

Switch to using a sorted array for the ignore field attribute IDs. Then
use an optimized check to return if each field's attribute ID is in the
array. 

Also switched the string compare for the 'time' field to using an
attribute ID comparison.
ahoying committed Dec 8, 2015
1 parent 6fe8dcf commit ffdc278
Showing 2 changed files with 112 additions and 30 deletions.
132 changes: 102 additions & 30 deletions fw1-loggrabber.c
Expand Up @@ -966,26 +966,21 @@ read_fw1_logfile_record (OpsecSession * pSession, lea_record * pRec,
{
ignore = FALSE;
strcpy (tmpdata, "\0");
szAttrib = lea_attr_name (pSession, pRec->fields[i].lea_attr_id);

/*
* Compare the field name with the list of ignored fields.
* If the names match, then skip over processing this field.
* Compare the field attribute id with the list of ignored fields.
* If the IDs match, then skip over processing this field.
*/
for (x = 0; x < ignore_fields_count; x++)
if (ignore_attr_id_count)
{
if (ignore_attr_id_array[x] == pRec->fields[i].lea_attr_id)
ignore = find_in_int_array(ignore_attr_id_array, ignore_attr_id_count, pRec->fields[i].lea_attr_id)

if (ignore)
{
ignore = TRUE;
break;
continue;
}
}

if (ignore)
{
continue;
}

if (!(cfgvalues.resolve_mode))
{
switch (pRec->fields[i].lea_val_type)
Expand Down Expand Up @@ -1029,27 +1024,33 @@ read_fw1_logfile_record (OpsecSession * pSession, lea_record * pRec,
}
}

if (strcmp (szAttrib, "time") == 0)
/*
* Check if the current field is the 'time' field based
* on its lea_attr_id value
*/
if (time_attr_id == pRec->fields[i].lea_attr_id)
{
switch (cfgvalues.dateformat)
{
case DATETIME_CP:
break;
case DATETIME_UNIX:
sprintf (tmpdata, "%lu",
(long unsigned int) pRec->fields[i].lea_value.ul_value);
break;
case DATETIME_STD:
logtime = (time_t) pRec->fields[i].lea_value.ul_value;
datetime = localtime (&logtime);
strftime (tmpdata, 20, "%Y-%m-%d %H:%M:%S", datetime);
break;
default:
fprintf (stderr, "ERROR: Unsupported dateformat chosen\n");
exit_loggrabber (1);
case DATETIME_CP:
break;
case DATETIME_UNIX:
sprintf (tmpdata, "%lu",
(long unsigned int) pRec->fields[i].lea_value.ul_value);
break;
case DATETIME_STD:
logtime = (time_t) pRec->fields[i].lea_value.ul_value;
datetime = localtime (&logtime);
strftime (tmpdata, 20, "%Y-%m-%d %H:%M:%S", datetime);
break;
default:
fprintf (stderr, "ERROR: Unsupported dateformat chosen\n");
exit_loggrabber (1);
}
}

szAttrib = lea_attr_name (pSession, pRec->fields[i].lea_attr_id);

*field_headers[i] = string_duplicate (szAttrib);

if (tmpdata[0])
Expand Down Expand Up @@ -1143,6 +1144,7 @@ read_fw1_logfile_dict (OpsecSession * psession, int dict_id, LEA_VT val_type,
int n_d_entries)
{
lea_value_t d_value;
int i;
int x;

if (cfgvalues.debug_mode >= 2)
Expand All @@ -1155,8 +1157,32 @@ read_fw1_logfile_dict (OpsecSession * psession, int dict_id, LEA_VT val_type,
fprintf (stderr, "DEBUG: LEA logfile dict handler was invoked\n");
}

if (ignore_fields_count && dict_id == LEA_ATTRIB_ID)
if (dict_id == LEA_ATTRIB_ID)
{
i = 0;

if (cfgvalues.debug_mode)
{
fprintf (stderr, "DEBUG: Checking attribute id for time\n");
}
if ((lea_reverse_dictionary_lookup(psession, LEA_ATTRIB_ID, "time",
&d_value)) != LEA_NOT_FOUND)
{
if (cfgvalues.debug_mode)
{
fprintf (stderr, "DEBUG: Got attribute id %i\n", d_value.i_value);
}
time_attr_id = d_value.i_value;
}
else
{
if (cfgvalues.debug_mode)
{
fprintf (stderr, "DEBUG: No attribute id found\n");
}
time_attr_id = -1;
}

for (x = 0; x < ignore_fields_count; x++)
{
if (cfgvalues.debug_mode)
Expand All @@ -1170,17 +1196,25 @@ read_fw1_logfile_dict (OpsecSession * psession, int dict_id, LEA_VT val_type,
{
fprintf (stderr, "DEBUG: Got attribute id %i\n", d_value.i_value);
}
ignore_attr_id_array[x] = d_value.i_value;
ignore_attr_id_array[i] = d_value.i_value;
i++;
}
else
{
if (cfgvalues.debug_mode)
{
fprintf (stderr, "DEBUG: No attribute id found\n");
}
ignore_attr_id_array[x] = -1;
}
}

if (i)
{
ignore_attr_id_count = i;

// sorting the array allows faster value lookups in O(log n) time
qsort(ignore_attr_id_array, ignore_attr_id_count, sizeof(int), integer_cmp);
}
}

return OPSEC_SESSION_OK;
Expand Down Expand Up @@ -5135,6 +5169,44 @@ getschar ()
return ch;
}

int
integer_cmp (const void * a, const void * b)
{
return ( *(int*)a - *(int*)b );
}

int
find_in_int_array (int * a, int len, int val)
{
int left = 0;
int right = len - 1;

// Fast return if the value is less than the min or greater than the max
if (len == 0 || val < a[left] || val > a[right])
{
return FALSE;
}

while (right > left + 1)
{
int middle = (right+left) / 2;
if (a[middle] == val)
{
return TRUE;
}
else if (a[middle] > val)
{
right = middle;
}
else
{
left = middle;
}
}

return FALSE;
}

void
check_config_files (char *loggrabberconf, char *leaconf)
{
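Review bot: find_in_int_array never compares val with a[left] or a[right], so the smallest and largest IDs in the sorted array are always reported absent: with a = {1, 5} and val = 5 the range check passes, the loop condition right > left + 1 is false at once, and the function returns FALSE, and a one-element array can never match at all. In read_fw1_logfile_record this means a field whose attribute ID sorts first or last in ignore_attr_id_array is still emitted although the operator configured it to be ignored, which matters when the ignore list is what keeps sensitive fields out of the output. The simplest correct body is the standard-library search with the comparator this commit already adds: `return bsearch(&val, a, (size_t)len, sizeof *a, integer_cmp) != NULL;` (it needs `<stdlib.h>`, which the qsort call in read_fw1_logfile_dict already requires). Separately, the `ignore = find_in_int_array(...)` assignment in the first hunk appears to lack its terminating semicolon as rendered here; if that is the real source the file does not compile, so it is worth confirming against the repository. integer_cmp's `*(int*)a - *(int*)b` also overflows for operands of large opposite sign; `(x > y) - (x < y)` avoids that, though attribute IDs are presumably far too small to hit it.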
10 changes: 10 additions & 0 deletions fw1-loggrabber.h
Expand Up @@ -289,6 +289,8 @@ int string_icmp (const char *, const char *);
int string_incmp (const char *, const char *, size_t);
char *string_toupper (const char *);
char getschar ();
int integer_cmp (const void *, const void *);
int find_in_int_array (int *, int, int);

/*
* file operation functions
Expand Down Expand Up @@ -332,8 +334,16 @@ int create_tables = FALSE;
char *ignore_fields = NULL;
int ignore_fields_count = 0;
char **ignore_fields_array = NULL;

int ignore_attr_id_count = 0;
int ignore_attr_id_array[NUMBER_FIELDS] = { 0 };

/*
* Holds the attribute ID for the "time" field from the ATTRIB_ID databases.
* The value is set in the read_fw1_logfile_dict function
*/
int time_attr_id = -1;

OpsecSession* pSession = NULL;
OpsecEnv* pEnv = NULL;

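Review bot: The new globals ignore_attr_id_count and ignore_attr_id_array carry no comment, unlike time_attr_id just below them, and their contract is not obvious from the declarations: only the first ignore_attr_id_count entries of the array are meaningful, and read_fw1_logfile_dict keeps them sorted so that find_in_int_array can search them. A comment such as `/* Number of valid entries in ignore_attr_id_array; the entries are sorted ascending by read_fw1_logfile_dict. */` above ignore_attr_id_count would record that. The prototype `int find_in_int_array (int *, int, int);` could take `const int *` since the search only reads the array, and naming the parameters in the prototype would make the (array, length, value) order self-documenting.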
