aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

smtp: convert logger to tx logger

Browse Source 
Move from packet logger to tx logger.
pull/1195/head
Victor Julien 11 years ago
parent d0357c6169
commit 2b9ef87527
3 changed files with 23 additions and 64 deletions
Show Stats Download Patch File Download Diff File

36
src/output-json-email-common.c
Unescape Escape View File

@ -56,50 +56,39 @@
#include <jansson.h> #include <jansson.h>
/* JSON format logging */ /* JSON format logging */
static TmEcode JsonEmailLogJson(JsonEmailLogThread *aft, static TmEcode JsonEmailLogJson(JsonEmailLogThread *aft, json_t *js, const Packet *p, Flow *f, void *state, void *vtx, uint64_t tx_id)
json_t *js,
const Packet *p)
{ {
SMTPState *smtp_state; SMTPState *smtp_state;
MimeDecParseState *mime_state; MimeDecParseState *mime_state;
MimeDecEntity *entity; MimeDecEntity *entity;
char *protos = NULL; char *protos = NULL;
/* no flow, no smtp state */
if (p->flow == NULL) {
SCReturnInt(TM_ECODE_FAILED);
}
json_t *sjs = json_object(); json_t *sjs = json_object();
if (sjs == NULL) { if (sjs == NULL) {
SCReturnInt(TM_ECODE_FAILED); SCReturnInt(TM_ECODE_FAILED);
} }
/* check if we have SMTP state or not */ /* check if we have SMTP state or not */
FLOWLOCK_WRLOCK(p->flow); /* WRITE lock before we updated flow logged id */
AppProto proto = FlowGetAppProtocol(p->flow); AppProto proto = FlowGetAppProtocol(p->flow);
switch (proto) { switch (proto) {
case ALPROTO_SMTP: case ALPROTO_SMTP:
smtp_state = (SMTPState *)FlowGetAppState(p->flow); smtp_state = (SMTPState *)state;
if (smtp_state == NULL) { if (smtp_state == NULL) {
SCLogDebug("no smtp state, so no request logging"); SCLogDebug("no smtp state, so no request logging");
FLOWLOCK_UNLOCK(p->flow);
SCReturnInt(TM_ECODE_FAILED); SCReturnInt(TM_ECODE_FAILED);
} }
mime_state = smtp_state->mime_state; SMTPTransaction *tx = vtx;
entity = smtp_state->msg_tail; mime_state = tx->mime_state;
entity = tx->msg_tail;
protos = "smtp"; protos = "smtp";
SCLogDebug("lets go mime_state %p, entity %p, state_flag %u", mime_state, entity, mime_state ? mime_state->state_flag : 0);
break; break;
default: default:
/* don't know how we got here */ /* don't know how we got here */
FLOWLOCK_UNLOCK(p->flow);
SCReturnInt(TM_ECODE_FAILED); SCReturnInt(TM_ECODE_FAILED);
} }
if ((mime_state != NULL) && if ((mime_state != NULL)) {
(mime_state->state_flag == PARSE_DONE)) {
if (entity == NULL) { if (entity == NULL) {
FLOWLOCK_UNLOCK(p->flow);
SCReturnInt(TM_ECODE_FAILED); SCReturnInt(TM_ECODE_FAILED);
} }
@ -176,6 +165,9 @@ static TmEcode JsonEmailLogJson(JsonEmailLogThread *aft,
entity->header_flags |= HDR_IS_LOGGED; entity->header_flags |= HDR_IS_LOGGED;
if (mime_state->stack == NULL || mime_state->stack->top == NULL || mime_state->stack->top->data == NULL)
SCReturnInt(TM_ECODE_OK);
entity = (MimeDecEntity *)mime_state->stack->top->data; entity = (MimeDecEntity *)mime_state->stack->top->data;
int attch_cnt = 0; int attch_cnt = 0;
int url_cnt = 0; int url_cnt = 0;
@ -233,16 +225,16 @@ static TmEcode JsonEmailLogJson(JsonEmailLogThread *aft,
} }
json_object_set_new(js, protos, sjs); json_object_set_new(js, protos, sjs);
FLOWLOCK_UNLOCK(p->flow); // FLOWLOCK_UNLOCK(p->flow);
SCReturnInt(TM_ECODE_OK); SCReturnInt(TM_ECODE_OK);
} }
} }
FLOWLOCK_UNLOCK(p->flow); // FLOWLOCK_UNLOCK(p->flow);
SCReturnInt(TM_ECODE_DONE); SCReturnInt(TM_ECODE_DONE);
} }
int JsonEmailLogger(ThreadVars *tv, void *thread_data, const Packet *p) { int JsonEmailLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flow *f, void *state, void *tx, uint64_t tx_id) {
SCEnter(); SCEnter();
JsonEmailLogThread *jhl = (JsonEmailLogThread *)thread_data; JsonEmailLogThread *jhl = (JsonEmailLogThread *)thread_data;
MemBuffer *buffer = (MemBuffer *)jhl->buffer; MemBuffer *buffer = (MemBuffer *)jhl->buffer;
@ -254,7 +246,7 @@ int JsonEmailLogger(ThreadVars *tv, void *thread_data, const Packet *p) {
/* reset */ /* reset */
MemBufferReset(buffer); MemBufferReset(buffer);
if (JsonEmailLogJson(jhl, js, p) == TM_ECODE_OK) { if (JsonEmailLogJson(jhl, js, p, f, state, tx, tx_id) == TM_ECODE_OK) {
OutputJSONBuffer(js, jhl->emaillog_ctx->file_ctx, buffer); OutputJSONBuffer(js, jhl->emaillog_ctx->file_ctx, buffer);
} }
json_object_del(js, "smtp"); json_object_del(js, "smtp");

2
src/output-json-email-common.h
Unescape Escape View File

@ -35,6 +35,6 @@ typedef struct JsonEmailLogThread_ {
MemBuffer *buffer; MemBuffer *buffer;
} JsonEmailLogThread; } JsonEmailLogThread;
int JsonEmailLogger(ThreadVars *tv, void *thread_data, const Packet *p); int JsonEmailLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flow *f, void *state, void *tx, uint64_t tx_id);
#endif /* __OUTPUT_JSON_EMAIL_COMMON_H__ */ #endif /* __OUTPUT_JSON_EMAIL_COMMON_H__ */

49
src/output-json-smtp.c
Unescape Escape View File

@ -54,10 +54,10 @@
#ifdef HAVE_LIBJANSSON #ifdef HAVE_LIBJANSSON
#include <jansson.h> #include <jansson.h>
static int JsonSmtpLogger(ThreadVars *tv, void *thread_data, const Packet *p) static int JsonSmtpLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flow *f, void *state, void *tx, uint64_t tx_id)
{ {
SCEnter(); SCEnter();
int r = JsonEmailLogger(tv, thread_data, p); int r = JsonEmailLogger(tv, thread_data, p, f, state, tx, tx_id);
SCReturnInt(r); SCReturnInt(r);
} }
@ -187,37 +187,6 @@ static TmEcode JsonSmtpLogThreadDeinit(ThreadVars *t, void *data)
return TM_ECODE_OK; return TM_ECODE_OK;
} }
/** \internal
* \brief Condition function for SMTP logger
* \retval bool true or false -- log now?
*/
static int JsonSmtpCondition(ThreadVars *tv, const Packet *p) {
if (p->flow == NULL) {
return FALSE;
}
if (!(PKT_IS_TCP(p))) {
return FALSE;
}
FLOWLOCK_RDLOCK(p->flow);
uint16_t proto = FlowGetAppProtocol(p->flow);
if (proto != ALPROTO_SMTP)
goto dontlog;
SMTPState *smtp_state = (SMTPState *)FlowGetAppState(p->flow);
if (smtp_state == NULL) {
SCLogDebug("no smtp state, so no request logging");
goto dontlog;
}
FLOWLOCK_UNLOCK(p->flow);
return TRUE;
dontlog:
FLOWLOCK_UNLOCK(p->flow);
return FALSE;
}
void TmModuleJsonSmtpLogRegister (void) { void TmModuleJsonSmtpLogRegister (void) {
tmm_modules[TMM_JSONSMTPLOG].name = "JsonSmtpLog"; tmm_modules[TMM_JSONSMTPLOG].name = "JsonSmtpLog";
tmm_modules[TMM_JSONSMTPLOG].ThreadInit = JsonSmtpLogThreadInit; tmm_modules[TMM_JSONSMTPLOG].ThreadInit = JsonSmtpLogThreadInit;
@ -227,17 +196,15 @@ void TmModuleJsonSmtpLogRegister (void) {
tmm_modules[TMM_JSONSMTPLOG].flags = TM_FLAG_LOGAPI_TM; tmm_modules[TMM_JSONSMTPLOG].flags = TM_FLAG_LOGAPI_TM;
/* register as separate module */ /* register as separate module */
OutputRegisterPacketModule("JsonSmtpLog", "smtp-json-log", OutputRegisterTxModule("JsonSmtpLog", "smtp-json-log",
OutputSmtpLogInit, OutputSmtpLogInit, ALPROTO_SMTP,
JsonSmtpLogger, JsonSmtpLogger);
JsonSmtpCondition);
/* also register as child of eve-log */ /* also register as child of eve-log */
OutputRegisterPacketSubModule("eve-log", "JsonSmtpLog", OutputRegisterTxSubModule("eve-log", "JsonSmtpLog",
"eve-log.smtp", "eve-log.smtp",
OutputSmtpLogInitSub, OutputSmtpLogInitSub, ALPROTO_SMTP,
JsonSmtpLogger, JsonSmtpLogger);
JsonSmtpCondition);
} }
#else #else

Write Preview
Loading…
Cancel
Save