Feature #39 » 0001-Use-the-configuration-file-to-setup-alert-logging-an.patch
| src/alert-debuglog.c | ||
|---|---|---|
|
TmEcode AlertDebuglogThreadInit(ThreadVars *, void*, void **);
|
||
|
TmEcode AlertDebuglogThreadDeinit(ThreadVars *, void *);
|
||
|
void AlertDebuglogExitPrintStats(ThreadVars *, void *);
|
||
|
int AlertDebuglogOpenFileCtx(LogFileCtx* , char *);
|
||
|
int AlertDebuglogOpenFileCtx(LogFileCtx* , const char *);
|
||
|
void TmModuleAlertDebuglogRegister (void) {
|
||
|
tmm_modules[TMM_ALERTDEBUGLOG].name = "AlertDebuglog";
|
||
| ... | ... | |
|
}
|
||
|
/** \brief Create a new file_ctx from config_file (if specified)
|
||
|
* \param config_file for loading separate configs
|
||
|
/** \brief Create a new LogFileCtx for alert debug logging.
|
||
|
* \param ConfNode containing configuration for this logger.
|
||
|
* \return NULL if failure, LogFileCtx* to the file_ctx if succesful
|
||
|
* */
|
||
|
LogFileCtx *AlertDebuglogInitCtx(char *config_file)
|
||
|
LogFileCtx *AlertDebuglogInitCtx(ConfNode *conf)
|
||
|
{
|
||
|
int ret=0;
|
||
|
LogFileCtx* file_ctx=LogFileNewCtx();
|
||
| ... | ... | |
|
return NULL;
|
||
|
}
|
||
|
const char *filename = ConfNodeLookupChildValue(conf, "filename");
|
||
|
if (filename == NULL)
|
||
|
filename = DEFAULT_LOG_FILENAME;
|
||
|
/** fill the new LogFileCtx with the specific AlertDebuglog configuration */
|
||
|
ret=AlertDebuglogOpenFileCtx(file_ctx, config_file);
|
||
|
ret=AlertDebuglogOpenFileCtx(file_ctx, filename);
|
||
|
if(ret < 0)
|
||
|
return NULL;
|
||
|
/** In AlertDebuglogOpenFileCtx the second parameter should be the configuration file to use
|
||
|
* but it's not implemented yet, so passing NULL to load the default
|
||
|
* configuration
|
||
|
*/
|
||
|
return file_ctx;
|
||
|
}
|
||
|
/** \brief Read the config set the file pointer, open the file
|
||
|
* \param file_ctx pointer to a created LogFileCtx using LogFileNewCtx()
|
||
|
* \param config_file for loading separate configs
|
||
|
* \param filename name of log file
|
||
|
* \return -1 if failure, 0 if succesful
|
||
|
* */
|
||
|
int AlertDebuglogOpenFileCtx(LogFileCtx *file_ctx, char *config_file)
|
||
|
int AlertDebuglogOpenFileCtx(LogFileCtx *file_ctx, const char *filename)
|
||
|
{
|
||
|
int ret=0;
|
||
|
if(config_file == NULL)
|
||
|
{
|
||
|
/** Separate config files not implemented at the moment,
|
||
|
* but it must be able to load from separate config file.
|
||
|
* Load the default configuration.
|
||
|
*/
|
||
|
char log_path[PATH_MAX], *log_dir;
|
||
|
if (ConfGet("default-log-dir", &log_dir) != 1)
|
||
|
log_dir = DEFAULT_LOG_DIR;
|
||
|
snprintf(log_path, PATH_MAX, "%s/%s", log_dir, DEFAULT_LOG_FILENAME);
|
||
|
file_ctx->fp = fopen(log_path, "w");
|
||
|
if (file_ctx->fp == NULL) {
|
||
|
SCLogError(SC_ERR_FOPEN, "ERROR: failed to open %s: %s", log_path,
|
||
|
strerror(errno));
|
||
|
return -1;
|
||
|
}
|
||
|
}
|
||
|
char log_path[PATH_MAX], *log_dir;
|
||
|
if (ConfGet("default-log-dir", &log_dir) != 1)
|
||
|
log_dir = DEFAULT_LOG_DIR;
|
||
|
snprintf(log_path, PATH_MAX, "%s/%s", log_dir, DEFAULT_LOG_FILENAME);
|
||
|
file_ctx->fp = fopen(log_path, "w");
|
||
|
if (file_ctx->fp == NULL) {
|
||
|
SCLogError(SC_ERR_FOPEN, "ERROR: failed to open %s: %s", log_path,
|
||
|
strerror(errno));
|
||
|
return -1;
|
||
|
}
|
||
|
|
||
|
return ret;
|
||
|
}
|
||
| src/alert-debuglog.h | ||
|---|---|---|
|
void TmModuleAlertDebuglogRegister (void);
|
||
|
void TmModuleAlertDebuglogIPv4Register (void);
|
||
|
void TmModuleAlertDebuglogIPv6Register (void);
|
||
|
LogFileCtx *AlertDebuglogInitCtx(char *);
|
||
|
LogFileCtx *AlertDebuglogInitCtx(ConfNode *);
|
||
|
#endif /* __ALERT_DEBUGLOG_H__ */
|
||
| src/alert-fastlog.c | ||
|---|---|---|
|
TmEcode AlertFastlogThreadInit(ThreadVars *, void *, void **);
|
||
|
TmEcode AlertFastlogThreadDeinit(ThreadVars *, void *);
|
||
|
void AlertFastlogExitPrintStats(ThreadVars *, void *);
|
||
|
int AlertFastlogOpenFileCtx(LogFileCtx *, char *);
|
||
|
int AlertFastlogOpenFileCtx(LogFileCtx *, const char *);
|
||
|
void AlertFastLogRegisterTests(void);
|
||
|
void TmModuleAlertFastlogRegister (void) {
|
||
| ... | ... | |
|
SCLogInfo("(%s) Alerts %" PRIu32 "", tv->name, aft->alerts);
|
||
|
}
|
||
|
/** \brief Create a new file_ctx from config_file (if specified)
|
||
|
* \param config_file for loading separate configs
|
||
|
* \return NULL if failure, LogFileCtx* to the file_ctx if succesful
|
||
|
* */
|
||
|
LogFileCtx *AlertFastlogInitCtx(char *config_file)
|
||
|
/**
|
||
|
* \brief Create a new LogFileCtx for "fast" output style.
|
||
|
* \param conf The configuration node for this output.
|
||
|
* \return A LogFileCtx pointer on success, NULL on failure.
|
||
|
*/
|
||
|
LogFileCtx *AlertFastlogInitCtx(ConfNode *conf)
|
||
|
{
|
||
|
int ret=0;
|
||
|
LogFileCtx* file_ctx=LogFileNewCtx();
|
||
|
if(file_ctx == NULL)
|
||
|
{
|
||
|
SCLogDebug("AlertFastlogInitCtx: Couldn't create new file_ctx");
|
||
|
LogFileCtx *logfile_ctx = LogFileNewCtx();
|
||
|
if (logfile_ctx == NULL) {
|
||
|
SCLogDebug("AlertFastLogInitCtx2: Could not create new LogFileCtx");
|
||
|
return NULL;
|
||
|
}
|
||
|
/** fill the new LogFileCtx with the specific AlertFastlog configuration */
|
||
|
ret=AlertFastlogOpenFileCtx(file_ctx, config_file);
|
||
|
if(ret < 0)
|
||
|
const char *filename = ConfNodeLookupChildValue(conf, "filename");
|
||
|
if (filename == NULL)
|
||
|
filename = DEFAULT_LOG_FILENAME;
|
||
|
if (AlertFastlogOpenFileCtx(logfile_ctx, filename) < 0) {
|
||
|
LogFileFreeCtx(logfile_ctx);
|
||
|
return NULL;
|
||
|
}
|
||
|
/** In AlertFastlogOpenFileCtx the second parameter should be the configuration file to use
|
||
|
* but it's not implemented yet, so passing NULL to load the default
|
||
|
* configuration
|
||
|
*/
|
||
|
SCLogInfo("Fast log output registered, filename: %s", filename);
|
||
|
return file_ctx;
|
||
|
return logfile_ctx;
|
||
|
}
|
||
|
/** \brief Read the config set the file pointer, open the file
|
||
|
* \param file_ctx pointer to a created LogFileCtx using LogFileNewCtx()
|
||
|
* \param config_file for loading separate configs
|
||
|
* \param filename name of log file
|
||
|
* \return -1 if failure, 0 if succesful
|
||
|
* */
|
||
|
int AlertFastlogOpenFileCtx(LogFileCtx *file_ctx, char *config_file)
|
||
|
int AlertFastlogOpenFileCtx(LogFileCtx *file_ctx, const char *filename)
|
||
|
{
|
||
|
if(config_file == NULL)
|
||
|
{
|
||
|
/** Separate config files not implemented at the moment,
|
||
|
* but it must be able to load from separate config file.
|
||
|
* Load the default configuration.
|
||
|
*/
|
||
|
char log_path[PATH_MAX], *log_dir;
|
||
|
if (ConfGet("default-log-dir", &log_dir) != 1)
|
||
|
log_dir = DEFAULT_LOG_DIR;
|
||
|
snprintf(log_path, PATH_MAX, "%s/%s", log_dir, DEFAULT_LOG_FILENAME);
|
||
|
file_ctx->fp = fopen(log_path, "w");
|
||
|
if (file_ctx->fp == NULL) {
|
||
|
SCLogError(SC_ERR_FOPEN, "ERROR: failed to open %s: %s", log_path,
|
||
|
strerror(errno));
|
||
|
return -1;
|
||
|
}
|
||
|
char log_path[PATH_MAX], *log_dir;
|
||
|
if (ConfGet("default-log-dir", &log_dir) != 1)
|
||
|
log_dir = DEFAULT_LOG_DIR;
|
||
|
snprintf(log_path, PATH_MAX, "%s/%s", log_dir, filename);
|
||
|
|
||
|
file_ctx->fp = fopen(log_path, "w");
|
||
|
|
||
|
if (file_ctx->fp == NULL) {
|
||
|
SCLogError(SC_ERR_FOPEN, "ERROR: failed to open %s: %s", log_path,
|
||
|
strerror(errno));
|
||
|
return -1;
|
||
|
}
|
||
|
return 0;
|
||
| src/alert-fastlog.h | ||
|---|---|---|
|
void TmModuleAlertFastlogRegister (void);
|
||
|
void TmModuleAlertFastlogIPv4Register (void);
|
||
|
void TmModuleAlertFastlogIPv6Register (void);
|
||
|
LogFileCtx *AlertFastlogInitCtx(char *);
|
||
|
LogFileCtx *AlertFastlogInitCtx(ConfNode *);
|
||
|
#endif /* __ALERT_FASTLOG_H__ */
|
||
| src/alert-unified-alert.c | ||
|---|---|---|
|
TmEcode AlertUnifiedAlert (ThreadVars *, Packet *, void *, PacketQueue *);
|
||
|
TmEcode AlertUnifiedAlertThreadInit(ThreadVars *, void *, void **);
|
||
|
TmEcode AlertUnifiedAlertThreadDeinit(ThreadVars *, void *);
|
||
|
int AlertUnifiedAlertOpenFileCtx(LogFileCtx *, char *);
|
||
|
int AlertUnifiedAlertOpenFileCtx(LogFileCtx *, const char *);
|
||
|
void AlertUnifiedAlertRegisterTests (void);
|
||
|
void TmModuleAlertUnifiedAlertRegister (void) {
|
||
| ... | ... | |
|
"Error: AlertUnifiedAlertCloseFile failed");
|
||
|
return -1;
|
||
|
}
|
||
|
if (AlertUnifiedAlertOpenFileCtx(aun->file_ctx,aun->file_ctx->config_file) < 0) {
|
||
|
if (AlertUnifiedAlertOpenFileCtx(aun->file_ctx,aun->file_ctx->prefix) < 0) {
|
||
|
SCLogError(SC_ERR_UNIFIED_ALERT_GENERIC_ERROR,
|
||
|
"Error: AlertUnifiedLogOpenFileCtx, open new log file failed");
|
||
|
return -1;
|
||
| ... | ... | |
|
}
|
||
|
/** \brief Create a new file_ctx from config_file (if specified)
|
||
|
* \param config_file for loading separate configs
|
||
|
/** \brief Create a new LogFileCtx for unified alert logging.
|
||
|
* \param conf The ConfNode for this output.
|
||
|
* \return NULL if failure, LogFileCtx* to the file_ctx if succesful
|
||
|
* */
|
||
|
LogFileCtx *AlertUnifiedAlertInitCtx(char *config_file)
|
||
|
LogFileCtx *AlertUnifiedAlertInitCtx(ConfNode *conf)
|
||
|
{
|
||
|
int ret = 0;
|
||
|
LogFileCtx *file_ctx = LogFileNewCtx();
|
||
| ... | ... | |
|
return NULL;
|
||
|
}
|
||
|
/** fill the new LogFileCtx with the specific AlertUnifiedAlert configuration */
|
||
|
ret = AlertUnifiedAlertOpenFileCtx(file_ctx, config_file);
|
||
|
const char *filename;
|
||
|
if (conf != NULL)
|
||
|
filename = ConfNodeLookupChildValue(conf, "filename");
|
||
|
if (filename == NULL)
|
||
|
filename = DEFAULT_LOG_FILENAME;
|
||
|
file_ctx->prefix = strdup(filename);
|
||
|
ret = AlertUnifiedAlertOpenFileCtx(file_ctx, filename);
|
||
|
if (ret < 0)
|
||
|
return NULL;
|
||
|
/** In AlertUnifiedAlertOpenFileCtx the second parameter should be
|
||
|
* the configuration file to use but it's not implemented yet, so
|
||
|
* passing NULL to load the default configuration
|
||
|
*/
|
||
|
return file_ctx;
|
||
|
}
|
||
| ... | ... | |
|
* \param config_file for loading separate configs
|
||
|
* \return -1 if failure, 0 if succesful
|
||
|
* */
|
||
|
int AlertUnifiedAlertOpenFileCtx(LogFileCtx *file_ctx, char *config_file)
|
||
|
int AlertUnifiedAlertOpenFileCtx(LogFileCtx *file_ctx, const char *prefix)
|
||
|
{
|
||
|
char *filename = NULL;
|
||
|
if (file_ctx->filename != NULL)
|
||
| ... | ... | |
|
else
|
||
|
filename = file_ctx->filename = malloc(PATH_MAX); /* XXX some sane default? */
|
||
|
if (config_file == NULL) {
|
||
|
/** Separate config files not implemented at the moment,
|
||
|
* but it must be able to load from separate config file.
|
||
|
* Load the default configuration.
|
||
|
*/
|
||
|
/* get the time so we can have a filename with seconds since epoch */
|
||
|
struct timeval ts;
|
||
|
memset (&ts, 0, sizeof(struct timeval));
|
||
|
TimeGet(&ts);
|
||
|
/* create the filename to use */
|
||
|
char *log_dir;
|
||
|
if (ConfGet("default-log-dir", &log_dir) != 1)
|
||
|
log_dir = DEFAULT_LOG_DIR;
|
||
|
snprintf(filename, PATH_MAX, "%s/%s.%" PRIu32, log_dir, "unified.alert", (uint32_t)ts.tv_sec);
|
||
|
/* XXX filename & location */
|
||
|
file_ctx->fp = fopen(filename, "wb");
|
||
|
if (file_ctx->fp == NULL) {
|
||
|
SCLogError(SC_ERR_FOPEN, "ERROR: failed to open %s: %s", filename,
|
||
|
strerror(errno));
|
||
|
return -1;
|
||
|
}
|
||
|
/* get the time so we can have a filename with seconds since epoch */
|
||
|
struct timeval ts;
|
||
|
memset (&ts, 0, sizeof(struct timeval));
|
||
|
TimeGet(&ts);
|
||
|
|
||
|
/* create the filename to use */
|
||
|
char *log_dir;
|
||
|
if (ConfGet("default-log-dir", &log_dir) != 1)
|
||
|
log_dir = DEFAULT_LOG_DIR;
|
||
|
|
||
|
snprintf(filename, PATH_MAX, "%s/%s.%" PRIu32, log_dir, prefix, (uint32_t)ts.tv_sec);
|
||
|
|
||
|
/* XXX filename & location */
|
||
|
file_ctx->fp = fopen(filename, "wb");
|
||
|
if (file_ctx->fp == NULL) {
|
||
|
SCLogError(SC_ERR_FOPEN, "ERROR: failed to open %s: %s", filename,
|
||
|
strerror(errno));
|
||
|
return -1;
|
||
|
}
|
||
|
return 0;
|
||
| src/alert-unified-alert.h | ||
|---|---|---|
|
#define __ALERT_UNIFIED_ALERT_H__
|
||
|
void TmModuleAlertUnifiedAlertRegister (void);
|
||
|
LogFileCtx *AlertUnifiedAlertInitCtx(char *);
|
||
|
LogFileCtx *AlertUnifiedAlertInitCtx(ConfNode *);
|
||
|
#endif /* __ALERT_UNIFIED_ALERT_H__ */
|
||
| src/alert-unified-log.c | ||
|---|---|---|
|
*
|
||
|
*/
|
||
|
#include <string.h>
|
||
|
#include "suricata-common.h"
|
||
|
#include "debug.h"
|
||
|
#include "detect.h"
|
||
| ... | ... | |
|
TmEcode AlertUnifiedLog (ThreadVars *, Packet *, void *, PacketQueue *);
|
||
|
TmEcode AlertUnifiedLogThreadInit(ThreadVars *, void *, void **);
|
||
|
TmEcode AlertUnifiedLogThreadDeinit(ThreadVars *, void *);
|
||
|
int AlertUnifiedLogOpenFileCtx(LogFileCtx *, char *);
|
||
|
int AlertUnifiedLogOpenFileCtx(LogFileCtx *, const char *);
|
||
|
void AlertUnifiedLogRegisterTests(void);
|
||
|
void TmModuleAlertUnifiedLogRegister (void) {
|
||
| ... | ... | |
|
printf("Error: AlertUnifiedLogCloseFile failed\n");
|
||
|
return -1;
|
||
|
}
|
||
|
if (AlertUnifiedLogOpenFileCtx(aun->file_ctx,aun->file_ctx->config_file) < 0) {
|
||
|
if (AlertUnifiedLogOpenFileCtx(aun->file_ctx,aun->file_ctx->prefix) < 0) {
|
||
|
printf("Error: AlertUnifiedLogOpenFileCtx, open new log file failed\n");
|
||
|
return -1;
|
||
|
}
|
||
| ... | ... | |
|
}
|
||
|
/** \brief Create a new file_ctx from config_file (if specified)
|
||
|
* \param config_file for loading separate configs
|
||
|
/** \brief Create a new LogFileCtx for unified alert logging.
|
||
|
* \param ConfNode pointer to the configuration node for this logger.
|
||
|
* \return NULL if failure, LogFileCtx* to the file_ctx if succesful
|
||
|
* */
|
||
|
LogFileCtx *AlertUnifiedLogInitCtx(char *config_file)
|
||
|
LogFileCtx *AlertUnifiedLogInitCtx(ConfNode *conf)
|
||
|
{
|
||
|
int ret=0;
|
||
|
LogFileCtx* file_ctx=LogFileNewCtx();
|
||
| ... | ... | |
|
return NULL;
|
||
|
}
|
||
|
/** fill the new LogFileCtx with the specific AlertUnifiedLog configuration */
|
||
|
ret=AlertUnifiedLogOpenFileCtx(file_ctx, config_file);
|
||
|
const char *filename;
|
||
|
if (conf != NULL) { /* \todo Maybe test should setup a ConfNode */
|
||
|
filename = ConfNodeLookupChildValue(conf, "filename");
|
||
|
}
|
||
|
if (filename == NULL)
|
||
|
filename = DEFAULT_LOG_FILENAME;
|
||
|
file_ctx->prefix = strdup(filename);
|
||
|
ret=AlertUnifiedLogOpenFileCtx(file_ctx, filename);
|
||
|
if(ret < 0)
|
||
|
return NULL;
|
||
|
/** In AlertUnifiedLogOpenFileCtx the second parameter should be the configuration file to use
|
||
|
* but it's not implemented yet, so passing NULL to load the default
|
||
|
* configuration
|
||
|
*/
|
||
|
return file_ctx;
|
||
|
}
|
||
|
/** \brief Read the config set the file pointer, open the file
|
||
|
* \param file_ctx pointer to a created LogFileCtx using LogFileNewCtx()
|
||
|
* \param config_file for loading separate configs
|
||
|
* \param prefix Prefix for log filenames.
|
||
|
* \return -1 if failure, 0 if succesful
|
||
|
* */
|
||
|
int AlertUnifiedLogOpenFileCtx(LogFileCtx *file_ctx, char *config_file)
|
||
|
int AlertUnifiedLogOpenFileCtx(LogFileCtx *file_ctx, const char *prefix)
|
||
|
{
|
||
|
char *filename = NULL;
|
||
|
if (file_ctx->filename != NULL)
|
||
| ... | ... | |
|
else
|
||
|
filename = file_ctx->filename = malloc(PATH_MAX); /* XXX some sane default? */
|
||
|
if(config_file == NULL)
|
||
|
{
|
||
|
/** Separate config files not implemented at the moment,
|
||
|
* but it must be able to load from separate config file.
|
||
|
* Load the default configuration.
|
||
|
*/
|
||
|
/* get the time so we can have a filename with seconds since epoch */
|
||
|
struct timeval ts;
|
||
|
memset (&ts, 0, sizeof(struct timeval));
|
||
|
TimeGet(&ts);
|
||
|
/* create the filename to use */
|
||
|
char *log_dir;
|
||
|
if (ConfGet("default-log-dir", &log_dir) != 1)
|
||
|
log_dir = DEFAULT_LOG_DIR;
|
||
|
snprintf(filename, PATH_MAX, "%s/%s.%" PRIu32, log_dir, "unified.log", (uint32_t)ts.tv_sec);
|
||
|
/* XXX filename & location */
|
||
|
file_ctx->fp = fopen(filename, "wb");
|
||
|
if (file_ctx->fp == NULL) {
|
||
|
SCLogError(SC_ERR_FOPEN, "ERROR: failed to open %s: %s", filename,
|
||
|
strerror(errno));
|
||
|
return -1;
|
||
|
}
|
||
|
/* get the time so we can have a filename with seconds since epoch */
|
||
|
struct timeval ts;
|
||
|
memset (&ts, 0, sizeof(struct timeval));
|
||
|
TimeGet(&ts);
|
||
|
|
||
|
/* create the filename to use */
|
||
|
char *log_dir;
|
||
|
if (ConfGet("default-log-dir", &log_dir) != 1)
|
||
|
log_dir = DEFAULT_LOG_DIR;
|
||
|
|
||
|
snprintf(filename, PATH_MAX, "%s/%s.%" PRIu32, log_dir, prefix, (uint32_t)ts.tv_sec);
|
||
|
|
||
|
/* XXX filename & location */
|
||
|
file_ctx->fp = fopen(filename, "wb");
|
||
|
if (file_ctx->fp == NULL) {
|
||
|
SCLogError(SC_ERR_FOPEN, "ERROR: failed to open %s: %s", filename,
|
||
|
strerror(errno));
|
||
|
return -1;
|
||
|
}
|
||
|
return 0;
|
||
| src/alert-unified-log.h | ||
|---|---|---|
|
#define __ALERT_UNIFIED_LOG_H__
|
||
|
void TmModuleAlertUnifiedLogRegister (void);
|
||
|
LogFileCtx *AlertUnifiedLogInitCtx(char *);
|
||
|
LogFileCtx *AlertUnifiedLogInitCtx(ConfNode *);
|
||
|
#endif /* __ALERT_UNIFIED_LOG_H__ */
|
||
| src/alert-unified2-alert.c | ||
|---|---|---|
|
#define IPPROTO_SCTP 132
|
||
|
#endif
|
||
|
#define DEFAULT_LOG_FILENAME "unified2.alert"
|
||
|
/*prototypes*/
|
||
|
TmEcode Unified2Alert (ThreadVars *, Packet *, void *, PacketQueue *);
|
||
|
TmEcode Unified2AlertThreadInit(ThreadVars *, void *, void **);
|
||
| ... | ... | |
|
int Unified2IPv6TypeAlert(ThreadVars *, Packet *, void *, PacketQueue *);
|
||
|
int Unified2PacketTypeAlert(ThreadVars *, Packet *, void *);
|
||
|
void Unified2RegisterTests();
|
||
|
int Unified2AlertOpenFileCtx(LogFileCtx *, char *);
|
||
|
int Unified2AlertOpenFileCtx(LogFileCtx *, const char *);
|
||
|
/**
|
||
|
* Unified2 thread vars
|
||
| ... | ... | |
|
"Error: Unified2AlertCloseFile failed");
|
||
|
return -1;
|
||
|
}
|
||
|
if (Unified2AlertOpenFileCtx(aun->file_ctx,aun->file_ctx->config_file) < 0) {
|
||
|
if (Unified2AlertOpenFileCtx(aun->file_ctx,aun->file_ctx->prefix) < 0) {
|
||
|
SCLogError(SC_ERR_UNIFIED2_ALERT_GENERIC_ERROR,
|
||
|
"Error: Unified2AlertOpenFileCtx, open new log file failed");
|
||
|
return -1;
|
||
| ... | ... | |
|
return TM_ECODE_FAILED;
|
||
|
}
|
||
|
/** \brief Create a new file_ctx from config_file (if specified)
|
||
|
* \param config_file for loading separate configs
|
||
|
/** \brief Create a new LogFileCtx from the provided ConfNode.
|
||
|
* \param conf The configuration node for this output.
|
||
|
* \return NULL if failure, LogFileCtx* to the file_ctx if succesful
|
||
|
* */
|
||
|
LogFileCtx *Unified2AlertInitCtx(char *config_file)
|
||
|
LogFileCtx *Unified2AlertInitCtx(ConfNode *conf)
|
||
|
{
|
||
|
int ret=0;
|
||
|
LogFileCtx* file_ctx=LogFileNewCtx();
|
||
| ... | ... | |
|
return NULL;
|
||
|
}
|
||
|
/** fill the new LogFileCtx with the specific Unified2Alert configuration */
|
||
|
ret=Unified2AlertOpenFileCtx(file_ctx, config_file);
|
||
|
const char *filename;
|
||
|
if (conf != NULL) { /* To faciliate unit tests. */
|
||
|
filename = ConfNodeLookupChildValue(conf, "filename");
|
||
|
}
|
||
|
if (filename == NULL)
|
||
|
filename = DEFAULT_LOG_FILENAME;
|
||
|
file_ctx->prefix = strdup(filename);
|
||
|
ret=Unified2AlertOpenFileCtx(file_ctx, filename);
|
||
|
if(ret < 0)
|
||
|
return NULL;
|
||
|
/** In Unified2AlertOpenFileCtx the second parameter should be the configuration file to use
|
||
|
* but it's not implemented yet, so passing NULL to load the default
|
||
|
* configuration
|
||
|
*/
|
||
|
return file_ctx;
|
||
|
}
|
||
|
/** \brief Read the config set the file pointer, open the file
|
||
|
* \param file_ctx pointer to a created LogFileCtx using LogFileNewCtx()
|
||
|
* \param config_file for loading separate configs
|
||
|
* \param prefix Prefix of the log file.
|
||
|
* \return -1 if failure, 0 if succesful
|
||
|
* */
|
||
|
int Unified2AlertOpenFileCtx(LogFileCtx *file_ctx, char *config_file)
|
||
|
int Unified2AlertOpenFileCtx(LogFileCtx *file_ctx, const char *prefix)
|
||
|
{
|
||
|
char *filename = NULL;
|
||
|
if (file_ctx->filename != NULL)
|
||
| ... | ... | |
|
else
|
||
|
filename = file_ctx->filename = malloc(PATH_MAX); /* XXX some sane default? */
|
||
|
if (config_file == NULL) {
|
||
|
/** Separate config files not implemented at the moment,
|
||
|
* but it must be able to load from separate config file.
|
||
|
* Load the default configuration.
|
||
|
*/
|
||
|
/** get the time so we can have a filename with seconds since epoch */
|
||
|
struct timeval ts;
|
||
|
memset(&ts, 0x00, sizeof(struct timeval));
|
||
|
TimeGet(&ts);
|
||
|
/* create the filename to use */
|
||
|
char *log_dir;
|
||
|
if (ConfGet("default-log-dir", &log_dir) != 1)
|
||
|
log_dir = DEFAULT_LOG_DIR;
|
||
|
snprintf(filename, PATH_MAX, "%s/%s.%" PRIu32, log_dir, "unified2.alert", (uint32_t)ts.tv_sec);
|
||
|
/* XXX filename & location */
|
||
|
file_ctx->fp = fopen(filename, "wb");
|
||
|
if (file_ctx->fp == NULL) {
|
||
|
SCLogError(SC_ERR_FOPEN, "ERROR: failed to open %s: %s", filename,
|
||
|
strerror(errno));
|
||
|
return -1;
|
||
|
}
|
||
|
/** get the time so we can have a filename with seconds since epoch */
|
||
|
struct timeval ts;
|
||
|
memset(&ts, 0x00, sizeof(struct timeval));
|
||
|
TimeGet(&ts);
|
||
|
|
||
|
/* create the filename to use */
|
||
|
char *log_dir;
|
||
|
if (ConfGet("default-log-dir", &log_dir) != 1)
|
||
|
log_dir = DEFAULT_LOG_DIR;
|
||
|
|
||
|
snprintf(filename, PATH_MAX, "%s/%s.%" PRIu32, log_dir, prefix, (uint32_t)ts.tv_sec);
|
||
|
|
||
|
/* XXX filename & location */
|
||
|
file_ctx->fp = fopen(filename, "wb");
|
||
|
if (file_ctx->fp == NULL) {
|
||
|
SCLogError(SC_ERR_FOPEN, "ERROR: failed to open %s: %s", filename,
|
||
|
strerror(errno));
|
||
|
return -1;
|
||
|
}
|
||
|
return 0;
|
||
| src/alert-unified2-alert.h | ||
|---|---|---|
|
#define UNIFIED2_IDS_EVENT_IPV6_MPLS_TYPE 100
|
||
|
void TmModuleUnified2AlertRegister (void);
|
||
|
LogFileCtx *Unified2AlertInitCtx(char *);
|
||
|
LogFileCtx *Unified2AlertInitCtx(ConfNode *);
|
||
|
#endif /* __ALERT_UNIFIED2_ALERT_H__ */
|
||
| src/conf-yaml-loader.c | ||
|---|---|---|
|
}
|
||
|
else {
|
||
|
if (state == CONF_KEY) {
|
||
|
if (parent->is_seq) {
|
||
|
parent->val = strdup(value);
|
||
|
}
|
||
|
node = ConfNodeNew();
|
||
|
node->name = strdup((char *)event.data.scalar.value);
|
||
|
node->name = strdup(value);
|
||
|
TAILQ_INSERT_TAIL(&parent->head, node, next);
|
||
|
state = CONF_VAL;
|
||
|
}
|
||
|
else {
|
||
|
node->val = strdup((char *)event.data.scalar.value);
|
||
|
node->val = strdup(value);
|
||
|
state = CONF_KEY;
|
||
|
}
|
||
|
}
|
||
| ... | ... | |
|
else if (event.type == YAML_MAPPING_START_EVENT) {
|
||
|
if (inseq) {
|
||
|
ConfNode *seq_node = ConfNodeNew();
|
||
|
seq_node->is_seq = 1;
|
||
|
seq_node->name = calloc(1, DEFAULT_NAME_LEN);
|
||
|
snprintf(seq_node->name, DEFAULT_NAME_LEN, "%d", seq_idx++);
|
||
|
TAILQ_INSERT_TAIL(&node->head, seq_node, next);
|
||
| ... | ... | |
|
else {
|
||
|
ConfYamlParse2(parser, node, inseq);
|
||
|
}
|
||
|
state ^= CONF_VAL;
|
||
|
state = CONF_KEY;
|
||
|
}
|
||
|
else if (event.type == YAML_MAPPING_END_EVENT) {
|
||
|
done = 1;
|
||
| src/conf.c | ||
|---|---|---|
|
level++;
|
||
|
TAILQ_FOREACH(child, &node->head, next) {
|
||
|
name[level] = strdup(child->name);
|
||
|
if (child->val != NULL) {
|
||
|
// if (child->val != NULL) {
|
||
|
if (prefix == NULL) {
|
||
|
printf("%s = %s\n", ConfPrintNameArray(name, level),
|
||
|
child->val);
|
||
| ... | ... | |
|
printf("%s.%s = %s\n", prefix,
|
||
|
ConfPrintNameArray(name, level), child->val);
|
||
|
}
|
||
|
}
|
||
|
//}
|
||
|
ConfNodeDump(child, prefix);
|
||
|
free(name[level]);
|
||
|
}
|
||
| src/conf.h | ||
|---|---|---|
|
char *name;
|
||
|
char *val;
|
||
|
int is_seq;
|
||
|
int allow_override;
|
||
|
TAILQ_HEAD(, ConfNode_) head;
|
||
| src/log-httplog.c | ||
|---|---|---|
|
TmEcode LogHttplogThreadInit(ThreadVars *, void *, void **);
|
||
|
TmEcode LogHttplogThreadDeinit(ThreadVars *, void *);
|
||
|
void LogHttplogExitPrintStats(ThreadVars *, void *);
|
||
|
int LogHttplogOpenFileCtx(LogFileCtx* , char *);
|
||
|
int LogHttplogOpenFileCtx(LogFileCtx* , const char *);
|
||
|
void TmModuleLogHttplogRegister (void) {
|
||
|
tmm_modules[TMM_LOGHTTPLOG].name = "LogHttplog";
|
||
| ... | ... | |
|
SCLogInfo("(%s) HTTP requests %" PRIu32 "", tv->name, aft->uri_cnt);
|
||
|
}
|
||
|
/** \brief Create a new file_ctx from config_file (if specified)
|
||
|
* \param config_file for loading separate configs
|
||
|
/** \brief Create a new http log LogFileCtx.
|
||
|
* \param conf Pointer to ConfNode containing this loggers configuration.
|
||
|
* \return NULL if failure, LogFileCtx* to the file_ctx if succesful
|
||
|
* */
|
||
|
LogFileCtx *LogHttplogInitCtx(char *config_file)
|
||
|
LogFileCtx *LogHttplogInitCtx(ConfNode *conf)
|
||
|
{
|
||
|
int ret=0;
|
||
|
LogFileCtx* file_ctx=LogFileNewCtx();
|
||
| ... | ... | |
|
return NULL;
|
||
|
}
|
||
|
const char *filename = ConfNodeLookupChildValue(conf, "filename");
|
||
|
if (filename == NULL)
|
||
|
filename = DEFAULT_LOG_FILENAME;
|
||
|
/** fill the new LogFileCtx with the specific LogHttplog configuration */
|
||
|
ret=LogHttplogOpenFileCtx(file_ctx, config_file);
|
||
|
ret=LogHttplogOpenFileCtx(file_ctx, filename);
|
||
|
if(ret < 0)
|
||
|
return NULL;
|
||
|
/** In LogHttplogOpenFileCtx the second parameter should be the configuration file to use
|
||
|
* but it's not implemented yet, so passing NULL to load the default
|
||
|
* configuration
|
||
|
*/
|
||
|
return file_ctx;
|
||
|
}
|
||
| ... | ... | |
|
* \param config_file for loading separate configs
|
||
|
* \return -1 if failure, 0 if succesful
|
||
|
* */
|
||
|
int LogHttplogOpenFileCtx(LogFileCtx *file_ctx, char *config_file)
|
||
|
int LogHttplogOpenFileCtx(LogFileCtx *file_ctx, const char *filename)
|
||
|
{
|
||
|
if(config_file == NULL)
|
||
|
{
|
||
|
/** Separate config files not implemented at the moment,
|
||
|
* but it must be able to load from separate config file.
|
||
|
* Load the default configuration.
|
||
|
*/
|
||
|
char log_path[PATH_MAX], *log_dir;
|
||
|
if (ConfGet("default-log-dir", &log_dir) != 1)
|
||
|
log_dir = DEFAULT_LOG_DIR;
|
||
|
snprintf(log_path, PATH_MAX, "%s/%s", log_dir, DEFAULT_LOG_FILENAME);
|
||
|
file_ctx->fp = fopen(log_path, "w");
|
||
|
if (file_ctx->fp == NULL) {
|
||
|
SCLogError(SC_ERR_FOPEN, "ERROR: failed to open %s: %s", log_path,
|
||
|
strerror(errno));
|
||
|
return -1;
|
||
|
}
|
||
|
if(file_ctx->config_file == NULL)
|
||
|
file_ctx->config_file = strdup("configfile.lh");
|
||
|
/** Remember the config file (or NULL if not indicated) */
|
||
|
char log_path[PATH_MAX], *log_dir;
|
||
|
if (ConfGet("default-log-dir", &log_dir) != 1)
|
||
|
log_dir = DEFAULT_LOG_DIR;
|
||
|
snprintf(log_path, PATH_MAX, "%s/%s", log_dir, filename);
|
||
|
|
||
|
file_ctx->fp = fopen(log_path, "w");
|
||
|
|
||
|
if (file_ctx->fp == NULL) {
|
||
|
SCLogError(SC_ERR_FOPEN, "ERROR: failed to open %s: %s", log_path,
|
||
|
strerror(errno));
|
||
|
return -1;
|
||
|
}
|
||
|
return 0;
|
||
| src/log-httplog.h | ||
|---|---|---|
|
void TmModuleLogHttplogRegister (void);
|
||
|
void TmModuleLogHttplogIPv4Register (void);
|
||
|
void TmModuleLogHttplogIPv6Register (void);
|
||
|
LogFileCtx *LogHttplogInitCtx(char *);
|
||
|
LogFileCtx *LogHttplogInitCtx(ConfNode *);
|
||
|
#endif /* __LOG_HTTPLOG_H__ */
|
||
| src/runmodes.c | ||
|---|---|---|
|
#include "suricata-common.h"
|
||
|
#include "detect-engine.h"
|
||
|
#include "tm-threads.h"
|
||
|
#include "util-debug.h"
|
||
|
#include "util-time.h"
|
||
|
#include "conf.h"
|
||
|
#include "queue.h"
|
||
|
int RunModeIdsPcap(DetectEngineCtx *de_ctx, char *iface, LogFileCtx *af_logfile_ctx, LogFileCtx *ad_logfile_ctx, LogFileCtx *lh_logfile_ctx, LogFileCtx *aul_logfile_ctx, LogFileCtx *aua_logfile_ctx, LogFileCtx *au2a_logfile_ctx) {
|
||
|
#include "alert-fastlog.h"
|
||
|
#include "alert-unified-log.h"
|
||
|
#include "alert-unified-alert.h"
|
||
|
#include "alert-unified2-alert.h"
|
||
|
#include "alert-debuglog.h"
|
||
|
#include "log-httplog.h"
|
||
|
/**
|
||
|
* Define a linked list to use as a registry of LogFileCtx shutdown hooks.
|
||
|
*/
|
||
|
typedef struct LogFileCtxShutDownHook_ {
|
||
|
LogFileCtx *logfile_ctx;
|
||
|
TAILQ_ENTRY(LogFileCtxShutDownHook_) entries;
|
||
|
} LogFileCtxShutDownHook;
|
||
|
TAILQ_HEAD(, LogFileCtxShutDownHook_) LogFileCtxShutDownHooks =
|
||
|
TAILQ_HEAD_INITIALIZER(LogFileCtxShutDownHooks);
|
||
|
/**
|
||
|
* \brief Register a LogFileCtx for shutdown cleanup.
|
||
|
*
|
||
|
* \param logfile_ctx A point to the LogFileCtx to free on shutdown.
|
||
|
*/
|
||
|
void RegisterLogFileCtx(LogFileCtx *logfile_ctx)
|
||
|
{
|
||
|
LogFileCtxShutDownHook *hook = calloc(1, sizeof(LogFileCtxShutDownHook));
|
||
|
if (hook == NULL) {
|
||
|
SCLogError(SC_ERR_MEM_ALLOC,
|
||
|
"Failed to allocate memory for LogFileCtx shutdown hook");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
hook->logfile_ctx = logfile_ctx;
|
||
|
TAILQ_INSERT_TAIL(&LogFileCtxShutDownHooks, hook, entries);
|
||
|
}
|
||
|
/**
|
||
|
* Run the log file shutdown hooks. The hooks are also unregistered
|
||
|
* and the memory is freed.
|
||
|
*/
|
||
|
static void RunLogFileCtxShutDownHooks(void)
|
||
|
{
|
||
|
LogFileCtxShutDownHook *hook;
|
||
|
while ((hook = TAILQ_FIRST(&LogFileCtxShutDownHooks))) {
|
||
|
TAILQ_REMOVE(&LogFileCtxShutDownHooks, hook, entries);
|
||
|
LogFileFreeCtx(hook->logfile_ctx);
|
||
|
free(hook);
|
||
|
}
|
||
|
}
|
||
|
void RunModeShutDown(void)
|
||
|
{
|
||
|
RunLogFileCtxShutDownHooks();
|
||
|
}
|
||
|
struct AlertOutput {
|
||
|
char *shortname;
|
||
|
char *longname;
|
||
|
LogFileCtx *(*InitFunc)(ConfNode *);
|
||
|
} alert_descriptor[] = {
|
||
|
{"fast", "AlertFastlog", AlertFastlogInitCtx},
|
||
|
{"http-log", "LogHttplog", LogHttplogInitCtx},
|
||
|
{"unified-log", "AlertUnifiedLog", AlertUnifiedLogInitCtx},
|
||
|
{"unified-alert", "AlertUnifiedAlert", AlertUnifiedAlertInitCtx},
|
||
|
{"unified2-alert", "Unified2Alert", Unified2AlertInitCtx},
|
||
|
{"alert-debug", "AlertDebuglog", AlertDebuglogInitCtx},
|
||
|
};
|
||
|
struct AlertOutput *
|
||
|
GetAlertOutputByName(char *name)
|
||
|
{
|
||
|
int i;
|
||
|
for (i = 0; i < sizeof(alert_descriptor)/sizeof(alert_descriptor[0]); i++) {
|
||
|
if (strcmp(alert_descriptor[i].shortname, name) == 0)
|
||
|
return &alert_descriptor[i];
|
||
|
}
|
||
|
return NULL;
|
||
|
}
|
||
|
static void SetupOutputs(ThreadVars *tv_outputs)
|
||
|
{
|
||
|
ConfNode *outputs = ConfGetNode("outputs");
|
||
|
if (outputs == NULL) {
|
||
|
/* No "outputs" section in the configuration. */
|
||
|
return;
|
||
|
}
|
||
|
ConfNode *output, *output_config;
|
||
|
TmModule *tm_module;
|
||
|
struct AlertOutput *output_info;
|
||
|
const char *enabled;
|
||
|
TAILQ_FOREACH(output, &outputs->head, next) {
|
||
|
output_info = GetAlertOutputByName(output->val);
|
||
|
if (output_info == NULL) {
|
||
|
printf("Unknown output type: %s\n", output->val);
|
||
|
continue;
|
||
|
}
|
||
|
output_config = ConfNodeLookupChild(output, output_info->shortname);
|
||
|
if (output_config == NULL) {
|
||
|
/* Shouldn't happen. */
|
||
|
SCLogError(SC_INVALID_ARGUMENT,
|
||
|
"Failed to lookup configuration child node: fast");
|
||
|
exit(1);
|
||
|
}
|
||
|
enabled = ConfNodeLookupChildValue(output_config, "enabled");
|
||
|
if (enabled != NULL && strcasecmp(enabled, "yes") == 0) {
|
||
|
LogFileCtx *logfile_ctx = output_info->InitFunc(output_config);
|
||
|
if (logfile_ctx == NULL) {
|
||
|
/* In most cases the init function will have logged the
|
||
|
* error. */
|
||
|
continue;
|
||
|
}
|
||
|
if (logfile_ctx == NULL) {
|
||
|
printf("* fast_ctx is NULL\n");
|
||
|
}
|
||
|
tm_module = TmModuleGetByName(output_info->longname);
|
||
|
if (tm_module == NULL) {
|
||
|
SCLogError(SC_INVALID_ARGUMENT,
|
||
|
"TmModuleGetByName for AlertFastlog failed");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
TmVarSlotSetFuncAppend(tv_outputs, tm_module, logfile_ctx);
|
||
|
RegisterLogFileCtx(logfile_ctx);
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
int RunModeIdsPcap(DetectEngineCtx *de_ctx, char *iface) {
|
||
|
TimeModeSetLive();
|
||
|
/* create the threads */
|
||
| ... | ... | |
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
ThreadVars *tv_alert = TmThreadCreatePacketHandler("AlertFastlog&Httplog","alert-queue1","simple","alert-queue2","simple","varslot");
|
||
|
if (tv_alert == NULL) {
|
||
|
printf("ERROR: TmThreadsCreate failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
tm_module = TmModuleGetByName("AlertFastlog");
|
||
|
if (tm_module == NULL) {
|
||
|
printf("ERROR: TmModuleGetByName for AlertFastlog failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
TmVarSlotSetFuncAppend(tv_alert, tm_module, af_logfile_ctx);
|
||
|
tm_module = TmModuleGetByName("LogHttplog");
|
||
|
if (tm_module == NULL) {
|
||
|
printf("ERROR: TmModuleGetByName failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
TmVarSlotSetFuncAppend(tv_alert, tm_module, lh_logfile_ctx);
|
||
|
if (TmThreadSpawn(tv_alert) != TM_ECODE_OK) {
|
||
|
printf("ERROR: TmThreadSpawn failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
ThreadVars *tv_unified = TmThreadCreatePacketHandler("AlertUnifiedLog","alert-queue2","simple","alert-queue3","simple","varslot");
|
||
|
if (tv_unified == NULL) {
|
||
|
printf("ERROR: TmThreadsCreate failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
tm_module = TmModuleGetByName("AlertUnifiedLog");
|
||
|
if (tm_module == NULL) {
|
||
|
printf("ERROR: TmModuleGetByName for AlertUnifiedLog failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
TmVarSlotSetFuncAppend(tv_unified, tm_module, aul_logfile_ctx);
|
||
|
tm_module = TmModuleGetByName("AlertUnifiedAlert");
|
||
|
if (tm_module == NULL) {
|
||
|
printf("ERROR: TmModuleGetByName for AlertUnifiedAlert failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
TmVarSlotSetFuncAppend(tv_unified, tm_module, aua_logfile_ctx);
|
||
|
if (TmThreadSpawn(tv_unified) != TM_ECODE_OK) {
|
||
|
printf("ERROR: TmThreadSpawn failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
ThreadVars *tv_unified2 = TmThreadCreatePacketHandler("Unified2Alert","alert-queue3","simple","alert-queue4","simple","1slot");
|
||
|
if (tv_unified2 == NULL) {
|
||
|
printf("ERROR: TmThreadsCreate failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
tm_module = TmModuleGetByName("Unified2Alert");
|
||
|
if (tm_module == NULL) {
|
||
|
printf("ERROR: TmModuleGetByName failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
Tm1SlotSetFunc(tv_unified2,tm_module,au2a_logfile_ctx);
|
||
|
if (TmThreadSpawn(tv_unified2) != TM_ECODE_OK) {
|
||
|
printf("ERROR: TmThreadSpawn failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
ThreadVars *tv_debugalert = TmThreadCreatePacketHandler("AlertDebuglog","alert-queue4","simple","packetpool","packetpool","1slot");
|
||
|
if (tv_debugalert == NULL) {
|
||
|
printf("ERROR: TmThreadsCreate failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
tm_module = TmModuleGetByName("AlertDebuglog");
|
||
|
if (tm_module == NULL) {
|
||
|
printf("ERROR: TmModuleGetByName failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
Tm1SlotSetFunc(tv_debugalert,tm_module, ad_logfile_ctx);
|
||
|
if (TmThreadSpawn(tv_debugalert) != TM_ECODE_OK) {
|
||
|
ThreadVars *tv_outputs = TmThreadCreatePacketHandler("Outputs",
|
||
|
"alert-queue1", "simple", "packetpool", "packetpool", "varslot");
|
||
|
SetupOutputs(tv_outputs);
|
||
|
if (TmThreadSpawn(tv_outputs) != TM_ECODE_OK) {
|
||
|
printf("ERROR: TmThreadSpawn failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
| ... | ... | |
|
}
|
||
|
/** \brief Live pcap mode with 4 stream tracking and reassembly threads, testing the flow queuehandler */
|
||
|
int RunModeIdsPcap2(DetectEngineCtx *de_ctx, char *iface, LogFileCtx *af_logfile_ctx, LogFileCtx *ad_logfile_ctx, LogFileCtx *lh_logfile_ctx, LogFileCtx *aul_logfile_ctx, LogFileCtx *aua_logfile_ctx, LogFileCtx *au2a_logfile_ctx) {
|
||
|
int RunModeIdsPcap2(DetectEngineCtx *de_ctx, char *iface) {
|
||
|
TimeModeSetLive();
|
||
|
/* create the threads */
|
||
| ... | ... | |
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
ThreadVars *tv_alert = TmThreadCreatePacketHandler("AlertFastlog&Httplog","alert-queue1","simple","alert-queue2","simple","varslot");
|
||
|
if (tv_alert == NULL) {
|
||
|
printf("ERROR: TmThreadsCreate failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
tm_module = TmModuleGetByName("AlertFastlog");
|
||
|
if (tm_module == NULL) {
|
||
|
printf("ERROR: TmModuleGetByName for AlertFastlog failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
TmVarSlotSetFuncAppend(tv_alert, tm_module, af_logfile_ctx);
|
||
|
tm_module = TmModuleGetByName("LogHttplog");
|
||
|
if (tm_module == NULL) {
|
||
|
printf("ERROR: TmModuleGetByName failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
TmVarSlotSetFuncAppend(tv_alert, tm_module, lh_logfile_ctx);
|
||
|
if (TmThreadSpawn(tv_alert) != TM_ECODE_OK) {
|
||
|
printf("ERROR: TmThreadSpawn failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
ThreadVars *tv_unified = TmThreadCreatePacketHandler("AlertUnifiedLog","alert-queue2","simple","alert-queue3","simple","varslot");
|
||
|
if (tv_unified == NULL) {
|
||
|
printf("ERROR: TmThreadsCreate failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
tm_module = TmModuleGetByName("AlertUnifiedLog");
|
||
|
if (tm_module == NULL) {
|
||
|
printf("ERROR: TmModuleGetByName for AlertUnifiedLog failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
TmVarSlotSetFuncAppend(tv_unified,tm_module,aul_logfile_ctx);
|
||
|
tm_module = TmModuleGetByName("AlertUnifiedAlert");
|
||
|
if (tm_module == NULL) {
|
||
|
printf("ERROR: TmModuleGetByName for AlertUnifiedAlert failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
TmVarSlotSetFuncAppend(tv_unified,tm_module,aua_logfile_ctx);
|
||
|
if (TmThreadSpawn(tv_unified) != TM_ECODE_OK) {
|
||
|
printf("ERROR: TmThreadSpawn failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
ThreadVars *tv_unified2 = TmThreadCreatePacketHandler("Unified2Alert","alert-queue3","simple","alert-queue4","simple","1slot");
|
||
|
if (tv_unified2 == NULL) {
|
||
|
printf("ERROR: TmThreadsCreate failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
tm_module = TmModuleGetByName("Unified2Alert");
|
||
|
if (tm_module == NULL) {
|
||
|
printf("ERROR: TmModuleGetByName failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
Tm1SlotSetFunc(tv_unified2,tm_module,au2a_logfile_ctx);
|
||
|
if (TmThreadSpawn(tv_unified2) != TM_ECODE_OK) {
|
||
|
printf("ERROR: TmThreadSpawn failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
ThreadVars *tv_debugalert = TmThreadCreatePacketHandler("AlertDebuglog","alert-queue4","simple","packetpool","packetpool","1slot");
|
||
|
if (tv_debugalert == NULL) {
|
||
|
printf("ERROR: TmThreadsCreate failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
tm_module = TmModuleGetByName("AlertDebuglog");
|
||
|
if (tm_module == NULL) {
|
||
|
printf("ERROR: TmModuleGetByName failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
Tm1SlotSetFunc(tv_debugalert,tm_module, ad_logfile_ctx);
|
||
|
if (TmThreadSpawn(tv_debugalert) != TM_ECODE_OK) {
|
||
|
ThreadVars *tv_outputs = TmThreadCreatePacketHandler("Outputs",
|
||
|
"alert-queue1", "simple", "packetpool", "packetpool", "varslot");
|
||
|
SetupOutputs(tv_outputs);
|
||
|
if (TmThreadSpawn(tv_outputs) != TM_ECODE_OK) {
|
||
|
printf("ERROR: TmThreadSpawn failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
| ... | ... | |
|
}
|
||
|
/** \brief Live pcap mode with 4 stream tracking and reassembly threads, testing the flow queuehandler */
|
||
|
int RunModeIdsPcap3(DetectEngineCtx *de_ctx, char *iface, LogFileCtx *af_logfile_ctx, LogFileCtx *ad_logfile_ctx, LogFileCtx *lh_logfile_ctx, LogFileCtx *aul_logfile_ctx, LogFileCtx *aua_logfile_ctx, LogFileCtx *au2a_logfile_ctx) {
|
||
|
int RunModeIdsPcap3(DetectEngineCtx *de_ctx, char *iface) {
|
||
|
TimeModeSetLive();
|
||
|
/* create the threads */
|
||
| ... | ... | |
|
}
|
||
|
TmVarSlotSetFuncAppend(tv,tm_module,NULL);
|
||
|
tm_module = TmModuleGetByName("AlertFastlog");
|
||
|
if (tm_module == NULL) {
|
||
|
printf("ERROR: TmModuleGetByName for AlertFastlog failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
TmVarSlotSetFuncAppend(tv,tm_module,af_logfile_ctx);
|
||
|
tm_module = TmModuleGetByName("LogHttplog");
|
||
|
if (tm_module == NULL) {
|
||
|
printf("ERROR: TmModuleGetByName failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
TmVarSlotSetFuncAppend(tv,tm_module, lh_logfile_ctx);
|
||
|
tm_module = TmModuleGetByName("AlertUnifiedLog");
|
||
|
if (tm_module == NULL) {
|
||
|
printf("ERROR: TmModuleGetByName for AlertUnifiedLog failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
TmVarSlotSetFuncAppend(tv,tm_module,aul_logfile_ctx);
|
||
|
tm_module = TmModuleGetByName("AlertUnifiedAlert");
|
||
|
if (tm_module == NULL) {
|
||
|
printf("ERROR: TmModuleGetByName for AlertUnifiedAlert failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
TmVarSlotSetFuncAppend(tv,tm_module,aua_logfile_ctx);
|
||
|
tm_module = TmModuleGetByName("Unified2Alert");
|
||
|
if (tm_module == NULL) {
|
||
|
printf("ERROR: TmModuleGetByName for Unified2Alert failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
TmVarSlotSetFuncAppend(tv,tm_module,au2a_logfile_ctx);
|
||
|
tm_module = TmModuleGetByName("AlertDebuglog");
|
||
|
if (tm_module == NULL) {
|
||
|
printf("ERROR: TmModuleGetByName failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
TmVarSlotSetFuncAppend(tv,tm_module, ad_logfile_ctx);
|
||
|
/* In this mode we don't create a new thread for alerting/logging.
|
||
|
* We'll pass the one currently being setup and the alerting
|
||
|
* modules will be appended to it. */
|
||
|
SetupOutputs(tv);
|
||
|
TmThreadSetCPUAffinity(tv, 0);
|
||
| ... | ... | |
|
}
|
||
|
TmVarSlotSetFuncAppend(tv,tm_module,NULL);
|
||
|
tm_module = TmModuleGetByName("AlertFastlog");
|
||
|
if (tm_module == NULL) {
|
||
|
printf("ERROR: TmModuleGetByName for AlertFastlog failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
TmVarSlotSetFuncAppend(tv,tm_module,af_logfile_ctx);
|
||
|
tm_module = TmModuleGetByName("LogHttplog");
|
||
|
if (tm_module == NULL) {
|
||
|
printf("ERROR: TmModuleGetByName failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
TmVarSlotSetFuncAppend(tv,tm_module, lh_logfile_ctx);
|
||
|
tm_module = TmModuleGetByName("AlertUnifiedLog");
|
||
|
if (tm_module == NULL) {
|
||
|
printf("ERROR: TmModuleGetByName for AlertUnifiedLog failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
TmVarSlotSetFuncAppend(tv,tm_module,aul_logfile_ctx);
|
||
|
tm_module = TmModuleGetByName("AlertUnifiedAlert");
|
||
|
if (tm_module == NULL) {
|
||
|
printf("ERROR: TmModuleGetByName for AlertUnifiedAlert failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
TmVarSlotSetFuncAppend(tv,tm_module,aua_logfile_ctx);
|
||
|
tm_module = TmModuleGetByName("Unified2Alert");
|
||
|
if (tm_module == NULL) {
|
||
|
printf("ERROR: TmModuleGetByName for Unified2Alert failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
TmVarSlotSetFuncAppend(tv,tm_module,au2a_logfile_ctx);
|
||
|
tm_module = TmModuleGetByName("AlertDebuglog");
|
||
|
if (tm_module == NULL) {
|
||
|
printf("ERROR: TmModuleGetByName failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
TmVarSlotSetFuncAppend(tv,tm_module, ad_logfile_ctx);
|
||
|
SetupOutputs(tv);
|
||
|
TmThreadSetCPUAffinity(tv, 0);
|
||
| ... | ... | |
|
}
|
||
|
TmVarSlotSetFuncAppend(tv,tm_module,NULL);
|
||
|
tm_module = TmModuleGetByName("AlertFastlog");
|
||
|
if (tm_module == NULL) {
|
||
|
printf("ERROR: TmModuleGetByName for AlertFastlog failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
TmVarSlotSetFuncAppend(tv,tm_module,af_logfile_ctx);
|
||
|
tm_module = TmModuleGetByName("LogHttplog");
|
||
|
if (tm_module == NULL) {
|
||
|
printf("ERROR: TmModuleGetByName failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
TmVarSlotSetFuncAppend(tv,tm_module, lh_logfile_ctx);
|
||
|
tm_module = TmModuleGetByName("AlertUnifiedLog");
|
||
|
if (tm_module == NULL) {
|
||
|
printf("ERROR: TmModuleGetByName for AlertUnifiedLog failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
TmVarSlotSetFuncAppend(tv,tm_module,aul_logfile_ctx);
|
||
|
tm_module = TmModuleGetByName("AlertUnifiedAlert");
|
||
|
if (tm_module == NULL) {
|
||
|
printf("ERROR: TmModuleGetByName for AlertUnifiedAlert failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
TmVarSlotSetFuncAppend(tv,tm_module,aua_logfile_ctx);
|
||
|
tm_module = TmModuleGetByName("Unified2Alert");
|
||
|
if (tm_module == NULL) {
|
||
|
printf("ERROR: TmModuleGetByName for Unified2Alert failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
TmVarSlotSetFuncAppend(tv,tm_module,au2a_logfile_ctx);
|
||
|
tm_module = TmModuleGetByName("AlertDebuglog");
|
||
|
if (tm_module == NULL) {
|
||
|
printf("ERROR: TmModuleGetByName failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
TmVarSlotSetFuncAppend(tv,tm_module, ad_logfile_ctx);
|
||
|
SetupOutputs(tv);
|
||
|
TmThreadSetCPUAffinity(tv, 1);
|
||
| ... | ... | |
|
}
|
||
|
TmVarSlotSetFuncAppend(tv,tm_module,NULL);
|
||
|
tm_module = TmModuleGetByName("AlertFastlog");
|
||
|
if (tm_module == NULL) {
|
||
|
printf("ERROR: TmModuleGetByName for AlertFastlog failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
TmVarSlotSetFuncAppend(tv,tm_module,af_logfile_ctx);
|
||
|
tm_module = TmModuleGetByName("LogHttplog");
|
||
|
if (tm_module == NULL) {
|
||
|
printf("ERROR: TmModuleGetByName failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
TmVarSlotSetFuncAppend(tv,tm_module, lh_logfile_ctx);
|
||
|
tm_module = TmModuleGetByName("AlertUnifiedLog");
|
||
|
if (tm_module == NULL) {
|
||
|
printf("ERROR: TmModuleGetByName for AlertUnifiedLog failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
TmVarSlotSetFuncAppend(tv,tm_module,aul_logfile_ctx);
|
||
|
tm_module = TmModuleGetByName("AlertUnifiedAlert");
|
||
|
if (tm_module == NULL) {
|
||
|
printf("ERROR: TmModuleGetByName for AlertUnifiedAlert failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
TmVarSlotSetFuncAppend(tv,tm_module,aua_logfile_ctx);
|
||
|
tm_module = TmModuleGetByName("Unified2Alert");
|
||
|
if (tm_module == NULL) {
|
||
|
printf("ERROR: TmModuleGetByName for Unified2Alert failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
TmVarSlotSetFuncAppend(tv,tm_module,au2a_logfile_ctx);
|
||
|
tm_module = TmModuleGetByName("AlertDebuglog");
|
||
|
if (tm_module == NULL) {
|
||
|
printf("ERROR: TmModuleGetByName failed\n");
|
||
|
exit(EXIT_FAILURE);
|
||
|
}
|
||
|
TmVarSlotSetFuncAppend(tv,tm_module, ad_logfile_ctx);
|
||
|
SetupOutputs(tv);
|
||
|
TmThreadSetCPUAffinity(tv, 1);
|
||
| src/runmodes.h | ||
|---|---|---|
|
#ifndef __RUNMODES_H__
|
||
|
#define __RUNMODES_H__
|
||
|
int RunModeIdsPcap(DetectEngineCtx *, char *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *);
|
||
|
int RunModeIdsPcap2(DetectEngineCtx *, char *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *);
|
||
|
int RunModeIdsPcap3(DetectEngineCtx *, char *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *);
|
||
|
int RunModeIdsPcap(DetectEngineCtx *, char *);
|
||
|
int RunModeIdsPcap2(DetectEngineCtx *, char *);
|
||
|
int RunModeIdsPcap3(DetectEngineCtx *, char *);
|
||
|
int RunModeIpsNFQ(DetectEngineCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *);
|
||
| ... | ... | |
|
int RunModeIdsPfring2(DetectEngineCtx *, char *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *);
|
||
|
int RunModeIdsPfring3(DetectEngineCtx *, char *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *);
|
||
|
void RunModeShutDown(void);
|
||
|
#endif /* __RUNMODES_H__ */
|
||
| src/suricata.c | ||
|---|---|---|
|
#include "tmqh-flow.h"
|
||
|
#include "conf.h"
|
||
|
#include "conf-yaml-loader.h"
|
||
|
#include "alert-fastlog.h"
|
||
|
#include "alert-unified-log.h"
|
||
|
#include "alert-unified-alert.h"
|
||
| ... | ... | |
|
#include "util-rule-vars.h"
|
||
|
#include "util-classification-config.h"
|
||
|
#include "conf.h"
|
||
|
#include "conf-yaml-loader.h"
|
||
|
#include "defrag.h"
|
||
|
#include "runmodes.h"
|
||
| ... | ... | |
|
SCClassConfLoadClassficationConfigFile(de_ctx);
|
||
|
/** Create file contexts for output modules */
|
||
|
/* ascii */
|
||
|
LogFileCtx *af_logfile_ctx = AlertFastlogInitCtx(NULL);
|
||
|
LogFileCtx *ad_logfile_ctx = AlertDebuglogInitCtx(NULL);
|
||
|
LogFileCtx *lh_logfile_ctx = LogHttplogInitCtx(NULL);
|
||
|
/* unified */
|
||
|
LogFileCtx *aul_logfile_ctx = AlertUnifiedLogInitCtx(NULL);
|
||
|
LogFileCtx *aua_logfile_ctx = AlertUnifiedAlertInitCtx(NULL);
|
||
|
LogFileCtx *au2a_logfile_ctx = Unified2AlertInitCtx(NULL);
|
||
|
/* Logging/alerting contexts. Eventually this won't be needed. */
|
||
|
LogFileCtx *af_logfile_ctx = NULL; /* AlertFastlog */
|
||
|
LogFileCtx *ad_logfile_ctx = NULL; /* AlertDebuglog */
|
||
|
LogFileCtx *lh_logfile_ctx = NULL; /* LogHttplog */
|
||
|
LogFileCtx *aul_logfile_ctx = NULL; /* AlertUnifiedLog */
|
||
|
LogFileCtx *aua_logfile_ctx = NULL; /* AlertUnifiedAlert */
|
||
|
LogFileCtx *au2a_logfile_ctx = NULL; /* Unified2Alert */
|
||
|
if (SigLoadSignatures(de_ctx, sig_file) < 0) {
|
||
|
if (sig_file == NULL) {
|
||
| ... | ... | |
|
gettimeofday(&start_time, NULL);
|
||
|
if (mode == MODE_PCAP_DEV) {
|
||
|
//RunModeIdsPcap3(de_ctx, pcap_dev, af_logfile_ctx, ad_logfile_ctx, lh_logfile_ctx, aul_logfile_ctx, aua_logfile_ctx, au2a_logfile_ctx);
|
||
|
RunModeIdsPcap2(de_ctx, pcap_dev, af_logfile_ctx, ad_logfile_ctx, lh_logfile_ctx, aul_logfile_ctx, aua_logfile_ctx, au2a_logfile_ctx);
|
||
|
//RunModeIdsPcap(de_ctx, pcap_dev, af_logfile_ctx, ad_logfile_ctx, lh_logfile_ctx, aul_logfile_ctx, aua_logfile_ctx, au2a_logfile_ctx);
|
||
|
RunModeIdsPcap3(de_ctx, pcap_dev);
|
||
|
//RunModeIdsPcap2(de_ctx, pcap_dev);
|
||
|
//RunModeIdsPcap(de_ctx, pcap_dev);
|
||
|
}
|
||
|
else if (mode == MODE_PCAP_FILE) {
|
||
|
af_logfile_ctx = AlertFastlogInitCtx(NULL);
|
||
|
ad_logfile_ctx = AlertDebuglogInitCtx(NULL);
|
||
|
lh_logfile_ctx = LogHttplogInitCtx(NULL);
|
||