Information security practitioner ^_^
A not-yet-initiated, chubby student of intelligence studies (email: tenghm1986@163.com)
suricata code analysis
2019-08-06 14:50:43
heming
# 0. References

[1] [Configuration: suricata.yaml (part 2)](https://m.w3cschool.cn/notebook/notebook-6tps2l2o.html)

# 1. Overall workflow

![Architecture](https://leanote.com/api/file/getImage?fileId=5d36bfb4ab64414d870024cf)

**Parsing (parser)**

------

# app-layer-parser.c

```c
/* One slot per (flow protocol, application-layer protocol) pair; each slot holds
 * the callbacks registered by that protocol's parser. */
typedef struct AppLayerParserCtx_ {
    AppLayerParserProtoCtx ctxs[FLOW_PROTO_MAX][ALPROTO_MAX];
} AppLayerParserCtx;

static AppLayerParserCtx alp_ctx;

/* Register the per-flow state allocation/release callbacks of a parser.
 * FlowGetProtoMapping() maps the IP protocol number (TCP, UDP, ...) onto the
 * first index of the table; the application-layer protocol is the second index. */
void AppLayerParserRegisterStateFuncs(uint8_t ipproto, AppProto alproto,
                                      void *(*StateAlloc)(void),
                                      void (*StateFree)(void *))
{
    SCEnter();

    alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].StateAlloc = StateAlloc;
    alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].StateFree = StateFree;

    SCReturn;
}
```

# Output

<center>
![output](https://leanote.com/api/file/getImage?fileId=5d4826cdab64417fbf000c19)
</center>

<center>
![TX retrieval](https://leanote.com/api/file/getImage?fileId=5d492337ab64417fbf001611)
</center>

**log (output: http)**

------

> output-json-http.c

This file is about emitting the individual HTTP fields in JSON format. The functions worth looking at are:

- JsonHttpLogRegister
- JsonHttpLogger
- JsonHttpLogJson
- JsonHttpLogJSONBasic
- JsonHttpLogJSONCustom
- JsonHttpLogJSONExtended
- JsonHttpLogJSONHeaders

<center>
![output-json](https://leanote.com/api/file/getImage?fileId=5d3ab317ab644105cb006731)
</center>

<center>
![call graph](https://leanote.com/api/file/getImage?fileId=5d3aacccab644103ac006559)
</center>

Fields emitted by each function:

- JsonHttpLogJSONBasic: hostname / http_port / url / http_user_agent / xff / http_content_type / content_range / raw / start(?) / end(?) / size(?)
- JsonHttpLogJSONCustom (the code carries a table of supported header names; the user picks which of them to emit in the configuration): accept,accept-charset,accept-encoding,accept-language,accept-datetime,authorization,cache-control,cookie,from,max-forwards,origin,pragma,proxy-authorization,range,te,via,x-requested-with,dnt,x-forwarded-proto,x-authenticated-user,x-flash-version,accept-range,age,allow,connection,content-encoding,content-language,content-length,content-location,content-md5,content-range,content-type,date,etags,expires,last-modified,link,location,proxy-authenticate,referrer,refresh,retry-after,server,set-cookie,trailer,transfer-encoding,upgrade,vary,warning,www-authenticate,true-client-ip,org-src-ip,x-bluecoat-via
- JsonHttpLogJSONExtended: http_refer, http_method, protocol, status, redirect, length
- JsonHttpLogJSONHeaders: the request/response headers. The (name/value) pairs are stored in a list structure; the list is walked and each entry is emitted as name: xx, value: xxx.

The struct from which the HTTP fields are read (libhtp's `htp_tx_t`):

```c
/**
 * Represents a single HTTP transaction, which is a combination of a request and a response.
 */
struct htp_tx_t {
    /** The connection parser associated with this transaction. */
    htp_connp_t *connp;

    /** The connection to which this transaction belongs. */
    htp_conn_t *conn;

    /** The configuration structure associated with this transaction. */
    htp_cfg_t *cfg;

    /**
     * Is the configuration structure shared with other transactions or connections? If
     * this field is set to HTP_CONFIG_PRIVATE, the transaction owns the configuration.
     */
    int is_config_shared;

    /** The user data associated with this transaction. */
    void *user_data;

    // Request fields

    /** Contains a count of how many empty lines were skipped before the request line. */
    unsigned int request_ignored_lines;

    /** The first line of this request. */
    bstr *request_line;

    /** Request method. */
    bstr *request_method;

    /** Request method, as number. Available only if we were able to recognize the request method. */
    enum htp_method_t request_method_number;

    /**
     * Request URI, raw, as given to us on the request line. This field can take different forms,
     * for example authority for CONNECT methods, absolute URIs for proxy requests, and the query
     * string when one is provided. Use htp_tx_t::parsed_uri if you need to access to specific
     * URI elements. Can be NULL if the request line contains only a request method (which is
     * an extreme case of HTTP/0.9, but passes in practice).
     */
    bstr *request_uri;

    /** Request protocol, as text. Can be NULL if no protocol was specified. */
    bstr *request_protocol;

    /**
     * Protocol version as a number. Multiply the high version number by 100, then add the low
     * version number. You should prefer to work with the pre-defined HTP_PROTOCOL_* constants.
     */
    int request_protocol_number;

    /**
     * Is this request using HTTP/0.9? We need a separate field for this purpose because
     * the protocol version alone is not sufficient to determine if HTTP/0.9 is used. For
     * example, if you submit "GET / HTTP/0.9" to Apache, it will not treat the request
     * as HTTP/0.9.
     */
    int is_protocol_0_9;

    /**
     * This structure holds the individual components parsed out of the request URI, with
     * appropriate normalization and transformation applied, per configuration. No information
     * is added. In extreme cases when no URI is provided on the request line, all fields
     * will be NULL. (Well, except for port_number, which will be -1.) To inspect raw data, use
     * htp_tx_t::request_uri or htp_tx_t::parsed_uri_raw.
     */
    htp_uri_t *parsed_uri;

    /**
     * This structure holds the individual components parsed out of the request URI, but
     * without any modification. The purpose of this field is to allow you to look at the data as it
     * was supplied on the request line. Fields can be NULL, depending on what data was supplied.
     * The port_number field is always -1.
     */
    htp_uri_t *parsed_uri_raw;

    /* HTTP 1.1 RFC
     *
     * 4.3 Message Body
     *
     * The message-body (if any) of an HTTP message is used to carry the
     * entity-body associated with the request or response. The message-body
     * differs from the entity-body only when a transfer-coding has been
     * applied, as indicated by the Transfer-Encoding header field (section
     * 14.41).
     *
     *     message-body = entity-body
     *                  | <entity-body encoded as per Transfer-Encoding>
     */

    /**
     * The length of the request message-body. In most cases, this value
     * will be the same as request_entity_len. The values will be different
     * if request compression or chunking were applied. In that case,
     * request_message_len contains the length of the request body as it
     * has been seen over TCP; request_entity_len contains length after
     * de-chunking and decompression.
     */
    int64_t request_message_len;

    /**
     * The length of the request entity-body. In most cases, this value
     * will be the same as request_message_len. The values will be different
     * if request compression or chunking were applied. In that case,
     * request_message_len contains the length of the request body as it
     * has been seen over TCP; request_entity_len contains length after
     * de-chunking and decompression.
     */
    int64_t request_entity_len;

    /** Parsed request headers. */
    htp_table_t *request_headers;

    /**
     * Request transfer coding. Can be one of HTP_CODING_UNKNOWN (body presence not
     * determined yet), HTP_CODING_IDENTITY, HTP_CODING_CHUNKED, HTP_CODING_NO_BODY,
     * and HTP_CODING_UNRECOGNIZED.
     */
    enum htp_transfer_coding_t request_transfer_coding;

    /** Request body compression. */
    enum htp_content_encoding_t request_content_encoding;

    /**
     * This field contains the request content type when that information is
     * available in request headers. The contents of the field will be converted
     * to lowercase and any parameters (e.g., character set information) removed.
     */
    bstr *request_content_type;

    /**
     * Contains the value specified in the Content-Length header. The value of this
     * field will be -1 from the beginning of the transaction and until request
     * headers are processed. It will stay -1 if the C-L header was not provided,
     * or if the value in it cannot be parsed.
     */
    int64_t request_content_length;

    /**
     * Transaction-specific REQUEST_BODY_DATA hook. Behaves as
     * the configuration hook with the same name.
     */
    htp_hook_t *hook_request_body_data;

    /**
     * Transaction-specific RESPONSE_BODY_DATA hook. Behaves as
     * the configuration hook with the same name.
     */
    htp_hook_t *hook_response_body_data;

    /**
     * Query string URLENCODED parser. Available only
     * when the query string is not NULL and not empty.
     */
    htp_urlenp_t *request_urlenp_query;

    /**
     * Request body URLENCODED parser. Available only when the request body is in the
     * application/x-www-form-urlencoded format and the parser was configured to run.
     */
    htp_urlenp_t *request_urlenp_body;

    /**
     * Request body MULTIPART parser. Available only when the body is in the
     * multipart/form-data format and the parser was configured to run.
     */
    htp_mpartp_t *request_mpartp;

    /** Request parameters. */
    htp_table_t *request_params;

    /** Request cookies */
    htp_table_t *request_cookies;

    /** Authentication type used in the request. */
    enum htp_auth_type_t request_auth_type;

    /** Authentication username. */
    bstr *request_auth_username;

    /** Authentication password. Available only when htp_tx_t::request_auth_type is HTP_AUTH_BASIC. */
    bstr *request_auth_password;

    /**
     * Request hostname. Per the RFC, the hostname will be taken from the Host header
     * when available. If the host information is also available in the URI, it is used
     * instead of whatever might be in the Host header. Can be NULL. This field does
     * not contain port information.
     */
    bstr *request_hostname;

    /**
     * Request port number, if presented. The rules for htp_tx_t::request_host apply. Set to
     * -1 by default.
     */
    int request_port_number;

    // Response fields

    /** How many empty lines did we ignore before reaching the status line? */
    unsigned int response_ignored_lines;

    /** Response line. */
    bstr *response_line;

    /** Response protocol, as text. Can be NULL. */
    bstr *response_protocol;

    /**
     * Response protocol as number. Available only if we were able to parse the protocol version,
     * HTP_PROTOCOL_INVALID otherwise. HTP_PROTOCOL_UNKNOWN until parsing is attempted.
     */
    int response_protocol_number;

    /**
     * Response status code, as text. Starts as NULL and can remain NULL on
     * an invalid response that does not specify status code.
     */
    bstr *response_status;

    /**
     * Response status code, available only if we were able to parse it, HTP_STATUS_INVALID
     * otherwise. HTP_STATUS_UNKNOWN until parsing is attempted.
     */
    int response_status_number;

    /**
     * This field is set by the protocol decoder when it thinks that the
     * backend server will reject a request with a particular status code.
     */
    int response_status_expected_number;

    /** The message associated with the response status code. Can be NULL. */
    bstr *response_message;

    /** Have we seen the server respond with a 100 response? */
    int seen_100continue;

    /** Parsed response headers. Contains instances of htp_header_t. */
    htp_table_t *response_headers;

    /* HTTP 1.1 RFC
     *
     * 4.3 Message Body
     *
     * The message-body (if any) of an HTTP message is used to carry the
     * entity-body associated with the request or response. The message-body
     * differs from the entity-body only when a transfer-coding has been
     * applied, as indicated by the Transfer-Encoding header field (section
     * 14.41).
     *
     *     message-body = entity-body
     *                  | <entity-body encoded as per Transfer-Encoding>
     */

    /**
     * The length of the response message-body. In most cases, this value
     * will be the same as response_entity_len. The values will be different
     * if response compression or chunking were applied. In that case,
     * response_message_len contains the length of the response body as it
     * has been seen over TCP; response_entity_len contains the length after
     * de-chunking and decompression.
     */
    int64_t response_message_len;

    /**
     * The length of the response entity-body. In most cases, this value
     * will be the same as response_message_len. The values will be different
     * if request compression or chunking were applied. In that case,
     * response_message_len contains the length of the response body as it
     * has been seen over TCP; response_entity_len contains length after
     * de-chunking and decompression.
     */
    int64_t response_entity_len;

    /**
     * Contains the value specified in the Content-Length header. The value of this
     * field will be -1 from the beginning of the transaction and until response
     * headers are processed. It will stay -1 if the C-L header was not provided,
     * or if the value in it cannot be parsed.
     */
    int64_t response_content_length;

    /**
     * Response transfer coding, which indicates if there is a response body,
     * and how it is transported (e.g., as-is, or chunked).
     */
    enum htp_transfer_coding_t response_transfer_coding;

    /**
     * Response body compression, which indicates if compression is used
     * for the response body. This field is an interpretation of the information
     * available in response headers.
     */
    enum htp_content_encoding_t response_content_encoding;

    /**
     * Response body compression processing information, which is related to how
     * the library is going to process (or has processed) a response body. Changing
     * this field mid-processing can influence library actions. For example, setting
     * this field to HTP_COMPRESSION_NONE in a RESPONSE_HEADERS callback will prevent
     * decompression.
     */
    enum htp_content_encoding_t response_content_encoding_processing;

    /**
     * This field will contain the response content type when that information
     * is available in response headers. The contents of the field will be converted
     * to lowercase and any parameters (e.g., character set information) removed.
     */
    bstr *response_content_type;

    // Common fields

    /**
     * Parsing flags; a combination of: HTP_REQUEST_INVALID_T_E, HTP_INVALID_FOLDING,
     * HTP_REQUEST_SMUGGLING, HTP_MULTI_PACKET_HEAD, and HTP_FIELD_UNPARSEABLE.
     */
    uint64_t flags;

    /** Request progress. */
    enum htp_tx_req_progress_t request_progress;

    /** Response progress. */
    enum htp_tx_res_progress_t response_progress;

    /** Transaction index on the connection. */
    size_t index;
};
```

The logger registers itself twice: once as a stand-alone module and once as a sub-module of eve-log.

```c
void JsonHttpLogRegister(void)
{
    /* register as separate module */
    OutputRegisterTxModule(LOGGER_JSON_HTTP, "JsonHttpLog", "http-json-log",
        OutputHttpLogInit, ALPROTO_HTTP, JsonHttpLogger, JsonHttpLogThreadInit,
        JsonHttpLogThreadDeinit, NULL);

    /* also register as child of eve-log */
    OutputRegisterTxSubModule(
        LOGGER_JSON_HTTP,        // LoggerId
        "eve-log",               // parent_name
        "JsonHttpLog",           // name
        "eve-log.http",          // conf_name
        OutputHttpLogInitSub,
        ALPROTO_HTTP,            // AppProto
        JsonHttpLogger,          // TxLogger
        JsonHttpLogThreadInit,
        JsonHttpLogThreadDeinit,
        NULL);
}
```

> output.c

```c
void OutputRegisterTxSubModule(LoggerId id, const char *parent_name, const char *name,
        const char *conf_name, OutputInitSubFunc InitFunc, AppProto alproto,
        TxLogger TxLogFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit,
        ThreadExitPrintStatsFunc ThreadExitPrintStats)
{
    OutputRegisterTxSubModuleWrapper(id, parent_name, name, conf_name, InitFunc,
        alproto, TxLogFunc,
        -1,      // tc_log_progress
        -1,      // ts_log_progress
        NULL,
        ThreadInit, ThreadDeinit, ThreadExitPrintStats);
}

#define TAILQ_HEAD(name, type) \
struct name { \
    struct type *tqh_first; /* first element */ \
    struct type **tqh_last;  /* addr of last next element */ \
}

/* Neat trick: the first macro argument names the head struct, the second is the
 * element type it links. */
typedef TAILQ_HEAD(OutputModuleList_, OutputModule_) OutputModuleList;
extern OutputModuleList output_modules;

typedef struct OutputModule_ {
    LoggerId logger_id;
    const char *name;
    const char *conf_name;
    const char *parent_name;

    OutputInitFunc InitFunc;
    OutputInitSubFunc InitSubFunc;

    ThreadInitFunc ThreadInit;
    ThreadDeinitFunc ThreadDeinit;
    ThreadExitPrintStatsFunc ThreadExitPrintStats;

    PacketLogger PacketLogFunc;
    PacketLogCondition PacketConditionFunc;
    TxLogger TxLogFunc;
    TxLoggerCondition TxLogCondition;
    FileLogger FileLogFunc;
    FiledataLogger FiledataLogFunc;
    FlowLogger FlowLogFunc;
    StreamingLogger StreamingLogFunc;
    StatsLogger StatsLogFunc;
    AppProto alproto;
    enum OutputStreamingType stream_type;
    int tc_log_progress;
    int ts_log_progress;

    TAILQ_ENTRY(OutputModule_) entries; /* previous/next links in the list */
} OutputModule;
```
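The parser section above shows how `AppLayerParserRegisterStateFuncs` stores a pair of function pointers in a static two-dimensional table indexed by (flow protocol, application-layer protocol). The following is an added, self-contained illustration of that table, not Suricata's own code: the `FLOW_PROTO_*` / `ALPROTO_*` values, the reduced `ProtoCtx` slot, the `RegisterStateFuncs` / `StateAllocFor` / `StateFreeFor` helpers and the toy `DemoHttpState` are all assumptions made for the demo. It adds the bounds and NULL checks a registration API wants, and shows that a slot which was never registered stays NULL, so a flow on an unregistered (ipproto, alproto) pair gets no state rather than a call through a garbage pointer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for Suricata's FLOW_PROTO_* / ALPROTO_* enums; the
 * names and values are assumptions for this demo only. */
enum { FLOW_PROTO_TCP = 0, FLOW_PROTO_UDP = 1, FLOW_PROTO_DEFAULT = 2, FLOW_PROTO_MAX = 3 };
enum { ALPROTO_UNKNOWN = 0, ALPROTO_HTTP = 1, ALPROTO_DNS = 2, ALPROTO_MAX = 3 };

typedef void *(*StateAllocFn)(void);
typedef void (*StateFreeFn)(void *);

/* Reduced AppLayerParserProtoCtx: only the two callbacks this demo registers. */
typedef struct ProtoCtx_ {
    StateAllocFn StateAlloc;
    StateFreeFn StateFree;
} ProtoCtx;

/* Same shape as alp_ctx.ctxs[FLOW_PROTO_MAX][ALPROTO_MAX]. Being a static object
 * it is zero-initialised, so an unregistered slot holds NULL function pointers. */
typedef struct ParserCtx_ {
    ProtoCtx ctxs[FLOW_PROTO_MAX][ALPROTO_MAX];
} ParserCtx;

static ParserCtx alp_ctx;

/* Maps an IP protocol number onto the first table index (6 = TCP, 17 = UDP). */
static int FlowGetProtoMapping(uint8_t ipproto)
{
    switch (ipproto) {
        case 6:  return FLOW_PROTO_TCP;
        case 17: return FLOW_PROTO_UDP;
        default: return FLOW_PROTO_DEFAULT;
    }
}

/* Registration with bounds and NULL checks (an addition of this demo).
 * Returns 0 on success, -1 when the registration is rejected. */
int RegisterStateFuncs(uint8_t ipproto, int alproto, StateAllocFn alloc_fn, StateFreeFn free_fn)
{
    if (alproto <= ALPROTO_UNKNOWN || alproto >= ALPROTO_MAX || alloc_fn == NULL || free_fn == NULL)
        return -1;
    ProtoCtx *slot = &alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto];
    slot->StateAlloc = alloc_fn;
    slot->StateFree = free_fn;
    return 0;
}

/* Look-ups as the flow engine would do them: NULL when nothing was registered. */
void *StateAllocFor(uint8_t ipproto, int alproto)
{
    if (alproto < 0 || alproto >= ALPROTO_MAX) return NULL;
    StateAllocFn fn = alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].StateAlloc;
    return fn ? fn() : NULL;
}

void StateFreeFor(uint8_t ipproto, int alproto, void *state)
{
    if (state == NULL || alproto < 0 || alproto >= ALPROTO_MAX) return;
    StateFreeFn fn = alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].StateFree;
    if (fn) fn(state);
}

/* Toy per-flow state standing in for the real HtpState. */
typedef struct DemoHttpState_ { unsigned tx_count; } DemoHttpState;
static void *DemoHttpStateAlloc(void) { return calloc(1, sizeof(DemoHttpState)); }
static void DemoHttpStateFree(void *s) { free(s); }

/* Exercise the table; returns 1 when every look-up behaves as expected. */
int DemoRegistrationTable(void)
{
    if (RegisterStateFuncs(6, ALPROTO_HTTP, DemoHttpStateAlloc, DemoHttpStateFree) != 0)
        return 0;
    void *s = StateAllocFor(6, ALPROTO_HTTP);               /* registered: HTTP over TCP */
    if (s == NULL) return 0;
    StateFreeFor(6, ALPROTO_HTTP, s);
    if (StateAllocFor(17, ALPROTO_HTTP) != NULL) return 0;  /* HTTP over UDP: never registered */
    if (StateAllocFor(6, ALPROTO_DNS) != NULL) return 0;    /* DNS: never registered */
    return 1;
}

int main(void)
{
    printf("registration table behaves as expected: %d\n", DemoRegistrationTable());
    return 0;
}
```

The point of the `-1` return paths is that the real table is indexed directly with the caller's values; a registration for an out-of-range `alproto` would write past the row, so the check belongs at the registration boundary, not in every look-up.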
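The `JsonHttpLogJSONBasic` fields listed in the log section (hostname, http_port, url, http_user_agent, http_content_type) are all copied from client- or server-supplied headers, so a JSON logger must escape them before writing a line of EVE output. The block below is an added example of that step, written for this page and not Suricata's own implementation (Suricata uses a JSON library for this): `DemoHttpTx`, `JsonQuote` and `JsonHttpBasic` are assumed names, and `DemoHttpTx` holds plain C strings where `htp_tx_t` holds `bstr`. The constructed sample uses a User-Agent containing a quote and a newline to show that the record stays one valid JSON object on one line.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed subset of htp_tx_t with C strings instead of bstr. */
typedef struct DemoHttpTx_ {
    const char *request_hostname;
    int request_port_number;
    const char *request_uri;
    const char *user_agent;             /* value of the User-Agent header */
    const char *response_content_type;
} DemoHttpTx;

/* Write s as a quoted JSON string into out. Returns the bytes written or -1 if
 * out is too small. Escapes what RFC 8259 requires: quote, backslash and the
 * control characters U+0000..U+001F. Bytes >= 0x80 pass through unchanged
 * (the input is assumed to be UTF-8). */
static int JsonQuote(const char *s, char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen < 3) return -1;                      /* at least "" and NUL */
    out[n++] = '"';
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        const char *esc = NULL;
        char buf[8];
        switch (c) {
            case '"':  esc = "\\\""; break;
            case '\\': esc = "\\\\"; break;
            case '\n': esc = "\\n";  break;
            case '\r': esc = "\\r";  break;
            case '\t': esc = "\\t";  break;
            default:
                if (c < 0x20) { snprintf(buf, sizeof(buf), "\\u%04x", (unsigned)c); esc = buf; }
        }
        size_t len = esc ? strlen(esc) : 1;
        if (n + len + 2 > outlen) return -1;        /* piece + closing quote + NUL */
        if (esc) memcpy(out + n, esc, len); else out[n] = (char)c;
        n += len;
    }
    out[n++] = '"';
    out[n] = '\0';
    return (int)n;
}

/* Emit the "basic" http record as a single line. Returns the bytes written or
 * -1 when any value does not fit. */
int JsonHttpBasic(const DemoHttpTx *tx, char *out, size_t outlen)
{
    char host[256], url[1024], ua[1024], ctype[256];
    if (JsonQuote(tx->request_hostname ? tx->request_hostname : "", host, sizeof(host)) < 0 ||
        JsonQuote(tx->request_uri ? tx->request_uri : "", url, sizeof(url)) < 0 ||
        JsonQuote(tx->user_agent ? tx->user_agent : "", ua, sizeof(ua)) < 0 ||
        JsonQuote(tx->response_content_type ? tx->response_content_type : "", ctype, sizeof(ctype)) < 0)
        return -1;
    int n = snprintf(out, outlen,
        "{\"hostname\":%s,\"http_port\":%d,\"url\":%s,\"http_user_agent\":%s,\"http_content_type\":%s}",
        host, tx->request_port_number, url, ua, ctype);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return n;
}

/* Constructed sample transaction whose User-Agent tries to close the record and
 * start a second field. After escaping it is still one string value. */
int DemoEscapedUserAgent(char *out, size_t outlen)
{
    DemoHttpTx tx = {
        "www.example.com", 80, "/index.html",
        "evil\"}\n{\"alert\":\"x",
        "text/html"
    };
    return JsonHttpBasic(&tx, out, outlen);
}

int main(void)
{
    char line[4096];
    if (DemoEscapedUserAgent(line, sizeof(line)) > 0)
        puts(line);
    return 0;
}
```

`JsonQuote` reports truncation instead of silently cutting a value, because a cut string can drop the closing quote and corrupt the record; the caller decides whether to drop the field or the whole event.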
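The output.c excerpt above keeps every registered logger in an intrusive `TAILQ` list of `OutputModule` entries, with `OutputRegisterTxSubModule` filling in `-1` for both log-progress values. The block below is an added, self-contained demonstration of that registry, not Suricata's code: the tail-queue macros are written out in BSD style so the example compiles without `<sys/queue.h>`, `OutputModule` is cut down to the fields the demo needs, and `OutputRegisterTxSubModuleDemo`, `OutputFindByConfName`, `OutputModuleCount`, `OutputModuleListFree` and the `ALPROTO_*` values are assumptions. The duplicate `conf_name` check is an addition of the example, made so that two loggers cannot silently claim the same configuration key.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal BSD-style tail-queue macros, spelled out here so the example is
 * self-contained; Suricata uses the system <sys/queue.h> definitions. */
#define TAILQ_HEAD(name, type) \
    struct name { struct type *tqh_first; struct type **tqh_last; }
#define TAILQ_ENTRY(type) \
    struct { struct type *tqe_next; struct type **tqe_prev; }
#define TAILQ_INIT(head) do { \
    (head)->tqh_first = NULL; (head)->tqh_last = &(head)->tqh_first; } while (0)
#define TAILQ_INSERT_TAIL(head, elm, field) do { \
    (elm)->field.tqe_next = NULL; \
    (elm)->field.tqe_prev = (head)->tqh_last; \
    *(head)->tqh_last = (elm); \
    (head)->tqh_last = &(elm)->field.tqe_next; } while (0)
#define TAILQ_FOREACH(var, head, field) \
    for ((var) = (head)->tqh_first; (var) != NULL; (var) = (var)->field.tqe_next)

typedef int LoggerId;
enum { ALPROTO_UNKNOWN = 0, ALPROTO_HTTP = 1, ALPROTO_DNS = 2 };   /* assumed values */

/* Reduced OutputModule: only the fields this demo touches. */
typedef struct OutputModule_ {
    LoggerId logger_id;
    const char *name;
    const char *conf_name;
    const char *parent_name;
    int alproto;
    int tc_log_progress;
    int ts_log_progress;
    TAILQ_ENTRY(OutputModule_) entries;      /* previous/next links */
} OutputModule;

/* Head struct named OutputModuleList_, linking OutputModule_ elements. */
typedef TAILQ_HEAD(OutputModuleList_, OutputModule_) OutputModuleList;

/* Find a module by its configuration key, e.g. "eve-log.http". */
OutputModule *OutputFindByConfName(OutputModuleList *list, const char *conf_name)
{
    OutputModule *m;
    TAILQ_FOREACH(m, list, entries) {
        if (strcmp(m->conf_name, conf_name) == 0) return m;
    }
    return NULL;
}

/* Register a tx sub-module the way OutputRegisterTxSubModule feeds the wrapper:
 * tc/ts log progress are -1, meaning "log when the transaction completes".
 * Returns 0 on success, -1 on a duplicate conf_name or allocation failure. */
int OutputRegisterTxSubModuleDemo(OutputModuleList *list, LoggerId id,
        const char *parent_name, const char *name, const char *conf_name, int alproto)
{
    if (OutputFindByConfName(list, conf_name) != NULL) return -1;
    OutputModule *m = calloc(1, sizeof(*m));
    if (m == NULL) return -1;
    m->logger_id = id;
    m->name = name;
    m->conf_name = conf_name;
    m->parent_name = parent_name;
    m->alproto = alproto;
    m->tc_log_progress = -1;
    m->ts_log_progress = -1;
    TAILQ_INSERT_TAIL(list, m, entries);
    return 0;
}

size_t OutputModuleCount(OutputModuleList *list)
{
    size_t n = 0;
    OutputModule *m;
    TAILQ_FOREACH(m, list, entries) n++;
    return n;
}

/* Release every entry; the next pointer is saved before the node is freed. */
void OutputModuleListFree(OutputModuleList *list)
{
    OutputModule *m = list->tqh_first;
    while (m != NULL) {
        OutputModule *next = m->entries.tqe_next;
        free(m);
        m = next;
    }
    TAILQ_INIT(list);
}

/* Registers two eve-log children plus one duplicate; returns 1 when the list
 * ends up exactly as expected. */
int DemoOutputRegistry(void)
{
    OutputModuleList list;
    TAILQ_INIT(&list);
    int ok = 1;
    ok &= OutputRegisterTxSubModuleDemo(&list, 1, "eve-log", "JsonHttpLog", "eve-log.http", ALPROTO_HTTP) == 0;
    ok &= OutputRegisterTxSubModuleDemo(&list, 2, "eve-log", "JsonDnsLog", "eve-log.dns", ALPROTO_DNS) == 0;
    ok &= OutputRegisterTxSubModuleDemo(&list, 3, "eve-log", "JsonHttpLog", "eve-log.http", ALPROTO_HTTP) == -1;
    OutputModule *http = OutputFindByConfName(&list, "eve-log.http");
    ok &= http != NULL && http->alproto == ALPROTO_HTTP && http->tc_log_progress == -1;
    ok &= OutputFindByConfName(&list, "eve-log.tls") == NULL;
    ok &= OutputModuleCount(&list) == 2;
    OutputModuleListFree(&list);
    ok &= OutputModuleCount(&list) == 0;
    return ok;
}

int main(void)
{
    printf("output registry behaves as expected: %d\n", DemoOutputRegistry());
    return 0;
}
```

Because the queue is intrusive (the links live inside `OutputModule`), registration costs one allocation and no per-node wrapper, and `tqh_last` pointing at the last node's `tqe_next` field is what makes `TAILQ_INSERT_TAIL` constant time.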