From: Bhargava Jandhyala (bjandhya)
Date: Fri, 7 May 2021 09:14:15 +0000 (+0000)
Subject: Merge pull request #2846 in SNORT/snort3 from ~SMULKA/snort3:ips_log to master
X-Git-Tag: 3.1.5.0~14
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9cda9a271022cb51f56706540da3c39a16fe4cd5;p=thirdparty%2Fsnort3.git
Merge pull request #2846 in SNORT/snort3 from ~SMULKA/snort3:ips_log to master
Squashed commit of the following:
commit e3d48073b8acbba1694383b0a56e6fb00f36cdd4
Author: smulka
Date: Fri Apr 16 02:23:50 2021 -0400
packet_tracer: IPS daq trace log
---
diff --git a/src/detection/detection_engine.cc b/src/detection/detection_engine.cc
index c09f082a9..c0a848740 100644
--- a/src/detection/detection_engine.cc
+++ b/src/detection/detection_engine.cc
@@ -36,6 +36,7 @@
 #include "managers/inspector_manager.h"
 #include "managers/mpse_manager.h"
 #include "packet_io/active.h"
+#include "packet_tracer/packet_tracer.h"
 #include "parser/parser.h"
 #include "profiler/profiler_defs.h"
 #include "protocols/packet.h"
@@ -223,6 +224,9 @@ void DetectionEngine::finish_inspect(Packet* p, bool inspected)
 {
 log_events(p);
+ if ( PacketTracer::is_daq_activated() )
+ populate_trace_data();
+
 if ( p->active )
 {
 if ( p->active->session_was_blocked() and
 ( p->active->keep_pruned_flow() or
@@ -615,6 +619,9 @@ bool DetectionEngine::inspect(Packet* p)
 if ( !all_disabled(p) )
 {
+ if ( PacketTracer::is_daq_activated() )
+ PacketTracer::pt_timer_start();
+
 if ( detect(p, true) )
 return false; // don't finish out offloaded packets
 }
diff --git a/src/detection/fp_detect.cc b/src/detection/fp_detect.cc
index 1015d5db0..f7136e1d3 100644
--- a/src/detection/fp_detect.cc
+++ b/src/detection/fp_detect.cc
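Review bot: In the finish_inspect hunk the DAQ activation state is sampled separately from the sample taken in inspect() when the timer is started, and the per-thread trace buffer that fpLogOther fills is only reset inside populate_trace_data(); if PacketTracer::is_daq_activated() can change between those two points, or a packet leaves detection without reaching finish_inspect, the accumulated entries and the elapsed-time reading are carried over to the next traced packet on that thread. Consider making the reset unconditional: have populate_trace_data() check `PacketTracer::is_daq_activated()` itself before calling daq_log but always clear `tr_len` and `tr_context`, and call it from finish_inspect without the guard. Both finish_inspect() and inspect() start and end outside their hunks, and the mid-packet toggle is an inference from the three independent checks rather than anything visible here.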
@@ -94,9 +94,27 @@ enum FPTask : uint8_t
 THREAD_LOCAL ProfileStats mpsePerfStats;
 THREAD_LOCAL ProfileStats rulePerfStats;
+#define CONTEXT_LEN 1024
+static THREAD_LOCAL char tr_context[CONTEXT_LEN];
+static THREAD_LOCAL uint32_t tr_len = 0;
+
 static void fp_immediate(Packet*);
 static void fp_immediate(MpseGroup*, Packet*, const uint8_t*, unsigned);
+void populate_trace_data()
+{
+ if ( tr_len > 0 )
+ {
+ tr_context[tr_len-1] = ' ';
+ PacketTracer::daq_log("IPS+%" PRId64"++%s$",
+ TO_NSECS(pt_timer->get()),
+ tr_context);
+
+ tr_len = 0;
+ tr_context[0] = '\0';
+ }
+}
+
 static inline void init_match_info(const IpsContext* c)
 {
 for ( unsigned i = 0; i < c->conf->num_rule_types; i++ )
@@ -121,6 +139,16 @@ static inline void fpLogOther(
 otn->sigInfo.rev, act.c_str());
 }
+ if ( PacketTracer::is_daq_activated() )
+ {
+ std::string act = Actions::get_string(action);
+ tr_len += snprintf(tr_context+tr_len, sizeof(tr_context) - tr_len,
+ "gid:%u, sid:%u, rev:%u, action:%s, msg:%s\n",
+ otn->sigInfo.gid, otn->sigInfo.sid,
+ otn->sigInfo.rev, act.c_str(),
+ otn->sigInfo.message.c_str());
+ }
+
 // rule option actions are queued here (eg replace)
 otn_trigger_actions(otn, p);
diff --git a/src/detection/fp_detect.h b/src/detection/fp_detect.h
index bf52a4764..70c565ad4 100644
--- a/src/detection/fp_detect.h
+++ b/src/detection/fp_detect.h
@@ -52,6 +52,7 @@ struct RuleTreeNode;
 int fpLogEvent(const RuleTreeNode*, const OptTreeNode*, snort::Packet*);
 bool fp_eval_rtn(RuleTreeNode*, snort::Packet*, int check_ports);
 int fp_eval_option(void*, Cursor&, snort::Packet*);
+void populate_trace_data();
 #define MAX_NUM_RULE_TYPES 16 // max number of allowed rule types
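Review bot: In the fpLogOther hunk, `tr_len += snprintf(...)` adds snprintf's return value, which is the length the whole line would have had rather than what fit; once enough rules fire on one packet to fill CONTEXT_LEN, tr_len exceeds sizeof(tr_context), `sizeof(tr_context) - tr_len` wraps to a huge size on the next call, and `tr_context[tr_len-1] = ' '` in populate_trace_data (the first hunk) becomes an out-of-bounds write. Clamp the length instead: `int n = snprintf(tr_context + tr_len, sizeof(tr_context) - tr_len, "gid:%u, sid:%u, rev:%u, action:%s, msg:%s\n", ...);` followed by `if ( n > 0 ) tr_len = std::min<size_t>(tr_len + (size_t)n, sizeof(tr_context) - 1);` (add <algorithm> if it is not already included), so a long trace is truncated in the log rather than corrupting memory. The per-entry size is set by the rule message text, so a 1024-byte buffer is plausibly exhausted by a handful of alerts on one packet, though how many rules can log on a single packet is not visible here. fpLogOther starts and ends outside the hunk; populate_trace_data would also read more clearly with a comment on `tr_context[tr_len-1] = ' '` saying it overwrites the last entry's trailing newline so the record ends at the `$` terminator.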
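Review bot: `void populate_trace_data();` is added to fp_detect.h without a comment, and its contract is not obvious from the name: it consumes thread-local state and is meant to be called once per packet. Suggest `// Emit the rule hits accumulated by fpLogOther for the current packet to the DAQ trace log and clear the per-thread buffer; called from DetectionEngine::finish_inspect.` above the declaration.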