From: Yehor Velykozhon -X (yvelykoz - SOFTSERVE INC at Cisco)
Date: Tue, 12 Sep 2023 14:44:37 +0000 (+0000)
Subject: Pull request #3982: Stream: extend interface of extra data logging
X-Git-Tag: 3.1.71.0~11
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=63805fd880cbc889bb0be0f28de2474e6666c51f;p=thirdparty%2Fsnort3.git
Pull request #3982: Stream: extend interface of extra data logging
Merge in SNORT/snort3 from ~YVELYKOZ/snort3:extra_data_update to master
Squashed commit of the following:
commit a4369053a05642a3c8ad9384ee1e9e04601ddce9
Author: Yehor Velykozhon
Date: Fri Aug 18 18:00:14 2023 +0300
stream: extend list of arguments for extra data logging
---
diff --git a/src/loggers/unified2.cc b/src/loggers/unified2.cc
index 9769e7272..47f3b2a29 100644
--- a/src/loggers/unified2.cc
+++ b/src/loggers/unified2.cc
@@ -331,13 +331,12 @@ static void _WriteExtraData(Unified2Config* config,
 static void AlertExtraData(
 Flow* flow, void* data, LogFunction* log_funcs, uint32_t max_count,
- uint32_t xtradata_mask,
- uint32_t event_id, uint32_t event_second)
+ uint32_t xtradata_mask, const AlertInfo& alert_info)
 {
 Unified2Config* config = (Unified2Config*)data;
 uint32_t xid;
- if ((config == nullptr) || !xtradata_mask || !event_second)
+ if ((config == nullptr) || !xtradata_mask || !alert_info.event_second)
 return;
 xid = ffs(xtradata_mask);
@@ -359,7 +358,7 @@ static void AlertExtraData(
 if ( log_func(flow, &write_buffer, &len, &type) && (len > 0) )
 {
- _WriteExtraData(config, obf, event_id, tenant_id, event_second, write_buffer, len, type);
+ _WriteExtraData(config, obf, alert_info.event_id, tenant_id, alert_info.event_second, write_buffer, len, type);
 }
 xtradata_mask ^= BIT(xid);
 xid = ffs(xtradata_mask);
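Review bot: `AlertExtraData` now receives the whole `AlertInfo` but reads only `event_id` and `event_second` (the `!alert_info.event_second` guard and the `_WriteExtraData` call), while both `U2Logger` call sites later in this diff construct it with gid/sid zeroed, so nothing in the unified2 path can ever use those two fields. Either populate gid/sid at the call sites or state the narrower contract on the function, e.g. `// Only event_id/event_second are consumed here; gid/sid are informational and may be 0.` The early return when `event_second` is 0 also silently drops extra data for an alert without a timestamp, which deserves a one-line comment so it is not mistaken for an error path. Both hunks are partial: `AlertExtraData` continues outside them.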
@@ -965,9 +964,8 @@ void U2Logger::alert_legacy(Packet* p, const char* msg, const Event& event)
 uint32_t max_count = Stream::get_xtra_data_map(log_funcs);
 if ( max_count > 0 )
- AlertExtraData(
- p->flow, &config, log_funcs, max_count, p->xtradata_mask,
- event.get_event_id(), event.ref_time.tv_sec);
+ AlertExtraData(p->flow, &config, log_funcs, max_count, p->xtradata_mask,
+ { /* gid */ 0, /* sid */ 0, event.get_event_id(), event.ref_time.tv_sec });
 }
 }
@@ -991,9 +989,8 @@ void U2Logger::alert(Packet* p, const char* msg, const Event& event)
 uint32_t max_count = Stream::get_xtra_data_map(log_funcs);
 if ( max_count > 0 )
- AlertExtraData(
- p->flow, &config, log_funcs, max_count, p->xtradata_mask,
- event.get_event_id(), event.ref_time.tv_sec);
+ AlertExtraData(p->flow, &config, log_funcs, max_count, p->xtradata_mask,
+ { /* gid */ 0, /* sid */ 0, event.get_event_id(), event.ref_time.tv_sec });
 }
 }
diff --git a/src/stream/stream.cc b/src/stream/stream.cc
index 7bffc920c..434144d01 100644
--- a/src/stream/stream.cc
+++ b/src/stream/stream.cc
@@ -62,7 +62,7 @@ public:
 uint32_t xtradata_func_count = 0;
 LogFunction xtradata_map[MAX_LOG_FN];
 LogExtraData extra_data_log = nullptr;
- void* extra_data_config = nullptr;
+ void* extra_data_context = nullptr;
 };
 static StreamImpl stream;
@@ -513,13 +513,13 @@ StreamSplitter* Stream::get_splitter(Flow* flow, bool to_server)
 //-------------------------------------------------------------------------
 void Stream::log_extra_data(
- Flow* flow, uint32_t mask, uint32_t id, uint32_t sec)
+ Flow* flow, uint32_t mask, const AlertInfo& alert_info)
 {
 if ( mask && stream.extra_data_log )
 {
 stream.extra_data_log(
- flow, stream.extra_data_config, stream.xtradata_map,
- stream.xtradata_func_count, mask, id, sec);
+ flow, stream.extra_data_context, stream.xtradata_map,
+ stream.xtradata_func_count, mask, alert_info);
 }
 }
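Review bot: The braced argument `{ /* gid */ 0, /* sid */ 0, event.get_event_id(), event.ref_time.tv_sec }` in `alert_legacy`, and the identical one in `alert`, is list-initialization of `AlertInfo`, so if `ref_time.tv_sec` is a `time_t` wider than 32 bits the conversion to the `uint32_t ts` parameter is a narrowing conversion, which is ill-formed in list-initialization (compilers warn or reject), whereas the old parenthesised call truncated silently. Where the 32-bit truncation is intended, make it explicit with `static_cast<uint32_t>(event.ref_time.tv_sec)` so the behaviour is the same on every compiler. The comment-labelled positional zeros also depend on constructor parameter order; calling the constructor by name, `AlertInfo(0, 0, event.get_event_id(), ...)`, reads the same and survives a reordering. Both `alert_legacy` and `alert` start and end outside their hunks.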
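Review bot: The rewritten call in `Stream::log_extra_data` reads `stream.extra_data_log` and `stream.extra_data_context` without `stream_xtra_mutex`, which `reg_xtra_data_log` (in its own hunk below) holds while writing both fields; presumably registration completes before packet threads run, but nothing on the page says so. A comment on the call, `// no lock: callback and context are registered at init, before packet threads start`, would record that assumption, or prompt a fix if it is not guaranteed.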
@@ -550,7 +550,7 @@ void Stream::reg_xtra_data_log(LogExtraData f, void* config)
 {
 const std::lock_guard xtra_lock(stream_xtra_mutex);
 stream.extra_data_log = f;
- stream.extra_data_config = config;
+ stream.extra_data_context = config;
 }
 //-------------------------------------------------------------------------
diff --git a/src/stream/stream.h b/src/stream/stream.h
index e9126a2fa..a4fac3b6c 100644
--- a/src/stream/stream.h
+++ b/src/stream/stream.h
@@ -62,9 +62,22 @@ class StreamSplitter;
 "first | last | linux | old_linux | bsd | macos | solaris | irix | " \
 "hpux11 | hpux10 | windows | win_2003 | vista | proxy"
+struct AlertInfo
+{
+ AlertInfo() = default;
+ AlertInfo(uint32_t gid, uint32_t sid, uint32_t id, uint32_t ts = 0)
+ : gid(gid), sid(sid), event_id(id), event_second(ts) {}
+
+ uint32_t gid = 0;
+ uint32_t sid = 0;
+
+ uint32_t event_id = 0;
+ uint32_t event_second = 0;
+};
+
 typedef int (* LogFunction)(Flow*, uint8_t** buf, uint32_t* len, uint32_t* type);
 typedef void (* LogExtraData)(Flow*, void* config, LogFunction* funcs,
- uint32_t max_count, uint32_t xtradata_mask, uint32_t id, uint32_t sec);
+ uint32_t max_count, uint32_t xtradata_mask, const AlertInfo& alert_info);
 #define MAX_LOG_FN 32
@@ -230,7 +243,7 @@ public:
 // extra data methods
 static void set_extra_data(Flow*, Packet*, uint32_t);
- static void log_extra_data(Flow*, uint32_t mask, uint32_t id, uint32_t sec);
+ static void log_extra_data(Flow*, uint32_t mask, const AlertInfo&);
 static uint32_t reg_xtra_data_cb(LogFunction);
 static void reg_xtra_data_log(LogExtraData, void*);
diff --git a/src/stream/tcp/segment_overlap_editor.h b/src/stream/tcp/segment_overlap_editor.h
index 80eb81772..e95fe1294 100644
--- a/src/stream/tcp/segment_overlap_editor.h
+++ b/src/stream/tcp/segment_overlap_editor.h
@@ -26,6 +26,7 @@
 #include "normalize/norm_stats.h"
 #include "stream/paf.h"
+#include "stream/stream.h"
 #include "tcp_segment_node.h"
 class TcpSession;
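Review bot: `AlertInfo` in stream.h is a new public type with no comment on what its fields mean or how they are consumed, and the explanatory comment that the diff deletes from `StreamAlertInfo` in segment_overlap_editor.h (`// if we log extra data, event_* is used to correlate with alert`) is not carried over. Since `AlertExtraData` in unified2.cc returns early when `event_second` is 0, that value is effectively a "no extra data" sentinel and belongs in the struct's documentation; a short header comment stating that `gid`/`sid` identify the rule, `event_id`/`event_second` correlate logged extra data with the alert, and `event_second == 0` disables extra-data logging, would cover it. The constructor parameters `gid` and `sid` shadow the members of the same name, which is legal but differs from the trailing-underscore convention `StreamAlertInfo` adopts in the same change; one convention for both types would read better.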
@@ -70,18 +71,13 @@ struct SegmentOverlapState
 void init_soe(TcpSegmentDescriptor& tsd, TcpSegmentNode* left, TcpSegmentNode* right);
 };
-struct StreamAlertInfo
+struct StreamAlertInfo : snort::AlertInfo
 {
- StreamAlertInfo(uint32_t gid, uint32_t sid, uint32_t seq, uint32_t id, uint32_t sec)
- : gid(gid), sid(sid), seq(seq), event_id(id), event_second(sec)
+ StreamAlertInfo(uint32_t gid_, uint32_t sid_, uint32_t seq_num_ = 0, uint32_t id_ = 0, uint32_t ts_ = 0)
+ : snort::AlertInfo(gid_, sid_, id_, ts_), seq(seq_num_)
 {}
- uint32_t gid;
- uint32_t sid;
 uint32_t seq;
- // if we log extra data, event_* is used to correlate with alert
- uint32_t event_id;
- uint32_t event_second;
 };
 struct TcpReassemblerState
diff --git a/src/stream/tcp/tcp_reassembler.cc b/src/stream/tcp/tcp_reassembler.cc
index a5f413a06..13d94b5fd 100644
--- a/src/stream/tcp/tcp_reassembler.cc
+++ b/src/stream/tcp/tcp_reassembler.cc
@@ -265,7 +265,7 @@ void TcpReassembler::dup_reassembly_segment(
 bool TcpReassembler::add_alert(TcpReassemblerState& trs, uint32_t gid, uint32_t sid)
 {
- trs.alerts.emplace_back(gid, sid, 0, 0, 0);
+ trs.alerts.emplace_back(gid, sid);
 return true;
 }
@@ -300,7 +300,7 @@ void TcpReassembler::purge_alerts(TcpReassemblerState& trs)
 Flow* flow = trs.sos.session->flow;
 for ( auto& alert : trs.alerts )
- Stream::log_extra_data(flow, trs.xtradata_mask, alert.event_id, alert.event_second);
+ Stream::log_extra_data(flow, trs.xtradata_mask, alert);
 if ( !flow->is_suspended() )
 trs.alerts.clear();
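Review bot: In `purge_alerts`, passing the `StreamAlertInfo` `alert` where `Stream::log_extra_data` takes `const AlertInfo&` binds the base subobject, so `seq` is deliberately not forwarded; a comment on that line, `// binds the AlertInfo base; seq is not needed for extra-data logging`, would stop a reader from reading it as accidental slicing. In `add_alert`, `emplace_back(gid, sid)` now relies on the defaulted `seq_num_`/`id_`/`ts_` parameters of the rewritten `StreamAlertInfo` constructor, which leaves `event_second` at 0 for reassembler alerts exactly as the old `0, 0, 0` did, but the intent is now implicit and worth a short note at the call. `purge_alerts` continues outside its hunk.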