Shrink PacketAlerts structure so that Packet structure is a lot smaller. Reduce max events per packet from 256 to 15.

remotes/origin/master-1.1.x
Victor Julien 15 years ago
parent d3f19a3851
commit 75439863ed

@ -51,6 +51,7 @@
#include "flow-var.h"
#include "flow-bit.h"
#include "util-var-name.h"
#include "util-optimize.h"
#define DEFAULT_LOG_FILENAME "alert-debug.log"
@ -244,13 +245,16 @@ TmEcode AlertDebugLogIPv4(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq
for (i = 0; i < p->alerts.cnt; i++) {
PacketAlert *pa = &p->alerts.alerts[i];
if (unlikely(pa->s == NULL)) {
continue;
}
fprintf(aft->file_ctx->fp, "ALERT MSG [%02d]: %s\n", i, pa->msg);
fprintf(aft->file_ctx->fp, "ALERT GID [%02d]: %" PRIu32 "\n", i, pa->gid);
fprintf(aft->file_ctx->fp, "ALERT SID [%02d]: %" PRIu32 "\n", i, pa->sid);
fprintf(aft->file_ctx->fp, "ALERT REV [%02d]: %" PRIu32 "\n", i, pa->rev);
fprintf(aft->file_ctx->fp, "ALERT CLASS [%02d]: %s\n", i, pa->class_msg ? pa->class_msg : "<none>");
fprintf(aft->file_ctx->fp, "ALERT PRIO [%02d]: %" PRIu32 "\n", i, pa->prio);
fprintf(aft->file_ctx->fp, "ALERT MSG [%02d]: %s\n", i, pa->s->msg);
fprintf(aft->file_ctx->fp, "ALERT GID [%02d]: %" PRIu32 "\n", i, pa->s->gid);
fprintf(aft->file_ctx->fp, "ALERT SID [%02d]: %" PRIu32 "\n", i, pa->s->id);
fprintf(aft->file_ctx->fp, "ALERT REV [%02d]: %" PRIu32 "\n", i, pa->s->rev);
fprintf(aft->file_ctx->fp, "ALERT CLASS [%02d]: %s\n", i, pa->s->class_msg ? pa->s->class_msg : "<none>");
fprintf(aft->file_ctx->fp, "ALERT PRIO [%02d]: %" PRIu32 "\n", i, pa->s->prio);
fprintf(aft->file_ctx->fp, "ALERT FOUND IN [%02d]: %s\n", i, pa->alert_msg ? "STREAM" : "OTHER");
if (pa->alert_msg != NULL) {
fprintf(aft->file_ctx->fp, "ALERT STREAM LEN[%02d]:%"PRIu16"\n", i, ((StreamMsg *)pa->alert_msg)->data.data_len);
@ -288,13 +292,17 @@ TmEcode AlertDebugLogIPv6(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq
SCMutexLock(&aft->file_ctx->fp_mutex);
for (i = 0; i < p->alerts.cnt; i++) {
PacketAlert *pa = &p->alerts.alerts[i];
if (unlikely(pa->s == NULL)) {
continue;
}
char srcip[46], dstip[46];
inet_ntop(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
inet_ntop(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
fprintf(aft->file_ctx->fp, "%s [**] [%" PRIu32 ":%" PRIu32 ":%" PRIu32 "] %s [**] [Classification: fixme] [Priority: %" PRIu32 "] {%" PRIu32 "} %s:%" PRIu32 " -> %s:%" PRIu32 "\n",
timebuf, pa->gid, pa->sid, pa->rev, pa->msg, pa->prio, IPV6_GET_L4PROTO(p), srcip, p->sp, dstip, p->dp);
timebuf, pa->s->gid, pa->s->id, pa->s->rev, pa->s->msg, pa->s->prio, IPV6_GET_L4PROTO(p), srcip, p->sp, dstip, p->dp);
}
fprintf(aft->file_ctx->fp, "FLOW: to_server: %s, to_client: %s\n",
@ -361,13 +369,16 @@ TmEcode AlertDebugLogDecoderEvent(ThreadVars *tv, Packet *p, void *data, PacketQ
for (i = 0; i < p->alerts.cnt; i++) {
PacketAlert *pa = &p->alerts.alerts[i];
if (unlikely(pa->s == NULL)) {
continue;
}
fprintf(aft->file_ctx->fp, "ALERT MSG [%02d]: %s\n", i, pa->msg);
fprintf(aft->file_ctx->fp, "ALERT GID [%02d]: %" PRIu32 "\n", i, pa->gid);
fprintf(aft->file_ctx->fp, "ALERT SID [%02d]: %" PRIu32 "\n", i, pa->sid);
fprintf(aft->file_ctx->fp, "ALERT REV [%02d]: %" PRIu32 "\n", i, pa->rev);
fprintf(aft->file_ctx->fp, "ALERT CLASS [%02d]: %s\n", i, pa->class_msg);
fprintf(aft->file_ctx->fp, "ALERT PRIO [%02d]: %" PRIu32 "\n", i, pa->prio);
fprintf(aft->file_ctx->fp, "ALERT MSG [%02d]: %s\n", i, pa->s->msg);
fprintf(aft->file_ctx->fp, "ALERT GID [%02d]: %" PRIu32 "\n", i, pa->s->gid);
fprintf(aft->file_ctx->fp, "ALERT SID [%02d]: %" PRIu32 "\n", i, pa->s->id);
fprintf(aft->file_ctx->fp, "ALERT REV [%02d]: %" PRIu32 "\n", i, pa->s->rev);
fprintf(aft->file_ctx->fp, "ALERT CLASS [%02d]: %s\n", i, pa->s->class_msg);
fprintf(aft->file_ctx->fp, "ALERT PRIO [%02d]: %" PRIu32 "\n", i, pa->s->prio);
}
aft->file_ctx->alerts += p->alerts.cnt;
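Review bot: In AlertDebugLogDecoderEvent the new `ALERT CLASS` line passes `pa->s->class_msg` straight to `%s`, while the IPv4 and IPv6 variants in the same file guard it with `? ... : "<none>"`; a signature without a classtype makes that fprintf undefined behaviour (glibc prints "(null)", other libcs can crash). Use the same guard: `fprintf(aft->file_ctx->fp, "ALERT CLASS [%02d]: %s\n", i, pa->s->class_msg ? pa->s->class_msg : "<none>");`. The same unguarded `pa->s->class_msg` goes to a `%s` in the rewritten fprintf/snprintf calls of alert-fastlog.c and alert-syslog.c further down (pre-existing there, but this commit touches every one of those lines). The `aft->file_ctx->alerts += p->alerts.cnt` update on the last line also still counts the entries the loop now skips for `s == NULL`, so the counter can overstate what was actually written.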

@ -57,6 +57,7 @@
#include "util-privs.h"
#include "util-print.h"
#include "util-proto-name.h"
#include "util-optimize.h"
#define DEFAULT_LOG_FILENAME "fast.log"
@ -136,6 +137,9 @@ TmEcode AlertFastLogIPv4(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq,
for (i = 0; i < p->alerts.cnt; i++) {
PacketAlert *pa = &p->alerts.alerts[i];
if (unlikely(pa->s == NULL)) {
continue;
}
char srcip[16], dstip[16];
@ -152,13 +156,13 @@ TmEcode AlertFastLogIPv4(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq,
fprintf(aft->file_ctx->fp, "%s %s[**] [%" PRIu32 ":%" PRIu32 ":%"
PRIu32 "] %s [**] [Classification: %s] [Priority: %"PRIu32"]"
" {%s} %s:%" PRIu32 " -> %s:%" PRIu32 "", timebuf, action,
pa->gid, pa->sid, pa->rev, pa->msg, pa->class_msg, pa->prio,
pa->s->gid, pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg, pa->s->prio,
known_proto[IPV4_GET_IPPROTO(p)], srcip, p->sp, dstip, p->dp);
} else {
fprintf(aft->file_ctx->fp, "%s %s[**] [%" PRIu32 ":%" PRIu32 ":%"
PRIu32 "] %s [**] [Classification: %s] [Priority: %"PRIu32"]"
" {PROTO:%03" PRIu32 "} %s:%" PRIu32 " -> %s:%" PRIu32 "", timebuf,
action, pa->gid, pa->sid, pa->rev, pa->msg, pa->class_msg, pa->prio,
action, pa->s->gid, pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg, pa->s->prio,
IPV4_GET_IPPROTO(p), srcip, p->sp, dstip, p->dp);
}
@ -190,6 +194,10 @@ TmEcode AlertFastLogIPv6(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq,
for (i = 0; i < p->alerts.cnt; i++) {
PacketAlert *pa = &p->alerts.alerts[i];
if (unlikely(pa->s == NULL)) {
continue;
}
char srcip[46], dstip[46];
inet_ntop(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
@ -205,16 +213,16 @@ TmEcode AlertFastLogIPv6(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq,
fprintf(aft->file_ctx->fp, "%s %s[**] [%" PRIu32 ":%" PRIu32 ":%"
"" PRIu32 "] %s [**] [Classification: %s] [Priority: %"
"" PRIu32 "] {%s} %s:%" PRIu32 " -> %s:%" PRIu32 "", timebuf,
action, pa->gid, pa->sid, pa->rev, pa->msg, pa->class_msg,
pa->prio, known_proto[IPV6_GET_L4PROTO(p)], srcip, p->sp,
action, pa->s->gid, pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg,
pa->s->prio, known_proto[IPV6_GET_L4PROTO(p)], srcip, p->sp,
dstip, p->dp);
} else {
fprintf(aft->file_ctx->fp, "%s %s[**] [%" PRIu32 ":%" PRIu32 ":%"
"" PRIu32 "] %s [**] [Classification: %s] [Priority: %"
"" PRIu32 "] {PROTO:%03" PRIu32 "} %s:%" PRIu32 " -> %s:%" PRIu32 "",
timebuf, action, pa->gid, pa->sid, pa->rev, pa->msg, pa->class_msg,
pa->prio, IPV6_GET_L4PROTO(p), srcip, p->sp, dstip, p->dp);
timebuf, action, pa->s->gid, pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg,
pa->s->prio, IPV6_GET_L4PROTO(p), srcip, p->sp, dstip, p->dp);
}
fprintf(aft->file_ctx->fp,"\n");
@ -245,6 +253,9 @@ TmEcode AlertFastLogDecoderEvent(ThreadVars *tv, Packet *p, void *data, PacketQu
for (i = 0; i < p->alerts.cnt; i++) {
PacketAlert *pa = &p->alerts.alerts[i];
if (unlikely(pa->s == NULL)) {
continue;
}
if (pa->action == ACTION_DROP && IS_ENGINE_MODE_IPS(engine_mode)) {
action = "[Drop] ";
@ -254,8 +265,8 @@ TmEcode AlertFastLogDecoderEvent(ThreadVars *tv, Packet *p, void *data, PacketQu
fprintf(aft->file_ctx->fp, "%s %s[**] [%" PRIu32 ":%" PRIu32
":%" PRIu32 "] %s [**] [Classification: %s] [Priority: "
"%" PRIu32 "] [**] [Raw pkt: ", timebuf, action, pa->gid,
pa->sid, pa->rev, pa->msg, pa->class_msg, pa->prio);
"%" PRIu32 "] [**] [Raw pkt: ", timebuf, action, pa->s->gid,
pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg, pa->s->prio);
PrintRawLineHexFp(aft->file_ctx->fp, GET_PKT_DATA(p), GET_PKT_LEN(p) < 32 ? GET_PKT_LEN(p) : 32);
if (p->pcap_cnt != 0) {
@ -441,7 +452,7 @@ int AlertFastLogTest01()
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (p->alerts.cnt == 1)
result = (strcmp(p->alerts.alerts[0].class_msg, "Unknown are we") == 0);
result = (strcmp(p->alerts.alerts[0].s->class_msg, "Unknown are we") == 0);
else
result = 0;
@ -499,14 +510,14 @@ int AlertFastLogTest02()
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (p->alerts.cnt == 1) {
result = (strcmp(p->alerts.alerts[0].class_msg, "Unknown Traffic") != 0);
result = (strcmp(p->alerts.alerts[0].s->class_msg, "Unknown Traffic") != 0);
if (result == 0)
printf("p->alerts.alerts[0].class_msg %s: ", p->alerts.alerts[0].class_msg);
printf("p->alerts.alerts[0].class_msg %s: ", p->alerts.alerts[0].s->class_msg);
result = (strcmp(p->alerts.alerts[0].class_msg,
result = (strcmp(p->alerts.alerts[0].s->class_msg,
"Unknown are we") == 0);
if (result == 0)
printf("p->alerts.alerts[0].class_msg %s: ", p->alerts.alerts[0].class_msg);
printf("p->alerts.alerts[0].class_msg %s: ", p->alerts.alerts[0].s->class_msg);
} else {
result = 0;
}
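Review bot: The diagnostic printf in AlertFastLogTest02 still labels the value `p->alerts.alerts[0].class_msg` while the expression it prints is now `p->alerts.alerts[0].s->class_msg`, so a failing run points at a field that no longer exists; update both occurrences to `printf("p->alerts.alerts[0].s->class_msg %s: ", p->alerts.alerts[0].s->class_msg);`. Both this test and AlertFastLogTest01 hand `s->class_msg` to strcmp without a NULL check, which is pre-existing, but now that the string is read through the signature it is worth asserting `p->alerts.alerts[0].s->class_msg != NULL` before the compare so a missing classtype fails the test instead of faulting it.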

@ -53,6 +53,7 @@
#include "output.h"
#include "util-privs.h"
#include "util-optimize.h"
#ifndef PRELUDE
/** Handle the case where no PRELUDE support is compiled in.
@ -220,13 +221,13 @@ static int EventToImpact(PacketAlert *pa, Packet *p, idmef_alert_t *alert)
if ( ret < 0 )
SCReturnInt(ret);
if ( pa->prio < mid_priority )
if ( (uint)pa->s->prio < mid_priority )
severity = IDMEF_IMPACT_SEVERITY_HIGH;
else if ( pa->prio < low_priority )
else if ( (uint)pa->s->prio < low_priority )
severity = IDMEF_IMPACT_SEVERITY_MEDIUM;
else if ( pa->prio < info_priority )
else if ( (uint)pa->s->prio < info_priority )
severity = IDMEF_IMPACT_SEVERITY_LOW;
else
@ -249,7 +250,7 @@ static int EventToImpact(PacketAlert *pa, Packet *p, idmef_alert_t *alert)
if ( ret < 0 )
SCReturnInt(ret);
prelude_string_set_ref(str, pa->class_msg);
prelude_string_set_ref(str, pa->s->class_msg);
SCReturnInt(0);
}
@ -489,8 +490,8 @@ static int PacketToData(Packet *p, PacketAlert *pa, idmef_alert_t *alert, AlertP
if ( ! p )
SCReturnInt(0);
AddIntData(alert, "snort_rule_sid", pa->sid);
AddIntData(alert, "snort_rule_rev", pa->rev);
AddIntData(alert, "snort_rule_sid", pa->s->id);
AddIntData(alert, "snort_rule_rev", pa->s->rev);
if (ctx->log_packet_header) {
if ( PKT_IS_IPV4(p) )
@ -606,14 +607,14 @@ static int EventToReference(PacketAlert *pa, Packet *p, idmef_classification_t *
if ( ret < 0 )
SCReturnInt(ret);
if ( pa->gid == 0 )
ret = prelude_string_sprintf(str, "%u", pa->sid);
if ( pa->s->gid == 0 )
ret = prelude_string_sprintf(str, "%u", pa->s->id);
else
ret = prelude_string_sprintf(str, "%u:%u", pa->gid, pa->sid);
ret = prelude_string_sprintf(str, "%u:%u", pa->s->gid, pa->s->id);
if ( ret < 0 )
SCReturnInt(ret);
ret = AddSnortReference(class, pa->gid, pa->sid);
ret = AddSnortReference(class, pa->s->gid, pa->s->id);
if ( ret < 0 )
SCReturnInt(ret);
@ -670,6 +671,8 @@ TmEcode AlertPrelude (ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, Pa
/* XXX which one to add to this alert? Lets see how Snort solves this.
* For now just take last alert. */
pa = &p->alerts.alerts[p->alerts.cnt-1];
if (pa->s == NULL)
goto err;
ret = idmef_message_new(&idmef);
if ( ret < 0 )
@ -687,7 +690,7 @@ TmEcode AlertPrelude (ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, Pa
if ( ret < 0 )
goto err;
prelude_string_set_ref(str, pa->msg);
prelude_string_set_ref(str, pa->s->msg);
ret = EventToImpact(pa, p, alert);
if ( ret < 0 )
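Review bot: EventToImpact now casts `pa->s->prio` with `uint`, which is a glibc typedef rather than a C type, and `Signature.prio` is declared `int` in this same commit's detect.h hunk, so a negative priority turns into a huge unsigned value, fails all three `<` tests and lands in the final else branch rather than the severity it was meant to have. Prefer a signed-safe form such as `if ( pa->s->prio >= 0 && (unsigned int)pa->s->prio < mid_priority )` (and the same for the two following comparisons), or keep the comparison signed. In AlertPrelude the new `if (pa->s == NULL) goto err;` jumps to the error label before `idmef_message_new(&idmef)` has run; whether the `err` path tolerates an uninitialised `idmef` is not visible in this hunk and should be confirmed. `pa = &p->alerts.alerts[p->alerts.cnt-1]` likewise relies on a `cnt > 0` check that lies outside the hunk.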

@ -48,6 +48,7 @@
#include "util-print.h"
#include "util-proto-name.h"
#include "util-syslog.h"
#include "util-optimize.h"
#define DEFAULT_ALERT_SYSLOG_FACILITY_STR "local0"
#define DEFAULT_ALERT_SYSLOG_FACILITY LOG_LOCAL0
@ -261,6 +262,9 @@ TmEcode AlertSyslogIPv4(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq,
for (i = 0; i < p->alerts.cnt; i++) {
PacketAlert *pa = &p->alerts.alerts[i];
if (unlikely(pa->s == NULL)) {
continue;
}
char srcip[16], dstip[16];
@ -276,15 +280,15 @@ TmEcode AlertSyslogIPv4(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq,
if (SCProtoNameValid(IPV4_GET_IPPROTO(p)) == TRUE) {
syslog(alert_syslog_level, "%s[%" PRIu32 ":%" PRIu32 ":%"
PRIu32 "] %s [Classification: %s] [Priority: %"PRIu32"]"
" {%s} %s:%" PRIu32 " -> %s:%" PRIu32 "", action, pa->gid,
pa->sid, pa->rev, pa->msg, pa->class_msg, pa->prio,
" {%s} %s:%" PRIu32 " -> %s:%" PRIu32 "", action, pa->s->gid,
pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg, pa->s->prio,
known_proto[IPV4_GET_IPPROTO(p)], srcip, p->sp, dstip, p->dp);
} else {
syslog(alert_syslog_level, "%s[%" PRIu32 ":%" PRIu32 ":%"
PRIu32 "] %s [Classification: %s] [Priority: %"PRIu32"]"
" {PROTO:%03" PRIu32 "} %s:%" PRIu32 " -> %s:%" PRIu32 "",
action, pa->gid, pa->sid, pa->rev, pa->msg, pa->class_msg,
pa->prio, IPV4_GET_IPPROTO(p), srcip, p->sp, dstip, p->dp);
action, pa->s->gid, pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg,
pa->s->prio, IPV4_GET_IPPROTO(p), srcip, p->sp, dstip, p->dp);
}
}
SCMutexUnlock(&ast->file_ctx->fp_mutex);
@ -319,6 +323,10 @@ TmEcode AlertSyslogIPv6(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq,
for (i = 0; i < p->alerts.cnt; i++) {
PacketAlert *pa = &p->alerts.alerts[i];
if (unlikely(pa->s == NULL)) {
continue;
}
char srcip[46], dstip[46];
inet_ntop(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
@ -334,16 +342,16 @@ TmEcode AlertSyslogIPv6(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq,
syslog(alert_syslog_level, "%s[%" PRIu32 ":%" PRIu32 ":%"
"" PRIu32 "] %s [Classification: %s] [Priority: %"
"" PRIu32 "] {%s} %s:%" PRIu32 " -> %s:%" PRIu32 "",
action, pa->gid, pa->sid, pa->rev, pa->msg, pa->class_msg,
pa->prio, known_proto[IPV6_GET_L4PROTO(p)], srcip, p->sp,
action, pa->s->gid, pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg,
pa->s->prio, known_proto[IPV6_GET_L4PROTO(p)], srcip, p->sp,
dstip, p->dp);
} else {
syslog(alert_syslog_level, "%s[%" PRIu32 ":%" PRIu32 ":%"
"" PRIu32 "] %s [Classification: %s] [Priority: %"
"" PRIu32 "] {PROTO:%03" PRIu32 "} %s:%" PRIu32 " -> %s:%" PRIu32 "",
action, pa->gid, pa->sid, pa->rev, pa->msg, pa->class_msg,
pa->prio, IPV6_GET_L4PROTO(p), srcip, p->sp, dstip, p->dp);
action, pa->s->gid, pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg,
pa->s->prio, IPV6_GET_L4PROTO(p), srcip, p->sp, dstip, p->dp);
}
}
@ -383,6 +391,9 @@ TmEcode AlertSyslogDecoderEvent(ThreadVars *tv, Packet *p, void *data,
for (i = 0; i < p->alerts.cnt; i++) {
PacketAlert *pa = &p->alerts.alerts[i];
if (unlikely(pa->s == NULL)) {
continue;
}
if (pa->action == ACTION_DROP && IS_ENGINE_MODE_IPS(engine_mode)) {
action = "[Drop] ";
@ -392,8 +403,8 @@ TmEcode AlertSyslogDecoderEvent(ThreadVars *tv, Packet *p, void *data,
snprintf(temp_buf_hdr, sizeof(temp_buf_hdr), "%s[%" PRIu32 ":%" PRIu32
":%" PRIu32 "] %s [Classification: %s] [Priority: %" PRIu32
"] [**] [Raw pkt: ", action, pa->gid, pa->sid, pa->rev, pa->msg,
pa->class_msg, pa->prio);
"] [**] [Raw pkt: ", action, pa->s->gid, pa->s->id, pa->s->rev, pa->s->msg,
pa->s->class_msg, pa->s->prio);
strlcpy(alert, temp_buf_hdr, sizeof(alert));
PrintRawLineHexBuf(temp_buf_pkt, sizeof(temp_buf_pkt), GET_PKT_DATA(p), GET_PKT_LEN(p) < 32 ? GET_PKT_LEN(p) : 32);

@ -48,6 +48,7 @@
#include "output.h"
#include "alert-unified-alert.h"
#include "util-privs.h"
#include "util-optimize.h"
#define DEFAULT_LOG_FILENAME "unified.alert"
@ -214,12 +215,16 @@ TmEcode AlertUnifiedAlert (ThreadVars *tv, Packet *p, void *data, PacketQueue *p
for (; i < p->alerts.cnt; i++) {
PacketAlert *pa = &p->alerts.alerts[i];
if (unlikely(pa->s == NULL)) {
continue;
}
/* fill the rest of the hdr structure with the data of the alert */
hdr.sig_gen = pa->gid;
hdr.sig_sid = pa->sid;
hdr.sig_rev = pa->rev;
hdr.sig_class = pa->class;
hdr.sig_prio = pa->prio;
hdr.sig_gen = pa->s->gid;
hdr.sig_sid = pa->s->id;
hdr.sig_rev = pa->s->rev;
hdr.sig_class = pa->s->class;
hdr.sig_prio = pa->s->prio;
SCMutexLock(&aun->file_ctx->fp_mutex);
/** check and enforce the filesize limit, thread safe */
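Review bot: `hdr.sig_prio = pa->s->prio` now copies `Signature.prio`, an `int`, where the removed `PacketAlert.prio` was a `uint8_t`; the width of `sig_prio` is not visible here, but if it is a fixed-width unsigned field a negative or >255 priority now reaches the on-disk record where it was previously truncated on the way into the PacketAlert. The same applies to `pa->s->class` versus the old `uint8_t class`. A short comment at the fill-in would make the narrowing explicit, e.g. `/* prio/class are plain ints on Signature; the unified header fields are fixed-width, so out-of-range values are truncated here */`. The identical assignments in AlertUnifiedLog and the `htonl(pa->s->prio)` calls in alert-unified2.c share this.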

@ -48,6 +48,7 @@
#include "output.h"
#include "alert-unified-log.h"
#include "util-privs.h"
#include "util-optimize.h"
#define DEFAULT_LOG_FILENAME "unified.log"
@ -185,7 +186,6 @@ TmEcode AlertUnifiedLog (ThreadVars *tv, Packet *p, void *data, PacketQueue *pq,
{
AlertUnifiedLogThread *aun = (AlertUnifiedLogThread *)data;
AlertUnifiedLogPacketHeader hdr;
PacketAlert pa_tag;
PacketAlert *pa;
int ret;
uint8_t ethh_offset = 0;
@ -199,7 +199,6 @@ TmEcode AlertUnifiedLog (ThreadVars *tv, Packet *p, void *data, PacketQueue *pq,
/* initialize the pa_tag structure if we have tags */
if (p->flags & PKT_HAS_TAG) {
PacketAlertAppendTag(p, &pa_tag);
/* one extra "alert" to process */
alert_cnt++;
}
@ -225,17 +224,21 @@ TmEcode AlertUnifiedLog (ThreadVars *tv, Packet *p, void *data, PacketQueue *pq,
pa = &p->alerts.alerts[i];
} else {
if (p->flags & PKT_HAS_TAG)
pa = &pa_tag;
pa = PacketAlertGetTag();
else
break;
}
if (unlikely(pa->s == NULL)) {
continue;
}
/* fill the hdr structure with the data of the alert */
hdr.sig_gen = pa->gid;
hdr.sig_sid = pa->sid;
hdr.sig_rev = pa->rev;
hdr.sig_class = pa->class;
hdr.sig_prio = pa->prio;
hdr.sig_gen = pa->s->gid;
hdr.sig_sid = pa->s->id;
hdr.sig_rev = pa->s->rev;
hdr.sig_class = pa->s->class;
hdr.sig_prio = pa->s->prio;
memcpy(buf,&hdr,sizeof(hdr));
buflen = sizeof(hdr);
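Review bot: The comment `/* initialize the pa_tag structure if we have tags */` in AlertUnifiedLog is stale now that `pa_tag` and the `PacketAlertAppendTag` call are gone; the block only bumps `alert_cnt`. Replace it with `/* a tagged packet gets one extra pseudo-alert, the shared tag alert */`. The tag entry is now taken from `PacketAlertGetTag()`, a pointer to process-wide static state read by every output thread, so the loop must treat `pa` as read-only when it is the tag entry; a one-line comment at the `pa = PacketAlertGetTag();` assignment saying so would prevent a later write through it.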

@ -49,6 +49,7 @@
#include "util-privs.h"
#include "stream.h"
#include "util-optimize.h"
#ifndef IPPROTO_SCTP
#define IPPROTO_SCTP 132
@ -493,7 +494,6 @@ int Unified2IPv6TypeAlert (ThreadVars *t, Packet *p, void *data, PacketQueue *pq
Unified2AlertThread *aun = (Unified2AlertThread *)data;
AlertIPv6Unified2 phdr;
Unified2AlertFileHeader hdr;
PacketAlert pa_tag;
PacketAlert *pa;
int ret, len;
char write_buffer[sizeof(Unified2AlertFileHeader) + sizeof(AlertIPv6Unified2)];
@ -559,25 +559,26 @@ int Unified2IPv6TypeAlert (ThreadVars *t, Packet *p, void *data, PacketQueue *pq
break;
}
if (p->flags & PKT_HAS_TAG)
PacketAlertAppendTag(p, &pa_tag);
uint16_t i = 0;
for (; i < p->alerts.cnt + 1; i++) {
if (i < p->alerts.cnt)
pa = &p->alerts.alerts[i];
else
if (p->flags & PKT_HAS_TAG)
pa = &pa_tag;
pa = PacketAlertGetTag();
else
break;
if (unlikely(pa->s == NULL)) {
continue;
}
/* fill the header structure with the data of the alert */
phdr.generator_id = htonl(pa->gid);
phdr.signature_id = htonl(pa->sid);
phdr.signature_revision = htonl(pa->rev);
phdr.classification_id = htonl(pa->class);
phdr.priority_id = htonl(pa->prio);
phdr.generator_id = htonl(pa->s->gid);
phdr.signature_id = htonl(pa->s->id);
phdr.signature_revision = htonl(pa->s->rev);
phdr.classification_id = htonl(pa->s->class);
phdr.priority_id = htonl(pa->s->prio);
memcpy(write_buffer+sizeof(Unified2AlertFileHeader),&phdr,sizeof(AlertIPv6Unified2));
@ -629,7 +630,6 @@ int Unified2IPv4TypeAlert (ThreadVars *tv, Packet *p, void *data, PacketQueue *p
AlertIPv4Unified2 phdr;
Unified2AlertFileHeader hdr;
PacketAlert *pa;
PacketAlert pa_tag;
int ret, len;
char write_buffer[sizeof(Unified2AlertFileHeader) + sizeof(AlertIPv4Unified2)];
@ -681,25 +681,26 @@ int Unified2IPv4TypeAlert (ThreadVars *tv, Packet *p, void *data, PacketQueue *p
break;
}
if (p->flags & PKT_HAS_TAG)
PacketAlertAppendTag(p, &pa_tag);
uint16_t i = 0;
for (; i < p->alerts.cnt + 1; i++) {
if (i < p->alerts.cnt)
pa = &p->alerts.alerts[i];
else
if (p->flags & PKT_HAS_TAG)
pa = &pa_tag;
pa = PacketAlertGetTag();
else
break;
if (unlikely(pa->s == NULL)) {
continue;
}
/* fill the hdr structure with the alert data */
phdr.generator_id = htonl(pa->gid);
phdr.signature_id = htonl(pa->sid);
phdr.signature_revision = htonl(pa->rev);
phdr.classification_id = htonl(pa->class);
phdr.priority_id = htonl(pa->prio);
phdr.generator_id = htonl(pa->s->gid);
phdr.signature_id = htonl(pa->s->id);
phdr.signature_revision = htonl(pa->s->rev);
phdr.classification_id = htonl(pa->s->class);
phdr.priority_id = htonl(pa->s->prio);
memcpy(write_buffer+sizeof(Unified2AlertFileHeader),&phdr,sizeof(AlertIPv4Unified2));
@ -941,6 +942,7 @@ static int Unified2Test01 (void) {
void *data = NULL;
OutputCtx *oc;
LogFileCtx *lf;
Signature s;
uint8_t raw_ipv4_tcp[] = {
0x00, 0x14, 0xbf, 0xe8, 0xcb, 0x26, 0xaa, 0x00,
@ -963,11 +965,13 @@ static int Unified2Test01 (void) {
memset(&pq, 0, sizeof(PacketQueue));
memset(p, 0, SIZE_OF_PACKET);
p->pkt = (uint8_t *)(p + 1);
memset(&s, 0, sizeof(Signature));
p->alerts.cnt++;
p->alerts.alerts[p->alerts.cnt-1].sid = 1;
p->alerts.alerts[p->alerts.cnt-1].gid = 1;
p->alerts.alerts[p->alerts.cnt-1].rev = 1;
p->alerts.alerts[p->alerts.cnt-1].s = &s;
p->alerts.alerts[p->alerts.cnt-1].s->id = 1;
p->alerts.alerts[p->alerts.cnt-1].s->gid = 1;
p->alerts.alerts[p->alerts.cnt-1].s->rev = 1;
SET_PKT_LEN(p, sizeof(raw_ipv4_tcp));
FlowInitConfig(FLOW_QUIET);
@ -1022,6 +1026,7 @@ static int Unified2Test02 (void) {
void *data = NULL;
OutputCtx *oc;
LogFileCtx *lf;
Signature s;
uint8_t raw_ipv6_tcp[] = {
0x00, 0x11, 0x25, 0x82, 0x95, 0xb5, 0x00, 0xd0,
@ -1046,11 +1051,13 @@ static int Unified2Test02 (void) {
memset(&pq, 0, sizeof(PacketQueue));
memset(p, 0, SIZE_OF_PACKET);
p->pkt = (uint8_t *)(p + 1);
memset(&s, 0, sizeof(Signature));
p->alerts.cnt++;
p->alerts.alerts[p->alerts.cnt-1].sid = 1;
p->alerts.alerts[p->alerts.cnt-1].gid = 1;
p->alerts.alerts[p->alerts.cnt-1].rev = 1;
p->alerts.alerts[p->alerts.cnt-1].s = &s;
p->alerts.alerts[p->alerts.cnt-1].s->id = 1;
p->alerts.alerts[p->alerts.cnt-1].s->gid = 1;
p->alerts.alerts[p->alerts.cnt-1].s->rev = 1;
SET_PKT_LEN(p, sizeof(raw_ipv6_tcp));
FlowInitConfig(FLOW_QUIET);
@ -1106,6 +1113,7 @@ static int Unified2Test03 (void) {
void *data = NULL;
OutputCtx *oc;
LogFileCtx *lf;
Signature s;
uint8_t raw_gre[] = {
0x00, 0x0e, 0x50, 0x06, 0x42, 0x96, 0xaa, 0x00,
@ -1135,11 +1143,13 @@ static int Unified2Test03 (void) {
memset(&pq, 0, sizeof(PacketQueue));
memset(p, 0, SIZE_OF_PACKET);
p->pkt = (uint8_t *)(p + 1);
memset(&s, 0, sizeof(Signature));
p->alerts.cnt++;
p->alerts.alerts[p->alerts.cnt-1].sid = 1;
p->alerts.alerts[p->alerts.cnt-1].gid = 1;
p->alerts.alerts[p->alerts.cnt-1].rev = 1;
p->alerts.alerts[p->alerts.cnt-1].s = &s;
p->alerts.alerts[p->alerts.cnt-1].s->id = 1;
p->alerts.alerts[p->alerts.cnt-1].s->gid = 1;
p->alerts.alerts[p->alerts.cnt-1].s->rev = 1;
SET_PKT_LEN(p, sizeof(raw_gre));
FlowInitConfig(FLOW_QUIET);
@ -1200,6 +1210,7 @@ static int Unified2Test04 (void) {
void *data = NULL;
OutputCtx *oc;
LogFileCtx *lf;
Signature s;
uint8_t raw_ppp[] = {
0xff, 0x03, 0x00, 0x21, 0x45, 0xc0, 0x00, 0x2c,
@ -1218,11 +1229,13 @@ static int Unified2Test04 (void) {
memset(&pq, 0, sizeof(PacketQueue));
memset(p, 0, SIZE_OF_PACKET);
p->pkt = (uint8_t *)(p + 1);
memset(&s, 0, sizeof(Signature));
p->alerts.cnt++;
p->alerts.alerts[p->alerts.cnt-1].sid = 1;
p->alerts.alerts[p->alerts.cnt-1].gid = 1;
p->alerts.alerts[p->alerts.cnt-1].rev = 1;
p->alerts.alerts[p->alerts.cnt-1].s = &s;
p->alerts.alerts[p->alerts.cnt-1].s->id = 1;
p->alerts.alerts[p->alerts.cnt-1].s->gid = 1;
p->alerts.alerts[p->alerts.cnt-1].s->rev = 1;
SET_PKT_LEN(p, sizeof(raw_ppp));
FlowInitConfig(FLOW_QUIET);
@ -1277,6 +1290,7 @@ static int Unified2Test05 (void) {
void *data = NULL;
OutputCtx *oc;
LogFileCtx *lf;
Signature s;
uint8_t raw_ipv4_tcp[] = {
0x00, 0x14, 0xbf, 0xe8, 0xcb, 0x26, 0xaa, 0x00,
@ -1299,11 +1313,13 @@ static int Unified2Test05 (void) {
memset(&pq, 0, sizeof(PacketQueue));
memset(p, 0, SIZE_OF_PACKET);
p->pkt = (uint8_t *)(p + 1);
memset(&s, 0, sizeof(Signature));
p->alerts.cnt++;
p->alerts.alerts[p->alerts.cnt-1].sid = 1;
p->alerts.alerts[p->alerts.cnt-1].gid = 1;
p->alerts.alerts[p->alerts.cnt-1].rev = 1;
p->alerts.alerts[p->alerts.cnt-1].s = &s;
p->alerts.alerts[p->alerts.cnt-1].s->id = 1;
p->alerts.alerts[p->alerts.cnt-1].s->gid = 1;
p->alerts.alerts[p->alerts.cnt-1].s->rev = 1;
SET_PKT_LEN(p, sizeof(raw_ipv4_tcp));
FlowInitConfig(FLOW_QUIET);

@ -217,19 +217,13 @@ typedef struct PacketAlert_ {
SigIntId num; /* Internal num, used for sorting */
SigIntId order_id; /* Internal num, used for sorting */
uint8_t action; /* Internal num, used for sorting */
uint8_t rev;
uint8_t class;
uint8_t prio;
uint32_t gid;
uint32_t sid;
char *msg;
char *class_msg;
DetectReference *references;
uint8_t flags;
/** Pointer to smsg this signature matched on, or
* NULL if the sig didn't match on a smsg */
void *alert_msg;
struct Signature_ *s;
} PacketAlert;
/* After processing an alert by the thresholding module, if at
@ -237,7 +231,7 @@ typedef struct PacketAlert_ {
* the flow on IPS mode */
#define PACKET_ALERT_FLAG_DROP_FLOW 0x01
#define PACKET_ALERT_MAX 256
#define PACKET_ALERT_MAX 15
typedef struct PacketAlerts_ {
uint16_t cnt;
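Review bot: The new `struct Signature_ *s` member has no comment although every logger in this commit now tests it for NULL; document the contract on the field, e.g. `/** matching signature; non-owning, presumably NULL once an entry is cleared by PacketAlertRemove/thresholding (loggers must skip it) -- confirm */`. Lowering `PACKET_ALERT_MAX` to 15 means a packet matching more than 15 rules silently loses alerts; the bounds check in PacketAlertAppend is outside these hunks, so confirm it guards both the plain append and the make-room insertion path against `cnt == PACKET_ALERT_MAX`, and consider a counter for dropped alerts so the loss is visible rather than silent. The `/* Internal num, used for sorting */` comment copied onto `action` is also misleading and worth fixing while the struct is being edited.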

@ -1,4 +1,4 @@
/* Copyright (C) 2007-2010 Open Information Security Foundation
/* Copyright (C) 2007-2011 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
@ -27,6 +27,31 @@
#include "flow.h"
#include "flow-private.h"
/** tag signature we use for tag alerts */
static Signature g_tag_signature;
/** tag packet alert structure for tag alerts */
static PacketAlert g_tag_pa;
void PacketAlertTagInit(void) {
memset(&g_tag_signature, 0x00, sizeof(g_tag_signature));
g_tag_signature.id = TAG_SIG_ID;
g_tag_signature.gid = TAG_SIG_GEN;
g_tag_signature.num = TAG_SIG_ID;
g_tag_signature.rev = 1;
g_tag_signature.prio = 2;
memset(&g_tag_pa, 0x00, sizeof(g_tag_pa));
g_tag_pa.order_id = 1000;
g_tag_pa.action = ACTION_ALERT;
g_tag_pa.s = &g_tag_signature;
}
PacketAlert *PacketAlertGetTag(void) {
return &g_tag_pa;
}
/**
* \brief Handle a packet and check if needs a threshold logic
*
@ -79,7 +104,10 @@ int PacketAlertCheck(Packet *p, uint32_t sid)
int match = 0;
for (i = 0; i < p->alerts.cnt; i++) {
if (p->alerts.alerts[i].sid == sid)
if (p->alerts.alerts[i].s == NULL)
continue;
if (p->alerts.alerts[i].s->id == sid)
match++;
}
@ -131,23 +159,12 @@ int PacketAlertAppend(DetectEngineThreadCtx *det_ctx, Signature *s, Packet *p, u
if (p->alerts.cnt == 0 || (p->alerts.cnt > 0 &&
p->alerts.alerts[p->alerts.cnt - 1].order_id < s->order_id)) {
/* We just add it */
if (s->gid > 1)
p->alerts.alerts[p->alerts.cnt].gid = s->gid;
else
p->alerts.alerts[p->alerts.cnt].gid = 1;
p->alerts.alerts[p->alerts.cnt].num = s->num;
p->alerts.alerts[p->alerts.cnt].order_id = s->order_id;
p->alerts.alerts[p->alerts.cnt].action = s->action;
p->alerts.alerts[p->alerts.cnt].sid = s->id;
p->alerts.alerts[p->alerts.cnt].rev = s->rev;
p->alerts.alerts[p->alerts.cnt].prio = s->prio;
p->alerts.alerts[p->alerts.cnt].msg = s->msg;
p->alerts.alerts[p->alerts.cnt].class = s->class;
p->alerts.alerts[p->alerts.cnt].class_msg = s->class_msg;
p->alerts.alerts[p->alerts.cnt].references = s->references;
p->alerts.alerts[p->alerts.cnt].flags = flags;
p->alerts.alerts[p->alerts.cnt].alert_msg = alert_msg;
p->alerts.alerts[p->alerts.cnt].s = s;
} else {
/* We need to make room for this s->num
(a bit ugly with mamcpy but we are planning changes here)*/
@ -157,23 +174,12 @@ int PacketAlertAppend(DetectEngineThreadCtx *det_ctx, Signature *s, Packet *p, u
i++; /* The right place to store the alert */
if (s->gid > 1)
p->alerts.alerts[i].gid = s->gid;
else
p->alerts.alerts[i].gid = 1;
p->alerts.alerts[i].num = s->num;
p->alerts.alerts[i].order_id = s->order_id;
p->alerts.alerts[i].action = s->action;
p->alerts.alerts[i].sid = s->id;
p->alerts.alerts[i].rev = s->rev;
p->alerts.alerts[i].prio = s->prio;
p->alerts.alerts[i].msg = s->msg;
p->alerts.alerts[i].class = s->class;
p->alerts.alerts[i].class_msg = s->class_msg;
p->alerts.alerts[i].references = s->references;
p->alerts.alerts[i].flags = flags;
p->alerts.alerts[i].alert_msg = alert_msg;
p->alerts.alerts[i].s = s;
}
/* Update the count */
@ -182,27 +188,6 @@ int PacketAlertAppend(DetectEngineThreadCtx *det_ctx, Signature *s, Packet *p, u
return 0;
}
/**
* \brief Fill the data of a tagged packet to be logged by unified
*/
int PacketAlertAppendTag(Packet *p, PacketAlert *pa)
{
pa->sid = TAG_SIG_ID;
pa->gid = TAG_SIG_GEN;
pa->num = TAG_SIG_ID;
pa->order_id = 1000;
pa->action = ACTION_ALERT;
pa->rev = 1;
pa->prio = 2;
pa->msg = NULL;
pa->class = 0;
pa->class_msg = NULL;
pa->references = NULL;
pa->alert_msg = NULL;
return 0;
}
/**
* \brief Check the threshold of the sigs that match, set actions, break on pass action
* This function iterate the packet alerts array, removing those that didn't match
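Review bot: PacketAlertAppend drops the old `gid > 1 ? s->gid : 1` normalisation in both branches and the loggers now read `pa->s->gid` directly, so a rule parsed without an explicit gid is logged with whatever `Signature.gid` holds instead of 1; alert-prelude's EventToReference even branches on `gid == 0`, so the output format changes for such rules. Unless the signature parser already guarantees `gid >= 1`, apply the default once at signature setup, or restore it here with `if (s->gid == 0) s->gid = 1;` before the entry is stored. `PacketAlertGetTag()` returns a non-const pointer to the static `g_tag_pa` that every output thread reads; returning `const PacketAlert *`, or at least documenting that callers must never write through or free it, would close that door. `PacketAlertTagInit` runs once from TmModuleDetectRegister and has no doc comment; a `/** must run before any output module sees a tagged packet; not thread-safe */` line would make the ordering explicit.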

@ -1,4 +1,4 @@
/* Copyright (C) 2007-2010 Open Information Security Foundation
/* Copyright (C) 2007-2011 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
@ -23,14 +23,16 @@
#ifndef __DETECT_ENGINE_ALERT_H__
#define __DETECT_ENGINE_ALERT_H__
#include "suricata-common.h"
#include "decode.h"
#include "detect.h"
void PacketAlertFinalize(DetectEngineCtx *, DetectEngineThreadCtx *, Packet *);
int PacketAlertAppend(DetectEngineThreadCtx *, Signature *, Packet *, uint8_t, /* (StreamMsg *) */void *);
int PacketAlertAppendTag(Packet *, PacketAlert *);
int PacketAlertCheck(Packet *, uint32_t);
int PacketAlertRemove(Packet *, uint16_t);
void PacketAlertTagInit(void);
PacketAlert *PacketAlertGetTag(void);
#endif /* __DETECT_ENGINE_ALERT_H__ */

@ -188,6 +188,8 @@ void TmModuleDetectRegister (void) {
tmm_modules[TMM_DETECT].ThreadDeinit = DetectThreadDeinit;
tmm_modules[TMM_DETECT].RegisterTests = SigRegisterTests;
tmm_modules[TMM_DETECT].cap_flags = 0;
PacketAlertTagInit();
}
void DetectExitPrintStats(ThreadVars *tv, void *data) {

@ -1,4 +1,4 @@
/* Copyright (C) 2007-2010 Open Information Security Foundation
/* Copyright (C) 2007-2011 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
@ -41,7 +41,6 @@
#include "detect-threshold.h"
#include "detect-mark.h"
//#include "detect-engine-tag.h"
#define COUNTER_DETECT_ALERTS 1
@ -433,6 +432,8 @@ typedef struct Signature_ {
/** inline -- action */
uint8_t action;
uint32_t id; /**< sid, set by the 'sid' rule keyword */
uint32_t gid; /**< generator id */
uint8_t rev;
/** classification id **/
@ -443,8 +444,6 @@ typedef struct Signature_ {
int prio;
uint32_t gid; /**< generator id */
uint32_t id; /**< sid, set by the 'sid' rule keyword */
char *msg;
/** classification message */
@ -1032,5 +1031,8 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx,
int SignatureIsIPOnly(DetectEngineCtx *de_ctx, Signature *s);
SigGroupHead *SigMatchSignaturesGetSgh(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p);
Signature *DetectGetTagSignature(void);
#endif /* __DETECT_H__ */
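Review bot: `Signature *DetectGetTagSignature(void);` is declared here but none of the hunks shown define it, and detect-engine-alert.c keeps `g_tag_signature` static and exposes it only through `PacketAlertGetTag()`; if no definition exists elsewhere this is a dangling prototype that fails at link time on first use. Either add the definition next to PacketAlertTagInit, e.g. `Signature *DetectGetTagSignature(void) { return &g_tag_signature; }`, or drop the declaration. Moving `id` and `gid` up next to `action` in `Signature_` changes the struct layout; that is harmless for code compiled together, but any test that initialises a `Signature` positionally rather than by field would need updating (the Unified2 tests memset and assign by name, which is safe).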

@ -442,7 +442,7 @@ int LogDropLogTest01()
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (p->alerts.cnt == 1 && (p->action & ACTION_DROP))
result = (strcmp(p->alerts.alerts[0].class_msg, "Unknown are we") == 0);
result = (strcmp(p->alerts.alerts[0].s->class_msg, "Unknown are we") == 0);
else
result = 0;
@ -510,7 +510,7 @@ int LogDropLogTest02()
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (p->alerts.cnt == 1 && p->alerts.alerts[0].action != ACTION_DROP)
result = (strcmp(p->alerts.alerts[0].class_msg, "Unknown are we") == 0);
result = (strcmp(p->alerts.alerts[0].s->class_msg, "Unknown are we") == 0);
else
result = 0;
