log/syslog: Improve protocol output handling

Move protocol handling outside of the packet alert loop.
pull/5146/head
Jeff Lucovsky 5 years ago committed by Victor Julien
parent 0a1c36759a
commit 5776a98f67

@ -1,4 +1,4 @@
/* Copyright (C) 2007-2014 Open Information Security Foundation
/* Copyright (C) 2007-2020 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
@ -209,6 +209,15 @@ static TmEcode AlertSyslogIPv4(ThreadVars *tv, const Packet *p, void *data)
if (p->alerts.cnt == 0)
return TM_ECODE_OK;
char proto[16] = "";
char *protoptr;
if (SCProtoNameValid(IPV4_GET_IPPROTO(p))) {
protoptr = known_proto[IPV4_GET_IPPROTO(p)];
} else {
snprintf(proto, sizeof(proto), "PROTO:%03" PRIu32, IPV4_GET_IPPROTO(p));
protoptr = proto;
}
/* Not sure if this mutex is needed around calls to syslog. */
SCMutexLock(&ast->file_ctx->fp_mutex);
@ -229,19 +238,11 @@ static TmEcode AlertSyslogIPv4(ThreadVars *tv, const Packet *p, void *data)
action = "[wDrop] ";
}
if (SCProtoNameValid(IPV4_GET_IPPROTO(p)) == TRUE) {
syslog(alert_syslog_level, "%s[%" PRIu32 ":%" PRIu32 ":%"
PRIu32 "] %s [Classification: %s] [Priority: %"PRIu32"]"
" {%s} %s:%" PRIu32 " -> %s:%" PRIu32 "", action, pa->s->gid,
pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg, pa->s->prio,
known_proto[IPV4_GET_IPPROTO(p)], srcip, p->sp, dstip, p->dp);
} else {
syslog(alert_syslog_level, "%s[%" PRIu32 ":%" PRIu32 ":%"
PRIu32 "] %s [Classification: %s] [Priority: %"PRIu32"]"
" {PROTO:%03" PRIu32 "} %s:%" PRIu32 " -> %s:%" PRIu32 "",
action, pa->s->gid, pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg,
pa->s->prio, IPV4_GET_IPPROTO(p), srcip, p->sp, dstip, p->dp);
}
syslog(alert_syslog_level, "%s[%" PRIu32 ":%" PRIu32 ":%"
PRIu32 "] %s [Classification: %s] [Priority: %"PRIu32"]"
" {%s} %s:%" PRIu32 " -> %s:%" PRIu32 "", action, pa->s->gid,
pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg, pa->s->prio,
protoptr, srcip, p->sp, dstip, p->dp);
}
SCMutexUnlock(&ast->file_ctx->fp_mutex);
@ -266,6 +267,15 @@ static TmEcode AlertSyslogIPv6(ThreadVars *tv, const Packet *p, void *data)
if (p->alerts.cnt == 0)
return TM_ECODE_OK;
char proto[16] = "";
char *protoptr;
if (SCProtoNameValid(IPV6_GET_L4PROTO(p))) {
protoptr = known_proto[IPV6_GET_L4PROTO(p)];
} else {
snprintf(proto, sizeof(proto), "PROTO:03%" PRIu32, IPV6_GET_L4PROTO(p));
protoptr = proto;
}
SCMutexLock(&ast->file_ctx->fp_mutex);
for (i = 0; i < p->alerts.cnt; i++) {
@ -285,21 +295,12 @@ static TmEcode AlertSyslogIPv6(ThreadVars *tv, const Packet *p, void *data)
action = "[wDrop] ";
}
if (SCProtoNameValid(IPV6_GET_L4PROTO(p)) == TRUE) {
syslog(alert_syslog_level, "%s[%" PRIu32 ":%" PRIu32 ":%"
"" PRIu32 "] %s [Classification: %s] [Priority: %"
"" PRIu32 "] {%s} %s:%" PRIu32 " -> %s:%" PRIu32 "",
action, pa->s->gid, pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg,
pa->s->prio, known_proto[IPV6_GET_L4PROTO(p)], srcip, p->sp,
dstip, p->dp);
} else {
syslog(alert_syslog_level, "%s[%" PRIu32 ":%" PRIu32 ":%"
"" PRIu32 "] %s [Classification: %s] [Priority: %"
"" PRIu32 "] {PROTO:%03" PRIu32 "} %s:%" PRIu32 " -> %s:%" PRIu32 "",
action, pa->s->gid, pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg,
pa->s->prio, IPV6_GET_L4PROTO(p), srcip, p->sp, dstip, p->dp);
}
syslog(alert_syslog_level, "%s[%" PRIu32 ":%" PRIu32 ":%"
"" PRIu32 "] %s [Classification: %s] [Priority: %"
"" PRIu32 "] {%s} %s:%" PRIu32 " -> %s:%" PRIu32 "",
action, pa->s->gid, pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg,
pa->s->prio, protoptr, srcip, p->sp,
dstip, p->dp);
}
SCMutexUnlock(&ast->file_ctx->fp_mutex);
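Review bot: The IPv6 fallback format in the `@ -266,6 +267,15 @@` hunk puts the zero-pad width before the conversion specifier: `"PROTO:03%" PRIu32` emits a literal `03` followed by the unpadded number (an unknown protocol 200 would log as `PROTO:03200`), while the IPv4 hunk and the inline `syslog` calls this commit removes use `%03`. Change that line to `snprintf(proto, sizeof(proto), "PROTO:%03" PRIu32, IPV6_GET_L4PROTO(p));` so both address families emit the same `PROTO:NNN` token that log consumers key on. If `known_proto` holds string constants, declaring `const char *protoptr` in both functions would let the compiler reject writes through the pointer; worth confirming against its declaration, which is outside these hunks. The enclosing AlertSyslogIPv4 and AlertSyslogIPv6 bodies both start before and end after the hunks shown.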
