From b3cf531933b8d8b1434620839c865705c72e4c82 Mon Sep 17 00:00:00 2001 From: Jason Ish Date: Wed, 6 Jan 2010 13:32:53 -0800 Subject: [PATCH] Use the configuration file to setup alert logging (and http logging). Only setup for the live pcap modes at the moment. --- src/alert-debuglog.c | 52 ++--- src/alert-debuglog.h | 2 +- src/alert-fastlog.c | 73 +++---- src/alert-fastlog.h | 2 +- src/alert-unified-alert.c | 70 +++---- src/alert-unified-alert.h | 2 +- src/alert-unified-log.c | 78 ++++---- src/alert-unified-log.h | 2 +- src/alert-unified2-alert.c | 75 ++++---- src/alert-unified2-alert.h | 2 +- src/conf-yaml-loader.c | 10 +- src/conf.c | 4 +- src/conf.h | 1 + src/log-httplog.c | 54 ++--- src/log-httplog.h | 2 +- src/runmodes.c | 477 ++++++++++++++------------------------------ src/runmodes.h | 8 +- src/suricata.c | 51 ++++-- src/tm-modules.c | 5 +- src/tm-modules.h | 7 +- suricata.yaml | 26 +++ 21 files changed, 420 insertions(+), 583 deletions(-) diff --git a/src/alert-debuglog.c b/src/alert-debuglog.c index 997d4d9..29cf909 100644 --- a/src/alert-debuglog.c +++ b/src/alert-debuglog.c @@ -34,7 +34,7 @@ TmEcode AlertDebuglogIPv6(ThreadVars *, Packet *, void *, PacketQueue *); TmEcode AlertDebuglogThreadInit(ThreadVars *, void*, void **); TmEcode AlertDebuglogThreadDeinit(ThreadVars *, void *); void AlertDebuglogExitPrintStats(ThreadVars *, void *); -int AlertDebuglogOpenFileCtx(LogFileCtx* , char *); +int AlertDebuglogOpenFileCtx(LogFileCtx* , const char *); void TmModuleAlertDebuglogRegister (void) { tmm_modules[TMM_ALERTDEBUGLOG].name = "AlertDebuglog"; 
@@ -228,11 +228,11 @@ void AlertDebuglogExitPrintStats(ThreadVars *tv, void *data) { } -/** \brief Create a new file_ctx from config_file (if specified) - * \param config_file for loading separate configs +/** \brief Create a new LogFileCtx for alert debug logging. + * \param ConfNode containing configuration for this logger. * \return NULL if failure, LogFileCtx* to the file_ctx if succesful * */ -LogFileCtx *AlertDebuglogInitCtx(char *config_file) +LogFileCtx *AlertDebuglogInitCtx(ConfNode *conf) { int ret=0; LogFileCtx* file_ctx=LogFileNewCtx(); 
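Review bot: The new doc block for AlertDebuglogInitCtx tags the parameter as `\param ConfNode` while the signature names it `conf`, so the Doxygen tag does not match any argument. Suggest ` * \param conf ConfNode containing the configuration for this logger.` instead. The function body continues beyond this hunk.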
@@ -243,47 +243,39 @@ LogFileCtx *AlertDebuglogInitCtx(char *config_file) return NULL; } + const char *filename = ConfNodeLookupChildValue(conf, "filename"); + if (filename == NULL) + filename = DEFAULT_LOG_FILENAME; + /** fill the new LogFileCtx with the specific AlertDebuglog configuration */ - ret=AlertDebuglogOpenFileCtx(file_ctx, config_file); + ret=AlertDebuglogOpenFileCtx(file_ctx, filename); if(ret < 0) return NULL; - /** In AlertDebuglogOpenFileCtx the second parameter should be the configuration file to use - * but it's not implemented yet, so passing NULL to load the default - * configuration - */ - return file_ctx; } /** \brief Read the config set the file pointer, open the file * \param file_ctx pointer to a created LogFileCtx using LogFileNewCtx() - * \param config_file for loading separate configs + * \param filename name of log file * \return -1 if failure, 0 if succesful * */ -int AlertDebuglogOpenFileCtx(LogFileCtx *file_ctx, char *config_file) +int AlertDebuglogOpenFileCtx(LogFileCtx *file_ctx, const char *filename) { int ret=0; - if(config_file == NULL) - { - /** Separate config files not implemented at the moment, - * but it must be able to load from separate config file. - * Load the default configuration. - */ - - char log_path[PATH_MAX], *log_dir; - if (ConfGet("default-log-dir", &log_dir) != 1) - log_dir = DEFAULT_LOG_DIR; - snprintf(log_path, PATH_MAX, "%s/%s", log_dir, DEFAULT_LOG_FILENAME); - file_ctx->fp = fopen(log_path, "w"); - if (file_ctx->fp == NULL) { - SCLogError(SC_ERR_FOPEN, "ERROR: failed to open %s: %s", log_path, - strerror(errno)); - return -1; - } - } + char log_path[PATH_MAX], *log_dir; + if (ConfGet("default-log-dir", &log_dir) != 1) + log_dir = DEFAULT_LOG_DIR; + snprintf(log_path, PATH_MAX, "%s/%s", log_dir, DEFAULT_LOG_FILENAME); + file_ctx->fp = fopen(log_path, "w"); + if (file_ctx->fp == NULL) { + SCLogError(SC_ERR_FOPEN, "ERROR: failed to open %s: %s", log_path, + strerror(errno)); + return -1; + } + return ret; } 
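Review bot: AlertDebuglogOpenFileCtx now takes `filename`, but the new snprintf still uses `DEFAULT_LOG_FILENAME`, so a `filename:` value configured under alert-debug is silently ignored and the log always lands in the default file; change it to `snprintf(log_path, PATH_MAX, "%s/%s", log_dir, filename);`. In AlertDebuglogInitCtx the `if(ret < 0) return NULL;` path also drops the LogFileCtx allocated by LogFileNewCtx(), unlike the fastlog variant in this same commit which calls `LogFileFreeCtx(logfile_ctx)` before returning. The snprintf return value is not checked either, so a path longer than PATH_MAX would be truncated without an error.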
diff --git a/src/alert-debuglog.h b/src/alert-debuglog.h index 1bea007..d2f4e99 100644 --- a/src/alert-debuglog.h +++ b/src/alert-debuglog.h @@ -6,7 +6,7 @@ void TmModuleAlertDebuglogRegister (void); void TmModuleAlertDebuglogIPv4Register (void); void TmModuleAlertDebuglogIPv6Register (void); -LogFileCtx *AlertDebuglogInitCtx(char *); +LogFileCtx *AlertDebuglogInitCtx(ConfNode *); #endif /* __ALERT_DEBUGLOG_H__ */ diff --git a/src/alert-fastlog.c b/src/alert-fastlog.c index c03b6d7..c1fcdcd 100644 --- a/src/alert-fastlog.c +++ b/src/alert-fastlog.c @@ -38,7 +38,7 @@ TmEcode AlertFastlogIPv6(ThreadVars *, Packet *, void *, PacketQueue *); TmEcode AlertFastlogThreadInit(ThreadVars *, void *, void **); TmEcode AlertFastlogThreadDeinit(ThreadVars *, void *); void AlertFastlogExitPrintStats(ThreadVars *, void *); -int AlertFastlogOpenFileCtx(LogFileCtx *, char *); +int AlertFastlogOpenFileCtx(LogFileCtx *, const char *); void AlertFastLogRegisterTests(void); void TmModuleAlertFastlogRegister (void) { 
@@ -199,61 +199,50 @@ void AlertFastlogExitPrintStats(ThreadVars *tv, void *data) { SCLogInfo("(%s) Alerts %" PRIu32 "", tv->name, aft->alerts); } -/** \brief Create a new file_ctx from config_file (if specified) - * \param config_file for loading separate configs - * \return NULL if failure, LogFileCtx* to the file_ctx if succesful - * */ -LogFileCtx *AlertFastlogInitCtx(char *config_file) +/** + * \brief Create a new LogFileCtx for "fast" output style. + * \param conf The configuration node for this output. + * \return A LogFileCtx pointer on success, NULL on failure. + */ +LogFileCtx *AlertFastlogInitCtx(ConfNode *conf) { - int ret=0; - LogFileCtx* file_ctx=LogFileNewCtx(); - - if(file_ctx == NULL) - { - SCLogDebug("AlertFastlogInitCtx: Couldn't create new file_ctx"); + LogFileCtx *logfile_ctx = LogFileNewCtx(); + if (logfile_ctx == NULL) { + SCLogDebug("AlertFastLogInitCtx2: Could not create new LogFileCtx"); return NULL; } - /** fill the new LogFileCtx with the specific AlertFastlog configuration */ - ret=AlertFastlogOpenFileCtx(file_ctx, config_file); - - if(ret < 0) + const char *filename = ConfNodeLookupChildValue(conf, "filename"); + if (filename == NULL) + filename = DEFAULT_LOG_FILENAME; + if (AlertFastlogOpenFileCtx(logfile_ctx, filename) < 0) { + LogFileFreeCtx(logfile_ctx); return NULL; + } - /** In AlertFastlogOpenFileCtx the second parameter should be the configuration file to use - * but it's not implemented yet, so passing NULL to load the default - * configuration - */ + SCLogInfo("Fast log output registered, filename: %s", filename); - return file_ctx; + return logfile_ctx; } /** \brief Read the config set the file pointer, open the file * \param file_ctx pointer to a created LogFileCtx using LogFileNewCtx() - * \param config_file for loading separate configs + * \param filename name of log file * \return -1 if failure, 0 if succesful * */ -int AlertFastlogOpenFileCtx(LogFileCtx *file_ctx, char *config_file) +int 
AlertFastlogOpenFileCtx(LogFileCtx *file_ctx, const char *filename) { - if(config_file == NULL) - { - /** Separate config files not implemented at the moment, - * but it must be able to load from separate config file. - * Load the default configuration. - */ - - char log_path[PATH_MAX], *log_dir; - if (ConfGet("default-log-dir", &log_dir) != 1) - log_dir = DEFAULT_LOG_DIR; - snprintf(log_path, PATH_MAX, "%s/%s", log_dir, DEFAULT_LOG_FILENAME); - - file_ctx->fp = fopen(log_path, "w"); - - if (file_ctx->fp == NULL) { - SCLogError(SC_ERR_FOPEN, "ERROR: failed to open %s: %s", log_path, - strerror(errno)); - return -1; - } + char log_path[PATH_MAX], *log_dir; + if (ConfGet("default-log-dir", &log_dir) != 1) + log_dir = DEFAULT_LOG_DIR; + snprintf(log_path, PATH_MAX, "%s/%s", log_dir, filename); + + file_ctx->fp = fopen(log_path, "w"); + + if (file_ctx->fp == NULL) { + SCLogError(SC_ERR_FOPEN, "ERROR: failed to open %s: %s", log_path, + strerror(errno)); + return -1; } return 0; diff --git a/src/alert-fastlog.h b/src/alert-fastlog.h index 9223188..55fd5ea 100644 --- a/src/alert-fastlog.h +++ b/src/alert-fastlog.h @@ -7,7 +7,7 @@ void TmModuleAlertFastlogRegister (void); void TmModuleAlertFastlogIPv4Register (void); void TmModuleAlertFastlogIPv6Register (void); -LogFileCtx *AlertFastlogInitCtx(char *); +LogFileCtx *AlertFastlogInitCtx(ConfNode *); #endif /* __ALERT_FASTLOG_H__ */ diff --git a/src/alert-unified-alert.c b/src/alert-unified-alert.c index 89811e7..6aa0507 100644 --- a/src/alert-unified-alert.c +++ b/src/alert-unified-alert.c @@ -32,7 +32,7 @@ TmEcode AlertUnifiedAlert (ThreadVars *, Packet *, void *, PacketQueue *); TmEcode AlertUnifiedAlertThreadInit(ThreadVars *, void *, void **); TmEcode AlertUnifiedAlertThreadDeinit(ThreadVars *, void *); -int AlertUnifiedAlertOpenFileCtx(LogFileCtx *, char *); +int AlertUnifiedAlertOpenFileCtx(LogFileCtx *, const char *); void AlertUnifiedAlertRegisterTests (void); void TmModuleAlertUnifiedAlertRegister (void) { 
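Review bot: AlertFastlogInitCtx passes `conf` straight to ConfNodeLookupChildValue() with no NULL guard, whereas the unified/unified2 InitCtx functions in this same commit guard with `if (conf != NULL)` explicitly for unit tests; if ConfNodeLookupChildValue dereferences its node argument, a NULL conf crashes here. Suggest `const char *filename = NULL; if (conf != NULL) filename = ConfNodeLookupChildValue(conf, "filename");` to match the others. The debug message also names a non-existent `AlertFastLogInitCtx2`. Note that `filename` is joined to default-log-dir as-is in AlertFastlogOpenFileCtx, so a configured value containing `/` or `..` opens a file outside the log directory; acceptable if suricata.yaml is trusted, but worth a comment or a check for path separators.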
@@ -121,7 +121,7 @@ int AlertUnifiedAlertRotateFile(ThreadVars *t, AlertUnifiedAlertThread *aun) { "Error: AlertUnifiedAlertCloseFile failed"); return -1; } - if (AlertUnifiedAlertOpenFileCtx(aun->file_ctx,aun->file_ctx->config_file) < 0) { + if (AlertUnifiedAlertOpenFileCtx(aun->file_ctx,aun->file_ctx->prefix) < 0) { SCLogError(SC_ERR_UNIFIED_ALERT_GENERIC_ERROR, "Error: AlertUnifiedLogOpenFileCtx, open new log file failed"); return -1; @@ -252,11 +252,11 @@ error: } -/** \brief Create a new file_ctx from config_file (if specified) - * \param config_file for loading separate configs +/** \brief Create a new LogFileCtx for unified alert logging. + * \param conf The ConfNode for this output. * \return NULL if failure, LogFileCtx* to the file_ctx if succesful * */ -LogFileCtx *AlertUnifiedAlertInitCtx(char *config_file) +LogFileCtx *AlertUnifiedAlertInitCtx(ConfNode *conf) { int ret = 0; LogFileCtx *file_ctx = LogFileNewCtx(); @@ -267,17 +267,18 @@ LogFileCtx *AlertUnifiedAlertInitCtx(char *config_file) return NULL; } - /** fill the new LogFileCtx with the specific AlertUnifiedAlert configuration */ - ret = AlertUnifiedAlertOpenFileCtx(file_ctx, config_file); + const char *filename; + if (conf != NULL) + filename = ConfNodeLookupChildValue(conf, "filename"); + if (filename == NULL) + filename = DEFAULT_LOG_FILENAME; + file_ctx->prefix = strdup(filename); + + ret = AlertUnifiedAlertOpenFileCtx(file_ctx, filename); if (ret < 0) return NULL; - /** In AlertUnifiedAlertOpenFileCtx the second parameter should be - * the configuration file to use but it's not implemented yet, so - * passing NULL to load the default configuration - */ - return file_ctx; } 
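Review bot: In AlertUnifiedAlertInitCtx `const char *filename;` is only assigned inside `if (conf != NULL)`, so when conf is NULL (the case the guard exists for) the following `if (filename == NULL)` reads an uninitialized pointer — undefined behaviour that may skip the DEFAULT_LOG_FILENAME fallback. Initialise it: `const char *filename = NULL;`. The `strdup(filename)` result stored in file_ctx->prefix is not checked, and `if (ret < 0) return NULL;` leaks both file_ctx and that prefix; call `LogFileFreeCtx(file_ctx)` before returning (assuming it also frees prefix, which this diff does not show).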
@@ -286,7 +287,7 @@ LogFileCtx *AlertUnifiedAlertInitCtx(char *config_file) * \param config_file for loading separate configs * \return -1 if failure, 0 if succesful * */ -int AlertUnifiedAlertOpenFileCtx(LogFileCtx *file_ctx, char *config_file) +int AlertUnifiedAlertOpenFileCtx(LogFileCtx *file_ctx, const char *prefix) { char *filename = NULL; if (file_ctx->filename != NULL) @@ -294,31 +295,24 @@ int AlertUnifiedAlertOpenFileCtx(LogFileCtx *file_ctx, char *config_file) else filename = file_ctx->filename = malloc(PATH_MAX); /* XXX some sane default? */ - if (config_file == NULL) { - /** Separate config files not implemented at the moment, - * but it must be able to load from separate config file. - * Load the default configuration. - */ - - /* get the time so we can have a filename with seconds since epoch */ - struct timeval ts; - memset (&ts, 0, sizeof(struct timeval)); - TimeGet(&ts); - - /* create the filename to use */ - char *log_dir; - if (ConfGet("default-log-dir", &log_dir) != 1) - log_dir = DEFAULT_LOG_DIR; - - snprintf(filename, PATH_MAX, "%s/%s.%" PRIu32, log_dir, "unified.alert", (uint32_t)ts.tv_sec); - - /* XXX filename & location */ - file_ctx->fp = fopen(filename, "wb"); - if (file_ctx->fp == NULL) { - SCLogError(SC_ERR_FOPEN, "ERROR: failed to open %s: %s", filename, - strerror(errno)); - return -1; - } + /* get the time so we can have a filename with seconds since epoch */ + struct timeval ts; + memset (&ts, 0, sizeof(struct timeval)); + TimeGet(&ts); + + /* create the filename to use */ + char *log_dir; + if (ConfGet("default-log-dir", &log_dir) != 1) + log_dir = DEFAULT_LOG_DIR; + + snprintf(filename, PATH_MAX, "%s/%s.%" PRIu32, log_dir, prefix, (uint32_t)ts.tv_sec); + + /* XXX filename & location */ + file_ctx->fp = fopen(filename, "wb"); + if (file_ctx->fp == NULL) { + SCLogError(SC_ERR_FOPEN, "ERROR: failed to open %s: %s", filename, + strerror(errno)); + return -1; } return 0; 
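Review bot: The context line ` * \param config_file for loading separate configs` above AlertUnifiedAlertOpenFileCtx is now stale: the parameter was renamed to `prefix` and no longer selects a config. Replace it with ` * \param prefix prefix of the log filename; a .seconds-since-epoch suffix is appended`. The function continues past this hunk.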
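Review bot: With `prefix` now coming from the configuration, the unchecked `snprintf(filename, PATH_MAX, ...)` can truncate, and because the `.%u` timestamp is the last component it is the part lost; AlertUnifiedAlertRotateFile reopens through this same function, so a rotated file would be opened with "wb" on the same truncated path and clobber the previous log. Check the result: `int n = snprintf(filename, PATH_MAX, "%s/%s.%" PRIu32, log_dir, prefix, (uint32_t)ts.tv_sec); if (n < 0 || n >= PATH_MAX) return -1;` after logging an SCLogError. The same applies to the parallel AlertUnifiedLogOpenFileCtx and Unified2AlertOpenFileCtx hunks in this commit.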
diff --git a/src/alert-unified-alert.h b/src/alert-unified-alert.h index 29946b9..a1677e5 100644 --- a/src/alert-unified-alert.h +++ b/src/alert-unified-alert.h @@ -4,7 +4,7 @@ #define __ALERT_UNIFIED_ALERT_H__ void TmModuleAlertUnifiedAlertRegister (void); -LogFileCtx *AlertUnifiedAlertInitCtx(char *); +LogFileCtx *AlertUnifiedAlertInitCtx(ConfNode *); #endif /* __ALERT_UNIFIED_ALERT_H__ */ diff --git a/src/alert-unified-log.c b/src/alert-unified-log.c index c2462be..67f4d17 100644 --- a/src/alert-unified-log.c +++ b/src/alert-unified-log.c @@ -12,6 +12,8 @@ * */ +#include + #include "suricata-common.h" #include "debug.h" #include "detect.h" @@ -32,7 +34,7 @@ TmEcode AlertUnifiedLog (ThreadVars *, Packet *, void *, PacketQueue *); TmEcode AlertUnifiedLogThreadInit(ThreadVars *, void *, void **); TmEcode AlertUnifiedLogThreadDeinit(ThreadVars *, void *); -int AlertUnifiedLogOpenFileCtx(LogFileCtx *, char *); +int AlertUnifiedLogOpenFileCtx(LogFileCtx *, const char *); void AlertUnifiedLogRegisterTests(void); void TmModuleAlertUnifiedLogRegister (void) { @@ -122,7 +124,8 @@ int AlertUnifiedLogRotateFile(ThreadVars *t, AlertUnifiedLogThread *aun) { printf("Error: AlertUnifiedLogCloseFile failed\n"); return -1; } - if (AlertUnifiedLogOpenFileCtx(aun->file_ctx,aun->file_ctx->config_file) < 0) { + + if (AlertUnifiedLogOpenFileCtx(aun->file_ctx,aun->file_ctx->prefix) < 0) { printf("Error: AlertUnifiedLogOpenFileCtx, open new log file failed\n"); return -1; } @@ -263,11 +266,11 @@ error: } -/** \brief Create a new file_ctx from config_file (if specified) - * \param config_file for loading separate configs +/** \brief Create a new LogFileCtx for unified alert logging. + * \param ConfNode pointer to the configuration node for this logger. * \return NULL if failure, LogFileCtx* to the file_ctx if succesful * */ -LogFileCtx *AlertUnifiedLogInitCtx(char *config_file) +LogFileCtx *AlertUnifiedLogInitCtx(ConfNode *conf) { int ret=0; LogFileCtx* file_ctx=LogFileNewCtx(); 
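Review bot: The added `#include` line in alert-unified-log.c shows no header name in this rendering; if it is meant to be `<string.h>` for the new strdup() call, alert-unified-alert.c and alert-unified2-alert.c also gain strdup() in this commit without an equivalent include. Either they already get it via suricata-common.h and this one is redundant, or they need it as well. Worth confirming the include is intact in the committed file.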
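Review bot: The new brief for AlertUnifiedLogInitCtx says "for unified alert logging", copied from alert-unified-alert.c, and tags the parameter as `\param ConfNode` rather than `conf`. Suggest ` * \brief Create a new LogFileCtx for unified log output.` and ` * \param conf ConfNode holding this logger's configuration.`. The function body continues in the next hunk.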
@@ -278,26 +281,29 @@ LogFileCtx *AlertUnifiedLogInitCtx(char *config_file) return NULL; } - /** fill the new LogFileCtx with the specific AlertUnifiedLog configuration */ - ret=AlertUnifiedLogOpenFileCtx(file_ctx, config_file); + const char *filename; + if (conf != NULL) { /* \todo Maybe test should setup a ConfNode */ + filename = ConfNodeLookupChildValue(conf, "filename"); + } + if (filename == NULL) + filename = DEFAULT_LOG_FILENAME; + + file_ctx->prefix = strdup(filename); + + ret=AlertUnifiedLogOpenFileCtx(file_ctx, filename); if(ret < 0) return NULL; - /** In AlertUnifiedLogOpenFileCtx the second parameter should be the configuration file to use - * but it's not implemented yet, so passing NULL to load the default - * configuration - */ - return file_ctx; } /** \brief Read the config set the file pointer, open the file * \param file_ctx pointer to a created LogFileCtx using LogFileNewCtx() - * \param config_file for loading separate configs + * \param prefix Prefix for log filenames. * \return -1 if failure, 0 if succesful * */ -int AlertUnifiedLogOpenFileCtx(LogFileCtx *file_ctx, char *config_file) +int AlertUnifiedLogOpenFileCtx(LogFileCtx *file_ctx, const char *prefix) { char *filename = NULL; if (file_ctx->filename != NULL) 
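Review bot: Same uninitialized-pointer issue as the unified-alert variant: `const char *filename;` is assigned only under `if (conf != NULL)`, so the subsequent `if (filename == NULL)` reads garbage when conf is NULL (the `\todo` case the guard exists for); write `const char *filename = NULL;`. The `if(ret < 0) return NULL;` also leaks file_ctx and the strdup'd prefix — call `LogFileFreeCtx(file_ctx)` first — and the strdup() result is not checked before it is later reused by the rotate path. AlertUnifiedLogOpenFileCtx, which begins at the end of this hunk, continues in the next one.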
@@ -305,32 +311,24 @@ int AlertUnifiedLogOpenFileCtx(LogFileCtx *file_ctx, char *config_file) else filename = file_ctx->filename = malloc(PATH_MAX); /* XXX some sane default? */ - if(config_file == NULL) - { - /** Separate config files not implemented at the moment, - * but it must be able to load from separate config file. - * Load the default configuration. - */ - - /* get the time so we can have a filename with seconds since epoch */ - struct timeval ts; - memset (&ts, 0, sizeof(struct timeval)); - TimeGet(&ts); - - /* create the filename to use */ - char *log_dir; - if (ConfGet("default-log-dir", &log_dir) != 1) - log_dir = DEFAULT_LOG_DIR; - - snprintf(filename, PATH_MAX, "%s/%s.%" PRIu32, log_dir, "unified.log", (uint32_t)ts.tv_sec); - - /* XXX filename & location */ - file_ctx->fp = fopen(filename, "wb"); - if (file_ctx->fp == NULL) { - SCLogError(SC_ERR_FOPEN, "ERROR: failed to open %s: %s", filename, - strerror(errno)); - return -1; - } + /* get the time so we can have a filename with seconds since epoch */ + struct timeval ts; + memset (&ts, 0, sizeof(struct timeval)); + TimeGet(&ts); + + /* create the filename to use */ + char *log_dir; + if (ConfGet("default-log-dir", &log_dir) != 1) + log_dir = DEFAULT_LOG_DIR; + + snprintf(filename, PATH_MAX, "%s/%s.%" PRIu32, log_dir, prefix, (uint32_t)ts.tv_sec); + + /* XXX filename & location */ + file_ctx->fp = fopen(filename, "wb"); + if (file_ctx->fp == NULL) { + SCLogError(SC_ERR_FOPEN, "ERROR: failed to open %s: %s", filename, + strerror(errno)); + return -1; } return 0; diff --git a/src/alert-unified-log.h b/src/alert-unified-log.h index df8720b..b317543 100644 --- a/src/alert-unified-log.h +++ b/src/alert-unified-log.h @@ -4,7 +4,7 @@ #define __ALERT_UNIFIED_LOG_H__ void TmModuleAlertUnifiedLogRegister (void); -LogFileCtx *AlertUnifiedLogInitCtx(char *); +LogFileCtx *AlertUnifiedLogInitCtx(ConfNode *); #endif /* __ALERT_UNIFIED_LOG_H__ */ 
diff --git a/src/alert-unified2-alert.c b/src/alert-unified2-alert.c index 2f81187..7f2d7af 100644 --- a/src/alert-unified2-alert.c +++ b/src/alert-unified2-alert.c @@ -25,6 +25,8 @@ #define IPPROTO_SCTP 132 #endif +#define DEFAULT_LOG_FILENAME "unified2.alert" + /*prototypes*/ TmEcode Unified2Alert (ThreadVars *, Packet *, void *, PacketQueue *); TmEcode Unified2AlertThreadInit(ThreadVars *, void *, void **); @@ -33,7 +35,7 @@ int Unified2IPv4TypeAlert(ThreadVars *, Packet *, void *, PacketQueue *); int Unified2IPv6TypeAlert(ThreadVars *, Packet *, void *, PacketQueue *); int Unified2PacketTypeAlert(ThreadVars *, Packet *, void *); void Unified2RegisterTests(); -int Unified2AlertOpenFileCtx(LogFileCtx *, char *); +int Unified2AlertOpenFileCtx(LogFileCtx *, const char *); /** * Unified2 thread vars @@ -157,7 +159,7 @@ int Unified2AlertRotateFile(ThreadVars *t, Unified2AlertThread *aun) { "Error: Unified2AlertCloseFile failed"); return -1; } - if (Unified2AlertOpenFileCtx(aun->file_ctx,aun->file_ctx->config_file) < 0) { + if (Unified2AlertOpenFileCtx(aun->file_ctx,aun->file_ctx->prefix) < 0) { SCLogError(SC_ERR_UNIFIED2_ALERT_GENERIC_ERROR, "Error: Unified2AlertOpenFileCtx, open new log file failed"); return -1; @@ -534,11 +536,11 @@ error: return TM_ECODE_FAILED; } -/** \brief Create a new file_ctx from config_file (if specified) - * \param config_file for loading separate configs +/** \brief Create a new LogFileCtx from the provided ConfNode. + * \param conf The configuration node for this output. * \return NULL if failure, LogFileCtx* to the file_ctx if succesful * */ -LogFileCtx *Unified2AlertInitCtx(char *config_file) +LogFileCtx *Unified2AlertInitCtx(ConfNode *conf) { int ret=0; LogFileCtx* file_ctx=LogFileNewCtx(); 
@@ -550,26 +552,28 @@ LogFileCtx *Unified2AlertInitCtx(char *config_file) return NULL; } - /** fill the new LogFileCtx with the specific Unified2Alert configuration */ - ret=Unified2AlertOpenFileCtx(file_ctx, config_file); + const char *filename; + if (conf != NULL) { /* To faciliate unit tests. */ + filename = ConfNodeLookupChildValue(conf, "filename"); + } + if (filename == NULL) + filename = DEFAULT_LOG_FILENAME; + file_ctx->prefix = strdup(filename); + + ret=Unified2AlertOpenFileCtx(file_ctx, filename); if(ret < 0) return NULL; - /** In Unified2AlertOpenFileCtx the second parameter should be the configuration file to use - * but it's not implemented yet, so passing NULL to load the default - * configuration - */ - return file_ctx; } /** \brief Read the config set the file pointer, open the file * \param file_ctx pointer to a created LogFileCtx using LogFileNewCtx() - * \param config_file for loading separate configs + * \param prefix Prefix of the log file. * \return -1 if failure, 0 if succesful * */ -int Unified2AlertOpenFileCtx(LogFileCtx *file_ctx, char *config_file) +int Unified2AlertOpenFileCtx(LogFileCtx *file_ctx, const char *prefix) { char *filename = NULL; if (file_ctx->filename != NULL) 
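Review bot: Unified2AlertInitCtx has the same defect as its unified siblings: `const char *filename;` is uninitialized when `conf == NULL`, so `if (filename == NULL)` reads an indeterminate pointer instead of falling back to DEFAULT_LOG_FILENAME; declare it `const char *filename = NULL;`. On `ret < 0` the function returns NULL without `LogFileFreeCtx(file_ctx)`, leaking the context and the strdup'd prefix, and the strdup() return is not checked. Unified2AlertOpenFileCtx, which starts at the bottom of this hunk, continues in the next one.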
@@ -577,31 +581,24 @@ int Unified2AlertOpenFileCtx(LogFileCtx *file_ctx, char *config_file) else filename = file_ctx->filename = malloc(PATH_MAX); /* XXX some sane default? */ - if (config_file == NULL) { - /** Separate config files not implemented at the moment, - * but it must be able to load from separate config file. - * Load the default configuration. - */ - - /** get the time so we can have a filename with seconds since epoch */ - struct timeval ts; - memset(&ts, 0x00, sizeof(struct timeval)); - TimeGet(&ts); - - /* create the filename to use */ - char *log_dir; - if (ConfGet("default-log-dir", &log_dir) != 1) - log_dir = DEFAULT_LOG_DIR; - - snprintf(filename, PATH_MAX, "%s/%s.%" PRIu32, log_dir, "unified2.alert", (uint32_t)ts.tv_sec); - - /* XXX filename & location */ - file_ctx->fp = fopen(filename, "wb"); - if (file_ctx->fp == NULL) { - SCLogError(SC_ERR_FOPEN, "ERROR: failed to open %s: %s", filename, - strerror(errno)); - return -1; - } + /** get the time so we can have a filename with seconds since epoch */ + struct timeval ts; + memset(&ts, 0x00, sizeof(struct timeval)); + TimeGet(&ts); + + /* create the filename to use */ + char *log_dir; + if (ConfGet("default-log-dir", &log_dir) != 1) + log_dir = DEFAULT_LOG_DIR; + + snprintf(filename, PATH_MAX, "%s/%s.%" PRIu32, log_dir, prefix, (uint32_t)ts.tv_sec); + + /* XXX filename & location */ + file_ctx->fp = fopen(filename, "wb"); + if (file_ctx->fp == NULL) { + SCLogError(SC_ERR_FOPEN, "ERROR: failed to open %s: %s", filename, + strerror(errno)); + return -1; } return 0; diff --git a/src/alert-unified2-alert.h b/src/alert-unified2-alert.h index 9f79c82..ed41757 100644 --- a/src/alert-unified2-alert.h +++ b/src/alert-unified2-alert.h @@ -22,7 +22,7 @@ #define UNIFIED2_IDS_EVENT_IPV6_MPLS_TYPE 100 void TmModuleUnified2AlertRegister (void); -LogFileCtx *Unified2AlertInitCtx(char *); +LogFileCtx *Unified2AlertInitCtx(ConfNode *); #endif /* __ALERT_UNIFIED2_ALERT_H__ */ 
diff --git a/src/conf-yaml-loader.c b/src/conf-yaml-loader.c index 6370938..9b88b45 100644 --- a/src/conf-yaml-loader.c +++ b/src/conf-yaml-loader.c @@ -110,13 +110,16 @@ ConfYamlParse2(yaml_parser_t *parser, ConfNode *parent, int inseq) } else { if (state == CONF_KEY) { + if (parent->is_seq) { + parent->val = strdup(value); + } node = ConfNodeNew(); - node->name = strdup((char *)event.data.scalar.value); + node->name = strdup(value); TAILQ_INSERT_TAIL(&parent->head, node, next); state = CONF_VAL; } else { - node->val = strdup((char *)event.data.scalar.value); + node->val = strdup(value); state = CONF_KEY; } } @@ -130,6 +133,7 @@ ConfYamlParse2(yaml_parser_t *parser, ConfNode *parent, int inseq) else if (event.type == YAML_MAPPING_START_EVENT) { if (inseq) { ConfNode *seq_node = ConfNodeNew(); + seq_node->is_seq = 1; seq_node->name = calloc(1, DEFAULT_NAME_LEN); snprintf(seq_node->name, DEFAULT_NAME_LEN, "%d", seq_idx++); TAILQ_INSERT_TAIL(&node->head, seq_node, next); @@ -138,7 +142,7 @@ ConfYamlParse2(yaml_parser_t *parser, ConfNode *parent, int inseq) else { ConfYamlParse2(parser, node, inseq); } - state ^= CONF_VAL; + state = CONF_KEY; } else if (event.type == YAML_MAPPING_END_EVENT) { done = 1; diff --git a/src/conf.c b/src/conf.c index b8a4d19..f25af88 100644 --- a/src/conf.c +++ b/src/conf.c @@ -428,7 +428,7 @@ ConfNodeDump(ConfNode *node, const char *prefix) level++; TAILQ_FOREACH(child, &node->head, next) { name[level] = strdup(child->name); - if (child->val != NULL) { + // if (child->val != NULL) { if (prefix == NULL) { printf("%s = %s\n", ConfPrintNameArray(name, level), child->val); @@ -437,7 +437,7 @@ ConfNodeDump(ConfNode *node, const char *prefix) printf("%s.%s = %s\n", prefix, ConfPrintNameArray(name, level), child->val); } - } + //} ConfNodeDump(child, prefix); free(name[level]); } diff --git a/src/conf.h b/src/conf.h index e2736a9..be2ca3f 100644 --- a/src/conf.h +++ b/src/conf.h 
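Review bot: `parent->val = strdup(value)` runs for every key scalar under a sequence mapping node, so a list item that is a mapping with more than one key overwrites `parent->val` and leaks the earlier strdup, and SetupOutputs in runmodes.c then sees only the last key as the output name. Guard it: `if (parent->is_seq && parent->val == NULL) parent->val = strdup(value);`, or free the previous value first. `value` is not declared within this hunk, so it is assumed to be defined earlier in ConfYamlParse2.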
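Review bot: Commenting out the `if (child->val != NULL)` guard in ConfNodeDump lets `printf("%s = %s\n", ..., child->val)` receive a NULL pointer for nodes without a value, which is undefined behaviour for `%s` — glibc prints "(null)" but other libcs crash. If the intent is to dump structure nodes too, print explicitly with `child->val != NULL ? child->val : "(null)"` in both printf calls, and delete the `//` lines rather than leaving commented-out code in the function.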
@@ -16,6 +16,7 @@ typedef struct ConfNode_ { char *name; char *val; + int is_seq; int allow_override; TAILQ_HEAD(, ConfNode_) head; diff --git a/src/log-httplog.c b/src/log-httplog.c index 51ddeb5..5f0d1d4 100644 --- a/src/log-httplog.c +++ b/src/log-httplog.c @@ -28,7 +28,7 @@ TmEcode LogHttplogIPv6(ThreadVars *, Packet *, void *, PacketQueue *); TmEcode LogHttplogThreadInit(ThreadVars *, void *, void **); TmEcode LogHttplogThreadDeinit(ThreadVars *, void *); void LogHttplogExitPrintStats(ThreadVars *, void *); -int LogHttplogOpenFileCtx(LogFileCtx* , char *); +int LogHttplogOpenFileCtx(LogFileCtx* , const char *); void TmModuleLogHttplogRegister (void) { tmm_modules[TMM_LOGHTTPLOG].name = "LogHttplog"; @@ -217,11 +217,11 @@ void LogHttplogExitPrintStats(ThreadVars *tv, void *data) { SCLogInfo("(%s) HTTP requests %" PRIu32 "", tv->name, aft->uri_cnt); } -/** \brief Create a new file_ctx from config_file (if specified) - * \param config_file for loading separate configs +/** \brief Create a new http log LogFileCtx. + * \param conf Pointer to ConfNode containing this loggers configuration. * \return NULL if failure, LogFileCtx* to the file_ctx if succesful * */ -LogFileCtx *LogHttplogInitCtx(char *config_file) +LogFileCtx *LogHttplogInitCtx(ConfNode *conf) { int ret=0; LogFileCtx* file_ctx=LogFileNewCtx(); @@ -233,17 +233,16 @@ LogFileCtx *LogHttplogInitCtx(char *config_file) return NULL; } + const char *filename = ConfNodeLookupChildValue(conf, "filename"); + if (filename == NULL) + filename = DEFAULT_LOG_FILENAME; + /** fill the new LogFileCtx with the specific LogHttplog configuration */ - ret=LogHttplogOpenFileCtx(file_ctx, config_file); + ret=LogHttplogOpenFileCtx(file_ctx, filename); if(ret < 0) return NULL; - /** In LogHttplogOpenFileCtx the second parameter should be the configuration file to use - * but it's not implemented yet, so passing NULL to load the default - * configuration - */ - return file_ctx; } 
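Review bot: LogHttplogInitCtx passes `conf` to ConfNodeLookupChildValue() with no NULL check and returns NULL on open failure without releasing the LogFileCtx from LogFileNewCtx(), while the fastlog hunk in this commit calls `LogFileFreeCtx` on that path. Suggest `const char *filename = NULL; if (conf != NULL) filename = ConfNodeLookupChildValue(conf, "filename");` and `if (ret < 0) { LogFileFreeCtx(file_ctx); return NULL; }`. The `ret` variable is otherwise only used for this one check.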
@@ -252,30 +251,19 @@ LogFileCtx *LogHttplogInitCtx(char *config_file) * \param config_file for loading separate configs * \return -1 if failure, 0 if succesful * */ -int LogHttplogOpenFileCtx(LogFileCtx *file_ctx, char *config_file) +int LogHttplogOpenFileCtx(LogFileCtx *file_ctx, const char *filename) { - if(config_file == NULL) - { - /** Separate config files not implemented at the moment, - * but it must be able to load from separate config file. - * Load the default configuration. - */ - - char log_path[PATH_MAX], *log_dir; - if (ConfGet("default-log-dir", &log_dir) != 1) - log_dir = DEFAULT_LOG_DIR; - snprintf(log_path, PATH_MAX, "%s/%s", log_dir, DEFAULT_LOG_FILENAME); - - file_ctx->fp = fopen(log_path, "w"); - - if (file_ctx->fp == NULL) { - SCLogError(SC_ERR_FOPEN, "ERROR: failed to open %s: %s", log_path, - strerror(errno)); - return -1; - } - if(file_ctx->config_file == NULL) - file_ctx->config_file = strdup("configfile.lh"); - /** Remember the config file (or NULL if not indicated) */ + char log_path[PATH_MAX], *log_dir; + if (ConfGet("default-log-dir", &log_dir) != 1) + log_dir = DEFAULT_LOG_DIR; + snprintf(log_path, PATH_MAX, "%s/%s", log_dir, filename); + + file_ctx->fp = fopen(log_path, "w"); + + if (file_ctx->fp == NULL) { + SCLogError(SC_ERR_FOPEN, "ERROR: failed to open %s: %s", log_path, + strerror(errno)); + return -1; } return 0; diff --git a/src/log-httplog.h b/src/log-httplog.h index ef3c865..9bb9dd8 100644 --- a/src/log-httplog.h +++ b/src/log-httplog.h @@ -6,7 +6,7 @@ void TmModuleLogHttplogRegister (void); void TmModuleLogHttplogIPv4Register (void); void TmModuleLogHttplogIPv6Register (void); -LogFileCtx *LogHttplogInitCtx(char *); +LogFileCtx *LogHttplogInitCtx(ConfNode *); #endif /* __LOG_HTTPLOG_H__ */ diff --git a/src/runmodes.c b/src/runmodes.c index f3714bd..bedf41f 100644 --- a/src/runmodes.c +++ b/src/runmodes.c 
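Review bot: The context line ` * \param config_file for loading separate configs` still documents LogHttplogOpenFileCtx's old parameter; the new signature takes `filename`. Change it to ` * \param filename name of the log file, opened under default-log-dir`. The unchecked `snprintf(log_path, PATH_MAX, ...)` return is pre-existing but now matters more since the name is configurable.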
@@ -9,9 +9,143 @@ #include "suricata-common.h" #include "detect-engine.h" #include "tm-threads.h" +#include "util-debug.h" #include "util-time.h" +#include "conf.h" +#include "queue.h" -int RunModeIdsPcap(DetectEngineCtx *de_ctx, char *iface, LogFileCtx *af_logfile_ctx, LogFileCtx *ad_logfile_ctx, LogFileCtx *lh_logfile_ctx, LogFileCtx *aul_logfile_ctx, LogFileCtx *aua_logfile_ctx, LogFileCtx *au2a_logfile_ctx) { +#include "alert-fastlog.h" +#include "alert-unified-log.h" +#include "alert-unified-alert.h" +#include "alert-unified2-alert.h" +#include "alert-debuglog.h" + +#include "log-httplog.h" + +/** + * Define a linked list to use as a registry of LogFileCtx shutdown hooks. + */ +typedef struct LogFileCtxShutDownHook_ { + LogFileCtx *logfile_ctx; + TAILQ_ENTRY(LogFileCtxShutDownHook_) entries; +} LogFileCtxShutDownHook; +TAILQ_HEAD(, LogFileCtxShutDownHook_) LogFileCtxShutDownHooks = + TAILQ_HEAD_INITIALIZER(LogFileCtxShutDownHooks); + +/** + * \brief Register a LogFileCtx for shutdown cleanup. + * + * \param logfile_ctx A point to the LogFileCtx to free on shutdown. + */ +void RegisterLogFileCtx(LogFileCtx *logfile_ctx) +{ + LogFileCtxShutDownHook *hook = calloc(1, sizeof(LogFileCtxShutDownHook)); + if (hook == NULL) { + SCLogError(SC_ERR_MEM_ALLOC, + "Failed to allocate memory for LogFileCtx shutdown hook"); + exit(EXIT_FAILURE); + } + hook->logfile_ctx = logfile_ctx; + TAILQ_INSERT_TAIL(&LogFileCtxShutDownHooks, hook, entries); +} + +/** + * Run the log file shutdown hooks. The hooks are also unregistered + * and the memory is freed. 
+ */ +static void RunLogFileCtxShutDownHooks(void) +{ + LogFileCtxShutDownHook *hook; + + while ((hook = TAILQ_FIRST(&LogFileCtxShutDownHooks))) { + TAILQ_REMOVE(&LogFileCtxShutDownHooks, hook, entries); + LogFileFreeCtx(hook->logfile_ctx); + free(hook); + } +} + +void RunModeShutDown(void) +{ + RunLogFileCtxShutDownHooks(); +} + +struct AlertOutput { + char *shortname; + char *longname; + LogFileCtx *(*InitFunc)(ConfNode *); +} alert_descriptor[] = { + {"fast", "AlertFastlog", AlertFastlogInitCtx}, + {"http-log", "LogHttplog", LogHttplogInitCtx}, + {"unified-log", "AlertUnifiedLog", AlertUnifiedLogInitCtx}, + {"unified-alert", "AlertUnifiedAlert", AlertUnifiedAlertInitCtx}, + {"unified2-alert", "Unified2Alert", Unified2AlertInitCtx}, + {"alert-debug", "AlertDebuglog", AlertDebuglogInitCtx}, +}; + +struct AlertOutput * +GetAlertOutputByName(char *name) +{ + int i; + + for (i = 0; i < sizeof(alert_descriptor)/sizeof(alert_descriptor[0]); i++) { + if (strcmp(alert_descriptor[i].shortname, name) == 0) + return &alert_descriptor[i]; + } + + return NULL; +} + +static void SetupOutputs(ThreadVars *tv_outputs) +{ + ConfNode *outputs = ConfGetNode("outputs"); + if (outputs == NULL) { + /* No "outputs" section in the configuration. */ + return; + } + + ConfNode *output, *output_config; + TmModule *tm_module; + struct AlertOutput *output_info; + const char *enabled; + TAILQ_FOREACH(output, &outputs->head, next) { + output_info = GetAlertOutputByName(output->val); + if (output_info == NULL) { + printf("Unknown output type: %s\n", output->val); + continue; + } + + output_config = ConfNodeLookupChild(output, output_info->shortname); + if (output_config == NULL) { + /* Shouldn't happen. 
*/ + SCLogError(SC_INVALID_ARGUMENT, + "Failed to lookup configuration child node: fast"); + exit(1); + } + + enabled = ConfNodeLookupChildValue(output_config, "enabled"); + if (enabled != NULL && strcasecmp(enabled, "yes") == 0) { + LogFileCtx *logfile_ctx = output_info->InitFunc(output_config); + if (logfile_ctx == NULL) { + /* In most cases the init function will have logged the + * error. */ + continue; + } + if (logfile_ctx == NULL) { + printf("* fast_ctx is NULL\n"); + } + tm_module = TmModuleGetByName(output_info->longname); + if (tm_module == NULL) { + SCLogError(SC_INVALID_ARGUMENT, + "TmModuleGetByName for AlertFastlog failed"); + exit(EXIT_FAILURE); + } + TmVarSlotSetFuncAppend(tv_outputs, tm_module, logfile_ctx); + RegisterLogFileCtx(logfile_ctx); + } + } +} + +int RunModeIdsPcap(DetectEngineCtx *de_ctx, char *iface) { TimeModeSetLive(); /* create the threads */ 
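Review bot: SetupOutputs hard-codes `fast` and `AlertFastlog` in its two error messages although it loops over every output type, and the second `if (logfile_ctx == NULL)` block after the `continue` is unreachable; the messages should use `output_info->shortname` / `output_info->longname` and the dead block should go. `GetAlertOutputByName` also calls strcmp() on `output->val`, which per the conf-yaml-loader hunk is only set when a sequence item is a mapping, so a bare scalar list entry would pass NULL to strcmp — guard it before the lookup. Minor: the loop index `int i` is compared with a `sizeof` expression (signed/unsigned), `exit(1)` should be `exit(EXIT_FAILURE)` like the rest of the function, and `alert_descriptor`, `GetAlertOutputByName` and `LogFileCtxShutDownHooks` could be `static` since nothing outside this file is shown using them.
```c
    TAILQ_FOREACH(output, &outputs->head, next) {
        if (output->val == NULL) {
            SCLogError(SC_INVALID_ARGUMENT, "Output entry without a name");
            continue;
        }
        output_info = GetAlertOutputByName(output->val);
        /* … unchanged: unknown-output-type check … */
        output_config = ConfNodeLookupChild(output, output_info->shortname);
        if (output_config == NULL) {
            SCLogError(SC_INVALID_ARGUMENT,
                "Failed to lookup configuration child node: %s",
                output_info->shortname);
            exit(EXIT_FAILURE);
        }
        /* … unchanged: enabled check and InitFunc call with its NULL test … */
        tm_module = TmModuleGetByName(output_info->longname);
        if (tm_module == NULL) {
            SCLogError(SC_INVALID_ARGUMENT,
                "TmModuleGetByName for %s failed", output_info->longname);
            exit(EXIT_FAILURE);
        }
        /* … unchanged: TmVarSlotSetFuncAppend / RegisterLogFileCtx … */
```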
@@ -117,85 +251,10 @@ int RunModeIdsPcap(DetectEngineCtx *de_ctx, char *iface, LogFileCtx *af_logfile_
 exit(EXIT_FAILURE);
 }
- ThreadVars *tv_alert = TmThreadCreatePacketHandler("AlertFastlog&Httplog","alert-queue1","simple","alert-queue2","simple","varslot");
- if (tv_alert == NULL) {
- printf("ERROR: TmThreadsCreate failed\n");
- exit(EXIT_FAILURE);
- }
- tm_module = TmModuleGetByName("AlertFastlog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName for AlertFastlog failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv_alert, tm_module, af_logfile_ctx);
-
- tm_module = TmModuleGetByName("LogHttplog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv_alert, tm_module, lh_logfile_ctx);
-
- if (TmThreadSpawn(tv_alert) != TM_ECODE_OK) {
- printf("ERROR: TmThreadSpawn failed\n");
- exit(EXIT_FAILURE);
- }
-
- ThreadVars *tv_unified = TmThreadCreatePacketHandler("AlertUnifiedLog","alert-queue2","simple","alert-queue3","simple","varslot");
- if (tv_unified == NULL) {
- printf("ERROR: TmThreadsCreate failed\n");
- exit(EXIT_FAILURE);
- }
-
- tm_module = TmModuleGetByName("AlertUnifiedLog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName for AlertUnifiedLog failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv_unified, tm_module, aul_logfile_ctx);
-
- tm_module = TmModuleGetByName("AlertUnifiedAlert");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName for AlertUnifiedAlert failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv_unified, tm_module, aua_logfile_ctx);
-
- if (TmThreadSpawn(tv_unified) != TM_ECODE_OK) {
- printf("ERROR: TmThreadSpawn failed\n");
- exit(EXIT_FAILURE);
- }
-
- ThreadVars *tv_unified2 = TmThreadCreatePacketHandler("Unified2Alert","alert-queue3","simple","alert-queue4","simple","1slot");
- if (tv_unified2 == NULL) {
- printf("ERROR: TmThreadsCreate failed\n");
- exit(EXIT_FAILURE);
- }
- tm_module = TmModuleGetByName("Unified2Alert");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName failed\n");
- exit(EXIT_FAILURE);
- }
- Tm1SlotSetFunc(tv_unified2,tm_module,au2a_logfile_ctx);
-
- if (TmThreadSpawn(tv_unified2) != TM_ECODE_OK) {
- printf("ERROR: TmThreadSpawn failed\n");
- exit(EXIT_FAILURE);
- }
-
- ThreadVars *tv_debugalert = TmThreadCreatePacketHandler("AlertDebuglog","alert-queue4","simple","packetpool","packetpool","1slot");
- if (tv_debugalert == NULL) {
- printf("ERROR: TmThreadsCreate failed\n");
- exit(EXIT_FAILURE);
- }
- tm_module = TmModuleGetByName("AlertDebuglog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName failed\n");
- exit(EXIT_FAILURE);
- }
- Tm1SlotSetFunc(tv_debugalert,tm_module, ad_logfile_ctx);
-
- if (TmThreadSpawn(tv_debugalert) != TM_ECODE_OK) {
+ ThreadVars *tv_outputs = TmThreadCreatePacketHandler("Outputs",
+ "alert-queue1", "simple", "packetpool", "packetpool", "varslot");
+ SetupOutputs(tv_outputs);
+ if (TmThreadSpawn(tv_outputs) != TM_ECODE_OK) {
 printf("ERROR: TmThreadSpawn failed\n");
 exit(EXIT_FAILURE);
 }
@@ -204,7 +263,7 @@ int RunModeIdsPcap(DetectEngineCtx *de_ctx, char *iface, LogFileCtx *af_logfile_
 }
 /** \brief Live pcap mode with 4 stream tracking and reassembly threads, testing the flow queuehandler */
-int RunModeIdsPcap2(DetectEngineCtx *de_ctx, char *iface, LogFileCtx *af_logfile_ctx, LogFileCtx *ad_logfile_ctx, LogFileCtx *lh_logfile_ctx, LogFileCtx *aul_logfile_ctx, LogFileCtx *aua_logfile_ctx, LogFileCtx *au2a_logfile_ctx) {
+int RunModeIdsPcap2(DetectEngineCtx *de_ctx, char *iface) {
 TimeModeSetLive();
 /* create the threads */
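Review bot: The NULL check on the thread handle is dropped: `tv_outputs` returned by TmThreadCreatePacketHandler("Outputs", ...) goes straight into SetupOutputs (which appends to it via TmVarSlotSetFuncAppend) and TmThreadSpawn, whereas every removed `tv_*` was tested for NULL first; the RunModeIdsPcap2 hunk below has the same gap. Keep the original guard before the SetupOutputs call: `if (tv_outputs == NULL) { printf("ERROR: TmThreadsCreate failed\n"); exit(EXIT_FAILURE); }`. Separately, if the configuration enables no output at all, this now spawns a "varslot" thread with no slot functions between alert-queue1 and packetpool; whether the thread machinery tolerates that is not visible here and is worth a sentence in the code. RunModeIdsPcap starts outside the hunk.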
@@ -361,85 +420,10 @@ int RunModeIdsPcap2(DetectEngineCtx *de_ctx, char *iface, LogFileCtx *af_logfile
 exit(EXIT_FAILURE);
 }
- ThreadVars *tv_alert = TmThreadCreatePacketHandler("AlertFastlog&Httplog","alert-queue1","simple","alert-queue2","simple","varslot");
- if (tv_alert == NULL) {
- printf("ERROR: TmThreadsCreate failed\n");
- exit(EXIT_FAILURE);
- }
- tm_module = TmModuleGetByName("AlertFastlog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName for AlertFastlog failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv_alert, tm_module, af_logfile_ctx);
-
- tm_module = TmModuleGetByName("LogHttplog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv_alert, tm_module, lh_logfile_ctx);
-
- if (TmThreadSpawn(tv_alert) != TM_ECODE_OK) {
- printf("ERROR: TmThreadSpawn failed\n");
- exit(EXIT_FAILURE);
- }
-
- ThreadVars *tv_unified = TmThreadCreatePacketHandler("AlertUnifiedLog","alert-queue2","simple","alert-queue3","simple","varslot");
- if (tv_unified == NULL) {
- printf("ERROR: TmThreadsCreate failed\n");
- exit(EXIT_FAILURE);
- }
-
- tm_module = TmModuleGetByName("AlertUnifiedLog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName for AlertUnifiedLog failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv_unified,tm_module,aul_logfile_ctx);
-
- tm_module = TmModuleGetByName("AlertUnifiedAlert");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName for AlertUnifiedAlert failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv_unified,tm_module,aua_logfile_ctx);
-
- if (TmThreadSpawn(tv_unified) != TM_ECODE_OK) {
- printf("ERROR: TmThreadSpawn failed\n");
- exit(EXIT_FAILURE);
- }
-
- ThreadVars *tv_unified2 = TmThreadCreatePacketHandler("Unified2Alert","alert-queue3","simple","alert-queue4","simple","1slot");
- if (tv_unified2 == NULL) {
- printf("ERROR: TmThreadsCreate failed\n");
- exit(EXIT_FAILURE);
- }
- tm_module = TmModuleGetByName("Unified2Alert");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName failed\n");
- exit(EXIT_FAILURE);
- }
- Tm1SlotSetFunc(tv_unified2,tm_module,au2a_logfile_ctx);
-
- if (TmThreadSpawn(tv_unified2) != TM_ECODE_OK) {
- printf("ERROR: TmThreadSpawn failed\n");
- exit(EXIT_FAILURE);
- }
-
- ThreadVars *tv_debugalert = TmThreadCreatePacketHandler("AlertDebuglog","alert-queue4","simple","packetpool","packetpool","1slot");
- if (tv_debugalert == NULL) {
- printf("ERROR: TmThreadsCreate failed\n");
- exit(EXIT_FAILURE);
- }
- tm_module = TmModuleGetByName("AlertDebuglog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName failed\n");
- exit(EXIT_FAILURE);
- }
- Tm1SlotSetFunc(tv_debugalert,tm_module, ad_logfile_ctx);
-
- if (TmThreadSpawn(tv_debugalert) != TM_ECODE_OK) {
+ ThreadVars *tv_outputs = TmThreadCreatePacketHandler("Outputs",
+ "alert-queue1", "simple", "packetpool", "packetpool", "varslot");
+ SetupOutputs(tv_outputs);
+ if (TmThreadSpawn(tv_outputs) != TM_ECODE_OK) {
 printf("ERROR: TmThreadSpawn failed\n");
 exit(EXIT_FAILURE);
 }
@@ -448,7 +432,7 @@ int RunModeIdsPcap2(DetectEngineCtx *de_ctx, char *iface, LogFileCtx *af_logfile
 }
 /** \brief Live pcap mode with 4 stream tracking and reassembly threads, testing the flow queuehandler */
-int RunModeIdsPcap3(DetectEngineCtx *de_ctx, char *iface, LogFileCtx *af_logfile_ctx, LogFileCtx *ad_logfile_ctx, LogFileCtx *lh_logfile_ctx, LogFileCtx *aul_logfile_ctx, LogFileCtx *aua_logfile_ctx, LogFileCtx *au2a_logfile_ctx) {
+int RunModeIdsPcap3(DetectEngineCtx *de_ctx, char *iface) {
 TimeModeSetLive();
 /* create the threads */
@@ -513,47 +497,10 @@ int RunModeIdsPcap3(DetectEngineCtx *de_ctx, char *iface, LogFileCtx *af_logfile
 }
 TmVarSlotSetFuncAppend(tv,tm_module,NULL);
- tm_module = TmModuleGetByName("AlertFastlog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName for AlertFastlog failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module,af_logfile_ctx);
-
- tm_module = TmModuleGetByName("LogHttplog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module, lh_logfile_ctx);
-
- tm_module = TmModuleGetByName("AlertUnifiedLog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName for AlertUnifiedLog failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module,aul_logfile_ctx);
-
- tm_module = TmModuleGetByName("AlertUnifiedAlert");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName for AlertUnifiedAlert failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module,aua_logfile_ctx);
-
- tm_module = TmModuleGetByName("Unified2Alert");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName for Unified2Alert failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module,au2a_logfile_ctx);
-
- tm_module = TmModuleGetByName("AlertDebuglog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module, ad_logfile_ctx);
+ /* In this mode we don't create a new thread for alerting/logging.
+ * We'll pass the one currently being setup and the alerting
+ * modules will be appended to it. */
+ SetupOutputs(tv);
 TmThreadSetCPUAffinity(tv, 0);
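Review bot: SetupOutputs(tv) is now invoked once per detect thread in RunModeIdsPcap3 — here and in the three following hunks — and SetupOutputs, as added above in this patch, calls each enabled output's InitFunc and RegisterLogFileCtx on every invocation, so the four threads end up with four distinct LogFileCtx objects for the same configured filename; previously a single af_logfile_ctx (etc.) was handed to all four threads, so their writes were serialized through one context. Unless the InitFunc implementations dedupe by filename, which this patch does not show, four independently buffered writers to fast.log, http.log and the unified files will interleave or clobber each other's records, and the unified loggers that build names from `prefix` plus a date may rotate independently. Consider creating the contexts once and only appending the modules on subsequent calls (SetupOutputs could keep its registered contexts and reuse them), or document in the new comment that Pcap3 intentionally opens one file set per thread. RunModeIdsPcap3 begins and ends outside this hunk.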
@@ -588,47 +535,7 @@ int RunModeIdsPcap3(DetectEngineCtx *de_ctx, char *iface, LogFileCtx *af_logfile
 }
 TmVarSlotSetFuncAppend(tv,tm_module,NULL);
- tm_module = TmModuleGetByName("AlertFastlog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName for AlertFastlog failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module,af_logfile_ctx);
-
- tm_module = TmModuleGetByName("LogHttplog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module, lh_logfile_ctx);
-
- tm_module = TmModuleGetByName("AlertUnifiedLog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName for AlertUnifiedLog failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module,aul_logfile_ctx);
-
- tm_module = TmModuleGetByName("AlertUnifiedAlert");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName for AlertUnifiedAlert failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module,aua_logfile_ctx);
-
- tm_module = TmModuleGetByName("Unified2Alert");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName for Unified2Alert failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module,au2a_logfile_ctx);
-
- tm_module = TmModuleGetByName("AlertDebuglog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module, ad_logfile_ctx);
+ SetupOutputs(tv);
 TmThreadSetCPUAffinity(tv, 0);
@@ -663,47 +570,7 @@ int RunModeIdsPcap3(DetectEngineCtx *de_ctx, char *iface, LogFileCtx *af_logfile
 }
 TmVarSlotSetFuncAppend(tv,tm_module,NULL);
- tm_module = TmModuleGetByName("AlertFastlog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName for AlertFastlog failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module,af_logfile_ctx);
-
- tm_module = TmModuleGetByName("LogHttplog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module, lh_logfile_ctx);
-
- tm_module = TmModuleGetByName("AlertUnifiedLog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName for AlertUnifiedLog failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module,aul_logfile_ctx);
-
- tm_module = TmModuleGetByName("AlertUnifiedAlert");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName for AlertUnifiedAlert failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module,aua_logfile_ctx);
-
- tm_module = TmModuleGetByName("Unified2Alert");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName for Unified2Alert failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module,au2a_logfile_ctx);
-
- tm_module = TmModuleGetByName("AlertDebuglog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module, ad_logfile_ctx);
+ SetupOutputs(tv);
 TmThreadSetCPUAffinity(tv, 1);
@@ -738,47 +605,7 @@ int RunModeIdsPcap3(DetectEngineCtx *de_ctx, char *iface, LogFileCtx *af_logfile
 }
 TmVarSlotSetFuncAppend(tv,tm_module,NULL);
- tm_module = TmModuleGetByName("AlertFastlog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName for AlertFastlog failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module,af_logfile_ctx);
-
- tm_module = TmModuleGetByName("LogHttplog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module, lh_logfile_ctx);
-
- tm_module = TmModuleGetByName("AlertUnifiedLog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName for AlertUnifiedLog failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module,aul_logfile_ctx);
-
- tm_module = TmModuleGetByName("AlertUnifiedAlert");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName for AlertUnifiedAlert failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module,aua_logfile_ctx);
-
- tm_module = TmModuleGetByName("Unified2Alert");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName for Unified2Alert failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module,au2a_logfile_ctx);
-
- tm_module = TmModuleGetByName("AlertDebuglog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module, ad_logfile_ctx);
+ SetupOutputs(tv);
 TmThreadSetCPUAffinity(tv, 1);
diff --git a/src/runmodes.h b/src/runmodes.h
index c2bc1a9..0e64ee1 100644
--- a/src/runmodes.h
+++ b/src/runmodes.h
@@ -1,9 +1,9 @@
 #ifndef __RUNMODES_H__
 #define __RUNMODES_H__
-int RunModeIdsPcap(DetectEngineCtx *, char *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *);
-int RunModeIdsPcap2(DetectEngineCtx *, char *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *);
-int RunModeIdsPcap3(DetectEngineCtx *, char *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *);
+int RunModeIdsPcap(DetectEngineCtx *, char *);
+int RunModeIdsPcap2(DetectEngineCtx *, char *);
+int RunModeIdsPcap3(DetectEngineCtx *, char *);
 int RunModeIpsNFQ(DetectEngineCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *);
@@ -14,5 +14,7 @@ int RunModeIdsPfring(DetectEngineCtx *, char *, LogFileCtx *, LogFileCtx *, LogF
 int RunModeIdsPfring2(DetectEngineCtx *, char *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *);
 int RunModeIdsPfring3(DetectEngineCtx *, char *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *);
+void RunModeShutDown(void);
+
 #endif /* __RUNMODES_H__ */
diff --git a/src/suricata.c b/src/suricata.c
index d1523a7..bccb878 100644
--- a/src/suricata.c
+++ b/src/suricata.c
@@ -33,6 +33,9 @@
 #include "tmqh-flow.h"
+#include "conf.h"
+#include "conf-yaml-loader.h"
+
 #include "alert-fastlog.h"
 #include "alert-unified-log.h"
 #include "alert-unified-alert.h"
@@ -76,9 +79,6 @@
 #include "util-rule-vars.h"
 #include "util-classification-config.h"
-#include "conf.h"
-#include "conf-yaml-loader.h"
-
 #include "defrag.h"
 #include "runmodes.h"
@@ -624,15 +624,13 @@ int main(int argc, char **argv)
 SCClassConfLoadClassficationConfigFile(de_ctx);
- /** Create file contexts for output modules */
- /* ascii */
- LogFileCtx *af_logfile_ctx = AlertFastlogInitCtx(NULL);
- LogFileCtx *ad_logfile_ctx = AlertDebuglogInitCtx(NULL);
- LogFileCtx *lh_logfile_ctx = LogHttplogInitCtx(NULL);
- /* unified */
- LogFileCtx *aul_logfile_ctx = AlertUnifiedLogInitCtx(NULL);
- LogFileCtx *aua_logfile_ctx = AlertUnifiedAlertInitCtx(NULL);
- LogFileCtx *au2a_logfile_ctx = Unified2AlertInitCtx(NULL);
+ /* Logging/alerting contexts. Eventually this won't be needed. */
+ LogFileCtx *af_logfile_ctx = NULL; /* AlertFastlog */
+ LogFileCtx *ad_logfile_ctx = NULL; /* AlertDebuglog */
+ LogFileCtx *lh_logfile_ctx = NULL; /* LogHttplog */
+ LogFileCtx *aul_logfile_ctx = NULL; /* AlertUnifiedLog */
+ LogFileCtx *aua_logfile_ctx = NULL; /* AlertUnifiedAlert */
+ LogFileCtx *au2a_logfile_ctx = NULL; /* Unified2Alert */
 if (SigLoadSignatures(de_ctx, sig_file) < 0) {
 if (sig_file == NULL) {
@@ -649,20 +647,38 @@ int main(int argc, char **argv)
 gettimeofday(&start_time, NULL);
 if (mode == MODE_PCAP_DEV) {
- //RunModeIdsPcap3(de_ctx, pcap_dev, af_logfile_ctx, ad_logfile_ctx, lh_logfile_ctx, aul_logfile_ctx, aua_logfile_ctx, au2a_logfile_ctx);
- RunModeIdsPcap2(de_ctx, pcap_dev, af_logfile_ctx, ad_logfile_ctx, lh_logfile_ctx, aul_logfile_ctx, aua_logfile_ctx, au2a_logfile_ctx);
- //RunModeIdsPcap(de_ctx, pcap_dev, af_logfile_ctx, ad_logfile_ctx, lh_logfile_ctx, aul_logfile_ctx, aua_logfile_ctx, au2a_logfile_ctx);
+ RunModeIdsPcap3(de_ctx, pcap_dev);
+ //RunModeIdsPcap2(de_ctx, pcap_dev);
+ //RunModeIdsPcap(de_ctx, pcap_dev);
 } else if (mode == MODE_PCAP_FILE) {
+ af_logfile_ctx = AlertFastlogInitCtx(NULL);
+ ad_logfile_ctx = AlertDebuglogInitCtx(NULL);
+ lh_logfile_ctx = LogHttplogInitCtx(NULL);
+ aul_logfile_ctx = AlertUnifiedLogInitCtx(NULL);
+ aua_logfile_ctx = AlertUnifiedAlertInitCtx(NULL);
+ au2a_logfile_ctx = Unified2AlertInitCtx(NULL);
 RunModeFilePcap(de_ctx, pcap_file, af_logfile_ctx, ad_logfile_ctx, lh_logfile_ctx, aul_logfile_ctx, aua_logfile_ctx, au2a_logfile_ctx);
 //RunModeFilePcap2(de_ctx, pcap_file, af_logfile_ctx, ad_logfile_ctx, lh_logfile_ctx, aul_logfile_ctx, aua_logfile_ctx, au2a_logfile_ctx);
 } else if (mode == MODE_PFRING) {
+ af_logfile_ctx = AlertFastlogInitCtx(NULL);
+ ad_logfile_ctx = AlertDebuglogInitCtx(NULL);
+ lh_logfile_ctx = LogHttplogInitCtx(NULL);
+ aul_logfile_ctx = AlertUnifiedLogInitCtx(NULL);
+ aua_logfile_ctx = AlertUnifiedAlertInitCtx(NULL);
+ au2a_logfile_ctx = Unified2AlertInitCtx(NULL);
 //RunModeIdsPfring3(de_ctx, pfring_dev, af_logfile_ctx, ad_logfile_ctx, lh_logfile_ctx, aul_logfile_ctx, aua_logfile_ctx, au2a_logfile_ctx);
 RunModeIdsPfring2(de_ctx, pfring_dev, af_logfile_ctx, ad_logfile_ctx, lh_logfile_ctx, aul_logfile_ctx, aua_logfile_ctx, au2a_logfile_ctx);
 //RunModeIdsPfring(de_ctx, pfring_dev, af_logfile_ctx, ad_logfile_ctx, lh_logfile_ctx, aul_logfile_ctx, aua_logfile_ctx, au2a_logfile_ctx);
 } else if (mode == MODE_NFQ) {
+ af_logfile_ctx = AlertFastlogInitCtx(NULL);
+ ad_logfile_ctx = AlertDebuglogInitCtx(NULL);
+ lh_logfile_ctx = LogHttplogInitCtx(NULL);
+ aul_logfile_ctx = AlertUnifiedLogInitCtx(NULL);
+ aua_logfile_ctx = AlertUnifiedAlertInitCtx(NULL);
+ au2a_logfile_ctx = Unified2AlertInitCtx(NULL);
 RunModeIpsNFQ(de_ctx, af_logfile_ctx, ad_logfile_ctx, lh_logfile_ctx, aul_logfile_ctx, aua_logfile_ctx, au2a_logfile_ctx);
 } else {
@@ -755,7 +771,10 @@ int main(int argc, char **argv)
 SigCleanSignatures(de_ctx);
 DetectEngineCtxFree(de_ctx);
- /** Destroy file contexts for output modules */
+ RunModeShutDown();
+
+ /* Remove when all run modes use the configuration file for output
+ * configuration. LogFileFreeCtx accepts NULL. */
 LogFileFreeCtx(af_logfile_ctx);
 LogFileFreeCtx(lh_logfile_ctx);
 LogFileFreeCtx(ad_logfile_ctx);
diff --git a/src/tm-modules.c b/src/tm-modules.c
index 245f8fb..731a765 100644
--- a/src/tm-modules.c
+++ b/src/tm-modules.c
@@ -77,9 +77,8 @@ int LogFileFreeCtx(LogFileCtx *lf_ctx)
 fclose(lf_ctx->fp);
 SCMutexUnlock(&lf_ctx->fp_mutex);
 }
- if (lf_ctx->config_file != NULL) {
- free(lf_ctx->config_file);
- }
+ if (lf_ctx->prefix != NULL)
+ free(lf_ctx->prefix);
 free(lf_ctx);
 ret=1;
 }
diff --git a/src/tm-modules.h b/src/tm-modules.h
index e3ce4d6..312a0e4 100644
--- a/src/tm-modules.h
+++ b/src/tm-modules.h
@@ -58,11 +58,12 @@ typedef struct LogFileCtx_ { * record cannot be written to the file in one call */ SCMutex fp_mutex; - /** To know where did we read this config */ - char *config_file; - /** The name of the file */ char *filename; + + /**< Used by some alert loggers like the unified ones that append + * the date onto the end of files. */ + char *prefix; } LogFileCtx; LogFileCtx *LogFileNewCtx();
diff --git a/suricata.yaml b/suricata.yaml
index d26ee13..48bd4ef 100644
--- a/suricata.yaml
+++ b/suricata.yaml
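Review bot: Besides the parameter clean-up, this hunk switches the live pcap run mode from RunModeIdsPcap2 to RunModeIdsPcap3 (the active call moves from the Pcap2 line to the Pcap3 line), which the commit message does not mention and which changes the default thread layout; if that is intended it belongs in the description, otherwise keep `RunModeIdsPcap2(de_ctx, pcap_dev);` as the active call. The six `*_logfile_ctx = ...InitCtx(NULL);` assignments are now repeated verbatim in the PCAP_FILE, PFRING and NFQ branches; a small static helper in suricata.c that fills the six pointers would keep them in one place until those modes also move to the configuration file. The InitCtx return values are passed to the run mode without a NULL check, as the removed code also did. main() begins and ends outside the hunk.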
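Review bot: The `if (lf_ctx->prefix != NULL)` guard is redundant, since free(NULL) is a no-op, and the unbraced body departs from the braced `if` block just above it in LogFileFreeCtx; `free(lf_ctx->prefix);` on its own is enough. Where `prefix` is allocated is not part of this patch, so the fact that LogFileFreeCtx owns and frees it deserves a line on the struct field in tm-modules.h. LogFileFreeCtx begins outside the hunk.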
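Review bot: `/**<` is Doxygen's trailing form for documenting the member that precedes it, but here the comment is placed before `char *prefix;`, so it will attach to `filename` or be dropped; use the `/** ... */` form the other LogFileCtx_ fields use. While fixing it, record ownership, which the tm-modules.c hunk in this patch establishes: `/** Prefix for loggers that append a date to the file name (the unified loggers); freed by LogFileFreeCtx. */`.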
@@ -3,6 +3,32 @@
 # overridden with the -l command line parameter.
 default-log-dir: /var/log/suricata
+outputs:
+
+ - fast:
+ enabled: yes
+ filename: fast.log
+
+ - unified-log:
+ enabled: yes
+ filename: unified.log
+
+ - unified-alert:
+ enabled: yes
+ filename: unified.alert
+
+ - unified2-alert:
+ enabled: yes
+ filename: unified2.alert
+
+ - http-log:
+ enabled: yes
+ filename: http.log
+
+ - alert-debug:
+ enabled: yes
+ filename: alert-debug.log
+
 defrag:
 max-frags: 65535
 prealloc: yes
-- 1.6.5.2
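Review bot: `enabled` is honored only when its value is the literal `yes` (compared case-insensitively): SetupOutputs in runmodes.c, added in this patch, tests `strcasecmp(enabled, "yes") == 0` and treats any other value, including `true` or `on` that YAML users commonly write, as disabled, and a missing key likewise. A comment above `outputs:` such as `# An output is active only when 'enabled' is set to yes; any other value, or no 'enabled' key, disables it.` would prevent silently losing a log. All six loggers, including alert-debug, ship enabled; whether the debug logger is meant to be on by default is not clear from the patch and is worth confirming.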