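/*
 * T2_HTTP_DIG_BIZ: per-session HTTP plug-in. It buffers the request and
 * response bytes the platform hands it and, when the session closes, passes
 * the complete exchange to the digapis detector.
 *
 * NOTE(review): the original standard-header list was lost in extraction
 * (only the project header survived). The headers below are the ones the
 * code visibly needs: calloc/free, memset/memcpy, snprintf/fprintf,
 * inet_ntop/ntohs.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

#include "T2_HTTP_DIG_BIZ.h"

static const char *module_name = "T2_HTTP_DIG_BIZ";
static const char *t2_biz_conf_file = "./t2conf/T2_HTTP_DIG_BIZ.conf";
/* Version marker symbol; intentionally never read. */
static char T2_HTTP_DIG_BIZ_VERSION_20190121 = 0;
/* Module-wide state: written once in T2_HTTP_DIG_BIZ_INIT, read-only afterwards. */
static g_http_dig_biz_info_t g_http_dig_biz_info;

/* Shorthand for the module's runtime log; every call uses the same handle and tag. */
#define T2_LOG(lv, ...) \
    MESA_handle_runtime_log(g_http_dig_biz_info.run_log_handle, (lv), module_name, __VA_ARGS__)

/*
 * Append `n` bytes of `data` to `buf` (capacity `cap`, `used` bytes already
 * stored), optionally preceded by CRLF and always followed by CRLF.
 *
 * Returns the new used length, or `used` unchanged when the block does not
 * fit. The strict `<` (same bound the original used) keeps at least one
 * untouched zero byte from calloc at the end, so the buffer stays
 * NUL-terminated for the detector and log calls. The early range checks also
 * make the addition safe when `n` comes from a signed, possibly negative,
 * platform length.
 */
static size_t append_crlf_block(void *buf, size_t cap, size_t used,
                                const void *data, size_t n, int lead_crlf)
{
    unsigned char *out = (unsigned char *)buf;
    size_t extra = lead_crlf ? 4 : 2;

    if (buf == NULL || data == NULL || n > cap || used > cap || used + n + extra >= cap) {
        return used;
    }
    if (lead_crlf) {
        memcpy(out + used, "\r\n", 2);
        used += 2;
    }
    memcpy(out + used, data, n);
    used += n;
    memcpy(out + used, "\r\n", 2);
    used += 2;
    return used;
}

/*
 * Allocate a zeroed per-session context and hand it back through `param`.
 * Returns 0 on success, -1 when the allocation fails (`*param` is then NULL).
 * `proto` and `thread_seq` are part of the call contract but unused here.
 */
static int init_t2_dig_context(t2_digapis_context_t **param, soq_protocol_t proto, int thread_seq)
{
    t2_digapis_context_t *pme;

    (void)proto;
    (void)thread_seq;

    pme = calloc(1, sizeof *pme);
    *param = pme;
    /* Unchecked calloc was the original defect: the caller dereferenced NULL. */
    return (pme == NULL) ? -1 : 0;
}

/* Fill the endpoint fields of `pme` (is_ipv4, sip/dip, sport/dport) from the stream 4-tuple. */
static void record_endpoints(t2_digapis_context_t *pme, const struct streaminfo *a_stream)
{
    if (ADDR_TYPE_IPV4 == a_stream->addr.addrtype) {
        const struct stream_tuple4_v4 *t4 = (const struct stream_tuple4_v4 *)a_stream->addr.tuple4_v4;
        pme->is_ipv4 = 1;
        inet_ntop(AF_INET, &t4->saddr, pme->sip, sizeof(pme->sip));
        inet_ntop(AF_INET, &t4->daddr, pme->dip, sizeof(pme->dip));
        pme->sport = ntohs(t4->source);
        pme->dport = ntohs(t4->dest);
    }
    if (ADDR_TYPE_IPV6 == a_stream->addr.addrtype) {
        const struct stream_tuple4_v6 *t6 = (const struct stream_tuple4_v6 *)a_stream->addr.tuple4_v6;
        pme->is_ipv4 = 0;
        inet_ntop(AF_INET6, t6->saddr, pme->sip, sizeof(pme->sip));
        inet_ntop(AF_INET6, t6->daddr, pme->dip, sizeof(pme->dip));
        pme->sport = ntohs(t6->source);
        pme->dport = ntohs(t6->dest);
    }
}

/*
 * Run the detector over the buffered exchange and release the context.
 *
 * Safe to call with a NULL `pme` (the entry point reaches this path before a
 * context exists). On detector errors only the endpoint tuple and buffer
 * lengths are logged: the original wrote the raw request/response bytes into
 * the runtime log, which leaks credentials, cookies and bodies and lets
 * attacker-controlled CRLF sequences forge log lines.
 */
static void destroy_t2_dig_context(t2_digapis_context_t *pme)
{
    int ret;
    digapis_error_msg dig_emsg;
    digapis_detector_result result;

    if (pme == NULL) {
        return;
    }

    /* NOTE(review): invoked on every session close; whether the library needs
       or merely tolerates per-call thread init is not visible here. */
    ret = digapis_detector_thread_init();
    if (ret < 0) {
        T2_LOG(RLOG_LV_FATAL, "<%s>%d: digapis_detector_thread_init error", __FILE__, __LINE__);
        /* Do not feed the detector from a thread whose init failed. */
        free(pme);
        return;
    }

    memset(&result, 0, sizeof result);
    memset(&dig_emsg, 0, sizeof dig_emsg);
    result.is_ipv4 = pme->is_ipv4;
    snprintf(result.sip, sizeof(result.sip), "%s", pme->sip);
    snprintf(result.dip, sizeof(result.dip), "%s", pme->dip);
    result.sport = pme->sport;
    result.dport = pme->dport;

    ret = digapis_detector_process_request((const unsigned char *)pme->request,
                                           pme->request_len, &result, &dig_emsg);
    if (ret != 0) {
        T2_LOG(RLOG_LV_FATAL,
               "<%s>%d: digapis_detector_process_request error! %s:%u -> %s:%u request_len=%lu",
               __FILE__, __LINE__, pme->sip, (unsigned)pme->sport, pme->dip,
               (unsigned)pme->dport, (unsigned long)pme->request_len);
    } else if (result.request_category_1 != 0) {
        /* Only requests the library classified get their response analysed. */
        ret = digapis_detector_process_response((const unsigned char *)pme->request,
                                                pme->request_len,
                                                (const unsigned char *)pme->response,
                                                pme->response_len, &result, &dig_emsg);
        if (ret != 0) {
            T2_LOG(RLOG_LV_FATAL,
                   "<%s>%d: digapis_detector_process_response error! %s:%u -> %s:%u response_len=%lu",
                   __FILE__, __LINE__, pme->sip, (unsigned)pme->sport, pme->dip,
                   (unsigned)pme->dport, (unsigned long)pme->response_len);
        } else {
            T2_LOG(RLOG_LV_INFO, "<%s>%d: digapis_detector_process_response success.",
                   __FILE__, __LINE__);
        }
    }

    free(pme);
}

/*
 * Platform entry point, called for every HTTP event of a session.
 *
 * `*param` carries the per-session context across calls: created on
 * SESSION_STATE_PENDING, consumed on SESSION_STATE_CLOSE. Request-side data
 * (request line, client-direction content, client append data) goes to
 * pme->request, the rest to pme->response; each block is CRLF-delimited.
 * Returns PROT_STATE_GIVEME to keep receiving the session, PROT_STATE_DROPME
 * to detach from it.
 */
int T2_HTTP_DIGAPI_ENTRY(stSessionInfo *session_info, void **param, int thread_seq,
                         struct streaminfo *a_stream, void *a_packet)
{
    t2_digapis_context_t *pme = (t2_digapis_context_t *)*param;
    http_infor *http_info;
    int curdir;

    (void)a_packet;

    if (session_info == NULL) {
        /* Session torn down without data: drop whatever context we hold. */
        destroy_t2_dig_context(pme);
        *param = NULL;
        T2_LOG(RLOG_LV_FATAL, "session_info is NULL");
        return PROT_STATE_DROPME;
    }
    /* The original read app_info before the NULL check above. */
    http_info = (http_infor *)session_info->app_info;
    curdir = (a_stream != NULL) ? a_stream->curdir : 0;

    if (session_info->session_state & SESSION_STATE_PENDING) {
        /* A second PENDING for a live context must not leak the first one. */
        if (pme == NULL) {
            if (init_t2_dig_context(&pme, PROTO_HTTP, thread_seq) < 0) {
                T2_LOG(RLOG_LV_FATAL, "init_process_context failed ...");
                return PROT_STATE_DROPME;
            }
            *param = pme;
            if (a_stream != NULL) {
                record_endpoints(pme, a_stream);
            }
        }
    }
    if (pme == NULL) {
        /* Data before PENDING, or after a failed init: nothing to buffer into. */
        T2_LOG(RLOG_LV_FATAL, "<%s>%d: no session context for HTTP data", __FILE__, __LINE__);
        return PROT_STATE_DROPME;
    }

    if (HTTP_REQ_LINE == session_info->prot_flag) {
        pme->request_len = append_crlf_block(pme->request, sizeof(pme->request), pme->request_len,
                                             session_info->buf, session_info->buflen, 0);
    }
    if (HTTP_RES_LINE == session_info->prot_flag) {
        pme->response_len = append_crlf_block(pme->response, sizeof(pme->response), pme->response_len,
                                              session_info->buf, session_info->buflen, 0);
    }
    if (HTTP_UNGZIP_CONTENT == session_info->prot_flag && 0x01 == curdir) {
        pme->request_len = append_crlf_block(pme->request, sizeof(pme->request), pme->request_len,
                                             session_info->buf, session_info->buflen, 1);
    }
    if (HTTP_UNGZIP_CONTENT == session_info->prot_flag && 0x02 == curdir) {
        pme->response_len = append_crlf_block(pme->response, sizeof(pme->response), pme->response_len,
                                              session_info->buf, session_info->buflen, 1);
    }
    /* app_info is platform-owned; the original dereferenced it unconditionally. */
    if (http_info != NULL && http_info->append_infor.contlen > 0) {
        if (http_info->curdir == 1) {
            pme->request_len = append_crlf_block(pme->request, sizeof(pme->request), pme->request_len,
                                                 http_info->append_infor.content,
                                                 http_info->append_infor.contlen, 0);
        } else {
            pme->response_len = append_crlf_block(pme->response, sizeof(pme->response), pme->response_len,
                                                  http_info->append_infor.content,
                                                  http_info->append_infor.contlen, 0);
        }
    }

    if (session_info->session_state & SESSION_STATE_CLOSE) {
        destroy_t2_dig_context(pme);
        *param = NULL;
    }
    return PROT_STATE_GIVEME;
}

/*
 * Module initialisation: load the config, open the runtime log and bring up
 * the detector. Returns 0 on success, -1 on any failure.
 *
 * ES_URL must come from the config file. The original shipped a default URL
 * with embedded Elasticsearch credentials and an internal address in the
 * source, so a missing config silently pointed a vulnerability feed at that
 * host with those credentials; a missing value is now a hard init error.
 */
int T2_HTTP_DIG_BIZ_INIT(void)
{
    digapis_detector_cfg dig_cfg;
    digapis_error_msg dig_emsg;
    int ret;

    memset(&g_http_dig_biz_info, 0, sizeof(g_http_dig_biz_info_t));
    MESA_load_profile_int_def(t2_biz_conf_file, "HTTP_BIZ", "RUN_RLOG_LV",
                              &g_http_dig_biz_info.run_rlog_lv, 10);
    MESA_load_profile_string_def(t2_biz_conf_file, "HTTP_BIZ", "RUN_LOG_PATH",
                                 g_http_dig_biz_info.run_log_path, MAX_PATH_LEN,
                                 "./t2log/T2_HTTP_DIG_BIZ.log");

    g_http_dig_biz_info.run_log_handle =
        MESA_create_runtime_log_handle(g_http_dig_biz_info.run_log_path,
                                       g_http_dig_biz_info.run_rlog_lv);
    if (g_http_dig_biz_info.run_log_handle == NULL) {
        /* No log handle yet, so this one goes to stderr. */
        fprintf(stderr, "<%s>%d: MESA_create_runtime_log_handle failed ...\n", __FILE__, __LINE__);
        return -1;
    }

    memset(&dig_cfg, 0, sizeof(digapis_detector_cfg));
    memset(&dig_emsg, 0, sizeof dig_emsg);
    MESA_load_profile_string_def(t2_biz_conf_file, "HTTP_BIZ", "ES_URL",
                                 dig_cfg.es_url, MAX_PATH_LEN, "");
    if (dig_cfg.es_url[0] == '\0') {
        T2_LOG(RLOG_LV_FATAL, "<%s>%d: HTTP_BIZ/ES_URL is not set in %s (no built-in default)",
               __FILE__, __LINE__, t2_biz_conf_file);
        return -1;
    }
    MESA_load_profile_string_def(t2_biz_conf_file, "HTTP_BIZ", "ES_INDEX",
                                 dig_cfg.es_index, 128, "aiids_tcp_");
    MESA_load_profile_string_def(t2_biz_conf_file, "HTTP_BIZ", "ES_DOC_TYPE",
                                 dig_cfg.es_doc_type, 128, "vulnerability");

    ret = digapis_detector_init(&dig_cfg, &dig_emsg);
    if (ret != 0) {
        T2_LOG(RLOG_LV_FATAL, "<%s>%d: digapis_detector_init error", __FILE__, __LINE__);
        return -1;
    }
    return 0;
}

/*
 * Module teardown. Nothing is released here: no detector or log-handle
 * teardown API is visible in this file, so the detector state and the
 * runtime log handle created in T2_HTTP_DIG_BIZ_INIT live until exit.
 */
void T2_HTTP_DIG_BIZ_DESTROY(void)
{
}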