diff --git a/src/tsg_entry.cpp b/src/tsg_entry.cpp index 3703e82..e54477f 100644 --- a/src/tsg_entry.cpp +++ b/src/tsg_entry.cpp @@ -272,7 +272,6 @@ static int master_send_log(struct streaminfo *a_stream, struct Maat_rule_t *p_re tsg_log_t log_msg; char *domain_field_name=NULL; char *schema_field_name=NULL; - char *schema_field_value=NULL; struct TLD_handle_t *TLD_handle=NULL; TLD_handle=TLD_create(thread_seq); @@ -282,16 +281,12 @@ static int master_send_log(struct streaminfo *a_stream, struct Maat_rule_t *p_re if(identify_info->proto==PROTO_IMAP || identify_info->proto==PROTO_SMTP || identify_info->proto==PROTO_POP3) { - schema_field_value=tsg_schema_index2string(PROTO_MAIL); + TLD_append(TLD_handle, schema_field_name, (void *)g_tsg_proto_name2id[PROTO_MAIL].name, TLD_TYPE_STRING); + TLD_append(TLD_handle, (char *)"mail_protocol_type", (void *)g_tsg_proto_name2id[identify_info->proto].name, TLD_TYPE_STRING); } else - { - schema_field_value=tsg_schema_index2string(identify_info->proto); - } - - if(schema_field_value!=NULL) - { - TLD_append(TLD_handle, schema_field_name, (void *)schema_field_value, TLD_TYPE_STRING); + { + TLD_append(TLD_handle, schema_field_name, (void *)g_tsg_proto_name2id[identify_info->proto].name, TLD_TYPE_STRING); } switch(identify_info->proto) diff --git a/src/tsg_entry.h b/src/tsg_entry.h index fdf3722..c35feb8 100644 --- a/src/tsg_entry.h +++ b/src/tsg_entry.h 
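Review bot: The rewritten else branch in the second hunk indexes `g_tsg_proto_name2id[identify_info->proto].name` and hands the result straight to TLD_append, dropping the `schema_field_value!=NULL` check the removed code had; a proto value outside the table (declared with PROTO_MAX entries elsewhere in this commit) or an entry whose `.name` is NULL now reaches TLD_append unchecked. Unless the caller guarantees the range, guard the lookup first: `const char *proto_name = (identify_info->proto < PROTO_MAX) ? g_tsg_proto_name2id[identify_info->proto].name : NULL;` followed by `if(proto_name != NULL) TLD_append(TLD_handle, schema_field_name, (void *)proto_name, TLD_TYPE_STRING);`. The mail branch uses the same unchecked lookup for the new `mail_protocol_type` field, though there the index is one of three known values. master_send_log begins and ends outside the hunk.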
@@ -247,7 +247,8 @@ void security_compile_free(int idx, const struct Maat_rule_t* rule, const char* char *tsg_schema_index2string(tsg_protocol_t proto); struct Maat_rule_t *tsg_policy_decision_criteria(struct streaminfo *a_stream, Maat_rule_t *result, int result_num, struct _identify_info *identify_info, int thread_seq); int tsg_scan_shared_policy(Maat_feather_t maat_feather, struct streaminfo *a_stream, struct identify_info *identify_info, Maat_rule_t *result, int result_num, scan_status_t *mid, int thread_seq); -int tsg_scan_app_id_policy(Maat_feather_t maat_feather, struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, scan_status_t *mid, char *name, unsigned int id, int thread_seq); -int tsg_scan_app_properties_policy(Maat_feather_t maat_feather, struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, scan_status_t *mid, char *property, char *district, int thread_seq); +int tsg_scan_app_id_policy(Maat_feather_t maat_feather, const struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, scan_status_t *mid, char *name, unsigned int id, int thread_seq); +int tsg_scan_app_properties_policy(Maat_feather_t maat_feather, const struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, scan_status_t *mid, char *property, char *district, int thread_seq); +int tsg_scan_subscribe_id_policy(Maat_feather_t maat_feather, const struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, scan_status_t *mid, struct _subscribe_id_info_t *user_info, int thread_seq); #endif diff --git a/src/tsg_rule.cpp b/src/tsg_rule.cpp index bb645b9..6caca7c 100644 --- a/src/tsg_rule.cpp +++ b/src/tsg_rule.cpp @@ -13,6 +13,8 @@ #include "MESA/http.h" #include "tsg_rule.h" #include "tsg_entry.h" +#include "tsg_send_log.h" +#include "tsg_send_log_internal.h" Maat_feather_t g_tsg_maat_feather; Maat_feather_t g_tsg_dynamic_maat_feather; 
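Review bot: The new `tsg_scan_subscribe_id_policy` prototype takes a non-const `struct _subscribe_id_info_t *user_info`, yet the definition added later in this commit only reads `user_info->subscribe_id`, and `char *name` in the two re-declared prototypes is, as far as the visible hunks show, only forwarded to log calls; const-qualifying them documents that the scans do not modify their inputs. Suggested: `int tsg_scan_subscribe_id_policy(Maat_feather_t maat_feather, const struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, scan_status_t *mid, const struct _subscribe_id_info_t *user_info, int thread_seq);`. On the tsg_rule.cpp include hunk on this line, pulling `tsg_send_log_internal.h` into the rule module looks like a cross-module reach for `g_tsg_proto_name2id`; if that table is meant to be shared, its declaration belongs in the public `tsg_send_log.h` so the `extern` added in tsg_rule.cpp's next hunk becomes unnecessary.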
@@ -28,8 +30,7 @@ enum kni_scan_table{ const char *g_kni_scan_table_name[SCAN_TABLE_MAX]; int g_kni_scan_tableid[SCAN_TABLE_MAX] = {0}; - - +extern id2field_t g_tsg_proto_name2id[PROTO_MAX]; const struct _str2index method2index[TSG_METHOD_TYPE_MAX]={ {TSG_METHOD_TYPE_UNKNOWN, 7, (char *)"unknown"}, {TSG_METHOD_TYPE_DROP, 4, (char *)"drop"}, {TSG_METHOD_TYPE_REDIRECTION, 8, (char *)"redirect"}, @@ -38,29 +39,6 @@ const struct _str2index method2index[TSG_METHOD_TYPE_MAX]={ {TSG_METHOD_TYPE_UNK {TSG_METHOD_TYPE_ALERT, 5, (char *)"alert"} }; -const struct _str2index g_tsg_proto_string[PROTO_MAX+1]={{PROTO_UNKONWN, 0, (char *)""}, - {PROTO_IPv4, 5, (char *)"IPv4."}, - {PROTO_IPv6, 5, (char *)"IPv6."}, - {PROTO_TCP, 4, (char *)"TCP."}, - {PROTO_UDP, 4, (char *)"UDP."}, - {PROTO_HTTP, 5, (char *)"HTTP."}, - {PROTO_MAIL, 5, (char *)"MAIL."}, - {PROTO_DNS, 4, (char *)"DNS."}, - {PROTO_FTP, 4, (char *)"FTP."}, - {PROTO_SSL, 4, (char *)"SSL."}, - {PROTO_SIP, 4, (char *)"SIP."}, - {PROTO_BGP, 4, (char *)"BGP."}, - {PROTO_STREAMING_MEDIA, 16, (char *)"STREAMING_MEDIA."}, - {PROTO_QUIC, 5, (char *)"QUIC."}, - {PROTO_SSH, 4, (char *)"SSH."}, - {PROTO_SMTP, 5, (char *)"MAIL."}, - {PROTO_IMAP, 5, (char *)"MAIL."}, - {PROTO_POP3, 5, (char *)"MAIL."}, - {PROTO_RTP, 4, (char *)"RTP."}, - {PROTO_APP, 4, (char *)"APP."}, - {PROTO_MAX, 0, (char *)""} -}; - static char* str_unescape(char* s) { int i=0,j=0; @@ -106,9 +84,9 @@ static int proto_str2id(tsg_protocol_t proto) case PROTO_UDP: return 101; case PROTO_HTTP: return 106; case PROTO_MAIL: return 110; - case PROTO_IMAP: return 110; - case PROTO_POP3: return 110;//116 - case PROTO_SMTP: return 110;//122 + case PROTO_IMAP: return 111; + case PROTO_POP3: return 116;//116 + case PROTO_SMTP: return 122;//122 case PROTO_DNS: return 103; case PROTO_FTP: return 104; case PROTO_SSL: return 126; 
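Review bot: In the proto_str2id hunk, PROTO_IMAP now returns 111 while POP3 and SMTP return the values their trailing comments already named (116, 122); IMAP carries no such comment, so the origin of 111 is not evident from the code — confirm it matches the policy table's id for IMAP, and either drop the now-redundant `//116` / `//122` comments or annotate IMAP the same way. Separately, `extern id2field_t g_tsg_proto_name2id[PROTO_MAX];` in the first hunk on this line declares another module's global inside a .cpp; if `tsg_send_log_internal.h` (included earlier in this commit) does not already declare it, the declaration should move into that header so the definition and every user agree on type and size, and if it does, this line is redundant.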
@@ -1132,59 +1110,40 @@ int tsg_scan_ip_asn(Maat_feather_t maat_feather, const struct streaminfo *a_stre { int ret=0; - if(asn!=NULL) + if(asn==NULL || result==NULL || result_num==0) { - ret=Maat_full_scan_string(maat_feather, - g_tsg_para.table_id[idx], - CHARSET_GBK, - asn->asn, - strlen(asn->asn), - result, - NULL, - result_num, - mid, - a_stream->threadnum); - if(ret > 0) - { - MESA_handle_runtime_log(g_tsg_para.logger, - RLOG_LV_DEBUG, - "SCAN_IP_ASN", - "Hit IP_ASN: %s scan ret: %d table_name: %s policy_id: %d service: %d action: %d addr: %s", - asn->asn, - ret, - g_tsg_para.table_name[idx], - result[0].config_id, - result[0].service_id, - (unsigned char)result[0].action, - PRINTADDR(a_stream, g_tsg_para.level) - ); - } - else - { - MESA_handle_runtime_log(g_tsg_para.logger, - RLOG_LV_DEBUG, - "SCAN_IP_ASN", - "No hit IP_ASN: %s scan ret: %d table_name: %s addr: %s", - asn->asn, - ret, - g_tsg_para.table_name[idx], - PRINTADDR(a_stream, g_tsg_para.level) - ); - } - } - else + return 0; + } + + ret=Maat_full_scan_string(maat_feather, g_tsg_para.table_id[idx], CHARSET_GBK, asn->asn, strlen(asn->asn), result, NULL, result_num, mid, a_stream->threadnum); + if(ret > 0) { MESA_handle_runtime_log(g_tsg_para.logger, RLOG_LV_DEBUG, "SCAN_IP_ASN", - "IP_ASN is NULL scan ret: %d table_name: %s addr: %s", + "Hit IP_ASN: %s scan ret: %d table_name: %s policy_id: %d service: %d action: %d addr: %s", + asn->asn, ret, g_tsg_para.table_name[idx], + result[0].config_id, + result[0].service_id, + (unsigned char)result[0].action, PRINTADDR(a_stream, g_tsg_para.level) ); + + return ret; } - return (ret>0 ? ret : 0); + MESA_handle_runtime_log(g_tsg_para.logger, + RLOG_LV_DEBUG, + "SCAN_IP_ASN", + "No hit IP_ASN: %s scan ret: %d table_name: %s addr: %s", + asn->asn, + ret, + g_tsg_para.table_name[idx], + PRINTADDR(a_stream, g_tsg_para.level) + ); + return 0; } 
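Review bot: The new early-return guard in tsg_scan_ip_asn rejects `result_num==0` but not a negative count, while tsg_scan_nesting_addr in the same file checks `result_num<=0`; callers pass `result_num-hit_num`, so the safer form is `if(asn==NULL || result==NULL || result_num<=0)`. The same `==0` guard appears in tsg_scan_ip_location (next hunk) and in the new tsg_scan_subscribe_id_policy (last hunk). The rewrite also drops the "IP_ASN is NULL" debug log, so a stream with no ASN attribute no longer leaves any trace when tracing policy misses; if that visibility mattered, keep a debug line in the guard branch. `a_stream` is still dereferenced for `threadnum` without a check, as before.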
@@ -1193,79 +1152,57 @@ int tsg_scan_ip_location(Maat_feather_t maat_feather, const struct streaminfo *a int ret=0; char buff[1024]={0}; - if(location!=NULL) + if(location==NULL || result==NULL || result_num==0) { - snprintf(buff, sizeof(buff), "%s.%s.", location->country_full, location->city_full); - ret=Maat_full_scan_string(maat_feather, - g_tsg_para.table_id[idx], - CHARSET_GBK, - buff, - strlen(buff), - result, - NULL, - result_num, - mid, - a_stream->threadnum); - if(ret > 0) - { - MESA_handle_runtime_log(g_tsg_para.logger, - RLOG_LV_DEBUG, - "SCAN_IP_LOCATION", - "Hit IP_LOCATION: %s scan ret: %d table_name: %s policy_id: %d service: %d action: %d addr: %s", - buff, - ret, - g_tsg_para.table_name[idx], - result[0].config_id, - result[0].service_id, - (unsigned char)result[0].action, - PRINTADDR(a_stream, g_tsg_para.level) - ); - } - else - { - MESA_handle_runtime_log(g_tsg_para.logger, - RLOG_LV_DEBUG, - "SCAN_IP_LOCATION", - "No hit IP_LOCATION: %s scan ret: %d table_name: %s addr: %s", - buff, - ret, - g_tsg_para.table_name[idx], - PRINTADDR(a_stream, g_tsg_para.level) - ); - } - } - else + return 0; + } + + snprintf(buff, sizeof(buff), "%s.%s.", location->country_full, location->city_full); + ret=Maat_full_scan_string(maat_feather, g_tsg_para.table_id[idx], CHARSET_GBK, buff, strlen(buff), result, NULL, result_num, mid, a_stream->threadnum); + if(ret > 0) { MESA_handle_runtime_log(g_tsg_para.logger, RLOG_LV_DEBUG, "SCAN_IP_LOCATION", - "IP_LOCATION is NULL scan ret: %d table_name: %s addr: %s", + "Hit IP_LOCATION: %s scan ret: %d table_name: %s policy_id: %d service: %d action: %d addr: %s", + buff, ret, g_tsg_para.table_name[idx], + result[0].config_id, + result[0].service_id, + (unsigned char)result[0].action, PRINTADDR(a_stream, g_tsg_para.level) ); + return ret; } - - return (ret>0 ? 
ret : 0); + + MESA_handle_runtime_log(g_tsg_para.logger, + RLOG_LV_DEBUG, + "SCAN_IP_LOCATION", + "No hit IP_LOCATION: %s scan ret: %d table_name: %s addr: %s", + buff, + ret, + g_tsg_para.table_name[idx], + PRINTADDR(a_stream, g_tsg_para.level) + ); + + return 0; } int tsg_scan_nesting_addr(Maat_feather_t maat_feather, const struct streaminfo *a_stream, tsg_protocol_t proto, scan_status_t *mid, Maat_rule_t*result, int result_num) { int ret=0; struct ipaddr t_addr; + unsigned int proto_id=0; struct ipaddr* p_addr=NULL; int hit_num=0,tans_proto=0; - int is_scan_addr=1, maat_ret=0,found_pos=0; + int is_scan_addr=1, maat_ret=0; const struct streaminfo *cur_stream = a_stream; struct _session_attribute_label_t *attribute_label=NULL; if(result==NULL || result_num<=0 || a_stream==NULL || maat_feather==NULL) { - MESA_handle_runtime_log(g_tsg_para.logger, - RLOG_LV_DEBUG, - "SCAN_NESTING_ADDR", - "result==NULL || result_num<=0 || maat_feather==NULL || a_stream==NULL" - ); + MESA_handle_runtime_log(g_tsg_para.logger, RLOG_LV_DEBUG, "SCAN_NESTING_ADDR", "result==NULL || result_num<=0 || maat_feather==NULL || a_stream==NULL"); return -1; } @@ -1309,14 +1246,7 @@ int tsg_scan_nesting_addr(Maat_feather_t maat_feather, const struct streaminfo * break; } - maat_ret=Maat_scan_proto_addr(maat_feather, - g_tsg_para.table_id[TABLE_IP_ADDR], - p_addr, - tans_proto, - result+hit_num, - result_num-hit_num, - mid, - (int)cur_stream->threadnum); + maat_ret=Maat_scan_proto_addr(maat_feather, g_tsg_para.table_id[TABLE_IP_ADDR], p_addr, tans_proto, result+hit_num, result_num-hit_num, mid, (int)cur_stream->threadnum); if(maat_ret>0) { MESA_handle_runtime_log(g_tsg_para.logger, 
@@ -1334,13 +1264,7 @@ int tsg_scan_nesting_addr(Maat_feather_t maat_feather, const struct streaminfo * } else { - MESA_handle_runtime_log(g_tsg_para.logger, - RLOG_LV_DEBUG, - "SCAN_IP", - "No hit addr: %s scan ret: %d", - PRINTADDR(a_stream, g_tsg_para.level), - maat_ret - ); + MESA_handle_runtime_log(g_tsg_para.logger,RLOG_LV_DEBUG, "SCAN_IP", "No hit addr: %s scan ret: %d", PRINTADDR(a_stream, g_tsg_para.level), maat_ret); } } 
@@ -1350,62 +1274,12 @@ int tsg_scan_nesting_addr(Maat_feather_t maat_feather, const struct streaminfo * if(hit_numPROTO_UNKONWN && protothreadnum); + if(proto==PROTO_SMTP || proto==PROTO_IMAP || proto==PROTO_POP3) { - maat_ret=Maat_full_scan_string(maat_feather, - g_tsg_para.table_id[TABLE_APP_ID], - CHARSET_GBK, - g_tsg_proto_string[proto].type, - strlen(g_tsg_proto_string[proto].type), - result+hit_num, - &found_pos, - result_num-hit_num, - mid, - a_stream->threadnum - ); - } - else - { - unsigned int proto_id=proto_str2id(proto); - if(proto_id>0) - { - maat_ret=Maat_scan_intval(maat_feather, - g_tsg_para.table_id[TABLE_APP_ID], - proto_id, - result+hit_num, - result_num-hit_num, - mid, - a_stream->threadnum - ); - } - } - if(maat_ret > 0) - { - MESA_handle_runtime_log(g_tsg_para.logger, - RLOG_LV_DEBUG, - "SCAN_PROTO", - "Hit PROTO: %s scan ret: %d policy_id: %d service: %d action: %d addr: %s", - g_tsg_proto_string[proto].type, - maat_ret, - result[hit_num].config_id, - result[hit_num].service_id, - (unsigned char)result[hit_num].action, - PRINTADDR(a_stream, g_tsg_para.level) - ); - - hit_num+=maat_ret; - } - else - { - MESA_handle_runtime_log(g_tsg_para.logger, - RLOG_LV_DEBUG, - "SCAN_PROTO", - "No hit PROTO: %s(%d) scan ret: %d addr: %s", - g_tsg_proto_string[proto].type, - proto_str2id(proto), - maat_ret, - PRINTADDR(a_stream, g_tsg_para.level) - ); + proto_id=proto_str2id(PROTO_MAIL); + hit_num+=tsg_scan_app_id_policy(maat_feather, a_stream, result+hit_num, result_num-hit_num, mid, g_tsg_proto_name2id[PROTO_MAIL].name, proto_id, (int)a_stream->threadnum); } } 
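Review bot: In the rewritten protocol scan, the mail branch issues a second tsg_scan_app_id_policy call with the PROTO_MAIL id after the per-protocol scan (that line is garbled on this page, its `<`/`>` comparisons were stripped), so the second call can run after `hit_num` has already reached `result_num` and pass a zero or negative remaining count; whether that is safe depends on a guard inside tsg_scan_app_id_policy that the visible hunks do not show. Re-check the remaining space before the second scan: `if((proto==PROTO_SMTP || proto==PROTO_IMAP || proto==PROTO_POP3) && hit_num<result_num)`. Also, `proto_id` is declared `unsigned int` at the top of the function while proto_str2id returns `int`; if it can return a negative sentinel the conversion hides it, and an `int` declared at the point of use would make that explicit. The enclosing function continues outside the hunk.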
@@ -1434,92 +1308,11 @@ int tsg_scan_nesting_addr(Maat_feather_t maat_feather, const struct streaminfo * hit_num+=tsg_scan_ip_asn(maat_feather, a_stream, attribute_label->server_asn, TABLE_DST_ASN, mid, result+hit_num, result_num-hit_num); } - if(hit_numclient_subscribe_id, &attribute_label->server_subscribe_id); - - if(attribute_label->client_subscribe_id!=NULL) - { - maat_ret=Maat_full_scan_string(maat_feather, - g_tsg_para.table_id[TABLE_SUBSCRIBER_ID], - CHARSET_GBK, - attribute_label->client_subscribe_id->subscribe_id, - strlen(attribute_label->client_subscribe_id->subscribe_id), - result+hit_num, - &found_pos, - result_num-hit_num, - mid, - a_stream->threadnum); - if(maat_ret > 0) - { - MESA_handle_runtime_log(g_tsg_para.logger, - RLOG_LV_DEBUG, - "SCAN_SUBSCRIBER", - "Hit source subscribe id: %s scan ret: %d policy_id: %d service: %d action: %d addr: %s", - attribute_label->client_subscribe_id->subscribe_id, - maat_ret, - result[hit_num].config_id, - result[hit_num].service_id, - (unsigned char)result[hit_num].action, - PRINTADDR(a_stream, g_tsg_para.level) - ); - - hit_num+=maat_ret; - } - else - { - MESA_handle_runtime_log(g_tsg_para.logger, - RLOG_LV_DEBUG, - "SCAN_SUBSCRIBER", - "No hit source subscribe id: %s scan ret: %d addr: %s", - attribute_label->client_subscribe_id->subscribe_id, - maat_ret, - PRINTADDR(a_stream, g_tsg_para.level) - ); - } - } - - if(attribute_label->server_subscribe_id!=NULL) - { - maat_ret=Maat_full_scan_string(maat_feather, - g_tsg_para.table_id[TABLE_SUBSCRIBER_ID], - CHARSET_GBK, - attribute_label->server_subscribe_id->subscribe_id, - strlen(attribute_label->server_subscribe_id->subscribe_id), - result+hit_num, - &found_pos, - result_num-hit_num, - mid, - a_stream->threadnum); - if(maat_ret > 0) - { - MESA_handle_runtime_log(g_tsg_para.logger, - RLOG_LV_DEBUG, - "SCAN_SUBSCRIBER", - "Hit dest subscribe id: %s scan ret: %d policy_id: %d service: %d action: %d addr: %s", - attribute_label->server_subscribe_id->subscribe_id, - 
maat_ret, - result[hit_num].config_id, - result[hit_num].service_id, - (unsigned char)result[hit_num].action, - PRINTADDR(a_stream, g_tsg_para.level) - ); - - hit_num+=maat_ret; - } - else - { - MESA_handle_runtime_log(g_tsg_para.logger, - RLOG_LV_DEBUG, - "SCAN_SUBSCRIBER", - "No hit dest subscribe id: %s scan ret: %d addr: %s", - attribute_label->server_subscribe_id->subscribe_id, - maat_ret, - PRINTADDR(a_stream, g_tsg_para.level) - ); - } - } + hit_num+=tsg_scan_subscribe_id_policy(maat_feather, a_stream, result+hit_num, result_num-hit_num, mid,attribute_label->client_subscribe_id, (int)a_stream->threadnum); + hit_num+=tsg_scan_subscribe_id_policy(maat_feather, a_stream, result+hit_num, result_num-hit_num, mid,attribute_label->server_subscribe_id, (int)a_stream->threadnum); } ret=project_req_add_struct((struct streaminfo *)a_stream, g_tsg_para.internal_project_id, (void *)attribute_label); @@ -1759,7 +1552,7 @@ int tsg_get_fqdn_category_id(Maat_feather_t maat_feather, char *fqdn, unsigned i } -int tsg_scan_app_id_policy(Maat_feather_t maat_feather, struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, scan_status_t *mid, char *name, unsigned int id, int thread_seq) +int tsg_scan_app_id_policy(Maat_feather_t maat_feather, const struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, scan_status_t *mid, char *name, unsigned int id, int thread_seq) { int ret=0; @@ -1769,9 +1562,8 @@ int tsg_scan_app_id_policy(Maat_feather_t maat_feather, struct streaminfo *a_str MESA_handle_runtime_log(g_tsg_para.logger, RLOG_LV_DEBUG, "SCAN_ID", - "Hit %s %s_id: %d ret: %d policy_id: %d service: %d action: %d addr: %s", + "Hit %s id: %d ret: %d policy_id: %d service: %d action: %d addr: %s", name, - (id>1000) ? "app" : "proto", id, ret, result[0].config_id, 
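Review bot: Both subscribe-id scans are now routed through tsg_scan_subscribe_id_policy, but that helper (defined in the last hunk of this commit) hard-codes "source subscribe id" in its hit and miss messages, so the server-side call that replaced the old "dest subscribe id" logging now reports the destination subscriber as a source, and anyone correlating SCAN_SUBSCRIBER debug lines loses the direction. Either pass a direction label into the helper or log the id without one, e.g. `"Hit subscribe id: %s scan ret: %d policy_id: %d service: %d action: %d addr: %s"`. The two calls are also made back to back without re-checking `hit_num<result_num`; with the helper's `result_num==0` guard that is only safe if hit_num never exceeds result_num, which the visible hunks suggest but do not prove. tsg_scan_nesting_addr starts and ends outside this hunk.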
@@ -1783,16 +1575,8 @@ int tsg_scan_app_id_policy(Maat_feather_t maat_feather, struct streaminfo *a_str return ret; } - MESA_handle_runtime_log(g_tsg_para.logger, - RLOG_LV_DEBUG, - "SCAN_ID", - "scan %s %s_id: %d ret: %d addr: %s", - name, - (id>1000) ? "app" : "proto", - id, - ret, - PRINTADDR(a_stream, g_tsg_para.level) - ); + MESA_handle_runtime_log(g_tsg_para.logger, RLOG_LV_DEBUG, "SCAN_ID", "scan %s id: %d ret: %d addr: %s", name, id, ret, PRINTADDR(a_stream, g_tsg_para.level)); + return 0; } @@ -1840,4 +1624,50 @@ int tsg_scan_app_properties_policy(Maat_feather_t maat_feather, struct streaminf return hit_num; } +int tsg_scan_subscribe_id_policy(Maat_feather_t maat_feather, const struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, scan_status_t *mid, struct _subscribe_id_info_t *user_info, int thread_seq) +{ + int maat_ret=0; + if(user_info==NULL || result==NULL || result_num==0) + { + return 0; + } + + maat_ret=Maat_full_scan_string(maat_feather, + g_tsg_para.table_id[TABLE_SUBSCRIBER_ID], + CHARSET_GBK, + user_info->subscribe_id, + strlen(user_info->subscribe_id), + result, + NULL, + result_num, + mid, + thread_seq); + if(maat_ret > 0) + { + MESA_handle_runtime_log(g_tsg_para.logger, + RLOG_LV_DEBUG, + "SCAN_SUBSCRIBER", + "Hit source subscribe id: %s scan ret: %d policy_id: %d service: %d action: %d addr: %s", + user_info->subscribe_id, + maat_ret, + result[0].config_id, + result[0].service_id, + (unsigned char)result[0].action, + PRINTADDR(a_stream, g_tsg_para.level) + ); + + return maat_ret; + } + + MESA_handle_runtime_log(g_tsg_para.logger, + RLOG_LV_DEBUG, + "SCAN_SUBSCRIBER", + "No hit source subscribe id: %s scan ret: %d addr: %s", + user_info->subscribe_id, + maat_ret, + PRINTADDR(a_stream, g_tsg_para.level) + ); + + return 0; +}
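Review bot: tsg_scan_subscribe_id_policy is a new exported function with no header comment; a line such as `/* Scan user_info->subscribe_id against TABLE_SUBSCRIBER_ID; returns Maat_full_scan_string's positive hit count written to result, 0 on miss or when user_info/result/result_num is absent. a_stream is only used for the address in the debug log. */` above the definition would tell callers what they get back. The body calls `strlen(user_info->subscribe_id)` without checking it; if `subscribe_id` is a pointer member rather than an embedded array, a NULL value is undefined behaviour here, so confirm against `struct _subscribe_id_info_t`. As noted on tsg_scan_ip_asn, the `result_num==0` guard should be `result_num<=0`.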