var[0]=1 var[1]=10 var[2]=0
04/22-20:21:40.905630, 1, TCP, raw, 56, C2S, 127.0.0.1:1234, 127.0.0.1:5678, 1:3:0, allow
+==== Protocols decoding trace
+
+Turning on decode trace will print out information about the packets decoded
+protocols. Can be useful in case of tunneling.
+
+Example for a icmpv4-in-ipv6 packet:
+
+In snort.lua, the following line was added:
+
+decode = { trace = 1 }
+
+The output:
+
+ decode: Codec eth (protocol_id: 34525) ip header starts at: 0x7f70800110f0, length is 14
+ decode: Codec ipv6 (protocol_id: 1) ip header starts at: 0x7f70800110f0, length is 40
+ decode: Codec icmp4 (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 8
+ decode: Codec unknown (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 0
==== Other available traces
#include "codecs/codec_module.h"
+#include "main/snort_debug.h"
+
using namespace snort;
#define codec_module_help \
"general decoder rules"
-CodecModule::CodecModule() : Module("decode", codec_module_help)
+Trace TRACE_NAME(decode);
+
+static const Parameter s_params[] = {{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }};
+
+CodecModule::CodecModule() : Module("decode", codec_module_help, s_params, false, &TRACE_NAME(decode))
{ }
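Review bot: The bare `false` passed as the fourth `Module(...)` argument at L32 (and again at L148 for `SnortModule`) is unreadable at the call site, because the `Module` constructor's parameter list is cut off at L78 and nothing in this hunk says what the literal selects — presumably a list flag; name it inline, e.g. `Module("decode", codec_module_help, s_params, false /* is_list */, &TRACE_NAME(decode))`, using whatever the parameter is actually called. The new `s_params` table at L30 holds only the `PT_MAX` terminator, which only makes sense if `Module` appends its own `trace` parameter when a trace pointer is supplied (the `defaults` table at L57-L63 suggests so); a one-line comment such as `// empty: Module adds the "trace" parameter when a Trace* is given` would save the next reader from having to work that out.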
+bool CodecModule::set(const char* fqn, Value& v, SnortConfig* sc)
+{
+ return Module::set(fqn, v, sc);
+}
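Review bot: `CodecModule::set` at L34-L37 does nothing but forward to `Module::set`, which is already what an un-overridden virtual call would do, so the override and its declaration at L50 add a frame and no behaviour. Unless `Module::set` is pure virtual (it cannot have been, if `CodecModule` compiled without it before this change) or this is a deliberate hook for codec-specific options, drop it; if it is a hook, say so above the definition: `// placeholder: decoder options are handled by Module::set until codec-specific ones exist`.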
+
static const RuleMap general_decode_rules[] =
{
{ DECODE_IP_BAD_PROTO, "bad IP protocol" },
#include <cstdint>
#include "framework/module.h"
+#include "main/snort_debug.h"
#include "main/snort_types.h"
namespace snort
Usage get_usage() const override
{ return CONTEXT; }
+
+ bool set(const char*, snort::Value&, snort::SnortConfig*) override;
};
}
+
+extern Trace TRACE_NAME(decode);
+
#endif
static const Parameter defaults[] =
{
{ "trace", Parameter::PT_INT, nullptr, nullptr,
- "mask for enabling debug traces in module" },
+ "mask for enabling debug traces in module" },
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
{ CountType::END, nullptr, nullptr }
};
+void Module::enable_trace()
+{
+ if ( trace )
+ *trace = 1;
+}
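Review bot: `*trace = 1` at L69 assigns the whole value rather than setting a bit, while the `trace` parameter is documented at L59-L61 as a `mask for enabling debug traces`, so a command-line `--trace` (L153-L154) would overwrite any mask already configured for that module. If enabling is meant to be additive, `*trace |= 1;` preserves the configured bits; if it is meant to reset to the default trace, the declaration at L74 should state that, e.g. `void enable_trace(); // sets the module's trace mask to 1 (bit 0 only), replacing any configured mask`. `Trace` is presumably an integer mask type here — confirm against snort_debug.h.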
+
virtual Usage get_usage() const
{ return CONTEXT; }
+ void enable_trace();
+
protected:
Module(const char* name, const char* help);
Module(const char* name, const char* help, const Parameter*,
#include "main/shell.h"
#include "main/snort.h"
#include "main/snort_config.h"
+#include "main/snort_debug.h"
#include "main/snort_module.h"
#include "main/swapper.h"
#include "main/thread_config.h"
orphan_commands.push(ac);
return false;
}
+
+#ifdef DEBUG_MSGS
+ unsigned ac_ref_count = ac->get();
+ trace_logf(snort, "[%u] Queuing command %s for execution (refcount %u)\n",
+ idx, ac->stringify(), ac_ref_count);
+#else
ac->get();
+#endif
analyzer->execute(ac);
return true;
}
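Review bot: The `trace_logf` calls at L92-L93 and L109-L110 sit under `#ifdef DEBUG_MSGS`, but the one at L103-L104 in the same function does not, so a reader of this file cannot tell whether `trace_logf` is compiled out in release builds or whether the middle call evaluates `ac->stringify()` on every reap. If `trace_logf` is a no-op without DEBUG_MSGS (likely, given L103 is unguarded), the guard at L107-L111 exists only to avoid a dangling `else` and a braced `else { trace_logf(...); }` would read more clearly; the guard at L90-L96 still has a purpose, since `ac_ref_count` would otherwise be an unused variable. A one-line comment on that first guard, `// ac_ref_count is only read by the trace; the refcount bump itself happens in all builds`, would explain why `ac->get()` appears twice. Both enclosing functions start before their hunks.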
unsigned ac_ref_count = ac->put();
if (ac_ref_count == 0)
{
+ trace_logf(snort, "[%u] Destroying completed command %s\n",
+ idx, ac->stringify());
delete ac;
}
+#ifdef DEBUG_MSGS
+ else
+ trace_logf(snort, "[%u] Reaped ongoing command %s (refcount %u)\n",
+ idx, ac->stringify(), ac_ref_count);
+#endif
}
void Pig::reap_commands()
unsigned dispatched = 0;
ac = get_command(ac, from_shell);
+ trace_logf(snort, "Broadcasting %s command\n", ac->stringify());
for (unsigned idx = 0; idx < max_pigs; ++idx)
{
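Review bot: The trace at L116 dereferences `ac` immediately after `get_command(ac, from_shell)` returns and before the dispatch loop; if `get_command` can ever return `nullptr` (not visible in this hunk — it may well always wrap or return its argument), `ac->stringify()` runs before any null check the loop body might perform. If a null result is possible, either move the trace below the existing check or guard it: `if ( ac ) trace_logf(snort, "Broadcasting %s command\n", ac->stringify());`. The enclosing function starts before L114 and continues past L118.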
{
AnalyzerCommand* ac = orphan_commands.front();
orphan_commands.pop();
+ trace_logf(snort, "Destroying orphan command %s\n", ac->stringify());
delete ac;
}
}
#include "framework/parameter.h"
#include "log/messages.h"
#include "main.h"
+#include "main/snort_debug.h"
#include "packet_io/sfdaq_config.h"
#include "packet_io/trough.h"
#include "parser/config_file.h"
{ "--x2s", Parameter::PT_STRING, nullptr, nullptr,
"output ASCII string for given byte code (see also --x2c)" },
+
+ { "--trace", Parameter::PT_IMPLIED, nullptr, nullptr,
+ "turn on main loop debug trace" },
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
"command line configuration"
#endif
+Trace TRACE_NAME(snort);
+
class SnortModule : public Module
{
public:
- SnortModule() : Module(s_name, s_help, s_params)
+ SnortModule() : Module(s_name, s_help, s_params, false, &TRACE_NAME(snort))
{ }
#ifdef SHELL
else if ( v.is("--x2s") )
x2s(v.get_string());
+ else if (v.is("--trace"))
+ Module::enable_trace();
+
return true;
}
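Review bot: The new branch at L153 is written `else if (v.is("--trace"))`, while the surrounding chain uses the file's spaced form, e.g. `else if ( v.is("--x2s") )` at L151; match it: `else if ( v.is("--trace") )`. The explicit `Module::` qualification at L154 is also unnecessary for an inherited non-virtual member and reads as if it were suppressing dynamic dispatch — plain `enable_trace();` says what is meant. The enclosing `set` starts before L150.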
// the snort module is for handling command line args,
// shell commands, and basic application stats
+#include "main/snort_debug.h"
+
namespace snort
{
class Module;
}
+extern Trace TRACE_NAME(snort);
snort::Module* get_snort_module();
#endif
// loop until the protocol id is no longer valid
while (CodecManager::s_protocols[mapped_prot]->decode(raw, codec_data, p->ptrs))
{
+ trace_logf(decode, "Codec %s (protocol_id: %hu) "
+ "ip header starts at: %p, length is %d\n",
+ CodecManager::s_protocols[mapped_prot]->get_name(),
+ static_cast<uint16_t>(codec_data.next_prot_id), pkt, codec_data.lyr_len);
+
if ( codec_data.codec_flags & CODEC_ETHER_NEXT )
{
if ( codec_data.next_prot_id < ProtocolId::ETHERTYPE_MINIMUM )
codec_data.proto_bits = 0;
}
+ trace_logf(decode, "Codec %s (protocol_id: %hu) ip header"
+ " starts at: %p, length is %lu\n",
+ CodecManager::s_protocols[mapped_prot]->get_name(),
+ static_cast<uint16_t>(prev_prot_id), pkt, (unsigned long)codec_data.lyr_len);
+
if ( p->num_layers > 0 )
s_stats[mapped_prot + stat_offset]++;
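Review bot: The trace at L172-L175 labels `codec_data.next_prot_id` as `protocol_id` of the codec that just ran, but that field is the id of the *next* protocol to decode, and `pkt` is the start of the whole packet rather than of the current layer — the manual's sample output at L16-L19 shows both problems (every line prints the same address, and `eth` is labelled 34525, which is the IPv6 ethertype it hands off to). Rename the fields to what they are, e.g. `"Codec %s finished, next protocol_id: %hu, layer length: %u\n"`, and if a per-layer address is wanted print the layer's own start rather than `pkt`; the second trace at L182-L185 uses `prev_prot_id` and should get the same treatment. The two calls also format `codec_data.lyr_len` differently (`%d` at L175, cast to `unsigned long` with `%lu` at L185) — pick one form that matches the field's declared type. The enclosing decode function starts before L169 and continues past L188.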