Commit Graph

4793 Commits (c36a8d30e5e6de74cae30eb4dc8c1b178a495d72)
 

Author SHA1 Message Date
Victor Julien c36a8d30e5 threading: add utility to get module id from name
Add TmModuleGetIdByName to go from module name to id directly.
12 years ago
Victor Julien 8a735a9b90 profiling: add sample-rate yaml option
Add option "profiling.sample-rate":

  # Run profiling for every xth packet. The default is 1, which means we
  # profile every packet. If set to 1000, one packet is profiled for every
  # 1000 received.
  #sample-rate: 1000

This allows for configuration of the sample rate.
12 years ago
Victor Julien 2c3a92a1c9 profiling: conditional rule profiling
Add support for conditional rule profiling. Currently only simple
rate limiting is supported, but hardcoded to inspecting rules for
each packet.
12 years ago
Victor Julien 13d491f577 profiling: lower overhead when disabled
Instead of a large (6k+) structure in the Packet, make the profiling
storage dynamic. To do this the Packet->profile is now a pointer.

Initial support for selective sampling, e.g. only profile every
1000th packet.
12 years ago
Eric Leblond c2fcf329f0 tls: fix negated match
A negated match is matching if the tested field is NULL. But as it
is not set, nor negated nor normal test must match.

Without this patch, a rule like:
 alert tls any any -> any any (msg:"negated match"; tls.subject:!"CN=home.regit.org"; sid:1; rev:1;)
is alerting for all connections. Event if they are done on a certificate
with matching subject. This was due to the fact that tls protocol
is discovered before the handshake is complete. Thus the condition
on tls is true with a NULL tls.subject. And code was returning a
positive match in the case of a NULL subject and a signature with
a negated match.
12 years ago
Victor Julien 385c04164b Updated banned function cocci check
Added: strndup and strchrnul

Both are not supported on OS X 10.6. It's rather old, but it's the
only Mac QA box I have, so for now it'll have to do.
12 years ago
Victor Julien 717c271e58 Replace strchrnul with strchr
And add a null check then of course. strchrnul isn't supported on
all platforms.
12 years ago
Victor Julien 1e4421a7d4 Remove SCStrndup
Removed strndup wrapper as it's not available in all plaforms.
12 years ago
Victor Julien 74fb60c010 Replace remaining SCStrndup calls
Replace them with BytesToString().
12 years ago
Victor Julien c07f5397f4 Introduce BytesToString utility
Introduce a utility function to convert an array of bytes into a
null-terminated string:

 char *BytesToString(const uint8_t *bytes, size_t nbytes);

All non-printables are copied over, except for '\0', which is
turned into literal '\' '0' in the string. So the resulting string
may be bigger than the input.
12 years ago
Victor Julien 2b60871bf1 json loggers: dup bstr with bstr_util_strdup_to_c
In various places SCStrndup was used to 'dup' a bstr string, however
libhtp provides bstr_util_strdup_to_c for this. As this is a cleaner
interface, it's preferred.
12 years ago
Victor Julien 0032ad34d4 stream: yaml addition for recent config options 12 years ago
Victor Julien 0cf71befbb util-host-os-info: scan-build fix
util-host-os-info.c:202:13: warning: Potential leak of memory pointed to by 'user_data'
            SCLogError(SC_ERR_INVALID_IPV6_ADDR, "Invalid IPV6 address inside");
            ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./util-debug.h:278:35: note: expanded from macro 'SCLogError'
 #define SCLogError(err_code, ...) SCLogErr(SC_LOG_ERROR, err_code, \
                                  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./util-debug.h:214:82: note: expanded from macro 'SCLogErr'
                                  char _sc_log_err_msg[SC_LOG_MAX_LOG_MSG_LEN] = ""; \
                                                                                 ^~
1 warning generated.
12 years ago
Victor Julien a6474bd6bf util-host-os-info: scan build fixes
util-host-os-info.c:200:13: warning: Potential leak of memory pointed to by 'ip_str'
            SCLogError(SC_ERR_INVALID_IPV6_ADDR, "Invalid IPV6 address inside");
            ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./util-debug.h:278:35: note: expanded from macro 'SCLogError'
 #define SCLogError(err_code, ...) SCLogErr(SC_LOG_ERROR, err_code, \
                                  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./util-debug.h:214:82: note: expanded from macro 'SCLogErr'
                                  char _sc_log_err_msg[SC_LOG_MAX_LOG_MSG_LEN] = ""; \
                                                                                 ^~
util-host-os-info.c:200:13: warning: Potential leak of memory pointed to by 'user_data'
            SCLogError(SC_ERR_INVALID_IPV6_ADDR, "Invalid IPV6 address inside");
            ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./util-debug.h:278:35: note: expanded from macro 'SCLogError'
 #define SCLogError(err_code, ...) SCLogErr(SC_LOG_ERROR, err_code, \
                                  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./util-debug.h:214:82: note: expanded from macro 'SCLogErr'
                                  char _sc_log_err_msg[SC_LOG_MAX_LOG_MSG_LEN] = ""; \
                                                                                 ^~
2 warnings generated.
12 years ago
Victor Julien 9ef9a14315 Fix util-debug scan-build warnings
util-debug.c:461:12: warning: Potential leak of memory pointed to by 'substr'
    return SC_ERR_SPRINTF;
           ^~~~~~~~~~~~~~
util-debug.c:856:31: warning: Potential leak of memory pointed to by 's'
                op_ifaces_ctx = SCLogInitFileOPIface(s, NULL, SC_LOG_LEVEL_MAX);
                ~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
util-debug.c:1349:9: warning: Potential leak of memory pointed to by 's'
    if (log_level >= 0 && log_level < SC_LOG_LEVEL_MAX)
        ^~~~~~~~~
3 warnings generated.
12 years ago
Eric Leblond 0189b4d1eb json file: separate http params
This patch separates http keys from file to have a different value
list:

{
 "time":"01\/31\/2014-12:04:52.837245","event_type":"file","src_ip":"5.3.1.1","src_port":80,"dest_ip":"1.8.1.9","dest_port":9539,"proto":"TCP",
 "http":{"url":"/foo/","hostname":"bar.com","http_refer":"http:\/\/bar.org","http_user_agent":"Mozilla\/5.0"},
 "file":{"filename":"bar","magic":"unknown","state":"CLOSED","stored":false,"size":21}
}

One interest of this modification is that it is possible to use the
same key as the one used in http events. Thus correlating both type
of events is trivial. On code side, this will permit to factorize
the code by simply asking the underlying protocol to output its
info in a json object.

Second interest is that adding file extraction for a new protocol
will result in only changing the protocol specific json list.
12 years ago
Eric Leblond 6fd9b4b255 json: add event_type key
This patch adds an event_type key to the generated events. Current
value is one of "dns", "alert, "file", "tls", "http", "drop". It is
then easy to differentiate in log analysis tools the events based on
source inside Suricata.
12 years ago
Eric Leblond 93a84180dc json dns: do not use array to output answer
Without this patch DNS answers for a single query are stored in a
single json event. The result is an array in the object like this one:
 {"type":"answer","id":45084,"rrname":"s-static.ak.facebook.com","rrtype":"CNAME","ttl":734},
 {"type":"answer","id":45084,"rrname":"s-static.ak.facebook.com.edgekey.net","rrtype":"CNAME","ttl":1710},
This type of output is not well supported in logstash. It is
displayed as it is written above and it is not possible to
query the fields.

I think the reason is that this is not logical if we consider search
query. For example if we search for "rrname" equal "s-static.ak.facebook.com"
we got one entry with two values in it. That's against the logic
of event. Furthermore, if we want to get a complete query, we can
used the id.

This patch splits the answer part in mulitple message. The result
is then accepted by logstash and fields can be queried easily.
12 years ago
Eric Leblond eab0b7fae9 json-dns: sync field names with draft rfc2629
This patch updates DNS field name to be in sync with RFC 2629:
 https://github.com/adulau/pdns-qof
This will allow to easily use Suricata with other passive DNS tools.
12 years ago
Eric Leblond 7a9efd74e4 json: sync key name with CIM
This patch is synchronizing key name with Common Information Model.
It updates key name following what is proposed in:
 http://docs.splunk.com/Documentation/PCI/2.0/DataSource/CommonInformationModelFieldReference
The interest of these modifications is that using the same key name
as other software will provide an easy to correlate and improve
data. For example, geoip setting in logstash can be applied on
all src_ip fields allowing geoip tagging of data.
12 years ago
Victor Julien 31a024c9b5 Various fixes for scan-build warnings 12 years ago
Victor Julien cd7a5ff0ca output: cleanups
Preparation of making output type for json logs configurable.
12 years ago
Victor Julien efd4c42c0a json tls log: rename to output-json-tls 12 years ago
Victor Julien 9950427466 output: check for multiple instances of drop and tls
Both the drop and tls logs are currently not designed to have multiple
instances running. So until that is changed, error out if more than one
instance is started.
12 years ago
Victor Julien 870bb23ff6 json drop log: rename to output-json-drop 12 years ago
Victor Julien 6cecb4e4d2 json dns: rename output-dnslog -> output-json-dns 12 years ago
Victor Julien 5874f52ec6 json: rename output-httplog -> output-json-http 12 years ago
Victor Julien b5ef269b03 json outputs: cleanups
Clean up header files and improve memory handling.
12 years ago
Victor Julien 3fc63d3656 jansson file log: make file log module
Turn the libjansson based file logger into a file module, as a child
of eve-log.
12 years ago
Victor Julien 039f7b3e5f tls json: turn into packet logger
Like log-tls, turn the json tls logger into a packet logger as the
protocol parser is not tx aware.

Make it a child of eve-log as well.
12 years ago
Victor Julien a9eab06593 output: simple name space support for sub modules
To avoid module name clashes, a submode abc of parent xyz, will now
register itself as xyz.abc.
12 years ago
Victor Julien 3a794f7a63 drop-json: make child of eve-log
Make drop json child of eve-log.
12 years ago
Victor Julien f0aa2ed240 json drop log: move into packet module
Move JSON drop log into a full packet module.
12 years ago
Victor Julien 4bd37cc46a log api: use AppProto instead of uint16_t 12 years ago
Victor Julien 52c3d3ad7c log api: convert all names to const
Instead of strdupping all names w/o a need, use const ptrs.
12 years ago
Victor Julien 85335d9cbe alert json: make child of eve-log
Enable alert json for eve-log by registering the module as a sub-
module of eve-log.
12 years ago
Victor Julien 42858647e2 alert-json: make full module out of json alert
Make a full module out of the json alert code in output-json-alert.[ch].
12 years ago
Victor Julien 79771ff570 output: sub-module support for other log api's
Packets:
void OutputRegisterPacketSubModule(const char *parent_name, char *name, char *conf_name,
    OutputCtx *(*InitFunc)(ConfNode *, OutputCtx *),
    PacketLogger LogFunc, PacketLogCondition ConditionFunc);

Files:
void OutputRegisterFileSubModule(const char *parent_name, char *name, char *conf_name,
    OutputCtx *(*InitFunc)(ConfNode *, OutputCtx *), FileLogger FileLogFunc);

Filedata:
void OutputRegisterFiledataSubModule(const char *parent_name, char *name, char *conf_name,
    OutputCtx *(*InitFunc)(ConfNode *, OutputCtx *), FiledataLogger FiledataLogFunc);
12 years ago
Victor Julien f830cb8026 output: introduce concept of sub-modules
To support the 'eve-log' idea, we need to be able to force all log
modules to be enabled by the master eve-log module, and need to be
able to make all logs go into a single file. This didn't fit the
API so far, so added the sub-module concept.

A sub-module is a regular module, that registers itself as a sub-
module of another module:

    OutputRegisterTxSubModule("eve-log", "JsonHttpLog", "http",
            OutputHttpLogInitSub, ALPROTO_HTTP, JsonHttpLogger);

The first argument is the name of the parent. The 4th argument is
the OutputCtx init function. It differs slightly from the non-sub
one. The different is that in addition to it's ConfNode, it gets
the OutputCtx from the parent. This way it can set the parents
LogFileCtx in it's own OutputCtx.

The runmode setup code will take care of all the extra setup. It's
possible to register a module both as a normal module and as a sub-
module, which can operate at the same time.

Only the TxLogger API is handled in this patch, the rest will be
updated later.
12 years ago
Victor Julien 8c3e71559a dns-json: turn logger to tx api
Convert Json DNS logger into a Tx Logger API logger.
12 years ago
Victor Julien bc71a43e08 http-json: separate module using tx api
Turn HTTP json logger into a Tx Logger API logger.
12 years ago
Victor Julien 4874d5abbb Various compile fixes after rebase with master 12 years ago
Tom DeCanio 18458a14fb json: rebase fixes
- restore json output-file.[ch] as output-json-file.[ch] after rebase conflict
- fix Makefile.am after merge conflict
- some dev-log-api-v4.0 rebase json fallout cleanup
12 years ago
Tom DeCanio 6fd1b31c57 Remaining JSON output pull request comment edits 12 years ago
Tom DeCanio a3d86594dc address most initial JSON pull request comments 12 years ago
Tom DeCanio 55df2d5cdb add "united" drop JSON log 12 years ago
Tom DeCanio 0c067646a8 Add "united" JSON files output 12 years ago
Tom DeCanio 730ee3d721 First cut at "united" file log output in JSON 12 years ago
Tom DeCanio 88a04742c0 JSON output cleanup 12 years ago
Tom DeCanio b4ac0d90a4 remove unused http JSON code 12 years ago