From 4c4862d83805680dbb3dd437326439bdb92b8582 Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Wed, 3 Dec 2008 11:51:30 +0100 Subject: [PATCH] Improve logging, add alert-output module, at module exit stats, add HTTP POST uri capture. --- src/Makefile.am | 2 + src/alert-debuglog.c | 242 ++++++++++++++++++++++++++++++++++++++++ src/alert-debuglog.h | 11 ++ src/alert-fastlog.c | 16 +++ src/detect-engine-mpm.c | 42 ++++++- src/detect.c | 28 +++-- src/flow.c | 2 + src/log-httplog.c | 97 ++++++++-------- src/source-nfq.c | 33 +++++- src/source-nfq.h | 3 + src/tm-modules.h | 2 + src/tm-threads.c | 59 +++++++++- src/util-print.c | 49 ++++++++ src/util-print.h | 10 ++ src/vips.c | 19 ++-- 15 files changed, 548 insertions(+), 67 deletions(-) create mode 100644 src/alert-debuglog.c create mode 100644 src/alert-debuglog.h create mode 100644 src/util-print.c create mode 100644 src/util-print.h diff --git a/src/Makefile.am b/src/Makefile.am index 8428d8f316..585bcb8284 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -51,6 +51,7 @@ detect-msg.c detect-msg.h \ detect-flow.c detect-flow.h \ detect-dsize.c detect-dsize.h \ detect-noalert.c detect-noalert.h \ +util-print.c util-print.h \ util-mpm-trie.c util-mpm-trie.h \ util-mpm.c util-mpm.h \ util-binsearch.c util-binsearch.h \ @@ -68,6 +69,7 @@ tmqh-simple.c tmqh-simple.h \ tmqh-nfq.c tmqh-nfq.h \ tmqh-packetpool.c tmqh-packetpool.h \ alert-fastlog.c alert-fastlog.h \ +alert-debuglog.c alert-debuglog.h \ log-httplog.c log-httplog.h \ alert-unified-log.c alert-unified-log.h \ alert-unified-alert.c alert-unified-alert.h \ diff --git a/src/alert-debuglog.c b/src/alert-debuglog.c new file mode 100644 index 0000000000..57c71ca5c8 --- /dev/null +++ b/src/alert-debuglog.c 
@@ -0,0 +1,242 @@ +/* Copyright (c) 2008 Victor Julien */ + +/* alert debuglog + * + * TODO + * - figure out a way to safely print detection engine info + * - maybe by having a log queue in the packet + * - maybe by accessing it just and hoping threading doesn't hurt + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "vips.h" +#include "debug.h" +#include "detect.h" +#include "flow.h" + +#include "threadvars.h" +#include "tm-modules.h" + +#include "util-print.h" + +#include "pkt-var.h" + +#include "util-unittest.h" + +int AlertDebuglog (ThreadVars *, Packet *, void *, PacketQueue *); +int AlertDebuglogIPv4(ThreadVars *, Packet *, void *, PacketQueue *); +int AlertDebuglogIPv6(ThreadVars *, Packet *, void *, PacketQueue *); +int AlertDebuglogThreadInit(ThreadVars *, void **); +int AlertDebuglogThreadDeinit(ThreadVars *, void *); +void AlertDebuglogExitPrintStats(ThreadVars *, void *); + +void TmModuleAlertDebuglogRegister (void) { + tmm_modules[TMM_ALERTDEBUGLOG].name = "AlertDebuglog"; + tmm_modules[TMM_ALERTDEBUGLOG].Init = AlertDebuglogThreadInit; + tmm_modules[TMM_ALERTDEBUGLOG].Func = AlertDebuglog; + tmm_modules[TMM_ALERTDEBUGLOG].ExitPrintStats = AlertDebuglogExitPrintStats; + tmm_modules[TMM_ALERTDEBUGLOG].Deinit = AlertDebuglogThreadDeinit; + tmm_modules[TMM_ALERTDEBUGLOG].RegisterTests = NULL; +} +/* +void TmModuleAlertDebuglogIPv4Register (void) { + tmm_modules[TMM_ALERTDEBUGLOG4].name = "AlertDebuglogIPv4"; + tmm_modules[TMM_ALERTDEBUGLOG4].Init = AlertDebuglogThreadInit; + tmm_modules[TMM_ALERTDEBUGLOG4].Func = AlertDebuglogIPv4; + tmm_modules[TMM_ALERTDEBUGLOG4].Deinit = AlertDebuglogThreadDeinit; + tmm_modules[TMM_ALERTDEBUGLOG4].RegisterTests = NULL; +} + +void TmModuleAlertDebuglogIPv6Register (void) { + tmm_modules[TMM_ALERTDEBUGLOG6].name = "AlertDebuglogIPv6"; + tmm_modules[TMM_ALERTDEBUGLOG6].Init = AlertDebuglogThreadInit; + tmm_modules[TMM_ALERTDEBUGLOG6].Func = 
AlertDebuglogIPv6; + tmm_modules[TMM_ALERTDEBUGLOG6].Deinit = AlertDebuglogThreadDeinit; + tmm_modules[TMM_ALERTDEBUGLOG6].RegisterTests = NULL; +} +*/ +typedef struct _AlertDebuglogThread { + FILE *fp; + u_int32_t alerts; +} AlertDebuglogThread; + +static void CreateTimeString (const struct timeval *ts, char *str, size_t size) { + time_t time = ts->tv_sec; + struct tm *t = gmtime(&time); + u_int32_t sec = ts->tv_sec % 86400; + + snprintf(str, size, "%02d/%02d/%02d-%02d:%02d:%02d.%06u", + t->tm_mon + 1, t->tm_mday, t->tm_year - 100, + sec / 3600, (sec % 3600) / 60, sec % 60, + (u_int32_t) ts->tv_usec); +} + +int AlertDebuglogIPv4(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq) +{ + AlertDebuglogThread *aft = (AlertDebuglogThread *)data; + int i; + char timebuf[64]; + + if (p->alerts.cnt == 0) + return 0; + + CreateTimeString(&p->ts, timebuf, sizeof(timebuf)); + + fprintf(aft->fp, "+================\n"); + fprintf(aft->fp, "TIME: %s\n", timebuf); + fprintf(aft->fp, "ALERT CNT: %u\n", p->alerts.cnt); + + for (i = 0; i < p->alerts.cnt; i++) { + PacketAlert *pa = &p->alerts.alerts[i]; + + fprintf(aft->fp, "ALERT MSG [%02d]: %s\n", i, pa->msg); + fprintf(aft->fp, "ALERT GID [%02d]: %u\n", i, pa->gid); + fprintf(aft->fp, "ALERT SID [%02d]: %u\n", i, pa->sid); + fprintf(aft->fp, "ALERT REV [%02d]: %u\n", i, pa->rev); + fprintf(aft->fp, "ALERT PRIO [%02d]: %u\n", i, pa->prio); + } + + char srcip[16], dstip[16]; + inet_ntop(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip)); + inet_ntop(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip)); + + fprintf(aft->fp, "SRC IP: %s\n", srcip); + fprintf(aft->fp, "DST IP: %s\n", dstip); + fprintf(aft->fp, "PROTO: %u\n", IPV4_GET_IPPROTO(p)); + if (IPV4_GET_IPPROTO(p) == IPPROTO_TCP || IPV4_GET_IPPROTO(p) == IPPROTO_UDP) { + fprintf(aft->fp, "SRC PORT: %u\n", p->sp); + fprintf(aft->fp, "DST PORT: %u\n", p->dp); + } + + /* flow stuff */ + fprintf(aft->fp, "FLOW: to_server: %s, to_client 
%s\n", + p->flowflags & FLOW_PKT_TOSERVER ? "TRUE" : "FALSE", + p->flowflags & FLOW_PKT_TOCLIENT ? "TRUE" : "FALSE"); + + PktVar *pv = PktVarGet(p,"http_host"); + if (pv) { + fprintf(aft->fp, "PKTVAR: %s\n", pv->name); + PrintRawDataFp(aft->fp, pv->value, pv->value_len); + } + + pv = PktVarGet(p,"http_ua"); + if (pv) { + fprintf(aft->fp, "PKTVAR: %s\n", pv->name); + PrintRawDataFp(aft->fp, pv->value, pv->value_len); + } + + for (i = 0; i < p->http_uri.cnt; i++) { + fprintf(aft->fp, "RAW URI [%2d]: ", i); + PrintRawUriFp(aft->fp, p->http_uri.raw[i], p->http_uri.raw_size[i]); + fprintf(aft->fp, "\n"); + PrintRawDataFp(aft->fp, p->http_uri.raw[i], p->http_uri.raw_size[i]); + } + +/* any stuff */ +/* Sig details? */ +/* pkt vars */ +/* flowvars */ + + aft->alerts += p->alerts.cnt; + + fprintf(aft->fp, "PACKET LEN: %u\n", p->pktlen); + fprintf(aft->fp, "PACKET:\n"); + PrintRawDataFp(aft->fp, p->pkt, p->pktlen); + + fflush(aft->fp); + return 0; +} + +int AlertDebuglogIPv6(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq) +{ + AlertDebuglogThread *aft = (AlertDebuglogThread *)data; + int i; + char timebuf[64]; + + if (p->alerts.cnt == 0) + return 0; + + aft->alerts += p->alerts.cnt; + + CreateTimeString(&p->ts, timebuf, sizeof(timebuf)); + + for (i = 0; i < p->alerts.cnt; i++) { + PacketAlert *pa = &p->alerts.alerts[i]; + char srcip[46], dstip[46]; + + inet_ntop(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip)); + inet_ntop(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip)); + + fprintf(aft->fp, "%s [**] [%u:%u:%u] %s [**] [Classification: fixme] [Priority: %u] {%u} %s:%u -> %s:%u\n", + timebuf, pa->gid, pa->sid, pa->rev, pa->msg, pa->prio, IPV6_GET_L4PROTO(p), srcip, p->sp, dstip, p->dp); + fflush(aft->fp); + } + + return 0; +} + +int AlertDebuglog (ThreadVars *tv, Packet *p, void *data, PacketQueue *pq) +{ + if (PKT_IS_IPV4(p)) { + return AlertDebuglogIPv4(tv, p, data, pq); + } else if (PKT_IS_IPV6(p)) { + return 
AlertDebuglogIPv6(tv, p, data, pq); + } + + return 0; +} + +int AlertDebuglogThreadInit(ThreadVars *t, void **data) +{ + AlertDebuglogThread *aft = malloc(sizeof(AlertDebuglogThread)); + if (aft == NULL) { + return -1; + } + memset(aft, 0, sizeof(AlertDebuglogThread)); + + /* XXX */ + aft->fp = fopen("/var/log/eips/alert-debug.log", "w"); + if (aft->fp == NULL) { + return -1; + } + + *data = (void *)aft; + return 0; +} + +int AlertDebuglogThreadDeinit(ThreadVars *t, void *data) +{ + AlertDebuglogThread *aft = (AlertDebuglogThread *)data; + if (aft == NULL) { + return 0; + } + + if (aft->fp != NULL) + fclose(aft->fp); + + /* clear memory */ + memset(aft, 0, sizeof(AlertDebuglogThread)); + + free(aft); + return 0; +} + +void AlertDebuglogExitPrintStats(ThreadVars *tv, void *data) { + AlertDebuglogThread *aft = (AlertDebuglogThread *)data; + if (aft == NULL) { + return; + } + + printf(" - (%s) Alerts %u.\n", tv->name, aft->alerts); +} + diff --git a/src/alert-debuglog.h b/src/alert-debuglog.h new file mode 100644 index 0000000000..08e50934b2 --- /dev/null +++ b/src/alert-debuglog.h @@ -0,0 +1,11 @@ +/* Copyright (c) 2008 Victor Julien */ + +#ifndef __ALERT_DEBUGLOG_H__ +#define __ALERT_DEBUGLOG_H__ + +void TmModuleAlertDebuglogRegister (void); +void TmModuleAlertDebuglogIPv4Register (void); +void TmModuleAlertDebuglogIPv6Register (void); + +#endif /* __ALERT_DEBUGLOG_H__ */ + diff --git a/src/alert-fastlog.c b/src/alert-fastlog.c index c610c9b333..b90c5e3a95 100644 --- a/src/alert-fastlog.c +++ b/src/alert-fastlog.c 
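Review bot: `AlertDebuglogThreadInit` leaks `aft` when the `fopen` call fails — add `free(aft);` before that second `return -1;`. In `AlertDebuglogIPv4` and `AlertDebuglogIPv6` the `pa->msg` argument goes to `%s` unguarded, while the detect.c hunk of this same commit prints `s->msg ? s->msg : ""`, so a signature without a msg would be undefined behaviour here; use the same guard. `CreateTimeString` relies on `gmtime`, which returns a shared static buffer, yet it runs on a packet-processing thread; `gmtime_r` with a local `struct tm` avoids the race, and the helper of the same name in alert-fastlog.c and log-httplog.c presumably shares the implementation. The module also writes the complete raw packet (`PrintRawDataFp(aft->fp, p->pkt, p->pktlen)`) to a hard-coded path marked `/* XXX */` whose permissions depend only on the process umask; since payloads can carry credentials, the path should become configurable and the file should be created with restrictive permissions before this leaves debug status.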
@@ -38,11 +38,13 @@ int AlertFastlogIPv4(ThreadVars *, Packet *, void *, PacketQueue *); int AlertFastlogIPv6(ThreadVars *, Packet *, void *, PacketQueue *); int AlertFastlogThreadInit(ThreadVars *, void **); int AlertFastlogThreadDeinit(ThreadVars *, void *); +void AlertFastlogExitPrintStats(ThreadVars *, void *); void TmModuleAlertFastlogRegister (void) { tmm_modules[TMM_ALERTFASTLOG].name = "AlertFastlog"; tmm_modules[TMM_ALERTFASTLOG].Init = AlertFastlogThreadInit; tmm_modules[TMM_ALERTFASTLOG].Func = AlertFastlog; + tmm_modules[TMM_ALERTFASTLOG].ExitPrintStats = AlertFastlogExitPrintStats; tmm_modules[TMM_ALERTFASTLOG].Deinit = AlertFastlogThreadDeinit; tmm_modules[TMM_ALERTFASTLOG].RegisterTests = NULL; } @@ -65,6 +67,7 @@ void TmModuleAlertFastlogIPv6Register (void) { typedef struct _AlertFastlogThread { FILE *fp; + u_int32_t alerts; } AlertFastlogThread; static void CreateTimeString (const struct timeval *ts, char *str, size_t size) { @@ -87,6 +90,8 @@ int AlertFastlogIPv4(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq) if (p->alerts.cnt == 0) return 0; + aft->alerts += p->alerts.cnt; + CreateTimeString(&p->ts, timebuf, sizeof(timebuf)); for (i = 0; i < p->alerts.cnt; i++) { @@ -112,6 +117,8 @@ int AlertFastlogIPv6(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq) if (p->alerts.cnt == 0) return 0; + aft->alerts += p->alerts.cnt; + CreateTimeString(&p->ts, timebuf, sizeof(timebuf)); for (i = 0; i < p->alerts.cnt; i++) { @@ -175,3 +182,12 @@ int AlertFastlogThreadDeinit(ThreadVars *t, void *data) return 0; } +void AlertFastlogExitPrintStats(ThreadVars *tv, void *data) { + AlertFastlogThread *aft = (AlertFastlogThread *)data; + if (aft == NULL) { + return; + } + + printf(" - (%s) Alerts %u.\n", tv->name, aft->alerts); +} + diff --git a/src/detect-engine-mpm.c b/src/detect-engine-mpm.c index 66053cd047..bf21cfd62c 100644 --- a/src/detect-engine-mpm.c +++ b/src/detect-engine-mpm.c 
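Review bot: Only `TmModuleAlertFastlogRegister` assigns the new `ExitPrintStats` member; `TmModuleAlertFastlogIPv4Register`/`IPv6Register` (whose bodies sit outside this hunk) and the alert-unified-log/alert modules, which this commit does not touch at all, are left relying on whatever value `tmm_modules[...].ExitPrintStats` already holds. The `!= NULL` checks added in tm-threads.c are only safe if `tmm_modules` has static storage and is zero-initialised — if that is the intent, a comment on the member in tm-modules.h such as `/* optional; NULL when the module reports no exit stats */` documents it, otherwise every Register function needs an explicit `= NULL` as `TmModuleDecodeNFQRegister` in source-nfq.c does.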
@@ -136,6 +136,9 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh) MpmInitCtx(sh->mpm_uri_ctx, MPM_WUMANBER); } + u_int16_t mpm_content_maxlen = 0, mpm_uricontent_maxlen = 0; + u_int32_t mpm_content_cnt = 0, mpm_uricontent_cnt = 0; + /* for each signature in this group do */ for (sig = 0; sig < sh->sig_cnt; sig++) { u_int32_t num = sh->match_array[sig]; @@ -146,8 +149,39 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh) cnt++; - /* find flow setting of this rule */ + u_int16_t content_maxlen = 0, uricontent_maxlen = 0; + u_int16_t content_cnt = 0, uricontent_cnt = 0; SigMatch *sm; + + for (sm = s->match; sm != NULL; sm = sm->next) { + if (sm->type == DETECT_CONTENT && !(sh->flags & SIG_GROUP_HEAD_MPM_COPY)) { + DetectContentData *cd = (DetectContentData *)sm->ctx; + if (cd->content_len > content_maxlen) + content_maxlen = cd->content_len; + + mpm_content_cnt++; + content_cnt++; + } else if (sm->type == DETECT_URICONTENT && !(sh->flags & SIG_GROUP_HEAD_MPM_URI_COPY)) { + DetectUricontentData *ud = (DetectUricontentData *)sm->ctx; + if (ud->uricontent_len > uricontent_maxlen) + uricontent_maxlen = ud->uricontent_len; + + mpm_uricontent_cnt++; + uricontent_cnt++; + } + } + + if (content_cnt) { + if (mpm_content_maxlen == 0) mpm_content_maxlen = content_maxlen; + if (mpm_content_maxlen > content_maxlen) + mpm_content_maxlen = content_maxlen; + } + if (uricontent_maxlen) { + if (mpm_uricontent_maxlen == 0) mpm_uricontent_maxlen = uricontent_maxlen; + if (mpm_uricontent_maxlen > uricontent_maxlen) + mpm_uricontent_maxlen = uricontent_maxlen; + } + for (sm = s->match; sm != NULL; sm = sm->next) { if (sm->type == DETECT_CONTENT && !(sh->flags & SIG_GROUP_HEAD_MPM_COPY)) { DetectContentData *cd = (DetectContentData *)sm->ctx; 
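Review bot: The uricontent branch tests `if (uricontent_maxlen)` while the content branch directly above tests `if (content_cnt)`; for symmetry, and so a signature whose only uricontent has length 0 is treated like the content case, it should read `if (uricontent_cnt) {`. `mpm_content_maxlen` and `mpm_uricontent_maxlen` end up holding the smallest per-signature maximum across the group (each iteration can only lower them), so a comment such as `/* smallest "longest pattern" of any sig in the group */` would stop a reader from assuming they are the group-wide maximum. The two `printf` lines added in the next two hunks run for every group at rule-load time; guarding them with `#ifdef DEBUG` keeps loading quiet in production. `PatternMatchPrepareGroup` begins and ends outside this hunk.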
@@ -174,6 +208,9 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh) if (sh->mpm_ctx->Prepare != NULL) { sh->mpm_ctx->Prepare(sh->mpm_ctx); } + if (mpm_content_cnt && mpm_content_maxlen > 1) + printf("mpm_content_cnt %u, mpm_content_maxlen %d\n", mpm_content_cnt, mpm_content_maxlen); + //sh->mpm_ctx->PrintCtx(sh->mpm_ctx); } /* uricontent */ @@ -181,6 +218,9 @@ int PatternMatchPrepareGroup(DetectEngineCtx *de_ctx, SigGroupHead *sh) if (sh->mpm_uri_ctx->Prepare != NULL) { sh->mpm_uri_ctx->Prepare(sh->mpm_uri_ctx); } + if (mpm_uricontent_cnt && mpm_uricontent_maxlen > 1) + printf("mpm_uricontent_cnt %u, mpm_uricontent_maxlen %d\n", mpm_uricontent_cnt, mpm_uricontent_maxlen); + //sh->mpm_uri_ctx->PrintCtx(sh->mpm_uri_ctx); } diff --git a/src/detect.c b/src/detect.c index 0ce11e37ed..ab4d618ca7 100644 --- a/src/detect.c +++ b/src/detect.c 
@@ -77,21 +77,26 @@ void SigLoadSignatures (void) /* The next 3 rules handle HTTP header capture. */ /* http_uri -- for uricontent */ - sig = SigInit("alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP URI cap\"; flow:to_server; content:\"GET \"; depth:4; pcre:\"/^GET (?P.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; noalert; sid:1;)"); + sig = SigInit("alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP GET URI cap\"; flow:to_server; content:\"GET \"; depth:4; pcre:\"/^GET (?P.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; noalert; sid:1;)"); if (sig) { prevsig = sig; g_de_ctx->sig_list = sig; } + sig = SigInit("alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP POST URI cap\"; flow:to_server; content:\"POST \"; depth:5; pcre:\"/^POST (?P.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; noalert; sid:2;)"); + if (sig == NULL) + return; + prevsig->next = sig; + prevsig = sig; /* http_host -- for the log-httplog module */ - sig = SigInit("alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP host cap\"; flow:to_server; content:\"Host:\"; pcre:\"/^Host: (?P.*)\\r\\n/m\"; noalert; sid:2;)"); + sig = SigInit("alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP host cap\"; flow:to_server; content:\"Host:\"; pcre:\"/^Host: (?P.*)\\r\\n/m\"; noalert; sid:3;)"); if (sig == NULL) return; prevsig->next = sig; prevsig = sig; /* http_ua -- for the log-httplog module */ - sig = SigInit("alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP UA cap\"; flow:to_server; content:\"User-Agent:\"; pcre:\"/^User-Agent: (?P.*)\\r\\n/m\"; noalert; sid:3;)"); + sig = SigInit("alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP UA cap\"; flow:to_server; content:\"User-Agent:\"; pcre:\"/^User-Agent: (?P.*)\\r\\n/m\"; noalert; sid:4;)"); if (sig == NULL) return; prevsig->next = sig; 
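Review bot: The new POST capture block does `prevsig->next = sig;` right after the GET rule, but `prevsig` is only assigned inside `if (sig) { ... }` for the GET rule; if the GET rule fails to parse and `prevsig` is not initialised outside the hunk, this dereferences an indeterminate or NULL pointer (the Host rule had the same pattern before, so this adds a second instance). Handling the GET rule like the others, `if (sig == NULL) return;`, removes the gap. Renumbering the Host and UA rules to sid 3 and 4 is fine internally, but since the next hunk filters trace output with `s->id > 100`, a comment here such as `/* sids 1..4 are the built-in noalert capture rules */` ties the two together. `SigLoadSignatures` starts outside this hunk.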
@@ -455,9 +460,16 @@ int SigMatchSignatures(ThreadVars *th_v, PatternMatcherThread *pmt, Packet *p) /* only if the last matched as well, we have a hit */ if (sm == NULL) { - printf("Signature %u matched: %s, flow: toserver %s toclient %s\n", s->id, s->msg ? s->msg : "", - p->flowflags & FLOW_PKT_TOSERVER ? "TRUE":"FALSE", - p->flowflags & FLOW_PKT_TOCLIENT ? "TRUE":"FALSE"); + if (s->id > 100) { + printf("Signature %u matched: %s, flow: toserver %s toclient %s proto %u, SP %s (%u) DP %s (%u) sig sp: ", + s->id, s->msg ? s->msg : "", + p->flowflags & FLOW_PKT_TOSERVER ? "TRUE":"FALSE", + p->flowflags & FLOW_PKT_TOCLIENT ? "TRUE":"FALSE", + p->proto, s->flags & SIG_FLAG_SP_ANY ? "ANY":"NOTANY", p->sp, + s->flags & SIG_FLAG_DP_ANY ? "ANY":"NOTANY", p->dp); + DetectPortPrint(s->sp); printf(" dp: "); + DetectPortPrint(s->dp); printf("\n"); + } fmatch = 1; if (!(s->flags & SIG_FLAG_NOALERT)) { @@ -518,7 +530,7 @@ static int SignatureIsIPOnly(Signature *s) { sm = s->match; if (sm == NULL) - return 1; + goto iponly; for ( ; sm != NULL; sm = sm->next) { if (sm->type == DETECT_CONTENT) { @@ -536,6 +548,8 @@ static int SignatureIsIPOnly(Signature *s) { } } +iponly: + printf("IP-ONLY (%u): source %s, dest %s\n", s->id, s->flags & SIG_FLAG_SRC_ANY ? "ANY" : "SET", s->flags & SIG_FLAG_DST_ANY ? "ANY" : "SET"); return 1; } diff --git a/src/flow.c b/src/flow.c index dffbaa1b67..2ee2123764 100644 --- a/src/flow.c +++ b/src/flow.c @@ -278,6 +278,7 @@ void FlowInitConfig (void) /* Not Thread safe */ void FlowPrintFlows (void) { +/* int i; printf("Flows:\n"); for (i = 0; i < flow_config.hash_size; i++) { @@ -301,6 +302,7 @@ void FlowPrintFlows (void) } } } +*/ printf("Flow Queue info:\n"); printf("SPARE %u\n", flow_spare_q.len); #ifdef DBG_PERF diff --git a/src/log-httplog.c b/src/log-httplog.c index ded975d650..742dbafab6 100644 --- a/src/log-httplog.c +++ b/src/log-httplog.c 
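Review bot: `if (s->id > 100)` is a magic threshold whose only visible purpose is to keep the built-in capture rules out of the trace output; those rules carry `noalert`, and `SIG_FLAG_NOALERT` is already tested two lines further down, so `if (!(s->flags & SIG_FLAG_NOALERT)) {` expresses the intent without the number and does not break the moment a user rule uses a low sid. The `DetectPortPrint(s->sp); printf(" dp: ");` pairs put two statements on one line, which the rest of the file does not do. In `SignatureIsIPOnly` the new `iponly:` label makes every IP-only signature print at load time; if that is meant as debugging output it belongs under the same guard as the other trace prints.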
@@ -25,6 +25,7 @@ #include "threads.h" +#include "util-print.h" #include "util-unittest.h" int LogHttplog (ThreadVars *, Packet *, void *, PacketQueue *); @@ -32,11 +33,13 @@ int LogHttplogIPv4(ThreadVars *, Packet *, void *, PacketQueue *); int LogHttplogIPv6(ThreadVars *, Packet *, void *, PacketQueue *); int LogHttplogThreadInit(ThreadVars *, void **); int LogHttplogThreadDeinit(ThreadVars *, void *); +void LogHttplogExitPrintStats(ThreadVars *, void *); void TmModuleLogHttplogRegister (void) { tmm_modules[TMM_LOGHTTPLOG].name = "LogHttplog"; tmm_modules[TMM_LOGHTTPLOG].Init = LogHttplogThreadInit; tmm_modules[TMM_LOGHTTPLOG].Func = LogHttplog; + tmm_modules[TMM_LOGHTTPLOG].ExitPrintStats = LogHttplogExitPrintStats; tmm_modules[TMM_LOGHTTPLOG].Deinit = LogHttplogThreadDeinit; tmm_modules[TMM_LOGHTTPLOG].RegisterTests = NULL; } @@ -59,6 +62,7 @@ void TmModuleLogHttplogIPv6Register (void) { typedef struct _LogHttplogThread { FILE *fp; + u_int32_t uri_cnt; } LogHttplogThread; static void CreateTimeString (const struct timeval *ts, char *str, size_t size) { @@ -76,30 +80,14 @@ int LogHttplogIPv4(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq) { LogHttplogThread *aft = (LogHttplogThread *)data; int i; - char timebuf[64], hostname[256] = "unknown", ua[256] = "unknown"; - PktVar *pv; - u_int16_t size; + char timebuf[64]; /* XXX add a better check for this */ if (p->http_uri.cnt == 0) return 0; - pv = PktVarGet(p, "http_host"); - if (pv != NULL) { - size = pv->value_len; - if (size >= sizeof(hostname)) - size = sizeof(hostname) - 1; - - strncpy(hostname,(char *)pv->value,size); - } - pv = PktVarGet(p, "http_ua"); - if (pv != NULL) { - size = pv->value_len; - if (size >= sizeof(ua)) - size = sizeof(ua) - 1; - - strncpy(ua,(char *)pv->value,size); - } + PktVar *pv_hn = PktVarGet(p, "http_host"); + PktVar *pv_ua = PktVarGet(p, "http_ua"); CreateTimeString(&p->ts, timebuf, sizeof(timebuf)); 
@@ -108,10 +96,24 @@ int LogHttplogIPv4(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq) inet_ntop(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip)); for (i = 0; i < p->http_uri.cnt; i++) { - fprintf(aft->fp, "%s %s [**] %s [**] %s [**] %s:%u -> %s:%u\n", - timebuf, hostname, p->http_uri.raw[i], ua, srcip, p->sp, dstip, p->dp); - fflush(aft->fp); + /* time */ + fprintf(aft->fp, "%s ", timebuf); + /* hostname */ + if (pv_hn != NULL) PrintRawUriFp(aft->fp, pv_hn->value, pv_hn->value_len); + else fprintf(aft->fp, ""); + fprintf(aft->fp, " [**] "); + /* uri */ + PrintRawUriFp(aft->fp, p->http_uri.raw[i], p->http_uri.raw_size[i]); + fprintf(aft->fp, " [**] "); + /* user agent */ + if (pv_ua != NULL) PrintRawUriFp(aft->fp, pv_ua->value, pv_ua->value_len); + else fprintf(aft->fp, ""); + /* ip/tcp header info */ + fprintf(aft->fp, " [**] %s:%u -> %s:%u\n", srcip, p->sp, dstip, p->dp); } + fflush(aft->fp); + + aft->uri_cnt += p->http_uri.cnt; return 0; } @@ -119,30 +121,14 @@ int LogHttplogIPv6(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq) { LogHttplogThread *aft = (LogHttplogThread *)data; int i; - char timebuf[64], hostname[256] = "unknown", ua[256] = "unknown"; - PktVar *pv; - u_int16_t size; + char timebuf[64]; /* XXX add a better check for this */ if (p->http_uri.cnt == 0) return 0; - pv = PktVarGet(p, "http_host"); - if (pv != NULL) { - size = pv->value_len; - if (size >= sizeof(hostname)) - size = sizeof(hostname) - 1; - - strncpy(hostname,(char *)pv->value,size); - } - pv = PktVarGet(p, "http_ua"); - if (pv != NULL) { - size = pv->value_len; - if (size >= sizeof(ua)) - size = sizeof(ua) - 1; - - strncpy(ua,(char *)pv->value,size); - } + PktVar *pv_hn = PktVarGet(p, "http_host"); + PktVar *pv_ua = PktVarGet(p, "http_ua"); CreateTimeString(&p->ts, timebuf, sizeof(timebuf)); 
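Review bot: `else fprintf(aft->fp, "");` in the hostname and user-agent branches prints nothing, so a request without a Host or User-Agent header now yields an empty field where the removed code wrote `unknown`; either restore the placeholder with `else fputs("unknown", aft->fp);` or drop the `else` branch, and the same applies to the IPv6 loop in the `@@ -151,10 +137,24 @@` hunk. Replacing `%s` on `p->http_uri.raw[i]` with `PrintRawUriFp(..., p->http_uri.raw_size[i])` is a real improvement: the value is now length-bounded rather than assumed NUL-terminated, and non-printable bytes including CR/LF are escaped, which closes the log-injection path the old format string had. The ` [**] ` separator is itself printable, so a header value containing it still passes through verbatim; anything parsing this log should not treat the separator as authoritative.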
@@ -151,10 +137,24 @@ int LogHttplogIPv6(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq) inet_ntop(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip)); for (i = 0; i < p->http_uri.cnt; i++) { - fprintf(aft->fp, "%s %s [**] %s [**] %s [**] %s:%u -> %s:%u\n", - timebuf, hostname, p->http_uri.raw[i], ua, srcip, p->sp, dstip, p->dp); - fflush(aft->fp); + /* time */ + fprintf(aft->fp, "%s ", timebuf); + /* hostname */ + if (pv_hn != NULL) PrintRawUriFp(aft->fp, pv_hn->value, pv_hn->value_len); + else fprintf(aft->fp, ""); + fprintf(aft->fp, " [**] "); + /* uri */ + PrintRawUriFp(aft->fp, p->http_uri.raw[i], p->http_uri.raw_size[i]); + fprintf(aft->fp, " [**] "); + /* user agent */ + if (pv_ua != NULL) PrintRawUriFp(aft->fp, pv_ua->value, pv_ua->value_len); + else fprintf(aft->fp, ""); + /* ip/tcp header info */ + fprintf(aft->fp, " [**] %s:%u -> %s:%u\n", srcip, p->sp, dstip, p->dp); } + fflush(aft->fp); + + aft->uri_cnt += p->http_uri.cnt; return 0; } @@ -207,3 +207,12 @@ int LogHttplogThreadDeinit(ThreadVars *t, void *data) return 0; } +void LogHttplogExitPrintStats(ThreadVars *tv, void *data) { + LogHttplogThread *aft = (LogHttplogThread *)data; + if (aft == NULL) { + return; + } + + printf(" - (%s) HTTP requests %u.\n", tv->name, aft->uri_cnt); +} + diff --git a/src/source-nfq.c b/src/source-nfq.c index 88b2775fe5..f98b44de51 100644 --- a/src/source-nfq.c +++ b/src/source-nfq.c @@ -29,9 +29,13 @@ static u_int16_t verdict_queue_num = 0; int ReceiveNFQ(ThreadVars *, Packet *, void *, PacketQueue *); int ReceiveNFQThreadInit(ThreadVars *, void **); +void ReceiveNFQThreadExitStats(ThreadVars *, void *); + int VerdictNFQ(ThreadVars *, Packet *, void *, PacketQueue *); int VerdictNFQThreadInit(ThreadVars *, void **); +void VerdictNFQThreadExitStats(ThreadVars *, void *); int VerdictNFQThreadDeinit(ThreadVars *, void *); + int DecodeNFQ(ThreadVars *, Packet *, void *, PacketQueue *); void TmModuleReceiveNFQRegister (void) { 
@@ -42,6 +46,7 @@ void TmModuleReceiveNFQRegister (void) { tmm_modules[TMM_RECEIVENFQ].name = "ReceiveNFQ"; tmm_modules[TMM_RECEIVENFQ].Init = ReceiveNFQThreadInit; tmm_modules[TMM_RECEIVENFQ].Func = ReceiveNFQ; + tmm_modules[TMM_RECEIVENFQ].ExitPrintStats = ReceiveNFQThreadExitStats; tmm_modules[TMM_RECEIVENFQ].Deinit = NULL; tmm_modules[TMM_RECEIVENFQ].RegisterTests = NULL; } @@ -50,6 +55,7 @@ void TmModuleVerdictNFQRegister (void) { tmm_modules[TMM_VERDICTNFQ].name = "VerdictNFQ"; tmm_modules[TMM_VERDICTNFQ].Init = VerdictNFQThreadInit; tmm_modules[TMM_VERDICTNFQ].Func = VerdictNFQ; + tmm_modules[TMM_VERDICTNFQ].ExitPrintStats = VerdictNFQThreadExitStats; tmm_modules[TMM_VERDICTNFQ].Deinit = VerdictNFQThreadDeinit; tmm_modules[TMM_VERDICTNFQ].RegisterTests = NULL; } @@ -58,6 +64,7 @@ void TmModuleDecodeNFQRegister (void) { tmm_modules[TMM_DECODENFQ].name = "DecodeNFQ"; tmm_modules[TMM_DECODENFQ].Init = NULL; tmm_modules[TMM_DECODENFQ].Func = DecodeNFQ; + tmm_modules[TMM_DECODENFQ].ExitPrintStats = NULL; tmm_modules[TMM_DECODENFQ].Deinit = NULL; tmm_modules[TMM_DECODENFQ].RegisterTests = NULL; } @@ -114,6 +121,7 @@ static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, #ifdef COUNTERS nfq_t->pkts++; + nfq_t->bytes += p->pktlen; #endif /* COUNTERS */ /* pass on... */ @@ -221,7 +229,7 @@ int NFQInitThread(NFQThreadVars *nfq_t, u_int16_t queue_num, u_int32_t queue_max } int ReceiveNFQThreadInit(ThreadVars *tv, void **data) { - printf("ReceiveNFQThreadInit: starting... will bind to queuenum %u\n", receive_queue_num); + //printf("ReceiveNFQThreadInit: starting... will bind to queuenum %u\n", receive_queue_num); NFQThreadVars *ntv = &nfq_t[receive_queue_num]; 
@@ -242,7 +250,7 @@ int ReceiveNFQThreadInit(ThreadVars *tv, void **data) { } int VerdictNFQThreadInit(ThreadVars *tv, void **data) { - printf("VerdictNFQThreadInit: starting... will bind to queuenum %u\n", verdict_queue_num); + //printf("VerdictNFQThreadInit: starting... will bind to queuenum %u\n", verdict_queue_num); /* no initialization, ReceiveNFQ takes care of that */ NFQThreadVars *ntv = &nfq_t[verdict_queue_num]; @@ -255,7 +263,7 @@ int VerdictNFQThreadInit(ThreadVars *tv, void **data) { int VerdictNFQThreadDeinit(ThreadVars *tv, void *data) { NFQThreadVars *ntv = (NFQThreadVars *)data; - printf("VerdictNFQThreadDeinit: starting... will close queuenum %u\n", ntv->queue_num); + //printf("VerdictNFQThreadDeinit: starting... will close queuenum %u\n", ntv->queue_num); nfq_destroy_queue(ntv->qh); @@ -305,6 +313,20 @@ int ReceiveNFQ(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq) { return 0; } +void ReceiveNFQThreadExitStats(ThreadVars *tv, void *data) { + NFQThreadVars *ntv = (NFQThreadVars *)data; +#ifdef COUNTERS + printf(" - (%s) Pkts %u, Bytes %llu, Errors %u\n", tv->name, ntv->pkts, ntv->bytes, ntv->errs); +#endif +} + +void VerdictNFQThreadExitStats(ThreadVars *tv, void *data) { + NFQThreadVars *ntv = (NFQThreadVars *)data; +#ifdef COUNTERS + printf(" - (%s) Pkts accepted %u, dropped %u\n", tv->name, ntv->accepted, ntv->dropped); +#endif +} + void NFQSetVerdict(NFQThreadVars *t, Packet *p) { int ret; u_int32_t verdict; @@ -323,6 +345,11 @@ void NFQSetVerdict(NFQThreadVars *t, Packet *p) { verdict = NF_DROP; } +#ifdef COUNTERS + if (verdict == NF_ACCEPT) t->accepted++; + if (verdict == NF_DROP) t->dropped++; +#endif /* COUNTERS */ + mutex_lock(&t->mutex_qh); ret = nfq_set_verdict(t->qh, p->nfq_v.id, verdict, 0, NULL); mutex_unlock(&t->mutex_qh); diff --git a/src/source-nfq.h b/src/source-nfq.h index 96e50c1f1a..958b442ac2 100644 --- a/src/source-nfq.h +++ b/src/source-nfq.h 
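Review bot: `ReceiveNFQThreadExitStats` prints `ntv->bytes`, declared `u_int64_t` in the source-nfq.h hunk, with `%llu`; on LP64 Linux `u_int64_t` is `unsigned long`, so this is a format/argument type mismatch (undefined behaviour and a `-Wformat` warning). Use `"%" PRIu64` from `<inttypes.h>` for that argument. When `COUNTERS` is not defined, `ntv` is unused in both new ExitStats functions and will warn; move the declaration inside the `#ifdef COUNTERS` block. The `printf` calls turned into `//` comments in the `@@ -221,7 +229,7 @@`, `@@ -242,7 +250,7 @@` and `@@ -255,7 +263,7 @@` hunks should be deleted rather than kept as dead code.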
@@ -39,7 +39,10 @@ typedef struct _NFQThreadVars /* counters */ u_int32_t pkts; + u_int64_t bytes; u_int32_t errs; + u_int32_t accepted; + u_int32_t dropped; ThreadVars *tv; } NFQThreadVars; diff --git a/src/tm-modules.h b/src/tm-modules.h index d5dacc068b..99de4c7a44 100644 --- a/src/tm-modules.h +++ b/src/tm-modules.h @@ -5,6 +5,7 @@ typedef struct _TmModule { char *name; int (*Init)(ThreadVars *, void **); int (*Func)(ThreadVars *, Packet *, void *, PacketQueue *); + void (*ExitPrintStats)(ThreadVars *, void *); int (*Deinit)(ThreadVars *, void *); void (*RegisterTests)(void); } TmModule; @@ -19,6 +20,7 @@ enum { TMM_ALERTFASTLOG6, TMM_ALERTUNIFIEDLOG, TMM_ALERTUNIFIEDALERT, + TMM_ALERTDEBUGLOG, TMM_RESPONDREJECT, TMM_LOGHTTPLOG, TMM_LOGHTTPLOG4, diff --git a/src/tm-threads.c b/src/tm-threads.c index eb905205f4..5c2fa71771 100644 --- a/src/tm-threads.c +++ b/src/tm-threads.c @@ -13,6 +13,7 @@ static ThreadVars *tv_root; typedef struct _Tm1Slot { int (*Slot1Init)(ThreadVars *, void **); int (*Slot1Func)(ThreadVars *, Packet *, void *, PacketQueue *); + void (*Slot1ExitPrintStats)(ThreadVars *, void *); int (*Slot1Deinit)(ThreadVars *, void *); void *slot1_data; PacketQueue slot1_pq; @@ -22,12 +23,14 @@ typedef struct _Tm1Slot { typedef struct _Tm2Slot { int (*Slot1Init)(ThreadVars *, void **); int (*Slot1Func)(ThreadVars *, Packet *, void *, PacketQueue *); + void (*Slot1ExitPrintStats)(ThreadVars *, void *); int (*Slot1Deinit)(ThreadVars *, void *); void *slot1_data; PacketQueue slot1_pq; int (*Slot2Init)(ThreadVars *, void **); int (*Slot2Func)(ThreadVars *, Packet *, void *, PacketQueue *); + void (*Slot2ExitPrintStats)(ThreadVars *, void *); int (*Slot2Deinit)(ThreadVars *, void *); void *slot2_data; PacketQueue slot2_pq; 
@@ -37,18 +40,21 @@ typedef struct _Tm2Slot { typedef struct _Tm3Slot { int (*Slot1Init)(ThreadVars *, void **); int (*Slot1Func)(ThreadVars *, Packet *, void *, PacketQueue *); + void (*Slot1ExitPrintStats)(ThreadVars *, void *); int (*Slot1Deinit)(ThreadVars *, void *); void *slot1_data; PacketQueue slot1_pq; int (*Slot2Init)(ThreadVars *, void **); int (*Slot2Func)(ThreadVars *, Packet *, void *, PacketQueue *); + void (*Slot2ExitPrintStats)(ThreadVars *, void *); int (*Slot2Deinit)(ThreadVars *, void *); void *slot2_data; PacketQueue slot2_pq; int (*Slot3Init)(ThreadVars *, void **); int (*Slot3Func)(ThreadVars *, Packet *, void *, PacketQueue *); + void (*Slot3ExitPrintStats)(ThreadVars *, void *); int (*Slot3Deinit)(ThreadVars *, void *); void *slot3_data; PacketQueue slot3_pq; @@ -85,6 +91,10 @@ void *TmThreadsSlot1NoIn(void *td) { run = 0; } + if (s1->Slot1ExitPrintStats != NULL) { + s1->Slot1ExitPrintStats(tv, s1->slot1_data); + } + if (s1->Slot1Deinit != NULL) { r = s1->Slot1Deinit(tv, s1->slot1_data); if (r != 0) { @@ -120,6 +130,10 @@ void *TmThreadsSlot1NoOut(void *td) { run = 0; } + if (s1->Slot1ExitPrintStats != NULL) { + s1->Slot1ExitPrintStats(tv, s1->slot1_data); + } + if (s1->Slot1Deinit != NULL) { r = s1->Slot1Deinit(tv, s1->slot1_data); if (r != 0) { @@ -157,6 +171,10 @@ void *TmThreadsSlot1NoInOut(void *td) { } } + if (s1->Slot1ExitPrintStats != NULL) { + s1->Slot1ExitPrintStats(tv, s1->slot1_data); + } + if (s1->Slot1Deinit != NULL) { r = s1->Slot1Deinit(tv, s1->slot1_data); if (r != 0) { @@ -212,6 +230,10 @@ void *TmThreadsSlot1(void *td) { } } + if (s1->Slot1ExitPrintStats != NULL) { + s1->Slot1ExitPrintStats(tv, s1->slot1_data); + } + if (s1->Slot1Deinit != NULL) { r = s1->Slot1Deinit(tv, s1->slot1_data); if (r != 0) { 
@@ -285,12 +307,21 @@ void *TmThreadsSlot2(void *td) { } } + if (s2->Slot1ExitPrintStats != NULL) { + s2->Slot1ExitPrintStats(tv, s2->slot1_data); + } + if (s2->Slot1Deinit != NULL) { r = s2->Slot1Deinit(tv, s2->slot1_data); if (r != 0) { pthread_exit((void *) -1); } } + + if (s2->Slot2ExitPrintStats != NULL) { + s2->Slot2ExitPrintStats(tv, s2->slot2_data); + } + if (s2->Slot2Deinit != NULL) { r = s2->Slot2Deinit(tv, s2->slot2_data); if (r != 0) { @@ -395,18 +426,32 @@ void *TmThreadsSlot3(void *td) { } } + if (s3->Slot1ExitPrintStats != NULL) { + s3->Slot1ExitPrintStats(tv, s3->slot1_data); + } + if (s3->Slot1Deinit != NULL) { r = s3->Slot1Deinit(tv, s3->slot1_data); if (r != 0) { pthread_exit((void *) -1); } } + + if (s3->Slot2ExitPrintStats != NULL) { + s3->Slot2ExitPrintStats(tv, s3->slot2_data); + } + if (s3->Slot2Deinit != NULL) { r = s3->Slot2Deinit(tv, s3->slot2_data); if (r != 0) { pthread_exit((void *) -1); } } + + if (s3->Slot3ExitPrintStats != NULL) { + s3->Slot3ExitPrintStats(tv, s3->slot3_data); + } + if (s3->Slot3Deinit != NULL) { r = s3->Slot3Deinit(tv, s3->slot3_data); if (r != 0) { @@ -459,6 +504,7 @@ void Tm1SlotSetFunc(ThreadVars *tv, TmModule *tm) { s1->Slot1Init = tm->Init; s1->Slot1Func = tm->Func; + s1->Slot1ExitPrintStats = tm->ExitPrintStats; s1->Slot1Deinit = tm->Deinit; } @@ -471,6 +517,7 @@ void Tm2SlotSetFunc1(ThreadVars *tv, TmModule *tm) { s2->Slot1Init = tm->Init; s2->Slot1Func = tm->Func; + s2->Slot1ExitPrintStats = tm->ExitPrintStats; s2->Slot1Deinit = tm->Deinit; } @@ -483,6 +530,7 @@ void Tm2SlotSetFunc2(ThreadVars *tv, TmModule *tm) { s2->Slot2Init = tm->Init; s2->Slot2Func = tm->Func; + s2->Slot2ExitPrintStats = tm->ExitPrintStats; s2->Slot2Deinit = tm->Deinit; } @@ -495,6 +543,7 @@ void Tm3SlotSetFunc1(ThreadVars *tv, TmModule *tm) { s3->Slot1Init = tm->Init; s3->Slot1Func = tm->Func; + s3->Slot1ExitPrintStats = tm->ExitPrintStats; s3->Slot1Deinit = tm->Deinit; } 
@@ -507,6 +556,7 @@ void Tm3SlotSetFunc2(ThreadVars *tv, TmModule *tm) {
 s3->Slot2Init = tm->Init;
 s3->Slot2Func = tm->Func;
+ s3->Slot2ExitPrintStats = tm->ExitPrintStats;
 s3->Slot2Deinit = tm->Deinit;
 }
@@ -514,12 +564,13 @@ void Tm3SlotSetFunc3(ThreadVars *tv, TmModule *tm) {
 Tm3Slot *s3 = (Tm3Slot *)tv->tm_slots;
 if (s3->Slot2Func != NULL)
- printf("Warning: slot 2 is already set tp %p, "
+ printf("Warning: slot 3 is already set tp %p, "
 "overwriting with %p\n", s3->Slot2Func, tm->Func);
- s3->Slot2Init = tm->Init;
- s3->Slot2Func = tm->Func;
- s3->Slot2Deinit = tm->Deinit;
+ s3->Slot3Init = tm->Init;
+ s3->Slot3Func = tm->Func;
+ s3->Slot3ExitPrintStats = tm->ExitPrintStats;
+ s3->Slot3Deinit = tm->Deinit;
 }
 ThreadVars *TmThreadCreate(char *name, char *inq_name, char *inqh_name, char *outq_name, char *outqh_name, char *slots) {
diff --git a/src/util-print.c b/src/util-print.c
new file mode 100644
index 0000000000..ecf2b19108
--- /dev/null
+++ b/src/util-print.c
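Review bot: The fix in Tm3SlotSetFunc3 is only half done: the assignments now target Slot3Init/Slot3Func/Slot3Deinit, but the overwrite guard two lines above still tests and prints `s3->Slot2Func`, so a slot 3 that is already populated is overwritten silently while an occupied slot 2 triggers a warning that reads "slot 3 is already set". The condition should be `if (s3->Slot3Func != NULL)` and the printf argument `s3->Slot3Func`. While touching that message, `tp` is a typo for `to`.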
@@ -0,0 +1,49 @@
+/* Copyright (c) 2008 by Victor Julien */
+
+#include
+#include
+#include
+#include
+
+void PrintRawUriFp(FILE *fp, u_int8_t *buf, u_int32_t buflen) {
+ int i;
+ for (i = 0; i < buflen; i++) {
+ if (isprint(buf[i])) fprintf(fp, "%c", buf[i]);
+ else fprintf(fp, "\\x%02X", buf[i]);
+ }
+}
+
+void PrintRawDataFp(FILE *fp, u_int8_t *buf, u_int32_t buflen) {
+ int i,ch = 0;
+
+ for (i = 0; i < buflen; i+=16) {
+ fprintf(fp ," %04X ", i);
+ ch = 0;
+ for (ch = 0; (i+ch) < buflen && ch < 16; ch++) {
+ fprintf(fp, "%02X ", (u_int8_t)buf[i+ch]);
+
+ if (ch == 7) fprintf(fp, " ");
+ }
+ if (ch == 16) fprintf(fp, " ");
+ else if (ch < 8) {
+ int spaces = (16 - ch) * 3 + 2 + 1;
+ int s = 0;
+ for ( ; s < spaces; s++) fprintf(fp, " ");
+ } else if(ch < 16) {
+ int spaces = (16 - ch) * 3 + 2;
+ int s = 0;
+ for ( ; s < spaces; s++) fprintf(fp, " ");
+ }
+
+ ch = 0;
+ for (ch = 0; (i+ch) < buflen && ch < 16; ch++) {
+ fprintf(fp, "%c", isprint((u_int8_t)buf[i+ch]) ? (u_int8_t)buf[i+ch] : '.');
+
+ if (ch == 7) fprintf(fp, " ");
+ if (ch == 15) fprintf(fp, "\n");
+ }
+ }
+ if (ch != 16)
+ fprintf(fp, "\n");
+}
+
diff --git a/src/util-print.h b/src/util-print.h
new file mode 100644
index 0000000000..e4c4c77189
--- /dev/null
+++ b/src/util-print.h
@@ -0,0 +1,10 @@
+/* Copyright (c) 2008 by Victor Julien */
+
+#ifndef __UTIL_PRINT_H__
+#define __UTIL_PRINT_H__
+
+void PrintRawUriFp(FILE *fp, u_int8_t *buf, u_int32_t buflen);
+void PrintRawDataFp(FILE *fp, u_int8_t *buf, u_int32_t buflen);
+
+#endif /* __UTIL_PRINT_H__ */
+
diff --git a/src/vips.c b/src/vips.c
index c3672e33bc..b3db8ffad2 100644
--- a/src/vips.c
+++ b/src/vips.c
@@ -37,6 +37,7 @@
 #include "alert-fastlog.h"
 #include "alert-unified-log.h"
 #include "alert-unified-alert.h"
+#include "alert-debuglog.h"
 #include "log-httplog.h"
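Review bot: PrintRawUriFp escapes non-printable bytes as `\xHH` but passes a literal backslash through untouched because isprint('\\') is true, so a URI that already contains the text `\x41` is logged byte-for-byte identically to one containing the single byte 0x41; whoever parses the log cannot tell attacker-supplied escape text from the escaping this function adds. Escape the backslash itself, e.g. `if (buf[i] == '\\') fprintf(fp, "\\\\");` / `else if (isprint(buf[i])) fprintf(fp, "%c", buf[i]);` / `else fprintf(fp, "\\x%02X", buf[i]);`. Two smaller points on the same function and PrintRawDataFp: both loop with `int i` against a `u_int32_t buflen`, which is a signed/unsigned comparison that compilers warn about and which stops terminating correctly above INT_MAX, so `u_int32_t i` is the better match; and isprint() is locale-dependent, so bytes 0x80 and above may reach the log unescaped in a non-C locale, which is worth a comment if the logs are meant to be 7-bit clean.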
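Review bot: util-print.h uses `FILE`, `u_int8_t` and `u_int32_t` in its two prototypes but includes nothing, so it only compiles when the including file happens to have pulled in `<stdio.h>` and `<sys/types.h>` first; every new caller of PrintRawUriFp/PrintRawDataFp inherits that ordering constraint. Adding `#include <stdio.h>` and `#include <sys/types.h>` right after the include guard makes the header self-contained. The four `#include` lines in util-print.c arrive with their header names stripped in this listing, so I cannot confirm which headers the .c file itself relies on.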
@@ -180,6 +181,7 @@ int main(int argc, char **argv)
 TmModuleDecodeNFQRegister();
 TmModuleDetectRegister();
 TmModuleAlertFastlogRegister();
+ TmModuleAlertDebuglogRegister();
 TmModuleRespondRejectRegister();
 TmModuleAlertFastlogIPv4Register();
 TmModuleAlertFastlogIPv6Register();
@@ -382,7 +384,8 @@ int main(int argc, char **argv)
 exit(1);
 }
- ThreadVars *tv_unified = TmThreadCreate("AlertUnifiedLog","alert-queue2","simple","packetpool","packetpool","2slot");
+ //ThreadVars *tv_unified = TmThreadCreate("AlertUnifiedLog","alert-queue2","simple","packetpool","packetpool","2slot");
+ ThreadVars *tv_unified = TmThreadCreate("AlertUnifiedLog","alert-queue2","simple","alert-queue3","simple","2slot");
 if (tv_unified == NULL) {
 printf("ERROR: TmThreadsCreate failed\n");
 exit(1);
@@ -407,24 +410,24 @@ int main(int argc, char **argv)
 exit(1);
 }
-/*
- ThreadVars *tv_unifiedalert = TmThreadCreate("AlertUnifiedAlert","alert-queue3","simple","packetpool","packetpool","1slot");
- if (tv_unifiedalert == NULL) {
+
+ ThreadVars *tv_debugalert = TmThreadCreate("AlertDebuglog","alert-queue3","simple","packetpool","packetpool","1slot");
+ if (tv_debugalert == NULL) {
 printf("ERROR: TmThreadsCreate failed\n");
 exit(1);
 }
- tm_module = TmModuleGetByName("AlertUnifiedAlert");
+ tm_module = TmModuleGetByName("AlertDebuglog");
 if (tm_module == NULL) {
 printf("ERROR: TmModuleGetByName failed\n");
 exit(1);
 }
- Tm1SlotSetFunc(tv_unifiedalert,tm_module);
+ Tm1SlotSetFunc(tv_debugalert,tm_module);
- if (TmThreadSpawn(tv_unifiedalert) != 0) {
+ if (TmThreadSpawn(tv_debugalert) != 0) {
 printf("ERROR: TmThreadSpawn failed\n");
 exit(1);
 }
-*/
+
 ThreadVars tv_flowmgr;
 memset(&tv_flowmgr, 0, sizeof(ThreadVars));
 printf("Creating FlowManagerThread...\n");
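Review bot: The old `TmThreadCreate("AlertUnifiedLog", ..., "packetpool","packetpool","2slot")` call is kept as a `//` comment next to its replacement, which is exactly the kind of leftover that the previous `/* ... */`-disabled block in this same function turned into; the revision history already preserves it, so delete the commented line. If the intent is to keep the old wiring switchable, a one-line comment stating why AlertUnifiedLog now feeds "alert-queue3" instead of returning packets to the pool would serve better than dead code. main() starts and ends outside this hunk.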
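Review bot: This block is now load-bearing rather than optional: the AlertUnifiedLog thread created earlier in main() hands its packets to "alert-queue3", and the AlertDebuglog thread wired here is the only consumer that returns them to "packetpool". If this block is ever commented out again, as its AlertUnifiedAlert predecessor was, packets would accumulate on alert-queue3 and never re-enter the pool, which, as far as the visible code shows, would starve the capture side once the pool is exhausted. A comment above the `TmThreadCreate("AlertDebuglog","alert-queue3", ...)` line such as `/* consumes alert-queue3 from AlertUnifiedLog and returns packets to packetpool; do not disable without re-pointing AlertUnifiedLog's output */` records that dependency where the next editor will see it.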