diff --git a/src/Makefile.am b/src/Makefile.am index 85486cf1fa..a4a2289444 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -286,7 +286,6 @@ ippair-bit.c ippair-bit.h \ ippair-queue.c ippair-queue.h \ ippair-storage.c ippair-storage.h \ ippair-timeout.c ippair-timeout.h \ -log-dnslog.c log-dnslog.h \ log-droplog.c log-droplog.h \ log-filestore.c log-filestore.h \ log-cf-common.c log-cf-common.h \ diff --git a/src/log-dnslog.c b/src/log-dnslog.c deleted file mode 100644 index 2e4b628b11..0000000000 --- a/src/log-dnslog.c +++ /dev/null @@ -1,380 +0,0 @@ -/* Copyright (C) 2007-2013 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Victor Julien - * - * Implements dns logging portion of the engine. - */ - -#include "suricata-common.h" -#include "debug.h" -#include "detect.h" -#include "pkt-var.h" -#include "conf.h" - -#include "threads.h" -#include "threadvars.h" -#include "tm-threads.h" - -#include "util-print.h" -#include "util-unittest.h" - -#include "util-debug.h" - -#include "output.h" -#include "log-dnslog.h" -#include "app-layer-dns-common.h" -#include "app-layer-dns-udp.h" -#include "app-layer.h" -#include "util-privs.h" -#include "util-buffer.h" - -#include "util-logopenfile.h" -#include "util-time.h" - -#ifndef HAVE_RUST - -#define DEFAULT_LOG_FILENAME "dns.log" - -#define MODULE_NAME "LogDnsLog" - -#define OUTPUT_BUFFER_SIZE 65535 - -/* we can do query logging as well, but it's disabled for now as the - * TX id handling doesn't expect it */ -#define QUERY 0 - -typedef struct LogDnsFileCtx_ { - LogFileCtx *file_ctx; - uint32_t flags; /** Store mode */ -} LogDnsFileCtx; - -typedef struct LogDnsLogThread_ { - LogDnsFileCtx *dnslog_ctx; - /** LogFileCtx has the pointer to the file and a mutex to allow multithreading */ - uint32_t dns_cnt; - - MemBuffer *buffer; -} LogDnsLogThread; - -static void LogQuery(LogDnsLogThread *aft, char *timebuf, char *srcip, char *dstip, Port sp, Port dp, DNSTransaction *tx, DNSQueryEntry *entry) -{ - LogDnsFileCtx *hlog = aft->dnslog_ctx; - - SCLogDebug("got a DNS request and now logging !!"); - - /* reset */ - MemBufferReset(aft->buffer); - - /* time & tx */ - MemBufferWriteString(aft->buffer, - "%s [**] Query TX %04x [**] ", timebuf, tx->tx_id); - - /* query */ - PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size, - (uint8_t *)((uint8_t *)entry + sizeof(DNSQueryEntry)), - entry->len); - - char record[16] = ""; - DNSCreateTypeString(entry->type, record, sizeof(record)); - MemBufferWriteString(aft->buffer, - " [**] %s [**] %s:%" PRIu16 " -> %s:%" PRIu16 "\n", - record, srcip, sp, dstip, dp); - - hlog->file_ctx->Write((const char *)MEMBUFFER_BUFFER(aft->buffer), - MEMBUFFER_OFFSET(aft->buffer), hlog->file_ctx); -} - -static void LogAnswer(LogDnsLogThread *aft, char *timebuf, char *srcip, char *dstip, Port sp, Port dp, DNSTransaction *tx, DNSAnswerEntry *entry) -{ - LogDnsFileCtx *hlog = aft->dnslog_ctx; - - SCLogDebug("got a DNS response and now logging !!"); - - /* reset */ - MemBufferReset(aft->buffer); - /* time & tx*/ - MemBufferWriteString(aft->buffer, - "%s [**] Response TX %04x [**] ", timebuf, tx->tx_id); - - if (entry == NULL) { - if (tx->rcode) { - char rcode[16] = ""; - DNSCreateRcodeString(tx->rcode, rcode, sizeof(rcode)); - MemBufferWriteString(aft->buffer, "%s", rcode); - } else if (tx->recursion_desired) { - MemBufferWriteString(aft->buffer, "Recursion Desired"); - } - } else { - /* query */ - if (entry->fqdn_len > 0) { - PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size, - (uint8_t *)((uint8_t *)entry + sizeof(DNSAnswerEntry)), - entry->fqdn_len); - } else { - MemBufferWriteString(aft->buffer, ""); - } - - char record[16] = ""; - DNSCreateTypeString(entry->type, record, sizeof(record)); - MemBufferWriteString(aft->buffer, - " [**] %s [**] TTL %u [**] ", record, entry->ttl); - - uint8_t *ptr = (uint8_t *)((uint8_t *)entry + sizeof(DNSAnswerEntry) + entry->fqdn_len); - if (entry->type == DNS_RECORD_TYPE_A && entry->data_len == 4) { - char a[16] = ""; - PrintInet(AF_INET, (const void *)ptr, a, sizeof(a)); - MemBufferWriteString(aft->buffer, "%s", a); - } else if (entry->type == DNS_RECORD_TYPE_AAAA && entry->data_len == 16) { - char a[46]; - PrintInet(AF_INET6, (const void *)ptr, a, sizeof(a)); - MemBufferWriteString(aft->buffer, "%s", a); - } else if (entry->data_len == 0) { - MemBufferWriteString(aft->buffer, ""); - } else { - PrintRawUriBuf((char *)aft->buffer->buffer, &aft->buffer->offset, - aft->buffer->size, ptr, entry->data_len); - } - } - - /* ip/tcp header info */ - MemBufferWriteString(aft->buffer, - " [**] %s:%" PRIu16 " -> %s:%" PRIu16 "\n", - srcip, sp, dstip, dp); - - hlog->file_ctx->Write((const char *)MEMBUFFER_BUFFER(aft->buffer), - MEMBUFFER_OFFSET(aft->buffer), hlog->file_ctx); -} - -static int LogDnsLogger(ThreadVars *tv, void *data, const Packet *p, - Flow *f, void *state, void *tx, uint64_t tx_id, uint8_t direction) -{ - LogDnsLogThread *aft = (LogDnsLogThread *)data; - DNSTransaction *dns_tx = (DNSTransaction *)tx; - SCLogDebug("pcap_cnt %"PRIu64, p->pcap_cnt); - char timebuf[64]; - CreateTimeString(&p->ts, timebuf, sizeof(timebuf)); - - int ipproto = 0; - if (PKT_IS_IPV4(p)) - ipproto = AF_INET; - else if (PKT_IS_IPV6(p)) - ipproto = AF_INET6; - - char srcip[46], dstip[46]; - Port sp, dp; - if ((PKT_IS_TOCLIENT(p))) { - switch (ipproto) { - case AF_INET: - PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip)); - PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip)); - break; - case AF_INET6: - PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip)); - PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip)); - break; - default: - goto end; - } - sp = p->sp; - dp = p->dp; - } else { - switch (ipproto) { - case AF_INET: - PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), srcip, sizeof(srcip)); - PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), dstip, sizeof(dstip)); - break; - case AF_INET6: - PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), srcip, sizeof(srcip)); - PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), dstip, sizeof(dstip)); - break; - default: - goto end; - } - sp = p->dp; - dp = p->sp; - } - - if (direction == STREAM_TOSERVER) { - DNSQueryEntry *query = NULL; - TAILQ_FOREACH(query, &dns_tx->query_list, next) { - LogQuery(aft, timebuf, dstip, srcip, dp, sp, dns_tx, query); - } - } else if (direction == STREAM_TOCLIENT) { - if (dns_tx->rcode) - LogAnswer(aft, timebuf, srcip, dstip, sp, dp, dns_tx, NULL); - if (dns_tx->recursion_desired) - LogAnswer(aft, timebuf, srcip, dstip, sp, dp, dns_tx, NULL); - - DNSAnswerEntry *entry = NULL; - TAILQ_FOREACH(entry, &dns_tx->answer_list, next) { - LogAnswer(aft, timebuf, srcip, dstip, sp, dp, dns_tx, entry); - } - - entry = NULL; - TAILQ_FOREACH(entry, &dns_tx->authority_list, next) { - LogAnswer(aft, timebuf, srcip, dstip, sp, dp, dns_tx, entry); - } - } - - aft->dns_cnt++; -end: - return 0; -} - -static int LogDnsRequestLogger(ThreadVars *tv, void *data, const Packet *p, - Flow *f, void *state, void *tx, uint64_t tx_id) -{ - return LogDnsLogger(tv, data, p, f, state, tx, tx_id, STREAM_TOSERVER); -} - -static int LogDnsResponseLogger(ThreadVars *tv, void *data, const Packet *p, - Flow *f, void *state, void *tx, uint64_t tx_id) -{ - return LogDnsLogger(tv, data, p, f, state, tx, tx_id, STREAM_TOCLIENT); -} - -static TmEcode LogDnsLogThreadInit(ThreadVars *t, const void *initdata, void **data) -{ - LogDnsLogThread *aft = SCMalloc(sizeof(LogDnsLogThread)); - if (unlikely(aft == NULL)) - return TM_ECODE_FAILED; - memset(aft, 0, sizeof(LogDnsLogThread)); - - if(initdata == NULL) - { - SCLogDebug("Error getting context for LogDNSLog. \"initdata\" argument NULL"); - SCFree(aft); - return TM_ECODE_FAILED; - } - - aft->buffer = MemBufferCreateNew(OUTPUT_BUFFER_SIZE); - if (aft->buffer == NULL) { - SCFree(aft); - return TM_ECODE_FAILED; - } - - /* Use the Ouptut Context (file pointer and mutex) */ - aft->dnslog_ctx= ((OutputCtx *)initdata)->data; - - *data = (void *)aft; - return TM_ECODE_OK; -} - -static TmEcode LogDnsLogThreadDeinit(ThreadVars *t, void *data) -{ - LogDnsLogThread *aft = (LogDnsLogThread *)data; - if (aft == NULL) { - return TM_ECODE_OK; - } - - MemBufferFree(aft->buffer); - /* clear memory */ - memset(aft, 0, sizeof(LogDnsLogThread)); - - SCFree(aft); - return TM_ECODE_OK; -} - -static void LogDnsLogExitPrintStats(ThreadVars *tv, void *data) -{ - LogDnsLogThread *aft = (LogDnsLogThread *)data; - if (aft == NULL) { - return; - } - - SCLogInfo("DNS logger logged %" PRIu32 " transactions", aft->dns_cnt); -} - -static void LogDnsLogDeInitCtx(OutputCtx *output_ctx) -{ - LogDnsFileCtx *dnslog_ctx = (LogDnsFileCtx *)output_ctx->data; - LogFileFreeCtx(dnslog_ctx->file_ctx); - SCFree(dnslog_ctx); - SCFree(output_ctx); -} - -/** \brief Create a new dns log LogFileCtx. - * \param conf Pointer to ConfNode containing this loggers configuration. - * \return NULL if failure, LogFileCtx* to the file_ctx if succesful - * */ -static OutputInitResult LogDnsLogInitCtx(ConfNode *conf) -{ - OutputInitResult result = { NULL, false }; - LogFileCtx* file_ctx = LogFileNewCtx(); - - if(file_ctx == NULL) { - SCLogError(SC_ERR_DNS_LOG_GENERIC, "couldn't create new file_ctx"); - return result; - } - - if (SCConfLogOpenGeneric(conf, file_ctx, DEFAULT_LOG_FILENAME, 1) < 0) { - LogFileFreeCtx(file_ctx); - return result; - } - - LogDnsFileCtx *dnslog_ctx = SCMalloc(sizeof(LogDnsFileCtx)); - if (unlikely(dnslog_ctx == NULL)) { - LogFileFreeCtx(file_ctx); - return result; - } - memset(dnslog_ctx, 0x00, sizeof(LogDnsFileCtx)); - - dnslog_ctx->file_ctx = file_ctx; - - OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx)); - if (unlikely(output_ctx == NULL)) { - LogFileFreeCtx(file_ctx); - SCFree(dnslog_ctx); - return result; - } - - output_ctx->data = dnslog_ctx; - output_ctx->DeInit = LogDnsLogDeInitCtx; - - SCLogDebug("DNS log output initialized"); - - AppLayerParserRegisterLogger(IPPROTO_UDP, ALPROTO_DNS); - AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_DNS); - - result.ctx = output_ctx; - result.ok = true; - return result; -} - -#endif /* !HAVE_RUST */ - -void LogDnsLogRegister (void) -{ -#ifndef HAVE_RUST - /* Request logger. */ - OutputRegisterTxModuleWithProgress(LOGGER_DNS_TS, MODULE_NAME, "dns-log", - LogDnsLogInitCtx, ALPROTO_DNS, LogDnsRequestLogger, 0, 1, - LogDnsLogThreadInit, LogDnsLogThreadDeinit, LogDnsLogExitPrintStats); - - /* Response logger. */ - OutputRegisterTxModuleWithProgress(LOGGER_DNS_TC, MODULE_NAME, "dns-log", - LogDnsLogInitCtx, ALPROTO_DNS, LogDnsResponseLogger, 1, 1, - LogDnsLogThreadInit, LogDnsLogThreadDeinit, LogDnsLogExitPrintStats); - - /* enable the logger for the app layer */ - SCLogDebug("registered %s", MODULE_NAME); -#endif /* !HAVE_RUST */ -} diff --git a/src/log-dnslog.h b/src/log-dnslog.h deleted file mode 100644 index eefac42248..0000000000 --- a/src/log-dnslog.h +++ /dev/null @@ -1,29 +0,0 @@ -/* Copyright (C) 2007-2013 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Victor Julien - */ - -#ifndef __LOG_DNSLOG_H__ -#define __LOG_DNSLOG_H__ - -void LogDnsLogRegister(void); - -#endif /* __LOG_DNSLOG_H__ */ diff --git a/src/output.c b/src/output.c index 547b02230e..f2bdedcf9c 100644 --- a/src/output.c +++ b/src/output.c @@ -53,7 +53,6 @@ #include "output-json-drop.h" #include "log-httplog.h" #include "output-json-http.h" -#include "log-dnslog.h" #include "output-json-dns.h" #include "log-tlslog.h" #include "log-tlsstore.h" @@ -1072,8 +1071,7 @@ void OutputRegisterLoggers(void) JsonFileLogRegister(); LogFilestoreRegister(); OutputFilestoreRegister(); - /* dns log */ - LogDnsLogRegister(); + /* dns */ JsonDnsLogRegister(); /* tcp streaming data */ LogTcpDataLogRegister(); diff --git a/src/runmodes.c b/src/runmodes.c index 697fbea905..95f8f38686 100644 --- a/src/runmodes.c +++ b/src/runmodes.c @@ -800,11 +800,9 @@ void RunModeInitializeOutputs(void) continue; #endif } else if (strcmp(output->val, "dns-log") == 0) { -#ifdef HAVE_RUST SCLogWarning(SC_ERR_NOT_SUPPORTED, - "dns-log is not available when Rust is enabled."); + "dns-log is not longer available as of Suricata 5.0"); continue; -#endif } else if (strcmp(output->val, "tls-log") == 0) { tls_log_enabled = 1; }