From afe0074cf2ccf3d476b2e1fd670426cfc99f82ec Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Wed, 6 Jan 2010 14:20:34 -0800
Subject: [PATCH 2/3] Configurable alert outputs for PF_RING modes.
---
 src/runmodes.c | 278 +++----------------------------------------------------
 src/runmodes.h | 6 +-
 src/suricata.c | 16 +--
 3 files changed, 23 insertions(+), 277 deletions(-)
diff --git a/src/runmodes.c b/src/runmodes.c
index bedf41f..b5a5a82 100644
--- a/src/runmodes.c
+++ b/src/runmodes.c
@@ -1094,7 +1094,7 @@ int RunModeFilePcap2(DetectEngineCtx *de_ctx, char *file, LogFileCtx *af_logfile
 return 0;
 }
-int RunModeIdsPfring(DetectEngineCtx *de_ctx, char *iface, LogFileCtx *af_logfile_ctx, LogFileCtx *ad_logfile_ctx, LogFileCtx *lh_logfile_ctx, LogFileCtx *aul_logfile_ctx, LogFileCtx *aua_logfile_ctx, LogFileCtx *au2a_logfile_ctx) {
+int RunModeIdsPfring(DetectEngineCtx *de_ctx, char *iface) {
 TimeModeSetLive();
 /* create the threads */
@@ -1251,68 +1251,10 @@ int RunModeIdsPfring(DetectEngineCtx *de_ctx, char *iface, LogFileCtx *af_logfil
 exit(EXIT_FAILURE);
 }
- ThreadVars *tv_alert = TmThreadCreatePacketHandler("AlertFastlog&Httplog","alert-queue1","simple","alert-queue2","simple","varslot");
- if (tv_alert == NULL) {
- printf("ERROR: TmThreadsCreate failed\n");
- exit(EXIT_FAILURE);
- }
- tm_module = TmModuleGetByName("AlertFastlog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName for AlertFastlog failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv_alert, tm_module, af_logfile_ctx);
-
- tm_module = TmModuleGetByName("LogHttplog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv_alert, tm_module, lh_logfile_ctx);
-
- if (TmThreadSpawn(tv_alert) != TM_ECODE_OK) {
- printf("ERROR: TmThreadSpawn failed\n");
- exit(EXIT_FAILURE);
- }
-
- ThreadVars *tv_unified = TmThreadCreatePacketHandler("AlertUnifiedLog","alert-queue2","simple","alert-queue3","simple","varslot");
- if (tv_unified == NULL) {
- printf("ERROR: TmThreadsCreate failed\n");
- exit(EXIT_FAILURE);
- }
-
- tm_module = TmModuleGetByName("AlertUnifiedLog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName for AlertUnifiedLog failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv_unified, tm_module, aul_logfile_ctx);
-
- tm_module = TmModuleGetByName("AlertUnifiedAlert");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName for AlertUnifiedAlert failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv_unified, tm_module, aua_logfile_ctx);
-
- if (TmThreadSpawn(tv_unified) != TM_ECODE_OK) {
- printf("ERROR: TmThreadSpawn failed\n");
- exit(EXIT_FAILURE);
- }
-
- ThreadVars *tv_debugalert = TmThreadCreatePacketHandler("AlertDebuglog","alert-queue3","simple","packetpool","packetpool","1slot");
- if (tv_debugalert == NULL) {
- printf("ERROR: TmThreadsCreate failed\n");
- exit(EXIT_FAILURE);
- }
- tm_module = TmModuleGetByName("AlertDebuglog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName failed\n");
- exit(EXIT_FAILURE);
- }
- Tm1SlotSetFunc(tv_debugalert,tm_module,ad_logfile_ctx);
-
- if (TmThreadSpawn(tv_debugalert) != TM_ECODE_OK) {
+ ThreadVars *tv_outputs = TmThreadCreatePacketHandler("Outputs",
+ "alert-queue1", "simple", "packetpool", "packetpool", "varslot");
+ SetupOutputs(tv_outputs);
+ if (TmThreadSpawn(tv_outputs) != TM_ECODE_OK) {
 printf("ERROR: TmThreadSpawn failed\n");
 exit(EXIT_FAILURE);
 }
@@ -1321,7 +1263,7 @@ int RunModeIdsPfring(DetectEngineCtx *de_ctx, char *iface, LogFileCtx *af_logfil
 }
 /** \brief Live pfring mode with 4 stream tracking and reassembly threads, testing the flow queuehandler */
-int RunModeIdsPfring2(DetectEngineCtx *de_ctx, char *iface, LogFileCtx *af_logfile_ctx, LogFileCtx *ad_logfile_ctx, LogFileCtx *lh_logfile_ctx, LogFileCtx *aul_logfile_ctx, LogFileCtx *aua_logfile_ctx, LogFileCtx *au2a_logfile_ctx) {
+int RunModeIdsPfring2(DetectEngineCtx *de_ctx, char *iface) {
 TimeModeSetLive();
 /* create the threads */
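Review bot: The thread-creation NULL check that the removed code carried (`if (tv_alert == NULL) { printf("ERROR: TmThreadsCreate failed\n"); exit(EXIT_FAILURE); }`) has no counterpart for `tv_outputs`, so a failed TmThreadCreatePacketHandler() now reaches SetupOutputs(tv_outputs) and TmThreadSpawn(tv_outputs) with a null pointer instead of the clean startup failure the other threads in this function get. Insert `if (tv_outputs == NULL) { printf("ERROR: TmThreadsCreate failed\n"); exit(EXIT_FAILURE); }` between the creation and the SetupOutputs() call, matching the pattern used for the other threads. The same omission is in the RunModeIdsPfring2 hunk at @@ -1478,68. Both RunModeIdsPfring and RunModeIdsPfring2 start and end outside their hunks.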
@@ -1478,68 +1420,10 @@ int RunModeIdsPfring2(DetectEngineCtx *de_ctx, char *iface, LogFileCtx *af_logfi
 exit(EXIT_FAILURE);
 }
- ThreadVars *tv_alert = TmThreadCreatePacketHandler("AlertFastlog&Httplog","alert-queue1","simple","alert-queue2","simple","varslot");
- if (tv_alert == NULL) {
- printf("ERROR: TmThreadsCreate failed\n");
- exit(EXIT_FAILURE);
- }
- tm_module = TmModuleGetByName("AlertFastlog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName for AlertFastlog failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv_alert, tm_module, af_logfile_ctx);
-
- tm_module = TmModuleGetByName("LogHttplog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv_alert, tm_module, lh_logfile_ctx);
-
- if (TmThreadSpawn(tv_alert) != TM_ECODE_OK) {
- printf("ERROR: TmThreadSpawn failed\n");
- exit(EXIT_FAILURE);
- }
-
- ThreadVars *tv_unified = TmThreadCreatePacketHandler("AlertUnifiedLog","alert-queue2","simple","alert-queue3","simple","varslot");
- if (tv_unified == NULL) {
- printf("ERROR: TmThreadsCreate failed\n");
- exit(EXIT_FAILURE);
- }
-
- tm_module = TmModuleGetByName("AlertUnifiedLog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName for AlertUnifiedLog failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv_unified,tm_module,aul_logfile_ctx);
-
- tm_module = TmModuleGetByName("AlertUnifiedAlert");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName for AlertUnifiedAlert failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv_unified,tm_module,aua_logfile_ctx);
-
- if (TmThreadSpawn(tv_unified) != TM_ECODE_OK) {
- printf("ERROR: TmThreadSpawn failed\n");
- exit(EXIT_FAILURE);
- }
-
- ThreadVars *tv_debugalert = TmThreadCreatePacketHandler("AlertDebuglog","alert-queue3","simple","packetpool","packetpool","1slot");
- if (tv_debugalert == NULL) {
- printf("ERROR: TmThreadsCreate failed\n");
- exit(EXIT_FAILURE);
- }
- tm_module = TmModuleGetByName("AlertDebuglog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName failed\n");
- exit(EXIT_FAILURE);
- }
- Tm1SlotSetFunc(tv_debugalert,tm_module,ad_logfile_ctx);
-
- if (TmThreadSpawn(tv_debugalert) != TM_ECODE_OK) {
+ ThreadVars *tv_outputs = TmThreadCreatePacketHandler("Outputs",
+ "alert-queue1", "simple", "packetpool", "packetpool", "varslot");
+ SetupOutputs(tv_outputs);
+ if (TmThreadSpawn(tv_outputs) != TM_ECODE_OK) {
 printf("ERROR: TmThreadSpawn failed\n");
 exit(EXIT_FAILURE);
 }
@@ -1547,7 +1431,7 @@ int RunModeIdsPfring2(DetectEngineCtx *de_ctx, char *iface, LogFileCtx *af_logfi
 return 0;
 }
 /** \brief Live pfring mode with 4 stream tracking and reassembly threads, testing the flow queuehandler */
-int RunModeIdsPfring3(DetectEngineCtx *de_ctx, char *iface, LogFileCtx *af_logfile_ctx, LogFileCtx *ad_logfile_ctx, LogFileCtx *lh_logfile_ctx, LogFileCtx *aul_logfile_ctx, LogFileCtx *aua_logfile_ctx, LogFileCtx *au2a_logfile_ctx) {
+int RunModeIdsPfring3(DetectEngineCtx *de_ctx, char *iface) {
 TimeModeSetLive();
 /* create the threads */
@@ -1612,40 +1496,7 @@ int RunModeIdsPfring3(DetectEngineCtx *de_ctx, char *iface, LogFileCtx *af_logfi
 }
 TmVarSlotSetFuncAppend(tv,tm_module,NULL);
- tm_module = TmModuleGetByName("AlertFastlog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName for AlertFastlog failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module,af_logfile_ctx);
-
- tm_module = TmModuleGetByName("LogHttplog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module,NULL);
-
- tm_module = TmModuleGetByName("AlertUnifiedLog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName for AlertUnifiedLog failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module,NULL);
-
- tm_module = TmModuleGetByName("AlertUnifiedAlert");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName for AlertUnifiedAlert failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module,NULL);
-
- tm_module = TmModuleGetByName("AlertDebuglog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module,NULL);
+ SetupOutputs(tv);
 TmThreadSetCPUAffinity(tv, 0);
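Review bot: SetupOutputs(tv) is now invoked on each of RunModeIdsPfring3's four detect threads, whereas the removed code handed every LogFileCtx to exactly one thread (af_logfile_ctx here, lh/aul/aua in the @@ -1680,40 hunk, ad_logfile_ctx in the @@ -1816,40 hunk) and NULL to the others, which is what kept each log file to a single writer. Whether SetupOutputs() shares one context per output across the four calls or allocates a fresh one per thread is not visible in this diff; if it is the latter, four threads write the same alert files through independent contexts with no common lock, and interleaved or truncated alert records are an integrity problem for anything consuming the logs. Confirm the sharing model and record it at the call site, e.g. `/* SetupOutputs() is called once per detect thread; see its definition for how output contexts are shared */`, adjusted to what the function actually does. The same applies to the three following hunks (@@ -1680,40, @@ -1748,40, @@ -1816,40); RunModeIdsPfring3 starts and ends outside these hunks.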
@@ -1680,40 +1531,7 @@ int RunModeIdsPfring3(DetectEngineCtx *de_ctx, char *iface, LogFileCtx *af_logfi
 }
 TmVarSlotSetFuncAppend(tv,tm_module,NULL);
- tm_module = TmModuleGetByName("AlertFastlog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName for AlertFastlog failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module,NULL);
-
- tm_module = TmModuleGetByName("LogHttplog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module,lh_logfile_ctx);
-
- tm_module = TmModuleGetByName("AlertUnifiedLog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName for AlertUnifiedLog failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module,aul_logfile_ctx);
-
- tm_module = TmModuleGetByName("AlertUnifiedAlert");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName for AlertUnifiedAlert failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module,aua_logfile_ctx);
-
- tm_module = TmModuleGetByName("AlertDebuglog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module,NULL);
+ SetupOutputs(tv);
 TmThreadSetCPUAffinity(tv, 0);
@@ -1748,40 +1566,7 @@ int RunModeIdsPfring3(DetectEngineCtx *de_ctx, char *iface, LogFileCtx *af_logfi
 }
 TmVarSlotSetFuncAppend(tv,tm_module,NULL);
- tm_module = TmModuleGetByName("AlertFastlog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName for AlertFastlog failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module,NULL);
-
- tm_module = TmModuleGetByName("LogHttplog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module,NULL);
-
- tm_module = TmModuleGetByName("AlertUnifiedLog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName for AlertUnifiedLog failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module,NULL);
-
- tm_module = TmModuleGetByName("AlertUnifiedAlert");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName for AlertUnifiedAlert failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module,NULL);
-
- tm_module = TmModuleGetByName("AlertDebuglog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module,NULL);
+ SetupOutputs(tv);
 TmThreadSetCPUAffinity(tv, 1);
@@ -1816,40 +1601,7 @@ int RunModeIdsPfring3(DetectEngineCtx *de_ctx, char *iface, LogFileCtx *af_logfi
 }
 TmVarSlotSetFuncAppend(tv,tm_module,NULL);
- tm_module = TmModuleGetByName("AlertFastlog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName for AlertFastlog failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module,NULL);
-
- tm_module = TmModuleGetByName("LogHttplog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module,NULL);
-
- tm_module = TmModuleGetByName("AlertUnifiedLog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName for AlertUnifiedLog failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module,NULL);
-
- tm_module = TmModuleGetByName("AlertUnifiedAlert");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName for AlertUnifiedAlert failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module,NULL);
-
- tm_module = TmModuleGetByName("AlertDebuglog");
- if (tm_module == NULL) {
- printf("ERROR: TmModuleGetByName failed\n");
- exit(EXIT_FAILURE);
- }
- TmVarSlotSetFuncAppend(tv,tm_module,ad_logfile_ctx);
+ SetupOutputs(tv);
 TmThreadSetCPUAffinity(tv, 1);
diff --git a/src/runmodes.h b/src/runmodes.h
index 0e64ee1..53d955f 100644
--- a/src/runmodes.h
+++ b/src/runmodes.h
@@ -10,9 +10,9 @@ int RunModeIpsNFQ(DetectEngineCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *, L
 int RunModeFilePcap(DetectEngineCtx *, char *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *);
 int RunModeFilePcap2(DetectEngineCtx *, char *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *);
-int RunModeIdsPfring(DetectEngineCtx *, char *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *);
-int RunModeIdsPfring2(DetectEngineCtx *, char *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *);
-int RunModeIdsPfring3(DetectEngineCtx *, char *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *, LogFileCtx *);
+int RunModeIdsPfring(DetectEngineCtx *, char *);
+int RunModeIdsPfring2(DetectEngineCtx *, char *);
+int RunModeIdsPfring3(DetectEngineCtx *, char *);
 void RunModeShutDown(void);
diff --git a/src/suricata.c b/src/suricata.c
index bccb878..ab864a1 100644
--- a/src/suricata.c
+++ b/src/suricata.c
@@ -647,8 +647,8 @@ int main(int argc, char **argv)
 gettimeofday(&start_time, NULL);
 if (mode == MODE_PCAP_DEV) {
- RunModeIdsPcap3(de_ctx, pcap_dev);
- //RunModeIdsPcap2(de_ctx, pcap_dev);
+ //RunModeIdsPcap3(de_ctx, pcap_dev);
+ RunModeIdsPcap2(de_ctx, pcap_dev);
 //RunModeIdsPcap(de_ctx, pcap_dev);
 }
 else if (mode == MODE_PCAP_FILE) {
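Review bot: The MODE_PCAP_DEV hunk in suricata.c switches the active pcap run mode from RunModeIdsPcap3 to RunModeIdsPcap2 by moving the `//` between the two calls, which has nothing to do with the PF_RING outputs named in the subject and is easy to overlook inside a 277-line deletion. Either drop these two lines from this patch or say in the commit message why the pcap default changes here. Selecting run modes by commenting calls in and out also leaves no record of which variant is meant to ship; a single `RunModeIdsPcap2(de_ctx, pcap_dev); /* default live pcap mode */` with the alternatives removed would be clearer. main() starts and ends outside this hunk.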
@@ -662,15 +662,9 @@ int main(int argc, char **argv)
 //RunModeFilePcap2(de_ctx, pcap_file, af_logfile_ctx, ad_logfile_ctx, lh_logfile_ctx, aul_logfile_ctx, aua_logfile_ctx, au2a_logfile_ctx);
 }
 else if (mode == MODE_PFRING) {
- af_logfile_ctx = AlertFastlogInitCtx(NULL);
- ad_logfile_ctx = AlertDebuglogInitCtx(NULL);
- lh_logfile_ctx = LogHttplogInitCtx(NULL);
- aul_logfile_ctx = AlertUnifiedLogInitCtx(NULL);
- aua_logfile_ctx = AlertUnifiedAlertInitCtx(NULL);
- au2a_logfile_ctx = Unified2AlertInitCtx(NULL);
- //RunModeIdsPfring3(de_ctx, pfring_dev, af_logfile_ctx, ad_logfile_ctx, lh_logfile_ctx, aul_logfile_ctx, aua_logfile_ctx, au2a_logfile_ctx);
- RunModeIdsPfring2(de_ctx, pfring_dev, af_logfile_ctx, ad_logfile_ctx, lh_logfile_ctx, aul_logfile_ctx, aua_logfile_ctx, au2a_logfile_ctx);
- //RunModeIdsPfring(de_ctx, pfring_dev, af_logfile_ctx, ad_logfile_ctx, lh_logfile_ctx, aul_logfile_ctx, aua_logfile_ctx, au2a_logfile_ctx);
+ //RunModeIdsPfring3(de_ctx, pfring_dev);
+ RunModeIdsPfring2(de_ctx, pfring_dev);
+ RunModeIdsPfring(de_ctx, pfring_dev);
 }
 else if (mode == MODE_NFQ) {
 af_logfile_ctx = AlertFastlogInitCtx(NULL);
--
1.6.5.2
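Review bot: `RunModeIdsPfring(de_ctx, pfring_dev);` is added as a live call directly after `RunModeIdsPfring2(de_ctx, pfring_dev);`, whereas the line it replaces had that call commented out. RunModeIdsPfring2 returns 0 after spawning its threads (visible in the @@ -1547,7 context of runmodes.c), so both run modes would now be started on the same interface, and each one creates its own "Outputs" thread reading "alert-queue1" (the @@ -1251,68 and @@ -1478,68 hunks), which means duplicated capture and alert consumers competing for one queue. This looks like an accidental uncomment; restore `//RunModeIdsPfring(de_ctx, pfring_dev);`. With the six ...InitCtx(NULL) calls removed, the af/ad/lh/aul/aua/au2a pointers are presumably left unset in the PF_RING branch — confirm nothing later in main(), which is outside this hunk, still reads them for MODE_PFRING.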