unified2: nostamp and file rotation

Give unified2 a nostamp option which will create the file
without the timestamp suffix (like Snort's nostamp option).

Also register for rotation notification on SIGHUP so the file
will be recreated if it is removed by an external rotation
program (only when nostamp is used).
Jason Ish 9 years ago committed by Victor Julien
parent 2c01985e73
commit 82f6103149

@ -225,7 +225,7 @@ static int Unified2IPv4TypeAlert(ThreadVars *, const Packet *, void *);
static int Unified2IPv6TypeAlert(ThreadVars *, const Packet *, void *); static int Unified2IPv6TypeAlert(ThreadVars *, const Packet *, void *);
static int Unified2PacketTypeAlert(Unified2AlertThread *, const Packet *, uint32_t, int); static int Unified2PacketTypeAlert(Unified2AlertThread *, const Packet *, uint32_t, int);
void Unified2RegisterTests(void); void Unified2RegisterTests(void);
int Unified2AlertOpenFileCtx(LogFileCtx *, const char *); static int Unified2AlertOpenFileCtx(LogFileCtx *, const char *, bool);
static void Unified2AlertDeInitCtx(OutputCtx *); static void Unified2AlertDeInitCtx(OutputCtx *);
int Unified2Condition(ThreadVars *tv, const Packet *p); int Unified2Condition(ThreadVars *tv, const Packet *p);
@ -263,15 +263,15 @@ static int Unified2AlertCloseFile(Unified2AlertThread *aun)
* \retval 0 on succces * \retval 0 on succces
* \retval -1 on failure * \retval -1 on failure
*/ */
static int Unified2AlertRotateFile(Unified2AlertThread *aun) static int Unified2AlertRotateFile(Unified2AlertThread *aun, bool truncate)
{ {
if (Unified2AlertCloseFile(aun) < 0) { if (Unified2AlertCloseFile(aun) < 0) {
SCLogError(SC_ERR_UNIFIED2_ALERT_GENERIC, SCLogError(SC_ERR_UNIFIED2_ALERT_GENERIC,
"Error: Unified2AlertCloseFile failed"); "Error: Unified2AlertCloseFile failed");
return -1; return -1;
} }
if (Unified2AlertOpenFileCtx(aun->unified2alert_ctx->file_ctx,aun->unified2alert_ctx-> if (Unified2AlertOpenFileCtx(aun->unified2alert_ctx->file_ctx,
file_ctx->prefix) < 0) { aun->unified2alert_ctx->file_ctx->prefix, truncate) < 0) {
SCLogError(SC_ERR_UNIFIED2_ALERT_GENERIC, SCLogError(SC_ERR_UNIFIED2_ALERT_GENERIC,
"Error: Unified2AlertOpenFileCtx, open new log file failed"); "Error: Unified2AlertOpenFileCtx, open new log file failed");
return -1; return -1;
@ -787,6 +787,7 @@ static int Unified2PacketTypeAlert(Unified2AlertThread *aun, const Packet *p, ui
static int Unified2IPv6TypeAlert(ThreadVars *t, const Packet *p, void *data) static int Unified2IPv6TypeAlert(ThreadVars *t, const Packet *p, void *data)
{ {
Unified2AlertThread *aun = (Unified2AlertThread *)data; Unified2AlertThread *aun = (Unified2AlertThread *)data;
LogFileCtx *file_ctx = aun->unified2alert_ctx->file_ctx;
Unified2AlertFileHeader hdr; Unified2AlertFileHeader hdr;
AlertIPv6Unified2 *phdr; AlertIPv6Unified2 *phdr;
AlertIPv6Unified2 gphdr; AlertIPv6Unified2 gphdr;
@ -921,19 +922,22 @@ static int Unified2IPv6TypeAlert(ThreadVars *t, const Packet *p, void *data)
phdr->classification_id = htonl(pa->s->class); phdr->classification_id = htonl(pa->s->class);
phdr->priority_id = htonl(pa->s->prio); phdr->priority_id = htonl(pa->s->prio);
SCMutexLock(&aun->unified2alert_ctx->file_ctx->fp_mutex); SCMutexLock(&file_ctx->fp_mutex);
if ((aun->unified2alert_ctx->file_ctx->size_current + length) >
aun->unified2alert_ctx->file_ctx->size_limit) { bool truncate = (file_ctx->size_current + length) > file_ctx->size_limit
if (Unified2AlertRotateFile(aun) < 0) { ? true : false;
if (truncate || file_ctx->rotation_flag) {
if (Unified2AlertRotateFile(aun, truncate) < 0) {
aun->unified2alert_ctx->file_ctx->alerts += i; aun->unified2alert_ctx->file_ctx->alerts += i;
SCMutexUnlock(&aun->unified2alert_ctx->file_ctx->fp_mutex); SCMutexUnlock(&file_ctx->fp_mutex);
return -1; return -1;
} }
file_ctx->rotation_flag = 0;
} }
if (Unified2Write(aun) != 1) { if (Unified2Write(aun) != 1) {
aun->unified2alert_ctx->file_ctx->alerts += i; file_ctx->alerts += i;
SCMutexUnlock(&aun->unified2alert_ctx->file_ctx->fp_mutex); SCMutexUnlock(&file_ctx->fp_mutex);
return -1; return -1;
} }
@ -972,6 +976,7 @@ static int Unified2IPv6TypeAlert(ThreadVars *t, const Packet *p, void *data)
static int Unified2IPv4TypeAlert (ThreadVars *tv, const Packet *p, void *data) static int Unified2IPv4TypeAlert (ThreadVars *tv, const Packet *p, void *data)
{ {
Unified2AlertThread *aun = (Unified2AlertThread *)data; Unified2AlertThread *aun = (Unified2AlertThread *)data;
LogFileCtx *file_ctx = aun->unified2alert_ctx->file_ctx;
Unified2AlertFileHeader hdr; Unified2AlertFileHeader hdr;
AlertIPv4Unified2 *phdr; AlertIPv4Unified2 *phdr;
AlertIPv4Unified2 gphdr; AlertIPv4Unified2 gphdr;
@ -1097,20 +1102,22 @@ static int Unified2IPv4TypeAlert (ThreadVars *tv, const Packet *p, void *data)
phdr->priority_id = htonl(pa->s->prio); phdr->priority_id = htonl(pa->s->prio);
/* check and enforce the filesize limit */ /* check and enforce the filesize limit */
SCMutexLock(&aun->unified2alert_ctx->file_ctx->fp_mutex); SCMutexLock(&file_ctx->fp_mutex);
if ((aun->unified2alert_ctx->file_ctx->size_current + length) > bool truncate = (file_ctx->size_current + length) > file_ctx->size_limit
aun->unified2alert_ctx->file_ctx->size_limit) { ? true : false;
if (Unified2AlertRotateFile(aun) < 0) { if (truncate || file_ctx->rotation_flag) {
aun->unified2alert_ctx->file_ctx->alerts += i; if (Unified2AlertRotateFile(aun, truncate) < 0) {
SCMutexUnlock(&aun->unified2alert_ctx->file_ctx->fp_mutex); file_ctx->alerts += i;
SCMutexUnlock(&file_ctx->fp_mutex);
return -1; return -1;
} }
file_ctx->rotation_flag = 0;
} }
if (Unified2Write(aun) != 1) { if (Unified2Write(aun) != 1) {
aun->unified2alert_ctx->file_ctx->alerts += i; file_ctx->alerts += i;
SCMutexUnlock(&aun->unified2alert_ctx->file_ctx->fp_mutex); SCMutexUnlock(&file_ctx->fp_mutex);
return -1; return -1;
} }
@ -1226,6 +1233,7 @@ OutputCtx *Unified2AlertInitCtx(ConfNode *conf)
LogFileCtx* file_ctx = NULL; LogFileCtx* file_ctx = NULL;
OutputCtx* output_ctx = NULL; OutputCtx* output_ctx = NULL;
HttpXFFCfg *xff_cfg = NULL; HttpXFFCfg *xff_cfg = NULL;
int nostamp = 0;
file_ctx = LogFileNewCtx(); file_ctx = LogFileNewCtx();
if (file_ctx == NULL) { if (file_ctx == NULL) {
@ -1279,6 +1287,13 @@ OutputCtx *Unified2AlertInitCtx(ConfNode *conf)
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
} }
if (ConfGetChildValueBool(conf, "nostamp", &nostamp)) {
if (nostamp) {
SCLogConfig("Disabling unified2 timestamp.");
file_ctx->nostamp = true;
}
}
} }
uint32_t flags = UNIFIED2_ALERT_FLAGS_EMIT_PACKET; uint32_t flags = UNIFIED2_ALERT_FLAGS_EMIT_PACKET;
@ -1295,10 +1310,15 @@ OutputCtx *Unified2AlertInitCtx(ConfNode *conf)
} }
} }
ret = Unified2AlertOpenFileCtx(file_ctx, filename); ret = Unified2AlertOpenFileCtx(file_ctx, filename, false);
if (ret < 0) if (ret < 0)
goto error; goto error;
/* Only register for file rotation if theout is non-timestamped. */
if (nostamp) {
OutputRegisterFileRotationFlag(&file_ctx->rotation_flag);
}
output_ctx = SCCalloc(1, sizeof(OutputCtx)); output_ctx = SCCalloc(1, sizeof(OutputCtx));
if (unlikely(output_ctx == NULL)) if (unlikely(output_ctx == NULL))
goto error; goto error;
@ -1367,7 +1387,8 @@ static void Unified2AlertDeInitCtx(OutputCtx *output_ctx)
* \param prefix Prefix of the log file. * \param prefix Prefix of the log file.
* \return -1 if failure, 0 if succesful * \return -1 if failure, 0 if succesful
* */ * */
int Unified2AlertOpenFileCtx(LogFileCtx *file_ctx, const char *prefix) static int Unified2AlertOpenFileCtx(LogFileCtx *file_ctx, const char *prefix,
bool truncate)
{ {
int ret = 0; int ret = 0;
char *filename = NULL; char *filename = NULL;
@ -1396,9 +1417,17 @@ int Unified2AlertOpenFileCtx(LogFileCtx *file_ctx, const char *prefix)
char *log_dir; char *log_dir;
log_dir = ConfigGetLogDirectory(); log_dir = ConfigGetLogDirectory();
snprintf(filename, PATH_MAX, "%s/%s.%" PRIu32, log_dir, prefix, (uint32_t)ts.tv_sec); if (file_ctx->nostamp) {
snprintf(filename, PATH_MAX, "%s/%s", log_dir, prefix);
} else {
snprintf(filename, PATH_MAX, "%s/%s.%" PRIu32, log_dir, prefix, (uint32_t)ts.tv_sec);
}
file_ctx->fp = fopen(filename, "ab"); if (truncate) {
file_ctx->fp = fopen(filename, "wb");
} else {
file_ctx->fp = fopen(filename, "ab");
}
if (file_ctx->fp == NULL) { if (file_ctx->fp == NULL) {
SCLogError(SC_ERR_FOPEN, "failed to open %s: %s", filename, SCLogError(SC_ERR_FOPEN, "failed to open %s: %s", filename,
strerror(errno)); strerror(errno));
@ -1916,7 +1945,7 @@ static int Unified2TestRotate01(void)
TimeSetIncrementTime(1); TimeSetIncrementTime(1);
ret = Unified2AlertRotateFile(data); ret = Unified2AlertRotateFile(data, false);
if (ret == -1) if (ret == -1)
goto error; goto error;
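Review bot: In Unified2AlertOpenFileCtx (hunk @ -1396) the `"wb"` open is chosen by `truncate` alone rather than by `file_ctx->nostamp`, so a timestamped log whose size limit is exceeded twice within the same second reopens the same `prefix.<tv_sec>` name and discards the alerts just written there, where the previous unconditional `"ab"` appended; guarding with `if (truncate && file_ctx->nostamp) {` confines truncation to the fixed-name case this commit introduces it for. In the Unified2IPv6TypeAlert and Unified2IPv4TypeAlert hunks the `? true : false` after a comparison is redundant: `bool truncate = (file_ctx->size_current + length) > file_ctx->size_limit;`. The pointer handed to `OutputRegisterFileRotationFlag(&file_ctx->rotation_flag)` in Unified2AlertInitCtx lives inside the LogFileCtx; unless Unified2AlertDeInitCtx, whose body is outside these hunks, removes that registration before the context is freed, a later rotation notification would write through a dangling pointer, which is worth confirming.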

@ -123,6 +123,9 @@ typedef struct LogFileCtx_ {
/* Flag set when file rotation notification is received. */ /* Flag set when file rotation notification is received. */
int rotation_flag; int rotation_flag;
/* Set to true if the filename should not be timestamped. */
bool nostamp;
} LogFileCtx; } LogFileCtx;
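Review bot: The new `bool nostamp;` member needs `<stdbool.h>` to be visible in this header; its include block is outside the hunk, so if it is not already included, add `#include <stdbool.h>` there rather than relying on every including translation unit to do so. The field comment would also help readers if it named the origin of the value, e.g. `/* Set to true if the filename should not be timestamped (unified2 "nostamp" option). */`.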
/* Min time (msecs) before trying to reconnect a Unix domain socket */ /* Min time (msecs) before trying to reconnect a Unix domain socket */

@ -250,6 +250,11 @@ outputs:
# is parsed as bytes. # is parsed as bytes.
#limit: 32mb #limit: 32mb
# By default unified2 log files have the file creation time (in
# unix epoch format) appended to the filename. Set this to yes to
# disable this behaviour.
#nostamp: no
# Sensor ID field of unified2 alerts. # Sensor ID field of unified2 alerts.
#sensor-id: 0 #sensor-id: 0
