rust/tftp: eve logging with rust

8 years ago · 80f2fbac6e
parent b9cf49e933
commit 80f2fbac6e
6 changed files with 39 additions and 17 deletions
--- a/doc/userguide/output/eve/eve-json-format.rst
+++ b/doc/userguide/output/eve/eve-json-format.rst
@ -299,3 +299,23 @@ Example of certificate logging using TLS custom logging (subject, sni, certifica
      "sni": "www.googleapis.com",
      "certificate": "MIIE3TCCA8WgAwIBAgIIQPsvobRZN0gwDQYJKoZIhvcNAQELBQAwSTELMA [...]"
   }
+
+Event type: TFTP
+----------------
+
+Fields
+~~~~~~
+
+* "packet": The operation code, can be "read" or "write" or "error"
+* "file": The filename transported with the tftp protocol
+* "mode": The mode field, can be "octet" or "mail" or "netascii" (or any combination of upper and lower case)
+
+Example of TFTP logging:
+
+::
+
+  "tftp": {
+      "packet": "write",
+      "file": "rfc1350.txt",
+      "mode": "octet"
+   }
--- a/rust/src/tftp/tftp.rs
+++ b/rust/src/tftp/tftp.rs
@ -84,20 +84,16 @@ pub extern "C" fn rs_tftp_get_tx(state: &mut TFTPState,

 #[no_mangle]
 pub extern "C" fn rs_tftp_get_tx_logged(_state: &mut TFTPState,
-                                        tx: &mut TFTPTransaction,
-                                        logger: libc::uint32_t) -> i8 {
-    if tx.logged.is_logged(logger) {
-        1
-    } else {
-        0
-    }
+                                        tx: &mut TFTPTransaction)
+                                        -> u32 {
+    return tx.logged.get();
 }

 #[no_mangle]
 pub extern "C" fn rs_tftp_set_tx_logged(_state: &mut TFTPState,
                                        tx: &mut TFTPTransaction,
-                                        logger: libc::uint32_t) {
-    tx.logged.set_logged(logger);
+                                        logged: libc::uint32_t) {
+    tx.logged.set(logged);
 }

 #[no_mangle]
--- a/src/app-layer-protos.c
+++ b/src/app-layer-protos.c
@ -89,6 +89,7 @@ const char *AppProtoToString(AppProto alproto)
            break;
        case ALPROTO_FTPDATA:
            proto_name = "ftp-data";
+            break;
        case ALPROTO_TFTP:
            proto_name = "tftp";
            break;
--- a/src/app-layer-tftp.c
+++ b/src/app-layer-tftp.c
@ -120,7 +120,7 @@ static int TFTPHasEvents(void *state)
 static AppProto TFTPProbingParser(Flow *f, uint8_t *input, uint32_t input_len,
    uint32_t *offset)
 {
-    /* Very simple test - if there is input, this is echo.
+    /* Very simple test - if there is input, this is tftp.
     * Also check if it's starting by a zero */
    if (input_len >= TFTP_MIN_FRAME_LEN && *input == 0) {
        SCLogDebug("Detected as ALPROTO_TFTP.");
@ -176,9 +176,9 @@ static void TFTPSetTxLogged(void *state, void *vtx, uint32_t logger)
    rs_tftp_set_tx_logged(state, vtx, logger);
 }

-static int TFTPGetTxLogged(void *state, void *vtx, uint32_t logger)
+static LoggerId TFTPGetTxLogged(void *state, void *vtx)
 {
-    return rs_tftp_get_tx_logged(state, vtx, logger);
+    return rs_tftp_get_tx_logged(state, vtx);
 }

 /**
--- a/src/output-json-tftp.c
+++ b/src/output-json-tftp.c
@ -23,7 +23,6 @@
 * Implement JSON/eve logging app-layer TFTP.
 */

-//#ifdef HAVE_RUST

 #include "suricata-common.h"
 #include "debug.h"
@ -103,21 +102,22 @@ static void OutputTFTPLogDeInitCtxSub(OutputCtx *output_ctx)
    SCFree(output_ctx);
 }

-static OutputCtx *OutputTFTPLogInitSub(ConfNode *conf,
+static OutputInitResult OutputTFTPLogInitSub(ConfNode *conf,
    OutputCtx *parent_ctx)
 {
+    OutputInitResult result = { NULL, false };
    OutputJsonCtx *ajt = parent_ctx->data;

    LogTFTPFileCtx *tftplog_ctx = SCCalloc(1, sizeof(*tftplog_ctx));
    if (unlikely(tftplog_ctx == NULL)) {
-        return NULL;
+        return result;
    }
    tftplog_ctx->file_ctx = ajt->file_ctx;

    OutputCtx *output_ctx = SCCalloc(1, sizeof(*output_ctx));
    if (unlikely(output_ctx == NULL)) {
        SCFree(tftplog_ctx);
-        return NULL;
+        return result;
    }
    output_ctx->data = tftplog_ctx;
    output_ctx->DeInit = OutputTFTPLogDeInitCtxSub;
@ -126,7 +126,9 @@ static OutputCtx *OutputTFTPLogInitSub(ConfNode *conf,

    AppLayerParserRegisterLogger(IPPROTO_UDP, ALPROTO_TFTP);

-    return output_ctx;
+    result.ctx = output_ctx;
+    result.ok = true;
+    return result;
 }

 #define OUTPUT_BUFFER_SIZE 65535
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@ -239,6 +239,7 @@ outputs:

        #- dnp3
        @rust_config_comment@- nfs
+        @rust_config_comment@- tftp
        - ssh
        - stats:
            totals: yes       # stats for all threads merged together
@ -798,6 +799,8 @@ app-layer:
    # to configure.
    nfs:
      enabled: @rust_config_enabled@
+    tftp:
+      enabled: @rust_config_enabled@
    dns:
      # memcaps. Globally and per flow/state.
      #global-memcap: 16mb