1. Flow management
Flows are an important resource in Suricata. They are currently handled by the flow manager thread (FlowManager, the FM thread) and the flow recycler thread (FlowRecycler, the FR thread).
FlowManager thread:
- Checks flow data and, if a flow has timed out, puts the flow onto the recycle queue flow_recycle_q.
FlowRecycler thread:
- Takes flows from the recycle queue flow_recycle_q.
- Writes the flow log.
- Resets the flow's state.
- Puts the flow onto the available (spare) queue flow_spare_q.
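The hand-off between the two threads described above, as an added illustration written for this page (it is not Suricata's own code): a toy flow table, an FM step that moves idle flows onto flow_recycle_q, and an FR step that logs, resets and moves them onto flow_spare_q. The queue names follow the text; the Flow fields, timeouts and sample flows are constructed.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Added toy model of the FlowManager / FlowRecycler hand-off.
 * Queue names follow the page; the flow layout is a constructed assumption. */

#define MAX_FLOWS 8

typedef enum { FLOW_ACTIVE, FLOW_RECYCLE, FLOW_SPARE } FlowState;

typedef struct Flow {
    uint32_t id;         /* constructed identifier */
    uint32_t last_seen;  /* seconds: time of the last packet on this flow */
    uint32_t timeout;    /* idle seconds after which the flow is considered dead */
    uint32_t pkts;       /* per-flow counter that the recycler resets */
    FlowState state;
    struct Flow *next;   /* singly-linked queue link */
} Flow;

typedef struct { Flow *head; Flow *tail; int len; } FlowQueue;

static void QueuePush(FlowQueue *q, Flow *f) {
    f->next = NULL;
    if (q->tail) q->tail->next = f; else q->head = f;
    q->tail = f;
    q->len++;
}

static Flow *QueuePop(FlowQueue *q) {
    Flow *f = q->head;
    if (!f) return NULL;
    q->head = f->next;
    if (!q->head) q->tail = NULL;
    f->next = NULL;
    q->len--;
    return f;
}

static Flow flow_table[MAX_FLOWS];
static FlowQueue flow_recycle_q;  /* FM pushes here, FR pops from here */
static FlowQueue flow_spare_q;    /* FR pushes reset flows here for reuse */

/* Fill the table with constructed flows: even slots time out after 30 s,
 * odd slots after 300 s; all last saw a packet at t=100. */
void FlowTableInit(void) {
    memset(&flow_recycle_q, 0, sizeof flow_recycle_q);
    memset(&flow_spare_q, 0, sizeof flow_spare_q);
    for (int i = 0; i < MAX_FLOWS; i++) {
        flow_table[i].id = (uint32_t)(i + 1);
        flow_table[i].last_seen = 100;
        flow_table[i].timeout = (i % 2 == 0) ? 30 : 300;
        flow_table[i].pkts = (uint32_t)(i * 10);
        flow_table[i].state = FLOW_ACTIVE;
        flow_table[i].next = NULL;
    }
}

/* FlowManager step: scan active flows and move timed-out ones to flow_recycle_q.
 * Returns the number of flows moved. */
int FlowManagerRun(uint32_t now) {
    int moved = 0;
    for (int i = 0; i < MAX_FLOWS; i++) {
        Flow *f = &flow_table[i];
        if (f->state != FLOW_ACTIVE) continue;
        if (now - f->last_seen >= f->timeout) {
            f->state = FLOW_RECYCLE;
            QueuePush(&flow_recycle_q, f);
            moved++;
        }
    }
    return moved;
}

/* FlowRecycler step: drain flow_recycle_q; for each flow write the log line,
 * reset its state and push it onto flow_spare_q. Returns the number recycled. */
int FlowRecyclerRun(void) {
    int recycled = 0;
    Flow *f;
    while ((f = QueuePop(&flow_recycle_q)) != NULL) {
        printf("flow log: id=%u pkts=%u\n", f->id, f->pkts); /* stands in for the flow log */
        f->pkts = 0;
        f->last_seen = 0;
        f->timeout = 0;
        f->state = FLOW_SPARE;
        QueuePush(&flow_spare_q, f);
        recycled++;
    }
    return recycled;
}

int FlowRecycleCount(void) { return flow_recycle_q.len; }
int FlowSpareCount(void) { return flow_spare_q.len; }

int main(void) {
    FlowTableInit();
    int moved = FlowManagerRun(140);      /* 40 s idle: only the 30 s flows expire */
    int recycled = FlowRecyclerRun();
    printf("moved=%d recycled=%d spare=%d\n", moved, recycled, FlowSpareCount());
    return 0;
}
```

Because the recycler fully drains flow_recycle_q before the manager's next pass, every flow the manager retires ends up in flow_spare_q exactly once; running the manager again with a later clock only retires flows that are still active.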
2. Stats log
The stats log includes the simple stats.log, and also the very detailed log that is sent out, with http and other per-protocol details. The call chain is as follows:
It is handled by the CS thread.
(gdb) where
#0 callSendEveAttackLogAlarmMsg (
pMsg=0x6310004b0810 "{\"timestamp\":\"2020-08-18T15:10:23.770399+0800\",\"pre_time\":\"2020-08-18T15:07:52.504179+0800\",\"event_type\":\"stats\",\"stats\":{\"uptime\":2206,\"capture\":{\"kernel_packets\":21135,\"kernel_packets_delta\":1429,\"k"..., iMsgLen=6363)
at ../srcSF/spiderFlow-common.c:275
#1 0x0000000000a6f07f in LogFileWrite (file_ctx=file_ctx@entry=0x621000039900, buffer=0x6310004b0800) at util-logopenfile.c:737
#2 0x000000000093eda0 in OutputJSONBuffer (js=js@entry=0x60700024efd0, file_ctx=0x621000039900, buffer=buffer@entry=0x6020001ba038)
at output-json.c:918
#3 0x00000000008dac10 in JsonStatsLogger (tv=<optimized out>, thread_data=0x6020001ba030, st=<optimized out>) at output-json-stats.c:329
#4 0x00000000009311d1 in OutputStatsLog (tv=tv@entry=0x612000044a40, thread_data=thread_data@entry=0x6020001ba010,
st=st@entry=0x1825c00 <stats_table>) at output-stats.c:105
#5 0x0000000000676d32 in StatsOutput (tv=<optimized out>) at counters.c:771
#6 StatsMgmtThread (arg=<optimized out>) at counters.c:379
#7 0x00007fe2709bce25 in start_thread () from /usr/lib64/libpthread.so.0
#8 0x00007fe2702d034d in clone () from /usr/lib64/libc.so.6