diff --git a/bin/tsg_log_field.conf b/bin/tsg_log_field.conf
index daa19de..5358584 100644
--- a/bin/tsg_log_field.conf
+++ b/bin/tsg_log_field.conf
@@ -4,7 +4,7 @@ TOPIC SECURITY-EVENT-LOG 0
 TOPIC SECURITY-EVENT-LOG 1
 TOPIC CONNECTION-RECORD-LOG 2
 TOPIC CONNECTION-SKETCH 3
-TOPIC INTERNAL-RTP-LOG 4
+TOPIC INTERNAL-RTP-LOG 4
 TOPIC VOIP-RECORD-LOG 5
 #TYPE FIELD VALUE
@@ -45,17 +45,33 @@ STRING common_schema_type 34
 STRING http_host 35
 STRING ssl_sni 36
 LONG common_establish_latency_ms 37
-STRING common_sub_action 38
+STRING common_sub_action 38
 STRING common_client_asn 39
 STRING common_server_asn 40
 STRING common_client_location 41
 STRING common_server_location 42
-STRING quic_sni 43
+STRING quic_sni 43
 STRING ssl_ja3_hash 44
 STRING common_data_center 45
-STRING common_l7_protocol 46
+STRING common_l7_protocol 46
 STRING common_tcp_client_isn 47
 STRING common_tcp_server_isn 48
 LONG common_app_surrogate_id 49
-STRING sip_from 50
-STRING sip_to 51
\ No newline at end of file
+STRING sip_from 50
+STRING sip_to 51
+STRING common_tunnels 52
+STRING tunnels_schema_type 53
+STRING gtp_sgw_ip 54
+STRING gtp_pgw_ip 55
+STRING gtp_sgw_port 56
+STRING gtp_pgw_port 57
+STRING gtp_uplink_teid 58
+STRING gtp_downlink_teid 59
+STRING mpls_c2s_direction_label 60
+STRING mpls_s2c_direction_label 61
+STRING vlan_c2s_direction_id 62
+STRING vlan_s2c_direction_id 63
+STRING client_mac 64
+STRING server_mac 65
+STRING client_ip 66
+STRING server_ip 67
diff --git a/src/tsg_entry.cpp b/src/tsg_entry.cpp
index dbba836..335a183 100644
--- a/src/tsg_entry.cpp
+++ b/src/tsg_entry.cpp
@@ -647,7 +647,7 @@ void set_session_attribute_label(struct streaminfo *a_stream, enum TSG_ATTRIBUTE
 attribute_label=(struct _session_attribute_label_t *)project_req_get_struct(a_stream, g_tsg_para.internal_project_id);
 if(attribute_label==NULL)
 {
- attribute_label=(struct _session_attribute_label_t *)calloc(1, sizeof(struct _session_attribute_label_t));
+ attribute_label=(struct _session_attribute_label_t *)dictator_malloc(thread_seq, sizeof(struct _session_attribute_label_t));
 memset(attribute_label, 0, sizeof(struct _session_attribute_label_t));
 ret=project_req_add_struct(a_stream, g_tsg_para.internal_project_id, (const void *)attribute_label);
diff --git a/src/tsg_rule.cpp b/src/tsg_rule.cpp
index 374c0e3..6cbfe40 100644
--- a/src/tsg_rule.cpp
+++ b/src/tsg_rule.cpp
@@ -1412,7 +1412,7 @@ int tsg_scan_nesting_addr(Maat_feather_t maat_feather, const struct streaminfo *
 attribute_label=(struct _session_attribute_label_t *)project_req_get_struct(a_stream, g_tsg_para.internal_project_id);
 if(attribute_label==NULL)
 {
- attribute_label=(struct _session_attribute_label_t *)calloc(1, sizeof(struct _session_attribute_label_t));
+ attribute_label=(struct _session_attribute_label_t *)dictator_malloc(a_stream->threadnum, sizeof(struct _session_attribute_label_t));
 memset(attribute_label, 0, sizeof(struct _session_attribute_label_t));
 }
diff --git a/src/tsg_send_log.cpp b/src/tsg_send_log.cpp
index 77ebf5b..b72f7c4 100644
--- a/src/tsg_send_log.cpp
+++ b/src/tsg_send_log.cpp
@@ -11,6 +11,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
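Review bot: The pointer returned by `dictator_malloc(thread_seq, …)` goes straight into `memset` with no NULL check, in `set_session_attribute_label` here and again in the `tsg_scan_nesting_addr` hunk of src/tsg_rule.cpp (`dictator_malloc(a_stream->threadnum, …)`). If that allocator can fail, which its definition outside this diff would settle, both sites write through a null pointer on a per-session path; a guard such as `if(attribute_label==NULL) { return; }` before the `memset` (returning an error code in the `int` function) closes that. The commit also moves this struct from `calloc` to a different allocator without touching its release path, so the code that frees the label, not visible in either hunk, needs to call the matching release routine rather than `free()`. Both function bodies continue outside their hunks.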
@@ -34,6 +35,29 @@ const id2field_t tld_type[TLD_TYPE_MAX]={{TLD_TYPE_UNKNOWN, TLD_TYPE_UNKNOWN, "
 extern "C" int MESA_get_dev_ipv4(const char *device, int *ip_add);
+static int is_tunnels(struct streaminfo *a_stream)
+{
+ if(a_stream!=NULL && a_stream->pfather!=NULL && a_stream->pfather->addr.addrtype!=ADDR_TYPE_MAC)
+ {
+ return 1;
+ }
+
+ return 0;
+}
+
+static int convert_mac_to_string(unsigned char *mac, char *buff)
+{
+ int i=0,len=0;
+ for(i=0; i<6; i++)
+ {
+ len+=sprintf(buff+len, "%02x:", mac[i]);
+ }
+
+ buff[len-1]='\0';
+
+ return 0;
+}
+
 static int action2fs_id(int action)
 {
 switch(action)
@@ -162,6 +186,7 @@ struct TLD_handle_t *TLD_create(int thread_id)
 return _handle;
 }
+
 static int set_l7_protocol(struct tsg_log_instance_t *_instance, struct TLD_handle_t *_handle, struct streaminfo *a_stream)
 {
 char *l7_protocol=NULL;
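Review bot: `convert_mac_to_string` formats with `sprintf` into a buffer whose size it is never told, and it needs at least 19 bytes (18 characters plus the terminator written on the last iteration), so the bound holds only as long as every caller remembers that. The two callers added in this commit pass `char buff[128]`, so nothing overflows today, but the helper should take the size and write with `len+=snprintf(buff+len, size-len, "%02x:", mac[i]);`. It also always returns 0, so the `int` return carries no information; return the length or make it `void`. A one-line comment on `is_tunnels` saying that a parent layer of any type other than `ADDR_TYPE_MAC` counts as a tunnel would spare the reader working out the condition.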
@@ -181,6 +206,212 @@ static int set_l7_protocol(struct tsg_log_instance_t *_instance, struct TLD_hand
 return 0;
 }
+static cJSON *get_link_mac(struct tsg_log_instance_t *_instance, struct ethhdr *addr)
+{
+ char buff[128]={0};
+ cJSON *mac_object=cJSON_CreateObject();
+ convert_mac_to_string(addr->h_source, buff);
+ cJSON_AddStringToObject(mac_object, _instance->id2field[LOG_COMMON_TUNNELS_MAC_SOURCE].name, buff);
+
+ convert_mac_to_string(addr->h_dest, buff);
+ cJSON_AddStringToObject(mac_object, _instance->id2field[LOG_COMMON_TUNNELS_MAC_DEST].name, buff);
+
+ return mac_object;
+}
+
+static int get_gtp_ipxx_port(struct tsg_log_instance_t *_instance, struct streaminfo *a_stream, cJSON *object)
+{
+ char ip_buff[64]={0};
+
+ if(a_stream!=NULL)
+ {
+ switch(a_stream->addr.addrtype)
+ {
+ case ADDR_TYPE_IPV4:
+ inet_ntop(AF_INET, (const void *)&(a_stream->addr.ipv4->saddr), ip_buff, sizeof(ip_buff));
+ cJSON_AddStringToObject(object, _instance->id2field[LOG_COMMON_TUNNELS_GTP_SGW_IP].name, ip_buff);
+ inet_ntop(AF_INET, (const void *)&(a_stream->addr.ipv4->daddr), ip_buff, sizeof(ip_buff));
+ cJSON_AddStringToObject(object, _instance->id2field[LOG_COMMON_TUNNELS_GTP_PGW_IP].name, ip_buff);
+
+ cJSON_AddNumberToObject(object, _instance->id2field[LOG_COMMON_TUNNELS_GTP_SGW_PORT].name, (unsigned int)(a_stream->addr.ipv4->source));
+ cJSON_AddNumberToObject(object, _instance->id2field[LOG_COMMON_TUNNELS_GTP_PGW_PORT].name, (unsigned int)(a_stream->addr.ipv4->dest));
+ return 1;
+ break;
+ case ADDR_TYPE_IPV6:
+ inet_ntop(AF_INET6, (const void *)(a_stream->addr.ipv6->saddr), ip_buff, sizeof(ip_buff));
+ cJSON_AddStringToObject(object, _instance->id2field[LOG_COMMON_TUNNELS_GTP_SGW_IP].name, ip_buff);
+ inet_ntop(AF_INET6, (const void *)(a_stream->addr.ipv6->daddr), ip_buff, sizeof(ip_buff));
+ cJSON_AddStringToObject(object, _instance->id2field[LOG_COMMON_TUNNELS_GTP_PGW_IP].name, ip_buff);
+
+ cJSON_AddNumberToObject(object, _instance->id2field[LOG_COMMON_TUNNELS_GTP_SGW_PORT].name, (unsigned int)(a_stream->addr.ipv6->source));
+ cJSON_AddNumberToObject(object, _instance->id2field[LOG_COMMON_TUNNELS_GTP_PGW_PORT].name, (unsigned int)(a_stream->addr.ipv6->dest));
+ return 1;
+ break;
+ default:
+ break;
+
+ }
+ }
+
+ return 0;
+}
+
+static int get_common_tunnels(struct tsg_log_instance_t *_instance, struct TLD_handle_t *_handle, struct streaminfo *a_stream)
+{
+ int i=0,ret=0;
+ char ip_buff[64]={0};
+ const struct streaminfo *ptmp = a_stream;
+ const struct streaminfo *pfather=NULL;
+ cJSON *tunnel_object=NULL;
+ cJSON *tunnel_array=cJSON_CreateArray();
+ cJSON *src_array=NULL, *dst_array=NULL;
+ cJSON *mac_object=NULL;
+
+ while(ptmp)
+ {
+ pfather = ptmp->pfather;
+ switch(ptmp->addr.addrtype)
+ {
+ case ADDR_TYPE_MAC:
+ tunnel_object=cJSON_CreateObject();
+ cJSON_AddStringToObject(tunnel_object, _instance->id2field[LOG_COMMON_TUNNELS_SCHEMA_TYPE].name, "MAC");
+
+ switch(a_stream->dir)
+ {
+ case DIR_C2S:
+ mac_object=get_link_mac(_instance, &(ptmp->addr.mac->src_addr));
+ cJSON_AddItemToObject(tunnel_object, "c2s_direction_mac", mac_object);
+ break;
+ case DIR_S2C:
+ mac_object=get_link_mac(_instance, &(ptmp->addr.mac->dst_addr));
+ cJSON_AddItemToObject(tunnel_object, "s2c_direction_mac", mac_object);
+ break;
+ case DIR_DOUBLE:
+ mac_object=get_link_mac(_instance, &(ptmp->addr.mac->src_addr));
+ cJSON_AddItemToObject(tunnel_object, "c2s_direction_mac", mac_object);
+
+ mac_object=get_link_mac(_instance, &(ptmp->addr.mac->dst_addr));
+ cJSON_AddItemToObject(tunnel_object, "s2c_direction_mac", mac_object);
+ break;
+ }
+ break;
+ case ADDR_TYPE_VLAN:
+ tunnel_object=cJSON_CreateObject();
+ cJSON_AddStringToObject(tunnel_object, _instance->id2field[LOG_COMMON_TUNNELS_SCHEMA_TYPE].name, "VLAN");
+
+ src_array=cJSON_CreateArray();
+ for(i=0; iaddr.vlan->c2s_layer_num; i++)
+ {
+ cJSON_AddNumberToObject(src_array, _instance->id2field[LOG_COMMON_TUNNELS_VLAN_SRC_ID].name, ntohs(ptmp->addr.vlan->c2s_addr_array[i].VID));
+ }
+ if(ptmp->addr.vlan->c2s_layer_num>0)
+ {
+ cJSON_AddItemToObject(tunnel_object, _instance->id2field[LOG_COMMON_TUNNELS_VLAN_SRC_ID].name, src_array);
+ }
+
+ dst_array=cJSON_CreateArray();
+ for(i=0; iaddr.vlan->s2c_layer_num; i++)
+ {
+ cJSON_AddNumberToObject(dst_array, _instance->id2field[LOG_COMMON_TUNNELS_VLAN_DST_ID].name, ntohs(ptmp->addr.vlan->s2c_addr_array[i].VID));
+ }
+
+ if(ptmp->addr.vlan->s2c_layer_num>0)
+ {
+ cJSON_AddItemToObject(tunnel_object, _instance->id2field[LOG_COMMON_TUNNELS_VLAN_DST_ID].name, dst_array);
+ }
+ break;
+ case ADDR_TYPE_GRE:
+ tunnel_object=cJSON_CreateObject();
+ cJSON_AddStringToObject(tunnel_object, _instance->id2field[LOG_COMMON_TUNNELS_SCHEMA_TYPE].name, "GRE");
+ break;
+ case ADDR_TYPE_MPLS:
+ tunnel_object=cJSON_CreateObject();
+ cJSON_AddStringToObject(tunnel_object, _instance->id2field[LOG_COMMON_TUNNELS_SCHEMA_TYPE].name, (char *)"MPLS");
+
+ src_array=cJSON_CreateArray();
+ for(i=0; iaddr.mpls->c2s_layer_num; i++)
+ {
+ cJSON_AddNumberToObject(src_array, _instance->id2field[LOG_COMMON_TUNNELS_MPLS_SRC_LABEL].name, ntohl(ptmp->addr.mpls->c2s_addr_array[i].label));
+ }
+
+ if(ptmp->addr.mpls->c2s_layer_num>0)
+ {
+ cJSON_AddItemToObject(tunnel_object, _instance->id2field[LOG_COMMON_TUNNELS_MPLS_SRC_LABEL].name, src_array);
+ }
+
+ dst_array=cJSON_CreateArray();
+ for(i=0; iaddr.mpls->s2c_layer_num; i++)
+ {
+ cJSON_AddNumberToObject(dst_array, _instance->id2field[LOG_COMMON_TUNNELS_MPLS_DST_LABEL].name, ntohl(ptmp->addr.mpls->s2c_addr_array[i].label));
+ }
+
+ if(ptmp->addr.mpls->s2c_layer_num>0)
+ {
+ cJSON_AddItemToObject(tunnel_object, _instance->id2field[LOG_COMMON_TUNNELS_MPLS_DST_LABEL].name, dst_array);
+ }
+ break;
+ case ADDR_TYPE_L2TP:
+ tunnel_object=cJSON_CreateObject();
+ cJSON_AddStringToObject(tunnel_object, _instance->id2field[LOG_COMMON_TUNNELS_SCHEMA_TYPE].name, "L2TP");
+ break;
+ case __ADDR_TYPE_IP_PAIR_V4:
+ tunnel_object=cJSON_CreateObject();
+ cJSON_AddStringToObject(tunnel_object, _instance->id2field[LOG_COMMON_TUNNELS_SCHEMA_TYPE].name, "IPv4");
+
+ inet_ntop(AF_INET, (const void *)&(ptmp->addr.ipv4->saddr), ip_buff, sizeof(ip_buff));
+ cJSON_AddStringToObject(tunnel_object, _instance->id2field[LOG_COMMON_TUNNELS_CLIENT_IP].name, ip_buff);
+
+ inet_ntop(AF_INET, (const void *)&(ptmp->addr.ipv4->daddr), ip_buff, sizeof(ip_buff));
+ cJSON_AddStringToObject(tunnel_object, _instance->id2field[LOG_COMMON_TUNNELS_SERVER_IP].name, ip_buff);
+ break;
+ case __ADDR_TYPE_IP_PAIR_V6:
+ tunnel_object=cJSON_CreateObject();
+ cJSON_AddStringToObject(tunnel_object, _instance->id2field[LOG_COMMON_TUNNELS_SCHEMA_TYPE].name, "IPv6");
+
+ inet_ntop(AF_INET6, (const void *)(ptmp->addr.ipv6->saddr), ip_buff, sizeof(ip_buff));
+ cJSON_AddStringToObject(tunnel_object, _instance->id2field[LOG_COMMON_TUNNELS_CLIENT_IP].name, ip_buff);
+
+ inet_ntop(AF_INET6, (const void *)(ptmp->addr.ipv6->daddr), ip_buff, sizeof(ip_buff));
+ cJSON_AddStringToObject(tunnel_object, _instance->id2field[LOG_COMMON_TUNNELS_SERVER_IP].name, ip_buff);
+ break;
+ case ADDR_TYPE_PPTP:
+ tunnel_object=cJSON_CreateObject();
+ cJSON_AddStringToObject(tunnel_object, _instance->id2field[LOG_COMMON_TUNNELS_SCHEMA_TYPE].name, "PPTP");
+
+
+ cJSON_AddNumberToObject(tunnel_object, _instance->id2field[LOG_COMMON_TUNNELS_PPTP_C2S_ID].name, ntohl(ptmp->addr.pptp->C2S_call_id));
+ break;
+ case ADDR_TYPE_GPRS_TUNNEL:
+ tunnel_object=cJSON_CreateObject();
+ cJSON_AddStringToObject(tunnel_object, _instance->id2field[LOG_COMMON_TUNNELS_SCHEMA_TYPE].name, "GTP");
+ cJSON_AddNumberToObject(tunnel_object, _instance->id2field[LOG_COMMON_TUNNELS_GTP_UPLINK_TEID].name, ntohl(ptmp->addr.gtp->teid_c2s));
+ cJSON_AddNumberToObject(tunnel_object, _instance->id2field[LOG_COMMON_TUNNELS_GTP_DOWNLINK_TEID].name, ntohl(ptmp->addr.gtp->teid_s2c));
+
+ ret=get_gtp_ipxx_port(_instance, ptmp->pfather, tunnel_object);
+ if(ret==1)
+ {
+ ptmp=pfather->pfather;
+ }
+ break;
+ case ADDR_TYPE_VXLAN:
+ tunnel_object=cJSON_CreateObject();
+ cJSON_AddStringToObject(tunnel_object, _instance->id2field[LOG_COMMON_TUNNELS_SCHEMA_TYPE].name, "VXLAN");
+ break;
+ default:
+ ptmp = pfather;
+ continue;
+ break;
+ }
+
+ ptmp = pfather;
+ cJSON_AddItemToArray(tunnel_array, tunnel_object);
+ }
+
+ TLD_append(_handle, _instance->id2field[LOG_COMMON_TUNNELS].name, tunnel_array, TLD_TYPE_CJSON);
+
+ return 0;
+}
+
 char *log_field_id2name(struct tsg_log_instance_t *instance, tsg_log_field_id_t id)
 {
 struct tsg_log_instance_t *_instance=instance;
@@ -457,6 +688,11 @@ int TLD_append_streaminfo(struct tsg_log_instance_t *instance, struct TLD_handle
 {
 stream_addr_list_ntop(a_stream,nest_addr_buf, sizeof(nest_addr_buf));
 }
+
+ if(is_tunnels(a_stream))
+ {
+ get_common_tunnels(_instance, _handle, a_stream);
+ }
 TLD_append(_handle, _instance->id2field[LOG_COMMON_ADDRESS_LIST].name, (void *)nest_addr_buf, TLD_TYPE_STRING);
@@ -887,7 +1123,7 @@ int tsg_send_log(struct tsg_log_instance_t *instance, struct TLD_handle_t *handl
 FS_operate(g_tsg_para.fs2_handle, _instance->fs_status_ids[thread_id], 0, FS_OP_SET, _instance->send_log_percent[thread_id]);
 }
- free(payload);
+ cJSON_free(payload);
 payload=NULL;
 TLD_delete(_handle, _instance->id2field[LOG_COMMON_POLICY_ID].name);
diff --git a/src/tsg_send_log_internal.h b/src/tsg_send_log_internal.h
index 19261f4..326d2ef 100644
--- a/src/tsg_send_log_internal.h
+++ b/src/tsg_send_log_internal.h
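Review bot: In `get_common_tunnels` the VLAN and MPLS cases create `src_array` and `dst_array` with `cJSON_CreateArray()` unconditionally but attach them to `tunnel_object` only when the layer count is positive, so every record with an empty direction leaks an array, and because this runs per logged session on traffic-derived layer counts the leak accumulates. Add `else { cJSON_Delete(src_array); }` (and the same for `dst_array`) after each `layer_num>0` check, or create the array inside that `if`. In the `ADDR_TYPE_GPRS_TUNNEL` case, `ptmp=pfather->pfather;` is overwritten by the `ptmp = pfather;` that follows the switch, so the intended skip of the outer IP layer never takes effect; assigning `pfather=pfather->pfather;` there would. `get_gtp_ipxx_port` also logs `source` and `dest` without `ntohs()` while the VLAN IDs in the same hunk are converted, which looks like a byte-order slip worth confirming against the `streaminfo` address layout. None of the `cJSON_Create*` results in this hunk are checked before use.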
@@ -75,6 +75,26 @@ typedef enum _tsg_log_field_id
 LOG_COMMON_TCP_CLIENT_ISN,
 LOG_COMMON_TCP_SERVER_ISN,
 LOG_COMMON_APP_SURROGATE_ID,
+ LOG_COMMON_SIP_FROM,
+ LOG_COMMON_SIP_TO,
+ LOG_COMMON_TUNNELS,
+ LOG_COMMON_TUNNELS_SCHEMA_TYPE,
+ LOG_COMMON_TUNNELS_GTP_SGW_IP,
+ LOG_COMMON_TUNNELS_GTP_PGW_IP,
+ LOG_COMMON_TUNNELS_GTP_SGW_PORT,
+ LOG_COMMON_TUNNELS_GTP_PGW_PORT,
+ LOG_COMMON_TUNNELS_GTP_UPLINK_TEID,
+ LOG_COMMON_TUNNELS_GTP_DOWNLINK_TEID,
+ LOG_COMMON_TUNNELS_MPLS_SRC_LABEL,
+ LOG_COMMON_TUNNELS_MPLS_DST_LABEL,
+ LOG_COMMON_TUNNELS_VLAN_SRC_ID,
+ LOG_COMMON_TUNNELS_VLAN_DST_ID,
+ LOG_COMMON_TUNNELS_MAC_SOURCE,
+ LOG_COMMON_TUNNELS_MAC_DEST,
+ LOG_COMMON_TUNNELS_CLIENT_IP,
+ LOG_COMMON_TUNNELS_SERVER_IP,
+ LOG_COMMON_TUNNELS_PPTP_C2S_ID,
+ LOG_COMMON_TUNNELS_PPTP_S2C_ID,
 LOG_COMMON_MAX
 }tsg_log_field_id_t;
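Review bot: `LOG_COMMON_TUNNELS_PPTP_C2S_ID` and `LOG_COMMON_TUNNELS_PPTP_S2C_ID` have no counterpart in bin/tsg_log_field.conf, whose new entries stop at `STRING server_ip 67`, yet `get_common_tunnels` uses `id2field[LOG_COMMON_TUNNELS_PPTP_C2S_ID].name` as a JSON key. If `id2field` is populated from that file by numeric id (the loader is not in this diff), the PPTP call id is written under an unset name, so the config needs two more lines for those ids or the enum entries should wait until they are used. The config also declares the GTP port and TEID fields as `STRING` while the code adds them with `cJSON_AddNumberToObject`, so it is worth confirming which type the log consumers expect. A short comment above the new entries stating that the enum order must match the VALUE column of tsg_log_field.conf would keep the two from drifting; the enum itself begins outside the hunk.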