/**
* \internal
* \brief Write meta data on a single line json record
*/
static void FileWriteJsonRecord(JsonFileLogThread *aft, const Packet *p, const File *ff)
{
json_t *js = CreateJSONHeader((Packet *)p, 0, "fileinfo"); //TODO const
json_t *hjs = NULL;
if (unlikely(js == NULL))
return;
/* reset */
MemBufferReset(aft->buffer);
switch (p->flow->alproto) {
case ALPROTO_HTTP:
hjs = JsonHttpAddMetadata(p->flow, ff->txid);
if (hjs)
json_object_set_new(js, "http", hjs);
break;
case ALPROTO_SMTP:
hjs = JsonSMTPAddMetadata(p->flow, ff->txid);
if (hjs)
json_object_set_new(js, "smtp", hjs);
hjs = JsonEmailAddMetadata(p->flow, ff->txid);
if (hjs)
json_object_set_new(js, "email", hjs);
break;
#ifdef HAVE_RUST
case ALPROTO_NFS:
hjs = JsonNFSAddMetadataRPC(p->flow, ff->txid);
if (hjs)
json_object_set_new(js, "rpc", hjs);
hjs = JsonNFSAddMetadata(p->flow, ff->txid);
if (hjs)
json_object_set_new(js, "nfs", hjs);
break;
#endif
}
json_object_set_new(js, "app_proto",
json_string(AppProtoToString(p->flow->alproto)));
json_t *fjs = json_object();
if (unlikely(fjs == NULL)) {
json_decref(js);
return;
}
char *s = BytesToString(ff->name, ff->name_len);
json_object_set_new(fjs, "filename", json_string(s));
if (s != NULL)
SCFree(s);
#ifdef HAVE_MAGIC
if (ff->magic)
json_object_set_new(fjs, "magic", json_string((char *)ff->magic));
#endif
json_object_set_new(fjs, "gaps", json_boolean((ff->flags & FILE_HAS_GAPS)));
switch (ff->state) {
case FILE_STATE_CLOSED:
json_object_set_new(fjs, "state", json_string("CLOSED"));
#ifdef HAVE_NSS
if (ff->flags & FILE_MD5) {
size_t x;
int i;
char str[256];
for (i = 0, x = 0; x < sizeof(ff->md5); x++) {
i += snprintf(&str[i], 255-i, "%02x", ff->md5[x]);
}
json_object_set_new(fjs, "md5", json_string(str));
}
if (ff->flags & FILE_SHA1) {
size_t x;
int i;
char str[256];
for (i = 0, x = 0; x < sizeof(ff->sha1); x++) {
i += snprintf(&str[i], 255-i, "%02x", ff->sha1[x]);
}
json_object_set_new(fjs, "sha1", json_string(str));
}
if (ff->flags & FILE_SHA256) {
size_t x;
int i;
char str[256];
for (i = 0, x = 0; x < sizeof(ff->sha256); x++) {
i += snprintf(&str[i], 255-i, "%02x", ff->sha256[x]);
}
json_object_set_new(fjs, "sha256", json_string(str));
}
#endif
break;
case FILE_STATE_TRUNCATED:
json_object_set_new(fjs, "state", json_string("TRUNCATED"));
break;
case FILE_STATE_ERROR:
json_object_set_new(fjs, "state", json_string("ERROR"));
break;
default:
json_object_set_new(fjs, "state", json_string("UNKNOWN"));
break;
}
json_object_set_new(fjs, "stored",
(ff->flags & FILE_STORED) ? json_true() : json_false());
if (ff->flags & FILE_STORED) {
json_object_set_new(fjs, "file_id", json_integer(ff->file_store_id));
}
json_object_set_new(fjs, "size", json_integer(FileTrackedSize(ff)));
json_object_set_new(fjs, "tx_id", json_integer(ff->txid));
/* originally just 'file', but due to bug 1127 naming it fileinfo */
json_object_set_new(js, "fileinfo", fjs);
OutputJSONBuffer(js, aft->filelog_ctx->file_ctx, &aft->buffer);
json_object_del(js, "fileinfo");
switch (p->flow->alproto) {
case ALPROTO_HTTP:
json_object_del(js, "http");
break;
case ALPROTO_SMTP:
json_object_del(js, "smtp");
json_object_del(js, "email");
break;
}
json_object_clear(js);
json_decref(js);
}
static void LogFilestoreLogCloseMetaFile(const File *ff)
{
char pid_expression[PATH_MAX] = "";
if (FileIncludePid())
snprintf(pid_expression, sizeof(pid_expression), ".%d", getpid());
char final_filename[PATH_MAX] = "";
if (snprintf(final_filename, sizeof(final_filename), "%s/file%s.%u",
g_logfile_base_dir, pid_expression, ff->file_store_id) == sizeof(final_filename))
return;
char final_metafilename[PATH_MAX] = "";
if (snprintf(final_metafilename, sizeof(final_metafilename),
"%s.meta", final_filename) == sizeof(final_metafilename))
return;
char working_metafilename[PATH_MAX] = "";
if (snprintf(working_metafilename, sizeof(working_metafilename),
"%s%s", final_metafilename, g_working_file_suffix) == sizeof(working_metafilename))
return;
FILE *fp = fopen(working_metafilename, "a");
if (fp != NULL) {
#ifdef HAVE_MAGIC
fprintf(fp, "MAGIC: %s\n",
ff->magic ? ff->magic : "<unknown>");
#endif
switch (ff->state) {
case FILE_STATE_CLOSED:
fprintf(fp, "STATE: CLOSED\n");
#ifdef HAVE_NSS
if (ff->flags & FILE_MD5) {
fprintf(fp, "MD5: ");
size_t x;
for (x = 0; x < sizeof(ff->md5); x++) {
fprintf(fp, "%02x", ff->md5[x]);
}
fprintf(fp, "\n");
}
if (ff->flags & FILE_SHA1) {
fprintf(fp, "SHA1: ");
size_t x;
for (x = 0; x < sizeof(ff->sha1); x++) {
fprintf(fp, "%02x", ff->sha1[x]);
}
fprintf(fp, "\n");
}
if (ff->flags & FILE_SHA256) {
fprintf(fp, "SHA256: ");
size_t x;
for (x = 0; x < sizeof(ff->sha256); x++) {
fprintf(fp, "%02x", ff->sha256[x]);
}
fprintf(fp, "\n");
}
#endif
break;
case FILE_STATE_TRUNCATED:
fprintf(fp, "STATE: TRUNCATED\n");
break;
case FILE_STATE_ERROR:
fprintf(fp, "STATE: ERROR\n");
break;
default:
fprintf(fp, "STATE: UNKNOWN\n");
break;
}
fprintf(fp, "SIZE: %"PRIu64"\n", FileTrackedSize(ff));
fclose(fp);
} else {
SCLogInfo("opening %s failed: %s", working_metafilename,
strerror(errno));
}
}
