engine/message.c

00001 #include "message.h"
00002 #include <string.h>
00003 #include <stdlib.h>
00004 #include <stdio.h>
00005 #include "../decoders/decode_ip.h"
00006 #include "../decoders/decode_tcp.h"
00007 #include "../decoders/decode_udp.h"
00008 #include <netinet/in.h>
00009 #include <arpa/inet.h>
00010 
00011 //#define DEBUG
00012 
00013 extern GlobalVars       Globals;
00014 
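/***************************************************
* Make sense of a message string
*
* Splits a message template into a linked list of
* MessageItem nodes: one node per literal character
* and one node per recognised %macro (%sip, %dip, %sp,
* %dp, %min, %y, %m, %d, %h, %s, %usec, %pn, %ac;
* matched case-insensitively).
*
* Returns the head of the list, which the caller
* releases with FreeMessage().  Returns NULL for a
* NULL or empty string, and also when an allocation
* fails (the partial list is freed first).
***************************************************/
MessageItem* ParseMessageString(char* MString){
        /*
         * Macro table.  Order matters: a longer token must come
         * before any shorter token that is a prefix of it
         * ("%sip" and "%sp" before "%s", "%min" before "%m",
         * "%dip" and "%dp" before "%d").
         */
        static const struct {
                const char*     Token;
                size_t          Len;
                int             Type;
                const char*     DebugName;
        } Macros[] = {
                {"%sip",  4, MESSAGE_ITEM_SIP,          "SIP"},
                {"%dip",  4, MESSAGE_ITEM_DIP,          "DIP"},
                {"%sp",   3, MESSAGE_ITEM_SPORT,        "SPort"},
                {"%dp",   3, MESSAGE_ITEM_DPORT,        "DPort"},
                {"%min",  4, MESSAGE_ITEM_MIN,          "Minute"},
                {"%y",    2, MESSAGE_ITEM_YEAR,         "Year"},
                {"%m",    2, MESSAGE_ITEM_MONTH,        "Month"},
                {"%d",    2, MESSAGE_ITEM_DAY,          "Day"},
                {"%h",    2, MESSAGE_ITEM_HOUR,         "Hour"},
                {"%s",    2, MESSAGE_ITEM_SEC,          "Second"},
                {"%usec", 5, MESSAGE_ITEM_USEC,         "USec"},
                {"%pn",   3, MESSAGE_ITEM_PACKET_NUM,   "PacketNum"},
                {"%ac",   3, MESSAGE_ITEM_ALERT_COUNT,  "AlertCount"},
        };
        MessageItem*    MI=NULL;
        MessageItem**   Tail=&MI;
        MessageItem*    MThis=NULL;
        char*           CThis=NULL;
        size_t          i;
#ifdef DEBUGPATH
        printf("In ParseMessageString\n");
#endif

        /*a NULL template parses to an empty message*/
        if (!MString)
                return NULL;

        for (CThis=MString; *CThis; CThis++){
                MThis=calloc(1, sizeof(*MThis));
                if (!MThis){
                        /*out of memory: drop the partial list rather than
                          dereference NULL or hand back half a message*/
                        while (MI){
                                MThis=MI->Next;
                                free(MI);
                                MI=MThis;
                        }
                        return NULL;
                }
                *Tail=MThis;
                Tail=&MThis->Next;

                if (*CThis!='%'){
                        /*Add this to the text stuff*/
#ifdef DEBUG
                        printf("\"%c\"->",*CThis);
#endif
                        MThis->Value=*CThis;
                        MThis->Type=MESSAGE_ITEM_CHAR;
                        continue;
                }

                /*this might be a macro*/
                for (i=0; i<sizeof(Macros)/sizeof(Macros[0]); i++){
                        if (strncasecmp(CThis, Macros[i].Token, Macros[i].Len)==0)
                                break;
                }

                if (i<sizeof(Macros)/sizeof(Macros[0])){
#ifdef DEBUG
                        printf("%s->",Macros[i].DebugName);
#endif
                        /*skip all but the last character of the token,
                          the loop increment consumes that one*/
                        CThis+=Macros[i].Len-1;
                        MThis->Type=Macros[i].Type;
                }else{
                        /*we don't recognise this, assume text*/
#ifdef DEBUG
                        printf("\"%c\"->",*CThis);
#endif
                        /*the stray '%' is stored as '_', not as '%'.
                          NOTE(review): presumably so an unknown macro can
                          never reach a printf-style logger as a format
                          directive - confirm before changing*/
                        MThis->Value='_';
                        MThis->Type=MESSAGE_ITEM_CHAR;
                }
        }

#ifdef DEBUG
        printf("\n");
#endif

        return MI;
}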
00140 
/***************************************************
* Free a message
*
* Walks the list starting at MItem and frees every
* node.  A NULL list is accepted and does nothing.
***************************************************/
void FreeMessage(MessageItem* MItem){
        MessageItem*    Following;
#ifdef DEBUGPATH
        printf("In FreeMessage\n");
#endif

        for (; MItem; MItem=Following){
                /*read the link before the node that holds it is freed*/
                Following=MItem->Next;
                free(MItem);
        }
}
00159 
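/***************************************************
* Expand a parsed message into text
*
* Walks the MessageItem list and writes the literal
* characters and the expanded macros (addresses,
* ports, timestamp fields, counters) for the packet
* in PacketSlot into Buff.
*
* Buff is always NUL terminated and never written
* past BuffLen bytes; output that does not fit is
* truncated.  The write position advances by what
* snprintf actually produced, so a field wider than
* its minimum width (a PacketNum above 99999999, for
* example) can neither be overwritten by the next
* item nor push the position past the buffer.
*
* Returns FALSE when MItem is NULL or the buffer is
* unusable, TRUE otherwise (also when truncated).
***************************************************/
int ApplyMessage(MessageItem* MItem, int PacketSlot, char* Buff, int BuffLen)
{
        MessageItem*    MThis;
        int             Total;
        int             Remain;
        int             Written;
        int             WantSource;
        IPData*         ip_data = NULL;
        TCPData*        tcp_data = NULL;
        UDPData*        udp_data = NULL;
        PacketRec*      p;
        struct tm*      tm;

        DEBUGPATH;

        if (!Buff || BuffLen <= 0)
                return FALSE;

        Buff[0] = 0x00;
        if (!MItem)
                return FALSE;

        /* NOTE(review): PacketSlot is used as an index unchecked; the
           size of Globals.Packets is not visible here - confirm callers
           only pass valid slots */
        p = &Globals.Packets[PacketSlot];
        /* localtime() can return NULL; the time fields fall back to
           '?' placeholders in that case */
        tm = localtime(&p->tv.tv_sec);

        Total = 0;
        for (MThis = MItem; MThis; MThis = MThis->Next) {
                /* Remain stays positive, so it can never turn into a
                   huge size_t when handed to snprintf */
                Remain = BuffLen - Total;
                if (Remain <= 1)
                        break;          /* only room for the terminator */
                Written = 0;

                switch (MThis->Type) {
                case MESSAGE_ITEM_SIP:
                case MESSAGE_ITEM_DIP:
                        if (!ip_data && !GetDataByID(PacketSlot, GetDecoderByName("IP"), (void**)&ip_data))
                                ip_data = NULL;
                        if (!ip_data) {
                                Written = snprintf(Buff+Total, Remain, "???.???.???.???");
                                break;
                        }

                        if (MThis->Type == MESSAGE_ITEM_SIP)
                                Written = snprintf(Buff+Total, Remain, "%s", inet_ntoa(*(struct in_addr*)&ip_data->Header->saddr));
                        else
                                Written = snprintf(Buff+Total, Remain, "%s", inet_ntoa(*(struct in_addr*)&ip_data->Header->daddr));
                        break;
                case MESSAGE_ITEM_SPORT:
                case MESSAGE_ITEM_DPORT:
                        /*get for both TCP and UDP*/
                        WantSource = (MThis->Type == MESSAGE_ITEM_SPORT);

                        /* look the IP layer up here as well, so a port macro
                           does not depend on an address macro appearing
                           earlier in the message */
                        if (!ip_data && !GetDataByID(PacketSlot, GetDecoderByName("IP"), (void**)&ip_data))
                                ip_data = NULL;

                        if (ip_data && ip_data->Header->protocol==IP_PROTO_TCP
                            && GetDataByID(PacketSlot, GetDecoderByName("TCP"), (void**)&tcp_data)) {
                                Written = snprintf(Buff+Total, Remain, "%u",
                                        (unsigned int)ntohs(WantSource ? tcp_data->Header->source : tcp_data->Header->dest));
                        } else if (ip_data && ip_data->Header->protocol==IP_PROTO_UDP
                            && GetDataByID(PacketSlot, GetDecoderByName("UDP"), (void**)&udp_data)) {
                                Written = snprintf(Buff+Total, Remain, "%u",
                                        (unsigned int)ntohs(WantSource ? udp_data->Header->source : udp_data->Header->dest));
                        } else {
                                Written = snprintf(Buff+Total, Remain, "??");
                        }
                        break;
                case MESSAGE_ITEM_CHAR:
                        Written = snprintf(Buff+Total, Remain, "%c",MThis->Value);
                        break;
                case MESSAGE_ITEM_YEAR:
                        if (tm)
                                Written = snprintf(Buff+Total, Remain, "%04i",tm->tm_year+1900);
                        else
                                Written = snprintf(Buff+Total, Remain, "????");
                        break;
                case MESSAGE_ITEM_MONTH:
                        if (tm)
                                Written = snprintf(Buff+Total, Remain, "%02i",tm->tm_mon+1);
                        else
                                Written = snprintf(Buff+Total, Remain, "??");
                        break;
                case MESSAGE_ITEM_DAY:
                        if (tm)
                                Written = snprintf(Buff+Total, Remain, "%02i",tm->tm_mday);
                        else
                                Written = snprintf(Buff+Total, Remain, "??");
                        break;
                case MESSAGE_ITEM_HOUR:
                        if (tm)
                                Written = snprintf(Buff+Total, Remain, "%02i",tm->tm_hour);
                        else
                                Written = snprintf(Buff+Total, Remain, "??");
                        break;
                case MESSAGE_ITEM_MIN:
                        if (tm)
                                Written = snprintf(Buff+Total, Remain, "%02i",tm->tm_min);
                        else
                                Written = snprintf(Buff+Total, Remain, "??");
                        break;
                case MESSAGE_ITEM_SEC:
                        if (tm)
                                Written = snprintf(Buff+Total, Remain, "%02i",tm->tm_sec);
                        else
                                Written = snprintf(Buff+Total, Remain, "??");
                        break;
                case MESSAGE_ITEM_USEC:
                        /* NOTE(review): the %usec macro prints tv_sec, not a
                           microsecond field - looks unintended, confirm
                           against the definition of PacketRec */
                        Written = snprintf(Buff+Total, Remain, "%04li",(long)p->tv.tv_sec);
                        break;
                case MESSAGE_ITEM_PACKET_NUM:
                        Written = snprintf(Buff+Total, Remain, "%08u",p->PacketNum);
                        break;
                case MESSAGE_ITEM_ALERT_COUNT:
                        Written = snprintf(Buff+Total, Remain, "%08u",Globals.AlertCount);
                        break;
                default:
                        PRINTERROR1("ApplyMessage: I don't know how to handle that message type (%i)\n", MThis->Type);
                        break;
                }

                if (Written < 0) {
                        /* output error: discard whatever was written */
                        Buff[Total] = 0x00;
                        continue;
                }
                if (Written >= Remain) {
                        /* truncated: snprintf has already terminated the
                           buffer at its last byte, nothing more fits */
                        break;
                }
                Total += Written;
        }

        return TRUE;
}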
