/output-json-file.c b/src/output-json-file.c
index fcfec5047e..33b1b40105 100644
--- a/src/output-json-file.c
+++ b/src/output-json-file.c
@@ -78,19 +78,12 @@ typedef struct JsonFileLogThread_ {
 MemBuffer *buffer;
 } JsonFileLogThread;
-/**
- * \internal
- * \brief Write meta data on a single line json record
- */
-static void FileWriteJsonRecord(JsonFileLogThread *aft, const Packet *p, const File *ff)
+json_t *JsonBuildFileInfoRecord(const Packet *p, const File *ff)
 {
 json_t *js = CreateJSONHeader((Packet *)p, 0, "fileinfo"); //TODO const
 json_t *hjs = NULL;
 if (unlikely(js == NULL))
- return;
-
- /* reset */
- MemBufferReset(aft->buffer);
+ return NULL;
 switch (p->flow->alproto) {
 case ALPROTO_HTTP:
@@ -124,7 +117,7 @@ static void FileWriteJsonRecord(JsonFileLogThread *aft, const Packet *p, const F
 json_t *fjs = json_object();
 if (unlikely(fjs == NULL)) {
 json_decref(js);
- return;
+ return NULL;
 }
 char *s = BytesToString(ff->name, ff->name_len);
@@ -158,15 +151,6 @@ static void FileWriteJsonRecord(JsonFileLogThread *aft, const Packet *p, const F
 }
 json_object_set_new(fjs, "sha1", json_string(str));
 }
- if (ff->flags & FILE_SHA256) {
- size_t x;
- int i;
- char str[256];
- for (i = 0, x = 0; x < sizeof(ff->sha256); x++) {
- i += snprintf(&str[i], 255-i, "%02x", ff->sha256[x]);
- }
- json_object_set_new(fjs, "sha256", json_string(str));
- }
 #endif
 break;
 case FILE_STATE_TRUNCATED:
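Review bot: `JsonBuildFileInfoRecord` becomes an exported function in the first hunk but carries no doc comment, since the `/** \internal ... */` block that used to sit above this body now belongs to the wrapper. The returned `json_t *` is a reference the caller must release (the wrapper does so with `json_decref(js)`), and NULL signals failure; neither is stated anywhere a new caller would look. The body also dereferences `p->flow` in `switch (p->flow->alproto)` with no check, so a non-NULL flow is now a precondition that every additional caller, such as the filestore output named in the commit message, has to meet. I would add above the definition `/** \brief Build a fileinfo record. \retval js new reference, caller must json_decref(); NULL on failure. \pre p->flow != NULL */`. The function body continues outside this hunk.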
@@ -179,6 +163,19 @@ static void FileWriteJsonRecord(JsonFileLogThread *aft, const Packet *p, const F
 json_object_set_new(fjs, "state", json_string("UNKNOWN"));
 break;
 }
+
+#ifdef HAVE_NSS
+ if (ff->flags & FILE_SHA256) {
+ size_t x;
+ int i;
+ char str[256];
+ for (i = 0, x = 0; x < sizeof(ff->sha256); x++) {
+ i += snprintf(&str[i], 255-i, "%02x", ff->sha256[x]);
+ }
+ json_object_set_new(fjs, "sha256", json_string(str));
+ }
+#endif
+
 json_object_set_new(fjs, "stored", (ff->flags & FILE_STORED) ? json_true() : json_false());
 if (ff->flags & FILE_STORED) {
@@ -189,20 +186,23 @@ static void FileWriteJsonRecord(JsonFileLogThread *aft, const Packet *p, const F
 /* originally just 'file', but due to bug 1127 naming it fileinfo */
 json_object_set_new(js, "fileinfo", fjs);
- OutputJSONBuffer(js, aft->filelog_ctx->file_ctx, &aft->buffer);
- json_object_del(js, "fileinfo");
- switch (p->flow->alproto) {
- case ALPROTO_HTTP:
- json_object_del(js, "http");
- break;
- case ALPROTO_SMTP:
- json_object_del(js, "smtp");
- json_object_del(js, "email");
- break;
+ return js;
+}
+
+/**
+ * \internal
+ * \brief Write meta data on a single line json record
+ */
+static void FileWriteJsonRecord(JsonFileLogThread *aft, const Packet *p, const File *ff)
+{
+ json_t *js = JsonBuildFileInfoRecord(p, ff);
+ if (unlikely(js == NULL)) {
+ return;
 }
- json_object_clear(js);
+ MemBufferReset(aft->buffer);
+ OutputJSONBuffer(js, aft->filelog_ctx->file_ctx, &aft->buffer);
 json_decref(js);
 }
diff --git a/src/output-json-file.h b/src/output-json-file.h
index 680724f6cb..774693c539 100644
--- a/src/output-json-file.h
+++ b/src/output-json-file.h
@@ -26,4 +26,8 @@ void JsonFileLogRegister(void);
+#ifdef HAVE_LIBJANSSON
+json_t *JsonBuildFileInfoRecord(const Packet *p, const File *ff);
+#endif
+
 #endif /* __OUTPUT_JSON_FILE_H__ */
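Review bot: The relocated SHA-256 block in the `@@ -179,6 +163,19 @@` hunk now sits after the closing brace of the `switch` on file state, so `sha256` is written for every state whenever `FILE_SHA256` is set, while `sha1` (visible in the previous hunk, just before `#endif break; case FILE_STATE_TRUNCATED:`) stays inside a single case. The commit message describes only a split of build and write and does not mention this change in output. If the flag can be set before the digest is final, a record for a truncated file would carry a hash that does not match the complete file, which misleads anyone matching these logs against hash indicators. I would state the invariant in a comment above the block, e.g. `/* FILE_SHA256 is only set once the digest is final, so it is logged for every state */` (to be confirmed against the code that sets the flag), or keep the block beside `sha1`. As a smaller style point, `255-i` would read better as `sizeof(str) - i`.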