Store matching stream msg (ptr) in the packet's alert structure so it's available to the output plugins.

remotes/origin/master-1.1.x
Victor Julien 15 years ago
parent 8faacb727d
commit 864c8718e1

@ -30,6 +30,7 @@
#include "detect.h" #include "detect.h"
#include "flow.h" #include "flow.h"
#include "conf.h" #include "conf.h"
#include "stream.h"
#include "threads.h" #include "threads.h"
#include "threadvars.h" #include "threadvars.h"
@ -181,18 +182,6 @@ TmEcode AlertDebugLogIPv4(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq
if (p->pcap_cnt > 0) { if (p->pcap_cnt > 0) {
fprintf(aft->file_ctx->fp, "PCAP PKT NUM: %"PRIu64"\n", p->pcap_cnt); fprintf(aft->file_ctx->fp, "PCAP PKT NUM: %"PRIu64"\n", p->pcap_cnt);
} }
fprintf(aft->file_ctx->fp, "ALERT CNT: %" PRIu32 "\n", p->alerts.cnt);
for (i = 0; i < p->alerts.cnt; i++) {
PacketAlert *pa = &p->alerts.alerts[i];
fprintf(aft->file_ctx->fp, "ALERT MSG [%02d]: %s\n", i, pa->msg);
fprintf(aft->file_ctx->fp, "ALERT GID [%02d]: %" PRIu32 "\n", i, pa->gid);
fprintf(aft->file_ctx->fp, "ALERT SID [%02d]: %" PRIu32 "\n", i, pa->sid);
fprintf(aft->file_ctx->fp, "ALERT REV [%02d]: %" PRIu32 "\n", i, pa->rev);
fprintf(aft->file_ctx->fp, "ALERT CLASS [%02d]: %s\n", i, pa->class_msg);
fprintf(aft->file_ctx->fp, "ALERT PRIO [%02d]: %" PRIu32 "\n", i, pa->prio);
}
char srcip[16], dstip[16]; char srcip[16], dstip[16];
inet_ntop(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip)); inet_ntop(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));
@ -244,12 +233,36 @@ TmEcode AlertDebugLogIPv4(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq
/* any stuff */ /* any stuff */
/* Sig details? */ /* Sig details? */
aft->file_ctx->alerts += p->alerts.cnt;
fprintf(aft->file_ctx->fp, "PACKET LEN: %" PRIu32 "\n", GET_PKT_LEN(p)); fprintf(aft->file_ctx->fp, "PACKET LEN: %" PRIu32 "\n", GET_PKT_LEN(p));
fprintf(aft->file_ctx->fp, "PACKET:\n"); fprintf(aft->file_ctx->fp, "PACKET:\n");
PrintRawDataFp(aft->file_ctx->fp, GET_PKT_DATA(p), GET_PKT_LEN(p)); PrintRawDataFp(aft->file_ctx->fp, GET_PKT_DATA(p), GET_PKT_LEN(p));
fprintf(aft->file_ctx->fp, "ALERT CNT: %" PRIu32 "\n", p->alerts.cnt);
for (i = 0; i < p->alerts.cnt; i++) {
PacketAlert *pa = &p->alerts.alerts[i];
fprintf(aft->file_ctx->fp, "ALERT MSG [%02d]: %s\n", i, pa->msg);
fprintf(aft->file_ctx->fp, "ALERT GID [%02d]: %" PRIu32 "\n", i, pa->gid);
fprintf(aft->file_ctx->fp, "ALERT SID [%02d]: %" PRIu32 "\n", i, pa->sid);
fprintf(aft->file_ctx->fp, "ALERT REV [%02d]: %" PRIu32 "\n", i, pa->rev);
fprintf(aft->file_ctx->fp, "ALERT CLASS [%02d]: %s\n", i, pa->class_msg ? pa->class_msg : "<none>");
fprintf(aft->file_ctx->fp, "ALERT PRIO [%02d]: %" PRIu32 "\n", i, pa->prio);
fprintf(aft->file_ctx->fp, "ALERT FOUND IN [%02d]: %s\n", i, pa->alert_msg ? "STREAM" : "OTHER");
if (pa->alert_msg != NULL) {
fprintf(aft->file_ctx->fp, "ALERT STREAM LEN[%02d]:%"PRIu16"\n", i, ((StreamMsg *)pa->alert_msg)->data.data_len);
fprintf(aft->file_ctx->fp, "ALERT STREAM [%02d]:\n", i);
PrintRawDataFp(aft->file_ctx->fp, ((StreamMsg *)pa->alert_msg)->data.data,
((StreamMsg *)pa->alert_msg)->data.data_len);
} else if (p->payload_len > 0) {
fprintf(aft->file_ctx->fp, "PAYLOAD LEN: %" PRIu32 "\n", p->payload_len);
fprintf(aft->file_ctx->fp, "PAYLOAD:\n");
PrintRawDataFp(aft->file_ctx->fp, p->payload, p->payload_len);
}
}
aft->file_ctx->alerts += p->alerts.cnt;
fflush(aft->file_ctx->fp); fflush(aft->file_ctx->fp);
SCMutexUnlock(&aft->file_ctx->fp_mutex); SCMutexUnlock(&aft->file_ctx->fp_mutex);
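Review bot: The third hunk casts `pa->alert_msg` to `StreamMsg *` three times (the STREAM LEN line and both PrintRawDataFp arguments); a single local `StreamMsg *smsg = pa->alert_msg;` at the top of the `if (pa->alert_msg != NULL)` branch keeps the type in one place and shortens the lines. The PAYLOAD LEN line prints `p->payload_len` with `PRIu32`; if that field is narrower than 32 bits the specifier does not match the argument type and should use the matching PRIu macro. The smsg data is read here on the output side, after detection has released the flow lock; that is only safe because the list head is parked in `p->alerts.alert_msgs` until TmqhOutputPacketpool returns it, so a comment above the branch such as `/* smsg stays valid here: owned by p->alerts.alert_msgs until the packet is returned to the pool */` would help the next reader. AlertDebugLogIPv4 starts and ends outside the hunks shown.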

@ -226,6 +226,10 @@ typedef struct PacketAlert_ {
char *class_msg; char *class_msg;
DetectReference *references; DetectReference *references;
uint8_t flags; uint8_t flags;
/** Pointer to smsg this signature matched on, or
* NULL if the sig didn't match on a smsg */
void *alert_msg;
} PacketAlert; } PacketAlert;
/* After processing an alert by the thresholding module, if at /* After processing an alert by the thresholding module, if at
@ -238,6 +242,11 @@ typedef struct PacketAlert_ {
typedef struct PacketAlerts_ { typedef struct PacketAlerts_ {
uint16_t cnt; uint16_t cnt;
PacketAlert alerts[PACKET_ALERT_MAX]; PacketAlert alerts[PACKET_ALERT_MAX];
/** pointer to (list of) stream message(s)
* that one or more of the signatures
* matched on */
void *alert_msgs;
} PacketAlerts; } PacketAlerts;
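Review bot: The new `alert_msgs` comment says what the pointer refers to but not who owns it, which is the property every reader of this struct needs. From the other hunks in this commit the list head is stored by SigMatchSignatures and returned to the pool only in TmqhOutputPacketpool, while each `PacketAlert.alert_msg` is a non-owning pointer to one element of that list; I would extend the comment with `owned by the packet: returned to the pool in TmqhOutputPacketpool` and add `not owned; points into alerts.alert_msgs` on `alert_msg`. Both fields are `void *`; if a forward declaration of the StreamMsg struct is possible in this header, typed pointers would remove the casts in alert-debuglog.c.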
/** number of decoder events we support per packet. Power of 2 minus 1 /** number of decoder events we support per packet. Power of 2 minus 1

@ -35,7 +35,7 @@
* \param p Packet structure * \param p Packet structure
* *
*/ */
int PacketAlertHandle(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, static int PacketAlertHandle(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
Signature *s, Packet *p, uint16_t pos) Signature *s, Packet *p, uint16_t pos)
{ {
SCEnter(); SCEnter();
@ -110,7 +110,15 @@ int PacketAlertRemove(Packet *p, uint16_t pos)
return match; return match;
} }
int PacketAlertAppend(DetectEngineThreadCtx *det_ctx, Signature *s, Packet *p, uint8_t flags) /** \brief append a signature match to a packet
*
* \param det_ctx thread detection engine ctx
* \param s the signature that matched
* \param p packet
* \param flags alert flags
* \param alert_msg ptr to StreamMsg object that the signature matched on
*/
int PacketAlertAppend(DetectEngineThreadCtx *det_ctx, Signature *s, Packet *p, uint8_t flags, void *alert_msg)
{ {
int i = 0; int i = 0;
@ -139,6 +147,7 @@ int PacketAlertAppend(DetectEngineThreadCtx *det_ctx, Signature *s, Packet *p, u
p->alerts.alerts[p->alerts.cnt].class_msg = s->class_msg; p->alerts.alerts[p->alerts.cnt].class_msg = s->class_msg;
p->alerts.alerts[p->alerts.cnt].references = s->references; p->alerts.alerts[p->alerts.cnt].references = s->references;
p->alerts.alerts[p->alerts.cnt].flags = flags; p->alerts.alerts[p->alerts.cnt].flags = flags;
p->alerts.alerts[p->alerts.cnt].alert_msg = alert_msg;
} else { } else {
/* We need to make room for this s->num /* We need to make room for this s->num
(a bit ugly with mamcpy but we are planning changes here)*/ (a bit ugly with mamcpy but we are planning changes here)*/
@ -164,6 +173,7 @@ int PacketAlertAppend(DetectEngineThreadCtx *det_ctx, Signature *s, Packet *p, u
p->alerts.alerts[i].class_msg = s->class_msg; p->alerts.alerts[i].class_msg = s->class_msg;
p->alerts.alerts[i].references = s->references; p->alerts.alerts[i].references = s->references;
p->alerts.alerts[i].flags = flags; p->alerts.alerts[i].flags = flags;
p->alerts.alerts[i].alert_msg = alert_msg;
} }
/* Update the count */ /* Update the count */
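Review bot: The new docstring on PacketAlertAppend documents `alert_msg` as the StreamMsg the signature matched on, but not that it may be NULL (most call sites in this commit pass NULL) or that the alert does not take ownership of it; I would extend the line to `\param alert_msg ptr to StreamMsg the signature matched on, or NULL; not owned by the alert`. The function returns an int yet the block has no `\retval` lines, so the meaning of the return value stays undocumented. The body of PacketAlertAppend continues outside the hunks shown.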

@ -28,7 +28,7 @@
#include "detect.h" #include "detect.h"
void PacketAlertFinalize(DetectEngineCtx *, DetectEngineThreadCtx *, Packet *); void PacketAlertFinalize(DetectEngineCtx *, DetectEngineThreadCtx *, Packet *);
int PacketAlertAppend(DetectEngineThreadCtx *, Signature *, Packet *, uint8_t); int PacketAlertAppend(DetectEngineThreadCtx *, Signature *, Packet *, uint8_t, /* (StreamMsg *) */void *);
int PacketAlertAppendTag(Packet *, PacketAlert *); int PacketAlertAppendTag(Packet *, PacketAlert *);
int PacketAlertCheck(Packet *, uint32_t); int PacketAlertCheck(Packet *, uint32_t);
int PacketAlertRemove(Packet *, uint16_t); int PacketAlertRemove(Packet *, uint16_t);

@ -1004,9 +1004,9 @@ void IPOnlyMatchPacket(DetectEngineCtx *de_ctx,
if ( !(s->flags & SIG_FLAG_NOALERT)) { if ( !(s->flags & SIG_FLAG_NOALERT)) {
if (s->action & ACTION_DROP) if (s->action & ACTION_DROP)
PacketAlertAppend(det_ctx, s, p, PACKET_ALERT_FLAG_DROP_FLOW); PacketAlertAppend(det_ctx, s, p, PACKET_ALERT_FLAG_DROP_FLOW, NULL);
else else
PacketAlertAppend(det_ctx, s, p, 0); PacketAlertAppend(det_ctx, s, p, 0, NULL);
} }
} }
} }

@ -29,8 +29,6 @@
#define THRESHOLD_HASH_SIZE 0xffff #define THRESHOLD_HASH_SIZE 0xffff
int PacketAlertHandle(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *,
Signature *sig, Packet *p, uint16_t);
DetectThresholdData *SigGetThresholdType(Signature *, Packet *); DetectThresholdData *SigGetThresholdType(Signature *, Packet *);
int PacketAlertThreshold(DetectEngineCtx *, DetectEngineThreadCtx *, int PacketAlertThreshold(DetectEngineCtx *, DetectEngineThreadCtx *,
DetectThresholdData *, Packet *, Signature *); DetectThresholdData *, Packet *, Signature *);

@ -1244,6 +1244,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
/* inspect the sigs against the packet */ /* inspect the sigs against the packet */
for (idx = 0; idx < det_ctx->match_array_cnt; idx++) { for (idx = 0; idx < det_ctx->match_array_cnt; idx++) {
StreamMsg *alert_msg = NULL;
PROFILING_START; PROFILING_START;
s = det_ctx->match_array[idx]; s = det_ctx->match_array[idx];
@ -1345,6 +1346,13 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
* rest of the pkts with no further inspection */ * rest of the pkts with no further inspection */
if (s->action == ACTION_DROP) if (s->action == ACTION_DROP)
alert_flags |= PACKET_ALERT_FLAG_DROP_FLOW; alert_flags |= PACKET_ALERT_FLAG_DROP_FLOW;
/* store ptr to current smsg */
if (alert_msg == NULL) {
alert_msg = smsg_inspect;
p->alerts.alert_msgs = smsg;
}
break; break;
} }
} }
@ -1378,6 +1386,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, p->flow, flags, alstate, p) != 1) { if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, p->flow, flags, alstate, p) != 1) {
goto next; goto next;
} }
} else { } else {
if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, p->flow, flags, alstate, p) != 1) if (DetectEngineInspectPacketPayload(de_ctx, det_ctx, s, p->flow, flags, alstate, p) != 1)
goto next; goto next;
@ -1425,7 +1434,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
fmatch = 1; fmatch = 1;
if (!(s->flags & SIG_FLAG_NOALERT)) { if (!(s->flags & SIG_FLAG_NOALERT)) {
PacketAlertAppend(det_ctx, s, p, alert_flags); PacketAlertAppend(det_ctx, s, p, alert_flags, NULL);
} }
} else { } else {
if (s->flags & SIG_FLAG_RECURSIVE) { if (s->flags & SIG_FLAG_RECURSIVE) {
@ -1445,7 +1454,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
if (!(s->flags & SIG_FLAG_NOALERT)) { if (!(s->flags & SIG_FLAG_NOALERT)) {
/* only add once */ /* only add once */
if (rmatch == 0) { if (rmatch == 0) {
PacketAlertAppend(det_ctx, s, p, alert_flags); PacketAlertAppend(det_ctx, s, p, alert_flags, alert_msg);
} }
} }
rmatch = fmatch = 1; rmatch = fmatch = 1;
@ -1478,7 +1487,7 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
if (sm == NULL) { if (sm == NULL) {
fmatch = 1; fmatch = 1;
if (!(s->flags & SIG_FLAG_NOALERT)) { if (!(s->flags & SIG_FLAG_NOALERT)) {
PacketAlertAppend(det_ctx, s, p, alert_flags); PacketAlertAppend(det_ctx, s, p, alert_flags, alert_msg);
} }
} }
} else { } else {
@ -1546,16 +1555,13 @@ end:
} }
} }
/* if we had no alerts that involved the smsgs,
* we can get rid of them now. */
if (p->alerts.alert_msgs == NULL) {
/* if we have (a) smsg(s), return to the pool */ /* if we have (a) smsg(s), return to the pool */
while (smsg != NULL) { StreamMsgReturnListToPool(smsg);
StreamMsg *smsg_next = smsg->next;
SCLogDebug("returning smsg %p to pool", smsg);
smsg->next = NULL;
smsg->prev = NULL;
smsg->flow = NULL;
StreamMsgReturnToPool(smsg);
smsg = smsg_next;
} }
SCMutexUnlock(&p->flow->m); SCMutexUnlock(&p->flow->m);
FlowDecrUsecnt(p->flow); FlowDecrUsecnt(p->flow);
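Review bot: In the hunk at `fmatch = 1;` (the `-1425,7 +1434,7` one) PacketAlertAppend is called with a literal `NULL` while the two later call sites pass `alert_msg`; if that branch can be reached after the smsg loop stored `alert_msg = smsg_inspect`, an alert for a signature that matched on stream data is recorded without its StreamMsg and the debug log reports it as OTHER. Unless that path is provably unreachable for stream matches, it should read `PacketAlertAppend(det_ctx, s, p, alert_flags, alert_msg);` like the others. Separately, `p->alerts.alert_msgs = smsg` is set on the first smsg match even when the signature is later rejected (`goto next`) or carries SIG_FLAG_NOALERT, so the list is then held until the packet pool instead of being returned at `end:`; that is not a leak, but a comment on the assignment saying so would save the next reader the same analysis. SigMatchSignatures starts and ends outside the hunks shown.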

@ -223,3 +223,17 @@ uint16_t StreamMsgQueueGetMinChunkLen(uint8_t dir) {
} }
} }
/** \brief Return a list of smsgs to the pool */
void StreamMsgReturnListToPool(void *list) {
/* if we have (a) smsg(s), return to the pool */
StreamMsg *smsg = (StreamMsg *)list;
while (smsg != NULL) {
StreamMsg *smsg_next = smsg->next;
SCLogDebug("returning smsg %p to pool", smsg);
smsg->next = NULL;
smsg->prev = NULL;
smsg->flow = NULL;
StreamMsgReturnToPool(smsg);
smsg = smsg_next;
}
}
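Review bot: StreamMsgReturnListToPool takes `void *list` and immediately casts it to `StreamMsg *`; if the StreamMsg type is visible in stream.h (the header hunk declares the function there), declaring it as `void StreamMsgReturnListToPool(StreamMsg *list)` gives callers type checking, and the `void *` argument from `p->alerts.alert_msgs` still converts implicitly in C. The brief should state the contract the loop implements: `\param list head of a StreamMsg list chained by next; may be NULL; every element is unlinked and returned to the pool`. The matching declaration in stream.h would change the same way.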

@ -87,5 +87,7 @@ void StreamMsgQueueSetMinChunkLen(uint8_t dir, uint16_t len);
uint16_t StreamMsgQueueGetMinInitChunkLen(uint8_t); uint16_t StreamMsgQueueGetMinInitChunkLen(uint8_t);
uint16_t StreamMsgQueueGetMinChunkLen(uint8_t); uint16_t StreamMsgQueueGetMinChunkLen(uint8_t);
void StreamMsgReturnListToPool(void *);
#endif /* __STREAM_H__ */ #endif /* __STREAM_H__ */

@ -37,6 +37,8 @@
#include "threadvars.h" #include "threadvars.h"
#include "flow.h" #include "flow.h"
#include "stream.h"
#include "tm-queuehandlers.h" #include "tm-queuehandlers.h"
#include "pkt-var.h" #include "pkt-var.h"
@ -127,6 +129,12 @@ void TmqhOutputPacketpool(ThreadVars *t, Packet *p)
char proot = 0; char proot = 0;
/* final alerts cleanup... return smsgs to pool if needed */
if (p->alerts.alert_msgs != NULL) {
StreamMsgReturnListToPool(p->alerts.alert_msgs);
p->alerts.alert_msgs = NULL;
}
if (IS_TUNNEL_PKT(p)) { if (IS_TUNNEL_PKT(p)) {
SCLogDebug("Packet %p is a tunnel packet: %s", SCLogDebug("Packet %p is a tunnel packet: %s",
p,p->root ? "upper layer" : "tunnel root"); p,p->root ? "upper layer" : "tunnel root");
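Review bot: The new block is the only place in this commit that clears `p->alerts.alert_msgs`; if a Packet can be reused by any path that bypasses TmqhOutputPacketpool, the stale list head would survive into the next use and be returned to the pool a second time, so the same reset belongs in whatever packet reinitialisation the project uses (not visible here). The inline comment could also say why the cleanup sits before the tunnel handling, e.g. `/* each Packet owns its own smsg list, so return it before the tunnel root/child bookkeeping */`, since at first glance it reads as if it might belong to the root only. TmqhOutputPacketpool continues outside the hunk.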
