output/json: Refactor file output helper

This commit creates a common file output helper function based on the
logic in output-file-info.c:JsonBuildFileInfoRecord.

The refactored helper will be used to create "fileinfo" information
during the alert output path.
pull/5110/head
Jeff Lucovsky 6 years ago committed by Victor Julien
parent f2dbee4787
commit ae50d1a225

@ -174,85 +174,7 @@ JsonBuilder *JsonBuildFileInfoRecord(const Packet *p, const File *ff,
jb_set_string(js, "app_proto", AppProtoToString(p->flow->alproto));
/* Open the fileinfo object. */
jb_open_object(js, "fileinfo");
size_t filename_size = ff->name_len * 2 + 1;
char filename_string[filename_size];
BytesToStringBuffer(ff->name, ff->name_len, filename_string, filename_size);
jb_set_string(js, "filename", filename_string);
jb_open_array(js, "sid");
for (uint32_t i = 0; ff->sid != NULL && i < ff->sid_cnt; i++) {
jb_append_uint(js, ff->sid[i]);
}
jb_close(js);
#ifdef HAVE_MAGIC
if (ff->magic)
jb_set_string(js, "magic", (char *)ff->magic);
#endif
jb_set_bool(js, "gaps", ff->flags & FILE_HAS_GAPS);
switch (ff->state) {
case FILE_STATE_CLOSED:
jb_set_string(js, "state", "CLOSED");
#ifdef HAVE_NSS
if (ff->flags & FILE_MD5) {
size_t x;
int i;
char str[256];
for (i = 0, x = 0; x < sizeof(ff->md5); x++) {
i += snprintf(&str[i], 255-i, "%02x", ff->md5[x]);
}
jb_set_string(js, "md5", str);
}
if (ff->flags & FILE_SHA1) {
size_t x;
int i;
char str[256];
for (i = 0, x = 0; x < sizeof(ff->sha1); x++) {
i += snprintf(&str[i], 255-i, "%02x", ff->sha1[x]);
}
jb_set_string(js, "sha1", str);
}
#endif
break;
case FILE_STATE_TRUNCATED:
JB_SET_STRING(js, "state", "TRUNCATED");
break;
case FILE_STATE_ERROR:
JB_SET_STRING(js, "state", "ERROR");
break;
default:
JB_SET_STRING(js, "state", "UNKNOWN");
break;
}
#ifdef HAVE_NSS
if (ff->flags & FILE_SHA256) {
size_t x;
int i;
char str[256];
for (i = 0, x = 0; x < sizeof(ff->sha256); x++) {
i += snprintf(&str[i], 255-i, "%02x", ff->sha256[x]);
}
jb_set_string(js, "sha256", str);
}
#endif
jb_set_bool(js, "stored", stored ? true : false);
if (ff->flags & FILE_STORED) {
jb_set_uint(js, "file_id", ff->file_store_id);
}
jb_set_uint(js, "size", FileTrackedSize(ff));
if (ff->end > 0) {
jb_set_uint(js, "start", ff->start);
jb_set_uint(js, "end", ff->end);
}
jb_set_uint(js, "tx_id", ff->txid);
/* Close fileinfo object */
jb_close(js);
JsonFileInfo(js, ff, stored);
/* xff header */
if (have_xff_ip && xff_cfg->flags & XFF_EXTRADATA) {

@ -152,6 +152,92 @@ json_t *JsonAddStringN(const char *string, size_t size)
return SCJsonString(tmpbuf);
}
void JsonFileInfo(JsonBuilder *js, const File *ff, const bool stored)
{
/* Open the fileinfo object. */
jb_open_object(js, "fileinfo");
size_t filename_size = ff->name_len * 2 + 1;
char filename_string[filename_size];
BytesToStringBuffer(ff->name, ff->name_len, filename_string, filename_size);
jb_set_string(js, "filename", filename_string);
jb_open_array(js, "sid");
for (uint32_t i = 0; ff->sid != NULL && i < ff->sid_cnt; i++) {
jb_append_uint(js, ff->sid[i]);
}
jb_close(js);
#ifdef HAVE_MAGIC
if (ff->magic)
jb_set_string(js, "magic", (char *)ff->magic);
#endif
jb_set_bool(js, "gaps", ff->flags & FILE_HAS_GAPS);
switch (ff->state) {
case FILE_STATE_CLOSED:
jb_set_string(js, "state", "CLOSED");
#ifdef HAVE_NSS
if (ff->flags & FILE_MD5) {
size_t x;
int i;
char str[256];
for (i = 0, x = 0; x < sizeof(ff->md5); x++) {
i += snprintf(&str[i], 255-i, "%02x", ff->md5[x]);
}
jb_set_string(js, "md5", str);
}
if (ff->flags & FILE_SHA1) {
size_t x;
int i;
char str[256];
for (i = 0, x = 0; x < sizeof(ff->sha1); x++) {
i += snprintf(&str[i], 255-i, "%02x", ff->sha1[x]);
}
jb_set_string(js, "sha1", str);
}
#endif
break;
case FILE_STATE_TRUNCATED:
JB_SET_STRING(js, "state", "TRUNCATED");
break;
case FILE_STATE_ERROR:
JB_SET_STRING(js, "state", "ERROR");
break;
default:
JB_SET_STRING(js, "state", "UNKNOWN");
break;
}
#ifdef HAVE_NSS
if (ff->flags & FILE_SHA256) {
size_t x;
int i;
char str[256];
for (i = 0, x = 0; x < sizeof(ff->sha256); x++) {
i += snprintf(&str[i], 255-i, "%02x", ff->sha256[x]);
}
jb_set_string(js, "sha256", str);
}
#endif
if (stored) {
jb_set_bool(js, "stored", true);
jb_set_uint(js, "file_id", ff->file_store_id);
} else {
jb_set_bool(js, "stored", false);
}
jb_set_uint(js, "size", FileTrackedSize(ff));
if (ff->end > 0) {
jb_set_uint(js, "start", ff->start);
jb_set_uint(js, "end", ff->end);
}
jb_set_uint(js, "tx_id", ff->txid);
/* Close fileinfo object */
jb_close(js);
}
static void JsonAddPacketvars(const Packet *p, json_t *js_vars)
{
if (p == NULL || p->pktvar == NULL) {
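Review bot: The new `JsonFileInfo` writes `file_id` whenever the `stored` argument is true, while the code it replaces keyed `file_id` on `ff->flags & FILE_STORED` independently of `stored`, so the refactor is not output-neutral. A caller whose `stored` value disagrees with the flag would log a `file_id` that may not match a file on disk, or omit one that does, which matters when EVE records are correlated with the file store. Keeping the old guard, `if (ff->flags & FILE_STORED) jb_set_uint(js, "file_id", ff->file_store_id);`, after a single `jb_set_bool(js, "stored", stored);` would preserve the previous output. Separately, `char filename_string[filename_size]` is a stack VLA sized from `ff->name_len`, which presumably derives from parsed traffic. Now that the helper is meant to be shared with the alert path, an explicit upper bound on `name_len` or a fixed-size buffer with truncation would be safer.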

@ -72,6 +72,7 @@ int OutputJSONMemBufferCallback(const char *str, size_t size, void *data);
void CreateJSONFlowId(json_t *js, const Flow *f);
void CreateEveFlowId(JsonBuilder *js, const Flow *f);
void JsonTcpFlags(uint8_t flags, json_t *js);
void JsonFileInfo(JsonBuilder *js, const File *file, const bool stored);
void EveTcpFlags(uint8_t flags, JsonBuilder *js);
void JsonPacket(const Packet *p, json_t *js, unsigned long max_length);
void EvePacket(const Packet *p, JsonBuilder *js, unsigned long max_length);
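Review bot: The added prototype `void JsonFileInfo(JsonBuilder *js, const File *file, const bool stored);` has no comment describing its contract, and its second parameter is named `file` while the definition in the previous section calls it `ff`. That definition opens and closes the "fileinfo" object itself and dereferences the file pointer without a NULL check. A one-line header comment such as `/* Appends a complete "fileinfo" object to js; file must be non-NULL. */` would tell the planned alert-path caller what it needs to know. Using the same parameter name in the declaration and the definition would also keep the two easy to match up.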
