static void core_vars_gen_list(ib_tx_t *tx, const char *name)
{
assert(tx != NULL);
assert(name != NULL);
ib_status_t rc;
ib_var_source_t *source;
rc = ib_var_source_acquire(
&source,
tx->mp,
ib_var_store_config(tx->var_store),
name, strlen(name)
);
if (rc != IB_OK) {
ib_log_warning_tx(tx, "Failed to acquire \"%s\" var: %s",
name, ib_status_to_string(rc));
return;
}
rc = ib_var_source_initialize(source, NULL, tx->var_store, IB_FTYPE_LIST);
if (rc != IB_OK) {
ib_log_warning_tx(tx,
"Failed add \"%s\" var to transaction: %s",
name, ib_status_to_string(rc)
);
}
}
ib_status_t ib_capture_acquire(
const ib_tx_t *tx,
const char *collection_name,
ib_field_t **field
)
{
assert(tx != NULL);
assert(tx->var_store != NULL);
ib_status_t rc;
ib_var_source_t *source;
/* Look up the capture list */
collection_name = get_collection_name(collection_name);
// @todo Acquire source at configuration time.
rc = ib_var_source_acquire(&source,
tx->mm,
ib_engine_var_config_get(tx->ib),
collection_name, strlen(collection_name)
);
if (rc != IB_OK) {
return rc;
}
rc = ib_var_source_get(source, field, tx->var_store);
if (
rc == IB_ENOENT ||
(rc == IB_OK && (*field)->type != IB_FTYPE_LIST)
) {
rc = ib_var_source_initialize(
source,
field,
tx->var_store,
IB_FTYPE_LIST
);
}
if (rc != IB_OK) {
return rc;
}
return IB_OK;
}
/**
* Lookup the IP address in the GeoIP database
*
* @param[in] ib IronBee engine
* @param[in] tx Transaction
* @param[in] event Event
* @param[in] data callback data (Module configuration)
*/
static ib_status_t geoip_lookup(
ib_engine_t *ib,
ib_tx_t *tx,
ib_state_event_type_t event,
void *data
)
{
assert(ib != NULL);
assert(event == handle_context_tx_event);
assert(data != NULL);
const char *ip = tx->er_ipstr;
const module_data_t *mod_data = (const module_data_t *)data;
if (ip == NULL) {
ib_log_alert_tx(tx, "Trying to lookup NULL IP in GEOIP");
return IB_EINVAL;
}
#ifdef GEOIP_HAVE_VERSION
/**
* Some configurations exist as single characters and must be converted to
* a string. This is simply a place to assemble that string before
* it is passed into ip_data_add_nulstr.
* This is only needed if we have support confidence items. WAM
*/
char one_char_str[2] = { '\0', '\0' };
#endif /* GEOIP_HAVE_VERSION */
ib_status_t rc;
/* Declare and initialize the GeoIP property list.
* Regardless of if we find a record or not, we want to create the list
* artifact so that later modules know we ran and did [not] find a
* record. */
ib_field_t *geoip_lst = NULL;
ib_field_t *tmp_field = NULL;
/* Id of geo ip record to read. */
int geoip_id;
ib_log_debug_tx(tx, "GeoIP Lookup '%s'", ip);
/* Build a new list. */
rc = ib_var_source_initialize(
mod_data->geoip_source,
&geoip_lst,
tx->var_store,
IB_FTYPE_LIST
);
/* NOTICE: Called before GeoIP_record_by_addr allocates a
* GeoIPRecord. */
if (rc != IB_OK) {
ib_log_alert_tx(tx, "Unable to add GEOIP var.");
return IB_EINVAL;
}
if (mod_data->geoip_db == NULL) {
ib_log_alert_tx(tx,
"GeoIP database was never opened. Perhaps the "
"configuration file needs a GeoIPDatabaseFile "
"\"/usr/share/geoip/GeoLite.dat\" line?");
return IB_EINVAL;
}
geoip_id = GeoIP_id_by_addr(mod_data->geoip_db, ip);
if (geoip_id > 0) {
const char *tmp_str;
ib_log_debug_tx(tx, "GeoIP record found.");
/* Add integers. */
tmp_field = NULL;
tmp_str = GeoIP_code_by_id(geoip_id);
if (tmp_str)
{
ib_field_create(&tmp_field,
tx->mp,
IB_FIELD_NAME("country_code"),
IB_FTYPE_NULSTR,
ib_ftype_nulstr_in(tmp_str));
ib_field_list_add(geoip_lst, tmp_field);
}
tmp_str = GeoIP_code3_by_id(geoip_id);
if (tmp_str)
{
ib_field_create(&tmp_field,
tx->mp,
IB_FIELD_NAME("country_code3"),
IB_FTYPE_NULSTR,
ib_ftype_nulstr_in(tmp_str));
ib_field_list_add(geoip_lst, tmp_field);
}
tmp_str = GeoIP_country_name_by_id(mod_data->geoip_db, geoip_id);
if (tmp_str)
{
ib_field_create(&tmp_field,
tx->mp,
IB_FIELD_NAME("country_name"),
IB_FTYPE_NULSTR,
ib_ftype_nulstr_in(tmp_str));
ib_field_list_add(geoip_lst, tmp_field);
}
tmp_str = GeoIP_continent_by_id(geoip_id);
if (tmp_str)
{
ib_field_create(&tmp_field,
tx->mp,
IB_FIELD_NAME("continent_code"),
IB_FTYPE_NULSTR,
ib_ftype_nulstr_in(tmp_str));
ib_field_list_add(geoip_lst, tmp_field);
}
}
else
{
ib_log_debug_tx(tx, "No GeoIP record found.");
ib_field_create(&tmp_field,
tx->mp,
IB_FIELD_NAME("country_code"),
IB_FTYPE_NULSTR,
ib_ftype_nulstr_in("O1"));
ib_field_list_add(geoip_lst, tmp_field);
ib_field_create(&tmp_field,
tx->mp,
IB_FIELD_NAME("country_code3"),
IB_FTYPE_NULSTR,
ib_ftype_nulstr_in("O01"));
ib_field_list_add(geoip_lst, tmp_field);
ib_field_create(&tmp_field,
tx->mp,
IB_FIELD_NAME("country_name"),
IB_FTYPE_NULSTR,
ib_ftype_nulstr_in("Other Country"));
ib_field_list_add(geoip_lst, tmp_field);
ib_field_create(&tmp_field,
tx->mp,
IB_FIELD_NAME("continent_code"),
IB_FTYPE_NULSTR,
ib_ftype_nulstr_in("O1"));
ib_field_list_add(geoip_lst, tmp_field);
}
return IB_OK;
}
/**
* Parse the user agent header, splitting into component fields.
*
* Attempt to tokenize the user agent string passed in, storing the
* result in the DPI associated with the transaction.
*
* @param[in] ib IronBee object
* @param[in,out] tx Transaction object
* @param[in] bs Byte string containing the agent string
*
* @returns Status code
*/
static ib_status_t modua_agent_fields(ib_engine_t *ib,
ib_tx_t *tx,
const ib_bytestr_t *bs)
{
const modua_match_rule_t *rule = NULL;
ib_field_t *agent_list = NULL;
char *product = NULL;
char *platform = NULL;
char *extra = NULL;
char *agent;
char *buf;
size_t len;
ib_status_t rc;
ib_var_source_t *source;
/* Get the length of the byte string */
len = ib_bytestr_length(bs);
/* Allocate memory for a copy of the string to split up below. */
buf = (char *)ib_mpool_calloc(tx->mp, 1, len+1);
if (buf == NULL) {
ib_log_error_tx(tx,
"Failed to allocate %zd bytes for agent string",
len+1);
return IB_EALLOC;
}
/* Copy the string out */
memcpy(buf, ib_bytestr_const_ptr(bs), len);
buf[len] = '\0';
ib_log_debug_tx(tx, "Found user agent: '%s'", buf);
/* Copy the agent string */
agent = (char *)ib_mpool_strdup(tx->mp, buf);
if (agent == NULL) {
ib_log_error_tx(tx, "Failed to allocate copy of agent string");
return IB_EALLOC;
}
/* Parse the user agent string */
rc = modua_parse_uastring(buf, &product, &platform, &extra);
if (rc != IB_OK) {
ib_log_debug_tx(tx, "Failed to parse User Agent string '%s'", agent);
return IB_OK;
}
/* Categorize the parsed string */
rule = modua_match_cat_rules(product, platform, extra);
if (rule == NULL) {
ib_log_debug_tx(tx, "No rule matched" );
}
else {
ib_log_debug_tx(tx, "Matched to rule #%d / category '%s'",
rule->rule_num, rule->category );
}
/* Build a new list. */
rc = ib_var_source_acquire(
&source, tx->mp, ib_engine_var_config_get(ib), IB_S2SL("UA")
);
if (rc != IB_OK) {
ib_log_alert_tx(tx, "Unable to acquire source for UserAgent list.");
return rc;
}
rc = ib_var_source_initialize(
source, &agent_list, tx->var_store, IB_FTYPE_LIST
);
if (rc != IB_OK)
{
ib_log_alert_tx(tx, "Unable to add UserAgent list to DPI.");
return rc;
}
/* Store Agent */
rc = modua_store_field(ib, tx->mp, agent_list, "agent", agent);
if (rc != IB_OK) {
return rc;
}
/* Store product */
rc = modua_store_field(ib, tx->mp, agent_list, "PRODUCT", product);
if (rc != IB_OK) {
return rc;
}
/* Store Platform */
rc = modua_store_field(ib, tx->mp, agent_list, "OS", platform);
if (rc != IB_OK) {
return rc;
}
/* Store Extra */
rc = modua_store_field(ib, tx->mp, agent_list, "extra", extra);
if (rc != IB_OK) {
return rc;
}
/* Store Extra */
if (rule != NULL) {
rc = modua_store_field(ib, tx->mp, agent_list,
"category", rule->category);
}
else {
rc = modua_store_field(ib, tx->mp, agent_list, "category", NULL );
}
if (rc != IB_OK) {
return rc;
}
/* Done */
return IB_OK;
}
/**
* Create an alias list collection.
*
* @param ib Engine.
* @param tx Transaction.
* @param name Collection name
* @param header Header list to alias
*
* @returns Status code
*/
static ib_status_t create_header_alias_list(
ib_engine_t *ib,
ib_tx_t *tx,
const char *name,
ib_parsed_header_wrapper_t *header)
{
ib_field_t *f;
ib_list_t *header_list;
ib_status_t rc;
ib_parsed_name_value_pair_list_t *nvpair;
ib_var_source_t *source;
assert(ib != NULL);
assert(tx != NULL);
assert(name != NULL);
assert(header != NULL);
/* Create the list */
rc = ib_var_source_acquire(
&source,
ib_var_store_pool(tx->var_store),
ib_var_store_config(tx->var_store),
name, strlen(name)
);
if (rc != IB_OK) {
return rc;
}
rc = ib_var_source_get(source, &f, tx->var_store);
if (rc == IB_ENOENT || ! f) {
rc = ib_var_source_initialize(
source,
&f,
tx->var_store,
IB_FTYPE_LIST
);
if (rc != IB_OK) {
return rc;
}
}
rc = ib_field_mutable_value(f, ib_ftype_list_mutable_out(&header_list));
if (rc != IB_OK) {
return rc;
}
/* Loop through the list & alias everything */
for(nvpair = header->head; nvpair != NULL; nvpair = nvpair->next) {
assert(nvpair);
assert(nvpair->value);
ib_bytestr_t *bs = NULL;
if (ib_bytestr_ptr(nvpair->value) != NULL) {
rc = ib_bytestr_alias_mem(
&bs,
tx->mp,
ib_bytestr_ptr(nvpair->value),
ib_bytestr_length(nvpair->value)
);
}
else {
rc = ib_bytestr_dup_mem(&bs, tx->mp, (const uint8_t *)"", 0);
}
if (rc != IB_OK) {
ib_log_error_tx(
tx,
"Error creating bytestring of '%.*s' for %s: %s",
(int)ib_bytestr_length(nvpair->name),
(const char *)ib_bytestr_ptr(nvpair->name),
name,
ib_status_to_string(rc)
);
return rc;
}
/* Create a byte string field */
rc = ib_field_create(
&f,
tx->mp,
(const char *)ib_bytestr_const_ptr(nvpair->name),
ib_bytestr_length(nvpair->name),
IB_FTYPE_BYTESTR,
ib_ftype_bytestr_in(bs)
);
if (rc != IB_OK) {
ib_log_error_tx(tx,
"Error creating field of '%.*s' for %s: %s",
(int)ib_bytestr_length(nvpair->name),
(const char *)ib_bytestr_ptr(nvpair->name),
name,
ib_status_to_string(rc));
return rc;
}
/* Add the field to the list */
rc = ib_list_push(header_list, f);
if (rc != IB_OK) {
ib_log_error_tx(tx, "Error adding alias of '%.*s' to %s list: %s",
(int)ib_bytestr_length(nvpair->name),
(const char *)ib_bytestr_ptr(nvpair->name),
name,
ib_status_to_string(rc));
return rc;
}
}
return IB_OK;
}
