| author | yangwei <[email protected]> | 2019-01-23 12:49:08 +0600 |
|---|---|---|
| committer | yangwei <[email protected]> | 2019-01-23 12:49:08 +0600 |
| commit | 81216b1a9d64c6b45076a7887b0a4e06dfd22b03 (patch) | |
| tree | 0bc2b4ea9dff9ce8207bb1f2d4bc778ef1b71885 | |
| parent | d9a0355afd84f251ea7070eafada1b1f9a38c4d6 (diff) | |
新增client 和 server hello阶段的ciphersuits字段输出
| -rw-r--r-- | src/ntc_ssl_collect.c | 210 | ||||
| -rw-r--r-- | src/ntc_ssl_collect.h | 4 |
2 files changed, 133 insertions, 81 deletions
diff --git a/src/ntc_ssl_collect.c b/src/ntc_ssl_collect.c index bc27908..cde6bbb 100644 --- a/src/ntc_ssl_collect.c +++ b/src/ntc_ssl_collect.c 
@@ -79,46 +79,46 @@ static int ntc_addStreamInfo_to_jsonObj(cJSON *json_obj, const struct streaminfo addr = &(a_stream->addr); switch (addr->addrtype) { - case ADDR_TYPE_IPV4: - case __ADDR_TYPE_IP_PAIR_V4: - inet_ntop(AF_INET, &addr->ipv4->saddr, src_ip_str, sizeof(src_ip_str)); - inet_ntop(AF_INET, &addr->ipv4->daddr, dst_ip_str, sizeof(dst_ip_str)); - cJSON_AddStringToObject(json_obj, "s_ip", src_ip_str); - cJSON_AddStringToObject(json_obj, "d_ip", dst_ip_str); - cJSON_AddNumberToObject(json_obj, "s_port", ntohs(addr->ipv4->source)); - cJSON_AddNumberToObject(json_obj, "d_port", ntohs(addr->ipv4->dest)); - break; - case ADDR_TYPE_IPV6: - case __ADDR_TYPE_IP_PAIR_V6: - cJSON_AddNumberToObject(json_obj, "addr_type", addr->addrtype); - inet_ntop(AF_INET6, addr->ipv6->saddr, src_ip_str, sizeof(src_ip_str)); - inet_ntop(AF_INET6, addr->ipv6->daddr, dst_ip_str, sizeof(dst_ip_str)); - cJSON_AddStringToObject(json_obj, "s_ip", src_ip_str); - cJSON_AddStringToObject(json_obj, "d_ip", dst_ip_str); - cJSON_AddNumberToObject(json_obj, "s_port", ntohs(addr->ipv6->source)); - cJSON_AddNumberToObject(json_obj, "d_port", ntohs(addr->ipv6->dest)); - break; - case ADDR_TYPE_VLAN: - case ADDR_TYPE_GRE: - case ADDR_TYPE_MPLS: - case ADDR_TYPE_PPPOE_SES: - case ADDR_TYPE_L2TP: - case ADDR_TYPE_PPP: - cJSON_AddNumberToObject(json_obj, "addr_type", addr->addrtype); - cJSON_AddStringToObject(json_obj, "s_ip", null_addr); - cJSON_AddStringToObject(json_obj, "d_ip", null_addr); - cJSON_AddNumberToObject(json_obj, "s_port", null_port); - cJSON_AddNumberToObject(json_obj, "d_port", null_port); - break; - case ADDR_TYPE_PPTP: - cJSON_AddNumberToObject(json_obj, "addr_type", addr->addrtype); - cJSON_AddStringToObject(json_obj, "s_ip", null_addr); - cJSON_AddStringToObject(json_obj, "d_ip", null_addr); - cJSON_AddNumberToObject(json_obj, "s_port", ntohs(addr->pptp->C2S_call_id)); - cJSON_AddNumberToObject(json_obj, "d_port", ntohs(addr->pptp->S2C_call_id)); - break; - default: - break; + case 
ADDR_TYPE_IPV4: + case __ADDR_TYPE_IP_PAIR_V4: + inet_ntop(AF_INET, &addr->ipv4->saddr, src_ip_str, sizeof(src_ip_str)); + inet_ntop(AF_INET, &addr->ipv4->daddr, dst_ip_str, sizeof(dst_ip_str)); + cJSON_AddStringToObject(json_obj, "s_ip", src_ip_str); + cJSON_AddStringToObject(json_obj, "d_ip", dst_ip_str); + cJSON_AddNumberToObject(json_obj, "s_port", ntohs(addr->ipv4->source)); + cJSON_AddNumberToObject(json_obj, "d_port", ntohs(addr->ipv4->dest)); + break; + case ADDR_TYPE_IPV6: + case __ADDR_TYPE_IP_PAIR_V6: + cJSON_AddNumberToObject(json_obj, "addr_type", addr->addrtype); + inet_ntop(AF_INET6, addr->ipv6->saddr, src_ip_str, sizeof(src_ip_str)); + inet_ntop(AF_INET6, addr->ipv6->daddr, dst_ip_str, sizeof(dst_ip_str)); + cJSON_AddStringToObject(json_obj, "s_ip", src_ip_str); + cJSON_AddStringToObject(json_obj, "d_ip", dst_ip_str); + cJSON_AddNumberToObject(json_obj, "s_port", ntohs(addr->ipv6->source)); + cJSON_AddNumberToObject(json_obj, "d_port", ntohs(addr->ipv6->dest)); + break; + case ADDR_TYPE_VLAN: + case ADDR_TYPE_GRE: + case ADDR_TYPE_MPLS: + case ADDR_TYPE_PPPOE_SES: + case ADDR_TYPE_L2TP: + case ADDR_TYPE_PPP: + cJSON_AddNumberToObject(json_obj, "addr_type", addr->addrtype); + cJSON_AddStringToObject(json_obj, "s_ip", null_addr); + cJSON_AddStringToObject(json_obj, "d_ip", null_addr); + cJSON_AddNumberToObject(json_obj, "s_port", null_port); + cJSON_AddNumberToObject(json_obj, "d_port", null_port); + break; + case ADDR_TYPE_PPTP: + cJSON_AddNumberToObject(json_obj, "addr_type", addr->addrtype); + cJSON_AddStringToObject(json_obj, "s_ip", null_addr); + cJSON_AddStringToObject(json_obj, "d_ip", null_addr); + cJSON_AddNumberToObject(json_obj, "s_port", ntohs(addr->pptp->C2S_call_id)); + cJSON_AddNumberToObject(json_obj, "d_port", ntohs(addr->pptp->S2C_call_id)); + break; + default: + break; } addr_proto = layer_addr_prefix_ntop(a_stream); 
@@ -190,14 +190,23 @@ void ntc_ssl_collect_send_kafka_log(rd_kafka_topic_t *topic, struct streaminfo * { cJSON_AddItemToObject(log_obj, "client_cert", ctx->client_cert); } + + if (ctx->server_ciphersuits != NULL) + { + cJSON_AddStringToObject(log_obj, "server_ciphersuits", ctx->server_ciphersuits); + } + if (ctx->client_ciphersuits != NULL) + { + cJSON_AddStringToObject(log_obj, "client_ciphersuits", ctx->client_ciphersuits); + } //char *payload = cJSON_Print(log_obj); char *payload = cJSON_PrintUnformatted(log_obj); int paylen = strlen(payload); - if(g_ssl_collect_item.comm_log_mode > 0) + if (g_ssl_collect_item.comm_log_mode > 0) { rd_kafka_produce(g_ntc_kafka_topic, RD_KAFKA_PARTITION_UA, RD_KAFKA_MSG_F_COPY, payload, paylen, NULL, 0, NULL); } - MESA_handle_runtime_log(g_ssl_collect_item.log_handle, RLOG_LV_DEBUG, __FUNCTION__ , "%s", payload); + MESA_handle_runtime_log(g_ssl_collect_item.log_handle, RLOG_LV_DEBUG, __FUNCTION__, "%s", payload); free(payload); cJSON_Delete(log_obj); log_obj = NULL; @@ -213,12 +222,12 @@ int ntc_get_dpkt_label(struct streaminfo *a_stream, const char *label_name, char return -1; } snprintf(label_buf, *label_buflen, "PROTO_ID=%u;APP_ID=%u;OS_ID=%u;BS_ID=%u;WEB_ID=%u;BEHAV_ID=%u;", - dpkt_info->dpkt_proto_type, - dpkt_info->dpkt_app_type, - dpkt_info->dpkt_op_type, - dpkt_info->dpkt_browser_type, - dpkt_info->dpkt_web_type, - dpkt_info->dpkt_behavior_type); + dpkt_info->dpkt_proto_type, + dpkt_info->dpkt_app_type, + dpkt_info->dpkt_op_type, + dpkt_info->dpkt_browser_type, + dpkt_info->dpkt_web_type, + dpkt_info->dpkt_behavior_type); *label_buflen = strlen(label_buf); return 0; } @@ -263,7 +272,8 @@ int nct_get_flow_stat(comm_context_t *ctx, struct streaminfo *a_stream, int flow int ntc_ssl_store_cert(comm_context_t *ctx, struct streaminfo *a_stream, ssl_stream *a_ssl) { st_cert_t *cert = a_ssl->stSSLCert; - if(cert == NULL)return -1; + if (cert == NULL) + return -1; if (cert->cert_type != CERT_TYPE_INDIVIDUAL) { 
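Review bot: The new JSON keys `"server_ciphersuits"` and `"client_ciphersuits"` in ntc_ssl_collect_send_kafka_log misspell "ciphersuites", and because they are produced onto the Kafka topic they become part of the downstream log schema, which is far harder to rename once consumers depend on it than a local struct field; I would emit `"client_ciphersuites"` / `"server_ciphersuites"` now, before the first consumer is written. The same hunk keeps `int paylen = strlen(payload);` immediately after `cJSON_PrintUnformatted`, which returns NULL on allocation failure, so the two new fields only make that path more likely to be hit; a guard such as `if (payload == NULL) { cJSON_Delete(log_obj); return; }` belongs before the strlen. The strings are copied by cJSON_AddStringToObject, so nothing here releases the originals held in ctx — whether that is a leak depends on who owns them, which this hunk does not show. The function starts outside the hunk.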
@@ -271,49 +281,62 @@ int ntc_ssl_store_cert(comm_context_t *ctx, struct streaminfo *a_stream, ssl_str } cJSON *cert_obj = cJSON_CreateObject(); - if(strlen(cert->SSLVersion) > 0)cJSON_AddStringToObject(cert_obj, "version", cert->SSLVersion); + if (strlen(cert->SSLVersion) > 0) + cJSON_AddStringToObject(cert_obj, "version", cert->SSLVersion); - if(strlen(cert->SSLSerialNum) > 0) + if (strlen(cert->SSLSerialNum) > 0) { char serial_buf[512] = "0x"; - for(unsigned int i = 0; i < strlen(cert->SSLSerialNum); i++) + for (unsigned int i = 0; i < strlen(cert->SSLSerialNum); i++) { - sprintf(serial_buf, "%s%02X", serial_buf, cert->SSLSerialNum[i]); + sprintf(serial_buf, "%s%02X", serial_buf, cert->SSLSerialNum[i]); } cJSON_AddStringToObject(cert_obj, "serial_number", serial_buf); //cJSON_AddStringToObject(cert_obj, "serial_number", cert->SSLSerialNum); } - if(strlen(cert->SSLFPAg) > 0)cJSON_AddStringToObject(cert_obj, "algorithm", cert->SSLFPAg); + if (strlen(cert->SSLFPAg) > 0) + cJSON_AddStringToObject(cert_obj, "algorithm", cert->SSLFPAg); - if(strlen(cert->SSLAgID) > 0)cJSON_AddStringToObject(cert_obj, "algorithm_id", cert->SSLAgID); + if (strlen(cert->SSLAgID) > 0) + cJSON_AddStringToObject(cert_obj, "algorithm_id", cert->SSLAgID); - if(strlen(cert->SSLIssuer) > 0)cJSON_AddStringToObject(cert_obj, "issuer", cert->SSLIssuer); + if (strlen(cert->SSLIssuer) > 0) + cJSON_AddStringToObject(cert_obj, "issuer", cert->SSLIssuer); - if(strlen(cert->SSLIssuerC) > 0)cJSON_AddStringToObject(cert_obj, "issue_country", cert->SSLIssuerC); + if (strlen(cert->SSLIssuerC) > 0) + cJSON_AddStringToObject(cert_obj, "issue_country", cert->SSLIssuerC); - if(strlen(cert->SSLIssuerO) > 0)cJSON_AddStringToObject(cert_obj, "issue_organize", cert->SSLIssuerO); + if (strlen(cert->SSLIssuerO) > 0) + cJSON_AddStringToObject(cert_obj, "issue_organize", cert->SSLIssuerO); - if(strlen(cert->SSLIssuerCN) > 0)cJSON_AddStringToObject(cert_obj, "issue_cname", cert->SSLIssuerCN); + if 
(strlen(cert->SSLIssuerCN) > 0) + cJSON_AddStringToObject(cert_obj, "issue_cname", cert->SSLIssuerCN); - if(strlen(cert->SSLSub) > 0)cJSON_AddStringToObject(cert_obj, "sub", cert->SSLSub); + if (strlen(cert->SSLSub) > 0) + cJSON_AddStringToObject(cert_obj, "sub", cert->SSLSub); - if(strlen(cert->SSLSubC) > 0)cJSON_AddStringToObject(cert_obj, "sub_country", cert->SSLSubC); + if (strlen(cert->SSLSubC) > 0) + cJSON_AddStringToObject(cert_obj, "sub_country", cert->SSLSubC); - if(strlen(cert->SSLSubO) > 0)cJSON_AddStringToObject(cert_obj, "sub_organize", cert->SSLSubO); + if (strlen(cert->SSLSubO) > 0) + cJSON_AddStringToObject(cert_obj, "sub_organize", cert->SSLSubO); - if(strlen(cert->SSLSubCN) > 0)cJSON_AddStringToObject(cert_obj, "sub_cname", cert->SSLSubCN); + if (strlen(cert->SSLSubCN) > 0) + cJSON_AddStringToObject(cert_obj, "sub_cname", cert->SSLSubCN); - if(strlen(cert->SSLFrom) > 0)cJSON_AddStringToObject(cert_obj, "start_time", cert->SSLFrom); + if (strlen(cert->SSLFrom) > 0) + cJSON_AddStringToObject(cert_obj, "start_time", cert->SSLFrom); - if(strlen(cert->SSLTo) > 0)cJSON_AddStringToObject(cert_obj, "expire_time", cert->SSLTo); + if (strlen(cert->SSLTo) > 0) + cJSON_AddStringToObject(cert_obj, "expire_time", cert->SSLTo); - if(cert->SSLSubAltName != NULL && cert->SSLSubAltName->count > 0) + if (cert->SSLSubAltName != NULL && cert->SSLSubAltName->count > 0) { //cJSON *san = cJSON_CreateStringArray((const char **)cert->SSLSubAltName->san_array, cert->SSLSubAltName->count); cJSON *san = cJSON_CreateArray(); cJSON *member = NULL; - for(int i = 0; i < cert->SSLSubAltName->count; i++) + for (int i = 0; i < cert->SSLSubAltName->count; i++) { member = cJSON_CreateString(cert->SSLSubAltName->san_array[i].san); cJSON_AddItemToArray(san, member); @@ -327,7 +350,7 @@ int ntc_ssl_store_cert(comm_context_t *ctx, struct streaminfo *a_stream, ssl_str } else if (a_stream->curdir == DIR_S2C) { - ctx->server_cert = cert_obj; + ctx->server_cert = cert_obj; } else { 
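Review bot: `sprintf(serial_buf, "%s%02X", serial_buf, cert->SSLSerialNum[i]);` in ntc_ssl_store_cert passes the destination buffer as its own `%s` source, which is undefined behaviour (sprintf forbids overlapping source and destination) and is known to produce garbage on some libc versions; the loop also has no bound against `serial_buf[512]`, and because `SSLSerialNum[i]` is a `char`, any byte above 0x7F is sign-extended so `%02X` prints `FFFFFFxx` instead of two digits. Track the write offset explicitly and cast to `unsigned char`, as below. Note also that `strlen(cert->SSLSerialNum)` stops at the first 0x00 byte, which would silently truncate the serial if the field holds raw DER bytes rather than text — I cannot tell from here which it is, so that should be confirmed against the producer of st_cert_t. The function starts outside this hunk.
```c
char serial_buf[512] = "0x";
size_t off = 2;
size_t serial_len = strlen(cert->SSLSerialNum);
for (size_t i = 0; i < serial_len; i++)
{
    if (off + 3 > sizeof(serial_buf))
        break; /* two hex digits plus the terminator must still fit */
    off += snprintf(serial_buf + off, sizeof(serial_buf) - off, "%02X",
                    (unsigned char)cert->SSLSerialNum[i]);
}
cJSON_AddStringToObject(cert_obj, "serial_number", serial_buf);
/* … unchanged: remaining cert_obj fields … */
```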
@@ -338,17 +361,17 @@ int ntc_ssl_store_cert(comm_context_t *ctx, struct streaminfo *a_stream, ssl_str return 1; } -void ntc_ssl_collect_close( comm_context_t * ctx, struct streaminfo *a_stream, ssl_stream *a_ssl) +void ntc_ssl_collect_close(comm_context_t *ctx, struct streaminfo *a_stream, ssl_stream *a_ssl) { char label_buf[128] = {0}; int label_buflen = sizeof(label_buf); nct_get_flow_stat(ctx, a_stream, g_ssl_collect_item.tcp_flow_id); ntc_get_dpkt_label(a_stream, g_ssl_collect_item.dpkt_label, label_buf, &label_buflen); ntc_ssl_collect_send_kafka_log(g_ntc_kafka_topic, a_stream, ctx, label_buf, label_buflen, a_ssl); - if(ctx != NULL) + if (ctx != NULL) { free(ctx); - ctx=NULL; + ctx = NULL; } return; } 
@@ -362,21 +385,44 @@ extern "C" UCHAR ntc_ssl_collect_entry(stSessionInfo *session_info, void **param *param = calloc(sizeof(comm_context_t), 1); } ctx = (comm_context_t *)*param; + ssl_stream *a_ssl = (ssl_stream *)session_info->app_info; switch (session_info->prot_flag) { - case SSL_CERTIFICATE_DETAIL: - if (session_info->app_info != NULL) + case SSL_CLIENT_HELLO: + if (a_ssl != NULL && a_ssl->stClientHello != NULL) + { + if (a_ssl->stClientHello->ciphersuits.suite_len > 0 && a_ssl->stClientHello->ciphersuits.suite_value != NULL) { - ntc_ssl_store_cert(ctx, a_stream, (ssl_stream *)session_info->app_info); + ctx->client_ciphersuits = ssl_get_suite(&a_ssl->stClientHello->ciphersuits); } - break; - case SSL_APPLICATION_DATA: - ntc_ssl_collect_close(ctx, a_stream, (ssl_stream *)session_info->app_info); + } + break; + case SSL_SERVER_HELLO: + if (a_ssl != NULL && a_ssl->stServerHello != NULL) + { + if (a_ssl->stServerHello->ciphersuits.suite_len > 0 && a_ssl->stServerHello->ciphersuits.suite_value != NULL) + { + ctx->server_ciphersuits = ssl_get_suite(&a_ssl->stServerHello->ciphersuits); + } + } + break; + case SSL_CERTIFICATE_DETAIL: + if (a_ssl != NULL) + { + ntc_ssl_store_cert(ctx, a_stream, a_ssl); + } + break; + case SSL_APPLICATION_DATA: + if (g_ssl_collect_item.collect_all_sw == 0) + { + ntc_ssl_collect_close(ctx, a_stream, a_ssl); ret = PROT_STATE_DROPME; - default: - break; + } + break; + default: + break; } - if((session_info->session_state & SESSION_STATE_CLOSE) == SESSION_STATE_CLOSE && ret != PROT_STATE_DROPME) + if ((session_info->session_state & SESSION_STATE_CLOSE) == SESSION_STATE_CLOSE && ret != PROT_STATE_DROPME) { ntc_ssl_collect_close(ctx, a_stream, (ssl_stream *)session_info->app_info); ret = PROT_STATE_DROPME; 
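Review bot: `ctx->client_ciphersuits = ssl_get_suite(&a_ssl->stClientHello->ciphersuits);` and the matching ServerHello line in ntc_ssl_collect_entry store a pointer whose ownership is never resolved: ntc_ssl_collect_close only does `free(ctx)`, so if ssl_get_suite returns heap memory both strings leak on every session, and a repeated ClientHello or ServerHello on the same stream (retransmit or renegotiation) overwrites the earlier pointer without releasing it. If ssl_get_suite instead returns a static or stream-owned buffer, the `const char *` is fine but should say so, e.g. `/* borrowed from a_ssl; not owned by ctx */`, and the lifetime must outlast the close-time log call — I cannot see the helper's contract from here, so one of the two fixes (free before each assignment and in close, or the comment) should be chosen against it. Separately, `*param = calloc(sizeof(comm_context_t), 1);` is unchecked, so the new assignments dereference NULL on allocation failure; a `if (ctx == NULL) return ret;` after the cast would cover it. After `ntc_ssl_collect_close(ctx, ...)` frees ctx, `*param` still holds the dangling pointer; `*param = NULL;` next to each close call would make a later callback fail loudly rather than touch freed memory, assuming the framework can call entry again after PROT_STATE_DROPME. ntc_ssl_collect_entry begins and ends outside this hunk.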
@@ -401,6 +447,7 @@ int ntc_ssl_collect_load_profile() MESA_load_profile_int_def(PROFILE_PATH, "SYSTEM", "ENTRANCE_ID", &(g_ssl_collect_item.entry_id), 0); MESA_load_profile_int_def(PROFILE_PATH, PLUGIN_NAME, "service", &g_ssl_collect_item.service, 0); + MESA_load_profile_int_def(PROFILE_PATH, PLUGIN_NAME, "collect_all_sw", &g_ssl_collect_item.collect_all_sw, 0); MESA_load_profile_string_def(PROFILE_PATH, PLUGIN_NAME, "dpkt_label", g_ssl_collect_item.dpkt_label, sizeof(g_ssl_collect_item.dpkt_label), "DPKT_PROJECT"); return 0; } @@ -411,7 +458,8 @@ int ntc_ssl_collect_kaka_init() MESA_load_profile_uint_def(PROFILE_PATH, PLUGIN_NAME, "kafka_mode", &g_ssl_collect_item.comm_log_mode, 3); MESA_load_profile_string_def(PROFILE_PATH, PLUGIN_NAME, "kafka_topic", g_ssl_collect_item.kafka_topic, sizeof(g_ssl_collect_item.kafka_topic), NTC_SSL_COLLECT_TOPIC); - if(g_ssl_collect_item.comm_log_mode == 0)return 0; + if (g_ssl_collect_item.comm_log_mode == 0) + return 0; if ((g_ssl_collect_item.comm_log_mode & INDIE_KAFKA) == INDIE_KAFKA) { if (0 > MESA_load_profile_string_nodef(PROFILE_PATH, PLUGIN_NAME, "kafka_brokelist", g_ssl_collect_item.kafka_brokelist, sizeof(g_ssl_collect_item.kafka_brokelist))) diff --git a/src/ntc_ssl_collect.h b/src/ntc_ssl_collect.h index 74115ec..2361509 100644 --- a/src/ntc_ssl_collect.h +++ b/src/ntc_ssl_collect.h @@ -21,6 +21,8 @@ extern "C" char kafka_topic[1024]; char dpkt_label[1024]; int dpkt_project_id; + + int collect_all_sw; char kafka_handle_provide_path[1024]; char kafka_handle_name[1024]; @@ -77,6 +79,8 @@ typedef struct _comm_context_t unsigned long long s2c_bytes; cJSON *client_cert; cJSON *server_cert; + const char *client_ciphersuits; + const char *server_ciphersuits; }comm_context_t; |
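Review bot: The new `int collect_all_sw;` in ntc_ssl_collect.h and the `collect_all_sw` profile key it is loaded from carry no explanation, and the name alone does not tell an operator what changes when it is set; from ntc_ssl_collect_entry the effect is that zero emits the log and drops the session on the first ApplicationData record, while non-zero keeps the session until SESSION_STATE_CLOSE. I would document that on the field, `int collect_all_sw; /* 0: log and drop on first ApplicationData; non-zero: keep the session and log at close */`, and the same sentence next to the `MESA_load_profile_int_def(..., "collect_all_sw", ...)` line. The two new `const char *client_ciphersuits;` / `const char *server_ciphersuits;` fields likewise need an ownership note (owned by ctx and freed in close, or borrowed), since nothing in this header says which. The struct definition starts outside the hunk.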
