From: Bhagya Tholpady (bbantwal) Date: Thu, 9 Apr 2020 16:41:25 +0000 (+0000) Subject: Merge pull request #2127 in SNORT/snort3 from ~OKHOMIAK/snort3:standardize_all_inspec... X-Git-Tag: 3.0.1-2~27 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=79ddca49447a442c517fb2fe99acdd1de53deedd;p=thirdparty%2Fsnort3.git Merge pull request #2127 in SNORT/snort3 from ~OKHOMIAK/snort3:standardize_all_inspectors_config_output to master Squashed commit of the following: commit cb70afb884f256e88504a45217c28783cc70b083 Author: Oleksii Khomiakovskyi Date: Tue Apr 7 21:44:31 2020 +0300 appid: remove unused config options and rename "debug" option changes include: * instance_id, dump_ports, app_stats_rollover_time options removed * debug option renamed to list_odp_detectors * snort2lua updated according to config option changes mentioned above commit cd58c49f50c9c22a1504405d449c137b9e743375 Author: Oleksii Khomiakovskyi Date: Thu Mar 26 10:49:03 2020 +0200 inspectors: update verbose config output in show() method to a new format Add ConfigLogger class containing standard print functions --- diff --git a/src/file_api/file_config.cc b/src/file_api/file_config.cc index 8d27443e8..fac4b68c0 100644 --- a/src/file_api/file_config.cc +++ b/src/file_api/file_config.cc @@ -68,18 +68,18 @@ void FileConfig::process_file_policy_rule(FileRule& rule) filePolicy.insert_file_rule(rule); } -FileMagicRule* FileConfig::get_rule_from_id(uint32_t id) +const FileMagicRule* FileConfig::get_rule_from_id(uint32_t id) const { return fileIdentifier.get_rule_from_id(id); } void FileConfig::get_magic_rule_ids_from_type(const std::string& type, - const std::string& version, FileTypeBitSet& ids_set) + const std::string& version, FileTypeBitSet& ids_set) const { return fileIdentifier.get_magic_rule_ids_from_type(type, version, ids_set); } -std::string FileConfig::file_type_name(uint32_t id) +std::string FileConfig::file_type_name(uint32_t id) const { if (SNORT_FILE_TYPE_UNKNOWN == id) return "Unknown file type, done"; @@ -87,7 +87,7 @@ std::string FileConfig::file_type_name(uint32_t id) else if (SNORT_FILE_TYPE_CONTINUE == id) return "Undecided file type, continue..."; - FileMagicRule* info = get_rule_from_id(id); + const FileMagicRule* info = get_rule_from_id(id); if (info != nullptr) return info->type; diff --git a/src/file_api/file_config.h b/src/file_api/file_config.h index 05ea94736..6e779f088 100644 --- a/src/file_api/file_config.h +++ b/src/file_api/file_config.h @@ -45,15 +45,16 @@ class FileConfig { public: - FileMagicRule* get_rule_from_id(uint32_t); + const FileMagicRule* get_rule_from_id(uint32_t) const; void get_magic_rule_ids_from_type(const std::string&, const std::string&, - snort::FileTypeBitSet&); + snort::FileTypeBitSet&) const; void process_file_rule(FileMagicRule&); void process_file_policy_rule(FileRule&); bool process_file_magic(FileMagicData&); uint32_t find_file_type_id(const uint8_t* buf, int len, uint64_t file_offset, void** context); FilePolicy& get_file_policy() { return filePolicy; } - std::string file_type_name(uint32_t id); + const FilePolicy& get_file_policy() const { return filePolicy; } + std::string file_type_name(uint32_t id) const; int64_t file_type_depth = DEFAULT_FILE_TYPE_DEPTH; int64_t file_signature_depth = DEFAULT_FILE_SIGNATURE_DEPTH; diff --git a/src/file_api/file_flows.cc b/src/file_api/file_flows.cc index 97687a216..73ffdad3d 100644 --- a/src/file_api/file_flows.cc +++ b/src/file_api/file_flows.cc @@ -383,16 +383,42 @@ bool FileInspect::configure(SnortConfig*) return true; } -void FileInspect::show(SnortConfig*) +static void file_config_show(const FileConfig* fc) { - if (!config) - return; + const FilePolicy& fp = fc->get_file_policy(); + + if ( ConfigLogger::log_flag("enable_type", fp.get_file_type()) ) + ConfigLogger::log_value("type_depth", fc->file_type_depth); + + if ( ConfigLogger::log_flag("enable_signature", fp.get_file_signature()) ) + ConfigLogger::log_value("signature_depth", fc->file_signature_depth); + + if ( ConfigLogger::log_flag("block_timeout_lookup", fc->block_timeout_lookup) ) + ConfigLogger::log_value("block_timeout", fc->file_block_timeout); + + if ( ConfigLogger::log_flag("enable_capture", fp.get_file_capture()) ) + { + ConfigLogger::log_value("capture_memcap", fc->capture_memcap); + ConfigLogger::log_value("capture_max_size", fc->capture_max_size); + ConfigLogger::log_value("capture_min_size", fc->capture_min_size); + ConfigLogger::log_value("capture_block_size", fc->capture_block_size); + } - LogMessage(" capture_memcap: %zu MB\n", config->capture_memcap); - LogMessage(" capture_max_size: %zu bytes\n", config->capture_max_size); - LogMessage(" capture_min_size: %zu bytes\n", config->capture_min_size); - LogMessage(" lookup_timeout: %zu secs\n", config->file_lookup_timeout); - LogMessage("\n"); + ConfigLogger::log_value("lookup_timeout", fc->file_lookup_timeout); + ConfigLogger::log_value("max_files_cached", fc->max_files_cached); + ConfigLogger::log_value("max_files_per_flow", fc->max_files_per_flow); + ConfigLogger::log_value("show_data_depth", fc->show_data_depth); + + ConfigLogger::log_flag("trace_type", fc->trace_type); + ConfigLogger::log_flag("trace_signature", fc->trace_signature); + ConfigLogger::log_flag("trace_stream", fc->trace_stream); + ConfigLogger::log_value("verdict_delay", fc->verdict_delay); +} + +void FileInspect::show(SnortConfig*) +{ + if ( config ) + file_config_show(config); } static Module* mod_ctor() diff --git a/src/file_api/file_identifier.cc b/src/file_api/file_identifier.cc index 5796f101b..233b8fa2e 100644 --- a/src/file_api/file_identifier.cc +++ b/src/file_api/file_identifier.cc @@ -359,7 +359,7 @@ uint32_t FileIdentifier::find_file_type_id(const uint8_t* buf, int len, uint64_t return file_type_id; } -FileMagicRule* FileIdentifier::get_rule_from_id(uint32_t id) +const FileMagicRule* FileIdentifier::get_rule_from_id(uint32_t id) const { if ((id < FILE_ID_MAX) && (file_magic_rules[id].id > 0)) { @@ -370,7 +370,7 @@ FileMagicRule* FileIdentifier::get_rule_from_id(uint32_t id) } void FileIdentifier::get_magic_rule_ids_from_type(const std::string& type, - const std::string& version, FileTypeBitSet& ids_set) + const std::string& version, FileTypeBitSet& ids_set) const { ids_set.reset(); diff --git a/src/file_api/file_identifier.h b/src/file_api/file_identifier.h index 81c621ae3..7315f4c9b 100644 --- a/src/file_api/file_identifier.h +++ b/src/file_api/file_identifier.h @@ -88,11 +88,12 @@ class FileIdentifier { public: ~FileIdentifier(); - uint32_t memory_usage() { return memory_used; } + uint32_t memory_usage() const { return memory_used; } void insert_file_rule(FileMagicRule& rule); uint32_t find_file_type_id(const uint8_t* buf, int len, uint64_t offset, void** context); - FileMagicRule* get_rule_from_id(uint32_t); - void get_magic_rule_ids_from_type(const std::string&, const std::string&, snort::FileTypeBitSet&); + const FileMagicRule* get_rule_from_id(uint32_t) const; + void get_magic_rule_ids_from_type(const std::string&, const std::string&, + snort::FileTypeBitSet&) const; private: void init_merge_hash(); diff --git a/src/file_api/file_log.cc b/src/file_api/file_log.cc index 2155198b2..54601a9de 100644 --- a/src/file_api/file_log.cc +++ b/src/file_api/file_log.cc @@ -221,8 +221,8 @@ private: void FileLog::show(SnortConfig*) { - LogMessage(" Log system time: %s\n", config.log_sys_time ? "true" : "false"); - LogMessage(" Log packet time: %s\n", config.log_pkt_time ? "true" : "false"); + ConfigLogger::log_flag("log_pkt_time", config.log_pkt_time); + ConfigLogger::log_flag("log_sys_time", config.log_sys_time); } //------------------------------------------------------------------------- diff --git a/src/file_api/file_policy.cc b/src/file_api/file_policy.cc index a1cea020a..b79587204 100644 --- a/src/file_api/file_policy.cc +++ b/src/file_api/file_policy.cc @@ -64,6 +64,21 @@ void FilePolicy::set_file_capture(bool enabled) capture_enabled = enabled; } +bool FilePolicy::get_file_type() const +{ + return type_enabled; +} + +bool FilePolicy::get_file_signature() const +{ + return signature_enabled; +} + +bool FilePolicy::get_file_capture() const +{ + return capture_enabled; +} + void FilePolicy::insert_file_rule(FileRule& rule) { file_rules.emplace_back(rule); diff --git a/src/file_api/file_policy.h b/src/file_api/file_policy.h index 7ab9c8af2..fb5c0f40f 100644 --- a/src/file_api/file_policy.h +++ b/src/file_api/file_policy.h @@ -73,6 +73,9 @@ public: void set_file_type(bool enabled); void set_file_signature(bool enabled); void set_file_capture(bool enabled); + bool get_file_type() const; + bool get_file_signature() const; + bool get_file_capture() const; void load(); void set_verdict_delay(int64_t delay) { verdict_delay = delay; } diff --git a/src/framework/inspector.h b/src/framework/inspector.h index 7ebae979f..d7b4e4ffb 100644 --- a/src/framework/inspector.h +++ b/src/framework/inspector.h @@ -160,6 +160,7 @@ public: ~InspectorData() override { delete data; } + void show(SnortConfig*) override { } void eval(Packet*) override { } T* data; diff --git a/src/log/dev_notes.txt b/src/log/dev_notes.txt index f601f88a2..2f4366bdd 100644 --- a/src/log/dev_notes.txt +++ b/src/log/dev_notes.txt @@ -6,12 +6,15 @@ Text output logging facilities are located here: * messages - provides Dumper class and message logging facilities. + Class ConfigLogger is implemented to provide functions to format + config verbose output from Inspector::show(). + * obfuscator - provides an API for logging packets w/o revealing sensitive data. class Obfuscator is implemented with a std::set to provide in order access for pottentialy out-of-order insertions. - + Currently does not support streaming mode. It should be possible to iterate over contiguous chunks of data, alternating between obfuscated and plain. diff --git a/src/log/messages.cc b/src/log/messages.cc index c6388cd15..e7dc68d5e 100644 --- a/src/log/messages.cc +++ b/src/log/messages.cc @@ -33,8 +33,6 @@ #include "time/packet_time.h" #include "utils/util_cstring.h" -#define MAX_LINE_LEN 75 - using namespace snort; static int already_fatal = 0; @@ -355,36 +353,65 @@ NORETURN_ASSERT void log_safec_error(const char* msg, void*, int e) assert(false); } -bool LogFlag(const char* caption, bool flag) +bool ConfigLogger::log_flag(const char* caption, bool flag) { LogMessage("%25.25s: %s\n", caption, flag ? "enabled" : "disabled"); return flag; } -void LogLimit(const char* caption, int val, int unlim, int disable) +void ConfigLogger::log_limit(const char* caption, int val, int unlim, int disable) { if ( val == disable ) - LogMessage("%25.25s: %d %s\n", caption, disable, "(disabled)"); + LogMessage("%25.25s: %d (disabled)\n", caption, val); else if ( val == unlim ) - LogMessage("%25.25s: %d %s\n", caption, val, "(unlimited)"); + LogMessage("%25.25s: %d (unlimited)\n", caption, val); else LogMessage("%25.25s: %d\n", caption, val); } -void LogLimit(const char* caption, int val, int unlim) +void ConfigLogger::log_limit(const char* caption, int val, int unlim) { if ( val == unlim ) - LogMessage("%25.25s: %d %s\n", caption, val, "(unlimited)"); + LogMessage("%25.25s: %d (unlimited)\n", caption, val); else LogMessage("%25.25s: %d\n", caption, val); } -void LogValue(const char* caption, uint32_t n) +void ConfigLogger::log_limit(const char* caption, int64_t val, int64_t unlim) +{ + if ( val == unlim ) + LogMessage("%25.25s: %" PRId64 " (unlimited)\n", caption, val); + else + LogMessage("%25.25s: %" PRId64 "\n", caption, val); +} + +void ConfigLogger::log_value(const char* caption, int32_t n) +{ + LogMessage("%25.25s: %" PRId32 "\n", caption, n); +} + +void ConfigLogger::log_value(const char* caption, uint32_t n) { LogMessage("%25.25s: %" PRIu32 "\n", caption, n); } -void LogList(const char* caption, const char* list) +void ConfigLogger::log_value(const char* caption, int64_t n) +{ + LogMessage("%25.25s: %" PRId64 "\n", caption, n); +} + +void ConfigLogger::log_value(const char* caption, uint64_t n) +{ + LogMessage("%25.25s: %" PRIu64 "\n", caption, n); +} + +void ConfigLogger::log_value(const char* caption, const char* str) +{ + if ( str and str[0] ) + LogMessage("%25.25s: %s\n", caption, str); +} + +void ConfigLogger::log_list(const char* caption, const char* list) { std::string res; std::stringstream ss; @@ -396,7 +423,7 @@ void LogList(const char* caption, const char* list) ss << list; while (ss >> val) { - if ( len + val.length() > MAX_LINE_LEN ) + if ( len + val.length() > max_line_len ) { res += '\n' + offset; len = 0; diff --git a/src/log/messages.h b/src/log/messages.h index 8813b0ed9..cac2409dd 100644 --- a/src/log/messages.h +++ b/src/log/messages.h @@ -66,11 +66,23 @@ SO_PUBLIC void LogMessage(FILE*, const char*, ...) __attribute__((format (printf SO_PUBLIC void WarningMessage(const char*, ...) __attribute__((format (printf, 1, 2))); SO_PUBLIC void ErrorMessage(const char*, ...) __attribute__((format (printf, 1, 2))); -SO_PUBLIC bool LogFlag(const char* caption, bool flag); -SO_PUBLIC void LogLimit(const char* caption, int val, int unlim); -SO_PUBLIC void LogLimit(const char* caption, int val, int unlim, int disable); -SO_PUBLIC void LogList(const char* caption, const char* list); -SO_PUBLIC void LogValue(const char* caption, uint32_t n); +class SO_PUBLIC ConfigLogger final +{ +public: + ConfigLogger() = delete; + static bool log_flag(const char* caption, bool flag); + static void log_limit(const char* caption, int val, int unlim); + static void log_limit(const char* caption, int val, int unlim, int disable); + static void log_limit(const char* caption, int64_t val, int64_t unlim); + static void log_value(const char* caption, int32_t n); + static void log_value(const char* caption, uint32_t n); + static void log_value(const char* caption, int64_t n); + static void log_value(const char* caption, uint64_t n); + static void log_value(const char* caption, const char* str); + static void log_list(const char* caption, const char* list); +private: + static constexpr size_t max_line_len = 75; +}; // FIXIT-RC do not call FatalError() during runtime [[noreturn]] SO_PUBLIC void FatalError(const char*, ...) __attribute__((format (printf, 1, 2))); diff --git a/src/mime/file_mime_config.cc b/src/mime/file_mime_config.cc index aae828259..2f13d13c4 100644 --- a/src/mime/file_mime_config.cc +++ b/src/mime/file_mime_config.cc @@ -129,7 +129,7 @@ void DecodeConfig::sync_all_depths() (bitenc_depth >= 0) or (uu_depth >= 0); } -int DecodeConfig::get_max_depth(int decode_depth) +int DecodeConfig::get_max_depth(int decode_depth) const { if ( file_depth and decode_depth ) return (file_depth > decode_depth) ? file_depth : decode_depth; @@ -142,7 +142,7 @@ void DecodeConfig::show(bool full) const { if ( !decode_enabled ) { - LogFlag("decode_enabled", decode_enabled); + ConfigLogger::log_flag("decode_enabled", decode_enabled); return; } @@ -150,16 +150,16 @@ void DecodeConfig::show(bool full) const auto qp = (qp_depth == 0) ? -1 : ((qp_depth == -1) ? 0 : qp_depth); auto uu = (uu_depth == 0) ? -1 : ((uu_depth == -1) ? 0 : uu_depth); auto bitenc = (bitenc_depth == 0) ? -1 : ((bitenc_depth == -1) ? 0 : bitenc_depth); - LogLimit("b64_decode_depth", b64, -1, 0); - LogLimit("qp_decode_depth", qp, -1, 0); - LogLimit("uu_decode_depth", uu, -1, 0); - LogLimit("bitenc_decode_depth", bitenc, -1, 0); + ConfigLogger::log_limit("b64_decode_depth", b64, -1, 0); + ConfigLogger::log_limit("qp_decode_depth", qp, -1, 0); + ConfigLogger::log_limit("uu_decode_depth", uu, -1, 0); + ConfigLogger::log_limit("bitenc_decode_depth", bitenc, -1, 0); if ( full ) - LogFlag("ignore_data", ignore_data); + ConfigLogger::log_flag("ignore_data", ignore_data); - LogFlag("decompress_pdf", decompress_pdf); - LogFlag("decompress_swf", decompress_swf); - LogFlag("decompress_zip", decompress_zip); + ConfigLogger::log_flag("decompress_pdf", decompress_pdf); + ConfigLogger::log_flag("decompress_swf", decompress_swf); + ConfigLogger::log_flag("decompress_zip", decompress_zip); } diff --git a/src/mime/file_mime_config.h b/src/mime/file_mime_config.h index 1d15d0c38..4e5ca53ff 100644 --- a/src/mime/file_mime_config.h +++ b/src/mime/file_mime_config.h @@ -66,7 +66,7 @@ public: bool is_decoding_enabled() const; void sync_all_depths(); void show(bool = false) const; - int get_max_depth(int); + int get_max_depth(int) const; private: bool ignore_data = false; diff --git a/src/network_inspectors/appid/appid_config.cc b/src/network_inspectors/appid/appid_config.cc index 947cda661..5e8baa64c 100644 --- a/src/network_inspectors/appid/appid_config.cc +++ b/src/network_inspectors/appid/appid_config.cc @@ -74,6 +74,26 @@ AppIdConfig::~AppIdConfig() snort_free((void*)app_detector_dir); } +void AppIdConfig::show() const +{ + ConfigLogger::log_value("app_detector_dir", app_detector_dir); + + ConfigLogger::log_value("app_stats_period", app_stats_period); + ConfigLogger::log_value("app_stats_rollover_size", app_stats_rollover_size); + + ConfigLogger::log_flag("list_odp_detectors", list_odp_detectors); + + ConfigLogger::log_value("tp_appid_path", tp_appid_path.c_str()); + ConfigLogger::log_value("tp_appid_config", tp_appid_config.c_str()); + + ConfigLogger::log_flag("tp_appid_stats_enable", tp_appid_stats_enable); + ConfigLogger::log_flag("tp_appid_config_dump", tp_appid_config_dump); + + ConfigLogger::log_flag("log_all_sessions", log_all_sessions); + ConfigLogger::log_flag("log_stats", log_stats); + ConfigLogger::log_value("memcap", memcap); +} + void AppIdContext::pterm() { assert(odp_ctxt); @@ -112,10 +132,9 @@ void AppIdContext::create_tp_appid_ctxt() tp_appid_ctxt = TPLibHandler::create_tp_appid_ctxt(config, *odp_ctxt); } -void AppIdContext::show() +void AppIdContext::show() const { - if (!config.tp_appid_path.empty()) - LogMessage(" 3rd Party Dir: %s\n", config.tp_appid_path.c_str()); + config.show(); } OdpContext::OdpContext(AppIdConfig& config, SnortConfig* sc) diff --git a/src/network_inspectors/appid/appid_config.h b/src/network_inspectors/appid/appid_config.h index 3e1d850d2..e044ef052 100644 --- a/src/network_inspectors/appid/appid_config.h +++ b/src/network_inspectors/appid/appid_config.h @@ -60,20 +60,19 @@ public: // after certificate-exchange). Such manual detection is disabled by default (0). uint32_t first_decrypted_packet_debug = 0; #endif - bool stats_logging_enabled = false; + bool log_stats = false; unsigned long app_stats_period = 300; unsigned long app_stats_rollover_size = 0; - unsigned long app_stats_rollover_time = 0; const char* app_detector_dir = nullptr; std::string tp_appid_path = ""; std::string tp_appid_config = ""; bool tp_appid_stats_enable = false; bool tp_appid_config_dump = false; - uint32_t instance_id = 0; size_t memcap = 0; - bool debug = false; - bool dump_ports = false; + bool list_odp_detectors = false; bool log_all_sessions = false; + + void show() const; }; class OdpContext @@ -214,7 +213,7 @@ public: void create_tp_appid_ctxt(); bool init_appid(snort::SnortConfig*); static void pterm(); - void show(); + void show() const; AppIdConfig& config; diff --git a/src/network_inspectors/appid/appid_inspector.cc b/src/network_inspectors/appid/appid_inspector.cc index ea04bd082..1e8e614dd 100644 --- a/src/network_inspectors/appid/appid_inspector.cc +++ b/src/network_inspectors/appid/appid_inspector.cc @@ -28,7 +28,6 @@ #include #include "flow/flow.h" -#include "log/messages.h" #include "managers/inspector_manager.h" #include "managers/module_manager.h" #include "packet_tracer/packet_tracer.h" @@ -129,16 +128,7 @@ bool AppIdInspector::configure(SnortConfig* sc) void AppIdInspector::show(SnortConfig*) { - LogMessage(" Detector Path: %s\n", config->app_detector_dir); - LogMessage(" appStats Logging: %s\n", config->stats_logging_enabled ? "enabled" : - "disabled"); - LogMessage(" appStats Period: %lu secs\n", config->app_stats_period); - LogMessage(" appStats Rollover Size: %lu bytes\n", - config->app_stats_rollover_size); - LogMessage(" appStats Rollover time: %lu secs\n", - config->app_stats_rollover_time); - LogMessage(" memcap: %zu bytes\n", config->memcap); - LogMessage("\n"); + config->show(); } void AppIdInspector::tinit() diff --git a/src/network_inspectors/appid/appid_module.cc b/src/network_inspectors/appid/appid_module.cc index 382ec586b..e9cce524b 100644 --- a/src/network_inspectors/appid/appid_module.cc +++ b/src/network_inspectors/appid/appid_module.cc @@ -70,16 +70,10 @@ static const Parameter s_params[] = "time period for collecting and logging appid statistics" }, { "app_stats_rollover_size", Parameter::PT_INT, "0:max32", "20971520", "max file size for appid stats before rolling over the log file" }, - { "app_stats_rollover_time", Parameter::PT_INT, "0:max31", "86400", - "max time period for collection appid stats before rolling over the log file" }, { "app_detector_dir", Parameter::PT_STRING, nullptr, nullptr, "directory to load appid detectors from" }, - { "instance_id", Parameter::PT_INT, "0:max32", "0", - "instance id - ignored" }, - { "debug", Parameter::PT_BOOL, nullptr, "false", - "enable appid debug logging" }, - { "dump_ports", Parameter::PT_BOOL, nullptr, "false", - "enable dump of appid port information" }, + { "list_odp_detectors", Parameter::PT_BOOL, nullptr, "false", + "enable logging of odp detectors statistics" }, { "tp_appid_path", Parameter::PT_STRING, nullptr, nullptr, "path to third party appid dynamic library" }, { "tp_appid_config", Parameter::PT_STRING, nullptr, nullptr, @@ -290,13 +284,11 @@ bool AppIdModule::set(const char* fqn, Value& v, SnortConfig* c) if ( v.is("memcap") ) config->memcap = v.get_size(); else if ( v.is("log_stats") ) - config->stats_logging_enabled = v.get_bool(); + config->log_stats = v.get_bool(); else if ( v.is("app_stats_period") ) config->app_stats_period = v.get_uint32(); else if ( v.is("app_stats_rollover_size") ) config->app_stats_rollover_size = v.get_uint32(); - else if ( v.is("app_stats_rollover_time") ) - config->app_stats_rollover_time = v.get_uint32(); else if ( v.is("app_detector_dir") ) config->app_detector_dir = snort_strdup(v.get_string()); else if ( v.is("tp_appid_path") ) @@ -307,12 +299,8 @@ bool AppIdModule::set(const char* fqn, Value& v, SnortConfig* c) config->tp_appid_stats_enable = v.get_bool(); else if ( v.is("tp_appid_config_dump") ) config->tp_appid_config_dump = v.get_bool(); - else if ( v.is("instance_id") ) - config->instance_id = v.get_uint32(); - else if ( v.is("debug") ) - config->debug = v.get_bool(); - else if ( v.is("dump_ports") ) - config->dump_ports = v.get_bool(); + else if ( v.is("list_odp_detectors") ) + config->list_odp_detectors = v.get_bool(); else if ( v.is("log_all_sessions") ) config->log_all_sessions = v.get_bool(); else diff --git a/src/network_inspectors/appid/appid_session.cc b/src/network_inspectors/appid/appid_session.cc index edaf6887e..78a0dab64 100644 --- a/src/network_inspectors/appid/appid_session.cc +++ b/src/network_inspectors/appid/appid_session.cc @@ -112,7 +112,7 @@ AppIdSession::~AppIdSession() { if (!in_expected_cache) { - if (ctxt.config.stats_logging_enabled) + if (ctxt.config.log_stats) AppIdStatistics::get_stats_manager()->update(*this); // fail any service detection that is in process for this flow diff --git a/src/network_inspectors/appid/appid_stats.cc b/src/network_inspectors/appid/appid_stats.cc index cd453f32c..77f25a6b3 100644 --- a/src/network_inspectors/appid/appid_stats.cc +++ b/src/network_inspectors/appid/appid_stats.cc @@ -142,7 +142,6 @@ AppIdStatistics::AppIdStatistics(const AppIdConfig& config) { enabled = true; - rollPeriod = config.app_stats_rollover_time; rollSize = config.app_stats_rollover_size; bucketInterval = config.app_stats_period; @@ -178,7 +177,7 @@ AppIdStatistics::~AppIdStatistics() AppIdStatistics* AppIdStatistics::initialize_manager(const AppIdConfig& config) { - if ( !config.stats_logging_enabled ) + if ( !config.log_stats ) return nullptr; appid_stats_manager = new AppIdStatistics(config); diff --git a/src/network_inspectors/appid/appid_stats.h b/src/network_inspectors/appid/appid_stats.h index 425b54495..b45a6b0ee 100644 --- a/src/network_inspectors/appid/appid_stats.h +++ b/src/network_inspectors/appid/appid_stats.h @@ -82,7 +82,6 @@ private: time_t bucketInterval = 0; time_t bucketEnd = 0; size_t rollSize = 0; - time_t rollPeriod = 0; }; #endif diff --git a/src/network_inspectors/appid/lua_detector_module.cc b/src/network_inspectors/appid/lua_detector_module.cc index 5788371d5..b85003d79 100644 --- a/src/network_inspectors/appid/lua_detector_module.cc +++ b/src/network_inspectors/appid/lua_detector_module.cc @@ -212,7 +212,7 @@ void LuaDetectorManager::initialize(AppIdContext& ctxt, int is_control) lua_detector_mgr->initialize_lua_detectors(); lua_detector_mgr->activate_lua_detectors(); - if (ctxt.config.debug) + if (ctxt.config.list_odp_detectors) lua_detector_mgr->list_lua_detectors(); } diff --git a/src/network_inspectors/arp_spoof/arp_spoof.cc b/src/network_inspectors/arp_spoof/arp_spoof.cc index b768627fc..7678a6ed8 100644 --- a/src/network_inspectors/arp_spoof/arp_spoof.cc +++ b/src/network_inspectors/arp_spoof/arp_spoof.cc @@ -71,6 +71,9 @@ #include "config.h" #endif +#include +#include + #include "detection/detection_engine.h" #include "events/event_queue.h" #include "log/messages.h" @@ -103,6 +106,33 @@ static const IPMacEntry* LookupIPMacEntryByIP(const IPMacEntryList& ipmel, uint3 return nullptr; } +static std::string to_hex_string(const uint8_t* data, size_t len) +{ + std::stringstream ss; + ss << std::hex; + for (size_t i = 0; i < len; i++) + ss << std::setw(2) << std::setfill('0') << (unsigned int)data[i]; + return ss.str(); +} + +static void arp_config_show(const ArpSpoofConfig* config) +{ + if ( !config->ipmel.size() ) + return; + + ConfigLogger::log_list("hosts", "(list)"); + + for (auto& ip : config->ipmel) + { + std::string ip_mac; + SfIpString ip_str; + snort_inet_ntop(AF_INET, &ip.ipv4_addr, ip_str, sizeof(SfIpString)); + ip_mac += "{ ip = " + std::string(ip_str); + ip_mac += ", mac = " + to_hex_string(ip.mac_addr, sizeof(ip.mac_addr)) + " }"; + ConfigLogger::log_list("", ip_mac.c_str()); + } +} + //------------------------------------------------------------------------- // class stuff //------------------------------------------------------------------------- @@ -113,6 +143,7 @@ public: ArpSpoof(ArpSpoofModule*); ~ArpSpoof() override; + void show(snort::SnortConfig*) override; void eval(Packet*) override; private: @@ -129,6 +160,12 @@ ArpSpoof::~ArpSpoof () delete config; } +void ArpSpoof::show(SnortConfig*) +{ + if ( config ) + arp_config_show(config); +} + void ArpSpoof::eval(Packet* p) { Profile profile(arpPerfStats); diff --git a/src/network_inspectors/normalize/norm.h b/src/network_inspectors/normalize/norm.h index d2bb2cf93..6cbbec385 100644 --- a/src/network_inspectors/normalize/norm.h +++ b/src/network_inspectors/normalize/norm.h @@ -67,9 +67,9 @@ inline void Norm_Set(NormalizerConfig* nc, NormFlags nf, bool enable) Norm_Disable(nc, nf); } -inline int Norm_IsEnabled(const NormalizerConfig* nc, NormFlags nf) +inline bool Norm_IsEnabled(const NormalizerConfig* nc, NormFlags nf) { - return ( (nc->normalizer_flags & nf) != 0 ); + return nc->normalizer_flags & nf; } inline void Norm_TcpPassOption(NormalizerConfig* nc, uint8_t opt) @@ -84,10 +84,10 @@ inline void Norm_TcpDropOption(NormalizerConfig* nc, uint8_t opt) nc->normalizer_options[byte] &= ~bit; } -inline int Norm_TcpIsOptional(const NormalizerConfig* nc, uint8_t opt) +inline bool Norm_TcpIsOptional(const NormalizerConfig* nc, uint8_t opt) { uint8_t byte = (opt >> 3), bit = (1 << (opt & 0x07)); - return ( (nc->normalizer_options[byte] & bit) != 0 ); + return nc->normalizer_options[byte] & bit; } const PegInfo* Norm_GetPegs(); diff --git a/src/network_inspectors/normalize/normalize.cc b/src/network_inspectors/normalize/normalize.cc index 5be0a08ac..2da195ff8 100644 --- a/src/network_inspectors/normalize/normalize.cc +++ b/src/network_inspectors/normalize/normalize.cc @@ -40,127 +40,163 @@ static THREAD_LOCAL uint32_t t_flags = 0; //------------------------------------------------------------------------- // printing stuff //------------------------------------------------------------------------- - -#define ON "on" -#define OFF "off" - -static inline void LogConf(const char* p, const char* s) +static inline std::string to_str(bool flag) { - LogMessage("%12s: %s\n", p, s); + return flag ? "enabled" : "disabled"; } -static inline void LogFlag( - const char* p, const NormalizerConfig* nc, NormFlags nf) +static void print_ip4(const NormalizerConfig* nc) { - const char* s = Norm_IsEnabled(nc, nf) ? ON : OFF; - LogConf(p, s); -} + bool ip4 = Norm_IsEnabled(nc, (NormFlags)NORM_IP4_ANY); + ConfigLogger::log_flag("ip4", ip4); -static void Print_IP4(SnortConfig*, const NormalizerConfig* nc) -{ - if ( !Norm_IsEnabled(nc, (NormFlags)NORM_IP4_ANY) ) + if ( !ip4 ) return; - LogFlag("ip4.base", nc, NORM_IP4_BASE); - //LogFlag("ip4.id", nc, NORM_IP4_ID); - LogFlag("ip4.df", nc, NORM_IP4_DF); - LogFlag("ip4.rf", nc, NORM_IP4_RF); - LogFlag("ip4.tos", nc, NORM_IP4_TOS); - LogFlag("ip4.trim", nc, NORM_IP4_TRIM); + std::string opts; + opts += "{ base = " + to_str(Norm_IsEnabled(nc, NORM_IP4_BASE)); + opts += ", df = " + to_str(Norm_IsEnabled(nc, NORM_IP4_DF)); + opts += ", rf = " + to_str(Norm_IsEnabled(nc, NORM_IP4_RF)); + opts += ", tos = " + to_str(Norm_IsEnabled(nc, NORM_IP4_TOS)); + opts += ", trim = " + to_str(Norm_IsEnabled(nc, NORM_IP4_TRIM)); + opts += ", ttl = " + to_str(Norm_IsEnabled(nc, NORM_IP4_TTL)); if ( Norm_IsEnabled(nc, NORM_IP4_TTL) ) { NetworkPolicy* policy = get_network_policy(); - LogMessage("%12s: %s (min=%d, new=%d)\n", "ip4.ttl", ON, - policy->min_ttl, policy->new_ttl); + opts += ", min_ttl = " + std::to_string(policy->min_ttl); + opts += ", new_ttl = " + std::to_string(policy->new_ttl); } - else - LogConf("ip4.ttl", OFF); + + opts += " }"; + + ConfigLogger::log_list("ip4", opts.c_str()); } -static void Print_ICMP4(const NormalizerConfig* nc) +static void print_icmp4(const NormalizerConfig* nc) { - LogFlag("icmp4", nc, NORM_ICMP4); + ConfigLogger::log_flag("icmp4", Norm_IsEnabled(nc, NORM_ICMP4)); } -static void Print_IP6(SnortConfig*, const NormalizerConfig* nc) +static void print_ip6(const NormalizerConfig* nc) { - if ( !Norm_IsEnabled(nc, (NormFlags)NORM_IP6_ANY) ) + bool ip6 = Norm_IsEnabled(nc, (NormFlags)NORM_IP6_ANY); + ConfigLogger::log_flag("ip6", ip6); + + if ( !ip6 ) return; - LogFlag("ip6.base", nc, NORM_IP6_BASE); + std::string opts; + opts += "{ base = " + to_str(Norm_IsEnabled(nc, NORM_IP6_BASE)); if ( Norm_IsEnabled(nc, NORM_IP6_TTL) ) { NetworkPolicy* policy = get_network_policy(); - LogMessage("%12s: %s (min=%d, new=%d)\n", "ip6.hops", - ON, policy->min_ttl, policy->new_ttl); + opts += ", min_ttl = " + std::to_string(policy->min_ttl); + opts += ", new_ttl = " + std::to_string(policy->new_ttl); } + + opts += " }"; + + ConfigLogger::log_list("ip6", opts.c_str()); +} + +static void print_icmp6(const NormalizerConfig* nc) +{ + ConfigLogger::log_flag("icmp6", Norm_IsEnabled(nc, NORM_ICMP6)); +} + +static std::string get_allowed_names(const NormalizerConfig* config) +{ + std::string names; + if ( Norm_TcpIsOptional(config, 4) or Norm_TcpIsOptional(config, 5) ) + names += "sack"; + + if ( Norm_TcpIsOptional(config, 6) or Norm_TcpIsOptional(config, 7) ) + names += " echo"; + + if ( Norm_TcpIsOptional(config, 9) or Norm_TcpIsOptional(config, 10) ) + names += " partial_order"; + + if ( Norm_TcpIsOptional(config, 11) or Norm_TcpIsOptional(config, 12) + or Norm_TcpIsOptional(config, 13) ) + names += " conn_count"; + + if ( Norm_TcpIsOptional(config, 14) or Norm_TcpIsOptional(config, 15) ) + names += " alt_checksum"; + + if ( Norm_TcpIsOptional(config, 19) ) + names += " md5"; + + return names; } -static void Print_ICMP6(const NormalizerConfig* nc) +static std::string get_allowed_codes(const NormalizerConfig* nc) { - LogFlag("icmp6", nc, NORM_ICMP6); + std::string codes; + std::unordered_set named_codes = {4, 5, 6, 7, 9, 10, 11, 12, 13, 14, 15, 19}; + + for (int opt = 2; opt < 256; opt++) + { + if ( Norm_TcpIsOptional(nc, opt) and !named_codes.count(opt) ) + codes += std::to_string(opt) + ", "; + } + + if ( !codes.empty() ) + codes.erase(codes.end() - 2); + + return codes; } -static void Print_TCP(const NormalizerConfig* nc) +static void print_tcp(const NormalizerConfig* nc) { - if ( !Norm_IsEnabled(nc, (NormFlags)NORM_TCP_ANY) ) + bool tcp = Norm_IsEnabled(nc, (NormFlags)NORM_TCP_ANY); + ConfigLogger::log_flag("tcp", tcp); + + if ( !tcp ) return; - const char* s; + std::string opts; + opts += "{ ecn = "; if ( Norm_IsEnabled(nc, NORM_TCP_ECN_PKT) ) - s = "packet"; + opts += "packet"; else if ( Norm_IsEnabled(nc, NORM_TCP_ECN_STR) ) - s = "stream"; + opts +="stream"; else - s = OFF; - - LogConf("tcp.ecn", s); - LogFlag("tcp.block", nc, NORM_TCP_BLOCK); - LogFlag("tcp.rsv", nc, NORM_TCP_RSV); - LogFlag("tcp.pad", nc, NORM_TCP_PAD); - LogFlag("tcp.req_urg", nc, NORM_TCP_REQ_URG); - LogFlag("tcp.req_pay", nc, NORM_TCP_REQ_PAY); - LogFlag("tcp.req_urp", nc, NORM_TCP_REQ_URP); - LogFlag("tcp.urp", nc, NORM_TCP_URP); - - if ( Norm_IsEnabled(nc, NORM_TCP_OPT) ) + opts += to_str(false); + + opts += ", block = " + to_str(Norm_IsEnabled(nc, NORM_TCP_BLOCK)); + opts += ", rsv = " + to_str(Norm_IsEnabled(nc, NORM_TCP_RSV)); + opts += ", pad = " + to_str(Norm_IsEnabled(nc, NORM_TCP_PAD)); + opts += ", req_urg = " + to_str(Norm_IsEnabled(nc, NORM_TCP_REQ_URG)); + opts += ", req_pay = " + to_str(Norm_IsEnabled(nc, NORM_TCP_REQ_PAY)); + opts += ", req_urp = " + to_str(Norm_IsEnabled(nc, NORM_TCP_REQ_URP)); + opts += ", urp = " + to_str(Norm_IsEnabled(nc, NORM_TCP_URP)); + opts += ", ips = " + to_str(Norm_IsEnabled(nc, NORM_TCP_IPS)); + + auto names = get_allowed_names(nc); + auto codes = get_allowed_codes(nc); + + if ( !names.empty() ) + opts += ", allow_names = { " + names + " }"; + + if ( !codes.empty() ) + opts += ", allow_codes = { " + codes + " }"; + + if ( Norm_IsEnabled(nc, (NormFlags)NORM_TCP_TRIM_ANY) ) { - char buf[1024]; - char* p = buf; - int opt; - int buf_size = sizeof(buf); - - int len = safe_snprintf(p, buf_size, "%s", "(allow "); - p += len; - buf_size -= len; - bool opt_printed = false; - // TBD translate options to keywords allowed by parser - for ( opt = 2; opt < 256; opt++ ) - { - if ( Norm_TcpIsOptional(nc, opt) ) - { - const char* fmt = opt_printed ? ",%d" : "%d"; - len = safe_snprintf(p, buf_size, fmt, opt); - if (len >0) - opt_printed = true; - p += len; - buf_size -= len; - } - } - snprintf(p, buf_size, "%c", ')'); - LogMessage("%12s: %s %s\n", "tcp.opt", ON, buf); + opts += ", trim_syn = " + to_str(Norm_IsEnabled(nc, NORM_TCP_TRIM_SYN)); + opts += ", trim_rst = " + to_str(Norm_IsEnabled(nc, NORM_TCP_TRIM_RST)); + opts += ", trim_win = " + to_str(Norm_IsEnabled(nc, NORM_TCP_TRIM_WIN)); + opts += ", trim_mss = " + to_str(Norm_IsEnabled(nc, NORM_TCP_TRIM_MSS)); } else - LogConf("tcp.opt", OFF); + opts += ", trim = " + to_str(false); + + opts += " }"; - LogFlag("tcp.ips", nc, NORM_TCP_IPS); - LogFlag("tcp.trim_syn", nc, NORM_TCP_TRIM_SYN); - LogFlag("tcp.trim_rst", nc, NORM_TCP_TRIM_RST); - LogFlag("tcp.trim_win", nc, NORM_TCP_TRIM_WIN); - LogFlag("tcp.trim_mss", nc, NORM_TCP_TRIM_MSS); + ConfigLogger::log_list("tcp", opts.c_str()); } //------------------------------------------------------------------------- @@ -215,7 +251,7 @@ bool Normalize_IsEnabled(NormFlags nf) return false; NetworkPolicy* nap = get_network_policy(); - return ( (nap->normal_mask & nf) != 0 ); + return nap->normal_mask & nf; } NormMode Normalize_GetMode(NormFlags nf) @@ -230,13 +266,13 @@ NormMode Normalize_GetMode(NormFlags nf) return NORM_MODE_TEST; } -void Normalizer::show(SnortConfig* sc) +void Normalizer::show(SnortConfig*) { - Print_IP4(sc, &config); - Print_IP6(sc, &config); - Print_ICMP4(&config); - Print_ICMP6(&config); - Print_TCP(&config); + print_ip4(&config); + print_ip6(&config); + print_icmp4(&config); + print_icmp6(&config); + print_tcp(&config); } void Normalizer::eval(Packet* p) diff --git a/src/network_inspectors/normalize/normalize.h b/src/network_inspectors/normalize/normalize.h index 2687ac382..ea108cfb4 100644 --- a/src/network_inspectors/normalize/normalize.h +++ b/src/network_inspectors/normalize/normalize.h @@ -55,6 +55,7 @@ enum NormFlags NORM_TCP_REQ_URG = 0x01000000, // clear URP if URG = 0 NORM_TCP_REQ_PAY = 0x02000000, // clear URP/URG on no payload NORM_TCP_REQ_URP = 0x04000000, // clear URG if URP is not set + NORM_ALL = 0xFFFFFFFF, // all normalizations on }; @@ -71,8 +72,10 @@ bool Normalize_IsEnabled(NormFlags); NormMode Normalize_GetMode(NormFlags); #define NORM_IP4_ANY (0xFF) -#define NORM_IP6_ANY (NORM_IP6_BASE|NORM_IP6_TTL) -#define NORM_TCP_ANY (0xFF000) +#define NORM_IP6_ANY (NORM_IP6_BASE | NORM_IP6_TTL) +#define NORM_TCP_ANY (0xFFFF000) +#define NORM_TCP_TRIM_ANY (NORM_TCP_TRIM_SYN | NORM_TCP_TRIM_RST | \ + NORM_TCP_TRIM_WIN | NORM_TCP_TRIM_MSS) #endif diff --git a/src/network_inspectors/packet_capture/packet_capture.cc b/src/network_inspectors/packet_capture/packet_capture.cc index 5add618bf..925a3b027 100644 --- a/src/network_inspectors/packet_capture/packet_capture.cc +++ b/src/network_inspectors/packet_capture/packet_capture.cc @@ -168,6 +168,7 @@ public: PacketCapture(CaptureModule*); // non-static functions + void show(SnortConfig*) override; void eval(Packet*) override; void tterm() override { capture_term(); } @@ -196,6 +197,13 @@ bool PacketCapture::capture_init() return false; } +void PacketCapture::show(SnortConfig*) +{ + ConfigLogger::log_flag("enable", config.enabled); + if ( config.enabled ) + ConfigLogger::log_value("filter", config.filter.c_str()); +} + void PacketCapture::eval(Packet* p) { diff --git a/src/network_inspectors/perf_monitor/perf_module.h b/src/network_inspectors/perf_monitor/perf_module.h index 02f446a13..c6a2aa8be 100644 --- a/src/network_inspectors/perf_monitor/perf_module.h +++ b/src/network_inspectors/perf_monitor/perf_module.h @@ -35,10 +35,8 @@ #define PERF_BASE 0x00000001 #define PERF_CPU 0x00000002 #define PERF_FLOW 0x00000004 -#define PERF_EVENT 0x00000008 -#define PERF_BASE_MAX 0x00000010 -#define PERF_FLOWIP 0x00000020 -#define PERF_SUMMARY 0x00000040 +#define PERF_FLOWIP 0x00000008 +#define PERF_SUMMARY 0x00000010 #define ROLLOVER_THRESH 512 #define MAX_PERF_FILE_SIZE UINT64_MAX diff --git a/src/network_inspectors/perf_monitor/perf_monitor.cc b/src/network_inspectors/perf_monitor/perf_monitor.cc index d18ffdddd..4f5e93118 100644 --- a/src/network_inspectors/perf_monitor/perf_monitor.cc +++ b/src/network_inspectors/perf_monitor/perf_monitor.cc @@ -123,58 +123,58 @@ private: PerfMonitor::PerfMonitor(PerfConfig* pcfg) : config(pcfg) { assert (config != nullptr); } -void PerfMonitor::show(SnortConfig*) +static const char* to_string(const PerfOutput& po) { - LogMessage(" Sample Time: %d seconds\n", config->sample_interval); - LogMessage(" Packet Count: %d\n", config->pkt_cnt); - LogMessage(" Max File Size: " STDu64 "\n", config->max_file_size); - LogMessage(" Summary Mode: %s\n", - (config->perf_flags & PERF_SUMMARY) ? "ACTIVE" : "INACTIVE"); - LogMessage(" Base Stats: %s\n", - (config->perf_flags & PERF_BASE) ? "ACTIVE" : "INACTIVE"); - LogMessage(" Flow Stats: %s\n", - (config->perf_flags & PERF_FLOW) ? "ACTIVE" : "INACTIVE"); - if (config->perf_flags & PERF_FLOW) - { - LogMessage(" Max Flow Port: %u\n", config->flow_max_port_to_track); - } - LogMessage(" Event Stats: %s\n", - (config->perf_flags & PERF_EVENT) ? "ACTIVE" : "INACTIVE"); - LogMessage(" Flow IP Stats: %s\n", - (config->perf_flags & PERF_FLOWIP) ? "ACTIVE" : "INACTIVE"); - if (config->perf_flags & PERF_FLOWIP) + switch (po) { - LogMessage(" Flow IP Memcap: %zu\n", config->flowip_memcap); + case PerfOutput::TO_CONSOLE: + return "console"; + case PerfOutput::TO_FILE: + return "file"; } - LogMessage(" CPU Stats: %s\n", - (config->perf_flags & PERF_CPU) ? "ACTIVE" : "INACTIVE"); - switch ( config->output ) - { - case PerfOutput::TO_CONSOLE: - LogMessage(" Output Location: console\n"); - break; - case PerfOutput::TO_FILE: - LogMessage(" Output Location: file\n"); - break; - } - switch(config->format) + + return ""; +} + +static const char* to_string(const PerfFormat& pf) +{ + switch (pf) { - case PerfFormat::TEXT: - LogMessage(" Output Format: text\n"); - break; - case PerfFormat::CSV: - LogMessage(" Output Format: csv\n"); - break; - case PerfFormat::JSON: - LogMessage(" Output Format: json\n"); - break; + case PerfFormat::TEXT: + return "text"; + case PerfFormat::CSV: + return "csv"; + case PerfFormat::JSON: + return "json"; #ifdef HAVE_FLATBUFFERS - case PerfFormat::FBS: - LogMessage(" Output Format: flatbuffers\n"); - break; + case PerfFormat::FBS: + return "flatbuffers"; #endif - default: break; + case PerfFormat::MOCK: + return "mock"; } + + return ""; +} + +void PerfMonitor::show(SnortConfig*) +{ + ConfigLogger::log_flag("base", config->perf_flags & PERF_BASE); + ConfigLogger::log_flag("cpu", config->perf_flags & PERF_CPU); + ConfigLogger::log_flag("summary", config->perf_flags & PERF_SUMMARY); + + if ( ConfigLogger::log_flag("flow", config->perf_flags & PERF_FLOW) ) + ConfigLogger::log_value("flow_ports", config->flow_max_port_to_track); + + if ( ConfigLogger::log_flag("flow_ip", config->perf_flags & PERF_FLOWIP) ) + ConfigLogger::log_value("flow_ip_memcap", config->flowip_memcap); + + ConfigLogger::log_value("packets", config->pkt_cnt); + ConfigLogger::log_value("seconds", config->sample_interval); + ConfigLogger::log_value("max_file_size", config->max_file_size); + + ConfigLogger::log_value("output", to_string(config->output)); + ConfigLogger::log_value("format", to_string(config->format)); } void PerfMonitor::disable_tracker(size_t i) diff --git a/src/network_inspectors/port_scan/port_scan.cc b/src/network_inspectors/port_scan/port_scan.cc index a129ac176..e2435f7c6 100644 --- a/src/network_inspectors/port_scan/port_scan.cc +++ b/src/network_inspectors/port_scan/port_scan.cc @@ -290,116 +290,120 @@ static void PortscanAlert(PS_PKT* ps_pkt, PS_PROTO* proto, int proto_type) } } -static void PrintIPPortSet(IP_PORT* p) +static std::string get_protos(int ds) { - char output_str[80]; - - SfIpString ip_str; - p->ip.get_addr()->ntop(ip_str); - - if (p->notflag) - SnortSnprintf(output_str, sizeof(output_str), " !%s", ip_str); - else - SnortSnprintf(output_str, sizeof(output_str), " %s", ip_str); - - if (((p->ip.get_family() == AF_INET6) and (p->ip.get_bits() != 128)) || - ((p->ip.get_family() == AF_INET ) and (p->ip.get_bits() != 32 ))) - SnortSnprintfAppend(output_str, sizeof(output_str), "/%d", p->ip.get_bits()); - - SF_LNODE* cursor; - PORTRANGE* pr =(PORTRANGE*)sflist_first(&p->portset.port_list, &cursor); - - if ( pr and pr->port_lo != 0 ) - SnortSnprintfAppend(output_str, sizeof(output_str), " : "); - - for (; pr != nullptr; - pr=(PORTRANGE*)sflist_next(&cursor) ) - { - if ( pr->port_lo != 0) - { - SnortSnprintfAppend(output_str, sizeof(output_str), "%u", pr->port_lo); - if ( pr->port_hi != pr->port_lo ) - { - SnortSnprintfAppend(output_str, sizeof(output_str), "-%u", pr->port_hi); - } - SnortSnprintfAppend(output_str, sizeof(output_str), " "); - } - } - LogMessage("%s\n", output_str); + std::string protos; + + if ( !ds ) + return "none"; + if ( (ds & PS_PROTO_ALL) == PS_PROTO_ALL ) + return "all"; + if ( ds & PS_PROTO_TCP ) + protos += "tcp "; + if ( ds & PS_PROTO_UDP ) + protos += "udp "; + if ( ds & PS_PROTO_ICMP ) + protos += "icmp "; + if ( ds & PS_PROTO_IP ) + protos += "ip "; + + protos.pop_back(); + + return protos; } -static void PrintPortscanConf(PortscanConfig* config) +static std::string get_types(int dst) { - char buf[STD_BUF + 1]; - - SnortSnprintf(buf, sizeof(buf), " Detect Protocols: "); - - if ( config->detect_scans & PS_PROTO_TCP ) - sfsnprintfappend(buf, sizeof(buf)-1, "TCP "); - - if ( config->detect_scans & PS_PROTO_UDP ) - sfsnprintfappend(buf, sizeof(buf)-1, "UDP "); + std::string types; + + if ( !dst ) + return "none"; + if ( (dst & PS_TYPE_ALL) == PS_TYPE_ALL ) + return "all"; + if ( dst & PS_TYPE_PORTSCAN ) + types += "portscan "; + if ( dst & PS_TYPE_PORTSWEEP ) + types += "portsweep "; + if ( dst & PS_TYPE_DECOYSCAN ) + types += "decoy_portscan "; + if ( dst & PS_TYPE_DISTPORTSCAN ) + types += "distributed_portscan "; + + types.pop_back(); + + return types; +} - if ( config->detect_scans & PS_PROTO_ICMP ) - sfsnprintfappend(buf, sizeof(buf)-1, "ICMP "); +static std::string to_string(const IPSET* list) +{ + SF_LNODE* cursor; + std::string ipset; - if ( config->detect_scans & PS_PROTO_IP ) - sfsnprintfappend(buf, sizeof(buf)-1, "IP"); + for (auto p = (const IP_PORT*)sflist_first(&list->ip_list, &cursor); p; + p = (const IP_PORT*)sflist_next(&cursor)) + { + SfIpString ip_str; - LogMessage("%s\n", buf); - SnortSnprintf(buf, sizeof(buf), " Detect Scan Type: "); + p->ip.get_addr()->ntop(ip_str); - if (config->detect_scan_type & PS_TYPE_PORTSCAN) - sfsnprintfappend(buf, sizeof(buf)-1, "portscan "); + if ( p->notflag ) + ipset += "!"; - if (config->detect_scan_type & PS_TYPE_PORTSWEEP) - sfsnprintfappend(buf, sizeof(buf)-1, "portsweep "); + ipset += std::string(ip_str); - if (config->detect_scan_type & PS_TYPE_DECOYSCAN) - sfsnprintfappend(buf, sizeof(buf)-1, "decoy_portscan "); + if ( ((p->ip.get_family() == AF_INET6) and (p->ip.get_bits() != 128)) or + ((p->ip.get_family() == AF_INET ) and (p->ip.get_bits() != 32 )) ) + ipset += "/" + std::to_string(p->ip.get_bits()); - if (config->detect_scan_type & PS_TYPE_DISTPORTSCAN) - sfsnprintfappend(buf, sizeof(buf)-1, "distributed_portscan"); + SF_LNODE* pr_cursor; + auto pr =(const PORTRANGE*)sflist_first(&p->portset.port_list, &pr_cursor); - LogMessage("%s\n", buf); - LogMessage(" Memcap (in bytes): %zu\n", config->memcap); - LogMessage(" Number of Nodes: %zu\n", config->memcap / ps_node_size()); + if ( pr and pr->port_lo ) + ipset += " : "; - if ( config->logfile ) - LogMessage(" Logfile: %s\n", "yes"); + for (; pr; pr = (const PORTRANGE*)sflist_next(&pr_cursor)) + { + if ( pr->port_lo ) + { + ipset += std::to_string(pr->port_lo); + if ( pr->port_hi != pr->port_lo ) + ipset += "-" + std::to_string(pr->port_hi); + ipset += " "; + } + } + ipset += ", "; + } - if (config->ignore_scanners) - { - LogMessage(" Ignore Scanner IP List:\n"); - SF_LNODE* cursor; + if ( ipset.empty() ) + return "none"; - IP_PORT* p = (IP_PORT*)sflist_first(&config->ignore_scanners->ip_list, &cursor); + ipset.erase(ipset.end() - 2); - for ( ; p; p = (IP_PORT*)sflist_next(&cursor) ) - PrintIPPortSet(p); - } + return ipset; +} - if (config->ignore_scanned) - { - LogMessage(" Ignore Scanned IP List:\n"); - SF_LNODE* cursor; +static void portscan_config_show(const PortscanConfig* config) +{ + ConfigLogger::log_value("memcap", config->memcap); + ConfigLogger::log_value("protos", get_protos(config->detect_scans).c_str()); + ConfigLogger::log_value("scan_types", get_types(config->detect_scan_type).c_str()); - IP_PORT* p = (IP_PORT*)sflist_first(&config->ignore_scanned->ip_list, &cursor); + if ( config->watch_ip ) + ConfigLogger::log_list("watch_ip", to_string(config->watch_ip).c_str()); - for ( ; p; p = (IP_PORT*)sflist_next(&cursor) ) - PrintIPPortSet(p); - } + if ( config->ignore_scanners ) + ConfigLogger::log_list("ignore_scanners", to_string(config->ignore_scanners).c_str()); - if (config->watch_ip) - { - LogMessage(" Watch IP List:\n"); - SF_LNODE* cursor; + if ( config->ignore_scanned ) + ConfigLogger::log_list("ignore_scanned", to_string(config->ignore_scanned).c_str()); - IP_PORT* p = (IP_PORT*)sflist_first(&config->watch_ip->ip_list, &cursor); + ConfigLogger::log_flag("alert_all", config->alert_all); + ConfigLogger::log_flag("include_midstream", config->include_midstream); - for ( ; p; p = (IP_PORT*)sflist_next(&cursor) ) - PrintIPPortSet(p); - } + ConfigLogger::log_value("tcp_window", config->tcp_window); + ConfigLogger::log_value("udp_window", config->udp_window); + ConfigLogger::log_value("ip_window", config->ip_window); + ConfigLogger::log_value("icmp_window", config->icmp_window); } //------------------------------------------------------------------------- @@ -429,7 +433,8 @@ void PortScan::tterm() void PortScan::show(SnortConfig*) { - PrintPortscanConf(config); + if ( config ) + portscan_config_show(config); } void PortScan::eval(Packet* p) diff --git a/src/network_inspectors/reputation/reputation_inspect.cc b/src/network_inspectors/reputation/reputation_inspect.cc index 92246b78d..1813009e8 100644 --- a/src/network_inspectors/reputation/reputation_inspect.cc +++ b/src/network_inspectors/reputation/reputation_inspect.cc @@ -75,45 +75,6 @@ const char* WhiteActionOption[] = */ static void snort_reputation(ReputationConfig* GlobalConf, Packet* p); -static void print_iplist_stats(ReputationConfig* config) -{ - /*Print out the summary*/ - LogMessage(" Reputation total memory usage: " STDu64 " bytes\n", - reputationstats.memory_allocated); - config->num_entries = sfrt_flat_num_entries(config->ip_list); - LogMessage(" Reputation total entries loaded: %u, invalid: %lu, re-defined: %lu\n", - config->num_entries,total_invalids,total_duplicates); -} - -static void print_reputation_conf(ReputationConfig* config) -{ - assert(config); - - print_iplist_stats(config); - - LogMessage(" Memcap: %d %s \n", - config->memcap, - config->memcap == 500 ? "(Default) M bytes" : "M bytes"); - LogMessage(" Scan local network: %s\n", - config->scanlocal ? "ENABLED" : "DISABLED (Default)"); - LogMessage(" Reputation priority: %s \n", - config->priority == WHITELISTED_TRUST ? - "whitelist (Default)" : "blacklist"); - LogMessage(" Nested IP: %s %s \n", - NestedIPKeyword[config->nested_ip], - config->nested_ip == INNER ? "(Default)" : ""); - LogMessage(" White action: %s %s \n", - WhiteActionOption[config->white_action], - config->white_action == UNBLACK ? "(Default)" : ""); - if (config->blacklist_path.size()) - LogMessage(" Blacklist File Path: %s\n", config->blacklist_path.c_str()); - - if (config->whitelist_path.size()) - LogMessage(" Whitelist File Path: %s\n", config->whitelist_path.c_str()); - - LogMessage("\n"); -} - static inline IPrepInfo* reputation_lookup(ReputationConfig* config, const SfIp* ip) { IPrepInfo* result; @@ -246,6 +207,7 @@ static IPdecision reputation_decision(ReputationConfig* config, Packet* p) } // For OUTER or ALL, save current layers, iterate, then restore layers as needed + ip::IpApi blocked_api; ip::IpApi tmp_api = p->ptrs.ip_api; int8_t num_layer = 0; IpProtocol tmp_next = p->get_ip_proto_next(); @@ -254,13 +216,10 @@ static IPdecision reputation_decision(ReputationConfig* config, Packet* p) { layer::set_outer_ip_api(p, p->ptrs.ip_api, p->ip_proto_next, num_layer); decision_per_layer(config, p, ingress_zone, egress_zone, p->ptrs.ip_api, &decision_final); - if (decision_final != BLACKLISTED_SRC and decision_final != BLACKLISTED_DST) - p->ptrs.ip_api = tmp_api; } else if (config->nested_ip == ALL) { bool done = false; - ip::IpApi blocked_api; IPdecision decision_current = DECISION_NULL; while (!done and layer::set_outer_ip_api(p, p->ptrs.ip_api, p->ip_proto_next, num_layer)) @@ -275,14 +234,15 @@ static IPdecision reputation_decision(ReputationConfig* config, Packet* p) decision_current = DECISION_NULL; } } - if (decision_final != BLACKLISTED_SRC and decision_final != BLACKLISTED_DST) - p->ptrs.ip_api = tmp_api; - else if (p->ptrs.ip_api != blocked_api) - p->ptrs.ip_api = blocked_api; } else assert(false); // Should never hit this + if (decision_final != BLACKLISTED_SRC and decision_final != BLACKLISTED_DST) + p->ptrs.ip_api = tmp_api; + else if (config->nested_ip == ALL and p->ptrs.ip_api != blocked_api) + p->ptrs.ip_api = blocked_api; + p->ip_proto_next = tmp_next; return decision_final; } @@ -367,6 +327,65 @@ static unsigned create_reputation_id() return reputation_id_tracker; } +static const char* to_string(NestedIP nip) +{ + switch (nip) + { + case INNER: + return "inner"; + case OUTER: + return "outer"; + case ALL: + return "all"; + } + + return ""; +} + +static const char* to_string(WhiteAction wa) +{ + switch (wa) + { + case UNBLACK: + return "unblack"; + case TRUST: + return "trust"; + } + + return ""; +} + +static const char* to_string(IPdecision ipd) +{ + switch (ipd) + { + case BLACKLISTED: + return "blacklisted"; + case WHITELISTED_TRUST: + return "whitelisted_trust"; + case MONITORED: + return "monitored"; + case BLACKLISTED_SRC: + return "blacklisted_src"; + case BLACKLISTED_DST: + return "blacklisted_dst"; + case WHITELISTED_TRUST_SRC: + return "whitelisted_trust_src"; + case WHITELISTED_TRUST_DST: + return "whitelisted_trust_dst"; + case WHITELISTED_UNBLACK: + return "whitelisted_unblack"; + case MONITORED_SRC: + return "monitored_src"; + case MONITORED_DST: + return "monitored_dst"; + case DECISION_NULL: + case DECISION_MAX: + default: + return ""; + } +} + //------------------------------------------------------------------------- // class stuff //------------------------------------------------------------------------- @@ -394,7 +413,14 @@ Reputation::Reputation(ReputationConfig* pc) void Reputation::show(SnortConfig*) { - print_reputation_conf(&config); + ConfigLogger::log_value("blacklist", config.blacklist_path.c_str()); + ConfigLogger::log_value("list_dir", config.list_dir.c_str()); + ConfigLogger::log_value("memcap", config.memcap); + ConfigLogger::log_value("nested_ip", to_string(config.nested_ip)); + ConfigLogger::log_value("priority", to_string(config.priority)); + ConfigLogger::log_flag("scan_local", config.scanlocal); + ConfigLogger::log_value("white (action)", to_string(config.white_action)); + ConfigLogger::log_value("whitelist", config.whitelist_path.c_str()); } void Reputation::eval(Packet* p) diff --git a/src/network_inspectors/rna/rna_inspector.cc b/src/network_inspectors/rna/rna_inspector.cc index d0cee9011..19fbb97ba 100644 --- a/src/network_inspectors/rna/rna_inspector.cc +++ b/src/network_inspectors/rna/rna_inspector.cc @@ -102,31 +102,25 @@ void RnaInspector::eval(Packet* p) void RnaInspector::show(SnortConfig*) { - if (mod_conf) + if ( mod_conf ) { - if (!mod_conf->rna_conf_path.empty()) - LogMessage(" Config path: %s\n", mod_conf->rna_conf_path.c_str()); - if (!mod_conf->rna_util_lib_path.empty()) - LogMessage(" Library path: %s\n", mod_conf->rna_util_lib_path.c_str()); - if (!mod_conf->fingerprint_dir.empty()) - LogMessage(" Fingerprint dir: %s\n", mod_conf->fingerprint_dir.c_str()); - if (!mod_conf->custom_fingerprint_dir.empty()) - LogMessage(" Custom fingerprint dir: %s\n", - mod_conf->custom_fingerprint_dir.c_str()); - LogMessage(" Enable logger: %d\n", mod_conf->enable_logger); + ConfigLogger::log_value("rna_conf_path", mod_conf->rna_conf_path.c_str()); + ConfigLogger::log_value("rna_util_lib_path", mod_conf->rna_util_lib_path.c_str()); + ConfigLogger::log_value("fingerprint_dir", mod_conf->fingerprint_dir.c_str()); + ConfigLogger::log_value("custom_fingerprint_dir", mod_conf->custom_fingerprint_dir.c_str()); + ConfigLogger::log_flag("enable_logger", mod_conf->enable_logger); + ConfigLogger::log_flag("log_when_idle", mod_conf->log_when_idle); } - if (rna_conf) + if ( rna_conf ) { - LogMessage(" Update timeout: %u secs\n", rna_conf->update_timeout); - LogMessage(" Max host client apps: %u\n", rna_conf->max_host_client_apps); - LogMessage(" Max payloads: %u\n", rna_conf->max_payloads); - LogMessage(" Max host services: %u\n", rna_conf->max_host_services); - LogMessage(" Max host service info: %u\n", rna_conf->max_host_service_info); - LogMessage(" Banner grab: %d\n", rna_conf->enable_banner_grab); + ConfigLogger::log_value("UpdateTimeout", rna_conf->update_timeout); + ConfigLogger::log_value("MaxHostClientApps", rna_conf->max_host_client_apps); + ConfigLogger::log_value("MaxPayloads", rna_conf->max_payloads); + ConfigLogger::log_value("MaxHostServices", rna_conf->max_host_services); + ConfigLogger::log_value("MaxHostServiceInfo", rna_conf->max_host_service_info); + ConfigLogger::log_value("BannerGrab", rna_conf->enable_banner_grab); } - - LogMessage("\n"); } void RnaInspector::tinit() diff --git a/src/service_inspectors/cip/cip.cc b/src/service_inspectors/cip/cip.cc index 0f365e81f..4ccc0504b 100644 --- a/src/service_inspectors/cip/cip.cc +++ b/src/service_inspectors/cip/cip.cc @@ -111,27 +111,6 @@ static void free_cip_data(void* data) } } -static void print_cip_conf(CipProtoConf* config) -{ - if (config == nullptr) - return; - LogMessage(" Embedded Enabled: %s\n", - config->embedded_cip_enabled ? "ENABLED" : "DISABLED"); - if (config->embedded_cip_enabled) - { - LogMessage(" Embedded Class: 0x%x\n", config->embedded_cip_class_id); - LogMessage(" Embedded Service: 0x%x\n", config->embedded_cip_service_id); - } - - LogMessage(" Unconnected Timeout: %d (seconds)\n", config->unconnected_timeout); - LogMessage(" Max CIP connections per TCP connection: %d\n", - static_cast(config->max_cip_connections)); - LogMessage(" Max unconnected messages per TCP connection: %d\n", - static_cast(config->max_unconnected_messages)); - - LogMessage("\n"); -} - static CipPacketDirection get_packet_direction(Packet* p) { if (!p->has_tcp_data()) @@ -300,8 +279,20 @@ Cip::~Cip() void Cip::show(SnortConfig*) { - /* defined in module.cc */ - print_cip_conf(config); + if (!config) + return; + + if (config->embedded_cip_enabled) + { + std::string cip_path = std::to_string(config->embedded_cip_class_id); + cip_path += " "; + cip_path += std::to_string(config->embedded_cip_service_id); + ConfigLogger::log_value("embedded_cip_path", cip_path.c_str()); + } + + ConfigLogger::log_value("unconnected_timeout", config->unconnected_timeout); + ConfigLogger::log_value("max_cip_connections", config->max_cip_connections); + ConfigLogger::log_value("max_unconnected_messages", config->max_unconnected_messages); } void Cip::eval(Packet* p) diff --git a/src/service_inspectors/dce_rpc/dce_common.cc b/src/service_inspectors/dce_rpc/dce_common.cc index d1469648e..257f7a7f4 100644 --- a/src/service_inspectors/dce_rpc/dce_common.cc +++ b/src/service_inspectors/dce_rpc/dce_common.cc @@ -118,24 +118,17 @@ bool dce2_set_co_config(Value& v, dce2CoProtoConf& co) void print_dce2_common_config(dce2CommonProtoConf& common) { - LogMessage(" One alert per flow: %s\n", - common.limit_alerts ? - "ENABLED" : "DISABLED"); - LogMessage(" Defragmentation: %s\n", - common.disable_defrag ? - "DISABLED" : "ENABLED"); - LogMessage(" Max Fragment length: %d\n", - common.max_frag_len); + ConfigLogger::log_flag("limit_alerts", common.limit_alerts); + ConfigLogger::log_flag("disable_defrag", common.disable_defrag); + ConfigLogger::log_value("max_frag_len", common.max_frag_len); } void print_dce2_co_config(dce2CoProtoConf& co) { print_dce2_common_config(co.common); - LogMessage(" Policy : %s\n", - dce2_get_policy_name(co.policy)); - LogMessage(" Reassemble Threshold : %d\n", - co.co_reassemble_threshold); + ConfigLogger::log_value("policy", dce2_get_policy_name(co.policy)); + ConfigLogger::log_value("reassemble_threshold", co.co_reassemble_threshold); } bool dce2_paf_abort(DCE2_SsnData* sd) diff --git a/src/service_inspectors/dce_rpc/dce_smb_module.cc b/src/service_inspectors/dce_rpc/dce_smb_module.cc index 1ae5a23c1..f07307c09 100644 --- a/src/service_inspectors/dce_rpc/dce_smb_module.cc +++ b/src/service_inspectors/dce_rpc/dce_smb_module.cc @@ -96,7 +96,7 @@ static const PegInfo dce2_smb_pegs[] = }; static const char* dce2SmbFingerprintPolicyStrings[] = -{ "Disabled", "Client","Server", "Client and Server" }; +{ "disabled", "client", "server", "client and server" }; static const Parameter s_params[] = { @@ -190,6 +190,29 @@ static const RuleMap dce2_smb_rules[] = { 0, nullptr } }; +static std::string get_shares(DCE2_List* shares) +{ + std::string cmds; + + if ( shares ) + { + for (dce2SmbShare* share = (dce2SmbShare*)DCE2_ListFirst(shares); + share; + share = (dce2SmbShare*)DCE2_ListNext(shares)) + { + cmds += share->ascii_str; + cmds += " "; + } + } + + if ( !cmds.empty() ) + cmds.pop_back(); + else + cmds += "none"; + + return cmds; +} + Dce2SmbModule::Dce2SmbModule() : Module(DCE2_SMB_NAME, DCE2_SMB_HELP, s_params, false, &dce_smb_trace) { memset(&config, 0, sizeof(config)); @@ -273,6 +296,19 @@ static void set_smb_versions_mask(dce2SmbProtoConf& config, const char* s) } } +static const char* get_smb_versions(uint16_t mask) +{ + switch (mask) + { + case DCE2_VALID_SMB_VERSION_FLAG_V1: + return "v1"; + case DCE2_VALID_SMB_VERSION_FLAG_V2: + return "v2"; + default: + return "all"; + } +} + static bool set_smb_invalid_shares(dce2SmbProtoConf& config, Value& v) { string tok; @@ -384,56 +420,16 @@ void Dce2SmbModule::get_data(dce2SmbProtoConf& dce2_smb_config) void print_dce2_smb_conf(dce2SmbProtoConf& config) { print_dce2_co_config(config.common); - LogMessage(" SMB fingerprint policy : %s\n", - dce2SmbFingerprintPolicyStrings[config.smb_fingerprint_policy]); - - if (config.smb_max_chain == 0) - LogMessage(" Maximum SMB command chaining: Unlimited\n"); - else if (config.smb_max_chain == 1) - LogMessage(" Maximum SMB command chaining: No chaining allowed\n"); - else - LogMessage(" Maximum SMB command chaining: %u\n", config.smb_max_chain); - if (config.smb_max_compound == 0) - LogMessage(" Maximum SMB compounded requests: Unlimited\n"); - else if (config.smb_max_compound == 1) - LogMessage(" Maximum SMB compounded requests: No compounding allowed\n"); - else - LogMessage(" Maximum SMB compounded requests: %u\n", config.smb_max_compound); - - if (config.smb_file_depth == -1) - LogMessage(" SMB file depth: Disabled\n"); - else if (config.smb_file_depth == 0) - LogMessage(" SMB file depth: Unlimited\n"); - else - LogMessage(" SMB file depth: %d\n",config.smb_file_depth); - - if (config.smb_valid_versions_mask == DCE2_VALID_SMB_VERSION_FLAG_V1) - { - LogMessage(" SMB valid versions : v1\n"); - } - else if (config.smb_valid_versions_mask == DCE2_VALID_SMB_VERSION_FLAG_V2) - { - LogMessage(" SMB valid versions : v2\n"); - } - else - { - LogMessage(" SMB valid versions : all\n"); - } - if (config.smb_invalid_shares != nullptr) - { - dce2SmbShare* share; - - LogMessage(" Invalid SMB shares:\n"); - - for (share = (dce2SmbShare*)DCE2_ListFirst(config.smb_invalid_shares); - share != nullptr; - share = (dce2SmbShare*)DCE2_ListNext(config.smb_invalid_shares)) - { - LogMessage(" %s\n",share->ascii_str); - } - } - if (config.legacy_mode) - LogMessage(" SMB legacy mode enabled\n"); + ConfigLogger::log_value("smb_fingerprint_policy", + dce2SmbFingerprintPolicyStrings[config.smb_fingerprint_policy]); + ConfigLogger::log_limit("smb_max_chain", config.smb_max_chain, 0, 1); + ConfigLogger::log_limit("smb_max_compound", config.smb_max_compound, 0, 1); + ConfigLogger::log_value("valid_smb_versions", + get_smb_versions(config.smb_valid_versions_mask)); + ConfigLogger::log_limit("smb_file_depth", config.smb_file_depth, 0, -1); + ConfigLogger::log_list("smb_invalid_shares", + get_shares(config.smb_invalid_shares).c_str()); + ConfigLogger::log_flag("smb_legacy_mode", config.legacy_mode); } diff --git a/src/service_inspectors/dnp3/dnp3.cc b/src/service_inspectors/dnp3/dnp3.cc index a43b797f2..d41d6af23 100644 --- a/src/service_inspectors/dnp3/dnp3.cc +++ b/src/service_inspectors/dnp3/dnp3.cc @@ -27,6 +27,7 @@ #include "detection/detection_engine.h" #include "events/event_queue.h" +#include "log/messages.h" #include "protocols/packet.h" #include "dnp3_paf.h" @@ -240,7 +241,7 @@ Dnp3::Dnp3(const dnp3ProtoConf& pc) void Dnp3::show(SnortConfig*) { - print_dnp3_conf(config); + ConfigLogger::log_flag("check_crc", config.check_crc); } void Dnp3::eval(Packet* p) diff --git a/src/service_inspectors/dnp3/dnp3_module.cc b/src/service_inspectors/dnp3/dnp3_module.cc index e2db079b2..9333deb0a 100644 --- a/src/service_inspectors/dnp3/dnp3_module.cc +++ b/src/service_inspectors/dnp3/dnp3_module.cc @@ -24,8 +24,6 @@ #include "dnp3_module.h" -#include "log/messages.h" - #include "dnp3.h" using namespace snort; @@ -101,11 +99,3 @@ void Dnp3Module::get_data(dnp3ProtoConf& dnp3_config) { dnp3_config.check_crc = config.check_crc; } - -void print_dnp3_conf(const dnp3ProtoConf& config) -{ - LogMessage(" Check CRC: %s\n", - config.check_crc ? - "ENABLED" : "DISABLED"); -} - diff --git a/src/service_inspectors/dnp3/dnp3_module.h b/src/service_inspectors/dnp3/dnp3_module.h index 3de09693e..8a6ff065a 100644 --- a/src/service_inspectors/dnp3/dnp3_module.h +++ b/src/service_inspectors/dnp3/dnp3_module.h @@ -58,7 +58,5 @@ private: dnp3ProtoConf config; }; -void print_dnp3_conf(const dnp3ProtoConf& config); - #endif diff --git a/src/service_inspectors/ftp_telnet/ftp.cc b/src/service_inspectors/ftp_telnet/ftp.cc index 2413ef42d..4715fd659 100644 --- a/src/service_inspectors/ftp_telnet/ftp.cc +++ b/src/service_inspectors/ftp_telnet/ftp.cc @@ -188,6 +188,13 @@ static int snort_ftp(Packet* p) typedef InspectorData FtpClient; +template<> +void FtpClient::show(SnortConfig*) +{ + if ( data ) + print_conf_client(data); +} + class FtpServer : public Inspector { public: @@ -220,7 +227,8 @@ bool FtpServer::configure(SnortConfig* sc) void FtpServer::show(SnortConfig*) { - PrintFTPServerConf(ftp_server); + if ( ftp_server ) + print_conf_server(ftp_server); } StreamSplitter* FtpServer::get_splitter(bool c2s) diff --git a/src/service_inspectors/ftp_telnet/ftp_bounce_lookup.cc b/src/service_inspectors/ftp_telnet/ftp_bounce_lookup.cc index 226c4eff6..b423e7619 100644 --- a/src/service_inspectors/ftp_telnet/ftp_bounce_lookup.cc +++ b/src/service_inspectors/ftp_telnet/ftp_bounce_lookup.cc @@ -66,22 +66,6 @@ int ftp_bounce_lookup_cleanup(BOUNCE_LOOKUP** BounceLookup) return FTPP_SUCCESS; } -/* - * Function: ftp_bounce_lookup_add(BOUNCE_LOOKUP *BounceLookup, - * char *ip, int len, - * FTP_BOUNCE_TO *BounceTo) - * - * Purpose: Add a bounce configuration to the list. IP is stored - * in dot notation order. When the lookup happens, we - * compare up to len bytes of the address. - * - * Arguments: BounceLookup => a pointer to the lookup structure - * IP => the ftp bounce address - * BounceTo => a pointer to the bounce configuration structure - * - * Returns: int => return code indicating error or success - * - */ int ftp_bounce_lookup_add(BOUNCE_LOOKUP* BounceLookup, const SfIp* Ip, FTP_BOUNCE_TO* BounceTo) { @@ -112,24 +96,6 @@ int ftp_bounce_lookup_add(BOUNCE_LOOKUP* BounceLookup, const SfIp* Ip, return FTPP_SUCCESS; } -/* - * Function: ftp_bounce_lookup_find(BOUNCE_LOOKUP *BounceLookup, - * const SfIp *ip, int *iError) - * - * Purpose: Find a bounce configuration given a IP. - * We look up a bounce configuration given an IP and - * return a pointer to that bounce configuration if found. - * - * Arguments: BounceLookup => a pointer to the lookup structure - * IP => the ftp bounce address - * iError => a pointer to an error code - * - * Returns: int => return code indicating error or success - * - * Returns: FTP_BOUNCE_TO* => Pointer to bounce configuration structure - * matching IP if found, NULL otherwise. - * - */ FTP_BOUNCE_TO* ftp_bounce_lookup_find(BOUNCE_LOOKUP* BounceLookup, const SfIp* Ip, int* iError) { @@ -157,21 +123,6 @@ FTP_BOUNCE_TO* ftp_bounce_lookup_find(BOUNCE_LOOKUP* BounceLookup, const SfIp* I return BounceTo; } -// FIXIT-L orphan code until FTP client inspector acquires a show() method -#if 0 -/* - * Function: ftp_bounce_lookup_first(BOUNCE_LOOKUP *BounceLookup, - * int *iError) - * - * Purpose: This lookups the first bounce configuration, so we can - * iterate through the configurations. - * - * Arguments: BounceLookup => pointer to the bounce lookup structure - * iError => pointer to the integer to set for errors - * - * Returns: FTP_BOUNCE_TO* => Pointer to first bounce configuration structure - * - */ FTP_BOUNCE_TO* ftp_bounce_lookup_first(BOUNCE_LOOKUP* BounceLookup, int* iError) { FTP_BOUNCE_TO* BounceTo; @@ -198,22 +149,6 @@ FTP_BOUNCE_TO* ftp_bounce_lookup_first(BOUNCE_LOOKUP* BounceLookup, int* iError) return BounceTo; } -/* - * Function: ftp_bounce_lookup_next(BOUNCE_LOOKUP *BounceLookup, - * int *iError) - * - * Iterates to the next configuration, like a list it just returns - * the next config in the config list. - * - * Purpose: This lookups the next bounce configuration, so we can - * iterate through the configurations. - * - * Arguments: BounceLookup => pointer to the bounce lookup structure - * iError => pointer to the integer to set for errors - * - * Returns: FTP_BOUNCE_TO* => Pointer to next bounce configuration structure - * - */ FTP_BOUNCE_TO* ftp_bounce_lookup_next(BOUNCE_LOOKUP* BounceLookup, int* iError) { FTP_BOUNCE_TO* BounceTo; @@ -239,5 +174,3 @@ FTP_BOUNCE_TO* ftp_bounce_lookup_next(BOUNCE_LOOKUP* BounceLookup, int* iError) return BounceTo; } -#endif - diff --git a/src/service_inspectors/ftp_telnet/ftp_bounce_lookup.h b/src/service_inspectors/ftp_telnet/ftp_bounce_lookup.h index 734aa6779..6e697a146 100644 --- a/src/service_inspectors/ftp_telnet/ftp_bounce_lookup.h +++ b/src/service_inspectors/ftp_telnet/ftp_bounce_lookup.h @@ -39,9 +39,8 @@ int ftp_bounce_lookup_cleanup(BOUNCE_LOOKUP** BounceLookup); int ftp_bounce_lookup_add(BOUNCE_LOOKUP* BounceLookup, const snort::SfIp* ip, FTP_BOUNCE_TO* BounceTo); FTP_BOUNCE_TO* ftp_bounce_lookup_find(BOUNCE_LOOKUP* BounceLookup, const snort::SfIp* ip, int* iError); -// FIXIT-L orphan code until FTP client inspector acquires a show() method -// FTP_BOUNCE_TO* ftp_bounce_lookup_first(BOUNCE_LOOKUP* BounceLookup, int* iError); -// FTP_BOUNCE_TO* ftp_bounce_lookup_next(BOUNCE_LOOKUP* BounceLookup, int* iError); +FTP_BOUNCE_TO* ftp_bounce_lookup_first(BOUNCE_LOOKUP* BounceLookup, int* iError); +FTP_BOUNCE_TO* ftp_bounce_lookup_next(BOUNCE_LOOKUP* BounceLookup, int* iError); #endif diff --git a/src/service_inspectors/ftp_telnet/ftp_print.cc b/src/service_inspectors/ftp_telnet/ftp_print.cc index f7c3fcb6a..559ab0f3a 100644 --- a/src/service_inspectors/ftp_telnet/ftp_print.cc +++ b/src/service_inspectors/ftp_telnet/ftp_print.cc @@ -42,245 +42,60 @@ using namespace snort; -int PrintConfOpt(bool on, const char* Option) +void print_conf_client(FTP_CLIENT_PROTO_CONF* config) { - LogMessage(" %s: %s\n", Option, on ? "ON" : "OFF"); - return FTPP_SUCCESS; -} - -/* - * Function: PrintFormatDate(FTP_DATE_FMT *DateFmt) - * - * Purpose: Recursively prints the FTP date validation tree - * - * Arguments: DateFmt => pointer to the date format node - * - * Returns: None - * - */ -static void PrintFormatDate(char* buf, FTP_DATE_FMT* DateFmt) -{ - FTP_DATE_FMT* OptChild; - - if (!DateFmt->empty) - sfsnprintfappend(buf, BUF_SIZE, "%s", DateFmt->format_string); - - if (DateFmt->optional) - { - OptChild = DateFmt->optional; - sfsnprintfappend(buf, BUF_SIZE, "["); - PrintFormatDate(buf, OptChild); - sfsnprintfappend(buf, BUF_SIZE, "]"); - } - - if (DateFmt->next_a) - { - if (DateFmt->next_b) - sfsnprintfappend(buf, BUF_SIZE, "{"); - OptChild = DateFmt->next_a; - PrintFormatDate(buf, OptChild); - if (DateFmt->next_b) - { - sfsnprintfappend(buf, BUF_SIZE, "|"); - OptChild = DateFmt->next_b; - PrintFormatDate(buf, OptChild); - sfsnprintfappend(buf, BUF_SIZE, "}"); - } - } - - if (DateFmt->next) - PrintFormatDate(buf, DateFmt->next); -} - -/* - * Function: PrintCmdFmt(FTP_PARAM_FMT *CmdFmt) - * - * Purpose: Recursively prints the FTP command parameter validation tree - * - * Arguments: CmdFmt => pointer to the parameter validation node - * - * Returns: None - * - */ -static void PrintCmdFmt(char* buf, FTP_PARAM_FMT* CmdFmt) -{ - FTP_PARAM_FMT* OptChild; - - switch (CmdFmt->type) - { - case e_int: - sfsnprintfappend(buf, BUF_SIZE, " %s", F_INT); - break; - case e_number: - sfsnprintfappend(buf, BUF_SIZE, " %s", F_NUMBER); - break; - case e_char: - sfsnprintfappend(buf, BUF_SIZE, " %s 0x%x", F_CHAR, - CmdFmt->format.chars_allowed); - break; - case e_date: - sfsnprintfappend(buf, BUF_SIZE, " %s", F_DATE); - PrintFormatDate(buf, CmdFmt->format.date_fmt); - break; - case e_literal: - sfsnprintfappend(buf, BUF_SIZE, " %s %s", F_LITERAL, - CmdFmt->format.literal); - break; - case e_unrestricted: - sfsnprintfappend(buf, BUF_SIZE, " %s", F_STRING); - break; - case e_strformat: - sfsnprintfappend(buf, BUF_SIZE, " %s", F_STRING_FMT); - break; - case e_host_port: - sfsnprintfappend(buf, BUF_SIZE, " %s", F_HOST_PORT); - break; - case e_long_host_port: - sfsnprintfappend(buf, BUF_SIZE, " %s", F_LONG_HOST_PORT); - break; - case e_extd_host_port: - sfsnprintfappend(buf, BUF_SIZE, " %s", F_EXTD_HOST_PORT); - break; - case e_head: - break; - default: - break; - } - - if (CmdFmt->optional_fmt) - { - OptChild = CmdFmt->optional_fmt; - sfsnprintfappend(buf, BUF_SIZE, "["); - PrintCmdFmt(buf, OptChild); - sfsnprintfappend(buf, BUF_SIZE, "]"); - } - - if (CmdFmt->numChoices) - { - int i; - sfsnprintfappend(buf, BUF_SIZE, "{"); - for (i=0; inumChoices; i++) - { - if (i) - sfsnprintfappend(buf, BUF_SIZE, "|"); - OptChild = CmdFmt->choices[i]; - PrintCmdFmt(buf, OptChild); - } - sfsnprintfappend(buf, BUF_SIZE, "}"); - } + ConfigLogger::log_flag("bounce", config->bounce); + ConfigLogger::log_flag("ignore_telnet_erase_cmds", config->ignore_telnet_erase_cmds); + ConfigLogger::log_value("max_resp_len", config->max_resp_len); + ConfigLogger::log_flag("telnet_cmds", config->telnet_cmds); - if (CmdFmt->next_param_fmt && CmdFmt->next_param_fmt->prev_optional) - PrintCmdFmt(buf, CmdFmt->next_param_fmt); -} + int ret; -// FIXIT-L orphan code until FTP client inspector acquires a show() method -#if 0 -int PrintFTPClientConf(FTP_CLIENT_PROTO_CONF* ClientConf) -{ - FTP_BOUNCE_TO* FTPBounce; - int iErr; - - LogMessage(FTP_CLIENT_NAME ":\n"); - - PrintConfOpt(ClientConf->bounce, "Check for Bounce Attacks"); - PrintConfOpt(ClientConf->telnet_cmds, "Check for Telnet Cmds"); - PrintConfOpt(ClientConf->ignore_telnet_erase_cmds, "Ignore Telnet Cmd Operations"); - LogMessage(" Max Response Length: %d\n", ClientConf->max_resp_len); - - FTPBounce = ftp_bounce_lookup_first(ClientConf->bounce_lookup, &iErr); - if (FTPBounce) + for (FTP_BOUNCE_TO* FTPBounce = ftp_bounce_lookup_first(config->bounce_lookup, &ret); + FTPBounce; + FTPBounce = ftp_bounce_lookup_next(config->bounce_lookup, &ret)) { - LogMessage(" Allow FTP bounces to:\n"); + char buf[BUF_SIZE + 1] = {0}; - while (FTPBounce) - { - char* addr_str; - char bits_str[5]; - uint8_t bits; - bits_str[0] = '\0'; + FTPBounce->ip.ntop(buf, BUF_SIZE); - addr_str = FTPBounce->ip.ntoa(); - bits = (uint8_t)FTPBounce->ip.bits; - if (((FTPBounce->ip.family == AF_INET) && (bits != 32)) || - ((FTPBounce->ip.family == AF_INET6) && (bits != 128))) - { - snprintf(bits_str, sizeof(bits_str), "/%hhu", bits); - } - if (FTPBounce->porthi) - { - LogMessage(" Address: %s%s, Ports: %d-%d\n", - addr_str, bits_str[0] ? bits_str : "", - FTPBounce->portlo, FTPBounce->porthi); - } - else - { - LogMessage(" Address: %s%s, Port: %d\n", - addr_str, bits_str[0] ? bits_str : "", - FTPBounce->portlo); - } + if (FTPBounce->porthi) + snprintf(buf, BUF_SIZE, ":%d-%d", FTPBounce->portlo, FTPBounce->porthi); + else + snprintf(buf, BUF_SIZE, ":%d", FTPBounce->portlo); - FTPBounce = ftp_bounce_lookup_next(ClientConf->bounce_lookup, &iErr); - } + ConfigLogger::log_list("bounce", buf); } - - return FTPP_SUCCESS; } -#endif -int PrintFTPServerConf(FTP_SERVER_PROTO_CONF* ServerConf) +void print_conf_server(FTP_SERVER_PROTO_CONF* config) { - int iRet; - FTP_CMD_CONF* FTPCmd; - - if (!ServerConf) + ConfigLogger::log_flag("check_encrypted", config->detect_encrypted); + ConfigLogger::log_value("def_max_param_len", config->def_max_param_len); + ConfigLogger::log_flag("encrypted_traffic", config->check_encrypted_data); + ConfigLogger::log_flag("ignore_data_chan", config->data_chan); + ConfigLogger::log_flag("ignore_telnet_erase_cmds", config->ignore_telnet_erase_cmds); + ConfigLogger::log_flag("telnet_cmds", config->telnet_cmds); + ConfigLogger::log_flag("print_cmds", config->print_commands); + + if (!config->print_commands) + return; + + int ret; + std::string cmds; + + for (FTP_CMD_CONF* ftp_cmd = ftp_cmd_lookup_first(config->cmd_lookup, &ret); + ftp_cmd; + ftp_cmd = ftp_cmd_lookup_next(config->cmd_lookup, &ret)) { - return FTPP_INVALID_ARG; + cmds += ftp_cmd->cmd_name; + cmds += " "; } - PrintConfOpt(ServerConf->telnet_cmds, "Check for Telnet Cmds"); - PrintConfOpt(ServerConf->ignore_telnet_erase_cmds, "Ignore Telnet Cmd Operations"); - LogMessage(" Ignore open data channels: %s\n", - ServerConf->data_chan ? "YES" : "NO"); - PrintConfOpt(ServerConf->detect_encrypted, "Check for Encrypted Traffic"); - LogMessage(" Continue to check encrypted data: %s\n", - ServerConf->check_encrypted_data ? "YES" : "NO"); - - if (ServerConf->print_commands) - { - LogMessage(" FTP Commands:\n"); - - FTPCmd = ftp_cmd_lookup_first(ServerConf->cmd_lookup, &iRet); - while (FTPCmd != nullptr) - { - char buf[BUF_SIZE+1]; - snprintf(buf, BUF_SIZE, " %s { %u ", - FTPCmd->cmd_name, FTPCmd->max_param_len); + if ( !cmds.empty() ) + cmds.pop_back(); + else + cmds += "none"; -#ifdef PRINT_DEFAULT_CONFIGS - // FIXIT-L should append, not overwrite - if (FTPCmd->data_chan_cmd) - snprintf(buf, BUF_SIZE, "%s", "data_chan "); - if (FTPCmd->data_xfer_cmd) - snprintf(buf, BUF_SIZE, "%s", "data_xfer "); - if (FTPCmd->encr_cmd) - snprintf(buf, BUF_SIZE, "%s", "encr "); -#endif - - if (FTPCmd->check_validity) - { - FTP_PARAM_FMT* CmdFmt = FTPCmd->param_format; - while (CmdFmt != nullptr) - { - PrintCmdFmt(buf, CmdFmt); - - CmdFmt = CmdFmt->next_param_fmt; - } - } - LogMessage("%s}\n", buf); - FTPCmd = ftp_cmd_lookup_next(ServerConf->cmd_lookup, &iRet); - } - } - - return FTPP_SUCCESS; + ConfigLogger::log_list("commands", cmds.c_str()); } - diff --git a/src/service_inspectors/ftp_telnet/ftp_print.h b/src/service_inspectors/ftp_telnet/ftp_print.h index 1ddb880fd..3e7aa8631 100644 --- a/src/service_inspectors/ftp_telnet/ftp_print.h +++ b/src/service_inspectors/ftp_telnet/ftp_print.h @@ -27,10 +27,8 @@ #include "ftpp_ui_config.h" -int PrintConfOpt(bool on, const char* Option); -// FIXIT-L orphan code until FTP client inspector acquires a show() method -// int PrintFTPClientConf(FTP_CLIENT_PROTO_CONF*); -int PrintFTPServerConf(FTP_SERVER_PROTO_CONF*); +void print_conf_client(FTP_CLIENT_PROTO_CONF*); +void print_conf_server(FTP_SERVER_PROTO_CONF*); #endif diff --git a/src/service_inspectors/ftp_telnet/telnet.cc b/src/service_inspectors/ftp_telnet/telnet.cc index 32337088d..27b01eccf 100644 --- a/src/service_inspectors/ftp_telnet/telnet.cc +++ b/src/service_inspectors/ftp_telnet/telnet.cc @@ -174,35 +174,6 @@ static int snort_telnet(TELNET_PROTO_CONF* GlobalConf, Packet* p) return FTPP_INVALID_PROTO; } -/* - * Function: PrintTelnetConf(TELNET_PROTO_CONF *TelnetConf, - * char *Option) - * - * Purpose: Prints the telnet configuration - * - * Arguments: TelnetConf => pointer to the telnet configuration - * - * Returns: int => an error code integer (0 = success, - * >0 = non-fatal error, <0 = fatal error) - * - */ -static int PrintTelnetConf(TELNET_PROTO_CONF* TelnetConf) -{ - if (!TelnetConf) - { - return FTPP_INVALID_ARG; - } - - LogMessage(" Are You There Threshold: %d\n", - TelnetConf->ayt_threshold); - LogMessage(" Normalize: %s\n", TelnetConf->normalize ? "YES" : "NO"); - PrintConfOpt(TelnetConf->detect_encrypted, "Check for Encrypted Traffic"); - LogMessage(" Continue to check encrypted data: %s\n", - TelnetConf->check_encrypted_data ? "YES" : "NO"); - - return FTPP_SUCCESS; -} - //------------------------------------------------------------------------- // class stuff //------------------------------------------------------------------------- @@ -242,7 +213,13 @@ bool Telnet::configure(SnortConfig* sc) void Telnet::show(SnortConfig*) { - PrintTelnetConf(config); + if ( !config ) + return; + + ConfigLogger::log_value("ayt_attack_thresh", config->ayt_threshold); + ConfigLogger::log_flag("check_encrypted", config->detect_encrypted); + ConfigLogger::log_flag("encrypted_traffic", config->check_encrypted_data); + ConfigLogger::log_flag("normalize", config->normalize); } void Telnet::eval(Packet* p) diff --git a/src/service_inspectors/http_inspect/http_inspect.cc b/src/service_inspectors/http_inspect/http_inspect.cc index f6f8d57e4..920833cf2 100644 --- a/src/service_inspectors/http_inspect/http_inspect.cc +++ b/src/service_inspectors/http_inspect/http_inspect.cc @@ -24,6 +24,8 @@ #include "http_inspect.h" #include +#include +#include #include "detection/detection_engine.h" #include "detection/detection_util.h" @@ -52,7 +54,35 @@ using namespace snort; using namespace HttpCommon; using namespace HttpEnums; -HttpInspect::HttpInspect(const HttpParaList* params_) : +static std::string GetUnreservedChars(const ByteBitSet& bitset) +{ + const ByteBitSet& def_bitset(HttpParaList::UriParam::UriParam::default_unreserved_char); + std::string chars; + + for (unsigned char c = 1; c; ++c) + if (def_bitset[c] && !bitset[c]) + chars += c; + + return chars; +} + +static std::string GetBadChars(const ByteBitSet& bitset) +{ + std::stringstream ss; + ss << std::hex; + + for (unsigned i = 0; i < bitset.size(); ++i) + if (bitset[i]) + ss << " 0x" << std::setw(2) << std::setfill('0') << i; + + auto str = ss.str(); + if ( !str.empty() ) + str.erase(0, 1); + + return str; +} + +HttpInspect::HttpInspect(const HttpParaList* params_) : params(params_), xtra_trueip_id(Stream::reg_xtra_data_cb(get_xtra_trueip)), xtra_uri_id(Stream::reg_xtra_data_cb(get_xtra_uri)), @@ -92,36 +122,34 @@ void HttpInspect::show(snort::SnortConfig*) { assert(params); - if ( params->request_depth == -1 ) - LogMessage(" request_depth: " "%s" "\n", "unlimited"); - else - LogMessage(" request_depth: " STDi64 "\n", params->request_depth); - - if ( params->response_depth == -1 ) - LogMessage(" response_depth: " "%s" "\n", "unlimited"); - else - LogMessage(" response_depth: " STDi64 "\n", params->response_depth); - - LogMessage(" unzip: %s\n", params->unzip ? "yes" : "no"); - LogMessage(" normalize_utf: %s\n", params->normalize_utf ? "yes" : "no"); - LogMessage(" decompress_pdf: %s\n", params->decompress_pdf ? "yes" : "no"); - LogMessage(" decompress_swf: %s\n", params->decompress_swf ? "yes" : "no"); - LogMessage(" decompress_zip: %s\n", params->decompress_zip ? "yes" : "no"); - LogMessage(" detained_inspection: %s\n", params->detained_inspection ? "yes" : "no"); - - LogMessage(" normalize_javascript: %s\n", params->js_norm_param.normalize_javascript ? "yes" : "no"); - LogMessage(" max_javascript_whitespaces: %d\n", params->js_norm_param.max_javascript_whitespaces); - - LogMessage(" percent_u: %s\n", params->uri_param.percent_u ? "yes" : "no"); - LogMessage(" utf8: %s\n", params->uri_param.utf8 ? "yes" : "no"); - LogMessage(" utf8_bare_byte: %s\n", params->uri_param.utf8_bare_byte ? "yes" : "no"); - LogMessage(" oversize_dir_length: %d\n", params->uri_param.oversize_dir_length); - LogMessage(" iis_unicode: %s\n", params->uri_param.iis_unicode ? "yes" : "no"); - LogMessage(" iis_unicode_map_file: %s\n", params->uri_param.iis_unicode_map_file.c_str()); - LogMessage(" iis_double_decode: %s\n", params->uri_param.iis_double_decode ? "yes" : "no"); - LogMessage(" backslash_to_slash: %s\n", params->uri_param.backslash_to_slash ? "yes" : "no"); - LogMessage(" plus_to_space: %s\n", params->uri_param.plus_to_space ? "yes" : "no"); - LogMessage(" simplify_path: %s\n", params->uri_param.simplify_path ? "yes" : "no"); + auto unreserved_chars = GetUnreservedChars(params->uri_param.unreserved_char); + auto bad_chars = GetBadChars(params->uri_param.bad_characters); + + ConfigLogger::log_limit("request_depth", params->request_depth, -1LL); + ConfigLogger::log_limit("response_depth", params->response_depth, -1LL); + ConfigLogger::log_flag("unzip", params->unzip); + ConfigLogger::log_flag("normalize_utf", params->normalize_utf); + ConfigLogger::log_flag("decompress_pdf", params->decompress_pdf); + ConfigLogger::log_flag("decompress_swf", params->decompress_swf); + ConfigLogger::log_flag("decompress_zip", params->decompress_zip); + ConfigLogger::log_flag("detained_inspection", params->detained_inspection); + ConfigLogger::log_flag("normalize_javascript", params->js_norm_param.normalize_javascript); + ConfigLogger::log_value("max_javascript_whitespaces", + params->js_norm_param.max_javascript_whitespaces); + ConfigLogger::log_flag("detained_inspection", params->detained_inspection); + ConfigLogger::log_value("bad_characters", bad_chars.c_str()); + ConfigLogger::log_value("ignore_unreserved", unreserved_chars.c_str()); + ConfigLogger::log_flag("percent_u", params->uri_param.percent_u); + ConfigLogger::log_flag("utf8", params->uri_param.utf8); + ConfigLogger::log_flag("utf8_bare_byte", params->uri_param.utf8_bare_byte); + ConfigLogger::log_flag("iis_unicode", params->uri_param.iis_unicode); + ConfigLogger::log_value("iis_unicode_map_file", params->uri_param.iis_unicode_map_file.c_str()); + ConfigLogger::log_value("iis_unicode_code_page", params->uri_param.iis_unicode_code_page); + ConfigLogger::log_flag("iis_double_decode", params->uri_param.iis_double_decode); + ConfigLogger::log_value("oversize_dir_length", params->uri_param.oversize_dir_length); + ConfigLogger::log_flag("backslash_to_slash", params->uri_param.backslash_to_slash); + ConfigLogger::log_flag("plus_to_space", params->uri_param.plus_to_space); + ConfigLogger::log_flag("simplify_path", params->uri_param.simplify_path); } InspectSection HttpInspect::get_latest_is(const Packet* p) diff --git a/src/service_inspectors/http_inspect/http_module.cc b/src/service_inspectors/http_inspect/http_module.cc index 3af6878d9..8ea340e09 100644 --- a/src/service_inspectors/http_inspect/http_module.cc +++ b/src/service_inspectors/http_inspect/http_module.cc @@ -306,24 +306,27 @@ HttpParaList::JsNormParam::~JsNormParam() delete js_norm; } +// Characters that should not be percent-encoded +// 0-9, a-z, A-Z, tilde, period, underscore, and minus +// Initializer string for std::bitset is in reverse order. The first character is element 255 +// and the last is element 0. +// __STRDUMP_DISABLE__ +const std::bitset<256> HttpParaList::UriParam::UriParam::default_unreserved_char + { std::string( + "00000000" "00000000" "00000000" "00000000" + "00000000" "00000000" "00000000" "00000000" + "00000000" "00000000" "00000000" "00000000" + "00000000" "00000000" "00000000" "00000000" + "01000111" "11111111" "11111111" "11111110" + "10000111" "11111111" "11111111" "11111110" + "00000011" "11111111" "01100000" "00000000" + "00000000" "00000000" "00000000" "00000000") }; +// __STRDUMP_ENABLE__ + // Some values in these tables may be changed by configuration parameters. HttpParaList::UriParam::UriParam() : - // Characters that should not be percent-encoded - // 0-9, a-z, A-Z, tilde, period, underscore, and minus - // Initializer string for std::bitset is in reverse order. The first character is element 255 - // and the last is element 0. -// __STRDUMP_DISABLE__ - unreserved_char { std::string( - "00000000" "00000000" "00000000" "00000000" - "00000000" "00000000" "00000000" "00000000" - "00000000" "00000000" "00000000" "00000000" - "00000000" "00000000" "00000000" "00000000" - "01000111" "11111111" "11111111" "11111110" - "10000111" "11111111" "11111111" "11111110" - "00000011" "11111111" "01100000" "00000000" - "00000000" "00000000" "00000000" "00000000" ) }, -// __STRDUMP_ENABLE__ + unreserved_char { default_unreserved_char }, uri_char { CHAR_NORMAL, CHAR_NORMAL, CHAR_NORMAL, CHAR_NORMAL, CHAR_NORMAL, CHAR_NORMAL, CHAR_NORMAL, CHAR_NORMAL, diff --git a/src/service_inspectors/http_inspect/http_module.h b/src/service_inspectors/http_inspect/http_module.h index e9021ed52..ca97f9516 100644 --- a/src/service_inspectors/http_inspect/http_module.h +++ b/src/service_inspectors/http_inspect/http_module.h @@ -75,6 +75,8 @@ public: std::bitset<256> bad_characters; std::bitset<256> unreserved_char; HttpEnums::CharAction uri_char[256]; + + static const std::bitset<256> default_unreserved_char; }; UriParam uri_param; diff --git a/src/service_inspectors/sip/sip.cc b/src/service_inspectors/sip/sip.cc index bd2ed64ba..74e916845 100644 --- a/src/service_inspectors/sip/sip.cc +++ b/src/service_inspectors/sip/sip.cc @@ -81,74 +81,22 @@ static void FreeSipData(void* data) sip_freeDialogs(&ssn->dialogs); } -static void PrintSipConf(SIP_PROTO_CONF* config) +static std::string GetSIPMethods(SIPMethodNode* method) { - SIPMethodNode* method; - if (config == nullptr) - return; - LogMessage(" Max number of dialogs in a session: %d %s \n", - config->maxNumDialogsInSession, - config->maxNumDialogsInSession - == SIP_DEFAULT_MAX_DIALOGS_IN_SESSION ? - "(Default)" : ""); - - LogMessage(" Ignore media channel: %s\n", - config->ignoreChannel ? - "ENABLED" : "DISABLED"); - LogMessage(" Max URI length: %d %s \n", - config->maxUriLen, - config->maxUriLen - == SIP_DEFAULT_MAX_URI_LEN ? - "(Default)" : ""); - LogMessage(" Max Call ID length: %d %s \n", - config->maxCallIdLen, - config->maxCallIdLen - == SIP_DEFAULT_MAX_CALL_ID_LEN ? - "(Default)" : ""); - LogMessage(" Max Request name length: %d %s \n", - config->maxRequestNameLen, - config->maxRequestNameLen - == SIP_DEFAULT_MAX_REQUEST_NAME_LEN ? - "(Default)" : ""); - LogMessage(" Max From length: %d %s \n", - config->maxFromLen, - config->maxFromLen - == SIP_DEFAULT_MAX_FROM_LEN ? - "(Default)" : ""); - LogMessage(" Max To length: %d %s \n", - config->maxToLen, - config->maxToLen - == SIP_DEFAULT_MAX_TO_LEN ? - "(Default)" : ""); - LogMessage(" Max Via length: %d %s \n", - config->maxViaLen, - config->maxViaLen - == SIP_DEFAULT_MAX_VIA_LEN ? - "(Default)" : ""); - LogMessage(" Max Contact length: %d %s \n", - config->maxContactLen, - config->maxContactLen - == SIP_DEFAULT_MAX_CONTACT_LEN ? - "(Default)" : ""); - LogMessage(" Max Content length: %d %s \n", - config->maxContentLen, - config->maxContentLen - == SIP_DEFAULT_MAX_CONTENT_LEN ? - "(Default)" : ""); - LogMessage("\n"); - LogMessage(" Methods:\n"); - LogMessage("\t%s ", - config->methodsConfig - == SIP_METHOD_DEFAULT ? - "(Default)" : ""); - method = config->methods; - while (nullptr != method) + std::string cmds; + + for (; method; method = method->nextm) { - LogMessage(" %s", method->methodName); - method = method->nextm; + cmds += method->methodName; + cmds += " "; } - LogMessage("\n"); + if ( !cmds.empty() ) + cmds.pop_back(); + else + cmds += "none"; + + return cmds; } /********************************************************************* @@ -271,7 +219,22 @@ Sip::~Sip() void Sip::show(SnortConfig*) { - PrintSipConf(config); + if ( !config ) + return; + + auto methods = GetSIPMethods(config->methods); + + ConfigLogger::log_flag("ignore_call_channel", config->ignoreChannel); + ConfigLogger::log_value("max_call_id_len", config->maxCallIdLen); + ConfigLogger::log_value("max_contact_len", config->maxContactLen); + ConfigLogger::log_value("max_content_len", config->maxContentLen); + ConfigLogger::log_value("max_dialogs", config->maxNumDialogsInSession); + ConfigLogger::log_value("max_from_len", config->maxFromLen); + ConfigLogger::log_value("max_requestName_len", config->maxRequestNameLen); + ConfigLogger::log_value("max_to_len", config->maxToLen); + ConfigLogger::log_value("max_uri_len", config->maxUriLen); + ConfigLogger::log_value("max_via_len", config->maxViaLen); + ConfigLogger::log_list("methods", methods.c_str()); } void Sip::eval(Packet* p) diff --git a/src/service_inspectors/smtp/smtp.cc b/src/service_inspectors/smtp/smtp.cc index 9e0933d85..3aea12cef 100644 --- a/src/service_inspectors/smtp/smtp.cc +++ b/src/service_inspectors/smtp/smtp.cc @@ -476,12 +476,12 @@ static const char* to_string(const SMTPXlinkState& mode) static void log_mail_show(const snort::MailLogConfig& conf) { - LogFlag("log_mailfrom", conf.log_mailfrom); - LogFlag("log_rcptto", conf.log_rcptto); - LogFlag("log_filename", conf.log_filename); + ConfigLogger::log_flag("log_mailfrom", conf.log_mailfrom); + ConfigLogger::log_flag("log_rcptto", conf.log_rcptto); + ConfigLogger::log_flag("log_filename", conf.log_filename); - if ( LogFlag("log_email_hdrs", conf.log_email_hdrs) ) - LogValue("email_hdrs_log_depth", conf.email_hdrs_log_depth); + if ( ConfigLogger::log_flag("log_email_hdrs", conf.log_email_hdrs) ) + ConfigLogger::log_value("email_hdrs_log_depth", conf.email_hdrs_log_depth); } void SmtpProtoConf::show() const @@ -494,23 +494,23 @@ void SmtpProtoConf::show() const auto norm_cmds = GetCmdGroup(cmds, cmd_config, NORM_CMDS); auto valid_cmds = GetCmdGroup(cmds, cmd_config, VALID_CMDS); - LogValue("normalize", to_string(normalize)); - LogList("normalize_cmds", norm_cmds.c_str()); + ConfigLogger::log_value("normalize", to_string(normalize)); + ConfigLogger::log_list("normalize_cmds", norm_cmds.c_str()); - LogFlag("ignore_tls_data", ignore_tls_data); - LogLimit("max_command_line_len", max_command_line_len, 0); - LogList("alt_max_command_line_len", alt_len_cmds.c_str()); - LogLimit("max_header_line_len", max_header_line_len, 0); - LogLimit("max_auth_command_line_len", max_auth_command_line_len, 0); - LogLimit("max_response_line_length", max_response_line_len, 0); + ConfigLogger::log_flag("ignore_tls_data", ignore_tls_data); + ConfigLogger::log_limit("max_command_line_len", max_command_line_len, 0); + ConfigLogger::log_list("alt_max_command_line_len", alt_len_cmds.c_str()); + ConfigLogger::log_limit("max_header_line_len", max_header_line_len, 0); + ConfigLogger::log_limit("max_auth_command_line_len", max_auth_command_line_len, 0); + ConfigLogger::log_limit("max_response_line_length", max_response_line_len, 0); - LogValue("xlink2state", to_string(xlink2state)); - LogList("invalid_cmds", alert_cmds.c_str()); + ConfigLogger::log_value("xlink2state", to_string(xlink2state)); + ConfigLogger::log_list("invalid_cmds", alert_cmds.c_str()); - LogList("auth_cmds", auth_cmds.c_str()); - LogList("binary_data_cmds", bdata_cmds.c_str()); - LogList("data_cmds", data_cmds.c_str()); - LogList("valid_cmds", valid_cmds.c_str()); + ConfigLogger::log_list("auth_cmds", auth_cmds.c_str()); + ConfigLogger::log_list("binary_data_cmds", bdata_cmds.c_str()); + ConfigLogger::log_list("data_cmds", data_cmds.c_str()); + ConfigLogger::log_list("valid_cmds", valid_cmds.c_str()); decode_conf.show(true); log_mail_show(log_config); diff --git a/src/service_inspectors/ssh/ssh.cc b/src/service_inspectors/ssh/ssh.cc index a3b1c1c18..622978c57 100644 --- a/src/service_inspectors/ssh/ssh.cc +++ b/src/service_inspectors/ssh/ssh.cc @@ -80,18 +80,6 @@ static SSHData* get_session_data(Flow* flow) return fd ? &fd->session : nullptr; } -static void PrintSshConf(SSH_PROTO_CONF* config) -{ - if ( !config ) - return; - - LogMessage(" Max Encrypted Packets: %d\n", config->MaxEncryptedPackets); - LogMessage(" Max Server Version String Length: %d\n", config->MaxServerVersionLen); - LogMessage(" MaxClientBytes: %d\n", config->MaxClientBytes); - - LogMessage("\n"); -} - /* Returns the true length of the ssh packet, including * the ssh packet header and all padding. * @@ -757,7 +745,12 @@ Ssh::~Ssh() void Ssh::show(SnortConfig*) { - PrintSshConf(config); + if ( !config ) + return; + + ConfigLogger::log_value("max_encrypted_packets", config->MaxEncryptedPackets); + ConfigLogger::log_value("max_client_bytes", config->MaxClientBytes); + ConfigLogger::log_value("max_server_version_len", config->MaxServerVersionLen); } void Ssh::eval(Packet* p) diff --git a/src/service_inspectors/ssl/ssl_inspector.cc b/src/service_inspectors/ssl/ssl_inspector.cc index a023fd6ee..89a9d51a8 100644 --- a/src/service_inspectors/ssl/ssl_inspector.cc +++ b/src/service_inspectors/ssl/ssl_inspector.cc @@ -99,18 +99,6 @@ SSLData* get_ssl_session_data(Flow* flow) return fd ? &fd->session : nullptr; } -static void PrintSslConf(SSL_PROTO_CONF* config) -{ - if (config == nullptr) - return; - if ( config->trustservers ) - { - LogMessage(" Server side data is trusted\n"); - } - - LogMessage("\n"); -} - static void SSL_UpdateCounts(const uint32_t new_flags) { if (new_flags & SSL_CHANGE_CIPHER_FLAG) @@ -445,7 +433,11 @@ Ssl::~Ssl() void Ssl::show(SnortConfig*) { - PrintSslConf(config); + if ( !config ) + return; + + ConfigLogger::log_flag("trust_servers", config->trustservers); + ConfigLogger::log_value("max_heartbeat_length", config->max_heartbeat_len); } void Ssl::eval(Packet* p) diff --git a/src/stream/base/stream_base.cc b/src/stream/base/stream_base.cc index 5e2a9e971..5c863e7db 100644 --- a/src/stream/base/stream_base.cc +++ b/src/stream/base/stream_base.cc @@ -207,10 +207,11 @@ void StreamBase::tterm() FlushBucket::clear(); } -void StreamBase::show(SnortConfig*) +void StreamBase::show(SnortConfig* sc) { - LogMessage(" Max flows: %d\n", config.flow_cache_cfg.max_flows); - LogMessage(" Pruning timeout: %d\n", config.flow_cache_cfg.pruning_timeout); + if ( sc ) + ConfigLogger::log_flag("ip_frags_only", sc->ip_frags_only()); + config.show(); } void StreamBase::eval(Packet* p) diff --git a/src/stream/base/stream_module.cc b/src/stream/base/stream_module.cc index f700a6ba5..c6a3345b8 100644 --- a/src/stream/base/stream_module.cc +++ b/src/stream/base/stream_module.cc @@ -98,6 +98,9 @@ static const RuleMap stream_rules[] = { 0, nullptr } }; +static const char* const flow_type_names[] = +{ "none", "ip_cache", "tcp_cache", "udp_cache", "icmp_cache", "user_cache", "file_cache", "max"}; + StreamModule::StreamModule() : Module(MOD_NAME, MOD_HELP, s_params, false, &stream_trace) { } @@ -266,3 +269,18 @@ bool StreamReloadResourceManager::tune_resources(unsigned work_limit) return ( flows_to_delete ) ? false : true; } +void StreamModuleConfig::show() const +{ + ConfigLogger::log_value("max_flows", flow_cache_cfg.max_flows); + ConfigLogger::log_value("pruning_timeout", flow_cache_cfg.pruning_timeout); + + for (int i = to_utype(PktType::IP); i < to_utype(PktType::MAX); ++i) + { + std::string tmp; + tmp += "{ idle_timeout = " + std::to_string(flow_cache_cfg.proto[i].nominal_timeout); + tmp += ", cap_weight = " + std::to_string(flow_cache_cfg.proto[i].cap_weight); + tmp += " }"; + + ConfigLogger::log_value(flow_type_names[i], tmp.c_str()); + } +} diff --git a/src/stream/base/stream_module.h b/src/stream/base/stream_module.h index acba5f112..2e0979681 100644 --- a/src/stream/base/stream_module.h +++ b/src/stream/base/stream_module.h @@ -79,6 +79,7 @@ struct StreamModuleConfig unsigned footprint = 0; #endif + void show() const; }; class StreamReloadResourceManager : public snort::ReloadResourceTuner diff --git a/src/stream/file/stream_file.cc b/src/stream/file/stream_file.cc index 5597ff203..c9f2bb4f6 100644 --- a/src/stream/file/stream_file.cc +++ b/src/stream/file/stream_file.cc @@ -23,6 +23,8 @@ #include "stream_file.h" +#include "log/messages.h" + #include "file_module.h" #include "file_session.h" @@ -39,6 +41,7 @@ public: { config.upload = b; } NORETURN_ASSERT void eval(Packet*) override; + void show(SnortConfig*) override; StreamFileConfig config; }; @@ -49,6 +52,11 @@ NORETURN_ASSERT void StreamFile::eval(Packet*) assert(false); } +void StreamFile::show(SnortConfig*) +{ + ConfigLogger::log_flag("upload", config.upload); +} + StreamFileConfig* get_file_cfg(Inspector* ins) { assert(ins); diff --git a/src/stream/icmp/stream_icmp.cc b/src/stream/icmp/stream_icmp.cc index 809ece03d..10dbcd847 100644 --- a/src/stream/icmp/stream_icmp.cc +++ b/src/stream/icmp/stream_icmp.cc @@ -40,11 +40,6 @@ StreamIcmpConfig::StreamIcmpConfig() session_timeout = 30; } -static void icmp_show(StreamIcmpConfig* pc) -{ - LogMessage(" Timeout: %d seconds\n", pc->session_timeout); -} - //------------------------------------------------------------------------- // inspector stuff //------------------------------------------------------------------------- @@ -74,7 +69,10 @@ StreamIcmp::~StreamIcmp() void StreamIcmp::show(SnortConfig*) { - icmp_show(config); + if ( !config ) + return; + + ConfigLogger::log_value("session_timeout", config->session_timeout); } NORETURN_ASSERT void StreamIcmp::eval(Packet*) diff --git a/src/stream/ip/ip_defrag.cc b/src/stream/ip/ip_defrag.cc index 73f694207..24ac736ce 100644 --- a/src/stream/ip/ip_defrag.cc +++ b/src/stream/ip/ip_defrag.cc @@ -183,24 +183,6 @@ static const char* const frag_policy_names[] = "SOLARIS" }; -static void FragPrintEngineConfig(FragEngine* engine) -{ - LogMessage(" engine-based policy: %s\n", - frag_policy_names[engine->frag_policy]); - LogMessage(" Fragment timeout: %d seconds\n", - engine->frag_timeout); - LogMessage(" Fragment min_ttl: %d\n", engine->min_ttl); - - LogMessage(" Max frags: %d\n", engine->max_frags); - LogMessage(" Max overlaps: %d\n", - engine->max_overlaps); - LogMessage(" Min fragment Length: %d\n", - engine->min_fragment_length); -#ifdef REG_TEST - LogMessage(" FragTracker Size: %zu\n", sizeof(FragTracker)); -#endif -} - static inline void EventAnomIpOpts(FragEngine*) { DetectionEngine::queue_event(GID_DEFRAG, DEFRAG_IPOPTIONS); @@ -857,7 +839,11 @@ bool Defrag::configure(SnortConfig* sc) void Defrag::show(SnortConfig*) { - FragPrintEngineConfig(&engine); + ConfigLogger::log_value("max_frags", engine.max_frags); + ConfigLogger::log_value("max_overlaps", engine.max_overlaps); + ConfigLogger::log_value("min_frag_length", engine.min_fragment_length); + ConfigLogger::log_value("min_ttl", engine.min_ttl); + ConfigLogger::log_value("policy", frag_policy_names[engine.frag_policy]); } void Defrag::cleanup(FragTracker* ft) diff --git a/src/stream/ip/stream_ip.cc b/src/stream/ip/stream_ip.cc index 31d25cefa..694efe084 100644 --- a/src/stream/ip/stream_ip.cc +++ b/src/stream/ip/stream_ip.cc @@ -59,11 +59,6 @@ StreamIpConfig::StreamIpConfig() frag_engine.min_fragment_length = 0; } -static void ip_show(StreamIpConfig* pc) -{ - LogMessage(" Timeout: %d seconds\n", pc->session_timeout); -} - //------------------------------------------------------------------------- // inspector stuff //------------------------------------------------------------------------- @@ -104,8 +99,11 @@ bool StreamIp::configure(SnortConfig* sc) void StreamIp::show(SnortConfig* sc) { - ip_show(config); + if ( !config ) + return; + defrag->show(sc); + ConfigLogger::log_value("session_timeout", config->session_timeout); } NORETURN_ASSERT void StreamIp::eval(Packet*) diff --git a/src/stream/tcp/stream_tcp.cc b/src/stream/tcp/stream_tcp.cc index 33e1d9aad..1433e90c5 100644 --- a/src/stream/tcp/stream_tcp.cc +++ b/src/stream/tcp/stream_tcp.cc @@ -59,7 +59,12 @@ StreamTcp::~StreamTcp() { delete config; } void StreamTcp::show(SnortConfig*) -{ TcpStreamConfig::show_config(config); } +{ + if ( !config ) + return; + + config->show(); +} bool StreamTcp::configure(SnortConfig* sc) { diff --git a/src/stream/tcp/tcp_stream_config.cc b/src/stream/tcp/tcp_stream_config.cc index 40ff21d1d..dad8375e9 100644 --- a/src/stream/tcp/tcp_stream_config.cc +++ b/src/stream/tcp/tcp_stream_config.cc @@ -29,47 +29,40 @@ using namespace snort; -static const char* const reassembly_policy_names[] = +static const char* const policy_names[] = { "first", "last", "linux", "old_linux", "bsd", "macos", "solaris", "irix", "hpux11", "hpux10", "windows", "win_2003", "vista", "proxy" }; TcpStreamConfig::TcpStreamConfig() = default; -void TcpStreamConfig::show_config() const +void TcpStreamConfig::show() const { - TcpStreamConfig::show_config(this); -} - -void TcpStreamConfig::show_config(const TcpStreamConfig* config) -{ - LogMessage(" Reassembly Policy: %s\n", - reassembly_policy_names[ static_cast( config->reassembly_policy ) ]); - LogMessage(" Timeout: %d seconds\n", config->session_timeout); - - if ( config->max_window != 0 ) - LogMessage(" Max TCP Window: %u\n", config->max_window); - - if ( config->overlap_limit ) - LogMessage(" Limit on TCP Overlaps: %d\n", config->overlap_limit); - - if ( config->max_queued_bytes != 0 ) - LogMessage(" Maximum number of bytes to queue per session: %d\n", - config->max_queued_bytes); - - if ( config->max_queued_segs != 0 ) - LogMessage(" Maximum number of segs to queue per session: %d\n", - config->max_queued_segs); - - if ( config->flags ) - { - LogMessage(" Options:\n"); - if (config->flags & STREAM_CONFIG_NO_ASYNC_REASSEMBLY) - LogMessage(" Don't queue packets on one-sided sessions: YES\n"); - } - - if ( config->hs_timeout < 0 ) - LogMessage(" Require 3-Way Handshake: NO\n"); - else - LogMessage(" Require 3-Way Handshake: after %d seconds\n", config->hs_timeout); + ConfigLogger::log_value("flush_factor", flush_factor); + ConfigLogger::log_value("max_pdu", paf_max); + ConfigLogger::log_value("max_window", max_window); + ConfigLogger::log_flag("no_ack", no_ack); + ConfigLogger::log_value("overlap_limit", overlap_limit); + ConfigLogger::log_value("policy", policy_names[static_cast(policy)]); + + std::string str; + str += "{ max_bytes = "; + str += std::to_string(max_queued_bytes); + str += ", max_segments = "; + str += std::to_string(max_queued_segs); + str += " }"; + ConfigLogger::log_value("queue_limit", str.c_str()); + + ConfigLogger::log_flag("reassemble_async", !(flags & STREAM_CONFIG_NO_ASYNC_REASSEMBLY)); + ConfigLogger::log_limit("require_3whs", hs_timeout, -1, hs_timeout < 0 ? hs_timeout : -1); + ConfigLogger::log_value("session_timeout", session_timeout); + + str = "{ count = "; + str += std::to_string(max_consec_small_segs); + str += ", maximum_size = "; + str += std::to_string(max_consec_small_seg_size); + str += " }"; + ConfigLogger::log_value("small_segments", str.c_str()); + + ConfigLogger::log_flag("track_only", (flags & STREAM_CONFIG_NO_REASSEMBLY)); } diff --git a/src/stream/tcp/tcp_stream_config.h b/src/stream/tcp/tcp_stream_config.h index cd3d6f5f4..40595a5a3 100644 --- a/src/stream/tcp/tcp_stream_config.h +++ b/src/stream/tcp/tcp_stream_config.h @@ -50,11 +50,9 @@ public: return false; } - void show_config() const; - static void show_config(const TcpStreamConfig*); + void show() const; StreamPolicy policy = StreamPolicy::OS_DEFAULT; - StreamPolicy reassembly_policy = StreamPolicy::OS_DEFAULT; uint16_t flags = 0; uint16_t flush_factor = 0; diff --git a/src/stream/udp/stream_udp.cc b/src/stream/udp/stream_udp.cc index e071bd97a..f8444a5bc 100644 --- a/src/stream/udp/stream_udp.cc +++ b/src/stream/udp/stream_udp.cc @@ -39,15 +39,6 @@ StreamUdpConfig::StreamUdpConfig() session_timeout = 30; } -static void udp_show(StreamUdpConfig* pc) -{ - LogMessage(" Timeout: %d seconds\n", pc->session_timeout); - -#ifdef REG_TEST - LogMessage(" UDP Session Size: %zu\n", sizeof(UdpSession)); -#endif -} - //------------------------------------------------------------------------- // inspector stuff //------------------------------------------------------------------------- @@ -77,8 +68,10 @@ StreamUdp::~StreamUdp() void StreamUdp::show(SnortConfig*) { - if ( config ) - udp_show(config); + if ( !config ) + return; + + ConfigLogger::log_value("session_timeout", config->session_timeout); } NORETURN_ASSERT void StreamUdp::eval(Packet*) diff --git a/src/stream/user/stream_user.cc b/src/stream/user/stream_user.cc index 3c1117bd8..f747e188d 100644 --- a/src/stream/user/stream_user.cc +++ b/src/stream/user/stream_user.cc @@ -39,11 +39,6 @@ StreamUserConfig::StreamUserConfig() session_timeout = 60; } -static void user_show (StreamUserConfig* pc) -{ - LogMessage(" Timeout: %d seconds\n", pc->session_timeout); -} - //------------------------------------------------------------------------- // inspector stuff //------------------------------------------------------------------------- @@ -74,7 +69,10 @@ StreamUser::~StreamUser() void StreamUser::show(SnortConfig*) { - user_show(config); + if ( !config ) + return; + + ConfigLogger::log_value("session_timeout", config->session_timeout); } NORETURN_ASSERT void StreamUser::eval(Packet*) diff --git a/src/utils/sflsq.cc b/src/utils/sflsq.cc index 4f54d6c1b..b86bd45c9 100644 --- a/src/utils/sflsq.cc +++ b/src/utils/sflsq.cc @@ -116,7 +116,7 @@ void sflist_add_tail(SF_LIST* s, NODE_DATA ndata) s->count++; } -NODE_DATA sflist_first(SF_LIST* s, SF_LNODE** v) +NODE_DATA sflist_first(const SF_LIST* s, SF_LNODE** v) { if ( !s ) { diff --git a/src/utils/sflsq.h b/src/utils/sflsq.h index 3e736dbb4..c4505f087 100644 --- a/src/utils/sflsq.h +++ b/src/utils/sflsq.h @@ -59,7 +59,7 @@ SO_PUBLIC void sflist_add_before(SF_LIST*, SF_LNODE*, NODE_DATA); SO_PUBLIC NODE_DATA sflist_remove_head(SF_LIST*); SO_PUBLIC NODE_DATA sflist_remove_tail(SF_LIST*); SO_PUBLIC int sflist_count(SF_LIST*); -SO_PUBLIC NODE_DATA sflist_first(SF_LIST*, SF_LNODE**); +SO_PUBLIC NODE_DATA sflist_first(const SF_LIST*, SF_LNODE**); SO_PUBLIC NODE_DATA sflist_next(SF_LNODE**); SO_PUBLIC void sflist_free(SF_LIST*); SO_PUBLIC void sflist_free_all(SF_LIST*, void (* free)(void*) ); diff --git a/tools/snort2lua/preprocessor_states/pps_appid.cc b/tools/snort2lua/preprocessor_states/pps_appid.cc index ef764b859..1cd729bc0 100644 --- a/tools/snort2lua/preprocessor_states/pps_appid.cc +++ b/tools/snort2lua/preprocessor_states/pps_appid.cc @@ -68,23 +68,15 @@ bool AppId::convert(std::istringstream& data_stream) { tmpval = parse_int_option("memcap", arg_stream, false); } - else if (keyword == "debug") + else if (keyword == "list_odp_detectors") { std::string val; if (!(arg_stream >> val)) - data_api.failed_conversion(arg_stream, "appid: debug "); + data_api.failed_conversion(arg_stream, "appid: list_odp_detectors "); else if (val == "yes") - table_api.add_option("debug", true); + table_api.add_option("list_odp_detectors", true); else - table_api.add_option("debug", false); - } - else if (keyword == "dump_ports") - { - table_api.add_option("dump_ports", true); - } - else if (keyword == "instance_id") - { - tmpval = parse_int_option("instance_id", arg_stream, false); + table_api.add_option("list_odp_detectors", false); } else if (keyword == "app_stats_filename") { @@ -107,10 +99,6 @@ bool AppId::convert(std::istringstream& data_stream) { tmpval = parse_int_option("app_stats_rollover_size", arg_stream, false); } - else if (keyword == "app_stats_rollover_time") - { - tmpval = parse_int_option("app_stats_rollover_time", arg_stream, false); - } else if (keyword == "app_detector_dir") { std::string file_name;