From f28aa383f0004c2f71beba1bc6a71e8243c70f98 Mon Sep 17 00:00:00 2001
From: shifter
Date: Fri, 4 Oct 2024 12:04:32 +0200
Subject: [PATCH] filterx/modules/cef: add filterx-func-parse-leef() based on event-format-parser
this version supports only LEEF:1.0 atm, LEEF:2.0 will be added as a separate feature
Signed-off-by: shifter
---
 modules/cef/CMakeLists.txt | 2 +
 modules/cef/Makefile.am | 2 +
 modules/cef/cef-plugin.c | 2 +
 modules/cef/filterx-func-parse-leef.c | 93 +++++++++++++++++++++++++++
 modules/cef/filterx-func-parse-leef.h | 36 +++++++++++
 5 files changed, 135 insertions(+)
 create mode 100644 modules/cef/filterx-func-parse-leef.c
 create mode 100644 modules/cef/filterx-func-parse-leef.h
diff --git a/modules/cef/CMakeLists.txt b/modules/cef/CMakeLists.txt
index 6489838da..56b4c92be 100644
--- a/modules/cef/CMakeLists.txt
+++ b/modules/cef/CMakeLists.txt
@@ -7,6 +7,8 @@ set(CEF_SOURCES
 event-format-parser-cfg.h
 filterx-func-parse-cef.c
 filterx-func-parse-cef.h
+ filterx-func-parse-leef.c
+ filterx-func-parse-leef.h
 )
 add_module(
diff --git a/modules/cef/Makefile.am b/modules/cef/Makefile.am
index cc7d3b864..309e6f3b0 100644
--- a/modules/cef/Makefile.am
+++ b/modules/cef/Makefile.am
@@ -10,6 +10,8 @@ modules_cef_libcef_la_SOURCES = \
 modules/cef/event-format-parser.h \
 modules/cef/filterx-func-parse-cef.c \
 modules/cef/filterx-func-parse-cef.h \
+ modules/cef/filterx-func-parse-leef.c \
+ modules/cef/filterx-func-parse-leef.h \
 modules/cef/cef-plugin.c
 modules_cef_libcef_la_CFLAGS = \
diff --git a/modules/cef/cef-plugin.c b/modules/cef/cef-plugin.c
index 1fb33a5a4..b4083a52c 100644
--- a/modules/cef/cef-plugin.c
+++ b/modules/cef/cef-plugin.c
@@ -23,12 +23,14 @@
 #include "plugin.h"
 #include "plugin-types.h"
 #include "filterx-func-parse-cef.h"
+#include "filterx-func-parse-leef.h"
 #include "filterx/expr-function.h"
 static Plugin cef_plugins[] =
 {
 TEMPLATE_FUNCTION_PLUGIN(tf_cef, "format-cef-extension"),
 FILTERX_GENERATOR_FUNCTION_PLUGIN(parse_cef),
+ FILTERX_GENERATOR_FUNCTION_PLUGIN(parse_leef),
 };
 gboolean
diff --git a/modules/cef/filterx-func-parse-leef.c b/modules/cef/filterx-func-parse-leef.c
new file mode 100644
index 000000000..b9088c14b
--- /dev/null
+++ b/modules/cef/filterx-func-parse-leef.c
@@ -0,0 +1,93 @@
+/*
+ * Copyright (c) 2024 Axoflow
+ * Copyright (c) 2024 shifter
+ *
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 as published
+ * by the Free Software Foundation, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ *
+ * As an additional exemption you are allowed to compile & link against the
+ * OpenSSL libraries as published by the OpenSSL project. See the file
+ * COPYING for details.
+ *
+ */
+
+#include "filterx-func-parse-leef.h"
+#include "filterx/object-string.h"
+#include "filterx/object-primitive.h"
+#include "filterx/expr-literal.h"
+#include "filterx/expr-literal-generator.h"
+#include "filterx/filterx-eval.h"
+#include "filterx/filterx-globals.h"
+#include "filterx/object-extractor.h"
+#include "filterx/object-json.h"
+#include "filterx/object-message-value.h"
+#include "filterx/object-null.h"
+#include "filterx/filterx-object.h"
+#include "filterx/object-dict-interface.h"
+#include "filterx/object-list-interface.h"
+#include "filterx/object-string.h"
+
+#include "scanner/csv-scanner/csv-scanner.h"
+#include "parser/parser-expr.h"
+#include "scratch-buffers.h"
+#include "str-utils.h"
+#include "scanner/kv-scanner/kv-scanner.h"
+#include "event-format-parser.h"
+
+static Field leef_fields[] =
+{
+ { .name = "version", .field_parser = parse_version},
+ { .name = "vendor"},
+ { .name = "productName"},
+ { .name = "productVersion"},
+ { .name = "eventId"},
+ { .name = "extensions", .field_parser = parse_extensions},
+};
+
+typedef struct FilterXFunctionParseLEEF_
+{
+ FilterXFunctionEventFormatParser super;
+} FilterXFunctionParseLEEF;
+
+
+FilterXExpr *
+filterx_function_parse_leef_new(FilterXFunctionArgs *args, GError **err)
+{
+ FilterXFunctionParseLEEF *self = g_new0(FilterXFunctionParseLEEF, 1);
+ if (!filterx_function_parser_init_instance(&self->super, "parse_leef", args, err))
+ goto error;
+
+ Config cfg =
+ {
+ .delimiters = "|",
+ .log_type = EVENFORMAT_LOGTYPE_LEEF,
+ .num_fields = 6,
+ .extensions_value_separator = '=',
+ .extensions_pair_separator = "\t",
+ .fields = leef_fields,
+ };
+
+ filterx_function_parser_set_config(&self->super, &cfg);
+
+ filterx_function_args_free(args);
+ return &self->super.super.super.super;
+
+error:
+ append_error_message(err, FILTERX_FUNC_PARSE_LEEF_USAGE);
+ filterx_function_args_free(args);
+ filterx_expr_unref(&self->super.super.super.super);
+ return NULL;
+}
+
+FILTERX_GENERATOR_FUNCTION(parse_leef, filterx_function_parse_leef_new);
diff --git a/modules/cef/filterx-func-parse-leef.h b/modules/cef/filterx-func-parse-leef.h
new file mode 100644
index 000000000..b57d4aa58
--- /dev/null
+++ b/modules/cef/filterx-func-parse-leef.h
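Review bot: `Config cfg` in filterx_function_parse_leef_new() is a stack local whose address is passed to `filterx_function_parser_set_config(&self->super, &cfg)` and then goes out of scope at return, so this is only safe if set_config copies the struct rather than retaining the pointer — that helper lives outside this patch, so please confirm, or store the Config in the instance. `.num_fields = 6` repeats the length of `leef_fields` by hand; `.num_fields = G_N_ELEMENTS(leef_fields),` keeps the two from drifting when the announced LEEF:2.0 support adds a header field. `"filterx/object-string.h"` is included twice, and most of the csv-scanner/kv-scanner/parser-expr/object-json includes appear unused in this file. The diffstat shows no test added for parse_leef(), which parses untrusted log text through the shared event-format parser; a unit test with a valid LEEF:1.0 sample, a truncated header (fewer than 6 pipe-separated fields) and an extension block with a missing `=` would be worth adding.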
@@ -0,0 +1,36 @@
+/*
+ * Copyright (c) 2023 Axoflow
+ * Copyright (c) 2024 shifter
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 as published
+ * by the Free Software Foundation, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ *
+ * As an additional exemption you are allowed to compile & link against the
+ * OpenSSL libraries as published by the OpenSSL project. See the file
+ * COPYING for details.
+ *
+ */
+
+#ifndef FILTERX_FUNC_PARSE_LEEF_H_INCLUDED
+#define FILTERX_FUNC_PARSE_LEEF_H_INCLUDED
+
+#include "plugin.h"
+#include "filterx/expr-function.h"
+
+#define FILTERX_FUNC_PARSE_LEEF_USAGE "Usage: parse_leef($str)"
+
+FILTERX_GENERATOR_FUNCTION_DECLARE(parse_leef);
+
+FilterXExpr *filterx_function_parse_leef_new(FilterXFunctionArgs *args, GError **error);
+
+#endif