/* Copyright (C) 2007-2020 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Victor Julien <victor@inliniac.net>
* \author Ken Steele <suricata@tilera.com>
*
* Time keeping for offline (non-live) packet handling (pcap files).
* And time string generation for alerts.
*/
/* Real time vs offline time
*
* When we run on live traffic, time handling is simple. Packets have a
* timestamp set by the capture method. Management threads can simply
* use 'gettimeofday' to know the current time. There should never be
* any serious gap between the two.
*
* In offline mode, things are dramatically different. Here we try to keep
* the time from the pcap, which means that if the packets are in 2011 the
* log output should also reflect this. Multiple issues:
* 1. merged pcaps might have huge time jumps or time going backward
* 2. slowly recorded pcaps may be processed much faster than their 'realtime'
* 3. management threads need a concept of what the 'current' time is for
* enforcing timeouts
* 4. due to (1) individual threads may have very different views on what
* the current time is. E.g. T1 processed packet 1 with TS X, while T2
* at the very same time processes packet 2 with TS X+100000s.
*
* In offline mode we keep the timestamp per thread. If a management thread
* needs current time, it will get the minimum of the threads' values. This
* is to avoid the problem that T2s time value might already trigger a flow
* timeout as the flow lastts + 100000s is almost certainly meaning the flow
* would be considered timed out.
*/
#ifdef OS_WIN32
/* for MinGW we need to set _POSIX_C_SOURCE before including
* sys/time.h. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#endif
#include "suricata-common.h"
#include "suricata.h"
#include "detect.h"
#include "threads.h"
#include "tm-threads.h"
#include "util-debug.h"
#include "util-time.h"
#ifdef UNITTESTS
/* Engine-wide "current time" used only by the unit tests (see TimeSet() and
 * TimeGet()); production offline mode keeps per-thread timestamps instead. */
static struct timeval current_time = { 0, 0 };
#endif
/* Guards current_time. Created in TimeInit() and destroyed in TimeDeinit()
 * regardless of UNITTESTS, even though it is only taken in test builds. */
static SCSpinlock current_time_spinlock;
/* true: wall-clock time (live capture); false: time is driven by packet
 * timestamps (pcap files), see the file header. Plain bool, not atomic. */
static bool live_time_tracking = true;
/* Forward declarations; both are defined later in this file. SCLocalTime has
 * a cached thread_local variant and a plain localtime_r variant, selected by
 * whether TLS is defined. */
struct tm *SCLocalTime(time_t timep, struct tm *result);
struct tm *SCUtcTime(time_t timep, struct tm *result);
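/** \brief Initialize the time subsystem.
 *
 *  Creates the spinlock that guards the unit-test clock and loads the
 *  process time zone settings (tzset) so later localtime_r() calls, and the
 *  per-thread caching built on them, start from initialized zone state.
 *
 *  Note: the source as received had "&current_time_spinlock" mangled into
 *  "¤t_time_spinlock" (HTML-entity decoding of "&curren"); the address-of
 *  operator is restored here.
 */
void TimeInit(void)
{
    SCSpinInit(&current_time_spinlock, 0);
    /* Initialize Time Zone settings. */
    tzset();
}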
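/** \brief Release the spinlock created by TimeInit().
 *
 *  The received source had the address-of operator mangled into "¤t_..."
 *  (HTML-entity decoding artifact); "&current_time_spinlock" is restored.
 */
void TimeDeinit(void)
{
    SCSpinDestroy(&current_time_spinlock);
}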
/** \brief Whether the engine clock can be consulted yet.
 *
 *  Live mode is always ready (gettimeofday is the clock). Offline mode is
 *  ready once the per-thread timestamp subsystem reports itself ready.
 */
bool TimeModeIsReady(void)
{
    return live_time_tracking || TmThreadsTimeSubsysIsReady();
}
/** \brief Switch to live mode: TimeGet() reads the wall clock and
 *  per-thread packet timestamps are ignored.
 *
 *  Plain (unsynchronized) write to live_time_tracking; presumably only
 *  called at startup before packet threads exist -- verify against callers.
 */
void TimeModeSetLive(void)
{
    live_time_tracking = true;
    SCLogDebug("live time mode enabled");
}
/** \brief Switch to offline mode: time is derived from packet timestamps
 *  recorded per thread (see TimeSetByThread/TimeGet).
 *
 *  Plain (unsynchronized) write to live_time_tracking; presumably only
 *  called at startup before packet threads exist -- verify against callers.
 */
void TimeModeSetOffline (void)
{
    live_time_tracking = false;
    SCLogDebug("offline time mode enabled");
}
/** \brief true when the engine clock is the wall clock (live capture),
 *  false when it is driven by packet timestamps (offline/pcap). */
bool TimeModeIsLive(void)
{
    return live_time_tracking;
}
/** \brief Record the timestamp of the packet that thread THREAD_ID just
 *  processed, so management threads can derive the offline "current time".
 *
 *  No-op in live mode, where gettimeofday() is the clock.
 */
void TimeSetByThread(const int thread_id, SCTime_t tv)
{
    if (!live_time_tracking)
        TmThreadsSetThreadTimestamp(thread_id, tv);
}
#ifdef UNITTESTS
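/** \brief Set the engine-wide test clock (unit tests only).
 *
 *  Ignored in live mode. The write to current_time happens under
 *  current_time_spinlock, paired with the read in TimeGet().
 *
 *  The received source had "&current_time..." mangled into "¤t_time..."
 *  (HTML-entity decoding artifact); the address-of operators are restored.
 */
void TimeSet(SCTime_t ts)
{
    if (live_time_tracking)
        return;

    SCSpinLock(&current_time_spinlock);
    SCTIME_TO_TIMEVAL(&current_time, ts);
    SCLogDebug("time set to %" PRIuMAX " sec, %" PRIuMAX " usec",
            (uintmax_t)current_time.tv_sec, (uintmax_t)current_time.tv_usec);
    SCSpinUnlock(&current_time_spinlock);
}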
/** \brief Seed the unit-test clock from gettimeofday(); testing helper.
 *
 *  Has no effect in live mode (TimeSet ignores the value then).
 */
void TimeSetToCurrentTime(void)
{
    struct timeval now = { 0 };
    gettimeofday(&now, NULL);
    TimeSet(SCTIME_FROM_TIMEVAL(&now));
}
#endif
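/** \brief Current engine time.
 *
 *  Live mode: the wall clock. Offline mode: the unit-test clock when the
 *  unit-test runmode is active, otherwise the minimum of all packet threads'
 *  timestamps (see the file header for why the minimum is used).
 *
 *  The received source had "&current_time_spinlock" mangled into
 *  "¤t_time_spinlock" (HTML-entity decoding artifact); restored here.
 *
 *  \retval the time as SCTime_t
 */
SCTime_t TimeGet(void)
{
    struct timeval tv = { 0 };

    if (live_time_tracking) {
        gettimeofday(&tv, NULL);
    } else {
#ifdef UNITTESTS
        if (unlikely(RunmodeIsUnittests())) {
            SCSpinLock(&current_time_spinlock);
            tv = current_time;
            SCSpinUnlock(&current_time_spinlock);
        } else {
#endif
            TmThreadsGetMinimalTimestamp(&tv);
#ifdef UNITTESTS
        }
#endif
    }

    SCLogDebug("time we got is %" PRIuMAX " sec, %" PRIuMAX " usec", (uintmax_t)tv.tv_sec,
            (uintmax_t)tv.tv_usec);
    return SCTIME_FROM_TIMEVAL(&tv);
}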
#ifdef UNITTESTS
/** \brief Advance the unit-test clock by TV_SEC seconds.
 *  \param tv_sec seconds to add to the current engine time
 */
void TimeSetIncrementTime(uint32_t tv_sec)
{
    TimeSet(SCTIME_ADD_SECS(TimeGet(), tv_sec));
}
#endif
#ifdef OS_WIN32
/** \internal
 * \brief wrapper around strftime on Windows to provide output
 * compatible with posix %z
 *
 * Builds "YYYY-MM-DDTHH:MM:SS.uuuuuu" from T and TS, then appends a
 * "+hhmm"/"-hhmm" zone suffix computed from the CRT globals _timezone and
 * _daylight (the sign flip below suggests _timezone is seconds west of UTC).
 */
static inline void WinStrftime(const SCTime_t ts, const struct tm *t, char *str, size_t size)
{
    char time_fmt[64] = { 0 };
    char tz[6] = { 0 };                 /* sign + hhmm + NUL; snprintf bounds it */
    const long int tzdiff = -_timezone; /* positive east of UTC, like %z */
    /* NOTE(review): _daylight is added to the hour offset unconditionally;
     * confirm this reflects whether DST is *active* for T (t->tm_isdst)
     * rather than merely whether the zone has a DST rule at all. */
    const int h = abs(_timezone) / 3600 + _daylight;
    const int m = (abs(_timezone) % 3600) / 60;
    snprintf(tz, sizeof(tz), "%c%02d%02d", tzdiff < 0 ? '-' : '+', h, m);
    /* The strftime output becomes the format string of the next snprintf:
     * "%%06u" survives strftime as "%06u" and consumes the usec argument.
     * The strftime return value is unchecked; on failure time_fmt stays
     * empty and str ends up holding only the zone suffix.
     * NOTE(review): %06u expects unsigned int; the POSIX branch casts
     * SCTIME_USECS() to int64_t, so check the type actually passed here. */
    strftime(time_fmt, sizeof(time_fmt), "%Y-%m-%dT%H:%M:%S.%%06u", t);
    snprintf(str, size, time_fmt, SCTIME_USECS(ts));
    strlcat(str, tz, size); // append our timezone
}
#endif
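/** \brief Format TS as an ISO-8601 local-time string:
 *         "YYYY-MM-DDTHH:MM:SS.uuuuuu+hhmm".
 *
 *  Writes "ts-error" when the time cannot be broken down or formatted.
 *
 *  The date/time and the numeric zone are produced by two strftime calls
 *  and combined with a literal snprintf format, so strftime output is never
 *  itself used as a format string.
 *
 *  \param ts   timestamp to format
 *  \param str  output buffer, always NUL-terminated when size > 0
 *  \param size size of str
 */
void CreateIsoTimeString(const SCTime_t ts, char *str, size_t size)
{
    time_t time = SCTIME_SECS(ts);
    struct tm local_tm;
    memset(&local_tm, 0, sizeof(local_tm));
    struct tm *t = (struct tm*)SCLocalTime(time, &local_tm);
    if (unlikely(t == NULL)) {
        snprintf(str, size, "ts-error");
        return;
    }
#ifdef OS_WIN32
    WinStrftime(ts, t, str, size);
#else
    char datetime[32] = { 0 };
    char zone[8] = { 0 };
    int64_t usec = SCTIME_USECS(ts);

    /* A zero return here means the conversion did not fit or failed; the
     * date/time part can never legitimately be empty. */
    if (strftime(datetime, sizeof(datetime), "%Y-%m-%dT%H:%M:%S", t) == 0) {
        snprintf(str, size, "ts-error");
        return;
    }
    /* "%z" may expand to nothing when no zone offset is determinable; treat
     * that as an empty suffix rather than an error, and make sure the
     * buffer is a valid string either way. */
    if (strftime(zone, sizeof(zone), "%z", t) == 0)
        zone[0] = '\0';

    snprintf(str, size, "%s.%06" PRIi64 "%s", datetime, usec, zone);
#endif
}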
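/** \brief Format TS as "YYYY-MM-DDTHH:MM:SS" in UTC.
 *
 *  Writes "ts-error" when the time cannot be broken down or formatted.
 *
 *  NOTE(review): this layout deliberately matches the previous output -- no
 *  fractional seconds and no "Z"/offset designator. The old code passed the
 *  microseconds to snprintf but the format had no conversion for them, so
 *  they were never printed; that unused argument is dropped here and the
 *  strftime result is copied with a literal "%s" format instead of being
 *  used as the format string itself.
 *
 *  \param ts   timestamp to format
 *  \param str  output buffer, always NUL-terminated when size > 0
 *  \param size size of str
 */
void CreateUtcIsoTimeString(const SCTime_t ts, char *str, size_t size)
{
    time_t time = SCTIME_SECS(ts);
    struct tm utc_tm;
    memset(&utc_tm, 0, sizeof(utc_tm));
    struct tm *t = (struct tm*)SCUtcTime(time, &utc_tm);
    if (unlikely(t == NULL)) {
        snprintf(str, size, "ts-error");
        return;
    }

    char datetime[32] = { 0 };
    if (strftime(datetime, sizeof(datetime), "%Y-%m-%dT%H:%M:%S", t) == 0) {
        snprintf(str, size, "ts-error");
        return;
    }
    snprintf(str, size, "%s", datetime);
}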
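/** \brief Run an arbitrary strftime pattern over T into STR.
 *
 *  \param t    broken-down time, or NULL (then "ts-error" is written)
 *  \param fmt  strftime(3) pattern; NULL is treated like a NULL t
 *  \param str  output buffer; a valid NUL-terminated string on return
 *              whenever size > 0
 *  \param size size of str
 *
 *  strftime returns 0 both when the result is legitimately empty and when
 *  the output did not fit in size bytes; in the latter case the buffer
 *  contents are indeterminate. Rather than hand back unterminated bytes,
 *  the buffer is made an empty string in that case.
 */
void CreateFormattedTimeString (const struct tm *t, const char *fmt, char *str, size_t size)
{
    if (size == 0)
        return;
    if (t == NULL || fmt == NULL) {
        snprintf(str, size, "ts-error");
        return;
    }
    if (strftime(str, size, fmt, t) == 0)
        str[0] = '\0';
}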
/** \brief Thread-safe UTC broken-down time; thin gmtime_r() wrapper.
 *  \param timep  seconds since the epoch
 *  \param result caller-provided struct tm to fill
 *  \retval result on success, NULL on failure (see gmtime_r).
 */
struct tm *SCUtcTime(time_t timep, struct tm *result)
{
    return gmtime_r(&timep, result);
}
/*
* Time Caching code
*/
#ifndef TLS
/* OpenBSD does not support thread_local, so don't use time caching on BSD
 */
/** \brief Local broken-down time; plain localtime_r(), no per-thread cache.
 *  \param timep  seconds since the epoch
 *  \param result caller-provided struct tm to fill
 *  \retval result on success, NULL on failure (see localtime_r).
 */
struct tm *SCLocalTime(time_t timep, struct tm *result)
{
    return localtime_r(&timep, result);
}
/** \brief Format TS as "MM/DD/YYYY-HH:MM:SS.uuuuuu" in local time.
 *
 *  Uncached variant used when thread_local is unavailable. Writes
 *  "ts-error" when the local time conversion fails.
 *
 *  \param ts   timestamp to format
 *  \param str  output buffer
 *  \param size size of str
 */
void CreateTimeString(const SCTime_t ts, char *str, size_t size)
{
    struct tm broken_down;
    time_t secs = SCTIME_SECS(ts);

    if (unlikely(SCLocalTime(secs, &broken_down) == NULL)) {
        snprintf(str, size, "ts-error");
        return;
    }

    snprintf(str, size, "%02d/%02d/%02d-%02d:%02d:%02d.%06u",
            broken_down.tm_mon + 1, broken_down.tm_mday, broken_down.tm_year + 1900,
            broken_down.tm_hour, broken_down.tm_min, broken_down.tm_sec,
            (uint32_t)SCTIME_USECS(ts));
}
#else
/* On systems supporting thread_local, use Per-thread values for caching
 * in CreateTimeString */
/* The maximum possible length of the time string.
 * "%02d/%02d/%02d-%02d:%02d:%02d.%06u"
 * Or "01/01/2013-15:42:21.123456", which is 26, so round up to 32. */
#define MAX_LOCAL_TIME_STRING 32
/* Two-slot cache of the "MM/DD/YYYY-HH:MM:" prefix used by CreateTimeString,
 * keyed by the time_t at which the cached minute starts (0 == slot unused).
 * Everything is thread_local, so no locking: each thread warms its own. */
static thread_local int mru_time_slot; /* Most recently used cached value */
static thread_local time_t last_local_time[2];           /* minute start per slot */
static thread_local short int cached_local_time_len[2];  /* length of the cached prefix */
static thread_local char cached_local_time[2][MAX_LOCAL_TIME_STRING];
/* Per-thread values for caching SCLocalTime() These cached values are
 * independent from the CreateTimeString cached values. */
static thread_local int mru_tm_slot; /* Most recently used local tm */
static thread_local time_t cached_minute_start[2]; /* minute start per slot, 0 == unused */
static thread_local struct tm cached_local_tm[2];   /* a struct tm from within that minute;
                                                     * tm_sec is overwritten on use */
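/** \internal
 * \brief Refill cache slot SLOT with the minute that contains TIMEP.
 * \param slot  0 or 1
 * \param timep time to break down
 * \retval seconds-within-minute of TIMEP on success
 * \retval -1 if localtime_r() failed; the slot is left untouched then
 */
static int SCLocalTimeRefillSlot(int slot, time_t timep)
{
    struct tm tmp;
    if (localtime_r(&timep, &tmp) == NULL)
        return -1;
    cached_local_tm[slot] = tmp;
    /* Subtract seconds to get back to the start of the minute. */
    cached_minute_start[slot] = timep - tmp.tm_sec;
    mru_tm_slot = slot;
    return tmp.tm_sec;
}

/** \brief Convert time_t into Year, month, day, hour and minutes.
 * \param timep Time in seconds since defined date.
 * \param result The structure into which the broken down time it put.
 * \retval result on success, NULL if localtime_r() failed.
 *
 * To convert a time in seconds into year, month, day, hours, minutes
 * and seconds, call localtime_r(), which uses the current time zone
 * to compute these values. Note, glibc's localtime_r() acquires a lock
 * each time it is called, which limits parallelism. To call
 * localtime_r() less often, the values returned are cached for the
 * current and previous minute and then seconds are adjusted to
 * compute the returned result. This is valid as long as the
 * difference between the start of the cached minute and the requested
 * time is between 0 and 59 seconds. Once the minute value changes, all
 * the other values could change.
 *
 * Two values are cached to prevent thrashing when changing from one
 * minute to the next. The two cached minutes are independent and are
 * not required to be M and M+1. If more than two minutes are
 * requested, the least-recently-used cached value is updated more
 * often, the results are still correct, but performance will be closer
 * to previous performance.
 *
 * The offsets from the cached minute starts are kept in time_t. Narrowing
 * them to int before the range check would let a timestamp roughly 2^32
 * seconds away from a cached minute (possible with bogus or hostile pcap
 * timestamps) wrap into the 0..59 window and silently reuse the wrong
 * cached struct tm.
 */
struct tm *SCLocalTime(time_t timep, struct tm *result)
{
    /* Only get a new local time when the time crosses into a new
     * minute. */
    int mru = mru_tm_slot;
    int lru = 1 - mru;
    const time_t mru_off = timep - cached_minute_start[mru];
    const time_t lru_off = timep - cached_minute_start[lru];
    const bool mru_hit = (mru_off >= 0 && mru_off <= 59);
    const bool lru_hit = (lru_off >= 0 && lru_off <= 59);
    int new_seconds;

    if (cached_minute_start[mru] == 0 && cached_minute_start[lru] == 0) {
        /* Cold cache: fill the LRU slot. A failing localtime_r() used to go
         * unchecked on this path. */
        new_seconds = SCLocalTimeRefillSlot(lru, timep);
        if (new_seconds < 0)
            return NULL;
        mru = lru;
    } else if (lru_off > 0 && mru_hit) {
        /* Use most-recently cached time, adjusting the seconds. */
        new_seconds = (int)mru_off;
    } else if (mru_off > 0 && lru_hit) {
        /* Use least-recently cached time, update to most recently used. */
        new_seconds = (int)lru_off;
        mru = lru;
        mru_tm_slot = mru;
    } else {
        /* Neither slot covers this minute: replace the least-recent one. */
        new_seconds = SCLocalTimeRefillSlot(lru, timep);
        if (new_seconds < 0)
            return NULL;
        mru = lru;
    }

    *result = cached_local_tm[mru];
    result->tm_sec = new_seconds;
    return result;
}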
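/** \internal
 * \brief Update the cached "MM/DD/YYYY-HH:MM:" prefix in cache slot N for
 *        the minute containing TIME and make N the most-recently-used slot.
 * \param n    0 or 1
 * \param time time to break down (local time)
 * \retval seconds-within-minute of TIME on success
 * \retval -1 if the local time could not be computed; the slot is left
 *         untouched (its previous contents stay valid)
 */
static int UpdateCachedTime(int n, time_t time)
{
    struct tm local_tm;
    struct tm *t = (struct tm *)SCLocalTime(time, &local_tm);
    if (unlikely(t == NULL))
        return -1;

    int cached_len = snprintf(cached_local_time[n], MAX_LOCAL_TIME_STRING,
            "%02d/%02d/%02d-%02d:%02d:",
            t->tm_mon + 1, t->tm_mday, t->tm_year + 1900,
            t->tm_hour, t->tm_min);
    /* snprintf reports the untruncated length; clamp so the recorded length
     * can never exceed what is actually stored in the slot. */
    if (cached_len < 0)
        cached_len = 0;
    else if (cached_len >= MAX_LOCAL_TIME_STRING)
        cached_len = MAX_LOCAL_TIME_STRING - 1;
    cached_local_time_len[n] = (short int)cached_len;
    /* Store the time of the beginning of the minute. */
    last_local_time[n] = time - t->tm_sec;
    mru_time_slot = n;
    return t->tm_sec;
}

/** \brief Return a formatted string for the provided time:
 *         "MM/DD/YYYY-HH:MM:SS.uuuuuu" in local time.
 *
 * Cache the Month/Day/Year - Hours:Min part of the time string for
 * the current minute. Copy that result into the return string and
 * then only print the seconds for each call.
 *
 * The offsets from the cached minute starts are kept in time_t; narrowing
 * them to int first would let a timestamp ~2^32 seconds away from a cached
 * minute wrap into the 0..59 window and print the wrong date.
 *
 * Writes "ts-error" when the local time cannot be computed. STR is always
 * NUL-terminated when size > 0, including when size is smaller than the
 * cached prefix.
 *
 * \param ts   timestamp to format
 * \param str  output buffer
 * \param size size of str
 */
void CreateTimeString(const SCTime_t ts, char *str, size_t size)
{
    if (size == 0)
        return;

    time_t time = SCTIME_SECS(ts);
    int seconds;
    /* Only get a new local time when the time crosses into a new
     * minute */
    int mru = mru_time_slot;
    int lru = 1 - mru;
    const time_t mru_off = time - last_local_time[mru];
    const time_t lru_off = time - last_local_time[lru];

    if (last_local_time[mru] == 0 && last_local_time[lru] == 0) {
        /* First time here, update both caches */
        UpdateCachedTime(mru, time);
        seconds = UpdateCachedTime(lru, time);
    } else if (mru_off >= 0 && mru_off <= 59) {
        /* Use most-recently cached time. */
        seconds = (int)mru_off;
    } else if (lru_off >= 0 && lru_off <= 59) {
        /* Use least-recently cached time. Change this slot to Most-recent */
        seconds = (int)lru_off;
        mru_time_slot = lru;
    } else {
        /* Neither slot covers this minute: update the least-recent one. */
        seconds = UpdateCachedTime(lru, time);
    }
    if (unlikely(seconds < 0)) {
        snprintf(str, size, "ts-error");
        return;
    }

    /* Copy the string up to the current minute then print the seconds
       into the return string buffer. */
    const char *cached_str = cached_local_time[mru_time_slot];
    size_t cached_len = (size_t)cached_local_time_len[mru_time_slot];
    /* Always leave room for the terminator; copying exactly size bytes would
     * give snprintf a zero-length window and leave str unterminated. */
    if (cached_len >= size)
        cached_len = size - 1;
    memcpy(str, cached_str, cached_len);
    snprintf(str + cached_len, size - cached_len, "%02d.%06u", seconds,
            (uint32_t)SCTIME_USECS(ts));
}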
#endif /* TLS */
/**
 * \brief Convert broken-down time to seconds since Unix epoch.
 *
 * This function is based on: http://www.catb.org/esr/time-programming
 * (released to the public domain).
 *
 * Unlike mktime(), the process time zone is not consulted: the fields are
 * treated as UTC, then tm_gmtoff (where the platform has it) is subtracted
 * so a struct tm that carries a zone offset maps back to the right instant.
 *
 * \param tp Pointer to broken-down time. tm_mon values >= 12 carry into the
 *           year; a negative tm_mon is not handled (mdays[] would be indexed
 *           with a negative remainder). tm_wday/tm_yday are ignored.
 *
 * \retval Seconds since Unix epoch.
 */
time_t SCMkTimeUtc (struct tm *tp)
{
    time_t result;
    long year;
#define MONTHSPERYEAR 12
    /* Cumulative days before the first of each month in a non-leap year. */
    static const int mdays[MONTHSPERYEAR] =
    { 0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334 };
    year = 1900 + tp->tm_year + tp->tm_mon / MONTHSPERYEAR;
    result = (year - 1970) * 365 + mdays[tp->tm_mon % MONTHSPERYEAR];
    /* Leap-day adjustment since 1970: every 4th year, minus centuries, plus
     * every 400th year. This counts the current year's Feb 29 as well, which
     * is corrected below when that day has not been reached yet. */
    result += (year - 1968) / 4;
    result -= (year - 1900) / 100;
    result += (year - 1600) / 400;
    if ((year % 4) == 0 && ((year % 100) != 0 || (year % 400) == 0) &&
    (tp->tm_mon % MONTHSPERYEAR) < 2)
    result--;
    /* Days -> hours -> minutes -> seconds. */
    result += tp->tm_mday - 1;
    result *= 24;
    result += tp->tm_hour;
    result *= 60;
    result += tp->tm_min;
    result *= 60;
    result += tp->tm_sec;
#ifndef OS_WIN32
    /* tm_gmtoff is presumably seconds east of UTC (glibc/BSD extension);
     * subtracting it brings a local-time struct tm back to UTC. */
    if (tp->tm_gmtoff)
    result -= tp->tm_gmtoff;
#endif
    return result;
}
/**
 * \brief Parse a date string based on specified patterns.
 *
 * This function is based on GNU C library getdate.
 *
 * Each pattern is tried in order with strptime(3); the first one that
 * consumes the whole string wins. Before every attempt the date fields of
 * TP are reset to INT_MIN so that "field not set by the pattern" can be
 * told apart from a parsed value afterwards.
 *
 * \param string Date string to parse.
 * \param patterns String array containing patterns (NULL entries are skipped).
 * \param num_patterns Number of patterns to check.
 * \param tp Pointer to broken-down time. On success, fields the pattern did
 *           not mention are still INT_MIN (except tm_mday, see below) and
 *           tm_isdst is -1; callers should check for INT_MIN before using
 *           the fields.
 *
 * \retval 0 on success.
 * \retval 1 on failure (no pattern consumed the whole string, or no date
 *           component at all was supplied).
 */
int SCStringPatternToTime (char *string, const char **patterns, int num_patterns,
struct tm *tp)
{
    char *result = NULL;
    int i = 0;
    /* Do the pattern matching */
    for (i = 0; i < num_patterns; i++)
    {
        if (patterns[i] == NULL)
            continue;
        /* Reset so leftovers from a previous, partially matching pattern
         * cannot leak into this attempt. Time-of-day defaults to 00:00:00. */
        tp->tm_hour = tp->tm_min = tp->tm_sec = 0;
        tp->tm_year = tp->tm_mon = tp->tm_mday = tp->tm_wday = INT_MIN;
        tp->tm_isdst = -1;
#ifndef OS_WIN32
        tp->tm_gmtoff = 0;
        tp->tm_zone = NULL;
#endif
        result = strptime(string, patterns[i], tp);
        /* Only a match that consumed the entire input counts. */
        if (result && *result == '\0')
            break;
    }
    /* Return if no patterns matched */
    if (result == NULL || *result != '\0')
        return 1;
    /* Return if no date is given */
    if (tp->tm_year == INT_MIN && tp->tm_mon == INT_MIN &&
    tp->tm_mday == INT_MIN)
        return 1;
    /* The first of the month is assumed, if only year and
       month is given */
    if (tp->tm_year != INT_MIN && tp->tm_mon != INT_MIN &&
    tp->tm_mday <= 0)
        tp->tm_mday = 1;
    return 0;
}
/**
 * \brief Render EPOCH (as local time) through the strftime pattern PATTERN
 *        into STR, truncating to SIZE.
 *
 * \param epoch   Epoch time.
 * \param pattern strftime(3) pattern.
 * \param str     Output buffer.
 * \param size    Size of str.
 *
 * \retval 0 on success.
 * \retval 1 if the time could not be converted or strftime produced no
 *           output (which it also reports for a legitimately empty result).
 */
int SCTimeToStringPattern (time_t epoch, const char *pattern, char *str, size_t size)
{
    struct tm broken_down = { 0 };
    char scratch[PATH_MAX] = { 0 };

    if (unlikely(SCLocalTime(epoch, &broken_down) == NULL))
        return 1;

    if (strftime(scratch, sizeof(scratch), pattern, &broken_down) == 0)
        return 1;

    strlcpy(str, scratch, size);
    return 0;
}
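/**
 * \brief Parse a duration such as "30", "30s", "5m", "2h", "1d" or "1w"
 *        into seconds.
 *
 * A bare number is taken as seconds. Leading whitespace is accepted (as
 * strtoumax does). Rejected: an empty string, a negative sign, anything
 * other than digits between the number and the unit suffix ("5 m"), an
 * unknown suffix, and values that would overflow uint64_t.
 *
 * \param str NUL-terminated string to parse; NULL yields 0.
 *
 * \retval number of seconds on success.
 * \retval 0 on failure (note "0" and "0m" also parse to 0).
 */
uint64_t SCParseTimeSizeString (const char *str)
{
    /* The old code indexed str[strlen(str) - 1], which reads before the
     * buffer for an empty string. */
    if (str == NULL || *str == '\0')
        return 0;

    const size_t len = strlen(str);
    const char unit = str[len - 1];
    uint64_t modifier = 1;
    const bool bare_number = (unit >= '0' && unit <= '9');

    if (!bare_number) {
        switch (unit) {
            /* seconds */
            case 's':
                break;
            /* minutes */
            case 'm':
                modifier = 60;
                break;
            /* hours */
            case 'h':
                modifier = 60 * 60;
                break;
            /* days */
            case 'd':
                modifier = 60 * 60 * 24;
                break;
            /* weeks */
            case 'w':
                modifier = 60 * 60 * 24 * 7;
                break;
            /* invalid */
            default:
                return 0;
        }
    }

    errno = 0;
    char *end = NULL;
    const uintmax_t value = strtoumax(str, &end, 10);
    if (errno != 0 || end == str)
        return 0;
    /* strtoumax() negates a '-' value instead of failing; a duration is
     * never negative, so reject the sign explicitly. */
    if (memchr(str, '-', (size_t)(end - str)) != NULL)
        return 0;
    /* The number must run right up to the unit suffix (or to the end of the
     * string for a bare number). */
    const char *expected_end = bare_number ? str + len : str + len - 1;
    if (end != expected_end)
        return 0;
    if (value > UINT64_MAX / modifier)
        return 0;
    return (uint64_t)value * modifier;
}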
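/**
 * \brief Get seconds until a time unit boundary is crossed.
 *
 * Counted from EPOCH in local time. Exactly on a boundary a full unit is
 * returned (e.g. 3600 for "hour" at 10:00:00) and one second before it the
 * result is 1 (10:59:59). The previous formulas used (60 - tm_min) and
 * (24 - tm_hour), which double-counted the current minute/hour and made
 * "hour" and "day" come out 60 s and 3660 s too large.
 *
 * \param str   Unit name: "minute", "hour" or "day".
 * \param epoch Reference time.
 *
 * \retval seconds until the boundary.
 * \retval 0 for an unknown unit, a NULL str, or if the local time
 *         conversion fails.
 */
uint64_t SCGetSecondsUntil (const char *str, time_t epoch)
{
    struct tm tm;
    memset(&tm, 0, sizeof(tm));
    struct tm *tp = (struct tm *)SCLocalTime(epoch, &tm);
    if (unlikely(tp == NULL || str == NULL))
        return 0;

    /* Seconds left in the current minute: 60 at :00, 1 at :59. */
    const uint64_t to_minute = (uint64_t)(60 - tp->tm_sec);
    if (strcmp(str, "minute") == 0)
        return to_minute;

    /* Whole minutes left after the current one, plus the partial minute. */
    const uint64_t to_hour = (uint64_t)(60 * (59 - tp->tm_min)) + to_minute;
    if (strcmp(str, "hour") == 0)
        return to_hour;

    /* Whole hours left after the current one, plus the partial hour. */
    if (strcmp(str, "day") == 0)
        return (uint64_t)(3600 * (23 - tp->tm_hour)) + to_hour;

    return 0;
}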
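/**
 * \brief Convert a timespec to whole milliseconds since the Unix epoch.
 *
 * The seconds field is widened to 64 bits before the multiply so the
 * intermediate cannot overflow where long is 32 bits (tv_sec * 1000L
 * overflows there for any epoch past early 1970). For a normalized
 * tv_nsec (0..999999999) the result equals the previous formula's.
 *
 * \param ts timespec to convert (must not be NULL)
 * \retval milliseconds since the epoch
 */
uint64_t SCTimespecAsEpochMillis(const struct timespec* ts)
{
    return (uint64_t)ts->tv_sec * 1000ULL + (uint64_t)(ts->tv_nsec / 1000000L);
}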
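/**
 * \brief Microseconds elapsed from T0 to T1.
 *
 * The previous implementation subtracted t1.tv_usec from itself, so the
 * sub-second part of the difference was always 0.
 *
 * \param t0 Earlier time.
 * \param t1 Later time; must not precede t0 (the result is unsigned).
 *
 * \retval (t1 - t0) in microseconds.
 */
uint64_t TimeDifferenceMicros(struct timeval t0, struct timeval t1)
{
    /* The usec part may be negative when t1's sub-second field is smaller
     * than t0's; adding it into the unsigned total wraps modulo 2^64 and
     * still yields the correct difference as long as t1 >= t0. */
    return (uint64_t)(t1.tv_sec - t0.tv_sec) * 1000000ULL +
           (uint64_t)(t1.tv_usec - t0.tv_usec);
}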