
  1. // snfLOGmgr.hpp
  2. //
  3. // (C) Copyright 2006 - 2020 ARM Research Labs, LLC.
  4. // See www.armresearch.com for the copyright terms.
  5. //
  6. // SNF Logging and Statistics engine.
  7. ////////////////////////////////////////////////////////////////////////////////
  8. //// Begin snfLOGmgr include only once
  9. #pragma once
  10. #include <list>
  11. #include <set>
  12. #include <string>
  13. #include <vector>
  14. #include <sstream>
  15. #include <ctime>
  16. #include <cstdio>
  17. #include "snf_match.h"
  18. #include "snfCFGmgr.hpp"
  19. #include "snfNETmgr.hpp"
  20. #include "GBUdb.hpp"
  21. #include "../CodeDweller/timing.hpp"
  22. #include "../CodeDweller/threading.hpp"
  23. #include "../CodeDweller/histogram.hpp"
namespace cd = codedweller; // Short alias for the CodeDweller support library namespace (timing, threading, histogram).
class snfNETmgr; // Declare snfNETmgr (forward declaration; snfLOGmgr only keeps a pointer to it).
extern const char* SNF_ENGINE_VERSION; // Declare the Engine Version Data (defined in another translation unit).
  27. //// DiscLogger ////////////////////////////////////////////////////////////////
  28. // Writes log files back to Disc and double buffers data to minimize contention
  29. // and delays. So - if it takes a few milliseconds to post the log to disc, the
  30. // application that post()s to the log does not have to wait. Write back happens
  31. // about once per second when enabled. Files can be appended or overwritten.
class DiscLogger : private cd::Thread { // Double buffered lazy writer.
private:
    cd::Mutex BufferControlMutex; // Protects buffers while swapping; also guards myPath in Path().
    cd::Mutex FlushMutex; // Protects flush operations.
    std::string myPath; // Where the file should be written.
    std::string BufferA; // Log data buffer A.
    std::string BufferB; // Log data buffer B.
    bool UseANotB; // Selects the buffers: true => A is flushed, B receives posts (see FlushingBuffer()/PostingBuffer()).
    bool isDirty; // True if data not yet written.
    bool isBad; // True if last write failed.
    bool isTimeToStop; // True when shutting down.
    bool inAppendMode; // True when in append mode.
    // NOTE(review): the bool flags above are plain (non-atomic) and the inline
    // setters/getters below touch them without taking either mutex, while
    // myTask() runs on its own thread -- confirm in the .cpp how that thread
    // synchronizes with them.
    std::string& FlushingBuffer() { return ((UseANotB)?BufferA:BufferB); } // Returns the buffer the writer drains.
    std::string& PostingBuffer() { return ((UseANotB)?BufferB:BufferA); } // Returns the buffer post() appends to.
    bool isEnabled; // True when this should run.
    void myTask(); // Write back thread task (defined elsewhere).
public:
    DiscLogger(std::string N = "UnNamed"); // Constructs and starts the thread. N's use is not visible here.
    ~DiscLogger(); // Flushes and stops the thread.
    std::string Path(const std::string PathName) { // Sets the file path; returns the new path.
        cd::ScopeMutex NewSettings(BufferControlMutex); // Path changes must not race a buffer swap.
        myPath = PathName;
        return myPath;
    }
    std::string Path() { // Returns the file path (a copy, taken under the lock).
        cd::ScopeMutex DontMove(BufferControlMutex);
        return myPath;
    }
    bool AppendMode(const bool AppendNotOverwrite) { // Sets append mode if true; returns the new setting.
        return (inAppendMode = AppendNotOverwrite);
    }
    bool AppendMode() { return (inAppendMode); } // True if in append mode.
    bool OverwriteMode(const bool OverwriteNotAppend) { // Sets overwrite mode if true; returns true when now overwriting.
        return (inAppendMode = (!OverwriteNotAppend));
    }
    bool OverwriteMode() { return (!inAppendMode); } // True if in overwrite mode.
    void post(const std::string Input, const std::string NewPath = ""); // Post Input to log, [set path]. Defined elsewhere.
    void flush(); // Flush right now! Defined elsewhere.
    bool Bad() { return (isBad); } // True if last write failed.
    bool Good() { return (!isBad); } // True if not Bad();
    bool Dirty() { return (isDirty); } // True if data needs to be written.
    bool Enabled(const bool MakeEnabled) { return (isEnabled = MakeEnabled); } // Enables writing if true; returns the new setting.
    bool Enabled() { return (isEnabled); } // True if enabled.
    const static cd::ThreadType Type; // The thread's type.
    const static cd::ThreadState DiscLogger_Flush; // Flushing state.
    const static cd::ThreadState DiscLogger_Wait; // Waiting state.
};
  79. //// IPTestRecord //////////////////////////////////////////////////////////////
  80. // Contains a complete analysis of a given IP. snf_RulebaseHandler provides a
  81. // test facility that accepts and processes IPTestRecord objects. The calling
// process can then submit the IPTestRecord along with its action to the
  83. // snfLOGmgr for logging.
class IPTestRecord { // IP Analysis Record.
public:
    cd::IP4Address IP; // The IP to be tested.
    GBUdbRecord G; // The GBUdb Record for the IP (default-constructed; filled in by the test facility).
    snfIPRange R; // The GBUdb classification (range) (default-constructed; filled in by the test facility).
    int Code; // Code associated with Range. Starts at 0.
    IPTestRecord(cd::IP4Address testIP) : IP(testIP), Code(0) {} // Construct with an IP; G and R are left at their defaults.
};
  92. //// snfScanData ///////////////////////////////////////////////////////////////
  93. // Contains testing data for a message.
  94. // It's defined here in the LOGmgr module because this is the module that must
  95. // log and collect statistics for each scanned message. The snfScanData object
// is the standardized way each engine reports its scan results to snfLOGmgr.
const int MaxIPsPerMessage = 50; // Maximum number of IPs to scan per message; sizes the fixed arrays in snfScanData.
struct IPScanRecord { // Structure for IP scan results (passive aggregate, one per IP seen in a message).
    int Ordinal; // Which IP starting with zero.
    unsigned int IP; // What is the IP (raw numeric form, unlike the cd::IP4Address used elsewhere).
    GBUdbRecord GBUdbData; // GBUdb data.
};
class snfScanData { // Scan Data record for each message.
private:
    IPScanRecord MyIPScanData[MaxIPsPerMessage]; // Array of IP scan results (fixed capacity).
    int MyIPCount; // Count of IP scan results in use.
    bool DrillDownFlags[MaxIPsPerMessage]; // DrillDown flags, indexed like MyIPScanData. (Set Ignore).
    int SourceIPOrdinal; // Ordinal to source IP scan data.
    bool SourceIPFoundFlag; // True if source IP is set.
    snfIPRange SourceIPRangeFlag; // GBUdb detection range for source IP.
    cd::IP4Address myCallerForcedSourceIP; // Caller forced source IP if not 0UL.
    cd::IP4Address myHeaderDirectiveSourceIP; // Header forced source IP if not 0UL.
public:
    snfScanData(int ScanHorizon); // Constructor. ScanHorizon's use is not visible here; see the .cpp.
    ~snfScanData(); // Destructor.
    // The ReadyToClear bit helps multi-phase input situations where the first
    // phase might add some input data before calling the base-level scanner.
    // In those cases, the pre-scan-phase will clear() the ScanData (and with
    // it the ReadyToClear bit) before adding a few critical pieces of data -
    // such as the scan name and the scan-start UTC for example. When the base
    // level scanner is called to perform the actual scan, the clear() call
    // will be inert so that any pre-set data will be preserved.
    bool ReadyToClear; // True when Logging is done.
    void clear(); // Clear for a new message (inert unless ReadyToClear is set; see above).
    class NoFreeIPScanRecords {}; // Thrown when we run out of scan records.
    class OutOfBounds {}; // Thrown in IPScanData if no record at i.
    int IPScanCount(); // Return the number of IPs.
    IPScanRecord& newIPScanRecord(); // Get the next free IP scan record; throws NoFreeIPScanRecords when all MaxIPsPerMessage are used.
    IPScanRecord& IPScanData(int i); // Return the IP scan record i; throws OutOfBounds if there is no record i.
    // 20080221 _M We can now define in header directives patterns for Received
    // headers that we should drill past if they show up as a message source
    // candidate. This allows GBUdb to learn to ignore certain IPs automatically
    // as they arrive either by IP stubs such as "[12.34.56." or by reverse DNS
    // data such as "friendly.example.com [". When the header directives engine
    // scans the headers it will call drillPastOrdinal for any Received header
    // that matches a <drilldown/> directive. Later when the header analysis
    // engine tries to pick the source for the message it will check each source
    // candidate against the isDrillDownSource() method. If the source is to be
    // ignored then it will set the ignore flag for that IP, process it as if
    // it were ignored, and continue searching for the actual source.
    void drillPastOrdinal(int O); // Sets Drill Down flag for IP record O.
    bool isDrillDownSource(IPScanRecord& X); // True if we drill through this source.
    cd::IP4Address HeaderDirectiveSourceIP(cd::IP4Address A); // set Header directive source IP.
    cd::IP4Address HeaderDirectiveSourceIP(); // get Header directive source IP.
    cd::IP4Address CallerForcedSourceIP(cd::IP4Address A); // set Caller forced source IP.
    cd::IP4Address CallerForcedSourceIP(); // get Caller forced source IP.
    IPScanRecord& SourceIPRecord(IPScanRecord& X); // Sets the source IP record.
    IPScanRecord& SourceIPRecord(); // Gets the source IP record.
    bool FoundSourceIP(); // True if the source IP record was set.
    snfIPRange SourceIPRange(); // GET Source IP range.
    snfIPRange SourceIPRange(snfIPRange R); // SET Source IP range for this scan.
    // Direct access data...
    std::string SourceIPEvaluation; // GBUdb Source IP evaluation.
    // LogControl and General Message Flags
    time_t StartOfJobUTC; // Timestamp at start of job.
    int SetupTime; // Time in ms spent setting up to scan.
    std::string ScanName; // Identifying name or message file name.
    cd::Timer ScanTime; // Scan time in ms.
    int ScanDepth; // Scan Depth in evaluators.
    std::string ClassicLogText; // Classic log entry text if any.
    std::string XMLLogText; // XML log entry text if any.
    std::string XHDRsText; // XHeaders text if any.
    bool XHeaderInjectOn; // True if injecting headers is on.
    bool XHeaderFileOn; // True if creating .xhdr file is on.
    bool MessageFileTypeCGPOn; // Expect a CGP type message file.
    unsigned int ScanSize; // What size is the scan request.
    // GBUdb Activity Flags
    bool GBUdbNormalTriggered; // True if GBUdb indeterminate IP source.
    bool GBUdbWhiteTriggered; // True if GBUdb found source IP white.
    bool GBUdbWhiteSymbolForced; // True if white was on and symbol was set.
    bool GBUdbPatternSourceConflict; // True if pattern was found with white IP.
    bool GBUdbAutoPanicTriggered; // True if autopanic was triggered.
    bool GBUdbAutoPanicExecuted; // True if an autopanic was added.
    bool GBUdbBlackTriggered; // True if GBUdb found source IP black.
    bool GBUdbBlackSymbolForced; // True if black was on and symbol was set.
    bool GBUdbTruncateTriggered; // True if Truncate was possible.
    bool GBUdbPeekTriggered; // True if we could peek.
    bool GBUdbSampleTriggered; // True if we could sample.
    bool GBUdbTruncateExecuted; // True if we actually did truncate.
    bool GBUdbPeekExecuted; // True if we peeked instead of truncating.
    bool GBUdbSampleExecuted; // True if we sampled.
    bool GBUdbCautionTriggered; // True if GBUdb found source IP suspicious.
    bool GBUdbCautionSymbolForced; // True if caution was on and symbol was set.
    // Rule panics
    std::set<int> RulePanics; // A list of rule IDs panicked this scan.
    // Pattern Engine Scan Result Data
    std::vector<unsigned char> FilteredData; // Message data after filter chain.
    unsigned long int HeaderDirectiveFlags; // Flags set by header directives.
    bool PatternWasFound; // True if the pattern engine matched.
    int PatternID; // The winning rule ID.
    int PatternSymbol; // The associated symbol.
    std::list<snf_match> MatchRecords; // List of match records.
    std::list<snf_match>::iterator MatchRecordsCursor; // Localized iterator for match records. NOTE(review): a stored iterator -- must be reset whenever MatchRecords is cleared or the element it points at is erased.
    int MatchRecordsDelivered; // Match records seen so far.
    int CompositeFinalResult; // What the scan function returned.
};
  197. //// SMHDMY counter
  198. //
  199. // Provides a running SUM for a series of sliding windows. The input() expects
  200. // a new piece of data every second (or so). It is presumed that another counter
  201. // will keep track of the actual milliseconds if accuracy is required. The object
// is all primitive data parts so it is possible to store and retrieve this object
  203. // in binary format on the same system when that's helpful.
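class snf_SMHDMY_Counter { // Sliding window "live" counter.
private:
    // Shared step for one window: assimilates X into SUM/DATA/ORDINAL for a
    // ring of SIZE slots. Defined elsewhere; presumably the bool reports that
    // the ring wrapped (ORDINAL back to 0) so the next window can be fed --
    // confirm against the .cpp.
    bool do_input(int X, int& SUM, int* DATA, int& ORDINAL, int SIZE); // Subroutine for assimilating input.
public:
    // A new counter starts with every window empty. Each member is
    // value-initialized in declaration order instead of memset()ing *this:
    // the memset needed <cstring>, which this header does not include, and it
    // only stays correct for as long as the class remains a plain bag of ints.
    snf_SMHDMY_Counter() :
        SEC6DATA(), SEC6SUM(0), SEC6ORDINAL(0),
        SEC10DATA(), SEC10SUM(0), SEC10ORDINAL(0),
        MIN6DATA(), MIN6SUM(0), MIN6ORDINAL(0),
        MIN10DATA(), MIN10SUM(0), MIN10ORDINAL(0),
        HOUR4DATA(), HOUR4SUM(0), HOUR4ORDINAL(0),
        HOUR6DATA(), HOUR6SUM(0), HOUR6ORDINAL(0),
        WEEK7DATA(), WEEK7SUM(0), WEEK7ORDINAL(0),
        MONTH5DATA(), MONTH5SUM(0), MONTH5ORDINAL(0),
        MONTH6DATA(), MONTH6SUM(0), MONTH6ORDINAL(0),
        YEAR3DATA(), YEAR3SUM(0), YEAR3ORDINAL(0),
        YEAR4DATA(), YEAR4SUM(0), YEAR4ORDINAL(0),
        YEAR365DATA(), YEAR365SUM(0), YEAR365ORDINAL(0) {}
    // Each window is a ring (DATA), its running total (SUM) and the next
    // slot to overwrite (ORDINAL). Windows are public so the object can be
    // stored/restored as raw ints (see the class comment).
    // 60 seconds is a minute (6 x 10)
    int SEC6DATA[6], SEC6SUM, SEC6ORDINAL;
    int SEC10DATA[10], SEC10SUM, SEC10ORDINAL;
    // 60 minutes is an hour (6 x 10)
    int MIN6DATA[6], MIN6SUM, MIN6ORDINAL;
    int MIN10DATA[10], MIN10SUM, MIN10ORDINAL;
    // 24 hours is a day (4 x 6)
    int HOUR4DATA[4], HOUR4SUM, HOUR4ORDINAL;
    int HOUR6DATA[6], HOUR6SUM, HOUR6ORDINAL;
    // 7 days is a week (7)
    int WEEK7DATA[7], WEEK7SUM, WEEK7ORDINAL;
    // 30 days is a month (5 x 6)
    int MONTH5DATA[5], MONTH5SUM, MONTH5ORDINAL;
    int MONTH6DATA[6], MONTH6SUM, MONTH6ORDINAL;
    // 12 months (almost) is a year (3 x 4)
    int YEAR3DATA[3], YEAR3SUM, YEAR3ORDINAL;
    int YEAR4DATA[4], YEAR4SUM, YEAR4ORDINAL;
    // 365 days is a year
    int YEAR365DATA[365], YEAR365SUM, YEAR365ORDINAL;
    void input(int X); // Add new data to the counter (expected about once per second; defined elsewhere).
    // A window has "cycled" when its ordinal (and every finer window's) is
    // back at slot 0, i.e. a whole period of samples has been assimilated.
    bool Cycled60Seconds() { return (0 == SEC6ORDINAL && 0 == SEC10ORDINAL); } // Full cycle of data for seconds.
    int Sum60Seconds() { return SEC10SUM; } // Sum of the 10-slot seconds window.
    int Sum66Seconds() { return (SEC6SUM + SEC10SUM); } // Both seconds windows together.
    int SumThru1Minute() { return Sum66Seconds(); } // All samples thru one minute.
    bool Cycled60Minutes() { // Full cycle of data for minutes.
        return (Cycled60Seconds() && 0 == MIN6ORDINAL && 0 == MIN10ORDINAL);
    }
    int Sum60Minutes() { return MIN10SUM; } // Sum of the 10-slot minutes window.
    int Sum66Minutes() { return (MIN6SUM + MIN10SUM); } // Both minutes windows together.
    int SumThru1Hour() { return SumThru1Minute() + Sum66Minutes(); } // All samples thru one hour.
    bool Cycled24Hours() { // Full cycle of data for hours.
        return (Cycled60Minutes() && 0 == HOUR4ORDINAL && 0 == HOUR6ORDINAL);
    }
    int Sum24Hours() { return HOUR6SUM; } // Sum of the 6-slot hours window.
    int Sum28Hours() { return (HOUR4SUM + HOUR6SUM); } // Both hours windows together.
    int SumThru1Day() { return SumThru1Hour() + Sum28Hours(); } // All samples thru one day.
    bool Cycled7Days() { return (Cycled24Hours() && 0 == WEEK7ORDINAL); } // Full cycle of data for week.
    int Sum7Days() { return WEEK7SUM; } // Sum of the 7-slot days window.
    int SumThru1Week() { return SumThru1Day() + Sum7Days(); } // All samples thru one week.
    bool Cycled30Days() { // Full cycle of data for month (built on days, not weeks).
        return (Cycled24Hours() && 0 == MONTH6ORDINAL && 0 == MONTH5ORDINAL);
    }
    int Sum30Days() { return MONTH6SUM; } // Sum of the 6-slot month window.
    int Sum35Days() { return (MONTH5SUM + MONTH6SUM); } // Both month windows together.
    int SumThru1Month() { return SumThru1Day() + Sum35Days(); } // All samples thru one month.
    bool Cycled12Months() { // Full cycle of data for 12 months.
        return (Cycled30Days() && 0 == YEAR3ORDINAL && 0 == YEAR4ORDINAL);
    }
    int Sum450Days() { return (YEAR3SUM + YEAR4SUM); } // Both month-based year windows together.
    int SumThru1Year() { return SumThru1Month() + Sum450Days(); } // All samples thru one year.
    bool Cycled365Days() { return (Cycled24Hours() && 0 == YEAR365ORDINAL); } // Full cycle of data for 365 days.
    int Sum365Days() { return YEAR365SUM; } // Sum of the 365-slot days window.
};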
  264. //// snfLOGmgr /////////////////////////////////////////////////////////////////
  265. // A note about the LOG manager and configuration data:
  266. // Events that are logged with the log manager may come from scans using
  267. // different configurations. In order to keep things as sane as possible,
  268. // operations that are dependent on configuration information such as creating
  269. // log file entries or producing status page data will require that an
  270. // appropriate snfCFGData object be provided by reference and that the
  271. // snfCFGData object be guaranteed to remain stable for the duration of the
  272. // call. Changing snfCFGData may result in inconsistent results.
  273. //
  274. // This requirement is fairly easy to accomplish since posts to the LOGmgr
  275. // will come from scanning engines that have a snfCFGPacket "grab()ed" during
// their operations, and executive requests will come from the rulebase
  277. // manager which can grab a snfCFGPacket for the duration of the request.
const int NumberOfResultCodes = 64; // Number of distinct scan result codes. Not referenced in this header; presumably used by the .cpp.
class snfCounterPack { // One set of event counters plus the time they were active.
public:
    snfCounterPack(); // Construct new CounterPacks clean.
    void reset(); // How to reset a counter pack.
    cd::Timer ActiveTime; // Measures Active (swapped in) Time.
    struct { // Event tallies; each mirrors a flag of the same name on snfScanData.
        unsigned long Scans; // Number of messages scanned.
        unsigned long Spam; // Count of spam results.
        unsigned long Ham; // Count of ham results.
        unsigned long GBUdbNormalTriggered; // Count of indeterminate gbudb IP hits.
        unsigned long GBUdbWhiteTriggered; // Count of GBUdb found source IP white.
        unsigned long GBUdbWhiteSymbolForced; // Count of white was on and symbol was set.
        unsigned long GBUdbPatternSourceConflict; // Count of pattern was found with white IP.
        unsigned long GBUdbAutoPanicTriggered; // Count of autopanic was triggered.
        unsigned long GBUdbAutoPanicExecuted; // Count of an autopanic was added.
        unsigned long GBUdbBlackTriggered; // Count of GBUdb found source IP black.
        unsigned long GBUdbBlackSymbolForced; // Count of black was on and symbol was set.
        unsigned long GBUdbTruncateTriggered; // Count of Truncate was possible.
        unsigned long GBUdbPeekTriggered; // Count of we could peek.
        unsigned long GBUdbSampleTriggered; // Count of we could sample.
        unsigned long GBUdbTruncateExecuted; // Count of if we actually did truncate.
        unsigned long GBUdbPeekExecuted; // Count of we peeked instead of truncating.
        unsigned long GBUdbSampleExecuted; // Count of we sampled.
        unsigned long GBUdbCautionTriggered; // Count of GBUdb found source IP suspicious.
        unsigned long GBUdbCautionSymbolForced; // Count of caution was on and symbol was set.
        unsigned long PatternWasFound; // Count of scanner matches.
        unsigned long RulePanicFound; // Count of rule panics.
    } Events; // The counters themselves (anonymous struct type).
};
  308. //// Interval timers precisely track the time between hack()s. There are
  309. //// two timers inside. One is active, the other is stopped. Each time hack()
  310. //// is called, one timer becomes active at the moment the other is stopped.
class IntervalTimer { // Precision interval timer.
private:
    cd::Timer A; // Here is one timer.
    cd::Timer B; // Here is the other timer.
    bool ANotB; // True if A is the active timer.
    cd::Timer& Active(); // Selects the active timer.
    cd::Timer& Inactive(); // Selects the inactive timer.
public:
    // All members are defined elsewhere. There is no constructor here, so
    // ANotB's initial value is whatever the .cpp arranges -- confirm before use.
    cd::msclock hack(); // Chop off a new interval & return it (swaps which timer is active).
    cd::msclock Interval(); // Return the last interval.
    cd::msclock Elapsed(); // Return the time since last hack.
};
  323. //// PersistentState stores the counters we keep between runs.
class snfLOGPersistentState { // Counters kept between runs; store()/restore() move it to and from a file.
public:
    snfLOGPersistentState() : // Everything starts at zero / not ready.
        Ready(0),
        LastSyncTime(0),
        LastSaveTime(0),
        LastCondenseTime(0),
        LatestRuleID(0),
        SerialNumberCounter(0) {}
    bool Ready; // True if we're ready to use.
    void store(std::string& FileNameToStore); // Write the whole thing to a file (defined elsewhere).
    void restore(std::string& FileNameToRestore); // Read the whole thing from a file (defined elsewhere; presumably sets Ready -- confirm).
    time_t LastSyncTime; // time_t of last Sync event.
    time_t LastSaveTime; // time_t of last GBUdb Save event.
    time_t LastCondenseTime; // time_t of last GBUdb Condense event.
    int LatestRuleID; // Latest rule ID seen so far.
    int SerialNumberCounter; // Remembers the serial number.
};
class snfLOGmgr : private cd::Thread { // Logging and statistics engine; runs its own thread (myTask).
private:
    cd::Mutex MyMutex; // Mutex to serialize updates & queries.
    cd::Mutex ConfigMutex; // Mutex to protect config changes.
    cd::Mutex SerialNumberMutex; // Protects the serial number.
    cd::Mutex PeekMutex; // Protects Peek Loop Counter.
    cd::Mutex SampleMutex; // Protects Sample Loop Counter.
    cd::Mutex StatusReportMutex; // Protects status report post & get.
    snfCounterPack CounterPackA, CounterPackB; // Swapable counter packs.
    snfCounterPack* CurrentCounters; // Current Event Counters (points at one of the packs above).
    snfCounterPack* ReportingCounters; // Counters being used to collect data (the other pack).
    snfCounterPack* getSnapshot(); // Get a copy of the current counters. Returns a pointer; ownership not visible here.
    // NOTE(review): volatile does not provide inter-thread synchronization.
    // PeekEnableCounter/SampleEnableCounter have PeekMutex/SampleMutex above;
    // confirm in the .cpp how Configured and TimeToDie are synchronized
    // between the thread task and the public methods.
    volatile bool Configured; // True if we're properly configured.
    volatile bool TimeToDie; // True when the thread should stop.
    volatile int PeekEnableCounter; // How many peek attempts recently?
    volatile int SampleEnableCounter; // How many sample attempts recently?
    void myTask(); // Thread task (defined elsewhere).
    time_t StartupTime; // Time since engine started.
    snfLOGPersistentState Status; // Persistent State Data.
    std::string PersistentFileName; // File name for the State Data.
    snfNETmgr* myNETmgr; // Net manager link (set by linkNETmgr; non-owning).
    GBUdb* myGBUdb; // GBUdb link (set by linkGBUdb; non-owning).
    // Configuration
    std::string ActiveRulebaseUTC; // UTC of last successful load.
    std::string AvailableRulebaseUTC; // UTC of rulebase available for update.
    bool NewerRulebaseIsAvailable; // True if a newer rulebase is available.
    std::string myPlatformVersion; // Version info for platform.
    bool Rotate_LocalTime; // Rotate logs using localtime.
    std::string LogsPath; // Path to logs directory.
    bool ClassicLogRotate; // True = Rotate Classic Log.
    bool XMLLogRotate; // True = Rotate XML Log.
    // Live stats (one sliding-window counter per tracked quantity)
    snf_SMHDMY_Counter MessageCounter;
    snf_SMHDMY_Counter HamCounter;
    snf_SMHDMY_Counter SpamCounter;
    snf_SMHDMY_Counter WhiteCounter;
    snf_SMHDMY_Counter CautionCounter;
    snf_SMHDMY_Counter BlackCounter;
    snf_SMHDMY_Counter TruncateCounter;
    snf_SMHDMY_Counter SampleCounter;
    snf_SMHDMY_Counter AutoPanicCounter;
    snf_SMHDMY_Counter RulePanicCounter;
    snf_SMHDMY_Counter TimeCounter;
    // Histograms (per second / minute / hour for results, rules and panics)
    cd::Histogram ResultsSecond;
    cd::Histogram ResultsMinute;
    cd::Histogram ResultsHour;
    cd::Histogram RulesSecond;
    cd::Histogram RulesMinute;
    cd::Histogram RulesHour;
    cd::Histogram PanicsSecond;
    cd::Histogram PanicsMinute;
    cd::Histogram PanicsHour;
    // Reporting
    std::string NodeId; // We need this for our status msgs.
    void do_StatusReports(); // Update & sequence status reports.
    int XML_Log_Mode; // What is the XML log mode.
    int Classic_Log_Mode; // What is the Classic log mode.
    // Every second we get the basics and collect data. (local only)
    bool SecondReport_Log_OnOff; // Write the second report to its log file?
    bool SecondReport_Append_OnOff; // Append (true) or overwrite (false) that file.
    std::string SecondReport_Log_Filename; // Where the second report is written.
    std::string SecondReportText; // Latest second report (served by getStatusSecondReport()).
    std::string SecondReportTimestamp; // Timestamp of the latest second report.
    bool do_SecondReport(); // Send our 1 second status report.
    // Every minute we get hard data and event logs. (for sync)
    bool MinuteReport_Log_OnOff; // Write the minute report to its log file?
    bool MinuteReport_Append_OnOff; // Append (true) or overwrite (false) that file.
    std::string MinuteReport_Log_Filename; // Where the minute report is written.
    std::string MinuteReportText; // Latest minute report (served by getStatusMinuteReport()).
    std::string MinuteReportTimestamp; // Timestamp of the latest minute report.
    cd::Histogram PatternRulesHistogram; // Rule hits gathered for the minute report.
    bool do_MinuteReport(); // Send our 1 minute status report.
    // Every hour we get a summary.
    bool HourReport_Log_OnOff; // Write the hour report to its log file?
    bool HourReport_Append_OnOff; // Append (true) or overwrite (false) that file.
    std::string HourReport_Log_Filename; // Where the hour report is written.
    std::string HourReportText; // Latest hour report (served by getStatusHourReport()).
    std::string HourReportTimestamp; // Timestamp of the latest hour report.
    bool do_HourReport(); // Send our 1 hour status report.
    void postStatusLog( // Post a Status log if required.
        const std::string& LogData, // Here's the log entry's data.
        const std::string& LogFileName, // Here is where it should go.
        const bool LogEnabled, // This is true if we should write it.
        const bool AppendNotOverwrite, // True=Append, False=Overwrite.
        DiscLogger& Logger // Lazy Log Writer to use.
    );
    DiscLogger SecondStatusLogger; // Lazy writer for Second status.
    DiscLogger MinuteStatusLogger; // Lazy writer for Minute status.
    DiscLogger HourStatusLogger; // Lazy writer for Hour status.
    DiscLogger XMLScanLogger; // Lazy writer for XML Scan log.
    DiscLogger ClassicScanLogger; // Lazy writer for Classic Scan log.
    void doXHDRs(snfCFGData& CFGData, snfScanData& ScanData); // XHDR sub routine for LogThisScan()
    void doXMLLogs(snfCFGData& CFGData, snfScanData& ScanData); // XML sub routine for LogThisScan()
    void doClassicLogs(snfCFGData& CFGData, snfScanData& ScanData); // Classic sub routine for LogThisScan()
    void captureLTSMetrics(snfCFGData& CFGData, snfScanData& ScanData); // LogThisScan section 1, Locked.
    void performLTSLogging(snfCFGData& CFGData, snfScanData& ScanData); // LogThisScan section 2, Unlocked.
public:
    snfLOGmgr(); // Initialize & start the thread.
    ~snfLOGmgr(); // Stop the thread & clean up.
    void stop(); // Stops the manager.
    void linkNETmgr(snfNETmgr& N); // Link in my NETmgr (stored as a pointer; N must outlive this object).
    void linkGBUdb(GBUdb& G); // Link in my GBUdb (stored as a pointer; G must outlive this object).
    // The snfCFGData passed to configure()/logThisScan() must stay stable for
    // the duration of the call (see the note above the class).
    void configure(snfCFGData& CFGData); // Update the configuration.
    void updateActiveUTC(std::string ActiveUTC); // Set active rulebase UTC.
    void logThisIPTest(IPTestRecord& I, std::string Action); // Capture the data from an IP test.
    void logThisScan(snfCFGData& CFGData, snfScanData& ScanData); // Capture the data from this scan.
    void logThisError(snfScanData& ScanData, const std::string ContextName, // Inject an error log entry for this
        const int Code, const std::string Text // scan using this number & message.
    );
    void logThisError(std::string ContextName, int Code, std::string Text); // Log an error message.
    void logThisInfo(std::string ContextName, int Code, std::string text); // Log an informational message.
    std::string PlatformVersion(std::string NewPlatformVersion); // Set platform version info.
    std::string PlatformVersion(); // Get platform version info.
    std::string EngineVersion(); // Get engine version info.
    void updateAvailableUTC(std::string& AvailableRulebaseTimestamp); // Stores Available, true==update ready.
    std::string ActiveRulebaseTimestamp(); // Get active rulebase timestamp.
    std::string AvailableRulebaseTimestamp(); // Get available rulebase timestamp.
    bool isUpdateAvailable(); // True if update is available.
    bool OkToPeek(int PeekOneInX); // Check to see if it's ok to peek.
    bool OkToSample(int SampleOneInX); // Check to see if it's ok to sample.
    time_t Timestamp(); // Get an ordinary timestamp.
    std::string Timestamp(time_t t); // Convert time_t to a timestamp s.
    std::string& Timestamp(std::string& s); // Appends a current timestamp in s.
    std::string LocalTimestamp(time_t t); // Convert time_t to a local timestamp s.
    std::string& LocalTimestamp(std::string& s); // Appends a current local timestamp in s.
    unsigned int SerialNumber(); // Returns the next serial number.
    std::string& SerialNumber(std::string& s); // Appends the next serial number.
    int SecsSinceStartup(); // Gets seconds since startup.
    void RecordSyncEvent(); // Sets timestamp of latest Sync.
    int SecsSinceLastSync(); // Gets seconds since latest Sync.
    void RecordSaveEvent(); // Sets timestamp of latest Save.
    int SecsSinceLastSave(); // Gets seconds since latest Save.
    void RecordCondenseEvent(); // Sets timestamp of latest Condense.
    int SecsSinceLastCondense(); // Gets seconds since latest Condense.
    // Live stats functions
    double MessagesPerMinute(); // Avg Msgs/Minute.
    double HamPerMinute(); // Avg Ham/Minute.
    double SpamPerMinute(); // Avg Spam/Minute.
    double WhitePerMinute(); // Avg White/Minute.
    double CautionPerMinute(); // Avg Caution/Minute.
    double BlackPerMinute(); // Avg Black/Minute.
    double TruncatePerMinute(); // Avg Truncate/Minute.
    double SamplePerMinute(); // Avg Sample/Minute.
    int LatestRuleID(); // Returns the latest Rule ID seen.
    int RunningTime(); // Seconds running since startup.
    std::string getStatusSecondReport(); // Get latest status.second report.
    std::string getStatusMinuteReport(); // Get latest status.minute report.
    std::string getStatusHourReport(); // Get latest status.hour report.
    const static cd::ThreadType Type; // The thread's type.
};
  493. //// End snfLOGmgr include only once
  494. ////////////////////////////////////////////////////////////////////////////////