/* NOTE(review): this page is an excerpt of the source file; the leading
 * numbers are the original file's line numbers and many lines in between
 * are not shown. */
/* Log file name constant; presumably the fallback when the configuration
 * names no file (the lookup is not shown in this listing). */
54 #define DEFAULT_LOG_FILENAME "http.log"
56 #define MODULE_NAME "LogHttpLog"
/* Size constant for the output buffer, in bytes; the allocation that uses
 * it is not shown in this listing. */
58 #define OUTPUT_BUFFER_SIZE 65535
/* Forward declaration: the function is installed as output_ctx->DeInit
 * (listing line 609) before its definition (listing line 630). */
62 static void LogHttpLogDeInitCtx(
OutputCtx *);
/* Conversion characters of the custom log format. Presumably each one is
 * matched against node->type in LogHttpLogCustom; the debug message there
 * prints an unmatched character as "%<char>".
 *
 * 'i', 'C' and 'o' copy a request header, a single cookie value and a
 * response header into the log. Those values can hold session tokens or
 * other credentials, so a log written with them needs the same access
 * restrictions as the traffic itself. */
73 #define LOG_HTTP_CF_REQUEST_HOST 'h'
74 #define LOG_HTTP_CF_REQUEST_PROTOCOL 'H'
75 #define LOG_HTTP_CF_REQUEST_METHOD 'm'
76 #define LOG_HTTP_CF_REQUEST_URI 'u'
77 #define LOG_HTTP_CF_REQUEST_TIME 't'
78 #define LOG_HTTP_CF_REQUEST_HEADER 'i'
79 #define LOG_HTTP_CF_REQUEST_COOKIE 'C'
80 #define LOG_HTTP_CF_REQUEST_LEN 'b'
81 #define LOG_HTTP_CF_RESPONSE_STATUS 's'
82 #define LOG_HTTP_CF_RESPONSE_HEADER 'o'
83 #define LOG_HTTP_CF_RESPONSE_LEN 'B'
/* Log mode selectors (default, extended, custom); presumably stored in the
 * logger context - the field that holds them is not shown. */
92 #define LOG_HTTP_DEFAULT 0
93 #define LOG_HTTP_EXTENDED 1
94 #define LOG_HTTP_CUSTOM 2
/**
 * \brief Scan a raw Cookie header value for the cookie called cookiename.
 *
 * NOTE(review): the listing omits several lines of this function (the
 * declarations of cn and cv, their updates inside the loop, and the
 * not-found return), so the comments cover only the statements shown.
 *
 * \param rawcookies     start of the header bytes; the caller passes the
 *                       value of the request's "Cookie" header, so the
 *                       content is controlled by the remote peer
 * \param rawcookies_len number of bytes at rawcookies
 * \param cookiename     NUL-terminated name to search for (strlen() and
 *                       strncmp() are applied to it)
 * \param cookievalue    output pointer; presumably set to the start of the
 *                       value inside rawcookies - the assignment is not
 *                       shown, confirm before relying on it
 *
 * \retval length in bytes of the matching value, computed as p - cv
 */
105 static uint32_t GetCookieValue(uint8_t *rawcookies, uint32_t rawcookies_len,
char *cookiename,
106 uint8_t **cookievalue)
108 uint8_t *p = rawcookies;
/* The scan is bounded by the explicit length, not by a NUL terminator: the
 * dereferences of p shown below sit behind this condition. */
111 while (p < rawcookies + rawcookies_len) {
/* With no value start recorded yet, '=' ends the cookie name. */
112 if (cv == NULL && *p ==
'=') {
114 }
/* Inside a value: it ends at ';' or at the last byte of the buffer. */
else if (cv != NULL && (*p ==
';' || p == rawcookies + rawcookies_len - 1) ) {
/* The length comparison comes first so that only an exact name matches;
 * strncmp() alone over cv-cn-1 bytes would also accept a longer
 * cookiename that merely starts with the same bytes. */
117 if (strlen(cookiename) == (
unsigned int) (cv-cn-1) &&
118 strncmp(cookiename, (
char *) cn, cv-cn-1) == 0) {
/* Value length is the distance from the value start to p. */
120 return (uint32_t) (p-cv);
/**
 * \brief Write one log record for an HTTP transaction using the configured
 *        custom format.
 *
 * NOTE(review): the listing omits many lines of this function, including
 * the dispatch on the format node and the name of the buffer-write call;
 * for most fields only the trailing arguments of that call are visible.
 *
 * Every transaction field logged here (method, URI, hostname, protocol,
 * header and cookie values, status) comes from parsed network traffic.
 * NOTE(review): confirm that the write call escapes control characters
 * such as CR and LF, so that traffic content cannot forge extra log lines.
 *
 * \param aft   per-thread logger state; aft->buffer is the output buffer
 * \param tx    transaction whose request and response fields are logged
 * \param ts    timestamp; tv_usec is printed as six digits
 * \param srcip source address as a NUL-terminated string (strlen() is used)
 * \param sp    source port (not used in the lines shown)
 * \param dstip destination address as a NUL-terminated string
 * \param dp    destination port (not used in the lines shown)
 */
131 static void LogHttpLogCustom(
LogHttpLogThread *aft, htp_tx_t *tx,
const struct timeval *
ts,
132 char *srcip,
Port sp,
char *dstip,
Port dp)
139 uint8_t *cvalue = NULL;
140 uint32_t cvalue_len = 0;
142 htp_header_t *h_request_hdr;
143 htp_header_t *h_response_hdr;
/* One pass per node of the parsed custom format (cf_n nodes). */
145 for (i = 0; i < httplog_ctx->
cf->
cf_n; i++) {
/* Reset the lookups so a header found for an earlier node is not reused. */
146 h_request_hdr = NULL;
147 h_response_hdr = NULL;
/* Microseconds, zero-padded to six digits; snprintf is bounded by
 * sizeof(buf). */
164 snprintf(buf,
sizeof(buf),
"%06u", (
unsigned int)
ts->tv_usec);
/* Source and destination address strings, written with their strlen(). */
171 aft->
buffer->
size, (uint8_t *)srcip,strlen(srcip));
176 aft->
buffer->
size, (uint8_t *)dstip,strlen(dstip));
/* Each transaction field is written only when it is non-NULL. */
188 if (tx->request_method != NULL) {
190 aft->
buffer->
size, (uint8_t *)bstr_ptr(tx->request_method),
191 bstr_len(tx->request_method));
198 if (tx->request_uri != NULL) {
/* datalen is clamped to the real length of the field, so the write never
 * reads past the end of the bstr; 0 selects the full length. Presumably
 * datalen starts as a per-node maximum width - its assignment is not
 * shown. The same clamp is repeated for the fields below. */
200 if (datalen == 0 || datalen > bstr_len(tx->request_uri)) {
201 datalen = bstr_len(tx->request_uri);
204 aft->
buffer->
size, (uint8_t *)bstr_ptr(tx->request_uri),
212 if (tx->request_hostname != NULL)
215 if (datalen == 0 || datalen > bstr_len(tx->request_hostname)) {
216 datalen = bstr_len(tx->request_hostname);
219 aft->
buffer->
size, (uint8_t *)bstr_ptr(tx->request_hostname),
227 if (tx->request_protocol != NULL) {
229 aft->
buffer->
size, (uint8_t *)bstr_ptr(tx->request_protocol),
230 bstr_len(tx->request_protocol));
/* Request header selected by the name stored in node->data. */
237 if (tx->request_headers != NULL) {
238 h_request_hdr = htp_table_get_c(tx->request_headers, node->
data);
240 if (h_request_hdr != NULL) {
242 if (datalen == 0 || datalen > bstr_len(h_request_hdr->value)) {
243 datalen = bstr_len(h_request_hdr->value);
246 aft->
buffer->
size, (uint8_t *)bstr_ptr(h_request_hdr->value),
/* Single cookie: fetch the "Cookie" header and let GetCookieValue find the
 * cookie whose name is stored in node->data. */
254 if (tx->request_headers != NULL) {
255 h_request_hdr = htp_table_get_c(tx->request_headers,
"Cookie");
256 if (h_request_hdr != NULL) {
257 cvalue_len = GetCookieValue((uint8_t *) bstr_ptr(h_request_hdr->value),
258 bstr_len(h_request_hdr->value), (
char *) node->
data,
/* Nothing is taken from cvalue unless a value was found and it is
 * non-empty. */
262 if (cvalue_len > 0 && cvalue != NULL) {
264 if (datalen == 0 || datalen > cvalue_len) {
265 datalen = cvalue_len;
279 if (tx->response_status != NULL) {
281 aft->
buffer->
size, (uint8_t *)bstr_ptr(tx->response_status),
282 bstr_len(tx->response_status));
/* Response header lookup; the key argument is on a line not shown. */
289 if (tx->response_headers != NULL) {
290 h_response_hdr = htp_table_get_c(tx->response_headers,
293 if (h_response_hdr != NULL) {
295 if (datalen == 0 || datalen > bstr_len(h_response_hdr->value)) {
296 datalen = bstr_len(h_response_hdr->value);
299 aft->
buffer->
size, (uint8_t *)bstr_ptr(h_response_hdr->value),
/* A format character that matched none of the cases is only reported at
 * debug level. */
312 SCLogDebug(
"No matching parameter %%%c for custom http log.", node->
type);
/* Fragment whose function signature is not in this listing; presumably the
 * body of LogHttpLogExtended, which is called at listing line 468. The
 * write calls are not shown, only their data and length arguments.
 * The lines shown handle the Referer header, method, protocol, status and,
 * for some redirects, the Location header - all taken from traffic. */
324 htp_header_t *h_referer = NULL;
/* The header table is checked for NULL before the lookup. */
325 if (tx->request_headers != NULL) {
326 h_referer = htp_table_get_c(tx->request_headers,
"referer");
328 if (h_referer != NULL) {
330 (uint8_t *)bstr_ptr(h_referer->value),
331 bstr_len(h_referer->value));
339 if (tx->request_method != NULL) {
341 (uint8_t *)bstr_ptr(tx->request_method),
342 bstr_len(tx->request_method));
347 if (tx->request_protocol != NULL) {
349 (uint8_t *)bstr_ptr(tx->request_protocol),
350 bstr_len(tx->request_protocol));
357 if (tx->response_status != NULL) {
359 (uint8_t *)bstr_ptr(tx->response_status),
360 bstr_len(tx->response_status));
/* Only status numbers 301 and 302 pass this range test. */
362 if ((tx->response_status_number > 300) && ((tx->response_status_number) < 303)) {
/* NOTE(review): listing lines 362 and 363 are consecutive and show no NULL
 * check on tx->response_headers, unlike the request_headers lookups in
 * this file. Confirm that htp_table_get_c accepts a NULL table, or add
 * the same guard here. */
363 htp_header_t *h_location = htp_table_get_c(tx->response_headers,
"location");
364 if (h_location != NULL) {
368 (uint8_t *)bstr_ptr(h_location->value),
369 bstr_len(h_location->value));
/* Fragment whose function signature is not in this listing; presumably the
 * body of LogHttpLogIPWrapper, which the caller invokes with AF_INET and
 * AF_INET6. */
/* Text buffers for the two addresses. NOTE(review): 46 presumably equals
 * INET6_ADDRSTRLEN, so the buffers fit either address family - confirm;
 * the conversion that fills them is not shown. */
392 char srcip[46], dstip[46];
426 SCLogDebug(
"got a HTTP request and now logging !!");
/* Custom format: the whole record is produced by LogHttpLogCustom. */
432 LogHttpLogCustom(aft, tx, &p->
ts, srcip, sp, dstip, dp);
/* Otherwise hostname, URI and User-Agent are written, each only when
 * present; the write calls are not shown, only their data and length
 * arguments. */
438 if (tx->request_hostname != NULL) {
440 (uint8_t *)bstr_ptr(tx->request_hostname),
441 bstr_len(tx->request_hostname));
448 if (tx->request_uri != NULL) {
450 (uint8_t *)bstr_ptr(tx->request_uri),
451 bstr_len(tx->request_uri));
456 htp_header_t *h_user_agent = NULL;
457 if (tx->request_headers != NULL) {
458 h_user_agent = htp_table_get_c(tx->request_headers,
"user-agent");
460 if (h_user_agent != NULL) {
462 (uint8_t *)bstr_ptr(h_user_agent->value),
463 bstr_len(h_user_agent->value));
/* Extended fields; the condition that selects this call is not shown. */
468 LogHttpLogExtended(aft, tx);
/* Record trailer "src:port -> dst:port" ending in a newline; the string
 * arguments go through %s in a constant format. */
474 "%s:%" PRIu16
" -> %s:%" PRIu16
"\n",
475 srcip, sp, dstip, dp);
/* The two calls differ only in the last argument, the address family; the
 * condition that chooses between them is not shown. state and tx are cast
 * from the types the caller receives them as. */
498 r = LogHttpLogIPWrapper(
tv, thread_data, p, f, (
HtpState *)state, (htp_tx_t *)tx, tx_id, AF_INET);
500 r = LogHttpLogIPWrapper(
tv, thread_data, p, f, (
HtpState *)state, (htp_tx_t *)tx, tx_id, AF_INET6);
/* Fragments of the set-up code; function signatures are not in this
 * listing and the lines likely span more than one function. What each
 * failed check does next is not shown. */
/* Reported at debug level when the "initdata" argument is NULL. */
515 SCLogDebug(
"Error getting context for LogHTTPLog. \"initdata\" argument NULL");
/* The per-thread output buffer is checked before use. */
521 if (aft->
buffer == NULL) {
556 if(file_ctx == NULL) {
567 if (
unlikely(httplog_ctx == NULL)) {
/* The custom branch requires both settings to be present and "custom" to
 * evaluate true. */
580 if (custom != NULL && customformat != NULL &&
ConfValIsTrue(custom)) {
/* cf is the custom format state that LogHttpLogCustom iterates over; a
 * NULL value is checked here. */
583 if (!httplog_ctx->
cf) {
594 if (extended == NULL) {
/* Attach the logger context and its teardown callback to the output
 * context that is handed back through result.ctx. */
608 output_ctx->
data = httplog_ctx;
609 output_ctx->
DeInit = LogHttpLogDeInitCtx;
616 result.
ctx = output_ctx;
630 static void LogHttpLogDeInitCtx(
OutputCtx *output_ctx)