/**
* \brief Initialize the "magic" context.
*/
int MagicInit(void)
{
BUG_ON(g_magic_ctx != NULL);
SCEnter();
char *filename = NULL;
FILE *fd = NULL;
SCMutexInit(&g_magic_lock, NULL);
SCMutexLock(&g_magic_lock);
g_magic_ctx = magic_open(0);
if (g_magic_ctx == NULL) {
SCLogError(SC_ERR_MAGIC_OPEN, "magic_open failed: %s",
magic_error(g_magic_ctx));
goto error;
}
(void)ConfGet("magic-file", &filename);
if (filename != NULL) {
if (strlen(filename) == 0) {
/* set filename to NULL on *nix systems so magic_load uses system
* default path (see man libmagic) */
SCLogConfig("using system default magic-file");
filename = NULL;
}
else {
SCLogConfig("using magic-file %s", filename);
if ( (fd = fopen(filename, "r")) == NULL) {
SCLogWarning(SC_ERR_FOPEN, "Error opening file: \"%s\": %s",
filename, strerror(errno));
goto error;
}
fclose(fd);
}
}
if (magic_load(g_magic_ctx, filename) != 0) {
SCLogError(SC_ERR_MAGIC_LOAD, "magic_load failed: %s",
magic_error(g_magic_ctx));
goto error;
}
SCMutexUnlock(&g_magic_lock);
SCReturnInt(0);
error:
if (g_magic_ctx != NULL) {
magic_close(g_magic_ctx);
g_magic_ctx = NULL;
}
SCMutexUnlock(&g_magic_lock);
SCReturnInt(-1);
}
/** \brief Create a new http log LogFileCtx.
* \param conf Pointer to ConfNode containing this loggers configuration.
* \return NULL if failure, LogFileCtx* to the file_ctx if succesful
* */
OutputCtx *OutputFileLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
{
OutputJsonCtx *ojc = parent_ctx->data;
OutputFileCtx *output_file_ctx = SCMalloc(sizeof(OutputFileCtx));
if (unlikely(output_file_ctx == NULL))
return NULL;
OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
if (unlikely(output_ctx == NULL)) {
SCFree(output_file_ctx);
return NULL;
}
output_file_ctx->file_ctx = ojc->file_ctx;
if (conf) {
const char *force_filestore = ConfNodeLookupChildValue(conf, "force-filestore");
if (force_filestore != NULL && ConfValIsTrue(force_filestore)) {
FileForceFilestoreEnable();
SCLogConfig("forcing filestore of all files");
}
const char *force_magic = ConfNodeLookupChildValue(conf, "force-magic");
if (force_magic != NULL && ConfValIsTrue(force_magic)) {
FileForceMagicEnable();
SCLogConfig("forcing magic lookup for logged files");
}
const char *force_md5 = ConfNodeLookupChildValue(conf, "force-md5");
if (force_md5 != NULL && ConfValIsTrue(force_md5)) {
#ifdef HAVE_NSS
FileForceMd5Enable();
SCLogConfig("forcing md5 calculation for logged files");
#else
SCLogInfo("md5 calculation requires linking against libnss");
#endif
}
}
output_ctx->data = output_file_ctx;
output_ctx->DeInit = OutputFileLogDeinitSub;
FileForceTrackingEnable();
return output_ctx;
}
/** \brief Create a new http log LogFileCtx.
* \param conf Pointer to ConfNode containing this loggers configuration.
* \return NULL if failure, LogFileCtx* to the file_ctx if succesful
* */
static OutputCtx *OutputFileLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
{
OutputJsonCtx *ojc = parent_ctx->data;
OutputFileCtx *output_file_ctx = SCMalloc(sizeof(OutputFileCtx));
if (unlikely(output_file_ctx == NULL))
return NULL;
OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
if (unlikely(output_ctx == NULL)) {
SCFree(output_file_ctx);
return NULL;
}
output_file_ctx->file_ctx = ojc->file_ctx;
if (conf) {
const char *force_filestore = ConfNodeLookupChildValue(conf, "force-filestore");
if (force_filestore != NULL && ConfValIsTrue(force_filestore)) {
FileForceFilestoreEnable();
SCLogConfig("forcing filestore of all files");
}
const char *force_magic = ConfNodeLookupChildValue(conf, "force-magic");
if (force_magic != NULL && ConfValIsTrue(force_magic)) {
FileForceMagicEnable();
SCLogConfig("forcing magic lookup for logged files");
}
FileForceHashParseCfg(conf);
}
output_ctx->data = output_file_ctx;
output_ctx->DeInit = OutputFileLogDeinitSub;
FileForceTrackingEnable();
return output_ctx;
}
/** \brief initialize the configuration
* \warning Not thread safe */
void DefragInitConfig(char quiet)
{
SCLogDebug("initializing defrag engine...");
memset(&defrag_config, 0, sizeof(defrag_config));
//SC_ATOMIC_INIT(flow_flags);
SC_ATOMIC_INIT(defragtracker_counter);
SC_ATOMIC_INIT(defrag_memuse);
SC_ATOMIC_INIT(defragtracker_prune_idx);
DefragTrackerQueueInit(&defragtracker_spare_q);
/* set defaults */
defrag_config.hash_rand = (uint32_t)RandomGet();
defrag_config.hash_size = DEFRAG_DEFAULT_HASHSIZE;
defrag_config.memcap = DEFRAG_DEFAULT_MEMCAP;
defrag_config.prealloc = DEFRAG_DEFAULT_PREALLOC;
/* Check if we have memcap and hash_size defined at config */
const char *conf_val;
uint32_t configval = 0;
/** set config values for memcap, prealloc and hash_size */
if ((ConfGet("defrag.memcap", &conf_val)) == 1)
{
if (ParseSizeStringU64(conf_val, &defrag_config.memcap) < 0) {
SCLogError(SC_ERR_SIZE_PARSE, "Error parsing defrag.memcap "
"from conf file - %s. Killing engine",
conf_val);
exit(EXIT_FAILURE);
}
}
if ((ConfGet("defrag.hash-size", &conf_val)) == 1)
{
if (ByteExtractStringUint32(&configval, 10, strlen(conf_val),
conf_val) > 0) {
defrag_config.hash_size = configval;
} else {
WarnInvalidConfEntry("defrag.hash-size", "%"PRIu32, defrag_config.hash_size);
}
}
if ((ConfGet("defrag.trackers", &conf_val)) == 1)
{
if (ByteExtractStringUint32(&configval, 10, strlen(conf_val),
conf_val) > 0) {
defrag_config.prealloc = configval;
} else {
WarnInvalidConfEntry("defrag.trackers", "%"PRIu32, defrag_config.prealloc);
}
}
SCLogDebug("DefragTracker config from suricata.yaml: memcap: %"PRIu64", hash-size: "
"%"PRIu32", prealloc: %"PRIu32, defrag_config.memcap,
defrag_config.hash_size, defrag_config.prealloc);
/* alloc hash memory */
uint64_t hash_size = defrag_config.hash_size * sizeof(DefragTrackerHashRow);
if (!(DEFRAG_CHECK_MEMCAP(hash_size))) {
SCLogError(SC_ERR_DEFRAG_INIT, "allocating defrag hash failed: "
"max defrag memcap is smaller than projected hash size. "
"Memcap: %"PRIu64", Hash table size %"PRIu64". Calculate "
"total hash size by multiplying \"defrag.hash-size\" with %"PRIuMAX", "
"which is the hash bucket size.", defrag_config.memcap, hash_size,
(uintmax_t)sizeof(DefragTrackerHashRow));
exit(EXIT_FAILURE);
}
defragtracker_hash = SCCalloc(defrag_config.hash_size, sizeof(DefragTrackerHashRow));
if (unlikely(defragtracker_hash == NULL)) {
SCLogError(SC_ERR_FATAL, "Fatal error encountered in DefragTrackerInitConfig. Exiting...");
exit(EXIT_FAILURE);
}
memset(defragtracker_hash, 0, defrag_config.hash_size * sizeof(DefragTrackerHashRow));
uint32_t i = 0;
for (i = 0; i < defrag_config.hash_size; i++) {
DRLOCK_INIT(&defragtracker_hash[i]);
}
(void) SC_ATOMIC_ADD(defrag_memuse, (defrag_config.hash_size * sizeof(DefragTrackerHashRow)));
if (quiet == FALSE) {
SCLogConfig("allocated %"PRIu64" bytes of memory for the defrag hash... "
"%" PRIu32 " buckets of size %" PRIuMAX "",
SC_ATOMIC_GET(defrag_memuse), defrag_config.hash_size,
(uintmax_t)sizeof(DefragTrackerHashRow));
}
if ((ConfGet("defrag.prealloc", &conf_val)) == 1)
{
if (ConfValIsTrue(conf_val)) {
/* pre allocate defrag trackers */
for (i = 0; i < defrag_config.prealloc; i++) {
if (!(DEFRAG_CHECK_MEMCAP(sizeof(DefragTracker)))) {
SCLogError(SC_ERR_DEFRAG_INIT, "preallocating defrag trackers failed: "
"max defrag memcap reached. Memcap %"PRIu64", "
"Memuse %"PRIu64".", defrag_config.memcap,
((uint64_t)SC_ATOMIC_GET(defrag_memuse) + (uint64_t)sizeof(DefragTracker)));
exit(EXIT_FAILURE);
}
DefragTracker *h = DefragTrackerAlloc();
if (h == NULL) {
SCLogError(SC_ERR_DEFRAG_INIT, "preallocating defrag failed: %s", strerror(errno));
exit(EXIT_FAILURE);
}
DefragTrackerEnqueue(&defragtracker_spare_q,h);
}
if (quiet == FALSE) {
SCLogConfig("preallocated %" PRIu32 " defrag trackers of size %" PRIuMAX "",
defragtracker_spare_q.len, (uintmax_t)sizeof(DefragTracker));
}
}
}
if (quiet == FALSE) {
SCLogConfig("defrag memory usage: %"PRIu64" bytes, maximum: %"PRIu64,
SC_ATOMIC_GET(defrag_memuse), defrag_config.memcap);
}
return;
}
/**
* \brief Create a new LogFileCtx for "fast" output style.
* \param conf The configuration node for this output.
* \return A LogFileCtx pointer on success, NULL on failure.
*/
OutputInitResult OutputJsonInitCtx(ConfNode *conf)
{
OutputInitResult result = { NULL, false };
OutputJsonCtx *json_ctx = SCCalloc(1, sizeof(OutputJsonCtx));
if (unlikely(json_ctx == NULL)) {
SCLogDebug("could not create new OutputJsonCtx");
return result;
}
/* First lookup a sensor-name value in this outputs configuration
* node (deprecated). If that fails, lookup the global one. */
const char *sensor_name = ConfNodeLookupChildValue(conf, "sensor-name");
if (sensor_name != NULL) {
SCLogWarning(SC_ERR_DEPRECATED_CONF,
"Found deprecated eve-log setting \"sensor-name\". "
"Please set sensor-name globally.");
}
else {
(void)ConfGet("sensor-name", &sensor_name);
}
json_ctx->file_ctx = LogFileNewCtx();
if (unlikely(json_ctx->file_ctx == NULL)) {
SCLogDebug("AlertJsonInitCtx: Could not create new LogFileCtx");
SCFree(json_ctx);
return result;
}
if (sensor_name) {
json_ctx->file_ctx->sensor_name = SCStrdup(sensor_name);
if (json_ctx->file_ctx->sensor_name == NULL) {
LogFileFreeCtx(json_ctx->file_ctx);
SCFree(json_ctx);
return result;
}
} else {
json_ctx->file_ctx->sensor_name = NULL;
}
OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
if (unlikely(output_ctx == NULL)) {
LogFileFreeCtx(json_ctx->file_ctx);
SCFree(json_ctx);
return result;
}
output_ctx->data = json_ctx;
output_ctx->DeInit = OutputJsonDeInitCtx;
if (conf) {
const char *output_s = ConfNodeLookupChildValue(conf, "filetype");
// Backwards compatibility
if (output_s == NULL) {
output_s = ConfNodeLookupChildValue(conf, "type");
}
if (output_s != NULL) {
if (strcmp(output_s, "file") == 0 ||
strcmp(output_s, "regular") == 0) {
json_ctx->json_out = LOGFILE_TYPE_FILE;
} else if (strcmp(output_s, "syslog") == 0) {
json_ctx->json_out = LOGFILE_TYPE_SYSLOG;
} else if (strcmp(output_s, "unix_dgram") == 0) {
json_ctx->json_out = LOGFILE_TYPE_UNIX_DGRAM;
} else if (strcmp(output_s, "unix_stream") == 0) {
json_ctx->json_out = LOGFILE_TYPE_UNIX_STREAM;
} else if (strcmp(output_s, "redis") == 0) {
#ifdef HAVE_LIBHIREDIS
SCLogRedisInit();
json_ctx->json_out = LOGFILE_TYPE_REDIS;
#else
SCLogError(SC_ERR_INVALID_ARGUMENT,
"redis JSON output option is not compiled");
exit(EXIT_FAILURE);
#endif
} else {
SCLogError(SC_ERR_INVALID_ARGUMENT,
"Invalid JSON output option: %s", output_s);
exit(EXIT_FAILURE);
}
}
const char *prefix = ConfNodeLookupChildValue(conf, "prefix");
if (prefix != NULL)
{
SCLogInfo("Using prefix '%s' for JSON messages", prefix);
json_ctx->file_ctx->prefix = SCStrdup(prefix);
if (json_ctx->file_ctx->prefix == NULL)
{
SCLogError(SC_ERR_MEM_ALLOC,
"Failed to allocate memory for eve-log.prefix setting.");
exit(EXIT_FAILURE);
}
json_ctx->file_ctx->prefix_len = strlen(prefix);
}
if (json_ctx->json_out == LOGFILE_TYPE_FILE ||
json_ctx->json_out == LOGFILE_TYPE_UNIX_DGRAM ||
json_ctx->json_out == LOGFILE_TYPE_UNIX_STREAM)
{
if (SCConfLogOpenGeneric(conf, json_ctx->file_ctx, DEFAULT_LOG_FILENAME, 1) < 0) {
LogFileFreeCtx(json_ctx->file_ctx);
SCFree(json_ctx);
SCFree(output_ctx);
return result;
}
OutputRegisterFileRotationFlag(&json_ctx->file_ctx->rotation_flag);
}
#ifndef OS_WIN32
else if (json_ctx->json_out == LOGFILE_TYPE_SYSLOG) {
const char *facility_s = ConfNodeLookupChildValue(conf, "facility");
if (facility_s == NULL) {
facility_s = DEFAULT_ALERT_SYSLOG_FACILITY_STR;
}
int facility = SCMapEnumNameToValue(facility_s, SCSyslogGetFacilityMap());
if (facility == -1) {
SCLogWarning(SC_ERR_INVALID_ARGUMENT, "Invalid syslog facility: \"%s\","
" now using \"%s\" as syslog facility", facility_s,
DEFAULT_ALERT_SYSLOG_FACILITY_STR);
facility = DEFAULT_ALERT_SYSLOG_FACILITY;
}
const char *level_s = ConfNodeLookupChildValue(conf, "level");
if (level_s != NULL) {
int level = SCMapEnumNameToValue(level_s, SCSyslogGetLogLevelMap());
if (level != -1) {
json_ctx->file_ctx->syslog_setup.alert_syslog_level = level;
}
}
const char *ident = ConfNodeLookupChildValue(conf, "identity");
/* if null we just pass that to openlog, which will then
* figure it out by itself. */
openlog(ident, LOG_PID|LOG_NDELAY, facility);
}
#endif
#ifdef HAVE_LIBHIREDIS
else if (json_ctx->json_out == LOGFILE_TYPE_REDIS) {
ConfNode *redis_node = ConfNodeLookupChild(conf, "redis");
if (!json_ctx->file_ctx->sensor_name) {
char hostname[1024];
gethostname(hostname, 1023);
json_ctx->file_ctx->sensor_name = SCStrdup(hostname);
}
if (json_ctx->file_ctx->sensor_name == NULL) {
LogFileFreeCtx(json_ctx->file_ctx);
SCFree(json_ctx);
SCFree(output_ctx);
return result;
}
if (SCConfLogOpenRedis(redis_node, json_ctx->file_ctx) < 0) {
LogFileFreeCtx(json_ctx->file_ctx);
SCFree(json_ctx);
SCFree(output_ctx);
return result;
}
}
#endif
const char *sensor_id_s = ConfNodeLookupChildValue(conf, "sensor-id");
if (sensor_id_s != NULL) {
if (ByteExtractStringUint64((uint64_t *)&sensor_id, 10, 0, sensor_id_s) == -1) {
SCLogError(SC_ERR_INVALID_ARGUMENT,
"Failed to initialize JSON output, "
"invalid sensor-id: %s", sensor_id_s);
exit(EXIT_FAILURE);
}
}
/* Check if top-level metadata should be logged. */
const ConfNode *metadata = ConfNodeLookupChild(conf, "metadata");
if (metadata && metadata->val && ConfValIsFalse(metadata->val)) {
SCLogConfig("Disabling eve metadata logging.");
json_ctx->cfg.include_metadata = false;
} else {
json_ctx->cfg.include_metadata = true;
}
/* See if we want to enable the community id */
const ConfNode *community_id = ConfNodeLookupChild(conf, "community-id");
if (community_id && community_id->val && ConfValIsTrue(community_id->val)) {
SCLogConfig("Enabling eve community_id logging.");
json_ctx->cfg.include_community_id = true;
} else {
json_ctx->cfg.include_community_id = false;
}
const char *cid_seed = ConfNodeLookupChildValue(conf, "community-id-seed");
if (cid_seed != NULL) {
if (ByteExtractStringUint16(&json_ctx->cfg.community_id_seed,
10, 0, cid_seed) == -1)
{
SCLogError(SC_ERR_INVALID_ARGUMENT,
"Failed to initialize JSON output, "
"invalid community-id-seed: %s", cid_seed);
exit(EXIT_FAILURE);
}
}
/* Do we have a global eve xff configuration? */
const ConfNode *xff = ConfNodeLookupChild(conf, "xff");
if (xff != NULL) {
json_ctx->xff_cfg = SCCalloc(1, sizeof(HttpXFFCfg));
if (likely(json_ctx->xff_cfg != NULL)) {
HttpXFFGetCfg(conf, json_ctx->xff_cfg);
}
}
const char *pcapfile_s = ConfNodeLookupChildValue(conf, "pcap-file");
if (pcapfile_s != NULL && ConfValIsTrue(pcapfile_s)) {
json_ctx->file_ctx->is_pcap_offline =
(RunmodeGetCurrent() == RUNMODE_PCAP_FILE);
}
json_ctx->file_ctx->type = json_ctx->json_out;
}
SCLogDebug("returning output_ctx %p", output_ctx);
result.ctx = output_ctx;
result.ok = true;
return result;
}
/** \brief initialize the configuration
* \warning Not thread safe */
void IPPairInitConfig(char quiet)
{
SCLogDebug("initializing ippair engine...");
if (IPPairStorageSize() > 0)
g_ippair_size = sizeof(IPPair) + IPPairStorageSize();
memset(&ippair_config, 0, sizeof(ippair_config));
//SC_ATOMIC_INIT(flow_flags);
SC_ATOMIC_INIT(ippair_counter);
SC_ATOMIC_INIT(ippair_memuse);
SC_ATOMIC_INIT(ippair_prune_idx);
SC_ATOMIC_INIT(ippair_config.memcap);
IPPairQueueInit(&ippair_spare_q);
/* set defaults */
ippair_config.hash_rand = (uint32_t)RandomGet();
ippair_config.hash_size = IPPAIR_DEFAULT_HASHSIZE;
ippair_config.prealloc = IPPAIR_DEFAULT_PREALLOC;
SC_ATOMIC_SET(ippair_config.memcap, IPPAIR_DEFAULT_MEMCAP);
/* Check if we have memcap and hash_size defined at config */
const char *conf_val;
uint32_t configval = 0;
/** set config values for memcap, prealloc and hash_size */
uint64_t ippair_memcap;
if ((ConfGet("ippair.memcap", &conf_val)) == 1)
{
if (ParseSizeStringU64(conf_val, &ippair_memcap) < 0) {
SCLogError(SC_ERR_SIZE_PARSE, "Error parsing ippair.memcap "
"from conf file - %s. Killing engine",
conf_val);
exit(EXIT_FAILURE);
} else {
SC_ATOMIC_SET(ippair_config.memcap, ippair_memcap);
}
}
if ((ConfGet("ippair.hash-size", &conf_val)) == 1)
{
if (ByteExtractStringUint32(&configval, 10, strlen(conf_val),
conf_val) > 0) {
ippair_config.hash_size = configval;
}
}
if ((ConfGet("ippair.prealloc", &conf_val)) == 1)
{
if (ByteExtractStringUint32(&configval, 10, strlen(conf_val),
conf_val) > 0) {
ippair_config.prealloc = configval;
} else {
WarnInvalidConfEntry("ippair.prealloc", "%"PRIu32, ippair_config.prealloc);
}
}
SCLogDebug("IPPair config from suricata.yaml: memcap: %"PRIu64", hash-size: "
"%"PRIu32", prealloc: %"PRIu32, SC_ATOMIC_GET(ippair_config.memcap),
ippair_config.hash_size, ippair_config.prealloc);
/* alloc hash memory */
uint64_t hash_size = ippair_config.hash_size * sizeof(IPPairHashRow);
if (!(IPPAIR_CHECK_MEMCAP(hash_size))) {
SCLogError(SC_ERR_IPPAIR_INIT, "allocating ippair hash failed: "
"max ippair memcap is smaller than projected hash size. "
"Memcap: %"PRIu64", Hash table size %"PRIu64". Calculate "
"total hash size by multiplying \"ippair.hash-size\" with %"PRIuMAX", "
"which is the hash bucket size.", SC_ATOMIC_GET(ippair_config.memcap), hash_size,
(uintmax_t)sizeof(IPPairHashRow));
exit(EXIT_FAILURE);
}
ippair_hash = SCMallocAligned(ippair_config.hash_size * sizeof(IPPairHashRow), CLS);
if (unlikely(ippair_hash == NULL)) {
SCLogError(SC_ERR_FATAL, "Fatal error encountered in IPPairInitConfig. Exiting...");
exit(EXIT_FAILURE);
}
memset(ippair_hash, 0, ippair_config.hash_size * sizeof(IPPairHashRow));
uint32_t i = 0;
for (i = 0; i < ippair_config.hash_size; i++) {
HRLOCK_INIT(&ippair_hash[i]);
}
(void) SC_ATOMIC_ADD(ippair_memuse, (ippair_config.hash_size * sizeof(IPPairHashRow)));
if (quiet == FALSE) {
SCLogConfig("allocated %"PRIu64" bytes of memory for the ippair hash... "
"%" PRIu32 " buckets of size %" PRIuMAX "",
SC_ATOMIC_GET(ippair_memuse), ippair_config.hash_size,
(uintmax_t)sizeof(IPPairHashRow));
}
/* pre allocate ippairs */
for (i = 0; i < ippair_config.prealloc; i++) {
if (!(IPPAIR_CHECK_MEMCAP(g_ippair_size))) {
SCLogError(SC_ERR_IPPAIR_INIT, "preallocating ippairs failed: "
"max ippair memcap reached. Memcap %"PRIu64", "
"Memuse %"PRIu64".", SC_ATOMIC_GET(ippair_config.memcap),
((uint64_t)SC_ATOMIC_GET(ippair_memuse) + g_ippair_size));
exit(EXIT_FAILURE);
}
IPPair *h = IPPairAlloc();
if (h == NULL) {
SCLogError(SC_ERR_IPPAIR_INIT, "preallocating ippair failed: %s", strerror(errno));
exit(EXIT_FAILURE);
}
IPPairEnqueue(&ippair_spare_q,h);
}
if (quiet == FALSE) {
SCLogConfig("preallocated %" PRIu32 " ippairs of size %" PRIu16 "",
ippair_spare_q.len, g_ippair_size);
SCLogConfig("ippair memory usage: %"PRIu64" bytes, maximum: %"PRIu64,
SC_ATOMIC_GET(ippair_memuse), SC_ATOMIC_GET(ippair_config.memcap));
}
return;
}
