|
|
|
|
/* Copyright (C) 2007-2014 Open Information Security Foundation
|
|
|
|
|
*
|
|
|
|
|
* You can copy, redistribute or modify this Program under the terms of
|
|
|
|
|
* the GNU General Public License version 2 as published by the Free
|
|
|
|
|
* Software Foundation.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
|
* version 2 along with this program; if not, write to the Free Software
|
|
|
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
|
|
|
|
|
* 02110-1301, USA.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \file
|
|
|
|
|
*
|
|
|
|
|
* \author Victor Julien <victor@inliniac.net>
|
|
|
|
|
*
|
|
|
|
|
* File based pcap packet acquisition support
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include "suricata-common.h"
|
|
|
|
|
#include "suricata.h"
|
|
|
|
|
#include "decode.h"
|
|
|
|
|
#include "packet-queue.h"
|
|
|
|
|
#include "threads.h"
|
|
|
|
|
#include "threadvars.h"
|
|
|
|
|
#include "tm-queuehandlers.h"
|
|
|
|
|
#include "source-pcap-file.h"
|
|
|
|
|
#include "util-time.h"
|
|
|
|
|
#include "util-debug.h"
|
|
|
|
|
#include "conf.h"
|
|
|
|
|
#include "util-error.h"
|
|
|
|
|
#include "util-privs.h"
|
|
|
|
|
#include "tmqh-packetpool.h"
|
|
|
|
|
#include "tm-threads.h"
|
|
|
|
|
#include "util-optimize.h"
|
|
|
|
|
#include "flow-manager.h"
|
|
|
|
|
#include "util-profiling.h"
|
unix-manager: add unix command socket and associated script
This patch introduces a unix command socket. JSON formatted messages
can be exchanged between suricata and a program connecting to a
dedicated socket.
The protocol is the following:
* Client connects to the socket
* It sends a version message: { "version": "$VERSION_ID" }
* Server answers with { "return": "OK|NOK" }
If server returns OK, the client is now allowed to send command.
The format of command is the following:
{
"command": "pcap-file",
"arguments": { "filename": "smtp-clean.pcap", "output-dir": "/tmp/out" }
}
The server will try to execute the "command" specified with the
(optional) provided "arguments".
The answer by server is the following:
{
"return": "OK|NOK",
"message": JSON_OBJECT or information string
}
A simple script is provided and is available under scripts/suricatasc. It
is not intended to be enterprise-grade tool but it is more a proof of
concept/example code. The first command line argument of suricatasc is
used to specify the socket to connect to.
Configuration of the feature is made in the YAML under the 'unix-command'
section:
unix-command:
enabled: yes
filename: custom.socket
The path specified in 'filename' is not absolute and is relative to the
state directory.
A new running mode called 'unix-socket' is also added.
When starting in this mode, only a unix socket manager
is started. When it receives a 'pcap-file' command, the manager
start a 'pcap-file' running mode which does not really leave at
the end of file but simply exit. The manager is then able to start
a new running mode with a new file.
To start this mode, Suricata must be started with the --unix-socket
option which has an optional argument which fix the file name of the
socket. The path is not absolute and is relative to the state directory.
THe 'pcap-file' command adds a file to the list of files to treat.
For each pcap file, a pcap file running mode is started and the output
directory is changed to what specified in the command. The running
mode specified in the 'runmode' YAML setting is used to select which
running mode must be use for the pcap file treatment.
This requires modification in suricata.c file where initialisation code
is now conditional to the fact 'unix-socket' mode is not used.
Two other commands exists to get info on the remaining tasks:
* pcap-file-number: return the number of files in the waiting queue
* pcap-file-list: return the list of waiting files
'pcap-file-list' returns a structured object as message. The
structure is the following:
{
'count': 2,
'files': ['file1.pcap', 'file2.pcap']
}
14 years ago
|
|
|
#include "runmode-unix-socket.h"
|
|
|
|
|
#include "util-checksum.h"
|
|
|
|
|
#include "util-atomic.h"
|
|
|
|
|
|
|
|
|
|
#ifdef __SC_CUDA_SUPPORT__
|
|
|
|
|
|
|
|
|
|
#include "util-cuda.h"
|
|
|
|
|
#include "util-cuda-buffer.h"
|
|
|
|
|
#include "util-mpm-ac.h"
|
|
|
|
|
#include "util-cuda-handlers.h"
|
|
|
|
|
#include "detect-engine.h"
|
|
|
|
|
#include "detect-engine-mpm.h"
|
|
|
|
|
#include "util-cuda-vars.h"
|
|
|
|
|
|
|
|
|
|
#endif /* __SC_CUDA_SUPPORT__ */
|
|
|
|
|
|
|
|
|
|
extern uint8_t suricata_ctl_flags;
|
|
|
|
|
extern int max_pending_packets;
|
|
|
|
|
|
|
|
|
|
//static int pcap_max_read_packets = 0;
|
|
|
|
|
|
|
|
|
|
typedef struct PcapFileGlobalVars_ {
|
|
|
|
|
pcap_t *pcap_handle;
|
|
|
|
|
int (*Decoder)(ThreadVars *, DecodeThreadVars *, Packet *, u_int8_t *, u_int16_t, PacketQueue *);
|
|
|
|
|
int datalink;
|
|
|
|
|
struct bpf_program filter;
|
|
|
|
|
uint64_t cnt; /** packet counter */
|
|
|
|
|
ChecksumValidationMode conf_checksum_mode;
|
|
|
|
|
ChecksumValidationMode checksum_mode;
|
|
|
|
|
SC_ATOMIC_DECLARE(unsigned int, invalid_checksums);
|
|
|
|
|
|
|
|
|
|
} PcapFileGlobalVars;
|
|
|
|
|
|
|
|
|
|
/** max packets < 65536 */
|
|
|
|
|
//#define PCAP_FILE_MAX_PKTS 256
|
|
|
|
|
|
|
|
|
|
typedef struct PcapFileThreadVars_
|
|
|
|
|
{
|
|
|
|
|
/* counters */
|
|
|
|
|
uint32_t pkts;
|
|
|
|
|
uint64_t bytes;
|
|
|
|
|
|
|
|
|
|
ThreadVars *tv;
|
|
|
|
|
TmSlot *slot;
|
|
|
|
|
|
|
|
|
|
/** callback result -- set if one of the thread module failed. */
|
|
|
|
|
int cb_result;
|
|
|
|
|
|
|
|
|
|
uint8_t done;
|
|
|
|
|
uint32_t errs;
|
|
|
|
|
} PcapFileThreadVars;
|
|
|
|
|
|
|
|
|
|
static PcapFileGlobalVars pcap_g;
|
|
|
|
|
|
|
|
|
|
TmEcode ReceivePcapFileLoop(ThreadVars *, void *, void *);
|
|
|
|
|
|
|
|
|
|
TmEcode ReceivePcapFileThreadInit(ThreadVars *, void *, void **);
|
|
|
|
|
void ReceivePcapFileThreadExitStats(ThreadVars *, void *);
|
|
|
|
|
TmEcode ReceivePcapFileThreadDeinit(ThreadVars *, void *);
|
|
|
|
|
|
|
|
|
|
TmEcode DecodePcapFile(ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *);
|
|
|
|
|
TmEcode DecodePcapFileThreadInit(ThreadVars *, void *, void **);
|
|
|
|
|
TmEcode DecodePcapFileThreadDeinit(ThreadVars *tv, void *data);
|
|
|
|
|
|
|
|
|
|
void TmModuleReceivePcapFileRegister (void) {
|
|
|
|
|
memset(&pcap_g, 0x00, sizeof(pcap_g));
|
|
|
|
|
|
|
|
|
|
tmm_modules[TMM_RECEIVEPCAPFILE].name = "ReceivePcapFile";
|
|
|
|
|
tmm_modules[TMM_RECEIVEPCAPFILE].ThreadInit = ReceivePcapFileThreadInit;
|
|
|
|
|
tmm_modules[TMM_RECEIVEPCAPFILE].Func = NULL;
|
|
|
|
|
tmm_modules[TMM_RECEIVEPCAPFILE].PktAcqLoop = ReceivePcapFileLoop;
|
|
|
|
|
tmm_modules[TMM_RECEIVEPCAPFILE].ThreadExitPrintStats = ReceivePcapFileThreadExitStats;
|
|
|
|
|
tmm_modules[TMM_RECEIVEPCAPFILE].ThreadDeinit = ReceivePcapFileThreadDeinit;
|
|
|
|
|
tmm_modules[TMM_RECEIVEPCAPFILE].RegisterTests = NULL;
|
|
|
|
|
tmm_modules[TMM_RECEIVEPCAPFILE].cap_flags = 0;
|
|
|
|
|
tmm_modules[TMM_RECEIVEPCAPFILE].flags = TM_FLAG_RECEIVE_TM;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void TmModuleDecodePcapFileRegister (void) {
|
|
|
|
|
tmm_modules[TMM_DECODEPCAPFILE].name = "DecodePcapFile";
|
|
|
|
|
tmm_modules[TMM_DECODEPCAPFILE].ThreadInit = DecodePcapFileThreadInit;
|
|
|
|
|
tmm_modules[TMM_DECODEPCAPFILE].Func = DecodePcapFile;
|
|
|
|
|
tmm_modules[TMM_DECODEPCAPFILE].ThreadExitPrintStats = NULL;
|
|
|
|
|
tmm_modules[TMM_DECODEPCAPFILE].ThreadDeinit = DecodePcapFileThreadDeinit;
|
|
|
|
|
tmm_modules[TMM_DECODEPCAPFILE].RegisterTests = NULL;
|
|
|
|
|
tmm_modules[TMM_DECODEPCAPFILE].cap_flags = 0;
|
|
|
|
|
tmm_modules[TMM_DECODEPCAPFILE].flags = TM_FLAG_DECODE_TM;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void PcapFileCallbackLoop(char *user, struct pcap_pkthdr *h, u_char *pkt) {
|
|
|
|
|
SCEnter();
|
|
|
|
|
|
|
|
|
|
PcapFileThreadVars *ptv = (PcapFileThreadVars *)user;
|
|
|
|
|
Packet *p = PacketGetFromQueueOrAlloc();
|
|
|
|
|
|
|
|
|
|
if (unlikely(p == NULL)) {
|
|
|
|
|
SCReturn;
|
|
|
|
|
}
|
|
|
|
|
PACKET_PROFILING_TMM_START(p, TMM_RECEIVEPCAPFILE);
|
|
|
|
|
|
|
|
|
|
PKT_SET_SRC(p, PKT_SRC_WIRE);
|
|
|
|
|
p->ts.tv_sec = h->ts.tv_sec;
|
|
|
|
|
p->ts.tv_usec = h->ts.tv_usec;
|
|
|
|
|
SCLogDebug("p->ts.tv_sec %"PRIuMAX"", (uintmax_t)p->ts.tv_sec);
|
|
|
|
|
p->datalink = pcap_g.datalink;
|
Add per packet profiling.
Per packet profiling uses tick based accounting. It has 2 outputs, a summary
and a csv file that contains per packet stats.
Stats per packet include:
1) total ticks spent
2) ticks spent per individual thread module
3) "threading overhead" which is simply calculated by subtracting (2) of (1).
A number of changes were made to integrate the new code in a clean way:
a number of generic enums are now placed in tm-threads-common.h so we can
include them from any part of the engine.
Code depends on --enable-profiling just like the rule profiling code.
New yaml parameters:
profiling:
# packet profiling
packets:
# Profiling can be disabled here, but it will still have a
# performance impact if compiled in.
enabled: yes
filename: packet_stats.log
append: yes
# per packet csv output
csv:
# Output can be disabled here, but it will still have a
# performance impact if compiled in.
enabled: no
filename: packet_stats.csv
Example output of summary stats:
IP ver Proto cnt min max avg
------ ----- ------ ------ ---------- -------
IPv4 6 19436 11448 5404365 32993
IPv4 256 4 11511 49968 30575
Per Thread module stats:
Thread Module IP ver Proto cnt min max avg
------------------------ ------ ----- ------ ------ ---------- -------
TMM_DECODEPCAPFILE IPv4 6 19434 1242 47889 1770
TMM_DETECT IPv4 6 19436 1107 137241 1504
TMM_ALERTFASTLOG IPv4 6 19436 90 1323 155
TMM_ALERTUNIFIED2ALERT IPv4 6 19436 108 1359 138
TMM_ALERTDEBUGLOG IPv4 6 19436 90 1134 154
TMM_LOGHTTPLOG IPv4 6 19436 414 5392089 7944
TMM_STREAMTCP IPv4 6 19434 828 1299159 19438
The proto 256 is a counter for handling of pseudo/tunnel packets.
Example output of csv:
pcap_cnt,ipver,ipproto,total,TMM_DECODENFQ,TMM_VERDICTNFQ,TMM_RECEIVENFQ,TMM_RECEIVEPCAP,TMM_RECEIVEPCAPFILE,TMM_DECODEPCAP,TMM_DECODEPCAPFILE,TMM_RECEIVEPFRING,TMM_DECODEPFRING,TMM_DETECT,TMM_ALERTFASTLOG,TMM_ALERTFASTLOG4,TMM_ALERTFASTLOG6,TMM_ALERTUNIFIEDLOG,TMM_ALERTUNIFIEDALERT,TMM_ALERTUNIFIED2ALERT,TMM_ALERTPRELUDE,TMM_ALERTDEBUGLOG,TMM_ALERTSYSLOG,TMM_LOGDROPLOG,TMM_ALERTSYSLOG4,TMM_ALERTSYSLOG6,TMM_RESPONDREJECT,TMM_LOGHTTPLOG,TMM_LOGHTTPLOG4,TMM_LOGHTTPLOG6,TMM_PCAPLOG,TMM_STREAMTCP,TMM_DECODEIPFW,TMM_VERDICTIPFW,TMM_RECEIVEIPFW,TMM_RECEIVEERFFILE,TMM_DECODEERFFILE,TMM_RECEIVEERFDAG,TMM_DECODEERFDAG,threading
1,4,6,172008,0,0,0,0,0,0,47889,0,0,48582,1323,0,0,0,0,1359,0,1134,0,0,0,0,0,8028,0,0,0,49356,0,0,0,0,0,0,0,14337
First line of the file contains labels.
2 example gnuplot scripts added to plot the data.
14 years ago
|
|
|
p->pcap_cnt = ++pcap_g.cnt;
|
|
|
|
|
|
|
|
|
|
ptv->pkts++;
|
|
|
|
|
ptv->bytes += h->caplen;
|
|
|
|
|
|
|
|
|
|
if (unlikely(PacketCopyData(p, pkt, h->caplen))) {
|
|
|
|
|
TmqhOutputPacketpool(ptv->tv, p);
|
|
|
|
|
PACKET_PROFILING_TMM_END(p, TMM_RECEIVEPCAPFILE);
|
|
|
|
|
SCReturn;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* We only check for checksum disable */
|
|
|
|
|
if (pcap_g.checksum_mode == CHECKSUM_VALIDATION_DISABLE) {
|
|
|
|
|
p->flags |= PKT_IGNORE_CHECKSUM;
|
|
|
|
|
} else if (pcap_g.checksum_mode == CHECKSUM_VALIDATION_AUTO) {
|
|
|
|
|
if (ChecksumAutoModeCheck(ptv->pkts, p->pcap_cnt,
|
|
|
|
|
SC_ATOMIC_GET(pcap_g.invalid_checksums))) {
|
|
|
|
|
pcap_g.checksum_mode = CHECKSUM_VALIDATION_DISABLE;
|
|
|
|
|
p->flags |= PKT_IGNORE_CHECKSUM;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
PACKET_PROFILING_TMM_END(p, TMM_RECEIVEPCAPFILE);
|
|
|
|
|
|
|
|
|
|
if (TmThreadsSlotProcessPkt(ptv->tv, ptv->slot, p) != TM_ECODE_OK) {
|
|
|
|
|
pcap_breakloop(pcap_g.pcap_handle);
|
|
|
|
|
ptv->cb_result = TM_ECODE_FAILED;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
SCReturn;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \brief Main PCAP file reading Loop function
|
|
|
|
|
*/
|
|
|
|
|
TmEcode ReceivePcapFileLoop(ThreadVars *tv, void *data, void *slot)
|
|
|
|
|
{
|
|
|
|
|
SCEnter();
|
|
|
|
|
|
|
|
|
|
uint16_t packet_q_len = 0;
|
|
|
|
|
PcapFileThreadVars *ptv = (PcapFileThreadVars *)data;
|
|
|
|
|
int r;
|
|
|
|
|
TmSlot *s = (TmSlot *)slot;
|
|
|
|
|
|
|
|
|
|
ptv->slot = s->slot_next;
|
|
|
|
|
ptv->cb_result = TM_ECODE_OK;
|
|
|
|
|
|
|
|
|
|
while (1) {
|
|
|
|
|
if (suricata_ctl_flags & (SURICATA_STOP | SURICATA_KILL)) {
|
|
|
|
|
SCReturnInt(TM_ECODE_OK);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* make sure we have at least one packet in the packet pool, to prevent
|
|
|
|
|
* us from alloc'ing packets at line rate */
|
|
|
|
|
PacketPoolWait();
|
|
|
|
|
|
|
|
|
|
/* Right now we just support reading packets one at a time. */
|
|
|
|
|
r = pcap_dispatch(pcap_g.pcap_handle, (int)packet_q_len,
|
|
|
|
|
(pcap_handler)PcapFileCallbackLoop, (u_char *)ptv);
|
|
|
|
|
if (unlikely(r == -1)) {
|
|
|
|
|
SCLogError(SC_ERR_PCAP_DISPATCH, "error code %" PRId32 " %s",
|
|
|
|
|
r, pcap_geterr(pcap_g.pcap_handle));
|
|
|
|
|
if (! RunModeUnixSocketIsActive()) {
|
|
|
|
|
/* in the error state we just kill the engine */
|
|
|
|
|
EngineKill();
|
|
|
|
|
SCReturnInt(TM_ECODE_FAILED);
|
|
|
|
|
} else {
|
|
|
|
|
pcap_close(pcap_g.pcap_handle);
|
|
|
|
|
pcap_g.pcap_handle = NULL;
|
|
|
|
|
UnixSocketPcapFile(TM_ECODE_DONE);
|
|
|
|
|
SCReturnInt(TM_ECODE_DONE);
|
|
|
|
|
}
|
|
|
|
|
} else if (unlikely(r == 0)) {
|
|
|
|
|
SCLogInfo("pcap file end of file reached (pcap err code %" PRId32 ")", r);
|
unix-manager: add unix command socket and associated script
This patch introduces a unix command socket. JSON formatted messages
can be exchanged between suricata and a program connecting to a
dedicated socket.
The protocol is the following:
* Client connects to the socket
* It sends a version message: { "version": "$VERSION_ID" }
* Server answers with { "return": "OK|NOK" }
If server returns OK, the client is now allowed to send command.
The format of command is the following:
{
"command": "pcap-file",
"arguments": { "filename": "smtp-clean.pcap", "output-dir": "/tmp/out" }
}
The server will try to execute the "command" specified with the
(optional) provided "arguments".
The answer by server is the following:
{
"return": "OK|NOK",
"message": JSON_OBJECT or information string
}
A simple script is provided and is available under scripts/suricatasc. It
is not intended to be enterprise-grade tool but it is more a proof of
concept/example code. The first command line argument of suricatasc is
used to specify the socket to connect to.
Configuration of the feature is made in the YAML under the 'unix-command'
section:
unix-command:
enabled: yes
filename: custom.socket
The path specified in 'filename' is not absolute and is relative to the
state directory.
A new running mode called 'unix-socket' is also added.
When starting in this mode, only a unix socket manager
is started. When it receives a 'pcap-file' command, the manager
start a 'pcap-file' running mode which does not really leave at
the end of file but simply exit. The manager is then able to start
a new running mode with a new file.
To start this mode, Suricata must be started with the --unix-socket
option which has an optional argument which fix the file name of the
socket. The path is not absolute and is relative to the state directory.
THe 'pcap-file' command adds a file to the list of files to treat.
For each pcap file, a pcap file running mode is started and the output
directory is changed to what specified in the command. The running
mode specified in the 'runmode' YAML setting is used to select which
running mode must be use for the pcap file treatment.
This requires modification in suricata.c file where initialisation code
is now conditional to the fact 'unix-socket' mode is not used.
Two other commands exists to get info on the remaining tasks:
* pcap-file-number: return the number of files in the waiting queue
* pcap-file-list: return the list of waiting files
'pcap-file-list' returns a structured object as message. The
structure is the following:
{
'count': 2,
'files': ['file1.pcap', 'file2.pcap']
}
14 years ago
|
|
|
if (! RunModeUnixSocketIsActive()) {
|
|
|
|
|
EngineStop();
|
|
|
|
|
} else {
|
|
|
|
|
pcap_close(pcap_g.pcap_handle);
|
|
|
|
|
pcap_g.pcap_handle = NULL;
|
|
|
|
|
UnixSocketPcapFile(TM_ECODE_DONE);
|
|
|
|
|
SCReturnInt(TM_ECODE_DONE);
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
} else if (ptv->cb_result == TM_ECODE_FAILED) {
|
|
|
|
|
SCLogError(SC_ERR_PCAP_DISPATCH, "Pcap callback PcapFileCallbackLoop failed");
|
|
|
|
|
if (! RunModeUnixSocketIsActive()) {
|
|
|
|
|
EngineKill();
|
|
|
|
|
SCReturnInt(TM_ECODE_FAILED);
|
|
|
|
|
} else {
|
|
|
|
|
pcap_close(pcap_g.pcap_handle);
|
|
|
|
|
pcap_g.pcap_handle = NULL;
|
|
|
|
|
UnixSocketPcapFile(TM_ECODE_DONE);
|
|
|
|
|
SCReturnInt(TM_ECODE_DONE);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
SCPerfSyncCountersIfSignalled(tv);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
SCReturnInt(TM_ECODE_OK);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
TmEcode ReceivePcapFileThreadInit(ThreadVars *tv, void *initdata, void **data) {
|
|
|
|
|
SCEnter();
|
|
|
|
|
char *tmpbpfstring = NULL;
|
|
|
|
|
char *tmpstring = NULL;
|
|
|
|
|
if (initdata == NULL) {
|
|
|
|
|
SCLogError(SC_ERR_INVALID_ARGUMENT, "error: initdata == NULL");
|
|
|
|
|
SCReturnInt(TM_ECODE_FAILED);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
SCLogInfo("reading pcap file %s", (char *)initdata);
|
|
|
|
|
|
|
|
|
|
PcapFileThreadVars *ptv = SCMalloc(sizeof(PcapFileThreadVars));
|
|
|
|
|
if (unlikely(ptv == NULL))
|
|
|
|
|
SCReturnInt(TM_ECODE_FAILED);
|
|
|
|
|
memset(ptv, 0, sizeof(PcapFileThreadVars));
|
|
|
|
|
|
|
|
|
|
char errbuf[PCAP_ERRBUF_SIZE] = "";
|
|
|
|
|
pcap_g.pcap_handle = pcap_open_offline((char *)initdata, errbuf);
|
|
|
|
|
if (pcap_g.pcap_handle == NULL) {
|
|
|
|
|
SCLogError(SC_ERR_FOPEN, "%s\n", errbuf);
|
|
|
|
|
SCFree(ptv);
|
unix-manager: add unix command socket and associated script
This patch introduces a unix command socket. JSON formatted messages
can be exchanged between suricata and a program connecting to a
dedicated socket.
The protocol is the following:
* Client connects to the socket
* It sends a version message: { "version": "$VERSION_ID" }
* Server answers with { "return": "OK|NOK" }
If server returns OK, the client is now allowed to send command.
The format of command is the following:
{
"command": "pcap-file",
"arguments": { "filename": "smtp-clean.pcap", "output-dir": "/tmp/out" }
}
The server will try to execute the "command" specified with the
(optional) provided "arguments".
The answer by server is the following:
{
"return": "OK|NOK",
"message": JSON_OBJECT or information string
}
A simple script is provided and is available under scripts/suricatasc. It
is not intended to be enterprise-grade tool but it is more a proof of
concept/example code. The first command line argument of suricatasc is
used to specify the socket to connect to.
Configuration of the feature is made in the YAML under the 'unix-command'
section:
unix-command:
enabled: yes
filename: custom.socket
The path specified in 'filename' is not absolute and is relative to the
state directory.
A new running mode called 'unix-socket' is also added.
When starting in this mode, only a unix socket manager
is started. When it receives a 'pcap-file' command, the manager
start a 'pcap-file' running mode which does not really leave at
the end of file but simply exit. The manager is then able to start
a new running mode with a new file.
To start this mode, Suricata must be started with the --unix-socket
option which has an optional argument which fix the file name of the
socket. The path is not absolute and is relative to the state directory.
THe 'pcap-file' command adds a file to the list of files to treat.
For each pcap file, a pcap file running mode is started and the output
directory is changed to what specified in the command. The running
mode specified in the 'runmode' YAML setting is used to select which
running mode must be use for the pcap file treatment.
This requires modification in suricata.c file where initialisation code
is now conditional to the fact 'unix-socket' mode is not used.
Two other commands exists to get info on the remaining tasks:
* pcap-file-number: return the number of files in the waiting queue
* pcap-file-list: return the list of waiting files
'pcap-file-list' returns a structured object as message. The
structure is the following:
{
'count': 2,
'files': ['file1.pcap', 'file2.pcap']
}
14 years ago
|
|
|
if (! RunModeUnixSocketIsActive()) {
|
|
|
|
|
return TM_ECODE_FAILED;
|
|
|
|
|
} else {
|
|
|
|
|
UnixSocketPcapFile(TM_ECODE_FAILED);
|
|
|
|
|
SCReturnInt(TM_ECODE_DONE);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (ConfGet("bpf-filter", &tmpbpfstring) != 1) {
|
|
|
|
|
SCLogDebug("could not get bpf or none specified");
|
|
|
|
|
} else {
|
|
|
|
|
SCLogInfo("using bpf-filter \"%s\"", tmpbpfstring);
|
|
|
|
|
|
|
|
|
|
if(pcap_compile(pcap_g.pcap_handle,&pcap_g.filter,tmpbpfstring,1,0) < 0) {
|
|
|
|
|
SCLogError(SC_ERR_BPF,"bpf compilation error %s",pcap_geterr(pcap_g.pcap_handle));
|
|
|
|
|
SCFree(ptv);
|
|
|
|
|
return TM_ECODE_FAILED;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if(pcap_setfilter(pcap_g.pcap_handle,&pcap_g.filter) < 0) {
|
|
|
|
|
SCLogError(SC_ERR_BPF,"could not set bpf filter %s",pcap_geterr(pcap_g.pcap_handle));
|
|
|
|
|
SCFree(ptv);
|
|
|
|
|
return TM_ECODE_FAILED;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pcap_g.datalink = pcap_datalink(pcap_g.pcap_handle);
|
|
|
|
|
SCLogDebug("datalink %" PRId32 "", pcap_g.datalink);
|
|
|
|
|
|
unix-manager: add unix command socket and associated script
This patch introduces a unix command socket. JSON formatted messages
can be exchanged between suricata and a program connecting to a
dedicated socket.
The protocol is the following:
* Client connects to the socket
* It sends a version message: { "version": "$VERSION_ID" }
* Server answers with { "return": "OK|NOK" }
If server returns OK, the client is now allowed to send command.
The format of command is the following:
{
"command": "pcap-file",
"arguments": { "filename": "smtp-clean.pcap", "output-dir": "/tmp/out" }
}
The server will try to execute the "command" specified with the
(optional) provided "arguments".
The answer by server is the following:
{
"return": "OK|NOK",
"message": JSON_OBJECT or information string
}
A simple script is provided and is available under scripts/suricatasc. It
is not intended to be enterprise-grade tool but it is more a proof of
concept/example code. The first command line argument of suricatasc is
used to specify the socket to connect to.
Configuration of the feature is made in the YAML under the 'unix-command'
section:
unix-command:
enabled: yes
filename: custom.socket
The path specified in 'filename' is not absolute and is relative to the
state directory.
A new running mode called 'unix-socket' is also added.
When starting in this mode, only a unix socket manager
is started. When it receives a 'pcap-file' command, the manager
start a 'pcap-file' running mode which does not really leave at
the end of file but simply exit. The manager is then able to start
a new running mode with a new file.
To start this mode, Suricata must be started with the --unix-socket
option which has an optional argument which fix the file name of the
socket. The path is not absolute and is relative to the state directory.
THe 'pcap-file' command adds a file to the list of files to treat.
For each pcap file, a pcap file running mode is started and the output
directory is changed to what specified in the command. The running
mode specified in the 'runmode' YAML setting is used to select which
running mode must be use for the pcap file treatment.
This requires modification in suricata.c file where initialisation code
is now conditional to the fact 'unix-socket' mode is not used.
Two other commands exists to get info on the remaining tasks:
* pcap-file-number: return the number of files in the waiting queue
* pcap-file-list: return the list of waiting files
'pcap-file-list' returns a structured object as message. The
structure is the following:
{
'count': 2,
'files': ['file1.pcap', 'file2.pcap']
}
14 years ago
|
|
|
switch(pcap_g.datalink) {
|
|
|
|
|
case LINKTYPE_LINUX_SLL:
|
|
|
|
|
pcap_g.Decoder = DecodeSll;
|
|
|
|
|
break;
|
|
|
|
|
case LINKTYPE_ETHERNET:
|
|
|
|
|
pcap_g.Decoder = DecodeEthernet;
|
|
|
|
|
break;
|
|
|
|
|
case LINKTYPE_PPP:
|
|
|
|
|
pcap_g.Decoder = DecodePPP;
|
|
|
|
|
break;
|
|
|
|
|
case LINKTYPE_RAW:
|
|
|
|
|
pcap_g.Decoder = DecodeRaw;
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
SCLogError(SC_ERR_UNIMPLEMENTED, "datalink type %" PRId32 " not "
|
|
|
|
|
"(yet) supported in module PcapFile.\n", pcap_g.datalink);
|
|
|
|
|
SCFree(ptv);
|
|
|
|
|
if (! RunModeUnixSocketIsActive()) {
|
|
|
|
|
SCReturnInt(TM_ECODE_FAILED);
|
|
|
|
|
} else {
|
|
|
|
|
pcap_close(pcap_g.pcap_handle);
|
|
|
|
|
pcap_g.pcap_handle = NULL;
|
|
|
|
|
UnixSocketPcapFile(TM_ECODE_DONE);
|
|
|
|
|
SCReturnInt(TM_ECODE_DONE);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (ConfGet("pcap-file.checksum-checks", &tmpstring) != 1) {
|
|
|
|
|
pcap_g.conf_checksum_mode = CHECKSUM_VALIDATION_AUTO;
|
|
|
|
|
} else {
|
|
|
|
|
if (strcmp(tmpstring, "auto") == 0) {
|
|
|
|
|
pcap_g.conf_checksum_mode = CHECKSUM_VALIDATION_AUTO;
|
|
|
|
|
} else if (strcmp(tmpstring, "yes") == 0) {
|
|
|
|
|
pcap_g.conf_checksum_mode = CHECKSUM_VALIDATION_ENABLE;
|
|
|
|
|
} else if (strcmp(tmpstring, "no") == 0) {
|
|
|
|
|
pcap_g.conf_checksum_mode = CHECKSUM_VALIDATION_DISABLE;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
pcap_g.checksum_mode = pcap_g.conf_checksum_mode;
|
|
|
|
|
|
|
|
|
|
ptv->tv = tv;
|
|
|
|
|
*data = (void *)ptv;
|
|
|
|
|
|
|
|
|
|
SCReturnInt(TM_ECODE_OK);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void ReceivePcapFileThreadExitStats(ThreadVars *tv, void *data) {
|
|
|
|
|
SCEnter();
|
|
|
|
|
PcapFileThreadVars *ptv = (PcapFileThreadVars *)data;
|
|
|
|
|
|
|
|
|
|
if (pcap_g.conf_checksum_mode == CHECKSUM_VALIDATION_AUTO &&
|
|
|
|
|
pcap_g.cnt < CHECKSUM_SAMPLE_COUNT &&
|
|
|
|
|
SC_ATOMIC_GET(pcap_g.invalid_checksums)) {
|
|
|
|
|
uint64_t chrate = pcap_g.cnt / SC_ATOMIC_GET(pcap_g.invalid_checksums);
|
|
|
|
|
if (chrate < CHECKSUM_INVALID_RATIO)
|
|
|
|
|
SCLogWarning(SC_ERR_INVALID_CHECKSUM,
|
|
|
|
|
"1/%" PRIu64 "th of packets have an invalid checksum,"
|
|
|
|
|
" consider setting pcap-file.checksum-checks variable to no"
|
|
|
|
|
" or use '-k none' option on command line.",
|
|
|
|
|
chrate);
|
|
|
|
|
else
|
|
|
|
|
SCLogInfo("1/%" PRIu64 "th of packets have an invalid checksum",
|
|
|
|
|
chrate);
|
|
|
|
|
}
|
|
|
|
|
SCLogNotice("Pcap-file module read %" PRIu32 " packets, %" PRIu64 " bytes", ptv->pkts, ptv->bytes);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
TmEcode ReceivePcapFileThreadDeinit(ThreadVars *tv, void *data) {
|
|
|
|
|
SCEnter();
|
|
|
|
|
PcapFileThreadVars *ptv = (PcapFileThreadVars *)data;
|
|
|
|
|
if (ptv) {
|
|
|
|
|
SCFree(ptv);
|
|
|
|
|
}
|
|
|
|
|
SCReturnInt(TM_ECODE_OK);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
double prev_signaled_ts = 0;
|
|
|
|
|
|
|
|
|
|
TmEcode DecodePcapFile(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq)
|
|
|
|
|
{
|
|
|
|
|
SCEnter();
|
|
|
|
|
DecodeThreadVars *dtv = (DecodeThreadVars *)data;
|
|
|
|
|
|
|
|
|
|
/* XXX HACK: flow timeout can call us for injected pseudo packets
|
|
|
|
|
* see bug: https://redmine.openinfosecfoundation.org/issues/1107 */
|
|
|
|
|
if (p->flags & PKT_PSEUDO_STREAM_END)
|
|
|
|
|
return TM_ECODE_OK;
|
|
|
|
|
|
|
|
|
|
/* update counters */
|
|
|
|
|
SCPerfCounterIncr(dtv->counter_pkts, tv->sc_perf_pca);
|
|
|
|
|
// SCPerfCounterIncr(dtv->counter_pkts_per_sec, tv->sc_perf_pca);
|
|
|
|
|
|
|
|
|
|
SCPerfCounterAddUI64(dtv->counter_bytes, tv->sc_perf_pca, GET_PKT_LEN(p));
|
|
|
|
|
#if 0
|
|
|
|
|
SCPerfCounterAddDouble(dtv->counter_bytes_per_sec, tv->sc_perf_pca, GET_PKT_LEN(p));
|
|
|
|
|
SCPerfCounterAddDouble(dtv->counter_mbit_per_sec, tv->sc_perf_pca,
|
|
|
|
|
(GET_PKT_LEN(p) * 8)/1000000.0 );
|
|
|
|
|
#endif
|
|
|
|
|
SCPerfCounterAddUI64(dtv->counter_avg_pkt_size, tv->sc_perf_pca, GET_PKT_LEN(p));
|
|
|
|
|
SCPerfCounterSetUI64(dtv->counter_max_pkt_size, tv->sc_perf_pca, GET_PKT_LEN(p));
|
|
|
|
|
|
|
|
|
|
double curr_ts = p->ts.tv_sec + p->ts.tv_usec / 1000.0;
|
|
|
|
|
if (curr_ts < prev_signaled_ts || (curr_ts - prev_signaled_ts) > 60.0) {
|
|
|
|
|
prev_signaled_ts = curr_ts;
|
|
|
|
|
FlowWakeupFlowManagerThread();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* update the engine time representation based on the timestamp
|
|
|
|
|
* of the packet. */
|
|
|
|
|
TimeSet(&p->ts);
|
|
|
|
|
|
|
|
|
|
/* call the decoder */
|
|
|
|
|
pcap_g.Decoder(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
|
|
|
|
|
|
|
|
|
|
#ifdef DEBUG
|
|
|
|
|
BUG_ON(p->pkt_src != PKT_SRC_WIRE && p->pkt_src != PKT_SRC_FFR_V2);
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
PacketDecodeFinalize(tv, dtv, p);
|
|
|
|
|
|
|
|
|
|
SCReturnInt(TM_ECODE_OK);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
TmEcode DecodePcapFileThreadInit(ThreadVars *tv, void *initdata, void **data)
|
|
|
|
|
{
|
|
|
|
|
SCEnter();
|
|
|
|
|
DecodeThreadVars *dtv = NULL;
|
|
|
|
|
dtv = DecodeThreadVarsAlloc(tv);
|
|
|
|
|
|
|
|
|
|
if (dtv == NULL)
|
|
|
|
|
SCReturnInt(TM_ECODE_FAILED);
|
|
|
|
|
|
|
|
|
|
DecodeRegisterPerfCounters(dtv, tv);
|
|
|
|
|
|
|
|
|
|
#ifdef __SC_CUDA_SUPPORT__
|
|
|
|
|
if (CudaThreadVarsInit(&dtv->cuda_vars) < 0)
|
|
|
|
|
SCReturnInt(TM_ECODE_FAILED);
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
*data = (void *)dtv;
|
|
|
|
|
|
|
|
|
|
SCReturnInt(TM_ECODE_OK);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
TmEcode DecodePcapFileThreadDeinit(ThreadVars *tv, void *data)
|
|
|
|
|
{
|
|
|
|
|
if (data != NULL)
|
|
|
|
|
DecodeThreadVarsFree(data);
|
|
|
|
|
SCReturnInt(TM_ECODE_OK);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void PcapIncreaseInvalidChecksum()
|
|
|
|
|
{
|
|
|
|
|
(void) SC_ATOMIC_ADD(pcap_g.invalid_checksums, 1);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* eof */
|
|
|
|
|
|
