Merge pull request #8 from ahoying/EfficientRecordProcessing

Improve efficiency during record processing
certego · Dec 8, 2015 · 9341e68 · 9341e68
2 parents 2e9fff0 + b60147e
commit 9341e68
Show file tree

Hide file tree

Showing 2 changed files with 112 additions and 31 deletions.
diff --git a/fw1-loggrabber.c b/fw1-loggrabber.c
@@ -938,7 +938,6 @@ read_fw1_logfile_record (OpsecSession * pSession, lea_record * pRec,
 {
   char *szAttrib;
   int i;
-  int x;
   unsigned long ul;
   unsigned short us;
   char tmpdata[21];
@@ -966,26 +965,21 @@ read_fw1_logfile_record (OpsecSession * pSession, lea_record * pRec,
     {
       ignore = FALSE;
       strcpy (tmpdata, "\0");
-      szAttrib = lea_attr_name (pSession, pRec->fields[i].lea_attr_id);
 
       /*
-       * Compare the field name with the list of ignored fields.
-       * If the names match, then skip over processing this field.
+       * Compare the field attribute id with the list of ignored fields.
+       * If the IDs match, then skip over processing this field.
        */
-      for (x = 0; x < ignore_fields_count; x++)
+      if (ignore_attr_id_count)
         {
-          if (ignore_attr_id_array[x] == pRec->fields[i].lea_attr_id)
+          ignore = find_in_int_array(ignore_attr_id_array, ignore_attr_id_count, pRec->fields[i].lea_attr_id);
+
+          if (ignore)
             {
-              ignore = TRUE;
-              break;
+              continue;
             }
         }
 
-      if (ignore)
-        {
-          continue;
-        }
-
       if (!(cfgvalues.resolve_mode))
         {
           switch (pRec->fields[i].lea_val_type)
@@ -1029,27 +1023,33 @@ read_fw1_logfile_record (OpsecSession * pSession, lea_record * pRec,
             }
         }
 
-      if (strcmp (szAttrib, "time") == 0)
+      /*
+       * Check if the current field is the 'time' field based
+       * on its lea_attr_id value
+       */
+      if (time_attr_id == pRec->fields[i].lea_attr_id)
         {
           switch (cfgvalues.dateformat)
             {
-            case DATETIME_CP:
-              break;
-            case DATETIME_UNIX:
-              sprintf (tmpdata, "%lu",
-                   (long unsigned int) pRec->fields[i].lea_value.ul_value);
-              break;
-            case DATETIME_STD:
-              logtime = (time_t) pRec->fields[i].lea_value.ul_value;
-              datetime = localtime (&logtime);
-              strftime (tmpdata, 20, "%Y-%m-%d %H:%M:%S", datetime);
-              break;
-            default:
-              fprintf (stderr, "ERROR: Unsupported dateformat chosen\n");
-              exit_loggrabber (1);
+              case DATETIME_CP:
+                break;
+              case DATETIME_UNIX:
+                sprintf (tmpdata, "%lu",
+                     (long unsigned int) pRec->fields[i].lea_value.ul_value);
+                break;
+              case DATETIME_STD:
+                logtime = (time_t) pRec->fields[i].lea_value.ul_value;
+                datetime = localtime (&logtime);
+                strftime (tmpdata, 20, "%Y-%m-%d %H:%M:%S", datetime);
+                break;
+              default:
+                fprintf (stderr, "ERROR: Unsupported dateformat chosen\n");
+                exit_loggrabber (1);
             }
         }
 
+      szAttrib = lea_attr_name (pSession, pRec->fields[i].lea_attr_id);
+
       *field_headers[i] = string_duplicate (szAttrib);
 
       if (tmpdata[0])
@@ -1143,6 +1143,7 @@ read_fw1_logfile_dict (OpsecSession * psession, int dict_id, LEA_VT val_type,
                        int n_d_entries)
 {
   lea_value_t d_value;
+  int i;
   int x;
 
   if (cfgvalues.debug_mode >= 2)
@@ -1155,8 +1156,32 @@ read_fw1_logfile_dict (OpsecSession * psession, int dict_id, LEA_VT val_type,
       fprintf (stderr, "DEBUG: LEA logfile dict handler was invoked\n");
     }
 
-  if (ignore_fields_count && dict_id == LEA_ATTRIB_ID)
+  if (dict_id == LEA_ATTRIB_ID)
     {
+      i = 0;
+
+      if (cfgvalues.debug_mode)
+        {
+          fprintf (stderr, "DEBUG: Checking attribute id for time\n");
+        }
+      if ((lea_reverse_dictionary_lookup(psession, LEA_ATTRIB_ID, "time",
+                                         &d_value)) != LEA_NOT_FOUND)
+        {
+          if (cfgvalues.debug_mode)
+            {
+              fprintf (stderr, "DEBUG: Got attribute id %i\n", d_value.i_value);
+            }
+          time_attr_id = d_value.i_value;
+        }
+      else
+        {
+          if (cfgvalues.debug_mode)
+            {
+              fprintf (stderr, "DEBUG: No attribute id found\n");
+            }
+          time_attr_id = -1;
+        }
+
       for (x = 0; x < ignore_fields_count; x++)
         {
           if (cfgvalues.debug_mode)
@@ -1170,17 +1195,25 @@ read_fw1_logfile_dict (OpsecSession * psession, int dict_id, LEA_VT val_type,
                 {
                   fprintf (stderr, "DEBUG: Got attribute id %i\n", d_value.i_value);
                 }
-              ignore_attr_id_array[x] = d_value.i_value;
+              ignore_attr_id_array[i] = d_value.i_value;
+              i++;
             }
           else
             {
               if (cfgvalues.debug_mode)
                 {
                   fprintf (stderr, "DEBUG: No attribute id found\n");
                 }
-              ignore_attr_id_array[x] = -1;
             }
         }
+
+      if (i)
+        {
+          ignore_attr_id_count = i;
+
+          // sorting the array allows faster value lookups in O(log n) time
+          qsort(ignore_attr_id_array, ignore_attr_id_count, sizeof(int), integer_cmp);
+        }
     }
 
   return OPSEC_SESSION_OK;
@@ -5135,6 +5168,44 @@ getschar ()
   return ch;
 }
 
+int
+integer_cmp (const void * a, const void * b)
+{
+  return ( *(int*)a - *(int*)b );
+}
+
+int
+find_in_int_array (int * a, int len, int val)
+{
+  int left = 0;
+  int right = len - 1;
+
+  // Fast return if the value is less than the min or greater than the max
+  if (len == 0 || val < a[left] || val > a[right])
+    {
+      return FALSE;
+    }
+
+  while (right > left + 1)
+    {
+      int middle = (right+left) / 2;
+      if (a[middle] == val)
+        {
+          return TRUE;
+        }
+      else if (a[middle] > val)
+        {
+          right = middle;
+        }
+      else
+        {
+          left = middle;
+        }
+    }
+
+  return FALSE;
+}
+
 void
 check_config_files (char *loggrabberconf, char *leaconf)
 {

diff --git a/fw1-loggrabber.h b/fw1-loggrabber.h
@@ -289,6 +289,8 @@ int string_icmp (const char *, const char *);
 int string_incmp (const char *, const char *, size_t);
 char *string_toupper (const char *);
 char getschar ();
+int integer_cmp (const void *, const void *);
+int find_in_int_array (int *, int, int);
 
 /*
  * file operation functions
@@ -332,8 +334,16 @@ int create_tables = FALSE;
 char *ignore_fields = NULL;
 int ignore_fields_count = 0;
 char **ignore_fields_array = NULL;
+
+int ignore_attr_id_count = 0;
 int ignore_attr_id_array[NUMBER_FIELDS] = { 0 };
 
+/*
+ * Holds the attribute ID for the "time" field from the ATTRIB_ID databases.
+ * The value is set in the read_fw1_logfile_dict function
+ */
+int time_attr_id = -1;
+
 OpsecSession* pSession = NULL;
 OpsecEnv*     pEnv     = NULL;