json-http: refactoring output code

Splits the output code into two public functions so that
they can be called from the alert function
pull/1097/head
Giuseppe Longo 12 years ago
parent db9588a2ce
commit 288f0b1fb7

@ -178,23 +178,16 @@ struct {
{ "www_authenticate", "www-authenticate", 0 }, { "www_authenticate", "www-authenticate", 0 },
}; };
void JsonHttpLogJSONBasic(json_t *js, htp_tx_t *tx)
/* JSON format logging */
static void JsonHttpLogJSON(JsonHttpLogThread *aft, json_t *js, htp_tx_t *tx, uint64_t tx_id)
{ {
LogHttpFileCtx *http_ctx = aft->httplog_ctx;
json_t *hjs = json_object();
if (hjs == NULL) {
return;
}
char *c; char *c;
/* hostname */ /* hostname */
if (tx->request_hostname != NULL) if (tx->request_hostname != NULL)
{ {
c = bstr_util_strdup_to_c(tx->request_hostname); c = bstr_util_strdup_to_c(tx->request_hostname);
if (c != NULL) { if (c != NULL) {
json_object_set_new(hjs, "hostname", json_string(c)); json_object_set_new(js, "hostname", json_string(c));
SCFree(c); SCFree(c);
} }
} }
@ -204,7 +197,7 @@ static void JsonHttpLogJSON(JsonHttpLogThread *aft, json_t *js, htp_tx_t *tx, ui
{ {
c = bstr_util_strdup_to_c(tx->request_uri); c = bstr_util_strdup_to_c(tx->request_uri);
if (c != NULL) { if (c != NULL) {
json_object_set_new(hjs, "url", json_string(c)); json_object_set_new(js, "url", json_string(c));
SCFree(c); SCFree(c);
} }
} }
@ -217,7 +210,7 @@ static void JsonHttpLogJSON(JsonHttpLogThread *aft, json_t *js, htp_tx_t *tx, ui
if (h_user_agent != NULL) { if (h_user_agent != NULL) {
c = bstr_util_strdup_to_c(h_user_agent->value); c = bstr_util_strdup_to_c(h_user_agent->value);
if (c != NULL) { if (c != NULL) {
json_object_set_new(hjs, "http_user_agent", json_string(c)); json_object_set_new(js, "http_user_agent", json_string(c));
SCFree(c); SCFree(c);
} }
} }
@ -230,7 +223,7 @@ static void JsonHttpLogJSON(JsonHttpLogThread *aft, json_t *js, htp_tx_t *tx, ui
if (h_x_forwarded_for != NULL) { if (h_x_forwarded_for != NULL) {
c = bstr_util_strdup_to_c(h_x_forwarded_for->value); c = bstr_util_strdup_to_c(h_x_forwarded_for->value);
if (c != NULL) { if (c != NULL) {
json_object_set_new(hjs, "xff", json_string(c)); json_object_set_new(js, "xff", json_string(c));
SCFree(c); SCFree(c);
} }
} }
@ -247,107 +240,127 @@ static void JsonHttpLogJSON(JsonHttpLogThread *aft, json_t *js, htp_tx_t *tx, ui
p = strchr(c, ';'); p = strchr(c, ';');
if (p != NULL) if (p != NULL)
*p = '\0'; *p = '\0';
json_object_set_new(hjs, "http_content_type", json_string(c)); json_object_set_new(js, "http_content_type", json_string(c));
SCFree(c); SCFree(c);
} }
} }
}
/* log custom fields if configured */ static void JsonHttpLogJSONCustom(LogHttpFileCtx *http_ctx, json_t *js, htp_tx_t *tx)
if (http_ctx->fields != 0) {
char *c;
HttpField f;
for (f = HTTP_FIELD_ACCEPT; f < HTTP_FIELD_SIZE; f++)
{ {
HttpField f; if ((http_ctx->fields & (1ULL<<f)) != 0)
for (f = HTTP_FIELD_ACCEPT; f < HTTP_FIELD_SIZE; f++)
{ {
if ((http_ctx->fields & (1ULL<<f)) != 0) /* prevent logging a field twice if extended logging is
enabled */
if (((http_ctx->flags & LOG_HTTP_EXTENDED) == 0) ||
((http_ctx->flags & LOG_HTTP_EXTENDED) !=
(http_fields[f].flags & LOG_HTTP_EXTENDED)))
{ {
/* prevent logging a field twice if extended logging is htp_header_t *h_field = NULL;
enabled */ if ((http_fields[f].flags & LOG_HTTP_REQUEST) != 0)
if (((http_ctx->flags & LOG_HTTP_EXTENDED) == 0) ||
((http_ctx->flags & LOG_HTTP_EXTENDED) !=
(http_fields[f].flags & LOG_HTTP_EXTENDED)))
{ {
htp_header_t *h_field = NULL; if (tx->request_headers != NULL) {
if ((http_fields[f].flags & LOG_HTTP_REQUEST) != 0) h_field = htp_table_get_c(tx->request_headers,
{ http_fields[f].htp_field);
if (tx->request_headers != NULL) {
h_field = htp_table_get_c(tx->request_headers,
http_fields[f].htp_field);
}
} else {
if (tx->response_headers != NULL) {
h_field = htp_table_get_c(tx->response_headers,
http_fields[f].htp_field);
}
} }
if (h_field != NULL) { } else {
c = bstr_util_strdup_to_c(h_field->value); if (tx->response_headers != NULL) {
if (c != NULL) { h_field = htp_table_get_c(tx->response_headers,
json_object_set_new(hjs, http_fields[f].htp_field);
http_fields[f].config_field, }
json_string(c)); }
SCFree(c); if (h_field != NULL) {
} c = bstr_util_strdup_to_c(h_field->value);
if (c != NULL) {
json_object_set_new(js,
http_fields[f].config_field,
json_string(c));
SCFree(c);
} }
} }
} }
} }
} }
}
if (http_ctx->flags & LOG_HTTP_EXTENDED) { void JsonHttpLogJSONExtended(json_t *js, htp_tx_t *tx)
{
char *c;
/* referer */ /* referer */
htp_header_t *h_referer = NULL; htp_header_t *h_referer = NULL;
if (tx->request_headers != NULL) { if (tx->request_headers != NULL) {
h_referer = htp_table_get_c(tx->request_headers, "referer"); h_referer = htp_table_get_c(tx->request_headers, "referer");
}
if (h_referer != NULL) {
c = bstr_util_strdup_to_c(h_referer->value);
if (c != NULL) {
json_object_set_new(js, "http_refer", json_string(c));
SCFree(c);
} }
if (h_referer != NULL) { }
c = bstr_util_strdup_to_c(h_referer->value);
if (c != NULL) { /* method */
json_object_set_new(hjs, "http_refer", json_string(c)); if (tx->request_method != NULL) {
SCFree(c); c = bstr_util_strdup_to_c(tx->request_method);
} if (c != NULL) {
json_object_set_new(js, "http_method", json_string(c));
SCFree(c);
} }
}
/* method */ /* protocol */
if (tx->request_method != NULL) { if (tx->request_protocol != NULL) {
c = bstr_util_strdup_to_c(tx->request_method); c = bstr_util_strdup_to_c(tx->request_protocol);
if (c != NULL) { if (c != NULL) {
json_object_set_new(hjs, "http_method", json_string(c)); json_object_set_new(js, "protocol", json_string(c));
SCFree(c); SCFree(c);
}
} }
}
/* protocol */ /* response status */
if (tx->request_protocol != NULL) { if (tx->response_status != NULL) {
c = bstr_util_strdup_to_c(tx->request_protocol); c = bstr_util_strdup_to_c(tx->response_status);
if (c != NULL) { if (c != NULL) {
json_object_set_new(hjs, "protocol", json_string(c)); json_object_set_new(js, "status", json_string(c));
SCFree(c); SCFree(c);
}
} }
/* response status */ htp_header_t *h_location = htp_table_get_c(tx->response_headers, "location");
if (tx->response_status != NULL) { if (h_location != NULL) {
c = bstr_util_strdup_to_c(tx->response_status); c = bstr_util_strdup_to_c(h_location->value);
if (c != NULL) { if (c != NULL) {
json_object_set_new(hjs, "status", json_string(c)); json_object_set_new(js, "redirect", json_string(c));
SCFree(c); SCFree(c);
} }
htp_header_t *h_location = htp_table_get_c(tx->response_headers, "location");
if (h_location != NULL) {
c = bstr_util_strdup_to_c(h_location->value);
if (c != NULL) {
json_object_set_new(hjs, "redirect", json_string(c));
SCFree(c);
}
}
} }
}
/* length */ /* length */
json_object_set_new(hjs, "length", json_integer(tx->response_message_len)); json_object_set_new(js, "length", json_integer(tx->response_message_len));
}
/* JSON format logging */
static void JsonHttpLogJSON(JsonHttpLogThread *aft, json_t *js, htp_tx_t *tx, uint64_t tx_id)
{
LogHttpFileCtx *http_ctx = aft->httplog_ctx;
json_t *hjs = json_object();
if (hjs == NULL) {
return;
} }
JsonHttpLogJSONBasic(hjs, tx);
/* log custom fields if configured */
if (http_ctx->fields != 0)
JsonHttpLogJSONCustom(http_ctx, hjs, tx);
if (http_ctx->flags & LOG_HTTP_EXTENDED)
JsonHttpLogJSONExtended(hjs, tx);
/* tx id for correlation with alerts */ /* tx id for correlation with alerts */
json_object_set_new(hjs, "tx_id", json_integer(tx_id)); json_object_set_new(hjs, "tx_id", json_integer(tx_id));

@ -26,5 +26,10 @@
void TmModuleJsonHttpLogRegister (void); void TmModuleJsonHttpLogRegister (void);
#ifdef HAVE_LIBJANSSON
void JsonHttpLogJSONBasic(json_t *js, htp_tx_t *tx);
void JsonHttpLogJSONExtended(json_t *js, htp_tx_t *tx);
#endif /* HAVE_LIBJANSSON */
#endif /* __OUTPUT_JSON_HTTP_H__ */ #endif /* __OUTPUT_JSON_HTTP_H__ */
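Review bot: The two prototypes added under `HAVE_LIBJANSSON` are exported with no comment stating their contract, although both dereference `tx` without a NULL check and write keys into an object owned by the caller. A short comment above them would do, for example `/* Append the basic / extended HTTP fields of tx to the caller-owned object js; tx must not be NULL. */`. The hunk also shows no include that declares `json_t` or `htp_tx_t`. The top of the header is outside the hunk, so it is worth confirming that the header compiles when included on its own.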
