From: Jeff Lucovsky
Date: Sat, 1 Aug 2020 13:45:04 +0000 (-0400)
Subject: output/anomaly: Restrict anomaly logger count
X-Git-Tag: suricata-5.0.4~42
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3ce608886ba5abfda610849f9189c653aad57632;p=thirdparty%2Fsuricata.git

output/anomaly: Restrict anomaly logger count

This commit restricts the anomaly logger count. The restriction is necessary due to state maintenance in the logger that doesn't scale beyond a single logger.

Until that issue's solved, when multiple anomaly loggers are configured, an error message will be emitted to highlight the restriction.

(cherry picked from commit 8e2aab7467a92cedc8cb67647af8601d43b36e91)
---

diff --git a/src/output-json-anomaly.c b/src/output-json-anomaly.c
index 8b754087ba..dd9f062dc1 100644
--- a/src/output-json-anomaly.c
+++ b/src/output-json-anomaly.c
@@ -84,6 +84,27 @@ typedef struct JsonAnomalyLogThread_ {
 AnomalyJsonOutputCtx* json_output_ctx;
 } JsonAnomalyLogThread;
 
+/*
+ * Restrict the anomaly logger count due to decoder state maintenance issues
+ */
+
+#define MAX_ANOMALY_LOGGERS 1
+static int anomaly_loggers = 0;
+static bool OutputAnomalyLoggerEnable(void)
+{
+ if (anomaly_loggers < MAX_ANOMALY_LOGGERS) {
+ anomaly_loggers++;
+ return true;
+ }
+ return false;
+}
+
+static void OutputAnomalyLoggerDisable(void)
+{
+ if (anomaly_loggers)
+ anomaly_loggers--;
+}
+
 static int AnomalyDecodeEventJson(ThreadVars *tv, JsonAnomalyLogThread *aft,
 const Packet *p)
 {
@@ -338,7 +359,7 @@ static TmEcode JsonAnomalyLogThreadDeinit(ThreadVars *t, void *data)
 return TM_ECODE_OK;
 }
 
-static void JsonAnomalyLogDeInitCtxSub(OutputCtx *output_ctx)
+static void JsonAnomalyLogDeInitCtxSubHelper(OutputCtx *output_ctx)
 {
 SCLogDebug("cleaning up sub output_ctx %p", output_ctx);
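Review bot: `anomaly_loggers` is file-scope mutable state with no comment on who may touch it; `OutputAnomalyLoggerEnable`/`OutputAnomalyLoggerDisable` are not atomic, which is fine only if every caller is on the single-threaded output init/deinit path, and since the hunk does not show the callers that assumption should be stated at the definition, e.g. `/* Only mutated from output init/deinit (assumed single-threaded); not safe for concurrent use. */`. `OutputAnomalyLoggerDisable` silently absorbs an unmatched call through `if (anomaly_loggers)`, so a broken Enable/Disable pairing would go unnoticed; a debug-build assertion there would surface it. The block comment above `MAX_ANOMALY_LOGGERS` should also say that only contexts created through `JsonAnomalyLogInitCtxSub` are counted, because the `Helper` init introduced in the later hunks deliberately bypasses the limit; as a style point the limit could be an `enum` constant rather than a bare `#define`.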
@@ -350,6 +371,13 @@ static void JsonAnomalyLogDeInitCtxSub(OutputCtx *output_ctx)
 SCFree(output_ctx);
 }
 
+static void JsonAnomalyLogDeInitCtxSub(OutputCtx *output_ctx)
+{
+ OutputAnomalyLoggerDisable();
+
+ JsonAnomalyLogDeInitCtxSubHelper(output_ctx);
+}
+
 #define DEFAULT_LOG_FILENAME "anomaly.json"
 static void SetFlag(const ConfNode *conf, const char *name, uint16_t flag, uint16_t *out_flags)
 {
@@ -395,12 +423,7 @@ static void JsonAnomalyLogConf(AnomalyJsonOutputCtx *json_output_ctx,
 json_output_ctx->flags |= flags;
 }
 
-/**
- * \brief Create a new LogFileCtx for "fast" output style.
- * \param conf The configuration node for this output.
- * \return A LogFileCtx pointer on success, NULL on failure.
- */
-static OutputInitResult JsonAnomalyLogInitCtxSub(ConfNode *conf, OutputCtx *parent_ctx)
+static OutputInitResult JsonAnomalyLogInitCtxHelper(ConfNode *conf, OutputCtx *parent_ctx)
 {
 OutputInitResult result = { NULL, false };
 OutputJsonCtx *ajt = parent_ctx->data;
@@ -420,7 +443,7 @@ static OutputInitResult JsonAnomalyLogInitCtxSub(ConfNode *conf, OutputCtx *pare
 json_output_ctx->cfg = ajt->cfg;
 output_ctx->data = json_output_ctx;
- output_ctx->DeInit = JsonAnomalyLogDeInitCtxSub;
+ output_ctx->DeInit = JsonAnomalyLogDeInitCtxSubHelper;
 result.ctx = output_ctx;
 result.ok = true;
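Review bot: The new `JsonAnomalyLogDeInitCtxSub` calls `OutputAnomalyLoggerDisable()` unconditionally, so it is only correct as the DeInit of a context that was counted by `OutputAnomalyLoggerEnable()`; the `Helper` init renamed in the next hunk installs `JsonAnomalyLogDeInitCtxSubHelper` instead and is also what the Tx sub-module registers in the last hunk, so the two DeInit functions must never be swapped. That pairing is the whole invariant behind the limit and deserves a comment on this function, e.g. `/* DeInit for counted contexts only: releases the MAX_ANOMALY_LOGGERS slot taken in JsonAnomalyLogInitCtxSub; the Tx path uses the Helper variant and is not counted. */`. Because the doxygen block removed in the following hunk is moved to the counted wrapper rather than kept here, `JsonAnomalyLogInitCtxHelper` is left undocumented; a one-line `/** \brief Shared context setup; does not touch the logger count. */` would close that gap.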
@@ -432,6 +455,29 @@ error:
 return result;
 }
 
+/**
+ * \brief Create a new LogFileCtx for "fast" output style.
+ * \param conf The configuration node for this output.
+ * \return A LogFileCtx pointer on success, NULL on failure.
+ */
+static OutputInitResult JsonAnomalyLogInitCtxSub(ConfNode *conf, OutputCtx *parent_ctx)
+{
+
+ if (!OutputAnomalyLoggerEnable()) {
+ OutputInitResult result = { NULL, false };
+ SCLogError(SC_ERR_CONF_YAML_ERROR, "only one 'anomaly' logger "
+ "can be enabled");
+ return result;
+ }
+
+ OutputInitResult result = JsonAnomalyLogInitCtxHelper(conf, parent_ctx);
+ if (result.ok) {
+ result.ctx->DeInit = JsonAnomalyLogDeInitCtxSub;
+ }
+
+ return result;
+}
+
 void JsonAnomalyLogRegister (void)
 {
 OutputRegisterPacketSubModule(LOGGER_JSON_ANOMALY, "eve-log", MODULE_NAME,
@@ -440,7 +486,7 @@ void JsonAnomalyLogRegister (void)
 NULL);
 
 OutputRegisterTxSubModule(LOGGER_JSON_ANOMALY, "eve-log", MODULE_NAME,
- "eve-log.anomaly", JsonAnomalyLogInitCtxSub, ALPROTO_UNKNOWN,
+ "eve-log.anomaly", JsonAnomalyLogInitCtxHelper, ALPROTO_UNKNOWN,
 JsonAnomalyTxLogger, JsonAnomalyLogThreadInit, JsonAnomalyLogThreadDeinit,
 NULL);
 }
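Review bot: When `JsonAnomalyLogInitCtxHelper` fails, the slot taken by `OutputAnomalyLoggerEnable()` is never given back, because `OutputAnomalyLoggerDisable()` is only reachable through the DeInit that this function installs on success; if context init can be retried in the same process (a reload, for instance — not visible here), every later attempt would be rejected with "only one 'anomaly' logger can be enabled" although no logger exists. Release the slot on the failure branch: `if (result.ok) { result.ctx->DeInit = JsonAnomalyLogDeInitCtxSub; } else { OutputAnomalyLoggerDisable(); }`. The moved doxygen block is also stale for this function: it describes a `LogFileCtx` for "fast" output and a NULL return, while the function returns an `OutputInitResult` whose `ok` flag signals failure, so the `\brief` and `\return` lines should say that and `parent_ctx` needs its own `\param`. The blank line directly after the opening brace is a leftover worth removing.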
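Review bot: Registering the Tx sub-module with `JsonAnomalyLogInitCtxHelper` means that context is created without passing through `OutputAnomalyLoggerEnable()`, so one `eve-log.anomaly` block now yields one counted context (presumably via the packet sub-module registered just above, whose init argument lies outside the hunk) and one uncounted one. That is what lets a single configuration work under `MAX_ANOMALY_LOGGERS 1`, but nothing at the call site says so, and the next maintainer may "fix" it back to `JsonAnomalyLogInitCtxSub` and break every configuration. A comment on the argument such as `/* shares the packet logger's config; intentionally not counted against MAX_ANOMALY_LOGGERS */` would pin the intent.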