static void AlertExtraData(
Flow* flow, void* data,
LogFunction* log_funcs, uint32_t max_count,
- uint32_t xtradata_mask,
- uint32_t event_id, uint32_t event_second)
+ uint32_t xtradata_mask, const AlertInfo& alert_info)
{
Unified2Config* config = (Unified2Config*)data;
uint32_t xid;
- if ((config == nullptr) || !xtradata_mask || !event_second)
+ if ((config == nullptr) || !xtradata_mask || !alert_info.event_second)
return;
xid = ffs(xtradata_mask);
if ( log_func(flow, &write_buffer, &len, &type) && (len > 0) )
{
- _WriteExtraData(config, obf, event_id, tenant_id, event_second, write_buffer, len, type);
+ _WriteExtraData(config, obf, alert_info.event_id, tenant_id, alert_info.event_second, write_buffer, len, type);
}
xtradata_mask ^= BIT(xid);
xid = ffs(xtradata_mask);
uint32_t max_count = Stream::get_xtra_data_map(log_funcs);
if ( max_count > 0 )
- AlertExtraData(
- p->flow, &config, log_funcs, max_count, p->xtradata_mask,
- event.get_event_id(), event.ref_time.tv_sec);
+ AlertExtraData(p->flow, &config, log_funcs, max_count, p->xtradata_mask,
+ { /* gid */ 0, /* sid */ 0, event.get_event_id(), event.ref_time.tv_sec });
}
}
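Review bot: The braced initializer on the new call feeds `event.ref_time.tv_sec` into AlertInfo's `uint32_t ts` parameter; if ref_time is a struct timeval, tv_sec is a time_t that is wider than 32 bits on common targets, and list-initialization forbids that narrowing — clang rejects it outright and gcc reports -Wnarrowing. The removed form passed the value as a plain function argument, which converts implicitly, so this is a new build risk rather than a behaviour change. Make the truncation explicit, e.g. `AlertInfo(0, 0, event.get_event_id(), static_cast<uint32_t>(event.ref_time.tv_sec))`, which also documents that seconds are deliberately kept in 32 bits. The second copy of this call in the following hunk has the same issue.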
uint32_t max_count = Stream::get_xtra_data_map(log_funcs);
if ( max_count > 0 )
- AlertExtraData(
- p->flow, &config, log_funcs, max_count, p->xtradata_mask,
- event.get_event_id(), event.ref_time.tv_sec);
+ AlertExtraData(p->flow, &config, log_funcs, max_count, p->xtradata_mask,
+ { /* gid */ 0, /* sid */ 0, event.get_event_id(), event.ref_time.tv_sec });
}
}
uint32_t xtradata_func_count = 0;
LogFunction xtradata_map[MAX_LOG_FN];
LogExtraData extra_data_log = nullptr;
- void* extra_data_config = nullptr;
+ void* extra_data_context = nullptr;
};
static StreamImpl stream;
//-------------------------------------------------------------------------
void Stream::log_extra_data(
- Flow* flow, uint32_t mask, uint32_t id, uint32_t sec)
+ Flow* flow, uint32_t mask, const AlertInfo& alert_info)
{
if ( mask && stream.extra_data_log )
{
stream.extra_data_log(
- flow, stream.extra_data_config, stream.xtradata_map,
- stream.xtradata_func_count, mask, id, sec);
+ flow, stream.extra_data_context, stream.xtradata_map,
+ stream.xtradata_func_count, mask, alert_info);
}
}
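Review bot: `stream.extra_data_log` and the renamed `stream.extra_data_context` are read here without `stream_xtra_mutex`, while the registration path writes both fields under that lock; if registration can ever run concurrently with logging, a reader may pair a new callback with the old context pointer, or with a context that has since been released. If registration is guaranteed to complete before packet threads start, a comment above the `if` stating that would make the unlocked read deliberate. Otherwise snapshot both fields under the lock and call outside it, e.g. `LogExtraData f; void* ctx; { const std::lock_guard<std::mutex> l(stream_xtra_mutex); f = stream.extra_data_log; ctx = stream.extra_data_context; }` followed by the existing call using `f` and `ctx`.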
{
const std::lock_guard<std::mutex> xtra_lock(stream_xtra_mutex);
stream.extra_data_log = f;
- stream.extra_data_config = config;
+ stream.extra_data_context = config;
}
//-------------------------------------------------------------------------
"first | last | linux | old_linux | bsd | macos | solaris | irix | " \
"hpux11 | hpux10 | windows | win_2003 | vista | proxy"
+struct AlertInfo
+{
+ AlertInfo() = default;
+ AlertInfo(uint32_t gid, uint32_t sid, uint32_t id, uint32_t ts = 0)
+ : gid(gid), sid(sid), event_id(id), event_second(ts) {}
+
+ uint32_t gid = 0;
+ uint32_t sid = 0;
+
+ uint32_t event_id = 0;
+ uint32_t event_second = 0;
+};
+
typedef int (* LogFunction)(Flow*, uint8_t** buf, uint32_t* len, uint32_t* type);
typedef void (* LogExtraData)(Flow*, void* config, LogFunction* funcs,
- uint32_t max_count, uint32_t xtradata_mask, uint32_t id, uint32_t sec);
+ uint32_t max_count, uint32_t xtradata_mask, const AlertInfo& alert_info);
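Review bot: AlertInfo is introduced without documentation, and the comment removed from StreamAlertInfo (`// if we log extra data, event_* is used to correlate with alert`) is not carried over with the fields it described; restore it above `event_id`. Zero also acts as a sentinel here: AlertExtraData returns early when `alert_info.event_second` is 0 and the constructor defaults `ts` to 0, so an AlertInfo built without a timestamp silently produces no extra-data records — worth stating, e.g. `// event_second == 0: no correlated alert, extra-data loggers skip it`. The constructor's parameters shadow the members (`gid(gid)`) while StreamAlertInfo in the same commit switched to trailing underscores; one convention across both would read better. The LogExtraData typedef still names its second parameter `config` although the storage it receives was renamed to `extra_data_context`; `void* context` would keep the two in step.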
#define MAX_LOG_FN 32
// extra data methods
static void set_extra_data(Flow*, Packet*, uint32_t);
- static void log_extra_data(Flow*, uint32_t mask, uint32_t id, uint32_t sec);
+ static void log_extra_data(Flow*, uint32_t mask, const AlertInfo&);
static uint32_t reg_xtra_data_cb(LogFunction);
static void reg_xtra_data_log(LogExtraData, void*);
#include "normalize/norm_stats.h"
#include "stream/paf.h"
+#include "stream/stream.h"
#include "tcp_segment_node.h"
class TcpSession;
void init_soe(TcpSegmentDescriptor& tsd, TcpSegmentNode* left, TcpSegmentNode* right);
};
-struct StreamAlertInfo
+struct StreamAlertInfo : snort::AlertInfo
{
- StreamAlertInfo(uint32_t gid, uint32_t sid, uint32_t seq, uint32_t id, uint32_t sec)
- : gid(gid), sid(sid), seq(seq), event_id(id), event_second(sec)
+ StreamAlertInfo(uint32_t gid_, uint32_t sid_, uint32_t seq_num_ = 0, uint32_t id_ = 0, uint32_t ts_ = 0)
+ : snort::AlertInfo(gid_, sid_, id_, ts_), seq(seq_num_)
{}
- uint32_t gid;
- uint32_t sid;
uint32_t seq;
- // if we log extra data, event_* is used to correlate with alert
- uint32_t event_id;
- uint32_t event_second;
};
struct TcpReassemblerState
bool TcpReassembler::add_alert(TcpReassemblerState& trs, uint32_t gid, uint32_t sid)
{
- trs.alerts.emplace_back(gid, sid, 0, 0, 0);
+ trs.alerts.emplace_back(gid, sid);
return true;
}
Flow* flow = trs.sos.session->flow;
for ( auto& alert : trs.alerts )
- Stream::log_extra_data(flow, trs.xtradata_mask, alert.event_id, alert.event_second);
+ Stream::log_extra_data(flow, trs.xtradata_mask, alert);
if ( !flow->is_suspended() )
trs.alerts.clear();