pure commentary cleanups
1 /**
2 * \author Edward Fjellskål <edward.fjellskaal@redpill-linpro.com>
3 * \author Kacper Wysocki <comotion@krutt.org>
4 */
6 //#include "../common.h"
8 #include "../prads.h"
9 #include "../sys_func.h" // u_ntop
10 #include "../cxt.h"
11 #include "log.h"
12 #include "log_stdout.h"
13 #include "log_file.h"
14 #include "log_fifo.h"
/* Number of output plugins currently registered in log_output[]. */
int n_outputs = 0;
/* Registered output plugins; init_logging() appends at index n_outputs.
 * The table has LOG_MAX slots, so n_outputs must never exceed LOG_MAX. */
output_plugin *log_output[LOG_MAX];
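/**
 * Set up function pointers for logging: create the output plugin selected
 * by logtype, register it in log_output[] and run its init hook.
 *
 * @param logtype  one of LOG_FILE, LOG_STDOUT, LOG_FIFO; LOG_ASCII and
 *                 LOG_UNIFIED are accepted but have no plugin yet
 * @param file     passed through unchanged to the plugin's init hook
 * @param flags    passed through unchanged to the plugin's init hook
 * @return 0 on success, the plugin's non-zero init result on failure,
 *         0xFABE when no plugin was created or the output table is full
 */
int init_logging(int logtype, const char *file, int flags)
{
   int rc;
   /* Must start as NULL: several cases below assign nothing, and the
    * pointer is tested (and otherwise dereferenced) after the switch. */
   output_plugin *log_fun = NULL;

   switch (logtype)
   {
      case LOG_FILE:
         log_fun = init_log_file();
         break;
      case LOG_STDOUT:
         log_fun = init_log_stdout();
         break;
      case LOG_FIFO:
         log_fun = init_log_fifo();
         break;
      /* these types are coming !*/
      case LOG_ASCII:
         break;
      case LOG_UNIFIED:
         break;
      default:
         fprintf(stderr,"whoops! init_logging\n");
         break;
   }

   if (!log_fun)
      return 0xFABE;

   /* log_output[] has LOG_MAX slots; refuse to write past the end when the
    * same or additional outputs are configured repeatedly. */
   if (n_outputs < 0 || n_outputs >= LOG_MAX) {
      fprintf(stderr, "init_logging: output table full (%d slots)\n",
              (int)LOG_MAX);
      return 0xFABE;
   }

   /* Register before init, as before; roll back if init fails. */
   log_output[n_outputs++] = log_fun;
   if (!log_fun->init)
      return 0;

   rc = log_fun->init(log_fun, file, flags);
   if (rc) {
      n_outputs--;
      log_output[n_outputs] = NULL;   /* do not leave a half-initialised plugin in the table */
   }
   return rc;
}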
/*
 * log_foo(func, all, count, ...): magic logging dispatcher.
 *
 * Walks the first `count` entries of the plugin array `all` and, for every
 * non-NULL plugin that provides the hook member `func`, calls
 * plugin->func(plugin, <extra args>).
 *
 * The original author notes that this breaks anywhere non-GNU; the
 * `, ##__VA_ARGS__` comma-swallowing form used here is a GNU extension.
 * `count` is re-evaluated on every iteration.
 */
#define log_foo(func, all, count, ...)                               \
   do {                                                              \
      for (int lf_slot_ = 0; lf_slot_ < (count); lf_slot_++) {       \
         output_plugin *lf_plugin_ = (all)[lf_slot_];                \
         if (!lf_plugin_ || !lf_plugin_->func)                       \
            continue;                                                \
         lf_plugin_->func(lf_plugin_, ##__VA_ARGS__);                \
      }                                                              \
   } while (0)
/*
 * Shut down logging: call the denit hook of every registered output plugin
 * that has one. The table itself (log_output / n_outputs) is left as it is.
 */
void end_logging()
{
   for (int slot = 0; slot < n_outputs; slot++) {
      output_plugin *plugin = log_output[slot];

      if (plugin && plugin->denit)
         plugin->denit(plugin);
   }
}
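/*
 * Hand an asset with a newly learned MAC address to the arp hook of every
 * registered output plugin.
 *
 * With DEBUG_LOG defined the asset's IPv4 address is also written to the
 * debug log. The address is only logged when inet_ntop() succeeds, so a
 * failed conversion can no longer print whatever an earlier call left in
 * the buffer.
 */
void log_asset_arp (asset *masset)
{
#ifdef DEBUG_LOG
   char ip_addr_s[INET6_ADDRSTRLEN];

   /* Size argument is the real buffer size rather than a separate constant. */
   if (inet_ntop(AF_INET, &masset->ip_addr.s6_addr32[0], ip_addr_s, sizeof ip_addr_s)) {
      dlog("[*] added mac address to asset: %s\n",ip_addr_s);
   } else {
      perror("inet_ntop");
   }
#endif
   log_foo(arp, log_output, n_outputs, masset);
}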
/*
 * Hand a detected OS fingerprint for asset `main` to the os hook of every
 * registered output plugin.
 *
 * DEBUG builds format the asset address with u_ntop(); the debug line
 * itself is only emitted when DEBUG_LOG is defined as well.
 */
void log_asset_os (asset *main, os_asset *os, connection *cxt)
{
#ifdef DEBUG
   static char addr_text[INET6_ADDRSTRLEN];

   u_ntop(main->ip_addr, main->af, addr_text);
#  ifdef DEBUG_LOG
   /* NOTE(review): raw_fp and detection look like they originate from
    * observed traffic / signatures and are printed unescaped - confirm that
    * the debug sink tolerates control characters. */
   dlog("[%lu] Incoming asset, %s: %s:%u [%s]\n",
        os->last_seen,
        (char*)bdata(os->detection),
        addr_text,
        ntohs(os->port),
        (char*)bdata(os->raw_fp));
#  endif
#endif
   log_foo(os, log_output, n_outputs, main, os, cxt);
}
/*
 * Hand a detected service or client application on asset `main` to the
 * service hook of every registered output plugin.
 *
 * DEBUG builds additionally print one line to stderr, labelled "service"
 * when the role is SC_SERVER and "client" otherwise.
 */
void log_asset_service (asset *main, serv_asset *service, connection *cxt)
{
#ifdef DEBUG
   static char addr_text[INET6_ADDRSTRLEN];

   u_ntop(main->ip_addr, main->af, addr_text);

   /* NOTE(review): the application string presumably comes from matched
    * traffic and goes to stderr unescaped - confirm before relying on this
    * output in a terminal. */
   if (service->role != SC_SERVER) {
      fprintf(stderr, "[*] new client: %s:%d %s\n",
              addr_text, ntohs(service->port),
              (char *)bdata(service->application));
   } else {
      fprintf(stderr, "[*] new service: %s:%d %s\n",
              addr_text, ntohs(service->port),
              (char *)bdata(service->application));
   }
#endif
   log_foo(service, log_output, n_outputs, main, service, cxt);
}
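//asprintf(&cxtfname, "%s/stats.%s.%ld", dpath, dev, tstamp);
//cxtFile = fopen(cxtfname, "w");

/* Render *t as "YYYY-MM-DD HH:MM:SS" (UTC) into buf; buf is set to "" when
 * the time cannot be converted or does not fit. len must be non-zero. */
static void cxt_format_utc(char *buf, size_t len, const time_t *t)
{
   struct tm *utc = gmtime(t);

   /* gmtime() may return NULL and strftime() leaves buf indeterminate when
    * it returns 0, so never print the buffer without checking both. */
   if (!utc || strftime(buf, len, "%F %H:%M:%S", utc) == 0)
      buf[0] = '\0';
}

/* Convert one endpoint address to text; on failure report it with perror()
 * and leave buf empty so no unrelated address ends up in the record. */
static void cxt_format_addr(int af, const void *addr, char *buf, size_t len)
{
   if (!inet_ntop(af, addr, buf, (socklen_t)len)) {
      perror("inet_ntop");
      buf[0] = '\0';
   }
}

/**
 * log_connection(cxt, fd, outputmode): write cxt to fd as one line of
 * '|'-separated fields:
 *
 *   startsec+id|start time|end time|total time|proto|src|sport|dst|dport|
 *   s_packets|s_bytes|d_packets|d_bytes|s_flags|d_flags[|marker]
 *
 * The first field is the start time in seconds immediately followed by the
 * connection id zero-padded to nine digits (there is no separator between
 * the two). Times are formatted in UTC.
 *
 * Addresses are written in human-readable form when outputmode is non-zero
 * or the connection is IPv6; otherwise IPv4 addresses are written as
 * host-order integers. A connection that is neither AF_INET nor AF_INET6
 * in integer mode is written with address 0.
 *
 * outputmode CX_EXPIRE, CX_ENDED and CX_NEW append the marker "[expired.]",
 * "[ended.]" or "[New]" to distinguish output paths.
 *
 * TODO: call plugins
 *
 * question is only whether to dump ip address as int or human readable
 *
 * @param cxt         connection to log; nothing is written when NULL
 * @param fd          destination stream; nothing is written when NULL
 * @param outputmode  0 or one of the CX_* values described above
 */
void log_connection(connection *cxt, FILE* fd, int outputmode)
{
   char stime[80], ltime[80];
   /* Automatic rather than static: a failed conversion must not be able to
    * reuse the address of a previously logged connection. */
   char src_s[INET6_ADDRSTRLEN];
   char dst_s[INET6_ADDRSTRLEN];
   uint32_t s_ip_t = 0, d_ip_t = 0;   /* defined even for unknown families */
   time_t tot_time;
   const char *o = NULL;

   if (!cxt || !fd)
      return;

   cxt_format_utc(stime, sizeof stime, &cxt->start_time);
   cxt_format_utc(ltime, sizeof ltime, &cxt->last_pkt_time);

   tot_time = cxt->last_pkt_time - cxt->start_time;
   if ( cxt->af == AF_INET ) {
      s_ip_t = ntohl(cxt->s_ip.s6_addr32[0]);
      d_ip_t = ntohl(cxt->d_ip.s6_addr32[0]);
   }

   /* Casts pin each argument to the type its conversion specifier expects. */
   fprintf(fd, "%ld%09ju|%s|%s|%ld|%u|",
           (long)cxt->start_time, (uintmax_t)cxt->cxid, stime, ltime,
           (long)tot_time, (unsigned)cxt->proto);

   if(outputmode || cxt->af == AF_INET6) {
      cxt_format_addr(cxt->af,
                      (cxt->af == AF_INET6 ? (const void *)&cxt->s_ip
                                           : (const void *)cxt->s_ip.s6_addr32),
                      src_s, sizeof src_s);
      cxt_format_addr(cxt->af,
                      (cxt->af == AF_INET6 ? (const void *)&cxt->d_ip
                                           : (const void *)cxt->d_ip.s6_addr32),
                      dst_s, sizeof dst_s);
      fprintf(fd, "%s|%u|%s|%u|",
              src_s, (unsigned)ntohs(cxt->s_port),
              dst_s, (unsigned)ntohs(cxt->d_port));
   } else {
      fprintf(fd, "%u|%u|%u|%u|",
              (unsigned)s_ip_t, (unsigned)ntohs(cxt->s_port),
              (unsigned)d_ip_t, (unsigned)ntohs(cxt->d_port));
   }

   fprintf(fd, "%ju|%ju|",
           (uintmax_t)cxt->s_total_pkts, (uintmax_t)cxt->s_total_bytes);
   fprintf(fd, "%ju|%ju|%u|%u",
           (uintmax_t)cxt->d_total_pkts, (uintmax_t)cxt->d_total_bytes,
           (unsigned)cxt->s_tcpFlags, (unsigned)cxt->d_tcpFlags);

   // hack to distinguish output paths
   switch (outputmode) {
      case CX_EXPIRE:
         o="[expired.]";
         break;
      case CX_ENDED:
         o="[ended.]";
         break;
      case CX_NEW:
         o="[New]";
         break;
      default:
         break;
   }
   if(o) fprintf(fd, "|%s", o);
   fprintf(fd, "\n");
}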