diff --git a/bin/tsg_static_tableinfo.conf b/bin/tsg_static_tableinfo.conf index d8505f0..aa7b90a 100644 --- a/bin/tsg_static_tableinfo.conf +++ b/bin/tsg_static_tableinfo.conf @@ -19,7 +19,7 @@ 7 TSG_OBJ_FQDN expr UTF8 UTF8 yes 0 7 TSG_OBJ_FQDN_CAT expr UTF8 UTF8 yes 0 8 TSG_OBJ_KEYWORDS expr UTF8 UTF8/GBK/windows-1251 yes 0 -9 TSG_OBJ_APP_ID expr UTF8 UTF8 yes 0 +9 TSG_OBJ_APP_ID intval UTF8 UTF8 yes 0 10 TSG_OBJ_HTTP_SIGNATURE expr_plus UTF8 UTF8/GBK yes 0 11 TSG_OBJ_AS_NUMBER expr UTF8 UTF8/GBK yes 0 12 TSG_OBJ_GEO_LOCATION expr UTF8 UTF8/GBK yes 0 diff --git a/inc/tsg_label.h b/inc/tsg_label.h index e402b33..5660373 100644 --- a/inc/tsg_label.h +++ b/inc/tsg_label.h @@ -20,6 +20,9 @@ typedef enum _tsg_protocol PROTO_STREAMING_MEDIA, PROTO_QUIC, PROTO_SSH, + PROTO_SMTP, + PROTO_IMAP, + PROTO_POP3, PROTO_MAX }tsg_protocol_t; diff --git a/src/tsg_entry.cpp b/src/tsg_entry.cpp index 2d561d0..c04bfb5 100644 --- a/src/tsg_entry.cpp +++ b/src/tsg_entry.cpp 
@@ -474,121 +474,146 @@ static int identify_application_protocol(struct streaminfo *a_stream, struct _id int ret=0; identify_info->proto = PROTO_UNKONWN; - - if(g_tsg_para.proto_flag&(1<ptcpdetail->pdata, (unsigned int)a_stream->ptcpdetail->datalen, a_stream->curdir, &host); - if(ret>=0) - { - identify_info->proto=PROTO_HTTP; - if(ret>0 && host!=NULL) - { - identify_info->domain_len=MIN(ret, (int)sizeof(identify_info->domain) - 1); - strncpy(identify_info->domain, host, identify_info->domain_len); - } - else - { - identify_info->domain_len=0; - } - return 1; - } - } - - if(g_tsg_para.proto_flag&(1<ptcpdetail->pdata, (unsigned int)a_stream->ptcpdetail->datalen, &chello_status); - if(chello_status==CHELLO_PARSE_SUCCESS) - { - identify_info->proto=PROTO_SSL; - if(chello->sni==NULL) + switch(a_stream->type) + { + case STREAM_TYPE_TCP: + if(g_tsg_para.proto_flag&(1<domain_len = 0; + char *host=NULL; + ret=http_host_parser((char *)a_stream->ptcpdetail->pdata, (unsigned int)a_stream->ptcpdetail->datalen, a_stream->curdir, &host); + if(ret>=0) + { + identify_info->proto=PROTO_HTTP; + if(ret>0 && host!=NULL) + { + identify_info->domain_len=MIN(ret, (int)sizeof(identify_info->domain) - 1); + strncpy(identify_info->domain, host, identify_info->domain_len); + } + else + { + identify_info->domain_len=0; + } + return 1; + } } - else + + if(g_tsg_para.proto_flag&(1<domain_len = strnlen(chello->sni, sizeof(identify_info->domain) - 1); - strncpy(identify_info->domain, chello->sni, identify_info->domain_len); + enum chello_parse_result chello_status = CHELLO_PARSE_INVALID_FORMAT; + struct ssl_chello *chello = NULL; + + chello=ssl_chello_parse((unsigned char *)a_stream->ptcpdetail->pdata, (unsigned int)a_stream->ptcpdetail->datalen, &chello_status); + if(chello_status==CHELLO_PARSE_SUCCESS) + { + identify_info->proto=PROTO_SSL; + if(chello->sni==NULL) + { + identify_info->domain_len = 0; + } + else + { + identify_info->domain_len = strnlen(chello->sni, sizeof(identify_info->domain) - 
1); + strncpy(identify_info->domain, chello->sni, identify_info->domain_len); + } + + ssl_chello_free(chello); + return 1; + } + + ssl_chello_free(chello); + } + + if(g_tsg_para.proto_flag&(1<0) + { + identify_info->proto=PROTO_FTP; + return 1; + } } - ssl_chello_free(chello); - return 1; - } - - ssl_chello_free(chello); - } - - if(g_tsg_para.proto_flag&(1<addr.addrtype) - { - case ADDR_TYPE_IPV4: - tpl4=a_stream->addr.tuple4_v4; - if((ntohs(tpl4->source)==53) || (ntohs(tpl4->dest)==53)) + if(g_tsg_para.proto_flag&(1<ptcpdetail->pdata, a_stream->ptcpdetail->datalen, a_stream->threadnum); + if(ret>0) { - identify_info->proto=PROTO_DNS; + switch(ret) + { + case SMTP_PROTOCOL: + identify_info->proto=PROTO_SMTP; + return 1; + break; + case POP3_PROTOCOL: + identify_info->proto=PROTO_POP3; + return 1; + break; + case IMAP_PROTOCOL: + identify_info->proto=PROTO_IMAP; + return 1; + break; + default: + break; + } + } + } + + break; + case STREAM_TYPE_UDP: + if(g_tsg_para.proto_flag&(1<addr.addrtype) + { + case ADDR_TYPE_IPV4: + tpl4=a_stream->addr.tuple4_v4; + if((ntohs(tpl4->source)==53) || (ntohs(tpl4->dest)==53)) + { + identify_info->proto=PROTO_DNS; + return 1; + } + break; + case ADDR_TYPE_IPV6: + tpl6=a_stream->addr.tuple4_v6; + if((ntohs(tpl6->source)==53) || (ntohs(tpl6->dest)==53)) + { + identify_info->proto=PROTO_DNS; + return 1; + } + break; + default: + break; + } + } + + if(g_tsg_para.proto_flag&(1<ptcpdetail->pdata, (unsigned int)a_stream->ptcpdetail->datalen,g_tsg_para.logger); + if(ret > 0) + { + identify_info->proto=PROTO_SSH; return 1; } - break; - case ADDR_TYPE_IPV6: - tpl6=a_stream->addr.tuple4_v6; - if((ntohs(tpl6->source)==53) || (ntohs(tpl6->dest)==53)) + } + + if(g_tsg_para.proto_flag&(1<domain, sizeof(identify_info->domain)); + if(ret>0) { - identify_info->proto=PROTO_DNS; + identify_info->proto=PROTO_QUIC; + identify_info->domain_len=ret; return 1; } - break; - default: - break; - } + } + break; + default: + break; } - 
if(g_tsg_para.proto_flag&(1<0) - { - identify_info->proto=PROTO_FTP; - return 1; - } - } - - if(g_tsg_para.proto_flag&(1<ptcpdetail->pdata, a_stream->ptcpdetail->datalen, a_stream->threadnum); - if(ret>=SMTP_PROTOCOL&& ret<=IMAP_PROTOCOL) - { - identify_info->proto=PROTO_MAIL; - return 1; - } - } - - if(g_tsg_para.proto_flag&(1<ptcpdetail->pdata, (unsigned int)a_stream->ptcpdetail->datalen,g_tsg_para.logger); - if(ret > 0) - { - identify_info->proto=PROTO_SSH; - return 1; - } - } - - if(g_tsg_para.proto_flag&(1<domain, sizeof(identify_info->domain)); - if(ret>0) - { - identify_info->proto=PROTO_QUIC; - identify_info->domain_len=ret; - return 1; - } - } return ret; } diff --git a/src/tsg_entry.h b/src/tsg_entry.h index d50d1fa..de3e5dc 100644 --- a/src/tsg_entry.h +++ b/src/tsg_entry.h @@ -87,6 +87,7 @@ struct _master_context typedef struct _tsg_para { unsigned short timeout; + int app_id_table_type; int device_id; int table_id[TABLE_MAX]; int dyn_subscribe_ip_table_id; //TSG_DYN_SUBSCRIBER_IP diff --git a/src/tsg_rule.cpp b/src/tsg_rule.cpp index e831099..012937e 100644 --- a/src/tsg_rule.cpp +++ b/src/tsg_rule.cpp @@ -53,6 +53,9 @@ const struct _str2index g_tsg_proto_string[PROTO_MAX+1]={{PROTO_UNKONWN, 0, (cha {PROTO_STREAMING_MEDIA, 16, (char *)"STREAMING_MEDIA."}, {PROTO_QUIC, 5, (char *)"QUIC."}, {PROTO_SSH, 4, (char *)"SSH."}, + {PROTO_SMTP, 5, (char *)"MAIL."}, + {PROTO_IMAP, 5, (char *)"MAIL."}, + {PROTO_POP3, 5, (char *)"MAIL."}, {PROTO_MAX, 0, (char *)""} }; 
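Review bot: The `PROTO_SSH` check now sits inside `case STREAM_TYPE_UDP:` but still passes `a_stream->ptcpdetail->pdata` and `a_stream->ptcpdetail->datalen` to the SSH parser, so SSH over TCP is no longer identified and the TCP detail pointer is dereferenced on a UDP stream. If `ptcpdetail` is null or shares storage with the UDP detail on such streams (not visible in this hunk), the parser is handed a buffer and length that do not describe the packet. Move that block up into `case STREAM_TYPE_TCP:` beside the FTP and MAIL checks. The port-53 DNS test is likewise reachable only for UDP now, so DNS over TCP falls through as unknown; confirm that is intended. The function begins above this hunk.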
@@ -93,6 +96,33 @@ static char* str_unescape(char* s) return s; } +static int proto_str2id(tsg_protocol_t proto) +{ + switch(proto) + { + case PROTO_TCP: return 100; + case PROTO_UDP: return 101; + case PROTO_HTTP: return 106; + case PROTO_IMAP: return 110; + case PROTO_POP3: return 116; + case PROTO_SMTP: return 122; + case PROTO_DNS: return 103; + case PROTO_FTP: return 104; + case PROTO_SSL: return 126; + case PROTO_SIP: return 120; + case PROTO_QUIC: return 119; + case PROTO_SSH: return 125; + case PROTO_IPv6: + case PROTO_IPv4: + case PROTO_STREAMING_MEDIA: + case PROTO_BGP: + default: + break; + } + + return 0; +} + static void eliminate_default_value(char *value) { if(value!=NULL && (memcmp(value, "null", 4))==0) @@ -126,7 +156,6 @@ void ASN_dup_data(int table_id, MAAT_PLUGIN_EX_DATA *to, MAAT_PLUGIN_EX_DATA *fr void ASN_new_data(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp) { - void *logger=argp; int ret=0,id=0,is_valid=0; struct _asn_info_t *asn=NULL; @@ -137,15 +166,6 @@ void ASN_new_data(int table_id, const char* key, const char* table_line, MAAT_PL { free(asn); asn=NULL; - - MESA_handle_runtime_log(logger, - RLOG_LV_FATAL, - "IP_ASN", - "Parse ip ASN failed, ret: %d table_id: %d table_line: %s", - ret, - table_id, - table_line - ); return; } @@ -284,20 +304,6 @@ void location_new_data(int table_id, const char* key, const char* table_line, MA location->table_id=table_id; *ad=(MAAT_PLUGIN_EX_DATA)location; - MESA_handle_runtime_log(logger, - RLOG_LV_DEBUG, - "IP_LOCATION", - "Add(table_id: %d) ip location: geoname_id: %d start_ip: %s end_ip: %s continent: %s country: %s province: %s city: %s ref_cnt: %d", - table_id, - location->geoname_id, - location->start_ip, - location->end_ip, - location->continent_full, - location->country_full, - location->province_full, - location->city_full, - location->ref_cnt - ); return; } 
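Review bot: `proto_str2id` takes a `tsg_protocol_t`, not a string, and returns bare literals (100, 101, 106, ...) whose origin is not stated, so a wrong or stale number here makes the `TSG_OBJ_APP_ID` scan miss silently. Rename it along the lines of `proto_to_app_id` and add a header comment such as `/* Map an identified protocol to the integer ID stored in TSG_OBJ_APP_ID; returns 0 when the protocol has no ID. Values must match the policy table. */`. The 0 sentinel matters to the caller: in the later `tsg_scan_nesting_addr` hunk the intval scan is skipped when 0 comes back, and the following `if(maat_ret > 0)` then tests whatever `maat_ret` held before. Set `maat_ret=0;` ahead of that branch unless it is already reset outside the visible lines.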
@@ -377,14 +383,6 @@ void subscribe_id_new_data(int table_id, const char* key, const char* table_line subscribe_id->table_id=table_id; *ad=(MAAT_PLUGIN_EX_DATA)subscribe_id; - MESA_handle_runtime_log(logger, - RLOG_LV_DEBUG, - "SUBSCRIBE_ID", - "Add(table_id: %d ) subscribe_id: %s ref_cnt: %d", - table_id, - subscribe_id->subscribe_id, - subscribe_id->ref_cnt - ); return; } @@ -513,6 +511,8 @@ int tsg_rule_init(const char* conffile, void *logger) char maat_conffile[256]={0}; char cb_subscriber_ip_table[32]={0}; + MESA_load_profile_int_def(conffile, "MAAT","APP_ID_TABLE_TYPE", &g_tsg_para.app_id_table_type, 1); + MESA_load_profile_string_def(conffile, "MAAT", "PROFILE", maat_conffile, sizeof(maat_conffile), "./tsgconf/maat_profile.conf"); MESA_load_profile_string_def(conffile, "MAAT", "IP_ADDR_TABLE", g_tsg_para.table_name[TABLE_IP_ADDR], _MAX_TABLE_NAME_LEN, "TSG_SECURITY_ADDR"); MESA_load_profile_string_def(conffile, "MAAT", "SUBSCRIBER_ID_TABLE", g_tsg_para.table_name[TABLE_SUBSCRIBER_ID], _MAX_TABLE_NAME_LEN, "TSG_OBJ_SUBSCRIBER_ID"); @@ -1014,16 +1014,35 @@ int tsg_scan_nesting_addr(Maat_feather_t maat_feather, const struct streaminfo * if(hit_numPROTO_UNKONWN && protothreadnum); + if(g_tsg_para.app_id_table_type==0) + { + maat_ret=Maat_full_scan_string(maat_feather, + g_tsg_para.table_id[TABLE_APP_ID], + CHARSET_GBK, + g_tsg_proto_string[proto].type, + strlen(g_tsg_proto_string[proto].type), + result+hit_num, + &found_pos, + result_num-hit_num, + mid, + a_stream->threadnum + ); + } + else + { + unsigned int proto_id=proto_str2id(proto); + if(proto_id>0) + { + maat_ret=Maat_scan_intval(maat_feather, + g_tsg_para.table_id[TABLE_APP_ID], + proto_id, + result+hit_num, + result_num-hit_num, + mid, + a_stream->threadnum + ); + } + } if(maat_ret > 0) { MESA_handle_runtime_log(g_tsg_para.logger,
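Review bot: `APP_ID_TABLE_TYPE` is loaded in `tsg_rule_init` with a default of 1 and is never range-checked, so any non-zero value, including a typo, selects the intval scan, and the meaning of 0 and 1 is not documented. The same commit declares `TSG_OBJ_APP_ID` as `intval` in `bin/tsg_static_tableinfo.conf`, so setting 0 would run `Maat_full_scan_string` against a table declared as intval, assuming that file is the one deployed. Add a comment such as `/* 0: TSG_OBJ_APP_ID is an expr table scanned by protocol name; 1 (default): intval table scanned by numeric app id */`, and log and fall back to the default when the loaded value is neither 0 nor 1. `tsg_rule_init` continues outside this hunk.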