From 5776a98f672803c0e46d5cce9871f06b3b818714 Mon Sep 17 00:00:00 2001
From: Jeff Lucovsky
Date: Mon, 1 Jun 2020 10:23:12 -0400
Subject: [PATCH] log/syslog: Improve protocol output handling

Move protocol handling outside of the packet alert loop.
---
 src/alert-syslog.c | 59 +++++++++++++++++++++++-----------------------
 1 file changed, 30 insertions(+), 29 deletions(-)

diff --git a/src/alert-syslog.c b/src/alert-syslog.c
index 7c7c6c841c..e0b2d57e43 100644
--- a/src/alert-syslog.c
+++ b/src/alert-syslog.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2007-2014 Open Information Security Foundation
+/* Copyright (C) 2007-2020 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
@@ -209,6 +209,15 @@ static TmEcode AlertSyslogIPv4(ThreadVars *tv, const Packet *p, void *data)
 if (p->alerts.cnt == 0)
 return TM_ECODE_OK;
 
+ char proto[16] = "";
+ char *protoptr;
+ if (SCProtoNameValid(IPV4_GET_IPPROTO(p))) {
+ protoptr = known_proto[IPV4_GET_IPPROTO(p)];
+ } else {
+ snprintf(proto, sizeof(proto), "PROTO:%03" PRIu32, IPV4_GET_IPPROTO(p));
+ protoptr = proto;
+ }
+
 /* Not sure if this mutex is needed around calls to syslog. */
 SCMutexLock(&ast->file_ctx->fp_mutex);
 
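Review bot: `protoptr` is declared `char *` but is only ever read (it is passed to syslog as a `%s` argument) and, on the first branch, is assigned an entry of the `known_proto` table; if that table is declared `const char *` — its definition is not in this diff, so this needs confirming — the assignment discards a qualifier and the compiler will warn or reject under `-Wdiscarded-qualifiers`. Declaring it `const char *protoptr;` is correct on both branches, since `proto` decays to a pointer that converts to `const char *` implicitly. The same declaration appears in the IPv6 hunk at `@@ -266,6 +267,15 @@` and should be changed there too. AlertSyslogIPv4 begins before this hunk.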
@@ -229,19 +238,11 @@ static TmEcode AlertSyslogIPv4(ThreadVars *tv, const Packet *p, void *data)
 action = "[wDrop] ";
 }
 
- if (SCProtoNameValid(IPV4_GET_IPPROTO(p)) == TRUE) {
- syslog(alert_syslog_level, "%s[%" PRIu32 ":%" PRIu32 ":%"
- PRIu32 "] %s [Classification: %s] [Priority: %"PRIu32"]"
- " {%s} %s:%" PRIu32 " -> %s:%" PRIu32 "", action, pa->s->gid,
- pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg, pa->s->prio,
- known_proto[IPV4_GET_IPPROTO(p)], srcip, p->sp, dstip, p->dp);
- } else {
- syslog(alert_syslog_level, "%s[%" PRIu32 ":%" PRIu32 ":%"
- PRIu32 "] %s [Classification: %s] [Priority: %"PRIu32"]"
- " {PROTO:%03" PRIu32 "} %s:%" PRIu32 " -> %s:%" PRIu32 "",
- action, pa->s->gid, pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg,
- pa->s->prio, IPV4_GET_IPPROTO(p), srcip, p->sp, dstip, p->dp);
- }
+ syslog(alert_syslog_level, "%s[%" PRIu32 ":%" PRIu32 ":%"
+ PRIu32 "] %s [Classification: %s] [Priority: %"PRIu32"]"
+ " {%s} %s:%" PRIu32 " -> %s:%" PRIu32 "", action, pa->s->gid,
+ pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg, pa->s->prio,
+ protoptr, srcip, p->sp, dstip, p->dp);
 }
 
 SCMutexUnlock(&ast->file_ctx->fp_mutex);
@@ -266,6 +267,15 @@ static TmEcode AlertSyslogIPv6(ThreadVars *tv, const Packet *p, void *data)
 if (p->alerts.cnt == 0)
 return TM_ECODE_OK;
 
+ char proto[16] = "";
+ char *protoptr;
+ if (SCProtoNameValid(IPV6_GET_L4PROTO(p))) {
+ protoptr = known_proto[IPV6_GET_L4PROTO(p)];
+ } else {
+ snprintf(proto, sizeof(proto), "PROTO:03%" PRIu32, IPV6_GET_L4PROTO(p));
+ protoptr = proto;
+ }
+
 SCMutexLock(&ast->file_ctx->fp_mutex);
 
 for (i = 0; i < p->alerts.cnt; i++) {
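Review bot: The snprintf format in the IPv6 hunk `@@ -266,6 +267,15 @@` is `"PROTO:03%" PRIu32`, with the `%` placed after the `03`, so the literal text `03` is emitted followed by the unpadded protocol number — a constructed example: an unknown protocol 200 would log as `PROTO:03200` instead of `PROTO:200`. This differs from the IPv4 hunk in the same commit and from the `{PROTO:%03" PRIu32 "}` text the removed IPv6 syslog call used, so any downstream parser keyed on the three-digit field will see a changed alert format. The line should read `snprintf(proto, sizeof(proto), "PROTO:%03" PRIu32, IPV6_GET_L4PROTO(p));`. AlertSyslogIPv6 begins before this hunk.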
@@ -285,21 +295,12 @@ static TmEcode AlertSyslogIPv6(ThreadVars *tv, const Packet *p, void *data)
 action = "[wDrop] ";
 }
 
- if (SCProtoNameValid(IPV6_GET_L4PROTO(p)) == TRUE) {
- syslog(alert_syslog_level, "%s[%" PRIu32 ":%" PRIu32 ":%"
- "" PRIu32 "] %s [Classification: %s] [Priority: %"
- "" PRIu32 "] {%s} %s:%" PRIu32 " -> %s:%" PRIu32 "",
- action, pa->s->gid, pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg,
- pa->s->prio, known_proto[IPV6_GET_L4PROTO(p)], srcip, p->sp,
- dstip, p->dp);
-
- } else {
- syslog(alert_syslog_level, "%s[%" PRIu32 ":%" PRIu32 ":%"
- "" PRIu32 "] %s [Classification: %s] [Priority: %"
- "" PRIu32 "] {PROTO:%03" PRIu32 "} %s:%" PRIu32 " -> %s:%" PRIu32 "",
- action, pa->s->gid, pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg,
- pa->s->prio, IPV6_GET_L4PROTO(p), srcip, p->sp, dstip, p->dp);
- }
+ syslog(alert_syslog_level, "%s[%" PRIu32 ":%" PRIu32 ":%"
+ "" PRIu32 "] %s [Classification: %s] [Priority: %"
+ "" PRIu32 "] {%s} %s:%" PRIu32 " -> %s:%" PRIu32 "",
+ action, pa->s->gid, pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg,
+ pa->s->prio, protoptr, srcip, p->sp,
+ dstip, p->dp);
 }
 
 SCMutexUnlock(&ast->file_ctx->fp_mutex);