From: Michael Altizer (mialtize) Date: Wed, 10 Mar 2021 17:22:20 +0000 (+0000) Subject: Merge pull request #2786 in SNORT/snort3 from ~MIALTIZE/snort3:flowstats_style to... X-Git-Tag: 3.1.2.0~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=54c78b68fce557a25627c99ec81063d8577f5e2c;p=thirdparty%2Fsnort3.git Merge pull request #2786 in SNORT/snort3 from ~MIALTIZE/snort3:flowstats_style to master Squashed commit of the following: commit 29bb7fe503dc2b2a8a87a164717a124368db13df Author: Michael Altizer Date: Tue Mar 9 21:46:30 2021 -0500 snort: Update for DAQ_FlowStats_t structure and field name changes --- diff --git a/daqs/daq_hext.c b/daqs/daq_hext.c index 978998267..d88afb18a 100644 --- a/daqs/daq_hext.c +++ b/daqs/daq_hext.c @@ -53,7 +53,7 @@ typedef struct _hext_msg_desc { DAQ_Msg_t msg; DAQ_PktHdr_t pkthdr; - Flow_Stats_t flowstats; + DAQ_FlowStats_t flowstats; DAQ_UsrHdr_t pci; uint8_t* data; struct _hext_msg_desc* next; 
@@ -242,22 +242,22 @@ static void IpAddr(uint32_t* addr, char const* ip) static bool parse_flowstats(DAQ_MsgType type, const char* line, HextMsgDesc *desc) { #define FLOWSTATS_FORMAT \ - "%" SCNi16 " " /* ingressGroup */ \ - "%" SCNi16 " " /* egressGroup */ \ - "%" SCNi32 " " /* ingressIntf */ \ - "%" SCNi32 " " /* egressIntf */ \ + "%" SCNi16 " " /* ingress_group */ \ + "%" SCNi16 " " /* egress_group */ \ + "%" SCNi32 " " /* ingress_intf */ \ + "%" SCNi32 " " /* egress_intf */ \ "%s " /* srcAddr */ \ - "%" SCNu16 " " /* initiatorPort */ \ + "%" SCNu16 " " /* initiator_port */ \ "%s " /* dstAddr */ \ - "%" SCNu16 " " /* responderPort */ \ + "%" SCNu16 " " /* responder_port */ \ "%" SCNu32 " " /* opaque */ \ - "%" SCNu64 " " /* initiatorPkts */ \ - "%" SCNu64 " " /* responderPkts */ \ - "%" SCNu64 " " /* initiatorPktsDropped */ \ - "%" SCNu64 " " /* responderPktsDropped */ \ - "%" SCNu64 " " /* initiatorBytesDropped */ \ - "%" SCNu64 " " /* responderBytesDropped */ \ - "%" SCNu8 " " /* isQoSAppliedOnSrcIntf */ \ + "%" SCNu64 " " /* initiator_pkts */ \ + "%" SCNu64 " " /* responder_pkts */ \ + "%" SCNu64 " " /* initiator_pkts_dropped */ \ + "%" SCNu64 " " /* responder_pkts_dropped */ \ + "%" SCNu64 " " /* initiator_bytes_dropped */ \ + "%" SCNu64 " " /* responder_bytes_dropped */ \ + "%" SCNu8 " " /* is_qos_applied_on_src_intf */ \ "%" SCNu32 " " /* sof_timestamp.tv_sec */ \ "%" SCNu32 " " /* eof_timestamp.tv_sec */ \ "%" SCNu16 " " /* vlan_tag */ \ 
@@ -265,13 +265,13 @@ static bool parse_flowstats(DAQ_MsgType type, const char* line, HextMsgDesc *des "%" SCNu8 " " /* protocol */ \ "%" SCNu8 /* flags */ #define FLOWSTATS_ITEMS 22 - Flow_Stats_t* f = &desc->flowstats; + DAQ_FlowStats_t* f = &desc->flowstats; char srcaddr[INET6_ADDRSTRLEN], dstaddr[INET6_ADDRSTRLEN]; uint32_t sof_sec, eof_sec; - int rval = sscanf(line, FLOWSTATS_FORMAT, &f->ingressGroup, &f->egressGroup, &f->ingressIntf, - &f->egressIntf, srcaddr, &f->initiatorPort, dstaddr, &f->responderPort, &f->opaque, - &f->initiatorPkts, &f->responderPkts, &f->initiatorPktsDropped, &f->responderPktsDropped, - &f->initiatorBytesDropped, &f->responderBytesDropped, &f->isQoSAppliedOnSrcIntf, + int rval = sscanf(line, FLOWSTATS_FORMAT, &f->ingress_group, &f->egress_group, &f->ingress_intf, + &f->egress_intf, srcaddr, &f->initiator_port, dstaddr, &f->responder_port, &f->opaque, + &f->initiator_pkts, &f->responder_pkts, &f->initiator_pkts_dropped, &f->responder_pkts_dropped, + &f->initiator_bytes_dropped, &f->responder_bytes_dropped, &f->is_qos_applied_on_src_intf, &sof_sec, &eof_sec, &f->vlan_tag, &f->address_space_id, &f->protocol, &f->flags); if (rval != FLOWSTATS_ITEMS) @@ -286,10 +286,10 @@ static bool parse_flowstats(DAQ_MsgType type, const char* line, HextMsgDesc *des desc->msg.data_len = 0; desc->msg.data = NULL; - IpAddr((uint32_t*)&f->initiatorIp, srcaddr); - f->initiatorPort = htons(f->initiatorPort); - IpAddr((uint32_t*)&f->responderIp, dstaddr); - f->responderPort = htons(f->responderPort); + IpAddr((uint32_t*)&f->initiator_ip, srcaddr); + f->initiator_port = htons(f->initiator_port); + IpAddr((uint32_t*)&f->responder_ip, dstaddr); + f->responder_port = htons(f->responder_port); f->sof_timestamp.tv_usec = 0; f->eof_timestamp.tv_usec = 0; if (f->vlan_tag == 0) diff --git a/doc/user/daq.txt b/doc/user/daq.txt index 1e1b8b081..8076ac5f8 100644 --- a/doc/user/daq.txt +++ b/doc/user/daq.txt 
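Review bot: The `sscanf` call in parse_flowstats stores the two address tokens in `srcaddr` and `dstaddr`, each `INET6_ADDRSTRLEN` bytes, through the bare `%s` conversions of FLOWSTATS_FORMAT (defined in the previous hunk). An address token in a hext input line that is longer than the buffer therefore writes past the end of a stack array. Give both conversions a field width one less than the buffer size, for example `"%45s " /* srcAddr */ \` and `"%45s " /* dstAddr */ \` where INET6_ADDRSTRLEN is 46, or declare the buffers with a named size that the width is derived from. The renamed lines do not touch this path, and the function body starts and ends outside this hunk.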
@@ -275,8 +275,8 @@ command or a blank line. Data after a blank line will start another packet with the same tuple as the prior one. $sof and $eof commands generate Start of Flow and End of Flow metapackets -respectively. They are followed by a definition of a Flow_Stats_t data structure -which will be fed into Snort via the metadata callback. +respectively. They are followed by a definition of a DAQ_FlowStats_t data +structure which will be fed into Snort via the metadata callback. Strings may contain the following escape sequences: diff --git a/src/loggers/log_hext.cc b/src/loggers/log_hext.cc index abaa81fea..0e74fb4ad 100644 --- a/src/loggers/log_hext.cc +++ b/src/loggers/log_hext.cc @@ -67,14 +67,14 @@ void DaqMessageEventHandler::handle(DataEvent& event, Flow*) return; } - const Flow_Stats_t* fs = (const Flow_Stats_t*) dme->get_header(); + const DAQ_FlowStats_t* fs = (const DAQ_FlowStats_t*) dme->get_header(); SfIp src, dst; char shost[INET6_ADDRSTRLEN]; char dhost[INET6_ADDRSTRLEN]; - src.set(fs->initiatorIp); - dst.set(fs->responderIp); + src.set(fs->initiator_ip); + dst.set(fs->responder_ip); src.ntop(shost, sizeof(shost)); dst.ntop(dhost, sizeof(dhost)); 
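Review bot: `fs` in DaqMessageEventHandler::handle comes from a C-style cast of `dme->get_header()` and is then read field by field, but nothing visible in this hunk confirms that the header is at least `sizeof(DAQ_FlowStats_t)` bytes. The guard that ends just above the cast is outside the hunk, so this may already be covered. If the structure layout changed along with the names, a DAQ module built against the older definition would be read with the wrong offsets and no diagnostic. The same cast is in process_daq_sof_eof_msg in src/main/analyzer.cc, where a check such as `if (daq_msg_get_hdr_len(msg) < sizeof(DAQ_FlowStats_t)) return;` before the cast would fail closed.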
@@ -83,22 +83,22 @@ void DaqMessageEventHandler::handle(DataEvent& event, Flow*) TextLog_Print(hext_log, "\n$%s " // type (sof or eof) - "%hd " // ingressGroup - "%hd " // egressGroup - "%d " // ingressIntf - "%d " // egressIntf - "%s " // initiatorIp (stringified) - "%d " // initiatorPort (host order) - "%s " // responderIp (stringified) - "%d " // responderPort (host order) + "%hd " // ingress_group + "%hd " // egress_group + "%d " // ingress_intf + "%d " // egress_intf + "%s " // initiator_ip (stringified) + "%d " // initiator_port (host order) + "%s " // responder_ip (stringified) + "%d " // responder_port (host order) "%u " // opaque - "%" PRIu64 " " // initiatorPkts - "%" PRIu64 " " // responderPkts - "%" PRIu64 " " // initiatorPktsDropped - "%" PRIu64 " " // responderPktsDropped - "%" PRIu64 " " // initiatorBytesDropped - "%" PRIu64 " " // responderBytesDropped - "%hhu " // isQoSAppliedOnSrcIntf + "%" PRIu64 " " // initiator_pkts + "%" PRIu64 " " // responder_pkts + "%" PRIu64 " " // initiator_pkts_dropped + "%" PRIu64 " " // responder_pkts_dropped + "%" PRIu64 " " // initiator_bytes_dropped + "%" PRIu64 " " // responder_bytes_dropped + "%hhu " // is_qos_applied_on_src_intf "%ld " // sof_timestamp.tv_sec "%ld " // eof_timestamp.tv_sec "%hu " // vlan_tag 
@@ -106,20 +106,20 @@ void DaqMessageEventHandler::handle(DataEvent& event, Flow*) "%hhu" // protocol "\n", cmd, - fs->ingressGroup, - fs->egressGroup, - fs->ingressIntf, - fs->egressIntf, - shost, ntohs(fs->initiatorPort), - dhost, ntohs(fs->responderPort), + fs->ingress_group, + fs->egress_group, + fs->ingress_intf, + fs->egress_intf, + shost, ntohs(fs->initiator_port), + dhost, ntohs(fs->responder_port), fs->opaque, - fs->initiatorPkts, - fs->responderPkts, - fs->initiatorPktsDropped, - fs->responderPktsDropped, - fs->initiatorBytesDropped, - fs->responderBytesDropped, - fs->isQoSAppliedOnSrcIntf, + fs->initiator_pkts, + fs->responder_pkts, + fs->initiator_pkts_dropped, + fs->responder_pkts_dropped, + fs->initiator_bytes_dropped, + fs->responder_bytes_dropped, + fs->is_qos_applied_on_src_intf, fs->sof_timestamp.tv_sec, fs->eof_timestamp.tv_sec, vlan_tag, diff --git a/src/main/analyzer.cc b/src/main/analyzer.cc index 2aa9e40b4..0c32d7cbe 100644 --- a/src/main/analyzer.cc +++ b/src/main/analyzer.cc @@ -165,7 +165,7 @@ void Analyzer::set_main_hook(MainHook_f f) static void process_daq_sof_eof_msg(DAQ_Msg_h msg, DAQ_Verdict& verdict) { - const Flow_Stats_t *stats = (const Flow_Stats_t *) daq_msg_get_hdr(msg); + const DAQ_FlowStats_t *stats = (const DAQ_FlowStats_t*) daq_msg_get_hdr(msg); const char* key; if (daq_msg_get_type(msg) == DAQ_MSG_TYPE_EOF) diff --git a/src/sfip/sf_ip.h b/src/sfip/sf_ip.h index b5cd78cc7..29187526a 100644 --- a/src/sfip/sf_ip.h +++ b/src/sfip/sf_ip.h 
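Review bot: The format string passed to TextLog_Print ends at `"%hhu" // protocol`, while parse_flowstats in daqs/daq_hext.c expects a trailing `flags` field and compares the sscanf result with FLOWSTATS_ITEMS (22). Counting the visible conversions plus the one line hidden between this hunk and the previous one, the logger appears to write 21 values after the record type, so a $sof/$eof record written here would presumably not be accepted by the hext DAQ. If a round trip is intended, change the last conversion to `"%hhu " // protocol`, add `"%hhu" // flags` after it, and pass `fs->flags` as the final argument. The argument list continues past the end of this hunk, so confirm against the full file.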
@@ -52,7 +52,7 @@ struct SO_PUBLIC SfIp /* Sets to a raw source IP (4 or 16 bytes, according to family) */ SfIpRet set(const void* src, int fam); /* Sets to a raw source IP, source must be a 128 bit IPv6 (detects IPv4 mapped IPv6) - * This is specifically for conversion of Flow_Stats_t ipv4 mapped ipv6 addresses */ + * This is specifically for conversion of DAQ_FlowStats_t ipv4 mapped ipv6 addresses */ SfIpRet set(const void* src); /* Converts string IP format to an array of values. Also checks IP address format. */ SfIpRet pton(const int fam, const char* ip);