suricata-code分析

# 0. 参考
[1] [配置篇-suricata.yaml-2](https://m.w3cschool.cn/notebook/notebook-6tps2l2o.html)
# 1.总体工作流程
![架构](https://leanote.com/api/file/getImage?fileId=5d36bfb4ab64414d870024cf)

**解析(parser)**
------
------
# app-layer-parser.c
```c

typedef struct AppLayerParserCtx_{
    AppLayerParserProtoCtx ctxs[FLOW_PROTO_MAX][ALPROTO_MAX];
} AppLayerParserCtx;

static AppLayerParserCtx alp_ctx;

void AppLayerParserRegisterStateFuncs(uint8_t ipproto, AppProto alproto,
                           void *(*StateAlloc)(void),
                           void (*StateFree)(void *))
{
    SCEnter();

alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].StateAlloc =
        StateAlloc;
    alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].StateFree =
        StateFree;

SCReturn;
}

```

# 输出

<center>
![output](https://leanote.com/api/file/getImage?fileId=5d4826cdab64417fbf000c19)
</center>

<center>
![TX获取](https://leanote.com/api/file/getImage?fileId=5d492337ab64417fbf001611)
</center>

**log(输出--http)**
-----
-----

> output-json-http.c

此文件主要关于http各个字段以json格式输出，需要关注几个函数

- JsonHttpLogRegister
 - JsonHttpLogger
 - JsonHttpLogJson
    - JsonHttpLogJSONBasic
    - JsonHttpLogJSONCustom
    - JsonHttpLogJSONExtended
    - JsonHttpLogJSONHeaders
<center>
![output-json](https://leanote.com/api/file/getImage?fileId=5d3ab317ab644105cb006731)
</center>
<center>
![call graph](https://leanote.com/api/file/getImage?fileId=5d3aacccab644103ac006559)
</center>

```
JsonHttpLogJSONBasic输出字段:hostname/http_port/url/http_user_agent/xff/http_content_type/content_range/raw/start(?)/end(?)/size(?)
JsonHttpLogJSONCustom输出字段(code拥有支持字段名字，客户按需定制输出字段):accept,accept-charset,accept-encoding,accept-language,accept-datetime,authorization,cache-control,cookie,from,max-forwards,origin,pragma,proxy-authorization,range,te,via,x-requested-with,dnt,x-forwarded-proto,x-authenticated-user,x-flash-version,accept-range,age,allow,connection,content-encoding,content-language,content-length,content-location,content-md5,content-range,content-type,date,etags,expires,last-modified,link,location,proxy-authenticate,referrer,refresh,retry-after,server,set-cookie,trailer,transfer-encoding,upgrade,vary,warning,www-authenticate,true-client-ip,org-src-ip,x-bluecoat-via
JsonHttpLogJSONExtended输出字段:http_refer,http_method,protocol,status,redirect,length
JsonHttpLogJSONHeaders输出req/res头信息,这些头(name/value)信息存储在list结构体里，遍历输出name：xx value:xxx
```

http字段取得结构体:
```
/**
 * Represents a single HTTP transaction, which is a combination of a request and a response.
 */
struct htp_tx_t {
    /** The connection parser associated with this transaction. */
    htp_connp_t *connp;

/** The connection to which this transaction belongs. */
    htp_conn_t *conn;

/** The configuration structure associated with this transaction. */
    htp_cfg_t *cfg;

/**
     * Is the configuration structure shared with other transactions or connections? If
     * this field is set to HTP_CONFIG_PRIVATE, the transaction owns the configuration.
     */
    int is_config_shared;

/** The user data associated with this transaction. */
    void *user_data;
    
    
    // Request fields

/** Contains a count of how many empty lines were skipped before the request line. */
    unsigned int request_ignored_lines;

/** The first line of this request. */
    bstr *request_line;

/** Request method. */
    bstr *request_method;

/** Request method, as number. Available only if we were able to recognize the request method. */
    enum htp_method_t request_method_number;

/**
     * Request URI, raw, as given to us on the request line. This field can take different forms,
     * for example authority for CONNECT methods, absolute URIs for proxy requests, and the query
     * string when one is provided. Use htp_tx_t::parsed_uri if you need to access to specific
     * URI elements. Can be NULL if the request line contains only a request method (which is
     * an extreme case of HTTP/0.9, but passes in practice.
     */
    bstr *request_uri;

/** Request protocol, as text. Can be NULL if no protocol was specified. */
    bstr *request_protocol;

/**
     * Protocol version as a number. Multiply the high version number by 100, then add the low
     * version number. You should prefer to work the pre-defined HTP_PROTOCOL_* constants.
     */
    int request_protocol_number;

/**
     * Is this request using HTTP/0.9? We need a separate field for this purpose because
     * the protocol version alone is not sufficient to determine if HTTP/0.9 is used. For
     * example, if you submit "GET / HTTP/0.9" to Apache, it will not treat the request
     * as HTTP/0.9.
     */
    int is_protocol_0_9;

/**
     * This structure holds the individual components parsed out of the request URI, with
     * appropriate normalization and transformation applied, per configuration. No information
     * is added. In extreme cases when no URI is provided on the request line, all fields
     * will be NULL. (Well, except for port_number, which will be -1.) To inspect raw data, use
     * htp_tx_t::request_uri or htp_tx_t::parsed_uri_raw.
     */
    htp_uri_t *parsed_uri;

/**
     * This structure holds the individual components parsed out of the request URI, but
     * without any modification. The purpose of this field is to allow you to look at the data as it
     * was supplied on the request line. Fields can be NULL, depending on what data was supplied.
     * The port_number field is always -1.
     */
    htp_uri_t *parsed_uri_raw;
    
    /* HTTP 1.1 RFC
     * 
     * 4.3 Message Body
     * 
     * The message-body (if any) of an HTTP message is used to carry the
     * entity-body associated with the request or response. The message-body
     * differs from the entity-body only when a transfer-coding has been
     * applied, as indicated by the Transfer-Encoding header field (section
     * 14.41).
     *
     *     message-body = entity-body
     *                  | <entity-body encoded as per Transfer-Encoding>
     */

/**
     * The length of the request message-body. In most cases, this value
     * will be the same as request_entity_len. The values will be different
     * if request compression or chunking were applied. In that case,
     * request_message_len contains the length of the request body as it
     * has been seen over TCP; request_entity_len contains length after
     * de-chunking and decompression.
     */
    int64_t request_message_len;

/**
     * The length of the request entity-body. In most cases, this value
     * will be the same as request_message_len. The values will be different
     * if request compression or chunking were applied. In that case,
     * request_message_len contains the length of the request body as it
     * has been seen over TCP; request_entity_len contains length after
     * de-chunking and decompression.
     */
    int64_t request_entity_len;

/** Parsed request headers. */
    htp_table_t *request_headers;

/**
     * Request transfer coding. Can be one of HTP_CODING_UNKNOWN (body presence not
     * determined yet), HTP_CODING_IDENTITY, HTP_CODING_CHUNKED, HTP_CODING_NO_BODY,
     * and HTP_CODING_UNRECOGNIZED.
     */
    enum htp_transfer_coding_t request_transfer_coding;

/** Request body compression. */
    enum htp_content_encoding_t request_content_encoding;

/**
     * This field contain the request content type when that information is
     * available in request headers. The contents of the field will be converted
     * to lowercase and any parameters (e.g., character set information) removed.
     */
    bstr *request_content_type;

/**
     * Contains the value specified in the Content-Length header. The value of this
     * field will be -1 from the beginning of the transaction and until request
     * headers are processed. It will stay -1 if the C-L header was not provided,
     * or if the value in it cannot be parsed.
     */
    int64_t request_content_length;

/**
     * Transaction-specific REQUEST_BODY_DATA hook. Behaves as
     * the configuration hook with the same name.
     */
    htp_hook_t *hook_request_body_data;

/**
     * Transaction-specific RESPONSE_BODY_DATA hook. Behaves as
     * the configuration hook with the same name.
     */
    htp_hook_t *hook_response_body_data;

/**
     * Query string URLENCODED parser. Available only
     * when the query string is not NULL and not empty.
     */
    htp_urlenp_t *request_urlenp_query;

/**
     * Request body URLENCODED parser. Available only when the request body is in the
     * application/x-www-form-urlencoded format and the parser was configured to run.
     */
    htp_urlenp_t *request_urlenp_body;

/**
     * Request body MULTIPART parser. Available only when the body is in the
     * multipart/form-data format and the parser was configured to run.
     */
    htp_mpartp_t *request_mpartp;

/** Request parameters. */
    htp_table_t *request_params;

/** Request cookies */
    htp_table_t *request_cookies;

/** Authentication type used in the request. */
    enum htp_auth_type_t request_auth_type;

/** Authentication username. */
    bstr *request_auth_username;

/** Authentication password. Available only when htp_tx_t::request_auth_type is HTP_AUTH_BASIC. */
    bstr *request_auth_password;

/**
     * Request hostname. Per the RFC, the hostname will be taken from the Host header
     * when available. If the host information is also available in the URI, it is used
     * instead of whatever might be in the Host header. Can be NULL. This field does
     * not contain port information.
     */
    bstr *request_hostname;

/**
     * Request port number, if presented. The rules for htp_tx_t::request_host apply. Set to
     * -1 by default.
     */
    int request_port_number;

// Response fields

/** How many empty lines did we ignore before reaching the status line? */
    unsigned int response_ignored_lines;

/** Response line. */
    bstr *response_line;

/** Response protocol, as text. Can be NULL. */
    bstr *response_protocol;

/**
     * Response protocol as number. Available only if we were able to parse the protocol version,
     * HTP_PROTOCOL_INVALID otherwise. HTP_PROTOCOL_UNKNOWN until parsing is attempted.
     */
    int response_protocol_number;

/**
     * Response status code, as text. Starts as NULL and can remain NULL on
     * an invalid response that does not specify status code.
     */
    bstr *response_status;

/**
     * Response status code, available only if we were able to parse it, HTP_STATUS_INVALID
     * otherwise. HTP_STATUS_UNKNOWN until parsing is attempted.
     */
    int response_status_number;

/**
     * This field is set by the protocol decoder with it thinks that the
     * backend server will reject a request with a particular status code.
     */
    int response_status_expected_number;

/** The message associated with the response status code. Can be NULL. */
    bstr *response_message;

/** Have we seen the server respond with a 100 response? */
    int seen_100continue;

/** Parsed response headers. Contains instances of htp_header_t. */
    htp_table_t *response_headers;

/* HTTP 1.1 RFC
     * 
     * 4.3 Message Body
     * 
     * The message-body (if any) of an HTTP message is used to carry the
     * entity-body associated with the request or response. The message-body
     * differs from the entity-body only when a transfer-coding has been
     * applied, as indicated by the Transfer-Encoding header field (section
     * 14.41).
     *
     *     message-body = entity-body
     *                  | <entity-body encoded as per Transfer-Encoding>
     */

/**
     * The length of the response message-body. In most cases, this value
     * will be the same as response_entity_len. The values will be different
     * if response compression or chunking were applied. In that case,
     * response_message_len contains the length of the response body as it
     * has been seen over TCP; response_entity_len contains the length after
     * de-chunking and decompression.
     */
    int64_t response_message_len;

/**
     * The length of the response entity-body. In most cases, this value
     * will be the same as response_message_len. The values will be different
     * if request compression or chunking were applied. In that case,
     * response_message_len contains the length of the response body as it
     * has been seen over TCP; response_entity_len contains length after
     * de-chunking and decompression.
     */
    int64_t response_entity_len;

/**
     * Contains the value specified in the Content-Length header. The value of this
     * field will be -1 from the beginning of the transaction and until response
     * headers are processed. It will stay -1 if the C-L header was not provided,
     * or if the value in it cannot be parsed.
     */
    int64_t response_content_length;
    
    /**
     * Response transfer coding, which indicates if there is a response body,
     * and how it is transported (e.g., as-is, or chunked).
     */
    enum htp_transfer_coding_t response_transfer_coding;

/**
     * Response body compression, which indicates if compression is used
     * for the response body. This field is an interpretation of the information
     * available in response headers.
     */
    enum htp_content_encoding_t response_content_encoding;

/**
     * Response body compression processing information, which is related to how
     * the library is going to process (or has processed) a response body. Changing
     * this field mid-processing can influence library actions. For example, setting
     * this field to HTP_COMPRESSION_NONE in a RESPONSE_HEADERS callback will prevent
     * decompression.
     */
    enum htp_content_encoding_t response_content_encoding_processing;
    
    /**
     * This field will contain the response content type when that information
     * is available in response headers. The contents of the field will be converted
     * to lowercase and any parameters (e.g., character set information) removed.
     */
    bstr *response_content_type;

// Common fields

/**
     * Parsing flags; a combination of: HTP_REQUEST_INVALID_T_E, HTP_INVALID_FOLDING,
     * HTP_REQUEST_SMUGGLING, HTP_MULTI_PACKET_HEAD, and HTP_FIELD_UNPARSEABLE.
     */
    uint64_t flags;

/** Request progress. */
    enum htp_tx_req_progress_t request_progress;

/** Response progress. */
    enum htp_tx_res_progress_t response_progress;

/** Transaction index on the connection. */
    size_t index;
};
```

```

void JsonHttpLogRegister (void)
{
    /* register as separate module */
    OutputRegisterTxModule(LOGGER_JSON_HTTP, "JsonHttpLog", "http-json-log",
        OutputHttpLogInit, ALPROTO_HTTP, JsonHttpLogger, JsonHttpLogThreadInit,
        JsonHttpLogThreadDeinit, NULL);

/* also register as child of eve-log */
    OutputRegisterTxSubModule(
    LOGGER_JSON_HTTP,// LoggerID
    "eve-log",//parent_name
    "JsonHttpLog",//name
    "eve-log.http",//conf_name
    OutputHttpLogInitSub,
    ALPROTO_HTTP,//AppProto
    JsonHttpLogger,//TxLogger
    JsonHttpLogThreadInit,
    JsonHttpLogThreadDeinit,
    NULL);
}
```

>output.c

```
void OutputRegisterTxSubModule(
    LoggerId id, 
    const char *parent_name,
    const char *name,
    const char *conf_name,
    OutputInitSubFunc InitFunc, 
    AppProto alproto, 
    TxLogger TxLogFunc,
    ThreadInitFunc ThreadInit,
    ThreadDeinitFunc ThreadDeinit,
    ThreadExitPrintStatsFunc ThreadExitPrintStats)
{
    OutputRegisterTxSubModuleWrapper(
    id,
    parent_name,
    name,
    conf_name,
    InitFunc, 
    alproto,
    TxLogFunc,
    -1,//tc_log_progress
    -1,//ts_log_progress
    NULL,
    ThreadInit,
    ThreadDeinit,
    ThreadExitPrintStats);
}

#define TAILQ_HEAD(name, type)						\
struct name {								\
	struct type *tqh_first;	/* first element */			\
	struct type **tqh_last;	/* addr of last next element */		\
}

typedef TAILQ_HEAD(OutputModuleList_, OutputModule_) OutputModuleList;//很有技巧，前面名称，后面组合类型
extern OutputModuleList output_modules;

typedef struct OutputModule_ {
    LoggerId logger_id;
    const char *name;
    const char *conf_name;
    const char *parent_name;
    OutputInitFunc InitFunc;
    OutputInitSubFunc InitSubFunc;

ThreadInitFunc ThreadInit;
    ThreadDeinitFunc ThreadDeinit;
    ThreadExitPrintStatsFunc ThreadExitPrintStats;

PacketLogger PacketLogFunc;
    PacketLogCondition PacketConditionFunc;
    TxLogger TxLogFunc;
    TxLoggerCondition TxLogCondition;
    FileLogger FileLogFunc;
    FiledataLogger FiledataLogFunc;
    FlowLogger FlowLogFunc;
    StreamingLogger StreamingLogFunc;
    StatsLogger StatsLogFunc;
    AppProto alproto;
    enum OutputStreamingType stream_type;
    int tc_log_progress;
    int ts_log_progress;

TAILQ_ENTRY(OutputModule_) entries;//前后节点
} OutputModule;

```

信息安全从业人员^_^

导航

最近发表

友情链接