free flowvar entries in flow after live rule swap. Sync flowbits entries into packet struct to be used by alert debuglog when alert debuglog is enabled

14 years ago · 32183faa82
parent 8fb2040eee
commit 32183faa82
5 changed files with 96 additions and 6 deletions
--- a/src/alert-debuglog.c
+++ b/src/alert-debuglog.c
@ -141,14 +141,19 @@ static void AlertDebugLogFlowVars(AlertDebugLogThread *aft, Packet *p)
 */
 static void AlertDebugLogFlowBits(AlertDebugLogThread *aft, Packet *p)
 {
-    GenericVar *gv = p->flow->flowvar;
-    while (gv != NULL) {
-        if (gv->type == DETECT_FLOWBITS) {
-            FlowBit *fb = (FlowBit *) gv;
-            MemBufferWriteString(aft->buffer, "FLOWBIT idx(%"PRIu32")\n", fb->idx);
+    int i;
+    for (i = 0; i < p->debuglog_flowbits_names_len; i++) {
+        if (p->debuglog_flowbits_names[i] != NULL) {
+            MemBufferWriteString(aft->buffer, "FLOWBIT:           %s\n",
+                                 p->debuglog_flowbits_names[i]);
        }
-        gv = gv->next;
    }
+
+    SCFree(p->debuglog_flowbits_names);
+    p->debuglog_flowbits_names = NULL;
+    p->debuglog_flowbits_names_len = 0;
+
+    return;
 }

 /**
--- a/src/decode.h
+++ b/src/decode.h
@ -381,6 +381,10 @@ typedef struct Packet_
    /* IPS action to take */
    uint8_t action;

+    /* used to hold flowbits only if debuglog is enabled */
+    int debuglog_flowbits_names_len;
+    const char **debuglog_flowbits_names;
+
    /* pkt vars */
    PktVar *pktvar;

--- a/src/detect.c
+++ b/src/detect.c
@ -29,6 +29,7 @@
 #include "detect.h"
 #include "flow.h"
 #include "flow-private.h"
+#include "flow-bit.h"

 #include "detect-parse.h"
 #include "detect-engine.h"
@ -165,6 +166,7 @@
 #include "stream-tcp.h"
 #include "stream-tcp-inline.h"

+#include "util-var-name.h"
 #include "util-classification-config.h"
 #include "util-print.h"
 #include "util-unittest.h"
@ -181,6 +183,8 @@
 #include "util-vector.h"
 #include "util-path.h"

+#include "runmodes.h"
+
 extern uint8_t engine_mode;

 extern int engine_analysis;
@ -1284,6 +1288,68 @@ static void DebugInspectIds(Packet *p, Flow *f, StreamMsg *smsg)
 }
 #endif

+static void AlertDebugLogModeSyncFlowbitsNamesToPacketStruct(Packet *p, DetectEngineCtx *de_ctx)
+{
+#define MALLOC_JUMP 5
+
+    int i = 0;
+
+    GenericVar *gv = p->flow->flowvar;
+
+    while (gv != NULL) {
+        i++;
+        gv = gv->next;
+    }
+    if (i == 0)
+        return;
+
+    p->debuglog_flowbits_names_len = i;
+
+    p->debuglog_flowbits_names = SCMalloc(sizeof(char *) *
+                                          p->debuglog_flowbits_names_len);
+    if (p->debuglog_flowbits_names == NULL) {
+        return;
+    }
+    memset(p->debuglog_flowbits_names, 0,
+           sizeof(char *) * p->debuglog_flowbits_names_len);
+
+    i = 0;
+    gv = p->flow->flowvar;
+    while (gv != NULL) {
+        if (gv->type != DETECT_FLOWBITS) {
+            gv = gv->next;
+            continue;
+        }
+
+        FlowBit *fb = (FlowBit *) gv;
+        char *name = VariableIdxGetName(de_ctx, fb->idx, fb->type);
+        if (name != NULL) {
+            p->debuglog_flowbits_names[i] = SCStrdup(name);
+            if (p->debuglog_flowbits_names[i] == NULL) {
+                return;
+            }
+            i++;
+        }
+
+        if (i == p->debuglog_flowbits_names_len) {
+            p->debuglog_flowbits_names_len += MALLOC_JUMP;
+            p->debuglog_flowbits_names = SCRealloc(p->debuglog_flowbits_names,
+                                                   sizeof(char *) *
+                                                   p->debuglog_flowbits_names_len);
+            if (p->debuglog_flowbits_names == NULL) {
+                return;
+            }
+            memset(p->debuglog_flowbits_names +
+                   p->debuglog_flowbits_names_len - MALLOC_JUMP,
+                   0, sizeof(char *) * MALLOC_JUMP);
+        }
+
+        gv = gv->next;
+    }
+
+    return;
+}
+
 /**
 *  \brief Signature match function
 *
@ -1342,6 +1408,8 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
                reset_de_state = 1;

                p->flow->de_ctx_id = de_ctx->id;
+                GenericVarFree(p->flow->flowvar);
+                p->flow->flowvar = NULL;
            }

            /* set the iponly stuff */
@ -1785,6 +1853,12 @@ end:
        }

        FLOWLOCK_WRLOCK(p->flow);
+        if (debuglog_enabled) {
+            if (p->alerts.cnt > 0) {
+                AlertDebugLogModeSyncFlowbitsNamesToPacketStruct(p, de_ctx);
+            }
+        }
+
        if (!(sms_runflags & SMS_USE_FLOW_SGH)) {
            if (p->flowflags & FLOW_PKT_TOSERVER && !(p->flow->flags & FLOW_SGH_TOSERVER)) {
                /* first time we see this toserver sgh, store it */
--- a/src/runmodes.c
+++ b/src/runmodes.c
@ -50,6 +50,8 @@

 #include "source-pfring.h"

+int debuglog_enabled = 0;
+
 /**
 * \brief Holds description for a runmode.
 */
@ -404,6 +406,9 @@ void RunModeInitializeOutputs(void)
                    "TmModuleGetByName for %s failed", module->name);
            exit(EXIT_FAILURE);
        }
+        if (strcmp(tmm_modules[TMM_ALERTDEBUGLOG].name, tm_module->name) == 0)
+            debuglog_enabled = 1;
+
        RunModeOutput *runmode_output = SCCalloc(1, sizeof(RunModeOutput));
        if (runmode_output == NULL)
            return;
--- a/src/runmodes.h
+++ b/src/runmodes.h
@ -64,4 +64,6 @@ void RunModeShutDown(void);
 int threading_set_cpu_affinity;
 extern float threading_detect_ratio;

+extern int debuglog_enabled;
+
 #endif /* __RUNMODES_H__ */