filterx/modules/cef: add filterx-func-parse-leef() based on event-for…

…mat-parser

this version supports only LEEF:1.0 atm, LEEF:2.0 will be added as a separate feature

Signed-off-by: shifter <shifter@axoflow.com>

modules/cef/CMakeLists.txt

@@ -7,6 +7,8 @@ set(CEF_SOURCES
     event-format-parser-cfg.h
     filterx-func-parse-cef.c
     filterx-func-parse-cef.h
+    filterx-func-parse-leef.c
+    filterx-func-parse-leef.h
 )
 
 add_module(

modules/cef/Makefile.am

@@ -10,6 +10,8 @@ modules_cef_libcef_la_SOURCES	=	\
 	modules/cef/event-format-parser.h	\
 	modules/cef/filterx-func-parse-cef.c	\
 	modules/cef/filterx-func-parse-cef.h	\
+	modules/cef/filterx-func-parse-leef.c	\
+	modules/cef/filterx-func-parse-leef.h	\
 	modules/cef/cef-plugin.c
 
 modules_cef_libcef_la_CFLAGS	=	\

modules/cef/cef-plugin.c

@@ -23,12 +23,14 @@
 #include "plugin.h"
 #include "plugin-types.h"
 #include "filterx-func-parse-cef.h"
+#include "filterx-func-parse-leef.h"
 #include "filterx/expr-function.h"
 
 static Plugin cef_plugins[] =
 {
   TEMPLATE_FUNCTION_PLUGIN(tf_cef, "format-cef-extension"),
   FILTERX_GENERATOR_FUNCTION_PLUGIN(parse_cef),
+  FILTERX_GENERATOR_FUNCTION_PLUGIN(parse_leef),
 };
 
 gboolean

modules/cef/filterx-func-parse-leef.c

@@ -0,0 +1,93 @@
+/*
+ * Copyright (c) 2024 Axoflow
+ * Copyright (c) 2024 shifter
+ *
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 as published
+ * by the Free Software Foundation, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+ *
+ * As an additional exemption you are allowed to compile & link against the
+ * OpenSSL libraries as published by the OpenSSL project. See the file
+ * COPYING for details.
+ *
+ */
+
+#include "filterx-func-parse-leef.h"
+#include "filterx/object-string.h"
+#include "filterx/object-primitive.h"
+#include "filterx/expr-literal.h"
+#include "filterx/expr-literal-generator.h"
+#include "filterx/filterx-eval.h"
+#include "filterx/filterx-globals.h"
+#include "filterx/object-extractor.h"
+#include "filterx/object-json.h"
+#include "filterx/object-message-value.h"
+#include "filterx/object-null.h"
+#include "filterx/filterx-object.h"
+#include "filterx/object-dict-interface.h"
+#include "filterx/object-list-interface.h"
+#include "filterx/object-string.h"
+
+#include "scanner/csv-scanner/csv-scanner.h"
+#include "parser/parser-expr.h"
+#include "scratch-buffers.h"
+#include "str-utils.h"
+#include "scanner/kv-scanner/kv-scanner.h"
+#include "event-format-parser.h"
+
+static Field leef_fields[] =
+{
+  { .name = "version", .field_parser = parse_version},
+  { .name = "vendor"},
+  { .name = "productName"},
+  { .name = "productVersion"},
+  { .name = "eventId"},
+  { .name = "extensions", .field_parser = parse_extensions},
+};
+
+typedef struct FilterXFunctionParseLEEF_
+{
+  FilterXFunctionEventFormatParser super;
+} FilterXFunctionParseLEEF;
+
+
+FilterXExpr *
+filterx_function_parse_leef_new(FilterXFunctionArgs *args, GError **err)
+{
+  FilterXFunctionParseLEEF *self = g_new0(FilterXFunctionParseLEEF, 1);
+  if (!filterx_function_parser_init_instance(&self->super, "parse_leef", args, err))
+    goto error;
+
+  Config cfg =
+  {
+    .delimiters = "|",
+    .log_type = EVENFORMAT_LOGTYPE_LEEF,
+    .num_fields = 6,
+    .extensions_value_separator = '=',
+    .extensions_pair_separator = "\t",
+    .fields = leef_fields,
+  };
+
+  filterx_function_parser_set_config(&self->super, &cfg);
+
+  filterx_function_args_free(args);
+  return &self->super.super.super.super;
+
+error:
+  append_error_message(err, FILTERX_FUNC_PARSE_LEEF_USAGE);
+  filterx_function_args_free(args);
+  filterx_expr_unref(&self->super.super.super.super);
+  return NULL;
+}
+
+FILTERX_GENERATOR_FUNCTION(parse_leef, filterx_function_parse_leef_new);

modules/cef/filterx-func-parse-leef.h

@@ -0,0 +1,36 @@
+/*
+ * Copyright (c) 2023 Axoflow
+ * Copyright (c) 2024 shifter
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 as published
+ * by the Free Software Foundation, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+ *
+ * As an additional exemption you are allowed to compile & link against the
+ * OpenSSL libraries as published by the OpenSSL project. See the file
+ * COPYING for details.
+ *
+ */
+
+#ifndef FILTERX_FUNC_PARSE_LEEF_H_INCLUDED
+#define FILTERX_FUNC_PARSE_LEEF_H_INCLUDED
+
+#include "plugin.h"
+#include "filterx/expr-function.h"
+
+#define FILTERX_FUNC_PARSE_LEEF_USAGE "Usage: parse_leef($str)"
+
+FILTERX_GENERATOR_FUNCTION_DECLARE(parse_leef);
+
+FilterXExpr *filterx_function_parse_leef_new(FilterXFunctionArgs *args, GError **error);
+
+#endif