1 /**
2 * collectd - src/snort.c
3 * Copyright (C) 2013 Kris Nielander
4 * Copyright (C) 2013 Florian Forster
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; only version 2 of the License is applicable.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 * General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License along
16 * with this program; if not, write to the Free Software Foundation, Inc.,
17 * 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
18 *
19 * Authors:
20 * Kris Nielander <nielander at fox-it.com>
21 * Florian Forster <octo at collectd.org>
22 **/
24 #include "collectd.h"
25 #include "plugin.h" /* plugin_register_*, plugin_dispatch_values */
26 #include "common.h" /* auxiliary functions */
27 #include "utils_tail.h"
29 #include <sys/mman.h>
30 #include <sys/stat.h>
31 #include <fcntl.h>
32 #include <stdlib.h>
33 #include <string.h>
/*
 * One <Metric> block from the configuration. All definitions are chained
 * into a singly linked list that starts at `metric_head'.
 */
typedef struct metric_definition_s {
    char *name;                       /* block argument; matched by `Collect' */
    char *type;                       /* `Type' option, looked up via plugin_get_ds() */
    char *instance;                   /* optional `Instance' option, used as type instance */
    int data_source_type;             /* taken from the data set found for `type' */
    int index;                        /* `Index' option: field number in a line, > 0 */
    struct metric_definition_s *next; /* next definition in the list, or NULL */
} metric_definition_t;
/*
 * One <Instance> block from the configuration: a statistics file to follow
 * and the metrics to extract from each of its lines.
 */
typedef struct instance_definition_s {
    char *name;                         /* block argument; used as plugin instance */
    char *path;                         /* `Path' option, handed to cu_tail_create() */
    cu_tail_t *tail;                    /* created on the first read, NULL until then */
    metric_definition_t **metric_list;  /* metrics named by `Collect'; the entries
                                         * point into the global metric list and
                                         * are not freed with the instance */
    size_t metric_list_len;             /* number of entries in metric_list */
    cdtime_t interval;                  /* read interval, see the `Interval' option */
    struct instance_definition_s *next; /* not referenced by the code in this file */
} instance_definition_t;
/*
 * Head of the list of all configured metric definitions. Objects with static
 * storage duration start out as NULL, i.e. the list is empty until the first
 * <Metric> block has been parsed.
 */
static metric_definition_t *metric_head;
/*
 * Dispatch a single value to the daemon.
 *
 * id: instance the value belongs to; provides plugin instance and interval.
 * md: metric definition; provides type and (optional) type instance.
 * v:  the value to submit.
 * t:  timestamp stored with the value.
 *
 * Always returns 0; the result of plugin_dispatch_values() is not inspected.
 */
static int snort_submit (instance_definition_t *id,
        metric_definition_t *md,
        value_t v, cdtime_t t)
{
    value_list_t list = VALUE_LIST_INIT;

    /* Identifier of the value. Every copy is limited to the size of the
     * destination field, so over-long configured names cannot overflow it. */
    sstrncpy (list.host, hostname_g, sizeof (list.host));
    sstrncpy (list.plugin, "snort", sizeof (list.plugin));
    sstrncpy (list.plugin_instance, id->name, sizeof (list.plugin_instance));
    sstrncpy (list.type, md->type, sizeof (list.type));
    if (md->instance != NULL)
        sstrncpy (list.type_instance, md->instance, sizeof (list.type_instance));

    /* Payload: exactly one value, taken from the by-value parameter. */
    list.values = &v;
    list.values_len = 1;
    list.time = t;
    list.interval = id->interval;

    DEBUG("snort plugin: -> plugin_dispatch_values (&vl);");
    plugin_dispatch_values (&list);

    return (0);
}
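/*
 * Convert the timestamp field of a statistics line to a cdtime_t.
 *
 * tbuf: NUL-terminated text, expected to be a number in strtod() syntax.
 *
 * Returns the converted time. If the text is not usable as a timestamp the
 * current time from cdtime() is returned instead, so this never fails.
 */
static cdtime_t parse_time (char const *tbuf)
{
    double t;
    char *endptr = NULL;

    errno = 0;
    t = strtod (tbuf, &endptr);

    /* The text is read from a file that another process writes, so it is
     * validated before it becomes a timestamp. Rejected are: conversion
     * errors, an empty field (strtod() consumed nothing, endptr == tbuf, and
     * would otherwise yield time 0), trailing characters after the number,
     * and negative or NaN values ("!(t >= 0.0)" is true for both).
     * NOTE(review): "inf" is converted without setting errno and still
     * passes; isfinite() would close that if <math.h> may be used here. */
    if ((errno != 0) || (endptr == NULL) || (endptr == tbuf)
            || (endptr[0] != 0) || !(t >= 0.0))
        return (cdtime ());

    return (DOUBLE_TO_CDTIME_T (t));
}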
/*
 * Extract one metric from an already split line and submit it.
 *
 * id:         instance the line was read from.
 * md:         metric to extract; md->index selects the field.
 * fields:     the fields of the line; fields[0] holds the timestamp.
 * fields_num: number of entries in fields.
 *
 * Returns EINVAL if the line has no field at md->index, the status of
 * parse_value() if the field cannot be parsed, and otherwise the result of
 * snort_submit().
 */
static int snort_read_metric (instance_definition_t *id,
        metric_definition_t *md,
        char **fields, size_t fields_num)
{
    value_t value;
    cdtime_t when;
    int rc;

    /* Bounds check before fields[] is indexed with a configured number. */
    if (md->index >= fields_num)
        return (EINVAL);

    when = parse_time (fields[0]);

    rc = parse_value (fields[md->index], &value, md->data_source_type);
    if (rc == 0)
        rc = snort_submit (id, md, value, when);

    return (rc);
}
/*
 * Parse one line of the statistics file and submit every metric that is
 * configured for the instance.
 *
 * id:          instance the line belongs to.
 * buffer:      the line; it is modified in place (line end removed, commas
 *              replaced by NUL bytes).
 * buffer_size: length of the line. This must equal strlen (buffer): the
 *              fields are counted over buffer_size bytes but split up to the
 *              terminating NUL, and the array of field pointers is sized from
 *              the count. The assert() below is the only check of that.
 *
 * Returns 0 on success and for empty or comment lines, -1 if the line holds
 * no comma, ENOMEM if the field array cannot be allocated. Failures of
 * individual metrics are not reported to the caller.
 */
static int snort_read_buffer (instance_definition_t *id,
        char *buffer, size_t buffer_size)
{
    char **fields;
    size_t fields_num = 1;
    size_t pos;
    char *cursor;

    /* Cut off any run of CR / LF characters at the end of the line. */
    while ((buffer_size > 0)
            && ((buffer[buffer_size - 1] == '\n')
                || (buffer[buffer_size - 1] == '\r')))
        buffer[--buffer_size] = 0;

    /* Blank lines and lines starting with '#' carry no data. */
    if ((buffer_size == 0) || (buffer[0] == '#'))
        return (0);

    /* There is one field more than there are commas. */
    for (pos = 0; pos < buffer_size; pos++) {
        if (buffer[pos] == ',')
            fields_num++;
    }

    if (fields_num == 1) {
        ERROR("snort plugin: last line of `%s' does not contain "
                "enough values.", id->path);
        return (-1);
    }

    fields = calloc (fields_num, sizeof (*fields));
    if (fields == NULL) {
        ERROR ("snort plugin: calloc failed.");
        return (ENOMEM);
    }

    /* Split in place: every comma becomes a terminator and the character
     * after it starts the next field. */
    fields[0] = buffer;
    pos = 1;
    for (cursor = buffer; *cursor != 0; cursor++) {
        if (*cursor == ',') {
            *cursor = 0;
            fields[pos++] = cursor + 1;
        }
    }
    assert (pos == fields_num);

    /* Submit the configured metrics; an index beyond the end of this line is
     * logged and skipped rather than read. */
    for (pos = 0; pos < id->metric_list_len; ++pos) {
        metric_definition_t *md = id->metric_list[pos];

        if (((size_t) md->index) < fields_num) {
            snort_read_metric (id, md, fields, fields_num);
            continue;
        }

        ERROR ("snort plugin: Metric \"%s\": Request for index %i when "
                "only %zu fields are available.",
                md->name, md->index, fields_num);
    }

    sfree (fields);
    return (0);
}
/*
 * Read callback of one instance: consumes all lines that are currently
 * available in the statistics file and hands each one to snort_read_buffer().
 *
 * ud: user data of the callback; ud->data is the instance definition.
 *
 * Returns 0 once no further line is available, -1 if the file cannot be
 * opened for tailing or reading a line fails.
 */
static int snort_read (user_data_t *ud)
{
    instance_definition_t *id = ud->data;

    DEBUG("snort plugin: snort_read (instance = %s)", id->name);

    /* The tail object is created on first use and kept for later calls. */
    if (id->tail == NULL) {
        id->tail = cu_tail_create (id->path);
        if (id->tail == NULL) {
            ERROR ("snort plugin: cu_tail_create (\"%s\") failed.",
                    id->path);
            return (-1);
        }
    }

    for (;;) {
        /* NOTE(review): how cu_tail_readline() treats a line longer than
         * this buffer is not visible here. If the rest is returned by the
         * next call it would be parsed as a record of its own, with shifted
         * field positions - confirm. */
        char line[1024];
        size_t line_len;
        int rc;

        rc = cu_tail_readline (id->tail, line, (int) sizeof (line));
        if (rc != 0) {
            ERROR ("snort plugin: Instance \"%s\": cu_tail_readline failed "
                    "with status %i.", id->name, rc);
            return (-1);
        }

        /* An empty buffer ends the loop: nothing more to read for now. */
        line_len = strlen (line);
        if (line_len == 0)
            break;

        /* Errors of a single line are not propagated. */
        snort_read_buffer (id, line, line_len);
    }

    return (0);
}
/*
 * Free a metric definition together with the strings it owns.
 *
 * arg: the metric_definition_t to free; NULL is accepted and ignored.
 *
 * The `next' pointer is not followed and the definition is not unlinked from
 * any list; both are up to the caller.
 */
static void snort_metric_definition_destroy (void *arg)
{
    metric_definition_t *md = arg;

    if (md != NULL) {
        if (md->name != NULL)
            DEBUG("snort plugin: Destroying metric definition `%s'.", md->name);

        sfree (md->name);
        sfree (md->type);
        sfree (md->instance);
        sfree (md);
    }
}
/*
 * Handle the `Index' option of a <Metric> block.
 *
 * md: metric definition that receives the index.
 * ci: the option; it must carry exactly one numeric argument.
 *
 * Returns 0 on success, -1 if the argument is missing, not a number, or not
 * greater than zero after conversion to int. md->index has already been
 * written in the last case.
 */
static int snort_config_add_metric_index (metric_definition_t *md, oconfig_item_t *ci)
{
    /* values[0] is only looked at when there is exactly one value. */
    int is_single_number = (ci->values_num == 1)
        && (ci->values[0].type == OCONFIG_TYPE_NUMBER);

    if (!is_single_number) {
        WARNING("snort plugin: `Index' needs exactly one integer argument.");
        return (-1);
    }

    /* NOTE(review): the configured number is presumably a double; the cast
     * drops any fraction and nothing checks that the value fits an int -
     * confirm. */
    md->index = (int) ci->values[0].value.number;
    if (md->index < 1) {
        WARNING("snort plugin: `Index' must be higher than 0.");
        return (-1);
    }

    return (0);
}
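/*
 * Parse one <Metric> block and append the definition to the global list.
 *
 * ci: the block. Its argument is the metric name; the options `Type',
 *     `Instance' and `Index' are accepted, `Type' and `Index' are required.
 *
 * Returns 0 on success and -1 on any error. On error the partially built
 * definition is freed and the global list is left unchanged.
 */
static int snort_config_add_metric (oconfig_item_t *ci)
{
    metric_definition_t *md;
    const data_set_t *ds;
    int status = 0;
    int i;

    /* Zeroed allocation: all pointers start as NULL and index as 0, which
     * the checks for missing options below rely on. */
    md = calloc (1, sizeof (*md));
    if (md == NULL)
        return (-1);

    status = cf_util_get_string (ci, &md->name);
    if (status != 0) {
        sfree (md);
        return (-1);
    }

    for (i = 0; i < ci->children_num; ++i) {
        oconfig_item_t *option = ci->children + i;
        status = 0;

        if (strcasecmp("Type", option->key) == 0)
            status = cf_util_get_string(option, &md->type);
        else if (strcasecmp("Instance", option->key) == 0)
            status = cf_util_get_string(option, &md->instance);
        else if (strcasecmp("Index", option->key) == 0)
            status = snort_config_add_metric_index(md, option);
        else {
            WARNING("snort plugin: Option `%s' not allowed here.", option->key);
            status = -1;
        }

        if (status != 0)
            break;
    }

    if (status != 0) {
        snort_metric_definition_destroy(md);
        return (-1);
    }

    /* Verify all necessary options have been set. */
    if (md->type == NULL) {
        WARNING("snort plugin: Option `Type' must be set.");
        status = -1;
    } else if (md->index == 0) {
        WARNING("snort plugin: Option `Index' must be set.");
        status = -1;
    }

    if (status != 0) {
        snort_metric_definition_destroy(md);
        return (-1);
    }

    /* Retrieve the data source type from the types db. */
    ds = plugin_get_ds(md->type);
    if (ds == NULL) {
        ERROR ("snort plugin: Failed to look up type \"%s\". "
                "It may not be defined in the types.db file. "
                "Please read the types.db(5) manual page for more details.",
                md->type);
        snort_metric_definition_destroy(md);
        return (-1);
    }

    if (ds->ds_num != 1) {
        ERROR ("snort plugin: The type \"%s\" has %i data sources. "
                "Only types with a single data soure are supported.",
                ds->type, ds->ds_num);
        /* The definition is not linked into the list yet, so it has to be
         * freed here like on every other error path. */
        snort_metric_definition_destroy(md);
        return (-1);
    }

    md->data_source_type = ds->ds->type;

    DEBUG("snort plugin: md = { name = %s, type = %s, data_source_type = %d, index = %d }",
            md->name, md->type, md->data_source_type, md->index);

    /* Append at the tail so the list keeps the order of the configuration. */
    if (metric_head == NULL)
        metric_head = md;
    else {
        metric_definition_t *last;
        last = metric_head;
        while (last->next != NULL)
            last = last->next;
        last->next = md;
    }

    return (0);
}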
/*
 * Free an instance definition: the tail object, the strings and the array
 * of metric pointers. The metric definitions the array points to are left
 * alone.
 *
 * arg: the instance_definition_t to free; NULL is accepted and ignored.
 *
 * Also installed as the free function of the read callback's user data.
 */
static void snort_instance_definition_destroy (void *arg)
{
    instance_definition_t *id = arg;

    if (id != NULL) {
        if (id->name != NULL)
            DEBUG("snort plugin: Destroying instance definition `%s'.", id->name);

        /* Called even if no tail object was ever created. */
        cu_tail_destroy (id->tail);
        id->tail = NULL;

        sfree (id->name);
        sfree (id->path);
        sfree (id->metric_list);
        sfree (id);
    }
}
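/*
 * Handle the `Collect' option of an <Instance> block: resolve every metric
 * name against the global list and store the result in id->metric_list.
 *
 * id: instance that receives the list.
 * ci: the option; it needs one or more string arguments, each the name of a
 *     metric that has been defined before this option is parsed.
 *
 * Returns 0 on success, -1 on a malformed option, an unknown metric name or
 * an allocation failure. After a failure id->metric_list may hold a partly
 * filled array; id->metric_list_len counts only the valid entries.
 */
static int snort_config_add_instance_collect (instance_definition_t *id, oconfig_item_t *ci)
{
    metric_definition_t *metric;
    int i;

    if (ci->values_num < 1) {
        WARNING("snort plugin: The `Collect' config option needs at least one argument.");
        return (-1);
    }

    /* Verify string arguments */
    for (i = 0; i < ci->values_num; ++i) {
        if (ci->values[i].type != OCONFIG_TYPE_STRING) {
            WARNING("snort plugin: All arguments to `Collect' must be strings.");
            return (-1);
        }
    }

    /* A repeated `Collect' option replaces the earlier one. Without this
     * reset the old array would leak and metric_list_len would keep growing
     * past the size of the new array, so that the read callback would walk
     * beyond the end of the allocation. */
    sfree (id->metric_list);
    id->metric_list_len = 0;

    id->metric_list = calloc ((size_t) ci->values_num, sizeof (*id->metric_list));
    if (id->metric_list == NULL)
        return (-1);

    for (i = 0; i < ci->values_num; ++i) {
        for (metric = metric_head; metric != NULL; metric = metric->next)
            if (strcasecmp(ci->values[i].value.string, metric->name) == 0)
                break;

        if (metric == NULL) {
            WARNING("snort plugin: `Collect' argument not found `%s'.", ci->values[i].value.string);
            return (-1);
        }

        DEBUG("snort plugin: id { name=%s md->name=%s }", id->name, metric->name);

        /* The length is raised together with each stored entry, so it never
         * exceeds the number of initialized slots. */
        id->metric_list[i] = metric;
        id->metric_list_len++;
    }

    return (0);
}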
/*
 * Parse one <Instance> block and register a read callback for it.
 *
 * ci: the block. Its single string argument is the instance name; the
 *     options `Path', `Collect' and `Interval' are accepted, `Path' and
 *     `Collect' are required.
 *
 * Returns 0 if the callback has been registered, -1 otherwise. On success
 * the definition is owned by the callback's user data.
 */
static int snort_config_add_instance (oconfig_item_t *ci)
{
    instance_definition_t* id;
    int status = 0;
    int i;

    /* Arguments of the callback registration. */
    char cb_name[DATA_MAX_NAME_LEN];
    user_data_t cb_data;
    struct timespec cb_interval;

    if ((ci->values_num != 1) || (ci->values[0].type != OCONFIG_TYPE_STRING)) {
        WARNING("snort plugin: The `Instance' config option needs exactly one string argument.");
        return (-1);
    }

    id = malloc (sizeof (*id));
    if (id == NULL)
        return (-1);
    memset (id, 0, sizeof (*id));

    id->name = strdup (ci->values[0].value.string);
    if (id->name == NULL) {
        free (id);
        return (-1);
    }

    /* Start with the default interval; `Interval' may replace it. */
    id->interval = plugin_get_interval ();

    for (i = 0; (status == 0) && (i < ci->children_num); ++i) {
        oconfig_item_t *option = &ci->children[i];

        if (strcasecmp("Path", option->key) == 0)
            status = cf_util_get_string(option, &id->path);
        else if (strcasecmp("Collect", option->key) == 0)
            status = snort_config_add_instance_collect(id, option);
        else if (strcasecmp("Interval", option->key) == 0)
            /* The status of this call is not checked. */
            cf_util_get_cdtime(option, &id->interval);
        else {
            WARNING("snort plugin: Option `%s' not allowed here.", option->key);
            status = -1;
        }
    }

    /* The required options are only checked if parsing went through. */
    if (status == 0) {
        if (id->path == NULL) {
            WARNING("snort plugin: Option `Path' must be set.");
            status = -1;
        } else if (id->metric_list == NULL) {
            WARNING("snort plugin: Option `Collect' must be set.");
            status = -1;
        }
    }

    if (status != 0) {
        snort_instance_definition_destroy(id);
        return (-1);
    }

    DEBUG("snort plugin: id = { name = %s, path = %s }", id->name, id->path);

    /* One callback per instance, named after it. */
    ssnprintf (cb_name, sizeof (cb_name), "snort-%s", id->name);
    memset(&cb_data, 0, sizeof(cb_data));
    cb_data.data = id;
    cb_data.free_func = snort_instance_definition_destroy;
    CDTIME_T_TO_TIMESPEC(id->interval, &cb_interval);

    status = plugin_register_complex_read(NULL, cb_name, snort_read, &cb_interval, &cb_data);
    if (status != 0) {
        ERROR("snort plugin: Registering complex read function failed.");
        /* NOTE(review): whether plugin_register_complex_read() already calls
         * cb_data.free_func when it fails is not visible here; if it does,
         * this is a second free of the same object - confirm. */
        snort_instance_definition_destroy(id);
        return (-1);
    }

    return (0);
}
/*
 * Configuration callback of the plugin: walks the children of the plugin
 * block and dispatches <Metric> and <Instance> blocks to their parsers.
 *
 * A `Collect' option is resolved against the metrics known at the time it is
 * parsed, so a <Metric> block has to come before the <Instance> blocks that
 * use it.
 *
 * Always returns 0. The results of the two parsers are not inspected, so a
 * rejected block is dropped (with the message its parser logged) and the
 * remaining blocks are still processed.
 */
static int snort_config (oconfig_item_t *ci)
{
    int idx;

    for (idx = 0; idx < ci->children_num; ++idx) {
        oconfig_item_t *child = &ci->children[idx];

        if (strcasecmp("Metric", child->key) == 0) {
            snort_config_add_metric(child);
        } else if (strcasecmp("Instance", child->key) == 0) {
            snort_config_add_instance(child);
        } else {
            WARNING("snort plugin: Ignore unknown config option `%s'.", child->key);
        }
    }

    return (0);
} /* int snort_config */
/*
 * Shutdown callback: frees every metric definition of the global list.
 *
 * The list head is cleared before the first element is freed, so
 * metric_head never points at freed memory. Instance definitions are not
 * handled here; they are released through the free function of their read
 * callback. Always returns 0.
 */
static int snort_shutdown (void)
{
    metric_definition_t *current = metric_head;

    metric_head = NULL;

    while (current != NULL) {
        /* Fetch the successor first, destroying frees the element. */
        metric_definition_t *following = current->next;

        snort_metric_definition_destroy(current);
        current = following;
    }

    return (0);
}
/*
 * Entry point of the plugin: registers the configuration and the shutdown
 * callback under the name "snort". Read callbacks are registered later, one
 * for each <Instance> block that is accepted.
 */
void module_register (void)
{
    plugin_register_complex_config ("snort", snort_config);
    plugin_register_shutdown ("snort", snort_shutdown);
}
543 /* vim: set sw=4 sts=4 et : */