eve/logging: 2991 Optimize logging by TX
authorJeff Lucovsky <jeff@lucovsky.org>
Sat, 25 May 2019 20:38:45 +0000 (13:38 -0700)
committerVictor Julien <victor@inliniac.net>
Thu, 20 Jun 2019 18:14:58 +0000 (20:14 +0200)
This changeset makes changes to the TX logging path. Since the
transaction is passed to the TX logger, the TX can be used directly
instead of being looked up by its TX id.

28 files changed:
rust/src/applayertemplate/template.rs
rust/src/dhcp/dhcp.rs
rust/src/dns/dns.rs
rust/src/ikev2/ikev2.rs
rust/src/krb/krb5.rs
rust/src/nfs/nfs.rs
rust/src/ntp/ntp.rs
rust/src/parser.rs
rust/src/smb/smb.rs
src/app-layer-dnp3.c
src/app-layer-dns-tcp-rust.c
src/app-layer-dns-udp-rust.c
src/app-layer-enip.c
src/app-layer-htp-file.c
src/app-layer-htp.c
src/app-layer-modbus.c
src/app-layer-nfs-tcp.c
src/app-layer-nfs-udp.c
src/app-layer-parser.c
src/app-layer-parser.h
src/app-layer-register.h
src/app-layer-smb.c
src/app-layer-smtp.c
src/app-layer-ssl.c
src/app-layer-template.c
src/app-layer-tftp.c
src/detect-app-layer-event.c
src/output-json-anomaly.c

index b0fc89bf974a617504f7e4ea9858c3dbd7f18312..63123164139ace801a2c76eab282f6bbe4651396 100644 (file)
@@ -416,14 +416,10 @@ pub extern "C" fn rs_template_tx_set_logged(
 
 #[no_mangle]
 pub extern "C" fn rs_template_state_get_events(
-    state: *mut libc::c_void,
-    tx_id: u64,
+    tx: *mut libc::c_void
 ) -> *mut core::AppLayerDecoderEvents {
-    let state = cast_pointer!(state, TemplateState);
-    match state.get_tx(tx_id) {
-        Some(tx) => tx.events,
-        _ => std::ptr::null_mut(),
-    }
+    let tx = cast_pointer!(tx, TemplateTransaction);
+    return tx.events;
 }
 
 #[no_mangle]
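Review bot: `cast_pointer!(tx, TemplateTransaction)` on the new line dereferences the pointer unconditionally, where the removed `match state.get_tx(tx_id)` returned `std::ptr::null_mut()` for an unknown transaction, so a NULL `tx` handed over from C now faults instead of yielding NULL — unless `cast_pointer!` itself rejects null, which nothing on this page shows. The same unconditional dereference appears in the dhcp, dns, ikev2, krb5, nfs, ntp and smb hunks, and on the C side in DNP3GetEvents, ENIPGetEvents, ModbusGetEvents, SMTPGetEvents and TemplateGetEvents. Either state the precondition on each entry point, e.g. `/// tx must be a non-null pointer to a live TemplateTransaction; the lookup that used to return NULL for an unknown id is now the caller's job`, or guard it with `if tx.is_null() { return std::ptr::null_mut(); }` before the cast. Minor style: the trailing `return tx.events;` can be the bare expression `tx.events`.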
index 13441e502181ff0029e41b6e9d9f4ae2a11f88f9..4ac17c1624da1043764afb85f8f5789aacf823f6 100644 (file)
@@ -328,15 +328,11 @@ pub extern "C" fn rs_dhcp_tx_set_logged(_state: *mut libc::c_void,
 }
 
 #[no_mangle]
-pub extern "C" fn rs_dhcp_state_get_events(state: *mut libc::c_void,
-                                           tx_id: u64)
+pub extern "C" fn rs_dhcp_state_get_events(tx: *mut libc::c_void)
                                            -> *mut core::AppLayerDecoderEvents
 {
-    let state = cast_pointer!(state, DHCPState);
-    match state.get_tx(tx_id) {
-        Some(tx) => tx.events,
-        _        => std::ptr::null_mut(),
-    }
+    let tx = cast_pointer!(tx, DHCPTransaction);
+    return tx.events;
 }
 
 #[no_mangle]
index 67f6ceb8fdd3d28ad6059d513613d227b9a7a47f..20dea35ba71f7e66284721f7e9d38c118b9a4093 100644 (file)
@@ -745,18 +745,11 @@ pub extern "C" fn rs_dns_state_get_tx_detect_state(
 }
 
 #[no_mangle]
-pub extern "C" fn rs_dns_state_get_events(state: &mut DNSState,
-                                          tx_id: u64)
+pub extern "C" fn rs_dns_state_get_events(tx: *mut libc::c_void)
                                           -> *mut core::AppLayerDecoderEvents
 {
-    match state.get_tx(tx_id) {
-        Some(tx) => {
-            return tx.events;
-        }
-        _ => {
-            return std::ptr::null_mut();
-        }
-    }
+    let tx = cast_pointer!(tx, DNSTransaction);
+    return tx.events;
 }
 
 #[no_mangle]
index c8b8b3d2e829d4a36f6939b75e634ed47f10af76..00ffdb8851046c67e4c6ab7d39c66344906ffb4b 100644 (file)
@@ -571,15 +571,11 @@ pub extern "C" fn rs_ikev2_state_get_tx_detect_state(
 
 
 #[no_mangle]
-pub extern "C" fn rs_ikev2_state_get_events(state: *mut libc::c_void,
-                                          tx_id: u64)
+pub extern "C" fn rs_ikev2_state_get_events(tx: *mut libc::c_void)
                                           -> *mut core::AppLayerDecoderEvents
 {
-    let state = cast_pointer!(state,IKEV2State);
-    match state.get_tx_by_id(tx_id) {
-        Some(tx) => tx.events,
-        _        => std::ptr::null_mut(),
-    }
+    let tx = cast_pointer!(tx, IKEV2Transaction);
+    return tx.events;
 }
 
 #[no_mangle]
index ed551497bbc3b26bb40b1d3041c8b338bc6ffa91..d408949e2474c7ee9037eb9aa4c995bcb3267385 100644 (file)
@@ -367,15 +367,11 @@ pub extern "C" fn rs_krb5_state_get_tx_detect_state(
 
 
 #[no_mangle]
-pub extern "C" fn rs_krb5_state_get_events(state: *mut libc::c_void,
-                                          tx_id: u64)
+pub extern "C" fn rs_krb5_state_get_events(tx: *mut libc::c_void)
                                           -> *mut core::AppLayerDecoderEvents
 {
-    let state = cast_pointer!(state,KRB5State);
-    match state.get_tx_by_id(tx_id) {
-        Some(tx) => tx.events,
-        _        => std::ptr::null_mut(),
-    }
+    let tx = cast_pointer!(tx, KRB5Transaction);
+    return tx.events;
 }
 
 #[no_mangle]
index 2edae5930518e79cd40df92d27760352c84fdd06..fdea7008fbd15af850c085a4521dcb7989480300 100644 (file)
@@ -1589,18 +1589,11 @@ pub extern "C" fn rs_nfs_tx_get_detect_flags(
 }
 
 #[no_mangle]
-pub extern "C" fn rs_nfs_state_get_events(state: &mut NFSState,
-                                          tx_id: u64)
+pub extern "C" fn rs_nfs_state_get_events(tx: *mut libc::c_void)
                                           -> *mut AppLayerDecoderEvents
 {
-    match state.get_tx_by_id(tx_id) {
-        Some(tx) => {
-            return tx.events;
-        }
-        _ => {
-            return std::ptr::null_mut();
-        }
-    }
+    let tx = cast_pointer!(tx, NFSTransaction);
+    return tx.events;
 }
 
 #[no_mangle]
index 7b681b7b87b69fd9bb790964917ab25d38f9c5e9..2af9e288bde3f3bdc8a8e2bd2e6ed840b4a204e4 100644 (file)
@@ -304,15 +304,11 @@ pub extern "C" fn rs_ntp_state_get_tx_detect_state(
 
 
 #[no_mangle]
-pub extern "C" fn rs_ntp_state_get_events(state: *mut libc::c_void,
-                                          tx_id: u64)
+pub extern "C" fn rs_ntp_state_get_events(tx: *mut libc::c_void)
                                           -> *mut core::AppLayerDecoderEvents
 {
-    let state = cast_pointer!(state,NTPState);
-    match state.get_tx_by_id(tx_id) {
-        Some(tx) => tx.events,
-        _        => std::ptr::null_mut(),
-    }
+    let tx = cast_pointer!(tx, NTPTransaction);
+    return tx.events;
 }
 
 #[no_mangle]
index e304dead2352eab5d9fbf484b3f901ffeac2eba3..6a760323dc084c5837bab1cb49e88bece7731965 100644 (file)
@@ -137,7 +137,7 @@ pub type StateGetProgressFn = extern "C" fn (*mut c_void, u8) -> c_int;
 pub type GetDetectStateFn   = extern "C" fn (*mut c_void) -> *mut DetectEngineState;
 pub type SetDetectStateFn   = extern "C" fn (*mut c_void, &mut DetectEngineState) -> c_int;
 pub type GetEventInfoFn     = extern "C" fn (*const c_char, *mut c_int, *mut AppLayerEventType) -> c_int;
-pub type GetEventsFn        = extern "C" fn (*mut c_void, u64) -> *mut AppLayerDecoderEvents;
+pub type GetEventsFn        = extern "C" fn (*mut c_void) -> *mut AppLayerDecoderEvents;
 pub type GetTxLoggedFn      = extern "C" fn (*mut c_void, *mut c_void) -> u32;
 pub type SetTxLoggedFn      = extern "C" fn (*mut c_void, *mut c_void, u32);
 pub type LocalStorageNewFn  = extern "C" fn () -> *mut c_void;
index 35239d617461186548e42469cdde16eb1217955c..ad3dd4ee918bc6e050c00bbb54204ec83215e1dc 100644 (file)
@@ -2104,18 +2104,11 @@ pub extern "C" fn rs_smb_state_truncate(
 }
 
 #[no_mangle]
-pub extern "C" fn rs_smb_state_get_events(state: &mut SMBState,
-                                          tx_id: u64)
+pub extern "C" fn rs_smb_state_get_events(tx: *mut libc::c_void)
                                           -> *mut AppLayerDecoderEvents
 {
-    match state.get_tx_by_id(tx_id) {
-        Some(tx) => {
-            return tx.events;
-        }
-        _ => {
-            return std::ptr::null_mut();
-        }
-    }
+    let tx = cast_pointer!(tx, SMBTransaction);
+    return tx.events;
 }
 
 #[no_mangle]
index b1cf55f4d48348b2730f45dd959e5a8958ca4aa2..74997ed95703723af4a42d52ed7ca8314f4ab912 100644 (file)
@@ -1309,23 +1309,9 @@ error:
     SCReturnInt(-1);
 }
 
-static AppLayerDecoderEvents *DNP3GetEvents(void *state, uint64_t tx_id)
+static AppLayerDecoderEvents *DNP3GetEvents(void *tx)
 {
-    DNP3State *dnp3 = state;
-    DNP3Transaction *tx;
-    uint64_t tx_num = tx_id + 1;
-
-    if (dnp3->curr && dnp3->curr->tx_num == tx_num) {
-        return dnp3->curr->decoder_events;
-    }
-
-    TAILQ_FOREACH(tx, &dnp3->tx_list, next) {
-        if (tx->tx_num == tx_num) {
-            return tx->decoder_events;
-        }
-    }
-
-    return NULL;
+    return ((DNP3Transaction *) tx)->decoder_events;
 }
 
 static void *DNP3GetTx(void *alstate, uint64_t tx_id)
index 85e4c61a30f30c44f0b163ede0df5a6de23a1af5..a402e7ccc6fe0868e93c1f8f6a2ff63b9fa5692c 100644 (file)
@@ -110,9 +110,9 @@ static int RustDNSSetTxDetectState(void *tx,
     return 0;
 }
 
-static AppLayerDecoderEvents *RustDNSGetEvents(void *state, uint64_t id)
+static AppLayerDecoderEvents *RustDNSGetEvents(void *tx)
 {
-    return rs_dns_state_get_events(state, id);
+    return rs_dns_state_get_events(tx);
 }
 
 void RegisterRustDNSTCPParsers(void)
@@ -170,6 +170,7 @@ void RegisterRustDNSTCPParsers(void)
         AppLayerParserRegisterGetStateProgressCompletionStatus(ALPROTO_DNS,
                 rs_dns_state_progress_completion_status);
         DNSAppLayerRegisterGetEventInfo(IPPROTO_TCP, ALPROTO_DNS);
+        DNSAppLayerRegisterGetEventInfoById(IPPROTO_TCP, ALPROTO_DNS);
 
         /* This parser accepts gaps. */
         AppLayerParserRegisterOptionFlags(IPPROTO_TCP, ALPROTO_DNS,
index b3e5c08ab24d0d52faa7000abed67c15fd0a752e..dba6bce3acad575ba5ba48216b5f17f5200b5386 100644 (file)
@@ -116,9 +116,9 @@ static uint64_t RustDNSGetDetectFlags(void *tx, uint8_t dir)
     return rs_dns_tx_get_detect_flags(tx, dir);
 }
 
-static AppLayerDecoderEvents *RustDNSGetEvents(void *state, uint64_t id)
+static AppLayerDecoderEvents *RustDNSGetEvents(void *tx)
 {
-    return rs_dns_state_get_events(state, id);
+    return rs_dns_state_get_events(tx);
 }
 
 void RegisterRustDNSUDPParsers(void)
@@ -183,6 +183,7 @@ void RegisterRustDNSUDPParsers(void)
                 rs_dns_state_progress_completion_status);
 
         DNSAppLayerRegisterGetEventInfo(IPPROTO_UDP, ALPROTO_DNS);
+        DNSAppLayerRegisterGetEventInfoById(IPPROTO_UDP, ALPROTO_DNS);
 
 #if 0
         DNSUDPConfigure();
index c4d27b4ea706dd65ebaed3acc0bd2c593c163b79..3a46ecfca911886af3e6306e1701db7206e53dd5 100644 (file)
@@ -112,20 +112,9 @@ static uint64_t ENIPGetTxCnt(void *alstate)
     return ((uint64_t) ((ENIPState *) alstate)->transaction_max);
 }
 
-static AppLayerDecoderEvents *ENIPGetEvents(void *state, uint64_t id)
+static AppLayerDecoderEvents *ENIPGetEvents(void *tx)
 {
-    ENIPState         *enip = (ENIPState *) state;
-    ENIPTransaction   *tx;
-
-    if (enip->curr && enip->curr->tx_num == (id + 1))
-        return enip->curr->decoder_events;
-
-    TAILQ_FOREACH(tx, &enip->tx_list, next) {
-        if (tx->tx_num == (id+1))
-            return tx->decoder_events;
-    }
-
-    return NULL;
+    return ((ENIPTransaction *)tx)->decoder_events;
 }
 
 static int ENIPStateGetEventInfo(const char *event_name, int *event_id, AppLayerEventType *event_type)
index 6e7cc6f0292598ab96b5d533af987dfa0f609fd1..a04196a74adfdbc021d452f26498ad68ec8778e3 100644 (file)
@@ -1264,7 +1264,8 @@ static int HTPFileParserTest08(void)
     }
 
     FLOWLOCK_WRLOCK(f);
-    AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP,f->alstate, 0);
+    void *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP,f->alstate, 0);
+    AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP, tx);
     if (decoder_events == NULL) {
         printf("no app events: ");
         FLOWLOCK_UNLOCK(f);
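Review bot: `tx` on the added line is the result of `AppLayerParserGetTx(..., 0)` and is passed straight to AppLayerParserGetEventsByTx without a NULL check; with the GetEvents callbacks in this commit dereferencing their argument, a test run that produced no HTTP transaction would now fault where it previously printed "no app events" and failed cleanly. Add a check before the call in the test's existing style: `if (tx == NULL) { printf("no tx: "); FLOWLOCK_UNLOCK(f); goto end; }`. The same pattern is in the three following hunks of this file and in the three test hunks of app-layer-htp.c, the first of which can use `FAIL_IF_NULL(txtmp);` to match the FAIL_IF style used there. HTPFileParserTest08 starts and ends outside the hunk.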
@@ -1386,7 +1387,8 @@ static int HTPFileParserTest09(void)
     }
 
     FLOWLOCK_WRLOCK(f);
-    AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP,f->alstate, 0);
+    void *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP,f->alstate, 0);
+    AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP, tx);
     if (decoder_events == NULL) {
         printf("no app events: ");
         FLOWLOCK_UNLOCK(f);
@@ -1506,7 +1508,8 @@ static int HTPFileParserTest10(void)
     }
 
     FLOWLOCK_WRLOCK(f);
-    AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP,f->alstate, 0);
+    void *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP,f->alstate, 0);
+    AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP, tx);
     if (decoder_events != NULL) {
         printf("app events: ");
         FLOWLOCK_UNLOCK(f);
@@ -1644,7 +1647,8 @@ static int HTPFileParserTest11(void)
     }
 
     FLOWLOCK_WRLOCK(f);
-    AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP,f->alstate, 0);
+    void *txtmp = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP,f->alstate, 0);
+    AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP, txtmp);
     if (decoder_events != NULL) {
         printf("app events: ");
         FLOWLOCK_UNLOCK(f);
index 6c75c0e6d9924269ba652a18e6419070c3df857f..539570a169695cc5aba872c20c190711c0a5ca36 100644 (file)
@@ -287,19 +287,16 @@ static void HTPSetEvent(HtpState *s, HtpTxUserData *htud, uint8_t e)
     SCLogDebug("couldn't set event %u", e);
 }
 
-static AppLayerDecoderEvents *HTPGetEvents(void *state, uint64_t tx_id)
+static AppLayerDecoderEvents *HTPGetEvents(void *tx)
 {
-    SCLogDebug("get HTTP events for TX %"PRIu64, tx_id);
+    SCLogDebug("get HTTP events for TX %p", tx);
 
-    HtpState *s = (HtpState *)state;
-    htp_tx_t *tx = HTPStateGetTx(s, tx_id);
-    if (tx != NULL) {
-        HtpTxUserData *htud = (HtpTxUserData *) htp_tx_get_user_data(tx);
-        if (htud != NULL) {
-            SCLogDebug("has htud, htud->decoder_events %p", htud->decoder_events);
-            return htud->decoder_events;
-        }
+    HtpTxUserData *htud = (HtpTxUserData *) htp_tx_get_user_data(tx);
+    if (htud != NULL) {
+        SCLogDebug("has htud, htud->decoder_events %p", htud->decoder_events);
+        return htud->decoder_events;
     }
+
     return NULL;
 }
 
@@ -6139,7 +6136,8 @@ libhtp:\n\
     FAIL_IF(tx->request_method_number != HTP_M_GET);
     FAIL_IF(tx->request_protocol_number != HTP_PROTOCOL_1_1);
 
-    AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP,f->alstate, 0);
+    void *txtmp = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP,f->alstate, 0);
+    AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP, txtmp);
     FAIL_IF_NULL(decoder_events);
 
     FAIL_IF(decoder_events->events[0] != HTTP_DECODER_EVENT_REQUEST_FIELD_TOO_LONG);
@@ -6256,7 +6254,8 @@ libhtp:\n\
     }
 
     FLOWLOCK_WRLOCK(f);
-    AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP,f->alstate, 0);
+    void *txtmp = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP,f->alstate, 0);
+    AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP, txtmp);
     if (decoder_events != NULL) {
         printf("app events: ");
         FLOWLOCK_UNLOCK(f);
@@ -6338,7 +6337,8 @@ static int HTPParserTest16(void)
     }
 
     FLOWLOCK_WRLOCK(f);
-    AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP,f->alstate, 0);
+    void *txtmp = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP,f->alstate, 0);
+    AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP, txtmp);
     if (decoder_events == NULL) {
         printf("no app events: ");
         FLOWLOCK_UNLOCK(f);
index 3a5d9276f8dace2ee27acce975e18955bd84cb3e..5c55614f7b441f0ecb9e611b003cbb20f043e889 100644 (file)
@@ -214,20 +214,9 @@ static void ModbusSetEvent(ModbusState *modbus, uint8_t e)
         SCLogDebug("couldn't set event %u", e);
 }
 
-static AppLayerDecoderEvents *ModbusGetEvents(void *state, uint64_t id)
+static AppLayerDecoderEvents *ModbusGetEvents(void *tx)
 {
-    ModbusState         *modbus = (ModbusState *) state;
-    ModbusTransaction   *tx;
-
-    if (modbus->curr && modbus->curr->tx_num == (id + 1))
-        return modbus->curr->decoder_events;
-
-    TAILQ_FOREACH(tx, &modbus->tx_list, next) {
-        if (tx->tx_num == (id+1))
-            return tx->decoder_events;
-    }
-
-    return NULL;
+    return ((ModbusTransaction *)tx)->decoder_events;
 }
 
 static int ModbusGetAlstateProgress(void *modbus_tx, uint8_t direction)
index 1fe61e2cb2eea4ca36069ac2c2c67d084c634190..ffa81a2a07e5178c01b3ce50c9069787f2af36cf 100644 (file)
@@ -101,9 +101,17 @@ static int NFSTCPStateGetEventInfo(const char *event_name, int *event_id,
     return rs_nfs_state_get_event_info(event_name, event_id, event_type);
 }
 
-static AppLayerDecoderEvents *NFSTCPGetEvents(void *state, uint64_t id)
+static int NFSTCPStateGetEventInfoById(int event_id, const char **event_name,
+    AppLayerEventType *event_type)
 {
-    return rs_nfs_state_get_events(state, id);
+    *event_name = "NFS TCP event name (generic)";
+    *event_type = APP_LAYER_EVENT_TYPE_TRANSACTION;
+    return 0;
+}
+
+static AppLayerDecoderEvents *NFSTCPGetEvents(void *tx)
+{
+    return rs_nfs_state_get_events(tx);
 }
 
 /**
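Review bot: `NFSTCPStateGetEventInfoById` returns 0 with the constant name `"NFS TCP event name (generic)"` for every `event_id`, so each NFS anomaly record carries the same label and an operator cannot tell the events apart or recognise an id the parser does not define; the numeric id is not logged either. NFSStateGetEventInfoById in the NFS UDP hunk and SMBGetEventInfoById in the SMB hunk have the same shape. If real names are not yet wired through, mark the stub, e.g. `/* TODO: map event_id to the names known to rs_nfs_state_get_event_info; every id is currently logged under one generic label */`, and consider returning -1 for ids that are not known so the logger takes its "unknown" branch instead of emitting a misleading name.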
@@ -378,6 +386,10 @@ void RegisterNFSTCPParsers(void)
 
         AppLayerParserRegisterGetEventInfo(IPPROTO_TCP, ALPROTO_NFS,
                 NFSTCPStateGetEventInfo);
+
+        AppLayerParserRegisterGetEventInfoById(IPPROTO_TCP, ALPROTO_NFS,
+                NFSTCPStateGetEventInfoById);
+
         AppLayerParserRegisterGetEventsFunc(IPPROTO_TCP, ALPROTO_NFS,
                 NFSTCPGetEvents);
 
index 5cc58965a3137d91886bb95f7438c3cfb355ebbf..3ae311809005290d6aee087484639c904912aadb 100644 (file)
@@ -98,9 +98,17 @@ static int NFSStateGetEventInfo(const char *event_name, int *event_id,
     return rs_nfs_state_get_event_info(event_name, event_id, event_type);
 }
 
-static AppLayerDecoderEvents *NFSGetEvents(void *state, uint64_t id)
+static int NFSStateGetEventInfoById(int event_id, const char **event_name,
+    AppLayerEventType *event_type)
 {
-    return rs_nfs_state_get_events(state, id);
+    *event_name = "NFS UDP event name (generic)";
+    *event_type = APP_LAYER_EVENT_TYPE_TRANSACTION;
+    return 0;
+}
+
+static AppLayerDecoderEvents *NFSGetEvents(void *tx)
+{
+    return rs_nfs_state_get_events(tx);
 }
 
 /**
@@ -338,6 +346,10 @@ void RegisterNFSUDPParsers(void)
 
         AppLayerParserRegisterGetEventInfo(IPPROTO_UDP, ALPROTO_NFS,
             NFSStateGetEventInfo);
+
+        AppLayerParserRegisterGetEventInfoById(IPPROTO_UDP, ALPROTO_NFS,
+            NFSStateGetEventInfoById);
+
         AppLayerParserRegisterGetEventsFunc(IPPROTO_UDP, ALPROTO_NFS,
             NFSGetEvents);
 
index dcca37ff1b7ae5ecb053fe73cc251ad86237e11f..988bdef911789acd3149dc55940bdfa9fe53f289 100644 (file)
@@ -103,7 +103,7 @@ typedef struct AppLayerParserProtoCtx_
 
     void (*Truncate)(void *, uint8_t);
     FileContainer *(*StateGetFiles)(void *, uint8_t);
-    AppLayerDecoderEvents *(*StateGetEvents)(void *, uint64_t);
+    AppLayerDecoderEvents *(*StateGetEvents)(void *);
 
     int (*StateGetProgress)(void *alstate, uint8_t direction);
     uint64_t (*StateGetTxCnt)(void *alstate);
@@ -433,7 +433,7 @@ void AppLayerParserRegisterGetFilesFunc(uint8_t ipproto, AppProto alproto,
 }
 
 void AppLayerParserRegisterGetEventsFunc(uint8_t ipproto, AppProto alproto,
-    AppLayerDecoderEvents *(*StateGetEvents)(void *, uint64_t))
+    AppLayerDecoderEvents *(*StateGetEvents)(void *))
 {
     SCEnter();
 
@@ -844,7 +844,7 @@ void AppLayerParserSetDecoderEvents(AppLayerParserState *pstate, AppLayerDecoder
 }
 
 AppLayerDecoderEvents *AppLayerParserGetEventsByTx(uint8_t ipproto, AppProto alproto,
-                                        void *alstate, uint64_t tx_id)
+                                        void *tx)
 {
     SCEnter();
 
@@ -854,7 +854,7 @@ AppLayerDecoderEvents *AppLayerParserGetEventsByTx(uint8_t ipproto, AppProto alp
         StateGetEvents != NULL)
     {
         ptr = alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].
-            StateGetEvents(alstate, tx_id);
+            StateGetEvents(tx);
     }
 
     SCReturnPtr(ptr, "AppLayerDecoderEvents *");
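Review bot: `StateGetEvents(tx)` on the replaced line forwards `tx` to the registered callback without checking it, and the callbacks in this commit (the Rust `cast_pointer!` wrappers, DNP3, ENIP, Modbus, SMTP, Template) dereference it unconditionally, so this dispatcher is now the one place where a NULL transaction could still be rejected before it faults. If the intent is that callers never pass NULL — the app-layer-parser.h hunk adds `__attribute__((nonnull))` for the callback — that contract should be stated on AppLayerParserGetEventsByTx too, e.g. `/* tx must be non-NULL: the per-protocol GetEvents callbacks no longer look it up and dereference it directly */`; otherwise add `tx != NULL &&` as the first operand of the `if` condition (its opening line is above this hunk) so a missing transaction yields NULL as it did before. AppLayerParserGetEventsByTx continues outside the hunk.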
index 74320b17261d6b6bb1476e560a481aa3ca53881c..6f67b0b881688fe5727d722aefc15cac2f303ba7 100644 (file)
@@ -138,7 +138,7 @@ void AppLayerParserRegisterLocalStorageFunc(uint8_t ipproto, AppProto proto,
 void AppLayerParserRegisterGetFilesFunc(uint8_t ipproto, AppProto alproto,
                              FileContainer *(*StateGetFiles)(void *, uint8_t));
 void AppLayerParserRegisterGetEventsFunc(uint8_t ipproto, AppProto proto,
-    AppLayerDecoderEvents *(*StateGetEvents)(void *, uint64_t));
+    AppLayerDecoderEvents *(*StateGetEvents)(void *) __attribute__((nonnull)));
 void AppLayerParserRegisterLoggerFuncs(uint8_t ipproto, AppProto alproto,
                          LoggerId (*StateGetTxLogged)(void *, void *),
                          void (*StateSetTxLogged)(void *, void *, LoggerId));
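Review bot: The `__attribute__((nonnull))` added to the `StateGetEvents` parameter on the changed line is absent from the definition in app-layer-parser.c (its `@@ -433,7 +433,7 @@` hunk declares the parameter without it), so declaration and definition disagree, and it is not clear whether the attribute is meant for the callback's `void *` argument or for the function-pointer parameter of AppLayerParserRegisterGetEventsFunc; placed on a parameter declarator it may be ignored or attach to the pointed-to function type, depending on the compiler. If the goal is "callbacks never receive a NULL transaction", say so next to the prototype, e.g. `/* StateGetEvents is called with a transaction pointer, never with NULL */`, and enforce it where AppLayerParserGetEventsByTx dispatches rather than relying on an attribute the definition does not carry.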
@@ -200,8 +200,7 @@ void AppLayerParserSetTransactionInspectId(const Flow *f, AppLayerParserState *p
 
 AppLayerDecoderEvents *AppLayerParserGetDecoderEvents(AppLayerParserState *pstate);
 void AppLayerParserSetDecoderEvents(AppLayerParserState *pstate, AppLayerDecoderEvents *devents);
-AppLayerDecoderEvents *AppLayerParserGetEventsByTx(uint8_t ipproto, AppProto alproto, void *alstate,
-                                        uint64_t tx_id);
+AppLayerDecoderEvents *AppLayerParserGetEventsByTx(uint8_t ipproto, AppProto alproto, void *tx);
 FileContainer *AppLayerParserGetFiles(uint8_t ipproto, AppProto alproto,
                            void *alstate, uint8_t direction);
 int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto,
index c7bb7d4e39f9af4910c7bf6ce524ccc9a85b0589..647da56c1b51362363df79531e07d0b99325e257 100644 (file)
@@ -54,7 +54,7 @@ typedef struct AppLayerParser {
     DetectEngineState *(*GetTxDetectState)(void *tx);
     int (*SetTxDetectState)(void *tx, DetectEngineState *);
 
-    AppLayerDecoderEvents *(*StateGetEvents)(void *, uint64_t);
+    AppLayerDecoderEvents *(*StateGetEvents)(void *);
     int (*StateGetEventInfo)(const char *event_name,
                              int *event_id, AppLayerEventType *event_type);
 
index 5146d592622057d3f9390dd6afcfa1b3cf7bdd00..95d5a58926f597efe3bdd200774494e3cac13a68 100644 (file)
@@ -186,9 +186,17 @@ static FileContainer *SMBGetFiles(void *state, uint8_t direction)
     return rs_smb_getfiles(direction, state);
 }
 
-static AppLayerDecoderEvents *SMBGetEvents(void *state, uint64_t id)
+static AppLayerDecoderEvents *SMBGetEvents(void *tx)
 {
-    return rs_smb_state_get_events(state, id);
+    return rs_smb_state_get_events(tx);
+}
+
+static int SMBGetEventInfoById(int event_id, const char **event_name,
+    AppLayerEventType *event_type)
+{
+    *event_name = "SMB event name (generic)";
+    *event_type = APP_LAYER_EVENT_TYPE_TRANSACTION;
+    return 0;
 }
 
 static int SMBGetEventInfo(const char *event_name, int *event_id,
@@ -302,6 +310,8 @@ void RegisterSMBParsers(void)
                 SMBGetEvents);
         AppLayerParserRegisterGetEventInfo(IPPROTO_TCP, ALPROTO_SMB,
                 SMBGetEventInfo);
+        AppLayerParserRegisterGetEventInfoById(IPPROTO_TCP, ALPROTO_SMB,
+                SMBGetEventInfoById);
 
         AppLayerParserRegisterDetectStateFuncs(IPPROTO_TCP, ALPROTO_SMB,
                 SMBGetTxDetectState, SMBSetTxDetectState);
index f7525b24f83315936fdf97e5b45908f37ea33c21..73ad7141d0baf2713a89a543e35dfa81e864839a 100644 (file)
@@ -1705,15 +1705,11 @@ static void SMTPStateTruncate(void *state, uint8_t direction)
     }
 }
 
-static AppLayerDecoderEvents *SMTPGetEvents(void *state, uint64_t tx_id)
+static AppLayerDecoderEvents *SMTPGetEvents(void *tx)
 {
-    SCLogDebug("get SMTP events for TX %"PRIu64, tx_id);
+    SCLogDebug("get SMTP events for TX %p", tx);
 
-    SMTPTransaction *tx = SMTPStateGetTx(state, tx_id);
-    if (tx != NULL) {
-        return tx->decoder_events;
-    }
-    return NULL;
+    return ((SMTPTransaction *)tx)->decoder_events;
 }
 
 static DetectEngineState *SMTPGetTxDetectState(void *vtx)
index 03fa785c652c7b935f1ea764b05bfdedaf1773de..ea384c8d1eb1619e1838177670c40540666d188b 100644 (file)
@@ -164,9 +164,10 @@ void SSLSetEvent(SSLState *ssl_state, uint8_t event)
     ssl_state->events++;
 }
 
-static AppLayerDecoderEvents *SSLGetEvents(void *state, uint64_t id)
+static AppLayerDecoderEvents *SSLGetEvents(void *tx)
 {
-    SSLState *ssl_state = (SSLState *)state;
+    /* for TLS, TX == state, see GetTx */
+    SSLState *ssl_state = (SSLState *)tx;
     return ssl_state->decoder_events;
 }
 
index 9e8cfeadf68fbd18a52528e74ff0e75245037f0b..dd0fd203d73c3c1610176acd51ea232b520a5b1a 100644 (file)
@@ -190,18 +190,9 @@ static int TemplateStateGetEventInfoById(int event_id, const char **event_name,
     return 0;
 }
 
-static AppLayerDecoderEvents *TemplateGetEvents(void *statev, uint64_t tx_id)
+static AppLayerDecoderEvents *TemplateGetEvents(void *tx)
 {
-    TemplateState *state = statev;
-    TemplateTransaction *tx;
-
-    TAILQ_FOREACH(tx, &state->tx_list, next) {
-        if (tx->tx_id == tx_id) {
-            return tx->decoder_events;
-        }
-    }
-
-    return NULL;
+    return ((TemplateTransaction *)tx)->decoder_events;
 }
 
 /**
index 22ce1d2992023949a604bc5b35c360b465f58d2a..bac605d4675b9f1a320dbe97e1c2b80e9dc95752 100644 (file)
@@ -72,7 +72,7 @@ static int TFTPStateGetEventInfo(const char *event_name, int *event_id,
     return -1;
 }
 
-static AppLayerDecoderEvents *TFTPGetEvents(void *state, uint64_t tx_id)
+static AppLayerDecoderEvents *TFTPGetEvents(void *tx)
 {
     return NULL;
 }
index 37c01bdaec0bba2f380a13412ff25bbcec2b6e2a..092ab0bc1feecb1022cd1a446608ea8fc2f786b7 100644 (file)
@@ -95,7 +95,7 @@ static int DetectEngineAptEventInspect(ThreadVars *tv,
     DetectAppLayerEventData *aled = NULL;
 
     alproto = f->alproto;
-    decoder_events = AppLayerParserGetEventsByTx(f->proto, alproto, alstate, tx_id);
+    decoder_events = AppLayerParserGetEventsByTx(f->proto, alproto, tx);
     if (decoder_events == NULL)
         goto end;
 
index 0a9f7f92a66a2b5bf7182ee7a6a27b28a65ab320..e9b64af5b37ee38a4986203ea9a0828cce229533 100644 (file)
@@ -137,7 +137,7 @@ static int AnomalyDecodeEventJson(ThreadVars *tv, JsonAnomalyLogThread *aft,
 
 static int AnomalyAppLayerDecoderEventJson(JsonAnomalyLogThread *aft,
                         const Packet *p, AppLayerDecoderEvents *decoder_events,
-                        bool is_applayer, const char *layer, uint64_t tx_id)
+                        bool is_pktlayer, const char *layer, uint64_t tx_id)
 {
     const char *alprotoname = AppLayerGetProtoName(p->flow->alproto);
 
@@ -168,28 +168,20 @@ static int AnomalyAppLayerDecoderEventJson(JsonAnomalyLogThread *aft,
 
         JsonAddCommonOptions(&aft->json_output_ctx->cfg, p, p->flow, js);
 
-        /* Use app layer proto name if available */
-        if (alprotoname) {
-            json_object_set_new(ajs, "alproto", json_string(alprotoname));
-        } else {
-            json_object_set_new(ajs, "alproto",
-                p->flow ? json_integer(p->flow->alproto) : json_string("unknown"));
-        }
+        json_object_set_new(js, "app_proto", json_string(alprotoname));
 
         const char *event_name = NULL;
         uint8_t event_code = decoder_events->events[i];
         AppLayerEventType event_type;
         int r;
-        if (is_applayer) {
+        if (is_pktlayer) {
             r = AppLayerGetEventInfoById(event_code, &event_name, &event_type);
         } else {
             r = AppLayerParserGetEventInfoById(p->flow->proto, p->flow->alproto,
                                                event_code, &event_name, &event_type);
         }
         if (r == 0) {
-            json_object_set_new(ajs, "type",
-                        json_string(event_type == APP_LAYER_EVENT_TYPE_TRANSACTION ?
-                                    "transaction" : "packet"));
+            json_object_set_new(ajs, "type", json_string("applayer"));
             json_object_set_new(ajs, "event", json_string(event_name));
         } else {
             json_object_set_new(ajs, "type", json_string("unknown"));
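Review bot: The replaced `json_object_set_new(js, "app_proto", json_string(alprotoname))` drops the NULL guard the removed lines had for `alprotoname`; if AppLayerGetProtoName can return NULL (the removed `else` branch assumed it can), jansson's `json_string(NULL)` yields NULL and the key is silently omitted instead of being recorded as "unknown". Keep the fallback on one line: `json_object_set_new(js, "app_proto", json_string(alprotoname ? alprotoname : "unknown"));`. Note also that the field moves from `ajs.alproto` to the top-level `app_proto`, and `type` is now the constant `"applayer"` so `event_type` is fetched but no longer read — both are consumer-visible schema changes worth a line in the commit message or the eve documentation.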
@@ -220,15 +212,13 @@ static int AnomalyAppLayerDecoderEventJson(JsonAnomalyLogThread *aft,
 static int JsonAnomalyTxLogger(ThreadVars *tv, void *thread_data, const Packet *p,
                                Flow *f, void *state, void *tx, uint64_t tx_id)
 {
-    JsonAnomalyLogThread *aft = thread_data;
-    uint8_t proto = f->proto;
-    AppProto alproto = f->alproto;
     AppLayerDecoderEvents *decoder_events;
-    decoder_events = AppLayerParserGetEventsByTx(proto, alproto, state, tx_id);
-    if (decoder_events && (decoder_events->event_last_logged < decoder_events->cnt)) {
+    decoder_events = AppLayerParserGetEventsByTx(f->proto, f->alproto, tx);
+    if (decoder_events && decoder_events->event_last_logged < decoder_events->cnt) {
         SCLogDebug("state %p, tx: %p, tx_id: %"PRIu64, state, tx, tx_id);
+        JsonAnomalyLogThread *aft = thread_data;
         AnomalyAppLayerDecoderEventJson(aft, p, decoder_events, false,
-                                        "applayer_parser", tx_id);
+                                        "proto_parser", tx_id);
     }
     return TM_ECODE_OK;
 }
@@ -239,6 +229,11 @@ static inline bool AnomalyHasParserEvents(const Packet *p)
             AppLayerParserHasDecoderEvents(p->flow->alparser));
 }
 
+static inline bool AnomalyHasPacketAppLayerEvents(const Packet *p)
+{
+    return p->app_layer_events && p->app_layer_events->cnt;
+}
+
 static int AnomalyJson(ThreadVars *tv, JsonAnomalyLogThread *aft, const Packet *p)
 {
 
@@ -249,9 +244,9 @@ static int AnomalyJson(ThreadVars *tv, JsonAnomalyLogThread *aft, const Packet *
     }
 
     /* app layer events */
-    if (rc == TM_ECODE_OK && p->app_layer_events && p->app_layer_events->cnt) {
+    if (rc == TM_ECODE_OK && AnomalyHasPacketAppLayerEvents(p)) {
         rc = AnomalyAppLayerDecoderEventJson(aft, p, p->app_layer_events,
-                                             true, "app_layer", TX_ID_UNUSED);
+                                             true, "proto_detect", TX_ID_UNUSED);
     }
 
     /* parser state events */
@@ -275,7 +270,9 @@ static int JsonAnomalyLogger(ThreadVars *tv, void *thread_data, const Packet *p)
 
 static int JsonAnomalyLogCondition(ThreadVars *tv, const Packet *p)
 {
-    return p->events.cnt > 0 || p->app_layer_events || AnomalyHasParserEvents(p);
+    return p->events.cnt > 0 ||
+           (p->app_layer_events && p->app_layer_events->cnt > 0) ||
+           AnomalyHasParserEvents(p);
 }
 
 #define OUTPUT_BUFFER_SIZE 65535
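Review bot: The new condition spells out `(p->app_layer_events && p->app_layer_events->cnt > 0)` although the hunk above introduces `AnomalyHasPacketAppLayerEvents(p)` for exactly that test and AnomalyJson already calls it; using the helper here keeps the two checks from drifting apart: `AnomalyHasPacketAppLayerEvents(p) ||`. Tightening the old `p->app_layer_events` test to require `cnt > 0` is the right fix, since a non-NULL but empty event list no longer triggers the logger.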
@@ -323,16 +320,6 @@ static TmEcode JsonAnomalyLogThreadDeinit(ThreadVars *t, void *data)
     return TM_ECODE_OK;
 }
 
-static void JsonAnomalyLogDeInitCtx(OutputCtx *output_ctx)
-{
-    AnomalyJsonOutputCtx *json_output_ctx = (AnomalyJsonOutputCtx *) output_ctx->data;
-    if (json_output_ctx != NULL) {
-        LogFileFreeCtx(json_output_ctx->file_ctx);
-        SCFree(json_output_ctx);
-    }
-    SCFree(output_ctx);
-}
-
 static void JsonAnomalyLogDeInitCtxSub(OutputCtx *output_ctx)
 {
     SCLogDebug("cleaning up sub output_ctx %p", output_ctx);
@@ -369,50 +356,6 @@ static void JsonAnomalyLogConf(AnomalyJsonOutputCtx *json_output_ctx,
     json_output_ctx->flags |= flags;
 }
 
-/**
- * \brief Create a new LogFileCtx for "fast" output style.
- * \param conf The configuration node for this output.
- * \return A LogFileCtx pointer on success, NULL on failure.
- */
-static OutputInitResult JsonAnomalyLogInitCtx(ConfNode *conf)
-{
-    OutputInitResult result = { NULL, false };
-    AnomalyJsonOutputCtx *json_output_ctx = NULL;
-    LogFileCtx *logfile_ctx = LogFileNewCtx();
-    if (logfile_ctx == NULL) {
-        SCLogDebug("JsonAnomalyLogInitCtx: Could not create new LogFileCtx");
-        return result;
-    }
-
-    if (SCConfLogOpenGeneric(conf, logfile_ctx, DEFAULT_LOG_FILENAME, 1) < 0) {
-        LogFileFreeCtx(logfile_ctx);
-        return result;
-    }
-
-    OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
-    if (unlikely(output_ctx == NULL)) {
-        LogFileFreeCtx(logfile_ctx);
-        return result;
-    }
-
-    json_output_ctx = SCCalloc(1, sizeof(AnomalyJsonOutputCtx));
-    if (unlikely(json_output_ctx == NULL)) {
-        LogFileFreeCtx(logfile_ctx);
-        SCFree(output_ctx);
-        return result;
-    }
-
-    json_output_ctx->file_ctx = logfile_ctx;
-    JsonAnomalyLogConf(json_output_ctx, conf);
-
-    output_ctx->data = json_output_ctx;
-    output_ctx->DeInit = JsonAnomalyLogDeInitCtx;
-
-    result.ctx = output_ctx;
-    result.ok = true;
-    return result;
-}
-
 /**
  * \brief Create a new LogFileCtx for "fast" output style.
  * \param conf The configuration node for this output.
@@ -452,10 +395,6 @@ error:
 
 void JsonAnomalyLogRegister (void)
 {
-    OutputRegisterPacketModule(LOGGER_JSON_ANOMALY, MODULE_NAME, "anomaly-json-log",
-        JsonAnomalyLogInitCtx, JsonAnomalyLogger, JsonAnomalyLogCondition,
-        JsonAnomalyLogThreadInit, JsonAnomalyLogThreadDeinit, NULL);
-
     OutputRegisterPacketSubModule(LOGGER_JSON_ANOMALY, "eve-log", MODULE_NAME,
         "eve-log.anomaly", JsonAnomalyLogInitCtxSub, JsonAnomalyLogger,
         JsonAnomalyLogCondition, JsonAnomalyLogThreadInit, JsonAnomalyLogThreadDeinit,