From: Steven Baigal (sbaigal) Date: Tue, 21 Mar 2023 13:16:27 +0000 (+0000) Subject: Pull request #3766: host cache: removed some log to prevent log flooding X-Git-Tag: 3.1.58.0~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d1d9dd06e2a350413dca77af93ee5fa64a616dc3;p=thirdparty%2Fsnort3.git Pull request #3766: host cache: removed some log to prevent log flooding Merge in SNORT/snort3 from ~RSHAFIQ/snort3:host_cache_logs to master Squashed commit of the following: commit ec6949eab03ba034c9ed416476329e1a6c6ad697 Author: rshafiq Date: Thu Feb 16 09:30:46 2023 -0500 host cache: removed some log to prevent log flooding --- diff --git a/src/control/control.cc b/src/control/control.cc index 39da1119c..df47773c7 100644 --- a/src/control/control.cc +++ b/src/control/control.cc @@ -34,6 +34,7 @@ using namespace snort; +std::vector ControlConn::log_exclusion_list; ControlConn* ControlConn::query_from_lua(const lua_State* L) { @@ -77,6 +78,36 @@ void ControlConn::configure() const ModuleManager::load_commands(shell); } +void ControlConn::log_command(const std::string& command, bool log) +{ + if(command.empty()) + return; + + auto it = std::find(log_exclusion_list.begin(), log_exclusion_list.end(), command); + if (log) + { + if (it != log_exclusion_list.end()) + log_exclusion_list.erase(it); + } else + { + if (it == log_exclusion_list.end()) + log_exclusion_list.push_back(command); + } +} + +bool ControlConn::loggable(const std::string& command) +{ + if(log_exclusion_list.empty() or command.empty()) + return true; + + for (const auto& m : log_exclusion_list) + { + if (command.find(m) != std::string::npos) + return false; + } + return true; +} + int ControlConn::read_commands() { char buf[STD_BUF]; @@ -90,9 +121,9 @@ int ControlConn::read_commands() char* nl; while ((nl = strchr(p, '\n')) != nullptr) { - std::string command = next_command; next_command.append(buf, nl - p); - LogMessage("Control: received command, %s\n", next_command.c_str()); + if(loggable(next_command)) + LogMessage("Control: received command, %s\n", next_command.c_str()); pending_commands.push(std::move(next_command)); next_command.clear(); p = nl + 1; diff --git a/src/control/control.h b/src/control/control.h index 6076cda7c..8c4c67c49 100644 --- a/src/control/control.h +++ b/src/control/control.h @@ -27,6 +27,7 @@ #include #include #include +#include #include "main/snort_types.h" @@ -68,8 +69,11 @@ public: SO_PUBLIC bool respond(const char* format, ...) __attribute__((format (printf, 2, 3))); SO_PUBLIC static ControlConn* query_from_lua(const lua_State*); + static void log_command(const std::string& module, bool log); + private: void touch(); + bool loggable(const std::string& command); private: std::queue pending_commands; @@ -80,6 +84,8 @@ private: bool blocked = false; bool removed = false; time_t touched; + + static std::vector log_exclusion_list; }; #define LogRespond(cn, ...) do { if (cn) cn->respond(__VA_ARGS__); else LogMessage(__VA_ARGS__); } while(0) diff --git a/src/host_tracker/host_cache_module.cc b/src/host_tracker/host_cache_module.cc index 906efe722..2ea6c0c49 100644 --- a/src/host_tracker/host_cache_module.cc +++ b/src/host_tracker/host_cache_module.cc @@ -36,10 +36,11 @@ using namespace snort; using namespace std; +THREAD_LOCAL const Trace* host_cache_trace = nullptr; + //------------------------------------------------------------------------- // commands //------------------------------------------------------------------------- - static int host_cache_dump(lua_State* L) { HostCacheModule* mod = (HostCacheModule*) ModuleManager::get_module(HOST_CACHE_NAME); @@ -69,14 +70,14 @@ static int host_cache_delete_host(lua_State* L) const char* ips = luaL_optstring(L, 1, nullptr); if (ips == nullptr) { - LogMessage("Usage: host_cache.delete_host(ip)\n"); + debug_logf(host_cache_trace, nullptr, "Usage: host_cache.delete_host(ip)\n"); return 0; } SfIp ip; if (ip.set(ips) != SFIP_SUCCESS) { - LogMessage("Bad ip %s\n", ips); + debug_logf(host_cache_trace, nullptr, "Bad ip %s\n", ips); return 0; } @@ -85,11 +86,10 @@ static int host_cache_delete_host(lua_State* L) ht->set_visibility(false); else { - LogMessage("%s not found in host cache\n", ips); + debug_logf(host_cache_trace, nullptr, "%s not found in host cache\n", ips); return 0; } - - LogMessage("host_cache_delete_host done\n"); + debug_logf(host_cache_trace, nullptr, "host_cache_delete_host done\n"); } return 0; } @@ -104,14 +104,14 @@ static int host_cache_delete_network_proto(lua_State* L) if (ips == nullptr || proto == -1) { - LogMessage("Usage: host_cache.delete_network_proto(ip, proto)\n"); + debug_logf(host_cache_trace, nullptr, "Usage: host_cache.delete_network_proto(ip, proto)\n"); return 0; } SfIp ip; if (ip.set(ips) != SFIP_SUCCESS) { - LogMessage("Bad ip %s\n", ips); + debug_logf(host_cache_trace, nullptr, "Bad ip %s\n", ips); return 0; } @@ -120,17 +120,16 @@ static int host_cache_delete_network_proto(lua_State* L) { if ( !ht->set_network_proto_visibility(proto, false) ) { - LogMessage("%d not found for host %s\n", proto, ips); + debug_logf(host_cache_trace, nullptr, "%d not found for host %s\n", proto, ips); return 0; } } else { - LogMessage("%s not found in host cache\n", ips); + debug_logf(host_cache_trace, nullptr, "%s not found in host cache\n", ips); return 0; } - - LogMessage("host_cache_delete_network_proto done\n"); + debug_logf(host_cache_trace, nullptr, "host_cache_delete_network_proto done\n"); } return 0; } @@ -142,17 +141,16 @@ static int host_cache_delete_transport_proto(lua_State* L) { const char* ips = luaL_optstring(L, 1, nullptr); int proto = luaL_optint(L, 2, -1); - if ( ips == nullptr || proto == -1 ) { - LogMessage("Usage: host_cache.delete_transport_proto(ip, proto)\n"); + debug_logf(host_cache_trace, nullptr, "Usage: host_cache.delete_transport_proto(ip, proto)\n"); return 0; } SfIp ip; if ( ip.set(ips) != SFIP_SUCCESS ) { - LogMessage("Bad ip %s\n", ips); + debug_logf(host_cache_trace, nullptr, "Bad ip %s\n", ips); return 0; } @@ -161,17 +159,16 @@ static int host_cache_delete_transport_proto(lua_State* L) { if ( !ht->set_xproto_visibility(proto, false) ) { - LogMessage("%d not found for host %s\n", proto, ips); + debug_logf(host_cache_trace, nullptr, "%d not found for host %s\n", proto, ips); return 0; } } else { - LogMessage("%s not found in host cache\n", ips); + debug_logf(host_cache_trace, nullptr, "%s not found in host cache\n", ips); return 0; } - - LogMessage("host_cache_delete_transport_proto done\n"); + debug_logf(host_cache_trace, nullptr, "host_cache_delete_transport_proto done\n"); } return 0; } @@ -187,20 +184,20 @@ static int host_cache_delete_service(lua_State* L) if ( ips == nullptr || port == -1 || proto == -1 ) { - LogMessage("Usage: host_cache.delete_service(ip, port, proto).\n"); + debug_logf(host_cache_trace, nullptr, "Usage: host_cache.delete_service(ip, port, proto).\n"); return 0; } if ( !(0 <= proto and proto < 256) ) { - LogMessage("Protocol must be between 0 and 255.\n"); + debug_logf(host_cache_trace, nullptr, "Protocol must be between 0 and 255.\n"); return 0; } SfIp ip; if ( ip.set(ips) != SFIP_SUCCESS ) { - LogMessage("Bad ip %s\n", ips); + debug_logf(host_cache_trace, nullptr, "Bad ip %s\n", ips); return 0; } @@ -209,17 +206,16 @@ static int host_cache_delete_service(lua_State* L) { if ( !ht->set_service_visibility(port, (IpProtocol)proto, false) ) { - LogMessage("%d or %d not found for host %s\n", port, proto, ips); + debug_logf(host_cache_trace, nullptr, "%d or %d not found for host %s\n", port, proto, ips); return 0; } } else { - LogMessage("%s not found in host cache\n", ips); + debug_logf(host_cache_trace, nullptr, "%s not found in host cache\n", ips); return 0; } - - LogMessage("host_cache_delete_service done\n"); + debug_logf(host_cache_trace, nullptr, "host_cache_delete_service done\n"); } return 0; } @@ -236,14 +232,14 @@ static int host_cache_delete_client(lua_State* L) if (ips == nullptr || id == -1 || service == -1) { - LogMessage("Usage: host_cache.delete_client(ip, id, service, ).\n"); + debug_logf(host_cache_trace, nullptr, "Usage: host_cache.delete_client(ip, id, service, ).\n"); return 0; } SfIp ip; if (ip.set(ips) != SFIP_SUCCESS) { - LogMessage("Bad ip %s\n", ips); + debug_logf(host_cache_trace, nullptr, "Bad ip %s\n", ips); return 0; } @@ -253,17 +249,16 @@ static int host_cache_delete_client(lua_State* L) HostClient hc(id, version, service); if ( !ht->set_client_visibility(hc, false) ) { - LogMessage("Client not found for host %s\n", ips); + debug_logf(host_cache_trace, nullptr, "Client not found for host %s\n", ips); return 0; } } else { - LogMessage("%s not found in host cache\n", ips); + debug_logf(host_cache_trace, nullptr, "%s not found in host cache\n", ips); return 0; } - - LogMessage("host_cache_delete_client done\n"); + debug_logf(host_cache_trace, nullptr, "host_cache_delete_client done\n"); } return 0; } @@ -371,7 +366,10 @@ bool HostCacheModule::end(const char* fqn, int, SnortConfig* sc) if ( Snort::is_reloading() ) sc->register_reload_handler(new HostCacheReloadTuner(memcap)); else + { host_cache.set_max_size(memcap); + ControlConn::log_command("host_cache.delete_host",false); + } } return true; @@ -489,3 +487,17 @@ void HostCacheModule::sum_stats(bool accumulate_now_stats) Module::sum_stats(accumulate_now_stats); host_cache.unlock(); } + +void HostCacheModule::set_trace(const Trace* trace) const +{ host_cache_trace = trace; } + +const TraceOption* HostCacheModule::get_trace_options() const +{ +#ifndef DEBUG_MSGS + return nullptr; +#else + static const TraceOption host_cache_trace_options(nullptr, 0, nullptr); + + return &host_cache_trace_options; +#endif +} diff --git a/src/host_tracker/host_cache_module.h b/src/host_tracker/host_cache_module.h index 21feb2c71..258f6b8f0 100644 --- a/src/host_tracker/host_cache_module.h +++ b/src/host_tracker/host_cache_module.h @@ -28,6 +28,7 @@ #include "framework/module.h" #include "main/snort.h" #include "main/reload_tuner.h" +#include "trace/trace_api.h" #include "host_cache.h" @@ -75,10 +76,14 @@ public: void log_host_cache(const char* file_name, bool verbose = false); std::string get_host_cache_stats(); + void set_trace(const snort::Trace*) const override; + const snort::TraceOption* get_trace_options() const override; + private: std::string dump_file; size_t memcap = 0; }; +extern THREAD_LOCAL const snort::Trace* host_cache_trace; #endif diff --git a/src/host_tracker/test/host_cache_module_test.cc b/src/host_tracker/test/host_cache_module_test.cc index 057be7b01..557226d5f 100644 --- a/src/host_tracker/test/host_cache_module_test.cc +++ b/src/host_tracker/test/host_cache_module_test.cc @@ -48,11 +48,16 @@ static char logged_message[LOG_MAX+1]; static ControlConn ctrlcon(1, true); ControlConn::ControlConn(int, bool) {} ControlConn::~ControlConn() {} +void ControlConn::log_command(const std::string& , bool ) { } ControlConn* ControlConn::query_from_lua(const lua_State*) { return &ctrlcon; } bool ControlConn::respond(const char*, ...) { return true; } namespace snort { +void trace_vprintf(const char*, TraceLevel, const char*, const Packet*, const char*, va_list) { } +uint8_t TraceApi::get_constraints_generation() { return 0; } +void TraceApi::filter(const Packet&) { } + const SnortConfig* SnortConfig::get_conf() { return nullptr; } diff --git a/src/main.cc b/src/main.cc index 9049b4ca5..a97d34249 100644 --- a/src/main.cc +++ b/src/main.cc @@ -379,6 +379,25 @@ int main_set_watchdog_params(lua_State* L) return 0; } +int main_log_command(lua_State* L) +{ + if (!L) + return 0; + + ControlConn* ctrlcon = ControlConn::query_from_lua(L); + if (lua_gettop(L) >= 2) + { + std::string command = luaL_optstring(L, 1, nullptr); + bool exclusion = luaL_opt(L,lua_toboolean, 2, true); + ctrlcon->log_command(command, exclusion); + LogRespond(ctrlcon, "Control: Logging %s for %s\n", exclusion ? "enabled" : "disabled" , command.c_str()); + } + else + LogRespond(ctrlcon, "Usage: log_command(,true|false)\n"); + + return 0; +} + int main_rotate_stats(lua_State* L) { ControlConn* ctrlcon = ControlConn::query_from_lua(L); diff --git a/src/main.h b/src/main.h index c9c66213e..927e4d2f4 100644 --- a/src/main.h +++ b/src/main.h @@ -28,6 +28,7 @@ const char* get_prompt(); // commands provided by the snort module int main_delete_inspector(lua_State* = nullptr); int main_dump_stats(lua_State* = nullptr); +int main_log_command(lua_State* = nullptr); int main_dump_heap_stats(lua_State* = nullptr); int main_reset_stats(lua_State* = nullptr); int main_set_watchdog_params(lua_State* = nullptr); diff --git a/src/main/snort_module.cc b/src/main/snort_module.cc index 0bc012654..740a4a1ac 100644 --- a/src/main/snort_module.cc +++ b/src/main/snort_module.cc @@ -111,6 +111,13 @@ static const Parameter s_watchdog[] = { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } }; +static const Parameter main_log_command_param[] = +{ + { "command", Parameter::PT_STRING, nullptr, nullptr, " to update logging" }, + { "logging", Parameter::PT_BOOL, nullptr, nullptr, " true|false, enable or disable logging" }, + { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } +}; + static const Command snort_cmds[] = { { "set_watchdog_params", main_set_watchdog_params, s_watchdog, "set watchdog parameters" }, @@ -127,6 +134,7 @@ static const Command snort_cmds[] = { "reload_policy", main_reload_policy, s_reload, "reload part or all of the default policy" }, { "reload_daq", main_reload_daq, nullptr, "reload daq module" }, { "reload_hosts", main_reload_hosts, s_reload, "load a new hosts table" }, + { "log_command", main_log_command,main_log_command_param, "enabled or disable logging of a command"}, // FIXIT-M rewrite trough to permit updates on the fly //{ "process", main_process, nullptr, "process given pcap" },