From: Jason Ish Date: Mon, 16 Jan 2017 22:25:56 +0000 (-0600) Subject: unified2: nostamp and file rotation X-Git-Tag: suricata-4.0.0-beta1~295 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=82f61031499c40b09afd9469a6a042a1c3ce482d;p=thirdparty%2Fsuricata.git unified2: nostamp and file rotation Give unified2 a nostamp option which will create the file without the timestamp suffix (like Snort's nostamp option). Also register for rotation notification on SIGHUP so the file will be recreated if it is removed by an external rotation program (only when nostamp is used). --- diff --git a/src/alert-unified2-alert.c b/src/alert-unified2-alert.c index 5f2db257fe..1a6f5f567b 100644 --- a/src/alert-unified2-alert.c +++ b/src/alert-unified2-alert.c @@ -225,7 +225,7 @@ static int Unified2IPv4TypeAlert(ThreadVars *, const Packet *, void *); static int Unified2IPv6TypeAlert(ThreadVars *, const Packet *, void *); static int Unified2PacketTypeAlert(Unified2AlertThread *, const Packet *, uint32_t, int); void Unified2RegisterTests(void); -int Unified2AlertOpenFileCtx(LogFileCtx *, const char *); +static int Unified2AlertOpenFileCtx(LogFileCtx *, const char *, bool); static void Unified2AlertDeInitCtx(OutputCtx *); int Unified2Condition(ThreadVars *tv, const Packet *p); 
@@ -263,15 +263,15 @@ static int Unified2AlertCloseFile(Unified2AlertThread *aun) * \retval 0 on succces * \retval -1 on failure */ -static int Unified2AlertRotateFile(Unified2AlertThread *aun) +static int Unified2AlertRotateFile(Unified2AlertThread *aun, bool truncate) { if (Unified2AlertCloseFile(aun) < 0) { SCLogError(SC_ERR_UNIFIED2_ALERT_GENERIC, "Error: Unified2AlertCloseFile failed"); return -1; } - if (Unified2AlertOpenFileCtx(aun->unified2alert_ctx->file_ctx,aun->unified2alert_ctx-> - file_ctx->prefix) < 0) { + if (Unified2AlertOpenFileCtx(aun->unified2alert_ctx->file_ctx, + aun->unified2alert_ctx->file_ctx->prefix, truncate) < 0) { SCLogError(SC_ERR_UNIFIED2_ALERT_GENERIC, "Error: Unified2AlertOpenFileCtx, open new log file failed"); return -1; @@ -787,6 +787,7 @@ static int Unified2PacketTypeAlert(Unified2AlertThread *aun, const Packet *p, ui static int Unified2IPv6TypeAlert(ThreadVars *t, const Packet *p, void *data) { Unified2AlertThread *aun = (Unified2AlertThread *)data; + LogFileCtx *file_ctx = aun->unified2alert_ctx->file_ctx; Unified2AlertFileHeader hdr; AlertIPv6Unified2 *phdr; AlertIPv6Unified2 gphdr; 
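Review bot: The new `truncate` parameter of Unified2AlertRotateFile is not described in the doxygen block directly above it, which still lists only the `\retval` lines; add `\param truncate When true the file is re-opened with "wb" (any existing file of that name is emptied) instead of "ab".` so the data-loss semantics of the flag are visible at the call sites. `truncate` is also the name of the POSIX truncate(2) function, so if `<unistd.h>` is reachable from this file the parameter shadows it and trips -Wshadow; a name such as `truncate_file` avoids that here and in Unified2AlertOpenFileCtx. The closing brace of Unified2AlertRotateFile is outside the hunk.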
@@ -921,19 +922,22 @@ static int Unified2IPv6TypeAlert(ThreadVars *t, const Packet *p, void *data) phdr->classification_id = htonl(pa->s->class); phdr->priority_id = htonl(pa->s->prio); - SCMutexLock(&aun->unified2alert_ctx->file_ctx->fp_mutex); - if ((aun->unified2alert_ctx->file_ctx->size_current + length) > - aun->unified2alert_ctx->file_ctx->size_limit) { - if (Unified2AlertRotateFile(aun) < 0) { + SCMutexLock(&file_ctx->fp_mutex); + + bool truncate = (file_ctx->size_current + length) > file_ctx->size_limit + ? true : false; + if (truncate || file_ctx->rotation_flag) { + if (Unified2AlertRotateFile(aun, truncate) < 0) { aun->unified2alert_ctx->file_ctx->alerts += i; - SCMutexUnlock(&aun->unified2alert_ctx->file_ctx->fp_mutex); + SCMutexUnlock(&file_ctx->fp_mutex); return -1; } + file_ctx->rotation_flag = 0; } if (Unified2Write(aun) != 1) { - aun->unified2alert_ctx->file_ctx->alerts += i; - SCMutexUnlock(&aun->unified2alert_ctx->file_ctx->fp_mutex); + file_ctx->alerts += i; + SCMutexUnlock(&file_ctx->fp_mutex); return -1; } @@ -972,6 +976,7 @@ static int Unified2IPv6TypeAlert(ThreadVars *t, const Packet *p, void *data) static int Unified2IPv4TypeAlert (ThreadVars *tv, const Packet *p, void *data) { Unified2AlertThread *aun = (Unified2AlertThread *)data; + LogFileCtx *file_ctx = aun->unified2alert_ctx->file_ctx; Unified2AlertFileHeader hdr; AlertIPv4Unified2 *phdr; AlertIPv4Unified2 gphdr; 
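Review bot: In the failure branch of the new `if (truncate || file_ctx->rotation_flag)` block the alert counter is still written as `aun->unified2alert_ctx->file_ctx->alerts += i;` while every other line of the hunk, and the IPv4 counterpart, uses the freshly introduced `file_ctx` alias; change it to `file_ctx->alerts += i;`. The initializer `bool truncate = ... ? true : false;` is redundant; `bool truncate = (file_ctx->size_current + length) > file_ctx->size_limit;` says the same. Because `file_ctx->rotation_flag = 0;` sits after the error return, a failed rotation leaves the flag set and the next alert retries; if that is intended, a one-line comment such as `/* flag stays set on failure so the next alert retries the rotation */` would make it explicit. Unified2IPv6TypeAlert begins and ends outside this hunk.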
@@ -1097,20 +1102,22 @@ static int Unified2IPv4TypeAlert (ThreadVars *tv, const Packet *p, void *data) phdr->priority_id = htonl(pa->s->prio); /* check and enforce the filesize limit */ - SCMutexLock(&aun->unified2alert_ctx->file_ctx->fp_mutex); - - if ((aun->unified2alert_ctx->file_ctx->size_current + length) > - aun->unified2alert_ctx->file_ctx->size_limit) { - if (Unified2AlertRotateFile(aun) < 0) { - aun->unified2alert_ctx->file_ctx->alerts += i; - SCMutexUnlock(&aun->unified2alert_ctx->file_ctx->fp_mutex); + SCMutexLock(&file_ctx->fp_mutex); + + bool truncate = (file_ctx->size_current + length) > file_ctx->size_limit + ? true : false; + if (truncate || file_ctx->rotation_flag) { + if (Unified2AlertRotateFile(aun, truncate) < 0) { + file_ctx->alerts += i; + SCMutexUnlock(&file_ctx->fp_mutex); return -1; } + file_ctx->rotation_flag = 0; } if (Unified2Write(aun) != 1) { - aun->unified2alert_ctx->file_ctx->alerts += i; - SCMutexUnlock(&aun->unified2alert_ctx->file_ctx->fp_mutex); + file_ctx->alerts += i; + SCMutexUnlock(&file_ctx->fp_mutex); return -1; } @@ -1226,6 +1233,7 @@ OutputCtx *Unified2AlertInitCtx(ConfNode *conf) LogFileCtx* file_ctx = NULL; OutputCtx* output_ctx = NULL; HttpXFFCfg *xff_cfg = NULL; + int nostamp = 0; file_ctx = LogFileNewCtx(); if (file_ctx == NULL) { @@ -1279,6 +1287,13 @@ OutputCtx *Unified2AlertInitCtx(ConfNode *conf) exit(EXIT_FAILURE); } } + + if (ConfGetChildValueBool(conf, "nostamp", &nostamp)) { + if (nostamp) { + SCLogConfig("Disabling unified2 timestamp."); + file_ctx->nostamp = true; + } + } } uint32_t flags = UNIFIED2_ALERT_FLAGS_EMIT_PACKET; 
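Review bot: The context comment `/* check and enforce the filesize limit */` now heads a block that also reacts to `file_ctx->rotation_flag`, so it understates what follows; `/* enforce the file size limit and honour a pending (SIGHUP) rotation request */` matches the new condition. As in the IPv6 path, `bool truncate = ... ? true : false;` can simply be `bool truncate = (file_ctx->size_current + length) > file_ctx->size_limit;`. Unified2IPv4TypeAlert begins and ends outside this hunk.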
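Review bot: The nested `if (ConfGetChildValueBool(conf, "nostamp", &nostamp)) { if (nostamp) { ... } }` can be a single guard, `if (ConfGetChildValueBool(conf, "nostamp", &nostamp) && nostamp) {`, which also makes it obvious that an absent or "no" value leaves `file_ctx->nostamp` at its zeroed default. The option is being parsed inside an enclosing block whose closing brace is visible at the end of the hunk but whose opening is not, so it is worth double-checking that `nostamp` is read even when that outer condition is false. Unified2AlertInitCtx begins and ends outside this hunk.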
@@ -1295,10 +1310,15 @@ OutputCtx *Unified2AlertInitCtx(ConfNode *conf) } } - ret = Unified2AlertOpenFileCtx(file_ctx, filename); + ret = Unified2AlertOpenFileCtx(file_ctx, filename, false); if (ret < 0) goto error; + /* Only register for file rotation if theout is non-timestamped. */ + if (nostamp) { + OutputRegisterFileRotationFlag(&file_ctx->rotation_flag); + } + output_ctx = SCCalloc(1, sizeof(OutputCtx)); if (unlikely(output_ctx == NULL)) goto error; @@ -1367,7 +1387,8 @@ static void Unified2AlertDeInitCtx(OutputCtx *output_ctx) * \param prefix Prefix of the log file. * \return -1 if failure, 0 if succesful * */ -int Unified2AlertOpenFileCtx(LogFileCtx *file_ctx, const char *prefix) +static int Unified2AlertOpenFileCtx(LogFileCtx *file_ctx, const char *prefix, + bool truncate) { int ret = 0; char *filename = NULL; @@ -1396,9 +1417,17 @@ int Unified2AlertOpenFileCtx(LogFileCtx *file_ctx, const char *prefix) char *log_dir; log_dir = ConfigGetLogDirectory(); - snprintf(filename, PATH_MAX, "%s/%s.%" PRIu32, log_dir, prefix, (uint32_t)ts.tv_sec); + if (file_ctx->nostamp) { + snprintf(filename, PATH_MAX, "%s/%s", log_dir, prefix); + } else { + snprintf(filename, PATH_MAX, "%s/%s.%" PRIu32, log_dir, prefix, (uint32_t)ts.tv_sec); + } - file_ctx->fp = fopen(filename, "ab"); + if (truncate) { + file_ctx->fp = fopen(filename, "wb"); + } else { + file_ctx->fp = fopen(filename, "ab"); + } if (file_ctx->fp == NULL) { SCLogError(SC_ERR_FOPEN, "failed to open %s: %s", filename, strerror(errno)); @@ -1916,7 +1945,7 @@ static int Unified2TestRotate01(void) TimeSetIncrementTime(1); - ret = Unified2AlertRotateFile(data); + ret = Unified2AlertRotateFile(data, false); if (ret == -1) goto error; diff --git a/src/util-logopenfile.h b/src/util-logopenfile.h index 063e2bfb74..df423c8bab 100644 --- a/src/util-logopenfile.h +++ b/src/util-logopenfile.h 
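Review bot: The new comment contains a typo: `/* Only register for file rotation if theout is non-timestamped. */` should read `/* Only register for file rotation if the output is non-timestamped. */`. Since `file_ctx->nostamp` has already been set from the same option, keying the registration on `if (file_ctx->nostamp)` rather than the parallel local would tie it to the state Unified2AlertOpenFileCtx actually consults. Unified2AlertInitCtx begins and ends outside this hunk.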
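Review bot: The doxygen block above the new signature still documents only `prefix`; add `\param truncate Open with "wb" (emptying any existing file at that path) instead of appending with "ab".` so callers can see that passing true can discard data. The function body continues outside the hunk.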
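Review bot: The `"wb"` open is applied whenever `truncate` is set regardless of `file_ctx->nostamp`, which changes behaviour for the default timestamped mode: the name is `prefix.<tv_sec>`, so if the size limit is reached twice within one second the second rotation reopens the same path and `"wb"` discards the alerts just written to it, where the previous unconditional `"ab"` appended; a burst large enough to fill the limit twice in a second is exactly what an attacker flooding the sensor would produce. Limiting truncation to the nostamp case, `file_ctx->fp = fopen(filename, (truncate && file_ctx->nostamp) ? "wb" : "ab");`, preserves the old behaviour for timestamped files. Even with nostamp, truncating on size limit throws away every alert an external rotator has not yet collected; that may be intended since there is no other name to roll to, but a comment here and a sentence in the yaml option text should say so. Unified2AlertOpenFileCtx continues outside the hunk.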
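Review bot: Unified2TestRotate01 now only exercises `Unified2AlertRotateFile(data, false)`, so neither the truncating reopen nor the un-suffixed nostamp filename introduced by this commit has a unit test. A second case that sets `nostamp` on the file context, writes a record, rotates with `truncate` true and asserts the file is empty and its path carries no timestamp suffix would pin the new behaviour. The test function begins and ends outside this hunk.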
@@ -123,6 +123,9 @@ typedef struct LogFileCtx_ { /* Flag set when file rotation notification is received. */ int rotation_flag; + + /* Set to true if the filename should not be timestamped. */ + bool nostamp; } LogFileCtx; /* Min time (msecs) before trying to reconnect a Unix domain socket */ diff --git a/suricata.yaml.in b/suricata.yaml.in index 95f341bcf6..6c5ee19758 100644 --- a/suricata.yaml.in +++ b/suricata.yaml.in @@ -250,6 +250,11 @@ outputs: # is parsed as bytes. #limit: 32mb + # By default unified2 log files have the file creation time (in + # unix epoch format) appended to the filename. Set this to yes to + # disable this behaviour. + #nostamp: no + # Sensor ID field of unified2 alerts. #sensor-id: 0
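Review bot: The existing comment on `rotation_flag` says only that it is set when a rotation notification is received; the unified2 readers added in this commit poll it under `fp_mutex` and clear it after rotating, while the setter (the SIGHUP notification path, per the commit message) presumably does not take that mutex, making it a plain-int cross-thread flag. If so the field should document that contract, e.g. `/* Set from the SIGHUP notification thread; readers poll it under fp_mutex and clear it after re-opening the file. */`, or use the project's atomic wrapper. `bool nostamp` also assumes `<stdbool.h>` is reachable from this header, which is worth confirming. The struct definition begins outside the hunk.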