diff --git a/inc/tsg_label.h b/inc/tsg_label.h index 52aa9f7..193836f 100644 --- a/inc/tsg_label.h +++ b/inc/tsg_label.h @@ -49,10 +49,12 @@ struct asn_info struct location_info { int ref_cnt; + int full_location_len; char *country_full; char *province_full; char *city_full; char *subdivision_addr; + char *full_location; }; struct subscribe_id_info diff --git a/inc/tsg_send_log.h b/inc/tsg_send_log.h index 517a5da..5951be8 100644 --- a/inc/tsg_send_log.h +++ b/inc/tsg_send_log.h @@ -53,5 +53,5 @@ int tsg_send_log(struct tsg_log_instance_t *instance, struct TLD_handle_t *handl unsigned long long tsg_get_stream_trace_id(const struct streaminfo *a_stream); const char *tsg_l7_protocol_id2name(unsigned int l7_protocol_id); -unsigned int tsg_l7_protocol_name2id(const char *l7_protocol_name); +unsigned int tsg_l7_protocol_name2id(const char *l7_protocol_name, unsigned int l7_protocol_name_len); diff --git a/src/tsg_action.cpp b/src/tsg_action.cpp index 850a34c..67a8608 100644 --- a/src/tsg_action.cpp +++ b/src/tsg_action.cpp @@ -1015,11 +1015,11 @@ unsigned char tsg_enforing_deny(const struct streaminfo *a_stream, struct maat_r if(protocol==PROTO_MAIL) { - app_id=tsg_l7_protocol_name2id(g_tsg_proto_name2id[PROTO_SMTP].name); + app_id=tsg_l7_protocol_name2id(g_tsg_proto_name2id[PROTO_SMTP].name, g_tsg_proto_name2id[PROTO_SMTP].len); } else { - app_id=tsg_l7_protocol_name2id(g_tsg_proto_name2id[protocol].name); + app_id=tsg_l7_protocol_name2id(g_tsg_proto_name2id[protocol].name, g_tsg_proto_name2id[protocol].len); } state=tsg_enforing_deny_application(a_stream, p_result, protocol, app_id, ACTION_RETURN_TYPE_APP, user_data); } diff --git a/src/tsg_entry.cpp b/src/tsg_entry.cpp index 1d37567..69613a1 100644 --- a/src/tsg_entry.cpp +++ b/src/tsg_entry.cpp 
@@ -637,7 +637,7 @@ int session_application_full_path_combine(struct gather_app_result *gather_resul int offset=0,combined_num=0; unsigned int combined_array[COMBINED_APP_ID_NUM]={0}; - if(gather_result->l7_protocol_num>=gather_result->l7_qm_engine_num) + if(gather_result->l7_protocol_num >= gather_result->l7_qm_engine_num) { combined_num+=copy_app_id(gather_result->l7_protocol, gather_result->l7_protocol_num, combined_array, COMBINED_APP_ID_NUM); } @@ -992,7 +992,7 @@ int session_app_gather_results_set_l7_protocol(const struct streaminfo *a_stream return 0; } - int app_id=tsg_l7_protocol_name2id(g_tsg_proto_name2id[protocol].name); + int app_id=tsg_l7_protocol_name2id(g_tsg_proto_name2id[protocol].name, g_tsg_proto_name2id[protocol].len); if(app_id>0) { gather_result->l7_protocol_num=1; 
@@ -1602,11 +1602,11 @@ size_t session_app_id_and_properties_scan(const struct streaminfo *a_stream, str struct app_id_dict *dict=(struct app_id_dict *)matched_rule_cites_app_id_dict(g_tsg_maat_feather, (long long)app_attribute[i].app_id); if(dict!=NULL) { - matched_cnt+=tsg_scan_app_properties_policy(a_stream, g_tsg_maat_feather, dict->risk, (char *)"risk", (srt_process_context->mid), matched_rules+matched_cnt, n_matched_rules-matched_cnt); - matched_cnt+=tsg_scan_app_properties_policy(a_stream, g_tsg_maat_feather, dict->category, (char *)"category", (srt_process_context->mid), matched_rules+matched_cnt, n_matched_rules-matched_cnt); - matched_cnt+=tsg_scan_app_properties_policy(a_stream, g_tsg_maat_feather, dict->technology, (char *)"technology", (srt_process_context->mid), matched_rules+matched_cnt, n_matched_rules-matched_cnt); - matched_cnt+=tsg_scan_app_properties_policy(a_stream, g_tsg_maat_feather, dict->subcategory, (char *)"subcategory", (srt_process_context->mid), matched_rules+matched_cnt, n_matched_rules-matched_cnt); - matched_cnt+=tsg_scan_app_properties_policy(a_stream, g_tsg_maat_feather, dict->characteristics, (char *)"characteristics", (srt_process_context->mid), matched_rules+matched_cnt, n_matched_rules-matched_cnt); + matched_cnt+=tsg_scan_app_properties_policy(a_stream, g_tsg_maat_feather, dict->risk, (int)dict->risk_len, (char *)"risk", 4, (srt_process_context->mid), matched_rules+matched_cnt, n_matched_rules-matched_cnt); + matched_cnt+=tsg_scan_app_properties_policy(a_stream, g_tsg_maat_feather, dict->category, (int)dict->category_len, (char *)"category", 8, (srt_process_context->mid), matched_rules+matched_cnt, n_matched_rules-matched_cnt); + matched_cnt+=tsg_scan_app_properties_policy(a_stream, g_tsg_maat_feather, dict->technology, (int)dict->technology_len, (char *)"technology", 10, (srt_process_context->mid), matched_rules+matched_cnt, n_matched_rules-matched_cnt); + matched_cnt+=tsg_scan_app_properties_policy(a_stream, 
g_tsg_maat_feather, dict->subcategory, (int)dict->subcategory_len, (char *)"subcategory", 11, (srt_process_context->mid), matched_rules+matched_cnt, n_matched_rules-matched_cnt); + matched_cnt+=tsg_scan_app_properties_policy(a_stream, g_tsg_maat_feather, dict->characteristics, (int)dict->characteristics_len, (char *)"characteristics", 15, (srt_process_context->mid), matched_rules+matched_cnt, n_matched_rules-matched_cnt); matched_cnt+=tsg_scan_app_id_policy(a_stream, g_tsg_maat_feather, app_attribute[i].app_id, (srt_process_context->mid), matched_rules+matched_cnt, n_matched_rules-matched_cnt); after_n_packets=dict->deny_app_para.after_n_packets; @@ -1711,7 +1711,7 @@ static unsigned char matched_security_rules_deal(const struct streaminfo *a_stre { if(srt_process_context->hited_para.matched_app_id==0) { - srt_process_context->hited_para.matched_app_id=tsg_l7_protocol_name2id(g_tsg_proto_name2id[srt_process_context->proto].name); + srt_process_context->hited_para.matched_app_id=tsg_l7_protocol_name2id(g_tsg_proto_name2id[srt_process_context->proto].name, g_tsg_proto_name2id[srt_process_context->proto].len); } srt_action_context_set_hitted_app_id(a_stream, srt_process_context->hited_para.matched_app_id, a_stream->threadnum); 
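Review bot: The district lengths passed to tsg_scan_app_properties_policy on the five rewritten lines (4, 8, 10, 11, 15) are hand-counted literals that will silently go stale the moment a district name is edited, and nothing in the hunk ties them to the string they describe. Deriving the length from the literal keeps the two together, e.g. `(char *)"risk", (int)(sizeof("risk") - 1),` and likewise for the other four; the same applies to `tsg_l7_protocol_name2id("ESNI", 4)` in the tsg_entry.cpp hunk at @@ -2008 on L6. The `(int)dict->risk_len` style arguments are only as safe as the dict fields they come from, which this hunk does not show. session_app_id_and_properties_scan starts and ends outside the hunk.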
@@ -1940,9 +1940,9 @@ int session_app_identify_result_cb(const struct streaminfo *a_stream, int bridge return 0; } - struct maat_rule rules[MAX_TSG_ALL_RESULT_NUM]={0}; + struct maat_rule rules[MAX_MATCHED_RULES_NUM]={0}; srt_process_context->last_scan_time=tsg_get_current_time_ms(); - size_t matched_cnt=session_app_id_and_properties_scan((struct streaminfo *)a_stream, rules, MAX_TSG_ALL_RESULT_NUM, srt_process_context, scan_app, scan_app_num, identify_result->origin, (int)a_stream->threadnum); + size_t matched_cnt=session_app_id_and_properties_scan((struct streaminfo *)a_stream, rules, MAX_MATCHED_RULES_NUM, srt_process_context, scan_app, scan_app_num, identify_result->origin, (int)a_stream->threadnum); srt_process_context->sync_cb_state=session_matched_rules_deal(a_stream, srt_process_context, rules, matched_cnt, NULL); return 0; @@ -1969,8 +1969,8 @@ int session_flags_identify_result_cb(const struct streaminfo *a_stream, int brid return 0; } - struct maat_rule rules[MAX_TSG_ALL_RESULT_NUM]={0}; - size_t matched_cnt=tsg_scan_session_flags(a_stream, g_tsg_maat_feather, srt_process_context->session_flag, (srt_process_context->mid), rules, MAX_TSG_ALL_RESULT_NUM); + struct maat_rule rules[MAX_MATCHED_RULES_NUM]={0}; + size_t matched_cnt=tsg_scan_session_flags(a_stream, g_tsg_maat_feather, srt_process_context->session_flag, (srt_process_context->mid), rules, MAX_MATCHED_RULES_NUM); srt_process_context->sync_cb_state=session_matched_rules_deal(a_stream, srt_process_context, rules, matched_cnt, NULL); return 0; 
@@ -2008,7 +2008,7 @@ size_t session_pending_state_deal(const struct streaminfo *a_stream, struct sess matched_cnt+=tsg_scan_fqdn_category_id(a_stream, g_tsg_maat_feather, srt_process_context->domain, table_idx, (srt_process_context->mid), matched_rules+matched_cnt, n_matched_rules-matched_cnt); if(srt_process_context->is_esni) { - unsigned int protocol_id=tsg_l7_protocol_name2id("ESNI"); + unsigned int protocol_id=tsg_l7_protocol_name2id("ESNI", 4); matched_cnt+=tsg_scan_app_id_policy(a_stream, g_tsg_maat_feather, protocol_id, (srt_process_context->mid), matched_rules+matched_cnt, n_matched_rules-matched_cnt); } @@ -2041,9 +2041,8 @@ static unsigned char tsg_master_data_entry(const struct streaminfo *a_stream, vo { size_t matched_cnt=0; unsigned char state=APP_STATE_GIVEME; - struct app_identify_result unknown_result; - int n_matched_rules=MAX_TSG_ALL_RESULT_NUM; - struct maat_rule matched_rules[MAX_TSG_ALL_RESULT_NUM]; + int n_matched_rules=MAX_MATCHED_RULES_NUM; + struct maat_rule matched_rules[MAX_MATCHED_RULES_NUM]; struct session_runtime_process_context *srt_process_context=(struct session_runtime_process_context *)*pme; if(*pme==NULL) @@ -2086,6 +2085,7 @@ static unsigned char tsg_master_data_entry(const struct streaminfo *a_stream, vo case OP_STATE_DATA: if(srt_process_context->is_app_link==FLAG_FALSE && (srt_process_context->deal_pkt_num++) == (g_tsg_para.identify_app_max_pkt_num+1)) { + struct app_identify_result unknown_result; unknown_result.app_id_num=1; unknown_result.surrogate_id[0]=0; unknown_result.origin=ORIGIN_UNKNOWN; 
@@ -2151,13 +2151,7 @@ static unsigned char tsg_master_data_entry(const struct streaminfo *a_stream, vo static unsigned char tsg_master_all_entry(const struct streaminfo *a_stream, unsigned char stream_state, void **pme, int thread_seq, const void *a_packet) { - int ret=0; - int eth_rawpkt_len=0; unsigned char state=APP_STATE_GIVEME; - size_t n_matched_rules=MAX_TSG_ALL_RESULT_NUM; - struct maat_rule matched_rules[MAX_TSG_ALL_RESULT_NUM]={0}; - struct maat_rule security_rules[MAX_RESULT_NUM]={0}; - struct maat_rule shaping_rules[MAX_RESULT_NUM]={0}; struct session_runtime_action_context *srt_action_context=(struct session_runtime_action_context *)(*pme); if(stream_state==OP_STATE_PENDING && srt_action_context->method_type!=TSG_METHOD_TYPE_SHUNT && !(srt_action_context->udp_data_dropme)) @@ -2169,9 +2163,12 @@ static unsigned char tsg_master_all_entry(const struct streaminfo *a_stream, uns } struct maat_state *scan_mid=maat_state_new(g_tsg_maat_feather, thread_seq); + size_t n_matched_rules=MAX_MATCHED_RULES_NUM; + struct maat_rule matched_rules[MAX_MATCHED_RULES_NUM]; int matched_cnt=tsg_scan_nesting_addr(a_stream, g_tsg_maat_feather, PROTO_UNKONWN, scan_mid, matched_rules, n_matched_rules); if(matched_cnt>0) { + struct maat_rule security_rules[MAX_RESULT_NUM]; int n_security_rules=tsg_select_rules_by_service_id(matched_rules, matched_cnt, security_rules, MAX_RESULT_NUM, TSG_SERVICE_SECURITY); if(n_security_rules>0) { 
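Review bot: `matched_rules` and `security_rules` lose their `={0}` initialisers when they move into the block after `maat_state_new`, and `s_chaining_rules` loses its initialiser in the next hunk (@@ -2179 on L8), while `shaping_rules` is declared without one. That is only safe if tsg_scan_nesting_addr and tsg_select_rules_by_service_id fully write every entry they count and no caller reads past `matched_cnt`/`n_*`; I cannot confirm either from the hunk, so if in doubt keep `={0}` on any array whose `[0]` can be read on a zero-count path. Dropping the zeroing of large stack arrays is a reasonable cost saving, but it deserves a one-line comment stating that the scan/select functions own every entry they report. tsg_master_all_entry continues past the end of this hunk.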
@@ -2179,13 +2176,14 @@ static unsigned char tsg_master_all_entry(const struct streaminfo *a_stream, uns state=matched_security_rules_deal(a_stream, srt_process_context, security_rules, n_security_rules, a_packet, thread_seq); } - struct maat_rule s_chaining_rules[MAX_RESULT_NUM]={0}; + struct maat_rule s_chaining_rules[MAX_RESULT_NUM]; size_t n_s_chaining_rules=tsg_select_rules_by_service_id(matched_rules, matched_cnt, s_chaining_rules, MAX_RESULT_NUM, TSG_SERVICE_CHAINING); if(state==APP_STATE_GIVEME && n_s_chaining_rules>0) { matched_service_chaining_rules_deal(a_stream, s_chaining_rules, n_s_chaining_rules, thread_seq); } + struct maat_rule shaping_rules[MAX_RESULT_NUM]; size_t n_shaping_rules=tsg_select_rules_by_service_id(matched_rules, matched_cnt, shaping_rules, MAX_RESULT_NUM, TSG_SERVICE_SHAPING); if(state==APP_STATE_GIVEME && n_shaping_rules>0) { @@ -2200,16 +2198,17 @@ static unsigned char tsg_master_all_entry(const struct streaminfo *a_stream, uns switch(srt_action_context->method_type) { case TSG_METHOD_TYPE_RATE_LIMIT: - eth_rawpkt_len=get_raw_packet_len(a_stream); - if(eth_rawpkt_len<=0) { - break; - } - - ret=is_permit_pass(eth_rawpkt_len*8, srt_action_context->bucket, thread_seq); - if(ret==0) - { - state|=APP_STATE_GIVEME|APP_STATE_DROPPKT; + int eth_rawpkt_len=get_raw_packet_len(a_stream); + if(eth_rawpkt_len<=0) + { + break; + } + + if((is_permit_pass(eth_rawpkt_len*8, srt_action_context->bucket, thread_seq))==0) + { + state|=APP_STATE_GIVEME|APP_STATE_DROPPKT; + } } break; case TSG_METHOD_TYPE_TAMPER: 
@@ -2219,41 +2218,48 @@ static unsigned char tsg_master_all_entry(const struct streaminfo *a_stream, uns } break; case TSG_METHOD_TYPE_DEFAULT: - if(!is_do_default_policy(a_stream, srt_action_context->default_policy_after_n_packets) || stream_state==OP_STATE_CLOSE) { - break; - } - - if(get_default_policy(&security_rules[0])) - { - state=tsg_enforing_deny(a_stream, &security_rules[0], PROTO_UNKONWN, ACTION_RETURN_TYPE_TCPALL, a_packet); - session_matched_rules_notify(a_stream, TSG_SERVICE_SECURITY, &security_rules[0], 1, thread_seq); + if(!is_do_default_policy(a_stream, srt_action_context->default_policy_after_n_packets) || stream_state==OP_STATE_CLOSE) + { + break; + } + + struct maat_rule default_rules; + if(get_default_policy(&default_rules)) + { + state=tsg_enforing_deny(a_stream, &default_rules, PROTO_UNKONWN, ACTION_RETURN_TYPE_TCPALL, a_packet); + session_matched_rules_notify(a_stream, TSG_SERVICE_SECURITY, &default_rules, 1, thread_seq); + } } break; case TSG_METHOD_TYPE_DROP: case TSG_METHOD_TYPE_APP_DROP: - // contain hited current packet, platform calls tcp first and tcpall secondary. - if(((srt_action_context->hited_para.after_n_packets > 0) && a_stream->type==STREAM_TYPE_TCP) || - ((srt_action_context->hited_para.after_n_packets > 0) && a_stream->type==STREAM_TYPE_UDP) - || stream_state==OP_STATE_CLOSE) - { - srt_action_context->hited_para.after_n_packets--; - break; - } - ret=session_matched_rules_copy(a_stream, TSG_SERVICE_SECURITY, &(security_rules[0]), 1); - //ret=tsg_pull_policy_result((struct streaminfo *)a_stream,PULL_FW_RESULT, &security_result[0], 1, &tmp_identify_info); - if(ret<=0 || security_rules[0].action!=TSG_ACTION_DENY) { - break; - } + // contain hited current packet, platform calls tcp first and tcpall secondary. 
+ if(((srt_action_context->hited_para.after_n_packets > 0) && a_stream->type==STREAM_TYPE_TCP) || + ((srt_action_context->hited_para.after_n_packets > 0) && a_stream->type==STREAM_TYPE_UDP) + || stream_state==OP_STATE_CLOSE) + { + srt_action_context->hited_para.after_n_packets--; + break; + } + + struct maat_rule matched_rules; + int ret=session_matched_rules_copy(a_stream, TSG_SERVICE_SECURITY, &(matched_rules), 1); + //ret=tsg_pull_policy_result((struct streaminfo *)a_stream,PULL_FW_RESULT, &security_result[0], 1, &tmp_identify_info); + if(ret<=0 || matched_rules.action!=TSG_ACTION_DENY) + { + break; + } - if(srt_action_context->hited_para.matched_app_id<=0) - { - state=tsg_enforing_deny(a_stream, &(security_rules[0]), srt_action_context->protocol, ACTION_RETURN_TYPE_TCPALL, a_packet); - } - else - { - state=tsg_enforing_deny_application(a_stream, &(security_rules[0]), srt_action_context->protocol, srt_action_context->hited_para.matched_app_id, ACTION_RETURN_TYPE_TCPALL, a_packet); + if(srt_action_context->hited_para.matched_app_id<=0) + { + state=tsg_enforing_deny(a_stream, &matched_rules, srt_action_context->protocol, ACTION_RETURN_TYPE_TCPALL, a_packet); + } + else + { + state=tsg_enforing_deny_application(a_stream, &matched_rules, srt_action_context->protocol, srt_action_context->hited_para.matched_app_id, ACTION_RETURN_TYPE_TCPALL, a_packet); + } } break; case TSG_METHOD_TYPE_SHUNT: @@ -2335,7 +2341,7 @@ extern "C" unsigned char TSG_MASTER_UDP_ENTRY(const struct streaminfo *a_udp, vo if(state1&APP_STATE_DROPME || state2&APP_STATE_DROPME || a_udp->opstate==OP_STATE_CLOSE) { - session_application_metrics_update(a_udp, udp_srt_context->srt_action_context, thread_seq); + //session_application_metrics_update(a_udp, udp_srt_context->srt_action_context, thread_seq); dictator_free(thread_seq, *pme); *pme=NULL; diff --git a/src/tsg_entry.h b/src/tsg_entry.h index 7727a6f..c17e8b5 100644 --- a/src/tsg_entry.h +++ b/src/tsg_entry.h 
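Review bot: The new `struct maat_rule matched_rules;` in the TSG_METHOD_TYPE_DROP case shadows the `matched_rules[MAX_MATCHED_RULES_NUM]` array declared earlier in tsg_master_all_entry (hunk @@ -2169 on L7), so `&matched_rules` now denotes different objects a few dozen lines apart and `-Wshadow` will warn. Give the single-rule copy its own name, e.g. `struct maat_rule deny_rule;` and `int ret=session_matched_rules_copy(a_stream, TSG_SERVICE_SECURITY, &deny_rule, 1);`, and pass `&deny_rule` to the two deny calls. The stale `//ret=tsg_pull_policy_result(...)` comment is carried over verbatim and could be dropped while this block is being rewritten. The enclosing switch and function continue outside the hunk.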
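Review bot: Commenting out `session_application_metrics_update(...)` in TSG_MASTER_UDP_ENTRY silently stops UDP application metrics from being updated at session close, and the hunk gives no reason. If this is intentional, replace the commented-out call with a short comment stating why, e.g. `// UDP app metrics update intentionally disabled: <reason>`; otherwise delete the line rather than leave dead code that reads as a temporary hack. The function continues outside the hunk.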
@@ -81,11 +81,19 @@ struct app_id_dict int continue_scanning; unsigned short tcp_timeout; unsigned short udp_timeout; + unsigned short app_name_len; + unsigned short parent_app_name_len; + char risk_len; + char category_len; + char subcategory_len; + char technology_len; + char characteristics_len; + char padding[3]; int tcp_time_wait; int tcp_half_close; - char *risk; char *app_name; char *parent_app_name; + char *risk; char *category; char *subcategory; char *technology; diff --git a/src/tsg_rule.cpp b/src/tsg_rule.cpp index 0e02ccc..6d5fefe 100644 --- a/src/tsg_rule.cpp +++ b/src/tsg_rule.cpp @@ -47,7 +47,7 @@ const struct str2index method2index[TSG_METHOD_TYPE_MAX]={ {TSG_METHOD_TYPE_UNKN }; extern const char *tsg_l7_protocol_id2name(unsigned int l7_protocol_id); -extern unsigned int tsg_l7_protocol_name2id(const char *l7_protocol_name); +extern unsigned int tsg_l7_protocol_name2id(const char *l7_protocol_name, unsigned int l7_protocol_name_len); static char* tm_strdup(const char* s) { @@ -553,6 +553,7 @@ void ex_data_location_dup(int table_id, void **to, void **from, long argl, void* void ex_data_location_new(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp) { + char full_address[1024]={0}; struct location_info *location=(struct location_info *)calloc(1, sizeof(struct location_info)); location->country_full=column_string_get_value(table_line, 13); // country_full 
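Review bot: The five new `char` length fields (`risk_len` through `characteristics_len`) are filled by `(char)strlen(...)` in the tsg_rule.cpp hunk at @@ -786 on L13 and consumed as `(int)dict->risk_len` etc. in tsg_entry.cpp on L3–L4, so any property value of 128 bytes or more is silently truncated and, where `char` is signed, reaches tsg_scan_string as a negative length. Widen the fields to `unsigned short` (resizing `padding[3]` to keep the layout aligned) and reject or clamp values above the field's maximum at assignment, e.g. `dict->risk_len=(unsigned short)strlen(dict->risk);` guarded by a length check; the same unchecked narrowing applies to `app_name_len`/`parent_app_name_len` at 65536 bytes. Whether tsg_str_unescape can legitimately return 0 and leave a `_len` field unset is not visible here; if the dict is not calloc'd, those fields should be zeroed explicitly.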
@@ -566,6 +567,25 @@ void ex_data_location_new(const char *table_name, int table_id, const char* key, { location->subdivision_addr=column_string_get_value(table_line, 17); // subdivision_addr tsg_str_unescape(location->subdivision_addr); + + location->full_location_len=snprintf(full_address, + sizeof(full_address), + "%s.%s.%s.%s.", + location->country_full, + location->province_full, + location->city_full, + location->subdivision_addr==NULL ? "" : location->subdivision_addr); + } + else + { + location->full_location_len=snprintf(full_address, sizeof(full_address), "%s.%s.", location->country_full, location->city_full); + } + + if(location->full_location_len>0) + { + location->full_location=(char *)malloc(location->full_location_len+1); + memcpy(location->full_location, full_address, location->full_location_len); + location->full_location[location->full_location_len]='\0'; } atomic_inc(&location->ref_cnt); @@ -586,6 +606,7 @@ void ex_data_location_free(int table_id, void **ad, long argl, void* argp) tsg_free_field(location->province_full); tsg_free_field(location->city_full); tsg_free_field(location->subdivision_addr); + tsg_free_field(location->full_location); tsg_free_field((char *)(*ad)); *ad=NULL; 
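Review bot: `full_location_len` is taken straight from snprintf(), which returns the length the formatted string would have had, so when the joined fields exceed the 1024-byte `full_address` buffer the following `malloc(len+1)`/`memcpy(..., len)` read past the stack buffer and copy garbage into the heap string. The length needs clamping to `sizeof(full_address)-1` (and to 0 on a negative return) before it is used as a copy size, and the malloc result should be checked, as below. Only `subdivision_addr` is guarded against NULL; if column_string_get_value can return NULL for `country_full`/`province_full`/`city_full`, the `%s` conversions are undefined as well, which this hunk does not settle either way. ex_data_location_new starts and continues outside the hunk.
```cpp
// … unchanged: the two snprintf() branches that assign location->full_location_len …

// snprintf() reports the length it wanted, not what fits; clamp before
// using it as a copy size.
if (location->full_location_len < 0)
{
    location->full_location_len = 0;
}
else if ((size_t)location->full_location_len >= sizeof(full_address))
{
    location->full_location_len = (int)sizeof(full_address) - 1;
}

if (location->full_location_len > 0)
{
    location->full_location = (char *)malloc(location->full_location_len + 1);
    if (location->full_location == NULL)
    {
        location->full_location_len = 0;
    }
    else
    {
        memcpy(location->full_location, full_address, location->full_location_len);
        location->full_location[location->full_location_len] = '\0';
    }
}
// … unchanged: atomic_inc(&location->ref_cnt) and the rest …
```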
@@ -786,14 +807,41 @@ void ex_data_app_id_dict_new(const char *table_name, int table_id, const char* k parse_security_deny_action(deny_action_str, &(dict->deny_app_para)); tsg_free_field(deny_action_str); deny_action_str=NULL; + + if(tsg_str_unescape(dict->app_name)) + { + dict->app_name_len=(unsigned short)strlen(dict->app_name); + } + + if(tsg_str_unescape(dict->parent_app_name)) + { + dict->parent_app_name_len=(unsigned short)strlen(dict->parent_app_name); + } + + if(tsg_str_unescape(dict->risk)) + { + dict->risk_len=(char)strlen(dict->risk); + } - tsg_str_unescape(dict->risk); - tsg_str_unescape(dict->app_name); - tsg_str_unescape(dict->parent_app_name); - tsg_str_unescape(dict->category); - tsg_str_unescape(dict->subcategory); - tsg_str_unescape(dict->technology); - tsg_str_unescape(dict->characteristics); + if(tsg_str_unescape(dict->category)) + { + dict->category_len=(char)strlen(dict->category); + } + + if(tsg_str_unescape(dict->subcategory)) + { + dict->subcategory_len=(char)strlen(dict->subcategory); + } + + if(tsg_str_unescape(dict->technology)) + { + dict->technology_len=(char)strlen(dict->technology); + } + + if(tsg_str_unescape(dict->characteristics)) + { + dict->characteristics_len=(char)strlen(dict->characteristics); + } atomic_inc(&dict->ref_cnt); *ad=(void *)dict; 
@@ -2475,28 +2523,12 @@ size_t tsg_scan_ip_asn(const struct streaminfo *a_stream, struct maat *feather, size_t tsg_scan_ip_location(const struct streaminfo *a_stream, struct maat *feather, struct location_info *location, enum MAAT_SCAN_TB idx, struct maat_state *s_mid, struct maat_rule *matched_rules, size_t n_matched_rules) { - char full_address[1024]={0}; if(location==NULL || matched_rules==NULL || n_matched_rules==0) { return 0; } - if(g_tsg_maat_rt_para.location_field_num==19) - { - snprintf(full_address, - sizeof(full_address), - "%s.%s.%s.%s.", - location->country_full, - location->province_full, - location->city_full, - location->subdivision_addr==NULL ? "" : location->subdivision_addr); - } - else - { - snprintf(full_address, sizeof(full_address), "%s.%s.", location->country_full, location->city_full); - } - - return tsg_scan_string(a_stream, feather, full_address, strlen(full_address), idx, s_mid, matched_rules, n_matched_rules); + return tsg_scan_string(a_stream, feather, location->full_location, location->full_location_len, idx, s_mid, matched_rules, n_matched_rules); } int tsg_scan_intercept_exclusion(const struct streaminfo *a_stream, struct maat *feather, struct maat_rule *p_result, char *domain, int thread_seq) @@ -2774,7 +2806,7 @@ size_t tsg_scan_app_id_policy(const struct streaminfo *a_stream, struct maat *fe return tsg_scan_integer(a_stream, feather, (long long)app_id, MAAT_SCAN_APP_ID, s_mid, matched_rules, n_matched_rules); } -size_t tsg_scan_app_properties_policy(const struct streaminfo *a_stream, struct maat *feather, char *property, char *district, struct maat_state *s_mid, struct maat_rule *matched_rules, int n_matched_rules) +size_t tsg_scan_app_properties_policy(const struct streaminfo *a_stream, struct maat *feather, char *property, int property_len, char *district, int district_len, struct maat_state *s_mid, struct maat_rule *matched_rules, int n_matched_rules) { if(property==NULL || district==NULL) { 
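Review bot: `location->full_location` is handed to tsg_scan_string with no NULL check, but ex_data_location_new only allocates it when the computed length is positive; the struct is calloc'd, so otherwise the pointer stays NULL with a length of 0 or less. Extend the guard: `if(location==NULL || location->full_location==NULL || location->full_location_len<=0 || matched_rules==NULL || n_matched_rules==0)`. The removed code chose the two- or four-part format from `g_tsg_maat_rt_para.location_field_num` at every scan; the replacement appears to make that choice once at table-load time, which is fine if the field count is fixed per loaded table but worth a comment if it can change at runtime.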
@@ -2783,8 +2815,8 @@ size_t tsg_scan_app_properties_policy(const struct streaminfo *a_stream, struct size_t matched_cnt=0; struct maat_rule property_result[MAX_RESULT_NUM]={0}; - maat_state_set_scan_district(s_mid, g_tsg_maat_rt_para.scan_tb[MAAT_SCAN_SELECTOR_PROPERTIES].id, (const char *)district, strlen(district)); - size_t ret=tsg_scan_string(a_stream, feather, property, strlen(property), MAAT_SCAN_SELECTOR_PROPERTIES, s_mid, property_result, MAX_RESULT_NUM); + maat_state_set_scan_district(s_mid, g_tsg_maat_rt_para.scan_tb[MAAT_SCAN_SELECTOR_PROPERTIES].id, (const char *)district, district_len); + size_t ret=tsg_scan_string(a_stream, feather, property, property_len, MAAT_SCAN_SELECTOR_PROPERTIES, s_mid, property_result, MAX_RESULT_NUM); for(size_t i=0; iPROTO_UNKONWN && protoapp_name) > app_name_len) + if((int)(dict->app_name_len) > app_name_len) { ex_data_app_id_dict_free(g_tsg_maat_rt_para.plugin_tb[MAAT_PLUGIN_APP_ID_DICT].id, (void **)&dict, 0, NULL); return offset; } if(dict->parent_app_id!=0 && is_joint_parent==1) - { - offset=snprintf(app_name, app_name_len, "%s.%s", dict->parent_app_name, dict->app_name); + { + offset=(int)dict->parent_app_name_len; + memcpy(app_name, dict->parent_app_name, offset); + app_name[offset++]='.'; + + memcpy(app_name+offset, dict->app_name, dict->app_name_len); + offset+=dict->app_name_len; + app_name[offset]='\0'; } else { - offset=snprintf(app_name, app_name_len, "%s", dict->app_name); + offset=(int)dict->app_name_len; + memcpy(app_name, dict->app_name, offset); + app_name[offset]='\0'; } ex_data_app_id_dict_free(g_tsg_maat_rt_para.plugin_tb[MAAT_PLUGIN_APP_ID_DICT].id, (void **)&dict, 0, NULL); diff --git a/src/tsg_rule_internal.h b/src/tsg_rule_internal.h index 4f4d9a5..c173bc0 100644 --- a/src/tsg_rule_internal.h +++ b/src/tsg_rule_internal.h 
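Review bot: In tsg_get_app_name_by_id the bound check only compares `dict->app_name_len` against `app_name_len`, yet the joint-parent branch then memcpy()s `parent_app_name_len + 1 + app_name_len` bytes plus a terminator into `app_name`, so a long parent name overflows the caller's buffer where the replaced snprintf() was bounded; even the single-name branch writes `app_name[app_name_len]='\0'` one past the end when the lengths are equal, because the test is `>` rather than `>=`. Compute the total the chosen layout needs before copying, as below. The lengths come from the `unsigned short` fields set in ex_data_app_id_dict_new, which this code assumes are always initialised. The condition line is garbled in this rendering (`iPROTO_UNKONWN && protoapp_name) > app_name_len`), so its exact text is inferred; the hunk header for this function is also lost here and the function continues outside the hunk.
```cpp
// … unchanged: dict lookup and the protocol range check …
// Bytes the chosen layout needs, excluding the terminator.
int needed = (dict->parent_app_id != 0 && is_joint_parent == 1)
                 ? (int)dict->parent_app_name_len + 1 + (int)dict->app_name_len
                 : (int)dict->app_name_len;
// '>=' leaves room for the '\0' written after the copy.
if (needed >= app_name_len)
{
    ex_data_app_id_dict_free(g_tsg_maat_rt_para.plugin_tb[MAAT_PLUGIN_APP_ID_DICT].id, (void **)&dict, 0, NULL);
    return offset;
}
// … unchanged: the two memcpy branches and the final dict free …
```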
@@ -163,9 +163,9 @@ int tsg_get_app_name_by_id(struct maat *feather, int app_id, char *app_name, int size_t tsg_scan_session_flags(const struct streaminfo *a_stream, struct maat *feather, unsigned long flag, struct maat_state *s_mid, struct maat_rule *results, size_t n_results); size_t tsg_scan_app_id_policy(const struct streaminfo *a_stream, struct maat *feather, unsigned int app_id, struct maat_state *s_mid, struct maat_rule *results, size_t n_results); size_t tsg_scan_shared_policy(const struct streaminfo *a_stream, struct maat *feather, char *domain, int idx, struct maat_state *s_mid, struct maat_rule *results, size_t n_results); -size_t tsg_scan_app_properties_policy(const struct streaminfo *a_stream, struct maat *feather, char *property, char *district, struct maat_state *s_mid, struct maat_rule *results, int n_results); size_t tsg_scan_tunnel_id(const struct streaminfo *a_stream, struct maat *feather, struct maat_rule *results, size_t n_results, struct maat_state *s_mid, long long *bool_id_array, size_t n_bool_id_array); size_t tsg_scan_fqdn_category_id(const struct streaminfo * a_stream, struct maat *feather, unsigned int *category_id, int category_id_num, int table_idx, struct maat_state *s_mid, struct maat_rule *results, size_t n_results); +size_t tsg_scan_app_properties_policy(const struct streaminfo *a_stream, struct maat *feather, char *property, int property_len, char *district, int district_len, struct maat_state *s_mid, struct maat_rule *matched_rules, int n_matched_rules); int tsg_scan_intercept_exclusion(const struct streaminfo *a_stream, struct maat *feather, struct maat_rule *p_result, char *domain, int thread_seq); diff --git a/src/tsg_send_log.cpp b/src/tsg_send_log.cpp index 7364073..893cf10 100644 --- a/src/tsg_send_log.cpp +++ b/src/tsg_send_log.cpp 
@@ -334,26 +334,16 @@ static int set_location(struct TLD_handle_t *_handle, const struct streaminfo * len+=string_cat(buff+len, buff_len-len, location_info->province_full); buff[len++]=','; string_cat(buff+len, buff_len-len, location_info->country_full); + + TLD_append(_handle, field_name, (void *)buff, TLD_TYPE_STRING); break; case 19: - len+=string_cat(buff+len, buff_len-len, location_info->country_full); - buff[len++]='.'; - len+=string_cat(buff+len, buff_len-len, location_info->province_full); - buff[len++]='.'; - len+=string_cat(buff+len, buff_len-len, location_info->city_full); - - if(location_info->subdivision_addr!=NULL) - { - buff[len++]='.'; - string_cat(buff+len, buff_len-len, location_info->subdivision_addr); - } + TLD_append(_handle, field_name, (void *)location_info->full_location, TLD_TYPE_STRING); break; default: return 0; } - TLD_append(_handle, field_name, (void *)buff, TLD_TYPE_STRING); - return 1; } diff --git a/src/tsg_statistic.cpp b/src/tsg_statistic.cpp index af677b6..2ca8c39 100644 --- a/src/tsg_statistic.cpp +++ b/src/tsg_statistic.cpp 
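Review bot: For the 19-column layout, set_location now logs `location_info->full_location` verbatim, which changes the emitted field: that string is built with the `"%s.%s.%s.%s."` scan format, so the logged value gains a trailing `.` and an empty segment when `subdivision_addr` is NULL (`a.b.c..`), whereas the removed code produced `a.b.c` or `a.b.c.d`. If any log consumer parses this field that is a format break; either keep the buffer-based rendering for the log or document the new shape where the field is defined. `full_location` can also be NULL when the load-time formatting produced nothing, so guard it before the append: `if(location_info->full_location==NULL) { return 0; }`. set_location begins outside the hunk.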
@@ -66,12 +66,23 @@ int tsg_set_intercept_flow(struct maat_rule *p_result, struct traffic_info *traf security_tags[SECURITY_TAG_ACTION].value_int = p_result->action; security_tags[SECURITY_TAG_VSYS_ID].value_int = p_result->vsys_id; + long long column[COLUMN_MAX]; + size_t n_column_num=COLUMN_MAX; + column[COLUMN_HIT_COUNT]=traffic_info->con_num; + column[COLUMN_IN_BYTES]=traffic_info->in_bytes; + column[COLUMN_OUT_BYTES]=traffic_info->out_bytes; + column[COLUMN_IN_PKTS]=traffic_info->in_packets; + column[COLUMN_OUT_PKTS]=traffic_info->out_packets; + + fieldstat_dynamic_table_row_metric_values_incrby(g_tsg_statis_para.security_metric_handle, g_tsg_statis_para.metric_table_id, "security_rule_hits", column, n_column_num, security_tags, SECURITY_TAG_MAX, thread_seq); + +#if 0 fieldstat_dynamic_table_metric_value_incrby(g_tsg_statis_para.security_metric_handle, g_tsg_statis_para.metric_table_id, g_tsg_statis_para.security_column_ids[COLUMN_HIT_COUNT], "security_rule_hits", traffic_info->con_num, security_tags, (size_t)SECURITY_TAG_MAX, thread_seq); fieldstat_dynamic_table_metric_value_incrby(g_tsg_statis_para.security_metric_handle, g_tsg_statis_para.metric_table_id, g_tsg_statis_para.security_column_ids[COLUMN_IN_BYTES], "security_rule_hits", traffic_info->in_bytes, security_tags, (size_t)SECURITY_TAG_MAX, thread_seq); fieldstat_dynamic_table_metric_value_incrby(g_tsg_statis_para.security_metric_handle, g_tsg_statis_para.metric_table_id, g_tsg_statis_para.security_column_ids[COLUMN_OUT_BYTES], "security_rule_hits", traffic_info->out_bytes, security_tags, (size_t)SECURITY_TAG_MAX, thread_seq); fieldstat_dynamic_table_metric_value_incrby(g_tsg_statis_para.security_metric_handle, g_tsg_statis_para.metric_table_id, g_tsg_statis_para.security_column_ids[COLUMN_IN_PKTS], "security_rule_hits", traffic_info->in_packets, security_tags, (size_t)SECURITY_TAG_MAX, thread_seq); fieldstat_dynamic_table_metric_value_incrby(g_tsg_statis_para.security_metric_handle, 
g_tsg_statis_para.metric_table_id, g_tsg_statis_para.security_column_ids[COLUMN_OUT_PKTS], "security_rule_hits", traffic_info->out_packets, security_tags, (size_t)SECURITY_TAG_MAX, thread_seq); - +#endif return 0; } 
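Review bot: The replaced per-column `fieldstat_dynamic_table_metric_value_incrby` calls are kept under `#if 0` instead of being deleted, and the same dead blocks are left in the tsg_set_policy_flow hunk ending on L21 and the tsg_set_application_metrics hunk ending on L23. Version control already preserves the old form; the `#if 0` regions will rot as the surrounding code changes and hide that `g_tsg_statis_para.security_column_ids`/`app_column_ids` may now be unused. Remove them, or if the old path is meant to stay selectable, replace `#if 0` with a named build option and a comment saying when it applies. The return value of the new `fieldstat_dynamic_table_row_metric_values_incrby` call is discarded; if it can report failure, logging that once would make a broken metrics backend visible.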
@@ -81,17 +92,29 @@ int tsg_set_policy_flow(const struct streaminfo *a_stream, struct maat_rule *p_r { return -1; } - - unsigned long long value = 0; - int value_len = sizeof(unsigned long long); - + struct fieldstat_tag security_tags[SECURITY_TAG_MAX] = {{"rule_id", 0, -1}, {"action", 0, -1}, {"vsys_id", 0, -1}}; security_tags[SECURITY_TAG_RULE_ID].value_int = p_result->rule_id; security_tags[SECURITY_TAG_ACTION].value_int = p_result->action; security_tags[SECURITY_TAG_VSYS_ID].value_int = p_result->vsys_id; + long long column[COLUMN_MAX]; + size_t n_column_num=COLUMN_MAX; + + column[COLUMN_HIT_COUNT]=1; + + int value_len = sizeof(unsigned long long); + MESA_get_stream_opt(a_stream, MSO_TOTAL_INBOUND_BYTE_RAW, (void *)&(column[COLUMN_IN_BYTES]), &value_len); + MESA_get_stream_opt(a_stream, MSO_TOTAL_INBOUND_PKT, (void *)&(column[COLUMN_IN_PKTS]), &value_len); + MESA_get_stream_opt(a_stream, MSO_TOTAL_OUTBOUND_BYTE_RAW, (void *)&(column[COLUMN_OUT_BYTES]), &value_len); + MESA_get_stream_opt(a_stream, MSO_TOTAL_OUTBOUND_PKT, (void *)&(column[COLUMN_OUT_PKTS]), &value_len); + + fieldstat_dynamic_table_row_metric_values_incrby(g_tsg_statis_para.security_metric_handle, g_tsg_statis_para.metric_table_id, "security_rule_hits", column, n_column_num, security_tags, SECURITY_TAG_MAX, thread_seq); + +#if 0 fieldstat_dynamic_table_metric_value_incrby(g_tsg_statis_para.security_metric_handle, g_tsg_statis_para.metric_table_id, g_tsg_statis_para.security_column_ids[COLUMN_HIT_COUNT], "security_rule_hits", 1, security_tags, (size_t)SECURITY_TAG_MAX, thread_seq); + unsigned long long value = 0; value=0; MESA_get_stream_opt(a_stream, MSO_TOTAL_INBOUND_BYTE_RAW, (void *)&value, &value_len); fieldstat_dynamic_table_metric_value_incrby(g_tsg_statis_para.security_metric_handle, g_tsg_statis_para.metric_table_id, g_tsg_statis_para.security_column_ids[COLUMN_IN_BYTES], "security_rule_hits", value, security_tags, (size_t)SECURITY_TAG_MAX, thread_seq); 
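Review bot: The four `column[...]` slots filled by MESA_get_stream_opt in tsg_set_policy_flow are uninitialised stack storage and the getter's return value is not checked, so a failed lookup reports whatever happened to be on the stack as a byte/packet increment; the removed code reset `value=0` before each call. Declare the array zeroed, `long long column[COLUMN_MAX]={0};`, which also covers any column index that is never assigned. `value_len` is passed by address to four successive calls; if the API updates it on return, later calls see the earlier call's value (that pattern is inherited, so a comment is enough). tsg_set_policy_flow starts outside the hunk.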
@@ -107,7 +130,7 @@ int tsg_set_policy_flow(const struct streaminfo *a_stream, struct maat_rule *p_r value=0; MESA_get_stream_opt(a_stream, MSO_TOTAL_OUTBOUND_PKT, (void *)&value, &value_len); fieldstat_dynamic_table_metric_value_incrby(g_tsg_statis_para.security_metric_handle, g_tsg_statis_para.metric_table_id, g_tsg_statis_para.security_column_ids[COLUMN_OUT_PKTS], "security_rule_hits", value, security_tags, (size_t)SECURITY_TAG_MAX, thread_seq); - +#endif return 0; } 
@@ -202,6 +225,32 @@ int tsg_set_application_metrics(const struct streaminfo *a_stream, const char *l app_tags[APP_TAG_PROTOCOL_LABEL].value_str = l4_protocol; app_tags[APP_TAG_APP_FULL_PATH].value_str = app_full_path; + long long column[TRAFFIC_APP_MAX]; + size_t n_column_num=TRAFFIC_APP_MAX; + + column[TRAFFIC_APP_SESSIONS]=app_statis->sessions; + column[TRAFFIC_APP_IN_BYTES]=app_statis->in_bytes; + column[TRAFFIC_APP_OUT_BYTES]=app_statis->out_bytes; + column[TRAFFIC_APP_IN_PKTS]=app_statis->in_pkts; + column[TRAFFIC_APP_OUT_PKTS]=app_statis->out_pkts; + column[TRAFFIC_APP_C2S_PKTS]=app_statis->c2s_pkts; + column[TRAFFIC_APP_S2C_PKTS]=app_statis->s2c_pkts; + column[TRAFFIC_APP_C2S_BYTES]=app_statis->c2s_bytes; + column[TRAFFIC_APP_S2C_BYTES]=app_statis->s2c_bytes; + column[TRAFFIC_APP_C2S_FRAGMENTS]=app_statis->c2s_fragments; + column[TRAFFIC_APP_S2C_FRAGMENTS]=app_statis->s2c_fragments; + column[TRAFFIC_APP_C2S_LOST_BYTES]=app_statis->c2s_tcp_lost_bytes; + column[TRAFFIC_APP_S2C_LOST_BYTES]=app_statis->s2c_tcp_lost_bytes; + column[TRAFFIC_APP_C2S_ORDER_PKTS]=app_statis->c2s_tcp_ooorder_pkts; + column[TRAFFIC_APP_S2C_ORDER_PKTS]=app_statis->s2c_tcp_ooorder_pkts; + column[TRAFFIC_APP_C2S_RETRANSMITTED_PKTS]=app_statis->c2s_tcp_retransmitted_pkts; + column[TRAFFIC_APP_S2C_RETRANSMITTED_PKTS]=app_statis->s2c_tcp_retransmitted_pkts; + column[TRAFFIC_APP_C2S_RETRANSMITTED_BYTES]=app_statis->c2s_tcp_retransmitted_bytes; + column[TRAFFIC_APP_S2C_RETRANSMITTED_BYTES]=app_statis->s2c_tcp_retransmitted_bytes; + + fieldstat_dynamic_table_row_metric_values_incrby(g_tsg_statis_para.app_metric_handle, g_tsg_statis_para.app_metric_table_id, "traffic_application_protocol_stat", column, n_column_num, app_tags, APP_TAG_MAX, thread_seq); + +#if 0 fieldstat_dynamic_table_metric_value_incrby(g_tsg_statis_para.app_metric_handle, g_tsg_statis_para.app_metric_table_id, g_tsg_statis_para.app_column_ids[TRAFFIC_APP_SESSIONS], "traffic_application_protocol_stat", app_statis->sessions, 
app_tags, (size_t)APP_TAG_MAX, thread_seq); @@ -258,7 +307,7 @@ int tsg_set_application_metrics(const struct streaminfo *a_stream, const char *l fieldstat_dynamic_table_metric_value_incrby(g_tsg_statis_para.app_metric_handle, g_tsg_statis_para.app_metric_table_id, g_tsg_statis_para.app_column_ids[TRAFFIC_APP_S2C_RETRANSMITTED_BYTES], "traffic_application_protocol_stat", app_statis->s2c_tcp_retransmitted_bytes, app_tags, (size_t)APP_TAG_MAX, thread_seq); - +#endif return 0; } diff --git a/src/tsg_variable.cpp b/src/tsg_variable.cpp index 19d3b9f..207a00d 100644 --- a/src/tsg_variable.cpp +++ b/src/tsg_variable.cpp 
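Review bot: `long long column[TRAFFIC_APP_MAX];` relies on the nineteen assignments below it covering every enumerator before `TRAFFIC_APP_MAX`; the next column added to that enum silently leaves an uninitialized slot that `fieldstat_dynamic_table_row_metric_values_incrby` then exports as a counter. Initialise it with `long long column[TRAFFIC_APP_MAX] = {0};` and, since this is C++, pin the expectation next to the declaration with `static_assert(TRAFFIC_APP_MAX == 19, "column table out of sync with traffic_app enum");` (adjust if the enum has members this hunk does not show). The `app_statis` fields are copied into signed `long long`; if they are 64-bit unsigned counters, values above `LLONG_MAX` would wrap negative — presumably unreachable, but worth a one-line comment. The old per-column calls are kept under `#if 0` up to the following hunk rather than deleted; remove them. `tsg_set_application_metrics` starts before this hunk.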
@@ -7,31 +7,31 @@ struct tsg_rt_para g_tsg_para;
-struct id2field g_tsg_proto_name2id[PROTO_MAX]={{PROTO_UNKONWN, 0, "unknown"},
- {PROTO_IPv4, 0, "IPV4"},
- {PROTO_IPv6, 0, "IPV6"},
- {PROTO_TCP, 0, "TCP"},
- {PROTO_UDP, 0, "UDP"},
- {PROTO_HTTP, 0, "HTTP"},
- {PROTO_MAIL, 0, "MAIL"},
- {PROTO_DNS, 0, "DNS"},
- {PROTO_FTP, 0, "FTP"},
- {PROTO_SSL, 0, "SSL"},
- {PROTO_SIP, 0, "SIP"},
- {PROTO_BGP, 0, "BGP"},
- {PROTO_STREAMING_MEDIA, 0, "STREAMING_MEDIA"},
- {PROTO_QUIC, 0, "QUIC"},
- {PROTO_SSH, 0, "SSH"},
- {PROTO_SMTP, 0, "SMTP"},
- {PROTO_IMAP, 0, "IMAP"},
- {PROTO_POP3, 0, "POP3"},
- {PROTO_RTP, 0, "RTP"},
- {PROTO_APP, 0, "BASE"},
- {PROTO_L2TP, 0, "L2TP"},
- {PROTO_PPTP, 0, "PPTP"},
- {PROTO_STRATUM, 0, "Stratum"},
- {PROTO_RDP, 0, "RDP"},
- {PROTO_DTLS, 0, "DTLS"}
+struct id2field_tlv g_tsg_proto_name2id[PROTO_MAX]={{PROTO_UNKONWN, 0, 7, "unknown"},
+ {PROTO_IPv4, 0, 4, "IPV4"},
+ {PROTO_IPv6, 0, 4, "IPV6"},
+ {PROTO_TCP, 0, 3, "TCP"},
+ {PROTO_UDP, 0, 3, "UDP"},
+ {PROTO_HTTP, 0, 4, "HTTP"},
+ {PROTO_MAIL, 0, 4, "MAIL"},
+ {PROTO_DNS, 0, 3, "DNS"},
+ {PROTO_FTP, 0, 3, "FTP"},
+ {PROTO_SSL, 0, 3, "SSL"},
+ {PROTO_SIP, 0, 3, "SIP"},
+ {PROTO_BGP, 0, 3, "BGP"},
+ {PROTO_STREAMING_MEDIA, 0, 15, "STREAMING_MEDIA"},
+ {PROTO_QUIC, 0, 4, "QUIC"},
+ {PROTO_SSH, 0, 3, "SSH"},
+ {PROTO_SMTP, 0, 4, "SMTP"},
+ {PROTO_IMAP, 0, 4, "IMAP"},
+ {PROTO_POP3, 0, 3, "POP3"},
+ {PROTO_RTP, 0, 3, "RTP"},
+ {PROTO_APP, 0, 4, "BASE"},
+ {PROTO_L2TP, 0, 4, "L2TP"},
+ {PROTO_PPTP, 0, 4, "PPTP"},
+ {PROTO_STRATUM, 0, 7, "Stratum"},
+ {PROTO_RDP, 0, 3, "RDP"},
+ {PROTO_DTLS, 0, 4, "DTLS"}
 };
 const char *tsg_l7_protocol_id2name(unsigned int l7_protocol_id)
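Review bot: the hand-counted `len` for `PROTO_POP3` is wrong: `{PROTO_POP3, 0, 3, "POP3"}` gives 3 for a four-character name, so `tsg_l7_protocol_name2id("POP3", 3)` hashes the key `POP` and POP3 never resolves to an id through this table. Change it to `{PROTO_POP3, 0, 4, "POP3"},`. Every other row matches its literal today, but keeping a length next to the string it describes is exactly what makes this class of bug invisible at review time; derive it instead, e.g. `#define PROTO_NAME(s) (int)(sizeof(s) - 1), s` and write rows as `{PROTO_POP3, 0, PROTO_NAME("POP3")},`, so the length cannot drift from the literal. A unit test that walks the table and checks `strlen(name) == len` for each entry would catch any future mismatch.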
@@ -46,11 +46,11 @@ const char *tsg_l7_protocol_id2name(unsigned int l7_protocol_id)
 return NULL;
 }
-unsigned int tsg_l7_protocol_name2id(const char *l7_protocol_name)
+unsigned int tsg_l7_protocol_name2id(const char *l7_protocol_name, unsigned int l7_protocol_name_len)
 {
 struct l7_protocol *l7_proto=NULL;
-HASH_FIND(hh2, g_tsg_para.id_by_name, l7_protocol_name, strlen(l7_protocol_name), l7_proto);
+HASH_FIND(hh2, g_tsg_para.id_by_name, l7_protocol_name, l7_protocol_name_len, l7_proto);
 if(l7_proto!=NULL)
 {
 return l7_proto->id;
diff --git a/src/tsg_variable.h b/src/tsg_variable.h
index 9702a76..71c93c0 100644
--- a/src/tsg_variable.h
+++ b/src/tsg_variable.h
@@ -18,8 +18,8 @@ enum DEPLOY_MODE
 #define MIN(a, b) (((a) < (b)) ? (a) : (b))
 #endif
-#ifndef MAX_TSG_ALL_RESULT_NUM
-#define MAX_TSG_ALL_RESULT_NUM MAX_RESULT_NUM*3
+#ifndef MAX_MATCHED_RULES_NUM
+#define MAX_MATCHED_RULES_NUM MAX_RESULT_NUM*4
 #endif
 #ifndef MAX_STRING_LEN32
@@ -47,6 +47,14 @@ struct id2field
 char name[MAX_STRING_LEN32];
 };
+struct id2field_tlv
+{
+ int type;
+ int id;
+ int len;
+ char name[MAX_STRING_LEN32];
+};
+
 struct tsg_rt_para
 {
 int level;
@@ -84,7 +92,7 @@ struct tsg_rt_para
 };
 extern struct tsg_rt_para g_tsg_para;;
-extern struct id2field g_tsg_proto_name2id[PROTO_MAX];
+extern struct id2field_tlv g_tsg_proto_name2id[PROTO_MAX];
 struct l7_protocol
 {
diff --git a/test/bin/gtest_maat.json b/test/bin/gtest_maat.json
index 8d14882..0fc10df 100644
--- a/test/bin/gtest_maat.json
+++ b/test/bin/gtest_maat.json
@@ -1153,7 +1153,7 @@
 "table_content": {
 "format": "uncase plain",
 "match_method": "complete",
- "keywords": "country_full_test.city_full_test.",
+ "keywords": "country_full_test..city_full_test.",
 "expr_type": "none"
 }
 }
@@ -1184,7 +1184,7 @@
 "table_content": {
 "format": "uncase plain",
 "match_method": "complete",
- "keywords": "country_full_test.city_full_test.",
+ "keywords": "country_full_test..city_full_test.",
 "expr_type": "none"
 }
 }
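Review bot: the new `l7_protocol_name_len` parameter makes every caller responsible for a length that must match exactly the bytes `id_by_name` was keyed with, and nothing here checks it; a wrong length, or a NULL name, is not an error but a silent miss in `HASH_FIND`, so a mis-sized table entry shows up as "unknown protocol" with no diagnostic. Add a guard before the lookup, `if(l7_protocol_name==NULL || l7_protocol_name_len==0) return 0;` if 0 is the not-found value (that return path is outside the hunk — confirm), and document the contract on the declaration: `/* l7_protocol_name_len: byte length of the key as registered in id_by_name, no terminator; a mismatch is a miss, not an error */`. The removed `strlen` at least guaranteed the length matched the string; a debug-only `assert(strnlen(l7_protocol_name, l7_protocol_name_len + 1) == l7_protocol_name_len);` keeps that property while retaining the faster path in release builds.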
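Review bot: `#define MAX_MATCHED_RULES_NUM MAX_RESULT_NUM*4` expands unparenthesized, so a use such as `total / MAX_MATCHED_RULES_NUM` regroups as `(total / MAX_RESULT_NUM) * 4`; write it as `#define MAX_MATCHED_RULES_NUM (MAX_RESULT_NUM*4)`. The rename plus the bump from `*3` to `*4` also changes the size of whatever the old `MAX_TSG_ALL_RESULT_NUM` sized; a stale reference to the old name would fail to compile, but any hard-coded `*3` assumption elsewhere would not, so the consumers (outside this diff) deserve a grep. Because the `#ifndef` guard lets a build override choose a smaller value, those consumers should bound their indexing by the macro, never by a literal.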
diff --git a/test/src/gtest_tableinfo.cpp b/test/src/gtest_tableinfo.cpp
index 28ea6c8..43d10b4 100644
--- a/test/src/gtest_tableinfo.cpp
+++ b/test/src/gtest_tableinfo.cpp
@@ -757,6 +757,8 @@ TEST(TSG_Table, TSG_SECURITY_SOURCE_LOCATION)
 struct location_info location = {0};
 location.country_full = (char *)"country_full_test";
 location.city_full = (char *)"city_full_test";
+location.full_location=(char *)"country_full_test..city_full_test.";
+location.full_location_len=strlen(location.full_location);
 struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
 struct maat_rule results[MAX_RESULT_NUM] = {0};
 EXPECT_EQ(tsg_scan_ip_location((const struct streaminfo *)&a_stream, g_tsg_maat_feather, &location, MAAT_SCAN_SRC_LOCATION, mid, results, MAX_RESULT_NUM), 1);
@@ -772,6 +774,8 @@ TEST(TSG_Table, TSG_SECURITY_DESTINATION_LOCATION)
 struct location_info location = {0};
 location.country_full = (char *)"country_full_test";
 location.city_full = (char *)"city_full_test";
+location.full_location=(char *)"country_full_test..city_full_test.";
+location.full_location_len=strlen(location.full_location);
 struct maat_state *mid = maat_state_new(g_tsg_maat_feather, a_stream.threadnum);
 struct maat_rule results[MAX_RESULT_NUM] = {0};
 EXPECT_EQ(tsg_scan_ip_location((const struct streaminfo *)&a_stream, g_tsg_maat_feather, &location, MAAT_SCAN_DST_LOCATION, mid, results, MAX_RESULT_NUM), 1);
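Review bot: both tests now hand-write `location.full_location` as `"country_full_test..city_full_test."` — the same literal the JSON fixture was changed to — so the scan is exercised against a string the test author composed, not one produced by whatever code builds `full_location` from `country_full`/`province_full`/`city_full` (that builder is not in this diff). If the production combiner ever emits a different separator for an empty province, these tests keep passing while the location rules stop matching in production. Either populate `full_location` through the production helper inside the test, or pin the format with a comment such as `// full_location key format: "<country>.<province>.<city>." — province is empty here, hence ".."`, so fixture and builder are kept in step deliberately. `strlen` returns `size_t` and is stored in the `int full_location_len` field; harmless for this literal, but an explicit `(int)` cast would make the narrowing visible.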