1
/* Copyright (C) 2007-2010 Open Information Security Foundation
3
* You can copy, redistribute or modify this Program under the terms of
4
* the GNU General Public License version 2 as published by the Free
7
* This program is distributed in the hope that it will be useful,
8
* but WITHOUT ANY WARRANTY; without even the implied warranty of
9
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10
* GNU General Public License for more details.
12
* You should have received a copy of the GNU General Public License
13
* version 2 along with this program; if not, write to the Free Software
14
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
21
* \author Gurvinder Singh <gurvindersinghdahiya@gmail.com>
23
* Logs alerts in a line based text format in to syslog.
27
#include "suricata-common.h"
33
#include "tm-threads.h"
34
#include "threadvars.h"
37
#include "detect-parse.h"
38
#include "detect-engine.h"
39
#include "detect-engine-mpm.h"
40
#include "detect-reference.h"
43
#include "alert-syslog.h"
45
#include "util-classification-config.h"
46
#include "util-debug.h"
47
#include "util-print.h"
48
#include "util-proto-name.h"
49
#include "util-syslog.h"
50
#include "util-optimize.h"
52
#define DEFAULT_ALERT_SYSLOG_FACILITY_STR "local0"
53
#define DEFAULT_ALERT_SYSLOG_FACILITY LOG_LOCAL0
54
#define DEFAULT_ALERT_SYSLOG_LEVEL LOG_ERR
55
#define MODULE_NAME "AlertSyslog"
57
extern uint8_t engine_mode;
59
static int alert_syslog_level = DEFAULT_ALERT_SYSLOG_LEVEL;
62
typedef struct AlertSyslogThread_ {
63
/** LogFileCtx has the pointer to the file and a mutex to allow multithreading */
67
TmEcode AlertSyslog (ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *);
68
TmEcode AlertSyslogIPv4(ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *);
69
TmEcode AlertSyslogIPv6(ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *);
70
TmEcode AlertSyslogThreadInit(ThreadVars *, void *, void **);
71
TmEcode AlertSyslogThreadDeinit(ThreadVars *, void *);
72
void AlertSyslogExitPrintStats(ThreadVars *, void *);
73
void AlertSyslogRegisterTests(void);
74
OutputCtx *AlertSyslogInitCtx(ConfNode *);
76
static void AlertSyslogDeInitCtx(OutputCtx *);
79
/** \brief Function to register the AlertSyslog module */
80
void TmModuleAlertSyslogRegister (void) {
82
tmm_modules[TMM_ALERTSYSLOG].name = MODULE_NAME;
83
tmm_modules[TMM_ALERTSYSLOG].ThreadInit = AlertSyslogThreadInit;
84
tmm_modules[TMM_ALERTSYSLOG].Func = AlertSyslog;
85
tmm_modules[TMM_ALERTSYSLOG].ThreadExitPrintStats = AlertSyslogExitPrintStats;
86
tmm_modules[TMM_ALERTSYSLOG].ThreadDeinit = AlertSyslogThreadDeinit;
87
tmm_modules[TMM_ALERTSYSLOG].RegisterTests = NULL;
88
tmm_modules[TMM_ALERTSYSLOG].cap_flags = 0;
90
OutputRegisterModule(MODULE_NAME, "syslog", AlertSyslogInitCtx);
91
#endif /* !OS_WIN32 */
94
/** \brief Function to register the AlertSyslog module for IPv4 */
95
void TmModuleAlertSyslogIPv4Register (void) {
97
tmm_modules[TMM_ALERTSYSLOG4].name = "AlertSyslogIPv4";
98
tmm_modules[TMM_ALERTSYSLOG4].ThreadInit = AlertSyslogThreadInit;
99
tmm_modules[TMM_ALERTSYSLOG4].Func = AlertSyslogIPv4;
100
tmm_modules[TMM_ALERTSYSLOG4].ThreadExitPrintStats = AlertSyslogExitPrintStats;
101
tmm_modules[TMM_ALERTSYSLOG4].ThreadDeinit = AlertSyslogThreadDeinit;
102
tmm_modules[TMM_ALERTSYSLOG4].RegisterTests = NULL;
103
#endif /* !OS_WIN32 */
106
/** \brief Function to register the AlertSyslog module for IPv6 */
107
void TmModuleAlertSyslogIPv6Register (void) {
109
tmm_modules[TMM_ALERTSYSLOG6].name = "AlertSyslogIPv6";
110
tmm_modules[TMM_ALERTSYSLOG6].ThreadInit = AlertSyslogThreadInit;
111
tmm_modules[TMM_ALERTSYSLOG6].Func = AlertSyslogIPv6;
112
tmm_modules[TMM_ALERTSYSLOG6].ThreadExitPrintStats = AlertSyslogExitPrintStats;
113
tmm_modules[TMM_ALERTSYSLOG6].ThreadDeinit = AlertSyslogThreadDeinit;
114
tmm_modules[TMM_ALERTSYSLOG6].RegisterTests = NULL;
115
#endif /* !OS_WIN32 */
120
* \brief Create a new LogFileCtx for "syslog" output style.
122
* \param conf The configuration node for this output.
123
* \return A OutputCtx pointer on success, NULL on failure.
125
OutputCtx *AlertSyslogInitCtx(ConfNode *conf)
127
const char *facility_s = ConfNodeLookupChildValue(conf, "facility");
128
if (facility_s == NULL) {
129
facility_s = DEFAULT_ALERT_SYSLOG_FACILITY_STR;
132
LogFileCtx *logfile_ctx = LogFileNewCtx();
133
if (logfile_ctx == NULL) {
134
SCLogDebug("AlertSyslogInitCtx: Could not create new LogFileCtx");
138
int facility = SCMapEnumNameToValue(facility_s, SCSyslogGetFacilityMap());
139
if (facility == -1) {
140
SCLogWarning(SC_ERR_INVALID_ARGUMENT, "Invalid syslog facility: \"%s\","
141
" now using \"%s\" as syslog facility", facility_s,
142
DEFAULT_ALERT_SYSLOG_FACILITY_STR);
143
facility = DEFAULT_ALERT_SYSLOG_FACILITY;
146
const char *level_s = ConfNodeLookupChildValue(conf, "level");
147
if (level_s != NULL) {
148
int level = SCMapEnumNameToValue(level_s, SCSyslogGetLogLevelMap());
150
alert_syslog_level = level;
154
const char *ident = ConfNodeLookupChildValue(conf, "identity");
155
/* if null we just pass that to openlog, which will then
156
* figure it out by itself. */
158
openlog(ident, LOG_PID|LOG_NDELAY, facility);
160
OutputCtx *output_ctx = SCMalloc(sizeof(OutputCtx));
161
if (output_ctx == NULL) {
162
SCLogDebug("AlertSyslogInitCtx: Could not create new OutputCtx");
165
memset(output_ctx, 0x00, sizeof(OutputCtx));
167
output_ctx->data = logfile_ctx;
168
output_ctx->DeInit = AlertSyslogDeInitCtx;
170
SCLogInfo("Syslog output initialized");
176
* \brief Function to clear the memory of the output context and closes the
179
* \param output_ctx pointer to the output context to be cleared
181
static void AlertSyslogDeInitCtx(OutputCtx *output_ctx)
183
if (output_ctx != NULL) {
184
LogFileCtx *logfile_ctx = (LogFileCtx *)output_ctx->data;
185
if (logfile_ctx != NULL) {
186
LogFileFreeCtx(logfile_ctx);
194
* \brief Function to initialize the AlertSystlogThread and sets the output
197
* \param tv Pointer to the threadvars
198
* \param initdata Pointer to the output context
199
* \param data pointer to pointer to point to the AlertSyslogThread
201
TmEcode AlertSyslogThreadInit(ThreadVars *t, void *initdata, void **data)
203
if(initdata == NULL) {
204
SCLogDebug("Error getting context for AlertSyslog. \"initdata\" "
206
return TM_ECODE_FAILED;
209
AlertSyslogThread *ast = SCMalloc(sizeof(AlertSyslogThread));
211
return TM_ECODE_FAILED;
213
memset(ast, 0, sizeof(AlertSyslogThread));
215
/** Use the Ouptut Context (file pointer and mutex) */
216
ast->file_ctx = ((OutputCtx *)initdata)->data;
223
* \brief Function to deinitialize the AlertSystlogThread
225
* \param tv Pointer to the threadvars
226
* \param data pointer to the AlertSyslogThread to be cleared
228
TmEcode AlertSyslogThreadDeinit(ThreadVars *t, void *data)
230
AlertSyslogThread *ast = (AlertSyslogThread *)data;
236
memset(ast, 0, sizeof(AlertSyslogThread));
243
* \brief Function which is called to print the IPv4 alerts to the syslog
245
* \param tv Pointer to the threadvars
246
* \param p Pointer to the packet
247
* \param data pointer to the AlertSyslogThread
248
* \param pq pointer the to packet queue
249
* \param postpq pointer to the post processed packet queue
251
* \return On succes return TM_ECODE_OK
253
TmEcode AlertSyslogIPv4(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq,
256
AlertSyslogThread *ast = (AlertSyslogThread *)data;
260
if (p->alerts.cnt == 0)
263
SCMutexLock(&ast->file_ctx->fp_mutex);
265
ast->file_ctx->alerts += p->alerts.cnt;
267
for (i = 0; i < p->alerts.cnt; i++) {
268
PacketAlert *pa = &p->alerts.alerts[i];
269
if (unlikely(pa->s == NULL)) {
273
char srcip[16], dstip[16];
275
PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));
276
PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));
278
if (pa->action == ACTION_DROP && IS_ENGINE_MODE_IPS(engine_mode)) {
280
} else if (pa->action == ACTION_DROP) {
284
if (SCProtoNameValid(IPV4_GET_IPPROTO(p)) == TRUE) {
285
syslog(alert_syslog_level, "%s[%" PRIu32 ":%" PRIu32 ":%"
286
PRIu32 "] %s [Classification: %s] [Priority: %"PRIu32"]"
287
" {%s} %s:%" PRIu32 " -> %s:%" PRIu32 "", action, pa->s->gid,
288
pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg, pa->s->prio,
289
known_proto[IPV4_GET_IPPROTO(p)], srcip, p->sp, dstip, p->dp);
291
syslog(alert_syslog_level, "%s[%" PRIu32 ":%" PRIu32 ":%"
292
PRIu32 "] %s [Classification: %s] [Priority: %"PRIu32"]"
293
" {PROTO:%03" PRIu32 "} %s:%" PRIu32 " -> %s:%" PRIu32 "",
294
action, pa->s->gid, pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg,
295
pa->s->prio, IPV4_GET_IPPROTO(p), srcip, p->sp, dstip, p->dp);
298
SCMutexUnlock(&ast->file_ctx->fp_mutex);
304
* \brief Function which is called to print the IPv6 alerts to the syslog
306
* \param tv Pointer to the threadvars
307
* \param p Pointer to the packet
308
* \param data pointer to the AlertSyslogThread
309
* \param pq pointer the to packet queue
310
* \param postpq pointer to the post processed packet queue
312
* \return On succes return TM_ECODE_OK
314
TmEcode AlertSyslogIPv6(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq,
317
AlertSyslogThread *ast = (AlertSyslogThread *)data;
321
if (p->alerts.cnt == 0)
324
SCMutexLock(&ast->file_ctx->fp_mutex);
326
ast->file_ctx->alerts += p->alerts.cnt;
328
for (i = 0; i < p->alerts.cnt; i++) {
329
PacketAlert *pa = &p->alerts.alerts[i];
330
if (unlikely(pa->s == NULL)) {
334
char srcip[46], dstip[46];
336
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
337
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
339
if (pa->action == ACTION_DROP && IS_ENGINE_MODE_IPS(engine_mode)) {
341
} else if (pa->action == ACTION_DROP) {
345
if (SCProtoNameValid(IPV6_GET_L4PROTO(p)) == TRUE) {
346
syslog(alert_syslog_level, "%s[%" PRIu32 ":%" PRIu32 ":%"
347
"" PRIu32 "] %s [Classification: %s] [Priority: %"
348
"" PRIu32 "] {%s} %s:%" PRIu32 " -> %s:%" PRIu32 "",
349
action, pa->s->gid, pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg,
350
pa->s->prio, known_proto[IPV6_GET_L4PROTO(p)], srcip, p->sp,
354
syslog(alert_syslog_level, "%s[%" PRIu32 ":%" PRIu32 ":%"
355
"" PRIu32 "] %s [Classification: %s] [Priority: %"
356
"" PRIu32 "] {PROTO:%03" PRIu32 "} %s:%" PRIu32 " -> %s:%" PRIu32 "",
357
action, pa->s->gid, pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg,
358
pa->s->prio, IPV6_GET_L4PROTO(p), srcip, p->sp, dstip, p->dp);
362
SCMutexUnlock(&ast->file_ctx->fp_mutex);
368
* \brief Function which is called to print the decode alerts to the syslog
370
* \param tv Pointer to the threadvars
371
* \param p Pointer to the packet
372
* \param data pointer to the AlertSyslogThread
373
* \param pq pointer the to packet queue
374
* \param postpq pointer to the post processed packet queue
376
* \return On succes return TM_ECODE_OK
378
TmEcode AlertSyslogDecoderEvent(ThreadVars *tv, Packet *p, void *data,
379
PacketQueue *pq, PacketQueue *postpq)
381
AlertSyslogThread *ast = (AlertSyslogThread *)data;
385
if (p->alerts.cnt == 0)
388
SCMutexLock(&ast->file_ctx->fp_mutex);
390
ast->file_ctx->alerts += p->alerts.cnt;
391
char temp_buf_hdr[512];
392
char temp_buf_pkt[65] = "";
393
char temp_buf_tail[32];
394
char alert[2048] = "";
396
for (i = 0; i < p->alerts.cnt; i++) {
397
PacketAlert *pa = &p->alerts.alerts[i];
398
if (unlikely(pa->s == NULL)) {
402
if (pa->action == ACTION_DROP && IS_ENGINE_MODE_IPS(engine_mode)) {
404
} else if (pa->action == ACTION_DROP) {
408
snprintf(temp_buf_hdr, sizeof(temp_buf_hdr), "%s[%" PRIu32 ":%" PRIu32
409
":%" PRIu32 "] %s [Classification: %s] [Priority: %" PRIu32
410
"] [**] [Raw pkt: ", action, pa->s->gid, pa->s->id, pa->s->rev, pa->s->msg,
411
pa->s->class_msg, pa->s->prio);
412
strlcpy(alert, temp_buf_hdr, sizeof(alert));
414
PrintRawLineHexBuf(temp_buf_pkt, sizeof(temp_buf_pkt), GET_PKT_DATA(p), GET_PKT_LEN(p) < 32 ? GET_PKT_LEN(p) : 32);
415
strlcat(alert, temp_buf_pkt, sizeof(alert));
417
if (p->pcap_cnt != 0) {
418
snprintf(temp_buf_tail, sizeof(temp_buf_tail), "] [pcap file packet: %"PRIu64"]",
421
temp_buf_tail[0] = ']';
422
temp_buf_tail[1] = '\0';
424
strlcat(alert, temp_buf_tail, sizeof(alert));
426
syslog(alert_syslog_level, "%s", alert);
428
SCMutexUnlock(&ast->file_ctx->fp_mutex);
434
* \brief Function which is called to print the alerts to the syslog
436
* \param tv Pointer to the threadvars
437
* \param p Pointer to the packet
438
* \param data pointer to the AlertSyslogThread
439
* \param pq pointer the to packet queue
440
* \param postpq pointer to the post processed packet queue
442
* \return On succes return TM_ECODE_OK
444
TmEcode AlertSyslog (ThreadVars *tv, Packet *p, void *data, PacketQueue *pq,
447
if (PKT_IS_IPV4(p)) {
448
return AlertSyslogIPv4(tv, p, data, pq, NULL);
449
} else if (PKT_IS_IPV6(p)) {
450
return AlertSyslogIPv6(tv, p, data, pq, NULL);
451
} else if (p->events.cnt > 0) {
452
return AlertSyslogDecoderEvent(tv, p, data, pq, NULL);
459
* \brief Function to print the total alert while closing the engine
461
* \param tv Pointer to the output threadvars
462
* \param data Pointer to the AlertSyslogThread data
464
void AlertSyslogExitPrintStats(ThreadVars *tv, void *data) {
465
AlertSyslogThread *ast = (AlertSyslogThread *)data;
470
SCLogInfo("(%s) Alerts %" PRIu64 "", tv->name, ast->file_ctx->alerts);
472
#endif /* !OS_WIN32 */
added
removed
src/alert-syslog.c
