From: Pascal Delalande
Date: Tue, 23 Jan 2018 20:18:41 +0000 (+0100)
Subject: rust/tftp: eve logging with rust
X-Git-Tag: suricata-4.1.0-beta1~285
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=80f2fbac6ebc1b9114175068647d6d1c44b46776;p=thirdparty%2Fsuricata.git
rust/tftp: eve logging with rust
---
diff --git a/doc/userguide/output/eve/eve-json-format.rst b/doc/userguide/output/eve/eve-json-format.rst
index 7f495b0224..799672c26d 100644
--- a/doc/userguide/output/eve/eve-json-format.rst
+++ b/doc/userguide/output/eve/eve-json-format.rst
@@ -299,3 +299,23 @@ Example of certificate logging using TLS custom logging (subject, sni, certifica
 "sni": "www.googleapis.com",
 "certificate": "MIIE3TCCA8WgAwIBAgIIQPsvobRZN0gwDQYJKoZIhvcNAQELBQAwSTELMA [...]"
 }
+
+Event type: TFTP
+----------------
+
+Fields
+~~~~~~
+
+* "packet": The operation code, can be "read" or "write" or "error"
+* "file": The filename transported with the tftp protocol
+* "mode": The mode field, can be "octet" or "mail" or "netascii" (or any combination of upper and lower case)
+
+Example of TFTP logging:
+
+::
+
+  "tftp": {
+    "packet": "write",
+    "file": "rfc1350.txt",
+    "mode": "octet"
+  }
diff --git a/rust/src/tftp/tftp.rs b/rust/src/tftp/tftp.rs
index eab70231e9..286049ef99 100644
--- a/rust/src/tftp/tftp.rs
+++ b/rust/src/tftp/tftp.rs
@@ -84,20 +84,16 @@ pub extern "C" fn rs_tftp_get_tx(state: &mut TFTPState,
 #[no_mangle]
 pub extern "C" fn rs_tftp_get_tx_logged(_state: &mut TFTPState,
- tx: &mut TFTPTransaction,
- logger: libc::uint32_t) -> i8 {
- if tx.logged.is_logged(logger) {
- 1
- } else {
- 0
- }
+ tx: &mut TFTPTransaction)
+ -> u32 {
+ return tx.logged.get();
 }
 #[no_mangle]
 pub extern "C" fn rs_tftp_set_tx_logged(_state: &mut TFTPState,
 tx: &mut TFTPTransaction,
- logger: libc::uint32_t) {
- tx.logged.set_logged(logger);
+ logged: libc::uint32_t) {
+ tx.logged.set(logged);
 }
 #[no_mangle]
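Review bot: The rewritten body of rs_tftp_get_tx_logged ends in an explicit `return tx.logged.get();`, where idiomatic Rust uses the tail expression `tx.logged.get()`, and putting `-> u32` alone on a continuation line reads oddly next to the `-> i8 {` placement it replaces. The C prototypes that app-layer-tftp.c uses for rs_tftp_get_tx_logged and rs_tftp_set_tx_logged are not in this diff; presumably they are generated, but they must be brought to the two-argument, u32-returning form or TFTPGetTxLogged is calling through a stale declaration. Neither function has a doc comment; a line such as `/// Logger flags recorded on this transaction (the C side's LoggerId).` on the getter and `/// Record the logger flags for this transaction.` on the setter would state the contract.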
diff --git a/src/app-layer-protos.c b/src/app-layer-protos.c
index ce80e4b661..9c5cd50d19 100644
--- a/src/app-layer-protos.c
+++ b/src/app-layer-protos.c
@@ -89,6 +89,7 @@ const char *AppProtoToString(AppProto alproto)
 break;
 case ALPROTO_FTPDATA:
 proto_name = "ftp-data";
+ break;
 case ALPROTO_TFTP:
 proto_name = "tftp";
 break;
diff --git a/src/app-layer-tftp.c b/src/app-layer-tftp.c
index 27f1180587..b368f7762b 100644
--- a/src/app-layer-tftp.c
+++ b/src/app-layer-tftp.c
@@ -120,7 +120,7 @@ static int TFTPHasEvents(void *state)
 static AppProto TFTPProbingParser(Flow *f, uint8_t *input, uint32_t input_len,
 uint32_t *offset)
 {
- /* Very simple test - if there is input, this is echo.
+ /* Very simple test - if there is input, this is tftp.
 * Also check if it's starting by a zero */
 if (input_len >= TFTP_MIN_FRAME_LEN && *input == 0) {
 SCLogDebug("Detected as ALPROTO_TFTP.");
@@ -176,9 +176,9 @@ static void TFTPSetTxLogged(void *state, void *vtx, uint32_t logger)
 rs_tftp_set_tx_logged(state, vtx, logger);
 }
-static int TFTPGetTxLogged(void *state, void *vtx, uint32_t logger)
+static LoggerId TFTPGetTxLogged(void *state, void *vtx)
 {
- return rs_tftp_get_tx_logged(state, vtx, logger);
+ return rs_tftp_get_tx_logged(state, vtx);
 }
 /**
diff --git a/src/output-json-tftp.c b/src/output-json-tftp.c
index ded1d12bde..6c79a992cc 100644
--- a/src/output-json-tftp.c
+++ b/src/output-json-tftp.c
@@ -23,7 +23,6 @@
 * Implement JSON/eve logging app-layer TFTP.
 */
-//#ifdef HAVE_RUST
 #include "suricata-common.h"
 #include "debug.h"
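Review bot: The added `break;` stops ALPROTO_FTPDATA from falling into the ALPROTO_TFTP case, which previously made AppProtoToString return "tftp" for FTP data flows and so mislabelled them in every output that uses the protocol name; the fix is correct. The rest of the switch lies outside the hunk, so the same omission may exist in other cases. Building with `-Wimplicit-fallthrough` would flag every unmarked fall-through, and the intentional ones can be annotated with `/* fallthrough */` so the warning stays meaningful.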
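Review bot: The reworded comment now says this detects tftp, but the condition it describes, `input_len >= TFTP_MIN_FRAME_LEN && *input == 0`, only checks the first byte of the datagram, so any UDP payload of sufficient length that begins with a zero byte is classified as TFTP and handed to the parser and logger. A TFTP opcode is a two-byte big-endian value, 1–5 in RFC 1350 plus 6 for OACK in RFC 2347, so the second byte is constrained too and can be checked cheaply, assuming TFTP_MIN_FRAME_LEN is at least 2 as the opcode itself requires: `if (input_len >= TFTP_MIN_FRAME_LEN && input[0] == 0 && input[1] >= 1 && input[1] <= 6) {`. TFTPProbingParser continues past the end of the hunk, so whatever the remaining lines check is not visible here. The comment should describe what is actually tested, e.g. `/* Very simple test: a datagram at least TFTP_MIN_FRAME_LEN bytes long whose first byte is zero is taken as tftp. */`.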
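Review bot: TFTPGetTxLogged now takes two parameters and returns LoggerId, but its sibling TFTPSetTxLogged, whose signature is the hunk's header line, still names its third parameter `logger` although the Rust function it forwards to renamed that value to `logged` and stores it whole with `tx.logged.set(logged)`; the C name still suggests a single logger id rather than the same value TFTPGetTxLogged reads back. Renaming it keeps the pair consistent: `static void TFTPSetTxLogged(void *state, void *vtx, uint32_t logged)` and `rs_tftp_set_tx_logged(state, vtx, logged);`. Both wrappers are one line; a short comment on each, such as `/** \brief Read back the logger flags recorded on a TFTP transaction. */`, would say what the value means, in the `/** ... */` style the last line of the hunk shows the file already uses.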
@@ -103,21 +102,22 @@ static void OutputTFTPLogDeInitCtxSub(OutputCtx *output_ctx)
 SCFree(output_ctx);
 }
-static OutputCtx *OutputTFTPLogInitSub(ConfNode *conf,
+static OutputInitResult OutputTFTPLogInitSub(ConfNode *conf,
 OutputCtx *parent_ctx)
 {
+ OutputInitResult result = { NULL, false };
 OutputJsonCtx *ajt = parent_ctx->data;
 LogTFTPFileCtx *tftplog_ctx = SCCalloc(1, sizeof(*tftplog_ctx));
 if (unlikely(tftplog_ctx == NULL)) {
- return NULL;
+ return result;
 }
 tftplog_ctx->file_ctx = ajt->file_ctx;
 OutputCtx *output_ctx = SCCalloc(1, sizeof(*output_ctx));
 if (unlikely(output_ctx == NULL)) {
 SCFree(tftplog_ctx);
- return NULL;
+ return result;
 }
 output_ctx->data = tftplog_ctx;
 output_ctx->DeInit = OutputTFTPLogDeInitCtxSub;
@@ -126,7 +126,9 @@ static OutputCtx *OutputTFTPLogInitSub(ConfNode *conf,
 AppLayerParserRegisterLogger(IPPROTO_UDP, ALPROTO_TFTP);
- return output_ctx;
+ result.ctx = output_ctx;
+ result.ok = true;
+ return result;
 }
 #define OUTPUT_BUFFER_SIZE 65535
diff --git a/suricata.yaml.in b/suricata.yaml.in
index 6294bec45c..5bcb100bef 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -239,6 +239,7 @@ outputs:
 #- dnp3
 @rust_config_comment@- nfs
+ @rust_config_comment@- tftp
 - ssh
 - stats:
 totals: yes # stats for all threads merged together
@@ -798,6 +799,8 @@ app-layer:
 # to configure.
 nfs:
 enabled: @rust_config_enabled@
+ tftp:
+ enabled: @rust_config_enabled@
 dns:
 # memcaps. Globally and per flow/state.
 #global-memcap: 16mb
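Review bot: `OutputInitResult result = { NULL, false };` initialises the struct positionally, which silently breaks if the member order of OutputInitResult changes; the members are named ctx and ok (the next hunk assigns `result.ctx` and `result.ok`), so a designated initializer `OutputInitResult result = { .ctx = NULL, .ok = false };` is order-independent and self-describing. Both early returns correctly hand back the failure-valued result, and OutputTFTPLogInitSub continues into the following hunk, where the success path fills in both members. The `conf` parameter is not used in the visible parts of the function; if that is intended, a brief comment saying the sub-logger takes no options of its own would make it explicit.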