23374838686

Committed 21 Mar 2026 07:29AM UTC coverage: 59.341% (-20.0%) from 79.315%

Build # 23374838686

Build Type

Pull #15075

github

Committed by

web-flow

Commit Message

Merge 90b4e834f into 6587e363a

Pull Request Pull Request #15075: Stack 8001 v16.4

Coverage Stats

38 of 70 new or added lines in 10 files covered. (54.29%)

34165 existing lines in 563 files now uncovered.

119621 of 201584 relevant lines covered (59.34%)

650666.92 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

3.92

/src/alert-debuglog.c

/* Copyright (C) 2007-2014 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

/**
 * \file
 *
 * \author Victor Julien <victor@inliniac.net>
 */

#include "suricata-common.h"
#include "suricata.h"

#include "action-globals.h"
#include "detect.h"
#include "flow.h"
#include "conf.h"
#include "stream.h"
#include "app-layer-protos.h"

#include "threads.h"
#include "threadvars.h"
#include "tm-threads.h"

#include "util-print.h"

#include "pkt-var.h"

#include "util-unittest.h"

#include "util-debug.h"
#include "util-validate.h"
#include "util-buffer.h"

#include "output.h"
#include "alert-debuglog.h"
#include "util-privs.h"
#include "flow-var.h"
#include "flow-bit.h"
#include "util-var-name.h"
#include "util-optimize.h"
#include "util-logopenfile.h"
#include "util-time.h"

#include "stream-tcp-reassemble.h"

#define DEFAULT_LOG_FILENAME "alert-debug.log"

#define MODULE_NAME "AlertDebugLog"

typedef struct AlertDebugLogThread_ {
    LogFileCtx *file_ctx;
    /** LogFileCtx has the pointer to the file and a mutex to allow multithreading */
    MemBuffer *buffer;
} AlertDebugLogThread;

/**
 *  \brief Function to log the FlowVars into alert-debug.log
 *
 *  \param aft Pointer to AlertDebugLog Thread
 *  \param p Pointer to the packet
 *
 */
static void AlertDebugLogFlowVars(AlertDebugLogThread *aft, const Packet *p)
{
    const GenericVar *gv = p->flow->flowvar;
    uint16_t i;
    while (gv != NULL) {
        if (gv->type == DETECT_FLOWBITS) {
            FlowBit *fb = (FlowBit *)gv;
            const char *fbname = VarNameStoreLookupById(fb->idx, VAR_TYPE_FLOW_BIT);
            if (fbname) {
                MemBufferWriteString(aft->buffer, "FLOWBIT:           %s\n",
                        fbname);
            }
        } else if (gv->type == DETECT_FLOWVAR || gv->type == DETECT_FLOWINT) {
            FlowVar *fv = (FlowVar *) gv;

            if (fv->datatype == FLOWVAR_TYPE_STR) {
                const char *fvname = VarNameStoreLookupById(fv->idx,
                        VAR_TYPE_FLOW_VAR);
                MemBufferWriteString(aft->buffer, "FLOWVAR:           \"%s\" => \"",
                                     fvname);
                for (i = 0; i < fv->data.fv_str.value_len; i++) {
                    if (isprint(fv->data.fv_str.value[i])) {
                        MemBufferWriteString(aft->buffer, "%c",
                                             fv->data.fv_str.value[i]);
                    } else {
                        MemBufferWriteString(aft->buffer, "\\%02X",
                                             fv->data.fv_str.value[i]);
                    }
                }
                MemBufferWriteString(aft->buffer, "\"\n");
            } else if (fv->datatype == FLOWVAR_TYPE_INT) {
                const char *fvname = VarNameStoreLookupById(fv->idx,
                        VAR_TYPE_FLOW_INT);
                MemBufferWriteString(aft->buffer, "FLOWINT:           \"%s\" =>"
                        " %"PRIu32"\n", fvname, fv->data.fv_int.value);
            }
        }
        gv = gv->next;
    }
}

/**
 *  \brief Function to log the PktVars into alert-debug.log
 *
 *  \param aft Pointer to AlertDebugLog Thread
 *  \param p Pointer to the packet
 *
 */
static void AlertDebugLogPktVars(AlertDebugLogThread *aft, const Packet *p)
{
    const PktVar *pv = p->pktvar;

    while (pv != NULL) {
        const char *varname = VarNameStoreLookupById(pv->id, VAR_TYPE_PKT_VAR);
        MemBufferWriteString(aft->buffer, "PKTVAR:            %s\n", varname);
        PrintRawDataToBuffer(aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
                             pv->value, pv->value_len);
        pv = pv->next;
    }
}

/** \todo doc
 * assume we have aft lock */
static int AlertDebugPrintStreamSegmentCallback(
        const Packet *p, TcpSegment *seg, void *data, const uint8_t *buf, uint32_t buflen)
{
    AlertDebugLogThread *aft = (AlertDebugLogThread *)data;

    MemBufferWriteString(aft->buffer, "STREAM DATA LEN:     %"PRIu32"\n", buflen);
    MemBufferWriteString(aft->buffer, "STREAM DATA:\n");

    PrintRawDataToBuffer(aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
                         buf, buflen);

    return 1;
}

static TmEcode AlertDebugLogger(ThreadVars *tv, const Packet *p, void *thread_data)
{
    AlertDebugLogThread *aft = (AlertDebugLogThread *)thread_data;
    int i;
    char timebuf[64];
    const char *pkt_src_str = NULL;

    if (p->alerts.cnt == 0)
        return TM_ECODE_OK;

    MemBufferReset(aft->buffer);

    CreateTimeString(p->ts, timebuf, sizeof(timebuf));

    MemBufferWriteString(aft->buffer, "+================\n"
                         "TIME:              %s\n", timebuf);
    uint64_t pcap_cnt = PcapPacketCntGet(p);
    if (pcap_cnt > 0) {
        MemBufferWriteString(aft->buffer, "PCAP PKT NUM:      %" PRIu64 "\n", pcap_cnt);
    }
    pkt_src_str = PktSrcToString(p->pkt_src);
    MemBufferWriteString(aft->buffer, "PKT SRC:           %s\n", pkt_src_str);

    char srcip[46], dstip[46];
    if (PacketIsIPv4(p)) {
        PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));
        PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));
    } else {
        DEBUG_VALIDATE_BUG_ON(!(PacketIsIPv6(p)));
        PrintInetIPv6((const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip),
                aft->file_ctx->compress_ipv6);
        PrintInetIPv6((const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip),
                aft->file_ctx->compress_ipv6);
    }

    MemBufferWriteString(aft->buffer, "SRC IP:            %s\n"
                         "DST IP:            %s\n"
                         "PROTO:             %" PRIu32 "\n",
                         srcip, dstip, p->proto);
    if (PacketIsTCP(p) || PacketIsUDP(p)) {
        MemBufferWriteString(aft->buffer, "SRC PORT:          %" PRIu32 "\n"
                             "DST PORT:          %" PRIu32 "\n",
                             p->sp, p->dp);
        if (PacketIsTCP(p)) {
            const TCPHdr *tcph = PacketGetTCP(p);
            MemBufferWriteString(aft->buffer,
                    "TCP SEQ:           %" PRIu32 "\n"
                    "TCP ACK:           %" PRIu32 "\n",
                    TCP_GET_RAW_SEQ(tcph), TCP_GET_RAW_ACK(tcph));
        }
    }

    /* flow stuff */
    MemBufferWriteString(aft->buffer, "FLOW:              to_server: %s, "
                         "to_client: %s\n",
                         p->flowflags & FLOW_PKT_TOSERVER ? "TRUE" : "FALSE",
                         p->flowflags & FLOW_PKT_TOCLIENT ? "TRUE" : "FALSE");

    if (p->flow != NULL) {
        int applayer = 0;
        applayer = StreamTcpAppLayerIsDisabled(p->flow);
        CreateTimeString(p->flow->startts, timebuf, sizeof(timebuf));
        MemBufferWriteString(aft->buffer, "FLOW Start TS:     %s\n", timebuf);
        MemBufferWriteString(aft->buffer, "FLOW PKTS TODST:   %"PRIu32"\n"
                             "FLOW PKTS TOSRC:   %"PRIu32"\n"
                             "FLOW Total Bytes:  %"PRIu64"\n",
                             p->flow->todstpktcnt, p->flow->tosrcpktcnt,
                             p->flow->todstbytecnt + p->flow->tosrcbytecnt);
        MemBufferWriteString(aft->buffer,
                "FLOW ACTION:       DROP: %s\n"
                "FLOW PAYLOAD: %s, APP_LAYER: %s\n"
                "FLOW APP_LAYER:    DETECTED: %s, PROTO %" PRIu16 "\n",
                p->flow->flags & FLOW_ACTION_DROP ? "TRUE" : "FALSE",
                p->flow->flags & FLOW_NOPAYLOAD_INSPECTION ? "TRUE" : "FALSE",
                applayer ? "TRUE" : "FALSE",
                (p->flow->alproto != ALPROTO_UNKNOWN) ? "TRUE" : "FALSE", p->flow->alproto);
        AlertDebugLogFlowVars(aft, p);
    }

    AlertDebugLogPktVars(aft, p);

/* any stuff */
/* Sig details? */

    MemBufferWriteString(aft->buffer,
                         "PACKET LEN:        %" PRIu32 "\n"
                         "PACKET:\n",
                         GET_PKT_LEN(p));
    PrintRawDataToBuffer(aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
                         GET_PKT_DATA(p), GET_PKT_LEN(p));

    MemBufferWriteString(aft->buffer, "ALERT CNT:           %" PRIu32 "\n",
                         p->alerts.cnt);

    for (i = 0; i < p->alerts.cnt; i++) {
        const PacketAlert *pa = &p->alerts.alerts[i];
        if (unlikely(pa->s == NULL || (pa->action & ACTION_ALERT) == 0)) {
            continue;
        }

        MemBufferWriteString(aft->buffer,
                             "ALERT MSG [%02d]:      %s\n"
                             "ALERT GID [%02d]:      %" PRIu32 "\n"
                             "ALERT SID [%02d]:      %" PRIu32 "\n"
                             "ALERT REV [%02d]:      %" PRIu32 "\n"
                             "ALERT CLASS [%02d]:    %s\n"
                             "ALERT PRIO [%02d]:     %" PRIu32 "\n"
                             "ALERT FOUND IN [%02d]: %s\n",
                             i, pa->s->msg,
                             i, pa->s->gid,
                             i, pa->s->id,
                             i, pa->s->rev,
                             i, pa->s->class_msg ? pa->s->class_msg : "<none>",
                             i, pa->s->prio,
                             i,
                             pa->flags & PACKET_ALERT_FLAG_STREAM_MATCH  ? "STREAM" :
                             (pa->flags & PACKET_ALERT_FLAG_STATE_MATCH ? "STATE" : "PACKET"));
        if (pa->flags & PACKET_ALERT_FLAG_TX) {
            MemBufferWriteString(aft->buffer,
                    "ALERT IN TX [%02d]:    %"PRIu64"\n", i, pa->tx_id);
        } else {
            MemBufferWriteString(aft->buffer,
                    "ALERT IN TX [%02d]:    N/A\n", i);
        }
        if (p->payload_len > 0) {
            MemBufferWriteString(aft->buffer,
                                 "PAYLOAD LEN:         %" PRIu32 "\n"
                                 "PAYLOAD:\n",
                                 p->payload_len);
            PrintRawDataToBuffer(aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
                                 p->payload, p->payload_len);
        }
        if ((pa->flags & PACKET_ALERT_FLAG_STATE_MATCH) ||
            (pa->flags & PACKET_ALERT_FLAG_STREAM_MATCH)) {
            /* This is an app layer or stream alert */
            int ret;
            uint8_t flag;
            if (!(PacketIsTCP(p)) || p->flow == NULL || p->flow->protoctx == NULL) {
                continue;
            }
            /* IDS mode reverse the data */
            /** \todo improve the order selection policy */
            if (p->flowflags & FLOW_PKT_TOSERVER) {
                flag = STREAM_DUMP_TOCLIENT;
            } else {
                flag = STREAM_DUMP_TOSERVER;
            }
            ret = StreamSegmentForEach((const Packet *)p, flag,
                                 AlertDebugPrintStreamSegmentCallback,
                                 (void *)aft);
            if (ret < 0) {
                return TM_ECODE_FAILED;
            }
        }
    }

    aft->file_ctx->Write((const char *)MEMBUFFER_BUFFER(aft->buffer),
        MEMBUFFER_OFFSET(aft->buffer), aft->file_ctx);

    return TM_ECODE_OK;
}

static TmEcode AlertDebugLogDecoderEvent(ThreadVars *tv, const Packet *p, void *thread_data)
{
    AlertDebugLogThread *aft = (AlertDebugLogThread *)thread_data;
    int i;
    char timebuf[64];
    const char *pkt_src_str = NULL;

    if (p->alerts.cnt == 0)
        return TM_ECODE_OK;

    MemBufferReset(aft->buffer);

    CreateTimeString(p->ts, timebuf, sizeof(timebuf));

    MemBufferWriteString(aft->buffer,
                         "+================\n"
                         "TIME:              %s\n", timebuf);
    uint64_t pcap_cnt = PcapPacketCntGet(p);
    if (pcap_cnt > 0) {
        MemBufferWriteString(aft->buffer, "PCAP PKT NUM:      %" PRIu64 "\n", pcap_cnt);
    }
    pkt_src_str = PktSrcToString(p->pkt_src);
    MemBufferWriteString(aft->buffer, "PKT SRC:           %s\n", pkt_src_str);
    MemBufferWriteString(aft->buffer,
                         "ALERT CNT:         %" PRIu32 "\n", p->alerts.cnt);

    for (i = 0; i < p->alerts.cnt; i++) {
        const PacketAlert *pa = &p->alerts.alerts[i];
        if (unlikely(pa->s == NULL || (pa->action & ACTION_ALERT) == 0)) {
            continue;
        }

        MemBufferWriteString(aft->buffer,
                             "ALERT MSG [%02d]:    %s\n"
                             "ALERT GID [%02d]:    %" PRIu32 "\n"
                             "ALERT SID [%02d]:    %" PRIu32 "\n"
                             "ALERT REV [%02d]:    %" PRIu32 "\n"
                             "ALERT CLASS [%02d]:  %s\n"
                             "ALERT PRIO [%02d]:   %" PRIu32 "\n",
                             i, pa->s->msg,
                             i, pa->s->gid,
                             i, pa->s->id,
                             i, pa->s->rev,
                             i, pa->s->class_msg,
                             i, pa->s->prio);
    }

    MemBufferWriteString(aft->buffer,
                         "PACKET LEN:        %" PRIu32 "\n"
                         "PACKET:\n",
                         GET_PKT_LEN(p));
    PrintRawDataToBuffer(aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,
                         GET_PKT_DATA(p), GET_PKT_LEN(p));

    aft->file_ctx->Write((const char *)MEMBUFFER_BUFFER(aft->buffer),
        MEMBUFFER_OFFSET(aft->buffer), aft->file_ctx);

    return TM_ECODE_OK;
}

static TmEcode AlertDebugLogThreadInit(ThreadVars *t, const void *initdata, void **data)
{
    AlertDebugLogThread *aft = SCCalloc(1, sizeof(AlertDebugLogThread));
    if (unlikely(aft == NULL))
        return TM_ECODE_FAILED;

    if(initdata == NULL)
    {
        SCLogDebug("Error getting context for AlertDebugLog.  \"initdata\" argument NULL");
        SCFree(aft);
        return TM_ECODE_FAILED;
    }
    /** Use the Output Context (file pointer and mutex) */
    aft->file_ctx = ((OutputCtx *)initdata)->data;

    /* 1 mb seems sufficient enough */
    aft->buffer = MemBufferCreateNew(1 * 1024 * 1024);
    if (aft->buffer == NULL) {
        SCFree(aft);
        return TM_ECODE_FAILED;
    }

    *data = (void *)aft;
    return TM_ECODE_OK;
}

static TmEcode AlertDebugLogThreadDeinit(ThreadVars *t, void *data)
{
    AlertDebugLogThread *aft = (AlertDebugLogThread *)data;
    if (aft == NULL) {
        return TM_ECODE_OK;
    }

    MemBufferFree(aft->buffer);
    /* clear memory */
    memset(aft, 0, sizeof(AlertDebugLogThread));

    SCFree(aft);
    return TM_ECODE_OK;
}

static void AlertDebugLogDeInitCtx(OutputCtx *output_ctx)
{
    if (output_ctx != NULL) {
        LogFileCtx *logfile_ctx = (LogFileCtx *)output_ctx->data;
        if (logfile_ctx != NULL) {
            LogFileFreeCtx(logfile_ctx);
        }
        SCFree(output_ctx);
    }
}

/**
 *  \brief Create a new LogFileCtx for alert debug logging.
 *
 *  \param SCConfNode containing configuration for this logger.
 *
 *  \return output_ctx if succesful, NULL otherwise
 */
static OutputInitResult AlertDebugLogInitCtx(SCConfNode *conf)
{
    OutputInitResult result = { NULL, false };
    LogFileCtx *file_ctx = NULL;

    file_ctx = LogFileNewCtx();
    if (file_ctx == NULL) {
        SCLogDebug("couldn't create new file_ctx");
        goto error;
    }

    if (SCConfLogOpenGeneric(conf, file_ctx, DEFAULT_LOG_FILENAME, 1) < 0) {
        goto error;
    }

    OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
    if (unlikely(output_ctx == NULL))
        goto error;

    output_ctx->data = file_ctx;
    output_ctx->DeInit = AlertDebugLogDeInitCtx;

    SCLogDebug("Alert debug log output initialized");
    result.ctx = output_ctx;
    result.ok = true;
    return result;

error:
    if (file_ctx != NULL) {
        LogFileFreeCtx(file_ctx);
    }

    return result;
}

static bool AlertDebugLogCondition(ThreadVars *tv, void *thread_data, const Packet *p)
{
    return (p->alerts.cnt > 0);
}

static int AlertDebugLogLogger(ThreadVars *tv, void *thread_data, const Packet *p)
{
    if (PacketIsIPv4(p) || PacketIsIPv6(p)) {
        return AlertDebugLogger(tv, p, thread_data);
    } else if (p->events.cnt > 0) {
        return AlertDebugLogDecoderEvent(tv, p, thread_data);
    }
    return TM_ECODE_OK;
}

void AlertDebugLogRegister(void)
{
    OutputPacketLoggerFunctions output_logger_functions = {
        .LogFunc = AlertDebugLogLogger,
        .FlushFunc = NULL,
        .ConditionFunc = AlertDebugLogCondition,
        .ThreadInitFunc = AlertDebugLogThreadInit,
        .ThreadDeinitFunc = AlertDebugLogThreadDeinit,
        .ThreadExitPrintStatsFunc = NULL,
    };

    OutputRegisterPacketModule(LOGGER_ALERT_DEBUG, MODULE_NAME, "alert-debug", AlertDebugLogInitCtx,
            &output_logger_functions);
}

1	/* Copyright (C) 2007-2014 Open Information Security Foundation
2	*
3	* You can copy, redistribute or modify this Program under the terms of
4	* the GNU General Public License version 2 as published by the Free
5	* Software Foundation.
6	*
7	* This program is distributed in the hope that it will be useful,
8	* but WITHOUT ANY WARRANTY; without even the implied warranty of
9	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10	* GNU General Public License for more details.
11	*
12	* You should have received a copy of the GNU General Public License
13	* version 2 along with this program; if not, write to the Free Software
14	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15	* 02110-1301, USA.
16	*/
17
18	/**
19	* \file
20	*
21	* \author Victor Julien <victor@inliniac.net>
22	*/
23
24	#include "suricata-common.h"
25	#include "suricata.h"
26
27	#include "action-globals.h"
28	#include "detect.h"
29	#include "flow.h"
30	#include "conf.h"
31	#include "stream.h"
32	#include "app-layer-protos.h"
33
34	#include "threads.h"
35	#include "threadvars.h"
36	#include "tm-threads.h"
37
38	#include "util-print.h"
39
40	#include "pkt-var.h"
41
42	#include "util-unittest.h"
43
44	#include "util-debug.h"
45	#include "util-validate.h"
46	#include "util-buffer.h"
47
48	#include "output.h"
49	#include "alert-debuglog.h"
50	#include "util-privs.h"
51	#include "flow-var.h"
52	#include "flow-bit.h"
53	#include "util-var-name.h"
54	#include "util-optimize.h"
55	#include "util-logopenfile.h"
56	#include "util-time.h"
57
58	#include "stream-tcp-reassemble.h"
59
UNCOV 60	#define DEFAULT_LOG_FILENAME "alert-debug.log"	×
61
62	#define MODULE_NAME "AlertDebugLog"	2✔
63
64	typedef struct AlertDebugLogThread_ {
65	LogFileCtx *file_ctx;
66	/** LogFileCtx has the pointer to the file and a mutex to allow multithreading */
67	MemBuffer *buffer;
68	} AlertDebugLogThread;
69
70	/**
71	* \brief Function to log the FlowVars into alert-debug.log
72	*
73	* \param aft Pointer to AlertDebugLog Thread
74	* \param p Pointer to the packet
75	*
76	*/
77	static void AlertDebugLogFlowVars(AlertDebugLogThread aft, const Packet p)
UNCOV 78	{	×
UNCOV 79	const GenericVar *gv = p->flow->flowvar;	×
UNCOV 80	uint16_t i;	×
UNCOV 81	while (gv != NULL) {	×
82	if (gv->type == DETECT_FLOWBITS) {	×
83	FlowBit fb = (FlowBit )gv;	×
84	const char *fbname = VarNameStoreLookupById(fb->idx, VAR_TYPE_FLOW_BIT);	×
85	if (fbname) {	×
86	MemBufferWriteString(aft->buffer, "FLOWBIT: %s\n",	×
87	fbname);	×
88	}	×
89	} else if (gv->type == DETECT_FLOWVAR \|\| gv->type == DETECT_FLOWINT) {	×
90	FlowVar fv = (FlowVar ) gv;	×
91
92	if (fv->datatype == FLOWVAR_TYPE_STR) {	×
93	const char *fvname = VarNameStoreLookupById(fv->idx,	×
94	VAR_TYPE_FLOW_VAR);	×
95	MemBufferWriteString(aft->buffer, "FLOWVAR: \"%s\" => \"",	×
96	fvname);	×
97	for (i = 0; i < fv->data.fv_str.value_len; i++) {	×
98	if (isprint(fv->data.fv_str.value[i])) {	×
99	MemBufferWriteString(aft->buffer, "%c",	×
100	fv->data.fv_str.value[i]);	×
101	} else {	×
102	MemBufferWriteString(aft->buffer, "\\%02X",	×
103	fv->data.fv_str.value[i]);	×
104	}	×
105	}	×
106	MemBufferWriteString(aft->buffer, "\"\n");	×
107	} else if (fv->datatype == FLOWVAR_TYPE_INT) {	×
108	const char *fvname = VarNameStoreLookupById(fv->idx,	×
109	VAR_TYPE_FLOW_INT);	×
110	MemBufferWriteString(aft->buffer, "FLOWINT: \"%s\" =>"	×
111	" %"PRIu32"\n", fvname, fv->data.fv_int.value);	×
112	}	×
113	}	×
114	gv = gv->next;	×
115	}	×
UNCOV 116	}	×
117
118	/**
119	* \brief Function to log the PktVars into alert-debug.log
120	*
121	* \param aft Pointer to AlertDebugLog Thread
122	* \param p Pointer to the packet
123	*
124	*/
125	static void AlertDebugLogPktVars(AlertDebugLogThread aft, const Packet p)
UNCOV 126	{	×
UNCOV 127	const PktVar *pv = p->pktvar;	×
128
UNCOV 129	while (pv != NULL) {	×
130	const char *varname = VarNameStoreLookupById(pv->id, VAR_TYPE_PKT_VAR);	×
131	MemBufferWriteString(aft->buffer, "PKTVAR: %s\n", varname);	×
132	PrintRawDataToBuffer(aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,	×
133	pv->value, pv->value_len);	×
134	pv = pv->next;	×
135	}	×
UNCOV 136	}	×
137
138	/** \todo doc
139	* assume we have aft lock */
140	static int AlertDebugPrintStreamSegmentCallback(
141	const Packet p, TcpSegment seg, void data, const uint8_t buf, uint32_t buflen)
142	{	×
143	AlertDebugLogThread aft = (AlertDebugLogThread )data;	×
144
145	MemBufferWriteString(aft->buffer, "STREAM DATA LEN: %"PRIu32"\n", buflen);	×
146	MemBufferWriteString(aft->buffer, "STREAM DATA:\n");	×
147
148	PrintRawDataToBuffer(aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,	×
149	buf, buflen);	×
150
151	return 1;	×
152	}	×
153
154	static TmEcode AlertDebugLogger(ThreadVars tv, const Packet p, void *thread_data)
UNCOV 155	{	×
UNCOV 156	AlertDebugLogThread aft = (AlertDebugLogThread )thread_data;	×
UNCOV 157	int i;	×
UNCOV 158	char timebuf[64];	×
UNCOV 159	const char *pkt_src_str = NULL;	×
160
UNCOV 161	if (p->alerts.cnt == 0)	×
162	return TM_ECODE_OK;	×
163
UNCOV 164	MemBufferReset(aft->buffer);	×
165
UNCOV 166	CreateTimeString(p->ts, timebuf, sizeof(timebuf));	×
167
UNCOV 168	MemBufferWriteString(aft->buffer, "+================\n"	×
UNCOV 169	"TIME: %s\n", timebuf);	×
UNCOV 170	uint64_t pcap_cnt = PcapPacketCntGet(p);	×
UNCOV 171	if (pcap_cnt > 0) {	×
UNCOV 172	MemBufferWriteString(aft->buffer, "PCAP PKT NUM: %" PRIu64 "\n", pcap_cnt);	×
UNCOV 173	}	×
UNCOV 174	pkt_src_str = PktSrcToString(p->pkt_src);	×
UNCOV 175	MemBufferWriteString(aft->buffer, "PKT SRC: %s\n", pkt_src_str);	×
176
UNCOV 177	char srcip[46], dstip[46];	×
UNCOV 178	if (PacketIsIPv4(p)) {	×
UNCOV 179	PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));	×
UNCOV 180	PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));	×
UNCOV 181	} else {	×
182	DEBUG_VALIDATE_BUG_ON(!(PacketIsIPv6(p)));	×
183	PrintInetIPv6((const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip),	×
184	aft->file_ctx->compress_ipv6);	×
185	PrintInetIPv6((const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip),	×
186	aft->file_ctx->compress_ipv6);	×
187	}	×
188
UNCOV 189	MemBufferWriteString(aft->buffer, "SRC IP: %s\n"	×
UNCOV 190	"DST IP: %s\n"	×
UNCOV 191	"PROTO: %" PRIu32 "\n",	×
UNCOV 192	srcip, dstip, p->proto);	×
UNCOV 193	if (PacketIsTCP(p) \|\| PacketIsUDP(p)) {	×
UNCOV 194	MemBufferWriteString(aft->buffer, "SRC PORT: %" PRIu32 "\n"	×
UNCOV 195	"DST PORT: %" PRIu32 "\n",	×
UNCOV 196	p->sp, p->dp);	×
UNCOV 197	if (PacketIsTCP(p)) {	×
198	const TCPHdr *tcph = PacketGetTCP(p);	×
199	MemBufferWriteString(aft->buffer,	×
200	"TCP SEQ: %" PRIu32 "\n"	×
201	"TCP ACK: %" PRIu32 "\n",	×
202	TCP_GET_RAW_SEQ(tcph), TCP_GET_RAW_ACK(tcph));	×
203	}	×
UNCOV 204	}	×
205
206	/* flow stuff */
UNCOV 207	MemBufferWriteString(aft->buffer, "FLOW: to_server: %s, "	×
UNCOV 208	"to_client: %s\n",	×
UNCOV 209	p->flowflags & FLOW_PKT_TOSERVER ? "TRUE" : "FALSE",	×
UNCOV 210	p->flowflags & FLOW_PKT_TOCLIENT ? "TRUE" : "FALSE");	×
211
UNCOV 212	if (p->flow != NULL) {	×
UNCOV 213	int applayer = 0;	×
UNCOV 214	applayer = StreamTcpAppLayerIsDisabled(p->flow);	×
UNCOV 215	CreateTimeString(p->flow->startts, timebuf, sizeof(timebuf));	×
UNCOV 216	MemBufferWriteString(aft->buffer, "FLOW Start TS: %s\n", timebuf);	×
UNCOV 217	MemBufferWriteString(aft->buffer, "FLOW PKTS TODST: %"PRIu32"\n"	×
UNCOV 218	"FLOW PKTS TOSRC: %"PRIu32"\n"	×
UNCOV 219	"FLOW Total Bytes: %"PRIu64"\n",	×
UNCOV 220	p->flow->todstpktcnt, p->flow->tosrcpktcnt,	×
UNCOV 221	p->flow->todstbytecnt + p->flow->tosrcbytecnt);	×
UNCOV 222	MemBufferWriteString(aft->buffer,	×
UNCOV 223	"FLOW ACTION: DROP: %s\n"	×
UNCOV 224	"FLOW PAYLOAD: %s, APP_LAYER: %s\n"	×
UNCOV 225	"FLOW APP_LAYER: DETECTED: %s, PROTO %" PRIu16 "\n",	×
UNCOV 226	p->flow->flags & FLOW_ACTION_DROP ? "TRUE" : "FALSE",	×
UNCOV 227	p->flow->flags & FLOW_NOPAYLOAD_INSPECTION ? "TRUE" : "FALSE",	×
UNCOV 228	applayer ? "TRUE" : "FALSE",	×
UNCOV 229	(p->flow->alproto != ALPROTO_UNKNOWN) ? "TRUE" : "FALSE", p->flow->alproto);	×
UNCOV 230	AlertDebugLogFlowVars(aft, p);	×
UNCOV 231	}	×
232
UNCOV 233	AlertDebugLogPktVars(aft, p);	×
234
235	/* any stuff */
236	/* Sig details? */
237
UNCOV 238	MemBufferWriteString(aft->buffer,	×
UNCOV 239	"PACKET LEN: %" PRIu32 "\n"	×
UNCOV 240	"PACKET:\n",	×
UNCOV 241	GET_PKT_LEN(p));	×
UNCOV 242	PrintRawDataToBuffer(aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,	×
UNCOV 243	GET_PKT_DATA(p), GET_PKT_LEN(p));	×
244
UNCOV 245	MemBufferWriteString(aft->buffer, "ALERT CNT: %" PRIu32 "\n",	×
UNCOV 246	p->alerts.cnt);	×
247
UNCOV 248	for (i = 0; i < p->alerts.cnt; i++) {	×
UNCOV 249	const PacketAlert *pa = &p->alerts.alerts[i];	×
UNCOV 250	if (unlikely(pa->s == NULL \|\| (pa->action & ACTION_ALERT) == 0)) {	×
251	continue;	×
252	}	×
253
UNCOV 254	MemBufferWriteString(aft->buffer,	×
UNCOV 255	"ALERT MSG [%02d]: %s\n"	×
UNCOV 256	"ALERT GID [%02d]: %" PRIu32 "\n"	×
UNCOV 257	"ALERT SID [%02d]: %" PRIu32 "\n"	×
UNCOV 258	"ALERT REV [%02d]: %" PRIu32 "\n"	×
UNCOV 259	"ALERT CLASS [%02d]: %s\n"	×
UNCOV 260	"ALERT PRIO [%02d]: %" PRIu32 "\n"	×
UNCOV 261	"ALERT FOUND IN [%02d]: %s\n",	×
UNCOV 262	i, pa->s->msg,	×
UNCOV 263	i, pa->s->gid,	×
UNCOV 264	i, pa->s->id,	×
UNCOV 265	i, pa->s->rev,	×
UNCOV 266	i, pa->s->class_msg ? pa->s->class_msg : "<none>",	×
UNCOV 267	i, pa->s->prio,	×
UNCOV 268	i,	×
UNCOV 269	pa->flags & PACKET_ALERT_FLAG_STREAM_MATCH ? "STREAM" :	×
UNCOV 270	(pa->flags & PACKET_ALERT_FLAG_STATE_MATCH ? "STATE" : "PACKET"));	×
UNCOV 271	if (pa->flags & PACKET_ALERT_FLAG_TX) {	×
UNCOV 272	MemBufferWriteString(aft->buffer,	×
UNCOV 273	"ALERT IN TX [%02d]: %"PRIu64"\n", i, pa->tx_id);	×
UNCOV 274	} else {	×
275	MemBufferWriteString(aft->buffer,	×
276	"ALERT IN TX [%02d]: N/A\n", i);	×
277	}	×
UNCOV 278	if (p->payload_len > 0) {	×
UNCOV 279	MemBufferWriteString(aft->buffer,	×
UNCOV 280	"PAYLOAD LEN: %" PRIu32 "\n"	×
UNCOV 281	"PAYLOAD:\n",	×
UNCOV 282	p->payload_len);	×
UNCOV 283	PrintRawDataToBuffer(aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,	×
UNCOV 284	p->payload, p->payload_len);	×
UNCOV 285	}	×
UNCOV 286	if ((pa->flags & PACKET_ALERT_FLAG_STATE_MATCH) \|\|	×
UNCOV 287	(pa->flags & PACKET_ALERT_FLAG_STREAM_MATCH)) {	×
288	/* This is an app layer or stream alert */
UNCOV 289	int ret;	×
UNCOV 290	uint8_t flag;	×
UNCOV 291	if (!(PacketIsTCP(p)) \|\| p->flow == NULL \|\| p->flow->protoctx == NULL) {	×
UNCOV 292	continue;	×
UNCOV 293	}	×
294	/* IDS mode reverse the data */
295	/** \todo improve the order selection policy */
296	if (p->flowflags & FLOW_PKT_TOSERVER) {	×
297	flag = STREAM_DUMP_TOCLIENT;	×
298	} else {	×
299	flag = STREAM_DUMP_TOSERVER;	×
300	}	×
301	ret = StreamSegmentForEach((const Packet *)p, flag,	×
302	AlertDebugPrintStreamSegmentCallback,	×
303	(void *)aft);	×
304	if (ret < 0) {	×
305	return TM_ECODE_FAILED;	×
306	}	×
307	}	×
UNCOV 308	}	×
309
UNCOV 310	aft->file_ctx->Write((const char *)MEMBUFFER_BUFFER(aft->buffer),	×
UNCOV 311	MEMBUFFER_OFFSET(aft->buffer), aft->file_ctx);	×
312
UNCOV 313	return TM_ECODE_OK;	×
UNCOV 314	}	×
315
316	static TmEcode AlertDebugLogDecoderEvent(ThreadVars tv, const Packet p, void *thread_data)
317	{	×
318	AlertDebugLogThread aft = (AlertDebugLogThread )thread_data;	×
319	int i;	×
320	char timebuf[64];	×
321	const char *pkt_src_str = NULL;	×
322
323	if (p->alerts.cnt == 0)	×
324	return TM_ECODE_OK;	×
325
326	MemBufferReset(aft->buffer);	×
327
328	CreateTimeString(p->ts, timebuf, sizeof(timebuf));	×
329
330	MemBufferWriteString(aft->buffer,	×
331	"+================\n"	×
332	"TIME: %s\n", timebuf);	×
333	uint64_t pcap_cnt = PcapPacketCntGet(p);	×
334	if (pcap_cnt > 0) {	×
335	MemBufferWriteString(aft->buffer, "PCAP PKT NUM: %" PRIu64 "\n", pcap_cnt);	×
336	}	×
337	pkt_src_str = PktSrcToString(p->pkt_src);	×
338	MemBufferWriteString(aft->buffer, "PKT SRC: %s\n", pkt_src_str);	×
339	MemBufferWriteString(aft->buffer,	×
340	"ALERT CNT: %" PRIu32 "\n", p->alerts.cnt);	×
341
342	for (i = 0; i < p->alerts.cnt; i++) {	×
343	const PacketAlert *pa = &p->alerts.alerts[i];	×
344	if (unlikely(pa->s == NULL \|\| (pa->action & ACTION_ALERT) == 0)) {	×
345	continue;	×
346	}	×
347
348	MemBufferWriteString(aft->buffer,	×
349	"ALERT MSG [%02d]: %s\n"	×
350	"ALERT GID [%02d]: %" PRIu32 "\n"	×
351	"ALERT SID [%02d]: %" PRIu32 "\n"	×
352	"ALERT REV [%02d]: %" PRIu32 "\n"	×
353	"ALERT CLASS [%02d]: %s\n"	×
354	"ALERT PRIO [%02d]: %" PRIu32 "\n",	×
355	i, pa->s->msg,	×
356	i, pa->s->gid,	×
357	i, pa->s->id,	×
358	i, pa->s->rev,	×
359	i, pa->s->class_msg,	×
360	i, pa->s->prio);	×
361	}	×
362
363	MemBufferWriteString(aft->buffer,	×
364	"PACKET LEN: %" PRIu32 "\n"	×
365	"PACKET:\n",	×
366	GET_PKT_LEN(p));	×
367	PrintRawDataToBuffer(aft->buffer->buffer, &aft->buffer->offset, aft->buffer->size,	×
368	GET_PKT_DATA(p), GET_PKT_LEN(p));	×
369
370	aft->file_ctx->Write((const char *)MEMBUFFER_BUFFER(aft->buffer),	×
371	MEMBUFFER_OFFSET(aft->buffer), aft->file_ctx);	×
372
373	return TM_ECODE_OK;	×
374	}	×
375
376	static TmEcode AlertDebugLogThreadInit(ThreadVars t, const void initdata, void **data)
UNCOV 377	{	×
UNCOV 378	AlertDebugLogThread *aft = SCCalloc(1, sizeof(AlertDebugLogThread));	×
UNCOV 379	if (unlikely(aft == NULL))	×
380	return TM_ECODE_FAILED;	×
381
UNCOV 382	if(initdata == NULL)	×
383	{	×
384	SCLogDebug("Error getting context for AlertDebugLog. \"initdata\" argument NULL");	×
385	SCFree(aft);	×
386	return TM_ECODE_FAILED;	×
387	}	×
388	/** Use the Output Context (file pointer and mutex) */
UNCOV 389	aft->file_ctx = ((OutputCtx *)initdata)->data;	×
390
391	/* 1 mb seems sufficient enough */
UNCOV 392	aft->buffer = MemBufferCreateNew(1 * 1024 * 1024);	×
UNCOV 393	if (aft->buffer == NULL) {	×
394	SCFree(aft);	×
395	return TM_ECODE_FAILED;	×
396	}	×
397
UNCOV 398	data = (void )aft;	×
UNCOV 399	return TM_ECODE_OK;	×
UNCOV 400	}	×
401
402	static TmEcode AlertDebugLogThreadDeinit(ThreadVars t, void data)
UNCOV 403	{	×
UNCOV 404	AlertDebugLogThread aft = (AlertDebugLogThread )data;	×
UNCOV 405	if (aft == NULL) {	×
406	return TM_ECODE_OK;	×
407	}	×
408
UNCOV 409	MemBufferFree(aft->buffer);	×
410	/* clear memory */
UNCOV 411	memset(aft, 0, sizeof(AlertDebugLogThread));	×
412
UNCOV 413	SCFree(aft);	×
UNCOV 414	return TM_ECODE_OK;	×
UNCOV 415	}	×
416
417	static void AlertDebugLogDeInitCtx(OutputCtx *output_ctx)
UNCOV 418	{	×
UNCOV 419	if (output_ctx != NULL) {	×
UNCOV 420	LogFileCtx logfile_ctx = (LogFileCtx )output_ctx->data;	×
UNCOV 421	if (logfile_ctx != NULL) {	×
UNCOV 422	LogFileFreeCtx(logfile_ctx);	×
UNCOV 423	}	×
UNCOV 424	SCFree(output_ctx);	×
UNCOV 425	}	×
UNCOV 426	}	×
427
428	/**
429	* \brief Create a new LogFileCtx for alert debug logging.
430	*
431	* \param SCConfNode containing configuration for this logger.
432	*
433	* \return output_ctx if succesful, NULL otherwise
434	*/
435	static OutputInitResult AlertDebugLogInitCtx(SCConfNode *conf)
UNCOV 436	{	×
UNCOV 437	OutputInitResult result = { NULL, false };	×
UNCOV 438	LogFileCtx *file_ctx = NULL;	×
439
UNCOV 440	file_ctx = LogFileNewCtx();	×
UNCOV 441	if (file_ctx == NULL) {	×
442	SCLogDebug("couldn't create new file_ctx");	×
443	goto error;	×
444	}	×
445
UNCOV 446	if (SCConfLogOpenGeneric(conf, file_ctx, DEFAULT_LOG_FILENAME, 1) < 0) {	×
447	goto error;	×
448	}	×
449
UNCOV 450	OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));	×
UNCOV 451	if (unlikely(output_ctx == NULL))	×
452	goto error;	×
453
UNCOV 454	output_ctx->data = file_ctx;	×
UNCOV 455	output_ctx->DeInit = AlertDebugLogDeInitCtx;	×
456
UNCOV 457	SCLogDebug("Alert debug log output initialized");	×
UNCOV 458	result.ctx = output_ctx;	×
UNCOV 459	result.ok = true;	×
UNCOV 460	return result;	×
461
462	error:	×
463	if (file_ctx != NULL) {	×
464	LogFileFreeCtx(file_ctx);	×
465	}	×
466
467	return result;	×
UNCOV 468	}	×
469
470	static bool AlertDebugLogCondition(ThreadVars tv, void thread_data, const Packet *p)
UNCOV 471	{	×
UNCOV 472	return (p->alerts.cnt > 0);	×
UNCOV 473	}	×
474
475	static int AlertDebugLogLogger(ThreadVars tv, void thread_data, const Packet *p)
UNCOV 476	{	×
UNCOV 477	if (PacketIsIPv4(p) \|\| PacketIsIPv6(p)) {	×
UNCOV 478	return AlertDebugLogger(tv, p, thread_data);	×
UNCOV 479	} else if (p->events.cnt > 0) {	×
480	return AlertDebugLogDecoderEvent(tv, p, thread_data);	×
481	}	×
482	return TM_ECODE_OK;	×
UNCOV 483	}	×
484
485	void AlertDebugLogRegister(void)
486	{	2✔
487	OutputPacketLoggerFunctions output_logger_functions = {	2✔
488	.LogFunc = AlertDebugLogLogger,	2✔
489	.FlushFunc = NULL,	2✔
490	.ConditionFunc = AlertDebugLogCondition,	2✔
491	.ThreadInitFunc = AlertDebugLogThreadInit,	2✔
492	.ThreadDeinitFunc = AlertDebugLogThreadDeinit,	2✔
493	.ThreadExitPrintStatsFunc = NULL,	2✔
494	};	2✔
495
496	OutputRegisterPacketModule(LOGGER_ALERT_DEBUG, MODULE_NAME, "alert-debug", AlertDebugLogInitCtx,	2✔
497	&output_logger_functions);	2✔
498	}	2✔

OISF / suricata / 23374838686

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous