📄 dp_log.c
字号:
/* $Id: dp_log.c,v 1.7 2004/04/03 19:57:32 andrewbaker Exp $ *//*** Copyright (C) 2001-2002 Andrew R. Baker <andrewb@snort.org>** Copyright (C) 2001 Martin Roesch <roesch@sourcefire.com>** Portions Copyright (C) 2003-2004 Sourcefire, Inc.**** This program is distributed under the terms of version 1.0 of the ** Q Public License. See LICENSE.QPL for further details.**** This program is distributed in the hope that it will be useful,** but WITHOUT ANY WARRANTY; without even the implied warranty of** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.***//* I N C L U D E S *****************************************************/#include "config.h"#include <sys/types.h>#include <stdio.h>#include <stdlib.h>#include <string.h>#ifdef SOLARIS #include <strings.h>#endif#include <errno.h>#include <unistd.h>#include "barnyard.h"#include "output-plugins/op_plugbase.h"#include "dp_plugbase.h"#include "strlcpyu.h"#include "util.h"#include "dp_log.h"#include "spool.h"/* P R O T O T Y P E S ************************************************/void LogDpSetup(char *config, DpFunctionalNode *dpfn);int LogDpReadFileHeader(DpFunctionalNode *dpfn, SpoolFileHandle *sph);int LogDpReadRecord(SpoolFileHandle *sph);int LogDpProcessRecord(void *data, DpFunctionalNode *dp);int LogDpHeaderCompare(DpFunctionalNode *dpfn, void *old_header, void *new_header);void LogDpPrintRecord(void *data);int linktype = 0;void LogDpInit(){ PluginInfo pi; pi.author = strdup("Martin Roesch <roesch@sourcefire.com>\n" "Andrew R. Baker <andrewb@snort.org>"); pi.version = strdup("1.0"); pi.type = strdup("log input processor"); pi.copyright = strdup("(C) Copyright 2001, Martin Roesch" " & Andrew R. Baker"); pi.description = strdup("reads the log spool and reformats for output"); pi.usage = strdup("dp_log"); RegisterDp("dp_log", LogDpSetup, "log", &pi); free(pi.author); free(pi.version); free(pi.type); free(pi.copyright); free(pi.description); free(pi.usage); if(pv.verbose) LogMessage("dp_log loaded\n"); return;}void LogDpSetup(char *config, DpFunctionalNode *dpfn){ dpfn->type = strdup("log"); dpfn->magic = LOG_MAGIC; RegisterDpReadRecord(LogDpReadRecord, dpfn); RegisterDpReadFileHeader(LogDpReadFileHeader, dpfn); RegisterDpProcessRecord(LogDpProcessRecord, dpfn); RegisterDpHeaderCompare(LogDpHeaderCompare, dpfn);}int LogDpReadFileHeader(DpFunctionalNode *dpfn, SpoolFileHandle *sph){ ssize_t bytes_read; /* allocate storage space for the spool file header */ if(!sph->header) { if(!(sph->header = calloc(1, sizeof(UnifiedLogFileHeader)))) { FatalError("Out of memory reading spool file header " "(wanted %u bytes)", sizeof(UnifiedLogFileHeader)); } } bytes_read = read(sph->filedes, sph->header + sph->offset, sizeof(UnifiedLogFileHeader) - sph->offset); if(bytes_read + sph->offset != sizeof(UnifiedLogFileHeader)) { if(bytes_read == -1) { /* Read error */ LogMessage("ERROR: read error: %s\n", strerror(errno)); return N_FILE_ERROR; } if(bytes_read == 0) { return N_READ_EOF; } sph->offset += bytes_read; return N_READ_PARTIAL; } sph->offset = 0; { UnifiedLogFileHeader *file_header; file_header = (UnifiedLogFileHeader *)sph->header; linktype = file_header->linktype; } /* XXX should be part of the start step */ /* copy the header into the dp plugin */ if(dpfn->context.file_header != NULL) free(dpfn->context.file_header); dpfn->context.file_header = SafeAlloc(sizeof(UnifiedLogFileHeader)); memcpy(dpfn->context.file_header, sph->header, sizeof(UnifiedLogFileHeader)); return 0;} int LogDpHeaderCompare(DpFunctionalNode *dpfn, void *old_header, void *new_header){ if(memcmp(old_header, new_header, sizeof(UnifiedLogFileHeader)) != 0) { DataProcessorRestart(dpfn); } return 0;}/* Partial reads should rarely, if ever, happen. Thus we should not actually call lseek very often */static UnifiedLog unified_log;int LogDpReadRecord(SpoolFileHandle *sph){ ssize_t bytes_read; ssize_t packet_len; int fd; Record *record; if(!sph) return -1; /* Invalid args */ fd = sph->filedes; record = &sph->record; if(sph->offset < sizeof(UnifiedLog)) { /* Read the first portion of the unified log reader */ bytes_read = read(sph->filedes, &unified_log + sph->offset, sizeof(UnifiedLog) - sph->offset); if(bytes_read == -1) { LogMessage("ERROR: read error: %s\n", strerror(errno)); return N_FILE_ERROR; } if(bytes_read + sph->offset != sizeof(UnifiedLog)) { if(bytes_read + sph->offset == 0) { return N_READ_EOF; } sph->offset += bytes_read; return N_READ_PARTIAL; } /* Extract packet length */ packet_len = unified_log.pkth.caplen; if(packet_len >= 0x1ffff) { LogMessage("ERROR: Invalid packet length: %u\n", packet_len); return N_FILE_ERROR; } /* Allocate record storage based on packet length */ sph->record.dynamic = 1; sph->record.data = calloc(1, sizeof(UnifiedLog) + packet_len + 2); if(!sph->record.data) { FatalError("Out of memory (wanted %u bytes)\n", sizeof(UnifiedLog) + packet_len + 2); } memcpy(sph->record.data, &unified_log, sizeof(UnifiedLog)); sph->offset = sizeof(UnifiedLog) + 2; } if(sph->offset >= sizeof(UnifiedLog) + 2) { /* In case we don't have it already */ packet_len = unified_log.pkth.caplen; bytes_read = read(sph->filedes, sph->record.data + sph->offset, packet_len + 2 + sizeof(UnifiedLog) - sph->offset); if(bytes_read == -1) { LogMessage("ERROR: read error: %s\n", strerror(errno)); return N_FILE_ERROR; } if(bytes_read + sph->offset != sizeof(UnifiedLog) + 2 + packet_len) { sph->offset += bytes_read; return N_READ_PARTIAL; } sph->offset = 0; return 0; } /* Should be unreachable */ LogMessage("Should be unreachable\n"); return -1;}int LogDpProcessRecord(void *data, DpFunctionalNode *dp){ if(data == NULL) {#ifdef DEBUG printf("NULL Argument to ProcessUnifiedLogRecord\n");#endif return 1; } #ifdef DEBUG LogDpPrintRecord(data);#endif /* Call the output plugins */ CallOutputPlugins(dp->oList, data); return 0;}void LogDpPrintRecord(void *data){ UnifiedLogRecord *record; if(data == NULL) return; record = (UnifiedLogRecord *)data; LogMessage("Log->sig_generator = %x\n", record->log.event.sig_generator); LogMessage("Log->sig_id = %x\n", record->log.event.sig_id); LogMessage("Log->sig_rev = %x\n", record->log.event.sig_rev); LogMessage("Log->classification = %x\n", record->log.event.classification); LogMessage("Log->priority = %x\n", record->log.event.priority); LogMessage("Log->event_id = %x\n", record->log.event.event_id); LogMessage("Log->reference = %x\n", record->log.event.event_reference); LogMessage("Log->ref_sec = %x\n", record->log.event.ref_time.tv_sec); LogMessage("Log->ref_usec = %x\n", record->log.event.ref_time.tv_usec); LogMessage("Log->flags = 0x%08X\n", (u_int32_t) record->log.flags); LogMessage("Log->sec = %x\n", record->log.pkth.ts.tv_sec); LogMessage("Log->usec = %x\n", record->log.pkth.ts.tv_usec); LogMessage("Log->pktlen = %x\n", record->log.pkth.pktlen); LogMessage("Log->caplen = %u\n", record->log.pkth.caplen); LogMessage("------------------------------------------------------\n");}⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -