aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Packet logging API: convert unified2

Browse Source 
Convert unified2 alert to new logging API.
pull/797/head
Victor Julien 12 years ago
parent d43ac9ae98
commit 4049c2f74c
7 changed files with 42 additions and 39 deletions
Show Stats Download Patch File Download Diff File

4
src/alert-debuglog.c
Unescape Escape View File

@ -168,7 +168,7 @@ static void AlertDebugLogPktVars(AlertDebugLogThread *aft, Packet *p)
/** \todo doc
* assume we have aft lock */
static int AlertDebugPrintStreamSegmentCallback(Packet *p, void *data, uint8_t *buf, uint32_t buflen)
static int AlertDebugPrintStreamSegmentCallback(const Packet *p, void *data, uint8_t *buf, uint32_t buflen)
{
AlertDebugLogThread *aft = (AlertDebugLogThread *)data;
@ -332,7 +332,7 @@ TmEcode AlertDebugLogger(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq,
} else {
flag = FLOW_PKT_TOSERVER;
}
ret = StreamSegmentForEach(p, flag,
ret = StreamSegmentForEach((const Packet *)p, flag,
AlertDebugPrintStreamSegmentCallback,
(void *)aft);
if (ret < 0) {

3
src/alert-fastlog.c
Unescape Escape View File

@ -62,9 +62,6 @@
#define MODULE_NAME "AlertFastLog"
TmEcode AlertFastLog (ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *);
TmEcode AlertFastLogIPv4(ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *);
TmEcode AlertFastLogIPv6(ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *);
TmEcode AlertFastLogThreadInit(ThreadVars *, void *, void **);
TmEcode AlertFastLogThreadDeinit(ThreadVars *, void *);
void AlertFastLogExitPrintStats(ThreadVars *, void *);

64
src/alert-unified2-alert.c
Unescape Escape View File

@ -233,27 +233,32 @@ typedef struct Unified2AlertThread_ {
SC_ATOMIC_DECLARE(unsigned int, unified2_event_id); /**< Atomic counter, to link relative event */
/** prototypes */
TmEcode Unified2Alert (ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *);
//TmEcode Unified2Alert (ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *);
TmEcode Unified2AlertThreadInit(ThreadVars *, void *, void **);
TmEcode Unified2AlertThreadDeinit(ThreadVars *, void *);
int Unified2IPv4TypeAlert(ThreadVars *, Packet *, void *, PacketQueue *);
int Unified2IPv6TypeAlert(ThreadVars *, Packet *, void *, PacketQueue *);
int Unified2PacketTypeAlert(Unified2AlertThread *, Packet *, uint32_t, int);
static int Unified2IPv4TypeAlert(ThreadVars *, const Packet *, void *);
static int Unified2IPv6TypeAlert(ThreadVars *, const Packet *, void *);
static int Unified2PacketTypeAlert(Unified2AlertThread *, const Packet *, uint32_t, int);
void Unified2RegisterTests();
int Unified2AlertOpenFileCtx(LogFileCtx *, const char *);
static void Unified2AlertDeInitCtx(OutputCtx *);
int Unified2Condition(ThreadVars *tv, const Packet *p);
int Unified2Logger(ThreadVars *tv, void *data, const Packet *p);
#define MODULE_NAME "Unified2Alert"
void TmModuleUnified2AlertRegister (void) {
tmm_modules[TMM_ALERTUNIFIED2ALERT].name = MODULE_NAME;
tmm_modules[TMM_ALERTUNIFIED2ALERT].ThreadInit = Unified2AlertThreadInit;
tmm_modules[TMM_ALERTUNIFIED2ALERT].Func = Unified2Alert;
// tmm_modules[TMM_ALERTUNIFIED2ALERT].Func = Unified2Alert;
tmm_modules[TMM_ALERTUNIFIED2ALERT].ThreadDeinit = Unified2AlertThreadDeinit;
tmm_modules[TMM_ALERTUNIFIED2ALERT].RegisterTests = Unified2RegisterTests;
tmm_modules[TMM_ALERTUNIFIED2ALERT].cap_flags = 0;
OutputRegisterModule(MODULE_NAME, "unified2-alert", Unified2AlertInitCtx);
//OutputRegisterModule(MODULE_NAME, "unified2-alert", Unified2AlertInitCtx);
OutputRegisterPacketModule(MODULE_NAME, "unified2-alert",
Unified2AlertInitCtx, Unified2Logger, Unified2Condition);
}
/**
@ -318,7 +323,7 @@ static int Unified2Write(Unified2AlertThread *aun)
return 1;
}
static int GetXFFIPFromTx (Packet *p, uint64_t tx_id, char *xff_header, char *dstbuf, int dstbuflen)
static int GetXFFIPFromTx (const Packet *p, uint64_t tx_id, char *xff_header, char *dstbuf, int dstbuflen)
{
uint8_t xff_chain[UNIFIED2_ALERT_XFF_CHAIN_MAXLEN];
HtpState *htp_state = NULL;
@ -375,7 +380,7 @@ static int GetXFFIPFromTx (Packet *p, uint64_t tx_id, char *xff_header, char *ds
* \retval 1 if the IP has been found and returned in dstbuf
* \retval 0 if the IP has not being found or error
*/
static int GetXFFIP (Packet *p, char *xff_header, char *dstbuf, int dstbuflen)
static int GetXFFIP (const Packet *p, char *xff_header, char *dstbuf, int dstbuflen)
{
HtpState *htp_state = NULL;
uint64_t tx_id = 0;
@ -397,21 +402,24 @@ end:
return 0; // Not found
}
int Unified2Condition(ThreadVars *tv, const Packet *p) {
if (likely(p->alerts.cnt == 0 && !(p->flags & PKT_HAS_TAG)))
return FALSE;
return TRUE;
}
/**
* \brief Unified2 main entry function
*
* \retval TM_ECODE_OK all is good
* \retval TM_ECODE_FAILED serious error
*/
TmEcode Unified2Alert (ThreadVars *t, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq)
int Unified2Logger (ThreadVars *t, void *data, const Packet *p)
{
int ret = 0;
Unified2AlertThread *aun = (Unified2AlertThread *)data;
aun->xff_flags = UNIFIED2_ALERT_XFF_DISABLED;
if (likely(p->alerts.cnt == 0 && !(p->flags & PKT_HAS_TAG)))
return TM_ECODE_OK;
/* overwrite mode can only work per u2 block, not per individual
* alert. So we'll look for an XFF record once */
if ((aun->unified2alert_ctx->xff_mode & UNIFIED2_ALERT_XFF_OVERWRITE) && p->flow != NULL) {
@ -446,9 +454,9 @@ TmEcode Unified2Alert (ThreadVars *t, Packet *p, void *data, PacketQueue *pq, Pa
}
if (PKT_IS_IPV4(p)) {
ret = Unified2IPv4TypeAlert (t, p, data, pq);
ret = Unified2IPv4TypeAlert (t, p, data);
} else if(PKT_IS_IPV6(p)) {
ret = Unified2IPv6TypeAlert (t, p, data, pq);
ret = Unified2IPv6TypeAlert (t, p, data);
} else {
/* we're only supporting IPv4 and IPv6 */
return TM_ECODE_OK;
@ -466,7 +474,7 @@ typedef struct _FakeIPv4Hdr {
TCPHdr tcph;
} FakeIPv4Hdr;
static int Unified2ForgeFakeIPv4Header(FakeIPv4Hdr *fakehdr, Packet *p, int pkt_len, char invert)
static int Unified2ForgeFakeIPv4Header(FakeIPv4Hdr *fakehdr, const Packet *p, int pkt_len, char invert)
{
fakehdr->ip4h.ip_verhl = p->ip4h->ip_verhl;
fakehdr->ip4h.ip_proto = p->ip4h->ip_proto;
@ -499,7 +507,7 @@ typedef struct _FakeIPv6Hdr {
/**
* \param payload_len length of the payload
*/
static int Unified2ForgeFakeIPv6Header(FakeIPv6Hdr *fakehdr, Packet *p, int payload_len, char invert)
static int Unified2ForgeFakeIPv6Header(FakeIPv6Hdr *fakehdr, const Packet *p, int payload_len, char invert)
{
fakehdr->ip6h.s_ip6_vfc = p->ip6h->s_ip6_vfc;
fakehdr->ip6h.s_ip6_nxt = IPPROTO_TCP;
@ -525,7 +533,7 @@ static int Unified2ForgeFakeIPv6Header(FakeIPv6Hdr *fakehdr, Packet *p, int payl
/**
* \brief Write a faked Packet in unified2 file for each stream segment.
*/
static int Unified2PrintStreamSegmentCallback(Packet *p, void *data, uint8_t *buf, uint32_t buflen)
static int Unified2PrintStreamSegmentCallback(const Packet *p, void *data, uint8_t *buf, uint32_t buflen)
{
int ret = 1;
Unified2AlertThread *aun = (Unified2AlertThread *)data;
@ -772,7 +780,7 @@ error:
* \retval 0 on succces
* \retval -1 on failure
*/
int Unified2PacketTypeAlert (Unified2AlertThread *aun, Packet *p, uint32_t event_id, int stream)
static int Unified2PacketTypeAlert (Unified2AlertThread *aun, const Packet *p, uint32_t event_id, int stream)
{
int ret = 0;
@ -872,18 +880,17 @@ int Unified2PacketTypeAlert (Unified2AlertThread *aun, Packet *p, uint32_t event
* \param t Thread Variable containing input/output queue, cpu affinity etc.
* \param p Packet struct used to decide for ipv4 or ipv6
* \param data Unified2 thread data.
* \param pq Packet queue
*
* \retval 0 on succces
* \retval -1 on failure
*/
int Unified2IPv6TypeAlert (ThreadVars *t, Packet *p, void *data, PacketQueue *pq)
static int Unified2IPv6TypeAlert (ThreadVars *t, const Packet *p, void *data)
{
Unified2AlertThread *aun = (Unified2AlertThread *)data;
Unified2AlertFileHeader hdr;
AlertIPv6Unified2 *phdr;
AlertIPv6Unified2 gphdr;
PacketAlert *pa;
const PacketAlert *pa;
int offset, length;
int ret;
unsigned int event_id;
@ -1058,18 +1065,17 @@ int Unified2IPv6TypeAlert (ThreadVars *t, Packet *p, void *data, PacketQueue *pq
* \param t Thread Variable containing input/output queue, cpu affinity etc.
* \param p Packet struct used to decide for ipv4 or ipv6
* \param data Unified2 thread data.
* \param pq Packet queue
* \retval 0 on succces
* \retval -1 on failure
*/
int Unified2IPv4TypeAlert (ThreadVars *tv, Packet *p, void *data, PacketQueue *pq)
static int Unified2IPv4TypeAlert (ThreadVars *tv, const Packet *p, void *data)
{
Unified2AlertThread *aun = (Unified2AlertThread *)data;
Unified2AlertFileHeader hdr;
AlertIPv4Unified2 *phdr;
AlertIPv4Unified2 gphdr;
PacketAlert *pa;
const PacketAlert *pa;
int offset, length;
int ret;
unsigned int event_id;
@ -1571,7 +1577,7 @@ static int Unified2Test01 (void) {
if(ret == TM_ECODE_FAILED) {
goto end;
}
ret = Unified2Alert(&tv, p, data, &pq, NULL);
ret = Unified2Logger(&tv, data, p);
if(ret == TM_ECODE_FAILED) {
goto end;
}
@ -1660,7 +1666,7 @@ static int Unified2Test02 (void) {
if(ret == -1) {
goto end;
}
ret = Unified2Alert(&tv, p, data, &pq, NULL);
ret = Unified2Logger(&tv, data, p);
if(ret == TM_ECODE_FAILED) {
goto end;
}
@ -1756,7 +1762,7 @@ static int Unified2Test03 (void) {
if(ret == -1) {
goto end;
}
ret = Unified2Alert(&tv, p, data, &pq, NULL);
ret = Unified2Logger(&tv, data, p);
if(ret == TM_ECODE_FAILED) {
goto end;
}
@ -1852,7 +1858,7 @@ static int Unified2Test04 (void) {
if(ret == -1) {
goto end;
}
ret = Unified2Alert(&tv, p, data, &pq, NULL);
ret = Unified2Logger(&tv, data, p);
if(ret == TM_ECODE_FAILED) {
goto end;
}
@ -1941,7 +1947,7 @@ static int Unified2Test05 (void) {
if(ret == -1) {
goto end;
}
ret = Unified2Alert(&tv, p, data, &pq, NULL);
ret = Unified2Logger(&tv, data, p);
if(ret == TM_ECODE_FAILED) {
goto end;
}

2
src/stream-tcp.c
Unescape Escape View File

@ -5394,7 +5394,7 @@ void StreamTcpPseudoPacketCreateStreamEndPacket(Packet *p, TcpSession *ssn, Pack
* \return -1 in case of error, the number of segment in case of success
*
*/
int StreamTcpSegmentForEach(Packet *p, uint8_t flag, StreamSegmentCallback CallbackFunc, void *data)
int StreamTcpSegmentForEach(const Packet *p, uint8_t flag, StreamSegmentCallback CallbackFunc, void *data)
{
TcpSession *ssn = NULL;
TcpStream *stream = NULL;

2
src/stream-tcp.h
Unescape Escape View File

@ -118,7 +118,7 @@ int StreamTcpCheckMemcap(uint64_t);
Packet *StreamTcpPseudoSetup(Packet *, uint8_t *, uint32_t);
int StreamTcpSegmentForEach(Packet *p, uint8_t flag,
int StreamTcpSegmentForEach(const Packet *p, uint8_t flag,
StreamSegmentCallback CallbackFunc,
void *data);
void StreamTcpReassembleConfigEnableOverlapCheck(void);

2
src/stream.c
Unescape Escape View File

@ -249,7 +249,7 @@ void StreamMsgReturnListToPool(void *list) {
*
* \return -1 in case of error, the number of segment in case of success
*/
int StreamSegmentForEach(Packet *p, uint8_t flag, StreamSegmentCallback CallbackFunc, void *data)
int StreamSegmentForEach(const Packet *p, uint8_t flag, StreamSegmentCallback CallbackFunc, void *data)
{
switch(p->proto) {
case IPPROTO_TCP:

4
src/stream.h
Unescape Escape View File

@ -73,8 +73,8 @@ uint16_t StreamMsgQueueGetMinChunkLen(uint8_t);
void StreamMsgReturnListToPool(void *);
typedef int (*StreamSegmentCallback)(Packet *, void *, uint8_t *, uint32_t);
int StreamSegmentForEach(Packet *p, uint8_t flag,
typedef int (*StreamSegmentCallback)(const Packet *, void *, uint8_t *, uint32_t);
int StreamSegmentForEach(const Packet *p, uint8_t flag,
StreamSegmentCallback CallbackFunc,
void *data);

Write Preview
Loading…
Cancel
Save