From 2e2e80b8127589704ab6c5e81ffa8780b0ecbf47 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Fri, 21 Oct 2011 19:00:16 +0200
Subject: [PATCH] Add packet alert flag to indicate a match happened (partly) in the app layer state. Make unified2 use this flag.
---
 src/alert-unified2-alert.c | 18 +++++++++++-------
 src/decode.h | 9 ++++++---
 src/detect.c | 12 ++++++------
 3 files changed, 23 insertions(+), 16 deletions(-)
diff --git a/src/alert-unified2-alert.c b/src/alert-unified2-alert.c
index 89a0500547..2c5bd05973 100644
--- a/src/alert-unified2-alert.c
+++ b/src/alert-unified2-alert.c
@@ -167,7 +167,7 @@ TmEcode Unified2AlertThreadInit(ThreadVars *, void *, void **);
 TmEcode Unified2AlertThreadDeinit(ThreadVars *, void *);
 int Unified2IPv4TypeAlert(ThreadVars *, Packet *, void *, PacketQueue *);
 int Unified2IPv6TypeAlert(ThreadVars *, Packet *, void *, PacketQueue *);
-int Unified2PacketTypeAlert(Unified2AlertThread *, Packet *, void *, uint32_t);
+int Unified2PacketTypeAlert(Unified2AlertThread *, Packet *, void *, uint32_t, int);
 void Unified2RegisterTests();
 int Unified2AlertOpenFileCtx(LogFileCtx *, const char *);
 static void Unified2AlertDeInitCtx(OutputCtx *);
@@ -592,9 +592,11 @@ static int Unified2PrintStreamSegmentCallback(Packet *p, void *data, uint8_t *bu
 * \retval 0 on succces
 * \retval -1 on failure
 */
-int Unified2PacketTypeAlert (Unified2AlertThread *aun, Packet *p, void *stream, uint32_t event_id)
+int Unified2PacketTypeAlert (Unified2AlertThread *aun, Packet *p, void *stream, uint32_t event_id, int state)
 {
 if (PKT_IS_TCP(p) && stream != NULL) {
+ SCLogDebug("reassembled stream logging");
+
 if (PKT_IS_IPV4(p)) {
 return Unified2StreamTypeAlertIPv4(aun, p, stream, event_id);
 } else if (PKT_IS_IPV6(p)) {
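Review bot: The new `int state` parameter on `Unified2PacketTypeAlert` gets no `\param` entry in the Doxygen block this hunk touches, which still documents only the return values. Add ` * \param state non-zero when the alert matched (partly) in the app-layer state; the function then logs that state instead of the packet payload` above ` * \retval 0 on succces`, and fix that typo to `success` while there. The matching prototype change in the @@ -167 hunk needs no further comment. Unified2PacketTypeAlert's body continues past the end of this hunk.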
@@ -612,7 +614,6 @@ int Unified2PacketTypeAlert (Unified2AlertThread *aun, Packet *p, void *stream,
 EthernetHdr ethhdr = { {0,0,0,0,0,0}, {0,0,0,0,0,0}, htons(ETHERNET_TYPE_IPV6) };
 #endif
-
 memset(hdr, 0, sizeof(Unified2AlertFileHeader));
 memset(phdr, 0, sizeof(Unified2Packet));
@@ -625,7 +626,9 @@ int Unified2PacketTypeAlert (Unified2AlertThread *aun, Packet *p, void *stream,
 phdr->event_second = phdr->packet_second = htonl(p->ts.tv_sec);
 phdr->packet_microsecond = htonl(p->ts.tv_usec);
 aun->phdr = phdr;
- if ((p->payload_len == 0) && PKT_IS_TCP(p) && (p->flow != NULL) && (p->flow->protoctx != NULL)) {
+
+ if (state) {
+ SCLogDebug("logging the state");
 uint8_t flag;
 /* We have raw data here */
@@ -675,6 +678,8 @@ int Unified2PacketTypeAlert (Unified2AlertThread *aun, Packet *p, void *stream,
 /* or no segment could been logged or no segment have been logged */
 if (ret == 0) {
+ SCLogDebug("no stream, no state: falling back to payload logging");
+
 /* we need to reset offset and length which could
 * have been modified by the segment logging */
 aun->offset = len;
@@ -848,8 +853,7 @@ int Unified2IPv6TypeAlert (ThreadVars *t, Packet *p, void *data, PacketQueue *pq
 aun->length = 0;
 aun->offset = 0;
- ret = Unified2PacketTypeAlert(aun, p, pa->alert_msg, event_id);
-
+ ret = Unified2PacketTypeAlert(aun, p, pa->alert_msg, phdr->event_id, pa->flags & PACKET_ALERT_FLAG_STATE_MATCH ? 1 : 0);
 if (ret != 1) {
 SCLogError(SC_ERR_FWRITE, "Error: fwrite failed: %s", strerror(errno));
 SCMutexUnlock(&aun->file_ctx->fp_mutex);
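Review bot: The condition removed at `- if ((p->payload_len == 0) && PKT_IS_TCP(p) && (p->flow != NULL) && (p->flow->protoctx != NULL))` also guarded the flow pointers, and the replacement `if (state)` keeps none of those checks; the state-logging branch continues past the hunk, so if it reads `p->flow->protoctx` (as the old guard suggests) a PACKET_ALERT_FLAG_STATE_MATCH alert on a packet without a flow would dereference NULL. Unless the flag is provably only set for packets that carry a flow with an app-layer state, keep the pointer checks: `if (state && p->flow != NULL && p->flow->protoctx != NULL) {`. If that invariant does hold, record it at the same line, e.g. `/* state matches only occur on flows with an app-layer state, so p->flow and protoctx are set here */`. Unified2PacketTypeAlert starts and ends outside this hunk.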
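Review bot: The IPv6 call site now passes `phdr->event_id` where the IPv4 call site in the @@ -986 hunk passes `event_id`, and the line removed here also used `event_id`; the two sites should agree, and if `phdr->event_id` is stored byte-swapped (other header fields in this file, such as `phdr->event_second` in the @@ -625 hunk, are written with htonl) the packet record would get a swapped id. Suggest `ret = Unified2PacketTypeAlert(aun, p, pa->alert_msg, event_id, (pa->flags & PACKET_ALERT_FLAG_STATE_MATCH) ? 1 : 0);`, with the parentheses around the `&` term applied at the IPv4 site as well for readability. Whether phdr->event_id holds the converted value is not visible in the hunk and should be confirmed before changing it. Unified2IPv6TypeAlert's body continues outside this hunk.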
@@ -986,7 +990,7 @@ int Unified2IPv4TypeAlert (ThreadVars *tv, Packet *p, void *data, PacketQueue *p
 /* Write the alert (it doesn't lock inside, since we
 * already locked here for rotation check) */
- ret = Unified2PacketTypeAlert(aun, p, pa->alert_msg, event_id);
+ ret = Unified2PacketTypeAlert(aun, p, pa->alert_msg, event_id, pa->flags & PACKET_ALERT_FLAG_STATE_MATCH ? 1 : 0);
 if (ret != 1) {
 SCLogError(SC_ERR_FWRITE, "Error: PacketTypeAlert writing failed");
 SCMutexUnlock(&aun->file_ctx->fp_mutex);
diff --git a/src/decode.h b/src/decode.h
index 73f6547295..4213f252cf 100644
--- a/src/decode.h
+++ b/src/decode.h
@@ -230,10 +230,13 @@ typedef struct PacketAlert_ {
 struct Signature_ *s;
 } PacketAlert;
-/* After processing an alert by the thresholding module, if at
- * last it gets triggered, we might want to stick the drop action to
- * the flow on IPS mode */
+/** After processing an alert by the thresholding module, if at
+ * last it gets triggered, we might want to stick the drop action to
+ * the flow on IPS mode */
 #define PACKET_ALERT_FLAG_DROP_FLOW 0x01
+/** Signature matched (partly) in the state. Used in unified logger to
+ * know if it needs to log the stream or the packet. */
+#define PACKET_ALERT_FLAG_STATE_MATCH 0x02
 #define PACKET_ALERT_MAX 15
diff --git a/src/detect.c b/src/detect.c
index 2cc9da71f6..2bfbfe727b 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -1636,9 +1636,6 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
 if (de_r != 1) {
 goto next;
- } else {
- if (s->action == ACTION_DROP)
- alert_flags |= PACKET_ALERT_FLAG_DROP_FLOW;
 }
 } else {
 SCLogDebug("already having a destate");
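Review bot: The comment on the new PACKET_ALERT_FLAG_STATE_MATCH in decode.h names the flag's consumer but not its producer, so a reader of the header cannot tell when the bit is set or by whom. Extend it to `/** Signature matched (partly) in the app-layer state; set by SigMatchSignatures() in detect.c. Used by the unified2 logger to decide whether to log the state or the packet. */`. The flag is defined as a bit value alongside PACKET_ALERT_FLAG_DROP_FLOW, so the PacketAlert flags field (declared above the hunk) must be wide enough for both; that is presumably already the case.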
@@ -1647,11 +1644,14 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
 s->id, (uintmax_t)s->num, DeStateMatchResultToString(det_ctx->de_state_sig_array[s->num]));
 if (det_ctx->de_state_sig_array[s->num] != DE_STATE_MATCH_NEW) {
 goto next;
- } else {
- if (s->action == ACTION_DROP)
- alert_flags |= PACKET_ALERT_FLAG_DROP_FLOW;
 }
 }
+
+ /* match */
+ if (s->action == ACTION_DROP)
+ alert_flags |= PACKET_ALERT_FLAG_DROP_FLOW;
+
+ alert_flags |= PACKET_ALERT_FLAG_STATE_MATCH;
 }
 /* if we get here but have no sigmatches to match against,
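Review bot: `alert_flags |= PACKET_ALERT_FLAG_STATE_MATCH;` is raised unconditionally at the end of an enclosing block whose opening condition lies before the hunk, so it is set on both the `de_r == 1` path (previous @@ -1636 hunk) and the `DE_STATE_MATCH_NEW` path; that is only correct if that block is entered exclusively for signatures that match via the de_state, which the hunk cannot show. The bare `/* match */` should state that dependency, e.g. `/* signature matched (new or continued) via the app-layer state: flag it so the logger writes the state instead of the packet */`. It is also worth confirming that alert_flags is reset per signature, since its initialisation is outside the hunk and a stale STATE_MATCH bit would make the logger write the state for a packet-only match. SigMatchSignatures continues on both sides of this hunk.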