-rw-r--r--src/tsg_entry.cpp223
-rw-r--r--src/tsg_entry.h2
-rw-r--r--src/tsg_rule.cpp17
-rw-r--r--src/tsg_send_log.cpp10
-rw-r--r--src/tsg_ssh_utils.cpp1
5 files changed, 165 insertions, 88 deletions
diff --git a/src/tsg_entry.cpp b/src/tsg_entry.cpp
index bb1644b..fd50e60 100644
--- a/src/tsg_entry.cpp
+++ b/src/tsg_entry.cpp
@@ -54,7 +54,24 @@ id2field_t g_tsg_fs2_field[TSG_FS2_MAX]={{TLD_TYPE_UNKNOWN, TSG_FS2_LINKS, "link
{TLD_TYPE_UNKNOWN, TSG_FS2_INTERCEPT, "intercept"},
{TLD_TYPE_UNKNOWN, TSG_FS2_LOG, "log"},
{TLD_TYPE_UNKNOWN, TSG_FS2_DENY, "deny"}
- };
+ };
+
+id2field_t g_tsg_proto_name2id[PROTO_MAX]={{TLD_TYPE_UNKNOWN, PROTO_UNKONWN, "unknown"},
+ {TLD_TYPE_UNKNOWN, PROTO_IPv4, "IPV4"},
+ {TLD_TYPE_UNKNOWN, PROTO_IPv6, "IPV6"},
+ {TLD_TYPE_UNKNOWN, PROTO_TCP, "TCP"},
+ {TLD_TYPE_UNKNOWN, PROTO_UDP, "UDP"},
+ {TLD_TYPE_UNKNOWN, PROTO_HTTP, "HTTP"},
+ {TLD_TYPE_UNKNOWN, PROTO_MAIL, "MAIL"},
+ {TLD_TYPE_UNKNOWN, PROTO_DNS, "DNS"},
+ {TLD_TYPE_UNKNOWN, PROTO_FTP, "FTP"},
+ {TLD_TYPE_UNKNOWN, PROTO_SSL, "SSL"},
+ {TLD_TYPE_UNKNOWN, PROTO_SIP, "SIP"},
+ {TLD_TYPE_UNKNOWN, PROTO_BGP, "BGP"},
+ {TLD_TYPE_UNKNOWN, PROTO_STREAMING_MEDIA, "STREAMING_MEDIA"},
+ {TLD_TYPE_UNKNOWN, PROTO_QUIC, "QUIC"},
+ {TLD_TYPE_UNKNOWN, PROTO_SSH, "SSH"}
+ };
#define DECCRYPTION_EXCLUSION_ALLOW_POLICY_ID 1
@@ -91,6 +108,35 @@ static int tsg_get_sn(char *filename, char *device_sn, int device_sn_len)
return flags;
}
+static int tsg_proto_name2flag(char *proto_list, int *flag)
+{
+ int i=0;
+ char *s=NULL,*e=NULL;
+
+ s=proto_list;
+ while(s)
+ {
+ e=index(s, ';');
+ if(!e)
+ {
+ break;
+ }
+
+ for(i=0; i< PROTO_MAX; i++)
+ {
+ if((memcmp(s, g_tsg_proto_name2id[i].name, e-s))==0)
+ {
+ *flag|=(1<<g_tsg_proto_name2id[i].id);
+ break;
+ }
+ }
+
+ s=e+1;
+ }
+
+ return 0;
+}
+
int tsg_set_device_id_to_telegraf(char *device_sn)
{
char buff[128]={0};
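Review bot: The name lookup in tsg_proto_name2flag matches on a prefix, not on the whole token: `memcmp(s, g_tsg_proto_name2id[i].name, e-s)` compares only `e-s` bytes, so a token such as `IP` would select the first entry starting with those bytes (`IPV4`), and a token longer than the table string makes memcmp read past that string's terminator. A second defect is that a final token without a trailing `;` is dropped by the `if(!e) break;`, so a configured `HTTP;SSL` enables only HTTP; the shipped default ends in `;` and hides this. If `PROTO_MAX` is larger than the 15 initializers in `g_tsg_proto_name2id` (cannot be confirmed from this page), the remaining entries have a NULL `name`, which this loop would pass straight to memcmp, so a NULL guard is cheap insurance. A length-checked exact match that also accepts the last unterminated token fixes all three; `strchr` replaces the legacy `index`.
```cpp
static int tsg_proto_name2flag(char *proto_list, int *flag)
{
    const char *s = proto_list;

    while (s != NULL && *s != '\0') {
        const char *e = strchr(s, ';');
        /* a final token with no trailing ';' is still a token */
        size_t len = (e != NULL) ? (size_t)(e - s) : strlen(s);

        for (int i = 0; i < PROTO_MAX; i++) {
            const char *name = g_tsg_proto_name2id[i].name;
            /* exact match only: same length, then same bytes */
            if (name != NULL && strlen(name) == len && memcmp(s, name, len) == 0) {
                *flag |= (1 << g_tsg_proto_name2id[i].id);
                break;
            }
        }

        if (e == NULL) {
            break;
        }
        s = e + 1;
    }

    return 0;
}
```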
@@ -427,106 +473,121 @@ static int identify_application_protocol(struct streaminfo *a_stream, struct _id
int ret=0;
identify_info->proto = PROTO_UNKONWN;
- //http
- char *host=NULL;
- ret=http_host_parser((char *)a_stream->ptcpdetail->pdata, (unsigned int)a_stream->ptcpdetail->datalen, a_stream->curdir, &host);
- if(ret>=0)
- {
- identify_info->proto=PROTO_HTTP;
- if(ret>0 && host!=NULL)
- {
- identify_info->domain_len=MIN(ret, (int)sizeof(identify_info->domain) - 1);
- strncpy(identify_info->domain, host, identify_info->domain_len);
- }
- else
- {
- identify_info->domain_len=0;
- }
- return 1;
- }
- //ssl
- enum chello_parse_result chello_status = CHELLO_PARSE_INVALID_FORMAT;
- struct ssl_chello *chello = NULL;
-
- chello=ssl_chello_parse((unsigned char *)a_stream->ptcpdetail->pdata, (unsigned int)a_stream->ptcpdetail->datalen, &chello_status);
- if(chello_status==CHELLO_PARSE_SUCCESS)
+ if(g_tsg_para.proto_flag&(1<<PROTO_HTTP)) //http
{
- identify_info->proto=PROTO_SSL;
- if(chello->sni==NULL)
- {
- identify_info->domain_len = 0;
- }
- else
+ char *host=NULL;
+ ret=http_host_parser((char *)a_stream->ptcpdetail->pdata, (unsigned int)a_stream->ptcpdetail->datalen, a_stream->curdir, &host);
+ if(ret>=0)
{
- identify_info->domain_len = strnlen(chello->sni, sizeof(identify_info->domain) - 1);
- strncpy(identify_info->domain, chello->sni, identify_info->domain_len);
+ identify_info->proto=PROTO_HTTP;
+ if(ret>0 && host!=NULL)
+ {
+ identify_info->domain_len=MIN(ret, (int)sizeof(identify_info->domain) - 1);
+ strncpy(identify_info->domain, host, identify_info->domain_len);
+ }
+ else
+ {
+ identify_info->domain_len=0;
+ }
+ return 1;
}
-
- ssl_chello_free(chello);
- return 1;
}
- ssl_chello_free(chello);
-
- //dns
- struct stream_tuple4_v4 *tpl4 = NULL;
- struct stream_tuple4_v6 *tpl6 = NULL;
-
- switch(a_stream->addr.addrtype)
+ if(g_tsg_para.proto_flag&(1<<PROTO_SSL)) //ssl
{
- case ADDR_TYPE_IPV4:
- tpl4=a_stream->addr.tuple4_v4;
- if((ntohs(tpl4->source)==53) || (ntohs(tpl4->dest)==53))
+ enum chello_parse_result chello_status = CHELLO_PARSE_INVALID_FORMAT;
+ struct ssl_chello *chello = NULL;
+
+ chello=ssl_chello_parse((unsigned char *)a_stream->ptcpdetail->pdata, (unsigned int)a_stream->ptcpdetail->datalen, &chello_status);
+ if(chello_status==CHELLO_PARSE_SUCCESS)
+ {
+ identify_info->proto=PROTO_SSL;
+ if(chello->sni==NULL)
{
- identify_info->proto=PROTO_DNS;
- return 1;
+ identify_info->domain_len = 0;
}
- break;
- case ADDR_TYPE_IPV6:
- tpl6=a_stream->addr.tuple4_v6;
- if((ntohs(tpl6->source)==53) || (ntohs(tpl6->dest)==53))
+ else
{
- identify_info->proto=PROTO_DNS;
- return 1;
+ identify_info->domain_len = strnlen(chello->sni, sizeof(identify_info->domain) - 1);
+ strncpy(identify_info->domain, chello->sni, identify_info->domain_len);
}
- break;
- default:
- break;
+
+ ssl_chello_free(chello);
+ return 1;
+ }
+
+ ssl_chello_free(chello);
}
- //ftp
- ret=ftp_control_identify(a_stream);
- if(ret>0)
+ if(g_tsg_para.proto_flag&(1<<PROTO_DNS)) //dns
{
- identify_info->proto=PROTO_FTP;
- return 1;
- }
+ struct stream_tuple4_v4 *tpl4 = NULL;
+ struct stream_tuple4_v6 *tpl6 = NULL;
- //mail
- ret=mail_protocol_identify_by_first_payload(a_stream,(char *)a_stream->ptcpdetail->pdata, a_stream->ptcpdetail->datalen, a_stream->threadnum);
- if(ret>=SMTP_PROTOCOL&& ret<=IMAP_PROTOCOL)
+ switch(a_stream->addr.addrtype)
+ {
+ case ADDR_TYPE_IPV4:
+ tpl4=a_stream->addr.tuple4_v4;
+ if((ntohs(tpl4->source)==53) || (ntohs(tpl4->dest)==53))
+ {
+ identify_info->proto=PROTO_DNS;
+ return 1;
+ }
+ break;
+ case ADDR_TYPE_IPV6:
+ tpl6=a_stream->addr.tuple4_v6;
+ if((ntohs(tpl6->source)==53) || (ntohs(tpl6->dest)==53))
+ {
+ identify_info->proto=PROTO_DNS;
+ return 1;
+ }
+ break;
+ default:
+ break;
+ }
+ }
+
+ if(g_tsg_para.proto_flag&(1<<PROTO_FTP)) //ftp
{
- identify_info->proto=PROTO_MAIL;
- return 1;
+ ret=ftp_control_identify(a_stream);
+ if(ret>0)
+ {
+ identify_info->proto=PROTO_FTP;
+ return 1;
+ }
}
-
- ret = ssh_protocol_identify((unsigned char *)a_stream->ptcpdetail->pdata, (unsigned int)a_stream->ptcpdetail->datalen,g_tsg_para.logger);
- if(ret > 0)
+
+ if(g_tsg_para.proto_flag&(1<<PROTO_MAIL)) //mail
{
- identify_info->proto=PROTO_SSH;
- return 1;
+ ret=mail_protocol_identify_by_first_payload(a_stream,(char *)a_stream->ptcpdetail->pdata, a_stream->ptcpdetail->datalen, a_stream->threadnum);
+ if(ret>=SMTP_PROTOCOL&& ret<=IMAP_PROTOCOL)
+ {
+ identify_info->proto=PROTO_MAIL;
+ return 1;
+ }
}
- //ssh
- //quic
- ret=quic_protocol_identify(a_stream, a_packet, identify_info->domain, sizeof(identify_info->domain));
- if(ret>0)
+
+ if(g_tsg_para.proto_flag&(1<<PROTO_SSH)) //ssh
{
- identify_info->proto=PROTO_QUIC;
- identify_info->domain_len=ret;
- return 1;
+ ret = ssh_protocol_identify((unsigned char *)a_stream->ptcpdetail->pdata, (unsigned int)a_stream->ptcpdetail->datalen,g_tsg_para.logger);
+ if(ret > 0)
+ {
+ identify_info->proto=PROTO_SSH;
+ return 1;
+ }
}
+ if(g_tsg_para.proto_flag&(1<<PROTO_QUIC)) //quic
+ {
+ ret=quic_protocol_identify(a_stream, a_packet, identify_info->domain, sizeof(identify_info->domain));
+ if(ret>0)
+ {
+ identify_info->proto=PROTO_QUIC;
+ identify_info->domain_len=ret;
+ return 1;
+ }
+ }
return ret;
}
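Review bot: The final `return ret;` now returns whatever the last enabled identifier produced instead of a fixed not-identified result; before the change `ret` at this point was always the QUIC result, but with the QUIC bit cleared it may carry a positive value from, say, `mail_protocol_identify_by_first_payload` that fell outside the `SMTP_PROTOCOL..IMAP_PROTOCOL` range, and a caller testing for non-zero would treat that as a hit. Since `identify_info->proto` is already `PROTO_UNKONWN` at the top of the function, make the fall-through explicit with `return 0;`. Separately, the moved `strncpy` calls into `identify_info->domain` in the HTTP and SSL branches copy `domain_len` bytes with no terminator; if readers always go through `domain_len` that is fine, but a comment such as `// domain is length-delimited by domain_len, not NUL-terminated` would stop someone treating it as a C string. identify_application_protocol's signature and the first lines of its body are above this hunk.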
@@ -901,6 +962,7 @@ extern "C" int TSG_MASTER_INIT()
char fs_server_ip[MAX_IPV4_LEN]={0};
char fs_output_path[MAX_STRING_LEN*4]={0};
char device_sn_filename[MAX_STRING_LEN]={0};
+ char identify_proto_name[MAX_STRING_LEN*4]={0};
memset(&g_tsg_para, 0, sizeof(g_tsg_para));
@@ -913,6 +975,9 @@ extern "C" int TSG_MASTER_INIT()
printf("MESA_create_runtime_log_handle failed ...\n");
return -1;
}
+
+ MESA_load_profile_string_def(tsg_conffile, "SYSTEM", "IDENTIFY_PROTO_NAME", identify_proto_name, sizeof(identify_proto_name), "HTTP;SSL;DNS;FTP;BGP;SIP;MAIL;STREAMING_MEDIA;QUIC;");
+ tsg_proto_name2flag(identify_proto_name, &g_tsg_para.proto_flag);
MESA_load_profile_int_def(tsg_conffile, "SYSTEM", "DEVICE_ID", &g_tsg_para.device_id, 0);
MESA_load_profile_short_def(tsg_conffile, "SYSTEM", "TIMEOUT", (short *)&g_tsg_para.timeout, 300);
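Review bot: Nothing reports the outcome of `tsg_proto_name2flag(identify_proto_name, &g_tsg_para.proto_flag);` — an empty `IDENTIFY_PROTO_NAME` value, or one whose tokens are all misspelled, leaves `proto_flag` at 0 and silently disables every gate in identify_application_protocol, and a single mistyped token (e.g. `HTPP`) disables that protocol with no trace. Tokens in the default list that have no gate (`BGP`, `SIP`, `STREAMING_MEDIA`) are harmless, but the zero case deserves a startup diagnostic in the style this function already uses: `if (g_tsg_para.proto_flag == 0) printf("IDENTIFY_PROTO_NAME '%s' enabled no protocol identifier\n", identify_proto_name);`. Logging the resolved mask once at init would also make field debugging of "protocol X is never detected" much quicker. TSG_MASTER_INIT continues beyond this hunk.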
diff --git a/src/tsg_entry.h b/src/tsg_entry.h
index 6552276..bbe774a 100644
--- a/src/tsg_entry.h
+++ b/src/tsg_entry.h
@@ -4,6 +4,7 @@
#include <MESA/Maat_rule.h>
#include <MESA/field_stat2.h>
#include "tsg_rule.h"
+#include "tsg_label.h"
#include "tsg_statistic.h"
#if(__GNUC__ * 100 + __GNUC_MINOR__ * 10 + __GNUC_PATCHLEVEL__ >= 411)
@@ -90,6 +91,7 @@ typedef struct _tsg_para
int dyn_subscribe_ip_table_id; //TSG_DYN_SUBSCRIBER_IP
int priority_project_id;
int internal_project_id;
+ int proto_flag; //tsg_protocol_t
int fs2_field_id[TSG_FS2_MAX];
char device_sn[MAX_DOAMIN_LEN/8];
char table_name[TABLE_MAX][_MAX_TABLE_NAME_LEN];
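Review bot: The trailing comment `//tsg_protocol_t` on the new `proto_flag` field names a type but not the encoding, and the field is read as a bitmask elsewhere (`proto_flag & (1<<PROTO_HTTP)`). Suggest `int proto_flag; // bitmask: bit (1<<id) set for each protocol enabled via IDENTIFY_PROTO_NAME` so header readers do not assume it holds a single enumerator. The enclosing struct `_tsg_para` starts and ends outside this hunk.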
diff --git a/src/tsg_rule.cpp b/src/tsg_rule.cpp
index b0e1a5d..e831099 100644
--- a/src/tsg_rule.cpp
+++ b/src/tsg_rule.cpp
@@ -93,6 +93,13 @@ static char* str_unescape(char* s)
return s;
}
+static void eliminate_default_value(char *value)
+{
+ if(value!=NULL && (memcmp(value, "null", 4))==0)
+ {
+ value[0]='\0';
+ }
+}
void ASN_dup_data(int table_id, MAAT_PLUGIN_EX_DATA *to, MAAT_PLUGIN_EX_DATA *from, long argl, void* argp)
{
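Review bot: `memcmp(value, "null", 4)` in eliminate_default_value blanks any value that merely begins with `null`, not only the placeholder itself, and for a value shorter than four characters the comparison reads beyond its terminator. This prefix behaviour is inherited from the inline checks removed in tsg_send_log.cpp, but now that the test lives in one helper it is the right moment to make it exact: `if(value!=NULL && strcmp(value, "null")==0)`. If the upstream rule feed can also emit `NULL` or `Null`, a case-insensitive compare would be needed, but that cannot be confirmed from this page.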
@@ -143,6 +150,7 @@ void ASN_new_data(int table_id, const char* key, const char* table_line, MAAT_PL
}
str_unescape(asn->organization);
+ eliminate_default_value(asn->organization);
atomic_inc(&asn->ref_cnt);
asn->table_id=table_id;
@@ -262,6 +270,15 @@ void location_new_data(int table_id, const char* key, const char* table_line, MA
str_unescape(location->country_full);
str_unescape(location->province_full);
str_unescape(location->city_full);
+ eliminate_default_value(location->language);
+ eliminate_default_value(location->continent_abbr);
+ eliminate_default_value(location->continent_full);
+ eliminate_default_value(location->country_abbr);
+ eliminate_default_value(location->country_full);
+ eliminate_default_value(location->province_abbr);
+ eliminate_default_value(location->province_full);
+ eliminate_default_value(location->city_full);
+ eliminate_default_value(location->time_zone);
atomic_inc(&location->ref_cnt);
location->table_id=table_id;
diff --git a/src/tsg_send_log.cpp b/src/tsg_send_log.cpp
index 182ab37..24d8e5e 100644
--- a/src/tsg_send_log.cpp
+++ b/src/tsg_send_log.cpp
@@ -209,20 +209,14 @@ int set_common_field_from_label(struct tsg_log_instance_t *_instance, struct TLD
if(internal_label->client_location!=NULL)
{
location=internal_label->client_location;
- snprintf(buff, sizeof(buff), "%s,%s,%s", (!(memcmp(location->city_full, "null", 4)) ? "" : location->city_full),
- (!(memcmp(location->province_full, "null", 4)) ? "" : location->province_full),
- (!(memcmp(location->country_full, "null", 4)) ? "" : location->country_full)
- );
+ snprintf(buff, sizeof(buff), "%s,%s,%s", location->city_full, location->province_full, location->country_full);
TLD_append(_handle, _instance->id2field[LOG_COMMON_CLINET_LOCATION].name, (void *)buff, TLD_TYPE_STRING);
}
if(internal_label->server_location!=NULL)
{
location=internal_label->server_location;
- snprintf(buff, sizeof(buff), "%s,%s,%s", (!(memcmp(location->city_full, "null", 4)) ? "" : location->city_full),
- (!(memcmp(location->province_full, "null", 4)) ? "" : location->province_full),
- (!(memcmp(location->country_full, "null", 4)) ? "" : location->country_full)
- );
+ snprintf(buff, sizeof(buff), "%s,%s,%s", location->city_full, location->province_full, location->country_full);
TLD_append(_handle, _instance->id2field[LOG_COMMON_SERVER_LOCATION].name, (void *)buff, TLD_TYPE_STRING);
}
}
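Review bot: The simplified `snprintf(buff, sizeof(buff), "%s,%s,%s", location->city_full, location->province_full, location->country_full);` now depends on the location object having been scrubbed by eliminate_default_value in location_new_data; any location produced by another path (none visible here, so this is hedged) would put `null` back into the log field. A one-line comment above the first snprintf recording that invariant, `// "null" placeholders are blanked in location_new_data(), so fields are emitted as-is`, keeps the two files from drifting apart. The same note applies to the server_location branch below it.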
diff --git a/src/tsg_ssh_utils.cpp b/src/tsg_ssh_utils.cpp
index 420cdd7..fc0c136 100644
--- a/src/tsg_ssh_utils.cpp
+++ b/src/tsg_ssh_utils.cpp
@@ -9,7 +9,6 @@
int ssh_protocol_identify(const unsigned char* buff, size_t buff_len, void* argp)
{
- void *logger=argp;
if(buff == NULL || buff_len < SSH_PROTOCOL_FIELD_LEN)
{
return -1;