From 09cdbbfcdb6d796884caf294ac24a54be8d82cc3 Mon Sep 17 00:00:00 2001
From: laforge
Date: Thu, 16 Nov 2000 17:20:52 +0000
Subject: Major update. Almost everything has changed.
- no more dynamic allocations at runtime - only once at startup
- less list traversal through interpreter and key hashes
- output plugins can request only certain results!
---
 extensions/ulogd_BASE.c | 267 +++++++++++++++++++++++++--------------------
 extensions/ulogd_OPRINT.c | 6 +-
 extensions/ulogd_PWSNIFF.c | 42 ++++---
 3 files changed, 171 insertions(+), 144 deletions(-)
(limited to 'extensions')
diff --git a/extensions/ulogd_BASE.c b/extensions/ulogd_BASE.c
index 391ac59..5d4ef2f 100644
--- a/extensions/ulogd_BASE.c
+++ b/extensions/ulogd_BASE.c
@@ -1,11 +1,11 @@
-/* ulogd_MAC.c, Version $Revision: 1.5 $
+/* ulogd_MAC.c, Version $Revision: 1.6 $
 *
 * ulogd logging interpreter for MAC addresses, TIME, IP and TCP headers, etc.
 *
 * (C) 2000 by Harald Welte
 * This software is released under the terms of GNU GPL
 *
- * $Id: ulogd_BASE.c,v 1.5 2000/09/22 06:54:33 laforge Exp $
+ * $Id: ulogd_BASE.c,v 1.6 2000/09/26 06:25:02 laforge Exp $
 *
 */
@@ -18,12 +18,19 @@
 #include
 #include
-ulog_iret_t *_interp_mac(ulog_packet_msg_t *pkt)
+/***********************************************************************
+ * Raw header
+ ***********************************************************************/
+static ulog_iret_t mac_rets[1] = {
+ { NULL, NULL, 0, ULOGD_RET_STRING, ULOGD_RETF_FREE, "raw.mac", NULL },
+};
+
+ulog_iret_t *_interp_mac(struct ulog_interpreter *ip, ulog_packet_msg_t *pkt)
 {
 unsigned char *p;
 int i;
 char *buf;
- ulog_iret_t *ret;
+ ulog_iret_t *ret = ip->result;
 if (pkt->mac_len) {
 buf = (char *) malloc(3 * pkt->mac_len + 1);
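Review bot: `buf = (char *) malloc(3 * pkt->mac_len + 1);` on the last line of this hunk is still used without a NULL check, and since the new `mac_rets[0]` entry is flagged ULOGD_RETF_FREE whatever pointer lands in `ret[0].value.ptr` is presumably handed to the core for release; add `if (!buf) return NULL;` directly after the call. The buffer is also never initialised, yet the loop that fills it (in the next hunk) does so with `sprintf(buf, "%s%02x%c", buf, ...)`, where the first `%s` reads uninitialised heap and the call passes overlapping source and destination, which is undefined behaviour; `buf[0] = '\0';` after the NULL check plus appending at a running offset (`off += sprintf(buf + off, "%02x%c", ...)`) removes both problems. `_interp_mac` starts in this hunk and its body continues past the end of it.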
@@ -32,201 +39,223 @@ ulog_iret_t *_interp_mac(ulog_packet_msg_t *pkt)
 p = pkt->mac;
 for (i = 0; i < pkt->mac_len; i++, p++)
 sprintf(buf, "%s%02x%c", buf, *p, i==pkt->mac_len-1 ? ' ':':');
- ret = alloc_ret(ULOGD_RET_STRING,"raw.mac.addr");
- ret->value.ptr = buf;
+ ret[0].value.ptr = buf;
+ ret[0].flags |= ULOGD_RETF_VALID;
 return ret;
 }
 return NULL;
 }
-ulog_iret_t *_interp_time(ulog_packet_msg_t *pkt)
-{
- ulog_iret_t *ret, *ret2;
-
- ret = alloc_ret(ULOGD_RET_UINT32, "oob.time.sec");
- ret2 = alloc_ret(ULOGD_RET_UINT32, "oob.time.usec");
-
- ret->value.ui32 = pkt->timestamp_sec;
- ret->next = ret2;
+/***********************************************************************
+ * OUT OF BAND
+ ***********************************************************************/
- ret2->value.ui32 = pkt->timestamp_usec;
-
- return ret;
-}
+static ulog_iret_t oob_rets[] = {
+ { NULL, NULL, 0, ULOGD_RET_STRING, ULOGD_RETF_NONE, "oob.prefix", NULL },
+ { NULL, NULL, 0, ULOGD_RET_UINT32, ULOGD_RETF_NONE, "oob.time.sec", NULL },
+ { NULL, NULL, 0, ULOGD_RET_UINT32, ULOGD_RETF_NONE, "oob.time.usec", NULL },
+ { NULL, NULL, 0, ULOGD_RET_UINT32, ULOGD_RETF_NONE, "oob.mark", NULL },
+};
-ulog_iret_t *_interp_prefix(ulog_packet_msg_t *pkt)
+ulog_iret_t *_interp_oob(struct ulog_interpreter *ip, ulog_packet_msg_t *pkt)
 {
- ulog_iret_t *ret;
-
- ret = alloc_ret(ULOGD_RET_STRING, "oob.prefix");
- ret->value.ptr = malloc(sizeof(pkt->prefix));
- strcpy(ret->value.ptr, pkt->prefix);
+ ulog_iret_t *ret = ip->result;
+
+ ret[0].value.ptr = pkt->prefix;
+ ret[0].flags |= ULOGD_RETF_VALID;
+ ret[1].value.ui32 = pkt->timestamp_sec;
+ ret[1].flags |= ULOGD_RETF_VALID;
+ ret[2].value.ui32 = pkt->timestamp_usec;
+ ret[2].flags |= ULOGD_RETF_VALID;
+ ret[3].value.ui32 = pkt->mark;
+ ret[3].flags |= ULOGD_RETF_VALID;
 return ret;
 }
-ulog_iret_t *_interp_mark(ulog_packet_msg_t *pkt)
-{
- ulog_iret_t *ret;
-
- ret = alloc_ret(ULOGD_RET_UINT32, "oob.mark");
- ret->value.ui32 = pkt->mark;
-
- return ret;
-}
+/***********************************************************************
+ * IP HEADER
+ ***********************************************************************/
+
+static ulog_iret_t iphdr_rets[] = {
+ { NULL, NULL, 0, ULOGD_RET_IPADDR, ULOGD_RETF_NONE, "ip.saddr", 0 },
+ { NULL, NULL, 0, ULOGD_RET_IPADDR, ULOGD_RETF_NONE, "ip.daddr", 0 },
+ { NULL, NULL, 0, ULOGD_RET_UINT8, ULOGD_RETF_NONE, "ip.protocol", 0 },
+ { NULL, NULL, 0, ULOGD_RET_UINT8, ULOGD_RETF_NONE, "ip.tos", 0 },
+ { NULL, NULL, 0, ULOGD_RET_UINT8, ULOGD_RETF_NONE, "ip.ttl", 0 },
+ { NULL, NULL, 0, ULOGD_RET_UINT16, ULOGD_RETF_NONE, "ip.totlen", 0 },
+ { NULL, NULL, 0, ULOGD_RET_UINT8, ULOGD_RETF_NONE, "ip.ihl", 0 },
+ { NULL, NULL, 0, ULOGD_RET_UINT16, ULOGD_RETF_NONE, "ip.csum", 0 },
+};
-ulog_iret_t *_interp_iphdr(ulog_packet_msg_t *pkt)
+ulog_iret_t *_interp_iphdr(struct ulog_interpreter *ip, ulog_packet_msg_t *pkt)
 {
- ulog_iret_t *ret, *ret2;
+ ulog_iret_t *ret = ip->result;
 struct iphdr *iph = (struct iphdr *) pkt->payload;
- ret = alloc_ret(ULOGD_RET_IPADDR, "ip.hdr.saddr");
- ret->value.ui32 = ntohl(iph->saddr);
-
- ret->next = ret2 = alloc_ret(ULOGD_RET_IPADDR, "ip.hdr.daddr");
- ret2->value.ui32 = ntohl(iph->daddr);
-
- ret2 = ret2->next = alloc_ret(ULOGD_RET_UINT8, "ip.hdr.protocol");
- ret2->value.ui8 = iph->protocol;
-
- ret2 = ret2->next = alloc_ret(ULOGD_RET_UINT8, "ip.hdr.tos");
- ret2->value.ui8 = ntohs(iph->tos);
-
- ret2 = ret2->next = alloc_ret(ULOGD_RET_UINT8, "ip.hdr.ttl");
- ret2->value.ui8 = iph->ttl;
-
- ret2 = ret2->next = alloc_ret(ULOGD_RET_UINT16, "ip.hdr.tot_len");
- ret2->value.ui16 = ntohs(iph->tot_len);
-
- ret2 = ret2->next = alloc_ret(ULOGD_RET_UINT8, "ip.hdr.ihl");
- ret2->value.ui8 = iph->ihl;
-
- ret2 = ret2->next = alloc_ret(ULOGD_RET_UINT16, "ip.hdr.csum");
- ret2->value.ui16 = ntohs(iph->check);
+ ret[0].value.ui32 = ntohl(iph->saddr);
+ ret[0].flags |= ULOGD_RETF_VALID;
+ ret[1].value.ui32 = ntohl(iph->daddr);
+ ret[1].flags |= ULOGD_RETF_VALID;
+ ret[2].value.ui8 = iph->protocol;
+ ret[2].flags |= ULOGD_RETF_VALID;
+ ret[3].value.ui8 = ntohs(iph->tos);
+ ret[3].flags |= ULOGD_RETF_VALID;
+ ret[4].value.ui8 = iph->ttl;
+ ret[4].flags |= ULOGD_RETF_VALID;
+ ret[5].value.ui16 = ntohs(iph->tot_len);
+ ret[5].flags |= ULOGD_RETF_VALID;
+ ret[6].value.ui8 = iph->ihl;
+ ret[6].flags |= ULOGD_RETF_VALID;
+ ret[7].value.ui16 = ntohs(iph->check);
+ ret[7].flags |= ULOGD_RETF_VALID;
 return ret;
 }
-ulog_iret_t *_interp_tcphdr(ulog_packet_msg_t *pkt)
+/***********************************************************************
+ * TCP HEADER
+ ***********************************************************************/
+static ulog_iret_t tcphdr_rets[] = {
+ { NULL, NULL, 0, ULOGD_RET_UINT16, ULOGD_RETF_NONE, "tcp.sport", 0 },
+ { NULL, NULL, 0, ULOGD_RET_UINT16, ULOGD_RETF_NONE, "tcp.dport", 0 },
+ { NULL, NULL, 0, ULOGD_RET_UINT32, ULOGD_RETF_NONE, "tcp.seq", 0 },
+ { NULL, NULL, 0, ULOGD_RET_UINT32, ULOGD_RETF_NONE, "tcp.ackseq", 0 },
+ { NULL, NULL, 0, ULOGD_RET_UINT16, ULOGD_RETF_NONE, "tcp.window", 0 },
+ { NULL, NULL, 0, ULOGD_RET_BOOL, ULOGD_RETF_NONE, "tcp.urg", 0 },
+ { NULL, NULL, 0, ULOGD_RET_UINT16, ULOGD_RETF_NONE, "tcp.urgp", 0 },
+ { NULL, NULL, 0, ULOGD_RET_BOOL, ULOGD_RETF_NONE, "tcp.ack", 0 },
+ { NULL, NULL, 0, ULOGD_RET_BOOL, ULOGD_RETF_NONE, "tcp.psh", 0 },
+ { NULL, NULL, 0, ULOGD_RET_BOOL, ULOGD_RETF_NONE, "tcp.rst", 0 },
+ { NULL, NULL, 0, ULOGD_RET_BOOL, ULOGD_RETF_NONE, "tcp.syn", 0 },
+ { NULL, NULL, 0, ULOGD_RET_BOOL, ULOGD_RETF_NONE, "tcp.fin", 0 },
+};
+
+ulog_iret_t *_interp_tcphdr(struct ulog_interpreter *ip, ulog_packet_msg_t *pkt)
 {
 struct iphdr *iph = (struct iphdr *) pkt->payload;
 void *protoh = (u_int32_t *)iph + iph->ihl;
 struct tcphdr *tcph = (struct tcphdr *) protoh;
- ulog_iret_t *ret, *ret2;
+ ulog_iret_t *ret = ip->result;
 if (iph->protocol != IPPROTO_TCP)
 return NULL;
- ret = alloc_ret(ULOGD_RET_UINT16, "tcp.hdr.sport");
- ret->value.ui16 = ntohs(tcph->source);
-
- ret->next = ret2 = alloc_ret(ULOGD_RET_UINT16, "tcp.hdr.dport");
- ret2->value.ui16 = ntohs(tcph->dest);
-
- ret2 = ret2->next = alloc_ret(ULOGD_RET_UINT32, "tcp.hdr.seq");
- ret2->value.ui32 = ntohl(tcph->seq);
-
- ret2 = ret2->next = alloc_ret(ULOGD_RET_UINT32, "tcp.hdr.ack_seq");
- ret2->value.ui32 = ntohl(tcph->ack_seq);
-
- ret2 = ret2->next = alloc_ret(ULOGD_RET_UINT16, "tcp.hdr.window");
- ret2->value.ui16 = ntohs(tcph->window);
-
+ ret[0].value.ui16 = ntohs(tcph->source);
+ ret[0].flags |= ULOGD_RETF_VALID;
+ ret[1].value.ui16 = ntohs(tcph->dest);
+ ret[1].flags |= ULOGD_RETF_VALID;
+ ret[2].value.ui32 = ntohl(tcph->seq);
+ ret[2].flags |= ULOGD_RETF_VALID;
+ ret[3].value.ui32 = ntohl(tcph->ack_seq);
+ ret[3].flags |= ULOGD_RETF_VALID;
+ ret[4].value.ui16 = ntohs(tcph->window);
+ ret[4].flags |= ULOGD_RETF_VALID;
 if (tcph->urg) {
- ret2 = ret2->next = alloc_ret(ULOGD_RET_BOOL, "tcp.hdr.urg");
- ret2->value.b = 1;
-
- ret2 = ret2->next = alloc_ret(ULOGD_RET_UINT16, "tcp.hdr.urgp");
- ret2->value.ui16 = ntohs(tcph->urg_ptr);
+ ret[5].value.b = tcph->urg;
+ ret[5].flags |= ULOGD_RETF_VALID;
+ ret[6].value.ui16 = ntohs(tcph->urg_ptr);
+ ret[6].flags |= ULOGD_RETF_VALID;
 }
 if (tcph->ack) {
- ret2 = ret2->next = alloc_ret(ULOGD_RET_BOOL, "tcp.hdr.ack");
- ret2->value.b = 1;
+ ret[7].value.b = tcph->ack;
+ ret[7].flags |= ULOGD_RETF_VALID;
 }
 if (tcph->psh) {
- ret2 = ret2->next = alloc_ret(ULOGD_RET_BOOL, "tcp.hdr.psh");
- ret2->value.b = 1;
+ ret[8].value.b = tcph->psh;
+ ret[8].flags |= ULOGD_RETF_VALID;
 }
 if (tcph->rst) {
- ret2 = ret2->next = alloc_ret(ULOGD_RET_BOOL, "tcp.hdr.rst");
- ret2->value.b = 1;
+ ret[9].value.b = tcph->rst;
+ ret[9].flags |= ULOGD_RETF_VALID;
 }
 if (tcph->syn) {
- ret2 = ret2->next = alloc_ret(ULOGD_RET_BOOL, "tcp.hdr.syn");
- ret2->value.b = 1;
+ ret[10].value.b = tcph->syn;
+ ret[10].flags |= ULOGD_RETF_VALID;
 }
 if (tcph->fin) {
- ret2 = ret2->next = alloc_ret(ULOGD_RET_BOOL, "tcp.hdr.fin");
- ret2->value.b = 1;
+ ret[11].value.b = tcph->fin;
+ ret[11].flags |= ULOGD_RETF_VALID;
 }
 return ret;
 }
-ulog_iret_t *_interp_udp(ulog_packet_msg_t *pkt)
+/***********************************************************************
+ * UDP HEADER
+ ***********************************************************************/
+static ulog_iret_t udphdr_rets[] = {
+ { NULL, NULL, 0, ULOGD_RET_UINT16, ULOGD_RETF_NONE, "udp.sport", 0 },
+ { NULL, NULL, 0, ULOGD_RET_UINT16, ULOGD_RETF_NONE, "udp.dport", 0 },
+ { NULL, NULL, 0, ULOGD_RET_UINT16, ULOGD_RETF_NONE, "upd.len", 0 },
+};
+ulog_iret_t *_interp_udp(struct ulog_interpreter *ip, ulog_packet_msg_t *pkt)
 {
 struct iphdr *iph = (struct iphdr *) pkt->payload;
 void *protoh = (u_int32_t *)iph + iph->ihl;
 struct udphdr *udph = protoh;
- ulog_iret_t *ret, *ret2;
+ ulog_iret_t *ret = ip->result;
 if (iph->protocol != IPPROTO_UDP)
 return NULL;
- ret = alloc_ret(ULOGD_RET_UINT16, "udp.hdr.sport");
- ret->value.ui16 = ntohs(udph->source);
-
- ret2 = ret->next = alloc_ret(ULOGD_RET_UINT16, "udp.hdr.dport");
- ret2->value.ui16 = ntohs(udph->dest);
-
- ret2 = ret2->next = alloc_ret(ULOGD_RET_UINT16, "udp.hdr.len");
- ret2->value.ui16 = ntohs(udph->len);
+ ret[0].value.ui16 = ntohs(udph->source);
+ ret[0].flags |= ULOGD_RETF_VALID;
+ ret[1].value.ui16 = ntohs(udph->dest);
+ ret[1].flags |= ULOGD_RETF_VALID;
+ ret[2].value.ui16 = ntohs(udph->len);
+ ret[2].flags |= ULOGD_RETF_VALID;
 return ret;
 }
-ulog_iret_t *_interp_icmp(ulog_packet_msg_t *pkt)
+/***********************************************************************
+ * ICMP HEADER
+ ***********************************************************************/
+
+static ulog_iret_t icmphdr_rets[] = {
+ { NULL, NULL, 0, ULOGD_RET_UINT16, ULOGD_RETF_NONE, "icmp.type", 0 },
+};
+
+ulog_iret_t *_interp_icmp(struct ulog_interpreter *ip, ulog_packet_msg_t *pkt)
 {
 struct iphdr *iph = (struct iphdr *) pkt->payload;
 void *protoh = (u_int32_t *) (iph + iph->ihl);
 struct icmphdr *icmph = protoh;
- ulog_iret_t *ret;
+ ulog_iret_t *ret = ip->result;
 if (iph->protocol != IPPROTO_ICMP)
 return NULL;
- ret = alloc_ret(ULOGD_RET_UINT8, "icmp.hdr.type");
- ret->value.ui8 = icmph->type;
+ ret[0].value.ui8 = icmph->type;
+ ret[0].flags |= ULOGD_RETF_VALID;
 return ret;
 }
-
-static ulog_interpreter_t base_ip[] = {
-
- { NULL, "raw.mac", &_interp_mac },
- { NULL, "oob.time", &_interp_time },
- { NULL, "oob.prefix", &_interp_prefix },
- { NULL, "oob.mark", &_interp_mark },
- { NULL, "ip.hdr", &_interp_iphdr },
- { NULL, "tcp.hdr", &_interp_tcphdr },
- { NULL, "icmp.hdr", &_interp_icmp },
- { NULL, "udp.hdr", &_interp_udp },
- { NULL, "", NULL },
+static ulog_interpreter_t base_ip[] = {
+ { NULL, "raw", 0, &_interp_mac, 1, &mac_rets },
+ { NULL, "oob", 0, &_interp_oob, 4, &oob_rets },
+ { NULL, "ip", 0, &_interp_iphdr, 8, &iphdr_rets },
+ { NULL, "tcp", 0, &_interp_tcphdr, 12, &tcphdr_rets },
+ { NULL, "icmp", 0, &_interp_icmp, 1, &icmphdr_rets },
+ { NULL, "udp", 0, &_interp_udp, 3, &udphdr_rets },
+ { NULL, "", 0, NULL, 0, { NULL } },
 };
+
 void _base_reg_ip(void)
 {
 ulog_interpreter_t *ip = base_ip;
 ulog_interpreter_t *p;
- for (p = ip; p->interp; p++)
+ for (p = ip; p->interp; p++) {
 register_interpreter(p);
+ }
 }
-
 void _init(void)
 {
 _base_reg_ip();
diff --git a/extensions/ulogd_OPRINT.c b/extensions/ulogd_OPRINT.c
index 0b551b6..3fa42ed 100644
--- a/extensions/ulogd_OPRINT.c
+++ b/extensions/ulogd_OPRINT.c
@@ -1,11 +1,11 @@
-/* ulogd_MAC.c, Version $Revision: 1.3 $
+/* ulogd_MAC.c, Version $Revision: 1.4 $
 *
 * ulogd output target for logging to a file
 *
 * (C) 2000 by Harald Welte
 * This software is released under the terms of GNU GPL
 *
- * $Id: ulogd_OPRINT.c,v 1.3 2000/09/12 14:29:37 laforge Exp $
+ * $Id: ulogd_OPRINT.c,v 1.4 2000/09/22 06:54:33 laforge Exp $
 *
 */
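Review bot: The new `icmphdr_rets` table declares `icmp.type` as ULOGD_RET_UINT16 while `_interp_icmp` stores it through `ret[0].value.ui8 = icmph->type;`, so an output plugin that trusts the table type reads a 16-bit union member of which only one byte was written; the entry should read `{ NULL, NULL, 0, ULOGD_RET_UINT8, ULOGD_RETF_NONE, "icmp.type", 0 },`. The same interpreter keeps `(u_int32_t *) (iph + iph->ihl)`, which advances by `ihl * sizeof(struct iphdr)` rather than `ihl * 4`, so `icmph` points past the real header; it should use `void *protoh = (u_int32_t *)iph + iph->ihl;` exactly as the TCP and UDP interpreters do. Two smaller slips in the same hunk: `udphdr_rets` registers the key `"upd.len"` where `"udp.len"` is evidently meant, and `ret[3].value.ui8 = ntohs(iph->tos);` byte-swaps an 8-bit field, which truncates to 0 on little-endian hosts (plain `iph->tos` is the value wanted). More importantly, none of the header interpreters checks `iph->ihl >= 5` or compares `ihl * 4` plus the transport header size against the number of bytes actually captured before dereferencing `pkt->payload`, so a truncated copy range or a crafted IHL is read past the buffer; the ULOG message presumably carries a captured-length field that should gate each interpreter (confirm its name against the header this file includes). `_interp_mac` begins in the previous hunk and `_init` continues past the end of this one.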
@@ -34,7 +34,7 @@ int _output_print(ulog_iret_t *res)
 ulog_iret_t *ret;
 fprintf(of, "===>PACKET BOUNDARY\n");
- for (ret = res; ret; ret = ret->next) {
+ for (ret = res; ret; ret = ret->cur_next) {
 fprintf(of,"%s=", ret->key);
 switch (ret->type) {
 case ULOGD_RET_STRING:
diff --git a/extensions/ulogd_PWSNIFF.c b/extensions/ulogd_PWSNIFF.c
index f8e1327..cc0f19e 100644
--- a/extensions/ulogd_PWSNIFF.c
+++ b/extensions/ulogd_PWSNIFF.c
@@ -1,11 +1,11 @@
-/* ulogd_PWSNIFF.c, Version $Revision: 1.1 $
+/* ulogd_PWSNIFF.c, Version $Revision: 1.2 $
 *
 * ulogd logging interpreter for POP3 / FTP like plaintext passwords.
 *
 * (C) 2000 by Harald Welte
 * This software is released under the terms of GNU GPL
 *
- * $Id: ulogd_PWSNIFF.c,v 1.1 2000/08/17 08:03:22 laforge Exp $
+ * $Id: ulogd_PWSNIFF.c,v 1.2 2000/09/22 06:54:33 laforge Exp $
 *
 */
@@ -46,15 +46,14 @@ static char *_get_next_blank(char* begp, char *endp)
 return NULL;
 }
-static ulog_iret_t *_interp_pwsniff(ulog_packet_msg_t *pkt)
+static ulog_iret_t *_interp_pwsniff(ulog_interpreter_t *ip, ulog_packet_msg_t *pkt)
 {
 struct iphdr *iph = (struct iphdr *) pkt->payload;
 void *protoh = (u_int32_t *)iph + iph->ihl;
 struct tcphdr *tcph = protoh;
 u_int32_t tcplen = ntohs(iph->tot_len) - iph->ihl * 4;
 unsigned char *ptr, *begp, *pw_begp, *endp, *pw_endp;
- ulog_iret_t *ret = NULL;
- ulog_iret_t *ret2;
+ ulog_iret_t *ret = ip->result;
 int len, pw_len, i, cont = 0;
 len = pw_len = 0;
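Review bot: `u_int32_t tcplen = ntohs(iph->tot_len) - iph->ihl * 4;` in `_interp_pwsniff` trusts two fields of the very packet being sniffed: a `tot_len` smaller than `ihl * 4` wraps the unsigned subtraction to a value near 4 GiB, and a `tot_len` larger than the bytes the kernel actually copied lets the scan that follows (outside this hunk) walk past the end of `pkt->payload`. Reject the first case with `if (ntohs(iph->tot_len) < iph->ihl * 4) return NULL;` before computing `tcplen`, and clamp the second against the captured length the ULOG message carries (that field is not visible here; confirm its name). The function's body continues past the end of this hunk.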
@@ -94,37 +93,36 @@ static ulog_iret_t *_interp_pwsniff(ulog_packet_msg_t *pkt)
 }
 if (len) {
- ret = alloc_ret(ULOGD_RET_STRING, "pwsniff.user");
- ret->value.ptr = (char *) malloc(len+1);
- if (!ret->value.ptr) {
+ ret[0].value.ptr = (char *) malloc(len+1);
+ ret[0].flags |= ULOGD_RETF_VALID;
+ if (!ret[0].value.ptr) {
 ulogd_error("_interp_pwsniff: OOM (size=%u)\n", len);
- free(ret);
 return NULL;
 }
- strncpy(ret->value.ptr, begp, len);
- *((char *)ret->value.ptr + len + 1) = '\0';
+ strncpy(ret[0].value.ptr, begp, len);
+ *((char *)ret[0].value.ptr + len + 1) = '\0';
 }
 if (pw_len) {
- ret2 = alloc_ret(ULOGD_RET_STRING,"pwsniff.pass");
- ret2->value.ptr = (char *) malloc(pw_len+1);
- if (!ret2->value.ptr){
+ ret[1].value.ptr = (char *) malloc(pw_len+1);
+ ret[1].flags |= ULOGD_RETF_VALID;
+ if (!ret[1].value.ptr){
 ulogd_error("_interp_pwsniff: OOM (size=%u)\n", pw_len);
- free(ret2);
 return NULL;
 }
- strncpy(ret2->value.ptr, pw_begp, pw_len);
- *((char *)ret2->value.ptr + pw_len + 1) = '\0';
+ strncpy(ret[1].value.ptr, pw_begp, pw_len);
+ *((char *)ret[1].value.ptr + pw_len + 1) = '\0';
-
- if (ret)
- ret->next = ret2;
- else
- ret = ret2;
 }
 return ret;
 }
+
+static ulog_iret_t pwsniff_rets[] = {
+ { NULL, NULL, 0, ULOGD_RET_STRING, ULOGD_RETF_FREE, "pwsniff.user", 0 },
+ { NULL, NULL, 0, ULOGD_RET_STRING, ULOGD_RETF_FREE, "pwsniff.pass", 0 },
+};
 static ulog_interpreter_t base_ip[] = {
- { NULL, "pwsniff", &_interp_pwsniff },
+ { NULL, "pwsniff", 0, &_interp_pwsniff, 2, &pwsniff_rets },
 { NULL, "", NULL },
 };
 void _base_reg_ip(void)
-- cgit v1.2.3
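Review bot: `*((char *)ret[0].value.ptr + len + 1) = '\0';` writes one byte past the `malloc(len+1)` allocation and leaves byte `len` untouched, so the copied user name is never terminated and the heap byte after it is corrupted; the same off-by-one is repeated for the password with `pw_len`. The terminator belongs at `+ len` and `+ pw_len` respectively (`*((char *)ret[0].value.ptr + len) = '\0';`), or more plainly `memcpy` followed by `ptr[len] = '\0'`. `ret[0].flags |= ULOGD_RETF_VALID;` is also set before the NULL check, so on allocation failure a slot carrying ULOGD_RETF_FREE is marked valid with a NULL pointer; move the flag assignment below the check, and on the password OOM path release the user string already stored in `ret[0]` (the old code freed its node here). `_interp_pwsniff` begins before this hunk.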