From: Eric Leblond
Date: Fri, 17 Apr 2015 14:13:23 +0000 (+0200)
Subject: email-json: move email fields to email section
X-Git-Tag: suricata-3.0RC1~133
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5c26a2f2c8f52a4612f6c185dfd5af912f418589;p=thirdparty%2Fsuricata.git
email-json: move email fields to email section
This patch changes the way smtp message are written. It is using the "email" key to store the email related fields. This will allow to do the same search through SMTP and IMAP if we implement this last one.
---
diff --git a/src/output-json-email-common.c b/src/output-json-email-common.c
index 1efa9ce80f..de8e2568b1 100644
--- a/src/output-json-email-common.c
+++ b/src/output-json-email-common.c
@@ -56,12 +56,11 @@
 #include
 /* JSON format logging */
-static TmEcode JsonEmailLogJson(JsonEmailLogThread *aft, json_t *js, const Packet *p, Flow *f, void *state, void *vtx, uint64_t tx_id)
+TmEcode JsonEmailLogJson(JsonEmailLogThread *aft, json_t *js, const Packet *p, Flow *f, void *state, void *vtx, uint64_t tx_id)
 {
 SMTPState *smtp_state;
 MimeDecParseState *mime_state;
 MimeDecEntity *entity;
- char *protos = NULL;
 json_t *sjs = json_object();
 if (sjs == NULL) {
@@ -80,7 +79,6 @@ static TmEcode JsonEmailLogJson(JsonEmailLogThread *aft, json_t *js, const Packe
 SMTPTransaction *tx = vtx;
 mime_state = tx->mime_state;
 entity = tx->msg_tail;
- protos = "smtp";
 SCLogDebug("lets go mime_state %p, entity %p, state_flag %u", mime_state, entity, mime_state ? mime_state->state_flag : 0);
 break;
 default:
@@ -229,7 +227,7 @@ static TmEcode JsonEmailLogJson(JsonEmailLogThread *aft, json_t *js, const Packe
 } else {
 json_decref(js_url);
 }
- json_object_set_new(js, protos, sjs);
+ json_object_set_new(js, "email", sjs);
 // FLOWLOCK_UNLOCK(p->flow);
 SCReturnInt(TM_ECODE_OK);
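Review bot: JsonEmailLogJson loses `static` in the first hunk and becomes a cross-file entry point, yet its only comment is still `/* JSON format logging */`. A short contract comment above the definition would help the next caller: from the visible lines it attaches the object it builds to `js` under the `"email"` key and returns TM_ECODE_OK on that path, with TM_ECODE_DONE on another, so the caller should emit the record only on TM_ECODE_OK. The values it serialises appear to come from the decoded SMTP/MIME transaction, so the comment should also say they are sender-controlled strings that log consumers must treat as untrusted. The function body continues outside this hunk.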
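Review bot: The result of `json_object_set_new(js, "email", sjs);` in the third hunk is not checked, so if the insert fails the function still returns TM_ECODE_OK and the caller writes a record with no email section. A guard such as `if (json_object_set_new(js, "email", sjs) != 0) SCReturnInt(TM_ECODE_FAILED);` would stop an incomplete event from being logged as if it were complete. The rename is also a log-schema change: the caller still builds the header with "smtp", so consumers that query the old `smtp` object will stop matching without any error, and no documentation update is visible in this patch. The enclosing function starts and ends outside this hunk.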
@@ -240,27 +238,4 @@ static TmEcode JsonEmailLogJson(JsonEmailLogThread *aft, json_t *js, const Packe
 SCReturnInt(TM_ECODE_DONE);
 }
-int JsonEmailLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flow *f, void *state, void *tx, uint64_t tx_id) {
- SCEnter();
- JsonEmailLogThread *jhl = (JsonEmailLogThread *)thread_data;
- MemBuffer *buffer = (MemBuffer *)jhl->buffer;
-
- json_t *js = CreateJSONHeader((Packet *)p, 1, "smtp");
- if (unlikely(js == NULL))
- return TM_ECODE_OK;
-
- /* reset */
- MemBufferReset(buffer);
-
- if (JsonEmailLogJson(jhl, js, p, f, state, tx, tx_id) == TM_ECODE_OK) {
- OutputJSONBuffer(js, jhl->emaillog_ctx->file_ctx, buffer);
- }
- json_object_del(js, "smtp");
-
- json_object_clear(js);
- json_decref(js);
-
- SCReturnInt(TM_ECODE_OK);
-}
-
 #endif
diff --git a/src/output-json-email-common.h b/src/output-json-email-common.h
index 7a95954c77..618ba828cc 100644
--- a/src/output-json-email-common.h
+++ b/src/output-json-email-common.h
@@ -35,6 +35,8 @@ typedef struct JsonEmailLogThread_ {
 MemBuffer *buffer;
 } JsonEmailLogThread;
-int JsonEmailLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flow *f, void *state, void *tx, uint64_t tx_id);
+#ifdef HAVE_LIBJANSSON
+TmEcode JsonEmailLogJson(JsonEmailLogThread *aft, json_t *js, const Packet *p, Flow *f, void *state, void *vtx, uint64_t tx_id);
+#endif
 #endif /* __OUTPUT_JSON_EMAIL_COMMON_H__ */
diff --git a/src/output-json-smtp.c b/src/output-json-smtp.c
index f722c383e0..bb835f07c3 100644
--- a/src/output-json-smtp.c
+++ b/src/output-json-smtp.c
@@ -57,8 +57,26 @@
 static int JsonSmtpLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flow *f, void *state, void *tx, uint64_t tx_id)
 {
 SCEnter();
- int r = JsonEmailLogger(tv, thread_data, p, f, state, tx, tx_id);
- SCReturnInt(r);
+ JsonEmailLogThread *jhl = (JsonEmailLogThread *)thread_data;
+ MemBuffer *buffer = (MemBuffer *)jhl->buffer;
+
+ json_t *js = CreateJSONHeader((Packet *)p, 1, "smtp");
+ if (unlikely(js == NULL))
+ return TM_ECODE_OK;
+
+ /* reset */
+ MemBufferReset(buffer);
+
+ if (JsonEmailLogJson(jhl, js, p, f, state, tx, tx_id) == TM_ECODE_OK) {
+ OutputJSONBuffer(js, jhl->emaillog_ctx->file_ctx, buffer);
+ }
+ json_object_del(js, "smtp");
+
+ json_object_clear(js);
+ json_decref(js);
+
+ SCReturnInt(TM_ECODE_OK);
+
 }
 static void OutputSmtpLogDeInitCtx(OutputCtx *output_ctx)
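Review bot: `json_object_del(js, "smtp");` was moved here unchanged, but JsonEmailLogJson now attaches its object under "email", so as far as the visible lines show this call removes nothing. Nothing leaks because `json_object_clear(js);` follows, but the stale key hides the coupling between the two files; `json_object_del(js, "email");` or dropping the line would keep them in step. The early `return TM_ECODE_OK;` after `SCEnter()` also bypasses `SCReturnInt`, unlike the normal exit; `SCReturnInt(TM_ECODE_OK);` there would be consistent. The stray added blank line before the closing brace can go.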