4cea66ce887ca1be665c61eb7cf956244860b655
1 /**
2 * collectd - src/snort.c
3 * Copyright (C) 2013 Kris Nielander
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; only version 2 of the License is applicable.
8 *
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License along
15 * with this program; if not, write to the Free Software Foundation, Inc.,
16 * 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
17 *
18 * Authors:
19 * Kris Nielander <nielander@fox-it.com>
20 *
21 * This plugin is based on the snmp plugin by Florian octo Forster.
22 *
23 **/
#include "collectd.h"
#include "plugin.h" /* plugin_register_*, plugin_dispatch_values */
#include "common.h" /* auxiliary functions */
#include <sys/mman.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
/*
 * One configured `Metric' block. Definitions are chained into a singly
 * linked list whose head is `metric_head'.
 */
typedef struct metric_definition_s {
  char *name;           /* metric name, matched against `Collect' arguments */
  char *type_instance;  /* type instance used when the value is dispatched */
  int data_source_type; /* DS_TYPE_* value; -1 while unset during parsing */
  int index;            /* field number within the CSV line; field 0 is the timestamp */
  struct metric_definition_s *next; /* next definition, or NULL at the tail */
} metric_definition_t;
/*
 * One configured `Instance' block: a perfmon file to read plus the metrics to
 * extract from it.
 */
typedef struct instance_definition_s {
  char *name;                        /* dispatched as plugin_instance */
  char *path;                        /* file opened by the read callback */
  metric_definition_t **metric_list; /* array of pointers into the metric list;
                                      * the metrics themselves are not owned */
  int metric_list_len;               /* number of entries in metric_list */
  cdtime_t last;                     /* timestamp taken from the last line read */
  cdtime_t interval;                 /* read interval for this instance */
  struct instance_definition_s *next; /* not used by the code in this file */
} instance_definition_t;
/* Private: head of the list of metric definitions. Objects with static
 * storage duration start out as null pointers, so the list begins empty. */
static metric_definition_t *metric_head;
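/*
 * Parse one CSV field and dispatch it as a single-value "snort" value list.
 *
 * id  - instance the value belongs to (plugin_instance, time and interval)
 * md  - metric definition (type_instance and data source type)
 * buf - NUL-terminated text of the field; may be NULL
 *
 * Returns 0 once the value has been handed to plugin_dispatch_values(), and
 * -1 when buf is NULL or its text cannot be parsed.
 */
static int snort_read_submit(instance_definition_t *id, metric_definition_t *md,
    const char *buf){

  /* Registration variables */
  value_t value;
  value_list_t vl = VALUE_LIST_INIT;

  /* Check before logging: handing NULL to a `%s' conversion is undefined. */
  if (buf == NULL)
    return (-1);

  DEBUG("snort plugin: plugin_instance=%s type_instance=%s value=%s",
      id->name, md->type_instance, buf);

  /* The field text comes from a file written by another process. If it does
   * not parse, `value' may never have been written, so it must not be
   * dispatched. */
  if (parse_value(buf, &value, md->data_source_type) != 0){
    WARNING("snort plugin: Unable to parse value `%s' for `%s'.",
        buf, md->type_instance);
    return (-1);
  }

  /* Register */
  vl.values_len = 1;
  vl.values = &value;

  sstrncpy(vl.host, hostname_g, sizeof (vl.host));
  sstrncpy(vl.plugin, "snort", sizeof(vl.plugin));
  sstrncpy(vl.plugin_instance, id->name, sizeof(vl.plugin_instance));
  sstrncpy(vl.type, "snort", sizeof(vl.type));
  sstrncpy(vl.type_instance, md->type_instance, sizeof(vl.type_instance));

  vl.time = id->last;
  vl.interval = id->interval;

  DEBUG("snort plugin: -> plugin_dispatch_values (&vl);");
  plugin_dispatch_values(&vl);

  return (0);
}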
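/*
 * Read callback: take the last line of the instance's perfmon CSV file, split
 * it at commas and dispatch every metric configured for the instance.
 *
 * ud->data must point to the instance_definition_t registered for this
 * callback.
 *
 * Returns 0 when the line was processed, -1 when the file cannot be opened,
 * is not a regular file, is empty, ends in a comment line, or when memory
 * cannot be allocated.
 *
 * The file is written by another process, so its contents are treated as
 * untrusted: the line is copied with an explicit length (a mapping is not
 * NUL-terminated), every field slot is accounted for, and each configured
 * index is checked against the number of fields actually present.
 */
static int snort_read(user_data_t *ud){
  instance_definition_t *id;
  metric_definition_t *md;

  int fd;
  int i;
  long timestamp;

  char **metrics;
  char *map;
  char *line;
  char *cursor;
  char *field;

  struct stat sb;
  size_t map_len;
  size_t line_start;
  size_t line_end;
  size_t line_len;
  size_t field_max;
  size_t field_num;

  id = ud->data;
  DEBUG("snort plugin: snort_read (instance = %s)", id->name);

  fd = open(id->path, O_RDONLY);
  if (fd == -1){
    ERROR("snort plugin: Unable to open `%s'.", id->path);
    return (-1);
  }

  if ((fstat(fd, &sb) != 0) || (!S_ISREG(sb.st_mode))){
    ERROR("snort plugin: \"%s\" is not a file.", id->path);
    close(fd);
    return (-1);
  }

  /* A zero-length mapping is an error anyway; report it clearly. */
  if (sb.st_size <= 0){
    ERROR("snort plugin: `%s' is empty.", id->path);
    close(fd);
    return (-1);
  }

  /* Refuse files whose size does not survive the conversion to size_t. */
  map_len = (size_t)sb.st_size;
  if ((off_t)map_len != sb.st_size){
    ERROR("snort plugin: `%s' is too large to map.", id->path);
    close(fd);
    return (-1);
  }

  map = mmap(/* addr = */ NULL, map_len, PROT_READ, MAP_SHARED, fd,
      /* offset = */ 0);
  /* The mapping remains valid after the descriptor is closed, so close it
   * here and keep a single resource to release on the paths below. */
  close(fd);
  if (map == MAP_FAILED){
    ERROR("snort plugin: mmap error");
    return (-1);
  }

  /* NOTE(review): if the writer truncates the file between fstat() and the
   * reads below, touching the mapping can fault. Reading the tail with
   * read()/pread() would avoid that; confirm how the file is rotated. */

  /* Drop one line terminator ("\n" or "\r\n") at the end of the file. */
  line_end = map_len;
  if (map[line_end - 1] == '\n')
    --line_end;
  if ((line_end > 0) && (map[line_end - 1] == '\r'))
    --line_end;

  /* Walk back to the start of the last line. N commas separate N + 1
   * fields. Stopping at offset 0 covers a file that holds a single line. */
  field_max = 1;
  line_start = line_end;
  while ((line_start > 0) && (map[line_start - 1] != '\n')){
    if (map[line_start - 1] == ',')
      ++field_max;
    --line_start;
  }

  line_len = line_end - line_start;
  if (line_len == 0){
    ERROR("snort plugin: last line of perfmon file is empty.");
    munmap(map, map_len);
    return (-1);
  }

  if (map[line_start] == '#'){
    ERROR("snort plugin: last line of perfmon file is a comment.");
    munmap(map, map_len);
    return (-1);
  }

  /* Copy exactly line_len bytes and terminate the copy ourselves; a string
   * function would run past the end of the mapping looking for a NUL. */
  line = malloc(line_len + 1);
  if (line == NULL){
    ERROR("snort plugin: malloc failed.");
    munmap(map, map_len);
    return (-1);
  }
  memcpy(line, map + line_start, line_len);
  line[line_len] = '\0';

  /* Done with the mapping */
  munmap(map, map_len);

  /* Create a list of all values */
  metrics = calloc(field_max, sizeof(*metrics));
  if (metrics == NULL){
    ERROR("snort plugin: calloc failed.");
    free(line);
    return (-1);
  }

  /* An embedded NUL byte ends the string early, so count the fields that
   * strsep() really produced instead of trusting the comma count. The first
   * call always returns `line', hence field_num is at least 1. */
  cursor = line;
  field_num = 0;
  while ((field_num < field_max) && ((field = strsep(&cursor, ",")) != NULL))
    metrics[field_num++] = field;

  /* Set last time */
  timestamp = strtol(metrics[0], NULL, 0);
  id->last = TIME_T_TO_CDTIME_T(timestamp);

  /* Register values */
  for (i = 0; i < id->metric_list_len; ++i){
    md = id->metric_list[i];

    /* `Index' comes from the configuration, the number of fields from the
     * file; reading metrics[] outside its bounds must not be possible. */
    if ((md->index < 0) || ((size_t)md->index >= field_num)){
      WARNING("snort plugin: Metric `%s' uses index %d, but the last line "
          "only has %lu fields.", md->name, md->index,
          (unsigned long)field_num);
      continue;
    }

    snort_read_submit(id, md, metrics[md->index]);
  }

  /* Free up resources */
  free(metrics);
  free(line);
  return (0);
}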
/*
 * Release a metric definition together with the strings it owns.
 * `arg' is a metric_definition_t pointer; NULL is accepted and ignored.
 */
static void snort_metric_definition_destroy(void *arg){
  metric_definition_t *metric = arg;

  if (metric == NULL)
    return;

  if (metric->name != NULL)
    DEBUG("snort plugin: Destroying metric definition `%s'.", metric->name);

  sfree(metric->name);
  sfree(metric->type_instance);
  sfree(metric);
}
/*
 * Handle the `DataSourceType' option of a `Metric' block.
 *
 * Accepts exactly one string argument, compared case-insensitively against
 * GAUGE, COUNTER, DERIVE and ABSOLUTE, and stores the matching DS_TYPE_*
 * value in md->data_source_type.
 *
 * Returns 0 on success and -1 (after a warning) for a malformed or unknown
 * argument; md is left untouched in that case.
 */
static int snort_config_add_metric_data_source_type(metric_definition_t *md, oconfig_item_t *ci){
  static const struct {
    const char *label;
    int ds_type;
  } known_types[] = {
    { "GAUGE",    DS_TYPE_GAUGE },
    { "COUNTER",  DS_TYPE_COUNTER },
    { "DERIVE",   DS_TYPE_DERIVE },
    { "ABSOLUTE", DS_TYPE_ABSOLUTE }
  };
  const char *wanted;
  size_t k;

  if ((ci->values_num != 1) || (ci->values[0].type != OCONFIG_TYPE_STRING)){
    WARNING("snort plugin: `DataSourceType' needs exactly one string argument.");
    return (-1);
  }

  wanted = ci->values[0].value.string;
  for (k = 0; k < sizeof(known_types) / sizeof(known_types[0]); ++k){
    if (strcasecmp(wanted, known_types[k].label) == 0){
      md->data_source_type = known_types[k].ds_type;
      return (0);
    }
  }

  WARNING("snort plugin: Unrecognized value for `DataSourceType' `%s'.", ci->values[0].value.string);
  return (-1);
}
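/*
 * Handle the `Index' option of a `Metric' block.
 *
 * Accepts exactly one numeric argument and stores it, truncated to an int,
 * in md->index. The value selects a field of the CSV line; it must be at
 * least 1 because field 0 is read as the timestamp.
 *
 * Returns 0 on success and -1 (after a warning) otherwise; md->index is only
 * written on success.
 */
static int snort_config_add_metric_index(metric_definition_t *md, oconfig_item_t *ci){
  double number;

  if ((ci->values_num != 1) || (ci->values[0].type != OCONFIG_TYPE_NUMBER)){
    WARNING("snort plugin: `Index' needs exactly one integer argument.");
    return (-1);
  }

  number = ci->values[0].value.number;

  /* Validate before converting: casting a double that does not fit into an
   * int is undefined behavior. The negated comparison also rejects NaN. */
  if (!(number >= 1.0)){
    WARNING("snort plugin: `Index' must be higher than 0.");
    return (-1);
  }
  if (number > (double)INT_MAX){
    WARNING("snort plugin: `Index' is too large.");
    return (-1);
  }

  md->index = (int)number;
  return (0);
}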
/*
 * Parse one `Metric' block and append the resulting definition to the list
 * headed by `metric_head'.
 *
 * The block needs exactly one string argument (the metric name) and the
 * options `TypeInstance', `DataSourceType' and `Index'. Any other option, a
 * failing option handler or a missing option discards the definition.
 *
 * Returns 0 on success, -1 on a configuration or allocation error.
 */
static int snort_config_add_metric(oconfig_item_t *ci){
  metric_definition_t *md;
  metric_definition_t **tail;
  int rc;
  int n;

  if ((ci->values_num != 1) || (ci->values[0].type != OCONFIG_TYPE_STRING)){
    WARNING("snort plugin: The `Metric' config option needs exactly one string argument.");
    return (-1);
  }

  /* calloc() hands back zeroed memory: all pointers NULL, index 0. */
  md = calloc(1, sizeof(*md));
  if (md == NULL)
    return (-1);

  md->name = strdup(ci->values[0].value.string);
  if (md->name == NULL){
    free(md);
    return (-1);
  }

  /* Reset the data source type to `-1', `0' is a gauge. */
  md->data_source_type = -1;

  n = 0;
  while (n < ci->children_num){
    oconfig_item_t *option = &ci->children[n];

    if (strcasecmp("TypeInstance", option->key) == 0){
      rc = cf_util_get_string(option, &md->type_instance);
    } else if (strcasecmp("DataSourceType", option->key) == 0){
      rc = snort_config_add_metric_data_source_type(md, option);
    } else if (strcasecmp("Index", option->key) == 0){
      rc = snort_config_add_metric_index(md, option);
    } else {
      WARNING("snort plugin: Option `%s' not allowed here.", option->key);
      rc = -1;
    }

    /* The first failing option ends parsing of this block. */
    if (rc != 0){
      snort_metric_definition_destroy(md);
      return (-1);
    }

    ++n;
  }

  /* Verify all necessary options have been set; only the first missing one
   * is reported. */
  rc = 0;
  if (md->type_instance == NULL){
    WARNING("snort plugin: Option `TypeInstance' must be set.");
    rc = -1;
  } else if (md->data_source_type == -1){
    WARNING("snort plugin: Option `DataSourceType' must be set.");
    rc = -1;
  } else if (md->index == 0){
    WARNING("snort plugin: Option `Index' must be set.");
    rc = -1;
  }

  if (rc != 0){
    snort_metric_definition_destroy(md);
    return (-1);
  }

  DEBUG("snort plugin: md = { name = %s, type_instance = %s, data_source_type = %d, index = %d }",
      md->name, md->type_instance, md->data_source_type, md->index);

  /* Append at the tail: walk the link fields until the NULL one is found. */
  tail = &metric_head;
  while (*tail != NULL)
    tail = &(*tail)->next;
  *tail = md;

  return (0);
}
/*
 * Release an instance definition. `arg' is an instance_definition_t pointer;
 * NULL is accepted and ignored.
 *
 * Only the metric_list array is freed. Its entries point into the list headed
 * by `metric_head' and are released by snort_shutdown().
 */
static void snort_instance_definition_destroy(void *arg){
  instance_definition_t *instance = arg;

  if (instance == NULL)
    return;

  if (instance->name != NULL)
    DEBUG("snort plugin: Destroying instance definition `%s'.", instance->name);

  sfree(instance->name);
  sfree(instance->path);
  sfree(instance->metric_list);
  sfree(instance);
}
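/*
 * Handle the `Collect' option of an `Instance' block.
 *
 * Every argument must be a string naming a previously defined metric (names
 * are compared case-insensitively). On success id->metric_list holds one
 * pointer per argument and id->metric_list_len the number of arguments.
 *
 * The list is built in a local array and installed only when every name has
 * been resolved, so metric_list_len can never exceed the size of the array
 * it describes. That also holds when `Collect' is given more than once:
 * the later option replaces the earlier list instead of growing the counter
 * of a freshly allocated, smaller array.
 *
 * Returns 0 on success, -1 (leaving id unchanged) on error.
 */
static int snort_config_add_instance_collect(instance_definition_t *id, oconfig_item_t *ci){
  metric_definition_t *metric;
  metric_definition_t **list;
  int i;

  if (ci->values_num < 1){
    WARNING("snort plugin: The `Collect' config option needs at least one argument.");
    return (-1);
  }

  /* Verify string arguments */
  for (i = 0; i < ci->values_num; ++i)
    if (ci->values[i].type != OCONFIG_TYPE_STRING){
      WARNING("snort plugin: All arguments to `Collect' must be strings.");
      return (-1);
    }

  list = calloc((size_t)ci->values_num, sizeof(*list));
  if (list == NULL)
    return (-1);

  for (i = 0; i < ci->values_num; ++i){
    for (metric = metric_head; metric != NULL; metric = metric->next)
      if (strcasecmp(ci->values[i].value.string, metric->name) == 0)
        break;

    if (metric == NULL){
      WARNING("snort plugin: `Collect' argument not found `%s'.", ci->values[i].value.string);
      free(list);
      return (-1);
    }

    DEBUG("snort plugin: id { name=%s md->name=%s }", id->name, metric->name);

    list[i] = metric;
  }

  if (id->metric_list != NULL)
    WARNING("snort plugin: `Collect' given more than once; using the last one.");

  /* Replace any earlier list and keep length and array in step. */
  sfree(id->metric_list);
  id->metric_list = list;
  id->metric_list_len = ci->values_num;

  return (0);
}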
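/*
 * Parse one `Instance' block and register a read callback for it.
 *
 * The block needs exactly one string argument (the instance name) and the
 * options `Path' and `Collect'; `Interval' is optional and defaults to the
 * plugin interval. Once registration succeeds the instance is owned by the
 * read callback's user data and released through
 * snort_instance_definition_destroy().
 *
 * Returns 0 on success, -1 on a configuration, allocation or registration
 * error.
 */
static int snort_config_add_instance(oconfig_item_t *ci){

  instance_definition_t *id;
  int status = 0;
  int i;

  /* Registration variables */
  char cb_name[DATA_MAX_NAME_LEN];
  user_data_t cb_data;
  struct timespec cb_interval;

  if ((ci->values_num != 1) || (ci->values[0].type != OCONFIG_TYPE_STRING)){
    WARNING("snort plugin: The `Instance' config option needs exactly one string argument.");
    return (-1);
  }

  /* Zeroed allocation: path and metric_list start out NULL, which is what
   * the "must be set" checks below rely on. */
  id = calloc(1, sizeof(*id));
  if (id == NULL)
    return (-1);

  id->name = strdup(ci->values[0].value.string);
  if (id->name == NULL){
    free(id);
    return (-1);
  }

  /* Use default interval. */
  id->interval = plugin_get_interval();

  for (i = 0; i < ci->children_num; ++i){
    oconfig_item_t *option = ci->children + i;
    status = 0;

    if (strcasecmp("Path", option->key) == 0)
      status = cf_util_get_string(option, &id->path);
    else if (strcasecmp("Collect", option->key) == 0)
      status = snort_config_add_instance_collect(id, option);
    else if (strcasecmp("Interval", option->key) == 0)
      /* Keep the result so that an invalid `Interval' rejects the block
       * instead of being silently ignored. */
      status = cf_util_get_cdtime(option, &id->interval);
    else {
      WARNING("snort plugin: Option `%s' not allowed here.", option->key);
      status = -1;
    }

    if (status != 0)
      break;
  }

  if (status != 0){
    snort_instance_definition_destroy(id);
    return (-1);
  }

  /* Verify all necessary options have been set. */
  if (id->path == NULL){
    WARNING("snort plugin: Option `Path' must be set.");
    status = -1;
  } else if (id->metric_list == NULL){
    WARNING("snort plugin: Option `Collect' must be set.");
    status = -1;
  }

  if (status != 0){
    snort_instance_definition_destroy(id);
    return (-1);
  }

  DEBUG("snort plugin: id = { name = %s, path = %s }", id->name, id->path);

  ssnprintf (cb_name, sizeof (cb_name), "snort-%s", id->name);
  memset(&cb_data, 0, sizeof(cb_data));
  cb_data.data = id;
  cb_data.free_func = snort_instance_definition_destroy;
  CDTIME_T_TO_TIMESPEC(id->interval, &cb_interval);
  status = plugin_register_complex_read(NULL, cb_name, snort_read, &cb_interval, &cb_data);

  if (status != 0){
    ERROR("snort plugin: Registering complex read function failed.");
    /* NOTE(review): confirm that plugin_register_complex_read() does not
     * already call cb_data.free_func on failure; if it does, this second
     * destroy is a double free. */
    snort_instance_definition_destroy(id);
    return (-1);
  }

  return (0);
}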
/*
 * Top-level configuration callback: dispatch each child block to the
 * `Metric' or `Instance' parser and warn about anything else.
 *
 * The parsers' return values are not inspected, and this function always
 * returns 0.
 */
static int snort_config(oconfig_item_t *ci){
  int n = 0;

  while (n < ci->children_num){
    oconfig_item_t *block = &ci->children[n];

    if (strcasecmp("Metric", block->key) == 0){
      snort_config_add_metric(block);
    } else if (strcasecmp("Instance", block->key) == 0){
      snort_config_add_instance(block);
    } else {
      WARNING("snort plugin: Ignore unknown config option `%s'.", block->key);
    }

    ++n;
  }

  return (0);
} /* int snort_config */
/*
 * Shutdown callback: free every metric definition and leave the list empty.
 * Always returns 0.
 *
 * NOTE(review): instances keep pointers to these definitions in metric_list.
 * This is only safe if no read callback can run once shutdown has started;
 * confirm the daemon's ordering.
 */
static int snort_shutdown(void){
  metric_definition_t *current;
  metric_definition_t *following;

  /* Detach the list first so the head never points at freed memory. */
  current = metric_head;
  metric_head = NULL;

  for (; current != NULL; current = following){
    /* Fetch the link before the node that holds it is destroyed. */
    following = current->next;
    snort_metric_definition_destroy(current);
  }

  return (0);
}
/*
 * Plugin entry point: register the configuration and shutdown callbacks
 * under the name "snort". Read callbacks are registered per instance while
 * the configuration is parsed.
 */
void module_register(void)
{
  plugin_register_complex_config("snort", snort_config);
  plugin_register_shutdown("snort", snort_shutdown);
}