/** * \internal * \brief Write meta data on a single line json record */ static void FileWriteJsonRecord(JsonFileLogThread *aft, const Packet *p, const File *ff) { json_t *js = CreateJSONHeader((Packet *)p, 0, "fileinfo"); //TODO const json_t *hjs = NULL; if (unlikely(js == NULL)) return; /* reset */ MemBufferReset(aft->buffer); switch (p->flow->alproto) { case ALPROTO_HTTP: hjs = JsonHttpAddMetadata(p->flow, ff->txid); if (hjs) json_object_set_new(js, "http", hjs); break; case ALPROTO_SMTP: hjs = JsonSMTPAddMetadata(p->flow, ff->txid); if (hjs) json_object_set_new(js, "smtp", hjs); hjs = JsonEmailAddMetadata(p->flow, ff->txid); if (hjs) json_object_set_new(js, "email", hjs); break; #ifdef HAVE_RUST case ALPROTO_NFS: hjs = JsonNFSAddMetadataRPC(p->flow, ff->txid); if (hjs) json_object_set_new(js, "rpc", hjs); hjs = JsonNFSAddMetadata(p->flow, ff->txid); if (hjs) json_object_set_new(js, "nfs", hjs); break; #endif } json_object_set_new(js, "app_proto", json_string(AppProtoToString(p->flow->alproto))); json_t *fjs = json_object(); if (unlikely(fjs == NULL)) { json_decref(js); return; } char *s = BytesToString(ff->name, ff->name_len); json_object_set_new(fjs, "filename", json_string(s)); if (s != NULL) SCFree(s); #ifdef HAVE_MAGIC if (ff->magic) json_object_set_new(fjs, "magic", json_string((char *)ff->magic)); #endif json_object_set_new(fjs, "gaps", json_boolean((ff->flags & FILE_HAS_GAPS))); switch (ff->state) { case FILE_STATE_CLOSED: json_object_set_new(fjs, "state", json_string("CLOSED")); #ifdef HAVE_NSS if (ff->flags & FILE_MD5) { size_t x; int i; char str[256]; for (i = 0, x = 0; x < sizeof(ff->md5); x++) { i += snprintf(&str[i], 255-i, "%02x", ff->md5[x]); } json_object_set_new(fjs, "md5", json_string(str)); } if (ff->flags & FILE_SHA1) { size_t x; int i; char str[256]; for (i = 0, x = 0; x < sizeof(ff->sha1); x++) { i += snprintf(&str[i], 255-i, "%02x", ff->sha1[x]); } json_object_set_new(fjs, "sha1", json_string(str)); } if (ff->flags & FILE_SHA256) { size_t x; int i; char str[256]; for (i = 0, x = 0; x < sizeof(ff->sha256); x++) { i += snprintf(&str[i], 255-i, "%02x", ff->sha256[x]); } json_object_set_new(fjs, "sha256", json_string(str)); } #endif break; case FILE_STATE_TRUNCATED: json_object_set_new(fjs, "state", json_string("TRUNCATED")); break; case FILE_STATE_ERROR: json_object_set_new(fjs, "state", json_string("ERROR")); break; default: json_object_set_new(fjs, "state", json_string("UNKNOWN")); break; } json_object_set_new(fjs, "stored", (ff->flags & FILE_STORED) ? json_true() : json_false()); if (ff->flags & FILE_STORED) { json_object_set_new(fjs, "file_id", json_integer(ff->file_store_id)); } json_object_set_new(fjs, "size", json_integer(FileTrackedSize(ff))); json_object_set_new(fjs, "tx_id", json_integer(ff->txid)); /* originally just 'file', but due to bug 1127 naming it fileinfo */ json_object_set_new(js, "fileinfo", fjs); OutputJSONBuffer(js, aft->filelog_ctx->file_ctx, &aft->buffer); json_object_del(js, "fileinfo"); switch (p->flow->alproto) { case ALPROTO_HTTP: json_object_del(js, "http"); break; case ALPROTO_SMTP: json_object_del(js, "smtp"); json_object_del(js, "email"); break; } json_object_clear(js); json_decref(js); }
static void LogFilestoreLogCloseMetaFile(const File *ff) { char pid_expression[PATH_MAX] = ""; if (FileIncludePid()) snprintf(pid_expression, sizeof(pid_expression), ".%d", getpid()); char final_filename[PATH_MAX] = ""; if (snprintf(final_filename, sizeof(final_filename), "%s/file%s.%u", g_logfile_base_dir, pid_expression, ff->file_store_id) == sizeof(final_filename)) return; char final_metafilename[PATH_MAX] = ""; if (snprintf(final_metafilename, sizeof(final_metafilename), "%s.meta", final_filename) == sizeof(final_metafilename)) return; char working_metafilename[PATH_MAX] = ""; if (snprintf(working_metafilename, sizeof(working_metafilename), "%s%s", final_metafilename, g_working_file_suffix) == sizeof(working_metafilename)) return; FILE *fp = fopen(working_metafilename, "a"); if (fp != NULL) { #ifdef HAVE_MAGIC fprintf(fp, "MAGIC: %s\n", ff->magic ? ff->magic : "<unknown>"); #endif switch (ff->state) { case FILE_STATE_CLOSED: fprintf(fp, "STATE: CLOSED\n"); #ifdef HAVE_NSS if (ff->flags & FILE_MD5) { fprintf(fp, "MD5: "); size_t x; for (x = 0; x < sizeof(ff->md5); x++) { fprintf(fp, "%02x", ff->md5[x]); } fprintf(fp, "\n"); } if (ff->flags & FILE_SHA1) { fprintf(fp, "SHA1: "); size_t x; for (x = 0; x < sizeof(ff->sha1); x++) { fprintf(fp, "%02x", ff->sha1[x]); } fprintf(fp, "\n"); } if (ff->flags & FILE_SHA256) { fprintf(fp, "SHA256: "); size_t x; for (x = 0; x < sizeof(ff->sha256); x++) { fprintf(fp, "%02x", ff->sha256[x]); } fprintf(fp, "\n"); } #endif break; case FILE_STATE_TRUNCATED: fprintf(fp, "STATE: TRUNCATED\n"); break; case FILE_STATE_ERROR: fprintf(fp, "STATE: ERROR\n"); break; default: fprintf(fp, "STATE: UNKNOWN\n"); break; } fprintf(fp, "SIZE: %"PRIu64"\n", FileTrackedSize(ff)); fclose(fp); } else { SCLogInfo("opening %s failed: %s", working_metafilename, strerror(errno)); } }