/**
* \brief Log the dropped packets when engine is running in inline mode
*
* \param tv Pointer the current thread variables
* \param p Pointer the packet which is being logged
* \param data Pointer to the droplog struct
* \param pq Pointer the packet queue
* \param postpq Pointer the packet queue where this packet will be sent
*
* \return return TM_EODE_OK on success
*/
TmEcode LogDropLog (ThreadVars *tv, Packet *p, void *data, PacketQueue *pq,
PacketQueue *postpq)
{
/* Check if we are in inline mode or not, if not then no need to log */
extern uint8_t engine_mode;
if (!IS_ENGINE_MODE_IPS(engine_mode)) {
SCLogDebug("engine is not running in inline mode, so returning");
return TM_ECODE_OK;
}
if ((p->flow != NULL) && (p->flow->flags & FLOW_ACTION_DROP)) {
if (PKT_IS_TOSERVER(p) && !(p->flow->flags & FLOW_TOSERVER_DROP_LOGGED)) {
p->flow->flags |= FLOW_TOSERVER_DROP_LOGGED;
return LogDropLogNetFilter(tv, p, data, pq, NULL);
} else if (PKT_IS_TOCLIENT(p) && !(p->flow->flags & FLOW_TOCLIENT_DROP_LOGGED)) {
p->flow->flags |= FLOW_TOCLIENT_DROP_LOGGED;
return LogDropLogNetFilter(tv, p, data, pq, NULL);
}
} else {
return LogDropLogNetFilter(tv, p, data, pq, postpq);
}
return TM_ECODE_OK;
}
/**
* \brief Check if we need to drop-log this packet
*
* \param tv Pointer the current thread variables
* \param p Pointer the packet which is tested
*
* \retval bool TRUE or FALSE
*/
static int JsonDropLogCondition(ThreadVars *tv, const Packet *p) {
extern uint8_t engine_mode;
if (!IS_ENGINE_MODE_IPS(engine_mode)) {
SCLogDebug("engine is not running in inline mode, so returning");
return FALSE;
}
if (PKT_IS_PSEUDOPKT(p)) {
SCLogDebug("drop log doesn't log pseudo packets");
return FALSE;
}
if (p->flow != NULL) {
int ret = FALSE;
FLOWLOCK_RDLOCK(p->flow);
if (p->flow->flags & FLOW_ACTION_DROP) {
if (PKT_IS_TOSERVER(p) && !(p->flow->flags & FLOW_TOSERVER_DROP_LOGGED))
ret = TRUE;
else if (PKT_IS_TOCLIENT(p) && !(p->flow->flags & FLOW_TOCLIENT_DROP_LOGGED))
ret = TRUE;
}
FLOWLOCK_UNLOCK(p->flow);
return ret;
} else if (PACKET_TEST_ACTION(p, ACTION_DROP)) {
return TRUE;
}
return FALSE;
}
/**
* \brief Function which is called to print the decode alerts to the syslog
*
* \param tv Pointer to the threadvars
* \param p Pointer to the packet
* \param data pointer to the AlertSyslogThread
* \param pq pointer the to packet queue
* \param postpq pointer to the post processed packet queue
*
* \return On succes return TM_ECODE_OK
*/
static TmEcode AlertSyslogDecoderEvent(ThreadVars *tv, const Packet *p, void *data)
{
AlertSyslogThread *ast = (AlertSyslogThread *)data;
int i;
char *action = "";
if (p->alerts.cnt == 0)
return TM_ECODE_OK;
SCMutexLock(&ast->file_ctx->fp_mutex);
ast->file_ctx->alerts += p->alerts.cnt;
char temp_buf_hdr[512];
char temp_buf_pkt[65] = "";
char temp_buf_tail[32];
char alert[2048] = "";
for (i = 0; i < p->alerts.cnt; i++) {
const PacketAlert *pa = &p->alerts.alerts[i];
if (unlikely(pa->s == NULL)) {
continue;
}
if ((pa->action & ACTION_DROP) && IS_ENGINE_MODE_IPS(engine_mode)) {
action = "[Drop] ";
} else if (pa->action & ACTION_DROP) {
action = "[wDrop] ";
}
snprintf(temp_buf_hdr, sizeof(temp_buf_hdr), "%s[%" PRIu32 ":%" PRIu32
":%" PRIu32 "] %s [Classification: %s] [Priority: %" PRIu32
"] [**] [Raw pkt: ", action, pa->s->gid, pa->s->id, pa->s->rev, pa->s->msg,
pa->s->class_msg, pa->s->prio);
strlcpy(alert, temp_buf_hdr, sizeof(alert));
PrintRawLineHexBuf(temp_buf_pkt, sizeof(temp_buf_pkt), GET_PKT_DATA(p), GET_PKT_LEN(p) < 32 ? GET_PKT_LEN(p) : 32);
strlcat(alert, temp_buf_pkt, sizeof(alert));
if (p->pcap_cnt != 0) {
snprintf(temp_buf_tail, sizeof(temp_buf_tail), "] [pcap file packet: %"PRIu64"]",
p->pcap_cnt);
} else {
temp_buf_tail[0] = ']';
temp_buf_tail[1] = '\0';
}
strlcat(alert, temp_buf_tail, sizeof(alert));
syslog(alert_syslog_level, "%s", alert);
}
SCMutexUnlock(&ast->file_ctx->fp_mutex);
return TM_ECODE_OK;
}
TmEcode AlertFastLogIPv6(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq)
{
AlertFastLogThread *aft = (AlertFastLogThread *)data;
int i;
char timebuf[64];
char *action = "";
extern uint8_t engine_mode;
if (p->alerts.cnt == 0)
return TM_ECODE_OK;
CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
char srcip[46], dstip[46];
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
for (i = 0; i < p->alerts.cnt; i++) {
PacketAlert *pa = &p->alerts.alerts[i];
if (unlikely(pa->s == NULL)) {
continue;
}
if ((pa->action & ACTION_DROP) && IS_ENGINE_MODE_IPS(engine_mode)) {
action = "[Drop] ";
} else if (pa->action & ACTION_DROP) {
action = "[wDrop] ";
}
char proto[16] = "";
if (SCProtoNameValid(IP_GET_IPPROTO(p)) == TRUE) {
strlcpy(proto, known_proto[IP_GET_IPPROTO(p)], sizeof(proto));
} else {
snprintf(proto, sizeof(proto), "PROTO:%03" PRIu32, IP_GET_IPPROTO(p));
}
SCMutexLock(&aft->file_ctx->fp_mutex);
fprintf(aft->file_ctx->fp, "%s %s[**] [%" PRIu32 ":%" PRIu32 ":%"
PRIu32 "] %s [**] [Classification: %s] [Priority: %"
PRIu32 "] {%s} %s:%" PRIu32 " -> %s:%" PRIu32 "\n", timebuf,
action, pa->s->gid, pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg,
pa->s->prio, proto, srcip, p->sp,
dstip, p->dp);
fflush(aft->file_ctx->fp);
aft->file_ctx->alerts++;
SCMutexUnlock(&aft->file_ctx->fp_mutex);
}
return TM_ECODE_OK;
}
/**
* \brief Function which is called to print the IPv6 alerts to the syslog
*
* \param tv Pointer to the threadvars
* \param p Pointer to the packet
* \param data pointer to the AlertSyslogThread
*
* \return On succes return TM_ECODE_OK
*/
static TmEcode AlertSyslogIPv6(ThreadVars *tv, const Packet *p, void *data)
{
AlertSyslogThread *ast = (AlertSyslogThread *)data;
int i;
char *action = "";
if (p->alerts.cnt == 0)
return TM_ECODE_OK;
SCMutexLock(&ast->file_ctx->fp_mutex);
ast->file_ctx->alerts += p->alerts.cnt;
for (i = 0; i < p->alerts.cnt; i++) {
const PacketAlert *pa = &p->alerts.alerts[i];
if (unlikely(pa->s == NULL)) {
continue;
}
char srcip[46], dstip[46];
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
if ((pa->action & ACTION_DROP) && IS_ENGINE_MODE_IPS(engine_mode)) {
action = "[Drop] ";
} else if (pa->action & ACTION_DROP) {
action = "[wDrop] ";
}
if (SCProtoNameValid(IPV6_GET_L4PROTO(p)) == TRUE) {
syslog(alert_syslog_level, "%s[%" PRIu32 ":%" PRIu32 ":%"
"" PRIu32 "] %s [Classification: %s] [Priority: %"
"" PRIu32 "] {%s} %s:%" PRIu32 " -> %s:%" PRIu32 "",
action, pa->s->gid, pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg,
pa->s->prio, known_proto[IPV6_GET_L4PROTO(p)], srcip, p->sp,
dstip, p->dp);
} else {
syslog(alert_syslog_level, "%s[%" PRIu32 ":%" PRIu32 ":%"
"" PRIu32 "] %s [Classification: %s] [Priority: %"
"" PRIu32 "] {PROTO:%03" PRIu32 "} %s:%" PRIu32 " -> %s:%" PRIu32 "",
action, pa->s->gid, pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg,
pa->s->prio, IPV6_GET_L4PROTO(p), srcip, p->sp, dstip, p->dp);
}
}
SCMutexUnlock(&ast->file_ctx->fp_mutex);
return TM_ECODE_OK;
}
TmEcode AlertFastLogDecoderEvent(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq)
{
AlertFastLogThread *aft = (AlertFastLogThread *)data;
int i;
char timebuf[64];
char *action = "";
extern uint8_t engine_mode;
if (p->alerts.cnt == 0)
return TM_ECODE_OK;
CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
for (i = 0; i < p->alerts.cnt; i++) {
PacketAlert *pa = &p->alerts.alerts[i];
if (unlikely(pa->s == NULL)) {
continue;
}
if ((pa->action & ACTION_DROP) && IS_ENGINE_MODE_IPS(engine_mode)) {
action = "[Drop] ";
} else if (pa->action & ACTION_DROP) {
action = "[wDrop] ";
}
SCMutexLock(&aft->file_ctx->fp_mutex);
fprintf(aft->file_ctx->fp, "%s %s[**] [%" PRIu32 ":%" PRIu32
":%" PRIu32 "] %s [**] [Classification: %s] [Priority: "
"%" PRIu32 "] [**] [Raw pkt: ", timebuf, action, pa->s->gid,
pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg, pa->s->prio);
PrintRawLineHexFp(aft->file_ctx->fp, GET_PKT_DATA(p), GET_PKT_LEN(p) < 32 ? GET_PKT_LEN(p) : 32);
if (p->pcap_cnt != 0) {
fprintf(aft->file_ctx->fp, "] [pcap file packet: %"PRIu64"]\n", p->pcap_cnt);
} else {
fprintf(aft->file_ctx->fp, "]\n");
}
fflush(aft->file_ctx->fp);
aft->file_ctx->alerts++;
SCMutexUnlock(&aft->file_ctx->fp_mutex);
}
return TM_ECODE_OK;
}
