From: Mike Stepanek (mstepane)
Date: Wed, 14 Jul 2021 18:41:54 +0000 (+0000)
Subject: Merge pull request #2977 in SNORT/snort3 from ~SHASLAD/snort3:revert_events_id to...
X-Git-Tag: 3.1.8.0~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2dd1b1ac7cfc80603d3b7c83a124ff37847eed8a;p=thirdparty%2Fsnort3.git
Merge pull request #2977 in SNORT/snort3 from ~SHASLAD/snort3:revert_events_id to master
Squashed commit of the following:
commit a12bc01526b3f1e930c421b398e0a8c82a6b4ab2
Author: Shashi Lad
Date: Wed Jul 14 13:36:03 2021 -0400
Revert "Merge pull request #2957 in SNORT/snort3 from ~STECHEW/snort3:events_id to master"
This reverts commit a77d77d7f24982b93672b385daef92a9304eec3e.
---
diff --git a/src/detection/detect.cc b/src/detection/detect.cc
index 5f47cc84b..205617dd8 100644
--- a/src/detection/detect.cc
+++ b/src/detection/detect.cc
@@ -65,7 +65,7 @@ bool snort_log(Packet* p)
 void CallLogFuncs(Packet* p, ListHead* head, Event* event, const char* msg)
 {
- event->update_event_id(p->context->conf->get_event_log_id());
+ event->event_id = event_id | p->context->conf->get_event_log_id();
 DetectionEngine::set_check_tags(false);
 pc.log_pkts++;
@@ -82,7 +82,8 @@ void CallLogFuncs(Packet* p, const OptTreeNode* otn, ListHead* head)
 event.sig_info = const_cast(&otn->sigInfo);
 event.ref_time.tv_sec = p->pkth->ts.tv_sec;
 event.ref_time.tv_usec = p->pkth->ts.tv_usec;
- event.update_event_id_and_ref(p->context->conf->get_event_log_id());
+ event.event_id = event_id | p->context->conf->get_event_log_id();
+ event.event_reference = event.event_id;
 DetectionEngine::set_check_tags(false);
 pc.log_pkts++;
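Review bot: `event->event_id = event_id | p->context->conf->get_event_log_id();` builds the id from a THREAD_LOCAL 16-bit counter and the configured log id only, so two packet threads that have emitted the same number of events produce identical event_id values, and one thread reuses ids after 65535 events; the same expression is repeated in the @@ -82 hunk below and in the @@ -98 hunk of CallAlertFuncs. The unified2 logger later in this diff appears to key extra-data and packet records on `event.event_id` together with `ref_time.tv_sec`, so a collision inside one second would attach records to the wrong alert. Since this is a revert the limitation is presumably accepted for now, but it should be stated at the first site, e.g. `// event_id is a per-packet-thread 16-bit counter: not unique across threads or after wrap`. Both CallLogFuncs bodies continue outside their hunks.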
@@ -98,7 +99,8 @@ void CallAlertFuncs(Packet* p, const OptTreeNode* otn, ListHead* head)
 event.sig_info = const_cast(&otn->sigInfo);
 event.ref_time.tv_sec = p->pkth->ts.tv_sec;
 event.ref_time.tv_usec = p->pkth->ts.tv_usec;
- event.update_event_id_and_ref(p->context->conf->get_event_log_id());
+ event.event_id = event_id | p->context->conf->get_event_log_id();
+ event.event_reference = event.event_id;
 pc.total_alert_pkts++;
diff --git a/src/detection/detection_util.cc b/src/detection/detection_util.cc
index 1c9c30753..e40d8a858 100644
--- a/src/detection/detection_util.cc
+++ b/src/detection/detection_util.cc
@@ -84,7 +84,7 @@ void EventTrace_Log(const Packet* p, const OptTreeNode* otn, Actions::Type actio
 TextLog_Print(tlog, "\nEvt=%u, Gid=%u, Sid=%u, Rev=%u, Act=%s\n",
- get_event_id(), otn->sigInfo.gid, otn->sigInfo.sid, otn->sigInfo.rev, acts.c_str());
+ event_id, otn->sigInfo.gid, otn->sigInfo.sid, otn->sigInfo.rev, acts.c_str());
 TextLog_Print(tlog, "Pkt=" STDu64 ", Sec=%lu.%6lu, Len=%u, Cap=%u\n",
diff --git a/src/detection/fp_detect.cc b/src/detection/fp_detect.cc
index 3b82f9c84..f7136e1d3 100644
--- a/src/detection/fp_detect.cc
+++ b/src/detection/fp_detect.cc
@@ -255,11 +255,11 @@ int fpLogEvent(const RuleTreeNode* rtn, const OptTreeNode* otn, Packet* p)
 otn->state[get_instance_id()].alerts++;
- incr_event_id();
+ event_id++;
 IpsAction * act = get_ips_policy()->action[action];
 act->exec(p, otn);
- SetTags(p, otn, get_event_id());
+ SetTags(p, otn, event_id);
 fpLogOther(p, rtn, otn, action);
diff --git a/src/detection/tag.cc b/src/detection/tag.cc
index fa7ed05f3..b8f2f5932 100644
--- a/src/detection/tag.cc
+++ b/src/detection/tag.cc
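Review bot: `event_id++;` in fpLogEvent advances the THREAD_LOCAL uint16_t counter that SetEvent in event.cc also advances with `++event_id`, so the sequence has two writers and only the FIXIT-M on the definition records that; a mirror comment here, `// also incremented by SetEvent() for tag events; see event.cc`, keeps the two sites discoverable from either end. The counter wraps silently to 0 after 65535 events on the thread, and the bare value is what `SetTags(p, otn, event_id);` stores for later tagged packets to reference, so a tag created after a wrap could point at a reused id; if that is accepted, the same comment should say so. fpLogEvent continues outside the hunk.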
@@ -544,7 +544,12 @@ int CheckTagList(Packet* p, Event& event, void** log_list)
 if ( create_event )
 {
 /* set the event info */
- event.set_event(GID_TAG, TAG_LOG_PKT, 1, 1, 1, returned->event_id, p->context->conf->get_event_log_id(), returned->event_time);
+ SetEvent(event, GID_TAG, TAG_LOG_PKT, 1, 1, 1, returned->event_id);
+
+ /* set event reference details */
+ event.ref_time.tv_sec = returned->event_time.tv_sec;
+ event.ref_time.tv_usec = returned->event_time.tv_usec;
+ event.event_reference = returned->event_id | p->context->conf->get_event_log_id();
 *log_list = returned->log_list;
 }
diff --git a/src/events/event.cc b/src/events/event.cc
index a2c801f17..7a5471181 100644
--- a/src/events/event.cc
+++ b/src/events/event.cc
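Review bot: The `returned->event_id` handed to `SetEvent(...)` as event_ref is dead: SetEvent copies it into event.event_reference, and three lines later `event.event_reference = returned->event_id | p->context->conf->get_event_log_id();` overwrites it, just as the ref_time that SetEvent zeroes is immediately rewritten from `returned->event_time`. Either pass the combined value to SetEvent and drop the reassignment, or pass 0 and keep it, so each field has one writer; as written SetEvent looks authoritative when it is not. Note also that SetEvent takes the log id from `SnortConfig::get_conf()` while this hunk takes it from `p->context->conf`; whether those are the same object during a reload is worth confirming. CheckTagList continues outside the hunk.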
@@ -28,58 +28,26 @@ using namespace snort;
-static THREAD_LOCAL uint16_t g_event_id;
+THREAD_LOCAL uint16_t event_id; // FIXIT-M also incremented in fpLogEvent()
-uint16_t get_event_id()
+void SetEvent(
+ Event& event, uint32_t gid, uint32_t sid, uint32_t rev,
+ uint32_t classification, uint32_t priority, uint32_t event_ref)
 {
- return g_event_id;
-}
-
-void incr_event_id()
-{
- g_event_id++;
-}
-
-static uint32_t calc_event_id(uint16_t id, uint16_t log_id)
-{
- // Use instance ID to make log_id unique per packet thread. Even if
- // it overflows, value will still be unique if there are less than
- // 65k threads.
- log_id += snort::get_instance_id();
- return (id | (log_id << 16));
-}
-
-void Event::update_event_id(uint16_t log_id)
-{
- event_id = calc_event_id(g_event_id, log_id);
-}
-
-void Event::update_event_id_and_ref(uint16_t log_id)
-{
- event_id = calc_event_id(g_event_id, log_id);
- event_reference = event_id;
-}
-
-void Event::set_event(uint32_t gid, uint32_t sid, uint32_t rev,
- uint32_t classification, uint32_t priority, uint16_t event_ref,
- uint16_t log_id, const struct timeval& tv)
-{
- sig_info->gid = gid;
- sig_info->sid = sid;
- sig_info->rev = rev;
- sig_info->class_id = classification;
- sig_info->priority = priority;
+ event.sig_info->gid = gid;
+ event.sig_info->sid = sid;
+ event.sig_info->rev = rev;
+ event.sig_info->class_id = classification;
+ event.sig_info->priority = priority;
- /* update event_id based on g_event_id. */
- incr_event_id();
- update_event_id(SnortConfig::get_conf()->get_event_log_id());
+ /* this one gets set automatically */
+ event.event_id = ++event_id | SnortConfig::get_conf()->get_event_log_id();
 if (event_ref)
- event_reference = calc_event_id(event_ref, log_id);
+ event.event_reference = event_ref;
 else
- event_reference = event.event_id;
+ event.event_reference = event.event_id;
- ref_time.tv_sec = tv.tv_sec;
- ref_time.tv_usec = tv.tv_usec;;
+ event.ref_time.tv_sec = event.ref_time.tv_usec = 0;
 }
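Review bot: SetEvent has no contract comment, and it has three effects a caller must know: it writes through `event.sig_info` with no null check (Event default-initialises sig_info to nullptr), it advances the per-thread `event_id` counter as a side effect of computing `event.event_id`, and it resets `event.ref_time` to zero so the caller must set the reference time afterwards, as tag.cc does. The comment `/* this one gets set automatically */` says none of that; a short header comment stating that sig_info must be non-null, that a fresh per-thread id ORed with the configured log id is assigned, that an event_ref of 0 means self-reference, and that ref_time is cleared for the caller to fill would replace it. Separately, `++event_id` on a uint16_t wraps to 0 after 65535 events on the thread and is not made unique across packet threads; the FIXIT-M on the declaration mentions neither, so extend it if the limitation is accepted.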
diff --git a/src/events/event.h b/src/events/event.h
index 50b1aec07..6c053df13 100644
--- a/src/events/event.h
+++ b/src/events/event.h
@@ -24,6 +24,7 @@
 #include "main/thread.h"
 struct SigInfo;
+extern THREAD_LOCAL uint16_t event_id;
 /* we must use fixed size of 32 bits, because on-disk
 * format of savefiles uses 32-bit tv_sec (and tv_usec)
@@ -37,35 +38,20 @@ struct sf_timeval32
 struct Event
 {
 SigInfo* sig_info = nullptr;
+ uint32_t event_id = 0;
+ uint32_t event_reference = 0; // reference to other events that have gone off,
+ // such as in the case of tagged packets...
 struct sf_timeval32 ref_time = { 0, 0 }; /* reference time for the event reference */
 const char* alt_msg = nullptr;
 Event() = default;
 Event(SigInfo& si) { sig_info = &si; }
-
- uint32_t get_event_id() const { return event_id; }
- void set_event_id(uint32_t id) { event_id = id; }
-
- uint32_t get_event_reference() const { return event_reference; }
- void set_event_reference(uint32_t ref) { event_reference = ref; }
-
- void update_event_id(uint16_t log_id);
- void update_event_id_and_ref(uint16_t log_id);
-
- void set_event(uint32_t gid, uint32_t sid, uint32_t rev,
- uint32_t classification, uint32_t priority, uint16_t event_ref,
- uint16_t log_id, const struct timeval& tv);
-
-
-private:
- uint32_t event_id = 0;
- uint32_t event_reference = 0; // reference to other events that have gone off,
- // such as in the case of tagged packets...
 };
-uint16_t get_event_id();
-void incr_event_id();
+void SetEvent(
+ Event&, uint32_t gid, uint32_t sid, uint32_t rev,
+ uint32_t classification, uint32_t priority, uint32_t event_ref);
 #endif
diff --git a/src/framework/base_api.h b/src/framework/base_api.h
index 27a104b73..973ae216e 100644
--- a/src/framework/base_api.h
+++ b/src/framework/base_api.h
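Review bot: `extern THREAD_LOCAL uint16_t event_id;` puts a namespace-scope name in a public header that is spelled exactly like the `Event::event_id` member added in the second hunk, so an expression such as `event->event_id = event_id | ...` in detect.cc reads two different objects with one identifier; if the global must stay, a distinguishing name would remove the ambiguity. The declaration also needs a comment saying what the counter is and who writes it, e.g. `// per packet-thread alert sequence number; low 16 bits of Event::event_id; advanced by fpLogEvent() and SetEvent()`. Likewise the `SetEvent` prototype at the end of the second hunk should carry the caller-facing contract (sig_info must be set, a fresh id is assigned, ref_time is cleared), since callers read this header rather than event.cc.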
@@ -29,7 +29,7 @@
 // this is the current version of the base api
 // must be prefixed to subtype version
-#define BASE_API_VERSION 4
+#define BASE_API_VERSION 3
 // set options to API_OPTIONS to ensure compatibility
 #ifndef API_OPTIONS
diff --git a/src/loggers/alert_luajit.cc b/src/loggers/alert_luajit.cc
index 0783e2fd5..a4ad98d49 100644
--- a/src/loggers/alert_luajit.cc
+++ b/src/loggers/alert_luajit.cc
@@ -54,8 +54,8 @@ SO_PUBLIC const SnortEvent* get_event()
 lua_event.sid = event->sig_info->sid;
 lua_event.rev = event->sig_info->rev;
- lua_event.event_id = event->get_event_id();
- lua_event.event_ref = event->get_event_reference();
+ lua_event.event_id = event->event_id;
+ lua_event.event_ref = event->event_reference;
 if ( !event->sig_info->message.empty() )
 lua_event.msg = event->sig_info->message.c_str();
diff --git a/src/loggers/alert_sf_socket.cc b/src/loggers/alert_sf_socket.cc
index 5151a33ac..ac7876743 100644
--- a/src/loggers/alert_sf_socket.cc
+++ b/src/loggers/alert_sf_socket.cc
@@ -294,7 +294,7 @@ static void load_sar(Packet* packet, const Event& event, SnortActionRequest& sar
 return;
 /* construct the action request */
- sar.event_id = event.get_event_id();
+ sar.event_id = event.event_id;
 sar.tv_sec = packet->pkth->ts.tv_sec;
 sar.gid = event.sig_info->gid;
 sar.sid = event.sig_info->sid;
diff --git a/src/loggers/alert_unixsock.cc b/src/loggers/alert_unixsock.cc
index 648dea9c9..cd899ac87 100644
--- a/src/loggers/alert_unixsock.cc
+++ b/src/loggers/alert_unixsock.cc
@@ -128,8 +128,8 @@ static void get_alert_pkt(
 us.alert.class_id = event.sig_info->class_id;
 us.alert.priority = event.sig_info->priority;
- us.alert.event_id = event.get_event_id();
- us.alert.event_ref = event.get_event_reference();
+ us.alert.event_id = event.event_id;
+ us.alert.event_ref = event.event_reference;
 us.alert.ref_time = event.ref_time;
 if (p && p->pkt)
diff --git a/src/loggers/unified2.cc b/src/loggers/unified2.cc
index 490813363..31adbf1fa 100644
--- a/src/loggers/unified2.cc
+++ b/src/loggers/unified2.cc
@@ -168,7 +168,7 @@ static void alert_event(Packet* p, const char*, Unified2Config* config, const Ev
 u2_event.snort_id = 0; // FIXIT-H alert_event define / use
- u2_event.event_id = htonl(event->get_event_id());
+ u2_event.event_id = htonl(event->event_id);
 u2_event.event_second = htonl(event->ref_time.tv_sec);
 u2_event.event_microsecond = htonl(event->ref_time.tv_usec);
@@ -346,7 +346,7 @@ static void _Unified2LogPacketAlert(
 if (event != nullptr)
 {
- logheader.event_id = htonl(event->get_event_reference());
+ logheader.event_id = htonl(event->event_reference);
 logheader.event_second = htonl(event->ref_time.tv_sec);
 }
 else
@@ -617,7 +617,7 @@ static void _AlertIP4_v2(Packet* p, const char*, Unified2Config* config, const E
 memset(&alertdata, 0, sizeof(alertdata));
- alertdata.event_id = htonl(event->get_event_id());
+ alertdata.event_id = htonl(event->event_id);
 alertdata.event_second = htonl(event->ref_time.tv_sec);
 alertdata.event_microsecond = htonl(event->ref_time.tv_usec);
 alertdata.generator_id = htonl(event->sig_info->gid);
@@ -703,7 +703,7 @@ static void _AlertIP6_v2(Packet* p, const char*, Unified2Config* config, const E
 memset(&alertdata, 0, sizeof(alertdata));
- alertdata.event_id = htonl(event->get_event_id());
+ alertdata.event_id = htonl(event->event_id);
 alertdata.event_second = htonl(event->ref_time.tv_sec);
 alertdata.event_microsecond = htonl(event->ref_time.tv_usec);
 alertdata.generator_id = htonl(event->sig_info->gid);
@@ -922,10 +922,10 @@ void U2Logger::alert_legacy(Packet* p, const char* msg, const Event& event)
 if (p->ptrs.ip_api.is_ip6())
 {
 const SfIp* ip = p->ptrs.ip_api.get_src();
- _WriteExtraData(&config, event.get_event_id(), event.ref_time.tv_sec,
+ _WriteExtraData(&config, event.event_id, event.ref_time.tv_sec,
 (const uint8_t*) ip->get_ip6_ptr(), sizeof(struct in6_addr), EVENT_INFO_IPV6_SRC);
 ip = p->ptrs.ip_api.get_dst();
- _WriteExtraData(&config, event.get_event_id(), event.ref_time.tv_sec,
+ _WriteExtraData(&config, event.event_id, event.ref_time.tv_sec,
 (const uint8_t*) ip->get_ip6_ptr(), sizeof(struct in6_addr), EVENT_INFO_IPV6_DST);
 }
 }
@@ -937,7 +937,7 @@ void U2Logger::alert_legacy(Packet* p, const char* msg, const Event& event)
 if ( p->flow )
 Stream::update_flow_alert( p->flow, p, event.sig_info->gid, event.sig_info->sid,
- event.get_event_id(), event.ref_time.tv_sec);
+ event.event_id, event.ref_time.tv_sec);
 if ( p->xtradata_mask )
 {
@@ -947,7 +947,7 @@ void U2Logger::alert_legacy(Packet* p, const char* msg, const Event& event)
 if ( max_count > 0 )
 AlertExtraData( p->flow, &config, log_funcs, max_count, p->xtradata_mask,
- event.get_event_id(), event.ref_time.tv_sec);
+ event.event_id, event.ref_time.tv_sec);
 }
 }
@@ -963,7 +963,7 @@ void U2Logger::alert(Packet* p, const char* msg, const Event& event)
 if ( p->flow )
 Stream::update_flow_alert( p->flow, p, event.sig_info->gid, event.sig_info->sid,
- event.get_event_id(), event.ref_time.tv_sec);
+ event.event_id, event.ref_time.tv_sec);
 if ( p->xtradata_mask )
 {
@@ -973,7 +973,7 @@ void U2Logger::alert(Packet* p, const char* msg, const Event& event)
 if ( max_count > 0 )
 AlertExtraData( p->flow, &config, log_funcs, max_count, p->xtradata_mask,
- event.get_event_id(), event.ref_time.tv_sec);
+ event.event_id, event.ref_time.tv_sec);
 }
 }
diff --git a/src/main/snort_config.h b/src/main/snort_config.h
index eacd1184e..bf73f6c2f 100644
--- a/src/main/snort_config.h
+++ b/src/main/snort_config.h
@@ -331,7 +331,7 @@ public:
 //------------------------------------------------------
 // FIXIT-L command line only stuff, add to conf / module
- uint16_t event_log_id = 0;
+ uint32_t event_log_id = 0;
 SfCidr obfuscation_net;
 std::string bpf_filter;
 std::string metadata_filter;
@@ -545,7 +545,7 @@ public:
 { return run_flags & RUN_FLAG__INLINE_TEST; }
 // event stuff
- uint16_t get_event_log_id() const
+ uint32_t get_event_log_id() const
 { return event_log_id; }
 bool process_all_events() const
diff --git a/src/main/snort_module.cc b/src/main/snort_module.cc
index a07fc1be1..a909fcd3d 100644
--- a/src/main/snort_module.cc
+++ b/src/main/snort_module.cc
@@ -718,7 +718,7 @@ bool SnortModule::set(const char*, Value& v, SnortConfig* sc)
 sc->output_flags |= OUTPUT_FLAG__LINE_BUFFER;
 else if ( v.is("-G") || v.is("--logid") )
- sc->event_log_id = v.get_uint16();
+ sc->event_log_id = v.get_uint16() << 16;
 else if ( v.is("-g") )
 sc->set_gid(v.get_string());
diff --git a/src/piglet_plugins/pp_event_iface.cc b/src/piglet_plugins/pp_event_iface.cc
index 8c0463071..42052faa8 100644
--- a/src/piglet_plugins/pp_event_iface.cc
+++ b/src/piglet_plugins/pp_event_iface.cc
@@ -41,12 +41,8 @@ static void set_fields(lua_State* L, int tindex, Event& self)
 {
 Lua::Table table(L, tindex);
- uint32_t value = 0;
- table.get_field("event_id", value);
- self.set_event_id(value);
-
- table.get_field("event_reference", value);
- self.set_event_reference(value);
+ table.get_field("event_id", self.event_id);
+ table.get_field("event_reference", self.event_reference);
 const char* s = nullptr;
 if ( table.get_field("alt_msg", s) && s ) // FIXIT-L shouldn't need both conditions
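Review bot: `sc->event_log_id = v.get_uint16() << 16;` in the snort_module.cc hunk shifts a 16-bit value after integer promotion to int, so for --logid values of 32768 and above the result does not fit in int and the shift is undefined behaviour in C++17 (only C++20 defines shifting into the sign bit); convert first, `sc->event_log_id = static_cast<uint32_t>(v.get_uint16()) << 16;`. Widening the field to `uint32_t event_log_id` in the snort_config.h hunk above makes room for the stored value but does not fix the right-hand side. This assumes get_uint16() returns a 16-bit unsigned type as its name suggests; SnortModule::set continues outside the hunk.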
@@ -61,8 +57,8 @@ static void get_fields(lua_State* L, int tindex, Event& self)
 {
 Lua::Table table(L, tindex);
- table.set_field("event_id", self.get_event_id());
- table.set_field("event_reference", self.get_event_reference());
+ table.set_field("event_id", self.event_id);
+ table.set_field("event_reference", self.event_reference);
 if ( self.alt_msg )
 table.set_field("alt_msg", self.alt_msg);