aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

- rebase

Browse Source 
Provide limits to the unified outputs.
remotes/origin/master-1.0.x
Jason Ish 16 years ago committed by Victor Julien
parent 16b6f536a0
commit fbdf1baf1c
5 changed files with 103 additions and 11 deletions
Show Stats Download Patch File Download Diff File

34
src/alert-unified-alert.c
Unescape Escape View File

@ -32,12 +32,19 @@
#include "util-time.h" #include "util-time.h"
#include "util-error.h" #include "util-error.h"
#include "util-debug.h" #include "util-debug.h"
#include "util-byte.h"
#include "output.h" #include "output.h"
#include "alert-unified-alert.h" #include "alert-unified-alert.h"
#define DEFAULT_LOG_FILENAME "unified.alert" #define DEFAULT_LOG_FILENAME "unified.alert"
/**< Default log file limit in MB. */
#define DEFAULT_LIMIT 32
/**< Minimum log file limit in MB. */
#define MIN_LIMIT 1
#define MODULE_NAME "AlertUnifiedAlert" #define MODULE_NAME "AlertUnifiedAlert"
TmEcode AlertUnifiedAlert (ThreadVars *, Packet *, void *, PacketQueue *); TmEcode AlertUnifiedAlert (ThreadVars *, Packet *, void *, PacketQueue *);
@ -293,13 +300,34 @@ LogFileCtx *AlertUnifiedAlertInitCtx(ConfNode *conf)
filename = DEFAULT_LOG_FILENAME; filename = DEFAULT_LOG_FILENAME;
file_ctx->prefix = strdup(filename); file_ctx->prefix = strdup(filename);
ret = AlertUnifiedAlertOpenFileCtx(file_ctx, filename); const char *s_limit = NULL;
/* XXX make configurable */ uint32_t limit = DEFAULT_LIMIT;
file_ctx->size_limit = UNIFIED_FILESIZE_LIMIT; if (conf != NULL) {
s_limit = ConfNodeLookupChildValue(conf, "limit");
if (s_limit != NULL) {
if (ByteExtractStringUint32(&limit, 10, 0, s_limit) == -1) {
SCLogError(SC_ERR_INVALID_ARGUMENT,
"Fail to initialize unified alert output, invalid limit: %s",
s_limit);
exit(EXIT_FAILURE);
}
if (limit < MIN_LIMIT) {
SCLogError(SC_ERR_INVALID_ARGUMENT,
"Fail to initialize unified alert output, limit less than "
"allowed minimum.");
exit(EXIT_FAILURE);
}
}
}
file_ctx->size_limit = limit * 1024 * 1024;
ret = AlertUnifiedAlertOpenFileCtx(file_ctx, filename);
if (ret < 0) if (ret < 0)
return NULL; return NULL;
SCLogInfo("Unified-alert initialized: filename %s, limit %"PRIu32" MB",
filename, limit);
return file_ctx; return file_ctx;
} }

35
src/alert-unified-log.c
Unescape Escape View File

@ -34,12 +34,19 @@
#include "util-time.h" #include "util-time.h"
#include "util-debug.h" #include "util-debug.h"
#include "util-error.h" #include "util-error.h"
#include "util-byte.h"
#include "output.h" #include "output.h"
#include "alert-unified-log.h" #include "alert-unified-log.h"
#define DEFAULT_LOG_FILENAME "unified.log" #define DEFAULT_LOG_FILENAME "unified.log"
/**< Default log file limit in MB. */
#define DEFAULT_LIMIT 32
/**< Minimum log file limit in MB. */
#define MIN_LIMIT 1
#define MODULE_NAME "AlertUnifiedLog" #define MODULE_NAME "AlertUnifiedLog"
TmEcode AlertUnifiedLog (ThreadVars *, Packet *, void *, PacketQueue *); TmEcode AlertUnifiedLog (ThreadVars *, Packet *, void *, PacketQueue *);
@ -308,15 +315,37 @@ LogFileCtx *AlertUnifiedLogInitCtx(ConfNode *conf)
} }
if (filename == NULL) if (filename == NULL)
filename = DEFAULT_LOG_FILENAME; filename = DEFAULT_LOG_FILENAME;
file_ctx->prefix = strdup(filename); file_ctx->prefix = strdup(filename);
file_ctx->size_limit = UNIFIED_FILESIZE_LIMIT; /* XXX Make configurable. */
ret = AlertUnifiedLogOpenFileCtx(file_ctx, filename); const char *s_limit = NULL;
uint32_t limit = DEFAULT_LIMIT;
if (conf != NULL) {
s_limit = ConfNodeLookupChildValue(conf, "limit");
if (s_limit != NULL) {
if (ByteExtractStringUint32(&limit, 10, 0, s_limit) == -1) {
SCLogError(SC_ERR_INVALID_ARGUMENT,
"Fail to initialize unified log output, invalid limit: %s",
s_limit);
exit(EXIT_FAILURE);
}
if (limit < MIN_LIMIT) {
SCLogError(SC_ERR_INVALID_ARGUMENT,
"Fail to initialize unified log output, limit less than "
"allowed minimum.");
exit(EXIT_FAILURE);
}
SCLogDebug("limit set to %"PRIu32, limit);
}
}
file_ctx->size_limit = limit * 1024 * 1024;
ret = AlertUnifiedLogOpenFileCtx(file_ctx, filename);
if (ret < 0) if (ret < 0)
return NULL; return NULL;
SCLogInfo("Unified-log initialized: filename %s, limit %"PRIu32" MB",
filename, limit);
return file_ctx; return file_ctx;
} }

35
src/alert-unified2-alert.c
Unescape Escape View File

@ -21,6 +21,7 @@
#include "util-error.h" #include "util-error.h"
#include "util-debug.h" #include "util-debug.h"
#include "util-time.h" #include "util-time.h"
#include "util-byte.h"
#include "output.h" #include "output.h"
#include "alert-unified2-alert.h" #include "alert-unified2-alert.h"
@ -31,6 +32,12 @@
#define DEFAULT_LOG_FILENAME "unified2.alert" #define DEFAULT_LOG_FILENAME "unified2.alert"
/**< Default log file limit in MB. */
#define DEFAULT_LIMIT 32
/**< Minimum log file limit in MB. */
#define MIN_LIMIT 1
/*prototypes*/ /*prototypes*/
TmEcode Unified2Alert (ThreadVars *, Packet *, void *, PacketQueue *); TmEcode Unified2Alert (ThreadVars *, Packet *, void *, PacketQueue *);
TmEcode Unified2AlertThreadInit(ThreadVars *, void *, void **); TmEcode Unified2AlertThreadInit(ThreadVars *, void *, void **);
@ -585,14 +592,34 @@ LogFileCtx *Unified2AlertInitCtx(ConfNode *conf)
filename = DEFAULT_LOG_FILENAME; filename = DEFAULT_LOG_FILENAME;
file_ctx->prefix = strdup(filename); file_ctx->prefix = strdup(filename);
ret = Unified2AlertOpenFileCtx(file_ctx, filename); const char *s_limit = NULL;
uint32_t limit = DEFAULT_LIMIT;
/* XXX make configurable */ if (conf != NULL) {
file_ctx->size_limit = UNIFIED_FILESIZE_LIMIT; s_limit = ConfNodeLookupChildValue(conf, "limit");
if (s_limit != NULL) {
if (ByteExtractStringUint32(&limit, 10, 0, s_limit) == -1) {
SCLogError(SC_ERR_INVALID_ARGUMENT,
"Fail to initialize unified2 output, invalid limit: %s",
s_limit);
exit(EXIT_FAILURE);
}
if (limit < MIN_LIMIT) {
SCLogError(SC_ERR_INVALID_ARGUMENT,
"Fail to initialize unified2 output, limit less than "
"allowed minimum.");
exit(EXIT_FAILURE);
}
}
}
file_ctx->size_limit = limit * 1024 * 1024;
ret = Unified2AlertOpenFileCtx(file_ctx, filename);
if (ret < 0) if (ret < 0)
return NULL; return NULL;
SCLogInfo("Unified2-alert initialized: filename %s, limit %"PRIu32" MB",
filename, limit);
return file_ctx; return file_ctx;
} }

1
src/output.h
Unescape Escape View File

@ -9,7 +9,6 @@
#define __OUTPUT_H__ #define __OUTPUT_H__
#include "suricata.h" #include "suricata.h"
#define UNIFIED_FILESIZE_LIMIT 10*1024*1024
typedef struct OutputModule_ { typedef struct OutputModule_ {
char *name; char *name;

9
suricata.yaml
Unescape Escape View File

@ -21,14 +21,23 @@ outputs:
enabled: yes enabled: yes
filename: unified.log filename: unified.log
# Limit in MB.
#limit: 32
- unified-alert: - unified-alert:
enabled: yes enabled: yes
filename: unified.alert filename: unified.alert
# Limit in MB.
#limit: 32
- unified2-alert: - unified2-alert:
enabled: yes enabled: yes
filename: unified2.alert filename: unified2.alert
# Limit in MB.
#limit: 32
- http-log: - http-log:
enabled: yes enabled: yes
filename: http.log filename: http.log

Write Preview
Loading…
Cancel
Save