/**
* \brief Create a new LogFileCtx for "fast" output style.
* \param conf The configuration node for this output.
* \return A LogFileCtx pointer on success, NULL on failure.
*/
static OutputCtx *JsonAlertLogInitCtxSub(ConfNode *conf, OutputCtx *parent_ctx)
{
AlertJsonThread *ajt = parent_ctx->data;
OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
if (unlikely(output_ctx == NULL))
return NULL;
if (conf) {
const char *payload = ConfNodeLookupChildValue(conf, "payload");
const char *packet = ConfNodeLookupChildValue(conf, "packet");
const char *payload_printable = ConfNodeLookupChildValue(conf, "payload-printable");
if (payload_printable != NULL) {
if (ConfValIsTrue(payload_printable)) {
ajt->file_ctx->flags |= LOG_JSON_PAYLOAD;
}
}
if (payload != NULL) {
if (ConfValIsTrue(payload)) {
ajt->file_ctx->flags |= LOG_JSON_PAYLOAD_BASE64;
}
}
if (packet != NULL) {
if (ConfValIsTrue(packet)) {
ajt->file_ctx->flags |= LOG_JSON_PACKET;
}
}
}
output_ctx->data = ajt->file_ctx;
output_ctx->DeInit = JsonAlertLogDeInitCtxSub;
return output_ctx;
}
/**
* \brief Create a new LogFileCtx for "fast" output style.
* \param conf The configuration node for this output.
* \return A LogFileCtx pointer on success, NULL on failure.
*/
OutputCtx *AlertPcapInfoInitCtx(ConfNode *conf)
{
LogFileCtx *logfile_ctx = LogFileNewCtx();
if (logfile_ctx == NULL) {
SCLogDebug("AlertPcapInfoInitCtx2: Could not create new LogFileCtx");
return NULL;
}
const char *filename = ConfNodeLookupChildValue(conf, "filename");
if (filename == NULL)
filename = DEFAULT_LOG_FILENAME;
const char *mode = ConfNodeLookupChildValue(conf, "append");
if (mode == NULL)
mode = DEFAULT_PCAPINFO_MODE_APPEND;
if (AlertPcapInfoOpenFileCtx(logfile_ctx, filename, mode) < 0) {
LogFileFreeCtx(logfile_ctx);
return NULL;
}
OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
if (unlikely(output_ctx == NULL))
return NULL;
output_ctx->data = logfile_ctx;
output_ctx->DeInit = AlertPcapInfoDeInitCtx;
SCLogInfo("Fast log output initialized, filename: %s", filename);
return output_ctx;
}
/** \brief Create a new LogFileCtx for unified alert logging.
* \param conf The ConfNode for this output.
* \return NULL if failure, LogFileCtx* to the file_ctx if succesful
* */
OutputCtx *AlertUnifiedAlertInitCtx(ConfNode *conf)
{
int ret = 0;
LogFileCtx *file_ctx = NULL;
file_ctx = LogFileNewCtx();
if (file_ctx == NULL) {
SCLogError(SC_ERR_UNIFIED_ALERT_GENERIC, "Couldn't create new file_ctx");
goto error;
}
const char *filename = NULL;
if (conf != NULL)
filename = ConfNodeLookupChildValue(conf, "filename");
if (filename == NULL)
filename = DEFAULT_LOG_FILENAME;
file_ctx->prefix = SCStrdup(filename);
const char *s_limit = NULL;
uint32_t limit = DEFAULT_LIMIT;
if (conf != NULL) {
s_limit = ConfNodeLookupChildValue(conf, "limit");
if (s_limit != NULL) {
if (ByteExtractStringUint32(&limit, 10, 0, s_limit) == -1) {
SCLogError(SC_ERR_INVALID_ARGUMENT,
"Fail to initialize unified alert output, invalid limit: %s",
s_limit);
exit(EXIT_FAILURE);
}
if (limit < MIN_LIMIT) {
SCLogError(SC_ERR_INVALID_ARGUMENT,
"Fail to initialize unified alert output, limit less than "
"allowed minimum: %d.", MIN_LIMIT);
exit(EXIT_FAILURE);
}
}
}
file_ctx->size_limit = limit * 1024 * 1024;
ret = AlertUnifiedAlertOpenFileCtx(file_ctx, filename);
if (ret < 0)
goto error;
OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
if (output_ctx == NULL)
goto error;
output_ctx->data = file_ctx;
output_ctx->DeInit = AlertUnifiedAlertDeInitCtx;
SCLogInfo("Unified-alert initialized: filename %s, limit %"PRIu32" MB",
filename, limit);
return output_ctx;
error:
if (file_ctx != NULL) {
LogFileFreeCtx(file_ctx);
}
return NULL;
}
void SCProfilingKeywordsGlobalInit(void) {
ConfNode *conf;
conf = ConfGetNode("profiling.keywords");
if (conf != NULL) {
if (ConfNodeChildValueIsTrue(conf, "enabled")) {
profiling_keyword_enabled = 1;
const char *filename = ConfNodeLookupChildValue(conf, "filename");
if (filename != NULL) {
char *log_dir;
log_dir = ConfigGetLogDirectory();
profiling_file_name = SCMalloc(PATH_MAX);
if (unlikely(profiling_file_name == NULL)) {
SCLogError(SC_ERR_MEM_ALLOC, "can't duplicate file name");
exit(EXIT_FAILURE);
}
snprintf(profiling_file_name, PATH_MAX, "%s/%s", log_dir, filename);
const char *v = ConfNodeLookupChildValue(conf, "append");
if (v == NULL || ConfValIsTrue(v)) {
profiling_file_mode = "a";
} else {
profiling_file_mode = "w";
}
profiling_keywords_output_to_file = 1;
}
}
}
}
static OutputInitResult JsonDropLogInitCtx(ConfNode *conf)
{
OutputInitResult result = { NULL, false };
if (OutputDropLoggerEnable() != 0) {
SCLogError(SC_ERR_CONF_YAML_ERROR, "only one 'drop' logger "
"can be enabled");
return result;
}
JsonDropOutputCtx *drop_ctx = SCCalloc(1, sizeof(*drop_ctx));
if (drop_ctx == NULL)
return result;
drop_ctx->file_ctx = LogFileNewCtx();
if (drop_ctx->file_ctx == NULL) {
JsonDropOutputCtxFree(drop_ctx);
return result;
}
if (SCConfLogOpenGeneric(conf, drop_ctx->file_ctx, DEFAULT_LOG_FILENAME, 1) < 0) {
JsonDropOutputCtxFree(drop_ctx);
return result;
}
OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
if (unlikely(output_ctx == NULL)) {
JsonDropOutputCtxFree(drop_ctx);
return result;
}
if (conf) {
const char *extended = ConfNodeLookupChildValue(conf, "alerts");
if (extended != NULL) {
if (ConfValIsTrue(extended)) {
drop_ctx->flags = LOG_DROP_ALERTS;
}
}
extended = ConfNodeLookupChildValue(conf, "flows");
if (extended != NULL) {
if (strcasecmp(extended, "start") == 0) {
g_droplog_flows_start = 1;
} else if (strcasecmp(extended, "all") == 0) {
g_droplog_flows_start = 0;
} else {
SCLogWarning(SC_ERR_CONF_YAML_ERROR, "valid options for "
"'flow' are 'start' and 'all'");
}
}
}
output_ctx->data = drop_ctx;
output_ctx->DeInit = JsonDropLogDeInitCtx;
result.ctx = output_ctx;
result.ok = true;
return result;
}
/** \brief Create a new http log LogFileCtx.
* \param conf Pointer to ConfNode containing this loggers configuration.
* \return NULL if failure, LogFileCtx* to the file_ctx if succesful
* */
OutputCtx *LogStatsLogInitCtx(ConfNode *conf)
{
LogFileCtx *file_ctx = LogFileNewCtx();
if (file_ctx == NULL) {
SCLogError(SC_ERR_HTTP_LOG_GENERIC, "couldn't create new file_ctx");
return NULL;
}
if (SCConfLogOpenGeneric(conf, file_ctx, DEFAULT_LOG_FILENAME, 1) < 0) {
LogFileFreeCtx(file_ctx);
return NULL;
}
LogStatsFileCtx *statslog_ctx = SCMalloc(sizeof(LogStatsFileCtx));
if (unlikely(statslog_ctx == NULL)) {
LogFileFreeCtx(file_ctx);
return NULL;
}
memset(statslog_ctx, 0x00, sizeof(LogStatsFileCtx));
statslog_ctx->flags = LOG_STATS_TOTALS;
if (conf != NULL) {
const char *totals = ConfNodeLookupChildValue(conf, "totals");
const char *threads = ConfNodeLookupChildValue(conf, "threads");
const char *nulls = ConfNodeLookupChildValue(conf, "null-values");
SCLogDebug("totals %s threads %s", totals, threads);
if (totals != NULL && ConfValIsFalse(totals)) {
statslog_ctx->flags &= ~LOG_STATS_TOTALS;
}
if (threads != NULL && ConfValIsTrue(threads)) {
statslog_ctx->flags |= LOG_STATS_THREADS;
}
if (nulls != NULL && ConfValIsTrue(nulls)) {
statslog_ctx->flags |= LOG_STATS_NULLS;
}
SCLogDebug("statslog_ctx->flags %08x", statslog_ctx->flags);
}
statslog_ctx->file_ctx = file_ctx;
OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
if (unlikely(output_ctx == NULL)) {
LogFileFreeCtx(file_ctx);
SCFree(statslog_ctx);
return NULL;
}
output_ctx->data = statslog_ctx;
output_ctx->DeInit = LogStatsLogDeInitCtx;
SCLogDebug("STATS log output initialized");
return output_ctx;
}
/** \brief Create a new http log LogFilestoreCtx.
* \param conf Pointer to ConfNode containing this loggers configuration.
* \return NULL if failure, LogFilestoreCtx* to the file_ctx if succesful
* */
static OutputCtx *LogFilestoreLogInitCtx(ConfNode *conf)
{
LogFileCtx *logfile_ctx = LogFileNewCtx();
if (logfile_ctx == NULL) {
SCLogDebug("Could not create new LogFilestoreCtx");
return NULL;
}
OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
if (unlikely(output_ctx == NULL))
return NULL;
output_ctx->data = NULL;
output_ctx->DeInit = LogFilestoreLogDeInitCtx;
char *s_default_log_dir = NULL;
s_default_log_dir = ConfigGetLogDirectory();
const char *s_base_dir = NULL;
s_base_dir = ConfNodeLookupChildValue(conf, "log-dir");
if (s_base_dir == NULL || strlen(s_base_dir) == 0) {
strlcpy(g_logfile_base_dir,
s_default_log_dir, sizeof(g_logfile_base_dir));
} else {
if (PathIsAbsolute(s_base_dir)) {
strlcpy(g_logfile_base_dir,
s_base_dir, sizeof(g_logfile_base_dir));
} else {
snprintf(g_logfile_base_dir, sizeof(g_logfile_base_dir),
"%s/%s", s_default_log_dir, s_base_dir);
}
}
const char *force_magic = ConfNodeLookupChildValue(conf, "force-magic");
if (force_magic != NULL && ConfValIsTrue(force_magic)) {
FileForceMagicEnable();
SCLogInfo("forcing magic lookup for stored files");
}
const char *force_md5 = ConfNodeLookupChildValue(conf, "force-md5");
if (force_md5 != NULL && ConfValIsTrue(force_md5)) {
#ifdef HAVE_NSS
FileForceMd5Enable();
SCLogInfo("forcing md5 calculation for stored files");
#else
SCLogInfo("md5 calculation requires linking against libnss");
#endif
}
SCLogInfo("storing files in %s", g_logfile_base_dir);
SCReturnPtr(output_ctx, "OutputCtx");
}
OutputCtx *OutputStatsLogInit(ConfNode *conf)
{
LogFileCtx *file_ctx = LogFileNewCtx();
if(file_ctx == NULL) {
SCLogError(SC_ERR_STATS_LOG_GENERIC, "couldn't create new file_ctx");
return NULL;
}
if (SCConfLogOpenGeneric(conf, file_ctx, DEFAULT_LOG_FILENAME, 1) < 0) {
LogFileFreeCtx(file_ctx);
return NULL;
}
OutputStatsCtx *stats_ctx = SCMalloc(sizeof(OutputStatsCtx));
if (unlikely(stats_ctx == NULL)) {
LogFileFreeCtx(file_ctx);
return NULL;
}
stats_ctx->flags = JSON_STATS_TOTALS;
if (conf != NULL) {
const char *totals = ConfNodeLookupChildValue(conf, "totals");
const char *threads = ConfNodeLookupChildValue(conf, "threads");
const char *deltas = ConfNodeLookupChildValue(conf, "deltas");
SCLogDebug("totals %s threads %s deltas %s", totals, threads, deltas);
if (totals != NULL && ConfValIsFalse(totals)) {
stats_ctx->flags &= ~JSON_STATS_TOTALS;
}
if (threads != NULL && ConfValIsTrue(threads)) {
stats_ctx->flags |= JSON_STATS_THREADS;
}
if (deltas != NULL && ConfValIsTrue(deltas)) {
stats_ctx->flags |= JSON_STATS_DELTAS;
}
SCLogDebug("stats_ctx->flags %08x", stats_ctx->flags);
}
OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
if (unlikely(output_ctx == NULL)) {
LogFileFreeCtx(file_ctx);
SCFree(stats_ctx);
return NULL;
}
stats_ctx->file_ctx = file_ctx;
output_ctx->data = stats_ctx;
output_ctx->DeInit = OutputStatsLogDeinit;
return output_ctx;
}
/**
* \brief Create a new LogFileCtx for "syslog" output style.
*
* \param conf The configuration node for this output.
* \return A OutputCtx pointer on success, NULL on failure.
*/
OutputCtx *AlertSyslogInitCtx(ConfNode *conf)
{
const char *facility_s = ConfNodeLookupChildValue(conf, "facility");
if (facility_s == NULL) {
facility_s = DEFAULT_ALERT_SYSLOG_FACILITY_STR;
}
LogFileCtx *logfile_ctx = LogFileNewCtx();
if (logfile_ctx == NULL) {
SCLogDebug("AlertSyslogInitCtx: Could not create new LogFileCtx");
return NULL;
}
int facility = SCMapEnumNameToValue(facility_s, SCSyslogGetFacilityMap());
if (facility == -1) {
SCLogWarning(SC_ERR_INVALID_ARGUMENT, "Invalid syslog facility: \"%s\","
" now using \"%s\" as syslog facility", facility_s,
DEFAULT_ALERT_SYSLOG_FACILITY_STR);
facility = DEFAULT_ALERT_SYSLOG_FACILITY;
}
const char *level_s = ConfNodeLookupChildValue(conf, "level");
if (level_s != NULL) {
int level = SCMapEnumNameToValue(level_s, SCSyslogGetLogLevelMap());
if (level != -1) {
alert_syslog_level = level;
}
}
const char *ident = ConfNodeLookupChildValue(conf, "identity");
/* if null we just pass that to openlog, which will then
* figure it out by itself. */
openlog(ident, LOG_PID|LOG_NDELAY, facility);
OutputCtx *output_ctx = SCMalloc(sizeof(OutputCtx));
if (unlikely(output_ctx == NULL)) {
SCLogDebug("AlertSyslogInitCtx: Could not create new OutputCtx");
return NULL;
}
memset(output_ctx, 0x00, sizeof(OutputCtx));
output_ctx->data = logfile_ctx;
output_ctx->DeInit = AlertSyslogDeInitCtx;
SCLogInfo("Syslog output initialized");
return output_ctx;
}
OutputCtx *OutputStatsLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
{
AlertJsonThread *ajt = parent_ctx->data;
OutputStatsCtx *stats_ctx = SCMalloc(sizeof(OutputStatsCtx));
if (unlikely(stats_ctx == NULL))
return NULL;
stats_ctx->flags = JSON_STATS_TOTALS;
if (conf != NULL) {
const char *totals = ConfNodeLookupChildValue(conf, "totals");
const char *threads = ConfNodeLookupChildValue(conf, "threads");
const char *deltas = ConfNodeLookupChildValue(conf, "deltas");
SCLogDebug("totals %s threads %s deltas %s", totals, threads, deltas);
if ((totals != NULL && ConfValIsFalse(totals)) &&
(threads != NULL && ConfValIsFalse(threads))) {
SCFree(stats_ctx);
SCLogError(SC_ERR_JSON_STATS_LOG_NEGATED,
"Cannot disable both totals and threads in stats logging");
return NULL;
}
if (totals != NULL && ConfValIsFalse(totals)) {
stats_ctx->flags &= ~JSON_STATS_TOTALS;
}
if (threads != NULL && ConfValIsTrue(threads)) {
stats_ctx->flags |= JSON_STATS_THREADS;
}
if (deltas != NULL && ConfValIsTrue(deltas)) {
stats_ctx->flags |= JSON_STATS_DELTAS;
}
SCLogDebug("stats_ctx->flags %08x", stats_ctx->flags);
}
OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
if (unlikely(output_ctx == NULL)) {
SCFree(stats_ctx);
return NULL;
}
stats_ctx->file_ctx = ajt->file_ctx;
output_ctx->data = stats_ctx;
output_ctx->DeInit = OutputStatsLogDeinitSub;
return output_ctx;
}
OutputCtx *OutputTlsLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
{
OutputJsonCtx *ojc = parent_ctx->data;
OutputTlsCtx *tls_ctx = SCMalloc(sizeof(OutputTlsCtx));
if (unlikely(tls_ctx == NULL))
return NULL;
OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
if (unlikely(output_ctx == NULL)) {
SCFree(tls_ctx);
return NULL;
}
tls_ctx->file_ctx = ojc->file_ctx;
tls_ctx->flags = LOG_TLS_DEFAULT;
if (conf) {
const char *extended = ConfNodeLookupChildValue(conf, "extended");
if (extended != NULL) {
if (ConfValIsTrue(extended)) {
tls_ctx->flags = LOG_TLS_EXTENDED;
}
}
}
output_ctx->data = tls_ctx;
output_ctx->DeInit = OutputTlsLogDeinitSub;
AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_TLS);
return output_ctx;
}
OutputCtx *OutputHttpLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
{
AlertJsonThread *ajt = parent_ctx->data;
LogHttpFileCtx *http_ctx = SCMalloc(sizeof(LogHttpFileCtx));
if (unlikely(http_ctx == NULL))
return NULL;
OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
if (unlikely(output_ctx == NULL)) {
SCFree(http_ctx);
return NULL;
}
http_ctx->file_ctx = ajt->file_ctx;
http_ctx->flags = LOG_HTTP_DEFAULT;
if (conf) {
const char *extended = ConfNodeLookupChildValue(conf, "extended");
if (extended != NULL) {
if (ConfValIsTrue(extended)) {
http_ctx->flags = LOG_HTTP_EXTENDED;
}
}
}
output_ctx->data = http_ctx;
output_ctx->DeInit = NULL;
/* enable the logger for the app layer */
AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_HTTP);
return output_ctx;
}
static OutputCtx *JsonDropLogInitCtxSub(ConfNode *conf, OutputCtx *parent_ctx)
{
if (OutputDropLoggerEnable() != 0) {
SCLogError(SC_ERR_CONF_YAML_ERROR, "only one 'drop' logger "
"can be enabled");
return NULL;
}
AlertJsonThread *ajt = parent_ctx->data;
JsonDropOutputCtx *drop_ctx = SCCalloc(1, sizeof(*drop_ctx));
if (drop_ctx == NULL)
return NULL;
OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
if (unlikely(output_ctx == NULL)) {
JsonDropOutputCtxFree(drop_ctx);
return NULL;
}
if (conf) {
const char *extended = ConfNodeLookupChildValue(conf, "alerts");
if (extended != NULL) {
if (ConfValIsTrue(extended)) {
drop_ctx->flags = LOG_DROP_ALERTS;
}
}
}
drop_ctx->file_ctx = ajt->file_ctx;
output_ctx->data = drop_ctx;
output_ctx->DeInit = JsonDropLogDeInitCtxSub;
return output_ctx;
}
/** \brief Create a new http log LogFileCtx.
* \param conf Pointer to ConfNode containing this loggers configuration.
* \return NULL if failure, LogFileCtx* to the file_ctx if succesful
* */
OutputCtx *OutputFileLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
{
OutputJsonCtx *ojc = parent_ctx->data;
OutputFileCtx *output_file_ctx = SCMalloc(sizeof(OutputFileCtx));
if (unlikely(output_file_ctx == NULL))
return NULL;
OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
if (unlikely(output_ctx == NULL)) {
SCFree(output_file_ctx);
return NULL;
}
output_file_ctx->file_ctx = ojc->file_ctx;
if (conf) {
const char *force_filestore = ConfNodeLookupChildValue(conf, "force-filestore");
if (force_filestore != NULL && ConfValIsTrue(force_filestore)) {
FileForceFilestoreEnable();
SCLogInfo("forcing filestore of all files");
}
const char *force_magic = ConfNodeLookupChildValue(conf, "force-magic");
if (force_magic != NULL && ConfValIsTrue(force_magic)) {
FileForceMagicEnable();
SCLogInfo("forcing magic lookup for logged files");
}
const char *force_md5 = ConfNodeLookupChildValue(conf, "force-md5");
if (force_md5 != NULL && ConfValIsTrue(force_md5)) {
#ifdef HAVE_NSS
FileForceMd5Enable();
SCLogInfo("forcing md5 calculation for logged files");
#else
SCLogInfo("md5 calculation requires linking against libnss");
#endif
}
}
output_ctx->data = output_file_ctx;
output_ctx->DeInit = OutputFileLogDeinitSub;
FileForceTrackingEnable();
return output_ctx;
}
/** \brief Create a new http log LogFileCtx.
* \param conf Pointer to ConfNode containing this loggers configuration.
* \return NULL if failure, LogFileCtx* to the file_ctx if succesful
* */
static OutputCtx *LogFileLogInitCtx(ConfNode *conf)
{
LogFileCtx *logfile_ctx = LogFileNewCtx();
if (logfile_ctx == NULL) {
SCLogDebug("Could not create new LogFileCtx");
return NULL;
}
if (SCConfLogOpenGeneric(conf, logfile_ctx, DEFAULT_LOG_FILENAME, 1) < 0) {
LogFileFreeCtx(logfile_ctx);
return NULL;
}
OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
if (unlikely(output_ctx == NULL))
return NULL;
output_ctx->data = logfile_ctx;
output_ctx->DeInit = LogFileLogDeInitCtx;
const char *force_filestore = ConfNodeLookupChildValue(conf, "force-filestore");
if (force_filestore != NULL && ConfValIsTrue(force_filestore)) {
FileForceFilestoreEnable();
SCLogInfo("forcing filestore of all files");
}
const char *force_magic = ConfNodeLookupChildValue(conf, "force-magic");
if (force_magic != NULL && ConfValIsTrue(force_magic)) {
FileForceMagicEnable();
SCLogInfo("forcing magic lookup for logged files");
}
const char *force_md5 = ConfNodeLookupChildValue(conf, "force-md5");
if (force_md5 != NULL && ConfValIsTrue(force_md5)) {
#ifdef HAVE_NSS
FileForceMd5Enable();
SCLogInfo("forcing md5 calculation for logged files");
#else
SCLogInfo("md5 calculation requires linking against libnss");
#endif
}
FileForceTrackingEnable();
SCReturnPtr(output_ctx, "OutputCtx");
}
/**
* \brief Sets up the rule analyzer according to the config
* \retval 1 if rule analyzer successfully enabled
* \retval 0 if not enabled
*/
int SetupRuleAnalyzer(void)
{
ConfNode *conf = ConfGetNode("engine-analysis");
int enabled = 0;
if (conf != NULL) {
const char *value = ConfNodeLookupChildValue(conf, "rules");
if (value && ConfValIsTrue(value)) {
enabled = 1;
} else if (value && strcasecmp(value, "warnings-only") == 0) {
enabled = 1;
rule_warnings_only = 1;
}
if (enabled) {
char *log_dir;
log_dir = ConfigGetLogDirectory();
snprintf(log_path, sizeof(log_path), "%s/%s", log_dir, "rules_analysis.txt");
rule_engine_analysis_FD = fopen(log_path, "w");
if (rule_engine_analysis_FD == NULL) {
SCLogError(SC_ERR_FOPEN, "failed to open %s: %s", log_path, strerror(errno));
return 0;
}
SCLogInfo("Engine-Analysis for rules printed to file - %s",
log_path);
struct timeval tval;
struct tm *tms;
gettimeofday(&tval, NULL);
struct tm local_tm;
tms = SCLocalTime(tval.tv_sec, &local_tm);
fprintf(rule_engine_analysis_FD, "----------------------------------------------"
"---------------------\n");
fprintf(rule_engine_analysis_FD, "Date: %" PRId32 "/%" PRId32 "/%04d -- "
"%02d:%02d:%02d\n",
tms->tm_mday, tms->tm_mon + 1, tms->tm_year + 1900, tms->tm_hour,
tms->tm_min, tms->tm_sec);
fprintf(rule_engine_analysis_FD, "----------------------------------------------"
"---------------------\n");
/*compile regex's for rule analysis*/
if (PerCentEncodingSetup()== 0) {
fprintf(rule_engine_analysis_FD, "Error compiling regex; can't check for percent encoding in normalized http content.\n");
}
}
}
else {
SCLogInfo("Conf parameter \"engine-analysis.rules\" not found. "
"Defaulting to not printing the rules analysis report.");
}
if (!enabled) {
SCLogInfo("Engine-Analysis for rules disabled in conf file.");
return 0;
}
return 1;
}
/**
* \brief Create a new LogFileCtx for alert debug logging.
*
* \param ConfNode containing configuration for this logger.
*
* \return output_ctx if succesful, NULL otherwise
*/
OutputCtx *AlertDebugLogInitCtx(ConfNode *conf)
{
int ret = 0;
LogFileCtx *file_ctx = NULL;
file_ctx = LogFileNewCtx();
if(file_ctx == NULL) {
SCLogDebug("couldn't create new file_ctx");
goto error;
}
const char *filename = ConfNodeLookupChildValue(conf, "filename");
if (filename == NULL)
filename = DEFAULT_LOG_FILENAME;
const char *mode = ConfNodeLookupChildValue(conf, "append");
if (mode == NULL)
mode = DEFAULT_LOG_MODE_APPEND;
/** fill the new LogFileCtx with the specific AlertDebugLog configuration */
ret = AlertDebugLogOpenFileCtx(file_ctx, filename, mode);
if(ret < 0)
goto error;
OutputCtx *output_ctx = SCMalloc(sizeof(OutputCtx));
if (output_ctx == NULL)
goto error;
memset(output_ctx, 0x00, sizeof(OutputCtx));
output_ctx->data = file_ctx;
output_ctx->DeInit = AlertDebugLogDeInitCtx;
return output_ctx;
error:
if (file_ctx != NULL) {
LogFileFreeCtx(file_ctx);
}
return NULL;
}
/** \brief Create a new tls log LogFileCtx.
* \param conf Pointer to ConfNode containing this loggers configuration.
* \return NULL if failure, LogFileCtx* to the file_ctx if succesful
* */
static OutputCtx *LogTlsLogInitCtx(ConfNode *conf)
{
if (OutputTlsLoggerEnable() != 0) {
SCLogError(SC_ERR_CONF_YAML_ERROR, "only one 'tls' logger "
"can be enabled");
return NULL;
}
LogFileCtx* file_ctx = LogFileNewCtx();
if (file_ctx == NULL) {
SCLogError(SC_ERR_TLS_LOG_GENERIC, "LogTlsLogInitCtx: Couldn't "
"create new file_ctx");
return NULL;
}
if (SCConfLogOpenGeneric(conf, file_ctx, DEFAULT_LOG_FILENAME, 1) < 0) {
goto filectx_error;
}
LogTlsFileCtx *tlslog_ctx = SCCalloc(1, sizeof(LogTlsFileCtx));
if (unlikely(tlslog_ctx == NULL))
goto filectx_error;
tlslog_ctx->file_ctx = file_ctx;
const char *extended = ConfNodeLookupChildValue(conf, "extended");
if (extended == NULL) {
tlslog_ctx->flags |= LOG_TLS_DEFAULT;
} else {
if (ConfValIsTrue(extended)) {
tlslog_ctx->flags |= LOG_TLS_EXTENDED;
}
}
OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
if (unlikely(output_ctx == NULL))
goto tlslog_error;
output_ctx->data = tlslog_ctx;
output_ctx->DeInit = LogTlsLogDeInitCtx;
SCLogDebug("TLS log output initialized");
/* enable the logger for the app layer */
AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_TLS);
return output_ctx;
tlslog_error:
SCFree(tlslog_ctx);
filectx_error:
LogFileFreeCtx(file_ctx);
return NULL;
}
/** \brief Create a new http log LogFileCtx.
* \param conf Pointer to ConfNode containing this loggers configuration.
* \return NULL if failure, LogFileCtx* to the file_ctx if succesful
* */
static OutputCtx *OutputFileLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
{
OutputJsonCtx *ojc = parent_ctx->data;
OutputFileCtx *output_file_ctx = SCMalloc(sizeof(OutputFileCtx));
if (unlikely(output_file_ctx == NULL))
return NULL;
OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
if (unlikely(output_ctx == NULL)) {
SCFree(output_file_ctx);
return NULL;
}
output_file_ctx->file_ctx = ojc->file_ctx;
if (conf) {
const char *force_filestore = ConfNodeLookupChildValue(conf, "force-filestore");
if (force_filestore != NULL && ConfValIsTrue(force_filestore)) {
FileForceFilestoreEnable();
SCLogConfig("forcing filestore of all files");
}
const char *force_magic = ConfNodeLookupChildValue(conf, "force-magic");
if (force_magic != NULL && ConfValIsTrue(force_magic)) {
FileForceMagicEnable();
SCLogConfig("forcing magic lookup for logged files");
}
FileForceHashParseCfg(conf);
}
output_ctx->data = output_file_ctx;
output_ctx->DeInit = OutputFileLogDeinitSub;
FileForceTrackingEnable();
return output_ctx;
}
OutputCtx *OutputTlsLogInit(ConfNode *conf)
{
if (OutputTlsLoggerEnable() != 0) {
SCLogError(SC_ERR_CONF_YAML_ERROR, "only one 'tls' logger "
"can be enabled");
return NULL;
}
LogFileCtx *file_ctx = LogFileNewCtx();
if(file_ctx == NULL) {
SCLogError(SC_ERR_HTTP_LOG_GENERIC, "couldn't create new file_ctx");
return NULL;
}
if (SCConfLogOpenGeneric(conf, file_ctx, DEFAULT_LOG_FILENAME) < 0) {
LogFileFreeCtx(file_ctx);
return NULL;
}
OutputTlsCtx *tls_ctx = SCMalloc(sizeof(OutputTlsCtx));
if (unlikely(tls_ctx == NULL)) {
LogFileFreeCtx(file_ctx);
return NULL;
}
OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
if (unlikely(output_ctx == NULL)) {
LogFileFreeCtx(file_ctx);
SCFree(tls_ctx);
return NULL;
}
tls_ctx->file_ctx = file_ctx;
tls_ctx->flags = LOG_TLS_DEFAULT;
if (conf) {
const char *extended = ConfNodeLookupChildValue(conf, "extended");
if (extended != NULL) {
if (ConfValIsTrue(extended)) {
tls_ctx->flags = LOG_TLS_EXTENDED;
}
}
}
output_ctx->data = tls_ctx;
output_ctx->DeInit = OutputTlsLogDeinit;
return output_ctx;
}
OutputCtx *OutputHttpLogInit(ConfNode *conf)
{
LogFileCtx *file_ctx = LogFileNewCtx();
if(file_ctx == NULL) {
SCLogError(SC_ERR_HTTP_LOG_GENERIC, "couldn't create new file_ctx");
return NULL;
}
if (SCConfLogOpenGeneric(conf, file_ctx, DEFAULT_LOG_FILENAME) < 0) {
LogFileFreeCtx(file_ctx);
return NULL;
}
LogHttpFileCtx *http_ctx = SCMalloc(sizeof(LogHttpFileCtx));
if (unlikely(http_ctx == NULL)) {
LogFileFreeCtx(file_ctx);
return NULL;
}
OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
if (unlikely(output_ctx == NULL)) {
LogFileFreeCtx(file_ctx);
SCFree(http_ctx);
return NULL;
}
http_ctx->file_ctx = file_ctx;
http_ctx->flags = LOG_HTTP_DEFAULT;
if (conf) {
const char *extended = ConfNodeLookupChildValue(conf, "extended");
if (extended != NULL) {
if (ConfValIsTrue(extended)) {
http_ctx->flags = LOG_HTTP_EXTENDED;
}
}
}
output_ctx->data = http_ctx;
output_ctx->DeInit = NULL;
/* enable the logger for the app layer */
AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_HTTP);
return output_ctx;
}
OutputCtx *OutputTlsLogInit(ConfNode *conf)
{
LogFileCtx *file_ctx = LogFileNewCtx();
if(file_ctx == NULL) {
SCLogError(SC_ERR_TLS_LOG_GENERIC, "couldn't create new file_ctx");
return NULL;
}
if (SCConfLogOpenGeneric(conf, file_ctx, DEFAULT_LOG_FILENAME, 1) < 0) {
LogFileFreeCtx(file_ctx);
return NULL;
}
OutputTlsCtx *tls_ctx = SCMalloc(sizeof(OutputTlsCtx));
if (unlikely(tls_ctx == NULL)) {
LogFileFreeCtx(file_ctx);
return NULL;
}
OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
if (unlikely(output_ctx == NULL)) {
LogFileFreeCtx(file_ctx);
SCFree(tls_ctx);
return NULL;
}
tls_ctx->file_ctx = file_ctx;
tls_ctx->flags = LOG_TLS_DEFAULT;
if (conf) {
const char *extended = ConfNodeLookupChildValue(conf, "extended");
if (extended != NULL) {
if (ConfValIsTrue(extended)) {
tls_ctx->flags = LOG_TLS_EXTENDED;
}
}
}
output_ctx->data = tls_ctx;
output_ctx->DeInit = OutputTlsLogDeinit;
AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_TLS);
return output_ctx;
}
static OutputCtx *JsonDropLogInitCtx(ConfNode *conf)
{
if (OutputDropLoggerEnable() != 0) {
SCLogError(SC_ERR_CONF_YAML_ERROR, "only one 'drop' logger "
"can be enabled");
return NULL;
}
JsonDropOutputCtx *drop_ctx = SCCalloc(1, sizeof(*drop_ctx));
if (drop_ctx == NULL)
return NULL;
drop_ctx->file_ctx = LogFileNewCtx();
if (drop_ctx->file_ctx == NULL) {
JsonDropOutputCtxFree(drop_ctx);
return NULL;
}
if (SCConfLogOpenGeneric(conf, drop_ctx->file_ctx, DEFAULT_LOG_FILENAME, 1) < 0) {
JsonDropOutputCtxFree(drop_ctx);
return NULL;
}
OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
if (unlikely(output_ctx == NULL)) {
JsonDropOutputCtxFree(drop_ctx);
return NULL;
}
if (conf) {
const char *extended = ConfNodeLookupChildValue(conf, "alerts");
if (extended != NULL) {
if (ConfValIsTrue(extended)) {
drop_ctx->flags = LOG_DROP_ALERTS;
}
}
}
output_ctx->data = drop_ctx;
output_ctx->DeInit = JsonDropLogDeInitCtx;
return output_ctx;
}
OutputCtx *OutputTlsLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
{
AlertJsonThread *ajt = parent_ctx->data;
if (OutputTlsLoggerEnable() != 0) {
SCLogError(SC_ERR_CONF_YAML_ERROR, "only one 'tls' logger "
"can be enabled");
return NULL;
}
OutputTlsCtx *tls_ctx = SCMalloc(sizeof(OutputTlsCtx));
if (unlikely(tls_ctx == NULL))
return NULL;
OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
if (unlikely(output_ctx == NULL)) {
SCFree(tls_ctx);
return NULL;
}
tls_ctx->file_ctx = ajt->file_ctx;
tls_ctx->flags = LOG_TLS_DEFAULT;
if (conf) {
const char *extended = ConfNodeLookupChildValue(conf, "extended");
if (extended != NULL) {
if (ConfValIsTrue(extended)) {
tls_ctx->flags = LOG_TLS_EXTENDED;
}
}
}
output_ctx->data = tls_ctx;
output_ctx->DeInit = OutputTlsLogDeinitSub;
return output_ctx;
}
/**
* \brief Create a new LogFileCtx for "fast" output style.
* \param conf The configuration node for this output.
* \return A LogFileCtx pointer on success, NULL on failure.
*/
OutputCtx *OutputJsonInitCtx(ConfNode *conf)
{
OutputJsonCtx *json_ctx = SCCalloc(1, sizeof(OutputJsonCtx));;
if (unlikely(json_ctx == NULL)) {
SCLogDebug("AlertJsonInitCtx: Could not create new LogFileCtx");
return NULL;
}
json_ctx->file_ctx = LogFileNewCtx();
if (unlikely(json_ctx->file_ctx == NULL)) {
SCLogDebug("AlertJsonInitCtx: Could not create new LogFileCtx");
SCFree(json_ctx);
return NULL;
}
OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
if (unlikely(output_ctx == NULL)) {
LogFileFreeCtx(json_ctx->file_ctx);
SCFree(json_ctx);
return NULL;
}
output_ctx->data = json_ctx;
output_ctx->DeInit = OutputJsonDeInitCtx;
if (conf) {
const char *output_s = ConfNodeLookupChildValue(conf, "type");
if (output_s != NULL) {
if (strcmp(output_s, "file") == 0) {
json_ctx->json_out = ALERT_FILE;
} else if (strcmp(output_s, "syslog") == 0) {
json_ctx->json_out = ALERT_SYSLOG;
} else if (strcmp(output_s, "unix_dgram") == 0) {
json_ctx->json_out = ALERT_UNIX_DGRAM;
} else if (strcmp(output_s, "unix_stream") == 0) {
json_ctx->json_out = ALERT_UNIX_STREAM;
} else {
SCLogError(SC_ERR_INVALID_ARGUMENT,
"Invalid JSON output option: %s", output_s);
exit(EXIT_FAILURE);
}
}
if (json_ctx->json_out == ALERT_FILE) {
if (SCConfLogOpenGeneric(conf, json_ctx->file_ctx, DEFAULT_LOG_FILENAME) < 0) {
LogFileFreeCtx(json_ctx->file_ctx);
SCFree(json_ctx);
SCFree(output_ctx);
return NULL;
}
const char *format_s = ConfNodeLookupChildValue(conf, "format");
if (format_s != NULL) {
if (strcmp(format_s, "indent") == 0) {
json_ctx->format = INDENT;
} else if (strcmp(format_s, "compact") == 0) {
json_ctx->format = COMPACT;
} else {
SCLogError(SC_ERR_INVALID_ARGUMENT,
"Invalid JSON format option: %s", format_s);
exit(EXIT_FAILURE);
}
}
} else if (json_out == ALERT_SYSLOG) {
const char *facility_s = ConfNodeLookupChildValue(conf, "facility");
if (facility_s == NULL) {
facility_s = DEFAULT_ALERT_SYSLOG_FACILITY_STR;
}
int facility = SCMapEnumNameToValue(facility_s, SCSyslogGetFacilityMap());
if (facility == -1) {
SCLogWarning(SC_ERR_INVALID_ARGUMENT, "Invalid syslog facility: \"%s\","
" now using \"%s\" as syslog facility", facility_s,
DEFAULT_ALERT_SYSLOG_FACILITY_STR);
facility = DEFAULT_ALERT_SYSLOG_FACILITY;
}
const char *level_s = ConfNodeLookupChildValue(conf, "level");
if (level_s != NULL) {
int level = SCMapEnumNameToValue(level_s, SCSyslogGetLogLevelMap());
if (level != -1) {
alert_syslog_level = level;
}
}
const char *ident = ConfNodeLookupChildValue(conf, "identity");
/* if null we just pass that to openlog, which will then
* figure it out by itself. */
openlog(ident, LOG_PID|LOG_NDELAY, facility);
}
const char *sensor_id_s = ConfNodeLookupChildValue(conf, "sensor-id");
if (sensor_id_s != NULL) {
if (ByteExtractStringUint64((uint64_t *)&sensor_id, 10, 0, sensor_id_s) == -1) {
SCLogError(SC_ERR_INVALID_ARGUMENT,
"Failed to initialize JSON output, "
"invalid sensor-is: %s", sensor_id_s);
exit(EXIT_FAILURE);
}
}
format = json_ctx->format;
json_out = json_ctx->json_out;
}
return output_ctx;
}
/**
* \brief Initialize profiling.
*/
void
SCProfilingInit(void)
{
ConfNode *conf;
SC_ATOMIC_INIT(samples);
intmax_t rate_v = 0;
(void)ConfGetInt("profiling.sample-rate", &rate_v);
if (rate_v > 0 && rate_v < INT_MAX) {
rate = (int)rate_v;
if (rate != 1)
SCLogInfo("profiling runs for every %dth packet", rate);
else
SCLogInfo("profiling runs for every packet");
}
conf = ConfGetNode("profiling.packets");
if (conf != NULL) {
if (ConfNodeChildValueIsTrue(conf, "enabled")) {
profiling_packets_enabled = 1;
if (pthread_mutex_init(&packet_profile_lock, NULL) != 0) {
SCLogError(SC_ERR_MUTEX,
"Failed to initialize packet profiling mutex.");
exit(EXIT_FAILURE);
}
memset(&packet_profile_data4, 0, sizeof(packet_profile_data4));
memset(&packet_profile_data6, 0, sizeof(packet_profile_data6));
memset(&packet_profile_tmm_data4, 0, sizeof(packet_profile_tmm_data4));
memset(&packet_profile_tmm_data6, 0, sizeof(packet_profile_tmm_data6));
memset(&packet_profile_app_data4, 0, sizeof(packet_profile_app_data4));
memset(&packet_profile_app_data6, 0, sizeof(packet_profile_app_data6));
memset(&packet_profile_app_pd_data4, 0, sizeof(packet_profile_app_pd_data4));
memset(&packet_profile_app_pd_data6, 0, sizeof(packet_profile_app_pd_data6));
memset(&packet_profile_detect_data4, 0, sizeof(packet_profile_detect_data4));
memset(&packet_profile_detect_data6, 0, sizeof(packet_profile_detect_data6));
memset(&packet_profile_log_data4, 0, sizeof(packet_profile_log_data4));
memset(&packet_profile_log_data6, 0, sizeof(packet_profile_log_data6));
memset(&packet_profile_flowworker_data, 0, sizeof(packet_profile_flowworker_data));
const char *filename = ConfNodeLookupChildValue(conf, "filename");
if (filename != NULL) {
char *log_dir;
log_dir = ConfigGetLogDirectory();
profiling_packets_file_name = SCMalloc(PATH_MAX);
if (unlikely(profiling_packets_file_name == NULL)) {
SCLogError(SC_ERR_MEM_ALLOC, "can't duplicate file name");
exit(EXIT_FAILURE);
}
snprintf(profiling_packets_file_name, PATH_MAX, "%s/%s", log_dir, filename);
const char *v = ConfNodeLookupChildValue(conf, "append");
if (v == NULL || ConfValIsTrue(v)) {
profiling_packets_file_mode = "a";
} else {
profiling_packets_file_mode = "w";
}
profiling_packets_output_to_file = 1;
}
}
conf = ConfGetNode("profiling.packets.csv");
if (conf != NULL) {
if (ConfNodeChildValueIsTrue(conf, "enabled")) {
const char *filename = ConfNodeLookupChildValue(conf, "filename");
if (filename == NULL) {
filename = "packet_profile.csv";
}
char *log_dir;
log_dir = ConfigGetLogDirectory();
profiling_csv_file_name = SCMalloc(PATH_MAX);
if (unlikely(profiling_csv_file_name == NULL)) {
SCLogError(SC_ERR_MEM_ALLOC, "out of memory");
exit(EXIT_FAILURE);
}
snprintf(profiling_csv_file_name, PATH_MAX, "%s/%s", log_dir, filename);
packet_profile_csv_fp = fopen(profiling_csv_file_name, "w");
if (packet_profile_csv_fp == NULL) {
return;
}
fprintf(packet_profile_csv_fp, "pcap_cnt,ipver,ipproto,total,");
int i;
for (i = 0; i < TMM_SIZE; i++) {
fprintf(packet_profile_csv_fp, "%s,", TmModuleTmmIdToString(i));
}
fprintf(packet_profile_csv_fp, "threading,");
for (i = 0; i < ALPROTO_MAX; i++) {
fprintf(packet_profile_csv_fp, "%s,", AppProtoToString(i));
}
fprintf(packet_profile_csv_fp, "proto detect,");
for (i = 0; i < PROF_DETECT_SIZE; i++) {
fprintf(packet_profile_csv_fp, "%s,", PacketProfileDetectIdToString(i));
}
fprintf(packet_profile_csv_fp, "\n");
profiling_packets_csv_enabled = 1;
}
}
}
conf = ConfGetNode("profiling.locks");
if (conf != NULL) {
if (ConfNodeChildValueIsTrue(conf, "enabled")) {
#ifndef PROFILE_LOCKING
SCLogWarning(SC_WARN_PROFILE, "lock profiling not compiled in. Add --enable-profiling-locks to configure.");
#else
profiling_locks_enabled = 1;
LockRecordInitHash();
const char *filename = ConfNodeLookupChildValue(conf, "filename");
if (filename != NULL) {
char *log_dir;
log_dir = ConfigGetLogDirectory();
profiling_locks_file_name = SCMalloc(PATH_MAX);
if (unlikely(profiling_locks_file_name == NULL)) {
SCLogError(SC_ERR_MEM_ALLOC, "can't duplicate file name");
exit(EXIT_FAILURE);
}
snprintf(profiling_locks_file_name, PATH_MAX, "%s/%s", log_dir, filename);
const char *v = ConfNodeLookupChildValue(conf, "append");
if (v == NULL || ConfValIsTrue(v)) {
profiling_locks_file_mode = "a";
} else {
profiling_locks_file_mode = "w";
}
profiling_locks_output_to_file = 1;
}
#endif
}
}
}
static void XffSetup(AlertJsonOutputCtx *json_output_ctx, ConfNode *conf)
{
HttpXFFCfg *xff_cfg = NULL;
xff_cfg = SCMalloc(sizeof(HttpXFFCfg));
if (unlikely(xff_cfg == NULL)) {
return;
}
memset(xff_cfg, 0, sizeof(HttpXFFCfg));
json_output_ctx->xff_cfg = xff_cfg;
uint32_t payload_buffer_size = JSON_STREAM_BUFFER_SIZE;
if (conf != NULL) {
const char *payload = ConfNodeLookupChildValue(conf, "payload");
const char *payload_buffer_value = ConfNodeLookupChildValue(conf, "payload-buffer-size");
const char *packet = ConfNodeLookupChildValue(conf, "packet");
const char *payload_printable = ConfNodeLookupChildValue(conf, "payload-printable");
const char *http = ConfNodeLookupChildValue(conf, "http");
const char *tls = ConfNodeLookupChildValue(conf, "tls");
const char *ssh = ConfNodeLookupChildValue(conf, "ssh");
const char *smtp = ConfNodeLookupChildValue(conf, "smtp");
const char *tagged_packets = ConfNodeLookupChildValue(conf, "tagged-packets");
if (ssh != NULL) {
if (ConfValIsTrue(ssh)) {
json_output_ctx->flags |= LOG_JSON_SSH;
}
}
if (tls != NULL) {
if (ConfValIsTrue(tls)) {
json_output_ctx->flags |= LOG_JSON_TLS;
}
}
if (http != NULL) {
if (ConfValIsTrue(http)) {
json_output_ctx->flags |= LOG_JSON_HTTP;
}
}
if (smtp != NULL) {
if (ConfValIsTrue(smtp)) {
json_output_ctx->flags |= LOG_JSON_SMTP;
}
}
if (payload_printable != NULL) {
if (ConfValIsTrue(payload_printable)) {
json_output_ctx->flags |= LOG_JSON_PAYLOAD;
}
}
if (payload != NULL) {
if (ConfValIsTrue(payload)) {
json_output_ctx->flags |= LOG_JSON_PAYLOAD_BASE64;
}
}
if (payload_buffer_value != NULL) {
uint32_t value;
if (ParseSizeStringU32(payload_buffer_value, &value) < 0) {
SCLogError(SC_ERR_ALERT_PAYLOAD_BUFFER, "Error parsing "
"payload-buffer-size - %s. Killing engine",
payload_buffer_value);
exit(EXIT_FAILURE);
} else {
payload_buffer_size = value;
}
}
if (packet != NULL) {
if (ConfValIsTrue(packet)) {
json_output_ctx->flags |= LOG_JSON_PACKET;
}
}
if (tagged_packets != NULL) {
if (ConfValIsTrue(tagged_packets)) {
json_output_ctx->flags |= LOG_JSON_TAGGED_PACKETS;
}
}
json_output_ctx->payload_buffer_size = payload_buffer_size;
HttpXFFGetCfg(conf, xff_cfg);
}
}
static void *MpmCudaConfParse(ConfNode *node)
{
const char *value;
MpmCudaConf *conf = SCMalloc(sizeof(MpmCudaConf));
if (unlikely(conf == NULL))
exit(EXIT_FAILURE);
memset(conf, 0, sizeof(*conf));
if (node != NULL)
value = ConfNodeLookupChildValue(node, "data-buffer-size-min-limit");
else
value = NULL;
if (value == NULL) {
/* default */
conf->data_buffer_size_min_limit = UTIL_MPM_CUDA_DATA_BUFFER_SIZE_MIN_LIMIT_DEFAULT;
} else if (ParseSizeStringU16(value, &conf->data_buffer_size_min_limit) < 0) {
SCLogError(SC_ERR_INVALID_YAML_CONF_ENTRY, "Invalid entry for %s."
"data-buffer-size-min-limit - \"%s\"", node->name, value);
exit(EXIT_FAILURE);
}
if (node != NULL)
value = ConfNodeLookupChildValue(node, "data-buffer-size-max-limit");
else
value = NULL;
if (value == NULL) {
/* default */
conf->data_buffer_size_max_limit = UTIL_MPM_CUDA_DATA_BUFFER_SIZE_MAX_LIMIT_DEFAULT;
} else if (ParseSizeStringU16(value, &conf->data_buffer_size_max_limit) < 0) {
SCLogError(SC_ERR_INVALID_YAML_CONF_ENTRY, "Invalid entry for %s."
"data-buffer-size-max-limit - \"%s\"", node->name, value);
exit(EXIT_FAILURE);
}
if (node != NULL)
value = ConfNodeLookupChildValue(node, "cudabuffer-buffer-size");
else
value = NULL;
if (value == NULL) {
/* default */
conf->cb_buffer_size = UTIL_MPM_CUDA_CUDA_BUFFER_DBUFFER_SIZE_DEFAULT;
} else if (ParseSizeStringU32(value, &conf->cb_buffer_size) < 0) {
SCLogError(SC_ERR_INVALID_YAML_CONF_ENTRY, "Invalid entry for %s."
"cb-buffer-size - \"%s\"", node->name, value);
exit(EXIT_FAILURE);
}
if (node != NULL)
value = ConfNodeLookupChildValue(node, "gpu-transfer-size");
else
value = NULL;
if (value == NULL) {
/* default */
conf->gpu_transfer_size = UTIL_MPM_CUDA_GPU_TRANSFER_SIZE;
} else if (ParseSizeStringU32(value, &conf->gpu_transfer_size) < 0) {
SCLogError(SC_ERR_INVALID_YAML_CONF_ENTRY, "Invalid entry for %s."
"gpu-transfer-size - \"%s\"", node->name, value);
exit(EXIT_FAILURE);
}
if (node != NULL)
value = ConfNodeLookupChildValue(node, "batching-timeout");
else
value = NULL;
if (value == NULL) {
/* default */
conf->batching_timeout = UTIL_MPM_CUDA_BATCHING_TIMEOUT_DEFAULT;
} else if ((conf->batching_timeout = atoi(value)) < 0) {
SCLogError(SC_ERR_INVALID_YAML_CONF_ENTRY, "Invalid entry for %s."
"batching-timeout - \"%s\"", node->name, value);
exit(EXIT_FAILURE);
}
if (node != NULL)
value = ConfNodeLookupChildValue(node, "device-id");
else
value = NULL;
if (value == NULL) {
/* default */
conf->device_id = UTIL_MPM_CUDA_DEVICE_ID_DEFAULT;
} else if ((conf->device_id = atoi(value)) < 0) {
SCLogError(SC_ERR_INVALID_YAML_CONF_ENTRY, "Invalid entry for %s."
"device-id - \"%s\"", node->name, value);
exit(EXIT_FAILURE);
}
if (node != NULL)
value = ConfNodeLookupChildValue(node, "cuda-streams");
else
value = NULL;
if (value == NULL) {
/* default */
conf->cuda_streams = UTIL_MPM_CUDA_CUDA_STREAMS_DEFAULT;
} else if ((conf->cuda_streams = atoi(value)) < 0) {
SCLogError(SC_ERR_INVALID_YAML_CONF_ENTRY, "Invalid entry for %s."
"cuda-streams - \"%s\"", node->name, value);
exit(EXIT_FAILURE);
}
return conf;
}
/** \brief Create a new LogFileCtx from the provided ConfNode.
* \param conf The configuration node for this output.
* \return NULL if failure, LogFileCtx* to the file_ctx if succesful
* */
OutputCtx *Unified2AlertInitCtx(ConfNode *conf)
{
int ret = 0;
LogFileCtx* file_ctx = NULL;
file_ctx = LogFileNewCtx();
if (file_ctx == NULL) {
SCLogError(SC_ERR_UNIFIED2_ALERT_GENERIC, "Couldn't create new file_ctx");
goto error;
}
const char *filename = NULL;
if (conf != NULL) { /* To faciliate unit tests. */
filename = ConfNodeLookupChildValue(conf, "filename");
}
if (filename == NULL)
filename = DEFAULT_LOG_FILENAME;
file_ctx->prefix = SCStrdup(filename);
const char *s_limit = NULL;
file_ctx->size_limit = DEFAULT_LIMIT;
if (conf != NULL) {
s_limit = ConfNodeLookupChildValue(conf, "limit");
if (s_limit != NULL) {
if (ParseSizeStringU64(s_limit, &file_ctx->size_limit) < 0) {
SCLogError(SC_ERR_INVALID_ARGUMENT,
"Failed to initialize unified2 output, invalid limit: %s",
s_limit);
exit(EXIT_FAILURE);
}
if (file_ctx->size_limit < 4096) {
SCLogInfo("unified2-alert \"limit\" value of %"PRIu64" assumed to be pre-1.2 "
"style: setting limit to %"PRIu64"mb", file_ctx->size_limit, file_ctx->size_limit);
uint64_t size = file_ctx->size_limit * 1024 * 1024;
file_ctx->size_limit = size;
} else if (file_ctx->size_limit < MIN_LIMIT) {
SCLogError(SC_ERR_INVALID_ARGUMENT,
"Failed to initialize unified2 output, limit less than "
"allowed minimum: %d.", MIN_LIMIT);
exit(EXIT_FAILURE);
}
}
}
if (conf != NULL) {
const char *sensor_id_s = NULL;
sensor_id_s = ConfNodeLookupChildValue(conf, "sensor-id");
if (sensor_id_s != NULL) {
if (ByteExtractStringUint32(&sensor_id, 10, 0, sensor_id_s) == -1) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "Failed to initialize unified2 output, invalid sensor-id: %s", sensor_id_s);
exit(EXIT_FAILURE);
}
}
}
ret = Unified2AlertOpenFileCtx(file_ctx, filename);
if (ret < 0)
goto error;
OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
if (unlikely(output_ctx == NULL))
goto error;
output_ctx->data = file_ctx;
output_ctx->DeInit = Unified2AlertDeInitCtx;
SCLogInfo("Unified2-alert initialized: filename %s, limit %"PRIu64" MB",
filename, file_ctx->size_limit / (1024*1024));
SC_ATOMIC_INIT(unified2_event_id);
return output_ctx;
error:
if (file_ctx != NULL) {
LogFileFreeCtx(file_ctx);
}
return NULL;
}
int SCConfLogOpenRedis(ConfNode *redis_node, LogFileCtx *log_ctx)
{
const char *redis_server = NULL;
const char *redis_port = NULL;
const char *redis_mode = NULL;
const char *redis_key = NULL;
if (redis_node) {
redis_server = ConfNodeLookupChildValue(redis_node, "server");
redis_port = ConfNodeLookupChildValue(redis_node, "port");
redis_mode = ConfNodeLookupChildValue(redis_node, "mode");
redis_key = ConfNodeLookupChildValue(redis_node, "key");
}
if (!redis_server) {
redis_server = "127.0.0.1";
SCLogInfo("Using default redis server (127.0.0.1)");
}
if (!redis_port)
redis_port = "6379";
if (!redis_mode)
redis_mode = "list";
if (!redis_key)
redis_key = "suricata";
log_ctx->redis_setup.key = SCStrdup(redis_key);
if (!log_ctx->redis_setup.key) {
SCLogError(SC_ERR_MEM_ALLOC, "Unable to allocate redis key name");
exit(EXIT_FAILURE);
}
log_ctx->redis_setup.batch_size = 0;
ConfNode *pipelining = ConfNodeLookupChild(redis_node, "pipelining");
if (pipelining) {
int enabled = 0;
int ret;
intmax_t val;
ret = ConfGetChildValueBool(pipelining, "enabled", &enabled);
if (ret && enabled) {
ret = ConfGetChildValueInt(pipelining, "batch-size", &val);
if (ret) {
log_ctx->redis_setup.batch_size = val;
} else {
log_ctx->redis_setup.batch_size = 10;
}
}
}
if (!strcmp(redis_mode, "list")) {
log_ctx->redis_setup.command = redis_push_cmd;
if (!log_ctx->redis_setup.command) {
SCLogError(SC_ERR_MEM_ALLOC, "Unable to allocate redis key command");
exit(EXIT_FAILURE);
}
} else {
log_ctx->redis_setup.command = redis_publish_cmd;
if (!log_ctx->redis_setup.command) {
SCLogError(SC_ERR_MEM_ALLOC, "Unable to allocate redis key command");
exit(EXIT_FAILURE);
}
}
redisContext *c = redisConnect(redis_server, atoi(redis_port));
if (c != NULL && c->err) {
SCLogError(SC_ERR_SOCKET, "Error connecting to redis server: %s", c->errstr);
exit(EXIT_FAILURE);
}
/* store server params for reconnection */
log_ctx->redis_setup.server = SCStrdup(redis_server);
if (!log_ctx->redis_setup.server) {
SCLogError(SC_ERR_MEM_ALLOC, "Error allocating redis server string");
exit(EXIT_FAILURE);
}
log_ctx->redis_setup.port = atoi(redis_port);
log_ctx->redis_setup.tried = 0;
log_ctx->redis = c;
log_ctx->Close = SCLogFileCloseRedis;
return 0;
}
