Skip to content
Browse files

-Added config directive for input plugin.

-Modified spooler specific allocation to be per spooler.
-Modified spooler logflow.

-Other Cleaned up some code
  • Loading branch information...
1 parent 7c1d826 commit 91726cc6a01eb3f583a7804aacb75607168dde10 @binf binf committed with Jun 15, 2011
Showing with 773 additions and 430 deletions.
  1. +2 −18 src/barnyard2.c
  2. +136 −12 src/input-plugins/spi_unified2.c
  3. +11 −0 src/input-plugins/spi_unified2.h
  4. +596 −398 src/spooler.c
  5. +28 −2 src/spooler.h
View
20 src/barnyard2.c
@@ -312,15 +312,6 @@ int Barnyard2Main(int argc, char *argv[])
Barnyard2Init(argc, argv);
- /* init logpacket */
- if( (InitializeLogPacket()))
- {
- /* XXX */
- FatalError("InitializeLogPacket(): Unable to initialize spooler...\n");
- }
- /* init logpacket */
-
-
if (BcDaemonMode())
{
GoDaemon();
@@ -1050,15 +1041,7 @@ static void Barnyard2Cleanup(int exit_val)
{
PluginSignalFuncNode *idxPlugin = NULL;
-
- /* cleanup logpacket */
- if( FreeLogPacket())
- {
- /* XXX */
- LogMessage("FreeLogPacket(), failed ...cleanup continue\n");
- }
- /* cleanup logpacket */
-
+
/* This function can be called more than once. For example,
* once from the SIGINT signal handler, and once recursively
* as a result of calling pcap_close() below. We only need
@@ -1067,6 +1050,7 @@ static void Barnyard2Cleanup(int exit_val)
* double-freeing any memory. Not guaranteed to be
* thread-safe, but it will prevent the simple cases.
*/
+
static int already_exiting = 0;
if( already_exiting != 0 )
{
View
148 src/input-plugins/spi_unified2.c
@@ -31,6 +31,10 @@
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
+
+#ifndef __USE_GNU
+#define __USE_GNU 1
+#endif
#include <string.h>
#ifdef SOLARIS
#include <strings.h>
@@ -44,13 +48,20 @@
#include "barnyard2.h"
#include "debug.h"
+#include "mstring.h"
#include "plugbase.h"
#include "spi_unified2.h"
#include "spooler.h"
#include "strlcpyu.h"
#include "util.h"
+/*
+ * Define in which context we run (For spooler)
+ */
+static u_int32_t spiOpCtx = 0;
+
+
/*
* Function: UnifiedLogSetup()
*
@@ -70,20 +81,133 @@ void Unified2Setup(void)
DEBUG_WRAP(DebugMessage(DEBUG_INIT,"Input plugin: Unified2 is setup...\n"););
}
+
+/* In the future this could get per-input processor thread specific with thread key for example. */
+/**
+ * Return Input plugin Unified2 Operation Context
+ *
+ *
+ * @return spiOpCtx
+ */
+int spiUnified2GetOperationMode(void)
+{
+ return spiOpCtx;
+}
+
+/**
+ * Parse unified2 input pluggin configuration.
+ *
+ * @param iArgs
+ *
+ * @return Success [0] Failure [1]
+ */
+int parseUnified2InputArgs(char *iArgs)
+{
+ char **toks = NULL;
+ int num_toks = 0;
+ int i = 0;
+ char *op_mode = NULL;
+
+ if(iArgs == NULL)
+ {
+ /* XXX */
+ return 1;
+ }
+
+ toks = mSplit((char *)iArgs, ",", 31, &num_toks, '\\');
+ for(i = 0; i < num_toks; ++i)
+ {
+ char **stoks = NULL;
+ int num_stoks = 0;
+ char *index = toks[i];
+ while(isspace((int)*index))
+ ++index;
+
+ stoks = mSplit(index, " ", 2, &num_stoks, 0);
+
+ if(strcasecmp("input_mode", stoks[0]) == 0)
+ {
+ if(num_stoks >= 1)
+ {
+ op_mode = strndup(stoks[1],64);
+
+ if(strcasecmp("unified2",op_mode) == 0)
+ {
+ spiOpCtx = LOGCTXUNIFIED2;
+ }
+ else if(strcasecmp("alert_unified2",op_mode) == 0)
+ {
+ spiOpCtx= LOGCTXALERTUNIFIED2;
+ }
+ else if(strcasecmp("log_unified2",op_mode) == 0)
+ {
+ spiOpCtx = LOGCTXLOGUNIFIED2;
+ }
+ else
+ {
+ if(op_mode != NULL)
+ {
+ free(op_mode);
+ }
+
+ /* XXX */
+ LogMessage("parseUnified2InputArgs(): Unknown mode [%s] specified to input_mode directive.\n"
+ "\t\t\t Unified2 Input processor accecpt one of the following mode: (unified2|alert_unified2|log_unified2) \n",stoks[1]);
+ return 1;
+ }
+ }
+ else
+ {
+ if(op_mode != NULL)
+ {
+ free(op_mode);
+ }
+
+ /* XXX */
+ LogMessage("parseUnified2InputArgs(): Need argument to input_mode directive: (unified2|alert_unified2|log_unified2) \n");
+ return 1;
+ }
+ }
+ else
+ {
+ /* XXX */
+ LogMessage("parseUnified2InputArgs(): unsupported option [%s]\n",stoks[0]);
+ return 1;
+ }
+ }
+ return 0;
+}
+
+
+/**
+ * Initialize Unified2 Input Plugin.
+ *
+ * @param args
+ */
void Unified2Init(char *args)
{
- /* parse the argument list from the rules file */
- //data = ParseAlertTestArgs(args);
-
- DEBUG_WRAP(DebugMessage(DEBUG_INIT,"Linking UnifiedLog functions to call lists...\n"););
-
- /* Link the input processor read/process functions to the function list */
- AddReadRecordHeaderFuncToInputList("unified2", Unified2ReadRecordHeader);
- AddReadRecordFuncToInputList("unified2", Unified2ReadRecord);
-
- /* Link the input processor exit/restart functions into the function list */
- AddFuncToCleanExitList(Unified2CleanExitFunc, NULL);
- AddFuncToRestartList(Unified2RestartFunc, NULL);
+
+ if(args == NULL)
+ {
+ /* XXX*/
+ FatalError("Unified2Init(): Can't start with NULL arguments \n");
+ }
+
+ if(parseUnified2InputArgs(args))
+ {
+ /* XXX */
+ FatalError("Unified2Init(): Can't parse unified2 arguments [%s] \n",args);
+ }
+
+ DEBUG_WRAP(DebugMessage(DEBUG_INIT,"Linking UnifiedLog functions to call lists...\n"););
+
+ /* Link the input processor read/process functions to the function list */
+ AddReadRecordHeaderFuncToInputList("unified2", Unified2ReadRecordHeader);
+ AddReadRecordFuncToInputList("unified2", Unified2ReadRecord);
+
+ /* Link the input processor exit/restart functions into the function list */
+ AddFuncToCleanExitList(Unified2CleanExitFunc, NULL);
+ AddFuncToRestartList(Unified2RestartFunc, NULL);
}
/* Partial reads should rarely, if ever, happen. Thus we should not actually
View
11 src/input-plugins/spi_unified2.h
@@ -48,4 +48,15 @@ void Unified2PrintEventRecord(Unified2IDSEvent_legacy *);
void Unified2PrintEvent6Record(Unified2IDSEventIPv6_legacy *);
+int spiUnified2GetOperationMode(void);
+
+
+enum spiOpModeContext
+{
+ LOGCTXUNIFIED2 = 0,
+ LOGCTXALERTUNIFIED2 = 2,
+ LOGCTXLOGUNIFIED2 = 4
+};
+
+
#endif /* __SPI_UNIFIED2_H__ */
View
994 src/spooler.c
@@ -37,12 +37,26 @@
#include "barnyard2.h"
#include "debug.h"
#include "decode.h"
+#include "input-plugins/spi_unified2.h"
#include "plugbase.h"
#include "spooler.h"
#include "unified2.h"
#include "util.h"
+/* Spooler memory allocation functions */
+static int InitializeSpoolerStatic(Spooler *);
+static int FreeSpoolerStatic(Spooler *);
+/* Spooler (spoolerProcessRecord) Input Plugin context functions */
+static int spoolerIpp_AlertUnified2(Spooler *,int,int);
+static int spoolerIpp_LogUnified2(Spooler *,int,int);
+static int spoolerIpp_Unified2(Spooler *,int,int);
+
+
+
+#define SPOOLER_NULL 0x00000000
+#define SPOOLER_EVENT 0x00000001
+#define SPOOLER_READY 0x00000002
@@ -130,74 +144,81 @@ static int FindNextExtension(const char *dirpath, const char *filebase,
}
+
Spooler *spoolerOpen(const char *dirpath, const char *filename, uint32_t extension)
{
- Spooler *spooler = NULL;
- int ret;
-
- /* perform sanity checks */
- if ( filename == NULL )
- return NULL;
-
- /* create the spooler structure and allocate all memory */
- spooler = (Spooler *)SnortAlloc(sizeof(Spooler));
-
- /* Use preallocated buffed to maximum possible size */
-
- spooler->record.data =(void *)SnortAlloc(MAX_UNIFIED2_EVENT_SIZE);
- memset(spooler->record.data,'\0',MAX_UNIFIED2_EVENT_SIZE);
-
- spooler->record.header =(void *)SnortAlloc(sizeof(Unified2RecordHeader));
- memset(spooler->record.header,'\0',sizeof(Unified2RecordHeader));
-
-
- spooler->fd = -1;
-
- /* build the full filepath */
- if (extension == 0)
+ Spooler *spooler = NULL;
+ int ret;
+
+ /* perform sanity checks */
+ if ( filename == NULL )
+ return NULL;
+
+ /* create the spooler structure and allocate all memory */
+ spooler = (Spooler *)SnortAlloc(sizeof(Spooler));
+
+ /* Use preallocated buffed to maximum possible size */
+
+ spooler->record.data =(void *)SnortAlloc(MAX_UNIFIED2_EVENT_SIZE);
+ memset(spooler->record.data,'\0',MAX_UNIFIED2_EVENT_SIZE);
+
+ spooler->record.header =(void *)SnortAlloc(sizeof(Unified2RecordHeader));
+ memset(spooler->record.header,'\0',sizeof(Unified2RecordHeader));
+
+ if( (InitializeSpoolerStatic(spooler)))
{
- ret = SnortSnprintf(spooler->filepath, MAX_FILEPATH_BUF, "%s", filename);
+ /* XXX */
+ LogMessage("InigializeSpoolerStatic(), failed..\n");
+ return NULL;
}
- else
+
+ spooler->fd = -1;
+
+ /* build the full filepath */
+ if (extension == 0)
{
- ret = SnortSnprintf(spooler->filepath, MAX_FILEPATH_BUF, "%s/%s.%u", dirpath, filename,
- extension);
+ ret = SnortSnprintf(spooler->filepath, MAX_FILEPATH_BUF, "%s", filename);
}
-
- /* sanity check the filepath */
- if (ret != SNORT_SNPRINTF_SUCCESS)
+ else
{
- spoolerClose(spooler);
- FatalError("spooler: filepath too long!\n");
+ ret = SnortSnprintf(spooler->filepath, MAX_FILEPATH_BUF, "%s/%s.%u", dirpath, filename,
+ extension);
}
-
- spooler->timestamp = extension;
-
- LogMessage("Opened spool file '%s'\n", spooler->filepath);
-
- /* open the file non-blocking */
- if ( (spooler->fd=open(spooler->filepath, O_RDONLY | O_NONBLOCK, 0)) == -1 )
+
+ /* sanity check the filepath */
+ if (ret != SNORT_SNPRINTF_SUCCESS)
{
- LogMessage("ERROR: Unable to open log spool file '%s' (%s)\n",
- spooler->filepath, strerror(errno));
- spoolerClose(spooler);
- spooler = NULL;
- return NULL;
+ spoolerClose(spooler);
+ FatalError("spooler: filepath too long!\n");
}
+
+ spooler->timestamp = extension;
+
+ LogMessage("Opened spool file '%s'\n", spooler->filepath);
- /* set state to initially be open */
- spooler->state = SPOOLER_STATE_OPENED;
-
- spooler->ifn = GetInputPlugin("unified2");
-
- if (spooler->ifn == NULL)
+ /* open the file non-blocking */
+ if ( (spooler->fd=open(spooler->filepath, O_RDONLY | O_NONBLOCK, 0)) == -1 )
{
- spoolerClose(spooler);
- spooler = NULL;
- FatalError("ERROR: No suitable input plugin found!\n");
+ LogMessage("ERROR: Unable to open log spool file '%s' (%s)\n",
+ spooler->filepath, strerror(errno));
+ spoolerClose(spooler);
+ spooler = NULL;
+ return NULL;
}
-
- return spooler;
+
+ /* set state to initially be open */
+ spooler->state = SPOOLER_STATE_OPENED;
+
+ spooler->ifn = GetInputPlugin("unified2");
+
+ if (spooler->ifn == NULL)
+ {
+ spoolerClose(spooler);
+ spooler = NULL;
+ FatalError("ERROR: No suitable input plugin found!\n");
+ }
+
+ return spooler;
}
int spoolerClose(Spooler *spooler)
@@ -226,10 +247,9 @@ int spoolerClose(Spooler *spooler)
free(spooler->record.header);
spooler->record.header = NULL;
}
-
- /* depricated */
- //spoolerFreeRecord(&spooler->record);
+
+ FreeSpoolerStatic(spooler);
free(spooler);
spooler = NULL;
@@ -426,7 +446,7 @@ int ProcessContinuous(const char *dirpath, const char *filebase,
waiting_logged = 1;
barnyard2_conf->process_new_records_only_flag = 0;
}
-
+
sleep(1);
continue;
}
@@ -447,15 +467,15 @@ int ProcessContinuous(const char *dirpath, const char *filebase,
pc_ret = -1;
continue;
}
-
+
waiting_logged = 0;
-
+
/* set timestamp to ensure we look for a newer file next time */
timestamp = extension + 1;
-
+
continue;
}
-
+
/* act according to current spooler state */
switch(spooler->state)
{
@@ -467,17 +487,17 @@ int ProcessContinuous(const char *dirpath, const char *filebase,
case SPOOLER_STATE_HEADER_READ:
ret = spoolerReadRecord(spooler);
break;
-
- default:
- LogMessage("ERROR: Invalid spooler state (%i). Closing '%s'\n",
- spooler->state, spooler->filepath);
-
+
+ default:
+ LogMessage("ERROR: Invalid spooler state (%i). Closing '%s'\n",
+ spooler->state, spooler->filepath);
+
#ifndef WIN32
- /* archive the spool file */
+ /* archive the spool file */
if (BcArchiveDir() != NULL)
ArchiveFile(spooler->filepath, BcArchiveDir());
#endif
-
+
/* we've finished with the spooler so destroy and cleanup */
spoolerClose(spooler);
spooler = NULL;
@@ -486,6 +506,7 @@ int ProcessContinuous(const char *dirpath, const char *filebase,
break;
}
+
/* if no spooler exists, we are waiting for a newer file to arrive */
if (spooler == NULL)
continue;
@@ -610,247 +631,238 @@ int ProcessContinuousWithWaldo(Waldo *waldo)
-/*
-** RECORD PROCESSING EVENTS
-*/
-/* Less allocation */
-Packet *LogPacket = NULL;
-
-
-
-/* EVENT */
-/* PACKET */
-
-//EVENT WITHOUT PACKET? NOT.
-
-//EVENT_STATE
-//PACKET_STATE
-static Unified2IDSEvent_legacy *U2IdsEventLegacyPtr = NULL;
-static Unified2IDSEventIPv6_legacy *U2IdeEventV6LegacyPtr = NULL;
-static Unified2ExtraData *u2ExtraDataPtr = NULL;
-static Unified2ExtraDataHdr *u2ExtraDataHdrPtr = NULL;
-static Unified2Packet *u2PacketPtr = NULL;
-static Unified2IDSEventIPv6 *U2IdsEventV6Ptr = NULL;
-static Unified2IDSEvent *U2IdsEventPtr = NULL;
-
-static int SpoolerState = 0;
-static void *SpoolerEventPtr = NULL;
-
-#define SPOOLER_NULL 0x00000000
-#define SPOOLER_EVENT 0x00000001
-#define SPOOLER_READY 0x00000002
-#define SPOOLER_FAST_FORWARD 0x10000000
-
-int InitializeSpoolerStatic(void)
+static int InitializeSpoolerStatic(Spooler *iSpooler)
{
-
- if( (U2IdsEventLegacyPtr = (Unified2IDSEvent_legacy *)malloc(sizeof(Unified2IDSEvent_legacy))) == NULL)
+
+ if(iSpooler == NULL)
{
- /* XXX */
- return 1;
+ /* XXX */
+ return 1;
}
-
- memset(U2IdsEventLegacyPtr,'\0',sizeof(Unified2IDSEvent_legacy));
-
- if( (U2IdeEventV6LegacyPtr = (Unified2IDSEventIPv6_legacy *)malloc(sizeof(Unified2IDSEventIPv6_legacy))) == NULL)
+
+ if( (iSpooler->sur.U2IdsEventLegacyPtr = (Unified2IDSEvent_legacy *)malloc(sizeof(Unified2IDSEvent_legacy))) == NULL)
{
- /* XXX */
- return 1;
+ /* XXX */
+ return 1;
}
-
- memset(U2IdeEventV6LegacyPtr,'\0',sizeof(Unified2IDSEventIPv6_legacy));
-
- if( (u2ExtraDataPtr = (Unified2ExtraData *)malloc(sizeof(Unified2ExtraData))) == NULL)
+ memset(iSpooler->sur.U2IdsEventLegacyPtr,'\0',sizeof(Unified2IDSEvent_legacy));
+
+ if( (iSpooler->sur.U2IdeEventV6LegacyPtr = (Unified2IDSEventIPv6_legacy *)malloc(sizeof(Unified2IDSEventIPv6_legacy))) == NULL)
{
- /* XXX */
- return 1;
+ /* XXX */
+ return 1;
}
- memset(u2ExtraDataPtr,'\0',sizeof(Unified2ExtraData));
-
- if( (u2ExtraDataHdrPtr = (Unified2ExtraDataHdr *)malloc(sizeof(Unified2ExtraDataHdr))) == NULL)
+ memset(iSpooler->sur.U2IdeEventV6LegacyPtr,'\0',sizeof(Unified2IDSEventIPv6_legacy));
+
+ if( (iSpooler->sur.u2ExtraDataPtr = (Unified2ExtraData *)malloc(sizeof(Unified2ExtraData))) == NULL)
{
- /* XXX */
- return 1;
+ /* XXX */
+ return 1;
}
- memset(u2ExtraDataHdrPtr,'\0',sizeof(Unified2ExtraDataHdr));
-
- if( (u2PacketPtr = (Unified2Packet *)malloc(sizeof(Unified2Packet))) == NULL)
+ memset(iSpooler->sur.u2ExtraDataPtr,'\0',sizeof(Unified2ExtraData));
+
+ if( (iSpooler->sur.u2ExtraDataHdrPtr = (Unified2ExtraDataHdr *)malloc(sizeof(Unified2ExtraDataHdr))) == NULL)
{
- /* XXX */
- return 1;
+ /* XXX */
+ return 1;
}
- memset(u2PacketPtr,'\0',sizeof(Unified2Packet));
-
- if( (U2IdsEventV6Ptr = (Unified2IDSEventIPv6 *)malloc(sizeof(Unified2IDSEventIPv6))) == NULL)
+ memset(iSpooler->sur.u2ExtraDataHdrPtr,'\0',sizeof(Unified2ExtraDataHdr));
+
+ if( (iSpooler->sur.u2PacketPtr = (Unified2Packet *)malloc(sizeof(Unified2Packet))) == NULL)
{
- /* XXX */
- return 1;
+ /* XXX */
+ return 1;
}
- memset(U2IdsEventV6Ptr,'\0',sizeof(Unified2IDSEventIPv6));
-
- if( (U2IdsEventPtr = (Unified2IDSEvent *)malloc(sizeof(Unified2IDSEvent))) == NULL)
+ memset(iSpooler->sur.u2PacketPtr,'\0',sizeof(Unified2Packet));
+
+ if( (iSpooler->sur.U2IdsEventV6Ptr = (Unified2IDSEventIPv6 *)malloc(sizeof(Unified2IDSEventIPv6))) == NULL)
{
- /* XXX */
- return 1;
+ /* XXX */
+ return 1;
}
- memset(U2IdsEventPtr,'\0',sizeof(Unified2IDSEvent));
-
- return 0;
-}
-
-int FreeSpoolerStatic(void)
-{
- if( U2IdsEventLegacyPtr != NULL)
+ memset(iSpooler->sur.U2IdsEventV6Ptr,'\0',sizeof(Unified2IDSEventIPv6));
+
+ if( (iSpooler->sur.U2IdsEventPtr = (Unified2IDSEvent *)malloc(sizeof(Unified2IDSEvent))) == NULL)
{
- free(U2IdsEventLegacyPtr);
+ /* XXX */
+ return 1;
}
-
- if( U2IdeEventV6LegacyPtr != NULL)
+ memset(iSpooler->sur.U2IdsEventPtr,'\0',sizeof(Unified2IDSEvent));
+
+
+ if( (iSpooler->sur.LogPacket=(Packet *)malloc(sizeof(Packet))) == NULL)
{
- free(U2IdeEventV6LegacyPtr);
+ /* XXX */
+ return 1;
}
+ memset(iSpooler->sur.LogPacket,'\0',sizeof(Packet));
+
+
+ return 0;
+}
- if( u2ExtraDataPtr != NULL)
+static int FreeSpoolerStatic(Spooler *iSpooler)
+{
+
+ if(iSpooler == NULL)
{
- free(u2ExtraDataHdrPtr);
+ /* XXX */
+ return 1;
}
-
- if( u2PacketPtr != NULL)
+
+ if( iSpooler->sur.U2IdsEventLegacyPtr != NULL)
{
- free(u2PacketPtr);
+ free(iSpooler->sur.U2IdsEventLegacyPtr);
+ iSpooler->sur.U2IdsEventLegacyPtr = NULL;
}
-
- if( U2IdsEventPtr != NULL)
+
+ if( iSpooler->sur.U2IdeEventV6LegacyPtr != NULL)
{
- free(U2IdsEventPtr);
+ free(iSpooler->sur.U2IdeEventV6LegacyPtr);
+ iSpooler->sur.U2IdeEventV6LegacyPtr = NULL;
}
- if( U2IdsEventV6Ptr != NULL)
+ if( iSpooler->sur.u2ExtraDataPtr != NULL)
{
- free(U2IdsEventV6Ptr);
+ free(iSpooler->sur.u2ExtraDataHdrPtr);
+ iSpooler->sur.u2ExtraDataHdrPtr = NULL;
}
-
- return 0;
-}
-
-int InitializeLogPacket(void)
-{
-
- if(LogPacket == NULL)
+
+ if( iSpooler->sur.u2PacketPtr != NULL)
{
- if( (LogPacket=(Packet *)malloc(sizeof(Packet))) == NULL)
- {
- /* XXX */
- return 1;
-
- }
- memset(LogPacket,'\0',sizeof(Packet));
+ free(iSpooler->sur.u2PacketPtr);
+ iSpooler->sur.u2PacketPtr = NULL;
}
- else
+
+ if( iSpooler->sur.U2IdsEventPtr != NULL)
{
- /* XXX */
- return 1;
+ free(iSpooler->sur.U2IdsEventPtr);
+ iSpooler->sur.U2IdsEventPtr = NULL;
}
-
- return InitializeSpoolerStatic();
-}
-
-int FreeLogPacket(void)
-{
- if(LogPacket != NULL)
+
+ if( iSpooler->sur.U2IdsEventV6Ptr != NULL)
{
- memset(LogPacket,'\0',sizeof(Packet));
- free(LogPacket);
- LogPacket = NULL;
- return 0;
+ free(iSpooler->sur.U2IdsEventV6Ptr);
+ iSpooler->sur.U2IdsEventV6Ptr = NULL;
}
-
- return FreeSpoolerStatic();
+
+ if( iSpooler->sur.LogPacket != NULL)
+ {
+ free(iSpooler->sur.LogPacket);
+ iSpooler->sur.LogPacket = NULL;
+ }
+
+ return 0;
}
-int SpoolerSetStaticEvent(u_int32_t type,void *RecordData)
+int SpoolerSetStaticEvent(u_int32_t type,Spooler *iSpooler)
{
- if(RecordData == NULL)
+ if((iSpooler == NULL) ||
+ (iSpooler->record.data == NULL))
{
- /* XXX */
- return 1;
+ /* XXX */
+ return 1;
}
-
- switch(type)
+
+ switch(type)
{
-
+
case UNIFIED2_IDS_EVENT:
case UNIFIED2_IDS_EVENT_MPLS:
case UNIFIED2_IDS_EVENT_VLAN:
- memset(U2IdsEventPtr,'\0',sizeof(Unified2IDSEvent));
- memcpy(U2IdsEventPtr,RecordData,sizeof(Unified2IDSEvent));
- SpoolerEventPtr =(void *)U2IdsEventPtr;
- break;
-
+ memset(iSpooler->sur.U2IdsEventPtr,'\0',sizeof(Unified2IDSEvent));
+ memcpy(iSpooler->sur.U2IdsEventPtr,iSpooler->record.data,sizeof(Unified2IDSEvent));
+ iSpooler->sur.SpoolerEventPtr =(void *)iSpooler->sur.U2IdsEventPtr;
+ break;
+
case UNIFIED2_IDS_EVENT_IPV6:
case UNIFIED2_IDS_EVENT_IPV6_MPLS:
case UNIFIED2_IDS_EVENT_IPV6_VLAN:
- memset(U2IdsEventV6Ptr,'\0',sizeof(Unified2IDSEventIPv6));
- memcpy(U2IdsEventV6Ptr,RecordData,sizeof(Unified2IDSEventIPv6));
- SpoolerEventPtr =(void *)U2IdsEventV6Ptr;
- break;
-
+ memset(iSpooler->sur.U2IdsEventV6Ptr,'\0',sizeof(Unified2IDSEventIPv6));
+ memcpy(iSpooler->sur.U2IdsEventV6Ptr,iSpooler->record.data,sizeof(Unified2IDSEventIPv6));
+ iSpooler->sur.SpoolerEventPtr =(void *)iSpooler->sur.U2IdsEventV6Ptr;
+ break;
+
default:
- /* XXX */
- return 1;
- break;
-
+ /* XXX */
+ return 1;
+ break;
}
-
- return 0;
+
+ return 0;
}
-int SpoolerCheckEventPtr(void)
+
+int SpoolerCheckEventPtr(Spooler *iSpooler)
{
- if(SpoolerEventPtr == NULL)
+ if((iSpooler == NULL) ||
+ (iSpooler->sur.SpoolerEventPtr == NULL))
{
- /* XXX */
- return 1;
+ /* XXX */
+ return 1;
}
-
- return 0;
+
+ return 0;
}
-void * SpoolerGetEventPtr(void)
+void * SpoolerGetEventPtr(Spooler *iSpooler)
{
- return SpoolerEventPtr;
+ if(iSpooler == NULL)
+ {
+ return NULL;
+ }
+
+ return iSpooler->sur.SpoolerEventPtr;
}
-int SpoolerPacketGeneric(Spooler *spooler)
+int SpoolerPacketGeneric(Spooler *iSpooler)
{
- struct pcap_pkthdr pkth;
-
- /* Cleanup ze mess */
- memset(LogPacket,'\0',sizeof(Packet));
- spooler->record.pkt = LogPacket;
-
- pkth.caplen = ntohl(((Unified2Packet *)spooler->record.data)->packet_length);
- pkth.len = pkth.caplen;
- pkth.ts.tv_sec = ntohl(((Unified2Packet *)spooler->record.data)->packet_second);
- pkth.ts.tv_usec = ntohl(((Unified2Packet *)spooler->record.data)->packet_microsecond);
-
- /* decode the packet from the Unified2Packet information */
- datalink = ntohl(((Unified2Packet *)spooler->record.data)->linktype);
- DecodePacket(datalink, spooler->record.pkt, &pkth,
- ((Unified2Packet *)spooler->record.data)->packet_data);
-
- return 0;
+ struct pcap_pkthdr pkth;
+
+ if(iSpooler == NULL ||
+ iSpooler->sur.LogPacket == NULL)
+ {
+ /* XXX */
+ return 1;
+ }
+
+ /* Cleanup ze mess */
+ memset(iSpooler->sur.LogPacket,'\0',sizeof(Packet));
+ iSpooler->record.pkt = iSpooler->sur.LogPacket;
+
+ pkth.caplen = ntohl(((Unified2Packet *)iSpooler->record.data)->packet_length);
+ pkth.len = pkth.caplen;
+ pkth.ts.tv_sec = ntohl(((Unified2Packet *)iSpooler->record.data)->packet_second);
+ pkth.ts.tv_usec = ntohl(((Unified2Packet *)iSpooler->record.data)->packet_microsecond);
+
+ /* decode the packet from the Unified2Packet information */
+ datalink = ntohl(((Unified2Packet *)iSpooler->record.data)->linktype);
+ DecodePacket(datalink, iSpooler->record.pkt, &pkth,
+ ((Unified2Packet *)iSpooler->record.data)->packet_data);
+
+ return 0;
}
+
+/* Notes
+---------------------------------
+What to do to clean the code more.
+We enter the spooler function.
+Identify which event type we are dealing with.
+Identify which spooler_state we are in
+Validate action.
+Return.
+*/
void spoolerProcessRecord(Spooler *spooler, int fire_output)
{
uint32_t type = 0;
- if(LogPacket == NULL)
- {
+ if(spooler == NULL ||
+ spooler->sur.LogPacket == NULL)
+ {
FatalError("spoolerProcessRecord(): LogPacket is null,finshake in the mix! \n");
- }
+ }
/* convert type once */
type = ntohl(((Unified2RecordHeader *)spooler->record.header)->type);
@@ -865,195 +877,381 @@ void spoolerProcessRecord(Spooler *spooler, int fire_output)
(type != (UNIFIED2_IDS_EVENT_VLAN)) &&
(type != (UNIFIED2_IDS_EVENT_IPV6_VLAN)) &&
(type != (UNIFIED2_EXTRA_DATA)))
- {
+ {
pc.total_unknown++;
+ pc.total_records++;
FatalError("spoolerProcessRecord(): Caught a Record type [%lu] which is unknown.Is your unified2 file corrupted? \n",type);
- }
+ }
/* increment the stats */
pc.total_records++;
- switch(SpoolerState)
- {
-
- case SPOOLER_NULL:
- /* Callback in case dual event would be logged...(shoudln't happen)*/
- EVENT_PROCESS:
-
- /* At the time of the implementation of the spooler new "look"
- i do not want to remove check for UNIFIED2_EVENT since
- there is probably somehwere people with old snort, at least
- this will give them a warning, but i think that we should
- just bail out soon and it will remove a useless spooler state
- in the future (that shouldn't be there anyways)
- */
- if(type == UNIFIED2_EVENT)
- {
- LogMessage("spoolerProcessRecord(): A long long time ago...\n"
- "caught UNIFIED2_EVENT event type[%lu] ..running a old snort?\n "
- "Now snort should log UNIFIED2_IDS_EVENT event type [%lu].\n",
- UNIFIED2_EVENT,
- UNIFIED2_IDS_EVENT);
+ if(type == UNIFIED2_EVENT)
+ {
+ /* Soft fast forward... */
+ LogMessage("spoolerProcessRecord(): A long long time ago...\n"
+ "caught UNIFIED2_EVENT event type[%lu] ..running a old snort?\n "
+ "Now snort should log UNIFIED2_IDS_EVENT event type [%lu].\n",
+ UNIFIED2_EVENT,
+ UNIFIED2_IDS_EVENT);
+ goto WALDO_WRITE;
+ }
+ else
+ {
+ /* Pass Control to Input Plugins Selector */
+ switch(spiUnified2GetOperationMode())
+ {
- SpoolerState = SPOOLER_FAST_FORWARD;
- }
- else if( (type == UNIFIED2_PACKET))
- {
- /* In case that we have a lonely packet. */
- /* increment the stats */
- pc.total_packets++;
+ case LOGCTXUNIFIED2:
+ if( (spoolerIpp_Unified2(spooler,type,fire_output)))
+ {
+ /* XXX */
+ FatalError("spoolerIpp_Unified2(): Failed...\n");
+ }
+ break;
- LogMessage("spoolerProcessRecord(): Received a UNIFIED2 Lonely packet with event_id [%lu] \n\n",
- ntohl(((Unified2Packet *)spooler->record.data)->event_id));
-
+ case LOGCTXALERTUNIFIED2:
+ if( (spoolerIpp_AlertUnified2(spooler,type,fire_output)))
+ {
+ /* XXX */
+ FatalError("spoolerIpp_AlertUnified2(): Failed...\n");
+ }
+ break;
- if( (SpoolerPacketGeneric(spooler)))
- {
+ case LOGCTXLOGUNIFIED2:
+
+ if( (spoolerIpp_LogUnified2(spooler,type,fire_output)))
+ {
/* XXX */
- FatalError("SpoolerPacketGeneric(): failed.... \n");
- }
+ FatalError("spoolerIppLogUnified2(): Failed...\n");
+ }
+ break;
- if(fire_output)
+ default:
+ FatalError("spiUnified2GetOperationMode() should never return unknown value...\n");
+ break;
+ }
+ }
+
+
+WALDO_WRITE:
+ /* Update Counters
+ Made a generic counter block so some "dups"
+ are not ommited leading to errors
+ */
+ switch(type)
+ {
+
+ case UNIFIED2_IDS_EVENT:
+ case UNIFIED2_IDS_EVENT_IPV6:
+ case UNIFIED2_IDS_EVENT_MPLS:
+ case UNIFIED2_IDS_EVENT_IPV6_MPLS:
+ case UNIFIED2_IDS_EVENT_VLAN:
+ case UNIFIED2_IDS_EVENT_IPV6_VLAN:
+ pc.total_events++;
+ break;
+
+ case UNIFIED2_PACKET:
+ pc.total_packets++;
+ break;
+
+ case UNIFIED2_EXTRA_DATA:
+ pc.total_unknown++;/* Updating unknown meanwhile, until full support is propagated */
+ break;
+
+ case UNIFIED2_EVENT: /* Will stay here ...depricated event type not supported anymore */
+ default:
+ pc.total_unknown++;
+ break;
+ }
+
+ spoolerWriteWaldo(&barnyard2_conf->waldo, spooler);
+ return;
+}
+
+
+/* InputPlugin [alert_unified2] Context logging function */
+static int spoolerIpp_AlertUnified2(Spooler *iSpooler,int evtType,int vLog)
+{
+ void *logEvtPtr = NULL;
+
+ if(iSpooler == NULL)
+ {
+ /* XXX */
+ return 1;
+ }
+
+ switch(iSpooler->sur.SpoolerState)
+ {
+
+ case SPOOLER_NULL:
+
+ /* SpoolerState and evtType inner switch */
+ switch (evtType)
+ {
+ case UNIFIED2_PACKET:
+ /* Should not get/log any packets in this mode */
+ return 0;
+
+ break; /* UNIFIED2_PACKET */
+
+ case UNIFIED2_EXTRA_DATA:
+ LogMessage("[%s()]: Read a UNIFIED2_EXTRA_DATA type : [%lu] in alert_unified2 mode,\n"
+ "\tsince output plugins do not yet support UNIFIED2_EXTRA_DATA, we will fastforward. \n",__FUNCTION__,evtType);
+ return 0;
+ break; /* UNIFIED2_EXTRA_DATA */
+
+
+ default:
+ /*Should be an event ..*/
+ if( (SpoolerSetStaticEvent(evtType,iSpooler)))
{
- CallOutputPlugins(OUTPUT_TYPE__SPECIAL,
- spooler->record.pkt,
- NULL,
- type);
+ /* XXX */
+ LogMessage("SpoolerSetStaticEvent(), failed \n");
+ return 1;
}
-
- /* Should not be changed, but lets set it anyways */
- /* Reset Spooler state */
- SpoolerState = SPOOLER_NULL;
+
+ /* we should mabey shortcut this but the function is usefull
+ and it makes a single api to manage something that could be
+ errorprone to change at many places.
+ */
+ logEvtPtr = (void *)SpoolerGetEventPtr(iSpooler);
+
+ /* We are now in Event State, return. */
+ break; /* default */
}
- else if( (type == UNIFIED2_EXTRA_DATA))
- {
- LogMessage("spoolerProcessRecord(): Read a UNIFIED2_EXTRA_DATA type : [%lu] record without an event, since we do not yes support\n"
- "\tUNIFIED2_EXTRA_DATA, we will fastforward. \n",type);
-
- SpoolerState = SPOOLER_NULL;
+ break; /* SPOOLER_NULL */
+
+ default:
+ LogMessage("[%s()]: Encountered an unknown spooler state [%lu], error... \n",__FUNCTION__,iSpooler->sur.SpoolerState);
+ return 1;
+ break; /* default */
+ }
+
+
+/*
+ * If we need a fastforward kickback enable the label..
+ * Spooler_ALERT_UNIFIED2_OUTPUT:
+*/
+ if(vLog)
+ {
+ CallOutputPlugins(OUTPUT_TYPE__ALERT,
+ NULL,
+ logEvtPtr,
+ evtType);
+ }
+
+ return 0;
+}
- /* For the moment */
- pc.total_unknown++;
+/* InputPlugin [log_Unified2] Context logging function */
+static int spoolerIpp_LogUnified2(Spooler *iSpooler,int evtType,int vLog)
+{
+ void *logPktPtr = NULL;
+
+ if(iSpooler == NULL)
+ {
+ /* XXX */
+ return 1;
+ }
+
+ switch(iSpooler->sur.SpoolerState)
+ {
+
+ case SPOOLER_NULL:
+
+ /* Callback in case dual event would be logged...(shoudln't happen)*/
+
+ switch (evtType)
+ {
+ case UNIFIED2_PACKET:
+
+ if( (SpoolerPacketGeneric(iSpooler)))
+ {
+ /* XXX */
+ FatalError("SpoolerPacketGeneric(): failed.... \n");
+ }
+
+ logPktPtr = (void *)iSpooler->record.pkt;
+ break; /* UNIFIED2_PACKET */
+
+ case UNIFIED2_EXTRA_DATA:
+ LogMessage("[%s()]: Read a UNIFIED2_EXTRA_DATA type : [%lu] in log_unified2 mode,\n"
+ "\tsince output plugins do not yet support UNIFIED2_EXTRA_DATA, we will fastforward. \n",__FUNCTION__,evtType);
+ return 0;
+ break; /* UNIFIED2_EXTRA_DATA */
+
+ default:
+ /* Since we only log packets, we do not log events. */
+ /* We are now in Event State, return. */
+ return 0; /* Return to buisness */
+ break; /* DEFAULT */
}
- else
+
+ break; /* SPOOLER_NULL */
+
+ default:
+ LogMessage("[%s()]: Encountered an unknown spooler state [%lu], error... \n",__FUNCTION__,iSpooler->sur.SpoolerState);
+ return 1;
+
+ break; /* DEFAULT */
+ }
+/*
+ * If we need a fastforward kickback enable the label..
+ * Spooler_LOG_UNIFIED2_OUTPUT:
+*/
+ if(vLog)
+ {
+ CallOutputPlugins(OUTPUT_TYPE__LOG,
+ logPktPtr,
+ NULL,
+ evtType);
+ }
+
+ return 0;
+}
+
+/* InputPlugin [unified2] Context logging function */
+static int spoolerIpp_Unified2(Spooler *iSpooler,int evtType,int vLog)
+{
+ void *logEvtPtr = NULL;
+ void *logPktPtr = NULL;
+
+ if(iSpooler == NULL)
+ {
+ /* XXX */
+ return 1;
+ }
+
+ switch(iSpooler->sur.SpoolerState)
+ {
+
+ case SPOOLER_NULL:
+
+ /* Callback in case dual event would be logged...(shoudln't happen)*/
+ EVENT_PROCESS_UNIFIED2:
+
+ /* SpoolerState and evtType inner switch */
+ switch (evtType)
{
- if( (SpoolerSetStaticEvent(type,spooler->record.data)))
+ case UNIFIED2_PACKET:
+
+ if( (SpoolerPacketGeneric(iSpooler)))
{
- /* XXX */
- FatalError("SpoolerSetStaticEvent(), failed \n");
+ /* XXX */
+ FatalError("SpoolerPacketGeneric(): failed.... \n");
}
-
- /* increment the stats */
- pc.total_events++;
-
- /* We are now in Event State */
- SpoolerState = SPOOLER_EVENT;
+
+ logPktPtr = (void *)iSpooler->record.pkt;
+ break; /* UNIFIED2_PACKET */
+
+ case UNIFIED2_EXTRA_DATA:
+ LogMessage("[%s()]: Read a UNIFIED2_EXTRA_DATA type : [%lu] record without an event\n"
+ "since output plugins do not yet support UNIFIED2_EXTRA_DATA, we will fastforward. \n",__FUNCTION__,evtType);
+ return 0;
+ break; /* UNIFIED2_EXTRA_DATA */
+
+ /*Should be an event ..*/
+ default:
+ if( (SpoolerSetStaticEvent(evtType,iSpooler)))
+ {
+ /* XXX */
+ LogMessage("SpoolerSetStaticEvent(), failed \n");
+ return 1;
+ }
+
+ /* We are now in Event State, return. */
+ iSpooler->sur.SpoolerState = SPOOLER_EVENT;
+ return 0; /* Return to buisness */
+ break; /* default */
}
-
- break;
-
+ break; /* SPOOLER_NULL */
+
case SPOOLER_EVENT:
-
- if( SpoolerCheckEventPtr())
+
+ switch(evtType)
{
- /* XXX */
- FatalError("SpoolerCheckEventPtr(), error in spoolerProcessRecord(), something went wrong ...\n");
- }
-
- if( ((type == UNIFIED2_IDS_EVENT) ||
- (type == UNIFIED2_IDS_EVENT_IPV6 ) ||
- (type == UNIFIED2_IDS_EVENT_MPLS) ||
- (type == UNIFIED2_IDS_EVENT_IPV6_MPLS) ||
- (type == UNIFIED2_IDS_EVENT_VLAN) ||
- (type == UNIFIED2_IDS_EVENT_IPV6_VLAN)))
- {
-
- if(fire_output)
+ case UNIFIED2_PACKET:
+
+ if( SpoolerCheckEventPtr(iSpooler))
{
- CallOutputPlugins(OUTPUT_TYPE__SPECIAL,
- NULL,
- SpoolerGetEventPtr(),
- type);
+ /* XXX */
+ LogMessage("[%s()] error from SpoolerCheckEventPtr(), something went wrong ...\n",__FUNCTION__);
+ return 1;
}
-
- /* setting the spooler state back to null shouldn't happend but we do it anyways */
- SpoolerState = SPOOLER_NULL;
- goto EVENT_PROCESS;
- }
- else if( type == UNIFIED2_PACKET )
- {
- /* increment the stats */
- pc.total_packets++;
-
- if( (SpoolerPacketGeneric(spooler)))
+
+ if( (SpoolerPacketGeneric(iSpooler)))
{
- /* XXX */
- FatalError("SpoolerPacketGeneric(): failed.... \n");
+ /* XXX */
+ FatalError("SpoolerPacketGeneric(): failed.... \n");
}
-
- if(fire_output)
+
+ logPktPtr = (void *)iSpooler->record.pkt;
+ logEvtPtr = (void *)SpoolerGetEventPtr(iSpooler);
+ break; /* UNIFIED2_PACKET */
+
+ case UNIFIED2_EVENT:
+ case UNIFIED2_IDS_EVENT:
+ case UNIFIED2_IDS_EVENT_IPV6:
+ case UNIFIED2_IDS_EVENT_MPLS:
+ case UNIFIED2_IDS_EVENT_IPV6_MPLS:
+ case UNIFIED2_IDS_EVENT_VLAN:
+ case UNIFIED2_IDS_EVENT_IPV6_VLAN:
+
+ if(vLog)
{
- CallOutputPlugins(OUTPUT_TYPE__SPECIAL,
- spooler->record.pkt,
- SpoolerGetEventPtr(),
- type);
+ logEvtPtr = (void *)SpoolerGetEventPtr(iSpooler);
+ CallOutputPlugins(OUTPUT_TYPE__SPECIAL,
+ logPktPtr,
+ logEvtPtr,
+ evtType);
+ iSpooler->sur.SpoolerState = SPOOLER_NULL;
+ goto EVENT_PROCESS_UNIFIED2;
}
-
- /* Reset Spooler state */
- SpoolerState = SPOOLER_NULL;
- }
- /* Will integrate EXTRA_DATA processing in here soon ..*/
- else if(type == UNIFIED2_EXTRA_DATA)
- {
- LogMessage("Caught a UNIFIED2_EXTRA_DATA, spooler and output pluggin do not yet fully support UNIFIED2_EXTRA_DATA, processing next event.\n");
-
- /* For the moment */
- pc.total_unknown++;
-
-
- /* Reset Spooler state */
- SpoolerState = SPOOLER_NULL;
- }
- else
- {
-
- /* For the moment */
- pc.total_unknown++;
-
- FatalError("spoolerProcessRecord(): in SPOOLER_EVENT state caught an unknown UNIFIED2 type [%lu]..bailling\n",type);
+ break; /* UNIFIED2_EVENT,UNIFIED2_IDS_EVENT,UNIFIED2_IDS_EVENT_IPV6,
+ UNIFIED2_IDS_EVENT_MPLS,UNIFIED2_IDS_EVENT_IPV6_MPLS,
+ UNIFIED2_IDS_EVENT_VLAN,UNIFIED2_IDS_EVENT_IPV6_VLAN */
+
+ case UNIFIED2_EXTRA_DATA:
+
+ LogMessage("Caught a UNIFIED2_EXTRA_DATA, spooler and output pluggin do not yet fully support UNIFIED2_EXTRA_DATA, processing next event.\n");
+
+ /* Reset Spooler state */
+ iSpooler->sur.SpoolerState = SPOOLER_NULL;
+
+ /* log current event anyways */
+ logEvtPtr = (void *)SpoolerGetEventPtr(iSpooler);
+ break; /* UNIFIED2_EXTRA_DATA */
+
+ default:
+ LogMessage("[%s()]: Encountered an unknown spooler state [%lu], error... \n",__FUNCTION__,iSpooler->sur.SpoolerState);
+ return 1;
+
+ break; /* default */
}
-
- break;
-
- case SPOOLER_FAST_FORWARD:
- LogMessage("spoolerProcessRecord(): Previous event was a legacy event of type[%lu], Current event is of type [%lu],fast forward \n",
- UNIFIED2_EVENT,type);
- /* Reset Spooler state */
- SpoolerState = SPOOLER_NULL;
- break;
-
- default:
- FatalError("Unknown spooler state [%lu] \n\n",SpoolerState);
- break;
+
+ iSpooler->sur.SpoolerState = SPOOLER_NULL;
+ break; /* SPOOLER_EVENT */
+ }
+
+
+/*
+ * If we need a fastforward kickback enable the label..
+ * Spooler_UNIFIED2_OUTPUT:
+ */
+ if(vLog)
+ {
+ CallOutputPlugins(OUTPUT_TYPE__SPECIAL,
+ logPktPtr,
+ logEvtPtr,
+ evtType);
}
-
- spoolerWriteWaldo(&barnyard2_conf->waldo, spooler);
+ return 0;
}
-/* Depricated unallocated by spoolerClose*/
-//void spoolerFreeRecord(Record *record)
-//{
-//
-//
-// if (record->data)
-// {
-// free(record->data);
-// }
-//
-// record->data = NULL;
-//}
+
/*
** WALDO FILE OPERATIONS
View
30 src/spooler.h
@@ -96,18 +96,44 @@ typedef struct _PacketRecordNode
struct _PacketRecordNode *next; /* reference to next event record */
} PacketRecordNode;
+
+typedef struct _Spooler_unified2_references
+{
+ /* Different type of unified2 event */
+ Unified2IDSEvent_legacy *U2IdsEventLegacyPtr;
+ Unified2IDSEventIPv6_legacy *U2IdeEventV6LegacyPtr;
+ Unified2ExtraData *u2ExtraDataPtr;
+ Unified2ExtraDataHdr *u2ExtraDataHdrPtr;
+ Unified2Packet *u2PacketPtr;
+ Unified2IDSEventIPv6 *U2IdsEventV6Ptr;
+ Unified2IDSEvent *U2IdsEventPtr;
+
+ /* Holder for possible packet */
+ Packet *LogPacket;
+
+ /* Event Pointer sent to output pluggin */
+ void *SpoolerEventPtr;
+
+ /* Spooler State */
+ int SpoolerState;
+
+} Spooler_unified2_references;
+
typedef struct _Spooler
{
InputFuncNode *ifn; // Processing function of input file
-
+
int fd; // file descriptor of input file
char filepath[MAX_FILEPATH_BUF]; // file path of input file
time_t timestamp; // time stamp of input file
uint32_t state; // current read state
uint32_t offset; // current file offest
uint32_t record_idx; // current record number
+
+ uint32_t magic;
+
+ Spooler_unified2_references sur; // Spooler Unified2 reference structures
- uint32_t magic;
void *header; // header of input file
Record record; // data of current Record

0 comments on commit 91726cc

Please sign in to comment.
Something went wrong with that request. Please try again.