Merge pull request #2999 in SNORT/snort3 from ~STECHEW/snort3:events_id2 to master
authorSteve Chew (stechew) <stechew@cisco.com>
Tue, 27 Jul 2021 21:00:01 +0000 (21:00 +0000)
committerSteve Chew (stechew) <stechew@cisco.com>
Tue, 27 Jul 2021 21:00:01 +0000 (21:00 +0000)
Squashed commit of the following:

commit a8e58353979b450e801b29d0e080dc64151db382
Author: Steve Chew <stechew@cisco.com>
Date:   Fri Jun 25 16:38:13 2021 -0400

    events: Use instance_id to make event_id unique across threads.

14 files changed:
src/detection/detect.cc
src/detection/detection_util.cc
src/detection/fp_detect.cc
src/detection/tag.cc
src/events/event.cc
src/events/event.h
src/framework/base_api.h
src/loggers/alert_luajit.cc
src/loggers/alert_sf_socket.cc
src/loggers/alert_unixsock.cc
src/loggers/unified2.cc
src/main/snort_config.h
src/main/snort_module.cc
src/piglet_plugins/pp_event_iface.cc

index 205617dd88d0788a923d30920cc84258e737d126..5f47cc84b4bdc80187b6518ff400fa20721e4b61 100644 (file)
@@ -65,7 +65,7 @@ bool snort_log(Packet* p)
 
 void CallLogFuncs(Packet* p, ListHead* head, Event* event, const char* msg)
 {
-    event->event_id = event_id | p->context->conf->get_event_log_id();
+    event->update_event_id(p->context->conf->get_event_log_id());
 
     DetectionEngine::set_check_tags(false);
     pc.log_pkts++;
@@ -82,8 +82,7 @@ void CallLogFuncs(Packet* p, const OptTreeNode* otn, ListHead* head)
     event.sig_info = const_cast<SigInfo*>(&otn->sigInfo);
     event.ref_time.tv_sec = p->pkth->ts.tv_sec;
     event.ref_time.tv_usec = p->pkth->ts.tv_usec;
-    event.event_id = event_id | p->context->conf->get_event_log_id();
-    event.event_reference = event.event_id;
+    event.update_event_id_and_ref(p->context->conf->get_event_log_id());
 
     DetectionEngine::set_check_tags(false);
     pc.log_pkts++;
@@ -99,8 +98,7 @@ void CallAlertFuncs(Packet* p, const OptTreeNode* otn, ListHead* head)
     event.sig_info = const_cast<SigInfo*>(&otn->sigInfo);
     event.ref_time.tv_sec = p->pkth->ts.tv_sec;
     event.ref_time.tv_usec = p->pkth->ts.tv_usec;
-    event.event_id = event_id | p->context->conf->get_event_log_id();
-    event.event_reference = event.event_id;
+    event.update_event_id_and_ref(p->context->conf->get_event_log_id());
 
     pc.total_alert_pkts++;
 
index e40d8a858fa3610583f53983e2c6274799ef860d..1c9c30753e3740eded69d0b769724dca0c088951 100644 (file)
@@ -84,7 +84,7 @@ void EventTrace_Log(const Packet* p, const OptTreeNode* otn, Actions::Type actio
 
     TextLog_Print(tlog,
         "\nEvt=%u, Gid=%u, Sid=%u, Rev=%u, Act=%s\n",
-        event_id, otn->sigInfo.gid, otn->sigInfo.sid, otn->sigInfo.rev, acts.c_str());
+        get_event_id(), otn->sigInfo.gid, otn->sigInfo.sid, otn->sigInfo.rev, acts.c_str());
 
     TextLog_Print(tlog,
         "Pkt=" STDu64 ", Sec=%lu.%6lu, Len=%u, Cap=%u\n",
index f7136e1d33da71990613c05bfe44a2ee8e1097d5..3b82f9c843d73b0f2b78e50f1d252308966e377f 100644 (file)
@@ -255,11 +255,11 @@ int fpLogEvent(const RuleTreeNode* rtn, const OptTreeNode* otn, Packet* p)
 
     otn->state[get_instance_id()].alerts++;
 
-    event_id++;
+    incr_event_id();
 
     IpsAction * act = get_ips_policy()->action[action];
     act->exec(p, otn);
-    SetTags(p, otn, event_id);
+    SetTags(p, otn, get_event_id());
 
     fpLogOther(p, rtn, otn, action);
 
index b8f2f593215c07c47f08de0b63d23e8007fc5d5c..fa7ed05f38fb1f6b6b8ff9e4f1cf22a2d730c887 100644 (file)
@@ -544,12 +544,7 @@ int CheckTagList(Packet* p, Event& event, void** log_list)
         if ( create_event )
         {
             /* set the event info */
-            SetEvent(event, GID_TAG, TAG_LOG_PKT, 1, 1, 1, returned->event_id);
-
-            /* set event reference details */
-            event.ref_time.tv_sec = returned->event_time.tv_sec;
-            event.ref_time.tv_usec = returned->event_time.tv_usec;
-            event.event_reference = returned->event_id | p->context->conf->get_event_log_id();
+            event.set_event(GID_TAG, TAG_LOG_PKT, 1, 1, 1, returned->event_id, p->context->conf->get_event_log_id(), returned->event_time);
             *log_list = returned->log_list;
         }
 
index 7a547118151d2884743a64ddba0451ee56df8fb6..02d6a08c59330770da04460e53dfb920614c722a 100644 (file)
 
 using namespace snort;
 
-THREAD_LOCAL uint16_t event_id; // FIXIT-M also incremented in fpLogEvent()
+static THREAD_LOCAL uint16_t g_event_id;
 
-void SetEvent(
-    Event& event, uint32_t gid, uint32_t sid, uint32_t rev,
-    uint32_t classification, uint32_t priority, uint32_t event_ref)
+uint16_t get_event_id()
 {
-    event.sig_info->gid = gid;
-    event.sig_info->sid = sid;
-    event.sig_info->rev = rev;
-    event.sig_info->class_id = classification;
-    event.sig_info->priority = priority;
+    return g_event_id;
+}
+
+void incr_event_id()
+{
+    g_event_id++;
+}
+
+static uint32_t calc_event_id(uint16_t id, uint16_t log_id)
+{
+    // Use instance ID to make log_id unique per packet thread. Even if
+    // it overflows, value will still be unique if there are less than
+    // 65k threads.
+    log_id += snort::get_instance_id();
+    return (id | (log_id << 16));
+}
+
+void Event::update_event_id(uint16_t log_id)
+{
+    event_id = calc_event_id(g_event_id, log_id);
+}
+
+void Event::update_event_id_and_ref(uint16_t log_id)
+{
+    event_id = calc_event_id(g_event_id, log_id);
+    event_reference = event_id;
+}
+
+void Event::set_event(uint32_t gid, uint32_t sid, uint32_t rev,
+    uint32_t classification, uint32_t priority, uint16_t event_ref,
+    uint16_t log_id, const struct timeval& tv)
+{
+    sig_info->gid = gid;
+    sig_info->sid = sid;
+    sig_info->rev = rev;
+    sig_info->class_id = classification;
+    sig_info->priority = priority;
 
-    /* this one gets set automatically */
-    event.event_id = ++event_id | SnortConfig::get_conf()->get_event_log_id();
+    /* update event_id based on g_event_id. */
+    incr_event_id();
+    update_event_id(SnortConfig::get_conf()->get_event_log_id());
 
     if (event_ref)
-        event.event_reference = event_ref;
+        event_reference = calc_event_id(event_ref, log_id);
     else
-        event.event_reference = event.event_id;
+        event_reference = event_id;
 
-    event.ref_time.tv_sec = event.ref_time.tv_usec = 0;
+    ref_time.tv_sec = tv.tv_sec;
+    ref_time.tv_usec = tv.tv_usec;
 }
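Review bot: `log_id << 16` in calc_event_id shifts an int, because the uint16_t operand is promoted before the shift; for log_id values of 0x8000 and above (reachable once the instance id is added) the result lands in the sign bit, which is undefined behaviour before C++20 and only becomes the intended value on conversion to uint32_t. Doing the composition in unsigned arithmetic avoids that: `return static_cast<uint32_t>(id) | (static_cast<uint32_t>(log_id) << 16);`. Separately, set_event derives event_reference from the `log_id` the caller passed but event_id from `SnortConfig::get_conf()->get_event_log_id()`; if those two configs can differ (for instance during a reload), the two fields end up with different high halves, and `update_event_id(log_id);` would keep them consistent. The `event_ref` parameter is also narrowed to uint16_t; tag.cc passes `returned->event_id`, whose width is not visible here, so confirm it is the 16-bit counter or the high half is silently dropped.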
 
index 6c053df132b1cf7c68874cf77d726811ebd87cd0..4ddcd61db9d2bf6d0de78d5a4ec28ba46c754cad 100644 (file)
@@ -24,7 +24,6 @@
 #include "main/thread.h"
 
 struct SigInfo;
-extern THREAD_LOCAL uint16_t event_id;
 
 /* we must use fixed size of 32 bits, because on-disk
  * format of savefiles uses 32-bit tv_sec (and tv_usec)
@@ -38,20 +37,35 @@ struct sf_timeval32
 struct Event
 {
     SigInfo* sig_info = nullptr;
-    uint32_t event_id = 0;
-    uint32_t event_reference = 0; // reference to other events that have gone off,
-                              // such as in the case of tagged packets...
     struct sf_timeval32 ref_time = { 0, 0 };   /* reference time for the event reference */
     const char* alt_msg = nullptr;
 
     Event() = default;
     Event(SigInfo& si)
     { sig_info = &si; }
+
+    uint32_t get_event_id() const { return event_id; }
+    void set_event_id(uint32_t id) { event_id = id; }
+
+    uint32_t get_event_reference() const { return event_reference; }
+    void set_event_reference(uint32_t ref) { event_reference = ref; }
+
+    void update_event_id(uint16_t log_id);
+    void update_event_id_and_ref(uint16_t log_id);
+
+    void set_event(uint32_t gid, uint32_t sid, uint32_t rev,
+        uint32_t classification, uint32_t priority, uint16_t event_ref,
+        uint16_t log_id, const struct timeval& tv);
+
+
+private:
+    uint32_t event_id = 0;
+    uint32_t event_reference = 0; // reference to other events that have gone off,
+                                  // such as in the case of tagged packets...
 };
 
-void SetEvent(
-    Event&, uint32_t gid, uint32_t sid, uint32_t rev,
-    uint32_t classification, uint32_t priority, uint32_t event_ref);
+uint16_t get_event_id();
+void incr_event_id();
 
 #endif
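Review bot: Two different things are now called `get_event_id`: the Event member near the top of the struct returns the composed 32-bit id, while the free function declared after the struct returns the 16-bit per-thread counter, and inside Event's member functions the unqualified name resolves to the member, so the counter cannot be reached there without a qualifier. Distinct names for the free functions would remove the trap; failing that, a comment on each declaration, e.g. `uint16_t get_event_id();   // per-thread event counter (low 16 bits of Event::event_id)`. The private fields also deserve a note on the layout update_event_id produces: `uint32_t event_id = 0;   // high 16 bits: log id + instance id, low 16 bits: per-thread counter`. The doubled blank line before `private:` can be dropped.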
 
index 27a104b731ab22c4f56729d62aac30391be58656..45a3a8873d765b46440a663dad61e3744f258813 100644 (file)
@@ -29,7 +29,7 @@
 
 // this is the current version of the base api
 // must be prefixed to subtype version
-#define BASE_API_VERSION 4
+#define BASE_API_VERSION 5
 
 // set options to API_OPTIONS to ensure compatibility
 #ifndef API_OPTIONS
index a4ad98d4991a391e4eb89e545ff45c13a1336941..0783e2fd5ba1a613deb874fb0171ff86054c0cdd 100644 (file)
@@ -54,8 +54,8 @@ SO_PUBLIC const SnortEvent* get_event()
     lua_event.sid = event->sig_info->sid;
     lua_event.rev = event->sig_info->rev;
 
-    lua_event.event_id = event->event_id;
-    lua_event.event_ref = event->event_reference;
+    lua_event.event_id = event->get_event_id();
+    lua_event.event_ref = event->get_event_reference();
 
     if ( !event->sig_info->message.empty() )
         lua_event.msg = event->sig_info->message.c_str();
index ac787674365e210917b7c88ca16e1c3501f7685f..5151a33acedde5a39956a61a16188f75543adc4c 100644 (file)
@@ -294,7 +294,7 @@ static void load_sar(Packet* packet, const Event& event, SnortActionRequest& sar
         return;
 
     /* construct the action request */
-    sar.event_id = event.event_id;
+    sar.event_id = event.get_event_id();
     sar.tv_sec = packet->pkth->ts.tv_sec;
     sar.gid = event.sig_info->gid;
     sar.sid = event.sig_info->sid;
index cd899ac87428f97a4550720db2c6b1fbd7fcef3d..648dea9c92822413fa087178aa226ddaacab5ac8 100644 (file)
@@ -128,8 +128,8 @@ static void get_alert_pkt(
     us.alert.class_id = event.sig_info->class_id;
     us.alert.priority = event.sig_info->priority;
 
-    us.alert.event_id = event.event_id;
-    us.alert.event_ref = event.event_reference;
+    us.alert.event_id = event.get_event_id();
+    us.alert.event_ref = event.get_event_reference();
     us.alert.ref_time = event.ref_time;
 
     if (p && p->pkt)
index 31adbf1facd47168e1a4dbc85e7da6dbb5a70570..490813363ef3ce9161490d975dd2dcbdad094797 100644 (file)
@@ -168,7 +168,7 @@ static void alert_event(Packet* p, const char*, Unified2Config* config, const Ev
 
     u2_event.snort_id = 0;  // FIXIT-H alert_event define / use
 
-    u2_event.event_id = htonl(event->event_id);
+    u2_event.event_id = htonl(event->get_event_id());
     u2_event.event_second = htonl(event->ref_time.tv_sec);
     u2_event.event_microsecond = htonl(event->ref_time.tv_usec);
 
@@ -346,7 +346,7 @@ static void _Unified2LogPacketAlert(
 
     if (event != nullptr)
     {
-        logheader.event_id = htonl(event->event_reference);
+        logheader.event_id = htonl(event->get_event_reference());
         logheader.event_second = htonl(event->ref_time.tv_sec);
     }
     else
@@ -617,7 +617,7 @@ static void _AlertIP4_v2(Packet* p, const char*, Unified2Config* config, const E
 
     memset(&alertdata, 0, sizeof(alertdata));
 
-    alertdata.event_id = htonl(event->event_id);
+    alertdata.event_id = htonl(event->get_event_id());
     alertdata.event_second = htonl(event->ref_time.tv_sec);
     alertdata.event_microsecond = htonl(event->ref_time.tv_usec);
     alertdata.generator_id = htonl(event->sig_info->gid);
@@ -703,7 +703,7 @@ static void _AlertIP6_v2(Packet* p, const char*, Unified2Config* config, const E
 
     memset(&alertdata, 0, sizeof(alertdata));
 
-    alertdata.event_id = htonl(event->event_id);
+    alertdata.event_id = htonl(event->get_event_id());
     alertdata.event_second = htonl(event->ref_time.tv_sec);
     alertdata.event_microsecond = htonl(event->ref_time.tv_usec);
     alertdata.generator_id = htonl(event->sig_info->gid);
@@ -922,10 +922,10 @@ void U2Logger::alert_legacy(Packet* p, const char* msg, const Event& event)
         if (p->ptrs.ip_api.is_ip6())
         {
             const SfIp* ip = p->ptrs.ip_api.get_src();
-            _WriteExtraData(&config, event.event_id, event.ref_time.tv_sec,
+            _WriteExtraData(&config, event.get_event_id(), event.ref_time.tv_sec,
                 (const uint8_t*) ip->get_ip6_ptr(), sizeof(struct in6_addr), EVENT_INFO_IPV6_SRC);
             ip = p->ptrs.ip_api.get_dst();
-            _WriteExtraData(&config, event.event_id, event.ref_time.tv_sec,
+            _WriteExtraData(&config, event.get_event_id(), event.ref_time.tv_sec,
                 (const uint8_t*) ip->get_ip6_ptr(), sizeof(struct in6_addr), EVENT_INFO_IPV6_DST);
         }
     }
@@ -937,7 +937,7 @@ void U2Logger::alert_legacy(Packet* p, const char* msg, const Event& event)
     if ( p->flow )
         Stream::update_flow_alert(
             p->flow, p, event.sig_info->gid, event.sig_info->sid,
-            event.event_id, event.ref_time.tv_sec);
+            event.get_event_id(), event.ref_time.tv_sec);
 
     if ( p->xtradata_mask )
     {
@@ -947,7 +947,7 @@ void U2Logger::alert_legacy(Packet* p, const char* msg, const Event& event)
         if ( max_count > 0 )
             AlertExtraData(
                 p->flow, &config, log_funcs, max_count, p->xtradata_mask,
-                event.event_id, event.ref_time.tv_sec);
+                event.get_event_id(), event.ref_time.tv_sec);
     }
 }
 
@@ -963,7 +963,7 @@ void U2Logger::alert(Packet* p, const char* msg, const Event& event)
     if ( p->flow )
         Stream::update_flow_alert(
             p->flow, p, event.sig_info->gid, event.sig_info->sid,
-            event.event_id, event.ref_time.tv_sec);
+            event.get_event_id(), event.ref_time.tv_sec);
 
     if ( p->xtradata_mask )
     {
@@ -973,7 +973,7 @@ void U2Logger::alert(Packet* p, const char* msg, const Event& event)
         if ( max_count > 0 )
             AlertExtraData(
                 p->flow, &config, log_funcs, max_count, p->xtradata_mask,
-                event.event_id, event.ref_time.tv_sec);
+                event.get_event_id(), event.ref_time.tv_sec);
     }
 }
 
index bf73f6c2f7aff22a97dbbb28d1c614f028b255d0..eacd1184e97c12c99e501ba94512ce177645f0db 100644 (file)
@@ -331,7 +331,7 @@ public:
     //------------------------------------------------------
     // FIXIT-L command line only stuff, add to conf / module
 
-    uint32_t event_log_id = 0;
+    uint16_t event_log_id = 0;
     SfCidr obfuscation_net;
     std::string bpf_filter;
     std::string metadata_filter;
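Review bot: `event_log_id` is now stored unshifted and, per calc_event_id in event.cc, the packet thread's instance id is added to it before it becomes the high 16 bits of Event::event_id, so the logid that reaches unified2 and the other loggers equals the configured `-G` value only for instance 0. A comment on the member would save the next reader, and anyone correlating logs by logid, from assuming the two match: `uint16_t event_log_id = 0;  // base value from -G/--logid; the packet thread's instance id is added before it is placed in the high 16 bits of Event::event_id`. The class declaration continues outside the hunk.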
@@ -545,7 +545,7 @@ public:
     { return run_flags & RUN_FLAG__INLINE_TEST; }
 
     // event stuff
-    uint32_t get_event_log_id() const
+    uint16_t get_event_log_id() const
     { return event_log_id; }
 
     bool process_all_events() const
index a909fcd3d47dba00135712f2ffd455a175d922b4..a07fc1be1ab5a7efacb7030a74de35057b7da65f 100644 (file)
@@ -718,7 +718,7 @@ bool SnortModule::set(const char*, Value& v, SnortConfig* sc)
         sc->output_flags |= OUTPUT_FLAG__LINE_BUFFER;
 
     else if ( v.is("-G") || v.is("--logid") )
-        sc->event_log_id = v.get_uint16() << 16;
+        sc->event_log_id = v.get_uint16();
 
     else if ( v.is("-g") )
         sc->set_gid(v.get_string());
index 42052faa83eeb3b2bc70cdad045ea549acaf0c5a..8c04630714505e66dbc1ceecfb366b56c5391a07 100644 (file)
@@ -41,8 +41,12 @@ static void set_fields(lua_State* L, int tindex, Event& self)
 {
     Lua::Table table(L, tindex);
 
-    table.get_field("event_id", self.event_id);
-    table.get_field("event_reference", self.event_reference);
+    uint32_t value = 0;
+    table.get_field("event_id", value);
+    self.set_event_id(value);
+
+    table.get_field("event_reference", value);
+    self.set_event_reference(value);
 
     const char* s = nullptr;
     if ( table.get_field("alt_msg", s) && s )  // FIXIT-L shouldn't need both conditions
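Review bot: `value` is reused for the second `get_field` without being reset, so if the Lua table has no `event_reference` key and get_field leaves its out-parameter untouched on a miss (its bool return is checked for `alt_msg` just below, which suggests it can miss), event_reference silently receives the event_id just read instead of 0. Reading it into its own zeroed variable avoids the carry-over: `uint32_t ref = 0; table.get_field("event_reference", ref); self.set_event_reference(ref);`. set_fields continues past the end of the hunk.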
@@ -57,8 +61,8 @@ static void get_fields(lua_State* L, int tindex, Event& self)
 {
     Lua::Table table(L, tindex);
 
-    table.set_field("event_id", self.event_id);
-    table.set_field("event_reference", self.event_reference);
+    table.set_field("event_id", self.get_event_id());
+    table.set_field("event_reference", self.get_event_reference());
 
     if ( self.alt_msg )
         table.set_field("alt_msg", self.alt_msg);