aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

rfb/eve: convert to jsonbuilder

Browse Source
pull/5012/head
Jason Ish 6 years ago committed by Victor Julien
parent 49f7dc93bd
commit 36d687580a
4 changed files with 67 additions and 66 deletions
Show Stats Download Patch File Download Diff File

103
rust/src/rfb/logger.rs
Unescape Escape View File

@ -19,102 +19,103 @@
use std; use std;
use std::fmt::Write; use std::fmt::Write;
use crate::json::*;
use super::rfb::{RFBState, RFBTransaction}; use super::rfb::{RFBState, RFBTransaction};
use crate::jsonbuilder::{JsonBuilder, JsonError};
fn log_rfb(tx: &RFBTransaction) -> Option<Json> { fn log_rfb(tx: &RFBTransaction, js: &mut JsonBuilder) -> Result<(), JsonError> {
let js = Json::object(); js.open_object("rfb")?;
// Protocol version // Protocol version
if let Some(tx_spv) = &tx.tc_server_protocol_version { if let Some(tx_spv) = &tx.tc_server_protocol_version {
let spv = Json::object(); js.open_object("server_protocol_version")?;
spv.set_string("major", &tx_spv.major); js.set_string("major", &tx_spv.major)?;
spv.set_string("minor", &tx_spv.minor); js.set_string("minor", &tx_spv.minor)?;
js.set("server_protocol_version", spv); js.close()?;
} }
if let Some(tx_cpv) = &tx.ts_client_protocol_version { if let Some(tx_cpv) = &tx.ts_client_protocol_version {
let cpv = Json::object(); js.open_object("client_protocol_version")?;
cpv.set_string("major", &tx_cpv.major); js.set_string("major", &tx_cpv.major)?;
cpv.set_string("minor", &tx_cpv.minor); js.set_string("minor", &tx_cpv.minor)?;
js.set("client_protocol_version", cpv); js.close()?;
} }
// Authentication // Authentication
let auth = Json::object(); js.open_object("authentication")?;
if let Some(chosen_security_type) = tx.chosen_security_type { if let Some(chosen_security_type) = tx.chosen_security_type {
auth.set_integer("security_type", chosen_security_type as u64); js.set_uint("security_type", chosen_security_type as u64)?;
} }
match tx.chosen_security_type { match tx.chosen_security_type {
Some(2) => { Some(2) => {
let vncauth = Json::object(); js.open_object("vnc")?;
if let Some(ref sc) = tx.tc_vnc_challenge { if let Some(ref sc) = tx.tc_vnc_challenge {
let mut s = String::new(); let mut s = String::new();
for &byte in &sc.secret[..] { for &byte in &sc.secret[..] {
write!(&mut s, "{:02x}", byte).expect("Unable to write"); write!(&mut s, "{:02x}", byte).expect("Unable to write");
} }
vncauth.set_string("challenge", &s); js.set_string("challenge", &s)?;
} }
if let Some(ref sr) = tx.ts_vnc_response { if let Some(ref sr) = tx.ts_vnc_response {
let mut s = String::new(); let mut s = String::new();
for &byte in &sr.secret[..] { for &byte in &sr.secret[..] {
write!(&mut s, "{:02x}", byte).expect("Unable to write"); write!(&mut s, "{:02x}", byte).expect("Unable to write");
} }
vncauth.set_string("response", &s); js.set_string("response", &s)?;
} }
auth.set("vnc", vncauth); js.close()?;
} }
_ => () _ => ()
} }
if let Some(security_result) = &tx.tc_security_result { if let Some(security_result) = &tx.tc_security_result {
match security_result.status { let _ = match security_result.status {
0 => auth.set_string("security_result", "OK"), 0 => js.set_string("security_result", "OK")?,
1 => auth.set_string("security-result", "FAIL"), 1 => js.set_string("security-result", "FAIL")?,
2 => auth.set_string("security_result", "TOOMANY"), 2 => js.set_string("security_result", "TOOMANY")?,
_ => auth.set_string("security_result", _ => js.set_string("security_result",
&format!("UNKNOWN ({})", security_result.status)), &format!("UNKNOWN ({})", security_result.status))?,
} };
} }
js.set("authentication", auth); js.close()?; // Close authentication.
if let Some(ref reason) = tx.tc_failure_reason { if let Some(ref reason) = tx.tc_failure_reason {
js.set_string("server_security_failure_reason", &reason.reason_string); js.set_string("server_security_failure_reason", &reason.reason_string)?;
} }
// Client/Server init // Client/Server init
if let Some(s) = &tx.ts_client_init { if let Some(s) = &tx.ts_client_init {
js.set_boolean("screen_shared", s.shared != 0); js.set_bool("screen_shared", s.shared != 0)?;
} }
if let Some(tc_server_init) = &tx.tc_server_init { if let Some(tc_server_init) = &tx.tc_server_init {
let fb = Json::object(); js.open_object("framebuffer")?;
fb.set_integer("width", tc_server_init.width as u64); js.set_uint("width", tc_server_init.width as u64)?;
fb.set_integer("height", tc_server_init.height as u64); js.set_uint("height", tc_server_init.height as u64)?;
fb.set_string_from_bytes("name", &tc_server_init.name); js.set_string_from_bytes("name", &tc_server_init.name)?;
let pfj = Json::object(); js.open_object("pixel_format")?;
pfj.set_integer("bits_per_pixel", tc_server_init.pixel_format.bits_per_pixel as u64); js.set_uint("bits_per_pixel", tc_server_init.pixel_format.bits_per_pixel as u64)?;
pfj.set_integer("depth", tc_server_init.pixel_format.depth as u64); js.set_uint("depth", tc_server_init.pixel_format.depth as u64)?;
pfj.set_boolean("big_endian", tc_server_init.pixel_format.big_endian_flag != 0); js.set_bool("big_endian", tc_server_init.pixel_format.big_endian_flag != 0)?;
pfj.set_boolean("true_color", tc_server_init.pixel_format.true_colour_flag != 0); js.set_bool("true_color", tc_server_init.pixel_format.true_colour_flag != 0)?;
pfj.set_integer("red_max", tc_server_init.pixel_format.red_max as u64); js.set_uint("red_max", tc_server_init.pixel_format.red_max as u64)?;
pfj.set_integer("green_max", tc_server_init.pixel_format.green_max as u64); js.set_uint("green_max", tc_server_init.pixel_format.green_max as u64)?;
pfj.set_integer("blue_max", tc_server_init.pixel_format.blue_max as u64); js.set_uint("blue_max", tc_server_init.pixel_format.blue_max as u64)?;
pfj.set_integer("red_shift", tc_server_init.pixel_format.red_shift as u64); js.set_uint("red_shift", tc_server_init.pixel_format.red_shift as u64)?;
pfj.set_integer("green_shift", tc_server_init.pixel_format.green_shift as u64); js.set_uint("green_shift", tc_server_init.pixel_format.green_shift as u64)?;
pfj.set_integer("blue_shift", tc_server_init.pixel_format.blue_shift as u64); js.set_uint("blue_shift", tc_server_init.pixel_format.blue_shift as u64)?;
pfj.set_integer("depth", tc_server_init.pixel_format.depth as u64); js.set_uint("depth", tc_server_init.pixel_format.depth as u64)?;
fb.set("pixel_format", pfj); js.close()?;
js.set("framebuffer", fb); js.close()?;
} }
return Some(js); js.close()?;
return Ok(());
} }
#[no_mangle] #[no_mangle]
pub extern "C" fn rs_rfb_logger_log(_state: &mut RFBState, tx: *mut std::os::raw::c_void) -> *mut JsonT { pub extern "C" fn rs_rfb_logger_log(_state: &mut RFBState,
tx: *mut std::os::raw::c_void,
js: &mut JsonBuilder) -> bool {
let tx = cast_pointer!(tx, RFBTransaction); let tx = cast_pointer!(tx, RFBTransaction);
match log_rfb(tx) { log_rfb(tx, js).is_ok()
Some(js) => js.unwrap(),
None => std::ptr::null_mut(),
}
} }

10
src/output-json-alert.c
Unescape Escape View File

@ -532,11 +532,13 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
case ALPROTO_SIP: case ALPROTO_SIP:
JsonSIPAddMetadata(jb, p->flow, pa->tx_id); JsonSIPAddMetadata(jb, p->flow, pa->tx_id);
break; break;
case ALPROTO_RFB: case ALPROTO_RFB: {
hjs = JsonRFBAddMetadata(p->flow, pa->tx_id); jb_get_mark(jb, &mark);
if (hjs) if (!JsonRFBAddMetadata(p->flow, pa->tx_id, jb)) {
jb_set_jsont(jb, "rfb", hjs); jb_restore_mark(jb, &mark);
}
break; break;
}
case ALPROTO_FTPDATA: case ALPROTO_FTPDATA:
hjs = JsonFTPDataAddMetadata(p->flow); hjs = JsonFTPDataAddMetadata(p->flow);
if (hjs) { if (hjs) {

18
src/output-json-rfb.c
Unescape Escape View File

@ -57,17 +57,17 @@ typedef struct LogRFBLogThread_ {
MemBuffer *buffer; MemBuffer *buffer;
} LogRFBLogThread; } LogRFBLogThread;
json_t *JsonRFBAddMetadata(const Flow *f, uint64_t tx_id) bool JsonRFBAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js)
{ {
RFBState *state = FlowGetAppState(f); RFBState *state = FlowGetAppState(f);
if (state) { if (state) {
RFBTransaction *tx = AppLayerParserGetTx(f->proto, ALPROTO_RFB, state, tx_id); RFBTransaction *tx = AppLayerParserGetTx(f->proto, ALPROTO_RFB, state, tx_id);
if (tx) { if (tx) {
return rs_rfb_logger_log(state, tx); return rs_rfb_logger_log(state, tx, js);
} }
} }
return NULL; return false;
} }
static int JsonRFBLogger(ThreadVars *tv, void *thread_data, static int JsonRFBLogger(ThreadVars *tv, void *thread_data,
@ -75,25 +75,23 @@ static int JsonRFBLogger(ThreadVars *tv, void *thread_data,
{ {
LogRFBLogThread *thread = thread_data; LogRFBLogThread *thread = thread_data;
json_t *js = CreateJSONHeader(p, LOG_DIR_FLOW, "rfb", NULL); JsonBuilder *js = CreateEveHeader(p, LOG_DIR_FLOW, "rfb", NULL);
if (unlikely(js == NULL)) { if (unlikely(js == NULL)) {
return TM_ECODE_FAILED; return TM_ECODE_FAILED;
} }
json_t *rfb_js = rs_rfb_logger_log(NULL, tx); if (!rs_rfb_logger_log(NULL, tx, js)) {
if (unlikely(rfb_js == NULL)) {
goto error; goto error;
} }
json_object_set_new(js, "rfb", rfb_js);
MemBufferReset(thread->buffer); MemBufferReset(thread->buffer);
OutputJSONBuffer(js, thread->rfblog_ctx->file_ctx, &thread->buffer); OutputJsonBuilderBuffer(js, thread->rfblog_ctx->file_ctx, &thread->buffer);
json_decref(js); jb_free(js);
return TM_ECODE_OK; return TM_ECODE_OK;
error: error:
json_decref(js); jb_free(js);
return TM_ECODE_FAILED; return TM_ECODE_FAILED;
} }

2
src/output-json-rfb.h
Unescape Escape View File

@ -26,6 +26,6 @@
void JsonRFBLogRegister(void); void JsonRFBLogRegister(void);
json_t *JsonRFBAddMetadata(const Flow *f, uint64_t tx_id); bool JsonRFBAddMetadata(const Flow *f, uint64_t tx_id, JsonBuilder *js);
#endif /* __OUTPUT_JSON_RFB_H__ */ #endif /* __OUTPUT_JSON_RFB_H__ */

Write Preview
Loading…
Cancel
Save