From ffdc278810fc487c92d560be5b15afd7aeeb10cb Mon Sep 17 00:00:00 2001 From: ahoying Date: Tue, 8 Dec 2015 10:30:15 -0700 Subject: [PATCH 1/2] Switch to using a sorted array for the ignore field attribute IDs. Then use an optimized check to return if each field's attribute ID is in the array. Also switched the string compare for the 'time' field to using an attribute ID comparison. --- fw1-loggrabber.c | 132 ++++++++++++++++++++++++++++++++++++----------- fw1-loggrabber.h | 10 ++++ 2 files changed, 112 insertions(+), 30 deletions(-) diff --git a/fw1-loggrabber.c b/fw1-loggrabber.c index 1ccd598..58bca26 100644 --- a/fw1-loggrabber.c +++ b/fw1-loggrabber.c @@ -966,26 +966,21 @@ read_fw1_logfile_record (OpsecSession * pSession, lea_record * pRec, { ignore = FALSE; strcpy (tmpdata, "\0"); - szAttrib = lea_attr_name (pSession, pRec->fields[i].lea_attr_id); /* - * Compare the field name with the list of ignored fields. - * If the names match, then skip over processing this field. + * Compare the field attribute id with the list of ignored fields. + * If the IDs match, then skip over processing this field. */ - for (x = 0; x < ignore_fields_count; x++) + if (ignore_attr_id_count) { - if (ignore_attr_id_array[x] == pRec->fields[i].lea_attr_id) + ignore = find_in_int_array(ignore_attr_id_array, ignore_attr_id_count, pRec->fields[i].lea_attr_id) + + if (ignore) { - ignore = TRUE; - break; + continue; } } - if (ignore) - { - continue; - } - if (!(cfgvalues.resolve_mode)) { switch (pRec->fields[i].lea_val_type) 
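Review bot: The `ignore` flag has become write-only bookkeeping around the new lookup in the `@@ -966` hunk: it is reset to FALSE at the top of the loop body, overwritten by the `find_in_int_array` result, and read exactly once by the `if (ignore)` directly beneath, so the branch could simply read `if (find_in_int_array (ignore_attr_id_array, ignore_attr_id_count, pRec->fields[i].lea_attr_id)) { continue; }` and the flag go away. The enclosing `if (ignore_attr_id_count)` guard also duplicates the `len == 0` check inside `find_in_int_array`, so one of the two is redundant. read_fw1_logfile_record begins and ends outside this hunk.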
@@ -1029,27 +1024,33 @@ read_fw1_logfile_record (OpsecSession * pSession, lea_record * pRec, } } - if (strcmp (szAttrib, "time") == 0) + /* + * Check if the current field is the 'time' field based + * on its lea_attr_id value + */ + if (time_attr_id == pRec->fields[i].lea_attr_id) { switch (cfgvalues.dateformat) { - case DATETIME_CP: - break; - case DATETIME_UNIX: - sprintf (tmpdata, "%lu", - (long unsigned int) pRec->fields[i].lea_value.ul_value); - break; - case DATETIME_STD: - logtime = (time_t) pRec->fields[i].lea_value.ul_value; - datetime = localtime (&logtime); - strftime (tmpdata, 20, "%Y-%m-%d %H:%M:%S", datetime); - break; - default: - fprintf (stderr, "ERROR: Unsupported dateformat chosen\n"); - exit_loggrabber (1); + case DATETIME_CP: + break; + case DATETIME_UNIX: + sprintf (tmpdata, "%lu", + (long unsigned int) pRec->fields[i].lea_value.ul_value); + break; + case DATETIME_STD: + logtime = (time_t) pRec->fields[i].lea_value.ul_value; + datetime = localtime (&logtime); + strftime (tmpdata, 20, "%Y-%m-%d %H:%M:%S", datetime); + break; + default: + fprintf (stderr, "ERROR: Unsupported dateformat chosen\n"); + exit_loggrabber (1); } } + szAttrib = lea_attr_name (pSession, pRec->fields[i].lea_attr_id); + *field_headers[i] = string_duplicate (szAttrib); if (tmpdata[0]) @@ -1143,6 +1144,7 @@ read_fw1_logfile_dict (OpsecSession * psession, int dict_id, LEA_VT val_type, int n_d_entries) { lea_value_t d_value; + int i; int x; if (cfgvalues.debug_mode >= 2) 
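Review bot: The re-indented DATETIME_STD branch still passes the result of `localtime` straight to `strftime` with no NULL check, and since `logtime` comes from the record value, an unrepresentable time would dereference NULL; add `if (datetime == NULL) { tmpdata[0] = '\0'; break; }` after the `localtime` call. The switch to `time_attr_id == pRec->fields[i].lea_attr_id` also makes date formatting depend on the dictionary callback having resolved "time" before the first record arrives; if `time_attr_id` is still -1 at that point, the field silently takes the generic path where the previous `strcmp` did not, so a debug message in that case would make the regression diagnosable. read_fw1_logfile_record begins and ends outside this hunk.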
@@ -1155,8 +1157,32 @@ read_fw1_logfile_dict (OpsecSession * psession, int dict_id, LEA_VT val_type, fprintf (stderr, "DEBUG: LEA logfile dict handler was invoked\n"); } - if (ignore_fields_count && dict_id == LEA_ATTRIB_ID) + if (dict_id == LEA_ATTRIB_ID) { + i = 0; + + if (cfgvalues.debug_mode) + { + fprintf (stderr, "DEBUG: Checking attribute id for time\n"); + } + if ((lea_reverse_dictionary_lookup(psession, LEA_ATTRIB_ID, "time", + &d_value)) != LEA_NOT_FOUND) + { + if (cfgvalues.debug_mode) + { + fprintf (stderr, "DEBUG: Got attribute id %i\n", d_value.i_value); + } + time_attr_id = d_value.i_value; + } + else + { + if (cfgvalues.debug_mode) + { + fprintf (stderr, "DEBUG: No attribute id found\n"); + } + time_attr_id = -1; + } + for (x = 0; x < ignore_fields_count; x++) { if (cfgvalues.debug_mode) @@ -1170,7 +1196,8 @@ read_fw1_logfile_dict (OpsecSession * psession, int dict_id, LEA_VT val_type, { fprintf (stderr, "DEBUG: Got attribute id %i\n", d_value.i_value); } - ignore_attr_id_array[x] = d_value.i_value; + ignore_attr_id_array[i] = d_value.i_value; + i++; } else { @@ -1178,9 +1205,16 @@ read_fw1_logfile_dict (OpsecSession * psession, int dict_id, LEA_VT val_type, { fprintf (stderr, "DEBUG: No attribute id found\n"); } - ignore_attr_id_array[x] = -1; } } + + if (i) + { + ignore_attr_id_count = i; + + // sorting the array allows faster value lookups in O(log n) time + qsort(ignore_attr_id_array, ignore_attr_id_count, sizeof(int), integer_cmp); + } } return OPSEC_SESSION_OK; 
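Review bot: In the `@@ -1178` hunk `ignore_attr_id_count` is only assigned inside `if (i)`, so if this handler runs again for a later dictionary and none of the configured ignore fields resolve that time, the count from the previous run stays in effect over now-stale array contents. Assign the count unconditionally and sort only when there is something to order: `ignore_attr_id_count = i;` before the `if`, then `if (i > 1) { qsort (ignore_attr_id_array, ignore_attr_id_count, sizeof (int), integer_cmp); }`. The `-1` placeholders are no longer stored, which is what makes the separate `i` index necessary; a one-line comment above the `for` loop saying `/* only resolved IDs are stored, so i may end up below ignore_fields_count */` would spare the next reader the question.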
@@ -5135,6 +5169,44 @@ getschar () return ch; } +int +integer_cmp (const void * a, const void * b) +{ + return ( *(int*)a - *(int*)b ); +} + +int +find_in_int_array (int * a, int len, int val) +{ + int left = 0; + int right = len - 1; + + // Fast return if the value is less than the min or greater than the max + if (len == 0 || val < a[left] || val > a[right]) + { + return FALSE; + } + + while (right > left + 1) + { + int middle = (right+left) / 2; + if (a[middle] == val) + { + return TRUE; + } + else if (a[middle] > val) + { + right = middle; + } + else + { + left = middle; + } + } + + return FALSE; +} + void check_config_files (char *loggrabberconf, char *leaconf) { diff --git a/fw1-loggrabber.h b/fw1-loggrabber.h index 60c2447..a7d7e5a 100644 --- a/fw1-loggrabber.h +++ b/fw1-loggrabber.h @@ -289,6 +289,8 @@ int string_icmp (const char *, const char *); int string_incmp (const char *, const char *, size_t); char *string_toupper (const char *); char getschar (); +int integer_cmp (const void *, const void *); +int find_in_int_array (int *, int, int); /* * file operation functions @@ -332,8 +334,16 @@ int create_tables = FALSE; char *ignore_fields = NULL; int ignore_fields_count = 0; char **ignore_fields_array = NULL; + +int ignore_attr_id_count = 0; int ignore_attr_id_array[NUMBER_FIELDS] = { 0 }; +/* + * Holds the attribute ID for the "time" field from the ATTRIB_ID databases. + * The value is set in the read_fw1_logfile_dict function + */ +int time_attr_id = -1; + OpsecSession* pSession = NULL; OpsecEnv* pEnv = NULL; From b60147e74d1722dd35e6f9980323a5d1b9166634 Mon Sep 17 00:00:00 2001 From: ahoying Date: Tue, 8 Dec 2015 10:33:15 -0700 Subject: [PATCH 2/2] Fix missing ; Remove unused variable x --- fw1-loggrabber.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/fw1-loggrabber.c b/fw1-loggrabber.c index 58bca26..471df31 100644 --- a/fw1-loggrabber.c +++ b/fw1-loggrabber.c 
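Review bot: `find_in_int_array` never compares `a[left]` or `a[right]` themselves against `val`, so the smallest and largest IDs in the sorted array are reported as absent: with `a = {1, 2, 3}` and `val = 1` the range guard passes, the loop moves `right` to 1 and exits, and FALSE is returned; for `len == 1` the loop body never runs at all. In practice the first and last configured ignore fields would not be ignored. The inclusive-bounds form below fixes that and also avoids the `right + left` overflow form; `integer_cmp` should likewise compare rather than subtract, since `a - b` overflows for operands of opposite sign, and the casts should keep `const`. The prototype in fw1-loggrabber.h could take `const int *` to match.
```c
int
integer_cmp (const void * a, const void * b)
{
  int x = *(const int *) a;
  int y = *(const int *) b;
  // Compare instead of subtract: x - y can overflow for opposite-sign operands
  return (x > y) - (x < y);
}

int
find_in_int_array (int * a, int len, int val)
{
  int left = 0;
  int right = len - 1;

  // Fast return on an empty array or a value outside [min, max]
  if (len == 0 || val < a[left] || val > a[right])
    {
      return FALSE;
    }

  // Inclusive-bounds binary search: left and right are candidates too
  while (left <= right)
    {
      int middle = left + (right - left) / 2;
      if (a[middle] == val)
        {
          return TRUE;
        }
      else if (a[middle] > val)
        {
          right = middle - 1;
        }
      else
        {
          left = middle + 1;
        }
    }

  return FALSE;
}
```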
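Review bot: `int ignore_attr_id_count = 0;` and `int time_attr_id = -1;` in the `@@ -332` hunk are object definitions placed in fw1-loggrabber.h, following the existing `ignore_attr_id_array` definition beside them; that only links if the header is included from exactly one translation unit, which is presumably the case here but is nowhere stated. The conventional form is `extern int time_attr_id;` in the header with the definition in fw1-loggrabber.c. The new comment above `time_attr_id` could also name the sentinel explicitly: `-1 means the "time" attribute was not found in the LEA_ATTRIB_ID dictionary`.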
@@ -938,7 +938,6 @@ read_fw1_logfile_record (OpsecSession * pSession, lea_record * pRec, { char *szAttrib; int i; - int x; unsigned long ul; unsigned short us; char tmpdata[21]; @@ -973,7 +972,7 @@ read_fw1_logfile_record (OpsecSession * pSession, lea_record * pRec, */ if (ignore_attr_id_count) { - ignore = find_in_int_array(ignore_attr_id_array, ignore_attr_id_count, pRec->fields[i].lea_attr_id) + ignore = find_in_int_array(ignore_attr_id_array, ignore_attr_id_count, pRec->fields[i].lea_attr_id); if (ignore) {