0ct0pu5
/
crowdsec


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398
							package rfc5424

import (
	"fmt"
	"time"

	"github.com/crowdsecurity/crowdsec/pkg/acquisition/modules/syslog/internal/parser/utils"
)

type RFC5424Option func(*RFC5424)

type RFC5424 struct {
	PRI       int
	Timestamp time.Time
	Hostname  string
	Tag       string
	Message   string
	PID       string
	MsgID     string
	//
	len            int
	position       int
	buf            []byte
	useCurrentYear bool //If no year is specified in the timestamp, use the current year
	strictHostname bool //If the hostname contains invalid characters or is not an IP, return an error
}

const PRI_MAX_LEN = 3

const NIL_VALUE = '-'

var VALID_TIMESTAMPS = []string{
	time.RFC3339,
}

const VALID_TIMESTAMP = time.RFC3339Nano

func WithCurrentYear() RFC5424Option {
	return func(r *RFC5424) {
		r.useCurrentYear = true
	}
}

func WithStrictHostname() RFC5424Option {
	return func(r *RFC5424) {
		r.strictHostname = true
	}
}

func (r *RFC5424) parsePRI() error {

	pri := 0

	if r.buf[r.position] != '<' {
		return fmt.Errorf("PRI must start with '<'")
	}

	r.position++

	for r.position < r.len {
		c := r.buf[r.position]
		if c == '>' {
			r.position++
			break
		}
		if c < '0' || c > '9' {
			return fmt.Errorf("PRI must be a number")
		}
		pri = pri*10 + int(c-'0')
		r.position++
	}

	if pri > 999 {
		return fmt.Errorf("PRI must be up to 3 characters long")
	}

	if r.position == r.len && r.buf[r.position-1] != '>' {
		return fmt.Errorf("PRI must end with '>'")
	}

	r.PRI = pri
	return nil
}

func (r *RFC5424) parseVersion() error {
	if r.buf[r.position] != '1' {
		return fmt.Errorf("version must be 1")
	}
	r.position += 2
	if r.position >= r.len {
		return fmt.Errorf("version must be followed by a space")
	}
	return nil
}

func (r *RFC5424) parseTimestamp() error {

	timestamp := []byte{}

	if r.buf[r.position] == NIL_VALUE {
		r.Timestamp = time.Now().UTC().Round(0)
		r.position += 2
		return nil
	}

	for r.position < r.len {
		c := r.buf[r.position]
		if c == ' ' {
			break
		}
		timestamp = append(timestamp, c)
		r.position++
	}

	if len(timestamp) == 0 {
		return fmt.Errorf("timestamp is empty")
	}

	if r.position == r.len {
		return fmt.Errorf("EOL after timestamp")
	}

	date, err := time.Parse(VALID_TIMESTAMP, string(timestamp))

	if err != nil {
		return fmt.Errorf("timestamp is not valid")
	}

	r.Timestamp = date

	r.position++

	if r.position >= r.len {
		return fmt.Errorf("EOL after timestamp")
	}

	return nil
}

func (r *RFC5424) parseHostname() error {
	if r.buf[r.position] == NIL_VALUE {
		r.Hostname = ""
		r.position += 2
		return nil
	}

	hostname := []byte{}
	for r.position < r.len {
		c := r.buf[r.position]
		if c == ' ' {
			r.position++
			break
		}
		hostname = append(hostname, c)
		r.position++
	}
	if r.strictHostname {
		if !utils.IsValidHostnameOrIP(string(hostname)) {
			return fmt.Errorf("hostname is not valid")
		}
	}
	if len(hostname) == 0 {
		return fmt.Errorf("hostname is empty")
	}
	r.Hostname = string(hostname)
	return nil
}

func (r *RFC5424) parseAppName() error {
	if r.buf[r.position] == NIL_VALUE {
		r.Tag = ""
		r.position += 2
		return nil
	}

	appname := []byte{}
	for r.position < r.len {
		c := r.buf[r.position]
		if c == ' ' {
			r.position++
			break
		}
		appname = append(appname, c)
		r.position++
	}

	if len(appname) == 0 {
		return fmt.Errorf("appname is empty")
	}

	if len(appname) > 48 {
		return fmt.Errorf("appname is too long")
	}

	r.Tag = string(appname)
	return nil
}

func (r *RFC5424) parseProcID() error {
	if r.buf[r.position] == NIL_VALUE {
		r.PID = ""
		r.position += 2
		return nil
	}

	procid := []byte{}
	for r.position < r.len {
		c := r.buf[r.position]
		if c == ' ' {
			r.position++
			break
		}
		procid = append(procid, c)
		r.position++
	}

	if len(procid) == 0 {
		return fmt.Errorf("procid is empty")
	}

	if len(procid) > 128 {
		return fmt.Errorf("procid is too long")
	}

	r.PID = string(procid)
	return nil
}

func (r *RFC5424) parseMsgID() error {
	if r.buf[r.position] == NIL_VALUE {
		r.MsgID = ""
		r.position += 2
		return nil
	}

	msgid := []byte{}
	for r.position < r.len {
		c := r.buf[r.position]
		if c == ' ' {
			r.position++
			break
		}
		msgid = append(msgid, c)
		r.position++
	}

	if len(msgid) == 0 {
		return fmt.Errorf("msgid is empty")
	}

	if len(msgid) > 32 {
		return fmt.Errorf("msgid is too long")
	}

	r.MsgID = string(msgid)
	return nil
}

func (r *RFC5424) parseStructuredData() error {
	done := false
	if r.buf[r.position] == NIL_VALUE {
		r.position += 2
		return nil
	}
	if r.buf[r.position] != '[' {
		return fmt.Errorf("structured data must start with '[' or be '-'")
	}
	prev := byte(0)
	for r.position < r.len {
		done = false
		c := r.buf[r.position]
		if c == ']' && prev != '\\' {
			done = true
			r.position++
			if r.position < r.len && r.buf[r.position] == ' ' {
				break
			}
		}
		prev = c
		r.position++
	}
	r.position++
	if !done {
		return fmt.Errorf("structured data must end with ']'")
	}
	return nil
}

func (r *RFC5424) parseMessage() error {
	if r.position == r.len {
		return fmt.Errorf("message is empty")
	}

	message := []byte{}

	for r.position < r.len {
		c := r.buf[r.position]
		message = append(message, c)
		r.position++
	}
	r.Message = string(message)
	return nil
}

func (r *RFC5424) Parse(message []byte) error {
	r.len = len(message)
	if r.len == 0 {
		return fmt.Errorf("syslog line is empty")
	}
	r.buf = message

	err := r.parsePRI()
	if err != nil {
		return err
	}

	if r.position >= r.len {
		return fmt.Errorf("EOL after PRI")
	}

	err = r.parseVersion()
	if err != nil {
		return err
	}

	if r.position >= r.len {
		return fmt.Errorf("EOL after Version")
	}

	err = r.parseTimestamp()
	if err != nil {
		return err
	}

	if r.position >= r.len {
		return fmt.Errorf("EOL after Timestamp")
	}

	err = r.parseHostname()
	if err != nil {
		return err
	}

	if r.position >= r.len {
		return fmt.Errorf("EOL after hostname")
	}

	err = r.parseAppName()
	if err != nil {
		return err
	}

	if r.position >= r.len {
		return fmt.Errorf("EOL after appname")
	}

	err = r.parseProcID()
	if err != nil {
		return err
	}

	if r.position >= r.len {
		return fmt.Errorf("EOL after ProcID")
	}

	err = r.parseMsgID()
	if err != nil {
		return err
	}

	if r.position >= r.len {
		return fmt.Errorf("EOL after MSGID")
	}

	err = r.parseStructuredData()
	if err != nil {
		return err
	}

	if r.position >= r.len {
		return fmt.Errorf("EOL after SD")
	}

	err = r.parseMessage()
	if err != nil {
		return err
	}

	return nil
}

func NewRFC5424Parser(opts ...RFC5424Option) *RFC5424 {
	r := &RFC5424{}
	for _, opt := range opts {
		opt(r)
	}
	return r
}