From 0d47ea1fa23771ea80330afce970b57dd7a4c407 Mon Sep 17 00:00:00 2001 From: liuxueli Date: Thu, 2 Jun 2022 16:57:11 +0800 Subject: [PATCH] =?UTF-8?q?TSG-10533:=20=E5=A2=9E=E5=8A=A0=E6=97=A5?= =?UTF-8?q?=E5=BF=97=E5=85=AC=E5=85=B1=E5=AD=97=E6=AE=B5common=5Fapp=5Fide?= =?UTF-8?q?ntify=5Finfo=EF=BC=8C=E7=94=A8=E4=BA=8E=E5=B1=95=E7=A4=BAAPP?= =?UTF-8?q?=E8=AF=86=E5=88=AB=E7=9A=84=E8=BF=87=E7=A8=8B?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- bin/tsg_log_field.conf | 1 + src/tsg_entry.cpp | 87 ++-- src/tsg_entry.h | 892 ++++++++++++++++++------------------ src/tsg_send_log.cpp | 185 +++++--- src/tsg_send_log_internal.h | 1 + 5 files changed, 627 insertions(+), 539 deletions(-) diff --git a/bin/tsg_log_field.conf b/bin/tsg_log_field.conf index bf3f6a0..e77f082 100644 --- a/bin/tsg_log_field.conf +++ b/bin/tsg_log_field.conf @@ -109,3 +109,4 @@ STRING l2tp_version 97 STRING common_packet_capture_file 98 STRING common_app_behavior 99 STRING http_url 100 +STRING common_app_identify_info 101 diff --git a/src/tsg_entry.cpp b/src/tsg_entry.cpp index d62e7e6..5aab3ad 100644 --- a/src/tsg_entry.cpp +++ b/src/tsg_entry.cpp @@ -494,6 +494,23 @@ static int get_default_policy(int compile_id, struct Maat_rule_t *result) return 0; } +static int get_packet_sequence(const struct streaminfo *a_stream) +{ + unsigned int packet_sequence=0; + unsigned long long value=0; + int value_len=sizeof(unsigned long long); + + value=0; + MESA_get_stream_opt(a_stream, MSO_TOTAL_INBOUND_PKT, (void *)&value, &value_len); + packet_sequence+=(unsigned int)value; + + value=0; + MESA_get_stream_opt(a_stream, MSO_TOTAL_OUTBOUND_PKT, (void *)&value, &value_len); + packet_sequence+=(unsigned int)value; + + return packet_sequence; +} + static int is_do_default_policy(const struct streaminfo *a_stream, int after_n_packets) { if(after_n_packets<=0 || a_stream->pdetail==NULL) 
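Review bot: In `get_packet_sequence` both `MESA_get_stream_opt` calls ignore their return value and share one `value_len` that is never reset, so a failed read cannot be told apart from a stream with zero packets. If the API treats the length as in/out (its contract is not visible in this patch), the second call should start again from `value_len=sizeof(value);`. The helper sums into `unsigned int` but is declared to return `int`, while the field it feeds, `app_attributes.packet_sequence`, is `unsigned int`; declaring it `static unsigned int get_packet_sequence(const struct streaminfo *a_stream)` keeps the logged packet number out of a signed type.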
@@ -935,6 +952,26 @@ static void copy_bypass_result(const struct streaminfo *a_stream, struct master_ return ; } +int copy_app_result(struct gather_app_result *gather_result, struct app_identify_result *identify_result, int packet_sequence) +{ + int i=0; + for(i=0; (i < identify_result->app_id_num) && iapp_num < MAX_APP_ID_NUM); i++) + { + if(gather_result->attributes[i].app_id==identify_result->app_id[i] && gather_result->attributes[i].surrogate_id==identify_result->surrogate_id[i]) + { + continue; + } + + gather_result->origin=identify_result->origin; + gather_result->attributes[i].app_id=identify_result->app_id[i]; + gather_result->attributes[i].surrogate_id=identify_result->surrogate_id[i]; + gather_result->attributes[i].packet_sequence=packet_sequence; + gather_result->app_num++; + } + + return 0; +} + static int l7_protocol_mapper(const char *filename) { int ret=0; 
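Review bot: `copy_app_result` runs `gather_result->app_num++` every time slot `i` differs from the incoming value, so the field counts changes across callbacks rather than filled entries. A later result for the same origin that changes one id overwrites `attributes[i]` in place yet still raises `app_num`, and the readers that loop `i<app_num` (`scan_application_id_and_properties`, `get_app_id_list`) then walk slots that were never written. Deriving the count from the index after the loop, `if(i>gather_result->app_num) { gather_result->app_num=i; }`, keeps it equal to the filled prefix. The loop condition is damaged in this rendering; whatever it was, the write index itself needs the bound `i<MAX_APP_ID_NUM`, because `attributes[]` has exactly `MAX_APP_ID_NUM` elements and `identify_result->app_id_num` appears to arrive from the identifying plugin through the bridge callback. The function is also non-static with no prototype in `tsg_entry.h`, unlike the helpers around it.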
@@ -1095,16 +1132,18 @@ static int set_l7_protocol_label(const struct streaminfo *a_stream, tsg_protocol return 0; } - gather_result=(struct gather_app_result *)dictator_malloc(a_stream->threadnum, sizeof(struct gather_app_result)); - memset(gather_result, 0, sizeof(struct gather_app_result)); + gather_result=(struct gather_app_result *)dictator_malloc(a_stream->threadnum, sizeof(struct gather_app_result)*ORIGIN_MAX); + memset(gather_result, 0, sizeof(struct gather_app_result)*ORIGIN_MAX); set_struct_project(a_stream, g_tsg_para.gather_app_project_id, (void *)gather_result); int app_id=tsg_l7_protocol_name2id(g_tsg_proto_name2id[protocol].name); if(app_id>0) { - gather_result->result[ORIGIN_BASIC_PROTOCOL].app_id_num=1; - gather_result->result[ORIGIN_BASIC_PROTOCOL].app_id[0]=app_id; - gather_result->result[ORIGIN_BASIC_PROTOCOL].origin=ORIGIN_BASIC_PROTOCOL; + gather_result[ORIGIN_BASIC_PROTOCOL].app_num=1; + gather_result[ORIGIN_BASIC_PROTOCOL].origin=ORIGIN_BASIC_PROTOCOL; + gather_result[ORIGIN_BASIC_PROTOCOL].attributes[0].app_id=app_id; + gather_result[ORIGIN_BASIC_PROTOCOL].attributes[0].surrogate_id=0; + gather_result[ORIGIN_BASIC_PROTOCOL].attributes[0].packet_sequence=get_packet_sequence(a_stream); } return 0; @@ -1509,9 +1548,8 @@ static int identify_application_protocol(const struct streaminfo *a_stream, stru if(sip_ret==SIP_TRUE) { context->proto=PROTO_SIP; - } - - return 1; + return 1; + } } if(g_tsg_para.proto_flag&(1<app_id_num; i++) + for(i=0; i< identify_result->app_num; i++) { - snprintf(app_id_buff, sizeof(app_id_buff), "%d", identify_result->app_id[i]); + snprintf(app_id_buff, sizeof(app_id_buff), "%d", identify_result->attributes[i].app_id); dict=(struct app_id_dict *)Maat_plugin_get_EX_data(g_tsg_maat_feather, g_tsg_para.table_id[TABLE_APP_ID_DICT], (const char *)app_id_buff); if(dict!=NULL) { 
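Review bot: The pointer returned by `dictator_malloc` in `set_l7_protocol_label` goes straight into `memset` and is then indexed as `gather_result[ORIGIN_BASIC_PROTOCOL]` with no NULL check; the `app_identify_result_cb` hunk at `-1728,10` has the same pattern. The block is now `ORIGIN_MAX` times larger and allocated per stream, so if `dictator_malloc` can return NULL (its contract is not visible here) an allocation failure under load becomes a NULL write in the packet path. A guard such as `if(gather_result==NULL) { return 0; }` before the `memset` would cover both sites. The project slot now holds an array rather than a single struct, so the free callback registered for `gather_app_project_id` and any reader this patch does not touch should be checked against the new layout; the function body continues outside the hunk.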
@@ -1559,7 +1597,7 @@ int scan_application_id_and_properties(const struct streaminfo *a_stream, struct hit_num+=tsg_scan_app_properties_policy(g_tsg_maat_feather, a_stream, result+hit_num, result_num-hit_num, &(context->mid), dict->subcategroy, (char *)"subcategory", thread_seq); hit_num+=tsg_scan_app_properties_policy(g_tsg_maat_feather, a_stream, result+hit_num, result_num-hit_num, &(context->mid), dict->characteristics, (char *)"characteristics", thread_seq); - hit_num+=tsg_scan_app_id_policy(g_tsg_maat_feather, a_stream, result+hit_num, result_num-hit_num, &(context->mid), dict->app_name, identify_result->app_id[i], thread_seq); + hit_num+=tsg_scan_app_id_policy(g_tsg_maat_feather, a_stream, result+hit_num, result_num-hit_num, &(context->mid), dict->app_name, identify_result->attributes[i].app_id, thread_seq); after_n_packets=dict->deny_app_para.after_n_packets; set_app_timeout(a_stream, dict, &(context->timeout)); @@ -1567,22 +1605,22 @@ int scan_application_id_and_properties(const struct streaminfo *a_stream, struct } else { - name=tsg_l7_protocol_id2name(identify_result->app_id[i]); - hit_num+=tsg_scan_app_id_policy(g_tsg_maat_feather, a_stream, result+hit_num, result_num-hit_num, &(context->mid), ((name==NULL) ? (char *)"" : name), identify_result->app_id[i], thread_seq); + name=tsg_l7_protocol_id2name(identify_result->attributes[i].app_id); + hit_num+=tsg_scan_app_id_policy(g_tsg_maat_feather, a_stream, result+hit_num, result_num-hit_num, &(context->mid), ((name==NULL) ? (char *)"" : name), identify_result->attributes[i].app_id, thread_seq); } p_result=tsg_fetch_deny_rule(result, hit_num); if(d_result==NULL) { d_result=p_result; - hited_app_id=identify_result->app_id[i]; + hited_app_id=identify_result->attributes[i].app_id; continue; } if(d_result->config_id!=p_result->config_id) { d_result=p_result; - hited_app_id=identify_result->app_id[i]; + hited_app_id=identify_result->attributes[i].app_id; } } 
@@ -1590,7 +1628,7 @@ int scan_application_id_and_properties(const struct streaminfo *a_stream, struct { if(identify_result->origin!=ORIGIN_BASIC_PROTOCOL) { - context->hited_app_id=hited_app_id; + context->hited_app_id=hited_app_id; } context->hited_para.hited_app_id=hited_app_id; @@ -1728,10 +1766,9 @@ static int app_identify_result_cb(const struct streaminfo *a_stream, int bridge_ gather_result=(struct gather_app_result *)get_struct_project(a_stream, g_tsg_para.gather_app_project_id); if(gather_result==NULL) { - gather_result=(struct gather_app_result *)dictator_malloc(a_stream->threadnum, sizeof(struct gather_app_result)); - memset(gather_result, 0, sizeof(struct gather_app_result)); + gather_result=(struct gather_app_result *)dictator_malloc(a_stream->threadnum, sizeof(struct gather_app_result)*ORIGIN_MAX); + memset(gather_result, 0, sizeof(struct gather_app_result)*ORIGIN_MAX); set_struct_project(a_stream, g_tsg_para.gather_app_project_id, (void *)gather_result); - gather_result->origin=ORIGIN_MAX; } switch(identify_result->origin) @@ -1777,9 +1814,7 @@ static int app_identify_result_cb(const struct streaminfo *a_stream, int bridge_ return 0; } - gather_result->origin=identify_result->origin; - - memcpy(&(gather_result->result[identify_result->origin]), identify_result, sizeof(struct app_identify_result)); + copy_app_result(&(gather_result[identify_result->origin]), identify_result, get_packet_sequence(a_stream)); if(context->mid==NULL) { 
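Review bot: `gather_result[identify_result->origin]` in the `-1777,9` hunk indexes a heap array of `ORIGIN_MAX` elements with a value taken from the callback payload, and the same expression is handed to `scan_application_id_and_properties` in the next hunk. The `switch(identify_result->origin)` ahead of it lies outside the hunk, so it cannot be confirmed from here that out-of-range values return early; if they do not, add `if(identify_result->origin<0 || identify_result->origin>=ORIGIN_MAX) { return 0; }` before the call. The return value of `copy_app_result` is discarded, which is only harmless while that function always returns 0.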
@@ -1787,7 +1822,7 @@ static int app_identify_result_cb(const struct streaminfo *a_stream, int bridge_ } record_time_start(&(context->last_scan_time)); - hit_num=scan_application_id_and_properties((struct streaminfo *)a_stream, scan_result, MAX_RESULT_NUM, context, identify_result, a_stream->threadnum); + hit_num=scan_application_id_and_properties((struct streaminfo *)a_stream, scan_result, MAX_RESULT_NUM, context, &(gather_result[identify_result->origin]), a_stream->threadnum); p_result=tsg_policy_decision_criteria(scan_result, hit_num); if(p_result==NULL || (p_result->action==TSG_ACTION_MONITOR && is_parent_ssl==1)) { @@ -1843,7 +1878,7 @@ static int deal_pending_state(const struct streaminfo *a_stream, struct master_c gather_result=(struct gather_app_result *)get_struct_project(a_stream, g_tsg_para.gather_app_project_id); for(i=0; iresult[i]), a_stream->threadnum); + hit_num+=scan_application_id_and_properties(a_stream, result+hit_num, MAX_RESULT_NUM-hit_num, context, &(gather_result[i]), a_stream->threadnum); } @@ -1941,7 +1976,7 @@ static unsigned char tsg_master_data_entry(const struct streaminfo *a_stream, vo gather_result=(struct gather_app_result *)get_struct_project(a_stream, g_tsg_para.gather_app_project_id); for(i=0; iresult[i]), thread_seq); + hit_num+=scan_application_id_and_properties(a_stream, scan_result+hit_num, MAX_RESULT_NUM-hit_num, context, &(gather_result[i]), thread_seq); } p_result=tsg_policy_decision_criteria(scan_result, hit_num); diff --git a/src/tsg_entry.h b/src/tsg_entry.h index 9ac1276..f94f989 100644 --- a/src/tsg_entry.h +++ b/src/tsg_entry.h 
@@ -1,442 +1,450 @@ -#ifndef __TSG_ENTRY_H__ -#define __TSG_ENTRY_H__ - -#include -#include -#include - -#include - -#include -#include -#include - -#include "uthash.h" -#include "tsg_rule.h" -#include "app_label.h" -#include "tsg_label.h" -#include "tsg_statistic.h" -#include "tsg_leaky_bucket.h" -#include "tsg_protocol_common.h" -#include "tsg_send_log_internal.h" - -#if(__GNUC__ * 100 + __GNUC_MINOR__ * 10 + __GNUC_PATCHLEVEL__ >= 411) -#define atomic_inc(x) __sync_add_and_fetch((x),1) -#define atomic_dec(x) __sync_sub_and_fetch((x),1) -#define atomic_add(x,y) __sync_add_and_fetch((x),(y)) -#define atomic_sub(x,y) __sync_sub_and_fetch((x),(y)) -typedef int atomic_t; -#define ATOMIC_INIT(i) { (i) } -#define atomic_read(x) __sync_add_and_fetch((x),0) -#define atomic_set(x,y) __sync_lock_test_and_set((x),y) -#else -#include -#endif - -#ifndef MIN -#define MIN(a, b) (((a) < (b)) ? (a) : (b)) -#endif - -#ifndef PRINTADDR -#define PRINTADDR(a, b) ((b)addr), a->threadnum) : "") -#endif - -#ifndef FLAG_FALSE -#define FLAG_FALSE 0 -#endif - -#ifndef FLAG_TRUE -#define FLAG_TRUE 1 -#endif - -#define APP_SCAN_FLAG_STOP 0 -#define APP_SCAN_FLAG_CONTINUE 1 - -enum DEPLOY_MODE -{ - DEPLOY_MODE_MIRROR, - DEPLOY_MODE_INLINE, - DEPLOY_MODE_TRANSPARENT, - DEPLOY_MODE_MAX -}; - -enum MASTER_TABLE{ - TABLE_SECURITY_COMPILE=0, - TABLE_IP_ADDR, - TABLE_SUBSCRIBER_ID, - TABLE_APP_ID, - TABLE_HTTP_HOST, - TABLE_SSL_SNI, - TABLE_EXCLUSION_SSL_SNI, - TABLE_SRC_ASN, - TABLE_DST_ASN, - TABLE_SRC_LOCATION, - TABLE_DST_LOCATION, - TABLE_ASN_USER_DEFINED, - TABLE_ASN_BUILT_IN, - TABLE_LOCATION_USER_DEFINED, - TABLE_LOCATION_BUILT_IN, - TABLE_QUIC_SNI, - TABLE_FQDN_CAT_ID, - TABLE_FQDN_CAT_USER_DEFINED, - TABLE_FQDN_CAT_BUILT_IN, - TABLE_APP_ID_DICT, - TABLE_SELECTOR_ID, - TABLE_SELECTOR_PROPERTIES, - TABLE_GTP_APN, - TABLE_GTP_IMSI, - TABLE_GTP_PHONE_NUMBER, - TABLE_RESPONSE_PAGES, - TABLE_DNS_PROFILE_RECORD, - TABLE_PROFILE_MIRROR, - TABLE_HTTP_URL, - TABLE_MAX -}; - -enum TSG_FS2_TYPE{ - 
TSG_FS2_TCP_LINKS=0, - TSG_FS2_UDP_LINKS, - TSG_FS2_BYPASS, - TSG_FS2_HIT_ADDR, - TSG_FS2_HIT_SHARE, - TSG_FS2_INTERCEPT, - TSG_FS2_EXCLUSION, - TSG_FS2_APP_DPKT_RESULT, - TSG_FS2_APP_Q_RESULT, - TSG_FS2_APP_USER_RESULT, - TSG_FS2_APP_BUILT_IN_RESULT, - TSG_FS2_INJECT_PKT_SUCCESS, - TSG_FS2_INJECT_PKT_FAILED, - TSG_FS2_MIRRORED_PKT_SUCCESS, - TSG_FS2_MIRRORED_BYTE_SUCCESS, - TSG_FS2_MIRRORED_PKT_FAILED, - TSG_FS2_MIRRORED_BYTE_FAILED, - TSG_FS2_SET_TIMOUT_SUCCESS, - TSG_FS2_SET_TIMOUT_FAILED, - TSG_FS2_SUCESS_TAMPER, - TSG_FS2_TAMPER_FAILED_PLOAD_LESS_4, - TSG_FS2_TAMPER_FAILED_NOSWAP, - TSG_FS2_MAX -}; - -enum TSG_ATTRIBUTE_TYPE -{ - TSG_ATTRIBUTE_TYPE_ESTABLISH_LATECY=0, - TSG_ATTRIBUTE_TYPE_PROTOCOL, - TSG_ATTRIBUTE_TYPE_JA3_HASH, - TSG_ATTRIBUTE_TYPE_MLTS_USER_INFO, - TSG_ATTRIBUTE_TYPE_LOCATION, - TSG_ATTRIBUTE_TYPE_ASN, - TSG_ATTRIBUTE_TYPE_SUBSCRIBER_ID, - TSG_ATTRIBUTE_TYPE_HTTP_ACTION_FILESIZE, - TSG_ATTRIBUTE_TYPE_CATEGORY_ID, - _MAX_TSG_ATTRIBUTE_TYPE -}; - -enum HTTP_RESPONSE_FORMAT -{ - HTTP_RESPONSE_FORMAT_TEMPLATE=0, - HTTP_RESPONSE_FORMAT_HTML -}; - -enum BRIDGE_TYPE -{ - BRIDGE_TYPE_SEND_CONN_SKETCH_DATA=0, - BRIDGE_TYPE_RECV_CONN_SKETCH_DATA, - BRIDGE_TYPE_CONN_SKETCH_EXEC_RESULT, - BRIDGE_TYPE_APP_IDENTIFY_RESULT, - BRIDGE_TYPE_APP_BEHAVIOR_RESULT, - BRIDGE_TYPE_MAX -}; - -struct _str2index -{ - int index; - int len; - char *type; -}; - -struct gather_app_result -{ - enum APP_IDENTIFY_ORIGIN origin; - struct app_identify_result result[ORIGIN_MAX]; -}; - -struct l7_protocol -{ - int id; /* first key */ - char name[32]; /* second key */ - UT_hash_handle hh1; /* handle for first hash table */ - UT_hash_handle hh2; /* handle for second hash table */ -}; - -struct fqdn_category -{ - int ref_cnt; - unsigned int category_id; -}; - -struct http_response_pages -{ - int profile_id; - int content_len; - int ref_cnt; - enum HTTP_RESPONSE_FORMAT format; - char *content; -}; - -struct app_id_dict -{ - int ref_cnt; - int app_id; - int parent_app_id; - int 
continue_scanning; - unsigned short tcp_timeout; - unsigned short udp_timeout; - int tcp_time_wait; - int tcp_half_close; - char *risk; - char *app_name; - char *parent_app_name; - char *category; - char *subcategroy; - char *technology; - char *characteristics; - struct deny_user_region deny_app_para; -}; - -struct hited_app_para -{ - int hited_app_id; - int after_n_packets; -}; - -struct master_context -{ - unsigned char is_esni; - unsigned char is_log; - unsigned char is_dropme; - unsigned char deal_pkt_num; - unsigned char is_app_link; - unsigned char pad; - unsigned short timeout; - tsg_protocol_t proto; - int hit_cnt; - int hited_app_id; - unsigned int quic_version; - char *domain; - union - { - char *http_url; - char *quic_ua; - void *para; - }; - scan_status_t mid; - struct Maat_rule_t *result; - struct hited_app_para hited_para; - struct timespec last_scan_time; -}; - -struct tcpall_context -{ - int set_latency_flag; - enum TSG_METHOD_TYPE method_type; - union - { - struct leaky_bucket *bucket; - long tamper_count; - int after_n_packets; - struct hited_app_para hited_para; - void *para; - }; -}; - -struct reset_argv -{ - int pkt_num; - int seed1; - int seed2; - int th_flags; - int dir; - int remedy; -}; - -#define _MAX_TABLE_NAME_LEN 64 -typedef struct tsg_para -{ - int level; - short mirror_switch; - unsigned short timeout; - int dynamic_maat_switch; - int location_field_num; - int app_dict_field_num; - int device_seq_in_dc; - int datacenter_id; - int hash_timeout; - int hash_slot_size; - int feature_tamper; - enum DEPLOY_MODE deploy_mode; - int scan_time_interval; - int identify_app_max_pkt_num; - int unknown_app_id; - int hit_path_switch; - int default_compile_id; - int table_id[TABLE_MAX]; - int dyn_subscribe_ip_table_id; //TSG_DYN_SUBSCRIBER_IP - int priority_project_id; - int session_attribute_project_id; - int context_project_id; - int tcpall_project_id; - int gather_app_project_id; - int bridge_id[BRIDGE_TYPE_MAX]; - int proto_flag; 
//tsg_protocol_t - int fs2_field_id[TSG_FS2_MAX]; - char device_sn[MAX_DOMAIN_LEN/8]; - char log_path[MAX_DOMAIN_LEN/8]; - char device_id_command[MAX_DOMAIN_LEN/8]; - char data_center[_MAX_TABLE_NAME_LEN]; - char device_tag[MAX_DOMAIN_LEN/2]; - char table_name[TABLE_MAX][_MAX_TABLE_NAME_LEN]; - char bridge_name[BRIDGE_TYPE_MAX][_MAX_TABLE_NAME_LEN]; - void *logger; - void *maat_logger; - struct reset_argv reset; - struct mirrored_vlan default_vlan; - screen_stat_handle_t fs2_handle; - struct l7_protocol *name_by_id; - struct l7_protocol *id_by_name; - struct traffic_mirror *mirror_handle; - ctemplate::Template *tpl_403,*tpl_404; - ctemplate::Template *tpl_200,*tpl_204; - ctemplate::Template *tpl_303; -}g_tsg_para_t; - -extern g_tsg_para_t g_tsg_para; -extern Maat_feather_t g_tsg_dynamic_maat_feather; -extern id2field_t g_tsg_proto_name2id[PROTO_MAX]; - -typedef enum tsg_statis_field_id -{ - STATIS_UNKNOWN=0, - STATIS_ENTRANCE_ID=1, - STATIS_TOTAL_CON_NUM, - STATIS_NEW_CON_NUM, - STATIS_ESTABLISHED_CON_NUM, - STATIS_CLOSE_CON_NUM, - STATIS_TOTAL_IN_BYTES, - STATIS_TOTAL_OUT_BYTES, - STATIS_TOTAL_IN_PACKETS, - STATIS_TOTAL_OUT_PACKETS, - STATIS_DEFAULT_CON_NUM, - STATIS_DEFAULT_IN_BYTES, - STATIS_DEFAULT_OUT_BYTES, - STATIS_DEFAULT_IN_PACKETS, - STATIS_DEFAULT_OUT_PACKETS, - STATIS_ALLOW_CON_NUM, - STATIS_ALLOW_IN_BYTES, - STATIS_ALLOW_OUT_BYTES, - STATIS_ALLOW_IN_PACKETS, - STATIS_ALLOW_OUT_PACKETS, - STATIS_DENY_CON_NUM, - STATIS_DENY_IN_BYTES, - STATIS_DENY_OUT_BYTES, - STATIS_DENY_IN_PACKETS, - STATIS_DENY_OUT_PACKETS, - STATIS_MONITOR_CON_NUM, - STATIS_MONITOR_IN_BYTES, - STATIS_MONITOR_OUT_BYTES, - STATIS_MONITOR_IN_PACKETS, - STATIS_MONITOR_OUT_PACKETS, - STATIS_INTERCEPT_CON_NUM, - STATIS_INTERCEPT_IN_BYTES, - STATIS_INTERCEPT_OUT_BYTES, - STATIS_INTERCEPT_IN_PACKETS, - STATIS_INTERCEPT_OUT_PACKETS, - STATIS_IPV4_IN_BYTES, - STATIS_IPV4_OUT_BYTES, - STATIS_IPV4_IN_PACKETS, - STATIS_IPV4_OUT_PACKETS, - STATIS_IPV6_IN_BYTES, - STATIS_IPV6_OUT_BYTES, - 
STATIS_IPV6_IN_PACKETS, - STATIS_IPV6_OUT_PACKETS, - STATIS_TCP_NEW_CON_NUM, - STATIS_TCP_IN_BYTES, - STATIS_TCP_OUT_BYTES, - STATIS_TCP_IN_PACKETS, - STATIS_TCP_OUT_PACKETS, - STATIS_UDP_NEW_CON_NUM, - STATIS_UDP_IN_BYTES, - STATIS_UDP_OUT_BYTES, - STATIS_UDP_IN_PACKETS, - STATIS_UDP_OUT_PACKETS, - STATIS_ALERT_BYTES, - STATIS_BLOCK_BYTES, - STATIS_PINNING_NUM, - STATIS_MAYBE_PINNING_NUM, - STATIS_NOT_PINNING_NUM, - STATIS_MAX -}tsg_statis_field_id_t; - -enum TRAFFIC_INFO_IDX -{ - TRAFFIC_INFO_ALLOW=0, - TRAFFIC_INFO_DENY, - TRAFFIC_INFO_MONITOR, - TRAFFIC_INFO_INTERCEPT, - TRAFFIC_INFO_MAX -}; - -typedef struct tsg_statistic -{ - int cycle; - int fs_line_id; - int thread_alive; - pthread_t stat_thread_id; - int fs_field_id[STATIS_MAX]; - long long statistic_opt[_OPT_TYPE_MAX]; - struct _traffic_info *traffic_info[TSG_ACTION_MAX+1]; - struct _traffic_info default_total_info; - screen_stat_handle_t fs2_handle; -}tsg_statis_para_t; - -int tsg_statistic_init(const char *conffile, void *logger); -void tsg_statistic_destroy(void); - -int tsg_gtp_signaling_hash_init(const char* conffile, void *logger); - -int set_struct_project(const struct streaminfo *a_stream, int project_id, void *data); -const void *get_struct_project(const struct streaminfo *a_stream, int project_id); - - -//parent_app_name.app_name -int tsg_app_id2name(int app_id, char *app_name, int app_name_len, int is_joint_parent); - -//return 18 or 19: subdivision_addr -int tsg_get_location_type(void); -void location_free_data(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp); -void ASN_number_free(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp); -void subscriber_id_free(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp); -void app_id_dict_free(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp); -void http_response_pages_free(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp); -void dns_profile_records_free(int table_id, MAAT_PLUGIN_EX_DATA* ad, long 
argl, void *argp); -void set_session_attribute_label(const struct streaminfo *a_stream, enum TSG_ATTRIBUTE_TYPE type, void *value, int value_len, int thread_seq); -int tsg_set_method_to_tcpall(const struct streaminfo *a_stream, struct tcpall_context **context, enum TSG_METHOD_TYPE method_type, int thread_seq); -int tsg_set_bucket_to_tcpall(const struct streaminfo *a_stream, struct tcpall_context **context, struct leaky_bucket *bucket, int thread_seq); -void security_compile_free(int idx, const struct Maat_rule_t* rule, const char* srv_def_large, MAAT_RULE_EX_DATA* ad, long argl, void *argp); - -struct Maat_rule_t *tsg_policy_decision_criteria(struct streaminfo *a_stream, Maat_rule_t *result, int result_num, int thread_seq); -int tsg_scan_addr(Maat_feather_t maat_feather, const struct streaminfo *a_stream, tsg_protocol_t proto, scan_status_t *mid, Maat_rule_t*result, int result_num); -int tsg_scan_shared_policy(Maat_feather_t maat_feather, const struct streaminfo *a_stream, char *domain, Maat_rule_t *result, int result_num, scan_status_t *mid, int table_id, int thread_seq); -int tsg_scan_app_properties_policy(Maat_feather_t maat_feather, const struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, scan_status_t *mid, char *property, char *district, int thread_seq); -int tsg_scan_subscribe_id_policy(Maat_feather_t maat_feather, const struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, scan_status_t *mid, struct subscribe_id_info *user_info, int thread_seq); -int tsg_get_umts_user_info(const struct streaminfo *a_stream, struct umts_user_info **user_info); -int tsg_scan_gtp_apn_policy(Maat_feather_t maat_feather, const struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, scan_status_t *mid, char *apn, int thread_seq); -int tsg_scan_gtp_imsi_policy(Maat_feather_t maat_feather, const struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, scan_status_t *mid, char *imsi, int thread_seq); -int 
tsg_scan_gtp_phone_number_policy(Maat_feather_t maat_feather, const struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, scan_status_t *mid, char *phone_number, int thread_seq); -int tsg_get_ip_location(const struct streaminfo *a_stream, int table_id, MAAT_PLUGIN_EX_DATA *client_location, MAAT_PLUGIN_EX_DATA *server_location); -int tsg_get_ip_asn(const struct streaminfo *a_stream, int table_id, MAAT_PLUGIN_EX_DATA* client_asn, MAAT_PLUGIN_EX_DATA* server_asn); -int tsg_get_subscribe_id(const struct streaminfo *a_stream, struct subscribe_id_info **source_subscribe_id, struct subscribe_id_info **dest_subscribe_id); -int tsg_send_raw_packet(const struct streaminfo *a_stream, struct mirrored_vlan *vlan, int vlan_num, int thread_seq); - -#endif +#ifndef __TSG_ENTRY_H__ +#define __TSG_ENTRY_H__ + +#include +#include +#include + +#include + +#include +#include +#include + +#include "uthash.h" +#include "tsg_rule.h" +#include "app_label.h" +#include "tsg_label.h" +#include "tsg_statistic.h" +#include "tsg_leaky_bucket.h" +#include "tsg_protocol_common.h" +#include "tsg_send_log_internal.h" + +#if(__GNUC__ * 100 + __GNUC_MINOR__ * 10 + __GNUC_PATCHLEVEL__ >= 411) +#define atomic_inc(x) __sync_add_and_fetch((x),1) +#define atomic_dec(x) __sync_sub_and_fetch((x),1) +#define atomic_add(x,y) __sync_add_and_fetch((x),(y)) +#define atomic_sub(x,y) __sync_sub_and_fetch((x),(y)) +typedef int atomic_t; +#define ATOMIC_INIT(i) { (i) } +#define atomic_read(x) __sync_add_and_fetch((x),0) +#define atomic_set(x,y) __sync_lock_test_and_set((x),y) +#else +#include +#endif + +#ifndef MIN +#define MIN(a, b) (((a) < (b)) ? 
(a) : (b)) +#endif + +#ifndef PRINTADDR +#define PRINTADDR(a, b) ((b)addr), a->threadnum) : "") +#endif + +#ifndef FLAG_FALSE +#define FLAG_FALSE 0 +#endif + +#ifndef FLAG_TRUE +#define FLAG_TRUE 1 +#endif + +#define APP_SCAN_FLAG_STOP 0 +#define APP_SCAN_FLAG_CONTINUE 1 + +enum DEPLOY_MODE +{ + DEPLOY_MODE_MIRROR, + DEPLOY_MODE_INLINE, + DEPLOY_MODE_TRANSPARENT, + DEPLOY_MODE_MAX +}; + +enum MASTER_TABLE{ + TABLE_SECURITY_COMPILE=0, + TABLE_IP_ADDR, + TABLE_SUBSCRIBER_ID, + TABLE_APP_ID, + TABLE_HTTP_HOST, + TABLE_SSL_SNI, + TABLE_EXCLUSION_SSL_SNI, + TABLE_SRC_ASN, + TABLE_DST_ASN, + TABLE_SRC_LOCATION, + TABLE_DST_LOCATION, + TABLE_ASN_USER_DEFINED, + TABLE_ASN_BUILT_IN, + TABLE_LOCATION_USER_DEFINED, + TABLE_LOCATION_BUILT_IN, + TABLE_QUIC_SNI, + TABLE_FQDN_CAT_ID, + TABLE_FQDN_CAT_USER_DEFINED, + TABLE_FQDN_CAT_BUILT_IN, + TABLE_APP_ID_DICT, + TABLE_SELECTOR_ID, + TABLE_SELECTOR_PROPERTIES, + TABLE_GTP_APN, + TABLE_GTP_IMSI, + TABLE_GTP_PHONE_NUMBER, + TABLE_RESPONSE_PAGES, + TABLE_DNS_PROFILE_RECORD, + TABLE_PROFILE_MIRROR, + TABLE_HTTP_URL, + TABLE_MAX +}; + +enum TSG_FS2_TYPE{ + TSG_FS2_TCP_LINKS=0, + TSG_FS2_UDP_LINKS, + TSG_FS2_BYPASS, + TSG_FS2_HIT_ADDR, + TSG_FS2_HIT_SHARE, + TSG_FS2_INTERCEPT, + TSG_FS2_EXCLUSION, + TSG_FS2_APP_DPKT_RESULT, + TSG_FS2_APP_Q_RESULT, + TSG_FS2_APP_USER_RESULT, + TSG_FS2_APP_BUILT_IN_RESULT, + TSG_FS2_INJECT_PKT_SUCCESS, + TSG_FS2_INJECT_PKT_FAILED, + TSG_FS2_MIRRORED_PKT_SUCCESS, + TSG_FS2_MIRRORED_BYTE_SUCCESS, + TSG_FS2_MIRRORED_PKT_FAILED, + TSG_FS2_MIRRORED_BYTE_FAILED, + TSG_FS2_SET_TIMOUT_SUCCESS, + TSG_FS2_SET_TIMOUT_FAILED, + TSG_FS2_SUCESS_TAMPER, + TSG_FS2_TAMPER_FAILED_PLOAD_LESS_4, + TSG_FS2_TAMPER_FAILED_NOSWAP, + TSG_FS2_MAX +}; + +enum TSG_ATTRIBUTE_TYPE +{ + TSG_ATTRIBUTE_TYPE_ESTABLISH_LATECY=0, + TSG_ATTRIBUTE_TYPE_PROTOCOL, + TSG_ATTRIBUTE_TYPE_JA3_HASH, + TSG_ATTRIBUTE_TYPE_MLTS_USER_INFO, + TSG_ATTRIBUTE_TYPE_LOCATION, + TSG_ATTRIBUTE_TYPE_ASN, + TSG_ATTRIBUTE_TYPE_SUBSCRIBER_ID, + 
TSG_ATTRIBUTE_TYPE_HTTP_ACTION_FILESIZE, + TSG_ATTRIBUTE_TYPE_CATEGORY_ID, + _MAX_TSG_ATTRIBUTE_TYPE +}; + +enum HTTP_RESPONSE_FORMAT +{ + HTTP_RESPONSE_FORMAT_TEMPLATE=0, + HTTP_RESPONSE_FORMAT_HTML +}; + +enum BRIDGE_TYPE +{ + BRIDGE_TYPE_SEND_CONN_SKETCH_DATA=0, + BRIDGE_TYPE_RECV_CONN_SKETCH_DATA, + BRIDGE_TYPE_CONN_SKETCH_EXEC_RESULT, + BRIDGE_TYPE_APP_IDENTIFY_RESULT, + BRIDGE_TYPE_APP_BEHAVIOR_RESULT, + BRIDGE_TYPE_MAX +}; + +struct _str2index +{ + int index; + int len; + char *type; +}; + +struct app_attributes +{ + unsigned int app_id; + unsigned int surrogate_id; + unsigned int packet_sequence; +}; + +struct gather_app_result +{ + int app_num; + enum APP_IDENTIFY_ORIGIN origin; + struct app_attributes attributes[MAX_APP_ID_NUM]; +}; + +struct l7_protocol +{ + int id; /* first key */ + char name[32]; /* second key */ + UT_hash_handle hh1; /* handle for first hash table */ + UT_hash_handle hh2; /* handle for second hash table */ +}; + +struct fqdn_category +{ + int ref_cnt; + unsigned int category_id; +}; + +struct http_response_pages +{ + int profile_id; + int content_len; + int ref_cnt; + enum HTTP_RESPONSE_FORMAT format; + char *content; +}; + +struct app_id_dict +{ + int ref_cnt; + int app_id; + int parent_app_id; + int continue_scanning; + unsigned short tcp_timeout; + unsigned short udp_timeout; + int tcp_time_wait; + int tcp_half_close; + char *risk; + char *app_name; + char *parent_app_name; + char *category; + char *subcategroy; + char *technology; + char *characteristics; + struct deny_user_region deny_app_para; +}; + +struct hited_app_para +{ + int hited_app_id; + int after_n_packets; +}; + +struct master_context +{ + unsigned char is_esni; + unsigned char is_log; + unsigned char is_dropme; + unsigned char deal_pkt_num; + unsigned char is_app_link; + unsigned char pad; + unsigned short timeout; + tsg_protocol_t proto; + int hit_cnt; + int hited_app_id; + unsigned int quic_version; + char *domain; + union + { + char *http_url; + char *quic_ua; + 
void *para; + }; + scan_status_t mid; + struct Maat_rule_t *result; + struct hited_app_para hited_para; + struct timespec last_scan_time; +}; + +struct tcpall_context +{ + int set_latency_flag; + enum TSG_METHOD_TYPE method_type; + union + { + struct leaky_bucket *bucket; + long tamper_count; + int after_n_packets; + struct hited_app_para hited_para; + void *para; + }; +}; + +struct reset_argv +{ + int pkt_num; + int seed1; + int seed2; + int th_flags; + int dir; + int remedy; +}; + +#define _MAX_TABLE_NAME_LEN 64 +typedef struct tsg_para +{ + int level; + short mirror_switch; + unsigned short timeout; + int dynamic_maat_switch; + int location_field_num; + int app_dict_field_num; + int device_seq_in_dc; + int datacenter_id; + int hash_timeout; + int hash_slot_size; + int feature_tamper; + enum DEPLOY_MODE deploy_mode; + int scan_time_interval; + int identify_app_max_pkt_num; + int unknown_app_id; + int hit_path_switch; + int default_compile_id; + int table_id[TABLE_MAX]; + int dyn_subscribe_ip_table_id; //TSG_DYN_SUBSCRIBER_IP + int priority_project_id; + int session_attribute_project_id; + int context_project_id; + int tcpall_project_id; + int gather_app_project_id; + int bridge_id[BRIDGE_TYPE_MAX]; + int proto_flag; //tsg_protocol_t + int fs2_field_id[TSG_FS2_MAX]; + char device_sn[MAX_DOMAIN_LEN/8]; + char log_path[MAX_DOMAIN_LEN/8]; + char device_id_command[MAX_DOMAIN_LEN/8]; + char data_center[_MAX_TABLE_NAME_LEN]; + char device_tag[MAX_DOMAIN_LEN/2]; + char table_name[TABLE_MAX][_MAX_TABLE_NAME_LEN]; + char bridge_name[BRIDGE_TYPE_MAX][_MAX_TABLE_NAME_LEN]; + void *logger; + void *maat_logger; + struct reset_argv reset; + struct mirrored_vlan default_vlan; + screen_stat_handle_t fs2_handle; + struct l7_protocol *name_by_id; + struct l7_protocol *id_by_name; + struct traffic_mirror *mirror_handle; + ctemplate::Template *tpl_403,*tpl_404; + ctemplate::Template *tpl_200,*tpl_204; + ctemplate::Template *tpl_303; +}g_tsg_para_t; + +extern g_tsg_para_t g_tsg_para; 
+extern Maat_feather_t g_tsg_dynamic_maat_feather; +extern id2field_t g_tsg_proto_name2id[PROTO_MAX]; + +typedef enum tsg_statis_field_id +{ + STATIS_UNKNOWN=0, + STATIS_ENTRANCE_ID=1, + STATIS_TOTAL_CON_NUM, + STATIS_NEW_CON_NUM, + STATIS_ESTABLISHED_CON_NUM, + STATIS_CLOSE_CON_NUM, + STATIS_TOTAL_IN_BYTES, + STATIS_TOTAL_OUT_BYTES, + STATIS_TOTAL_IN_PACKETS, + STATIS_TOTAL_OUT_PACKETS, + STATIS_DEFAULT_CON_NUM, + STATIS_DEFAULT_IN_BYTES, + STATIS_DEFAULT_OUT_BYTES, + STATIS_DEFAULT_IN_PACKETS, + STATIS_DEFAULT_OUT_PACKETS, + STATIS_ALLOW_CON_NUM, + STATIS_ALLOW_IN_BYTES, + STATIS_ALLOW_OUT_BYTES, + STATIS_ALLOW_IN_PACKETS, + STATIS_ALLOW_OUT_PACKETS, + STATIS_DENY_CON_NUM, + STATIS_DENY_IN_BYTES, + STATIS_DENY_OUT_BYTES, + STATIS_DENY_IN_PACKETS, + STATIS_DENY_OUT_PACKETS, + STATIS_MONITOR_CON_NUM, + STATIS_MONITOR_IN_BYTES, + STATIS_MONITOR_OUT_BYTES, + STATIS_MONITOR_IN_PACKETS, + STATIS_MONITOR_OUT_PACKETS, + STATIS_INTERCEPT_CON_NUM, + STATIS_INTERCEPT_IN_BYTES, + STATIS_INTERCEPT_OUT_BYTES, + STATIS_INTERCEPT_IN_PACKETS, + STATIS_INTERCEPT_OUT_PACKETS, + STATIS_IPV4_IN_BYTES, + STATIS_IPV4_OUT_BYTES, + STATIS_IPV4_IN_PACKETS, + STATIS_IPV4_OUT_PACKETS, + STATIS_IPV6_IN_BYTES, + STATIS_IPV6_OUT_BYTES, + STATIS_IPV6_IN_PACKETS, + STATIS_IPV6_OUT_PACKETS, + STATIS_TCP_NEW_CON_NUM, + STATIS_TCP_IN_BYTES, + STATIS_TCP_OUT_BYTES, + STATIS_TCP_IN_PACKETS, + STATIS_TCP_OUT_PACKETS, + STATIS_UDP_NEW_CON_NUM, + STATIS_UDP_IN_BYTES, + STATIS_UDP_OUT_BYTES, + STATIS_UDP_IN_PACKETS, + STATIS_UDP_OUT_PACKETS, + STATIS_ALERT_BYTES, + STATIS_BLOCK_BYTES, + STATIS_PINNING_NUM, + STATIS_MAYBE_PINNING_NUM, + STATIS_NOT_PINNING_NUM, + STATIS_MAX +}tsg_statis_field_id_t; + +enum TRAFFIC_INFO_IDX +{ + TRAFFIC_INFO_ALLOW=0, + TRAFFIC_INFO_DENY, + TRAFFIC_INFO_MONITOR, + TRAFFIC_INFO_INTERCEPT, + TRAFFIC_INFO_MAX +}; + +typedef struct tsg_statistic +{ + int cycle; + int fs_line_id; + int thread_alive; + pthread_t stat_thread_id; + int fs_field_id[STATIS_MAX]; + long long 
statistic_opt[_OPT_TYPE_MAX]; + struct _traffic_info *traffic_info[TSG_ACTION_MAX+1]; + struct _traffic_info default_total_info; + screen_stat_handle_t fs2_handle; +}tsg_statis_para_t; + +int tsg_statistic_init(const char *conffile, void *logger); +void tsg_statistic_destroy(void); + +int tsg_gtp_signaling_hash_init(const char* conffile, void *logger); + +int set_struct_project(const struct streaminfo *a_stream, int project_id, void *data); +const void *get_struct_project(const struct streaminfo *a_stream, int project_id); + + +//parent_app_name.app_name +int tsg_app_id2name(int app_id, char *app_name, int app_name_len, int is_joint_parent); + +//return 18 or 19: subdivision_addr +int tsg_get_location_type(void); +void location_free_data(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp); +void ASN_number_free(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp); +void subscriber_id_free(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp); +void app_id_dict_free(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp); +void http_response_pages_free(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp); +void dns_profile_records_free(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void *argp); +void set_session_attribute_label(const struct streaminfo *a_stream, enum TSG_ATTRIBUTE_TYPE type, void *value, int value_len, int thread_seq); +int tsg_set_method_to_tcpall(const struct streaminfo *a_stream, struct tcpall_context **context, enum TSG_METHOD_TYPE method_type, int thread_seq); +int tsg_set_bucket_to_tcpall(const struct streaminfo *a_stream, struct tcpall_context **context, struct leaky_bucket *bucket, int thread_seq); +void security_compile_free(int idx, const struct Maat_rule_t* rule, const char* srv_def_large, MAAT_RULE_EX_DATA* ad, long argl, void *argp); + +struct Maat_rule_t *tsg_policy_decision_criteria(struct streaminfo *a_stream, Maat_rule_t *result, int result_num, int thread_seq); +int 
tsg_scan_addr(Maat_feather_t maat_feather, const struct streaminfo *a_stream, tsg_protocol_t proto, scan_status_t *mid, Maat_rule_t*result, int result_num); +int tsg_scan_shared_policy(Maat_feather_t maat_feather, const struct streaminfo *a_stream, char *domain, Maat_rule_t *result, int result_num, scan_status_t *mid, int table_id, int thread_seq); +int tsg_scan_app_properties_policy(Maat_feather_t maat_feather, const struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, scan_status_t *mid, char *property, char *district, int thread_seq); +int tsg_scan_subscribe_id_policy(Maat_feather_t maat_feather, const struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, scan_status_t *mid, struct subscribe_id_info *user_info, int thread_seq); +int tsg_get_umts_user_info(const struct streaminfo *a_stream, struct umts_user_info **user_info); +int tsg_scan_gtp_apn_policy(Maat_feather_t maat_feather, const struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, scan_status_t *mid, char *apn, int thread_seq); +int tsg_scan_gtp_imsi_policy(Maat_feather_t maat_feather, const struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, scan_status_t *mid, char *imsi, int thread_seq); +int tsg_scan_gtp_phone_number_policy(Maat_feather_t maat_feather, const struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, scan_status_t *mid, char *phone_number, int thread_seq); +int tsg_get_ip_location(const struct streaminfo *a_stream, int table_id, MAAT_PLUGIN_EX_DATA *client_location, MAAT_PLUGIN_EX_DATA *server_location); +int tsg_get_ip_asn(const struct streaminfo *a_stream, int table_id, MAAT_PLUGIN_EX_DATA* client_asn, MAAT_PLUGIN_EX_DATA* server_asn); +int tsg_get_subscribe_id(const struct streaminfo *a_stream, struct subscribe_id_info **source_subscribe_id, struct subscribe_id_info **dest_subscribe_id); +int tsg_send_raw_packet(const struct streaminfo *a_stream, struct mirrored_vlan *vlan, int vlan_num, 
int thread_seq);
+
+#endif
diff --git a/src/tsg_send_log.cpp b/src/tsg_send_log.cpp
index 89dff63..52120f3 100644
--- a/src/tsg_send_log.cpp
+++ b/src/tsg_send_log.cpp
@@ -617,9 +617,75 @@ static int set_packet_bytes(struct tsg_log_instance_t *_instance, struct TLD_han return 1; } -static int set_userdefine_app(struct TLD_handle_t *_handle, char *field_name, struct app_identify_result *result, TLD_TYPE type) +static int set_app_identify_info(struct TLD_handle_t *_handle, char *field_name, struct gather_app_result *result) +{ + int i=0,j=0,ret=0; + char app_name[512]={0}; + Value array(kArrayType); + + for(i=ORIGIN_USER_DEFINE; i0) + { + add_str_member(_handle, &object, "app_name", app_name); + } + else + { + object.AddMember("app_name", result[i].attributes[j].app_id, _handle->document->GetAllocator()); + } + object.AddMember("packet_sequence",result[i].attributes[j].packet_sequence, _handle->document->GetAllocator()); + } + + array.PushBack(object, _handle->document->GetAllocator()); + } + + TLD_append(_handle, field_name, &array, TLD_TYPE_OBJECT); + + return 1; +} + +static int get_app_id_list(Value *app_id_object, struct TLD_handle_t *_handle, const char *field_name, struct gather_app_result *result) { - if(result==NULL || result->app_id_num<=0) + int i=0,ret=0; + char app_name[512]={0}; + + if(result->app_num==0) + { + return 0; + } + + Value array(kArrayType); + for(i=0; iapp_num; i++) + { + Value object(kObjectType); + ret=tsg_app_id2name(result->attributes[i].app_id, app_name, sizeof(app_name), 1); + if(ret>0) + { + add_str_member(_handle, &object, "app_name", app_name); + } + object.AddMember("app_id", result->attributes[i].app_id, _handle->document->GetAllocator()); + object.AddMember("surrogate_id", result->attributes[i].surrogate_id, _handle->document->GetAllocator()); + object.AddMember("packet_sequence",result->attributes[i].packet_sequence, _handle->document->GetAllocator()); + array.PushBack(object, _handle->document->GetAllocator()); + } + add_object_member(_handle, app_id_object, field_name, array); + + return 1; +} + + +static int set_userdefine_app(struct TLD_handle_t *_handle, char *field_name, struct 
gather_app_result *result, TLD_TYPE type) +{ + if(result==NULL || result->app_num<=0) { return 0; } @@ -628,10 +694,10 @@ static int set_userdefine_app(struct TLD_handle_t *_handle, char *field_name, st char app_name[256]={0}; Value array(kArrayType); - for(i=0; iapp_id_num; i++) + for(i=0; iapp_num; i++) { memset(app_name, 0, sizeof(app_name)); - tsg_app_id2name(result->app_id[i], app_name, sizeof(app_name), 1); + tsg_app_id2name(result->attributes[i].app_id, app_name, sizeof(app_name), 1); if(strnlen(app_name, sizeof(app_name)) > 0) { Value app_name_str; @@ -645,7 +711,7 @@ static int set_userdefine_app(struct TLD_handle_t *_handle, char *field_name, st return 1; } -static int get_l7_protocol(struct app_identify_result *result, char *protocol_list, int protocol_list_len, int *flag) +static int get_l7_protocol(struct gather_app_result *result, char *protocol_list, int protocol_list_len, int *flag) { int i=0,offset=0; char *name=NULL; @@ -655,10 +721,10 @@ static int get_l7_protocol(struct app_identify_result *result, char *protocol_li return 0; } - for(i=0; iapp_id_num; i++) + for(i=0; iapp_num; i++) { (*flag)=1; - name=tsg_l7_protocol_id2name(result->app_id[i]); + name=tsg_l7_protocol_id2name(result->attributes[i].app_id); if(name!=NULL) { if(i>0 && offset>0 && (protocol_list_len-offset)>0) 
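Review bot: In set_app_identify_info the "app_name" member is a string when tsg_app_id2name resolves the id and the numeric app_id when it does not, so consumers of common_app_identify_info have to handle two types under one key. get_app_id_list, added in the same hunk, always writes `app_id` as a number and adds `app_name` only when `ret>0`; doing the same here keeps the field schema stable, i.e. replace the else branch with an unconditional `object.AddMember("app_id", result[i].attributes[j].app_id, _handle->document->GetAllocator());`. The loop headers of this function are damaged in this rendering of the patch, so the bounds used for i and j could not be reviewed.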
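Review bot: The loop in set_userdefine_app now reads `result->attributes[i]` up to `result->app_num`, and nothing in this file checks that count against the capacity of attributes[] before indexing. The same pattern appears in get_l7_protocol (hunk at -655), get_app_id_list, get_userdefine_name and get_app_name_list, and get_app_id reads `attributes[result->app_num-1]`. struct gather_app_result is declared outside these hunks, so whether the producer can leave app_num above the array size is not visible here; if it can, the log path copies memory past the array into the emitted JSON. Assuming MAX_APP_ID_NUM is the array capacity, a clamp such as `int n = result->app_num > MAX_APP_ID_NUM ? MAX_APP_ID_NUM : result->app_num;` before each loop, or a comment on the struct stating the invariant, would close this.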
@@ -673,35 +739,38 @@ static int get_l7_protocol(struct app_identify_result *result, char *protocol_li return 1; } -static unsigned int get_max_app_id(unsigned int *app_id_array, int app_id_num) +static unsigned int get_userdefine_name(struct gather_app_result *result, char *app_name, int app_name_len, int *flag, int is_joint_parent) { - if(app_id_num<=0) + if((*flag)==1 || result->app_num<=0) { return 0; } + int i=0; - unsigned int max_app_id=app_id_array[0]; + unsigned int max_app_id=0; - for(i=1; i< app_id_num; i++) + for(i=0; i< result->app_num; i++) { - if(max_app_idattributes[i].app_id) { - max_app_id=app_id_array[i]; + max_app_id=result->attributes[i].app_id; } } + (*flag)=1; + tsg_app_id2name(max_app_id, app_name, app_name_len, is_joint_parent); return max_app_id; } -static int get_app_id(struct app_identify_result *result, unsigned int *app_id, unsigned int *surrogate_id, int *flag) +static int get_app_id(struct gather_app_result *result, unsigned int *app_id, unsigned int *surrogate_id, int *flag) { - if(result->app_id_num>0 && (*flag)==0) + if(result->app_num>0 && (*flag)==0) { (*flag)=1; - (*app_id)=result->app_id[result->app_id_num-1]; - (*surrogate_id)=result->surrogate_id[result->app_id_num-1]; + (*app_id)=result->attributes[result->app_num-1].app_id; + (*surrogate_id)=result->attributes[result->app_num-1].surrogate_id; return 1; } 
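Review bot: get_userdefine_name sets `(*flag)=1` before calling tsg_app_id2name and ignores its return value, so when the largest user-defined id has no name the caller sees the flag set with an empty app_name and skips the fallbacks to the other origins. Elsewhere in this patch the call is treated as successful only when `ret>0`; the same test fits here: `if(tsg_app_id2name(max_app_id, app_name, app_name_len, is_joint_parent)>0) { (*flag)=1; }`. The function returns the selected app id as `unsigned int` while its caller discards the result; a one-line comment stating that it returns the chosen id (0 when nothing was selected) would make the contract clear.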
@@ -709,40 +778,17 @@ static int get_app_id(struct app_identify_result *result, unsigned int *app_id, return 0; } -static int get_app_id_list(Value *app_id_object, struct TLD_handle_t *_handle, const char *field_name, struct app_identify_result *result) -{ - int i=0; - - if(result->app_id_num==0) - { - return 0; - } - - Value array(kArrayType); - for(i=0; iapp_id_num; i++) - { - Value object(kObjectType); - object.AddMember("app_id", result->app_id[i], _handle->document->GetAllocator()); - object.AddMember("surrogate_id", result->surrogate_id[i], _handle->document->GetAllocator()); - array.PushBack(object, _handle->document->GetAllocator()); - } - add_object_member(_handle, app_id_object, field_name, array); - - return 1; -} - -static int get_app_name_list(unsigned int *app_id_array, int app_id_num, char *app_name, int app_name_len, int *flag, int is_joint_parent) +static int get_app_name_list(struct gather_app_result *result, char *app_name, int app_name_len, int *flag, int is_joint_parent) { int i=0; int offset=0; - if((*flag)==1 || app_id_num<=0) + if((*flag)==1 || result->app_num<=0) { return 0; } - //for(i=0; iapp_num-1; iapp_num; i++) { (*flag)=1; @@ -752,7 +798,7 @@ static int get_app_name_list(unsigned int *app_id_array, int app_id_num, char *a offset++; } - offset+=tsg_app_id2name(app_id_array[i], app_name+offset, app_name_len-offset, is_joint_parent); + offset+=tsg_app_id2name(result->attributes[i].app_id, app_name+offset, app_name_len-offset, is_joint_parent); } return 1; 
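Review bot: In get_app_name_list, `offset+=tsg_app_id2name(result->attributes[i].app_id, app_name+offset, app_name_len-offset, is_joint_parent);` adds the return value to offset without checking it, and the next iteration writes a separator and passes `app_name+offset` again. tsg_app_id2name is defined outside this patch; if it can return a negative value or a length at or beyond the remaining space, offset leaves the 512-byte buffer that set_app_id supplies. Checking the result, for example `ret=tsg_app_id2name(...); if(ret<=0 || ret>=app_name_len-offset) break; offset+=ret;`, keeps every write inside the buffer. The loop header sits in the preceding hunk and is damaged in this rendering of the patch.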
@@ -763,21 +809,20 @@ static int set_app_id(struct tsg_log_instance_t *_instance, struct TLD_handle_t int app_id_flag=0; int l7_protocol_flag=0; char app_name[512]={0}; - unsigned int max_app_id=0; char protocol_list[256]={0}; unsigned int one_app_id=0; unsigned int one_surrogate_id=0; - struct gather_app_result *label=NULL; + struct gather_app_result *gather_result=NULL; - label=(struct gather_app_result *)project_req_get_struct(a_stream, g_tsg_para.gather_app_project_id); - if(label==NULL) + gather_result=(struct gather_app_result *)project_req_get_struct(a_stream, g_tsg_para.gather_app_project_id); + if(gather_result==NULL) { TLD_append(_handle, _instance->id2field[LOG_COMMON_L7_PROTOCOL].name, (void *)_instance->l7_unknown_name, TLD_TYPE_STRING); return 0; } - get_l7_protocol(&(label->result[ORIGIN_BASIC_PROTOCOL]), protocol_list, sizeof(protocol_list), &l7_protocol_flag); + get_l7_protocol(&(gather_result[ORIGIN_BASIC_PROTOCOL]), protocol_list, sizeof(protocol_list), &l7_protocol_flag); if(l7_protocol_flag==1) { TLD_append(_handle, _instance->id2field[LOG_COMMON_L7_PROTOCOL].name, (void *)protocol_list, TLD_TYPE_STRING); @@ -789,9 +834,9 @@ static int set_app_id(struct tsg_log_instance_t *_instance, struct TLD_handle_t if(_instance->app_id_type==0) // int { - get_app_id(&(label->result[ORIGIN_USER_DEFINE]), &one_app_id, &one_surrogate_id, &app_id_flag); - get_app_id(&(label->result[ORIGIN_DKPT]), &one_app_id, &one_surrogate_id, &app_id_flag); - get_app_id(&(label->result[ORIGIN_QM_ENGINE]), &one_app_id, &one_surrogate_id, &app_id_flag); + get_app_id(&(gather_result[ORIGIN_USER_DEFINE]), &one_app_id, &one_surrogate_id, &app_id_flag); + get_app_id(&(gather_result[ORIGIN_DKPT]), &one_app_id, &one_surrogate_id, &app_id_flag); + get_app_id(&(gather_result[ORIGIN_QM_ENGINE]), &one_app_id, &one_surrogate_id, &app_id_flag); if(app_id_flag==1) { 
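Review bot: set_app_id now treats the pointer returned by project_req_get_struct as an array and indexes it with ORIGIN_* values (`&(gather_result[ORIGIN_BASIC_PROTOCOL])`), where the old code indexed a `result[]` member inside a single struct. The cast hides that layout change, so any producer that still stores one struct under gather_app_project_id would make every index other than 0 read past the allocation. The allocation is not part of this file; a comment at the cast, for example `/* slot holds an array of struct gather_app_result, one element per ORIGIN_* value */`, together with the matching element count at the allocation site, would document the contract. The function continues in the following hunks.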
@@ -801,32 +846,28 @@ static int set_app_id(struct tsg_log_instance_t *_instance, struct TLD_handle_t } else //string { - set_userdefine_app(_handle, _instance->id2field[LOG_COMMON_USERDEFINE_APP].name, &(label->result[ORIGIN_USER_DEFINE]), TLD_TYPE_LONG); - - max_app_id=get_max_app_id(label->result[ORIGIN_USER_DEFINE].app_id, label->result[ORIGIN_USER_DEFINE].app_id_num); - if(max_app_id>0) - { - get_app_name_list(&max_app_id, 1, app_name, sizeof(app_name), &app_id_flag, 0); - } + set_userdefine_app(_handle, _instance->id2field[LOG_COMMON_USERDEFINE_APP].name, &(gather_result[ORIGIN_USER_DEFINE]), TLD_TYPE_LONG); + + get_userdefine_name(&(gather_result[ORIGIN_USER_DEFINE]), app_name, sizeof(app_name), &app_id_flag, 0); if(app_id_flag!=1) { - get_app_name_list(label->result[ORIGIN_BUILT_IN].app_id, label->result[ORIGIN_BUILT_IN].app_id_num, app_name, sizeof(app_name), &app_id_flag, 0); + get_app_name_list(&(gather_result[ORIGIN_BUILT_IN]), app_name, sizeof(app_name), &app_id_flag, 0); } if(app_id_flag!=1) - { - get_app_name_list(label->result[ORIGIN_DKPT].app_id, label->result[ORIGIN_DKPT].app_id_num, app_name, sizeof(app_name), &app_id_flag, 0); + { + get_app_name_list(&(gather_result[ORIGIN_DKPT]), app_name, sizeof(app_name), &app_id_flag, 0); } if(app_id_flag!=1) - { - get_app_name_list(label->result[ORIGIN_QM_ENGINE].app_id, label->result[ORIGIN_QM_ENGINE].app_id_num, app_name, sizeof(app_name), &app_id_flag, 0); + { + get_app_name_list(&(gather_result[ORIGIN_QM_ENGINE]), app_name, sizeof(app_name), &app_id_flag, 0); } if(app_id_flag!=1) - { - get_app_name_list(label->result[ORIGIN_UNKNOWN].app_id, label->result[ORIGIN_UNKNOWN].app_id_num, app_name, sizeof(app_name), &app_id_flag, 0); + { + get_app_name_list(&(gather_result[ORIGIN_UNKNOWN]), app_name, sizeof(app_name), &app_id_flag, 0); } if(app_id_flag==1) 
@@ -837,12 +878,14 @@ static int set_app_id(struct tsg_log_instance_t *_instance, struct TLD_handle_t } Value app_id_object(kObjectType); - get_app_id_list(&app_id_object, _handle, "USER_DEFINE", &(label->result[ORIGIN_USER_DEFINE])); - get_app_id_list(&app_id_object, _handle, "BUILT_IN", &(label->result[ORIGIN_BUILT_IN])); - get_app_id_list(&app_id_object, _handle, "DKPT", &(label->result[ORIGIN_DKPT])); - get_app_id_list(&app_id_object, _handle, "THIRD", &(label->result[ORIGIN_QM_ENGINE])); - get_app_id_list(&app_id_object, _handle, "UNKNOWN", &(label->result[ORIGIN_UNKNOWN])); + get_app_id_list(&app_id_object, _handle, "USER_DEFINE", &(gather_result[ORIGIN_USER_DEFINE])); + get_app_id_list(&app_id_object, _handle, "BUILT_IN", &(gather_result[ORIGIN_BUILT_IN])); + get_app_id_list(&app_id_object, _handle, "DKPT", &(gather_result[ORIGIN_DKPT])); + get_app_id_list(&app_id_object, _handle, "THIRD", &(gather_result[ORIGIN_QM_ENGINE])); + get_app_id_list(&app_id_object, _handle, "UNKNOWN", &(gather_result[ORIGIN_UNKNOWN])); TLD_append(_handle, _instance->id2field[LOG_COMMON_APP_ID].name, &app_id_object, TLD_TYPE_OBJECT); + + set_app_identify_info(_handle, _instance->id2field[LOG_COMMON_APP_IDENTIFY_INFO].name, gather_result); } } diff --git a/src/tsg_send_log_internal.h b/src/tsg_send_log_internal.h index 52b11b0..1140d85 100644 --- a/src/tsg_send_log_internal.h +++ b/src/tsg_send_log_internal.h @@ -126,6 +126,7 @@ typedef enum _tsg_log_field_id LOG_COMMON_PACKET_CAPTURE_FILE, LOG_COMMON_APPLICATION_BEHAVIOR, LOG_HTTP_URL, + LOG_COMMON_APP_IDENTIFY_INFO, LOG_COMMON_MAX }tsg_log_field_id_t;