Project

General

Profile

Download (23 KB)

Feature #250 » fr250-20111206.patch

Updated patch, more functionality. - Mike Pomraning, 12/06/2011 03:59 PM

View differences:

src/output.h
#include "tm-threads.h"
#define DEFAULT_LOG_MODE_APPEND "yes"
#define DEFAULT_LOG_FILETYPE "regular"
typedef struct OutputModule_ {
char *name;
src/util-error.c
CASE_CODE (SC_ERR_LIBCAP_NG_REQUIRED);
CASE_CODE (SC_ERR_LIBNET11_INCOMPATIBLE_WITH_LIBCAP_NG);
CASE_CODE (SC_WARN_FLOW_EMERGENCY);
CASE_CODE (SC_ERR_SVC);
CASE_CODE (SC_ERR_SVC);
CASE_CODE (SC_ERR_ERF_DAG_OPEN_FAILED);
CASE_CODE (SC_ERR_ERF_DAG_STREAM_OPEN_FAILED);
CASE_CODE (SC_ERR_ERF_DAG_STREAM_START_FAILED);
......
CASE_CODE (SC_ERR_AFP_READ);
CASE_CODE (SC_ERR_AFP_DISPATCH);
CASE_CODE (SC_ERR_CMD_LINE);
CASE_CODE (SC_ERR_SOCKET);
default:
return "UNKNOWN_ERROR";
src/util-error.h
SC_ERR_CMD_LINE,
SC_ERR_MAGIC_OPEN,
SC_ERR_MAGIC_LOAD,
SC_ERR_SOCKET,
} SCError;
const char *SCErrorToString(SCError);
src/util-logopenfile.c
/* vi: set et ts=4: */
/* Copyright (C) 2007-2011 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Mike Pomraning <mpomraning@qualys.com>
*
* File-like output for logging: regular files and sockets.
*/
#include <sys/socket.h>
#include <sys/un.h>
#include "suricata-common.h" /* errno.h, string.h, etc. */
#include "tm-modules.h" /* LogFileCtx */
#include "conf.h" /* ConfNode, etc. */
#include "output.h" /* DEFAULT_LOG_* */
/** \brief connect to the indicated local stream socket, logging any errors
* \param path filesystem path to connect to
* \retval FILE* on success (fdopen'd wrapper of underlying socket)
* \retval NULL on error
*/
static FILE *
SCLogOpenUnixSocketFp(const char *path, int sock_type)
{
struct sockaddr_un sun = {0};
int s = -1;
FILE * ret = NULL;
s = socket(PF_UNIX, sock_type, 0);
if (s < 0) goto err;
sun.sun_family = AF_UNIX;
strncpy(sun.sun_path, path, sizeof(sun.sun_path) - 1);
if (connect(s, (const struct sockaddr *)&sun, sizeof(sun)) < 0)
goto err;
ret = fdopen(s, "w");
if (ret == NULL)
goto err;
return ret;
err:
SCLogError(SC_ERR_SOCKET, "Error connecting to socket \"%s\": %s",
path, strerror(errno));
if (s >= 0)
close(s);
return NULL;
}
/** \brief open the indicated file, logging any errors
* \param path filesystem path to open
* \param append_setting open file with O_APPEND: "yes" or "no"
* \retval FILE* on success
* \retval NULL on error
*/
static FILE *
SCLogOpenFileFp(const char *path, const char *append_setting)
{
FILE *ret = NULL;
if (strcasecmp(append_setting, "yes") == 0) {
ret = fopen(path, "a");
} else {
ret = fopen(path, "w");
}
if (ret == NULL)
SCLogError(SC_ERR_FOPEN, "Error opening file: \"%s\": %s",
path, strerror(errno));
return ret;
}
/** \brief open a generic output "log file", which may be a regular file or a socket
* \param conf ConfNode structure for the output section in question
* \param log_ctx Log file context allocated by caller
* \param default_filename Default name of file to open, if not specified in ConfNode
* \retval 0 on success
* \retval -1 on error
*/
int
SCConfLogOpenGeneric(ConfNode *conf,
LogFileCtx *log_ctx,
const char *default_filename)
{
char log_path[PATH_MAX];
char *log_dir;
const char *filename, *filetype;
// Arg check
if (conf == NULL || log_ctx == NULL || default_filename == NULL) {
SCLogError(SC_ERR_INVALID_ARGUMENT,
"SCConfLogOpenGeneric(conf %p, ctx %p, default %p) "
"missing an argument",
conf, log_ctx, default_filename);
return -1;
}
if (log_ctx->fp != NULL) {
SCLogError(SC_ERR_INVALID_ARGUMENT,
"SCConfLogOpenGeneric: previously initialized Log CTX "
"encountered");
return -1;
}
// Resolve the given config
filename = ConfNodeLookupChildValue(conf, "filename");
if (filename == NULL)
filename = default_filename;
if (ConfGet("default-log-dir", &log_dir) != 1)
log_dir = DEFAULT_LOG_DIR;
snprintf(log_path, PATH_MAX, "%s/%s", log_dir, filename);
filetype = ConfNodeLookupChildValue(conf, "filetype");
if (filetype == NULL)
filetype = DEFAULT_LOG_FILETYPE;
// Now, what have we been asked to open?
if (strcasecmp(filetype, "unix_stream") == 0) {
log_ctx->fp = SCLogOpenUnixSocketFp(log_path, SOCK_STREAM);
} else if (strcasecmp(filetype, "unix_dgram") == 0) {
log_ctx->fp = SCLogOpenUnixSocketFp(log_path, SOCK_DGRAM);
} else if (strcasecmp(filetype, DEFAULT_LOG_FILETYPE) == 0) {
const char *append;
append = ConfNodeLookupChildValue(conf, "append");
if (append == NULL)
append = DEFAULT_LOG_MODE_APPEND;
log_ctx->fp = SCLogOpenFileFp(log_path, append);
} else {
SCLogError(SC_ERR_INVALID_YAML_CONF_ENTRY, "Invalid entry for "
"%s.type. Expected \"regular\" (default), \"unix_stream\" "
"or \"unix_dgram\"",
conf->name);
}
if (log_ctx->fp == NULL)
return -1; // Error already logged by Open...Fp routine
SCLogInfo("%s output device (%s) initialized: %s", conf->name, filetype,
filename);
return 0;
}
src/util-logopenfile.h
/* Copyright (C) 2007-2011 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Mike Pomraning <mpomraning@qualys.com>
*/
#ifndef __UTIL_LOGOPENFILE_H__
#define __UTIL_LOGOPENFILE_H__
#include "conf.h" /* ConfNode */
#include "tm-modules.h" /* LogFileCtx */
int SCConfLogOpenGeneric(ConfNode *conf, LogFileCtx *, const char *);
#endif /* __UTIL_LOGOPENFILE_H__ */
-
src/alert-debuglog.c
#include "flow-bit.h"
#include "util-var-name.h"
#include "util-optimize.h"
#include "util-logopenfile.h"
#define DEFAULT_LOG_FILENAME "alert-debug.log"
......
TmEcode AlertDebugLogThreadInit(ThreadVars *, void*, void **);
TmEcode AlertDebugLogThreadDeinit(ThreadVars *, void *);
void AlertDebugLogExitPrintStats(ThreadVars *, void *);
int AlertDebugLogOpenFileCtx(LogFileCtx* , const char *, const char *);
void TmModuleAlertDebugLogRegister (void) {
tmm_modules[TMM_ALERTDEBUGLOG].name = MODULE_NAME;
......
LogFileCtx *file_ctx = NULL;
file_ctx = LogFileNewCtx();
if(file_ctx == NULL) {
if (file_ctx == NULL) {
SCLogDebug("couldn't create new file_ctx");
goto error;
}
const char *filename = ConfNodeLookupChildValue(conf, "filename");
if (filename == NULL)
filename = DEFAULT_LOG_FILENAME;
const char *mode = ConfNodeLookupChildValue(conf, "append");
if (mode == NULL)
mode = DEFAULT_LOG_MODE_APPEND;
/** fill the new LogFileCtx with the specific AlertDebugLog configuration */
ret = AlertDebugLogOpenFileCtx(file_ctx, filename, mode);
if(ret < 0)
if (SCConfLogOpenGeneric(conf, file_ctx, DEFAULT_LOG_FILENAME) < 0) {
goto error;
}
OutputCtx *output_ctx = SCMalloc(sizeof(OutputCtx));
if (output_ctx == NULL)
......
output_ctx->data = file_ctx;
output_ctx->DeInit = AlertDebugLogDeInitCtx;
SCLogInfo("Alert debug log output initialized, filename: %s", filename);
SCLogInfo("Alert debug log output initialized");
return output_ctx;
error:
......
return NULL;
}
/** \brief Read the config set the file pointer, open the file
* \param file_ctx pointer to a created LogFileCtx using LogFileNewCtx()
* \param filename name of log file
* \param mode append mode (bool)
* \return -1 if failure, 0 if succesful
* */
int AlertDebugLogOpenFileCtx(LogFileCtx *file_ctx, const char *filename, const
char *mode)
{
char log_path[PATH_MAX];
char *log_dir;
if (ConfGet("default-log-dir", &log_dir) != 1)
log_dir = DEFAULT_LOG_DIR;
snprintf(log_path, PATH_MAX, "%s/%s", log_dir, filename);
if (ConfValIsTrue(mode)) {
file_ctx->fp = fopen(log_path, "a");
} else {
file_ctx->fp = fopen(log_path, "w");
}
if (file_ctx->fp == NULL) {
SCLogError(SC_ERR_FOPEN, "failed to open %s: %s", log_path,
strerror(errno));
return -1;
}
return 0;
}
src/alert-fastlog.c
#include "util-print.h"
#include "util-proto-name.h"
#include "util-optimize.h"
#include "util-logopenfile.h"
#define DEFAULT_LOG_FILENAME "fast.log"
......
TmEcode AlertFastLogThreadInit(ThreadVars *, void *, void **);
TmEcode AlertFastLogThreadDeinit(ThreadVars *, void *);
void AlertFastLogExitPrintStats(ThreadVars *, void *);
static int AlertFastLogOpenFileCtx(LogFileCtx *, const char *, const char *);
void AlertFastLogRegisterTests(void);
static void AlertFastLogDeInitCtx(OutputCtx *);
......
return NULL;
}
const char *filename = ConfNodeLookupChildValue(conf, "filename");
if (filename == NULL)
filename = DEFAULT_LOG_FILENAME;
const char *mode = ConfNodeLookupChildValue(conf, "append");
if (mode == NULL)
mode = DEFAULT_LOG_MODE_APPEND;
if (AlertFastLogOpenFileCtx(logfile_ctx, filename, mode) < 0) {
if (SCConfLogOpenGeneric(conf, logfile_ctx, DEFAULT_LOG_FILENAME) < 0) {
LogFileFreeCtx(logfile_ctx);
return NULL;
}
......
output_ctx->data = logfile_ctx;
output_ctx->DeInit = AlertFastLogDeInitCtx;
SCLogInfo("Fast log output initialized, filename: %s", filename);
return output_ctx;
}
......
SCFree(output_ctx);
}
/** \brief Read the config set the file pointer, open the file
* \param file_ctx pointer to a created LogFileCtx using LogFileNewCtx()
* \param filename name of log file
* \param mode append mode (bool)
* \return -1 if failure, 0 if succesful
* */
static int AlertFastLogOpenFileCtx(LogFileCtx *file_ctx, const char *filename,
const char *mode)
{
char log_path[PATH_MAX];
char *log_dir;
if (ConfGet("default-log-dir", &log_dir) != 1)
log_dir = DEFAULT_LOG_DIR;
snprintf(log_path, PATH_MAX, "%s/%s", log_dir, filename);
if (ConfValIsTrue(mode)) {
file_ctx->fp = fopen(log_path, "a");
} else {
file_ctx->fp = fopen(log_path, "w");
}
if (file_ctx->fp == NULL) {
SCLogError(SC_ERR_FOPEN, "failed to open %s: %s", log_path,
strerror(errno));
return -1;
}
return 0;
}
/*------------------------------Unittests-------------------------------------*/
#ifdef UNITTESTS
src/log-droplog.c
#include "util-privs.h"
#include "util-print.h"
#include "util-proto-name.h"
#include "util-logopenfile.h"
#define DEFAULT_LOG_FILENAME "drop.log"
......
TmEcode LogDropLogThreadDeinit(ThreadVars *, void *);
OutputCtx *LogDropLogInitCtx(ConfNode *);
static void LogDropLogDeInitCtx(OutputCtx *);
static int LogDropLogOpenFileCtx(LogFileCtx *, const char *, const char *);
void LogDropLogRegisterTests(void);
void LogDropLogExitPrintStats(ThreadVars *, void *);
......
return NULL;
}
const char *filename = ConfNodeLookupChildValue(conf, "filename");
if (filename == NULL)
filename = DEFAULT_LOG_FILENAME;
const char *mode = ConfNodeLookupChildValue(conf, "append");
if (mode == NULL)
mode = DEFAULT_LOG_MODE_APPEND;
if (LogDropLogOpenFileCtx(logfile_ctx, filename, mode) < 0) {
if (SCConfLogOpenGeneric(conf, logfile_ctx, DEFAULT_LOG_FILENAME) < 0) {
LogFileFreeCtx(logfile_ctx);
return NULL;
}
......
output_ctx->data = logfile_ctx;
output_ctx->DeInit = LogDropLogDeInitCtx;
SCLogInfo("Drop log output initialized, filename: %s", filename);
return output_ctx;
}
......
}
}
/** \brief Read the config set the file pointer, open the file
* \param file_ctx pointer to a created LogFileCtx using LogFileNewCtx()
* \param filename name of log file
* \param mode append mode (bool)
* \return -1 if failure, 0 if succesful
* */
static int LogDropLogOpenFileCtx(LogFileCtx *file_ctx, const char *filename,
const char *mode)
{
char log_path[PATH_MAX];
char *log_dir;
if (ConfGet("default-log-dir", &log_dir) != 1)
log_dir = DEFAULT_LOG_DIR;
snprintf(log_path, PATH_MAX, "%s/%s", log_dir, filename);
if (ConfValIsTrue(mode)) {
file_ctx->fp = fopen(log_path, "a");
} else {
file_ctx->fp = fopen(log_path, "w");
}
if (file_ctx->fp == NULL) {
SCLogError(SC_ERR_FOPEN, "failed to open %s: %s", log_path,
strerror(errno));
return -1;
}
return 0;
}
/** \brief Function to create the time string from the packet timestamp */
static void CreateTimeString (const struct timeval *ts, char *str, size_t size) {
time_t time = ts->tv_sec;
src/log-httplog.c
#include "app-layer.h"
#include "util-privs.h"
#include "util-logopenfile.h"
#define DEFAULT_LOG_FILENAME "http.log"
#define MODULE_NAME "LogHttpLog"
......
TmEcode LogHttpLogThreadInit(ThreadVars *, void *, void **);
TmEcode LogHttpLogThreadDeinit(ThreadVars *, void *);
void LogHttpLogExitPrintStats(ThreadVars *, void *);
int LogHttpLogOpenFileCtx(LogFileCtx* , const char *, const char *);
static void LogHttpLogDeInitCtx(OutputCtx *);
void TmModuleLogHttpLogRegister (void) {
......
* */
OutputCtx *LogHttpLogInitCtx(ConfNode *conf)
{
int ret=0;
LogFileCtx* file_ctx=LogFileNewCtx();
if(file_ctx == NULL)
......
return NULL;
}
const char *filename = ConfNodeLookupChildValue(conf, "filename");
if (filename == NULL)
filename = DEFAULT_LOG_FILENAME;
const char *mode = ConfNodeLookupChildValue(conf, "append");
if (mode == NULL)
mode = DEFAULT_LOG_MODE_APPEND;
/** fill the new LogFileCtx with the specific LogHttpLog configuration */
ret=LogHttpLogOpenFileCtx(file_ctx, filename, mode);
if(ret < 0)
if (SCConfLogOpenGeneric(conf, file_ctx, DEFAULT_LOG_FILENAME) < 0) {
LogFileFreeCtx(file_ctx);
return NULL;
}
LogHttpFileCtx *httplog_ctx = SCCalloc(1, sizeof(LogHttpFileCtx));
if (httplog_ctx == NULL)
......
output_ctx->data = httplog_ctx;
output_ctx->DeInit = LogHttpLogDeInitCtx;
SCLogInfo("HTTP log output initialized, filename: %s", filename);
SCLogInfo("HTTP log output initialized");
return output_ctx;
}
......
SCFree(httplog_ctx);
SCFree(output_ctx);
}
/** \brief Read the config set the file pointer, open the file
* \param file_ctx pointer to a created LogFileCtx using LogFileNewCtx()
* \param filename name of log file
* \param mode append mode (bool)
* \return -1 if failure, 0 if succesful
* */
int LogHttpLogOpenFileCtx(LogFileCtx *file_ctx, const char *filename, const
char *mode)
{
char log_path[PATH_MAX];
char *log_dir;
if (ConfGet("default-log-dir", &log_dir) != 1)
log_dir = DEFAULT_LOG_DIR;
snprintf(log_path, PATH_MAX, "%s/%s", log_dir, filename);
if (ConfValIsTrue(mode)) {
file_ctx->fp = fopen(log_path, "a");
} else {
file_ctx->fp = fopen(log_path, "w");
}
if (file_ctx->fp == NULL) {
SCLogError(SC_ERR_FOPEN, "failed to open %s: %s", log_path,
strerror(errno));
return -1;
}
return 0;
}
-
src/Makefile.am
win32-syslog.h \
util-profiling.c util-profiling.h \
cuda-packet-batcher.c cuda-packet-batcher.h \
util-ioctl.h util-ioctl.c
util-ioctl.h util-ioctl.c \
util-logopenfile.h util-logopenfile.c
# set the include path found by configure
INCLUDES= $(all_includes)
-
suricata.yaml
enabled: yes
filename: fast.log
append: yes
#filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
# alert output for use with Barnyard2
- unified2-alert:
......
enabled: yes
filename: http.log
append: yes
#extended: yes # enable this for extended logging information
#extended: yes # enable this for extended logging information
#filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
# a line based log to used with pcap file study.
# this module is dedicated to offline pcap parsing (empty output
......
enabled: no
filename: alert-debug.log
append: yes
#filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
# alert output to prelude (http://www.prelude-technologies.com/) only
# available if Suricata has been compiled with --enable-prelude
......
enabled: yes
filename: drop.log
append: yes
#filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
# output module to store extracted files to disk
#
(4-4/5)