rust/tftp: eve logging with rust

pull/3201/head
Pascal Delalande 8 years ago committed by Victor Julien
parent b9cf49e933
commit 80f2fbac6e

@ -299,3 +299,23 @@ Example of certificate logging using TLS custom logging (subject, sni, certifica
"sni": "www.googleapis.com", "sni": "www.googleapis.com",
"certificate": "MIIE3TCCA8WgAwIBAgIIQPsvobRZN0gwDQYJKoZIhvcNAQELBQAwSTELMA [...]" "certificate": "MIIE3TCCA8WgAwIBAgIIQPsvobRZN0gwDQYJKoZIhvcNAQELBQAwSTELMA [...]"
} }
Event type: TFTP
----------------
Fields
~~~~~~
* "packet": The operation code, can be "read" or "write" or "error"
* "file": The filename transported with the tftp protocol
* "mode": The mode field, can be "octet" or "mail" or "netascii" (or any combination of upper and lower case)
Example of TFTP logging:
::
"tftp": {
"packet": "write",
"file": "rfc1350.txt",
"mode": "octet"
}

@ -84,20 +84,16 @@ pub extern "C" fn rs_tftp_get_tx(state: &mut TFTPState,
#[no_mangle] #[no_mangle]
pub extern "C" fn rs_tftp_get_tx_logged(_state: &mut TFTPState, pub extern "C" fn rs_tftp_get_tx_logged(_state: &mut TFTPState,
tx: &mut TFTPTransaction, tx: &mut TFTPTransaction)
logger: libc::uint32_t) -> i8 { -> u32 {
if tx.logged.is_logged(logger) { return tx.logged.get();
1
} else {
0
}
} }
#[no_mangle] #[no_mangle]
pub extern "C" fn rs_tftp_set_tx_logged(_state: &mut TFTPState, pub extern "C" fn rs_tftp_set_tx_logged(_state: &mut TFTPState,
tx: &mut TFTPTransaction, tx: &mut TFTPTransaction,
logger: libc::uint32_t) { logged: libc::uint32_t) {
tx.logged.set_logged(logger); tx.logged.set(logged);
} }
#[no_mangle] #[no_mangle]
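Review bot: The two exported functions spell the same C type differently — `rs_tftp_get_tx_logged` now returns `u32` while `rs_tftp_set_tx_logged` keeps `libc::uint32_t` for `logged`; one spelling for both would make the pair read as a single ABI. Neither `#[no_mangle]` entry point carries a doc comment, and since they are called from C a short one on each would help, e.g. `/// Returns the logger bitmask stored on this transaction; `_state` is unused but kept for the C calling convention.` on the getter and `/// Stores the logger bitmask computed by the C side; this replaces the previous value rather than OR-ing into it.` on the setter. The C-side prototype of `rs_tftp_get_tx_logged` is not in this diff, and the C caller now treats its result as `LoggerId`, so the declared return type should be checked against `u32`.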

@ -89,6 +89,7 @@ const char *AppProtoToString(AppProto alproto)
break; break;
case ALPROTO_FTPDATA: case ALPROTO_FTPDATA:
proto_name = "ftp-data"; proto_name = "ftp-data";
break;
case ALPROTO_TFTP: case ALPROTO_TFTP:
proto_name = "tftp"; proto_name = "tftp";
break; break;
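Review bot: The added `break;` after `proto_name = "ftp-data";` appears to fix a case fall-through that made ALPROTO_FTPDATA take the name of the following case, which is unrelated to TFTP eve logging and is not mentioned in the commit title. It would be easier to trace later as its own commit, or at least as a sentence in the description.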

@ -120,7 +120,7 @@ static int TFTPHasEvents(void *state)
static AppProto TFTPProbingParser(Flow *f, uint8_t *input, uint32_t input_len, static AppProto TFTPProbingParser(Flow *f, uint8_t *input, uint32_t input_len,
uint32_t *offset) uint32_t *offset)
{ {
/* Very simple test - if there is input, this is echo. /* Very simple test - if there is input, this is tftp.
* Also check if it's starting by a zero */ * Also check if it's starting by a zero */
if (input_len >= TFTP_MIN_FRAME_LEN && *input == 0) { if (input_len >= TFTP_MIN_FRAME_LEN && *input == 0) {
SCLogDebug("Detected as ALPROTO_TFTP."); SCLogDebug("Detected as ALPROTO_TFTP.");
@ -176,9 +176,9 @@ static void TFTPSetTxLogged(void *state, void *vtx, uint32_t logger)
rs_tftp_set_tx_logged(state, vtx, logger); rs_tftp_set_tx_logged(state, vtx, logger);
} }
static int TFTPGetTxLogged(void *state, void *vtx, uint32_t logger) static LoggerId TFTPGetTxLogged(void *state, void *vtx)
{ {
return rs_tftp_get_tx_logged(state, vtx, logger); return rs_tftp_get_tx_logged(state, vtx);
} }
/** /**
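Review bot: `TFTPGetTxLogged` now returns the value of `rs_tftp_get_tx_logged(state, vtx)` as `LoggerId`, while the Rust side returns `u32`; the C declaration of the Rust function is not in this diff, so confirm the two agree, otherwise the bitmask is implicitly converted on the way back. The comment change in the first hunk ("this is tftp") leaves the probing rule itself unchanged: any input of at least TFTP_MIN_FRAME_LEN bytes whose first byte is zero is classified as TFTP, and the comment could say so explicitly, e.g. `/* Heuristic only: minimum length plus a leading zero byte; only the first byte is checked here */`. TFTPProbingParser continues outside the hunk.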

@ -23,7 +23,6 @@
* Implement JSON/eve logging app-layer TFTP. * Implement JSON/eve logging app-layer TFTP.
*/ */
//#ifdef HAVE_RUST
#include "suricata-common.h" #include "suricata-common.h"
#include "debug.h" #include "debug.h"
@ -103,21 +102,22 @@ static void OutputTFTPLogDeInitCtxSub(OutputCtx *output_ctx)
SCFree(output_ctx); SCFree(output_ctx);
} }
static OutputCtx *OutputTFTPLogInitSub(ConfNode *conf, static OutputInitResult OutputTFTPLogInitSub(ConfNode *conf,
OutputCtx *parent_ctx) OutputCtx *parent_ctx)
{ {
OutputInitResult result = { NULL, false };
OutputJsonCtx *ajt = parent_ctx->data; OutputJsonCtx *ajt = parent_ctx->data;
LogTFTPFileCtx *tftplog_ctx = SCCalloc(1, sizeof(*tftplog_ctx)); LogTFTPFileCtx *tftplog_ctx = SCCalloc(1, sizeof(*tftplog_ctx));
if (unlikely(tftplog_ctx == NULL)) { if (unlikely(tftplog_ctx == NULL)) {
return NULL; return result;
} }
tftplog_ctx->file_ctx = ajt->file_ctx; tftplog_ctx->file_ctx = ajt->file_ctx;
OutputCtx *output_ctx = SCCalloc(1, sizeof(*output_ctx)); OutputCtx *output_ctx = SCCalloc(1, sizeof(*output_ctx));
if (unlikely(output_ctx == NULL)) { if (unlikely(output_ctx == NULL)) {
SCFree(tftplog_ctx); SCFree(tftplog_ctx);
return NULL; return result;
} }
output_ctx->data = tftplog_ctx; output_ctx->data = tftplog_ctx;
output_ctx->DeInit = OutputTFTPLogDeInitCtxSub; output_ctx->DeInit = OutputTFTPLogDeInitCtxSub;
@ -126,7 +126,9 @@ static OutputCtx *OutputTFTPLogInitSub(ConfNode *conf,
AppLayerParserRegisterLogger(IPPROTO_UDP, ALPROTO_TFTP); AppLayerParserRegisterLogger(IPPROTO_UDP, ALPROTO_TFTP);
return output_ctx; result.ctx = output_ctx;
result.ok = true;
return result;
} }
#define OUTPUT_BUFFER_SIZE 65535 #define OUTPUT_BUFFER_SIZE 65535
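Review bot: `OutputInitResult result = { NULL, false };` relies on the field order of OutputInitResult; a designated initializer, `OutputInitResult result = { .ctx = NULL, .ok = false };`, keeps the two failure returns readable and survives a field reorder. The rest of the conversion looks consistent: both SCCalloc failures return the zero-initialised result and the second still frees tftplog_ctx before returning. Dropping the commented-out `//#ifdef HAVE_RUST` line removes dead text only.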

@ -239,6 +239,7 @@ outputs:
#- dnp3 #- dnp3
@rust_config_comment@- nfs @rust_config_comment@- nfs
@rust_config_comment@- tftp
- ssh - ssh
- stats: - stats:
totals: yes # stats for all threads merged together totals: yes # stats for all threads merged together
@ -798,6 +799,8 @@ app-layer:
# to configure. # to configure.
nfs: nfs:
enabled: @rust_config_enabled@ enabled: @rust_config_enabled@
tftp:
enabled: @rust_config_enabled@
dns: dns:
# memcaps. Globally and per flow/state. # memcaps. Globally and per flow/state.
#global-memcap: 16mb #global-memcap: 16mb
