suricata
alert-fastlog.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2014 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Logs alerts in a line based text format compatible to Snort's
24  * alert_fast format.
25  *
26  * \todo Support classifications
27  * \todo Support more than just IPv4/IPv6 TCP/UDP.
28  */
29 
30 #include "suricata-common.h"
31 #include "debug.h"
32 #include "detect.h"
33 #include "flow.h"
34 #include "conf.h"
35 
36 #include "threads.h"
37 #include "tm-threads.h"
38 #include "threadvars.h"
39 #include "util-debug.h"
40 
41 #include "util-unittest.h"
42 #include "util-unittest-helper.h"
43 
44 #include "detect-parse.h"
45 #include "detect-engine.h"
46 #include "detect-engine-mpm.h"
47 #include "detect-reference.h"
49 
50 #include "output.h"
51 #include "alert-fastlog.h"
52 
53 #include "util-privs.h"
54 #include "util-print.h"
55 #include "util-proto-name.h"
56 #include "util-optimize.h"
57 #include "util-logopenfile.h"
58 #include "util-time.h"
59 
60 #define DEFAULT_LOG_FILENAME "fast.log"
61 
62 #define MODULE_NAME "AlertFastLog"
63 
64 /* The largest that size allowed for one alert string. */
65 #define MAX_FASTLOG_ALERT_SIZE 2048
66 /* The largest alert buffer that will be written at one time, possibly
67  * holding multiple alerts. */
68 #define MAX_FASTLOG_BUFFER_SIZE (2 * MAX_FASTLOG_ALERT_SIZE)
69 
70 TmEcode AlertFastLogThreadInit(ThreadVars *, const void *, void **);
72 void AlertFastLogRegisterTests(void);
73 static void AlertFastLogDeInitCtx(OutputCtx *);
74 
75 int AlertFastLogCondition(ThreadVars *tv, const Packet *p);
76 int AlertFastLogger(ThreadVars *tv, void *data, const Packet *p);
77 
79 {
84 }
85 
86 typedef struct AlertFastLogThread_ {
87  /** LogFileCtx has the pointer to the file and a mutex to allow multithreading */
90 
92 {
93  return (p->alerts.cnt ? TRUE : FALSE);
94 }
95 
96 static inline void AlertFastLogOutputAlert(AlertFastLogThread *aft, char *buffer,
97  int alert_size)
98 {
99  /* Output the alert string and count alerts. Only need to lock here. */
100  aft->file_ctx->Write(buffer, alert_size, aft->file_ctx);
101 }
102 
103 int AlertFastLogger(ThreadVars *tv, void *data, const Packet *p)
104 {
105  AlertFastLogThread *aft = (AlertFastLogThread *)data;
106  int i;
107  char timebuf[64];
108  int decoder_event = 0;
109 
110  CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
111 
112  char srcip[46], dstip[46];
113  if (PKT_IS_IPV4(p)) {
114  PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));
115  PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));
116  } else if (PKT_IS_IPV6(p)) {
117  PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
118  PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
119  } else {
120  decoder_event = 1;
121  }
122 
123  /* Buffer to store the generated alert strings. The buffer is
124  * filled with alert strings until it doesn't have room to store
125  * another full alert, only then is the buffer written. This is
126  * more efficient for multiple alerts and only slightly slower for
127  * single alerts.
128  */
129  char alert_buffer[MAX_FASTLOG_BUFFER_SIZE];
130 
131  for (i = 0; i < p->alerts.cnt; i++) {
132  const PacketAlert *pa = &p->alerts.alerts[i];
133  if (unlikely(pa->s == NULL)) {
134  continue;
135  }
136 
137  const char *action = "";
138  if ((pa->action & ACTION_DROP) && EngineModeIsIPS()) {
139  action = "[Drop] ";
140  } else if (pa->action & ACTION_DROP) {
141  action = "[wDrop] ";
142  }
143 
144  char proto[16] = "";
145  if (likely(decoder_event == 0)) {
146  if (SCProtoNameValid(IP_GET_IPPROTO(p)) == TRUE) {
147  strlcpy(proto, known_proto[IP_GET_IPPROTO(p)], sizeof(proto));
148  } else {
149  snprintf(proto, sizeof(proto), "PROTO:%03" PRIu32, IP_GET_IPPROTO(p));
150  }
151  }
152 
153  /* Create the alert string without locking. */
154  int size = 0;
155  if (likely(decoder_event == 0)) {
156  PrintBufferData(alert_buffer, &size, MAX_FASTLOG_ALERT_SIZE,
157  "%s %s[**] [%" PRIu32 ":%" PRIu32 ":%"
158  PRIu32 "] %s [**] [Classification: %s] [Priority: %"PRIu32"]"
159  " {%s} %s:%" PRIu32 " -> %s:%" PRIu32 "\n", timebuf, action,
160  pa->s->gid, pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg, pa->s->prio,
161  proto, srcip, p->sp, dstip, p->dp);
162  } else {
163  PrintBufferData(alert_buffer, &size, MAX_FASTLOG_ALERT_SIZE,
164  "%s %s[**] [%" PRIu32 ":%" PRIu32
165  ":%" PRIu32 "] %s [**] [Classification: %s] [Priority: "
166  "%" PRIu32 "] [**] [Raw pkt: ", timebuf, action, pa->s->gid,
167  pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg, pa->s->prio);
168  PrintBufferRawLineHex(alert_buffer, &size, MAX_FASTLOG_ALERT_SIZE,
169  GET_PKT_DATA(p), GET_PKT_LEN(p) < 32 ? GET_PKT_LEN(p) : 32);
170  if (p->pcap_cnt != 0) {
171  PrintBufferData(alert_buffer, &size, MAX_FASTLOG_ALERT_SIZE,
172  "] [pcap file packet: %"PRIu64"]\n", p->pcap_cnt);
173  } else {
174  PrintBufferData(alert_buffer, &size, MAX_FASTLOG_ALERT_SIZE, "]\n");
175  }
176  }
177 
178  /* Write the alert to output file */
179  AlertFastLogOutputAlert(aft, alert_buffer, size);
180  }
181 
182  return TM_ECODE_OK;
183 }
184 
185 TmEcode AlertFastLogThreadInit(ThreadVars *t, const void *initdata, void **data)
186 {
188  if (unlikely(aft == NULL))
189  return TM_ECODE_FAILED;
190  memset(aft, 0, sizeof(AlertFastLogThread));
191  if(initdata == NULL)
192  {
193  SCLogDebug("Error getting context for AlertFastLog. \"initdata\" argument NULL");
194  SCFree(aft);
195  return TM_ECODE_FAILED;
196  }
197  /** Use the Ouptut Context (file pointer and mutex) */
198  aft->file_ctx = ((OutputCtx *)initdata)->data;
199 
200  *data = (void *)aft;
201  return TM_ECODE_OK;
202 }
203 
205 {
206  AlertFastLogThread *aft = (AlertFastLogThread *)data;
207  if (aft == NULL) {
208  return TM_ECODE_OK;
209  }
210 
211  /* clear memory */
212  memset(aft, 0, sizeof(AlertFastLogThread));
213 
214  SCFree(aft);
215  return TM_ECODE_OK;
216 }
217 
218 /**
219  * \brief Create a new LogFileCtx for "fast" output style.
220  * \param conf The configuration node for this output.
221  * \return A LogFileCtx pointer on success, NULL on failure.
222  */
224 {
225  OutputInitResult result = { NULL, false };
226  LogFileCtx *logfile_ctx = LogFileNewCtx();
227  if (logfile_ctx == NULL) {
228  SCLogDebug("AlertFastLogInitCtx2: Could not create new LogFileCtx");
229  return result;
230  }
231 
232  if (SCConfLogOpenGeneric(conf, logfile_ctx, DEFAULT_LOG_FILENAME, 1) < 0) {
233  LogFileFreeCtx(logfile_ctx);
234  return result;
235  }
236 
237  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
238  if (unlikely(output_ctx == NULL))
239  return result;
240  output_ctx->data = logfile_ctx;
241  output_ctx->DeInit = AlertFastLogDeInitCtx;
242 
243  result.ctx = output_ctx;
244  result.ok = true;
245  return result;
246 }
247 
248 static void AlertFastLogDeInitCtx(OutputCtx *output_ctx)
249 {
250  LogFileCtx *logfile_ctx = (LogFileCtx *)output_ctx->data;
251  LogFileFreeCtx(logfile_ctx);
252  SCFree(output_ctx);
253 }
254 
255 /*------------------------------Unittests-------------------------------------*/
256 
257 #ifdef UNITTESTS
258 
259 static int AlertFastLogTest01(void)
260 {
261  int result = 0;
262  uint8_t *buf = (uint8_t *) "GET /one/ HTTP/1.1\r\n"
263  "Host: one.example.org\r\n";
264 
265  uint16_t buflen = strlen((char *)buf);
266  Packet *p = NULL;
267  ThreadVars th_v;
268  DetectEngineThreadCtx *det_ctx;
269 
270  memset(&th_v, 0, sizeof(th_v));
271  p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
272 
274  if (de_ctx == NULL) {
275  return result;
276  }
277 
278  de_ctx->flags |= DE_QUIET;
279 
282 
283  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
284  "(msg:\"FastLog test\"; content:\"GET\"; "
285  "Classtype:unknown; sid:1;)");
286 
287  SigGroupBuild(de_ctx);
288  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
289 
290  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
291  if (p->alerts.cnt == 1) {
292  result = (strcmp(p->alerts.alerts[0].s->class_msg, "Unknown are we") == 0);
293  }
294 
295  SigGroupCleanup(de_ctx);
296  SigCleanSignatures(de_ctx);
297  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
298  DetectEngineCtxFree(de_ctx);
299 
300  UTHFreePackets(&p, 1);
301  return result;
302 }
303 
304 static int AlertFastLogTest02(void)
305 {
306  int result = 0;
307  uint8_t *buf = (uint8_t *) "GET /one/ HTTP/1.1\r\n"
308  "Host: one.example.org\r\n";
309  uint16_t buflen = strlen((char *)buf);
310  Packet *p = NULL;
311  ThreadVars th_v;
312  DetectEngineThreadCtx *det_ctx;
313 
314  memset(&th_v, 0, sizeof(th_v));
315 
316  p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
317 
319  if (de_ctx == NULL) {
320  return result;
321  }
322 
323  de_ctx->flags |= DE_QUIET;
324 
327 
328  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
329  "(msg:\"FastLog test\"; content:\"GET\"; "
330  "Classtype:unknown; sid:1;)");
331 
332  SigGroupBuild(de_ctx);
333  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
334 
335  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
336  if (p->alerts.cnt == 1) {
337  result = (strcmp(p->alerts.alerts[0].s->class_msg,
338  "Unknown are we") == 0);
339  if (result == 0)
340  printf("p->alerts.alerts[0].class_msg %s: ", p->alerts.alerts[0].s->class_msg);
341  }
342 
343  SigGroupCleanup(de_ctx);
344  SigCleanSignatures(de_ctx);
345  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
346  DetectEngineCtxFree(de_ctx);
347 
348  UTHFreePackets(&p, 1);
349  return result;
350 }
351 
352 #endif /* UNITTESTS */
353 
354 /**
355  * \brief This function registers unit tests for AlertFastLog API.
356  */
358 {
359 
360 #ifdef UNITTESTS
361 
362  UtRegisterTest("AlertFastLogTest01", AlertFastLogTest01);
363  UtRegisterTest("AlertFastLogTest02", AlertFastLogTest02);
364 
365 #endif /* UNITTESTS */
366 
367 }
#define GET_IPV4_SRC_ADDR_PTR(p)
Definition: decode.h:212
char * known_proto[256]
uint8_t SCProtoNameValid(uint16_t proto)
Function to check if the received protocol number is valid and do we have corresponding name entry fo...
#define SCLogDebug(...)
Definition: util-debug.h:335
OutputInitResult AlertFastLogInitCtx(ConfNode *conf)
Create a new LogFileCtx for "fast" output style.
int AlertFastLogger(ThreadVars *tv, void *data, const Packet *p)
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
char * msg
Definition: detect.h:552
uint32_t id
Definition: detect.h:528
#define FALSE
#define unlikely(expr)
Definition: util-optimize.h:35
#define GET_IPV4_DST_ADDR_PTR(p)
Definition: decode.h:213
int AlertFastLogCondition(ThreadVars *tv, const Packet *p)
Definition: alert-fastlog.c:91
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Port sp
Definition: decode.h:413
int prio
Definition: detect.h:531
Port dp
Definition: decode.h:421
Signature * sig_list
Definition: detect.h:729
uint8_t action
Definition: decode.h:269
#define PKT_IS_IPV6(p)
Definition: decode.h:250
void SigCleanSignatures(DetectEngineCtx *de_ctx)
void AlertFastLogRegister(void)
Definition: alert-fastlog.c:78
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:84
#define MAX_FASTLOG_BUFFER_SIZE
Definition: alert-fastlog.c:68
uint64_t pcap_cnt
Definition: decode.h:561
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
int EngineModeIsIPS(void)
Definition: suricata.c:239
#define TRUE
#define PKT_IS_IPV4(p)
Definition: decode.h:249
LogFileCtx * file_ctx
Definition: alert-fastlog.c:88
main detection engine ctx
Definition: detect.h:723
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
TmEcode AlertFastLogThreadInit(ThreadVars *, const void *, void **)
PacketAlert alerts[PACKET_ALERT_MAX]
Definition: decode.h:292
const struct Signature_ * s
Definition: decode.h:271
#define DEFAULT_LOG_FILENAME
Definition: alert-fastlog.c:60
#define DE_QUIET
Definition: detect.h:296
#define SCCalloc(nm, a)
Definition: util-mem.h:197
void OutputRegisterPacketModule(LoggerId id, const char *name, const char *conf_name, OutputInitFunc InitFunc, PacketLogger PacketLogFunc, PacketLogCondition PacketConditionFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a packet output module.
Definition: output.c:158
uint8_t flags
Definition: detect.h:724
#define GET_IPV6_DST_ADDR(p)
Definition: decode.h:218
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
void PrintBufferRawLineHex(char *nbuf, int *offset, int max_size, uint8_t *buf, uint32_t buflen)
print a buffer as hex on a single line
Definition: util-print.c:42
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
#define PrintBufferData(buf, buf_offset_ptr, buf_size,...)
Definition: util-print.h:29
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1743
void SCClassConfLoadClassficationConfigFile(DetectEngineCtx *de_ctx, FILE *fd)
Loads the Classtype info from the classification.config file.
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
LogFileCtx * LogFileNewCtx(void)
LogFileNewCtx() Get a new LogFileCtx.
struct AlertFastLogThread_ AlertFastLogThread
int SCConfLogOpenGeneric(ConfNode *conf, LogFileCtx *log_ctx, const char *default_filename, int rotate)
open a generic output "log file", which may be a regular file or a socket
const char * PrintInet(int af, const void *src, char *dst, socklen_t size)
Definition: util-print.c:267
int SigGroupCleanup(DetectEngineCtx *de_ctx)
uint32_t gid
Definition: detect.h:529
uint8_t proto
char * class_msg
Definition: detect.h:555
Definition: conf.h:32
int(* Write)(const char *buffer, int buffer_len, struct LogFileCtx_ *fp)
OutputCtx * ctx
Definition: output.h:42
#define SCMalloc(a)
Definition: util-mem.h:166
#define GET_IPV6_SRC_ADDR(p)
Definition: decode.h:217
int LogFileFreeCtx(LogFileCtx *lf_ctx)
LogFileFreeCtx() Destroy a LogFileCtx (Close the file and free memory)
#define MAX_FASTLOG_ALERT_SIZE
Definition: alert-fastlog.c:65
#define SCFree(a)
Definition: util-mem.h:228
void * data
Definition: tm-modules.h:81
#define IP_GET_IPPROTO(p)
Definition: decode.h:261
uint32_t rev
Definition: detect.h:530
#define MODULE_NAME
Definition: alert-fastlog.c:62
PacketAlerts alerts
Definition: decode.h:555
#define GET_PKT_DATA(p)
Definition: decode.h:223
uint16_t cnt
Definition: decode.h:291
Per thread variable structure.
Definition: threadvars.h:57
struct timeval ts
Definition: decode.h:449
#define GET_PKT_LEN(p)
Definition: decode.h:222
#define ACTION_DROP
TmEcode AlertFastLogThreadDeinit(ThreadVars *, void *)
#define likely(expr)
Definition: util-optimize.h:32
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself...
FILE * SCClassConfGenerateValidDummyClassConfigFD01(void)
Creates a dummy classification file, with all valid Classtypes, for testing purposes.
void CreateTimeString(const struct timeval *ts, char *str, size_t size)
Definition: util-time.c:237
DetectEngineCtx * DetectEngineCtxInit(void)
void AlertFastLogRegisterTests(void)
This function registers unit tests for AlertFastLog API.