app layer htp logging and better htp request handling. removed recent_in_tx.

remotes/origin/master-1.0.x
Gurvinder Singh 16 years ago committed by Victor Julien
parent aa1564791d
commit 50f7d0a887

@ -64,15 +64,6 @@ static void *HTPStateAlloc(void)
s->body.operation = HTP_BODY_NONE; s->body.operation = HTP_BODY_NONE;
s->body.pcre_flags = HTP_PCRE_NONE; s->body.pcre_flags = HTP_PCRE_NONE;
/* Create a list_array of size 8 to store the incoming requests, the size of
8 has been chosen as half the size of conn->transactions in the
HTP lib. As we are storing only requests here not responses!! */
s->recent_in_tx = list_array_create(8);
if (s->recent_in_tx == NULL) {
SCLogDebug("list_array_create returned NULL");
goto error;
}
htp_connp_set_user_data(s->connp, (void *)s); htp_connp_set_user_data(s->connp, (void *)s);
#ifdef DEBUG #ifdef DEBUG
@ -108,10 +99,6 @@ static void HTPStateFree(void *state)
if (s->connp != NULL) { if (s->connp != NULL) {
htp_connp_destroy_all(s->connp); htp_connp_destroy_all(s->connp);
} }
if (s->recent_in_tx != NULL) {
list_destroy(s->recent_in_tx);
}
/* free the list of body chunks */ /* free the list of body chunks */
if (s->body.nchunks > 0) { if (s->body.nchunks > 0) {
HtpBodyFree(&s->body); HtpBodyFree(&s->body);
@ -170,7 +157,7 @@ static int HTPHandleRequestData(Flow *f, void *htp_state,
/* Unset the body inspection (the callback should /* Unset the body inspection (the callback should
* reactivate it if necessary) */ * reactivate it if necessary) */
hstate->flags &= ~HTP_NEW_BODY_SET; hstate->flags &= ~HTP_FLAG_NEW_BODY_SET;
/* Open the HTTP connection on receiving the first request */ /* Open the HTTP connection on receiving the first request */
if (!(hstate->flags & HTP_FLAG_STATE_OPEN)) { if (!(hstate->flags & HTP_FLAG_STATE_OPEN)) {
@ -199,7 +186,7 @@ static int HTPHandleRequestData(Flow *f, void *htp_state,
} }
hstate->flags |= HTP_FLAG_STATE_ERROR; hstate->flags |= HTP_FLAG_STATE_ERROR;
hstate->flags &= ~HTP_FLAG_STATE_DATA; hstate->flags &= ~HTP_FLAG_STATE_DATA;
hstate->flags &= ~HTP_NEW_BODY_SET; hstate->flags &= ~HTP_FLAG_NEW_BODY_SET;
ret = -1; ret = -1;
break; break;
case STREAM_STATE_DATA: case STREAM_STATE_DATA:
@ -209,12 +196,12 @@ static int HTPHandleRequestData(Flow *f, void *htp_state,
SCLogDebug("CONNECT not supported yet"); SCLogDebug("CONNECT not supported yet");
hstate->flags |= HTP_FLAG_STATE_ERROR; hstate->flags |= HTP_FLAG_STATE_ERROR;
hstate->flags &= ~HTP_FLAG_STATE_DATA; hstate->flags &= ~HTP_FLAG_STATE_DATA;
hstate->flags &= ~HTP_NEW_BODY_SET; hstate->flags &= ~HTP_FLAG_NEW_BODY_SET;
ret = -1; ret = -1;
break; break;
default: default:
hstate->flags &= ~HTP_FLAG_STATE_DATA; hstate->flags &= ~HTP_FLAG_STATE_DATA;
hstate->flags &= ~HTP_NEW_BODY_SET; hstate->flags &= ~HTP_FLAG_NEW_BODY_SET;
} }
/* if we the TCP connection is closed, then close the HTTP connection */ /* if we the TCP connection is closed, then close the HTTP connection */
@ -256,7 +243,7 @@ static int HTPHandleResponseData(Flow *f, void *htp_state,
/* Unset the body inspection (the callback should /* Unset the body inspection (the callback should
* reactivate it if necessary) */ * reactivate it if necessary) */
hstate->flags &= ~HTP_NEW_BODY_SET; hstate->flags &= ~HTP_FLAG_NEW_BODY_SET;
r = htp_connp_res_data(hstate->connp, 0, input, input_len); r = htp_connp_res_data(hstate->connp, 0, input, input_len);
switch(r) { switch(r) {
@ -274,7 +261,7 @@ static int HTPHandleResponseData(Flow *f, void *htp_state,
} }
hstate->flags = HTP_FLAG_STATE_ERROR; hstate->flags = HTP_FLAG_STATE_ERROR;
hstate->flags &= ~HTP_FLAG_STATE_DATA; hstate->flags &= ~HTP_FLAG_STATE_DATA;
hstate->flags &= ~HTP_NEW_BODY_SET; hstate->flags &= ~HTP_FLAG_NEW_BODY_SET;
ret = -1; ret = -1;
break; break;
case STREAM_STATE_DATA: case STREAM_STATE_DATA:
@ -284,12 +271,12 @@ static int HTPHandleResponseData(Flow *f, void *htp_state,
SCLogDebug("CONNECT not supported yet"); SCLogDebug("CONNECT not supported yet");
hstate->flags = HTP_FLAG_STATE_ERROR; hstate->flags = HTP_FLAG_STATE_ERROR;
hstate->flags &= ~HTP_FLAG_STATE_DATA; hstate->flags &= ~HTP_FLAG_STATE_DATA;
hstate->flags &= ~HTP_NEW_BODY_SET; hstate->flags &= ~HTP_FLAG_NEW_BODY_SET;
ret = -1; ret = -1;
break; break;
default: default:
hstate->flags &= ~HTP_FLAG_STATE_DATA; hstate->flags &= ~HTP_FLAG_STATE_DATA;
hstate->flags &= ~HTP_NEW_BODY_SET; hstate->flags &= ~HTP_FLAG_NEW_BODY_SET;
} }
/* if we the TCP connection is closed, then close the HTTP connection */ /* if we the TCP connection is closed, then close the HTTP connection */
@ -442,7 +429,7 @@ int HTPCallbackRequestBodyData(htp_tx_data_t *d)
} }
/* set the new chunk flag */ /* set the new chunk flag */
hstate->flags |= HTP_NEW_BODY_SET; hstate->flags |= HTP_FLAG_NEW_BODY_SET;
SCReturnInt(HOOK_OK); SCReturnInt(HOOK_OK);
} }
@ -477,12 +464,13 @@ static int HTPCallbackRequest(htp_connp_t *connp) {
HtpState *hstate = (HtpState *)connp->user_data; HtpState *hstate = (HtpState *)connp->user_data;
if (hstate == NULL) { if (hstate == NULL) {
/** \todo error condition, what should we return? */ SCReturnInt(HOOK_ERROR);
SCReturnInt(0);
} }
if (! (hstate->flags & HTP_FLAG_NEW_REQUEST)) {
list_add(hstate->recent_in_tx, connp->in_tx); hstate->flags |= HTP_FLAG_NEW_REQUEST;
SCReturnInt(0); hstate->new_in_tx_index = list_size(hstate->connp->conn->transactions) - 1;
}
SCReturnInt(HOOK_OK);
} }
/** /**
@ -494,10 +482,10 @@ static int HTPCallbackRequest(htp_connp_t *connp) {
static int HTPCallbackResponse(htp_connp_t *connp) { static int HTPCallbackResponse(htp_connp_t *connp) {
SCEnter(); SCEnter();
uint8_t i;
HtpState *hstate = (HtpState *)connp->user_data; HtpState *hstate = (HtpState *)connp->user_data;
if (hstate == NULL) { if (hstate == NULL) {
/** \todo error condition, what should we return? */ SCReturnInt(HOOK_ERROR);
SCReturnInt(0);
} }
/* Free data when we have a response */ /* Free data when we have a response */
@ -506,22 +494,15 @@ static int HTPCallbackResponse(htp_connp_t *connp) {
hstate->body.operation = HTP_BODY_RESPONSE; hstate->body.operation = HTP_BODY_RESPONSE;
hstate->body.pcre_flags = HTP_PCRE_NONE; hstate->body.pcre_flags = HTP_PCRE_NONE;
while (list_size(hstate->recent_in_tx) > 0) {
htp_tx_t *tx = list_pop(hstate->recent_in_tx);
if (tx != NULL) {
htp_tx_destroy(tx);
}
}
#if 0 /* VJ disabled for now */
/* Clear the trasactions which are processed by the engine from libhtp. /* Clear the trasactions which are processed by the engine from libhtp.
This helps in reducing the meory consumptions of libhtp */ This helps in reducing the meory consumptions of libhtp */
while (list_size(hstate->connp->conn->transactions) > 0) { for (i = 0; i< hstate->new_in_tx_index; i++) {
htp_tx_t *tx = list_pop(hstate->connp->conn->transactions); htp_tx_t *tx = list_get(hstate->connp->conn->transactions, i);
if (tx != NULL) if (tx != NULL)
htp_tx_destroy(tx); htp_tx_destroy(tx);
} }
#endif
SCReturnInt(0); SCReturnInt(HOOK_OK);
} }
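Review bot: The loop added to HTPCallbackResponse, `for (i = 0; i< hstate->new_in_tx_index; i++)`, calls htp_tx_destroy on the first new_in_tx_index entries of conn->transactions on every response, but nothing in the hunk removes those entries from the list or lowers new_in_tx_index, so the same slots are visited again on the next response; that is a double free driven by an ordinary keep-alive client unless htp_tx_destroy itself replaces its slot with NULL, which the `if (tx != NULL)` guard seems to assume and which should be confirmed against the libhtp version in use. HTPCallbackRequest records new_in_tx_index only while HTP_FLAG_NEW_REQUEST is clear, and in this commit the flag is cleared only by LogHttpLogIPv4/IPv6, so when the http log output is not enabled the index appears never to advance, the response callback destroys nothing and conn->transactions grows for the lifetime of the connection; clearing the flag in the response callback once the detect modules have had their pass would bound that. A why-comment on the loop would also help, e.g. `/* drop transactions that have already been inspected and logged; entries below new_in_tx_index are never read again */`.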
/** /**

@ -23,10 +23,12 @@
#define HTP_FLAG_STATE_ERROR 0x08 /**< Flag to indicate that an error #define HTP_FLAG_STATE_ERROR 0x08 /**< Flag to indicate that an error
has been occured on HTTP has been occured on HTTP
connection */ connection */
#define HTP_FLAG_NEW_BODY_SET 0x10 /**< Flag to indicate that HTTP
#define HTP_NEW_BODY_SET 0x10 /**< Flag to indicate that HTTP
has parsed a new body (for has parsed a new body (for
pcre) */ pcre) */
#define HTP_FLAG_NEW_REQUEST 0x20 /**< Flag to indicate that we have
a new HTTP requesta and we
need to log it */
enum { enum {
@ -69,8 +71,9 @@ typedef struct HtpState_ {
htp_connp_t *connp; /**< Connection parser structure for htp_connp_t *connp; /**< Connection parser structure for
each connection */ each connection */
uint8_t flags; uint8_t flags;
list_t *recent_in_tx; /**< Point to the new received HTTP request */
HtpBody body; /**< Body of the request (if any) */ HtpBody body; /**< Body of the request (if any) */
uint8_t new_in_tx_index; /**< Index to indicate that after this we have
new requests to log */
} HtpState; } HtpState;
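Review bot: `uint8_t new_in_tx_index` cannot hold more than 255, yet HTPCallbackRequest stores `list_size(hstate->connp->conn->transactions) - 1` into it, and the new loops in detect-http-cookie.c, detect-http-method.c, detect-uricontent.c, detect-urilen.c and log-httplog.c use a `uint8_t i` counter compared against `list_size(...)`; once a keep-alive connection carries more than 255 requests the stored index truncates and the counters wrap from 255 to 0 before reaching list_size, so those loops never terminate. The number of requests on a connection is chosen by the remote peer, so this is a hang a client can trigger. Declare the field `size_t new_in_tx_index;` and use `size_t i` in each of those loops (assuming list_size returns a size_t-sized count, which the hunks do not show). The new doc comment also has a typo: `requesta` should read `request`.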

@ -73,6 +73,7 @@ int DetectHttpCookieMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
SCEnter(); SCEnter();
int ret = 0; int ret = 0;
uint8_t i;
SCMutexLock(&f->m); SCMutexLock(&f->m);
SCLogDebug("got lock %p", &f->m); SCLogDebug("got lock %p", &f->m);
@ -100,9 +101,14 @@ int DetectHttpCookieMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
} }
htp_tx_t *tx = NULL; htp_tx_t *tx = NULL;
list_iterator_reset(htp_state->recent_in_tx);
while ((tx = list_iterator_next(htp_state->recent_in_tx)) != NULL) { for (i = htp_state->new_in_tx_index;
i < list_size(htp_state->connp->conn->transactions); i++)
{
tx = list_get(htp_state->connp->conn->transactions, i);
if (tx == NULL)
continue;
htp_header_t *h = NULL; htp_header_t *h = NULL;
h = (htp_header_t *) table_getc(tx->request_headers, "Cookie"); h = (htp_header_t *) table_getc(tx->request_headers, "Cookie");
if (h == NULL) { if (h == NULL) {
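Review bot: The new `for` in DetectHttpCookieMatch places its opening brace on a line of its own, while the surrounding code and the while-loop it replaces keep the brace on the statement line; the equivalent loops in detect-http-method.c, detect-uricontent.c, detect-urilen.c and log-httplog.c use the same detached-brace layout. Keeping the files' existing style, e.g. `for (i = htp_state->new_in_tx_index; i < list_size(htp_state->connp->conn->transactions); i++) {`, avoids mixing two brace conventions in one function. The loop body continues past the end of the hunk.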

@ -71,6 +71,7 @@ int DetectHttpMethodMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
Signature *s, SigMatch *m) Signature *s, SigMatch *m)
{ {
SCEnter(); SCEnter();
uint8_t i;
DetectHttpMethodData *data = (DetectHttpMethodData *)m->ctx; DetectHttpMethodData *data = (DetectHttpMethodData *)m->ctx;
HtpState *hs = (HtpState *)state; HtpState *hs = (HtpState *)state;
htp_tx_t *tx = NULL; htp_tx_t *tx = NULL;
@ -82,9 +83,12 @@ int DetectHttpMethodMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
} }
SCMutexLock(&f->m); SCMutexLock(&f->m);
list_iterator_reset(hs->recent_in_tx); for (i = hs->new_in_tx_index; i < list_size(hs->connp->conn->transactions); i++)
{
tx = list_get(hs->connp->conn->transactions, i);
if (tx == NULL)
continue;
while ((tx = list_iterator_next(hs->recent_in_tx)) != NULL) {
/* Compare the numeric methods if they are known, otherwise compare /* Compare the numeric methods if they are known, otherwise compare
* the raw values. * the raw values.

@ -549,6 +549,7 @@ int DetectAppLayerUricontentMatch (ThreadVars *tv, DetectEngineThreadCtx *det_ct
uint32_t DetectUricontentInspectMpm(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, void *alstate) { uint32_t DetectUricontentInspectMpm(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, void *alstate) {
SCEnter(); SCEnter();
uint32_t cnt = 0; uint32_t cnt = 0;
uint8_t i;
HtpState *htp_state = (HtpState *)alstate; HtpState *htp_state = (HtpState *)alstate;
if (htp_state == NULL) { if (htp_state == NULL) {
@ -557,10 +558,12 @@ uint32_t DetectUricontentInspectMpm(ThreadVars *tv, DetectEngineThreadCtx *det_c
} }
htp_tx_t *tx = NULL; htp_tx_t *tx = NULL;
list_iterator_reset(htp_state->recent_in_tx);
while ((tx = list_iterator_next(htp_state->recent_in_tx)) != NULL) { for (i = htp_state->new_in_tx_index;
if (tx->request_uri_normalized == NULL) i < list_size(htp_state->connp->conn->transactions); i++)
{
tx = list_get(htp_state->connp->conn->transactions, i);
if (tx == NULL || tx->request_uri_normalized == NULL)
continue; continue;
cnt += DoDetectAppLayerUricontentMatch(tv, det_ctx, (uint8_t *) cnt += DoDetectAppLayerUricontentMatch(tv, det_ctx, (uint8_t *)

@ -86,6 +86,7 @@ int DetectUrilenMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
{ {
SCEnter(); SCEnter();
int ret = 0; int ret = 0;
uint8_t i;
DetectUrilenData *urilend = (DetectUrilenData *) m->ctx; DetectUrilenData *urilend = (DetectUrilenData *) m->ctx;
HtpState *htp_state = (HtpState *)state; HtpState *htp_state = (HtpState *)state;
@ -95,8 +96,12 @@ int DetectUrilenMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
} }
SCMutexLock(&f->m); SCMutexLock(&f->m);
htp_tx_t *tx = list_get(htp_state->recent_in_tx, 0); htp_tx_t *tx = NULL;
for (i = htp_state->new_in_tx_index;
i < list_size(htp_state->connp->conn->transactions); i++)
{
tx = list_get(htp_state->connp->conn->transactions, i);
if (tx == NULL || tx->request_uri_normalized == NULL) if (tx == NULL || tx->request_uri_normalized == NULL)
goto end; goto end;
@ -119,7 +124,7 @@ int DetectUrilenMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *f,
ret = 1; ret = 1;
break; break;
} }
}
end: end:
SCMutexUnlock(&f->m); SCMutexUnlock(&f->m);
SCReturnInt(ret); SCReturnInt(ret);
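Review bot: Inside the new loop in DetectUrilenMatch, `if (tx == NULL || tx->request_uri_normalized == NULL) goto end;` abandons the whole match as soon as one transaction slot is NULL or has no normalized URI, whereas the sibling loops in detect-http-cookie.c, detect-http-method.c and detect-uricontent.c `continue` to the next transaction; a single empty slot therefore silences urilen for every later request on that connection. Change that line to `continue;` so the remaining transactions are still inspected; ret stays 0 when nothing matches and the `break` on a match is unaffected. The per-transaction comparison sits between the two hunks.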

@ -310,7 +310,6 @@ int SigLoadSignatures (DetectEngineCtx *de_ctx, char *sig_file)
{ {
SCEnter(); SCEnter();
Signature *prevsig = NULL, *sig;
ConfNode *rule_files; ConfNode *rule_files;
ConfNode *file = NULL; ConfNode *file = NULL;
int ret = 0; int ret = 0;
@ -320,39 +319,7 @@ int SigLoadSignatures (DetectEngineCtx *de_ctx, char *sig_file)
int sigtotal = 0; int sigtotal = 0;
char *sfile = NULL; char *sfile = NULL;
/* The next 3 rules handle HTTP header capture. */ /* ok, let's load signature files from the general config */
/* http_uri -- for uricontent */
sig = SigInit(de_ctx, "alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP GET URI cap\"; flow:to_server,established; content:\"GET \"; depth:4; pcre:\"/^GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; noalert; sid:1;)");
if (sig == NULL)
ret = -1;
prevsig = sig;
de_ctx->sig_list = sig;
sig = SigInit(de_ctx, "alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP POST URI cap\"; flow:to_server,established; content:\"POST \"; depth:5; pcre:\"/^POST (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; noalert; sid:2;)");
if (sig == NULL)
ret = -1;
prevsig->next = sig;
prevsig = sig;
/* http_host -- for the log-httplog module */
sig = SigInit(de_ctx, "alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP host cap\"; flow:to_server,established; content:\"|0d 0a|Host:\"; pcre:\"/^Host: (?P<pkt_http_host>.*)\\r\\n/m\"; noalert; sid:3;)");
if (sig == NULL)
ret = -1;
prevsig->next = sig;
prevsig = sig;
/* http_ua -- for the log-httplog module */
sig = SigInit(de_ctx, "alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP UA cap\"; flow:to_server,established; content:\"|0d 0a|User-Agent:\"; pcre:\"/^User-Agent: (?P<pkt_http_ua>.*)\\r\\n/m\"; noalert; sid:4;)");
if (sig == NULL)
ret = -1;
prevsig->next = sig;
/* ok, now let's load signature files from the general config */
rule_files = ConfGetNode("rule-files"); rule_files = ConfGetNode("rule-files");
if (rule_files != NULL) { if (rule_files != NULL) {
TAILQ_FOREACH(file, &rule_files->head, next) { TAILQ_FOREACH(file, &rule_files->head, next) {

@ -22,6 +22,9 @@
#include "output.h" #include "output.h"
#include "log-httplog.h" #include "log-httplog.h"
#include "app-layer-htp.h"
#include <htp/dslib.h>
#include "app-layer.h"
#define DEFAULT_LOG_FILENAME "http.log" #define DEFAULT_LOG_FILENAME "http.log"
@ -83,88 +86,196 @@ static void CreateTimeString (const struct timeval *ts, char *str, size_t size)
TmEcode LogHttpLogIPv4(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq) TmEcode LogHttpLogIPv4(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq)
{ {
SCEnter();
LogHttpLogThread *aft = (LogHttpLogThread *)data; LogHttpLogThread *aft = (LogHttpLogThread *)data;
int i;
char timebuf[64]; char timebuf[64];
uint8_t i = 0;
/* check if we have HTTP state or not */
SCMutexLock(&p->flow->m);
HtpState *htp_state = (HtpState *)AppLayerGetProtoStateFromPacket(p);
if (htp_state == NULL) {
SCLogDebug("no http state, so no request logging");
goto end;
}
/* XXX add a better check for this */ if ( !(htp_state->flags & HTP_FLAG_NEW_REQUEST)) {
if (p->http_uri.cnt == 0) SCLogDebug("no new http request , so no request logging");
return TM_ECODE_OK; goto end;
}
PktVar *pv_hn = PktVarGet(p, "http_host"); htp_tx_t *tx = NULL;
PktVar *pv_ua = PktVarGet(p, "http_ua");
CreateTimeString(&p->ts, timebuf, sizeof(timebuf)); CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
char srcip[16], dstip[16]; char srcip[16], dstip[16];
Port sp;
Port dp;
if ((PKT_IS_TOSERVER(p))) {
inet_ntop(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip)); inet_ntop(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));
inet_ntop(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip)); inet_ntop(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));
sp = p->sp;
dp = p->dp;
} else {
inet_ntop(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), srcip, sizeof(srcip));
inet_ntop(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), dstip, sizeof(dstip));
sp = p->dp;
dp = p->sp;
}
SCMutexLock(&aft->file_ctx->fp_mutex); SCMutexLock(&aft->file_ctx->fp_mutex);
for (i = 0; i < p->http_uri.cnt; i++) { for (i = htp_state->new_in_tx_index;
i < list_size(htp_state->connp->conn->transactions); i++)
{
tx = list_get(htp_state->connp->conn->transactions, i);
if (tx == NULL) {
SCLogDebug("tx is NULL not logging !!");
continue;
}
SCLogDebug("got a HTTP request and now logging !!");
/* time */ /* time */
fprintf(aft->file_ctx->fp, "%s ", timebuf); fprintf(aft->file_ctx->fp, "%s ", timebuf);
/* hostname */ /* hostname */
if (pv_hn != NULL) PrintRawUriFp(aft->file_ctx->fp, pv_hn->value, pv_hn->value_len); if (tx->parsed_uri != NULL &&
else fprintf(aft->file_ctx->fp, "<hostname unknown>"); tx->parsed_uri->hostname != NULL)
{
PrintRawUriFp(aft->file_ctx->fp,
(uint8_t *)bstr_ptr(tx->parsed_uri->hostname),
bstr_len(tx->parsed_uri->hostname));
} else {
fprintf(aft->file_ctx->fp, "<hostname unknown>");
}
fprintf(aft->file_ctx->fp, " [**] "); fprintf(aft->file_ctx->fp, " [**] ");
/* uri */ /* uri */
PrintRawUriFp(aft->file_ctx->fp, p->http_uri.raw[i], p->http_uri.raw_size[i]); if (tx->request_uri != NULL) {
PrintRawUriFp(aft->file_ctx->fp,
(uint8_t *)bstr_ptr(tx->request_uri),
bstr_len(tx->request_uri));
}
fprintf(aft->file_ctx->fp, " [**] "); fprintf(aft->file_ctx->fp, " [**] ");
/* user agent */ /* user agent */
if (pv_ua != NULL) PrintRawUriFp(aft->file_ctx->fp, pv_ua->value, pv_ua->value_len); htp_header_t *h_user_agent = table_getc(tx->request_headers, "user-agent");
else fprintf(aft->file_ctx->fp, "<useragent unknown>"); if (h_user_agent != NULL) {
PrintRawUriFp(aft->file_ctx->fp,
(uint8_t *)bstr_ptr(h_user_agent->value),
bstr_len(h_user_agent->value));
} else {
fprintf(aft->file_ctx->fp, "<useragent unknown>");
}
/* ip/tcp header info */ /* ip/tcp header info */
fprintf(aft->file_ctx->fp, " [**] %s:%" PRIu32 " -> %s:%" PRIu32 "\n", srcip, p->sp, dstip, p->dp); fprintf(aft->file_ctx->fp, " [**] %s:%" PRIu32 " -> %s:%" PRIu32 "\n",
srcip, sp, dstip, dp);
} }
fflush(aft->file_ctx->fp); fflush(aft->file_ctx->fp);
SCMutexUnlock(&aft->file_ctx->fp_mutex); SCMutexUnlock(&aft->file_ctx->fp_mutex);
aft->uri_cnt += p->http_uri.cnt; aft->uri_cnt += list_size(htp_state->connp->conn->transactions) -
return TM_ECODE_OK; htp_state->new_in_tx_index;
htp_state->flags &= ~HTP_FLAG_NEW_REQUEST;
end:
SCMutexUnlock(&p->flow->m);
SCReturnUInt(TM_ECODE_OK);
} }
TmEcode LogHttpLogIPv6(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq) TmEcode LogHttpLogIPv6(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq)
{ {
SCEnter();
LogHttpLogThread *aft = (LogHttpLogThread *)data; LogHttpLogThread *aft = (LogHttpLogThread *)data;
int i;
char timebuf[64]; char timebuf[64];
uint8_t i = 0;
/* check if we have HTTP state or not */
SCMutexLock(&p->flow->m);
HtpState *htp_state = (HtpState *)AppLayerGetProtoStateFromPacket(p);
if (htp_state == NULL) {
SCLogDebug("no http state, so no request logging");
goto end;
}
/* XXX add a better check for this */ if ( !(htp_state->flags & HTP_FLAG_NEW_REQUEST)) {
if (p->http_uri.cnt == 0) SCLogDebug("no new http request , so no request logging");
return TM_ECODE_OK; goto end;
}
PktVar *pv_hn = PktVarGet(p, "http_host"); htp_tx_t *tx = NULL;
PktVar *pv_ua = PktVarGet(p, "http_ua");
CreateTimeString(&p->ts, timebuf, sizeof(timebuf)); CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
char srcip[46], dstip[46]; char srcip[46], dstip[46];
Port sp;
Port dp;
if ((PKT_IS_TOSERVER(p))) {
inet_ntop(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip)); inet_ntop(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
inet_ntop(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip)); inet_ntop(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
sp = p->sp;
dp = p->dp;
} else {
inet_ntop(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
inet_ntop(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
sp = p->dp;
dp = p->sp;
}
SCMutexLock(&aft->file_ctx->fp_mutex); SCMutexLock(&aft->file_ctx->fp_mutex);
for (i = 0; i < p->http_uri.cnt; i++) { for (i = htp_state->new_in_tx_index;
i < list_size(htp_state->connp->conn->transactions); i++)
{
tx = list_get(htp_state->connp->conn->transactions, i);
if (tx == NULL) {
SCLogDebug("tx is NULL not logging !!");
continue;
}
SCLogDebug("got a HTTP request and now logging !!");
/* time */ /* time */
fprintf(aft->file_ctx->fp, "%s ", timebuf); fprintf(aft->file_ctx->fp, "%s ", timebuf);
/* hostname */ /* hostname */
if (pv_hn != NULL) PrintRawUriFp(aft->file_ctx->fp, pv_hn->value, pv_hn->value_len); if (tx->parsed_uri != NULL &&
else fprintf(aft->file_ctx->fp, "<hostname unknown>"); tx->parsed_uri->hostname != NULL)
{
PrintRawUriFp(aft->file_ctx->fp,
(uint8_t *)bstr_ptr(tx->parsed_uri->hostname),
bstr_len(tx->parsed_uri->hostname));
} else {
fprintf(aft->file_ctx->fp, "<hostname unknown>");
}
fprintf(aft->file_ctx->fp, " [**] "); fprintf(aft->file_ctx->fp, " [**] ");
/* uri */ /* uri */
PrintRawUriFp(aft->file_ctx->fp, p->http_uri.raw[i], p->http_uri.raw_size[i]); if (tx->request_uri != NULL) {
PrintRawUriFp(aft->file_ctx->fp,
(uint8_t *)bstr_ptr(tx->request_uri),
bstr_len(tx->request_uri));
}
fprintf(aft->file_ctx->fp, " [**] "); fprintf(aft->file_ctx->fp, " [**] ");
/* user agent */ /* user agent */
if (pv_ua != NULL) PrintRawUriFp(aft->file_ctx->fp, pv_ua->value, pv_ua->value_len); htp_header_t *h_user_agent = table_getc(tx->request_headers, "user-agent");
else fprintf(aft->file_ctx->fp, "<useragent unknown>"); if (h_user_agent != NULL) {
PrintRawUriFp(aft->file_ctx->fp,
(uint8_t *)bstr_ptr(h_user_agent->value),
bstr_len(h_user_agent->value));
} else {
fprintf(aft->file_ctx->fp, "<useragent unknown>");
}
/* ip/tcp header info */ /* ip/tcp header info */
fprintf(aft->file_ctx->fp, " [**] %s:%" PRIu32 " -> %s:%" PRIu32 "\n", srcip, p->sp, dstip, p->dp); fprintf(aft->file_ctx->fp, " [**] %s:%" PRIu32 " -> %s:%" PRIu32 "\n",
srcip, sp, dstip, dp);
} }
fflush(aft->file_ctx->fp); fflush(aft->file_ctx->fp);
SCMutexUnlock(&aft->file_ctx->fp_mutex); SCMutexUnlock(&aft->file_ctx->fp_mutex);
aft->uri_cnt += p->http_uri.cnt; aft->uri_cnt += list_size(htp_state->connp->conn->transactions) -
return TM_ECODE_OK; htp_state->new_in_tx_index;
htp_state->flags &= ~HTP_FLAG_NEW_REQUEST;
end:
SCMutexUnlock(&p->flow->m);
SCReturnUInt(TM_ECODE_OK);
} }
TmEcode LogHttpLog (ThreadVars *tv, Packet *p, void *data, PacketQueue *pq) TmEcode LogHttpLog (ThreadVars *tv, Packet *p, void *data, PacketQueue *pq)
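Review bot: In LogHttpLogIPv6 the to-client branch (`} else {`) still copies GET_IPV6_SRC_ADDR into srcip and GET_IPV6_DST_ADDR into dstip, so only the ports are swapped, whereas LogHttpLogIPv4 swaps both addresses and ports; over IPv6 a request logged from a to-client packet would pair the client port with the server address. The two lines should read `inet_ntop(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), srcip, sizeof(srcip));` and `inet_ntop(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), dstip, sizeof(dstip));`. Both functions also lock `p->flow->m` before anything checks that p->flow is set; unless LogHttpLog (outside the hunk) only dispatches packets that have a flow, a flowless packet dereferences NULL here, so a guard such as `if (p->flow == NULL) SCReturnUInt(TM_ECODE_OK);` ahead of the lock is worth adding. Since the two functions now differ only in address family and buffer size, the roughly seventy duplicated lines would be easier to keep in sync as one static helper taking the family as a parameter.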
