/**
* \internal
* \brief this function is used to add the seq option into the signature
*
* \param de_ctx pointer to the Detection Engine Context
* \param s pointer to the Current Signature
* \param optstr pointer to the user provided options
*
* \retval 0 on Success
* \retval -1 on Failure
*/
static int DetectSeqSetup (DetectEngineCtx *de_ctx, Signature *s, char *optstr)
{
DetectSeqData *data;
SigMatch *sm = NULL;
data = SCMalloc(sizeof(DetectSeqData));
if (data == NULL)
goto error;
sm = SigMatchAlloc();
if (sm == NULL) {
goto error;
}
sm->type = DETECT_SEQ;
if (-1 == ByteExtractStringUint32(&data->seq, 10, 0, optstr)) {
goto error;
}
sm->ctx = data;
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_MATCH);
s->flags |= SIG_FLAG_REQUIRE_PACKET;
return 0;
error:
if (data) SCFree(data);
return -1;
}
/** \brief Create a new LogFileCtx for unified alert logging.
* \param conf The ConfNode for this output.
* \return NULL if failure, LogFileCtx* to the file_ctx if succesful
* */
OutputCtx *AlertUnifiedAlertInitCtx(ConfNode *conf)
{
int ret = 0;
LogFileCtx *file_ctx = NULL;
file_ctx = LogFileNewCtx();
if (file_ctx == NULL) {
SCLogError(SC_ERR_UNIFIED_ALERT_GENERIC, "Couldn't create new file_ctx");
goto error;
}
const char *filename = NULL;
if (conf != NULL)
filename = ConfNodeLookupChildValue(conf, "filename");
if (filename == NULL)
filename = DEFAULT_LOG_FILENAME;
file_ctx->prefix = SCStrdup(filename);
const char *s_limit = NULL;
uint32_t limit = DEFAULT_LIMIT;
if (conf != NULL) {
s_limit = ConfNodeLookupChildValue(conf, "limit");
if (s_limit != NULL) {
if (ByteExtractStringUint32(&limit, 10, 0, s_limit) == -1) {
SCLogError(SC_ERR_INVALID_ARGUMENT,
"Fail to initialize unified alert output, invalid limit: %s",
s_limit);
exit(EXIT_FAILURE);
}
if (limit < MIN_LIMIT) {
SCLogError(SC_ERR_INVALID_ARGUMENT,
"Fail to initialize unified alert output, limit less than "
"allowed minimum: %d.", MIN_LIMIT);
exit(EXIT_FAILURE);
}
}
}
file_ctx->size_limit = limit * 1024 * 1024;
ret = AlertUnifiedAlertOpenFileCtx(file_ctx, filename);
if (ret < 0)
goto error;
OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
if (output_ctx == NULL)
goto error;
output_ctx->data = file_ctx;
output_ctx->DeInit = AlertUnifiedAlertDeInitCtx;
SCLogInfo("Unified-alert initialized: filename %s, limit %"PRIu32" MB",
filename, limit);
return output_ctx;
error:
if (file_ctx != NULL) {
LogFileFreeCtx(file_ctx);
}
return NULL;
}
/** \test max u32 value + 1 */
static int ByteTest16 (void) {
const char *str = "4294967296";
uint32_t u32 = 0;
int ret = ByteExtractStringUint32(&u32, 10, strlen(str), str);
if (ret != 0) {
return 1;
}
return 0;
}
static int ByteTest08 (void) {
const char *str = "1234567890";
uint32_t val = 1234567890;
uint32_t i32 = 0xbfbfbfbf;
int ret = ByteExtractStringUint32(&i32, 10, strlen(str), str);
if ((ret == 10) && (i32 == val)) {
return 1;
}
return 0;
}
/** \test max u32 value */
static int ByteTest15 (void) {
const char *str = "4294967295";
uint32_t val = 4294967295UL;
uint32_t u32 = 0xffffffff;
int ret = ByteExtractStringUint32(&u32, 10, strlen(str), str);
if ((ret == 10) && (u32 == val)) {
return 1;
}
return 0;
}
/**
* \internal
* \brief This function is used to parse threshold options passed via threshold: keyword
*
* \param rawstr Pointer to the user provided threshold options
*
* \retval de pointer to DetectThresholdData on success
* \retval NULL on failure
*/
static DetectThresholdData *DetectThresholdParse (char *rawstr)
{
DetectThresholdData *de = NULL;
#define MAX_SUBSTRINGS 30
int ret = 0, res = 0;
int ov[MAX_SUBSTRINGS];
const char *str_ptr = NULL;
char *args[9] = { NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL };
char *copy_str = NULL, *threshold_opt = NULL;
int second_found = 0, count_found = 0;
int type_found = 0, track_found = 0;
int second_pos = 0, count_pos = 0;
uint16_t pos = 0;
int i = 0;
copy_str = SCStrdup(rawstr);
for(pos = 0, threshold_opt = strtok(copy_str,","); pos < strlen(copy_str) && threshold_opt != NULL; pos++, threshold_opt = strtok(NULL,",")) {
if(strstr(threshold_opt,"count"))
count_found++;
if(strstr(threshold_opt,"second"))
second_found++;
if(strstr(threshold_opt,"type"))
type_found++;
if(strstr(threshold_opt,"track"))
track_found++;
}
if(copy_str)
SCFree(copy_str);
if(count_found != 1 || second_found != 1 || type_found != 1 || track_found != 1)
goto error;
ret = pcre_exec(parse_regex, parse_regex_study, rawstr, strlen(rawstr), 0, 0, ov, MAX_SUBSTRINGS);
if (ret < 5) {
SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret %" PRId32 ", string %s", ret, rawstr);
goto error;
}
de = SCMalloc(sizeof(DetectThresholdData));
if (de == NULL)
goto error;
memset(de,0,sizeof(DetectThresholdData));
for (i = 0; i < (ret - 1); i++) {
res = pcre_get_substring((char *)rawstr, ov, MAX_SUBSTRINGS,i + 1, &str_ptr);
if (res < 0) {
SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
goto error;
}
args[i] = (char *)str_ptr;
if (strncasecmp(args[i],"limit",strlen("limit")) == 0)
de->type = TYPE_LIMIT;
if (strncasecmp(args[i],"both",strlen("both")) == 0)
de->type = TYPE_BOTH;
if (strncasecmp(args[i],"threshold",strlen("threshold")) == 0)
de->type = TYPE_THRESHOLD;
if (strncasecmp(args[i],"by_dst",strlen("by_dst")) == 0)
de->track = TRACK_DST;
if (strncasecmp(args[i],"by_src",strlen("by_src")) == 0)
de->track = TRACK_SRC;
if (strncasecmp(args[i],"count",strlen("seconds")) == 0)
count_pos = i+1;
if (strncasecmp(args[i],"seconds",strlen("seconds")) == 0)
second_pos = i+1;
}
if (args[count_pos] == NULL || args[second_pos] == NULL) {
goto error;
}
if (ByteExtractStringUint32(&de->count, 10, strlen(args[count_pos]),
args[count_pos]) <= 0) {
goto error;
}
if (ByteExtractStringUint32(&de->seconds, 10, strlen(args[second_pos]),
args[second_pos]) <= 0) {
goto error;
}
for (i = 0; i < (ret - 1); i++){
if (args[i] != NULL) SCFree(args[i]);
}
return de;
error:
for (i = 0; i < (ret - 1); i++){
if (args[i] != NULL) SCFree(args[i]);
}
if (de) SCFree(de);
return NULL;
}
/** \brief initialize the configuration
* \warning Not thread safe */
void HostInitConfig(char quiet)
{
SCLogDebug("initializing host engine...");
memset(&host_config, 0, sizeof(host_config));
//SC_ATOMIC_INIT(flow_flags);
SC_ATOMIC_INIT(host_counter);
SC_ATOMIC_INIT(host_memuse);
SC_ATOMIC_INIT(host_prune_idx);
HostQueueInit(&host_spare_q);
unsigned int seed = RandomTimePreseed();
/* set defaults */
host_config.hash_rand = (int)( HOST_DEFAULT_HASHSIZE * (rand_r(&seed) / RAND_MAX + 1.0));
host_config.hash_size = HOST_DEFAULT_HASHSIZE;
host_config.memcap = HOST_DEFAULT_MEMCAP;
host_config.prealloc = HOST_DEFAULT_PREALLOC;
/* Check if we have memcap and hash_size defined at config */
char *conf_val;
uint32_t configval = 0;
/** set config values for memcap, prealloc and hash_size */
if ((ConfGet("host.memcap", &conf_val)) == 1)
{
if (ParseSizeStringU64(conf_val, &host_config.memcap) < 0) {
SCLogError(SC_ERR_SIZE_PARSE, "Error parsing host.memcap "
"from conf file - %s. Killing engine",
conf_val);
exit(EXIT_FAILURE);
}
}
if ((ConfGet("host.hash-size", &conf_val)) == 1)
{
if (ByteExtractStringUint32(&configval, 10, strlen(conf_val),
conf_val) > 0) {
host_config.hash_size = configval;
}
}
if ((ConfGet("host.prealloc", &conf_val)) == 1)
{
if (ByteExtractStringUint32(&configval, 10, strlen(conf_val),
conf_val) > 0) {
host_config.prealloc = configval;
}
}
SCLogDebug("Host config from suricata.yaml: memcap: %"PRIu64", hash-size: "
"%"PRIu32", prealloc: %"PRIu32, host_config.memcap,
host_config.hash_size, host_config.prealloc);
/* alloc hash memory */
uint64_t hash_size = host_config.hash_size * sizeof(HostHashRow);
if (!(HOST_CHECK_MEMCAP(hash_size))) {
SCLogError(SC_ERR_HOST_INIT, "allocating host hash failed: "
"max host memcap is smaller than projected hash size. "
"Memcap: %"PRIu64", Hash table size %"PRIu64". Calculate "
"total hash size by multiplying \"host.hash-size\" with %"PRIuMAX", "
"which is the hash bucket size.", host_config.memcap, hash_size,
(uintmax_t)sizeof(HostHashRow));
exit(EXIT_FAILURE);
}
host_hash = SCCalloc(host_config.hash_size, sizeof(HostHashRow));
if (unlikely(host_hash == NULL)) {
SCLogError(SC_ERR_FATAL, "Fatal error encountered in HostInitConfig. Exiting...");
exit(EXIT_FAILURE);
}
memset(host_hash, 0, host_config.hash_size * sizeof(HostHashRow));
uint32_t i = 0;
for (i = 0; i < host_config.hash_size; i++) {
HRLOCK_INIT(&host_hash[i]);
}
(void) SC_ATOMIC_ADD(host_memuse, (host_config.hash_size * sizeof(HostHashRow)));
if (quiet == FALSE) {
SCLogInfo("allocated %llu bytes of memory for the host hash... "
"%" PRIu32 " buckets of size %" PRIuMAX "",
SC_ATOMIC_GET(host_memuse), host_config.hash_size,
(uintmax_t)sizeof(HostHashRow));
}
/* pre allocate hosts */
for (i = 0; i < host_config.prealloc; i++) {
if (!(HOST_CHECK_MEMCAP(sizeof(Host)))) {
SCLogError(SC_ERR_HOST_INIT, "preallocating hosts failed: "
"max host memcap reached. Memcap %"PRIu64", "
"Memuse %"PRIu64".", host_config.memcap,
((uint64_t)SC_ATOMIC_GET(host_memuse) + (uint64_t)sizeof(Host)));
exit(EXIT_FAILURE);
}
Host *h = HostAlloc();
if (h == NULL) {
SCLogError(SC_ERR_HOST_INIT, "preallocating host failed: %s", strerror(errno));
exit(EXIT_FAILURE);
}
HostEnqueue(&host_spare_q,h);
}
if (quiet == FALSE) {
SCLogInfo("preallocated %" PRIu32 " hosts of size %" PRIuMAX "",
host_spare_q.len, (uintmax_t)sizeof(Host));
SCLogInfo("host memory usage: %llu bytes, maximum: %"PRIu64,
SC_ATOMIC_GET(host_memuse), host_config.memcap);
}
return;
}
/** \brief initialize the configuration
* \warning Not thread safe */
void DefragInitConfig(char quiet)
{
SCLogDebug("initializing defrag engine...");
memset(&defrag_config, 0, sizeof(defrag_config));
//SC_ATOMIC_INIT(flow_flags);
SC_ATOMIC_INIT(defragtracker_counter);
SC_ATOMIC_INIT(defrag_memuse);
SC_ATOMIC_INIT(defragtracker_prune_idx);
DefragTrackerQueueInit(&defragtracker_spare_q);
/* set defaults */
defrag_config.hash_rand = (uint32_t)RandomGet();
defrag_config.hash_size = DEFRAG_DEFAULT_HASHSIZE;
defrag_config.memcap = DEFRAG_DEFAULT_MEMCAP;
defrag_config.prealloc = DEFRAG_DEFAULT_PREALLOC;
/* Check if we have memcap and hash_size defined at config */
const char *conf_val;
uint32_t configval = 0;
/** set config values for memcap, prealloc and hash_size */
if ((ConfGet("defrag.memcap", &conf_val)) == 1)
{
if (ParseSizeStringU64(conf_val, &defrag_config.memcap) < 0) {
SCLogError(SC_ERR_SIZE_PARSE, "Error parsing defrag.memcap "
"from conf file - %s. Killing engine",
conf_val);
exit(EXIT_FAILURE);
}
}
if ((ConfGet("defrag.hash-size", &conf_val)) == 1)
{
if (ByteExtractStringUint32(&configval, 10, strlen(conf_val),
conf_val) > 0) {
defrag_config.hash_size = configval;
} else {
WarnInvalidConfEntry("defrag.hash-size", "%"PRIu32, defrag_config.hash_size);
}
}
if ((ConfGet("defrag.trackers", &conf_val)) == 1)
{
if (ByteExtractStringUint32(&configval, 10, strlen(conf_val),
conf_val) > 0) {
defrag_config.prealloc = configval;
} else {
WarnInvalidConfEntry("defrag.trackers", "%"PRIu32, defrag_config.prealloc);
}
}
SCLogDebug("DefragTracker config from suricata.yaml: memcap: %"PRIu64", hash-size: "
"%"PRIu32", prealloc: %"PRIu32, defrag_config.memcap,
defrag_config.hash_size, defrag_config.prealloc);
/* alloc hash memory */
uint64_t hash_size = defrag_config.hash_size * sizeof(DefragTrackerHashRow);
if (!(DEFRAG_CHECK_MEMCAP(hash_size))) {
SCLogError(SC_ERR_DEFRAG_INIT, "allocating defrag hash failed: "
"max defrag memcap is smaller than projected hash size. "
"Memcap: %"PRIu64", Hash table size %"PRIu64". Calculate "
"total hash size by multiplying \"defrag.hash-size\" with %"PRIuMAX", "
"which is the hash bucket size.", defrag_config.memcap, hash_size,
(uintmax_t)sizeof(DefragTrackerHashRow));
exit(EXIT_FAILURE);
}
defragtracker_hash = SCCalloc(defrag_config.hash_size, sizeof(DefragTrackerHashRow));
if (unlikely(defragtracker_hash == NULL)) {
SCLogError(SC_ERR_FATAL, "Fatal error encountered in DefragTrackerInitConfig. Exiting...");
exit(EXIT_FAILURE);
}
memset(defragtracker_hash, 0, defrag_config.hash_size * sizeof(DefragTrackerHashRow));
uint32_t i = 0;
for (i = 0; i < defrag_config.hash_size; i++) {
DRLOCK_INIT(&defragtracker_hash[i]);
}
(void) SC_ATOMIC_ADD(defrag_memuse, (defrag_config.hash_size * sizeof(DefragTrackerHashRow)));
if (quiet == FALSE) {
SCLogConfig("allocated %"PRIu64" bytes of memory for the defrag hash... "
"%" PRIu32 " buckets of size %" PRIuMAX "",
SC_ATOMIC_GET(defrag_memuse), defrag_config.hash_size,
(uintmax_t)sizeof(DefragTrackerHashRow));
}
if ((ConfGet("defrag.prealloc", &conf_val)) == 1)
{
if (ConfValIsTrue(conf_val)) {
/* pre allocate defrag trackers */
for (i = 0; i < defrag_config.prealloc; i++) {
if (!(DEFRAG_CHECK_MEMCAP(sizeof(DefragTracker)))) {
SCLogError(SC_ERR_DEFRAG_INIT, "preallocating defrag trackers failed: "
"max defrag memcap reached. Memcap %"PRIu64", "
"Memuse %"PRIu64".", defrag_config.memcap,
((uint64_t)SC_ATOMIC_GET(defrag_memuse) + (uint64_t)sizeof(DefragTracker)));
exit(EXIT_FAILURE);
}
DefragTracker *h = DefragTrackerAlloc();
if (h == NULL) {
SCLogError(SC_ERR_DEFRAG_INIT, "preallocating defrag failed: %s", strerror(errno));
exit(EXIT_FAILURE);
}
DefragTrackerEnqueue(&defragtracker_spare_q,h);
}
if (quiet == FALSE) {
SCLogConfig("preallocated %" PRIu32 " defrag trackers of size %" PRIuMAX "",
defragtracker_spare_q.len, (uintmax_t)sizeof(DefragTracker));
}
}
}
if (quiet == FALSE) {
SCLogConfig("defrag memory usage: %"PRIu64" bytes, maximum: %"PRIu64,
SC_ATOMIC_GET(defrag_memuse), defrag_config.memcap);
}
return;
}
void SCProfilingRulesGlobalInit(void) {
ConfNode *conf;
const char *val;
conf = ConfGetNode("profiling.rules");
if (conf != NULL) {
if (ConfNodeChildValueIsTrue(conf, "enabled")) {
profiling_rules_enabled = 1;
val = ConfNodeLookupChildValue(conf, "sort");
if (val != NULL) {
if (strcmp(val, "ticks") == 0) {
profiling_rules_sort_order =
SC_PROFILING_RULES_SORT_BY_TICKS;
}
else if (strcmp(val, "avgticks") == 0) {
profiling_rules_sort_order =
SC_PROFILING_RULES_SORT_BY_AVG_TICKS;
}
else if (strcmp(val, "avgticks_match") == 0) {
profiling_rules_sort_order =
SC_PROFILING_RULES_SORT_BY_AVG_TICKS_MATCH;
}
else if (strcmp(val, "avgticks_no_match") == 0) {
profiling_rules_sort_order =
SC_PROFILING_RULES_SORT_BY_AVG_TICKS_NO_MATCH;
}
else if (strcmp(val, "checks") == 0) {
profiling_rules_sort_order =
SC_PROFILING_RULES_SORT_BY_CHECKS;
}
else if (strcmp(val, "matches") == 0) {
profiling_rules_sort_order =
SC_PROFILING_RULES_SORT_BY_MATCHES;
}
else if (strcmp(val, "maxticks") == 0) {
profiling_rules_sort_order =
SC_PROFILING_RULES_SORT_BY_MAX_TICKS;
}
else {
SCLogError(SC_ERR_INVALID_ARGUMENT,
"Invalid profiling sort order: %s", val);
exit(EXIT_FAILURE);
}
}
val = ConfNodeLookupChildValue(conf, "limit");
if (val != NULL) {
if (ByteExtractStringUint32(&profiling_rules_limit, 10,
(uint16_t)strlen(val), val) <= 0) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "Invalid limit: %s", val);
exit(EXIT_FAILURE);
}
}
const char *filename = ConfNodeLookupChildValue(conf, "filename");
if (filename != NULL) {
char *log_dir;
log_dir = ConfigGetLogDirectory();
profiling_file_name = SCMalloc(PATH_MAX);
if (unlikely(profiling_file_name == NULL)) {
SCLogError(SC_ERR_MEM_ALLOC, "can't duplicate file name");
exit(EXIT_FAILURE);
}
snprintf(profiling_file_name, PATH_MAX, "%s/%s", log_dir, filename);
const char *v = ConfNodeLookupChildValue(conf, "append");
if (v == NULL || ConfValIsTrue(v)) {
profiling_file_mode = "a";
} else {
profiling_file_mode = "w";
}
profiling_output_to_file = 1;
}
}
}
}
DetectBytejumpData *DetectBytejumpParse(char *optstr, char **offset)
{
DetectBytejumpData *data = NULL;
char *args[10] = {
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
NULL, NULL
};
#define MAX_SUBSTRINGS 30
int ret = 0, res = 0;
int ov[MAX_SUBSTRINGS];
int numargs = 0;
int i = 0;
uint32_t nbytes;
char *str_ptr;
char *end_ptr;
/* Execute the regex and populate args with captures. */
ret = pcre_exec(parse_regex, parse_regex_study, optstr,
strlen(optstr), 0, 0, ov, MAX_SUBSTRINGS);
if (ret < 2 || ret > 10) {
SCLogError(SC_ERR_PCRE_PARSE,"parse error, ret %" PRId32
", string \"%s\"", ret, optstr);
goto error;
}
/* The first two arguments are stashed in the first PCRE substring.
* This is because byte_jump can take 10 arguments, but PCRE only
* supports 9 substrings, sigh.
*/
res = pcre_get_substring((char *)optstr, ov,
MAX_SUBSTRINGS, 1, (const char **)&str_ptr);
if (res < 0) {
SCLogError(SC_ERR_PCRE_GET_SUBSTRING,"pcre_get_substring failed "
"for arg 1");
goto error;
}
/* Break up first substring into two parameters
*
* NOTE: Because of this, we cannot free args[1] as it is part of args[0],
* and *yes* this *is* ugly.
*/
end_ptr = str_ptr;
while (!(isspace((unsigned char)*end_ptr) || (*end_ptr == ','))) end_ptr++;
*(end_ptr++) = '\0';
args[0] = str_ptr;
numargs++;
str_ptr = end_ptr;
while (isspace((unsigned char)*str_ptr) || (*str_ptr == ',')) str_ptr++;
end_ptr = str_ptr;
while (!(isspace((unsigned char)*end_ptr) || (*end_ptr == ',')) && (*end_ptr != '\0'))
end_ptr++;
*(end_ptr++) = '\0';
args[1] = str_ptr;
numargs++;
/* The remaining args are directly from PCRE substrings */
for (i = 1; i < (ret - 1); i++) {
res = pcre_get_substring((char *)optstr, ov, MAX_SUBSTRINGS, i + 1, (const char **)&str_ptr);
if (res < 0) {
SCLogError(SC_ERR_PCRE_GET_SUBSTRING,"pcre_get_substring failed for arg %d", i + 1);
goto error;
}
args[i+1] = str_ptr;
numargs++;
}
/* Initialize the data */
data = SCMalloc(sizeof(DetectBytejumpData));
if (unlikely(data == NULL))
goto error;
data->base = DETECT_BYTEJUMP_BASE_UNSET;
data->flags = 0;
data->multiplier = 1;
data->post_offset = 0;
/*
* The first two options are required and positional. The
* remaining arguments are flags and are not positional.
*/
/* Number of bytes */
if (ByteExtractStringUint32(&nbytes, 10, strlen(args[0]), args[0]) <= 0) {
SCLogError(SC_ERR_INVALID_VALUE, "Malformed number of bytes: %s", optstr);
goto error;
}
/* Offset */
if (args[1][0] != '-' && isalpha((unsigned char)args[1][0])) {
if (offset == NULL) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "byte_jump supplied with "
"var name for offset. \"value\" argument supplied to "
"this function has to be non-NULL");
goto error;
}
*offset = SCStrdup(args[1]);
if (*offset == NULL)
goto error;
} else {
if (ByteExtractStringInt32(&data->offset, 0, strlen(args[1]), args[1]) <= 0) {
SCLogError(SC_ERR_INVALID_VALUE, "Malformed offset: %s", optstr);
goto error;
}
}
/* The remaining options are flags. */
/** \todo Error on dups? */
for (i = 2; i < numargs; i++) {
if (strcmp("relative", args[i]) == 0) {
data->flags |= DETECT_BYTEJUMP_RELATIVE;
} else if (strcasecmp("string", args[i]) == 0) {
data->flags |= DETECT_BYTEJUMP_STRING;
} else if (strcasecmp("dec", args[i]) == 0) {
data->base |= DETECT_BYTEJUMP_BASE_DEC;
} else if (strcasecmp("hex", args[i]) == 0) {
data->base |= DETECT_BYTEJUMP_BASE_HEX;
} else if (strcasecmp("oct", args[i]) == 0) {
data->base |= DETECT_BYTEJUMP_BASE_OCT;
} else if (strcasecmp("big", args[i]) == 0) {
if (data->flags & DETECT_BYTEJUMP_LITTLE) {
data->flags ^= DETECT_BYTEJUMP_LITTLE;
}
data->flags |= DETECT_BYTEJUMP_BIG;
} else if (strcasecmp("little", args[i]) == 0) {
data->flags |= DETECT_BYTEJUMP_LITTLE;
} else if (strcasecmp("from_beginning", args[i]) == 0) {
data->flags |= DETECT_BYTEJUMP_BEGIN;
} else if (strcasecmp("align", args[i]) == 0) {
data->flags |= DETECT_BYTEJUMP_ALIGN;
} else if (strncasecmp("multiplier ", args[i], 11) == 0) {
if (ByteExtractStringUint32(&data->multiplier, 10,
strlen(args[i]) - 11,
args[i] + 11) <= 0)
{
SCLogError(SC_ERR_INVALID_VALUE, "Malformed multiplier: %s", optstr);
goto error;
}
} else if (strncasecmp("post_offset ", args[i], 12) == 0) {
if (ByteExtractStringInt32(&data->post_offset, 10,
strlen(args[i]) - 12,
args[i] + 12) <= 0)
{
SCLogError(SC_ERR_INVALID_VALUE, "Malformed post_offset: %s", optstr);
goto error;
}
} else if (strcasecmp("dce", args[i]) == 0) {
data->flags |= DETECT_BYTEJUMP_DCE;
} else {
SCLogError(SC_ERR_INVALID_VALUE, "Unknown option: \"%s\"", args[i]);
goto error;
}
}
if (data->flags & DETECT_BYTEJUMP_STRING) {
/* 23 - This is the largest string (octal, with a zero prefix) that
* will not overflow uint64_t. The only way this length
* could be over 23 and still not overflow is if it were zero
* prefixed and we only support 1 byte of zero prefix for octal.
*
* "01777777777777777777777" = 0xffffffffffffffff
*/
if (nbytes > 23) {
SCLogError(SC_ERR_INVALID_VALUE, "Cannot test more than 23 bytes "
"with \"string\": %s", optstr);
goto error;
}
} else {
if (nbytes > 8) {
SCLogError(SC_ERR_INVALID_VALUE, "Cannot test more than 8 bytes "
"without \"string\": %s\n", optstr);
goto error;
}
if (data->base != DETECT_BYTEJUMP_BASE_UNSET) {
SCLogError(SC_ERR_INVALID_VALUE, "Cannot use a base "
"without \"string\": %s", optstr);
goto error;
}
}
/* This is max 23 so it will fit in a byte (see above) */
data->nbytes = (uint8_t)nbytes;
for (i = 0; i < numargs; i++){
if (i == 1) continue; /* args[1] is part of args[0] */
if (args[i] != NULL) SCFree(args[i]);
}
return data;
error:
for (i = 0; i < numargs; i++){
if (i == 1) continue; /* args[1] is part of args[0] */
if (args[i] != NULL) SCFree(args[i]);
}
if (data != NULL) DetectBytejumpFree(data);
return NULL;
}
/**
* \brief This function is used to parse rpc options passed via rpc keyword
*
* \param rpcstr Pointer to the user provided rpc options
*
* \retval rd pointer to DetectRpcData on success
* \retval NULL on failure
*/
static DetectRpcData *DetectRpcParse (const char *rpcstr)
{
DetectRpcData *rd = NULL;
char *args[3] = {NULL,NULL,NULL};
#define MAX_SUBSTRINGS 30
int ret = 0, res = 0;
int ov[MAX_SUBSTRINGS];
ret = pcre_exec(parse_regex, parse_regex_study, rpcstr, strlen(rpcstr), 0, 0, ov, MAX_SUBSTRINGS);
if (ret < 1 || ret > 4) {
SCLogError(SC_ERR_PCRE_MATCH, "parse error, ret %" PRId32 ", string %s", ret, rpcstr);
goto error;
}
if (ret > 1) {
const char *str_ptr;
res = pcre_get_substring((char *)rpcstr, ov, MAX_SUBSTRINGS, 1, &str_ptr);
if (res < 0) {
SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
goto error;
}
args[0] = (char *)str_ptr;
if (ret > 2) {
res = pcre_get_substring((char *)rpcstr, ov, MAX_SUBSTRINGS, 2, &str_ptr);
if (res < 0) {
SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
goto error;
}
args[1] = (char *)str_ptr;
}
if (ret > 3) {
res = pcre_get_substring((char *)rpcstr, ov, MAX_SUBSTRINGS, 3, &str_ptr);
if (res < 0) {
SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
goto error;
}
args[2] = (char *)str_ptr;
}
}
rd = SCMalloc(sizeof(DetectRpcData));
if (unlikely(rd == NULL))
goto error;
rd->flags = 0;
rd->program = 0;
rd->program_version = 0;
rd->procedure = 0;
int i;
for (i = 0; i < (ret - 1); i++) {
if (args[i]) {
switch (i) {
case 0:
if (ByteExtractStringUint32(&rd->program, 10, strlen(args[i]), args[i]) <= 0) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "Invalid size specified for the rpc program:\"%s\"", args[i]);
goto error;
}
rd->flags |= DETECT_RPC_CHECK_PROGRAM;
break;
case 1:
if (args[i][0] != '*') {
if (ByteExtractStringUint32(&rd->program_version, 10, strlen(args[i]), args[i]) <= 0) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "Invalid size specified for the rpc version:\"%s\"", args[i]);
goto error;
}
rd->flags |= DETECT_RPC_CHECK_VERSION;
}
break;
case 2:
if (args[i][0] != '*') {
if (ByteExtractStringUint32(&rd->procedure, 10, strlen(args[i]), args[i]) <= 0) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "Invalid size specified for the rpc procedure:\"%s\"", args[i]);
goto error;
}
rd->flags |= DETECT_RPC_CHECK_PROCEDURE;
}
break;
}
} else {
SCLogError(SC_ERR_INVALID_VALUE, "invalid rpc option %s",rpcstr);
goto error;
}
}
for (i = 0; i < (ret -1); i++){
if (args[i] != NULL)
SCFree(args[i]);
}
return rd;
error:
for (i = 0; i < (ret -1) && i < 3; i++){
if (args[i] != NULL)
SCFree(args[i]);
}
if (rd != NULL)
DetectRpcFree(rd);
return NULL;
}
static int DetectBase64DecodeParse(const char *str, uint32_t *bytes,
uint32_t *offset, uint8_t *relative)
{
static const int max = 30;
int ov[max];
int pcre_rc;
const char *bytes_str = NULL;
const char *offset_str = NULL;
const char *relative_str = NULL;
int retval = 0;
*bytes = 0;
*offset = 0;
*relative = 0;
pcre_rc = pcre_exec(decode_pcre, decode_pcre_study, str, strlen(str), 0, 0,
ov, max);
if (pcre_rc < 3) {
goto error;
}
if (pcre_rc >= 3) {
if (pcre_get_substring((char *)str, ov, max, 2, &bytes_str) > 0) {
if (ByteExtractStringUint32(bytes, 10, 0, bytes_str) <= 0) {
SCLogError(SC_ERR_INVALID_RULE_ARGUMENT,
"Bad value for bytes: \"%s\"", bytes_str);
goto error;
}
}
}
if (pcre_rc >= 5) {
if (pcre_get_substring((char *)str, ov, max, 4, &offset_str)) {
if (ByteExtractStringUint32(offset, 10, 0, offset_str) <= 0) {
SCLogError(SC_ERR_INVALID_RULE_ARGUMENT,
"Bad value for offset: \"%s\"", offset_str);
goto error;
}
}
}
if (pcre_rc >= 6) {
if (pcre_get_substring((char *)str, ov, max, 5, &relative_str)) {
if (strcmp(relative_str, "relative") == 0) {
*relative = 1;
}
else {
SCLogError(SC_ERR_INVALID_RULE_ARGUMENT,
"Invalid argument: \"%s\"", relative_str);
goto error;
}
}
}
retval = 1;
error:
if (bytes_str != NULL) {
pcre_free_substring(bytes_str);
}
if (offset_str != NULL) {
pcre_free_substring(offset_str);
}
if (relative_str != NULL) {
pcre_free_substring(relative_str);
}
return retval;
}
/** \brief open a generic output "log file", which may be a regular file or a socket
* \param conf ConfNode structure for the output section in question
* \param log_ctx Log file context allocated by caller
* \param default_filename Default name of file to open, if not specified in ConfNode
* \param rotate Register the file for rotation in HUP.
* \retval 0 on success
* \retval -1 on error
*/
int
SCConfLogOpenGeneric(ConfNode *conf,
LogFileCtx *log_ctx,
const char *default_filename,
int rotate)
{
char log_path[PATH_MAX];
const char *log_dir;
const char *filename, *filetype;
// Arg check
if (conf == NULL || log_ctx == NULL || default_filename == NULL) {
SCLogError(SC_ERR_INVALID_ARGUMENT,
"SCConfLogOpenGeneric(conf %p, ctx %p, default %p) "
"missing an argument",
conf, log_ctx, default_filename);
return -1;
}
if (log_ctx->fp != NULL) {
SCLogError(SC_ERR_INVALID_ARGUMENT,
"SCConfLogOpenGeneric: previously initialized Log CTX "
"encountered");
return -1;
}
// Resolve the given config
filename = ConfNodeLookupChildValue(conf, "filename");
if (filename == NULL)
filename = default_filename;
log_dir = ConfigGetLogDirectory();
if (PathIsAbsolute(filename)) {
snprintf(log_path, PATH_MAX, "%s", filename);
} else {
snprintf(log_path, PATH_MAX, "%s/%s", log_dir, filename);
}
/* Rotate log file based on time */
const char *rotate_int = ConfNodeLookupChildValue(conf, "rotate-interval");
if (rotate_int != NULL) {
time_t now = time(NULL);
log_ctx->flags |= LOGFILE_ROTATE_INTERVAL;
/* Use a specific time */
if (strcmp(rotate_int, "minute") == 0) {
log_ctx->rotate_time = now + SCGetSecondsUntil(rotate_int, now);
log_ctx->rotate_interval = 60;
} else if (strcmp(rotate_int, "hour") == 0) {
log_ctx->rotate_time = now + SCGetSecondsUntil(rotate_int, now);
log_ctx->rotate_interval = 3600;
} else if (strcmp(rotate_int, "day") == 0) {
log_ctx->rotate_time = now + SCGetSecondsUntil(rotate_int, now);
log_ctx->rotate_interval = 86400;
}
/* Use a timer */
else {
log_ctx->rotate_interval = SCParseTimeSizeString(rotate_int);
if (log_ctx->rotate_interval == 0) {
SCLogError(SC_ERR_INVALID_NUMERIC_VALUE,
"invalid rotate-interval value");
exit(EXIT_FAILURE);
}
log_ctx->rotate_time = now + log_ctx->rotate_interval;
}
}
filetype = ConfNodeLookupChildValue(conf, "filetype");
if (filetype == NULL)
filetype = DEFAULT_LOG_FILETYPE;
const char *filemode = ConfNodeLookupChildValue(conf, "filemode");
uint32_t mode = 0;
if (filemode != NULL &&
ByteExtractStringUint32(&mode, 8, strlen(filemode),
filemode) > 0) {
log_ctx->filemode = mode;
}
const char *append = ConfNodeLookupChildValue(conf, "append");
if (append == NULL)
append = DEFAULT_LOG_MODE_APPEND;
/* JSON flags */
#ifdef HAVE_LIBJANSSON
log_ctx->json_flags = JSON_PRESERVE_ORDER|JSON_COMPACT|
JSON_ENSURE_ASCII|JSON_ESCAPE_SLASH;
ConfNode *json_flags = ConfNodeLookupChild(conf, "json");
if (json_flags != 0) {
const char *preserve_order = ConfNodeLookupChildValue(json_flags,
"preserve-order");
if (preserve_order != NULL && ConfValIsFalse(preserve_order))
log_ctx->json_flags &= ~(JSON_PRESERVE_ORDER);
const char *compact = ConfNodeLookupChildValue(json_flags, "compact");
if (compact != NULL && ConfValIsFalse(compact))
log_ctx->json_flags &= ~(JSON_COMPACT);
const char *ensure_ascii = ConfNodeLookupChildValue(json_flags,
"ensure-ascii");
if (ensure_ascii != NULL && ConfValIsFalse(ensure_ascii))
log_ctx->json_flags &= ~(JSON_ENSURE_ASCII);
const char *escape_slash = ConfNodeLookupChildValue(json_flags,
"escape-slash");
if (escape_slash != NULL && ConfValIsFalse(escape_slash))
log_ctx->json_flags &= ~(JSON_ESCAPE_SLASH);
}
#endif /* HAVE_LIBJANSSON */
// Now, what have we been asked to open?
if (strcasecmp(filetype, "unix_stream") == 0) {
#ifdef BUILD_WITH_UNIXSOCKET
/* Don't bail. May be able to connect later. */
log_ctx->is_sock = 1;
log_ctx->sock_type = SOCK_STREAM;
log_ctx->fp = SCLogOpenUnixSocketFp(log_path, SOCK_STREAM, 1);
#else
return -1;
#endif
} else if (strcasecmp(filetype, "unix_dgram") == 0) {
#ifdef BUILD_WITH_UNIXSOCKET
/* Don't bail. May be able to connect later. */
log_ctx->is_sock = 1;
log_ctx->sock_type = SOCK_DGRAM;
log_ctx->fp = SCLogOpenUnixSocketFp(log_path, SOCK_DGRAM, 1);
#else
return -1;
#endif
} else if (strcasecmp(filetype, DEFAULT_LOG_FILETYPE) == 0 ||
strcasecmp(filetype, "file") == 0) {
log_ctx->fp = SCLogOpenFileFp(log_path, append, log_ctx->filemode);
if (log_ctx->fp == NULL)
return -1; // Error already logged by Open...Fp routine
log_ctx->is_regular = 1;
if (rotate) {
OutputRegisterFileRotationFlag(&log_ctx->rotation_flag);
}
} else if (strcasecmp(filetype, "pcie") == 0) {
log_ctx->pcie_fp = SCLogOpenPcieFp(log_ctx, log_path, append);
if (log_ctx->pcie_fp == NULL)
return -1; // Error already logged by Open...Fp routine
#ifdef HAVE_LIBHIREDIS
} else if (strcasecmp(filetype, "redis") == 0) {
ConfNode *redis_node = ConfNodeLookupChild(conf, "redis");
if (SCConfLogOpenRedis(redis_node, log_ctx) < 0) {
SCLogError(SC_ERR_REDIS, "failed to open redis output");
return -1;
}
log_ctx->type = LOGFILE_TYPE_REDIS;
#endif
} else {
SCLogError(SC_ERR_INVALID_YAML_CONF_ENTRY, "Invalid entry for "
"%s.filetype. Expected \"regular\" (default), \"unix_stream\", "
"\"pcie\" "
"or \"unix_dgram\"",
conf->name);
}
log_ctx->filename = SCStrdup(log_path);
if (unlikely(log_ctx->filename == NULL)) {
SCLogError(SC_ERR_MEM_ALLOC,
"Failed to allocate memory for filename");
return -1;
}
#ifdef BUILD_WITH_UNIXSOCKET
/* If a socket and running live, do non-blocking writes. */
if (log_ctx->is_sock && run_mode_offline == 0) {
SCLogInfo("Setting logging socket of non-blocking in live mode.");
log_ctx->send_flags |= MSG_DONTWAIT;
}
#endif
SCLogInfo("%s output device (%s) initialized: %s", conf->name, filetype,
filename);
return 0;
}
static DetectBytetestData *DetectBytetestParse(const char *optstr, char **value, char **offset)
{
DetectBytetestData *data = NULL;
char *args[9] = {
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
NULL
};
#define MAX_SUBSTRINGS 30
int ret = 0, res = 0;
int ov[MAX_SUBSTRINGS];
int i;
uint32_t nbytes;
const char *str_ptr = NULL;
/* Execute the regex and populate args with captures. */
ret = pcre_exec(parse_regex, parse_regex_study, optstr,
strlen(optstr), 0, 0, ov, MAX_SUBSTRINGS);
if (ret < 6 || ret > 10) {
SCLogError(SC_ERR_PCRE_PARSE, "parse error, ret %" PRId32
", string %s", ret, optstr);
goto error;
}
for (i = 0; i < (ret - 1); i++) {
res = pcre_get_substring((char *)optstr, ov, MAX_SUBSTRINGS,
i + 1, &str_ptr);
if (res < 0) {
SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed "
"for arg %d", i + 1);
goto error;
}
args[i] = (char *)str_ptr;
}
/* Initialize the data */
data = SCMalloc(sizeof(DetectBytetestData));
if (unlikely(data == NULL))
goto error;
data->base = DETECT_BYTETEST_BASE_UNSET;
data->flags = 0;
/*
* The first four options are required and positional. The
* remaining arguments are flags and are not positional.
*/
/* Number of bytes */
if (ByteExtractStringUint32(&nbytes, 10, 0, args[0]) <= 0) {
SCLogError(SC_ERR_INVALID_VALUE, "Malformed number of bytes: %s", str_ptr);
goto error;
}
/* Operator is next two args: neg + op */
data->op = 0;
if (args[1] != NULL && *args[1] == '!') {
data->flags |= DETECT_BYTETEST_NEGOP;
}
if (args[2] != NULL) {
if ((strcmp("=", args[2]) == 0) || ((data->flags & DETECT_BYTETEST_NEGOP)
&& strcmp("", args[2]) == 0)) {
data->op |= DETECT_BYTETEST_OP_EQ;
} else if (strcmp("<", args[2]) == 0) {
data->op |= DETECT_BYTETEST_OP_LT;
} else if (strcmp(">", args[2]) == 0) {
data->op |= DETECT_BYTETEST_OP_GT;
} else if (strcmp("&", args[2]) == 0) {
data->op |= DETECT_BYTETEST_OP_AND;
} else if (strcmp("^", args[2]) == 0) {
data->op |= DETECT_BYTETEST_OP_OR;
} else if (strcmp(">=", args[2]) == 0) {
data->op |= DETECT_BYTETEST_OP_GE;
} else if (strcmp("<=", args[2]) == 0) {
data->op |= DETECT_BYTETEST_OP_LE;
} else {
SCLogError(SC_ERR_INVALID_OPERATOR, "Invalid operator");
goto error;
}
}
/* Value */
if (args[3][0] != '-' && isalpha((unsigned char)args[3][0])) {
if (value == NULL) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "byte_test supplied with "
"var name for value. \"value\" argument supplied to "
"this function has to be non-NULL");
goto error;
}
*value = SCStrdup(args[3]);
if (*value == NULL)
goto error;
} else {
if (ByteExtractStringUint64(&data->value, 0, 0, args[3]) <= 0) {
SCLogError(SC_ERR_INVALID_VALUE, "Malformed value: %s", str_ptr);
goto error;
}
}
/* Offset */
if (args[4][0] != '-' && isalpha((unsigned char)args[4][0])) {
if (offset == NULL) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "byte_test supplied with "
"var name for offset. \"offset\" argument supplied to "
"this function has to be non-NULL");
goto error;
}
*offset = SCStrdup(args[4]);
if (*offset == NULL)
goto error;
} else {
if (ByteExtractStringInt32(&data->offset, 0, 0, args[4]) <= 0) {
SCLogError(SC_ERR_INVALID_VALUE, " Malformed offset: %s", str_ptr);
goto error;
}
}
/* The remaining options are flags. */
/** \todo Error on dups? */
for (i = 5; i < (ret - 1); i++) {
if (args[i] != NULL) {
if (strcmp("relative", args[i]) == 0) {
data->flags |= DETECT_BYTETEST_RELATIVE;
} else if (strcasecmp("string", args[i]) == 0) {
data->flags |= DETECT_BYTETEST_STRING;
} else if (strcasecmp("dec", args[i]) == 0) {
data->base |= DETECT_BYTETEST_BASE_DEC;
} else if (strcasecmp("hex", args[i]) == 0) {
data->base |= DETECT_BYTETEST_BASE_HEX;
} else if (strcasecmp("oct", args[i]) == 0) {
data->base |= DETECT_BYTETEST_BASE_OCT;
} else if (strcasecmp("big", args[i]) == 0) {
if (data->flags & DETECT_BYTETEST_LITTLE) {
data->flags ^= DETECT_BYTETEST_LITTLE;
}
data->flags |= DETECT_BYTETEST_BIG;
} else if (strcasecmp("little", args[i]) == 0) {
data->flags |= DETECT_BYTETEST_LITTLE;
} else if (strcasecmp("dce", args[i]) == 0) {
data->flags |= DETECT_BYTETEST_DCE;
} else {
SCLogError(SC_ERR_UNKNOWN_VALUE, "Unknown value: \"%s\"",
args[i]);
goto error;
}
}
}
if (data->flags & DETECT_BYTETEST_STRING) {
/* 23 - This is the largest string (octal, with a zero prefix) that
* will not overflow uint64_t. The only way this length
* could be over 23 and still not overflow is if it were zero
* prefixed and we only support 1 byte of zero prefix for octal.
*
* "01777777777777777777777" = 0xffffffffffffffff
*/
if (nbytes > 23) {
SCLogError(SC_ERR_INVALID_VALUE, "Cannot test more than 23 bytes with \"string\": %s",
optstr);
goto error;
}
} else {
if (nbytes > 8) {
SCLogError(SC_ERR_INVALID_VALUE, "Cannot test more than 8 bytes without \"string\": %s",
optstr);
goto error;
}
if (data->base != DETECT_BYTETEST_BASE_UNSET) {
SCLogError(SC_ERR_INVALID_VALUE, "Cannot use a base without \"string\": %s", optstr);
goto error;
}
}
/* This is max 23 so it will fit in a byte (see above) */
data->nbytes = (uint8_t)nbytes;
for (i = 0; i < (ret - 1); i++){
if (args[i] != NULL) SCFree(args[i]);
}
return data;
error:
for (i = 0; i < (ret - 1); i++){
if (args[i] != NULL) SCFree(args[i]);
}
if (data != NULL) DetectBytetestFree(data);
return NULL;
}
/**
* \internal
* \brief This function is used to parse detection_filter options passed via detection_filter: keyword
*
* \param rawstr Pointer to the user provided detection_filter options
*
* \retval df pointer to DetectThresholdData on success
* \retval NULL on failure
*/
DetectThresholdData *DetectDetectionFilterParse (char *rawstr)
{
DetectThresholdData *df = NULL;
#define MAX_SUBSTRINGS 30
int ret = 0, res = 0;
int ov[MAX_SUBSTRINGS];
const char *str_ptr = NULL;
char *args[6] = { NULL, NULL, NULL, NULL, NULL, NULL};
char *copy_str = NULL, *df_opt = NULL;
int seconds_found = 0, count_found = 0, track_found = 0;
int seconds_pos = 0, count_pos = 0;
uint16_t pos = 0;
int i = 0;
copy_str = SCStrdup(rawstr);
if (unlikely(copy_str == NULL)) {
goto error;
}
for(pos = 0, df_opt = strtok(copy_str,","); pos < strlen(copy_str) && df_opt != NULL; pos++, df_opt = strtok(NULL,",")) {
if(strstr(df_opt,"count"))
count_found++;
if(strstr(df_opt,"second"))
seconds_found++;
if(strstr(df_opt,"track"))
track_found++;
}
SCFree(copy_str);
copy_str = NULL;
if (count_found != 1 || seconds_found != 1 || track_found != 1)
goto error;
ret = pcre_exec(parse_regex, parse_regex_study, rawstr, strlen(rawstr), 0, 0, ov, MAX_SUBSTRINGS);
if (ret < 5) {
SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret %" PRId32 ", string %s", ret, rawstr);
goto error;
}
df = SCMalloc(sizeof(DetectThresholdData));
if (unlikely(df == NULL))
goto error;
memset(df,0,sizeof(DetectThresholdData));
df->type = TYPE_DETECTION;
for (i = 0; i < (ret - 1); i++) {
res = pcre_get_substring((char *)rawstr, ov, MAX_SUBSTRINGS, i + 1, &str_ptr);
if (res < 0) {
SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
goto error;
}
args[i] = (char *)str_ptr;
if (strncasecmp(args[i],"by_dst",strlen("by_dst")) == 0)
df->track = TRACK_DST;
if (strncasecmp(args[i],"by_src",strlen("by_src")) == 0)
df->track = TRACK_SRC;
if (strncasecmp(args[i],"count",strlen("count")) == 0)
count_pos = i+1;
if (strncasecmp(args[i],"seconds",strlen("seconds")) == 0)
seconds_pos = i+1;
}
if (args[count_pos] == NULL || args[seconds_pos] == NULL) {
goto error;
}
if (ByteExtractStringUint32(&df->count, 10, strlen(args[count_pos]),
args[count_pos]) <= 0) {
goto error;
}
if (ByteExtractStringUint32(&df->seconds, 10, strlen(args[seconds_pos]),
args[seconds_pos]) <= 0) {
goto error;
}
if (df->count == 0 || df->seconds == 0) {
SCLogError(SC_ERR_INVALID_VALUE, "found an invalid value");
goto error;
}
for (i = 0; i < 6; i++){
if (args[i] != NULL)
SCFree(args[i]);
}
return df;
error:
for (i = 0; i < 6; i++){
if (args[i] != NULL)
SCFree(args[i]);
}
if (df != NULL)
SCFree(df);
return NULL;
}
/** \brief Create a new LogFileCtx from the provided ConfNode.
* \param conf The configuration node for this output.
* \return NULL if failure, LogFileCtx* to the file_ctx if succesful
* */
OutputCtx *Unified2AlertInitCtx(ConfNode *conf)
{
int ret = 0;
LogFileCtx* file_ctx = NULL;
file_ctx = LogFileNewCtx();
if (file_ctx == NULL) {
SCLogError(SC_ERR_UNIFIED2_ALERT_GENERIC, "Couldn't create new file_ctx");
goto error;
}
const char *filename = NULL;
if (conf != NULL) { /* To faciliate unit tests. */
filename = ConfNodeLookupChildValue(conf, "filename");
}
if (filename == NULL)
filename = DEFAULT_LOG_FILENAME;
file_ctx->prefix = SCStrdup(filename);
const char *s_limit = NULL;
file_ctx->size_limit = DEFAULT_LIMIT;
if (conf != NULL) {
s_limit = ConfNodeLookupChildValue(conf, "limit");
if (s_limit != NULL) {
if (ParseSizeStringU64(s_limit, &file_ctx->size_limit) < 0) {
SCLogError(SC_ERR_INVALID_ARGUMENT,
"Failed to initialize unified2 output, invalid limit: %s",
s_limit);
exit(EXIT_FAILURE);
}
if (file_ctx->size_limit < 4096) {
SCLogInfo("unified2-alert \"limit\" value of %"PRIu64" assumed to be pre-1.2 "
"style: setting limit to %"PRIu64"mb", file_ctx->size_limit, file_ctx->size_limit);
uint64_t size = file_ctx->size_limit * 1024 * 1024;
file_ctx->size_limit = size;
} else if (file_ctx->size_limit < MIN_LIMIT) {
SCLogError(SC_ERR_INVALID_ARGUMENT,
"Failed to initialize unified2 output, limit less than "
"allowed minimum: %d.", MIN_LIMIT);
exit(EXIT_FAILURE);
}
}
}
if (conf != NULL) {
const char *sensor_id_s = NULL;
sensor_id_s = ConfNodeLookupChildValue(conf, "sensor-id");
if (sensor_id_s != NULL) {
if (ByteExtractStringUint32(&sensor_id, 10, 0, sensor_id_s) == -1) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "Failed to initialize unified2 output, invalid sensor-id: %s", sensor_id_s);
exit(EXIT_FAILURE);
}
}
}
ret = Unified2AlertOpenFileCtx(file_ctx, filename);
if (ret < 0)
goto error;
OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
if (unlikely(output_ctx == NULL))
goto error;
output_ctx->data = file_ctx;
output_ctx->DeInit = Unified2AlertDeInitCtx;
SCLogInfo("Unified2-alert initialized: filename %s, limit %"PRIu64" MB",
filename, file_ctx->size_limit / (1024*1024));
SC_ATOMIC_INIT(unified2_event_id);
return output_ctx;
error:
if (file_ctx != NULL) {
LogFileFreeCtx(file_ctx);
}
return NULL;
}
/** \brief initialize the configuration
* \warning Not thread safe */
void IPPairInitConfig(char quiet)
{
SCLogDebug("initializing ippair engine...");
if (IPPairStorageSize() > 0)
g_ippair_size = sizeof(IPPair) + IPPairStorageSize();
memset(&ippair_config, 0, sizeof(ippair_config));
//SC_ATOMIC_INIT(flow_flags);
SC_ATOMIC_INIT(ippair_counter);
SC_ATOMIC_INIT(ippair_memuse);
SC_ATOMIC_INIT(ippair_prune_idx);
SC_ATOMIC_INIT(ippair_config.memcap);
IPPairQueueInit(&ippair_spare_q);
/* set defaults */
ippair_config.hash_rand = (uint32_t)RandomGet();
ippair_config.hash_size = IPPAIR_DEFAULT_HASHSIZE;
ippair_config.prealloc = IPPAIR_DEFAULT_PREALLOC;
SC_ATOMIC_SET(ippair_config.memcap, IPPAIR_DEFAULT_MEMCAP);
/* Check if we have memcap and hash_size defined at config */
const char *conf_val;
uint32_t configval = 0;
/** set config values for memcap, prealloc and hash_size */
uint64_t ippair_memcap;
if ((ConfGet("ippair.memcap", &conf_val)) == 1)
{
if (ParseSizeStringU64(conf_val, &ippair_memcap) < 0) {
SCLogError(SC_ERR_SIZE_PARSE, "Error parsing ippair.memcap "
"from conf file - %s. Killing engine",
conf_val);
exit(EXIT_FAILURE);
} else {
SC_ATOMIC_SET(ippair_config.memcap, ippair_memcap);
}
}
if ((ConfGet("ippair.hash-size", &conf_val)) == 1)
{
if (ByteExtractStringUint32(&configval, 10, strlen(conf_val),
conf_val) > 0) {
ippair_config.hash_size = configval;
}
}
if ((ConfGet("ippair.prealloc", &conf_val)) == 1)
{
if (ByteExtractStringUint32(&configval, 10, strlen(conf_val),
conf_val) > 0) {
ippair_config.prealloc = configval;
} else {
WarnInvalidConfEntry("ippair.prealloc", "%"PRIu32, ippair_config.prealloc);
}
}
SCLogDebug("IPPair config from suricata.yaml: memcap: %"PRIu64", hash-size: "
"%"PRIu32", prealloc: %"PRIu32, SC_ATOMIC_GET(ippair_config.memcap),
ippair_config.hash_size, ippair_config.prealloc);
/* alloc hash memory */
uint64_t hash_size = ippair_config.hash_size * sizeof(IPPairHashRow);
if (!(IPPAIR_CHECK_MEMCAP(hash_size))) {
SCLogError(SC_ERR_IPPAIR_INIT, "allocating ippair hash failed: "
"max ippair memcap is smaller than projected hash size. "
"Memcap: %"PRIu64", Hash table size %"PRIu64". Calculate "
"total hash size by multiplying \"ippair.hash-size\" with %"PRIuMAX", "
"which is the hash bucket size.", SC_ATOMIC_GET(ippair_config.memcap), hash_size,
(uintmax_t)sizeof(IPPairHashRow));
exit(EXIT_FAILURE);
}
ippair_hash = SCMallocAligned(ippair_config.hash_size * sizeof(IPPairHashRow), CLS);
if (unlikely(ippair_hash == NULL)) {
SCLogError(SC_ERR_FATAL, "Fatal error encountered in IPPairInitConfig. Exiting...");
exit(EXIT_FAILURE);
}
memset(ippair_hash, 0, ippair_config.hash_size * sizeof(IPPairHashRow));
uint32_t i = 0;
for (i = 0; i < ippair_config.hash_size; i++) {
HRLOCK_INIT(&ippair_hash[i]);
}
(void) SC_ATOMIC_ADD(ippair_memuse, (ippair_config.hash_size * sizeof(IPPairHashRow)));
if (quiet == FALSE) {
SCLogConfig("allocated %"PRIu64" bytes of memory for the ippair hash... "
"%" PRIu32 " buckets of size %" PRIuMAX "",
SC_ATOMIC_GET(ippair_memuse), ippair_config.hash_size,
(uintmax_t)sizeof(IPPairHashRow));
}
/* pre allocate ippairs */
for (i = 0; i < ippair_config.prealloc; i++) {
if (!(IPPAIR_CHECK_MEMCAP(g_ippair_size))) {
SCLogError(SC_ERR_IPPAIR_INIT, "preallocating ippairs failed: "
"max ippair memcap reached. Memcap %"PRIu64", "
"Memuse %"PRIu64".", SC_ATOMIC_GET(ippair_config.memcap),
((uint64_t)SC_ATOMIC_GET(ippair_memuse) + g_ippair_size));
exit(EXIT_FAILURE);
}
IPPair *h = IPPairAlloc();
if (h == NULL) {
SCLogError(SC_ERR_IPPAIR_INIT, "preallocating ippair failed: %s", strerror(errno));
exit(EXIT_FAILURE);
}
IPPairEnqueue(&ippair_spare_q,h);
}
if (quiet == FALSE) {
SCLogConfig("preallocated %" PRIu32 " ippairs of size %" PRIu16 "",
ippair_spare_q.len, g_ippair_size);
SCLogConfig("ippair memory usage: %"PRIu64" bytes, maximum: %"PRIu64,
SC_ATOMIC_GET(ippair_memuse), SC_ATOMIC_GET(ippair_config.memcap));
}
return;
}
