From: Jeff Lucovsky Date: Thu, 4 Jun 2020 11:45:05 +0000 (-0400) Subject: output/json: Refactor file output helper X-Git-Tag: suricata-6.0.0-beta1~325 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ae50d1a225ca8feba42a5e3f2acc5f099461f0df;p=thirdparty%2Fsuricata.git output/json: Refactor file output helper This commit creates a common file output helper function based on the logic in output-file-info.c:BuildBuildFileInfoRecord The refactored helper will be used to create "fileinfo" information during the alert output path. --- diff --git a/src/output-json-file.c b/src/output-json-file.c index f104eb1e61..378bf6f799 100644 --- a/src/output-json-file.c +++ b/src/output-json-file.c 
@@ -174,85 +174,7 @@ JsonBuilder *JsonBuildFileInfoRecord(const Packet *p, const File *ff, jb_set_string(js, "app_proto", AppProtoToString(p->flow->alproto)); - /* Open the fileinfo object. */ - jb_open_object(js, "fileinfo"); - - size_t filename_size = ff->name_len * 2 + 1; - char filename_string[filename_size]; - BytesToStringBuffer(ff->name, ff->name_len, filename_string, filename_size); - jb_set_string(js, "filename", filename_string); - - jb_open_array(js, "sid"); - for (uint32_t i = 0; ff->sid != NULL && i < ff->sid_cnt; i++) { - jb_append_uint(js, ff->sid[i]); - } - jb_close(js); - -#ifdef HAVE_MAGIC - if (ff->magic) - jb_set_string(js, "magic", (char *)ff->magic); -#endif - jb_set_bool(js, "gaps", ff->flags & FILE_HAS_GAPS); - switch (ff->state) { - case FILE_STATE_CLOSED: - jb_set_string(js, "state", "CLOSED"); -#ifdef HAVE_NSS - if (ff->flags & FILE_MD5) { - size_t x; - int i; - char str[256]; - for (i = 0, x = 0; x < sizeof(ff->md5); x++) { - i += snprintf(&str[i], 255-i, "%02x", ff->md5[x]); - } - jb_set_string(js, "md5", str); - } - if (ff->flags & FILE_SHA1) { - size_t x; - int i; - char str[256]; - for (i = 0, x = 0; x < sizeof(ff->sha1); x++) { - i += snprintf(&str[i], 255-i, "%02x", ff->sha1[x]); - } - jb_set_string(js, "sha1", str); - } -#endif - break; - case FILE_STATE_TRUNCATED: - JB_SET_STRING(js, "state", "TRUNCATED"); - break; - case FILE_STATE_ERROR: - JB_SET_STRING(js, "state", "ERROR"); - break; - default: - JB_SET_STRING(js, "state", "UNKNOWN"); - break; - } - -#ifdef HAVE_NSS - if (ff->flags & FILE_SHA256) { - size_t x; - int i; - char str[256]; - for (i = 0, x = 0; x < sizeof(ff->sha256); x++) { - i += snprintf(&str[i], 255-i, "%02x", ff->sha256[x]); - } - jb_set_string(js, "sha256", str); - } -#endif - - jb_set_bool(js, "stored", stored ? 
true : false); - if (ff->flags & FILE_STORED) { - jb_set_uint(js, "file_id", ff->file_store_id); - } - jb_set_uint(js, "size", FileTrackedSize(ff)); - if (ff->end > 0) { - jb_set_uint(js, "start", ff->start); - jb_set_uint(js, "end", ff->end); - } - jb_set_uint(js, "tx_id", ff->txid); - - /* Close fileinfo object */ - jb_close(js); + JsonFileInfo(js, ff, stored); /* xff header */ if (have_xff_ip && xff_cfg->flags & XFF_EXTRADATA) { diff --git a/src/output-json.c b/src/output-json.c index aab31d1a96..6f7e8c3bf6 100644 --- a/src/output-json.c +++ b/src/output-json.c 
@@ -152,6 +152,92 @@ json_t *JsonAddStringN(const char *string, size_t size) return SCJsonString(tmpbuf); } +void JsonFileInfo(JsonBuilder *js, const File *ff, const bool stored) +{ + /* Open the fileinfo object. */ + jb_open_object(js, "fileinfo"); + + size_t filename_size = ff->name_len * 2 + 1; + char filename_string[filename_size]; + BytesToStringBuffer(ff->name, ff->name_len, filename_string, filename_size); + jb_set_string(js, "filename", filename_string); + + jb_open_array(js, "sid"); + for (uint32_t i = 0; ff->sid != NULL && i < ff->sid_cnt; i++) { + jb_append_uint(js, ff->sid[i]); + } + jb_close(js); + +#ifdef HAVE_MAGIC + if (ff->magic) + jb_set_string(js, "magic", (char *)ff->magic); +#endif + jb_set_bool(js, "gaps", ff->flags & FILE_HAS_GAPS); + switch (ff->state) { + case FILE_STATE_CLOSED: + jb_set_string(js, "state", "CLOSED"); +#ifdef HAVE_NSS + if (ff->flags & FILE_MD5) { + size_t x; + int i; + char str[256]; + for (i = 0, x = 0; x < sizeof(ff->md5); x++) { + i += snprintf(&str[i], 255-i, "%02x", ff->md5[x]); + } + jb_set_string(js, "md5", str); + } + if (ff->flags & FILE_SHA1) { + size_t x; + int i; + char str[256]; + for (i = 0, x = 0; x < sizeof(ff->sha1); x++) { + i += snprintf(&str[i], 255-i, "%02x", ff->sha1[x]); + } + jb_set_string(js, "sha1", str); + } +#endif + break; + case FILE_STATE_TRUNCATED: + JB_SET_STRING(js, "state", "TRUNCATED"); + break; + case FILE_STATE_ERROR: + JB_SET_STRING(js, "state", "ERROR"); + break; + default: + JB_SET_STRING(js, "state", "UNKNOWN"); + break; + } + +#ifdef HAVE_NSS + if (ff->flags & FILE_SHA256) { + size_t x; + int i; + char str[256]; + for (i = 0, x = 0; x < sizeof(ff->sha256); x++) { + i += snprintf(&str[i], 255-i, "%02x", ff->sha256[x]); + } + jb_set_string(js, "sha256", str); + } +#endif + + if (stored) { + jb_set_bool(js, "stored", true); + jb_set_uint(js, "file_id", ff->file_store_id); + } else { + jb_set_bool(js, "stored", false); + } + + jb_set_uint(js, "size", FileTrackedSize(ff)); + if 
(ff->end > 0) { + jb_set_uint(js, "start", ff->start); + jb_set_uint(js, "end", ff->end); + } + jb_set_uint(js, "tx_id", ff->txid); + + /* Close fileinfo object */ + jb_close(js); +} + static void JsonAddPacketvars(const Packet *p, json_t *js_vars) { if (p == NULL || p->pktvar == NULL) { diff --git a/src/output-json.h b/src/output-json.h index 41375f3f92..86ff211b69 100644 --- a/src/output-json.h +++ b/src/output-json.h @@ -72,6 +72,7 @@ int OutputJSONMemBufferCallback(const char *str, size_t size, void *data); void CreateJSONFlowId(json_t *js, const Flow *f); void CreateEveFlowId(JsonBuilder *js, const Flow *f); void JsonTcpFlags(uint8_t flags, json_t *js); +void JsonFileInfo(JsonBuilder *js, const File *file, const bool stored); void EveTcpFlags(uint8_t flags, JsonBuilder *js); void JsonPacket(const Packet *p, json_t *js, unsigned long max_length); void EvePacket(const Packet *p, JsonBuilder *js, unsigned long max_length);
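Review bot: In the new JsonFileInfo the `file_id` field is now emitted only when the `stored` argument is true, whereas the block removed from JsonBuildFileInfoRecord in the first hunk gated it on `ff->flags & FILE_STORED` independently of `stored`; unless every caller guarantees the two always agree (not visible here), this "refactor" changes the content of the fileinfo record, and restoring the original gating — `jb_set_bool(js, "stored", stored);` followed by `if (ff->flags & FILE_STORED) { jb_set_uint(js, "file_id", ff->file_store_id); }` — keeps it behaviour-neutral. `char filename_string[filename_size]` is a stack VLA sized from `ff->name_len`, a length that presumably originates from the inspected traffic; the type of `name_len` is not shown in this hunk, so if it is not a small fixed-width type a cap or a heap buffer would be safer, and either way a comment stating the maximum stack footprint is worth adding. The three digest-to-hex loops differ only in the field and key and could share one small static helper rather than being copied three times. The helper is exported through output-json.h but has no header comment; a Doxygen block above the definition such as `/** \brief Emit the "fileinfo" object for \p ff into \p js; \p stored selects whether "file_id" is included. */` would document the contract callers now depend on.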
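Review bot: The prototype added to output-json.h names the second parameter `file` while the definition in output-json.c calls it `ff`, and the top-level `const` on the by-value `bool` is a definition detail that the neighbouring declarations do not carry; `void JsonFileInfo(JsonBuilder *js, const File *ff, bool stored);` would match both the implementation and the surrounding style. Keeping the names identical also means any Doxygen `\param` text later added to the header refers to the same identifiers as the code.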