aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '531ff3ddec'
${ noResults }
suricata/src/output-filedata.c

465 lines
14 KiB
C
Raw Normal View History Unescape Escape

Introduce Filedata Logger API A new logger API for registering file storage handlers. Where the FileLog handler is called once per file, this handler will be called for each data chunk so that storing the entire file is possible. The logger call in the API is as follows: typedef int (*FiledataLogger)(ThreadVars *, void *thread_data, const Packet *, const File *, const FileData *, uint8_t flags); All data is const, thus should be read only. The final flags field is used to indicate to the caller that the file is new, or if it's being closed. Files use an internal unique id 'file_id' which can be used by the loggers to create unique file names. This id can use the 'waldo' feature of the log-filestore module. This patch moves that waldo loading and storing logic to this API's implementation. A new configuration directive 'file-store-waldo: <filename>' is added, but the existing waldo settings will also continue to work.
12 years ago
/* Copyright (C) 2007-2014 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Victor Julien <victor@inliniac.net>
*
* AppLayer Filedata Logger Output registration functions
*/
#include "suricata-common.h"
#include "tm-modules.h"
logging: use a single entry point for all loggers Introduces a new thread module, TMM_LOGGER, which is the root most logger. Only handles loggers in the packet path, stats and flow logging are not included. The loggers are made up of a hierarchy of loggers. At the top we have the root logger which is the main entry point to logging. Under the root there exists parent loggers that are the entry point for specific types of loggers such as packet logger, transaction loggers, etc. Each parent logger may have 0 or more loggers that actual handle the job of producing output to something like a file.
9 years ago
#include "output.h"
Introduce Filedata Logger API A new logger API for registering file storage handlers. Where the FileLog handler is called once per file, this handler will be called for each data chunk so that storing the entire file is possible. The logger call in the API is as follows: typedef int (*FiledataLogger)(ThreadVars *, void *thread_data, const Packet *, const File *, const FileData *, uint8_t flags); All data is const, thus should be read only. The final flags field is used to indicate to the caller that the file is new, or if it's being closed. Files use an internal unique id 'file_id' which can be used by the loggers to create unique file names. This id can use the 'waldo' feature of the log-filestore module. This patch moves that waldo loading and storing logic to this API's implementation. A new configuration directive 'file-store-waldo: <filename>' is added, but the existing waldo settings will also continue to work.
12 years ago
#include "output-filedata.h"
#include "app-layer.h"
#include "app-layer-parser.h"
#include "detect-filemagic.h"
#include "conf.h"
profiling: support log api The log API calls thread modules directly, so the TMM profiling logic can be applied to it. This patch does so. The "Thread Module" out now again lists the individual loggers. As the module are normally called much less frequently the numbers are hard to compare to pre-log-api numbers.
12 years ago
#include "util-profiling.h"
output: get rid of BUG_ONs
6 years ago
#include "util-validate.h"
Introduce Filedata Logger API A new logger API for registering file storage handlers. Where the FileLog handler is called once per file, this handler will be called for each data chunk so that storing the entire file is possible. The logger call in the API is as follows: typedef int (*FiledataLogger)(ThreadVars *, void *thread_data, const Packet *, const File *, const FileData *, uint8_t flags); All data is const, thus should be read only. The final flags field is used to indicate to the caller that the file is new, or if it's being closed. Files use an internal unique id 'file_id' which can be used by the loggers to create unique file names. This id can use the 'waldo' feature of the log-filestore module. This patch moves that waldo loading and storing logic to this API's implementation. A new configuration directive 'file-store-waldo: <filename>' is added, but the existing waldo settings will also continue to work.
12 years ago
typedef struct OutputLoggerThreadStore_ {
void *thread_data;
struct OutputLoggerThreadStore_ *next;
} OutputLoggerThreadStore;
/** per thread data for this module, contains a list of per thread
* data for the packet loggers. */
typedef struct OutputLoggerThreadData_ {
OutputLoggerThreadStore *store;
} OutputLoggerThreadData;
/* logger instance, a module + a output ctx,
* it's perfectly valid that have multiple instances of the same
* log module (e.g. http.log) with different output ctx'. */
typedef struct OutputFiledataLogger_ {
FiledataLogger LogFunc;
OutputCtx *output_ctx;
struct OutputFiledataLogger_ *next;
const char *name;
logging: add profiling back for non-tmm loggers The loggers moved away from a TMM required a new profiling support.
9 years ago
LoggerId logger_id;
logging: convert file data logging to non-thread module
9 years ago
ThreadInitFunc ThreadInit;
ThreadDeinitFunc ThreadDeinit;
ThreadExitPrintStatsFunc ThreadExitPrintStats;
Introduce Filedata Logger API A new logger API for registering file storage handlers. Where the FileLog handler is called once per file, this handler will be called for each data chunk so that storing the entire file is possible. The logger call in the API is as follows: typedef int (*FiledataLogger)(ThreadVars *, void *thread_data, const Packet *, const File *, const FileData *, uint8_t flags); All data is const, thus should be read only. The final flags field is used to indicate to the caller that the file is new, or if it's being closed. Files use an internal unique id 'file_id' which can be used by the loggers to create unique file names. This id can use the 'waldo' feature of the log-filestore module. This patch moves that waldo loading and storing logic to this API's implementation. A new configuration directive 'file-store-waldo: <filename>' is added, but the existing waldo settings will also continue to work.
12 years ago
} OutputFiledataLogger;
static OutputFiledataLogger *list = NULL;
static char g_waldo[PATH_MAX] = "";
static SCMutex g_waldo_mutex = SCMUTEX_INITIALIZER;
static int g_waldo_init = 0;
static int g_waldo_deinit = 0;
logging: add profiling back for non-tmm loggers The loggers moved away from a TMM required a new profiling support.
9 years ago
int OutputRegisterFiledataLogger(LoggerId id, const char *name,
FiledataLogger LogFunc, OutputCtx *output_ctx, ThreadInitFunc ThreadInit,
logging: convert file data logging to non-thread module
9 years ago
ThreadDeinitFunc ThreadDeinit,
ThreadExitPrintStatsFunc ThreadExitPrintStats)
log api: convert all names to const Instead of strdupping all names w/o a need, use const ptrs.
12 years ago
{
Introduce Filedata Logger API A new logger API for registering file storage handlers. Where the FileLog handler is called once per file, this handler will be called for each data chunk so that storing the entire file is possible. The logger call in the API is as follows: typedef int (*FiledataLogger)(ThreadVars *, void *thread_data, const Packet *, const File *, const FileData *, uint8_t flags); All data is const, thus should be read only. The final flags field is used to indicate to the caller that the file is new, or if it's being closed. Files use an internal unique id 'file_id' which can be used by the loggers to create unique file names. This id can use the 'waldo' feature of the log-filestore module. This patch moves that waldo loading and storing logic to this API's implementation. A new configuration directive 'file-store-waldo: <filename>' is added, but the existing waldo settings will also continue to work.
12 years ago
OutputFiledataLogger *op = SCMalloc(sizeof(*op));
if (op == NULL)
return -1;
memset(op, 0x00, sizeof(*op));
op->LogFunc = LogFunc;
op->output_ctx = output_ctx;
log api: convert all names to const Instead of strdupping all names w/o a need, use const ptrs.
12 years ago
op->name = name;
logging: add profiling back for non-tmm loggers The loggers moved away from a TMM required a new profiling support.
9 years ago
op->logger_id = id;
logging: convert file data logging to non-thread module
9 years ago
op->ThreadInit = ThreadInit;
op->ThreadDeinit = ThreadDeinit;
op->ThreadExitPrintStats = ThreadExitPrintStats;
Introduce Filedata Logger API A new logger API for registering file storage handlers. Where the FileLog handler is called once per file, this handler will be called for each data chunk so that storing the entire file is possible. The logger call in the API is as follows: typedef int (*FiledataLogger)(ThreadVars *, void *thread_data, const Packet *, const File *, const FileData *, uint8_t flags); All data is const, thus should be read only. The final flags field is used to indicate to the caller that the file is new, or if it's being closed. Files use an internal unique id 'file_id' which can be used by the loggers to create unique file names. This id can use the 'waldo' feature of the log-filestore module. This patch moves that waldo loading and storing logic to this API's implementation. A new configuration directive 'file-store-waldo: <filename>' is added, but the existing waldo settings will also continue to work.
12 years ago
if (list == NULL)
list = op;
else {
OutputFiledataLogger *t = list;
while (t->next)
t = t->next;
t->next = op;
}
output: fix debug messages
9 years ago
SCLogDebug("OutputRegisterFiledataLogger happy");
Introduce Filedata Logger API A new logger API for registering file storage handlers. Where the FileLog handler is called once per file, this handler will be called for each data chunk so that storing the entire file is possible. The logger call in the API is as follows: typedef int (*FiledataLogger)(ThreadVars *, void *thread_data, const Packet *, const File *, const FileData *, uint8_t flags); All data is const, thus should be read only. The final flags field is used to indicate to the caller that the file is new, or if it's being closed. Files use an internal unique id 'file_id' which can be used by the loggers to create unique file names. This id can use the 'waldo' feature of the log-filestore module. This patch moves that waldo loading and storing logic to this API's implementation. A new configuration directive 'file-store-waldo: <filename>' is added, but the existing waldo settings will also continue to work.
12 years ago
return 0;
}
file-store: small cleanup
9 years ago
SC_ATOMIC_DECLARE(unsigned int, g_file_store_id);
Introduce Filedata Logger API A new logger API for registering file storage handlers. Where the FileLog handler is called once per file, this handler will be called for each data chunk so that storing the entire file is possible. The logger call in the API is as follows: typedef int (*FiledataLogger)(ThreadVars *, void *thread_data, const Packet *, const File *, const FileData *, uint8_t flags); All data is const, thus should be read only. The final flags field is used to indicate to the caller that the file is new, or if it's being closed. Files use an internal unique id 'file_id' which can be used by the loggers to create unique file names. This id can use the 'waldo' feature of the log-filestore module. This patch moves that waldo loading and storing logic to this API's implementation. A new configuration directive 'file-store-waldo: <filename>' is added, but the existing waldo settings will also continue to work.
12 years ago
output-filedata: close files even w/o data If there is no data chunk but the file is closed/truncated anyway, logging is still required.
11 years ago
static int CallLoggers(ThreadVars *tv, OutputLoggerThreadStore *store_list,
filestore: avoid open write close sequence Current file storing approach is using a open file, write data, close file logic. If this technic is fixing the problem of getting too much open files in Suricata it is not optimal. Test on a loop shows that open, write, close on a single file is two time slower than a single open, loop of write, close. This patch updates the logic by storing the fd in the File structure. This is done for a certain number of files. If this amount is exceeded then the previous logic is used. This patch also adds two counters. First is the number of currently open files. The second one is the number of time the open, write, close sequence has been used due to too much open files. In EVE, the entries are: stats {file_store: {"open_files_max_hit":0,"open_files":5}}
8 years ago
Packet *p, File *ff,
file: update logger API to log direction By adding the flow direction to the logger we can have an accurate logging of fileinfo events that has source and destination IP correctly set.
7 years ago
const uint8_t *data, uint32_t data_len, uint8_t flags, uint8_t dir)
output-filedata: close files even w/o data If there is no data chunk but the file is closed/truncated anyway, logging is still required.
11 years ago
{
OutputFiledataLogger *logger = list;
OutputLoggerThreadStore *store = store_list;
int file_logged = 0;
while (logger && store) {
output: get rid of BUG_ONs
6 years ago
DEBUG_VALIDATE_BUG_ON(logger->LogFunc == NULL);
output-filedata: close files even w/o data If there is no data chunk but the file is closed/truncated anyway, logging is still required.
11 years ago
SCLogDebug("logger %p", logger);
logging: add profiling back for non-tmm loggers The loggers moved away from a TMM required a new profiling support.
9 years ago
PACKET_PROFILING_LOGGER_START(p, logger->logger_id);
file: update logger API to log direction By adding the flow direction to the logger we can have an accurate logging of fileinfo events that has source and destination IP correctly set.
7 years ago
logger->LogFunc(tv, store->thread_data, (const Packet *)p, ff, data, data_len, flags, dir);
logging: add profiling back for non-tmm loggers The loggers moved away from a TMM required a new profiling support.
9 years ago
PACKET_PROFILING_LOGGER_END(p, logger->logger_id);
output-filedata: close files even w/o data If there is no data chunk but the file is closed/truncated anyway, logging is still required.
11 years ago
file_logged = 1;
logger = logger->next;
store = store->next;
output: get rid of BUG_ONs
6 years ago
DEBUG_VALIDATE_BUG_ON(logger == NULL && store != NULL);
DEBUG_VALIDATE_BUG_ON(logger != NULL && store == NULL);
output-filedata: close files even w/o data If there is no data chunk but the file is closed/truncated anyway, logging is still required.
11 years ago
}
return file_logged;
}
output/filedata: call loggers on both directions
8 years ago
static void OutputFiledataLogFfc(ThreadVars *tv, OutputLoggerThreadStore *store,
Packet *p, FileContainer *ffc, const uint8_t call_flags,
file: update logger API to log direction By adding the flow direction to the logger we can have an accurate logging of fileinfo events that has source and destination IP correctly set.
7 years ago
const bool file_close, const bool file_trunc, const uint8_t dir)
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard.
11 years ago
{
Introduce Filedata Logger API A new logger API for registering file storage handlers. Where the FileLog handler is called once per file, this handler will be called for each data chunk so that storing the entire file is possible. The logger call in the API is as follows: typedef int (*FiledataLogger)(ThreadVars *, void *thread_data, const Packet *, const File *, const FileData *, uint8_t flags); All data is const, thus should be read only. The final flags field is used to indicate to the caller that the file is new, or if it's being closed. Files use an internal unique id 'file_id' which can be used by the loggers to create unique file names. This id can use the 'waldo' feature of the log-filestore module. This patch moves that waldo loading and storing logic to this API's implementation. A new configuration directive 'file-store-waldo: <filename>' is added, but the existing waldo settings will also continue to work.
12 years ago
if (ffc != NULL) {
File *ff;
for (ff = ffc->head; ff != NULL; ff = ff->next) {
file: fix storing parallel files When looping available files 'flags' misuse would lead to all files being closed after the first close. This patch separates per file and per call flags.
8 years ago
uint8_t file_flags = call_flags;
magic: make optional Make libmagic optional. If installed it will be enabled by default in configure. Use --disable-libmagic to disable.
9 years ago
#ifdef HAVE_MAGIC
Introduce Filedata Logger API A new logger API for registering file storage handlers. Where the FileLog handler is called once per file, this handler will be called for each data chunk so that storing the entire file is possible. The logger call in the API is as follows: typedef int (*FiledataLogger)(ThreadVars *, void *thread_data, const Packet *, const File *, const FileData *, uint8_t flags); All data is const, thus should be read only. The final flags field is used to indicate to the caller that the file is new, or if it's being closed. Files use an internal unique id 'file_id' which can be used by the loggers to create unique file names. This id can use the 'waldo' feature of the log-filestore module. This patch moves that waldo loading and storing logic to this API's implementation. A new configuration directive 'file-store-waldo: <filename>' is added, but the existing waldo settings will also continue to work.
12 years ago
if (FileForceMagic() && ff->magic == NULL) {
FilemagicGlobalLookup(ff);
}
magic: make optional Make libmagic optional. If installed it will be enabled by default in configure. Use --disable-libmagic to disable.
9 years ago
#endif
Introduce Filedata Logger API A new logger API for registering file storage handlers. Where the FileLog handler is called once per file, this handler will be called for each data chunk so that storing the entire file is possible. The logger call in the API is as follows: typedef int (*FiledataLogger)(ThreadVars *, void *thread_data, const Packet *, const File *, const FileData *, uint8_t flags); All data is const, thus should be read only. The final flags field is used to indicate to the caller that the file is new, or if it's being closed. Files use an internal unique id 'file_id' which can be used by the loggers to create unique file names. This id can use the 'waldo' feature of the log-filestore module. This patch moves that waldo loading and storing logic to this API's implementation. A new configuration directive 'file-store-waldo: <filename>' is added, but the existing waldo settings will also continue to work.
12 years ago
SCLogDebug("ff %p", ff);
if (ff->flags & FILE_STORED) {
SCLogDebug("stored flag set");
continue;
}
if (!(ff->flags & FILE_STORE)) {
SCLogDebug("ff FILE_STORE not set");
continue;
}
output-filedata: close files even w/o data If there is no data chunk but the file is closed/truncated anyway, logging is still required.
11 years ago
/* if we have no data chunks left to log, we should still
* close the logger(s) */
util-file: introduce new functions for file size This patch introduces the FileDataSize and FileTrackedSize functions. The first one is just a renaming of the initial FilSize function whereas the other one is using the newly introduced size field as value.
9 years ago
if (FileDataSize(ff) == ff->content_stored &&
file: switch to streaming buffer API Make the file storage use the streaming buffer API. As the individual file chunks were not needed by themselves, this approach uses a chunkless implementation.
10 years ago
(file_trunc || file_close)) {
files: properly close files on flow timeout If a file transfer stops on flow timeout, it won't be closed or truncated. This patch makes sure that in such cases the files are indeed truncated. This fixes the filestore-v2 output module, as that requires a sha256 for storing the partial file correctly.
7 years ago
if (ff->state < FILE_STATE_CLOSED) {
FileCloseFilePtr(ff, NULL, 0, FILE_TRUNCATED);
}
file: update logger API to log direction By adding the flow direction to the logger we can have an accurate logging of fileinfo events that has source and destination IP correctly set.
7 years ago
CallLoggers(tv, store, p, ff, NULL, 0, OUTPUT_FILEDATA_FLAG_CLOSE, dir);
output-filedata: close files even w/o data If there is no data chunk but the file is closed/truncated anyway, logging is still required.
11 years ago
ff->flags |= FILE_STORED;
continue;
}
file: switch to streaming buffer API Make the file storage use the streaming buffer API. As the individual file chunks were not needed by themselves, this approach uses a chunkless implementation.
10 years ago
/* store */
Introduce Filedata Logger API A new logger API for registering file storage handlers. Where the FileLog handler is called once per file, this handler will be called for each data chunk so that storing the entire file is possible. The logger call in the API is as follows: typedef int (*FiledataLogger)(ThreadVars *, void *thread_data, const Packet *, const File *, const FileData *, uint8_t flags); All data is const, thus should be read only. The final flags field is used to indicate to the caller that the file is new, or if it's being closed. Files use an internal unique id 'file_id' which can be used by the loggers to create unique file names. This id can use the 'waldo' feature of the log-filestore module. This patch moves that waldo loading and storing logic to this API's implementation. A new configuration directive 'file-store-waldo: <filename>' is added, but the existing waldo settings will also continue to work.
12 years ago
output/filedata: call loggers on both directions
8 years ago
/* if file_store_id == 0, this is the first store of this file */
file: clarify file store id name
9 years ago
if (ff->file_store_id == 0) {
file: switch to streaming buffer API Make the file storage use the streaming buffer API. As the individual file chunks were not needed by themselves, this approach uses a chunkless implementation.
10 years ago
/* new file */
file-store: small cleanup
9 years ago
ff->file_store_id = SC_ATOMIC_ADD(g_file_store_id, 1);
file: fix storing parallel files When looping available files 'flags' misuse would lead to all files being closed after the first close. This patch separates per file and per call flags.
8 years ago
file_flags |= OUTPUT_FILEDATA_FLAG_OPEN;
file: switch to streaming buffer API Make the file storage use the streaming buffer API. As the individual file chunks were not needed by themselves, this approach uses a chunkless implementation.
10 years ago
} else {
/* existing file */
}
Introduce Filedata Logger API A new logger API for registering file storage handlers. Where the FileLog handler is called once per file, this handler will be called for each data chunk so that storing the entire file is possible. The logger call in the API is as follows: typedef int (*FiledataLogger)(ThreadVars *, void *thread_data, const Packet *, const File *, const FileData *, uint8_t flags); All data is const, thus should be read only. The final flags field is used to indicate to the caller that the file is new, or if it's being closed. Files use an internal unique id 'file_id' which can be used by the loggers to create unique file names. This id can use the 'waldo' feature of the log-filestore module. This patch moves that waldo loading and storing logic to this API's implementation. A new configuration directive 'file-store-waldo: <filename>' is added, but the existing waldo settings will also continue to work.
12 years ago
file: switch to streaming buffer API Make the file storage use the streaming buffer API. As the individual file chunks were not needed by themselves, this approach uses a chunkless implementation.
10 years ago
/* if file needs to be closed or truncated, inform
* loggers */
if ((file_close || file_trunc) && ff->state < FILE_STATE_CLOSED) {
files: properly close files on flow timeout If a file transfer stops on flow timeout, it won't be closed or truncated. This patch makes sure that in such cases the files are indeed truncated. This fixes the filestore-v2 output module, as that requires a sha256 for storing the partial file correctly.
7 years ago
FileCloseFilePtr(ff, NULL, 0, FILE_TRUNCATED);
file: switch to streaming buffer API Make the file storage use the streaming buffer API. As the individual file chunks were not needed by themselves, this approach uses a chunkless implementation.
10 years ago
}
Introduce Filedata Logger API A new logger API for registering file storage handlers. Where the FileLog handler is called once per file, this handler will be called for each data chunk so that storing the entire file is possible. The logger call in the API is as follows: typedef int (*FiledataLogger)(ThreadVars *, void *thread_data, const Packet *, const File *, const FileData *, uint8_t flags); All data is const, thus should be read only. The final flags field is used to indicate to the caller that the file is new, or if it's being closed. Files use an internal unique id 'file_id' which can be used by the loggers to create unique file names. This id can use the 'waldo' feature of the log-filestore module. This patch moves that waldo loading and storing logic to this API's implementation. A new configuration directive 'file-store-waldo: <filename>' is added, but the existing waldo settings will also continue to work.
12 years ago
file: switch to streaming buffer API Make the file storage use the streaming buffer API. As the individual file chunks were not needed by themselves, this approach uses a chunkless implementation.
10 years ago
/* tell the logger we're closing up */
if (ff->state >= FILE_STATE_CLOSED)
file: fix storing parallel files When looping available files 'flags' misuse would lead to all files being closed after the first close. This patch separates per file and per call flags.
8 years ago
file_flags |= OUTPUT_FILEDATA_FLAG_CLOSE;
Introduce Filedata Logger API A new logger API for registering file storage handlers. Where the FileLog handler is called once per file, this handler will be called for each data chunk so that storing the entire file is possible. The logger call in the API is as follows: typedef int (*FiledataLogger)(ThreadVars *, void *thread_data, const Packet *, const File *, const FileData *, uint8_t flags); All data is const, thus should be read only. The final flags field is used to indicate to the caller that the file is new, or if it's being closed. Files use an internal unique id 'file_id' which can be used by the loggers to create unique file names. This id can use the 'waldo' feature of the log-filestore module. This patch moves that waldo loading and storing logic to this API's implementation. A new configuration directive 'file-store-waldo: <filename>' is added, but the existing waldo settings will also continue to work.
12 years ago
file: switch to streaming buffer API Make the file storage use the streaming buffer API. As the individual file chunks were not needed by themselves, this approach uses a chunkless implementation.
10 years ago
/* do the actual logging */
const uint8_t *data = NULL;
uint32_t data_len = 0;
Introduce Filedata Logger API A new logger API for registering file storage handlers. Where the FileLog handler is called once per file, this handler will be called for each data chunk so that storing the entire file is possible. The logger call in the API is as follows: typedef int (*FiledataLogger)(ThreadVars *, void *thread_data, const Packet *, const File *, const FileData *, uint8_t flags); All data is const, thus should be read only. The final flags field is used to indicate to the caller that the file is new, or if it's being closed. Files use an internal unique id 'file_id' which can be used by the loggers to create unique file names. This id can use the 'waldo' feature of the log-filestore module. This patch moves that waldo loading and storing logic to this API's implementation. A new configuration directive 'file-store-waldo: <filename>' is added, but the existing waldo settings will also continue to work.
12 years ago
file: switch to streaming buffer API Make the file storage use the streaming buffer API. As the individual file chunks were not needed by themselves, this approach uses a chunkless implementation.
10 years ago
StreamingBufferGetDataAtOffset(ff->sb,
&data, &data_len,
ff->content_stored);
Introduce Filedata Logger API A new logger API for registering file storage handlers. Where the FileLog handler is called once per file, this handler will be called for each data chunk so that storing the entire file is possible. The logger call in the API is as follows: typedef int (*FiledataLogger)(ThreadVars *, void *thread_data, const Packet *, const File *, const FileData *, uint8_t flags); All data is const, thus should be read only. The final flags field is used to indicate to the caller that the file is new, or if it's being closed. Files use an internal unique id 'file_id' which can be used by the loggers to create unique file names. This id can use the 'waldo' feature of the log-filestore module. This patch moves that waldo loading and storing logic to this API's implementation. A new configuration directive 'file-store-waldo: <filename>' is added, but the existing waldo settings will also continue to work.
12 years ago
file: update logger API to log direction By adding the flow direction to the logger we can have an accurate logging of fileinfo events that has source and destination IP correctly set.
7 years ago
const int file_logged = CallLoggers(tv, store, p, ff, data, data_len, file_flags, dir);
file: switch to streaming buffer API Make the file storage use the streaming buffer API. As the individual file chunks were not needed by themselves, this approach uses a chunkless implementation.
10 years ago
if (file_logged) {
ff->content_stored += data_len;
Introduce Filedata Logger API A new logger API for registering file storage handlers. Where the FileLog handler is called once per file, this handler will be called for each data chunk so that storing the entire file is possible. The logger call in the API is as follows: typedef int (*FiledataLogger)(ThreadVars *, void *thread_data, const Packet *, const File *, const FileData *, uint8_t flags); All data is const, thus should be read only. The final flags field is used to indicate to the caller that the file is new, or if it's being closed. Files use an internal unique id 'file_id' which can be used by the loggers to create unique file names. This id can use the 'waldo' feature of the log-filestore module. This patch moves that waldo loading and storing logic to this API's implementation. A new configuration directive 'file-store-waldo: <filename>' is added, but the existing waldo settings will also continue to work.
12 years ago
file: switch to streaming buffer API Make the file storage use the streaming buffer API. As the individual file chunks were not needed by themselves, this approach uses a chunkless implementation.
10 years ago
/* all done */
file: fix storing parallel files When looping available files 'flags' misuse would lead to all files being closed after the first close. This patch separates per file and per call flags.
8 years ago
if (file_flags & OUTPUT_FILEDATA_FLAG_CLOSE) {
file: switch to streaming buffer API Make the file storage use the streaming buffer API. As the individual file chunks were not needed by themselves, this approach uses a chunkless implementation.
10 years ago
ff->flags |= FILE_STORED;
Introduce Filedata Logger API A new logger API for registering file storage handlers. Where the FileLog handler is called once per file, this handler will be called for each data chunk so that storing the entire file is possible. The logger call in the API is as follows: typedef int (*FiledataLogger)(ThreadVars *, void *thread_data, const Packet *, const File *, const FileData *, uint8_t flags); All data is const, thus should be read only. The final flags field is used to indicate to the caller that the file is new, or if it's being closed. Files use an internal unique id 'file_id' which can be used by the loggers to create unique file names. This id can use the 'waldo' feature of the log-filestore module. This patch moves that waldo loading and storing logic to this API's implementation. A new configuration directive 'file-store-waldo: <filename>' is added, but the existing waldo settings will also continue to work.
12 years ago
}
}
}
}
output/filedata: call loggers on both directions
8 years ago
}
static TmEcode OutputFiledataLog(ThreadVars *tv, Packet *p, void *thread_data)
{
output: get rid of BUG_ONs
6 years ago
DEBUG_VALIDATE_BUG_ON(thread_data == NULL);
output/filedata: call loggers on both directions
8 years ago
if (list == NULL) {
/* No child loggers. */
return TM_ECODE_OK;
}
OutputLoggerThreadData *op_thread_data = (OutputLoggerThreadData *)thread_data;
OutputLoggerThreadStore *store = op_thread_data->store;
/* no flow, no files */
Flow * const f = p->flow;
if (f == NULL || f->alstate == NULL) {
SCReturnInt(TM_ECODE_OK);
}
const bool file_close_ts = ((p->flags & PKT_PSEUDO_STREAM_END) &&
(p->flowflags & FLOW_PKT_TOSERVER));
const bool file_close_tc = ((p->flags & PKT_PSEUDO_STREAM_END) &&
(p->flowflags & FLOW_PKT_TOCLIENT));
const bool file_trunc = StreamTcpReassembleDepthReached(p);
app-layer/files: optimize GetFiles calls Remove FlowGetProtoMapping calls from the GetFiles wrapper and get the alstate from the flow directly.
6 years ago
FileContainer *ffc_ts = AppLayerParserGetFiles(f, STREAM_TOSERVER);
FileContainer *ffc_tc = AppLayerParserGetFiles(f, STREAM_TOCLIENT);
output/filedata: call loggers on both directions
8 years ago
SCLogDebug("ffc_ts %p", ffc_ts);
file: update logger API to log direction By adding the flow direction to the logger we can have an accurate logging of fileinfo events that has source and destination IP correctly set.
7 years ago
OutputFiledataLogFfc(tv, store, p, ffc_ts, STREAM_TOSERVER, file_close_ts, file_trunc, STREAM_TOSERVER);
output/filedata: call loggers on both directions
8 years ago
SCLogDebug("ffc_tc %p", ffc_tc);
file: update logger API to log direction By adding the flow direction to the logger we can have an accurate logging of fileinfo events that has source and destination IP correctly set.
7 years ago
OutputFiledataLogFfc(tv, store, p, ffc_tc, STREAM_TOCLIENT, file_close_tc, file_trunc, STREAM_TOCLIENT);
Introduce Filedata Logger API A new logger API for registering file storage handlers. Where the FileLog handler is called once per file, this handler will be called for each data chunk so that storing the entire file is possible. The logger call in the API is as follows: typedef int (*FiledataLogger)(ThreadVars *, void *thread_data, const Packet *, const File *, const FileData *, uint8_t flags); All data is const, thus should be read only. The final flags field is used to indicate to the caller that the file is new, or if it's being closed. Files use an internal unique id 'file_id' which can be used by the loggers to create unique file names. This id can use the 'waldo' feature of the log-filestore module. This patch moves that waldo loading and storing logic to this API's implementation. A new configuration directive 'file-store-waldo: <filename>' is added, but the existing waldo settings will also continue to work.
12 years ago
return TM_ECODE_OK;
}
/**
* \internal
*
* \brief Open the waldo file (if available) and load the file_id
*
* \param path full path for the waldo file
*/
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard.
11 years ago
static void LogFiledataLogLoadWaldo(const char *path)
{
Introduce Filedata Logger API A new logger API for registering file storage handlers. Where the FileLog handler is called once per file, this handler will be called for each data chunk so that storing the entire file is possible. The logger call in the API is as follows: typedef int (*FiledataLogger)(ThreadVars *, void *thread_data, const Packet *, const File *, const FileData *, uint8_t flags); All data is const, thus should be read only. The final flags field is used to indicate to the caller that the file is new, or if it's being closed. Files use an internal unique id 'file_id' which can be used by the loggers to create unique file names. This id can use the 'waldo' feature of the log-filestore module. This patch moves that waldo loading and storing logic to this API's implementation. A new configuration directive 'file-store-waldo: <filename>' is added, but the existing waldo settings will also continue to work.
12 years ago
char line[16] = "";
unsigned int id = 0;
FILE *fp = fopen(path, "r");
if (fp == NULL) {
SCLogInfo("couldn't open waldo: %s", strerror(errno));
SCReturn;
}
if (fgets(line, (int)sizeof(line), fp) != NULL) {
if (sscanf(line, "%10u", &id) == 1) {
SCLogInfo("id %u", id);
atomics: change SC_ATOMIC_ADD to 'fetch_add' Until this point the SC_ATOMIC_ADD macro pointed to a 'add_fetch' intrinsic. This patch changes it to a 'fetch_add'. There are 2 reasons for this: 1. C11 stdatomics.h has only 'atomic_fetch_add' and no 'add_fetch' So this patch prepares for adding support for C11 atomics. 2. It was not consistent with SC_ATOMIC_SUB, which did use 'fetch_sub' and not 'sub_fetch'. Most callers are not using the return value, so these are unaffected. The callers that do use the return value are updated.
5 years ago
SC_ATOMIC_SET(g_file_store_id, id);
Introduce Filedata Logger API A new logger API for registering file storage handlers. Where the FileLog handler is called once per file, this handler will be called for each data chunk so that storing the entire file is possible. The logger call in the API is as follows: typedef int (*FiledataLogger)(ThreadVars *, void *thread_data, const Packet *, const File *, const FileData *, uint8_t flags); All data is const, thus should be read only. The final flags field is used to indicate to the caller that the file is new, or if it's being closed. Files use an internal unique id 'file_id' which can be used by the loggers to create unique file names. This id can use the 'waldo' feature of the log-filestore module. This patch moves that waldo loading and storing logic to this API's implementation. A new configuration directive 'file-store-waldo: <filename>' is added, but the existing waldo settings will also continue to work.
12 years ago
}
}
fclose(fp);
}
/**
* \internal
*
* \brief Store the waldo file based on the file_id
*
* \param path full path for the waldo file
*/
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard.
11 years ago
static void LogFiledataLogStoreWaldo(const char *path)
{
Introduce Filedata Logger API A new logger API for registering file storage handlers. Where the FileLog handler is called once per file, this handler will be called for each data chunk so that storing the entire file is possible. The logger call in the API is as follows: typedef int (*FiledataLogger)(ThreadVars *, void *thread_data, const Packet *, const File *, const FileData *, uint8_t flags); All data is const, thus should be read only. The final flags field is used to indicate to the caller that the file is new, or if it's being closed. Files use an internal unique id 'file_id' which can be used by the loggers to create unique file names. This id can use the 'waldo' feature of the log-filestore module. This patch moves that waldo loading and storing logic to this API's implementation. A new configuration directive 'file-store-waldo: <filename>' is added, but the existing waldo settings will also continue to work.
12 years ago
char line[16] = "";
atomics: change SC_ATOMIC_ADD to 'fetch_add' Until this point the SC_ATOMIC_ADD macro pointed to a 'add_fetch' intrinsic. This patch changes it to a 'fetch_add'. There are 2 reasons for this: 1. C11 stdatomics.h has only 'atomic_fetch_add' and no 'add_fetch' So this patch prepares for adding support for C11 atomics. 2. It was not consistent with SC_ATOMIC_SUB, which did use 'fetch_sub' and not 'sub_fetch'. Most callers are not using the return value, so these are unaffected. The callers that do use the return value are updated.
5 years ago
if (SC_ATOMIC_GET(g_file_store_id) == 1) {
Introduce Filedata Logger API A new logger API for registering file storage handlers. Where the FileLog handler is called once per file, this handler will be called for each data chunk so that storing the entire file is possible. The logger call in the API is as follows: typedef int (*FiledataLogger)(ThreadVars *, void *thread_data, const Packet *, const File *, const FileData *, uint8_t flags); All data is const, thus should be read only. The final flags field is used to indicate to the caller that the file is new, or if it's being closed. Files use an internal unique id 'file_id' which can be used by the loggers to create unique file names. This id can use the 'waldo' feature of the log-filestore module. This patch moves that waldo loading and storing logic to this API's implementation. A new configuration directive 'file-store-waldo: <filename>' is added, but the existing waldo settings will also continue to work.
12 years ago
SCReturn;
}
FILE *fp = fopen(path, "w");
if (fp == NULL) {
SCLogInfo("couldn't open waldo: %s", strerror(errno));
SCReturn;
}
file-store: small cleanup
9 years ago
snprintf(line, sizeof(line), "%u\n", SC_ATOMIC_GET(g_file_store_id));
Introduce Filedata Logger API A new logger API for registering file storage handlers. Where the FileLog handler is called once per file, this handler will be called for each data chunk so that storing the entire file is possible. The logger call in the API is as follows: typedef int (*FiledataLogger)(ThreadVars *, void *thread_data, const Packet *, const File *, const FileData *, uint8_t flags); All data is const, thus should be read only. The final flags field is used to indicate to the caller that the file is new, or if it's being closed. Files use an internal unique id 'file_id' which can be used by the loggers to create unique file names. This id can use the 'waldo' feature of the log-filestore module. This patch moves that waldo loading and storing logic to this API's implementation. A new configuration directive 'file-store-waldo: <filename>' is added, but the existing waldo settings will also continue to work.
12 years ago
if (fwrite(line, strlen(line), 1, fp) != 1) {
SCLogError(SC_ERR_FWRITE, "fwrite failed: %s", strerror(errno));
}
fclose(fp);
}
/** \brief thread init for the tx logger
* This will run the thread init functions for the individual registered
* loggers */
compiler: more strict compiler warnings Set flags by default: -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wwrite-strings -Wcast-align -Wbad-function-cast -Wformat-security -Wno-format-nonliteral -Wmissing-format-attribute -funsigned-char Fix minor compiler warnings for these new flags on gcc and clang.
8 years ago
static TmEcode OutputFiledataLogThreadInit(ThreadVars *tv, const void *initdata, void **data)
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard.
11 years ago
{
Introduce Filedata Logger API A new logger API for registering file storage handlers. Where the FileLog handler is called once per file, this handler will be called for each data chunk so that storing the entire file is possible. The logger call in the API is as follows: typedef int (*FiledataLogger)(ThreadVars *, void *thread_data, const Packet *, const File *, const FileData *, uint8_t flags); All data is const, thus should be read only. The final flags field is used to indicate to the caller that the file is new, or if it's being closed. Files use an internal unique id 'file_id' which can be used by the loggers to create unique file names. This id can use the 'waldo' feature of the log-filestore module. This patch moves that waldo loading and storing logic to this API's implementation. A new configuration directive 'file-store-waldo: <filename>' is added, but the existing waldo settings will also continue to work.
12 years ago
OutputLoggerThreadData *td = SCMalloc(sizeof(*td));
if (td == NULL)
return TM_ECODE_FAILED;
memset(td, 0x00, sizeof(*td));
*data = (void *)td;
SCLogDebug("OutputFiledataLogThreadInit happy (*data %p)", *data);
OutputFiledataLogger *logger = list;
while (logger) {
logging: convert file data logging to non-thread module
9 years ago
if (logger->ThreadInit) {
Introduce Filedata Logger API A new logger API for registering file storage handlers. Where the FileLog handler is called once per file, this handler will be called for each data chunk so that storing the entire file is possible. The logger call in the API is as follows: typedef int (*FiledataLogger)(ThreadVars *, void *thread_data, const Packet *, const File *, const FileData *, uint8_t flags); All data is const, thus should be read only. The final flags field is used to indicate to the caller that the file is new, or if it's being closed. Files use an internal unique id 'file_id' which can be used by the loggers to create unique file names. This id can use the 'waldo' feature of the log-filestore module. This patch moves that waldo loading and storing logic to this API's implementation. A new configuration directive 'file-store-waldo: <filename>' is added, but the existing waldo settings will also continue to work.
12 years ago
void *retptr = NULL;
logging: convert file data logging to non-thread module
9 years ago
if (logger->ThreadInit(tv, (void *)logger->output_ctx, &retptr) == TM_ECODE_OK) {
Introduce Filedata Logger API A new logger API for registering file storage handlers. Where the FileLog handler is called once per file, this handler will be called for each data chunk so that storing the entire file is possible. The logger call in the API is as follows: typedef int (*FiledataLogger)(ThreadVars *, void *thread_data, const Packet *, const File *, const FileData *, uint8_t flags); All data is const, thus should be read only. The final flags field is used to indicate to the caller that the file is new, or if it's being closed. Files use an internal unique id 'file_id' which can be used by the loggers to create unique file names. This id can use the 'waldo' feature of the log-filestore module. This patch moves that waldo loading and storing logic to this API's implementation. A new configuration directive 'file-store-waldo: <filename>' is added, but the existing waldo settings will also continue to work.
12 years ago
OutputLoggerThreadStore *ts = SCMalloc(sizeof(*ts));
/* todo */ BUG_ON(ts == NULL);
memset(ts, 0x00, sizeof(*ts));
/* store thread handle */
ts->thread_data = retptr;
if (td->store == NULL) {
td->store = ts;
} else {
OutputLoggerThreadStore *tmp = td->store;
while (tmp->next != NULL)
tmp = tmp->next;
tmp->next = ts;
}
SCLogDebug("%s is now set up", logger->name);
}
}
logger = logger->next;
}
SCMutexLock(&g_waldo_mutex);
if (g_waldo_init == 0) {
ConfNode *node = ConfGetNode("file-store-waldo");
if (node == NULL) {
ConfNode *outputs = ConfGetNode("outputs");
if (outputs) {
ConfNode *output;
TAILQ_FOREACH(output, &outputs->head, next) {
/* we only care about file and file-store */
if (!(strcmp(output->val, "file") == 0 || strcmp(output->val, "file-store") == 0))
continue;
ConfNode *file = ConfNodeLookupChild(output, output->val);
BUG_ON(file == NULL);
if (file == NULL) {
SCLogDebug("file-store failed, lets try 'file'");
file = ConfNodeLookupChild(outputs, "file");
if (file == NULL)
SCLogDebug("file failed as well, giving up");
}
if (file != NULL) {
node = ConfNodeLookupChild(file, "waldo");
if (node == NULL)
SCLogDebug("no waldo node");
}
}
}
}
if (node != NULL) {
compiler: more strict compiler warnings Set flags by default: -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wwrite-strings -Wcast-align -Wbad-function-cast -Wformat-security -Wno-format-nonliteral -Wmissing-format-attribute -funsigned-char Fix minor compiler warnings for these new flags on gcc and clang.
8 years ago
const char *s_default_log_dir = NULL;
Introduce Filedata Logger API A new logger API for registering file storage handlers. Where the FileLog handler is called once per file, this handler will be called for each data chunk so that storing the entire file is possible. The logger call in the API is as follows: typedef int (*FiledataLogger)(ThreadVars *, void *thread_data, const Packet *, const File *, const FileData *, uint8_t flags); All data is const, thus should be read only. The final flags field is used to indicate to the caller that the file is new, or if it's being closed. Files use an internal unique id 'file_id' which can be used by the loggers to create unique file names. This id can use the 'waldo' feature of the log-filestore module. This patch moves that waldo loading and storing logic to this API's implementation. A new configuration directive 'file-store-waldo: <filename>' is added, but the existing waldo settings will also continue to work.
12 years ago
s_default_log_dir = ConfigGetLogDirectory();
const char *waldo = node->val;
SCLogDebug("loading waldo %s", waldo);
if (waldo != NULL && strlen(waldo) > 0) {
if (PathIsAbsolute(waldo)) {
snprintf(g_waldo, sizeof(g_waldo), "%s", waldo);
} else {
snprintf(g_waldo, sizeof(g_waldo), "%s/%s", s_default_log_dir, waldo);
}
SCLogDebug("loading waldo file %s", g_waldo);
LogFiledataLogLoadWaldo(g_waldo);
}
}
g_waldo_init = 1;
}
SCMutexUnlock(&g_waldo_mutex);
return TM_ECODE_OK;
}
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard.
11 years ago
static TmEcode OutputFiledataLogThreadDeinit(ThreadVars *tv, void *thread_data)
{
Introduce Filedata Logger API A new logger API for registering file storage handlers. Where the FileLog handler is called once per file, this handler will be called for each data chunk so that storing the entire file is possible. The logger call in the API is as follows: typedef int (*FiledataLogger)(ThreadVars *, void *thread_data, const Packet *, const File *, const FileData *, uint8_t flags); All data is const, thus should be read only. The final flags field is used to indicate to the caller that the file is new, or if it's being closed. Files use an internal unique id 'file_id' which can be used by the loggers to create unique file names. This id can use the 'waldo' feature of the log-filestore module. This patch moves that waldo loading and storing logic to this API's implementation. A new configuration directive 'file-store-waldo: <filename>' is added, but the existing waldo settings will also continue to work.
12 years ago
OutputLoggerThreadData *op_thread_data = (OutputLoggerThreadData *)thread_data;
OutputLoggerThreadStore *store = op_thread_data->store;
OutputFiledataLogger *logger = list;
while (logger && store) {
logging: convert file data logging to non-thread module
9 years ago
if (logger->ThreadDeinit) {
logger->ThreadDeinit(tv, store->thread_data);
Introduce Filedata Logger API A new logger API for registering file storage handlers. Where the FileLog handler is called once per file, this handler will be called for each data chunk so that storing the entire file is possible. The logger call in the API is as follows: typedef int (*FiledataLogger)(ThreadVars *, void *thread_data, const Packet *, const File *, const FileData *, uint8_t flags); All data is const, thus should be read only. The final flags field is used to indicate to the caller that the file is new, or if it's being closed. Files use an internal unique id 'file_id' which can be used by the loggers to create unique file names. This id can use the 'waldo' feature of the log-filestore module. This patch moves that waldo loading and storing logic to this API's implementation. A new configuration directive 'file-store-waldo: <filename>' is added, but the existing waldo settings will also continue to work.
12 years ago
}
output api: complete shutdown functions Add missing function for Filedata API. Clean up list in all functions.
11 years ago
OutputLoggerThreadStore *next_store = store->next;
SCFree(store);
store = next_store;
Introduce Filedata Logger API A new logger API for registering file storage handlers. Where the FileLog handler is called once per file, this handler will be called for each data chunk so that storing the entire file is possible. The logger call in the API is as follows: typedef int (*FiledataLogger)(ThreadVars *, void *thread_data, const Packet *, const File *, const FileData *, uint8_t flags); All data is const, thus should be read only. The final flags field is used to indicate to the caller that the file is new, or if it's being closed. Files use an internal unique id 'file_id' which can be used by the loggers to create unique file names. This id can use the 'waldo' feature of the log-filestore module. This patch moves that waldo loading and storing logic to this API's implementation. A new configuration directive 'file-store-waldo: <filename>' is added, but the existing waldo settings will also continue to work.
12 years ago
logger = logger->next;
}
SCMutexLock(&g_waldo_mutex);
if (g_waldo_deinit == 0) {
if (strlen(g_waldo) > 0) {
SCLogDebug("we have a waldo at %s", g_waldo);
LogFiledataLogStoreWaldo(g_waldo);
}
g_waldo_deinit = 1;
}
SCMutexUnlock(&g_waldo_mutex);
output-filedata: fix memleak This fixes: Direct leak of 31792 byte(s) in 3974 object(s) allocated from: #0 0x4c396b in malloc (/opt/suricata-asan/bin/suricata+0x4c396b) #1 0xd86ce2 in OutputFiledataLogThreadInit /home/pmanev/sandnet-qa/stage/oisf/src/output-filedata.c:308:34 #2 0x106c255 in TmThreadsSlotPktAcqLoop /home/pmanev/sandnet-qa/stage/oisf/src/tm-threads.c:295:17 #3 0x7fbc9fcb3181 in start_thread /build/eglibc-3GlaMS/eglibc-2.19/nptl/pthread_create.c:312
10 years ago
SCFree(op_thread_data);
Introduce Filedata Logger API A new logger API for registering file storage handlers. Where the FileLog handler is called once per file, this handler will be called for each data chunk so that storing the entire file is possible. The logger call in the API is as follows: typedef int (*FiledataLogger)(ThreadVars *, void *thread_data, const Packet *, const File *, const FileData *, uint8_t flags); All data is const, thus should be read only. The final flags field is used to indicate to the caller that the file is new, or if it's being closed. Files use an internal unique id 'file_id' which can be used by the loggers to create unique file names. This id can use the 'waldo' feature of the log-filestore module. This patch moves that waldo loading and storing logic to this API's implementation. A new configuration directive 'file-store-waldo: <filename>' is added, but the existing waldo settings will also continue to work.
12 years ago
return TM_ECODE_OK;
}
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard.
11 years ago
static void OutputFiledataLogExitPrintStats(ThreadVars *tv, void *thread_data)
{
Introduce Filedata Logger API A new logger API for registering file storage handlers. Where the FileLog handler is called once per file, this handler will be called for each data chunk so that storing the entire file is possible. The logger call in the API is as follows: typedef int (*FiledataLogger)(ThreadVars *, void *thread_data, const Packet *, const File *, const FileData *, uint8_t flags); All data is const, thus should be read only. The final flags field is used to indicate to the caller that the file is new, or if it's being closed. Files use an internal unique id 'file_id' which can be used by the loggers to create unique file names. This id can use the 'waldo' feature of the log-filestore module. This patch moves that waldo loading and storing logic to this API's implementation. A new configuration directive 'file-store-waldo: <filename>' is added, but the existing waldo settings will also continue to work.
12 years ago
OutputLoggerThreadData *op_thread_data = (OutputLoggerThreadData *)thread_data;
OutputLoggerThreadStore *store = op_thread_data->store;
OutputFiledataLogger *logger = list;
while (logger && store) {
logging: convert file data logging to non-thread module
9 years ago
if (logger->ThreadExitPrintStats) {
logger->ThreadExitPrintStats(tv, store->thread_data);
Introduce Filedata Logger API A new logger API for registering file storage handlers. Where the FileLog handler is called once per file, this handler will be called for each data chunk so that storing the entire file is possible. The logger call in the API is as follows: typedef int (*FiledataLogger)(ThreadVars *, void *thread_data, const Packet *, const File *, const FileData *, uint8_t flags); All data is const, thus should be read only. The final flags field is used to indicate to the caller that the file is new, or if it's being closed. Files use an internal unique id 'file_id' which can be used by the loggers to create unique file names. This id can use the 'waldo' feature of the log-filestore module. This patch moves that waldo loading and storing logic to this API's implementation. A new configuration directive 'file-store-waldo: <filename>' is added, but the existing waldo settings will also continue to work.
12 years ago
}
logger = logger->next;
store = store->next;
}
}
output: optimize root logging loop Instead of unconditionally looping all the 'root' loggers, loop only those that are in use. Root loggers are: packet, tx, file, filedata, streaming.
6 years ago
static uint32_t OutputFiledataLoggerGetActiveCount(void)
{
uint32_t cnt = 0;
for (OutputFiledataLogger *p = list; p != NULL; p = p->next) {
cnt++;
}
return cnt;
}
logging: rename registration functions to not have tmm As the logging modules are no longer threading modules, rename them so they don't look like they are being registered as threading modules. Also, move the registration to the output.c which will handle registration of the loggers.
9 years ago
void OutputFiledataLoggerRegister(void)
Enforce function coding standard Functions should be defined as: int foo(void) { } Rather than: int food(void) { } All functions where changed by a script to match this standard.
11 years ago
{
logging: use a single entry point for all loggers Introduces a new thread module, TMM_LOGGER, which is the root most logger. Only handles loggers in the packet path, stats and flow logging are not included. The loggers are made up of a hierarchy of loggers. At the top we have the root logger which is the main entry point to logging. Under the root there exists parent loggers that are the entry point for specific types of loggers such as packet logger, transaction loggers, etc. Each parent logger may have 0 or more loggers that actual handle the job of producing output to something like a file.
9 years ago
OutputRegisterRootLogger(OutputFiledataLogThreadInit,
OutputFiledataLogThreadDeinit, OutputFiledataLogExitPrintStats,
output: optimize root logging loop Instead of unconditionally looping all the 'root' loggers, loop only those that are in use. Root loggers are: packet, tx, file, filedata, streaming.
6 years ago
OutputFiledataLog, OutputFiledataLoggerGetActiveCount);
file-store: small cleanup
9 years ago
SC_ATOMIC_INIT(g_file_store_id);
atomics: change SC_ATOMIC_ADD to 'fetch_add' Until this point the SC_ATOMIC_ADD macro pointed to a 'add_fetch' intrinsic. This patch changes it to a 'fetch_add'. There are 2 reasons for this: 1. C11 stdatomics.h has only 'atomic_fetch_add' and no 'add_fetch' So this patch prepares for adding support for C11 atomics. 2. It was not consistent with SC_ATOMIC_SUB, which did use 'fetch_sub' and not 'sub_fetch'. Most callers are not using the return value, so these are unaffected. The callers that do use the return value are updated.
5 years ago
SC_ATOMIC_SET(g_file_store_id, 1);
Introduce Filedata Logger API A new logger API for registering file storage handlers. Where the FileLog handler is called once per file, this handler will be called for each data chunk so that storing the entire file is possible. The logger call in the API is as follows: typedef int (*FiledataLogger)(ThreadVars *, void *thread_data, const Packet *, const File *, const FileData *, uint8_t flags); All data is const, thus should be read only. The final flags field is used to indicate to the caller that the file is new, or if it's being closed. Files use an internal unique id 'file_id' which can be used by the loggers to create unique file names. This id can use the 'waldo' feature of the log-filestore module. This patch moves that waldo loading and storing logic to this API's implementation. A new configuration directive 'file-store-waldo: <filename>' is added, but the existing waldo settings will also continue to work.
12 years ago
}
output api: complete shutdown functions Add missing function for Filedata API. Clean up list in all functions.
11 years ago
void OutputFiledataShutdown(void)
{
OutputFiledataLogger *logger = list;
while (logger) {
OutputFiledataLogger *next_logger = logger->next;
SCFree(logger);
logger = next_logger;
}
list = NULL;
}