From 9094f3a5b4d800cba80d4c2a06355568c4eb903a Mon Sep 17 00:00:00 2001
From: Kevin Guillemot
Date: Tue, 28 May 2019 16:22:38 +0200
Subject: [PATCH 1/2] PARSER :: Improvement : Improve Checkpoint parser to accept quoted strings + Tests
---
 src/parser.c | 24 ++++++++++++++++++++----
 tests/field_checkpoint-lea-terminator.sh | 3 +++
 tests/field_checkpoint-lea_jsoncnf.sh | 3 +++
 tests/field_checkpoint-lea_v1.sh | 3 +++
 4 files changed, 29 insertions(+), 4 deletions(-)
diff --git a/src/parser.c b/src/parser.c
index 7343d844..fb3355e2 100644
--- a/src/parser.c
+++ b/src/parser.c
@@ -2936,20 +2936,36 @@ PARSER_Parse(CheckpointLEA)
 if(i+1 >= npb->strLen || npb->str[i] != ':') {
 FAIL(LN_WRONGPARSER);
 }
+ /* Sometimes there is multiple colons */
+ while( i < npb->strLen && npb->str[i+1] == ':' ) {
+ i++;
+ }
 lenName = i - iName;
 ++i; /* skip ':' */
 
 while(i < npb->strLen && npb->str[i] == ' ') /* skip leading SP */
 ++i;
- iValue = i;
- while(i < npb->strLen && npb->str[i] != ';') {
+ /* Improvement by KGuillemot & M4jr0 to support quoted values */
+ if( npb->str[i] == '"' ) {
+ iValue = i+1;
+ i++;
+ while( i < npb->strLen && ( npb->str[i] != '"' || npb->str[i-1] == '\\' ) ) {
+ ++i;
+ }
+ // Do not take the " in value
+ lenValue = i - iValue;
+ // Skip "
 ++i;
+ } else {
+ iValue = i;
+ while (i < npb->strLen && npb->str[i] != ';') {
+ ++i;
+ }
+ lenValue = i - iValue;
 }
 if(i+1 > npb->strLen || npb->str[i] != ';')
 FAIL(LN_WRONGPARSER);
- lenValue = i - iValue;
 ++i; /* skip ';' */
-
 if(value != NULL) {
 CHKN(name = malloc(sizeof(char) * (lenName + 1)));
 memcpy(name, npb->str+iName, lenName);
diff --git a/tests/field_checkpoint-lea-terminator.sh b/tests/field_checkpoint-lea-terminator.sh
index 0d7469bd..1daaba99 100755
--- a/tests/field_checkpoint-lea-terminator.sh
+++ b/tests/field_checkpoint-lea-terminator.sh
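Review bot: The added colon-skipping loop leaves `lenName = i - iName;` below it, so for an input like `key::value` the name runs up to the last colon and is stored as `key:`; `lenName = i - iName;` has to move above the new `while`. The same loop tests `npb->str[i+1]` while only guarding `i < npb->strLen`, and the new `if( npb->str[i] == '"' )` is reached with `i == npb->strLen` when nothing but spaces follows the colon (the old code only read `npb->str[i]` behind `i < npb->strLen` or `i+1 > npb->strLen`), so both can read one byte past the message; use `while( i+1 < npb->strLen && npb->str[i+1] == ':' )` and `if( i < npb->strLen && npb->str[i] == '"' )`. The backslash test keeps escape characters in the stored value and also treats a quote after an escaped backslash (`\\"`) as escaped, which deserves a comment such as `/* escapes are kept verbatim; a quoted value cannot end in a backslash */`. PARSER_Parse(CheckpointLEA) begins and ends outside this hunk.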
@@ -10,6 +10,9 @@ add_rule 'rule=:[ %{"name":"f", "type":"checkpoint-lea", "terminator": "]"}%]'
 execute '[ tcp_flags: RST-ACK; src: 192.168.0.1; ]'
 assert_output_json_eq '{ "f": { "tcp_flags": "RST-ACK", "src": "192.168.0.1" } }'
+# Newest Checkpoint format
+execute '[ tcp_flags:"RST-ACK"; src:"192.168.0.1"; ]'
+assert_output_json_eq '{ "f": { "tcp_flags": "RST-ACK", "src": "192.168.0.1" } }'
 
 cleanup_tmp_files
diff --git a/tests/field_checkpoint-lea_jsoncnf.sh b/tests/field_checkpoint-lea_jsoncnf.sh
index 2d1581ff..ecdaa269 100755
--- a/tests/field_checkpoint-lea_jsoncnf.sh
+++ b/tests/field_checkpoint-lea_jsoncnf.sh
@@ -10,6 +10,9 @@ add_rule 'rule=:%{"name":"f", "type":"checkpoint-lea"}%'
 execute 'tcp_flags: RST-ACK; src: 192.168.0.1;'
 assert_output_json_eq '{ "f": { "tcp_flags": "RST-ACK", "src": "192.168.0.1" } }'
+# Newest Checkpoint format
+execute 'tcp_flags:"RST-ACK"; src:"192.168.0.1";'
+assert_output_json_eq '{ "f": { "tcp_flags": "RST-ACK", "src": "192.168.0.1" } }'
 
 cleanup_tmp_files
diff --git a/tests/field_checkpoint-lea_v1.sh b/tests/field_checkpoint-lea_v1.sh
index 3d38ff05..95aa5ceb 100755
--- a/tests/field_checkpoint-lea_v1.sh
+++ b/tests/field_checkpoint-lea_v1.sh
@@ -9,6 +9,9 @@ add_rule 'rule=:%f:checkpoint-lea%'
 execute 'tcp_flags: RST-ACK; src: 192.168.0.1;'
 assert_output_json_eq '{ "f": { "tcp_flags": "RST-ACK", "src": "192.168.0.1" } }'
+# Newest Checkpoint format
+execute 'tcp_flags:"RST-ACK"; src:"192.168.0.1";'
+assert_output_json_eq '{ "f": { "tcp_flags": "RST-ACK", "src": "192.168.0.1" } }'
 
 cleanup_tmp_files
From 6fb0a810b7763d919ad4027f7675647ef70d12a7 Mon Sep 17 00:00:00 2001
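Review bot: The added case covers only plain quoted values, so neither of the two new parser paths in this patch — the `key::value` colon tolerance and the backslash-escaped quote inside a quoted value — is exercised by any test. One more pair in this file, e.g. `execute '[ msg:"say \"hi\""; src:"192.168.0.1"; ]'` with a matching `assert_output_json_eq`, would pin down what the stored value looks like when escapes are kept verbatim, and a `tcp_flags::"RST-ACK"` input would pin the key name the colon loop produces. An unterminated quote (`src:"192.168.0.1; ]`) is also worth an explicit failure assertion since the parser now has a separate scan for that case. The add_rule setup this hunk relies on is outside the hunk.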
From: Emile Duquennoy
Date: Mon, 28 Jun 2021 15:39:51 +0200
Subject: [PATCH 2/2] FIX CHECKPOINT-LEA: ';' NOT NEEDED AFTER LAST VALUE
As of today, Checkpoint logs do not necessarily provide a semicolon between the last key:value pair and the terminator. This causes the parse to fail with current behavior.
---
 src/parser.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/parser.c b/src/parser.c
index fb3355e2..2c55f1e5 100644
--- a/src/parser.c
+++ b/src/parser.c
@@ -2958,14 +2958,18 @@ PARSER_Parse(CheckpointLEA)
 ++i;
 } else {
 iValue = i;
- while (i < npb->strLen && npb->str[i] != ';') {
+ while (i < npb->strLen && npb->str[i] != ';' && npb->str[i] != data->terminator) {
 ++i;
 }
 lenValue = i - iValue;
 }
- if(i+1 > npb->strLen || npb->str[i] != ';')
+
+ if(i+1 > npb->strLen || (npb->str[i] != ';' && npb->str[i] != data->terminator))
 FAIL(LN_WRONGPARSER);
- ++i; /* skip ';' */
+
+ if(npb->str[i] == ';')
+ ++i; /* skip ';' */
+
 if(value != NULL) {
 CHKN(name = malloc(sizeof(char) * (lenName + 1)));
 memcpy(name, npb->str+iName, lenName);
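Review bot: Both new comparisons against `data->terminator` run even when no terminator is configured, so whatever that field holds in that case — presumably `'\0'` if the parser data is zero-initialised, which this hunk does not show — now ends a value exactly like `;` does, and the following `if(npb->str[i] == ';')` does not step over it, so a NUL byte inside a value would be re-scanned as the start of the next field name instead of being copied as before. Guard both tests on a configured terminator: `while (i < npb->strLen && npb->str[i] != ';' && (data->terminator == '\0' || npb->str[i] != data->terminator)) {` and `if(i+1 > npb->strLen || (npb->str[i] != ';' && (data->terminator == '\0' || npb->str[i] != data->terminator)))`. The diffstat lists only src/parser.c, so the behaviour this commit fixes (`[ tcp_flags: RST-ACK; src: 192.168.0.1 ]` with no `;` before the terminator) has no test; tests/field_checkpoint-lea-terminator.sh is the natural place for one. Note that the quoted-value branch above this hunk still has to see `;` or the terminator immediately after the closing quote, so `"value" ]` with a space before the terminator would still fail. The enclosing PARSER_Parse(CheckpointLEA) begins and ends outside this hunk.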