Merge pull request #2977 in SNORT/snort3 from ~SHASLAD/snort3:revert_events_id to...
authorMike Stepanek (mstepane) <mstepane@cisco.com>
Wed, 14 Jul 2021 18:41:54 +0000 (18:41 +0000)
committerMike Stepanek (mstepane) <mstepane@cisco.com>
Wed, 14 Jul 2021 18:41:54 +0000 (18:41 +0000)
Squashed commit of the following:

commit a12bc01526b3f1e930c421b398e0a8c82a6b4ab2
Author: Shashi Lad <shaslad@cisco.com>
Date:   Wed Jul 14 13:36:03 2021 -0400

    Revert "Merge pull request #2957 in SNORT/snort3 from ~STECHEW/snort3:events_id to master"

    This reverts commit a77d77d7f24982b93672b385daef92a9304eec3e.

14 files changed:
src/detection/detect.cc
src/detection/detection_util.cc
src/detection/fp_detect.cc
src/detection/tag.cc
src/events/event.cc
src/events/event.h
src/framework/base_api.h
src/loggers/alert_luajit.cc
src/loggers/alert_sf_socket.cc
src/loggers/alert_unixsock.cc
src/loggers/unified2.cc
src/main/snort_config.h
src/main/snort_module.cc
src/piglet_plugins/pp_event_iface.cc

index 5f47cc84b4bdc80187b6518ff400fa20721e4b61..205617dd88d0788a923d30920cc84258e737d126 100644 (file)
@@ -65,7 +65,7 @@ bool snort_log(Packet* p)
 
 void CallLogFuncs(Packet* p, ListHead* head, Event* event, const char* msg)
 {
-    event->update_event_id(p->context->conf->get_event_log_id());
+    event->event_id = event_id | p->context->conf->get_event_log_id();
 
     DetectionEngine::set_check_tags(false);
     pc.log_pkts++;
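Review bot: The restored assignment on the first changed line, `event->event_id = event_id | p->context->conf->get_event_log_id();`, combines a THREAD_LOCAL uint16_t counter with a process-wide config value, so two packet threads produce the same event_id for their n-th event; the calc_event_id() comment this change deletes from event.cc stated that the instance id was folded in precisely to avoid that. If dropping it is intentional pending another fix, the collision should at least be visible at this site, e.g. `// FIXIT-M event_id is per-thread; ids collide across packet threads (see event.cc)`. Whether consumers such as unified2 extra-data records or Stream::update_flow_alert() assume uniqueness cannot be told from this hunk. CallLogFuncs continues past the end of the hunk.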
@@ -82,7 +82,8 @@ void CallLogFuncs(Packet* p, const OptTreeNode* otn, ListHead* head)
     event.sig_info = const_cast<SigInfo*>(&otn->sigInfo);
     event.ref_time.tv_sec = p->pkth->ts.tv_sec;
     event.ref_time.tv_usec = p->pkth->ts.tv_usec;
-    event.update_event_id_and_ref(p->context->conf->get_event_log_id());
+    event.event_id = event_id | p->context->conf->get_event_log_id();
+    event.event_reference = event.event_id;
 
     DetectionEngine::set_check_tags(false);
     pc.log_pkts++;
@@ -98,7 +99,8 @@ void CallAlertFuncs(Packet* p, const OptTreeNode* otn, ListHead* head)
     event.sig_info = const_cast<SigInfo*>(&otn->sigInfo);
     event.ref_time.tv_sec = p->pkth->ts.tv_sec;
     event.ref_time.tv_usec = p->pkth->ts.tv_usec;
-    event.update_event_id_and_ref(p->context->conf->get_event_log_id());
+    event.event_id = event_id | p->context->conf->get_event_log_id();
+    event.event_reference = event.event_id;
 
     pc.total_alert_pkts++;
 
index 1c9c30753e3740eded69d0b769724dca0c088951..e40d8a858fa3610583f53983e2c6274799ef860d 100644 (file)
@@ -84,7 +84,7 @@ void EventTrace_Log(const Packet* p, const OptTreeNode* otn, Actions::Type actio
 
     TextLog_Print(tlog,
         "\nEvt=%u, Gid=%u, Sid=%u, Rev=%u, Act=%s\n",
-        get_event_id(), otn->sigInfo.gid, otn->sigInfo.sid, otn->sigInfo.rev, acts.c_str());
+        event_id, otn->sigInfo.gid, otn->sigInfo.sid, otn->sigInfo.rev, acts.c_str());
 
     TextLog_Print(tlog,
         "Pkt=" STDu64 ", Sec=%lu.%6lu, Len=%u, Cap=%u\n",
index 3b82f9c843d73b0f2b78e50f1d252308966e377f..f7136e1d33da71990613c05bfe44a2ee8e1097d5 100644 (file)
@@ -255,11 +255,11 @@ int fpLogEvent(const RuleTreeNode* rtn, const OptTreeNode* otn, Packet* p)
 
     otn->state[get_instance_id()].alerts++;
 
-    incr_event_id();
+    event_id++;
 
     IpsAction * act = get_ips_policy()->action[action];
     act->exec(p, otn);
-    SetTags(p, otn, get_event_id());
+    SetTags(p, otn, event_id);
 
     fpLogOther(p, rtn, otn, action);
 
index fa7ed05f38fb1f6b6b8ff9e4f1cf22a2d730c887..b8f2f593215c07c47f08de0b63d23e8007fc5d5c 100644 (file)
@@ -544,7 +544,12 @@ int CheckTagList(Packet* p, Event& event, void** log_list)
         if ( create_event )
         {
             /* set the event info */
-            event.set_event(GID_TAG, TAG_LOG_PKT, 1, 1, 1, returned->event_id, p->context->conf->get_event_log_id(), returned->event_time);
+            SetEvent(event, GID_TAG, TAG_LOG_PKT, 1, 1, 1, returned->event_id);
+
+            /* set event reference details */
+            event.ref_time.tv_sec = returned->event_time.tv_sec;
+            event.ref_time.tv_usec = returned->event_time.tv_usec;
+            event.event_reference = returned->event_id | p->context->conf->get_event_log_id();
             *log_list = returned->log_list;
         }
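Review bot: The three assignments after `SetEvent(...)` quietly undo part of what SetEvent just did — per event.cc in this change it zeroes `event.ref_time` and stores the raw `returned->event_id` in `event_reference` — and nothing at the call site says the override is deliberate, so a later reordering would silently break tagged-packet references. A comment ahead of the ref_time lines makes the dependency explicit: `/* SetEvent() zeroes ref_time and stores the raw tag id; override with the originating event's time and its logid-qualified id */`. Note also that SetEvent reads the log id from SnortConfig::get_conf() whereas this line uses p->context->conf; the two may differ across a reload, and it is the override here that keeps the reference consistent with the packet's own alerts. CheckTagList continues on both sides of the hunk.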
 
index a2c801f1715c03910d6b7e096fe9ecfa1b17ea01..7a547118151d2884743a64ddba0451ee56df8fb6 100644 (file)
 
 using namespace snort;
 
-static THREAD_LOCAL uint16_t g_event_id;
+THREAD_LOCAL uint16_t event_id; // FIXIT-M also incremented in fpLogEvent()
 
-uint16_t get_event_id()
+void SetEvent(
+    Event& event, uint32_t gid, uint32_t sid, uint32_t rev,
+    uint32_t classification, uint32_t priority, uint32_t event_ref)
 {
-    return g_event_id;
-}
-
-void incr_event_id()
-{
-    g_event_id++;
-}
-
-static uint32_t calc_event_id(uint16_t id, uint16_t log_id)
-{
-    // Use instance ID to make log_id unique per packet thread. Even if
-    // it overflows, value will still be unique if there are less than
-    // 65k threads.
-    log_id += snort::get_instance_id();
-    return (id | (log_id << 16));
-}
-
-void Event::update_event_id(uint16_t log_id)
-{
-    event_id = calc_event_id(g_event_id, log_id);
-}
-
-void Event::update_event_id_and_ref(uint16_t log_id)
-{
-    event_id = calc_event_id(g_event_id, log_id);
-    event_reference = event_id;
-}
-
-void Event::set_event(uint32_t gid, uint32_t sid, uint32_t rev,
-    uint32_t classification, uint32_t priority, uint16_t event_ref,
-    uint16_t log_id, const struct timeval& tv)
-{
-    sig_info->gid = gid;
-    sig_info->sid = sid;
-    sig_info->rev = rev;
-    sig_info->class_id = classification;
-    sig_info->priority = priority;
+    event.sig_info->gid = gid;
+    event.sig_info->sid = sid;
+    event.sig_info->rev = rev;
+    event.sig_info->class_id = classification;
+    event.sig_info->priority = priority;
 
-    /* update event_id based on g_event_id. */
-    incr_event_id();
-    update_event_id(SnortConfig::get_conf()->get_event_log_id());
+    /* this one gets set automatically */
+    event.event_id = ++event_id | SnortConfig::get_conf()->get_event_log_id();
 
     if (event_ref)
-        event_reference = calc_event_id(event_ref, log_id);
+        event.event_reference = event_ref;
     else
-        event_reference = event_id;
+        event.event_reference = event.event_id;
 
-    ref_time.tv_sec = tv.tv_sec;
-    ref_time.tv_usec = tv.tv_usec;;
+    event.ref_time.tv_sec = event.ref_time.tv_usec = 0;
 }
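Review bot: SetEvent() takes the log id from `SnortConfig::get_conf()` while every other restored site (detect.cc, tag.cc) takes it from `p->context->conf`, so an event built here during a config reload may carry a different high-16 log id than the packet's own alerts; passing the id in, or reading it from the caller's config, would keep them in step. The trailing `event.ref_time.tv_sec = event.ref_time.tv_usec = 0;` also discards any time the caller set before the call, which the tag.cc caller copes with by assigning ref_time afterwards — worth stating on the function, e.g. `/* resets ref_time; callers must set it after SetEvent() returns */`. Finally, the new global `THREAD_LOCAL uint16_t event_id` shares its name with the `Event::event_id` member, so inside any Event member function the counter is hidden by the field; a distinct name (the reverted code used `g_event_id`) removes that trap.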
 
index 50b1aec07d190db9d521a4fd02e98304e9d0ac28..6c053df132b1cf7c68874cf77d726811ebd87cd0 100644 (file)
@@ -24,6 +24,7 @@
 #include "main/thread.h"
 
 struct SigInfo;
+extern THREAD_LOCAL uint16_t event_id;
 
 /* we must use fixed size of 32 bits, because on-disk
  * format of savefiles uses 32-bit tv_sec (and tv_usec)
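Review bot: `extern THREAD_LOCAL uint16_t event_id;` exports a mutable per-thread counter to every translation unit with no statement of who may bump it, and the FIXIT in event.cc confirms fp_detect.cc already does so independently of SetEvent(). At minimum document the contract on the declaration: `extern THREAD_LOCAL uint16_t event_id; // per-packet-thread alert counter; forms the low 16 bits of Event::event_id`. It also wraps after 65535 events per thread, which is inherited from the original code rather than introduced here.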
@@ -37,35 +38,20 @@ struct sf_timeval32
 struct Event
 {
     SigInfo* sig_info = nullptr;
+    uint32_t event_id = 0;
+    uint32_t event_reference = 0; // reference to other events that have gone off,
+                              // such as in the case of tagged packets...
     struct sf_timeval32 ref_time = { 0, 0 };   /* reference time for the event reference */
     const char* alt_msg = nullptr;
 
     Event() = default;
     Event(SigInfo& si)
     { sig_info = &si; }
-
-    uint32_t get_event_id() const { return event_id; }
-    void set_event_id(uint32_t id) { event_id = id; }
-
-    uint32_t get_event_reference() const { return event_reference; }
-    void set_event_reference(uint32_t ref) { event_reference = ref; }
-
-    void update_event_id(uint16_t log_id);
-    void update_event_id_and_ref(uint16_t log_id);
-
-    void set_event(uint32_t gid, uint32_t sid, uint32_t rev,
-        uint32_t classification, uint32_t priority, uint16_t event_ref,
-        uint16_t log_id, const struct timeval& tv);
-
-    
-private:
-    uint32_t event_id = 0;
-    uint32_t event_reference = 0; // reference to other events that have gone off,
-                                  // such as in the case of tagged packets...
 };
 
-uint16_t get_event_id();
-void incr_event_id();
+void SetEvent(
+    Event&, uint32_t gid, uint32_t sid, uint32_t rev,
+    uint32_t classification, uint32_t priority, uint32_t event_ref);
 
 #endif
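Review bot: `event_id` returns to the struct as a public field with no comment, yet the value it holds is composed — low 16 bits are the per-thread `event_id` counter, high 16 bits the `-G`/`--logid` value pre-shifted in snort_module.cc — and unified2.cc writes it straight to disk with htonl(). Document the layout on the field: `uint32_t event_id = 0; // (logid << 16) | per-thread counter; not unique across packet threads`. The existing comment on event_reference says what it refers to but not that it uses the same encoding, so the same note applies there.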
 
index 27a104b731ab22c4f56729d62aac30391be58656..973ae216ea1d7c20409e07688fd8086aa5d2ebe7 100644 (file)
@@ -29,7 +29,7 @@
 
 // this is the current version of the base api
 // must be prefixed to subtype version
-#define BASE_API_VERSION 4
+#define BASE_API_VERSION 3
 
 // set options to API_OPTIONS to ensure compatibility
 #ifndef API_OPTIONS
index 0783e2fd5ba1a613deb874fb0171ff86054c0cdd..a4ad98d4991a391e4eb89e545ff45c13a1336941 100644 (file)
@@ -54,8 +54,8 @@ SO_PUBLIC const SnortEvent* get_event()
     lua_event.sid = event->sig_info->sid;
     lua_event.rev = event->sig_info->rev;
 
-    lua_event.event_id = event->get_event_id();
-    lua_event.event_ref = event->get_event_reference();
+    lua_event.event_id = event->event_id;
+    lua_event.event_ref = event->event_reference;
 
     if ( !event->sig_info->message.empty() )
         lua_event.msg = event->sig_info->message.c_str();
index 5151a33acedde5a39956a61a16188f75543adc4c..ac787674365e210917b7c88ca16e1c3501f7685f 100644 (file)
@@ -294,7 +294,7 @@ static void load_sar(Packet* packet, const Event& event, SnortActionRequest& sar
         return;
 
     /* construct the action request */
-    sar.event_id = event.get_event_id();
+    sar.event_id = event.event_id;
     sar.tv_sec = packet->pkth->ts.tv_sec;
     sar.gid = event.sig_info->gid;
     sar.sid = event.sig_info->sid;
index 648dea9c92822413fa087178aa226ddaacab5ac8..cd899ac87428f97a4550720db2c6b1fbd7fcef3d 100644 (file)
@@ -128,8 +128,8 @@ static void get_alert_pkt(
     us.alert.class_id = event.sig_info->class_id;
     us.alert.priority = event.sig_info->priority;
 
-    us.alert.event_id = event.get_event_id();
-    us.alert.event_ref = event.get_event_reference();
+    us.alert.event_id = event.event_id;
+    us.alert.event_ref = event.event_reference;
     us.alert.ref_time = event.ref_time;
 
     if (p && p->pkt)
index 490813363ef3ce9161490d975dd2dcbdad094797..31adbf1facd47168e1a4dbc85e7da6dbb5a70570 100644 (file)
@@ -168,7 +168,7 @@ static void alert_event(Packet* p, const char*, Unified2Config* config, const Ev
 
     u2_event.snort_id = 0;  // FIXIT-H alert_event define / use
 
-    u2_event.event_id = htonl(event->get_event_id());
+    u2_event.event_id = htonl(event->event_id);
     u2_event.event_second = htonl(event->ref_time.tv_sec);
     u2_event.event_microsecond = htonl(event->ref_time.tv_usec);
 
@@ -346,7 +346,7 @@ static void _Unified2LogPacketAlert(
 
     if (event != nullptr)
     {
-        logheader.event_id = htonl(event->get_event_reference());
+        logheader.event_id = htonl(event->event_reference);
         logheader.event_second = htonl(event->ref_time.tv_sec);
     }
     else
@@ -617,7 +617,7 @@ static void _AlertIP4_v2(Packet* p, const char*, Unified2Config* config, const E
 
     memset(&alertdata, 0, sizeof(alertdata));
 
-    alertdata.event_id = htonl(event->get_event_id());
+    alertdata.event_id = htonl(event->event_id);
     alertdata.event_second = htonl(event->ref_time.tv_sec);
     alertdata.event_microsecond = htonl(event->ref_time.tv_usec);
     alertdata.generator_id = htonl(event->sig_info->gid);
@@ -703,7 +703,7 @@ static void _AlertIP6_v2(Packet* p, const char*, Unified2Config* config, const E
 
     memset(&alertdata, 0, sizeof(alertdata));
 
-    alertdata.event_id = htonl(event->get_event_id());
+    alertdata.event_id = htonl(event->event_id);
     alertdata.event_second = htonl(event->ref_time.tv_sec);
     alertdata.event_microsecond = htonl(event->ref_time.tv_usec);
     alertdata.generator_id = htonl(event->sig_info->gid);
@@ -922,10 +922,10 @@ void U2Logger::alert_legacy(Packet* p, const char* msg, const Event& event)
         if (p->ptrs.ip_api.is_ip6())
         {
             const SfIp* ip = p->ptrs.ip_api.get_src();
-            _WriteExtraData(&config, event.get_event_id(), event.ref_time.tv_sec,
+            _WriteExtraData(&config, event.event_id, event.ref_time.tv_sec,
                 (const uint8_t*) ip->get_ip6_ptr(), sizeof(struct in6_addr), EVENT_INFO_IPV6_SRC);
             ip = p->ptrs.ip_api.get_dst();
-            _WriteExtraData(&config, event.get_event_id(), event.ref_time.tv_sec,
+            _WriteExtraData(&config, event.event_id, event.ref_time.tv_sec,
                 (const uint8_t*) ip->get_ip6_ptr(), sizeof(struct in6_addr), EVENT_INFO_IPV6_DST);
         }
     }
@@ -937,7 +937,7 @@ void U2Logger::alert_legacy(Packet* p, const char* msg, const Event& event)
     if ( p->flow )
         Stream::update_flow_alert(
             p->flow, p, event.sig_info->gid, event.sig_info->sid,
-            event.get_event_id(), event.ref_time.tv_sec);
+            event.event_id, event.ref_time.tv_sec);
 
     if ( p->xtradata_mask )
     {
@@ -947,7 +947,7 @@ void U2Logger::alert_legacy(Packet* p, const char* msg, const Event& event)
         if ( max_count > 0 )
             AlertExtraData(
                 p->flow, &config, log_funcs, max_count, p->xtradata_mask,
-                event.get_event_id(), event.ref_time.tv_sec);
+                event.event_id, event.ref_time.tv_sec);
     }
 }
 
@@ -963,7 +963,7 @@ void U2Logger::alert(Packet* p, const char* msg, const Event& event)
     if ( p->flow )
         Stream::update_flow_alert(
             p->flow, p, event.sig_info->gid, event.sig_info->sid,
-            event.get_event_id(), event.ref_time.tv_sec);
+            event.event_id, event.ref_time.tv_sec);
 
     if ( p->xtradata_mask )
     {
@@ -973,7 +973,7 @@ void U2Logger::alert(Packet* p, const char* msg, const Event& event)
         if ( max_count > 0 )
             AlertExtraData(
                 p->flow, &config, log_funcs, max_count, p->xtradata_mask,
-                event.get_event_id(), event.ref_time.tv_sec);
+                event.event_id, event.ref_time.tv_sec);
     }
 }
 
index eacd1184e97c12c99e501ba94512ce177645f0db..bf73f6c2f7aff22a97dbbb28d1c614f028b255d0 100644 (file)
@@ -331,7 +331,7 @@ public:
     //------------------------------------------------------
     // FIXIT-L command line only stuff, add to conf / module
 
-    uint16_t event_log_id = 0;
+    uint32_t event_log_id = 0;
     SfCidr obfuscation_net;
     std::string bpf_filter;
     std::string metadata_filter;
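Review bot: `event_log_id` is widened to uint32_t because the option handler in snort_module.cc stores the -G value already shifted left by 16, but nothing at the declaration says so, and a reader will assume it holds the raw 0–65535 option value. A comment keeps the two sites in sync: `uint32_t event_log_id = 0;  // -G/--logid value, pre-shifted into the high 16 bits (see SnortModule::set)`. The class continues outside the hunk.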
@@ -545,7 +545,7 @@ public:
     { return run_flags & RUN_FLAG__INLINE_TEST; }
 
     // event stuff
-    uint16_t get_event_log_id() const
+    uint32_t get_event_log_id() const
     { return event_log_id; }
 
     bool process_all_events() const
index a07fc1be1ab5a7efacb7030a74de35057b7da65f..a909fcd3d47dba00135712f2ffd455a175d922b4 100644 (file)
@@ -718,7 +718,7 @@ bool SnortModule::set(const char*, Value& v, SnortConfig* sc)
         sc->output_flags |= OUTPUT_FLAG__LINE_BUFFER;
 
     else if ( v.is("-G") || v.is("--logid") )
-        sc->event_log_id = v.get_uint16();
+        sc->event_log_id = v.get_uint16() << 16;
 
     else if ( v.is("-g") )
         sc->set_gid(v.get_string());
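Review bot: `v.get_uint16() << 16` promotes the uint16_t to int before shifting, so a logid of 0x8000 or above lands in the sign bit of the intermediate; C++17 leaves the resulting signed value implementation-defined (C++20 defines it) before it is converted back to uint32_t, and the only reason it works is that mainstream compilers do the expected two's-complement conversion. Doing the shift in unsigned arithmetic costs nothing and removes the dependence: `sc->event_log_id = static_cast<uint32_t>(v.get_uint16()) << 16;`. Whether the parameter table already caps the option below 0x8000 is not visible in this hunk. SnortModule::set continues outside the hunk.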
index 8c04630714505e66dbc1ceecfb366b56c5391a07..42052faa83eeb3b2bc70cdad045ea549acaf0c5a 100644 (file)
@@ -41,12 +41,8 @@ static void set_fields(lua_State* L, int tindex, Event& self)
 {
     Lua::Table table(L, tindex);
 
-    uint32_t value = 0;
-    table.get_field("event_id", value);
-    self.set_event_id(value);
-
-    table.get_field("event_reference", value);
-    self.set_event_reference(value);
+    table.get_field("event_id", self.event_id);
+    table.get_field("event_reference", self.event_reference);
 
     const char* s = nullptr;
     if ( table.get_field("alt_msg", s) && s )  // FIXIT-L shouldn't need both conditions
@@ -61,8 +57,8 @@ static void get_fields(lua_State* L, int tindex, Event& self)
 {
     Lua::Table table(L, tindex);
 
-    table.set_field("event_id", self.get_event_id());
-    table.set_field("event_reference", self.get_event_reference());
+    table.set_field("event_id", self.event_id);
+    table.set_field("event_reference", self.event_reference);
 
     if ( self.alt_msg )
         table.set_field("alt_msg", self.alt_msg);