From: Anoop Saldanha
Date: Fri, 22 Jun 2012 18:18:06 +0000 (+0530)
Subject: free flowvar entries in flow after live rule swap. Sync flowbits entries into packet...
X-Git-Tag: suricata-1.3rc1~25
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=32183faa82cc1242daf5832bc74ef42b2d86a3e9;p=thirdparty%2Fsuricata.git

free flowvar entries in flow after live rule swap. Sync flowbits entries into packet struct to be used by alert debuglog when alert debuglog is enabled
---
diff --git a/src/alert-debuglog.c b/src/alert-debuglog.c
index 19166bebf0..92f5cbad0f 100644
--- a/src/alert-debuglog.c
+++ b/src/alert-debuglog.c
@@ -141,14 +141,19 @@ static void AlertDebugLogFlowVars(AlertDebugLogThread *aft, Packet *p)
 */
 static void AlertDebugLogFlowBits(AlertDebugLogThread *aft, Packet *p)
 {
- GenericVar *gv = p->flow->flowvar;
- while (gv != NULL) {
- if (gv->type == DETECT_FLOWBITS) {
- FlowBit *fb = (FlowBit *) gv;
- MemBufferWriteString(aft->buffer, "FLOWBIT idx(%"PRIu32")\n", fb->idx);
+ int i;
+ for (i = 0; i < p->debuglog_flowbits_names_len; i++) {
+ if (p->debuglog_flowbits_names[i] != NULL) {
+ MemBufferWriteString(aft->buffer, "FLOWBIT: %s\n",
+ p->debuglog_flowbits_names[i]);
 }
- gv = gv->next;
 }
+
+ SCFree(p->debuglog_flowbits_names);
+ p->debuglog_flowbits_names = NULL;
+ p->debuglog_flowbits_names_len = 0;
+
+ return;
 }

 /**
diff --git a/src/decode.h b/src/decode.h
index 553a254341..eb62bcd341 100644
--- a/src/decode.h
+++ b/src/decode.h
@@ -381,6 +381,10 @@ typedef struct Packet_
 /* IPS action to take */
 uint8_t action;

+ /* used to hold flowbits only if debuglog is enabled */
+ int debuglog_flowbits_names_len;
+ const char **debuglog_flowbits_names;
+
 /* pkt vars */
 PktVar *pktvar;

diff --git a/src/detect.c b/src/detect.c
index f9a53ac3b5..fdf5f759da 100644
--- a/src/detect.c
+++ b/src/detect.c
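Review bot: The `SCFree(p->debuglog_flowbits_names)` after the loop releases only the pointer array, while every non-NULL entry was produced by `SCStrdup` in the detect.c sync function, so each flowbit name string leaks on every packet this logger handles. Release the entries inside the loop, e.g. `SCFree((void *)p->debuglog_flowbits_names[i]);` right after the `MemBufferWriteString` call; the cast is only needed because decode.h declares the array `const char **`, and `char **` would describe the ownership better. The NULL test in the loop is load-bearing, because the sync code can leave `debuglog_flowbits_names_len` larger than the number of filled slots after its realloc growth, and deserves a one-line comment saying so. The whole body of `AlertDebugLogFlowBits` is inside the hunk.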
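Review bot: The two new Packet fields hold heap memory owned by the packet, but nothing in this commit resets them when a packet object is reused; if pool packets are cleared through the recycle/initialize macros in decode.h, those are not touched here, so a packet that received synced names without later passing through the debuglog module would carry a stale pointer into its next use and a second sync would overwrite it and leak. Verify the recycle path clears `debuglog_flowbits_names` and zeroes `debuglog_flowbits_names_len`. The array is declared `const char **` although its entries are `SCStrdup` results that must be freed, so `char **` fits better and avoids casting const away at the free. The field comment could also name the contract: `/* flowbit names copied in by the detect engine when alert-debuglog is enabled; owned by the packet, freed by AlertDebugLogFlowBits */`.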
@@ -29,6 +29,7 @@
 #include "detect.h"
 #include "flow.h"
 #include "flow-private.h"
+#include "flow-bit.h"

 #include "detect-parse.h"
 #include "detect-engine.h"
@@ -165,6 +166,7 @@
 #include "stream-tcp.h"
 #include "stream-tcp-inline.h"

+#include "util-var-name.h"
 #include "util-classification-config.h"
 #include "util-print.h"
 #include "util-unittest.h"
@@ -181,6 +183,8 @@
 #include "util-vector.h"
 #include "util-path.h"

+#include "runmodes.h"
+
 extern uint8_t engine_mode;
 extern int engine_analysis;

@@ -1284,6 +1288,68 @@ static void DebugInspectIds(Packet *p, Flow *f, StreamMsg *smsg)
 }
 #endif

+static void AlertDebugLogModeSyncFlowbitsNamesToPacketStruct(Packet *p, DetectEngineCtx *de_ctx)
+{
+#define MALLOC_JUMP 5
+
+ int i = 0;
+
+ GenericVar *gv = p->flow->flowvar;
+
+ while (gv != NULL) {
+ i++;
+ gv = gv->next;
+ }
+ if (i == 0)
+ return;
+
+ p->debuglog_flowbits_names_len = i;
+
+ p->debuglog_flowbits_names = SCMalloc(sizeof(char *) *
+ p->debuglog_flowbits_names_len);
+ if (p->debuglog_flowbits_names == NULL) {
+ return;
+ }
+ memset(p->debuglog_flowbits_names, 0,
+ sizeof(char *) * p->debuglog_flowbits_names_len);
+
+ i = 0;
+ gv = p->flow->flowvar;
+ while (gv != NULL) {
+ if (gv->type != DETECT_FLOWBITS) {
+ gv = gv->next;
+ continue;
+ }
+
+ FlowBit *fb = (FlowBit *) gv;
+ char *name = VariableIdxGetName(de_ctx, fb->idx, fb->type);
+ if (name != NULL) {
+ p->debuglog_flowbits_names[i] = SCStrdup(name);
+ if (p->debuglog_flowbits_names[i] == NULL) {
+ return;
+ }
+ i++;
+ }
+
+ if (i == p->debuglog_flowbits_names_len) {
+ p->debuglog_flowbits_names_len += MALLOC_JUMP;
+ p->debuglog_flowbits_names = SCRealloc(p->debuglog_flowbits_names,
+ sizeof(char *) *
+ p->debuglog_flowbits_names_len);
+ if (p->debuglog_flowbits_names == NULL) {
+ return;
+ }
+ memset(p->debuglog_flowbits_names +
+ p->debuglog_flowbits_names_len - MALLOC_JUMP,
+ 0, sizeof(char *) * MALLOC_JUMP);
+ }
+
+ gv = gv->next;
+ }
+
+ return;
+}
+
 /**
 * \brief Signature match function
 *
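Review bot: Both allocation-failure returns in the new function leave `p->debuglog_flowbits_names_len` greater than zero while `p->debuglog_flowbits_names` is NULL (the `_len = i` assignment precedes the `SCMalloc`, and the `SCRealloc` result is stored straight back into the field), and the consumer `AlertDebugLogFlowBits` indexes the array up to `_len`, so an out-of-memory event here becomes a NULL dereference in the logger. The direct `SCRealloc` overwrite also drops the old array and its strdup'd strings on failure. The growth branch is effectively dead in any case: the first pass counts every entry of `p->flow->flowvar`, not only `DETECT_FLOWBITS` ones, so the array already has room for all names and `i == _len` can only trigger after the last entry. The change below keeps `_len` consistent with the array on every exit and reallocates through a temporary; `#define MALLOC_JUMP` should also get a matching `#undef` after the function so it does not leak into the rest of detect.c.
```c
    /* … unchanged: first pass counting p->flow->flowvar entries into i … */
    p->debuglog_flowbits_names = SCMalloc(sizeof(char *) * i);
    if (p->debuglog_flowbits_names == NULL) {
        /* the logger loops up to _len; keep it 0 while the array is NULL */
        p->debuglog_flowbits_names_len = 0;
        return;
    }
    p->debuglog_flowbits_names_len = i;
    memset(p->debuglog_flowbits_names, 0, sizeof(char *) * i);
    /* … unchanged: second pass, SCStrdup of each DETECT_FLOWBITS name … */
        if (i == p->debuglog_flowbits_names_len) {
            const char **tmp = SCRealloc(p->debuglog_flowbits_names,
                                         sizeof(char *) *
                                         (p->debuglog_flowbits_names_len + MALLOC_JUMP));
            if (tmp == NULL) {
                /* keep the old array and its strings; the logger frees them */
                return;
            }
            p->debuglog_flowbits_names = tmp;
            memset(p->debuglog_flowbits_names + p->debuglog_flowbits_names_len,
                   0, sizeof(char *) * MALLOC_JUMP);
            p->debuglog_flowbits_names_len += MALLOC_JUMP;
        }
    /* … unchanged: advance gv, return … */
```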
@@ -1342,6 +1408,8 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh

 reset_de_state = 1;
 p->flow->de_ctx_id = de_ctx->id;
+ GenericVarFree(p->flow->flowvar);
+ p->flow->flowvar = NULL;
 }

 /* set the iponly stuff */
@@ -1785,6 +1853,12 @@ end:
 }

 FLOWLOCK_WRLOCK(p->flow);
+ if (debuglog_enabled) {
+ if (p->alerts.cnt > 0) {
+ AlertDebugLogModeSyncFlowbitsNamesToPacketStruct(p, de_ctx);
+ }
+ }
+
 if (!(sms_runflags & SMS_USE_FLOW_SGH)) {
 if (p->flowflags & FLOW_PKT_TOSERVER && !(p->flow->flags & FLOW_SGH_TOSERVER)) {
 /* first time we see this toserver sgh, store it */
diff --git a/src/runmodes.c b/src/runmodes.c
index b5301004e7..0788f8675e 100644
--- a/src/runmodes.c
+++ b/src/runmodes.c
@@ -50,6 +50,8 @@

 #include "source-pfring.h"

+int debuglog_enabled = 0;
+
 /**
 * \brief Holds description for a runmode.
 */
@@ -404,6 +406,9 @@ void RunModeInitializeOutputs(void)
 "TmModuleGetByName for %s failed", module->name);
 exit(EXIT_FAILURE);
 }
+ if (strcmp(tmm_modules[TMM_ALERTDEBUGLOG].name, tm_module->name) == 0)
+ debuglog_enabled = 1;
+
 RunModeOutput *runmode_output = SCCalloc(1, sizeof(RunModeOutput));
 if (runmode_output == NULL)
 return;
diff --git a/src/runmodes.h b/src/runmodes.h
index c390d64f6f..532a193aef 100644
--- a/src/runmodes.h
+++ b/src/runmodes.h
@@ -64,4 +64,6 @@ void RunModeShutDown(void);
 int threading_set_cpu_affinity;
 extern float threading_detect_ratio;

+extern int debuglog_enabled;
+
 #endif /* __RUNMODES_H__ */
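Review bot: The two added lines discard the flow's whole variable list whenever `p->flow->de_ctx_id` differs from `de_ctx->id` without saying why, and the reason is only in the commit title; a comment on the `GenericVarFree` line would spare the next reader the archaeology, e.g. `/* flowbit/flowvar idx values index the previous de_ctx's name table and are meaningless after a live rule swap, so drop them */` (wording inferred from the commit message, confirm). `SigMatchSignatures` starts and ends outside the hunk, so whether the flow lock is held at this point is not visible; freeing `p->flow->flowvar` must happen under it, and the same flow-lock requirement applies to the sync call added in the `end:` hunk of this file.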
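Review bot: `int debuglog_enabled = 0;` is a new cross-module global read on the packet path in detect.c, but nothing states who writes it or when; the definition should carry the contract, e.g. `/* 1 when an alert-debuglog output is configured; set once by RunModeInitializeOutputs() during startup, read by the detect engine per packet */`. That it is written before any packet thread starts is inferred from where the later hunk sets it in this file and should be confirmed, since the flag is a plain `int` with no synchronization.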
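Review bot: The new check matches the module by name with `strcmp` although `tm_module` was just looked up by that same name (the context lines show the `TmModuleGetByName` failure message), so a pointer identity test reads more directly: `if (tm_module == &tmm_modules[TMM_ALERTDEBUGLOG])`; that is valid only if `TmModuleGetByName` returns a pointer into `tmm_modules`, which the hunk does not show. A short comment on the assignment would also help, e.g. `/* sticky: stays set once any alert-debuglog output is configured */`. `RunModeInitializeOutputs` continues outside the hunk.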