Pull request #3766: host cache: removed some log to prevent log flooding

Merge in SNORT/snort3 from ~RSHAFIQ/snort3:host_cache_logs to master

Squashed commit of the following:

commit ec6949eab03ba034c9ed416476329e1a6c6ad697
Author: rshafiq <rshafiq@cisco.com>
Date:   Thu Feb 16 09:30:46 2023 -0500

    host cache: removed some log to prevent log flooding

diff --git a/src/control/control.cc b/src/control/control.cc
index 39da1119ccd2bed0d0eb15f3724a8ce70deadbe7..df47773c7510c2c46356a680611a48683bfb5425 100644 (file)
--- a/src/control/control.cc
+++ b/src/control/control.cc
@@ -34,6 +34,7 @@
 
 using namespace snort;
 
+std::vector<std::string> ControlConn::log_exclusion_list;
 
 ControlConn* ControlConn::query_from_lua(const lua_State* L)
 {
@@ -77,6 +78,36 @@ void ControlConn::configure() const
     ModuleManager::load_commands(shell);
 }
 
+void ControlConn::log_command(const std::string& command, bool log) 
+{
+    if(command.empty())
+        return;
+    
+    auto it = std::find(log_exclusion_list.begin(), log_exclusion_list.end(), command);
+    if (log) 
+    {
+        if (it != log_exclusion_list.end()) 
+            log_exclusion_list.erase(it);
+    } else 
+    {
+        if (it == log_exclusion_list.end()) 
+            log_exclusion_list.push_back(command);
+    }
+}
+
+bool ControlConn::loggable(const std::string& command)
+{
+    if(log_exclusion_list.empty() or command.empty())
+        return true;
+    
+    for (const auto& m : log_exclusion_list) 
+    {
+        if (command.find(m) != std::string::npos)
+            return false;
+    }
+    return true;
+}
+
 int ControlConn::read_commands()
 {
     char buf[STD_BUF];
@@ -90,9 +121,9 @@ int ControlConn::read_commands()
         char* nl;
         while ((nl = strchr(p, '\n')) != nullptr)
         {
-            std::string command = next_command;
             next_command.append(buf, nl - p);
-            LogMessage("Control: received command, %s\n", next_command.c_str());
+            if(loggable(next_command))
+                LogMessage("Control: received command, %s\n", next_command.c_str());
             pending_commands.push(std::move(next_command));
             next_command.clear();
             p = nl + 1;

diff --git a/src/control/control.h b/src/control/control.h
index 6076cda7c80a79d85f18437b190eae1f9fdf78ea..8c4c67c49d0598213973bd0ca1be8f5ec1fb7277 100644 (file)
--- a/src/control/control.h
+++ b/src/control/control.h
@@ -27,6 +27,7 @@
 #include <ctime>
 #include <queue>
 #include <string>
+#include <vector>
 
 #include "main/snort_types.h"
 
@@ -68,8 +69,11 @@ public:
     SO_PUBLIC bool respond(const char* format, ...) __attribute__((format (printf, 2, 3)));
     SO_PUBLIC static ControlConn* query_from_lua(const lua_State*);
 
+    static void log_command(const std::string& module, bool log);
+
 private:
     void touch();
+    bool loggable(const std::string& command);
 
 private:
     std::queue<std::string> pending_commands;
@@ -80,6 +84,8 @@ private:
     bool blocked = false;
     bool removed = false;
     time_t touched;
+
+    static std::vector<std::string> log_exclusion_list;
 };
 
 #define LogRespond(cn, ...)       do { if (cn) cn->respond(__VA_ARGS__); else LogMessage(__VA_ARGS__); } while(0)

diff --git a/src/host_tracker/host_cache_module.cc b/src/host_tracker/host_cache_module.cc
index 906efe7226bc8666f15981ad4d3a1c0bbfead0c3..2ea6c0c497d227c518f359b9e0c1639f51aee468 100644 (file)
--- a/src/host_tracker/host_cache_module.cc
+++ b/src/host_tracker/host_cache_module.cc
@@ -36,10 +36,11 @@
 using namespace snort;
 using namespace std;
 
+THREAD_LOCAL const Trace* host_cache_trace = nullptr;
+
 //-------------------------------------------------------------------------
 // commands
 //-------------------------------------------------------------------------
-
 static int host_cache_dump(lua_State* L)
 {
     HostCacheModule* mod = (HostCacheModule*) ModuleManager::get_module(HOST_CACHE_NAME);
@@ -69,14 +70,14 @@ static int host_cache_delete_host(lua_State* L)
         const char* ips = luaL_optstring(L, 1, nullptr);
         if (ips == nullptr)
         {
-            LogMessage("Usage: host_cache.delete_host(ip)\n");
+            debug_logf(host_cache_trace, nullptr,  "Usage: host_cache.delete_host(ip)\n");
             return 0;
         }
 
         SfIp ip;
         if (ip.set(ips) != SFIP_SUCCESS)
         {
-            LogMessage("Bad ip %s\n", ips);
+            debug_logf(host_cache_trace, nullptr,  "Bad ip %s\n", ips);
             return 0;
         }
 
@@ -85,11 +86,10 @@ static int host_cache_delete_host(lua_State* L)
             ht->set_visibility(false);
         else
         {
-            LogMessage("%s not found in host cache\n", ips);
+            debug_logf(host_cache_trace, nullptr,  "%s not found in host cache\n", ips);
             return 0;
         }
-
-        LogMessage("host_cache_delete_host done\n");
+        debug_logf(host_cache_trace, nullptr,  "host_cache_delete_host done\n");
     }
     return 0;
 }
@@ -104,14 +104,14 @@ static int host_cache_delete_network_proto(lua_State* L)
 
         if (ips == nullptr || proto == -1)
         {
-            LogMessage("Usage: host_cache.delete_network_proto(ip, proto)\n");
+            debug_logf(host_cache_trace, nullptr,  "Usage: host_cache.delete_network_proto(ip, proto)\n");
             return 0;
         }
 
         SfIp ip;
         if (ip.set(ips) != SFIP_SUCCESS)
         {
-            LogMessage("Bad ip %s\n", ips);
+            debug_logf(host_cache_trace, nullptr,  "Bad ip %s\n", ips);
             return 0;
         }
 
@@ -120,17 +120,16 @@ static int host_cache_delete_network_proto(lua_State* L)
         {
             if ( !ht->set_network_proto_visibility(proto, false) )
             {
-                LogMessage("%d not found for host %s\n", proto, ips);
+                debug_logf(host_cache_trace, nullptr,  "%d not found for host %s\n", proto, ips);
                 return 0;
             }
         }
         else
         {
-            LogMessage("%s not found in host cache\n", ips);
+            debug_logf(host_cache_trace, nullptr,  "%s not found in host cache\n", ips);
             return 0;
         }
-
-        LogMessage("host_cache_delete_network_proto done\n");
+        debug_logf(host_cache_trace, nullptr,  "host_cache_delete_network_proto done\n");
     }
     return 0;
 }
@@ -142,17 +141,16 @@ static int host_cache_delete_transport_proto(lua_State* L)
     {
         const char* ips = luaL_optstring(L, 1, nullptr);
         int proto = luaL_optint(L, 2, -1);
-
         if ( ips == nullptr || proto == -1 )
         {
-            LogMessage("Usage: host_cache.delete_transport_proto(ip, proto)\n");
+            debug_logf(host_cache_trace, nullptr,  "Usage: host_cache.delete_transport_proto(ip, proto)\n");
             return 0;
         }
 
         SfIp ip;
         if ( ip.set(ips) != SFIP_SUCCESS )
         {
-            LogMessage("Bad ip %s\n", ips);
+            debug_logf(host_cache_trace, nullptr,  "Bad ip %s\n", ips);
             return 0;
         }
 
@@ -161,17 +159,16 @@ static int host_cache_delete_transport_proto(lua_State* L)
         {
             if ( !ht->set_xproto_visibility(proto, false) )
             {
-                LogMessage("%d not found for host %s\n", proto, ips);
+                debug_logf(host_cache_trace, nullptr,  "%d not found for host %s\n", proto, ips);
                 return 0;
             }
         }
         else
         {
-            LogMessage("%s not found in host cache\n", ips);
+            debug_logf(host_cache_trace, nullptr,  "%s not found in host cache\n", ips);
             return 0;
         }
-
-        LogMessage("host_cache_delete_transport_proto done\n");
+        debug_logf(host_cache_trace, nullptr,  "host_cache_delete_transport_proto done\n");
     }
     return 0;
 }
@@ -187,20 +184,20 @@ static int host_cache_delete_service(lua_State* L)
 
         if ( ips == nullptr || port == -1 || proto == -1 )
         {
-            LogMessage("Usage: host_cache.delete_service(ip, port, proto).\n");
+            debug_logf(host_cache_trace, nullptr,  "Usage: host_cache.delete_service(ip, port, proto).\n");
             return 0;
         }
 
         if ( !(0 <= proto and proto < 256) )
         {
-            LogMessage("Protocol must be between 0 and 255.\n");
+            debug_logf(host_cache_trace, nullptr,  "Protocol must be between 0 and 255.\n");
             return 0;
         }
 
         SfIp ip;
         if ( ip.set(ips) != SFIP_SUCCESS )
         {
-            LogMessage("Bad ip %s\n", ips);
+            debug_logf(host_cache_trace, nullptr,  "Bad ip %s\n", ips);
             return 0;
         }
 
@@ -209,17 +206,16 @@ static int host_cache_delete_service(lua_State* L)
         {
             if ( !ht->set_service_visibility(port, (IpProtocol)proto, false) )
             {
-                LogMessage("%d or %d not found for host %s\n", port, proto, ips);
+                debug_logf(host_cache_trace, nullptr,  "%d or %d not found for host %s\n", port, proto, ips);
                 return 0;
             }
         }
         else
         {
-            LogMessage("%s not found in host cache\n", ips);
+            debug_logf(host_cache_trace, nullptr,  "%s not found in host cache\n", ips);
             return 0;
         }
-
-        LogMessage("host_cache_delete_service done\n");
+        debug_logf(host_cache_trace, nullptr,  "host_cache_delete_service done\n");
     }
     return 0;
 }
@@ -236,14 +232,14 @@ static int host_cache_delete_client(lua_State* L)
 
         if (ips == nullptr || id == -1 || service == -1)
         {
-            LogMessage("Usage: host_cache.delete_client(ip, id, service, <version>).\n");
+            debug_logf(host_cache_trace, nullptr,  "Usage: host_cache.delete_client(ip, id, service, <version>).\n");
             return 0;
         }
 
         SfIp ip;
         if (ip.set(ips) != SFIP_SUCCESS)
         {
-            LogMessage("Bad ip %s\n", ips);
+            debug_logf(host_cache_trace, nullptr,  "Bad ip %s\n", ips);
             return 0;
         }
 
@@ -253,17 +249,16 @@ static int host_cache_delete_client(lua_State* L)
             HostClient hc(id, version, service);
             if ( !ht->set_client_visibility(hc, false) )
             {
-                LogMessage("Client not found for host %s\n", ips);
+                debug_logf(host_cache_trace, nullptr,  "Client not found for host %s\n", ips);
                 return 0;
             }
         }
         else
         {
-            LogMessage("%s not found in host cache\n", ips);
+            debug_logf(host_cache_trace, nullptr,  "%s not found in host cache\n", ips);
             return 0;
         }
-
-        LogMessage("host_cache_delete_client done\n");
+        debug_logf(host_cache_trace, nullptr,  "host_cache_delete_client done\n");
     }
     return 0;
 }
@@ -371,7 +366,10 @@ bool HostCacheModule::end(const char* fqn, int, SnortConfig* sc)
         if ( Snort::is_reloading() )
             sc->register_reload_handler(new HostCacheReloadTuner(memcap));
         else
+        {   
             host_cache.set_max_size(memcap);
+            ControlConn::log_command("host_cache.delete_host",false);
+        }
     }
 
     return true;
@@ -489,3 +487,17 @@ void HostCacheModule::sum_stats(bool accumulate_now_stats)
     Module::sum_stats(accumulate_now_stats);
     host_cache.unlock();
 }
+
+void HostCacheModule::set_trace(const Trace* trace) const
+{ host_cache_trace = trace; }
+
+const TraceOption* HostCacheModule::get_trace_options() const
+{
+#ifndef DEBUG_MSGS
+    return nullptr;
+#else
+    static const TraceOption host_cache_trace_options(nullptr, 0, nullptr);
+
+    return &host_cache_trace_options;
+#endif
+}

diff --git a/src/host_tracker/host_cache_module.h b/src/host_tracker/host_cache_module.h
index 21feb2c71d19c1977b0eb7ba35b907fc18a19f47..258f6b8f09b4cc39b6db25a6f6e600bc7ec1b051 100644 (file)
--- a/src/host_tracker/host_cache_module.h
+++ b/src/host_tracker/host_cache_module.h
@@ -28,6 +28,7 @@
 #include "framework/module.h"
 #include "main/snort.h"
 #include "main/reload_tuner.h"
+#include "trace/trace_api.h"
 
 #include "host_cache.h"
 
@@ -75,10 +76,14 @@ public:
     void log_host_cache(const char* file_name, bool verbose = false);
     std::string get_host_cache_stats();
 
+    void set_trace(const snort::Trace*) const override;
+    const snort::TraceOption* get_trace_options() const override;
+
 private:
     std::string dump_file;
     size_t memcap = 0;
 };
+extern THREAD_LOCAL const snort::Trace* host_cache_trace;
 
 #endif
 

diff --git a/src/host_tracker/test/host_cache_module_test.cc b/src/host_tracker/test/host_cache_module_test.cc
index 057be7b0184463b994fa9ca7720c5254afeea201..557226d5f998acb132ae6fe176c3b8460781eca5 100644 (file)
--- a/src/host_tracker/test/host_cache_module_test.cc
+++ b/src/host_tracker/test/host_cache_module_test.cc
@@ -48,11 +48,16 @@ static char logged_message[LOG_MAX+1];
 static ControlConn ctrlcon(1, true);
 ControlConn::ControlConn(int, bool) {}
 ControlConn::~ControlConn() {}
+void ControlConn::log_command(const std::string& , bool ) { }
 ControlConn* ControlConn::query_from_lua(const lua_State*) { return &ctrlcon; }
 bool ControlConn::respond(const char*, ...) { return true; }
 
 namespace snort
 {
+void trace_vprintf(const char*, TraceLevel, const char*, const Packet*, const char*, va_list) { }
+uint8_t TraceApi::get_constraints_generation() { return 0; }
+void TraceApi::filter(const Packet&) { }
+
 const SnortConfig* SnortConfig::get_conf()
 { return nullptr; }
 

diff --git a/src/main.cc b/src/main.cc
index 9049b4ca53bc592066bd3d3912ade371d632d75b..a97d34249afd0f99ca2f254351079489bece37e6 100644 (file)
--- a/src/main.cc
+++ b/src/main.cc
@@ -379,6 +379,25 @@ int main_set_watchdog_params(lua_State* L)
     return 0;
 }
 
+int main_log_command(lua_State* L)
+{
+    if (!L)
+        return 0;
+    
+    ControlConn* ctrlcon = ControlConn::query_from_lua(L);
+    if (lua_gettop(L) >= 2)
+    {
+        std::string command = luaL_optstring(L, 1, nullptr);
+        bool exclusion = luaL_opt(L,lua_toboolean, 2, true);
+        ctrlcon->log_command(command, exclusion);
+        LogRespond(ctrlcon, "Control: Logging %s for %s\n", exclusion ? "enabled" : "disabled" , command.c_str());
+    }
+    else
+        LogRespond(ctrlcon, "Usage: log_command(<command>,true|false)\n");
+    
+    return 0;
+}
+
 int main_rotate_stats(lua_State* L)
 {
     ControlConn* ctrlcon = ControlConn::query_from_lua(L);

diff --git a/src/main.h b/src/main.h
index c9c66213e0b519c1cc7ff5daf4d2ce88a096b970..927e4d2f4d55b940db57b54d54415e150ed1d4de 100644 (file)
--- a/src/main.h
+++ b/src/main.h
@@ -28,6 +28,7 @@ const char* get_prompt();
 // commands provided by the snort module
 int main_delete_inspector(lua_State* = nullptr);
 int main_dump_stats(lua_State* = nullptr);
+int main_log_command(lua_State* = nullptr);
 int main_dump_heap_stats(lua_State* = nullptr);
 int main_reset_stats(lua_State* = nullptr);
 int main_set_watchdog_params(lua_State* = nullptr);

diff --git a/src/main/snort_module.cc b/src/main/snort_module.cc
index 0bc0126542e67c9836bca9a95c5ddc620e7dadb0..740a4a1ac4c9d3bac749dc366b9ad80e4bc44a96 100644 (file)
--- a/src/main/snort_module.cc
+++ b/src/main/snort_module.cc
@@ -111,6 +111,13 @@ static const Parameter s_watchdog[] =
     { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
 };
 
+static const Parameter main_log_command_param[] =
+{
+    { "command", Parameter::PT_STRING, nullptr, nullptr, "<command> to update logging" },
+    { "logging", Parameter::PT_BOOL, nullptr, nullptr, " true|false, enable or disable <command> logging" },
+    { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
+};
+
 static const Command snort_cmds[] =
 {
     { "set_watchdog_params", main_set_watchdog_params, s_watchdog, "set watchdog parameters" },
@@ -127,6 +134,7 @@ static const Command snort_cmds[] =
     { "reload_policy", main_reload_policy, s_reload, "reload part or all of the default policy" },
     { "reload_daq", main_reload_daq, nullptr, "reload daq module" },
     { "reload_hosts", main_reload_hosts, s_reload, "load a new hosts table" },
+    { "log_command", main_log_command,main_log_command_param, "enabled or disable logging of a command"},
 
     // FIXIT-M rewrite trough to permit updates on the fly
     //{ "process", main_process, nullptr, "process given pcap" },