Du kan inte välja fler än 25 ämnen Ämnen måste starta med en bokstav eller siffra, kan innehålla bindestreck ('-') och vara max 35 tecken långa.

snfLOGmgr.hpp 39KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670
  1. // snfLOGmgr.hpp
  2. //
  3. // (C) Copyright 2006 - 2009 ARM Research Labs, LLC.
  4. // See www.armresearch.com for the copyright terms.
  5. //
  6. // SNF Logging and Statistics engine.
  7. ////////////////////////////////////////////////////////////////////////////////
  8. //// Begin snfLOGmgr include only once
  9. #ifndef snfLOGmgr_included
  10. #define snfLOGmgr_included
  11. #include <list>
  12. #include <set>
  13. #include <string>
  14. #include <vector>
  15. #include <sstream>
  16. #include <ctime>
  17. #include <cstdio>
  18. #include "timing.hpp"
  19. #include "threading.hpp"
  20. #include "snf_match.h"
  21. #include "snfCFGmgr.hpp"
  22. #include "snfNETmgr.hpp"
  23. #include "GBUdb.hpp"
  24. #include "histogram.hpp"
  25. class snfNETmgr; // Declare snfNETmgr
  26. extern const char* SNF_ENGINE_VERSION; // Declare the Engine Version Data
  27. using namespace std;
  28. //// DiscLogger ////////////////////////////////////////////////////////////////
  29. // Writes log files back to Disc and double buffers data to minimize contention
  30. // and delays. So - if it takes a few milliseconds to post the log to disc, the
  31. // application that post()s to the log does not have to wait. Write back happens
  32. // about once per second when enabled. Files can be appended or overwritten.
  33. class DiscLogger : private Thread { // Double buffered lazy writer.
  34. private:
  35. Mutex BufferControlMutex; // Protects buffers while swapping.
  36. Mutex FlushMutex; // Protects flush operations.
  37. string myPath; // Where the file should be written.
  38. string BufferA; // Log data buffer A.
  39. string BufferB; // Log data buffer B.
  40. bool UseANotB; // Indicates the active buffer.
  41. bool isDirty; // True if data not yet written.
  42. bool isBad; // True if last write failed.
  43. bool isTimeToStop; // True when shutting down.
  44. bool inAppendMode; // True when in append mode.
  45. string& FlushingBuffer() { return ((UseANotB)?BufferA:BufferB); } // Returns the buffer for flushing.
  46. string& PostingBuffer() { return ((UseANotB)?BufferB:BufferA); } // Returns the buffer for posting.
  47. bool isEnabled; // True when this should run.
  48. void myTask(); // Write back thread task.
  49. public:
  50. DiscLogger(string N = "UnNamed"); // Constructs and starts the thread.
  51. ~DiscLogger(); // Flushes and stops the thread.
  52. string Path(const string PathName) { // Sets the file path.
  53. ScopeMutex NewSettings(BufferControlMutex);
  54. myPath = PathName;
  55. return myPath;
  56. }
  57. string Path() { // Returns the file path.
  58. ScopeMutex DontMove(BufferControlMutex);
  59. return myPath;
  60. }
  61. bool AppendMode(const bool AppendNotOverwrite) { // Sets append mode if true.
  62. return (inAppendMode = AppendNotOverwrite);
  63. }
  64. bool AppendMode() { return (inAppendMode); } // True if in append mode.
  65. bool OverwriteMode(const bool OverwriteNotAppend) { // Sets overwrite mode if true.
  66. return (inAppendMode = (!OverwriteNotAppend));
  67. }
  68. bool OverwriteMode() { return (!inAppendMode); } // True if in overwrite mode.
  69. void post(const string Input, const string NewPath = ""); // Post Input to log, [set path].
  70. void flush(); // Flush right now!
  71. bool Bad() { return (isBad); } // True if last write failed.
  72. bool Good() { return (!isBad); } // True if not Bad();
  73. bool Dirty() { return (isDirty); } // True if data needs to be written.
  74. bool Enabled(const bool MakeEnabled) { return (isEnabled = MakeEnabled); } // Enables writing if true.
  75. bool Enabled() { return (isEnabled); } // True if enabled.
  76. const static ThreadType Type; // The thread's type.
  77. const static ThreadState DiscLogger_Flush; // Flushing state.
  78. const static ThreadState DiscLogger_Wait; // Waiting state.
  79. };
  80. //// IPTestRecord //////////////////////////////////////////////////////////////
  81. // Contains a complete analysis of a given IP. snf_RulebaseHandler provides a
  82. // test facility that accepts and processes IPTestRecord objects. The calling
  83. // process can then submit the IPTestRecord along with it's action to the
  84. // snfLOGmgr for logging.
  85. class IPTestRecord { // IP Analysis Record.
  86. public:
  87. IP4Address IP; // The IP to be tested.
  88. GBUdbRecord G; // The GBUdb Record for the IP.
  89. snfIPRange R; // The GBUdb classification (range).
  90. int Code; // Code associated with Range.
  91. IPTestRecord(IP4Address testIP) : IP(testIP), Code(0) {} // Construct with an IP.
  92. };
  93. //// snfScanData ///////////////////////////////////////////////////////////////
  94. // Contains testing data for a message.
  95. // It's defined here in the LOGmgr module because this is the module that must
  96. // log and collect statistics for each scanned message. The snfScanData object
  97. // is the standardized way each engine reports it's scan results to snfLOGmgr.
  98. const int MaxIPsPerMessage = 50; // Maximum number of IPs to scan per message.
  99. struct IPScanRecord { // Structure for IP scan results.
  100. int Ordinal; // Which IP starting with zero.
  101. unsigned int IP; // What is the IP.
  102. GBUdbRecord GBUdbData; // GBUdb data.
  103. };
  104. class snfScanData { // Scan Data record for each message.
  105. private:
  106. IPScanRecord MyIPScanData[MaxIPsPerMessage]; // Array of IP scan results.
  107. int MyIPCount; // Count of IP scan results.
  108. bool DrillDownFlags[MaxIPsPerMessage]; // DrillDown flags. (Set Ignore).
  109. int SourceIPOrdinal; // Ordinal to source IP scan data.
  110. bool SourceIPFoundFlag; // True if source IP is set.
  111. snfIPRange SourceIPRangeFlag; // GBUdb detection range for source IP.
  112. IP4Address myCallerForcedSourceIP; // Caller forced source IP if not 0UL.
  113. IP4Address myHeaderDirectiveSourceIP; // Header forced source IP if not 0UL.
  114. public:
  115. snfScanData(int ScanHorizon); // Constructor.
  116. ~snfScanData(); // Destructor.
  117. // The ReadyToClear bit helps multi-phase input situations where the first
  118. // phase might add some input data before calling the base-level scanner.
  119. // In those cases, the pre-scan-phase will clear() the ScanData (and with
  120. // it the ReadyToClear bit) before adding a few critical pieces of data -
  121. // such as the scan name and the scan-start UTC for example. When the base
  122. // level scanner is called to perform the actual scan, the clear() call
  123. // will be inert so that any pre-set data will be preserved.
  124. bool ReadyToClear; // True when Logging is done.
  125. void clear(); // Clear for a new message.
  126. class NoFreeIPScanRecords {}; // Thrown when we run out of scan records.
  127. class OutOfBounds {}; // Thrown in IPScanData if no record at i.
  128. int IPScanCount(); // Return the number of IPs.
  129. IPScanRecord& newIPScanRecord(); // Get the next free IP scan record.
  130. IPScanRecord& IPScanData(int i); // Return the IP scan record i.
  131. // 20080221 _M We can now define in header directives patterns for Received
  132. // headers that we should drill past if they show up as a message source
  133. // candidate. This allows GBUdb to learn to ignore certain IPs automatically
  134. // as they arrive either by IP stubs such as "[12.34.56." or by reverse DNS
  135. // data such as "friendly.example.com [". When the header directives engine
  136. // scans the headers it will call drillPastOrdinal for any Received header
  137. // that matches a <drilldown/> directive. Later when the header analysis
  138. // engine tries to pick the source for the message it will check each source
  139. // candidate against the isDrillDownSource() method. If the source is to be
  140. // ignored then it will set the ignore flag for that IP, process it as if
  141. // it were ignored, and continue searching for the actual source.
  142. void drillPastOrdinal(int O); // Sets Drill Down flag for IP record O.
  143. bool isDrillDownSource(IPScanRecord& X); // True if we drill through this source.
  144. IP4Address HeaderDirectiveSourceIP(IP4Address A); // set Header directive source IP.
  145. IP4Address HeaderDirectiveSourceIP(); // get Header directive source IP.
  146. IP4Address CallerForcedSourceIP(IP4Address A); // set Caller forced source IP.
  147. IP4Address CallerForcedSourceIP(); // get Caller forced source IP.
  148. IPScanRecord& SourceIPRecord(IPScanRecord& X); // Sets the source IP record.
  149. IPScanRecord& SourceIPRecord(); // Gets the source IP record.
  150. bool FoundSourceIP(); // True if the source IP record was set.
  151. snfIPRange SourceIPRange(); // GET Source IP range.
  152. snfIPRange SourceIPRange(snfIPRange R); // SET Source IP range for this scan.
  153. // Direct access data...
  154. string SourceIPEvaluation; // GBUdb Source IP evaluation.
  155. // LogControl and General Message Flags
  156. time_t StartOfJobUTC; // Timestamp at start of job.
  157. int SetupTime; // Time in ms spent setting up to scan.
  158. string ScanName; // Identifying name or message file name.
  159. Timer ScanTime; // Scan time in ms.
  160. int ScanDepth; // Scan Depth in evaluators.
  161. string ClassicLogText; // Classic log entry text if any.
  162. string XMLLogText; // XML log entry text if any.
  163. string XHDRsText; // XHeaders text if any.
  164. bool XHeaderInjectOn; // True if injecting headers is on.
  165. bool XHeaderFileOn; // True if creating .xhdr file is on.
  166. bool MessageFileTypeCGPOn; // Expect a CGP type message file.
  167. int ScanSize; // What size is the scan request.
  168. // GBUdb Activity Flags
  169. bool GBUdbNormalTriggered; // True if GBUdb indeterminate IP source.
  170. bool GBUdbWhiteTriggered; // True if GBUdb found source IP white.
  171. bool GBUdbWhiteSymbolForced; // True if white was on and symbol was set.
  172. bool GBUdbPatternSourceConflict; // True if pattern was found with white IP.
  173. bool GBUdbAutoPanicTriggered; // True if autopanic was triggered.
  174. bool GBUdbAutoPanicExecuted; // True if an autopanic was added.
  175. bool GBUdbBlackTriggered; // True if GBUdb found source IP black.
  176. bool GBUdbBlackSymbolForced; // True if black was on and symbol was set.
  177. bool GBUdbTruncateTriggered; // True if Truncate was possible.
  178. bool GBUdbPeekTriggered; // True if we could peek.
  179. bool GBUdbSampleTriggered; // True if we could sample.
  180. bool GBUdbTruncateExecuted; // True if we actually did truncate.
  181. bool GBUdbPeekExecuted; // True if we peeked instead of truncating.
  182. bool GBUdbSampleExecuted; // True if we sampled.
  183. bool GBUdbCautionTriggered; // True if GBUdb found source IP suspicous.
  184. bool GBUdbCautionSymbolForced; // True if caution was on and symbol was set.
  185. // Rule panics
  186. set<int> RulePanics; // A list of rule IDs panicked this scan.
  187. // Pattern Engine Scan Result Data
  188. vector<unsigned char> FilteredData; // Message data after filter chain.
  189. unsigned long int HeaderDirectiveFlags; // Flags set by header directives.
  190. bool PatternWasFound; // True if the pattern engine matched.
  191. int PatternID; // The winning rule ID.
  192. int PatternSymbol; // The associated symbol.
  193. list<snf_match> MatchRecords; // List of match records.
  194. list<snf_match>::iterator MatchRecordsCursor; // Localized iterator for match records.
  195. int MatchRecordsDelivered; // Match records seen so far.
  196. int CompositeFinalResult; // What the scan function returned.
  197. };
  198. //// SMHDMY counter
  199. //
  200. // Provides a running SUM for a series of sliding windows. The input() expects
  201. // a new piece of data every second (or so). It is presumed that another counter
  202. // will keep track of the actual milliseconds if accuracy is required. The object
  203. // is all primative data parts so it is possible to store and retrieve this object
  204. // in binary format on the same system when that's helpful.
  205. class snf_SMHDMY_Counter { // Sliding window "live" counter.
  206. private:
  207. bool do_input(int X, int& SUM, int* DATA, int& ORDINAL, int SIZE); // Subroutine for assimilating input.
  208. public:
  209. snf_SMHDMY_Counter() { // When making a new one, reset all
  210. memset(this, 0, sizeof(snf_SMHDMY_Counter)); // data to zero. It's all ints ;-)
  211. }
  212. // 60 seconds is a minute (6 x 10)
  213. int SEC6DATA[6], SEC6SUM, SEC6ORDINAL;
  214. int SEC10DATA[10], SEC10SUM, SEC10ORDINAL;
  215. // 60 minutes is an hour (6 x 10)
  216. int MIN6DATA[6], MIN6SUM, MIN6ORDINAL;
  217. int MIN10DATA[10], MIN10SUM, MIN10ORDINAL;
  218. // 24 hours is a day (4 x 6)
  219. int HOUR4DATA[4], HOUR4SUM, HOUR4ORDINAL;
  220. int HOUR6DATA[6], HOUR6SUM, HOUR6ORDINAL;
  221. // 7 days is a week (7)
  222. int WEEK7DATA[7], WEEK7SUM, WEEK7ORDINAL;
  223. // 30 days is a month (5 x 6)
  224. int MONTH5DATA[5], MONTH5SUM, MONTH5ORDINAL;
  225. int MONTH6DATA[6], MONTH6SUM, MONTH6ORDINAL;
  226. // 12 months (almost) is a year (3 x 4)
  227. int YEAR3DATA[3], YEAR3SUM, YEAR3ORDINAL;
  228. int YEAR4DATA[4], YEAR4SUM, YEAR4ORDINAL;
  229. // 365 days is a year
  230. int YEAR365DATA[365], YEAR365SUM, YEAR365ORDINAL;
  231. void input(int X); // Add new data to the counter.
  232. bool Cycled60Seconds() { return (0 == SEC6ORDINAL && 0 == SEC10ORDINAL); } // Full cycle of data for seconds.
  233. int Sum60Seconds() { return SEC10SUM; }
  234. int Sum66Seconds() { return (SEC6SUM + SEC10SUM); }
  235. int SumThru1Minute() { return Sum66Seconds(); } // All samples thru one minute.
  236. bool Cycled60Minutes() { // Full cycle of data for minutes.
  237. return (Cycled60Seconds() && 0 == MIN6ORDINAL && 0 == MIN10ORDINAL);
  238. }
  239. int Sum60Minutes() { return MIN10SUM; }
  240. int Sum66Minutes() { return (MIN6SUM + MIN10SUM); }
  241. int SumThru1Hour() { return SumThru1Minute() + Sum66Minutes(); } // All samples thru one hour.
  242. bool Cycled24Hours() { // Full cycle of data for hours.
  243. return (Cycled60Minutes() && 0 == HOUR4ORDINAL && 0 == HOUR6ORDINAL);
  244. }
  245. int Sum24Hours() { return HOUR6SUM; }
  246. int Sum28Hours() { return (HOUR4SUM + HOUR6SUM); }
  247. int SumThru1Day() { return SumThru1Hour() + Sum28Hours(); } // All samples thru one day.
  248. bool Cycled7Days() { return (Cycled24Hours() && 0 == WEEK7ORDINAL); } // Full cycle of data for week.
  249. int Sum7Days() { return WEEK7SUM; }
  250. int SumThru1Week() { return SumThru1Day() + Sum7Days(); } // All samples thru one week.
  251. bool Cycled30Days() { // Full cycle of data for month.
  252. return (Cycled24Hours() && 0 == MONTH6ORDINAL && 0 == MONTH5ORDINAL);
  253. }
  254. int Sum30Days() { return MONTH6SUM; }
  255. int Sum35Days() { return (MONTH5SUM + MONTH6SUM); }
  256. int SumThru1Month() { return SumThru1Day() + Sum35Days(); } // All samples thu one month.
  257. bool Cycled12Months() { // Full cycle of data for 12 months.
  258. return (Cycled30Days() && 0 == YEAR3ORDINAL && 0 == YEAR4ORDINAL);
  259. }
  260. int Sum450Days() { return (YEAR3SUM + YEAR4SUM); }
  261. int SumThru1Year() { return SumThru1Month() + Sum450Days(); } // All samples thru one year.
  262. bool Cycled365Days() { return (Cycled24Hours() && 0 == YEAR365ORDINAL); } // Full cycle of data for 365 days.
  263. int Sum365Days() { return YEAR365SUM; }
  264. };
  265. //// snfLOGmgr /////////////////////////////////////////////////////////////////
  266. // A note about the LOG manager and configuration data:
  267. // Events that are logged with the log manager may come from scans using
  268. // different configurations. In order to keep things as sane as possible,
  269. // operations that are dependent on configuration information such as creating
  270. // log file entries or producing status page data will require that an
  271. // appropriate snfCFGData object be provided by reference and that the
  272. // snfCFGData object be guaranteed to remain stable for the duration of the
  273. // call. Changing snfCFGData may result in inconsistent results.
  274. //
  275. // This requirement is fairly easy to accomplish since posts to the LOGmgr
  276. // will come from scanning engines that have a snfCFGPacket "grab()ed" during
  277. // their operations, and executive requests will come from the ruelbase
  278. // manager which can grab a snfCFGPacket for the duration of the request.
  279. const int NumberOfResultCodes = 64;
  280. class snfCounterPack {
  281. public:
  282. snfCounterPack(); // Construct new CounterPacks clean.
  283. void reset(); // How to reset a counter pack.
  284. Timer ActiveTime; // Measures Active (swapped in) Time.
  285. struct {
  286. unsigned long Scans; // Number of messages scanned.
  287. unsigned long Spam; // Count of spam results.
  288. unsigned long Ham; // Count of ham results.
  289. unsigned long GBUdbNormalTriggered; // Count of indeterminate gbudb IP hits.
  290. unsigned long GBUdbWhiteTriggered; // Count of GBUdb found source IP white.
  291. unsigned long GBUdbWhiteSymbolForced; // Count of white was on and symbol was set.
  292. unsigned long GBUdbPatternSourceConflict; // Count of pattern was found with white IP.
  293. unsigned long GBUdbAutoPanicTriggered; // Count of autopanic was triggered.
  294. unsigned long GBUdbAutoPanicExecuted; // Count of an autopanic was added.
  295. unsigned long GBUdbBlackTriggered; // Count of GBUdb found source IP black.
  296. unsigned long GBUdbBlackSymbolForced; // Count of black was on and symbol was set.
  297. unsigned long GBUdbTruncateTriggered; // Count of Truncate was possible.
  298. unsigned long GBUdbPeekTriggered; // Count of we could peek.
  299. unsigned long GBUdbSampleTriggered; // Count of we could sample.
  300. unsigned long GBUdbTruncateExecuted; // Count of if we actually did truncate.
  301. unsigned long GBUdbPeekExecuted; // Count of we peeked instead of truncating.
  302. unsigned long GBUdbSampleExecuted; // Count of we sampled.
  303. unsigned long GBUdbCautionTriggered; // Count of GBUdb found source IP suspicous.
  304. unsigned long GBUdbCautionSymbolForced; // Count of caution was on and symbol was set.
  305. unsigned long PatternWasFound; // Count of scanner matches.
  306. unsigned long RulePanicFound; // Count of rule panics.
  307. } Events;
  308. };
  309. //// Interval timers precisely track the time between hack()s. There are
  310. //// two timers inside. One is active, the other is stopped. Each time hack()
  311. //// is called, one timer becomes active at the moment the other is stopped.
  312. class IntervalTimer { // Precision interval timer.
  313. private:
  314. Timer A; // Here is one timer.
  315. Timer B; // Here is the other timer.
  316. bool ANotB; // True if A is the active timer.
  317. Timer& Active(); // Selects the active timer.
  318. Timer& Inactive(); // Selects the inactive timer.
  319. public:
  320. msclock hack(); // Chop off a new interval & return it.
  321. msclock Interval(); // Return the last interval.
  322. msclock Elapsed(); // Return the time since last hack.
  323. };
  324. //// PersistentState stores the counters we keep between runs.
  325. class snfLOGPersistentState {
  326. public:
  327. snfLOGPersistentState() : Ready(0) {}
  328. bool Ready; // True if we're ready to use.
  329. void store(string& FileNameToStore); // Write the whole thing to a file.
  330. void restore(string& FileNameToRestore); // Read the whole thing from a file.
  331. time_t LastSyncTime; // time_t of last Sync event.
  332. time_t LastSaveTime; // time_t of last GBUdb Save event.
  333. time_t LastCondenseTime; // time_t of last GBUdb Condense event.
  334. int LatestRuleID; // Latest rule ID seen so far.
  335. int SerialNumberCounter; // Remembers the serial number.
  336. };
  337. class snfLOGmgr : private Thread {
  338. private:
  339. Mutex MyMutex; // Mutex to serialize updates & queries.
  340. Mutex ConfigMutex; // Mutex to protect config changes.
  341. Mutex SerialNumberMutex; // Protects the serial number.
  342. Mutex PeekMutex; // Protects Peek Loop Counter.
  343. Mutex SampleMutex; // Protects Sample Loop Counter.
  344. Mutex StatusReportMutex; // Protects status report post & get.
  345. volatile int PeekEnableCounter; // How many peek attempts recently?
  346. volatile int SampleEnableCounter; // How many sample attempts recently?
  347. snfCounterPack CounterPackA, CounterPackB; // Swapable counter packs.
  348. snfCounterPack* CurrentCounters; // Current Event Counters.
  349. snfCounterPack* ReportingCounters; // Counters being used to collect data.
  350. snfCounterPack* getSnapshot(); // Get a copy of the current counters.
  351. volatile bool Configured; // True if we're properly configured.
  352. volatile bool TimeToDie; // True when the thread should stop.
  353. void myTask(); // Thread task.
  354. time_t StartupTime; // Time since engine started.
  355. snfLOGPersistentState Status; // Persistent State Data.
  356. string PersistentFileName; // File name for the State Data.
  357. snfNETmgr* myNETmgr; // Net manager link.
  358. GBUdb* myGBUdb; // GBUdb link.
  359. // Configuration
  360. string ActiveRulebaseUTC; // UTC of last successful load.
  361. string AvailableRulebaseUTC; // UTC of rulebase available for update.
  362. bool NewerRulebaseIsAvailable; // True if a newer rulebase is available.
  363. string myPlatformVersion; // Version info for platform.
  364. bool Rotate_LocalTime; // Rotate logs using localtime.
  365. string LogsPath; // Path to logs directory.
  366. bool ClassicLogRotate; // True = Rotate Classic Log.
  367. bool XMLLogRotate; // True = Rotate XML Log.
  368. // Live stats
  369. snf_SMHDMY_Counter MessageCounter;
  370. snf_SMHDMY_Counter HamCounter;
  371. snf_SMHDMY_Counter SpamCounter;
  372. snf_SMHDMY_Counter WhiteCounter;
  373. snf_SMHDMY_Counter CautionCounter;
  374. snf_SMHDMY_Counter BlackCounter;
  375. snf_SMHDMY_Counter TruncateCounter;
  376. snf_SMHDMY_Counter SampleCounter;
  377. snf_SMHDMY_Counter AutoPanicCounter;
  378. snf_SMHDMY_Counter RulePanicCounter;
  379. snf_SMHDMY_Counter TimeCounter;
  380. // Histograms
  381. Histogram ResultsSecond;
  382. Histogram ResultsMinute;
  383. Histogram ResultsHour;
  384. Histogram RulesSecond;
  385. Histogram RulesMinute;
  386. Histogram RulesHour;
  387. Histogram PanicsSecond;
  388. Histogram PanicsMinute;
  389. Histogram PanicsHour;
  390. // Reporting
  391. string NodeId; // We need this for our status msgs.
  392. void do_StatusReports(); // Update & sequence status reports.
  393. int XML_Log_Mode; // What is the XML log mode.
  394. int Classic_Log_Mode; // What is the Classic log mode.
  395. // Every second we get the basics and collect data. (local only)
  396. bool SecondReport_Log_OnOff;
  397. bool SecondReport_Append_OnOff;
  398. string SecondReport_Log_Filename;
  399. string SecondReportText;
  400. string SecondReportTimestamp;
  401. bool do_SecondReport(); // Send our 1 second status report.
  402. // Every minute we get hard data and event logs. (for sync)
  403. bool MinuteReport_Log_OnOff;
  404. bool MinuteReport_Append_OnOff;
  405. string MinuteReport_Log_Filename;
  406. string MinuteReportText;
  407. string MinuteReportTimestamp;
  408. Histogram PatternRulesHistogram;
  409. bool do_MinuteReport(); // Send our 1 minute status report.
  410. // Every hour we get a summary.
  411. bool HourReport_Log_OnOff;
  412. bool HourReport_Append_OnOff;
  413. string HourReport_Log_Filename;
  414. string HourReportText;
  415. string HourReportTimestamp;
  416. bool do_HourReport(); // Send our 1 hour status report.
  417. void postStatusLog( // Post a Status log if required.
  418. const string& LogData, // Here's the log entry's data.
  419. const string& LogFileName, // Here is where it should go.
  420. const bool LogEnabled, // This is true if we should write it.
  421. const bool AppendNotOverwrite, // True=Append, False=Overwrite.
  422. DiscLogger& Logger // Lazy Log Writer to use.
  423. );
  424. DiscLogger SecondStatusLogger; // Lazy writer for Second status.
  425. DiscLogger MinuteStatusLogger; // Lazy writer for Minute status.
  426. DiscLogger HourStatusLogger; // Lazy writer for Hour status.
  427. DiscLogger XMLScanLogger; // Lazy writer for XML Scan log.
  428. DiscLogger ClassicScanLogger; // Lazy writer for Classic Scan log.
  429. void doXHDRs(snfCFGData& CFGData, snfScanData& ScanData); // XHDR sub routine for LogThisScan()
  430. void doXMLLogs(snfCFGData& CFGData, snfScanData& ScanData); // XML sub routine for LogThisScan()
  431. void doClassicLogs(snfCFGData& CFGData, snfScanData& ScanData); // Classic sub routine for LogThisScan()
  432. void captureLTSMetrics(snfCFGData& CFGData, snfScanData& ScanData); // LogThisScan section 1, Locked.
  433. void performLTSLogging(snfCFGData& CFGData, snfScanData& ScanData); // LogThisScan section 2, Unlocked.
  434. public:
  435. snfLOGmgr(); // Initialize & start the thread.
  436. ~snfLOGmgr(); // Stop the thread & clean up.
  437. void stop(); // Stops the manager.
  438. void linkNETmgr(snfNETmgr& N); // Link in my NETmgr
  439. void linkGBUdb(GBUdb& G); // Link in my GBUdb
  440. void configure(snfCFGData& CFGData); // Update the configuration.
  441. void updateActiveUTC(string ActiveUTC); // Set active rulebase UTC.
  442. void logThisIPTest(IPTestRecord& I, string Action); // Capthre the data from an IP test.
  443. void logThisScan(snfCFGData& CFGData, snfScanData& ScanData); // Capture the data from this scan.
  444. void logThisError(snfScanData& ScanData, const string ContextName, // Inject an error log entry for this
  445. const int Code, const string Text // scan using this number & message.
  446. );
  447. void logThisError(string ContextName, int Code, string Text); // Log an error message.
  448. void logThisInfo(string ContextName, int Code, string text); // Log an informational message.
  449. string PlatformVersion(string NewPlatformVersion); // Set platform version info.
  450. string PlatformVersion(); // Get platform version info.
  451. string EngineVersion(); // Get engine version info.
  452. void updateAvailableUTC(string& AvailableRulebaseTimestamp); // Stores Available, true==update ready.
  453. string ActiveRulebaseTimestamp(); // Get active rulebase timestamp.
  454. string AvailableRulebaseTimestamp(); // Get available rulebase timestamp.
  455. bool isUpdateAvailable(); // True if update is available.
  456. bool OkToPeek(int PeekOneInX); // Check to see if it's ok to peek.
  457. bool OkToSample(int SampleOneInX); // Check to see if it's ok to sample.
  458. time_t Timestamp(); // Get an ordinary timestamp.
  459. string Timestamp(time_t t); // Convert time_t to a timestamp s.
  460. string& Timestamp(string& s); // Appends a current timestamp in s.
  461. string LocalTimestamp(time_t t); // Convert time_t to a local timestamp s.
  462. string& LocalTimestamp(string& s); // Appends a current local timestamp in s.
  463. unsigned int SerialNumber(); // Returns the next serial number.
  464. string& SerialNumber(string& s); // Appends the next serial number.
  465. void RecordSyncEvent(); // Sets timestamp of latest Sync.
  466. int SecsSinceLastSync(); // Gets seconds since latest Sync.
  467. void RecordSaveEvent(); // Sets timestamp of latest Save.
  468. int SecsSinceLastSave(); // Gets seconds since latest Save.
  469. void RecordCondenseEvent(); // Sets timestamp of latest Condense.
  470. int SecsSinceLastCondense(); // Gets seconds since latest Condense.
  471. // Live stats functions
  472. double MessagesPerMinute(); // Avg Msgs/Minute.
  473. double HamPerMinute(); // Avg Ham/Minute.
  474. double SpamPerMinute(); // Avg Spam/Minute.
  475. double WhitePerMinute(); // Avg White/Minute.
  476. double CautionPerMinute(); // Avg Caution/Minute.
  477. double BlackPerMinute(); // Avg Black/Minute.
  478. double TruncatePerMinute(); // Avg Truncate/Minute.
  479. double SamplePerMinute(); // Avg Sample/Minute.
  480. int LatestRuleID(); // Returns the latest Rule ID seen.
  481. int RunningTime(); // Seconds running since startup.
  482. string getStatusSecondReport(); // Get latest status.second report.
  483. string getStatusMinuteReport(); // Get latest status.minute report.
  484. string getStatusHourReport(); // Get latest status.hour report.
  485. const static ThreadType Type; // The thread's type.
  486. };
  487. #include "snfLOGmgr.inline.hpp"
  488. #endif
  489. //// End snfLOGmgr include only once
  490. ////////////////////////////////////////////////////////////////////////////////