diff --git a/src/Makefile.am b/src/Makefile.am index 1b2c56bd8d..a494c6859b 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -188,6 +188,7 @@ util-ringbuffer.c util-ringbuffer.h \ util-validate.h util-affinity.h util-affinity.c \ util-memcmp.c util-memcmp.h \ util-proto-name.c util-proto-name.h \ +util-syslog.c util-syslog.h \ tm-modules.c tm-modules.h \ tm-queues.c tm-queues.h \ tm-queuehandlers.c tm-queuehandlers.h \ @@ -203,6 +204,7 @@ alert-prelude.c alert-prelude.h \ alert-unified-log.c alert-unified-log.h \ alert-unified-alert.c alert-unified-alert.h \ alert-unified2-alert.c alert-unified2-alert.h \ +alert-syslog.c alert-syslog.h \ log-httplog.c log-httplog.h \ stream.c stream.h \ stream-tcp.c stream-tcp.h stream-tcp-private.h \ diff --git a/src/alert-syslog.c b/src/alert-syslog.c new file mode 100644 index 0000000000..f94470ec99 --- /dev/null +++ b/src/alert-syslog.c @@ -0,0 +1,407 @@ +/* Copyright (C) 2007-2010 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Gurvinder Singh + * + * Logs alerts in a line based text format in to syslog. + * + */ + +#include "suricata-common.h" +#include "debug.h" +#include "flow.h" +#include "conf.h" + +#include "threads.h" +#include "tm-threads.h" +#include "threadvars.h" +#include "tm-modules.h" + +#include "detect.h" +#include "detect-parse.h" +#include "detect-engine.h" +#include "detect-engine-mpm.h" +#include "detect-reference.h" + +#include "output.h" +#include "alert-syslog.h" + +#include "util-classification-config.h" +#include "util-debug.h" +#include "util-print.h" +#include "util-proto-name.h" +#include "util-syslog.h" + +#define DEFAULT_ALERT_SYSLOG_FACILITY_STR "local0" +#define DEFAULT_ALERT_SYSLOG_FACILITY LOG_LOCAL0 +#define DEFAULT_ALERT_SYSLOG_LEVEL LOG_ERR +#define MODULE_NAME "AlertSyslog" + +typedef struct AlertSyslogThread_ { + /** LogFileCtx has the pointer to the file and a mutex to allow multithreading */ + LogFileCtx* file_ctx; +} AlertSyslogThread; + +TmEcode AlertSyslog (ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *); +TmEcode AlertSyslogIPv4(ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *); +TmEcode AlertSyslogIPv6(ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *); +TmEcode AlertSyslogThreadInit(ThreadVars *, void *, void **); +TmEcode AlertSyslogThreadDeinit(ThreadVars *, void *); +void AlertSyslogExitPrintStats(ThreadVars *, void *); +void AlertSyslogRegisterTests(void); +OutputCtx *AlertSyslogInitCtx(ConfNode *); +static void AlertSyslogDeInitCtx(OutputCtx *); + +/** \brief Function to register the AlertSyslog module */ +void TmModuleAlertSyslogRegister (void) { + tmm_modules[TMM_ALERTSYSLOG].name = MODULE_NAME; + tmm_modules[TMM_ALERTSYSLOG].ThreadInit = AlertSyslogThreadInit; + tmm_modules[TMM_ALERTSYSLOG].Func = AlertSyslog; + tmm_modules[TMM_ALERTSYSLOG].ThreadExitPrintStats = AlertSyslogExitPrintStats; + tmm_modules[TMM_ALERTSYSLOG].ThreadDeinit = AlertSyslogThreadDeinit; + tmm_modules[TMM_ALERTSYSLOG].RegisterTests = NULL; + tmm_modules[TMM_ALERTSYSLOG].cap_flags = 0; + + OutputRegisterModule(MODULE_NAME, "syslog", AlertSyslogInitCtx); +} + +/** \brief Function to register the AlertSyslog module for IPv4 */ +void TmModuleAlertSyslogIPv4Register (void) { + tmm_modules[TMM_ALERTSYSLOG4].name = "AlertSyslogIPv4"; + tmm_modules[TMM_ALERTSYSLOG4].ThreadInit = AlertSyslogThreadInit; + tmm_modules[TMM_ALERTSYSLOG4].Func = AlertSyslogIPv4; + tmm_modules[TMM_ALERTSYSLOG4].ThreadExitPrintStats = AlertSyslogExitPrintStats; + tmm_modules[TMM_ALERTSYSLOG4].ThreadDeinit = AlertSyslogThreadDeinit; + tmm_modules[TMM_ALERTSYSLOG4].RegisterTests = NULL; +} + +/** \brief Function to register the AlertSyslog module for IPv6 */ +void TmModuleAlertSyslogIPv6Register (void) { + tmm_modules[TMM_ALERTSYSLOG6].name = "AlertSyslogIPv6"; + tmm_modules[TMM_ALERTSYSLOG6].ThreadInit = AlertSyslogThreadInit; + tmm_modules[TMM_ALERTSYSLOG6].Func = AlertSyslogIPv6; + tmm_modules[TMM_ALERTSYSLOG6].ThreadExitPrintStats = AlertSyslogExitPrintStats; + tmm_modules[TMM_ALERTSYSLOG6].ThreadDeinit = AlertSyslogThreadDeinit; + tmm_modules[TMM_ALERTSYSLOG6].RegisterTests = NULL; +} + +/** + * \brief Create a new LogFileCtx for "syslog" output style. + * + * \param conf The configuration node for this output. + * \return A OutputCtx pointer on success, NULL on failure. + */ +OutputCtx *AlertSyslogInitCtx(ConfNode *conf) +{ + const char *enabled = ConfNodeLookupChildValue(conf, "enabled"); + if (enabled != NULL && strncmp(enabled, "no", 2) == 0) { + SCLogDebug("alert-syslog module has been disabled"); + return NULL; + } + + const char *facility_s = ConfNodeLookupChildValue(conf, "facility"); + if (facility_s == NULL) { + facility_s = DEFAULT_ALERT_SYSLOG_FACILITY_STR; + } + + LogFileCtx *logfile_ctx = LogFileNewCtx(); + if (logfile_ctx == NULL) { + SCLogDebug("AlertSyslogInitCtx: Could not create new LogFileCtx"); + return NULL; + } + + int facility = SCMapEnumNameToValue(facility_s, SCGetFacilityMap()); + if (facility == -1) { + SCLogWarning(SC_ERR_INVALID_ARGUMENT, "Invalid syslog facility: \"%s\"," + " now using \"%s\" as syslog facility", facility_s, + DEFAULT_ALERT_SYSLOG_FACILITY_STR); + facility = DEFAULT_ALERT_SYSLOG_FACILITY; + } + + openlog(NULL, LOG_NDELAY, facility); + + OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx)); + if (output_ctx == NULL) { + SCLogDebug("AlertSyslogInitCtx: Could not create new OutputCtx"); + return NULL; + } + + output_ctx->data = logfile_ctx; + output_ctx->DeInit = AlertSyslogDeInitCtx; + + SCLogInfo("Syslog output initialized"); + + return output_ctx; +} + +/** + * \brief Function to clear the memory of the output context and closes the + * syslog interface + * + * \param output_ctx pointer to the output context to be cleared + */ +static void AlertSyslogDeInitCtx(OutputCtx *output_ctx) +{ + if (output_ctx != NULL) { + LogFileCtx *logfile_ctx = (LogFileCtx *)output_ctx->data; + LogFileFreeCtx(logfile_ctx); + free(output_ctx); + } + closelog(); +} + +/** + * \brief Function to initialize the AlertSystlogThread and sets the output + * context pointer + * + * \param tv Pointer to the threadvars + * \param initdata Pointer to the output context + * \param data pointer to pointer to point to the AlertSyslogThread + */ +TmEcode AlertSyslogThreadInit(ThreadVars *t, void *initdata, void **data) +{ + AlertSyslogThread *ast = SCMalloc(sizeof(AlertSyslogThread)); + if (ast == NULL) + return TM_ECODE_FAILED; + + memset(ast, 0, sizeof(AlertSyslogThread)); + if(initdata == NULL) + { + SCLogDebug("Error getting context for AlertSyslog. \"initdata\" " + "argument NULL"); + SCFree(ast); + return TM_ECODE_FAILED; + } + /** Use the Ouptut Context (file pointer and mutex) */ + ast->file_ctx = ((OutputCtx *)initdata)->data; + + *data = (void *)ast; + return TM_ECODE_OK; +} + +/** + * \brief Function to deinitialize the AlertSystlogThread + * + * \param tv Pointer to the threadvars + * \param data pointer to the AlertSyslogThread to be cleared + */ +TmEcode AlertSyslogThreadDeinit(ThreadVars *t, void *data) +{ + AlertSyslogThread *ast = (AlertSyslogThread *)data; + if (ast == NULL) { + return TM_ECODE_OK; + } + + /* clear memory */ + memset(ast, 0, sizeof(AlertSyslogThread)); + + SCFree(ast); + return TM_ECODE_OK; +} + +/** + * \brief Function which is called to print the IPv4 alerts to the syslog + * + * \param tv Pointer to the threadvars + * \param p Pointer to the packet + * \param data pointer to the AlertSyslogThread + * \param pq pointer the to packet queue + * \param postpq pointer to the post processed packet queue + * + * \return On succes return TM_ECODE_OK + */ +TmEcode AlertSyslogIPv4(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, + PacketQueue *postpq) +{ + AlertSyslogThread *ast = (AlertSyslogThread *)data; + int i; + + if (p->alerts.cnt == 0) + return TM_ECODE_OK; + + SCMutexLock(&ast->file_ctx->fp_mutex); + + ast->file_ctx->alerts += p->alerts.cnt; + + for (i = 0; i < p->alerts.cnt; i++) { + PacketAlert *pa = &p->alerts.alerts[i]; + + char srcip[16], dstip[16]; + + inet_ntop(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip)); + inet_ntop(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip)); + + if (SCProtoNameValid(IPV4_GET_IPPROTO(p)) == TRUE) { + syslog(DEFAULT_ALERT_SYSLOG_LEVEL, "[%" PRIu32 ":%" PRIu32 ":%" + PRIu32 "] %s [Classification: %s] [Priority: %"PRIu32"]" + " {%s} %s:%" PRIu32 " -> %s:%" PRIu32 "", pa->gid, pa->sid, + pa->rev, pa->msg, pa->class_msg, pa->prio, + known_proto[IPV4_GET_IPPROTO(p)], srcip, p->sp, dstip, p->dp); + } else { + syslog(DEFAULT_ALERT_SYSLOG_LEVEL, "[%" PRIu32 ":%" PRIu32 ":%" + PRIu32 "] %s [Classification: %s] [Priority: %"PRIu32"]" + " {PROTO:%03" PRIu32 "} %s:%" PRIu32 " -> %s:%" PRIu32 "", + pa->gid, pa->sid, pa->rev, pa->msg, pa->class_msg, pa->prio, + IPV4_GET_IPPROTO(p), srcip, p->sp, dstip, p->dp); + } + } + SCMutexUnlock(&ast->file_ctx->fp_mutex); + + return TM_ECODE_OK; +} + +/** + * \brief Function which is called to print the IPv6 alerts to the syslog + * + * \param tv Pointer to the threadvars + * \param p Pointer to the packet + * \param data pointer to the AlertSyslogThread + * \param pq pointer the to packet queue + * \param postpq pointer to the post processed packet queue + * + * \return On succes return TM_ECODE_OK + */ +TmEcode AlertSyslogIPv6(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, + PacketQueue *postpq) +{ + AlertSyslogThread *ast = (AlertSyslogThread *)data; + int i; + + if (p->alerts.cnt == 0) + return TM_ECODE_OK; + + SCMutexLock(&ast->file_ctx->fp_mutex); + + ast->file_ctx->alerts += p->alerts.cnt; + + for (i = 0; i < p->alerts.cnt; i++) { + PacketAlert *pa = &p->alerts.alerts[i]; + char srcip[46], dstip[46]; + + inet_ntop(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip)); + inet_ntop(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip)); + + if (SCProtoNameValid(IPV6_GET_L4PROTO(p)) == TRUE) { + syslog(DEFAULT_ALERT_SYSLOG_LEVEL, "[%" PRIu32 ":%" PRIu32 ":%" + "" PRIu32 "] %s [Classification: %s] [Priority: %" + "" PRIu32 "] {%s} %s:%" PRIu32 " -> %s:%" PRIu32 "", + pa->gid, pa->sid, pa->rev, pa->msg, pa->class_msg, + pa->prio, known_proto[IPV6_GET_L4PROTO(p)], srcip, p->sp, + dstip, p->dp); + + } else { + syslog(DEFAULT_ALERT_SYSLOG_LEVEL, "[%" PRIu32 ":%" PRIu32 ":%" + "" PRIu32 "] %s [Classification: %s] [Priority: %" + "" PRIu32 "] {PROTO:%03" PRIu32 "} %s:%" PRIu32 " -> %s:%" PRIu32 "", + pa->gid, pa->sid, pa->rev, pa->msg, pa->class_msg, + pa->prio, IPV6_GET_L4PROTO(p), srcip, p->sp, dstip, p->dp); + } + + } + SCMutexUnlock(&ast->file_ctx->fp_mutex); + + return TM_ECODE_OK; +} + +/** + * \brief Function which is called to print the decode alerts to the syslog + * + * \param tv Pointer to the threadvars + * \param p Pointer to the packet + * \param data pointer to the AlertSyslogThread + * \param pq pointer the to packet queue + * \param postpq pointer to the post processed packet queue + * + * \return On succes return TM_ECODE_OK + */ +TmEcode AlertSyslogDecoderEvent(ThreadVars *tv, Packet *p, void *data, + PacketQueue *pq, PacketQueue *postpq) +{ + AlertSyslogThread *ast = (AlertSyslogThread *)data; + int i; + + if (p->alerts.cnt == 0) + return TM_ECODE_OK; + + SCMutexLock(&ast->file_ctx->fp_mutex); + + ast->file_ctx->alerts += p->alerts.cnt; + char temp_buf[2048]; + + for (i = 0; i < p->alerts.cnt; i++) { + PacketAlert *pa = &p->alerts.alerts[i]; + + syslog(DEFAULT_ALERT_SYSLOG_LEVEL, "[%" PRIu32 ":%" PRIu32 ":%" PRIu32 "]" + " %s [Classification: %s] [Priority: %" PRIu32 "] [**] [Raw pkt: ", + pa->gid, pa->sid, pa->rev, pa->msg, pa->class_msg, pa->prio); + + PrintRawLineHexBuf(temp_buf, p->pkt, p->pktlen < 32 ? p->pktlen : 32); + syslog(DEFAULT_ALERT_SYSLOG_LEVEL, "%s", temp_buf); + + if (p->pcap_cnt != 0) { + syslog(DEFAULT_ALERT_SYSLOG_LEVEL, "] [pcap file packet: %"PRIu64"]", + p->pcap_cnt); + } + + } + SCMutexUnlock(&ast->file_ctx->fp_mutex); + + return TM_ECODE_OK; +} + +/** + * \brief Function which is called to print the alerts to the syslog + * + * \param tv Pointer to the threadvars + * \param p Pointer to the packet + * \param data pointer to the AlertSyslogThread + * \param pq pointer the to packet queue + * \param postpq pointer to the post processed packet queue + * + * \return On succes return TM_ECODE_OK + */ +TmEcode AlertSyslog (ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, + PacketQueue *postpq) +{ + if (PKT_IS_IPV4(p)) { + return AlertSyslogIPv4(tv, p, data, pq, postpq); + } else if (PKT_IS_IPV6(p)) { + return AlertSyslogIPv6(tv, p, data, pq, postpq); + } else if (p->events.cnt > 0) { + return AlertSyslogDecoderEvent(tv, p, data, pq, postpq); + } + + return TM_ECODE_OK; +} + +/** + * \brief Function to print the total alert while closing the engine + * + * \param tv Pointer to the output threadvars + * \param data Pointer to the AlertSyslogThread data + */ +void AlertSyslogExitPrintStats(ThreadVars *tv, void *data) { + AlertSyslogThread *ast = (AlertSyslogThread *)data; + if (ast == NULL) { + return; + } + + SCLogInfo("(%s) Alerts %" PRIu64 "", tv->name, ast->file_ctx->alerts); +} \ No newline at end of file diff --git a/src/alert-syslog.h b/src/alert-syslog.h new file mode 100644 index 0000000000..440009c742 --- /dev/null +++ b/src/alert-syslog.h @@ -0,0 +1,34 @@ +/* Copyright (C) 2007-2010 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Gurvinder Singh + * + * alert syslog modeule header file + * + */ + +#ifndef ALERT_SYSLOG_H +#define ALERT_SYSLOG_H + +void TmModuleAlertSyslogRegister (void); +void TmModuleAlertSyslogIPv4Register (void); +void TmModuleAlertSyslogIPv6Register (void); + +#endif /* ALERT_SYSLOG_H */ diff --git a/src/suricata.c b/src/suricata.c index e01fce2c24..a318e27bff 100644 --- a/src/suricata.c +++ b/src/suricata.c @@ -79,6 +79,7 @@ #include "alert-unified2-alert.h" #include "alert-debuglog.h" #include "alert-prelude.h" +#include "alert-syslog.h" #include "log-httplog.h" @@ -918,9 +919,12 @@ int main(int argc, char **argv) TmModuleRespondRejectRegister(); TmModuleAlertFastLogIPv4Register(); TmModuleAlertFastLogIPv6Register(); + TmModuleAlertSyslogIPv4Register(); + TmModuleAlertSyslogIPv6Register(); TmModuleAlertUnifiedLogRegister(); TmModuleAlertUnifiedAlertRegister(); TmModuleUnified2AlertRegister(); + TmModuleAlertSyslogRegister(); TmModuleStreamTcpRegister(); TmModuleLogHttpLogRegister(); TmModuleLogHttpLogIPv4Register(); diff --git a/src/tm-modules.h b/src/tm-modules.h index 817497a871..1829533d3e 100644 --- a/src/tm-modules.h +++ b/src/tm-modules.h @@ -68,6 +68,9 @@ enum { TMM_ALERTUNIFIED2ALERT, TMM_ALERTPRELUDE, TMM_ALERTDEBUGLOG, + TMM_ALERTSYSLOG, + TMM_ALERTSYSLOG4, + TMM_ALERTSYSLOG6, TMM_RESPONDREJECT, TMM_LOGHTTPLOG, TMM_LOGHTTPLOG4, diff --git a/src/util-debug.c b/src/util-debug.c index c82457ad54..c55b5ba39b 100644 --- a/src/util-debug.c +++ b/src/util-debug.c @@ -41,6 +41,7 @@ #include "tm-threads.h" #include "util-unittest.h" +#include "util-syslog.h" #include "conf.h" @@ -67,32 +68,6 @@ SCEnumCharMap sc_log_op_iface_map[ ] = { { NULL, -1 } }; -/* holds the string-enum mapping for the syslog facility in SCLogOPIfaceCtx */ -SCEnumCharMap sc_syslog_facility_map[] = { - { "auth", LOG_AUTH }, - { "authpriv", LOG_AUTHPRIV }, - { "cron", LOG_CRON }, - { "daemon", LOG_DAEMON }, - { "ftp", LOG_FTP }, - { "kern", LOG_KERN }, - { "lpr", LOG_LPR }, - { "mail", LOG_MAIL }, - { "news", LOG_NEWS }, - { "security", LOG_AUTH }, - { "syslog", LOG_SYSLOG }, - { "user", LOG_USER }, - { "uucp", LOG_UUCP }, - { "local0", LOG_LOCAL0 }, - { "local1", LOG_LOCAL1 }, - { "local2", LOG_LOCAL2 }, - { "local3", LOG_LOCAL3 }, - { "local4", LOG_LOCAL4 }, - { "local5", LOG_LOCAL5 }, - { "local6", LOG_LOCAL6 }, - { "local7", LOG_LOCAL7 }, - { NULL, -1 } -}; - #if defined (OS_WIN32) /** * \brief Used for synchronous output on WIN32 @@ -882,7 +857,7 @@ static inline void SCLogSetOPIface(SCLogInitData *sc_lid, SCLogConfig *sc_lc) if (s == NULL) s = SC_LOG_DEF_SYSLOG_FACILITY_STR; - op_ifaces_ctx = SCLogInitSyslogOPIface(SCMapEnumNameToValue(s, sc_syslog_facility_map), NULL, -1); + op_ifaces_ctx = SCLogInitSyslogOPIface(SCMapEnumNameToValue(s, SCGetFacilityMap()), NULL, -1); break; default: break; @@ -1072,7 +1047,7 @@ SCLogOPIfaceCtx *SCLogInitOPIfaceCtx(const char *iface_name, case SC_LOG_OP_IFACE_FILE: return SCLogInitFileOPIface(arg, log_format, log_level); case SC_LOG_OP_IFACE_SYSLOG: - return SCLogInitSyslogOPIface(SCMapEnumNameToValue(arg, sc_syslog_facility_map), log_format, log_level); + return SCLogInitSyslogOPIface(SCMapEnumNameToValue(arg, SCGetFacilityMap()), log_format, log_level); default: #ifdef DEBUG printf("Output Interface \"%s\" not supported by the logging module", @@ -1208,12 +1183,12 @@ void SCLogLoadConfig(void) const char *facility_s = ConfNodeLookupChildValue(output, "facility"); if (facility_s != NULL) { - facility = SCMapEnumNameToValue(facility_s, - sc_syslog_facility_map); + facility = SCMapEnumNameToValue(facility_s, SCGetFacilityMap()); if (facility == -1) { - SCLogError(SC_ERR_INVALID_ARGUMENT, - "Invalid syslog facility: %s", facility_s); - exit(EXIT_FAILURE); + SCLogWarning(SC_ERR_INVALID_ARGUMENT, "Invalid syslog " + "facility: \"%s\", now using \"%s\" as syslog " + "facility", facility_s, SC_LOG_DEF_SYSLOG_FACILITY_STR); + facility = SC_LOG_DEF_SYSLOG_FACILITY; } } printf("Initialization syslog logging with format \"%s\".\n", @@ -1295,7 +1270,7 @@ void SCLogInitLogModuleIfEnvSet(void) if (s == NULL) s = SC_LOG_DEF_SYSLOG_FACILITY_STR; - op_ifaces_ctx = SCLogInitSyslogOPIface(SCMapEnumNameToValue(s, sc_syslog_facility_map), NULL, -1); + op_ifaces_ctx = SCLogInitSyslogOPIface(SCMapEnumNameToValue(s, SCGetFacilityMap()), NULL, -1); break; default: break; diff --git a/src/util-debug.h b/src/util-debug.h index c3ec3e0a03..d3631fda2a 100644 --- a/src/util-debug.h +++ b/src/util-debug.h @@ -29,6 +29,7 @@ #include "util-error.h" #include "pcre.h" #include "util-debug-filters.h" +#include "syslog.h" #ifndef __UTIL_DEBUG_H__ #define __UTIL_DEBUG_H__ diff --git a/src/util-print.c b/src/util-print.c index 40357b477f..d49125cc91 100644 --- a/src/util-print.c +++ b/src/util-print.c @@ -49,6 +49,26 @@ void PrintRawLineHexFp(FILE *fp, uint8_t *buf, uint32_t buflen) fprintf(fp, "%s", nbuf); } +/** + * \brief print a buffer as hex on a single line in to retbuf buffer + * + * Prints in the format "00 AA BB" + * + * \param retbuf pointer to the buffer which will have the result + * \param buf buffer to print from + * \param buflen length of the input buffer + */ +void PrintRawLineHexBuf(char *retbuf, uint8_t *buf, uint32_t buflen) +{ + char temp[5] = ""; + uint32_t u = 0; + + for (u = 0; u < buflen; u++) { + snprintf(temp, sizeof(temp), "%02X ", buf[u]); + strlcat(retbuf, temp, sizeof(retbuf)); + } +} + void PrintRawUriFp(FILE *fp, uint8_t *buf, uint32_t buflen) { char nbuf[2048] = ""; diff --git a/src/util-print.h b/src/util-print.h index 94e6d807be..5eb99d30dc 100644 --- a/src/util-print.h +++ b/src/util-print.h @@ -27,6 +27,7 @@ void PrintRawLineHexFp(FILE *, uint8_t *, uint32_t); void PrintRawUriFp(FILE *, uint8_t *, uint32_t); void PrintRawDataFp(FILE *, uint8_t *, uint32_t); +void PrintRawLineHexBuf(char *, uint8_t *, uint32_t ); #endif /* __UTIL_PRINT_H__ */ diff --git a/src/util-syslog.c b/src/util-syslog.c new file mode 100644 index 0000000000..ff6148c785 --- /dev/null +++ b/src/util-syslog.c @@ -0,0 +1,58 @@ +/* Copyright (C) 2007-2010 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Gurvinder Singh + * + * Syslog utility file + * + */ + +#include "suricata-common.h" + +/* holds the string-enum mapping for the syslog facility in SCLogOPIfaceCtx */ +SCEnumCharMap sc_syslog_facility_map[] = { + { "auth", LOG_AUTH }, + { "authpriv", LOG_AUTHPRIV }, + { "cron", LOG_CRON }, + { "daemon", LOG_DAEMON }, + { "ftp", LOG_FTP }, + { "kern", LOG_KERN }, + { "lpr", LOG_LPR }, + { "mail", LOG_MAIL }, + { "news", LOG_NEWS }, + { "security", LOG_AUTH }, + { "syslog", LOG_SYSLOG }, + { "user", LOG_USER }, + { "uucp", LOG_UUCP }, + { "local0", LOG_LOCAL0 }, + { "local1", LOG_LOCAL1 }, + { "local2", LOG_LOCAL2 }, + { "local3", LOG_LOCAL3 }, + { "local4", LOG_LOCAL4 }, + { "local5", LOG_LOCAL5 }, + { "local6", LOG_LOCAL6 }, + { "local7", LOG_LOCAL7 }, + { NULL, -1 } +}; + +/** \brief returns the syslog facility enum map */ +SCEnumCharMap *SCGetFacilityMap() { + return sc_syslog_facility_map; +} diff --git a/src/util-syslog.h b/src/util-syslog.h new file mode 100644 index 0000000000..ae7d0b7e55 --- /dev/null +++ b/src/util-syslog.h @@ -0,0 +1,30 @@ +/* Copyright (C) 2007-2010 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Gurvinder Singh + * + */ + +#ifndef UTIL_SYSLOG_H +#define UTIL_SYSLOG_H + +SCEnumCharMap *SCGetFacilityMap(void); + +#endif /* UTIL_SYSLOG_H */ diff --git a/suricata.yaml b/suricata.yaml index 8df7e84598..9b658f5923 100644 --- a/suricata.yaml +++ b/suricata.yaml @@ -96,6 +96,11 @@ outputs: filename: stats.log interval: 8 + # a line based alerts log similar to fast.log into syslog + - syslog: + enabled: no + facility: local5 + # When running in NFQ inline mode, it is possible to use a simulated # non-terminal NFQUEUE verdict. # This permit to do send all needed packet to suricata via this a rule: