From: Jeff Lucovsky
Date: Sat, 25 May 2019 20:38:45 +0000 (-0700)
Subject: eve/logging: 2991 Optimize logging by TX
X-Git-Tag: suricata-5.0.0-rc1~267
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d568e7faddd9d8db1eba1c449e7b2da458374f42;p=thirdparty%2Fsuricata.git

eve/logging: 2991 Optimize logging by TX

This changeset makes changes to the TX logging path. Since the txn is passed to the TX logger, the TX can be used directly instead of through the TX id.
---
diff --git a/rust/src/applayertemplate/template.rs b/rust/src/applayertemplate/template.rs
index b0fc89bf97..6312316413 100644
--- a/rust/src/applayertemplate/template.rs
+++ b/rust/src/applayertemplate/template.rs
@@ -416,14 +416,10 @@ pub extern "C" fn rs_template_tx_set_logged(
 
 #[no_mangle]
 pub extern "C" fn rs_template_state_get_events(
- state: *mut libc::c_void,
- tx_id: u64,
+ tx: *mut libc::c_void
 ) -> *mut core::AppLayerDecoderEvents {
- let state = cast_pointer!(state, TemplateState);
- match state.get_tx(tx_id) {
- Some(tx) => tx.events,
- _ => std::ptr::null_mut(),
- }
+ let tx = cast_pointer!(tx, TemplateTransaction);
+ return tx.events;
 }
 
 #[no_mangle]
diff --git a/rust/src/dhcp/dhcp.rs b/rust/src/dhcp/dhcp.rs
index 13441e5021..4ac17c1624 100644
--- a/rust/src/dhcp/dhcp.rs
+++ b/rust/src/dhcp/dhcp.rs
@@ -328,15 +328,11 @@ pub extern "C" fn rs_dhcp_tx_set_logged(_state: *mut libc::c_void,
 }
 
 #[no_mangle]
-pub extern "C" fn rs_dhcp_state_get_events(state: *mut libc::c_void,
- tx_id: u64)
+pub extern "C" fn rs_dhcp_state_get_events(tx: *mut libc::c_void)
 -> *mut core::AppLayerDecoderEvents
 {
- let state = cast_pointer!(state, DHCPState);
- match state.get_tx(tx_id) {
- Some(tx) => tx.events,
- _ => std::ptr::null_mut(),
- }
+ let tx = cast_pointer!(tx, DHCPTransaction);
+ return tx.events;
 }
 
 #[no_mangle]
diff --git a/rust/src/dns/dns.rs b/rust/src/dns/dns.rs
index 67f6ceb8fd..20dea35ba7 100644
--- a/rust/src/dns/dns.rs
+++ b/rust/src/dns/dns.rs
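Review bot: `cast_pointer!(tx, TemplateTransaction)` dereferences the raw pointer unconditionally, so a NULL `tx` is now undefined behaviour where the removed `get_tx` lookup answered an unknown transaction with `std::ptr::null_mut()`. The C dispatcher forwards whatever its callers pass, and the unit-test callers in this commit take `tx` straight from `AppLayerParserGetTx` with no NULL check, so a guard before the cast keeps the old contract: `if tx.is_null() { return std::ptr::null_mut(); }`. The same applies to the dhcp, dns, ikev2, krb5, nfs, ntp and smb hunks. As a point of style, `return tx.events;` can be the tail expression `tx.events`, the form the removed match arms already used.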
@@ -745,18 +745,11 @@ pub extern "C" fn rs_dns_state_get_tx_detect_state(
 }
 
 #[no_mangle]
-pub extern "C" fn rs_dns_state_get_events(state: &mut DNSState,
- tx_id: u64)
+pub extern "C" fn rs_dns_state_get_events(tx: *mut libc::c_void)
 -> *mut core::AppLayerDecoderEvents
 {
- match state.get_tx(tx_id) {
- Some(tx) => {
- return tx.events;
- }
- _ => {
- return std::ptr::null_mut();
- }
- }
+ let tx = cast_pointer!(tx, DNSTransaction);
+ return tx.events;
 }
 
 #[no_mangle]
diff --git a/rust/src/ikev2/ikev2.rs b/rust/src/ikev2/ikev2.rs
index c8b8b3d2e8..00ffdb8851 100644
--- a/rust/src/ikev2/ikev2.rs
+++ b/rust/src/ikev2/ikev2.rs
@@ -571,15 +571,11 @@ pub extern "C" fn rs_ikev2_state_get_tx_detect_state(
 
 
 #[no_mangle]
-pub extern "C" fn rs_ikev2_state_get_events(state: *mut libc::c_void,
- tx_id: u64)
+pub extern "C" fn rs_ikev2_state_get_events(tx: *mut libc::c_void)
 -> *mut core::AppLayerDecoderEvents
 {
- let state = cast_pointer!(state,IKEV2State);
- match state.get_tx_by_id(tx_id) {
- Some(tx) => tx.events,
- _ => std::ptr::null_mut(),
- }
+ let tx = cast_pointer!(tx, IKEV2Transaction);
+ return tx.events;
 }
 
 #[no_mangle]
diff --git a/rust/src/krb/krb5.rs b/rust/src/krb/krb5.rs
index ed551497bb..d408949e24 100644
--- a/rust/src/krb/krb5.rs
+++ b/rust/src/krb/krb5.rs
@@ -367,15 +367,11 @@ pub extern "C" fn rs_krb5_state_get_tx_detect_state(
 
 
 #[no_mangle]
-pub extern "C" fn rs_krb5_state_get_events(state: *mut libc::c_void,
- tx_id: u64)
+pub extern "C" fn rs_krb5_state_get_events(tx: *mut libc::c_void)
 -> *mut core::AppLayerDecoderEvents
 {
- let state = cast_pointer!(state,KRB5State);
- match state.get_tx_by_id(tx_id) {
- Some(tx) => tx.events,
- _ => std::ptr::null_mut(),
- }
+ let tx = cast_pointer!(tx, KRB5Transaction);
+ return tx.events;
 }
 
 #[no_mangle]
diff --git a/rust/src/nfs/nfs.rs b/rust/src/nfs/nfs.rs
index 2edae59305..fdea7008fb 100644
--- a/rust/src/nfs/nfs.rs
+++ b/rust/src/nfs/nfs.rs
@@ -1589,18 +1589,11 @@ pub extern "C" fn rs_nfs_tx_get_detect_flags(
 }
 
 #[no_mangle]
-pub extern "C" fn rs_nfs_state_get_events(state: &mut NFSState,
- tx_id: u64)
+pub extern "C" fn rs_nfs_state_get_events(tx: *mut libc::c_void)
 -> *mut AppLayerDecoderEvents
 {
- match state.get_tx_by_id(tx_id) {
- Some(tx) => {
- return tx.events;
- }
- _ => {
- return std::ptr::null_mut();
- }
- }
+ let tx = cast_pointer!(tx, NFSTransaction);
+ return tx.events;
 }
 
 #[no_mangle]
diff --git a/rust/src/ntp/ntp.rs b/rust/src/ntp/ntp.rs
index 7b681b7b87..2af9e288bd 100644
--- a/rust/src/ntp/ntp.rs
+++ b/rust/src/ntp/ntp.rs
@@ -304,15 +304,11 @@ pub extern "C" fn rs_ntp_state_get_tx_detect_state(
 
 
 #[no_mangle]
-pub extern "C" fn rs_ntp_state_get_events(state: *mut libc::c_void,
- tx_id: u64)
+pub extern "C" fn rs_ntp_state_get_events(tx: *mut libc::c_void)
 -> *mut core::AppLayerDecoderEvents
 {
- let state = cast_pointer!(state,NTPState);
- match state.get_tx_by_id(tx_id) {
- Some(tx) => tx.events,
- _ => std::ptr::null_mut(),
- }
+ let tx = cast_pointer!(tx, NTPTransaction);
+ return tx.events;
 }
 
 #[no_mangle]
diff --git a/rust/src/parser.rs b/rust/src/parser.rs
index e304dead23..6a760323dc 100644
--- a/rust/src/parser.rs
+++ b/rust/src/parser.rs
@@ -137,7 +137,7 @@ pub type StateGetProgressFn = extern "C" fn (*mut c_void, u8) -> c_int;
 pub type GetDetectStateFn = extern "C" fn (*mut c_void) -> *mut DetectEngineState;
 pub type SetDetectStateFn = extern "C" fn (*mut c_void, &mut DetectEngineState) -> c_int;
 pub type GetEventInfoFn = extern "C" fn (*const c_char, *mut c_int, *mut AppLayerEventType) -> c_int;
-pub type GetEventsFn = extern "C" fn (*mut c_void, u64) -> *mut AppLayerDecoderEvents;
+pub type GetEventsFn = extern "C" fn (*mut c_void) -> *mut AppLayerDecoderEvents;
 pub type GetTxLoggedFn = extern "C" fn (*mut c_void, *mut c_void) -> u32;
 pub type SetTxLoggedFn = extern "C" fn (*mut c_void, *mut c_void, u32);
 pub type LocalStorageNewFn = extern "C" fn () -> *mut c_void;
diff --git a/rust/src/smb/smb.rs b/rust/src/smb/smb.rs
index 35239d6174..ad3dd4ee91 100644
--- a/rust/src/smb/smb.rs
+++ b/rust/src/smb/smb.rs
@@ -2104,18 +2104,11 @@ pub extern "C" fn rs_smb_state_truncate(
 }
 
 #[no_mangle]
-pub extern "C" fn rs_smb_state_get_events(state: &mut SMBState,
- tx_id: u64)
+pub extern "C" fn rs_smb_state_get_events(tx: *mut libc::c_void)
 -> *mut AppLayerDecoderEvents
 {
- match state.get_tx_by_id(tx_id) {
- Some(tx) => {
- return tx.events;
- }
- _ => {
- return std::ptr::null_mut();
- }
- }
+ let tx = cast_pointer!(tx, SMBTransaction);
+ return tx.events;
 }
 
 #[no_mangle]
diff --git a/src/app-layer-dnp3.c b/src/app-layer-dnp3.c
index b1cf55f4d4..74997ed957 100644
--- a/src/app-layer-dnp3.c
+++ b/src/app-layer-dnp3.c
@@ -1309,23 +1309,9 @@ error:
 SCReturnInt(-1);
 }
 
-static AppLayerDecoderEvents *DNP3GetEvents(void *state, uint64_t tx_id)
+static AppLayerDecoderEvents *DNP3GetEvents(void *tx)
 {
- DNP3State *dnp3 = state;
- DNP3Transaction *tx;
- uint64_t tx_num = tx_id + 1;
-
- if (dnp3->curr && dnp3->curr->tx_num == tx_num) {
- return dnp3->curr->decoder_events;
- }
-
- TAILQ_FOREACH(tx, &dnp3->tx_list, next) {
- if (tx->tx_num == tx_num) {
- return tx->decoder_events;
- }
- }
-
- return NULL;
+ return ((DNP3Transaction *) tx)->decoder_events;
 }
 
 static void *DNP3GetTx(void *alstate, uint64_t tx_id)
diff --git a/src/app-layer-dns-tcp-rust.c b/src/app-layer-dns-tcp-rust.c
index 85e4c61a30..a402e7ccc6 100644
--- a/src/app-layer-dns-tcp-rust.c
+++ b/src/app-layer-dns-tcp-rust.c
@@ -110,9 +110,9 @@ static int RustDNSSetTxDetectState(void *tx,
 return 0;
 }
 
-static AppLayerDecoderEvents *RustDNSGetEvents(void *state, uint64_t id)
+static AppLayerDecoderEvents *RustDNSGetEvents(void *tx)
 {
- return rs_dns_state_get_events(state, id);
+ return rs_dns_state_get_events(tx);
 }
 
 void RegisterRustDNSTCPParsers(void)
@@ -170,6 +170,7 @@ void RegisterRustDNSTCPParsers(void)
 AppLayerParserRegisterGetStateProgressCompletionStatus(ALPROTO_DNS,
 rs_dns_state_progress_completion_status);
 DNSAppLayerRegisterGetEventInfo(IPPROTO_TCP, ALPROTO_DNS);
+ DNSAppLayerRegisterGetEventInfoById(IPPROTO_TCP, ALPROTO_DNS);
 
 /* This parser accepts gaps. */
 AppLayerParserRegisterOptionFlags(IPPROTO_TCP, ALPROTO_DNS,
diff --git a/src/app-layer-dns-udp-rust.c b/src/app-layer-dns-udp-rust.c
index b3e5c08ab2..dba6bce3ac 100644
--- a/src/app-layer-dns-udp-rust.c
+++ b/src/app-layer-dns-udp-rust.c
@@ -116,9 +116,9 @@ static uint64_t RustDNSGetDetectFlags(void *tx, uint8_t dir)
 return rs_dns_tx_get_detect_flags(tx, dir);
 }
 
-static AppLayerDecoderEvents *RustDNSGetEvents(void *state, uint64_t id)
+static AppLayerDecoderEvents *RustDNSGetEvents(void *tx)
 {
- return rs_dns_state_get_events(state, id);
+ return rs_dns_state_get_events(tx);
 }
 
 void RegisterRustDNSUDPParsers(void)
@@ -183,6 +183,7 @@ void RegisterRustDNSUDPParsers(void)
 rs_dns_state_progress_completion_status);
 
 DNSAppLayerRegisterGetEventInfo(IPPROTO_UDP, ALPROTO_DNS);
+ DNSAppLayerRegisterGetEventInfoById(IPPROTO_UDP, ALPROTO_DNS);
 
 #if 0
 DNSUDPConfigure();
diff --git a/src/app-layer-enip.c b/src/app-layer-enip.c
index c4d27b4ea7..3a46ecfca9 100644
--- a/src/app-layer-enip.c
+++ b/src/app-layer-enip.c
@@ -112,20 +112,9 @@ static uint64_t ENIPGetTxCnt(void *alstate)
 return ((uint64_t) ((ENIPState *) alstate)->transaction_max);
 }
 
-static AppLayerDecoderEvents *ENIPGetEvents(void *state, uint64_t id)
+static AppLayerDecoderEvents *ENIPGetEvents(void *tx)
 {
- ENIPState *enip = (ENIPState *) state;
- ENIPTransaction *tx;
-
- if (enip->curr && enip->curr->tx_num == (id + 1))
- return enip->curr->decoder_events;
-
- TAILQ_FOREACH(tx, &enip->tx_list, next) {
- if (tx->tx_num == (id+1))
- return tx->decoder_events;
- }
-
- return NULL;
+ return ((ENIPTransaction *)tx)->decoder_events;
 }
 
 static int ENIPStateGetEventInfo(const char *event_name, int *event_id, AppLayerEventType *event_type)
diff --git a/src/app-layer-htp-file.c b/src/app-layer-htp-file.c
index 6e7cc6f029..a04196a74a 100644
--- a/src/app-layer-htp-file.c
+++ b/src/app-layer-htp-file.c
@@ -1264,7 +1264,8 @@ static int HTPFileParserTest08(void)
 }
 
 FLOWLOCK_WRLOCK(f);
- AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP,f->alstate, 0);
+ void *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP,f->alstate, 0);
+ AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP, tx);
 if (decoder_events == NULL) {
 printf("no app events: ");
 FLOWLOCK_UNLOCK(f);
@@ -1386,7 +1387,8 @@ static int HTPFileParserTest09(void)
 }
 
 FLOWLOCK_WRLOCK(f);
- AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP,f->alstate, 0);
+ void *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP,f->alstate, 0);
+ AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP, tx);
 if (decoder_events == NULL) {
 printf("no app events: ");
 FLOWLOCK_UNLOCK(f);
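Review bot: In the HTPFileParserTest08 hunk `tx` comes back from `AppLayerParserGetTx` and is handed to `AppLayerParserGetEventsByTx` without a NULL check, and `HTPGetEvents` (rewritten in the app-layer-htp.c hunk) now passes the pointer straight to `htp_tx_get_user_data`; if transaction 0 is missing the test would no longer reach its "no app events" branch but dereference NULL inside the getter, unless libhtp itself guards the argument, which this diff does not show. Adding `FAIL_IF_NULL(tx);` right after the `AppLayerParserGetTx` call keeps the failure inside the test, as the HTPParserTest hunk at line 6139 already does for `decoder_events`. The same unchecked pattern is in the HTPFileParserTest09/10/11 hunks and the three app-layer-htp.c test hunks. Each test function starts and ends outside its hunk.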
@@ -1506,7 +1508,8 @@ static int HTPFileParserTest10(void)
 }
 
 FLOWLOCK_WRLOCK(f);
- AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP,f->alstate, 0);
+ void *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP,f->alstate, 0);
+ AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP, tx);
 if (decoder_events != NULL) {
 printf("app events: ");
 FLOWLOCK_UNLOCK(f);
@@ -1644,7 +1647,8 @@ static int HTPFileParserTest11(void)
 }
 
 FLOWLOCK_WRLOCK(f);
- AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP,f->alstate, 0);
+ void *txtmp = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP,f->alstate, 0);
+ AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP, txtmp);
 if (decoder_events != NULL) {
 printf("app events: ");
 FLOWLOCK_UNLOCK(f);
diff --git a/src/app-layer-htp.c b/src/app-layer-htp.c
index 6c75c0e6d9..539570a169 100644
--- a/src/app-layer-htp.c
+++ b/src/app-layer-htp.c
@@ -287,19 +287,16 @@ static void HTPSetEvent(HtpState *s, HtpTxUserData *htud, uint8_t e)
 SCLogDebug("couldn't set event %u", e);
 }
 
-static AppLayerDecoderEvents *HTPGetEvents(void *state, uint64_t tx_id)
+static AppLayerDecoderEvents *HTPGetEvents(void *tx)
 {
- SCLogDebug("get HTTP events for TX %"PRIu64, tx_id);
+ SCLogDebug("get HTTP events for TX %p", tx);
 
- HtpState *s = (HtpState *)state;
- htp_tx_t *tx = HTPStateGetTx(s, tx_id);
- if (tx != NULL) {
- HtpTxUserData *htud = (HtpTxUserData *) htp_tx_get_user_data(tx);
- if (htud != NULL) {
- SCLogDebug("has htud, htud->decoder_events %p", htud->decoder_events);
- return htud->decoder_events;
- }
+ HtpTxUserData *htud = (HtpTxUserData *) htp_tx_get_user_data(tx);
+ if (htud != NULL) {
+ SCLogDebug("has htud, htud->decoder_events %p", htud->decoder_events);
+ return htud->decoder_events;
 }
+
 return NULL;
 }
 
@@ -6139,7 +6136,8 @@ libhtp:\n\
 FAIL_IF(tx->request_method_number != HTP_M_GET);
 FAIL_IF(tx->request_protocol_number != HTP_PROTOCOL_1_1);
 
- AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP,f->alstate, 0);
+ void *txtmp = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP,f->alstate, 0);
+ AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP, txtmp);
 FAIL_IF_NULL(decoder_events);
 
 FAIL_IF(decoder_events->events[0] != HTTP_DECODER_EVENT_REQUEST_FIELD_TOO_LONG);
@@ -6256,7 +6254,8 @@ libhtp:\n\
 }
 
 FLOWLOCK_WRLOCK(f);
- AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP,f->alstate, 0);
+ void *txtmp = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP,f->alstate, 0);
+ AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP, txtmp);
 if (decoder_events != NULL) {
 printf("app events: ");
 FLOWLOCK_UNLOCK(f);
@@ -6338,7 +6337,8 @@ static int HTPParserTest16(void)
 }
 
 FLOWLOCK_WRLOCK(f);
- AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP,f->alstate, 0);
+ void *txtmp = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP,f->alstate, 0);
+ AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP, txtmp);
 if (decoder_events == NULL) {
 printf("no app events: ");
 FLOWLOCK_UNLOCK(f);
diff --git a/src/app-layer-modbus.c b/src/app-layer-modbus.c
index 3a5d9276f8..5c55614f7b 100644
--- a/src/app-layer-modbus.c
+++ b/src/app-layer-modbus.c
@@ -214,20 +214,9 @@ static void ModbusSetEvent(ModbusState *modbus, uint8_t e)
 SCLogDebug("couldn't set event %u", e);
 }
 
-static AppLayerDecoderEvents *ModbusGetEvents(void *state, uint64_t id)
+static AppLayerDecoderEvents *ModbusGetEvents(void *tx)
 {
- ModbusState *modbus = (ModbusState *) state;
- ModbusTransaction *tx;
-
- if (modbus->curr && modbus->curr->tx_num == (id + 1))
- return modbus->curr->decoder_events;
-
- TAILQ_FOREACH(tx, &modbus->tx_list, next) {
- if (tx->tx_num == (id+1))
- return tx->decoder_events;
- }
-
- return NULL;
+ return ((ModbusTransaction *)tx)->decoder_events;
 }
 
 static int ModbusGetAlstateProgress(void *modbus_tx, uint8_t direction)
diff --git a/src/app-layer-nfs-tcp.c b/src/app-layer-nfs-tcp.c
index 1fe61e2cb2..ffa81a2a07 100644
--- a/src/app-layer-nfs-tcp.c
+++ b/src/app-layer-nfs-tcp.c
@@ -101,9 +101,17 @@ static int NFSTCPStateGetEventInfo(const char *event_name, int *event_id,
 return rs_nfs_state_get_event_info(event_name, event_id, event_type);
 }
 
-static AppLayerDecoderEvents *NFSTCPGetEvents(void *state, uint64_t id)
+static int NFSTCPStateGetEventInfoById(int event_id, const char **event_name,
+ AppLayerEventType *event_type)
 {
- return rs_nfs_state_get_events(state, id);
+ *event_name = "NFS TCP event name (generic)";
+ *event_type = APP_LAYER_EVENT_TYPE_TRANSACTION;
+ return 0;
+}
+
+static AppLayerDecoderEvents *NFSTCPGetEvents(void *tx)
+{
+ return rs_nfs_state_get_events(tx);
 }
 
 /**
@@ -378,6 +386,10 @@ void RegisterNFSTCPParsers(void)
 
 AppLayerParserRegisterGetEventInfo(IPPROTO_TCP, ALPROTO_NFS,
 NFSTCPStateGetEventInfo);
+
+ AppLayerParserRegisterGetEventInfoById(IPPROTO_TCP, ALPROTO_NFS,
+ NFSTCPStateGetEventInfoById);
+
 AppLayerParserRegisterGetEventsFunc(IPPROTO_TCP, ALPROTO_NFS,
 NFSTCPGetEvents);
 
diff --git a/src/app-layer-nfs-udp.c b/src/app-layer-nfs-udp.c
index 5cc58965a3..3ae3118090 100644
--- a/src/app-layer-nfs-udp.c
+++ b/src/app-layer-nfs-udp.c
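Review bot: `NFSTCPStateGetEventInfoById` ignores `event_id` and returns 0 with one fixed name for every id, so once it is registered the anomaly logger will emit "NFS TCP event name (generic)" for any NFS event code, including ids that were never defined, and the `r != 0` "unknown" branch in output-json-anomaly.c can no longer be reached for this protocol. The context lines show the name-to-id direction is delegated to `rs_nfs_state_get_event_info`; if no id-to-name lookup exists on the Rust side yet, the stub should at least say so and flag the unused parameter, e.g. `/* TODO: placeholder until the Rust parser exposes an id->name lookup; every id currently logs as the generic name */` above the function. The same stub appears in the NFS UDP and SMB hunks.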
@@ -98,9 +98,17 @@ static int NFSStateGetEventInfo(const char *event_name, int *event_id,
 return rs_nfs_state_get_event_info(event_name, event_id, event_type);
 }
 
-static AppLayerDecoderEvents *NFSGetEvents(void *state, uint64_t id)
+static int NFSStateGetEventInfoById(int event_id, const char **event_name,
+ AppLayerEventType *event_type)
 {
- return rs_nfs_state_get_events(state, id);
+ *event_name = "NFS UDP event name (generic)";
+ *event_type = APP_LAYER_EVENT_TYPE_TRANSACTION;
+ return 0;
+}
+
+static AppLayerDecoderEvents *NFSGetEvents(void *tx)
+{
+ return rs_nfs_state_get_events(tx);
 }
 
 /**
@@ -338,6 +346,10 @@ void RegisterNFSUDPParsers(void)
 
 AppLayerParserRegisterGetEventInfo(IPPROTO_UDP, ALPROTO_NFS,
 NFSStateGetEventInfo);
+
+ AppLayerParserRegisterGetEventInfoById(IPPROTO_UDP, ALPROTO_NFS,
+ NFSStateGetEventInfoById);
+
 AppLayerParserRegisterGetEventsFunc(IPPROTO_UDP, ALPROTO_NFS,
 NFSGetEvents);
 
diff --git a/src/app-layer-parser.c b/src/app-layer-parser.c
index dcca37ff1b..988bdef911 100644
--- a/src/app-layer-parser.c
+++ b/src/app-layer-parser.c
@@ -103,7 +103,7 @@ typedef struct AppLayerParserProtoCtx_
 
 void (*Truncate)(void *, uint8_t);
 FileContainer *(*StateGetFiles)(void *, uint8_t);
- AppLayerDecoderEvents *(*StateGetEvents)(void *, uint64_t);
+ AppLayerDecoderEvents *(*StateGetEvents)(void *);
 
 int (*StateGetProgress)(void *alstate, uint8_t direction);
 uint64_t (*StateGetTxCnt)(void *alstate);
@@ -433,7 +433,7 @@ void AppLayerParserRegisterGetFilesFunc(uint8_t ipproto, AppProto alproto,
 }
 
 void AppLayerParserRegisterGetEventsFunc(uint8_t ipproto, AppProto alproto,
- AppLayerDecoderEvents *(*StateGetEvents)(void *, uint64_t))
+ AppLayerDecoderEvents *(*StateGetEvents)(void *))
 {
 SCEnter();
 
@@ -844,7 +844,7 @@ void AppLayerParserSetDecoderEvents(AppLayerParserState *pstate, AppLayerDecoder
 }
 
 AppLayerDecoderEvents *AppLayerParserGetEventsByTx(uint8_t ipproto, AppProto alproto,
- void *alstate, uint64_t tx_id)
+ void *tx)
 {
 SCEnter();
 
@@ -854,7 +854,7 @@ AppLayerDecoderEvents *AppLayerParserGetEventsByTx(uint8_t ipproto, AppProto alp
 StateGetEvents != NULL)
 {
 ptr = alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].
- StateGetEvents(alstate, tx_id);
+ StateGetEvents(tx);
 }
 
 SCReturnPtr(ptr, "AppLayerDecoderEvents *");
diff --git a/src/app-layer-parser.h b/src/app-layer-parser.h
index 74320b1726..6f67b0b881 100644
--- a/src/app-layer-parser.h
+++ b/src/app-layer-parser.h
@@ -138,7 +138,7 @@ void AppLayerParserRegisterLocalStorageFunc(uint8_t ipproto, AppProto proto,
 void AppLayerParserRegisterGetFilesFunc(uint8_t ipproto, AppProto alproto,
 FileContainer *(*StateGetFiles)(void *, uint8_t));
 void AppLayerParserRegisterGetEventsFunc(uint8_t ipproto, AppProto proto,
- AppLayerDecoderEvents *(*StateGetEvents)(void *, uint64_t));
+ AppLayerDecoderEvents *(*StateGetEvents)(void *) __attribute__((nonnull)));
 void AppLayerParserRegisterLoggerFuncs(uint8_t ipproto, AppProto alproto,
 LoggerId (*StateGetTxLogged)(void *, void *),
 void (*StateSetTxLogged)(void *, void *, LoggerId));
@@ -200,8 +200,7 @@ void AppLayerParserSetTransactionInspectId(const Flow *f, AppLayerParserState *p
 
 AppLayerDecoderEvents *AppLayerParserGetDecoderEvents(AppLayerParserState *pstate);
 void AppLayerParserSetDecoderEvents(AppLayerParserState *pstate, AppLayerDecoderEvents *devents);
-AppLayerDecoderEvents *AppLayerParserGetEventsByTx(uint8_t ipproto, AppProto alproto, void *alstate,
- uint64_t tx_id);
+AppLayerDecoderEvents *AppLayerParserGetEventsByTx(uint8_t ipproto, AppProto alproto, void *tx);
 FileContainer *AppLayerParserGetFiles(uint8_t ipproto, AppProto alproto,
 void *alstate, uint8_t direction);
 int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto,
diff --git a/src/app-layer-register.h b/src/app-layer-register.h
index c7bb7d4e39..647da56c1b 100644
--- a/src/app-layer-register.h
+++ b/src/app-layer-register.h
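Review bot: `AppLayerParserGetEventsByTx` forwards `tx` to the registered callback with no NULL check, and every callback this commit touches (DNP3, ENIP, Modbus, SMTP, Template, HTP and the Rust wrappers) now casts and dereferences it directly where the old id lookups answered a miss with NULL. One guard in this dispatcher protects all of them and restores the previous "no events" result for callers that pass a missing transaction: `if (tx == NULL) SCReturnPtr(NULL, "AppLayerDecoderEvents *");` ahead of the `StateGetEvents` dispatch. The function's opening lines, including the registry lookup that guards `StateGetEvents != NULL`, are outside the hunk.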
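Review bot: In the app-layer-parser.h hunk at line 138, `__attribute__((nonnull))` is written after the `StateGetEvents` parameter declarator, where it most plausibly constrains the registration call (a non-NULL function pointer) rather than the `void *` argument the callback receives; the matching definition in app-layer-parser.c carries no attribute, and how a compiler treats `nonnull` on a function-pointer parameter is compiler-specific, so it should not be read as a guarantee that implementations never see NULL. If the intent is the callback's own argument, the attribute belongs on the callbacks themselves; otherwise a short comment such as `/* nonnull applies to the registered pointer, not to the callback's tx argument */` prevents the misreading.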
@@ -54,7 +54,7 @@ typedef struct AppLayerParser {
 DetectEngineState *(*GetTxDetectState)(void *tx);
 int (*SetTxDetectState)(void *tx, DetectEngineState *);
 
- AppLayerDecoderEvents *(*StateGetEvents)(void *, uint64_t);
+ AppLayerDecoderEvents *(*StateGetEvents)(void *);
 int (*StateGetEventInfo)(const char *event_name, int *event_id,
 AppLayerEventType *event_type);
 
diff --git a/src/app-layer-smb.c b/src/app-layer-smb.c
index 5146d59262..95d5a58926 100644
--- a/src/app-layer-smb.c
+++ b/src/app-layer-smb.c
@@ -186,9 +186,17 @@ static FileContainer *SMBGetFiles(void *state, uint8_t direction)
 return rs_smb_getfiles(direction, state);
 }
 
-static AppLayerDecoderEvents *SMBGetEvents(void *state, uint64_t id)
+static AppLayerDecoderEvents *SMBGetEvents(void *tx)
 {
- return rs_smb_state_get_events(state, id);
+ return rs_smb_state_get_events(tx);
+}
+
+static int SMBGetEventInfoById(int event_id, const char **event_name,
+ AppLayerEventType *event_type)
+{
+ *event_name = "SMB event name (generic)";
+ *event_type = APP_LAYER_EVENT_TYPE_TRANSACTION;
+ return 0;
 }
 
 static int SMBGetEventInfo(const char *event_name, int *event_id,
@@ -302,6 +310,8 @@ void RegisterSMBParsers(void)
 SMBGetEvents);
 AppLayerParserRegisterGetEventInfo(IPPROTO_TCP, ALPROTO_SMB,
 SMBGetEventInfo);
+ AppLayerParserRegisterGetEventInfoById(IPPROTO_TCP, ALPROTO_SMB,
+ SMBGetEventInfoById);
 AppLayerParserRegisterDetectStateFuncs(IPPROTO_TCP, ALPROTO_SMB,
 SMBGetTxDetectState, SMBSetTxDetectState);
 
diff --git a/src/app-layer-smtp.c b/src/app-layer-smtp.c
index f7525b24f8..73ad7141d0 100644
--- a/src/app-layer-smtp.c
+++ b/src/app-layer-smtp.c
@@ -1705,15 +1705,11 @@ static void SMTPStateTruncate(void *state, uint8_t direction)
 }
 }
 
-static AppLayerDecoderEvents *SMTPGetEvents(void *state, uint64_t tx_id)
+static AppLayerDecoderEvents *SMTPGetEvents(void *tx)
 {
- SCLogDebug("get SMTP events for TX %"PRIu64, tx_id);
+ SCLogDebug("get SMTP events for TX %p", tx);
 
- SMTPTransaction *tx = SMTPStateGetTx(state, tx_id);
- if (tx != NULL) {
- return tx->decoder_events;
- }
- return NULL;
+ return ((SMTPTransaction *)tx)->decoder_events;
 }
 
 static DetectEngineState *SMTPGetTxDetectState(void *vtx)
diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c
index 03fa785c65..ea384c8d1e 100644
--- a/src/app-layer-ssl.c
+++ b/src/app-layer-ssl.c
@@ -164,9 +164,10 @@ void SSLSetEvent(SSLState *ssl_state, uint8_t event)
 ssl_state->events++;
 }
 
-static AppLayerDecoderEvents *SSLGetEvents(void *state, uint64_t id)
+static AppLayerDecoderEvents *SSLGetEvents(void *tx)
 {
- SSLState *ssl_state = (SSLState *)state;
+ /* for TLS, TX == state, see GetTx */
+ SSLState *ssl_state = (SSLState *)tx;
 return ssl_state->decoder_events;
 }
 
diff --git a/src/app-layer-template.c b/src/app-layer-template.c
index 9e8cfeadf6..dd0fd203d7 100644
--- a/src/app-layer-template.c
+++ b/src/app-layer-template.c
@@ -190,18 +190,9 @@ static int TemplateStateGetEventInfoById(int event_id, const char **event_name,
 return 0;
 }
 
-static AppLayerDecoderEvents *TemplateGetEvents(void *statev, uint64_t tx_id)
+static AppLayerDecoderEvents *TemplateGetEvents(void *tx)
 {
- TemplateState *state = statev;
- TemplateTransaction *tx;
-
- TAILQ_FOREACH(tx, &state->tx_list, next) {
- if (tx->tx_id == tx_id) {
- return tx->decoder_events;
- }
- }
-
- return NULL;
+ return ((TemplateTransaction *)tx)->decoder_events;
 }
 
 /**
diff --git a/src/app-layer-tftp.c b/src/app-layer-tftp.c
index 22ce1d2992..bac605d467 100644
--- a/src/app-layer-tftp.c
+++ b/src/app-layer-tftp.c
@@ -72,7 +72,7 @@ static int TFTPStateGetEventInfo(const char *event_name, int *event_id,
 return -1;
 }
 
-static AppLayerDecoderEvents *TFTPGetEvents(void *state, uint64_t tx_id)
+static AppLayerDecoderEvents *TFTPGetEvents(void *tx)
 {
 return NULL;
 }
diff --git a/src/detect-app-layer-event.c b/src/detect-app-layer-event.c
index 37c01bdaec..092ab0bc1f 100644
--- a/src/detect-app-layer-event.c
+++ b/src/detect-app-layer-event.c
@@ -95,7 +95,7 @@ static int DetectEngineAptEventInspect(ThreadVars *tv,
 DetectAppLayerEventData *aled = NULL;
 
 alproto = f->alproto;
- decoder_events = AppLayerParserGetEventsByTx(f->proto, alproto, alstate, tx_id);
+ decoder_events = AppLayerParserGetEventsByTx(f->proto, alproto, tx);
 if (decoder_events == NULL)
 goto end;
 
diff --git a/src/output-json-anomaly.c b/src/output-json-anomaly.c
index 0a9f7f92a6..e9b64af5b3 100644
--- a/src/output-json-anomaly.c
+++ b/src/output-json-anomaly.c
@@ -137,7 +137,7 @@ static int AnomalyDecodeEventJson(ThreadVars *tv, JsonAnomalyLogThread *aft,
 
 static int AnomalyAppLayerDecoderEventJson(JsonAnomalyLogThread *aft,
 const Packet *p, AppLayerDecoderEvents *decoder_events,
- bool is_applayer, const char *layer, uint64_t tx_id)
+ bool is_pktlayer, const char *layer, uint64_t tx_id)
 {
 const char *alprotoname = AppLayerGetProtoName(p->flow->alproto);
 
@@ -168,28 +168,20 @@ static int AnomalyAppLayerDecoderEventJson(JsonAnomalyLogThread *aft,
 
 JsonAddCommonOptions(&aft->json_output_ctx->cfg, p, p->flow, js);
 
- /* Use app layer proto name if available */
- if (alprotoname) {
- json_object_set_new(ajs, "alproto", json_string(alprotoname));
- } else {
- json_object_set_new(ajs, "alproto",
- p->flow ? json_integer(p->flow->alproto) : json_string("unknown"));
- }
+ json_object_set_new(js, "app_proto", json_string(alprotoname));
 
 const char *event_name = NULL;
 uint8_t event_code = decoder_events->events[i];
 AppLayerEventType event_type;
 int r;
- if (is_applayer) {
+ if (is_pktlayer) {
 r = AppLayerGetEventInfoById(event_code, &event_name, &event_type);
 } else {
 r = AppLayerParserGetEventInfoById(p->flow->proto, p->flow->alproto,
 event_code, &event_name, &event_type);
 }
 if (r == 0) {
- json_object_set_new(ajs, "type",
- json_string(event_type == APP_LAYER_EVENT_TYPE_TRANSACTION ?
- "transaction" : "packet"));
+ json_object_set_new(ajs, "type", json_string("applayer"));
 json_object_set_new(ajs, "event", json_string(event_name));
 } else {
 json_object_set_new(ajs, "type", json_string("unknown"));
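Review bot: `json_object_set_new(js, "app_proto", json_string(alprotoname))` drops the NULL case the removed block handled explicitly; when `AppLayerGetProtoName` yields NULL, `json_string` (jansson) returns NULL and `json_object_set_new` fails, so the record silently loses the field instead of carrying a fallback. Keeping a fallback is one line: `json_object_set_new(js, "app_proto", json_string(alprotoname ? alprotoname : "unknown"));`. Note also that with `type` now the constant "applayer", `event_type` is still filled by the `*GetEventInfoById` lookup but, as far as this hunk shows, no longer read; if that is intended the variable could go, otherwise the transaction/packet distinction was lost silently. The function begins and ends outside the hunk.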
@@ -220,15 +212,13 @@ static int AnomalyAppLayerDecoderEventJson(JsonAnomalyLogThread *aft,
 static int JsonAnomalyTxLogger(ThreadVars *tv, void *thread_data, const Packet *p,
 Flow *f, void *state, void *tx, uint64_t tx_id)
 {
- JsonAnomalyLogThread *aft = thread_data;
- uint8_t proto = f->proto;
- AppProto alproto = f->alproto;
 AppLayerDecoderEvents *decoder_events;
- decoder_events = AppLayerParserGetEventsByTx(proto, alproto, state, tx_id);
- if (decoder_events && (decoder_events->event_last_logged < decoder_events->cnt)) {
+ decoder_events = AppLayerParserGetEventsByTx(f->proto, f->alproto, tx);
+ if (decoder_events && decoder_events->event_last_logged < decoder_events->cnt) {
 SCLogDebug("state %p, tx: %p, tx_id: %"PRIu64, state, tx, tx_id);
+ JsonAnomalyLogThread *aft = thread_data;
 AnomalyAppLayerDecoderEventJson(aft, p, decoder_events, false,
- "applayer_parser", tx_id);
+ "proto_parser", tx_id);
 }
 return TM_ECODE_OK;
 }
@@ -239,6 +229,11 @@ static inline bool AnomalyHasParserEvents(const Packet *p)
 AppLayerParserHasDecoderEvents(p->flow->alparser));
 }
 
+static inline bool AnomalyHasPacketAppLayerEvents(const Packet *p)
+{
+ return p->app_layer_events && p->app_layer_events->cnt;
+}
+
 static int AnomalyJson(ThreadVars *tv, JsonAnomalyLogThread *aft, const Packet *p)
 {
 
@@ -249,9 +244,9 @@ static int AnomalyJson(ThreadVars *tv, JsonAnomalyLogThread *aft, const Packet *
 }
 
 /* app layer events */
- if (rc == TM_ECODE_OK && p->app_layer_events && p->app_layer_events->cnt) {
+ if (rc == TM_ECODE_OK && AnomalyHasPacketAppLayerEvents(p)) {
 rc = AnomalyAppLayerDecoderEventJson(aft, p, p->app_layer_events,
- true, "app_layer", TX_ID_UNUSED);
+ true, "proto_detect", TX_ID_UNUSED);
 }
 
 /* parser state events */
@@ -275,7 +270,9 @@ static int JsonAnomalyLogger(ThreadVars *tv, void *thread_data, const Packet *p)
 
 static int JsonAnomalyLogCondition(ThreadVars *tv, const Packet *p)
 {
- return p->events.cnt > 0 || p->app_layer_events || AnomalyHasParserEvents(p);
+ return p->events.cnt > 0 ||
+ (p->app_layer_events && p->app_layer_events->cnt > 0) ||
+ AnomalyHasParserEvents(p);
 }
 
 #define OUTPUT_BUFFER_SIZE 65535
@@ -323,16 +320,6 @@ static TmEcode JsonAnomalyLogThreadDeinit(ThreadVars *t, void *data)
 return TM_ECODE_OK;
 }
 
-static void JsonAnomalyLogDeInitCtx(OutputCtx *output_ctx)
-{
- AnomalyJsonOutputCtx *json_output_ctx = (AnomalyJsonOutputCtx *) output_ctx->data;
- if (json_output_ctx != NULL) {
- LogFileFreeCtx(json_output_ctx->file_ctx);
- SCFree(json_output_ctx);
- }
- SCFree(output_ctx);
-}
-
 static void JsonAnomalyLogDeInitCtxSub(OutputCtx *output_ctx)
 {
 SCLogDebug("cleaning up sub output_ctx %p", output_ctx);
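Review bot: `JsonAnomalyLogCondition` spells out `p->app_layer_events && p->app_layer_events->cnt > 0` while the same commit introduces `AnomalyHasPacketAppLayerEvents` (defined earlier in this file, in the hunk at line 229) for exactly that test; routing both call sites through the helper keeps them from drifting apart the way the old `p->app_layer_events`-only check did. The body becomes `return p->events.cnt > 0 || AnomalyHasPacketAppLayerEvents(p) || AnomalyHasParserEvents(p);`.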
@@ -369,50 +356,6 @@ static void JsonAnomalyLogConf(AnomalyJsonOutputCtx *json_output_ctx,
 json_output_ctx->flags |= flags;
 }
 
-/**
- * \brief Create a new LogFileCtx for "fast" output style.
- * \param conf The configuration node for this output.
- * \return A LogFileCtx pointer on success, NULL on failure.
- */
-static OutputInitResult JsonAnomalyLogInitCtx(ConfNode *conf)
-{
- OutputInitResult result = { NULL, false };
- AnomalyJsonOutputCtx *json_output_ctx = NULL;
- LogFileCtx *logfile_ctx = LogFileNewCtx();
- if (logfile_ctx == NULL) {
- SCLogDebug("JsonAnomalyLogInitCtx: Could not create new LogFileCtx");
- return result;
- }
-
- if (SCConfLogOpenGeneric(conf, logfile_ctx, DEFAULT_LOG_FILENAME, 1) < 0) {
- LogFileFreeCtx(logfile_ctx);
- return result;
- }
-
- OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
- if (unlikely(output_ctx == NULL)) {
- LogFileFreeCtx(logfile_ctx);
- return result;
- }
-
- json_output_ctx = SCCalloc(1, sizeof(AnomalyJsonOutputCtx));
- if (unlikely(json_output_ctx == NULL)) {
- LogFileFreeCtx(logfile_ctx);
- SCFree(output_ctx);
- return result;
- }
-
- json_output_ctx->file_ctx = logfile_ctx;
- JsonAnomalyLogConf(json_output_ctx, conf);
-
- output_ctx->data = json_output_ctx;
- output_ctx->DeInit = JsonAnomalyLogDeInitCtx;
-
- result.ctx = output_ctx;
- result.ok = true;
- return result;
-}
-
 /**
  * \brief Create a new LogFileCtx for "fast" output style.
  * \param conf The configuration node for this output.
@@ -452,10 +395,6 @@ error:
 
 void JsonAnomalyLogRegister (void)
 {
- OutputRegisterPacketModule(LOGGER_JSON_ANOMALY, MODULE_NAME, "anomaly-json-log",
- JsonAnomalyLogInitCtx, JsonAnomalyLogger, JsonAnomalyLogCondition,
- JsonAnomalyLogThreadInit, JsonAnomalyLogThreadDeinit, NULL);
-
 OutputRegisterPacketSubModule(LOGGER_JSON_ANOMALY, "eve-log", MODULE_NAME,
 "eve-log.anomaly", JsonAnomalyLogInitCtxSub, JsonAnomalyLogger,
 JsonAnomalyLogCondition, JsonAnomalyLogThreadInit, JsonAnomalyLogThreadDeinit,