#include <iconv.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/time.h>
#include <arpa/inet.h>
#include "T2_HTTP_DIG_BIZ.h"
/* Tag used for every runtime-log line written by this module. */
static const char *module_name = "T2_HTTP_DIG_BIZ";
/* Relative path: resolved against the process's working directory, so the
 * plugin only finds its config when started from the expected directory. */
static const char *t2_biz_conf_file = "./t2conf/T2_HTTP_DIG_BIZ.conf";
/* Build/version marker symbol; never read, kept so the date survives in the
 * object file. */
static char T2_HTTP_DIG_BIZ_VERSION_20190121 = 0;
/* Module-wide state (log handle, log level, log path), filled in by
 * T2_HTTP_DIG_BIZ_INIT and read by every hook below. */
static g_http_dig_biz_info_t g_http_dig_biz_info;
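/*
 * Allocate a zeroed per-session detection context and return it via *param.
 *
 * proto and thread_seq are part of the hook interface but are not used here.
 * Returns 0 on success and -1 when param is NULL or the allocation fails; on
 * failure *param is left untouched. The caller owns the context and releases
 * it with destroy_t2_dig_context().
 *
 * The original returned 0 unconditionally, so an allocation failure was
 * reported as success and the caller then dereferenced NULL.
 */
static int init_t2_dig_context(t2_digapis_context_t **param, soq_protocol_t proto, int thread_seq)
{
    t2_digapis_context_t *pme;

    (void)proto;
    (void)thread_seq;

    if (param == NULL)
        return -1;

    /* calloc: request_len/response_len start at 0 and the buffers are
     * zero-filled. If request/response are inline arrays this also keeps them
     * NUL-terminated as long as the appenders leave one byte free — verify
     * against the struct definition in the header. */
    pme = calloc(1, sizeof *pme);
    if (pme == NULL)
    {
        MESA_handle_runtime_log(g_http_dig_biz_info.run_log_handle, RLOG_LV_FATAL, module_name, "<%s>%d: calloc of t2_digapis_context_t failed", __FILE__, __LINE__);
        return -1;
    }
    *param = pme;
    return 0;
}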
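/*
 * Finish a session: run the accumulated request/response through the
 * detector, then release the context.
 *
 * Despite the name this is where detection actually runs — the request and
 * response bodies are only complete at session teardown. pme may be NULL
 * (nothing to do). Every detector failure is logged; the context is freed on
 * all paths, so the caller must not touch pme afterwards.
 *
 * Changes vs. the original: a NULL pme is tolerated instead of dereferenced,
 * and the request/response buffers are logged with an explicit length. They
 * hold raw wire data and nothing guarantees a NUL terminator at
 * request_len/response_len, so "%s" could read past the collected bytes.
 * "%.*s" assumes the log function takes printf-style formats, which the
 * existing "%s"/"%d" usage indicates.
 */
static void destroy_t2_dig_context(t2_digapis_context_t *pme)
{
    int ret;
    digapis_error_msg dig_emsg;
    digapis_detector_result result;

    if (pme == NULL)
        return;

    /* NOTE(review): a per-thread init is performed on every session
     * teardown; presumably idempotent — confirm against the digapis API.
     * The original kept going after a failure here, and so do we. */
    ret = digapis_detector_thread_init();
    if (ret < 0)
    {
        MESA_handle_runtime_log(g_http_dig_biz_info.run_log_handle, RLOG_LV_FATAL, module_name, "<%s>%d: digapis_detector_thread_init error", __FILE__, __LINE__);
    }

    /* Endpoint tuple captured at session start (see the entry hook). The
     * 128 matches the size used when the addresses were formatted. */
    memset(&result, 0, sizeof result);
    result.is_ipv4 = pme->is_ipv4;
    snprintf(result.sip, 128, "%s", pme->sip);
    snprintf(result.dip, 128, "%s", pme->dip);
    result.sport = pme->sport;
    result.dport = pme->dport;

    ret = digapis_detector_process_request((const unsigned char *)pme->request, pme->request_len, &result, &dig_emsg);
    if (ret != 0)
    {
        MESA_handle_runtime_log(g_http_dig_biz_info.run_log_handle, RLOG_LV_FATAL, module_name, "<%s>%d: digapis_detector_process_request error! request_msg:%.*s", __FILE__, __LINE__, (int)pme->request_len, pme->request);
    }
    else if (result.request_category_1 != 0)
    {
        /* The response is only analysed when the request was classified
         * (category != 0); uncategorised requests stop here. */
        ret = digapis_detector_process_response((const unsigned char *)pme->request, pme->request_len, (const unsigned char *)pme->response, pme->response_len, &result, &dig_emsg);
        if (ret != 0)
        {
            MESA_handle_runtime_log(g_http_dig_biz_info.run_log_handle, RLOG_LV_FATAL, module_name, "<%s>%d: digapis_detector_process_response error! response_msg:%.*s", __FILE__, __LINE__, (int)pme->response_len, pme->response);
        }
        else
        {
            MESA_handle_runtime_log(g_http_dig_biz_info.run_log_handle, RLOG_LV_INFO, module_name, "<%s>%d: digapis_detector_process_response success.", __FILE__, __LINE__);
        }
    }

    free(pme);
}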
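/*
 * Append n bytes to the context's request buffer, framed with CRLF: always a
 * trailing "\r\n", plus a leading "\r\n" when lead_crlf is non-zero (used to
 * separate the header block from a body). Nothing is written unless the
 * whole framed chunk fits below REQUEST_MAX_LENGTH, so at least one byte of
 * the buffer is never used. Returns 0 when appended, -1 when dropped.
 *
 * n is size_t on purpose: a negative length coming from the framework (the
 * original compared it as a signed int) now converts to a huge value and is
 * rejected instead of passing the bound check and reaching memcpy.
 */
static int append_request(t2_digapis_context_t *pme, const void *data, size_t n, int lead_crlf)
{
    size_t framing = lead_crlf ? 4 : 2;

    if (pme->request_len + n + framing >= REQUEST_MAX_LENGTH)
        return -1;
    if (lead_crlf)
    {
        memcpy(pme->request + pme->request_len, "\r\n", 2);
        pme->request_len += 2;
    }
    if (n > 0)
    {
        memcpy(pme->request + pme->request_len, data, n);
        pme->request_len += n;
    }
    memcpy(pme->request + pme->request_len, "\r\n", 2);
    pme->request_len += 2;
    return 0;
}

/*
 * Response-side twin of append_request(): same framing and bound rules,
 * against RESPONSE_MAX_LENGTH. Returns 0 when appended, -1 when dropped.
 */
static int append_response(t2_digapis_context_t *pme, const void *data, size_t n, int lead_crlf)
{
    size_t framing = lead_crlf ? 4 : 2;

    if (pme->response_len + n + framing >= RESPONSE_MAX_LENGTH)
        return -1;
    if (lead_crlf)
    {
        memcpy(pme->response + pme->response_len, "\r\n", 2);
        pme->response_len += 2;
    }
    if (n > 0)
    {
        memcpy(pme->response + pme->response_len, data, n);
        pme->response_len += n;
    }
    memcpy(pme->response + pme->response_len, "\r\n", 2);
    pme->response_len += 2;
    return 0;
}

/*
 * Record the session's 4-tuple (textual addresses, host-order ports) in the
 * context. Unknown address families leave the calloc'ed zeros in place, as
 * does a NULL a_stream. The 128 matches the snprintf size used when the
 * addresses are copied into the detector result; sizeof(pme->sip) would be
 * preferable if sip/dip are inline arrays — confirm in the header.
 */
static void fill_endpoints(t2_digapis_context_t *pme, struct streaminfo *a_stream)
{
    if (a_stream == NULL)
        return;

    if (ADDR_TYPE_IPV4 == a_stream->addr.addrtype)
    {
        struct stream_tuple4_v4 *t4 = (struct stream_tuple4_v4 *)a_stream->addr.tuple4_v4;

        pme->is_ipv4 = 1;
        inet_ntop(AF_INET, &(t4->saddr), pme->sip, 128);
        inet_ntop(AF_INET, &(t4->daddr), pme->dip, 128);
        pme->sport = ntohs(t4->source);
        pme->dport = ntohs(t4->dest);
    }
    else if (ADDR_TYPE_IPV6 == a_stream->addr.addrtype)
    {
        struct stream_tuple4_v6 *t6 = (struct stream_tuple4_v6 *)a_stream->addr.tuple4_v6;

        pme->is_ipv4 = 0;
        inet_ntop(AF_INET6, t6->saddr, pme->sip, 128);
        inet_ntop(AF_INET6, t6->daddr, pme->dip, 128);
        pme->sport = ntohs(t6->source);
        pme->dport = ntohs(t6->dest);
    }
}

/*
 * Per-event HTTP hook. Called by the framework for each parsed HTTP piece of
 * a session; *param carries this module's t2_digapis_context_t across calls.
 *
 *   session_info  parsed piece (prot_flag says what buf/buflen hold) plus
 *                 session state flags and the http_infor in app_info
 *   param         in/out slot for the per-session context
 *   thread_seq    worker index, passed through to init_t2_dig_context
 *   a_stream      stream tuple and current direction (curdir 1 = request,
 *                 2 = response)
 *   a_packet      unused here
 *
 * Returns PROT_STATE_GIVEME to keep receiving the session, PROT_STATE_DROPME
 * to opt out. Request lines, response lines, decompressed content and
 * append_infor content are accumulated CRLF-framed into the context; on
 * SESSION_STATE_CLOSE the context is handed to destroy_t2_dig_context(),
 * which runs the detector and frees it.
 *
 * Fixes vs. the original:
 *   - session_info->app_info was read before the NULL check on session_info;
 *   - a PENDING event re-allocated the context and leaked the previous one;
 *   - without a PENDING event first, pme was NULL and dereferenced;
 *   - http_info (app_info) was dereferenced without a NULL check;
 *   - append_infor content for the request direction fell through to the
 *     response buffer when it did not fit in the request buffer; it is now
 *     simply dropped;
 *   - the four near-identical copy blocks share one bounded appender.
 */
int T2_HTTP_DIGAPI_ENTRY(stSessionInfo* session_info, void **param, int thread_seq, struct streaminfo *a_stream, void *a_packet)
{
    t2_digapis_context_t *pme = (t2_digapis_context_t *)*param;
    http_infor *http_info;

    (void)a_packet;

    if (NULL == session_info)
    {
        destroy_t2_dig_context(pme);
        *param = NULL;
        MESA_handle_runtime_log(g_http_dig_biz_info.run_log_handle, RLOG_LV_FATAL, module_name, "session_info is NULL");
        return PROT_STATE_DROPME;
    }
    http_info = (http_infor *)session_info->app_info;

    if (session_info->session_state & SESSION_STATE_PENDING)
    {
        /* Allocate once per session; a repeated PENDING flag would
         * otherwise leak the existing context. */
        if (pme == NULL)
        {
            if (init_t2_dig_context(&pme, PROTO_HTTP, thread_seq) < 0)
            {
                MESA_handle_runtime_log(g_http_dig_biz_info.run_log_handle, RLOG_LV_FATAL, module_name, "init_process_context failed ...");
                return PROT_STATE_DROPME;
            }
            *param = pme;
            fill_endpoints(pme, a_stream);
        }
    }

    if (pme == NULL)
    {
        /* No context: this session never produced a PENDING event (or its
         * setup failed). There is nothing to accumulate into, so opt out
         * rather than dereference NULL. */
        return PROT_STATE_DROPME;
    }

    if (HTTP_REQ_LINE == session_info->prot_flag)
        append_request(pme, session_info->buf, session_info->buflen, 0);

    if (HTTP_RES_LINE == session_info->prot_flag)
        append_response(pme, session_info->buf, session_info->buflen, 0);

    if (HTTP_UNGZIP_CONTENT == session_info->prot_flag && a_stream != NULL)
    {
        /* Body content: the leading CRLF ends the header block. */
        if (0x01 == a_stream->curdir)
            append_request(pme, session_info->buf, session_info->buflen, 1);
        else if (0x02 == a_stream->curdir)
            append_response(pme, session_info->buf, session_info->buflen, 1);
    }

    if (http_info != NULL && http_info->append_infor.contlen > 0)
    {
        if (http_info->curdir == 1)
            append_request(pme, http_info->append_infor.content, http_info->append_infor.contlen, 0);
        else
            append_response(pme, http_info->append_infor.content, http_info->append_infor.contlen, 0);
    }

    if (session_info->session_state & SESSION_STATE_CLOSE)
    {
        destroy_t2_dig_context(pme);
        *param = NULL;
    }
    return PROT_STATE_GIVEME;
}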
/*
 * Read the [HTTP_BIZ] logging settings from the module config and open the
 * runtime log. Returns 0 on success, -1 when the log handle cannot be
 * created (reported on stdout, since there is no log yet).
 */
static int open_run_log(void)
{
    g_http_dig_biz_info_t *info = &g_http_dig_biz_info;

    MESA_load_profile_int_def(t2_biz_conf_file, "HTTP_BIZ", "RUN_RLOG_LV", &info->run_rlog_lv, 10);
    MESA_load_profile_string_def(t2_biz_conf_file, "HTTP_BIZ", "RUN_LOG_PATH", info->run_log_path, MAX_PATH_LEN, "./t2log/T2_HTTP_DIG_BIZ.log");
    info->run_log_handle = MESA_create_runtime_log_handle(info->run_log_path, info->run_rlog_lv);
    if (info->run_log_handle != NULL)
        return 0;

    printf("<%s>%d: MESA_create_runtime_log_handle failed ...\n", __FILE__, __LINE__);
    return -1;
}

/*
 * Module initialisation: reset the global state, open the runtime log, load
 * the detector's Elasticsearch settings from [HTTP_BIZ] and initialise the
 * detector. Returns 0 on success, -1 on any failure (the log handle, if
 * already created, is not torn down — there is no matching destroy call in
 * this file).
 *
 * NOTE(review): the ES_URL fallback embeds credentials in the source
 * ("elastic:…@host"), and the host part looks like an e-mail-obfuscation
 * artefact rather than the intended address. A default that carries a
 * password belongs in the config file (or the environment), not in code;
 * worth changing once the intended value is known.
 */
int T2_HTTP_DIG_BIZ_INIT(void)
{
    digapis_detector_cfg dig_cfg;
    digapis_error_msg dig_emsg;

    memset(&g_http_dig_biz_info, 0, sizeof g_http_dig_biz_info);
    if (open_run_log() != 0)
        return -1;

    memset(&dig_cfg, 0, sizeof dig_cfg);
    MESA_load_profile_string_def(t2_biz_conf_file, "HTTP_BIZ", "ES_URL", dig_cfg.es_url, MAX_PATH_LEN, "http://elastic:[email protected]:39200/");
    MESA_load_profile_string_def(t2_biz_conf_file, "HTTP_BIZ", "ES_INDEX", dig_cfg.es_index, 128, "aiids_tcp_");
    MESA_load_profile_string_def(t2_biz_conf_file, "HTTP_BIZ", "ES_DOC_TYPE", dig_cfg.es_doc_type, 128, "vulnerability");

    if (digapis_detector_init(&dig_cfg, &dig_emsg) != 0)
    {
        MESA_handle_runtime_log(g_http_dig_biz_info.run_log_handle, RLOG_LV_FATAL, module_name, "<%s>%d: digapis_detector_init error", __FILE__, __LINE__);
        return -1;
    }
    return 0;
}
/*
 * Module teardown hook. Intentionally empty in this version: the runtime log
 * handle created in T2_HTTP_DIG_BIZ_INIT and any detector state are not
 * released here. NOTE(review): if the MESA/digapis APIs expose matching
 * destroy calls, they belong in this function.
 */
void T2_HTTP_DIG_BIZ_DESTROY()
{
}