From 2c6dd6b8fa277ed1ca831699d99f0f0ce429a72b Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Tue, 30 Mar 2010 14:14:59 -0700
Subject: [PATCH] Be compatible with Snort.

Stick with a 32 bit style of timeval for the unified outputs.
---
 src/alert-unified-alert.c | 25 ++++---------------------
 src/alert-unified-log.c | 30 ++++--------------------------
 src/util-time.h | 10 ++++++++++
 3 files changed, 18 insertions(+), 47 deletions(-)

diff --git a/src/alert-unified-alert.c b/src/alert-unified-alert.c
index 80f4a6dbfc..437f18a34b 100644
--- a/src/alert-unified-alert.c
+++ b/src/alert-unified-alert.c
@@ -9,14 +9,7 @@
  * - inspect error messages for threadsafety
  * - inspect gettimeofday for threadsafely
  * - implement configuration
- *
- * Notes: barnyard-0.2.0 read "struct timeval" instead of
- * struct timeval32 like snort, this means that on 64 bit arch, the log entries
- * wont have the same length. To be sure to add compatibility for barnyard
- * and other parsers, theres a macro available for 64 bit barnyard compatibility
- * But if you want real snort compatibility, don't use that macro
  */
-#define BARNYARD_64_COMPAT 1
 #include "suricata-common.h"
 #include "debug.h"
@@ -90,19 +83,9 @@ typedef struct AlertUnifiedAlertPacketHeader_ {
 uint32_t sig_prio;
 uint32_t pad1; /* Snort's event_id */
 uint32_t pad2; /* Snort's event_reference */
-#ifdef BARNYARD_64_COMPAT
- uint64_t tv_sec1; /* from Snort's struct pcap_timeval in Event */
- uint64_t tv_usec1; /* from Snort's struct pcap_timeval in Event */
- uint64_t tv_sec2; /* from Snort's struct pcap_timeval */
- uint64_t tv_usec2; /* from Snort's struct pcap_timeval */
-#else
- uint32_t tv_sec1; /* from Snort's struct pcap_timeval in Event */
- uint32_t tv_usec1; /* from Snort's struct pcap_timeval in Event */
- uint32_t tv_sec2; /* from Snort's struct pcap_timeval */
- uint32_t tv_usec2; /* from Snort's struct pcap_timeval */
-#endif
+ struct sc_timeval32 ref_ts; /* Reference timestamp. */
+ struct sc_timeval32 ts; /* Timestamp. */
 uint32_t src_ip;
-
 uint32_t dst_ip;
 uint16_t sp;
 uint16_t dp;
@@ -193,8 +176,8 @@ TmEcode AlertUnifiedAlert (ThreadVars *tv, Packet *p, void *data, PacketQueue *p
 /* fill the hdr structure with the data of the packet */
 hdr.pad1 = 0;
 hdr.pad2 = 0;
- hdr.tv_sec1 = hdr.tv_sec2 = p->ts.tv_sec;
- hdr.tv_usec1 = hdr.tv_usec2 = p->ts.tv_usec;
+ hdr.ts.tv_sec = hdr.ref_ts.tv_sec = p->ts.tv_sec;
+ hdr.ts.tv_usec = hdr.ref_ts.tv_usec = p->ts.tv_sec;
 hdr.src_ip = GET_IPV4_SRC_ADDR_U32(p);
 hdr.dst_ip = GET_IPV4_DST_ADDR_U32(p);
 hdr.sp = p->sp;
diff --git a/src/alert-unified-log.c b/src/alert-unified-log.c
index 227b98c59f..830fe9179c 100644
--- a/src/alert-unified-log.c
+++ b/src/alert-unified-log.c
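Review bot: The microsecond fields are filled from the wrong member on the last added line of the AlertUnifiedAlert hunk: `hdr.ts.tv_usec = hdr.ref_ts.tv_usec = p->ts.tv_sec;` copies the seconds value, so every unified alert record is written with its tv_sec repeated in tv_usec; the line it replaces, and the matching hunk in alert-unified-log.c, both read `p->ts.tv_usec`. It should be `hdr.ts.tv_usec = hdr.ref_ts.tv_usec = p->ts.tv_usec;`. The seconds assignment on the line above also narrows `p->ts.tv_sec` into the 32-bit field implicitly; since that truncation is the point of the commit, spelling it as `(uint32_t)p->ts.tv_sec` documents it and keeps conversion warnings quiet. The body of AlertUnifiedAlert starts and ends outside this hunk.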
@@ -9,15 +9,7 @@
  * - inspect error messages for threadsafety
  * - inspect gettimeofday for threadsafely
  * - implement configuration
- *
- * Notes: barnyard-0.2.0 read "struct timeval" instead of
- * struct timeval32 like snort, this means that on 64 bit arch, the log entries
- * wont have the same length. To be sure to add compatibility for barnyard
- * and other parsers, theres a macro available for 64 bit barnyard compatibility
- * But if you want real snort compatibility, don't use that macro
  */
-#define BARNYARD_64_COMPAT 1
-
 #include
 #include "suricata-common.h"
@@ -94,27 +86,13 @@ typedef struct AlertUnifiedLogPacketHeader_ {
 uint32_t sig_prio;
 uint32_t pad1; /* Snort's event_id */
 uint32_t pad2; /* Snort's event_reference */
-#ifdef BARNYARD_64_COMPAT
- uint64_t tv_sec1; /* from Snort's struct pcap_timeval in Event */
- uint64_t tv_usec1; /* from Snort's struct pcap_timeval in Event */
-
- /* 32 bit unsigned flags */
- uint32_t pktflags;
-
- /* Snort's 'SnortPktHeader' structure */
- uint64_t tv_sec2; /* from Snort's struct pcap_timeval */
- uint64_t tv_usec2; /* from Snort's struct pcap_timeval */
-#else
- uint32_t tv_sec1; /* from Snort's struct pcap_timeval in Event */
- uint32_t tv_usec1; /* from Snort's struct pcap_timeval in Event */
+ struct sc_timeval32 ref_tv;
 /* 32 bit unsigned flags */
 uint32_t pktflags;
 /* Snort's 'SnortPktHeader' structure */
- uint32_t tv_sec2; /* from Snort's struct pcap_timeval */
- uint32_t tv_usec2; /* from Snort's struct pcap_timeval */
-#endif
+ struct sc_timeval32 tv;
 uint32_t caplen;
 uint32_t pktlen;
 } AlertUnifiedLogPacketHeader;
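Review bot: The two timestamp fields added to AlertUnifiedLogPacketHeader are uncommented and named `ref_tv`/`tv`, while the same pair in alert-unified-alert.c in this commit is `ref_ts`/`ts` with `/* Reference timestamp. */` and `/* Timestamp. */` comments; the removed lines here also carried per-field notes ("from Snort's struct pcap_timeval in Event", "from Snort's struct pcap_timeval") that the replacement drops. Using one naming scheme in both headers and restoring the provenance comments, e.g. `struct sc_timeval32 ref_tv; /* Reference timestamp, Snort's pcap_timeval in Event. */` and `struct sc_timeval32 tv; /* Packet timestamp, Snort's SnortPktHeader pcap_timeval. */`, keeps the on-disk layout readable for whoever next has to match it against Snort or barnyard. The typedef's opening line is outside this hunk.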
@@ -192,8 +170,8 @@ TmEcode AlertUnifiedLog (ThreadVars *tv, Packet *p, void *data, PacketQueue *pq)
 /* fill the hdr structure with the data of the packet */
 hdr.pad1 = 0;
 hdr.pad2 = 0;
- hdr.tv_sec1 = hdr.tv_sec2 = p->ts.tv_sec;
- hdr.tv_usec1 = hdr.tv_usec2 = p->ts.tv_usec;
+ hdr.tv.tv_sec = hdr.ref_tv.tv_sec = p->ts.tv_sec;
+ hdr.tv.tv_usec = hdr.ref_tv.tv_usec = p->ts.tv_usec;
 hdr.pktflags = 0; /* XXX */
 hdr.pktlen = hdr.caplen = p->pktlen + ethh_offset;
diff --git a/src/util-time.h b/src/util-time.h
index 5597e700e2..664bc70e82 100644
--- a/src/util-time.h
+++ b/src/util-time.h
@@ -1,6 +1,16 @@
 #ifndef __UTIL_TIME_H__
 #define __UTIL_TIME_H__
+/**
+ * A timeval with 32 bit fields.
+ *
+ * Used by the unified on disk file format.
+ */
+struct sc_timeval32 {
+ uint32_t tv_sec;
+ uint32_t tv_usec;
+};
+
 void TimeSet(struct timeval *);
 void TimeGet(struct timeval *);
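Review bot: The two added assignments in AlertUnifiedLog narrow `p->ts.tv_sec` and `p->ts.tv_usec` into the new 32-bit fields without a cast, so nothing in the code says the truncation is intended rather than accidental (the type of `p->ts` is not visible here, but the 64-bit branch being removed suggests it is wider than 32 bits on at least some builds). Writing `hdr.tv.tv_sec = hdr.ref_tv.tv_sec = (uint32_t)p->ts.tv_sec;` and the same for `tv_usec`, with a one-line comment that the unified format is 32-bit by Snort's definition, makes the intent explicit and keeps -Wconversion clean. The body of AlertUnifiedLog starts and ends outside this hunk.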
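Review bot: `struct sc_timeval32` uses `uint32_t` but util-time.h, as far as this hunk shows, does not include `<stdint.h>`, so the header only compiles when every includer has pulled that in first; adding `#include <stdint.h>` right after the include guard removes that ordering dependency (unless the project convention is that suricata-common.h is always included first, in which case a comment saying so would do). The struct comment could also say what the name alone does not: that both fields are unsigned, that `tv_sec` receives a `time_t` truncated to 32 bits, and that the layout must stay two packed 32-bit words because it is written to disk as-is, e.g. `/* Both fields unsigned 32-bit; tv_sec is a truncated time_t. Layout is part of the unified file format, do not reorder or widen. */`.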