diff --git a/bin/tsg_log_field.conf b/bin/tsg_log_field.conf
index bc1dea0..c27a5a3 100644
--- a/bin/tsg_log_field.conf
+++ b/bin/tsg_log_field.conf
@@ -53,4 +53,7 @@ STRING ssl_ja3_hash 44
 STRING common_data_center 45
 STRING common_l7_protocol 46
 STRING common_tcp_client_isn 47
-STRING common_tcp_server_isn 48
\ No newline at end of file
+STRING common_tcp_server_isn 48
+LONG common_app_surrogate_id 49
+STRING sip_from 50
+STRING sip_to 51
\ No newline at end of file
diff --git a/bin/tsg_static_tableinfo.conf b/bin/tsg_static_tableinfo.conf
index a1485cb..0e3ee01 100644
--- a/bin/tsg_static_tableinfo.conf
+++ b/bin/tsg_static_tableinfo.conf
@@ -70,3 +70,6 @@
 58 APP_SELECTOR_GROUP_GROUP_RELATION group2group --
 59 APP_SELECTOR_PROPERTIES expr_plus UTF8 UTF8/GBK yes 0
 60 APP_SELECTOR_ID intval UTF8 UTF8 yes 0
+61 TSG_FIELD_SIP_FROM virtual TSG_OBJ_ACCOUNT --
+62 TSG_FIELD_SIP_TO virtual TSG_OBJ_ACCOUNT --
+63 APP_ID_DICT plugin {"key":1,"valid":16}
\ No newline at end of file
diff --git a/inc/app_label.h b/inc/app_label.h
index b80da8c..c6b9bd3 100644
--- a/inc/app_label.h
+++ b/inc/app_label.h
@@ -1,130 +1,13 @@ #ifndef __APP_LABEL_H__ #define __APP_LABEL_H__ -#define MAX_APP_ID_PROPERTY_LEN 128 - - -struct _quic_attribute_t +struct app_id_label { - char *version; - char *sni; - char *user_agent; -}; - -struct _dns_attribute_t -{ - unsigned short id; - unsigned short flag; - unsigned short qdcount; - unsigned short ancount; - unsigned short aucount;//authority count - unsigned short adcount;//additional count - - unsigned short qtype; - unsigned short qclass; - char *qname; -}; - -struct _http_attribute_t -{ - char *host; - char *uri; - char *user_agent; - char *content_type; - char *content_encoding; - char *referer; - char *cookie; - char *set_cookie; -}; - -struct _ssl_attribute_t -{ - char *cn; - char *sni; - char *san; - char *version; - char *fingerprint; - char *serial_number; - char *issuer_common_name; - char *issuer_organition_name; - char *issuer_country_name; - char *subject_common_name; - char *subject_organition_name; - char *subject_country_name; - char *not_valid_before; - char *not_valid_after; - char *algotithm_id; - char *ja3_fingerprint; -}; - -struct _app_id_dict_t -{ - int ref_cnt; - int app_id; - int deny_action; - int continue_scanning; - int tcp_timeout; - int udp_timeout; - int tcp_time_wait; - int tcp_half_close; - int is_valid; - char risk[MAX_APP_ID_PROPERTY_LEN*4]; - char app_name[MAX_APP_ID_PROPERTY_LEN]; - char category[MAX_APP_ID_PROPERTY_LEN*4]; - char subcategroy[MAX_APP_ID_PROPERTY_LEN*4]; - char technology[MAX_APP_ID_PROPERTY_LEN*4]; - char characteristics[MAX_APP_ID_PROPERTY_LEN*4]; - char depends_on_app_ids[MAX_APP_ID_PROPERTY_LEN]; - char implicitly_uses_app_ids[MAX_APP_ID_PROPERTY_LEN]; -}; - - -#define MAX_APP_ID_NUM 8 - -enum _APP_SESSION_PROTO -{ - SESSION_PROTO_HTTP=1, - SESSION_PROTO_SSL, - SESSION_PROTO_QUIC, - SESSION_PROTO_DNS, - _SESSION_PROTO_MAX -}; - -enum _APP_SESSION_FLAG -{ - SESSION_FLAG_TCP_CREATE_WITH_SYN=1, - SESSION_FLAG_SSL_USE_SELFSIGNED_CERT=2, - SESSION_FLAG_SSL_INCOMPLETE_CERT_CHAIN=4 -}; 
- - -typedef struct _app_id_label_add_flag_t -{ - volatile char flag; -}APP_ADD_ID_LABEL_T; - -struct _app_id_label_t -{ - char ref_cnt; - char session_flag; // enum SESSION_FLAG - char session_proto; //enum _APP_SESSION_PROTO - char app_id_num; - APP_ADD_ID_LABEL_T flag; //0: no; 1: yes - char pad[3]; int surrogate_id; int app_id; - struct _app_id_dict_t *dict; - union - { - struct _ssl_attribute_t *ssl_attribute; - struct _dns_attribute_t *dns_attribute; - struct _http_attribute_t *http_attribute; - struct _quic_attribute_t *quic_attribute; - void *attribute; //quic sni or dns query qname - }; }; -struct _basic_proto_label +struct basic_proto_label { unsigned char continue_scan_flag; //0: stop; 1: continue unsigned char pad; @@ -141,17 +24,17 @@ enum _ATTRIBUTE_TYPE _ATTRIBUTE_TYPE_MAX }; -struct _attribute_kv_t +struct attribute_kv { enum _ATTRIBUTE_TYPE type; char *name; void *value; }; -struct _user_defined_attribute_label_t +struct user_defined_attribute_label { int attribute_num; - struct _attribute_kv_t *attribute; + struct attribute_kv *attribute; }; #endif diff --git a/inc/tsg_label.h b/inc/tsg_label.h index f3d8a9a..2d1987f 100644 --- a/inc/tsg_label.h +++ b/inc/tsg_label.h @@ -28,6 +28,7 @@ typedef enum _tsg_protocol PROTO_IMAP, PROTO_POP3, PROTO_RTP, + PROTO_APP, PROTO_MAX }tsg_protocol_t; diff --git a/inc/tsg_rule.h b/inc/tsg_rule.h index 5e19849..d8b0ce9 100644 --- a/inc/tsg_rule.h +++ b/inc/tsg_rule.h @@ -5,6 +5,9 @@ #include "tsg_label.h" +#define TSG_DOMAIN_MAX 256 +#define MAX_APP_ID_PROPERTY_LEN 128 + #define TSG_ACTION_NONE 0x00 #define TSG_ACTION_MONITOR 0x01 #define TSG_ACTION_INTERCEPT 0x02 @@ -13,7 +16,7 @@ #define TSG_ACTION_BYPASS 0x80 #define TSG_ACTION_MAX 0x80 -enum TSG_ETHOD_TYPE +enum TSG_METHOD_TYPE { TSG_METHOD_TYPE_UNKNOWN=0, TSG_METHOD_TYPE_DROP, 
@@ -24,13 +27,22 @@ enum TSG_ETHOD_TYPE TSG_METHOD_TYPE_MAX }; -struct _identify_info +struct identify_info { tsg_protocol_t proto; //enum _tsg_protocol (tsg_types.h) int domain_len; char domain[MAX_DOAMIN_LEN]; }; +struct compile_user_region +{ + int code; + int ref_cnt; + int html_profile; + char protocol[32]; + char method[32]; + char *message; +}; typedef enum _PULL_RESULT_TYPE { @@ -38,14 +50,33 @@ typedef enum _PULL_RESULT_TYPE PULL_FW_RESULT }PULL_RESULT_TYPE; -#define TSG_DOMAIN_MAX 256 +struct app_id_dict_table +{ + int ref_cnt; + int app_id; + int deny_action; + int continue_scanning; + int tcp_timeout; + int udp_timeout; + int tcp_time_wait; + int tcp_half_close; + int is_valid; + char risk[MAX_APP_ID_PROPERTY_LEN*4]; + char app_name[MAX_APP_ID_PROPERTY_LEN]; + char category[MAX_APP_ID_PROPERTY_LEN*4]; + char subcategroy[MAX_APP_ID_PROPERTY_LEN*4]; + char technology[MAX_APP_ID_PROPERTY_LEN*4]; + char characteristics[MAX_APP_ID_PROPERTY_LEN*4]; + char depends_on_app_ids[MAX_APP_ID_PROPERTY_LEN]; + char implicitly_uses_app_ids[MAX_APP_ID_PROPERTY_LEN]; +}; extern Maat_feather_t g_tsg_maat_feather; int tsg_rule_init(const char *conffile, void *logger); int tsg_scan_nesting_addr(Maat_feather_t maat_feather, const struct streaminfo *a_stream, tsg_protocol_t proto, scan_status_t *mid, Maat_rule_t*result, int result_num); -int tsg_pull_policy_result(struct streaminfo *a_stream, PULL_RESULT_TYPE pull_result_type, Maat_rule_t*result, int result_num, struct _identify_info *identify_info); +int tsg_pull_policy_result(struct streaminfo *a_stream, PULL_RESULT_TYPE pull_result_type, Maat_rule_t*result, int result_num, struct identify_info *identify_info); //return NULL if none exists, otherwise return one deny rule; struct Maat_rule_t *tsg_fetch_deny_rule(Maat_rule_t *result, int result_num); diff --git a/src/tsg_entry.cpp b/src/tsg_entry.cpp index 15f02c7..8f93c2a 100644 --- a/src/tsg_entry.cpp +++ b/src/tsg_entry.cpp 
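Review bot: `struct compile_user_region` in this hunk declares `char *message` beside the fixed `protocol[32]`/`method[32]` buffers without saying who allocates the string, who frees it, or whether `ref_cnt` governs its lifetime, so the first consumer has to guess and a leak or double free is easy. A field comment would settle it: `char *message; /* TODO(review): document owner - who allocates, and is it released when ref_cnt reaches 0? */`. Nothing else in this diff reads the struct, so the intended lifecycle can only come from the author.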
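Review bot: `struct app_id_dict_table` arrives here from app_label.h with no comment on what populates it, yet tsg_entry.cpp later in this diff casts the result of `Maat_plugin_get_EX_data(..., table_id[TABLE_APP_ID_DICT], app_id_buff)` to it and hands `risk`, `category`, `technology`, `subcategroy`, `characteristics` and `app_name` to policy scanners as plain C strings. A header comment such as `/* One row of the APP_ID_DICT plugin table (tsg_static_tableinfo.conf id 63), keyed by the decimal app_id string; the char arrays must be NUL-terminated by the loader because tsg_entry.cpp passes them to string scanners. */` records that contract. If the plugin loader does not guarantee termination the scanners can read past the arrays, which is worth confirming against the loader code that is not in this diff. The misspelled field `subcategroy` is carried over unchanged; fixing it while the struct is being relocated anyway would be cheap.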
@@ -14,6 +14,7 @@ #include #include +#include "app_label.h" #include "tsg_rule.h" #include "tsg_entry.h" #include "tsg_send_log.h" @@ -82,11 +83,29 @@ id2field_t g_tsg_proto_name2id[PROTO_MAX]={{TLD_TYPE_UNKNOWN, PROTO_UNKONWN, "un {TLD_TYPE_UNKNOWN, PROTO_SMTP, "SMTP"}, {TLD_TYPE_UNKNOWN, PROTO_IMAP, "IMAP"}, {TLD_TYPE_UNKNOWN, PROTO_POP3, "POP3"}, - {TLD_TYPE_UNKNOWN, PROTO_RTP, "RTP"} + {TLD_TYPE_UNKNOWN, PROTO_RTP, "RTP"}, + {TLD_TYPE_UNKNOWN, PROTO_APP, "APP"} }; #define DECCRYPTION_EXCLUSION_ALLOW_POLICY_ID 1 + +static int init_context(void **pme, int thread_seq) +{ + struct master_context *context=(struct master_context *)*pme; + + *pme=dictator_malloc(thread_seq, sizeof(struct master_context)); + memset(*pme, 0, sizeof(struct master_context)); + context=(struct master_context *)*pme; + context->domain_len=0; + memset(context->domain, 0, sizeof(context->domain)); + + context->continue_scan_app_id=APP_SCAN_FLAG_CONTINUE; + context->continue_scan_proto_id=APP_SCAN_FLAG_CONTINUE; + + return 0; +} + static int tsg_get_sn(char *filename, char *device_sn, int device_sn_len) { int ret=0,flags=0; 
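Review bot: `init_context` calls `memset` on `*pme` straight after `dictator_malloc` without a NULL check, so an allocation failure becomes a NULL dereference in the entry path instead of a reported error; if dictator_malloc can fail, insert `if(*pme==NULL) { return -1; }` before the memset and have `TSG_MASTER_TCP_ENTRY` act on the non-zero return, which it currently discards. The opening `struct master_context *context=(struct master_context *)*pme;` reads the old pointer only to overwrite it two lines later; `struct master_context *context=NULL;` says what is meant. The explicit `context->domain_len=0` and the second memset of `context->domain` repeat what the whole-struct memset already did. The same unchecked-allocation pattern recurs in this diff in copy_intercept_result, copy_monitor_result, copy_deny_result, copy_bypass_result and set_session_attribute_label (hunk @@ -319,6 +294,382 @@).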
@@ -135,132 +154,88 @@ static int get_device_id(char *command, int entrance_id) return (entrance_id<<7)+(atoi(buffer)%128); } -static int tsg_proto_name2flag(char *proto_list, int *flag) +static int is_repetitive_app_id(unsigned short proto_id) { - int i=0; - char *s=NULL,*e=NULL; - - s=proto_list; - while(s) + switch(proto_id) { - e=index(s, ';'); - if(!e) - { - break; - } - - for(i=0; i< PROTO_MAX; i++) - { - if((memcmp(s, g_tsg_proto_name2id[i].name, e-s))==0) - { - *flag|=(1<result!=NULL) - { - dictator_free(thread_seq, (void *)_context->result); - _context->result=NULL; - } - - dictator_free(thread_seq, (void *)_context); - _context=NULL; - *pme=NULL; - } -} - -static int init_context(void **pme, tsg_protocol_t proto, struct Maat_rule_t *p_result, int thread_seq) -{ - struct _master_context *_context=(struct _master_context *)*pme; - - *pme=dictator_malloc(thread_seq, sizeof(struct _master_context)); - _context=(struct _master_context *)*pme; - _context->proto=proto; - _context->domain_len=0; - memset(_context->domain, 0, sizeof(_context->domain)); - - _context->hit_cnt=1; - _context->result=(struct Maat_rule_t *)dictator_malloc(thread_seq, sizeof(struct Maat_rule_t)); - memcpy(_context->result, p_result, sizeof(struct Maat_rule_t)); - - return 0; -} - -char *tsg_schema_index2string(tsg_protocol_t proto) -{ - char *schema_field_value=NULL; - - switch(proto) - { - case PROTO_HTTP: - schema_field_value=(char *)"HTTP"; - break; - case PROTO_SSL: - schema_field_value=(char *)"SSL"; - break; - case PROTO_DNS: - schema_field_value=(char *)"DNS"; - break; - case PROTO_FTP: - schema_field_value=(char *)"FTP"; - break; - case PROTO_BGP: - schema_field_value=(char *)"BGP"; - break; - case PROTO_SIP: - schema_field_value=(char *)"SIP"; - break; - case PROTO_MAIL: - schema_field_value=(char *)"MAIL"; - break; - case PROTO_STREAMING_MEDIA: - schema_field_value=(char *)"STREAMING_MEDIA"; - break; - case PROTO_QUIC: - schema_field_value=(char *)"QUIC"; - break; - case 
PROTO_SSH: - schema_field_value=(char *)"SSH"; - break; - case PROTO_IMAP: - schema_field_value=(char *)"IMAP"; - break; - case PROTO_POP3: - schema_field_value=(char *)"POP3"; - break; - case PROTO_SMTP: - schema_field_value=(char *)"SMTP"; - break; - case PROTO_RTP: - schema_field_value=(char *)"RTP"; - break; + case DNS_PROTO_ID: + case FTP_PROTO_ID: + case HTTP_PROTO_ID: + case MAIL_PROTO_ID: + case QUIC_PROTO_ID: + case SIP_PROTO_ID: + case SSL_PROTO_ID: + case RTP_PROTO_ID: + return 1; default: break; } - return schema_field_value; + return 0; } -static int master_send_log(struct streaminfo *a_stream, struct Maat_rule_t *p_result, int result_num, struct _identify_info *identify_info, int thread_seq) +static struct app_id_label *get_app_id_label(struct streaminfo *a_stream, struct master_context *context, int thread_seq) +{ + struct app_id_label *app_id_label=NULL; + + if(context->continue_scan_app_id==APP_SCAN_FLAG_CONTINUE && g_tsg_para.app_id_project_id>=0) + { + app_id_label=(struct app_id_label *)project_req_get_struct(a_stream, g_tsg_para.app_id_project_id); + if(app_id_label==NULL) + { + return NULL; + } + + if(context->app_id!=app_id_label->app_id) + { + MESA_handle_runtime_log(g_tsg_para.logger, + RLOG_LV_DEBUG, + "READ_APP_ID_FLAG", + "Get %s app id label, app_id: %d addr: %s", + context->uuid_str, + app_id_label->app_id, + printaddr(&a_stream->addr, thread_seq) + ); + context->app_id=app_id_label->app_id; + return app_id_label; + } + + + } + + return NULL; +} + +static int get_basic_proto_id(struct streaminfo *a_stream, struct master_context *context, int thread_seq) +{ + struct basic_proto_label *proto_label=NULL; + + if(context->continue_scan_proto_id==APP_SCAN_FLAG_CONTINUE && g_tsg_para.l7_proto_project_id>=0) + { + proto_label=(struct basic_proto_label *)project_req_get_struct(a_stream, g_tsg_para.l7_proto_project_id); + if(proto_label!=NULL && proto_label->proto_id!=context->basic_proto_id) + { + 
if(proto_label->continue_scan_flag==APP_SCAN_FLAG_STOP) + { + context->continue_scan_proto_id=APP_SCAN_FLAG_STOP; + } + + if(is_repetitive_app_id(proto_label->proto_id)) + { + context->continue_scan_proto_id=APP_SCAN_FLAG_STOP; + } + else + { + context->basic_proto_id=proto_label->proto_id; + return context->basic_proto_id; + } + } + } + + return 0; +} + +static int master_send_log(struct streaminfo *a_stream, struct Maat_rule_t *p_result, int result_num, struct identify_info *identify_info, int thread_seq) { tsg_log_t log_msg; char *domain_field_name=NULL; 
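Review bot: `get_app_id_label` returns NULL both when no label is attached to the stream and when the label's app_id equals `context->app_id`, and it updates `context->app_id` as a side effect, so the name undersells the contract; its caller `scan_application_id_and_properties` (later in this diff) treats NULL as "nothing to scan", which is only correct if each new app id is meant to be scanned exactly once. A comment above the function along the lines of `/* Returns the stream's app_id_label only the first time a new app_id is seen and records it in context->app_id; NULL means no label or no change. */` would make that explicit, and `get_basic_proto_id` deserves the same, since it returns 0 for absent, unchanged and stopped alike. In `get_basic_proto_id` a label carrying `continue_scan_flag==APP_SCAN_FLAG_STOP` still has its proto_id accepted on this call before scanning is turned off; if that final scan is intentional it needs a comment, otherwise an early `return 0;` after setting the flag. `is_repetitive_app_id` is fed basic protocol ids, not app ids, and its `_PROTO_ID` cases read as "protocols already handled by a dedicated parser", though that is inferred; naming or commenting it that way would help.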
@@ -319,6 +294,382 @@ static int master_send_log(struct streaminfo *a_stream, struct Maat_rule_t *p_re return 1; } + +static int tsg_proto_name2flag(char *proto_list, int *flag) +{ + int i=0; + char *s=NULL,*e=NULL; + + s=proto_list; + while(s) + { + e=index(s, ';'); + if(!e) + { + break; + } + + for(i=0; i< PROTO_MAX; i++) + { + if((memcmp(s, g_tsg_proto_name2id[i].name, e-s))==0) + { + *flag|=(1<=0) + { + if((memcmp(buff, "mirror", strlen(buff)))==0) + { + g_tsg_para.depolyment_mode=0; + } + else + { + g_tsg_para.depolyment_mode=1; + } + } + + return 0; +} + +void free_app_id_label(int thread_seq, void *project_req_value) +{ + if(project_req_value!=NULL) + { + dictator_free(thread_seq, project_req_value); + } +} + +static void free_policy_label(int thread_seq, void *project_req_value) +{ + dictator_free(thread_seq, project_req_value); + project_req_value=NULL; +} + +static void copy_identify_info(struct master_context *context, struct identify_info *identify_info, int thread_seq) +{ + if(identify_info->proto>PROTO_UNKONWN && identify_info->protodomain_len>0 && strlen(identify_info->domain)>0) + { + memcpy(context->domain, identify_info->domain, identify_info->domain_len); + context->domain_len=identify_info->domain_len; + } +} + +static void copy_monitor_result(struct streaminfo *a_stream, struct master_context *context, struct Maat_rule_t *p_result, int result_num, int thread_seq) +{ + int i=0; + + if(context->result==NULL) + { + context->result=(struct Maat_rule_t *)dictator_malloc(thread_seq, sizeof(struct Maat_rule_t)*MAX_RESULT_NUM); + + for(i=0; ihit_cntresult+context->hit_cnt, &p_result[i], sizeof(struct Maat_rule_t)); + context->hit_cnt+=1; + } + } + else + { + if(context->result[0].action==TSG_ACTION_MONITOR) + { + for(i=0; ihit_cntresult+context->hit_cnt, &p_result[i], sizeof(struct Maat_rule_t)); + context->hit_cnt+=1; + } + } + } + + MESA_handle_runtime_log(g_tsg_para.logger, + RLOG_LV_DEBUG, + "MONITOR", + "Hit monitor policy, policy_id: %d service: 
%d action: %d addr: %s", + p_result[0].config_id, + p_result[0].service_id, + (unsigned char)p_result[0].action, + printaddr(&a_stream->addr, thread_seq) + ); + +} + +static void copy_intercept_result(struct streaminfo *a_stream, struct master_context *context, struct Maat_rule_t *p_result, struct identify_info *identify_info, int thread_seq) +{ + int ret=0; + policy_priority_label_t *priority_label=NULL; + + priority_label=(policy_priority_label_t *)dictator_malloc(thread_seq, sizeof(policy_priority_label_t)); + + priority_label->result_num=1; + priority_label->result_type=PULL_KNI_RESULT; + priority_label->proto=identify_info->proto; + priority_label->domain_len=identify_info->domain_len; + memcpy(priority_label->domain, identify_info->domain, identify_info->domain_len); + memcpy(priority_label->result, p_result, sizeof(struct Maat_rule_t)); + + ret=project_req_add_struct(a_stream, g_tsg_para.priority_project_id, (void *)priority_label); + if(ret<0) + { + free_policy_label(thread_seq, (void *)priority_label); + MESA_handle_runtime_log(g_tsg_para.logger, + RLOG_LV_FATAL, + "PROJECT_ADD", + "Add policy_priority_label failed, intercept policy, policy_id: %d action: %d addr: %s", + priority_label->result[0].config_id, + (unsigned char)priority_label->result[0].action, + printaddr(&a_stream->addr, thread_seq) + ); + } + + MESA_handle_runtime_log(g_tsg_para.logger, + RLOG_LV_DEBUG, + "INTERCEPT", + "Hit intercept policy, policy_id: %d action: %d addr: %s", + priority_label->result[0].config_id, + (unsigned char)priority_label->result[0].action, + printaddr(&a_stream->addr, thread_seq) + ); + + return ; +} + +static void copy_deny_result(struct streaminfo *a_stream, struct master_context *context, struct Maat_rule_t *p_result, int thread_seq) +{ + if(context->result==NULL) + { + context->hit_cnt=1; + context->result=(struct Maat_rule_t *)dictator_malloc(thread_seq, sizeof(struct Maat_rule_t)); + + memcpy(context->result, p_result, sizeof(struct Maat_rule_t)); + } + else 
+ { + context->hit_cnt=1; + memcpy(context->result, p_result, sizeof(struct Maat_rule_t)); + } + + MESA_handle_runtime_log(g_tsg_para.logger, + RLOG_LV_DEBUG, + "DENY", + "Hit deny policy, policy_id: %d service: %d action: %d addr: %s", + p_result[0].config_id, + p_result[0].service_id, + (unsigned char)p_result[0].action, + printaddr(&a_stream->addr, thread_seq) + ); + + return ; +} + + +static void copy_bypass_result(struct streaminfo *a_stream, struct master_context *context, struct Maat_rule_t *p_result, int thread_seq) +{ + if(context->result==NULL) + { + context->hit_cnt=1; + context->result=(struct Maat_rule_t *)dictator_malloc(thread_seq, sizeof(struct Maat_rule_t)); + + memcpy(context->result, p_result, sizeof(struct Maat_rule_t)); + } + else + { + if(context->result[0].action==TSG_ACTION_BYPASS) + { + if(p_result->config_id>context->result[0].config_id) + { + context->hit_cnt=1; + memcpy(&(context->result[0]), p_result, sizeof(struct Maat_rule_t)); + } + } + else // hit monitor + { + context->hit_cnt=1; + memcpy(context->result, p_result, sizeof(struct Maat_rule_t)); + } + } + + MESA_handle_runtime_log(g_tsg_para.logger, + RLOG_LV_DEBUG, + "ALLOW", + "Hit allow policy, policy_id: %d service: %d action: %d addr: %s", + p_result[0].config_id, + p_result[0].service_id, + (unsigned char)p_result[0].action, + printaddr(&a_stream->addr, thread_seq) + ); + + return ; +} + +void close_stream_free_context(struct streaminfo *a_stream, struct master_context *context, int thread_seq) +{ + struct identify_info identify_info; + + if(context!=NULL) + { + if(context->hit_cnt>0 && context->result!=NULL) + { + memset(&identify_info, 0, sizeof(identify_info)); + identify_info.proto=context->proto; + if(context->domain_len>0) + { + memcpy(identify_info.domain, context->domain, context->domain_len); + identify_info.domain_len=context->domain_len; + } + master_send_log(a_stream, context->result, context->hit_cnt, &identify_info, thread_seq); + } + + if(context->result!=NULL) + 
{ + dictator_free(thread_seq, (void *)context->result); + context->result=NULL; + } + + if(context->mid!=NULL) + { + Maat_clean_status(&context->mid); + context->mid=NULL; + } + + dictator_free(thread_seq, (void *)context); + context=NULL; + } + + return ; +} + +void set_session_attribute_label(struct streaminfo *a_stream, enum TSG_ATTRIBUTE_TYPE type, void *value, int thread_seq) +{ + struct timespec tv; + unsigned long long create_time=0; + int ret=0,size=sizeof(create_time); + struct _ssl_ja3_info_t *ja3_info=NULL; + struct _session_attribute_label_t *attribute_label=NULL; + + attribute_label=(struct _session_attribute_label_t *)project_req_get_struct(a_stream, g_tsg_para.internal_project_id); + if(attribute_label==NULL) + { + attribute_label=(struct _session_attribute_label_t *)calloc(1, sizeof(struct _session_attribute_label_t)); + memset(attribute_label, 0, sizeof(struct _session_attribute_label_t)); + + ret=project_req_add_struct(a_stream, g_tsg_para.internal_project_id, (const void *)attribute_label); + if(ret<0) + { + MESA_handle_runtime_log(g_tsg_para.logger, + RLOG_LV_FATAL, + "PROJECT_ADD", + "Add internal_label failed, establish latency ms: %llu proto: %d addr: %s", + attribute_label->establish_latency_ms, + attribute_label->proto, + printaddr(&a_stream->addr, thread_seq) + ); + } + } + + switch(type) + { + case TSG_ATTRIBUTE_TYPE_ESTABLISH_LATECY: + ret=MESA_get_stream_opt(a_stream, MSO_STREAM_CREATE_TIMESTAMP_MS, (void *)&create_time, &size); + if(ret>=0) + { + clock_gettime(CLOCK_REALTIME, &tv); + attribute_label->establish_latency_ms=tv.tv_sec*1000+tv.tv_nsec/1000/1000 - create_time; + } + break; + case TSG_ATTRIBUTE_TYPE_PROTOCOL: + attribute_label->proto=(tsg_protocol_t)(*(int *)value); + break; + case TSG_ATTRIBUTE_TYPE_JA3_HASH: + ja3_info=ssl_get_ja3_fingerprint(a_stream, (unsigned char *)a_stream->ptcpdetail->pdata, (unsigned int)a_stream->ptcpdetail->datalen, a_stream->threadnum); + if(ja3_info!=NULL) + { + if(attribute_label!=NULL && 
ja3_info->fp!=NULL && ja3_info->fp_len>0) + { + attribute_label->ja3_fingerprint=(char *)dictator_malloc(a_stream->threadnum, ja3_info->fp_len+1); + memcpy(attribute_label->ja3_fingerprint, ja3_info->fp, ja3_info->fp_len); + attribute_label->ja3_fingerprint[ja3_info->fp_len]='\0'; + } + } + break; + default: + break; + } + + return ; +} + +char *tsg_schema_index2string(tsg_protocol_t proto) +{ + char *schema_field_value=NULL; + + switch(proto) + { + case PROTO_HTTP: + schema_field_value=(char *)"HTTP"; + break; + case PROTO_SSL: + schema_field_value=(char *)"SSL"; + break; + case PROTO_DNS: + schema_field_value=(char *)"DNS"; + break; + case PROTO_FTP: + schema_field_value=(char *)"FTP"; + break; + case PROTO_BGP: + schema_field_value=(char *)"BGP"; + break; + case PROTO_SIP: + schema_field_value=(char *)"SIP"; + break; + case PROTO_MAIL: + schema_field_value=(char *)"MAIL"; + break; + case PROTO_STREAMING_MEDIA: + schema_field_value=(char *)"STREAMING_MEDIA"; + break; + case PROTO_QUIC: + schema_field_value=(char *)"QUIC"; + break; + case PROTO_SSH: + schema_field_value=(char *)"SSH"; + break; + case PROTO_IMAP: + schema_field_value=(char *)"IMAP"; + break; + case PROTO_POP3: + schema_field_value=(char *)"POP3"; + break; + case PROTO_SMTP: + schema_field_value=(char *)"SMTP"; + break; + case PROTO_RTP: + schema_field_value=(char *)"RTP"; + break; + case PROTO_APP: + schema_field_value=(char *)"APP"; + break; + default: + break; + } + + return schema_field_value; +} + int tsg_set_device_id_to_telegraf(char *device_sn) { char buff[128]={0}; @@ -340,7 +691,7 @@ int tsg_set_device_id_to_telegraf(char *device_sn) return -1; } -static void free_session_attribute_label(int thread_seq, void *project_req_value) +static void free_session_attribute_labell(int thread_seq, void *project_req_value) { struct _session_attribute_label_t *label=(struct _session_attribute_label_t *)project_req_value; 
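Review bot: `copy_intercept_result` frees `priority_label` through `free_policy_label` when `project_req_add_struct` fails and then reads `priority_label->result[0]` in the FATAL log, and once more in the unconditional DEBUG "Hit intercept policy" log below it, which is a use-after-free on the error path. Log first, then release, then leave: move `free_policy_label(thread_seq, (void *)priority_label);` below the FATAL `MESA_handle_runtime_log` call and follow it with `return;`. `set_session_attribute_label` has the mirror problem: when its `project_req_add_struct` fails the freshly calloc'ed label is neither released nor retrievable, yet the switch that follows still writes into it, so the update is lost and the block leaks (the `memset` right after `calloc` is also redundant). `copy_bypass_result` logs `TSG_ACTION_BYPASS` hits under the tag "ALLOW" / "Hit allow policy"; if bypass and allow are the same thing in this module, a comment saying so would spare the next reader a search.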
@@ -393,7 +744,7 @@ static void free_session_attribute_label(int thread_seq, void *project_req_value } } -static struct Maat_rule_t *tsg_policy_decision_criteria(struct streaminfo *a_stream, Maat_rule_t *result, int result_num, struct _identify_info *identify_info, int thread_seq) +struct Maat_rule_t *tsg_policy_decision_criteria(struct streaminfo *a_stream, Maat_rule_t *result, int result_num, struct identify_info *identify_info, int thread_seq) { int i=0,ret=0; Maat_rule_t tmp_result; @@ -530,7 +881,7 @@ static struct Maat_rule_t *tsg_policy_decision_criteria(struct streaminfo *a_str return p_result; } -static int identify_application_protocol(struct streaminfo *a_stream, struct _identify_info *identify_info, struct _session_attribute_label_t *attribute_label, void *a_packet) +static int identify_application_protocol(struct streaminfo *a_stream, struct identify_info *identify_info, void *a_packet) { int ret=0; identify_info->proto = PROTO_UNKONWN; @@ -578,31 +929,6 @@ static int identify_application_protocol(struct streaminfo *a_stream, struct _id } ssl_chello_free(chello); - - struct _ssl_ja3_info_t *ja3_info=NULL; - ja3_info=ssl_get_ja3_fingerprint(a_stream, (unsigned char *)a_stream->ptcpdetail->pdata, (unsigned int)a_stream->ptcpdetail->datalen, a_stream->threadnum); - if(ja3_info!=NULL) - { - if(ja3_info->sni==NULL || ja3_info->sni_len<=0) - { - identify_info->domain_len = 0; - } - else - { - identify_info->domain_len = strnlen(ja3_info->sni, sizeof(identify_info->domain) - 1); - strncpy(identify_info->domain, ja3_info->sni, identify_info->domain_len); - } - - if(attribute_label!=NULL && ja3_info->fp!=NULL && ja3_info->fp_len>0) - { - attribute_label->ja3_fingerprint=(char *)dictator_malloc(a_stream->threadnum, ja3_info->fp_len+1); - memcpy(attribute_label->ja3_fingerprint, ja3_info->fp, ja3_info->fp_len); - attribute_label->ja3_fingerprint[ja3_info->fp_len]='\0'; - } - - return 1; - } - return 1; } 
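Review bot: `tsg_policy_decision_criteria` loses `static` here, but no header in this diff gains a prototype for it, and because tsg_entry.cpp is C++ the symbol gets C++ linkage unless it is declared `extern "C"` the way `TSG_MASTER_TCP_ENTRY` is; any caller in another translation unit (none is visible here) needs a matching declaration. If the export is intended, add `struct Maat_rule_t *tsg_policy_decision_criteria(struct streaminfo *a_stream, Maat_rule_t *result, int result_num, struct identify_info *identify_info, int thread_seq);` beside `tsg_fetch_deny_rule` in inc/tsg_rule.h with the linkage the callers expect; if it is not, keep the function `static`. The function body lies outside the hunk.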
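Review bot: The block removed in hunk @@ -578,31 +929,6 @@ was the only code in `identify_application_protocol` that filled `identify_info->domain`/`domain_len` from the TLS SNI, and the replacement JA3 handling in `set_session_attribute_label` stores only the fingerprint, not the SNI. Unless the `if(identify_info.proto==PROTO_SSL)` branch of `TSG_MASTER_TCP_ENTRY`, which is cut off at the end of this diff, repopulates the domain, SSL sessions would reach the policy scans with an empty domain and silently stop matching SNI-based rules. A one-line comment after `ssl_chello_free(chello);` stating where the SNI is now copied into `identify_info->domain` would make the new division of labour explicit. The enclosing function starts and ends outside the hunk.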
@@ -702,477 +1028,295 @@ static int identify_application_protocol(struct streaminfo *a_stream, struct _id return ret; } -extern "C" char TSG_MASTER_TCP_ENTRY(struct streaminfo *a_tcp, void **pme, int thread_seq,void *a_packet) +int scan_application_protocol(struct streaminfo *a_stream, struct master_context *context, struct Maat_rule_t *result, int result_num, scan_status_t *mid, int thread_seq) { - int i=0,ret=0,hit_num=0; - struct timespec tv; + int proto_id=0; + char *l7_protocol=NULL; + + proto_id=get_basic_proto_id(a_stream, context, thread_seq); + if(proto_id>0) + { + l7_protocol=tsg_l7_protocol_id2name(g_tsg_log_instance, proto_id); + if(l7_protocol==NULL && proto_id==g_tsg_para.mail_proto_id) + { + l7_protocol=(char *)"MAIL"; + } + + return tsg_scan_app_id_policy(g_tsg_maat_feather, a_stream, result, result_num, mid, l7_protocol, proto_id, thread_seq); + } + + return 0; +} + +int scan_application_id_and_properties(struct streaminfo *a_stream, struct master_context *context, struct Maat_rule_t *result, int result_num, scan_status_t *mid, int thread_seq) +{ + int hit_num=0; + char app_id_buff[32]={0}; + struct app_id_label *app_id_label=NULL; + struct app_id_dict_table *dict=NULL; + + app_id_label=get_app_id_label(a_stream, context, thread_seq); + if(app_id_label!=NULL) + { + snprintf(app_id_buff, sizeof(app_id_buff), "%d", app_id_label->app_id); + dict=(struct app_id_dict_table *)Maat_plugin_get_EX_data(g_tsg_maat_feather, g_tsg_para.table_id[TABLE_APP_ID_DICT], (const char *)app_id_buff); + if(dict!=NULL) + { + hit_num+=tsg_scan_app_properties_policy(g_tsg_maat_feather, a_stream, result+hit_num, result_num-hit_num, mid, dict->risk, (char *)"risk", thread_seq); + hit_num+=tsg_scan_app_properties_policy(g_tsg_maat_feather, a_stream, result+hit_num, result_num-hit_num, mid, dict->category, (char *)"category", thread_seq); + hit_num+=tsg_scan_app_properties_policy(g_tsg_maat_feather, a_stream, result+hit_num, result_num-hit_num, mid, dict->technology, (char 
*)"technology", thread_seq); + hit_num+=tsg_scan_app_properties_policy(g_tsg_maat_feather, a_stream, result+hit_num, result_num-hit_num, mid, dict->subcategroy, (char *)"subcategroy", thread_seq); + hit_num+=tsg_scan_app_properties_policy(g_tsg_maat_feather, a_stream, result+hit_num, result_num-hit_num, mid, dict->characteristics, (char *)"characteristics", thread_seq); + + if(dict->continue_scanning==APP_SCAN_FLAG_STOP) + { + context->continue_scan_app_id=APP_SCAN_FLAG_STOP; + } + + hit_num+=tsg_scan_app_id_policy(g_tsg_maat_feather, a_stream, result+hit_num, result_num-hit_num, mid, dict->app_name, app_id_label->app_id, thread_seq); + } + else + { + hit_num+=tsg_scan_app_id_policy(g_tsg_maat_feather, a_stream, result+hit_num, result_num-hit_num, mid, (char *)"", app_id_label->app_id, thread_seq); + } + } + + return hit_num; +} + +extern "C" char TSG_MASTER_TCP_ENTRY(struct streaminfo *a_tcp, void **pme, int thread_seq,void *a_packet) +{ + int opt_value=0; + int ret=0,hit_num=0; int state=APP_STATE_GIVEME; - scan_status_t mid=NULL; Maat_rule_t *p_result=NULL; - //Maat_rule_t *q_result=NULL; - struct _identify_info identify_info; - Maat_rule_t all_result[MAX_RESULT_NUM]; - policy_priority_label_t *priority_label=NULL; - struct _master_context *_context=(struct _master_context *)*pme; - struct _session_attribute_label_t *internal_label=NULL; - unsigned long long create_time=0; - int size=sizeof(create_time); + struct identify_info identify_info; + Maat_rule_t result[MAX_RESULT_NUM]; + struct rst_tcp_para rst_paras; + struct compile_user_region *user_region=NULL; + int method_type=TSG_METHOD_TYPE_UNKNOWN; + struct master_context *context=(struct master_context *)*pme; + + if(*pme==NULL) + { + init_context(pme, thread_seq); + context=(struct master_context *)*pme; + } + switch(a_tcp->opstate) { case OP_STATE_PENDING: - FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_TCP_LINKS], 0, FS_OP_ADD, 1); - - internal_label=(struct _session_attribute_label_t 
*)dictator_malloc(thread_seq, sizeof(struct _session_attribute_label_t)); - memset(internal_label, 0, sizeof(struct _session_attribute_label_t)); + FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_TCP_LINKS], 0, FS_OP_ADD, 1); + set_session_attribute_label(a_tcp, TSG_ATTRIBUTE_TYPE_ESTABLISH_LATECY, NULL, thread_seq); - memset(&identify_info, 0, sizeof(identify_info)); - identify_application_protocol(a_tcp, &identify_info, internal_label, a_packet); - internal_label->proto=identify_info.proto; - - ret=MESA_get_stream_opt(a_tcp, MSO_STREAM_CREATE_TIMESTAMP_MS, (void *)&create_time, &size); - if(ret>=0) - { - clock_gettime(CLOCK_REALTIME, &tv); - internal_label->establish_latency_ms=tv.tv_sec*1000+tv.tv_nsec/1000/1000 - create_time; - } - - ret=project_req_add_struct(a_tcp, g_tsg_para.internal_project_id, (const void *)internal_label); - if(ret<0) - { - MESA_handle_runtime_log(g_tsg_para.logger, - RLOG_LV_FATAL, - "PROJECT_ADD", - "Add internal_label failed, establish latency ms: %llu proto: %d addr: %s", - internal_label->establish_latency_ms, - internal_label->proto, - (g_tsg_para.leveladdr, thread_seq) : "") - ); - } - else - { - MESA_handle_runtime_log(g_tsg_para.logger, - RLOG_LV_DEBUG, - "PROJECT_ADD", - "Add internal_label successfully, establish latency ms: %llu proto: %d addr: %s", - internal_label->establish_latency_ms, - internal_label->proto, - (g_tsg_para.leveladdr, thread_seq) : "") - ); - } - - ret=tsg_scan_nesting_addr(g_tsg_maat_feather, a_tcp, identify_info.proto, &mid, all_result+hit_num, MAX_RESULT_NUM-hit_num); + ret=tsg_scan_nesting_addr(g_tsg_maat_feather, a_tcp, identify_info.proto, &context->mid, result+hit_num, MAX_RESULT_NUM-hit_num); if(ret>0) { hit_num+=ret; FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_HIT_ADDR], 0, FS_OP_ADD, 1); } - - if(identify_info.proto==PROTO_HTTP || identify_info.proto==PROTO_SSL) - { - ret=tsg_scan_shared_policy(g_tsg_maat_feather, &identify_info, all_result+hit_num, 
MAX_RESULT_NUM-hit_num, &mid, thread_seq); - if(ret>0) - { - FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_HIT_SHARE], 0, FS_OP_ADD, 1); - MESA_handle_runtime_log(g_tsg_para.logger, - RLOG_LV_DEBUG, - "SCAN_FQDN", - "Hit %s: %s policy_id: %d service: %d action: %d addr: %s", - (identify_info.proto==PROTO_HTTP) ? "host" : "sni", - identify_info.domain, - all_result[hit_num].config_id, - all_result[hit_num].service_id, - (unsigned char)all_result[hit_num].action, - (g_tsg_para.leveladdr, thread_seq) : "") - ); - - hit_num+=ret; - } - else - { - MESA_handle_runtime_log(g_tsg_para.logger, - RLOG_LV_DEBUG, - "SCAN_FQDN", - "Not hit %s: %s ret: %d stream_dir: %d addr: %s", - (ret==-1) ? "NULL" : ((identify_info.proto==PROTO_HTTP) ? "host" : "sni"), - (ret==-1) ? "NULL" : identify_info.domain, - ret, - a_tcp->dir, - (g_tsg_para.leveladdr, thread_seq) : "") - ); - } - - if(strlen(identify_info.domain)>0 && identify_info.domain_len>0) - { - internal_label->fqdn_category_id_num=tsg_get_fqdn_category_id(g_tsg_maat_feather, - identify_info.domain, - internal_label->fqdn_category_id, - MAX_CATEGORY_ID_NUM, - g_tsg_para.logger, - thread_seq - ); - } - - for(i=0; ifqdn_category_id_num; i++) - { - int idx=identify_info.proto==PROTO_HTTP ? TABLE_HTTP_HOST : TABLE_SSL_SNI; - ret=Maat_scan_intval(g_tsg_maat_feather, - g_tsg_para.table_id[idx], - (unsigned int)internal_label->fqdn_category_id[i], - all_result+hit_num, - MAX_RESULT_NUM-hit_num, - &mid, - thread_seq - ); - if(ret>0) - { - MESA_handle_runtime_log(g_tsg_para.logger, - RLOG_LV_DEBUG, - "SCAN_FQDN_CAT", - "Hit %s: %s category_id: %d policy_id: %d service: %d action: %d addr: %s", - (identify_info.proto==PROTO_HTTP) ? 
"host" : "sni", - identify_info.domain, - internal_label->fqdn_category_id[i], - all_result[hit_num].config_id, - all_result[hit_num].service_id, - (unsigned char)all_result[hit_num].action, - (g_tsg_para.leveladdr, thread_seq) : "") - ); - hit_num+=ret; - } - else - { - MESA_handle_runtime_log(g_tsg_para.logger, - RLOG_LV_DEBUG, - "SCAN_FQDN_CAT", - "Not hit %s: %s category_id: %d ret: %d stream_dir: %d addr: %s", - (ret==-1) ? "NULL" : ((identify_info.proto==PROTO_HTTP) ? "host" : "sni"), - (ret==-1) ? "NULL" : identify_info.domain, - internal_label->fqdn_category_id[i], - ret, - a_tcp->dir, - (g_tsg_para.leveladdr, thread_seq) : "") - ); - } - } - } - - if(mid!=NULL) - { - Maat_clean_status(&mid); - mid=NULL; - } - p_result=tsg_policy_decision_criteria(a_tcp, all_result, hit_num, &identify_info, thread_seq); - - if(p_result!=NULL) + memset(&identify_info, 0, sizeof(identify_info)); + ret=identify_application_protocol(a_tcp, &identify_info, a_packet); + if(ret==1) { - switch((unsigned char)p_result->action) - { - case TSG_ACTION_DENY: - /* support block/alert(deny), Do action in fw_http_plug */ - break; - case TSG_ACTION_MONITOR: - break; - case TSG_ACTION_BYPASS: - init_context(pme, identify_info.proto, p_result, thread_seq); - if(identify_info.proto>PROTO_UNKONWN && identify_info.protodomain, identify_info.domain, identify_info.domain_len); - _context->domain_len=identify_info.domain_len; - } - - MESA_handle_runtime_log(g_tsg_para.logger, - RLOG_LV_DEBUG, - "ALLOW", - "Hit allow policy, policy_id: %d service: %d action: %d addr: %s", - p_result[0].config_id, - p_result[0].service_id, - (unsigned char)p_result[0].action, - (g_tsg_para.leveladdr, thread_seq) : "") - ); - - state=APP_STATE_GIVEME|APP_STATE_KILL_OTHER; - FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_BYPASS], 0, FS_OP_ADD, 1); - break; - case TSG_ACTION_INTERCEPT: - FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_INTERCEPT], 0, FS_OP_ADD, 1); - - 
priority_label=(policy_priority_label_t *)dictator_malloc(thread_seq, sizeof(policy_priority_label_t)); - - priority_label->result_num=1; - priority_label->result_type=PULL_KNI_RESULT; - priority_label->proto=identify_info.proto; - priority_label->domain_len=identify_info.domain_len; - memcpy(priority_label->domain, identify_info.domain, identify_info.domain_len); - memcpy(priority_label->result, p_result, sizeof(struct Maat_rule_t)); - - ret=project_req_add_struct(a_tcp, g_tsg_para.priority_project_id, (void *)priority_label); - if(ret<0) - { - free_policy_label(thread_seq, (void *)priority_label); - MESA_handle_runtime_log(g_tsg_para.logger, - RLOG_LV_FATAL, - "PROJECT_ADD", - "Add policy_priority_label failed, intercept policy, policy_id: %d action: %d addr: %s", - priority_label->result[0].config_id, - (unsigned char)priority_label->result[0].action, - (g_tsg_para.leveladdr, thread_seq) : "") - ); - } - - MESA_handle_runtime_log(g_tsg_para.logger, - RLOG_LV_DEBUG, - "INTERCEPT", - "Hit intercept policy, policy_id: %d action: %d addr: %s", - priority_label->result[0].config_id, - (unsigned char)priority_label->result[0].action, - (g_tsg_para.leveladdr, thread_seq) : "") - ); - return APP_STATE_DROPME|APP_STATE_KILL_OTHER; - break; - case TSG_ACTION_NONE: - default: - return APP_STATE_DROPME; - break; - } - } + copy_identify_info(context, &identify_info, thread_seq); + set_session_attribute_label(a_tcp, TSG_ATTRIBUTE_TYPE_PROTOCOL, (void *)(&identify_info.proto), thread_seq); - break; - case OP_STATE_DATA: - break; - case OP_STATE_CLOSE: - if(_context!=NULL) - { - if(_context->hit_cnt>0 && _context->result!=NULL) + if(identify_info.proto==PROTO_SSL) { - memset(&identify_info, 0, sizeof(identify_info)); - identify_info.proto=_context->proto; - if(_context->domain_len>0) - { - memcpy(identify_info.domain, _context->domain, _context->domain_len); - identify_info.domain_len=_context->domain_len; - } - master_send_log(a_tcp, _context->result, _context->hit_cnt, 
&identify_info, thread_seq); - free_context(pme, thread_seq); + set_session_attribute_label(a_tcp, TSG_ATTRIBUTE_TYPE_JA3_HASH, NULL, thread_seq); } + + hit_num+=tsg_scan_shared_policy(g_tsg_maat_feather, a_tcp, &identify_info, result+hit_num, MAX_RESULT_NUM-hit_num, &context->mid, thread_seq); } + break; default: break; } + if(context->proto==PROTO_UNKONWN || context->proto>PROTO_APP) /* support block/alert(deny), Do action in fw_http_plug */ + { + context->proto=PROTO_APP; + hit_num+=scan_application_protocol(a_tcp, context, result+hit_num, MAX_RESULT_NUM-hit_num, &context->mid, thread_seq); + } + + hit_num+=scan_application_id_and_properties(a_tcp, context, result+hit_num, MAX_RESULT_NUM-hit_num, &context->mid, thread_seq); + p_result=tsg_policy_decision_criteria(a_tcp, result, hit_num, &identify_info, thread_seq); + if(p_result!=NULL) + { + switch((unsigned char)p_result->action) + { + case TSG_ACTION_DENY: + if((context->result!=NULL && context->result[0].action==TSG_ACTION_BYPASS) || (context->proto!=PROTO_APP)) + { + break; + } + + user_region=(struct compile_user_region *)Maat_rule_get_ex_data(g_tsg_maat_feather, p_result, g_tsg_para.table_id[TABLE_SECURITY_COMPILE]); + if(user_region!=NULL) + { + atomic_dec(&user_region->ref_cnt); + method_type=tsg_get_method_id(user_region->method); + + switch(method_type) + { + case TSG_METHOD_TYPE_DROP: + opt_value=1; + MESA_set_stream_opt(a_tcp, MSO_DROP_STREAM, (void *)&opt_value, sizeof(opt_value)); + MESA_set_stream_opt(a_tcp, MSO_TIMEOUT, (void *)&g_tsg_para.timeout, sizeof(g_tsg_para.timeout)); + state=APP_STATE_DROPPKT|APP_STATE_DROPME; + break; + case TSG_METHOD_TYPE_RESET: + rst_paras.rst_pkt_num=1; + rst_paras.signature_seed1=65535; + rst_paras.signature_seed2=13; + rst_paras.th_flags=4; + rst_paras.__pad_no_use=0; + MESA_rst_tcp(a_tcp, &rst_paras, sizeof(rst_paras)); + + opt_value=1; + MESA_set_stream_opt(a_tcp, MSO_TCP_RST_REMEDY, (void *)&opt_value, sizeof(opt_value)); + + if(g_tsg_para.depolyment_mode>0) + 
{ + opt_value=1; + MESA_set_stream_opt(a_tcp, MSO_DROP_STREAM, (void *)&opt_value, sizeof(opt_value)); + MESA_set_stream_opt(a_tcp, MSO_TIMEOUT, (void *)&g_tsg_para.timeout, sizeof(g_tsg_para.timeout)); + } + state=APP_STATE_DROPPKT|APP_STATE_DROPME; + break; + default: + break; + } + } + copy_deny_result(a_tcp, context, p_result, thread_seq); + break; + case TSG_ACTION_MONITOR: + copy_monitor_result(a_tcp, context, result, hit_num, thread_seq); + break; + case TSG_ACTION_BYPASS: + copy_bypass_result(a_tcp, context, p_result, thread_seq); + FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_BYPASS], 0, FS_OP_ADD, 1); + state=APP_STATE_GIVEME|APP_STATE_KILL_OTHER; + break; + case TSG_ACTION_INTERCEPT: + copy_intercept_result(a_tcp, context, p_result, &identify_info, thread_seq); + FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_INTERCEPT], 0, FS_OP_ADD, 1); + state=APP_STATE_DROPME|APP_STATE_KILL_OTHER; + break; + default: + break; + } + } + + if((a_tcp->opstate==OP_STATE_CLOSE) || (state&APP_STATE_DROPME)==APP_STATE_DROPME) + { + close_stream_free_context(a_tcp, context, thread_seq); + } + return state; } extern "C" char TSG_MASTER_UDP_ENTRY(struct streaminfo *a_udp, void **pme, int thread_seq,void *a_packet) { - int i=0,ret=0; - int hit_num=0; - scan_status_t mid=NULL; + int ret=0; + int hit_num=0; + int opt_value=0; int state=APP_STATE_GIVEME; Maat_rule_t *p_result=NULL; Maat_rule_t result[MAX_RESULT_NUM]={0}; - struct _identify_info identify_info; - struct _master_context *_context=(struct _master_context *)*pme; - struct _session_attribute_label_t *internal_label=NULL; + struct identify_info identify_info; + struct compile_user_region *user_region=NULL; + int method_type=TSG_METHOD_TYPE_UNKNOWN; + struct master_context *context=(struct master_context *)*pme; + if(*pme==NULL) + { + init_context(pme, thread_seq); + context=(struct master_context *)*pme; + } switch(a_udp->opstate) { case OP_STATE_PENDING: - 
FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_UDP_LINKS], 0, FS_OP_ADD, 1); - memset(&identify_info, 0, sizeof(identify_info)); - identify_application_protocol(a_udp, &identify_info, NULL, a_packet); - - internal_label=(struct _session_attribute_label_t *)dictator_malloc(thread_seq, sizeof(struct _session_attribute_label_t)); - memset(internal_label, 0, sizeof(struct _session_attribute_label_t)); - internal_label->proto=identify_info.proto; - - ret=project_req_add_struct(a_udp, g_tsg_para.internal_project_id, (const void *)internal_label); - if(ret<0) - { - MESA_handle_runtime_log(g_tsg_para.logger, - RLOG_LV_FATAL, - "PROJECT_ADD", - "Add internal_label failed, proto: %d addr: %s", - internal_label->proto, - (g_tsg_para.leveladdr, thread_seq) : "") - ); - } - else - { - MESA_handle_runtime_log(g_tsg_para.logger, - RLOG_LV_DEBUG, - "PROJECT_ADD", - "Add internal_label successfully, proto: %d addr: %s", - internal_label->proto, - (g_tsg_para.leveladdr, thread_seq) : "") - ); - } - - ret=tsg_scan_nesting_addr(g_tsg_maat_feather, a_udp, identify_info.proto, &mid, result, MAX_RESULT_NUM); + FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_UDP_LINKS], 0, FS_OP_ADD, 1); + ret=tsg_scan_nesting_addr(g_tsg_maat_feather, a_udp, identify_info.proto, &context->mid, result, MAX_RESULT_NUM); if(ret>0) { hit_num+=ret; FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_HIT_ADDR], 0, FS_OP_ADD, 1); } - if(PROTO_QUIC==identify_info.proto && identify_info.domain_len>0) + memset(&identify_info, 0, sizeof(identify_info)); + ret=identify_application_protocol(a_udp, &identify_info, a_packet); + if(ret==1) { - ret=tsg_scan_shared_policy(g_tsg_maat_feather, &identify_info, result+hit_num, MAX_RESULT_NUM-hit_num, &mid, thread_seq); - if(ret>0) - { - FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_HIT_SHARE], 0, FS_OP_ADD, 1); - MESA_handle_runtime_log(g_tsg_para.logger, - RLOG_LV_DEBUG, - "SCAN_QUIC_SNI", - "Hit %s: %s 
policy_id: %d service: %d action: %d addr: %s", - "QUIC SNI", - identify_info.domain, - result[hit_num].config_id, - result[hit_num].service_id, - (unsigned char)result[hit_num].action, - (g_tsg_para.leveladdr, thread_seq) : "") - ); - - hit_num+=ret; - } - else - { - MESA_handle_runtime_log(g_tsg_para.logger, - RLOG_LV_DEBUG, - "SCAN_QUIC_SNI", - "Not hit %s: %s stream_dir: %d addr: %s", - "QUIC SNI", - identify_info.domain, - a_udp->dir, - (g_tsg_para.leveladdr, thread_seq) : "") - ); - } - - if(strlen(identify_info.domain)>0 && identify_info.domain_len>0) - { - internal_label->fqdn_category_id_num=tsg_get_fqdn_category_id(g_tsg_maat_feather, - identify_info.domain, - internal_label->fqdn_category_id, - MAX_CATEGORY_ID_NUM, - g_tsg_para.logger, - thread_seq - ); - } - - for(i=0; ifqdn_category_id_num; i++) - { - ret=Maat_scan_intval(g_tsg_maat_feather, - g_tsg_para.table_id[TABLE_QUIC_SNI], - (unsigned int)internal_label->fqdn_category_id[i], - result+hit_num, - MAX_RESULT_NUM-hit_num, - &mid, - thread_seq - ); - if(ret>0) - { - MESA_handle_runtime_log(g_tsg_para.logger, - RLOG_LV_DEBUG, - "SCAN_FQDN_CAT", - "Hit %s: %s category_id: %d policy_id: %d service: %d action: %d addr: %s", - "QUIC SNI", - identify_info.domain, - internal_label->fqdn_category_id[i], - result[hit_num].config_id, - result[hit_num].service_id, - (unsigned char)result[hit_num].action, - (g_tsg_para.leveladdr, thread_seq) : "") - ); - hit_num+=ret; - } - else - { - MESA_handle_runtime_log(g_tsg_para.logger, - RLOG_LV_DEBUG, - "SCAN_FQDN_CAT", - "Not hit %s: %s category_id: %d ret: %d stream_dir: %d addr: %s", - (ret==-1) ? "NULL" : ((identify_info.proto==PROTO_HTTP) ? "host" : "sni"), - (ret==-1) ? 
"NULL" : identify_info.domain, - internal_label->fqdn_category_id[i], - ret, - a_udp->dir, - (g_tsg_para.leveladdr, thread_seq) : "") - ); - } - } - } - - if(mid!=NULL) - { - Maat_clean_status(&mid); - mid=NULL; - } - - p_result=tsg_policy_decision_criteria(a_udp, result, hit_num, NULL, thread_seq); - if(p_result!=NULL) - { - switch((unsigned char)p_result->action) - { - case TSG_ACTION_DENY: - break; - case TSG_ACTION_BYPASS: - init_context(pme, identify_info.proto, p_result, thread_seq); - if(identify_info.proto>PROTO_UNKONWN && identify_info.protodomain, identify_info.domain, identify_info.domain_len); - _context->domain_len=identify_info.domain_len; - } - - FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_BYPASS], 0, FS_OP_ADD, 1); - - MESA_handle_runtime_log(g_tsg_para.logger, - RLOG_LV_DEBUG, - "ALLOW", - "Hit allow policy, policy_id: %d service: %d action: %d addr: %s", - p_result[0].config_id, - p_result[0].service_id, - (unsigned char)p_result[0].action, - (g_tsg_para.leveladdr, thread_seq) : "") - ); - - state=APP_STATE_GIVEME|APP_STATE_KILL_OTHER; - break; - case TSG_ACTION_MONITOR: - break; - case TSG_ACTION_INTERCEPT: - case TSG_ACTION_MANIPULATE: - default: - return APP_STATE_DROPME; - break; - } - } - break; - case OP_STATE_DATA: - break; - case OP_STATE_CLOSE: - if(_context!=NULL) - { - if(_context->hit_cnt>0 && _context->result!=NULL) - { - memset(&identify_info, 0, sizeof(identify_info)); - identify_info.proto=_context->proto; - if(_context->domain_len>0) - { - memcpy(identify_info.domain, _context->domain, _context->domain_len); - identify_info.domain_len=_context->domain_len; - } - - master_send_log(a_udp, _context->result, _context->hit_cnt, &identify_info, thread_seq); - free_context(pme, thread_seq); - } + copy_identify_info(context, &identify_info, thread_seq); + set_session_attribute_label(a_udp, TSG_ATTRIBUTE_TYPE_PROTOCOL, (void *)&(identify_info.proto), thread_seq); + + hit_num+=tsg_scan_shared_policy(g_tsg_maat_feather, 
a_udp, &identify_info, result+hit_num, MAX_RESULT_NUM-hit_num, &context->mid, thread_seq); } break; default: break; } + + if(context->proto==PROTO_UNKONWN || context->proto>PROTO_APP) /* support block/alert(deny), Do action in fw_http_plug */ + { + context->proto=PROTO_APP; + hit_num+=scan_application_protocol(a_udp, context, result+hit_num, MAX_RESULT_NUM-hit_num, &context->mid, thread_seq); + } + hit_num+=scan_application_id_and_properties(a_udp, context, result+hit_num, MAX_RESULT_NUM-hit_num, &context->mid, thread_seq); + p_result=tsg_policy_decision_criteria(a_udp, result, hit_num, &identify_info, thread_seq); + if(p_result!=NULL) + { + switch((unsigned char)p_result->action) + { + case TSG_ACTION_DENY: + if((context->result!=NULL && context->result[0].action==TSG_ACTION_BYPASS) || (context->proto!=PROTO_APP)) /* support redirect, Do action in fw_dns_plug */ + { + break; + } + user_region=(struct compile_user_region *)Maat_rule_get_ex_data(g_tsg_maat_feather, p_result, g_tsg_para.table_id[TABLE_SECURITY_COMPILE]); + if(user_region!=NULL) + { + atomic_dec(&user_region->ref_cnt); + method_type=tsg_get_method_id(user_region->method); + + switch(method_type) + { + case TSG_METHOD_TYPE_DROP: + opt_value=1; + MESA_set_stream_opt(a_udp, MSO_DROP_STREAM, (void *)&opt_value, sizeof(opt_value)); + MESA_set_stream_opt(a_udp, MSO_TIMEOUT, (void *)&g_tsg_para.timeout, sizeof(g_tsg_para.timeout)); + state=APP_STATE_DROPPKT|APP_STATE_DROPME; + break; + default: + break; + } + } + copy_deny_result(a_udp, context, p_result, thread_seq); + break; + case TSG_ACTION_MONITOR: + copy_monitor_result(a_udp, context, result, hit_num, thread_seq); + break; + case TSG_ACTION_BYPASS: + copy_bypass_result(a_udp, context, p_result, thread_seq); + FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_BYPASS], 0, FS_OP_ADD, 1); + state=APP_STATE_GIVEME|APP_STATE_KILL_OTHER; + break; + case TSG_ACTION_INTERCEPT: + break; + default: + break; + } + } + + 
if((a_udp->opstate==OP_STATE_CLOSE) || (state&APP_STATE_DROPME)==APP_STATE_DROPME)
+ {
+ close_stream_free_context(a_udp, context, thread_seq);
+ }
 return state;
 }
@@ -1190,6 +1334,8 @@ extern "C" int TSG_MASTER_INIT()
 char identify_proto_name[MAX_STRING_LEN*4]={0};
 memset(&g_tsg_para, 0, sizeof(g_tsg_para));
+
+ get_depolyment_mode();
 MESA_load_profile_int_def(tsg_conffile, "SYSTEM","LOG_LEVEL", &g_tsg_para.level, RLOG_LV_FATAL);
 MESA_load_profile_string_def(tsg_conffile, "SYSTEM","LOG_PATH", g_tsg_para.log_path, sizeof(g_tsg_para.log_path), "tsglog/tsg_master");
@@ -1206,6 +1352,7 @@ extern "C" int TSG_MASTER_INIT()
 MESA_load_profile_int_def(tsg_conffile, "SYSTEM", "ENTRANCE_ID", &g_tsg_para.entrance_id, 0);
 MESA_load_profile_short_def(tsg_conffile, "SYSTEM", "TIMEOUT", (short *)&g_tsg_para.timeout, 300);
+ MESA_load_profile_int_def(tsg_conffile, "SYSTEM", "MAIL_PROTOCOL_ID",&(g_tsg_para.mail_proto_id), 110);
 MESA_load_profile_string_def(tsg_conffile, "SYSTEM", "DEVICE_ID_COMMAND", g_tsg_para.device_id_command, sizeof(g_tsg_para.device_id_command), NULL);
 g_tsg_para.device_id=get_device_id(g_tsg_para.device_id_command, g_tsg_para.entrance_id);
@@ -1238,7 +1385,7 @@ extern "C" int TSG_MASTER_INIT()
 }
 MESA_load_profile_string_def(tsg_conffile, "SYSTEM", "TSG_MASTER_INTERNAL_LABEL", label_buff, sizeof(label_buff), "TSG_MASTER_INTERNAL_LABEL");
- g_tsg_para.internal_project_id=project_producer_register(label_buff, PROJECT_VAL_TYPE_STRUCT, free_session_attribute_label);
+ g_tsg_para.internal_project_id=project_producer_register(label_buff, PROJECT_VAL_TYPE_STRUCT, free_session_attribute_labell);
 if(g_tsg_para.internal_project_id<0)
 {
 MESA_handle_runtime_log(g_tsg_para.logger,
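Review bot: The literal `110` used as the default for `MAIL_PROTOCOL_ID` duplicates the `MAIL_PROTO_ID 110` macro that the tsg_entry.h hunk of this same commit introduces, so the two values can drift apart without anyone noticing; pass the macro instead: `MESA_load_profile_int_def(tsg_conffile, "SYSTEM", "MAIL_PROTOCOL_ID",&(g_tsg_para.mail_proto_id), MAIL_PROTO_ID);`. A one-line comment on the new `mail_proto_id` field saying which numbering space the value belongs to would also help, since nothing here says whether it must agree with the `*_PROTO_ID` constants. TSG_MASTER_INIT begins and ends outside this hunk.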
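Review bot: `free_session_attribute_labell` on the new side reads as a typo of `free_session_attribute_label`, which the old side registered as the producer's free callback, and nothing in this diff defines a function with the doubled `l`. If it is a typo the build fails on an undefined symbol; if it is a deliberately different free routine its name should say how it differs from the old one, otherwise keep `g_tsg_para.internal_project_id=project_producer_register(label_buff, PROJECT_VAL_TYPE_STRUCT, free_session_attribute_label);`. TSG_MASTER_INIT continues outside the hunk on both sides.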
@@ -1250,6 +1397,30 @@ extern "C" int TSG_MASTER_INIT()
 );
 }
+ MESA_load_profile_string_def(tsg_conffile, "SYSTEM", "APP_ID_LABEL", label_buff, sizeof(label_buff), "APP_ID_LABEL");
+ g_tsg_para.app_id_project_id=project_producer_register(label_buff, PROJECT_VAL_TYPE_STRUCT, free_app_id_label);
+ if(g_tsg_para.app_id_project_id<0)
+ {
+ MESA_handle_runtime_log(g_tsg_para.logger,
+ RLOG_LV_FATAL,
+ "APP_ID_LABEL",
+ "project_customer_register is error, app_id_label: %s, please check etc/project.conf",
+ label_buff
+ );
+ }
+
+ MESA_load_profile_string_def(tsg_conffile, "SYSTEM", "L7_PROTO_LABEL", label_buff, sizeof(label_buff), "BASIC_PROTO_LABEL");
+ g_tsg_para.l7_proto_project_id=project_customer_register(label_buff, "struct");
+ if(g_tsg_para.l7_proto_project_id<0)
+ {
+ MESA_handle_runtime_log(g_tsg_para.logger,
+ RLOG_LV_FATAL,
+ "L7_PROTO_LABEL",
+ "project_customer_register is error, l7_proto_label: %s, please check etc/project.conf",
+ label_buff
+ );
+ }
+
 ret=tsg_rule_init(tsg_conffile, g_tsg_para.logger);
 if(ret<0)
 {
diff --git a/src/tsg_entry.h b/src/tsg_entry.h
index c5855e6..00ff800 100644
--- a/src/tsg_entry.h
+++ b/src/tsg_entry.h
@@ -24,8 +24,21 @@ typedef int atomic_t;
 #define MIN(a, b) (((a) < (b)) ? (a) : (b))
 #endif
+#define DNS_PROTO_ID 103
+#define FTP_PROTO_ID 104
+#define HTTP_PROTO_ID 106
+#define MAIL_PROTO_ID 110
+#define QUIC_PROTO_ID 119
+#define SIP_PROTO_ID 120
+#define SSL_PROTO_ID 126
+#define RTP_PROTO_ID 142
+
+#define APP_SCAN_FLAG_STOP 0
+#define APP_SCAN_FLAG_CONTINUE 1
+
 enum MASTER_TABLE{
- TABLE_IP_ADDR=0,
+ TABLE_SECURITY_COMPILE=0,
+ TABLE_IP_ADDR,
 TABLE_SUBSCRIBER_ID,
 TABLE_APP_ID,
 TABLE_HTTP_HOST,
@@ -43,6 +56,9 @@ enum MASTER_TABLE{
 TABLE_FQDN_CAT_ID,
 TABLE_FQDN_CAT_USER_DEFINED,
 TABLE_FQDN_CAT_BUILT_IN,
+ TABLE_APP_ID_DICT,
+ TABLE_SELECTOR_ID,
+ TABLE_SELECTOR_PROPERTIES,
 TABLE_MAX
 };
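Review bot: The APP_ID_LABEL failure message names the wrong call: the code invokes `project_producer_register`, but the log text says `project_customer_register is error, app_id_label: %s`, which sends whoever reads the log to the wrong API; change the string to `"project_producer_register is error, app_id_label: %s, please check etc/project.conf"`. The second block reads the `L7_PROTO_LABEL` key with the default `BASIC_PROTO_LABEL`; if the key and its default are meant to differ, a comment saying why saves the next reader a trip to project.conf. Both blocks log at `RLOG_LV_FATAL` and carry on, so a failed registration leaves `app_id_project_id` or `l7_proto_project_id` negative for every later lookup — the same shape as the existing internal-label handling just above, but worth a one-line comment if running degraded is the intent. TSG_MASTER_INIT continues outside the hunk on both sides.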
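Review bot: Inserting `TABLE_SECURITY_COMPILE=0` at the head of `enum MASTER_TABLE` renumbers every existing member; `table_id[]` and `table_name[]` are indexed by the enum so in-code use is unaffected, but anything that stores, logs or configures a numeric table index (I cannot see such a use from here) is now off by one, and appending the new member just before `TABLE_MAX` avoids the question entirely. The eight `*_PROTO_ID` defines and the two `APP_SCAN_FLAG_*` values are related integer constants and read better as two `enum`s (debugger-visible, block-scoped), with a one-line comment naming which numbering space the protocol ids come from, since nothing in the header says whether they must match an external table. `APP_SCAN_FLAG_STOP`/`APP_SCAN_FLAG_CONTINUE` likewise deserve a note naming the fields they are stored in, as the `master_context` hunk below adds `char continue_scan_*` flags without saying what values they take.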
@@ -65,6 +81,14 @@ enum TSG_FS2_TYPE{
 TSG_FS2_MAX
 };
+enum TSG_ATTRIBUTE_TYPE
+{
+ TSG_ATTRIBUTE_TYPE_ESTABLISH_LATECY=0,
+ TSG_ATTRIBUTE_TYPE_PROTOCOL,
+ TSG_ATTRIBUTE_TYPE_JA3_HASH,
+ _MAX_TSG_ATTRIBUTE_TYPE
+};
+
 struct _str2index
 {
 int index;
@@ -80,20 +104,29 @@ struct _fqdn_category_t
 char fqdn[MAX_DOAMIN_LEN/8];
 };
-struct _master_context
+struct master_context
 {
 tsg_protocol_t proto;
 int hit_cnt;
 int domain_len;
 char domain[MAX_DOAMIN_LEN];
 struct Maat_rule_t *result;
+
+ int app_id;
+ char continue_scan_app_id;
+ char continue_scan_proto_id;
+ unsigned short basic_proto_id;
+ char uuid_str[32];
+ scan_status_t mid;
 };
 #define _MAX_TABLE_NAME_LEN 64
 typedef struct _tsg_para
 {
- int level;
+ int level;
+ int mail_proto_id;
 unsigned short timeout;
+ unsigned short depolyment_mode;
 int app_id_table_type;
 int device_id;
 int entrance_id;
@@ -101,6 +134,8 @@ typedef struct _tsg_para
 int dyn_subscribe_ip_table_id; //TSG_DYN_SUBSCRIBER_IP
 int priority_project_id;
 int internal_project_id;
+ int l7_proto_project_id;
+ int app_id_project_id;
 int proto_flag; //tsg_protocol_t
 int fs2_field_id[TSG_FS2_MAX];
 char device_sn[MAX_DOAMIN_LEN/8];
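Review bot: `TSG_ATTRIBUTE_TYPE_ESTABLISH_LATECY` misspells "latency"; the enum is new in this commit, so renaming it to `TSG_ATTRIBUTE_TYPE_ESTABLISH_LATENCY` now costs nothing, whereas later it is an API rename for every caller of `set_session_attribute_label`. `_MAX_TSG_ATTRIBUTE_TYPE` begins with an underscore followed by an uppercase letter, a form reserved for the implementation; the header already uses that pattern (`_MAX_TABLE_NAME_LEN`), so this is a convention note rather than a blocker. A one-line comment per member stating what the `value` argument of `set_session_attribute_label` must point to would document the contract where it is declared — the entry functions in this commit pass `NULL` for the latency and JA3 types and the address of `identify_info.proto` for `TSG_ATTRIBUTE_TYPE_PROTOCOL`, which a reader cannot learn from the enum alone.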
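Review bot: `char uuid_str[32]` cannot hold a canonical textual UUID (36 characters plus the terminator), so if `uuid_str` is ever written in the dashed form the writer must truncate or overrun; either size it `char uuid_str[37];` or comment which shorter format it stores. `scan_status_t mid` now lives in the per-stream context instead of a per-call local, and the entry functions in this commit no longer call `Maat_clean_status` themselves, so the status has to be released in `close_stream_free_context` and zeroed by `init_context` — neither is in this diff, please confirm both. None of the six new fields carries a comment; `continue_scan_app_id` and `continue_scan_proto_id` are `char` flags whose legal values are presumably the new `APP_SCAN_FLAG_*` constants, and saying so at the declaration (`char continue_scan_app_id; /* APP_SCAN_FLAG_STOP|APP_SCAN_FLAG_CONTINUE */`) would make that checkable.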
@@ -199,12 +234,13 @@ typedef struct _tsg_statistic
 int tsg_statistic_init(const char *conffile, void *logger);
-int tsg_scan_shared_policy(Maat_feather_t maat_feather, struct _identify_info *identify_info, Maat_rule_t *result, int result_num, scan_status_t *mid, int thread_seq);
-
 void location_free_data(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp);
 void ASN_free_data(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp);
 void subscribe_id_free_data(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp);
 char *tsg_schema_index2string(tsg_protocol_t proto);
-
+struct Maat_rule_t *tsg_policy_decision_criteria(struct streaminfo *a_stream, Maat_rule_t *result, int result_num, struct _identify_info *identify_info, int thread_seq);
+int tsg_scan_shared_policy(Maat_feather_t maat_feather, struct streaminfo *a_stream, struct identify_info *identify_info, Maat_rule_t *result, int result_num, scan_status_t *mid, int thread_seq);
+int tsg_scan_app_id_policy(Maat_feather_t maat_feather, struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, scan_status_t *mid, char *name, unsigned int id, int thread_seq);
+int tsg_scan_app_properties_policy(Maat_feather_t maat_feather, struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, scan_status_t *mid, char *property, char *district, int thread_seq);
 #endif
diff --git a/src/tsg_rule.cpp b/src/tsg_rule.cpp
index 26f0d7d..0b36906 100644
--- a/src/tsg_rule.cpp
+++ b/src/tsg_rule.cpp
@@ -57,6 +57,7 @@ const struct _str2index g_tsg_proto_string[PROTO_MAX+1]={{PROTO_UNKONWN, 0, (cha
 {PROTO_IMAP, 5, (char *)"MAIL."},
 {PROTO_POP3, 5, (char *)"MAIL."},
 {PROTO_RTP, 4, (char *)"RTP."},
+ {PROTO_APP, 4, (char *)"APP."},
 {PROTO_MAX, 0, (char *)""}
 };
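Review bot: `tsg_policy_decision_criteria` is declared with `struct _identify_info *identify_info` while the re-declared `tsg_scan_shared_policy` one line below takes `struct identify_info *`; the entry functions in this commit declare `struct identify_info identify_info;` and pass `&identify_info` to both, so unless `_identify_info` is an alias of `identify_info` the first call cannot compile in C++, and if it is an alias the header should settle on one spelling, presumably `struct identify_info *identify_info`. `char *name`, `char *property` and `char *district` in the two new `tsg_scan_app_*_policy` prototypes should be `const char *` unless the scanners really write through them, which would also spare callers the `(char *)"..."` casts this file uses for literals. The header states no return-value contract for the new scanners; the `//return value: -1: failed, 0: not hit, >0: hit count` comment that tsg_rule.cpp carries for `tsg_scan_shared_policy` belongs on these prototypes too, because the entry functions now write `hit_num+=tsg_scan_shared_policy(...)` and a `-1` failure return would shrink `hit_num` and shift every later result pointer.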
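Review bot: The added `{PROTO_APP, 4, (char *)"APP."}` row only fits `g_tsg_proto_string[PROTO_MAX+1]` if `PROTO_APP` was also inserted into `tsg_protocol_t` ahead of `PROTO_MAX`, and that enum change is not in this diff; please confirm it landed, otherwise the initializer list is one element too long. The entry functions in this commit compare `context->proto>PROTO_APP`, which also assumes `PROTO_APP` is the last real protocol value before `PROTO_MAX`; whether lookups in this table are positional or search the `index` field is not visible here, but a comment on the enum stating that ordering dependency would make it explicit either way.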
@@ -458,6 +459,174 @@ void subscribe_id_free_data(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, vo return; } +static void app_id_dict_dup_data(int table_id, MAAT_PLUGIN_EX_DATA *to, MAAT_PLUGIN_EX_DATA *from, long argl, void* argp) +{ + struct app_id_dict_table *app_id_dict=(struct app_id_dict_table *)(*from); + + if(*from!=NULL) + { + atomic_inc(&app_id_dict->ref_cnt); + *to=*from; + } + return; +} + +static void app_id_dict_new_data(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp) +{ + void *logger=argp; + int ret=0; + + struct app_id_dict_table *app_id_dict=NULL; + app_id_dict=(struct app_id_dict_table *)calloc(1, sizeof(struct app_id_dict_table)); + + ret=sscanf(table_line, + "%d\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%d\t%d\t%d\t%d\t%d\t%d\t%d", + &app_id_dict->app_id, + app_id_dict->app_name, + app_id_dict->category, + app_id_dict->subcategroy, + app_id_dict->technology, + app_id_dict->risk, + app_id_dict->characteristics, + app_id_dict->depends_on_app_ids, + app_id_dict->implicitly_uses_app_ids, + &app_id_dict->deny_action, + &app_id_dict->continue_scanning, + &app_id_dict->tcp_timeout, + &app_id_dict->udp_timeout, + &app_id_dict->tcp_half_close, + &app_id_dict->tcp_time_wait, + &app_id_dict->is_valid); + if(ret!=16) + { + free(app_id_dict); + app_id_dict=NULL; + + MESA_handle_runtime_log(logger, + RLOG_LV_FATAL, + "APP_ID_DICT", + "Parse app_id_dict failed, ret: %d table_id: %d table_line: %s", + ret, + table_id, + table_line + ); + return; + } + + atomic_inc(&app_id_dict->ref_cnt); + eliminate_default_value(app_id_dict->app_name); + eliminate_default_value(app_id_dict->category); + eliminate_default_value(app_id_dict->subcategroy); + eliminate_default_value(app_id_dict->technology); + eliminate_default_value(app_id_dict->risk); + eliminate_default_value(app_id_dict->characteristics); + eliminate_default_value(app_id_dict->depends_on_app_ids); + 
eliminate_default_value(app_id_dict->implicitly_uses_app_ids); + + *ad=(MAAT_PLUGIN_EX_DATA)app_id_dict; + + return; +} + +void app_id_dict_free_data(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp) +{ + struct app_id_dict_table *app_id_dict=(struct app_id_dict_table *)(*ad); + + if(app_id_dict!=NULL) + { + atomic_dec(&app_id_dict->ref_cnt); + if(app_id_dict->ref_cnt<=0) + { + free(*ad); + *ad=NULL; + } + } + return; +} + +void security_compile_new(int idx, const struct Maat_rule_t* rule, const char* srv_def_large, MAAT_RULE_EX_DATA* ad, long argl, void *argp) +{ + int len=0; + cJSON *object=NULL, *item=NULL; + struct compile_user_region *user_region=NULL; + + if(rule!=NULL && srv_def_large!=NULL && strlen(srv_def_large)>2) + { + object=cJSON_Parse(srv_def_large); + if(object!=NULL) + { + user_region=(struct compile_user_region *)calloc(1, sizeof(struct compile_user_region)); + + item=cJSON_GetObjectItem(object, "method"); + if(item!=NULL) + { + len=MIN(strlen(item->valuestring), sizeof(user_region->method)-1); + memcpy(user_region->method, item->valuestring, len); + } + + item=cJSON_GetObjectItem(object, "protocol"); + if(item!=NULL) + { + len=MIN(strlen(item->valuestring), sizeof(user_region->protocol)-1); + memcpy(user_region->protocol, item->valuestring, len); + } + + item=cJSON_GetObjectItem(object, "message"); + if(item!=NULL) + { + len=strlen(item->valuestring)+1; + user_region->message=(char *)calloc(1, len); + memcpy(user_region->message, item->valuestring, len-1); + } + + item=cJSON_GetObjectItem(object, "code"); + if(item!=NULL) + { + user_region->code=item->valueint; + } + + item=cJSON_GetObjectItem(object, "html_profile"); + if(item!=NULL) + { + user_region->html_profile=item->valueint; + } + + atomic_inc(&user_region->ref_cnt); + + *ad=(MAAT_RULE_EX_DATA)user_region; + } + } + + return ; +} + +void security_compile_dup(int idx, MAAT_RULE_EX_DATA *to, MAAT_RULE_EX_DATA *from, long argl, void *argp) +{ + struct compile_user_region 
*user_region=(struct compile_user_region *)(*from); + if(user_region!=NULL) + { + atomic_inc(&user_region->ref_cnt); + *to=*from; + } +} + +void security_compile_free(int idx, const struct Maat_rule_t* rule, const char* srv_def_large, MAAT_RULE_EX_DATA* ad, long argl, void *argp) +{ + struct compile_user_region *user_region=(struct compile_user_region *)(*ad); + if(user_region!=NULL) + { + atomic_dec(&user_region->ref_cnt); + if((user_region->ref_cnt-1)<=0) + { + free(user_region->message); + user_region->message=NULL; + + free(*ad); + *ad=NULL; + } + } +} + static Maat_feather_t init_maat_feather(const char* conffile, char* instance_name, char *module, void *logger) { unsigned short redis_port = 0; @@ -584,7 +753,8 @@ int tsg_rule_init(const char* conffile, void *logger) MESA_load_profile_int_def(conffile, "MAAT","APP_ID_TABLE_TYPE", &g_tsg_para.app_id_table_type, 1); - MESA_load_profile_string_def(conffile, "MAAT", "PROFILE", maat_conffile, sizeof(maat_conffile), "./tsgconf/maat.conf"); + MESA_load_profile_string_def(conffile, "MAAT", "PROFILE", maat_conffile, sizeof(maat_conffile), "./tsgconf/maat.conf"); + MESA_load_profile_string_def(conffile, "MAAT", "SECURITY_COMPILE", g_tsg_para.table_name[TABLE_SECURITY_COMPILE], _MAX_TABLE_NAME_LEN, "TSG_SECURITY_COMPILE"); MESA_load_profile_string_def(conffile, "MAAT", "IP_ADDR_TABLE", g_tsg_para.table_name[TABLE_IP_ADDR], _MAX_TABLE_NAME_LEN, "TSG_SECURITY_ADDR"); MESA_load_profile_string_def(conffile, "MAAT", "SUBSCRIBER_ID_TABLE", g_tsg_para.table_name[TABLE_SUBSCRIBER_ID], _MAX_TABLE_NAME_LEN, "TSG_OBJ_SUBSCRIBER_ID"); MESA_load_profile_string_def(conffile, "MAAT", "APP_ID_TABLE", g_tsg_para.table_name[TABLE_APP_ID], _MAX_TABLE_NAME_LEN, "TSG_OBJ_APP_ID"); 
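Review bot: `security_compile_free` releases the region one holder too early: after `atomic_dec(&user_region->ref_cnt)` it tests `(user_region->ref_cnt-1)<=0`, so with `atomic_t` a plain `int` (tsg_entry.h) a region shared by two holders through `security_compile_dup` is freed when the first holder lets go, leaving the other with a dangling `*ad`; `app_id_dict_free_data` in this same hunk tests `ref_cnt<=0` after its decrement, and `if(user_region->ref_cnt<=0)` is what this function needs as well, unless Maat's ex-data contract counts differently (the entry functions also `atomic_dec` immediately after `Maat_rule_get_ex_data`, which I cannot reconcile from this diff). In `app_id_dict_new_data` every `%s` in the `sscanf` format is unbounded, so an over-long field in a table line overruns the fixed-size members of `app_id_dict_table` (their sizes are not in this diff); give each conversion a width one less than its destination (`%<FIELD_SIZE-1>s`, placeholder), and note that `%s` also stops at a space, so a property containing one desynchronises the remaining fields and the line is rejected by `ret!=16` rather than parsed. `security_compile_new` never calls `cJSON_Delete(object)`, so every compiled rule leaks the parsed tree, and it hands `item->valuestring` for `method`, `protocol` and `message` to `strlen` without checking it is non-NULL, which it is not when the JSON value is not a string; add `cJSON_Delete(object);` before the function leaves and guard each copy with `item->valuestring!=NULL`. Both `calloc` results (`app_id_dict`, `user_region`) are dereferenced unchecked, in contrast to the `sscanf` failure path a few lines down, which does handle its error.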
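Review bot: The new config key is `"SECURITY_COMPILE"` while every neighbouring table name in this block is read from a `*_TABLE` key (`IP_ADDR_TABLE`, `SUBSCRIBER_ID_TABLE`, `APP_ID_TABLE`); unless deployed configs already use the short form, `"SECURITY_COMPILE_TABLE"` keeps the section self-consistent and predictable for whoever edits tsg.conf next. The line also sits between the `PROFILE` load and the table-name loads, so a blank line or short comment separating the two groups would help. tsg_rule_init continues outside the hunk on both sides.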
@@ -608,6 +778,11 @@ int tsg_rule_init(const char* conffile, void *logger) MESA_load_profile_string_def(conffile, "MAAT", "FQDN_CAT_BUILT_IN_TABLE", g_tsg_para.table_name[TABLE_FQDN_CAT_BUILT_IN], _MAX_TABLE_NAME_LEN, "TSG_FQDN_CATEGORY_BUILT_IN"); MESA_load_profile_string_def(conffile, "MAAT", "FQDN_CAT_USER_DEFINED_TABLE", g_tsg_para.table_name[TABLE_FQDN_CAT_USER_DEFINED], _MAX_TABLE_NAME_LEN, "TSG_FQDN_CATEGORY_USER_DEFINED"); + MESA_load_profile_string_def(conffile, "MAAT", "APP_ID_DICT_TABLE", g_tsg_para.table_name[TABLE_APP_ID_DICT], _MAX_TABLE_NAME_LEN, "APP_ID_DICT"); + MESA_load_profile_string_def(conffile, "MAAT", "APP_ID_TABLE", g_tsg_para.table_name[TABLE_APP_ID], _MAX_TABLE_NAME_LEN, "TSG_OBJ_APP_ID"); + MESA_load_profile_string_def(conffile, "MAAT", "SELECTOR_ID_TABLE", g_tsg_para.table_name[TABLE_SELECTOR_ID], _MAX_TABLE_NAME_LEN, "APP_SELECTOR_ID"); + MESA_load_profile_string_def(conffile, "MAAT", "SELECTOR_PROPERTIES_TABLE", g_tsg_para.table_name[TABLE_SELECTOR_PROPERTIES], _MAX_TABLE_NAME_LEN, "APP_SELECTOR_PROPERTIES"); + //init static maat feather g_tsg_maat_feather=init_maat_feather(maat_conffile, (char *)"TSG_STATIC", (char *)"STATIC", logger); if(g_tsg_maat_feather==NULL) @@ -616,7 +791,23 @@ int tsg_rule_init(const char* conffile, void *logger) return -1; } - for(i=0; ithreadnum); + (int)cur_stream->threadnum); if(maat_ret>0) { MESA_handle_runtime_log(g_tsg_para.logger, 
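Review bot: The new `APP_ID_TABLE` load into `g_tsg_para.table_name[TABLE_APP_ID]` repeats, key and default `TSG_OBJ_APP_ID` included, the line that is already present as context in the preceding hunk, so the second read is dead work and a future edit to one of them would silently diverge; drop the duplicate. The remaining three loads (`APP_ID_DICT_TABLE`, `SELECTOR_ID_TABLE`, `SELECTOR_PROPERTIES_TABLE`) look right but, like the rest of the block, give no hint which Maat table kind each name must resolve to; a trailing comment such as `// app-id dictionary, see TABLE_APP_ID_DICT` on each would tie them to the new `MASTER_TABLE` members. tsg_rule_init continues outside the hunk on both sides.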
@@ -1176,43 +1386,43 @@ int tsg_scan_nesting_addr(Maat_feather_t maat_feather, const struct streaminfo * } } - internal_label=(struct _session_attribute_label_t *)project_req_get_struct(a_stream, g_tsg_para.internal_project_id); - if(internal_label==NULL) + attribute_label=(struct _session_attribute_label_t *)project_req_get_struct(a_stream, g_tsg_para.internal_project_id); + if(attribute_label==NULL) { - internal_label=(struct _session_attribute_label_t *)calloc(1, sizeof(struct _session_attribute_label_t)); - memset(internal_label, 0, sizeof(struct _session_attribute_label_t)); + attribute_label=(struct _session_attribute_label_t *)calloc(1, sizeof(struct _session_attribute_label_t)); + memset(attribute_label, 0, sizeof(struct _session_attribute_label_t)); } if(hit_numclient_location), (void **)&(internal_label->server_location)); - tsg_get_ip_location(a_stream, g_tsg_para.table_id[TABLE_LOCATION_BUILT_IN], (void **)&(internal_label->client_location), (void **)&(internal_label->server_location)); + tsg_get_ip_location(a_stream, g_tsg_para.table_id[TABLE_LOCATION_USER_DEFINED], (void **)&(attribute_label->client_location), (void **)&(attribute_label->server_location)); + tsg_get_ip_location(a_stream, g_tsg_para.table_id[TABLE_LOCATION_BUILT_IN], (void **)&(attribute_label->client_location), (void **)&(attribute_label->server_location)); - hit_num+=tsg_scan_ip_location(maat_feather, a_stream, internal_label->client_location, TABLE_SRC_LOCATION, mid, result+hit_num, result_num-hit_num); - hit_num+=tsg_scan_ip_location(maat_feather, a_stream, internal_label->server_location, TABLE_DST_LOCATION, mid, result+hit_num, result_num-hit_num); + hit_num+=tsg_scan_ip_location(maat_feather, a_stream, attribute_label->client_location, TABLE_SRC_LOCATION, mid, result+hit_num, result_num-hit_num); + hit_num+=tsg_scan_ip_location(maat_feather, a_stream, attribute_label->server_location, TABLE_DST_LOCATION, mid, result+hit_num, result_num-hit_num); } if(hit_numclient_asn), (void 
**)&(internal_label->server_asn)); - tsg_get_ip_asn(a_stream, g_tsg_para.table_id[TABLE_ASN_BUILT_IN], (void **)&(internal_label->client_asn), (void **)&(internal_label->server_asn)); + tsg_get_ip_asn(a_stream, g_tsg_para.table_id[TABLE_ASN_USER_DEFINED], (void **)&(attribute_label->client_asn), (void **)&(attribute_label->server_asn)); + tsg_get_ip_asn(a_stream, g_tsg_para.table_id[TABLE_ASN_BUILT_IN], (void **)&(attribute_label->client_asn), (void **)&(attribute_label->server_asn)); - hit_num+=tsg_scan_ip_asn(maat_feather, a_stream, internal_label->client_asn, TABLE_SRC_ASN, mid, result+hit_num, result_num-hit_num); - hit_num+=tsg_scan_ip_asn(maat_feather, a_stream, internal_label->server_asn, TABLE_DST_ASN, mid, result+hit_num, result_num-hit_num); + hit_num+=tsg_scan_ip_asn(maat_feather, a_stream, attribute_label->client_asn, TABLE_SRC_ASN, mid, result+hit_num, result_num-hit_num); + hit_num+=tsg_scan_ip_asn(maat_feather, a_stream, attribute_label->server_asn, TABLE_DST_ASN, mid, result+hit_num, result_num-hit_num); } if(hit_numclient_subscribe_id, &internal_label->server_subscribe_id); + tsg_get_subscribe_id(a_stream, &attribute_label->client_subscribe_id, &attribute_label->server_subscribe_id); - if(internal_label->client_subscribe_id!=NULL) + if(attribute_label->client_subscribe_id!=NULL) { maat_ret=Maat_full_scan_string(maat_feather, g_tsg_para.table_id[TABLE_SUBSCRIBER_ID], CHARSET_GBK, - internal_label->client_subscribe_id->subscribe_id, - strlen(internal_label->client_subscribe_id->subscribe_id), + attribute_label->client_subscribe_id->subscribe_id, + strlen(attribute_label->client_subscribe_id->subscribe_id), result+hit_num, &found_pos, result_num-hit_num, 
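Review bot: `attribute_label` is dereferenced straight after `calloc` with no NULL check, and the `memset` on the next line is redundant because `calloc` already zero-fills; since this commit rewrites both lines for the rename anyway, replacing the `memset` with a check that returns this function's failure value (its head and return convention are outside the hunk) fixes both at once. The paired `tsg_get_ip_location`/`tsg_get_ip_asn` calls consult the user-defined table first and the built-in table second into the same output pointers; if the second call only fills what the first left NULL, a one-line comment saying so would explain the ordering, and if it overwrites unconditionally the first call is wasted — not visible from here, so please confirm. tsg_scan_nesting_addr continues outside the hunk on both sides.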
@@ -1224,7 +1434,7 @@ int tsg_scan_nesting_addr(Maat_feather_t maat_feather, const struct streaminfo * RLOG_LV_DEBUG, "SCAN_SUBSCRIBER", "Hit source subscribe id: %s scan ret: %d policy_id: %d service: %d action: %d addr: %s", - internal_label->client_subscribe_id->subscribe_id, + attribute_label->client_subscribe_id->subscribe_id, maat_ret, result[hit_num].config_id, result[hit_num].service_id, @@ -1240,20 +1450,20 @@ int tsg_scan_nesting_addr(Maat_feather_t maat_feather, const struct streaminfo * RLOG_LV_DEBUG, "SCAN_SUBSCRIBER", "No hit source subscribe id: %s scan ret: %d addr: %s", - internal_label->client_subscribe_id->subscribe_id, + attribute_label->client_subscribe_id->subscribe_id, maat_ret, (g_tsg_para.leveladdr, a_stream->threadnum) : "") ); } } - if(internal_label->server_subscribe_id!=NULL) + if(attribute_label->server_subscribe_id!=NULL) { maat_ret=Maat_full_scan_string(maat_feather, g_tsg_para.table_id[TABLE_SUBSCRIBER_ID], CHARSET_GBK, - internal_label->server_subscribe_id->subscribe_id, - strlen(internal_label->server_subscribe_id->subscribe_id), + attribute_label->server_subscribe_id->subscribe_id, + strlen(attribute_label->server_subscribe_id->subscribe_id), result+hit_num, &found_pos, result_num-hit_num, @@ -1265,7 +1475,7 @@ int tsg_scan_nesting_addr(Maat_feather_t maat_feather, const struct streaminfo * RLOG_LV_DEBUG, "SCAN_SUBSCRIBER", "Hit dest subscribe id: %s scan ret: %d policy_id: %d service: %d action: %d addr: %s", - internal_label->server_subscribe_id->subscribe_id, + attribute_label->server_subscribe_id->subscribe_id, maat_ret, result[hit_num].config_id, result[hit_num].service_id, 
@@ -1281,7 +1491,7 @@ int tsg_scan_nesting_addr(Maat_feather_t maat_feather, const struct streaminfo * RLOG_LV_DEBUG, "SCAN_SUBSCRIBER", "No hit dest subscribe id: %s scan ret: %d addr: %s", - internal_label->server_subscribe_id->subscribe_id, + attribute_label->server_subscribe_id->subscribe_id, maat_ret, (g_tsg_para.leveladdr, a_stream->threadnum) : "") ); @@ -1289,7 +1499,7 @@ int tsg_scan_nesting_addr(Maat_feather_t maat_feather, const struct streaminfo * } } - ret=project_req_add_struct((struct streaminfo *)a_stream, g_tsg_para.internal_project_id, (void *)internal_label); + ret=project_req_add_struct((struct streaminfo *)a_stream, g_tsg_para.internal_project_id, (void *)attribute_label); if(ret<0) { MESA_handle_runtime_log(g_tsg_para.logger, @@ -1306,22 +1516,27 @@ int tsg_scan_nesting_addr(Maat_feather_t maat_feather, const struct streaminfo * //return value: -1: failed, 0: not hit, >0: hit count -int tsg_scan_shared_policy(Maat_feather_t maat_feather, struct _identify_info *identify_info, Maat_rule_t *result, int result_num, scan_status_t *mid, int thread_seq) +int tsg_scan_shared_policy(Maat_feather_t maat_feather, struct streaminfo *a_stream, struct identify_info *identify_info, Maat_rule_t *result, int result_num, scan_status_t *mid, int thread_seq) { - int ret=0,idx=0; - - if(identify_info->proto!=PROTO_UNKONWN && identify_info->domain_len>0) + char *field_name=NULL; + int i=0,ret=0,idx=0,hit_num=0; + struct _session_attribute_label_t *attribute_label=NULL; + + if(identify_info->proto!=PROTO_UNKONWN && strlen(identify_info->domain)>0 && identify_info->domain_len>0) { switch(identify_info->proto) { case PROTO_HTTP: idx=TABLE_HTTP_HOST; + field_name=(char *)"http_host"; break; case PROTO_SSL: idx=TABLE_SSL_SNI; + field_name=(char *)"ssl_sni"; break; case PROTO_QUIC: idx=TABLE_QUIC_SNI; + field_name=(char *)"quic_sni"; break; default: return 0; 
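Review bot: The new guard in `tsg_scan_shared_policy` calls `strlen(identify_info->domain)` before it tests `identify_info->domain_len>0`, so if `domain` is a pointer that may be NULL while `domain_len` is 0 (the hunk does not show whether it is an array or a pointer) the strlen runs on NULL before the length check can reject it. Testing the cheap length first and then the first byte avoids both the ordering hazard and the full string walk: `if(identify_info->proto!=PROTO_UNKONWN && identify_info->domain_len>0 && identify_info->domain[0]!='\0')`. The `field_name` strings added here are only consumed by the success log, while the failure log in the later hunk still hard-codes `"host"`/`"sni"` and so prints `"sni"` for QUIC; routing both logs through `field_name` keeps them consistent. The function body continues past this hunk.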
@@ -1339,9 +1554,95 @@ int tsg_scan_shared_policy(Maat_feather_t maat_feather, struct _identify_info *i mid, thread_seq ); + if(ret>0) + { + FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_HIT_SHARE], 0, FS_OP_ADD, 1); + MESA_handle_runtime_log(g_tsg_para.logger, + RLOG_LV_DEBUG, + "SCAN_FQDN", + "Hit %s: %s policy_id: %d service: %d action: %d addr: %s", + field_name, + identify_info->domain, + result[hit_num].config_id, + result[hit_num].service_id, + (unsigned char)result[hit_num].action, + printaddr(&a_stream->addr, thread_seq) + ); + + hit_num+=ret; + } + else + { + MESA_handle_runtime_log(g_tsg_para.logger, + RLOG_LV_DEBUG, + "SCAN_FQDN", + "Not hit %s: %s ret: %d stream_dir: %d addr: %s", + (ret==-1) ? "NULL" : ((identify_info->proto==PROTO_HTTP) ? "host" : "sni"), + (ret==-1) ? "NULL" : identify_info->domain, + ret, + a_stream->dir, + printaddr(&a_stream->addr, thread_seq) + ); + } + + ret=project_req_add_struct(a_stream, g_tsg_para.internal_project_id, (const void *)attribute_label); + if(ret>0) + { + attribute_label->fqdn_category_id_num=tsg_get_fqdn_category_id(g_tsg_maat_feather, + identify_info->domain, + attribute_label->fqdn_category_id, + MAX_CATEGORY_ID_NUM, + g_tsg_para.logger, + thread_seq + ); + + + for(i=0; ifqdn_category_id_num; i++) + { + int idx=identify_info->proto==PROTO_HTTP ? TABLE_HTTP_HOST : TABLE_SSL_SNI; + ret=Maat_scan_intval(g_tsg_maat_feather, + g_tsg_para.table_id[idx], + (unsigned int)attribute_label->fqdn_category_id[i], + result+hit_num, + result_num-hit_num, + mid, + thread_seq + ); + if(ret>0) + { + MESA_handle_runtime_log(g_tsg_para.logger, + RLOG_LV_DEBUG, + "SCAN_FQDN_CAT", + "Hit %s: %s category_id: %d policy_id: %d service: %d action: %d addr: %s", + (identify_info->proto==PROTO_HTTP) ? 
"host" : "sni", + identify_info->domain, + attribute_label->fqdn_category_id[i], + result[hit_num].config_id, + result[hit_num].service_id, + (unsigned char)result[hit_num].action, + printaddr(&a_stream->addr, thread_seq) + ); + hit_num+=ret; + } + else + { + MESA_handle_runtime_log(g_tsg_para.logger, + RLOG_LV_DEBUG, + "SCAN_FQDN_CAT", + "Not hit %s: %s category_id: %d ret: %d stream_dir: %d addr: %s", + (ret==-1) ? "NULL" : ((identify_info->proto==PROTO_HTTP) ? "host" : "sni"), + (ret==-1) ? "NULL" : identify_info->domain, + attribute_label->fqdn_category_id[i], + ret, + a_stream->dir, + printaddr(&a_stream->addr, thread_seq) + ); + } + } + } } - return ret; + return hit_num; } 
@@ -1434,3 +1735,86 @@ int tsg_get_fqdn_category_id(Maat_feather_t maat_feather, char *fqdn, unsigned i return 0; } + +int tsg_scan_app_id_policy(Maat_feather_t maat_feather, struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, scan_status_t *mid, char *name, unsigned int id, int thread_seq) +{ + int ret=0; + + ret=Maat_scan_intval(maat_feather, g_tsg_para.table_id[TABLE_APP_ID], id, result, result_num, mid, thread_seq); + if(ret>0) + { + MESA_handle_runtime_log(g_tsg_para.logger, + RLOG_LV_DEBUG, + "SCAN_ID", + "Hit %s %s_id: %d ret: %d policy_id: %d service: %d action: %d addr: %s", + name, + (id>1000) ? "app" : "proto", + id, + ret, + result[0].config_id, + result[0].service_id, + result[0].action, + printaddr(&a_stream->addr, thread_seq) + ); + + return ret; + } + + MESA_handle_runtime_log(g_tsg_para.logger, + RLOG_LV_DEBUG, + "SCAN_ID", + "scan %s %s_id: %d ret: %d addr: %s", + name, + (id>1000) ? "app" : "proto", + id, + ret, + printaddr(&a_stream->addr, thread_seq) + ); + return 0; +} + +int tsg_scan_app_properties_policy(Maat_feather_t maat_feather, struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, scan_status_t *mid, char *property, char *district, int thread_seq) +{ + int i=0,ret=0; + int ret2=0, hit_num=0; + int district_len=strlen(district); + int property_len=strlen(property); + struct Maat_rule_t property_result[MAX_RESULT_NUM]={0}; + + if(property!=NULL && property_len>0 && district_len>0) + { + Maat_set_scan_status(g_tsg_maat_feather, mid, MAAT_SET_SCAN_DISTRICT, (void *)district, district_len); + ret=Maat_full_scan_string(g_tsg_maat_feather, g_tsg_para.table_id[TABLE_SELECTOR_PROPERTIES], CHARSET_UTF8, property, property_len, property_result, NULL, MAX_RESULT_NUM,mid,thread_seq); + for(i=0; i0) + { + MESA_handle_runtime_log(g_tsg_para.logger, + RLOG_LV_DEBUG, + "SCAN_ID", + "Hit selector_id: %d ret: %d policy_id: %d service: %d action: %d addr: %s", + property_result[i].config_id, + ret2, + 
result[0].config_id, + result[0].service_id, + result[0].action, + printaddr(&a_stream->addr, thread_seq) + ); + + hit_num+=ret2; + } + else + { + MESA_handle_runtime_log(g_tsg_para.logger, RLOG_LV_DEBUG, "SCAN_ID","Hit %s selector_id: %d ret: %d addr: %s", + property, property_result[i].config_id, ret2, printaddr(&a_stream->addr, thread_seq)); + } + } + + MESA_handle_runtime_log(g_tsg_para.logger, RLOG_LV_DEBUG, "SCAN_PROPERTY", "scan %s: %s ret: %d addr: %s", district, property, ret, printaddr(&a_stream->addr, thread_seq)); + } + + return hit_num; +} + + diff --git a/src/tsg_send_log.cpp b/src/tsg_send_log.cpp index f3b4cff..d59eba3 100644 --- a/src/tsg_send_log.cpp +++ b/src/tsg_send_log.cpp @@ -166,10 +166,10 @@ struct TLD_handle_t *TLD_create(int thread_id) static int set_l7_protocol(struct tsg_log_instance_t *_instance, struct TLD_handle_t *_handle, struct streaminfo *a_stream) { char *l7_protocol=NULL; - struct _basic_proto_label *l7_proto_label=NULL; + struct basic_proto_label *l7_proto_label=NULL; - l7_proto_label=(struct _basic_proto_label *)project_req_get_struct(a_stream, _instance->l7_proto_project_id); - if(l7_proto_label!=NULL && l7_proto_label->proto_id!=_instance->mail_proto_id) + l7_proto_label=(struct basic_proto_label *)project_req_get_struct(a_stream, g_tsg_para.l7_proto_project_id); + if(l7_proto_label!=NULL && l7_proto_label->proto_id!=g_tsg_para.mail_proto_id) { l7_protocol=tsg_l7_protocol_id2name(_instance, l7_proto_label->proto_id); if(l7_protocol!=NULL) 
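Review bot: In `tsg_scan_app_properties_policy` the initializers `int district_len=strlen(district);` and `int property_len=strlen(property);` run before the `property!=NULL` test, so a NULL `property` is dereferenced before the guard meant to reject it, and `district` is never NULL-checked at all. Making the lengths conditional keeps the guard meaningful: `int district_len=(district!=NULL) ? strlen(district) : 0;` and `int property_len=(property!=NULL) ? strlen(property) : 0;` (the existing `property!=NULL && property_len>0 && district_len>0` test can then stay as is). In `tsg_scan_app_id_policy` the `(id>1000) ? "app" : "proto"` split appears twice; a named constant with a comment explaining the id-range convention would document it better than a bare 1000. The success log inside the properties loop prints `result[0]` even after `hit_num` has grown, so if the per-selector scan writes at `result+hit_num` (that call is not legible here) it reports the first hit rather than the one just found — `result[hit_num]`, read before `hit_num+=ret2`, would match the pattern used in the scan-nesting hunks.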
@@ -245,17 +245,18 @@ int set_common_field_from_label(struct tsg_log_instance_t *_instance, struct TLD char buff[1024]={0}; int l7_protocol_flag=0; char *l7_protocol=NULL; + struct app_id_label *app_label=NULL; struct _location_info_t *location=NULL; - struct _session_attribute_label_t *internal_label=NULL; + struct _session_attribute_label_t *attribute_label=NULL; l7_protocol_flag=set_l7_protocol(_instance, _handle, a_stream); - internal_label=(struct _session_attribute_label_t *)project_req_get_struct(a_stream, _instance->internal_project_id); - if(internal_label!=NULL) + attribute_label=(struct _session_attribute_label_t *)project_req_get_struct(a_stream, _instance->internal_project_id); + if(attribute_label!=NULL) { if(l7_protocol_flag==0) { - l7_protocol=tsg_schema_index2string(internal_label->proto); + l7_protocol=tsg_schema_index2string(attribute_label->proto); if(l7_protocol!=NULL) { TLD_append(_handle, _instance->id2field[LOG_COMMON_L7_PROTOCOL].name, (void *)l7_protocol, TLD_TYPE_STRING); 
@@ -266,37 +267,37 @@ int set_common_field_from_label(struct tsg_log_instance_t *_instance, struct TLD } } - TLD_append(_handle, _instance->id2field[LOG_COMMON_ESTABLISH_LATENCY_MS].name, (void *)internal_label->establish_latency_ms, TLD_TYPE_LONG); + TLD_append(_handle, _instance->id2field[LOG_COMMON_ESTABLISH_LATENCY_MS].name, (void *)attribute_label->establish_latency_ms, TLD_TYPE_LONG); - if(internal_label->client_asn!=NULL) + if(attribute_label->client_asn!=NULL) { - snprintf(buff, sizeof(buff), "%s(%s)", internal_label->client_asn->asn, internal_label->client_asn->organization); + snprintf(buff, sizeof(buff), "%s(%s)", attribute_label->client_asn->asn, attribute_label->client_asn->organization); TLD_append(_handle, _instance->id2field[LOG_COMMON_CLINET_ASN].name, (void *)buff, TLD_TYPE_STRING); } - if(internal_label->server_asn!=NULL) + if(attribute_label->server_asn!=NULL) { - snprintf(buff, sizeof(buff), "%s(%s)", internal_label->server_asn->asn, internal_label->server_asn->organization); + snprintf(buff, sizeof(buff), "%s(%s)", attribute_label->server_asn->asn, attribute_label->server_asn->organization); TLD_append(_handle, _instance->id2field[LOG_COMMON_CLINET_ASN].name, (void *)buff, TLD_TYPE_STRING); } - if(internal_label->client_location!=NULL) + if(attribute_label->client_location!=NULL) { - location=internal_label->client_location; + location=attribute_label->client_location; snprintf(buff, sizeof(buff), "%s,%s,%s", location->city_full, location->province_full, location->country_full); TLD_append(_handle, _instance->id2field[LOG_COMMON_CLINET_LOCATION].name, (void *)buff, TLD_TYPE_STRING); } - if(internal_label->server_location!=NULL) + if(attribute_label->server_location!=NULL) { - location=internal_label->server_location; + location=attribute_label->server_location; snprintf(buff, sizeof(buff), "%s,%s,%s", location->city_full, location->province_full, location->country_full); TLD_append(_handle, _instance->id2field[LOG_COMMON_SERVER_LOCATION].name, 
(void *)buff, TLD_TYPE_STRING); } - if(internal_label->ja3_fingerprint!=NULL) + if(attribute_label->ja3_fingerprint!=NULL) { - TLD_append(_handle, _instance->id2field[LOG_SSL_JA3_FINGERPRINT].name, (void *)internal_label->ja3_fingerprint, TLD_TYPE_STRING); + TLD_append(_handle, _instance->id2field[LOG_SSL_JA3_FINGERPRINT].name, (void *)attribute_label->ja3_fingerprint, TLD_TYPE_STRING); } } else @@ -307,6 +308,13 @@ int set_common_field_from_label(struct tsg_log_instance_t *_instance, struct TLD } } + app_label=(struct app_id_label *)project_req_get_struct(a_stream, g_tsg_para.app_id_project_id); + if(app_label!=NULL) + { + TLD_append(_handle, _instance->id2field[LOG_COMMON_APP_ID].name, (void *)(long)app_label->app_id, TLD_TYPE_LONG); + TLD_append(_handle, _instance->id2field[LOG_COMMON_APP_SURROGATE_ID].name, (void *)(long)app_label->surrogate_id, TLD_TYPE_LONG); + } + return 0; } @@ -619,7 +627,6 @@ struct tsg_log_instance_t *tsg_sendlog_init(const char *conffile) MESA_load_profile_int_def(conffile, "TSG_LOG", "LOG_LEVEL",&(_instance->level), 30); MESA_load_profile_string_def(conffile, "TSG_LOG", "LOG_PATH", _instance->log_path, sizeof(_instance->log_path), "./tsglog/tsglog"); - MESA_load_profile_int_def(conffile, "TSG_LOG", "MAIL_PROTOCOL_ID",&(_instance->mail_proto_id), 110); MESA_load_profile_int_def(conffile, "TSG_LOG", "SEND_USER_REGION",&(_instance->send_user_region), 0); _instance->logger=MESA_create_runtime_log_handle(_instance->log_path, _instance->level); 
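Review bot: The `server_asn` branch appends under `_instance->id2field[LOG_COMMON_CLINET_ASN].name`, the same field the `client_asn` branch used a few lines earlier, so when both ASNs are known the server value overwrites or duplicates the client ASN in the log and no server-ASN field is ever emitted; the location pair right below it correctly uses `LOG_COMMON_CLINET_LOCATION` then `LOG_COMMON_SERVER_LOCATION`. This is an unchanged context line rather than part of the rename, but it is worth fixing here: `TLD_append(_handle, _instance->id2field[LOG_COMMON_SERVER_ASN].name, (void *)buff, TLD_TYPE_STRING);`, assuming a `LOG_COMMON_SERVER_ASN` entry exists in the field enum (the visible enum hunk does not show that region). Also `(void *)attribute_label->establish_latency_ms` casts an integer straight to a pointer while the new app-id hunk writes `(void *)(long)app_label->app_id`; using the same `(long)` intermediate here keeps the TLD_TYPE_LONG encoding consistent and avoids an int-to-pointer size warning.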
@@ -647,7 +654,6 @@ struct tsg_log_instance_t *tsg_sendlog_init(const char *conffile) MESA_load_profile_string_def(conffile, "TSG_LOG", "TCP_LABEL", _instance->tcp_label, sizeof(_instance->tcp_label), "tcp_flow_stat"); MESA_load_profile_string_def(conffile, "TSG_LOG", "UDP_LABEL", _instance->udp_label, sizeof(_instance->udp_label), "udp_flow_stat"); - MESA_load_profile_string_def(conffile, "TSG_LOG", "L7_PROTO_LABEL", _instance->l7_proto_label, sizeof(_instance->l7_proto_label), "BASIC_PROTO_LABEL"); _instance->tcp_flow_project_id=project_customer_register(_instance->tcp_label, "struct"); _instance->udp_flow_project_id=project_customer_register(_instance->udp_label, "struct"); @@ -662,17 +668,6 @@ struct tsg_log_instance_t *tsg_sendlog_init(const char *conffile) ); } - _instance->l7_proto_project_id=project_customer_register(_instance->l7_proto_label, "struct"); - if(_instance->l7_proto_project_id<0) - { - MESA_handle_runtime_log(_instance->logger, - RLOG_LV_FATAL, - "L7_PROTO_LABEL", - "project_customer_register is error, l7_proto_label: %s, please check etc/project.conf", - _instance->l7_proto_label - ); - } - MESA_load_profile_string_def(conffile, "TSG_LOG", "NIC_NAME", nic_name, sizeof(nic_name), "eth0"); ret=MESA_get_dev_ipv4(nic_name, (int *)&local_ip_nr); if(ret<0) diff --git a/src/tsg_send_log_internal.h b/src/tsg_send_log_internal.h index ba5b03b..19261f4 100644 --- a/src/tsg_send_log_internal.h +++ b/src/tsg_send_log_internal.h @@ -74,6 +74,7 @@ typedef enum _tsg_log_field_id LOG_COMMON_L7_PROTOCOL, LOG_COMMON_TCP_CLIENT_ISN, LOG_COMMON_TCP_SERVER_ISN, + LOG_COMMON_APP_SURROGATE_ID, LOG_COMMON_MAX }tsg_log_field_id_t; @@ -94,11 +95,9 @@ struct tsg_log_instance_t { int mode; int level; - int mail_proto_id; int max_service; int send_user_region; int recovery_interval; - int l7_proto_project_id; int internal_project_id; int tcp_flow_project_id; int udp_flow_project_id; 
@@ -108,7 +107,6 @@ struct tsg_log_instance_t char log_path[MAX_STRING_LEN*2]; char tcp_label[MAX_STRING_LEN]; char udp_label[MAX_STRING_LEN]; - char l7_proto_label[MAX_STRING_LEN]; char common_field_file[MAX_STRING_LEN*4]; char broker_list[MAX_STRING_LEN*4]; char send_queue_max_msg[MAX_STRING_LEN];