parse.c

100 病毒源碼,原始碼,無毒 ......

				return 0;
			}
			
			free(list);
		}
		
		recweb->ext_type = M_RECORD_TYPE_WEB_EXTCLF;
		recweb->ext = recext;
		
	} else if (n == PCRE_ERROR_NOMATCH) {
#ifdef DEBUG_INPUT
		fprintf(stderr, "-no elf-> (%s)",_buffer + endpos);
#endif
	} else {
		fprintf(stderr, "%s.%d: Matched fields below minimum: %d\n", __FILE__, __LINE__, n);
		return -1;
	}
	

	
/* try to get the squid fields */
	n = pcre_exec(conf->match_clf_squid, conf->match_clf_squid_extra, _buffer, strlen(_buffer), endpos, 0, ovector, 3 * N);
	
	if (n < 0 && n != PCRE_ERROR_NOMATCH) {
		fprintf(stderr, "%s.%d: execution error while matching: %d\n", __FILE__, __LINE__, n);
		return -1;
	} else 	if (n == 2) {
		mlogrec_web_squid *recext;
		
		recweb->ext_type = M_RECORD_TYPE_WEB_SQUID;
		recweb->ext = mrecord_init_web_extclf();
		
		recext = recweb->ext;
		
		if (recext != NULL) {
			pcre_get_substring_list(_buffer, ovector, n, &list);
#ifdef DEBUG_INPUT		
			fprintf(stderr, "-squid-> %s\n", list[1]);
#endif
			free(list);
		}
	} else if (n == PCRE_ERROR_NOMATCH) {
#ifdef DEBUG_INPUT
		fprintf(stderr, "-no squid-> (%s)",_buffer + endpos);
#endif
	} else {
		fprintf(stderr, "%s.%d: Matched fields below minimum: %d\n", __FILE__, __LINE__, n);
		return -1;
	}

	return 0;
#undef  N
}

int parse_record_dynamic(mconfig *ext_conf, mlogrec *record, char *_buffer) {
#define N 20 + 1
	const char **list;
	int ovector[3 * N], n, i;
	config_input *conf = ext_conf->input;
	mlogrec_web *recweb = NULL; 
	mlogrec_web_extclf *recext = NULL; 
	
	/* remove the carriage return */
	if (_buffer[strlen(_buffer)-1] == '\r') {
		_buffer[strlen(_buffer)-1] = '\0';
	}
	
	if (conf->match_clf == NULL) return -1;
	
	recweb = mrecord_init_web();
	
	record->ext_type = M_RECORD_TYPE_WEB;
	record->ext = recweb;
	
	recext = mrecord_init_web_extclf();
	
	recweb->ext_type = M_RECORD_TYPE_WEB_EXTCLF;
	recweb->ext = recext;
	
	if (recweb == NULL) return 1;

/* parse a CLF record */	
	if ((n = pcre_exec(conf->match_clf, conf->match_clf_extra, _buffer, strlen(_buffer), 0, 0, ovector, 3 * N)) < 0) {
		if (n == PCRE_ERROR_NOMATCH) {
			fprintf(stderr, "%s.%d: string doesn't match: %s\n", __FILE__, __LINE__, _buffer);
		} else {
			fprintf(stderr, "%s.%d: execution error while matching: %d\n", __FILE__, __LINE__, n);
		}
		return 1;
	}
	
	pcre_get_substring_list(_buffer, ovector, n, &list);
	
	for (i = 0; i < n-1; i++) {
		switch (def[conf->trans_fields[i]].id) {
		case M_CLF_FIELD_TIMESTAMP:
			parse_timestamp(ext_conf, (char *)list[i+1], record);
			break;
		case M_CLF_FIELD_REQ_HOST:
			recweb->req_host = malloc(strlen((char *)list[i+1])+1);
			strcpy(recweb->req_host, (char *)list[i+1]);
			break;
		case M_CLF_FIELD_USERNAME:
			recweb->req_user = malloc(strlen((char *)list[i+1])+1);
			strcpy(recweb->req_user, (char *)list[i+1]);
			break;
		case M_CLF_FIELD_STATUS:
			recweb->req_status = strtol(list[i+1], NULL,10);
			break;
		case M_CLF_FIELD_BYTES_SEND:
			recweb->xfersize = strtod(list[i+1], NULL);
			break;
		case M_CLF_FIELD_SERVER_PORT:
			recext->srv_port = malloc(strlen((char *)list[i+1])+1);
			strcpy(recext->srv_port, (char *)list[i+1]);
			break;
		case M_CLF_FIELD_SERVER_IP:
			recext->srv_host = malloc(strlen((char *)list[i+1])+1);
			strcpy(recext->srv_host, (char *)list[i+1]);
			break;
		case M_CLF_FIELD_REQUEST:
			if (parse_url(ext_conf, list[5], recweb) == -1) {
				free(list);
				return 1;
			}
			break;
		case M_CLF_FIELD_USER_AGENT:
			if (parse_useragent(ext_conf, list[i+1], recext)  == -1) {
				free(list);
				return 1;
			}
			break;
		case M_CLF_FIELD_REFERRER:
			if (parse_referrer(ext_conf, list[i+1], recext)  == -1) {
				free(list);
				return 1;
			}
			break;
		/* no mapping */
		case M_CLF_FIELD_AUTH_USERNAME:
		case M_CLF_FIELD_DURATION:
			if (ext_conf->debug_level > 2)
				fprintf(stderr, "the field '%s' (%d) is known, but not supported yet.\n",def[conf->trans_fields[i]].field, def[conf->trans_fields[i]].id);
			break;

		default:
			fprintf(stderr, "the field '%s' (%d) is unknown\n", def[conf->trans_fields[i]].field, def[conf->trans_fields[i]].id);
			break;
		}
	}
	
	free(list);
	
	return 0;
#undef  N
}

int mlist_insert_sorted (mlist *l, void *ins_data) {
	int ins_me = 0;
	mlist *d = l;
	
	if (!l) return -1; 
	if (!ins_data) return -1;
#ifdef DEBUG_SORTER		
	printf("-1-- %ld\n", ((mlogrec *)ins_data)->timestamp);
#endif	
	while(l) {
		mlogrec *data = (mlogrec *)l->data;
		
		if (!data) break;
		
		if (((mlogrec *)ins_data)->timestamp >= data->timestamp) {
			ins_me = 1;
			break;
		}
			
		if (!l->next) break;
			
		l = l->next;
	}
	
	if (!l->data) {
		l->data = ins_data;
	} else if (ins_me) {
		mlist *n = mlist_init();
		
		n->data = l->data;
		l->data = ins_data;
		n->next = l->next;
		n->prev = l;
		if (n->next)
			n->next->prev = n;
		l->next = n;
	} else {
		mlist *n = mlist_init();
			
		n->data = ins_data;
		n->prev = l;
		n->next = l->next;
		if (n->next)
			n->next->prev = n;
		l->next = n;
	}
	
	l = d;
	while(l) {
#ifdef DEBUG_SORTER
		mlogrec *data = (mlogrec *)l->data;

		printf("-2-- %ld\n", data->timestamp);
#endif		
		if (!l->next) break;
			
		l = l->next;
	}
	while(l) {
#ifdef DEBUG_SORTER
		mlogrec *data = (mlogrec *)l->data;

		printf("-2-+ %ld\n", data->timestamp);
#endif		
		l = l->prev;
	}
	
	return 0;
}

int get_line (mconfig *ext_conf) {
	config_input *conf = ext_conf->input;
	int newline = 1;
	
	if (!fgets(conf->buffer, conf->buf_len-1,conf->inputfile)) {
		newline = 0;
	}

	while (newline && conf->buffer[strlen(conf->buffer)-1] != '\n') {
		conf->buffer = realloc(conf->buffer, (conf->buf_len+conf->buf_inc+1) * sizeof(char));
		
		if (!fgets(conf->buffer+strlen(conf->buffer), conf->buf_inc-1,conf->inputfile)) {
			newline = 0;
		}
		
		conf->buf_len += conf->buf_inc;
	}
	
	return newline;
}

#ifdef HAVE_LIBADNS
const char* reverse_ip(const char *ip) {
	static char ip_buf[30];
	pcre *m;
#define N 20 + 1
	const char **list;
	int ovector[3 * N], n;
	const char *errptr;
	int erroffset = 0;
	
	if (!ip) return NULL;
	
	if ((m = pcre_compile(
		"^([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})$", 
		0, &errptr, &erroffset, NULL)) == NULL) {
		
		fprintf(stderr, "%s.%d: rexexp compilation error at %s\n", __FILE__, __LINE__, errptr);
		return NULL;
	} 
	
	if ((n = pcre_exec(m, NULL, ip, strlen(ip), 0, 0, ovector, 3 * N)) < 0) {
		if (n != PCRE_ERROR_NOMATCH) {
			fprintf(stderr, "%s.%d: execution error while matching: %d\n", __FILE__, __LINE__, n);
		}
		return NULL;
	}
	
	pcre_get_substring_list(ip, ovector, n, &list);
	
	sprintf(ip_buf, "%s.%s.%s.%s.in-addr.arpa.",
		list[4],
		list[3],
		list[2],
		list[1]
		);
	
	pcre_free(list);
	free(m);
	
	return ip_buf;
}
#endif

int mplugins_input_get_next_record(mconfig *ext_conf, mlogrec *record) {
	int ret = 0;
	config_input *conf = ext_conf->input;
	int newline = 1;
	mlist *l;
	
	if (record == NULL) return -1;
	
	/* inserting the records into to list */
	while (newline && conf->read_ahead_count < conf->read_ahead_limit) {
		newline = get_line(ext_conf);
		
		if (newline) {
			mlogrec *new_record = mrecord_init();
#ifdef HAVE_LIBADNS
			const char *conv_ip;
			adns_query *query = NULL;
			mlogrec_web *web = NULL;
			adns_answer *answer = NULL;
#endif
			ret = (conf->format)
				? parse_record_dynamic(ext_conf, new_record, conf->buffer)
				: parse_record_pcre(ext_conf, new_record, conf->buffer);
			
			if (ret == -1) {	
				mrecord_free(new_record);
				return 1;
			}
			
#ifdef HAVE_LIBADNS
			if (!ext_conf->disable_resolver) {
				web = new_record->ext;
				conv_ip = reverse_ip(web->req_host);
			
				if (conv_ip) {
					data_Query *data = NULL;
					
					if (!mhash_in_hash(ext_conf->query_hash, web->req_host)) {
						query = malloc(sizeof(adns_query));
	
						adns_submit(*(ext_conf->adns), 
							conv_ip,
							adns_r_ptr,
							adns_qf_quoteok_cname|adns_qf_cname_loose,
							NULL,
							query
						);
				
			/* put ip and query into a hash */
					
						data = createQuery(web->req_host, query);
						mhash_insert(ext_conf->query_hash, data);
					}
			/* don't free query !! it will be removed by mhash_free */
				}
			}
#endif
			
			mlist_insert_sorted(conf->record_list, new_record);
			
			conf->read_ahead_count++;
		}
#ifdef DEBUG_SORTER			
		printf("-3-> nl: %d, ra: %d, rl: %d\n", newline, conf->read_ahead_count, conf->read_ahead_limit);
#endif
	}
	
	
	
	/* take them out of the list */
	l = conf->record_list;
	
	while (l->next) {
#ifdef DEBUG_SORTER	
		printf("-2+- %ld\n", ((mlogrec *)l->data)->timestamp);
#endif
		l = l->next;
	}
	
	if (l && l->data) {
#ifdef DEBUG_SORTER	
		printf("-2*- %ld\n", ((mlogrec *)l->data)->timestamp);
#endif
		mrecord_copy(record, l->data);
		
		mrecord_free(l->data);
		l->data = NULL;
		
		if (l->prev) {
#ifdef DEBUG_SORTER	
			printf("-4*-\n");
#endif
			l->prev->next = NULL;
			l->prev = NULL;
			l->next = NULL;
			mlist_free(l);
		}
		
		conf->read_ahead_count--;
#ifdef DEBUG_SORTER			
		l = conf->record_list;
		while(l) {
			mlogrec *data = (mlogrec *)l->data;
			if (data)
				printf("-4+- %ld\n", data->timestamp);
			
			l = l->next;
		}
#endif		
		return 0;
	}
#ifdef DEBUG_SORTER	
	l = conf->record_list;
	while(l) {
		mlogrec *data = (mlogrec *)l->data;
		
		if (data)
			printf("-4-- %ld\n", data->timestamp);
			
		l = l->next;
	}
#endif	
	return -1;
}