app layer htp logging and better htp request handling. removed recent_in_tx.

Gurvinder Singh 16 years ago committed by Victor Julien
parent aa1564791d
commit 50f7d0a887

@ -64,15 +64,6 @@ static void *HTPStateAlloc(void)
s->body.operation = HTP_BODY_NONE;
s->body.pcre_flags = HTP_PCRE_NONE;
/* Create a list_array of size 8 to store the incoming requests, the size of
8 has been chosen as half the size of conn->transactions in the
HTP lib. As we are storing only requests here not responses!! */
s->recent_in_tx = list_array_create(8);
if (s->recent_in_tx == NULL) {
SCLogDebug("list_array_create returned NULL");
goto error;
}
htp_connp_set_user_data(s->connp, (void *)s);
#ifdef DEBUG
@ -108,10 +99,6 @@ static void HTPStateFree(void *state)
if (s->connp != NULL) {
htp_connp_destroy_all(s->connp);
}
if (s->recent_in_tx != NULL) {
list_destroy(s->recent_in_tx);
}
/* free the list of body chunks */
if (s->body.nchunks > 0) {
HtpBodyFree(&s->body);
@ -170,7 +157,7 @@ static int HTPHandleRequestData(Flow *f, void *htp_state,
/* Unset the body inspection (the callback should
* reactivate it if necessary) */
hstate->flags &= ~HTP_NEW_BODY_SET;
hstate->flags &= ~HTP_FLAG_NEW_BODY_SET;
/* Open the HTTP connection on receiving the first request */
if (!(hstate->flags & HTP_FLAG_STATE_OPEN)) {
@ -199,7 +186,7 @@ static int HTPHandleRequestData(Flow *f, void *htp_state,
}
hstate->flags |= HTP_FLAG_STATE_ERROR;
hstate->flags &= ~HTP_FLAG_STATE_DATA;
hstate->flags &= ~HTP_NEW_BODY_SET;
hstate->flags &= ~HTP_FLAG_NEW_BODY_SET;
ret = -1;
break;
case STREAM_STATE_DATA:
@ -209,12 +196,12 @@ static int HTPHandleRequestData(Flow *f, void *htp_state,
SCLogDebug("CONNECT not supported yet");
hstate->flags |= HTP_FLAG_STATE_ERROR;
hstate->flags &= ~HTP_FLAG_STATE_DATA;
hstate->flags &= ~HTP_NEW_BODY_SET;
hstate->flags &= ~HTP_FLAG_NEW_BODY_SET;
ret = -1;
break;
default:
hstate->flags &= ~HTP_FLAG_STATE_DATA;
hstate->flags &= ~HTP_NEW_BODY_SET;
hstate->flags &= ~HTP_FLAG_NEW_BODY_SET;
}
/* if we the TCP connection is closed, then close the HTTP connection */
@ -256,7 +243,7 @@ static int HTPHandleResponseData(Flow *f, void *htp_state,
/* Unset the body inspection (the callback should
* reactivate it if necessary) */
hstate->flags &= ~HTP_NEW_BODY_SET;
hstate->flags &= ~HTP_FLAG_NEW_BODY_SET;
r = htp_connp_res_data(hstate->connp, 0, input, input_len);
switch(r) {
@ -274,7 +261,7 @@ static int HTPHandleResponseData(Flow *f, void *htp_state,
}
hstate->flags = HTP_FLAG_STATE_ERROR;
hstate->flags &= ~HTP_FLAG_STATE_DATA;
hstate->flags &= ~HTP_NEW_BODY_SET;
hstate->flags &= ~HTP_FLAG_NEW_BODY_SET;
ret = -1;
break;
case STREAM_STATE_DATA:
@ -284,12 +271,12 @@ static int HTPHandleResponseData(Flow *f, void *htp_state,
SCLogDebug("CONNECT not supported yet");
hstate->flags = HTP_FLAG_STATE_ERROR;
hstate->flags &= ~HTP_FLAG_STATE_DATA;
hstate->flags &= ~HTP_NEW_BODY_SET;
hstate->flags &= ~HTP_FLAG_NEW_BODY_SET;
ret = -1;
break;
default:
hstate->flags &= ~HTP_FLAG_STATE_DATA;
hstate->flags &= ~HTP_NEW_BODY_SET;
hstate->flags &= ~HTP_FLAG_NEW_BODY_SET;
}
/* if we the TCP connection is closed, then close the HTTP connection */
@ -442,7 +429,7 @@ int HTPCallbackRequestBodyData(htp_tx_data_t *d)
}
/* set the new chunk flag */
hstate->flags |= HTP_NEW_BODY_SET;
hstate->flags |= HTP_FLAG_NEW_BODY_SET;
SCReturnInt(HOOK_OK);
}
@ -477,12 +464,13 @@ static int HTPCallbackRequest(htp_connp_t *connp) {
HtpState *hstate = (HtpState *)connp->user_data;
if (hstate == NULL) {
/** \todo error condition, what should we return? */
SCReturnInt(0);
SCReturnInt(HOOK_ERROR);
}
list_add(hstate->recent_in_tx, connp->in_tx);
SCReturnInt(0);
if (! (hstate->flags & HTP_FLAG_NEW_REQUEST)) {
hstate->flags |= HTP_FLAG_NEW_REQUEST;
hstate->new_in_tx_index = list_size(hstate->connp->conn->transactions) - 1;
}
SCReturnInt(HOOK_OK);
}
/**
@ -494,10 +482,10 @@ static int HTPCallbackRequest(htp_connp_t *connp) {
static int HTPCallbackResponse(htp_connp_t *connp) {
SCEnter();
uint8_t i;
HtpState *hstate = (HtpState *)connp->user_data;
if (hstate == NULL) {
/** \todo error condition, what should we return? */
SCReturnInt(0);
SCReturnInt(HOOK_ERROR);
}
/* Free data when we have a response */
@ -506,22 +494,15 @@ static int HTPCallbackResponse(htp_connp_t *connp) {
hstate->body.operation = HTP_BODY_RESPONSE;
hstate->body.pcre_flags = HTP_PCRE_NONE;
while (list_size(hstate->recent_in_tx) > 0) {
htp_tx_t *tx = list_pop(hstate->recent_in_tx);
if (tx != NULL) {
htp_tx_destroy(tx);
}
}
#if 0 /* VJ disabled for now */
/* Clear the trasactions which are processed by the engine from libhtp.
This helps in reducing the meory consumptions of libhtp */
while (list_size(hstate->connp->conn->transactions) > 0) {
htp_tx_t *tx = list_pop(hstate->connp->conn->transactions);
for (i = 0; i< hstate->new_in_tx_index; i++) {
htp_tx_t *tx = list_get(hstate->connp->conn->transactions, i);
if (tx != NULL)
htp_tx_destroy(tx);
}
#endif
SCReturnInt(0);
SCReturnInt(HOOK_OK);
}
/**
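Review bot: `hstate->new_in_tx_index = list_size(hstate->connp->conn->transactions) - 1;` in HTPCallbackRequest stores a list position in a `uint8_t` field (declared in the header hunk), so on a keep-alive connection that accumulates more than 256 transactions the index silently wraps and every loop that starts at `new_in_tx_index` inspects or logs the wrong transactions; give the field the type `list_size()` returns, e.g. `size_t new_in_tx_index;`, and widen the `uint8_t i` in HTPCallbackResponse with it. The index is also only refreshed while HTP_FLAG_NEW_REQUEST is clear, and as far as this diff shows only log-httplog clears that flag, so with the http log output disabled the index stays pinned at the first request, the detection loops re-scan every transaction on the flow for each packet, and HTPCallbackResponse's `i < hstate->new_in_tx_index` loop never destroys anything — the clearing belongs in the app layer (or a per-consumer cursor), not in one output module. The destroy loop presumably relies on `htp_tx_destroy()` leaving a NULL slot in `conn->transactions` (every consumer checks for NULL), which means `list_size()` grows for the life of the connection; that assumption deserves a comment such as `/* htp_tx_destroy() NULLs the slot; the list itself never shrinks */`.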

@ -14,19 +14,21 @@
#include <htp/htp.h>
#define HTP_FLAG_STATE_OPEN 0x01 /**< Flag to indicate that HTTP
#define HTP_FLAG_STATE_OPEN 0x01 /**< Flag to indicate that HTTP
connection is open */
#define HTP_FLAG_STATE_CLOSED 0x02 /**< Flag to indicate that HTTP
#define HTP_FLAG_STATE_CLOSED 0x02 /**< Flag to indicate that HTTP
connection is closed */
#define HTP_FLAG_STATE_DATA 0x04 /**< Flag to indicate that HTTP
#define HTP_FLAG_STATE_DATA 0x04 /**< Flag to indicate that HTTP
connection needs more data */
#define HTP_FLAG_STATE_ERROR 0x08 /**< Flag to indicate that an error
#define HTP_FLAG_STATE_ERROR 0x08 /**< Flag to indicate that an error
has been occured on HTTP
connection */
#define HTP_NEW_BODY_SET 0x10 /**< Flag to indicate that HTTP
#define HTP_FLAG_NEW_BODY_SET 0x10 /**< Flag to indicate that HTTP
has parsed a new body (for
pcre) */
#define HTP_FLAG_NEW_REQUEST 0x20 /**< Flag to indicate that we have
a new HTTP requesta and we
need to log it */
enum {
@ -66,11 +68,12 @@ typedef struct Body_ {
typedef struct HtpState_ {
htp_connp_t *connp; /**< Connection parser structure for
each connection */
htp_connp_t *connp; /**< Connection parser structure for
each connection */
uint8_t flags;
list_t *recent_in_tx; /**< Point to the new received HTTP request */
HtpBody body; /**< Body of the request (if any) */
HtpBody body; /**< Body of the request (if any) */
uint8_t new_in_tx_index; /**< Index to indicate that after this we have
new requests to log */
} HtpState;
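Review bot: `uint8_t new_in_tx_index;` is too narrow for an index into `connp->conn->transactions` — it is assigned from `list_size(...) - 1` in HTPCallbackRequest and compared against `list_size(...)` in every detect and log loop added by this commit, so it wraps after 256 transactions on a single connection. Declare it as `size_t new_in_tx_index;` (or whatever integer type `list_size()` returns) and document the invariant it carries, e.g. `/**< Index of the first transaction not yet logged; only meaningful while HTP_FLAG_NEW_REQUEST is set */`. The HTP_FLAG_NEW_REQUEST comment also has a typo: `a new HTTP request and we need to log it`.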

@ -73,6 +73,7 @@ int DetectHttpCookieMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
SCEnter();
int ret = 0;
uint8_t i;
SCMutexLock(&f->m);
SCLogDebug("got lock %p", &f->m);
@ -100,9 +101,14 @@ int DetectHttpCookieMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
}
htp_tx_t *tx = NULL;
list_iterator_reset(htp_state->recent_in_tx);
while ((tx = list_iterator_next(htp_state->recent_in_tx)) != NULL) {
for (i = htp_state->new_in_tx_index;
i < list_size(htp_state->connp->conn->transactions); i++)
{
tx = list_get(htp_state->connp->conn->transactions, i);
if (tx == NULL)
continue;
htp_header_t *h = NULL;
h = (htp_header_t *) table_getc(tx->request_headers, "Cookie");
if (h == NULL) {
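Review bot: the new loop counter `uint8_t i` is compared against `list_size(htp_state->connp->conn->transactions)`, so once one HTTP connection has accumulated 256 or more transactions `i` wraps from 255 back to 0 and the loop never terminates while `f->m` is held — a remote client pipelining requests can wedge the detection thread. Declare `size_t i;` (matching the type `list_size()` returns), and since `new_in_tx_index` is the same 8-bit width the loop would otherwise start at a wrapped position, widen that field with it. DetectHttpCookieMatch's body continues outside the hunk.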

@ -71,6 +71,7 @@ int DetectHttpMethodMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
Signature *s, SigMatch *m)
{
SCEnter();
uint8_t i;
DetectHttpMethodData *data = (DetectHttpMethodData *)m->ctx;
HtpState *hs = (HtpState *)state;
htp_tx_t *tx = NULL;
@ -82,9 +83,12 @@ int DetectHttpMethodMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
}
SCMutexLock(&f->m);
list_iterator_reset(hs->recent_in_tx);
for (i = hs->new_in_tx_index; i < list_size(hs->connp->conn->transactions); i++)
{
tx = list_get(hs->connp->conn->transactions, i);
if (tx == NULL)
continue;
while ((tx = list_iterator_next(hs->recent_in_tx)) != NULL) {
/* Compare the numeric methods if they are known, otherwise compare
* the raw values.
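Review bot: `for (i = hs->new_in_tx_index; i < list_size(hs->connp->conn->transactions); i++)` uses the `uint8_t i` added at the top of DetectHttpMethodMatch, so a connection with 256 or more transactions makes `i` wrap and the loop spin forever with `f->m` locked. Use `size_t i;` here (the type `list_size()` returns) rather than an 8-bit counter; `new_in_tx_index` in the header is the same width and should be widened alongside. The loop body and the rest of the function lie outside the hunk.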

@ -549,6 +549,7 @@ int DetectAppLayerUricontentMatch (ThreadVars *tv, DetectEngineThreadCtx *det_ct
uint32_t DetectUricontentInspectMpm(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, void *alstate) {
SCEnter();
uint32_t cnt = 0;
uint8_t i;
HtpState *htp_state = (HtpState *)alstate;
if (htp_state == NULL) {
@ -557,10 +558,12 @@ uint32_t DetectUricontentInspectMpm(ThreadVars *tv, DetectEngineThreadCtx *det_c
}
htp_tx_t *tx = NULL;
list_iterator_reset(htp_state->recent_in_tx);
while ((tx = list_iterator_next(htp_state->recent_in_tx)) != NULL) {
if (tx->request_uri_normalized == NULL)
for (i = htp_state->new_in_tx_index;
i < list_size(htp_state->connp->conn->transactions); i++)
{
tx = list_get(htp_state->connp->conn->transactions, i);
if (tx == NULL || tx->request_uri_normalized == NULL)
continue;
cnt += DoDetectAppLayerUricontentMatch(tv, det_ctx, (uint8_t *)
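Review bot: DetectUricontentInspectMpm iterates with `uint8_t i` against `list_size(htp_state->connp->conn->transactions)`, so after 255 transactions on one connection the counter wraps and the MPM loop never exits; declare `size_t i;` instead. No lock acquisition is visible in this hunk, so if `connp->conn->transactions` can be mutated by the parser concurrently that needs to be confirmed at the caller. The function continues past the hunk.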

@ -86,6 +86,7 @@ int DetectUrilenMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
{
SCEnter();
int ret = 0;
uint8_t i;
DetectUrilenData *urilend = (DetectUrilenData *) m->ctx;
HtpState *htp_state = (HtpState *)state;
@ -95,31 +96,35 @@ int DetectUrilenMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
}
SCMutexLock(&f->m);
htp_tx_t *tx = list_get(htp_state->recent_in_tx, 0);
if (tx == NULL || tx->request_uri_normalized == NULL)
goto end;
switch (urilend->mode) {
case DETECT_URILEN_EQ:
if (bstr_len(tx->request_uri_normalized) == urilend->urilen1)
ret = 1;
break;
case DETECT_URILEN_LT:
if (bstr_len(tx->request_uri_normalized) < urilend->urilen1)
ret = 1;
break;
case DETECT_URILEN_GT:
if (bstr_len(tx->request_uri_normalized) > urilend->urilen1)
ret = 1;
break;
case DETECT_URILEN_RA:
if (bstr_len(tx->request_uri_normalized) > urilend->urilen1 &&
bstr_len(tx->request_uri_normalized) < urilend->urilen2)
ret = 1;
break;
htp_tx_t *tx = NULL;
for (i = htp_state->new_in_tx_index;
i < list_size(htp_state->connp->conn->transactions); i++)
{
tx = list_get(htp_state->connp->conn->transactions, i);
if (tx == NULL || tx->request_uri_normalized == NULL)
goto end;
switch (urilend->mode) {
case DETECT_URILEN_EQ:
if (bstr_len(tx->request_uri_normalized) == urilend->urilen1)
ret = 1;
break;
case DETECT_URILEN_LT:
if (bstr_len(tx->request_uri_normalized) < urilend->urilen1)
ret = 1;
break;
case DETECT_URILEN_GT:
if (bstr_len(tx->request_uri_normalized) > urilend->urilen1)
ret = 1;
break;
case DETECT_URILEN_RA:
if (bstr_len(tx->request_uri_normalized) > urilend->urilen1 &&
bstr_len(tx->request_uri_normalized) < urilend->urilen2)
ret = 1;
break;
}
}
end:
SCMutexUnlock(&f->m);
SCReturnInt(ret);
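Review bot: inside the new loop `if (tx == NULL || tx->request_uri_normalized == NULL) goto end;` abandons matching for every later transaction as soon as one slot is NULL or has no normalized URI, whereas the other detect loops in this commit `continue`; since HTPCallbackResponse leaves destroyed transactions as NULL entries, a request that follows a completed one can never match urilen. Change that line to `continue;`. The `uint8_t i` counter compared against `list_size()` also wraps after 255 entries and then spins forever under `f->m`; use `size_t i;`.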

@ -310,7 +310,6 @@ int SigLoadSignatures (DetectEngineCtx *de_ctx, char *sig_file)
{
SCEnter();
Signature *prevsig = NULL, *sig;
ConfNode *rule_files;
ConfNode *file = NULL;
int ret = 0;
@ -320,39 +319,7 @@ int SigLoadSignatures (DetectEngineCtx *de_ctx, char *sig_file)
int sigtotal = 0;
char *sfile = NULL;
/* The next 3 rules handle HTTP header capture. */
/* http_uri -- for uricontent */
sig = SigInit(de_ctx, "alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP GET URI cap\"; flow:to_server,established; content:\"GET \"; depth:4; pcre:\"/^GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; noalert; sid:1;)");
if (sig == NULL)
ret = -1;
prevsig = sig;
de_ctx->sig_list = sig;
sig = SigInit(de_ctx, "alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP POST URI cap\"; flow:to_server,established; content:\"POST \"; depth:5; pcre:\"/^POST (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; noalert; sid:2;)");
if (sig == NULL)
ret = -1;
prevsig->next = sig;
prevsig = sig;
/* http_host -- for the log-httplog module */
sig = SigInit(de_ctx, "alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP host cap\"; flow:to_server,established; content:\"|0d 0a|Host:\"; pcre:\"/^Host: (?P<pkt_http_host>.*)\\r\\n/m\"; noalert; sid:3;)");
if (sig == NULL)
ret = -1;
prevsig->next = sig;
prevsig = sig;
/* http_ua -- for the log-httplog module */
sig = SigInit(de_ctx, "alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP UA cap\"; flow:to_server,established; content:\"|0d 0a|User-Agent:\"; pcre:\"/^User-Agent: (?P<pkt_http_ua>.*)\\r\\n/m\"; noalert; sid:4;)");
if (sig == NULL)
ret = -1;
prevsig->next = sig;
/* ok, now let's load signature files from the general config */
/* ok, let's load signature files from the general config */
rule_files = ConfGetNode("rule-files");
if (rule_files != NULL) {
TAILQ_FOREACH(file, &rule_files->head, next) {

@ -22,6 +22,9 @@
#include "output.h"
#include "log-httplog.h"
#include "app-layer-htp.h"
#include <htp/dslib.h>
#include "app-layer.h"
#define DEFAULT_LOG_FILENAME "http.log"
@ -83,88 +86,196 @@ static void CreateTimeString (const struct timeval *ts, char *str, size_t size)
TmEcode LogHttpLogIPv4(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq)
{
SCEnter();
LogHttpLogThread *aft = (LogHttpLogThread *)data;
int i;
char timebuf[64];
uint8_t i = 0;
/* check if we have HTTP state or not */
SCMutexLock(&p->flow->m);
HtpState *htp_state = (HtpState *)AppLayerGetProtoStateFromPacket(p);
if (htp_state == NULL) {
SCLogDebug("no http state, so no request logging");
goto end;
}
/* XXX add a better check for this */
if (p->http_uri.cnt == 0)
return TM_ECODE_OK;
PktVar *pv_hn = PktVarGet(p, "http_host");
PktVar *pv_ua = PktVarGet(p, "http_ua");
if ( !(htp_state->flags & HTP_FLAG_NEW_REQUEST)) {
SCLogDebug("no new http request , so no request logging");
goto end;
}
htp_tx_t *tx = NULL;
CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
char srcip[16], dstip[16];
inet_ntop(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));
inet_ntop(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));
Port sp;
Port dp;
if ((PKT_IS_TOSERVER(p))) {
inet_ntop(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));
inet_ntop(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));
sp = p->sp;
dp = p->dp;
} else {
inet_ntop(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), srcip, sizeof(srcip));
inet_ntop(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), dstip, sizeof(dstip));
sp = p->dp;
dp = p->sp;
}
SCMutexLock(&aft->file_ctx->fp_mutex);
for (i = 0; i < p->http_uri.cnt; i++) {
for (i = htp_state->new_in_tx_index;
i < list_size(htp_state->connp->conn->transactions); i++)
{
tx = list_get(htp_state->connp->conn->transactions, i);
if (tx == NULL) {
SCLogDebug("tx is NULL not logging !!");
continue;
}
SCLogDebug("got a HTTP request and now logging !!");
/* time */
fprintf(aft->file_ctx->fp, "%s ", timebuf);
/* hostname */
if (pv_hn != NULL) PrintRawUriFp(aft->file_ctx->fp, pv_hn->value, pv_hn->value_len);
else fprintf(aft->file_ctx->fp, "<hostname unknown>");
if (tx->parsed_uri != NULL &&
tx->parsed_uri->hostname != NULL)
{
PrintRawUriFp(aft->file_ctx->fp,
(uint8_t *)bstr_ptr(tx->parsed_uri->hostname),
bstr_len(tx->parsed_uri->hostname));
} else {
fprintf(aft->file_ctx->fp, "<hostname unknown>");
}
fprintf(aft->file_ctx->fp, " [**] ");
/* uri */
PrintRawUriFp(aft->file_ctx->fp, p->http_uri.raw[i], p->http_uri.raw_size[i]);
if (tx->request_uri != NULL) {
PrintRawUriFp(aft->file_ctx->fp,
(uint8_t *)bstr_ptr(tx->request_uri),
bstr_len(tx->request_uri));
}
fprintf(aft->file_ctx->fp, " [**] ");
/* user agent */
if (pv_ua != NULL) PrintRawUriFp(aft->file_ctx->fp, pv_ua->value, pv_ua->value_len);
else fprintf(aft->file_ctx->fp, "<useragent unknown>");
htp_header_t *h_user_agent = table_getc(tx->request_headers, "user-agent");
if (h_user_agent != NULL) {
PrintRawUriFp(aft->file_ctx->fp,
(uint8_t *)bstr_ptr(h_user_agent->value),
bstr_len(h_user_agent->value));
} else {
fprintf(aft->file_ctx->fp, "<useragent unknown>");
}
/* ip/tcp header info */
fprintf(aft->file_ctx->fp, " [**] %s:%" PRIu32 " -> %s:%" PRIu32 "\n", srcip, p->sp, dstip, p->dp);
fprintf(aft->file_ctx->fp, " [**] %s:%" PRIu32 " -> %s:%" PRIu32 "\n",
srcip, sp, dstip, dp);
}
fflush(aft->file_ctx->fp);
SCMutexUnlock(&aft->file_ctx->fp_mutex);
aft->uri_cnt += p->http_uri.cnt;
return TM_ECODE_OK;
aft->uri_cnt += list_size(htp_state->connp->conn->transactions) -
htp_state->new_in_tx_index;
htp_state->flags &= ~HTP_FLAG_NEW_REQUEST;
end:
SCMutexUnlock(&p->flow->m);
SCReturnUInt(TM_ECODE_OK);
}
TmEcode LogHttpLogIPv6(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq)
{
SCEnter();
LogHttpLogThread *aft = (LogHttpLogThread *)data;
int i;
char timebuf[64];
uint8_t i = 0;
/* check if we have HTTP state or not */
SCMutexLock(&p->flow->m);
HtpState *htp_state = (HtpState *)AppLayerGetProtoStateFromPacket(p);
if (htp_state == NULL) {
SCLogDebug("no http state, so no request logging");
goto end;
}
/* XXX add a better check for this */
if (p->http_uri.cnt == 0)
return TM_ECODE_OK;
PktVar *pv_hn = PktVarGet(p, "http_host");
PktVar *pv_ua = PktVarGet(p, "http_ua");
if ( !(htp_state->flags & HTP_FLAG_NEW_REQUEST)) {
SCLogDebug("no new http request , so no request logging");
goto end;
}
htp_tx_t *tx = NULL;
CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
char srcip[46], dstip[46];
inet_ntop(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
inet_ntop(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
Port sp;
Port dp;
if ((PKT_IS_TOSERVER(p))) {
inet_ntop(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
inet_ntop(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
sp = p->sp;
dp = p->dp;
} else {
inet_ntop(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
inet_ntop(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
sp = p->dp;
dp = p->sp;
}
SCMutexLock(&aft->file_ctx->fp_mutex);
for (i = 0; i < p->http_uri.cnt; i++) {
for (i = htp_state->new_in_tx_index;
i < list_size(htp_state->connp->conn->transactions); i++)
{
tx = list_get(htp_state->connp->conn->transactions, i);
if (tx == NULL) {
SCLogDebug("tx is NULL not logging !!");
continue;
}
SCLogDebug("got a HTTP request and now logging !!");
/* time */
fprintf(aft->file_ctx->fp, "%s ", timebuf);
/* hostname */
if (pv_hn != NULL) PrintRawUriFp(aft->file_ctx->fp, pv_hn->value, pv_hn->value_len);
else fprintf(aft->file_ctx->fp, "<hostname unknown>");
if (tx->parsed_uri != NULL &&
tx->parsed_uri->hostname != NULL)
{
PrintRawUriFp(aft->file_ctx->fp,
(uint8_t *)bstr_ptr(tx->parsed_uri->hostname),
bstr_len(tx->parsed_uri->hostname));
} else {
fprintf(aft->file_ctx->fp, "<hostname unknown>");
}
fprintf(aft->file_ctx->fp, " [**] ");
/* uri */
PrintRawUriFp(aft->file_ctx->fp, p->http_uri.raw[i], p->http_uri.raw_size[i]);
if (tx->request_uri != NULL) {
PrintRawUriFp(aft->file_ctx->fp,
(uint8_t *)bstr_ptr(tx->request_uri),
bstr_len(tx->request_uri));
}
fprintf(aft->file_ctx->fp, " [**] ");
/* user agent */
if (pv_ua != NULL) PrintRawUriFp(aft->file_ctx->fp, pv_ua->value, pv_ua->value_len);
else fprintf(aft->file_ctx->fp, "<useragent unknown>");
htp_header_t *h_user_agent = table_getc(tx->request_headers, "user-agent");
if (h_user_agent != NULL) {
PrintRawUriFp(aft->file_ctx->fp,
(uint8_t *)bstr_ptr(h_user_agent->value),
bstr_len(h_user_agent->value));
} else {
fprintf(aft->file_ctx->fp, "<useragent unknown>");
}
/* ip/tcp header info */
fprintf(aft->file_ctx->fp, " [**] %s:%" PRIu32 " -> %s:%" PRIu32 "\n", srcip, p->sp, dstip, p->dp);
fprintf(aft->file_ctx->fp, " [**] %s:%" PRIu32 " -> %s:%" PRIu32 "\n",
srcip, sp, dstip, dp);
}
fflush(aft->file_ctx->fp);
SCMutexUnlock(&aft->file_ctx->fp_mutex);
aft->uri_cnt += p->http_uri.cnt;
return TM_ECODE_OK;
aft->uri_cnt += list_size(htp_state->connp->conn->transactions) -
htp_state->new_in_tx_index;
htp_state->flags &= ~HTP_FLAG_NEW_REQUEST;
end:
SCMutexUnlock(&p->flow->m);
SCReturnUInt(TM_ECODE_OK);
}
TmEcode LogHttpLog (ThreadVars *tv, Packet *p, void *data, PacketQueue *pq)
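Review bot: in LogHttpLogIPv6 the to-client branch (`} else {`) still writes GET_IPV6_SRC_ADDR into `srcip` and GET_IPV6_DST_ADDR into `dstip` while swapping the ports, so a response packet is logged with the client's address next to the server's port; mirror the IPv4 version with `inet_ntop(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), srcip, sizeof(srcip));` and `inet_ntop(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), dstip, sizeof(dstip));`. Both functions iterate with `uint8_t i` up to `list_size(...)`, which wraps after 255 transactions and loops forever while holding both `p->flow->m` and `fp_mutex`; use `size_t i`. `SCMutexLock(&p->flow->m)` is taken before anything checks `p->flow`, which is safe only if LogHttpLog (whose body is outside this hunk) guarantees a flow is attached. `aft->uri_cnt += list_size(...) - new_in_tx_index` also counts NULL slots that the loop skipped; count only the entries actually written.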
