app-layer/logging Add TX packet logging support

Add transactional logging support for packet based loggers, like the anomaly logger.
7 years ago · 36644907f5
parent f7b934f83f
commit 36644907f5
4 changed files with 25 additions and 16 deletions
--- a/src/app-layer-parser.c
+++ b/src/app-layer-parser.c
@ -1044,8 +1044,7 @@ int AppLayerParserGetStateProgressCompletionStatus(AppProto alproto,
                                                   uint8_t direction)
 {
    SCEnter();
-    int r = 0;
-    r = alp_ctx.ctxs[FLOW_PROTO_DEFAULT][alproto].
+    int r = alp_ctx.ctxs[FLOW_PROTO_DEFAULT][alproto].
                StateGetProgressCompletionStatus(direction);
    SCReturnInt(r);
 }
--- a/src/output-tx.c
+++ b/src/output-tx.c
@ -72,7 +72,7 @@ int OutputRegisterTxLogger(LoggerId id, const char *name, AppProto alproto,
                           ThreadDeinitFunc ThreadDeinit,
                           void (*ThreadExitPrintStats)(ThreadVars *, void *))
 {
-    if (!(AppLayerParserIsTxAware(alproto))) {
+    if (alproto != ALPROTO_UNKNOWN && !(AppLayerParserIsTxAware(alproto))) {
        SCLogNotice("%s logger not enabled: protocol %s is disabled",
            name, AppProtoToString(alproto));
        return -1;
@ -93,7 +93,9 @@ int OutputRegisterTxLogger(LoggerId id, const char *name, AppProto alproto,
    op->ThreadDeinit = ThreadDeinit;
    op->ThreadExitPrintStats = ThreadExitPrintStats;

-    if (tc_log_progress < 0) {
+    if (alproto == ALPROTO_UNKNOWN) {
+        op->tc_log_progress = 0;
+    } else if (tc_log_progress < 0) {
        op->tc_log_progress =
            AppLayerParserGetStateProgressCompletionStatus(alproto,
                                                           STREAM_TOCLIENT);
@ -101,7 +103,9 @@ int OutputRegisterTxLogger(LoggerId id, const char *name, AppProto alproto,
        op->tc_log_progress = tc_log_progress;
    }

-    if (ts_log_progress < 0) {
+    if (alproto == ALPROTO_UNKNOWN) {
+        op->ts_log_progress = 0;
+    } else if (ts_log_progress < 0) {
        op->ts_log_progress =
            AppLayerParserGetStateProgressCompletionStatus(alproto,
                                                           STREAM_TOSERVER);
@ -200,13 +204,15 @@ static TmEcode OutputTxLog(ThreadVars *tv, Packet *p, void *thread_data)
        while (logger && store) {
            DEBUG_VALIDATE_BUG_ON(logger->LogFunc == NULL);

-            SCLogDebug("logger %p, LogCondition %p, ts_log_progress %d "
-                    "tc_log_progress %d", logger, logger->LogCondition,
+            SCLogDebug("logger %p, Alproto %d LogCondition %p, ts_log_progress %d "
+                    "tc_log_progress %d", logger, logger->alproto, logger->LogCondition,
                    logger->ts_log_progress, logger->tc_log_progress);
-            if (logger->alproto == alproto &&
-                (tx_logged_old & (1<<logger->logger_id)) == 0)
-            {
-                SCLogDebug("alproto match, logging tx_id %"PRIu64, tx_id);
+            /* always invoke "wild card" tx loggers */
+            if (logger->alproto == ALPROTO_UNKNOWN ||
+                (logger->alproto == alproto &&
+                 (tx_logged_old & (1<<logger->logger_id)) == 0)) {
+
+                SCLogDebug("alproto match %d, logging tx_id %"PRIu64, logger->alproto, tx_id);

                if (!(AppLayerParserStateIssetFlag(f->alparser,
                                                   APP_LAYER_PARSER_EOF))) {
@ -229,13 +235,14 @@ static TmEcode OutputTxLog(ThreadVars *tv, Packet *p, void *thread_data)
                    }
                }

-                SCLogDebug("Logging tx_id %"PRIu64" to logger %d", tx_id,
-                    logger->logger_id);
+                SCLogDebug("Logging tx_id %"PRIu64" to logger %d", tx_id, logger->logger_id);
                PACKET_PROFILING_LOGGER_START(p, logger->logger_id);
                logger->LogFunc(tv, store->thread_data, p, f, alstate, tx, tx_id);
                PACKET_PROFILING_LOGGER_END(p, logger->logger_id);

-                tx_logged |= (1<<logger->logger_id);
+                if (alproto != ALPROTO_UNKNOWN) {
+                    tx_logged |= (1<<logger->logger_id);
+                }
            }

 next_logger:
--- a/src/output.c
+++ b/src/output.c
@ -308,7 +308,7 @@ static void OutputRegisterTxSubModuleWrapper(LoggerId id, const char *parent_nam
    module->ThreadExitPrintStats = ThreadExitPrintStats;
    TAILQ_INSERT_TAIL(&output_modules, module, entries);

-    SCLogDebug("Tx logger \"%s\" registered.", name);
+    SCLogDebug("Tx logger for alproto %d \"%s\" registered.", alproto, name);
    return;
 error:
    SCLogError(SC_ERR_FATAL, "Fatal error encountered. Exiting...");
--- a/src/runmodes.c
+++ b/src/runmodes.c
@ -588,7 +588,10 @@ static void SetupOutput(const char *name, OutputModule *module, OutputCtx *outpu
                module->ts_log_progress, module->TxLogCondition,
                module->ThreadInit, module->ThreadDeinit,
                module->ThreadExitPrintStats);
-        logger_bits[module->alproto] |= (1<<module->logger_id);
+        /* Not used with wild card loggers */
+        if (module->alproto != ALPROTO_UNKNOWN) {
+            logger_bits[module->alproto] |= (1<<module->logger_id);
+        }
    } else if (module->FiledataLogFunc) {
        SCLogDebug("%s is a filedata logger", module->name);
        OutputRegisterFiledataLogger(module->logger_id, module->name,