Improve logging, add alert-output module, at module exit stats, add HTTP POST uri capture.

remotes/origin/master-1.0.x
Victor Julien 17 years ago
parent 724d942688
commit 4c4862d838

@ -51,6 +51,7 @@ detect-msg.c detect-msg.h \
detect-flow.c detect-flow.h \
detect-dsize.c detect-dsize.h \
detect-noalert.c detect-noalert.h \
util-print.c util-print.h \
util-mpm-trie.c util-mpm-trie.h \
util-mpm.c util-mpm.h \
util-binsearch.c util-binsearch.h \
@ -68,6 +69,7 @@ tmqh-simple.c tmqh-simple.h \
tmqh-nfq.c tmqh-nfq.h \
tmqh-packetpool.c tmqh-packetpool.h \
alert-fastlog.c alert-fastlog.h \
alert-debuglog.c alert-debuglog.h \
log-httplog.c log-httplog.h \
alert-unified-log.c alert-unified-log.h \
alert-unified-alert.c alert-unified-alert.h \

@ -0,0 +1,242 @@
/* Copyright (c) 2008 Victor Julien <victor@inliniac.net> */
/* alert debuglog
*
* TODO
* - figure out a way to safely print detection engine info
* - maybe by having a log queue in the packet
* - maybe by accessing it just and hoping threading doesn't hurt
*/
#include <stdio.h>
#include <stdlib.h>
#include <pthread.h>
#include <unistd.h>
#include <string.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include "vips.h"
#include "debug.h"
#include "detect.h"
#include "flow.h"
#include "threadvars.h"
#include "tm-modules.h"
#include "util-print.h"
#include "pkt-var.h"
#include "util-unittest.h"
int AlertDebuglog (ThreadVars *, Packet *, void *, PacketQueue *);
int AlertDebuglogIPv4(ThreadVars *, Packet *, void *, PacketQueue *);
int AlertDebuglogIPv6(ThreadVars *, Packet *, void *, PacketQueue *);
int AlertDebuglogThreadInit(ThreadVars *, void **);
int AlertDebuglogThreadDeinit(ThreadVars *, void *);
void AlertDebuglogExitPrintStats(ThreadVars *, void *);
void TmModuleAlertDebuglogRegister (void) {
tmm_modules[TMM_ALERTDEBUGLOG].name = "AlertDebuglog";
tmm_modules[TMM_ALERTDEBUGLOG].Init = AlertDebuglogThreadInit;
tmm_modules[TMM_ALERTDEBUGLOG].Func = AlertDebuglog;
tmm_modules[TMM_ALERTDEBUGLOG].ExitPrintStats = AlertDebuglogExitPrintStats;
tmm_modules[TMM_ALERTDEBUGLOG].Deinit = AlertDebuglogThreadDeinit;
tmm_modules[TMM_ALERTDEBUGLOG].RegisterTests = NULL;
}
/*
void TmModuleAlertDebuglogIPv4Register (void) {
tmm_modules[TMM_ALERTDEBUGLOG4].name = "AlertDebuglogIPv4";
tmm_modules[TMM_ALERTDEBUGLOG4].Init = AlertDebuglogThreadInit;
tmm_modules[TMM_ALERTDEBUGLOG4].Func = AlertDebuglogIPv4;
tmm_modules[TMM_ALERTDEBUGLOG4].Deinit = AlertDebuglogThreadDeinit;
tmm_modules[TMM_ALERTDEBUGLOG4].RegisterTests = NULL;
}
void TmModuleAlertDebuglogIPv6Register (void) {
tmm_modules[TMM_ALERTDEBUGLOG6].name = "AlertDebuglogIPv6";
tmm_modules[TMM_ALERTDEBUGLOG6].Init = AlertDebuglogThreadInit;
tmm_modules[TMM_ALERTDEBUGLOG6].Func = AlertDebuglogIPv6;
tmm_modules[TMM_ALERTDEBUGLOG6].Deinit = AlertDebuglogThreadDeinit;
tmm_modules[TMM_ALERTDEBUGLOG6].RegisterTests = NULL;
}
*/
typedef struct _AlertDebuglogThread {
FILE *fp;
u_int32_t alerts;
} AlertDebuglogThread;
static void CreateTimeString (const struct timeval *ts, char *str, size_t size) {
time_t time = ts->tv_sec;
struct tm *t = gmtime(&time);
u_int32_t sec = ts->tv_sec % 86400;
snprintf(str, size, "%02d/%02d/%02d-%02d:%02d:%02d.%06u",
t->tm_mon + 1, t->tm_mday, t->tm_year - 100,
sec / 3600, (sec % 3600) / 60, sec % 60,
(u_int32_t) ts->tv_usec);
}
int AlertDebuglogIPv4(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq)
{
AlertDebuglogThread *aft = (AlertDebuglogThread *)data;
int i;
char timebuf[64];
if (p->alerts.cnt == 0)
return 0;
CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
fprintf(aft->fp, "+================\n");
fprintf(aft->fp, "TIME: %s\n", timebuf);
fprintf(aft->fp, "ALERT CNT: %u\n", p->alerts.cnt);
for (i = 0; i < p->alerts.cnt; i++) {
PacketAlert *pa = &p->alerts.alerts[i];
fprintf(aft->fp, "ALERT MSG [%02d]: %s\n", i, pa->msg);
fprintf(aft->fp, "ALERT GID [%02d]: %u\n", i, pa->gid);
fprintf(aft->fp, "ALERT SID [%02d]: %u\n", i, pa->sid);
fprintf(aft->fp, "ALERT REV [%02d]: %u\n", i, pa->rev);
fprintf(aft->fp, "ALERT PRIO [%02d]: %u\n", i, pa->prio);
}
char srcip[16], dstip[16];
inet_ntop(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));
inet_ntop(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));
fprintf(aft->fp, "SRC IP: %s\n", srcip);
fprintf(aft->fp, "DST IP: %s\n", dstip);
fprintf(aft->fp, "PROTO: %u\n", IPV4_GET_IPPROTO(p));
if (IPV4_GET_IPPROTO(p) == IPPROTO_TCP || IPV4_GET_IPPROTO(p) == IPPROTO_UDP) {
fprintf(aft->fp, "SRC PORT: %u\n", p->sp);
fprintf(aft->fp, "DST PORT: %u\n", p->dp);
}
/* flow stuff */
fprintf(aft->fp, "FLOW: to_server: %s, to_client %s\n",
p->flowflags & FLOW_PKT_TOSERVER ? "TRUE" : "FALSE",
p->flowflags & FLOW_PKT_TOCLIENT ? "TRUE" : "FALSE");
PktVar *pv = PktVarGet(p,"http_host");
if (pv) {
fprintf(aft->fp, "PKTVAR: %s\n", pv->name);
PrintRawDataFp(aft->fp, pv->value, pv->value_len);
}
pv = PktVarGet(p,"http_ua");
if (pv) {
fprintf(aft->fp, "PKTVAR: %s\n", pv->name);
PrintRawDataFp(aft->fp, pv->value, pv->value_len);
}
for (i = 0; i < p->http_uri.cnt; i++) {
fprintf(aft->fp, "RAW URI [%2d]: ", i);
PrintRawUriFp(aft->fp, p->http_uri.raw[i], p->http_uri.raw_size[i]);
fprintf(aft->fp, "\n");
PrintRawDataFp(aft->fp, p->http_uri.raw[i], p->http_uri.raw_size[i]);
}
/* any stuff */
/* Sig details? */
/* pkt vars */
/* flowvars */
aft->alerts += p->alerts.cnt;
fprintf(aft->fp, "PACKET LEN: %u\n", p->pktlen);
fprintf(aft->fp, "PACKET:\n");
PrintRawDataFp(aft->fp, p->pkt, p->pktlen);
fflush(aft->fp);
return 0;
}
int AlertDebuglogIPv6(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq)
{
AlertDebuglogThread *aft = (AlertDebuglogThread *)data;
int i;
char timebuf[64];
if (p->alerts.cnt == 0)
return 0;
aft->alerts += p->alerts.cnt;
CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
for (i = 0; i < p->alerts.cnt; i++) {
PacketAlert *pa = &p->alerts.alerts[i];
char srcip[46], dstip[46];
inet_ntop(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
inet_ntop(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
fprintf(aft->fp, "%s [**] [%u:%u:%u] %s [**] [Classification: fixme] [Priority: %u] {%u} %s:%u -> %s:%u\n",
timebuf, pa->gid, pa->sid, pa->rev, pa->msg, pa->prio, IPV6_GET_L4PROTO(p), srcip, p->sp, dstip, p->dp);
fflush(aft->fp);
}
return 0;
}
int AlertDebuglog (ThreadVars *tv, Packet *p, void *data, PacketQueue *pq)
{
if (PKT_IS_IPV4(p)) {
return AlertDebuglogIPv4(tv, p, data, pq);
} else if (PKT_IS_IPV6(p)) {
return AlertDebuglogIPv6(tv, p, data, pq);
}
return 0;
}
int AlertDebuglogThreadInit(ThreadVars *t, void **data)
{
AlertDebuglogThread *aft = malloc(sizeof(AlertDebuglogThread));
if (aft == NULL) {
return -1;
}
memset(aft, 0, sizeof(AlertDebuglogThread));
/* XXX */
aft->fp = fopen("/var/log/eips/alert-debug.log", "w");
if (aft->fp == NULL) {
return -1;
}
*data = (void *)aft;
return 0;
}
int AlertDebuglogThreadDeinit(ThreadVars *t, void *data)
{
AlertDebuglogThread *aft = (AlertDebuglogThread *)data;
if (aft == NULL) {
return 0;
}
if (aft->fp != NULL)
fclose(aft->fp);
/* clear memory */
memset(aft, 0, sizeof(AlertDebuglogThread));
free(aft);
return 0;
}
void AlertDebuglogExitPrintStats(ThreadVars *tv, void *data) {
AlertDebuglogThread *aft = (AlertDebuglogThread *)data;
if (aft == NULL) {
return;
}
printf(" - (%s) Alerts %u.\n", tv->name, aft->alerts);
}
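Review bot: AlertDebuglogThreadInit leaks the freshly allocated `aft` when the fopen fails: the `return -1` after `aft->fp == NULL` never frees it, so the failure path should read `if (aft->fp == NULL) { free(aft); return -1; }`. CreateTimeString also calls `gmtime()`, which returns a pointer to shared static storage; this module runs in its own thread next to alert-fastlog and log-httplog copies of the same helper, so use `gmtime_r(&time, &tm_buf)` with a stack `struct tm` instead. The "XXX" on the hard-coded `/var/log/eips/alert-debug.log` path deserves a comment saying that this file receives a full hex dump of every alerting packet (PrintRawDataFp on p->pkt), so the directory permissions matter as much as the path itself.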

@ -0,0 +1,11 @@
/* Copyright (c) 2008 Victor Julien <victor@inliniac.net> */
#ifndef __ALERT_DEBUGLOG_H__
#define __ALERT_DEBUGLOG_H__
void TmModuleAlertDebuglogRegister (void);
void TmModuleAlertDebuglogIPv4Register (void);
void TmModuleAlertDebuglogIPv6Register (void);
#endif /* __ALERT_DEBUGLOG_H__ */
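Review bot: The header declares `TmModuleAlertDebuglogIPv4Register` and `TmModuleAlertDebuglogIPv6Register`, but both definitions in alert-debuglog.c are inside a block comment, so any caller that picks them up from this header fails at link time. Either drop the two declarations or keep the definitions compiled; if they are meant to come back later, a comment such as `/* IPv4/IPv6-only registration is not implemented yet; see alert-debuglog.c */` would stop someone from wiring them into main().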

@ -38,11 +38,13 @@ int AlertFastlogIPv4(ThreadVars *, Packet *, void *, PacketQueue *);
int AlertFastlogIPv6(ThreadVars *, Packet *, void *, PacketQueue *);
int AlertFastlogThreadInit(ThreadVars *, void **);
int AlertFastlogThreadDeinit(ThreadVars *, void *);
void AlertFastlogExitPrintStats(ThreadVars *, void *);
void TmModuleAlertFastlogRegister (void) {
tmm_modules[TMM_ALERTFASTLOG].name = "AlertFastlog";
tmm_modules[TMM_ALERTFASTLOG].Init = AlertFastlogThreadInit;
tmm_modules[TMM_ALERTFASTLOG].Func = AlertFastlog;
tmm_modules[TMM_ALERTFASTLOG].ExitPrintStats = AlertFastlogExitPrintStats;
tmm_modules[TMM_ALERTFASTLOG].Deinit = AlertFastlogThreadDeinit;
tmm_modules[TMM_ALERTFASTLOG].RegisterTests = NULL;
}
@ -65,6 +67,7 @@ void TmModuleAlertFastlogIPv6Register (void) {
typedef struct _AlertFastlogThread {
FILE *fp;
u_int32_t alerts;
} AlertFastlogThread;
static void CreateTimeString (const struct timeval *ts, char *str, size_t size) {
@ -87,6 +90,8 @@ int AlertFastlogIPv4(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq)
if (p->alerts.cnt == 0)
return 0;
aft->alerts += p->alerts.cnt;
CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
for (i = 0; i < p->alerts.cnt; i++) {
@ -112,6 +117,8 @@ int AlertFastlogIPv6(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq)
if (p->alerts.cnt == 0)
return 0;
aft->alerts += p->alerts.cnt;
CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
for (i = 0; i < p->alerts.cnt; i++) {
@ -175,3 +182,12 @@ int AlertFastlogThreadDeinit(ThreadVars *t, void *data)
return 0;
}
void AlertFastlogExitPrintStats(ThreadVars *tv, void *data) {
AlertFastlogThread *aft = (AlertFastlogThread *)data;
if (aft == NULL) {
return;
}
printf(" - (%s) Alerts %u.\n", tv->name, aft->alerts);
}

@ -136,6 +136,9 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
MpmInitCtx(sh->mpm_uri_ctx, MPM_WUMANBER);
}
u_int16_t mpm_content_maxlen = 0, mpm_uricontent_maxlen = 0;
u_int32_t mpm_content_cnt = 0, mpm_uricontent_cnt = 0;
/* for each signature in this group do */
for (sig = 0; sig < sh->sig_cnt; sig++) {
u_int32_t num = sh->match_array[sig];
@ -146,8 +149,39 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
cnt++;
/* find flow setting of this rule */
u_int16_t content_maxlen = 0, uricontent_maxlen = 0;
u_int16_t content_cnt = 0, uricontent_cnt = 0;
SigMatch *sm;
for (sm = s->match; sm != NULL; sm = sm->next) {
if (sm->type == DETECT_CONTENT && !(sh->flags & SIG_GROUP_HEAD_MPM_COPY)) {
DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd->content_len > content_maxlen)
content_maxlen = cd->content_len;
mpm_content_cnt++;
content_cnt++;
} else if (sm->type == DETECT_URICONTENT && !(sh->flags & SIG_GROUP_HEAD_MPM_URI_COPY)) {
DetectUricontentData *ud = (DetectUricontentData *)sm->ctx;
if (ud->uricontent_len > uricontent_maxlen)
uricontent_maxlen = ud->uricontent_len;
mpm_uricontent_cnt++;
uricontent_cnt++;
}
}
if (content_cnt) {
if (mpm_content_maxlen == 0) mpm_content_maxlen = content_maxlen;
if (mpm_content_maxlen > content_maxlen)
mpm_content_maxlen = content_maxlen;
}
if (uricontent_maxlen) {
if (mpm_uricontent_maxlen == 0) mpm_uricontent_maxlen = uricontent_maxlen;
if (mpm_uricontent_maxlen > uricontent_maxlen)
mpm_uricontent_maxlen = uricontent_maxlen;
}
for (sm = s->match; sm != NULL; sm = sm->next) {
if (sm->type == DETECT_CONTENT && !(sh->flags & SIG_GROUP_HEAD_MPM_COPY)) {
DetectContentData *cd = (DetectContentData *)sm->ctx;
@ -174,6 +208,9 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
if (sh->mpm_ctx->Prepare != NULL) {
sh->mpm_ctx->Prepare(sh->mpm_ctx);
}
if (mpm_content_cnt && mpm_content_maxlen > 1)
printf("mpm_content_cnt %u, mpm_content_maxlen %d\n", mpm_content_cnt, mpm_content_maxlen);
//sh->mpm_ctx->PrintCtx(sh->mpm_ctx);
}
/* uricontent */
@ -181,6 +218,9 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh)
if (sh->mpm_uri_ctx->Prepare != NULL) {
sh->mpm_uri_ctx->Prepare(sh->mpm_uri_ctx);
}
if (mpm_uricontent_cnt && mpm_uricontent_maxlen > 1)
printf("mpm_uricontent_cnt %u, mpm_uricontent_maxlen %d\n", mpm_uricontent_cnt, mpm_uricontent_maxlen);
//sh->mpm_uri_ctx->PrintCtx(sh->mpm_uri_ctx);
}
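Review bot: The two per-signature aggregation guards in PatternMatchPrepareGroup are not symmetric: the content side tests `if (content_cnt)` while the uricontent side tests `if (uricontent_maxlen)`, so a signature whose uricontent matches all have length 0 is skipped on one side and counted on the other. For consistency with the content branch, change it to `if (uricontent_cnt) {`. The `printf` diagnostics on both branches are emitted for every group at prepare time; if they are meant to stay, guard them with the file's existing debug mechanism rather than leaving them unconditional. The enclosing function starts and ends outside the visible hunks.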

@ -77,21 +77,26 @@ void SigLoadSignatures (void)
/* The next 3 rules handle HTTP header capture. */
/* http_uri -- for uricontent */
sig = SigInit("alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP URI cap\"; flow:to_server; content:\"GET \"; depth:4; pcre:\"/^GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; noalert; sid:1;)");
sig = SigInit("alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP GET URI cap\"; flow:to_server; content:\"GET \"; depth:4; pcre:\"/^GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; noalert; sid:1;)");
if (sig) {
prevsig = sig;
g_de_ctx->sig_list = sig;
}
sig = SigInit("alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP POST URI cap\"; flow:to_server; content:\"POST \"; depth:5; pcre:\"/^POST (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; noalert; sid:2;)");
if (sig == NULL)
return;
prevsig->next = sig;
prevsig = sig;
/* http_host -- for the log-httplog module */
sig = SigInit("alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP host cap\"; flow:to_server; content:\"Host:\"; pcre:\"/^Host: (?P<pkt_http_host>.*)\\r\\n/m\"; noalert; sid:2;)");
sig = SigInit("alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP host cap\"; flow:to_server; content:\"Host:\"; pcre:\"/^Host: (?P<pkt_http_host>.*)\\r\\n/m\"; noalert; sid:3;)");
if (sig == NULL)
return;
prevsig->next = sig;
prevsig = sig;
/* http_ua -- for the log-httplog module */
sig = SigInit("alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP UA cap\"; flow:to_server; content:\"User-Agent:\"; pcre:\"/^User-Agent: (?P<pkt_http_ua>.*)\\r\\n/m\"; noalert; sid:3;)");
sig = SigInit("alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP UA cap\"; flow:to_server; content:\"User-Agent:\"; pcre:\"/^User-Agent: (?P<pkt_http_ua>.*)\\r\\n/m\"; noalert; sid:4;)");
if (sig == NULL)
return;
prevsig->next = sig;
@ -455,9 +460,16 @@ int SigMatchSignatures(ThreadVars *th_v, PatternMatcherThread *pmt, Packet *p)
/* only if the last matched as well, we have a hit */
if (sm == NULL) {
printf("Signature %u matched: %s, flow: toserver %s toclient %s\n", s->id, s->msg ? s->msg : "",
p->flowflags & FLOW_PKT_TOSERVER ? "TRUE":"FALSE",
p->flowflags & FLOW_PKT_TOCLIENT ? "TRUE":"FALSE");
if (s->id > 100) {
printf("Signature %u matched: %s, flow: toserver %s toclient %s proto %u, SP %s (%u) DP %s (%u) sig sp: ",
s->id, s->msg ? s->msg : "",
p->flowflags & FLOW_PKT_TOSERVER ? "TRUE":"FALSE",
p->flowflags & FLOW_PKT_TOCLIENT ? "TRUE":"FALSE",
p->proto, s->flags & SIG_FLAG_SP_ANY ? "ANY":"NOTANY", p->sp,
s->flags & SIG_FLAG_DP_ANY ? "ANY":"NOTANY", p->dp);
DetectPortPrint(s->sp); printf(" dp: ");
DetectPortPrint(s->dp); printf("\n");
}
fmatch = 1;
if (!(s->flags & SIG_FLAG_NOALERT)) {
@ -518,7 +530,7 @@ static int SignatureIsIPOnly(Signature *s) {
sm = s->match;
if (sm == NULL)
return 1;
goto iponly;
for ( ; sm != NULL; sm = sm->next) {
if (sm->type == DETECT_CONTENT) {
@ -536,6 +548,8 @@ static int SignatureIsIPOnly(Signature *s) {
}
}
iponly:
printf("IP-ONLY (%u): source %s, dest %s\n", s->id, s->flags & SIG_FLAG_SRC_ANY ? "ANY" : "SET", s->flags & SIG_FLAG_DST_ANY ? "ANY" : "SET");
return 1;
}
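Review bot: In SigMatchSignatures the new debug print is gated on the magic threshold `if (s->id > 100)`, which silently couples it to the capture rules being loaded with sid 1 through 4 in SigLoadSignatures; the intent is visibly "skip the noalert capture rules", and the flag for that is already tested a few lines later, so `if (!(s->flags & SIG_FLAG_NOALERT)) {` expresses it without the hidden dependency. In SignatureIsIPOnly, the added `iponly:` label now prints on every IP-only classification, including the early `goto iponly` for signatures with no match list; if that output is only for development, it should be behind the debug build switch. Both functions start and end outside the hunks.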

@ -278,6 +278,7 @@ void FlowInitConfig (void)
/* Not Thread safe */
void FlowPrintFlows (void)
{
/*
int i;
printf("Flows:\n");
for (i = 0; i < flow_config.hash_size; i++) {
@ -301,6 +302,7 @@ void FlowPrintFlows (void)
}
}
}
*/
printf("Flow Queue info:\n");
printf("SPARE %u\n", flow_spare_q.len);
#ifdef DBG_PERF

@ -25,6 +25,7 @@
#include "threads.h"
#include "util-print.h"
#include "util-unittest.h"
int LogHttplog (ThreadVars *, Packet *, void *, PacketQueue *);
@ -32,11 +33,13 @@ int LogHttplogIPv4(ThreadVars *, Packet *, void *, PacketQueue *);
int LogHttplogIPv6(ThreadVars *, Packet *, void *, PacketQueue *);
int LogHttplogThreadInit(ThreadVars *, void **);
int LogHttplogThreadDeinit(ThreadVars *, void *);
void LogHttplogExitPrintStats(ThreadVars *, void *);
void TmModuleLogHttplogRegister (void) {
tmm_modules[TMM_LOGHTTPLOG].name = "LogHttplog";
tmm_modules[TMM_LOGHTTPLOG].Init = LogHttplogThreadInit;
tmm_modules[TMM_LOGHTTPLOG].Func = LogHttplog;
tmm_modules[TMM_LOGHTTPLOG].ExitPrintStats = LogHttplogExitPrintStats;
tmm_modules[TMM_LOGHTTPLOG].Deinit = LogHttplogThreadDeinit;
tmm_modules[TMM_LOGHTTPLOG].RegisterTests = NULL;
}
@ -59,6 +62,7 @@ void TmModuleLogHttplogIPv6Register (void) {
typedef struct _LogHttplogThread {
FILE *fp;
u_int32_t uri_cnt;
} LogHttplogThread;
static void CreateTimeString (const struct timeval *ts, char *str, size_t size) {
@ -76,30 +80,14 @@ int LogHttplogIPv4(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq)
{
LogHttplogThread *aft = (LogHttplogThread *)data;
int i;
char timebuf[64], hostname[256] = "unknown", ua[256] = "unknown";
PktVar *pv;
u_int16_t size;
char timebuf[64];
/* XXX add a better check for this */
if (p->http_uri.cnt == 0)
return 0;
pv = PktVarGet(p, "http_host");
if (pv != NULL) {
size = pv->value_len;
if (size >= sizeof(hostname))
size = sizeof(hostname) - 1;
strncpy(hostname,(char *)pv->value,size);
}
pv = PktVarGet(p, "http_ua");
if (pv != NULL) {
size = pv->value_len;
if (size >= sizeof(ua))
size = sizeof(ua) - 1;
strncpy(ua,(char *)pv->value,size);
}
PktVar *pv_hn = PktVarGet(p, "http_host");
PktVar *pv_ua = PktVarGet(p, "http_ua");
CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
@ -108,10 +96,24 @@ int LogHttplogIPv4(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq)
inet_ntop(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));
for (i = 0; i < p->http_uri.cnt; i++) {
fprintf(aft->fp, "%s %s [**] %s [**] %s [**] %s:%u -> %s:%u\n",
timebuf, hostname, p->http_uri.raw[i], ua, srcip, p->sp, dstip, p->dp);
fflush(aft->fp);
/* time */
fprintf(aft->fp, "%s ", timebuf);
/* hostname */
if (pv_hn != NULL) PrintRawUriFp(aft->fp, pv_hn->value, pv_hn->value_len);
else fprintf(aft->fp, "<hostname unknown>");
fprintf(aft->fp, " [**] ");
/* uri */
PrintRawUriFp(aft->fp, p->http_uri.raw[i], p->http_uri.raw_size[i]);
fprintf(aft->fp, " [**] ");
/* user agent */
if (pv_ua != NULL) PrintRawUriFp(aft->fp, pv_ua->value, pv_ua->value_len);
else fprintf(aft->fp, "<useragent unknown>");
/* ip/tcp header info */
fprintf(aft->fp, " [**] %s:%u -> %s:%u\n", srcip, p->sp, dstip, p->dp);
}
fflush(aft->fp);
aft->uri_cnt += p->http_uri.cnt;
return 0;
}
@ -119,30 +121,14 @@ int LogHttplogIPv6(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq)
{
LogHttplogThread *aft = (LogHttplogThread *)data;
int i;
char timebuf[64], hostname[256] = "unknown", ua[256] = "unknown";
PktVar *pv;
u_int16_t size;
char timebuf[64];
/* XXX add a better check for this */
if (p->http_uri.cnt == 0)
return 0;
pv = PktVarGet(p, "http_host");
if (pv != NULL) {
size = pv->value_len;
if (size >= sizeof(hostname))
size = sizeof(hostname) - 1;
strncpy(hostname,(char *)pv->value,size);
}
pv = PktVarGet(p, "http_ua");
if (pv != NULL) {
size = pv->value_len;
if (size >= sizeof(ua))
size = sizeof(ua) - 1;
strncpy(ua,(char *)pv->value,size);
}
PktVar *pv_hn = PktVarGet(p, "http_host");
PktVar *pv_ua = PktVarGet(p, "http_ua");
CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
@ -151,10 +137,24 @@ int LogHttplogIPv6(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq)
inet_ntop(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
for (i = 0; i < p->http_uri.cnt; i++) {
fprintf(aft->fp, "%s %s [**] %s [**] %s [**] %s:%u -> %s:%u\n",
timebuf, hostname, p->http_uri.raw[i], ua, srcip, p->sp, dstip, p->dp);
fflush(aft->fp);
/* time */
fprintf(aft->fp, "%s ", timebuf);
/* hostname */
if (pv_hn != NULL) PrintRawUriFp(aft->fp, pv_hn->value, pv_hn->value_len);
else fprintf(aft->fp, "<hostname unknown>");
fprintf(aft->fp, " [**] ");
/* uri */
PrintRawUriFp(aft->fp, p->http_uri.raw[i], p->http_uri.raw_size[i]);
fprintf(aft->fp, " [**] ");
/* user agent */
if (pv_ua != NULL) PrintRawUriFp(aft->fp, pv_ua->value, pv_ua->value_len);
else fprintf(aft->fp, "<useragent unknown>");
/* ip/tcp header info */
fprintf(aft->fp, " [**] %s:%u -> %s:%u\n", srcip, p->sp, dstip, p->dp);
}
fflush(aft->fp);
aft->uri_cnt += p->http_uri.cnt;
return 0;
}
@ -207,3 +207,12 @@ int LogHttplogThreadDeinit(ThreadVars *t, void *data)
return 0;
}
void LogHttplogExitPrintStats(ThreadVars *tv, void *data) {
LogHttplogThread *aft = (LogHttplogThread *)data;
if (aft == NULL) {
return;
}
printf(" - (%s) HTTP requests %u.\n", tv->name, aft->uri_cnt);
}
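Review bot: The per-request print loop in LogHttplogIPv4 and LogHttplogIPv6 is now an identical copy, differing only in how srcip/dstip were produced, so it belongs in one `static` helper that takes `aft`, `p`, `timebuf`, `srcip` and `dstip`, which would keep the two record formats from drifting apart. Printing the Host and User-Agent values through PrintRawUriFp instead of a fixed-size `strncpy` copy removes the unterminated-buffer risk, but note that the escaping only covers non-printable bytes: a client-supplied header can still contain the literal ` [**] ` field separator, so a comment such as `/* fields are client-controlled; consumers must not rely on the separator count */` would be worth adding above the loop. Both functions start and end outside the visible hunks.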

@ -29,9 +29,13 @@ static u_int16_t verdict_queue_num = 0;
int ReceiveNFQ(ThreadVars *, Packet *, void *, PacketQueue *);
int ReceiveNFQThreadInit(ThreadVars *, void **);
void ReceiveNFQThreadExitStats(ThreadVars *, void *);
int VerdictNFQ(ThreadVars *, Packet *, void *, PacketQueue *);
int VerdictNFQThreadInit(ThreadVars *, void **);
void VerdictNFQThreadExitStats(ThreadVars *, void *);
int VerdictNFQThreadDeinit(ThreadVars *, void *);
int DecodeNFQ(ThreadVars *, Packet *, void *, PacketQueue *);
void TmModuleReceiveNFQRegister (void) {
@ -42,6 +46,7 @@ void TmModuleReceiveNFQRegister (void) {
tmm_modules[TMM_RECEIVENFQ].name = "ReceiveNFQ";
tmm_modules[TMM_RECEIVENFQ].Init = ReceiveNFQThreadInit;
tmm_modules[TMM_RECEIVENFQ].Func = ReceiveNFQ;
tmm_modules[TMM_RECEIVENFQ].ExitPrintStats = ReceiveNFQThreadExitStats;
tmm_modules[TMM_RECEIVENFQ].Deinit = NULL;
tmm_modules[TMM_RECEIVENFQ].RegisterTests = NULL;
}
@ -50,6 +55,7 @@ void TmModuleVerdictNFQRegister (void) {
tmm_modules[TMM_VERDICTNFQ].name = "VerdictNFQ";
tmm_modules[TMM_VERDICTNFQ].Init = VerdictNFQThreadInit;
tmm_modules[TMM_VERDICTNFQ].Func = VerdictNFQ;
tmm_modules[TMM_VERDICTNFQ].ExitPrintStats = VerdictNFQThreadExitStats;
tmm_modules[TMM_VERDICTNFQ].Deinit = VerdictNFQThreadDeinit;
tmm_modules[TMM_VERDICTNFQ].RegisterTests = NULL;
}
@ -58,6 +64,7 @@ void TmModuleDecodeNFQRegister (void) {
tmm_modules[TMM_DECODENFQ].name = "DecodeNFQ";
tmm_modules[TMM_DECODENFQ].Init = NULL;
tmm_modules[TMM_DECODENFQ].Func = DecodeNFQ;
tmm_modules[TMM_DECODENFQ].ExitPrintStats = NULL;
tmm_modules[TMM_DECODENFQ].Deinit = NULL;
tmm_modules[TMM_DECODENFQ].RegisterTests = NULL;
}
@ -114,6 +121,7 @@ static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
#ifdef COUNTERS
nfq_t->pkts++;
nfq_t->bytes += p->pktlen;
#endif /* COUNTERS */
/* pass on... */
@ -221,7 +229,7 @@ int NFQInitThread(NFQThreadVars *nfq_t, u_int16_t queue_num, u_int32_t queue_max
}
int ReceiveNFQThreadInit(ThreadVars *tv, void **data) {
printf("ReceiveNFQThreadInit: starting... will bind to queuenum %u\n", receive_queue_num);
//printf("ReceiveNFQThreadInit: starting... will bind to queuenum %u\n", receive_queue_num);
NFQThreadVars *ntv = &nfq_t[receive_queue_num];
@ -242,7 +250,7 @@ int ReceiveNFQThreadInit(ThreadVars *tv, void **data) {
}
int VerdictNFQThreadInit(ThreadVars *tv, void **data) {
printf("VerdictNFQThreadInit: starting... will bind to queuenum %u\n", verdict_queue_num);
//printf("VerdictNFQThreadInit: starting... will bind to queuenum %u\n", verdict_queue_num);
/* no initialization, ReceiveNFQ takes care of that */
NFQThreadVars *ntv = &nfq_t[verdict_queue_num];
@ -255,7 +263,7 @@ int VerdictNFQThreadInit(ThreadVars *tv, void **data) {
int VerdictNFQThreadDeinit(ThreadVars *tv, void *data) {
NFQThreadVars *ntv = (NFQThreadVars *)data;
printf("VerdictNFQThreadDeinit: starting... will close queuenum %u\n", ntv->queue_num);
//printf("VerdictNFQThreadDeinit: starting... will close queuenum %u\n", ntv->queue_num);
nfq_destroy_queue(ntv->qh);
@ -305,6 +313,20 @@ int ReceiveNFQ(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq) {
return 0;
}
void ReceiveNFQThreadExitStats(ThreadVars *tv, void *data) {
NFQThreadVars *ntv = (NFQThreadVars *)data;
#ifdef COUNTERS
printf(" - (%s) Pkts %u, Bytes %llu, Errors %u\n", tv->name, ntv->pkts, ntv->bytes, ntv->errs);
#endif
}
void VerdictNFQThreadExitStats(ThreadVars *tv, void *data) {
NFQThreadVars *ntv = (NFQThreadVars *)data;
#ifdef COUNTERS
printf(" - (%s) Pkts accepted %u, dropped %u\n", tv->name, ntv->accepted, ntv->dropped);
#endif
}
void NFQSetVerdict(NFQThreadVars *t, Packet *p) {
int ret;
u_int32_t verdict;
@ -323,6 +345,11 @@ void NFQSetVerdict(NFQThreadVars *t, Packet *p) {
verdict = NF_DROP;
}
#ifdef COUNTERS
if (verdict == NF_ACCEPT) t->accepted++;
if (verdict == NF_DROP) t->dropped++;
#endif /* COUNTERS */
mutex_lock(&t->mutex_qh);
ret = nfq_set_verdict(t->qh, p->nfq_v.id, verdict, 0, NULL);
mutex_unlock(&t->mutex_qh);
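Review bot: ReceiveNFQThreadExitStats prints `ntv->bytes` with `%llu`, but the field is declared `u_int64_t` in source-nfq.h; on LP64 targets that is `unsigned long`, so the specifier and argument type do not match. Use `"%" PRIu64` from `<inttypes.h>` (and include that header in the file's dependency block) for the bytes column. In both new ExitStats functions `ntv` is only referenced inside `#ifdef COUNTERS`, so a build without it gets an unused-variable warning; moving the declaration under the same `#ifdef` avoids that. NFQSetVerdict starts outside the visible hunk.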

@ -39,7 +39,10 @@ typedef struct _NFQThreadVars
/* counters */
u_int32_t pkts;
u_int64_t bytes;
u_int32_t errs;
u_int32_t accepted;
u_int32_t dropped;
ThreadVars *tv;
} NFQThreadVars;

@ -5,6 +5,7 @@ typedef struct _TmModule {
char *name;
int (*Init)(ThreadVars *, void **);
int (*Func)(ThreadVars *, Packet *, void *, PacketQueue *);
void (*ExitPrintStats)(ThreadVars *, void *);
int (*Deinit)(ThreadVars *, void *);
void (*RegisterTests)(void);
} TmModule;
@ -19,6 +20,7 @@ enum {
TMM_ALERTFASTLOG6,
TMM_ALERTUNIFIEDLOG,
TMM_ALERTUNIFIEDALERT,
TMM_ALERTDEBUGLOG,
TMM_RESPONDREJECT,
TMM_LOGHTTPLOG,
TMM_LOGHTTPLOG4,

@ -13,6 +13,7 @@ static ThreadVars *tv_root;
typedef struct _Tm1Slot {
int (*Slot1Init)(ThreadVars *, void **);
int (*Slot1Func)(ThreadVars *, Packet *, void *, PacketQueue *);
void (*Slot1ExitPrintStats)(ThreadVars *, void *);
int (*Slot1Deinit)(ThreadVars *, void *);
void *slot1_data;
PacketQueue slot1_pq;
@ -22,12 +23,14 @@ typedef struct _Tm1Slot {
typedef struct _Tm2Slot {
int (*Slot1Init)(ThreadVars *, void **);
int (*Slot1Func)(ThreadVars *, Packet *, void *, PacketQueue *);
void (*Slot1ExitPrintStats)(ThreadVars *, void *);
int (*Slot1Deinit)(ThreadVars *, void *);
void *slot1_data;
PacketQueue slot1_pq;
int (*Slot2Init)(ThreadVars *, void **);
int (*Slot2Func)(ThreadVars *, Packet *, void *, PacketQueue *);
void (*Slot2ExitPrintStats)(ThreadVars *, void *);
int (*Slot2Deinit)(ThreadVars *, void *);
void *slot2_data;
PacketQueue slot2_pq;
@ -37,18 +40,21 @@ typedef struct _Tm2Slot {
typedef struct _Tm3Slot {
int (*Slot1Init)(ThreadVars *, void **);
int (*Slot1Func)(ThreadVars *, Packet *, void *, PacketQueue *);
void (*Slot1ExitPrintStats)(ThreadVars *, void *);
int (*Slot1Deinit)(ThreadVars *, void *);
void *slot1_data;
PacketQueue slot1_pq;
int (*Slot2Init)(ThreadVars *, void **);
int (*Slot2Func)(ThreadVars *, Packet *, void *, PacketQueue *);
void (*Slot2ExitPrintStats)(ThreadVars *, void *);
int (*Slot2Deinit)(ThreadVars *, void *);
void *slot2_data;
PacketQueue slot2_pq;
int (*Slot3Init)(ThreadVars *, void **);
int (*Slot3Func)(ThreadVars *, Packet *, void *, PacketQueue *);
void (*Slot3ExitPrintStats)(ThreadVars *, void *);
int (*Slot3Deinit)(ThreadVars *, void *);
void *slot3_data;
PacketQueue slot3_pq;
@ -85,6 +91,10 @@ void *TmThreadsSlot1NoIn(void *td) {
run = 0;
}
if (s1->Slot1ExitPrintStats != NULL) {
s1->Slot1ExitPrintStats(tv, s1->slot1_data);
}
if (s1->Slot1Deinit != NULL) {
r = s1->Slot1Deinit(tv, s1->slot1_data);
if (r != 0) {
@ -120,6 +130,10 @@ void *TmThreadsSlot1NoOut(void *td) {
run = 0;
}
if (s1->Slot1ExitPrintStats != NULL) {
s1->Slot1ExitPrintStats(tv, s1->slot1_data);
}
if (s1->Slot1Deinit != NULL) {
r = s1->Slot1Deinit(tv, s1->slot1_data);
if (r != 0) {
@ -157,6 +171,10 @@ void *TmThreadsSlot1NoInOut(void *td) {
}
}
if (s1->Slot1ExitPrintStats != NULL) {
s1->Slot1ExitPrintStats(tv, s1->slot1_data);
}
if (s1->Slot1Deinit != NULL) {
r = s1->Slot1Deinit(tv, s1->slot1_data);
if (r != 0) {
@ -212,6 +230,10 @@ void *TmThreadsSlot1(void *td) {
}
}
if (s1->Slot1ExitPrintStats != NULL) {
s1->Slot1ExitPrintStats(tv, s1->slot1_data);
}
if (s1->Slot1Deinit != NULL) {
r = s1->Slot1Deinit(tv, s1->slot1_data);
if (r != 0) {
@ -285,12 +307,21 @@ void *TmThreadsSlot2(void *td) {
}
}
if (s2->Slot1ExitPrintStats != NULL) {
s2->Slot1ExitPrintStats(tv, s2->slot1_data);
}
if (s2->Slot1Deinit != NULL) {
r = s2->Slot1Deinit(tv, s2->slot1_data);
if (r != 0) {
pthread_exit((void *) -1);
}
}
if (s2->Slot2ExitPrintStats != NULL) {
s2->Slot2ExitPrintStats(tv, s2->slot2_data);
}
if (s2->Slot2Deinit != NULL) {
r = s2->Slot2Deinit(tv, s2->slot2_data);
if (r != 0) {
@ -395,18 +426,32 @@ void *TmThreadsSlot3(void *td) {
}
}
if (s3->Slot1ExitPrintStats != NULL) {
s3->Slot1ExitPrintStats(tv, s3->slot1_data);
}
if (s3->Slot1Deinit != NULL) {
r = s3->Slot1Deinit(tv, s3->slot1_data);
if (r != 0) {
pthread_exit((void *) -1);
}
}
if (s3->Slot2ExitPrintStats != NULL) {
s3->Slot2ExitPrintStats(tv, s3->slot2_data);
}
if (s3->Slot2Deinit != NULL) {
r = s3->Slot2Deinit(tv, s3->slot2_data);
if (r != 0) {
pthread_exit((void *) -1);
}
}
if (s3->Slot3ExitPrintStats != NULL) {
s3->Slot3ExitPrintStats(tv, s3->slot3_data);
}
if (s3->Slot3Deinit != NULL) {
r = s3->Slot3Deinit(tv, s3->slot3_data);
if (r != 0) {
@ -459,6 +504,7 @@ void Tm1SlotSetFunc(ThreadVars *tv, TmModule *tm) {
s1->Slot1Init = tm->Init;
s1->Slot1Func = tm->Func;
s1->Slot1ExitPrintStats = tm->ExitPrintStats;
s1->Slot1Deinit = tm->Deinit;
}
@ -471,6 +517,7 @@ void Tm2SlotSetFunc1(ThreadVars *tv, TmModule *tm) {
s2->Slot1Init = tm->Init;
s2->Slot1Func = tm->Func;
s2->Slot1ExitPrintStats = tm->ExitPrintStats;
s2->Slot1Deinit = tm->Deinit;
}
@ -483,6 +530,7 @@ void Tm2SlotSetFunc2(ThreadVars *tv, TmModule *tm) {
s2->Slot2Init = tm->Init;
s2->Slot2Func = tm->Func;
s2->Slot2ExitPrintStats = tm->ExitPrintStats;
s2->Slot2Deinit = tm->Deinit;
}
@ -495,6 +543,7 @@ void Tm3SlotSetFunc1(ThreadVars *tv, TmModule *tm) {
s3->Slot1Init = tm->Init;
s3->Slot1Func = tm->Func;
s3->Slot1ExitPrintStats = tm->ExitPrintStats;
s3->Slot1Deinit = tm->Deinit;
}
@ -507,6 +556,7 @@ void Tm3SlotSetFunc2(ThreadVars *tv, TmModule *tm) {
s3->Slot2Init = tm->Init;
s3->Slot2Func = tm->Func;
s3->Slot2ExitPrintStats = tm->ExitPrintStats;
s3->Slot2Deinit = tm->Deinit;
}
@ -514,12 +564,13 @@ void Tm3SlotSetFunc3(ThreadVars *tv, TmModule *tm) {
Tm3Slot *s3 = (Tm3Slot *)tv->tm_slots;
if (s3->Slot2Func != NULL)
printf("Warning: slot 2 is already set tp %p, "
printf("Warning: slot 3 is already set tp %p, "
"overwriting with %p\n", s3->Slot2Func, tm->Func);
s3->Slot2Init = tm->Init;
s3->Slot2Func = tm->Func;
s3->Slot2Deinit = tm->Deinit;
s3->Slot3Init = tm->Init;
s3->Slot3Func = tm->Func;
s3->Slot3ExitPrintStats = tm->ExitPrintStats;
s3->Slot3Deinit = tm->Deinit;
}
ThreadVars *TmThreadCreate(char *name, char *inq_name, char *inqh_name, char *outq_name, char *outqh_name, char *slots) {
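Review bot: Tm3SlotSetFunc3 now writes the Slot3 fields, but the "already set" guard on the unchanged lines still tests and prints `s3->Slot2Func`, so overwriting an occupied slot 3 goes unreported while a populated slot 2 triggers a misleading warning; change the guard to `if (s3->Slot3Func != NULL)` and the second printf argument to `s3->Slot3Func`. The message text has the same "set tp" typo as before; "set to" reads better. The new ExitPrintStats calls in the TmThreadsSlot* functions consistently run before the matching Deinit, which is the right order since Deinit frees the slot data the stats callback reads.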

@ -0,0 +1,49 @@
/* Copyright (c) 2008 by Victor Julien <victor@inliniac.net> */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>
void PrintRawUriFp(FILE *fp, u_int8_t *buf, u_int32_t buflen) {
int i;
for (i = 0; i < buflen; i++) {
if (isprint(buf[i])) fprintf(fp, "%c", buf[i]);
else fprintf(fp, "\\x%02X", buf[i]);
}
}
void PrintRawDataFp(FILE *fp, u_int8_t *buf, u_int32_t buflen) {
int i,ch = 0;
for (i = 0; i < buflen; i+=16) {
fprintf(fp ," %04X ", i);
ch = 0;
for (ch = 0; (i+ch) < buflen && ch < 16; ch++) {
fprintf(fp, "%02X ", (u_int8_t)buf[i+ch]);
if (ch == 7) fprintf(fp, " ");
}
if (ch == 16) fprintf(fp, " ");
else if (ch < 8) {
int spaces = (16 - ch) * 3 + 2 + 1;
int s = 0;
for ( ; s < spaces; s++) fprintf(fp, " ");
} else if(ch < 16) {
int spaces = (16 - ch) * 3 + 2;
int s = 0;
for ( ; s < spaces; s++) fprintf(fp, " ");
}
ch = 0;
for (ch = 0; (i+ch) < buflen && ch < 16; ch++) {
fprintf(fp, "%c", isprint((u_int8_t)buf[i+ch]) ? (u_int8_t)buf[i+ch] : '.');
if (ch == 7) fprintf(fp, " ");
if (ch == 15) fprintf(fp, "\n");
}
}
if (ch != 16)
fprintf(fp, "\n");
}
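Review bot: Both loops in util-print.c compare a signed `int i` against the unsigned `u_int32_t buflen`; for lengths above INT_MAX the increment would overflow, which is undefined behaviour, and the comparison promotes to unsigned silently, so declare the index as `u_int32_t i` in both functions. The file uses `u_int8_t`/`u_int32_t` but includes only stdlib, stdio, string and ctype; on glibc these names come via `<sys/types.h>`, which presumably arrives indirectly here, but including it explicitly keeps the file self-contained. Since PrintRawUriFp is the escaping layer for client-supplied strings in the logs, a header comment stating that guarantee, `/* prints buf, escaping every byte that is not isprint() as \xHH */`, would document the contract callers rely on.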

@ -0,0 +1,10 @@
/* Copyright (c) 2008 by Victor Julien <victor@inliniac.net> */
#ifndef __UTIL_PRINT_H__
#define __UTIL_PRINT_H__
void PrintRawUriFp(FILE *fp, u_int8_t *buf, u_int32_t buflen);
void PrintRawDataFp(FILE *fp, u_int8_t *buf, u_int32_t buflen);
#endif /* __UTIL_PRINT_H__ */
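Review bot: util-print.h refers to `FILE`, `u_int8_t` and `u_int32_t` without including anything, so it only compiles when the includer has already pulled in `<stdio.h>` and `<sys/types.h>`; add those two includes at the top of the header so it stands on its own. A one-line comment on each prototype saying which escaping form it produces (hex dump vs. `\xHH` inline) would save callers a trip to the .c file.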

@ -37,6 +37,7 @@
#include "alert-fastlog.h"
#include "alert-unified-log.h"
#include "alert-unified-alert.h"
#include "alert-debuglog.h"
#include "log-httplog.h"
@ -180,6 +181,7 @@ int main(int argc, char **argv)
TmModuleDecodeNFQRegister();
TmModuleDetectRegister();
TmModuleAlertFastlogRegister();
TmModuleAlertDebuglogRegister();
TmModuleRespondRejectRegister();
TmModuleAlertFastlogIPv4Register();
TmModuleAlertFastlogIPv6Register();
@ -382,7 +384,8 @@ int main(int argc, char **argv)
exit(1);
}
ThreadVars *tv_unified = TmThreadCreate("AlertUnifiedLog","alert-queue2","simple","packetpool","packetpool","2slot");
//ThreadVars *tv_unified = TmThreadCreate("AlertUnifiedLog","alert-queue2","simple","packetpool","packetpool","2slot");
ThreadVars *tv_unified = TmThreadCreate("AlertUnifiedLog","alert-queue2","simple","alert-queue3","simple","2slot");
if (tv_unified == NULL) {
printf("ERROR: TmThreadsCreate failed\n");
exit(1);
@ -407,24 +410,24 @@ int main(int argc, char **argv)
exit(1);
}
/*
ThreadVars *tv_unifiedalert = TmThreadCreate("AlertUnifiedAlert","alert-queue3","simple","packetpool","packetpool","1slot");
if (tv_unifiedalert == NULL) {
ThreadVars *tv_debugalert = TmThreadCreate("AlertDebuglog","alert-queue3","simple","packetpool","packetpool","1slot");
if (tv_debugalert == NULL) {
printf("ERROR: TmThreadsCreate failed\n");
exit(1);
}
tm_module = TmModuleGetByName("AlertUnifiedAlert");
tm_module = TmModuleGetByName("AlertDebuglog");
if (tm_module == NULL) {
printf("ERROR: TmModuleGetByName failed\n");
exit(1);
}
Tm1SlotSetFunc(tv_unifiedalert,tm_module);
Tm1SlotSetFunc(tv_debugalert,tm_module);
if (TmThreadSpawn(tv_unifiedalert) != 0) {
if (TmThreadSpawn(tv_debugalert) != 0) {
printf("ERROR: TmThreadSpawn failed\n");
exit(1);
}
*/
ThreadVars tv_flowmgr;
memset(&tv_flowmgr, 0, sizeof(ThreadVars));
printf("Creating FlowManagerThread...\n");
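Review bot: The AlertUnifiedLog thread's output queue is changed to `"alert-queue3"` with the `"simple"` handler, but the only consumer of that queue, the AlertDebuglog thread created a few lines down, sits between a `/*` and a `*/` that are unchanged context lines in this hunk, so as rendered here nothing ever drains alert-queue3 and packets leaving the unified-log thread are never returned to the packet pool. Either move the tv_debugalert block out of the comment or keep tv_unified's output on `"packetpool"` until it is. Whichever is intended, a comment next to the queue name, `/* alert-queue3 is drained by the AlertDebuglog thread below */`, would make the dependency visible. main() starts and ends outside the visible hunks.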
