alert-unified2-alert.c File Reference
#include "suricata-common.h"
#include "runmodes.h"
#include "debug.h"
#include "detect.h"
#include "flow.h"
#include "conf.h"
#include "pkt-var.h"
#include "threads.h"
#include "threadvars.h"
#include "tm-threads.h"
#include "output.h"
#include "util-unittest.h"
#include "alert-unified2-alert.h"
#include "decode-ipv4.h"
#include "host.h"
#include "util-profiling.h"
#include "decode.h"
#include "util-error.h"
#include "util-debug.h"
#include "util-time.h"
#include "util-byte.h"
#include "util-misc.h"
#include "util-logopenfile.h"
#include "app-layer-parser.h"
#include "app-layer-htp.h"
#include "app-layer.h"
#include "app-layer-htp-xff.h"
#include "util-privs.h"
#include "stream.h"
#include "stream-tcp-inline.h"
#include "util-optimize.h"


Data Structures

struct  Unified2ExtraDataHdr_
 
struct  Unified2AlertFileHeader_
 
struct  AlertIPv4Unified2_
 
struct  AlertIPv6Unified2_
 
struct  AlertUnified2Packet_
 
struct  Unified2AlertFileCtx_
 
struct  Unified2AlertThread_
 
struct  _FakeIPv4Hdr
 
struct  _FakeIPv6Hdr
 

Macros

#define DEFAULT_LOG_FILENAME   "unified2.alert"
 
#define DEFAULT_LIMIT   32 * 1024 * 1024
 
#define MIN_LIMIT   1 * 1024 * 1024
 
#define UNIFIED2_ALERT_XFF_IPV4   8
 
#define UNIFIED2_ALERT_XFF_IPV6   16
 
#define UNIFIED2_ALERT_FLAGS_EMIT_PACKET   (1 << 0)
 
#define UNIFIED2_PACKET_SIZE   (sizeof(Unified2Packet) - 4)
 
#define MODULE_NAME   "Unified2Alert"
 

Typedefs

typedef struct Unified2AlertFileHeader_ Unified2AlertFileHeader
 
typedef struct AlertIPv4Unified2_ AlertIPv4Unified2
 
typedef struct AlertIPv6Unified2_ AlertIPv6Unified2
 
typedef struct AlertUnified2Packet_ Unified2Packet
 
typedef struct Unified2AlertFileCtx_ Unified2AlertFileCtx
 
typedef struct Unified2AlertThread_ Unified2AlertThread
 

Functions

struct Unified2ExtraDataHdr_ __attribute__ ((__packed__))
 DNP3 link header. More...
 
 SC_ATOMIC_DECLARE (unsigned int, unified2_event_id)
 
TmEcode Unified2AlertThreadInit (ThreadVars *t, const void *initdata, void **data)
 Thread init function. More...
 
TmEcode Unified2AlertThreadDeinit (ThreadVars *t, void *data)
 Thread deinit function. More...
 
void Unified2RegisterTests (void)
 this function registers unit tests for Unified2 More...
 
int Unified2Condition (ThreadVars *tv, const Packet *p)
 
int Unified2Logger (ThreadVars *t, void *data, const Packet *p)
 Unified2 main entry function. More...
 
void Unified2AlertRegister (void)
 
OutputInitResult Unified2AlertInitCtx (ConfNode *conf)
 Create a new LogFileCtx from the provided ConfNode. More...
 

Variables

uint32_t event_type
 
uint32_t event_length
 
 Unified2ExtraData
 
IPV4Hdr ip4h
 
TCPHdr tcph
 
IPV6Hdr ip6h
 

Detailed Description

Author
Breno Silva breno.nosp@m..sil.nosp@m.va@gm.nosp@m.ail..nosp@m.com
Eric Leblond eric@.nosp@m.regi.nosp@m.t.org
Ignacio Sanchez sanch.nosp@m.ezma.nosp@m.rtin..nosp@m.ji@g.nosp@m.mail..nosp@m.com
Duarte Silva duart.nosp@m.e.si.nosp@m.lva@s.nosp@m.eria.nosp@m.lizin.nosp@m.g.me

Logs alerts in a format compatible with Snort's unified2 format, so it should be readable by Barnyard2.

Definition in file alert-unified2-alert.c.

Macro Definition Documentation

#define DEFAULT_LIMIT   32 * 1024 * 1024

Default log file size limit (32 MiB, expressed in bytes).

Definition at line 77 of file alert-unified2-alert.c.

Referenced by Unified2AlertInitCtx().

#define DEFAULT_LOG_FILENAME   "unified2.alert"

Default log file name.

Definition at line 74 of file alert-unified2-alert.c.

Referenced by Unified2AlertInitCtx().

#define MIN_LIMIT   1 * 1024 * 1024

Minimum log file size limit (1 MiB, expressed in bytes).

Definition at line 80 of file alert-unified2-alert.c.

Referenced by Unified2AlertInitCtx().

#define MODULE_NAME   "Unified2Alert"

Definition at line 235 of file alert-unified2-alert.c.

Referenced by Unified2AlertRegister().

#define UNIFIED2_ALERT_FLAGS_EMIT_PACKET   (1 << 0)

Definition at line 190 of file alert-unified2-alert.c.

Referenced by Unified2AlertInitCtx().

#define UNIFIED2_ALERT_XFF_IPV4   8

Extracted XFF IP is v4

Definition at line 180 of file alert-unified2-alert.c.

#define UNIFIED2_ALERT_XFF_IPV6   16

Extracted XFF IP is v6

Definition at line 182 of file alert-unified2-alert.c.

#define UNIFIED2_PACKET_SIZE   (sizeof(Unified2Packet) - 4)

Definition at line 217 of file alert-unified2-alert.c.

Typedef Documentation

Unified2 Ipv4 struct

Used for storing ipv4 type values.

Unified2 Ipv6 type struct

Used for storing ipv6 type values.

Unified2 file header struct

Used for storing file header options.

Unified2 thread vars

Used for storing file options.

Unified2 packet type struct

Used for storing packet type values.

Function Documentation

SC_ATOMIC_DECLARE ( unsigned  int,
unified2_event_id   
)

Atomic counter used to link related events.

OutputInitResult Unified2AlertInitCtx ( ConfNode conf)

Create a new LogFileCtx from the provided ConfNode.

Parameters
conf — The configuration node for this output.
Returns
NULL if failure, LogFileCtx* to the file_ctx if successful

Definition at line 1276 of file alert-unified2-alert.c.

References Packet_::action, ACTION_DROP, PacketAlerts_::alerts, Packet_::alerts, ByteExtractStringUint32(), PacketAlerts_::cnt, ConfGetChildValueBool(), ConfigGetLogDirectory(), ConfNodeLookupChildValue(), ConfValIsFalse(), ConfValIsTrue(), OutputInitResult_::ctx, OutputCtx_::data, DecodeEthernet(), DecodePPP(), DEFAULT_LIMIT, DEFAULT_LOG_FILENAME, OutputCtx_::DeInit, Unified2AlertFileCtx_::file_ctx, LogFileCtx_::filename, flags, Unified2AlertFileCtx_::flags, FLOW_QUIET, FlowInitConfig(), FlowShutdown(), LogFileCtx_::fp, Signature_::gid, HttpXFFGetCfg(), Signature_::id, LogFileFreeCtx(), LogFileNewCtx(), MIN_LIMIT, LogFileCtx_::nostamp, OutputInitResult_::ok, OutputRegisterFileRotationFlag(), PACKET_RECYCLE, PacketDequeue(), PacketGetFromAlloc(), ParseSizeStringU64(), LogFileCtx_::prefix, Signature_::rev, LogFileCtx_::rotation_flag, run_mode, RUNMODE_UNITTEST, PacketAlert_::s, SC_ATOMIC_INIT, SC_ERR_FOPEN, SC_ERR_INVALID_ARGUMENT, SC_ERR_MEM_ALLOC, SC_ERR_UNIFIED2_ALERT_GENERIC, SCCalloc, SCFree, SCLogError, SCLogInfo, SCMalloc, SCStrdup, SET_PKT_LEN, LogFileCtx_::size_limit, TimeGet(), TimeSetIncrementTime(), TM_ECODE_FAILED, UNIFIED2_ALERT_FLAGS_EMIT_PACKET, Unified2AlertInitCtx(), Unified2AlertThreadDeinit(), Unified2AlertThreadInit(), Unified2Logger(), unlikely, and Unified2AlertFileCtx_::xff_cfg.

Referenced by Unified2AlertInitCtx(), and Unified2AlertRegister().



TmEcode Unified2AlertThreadDeinit ( ThreadVars t,
void *  data 
)

Thread deinit function.

Parameters
t — Thread variable containing input/output queue, cpu affinity etc.
data — Unified2 thread data.
Return values
TM_ECODE_OK — on success
TM_ECODE_FAILED — on failure

Definition at line 1242 of file alert-unified2-alert.c.

References Unified2AlertThread_::data, Unified2AlertThread_::datalen, Unified2AlertFileCtx_::file_ctx, LogFileCtx_::flags, LOGFILE_ALERTS_PRINTED, SCFree, TM_ECODE_FAILED, TM_ECODE_OK, and Unified2AlertThread_::unified2alert_ctx.

Referenced by Unified2AlertInitCtx(), and Unified2AlertRegister().


TmEcode Unified2AlertThreadInit ( ThreadVars t,
const void *  initdata,
void **  data 
)

Thread init function.

prototypes

Parameters
t — Thread variable containing input/output queue, cpu affinity etc.
initdata — Unified2 thread initial data.
data — Unified2 thread data.
Return values
TM_ECODE_OK — on success
TM_ECODE_FAILED — on failure

Use the Output Context (file pointer and mutex)

Definition at line 1204 of file alert-unified2-alert.c.

References Unified2AlertThread_::data, Unified2AlertThread_::datalen, IPV4_MAXPACKET_LEN, SCFree, SCLogDebug, SCMalloc, TM_ECODE_FAILED, TM_ECODE_OK, Unified2AlertThread_::unified2alert_ctx, Unified2ExtraData, and unlikely.

Referenced by Unified2AlertInitCtx(), and Unified2AlertRegister().


int Unified2Condition ( ThreadVars tv,
const Packet p 
)

Definition at line 305 of file alert-unified2-alert.c.

References Packet_::alerts, PacketAlerts_::cnt, FALSE, Packet_::flags, likely, PKT_HAS_TAG, and TRUE.

Referenced by Unified2AlertRegister().


int Unified2Logger ( ThreadVars t,
void *  data,
const Packet p 
)

Unified2 main entry function.

Return values
TM_ECODE_OK — all is good
TM_ECODE_FAILED — serious error

Be sure that we have a nice zeroed buffer

Override mode is only possible if the packet's IP version matches the XFF IP version; otherwise fall back to extra data.

Definition at line 317 of file alert-unified2-alert.c.

Referenced by Unified2AlertInitCtx(), and Unified2AlertRegister().


void Unified2RegisterTests ( void  )

this function registers unit tests for Unified2

Definition at line 2026 of file alert-unified2-alert.c.

References UtRegisterTest().

Referenced by Unified2AlertRegister().



Variable Documentation

uint32_t event_length

Definition at line 85 of file alert-unified2-alert.c.

TCPHdr tcph
Unified2ExtraData

Definition at line 105 of file alert-unified2-alert.c.

Referenced by Unified2AlertThreadInit().