From: Steve Chew (stechew) Date: Tue, 13 Jul 2021 22:46:38 +0000 (+0000) Subject: Merge pull request #2957 in SNORT/snort3 from ~STECHEW/snort3:events_id to master X-Git-Tag: 3.1.8.0~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a77d77d7f24982b93672b385daef92a9304eec3e;p=thirdparty%2Fsnort3.git Merge pull request #2957 in SNORT/snort3 from ~STECHEW/snort3:events_id to master Squashed commit of the following: commit 4615dadb6a99cdff0b9d2b510fa11fd031ec2de8 Author: Steve Chew Date: Tue Jul 13 14:47:21 2021 -0400 Update commit 9976e20f54ce0ca6d2d3d3906dd0bb1375bec726 Author: Steve Chew Date: Fri Jun 25 16:38:13 2021 -0400 events: Use instance_id to make event_id unique across threads. --- diff --git a/src/detection/detect.cc b/src/detection/detect.cc index 205617dd8..5f47cc84b 100644 --- a/src/detection/detect.cc +++ b/src/detection/detect.cc @@ -65,7 +65,7 @@ bool snort_log(Packet* p) void CallLogFuncs(Packet* p, ListHead* head, Event* event, const char* msg) { - event->event_id = event_id | p->context->conf->get_event_log_id(); + event->update_event_id(p->context->conf->get_event_log_id()); DetectionEngine::set_check_tags(false); pc.log_pkts++; @@ -82,8 +82,7 @@ void CallLogFuncs(Packet* p, const OptTreeNode* otn, ListHead* head) event.sig_info = const_cast(&otn->sigInfo); event.ref_time.tv_sec = p->pkth->ts.tv_sec; event.ref_time.tv_usec = p->pkth->ts.tv_usec; - event.event_id = event_id | p->context->conf->get_event_log_id(); - event.event_reference = event.event_id; + event.update_event_id_and_ref(p->context->conf->get_event_log_id()); DetectionEngine::set_check_tags(false); pc.log_pkts++; 
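Review bot: The `Event*` overload of `CallLogFuncs` now calls `update_event_id`, which refreshes only `event_id`, while both `OptTreeNode` overloads (the second hunk here and the one that follows) call `update_event_id_and_ref` and refresh `event_reference` too; nothing in the hunk says why this variant must leave the existing reference untouched. If that is deliberate, a one-line comment on the call such as `// event_reference is owned by the caller; only refresh the id` would stop a future reader from "unifying" it to the `_and_ref` form. `CallLogFuncs` continues past the end of the hunk.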
@@ -99,8 +98,7 @@ void CallAlertFuncs(Packet* p, const OptTreeNode* otn, ListHead* head) event.sig_info = const_cast(&otn->sigInfo); event.ref_time.tv_sec = p->pkth->ts.tv_sec; event.ref_time.tv_usec = p->pkth->ts.tv_usec; - event.event_id = event_id | p->context->conf->get_event_log_id(); - event.event_reference = event.event_id; + event.update_event_id_and_ref(p->context->conf->get_event_log_id()); pc.total_alert_pkts++; diff --git a/src/detection/detection_util.cc b/src/detection/detection_util.cc index e40d8a858..1c9c30753 100644 --- a/src/detection/detection_util.cc +++ b/src/detection/detection_util.cc @@ -84,7 +84,7 @@ void EventTrace_Log(const Packet* p, const OptTreeNode* otn, Actions::Type actio TextLog_Print(tlog, "\nEvt=%u, Gid=%u, Sid=%u, Rev=%u, Act=%s\n", - event_id, otn->sigInfo.gid, otn->sigInfo.sid, otn->sigInfo.rev, acts.c_str()); + get_event_id(), otn->sigInfo.gid, otn->sigInfo.sid, otn->sigInfo.rev, acts.c_str()); TextLog_Print(tlog, "Pkt=" STDu64 ", Sec=%lu.%6lu, Len=%u, Cap=%u\n", diff --git a/src/detection/fp_detect.cc b/src/detection/fp_detect.cc index f7136e1d3..3b82f9c84 100644 --- a/src/detection/fp_detect.cc +++ b/src/detection/fp_detect.cc @@ -255,11 +255,11 @@ int fpLogEvent(const RuleTreeNode* rtn, const OptTreeNode* otn, Packet* p) otn->state[get_instance_id()].alerts++; - event_id++; + incr_event_id(); IpsAction * act = get_ips_policy()->action[action]; act->exec(p, otn); - SetTags(p, otn, event_id); + SetTags(p, otn, get_event_id()); fpLogOther(p, rtn, otn, action); diff --git a/src/detection/tag.cc b/src/detection/tag.cc index b8f2f5932..fa7ed05f3 100644 --- a/src/detection/tag.cc +++ b/src/detection/tag.cc 
@@ -544,12 +544,7 @@ int CheckTagList(Packet* p, Event& event, void** log_list) if ( create_event ) { /* set the event info */ - SetEvent(event, GID_TAG, TAG_LOG_PKT, 1, 1, 1, returned->event_id); - - /* set event reference details */ - event.ref_time.tv_sec = returned->event_time.tv_sec; - event.ref_time.tv_usec = returned->event_time.tv_usec; - event.event_reference = returned->event_id | p->context->conf->get_event_log_id(); + event.set_event(GID_TAG, TAG_LOG_PKT, 1, 1, 1, returned->event_id, p->context->conf->get_event_log_id(), returned->event_time); *log_list = returned->log_list; } diff --git a/src/events/event.cc b/src/events/event.cc index 7a5471181..a2c801f17 100644 --- a/src/events/event.cc +++ b/src/events/event.cc 
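Review bot: `event.set_event(...)` passes `returned->event_id` into the new `uint16_t event_ref` parameter where the old `SetEvent` took a `uint32_t`; the tag node's field type is not visible in this hunk, and if it is wider than 16 bits the upper half is silently truncated before `calc_event_id` recombines it with `log_id`. If the stored value is already the raw 16-bit counter this is harmless, but an explicit `static_cast<uint16_t>(returned->event_id)` at the call, or a `static_assert(sizeof(returned->event_id) == sizeof(uint16_t), "tag event_id must be the raw 16-bit counter")` near it, would make that contract visible. The enclosing `if ( create_event )` block and `CheckTagList` continue outside the hunk.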
@@ -28,26 +28,58 @@ using namespace snort; -THREAD_LOCAL uint16_t event_id; // FIXIT-M also incremented in fpLogEvent() +static THREAD_LOCAL uint16_t g_event_id; -void SetEvent( - Event& event, uint32_t gid, uint32_t sid, uint32_t rev, - uint32_t classification, uint32_t priority, uint32_t event_ref) +uint16_t get_event_id() { - event.sig_info->gid = gid; - event.sig_info->sid = sid; - event.sig_info->rev = rev; - event.sig_info->class_id = classification; - event.sig_info->priority = priority; + return g_event_id; +} + +void incr_event_id() +{ + g_event_id++; +} + +static uint32_t calc_event_id(uint16_t id, uint16_t log_id) +{ + // Use instance ID to make log_id unique per packet thread. Even if + // it overflows, value will still be unique if there are less than + // 65k threads. + log_id += snort::get_instance_id(); + return (id | (log_id << 16)); +} + +void Event::update_event_id(uint16_t log_id) +{ + event_id = calc_event_id(g_event_id, log_id); +} + +void Event::update_event_id_and_ref(uint16_t log_id) +{ + event_id = calc_event_id(g_event_id, log_id); + event_reference = event_id; +} + +void Event::set_event(uint32_t gid, uint32_t sid, uint32_t rev, + uint32_t classification, uint32_t priority, uint16_t event_ref, + uint16_t log_id, const struct timeval& tv) +{ + sig_info->gid = gid; + sig_info->sid = sid; + sig_info->rev = rev; + sig_info->class_id = classification; + sig_info->priority = priority; - /* this one gets set automatically */ - event.event_id = ++event_id | SnortConfig::get_conf()->get_event_log_id(); + /* update event_id based on g_event_id. */ + incr_event_id(); + update_event_id(SnortConfig::get_conf()->get_event_log_id()); if (event_ref) - event.event_reference = event_ref; + event_reference = calc_event_id(event_ref, log_id); else - event.event_reference = event.event_id; + event_reference = event_id; - event.ref_time.tv_sec = event.ref_time.tv_usec = 0; + ref_time.tv_sec = tv.tv_sec; + ref_time.tv_usec = tv.tv_usec;; } 
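Review bot: In `calc_event_id`, `log_id << 16` shifts a `uint16_t` that has been promoted to `int`, so any `log_id` with its top bit set — which `log_id += snort::get_instance_id()` makes more likely — yields a value outside the positive `int` range; that is undefined behaviour in C++14 and still implementation-defined in C++17, while the intent is plainly an unsigned 32-bit compose. Writing `return id | (static_cast<uint32_t>(log_id) << 16);` makes it well-defined under every standard. In `set_event` the new `event_id` is built from `SnortConfig::get_conf()->get_event_log_id()` while `event_reference` uses the `log_id` parameter; if those can ever differ the two halves of one event disagree, so consider `update_event_id(log_id);` there (the old code had the same split, but the parameter now exists to remove it). The line `ref_time.tv_usec = tv.tv_usec;;` also carries a stray semicolon.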
diff --git a/src/events/event.h b/src/events/event.h index 6c053df13..50b1aec07 100644 --- a/src/events/event.h +++ b/src/events/event.h @@ -24,7 +24,6 @@ #include "main/thread.h" struct SigInfo; -extern THREAD_LOCAL uint16_t event_id; /* we must use fixed size of 32 bits, because on-disk * format of savefiles uses 32-bit tv_sec (and tv_usec) @@ -38,20 +37,35 @@ struct sf_timeval32 struct Event { SigInfo* sig_info = nullptr; - uint32_t event_id = 0; - uint32_t event_reference = 0; // reference to other events that have gone off, - // such as in the case of tagged packets... struct sf_timeval32 ref_time = { 0, 0 }; /* reference time for the event reference */ const char* alt_msg = nullptr; Event() = default; Event(SigInfo& si) { sig_info = &si; } + + uint32_t get_event_id() const { return event_id; } + void set_event_id(uint32_t id) { event_id = id; } + + uint32_t get_event_reference() const { return event_reference; } + void set_event_reference(uint32_t ref) { event_reference = ref; } + + void update_event_id(uint16_t log_id); + void update_event_id_and_ref(uint16_t log_id); + + void set_event(uint32_t gid, uint32_t sid, uint32_t rev, + uint32_t classification, uint32_t priority, uint16_t event_ref, + uint16_t log_id, const struct timeval& tv); + + +private: + uint32_t event_id = 0; + uint32_t event_reference = 0; // reference to other events that have gone off, + // such as in the case of tagged packets... }; -void SetEvent( - Event&, uint32_t gid, uint32_t sid, uint32_t rev, - uint32_t classification, uint32_t priority, uint32_t event_ref); +uint16_t get_event_id(); +void incr_event_id(); #endif diff --git a/src/framework/base_api.h b/src/framework/base_api.h index 973ae216e..27a104b73 100644 --- a/src/framework/base_api.h +++ b/src/framework/base_api.h 
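Review bot: The new public members on `Event` and the free `get_event_id()`/`incr_event_id()` are undocumented, and the naming invites confusion: the free `get_event_id()` returns the 16-bit per-thread counter (`g_event_id` in event.cc), while `Event::get_event_id()` returns the 32-bit composed id carrying the log id in its upper half. A comment on the free declarations such as `// per-thread 16-bit event counter; forms the low half of Event::event_id` and one on `update_event_id(uint16_t log_id)` saying it stores that counter with `log_id` plus the instance id in the upper 16 bits (and that `update_event_id_and_ref` additionally copies the result to `event_reference`) would make the split clear; renaming the free pair to something like `get_event_counter()`/`incr_event_counter()` would remove the ambiguity entirely. There is also a doubled blank line before `private:`.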
@@ -29,7 +29,7 @@ // this is the current version of the base api // must be prefixed to subtype version -#define BASE_API_VERSION 3 +#define BASE_API_VERSION 4 // set options to API_OPTIONS to ensure compatibility #ifndef API_OPTIONS diff --git a/src/loggers/alert_luajit.cc b/src/loggers/alert_luajit.cc index a4ad98d49..0783e2fd5 100644 --- a/src/loggers/alert_luajit.cc +++ b/src/loggers/alert_luajit.cc @@ -54,8 +54,8 @@ SO_PUBLIC const SnortEvent* get_event() lua_event.sid = event->sig_info->sid; lua_event.rev = event->sig_info->rev; - lua_event.event_id = event->event_id; - lua_event.event_ref = event->event_reference; + lua_event.event_id = event->get_event_id(); + lua_event.event_ref = event->get_event_reference(); if ( !event->sig_info->message.empty() ) lua_event.msg = event->sig_info->message.c_str(); diff --git a/src/loggers/alert_sf_socket.cc b/src/loggers/alert_sf_socket.cc index ac7876743..5151a33ac 100644 --- a/src/loggers/alert_sf_socket.cc +++ b/src/loggers/alert_sf_socket.cc @@ -294,7 +294,7 @@ static void load_sar(Packet* packet, const Event& event, SnortActionRequest& sar return; /* construct the action request */ - sar.event_id = event.event_id; + sar.event_id = event.get_event_id(); sar.tv_sec = packet->pkth->ts.tv_sec; sar.gid = event.sig_info->gid; sar.sid = event.sig_info->sid; diff --git a/src/loggers/alert_unixsock.cc b/src/loggers/alert_unixsock.cc index cd899ac87..648dea9c9 100644 --- a/src/loggers/alert_unixsock.cc +++ b/src/loggers/alert_unixsock.cc @@ -128,8 +128,8 @@ static void get_alert_pkt( us.alert.class_id = event.sig_info->class_id; us.alert.priority = event.sig_info->priority; - us.alert.event_id = event.event_id; - us.alert.event_ref = event.event_reference; + us.alert.event_id = event.get_event_id(); + us.alert.event_ref = event.get_event_reference(); us.alert.ref_time = event.ref_time; if (p && p->pkt) diff --git a/src/loggers/unified2.cc b/src/loggers/unified2.cc index 31adbf1fa..490813363 100644 
--- a/src/loggers/unified2.cc +++ b/src/loggers/unified2.cc @@ -168,7 +168,7 @@ static void alert_event(Packet* p, const char*, Unified2Config* config, const Ev u2_event.snort_id = 0; // FIXIT-H alert_event define / use - u2_event.event_id = htonl(event->event_id); + u2_event.event_id = htonl(event->get_event_id()); u2_event.event_second = htonl(event->ref_time.tv_sec); u2_event.event_microsecond = htonl(event->ref_time.tv_usec); @@ -346,7 +346,7 @@ static void _Unified2LogPacketAlert( if (event != nullptr) { - logheader.event_id = htonl(event->event_reference); + logheader.event_id = htonl(event->get_event_reference()); logheader.event_second = htonl(event->ref_time.tv_sec); } else @@ -617,7 +617,7 @@ static void _AlertIP4_v2(Packet* p, const char*, Unified2Config* config, const E memset(&alertdata, 0, sizeof(alertdata)); - alertdata.event_id = htonl(event->event_id); + alertdata.event_id = htonl(event->get_event_id()); alertdata.event_second = htonl(event->ref_time.tv_sec); alertdata.event_microsecond = htonl(event->ref_time.tv_usec); alertdata.generator_id = htonl(event->sig_info->gid); @@ -703,7 +703,7 @@ static void _AlertIP6_v2(Packet* p, const char*, Unified2Config* config, const E memset(&alertdata, 0, sizeof(alertdata)); - alertdata.event_id = htonl(event->event_id); + alertdata.event_id = htonl(event->get_event_id()); alertdata.event_second = htonl(event->ref_time.tv_sec); alertdata.event_microsecond = htonl(event->ref_time.tv_usec); alertdata.generator_id = htonl(event->sig_info->gid); 
@@ -922,10 +922,10 @@ void U2Logger::alert_legacy(Packet* p, const char* msg, const Event& event) if (p->ptrs.ip_api.is_ip6()) { const SfIp* ip = p->ptrs.ip_api.get_src(); - _WriteExtraData(&config, event.event_id, event.ref_time.tv_sec, + _WriteExtraData(&config, event.get_event_id(), event.ref_time.tv_sec, (const uint8_t*) ip->get_ip6_ptr(), sizeof(struct in6_addr), EVENT_INFO_IPV6_SRC); ip = p->ptrs.ip_api.get_dst(); - _WriteExtraData(&config, event.event_id, event.ref_time.tv_sec, + _WriteExtraData(&config, event.get_event_id(), event.ref_time.tv_sec, (const uint8_t*) ip->get_ip6_ptr(), sizeof(struct in6_addr), EVENT_INFO_IPV6_DST); } } @@ -937,7 +937,7 @@ void U2Logger::alert_legacy(Packet* p, const char* msg, const Event& event) if ( p->flow ) Stream::update_flow_alert( p->flow, p, event.sig_info->gid, event.sig_info->sid, - event.event_id, event.ref_time.tv_sec); + event.get_event_id(), event.ref_time.tv_sec); if ( p->xtradata_mask ) { @@ -947,7 +947,7 @@ void U2Logger::alert_legacy(Packet* p, const char* msg, const Event& event) if ( max_count > 0 ) AlertExtraData( p->flow, &config, log_funcs, max_count, p->xtradata_mask, - event.event_id, event.ref_time.tv_sec); + event.get_event_id(), event.ref_time.tv_sec); } } @@ -963,7 +963,7 @@ void U2Logger::alert(Packet* p, const char* msg, const Event& event) if ( p->flow ) Stream::update_flow_alert( p->flow, p, event.sig_info->gid, event.sig_info->sid, - event.event_id, event.ref_time.tv_sec); + event.get_event_id(), event.ref_time.tv_sec); if ( p->xtradata_mask ) { @@ -973,7 +973,7 @@ void U2Logger::alert(Packet* p, const char* msg, const Event& event) if ( max_count > 0 ) AlertExtraData( p->flow, &config, log_funcs, max_count, p->xtradata_mask, - event.event_id, event.ref_time.tv_sec); + event.get_event_id(), event.ref_time.tv_sec); } } diff --git a/src/main/snort_config.h b/src/main/snort_config.h index bf73f6c2f..eacd1184e 100644 --- a/src/main/snort_config.h +++ b/src/main/snort_config.h 
@@ -331,7 +331,7 @@ public: //------------------------------------------------------ // FIXIT-L command line only stuff, add to conf / module - uint32_t event_log_id = 0; + uint16_t event_log_id = 0; SfCidr obfuscation_net; std::string bpf_filter; std::string metadata_filter; @@ -545,7 +545,7 @@ public: { return run_flags & RUN_FLAG__INLINE_TEST; } // event stuff - uint32_t get_event_log_id() const + uint16_t get_event_log_id() const { return event_log_id; } bool process_all_events() const diff --git a/src/main/snort_module.cc b/src/main/snort_module.cc index a909fcd3d..a07fc1be1 100644 --- a/src/main/snort_module.cc +++ b/src/main/snort_module.cc @@ -718,7 +718,7 @@ bool SnortModule::set(const char*, Value& v, SnortConfig* sc) sc->output_flags |= OUTPUT_FLAG__LINE_BUFFER; else if ( v.is("-G") || v.is("--logid") ) - sc->event_log_id = v.get_uint16() << 16; + sc->event_log_id = v.get_uint16(); else if ( v.is("-g") ) sc->set_gid(v.get_string()); diff --git a/src/piglet_plugins/pp_event_iface.cc b/src/piglet_plugins/pp_event_iface.cc index 42052faa8..8c0463071 100644 --- a/src/piglet_plugins/pp_event_iface.cc +++ b/src/piglet_plugins/pp_event_iface.cc @@ -41,8 +41,12 @@ static void set_fields(lua_State* L, int tindex, Event& self) { Lua::Table table(L, tindex); - table.get_field("event_id", self.event_id); - table.get_field("event_reference", self.event_reference); + uint32_t value = 0; + table.get_field("event_id", value); + self.set_event_id(value); + + table.get_field("event_reference", value); + self.set_event_reference(value); const char* s = nullptr; if ( table.get_field("alt_msg", s) && s ) // FIXIT-L shouldn't need both conditions 
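Review bot: `event_log_id` changes from the pre-shifted 32-bit value to the raw 16-bit `-G`/`--logid` value, but the only comment next to it is the unrelated `FIXIT-L`; since `calc_event_id` in event.cc now adds the instance id to it and shifts it into the upper half of `Event::event_id`, a comment here such as `// -G/--logid; with the instance id added it forms the upper 16 bits of Event::event_id` would record the new contract at the point where the value is declared. Shrinking a public `SnortConfig` member also changes the plugin ABI, which is presumably why `BASE_API_VERSION` is bumped in this commit.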
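Review bot: Reusing `value` for both fields in `set_fields` changes behaviour when the Lua table carries `event_id` but not `event_reference`: `get_field` returns a bool and, going by the `alt_msg` lookup just below, appears to leave its out-parameter untouched on a miss, so `self.set_event_reference(value)` would then store the event id where the old `table.get_field("event_reference", self.event_reference)` left the existing reference alone. Either guard each store on the return value, `if ( table.get_field("event_id", value) ) self.set_event_id(value);` and likewise for `event_reference`, or reset `value` between the two reads so a miss cannot leak the previous field. The same consideration does not apply to `get_fields` in the next hunk, which only reads.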
@@ -57,8 +61,8 @@ static void get_fields(lua_State* L, int tindex, Event& self) { Lua::Table table(L, tindex); - table.set_field("event_id", self.event_id); - table.set_field("event_reference", self.event_reference); + table.set_field("event_id", self.get_event_id()); + table.set_field("event_reference", self.get_event_reference()); if ( self.alt_msg ) table.set_field("alt_msg", self.alt_msg);