From: Jason Ish Date: Fri, 26 Mar 2021 21:51:21 +0000 (-0600) Subject: eve: refactor CreateEveHeaderWithTx to include common options X-Git-Tag: suricata-7.0.0-beta1~1711 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2d78afe4b02cc9edf110b23a45a63ec85b04c54b;p=thirdparty%2Fsuricata.git eve: refactor CreateEveHeaderWithTx to include common options --- diff --git a/src/output-json-anomaly.c b/src/output-json-anomaly.c index 98ce065124..c4aaad914f 100644 --- a/src/output-json-anomaly.c +++ b/src/output-json-anomaly.c @@ -172,9 +172,8 @@ static int AnomalyAppLayerDecoderEventJson(JsonAnomalyLogThread *aft, JsonBuilder *js; if (tx_id != TX_ID_UNUSED) { - js = CreateEveHeaderWithTxId(p, LOG_DIR_PACKET, - ANOMALY_EVENT_TYPE, NULL, tx_id); - EveAddCommonOptions(&aft->json_output_ctx->eve_ctx->cfg, p, p->flow, js); + js = CreateEveHeaderWithTxId(p, LOG_DIR_PACKET, ANOMALY_EVENT_TYPE, NULL, tx_id, + aft->json_output_ctx->eve_ctx); } else { js = CreateEveHeader( p, LOG_DIR_PACKET, ANOMALY_EVENT_TYPE, NULL, aft->json_output_ctx->eve_ctx); diff --git a/src/output-json-email-common.h b/src/output-json-email-common.h index a725099139..4ffe4e4a7c 100644 --- a/src/output-json-email-common.h +++ b/src/output-json-email-common.h @@ -1,4 +1,4 @@ -/* Copyright (C) 2007-2014 Open Information Security Foundation +/* Copyright (C) 2007-2021 Open Information Security Foundation * * You can copy, redistribute or modify this Program under the terms of * the GNU General Public License version 2 as published by the Free @@ -25,10 +25,9 @@ #define __OUTPUT_JSON_EMAIL_COMMON_H__ typedef struct OutputJsonEmailCtx_ { - LogFileCtx *file_ctx; uint32_t flags; /** Store mode */ uint64_t fields;/** Store fields */ - OutputJsonCommonSettings cfg; + OutputJsonCtx *eve_ctx; } OutputJsonEmailCtx; typedef struct JsonEmailLogThread_ { diff --git a/src/output-json-ftp.c b/src/output-json-ftp.c index 619f4148b3..103828cbe3 100644 --- a/src/output-json-ftp.c +++ b/src/output-json-ftp.c 
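Review bot: The new `eve_ctx` member of `OutputJsonEmailCtx` carries no comment about ownership, although it changes the struct from holding its own copy of the settings (`cfg`, by value) to pointing into another object. The SMTP init hunk sets it with `email_ctx->eve_ctx = ojc`, apparently the parent eve-log context, so this sub-logger must never free it and relies on the parent outliving every logging thread. I would document that on the member, e.g. `OutputJsonCtx *eve_ctx; /** parent eve-log context; borrowed, not freed here */`. `LogFTPFileCtx`, `LogHttpFileCtx` and `OutputHttp2Ctx` gain the same member in the later files and need the same comment.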
@@ -1,4 +1,4 @@ -/* Copyright (C) 2017-2020 Open Information Security Foundation +/* Copyright (C) 2017-2021 Open Information Security Foundation * * You can copy, redistribute or modify this Program under the terms of * the GNU General Public License version 2 as published by the Free @@ -49,8 +49,7 @@ #include "output-json-ftp.h" typedef struct LogFTPFileCtx_ { - LogFileCtx *file_ctx; - OutputJsonCommonSettings cfg; + OutputJsonCtx *eve_ctx; } LogFTPFileCtx; typedef struct LogFTPLogThread_ { @@ -161,9 +160,9 @@ static int JsonFTPLogger(ThreadVars *tv, void *thread_data, LogFTPLogThread *thread = thread_data; LogFTPFileCtx *ftp_ctx = thread->ftplog_ctx; - JsonBuilder *jb = CreateEveHeaderWithTxId(p, LOG_DIR_FLOW, event_type, NULL, tx_id); + JsonBuilder *jb = CreateEveHeaderWithTxId( + p, LOG_DIR_FLOW, event_type, NULL, tx_id, thread->ftplog_ctx->eve_ctx); if (likely(jb)) { - EveAddCommonOptions(&ftp_ctx->cfg, p, f, jb); jb_open_object(jb, event_type); if (f->alproto == ALPROTO_FTPDATA) { EveFTPDataAddMetadata(f, jb); @@ -205,8 +204,7 @@ static OutputInitResult OutputFTPLogInitSub(ConfNode *conf, if (unlikely(ftplog_ctx == NULL)) { return result; } - ftplog_ctx->file_ctx = ajt->file_ctx; - ftplog_ctx->cfg = ajt->cfg; + ftplog_ctx->eve_ctx = ajt; OutputCtx *output_ctx = SCCalloc(1, sizeof(*output_ctx)); if (unlikely(output_ctx == NULL)) { @@ -244,7 +242,7 @@ static TmEcode JsonFTPLogThreadInit(ThreadVars *t, const void *initdata, void ** } thread->ftplog_ctx = ((OutputCtx *)initdata)->data; - thread->file_ctx = LogFileEnsureExists(thread->ftplog_ctx->file_ctx, t->id); + thread->file_ctx = LogFileEnsureExists(thread->ftplog_ctx->eve_ctx->file_ctx, t->id); if (!thread->file_ctx) { goto error_exit; } diff --git a/src/output-json-http.c b/src/output-json-http.c index 598bf8a8ef..db50e7e1a3 100644 --- a/src/output-json-http.c +++ b/src/output-json-http.c 
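Review bot: `ftp_ctx` is still declared on the context line above the new call in JsonFTPLogger, but its only use visible in this hunk, `&ftp_ctx->cfg`, is removed, and the new call spells out `thread->ftplog_ctx->eve_ctx` instead. If nothing later in the function reads it (the body continues outside the hunk), the local is now dead and will trip `-Wunused-variable`. The HTTP2 logger in this same commit drops its equivalent `http2_ctx` local. Either pass `ftp_ctx->eve_ctx` to the call or delete the declaration.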
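Review bot: `thread->ftplog_ctx->eve_ctx->file_ctx` in JsonFTPLogThreadInit dereferences two pointers with no check, and `ftplog_ctx` is taken directly from `((OutputCtx *)initdata)->data` on the line above. `eve_ctx` is whatever OutputFTPLogInitSub stored from `ajt`, and nothing visible confirms it is non-NULL, so a missing parent context would crash the engine at thread start instead of reaching the existing `error_exit` path. A guard before the call keeps that failure recoverable: `if (thread->ftplog_ctx == NULL || thread->ftplog_ctx->eve_ctx == NULL) goto error_exit;`. The same chain is added in JsonHttpLogThreadInit, JsonHttp2LogThreadInit and JsonSmtpLogThreadInit; all four function bodies extend beyond their hunks.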
@@ -1,4 +1,4 @@ -/* Copyright (C) 2007-2020 Open Information Security Foundation +/* Copyright (C) 2007-2021 Open Information Security Foundation * * You can copy, redistribute or modify this Program under the terms of * the GNU General Public License version 2 as published by the Free @@ -56,12 +56,11 @@ #include "util-byte.h" typedef struct LogHttpFileCtx_ { - LogFileCtx *file_ctx; uint32_t flags; /** Store mode */ uint64_t fields;/** Store fields */ HttpXFFCfg *xff_cfg; HttpXFFCfg *parent_xff_cfg; - OutputJsonCommonSettings cfg; + OutputJsonCtx *eve_ctx; } LogHttpFileCtx; typedef struct JsonHttpLogThread_ { @@ -484,10 +483,10 @@ static int JsonHttpLogger(ThreadVars *tv, void *thread_data, const Packet *p, Fl htp_tx_t *tx = txptr; JsonHttpLogThread *jhl = (JsonHttpLogThread *)thread_data; - JsonBuilder *js = CreateEveHeaderWithTxId(p, LOG_DIR_FLOW, "http", NULL, tx_id); + JsonBuilder *js = CreateEveHeaderWithTxId( + p, LOG_DIR_FLOW, "http", NULL, tx_id, jhl->httplog_ctx->eve_ctx); if (unlikely(js == NULL)) return TM_ECODE_OK; - EveAddCommonOptions(&jhl->httplog_ctx->cfg, p, f, js); SCLogDebug("got a HTTP request and now logging !!"); @@ -567,9 +566,8 @@ static OutputInitResult OutputHttpLogInitSub(ConfNode *conf, OutputCtx *parent_c return result; } - http_ctx->file_ctx = ojc->file_ctx; http_ctx->flags = LOG_HTTP_DEFAULT; - http_ctx->cfg = ojc->cfg; + http_ctx->eve_ctx = ojc; if (conf) { const char *extended = ConfNodeLookupChildValue(conf, "extended"); @@ -656,7 +654,7 @@ static TmEcode JsonHttpLogThreadInit(ThreadVars *t, const void *initdata, void * goto error_exit; } - aft->file_ctx = LogFileEnsureExists(aft->httplog_ctx->file_ctx, t->id); + aft->file_ctx = LogFileEnsureExists(aft->httplog_ctx->eve_ctx->file_ctx, t->id); if (!aft->file_ctx) { goto error_exit; } diff --git a/src/output-json-http2.c b/src/output-json-http2.c index ca9bae1df7..53cc922e20 100644 --- a/src/output-json-http2.c +++ b/src/output-json-http2.c 
@@ -1,4 +1,4 @@ -/* Copyright (C) 2020 Open Information Security Foundation +/* Copyright (C) 2020-2021 Open Information Security Foundation * * You can copy, redistribute or modify this Program under the terms of * the GNU General Public License version 2 as published by the Free @@ -54,8 +54,7 @@ #define MODULE_NAME "LogHttp2Log" typedef struct OutputHttp2Ctx_ { - LogFileCtx *file_ctx; - OutputJsonCommonSettings cfg; + OutputJsonCtx *eve_ctx; } OutputHttp2Ctx; @@ -82,18 +81,16 @@ static int JsonHttp2Logger(ThreadVars *tv, void *thread_data, const Packet *p, Flow *f, void *state, void *txptr, uint64_t tx_id) { JsonHttp2LogThread *aft = (JsonHttp2LogThread *)thread_data; - OutputHttp2Ctx *http2_ctx = aft->http2log_ctx; if (unlikely(state == NULL)) { return 0; } - JsonBuilder *js = CreateEveHeaderWithTxId(p, LOG_DIR_FLOW, "http", NULL, tx_id); + JsonBuilder *js = CreateEveHeaderWithTxId( + p, LOG_DIR_FLOW, "http", NULL, tx_id, aft->http2log_ctx->eve_ctx); if (unlikely(js == NULL)) return 0; - EveAddCommonOptions(&http2_ctx->cfg, p, f, js); - /* reset */ MemBufferReset(aft->buffer); @@ -122,7 +119,7 @@ static TmEcode JsonHttp2LogThreadInit(ThreadVars *t, const void *initdata, void /* Use the Output Context (file pointer and mutex) */ aft->http2log_ctx = ((OutputCtx *)initdata)->data; - aft->file_ctx = LogFileEnsureExists(aft->http2log_ctx->file_ctx, t->id); + aft->file_ctx = LogFileEnsureExists(aft->http2log_ctx->eve_ctx->file_ctx, t->id); if (!aft->file_ctx) { goto error_exit; } 
@@ -158,55 +155,6 @@ static TmEcode JsonHttp2LogThreadDeinit(ThreadVars *t, void *data) return TM_ECODE_OK; } -static void OutputHttp2LogDeinit(OutputCtx *output_ctx) -{ - OutputHttp2Ctx *http2_ctx = output_ctx->data; - LogFileCtx *logfile_ctx = http2_ctx->file_ctx; - LogFileFreeCtx(logfile_ctx); - SCFree(http2_ctx); - SCFree(output_ctx); -} - -#define DEFAULT_LOG_FILENAME "http2.json" -static OutputInitResult OutputHttp2LogInit(ConfNode *conf) -{ - OutputInitResult result = { NULL, false }; - LogFileCtx *file_ctx = LogFileNewCtx(); - if(file_ctx == NULL) { - SCLogError(SC_ERR_HTTP2_LOG_GENERIC, "couldn't create new file_ctx"); - return result; - } - - if (SCConfLogOpenGeneric(conf, file_ctx, DEFAULT_LOG_FILENAME, 1) < 0) { - LogFileFreeCtx(file_ctx); - return result; - } - - OutputHttp2Ctx *http2_ctx = SCMalloc(sizeof(OutputHttp2Ctx)); - if (unlikely(http2_ctx == NULL)) { - LogFileFreeCtx(file_ctx); - return result; - } - - OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx)); - if (unlikely(output_ctx == NULL)) { - LogFileFreeCtx(file_ctx); - SCFree(http2_ctx); - return result; - } - - http2_ctx->file_ctx = file_ctx; - - output_ctx->data = http2_ctx; - output_ctx->DeInit = OutputHttp2LogDeinit; - - AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_HTTP2); - - result.ctx = output_ctx; - result.ok = true; - return result; -} - static void OutputHttp2LogDeinitSub(OutputCtx *output_ctx) { OutputHttp2Ctx *http2_ctx = output_ctx->data; @@ -229,8 +177,7 @@ static OutputInitResult OutputHttp2LogInitSub(ConfNode *conf, OutputCtx *parent_ return result; } - http2_ctx->file_ctx = ojc->file_ctx; - http2_ctx->cfg = ojc->cfg; + http2_ctx->eve_ctx = ojc; output_ctx->data = http2_ctx; output_ctx->DeInit = OutputHttp2LogDeinitSub; 
@@ -244,13 +191,6 @@ static OutputInitResult OutputHttp2LogInitSub(ConfNode *conf, OutputCtx *parent_ void JsonHttp2LogRegister (void) { - /* register as separate module */ - OutputRegisterTxModuleWithProgress(LOGGER_JSON_HTTP2, - MODULE_NAME, "http2-json-log", - OutputHttp2LogInit, ALPROTO_HTTP2, JsonHttp2Logger, - HTTP2StateClosed, HTTP2StateClosed, - JsonHttp2LogThreadInit, JsonHttp2LogThreadDeinit, NULL); - /* also register as child of eve-log */ OutputRegisterTxSubModuleWithProgress(LOGGER_JSON_HTTP2, "eve-log", MODULE_NAME, "eve-log.http2", diff --git a/src/output-json-smtp.c b/src/output-json-smtp.c index 606394d64f..cc3b7b3763 100644 --- a/src/output-json-smtp.c +++ b/src/output-json-smtp.c @@ -1,4 +1,4 @@ -/* Copyright (C) 2007-2020 Open Information Security Foundation +/* Copyright (C) 2007-2021 Open Information Security Foundation * * You can copy, redistribute or modify this Program under the terms of * the GNU General Public License version 2 as published by the Free @@ -76,10 +76,10 @@ static int JsonSmtpLogger(ThreadVars *tv, void *thread_data, const Packet *p, Fl SCEnter(); JsonEmailLogThread *jhl = (JsonEmailLogThread *)thread_data; - JsonBuilder *jb = CreateEveHeaderWithTxId(p, LOG_DIR_FLOW, "smtp", NULL, tx_id); + JsonBuilder *jb = CreateEveHeaderWithTxId( + p, LOG_DIR_FLOW, "smtp", NULL, tx_id, jhl->emaillog_ctx->eve_ctx); if (unlikely(jb == NULL)) return TM_ECODE_OK; - EveAddCommonOptions(&jhl->emaillog_ctx->cfg, p, f, jb); /* reset */ MemBufferReset(jhl->buffer); @@ -137,8 +137,7 @@ static OutputInitResult OutputSmtpLogInitSub(ConfNode *conf, OutputCtx *parent_c return result; } - email_ctx->file_ctx = ojc->file_ctx; - email_ctx->cfg = ojc->cfg; + email_ctx->eve_ctx = ojc; OutputEmailInitConf(conf, email_ctx); 
@@ -172,7 +171,7 @@ static TmEcode JsonSmtpLogThreadInit(ThreadVars *t, const void *initdata, void * goto error_exit; } - aft->file_ctx = LogFileEnsureExists(aft->emaillog_ctx->file_ctx, t->id); + aft->file_ctx = LogFileEnsureExists(aft->emaillog_ctx->eve_ctx->file_ctx, t->id); if (!aft->file_ctx) { goto error_exit; } diff --git a/src/output-json-ssh.c b/src/output-json-ssh.c index 33946bb3f9..f9f10ab977 100644 --- a/src/output-json-ssh.c +++ b/src/output-json-ssh.c @@ -62,12 +62,10 @@ static int JsonSshLogger(ThreadVars *tv, void *thread_data, const Packet *p, return 0; } - JsonBuilder *js = CreateEveHeaderWithTxId(p, LOG_DIR_FLOW, "ssh", NULL, tx_id); + JsonBuilder *js = CreateEveHeaderWithTxId(p, LOG_DIR_FLOW, "ssh", NULL, tx_id, thread->ctx); if (unlikely(js == NULL)) return 0; - EveAddCommonOptions(&thread->ctx->cfg, p, f, js); - /* reset */ MemBufferReset(thread->buffer); diff --git a/src/output-json.c b/src/output-json.c index 691133d061..58b0825fe2 100644 --- a/src/output-json.c +++ b/src/output-json.c @@ -917,9 +917,9 @@ JsonBuilder *CreateEveHeader(const Packet *p, enum OutputJsonLogDirection dir, } JsonBuilder *CreateEveHeaderWithTxId(const Packet *p, enum OutputJsonLogDirection dir, - const char *event_type, JsonAddrInfo *addr, uint64_t tx_id) + const char *event_type, JsonAddrInfo *addr, uint64_t tx_id, OutputJsonCtx *eve_ctx) { - JsonBuilder *js = CreateEveHeader(p, dir, event_type, addr, NULL); + JsonBuilder *js = CreateEveHeader(p, dir, event_type, addr, eve_ctx); if (unlikely(js == NULL)) return NULL; diff --git a/src/output-json.h b/src/output-json.h index 6896ae105a..2ae21c5128 100644 --- a/src/output-json.h +++ b/src/output-json.h 
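Review bot: CreateEveHeaderWithTxId still has no Flow parameter, yet it now replaces the EveAddCommonOptions calls that the FTP, HTTP, HTTP2, SMTP and SSH loggers made with the `f` handed to them. Whatever flow CreateEveHeader uses must therefore come from the packet (presumably `p->flow`; its body is not shown), so confirm it copes with a packet whose flow is NULL or is not the logger's `f`, otherwise the common fields analysts rely on to correlate events could silently drop out of tx records. The options are probably also written before `tx_id` now, which is fine for JSON parsers but changes byte-for-byte output. I would record the contract above the function, e.g. `/* eve_ctx: eve-log context whose common options are added to the header (TODO confirm NULL is still accepted) */`. The function body continues past the hunk.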
@@ -101,7 +101,7 @@ void EvePacket(const Packet *p, JsonBuilder *js, unsigned long max_length); JsonBuilder *CreateEveHeader(const Packet *p, enum OutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx); JsonBuilder *CreateEveHeaderWithTxId(const Packet *p, enum OutputJsonLogDirection dir, - const char *event_type, JsonAddrInfo *addr, uint64_t tx_id); + const char *event_type, JsonAddrInfo *addr, uint64_t tx_id, OutputJsonCtx *eve_ctx); int OutputJSONBuffer(json_t *js, LogFileCtx *file_ctx, MemBuffer **buffer); int OutputJsonBuilderBuffer(JsonBuilder *js, LogFileCtx *file_ctx, MemBuffer **buffer); OutputInitResult OutputJsonInitCtx(ConfNode *);