本文整理汇总了C++中SCEnter函数的典型用法代码示例。如果您正苦于以下问题:C++ SCEnter函数的具体用法?C++ SCEnter怎么用?C++ SCEnter使用的例子?那么, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了SCEnter函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的C++代码示例。
示例1: RunModeSetIPSAutoFp
int RunModeSetIPSAutoFp(ConfigIPSParserFunc ConfigParser,
const char *recv_mod_name,
const char *verdict_mod_name,
const char *decode_mod_name)
{
SCEnter();
char tname[TM_THREAD_NAME_MAX];
char qname[TM_QUEUE_NAME_MAX];
TmModule *tm_module ;
const char *cur_queue = NULL;
char *queues = NULL;
int thread;
/* Available cpus */
uint16_t ncpus = UtilCpuGetNumProcessorsOnline();
int nqueue = LiveGetDeviceCount();
int thread_max = TmThreadGetNbThreads(WORKER_CPU_SET);
/* always create at least one thread */
if (thread_max == 0)
thread_max = ncpus * threading_detect_ratio;
if (thread_max < 1)
thread_max = 1;
queues = RunmodeAutoFpCreatePickupQueuesString(thread_max);
if (queues == NULL) {
SCLogError(SC_ERR_RUNMODE, "RunmodeAutoFpCreatePickupQueuesString failed");
exit(EXIT_FAILURE);
}
for (int i = 0; i < nqueue; i++) {
/* create the threads */
cur_queue = LiveGetDeviceName(i);
if (cur_queue == NULL) {
SCLogError(SC_ERR_RUNMODE, "invalid queue number");
exit(EXIT_FAILURE);
}
memset(tname, 0, sizeof(tname));
snprintf(tname, sizeof(tname), "%s-Q%s", thread_name_autofp, cur_queue);
ThreadVars *tv_receive =
TmThreadCreatePacketHandler(tname,
"packetpool", "packetpool",
queues, "flow", "pktacqloop");
if (tv_receive == NULL) {
SCLogError(SC_ERR_RUNMODE, "TmThreadsCreate failed");
exit(EXIT_FAILURE);
}
TmModule *tm_module = TmModuleGetByName(recv_mod_name);
if (tm_module == NULL) {
SCLogError(SC_ERR_RUNMODE, "TmModuleGetByName failed for %s", recv_mod_name);
exit(EXIT_FAILURE);
}
TmSlotSetFuncAppend(tv_receive, tm_module, (void *) ConfigParser(i));
tm_module = TmModuleGetByName(decode_mod_name);
if (tm_module == NULL) {
SCLogError(SC_ERR_RUNMODE, "TmModuleGetByName %s failed", decode_mod_name);
exit(EXIT_FAILURE);
}
TmSlotSetFuncAppend(tv_receive, tm_module, NULL);
TmThreadSetCPU(tv_receive, RECEIVE_CPU_SET);
if (TmThreadSpawn(tv_receive) != TM_ECODE_OK) {
SCLogError(SC_ERR_RUNMODE, "TmThreadSpawn failed");
exit(EXIT_FAILURE);
}
}
for (thread = 0; thread < thread_max; thread++) {
snprintf(tname, sizeof(tname), "%s#%02d", thread_name_workers, thread+1);
snprintf(qname, sizeof(qname), "pickup%d", thread+1);
SCLogDebug("tname %s, qname %s", tname, qname);
ThreadVars *tv_detect_ncpu =
TmThreadCreatePacketHandler(tname,
qname, "flow",
"verdict-queue", "simple",
"varslot");
if (tv_detect_ncpu == NULL) {
SCLogError(SC_ERR_RUNMODE, "TmThreadsCreate failed");
exit(EXIT_FAILURE);
}
TmModule *tm_module = TmModuleGetByName("FlowWorker");
if (tm_module == NULL) {
SCLogError(SC_ERR_RUNMODE, "TmModuleGetByName for FlowWorker failed");
exit(EXIT_FAILURE);
}
TmSlotSetFuncAppend(tv_detect_ncpu, tm_module, NULL);
TmThreadSetCPU(tv_detect_ncpu, WORKER_CPU_SET);
TmThreadSetGroupName(tv_detect_ncpu, "Detect");
if (TmThreadSpawn(tv_detect_ncpu) != TM_ECODE_OK) {
SCLogError(SC_ERR_RUNMODE, "TmThreadSpawn failed");
exit(EXIT_FAILURE);
//.........这里部分代码省略.........
示例2: ReceiveErfDagLoop
/**
* \brief Receives packets from a DAG interface.
*
* \param tv pointer to ThreadVars
* \param data pointer to ErfDagThreadVars
* \param slot slot containing task information
*
* \retval TM_ECODE_OK on success
* \retval TM_ECODE_FAILED on failure
*/
TmEcode
ReceiveErfDagLoop(ThreadVars *tv, void *data, void *slot)
{
SCEnter();
ErfDagThreadVars *dtv = (ErfDagThreadVars *)data;
uint32_t diff = 0;
int err;
uint8_t *top = NULL;
uint32_t pkts_read = 0;
TmSlot *s = (TmSlot *)slot;
dtv->slot = s->slot_next;
while (1) {
if (suricata_ctl_flags & (SURICATA_STOP | SURICATA_KILL)) {
SCReturnInt(TM_ECODE_OK);
}
top = dag_advance_stream(dtv->dagfd, dtv->dagstream, &(dtv->btm));
if (top == NULL) {
if (errno == EAGAIN) {
if (dtv->dagstream & 0x1) {
usleep(10 * 1000);
dtv->btm = dtv->top;
}
continue;
} else {
SCLogError(SC_ERR_ERF_DAG_STREAM_READ_FAILED,
"Failed to read from stream: %d, DAG: %s when "
"using dag_advance_stream",
dtv->dagstream, dtv->dagname);
SCReturnInt(TM_ECODE_FAILED);
}
}
diff = top - dtv->btm;
if (diff == 0) {
continue;
}
assert(diff >= dag_record_size);
err = ProcessErfDagRecords(dtv, top, &pkts_read);
if (err == TM_ECODE_FAILED) {
SCLogError(SC_ERR_ERF_DAG_STREAM_READ_FAILED,
"Failed to read from stream: %d, DAG: %s",
dtv->dagstream, dtv->dagname);
ReceiveErfDagCloseStream(dtv->dagfd, dtv->dagstream);
SCReturnInt(TM_ECODE_FAILED);
}
StatsSyncCountersIfSignalled(tv);
SCLogDebug("Read %d records from stream: %d, DAG: %s",
pkts_read, dtv->dagstream, dtv->dagname);
}
SCReturnInt(TM_ECODE_OK);
}示例3: ProcessErfDagRecord
/**
* \brief Process a DAG record into a TM packet buffer.
* \param prec pointer to a DAG record.
* \param
*/
static inline TmEcode
ProcessErfDagRecord(ErfDagThreadVars *ewtn, char *prec)
{
SCEnter();
int wlen = 0;
int rlen = 0;
int hdr_num = 0;
char hdr_type = 0;
dag_record_t *dr = (dag_record_t*)prec;
erf_payload_t *pload;
Packet *p;
hdr_type = dr->type;
wlen = ntohs(dr->wlen);
rlen = ntohs(dr->rlen);
/* count extension headers */
while (hdr_type & 0x80) {
if (rlen < (dag_record_size + (hdr_num * 8))) {
SCLogError(SC_ERR_UNIMPLEMENTED,
"Insufficient captured packet length.");
SCReturnInt(TM_ECODE_FAILED);
}
hdr_type = prec[(dag_record_size + (hdr_num * 8))];
hdr_num++;
}
/* Check that the whole frame was captured */
if (rlen < (dag_record_size + (8 * hdr_num) + 2 + wlen)) {
SCLogInfo("Incomplete frame captured.");
SCReturnInt(TM_ECODE_OK);
}
/* skip over extension headers */
pload = (erf_payload_t *)(prec + dag_record_size + (8 * hdr_num));
p = PacketGetFromQueueOrAlloc();
if (p == NULL) {
SCLogError(SC_ERR_MEM_ALLOC,
"Failed to allocate a Packet on stream: %d, DAG: %s",
ewtn->dagstream, ewtn->dagname);
SCReturnInt(TM_ECODE_FAILED);
}
PKT_SET_SRC(p, PKT_SRC_WIRE);
SET_PKT_LEN(p, wlen);
p->datalink = LINKTYPE_ETHERNET;
/* Take into account for link type Ethernet ETH frame starts
* after ther ERF header + pad.
*/
if (unlikely(PacketCopyData(p, pload->eth.dst, GET_PKT_LEN(p)))) {
TmqhOutputPacketpool(ewtn->tv, p);
SCReturnInt(TM_ECODE_FAILED);
}
/* Convert ERF time to timeval - from libpcap. */
uint64_t ts = dr->ts;
p->ts.tv_sec = ts >> 32;
ts = (ts & 0xffffffffULL) * 1000000;
ts += 0x80000000; /* rounding */
p->ts.tv_usec = ts >> 32;
if (p->ts.tv_usec >= 1000000) {
p->ts.tv_usec -= 1000000;
p->ts.tv_sec++;
}
StatsIncr(tv, ewtn->packets);
ewtn->bytes += wlen;
if (TmThreadsSlotProcessPkt(ewtn->tv, ewtn->slot, p) != TM_ECODE_OK) {
TmqhOutputPacketpool(ewtn->tv, p);
SCReturnInt(TM_ECODE_FAILED);
}
SCReturnInt(TM_ECODE_OK);
}示例4: SCEnter
static const uint8_t *DetectEngineSMTPGetBufferForTX(uint64_t tx_id,
DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx,
Flow *f, File *curr_file,
uint8_t flags,
uint32_t *buffer_len,
uint32_t *stream_start_offset)
{
SCEnter();
int index = 0;
const uint8_t *buffer = NULL;
*buffer_len = 0;
*stream_start_offset = 0;
uint64_t file_size = FileSize(curr_file);
if (det_ctx->smtp_buffers_list_len == 0) {
if (SMTPCreateSpace(det_ctx, 1) < 0)
goto end;
index = 0;
if (det_ctx->smtp_buffers_list_len == 0) {
det_ctx->smtp_start_tx_id = tx_id;
}
det_ctx->smtp_buffers_list_len++;
} else {
if ((tx_id - det_ctx->smtp_start_tx_id) < det_ctx->smtp_buffers_list_len) {
if (det_ctx->smtp[(tx_id - det_ctx->smtp_start_tx_id)].buffer_len != 0) {
*buffer_len = det_ctx->smtp[(tx_id - det_ctx->smtp_start_tx_id)].buffer_len;
*stream_start_offset = det_ctx->smtp[(tx_id - det_ctx->smtp_start_tx_id)].offset;
buffer = det_ctx->smtp[(tx_id - det_ctx->smtp_start_tx_id)].buffer;
SCReturnPtr(buffer, "uint8_t");
}
} else {
if (SMTPCreateSpace(det_ctx, (tx_id - det_ctx->smtp_start_tx_id) + 1) < 0)
goto end;
if (det_ctx->smtp_buffers_list_len == 0) {
det_ctx->smtp_start_tx_id = tx_id;
}
det_ctx->smtp_buffers_list_len++;
}
index = (tx_id - det_ctx->smtp_start_tx_id);
}
SCLogDebug("smtp_config.content_limit %u, smtp_config.content_inspect_min_size %u",
smtp_config.content_limit, smtp_config.content_inspect_min_size);
SCLogDebug("file %p size %"PRIu64", state %d", curr_file, file_size, curr_file->state);
/* no new data */
if (curr_file->content_inspected == file_size) {
SCLogDebug("no new data");
goto end;
}
if (file_size == 0) {
SCLogDebug("no data to inspect for this transaction");
goto end;
}
if ((smtp_config.content_limit == 0 || file_size < smtp_config.content_limit) &&
file_size < smtp_config.content_inspect_min_size &&
!(flags & STREAM_EOF) && !(curr_file->state > FILE_STATE_OPENED)) {
SCLogDebug("we still haven't seen the entire content. "
"Let's defer content inspection till we see the "
"entire content.");
goto end;
}
StreamingBufferGetDataAtOffset(curr_file->sb,
&det_ctx->smtp[index].buffer, &det_ctx->smtp[index].buffer_len,
curr_file->content_inspected);
det_ctx->smtp[index].offset = curr_file->content_inspected;
/* updat inspected tracker */
curr_file->content_inspected = FileSize(curr_file);
SCLogDebug("content_inspected %u, offset %u", (uint)curr_file->content_inspected, (uint)det_ctx->smtp[index].offset);
buffer = det_ctx->smtp[index].buffer;
*buffer_len = det_ctx->smtp[index].buffer_len;
*stream_start_offset = det_ctx->smtp[index].offset;
end:
SCLogDebug("buffer %p, len %u", buffer, *buffer_len);
SCReturnPtr(buffer, "uint8_t");
}示例5: DetectFtpbounceMatchArgs
/**
* \brief This function is used to match ftpbounce attacks
*
* \param payload Payload of the PORT command
* \param payload_len Length of the payload
* \param ip_orig IP source to check the ftpbounce condition
* \param offset offset to the arguments of the PORT command
*
* \retval 1 if ftpbounce detected, 0 if not
*/
int DetectFtpbounceMatchArgs(uint8_t *payload, uint16_t payload_len,
uint32_t ip_orig, uint16_t offset)
{
SCEnter();
SCLogDebug("Checking ftpbounce condition");
char *c = NULL;
uint16_t i = 0;
int octet = 0;
int octet_ascii_len = 0;
int noctet = 0;
uint32_t ip = 0;
/* PrintRawDataFp(stdout, payload, payload_len); */
if (payload_len < 7) {
/* we need at least a differet ip address
* in the format 1,2,3,4,x,y where x,y is the port
* in two byte representation so let's look at
* least for the IP octets in comma separated */
return 0;
}
if (offset + 7 >= payload_len)
return 0;
c =(char*) payload;
if (c == NULL) {
SCLogDebug("No payload to check");
return 0;
}
i = offset;
/* Search for the first IP octect(Skips "PORT ") */
while (i < payload_len && !isdigit((unsigned char)c[i])) i++;
for (;i < payload_len && octet_ascii_len < 4 ;i++) {
if (isdigit((unsigned char)c[i])) {
octet =(c[i] - '0') + octet * 10;
octet_ascii_len++;
} else {
if (octet > 256) {
SCLogDebug("Octet not in ip format");
return 0;
}
if (isspace((unsigned char)c[i]))
while (i < payload_len && isspace((unsigned char)c[i]) ) i++;
if (i < payload_len && c[i] == ',') { /* we have an octet */
noctet++;
octet_ascii_len = 0;
ip =(ip << 8) + octet;
octet = 0;
} else {
SCLogDebug("Unrecognized character '%c'", c[i]);
return 0;
}
if (noctet == 4) {
/* Different IP than src, ftp bounce scan */
ip = SCByteSwap32(ip);
if (ip != ip_orig) {
SCLogDebug("Different ip, so Matched ip:%d <-> ip_orig:%d",
ip, ip_orig);
return 1;
}
SCLogDebug("Same ip, so no match here");
return 0;
}
}
}
SCLogDebug("No match");
return 0;
}示例6: SetupAnalyzer
/**
* \brief Initialize analyzer description
*
* \return 0 if ok
*/
static int SetupAnalyzer(idmef_analyzer_t *analyzer)
{
int ret;
prelude_string_t *string;
SCEnter();
ret = idmef_analyzer_new_model(analyzer, &string);
if (unlikely(ret < 0)) {
SCLogDebug("%s: error creating analyzer model: %s.",
prelude_strsource(ret), prelude_strerror(ret));
SCReturnInt(ret);
}
ret = prelude_string_set_constant(string, ANALYZER_MODEL);
if (unlikely(ret < 0)) {
SCLogDebug("%s: error setting analyzer model: %s.",
prelude_strsource(ret), prelude_strerror(ret));
SCReturnInt(ret);
}
ret = idmef_analyzer_new_class(analyzer, &string);
if (unlikely(ret < 0)) {
SCLogDebug("%s: error creating analyzer class: %s.",
prelude_strsource(ret), prelude_strerror(ret));
SCReturnInt(ret);
}
ret = prelude_string_set_constant(string, ANALYZER_CLASS);
if (unlikely(ret < 0)) {
SCLogDebug("%s: error setting analyzer class: %s.",
prelude_strsource(ret), prelude_strerror(ret));
SCReturnInt(ret);
}
ret = idmef_analyzer_new_manufacturer(analyzer, &string);
if (unlikely(ret < 0)) {
SCLogDebug("%s: error creating analyzer manufacturer: %s.",
prelude_strsource(ret), prelude_strerror(ret));
SCReturnInt(ret);
}
ret = prelude_string_set_constant(string, ANALYZER_MANUFACTURER);
if (unlikely(ret < 0)) {
SCLogDebug("%s: error setting analyzer manufacturer: %s.",
prelude_strsource(ret), prelude_strerror(ret));
SCReturnInt(ret);
}
ret = idmef_analyzer_new_version(analyzer, &string);
if (unlikely(ret < 0)) {
SCLogDebug("%s: error creating analyzer version: %s.",
prelude_strsource(ret), prelude_strerror(ret));
SCReturnInt(ret);
}
ret = prelude_string_set_constant(string, VERSION);
if (unlikely(ret < 0)) {
SCLogDebug("%s: error setting analyzer version: %s.",
prelude_strsource(ret), prelude_strerror(ret));
SCReturnInt(ret);
}
SCReturnInt(0);
}示例7: EventToSourceTarget
/**
* \brief Add Source and Target fields to the IDMEF alert.
* These objects contains IP addresses, source and destination
* ports (see sections 4.2.4.3 and 4.2.4.4 of RFC 4765).
*
* \return 0 if ok
*/
static int EventToSourceTarget(const PacketAlert *pa, const Packet *p,
idmef_alert_t *alert)
{
int ret;
idmef_node_t *node;
idmef_source_t *source;
idmef_target_t *target;
idmef_address_t *address;
idmef_service_t *service;
prelude_string_t *string;
static char saddr[128], daddr[128];
uint8_t ip_vers;
uint8_t ip_proto;
uint16_t sp, dp;
uint8_t invert = 0;
SCEnter();
if ( !p )
SCReturnInt(0);
if ( ! IPH_IS_VALID(p) )
SCReturnInt(0);
if (pa->s->flags & SIG_FLAG_HAS_TARGET) {
if (pa->s->flags & SIG_FLAG_SRC_IS_TARGET) {
invert = 1;
} else {
invert = 0;
}
} else {
invert = 0;
}
if (PKT_IS_IPV4(p)) {
ip_vers = 4;
ip_proto = IPV4_GET_RAW_IPPROTO(p->ip4h);
if (invert) {
PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), saddr, sizeof(saddr));
PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), daddr, sizeof(daddr));
sp = p->dp;
dp = p->sp;
} else {
PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), saddr, sizeof(saddr));
PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), daddr, sizeof(daddr));
sp = p->sp;
dp = p->dp;
}
} else if (PKT_IS_IPV6(p)) {
ip_vers = 6;
ip_proto = IPV6_GET_L4PROTO(p);
if (invert) {
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), saddr, sizeof(saddr));
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), daddr, sizeof(daddr));
sp = p->dp;
dp = p->sp;
} else {
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), saddr, sizeof(saddr));
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), daddr, sizeof(daddr));
sp = p->sp;
dp = p->dp;
}
} else
SCReturnInt(0);
ret = idmef_alert_new_source(alert, &source, IDMEF_LIST_APPEND);
if (unlikely(ret < 0))
SCReturnInt(ret);
ret = idmef_source_new_service(source, &service);
if (unlikely(ret < 0))
SCReturnInt(ret);
if ( p->tcph || p->udph )
idmef_service_set_port(service, sp);
idmef_service_set_ip_version(service, ip_vers);
idmef_service_set_iana_protocol_number(service, ip_proto);
ret = idmef_source_new_node(source, &node);
if (unlikely(ret < 0))
SCReturnInt(ret);
ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
if (unlikely(ret < 0))
SCReturnInt(ret);
ret = idmef_address_new_address(address, &string);
if (unlikely(ret < 0))
SCReturnInt(ret);
prelude_string_set_ref(string, saddr);
//.........这里部分代码省略.........
示例8: PacketAlertFinalize
/**
* \brief Check the threshold of the sigs that match, set actions, break on pass action
* This function iterate the packet alerts array, removing those that didn't match
* the threshold, and those that match after a signature with the action "pass".
* The array is sorted by action priority/order
* \param de_ctx detection engine context
* \param det_ctx detection engine thread context
* \param p pointer to the packet
*/
void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p) {
SCEnter();
int i = 0;
Signature *s = NULL;
SigMatch *sm = NULL;
while (i < p->alerts.cnt) {
SCLogDebug("Sig->num: %"PRIu16, p->alerts.alerts[i].num);
s = de_ctx->sig_array[p->alerts.alerts[i].num];
int res = PacketAlertHandle(de_ctx, det_ctx, s, p, i);
if (res > 0) {
/* Now, if we have an alert, we have to check if we want
* to tag this session or src/dst host */
sm = s->sm_lists[DETECT_SM_LIST_TMATCH];
while (sm) {
/* tags are set only for alerts */
sigmatch_table[sm->type].Match(NULL, det_ctx, p, s, sm);
sm = sm->next;
}
if (s->flags & SIG_FLAG_IPONLY) {
if ((p->flowflags & FLOW_PKT_TOSERVER && !(p->flowflags & FLOW_PKT_TOSERVER_IPONLY_SET)) ||
(p->flowflags & FLOW_PKT_TOCLIENT && !(p->flowflags & FLOW_PKT_TOCLIENT_IPONLY_SET))) {
SCLogDebug("testing against \"ip-only\" signatures");
if (p->flow != NULL) {
/* Update flow flags for iponly */
FLOWLOCK_WRLOCK(p->flow);
FlowSetIPOnlyFlagNoLock(p->flow, p->flowflags & FLOW_PKT_TOSERVER ? 1 : 0);
if (s->action & ACTION_DROP)
p->flow->flags |= FLOW_ACTION_DROP;
if (s->action & ACTION_REJECT)
p->flow->flags |= FLOW_ACTION_DROP;
if (s->action & ACTION_REJECT_DST)
p->flow->flags |= FLOW_ACTION_DROP;
if (s->action & ACTION_REJECT_BOTH)
p->flow->flags |= FLOW_ACTION_DROP;
if (s->action & ACTION_PASS)
p->flow->flags |= FLOW_ACTION_PASS;
FLOWLOCK_UNLOCK(p->flow);
}
}
}
/* set verdict on packet */
p->action |= p->alerts.alerts[i].action;
if (p->action & ACTION_PASS) {
/* Ok, reset the alert cnt to end in the previous of pass
* so we ignore the rest with less prio */
p->alerts.cnt = i;
break;
/* if the signature wants to drop, check if the
* PACKET_ALERT_FLAG_DROP_FLOW flag is set. */
} else if (p->action & ACTION_DROP &&
((p->alerts.alerts[i].flags & PACKET_ALERT_FLAG_DROP_FLOW) ||
(s->flags & SIG_FLAG_APPLAYER))
&& p->flow != NULL)
{
FLOWLOCK_WRLOCK(p->flow);
/* This will apply only on IPS mode (check StreamTcpPacket) */
p->flow->flags |= FLOW_ACTION_DROP;
FLOWLOCK_UNLOCK(p->flow);
}
}
/* Thresholding removes this alert */
if (res == 0 || res == 2) {
PacketAlertRemove(p, i);
if (p->alerts.cnt == 0)
break;
} else {
i++;
}
}
/* At this point, we should have all the new alerts. Now check the tag
* keyword context for sessions and hosts */
TagHandlePacket(de_ctx, det_ctx, p);
}示例9: RunModeFilePcapAuto
/*
* \brief RunModeFilePcapAuto set up the following thread packet handlers:
* - Receive thread (from pcap file)
* - Decode thread
* - Stream thread
* - Detect: If we have only 1 cpu, it will setup one Detect thread
* If we have more than one, it will setup num_cpus - 1
* starting from the second cpu available.
* - Outputs thread
* By default the threads will use the first cpu available
* except the Detection threads if we have more than one cpu.
*
* \param de_ctx Pointer to the Detection Engine.
*
* \retval 0 If all goes well. (If any problem is detected the engine will
* exit()).
*/
int RunModeFilePcapAuto(DetectEngineCtx *de_ctx)
{
SCEnter();
char tname[16];
uint16_t cpu = 0;
TmModule *tm_module;
int cuda = 0;
RunModeInitialize();
/* Available cpus */
uint16_t ncpus = UtilCpuGetNumProcessorsOnline();
char *file = NULL;
if (ConfGet("pcap-file.file", &file) == 0) {
SCLogError(SC_ERR_RUNMODE, "Failed retrieving pcap-file from Conf");
exit(EXIT_FAILURE);
}
SCLogDebug("file %s", file);
TimeModeSetOffline();
#if defined(__SC_CUDA_SUPPORT__)
if (PatternMatchDefaultMatcher() == MPM_B2G_CUDA) {
cuda = 1;
}
#endif
if (cuda == 0) {
/* create the threads */
ThreadVars *tv_receivepcap =
TmThreadCreatePacketHandler("ReceivePcapFile",
"packetpool", "packetpool",
"detect-queue1", "simple",
"pktacqloop");
if (tv_receivepcap == NULL) {
printf("ERROR: TmThreadsCreate failed\n");
exit(EXIT_FAILURE);
}
tm_module = TmModuleGetByName("ReceivePcapFile");
if (tm_module == NULL) {
printf("ERROR: TmModuleGetByName failed for ReceivePcap\n");
exit(EXIT_FAILURE);
}
TmSlotSetFuncAppend(tv_receivepcap, tm_module, file);
TmThreadSetCPU(tv_receivepcap, RECEIVE_CPU_SET);
tm_module = TmModuleGetByName("DecodePcapFile");
if (tm_module == NULL) {
printf("ERROR: TmModuleGetByName DecodePcap failed\n");
exit(EXIT_FAILURE);
}
TmSlotSetFuncAppend(tv_receivepcap, tm_module, NULL);
tm_module = TmModuleGetByName("StreamTcp");
if (tm_module == NULL) {
printf("ERROR: TmModuleGetByName StreamTcp failed\n");
exit(EXIT_FAILURE);
}
TmSlotSetFuncAppend(tv_receivepcap, tm_module, (void *)de_ctx);
TmThreadSetCPU(tv_receivepcap, DECODE_CPU_SET);
if (TmThreadSpawn(tv_receivepcap) != TM_ECODE_OK) {
printf("ERROR: TmThreadSpawn failed\n");
exit(EXIT_FAILURE);
}
#if defined(__SC_CUDA_SUPPORT__)
} else {
/* create the threads */
ThreadVars *tv_receivepcap =
TmThreadCreatePacketHandler("ReceivePcapFile",
"packetpool", "packetpool",
"cuda-pb", "simple",
"pktacqloop");
if (tv_receivepcap == NULL) {
printf("ERROR: TmThreadsCreate failed\n");
exit(EXIT_FAILURE);
}
tm_module = TmModuleGetByName("ReceivePcapFile");
if (tm_module == NULL) {
printf("ERROR: TmModuleGetByName failed for ReceivePcap\n");
exit(EXIT_FAILURE);
//.........这里部分代码省略.........
示例10: ReceiveErfDag
/**
* \brief Thread entry function for reading ERF records from a DAG card.
*
* Reads a new ERF record the DAG input buffer and copies it to
* an internal Suricata packet buffer -- similar to the way the
* pcap packet handler works.
*
* We create new packet structures using PacketGetFromQueueOrAlloc
* for each packet between the top and btm pointers except for
* the first packet for which a Packet buffer is provided
* from the packetpool.
*
* We always read up to dag_max_read_packets ERF packets from the
* DAG buffer, but we might read less. This differs from the
* ReceivePcap handler -- it will only read pkts up to a maximum
* of either the packetpool count or the pcap_max_read_packets.
*
* \param tv pointer to ThreadVars
* \param p data pointer
* \param data
* \param pq pointer to the PacketQueue (not used here)
* \param postpq
* \retval TM_ECODE_FAILED on failure and TM_ECODE_OK on success.
* \note We also use the packetpool hack first used in the source-pcap
* handler so we don't keep producing packets without any dying.
* This implies that if we are in this situation we run the risk
* of dropping packets at the interface.
*/
TmEcode
ReceiveErfDag(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq,
PacketQueue *postpq)
{
SCEnter();
uint16_t packet_q_len = 0;
uint32_t diff = 0;
int err;
uint8_t *top = NULL;
uint32_t pkts_read = 0;
assert(p);
assert(pq);
assert(postpq);
ErfDagThreadVars *ewtn = (ErfDagThreadVars *)data;
/* NOTE/JNM: Hack copied from source-pcap.c
*
* Make sure we have at least one packet in the packet pool, to
* prevent us from alloc'ing packets at line rate
*/
while (packet_q_len == 0) {
packet_q_len = PacketPoolSize();
if (packet_q_len == 0) {
PacketPoolWait();
}
}
if (postpq == NULL) {
ewtn->dag_max_read_packets = 1;
}
while(pkts_read == 0)
{
if (suricata_ctl_flags != 0) {
break;
}
/* NOTE/JNM: This might not work well if we start restricting the
* number of ERF records processed per call to a small number as
* the over head required here could exceed the time it takes to
* process a small number of ERF records.
*
* XXX/JNM: Possibly process the DAG stream buffer first if there
* are ERF packets or else call dag_advance_stream and then process
* the DAG stream buffer.
*/
top = dag_advance_stream(ewtn->dagfd, ewtn->dagstream, &(ewtn->btm));
if (NULL == top)
{
if((ewtn->dagstream & 0x1) && (errno == EAGAIN)) {
usleep(10 * 1000);
ewtn->btm = ewtn->top;
continue;
}
else {
SCLogError(SC_ERR_ERF_DAG_STREAM_READ_FAILED,
"Failed to read from stream: %d, DAG: %s when using dag_advance_stream",
ewtn->dagstream, ewtn->dagname);
SCReturnInt(TM_ECODE_FAILED);
}
}
diff = top - ewtn->btm;
if (diff == 0)
{
continue;
}
//.........这里部分代码省略.........
示例11: ProcessErfDagRecords
TmEcode ProcessErfDagRecords(ErfDagThreadVars *ewtn,
Packet *p,
uint8_t* top,
PacketQueue *postpq,
uint32_t *pkts_read)
{
SCEnter();
int err = 0;
dag_record_t* dr = NULL;
char *prec = NULL;
int rlen;
*pkts_read = 0;
while(((top-(ewtn->btm))>=dag_record_size) &&
((*pkts_read)<(ewtn->dag_max_read_packets)))
{
prec = (char*)ewtn->btm;
dr = (dag_record_t*)prec;
rlen = ntohs(dr->rlen);
if (rlen == 20) {
rlen = 28;
SCLogWarning(SC_WARN_ERF_DAG_REC_LEN_CHANGED,
"Warning, adjusted the length of ERF from 20 to 28 on stream: %d, DAG: %s",
ewtn->dagstream, ewtn->dagname);
}
/* If we don't have enough data to finsih processing this ERF record
* return and maybe next time we will.
*/
if ((top-(ewtn->btm)) < rlen)
SCReturnInt(TM_ECODE_OK);
p = p ? p : PacketGetFromQueueOrAlloc();
if (p == NULL) {
SCLogError(SC_ERR_MEM_ALLOC,
"Failed to allocate a Packet on stream: %d, DAG: %s",
ewtn->dagstream, ewtn->dagname);
SCReturnInt(TM_ECODE_FAILED);
}
err = ProcessErfDagRecord(ewtn, prec, p);
if (err != TM_ECODE_OK)
SCReturnInt(err);
ewtn->btm += rlen;
/* XXX/JNM: Hack to get around the fact that the first Packet from
* Suricata is added explicitly by the Slot code and shouldn't go
* onto the post queue -- else it is added twice to the next queue.
*/
if (*pkts_read) {
PacketEnqueue(postpq, p);
}
(*pkts_read)++;
p = NULL;
}
SCReturnInt(TM_ECODE_OK);
}示例12: SCEnter
static uint8_t *DetectEngineSMTPGetBufferForTX(uint64_t tx_id,
DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx,
Flow *f, File *curr_file,
uint8_t flags,
uint32_t *buffer_len,
uint32_t *stream_start_offset)
{
SCEnter();
int index = 0;
uint8_t *buffer = NULL;
*buffer_len = 0;
*stream_start_offset = 0;
FileData *curr_chunk = NULL;
if (det_ctx->smtp_buffers_list_len == 0) {
if (SMTPCreateSpace(det_ctx, 1) < 0)
goto end;
index = 0;
if (det_ctx->smtp_buffers_list_len == 0) {
det_ctx->smtp_start_tx_id = tx_id;
}
det_ctx->smtp_buffers_list_len++;
} else {
if ((tx_id - det_ctx->smtp_start_tx_id) < det_ctx->smtp_buffers_list_len) {
if (det_ctx->smtp[(tx_id - det_ctx->smtp_start_tx_id)].buffer_len != 0) {
*buffer_len = det_ctx->smtp[(tx_id - det_ctx->smtp_start_tx_id)].buffer_len;
*stream_start_offset = det_ctx->smtp[(tx_id - det_ctx->smtp_start_tx_id)].offset;
buffer = det_ctx->smtp[(tx_id - det_ctx->smtp_start_tx_id)].buffer;
SCReturnPtr(buffer, "uint8_t");
}
} else {
if (SMTPCreateSpace(det_ctx, (tx_id - det_ctx->smtp_start_tx_id) + 1) < 0)
goto end;
if (det_ctx->smtp_buffers_list_len == 0) {
det_ctx->smtp_start_tx_id = tx_id;
}
det_ctx->smtp_buffers_list_len++;
}
index = (tx_id - det_ctx->smtp_start_tx_id);
}
SCLogDebug("smtp_config.content_limit %u, smtp_config.content_inspect_min_size %u",
smtp_config.content_limit, smtp_config.content_inspect_min_size);
SCLogDebug("file %p size %"PRIu64", state %d", curr_file, curr_file->content_len_so_far, curr_file->state);
/* no new data */
if (curr_file->content_inspected == curr_file->content_len_so_far) {
SCLogDebug("no new data");
goto end;
}
curr_chunk = curr_file->chunks_head;
if (curr_chunk == NULL) {
SCLogDebug("no data chunks to inspect for this transaction");
goto end;
}
if ((smtp_config.content_limit == 0 ||
curr_file->content_len_so_far < smtp_config.content_limit) &&
curr_file->content_len_so_far < smtp_config.content_inspect_min_size &&
!(flags & STREAM_EOF) && !(curr_file->state > FILE_STATE_OPENED)) {
SCLogDebug("we still haven't seen the entire content. "
"Let's defer content inspection till we see the "
"entire content.");
goto end;
}
int first = 1;
curr_chunk = curr_file->chunks_head;
while (curr_chunk != NULL) {
/* see if we can filter out chunks */
if (curr_file->content_inspected > 0) {
if (curr_chunk->stream_offset < curr_file->content_inspected) {
if ((curr_file->content_inspected - curr_chunk->stream_offset) > smtp_config.content_inspect_window) {
curr_chunk = curr_chunk->next;
continue;
} else {
/* include this one */
}
} else {
/* include this one */
}
}
if (first) {
det_ctx->smtp[index].offset = curr_chunk->stream_offset;
first = 0;
}
/* see if we need to grow the buffer */
if (det_ctx->smtp[index].buffer == NULL || (det_ctx->smtp[index].buffer_len + curr_chunk->len) > det_ctx->smtp[index].buffer_size) {
void *ptmp;
det_ctx->smtp[index].buffer_size += curr_chunk->len * 2;
if ((ptmp = SCRealloc(det_ctx->smtp[index].buffer, det_ctx->smtp[index].buffer_size)) == NULL) {
//.........这里部分代码省略.........
示例13: NapatechStreamLoop
/**
* \brief Main Napatech reading Loop function
*/
TmEcode NapatechStreamLoop(ThreadVars *tv, void *data, void *slot)
{
SCEnter();
int32_t status;
char errbuf[100];
uint64_t pkt_ts;
NtNetBuf_t packet_buffer;
NapatechThreadVars *ntv = (NapatechThreadVars *)data;
NtNetRx_t stat_cmd;
SCLogInfo("Opening NAPATECH Stream: %lu for processing", ntv->stream_id);
if ((status = NT_NetRxOpen(&(ntv->rx_stream), "SuricataStream", NT_NET_INTERFACE_PACKET, ntv->stream_id, ntv->hba)) != NT_SUCCESS) {
NT_ExplainError(status, errbuf, sizeof(errbuf));
SCLogError(SC_ERR_NAPATECH_OPEN_FAILED, "Failed to open NAPATECH Stream: %lu - %s", ntv->stream_id, errbuf);
SCFree(ntv);
SCReturnInt(TM_ECODE_FAILED);
}
stat_cmd.cmd = NT_NETRX_READ_CMD_STREAM_DROP;
SCLogInfo("Napatech Packet Stream Loop Started for Stream ID: %lu", ntv->stream_id);
TmSlot *s = (TmSlot *)slot;
ntv->slot = s->slot_next;
while (!(suricata_ctl_flags & (SURICATA_STOP | SURICATA_KILL))) {
/* make sure we have at least one packet in the packet pool, to prevent
* us from alloc'ing packets at line rate */
PacketPoolWait();
/*
* Napatech returns packets 1 at a time
*/
status = NT_NetRxGet(ntv->rx_stream, &packet_buffer, 1000);
if (unlikely(status == NT_STATUS_TIMEOUT || status == NT_STATUS_TRYAGAIN)) {
/*
* no frames currently available
*/
continue;
} else if (unlikely(status != NT_SUCCESS)) {
SCLogError(SC_ERR_NAPATECH_STREAM_NEXT_FAILED,
"Failed to read from Napatech Stream: %lu",
ntv->stream_id);
SCReturnInt(TM_ECODE_FAILED);
}
Packet *p = PacketGetFromQueueOrAlloc();
if (unlikely(p == NULL)) {
NT_NetRxRelease(ntv->rx_stream, packet_buffer);
SCReturnInt(TM_ECODE_FAILED);
}
pkt_ts = NT_NET_GET_PKT_TIMESTAMP(packet_buffer);
/*
* Handle the different timestamp forms that the napatech cards could use
* - NT_TIMESTAMP_TYPE_NATIVE is not supported due to having an base of 0 as opposed to NATIVE_UNIX which has a base of 1/1/1970
*/
switch(NT_NET_GET_PKT_TIMESTAMP_TYPE(packet_buffer)) {
case NT_TIMESTAMP_TYPE_NATIVE_UNIX:
p->ts.tv_sec = pkt_ts / 100000000;
p->ts.tv_usec = ((pkt_ts % 100000000) / 100) + (pkt_ts % 100) > 50 ? 1 : 0;
break;
case NT_TIMESTAMP_TYPE_PCAP:
p->ts.tv_sec = pkt_ts >> 32;
p->ts.tv_usec = pkt_ts & 0xFFFFFFFF;
break;
case NT_TIMESTAMP_TYPE_PCAP_NANOTIME:
p->ts.tv_sec = pkt_ts >> 32;
p->ts.tv_usec = ((pkt_ts & 0xFFFFFFFF) / 1000) + (pkt_ts % 1000) > 500 ? 1 : 0;
break;
case NT_TIMESTAMP_TYPE_NATIVE_NDIS:
/* number of seconds between 1/1/1601 and 1/1/1970 */
p->ts.tv_sec = (pkt_ts / 100000000) - 11644473600;
p->ts.tv_usec = ((pkt_ts % 100000000) / 100) + (pkt_ts % 100) > 50 ? 1 : 0;
break;
default:
SCLogError(SC_ERR_NAPATECH_TIMESTAMP_TYPE_NOT_SUPPORTED,
"Packet from Napatech Stream: %lu does not have a supported timestamp format",
ntv->stream_id);
NT_NetRxRelease(ntv->rx_stream, packet_buffer);
SCReturnInt(TM_ECODE_FAILED);
}
SCLogDebug("p->ts.tv_sec %"PRIuMAX"", (uintmax_t)p->ts.tv_sec);
p->datalink = LINKTYPE_ETHERNET;
ntv->pkts++;
ntv->bytes += NT_NET_GET_PKT_WIRE_LENGTH(packet_buffer);
// Update drop counter
if (unlikely((status = NT_NetRxRead(ntv->rx_stream, &stat_cmd)) != NT_SUCCESS))
{
NT_ExplainError(status, errbuf, sizeof(errbuf));
SCLogWarning(SC_ERR_NAPATECH_STAT_DROPS_FAILED, "Couldn't retrieve drop statistics from the RX stream: %lu - %s", ntv->stream_id, errbuf);
//.........这里部分代码省略.........
示例14: DetectTransformCompressWhitespaceSetup
/**
* \internal
* \brief Apply the nocase keyword to the last pattern match, either content or uricontent
* \param det_ctx detection engine ctx
* \param s signature
* \param nullstr should be null
* \retval 0 ok
* \retval -1 failure
*/
static int DetectTransformCompressWhitespaceSetup (DetectEngineCtx *de_ctx, Signature *s, const char *nullstr)
{
SCEnter();
int r = DetectSignatureAddTransform(s, DETECT_TRANSFORM_COMPRESS_WHITESPACE);
SCReturnInt(r);
}示例15: RunModeSetIPSAutoFp
/**
* \param de_ctx detection engine, can be NULL
*/
int RunModeSetIPSAutoFp(DetectEngineCtx *de_ctx,
ConfigIPSParserFunc ConfigParser,
char *recv_mod_name,
char *verdict_mod_name,
char *decode_mod_name)
{
SCEnter();
char tname[TM_THREAD_NAME_MAX];
char qname[TM_QUEUE_NAME_MAX];
TmModule *tm_module ;
char *cur_queue = NULL;
char *queues = NULL;
int thread;
/* Available cpus */
uint16_t ncpus = UtilCpuGetNumProcessorsOnline();
int nqueue = LiveGetDeviceCount();
int thread_max = TmThreadGetNbThreads(DETECT_CPU_SET);
/* always create at least one thread */
if (thread_max == 0)
thread_max = ncpus * threading_detect_ratio;
if (thread_max < 1)
thread_max = 1;
RunmodeSetFlowStreamAsync();
queues = RunmodeAutoFpCreatePickupQueuesString(thread_max);
if (queues == NULL) {
SCLogError(SC_ERR_RUNMODE, "RunmodeAutoFpCreatePickupQueuesString failed");
exit(EXIT_FAILURE);
}
for (int i = 0; i < nqueue; i++) {
/* create the threads */
cur_queue = LiveGetDeviceName(i);
if (cur_queue == NULL) {
SCLogError(SC_ERR_RUNMODE, "invalid queue number");
exit(EXIT_FAILURE);
}
memset(tname, 0, sizeof(tname));
snprintf(tname, sizeof(tname), "Recv-Q%s", cur_queue);
char *thread_name = SCStrdup(tname);
if (unlikely(thread_name == NULL)) {
SCLogError(SC_ERR_RUNMODE, "thread name creation failed");
exit(EXIT_FAILURE);
}
ThreadVars *tv_receive =
TmThreadCreatePacketHandler(thread_name,
"packetpool", "packetpool",
queues, "flow", "pktacqloop");
if (tv_receive == NULL) {
SCLogError(SC_ERR_RUNMODE, "TmThreadsCreate failed");
exit(EXIT_FAILURE);
}
TmModule *tm_module = TmModuleGetByName(recv_mod_name);
if (tm_module == NULL) {
SCLogError(SC_ERR_RUNMODE, "TmModuleGetByName failed for %s", recv_mod_name);
exit(EXIT_FAILURE);
}
TmSlotSetFuncAppend(tv_receive, tm_module, (void *) ConfigParser(i));
tm_module = TmModuleGetByName(decode_mod_name);
if (tm_module == NULL) {
SCLogError(SC_ERR_RUNMODE, "TmModuleGetByName %s failed", decode_mod_name);
exit(EXIT_FAILURE);
}
TmSlotSetFuncAppend(tv_receive, tm_module, NULL);
TmThreadSetCPU(tv_receive, RECEIVE_CPU_SET);
if (TmThreadSpawn(tv_receive) != TM_ECODE_OK) {
SCLogError(SC_ERR_RUNMODE, "TmThreadSpawn failed");
exit(EXIT_FAILURE);
}
}
for (thread = 0; thread < thread_max; thread++) {
snprintf(tname, sizeof(tname), "Detect%"PRIu16, thread+1);
snprintf(qname, sizeof(qname), "pickup%"PRIu16, thread+1);
SCLogDebug("tname %s, qname %s", tname, qname);
char *thread_name = SCStrdup(tname);
if (unlikely(thread_name == NULL)) {
SCLogError(SC_ERR_MEM_ALLOC, "Can't allocate thread name");
exit(EXIT_FAILURE);
}
ThreadVars *tv_detect_ncpu =
TmThreadCreatePacketHandler(thread_name,
qname, "flow",
"verdict-queue", "simple",
"varslot");
if (tv_detect_ncpu == NULL) {
SCLogError(SC_ERR_RUNMODE, "TmThreadsCreate failed");
exit(EXIT_FAILURE);
//.........这里部分代码省略.........